{ "metadata": { "source_file": "primevul_valid_grouped.json", "filter_min_depth": 2, "filter_max_depth": "unlimited", "original_groups": 4777, "filtered_groups": 720, "total_functions": 14270, "depth_distribution": { "25": 1, "1": 4057, "14": 3, "13": 1, "5": 13, "2": 489, "6": 16, "3": 135, "4": 50, "7": 6, "8": 2, "12": 2, "11": 1, "10": 1 } }, "groups": [ { "call_depth": 25, "longest_call_chain": [ "tty_send_xchar", "start_tty", "__start_tty", "start", "sendRequest", "maybeReadVirginBody", "Read", "FrameReady", "AttemptFlush_Locked", "Run", "LoadMap", "Load", "GetLength", "RenderChannel", "Stop", "ClearJoiners", "SendCommissionerSet", "SendMgmtCommissionerSetRequest", "Free", "PushToFreeList", "DeAllocateUntrustedBuffers", "BestEffortAbort", "DebugPuts", "CHECK_OCALL", "IsOutsideEnclave" ], "group_size": 8062, "functions": [ { "func": "static bool php_imagepolygon(const Resource& image,\n const Array& points, int num_points,\n int color, int filled) {\n gdImagePtr im = get_valid_image_resource(image);\n if (!im) return false;\n gdPointPtr pts;\n int nelem, i;\n\n nelem = points.size();\n if (nelem < 6) {\n raise_warning(\"You must have at least 3 points in your array\");\n return false;\n }\n\n if (nelem < num_points * 2) {\n raise_warning(\"Trying to use %d points in array with only %d points\",\n num_points, nelem/2);\n return false;\n }\n\n pts = (gdPointPtr)IM_MALLOC(num_points * sizeof(gdPoint));\n CHECK_ALLOC_R(pts, (num_points * sizeof(gdPoint)), false);\n\n for (i = 0; i < num_points; i++) {\n if (points.exists(i * 2)) {\n pts[i].x = points[i * 2].toInt32();\n }\n if (points.exists(i * 2 + 1)) {\n pts[i].y = points[i * 2 + 1].toInt32();\n }\n }\n\n if (filled) {\n gdImageFilledPolygon(im, pts, num_points, color);\n } else {\n color = SetupAntiAliasedColor(im, color);\n gdImagePolygon(im, pts, num_points, color);\n }\n\n IM_FREE(pts);\n return true;\n}", "project": "hhvm", "hash": 196354726806014419952852030876077791778, "size": 42, "commit_id": 
"08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219188 }, { "func": "static int ca8210_set_frame_retries(struct ieee802154_hw *hw, s8 retries)\n{\n\tu8 status;\n\tstruct ca8210_priv *priv = hw->priv;\n\n\tstatus = mlme_set_request_sync(\n\t\tMAC_MAX_FRAME_RETRIES,\n\t\t0,\n\t\t1,\n\t\t&retries,\n\t\tpriv->spi\n\t);\n\tif (status) {\n\t\tdev_err(\n\t\t\t&priv->spi->dev,\n\t\t\t\"error setting frame retries, MLME-SET.confirm status = %d\",\n\t\t\tstatus\n\t\t);\n\t}\n\treturn link_to_linux_err(status);\n}", "project": "linux", "hash": 148239524511363758656728180475444871727, "size": 21, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408804 }, { "func": " Item_basic_constant(THD *thd): Item_basic_value(thd), used_table_map(0) {};", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 338632272190629526329241208718807145412, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509078 }, { "func": "int sctp_inet_listen(struct socket *sock, int backlog)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct sctp_endpoint *ep = sctp_sk(sk)->ep;\n\tint err = -EINVAL;\n\n\tif (unlikely(backlog < 0))\n\t\treturn err;\n\n\tlock_sock(sk);\n\n\t/* Peeled-off sockets are not allowed to listen(). */\n\tif (sctp_style(sk, UDP_HIGH_BANDWIDTH))\n\t\tgoto out;\n\n\tif (sock->state != SS_UNCONNECTED)\n\t\tgoto out;\n\n\tif (!sctp_sstate(sk, LISTENING) && !sctp_sstate(sk, CLOSED))\n\t\tgoto out;\n\n\t/* If backlog is zero, disable listening. 
*/\n\tif (!backlog) {\n\t\tif (sctp_sstate(sk, CLOSED))\n\t\t\tgoto out;\n\n\t\terr = 0;\n\t\tsctp_unhash_endpoint(ep);\n\t\tsk->sk_state = SCTP_SS_CLOSED;\n\t\tif (sk->sk_reuse || sctp_sk(sk)->reuse)\n\t\t\tsctp_sk(sk)->bind_hash->fastreuse = 1;\n\t\tgoto out;\n\t}\n\n\t/* If we are already listening, just update the backlog */\n\tif (sctp_sstate(sk, LISTENING))\n\t\tWRITE_ONCE(sk->sk_max_ack_backlog, backlog);\n\telse {\n\t\terr = sctp_listen_start(sk, backlog);\n\t\tif (err)\n\t\t\tgoto out;\n\t}\n\n\terr = 0;\nout:\n\trelease_sock(sk);\n\treturn err;\n}", "project": "linux", "hash": 92356295895443476831545394253852598697, "size": 48, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398110 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "void WebGraphicsContext3DDefaultImpl::prepareTexture()\n{\n if (!m_renderDirectlyToWebView) {\n resolveMultisampledFramebuffer(0, 0, m_cachedWidth, m_cachedHeight);\n }\n}\n", "cwe": "", "big_vul_idx": 99016, "idx": 89071, "hash": 200635163471972268756938762781993491759 }, { "func": "bool pb_decode_svarint(pb_istream_t *stream, int64_t *dest)\n{\n uint64_t value;\n if (!pb_decode_varint(stream, &value))\n return false;\n \n if (value & 1)\n *dest = (int64_t)(~(value >> 1));\n else\n *dest = (int64_t)(value >> 1);\n \n return true;\n}", "project": "nanopb", "hash": 137534108024952480921833986146569008674, "size": 13, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255348 }, { "func": "static void nfs4_xdr_enc_setattr(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs_setattrargs *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_setattr(xdr, args, args->server, &hdr);\n\tencode_getfattr(xdr, args->bitmask, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 237902466199038134326647869045275507017, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond 
Myklebust ", "target": 0, "dataset": "other", "idx": 431149 }, { "func": "int bcf_translate(const bcf_hdr_t *dst_hdr, bcf_hdr_t *src_hdr, bcf1_t *line)\n{\n int i;\n if ( line->errcode )\n {\n hts_log_error(\"Unchecked error (%d) at %s:%\"PRIhts_pos\", exiting\", line->errcode, bcf_seqname_safe(src_hdr,line), line->pos+1);\n exit(1);\n }\n if ( src_hdr->ntransl==-1 ) return 0; // no need to translate, all tags have the same id\n if ( !src_hdr->ntransl ) // called for the first time, see what needs translating\n {\n int dict;\n for (dict=0; dict<2; dict++) // BCF_DT_ID and BCF_DT_CTG\n {\n src_hdr->transl[dict] = (int*) malloc(src_hdr->n[dict]*sizeof(int));\n for (i=0; in[dict]; i++)\n {\n if ( !src_hdr->id[dict][i].key ) // gap left after removed BCF header lines\n {\n src_hdr->transl[dict][i] = -1;\n continue;\n }\n src_hdr->transl[dict][i] = bcf_hdr_id2int(dst_hdr,dict,src_hdr->id[dict][i].key);\n if ( src_hdr->transl[dict][i]!=-1 && i!=src_hdr->transl[dict][i] ) src_hdr->ntransl++;\n }\n }\n if ( !src_hdr->ntransl )\n {\n free(src_hdr->transl[0]); src_hdr->transl[0] = NULL;\n free(src_hdr->transl[1]); src_hdr->transl[1] = NULL;\n src_hdr->ntransl = -1;\n }\n if ( src_hdr->ntransl==-1 ) return 0;\n }\n bcf_unpack(line,BCF_UN_ALL);\n\n // CHROM\n if ( src_hdr->transl[BCF_DT_CTG][line->rid] >=0 ) line->rid = src_hdr->transl[BCF_DT_CTG][line->rid];\n\n // FILTER\n for (i=0; id.n_flt; i++)\n {\n int src_id = line->d.flt[i];\n if ( src_hdr->transl[BCF_DT_ID][src_id] >=0 )\n line->d.flt[i] = src_hdr->transl[BCF_DT_ID][src_id];\n line->d.shared_dirty |= BCF1_DIRTY_FLT;\n }\n\n // INFO\n for (i=0; in_info; i++)\n {\n int src_id = line->d.info[i].key;\n int dst_id = src_hdr->transl[BCF_DT_ID][src_id];\n if ( dst_id<0 ) continue;\n line->d.info[i].key = dst_id;\n if ( !line->d.info[i].vptr ) continue; // skip deleted\n int src_size = src_id>>7 ? ( src_id>>15 ? BCF_BT_INT32 : BCF_BT_INT16) : BCF_BT_INT8;\n int dst_size = dst_id>>7 ? ( dst_id>>15 ? 
BCF_BT_INT32 : BCF_BT_INT16) : BCF_BT_INT8;\n if ( src_size==dst_size ) // can overwrite\n {\n uint8_t *vptr = line->d.info[i].vptr - line->d.info[i].vptr_off;\n if ( dst_size==BCF_BT_INT8 ) { vptr[1] = (uint8_t)dst_id; }\n else if ( dst_size==BCF_BT_INT16 ) { *(uint16_t*)vptr = (uint16_t)dst_id; }\n else { *(uint32_t*)vptr = (uint32_t)dst_id; }\n }\n else // must realloc\n {\n bcf_info_t *info = &line->d.info[i];\n kstring_t str = {0,0,0};\n bcf_enc_int1(&str, dst_id);\n bcf_enc_size(&str, info->len,info->type);\n uint32_t vptr_off = str.l;\n kputsn((char*)info->vptr, info->vptr_len, &str);\n if( info->vptr_free ) free(info->vptr - info->vptr_off);\n info->vptr_off = vptr_off;\n info->vptr = (uint8_t*)str.s + info->vptr_off;\n info->vptr_free = 1;\n line->d.shared_dirty |= BCF1_DIRTY_INF;\n }\n }\n\n // FORMAT\n for (i=0; in_fmt; i++)\n {\n int src_id = line->d.fmt[i].id;\n int dst_id = src_hdr->transl[BCF_DT_ID][src_id];\n if ( dst_id<0 ) continue;\n line->d.fmt[i].id = dst_id;\n if( !line->d.fmt[i].p ) continue; // skip deleted\n int src_size = src_id>>7 ? ( src_id>>15 ? BCF_BT_INT32 : BCF_BT_INT16) : BCF_BT_INT8;\n int dst_size = dst_id>>7 ? ( dst_id>>15 ? 
BCF_BT_INT32 : BCF_BT_INT16) : BCF_BT_INT8;\n if ( src_size==dst_size ) // can overwrite\n {\n uint8_t *p = line->d.fmt[i].p - line->d.fmt[i].p_off; // pointer to the vector size (4bits) and BT type (4bits)\n if ( dst_size==BCF_BT_INT8 ) { p[1] = dst_id; }\n else if ( dst_size==BCF_BT_INT16 ) { i16_to_le(dst_id, p + 1); }\n else { i32_to_le(dst_id, p + 1); }\n }\n else // must realloc\n {\n bcf_fmt_t *fmt = &line->d.fmt[i];\n kstring_t str = {0,0,0};\n bcf_enc_int1(&str, dst_id);\n bcf_enc_size(&str, fmt->n, fmt->type);\n uint32_t p_off = str.l;\n kputsn((char*)fmt->p, fmt->p_len, &str);\n if( fmt->p_free ) free(fmt->p - fmt->p_off);\n fmt->p_off = p_off;\n fmt->p = (uint8_t*)str.s + fmt->p_off;\n fmt->p_free = 1;\n line->d.indiv_dirty = 1;\n }\n }\n return 0;\n}", "project": "htslib", "hash": 195675032722034602681055763560143151190, "size": 115, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402186 }, { "func": "static inline void __fuse_dentry_settime(struct dentry *dentry, u64 time)\n{\n\t((union fuse_dentry *) dentry->d_fsdata)->time = time;\n}", "project": "linux", "hash": 308750398351602964517838657054145904610, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342090 }, { "func": "static inline void __fuse_dentry_settime(struct dentry *entry, u64 time)\n{\n\tentry->d_fsdata = (void *) time;\n}", "project": "linux", "hash": 154114634839637516877131239785164999715, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342101 }, { "func": "\nstatic int io_register_rsrc(struct io_ring_ctx *ctx, void __user *arg,\n\t\t\t unsigned int size)\n{\n\tstruct io_uring_rsrc_register rr;\n\n\t/* keep it extendible */\n\tif (size != sizeof(rr))\n\t\treturn -EINVAL;\n\n\tmemset(&rr, 0, sizeof(rr));\n\tif (copy_from_user(&rr, arg, size))\n\t\treturn -EFAULT;\n\tif (!rr.nr)\n\t\treturn -EINVAL;\n\n\tswitch (rr.type) {\n\tcase IORING_RSRC_FILE:\n\t\treturn io_sqe_files_register(ctx, u64_to_user_ptr(rr.data),\n\t\t\t\t\t rr.nr, u64_to_user_ptr(rr.tags));\n\tcase IORING_RSRC_BUFFER:\n\t\treturn io_sqe_buffers_register(ctx, u64_to_user_ptr(rr.data),\n\t\t\t\t\t rr.nr, u64_to_user_ptr(rr.tags));\n\t}\n\treturn -EINVAL;", "project": "linux", "hash": 123161322328624232182934154176094106940, "size": 25, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338520 }, { "func": "static void mt_fix_const_fields(struct hid_device *hdev, unsigned int usage)\n{\n\tstruct hid_report *report;\n\tint i;\n\n\tlist_for_each_entry(report,\n\t\t\t &hdev->report_enum[HID_INPUT_REPORT].report_list,\n\t\t\t list) {\n\n\t\tif (!report->maxfield)\n\t\t\tcontinue;\n\n\t\tfor (i = 0; i < report->maxfield; i++)\n\t\t\tif (report->field[i]->maxusage >= 1)\n\t\t\t\tmt_fix_const_field(report->field[i], usage);\n\t}\n}", "project": "linux", "hash": 26872809020082780673363797875174189715, "size": 17, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier 
\nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458420 }, { "func": "void CClient::SetNick(const CString& s) { m_sNick = s; }", "project": "znc", "hash": 237711416998024209612552398604026381003, "size": 1, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231568 }, { "func": " void ValidateInputTensors(OpKernelContext* ctx, const Tensor& in0,\n const Tensor& in1) {\n OP_REQUIRES(\n ctx, in0.dims() >= 2,\n errors::InvalidArgument(\"In[0] ndims must be >= 2: \", in0.dims()));\n\n OP_REQUIRES(\n ctx, in1.dims() >= 2,\n errors::InvalidArgument(\"In[1] ndims must be >= 2: \", in1.dims()));\n\n OP_REQUIRES(ctx, in0.NumElements() > 0,\n errors::InvalidArgument(\"In[0] must not be an empty tensor: \",\n in0.DebugString()));\n\n OP_REQUIRES(ctx, in1.NumElements() > 0,\n errors::InvalidArgument(\"In[1] must not be an empty tensor: \",\n in1.DebugString()));\n }", "project": "tensorflow", "hash": 179417973634723313902931120107769800464, "size": 18, "commit_id": "0ab290774f91a23bebe30a358fde4e53ab4876a0", "message": "Ensure validation sticks in banded_triangular_solve_op\n\nPiperOrigin-RevId: 373275480\nChange-Id: Id7717cf275b2d6fdb9441fbbe166d555182d2e79", "target": 0, "dataset": "other", "idx": 232650 }, { "project": "Chrome", "commit_id": "87190165c55bcf3eecd8824dd8d083f5e3236552", "target": 0, "func": "void AudioManagerBase::Shutdown() {\n scoped_ptr audio_thread;\n {\n base::AutoLock lock(audio_thread_lock_);\n audio_thread_.swap(audio_thread);\n }\n\n if (!audio_thread.get())\n return;\n\n CHECK_NE(MessageLoop::current(), audio_thread->message_loop());\n\n audio_thread->message_loop()->PostTask(FROM_HERE, base::Bind(\n &AudioManagerBase::ShutdownOnAudioThread,\n base::Unretained(this)));\n\n audio_thread->Stop();\n}\n", "cwe": "", "big_vul_idx": 113850, "idx": 102050, "hash": 80662531451866104522928738077249881922 }, { "func": "static 
int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\tdo {\n\t\terr = _nfs4_proc_access(inode, entry);\n\t\ttrace_nfs4_access(inode, err);\n\t\terr = nfs4_handle_exception(NFS_SERVER(inode), err,\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 64109035837608043571942097147402451947, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431481 }, { "func": "static void load_xref_from_plaintext(FILE *fp, xref_t *xref)\n{\n int i, obj_id, added_entries;\n char c, buf[32] = {0};\n long start, pos;\n size_t buf_idx;\n\n start = ftell(fp);\n\n /* Get number of entries */\n pos = xref->end;\n fseek(fp, pos, SEEK_SET);\n while (ftell(fp) != 0)\n if (SAFE_F(fp, (fgetc(fp) == '/' && fgetc(fp) == 'S')))\n break;\n else\n SAFE_E(fseek(fp, --pos, SEEK_SET), 0, \"Failed seek to xref /Size.\\n\");\n\n SAFE_E(fread(buf, 1, 21, fp), 21, \"Failed to load entry Size string.\\n\");\n xref->n_entries = atoi(buf + strlen(\"ize \"));\n xref->entries = safe_calloc(xref->n_entries * sizeof(struct _xref_entry));\n\n /* Load entry data */\n obj_id = 0;\n fseek(fp, xref->start + strlen(\"xref\"), SEEK_SET);\n added_entries = 0;\n for (i=0; in_entries; i++)\n {\n /* Advance past newlines. */\n c = fgetc(fp);\n while (c == '\\n' || c == '\\r')\n c = fgetc(fp);\n\n if (ferror(fp) || feof(fp))\n break;\n\n /* Collect data up until the following newline. 
*/\n buf_idx = 0;\n while (c != '\\n' && c != '\\r' && !feof(fp) &&\n !ferror(fp) && buf_idx < sizeof(buf))\n {\n buf[buf_idx++] = c;\n c = fgetc(fp);\n }\n if (buf_idx >= sizeof(buf)) {\n FAIL(\"Failed to locate newline character. \"\n \"This might be a corrupt PDF.\\n\");\n }\n buf[buf_idx] = '\\0';\n\n /* Went to far and hit start of trailer */\n if (strchr(buf, 't'))\n break;\n\n /* Entry or object id */\n if (strlen(buf) > 17)\n {\n const char *token = NULL;\n xref->entries[i].obj_id = obj_id++;\n token = strtok(buf, \" \");\n if (!token) {\n FAIL(\"Failed to parse xref entry. \"\n \"This might be a corrupt PDF.\\n\");\n }\n xref->entries[i].offset = atol(token);\n token = strtok(NULL, \" \");\n if (!token) {\n FAIL(\"Failed to parse xref entry. \"\n \"This might be a corrupt PDF.\\n\");\n }\n xref->entries[i].gen_num = atoi(token);\n xref->entries[i].f_or_n = buf[17];\n ++added_entries;\n }\n else\n {\n obj_id = atoi(buf);\n --i;\n }\n }\n\n xref->n_entries = added_entries;\n fseek(fp, start, SEEK_SET);\n}", "project": "pdfresurrect", "hash": 331923305721359227346562002677734506454, "size": 84, "commit_id": "7e35d1806e111fd28610ccc86bb33f54792ac370", "message": "Fix possible infinite loop case when looking for a trailer.\n\nThanks to chibataiki for reporting and isolating this!", "target": 0, "dataset": "other", "idx": 355607 }, { "func": "static void load_xref_from_plaintext(FILE *fp, xref_t *xref)\n{\n int i, obj_id, added_entries;\n char c, buf[32] = {0};\n long start, pos;\n size_t buf_idx;\n\n start = ftell(fp);\n\n /* Get number of entries */\n pos = xref->end;\n fseek(fp, pos, SEEK_SET);\n while (ftell(fp) != 0)\n if (SAFE_F(fp, (fgetc(fp) == '/' && fgetc(fp) == 'S')))\n break;\n else\n SAFE_E(fseek(fp, --pos, SEEK_SET), 0, \"Failed seek to xref /Size.\\n\");\n\n SAFE_E(fread(buf, 1, 21, fp), 21, \"Failed to load entry Size string.\\n\");\n xref->n_entries = atoi(buf + strlen(\"ize \"));\n xref->entries = safe_calloc(xref->n_entries * sizeof(struct 
_xref_entry));\n\n /* Load entry data */\n obj_id = 0;\n fseek(fp, xref->start + strlen(\"xref\"), SEEK_SET);\n added_entries = 0;\n for (i=0; in_entries; i++)\n {\n /* Advance past newlines. */\n c = fgetc(fp);\n while (c == '\\n' || c == '\\r')\n c = fgetc(fp);\n\n /* Collect data up until the following newline. */\n buf_idx = 0;\n while (c != '\\n' && c != '\\r' && !feof(fp) &&\n !ferror(fp) && buf_idx < sizeof(buf))\n {\n buf[buf_idx++] = c;\n c = fgetc(fp);\n }\n if (buf_idx >= sizeof(buf)) {\n FAIL(\"Failed to locate newline character. \"\n \"This might be a corrupt PDF.\\n\");\n }\n buf[buf_idx] = '\\0';\n\n /* Went to far and hit start of trailer */\n if (strchr(buf, 't'))\n break;\n\n /* Entry or object id */\n if (strlen(buf) > 17)\n {\n const char *token = NULL;\n xref->entries[i].obj_id = obj_id++;\n token = strtok(buf, \" \");\n if (!token) {\n FAIL(\"Failed to parse xref entry. \"\n \"This might be a corrupt PDF.\\n\");\n }\n xref->entries[i].offset = atol(token);\n token = strtok(NULL, \" \");\n if (!token) {\n FAIL(\"Failed to parse xref entry. 
\"\n \"This might be a corrupt PDF.\\n\");\n }\n xref->entries[i].gen_num = atoi(token);\n xref->entries[i].f_or_n = buf[17];\n ++added_entries;\n }\n else\n {\n obj_id = atoi(buf);\n --i;\n }\n }\n\n xref->n_entries = added_entries;\n fseek(fp, start, SEEK_SET);\n}", "project": "pdfresurrect", "hash": 65037652043849965763380787453615363953, "size": 81, "commit_id": "1b422459f07353adce2878806d5247d9e91fb397", "message": "Update header validation checks.\n\nThanks to yifengchen-cc for identifying this.", "target": 0, "dataset": "other", "idx": 400404 }, { "func": "static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo,\n size_t dir_offset, int section_index) {\n int i, sn, num_entries, sub_section_index = 0;\n unsigned char *dir_entry;\n char tagname[64];\n size_t ifd_size, dir_size, entry_offset, next_offset,\n entry_length, entry_value=0, fgot;\n int entry_tag , entry_type;\n tag_table_type tag_table = exif_get_tag_table(section_index);\n\n if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {\n return 0;\n }\n\n if (ImageInfo->FileSize >= dir_offset+2) {\n sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, nullptr);\n if (sn == -1) return 0;\n /* we do not know the order of sections */\n ImageInfo->infile->seek(dir_offset, SEEK_SET);\n String snData = ImageInfo->infile->read(2);\n memcpy(ImageInfo->file.list[sn].data, snData.c_str(), 2);\n num_entries = php_ifd_get16u(ImageInfo->file.list[sn].data,\n ImageInfo->motorola_intel);\n dir_size = 2/*num dir entries*/ +\n 12/*length of entry*/*num_entries +\n 4/* offset to next ifd (points to thumbnail or NULL)*/;\n if (ImageInfo->FileSize >= dir_offset+dir_size) {\n if (exif_file_sections_realloc(ImageInfo, sn, dir_size)) {\n return 0;\n }\n snData = ImageInfo->infile->read(dir_size-2);\n memcpy(ImageInfo->file.list[sn].data+2, snData.c_str(), dir_size-2);\n next_offset =\n php_ifd_get32u(ImageInfo->file.list[sn].data + dir_size - 4,\n ImageInfo->motorola_intel);\n /* now we have the directory we can 
look how long it should be */\n ifd_size = dir_size;\n char *end = (char*)ImageInfo->file.list[sn].data + dir_size;\n for(i=0;ifile.list[sn].data+2+i*12;\n CHECK_BUFFER_R(dir_entry+4, end, 4, 0);\n entry_tag = php_ifd_get16u(dir_entry+0, ImageInfo->motorola_intel);\n entry_type = php_ifd_get16u(dir_entry+2, ImageInfo->motorola_intel);\n if (entry_type > NUM_FORMATS) {\n raise_notice(\"Read from TIFF: tag(0x%04X,%12s): \"\n \"Illegal format code 0x%04X, switching to BYTE\",\n entry_tag,\n exif_get_tagname(entry_tag, tagname, -12, tag_table),\n entry_type);\n /* Since this is repeated in exif_process_IFD_TAG make it a\n notice here and make it a warning in the exif_process_IFD_TAG\n which is called elsewhere. */\n entry_type = TAG_FMT_BYTE;\n }\n entry_length =\n php_ifd_get32u(dir_entry+4, ImageInfo->motorola_intel) *\n get_php_tiff_bytes_per_format(entry_type);\n if (entry_length <= 4) {\n switch(entry_type) {\n case TAG_FMT_USHORT:\n CHECK_BUFFER_R(dir_entry+8, end, 2, 0);\n entry_value = php_ifd_get16u(dir_entry+8,\n ImageInfo->motorola_intel);\n break;\n case TAG_FMT_SSHORT:\n CHECK_BUFFER_R(dir_entry+8, end, 2, 0);\n entry_value = php_ifd_get16s(dir_entry+8,\n ImageInfo->motorola_intel);\n break;\n case TAG_FMT_ULONG:\n CHECK_BUFFER_R(dir_entry+8, end, 4, 0);\n entry_value = php_ifd_get32u(dir_entry+8,\n ImageInfo->motorola_intel);\n break;\n case TAG_FMT_SLONG:\n CHECK_BUFFER_R(dir_entry+8, end, 4, 0);\n entry_value = php_ifd_get32s(dir_entry+8,\n ImageInfo->motorola_intel);\n break;\n }\n switch(entry_tag) {\n case TAG_IMAGEWIDTH:\n case TAG_COMP_IMAGE_WIDTH:\n ImageInfo->Width = entry_value;\n break;\n case TAG_IMAGEHEIGHT:\n case TAG_COMP_IMAGE_HEIGHT:\n ImageInfo->Height = entry_value;\n break;\n case TAG_PHOTOMETRIC_INTERPRETATION:\n switch (entry_value) {\n case PMI_BLACK_IS_ZERO:\n case PMI_WHITE_IS_ZERO:\n case PMI_TRANSPARENCY_MASK:\n ImageInfo->IsColor = 0;\n break;\n case PMI_RGB:\n case PMI_PALETTE_COLOR:\n case PMI_SEPARATED:\n case PMI_YCBCR:\n 
case PMI_CIELAB:\n ImageInfo->IsColor = 1;\n break;\n }\n break;\n }\n } else {\n CHECK_BUFFER_R(dir_entry+8, end, 4, 0);\n entry_offset =\n php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);\n /* if entry needs expading ifd cache and entry is at end of\n current ifd cache. */\n /* otherwise there may be huge holes between two entries */\n if (entry_offset + entry_length > dir_offset + ifd_size &&\n entry_offset == dir_offset + ifd_size) {\n ifd_size = entry_offset + entry_length - dir_offset;\n }\n }\n }\n if (ImageInfo->FileSize >=\n dir_offset + ImageInfo->file.list[sn].size) {\n if (ifd_size > dir_size) {\n if (dir_offset + ifd_size > ImageInfo->FileSize) {\n raise_warning(\"Error in TIFF: filesize(x%04lX) less than \"\n \"size of IFD(x%04lX + x%04lX)\",\n ImageInfo->FileSize, dir_offset, ifd_size);\n return 0;\n }\n if (exif_file_sections_realloc(ImageInfo, sn, ifd_size)) {\n return 0;\n } else {\n end = (char*)ImageInfo->file.list[sn].data + dir_size;\n }\n /* read values not stored in directory itself */\n snData = ImageInfo->infile->read(ifd_size-dir_size);\n memcpy(ImageInfo->file.list[sn].data+dir_size, snData.c_str(),\n ifd_size-dir_size);\n }\n /* now process the tags */\n for(i=0;ifile.list[sn].data+2+i*12;\n CHECK_BUFFER_R(dir_entry+2, end, 2, 0);\n entry_tag = php_ifd_get16u(dir_entry+0, ImageInfo->motorola_intel);\n entry_type = php_ifd_get16u(dir_entry+2, ImageInfo->motorola_intel);\n if (entry_tag == TAG_EXIF_IFD_POINTER ||\n entry_tag == TAG_INTEROP_IFD_POINTER ||\n entry_tag == TAG_GPS_IFD_POINTER ||\n entry_tag == TAG_SUB_IFD) {\n switch(entry_tag) {\n case TAG_EXIF_IFD_POINTER:\n ImageInfo->sections_found |= FOUND_EXIF;\n sub_section_index = SECTION_EXIF;\n break;\n case TAG_GPS_IFD_POINTER:\n ImageInfo->sections_found |= FOUND_GPS;\n sub_section_index = SECTION_GPS;\n break;\n case TAG_INTEROP_IFD_POINTER:\n ImageInfo->sections_found |= FOUND_INTEROP;\n sub_section_index = SECTION_INTEROP;\n break;\n case TAG_SUB_IFD:\n 
ImageInfo->sections_found |= FOUND_THUMBNAIL;\n sub_section_index = SECTION_THUMBNAIL;\n break;\n }\n CHECK_BUFFER_R(dir_entry+8, end, 4, 0);\n entry_offset =\n php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);\n ImageInfo->ifd_nesting_level++;\n exif_process_IFD_in_TIFF(ImageInfo, entry_offset,\n sub_section_index);\n if (section_index!=SECTION_THUMBNAIL && entry_tag==TAG_SUB_IFD) {\n if (ImageInfo->Thumbnail.filetype != IMAGE_FILETYPE_UNKNOWN &&\n ImageInfo->Thumbnail.size &&\n ImageInfo->Thumbnail.offset &&\n ImageInfo->read_thumbnail) {\n if (!ImageInfo->Thumbnail.data) {\n ImageInfo->Thumbnail.data =\n (char *)IM_MALLOC(ImageInfo->Thumbnail.size);\n CHECK_ALLOC_R(ImageInfo->Thumbnail.data,\n ImageInfo->Thumbnail.size, 0);\n ImageInfo->infile->seek(ImageInfo->Thumbnail.offset,\n SEEK_SET);\n String str =\n ImageInfo->infile->read(ImageInfo->Thumbnail.size);\n fgot = str.length();\n if (fgot < ImageInfo->Thumbnail.size) {\n raise_warning(\"Thumbnail goes IFD boundary or \"\n \"end of file reached\");\n IM_FREE(ImageInfo->Thumbnail.data);\n ImageInfo->Thumbnail.data = nullptr;\n } else {\n memcpy(ImageInfo->Thumbnail.data, str.c_str(), fgot);\n exif_thumbnail_build(ImageInfo);\n }\n }\n }\n }\n } else {\n if (!exif_process_IFD_TAG(ImageInfo, (char*)dir_entry,\n (char*)(ImageInfo->file.list[sn].data-dir_offset),\n (char*)(ImageInfo->file.list[sn].data + ifd_size),\n ifd_size, 0, section_index, 0, tag_table)) {\n return 0;\n }\n }\n }\n /* If we had a thumbnail in a SUB_IFD we have ANOTHER image in\n NEXT IFD */\n if (next_offset && section_index != SECTION_THUMBNAIL) {\n /* this should be a thumbnail IFD */\n /* the thumbnail itself is stored at Tag=StripOffsets */\n ImageInfo->ifd_nesting_level++;\n exif_process_IFD_in_TIFF(ImageInfo, next_offset,\n SECTION_THUMBNAIL);\n if (!ImageInfo->Thumbnail.data && ImageInfo->Thumbnail.offset &&\n ImageInfo->Thumbnail.size && ImageInfo->read_thumbnail) {\n ImageInfo->Thumbnail.data =\n (char 
*)IM_MALLOC(ImageInfo->Thumbnail.size);\n CHECK_ALLOC_R(ImageInfo->Thumbnail.data,\n ImageInfo->Thumbnail.size, 0);\n ImageInfo->infile->seek(ImageInfo->Thumbnail.offset, SEEK_SET);\n String str = ImageInfo->infile->read(ImageInfo->Thumbnail.size);\n fgot = str.length();\n if (fgot < ImageInfo->Thumbnail.size) {\n raise_warning(\"Thumbnail goes IFD boundary or \"\n \"end of file reached\");\n IM_FREE(ImageInfo->Thumbnail.data);\n ImageInfo->Thumbnail.data = nullptr;\n } else {\n memcpy(ImageInfo->Thumbnail.data, str.c_str(), fgot);\n exif_thumbnail_build(ImageInfo);\n }\n }\n }\n return 1;\n } else {\n raise_warning(\"Error in TIFF: filesize(x%04lX) less than \"\n \"size of IFD(x%04lX)\",\n ImageInfo->FileSize,\n dir_offset+ImageInfo->file.list[sn].size);\n return 0;\n }\n } else {\n raise_warning(\"Error in TIFF: filesize(x%04lX) less than size \"\n \"of IFD dir(x%04lX)\",\n ImageInfo->FileSize, dir_offset+dir_size);\n return 0;\n }\n } else {\n raise_warning(\"Error in TIFF: filesize(x%04lX) less than \"\n \"start of IFD dir(x%04lX)\",\n ImageInfo->FileSize, dir_offset+2);\n return 0;\n }\n}", "project": "hhvm", "hash": 28165869633105710580082672812803172367, "size": 257, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219047 }, { "func": "static inline bool need_preempt(const struct intel_engine_cs *engine,\n\t\t\t\tconst struct i915_request *rq,\n\t\t\t\tstruct rb_node *rb)\n{\n\tint last_prio;\n\n\tif (!intel_engine_has_semaphores(engine))\n\t\treturn false;\n\n\t/*\n\t * Check if the current priority hint merits a preemption attempt.\n\t *\n\t * We record the highest value priority we saw during rescheduling\n\t * prior to this dequeue, therefore we know that if it is strictly\n\t * less than the current tail of ESLP[0], we do not need to force\n\t * a preempt-to-idle cycle.\n\t *\n\t * However, the priority hint is a mere 
hint that we may need to\n\t * preempt. If that hint is stale or we may be trying to preempt\n\t * ourselves, ignore the request.\n\t *\n\t * More naturally we would write\n\t * prio >= max(0, last);\n\t * except that we wish to prevent triggering preemption at the same\n\t * priority level: the task that is running should remain running\n\t * to preserve FIFO ordering of dependencies.\n\t */\n\tlast_prio = max(effective_prio(rq), I915_PRIORITY_NORMAL - 1);\n\tif (engine->execlists.queue_priority_hint <= last_prio)\n\t\treturn false;\n\n\t/*\n\t * Check against the first request in ELSP[1], it will, thanks to the\n\t * power of PI, be the highest priority of that context.\n\t */\n\tif (!list_is_last(&rq->sched.link, &engine->active.requests) &&\n\t rq_prio(list_next_entry(rq, sched.link)) > last_prio)\n\t\treturn true;\n\n\tif (rb) {\n\t\tstruct virtual_engine *ve =\n\t\t\trb_entry(rb, typeof(*ve), nodes[engine->id].rb);\n\t\tbool preempt = false;\n\n\t\tif (engine == ve->siblings[0]) { /* only preempt one sibling */\n\t\t\tstruct i915_request *next;\n\n\t\t\trcu_read_lock();\n\t\t\tnext = READ_ONCE(ve->request);\n\t\t\tif (next)\n\t\t\t\tpreempt = rq_prio(next) > last_prio;\n\t\t\trcu_read_unlock();\n\t\t}\n\n\t\tif (preempt)\n\t\t\treturn preempt;\n\t}\n\n\t/*\n\t * If the inflight context did not trigger the preemption, then maybe\n\t * it was the set of queued requests? 
Pick the highest priority in\n\t * the queue (the first active priolist) and see if it deserves to be\n\t * running instead of ELSP[0].\n\t *\n\t * The highest priority request in the queue can not be either\n\t * ELSP[0] or ELSP[1] as, thanks again to PI, if it was the same\n\t * context, it's priority would not exceed ELSP[0] aka last_prio.\n\t */\n\treturn queue_prio(&engine->execlists) > last_prio;\n}", "project": "linux", "hash": 71150750791009049204844099611633494076, "size": 70, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281486 }, { "func": "static int gfn_to_memslot_approx(struct kvm_memslots *slots, gfn_t gfn)\n{\n\tint start = 0, end = slots->used_slots;\n\tint slot = atomic_read(&slots->lru_slot);\n\tstruct kvm_memory_slot *memslots = slots->memslots;\n\n\tif (gfn >= memslots[slot].base_gfn &&\n\t gfn < memslots[slot].base_gfn + memslots[slot].npages)\n\t\treturn slot;\n\n\twhile (start < end) {\n\t\tslot = start + (end - start) / 2;\n\n\t\tif (gfn >= memslots[slot].base_gfn)\n\t\t\tend = slot;\n\t\telse\n\t\t\tstart = slot + 1;\n\t}\n\n\tif (gfn >= memslots[start].base_gfn &&\n\t gfn < memslots[start].base_gfn + 
memslots[start].npages) {\n\t\tatomic_set(&slots->lru_slot, start);\n\t}\n\n\treturn start;\n}", "project": "linux", "hash": 159643048193941973936019115496720882719, "size": 26, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354708 }, { "func": "static int _nfs4_proc_commit(struct file *dst, struct nfs_commitargs *args,\n\t\t\t\tstruct nfs_commitres *res)\n{\n\tstruct inode *dst_inode = file_inode(dst);\n\tstruct nfs_server *server = NFS_SERVER(dst_inode);\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_COMMIT],\n\t\t.rpc_argp = args,\n\t\t.rpc_resp = res,\n\t};\n\n\targs->fh = NFS_FH(dst_inode);\n\treturn nfs4_call_sync(server->client, server, &msg,\n\t\t\t&args->seq_args, &res->seq_res, 1);\n}", "project": "linux", "hash": 298705019860907528961214821801125717797, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431532 }, { 
"func": "static void print_func_help_header_irq(struct trace_buffer *buf, struct seq_file *m,\n\t\t\t\t unsigned int flags)\n{\n\tbool tgid = flags & TRACE_ITER_RECORD_TGID;\n\tconst char tgid_space[] = \" \";\n\tconst char space[] = \" \";\n\n\tseq_printf(m, \"# %s _-----=> irqs-off\\n\",\n\t\t tgid ? tgid_space : space);\n\tseq_printf(m, \"# %s / _----=> need-resched\\n\",\n\t\t tgid ? tgid_space : space);\n\tseq_printf(m, \"# %s| / _---=> hardirq/softirq\\n\",\n\t\t tgid ? tgid_space : space);\n\tseq_printf(m, \"# %s|| / _--=> preempt-depth\\n\",\n\t\t tgid ? tgid_space : space);\n\tseq_printf(m, \"# %s||| / delay\\n\",\n\t\t tgid ? tgid_space : space);\n\tseq_printf(m, \"# TASK-PID CPU#%s|||| TIMESTAMP FUNCTION\\n\",\n\t\t tgid ? \" TGID \" : space);\n\tseq_printf(m, \"# | | | %s|||| | |\\n\",\n\t\t tgid ? \" | \" : space);\n}", "project": "linux", "hash": 313171145729581026243210700514761932620, "size": 22, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445527 }, { "func": "static void reg_w(struct sd *sd, u16 index, u16 value)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint ret, req = 0;\n\n\tif (sd->gspca_dev.usb_err < 0)\n\t\treturn;\n\n\t/* Avoid things going to fast for the bridge with a xhci host */\n\tudelay(150);\n\n\tswitch (sd->bridge) {\n\tcase BRIDGE_OV511:\n\tcase BRIDGE_OV511PLUS:\n\t\treq = 2;\n\t\tbreak;\n\tcase BRIDGE_OVFX2:\n\t\treq = 0x0a;\n\t\t/* fall through */\n\tcase BRIDGE_W9968CF:\n\t\tgspca_dbg(gspca_dev, D_USBO, \"SET %02x %04x %04x\\n\",\n\t\t\t req, value, index);\n\t\tret = usb_control_msg(sd->gspca_dev.dev,\n\t\t\tusb_sndctrlpipe(sd->gspca_dev.dev, 0),\n\t\t\treq,\n\t\t\tUSB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,\n\t\t\tvalue, index, NULL, 0, 500);\n\t\tgoto leave;\n\tdefault:\n\t\treq = 1;\n\t}\n\n\tgspca_dbg(gspca_dev, D_USBO, \"SET %02x 0000 %04x %02x\\n\",\n\t\t req, index, value);\n\tsd->gspca_dev.usb_buf[0] = value;\n\tret = usb_control_msg(sd->gspca_dev.dev,\n\t\t\tusb_sndctrlpipe(sd->gspca_dev.dev, 0),\n\t\t\treq,\n\t\t\tUSB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,\n\t\t\t0, index,\n\t\t\tsd->gspca_dev.usb_buf, 1, 500);\nleave:\n\tif (ret < 0) {\n\t\tgspca_err(gspca_dev, \"reg_w %02x failed %d\\n\", index, ret);\n\t\tsd->gspca_dev.usb_err = ret;\n\t\treturn;\n\t}\n}", "project": "linux", "hash": 268591987613124558794860898799581752111, "size": 48, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint 
array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306337 }, { "func": "UrnState::~UrnState()\n{\n SWALLOW_EXCEPTIONS({\n if (urlres_e) {\n if (sc)\n storeUnregister(sc, urlres_e, this);\n urlres_e->unlock(\"~UrnState+res\");\n }\n\n if (entry)\n entry->unlock(\"~UrnState+prime\");\n\n safe_free(urlres);\n });\n}", "project": "squid", "hash": 104198610450039499953531436543892094646, "size": 15, "commit_id": "47a085ff06598b64817875769022b8707a0af7db", "message": "Bug 5104: Memory leak in RFC 2169 response parsing (#778)\n\nA temporary parsing buffer was not being released when\nparsing completed.", "target": 0, "dataset": "other", "idx": 306749 }, { "func": "bool fuse_invalid_attr(struct fuse_attr *attr)\n{\n\treturn !fuse_valid_type(attr->mode) ||\n\t\tattr->size > LLONG_MAX;\n}", "project": "linux", "hash": 116037288519171767094995283046900449250, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342161 }, { "func": "static unsigned long __gfn_to_hva_many(struct kvm_memory_slot *slot, gfn_t gfn,\n\t\t\t\t gfn_t *nr_pages, bool write)\n{\n\tif (!slot || slot->flags & KVM_MEMSLOT_INVALID)\n\t\treturn KVM_HVA_ERR_BAD;\n\n\tif (memslot_is_readonly(slot) && write)\n\t\treturn KVM_HVA_ERR_RO_BAD;\n\n\tif (nr_pages)\n\t\t*nr_pages = slot->npages - (gfn - slot->base_gfn);\n\n\treturn __gfn_to_hva_memslot(slot, gfn);\n}", "project": "linux", "hash": 33581625288452943849268978986263889106, "size": 14, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354508 }, { "func": "static int sctp_setsockopt_nodelay(struct 
sock *sk, int *val,\n\t\t\t\t unsigned int optlen)\n{\n\tif (optlen < sizeof(int))\n\t\treturn -EINVAL;\n\tsctp_sk(sk)->nodelay = (*val == 0) ? 0 : 1;\n\treturn 0;\n}", "project": "linux", "hash": 32253863290876898396409699281368608017, "size": 8, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398181 }, { "func": "static Variant preg_match_impl(const StringData* pattern,\n const StringData* subject,\n Variant* subpats, int flags, int start_offset,\n bool global) {\n PCRECache::Accessor accessor;\n if (!pcre_get_compiled_regex_cache(accessor, pattern)) {\n return preg_return_bad_regex_error(false);\n }\n const pcre_cache_entry* pce = accessor.get();\n\n const bool hackArrOutput = flags & PREG_FB_HACK_ARRAYS;\n const bool includeNonMatchingCaptures = flags & PREG_FB__PRIVATE__HSL_IMPL;\n\n pcre_extra extra;\n init_local_extra(&extra, pce->extra);\n if (subpats) {\n *subpats = hackArrOutput ? Array::CreateDict() : Array::CreateDArray();\n }\n int exec_options = 0;\n\n int subpats_order = global ? 
PREG_PATTERN_ORDER : 0;\n bool offset_capture = false;\n if (flags) {\n offset_capture = flags & PREG_OFFSET_CAPTURE;\n\n /*\n * subpats_order is pre-set to pattern mode so we change it only if\n * necessary.\n */\n if (flags & 0xff) {\n subpats_order = flags & 0xff;\n }\n if ((global && (subpats_order < PREG_PATTERN_ORDER ||\n subpats_order > PREG_SET_ORDER)) ||\n (!global && subpats_order != 0)) {\n raise_warning(\"Invalid flags specified\");\n return preg_return_internal_error(init_null());\n }\n }\n\n /* Negative offset counts from the end of the string. */\n if (start_offset < 0) {\n start_offset = subject->size() + start_offset;\n if (start_offset < 0) {\n start_offset = 0;\n }\n }\n\n int size_offsets = 0;\n int* offsets = create_offset_array(pce, size_offsets);\n SmartFreeHelper offsetsFreer(offsets);\n int num_subpats = size_offsets / 3;\n if (offsets == nullptr) {\n return preg_return_internal_error(false);\n }\n\n const char* const* subpat_names = get_subpat_names(pce);\n if (subpat_names == nullptr) {\n return preg_return_internal_error(false);\n }\n\n /* Allocate match sets array and initialize the values. */\n\n /* An array of sets of matches for each subpattern after a global match */\n auto match_sets = hackArrOutput ? Array::CreateDict() : Array::CreateDArray();\n if (global && subpats_order == PREG_PATTERN_ORDER) {\n for (int i = 0; i < num_subpats; i++) {\n match_sets.set(i,\n hackArrOutput ? Array::CreateDict() : Array::CreateDArray());\n }\n }\n\n int matched = 0;\n\n int g_notempty = 0; // If the match should not be empty\n const char** stringlist; // Holds list of subpatterns\n int i;\n do {\n\n int count = 0;\n /*\n * Optimization: If the pattern defines a literal substring,\n * compare the strings directly (i.e. 
memcmp) instead of performing\n * the full regular expression evaluation.\n * Take the slow path if there are any special compile options.\n */\n if (pce->literal_data && !global) {\n assertx(pce->literal_data->isLiteral());\n /* TODO(t13140878): compare literal against multiple substrings\n * in the preg_match_all (global == true) case. */\n count = pce->literal_data->matches(subject, start_offset, offsets) ? 1\n : PCRE_ERROR_NOMATCH;\n } else {\n /* Execute the regular expression. */\n count = pcre_exec(pce->re, &extra, subject->data(), subject->size(),\n start_offset,\n exec_options | g_notempty,\n offsets, size_offsets);\n\n /* The string was already proved to be valid UTF-8 */\n exec_options |= PCRE_NO_UTF8_CHECK;\n }\n /* Check for too many substrings condition. */\n if (count == 0) {\n raise_warning(\"Matched, but too many substrings\");\n count = size_offsets / 3;\n }\n\n /* If something has matched */\n if (count > 0) {\n matched++;\n\n if (subpats) {\n // Try to get the list of substrings and display a warning if failed.\n if (offsets[1] < offsets[0] ||\n pcre_get_substring_list(subject->data(), offsets, count,\n &stringlist) < 0) {\n raise_warning(\"Get subpatterns list failed\");\n return preg_return_internal_error(false);\n }\n\n if (global) { /* global pattern matching */\n if (subpats_order == PREG_PATTERN_ORDER) {\n /* For each subpattern, insert it into the appropriate array. */\n for (i = 0; i < count; i++) {\n auto const length = offsets[(i<<1)+1] - offsets[i<<1];\n auto const match = String(stringlist[i], length, CopyString);\n auto const value = offset_capture\n ? 
Variant(str_offset_pair(match, offsets[i<<1], hackArrOutput))\n : Variant(match);\n auto& arr = asArrRef(match_sets.lval(i));\n assertx(arr->isVectorData());\n arr.set(safe_cast(arr.size()), value);\n }\n /*\n * If the number of captured subpatterns on this run is\n * less than the total possible number, pad the result\n * arrays with empty strings.\n */\n if (count < num_subpats) {\n for (; i < num_subpats; i++) {\n auto& arr = asArrRef(match_sets.lval(i));\n assertx(arr->isVectorData());\n arr.set(safe_cast(arr.size()), empty_string());\n }\n }\n } else {\n auto result_set = hackArrOutput\n ? Array::CreateDict()\n : Array::CreateDArray();\n\n /* Add all the subpatterns to it */\n for (i = 0; i < count; i++) {\n auto const length = offsets[(i<<1)+1] - offsets[i<<1];\n auto const match = String(stringlist[i], length, CopyString);\n auto const value = offset_capture\n ? Variant(str_offset_pair(match, offsets[i<<1], hackArrOutput))\n : Variant(match);\n if (subpat_names[i]) {\n result_set.set(String(subpat_names[i]), value);\n }\n result_set.set(i, value);\n }\n if (includeNonMatchingCaptures && count < num_subpats) {\n auto const match = empty_string();\n for (; i < num_subpats; i++) {\n auto const value = offset_capture\n ? Variant(str_offset_pair(match, offsets[i<<1], hackArrOutput))\n : Variant(match);\n if (subpat_names[i]) {\n result_set.set(String(subpat_names[i]), value);\n }\n result_set.set(i, value);\n }\n }\n /* And add it to the output array */\n auto& arr = subpats->asArrRef();\n assertx(arr->isVectorData());\n arr.set(safe_cast(arr.size()), std::move(result_set));\n }\n } else { /* single pattern matching */\n /* For each subpattern, insert it into the subpatterns array. */\n auto& arr = subpats->asArrRef();\n for (i = 0; i < count; i++) {\n auto const length = offsets[(i<<1)+1] - offsets[i<<1];\n auto const match = String(stringlist[i], length, CopyString);\n auto const value = offset_capture\n ? 
Variant(str_offset_pair(match, offsets[i<<1], hackArrOutput))\n : Variant(match);\n if (subpat_names[i]) {\n arr.set(String(subpat_names[i]), value);\n }\n arr.set(i, value);\n }\n if (includeNonMatchingCaptures && count < num_subpats) {\n auto const match = empty_string();\n for (; i < num_subpats; i++) {\n auto const value = offset_capture\n ? Variant(str_offset_pair(match, offsets[i<<1], hackArrOutput))\n : Variant(match);\n if (subpat_names[i]) {\n arr.set(String(subpat_names[i]), value);\n }\n arr.set(i, value);\n }\n }\n }\n pcre_free((void *) stringlist);\n }\n } else if (count == PCRE_ERROR_NOMATCH) {\n /* If we previously set PCRE_NOTEMPTY after a null match,\n this is not necessarily the end. We need to advance\n the start offset, and continue. Fudge the offset values\n to achieve this, unless we're already at the end of the string. */\n if (g_notempty && start_offset < subject->size()) {\n offsets[0] = start_offset;\n offsets[1] = start_offset + 1;\n } else\n break;\n } else {\n if (pcre_need_log_error(count)) {\n pcre_log_error(__FUNCTION__, __LINE__, count,\n pattern->data(), pattern->size(),\n subject->data(), subject->size(),\n \"\", 0,\n flags, start_offset, g_notempty, global);\n }\n return preg_return_pcre_error(count, false);\n }\n\n /* If we have matched an empty string, mimic what Perl's /g options does.\n This turns out to be rather cunning. First we set PCRE_NOTEMPTY and try\n the match again at the same point. If this fails (picked up above) we\n advance to the next character. */\n g_notempty = (offsets[1] == offsets[0])? 
PCRE_NOTEMPTY | PCRE_ANCHORED : 0;\n\n /* Advance to the position right after the last full match */\n start_offset = offsets[1];\n } while (global);\n\n /* Add the match sets to the output array and clean up */\n if (subpats && global && subpats_order == PREG_PATTERN_ORDER) {\n auto& arr = subpats->asArrRef();\n for (i = 0; i < num_subpats; i++) {\n if (subpat_names[i]) {\n arr.set(String(subpat_names[i]), match_sets[i]);\n }\n arr.set(i, match_sets[i]);\n }\n }\n return preg_return_no_error(std::move(matched));\n}", "project": "hhvm", "hash": 255146715088431621612610538018660630094, "size": 252, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219341 }, { "func": "static int io_sq_offload_start(struct io_ring_ctx *ctx,\n\t\t\t struct io_uring_params *p)\n{\n\tint ret;\n\n\tmmgrab(current->mm);\n\tctx->sqo_mm = current->mm;\n\n\tif (ctx->flags & IORING_SETUP_SQPOLL) {\n\t\tret = -EPERM;\n\t\tif (!capable(CAP_SYS_ADMIN))\n\t\t\tgoto err;\n\n\t\tctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);\n\t\tif (!ctx->sq_thread_idle)\n\t\t\tctx->sq_thread_idle = HZ;\n\n\t\tif (p->flags & IORING_SETUP_SQ_AFF) {\n\t\t\tint cpu = p->sq_thread_cpu;\n\n\t\t\tret = -EINVAL;\n\t\t\tif (cpu >= nr_cpu_ids)\n\t\t\t\tgoto err;\n\t\t\tif (!cpu_online(cpu))\n\t\t\t\tgoto err;\n\n\t\t\tctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,\n\t\t\t\t\t\t\tctx, cpu,\n\t\t\t\t\t\t\t\"io_uring-sq\");\n\t\t} else {\n\t\t\tctx->sqo_thread = kthread_create(io_sq_thread, ctx,\n\t\t\t\t\t\t\t\"io_uring-sq\");\n\t\t}\n\t\tif (IS_ERR(ctx->sqo_thread)) {\n\t\t\tret = PTR_ERR(ctx->sqo_thread);\n\t\t\tctx->sqo_thread = NULL;\n\t\t\tgoto err;\n\t\t}\n\t\twake_up_process(ctx->sqo_thread);\n\t} else if (p->flags & IORING_SETUP_SQ_AFF) {\n\t\t/* Can't have SQ_AFF without SQPOLL */\n\t\tret = -EINVAL;\n\t\tgoto err;\n\t}\n\n\tret = io_init_wq_offload(ctx, p);\n\tif 
(ret)\n\t\tgoto err;\n\n\treturn 0;\nerr:\n\tio_finish_async(ctx);\n\tif (ctx->sqo_mm) {\n\t\tmmdrop(ctx->sqo_mm);\n\t\tctx->sqo_mm = NULL;\n\t}\n\treturn ret;\n}", "project": "linux", "hash": 129012252525103379849880590047911863750, "size": 58, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456963 }, { "func": "static bool kvm_hv_msr_partition_wide(u32 msr)\n{\n\tbool r = false;\n\n\tswitch (msr) {\n\tcase HV_X64_MSR_GUEST_OS_ID:\n\tcase HV_X64_MSR_HYPERCALL:\n\tcase HV_X64_MSR_REFERENCE_TSC:\n\tcase HV_X64_MSR_TIME_REF_COUNT:\n\tcase HV_X64_MSR_CRASH_CTL:\n\tcase HV_X64_MSR_CRASH_P0 ... HV_X64_MSR_CRASH_P4:\n\tcase HV_X64_MSR_RESET:\n\tcase HV_X64_MSR_REENLIGHTENMENT_CONTROL:\n\tcase HV_X64_MSR_TSC_EMULATION_CONTROL:\n\tcase HV_X64_MSR_TSC_EMULATION_STATUS:\n\tcase HV_X64_MSR_SYNDBG_OPTIONS:\n\tcase HV_X64_MSR_SYNDBG_CONTROL ... 
HV_X64_MSR_SYNDBG_PENDING_BUFFER:\n\t\tr = true;\n\t\tbreak;\n\t}\n\n\treturn r;\n}", "project": "linux", "hash": 162756733636231743389741361416531615452, "size": 23, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343531 }, { "func": "static int blosc_d(\n struct thread_context* thread_context, int32_t bsize,\n int32_t leftoverblock, const uint8_t* src, int32_t srcsize, int32_t src_offset,\n uint8_t* dest, int32_t dest_offset, uint8_t* tmp, uint8_t* tmp2) {\n blosc2_context* context = thread_context->parent_context;\n uint8_t* filters = context->filters;\n uint8_t *tmp3 = thread_context->tmp4;\n int32_t compformat = (context->header_flags & 0xe0) >> 5;\n int dont_split = (context->header_flags & 0x10) >> 4;\n //uint8_t blosc_version_format = src[0];\n int nstreams;\n int32_t neblock;\n int32_t nbytes; /* number of decompressed bytes in split */\n int32_t cbytes; /* number of compressed bytes in split */\n int32_t ctbytes = 0; /* number of compressed bytes in block */\n int32_t ntbytes = 0; /* number of uncompressed bytes in block */\n uint8_t* _dest;\n int32_t typesize = context->typesize;\n int32_t nblock = dest_offset / context->blocksize;\n const char* compname;\n\n if (context->block_maskout != NULL && context->block_maskout[nblock]) {\n // Do not decompress, but act as if we successfully decompressed everything\n return bsize;\n }\n\n if (src_offset <= 0 || src_offset >= srcsize) {\n /* Invalid block src offset encountered */\n return -1;\n }\n\n src += src_offset;\n srcsize -= src_offset;\n\n int last_filter_index = last_filter(filters, 'd');\n\n if ((last_filter_index >= 0) &&\n (next_filter(filters, BLOSC2_MAX_FILTERS, 'd') != BLOSC_DELTA)) {\n // We are making use of some filter, so use a temp for destination\n _dest = tmp;\n } else {\n // If 
no filters, or only DELTA in pipeline\n _dest = dest + dest_offset;\n }\n\n /* The number of compressed data streams for this block */\n if (!dont_split && !leftoverblock && !context->use_dict) {\n // We don't want to split when in a training dict state\n nstreams = (int32_t)typesize;\n }\n else {\n nstreams = 1;\n }\n\n neblock = bsize / nstreams;\n for (int j = 0; j < nstreams; j++) {\n if (srcsize < sizeof(int32_t)) {\n /* Not enough input to read compressed size */\n return -1;\n }\n srcsize -= sizeof(int32_t);\n cbytes = sw32_(src); /* amount of compressed bytes */\n if (cbytes > 0) {\n if (srcsize < cbytes) {\n /* Not enough input to read compressed bytes */\n return -1;\n }\n srcsize -= cbytes;\n }\n src += sizeof(int32_t);\n ctbytes += (int32_t)sizeof(int32_t);\n\n /* Uncompress */\n if (cbytes <= 0) {\n // A run\n if (cbytes < -255) {\n // Runs can only encode a byte\n return -2;\n }\n uint8_t value = -cbytes;\n memset(_dest, value, (unsigned int)neblock);\n nbytes = neblock;\n cbytes = 0; // everything is encoded in the cbytes token\n }\n else if (cbytes == neblock) {\n memcpy(_dest, src, (unsigned int)neblock);\n nbytes = (int32_t)neblock;\n }\n else {\n if (compformat == BLOSC_BLOSCLZ_FORMAT) {\n nbytes = blosclz_decompress(src, cbytes, _dest, (int)neblock);\n }\n #if defined(HAVE_LZ4)\n else if (compformat == BLOSC_LZ4_FORMAT) {\n nbytes = lz4_wrap_decompress((char*)src, (size_t)cbytes,\n (char*)_dest, (size_t)neblock);\n }\n #endif /* HAVE_LZ4 */\n #if defined(HAVE_LIZARD)\n else if (compformat == BLOSC_LIZARD_FORMAT) {\n nbytes = lizard_wrap_decompress((char*)src, (size_t)cbytes,\n (char*)_dest, (size_t)neblock);\n }\n #endif /* HAVE_LIZARD */\n #if defined(HAVE_SNAPPY)\n else if (compformat == BLOSC_SNAPPY_FORMAT) {\n nbytes = snappy_wrap_decompress((char*)src, (size_t)cbytes,\n (char*)_dest, (size_t)neblock);\n }\n #endif /* HAVE_SNAPPY */\n #if defined(HAVE_ZLIB)\n else if (compformat == BLOSC_ZLIB_FORMAT) {\n nbytes = 
zlib_wrap_decompress((char*)src, (size_t)cbytes,\n (char*)_dest, (size_t)neblock);\n }\n #endif /* HAVE_ZLIB */\n #if defined(HAVE_ZSTD)\n else if (compformat == BLOSC_ZSTD_FORMAT) {\n nbytes = zstd_wrap_decompress(thread_context,\n (char*)src, (size_t)cbytes,\n (char*)_dest, (size_t)neblock);\n }\n #endif /* HAVE_ZSTD */\n else {\n compname = clibcode_to_clibname(compformat);\n fprintf(stderr,\n \"Blosc has not been compiled with decompression \"\n \"support for '%s' format. \", compname);\n fprintf(stderr, \"Please recompile for adding this support.\\n\");\n return -5; /* signals no decompression support */\n }\n\n /* Check that decompressed bytes number is correct */\n if (nbytes != neblock) {\n return -2;\n }\n\n }\n src += cbytes;\n ctbytes += cbytes;\n _dest += nbytes;\n ntbytes += nbytes;\n } /* Closes j < nstreams */\n\n if (last_filter_index >= 0) {\n int errcode = pipeline_d(context, bsize, dest, dest_offset, tmp, tmp2, tmp3,\n last_filter_index);\n if (errcode < 0)\n return errcode;\n }\n\n /* Return the number of uncompressed bytes */\n return (int)ntbytes;\n}", "project": "c-blosc2", "hash": 160117951850961190713572459081964126060, "size": 154, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303094 }, { "func": "static u8 hci_get_auth_req(struct hci_conn *conn)\n{\n\t/* If remote requests no-bonding follow that lead */\n\tif (conn->remote_auth == HCI_AT_NO_BONDING ||\n\t conn->remote_auth == HCI_AT_NO_BONDING_MITM)\n\t\treturn conn->remote_auth | (conn->auth_type & 0x01);\n\n\t/* If both remote and local have enough IO capabilities, require\n\t * MITM protection\n\t */\n\tif (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&\n\t conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)\n\t\treturn conn->remote_auth | 0x01;\n\n\t/* No MITM protection possible so ignore remote requirement */\n\treturn (conn->remote_auth & 
~0x01) | (conn->auth_type & 0x01);\n}", "project": "linux", "hash": 50475379913766896849868968508123862081, "size": 17, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431906 }, { "func": "static void signal_delivered(struct ksignal *ksig, int stepping)\n{\n\tsigset_t blocked;\n\n\t/* A signal was successfully delivered, and the\n\t saved sigmask was stored on the signal frame,\n\t and will be restored by sigreturn. So we can\n\t simply clear the restore sigmask flag. */\n\tclear_restore_sigmask();\n\n\tsigorsets(&blocked, ¤t->blocked, &ksig->ka.sa.sa_mask);\n\tif (!(ksig->ka.sa.sa_flags & SA_NODEFER))\n\t\tsigaddset(&blocked, ksig->sig);\n\tset_current_blocked(&blocked);\n\ttracehook_signal_handler(stepping);\n}", "project": "linux", "hash": 132721459896624133914871799419706305144, "size": 16, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375292 }, { "func": "uint32_t ssh_buffer_pass_bytes(struct ssh_buffer_struct *buffer, uint32_t len){\n buffer_verify(buffer);\n\n if (buffer->pos + len < len || buffer->used < buffer->pos + len) {\n return 0;\n }\n\n buffer->pos+=len;\n /* if the buffer is empty after having passed the whole bytes into it, we can clean it */\n if(buffer->pos==buffer->used){\n buffer->pos=0;\n buffer->used=0;\n }\n buffer_verify(buffer);\n return len;\n}", "project": "libssh-mirror", "hash": 306101965913245193165031336639848995161, "size": 16, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345172 }, { "func": "static inline bool kvm_request_pending(struct kvm_vcpu *vcpu)\n{\n\treturn READ_ONCE(vcpu->requests);\n}", "project": "linux", "hash": 307964118238849623480861927780873852912, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354548 }, { "func": "static inline unsigned long fuse_get_user_addr(const struct iov_iter *ii)\n{\n\treturn (unsigned long)ii->iov->iov_base + ii->iov_offset;\n}", "project": "linux", "hash": 
71106224258729979603384555020365055850, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342019 }, { "func": "static void cmd_post(char *msgid, int mode)\n{\n char *mboxname;\n FILE *f = NULL;\n message_data_t *msg;\n int r = 0;\n\n /* check if we want this article */\n if (msgid && my_find_msgid(msgid, &mboxname, NULL)) {\n\t/* already have it */\n\tsyslog(LOG_INFO,\n\t \"dupelim: news article id %s already present in mailbox %s\",\n\t msgid, mboxname);\n\tr = NNTP_DONT_SEND;\n }\n\n if (mode != POST_TAKETHIS) {\n\tif (r) {\n\t prot_printf(nntp_out, \"%u %s Do not send article\\r\\n\",\n\t\t\tpost_codes[mode].no, msgid ? msgid : \"\");\n\t return;\n\t}\n\telse {\n\t prot_printf(nntp_out, \"%u %s Send article\\r\\n\",\n\t\t\tpost_codes[mode].cont, msgid ? 
msgid : \"\");\n\t if (mode == POST_CHECK) return;\n\t}\n }\n\n /* get a spool file (if needed) */\n if (!r) {\n\tf = tmpfile();\n\tif (!f) r = IMAP_IOERROR;\n }\n\n if (f) {\n\tmsg_new(&msg);\n\n\t/* spool the article */\n\tr = savemsg(msg, f);\n\n\t/* deliver the article */\n\tif (!r) r = deliver(msg);\n\n\tif (!r) {\n\t prot_printf(nntp_out, \"%u %s Article received ok\\r\\n\",\n\t\t\tpost_codes[mode].ok, msg->id ? msg->id : \"\");\n#if 0 /* XXX Need to review control message auth/authz and implementation */\n\t /* process control messages */\n\t if (msg->control && !config_mupdate_server) {\n\t\tint r1 = 0;\n\n\t\t/* XXX check PGP signature */\n\t\tif (!strncmp(msg->control, \"newgroup\", 8))\n\t\t r1 = newgroup(msg);\n\t\telse if (!strncmp(msg->control, \"rmgroup\", 7))\n\t\t r1 = rmgroup(msg);\n\t\telse if (!strncmp(msg->control, \"mvgroup\", 7))\n\t\t r1 = mvgroup(msg);\n\t\telse if (!strncmp(msg->control, \"cancel\", 6))\n\t\t r1 = cancel(msg);\n\t\telse\n\t\t r1 = NNTP_UNKNOWN_CONTROLMSG;\n\n\t\tif (r1)\n\t\t syslog(LOG_WARNING, \"control message '%s' failed: %s\",\n\t\t\t msg->control, error_message(r1));\n\t\telse {\n\t\t syslog(LOG_INFO, \"control message '%s' succeeded\",\n\t\t\t msg->control);\n\t\t}\n\t }\n#endif\n\t if (msg->id) {\n\t\tconst char *peers = config_getstring(IMAPOPT_NEWSPEER);\n\n\t\t/* send the article upstream */\n\t\tif (peers) {\n\t\t char *tmpbuf, *cur_peer, *next_peer;\n\n\t\t /* make a working copy of the peers */\n\t\t cur_peer = tmpbuf = xstrdup(peers);\n\n\t\t while (cur_peer) {\n\t\t\t/* eat any leading whitespace */\n\t\t\twhile (Uisspace(*cur_peer)) cur_peer++;\n\n\t\t\t/* find end of peer */\n\t\t\tif ((next_peer = strchr(cur_peer, ' ')) ||\n\t\t\t (next_peer = strchr(cur_peer, '\\t')))\n\t\t\t *next_peer++ = '\\0';\n\n\t\t\t/* feed the article to this peer */\n\t\t\tfeedpeer(cur_peer, msg);\n\n\t\t\t/* move to next peer */\n\t\t\tcur_peer = next_peer;\n\t\t }\n\n\t\t free(tmpbuf);\n\t\t}\n\n\t\t/* gateway news to mail 
*/\n\t\tnews2mail(msg);\n\t }\n\t}\n\n\tmsg_free(msg); /* does fclose() */\n\tif (stage) append_removestage(stage);\n\tstage = NULL;\n }\n else {\n\t/* flush the article from the stream */\n\tspool_copy_msg(nntp_in, NULL);\n }\n\n if (r) {\n\tprot_printf(nntp_out, \"%u %s Failed receiving article (%s)\\r\\n\",\n\t\t post_codes[mode].fail, msgid ? msgid : \"\",\n\t\t error_message(r));\n }\n\n prot_flush(nntp_out);\n}", "project": "cyrus-imapd", "hash": 287309456173288951154486340471656213963, "size": 124, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451897 }, { "func": "static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,\n\t\t\t struct inode **inode, unsigned *seqp)\n{\n\tfor (;;) {\n\t\tstruct mount *mounted;\n\t\t/*\n\t\t * Don't forget we might have a non-mountpoint managed dentry\n\t\t * that wants to block transit.\n\t\t */\n\t\tswitch (managed_dentry_rcu(path)) {\n\t\tcase -ECHILD:\n\t\tdefault:\n\t\t\treturn false;\n\t\tcase -EISDIR:\n\t\t\treturn true;\n\t\tcase 0:\n\t\t\tbreak;\n\t\t}\n\n\t\tif (!d_mountpoint(path->dentry))\n\t\t\treturn !(path->dentry->d_flags & DCACHE_NEED_AUTOMOUNT);\n\n\t\tmounted = __lookup_mnt(path->mnt, path->dentry);\n\t\tif (!mounted)\n\t\t\tbreak;\n\t\tpath->mnt = &mounted->mnt;\n\t\tpath->dentry = mounted->mnt.mnt_root;\n\t\tnd->flags |= LOOKUP_JUMPED;\n\t\t*seqp = read_seqcount_begin(&path->dentry->d_seq);\n\t\t/*\n\t\t * Update the inode too. 
We don't need to re-check the\n\t\t * dentry sequence number here after this d_inode read,\n\t\t * because a mount-point is always pinned.\n\t\t */\n\t\t*inode = path->dentry->d_inode;\n\t}\n\treturn !read_seqretry(&mount_lock, nd->m_seq) &&\n\t\t!(path->dentry->d_flags & DCACHE_NEED_AUTOMOUNT);\n}", "project": "linux", "hash": 68029399765713833000386477724852239746, "size": 39, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295437 }, { "func": "static void sctp_for_each_tx_datachunk(struct sctp_association *asoc,\n\t\t\t\t bool clear,\n\t\t\t\t void (*cb)(struct sctp_chunk *))\n\n{\n\tstruct sctp_datamsg *msg, *prev_msg = NULL;\n\tstruct sctp_outq *q = &asoc->outqueue;\n\tstruct sctp_chunk *chunk, *c;\n\tstruct sctp_transport *t;\n\n\tlist_for_each_entry(t, &asoc->peer.transport_addr_list, transports)\n\t\tlist_for_each_entry(chunk, &t->transmitted, transmitted_list)\n\t\t\ttraverse_and_process();\n\n\tlist_for_each_entry(chunk, &q->retransmit, transmitted_list)\n\t\ttraverse_and_process();\n\n\tlist_for_each_entry(chunk, &q->sacked, transmitted_list)\n\t\ttraverse_and_process();\n\n\tlist_for_each_entry(chunk, &q->abandoned, transmitted_list)\n\t\ttraverse_and_process();\n\n\tlist_for_each_entry(chunk, &q->out_chunk_list, list)\n\t\ttraverse_and_process();\n}", "project": "linux", "hash": 55290403141249923046893974510656492503, "size": 26, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any 
proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398207 }, { "func": "bool kvm_make_all_cpus_request(struct kvm *kvm, unsigned int req)\n{\n\tcpumask_var_t cpus;\n\tbool called;\n\n\tzalloc_cpumask_var(&cpus, GFP_ATOMIC);\n\n\tcalled = kvm_make_vcpus_request_mask(kvm, req, NULL, cpus);\n\n\tfree_cpumask_var(cpus);\n\treturn called;\n}", "project": "linux", "hash": 131495402111343223712518595249320168590, "size": 12, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354701 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void MediaElementAudioSourceNode::dispose()\n{\n m_mediaElement->setAudioSourceNode(0);\n uninitialize();\n 
AudioSourceNode::dispose();\n}\n", "cwe": "", "big_vul_idx": 139703, "idx": 124851, "hash": 213143519144992084598555471004954472205 }, { "func": "static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,\n\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_le_read_buffer_size *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->le_mtu = __le16_to_cpu(rp->le_mtu);\n\thdev->le_pkts = rp->le_max_pkt;\n\n\thdev->le_cnt = hdev->le_pkts;\n\n\tBT_DBG(\"%s le mtu %d:%d\", hdev->name, hdev->le_mtu, hdev->le_pkts);\n}", "project": "linux", "hash": 97727366777912604796849549299967537166, "size": 17, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431995 }, { "func": "int64_t OpLevelCostEstimator::CalculateTensorSize(\n const OpInfo::TensorProperties& tensor, bool* found_unknown_shapes) {\n int64_t count = CalculateTensorElementCount(tensor, found_unknown_shapes);\n int size = DataTypeSize(BaseType(tensor.dtype()));\n VLOG(2) << \"Count: \" << count << \" DataTypeSize: \" << size;\n return count * size;\n}", "project": "tensorflow", "hash": 30356833384239526298374288181452483910, "size": 7, "commit_id": "fcd18ce3101f245b083b30655c27b239dc72221e", "message": "Prevent integer overflow in `OpLevelCostEstimator::CalculateTensorSize`.\n\nIn order to not change the API, we return a negative value 
in case of overflow. A better fix is to change the API to return a status instead.\n\nPiperOrigin-RevId: 408713061\nChange-Id: I3771475b0c72a2844a3854086966562fd33f2da5", "target": 1, "dataset": "other", "idx": 195387 }, { "func": "void LanLinkProvider::encrypted()\n{\n qCDebug(KDECONNECT_CORE) << \"Socket successfully established an SSL connection\";\n\n QSslSocket* socket = qobject_cast(sender());\n if (!socket) return;\n\n Q_ASSERT(socket->mode() != QSslSocket::UnencryptedMode);\n LanDeviceLink::ConnectionStarted connectionOrigin = (socket->mode() == QSslSocket::SslClientMode)? LanDeviceLink::Locally : LanDeviceLink::Remotely;\n\n NetworkPacket* receivedPacket = m_receivedIdentityPackets[socket].np;\n const QString& deviceId = receivedPacket->get(QStringLiteral(\"deviceId\"));\n\n addLink(deviceId, socket, receivedPacket, connectionOrigin);\n\n // Copied from tcpSocketConnected slot, now delete received packet\n delete m_receivedIdentityPackets.take(socket).np;\n}", "project": "kdeconnect-kde", "hash": 149617593382637356125094296200473053480, "size": 18, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227364 }, { "func": "int headerPut(Header h, rpmtd td, headerPutFlags flags)\n{\n int rc;\n \n assert(td != NULL);\n if (flags & HEADERPUT_APPEND) {\n\trc = findEntry(h, td->tag, td->type) ?\n\t\tintAppendEntry(h, td) :\n\t\tintAddEntry(h, td);\n } else {\n\trc = intAddEntry(h, td);\n }\n return rc;\n}", "project": "rpm", "hash": 70077594011064460093049264701556680728, "size": 14, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318152 }, { "func": "static inline void __tcp_fast_path_on(struct tcp_sock *tp, u32 
snd_wnd)\n{\n\ttp->pred_flags = htonl((tp->tcp_header_len << 26) |\n\t\t\t ntohl(TCP_FLAG_ACK) |\n\t\t\t snd_wnd);\n}", "project": "linux", "hash": 9847037853206421943627989220381475472, "size": 6, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410756 }, { "func": "static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,\n\t\t\t\t char __user *optval, int __user *optlen)\n{\n\tstruct sctp_authchunks __user *p = (void __user *)optval;\n\tstruct sctp_authchunks val;\n\tstruct sctp_association *asoc;\n\tstruct sctp_chunks_param *ch;\n\tu32 num_chunks = 0;\n\tchar __user *to;\n\n\tif (len < sizeof(struct sctp_authchunks))\n\t\treturn -EINVAL;\n\n\tif (copy_from_user(&val, optval, sizeof(val)))\n\t\treturn -EFAULT;\n\n\tto = p->gauth_chunks;\n\tasoc = sctp_id2assoc(sk, val.gauth_assoc_id);\n\tif (!asoc)\n\t\treturn -EINVAL;\n\n\tif (!asoc->peer.auth_capable)\n\t\treturn -EACCES;\n\n\tch = asoc->peer.peer_chunks;\n\tif (!ch)\n\t\tgoto num;\n\n\t/* See if the user provided enough room for all the data */\n\tnum_chunks = ntohs(ch->param_hdr.length) - sizeof(struct sctp_paramhdr);\n\tif (len < num_chunks)\n\t\treturn -EINVAL;\n\n\tif (copy_to_user(to, ch->chunks, num_chunks))\n\t\treturn -EFAULT;\nnum:\n\tlen = sizeof(struct sctp_authchunks) + num_chunks;\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\tif (put_user(num_chunks, &p->gauth_number_of_chunks))\n\t\treturn -EFAULT;\n\treturn 0;\n}", "project": "linux", "hash": 313066170713277861933254121893051219391, "size": 43, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398190 }, { "func": "static int gdLayerOverlay (int dst, int src)\n{\n\tint a1, a2;\n\ta1 = gdAlphaMax - gdTrueColorGetAlpha(dst);\n\ta2 = gdAlphaMax - gdTrueColorGetAlpha(src);\n\treturn ( ((gdAlphaMax - a1*a2/gdAlphaMax) << 24) +\n\t\t(gdAlphaOverlayColor( gdTrueColorGetRed(src), gdTrueColorGetRed(dst), gdRedMax ) << 16) +\n\t\t(gdAlphaOverlayColor( gdTrueColorGetGreen(src), gdTrueColorGetGreen(dst), gdGreenMax ) << 8) +\n\t\t(gdAlphaOverlayColor( gdTrueColorGetBlue(src), gdTrueColorGetBlue(dst), gdBlueMax ))\n\t\t);\n}", "project": "php-src", "hash": 35406473542547142602957853332726030030, "size": 11, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295164 }, { "func": "void CSoundFile::FineVolumeUp(ModChannel *pChn, ModCommand::PARAM param, bool volCol) const\n{\n\tif(GetType() == MOD_TYPE_XM)\n\t{\n\t\t// FT2 compatibility: EAx / EBx memory is not linked\n\t\t// Test case: FineVol-LinkMem.xm\n\t\tif(param) pChn->nOldFineVolUpDown = (param << 4) | (pChn->nOldFineVolUpDown & 0x0F); else param = (pChn->nOldFineVolUpDown >> 4);\n\t} else if(volCol)\n\t{\n\t\tif(param) pChn->nOldVolParam = param; else param = pChn->nOldVolParam;\n\t} else\n\t{\n\t\tif(param) pChn->nOldFineVolUpDown = param; else param = 
pChn->nOldFineVolUpDown;\n\t}\n\n\tif(pChn->isFirstTick)\n\t{\n\t\tpChn->nVolume += param * 4;\n\t\tif(pChn->nVolume > 256) pChn->nVolume = 256;\n\t\tif(GetType() & MOD_TYPE_MOD) pChn->dwFlags.set(CHN_FASTVOLRAMP);\n\t}\n}", "project": "openmpt", "hash": 130937433840025106768246663280454115261, "size": 22, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255176 }, { "func": "nfs4_label_release_security(struct nfs4_label *label)\n{\n\tif (label)\n\t\tsecurity_release_secctx(label->label, label->len);\n}", "project": "linux", "hash": 45228447072026311545148358377468740501, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431130 }, { "func": "static rsRetVal qDelDisk(qqueue_t *pThis)\n{\n\tobj_t *pDummyObj;\t/* we need to deserialize it... */\n\tDEFiRet;\n\n\tint64 offsIn;\n\tint64 offsOut;\n\n\tCHKiRet(strm.GetCurrOffset(pThis->tVars.disk.pReadDel, &offsIn));\n\tCHKiRet(obj.Deserialize(&pDummyObj, (uchar*) \"msg\", pThis->tVars.disk.pReadDel, NULL, NULL));\n\tobjDestruct(pDummyObj);\n\tCHKiRet(strm.GetCurrOffset(pThis->tVars.disk.pReadDel, &offsOut));\n\n\t/* This time it is a bit tricky: we free disk space only upon file deletion. 
So we need\n\t * to keep track of what we have read until we get an out-offset that is lower than the\n\t * in-offset (which indicates file change). Then, we can subtract the whole thing from\n\t * the on-disk size. -- rgerhards, 2008-01-30\n\t */\n\tif(offsIn < offsOut) {\n\t\tpThis->tVars.disk.bytesRead += offsOut - offsIn;\n\t} else {\n\t\tpThis->tVars.disk.sizeOnDisk -= pThis->tVars.disk.bytesRead;\n\t\tpThis->tVars.disk.bytesRead = offsOut;\n\t\tDBGOPRINT((obj_t*) pThis, \"a file has been deleted, now %lld octets disk space used\\n\", pThis->tVars.disk.sizeOnDisk);\n\t\t/* awake possibly waiting enq process */\n\t\tpthread_cond_signal(&pThis->notFull); /* we hold the mutex while we are in here! */\n\t}\n\nfinalize_it:\n\tRETiRet;\n}", "project": "rsyslog", "hash": 133364267017211796342107744534073439289, "size": 31, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373785 }, { "func": "static void evdev_pass_values(struct evdev_client *client,\n\t\t\tconst struct input_value *vals, unsigned int count,\n\t\t\tktime_t mono, ktime_t real)\n{\n\tstruct evdev *evdev = client->evdev;\n\tconst struct input_value *v;\n\tstruct input_event event;\n\tbool wakeup = false;\n\n\tevent.time = ktime_to_timeval(client->clkid == CLOCK_MONOTONIC ?\n\t\t\t\t mono : real);\n\n\t/* Interrupts are disabled, just acquire the lock. 
*/\n\tspin_lock(&client->buffer_lock);\n\n\tfor (v = vals; v != vals + count; v++) {\n\t\tevent.type = v->type;\n\t\tevent.code = v->code;\n\t\tevent.value = v->value;\n\t\t__pass_event(client, &event);\n\t\tif (v->type == EV_SYN && v->code == SYN_REPORT)\n\t\t\twakeup = true;\n\t}\n\n\tspin_unlock(&client->buffer_lock);\n\n\tif (wakeup)\n\t\twake_up_interruptible(&evdev->wait);\n}", "project": "linux", "hash": 205290035242294583042308739949683608924, "size": 29, "commit_id": "483180281f0ac60d1138710eb21f4b9961901294", "message": "Input: evdev - flush queues during EVIOCGKEY-like ioctls\n\nIf userspace requests current KEY-state, they very likely assume that no\nsuch events are pending in the output queue of the evdev device.\nOtherwise, they will parse events which they already handled via\nEVIOCGKEY(). For XKB applications this can cause irreversible keyboard\nstates if a modifier is locked multiple times because a CTRL-DOWN event is\nhandled once via EVIOCGKEY() and once from the queue via read(), even\nthough it should handle it only once.\n\nTherefore, lets do the only logical thing and flush the evdev queue\natomically during this ioctl. We only flush events that are affected by\nthe given ioctl.\n\nThis only affects boolean events like KEY, SND, SW and LED. ABS, REL and\nothers are not affected as duplicate events can be handled gracefully by\nuser-space.\n\nNote: This actually breaks semantics of the evdev ABI. However,\ninvestigations showed that userspace already expects the new semantics and\nwe end up fixing at least all XKB applications.\nAll applications that are aware of this race-condition mirror the KEY\nstate for each open-file and detect/drop duplicate events. Hence, they do\nnot care whether duplicates are posted or not and work fine with this fix.\n\nAlso note that we need proper locking to guarantee atomicity and avoid\ndead-locks. 
event_lock must be locked before queue_lock (see input-core).\nHowever, we can safely release event_lock while flushing the queue. This\nallows the input-core to proceed with pending events and only stop if it\nneeds our queue_lock to post new events.\nThis should guarantee that we don't block event-dispatching for too long\nwhile flushing a single event queue.\n\nSigned-off-by: David Herrmann \nAcked-by: Peter Hutterer \nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 381727 }, { "func": "otError Commissioner::AddJoiner(const Mac::ExtAddress *aEui64, const char *aPskd, uint32_t aTimeout)\n{\n otError error = OT_ERROR_NO_BUFS;\n\n VerifyOrExit(mState == OT_COMMISSIONER_STATE_ACTIVE, error = OT_ERROR_INVALID_STATE);\n\n VerifyOrExit(strnlen(aPskd, Dtls::kPskMaxLength + 1) <= Dtls::kPskMaxLength, error = OT_ERROR_INVALID_ARGS);\n\n RemoveJoiner(aEui64, 0); // remove immediately\n\n for (Joiner *joiner = &mJoiners[0]; joiner < OT_ARRAY_END(mJoiners); joiner++)\n {\n if (joiner->mValid)\n {\n continue;\n }\n\n if (aEui64 != NULL)\n {\n joiner->mEui64 = *aEui64;\n joiner->mAny = false;\n }\n else\n {\n joiner->mAny = true;\n }\n\n (void)strlcpy(joiner->mPsk, aPskd, sizeof(joiner->mPsk));\n joiner->mValid = true;\n joiner->mExpirationTime = TimerMilli::GetNow() + Time::SecToMsec(aTimeout);\n\n UpdateJoinerExpirationTimer();\n\n SendCommissionerSet();\n\n otLogInfoMeshCoP(\"Added Joiner (%s, %s)\", (aEui64 != NULL) ? 
aEui64->ToString().AsCString() : \"*\", aPskd);\n\n ExitNow(error = OT_ERROR_NONE);\n }\n\nexit:\n return error;\n}", "project": "openthread", "hash": 174584353248319508290649237050080322123, "size": 43, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269885 }, { "func": "static int power_check_constraints(struct cpu_hw_events *cpuhw,\n\t\t\t\t u64 event_id[], unsigned int cflags[],\n\t\t\t\t int n_ev, struct perf_event **event)\n{\n\tunsigned long mask, value, nv;\n\tunsigned long smasks[MAX_HWEVENTS], svalues[MAX_HWEVENTS];\n\tint n_alt[MAX_HWEVENTS], choice[MAX_HWEVENTS];\n\tint i, j;\n\tunsigned long addf = ppmu->add_fields;\n\tunsigned long tadd = ppmu->test_adder;\n\tunsigned long grp_mask = ppmu->group_constraint_mask;\n\tunsigned long grp_val = ppmu->group_constraint_val;\n\n\tif (n_ev > ppmu->n_counter)\n\t\treturn -1;\n\n\t/* First see if the events will go on as-is */\n\tfor (i = 0; i < n_ev; ++i) {\n\t\tif ((cflags[i] & PPMU_LIMITED_PMC_REQD)\n\t\t && !ppmu->limited_pmc_event(event_id[i])) {\n\t\t\tppmu->get_alternatives(event_id[i], cflags[i],\n\t\t\t\t\t cpuhw->alternatives[i]);\n\t\t\tevent_id[i] = cpuhw->alternatives[i][0];\n\t\t}\n\t\tif (ppmu->get_constraint(event_id[i], &cpuhw->amasks[i][0],\n\t\t\t\t\t &cpuhw->avalues[i][0], event[i]->attr.config1))\n\t\t\treturn -1;\n\t}\n\tvalue = mask = 0;\n\tfor (i = 0; i < n_ev; ++i) {\n\t\tnv = (value | cpuhw->avalues[i][0]) +\n\t\t\t(value & cpuhw->avalues[i][0] & addf);\n\n\t\tif (((((nv + tadd) ^ value) & mask) & (~grp_mask)) != 0)\n\t\t\tbreak;\n\n\t\tif (((((nv + tadd) ^ cpuhw->avalues[i][0]) & cpuhw->amasks[i][0])\n\t\t\t& (~grp_mask)) != 0)\n\t\t\tbreak;\n\n\t\tvalue = nv;\n\t\tmask |= cpuhw->amasks[i][0];\n\t}\n\tif (i == n_ev) {\n\t\tif ((value & mask & grp_mask) != (mask & grp_val))\n\t\t\treturn -1;\n\t\telse\n\t\t\treturn 0;\t/* all OK */\n\t}\n\n\t/* doesn't work, gather 
alternatives... */\n\tif (!ppmu->get_alternatives)\n\t\treturn -1;\n\tfor (i = 0; i < n_ev; ++i) {\n\t\tchoice[i] = 0;\n\t\tn_alt[i] = ppmu->get_alternatives(event_id[i], cflags[i],\n\t\t\t\t\t\t cpuhw->alternatives[i]);\n\t\tfor (j = 1; j < n_alt[i]; ++j)\n\t\t\tppmu->get_constraint(cpuhw->alternatives[i][j],\n\t\t\t\t\t &cpuhw->amasks[i][j],\n\t\t\t\t\t &cpuhw->avalues[i][j],\n\t\t\t\t\t event[i]->attr.config1);\n\t}\n\n\t/* enumerate all possibilities and see if any will work */\n\ti = 0;\n\tj = -1;\n\tvalue = mask = nv = 0;\n\twhile (i < n_ev) {\n\t\tif (j >= 0) {\n\t\t\t/* we're backtracking, restore context */\n\t\t\tvalue = svalues[i];\n\t\t\tmask = smasks[i];\n\t\t\tj = choice[i];\n\t\t}\n\t\t/*\n\t\t * See if any alternative k for event_id i,\n\t\t * where k > j, will satisfy the constraints.\n\t\t */\n\t\twhile (++j < n_alt[i]) {\n\t\t\tnv = (value | cpuhw->avalues[i][j]) +\n\t\t\t\t(value & cpuhw->avalues[i][j] & addf);\n\t\t\tif ((((nv + tadd) ^ value) & mask) == 0 &&\n\t\t\t (((nv + tadd) ^ cpuhw->avalues[i][j])\n\t\t\t & cpuhw->amasks[i][j]) == 0)\n\t\t\t\tbreak;\n\t\t}\n\t\tif (j >= n_alt[i]) {\n\t\t\t/*\n\t\t\t * No feasible alternative, backtrack\n\t\t\t * to event_id i-1 and continue enumerating its\n\t\t\t * alternatives from where we got up to.\n\t\t\t */\n\t\t\tif (--i < 0)\n\t\t\t\treturn -1;\n\t\t} else {\n\t\t\t/*\n\t\t\t * Found a feasible alternative for event_id i,\n\t\t\t * remember where we got up to with this event_id,\n\t\t\t * go on to the next event_id, and start with\n\t\t\t * the first alternative for it.\n\t\t\t */\n\t\t\tchoice[i] = j;\n\t\t\tsvalues[i] = value;\n\t\t\tsmasks[i] = mask;\n\t\t\tvalue = nv;\n\t\t\tmask |= cpuhw->amasks[i][j];\n\t\t\t++i;\n\t\t\tj = -1;\n\t\t}\n\t}\n\n\t/* OK, we have a feasible combination, tell the caller the solution */\n\tfor (i = 0; i < n_ev; ++i)\n\t\tevent_id[i] = cpuhw->alternatives[i][choice[i]];\n\treturn 0;\n}", "project": "linux", "hash": 105386368936263454915002675154616944852, "size": 
117, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374673 }, { "func": "static void fuse_fillattr(struct inode *inode, struct fuse_attr *attr,\n\t\t\t struct kstat *stat)\n{\n\tunsigned int blkbits;\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\n\t/* see the comment in fuse_change_attributes() */\n\tif (fc->writeback_cache && S_ISREG(inode->i_mode)) {\n\t\tattr->size = i_size_read(inode);\n\t\tattr->mtime = inode->i_mtime.tv_sec;\n\t\tattr->mtimensec = inode->i_mtime.tv_nsec;\n\t\tattr->ctime = inode->i_ctime.tv_sec;\n\t\tattr->ctimensec = inode->i_ctime.tv_nsec;\n\t}\n\n\tstat->dev = inode->i_sb->s_dev;\n\tstat->ino = attr->ino;\n\tstat->mode = (inode->i_mode & S_IFMT) | (attr->mode & 07777);\n\tstat->nlink = attr->nlink;\n\tstat->uid = make_kuid(fc->user_ns, attr->uid);\n\tstat->gid = make_kgid(fc->user_ns, attr->gid);\n\tstat->rdev = inode->i_rdev;\n\tstat->atime.tv_sec = attr->atime;\n\tstat->atime.tv_nsec = attr->atimensec;\n\tstat->mtime.tv_sec = attr->mtime;\n\tstat->mtime.tv_nsec = attr->mtimensec;\n\tstat->ctime.tv_sec = attr->ctime;\n\tstat->ctime.tv_nsec = attr->ctimensec;\n\tstat->size = attr->size;\n\tstat->blocks = attr->blocks;\n\n\tif (attr->blksize != 0)\n\t\tblkbits = ilog2(attr->blksize);\n\telse\n\t\tblkbits = inode->i_sb->s_blocksize_bits;\n\n\tstat->blksize = 1 << blkbits;\n}", "project": "linux", "hash": 143298746169068391161933240558448640583, "size": 38, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n 
dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341987 }, { "func": " Cached_item_int(Item *item_par) :Cached_item_item(item_par),value(0) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 289534140533769674336397710762213762959, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509105 }, { "func": "static inline void remove_full(struct kmem_cache *s, struct kmem_cache_node *n,\n\t\t\t\t\tstruct page *page) {}", "project": "linux", "hash": 118296575605879479000637413070757974568, "size": 2, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280067 }, { "func": "static void remove_full(struct kmem_cache *s, struct kmem_cache_node *n, struct page *page)\n{\n\tif (!(s->flags & SLAB_STORE_USER))\n\t\treturn;\n\n\tlockdep_assert_held(&n->list_lock);\n\tlist_del(&page->slab_list);\n}", "project": "linux", "hash": 31796482243752193323973751329289870591, "size": 8, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280140 }, { "func": "static int merge_block(struct archive_read* a, ssize_t block_size,\n const uint8_t** p)\n{\n\tstruct rar5* rar = get_context(a);\n\tssize_t cur_block_size, partial_offset = 0;\n\tconst uint8_t* lp;\n\tint ret;\n\n\tif(rar->merge_mode) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,\n\t\t \"Recursive merge is not allowed\");\n\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\t/* Set a flag that we're in the switching mode. */\n\trar->cstate.switch_multivolume = 1;\n\n\t/* Reallocate the memory which will hold the whole block. */\n\tif(rar->vol.push_buf)\n\t\tfree((void*) rar->vol.push_buf);\n\n\t/* Increasing the allocation block by 8 is due to bit reading functions,\n\t * which are using additional 2 or 4 bytes. Allocating the block size\n\t * by exact value would make bit reader perform reads from invalid\n\t * memory block when reading the last byte from the buffer. */\n\trar->vol.push_buf = malloc(block_size + 8);\n\tif(!rar->vol.push_buf) {\n\t\tarchive_set_error(&a->archive, ENOMEM,\n\t\t \"Can't allocate memory for a merge block buffer.\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\t/* Valgrind complains if the extension block for bit reader is not\n\t * initialized, so initialize it. */\n\tmemset(&rar->vol.push_buf[block_size], 0, 8);\n\n\t/* A single block can span across multiple multivolume archive files,\n\t * so we use a loop here. This loop will consume enough multivolume\n\t * archive files until the whole block is read. 
*/\n\n\twhile(1) {\n\t\t/* Get the size of current block chunk in this multivolume\n\t\t * archive file and read it. */\n\t\tcur_block_size = rar5_min(rar->file.bytes_remaining,\n\t\t block_size - partial_offset);\n\n\t\tif(cur_block_size == 0) {\n\t\t\tarchive_set_error(&a->archive,\n\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t \"Encountered block size == 0 during block merge\");\n\t\t\treturn ARCHIVE_FATAL;\n\t\t}\n\n\t\tif(!read_ahead(a, cur_block_size, &lp))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\t/* Sanity check; there should never be a situation where this\n\t\t * function reads more data than the block's size. */\n\t\tif(partial_offset + cur_block_size > block_size) {\n\t\t\tarchive_set_error(&a->archive,\n\t\t\t ARCHIVE_ERRNO_PROGRAMMER,\n\t\t\t \"Consumed too much data when merging blocks.\");\n\t\t\treturn ARCHIVE_FATAL;\n\t\t}\n\n\t\t/* Merge previous block chunk with current block chunk,\n\t\t * or create first block chunk if this is our first\n\t\t * iteration. */\n\t\tmemcpy(&rar->vol.push_buf[partial_offset], lp, cur_block_size);\n\n\t\t/* Advance the stream read pointer by this block chunk size. */\n\t\tif(ARCHIVE_OK != consume(a, cur_block_size))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\t/* Update the pointers. `partial_offset` contains information\n\t\t * about the sum of merged block chunks. */\n\t\tpartial_offset += cur_block_size;\n\t\trar->file.bytes_remaining -= cur_block_size;\n\n\t\t/* If `partial_offset` is the same as `block_size`, this means\n\t\t * we've merged all block chunks and we have a valid full\n\t\t * block. */\n\t\tif(partial_offset == block_size) {\n\t\t\tbreak;\n\t\t}\n\n\t\t/* If we don't have any bytes to read, this means we should\n\t\t * switch to another multivolume archive file. 
*/\n\t\tif(rar->file.bytes_remaining == 0) {\n\t\t\trar->merge_mode++;\n\t\t\tret = advance_multivolume(a);\n\t\t\trar->merge_mode--;\n\t\t\tif(ret != ARCHIVE_OK) {\n\t\t\t\treturn ret;\n\t\t\t}\n\t\t}\n\t}\n\n\t*p = rar->vol.push_buf;\n\n\t/* If we're here, we can resume unpacking by processing the block\n\t * pointed to by the `*p` memory pointer. */\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 302224979061378591787940485004032018777, "size": 106, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244794 }, { "func": "static void defer_request(struct i915_request *rq, struct list_head * const pl)\n{\n\tLIST_HEAD(list);\n\n\t/*\n\t * We want to move the interrupted request to the back of\n\t * the round-robin list (i.e. 
its priority level), but\n\t * in doing so, we must then move all requests that were in\n\t * flight and were waiting for the interrupted request to\n\t * be run after it again.\n\t */\n\tdo {\n\t\tstruct i915_dependency *p;\n\n\t\tGEM_BUG_ON(i915_request_is_active(rq));\n\t\tlist_move_tail(&rq->sched.link, pl);\n\n\t\tlist_for_each_entry(p, &rq->sched.waiters_list, wait_link) {\n\t\t\tstruct i915_request *w =\n\t\t\t\tcontainer_of(p->waiter, typeof(*w), sched);\n\n\t\t\t/* Leave semaphores spinning on the other engines */\n\t\t\tif (w->engine != rq->engine)\n\t\t\t\tcontinue;\n\n\t\t\t/* No waiter should start before its signaler */\n\t\t\tGEM_BUG_ON(i915_request_started(w) &&\n\t\t\t\t !i915_request_completed(rq));\n\n\t\t\tGEM_BUG_ON(i915_request_is_active(w));\n\t\t\tif (list_empty(&w->sched.link))\n\t\t\t\tcontinue; /* Not yet submitted; unready */\n\n\t\t\tif (rq_prio(w) < rq_prio(rq))\n\t\t\t\tcontinue;\n\n\t\t\tGEM_BUG_ON(rq_prio(w) > rq_prio(rq));\n\t\t\tlist_move_tail(&w->sched.link, &list);\n\t\t}\n\n\t\trq = list_first_entry_or_null(&list, typeof(*rq), sched.link);\n\t} while (rq);\n}", "project": "linux", "hash": 288341464164317277609773304406762077001, "size": 43, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281449 }, { "func": "static int test_unaligned_bulk(\n\tstruct usbtest_dev *tdev,\n\tint pipe,\n\tunsigned length,\n\tint iterations,\n\tunsigned transfer_flags,\n\tconst char *label)\n{\n\tint retval;\n\tstruct urb *urb = usbtest_alloc_urb(testdev_to_usbdev(tdev),\n\t\t\tpipe, length, transfer_flags, 1, 0, simple_callback);\n\n\tif (!urb)\n\t\treturn -ENOMEM;\n\n\tretval = simple_io(tdev, urb, iterations, 0, 0, label);\n\tsimple_free_urb(urb);\n\treturn retval;\n}", "project": "linux", "hash": 197877331208853299090087215520745165382, "size": 19, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] 
usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412259 }, { "func": "static int sctp_getsockopt_associnfo(struct sock *sk, int len,\n\t\t\t\t char __user *optval,\n\t\t\t\t int __user *optlen)\n{\n\n\tstruct sctp_assocparams assocparams;\n\tstruct sctp_association *asoc;\n\tstruct list_head *pos;\n\tint cnt = 0;\n\n\tif (len < sizeof (struct sctp_assocparams))\n\t\treturn -EINVAL;\n\n\tlen = sizeof(struct sctp_assocparams);\n\n\tif (copy_from_user(&assocparams, optval, len))\n\t\treturn -EFAULT;\n\n\tasoc = sctp_id2assoc(sk, assocparams.sasoc_assoc_id);\n\n\tif (!asoc && assocparams.sasoc_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\t/* Values correspoinding to the specific association */\n\tif (asoc) 
{\n\t\tassocparams.sasoc_asocmaxrxt = asoc->max_retrans;\n\t\tassocparams.sasoc_peer_rwnd = asoc->peer.rwnd;\n\t\tassocparams.sasoc_local_rwnd = asoc->a_rwnd;\n\t\tassocparams.sasoc_cookie_life = ktime_to_ms(asoc->cookie_life);\n\n\t\tlist_for_each(pos, &asoc->peer.transport_addr_list) {\n\t\t\tcnt++;\n\t\t}\n\n\t\tassocparams.sasoc_number_peer_destinations = cnt;\n\t} else {\n\t\t/* Values corresponding to the endpoint */\n\t\tstruct sctp_sock *sp = sctp_sk(sk);\n\n\t\tassocparams.sasoc_asocmaxrxt = sp->assocparams.sasoc_asocmaxrxt;\n\t\tassocparams.sasoc_peer_rwnd = sp->assocparams.sasoc_peer_rwnd;\n\t\tassocparams.sasoc_local_rwnd = sp->assocparams.sasoc_local_rwnd;\n\t\tassocparams.sasoc_cookie_life =\n\t\t\t\t\tsp->assocparams.sasoc_cookie_life;\n\t\tassocparams.sasoc_number_peer_destinations =\n\t\t\t\t\tsp->assocparams.\n\t\t\t\t\tsasoc_number_peer_destinations;\n\t}\n\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\n\tif (copy_to_user(optval, &assocparams, len))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 43058636840895382079536870318321412426, "size": 58, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398146 }, { "func": "void bcf_hdr_remove(bcf_hdr_t *hdr, int type, const char *key)\n{\n int i = 0;\n bcf_hrec_t *hrec;\n if ( !key )\n {\n while ( inhrec )\n {\n if ( hdr->hrec[i]->type!=type ) { i++; continue; }\n hrec = hdr->hrec[i];\n\n if ( type==BCF_HL_FLT || type==BCF_HL_INFO || type==BCF_HL_FMT || type== BCF_HL_CTG )\n {\n int j = bcf_hrec_find_key(hdr->hrec[i], \"ID\");\n if ( j>=0 )\n {\n vdict_t *d = type==BCF_HL_CTG ? (vdict_t*)hdr->dict[BCF_DT_CTG] : (vdict_t*)hdr->dict[BCF_DT_ID];\n khint_t k = kh_get(vdict, d, hdr->hrec[i]->vals[j]);\n kh_val(d, k).hrec[type==BCF_HL_CTG?0:type] = NULL;\n }\n }\n\n hdr->dirty = 1;\n hdr->nhrec--;\n if ( i < hdr->nhrec )\n memmove(&hdr->hrec[i],&hdr->hrec[i+1],(hdr->nhrec-i)*sizeof(bcf_hrec_t*));\n bcf_hrec_destroy(hrec);\n }\n return;\n }\n while (1)\n {\n if ( type==BCF_HL_FLT || type==BCF_HL_INFO || type==BCF_HL_FMT || type== BCF_HL_CTG )\n {\n hrec = bcf_hdr_get_hrec(hdr, type, \"ID\", key, NULL);\n if ( !hrec ) return;\n\n for (i=0; inhrec; i++)\n if ( hdr->hrec[i]==hrec ) break;\n assert( inhrec );\n\n vdict_t *d = type==BCF_HL_CTG ? 
(vdict_t*)hdr->dict[BCF_DT_CTG] : (vdict_t*)hdr->dict[BCF_DT_ID];\n khint_t k = kh_get(vdict, d, key);\n kh_val(d, k).hrec[type==BCF_HL_CTG?0:type] = NULL;\n }\n else\n {\n for (i=0; inhrec; i++)\n {\n if ( hdr->hrec[i]->type!=type ) continue;\n if ( type==BCF_HL_GEN )\n {\n if ( !strcmp(hdr->hrec[i]->key,key) ) break;\n }\n else\n {\n // not all structured lines have ID, we could be more sophisticated as in bcf_hdr_get_hrec()\n int j = bcf_hrec_find_key(hdr->hrec[i], \"ID\");\n if ( j>=0 && !strcmp(hdr->hrec[i]->vals[j],key) ) break;\n }\n }\n if ( i==hdr->nhrec ) return;\n hrec = hdr->hrec[i];\n }\n\n hdr->nhrec--;\n if ( i < hdr->nhrec )\n memmove(&hdr->hrec[i],&hdr->hrec[i+1],(hdr->nhrec-i)*sizeof(bcf_hrec_t*));\n bcf_hrec_destroy(hrec);\n hdr->dirty = 1;\n }\n}", "project": "htslib", "hash": 337107124136583209160142491581853697256, "size": 72, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402229 }, { "func": "static bool check_request_str(const char* const str,\n bool (*check) (int c))\n{\n for (size_t i(0); str[i] != '\\0'; ++i)\n {\n if (!check(str[i]))\n {\n WSREP_WARN(\"Illegal character in state transfer request: %i (%c).\",\n str[i], str[i]);\n return true;\n }\n }\n\n return false;\n}", "project": "mysql-wsrep", "hash": 160735219665205430158658490588174914991, "size": 15, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454797 }, { "func": "HttpStateData::reusableReply(HttpStateData::ReuseDecision &decision)\n{\n HttpReply const *rep = finalReply();\n HttpHeader const *hdr = &rep->header;\n const char *v;\n#if USE_HTTP_VIOLATIONS\n\n const RefreshPattern *R = NULL;\n\n /* This strange looking define first looks up the refresh pattern\n * and then checks if the specified flag is set. The main purpose\n * of this is to simplify the refresh pattern lookup and USE_HTTP_VIOLATIONS\n * condition\n */\n#define REFRESH_OVERRIDE(flag) \\\n ((R = (R ? 
R : refreshLimits(entry->mem_obj->storeId()))) , \\\n (R && R->flags.flag))\n#else\n#define REFRESH_OVERRIDE(flag) 0\n#endif\n\n if (EBIT_TEST(entry->flags, RELEASE_REQUEST))\n return decision.make(ReuseDecision::doNotCacheButShare, \"the entry has been released\");\n\n // RFC 7234 section 4: a cache MUST use the most recent response\n // (as determined by the Date header field)\n // TODO: whether such responses could be shareable?\n if (sawDateGoBack)\n return decision.make(ReuseDecision::reuseNot, \"the response has an older date header\");\n\n // Check for Surrogate/1.0 protocol conditions\n // NP: reverse-proxy traffic our parent server has instructed us never to cache\n if (surrogateNoStore)\n return decision.make(ReuseDecision::reuseNot, \"Surrogate-Control:no-store\");\n\n // RFC 2616: HTTP/1.1 Cache-Control conditions\n if (!ignoreCacheControl) {\n // XXX: check to see if the request headers alone were enough to prevent caching earlier\n // (ie no-store request header) no need to check those all again here if so.\n // for now we are not reliably doing that so we waste CPU re-checking request CC\n\n // RFC 2616 section 14.9.2 - MUST NOT cache any response with request CC:no-store\n if (request && request->cache_control && request->cache_control->hasNoStore() &&\n !REFRESH_OVERRIDE(ignore_no_store))\n return decision.make(ReuseDecision::reuseNot,\n \"client request Cache-Control:no-store\");\n\n // NP: request CC:no-cache only means cache READ is forbidden. 
STORE is permitted.\n if (rep->cache_control && rep->cache_control->hasNoCacheWithParameters()) {\n /* TODO: we are allowed to cache when no-cache= has parameters.\n * Provided we strip away any of the listed headers unless they are revalidated\n * successfully (ie, must revalidate AND these headers are prohibited on stale replies).\n * That is a bit tricky for squid right now so we avoid caching entirely.\n */\n return decision.make(ReuseDecision::reuseNot,\n \"server reply Cache-Control:no-cache has parameters\");\n }\n\n // NP: request CC:private is undefined. We ignore.\n // NP: other request CC flags are limiters on HIT/MISS. We don't care about here.\n\n // RFC 2616 section 14.9.2 - MUST NOT cache any response with CC:no-store\n if (rep->cache_control && rep->cache_control->hasNoStore() &&\n !REFRESH_OVERRIDE(ignore_no_store))\n return decision.make(ReuseDecision::reuseNot,\n \"server reply Cache-Control:no-store\");\n\n // RFC 2616 section 14.9.1 - MUST NOT cache any response with CC:private in a shared cache like Squid.\n // CC:private overrides CC:public when both are present in a response.\n // TODO: add a shared/private cache configuration possibility.\n if (rep->cache_control &&\n rep->cache_control->hasPrivate() &&\n !REFRESH_OVERRIDE(ignore_private)) {\n /* TODO: we are allowed to cache when private= has parameters.\n * Provided we strip away any of the listed headers unless they are revalidated\n * successfully (ie, must revalidate AND these headers are prohibited on stale replies).\n * That is a bit tricky for squid right now so we avoid caching entirely.\n */\n return decision.make(ReuseDecision::reuseNot,\n \"server reply Cache-Control:private\");\n }\n }\n\n // RFC 2068, sec 14.9.4 - MUST NOT cache any response with Authentication UNLESS certain CC controls are present\n // allow HTTP violations to IGNORE those controls (ie re-block caching Auth)\n if (request && (request->flags.auth || request->flags.authSent)) {\n if (!rep->cache_control)\n 
return decision.make(ReuseDecision::reuseNot,\n \"authenticated and server reply missing Cache-Control\");\n\n if (ignoreCacheControl)\n return decision.make(ReuseDecision::reuseNot,\n \"authenticated and ignoring Cache-Control\");\n\n bool mayStore = false;\n // HTTPbis pt6 section 3.2: a response CC:public is present\n if (rep->cache_control->hasPublic()) {\n debugs(22, 3, HERE << \"Authenticated but server reply Cache-Control:public\");\n mayStore = true;\n\n // HTTPbis pt6 section 3.2: a response CC:must-revalidate is present\n } else if (rep->cache_control->hasMustRevalidate()) {\n debugs(22, 3, HERE << \"Authenticated but server reply Cache-Control:must-revalidate\");\n mayStore = true;\n\n#if USE_HTTP_VIOLATIONS\n // NP: given the must-revalidate exception we should also be able to exempt no-cache.\n // HTTPbis WG verdict on this is that it is omitted from the spec due to being 'unexpected' by\n // some. The caching+revalidate is not exactly unsafe though with Squids interpretation of no-cache\n // (without parameters) as equivalent to must-revalidate in the reply.\n } else if (rep->cache_control->hasNoCacheWithoutParameters()) {\n debugs(22, 3, HERE << \"Authenticated but server reply Cache-Control:no-cache (equivalent to must-revalidate)\");\n mayStore = true;\n#endif\n\n // HTTPbis pt6 section 3.2: a response CC:s-maxage is present\n } else if (rep->cache_control->hasSMaxAge()) {\n debugs(22, 3, HERE << \"Authenticated but server reply Cache-Control:s-maxage\");\n mayStore = true;\n }\n\n if (!mayStore)\n return decision.make(ReuseDecision::reuseNot, \"authenticated transaction\");\n\n // NP: response CC:no-cache is equivalent to CC:must-revalidate,max-age=0. We MAY cache, and do so.\n // NP: other request CC flags are limiters on HIT/MISS/REFRESH. We don't care about here.\n }\n\n /* HACK: The \"multipart/x-mixed-replace\" content type is used for\n * continuous push replies. 
These are generally dynamic and\n * probably should not be cachable\n */\n if ((v = hdr->getStr(Http::HdrType::CONTENT_TYPE)))\n if (!strncasecmp(v, \"multipart/x-mixed-replace\", 25))\n return decision.make(ReuseDecision::reuseNot, \"Content-Type:multipart/x-mixed-replace\");\n\n // TODO: if possible, provide more specific message for each status code\n static const char *shareableError = \"shareable error status code\";\n static const char *nonShareableError = \"non-shareable error status code\";\n ReuseDecision::Answers statusAnswer = ReuseDecision::reuseNot;\n const char *statusReason = nonShareableError;\n\n switch (rep->sline.status()) {\n\n /* There are several situations when a non-cacheable response may be\n * still shareable (e.g., among collapsed clients). We assume that these\n * are 3xx and 5xx responses, indicating server problems and some of\n * 4xx responses, common for all clients with a given cache key (e.g.,\n * 404 Not Found or 414 URI Too Long). On the other hand, we should not\n * share non-cacheable client-specific errors, such as 400 Bad Request\n * or 406 Not Acceptable.\n */\n\n /* Responses that are cacheable */\n\n case Http::scOkay:\n\n case Http::scNonAuthoritativeInformation:\n\n case Http::scMultipleChoices:\n\n case Http::scMovedPermanently:\n case Http::scPermanentRedirect:\n\n case Http::scGone:\n /*\n * Don't cache objects that need to be refreshed on next request,\n * unless we know how to refresh it.\n */\n\n if (refreshIsCachable(entry) || REFRESH_OVERRIDE(store_stale))\n decision.make(ReuseDecision::cachePositively, \"refresh check returned cacheable\");\n else\n decision.make(ReuseDecision::doNotCacheButShare, \"refresh check returned non-cacheable\");\n break;\n\n /* Responses that only are cacheable if the server says so */\n\n case Http::scFound:\n case Http::scTemporaryRedirect:\n if (rep->date <= 0)\n decision.make(ReuseDecision::doNotCacheButShare, \"Date is missing/invalid\");\n else if (rep->expires > rep->date)\n 
decision.make(ReuseDecision::cachePositively, \"Expires > Date\");\n else\n decision.make(ReuseDecision::doNotCacheButShare, \"Expires <= Date\");\n break;\n\n /* These responses can be negatively cached. Most can also be shared. */\n case Http::scNoContent:\n case Http::scUseProxy:\n case Http::scForbidden:\n case Http::scNotFound:\n case Http::scMethodNotAllowed:\n case Http::scUriTooLong:\n case Http::scInternalServerError:\n case Http::scNotImplemented:\n case Http::scBadGateway:\n case Http::scServiceUnavailable:\n case Http::scGatewayTimeout:\n case Http::scMisdirectedRequest:\n statusAnswer = ReuseDecision::doNotCacheButShare;\n statusReason = shareableError;\n // fall through to the actual decision making below\n\n case Http::scBadRequest: // no sharing; perhaps the server did not like something specific to this request\n#if USE_HTTP_VIOLATIONS\n if (Config.negativeTtl > 0)\n decision.make(ReuseDecision::cacheNegatively, \"Config.negativeTtl > 0\");\n else\n#endif\n decision.make(statusAnswer, statusReason);\n break;\n\n /* these responses can never be cached, some\n of them can be shared though */\n case Http::scSeeOther:\n case Http::scNotModified:\n case Http::scUnauthorized:\n case Http::scProxyAuthenticationRequired:\n case Http::scPaymentRequired:\n case Http::scInsufficientStorage:\n // TODO: use more specific reason for non-error status codes\n decision.make(ReuseDecision::doNotCacheButShare, shareableError);\n break;\n\n case Http::scPartialContent: /* Not yet supported. 
TODO: make shareable for suitable ranges */\n case Http::scNotAcceptable:\n case Http::scRequestTimeout: // TODO: is this shareable?\n case Http::scConflict: // TODO: is this shareable?\n case Http::scLengthRequired:\n case Http::scPreconditionFailed:\n case Http::scPayloadTooLarge:\n case Http::scUnsupportedMediaType:\n case Http::scUnprocessableEntity:\n case Http::scLocked: // TODO: is this shareable?\n case Http::scFailedDependency:\n case Http::scRequestedRangeNotSatisfied:\n case Http::scExpectationFailed:\n case Http::scInvalidHeader: /* Squid header parsing error */\n case Http::scHeaderTooLarge:\n decision.make(ReuseDecision::reuseNot, nonShareableError);\n break;\n\n default:\n /* RFC 2616 section 6.1.1: an unrecognized response MUST NOT be cached. */\n decision.make(ReuseDecision::reuseNot, \"unknown status code\");\n break;\n }\n\n return decision.answer;\n}", "project": "squid", "hash": 105362147464180594114333735897157735956, "size": 252, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402376 }, { "func": "static int fuse_copy_ioctl_iovec(struct fuse_conn *fc, struct iovec *dst,\n\t\t\t\t void *src, size_t transferred, unsigned count,\n\t\t\t\t bool is_compat)\n{\n\tunsigned i;\n\tstruct fuse_ioctl_iovec *fiov = src;\n\n\tif (fc->minor < 16) {\n\t\treturn fuse_copy_ioctl_iovec_old(dst, src, transferred,\n\t\t\t\t\t\t count, is_compat);\n\t}\n\n\tif (count * sizeof(struct fuse_ioctl_iovec) != transferred)\n\t\treturn -EIO;\n\n\tfor (i = 0; i < count; i++) {\n\t\t/* Did the server supply an inappropriate value? */\n\t\tif (fiov[i].base != (unsigned long) fiov[i].base ||\n\t\t fiov[i].len != (unsigned long) fiov[i].len)\n\t\t\treturn -EIO;\n\n\t\tdst[i].iov_base = (void __user *) (unsigned long) fiov[i].base;\n\t\tdst[i].iov_len = (size_t) fiov[i].len;\n\n#ifdef CONFIG_COMPAT\n\t\tif (is_compat &&\n\t\t (ptr_to_compat(dst[i].iov_base) != fiov[i].base ||\n\t\t (compat_size_t) dst[i].iov_len != fiov[i].len))\n\t\t\treturn -EIO;\n#endif\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 86767937435675079476183916322583963035, "size": 34, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341913 }, { "func": "static void trace_exit_regs(lua_State *L, ExitState *ex)\n{\n int32_t i;\n setintV(L->top++, RID_NUM_GPR);\n setintV(L->top++, RID_NUM_FPR);\n for (i = 0; i < RID_NUM_GPR; i++) {\n if (sizeof(ex->gpr[i]) == sizeof(int32_t))\n setintV(L->top++, (int32_t)ex->gpr[i]);\n else\n setnumV(L->top++, (lua_Number)ex->gpr[i]);\n }\n#if !LJ_SOFTFP\n for (i = 0; i < RID_NUM_FPR; i++) {\n setnumV(L->top, ex->fpr[i]);\n if (LJ_UNLIKELY(tvisnan(L->top)))\n setnanV(L->top);\n L->top++;\n }\n#endif\n}", "project": "LuaJIT", "hash": 241421065289777438704555358576713311249, "size": 20, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394622 }, { "func": "static void init_common_reg_state(u32 * const regs,\n\t\t\t\t const struct intel_engine_cs *engine,\n\t\t\t\t const struct intel_ring *ring)\n{\n\tregs[CTX_CONTEXT_CONTROL] =\n\t\t_MASKED_BIT_DISABLE(CTX_CTRL_ENGINE_CTX_RESTORE_INHIBIT) |\n\t\t_MASKED_BIT_ENABLE(CTX_CTRL_INHIBIT_SYN_CTX_SWITCH);\n\tif (INTEL_GEN(engine->i915) < 11)\n\t\tregs[CTX_CONTEXT_CONTROL] |=\n\t\t\t_MASKED_BIT_DISABLE(CTX_CTRL_ENGINE_CTX_SAVE_INHIBIT |\n\t\t\t\t\t CTX_CTRL_RS_CTX_ENABLE);\n\n\tregs[CTX_RING_BUFFER_CONTROL] = 
RING_CTL_SIZE(ring->size) | RING_VALID;\n\tregs[CTX_BB_STATE] = RING_BB_PPGTT;\n}", "project": "linux", "hash": 135689670398071447398536836941226089375, "size": 15, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281529 }, { "func": "ROWINDEX CSoundFile::PatternLoop(ModChannel *pChn, uint32 param)\n{\n\tif (param)\n\t{\n\t\t// Loop Repeat\n\t\tif(pChn->nPatternLoopCount)\n\t\t{\n\t\t\t// There's a loop left\n\t\t\tpChn->nPatternLoopCount--;\n\t\t\tif(!pChn->nPatternLoopCount)\n\t\t\t{\n\t\t\t\t// IT compatibility 10. Pattern loops (+ same fix for S3M files)\n\t\t\t\t// When finishing a pattern loop, the next loop without a dedicated SB0 starts on the first row after the previous loop.\n\t\t\t\tif(m_playBehaviour[kITPatternLoopTargetReset] || (GetType() == MOD_TYPE_S3M))\n\t\t\t\t{\n\t\t\t\t\tpChn->nPatternLoop = m_PlayState.m_nRow + 1;\n\t\t\t\t}\n\n\t\t\t\treturn ROWINDEX_INVALID;\n\t\t\t}\n\t\t} else\n\t\t{\n\t\t\t// First time we get into the loop => Set loop count.\n\n\t\t\t// IT compatibility 10. 
Pattern loops (+ same fix for XM / MOD / S3M files)\n\t\t\tif(!m_playBehaviour[kITFT2PatternLoop] && !(GetType() & (MOD_TYPE_MOD | MOD_TYPE_S3M)))\n\t\t\t{\n\t\t\t\tModChannel *p = m_PlayState.Chn;\n\t\t\t\tfor(CHANNELINDEX i = 0; i < GetNumChannels(); i++, p++) if (p != pChn)\n\t\t\t\t{\n\t\t\t\t\t// Loop on other channel\n\t\t\t\t\tif(p->nPatternLoopCount) return ROWINDEX_INVALID;\n\t\t\t\t}\n\t\t\t}\n\t\t\tpChn->nPatternLoopCount = static_cast(param);\n\t\t}\n\t\tm_PlayState.m_nNextPatStartRow = pChn->nPatternLoop; // Nasty FT2 E60 bug emulation!\n\t\treturn pChn->nPatternLoop;\n\t} else\n\t{\n\t\t// Loop Start\n\t\tpChn->nPatternLoop = m_PlayState.m_nRow;\n\t}\n\treturn ROWINDEX_INVALID;\n}", "project": "openmpt", "hash": 325252007137609318428404776968472691280, "size": 45, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255189 }, { "func": "static inline bool is_error_noslot_pfn(kvm_pfn_t pfn)\n{\n\treturn !!(pfn & KVM_PFN_ERR_NOSLOT_MASK);\n}", "project": "linux", "hash": 49302910298122123810044305135602868050, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: 
<20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354736 }, { "func": "static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_read_voice_setting *rp = (void *) skb->data;\n\t__u16 setting;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tsetting = __le16_to_cpu(rp->voice_setting);\n\n\tif (hdev->voice_setting == setting)\n\t\treturn;\n\n\thdev->voice_setting = setting;\n\n\tBT_DBG(\"%s voice setting 0x%4.4x\", hdev->name, setting);\n\n\tif (hdev->notify)\n\t\thdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);\n}", "project": "linux", "hash": 134709999377391227223413730997768781702, "size": 22, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431886 }, { "func": "ExecutionStatus JSObject::defineNewOwnProperty(\n Handle selfHandle,\n Runtime *runtime,\n SymbolID name,\n PropertyFlags propertyFlags,\n Handle<> valueOrAccessor) {\n assert(\n !selfHandle->flags_.proxyObject &&\n \"definedNewOwnProperty cannot be used with proxy objects\");\n assert(\n !(propertyFlags.accessor && !valueOrAccessor.get().isPointer()) &&\n \"accessor must be non-empty\");\n assert(\n !(propertyFlags.accessor && propertyFlags.writable) &&\n \"writable must not be set with accessors\");\n assert(\n !HiddenClass::debugIsPropertyDefined(\n selfHandle->clazz_.get(runtime), runtime, name) &&\n \"new property is already defined\");\n\n return addOwnPropertyImpl(\n selfHandle, runtime, name, propertyFlags, valueOrAccessor);\n}", "project": "hermes", "hash": 246458272570209372686776472684426667411, "size": 23, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230176 }, { "func": "\nstatic void io_sq_thread_finish(struct io_ring_ctx *ctx)\n{\n\tstruct io_sq_data *sqd = ctx->sq_data;\n\n\tif (sqd) {\n\t\tio_sq_thread_park(sqd);\n\t\tlist_del_init(&ctx->sqd_list);\n\t\tio_sqd_update_thread_idle(sqd);\n\t\tio_sq_thread_unpark(sqd);\n\n\t\tio_put_sq_data(sqd);\n\t\tctx->sq_data = NULL;\n\t}", "project": "linux", "hash": 21118760102524198411265341022853908793, "size": 14, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338623 }, { "func": "static ssize_t f_printer_opts_pnp_string_show(struct config_item *item,\n\t\t\t\t\t char *page)\n{\n\tstruct f_printer_opts *opts = to_f_printer_opts(item);\n\tint result = 0;\n\n\tmutex_lock(&opts->lock);\n\tif (!opts->pnp_string)\n\t\tgoto unlock;\n\n\tresult = strlcpy(page, opts->pnp_string, PAGE_SIZE);\n\tif (result >= PAGE_SIZE) {\n\t\tresult = PAGE_SIZE;\n\t} else if (page[result - 1] != '\\n' && result + 1 < PAGE_SIZE) {\n\t\tpage[result++] = 
'\\n';\n\t\tpage[result] = '\\0';\n\t}\n\nunlock:\n\tmutex_unlock(&opts->lock);\n\n\treturn result;\n}", "project": "linux", "hash": 236416107725030894819981472434268978814, "size": 23, "commit_id": "e8d5f92b8d30bb4ade76494490c3c065e12411b1", "message": "usb: gadget: function: printer: fix use-after-free in __lock_acquire\n\nFix this by increase object reference count.\n\nBUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180\nkernel/locking/lockdep.c:3831\nRead of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377\n\nCPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xce/0x128 lib/dump_stack.c:118\n print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374\n __kasan_report+0x131/0x1b0 mm/kasan/report.c:506\n kasan_report+0x12/0x20 mm/kasan/common.c:641\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135\n __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831\n lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0xfb/0x130 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x4531a9\nCode: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 
00000000004531a9\nRDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003\nRBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61\nR13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff\n\nAllocated by task 2393:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515\n kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529\n kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813\n kmalloc include/linux/slab.h:555 [inline]\n kzalloc include/linux/slab.h:669 [inline]\n gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416\n usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61\n config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444\n configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202\n vfs_symlink+0x33d/0x5b0 fs/namei.c:4201\n do_symlinkat+0x11b/0x1d0 fs/namei.c:4228\n __do_sys_symlinkat fs/namei.c:4242 [inline]\n __se_sys_symlinkat fs/namei.c:4239 [inline]\n __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nFreed by task 3368:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n kasan_set_free_info mm/kasan/common.c:337 [inline]\n __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476\n kasan_slab_free+0xe/0x10 mm/kasan/common.c:485\n slab_free_hook mm/slub.c:1444 [inline]\n slab_free_freelist_hook mm/slub.c:1477 [inline]\n slab_free mm/slub.c:3034 [inline]\n kfree+0xf7/0x410 mm/slub.c:3995\n gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353\n usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87\n config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485\n configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250\n vfs_unlink+0x287/0x570 fs/namei.c:4073\n do_unlinkat+0x4f9/0x620 
fs/namei.c:4137\n __do_sys_unlink fs/namei.c:4184 [inline]\n __se_sys_unlink fs/namei.c:4182 [inline]\n __x64_sys_unlink+0x42/0x50 fs/namei.c:4182\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nThe buggy address belongs to the object at ffff8880683b0000\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 24 bytes inside of\n 1024-byte region [ffff8880683b0000, ffff8880683b0400)\nThe buggy address belongs to the page:\npage:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300\nindex:0xffff8880683b1800 compound_mapcount: 0\nflags: 0x100000000010200(slab|head)\nraw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300\nraw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nSigned-off-by: Felipe Balbi ", "target": 0, "dataset": "other", "idx": 389349 }, { "func": "int ecall_deliver_signal(int signum, int sigcode) {\n int result = 0;\n try {\n result = asylo::primitives::DeliverSignal(signum, sigcode);\n } catch (...) 
{\n LOG(FATAL) << \"Uncaught exception in enclave\";\n }\n return result;\n}", "project": "asylo", "hash": 84865445450155503386063667349435578712, "size": 9, "commit_id": "382da2b8b09cbf928668a2445efb778f76bd9c8a", "message": "Check output of ecall_restore is outside enclave\n\nPiperOrigin-RevId: 334265380\nChange-Id: Ifbaead6bce56f01b2a4d69f53ca508d0138f6f61", "target": 0, "dataset": "other", "idx": 265531 }, { "func": "void RGWAsioFrontend::pause_for_new_config()\n{\n impl->pause();\n}", "project": "ceph", "hash": 182039723790671341890134612798627856373, "size": 4, "commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves CVE-2020-1700 (moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384562 }, { "func": "static void hci_remote_ext_features_evt(struct hci_dev *hdev,\n\t\t\t\t\tstruct sk_buff *skb)\n{\n\tstruct hci_ev_remote_ext_features *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));\n\tif (!conn)\n\t\tgoto unlock;\n\n\tif (ev->page < HCI_MAX_PAGES)\n\t\tmemcpy(conn->features[ev->page], ev->features, 8);\n\n\tif (!ev->status && ev->page == 0x01) {\n\t\tstruct inquiry_entry *ie;\n\n\t\tie = hci_inquiry_cache_lookup(hdev, &conn->dst);\n\t\tif (ie)\n\t\t\tie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);\n\n\t\tif (ev->features[0] & LMP_HOST_SSP) {\n\t\t\tset_bit(HCI_CONN_SSP_ENABLED, &conn->flags);\n\t\t} else {\n\t\t\t/* It is mandatory by the Bluetooth specification that\n\t\t\t * Extended Inquiry Results are only used when Secure\n\t\t\t * Simple Pairing is enabled, but some devices violate\n\t\t\t * this.\n\t\t\t *\n\t\t\t * To make these devices work, the 
internal SSP\n\t\t\t * enabled flag needs to be cleared if the remote host\n\t\t\t * features do not indicate SSP support */\n\t\t\tclear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);\n\t\t}\n\n\t\tif (ev->features[0] & LMP_HOST_SC)\n\t\t\tset_bit(HCI_CONN_SC_ENABLED, &conn->flags);\n\t}\n\n\tif (conn->state != BT_CONFIG)\n\t\tgoto unlock;\n\n\tif (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {\n\t\tstruct hci_cp_remote_name_req cp;\n\t\tmemset(&cp, 0, sizeof(cp));\n\t\tbacpy(&cp.bdaddr, &conn->dst);\n\t\tcp.pscan_rep_mode = 0x02;\n\t\thci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);\n\t} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))\n\t\tmgmt_device_connected(hdev, conn, 0, NULL, 0);\n\n\tif (!hci_outgoing_auth_needed(hdev, conn)) {\n\t\tconn->state = BT_CONNECTED;\n\t\thci_connect_cfm(conn, ev->status);\n\t\thci_conn_drop(conn);\n\t}\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 197053300060343672744243056135009534420, "size": 63, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432030 }, { "func": "static void DBGUNDO(struct sock *sk, const char *msg)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct inet_sock *inet = inet_sk(sk);\n\n\tif (sk->sk_family == AF_INET) {\n\t\tprintk(KERN_DEBUG \"Undo %s %pI4/%u c%u l%u ss%u/%u p%u\\n\",\n\t\t msg,\n\t\t &inet->inet_daddr, ntohs(inet->inet_dport),\n\t\t tp->snd_cwnd, tcp_left_out(tp),\n\t\t tp->snd_ssthresh, tp->prior_ssthresh,\n\t\t tp->packets_out);\n\t}\n#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)\n\telse if (sk->sk_family == AF_INET6) {\n\t\tstruct ipv6_pinfo *np = inet6_sk(sk);\n\t\tprintk(KERN_DEBUG \"Undo %s %pI6/%u c%u l%u ss%u/%u p%u\\n\",\n\t\t msg,\n\t\t &np->daddr, ntohs(inet->inet_dport),\n\t\t tp->snd_cwnd, tcp_left_out(tp),\n\t\t tp->snd_ssthresh, tp->prior_ssthresh,\n\t\t tp->packets_out);\n\t}\n#endif\n}", "project": "net-next", "hash": 321096548998272743139919630306380082356, "size": 25, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409842 }, { "func": "static void encode_putrootfh(struct xdr_stream *xdr, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_PUTROOTFH, decode_putrootfh_maxsz, hdr);\n}", "project": "linux", "hash": 156327334934995417069049434004544611241, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431517 }, { "func": "static int __tracing_resize_ring_buffer(struct trace_array *tr,\n\t\t\t\t\tunsigned long size, int cpu)\n{\n\tint ret;\n\n\t/*\n\t * If kernel or user changes the size of the ring buffer\n\t * we use the size that was given, and we can forget about\n\t * expanding it later.\n\t */\n\tring_buffer_expanded = true;\n\n\t/* May be called before buffers are initialized */\n\tif (!tr->trace_buffer.buffer)\n\t\treturn 0;\n\n\tret = ring_buffer_resize(tr->trace_buffer.buffer, size, cpu);\n\tif (ret < 0)\n\t\treturn ret;\n\n#ifdef CONFIG_TRACER_MAX_TRACE\n\tif (!(tr->flags & TRACE_ARRAY_FL_GLOBAL) ||\n\t !tr->current_trace->use_max_tr)\n\t\tgoto out;\n\n\tret = ring_buffer_resize(tr->max_buffer.buffer, size, cpu);\n\tif (ret < 0) {\n\t\tint r = resize_buffer_duplicate_size(&tr->trace_buffer,\n\t\t\t\t\t\t &tr->trace_buffer, cpu);\n\t\tif (r < 0) {\n\t\t\t/*\n\t\t\t * AARGH! We are left with different\n\t\t\t * size max buffer!!!!\n\t\t\t * The max buffer is our \"snapshot\" buffer.\n\t\t\t * When a tracer needs a snapshot (one of the\n\t\t\t * latency tracers), it swaps the max buffer\n\t\t\t * with the saved snap shot. 
We succeeded to\n\t\t\t * update the size of the main buffer, but failed to\n\t\t\t * update the size of the max buffer. But when we tried\n\t\t\t * to reset the main buffer to the original size, we\n\t\t\t * failed there too. This is very unlikely to\n\t\t\t * happen, but if it does, warn and kill all\n\t\t\t * tracing.\n\t\t\t */\n\t\t\tWARN_ON(1);\n\t\t\ttracing_disabled = 1;\n\t\t}\n\t\treturn ret;\n\t}\n\n\tif (cpu == RING_BUFFER_ALL_CPUS)\n\t\tset_buffer_entries(&tr->max_buffer, size);\n\telse\n\t\tper_cpu_ptr(tr->max_buffer.data, cpu)->entries = size;\n\n out:\n#endif /* CONFIG_TRACER_MAX_TRACE */\n\n\tif (cpu == RING_BUFFER_ALL_CPUS)\n\t\tset_buffer_entries(&tr->trace_buffer, size);\n\telse\n\t\tper_cpu_ptr(tr->trace_buffer.data, cpu)->entries = size;\n\n\treturn ret;\n}", "project": "linux", "hash": 233167316620955703841834084953265408049, "size": 65, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445734 }, { "func": "void CSoundFile::SetSpeed(PlayState &playState, uint32 param) const\n{\n#ifdef MODPLUG_TRACKER\n\t// FT2 appears to be decrementing the tick count before checking for zero,\n\t// so it effectively counts down 65536 ticks with speed = 0 (song speed is a 16-bit variable in FT2)\n\tif(GetType() == MOD_TYPE_XM && !param)\n\t{\n\t\tplayState.m_nMusicSpeed = uint16_max;\n\t}\n#endif\t// MODPLUG_TRACKER\n\tif(param > 0) playState.m_nMusicSpeed = param;\n\tif(GetType() == MOD_TYPE_STM && param > 0)\n\t{\n\t\tplayState.m_nMusicSpeed = std::max(param >> 4u, 1);\n\t\tplayState.m_nMusicTempo = ConvertST2Tempo(static_cast(param));\n\t}\n}", "project": "openmpt", "hash": 93798272632158339127972012072168961285, "size": 17, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255198 }, { "func": "CallResult JSObject::deleteComputed(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n PropOpFlags opFlags) {\n assert(\n !opFlags.getMustExist() && \"mustExist cannot be specified when deleting\");\n\n // If nameValHandle is an object, we should convert it to string now,\n // because toString may have side-effect, and we want to do this only\n // once.\n auto converted = toPropertyKeyIfObject(runtime, 
nameValHandle);\n if (LLVM_UNLIKELY(converted == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n\n auto nameValPrimitiveHandle = *converted;\n\n // If the name is a valid integer array index, store it here.\n OptValue arrayIndex;\n\n // If we have indexed storage, we must attempt to convert the name to array\n // index, even if the conversion is expensive.\n if (selfHandle->flags_.indexedStorage) {\n MutableHandle strPrim{runtime};\n TO_ARRAY_INDEX(runtime, nameValPrimitiveHandle, strPrim, arrayIndex);\n }\n\n // Try the fast-path first: the \"name\" is a valid array index and we don't\n // have \"index-like\" named properties.\n if (arrayIndex && selfHandle->flags_.fastIndexProperties) {\n // Delete the indexed property.\n if (deleteOwnIndexed(selfHandle, runtime, *arrayIndex))\n return true;\n\n // Cannot delete property (for example this may be a typed array).\n if (opFlags.getThrowOnError()) {\n // TODO: better error message.\n return runtime->raiseTypeError(\"Cannot delete property\");\n }\n return false;\n }\n\n // slow path, check if object is lazy before continuing.\n if (LLVM_UNLIKELY(selfHandle->flags_.lazyObject)) {\n // initialize and try again.\n initializeLazyObject(runtime, selfHandle);\n return deleteComputed(selfHandle, runtime, nameValHandle, opFlags);\n }\n\n // Convert the string to an SymbolID;\n SymbolID id;\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n\n // Find the property by name.\n NamedPropertyDescriptor desc;\n auto pos = findProperty(selfHandle, runtime, id, desc);\n\n // If the property exists, make sure it is configurable.\n if (pos) {\n // If the property isn't configurable, fail.\n if (LLVM_UNLIKELY(!desc.flags.configurable)) {\n if (opFlags.getThrowOnError()) {\n // TODO: a better message.\n return runtime->raiseTypeError(\"Property is not configurable\");\n }\n return false;\n }\n }\n\n // At this point we know that the named property either doesn't exist, or\n // is configurable and so 
can be deleted, or the object is a Proxy.\n\n // If it is an \"index-like\" property, we must also delete the \"shadow\" indexed\n // property in order to keep Array.length correct.\n if (arrayIndex) {\n if (!deleteOwnIndexed(selfHandle, runtime, *arrayIndex)) {\n // Cannot delete property (for example this may be a typed array).\n if (opFlags.getThrowOnError()) {\n // TODO: better error message.\n return runtime->raiseTypeError(\"Cannot delete property\");\n }\n return false;\n }\n }\n\n if (pos) {\n // delete the named property (if it exists).\n // Clear the deleted property value to prevent memory leaks.\n setNamedSlotValue(\n *selfHandle, runtime, desc, HermesValue::encodeEmptyValue());\n\n // Remove the property descriptor.\n auto newClazz = HiddenClass::deleteProperty(\n runtime->makeHandle(selfHandle->clazz_), runtime, *pos);\n selfHandle->clazz_.set(runtime, *newClazz, &runtime->getHeap());\n } else if (LLVM_UNLIKELY(selfHandle->flags_.proxyObject)) {\n CallResult> key = toPropertyKey(runtime, nameValPrimitiveHandle);\n if (key == ExecutionStatus::EXCEPTION)\n return ExecutionStatus::EXCEPTION;\n return proxyOpFlags(\n runtime,\n opFlags,\n \"Proxy delete returned false\",\n JSProxy::deleteComputed(selfHandle, runtime, *key));\n }\n\n return true;\n}", "project": "hermes", "hash": 9024011335875103489303018071550827870, "size": 109, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230231 }, { "func": "\nstatic void __io_queue_sqe(struct io_kiocb *req)\n{\n\tstruct io_kiocb *linked_timeout = io_prep_linked_timeout(req);\n\tint ret;\n\n\tret = io_issue_sqe(req, IO_URING_F_NONBLOCK|IO_URING_F_COMPLETE_DEFER);\n\n\t/*\n\t * We async punt it if the file wasn't marked NOWAIT, or if the file\n\t * doesn't support non-blocking read/write attempts\n\t */\n\tif (likely(!ret)) {\n\t\t/* drop submission reference */\n\t\tif (req->flags & REQ_F_COMPLETE_INLINE) {\n\t\t\tstruct io_ring_ctx *ctx = req->ctx;\n\t\t\tstruct io_comp_state *cs = &ctx->submit_state.comp;\n\n\t\t\tcs->reqs[cs->nr++] = req;\n\t\t\tif (cs->nr == ARRAY_SIZE(cs->reqs))\n\t\t\t\tio_submit_flush_completions(cs, ctx);\n\t\t} else {\n\t\t\tio_put_req(req);\n\t\t}\n\t} else if (ret == -EAGAIN && !(req->flags & REQ_F_NOWAIT)) {\n\t\tif (!io_arm_poll_handler(req)) {\n\t\t\t/*\n\t\t\t * Queued up for async execution, worker will release\n\t\t\t * submit reference when the iocb is actually submitted.\n\t\t\t */\n\t\t\tio_queue_async_work(req);\n\t\t}\n\t} else {\n\t\tio_req_complete_failed(req, ret);\n\t}\n\tif (linked_timeout)\n\t\tio_queue_linked_timeout(linked_timeout);", "project": "linux", "hash": 73225000628212832828131691392537467111, "size": 37, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338642 }, { "func": "static void __init apply_trace_boot_options(void)\n{\n\tchar *buf = trace_boot_options_buf;\n\tchar *option;\n\n\twhile (true) {\n\t\toption = strsep(&buf, \",\");\n\n\t\tif (!option)\n\t\t\tbreak;\n\n\t\tif (*option)\n\t\t\ttrace_set_options(&global_trace, option);\n\n\t\t/* Put back the comma to allow this to be called again */\n\t\tif (buf)\n\t\t\t*(buf - 1) = ',';\n\t}\n}", "project": "linux", "hash": 117221522482041487919971533568927950479, "size": 19, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445716 }, { "func": "static int input_dev_freeze(struct device *dev)\n{\n\tstruct input_dev *input_dev = to_input_dev(dev);\n\n\tspin_lock_irq(&input_dev->event_lock);\n\n\t/*\n\t * Keys that are pressed now are unlikely to be\n\t * still pressed when we resume.\n\t */\n\tinput_dev_release_keys(input_dev);\n\n\tspin_unlock_irq(&input_dev->event_lock);\n\n\treturn 0;\n}", "project": "linux", "hash": 82201861329827415393224491903363435548, "size": 16, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353313 }, { "func": "static int tcp_dma_try_early_copy(struct sock *sk, struct sk_buff *skb,\n\t\t\t\t int hlen)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tint chunk = skb->len - hlen;\n\tint dma_cookie;\n\tint copied_early = 0;\n\n\tif (tp->ucopy.wakeup)\n\t\treturn 0;\n\n\tif (!tp->ucopy.dma_chan && tp->ucopy.pinned_list)\n\t\ttp->ucopy.dma_chan = dma_find_channel(DMA_MEMCPY);\n\n\tif (tp->ucopy.dma_chan && skb_csum_unnecessary(skb)) {\n\n\t\tdma_cookie = dma_skb_copy_datagram_iovec(tp->ucopy.dma_chan,\n\t\t\t\t\t\t\t skb, hlen,\n\t\t\t\t\t\t\t tp->ucopy.iov, chunk,\n\t\t\t\t\t\t\t tp->ucopy.pinned_list);\n\n\t\tif (dma_cookie < 0)\n\t\t\tgoto out;\n\n\t\ttp->ucopy.dma_cookie = dma_cookie;\n\t\tcopied_early = 1;\n\n\t\ttp->ucopy.len -= chunk;\n\t\ttp->copied_seq += chunk;\n\t\ttcp_rcv_space_adjust(sk);\n\n\t\tif ((tp->ucopy.len == 0) ||\n\t\t (tcp_flag_word(tcp_hdr(skb)) & TCP_FLAG_PSH) ||\n\t\t (atomic_read(&sk->sk_rmem_alloc) > (sk->sk_rcvbuf >> 1))) {\n\t\t\ttp->ucopy.wakeup = 1;\n\t\t\tsk->sk_data_ready(sk, 0);\n\t\t}\n\t} else if (chunk > 0) {\n\t\ttp->ucopy.wakeup = 1;\n\t\tsk->sk_data_ready(sk, 0);\n\t}\nout:\n\treturn copied_early;\n}", "project": "net-next", "hash": 8107280588298713151215334289624009244, "size": 44, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409845 }, { "func": "static int nfs4_proc_readdir(struct dentry *dentry, const struct cred *cred,\n\t\tu64 cookie, struct page **pages, unsigned int count, bool plus)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\tdo {\n\t\terr = _nfs4_proc_readdir(dentry, cred, cookie,\n\t\t\t\tpages, count, plus);\n\t\ttrace_nfs4_readdir(d_inode(dentry), err);\n\t\terr = nfs4_handle_exception(NFS_SERVER(d_inode(dentry)), err,\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 252405602606912949325886487825131715855, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431389 }, { "func": "static void tcp_try_to_open(struct sock *sk, int flag)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\ttcp_verify_left_out(tp);\n\n\tif (!tp->frto_counter && !tcp_any_retrans_done(sk))\n\t\ttp->retrans_stamp = 0;\n\n\tif (flag & FLAG_ECE)\n\t\ttcp_enter_cwr(sk, 1);\n\n\tif (inet_csk(sk)->icsk_ca_state != TCP_CA_CWR) {\n\t\ttcp_try_keep_open(sk);\n\t\tif (inet_csk(sk)->icsk_ca_state != TCP_CA_Open)\n\t\t\ttcp_moderate_cwnd(tp);\n\t} else {\n\t\ttcp_cwnd_down(sk, flag);\n\t}\n}", "project": "net-next", "hash": 18538401283755102382980246939749402903, "size": 20, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN 
flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409850 }, { "func": " void Transcode(tstring* s, UConverter* input_encoder,\n bool* found_any_format_error) {\n icu::UnicodeString source;\n IterateUnicodeString(\n *s, input_encoder,\n std::bind(&UnicodeTranscodeOp::TranslateCodepoints, this, &source,\n found_any_format_error, std::placeholders::_1,\n std::placeholders::_2, std::placeholders::_3));\n\n Encode(output_encoding_, source, s);\n }", "project": "tensorflow", "hash": 252532873059638524701546467022568936404, "size": 11, "commit_id": "2e0ee46f1a47675152d3d865797a18358881d7a6", "message": "Ensure non-empty input_splits in tf.raw_ops.UnicodeEncode\n\nPiperOrigin-RevId: 387170080\nChange-Id: I3b489acc51c5cb4124c535b9df7cc6e62ef21766", "target": 0, "dataset": "other", "idx": 238834 }, { "func": "static inline int pfkey_sec_ctx_len(const struct sadb_x_sec_ctx *sec_ctx)\n{\n\treturn DIV_ROUND_UP(sizeof(struct sadb_x_sec_ctx) +\n\t\t\t sec_ctx->sadb_x_ctx_len,\n\t\t\t sizeof(uint64_t));\n}", "project": "linux", "hash": 241519408489945211186947430302031841071, "size": 6, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268070 }, { "func": "static inline u32 perf_get_misc_flags(struct pt_regs *regs)\n{\n\treturn 0;\n}", "project": "linux", "hash": 282466549997785507044451510322545018841, "size": 4, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374695 }, { "func": "static inline u32 perf_get_misc_flags(struct pt_regs *regs)\n{\n\tbool use_siar = regs_use_siar(regs);\n\tunsigned long mmcra = regs->dsisr;\n\tint marked = mmcra & MMCRA_SAMPLE_ENABLE;\n\n\tif (!use_siar)\n\t\treturn perf_flags_from_msr(regs);\n\n\t/*\n\t * Check the address in SIAR to identify the\n\t * privilege levels since the SIER[MSR_HV, MSR_PR]\n\t * bits are not set for marked events in power10\n\t * DD1.\n\t */\n\tif (marked && (ppmu->flags & PPMU_P10_DD1)) {\n\t\tunsigned long siar = mfspr(SPRN_SIAR);\n\t\tif (siar) {\n\t\t\tif (is_kernel_addr(siar))\n\t\t\t\treturn PERF_RECORD_MISC_KERNEL;\n\t\t\treturn PERF_RECORD_MISC_USER;\n\t\t} else {\n\t\t\tif (is_kernel_addr(regs->nip))\n\t\t\t\treturn PERF_RECORD_MISC_KERNEL;\n\t\t\treturn PERF_RECORD_MISC_USER;\n\t\t}\n\t}\n\n\t/*\n\t * If we don't have flags in MMCRA, rather than using\n\t * the MSR, we intuit the flags from the address in\n\t * SIAR which should give slightly more reliable\n\t * results\n\t */\n\tif (ppmu->flags & PPMU_NO_SIPR) {\n\t\tunsigned long siar = mfspr(SPRN_SIAR);\n\t\tif (is_kernel_addr(siar))\n\t\t\treturn PERF_RECORD_MISC_KERNEL;\n\t\treturn PERF_RECORD_MISC_USER;\n\t}\n\n\t/* PR has priority over HV, so order below is important */\n\tif (regs_sipr(regs))\n\t\treturn PERF_RECORD_MISC_USER;\n\n\tif (regs_sihv(regs) && (freeze_events_kernel != MMCR0_FCHV))\n\t\treturn PERF_RECORD_MISC_HYPERVISOR;\n\n\treturn PERF_RECORD_MISC_KERNEL;\n}", "project": "linux", "hash": 32896567936750452968132264850075505878, "size": 50, "commit_id": 
"60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374700 }, { "func": "static inline void trace_access_unlock(int cpu)\n{\n\tif (cpu == RING_BUFFER_ALL_CPUS) {\n\t\tup_write(&all_cpu_access_lock);\n\t} else {\n\t\tmutex_unlock(&per_cpu(cpu_access_lock, cpu));\n\t\tup_read(&all_cpu_access_lock);\n\t}\n}", "project": "linux", "hash": 73982090825036297220715958564052466750, "size": 9, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445752 }, { "func": "static inline void trace_access_unlock(int cpu)\n{\n\t(void)cpu;\n\tmutex_unlock(&access_lock);\n}", "project": "linux", "hash": 43866420513588589840205074653945046104, "size": 5, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445811 }, { "func": "void JSObject::initializeLazyObject(\n Runtime *runtime,\n Handle lazyObject) {\n assert(lazyObject->flags_.lazyObject && \"object must be lazy\");\n // object is now assumed to be a regular object.\n lazyObject->flags_.lazyObject = 0;\n\n // only functions can be lazy.\n assert(vmisa(lazyObject.get()) && \"unexpected lazy object\");\n Callable::defineLazyProperties(Handle::vmcast(lazyObject), runtime);\n}", "project": "hermes", "hash": 44792727220605810732867876481387301606, "size": 11, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up 
HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230233 }, { "func": "static bool memslot_is_readonly(struct kvm_memory_slot *slot)\n{\n\treturn slot->flags & KVM_MEM_READONLY;\n}", "project": "linux", "hash": 307679309195129524632965126232337799557, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354790 }, { "func": "static void start_interleave_scan(struct hci_dev *hdev)\n{\n\thdev->interleave_scan_state = INTERLEAVE_SCAN_NO_FILTER;\n\tqueue_delayed_work(hdev->req_workqueue,\n\t\t\t &hdev->interleave_scan, 0);\n}", "project": "linux", "hash": 177960447555542853331078921349999798909, "size": 6, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", 
"message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402524 }, { "func": " Cached_item_item(Item *arg) : item(arg) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 57359834169386115739434574670551141587, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509075 }, { "func": "change_refs_to_tmp_fields(THD *thd, Ref_ptr_array ref_pointer_array,\n\t\t\t List &res_selected_fields,\n\t\t\t List &res_all_fields, uint elements,\n\t\t\t List &all_fields)\n{\n List_iterator_fast it(all_fields);\n Item *item, *new_item;\n res_selected_fields.empty();\n res_all_fields.empty();\n\n uint i, border= all_fields.elements - elements;\n for (i= 0; (item= it++); i++)\n {\n if (item->type() == Item::SUM_FUNC_ITEM && item->const_item())\n new_item= item;\n else\n {\n if (!(new_item= item->get_tmp_table_item(thd)))\n return 1;\n }\n\n if (res_all_fields.push_back(new_item, thd->mem_root))\n return 1;\n ref_pointer_array[((i < border)? all_fields.elements-i-1 : i-border)]=\n new_item;\n }\n\n List_iterator_fast itr(res_all_fields);\n for (i= 0; i < border; i++)\n itr++;\n itr.sublist(res_selected_fields, elements);\n\n return thd->is_fatal_error;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 208073774210146620056386989836155651831, "size": 34, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508679 }, { "func": "SYSCALL_DEFINE1(unlink, const char __user *, pathname)\n{\n\treturn do_unlinkat(AT_FDCWD, getname(pathname));\n}", "project": "linux", "hash": 326005394842913645129837001376149345947, "size": 4, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295330 }, { "func": "long do_unlinkat(int dfd, struct filename *name)\n{\n\tint error;\n\tstruct dentry *dentry;\n\tstruct path path;\n\tstruct qstr last;\n\tint type;\n\tstruct inode *inode = NULL;\n\tstruct inode *delegated_inode = NULL;\n\tunsigned int lookup_flags = 0;\nretry:\n\tname = filename_parentat(dfd, name, lookup_flags, &path, &last, &type);\n\tif (IS_ERR(name))\n\t\treturn PTR_ERR(name);\n\n\terror = -EISDIR;\n\tif (type != LAST_NORM)\n\t\tgoto exit1;\n\n\terror = mnt_want_write(path.mnt);\n\tif (error)\n\t\tgoto exit1;\nretry_deleg:\n\tinode_lock_nested(path.dentry->d_inode, I_MUTEX_PARENT);\n\tdentry = __lookup_hash(&last, path.dentry, lookup_flags);\n\terror = PTR_ERR(dentry);\n\tif (!IS_ERR(dentry)) {\n\t\t/* Why not before? 
Because we want correct error value */\n\t\tif (last.name[last.len])\n\t\t\tgoto slashes;\n\t\tinode = dentry->d_inode;\n\t\tif (d_is_negative(dentry))\n\t\t\tgoto slashes;\n\t\tihold(inode);\n\t\terror = security_path_unlink(&path, dentry);\n\t\tif (error)\n\t\t\tgoto exit2;\n\t\terror = vfs_unlink(path.dentry->d_inode, dentry, &delegated_inode);\nexit2:\n\t\tdput(dentry);\n\t}\n\tinode_unlock(path.dentry->d_inode);\n\tif (inode)\n\t\tiput(inode);\t/* truncate the inode here */\n\tinode = NULL;\n\tif (delegated_inode) {\n\t\terror = break_deleg_wait(&delegated_inode);\n\t\tif (!error)\n\t\t\tgoto retry_deleg;\n\t}\n\tmnt_drop_write(path.mnt);\nexit1:\n\tpath_put(&path);\n\tif (retry_estale(error, lookup_flags)) {\n\t\tlookup_flags |= LOOKUP_REVAL;\n\t\tinode = NULL;\n\t\tgoto retry;\n\t}\n\tputname(name);\n\treturn error;\n\nslashes:\n\tif (d_is_negative(dentry))\n\t\terror = -ENOENT;\n\telse if (d_is_dir(dentry))\n\t\terror = -EISDIR;\n\telse\n\t\terror = -ENOTDIR;\n\tgoto exit2;\n}", "project": "linux", "hash": 13437364274148371414188483852476628649, "size": 70, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295362 }, { "func": "static char * __cvt(double value, int ndigit, int *decpt, int *sign,\n int fmode, int pad) {\n register char *s = nullptr;\n char *p, *rve, c;\n size_t siz;\n\n if (ndigit < 0) {\n siz = -ndigit + 1;\n } else {\n siz = ndigit + 1;\n }\n\n /* __dtoa() doesn't allocate space for 0 so we do it by hand */\n if (value == 0.0) {\n *decpt = 1 - fmode; /* 1 for 'e', 0 for 'f' */\n *sign = 0;\n if ((rve = s = (char *)malloc(ndigit?siz:2)) == nullptr) {\n return(nullptr);\n }\n *rve++ = '0';\n *rve = '\\0';\n if 
(!ndigit) {\n return(s);\n }\n } else {\n p = zend_dtoa(value, fmode + 2, ndigit, decpt, sign, &rve);\n if (*decpt == 9999) {\n /* Infinity or Nan, convert to inf or nan like printf */\n *decpt = 0;\n c = *p;\n zend_freedtoa(p);\n return strdup(c == 'I' ? \"INF\" : \"NAN\");\n }\n /* Make a local copy and adjust rve to be in terms of s */\n if (pad && fmode) {\n siz += *decpt;\n }\n if ((s = (char *)malloc(siz+1)) == nullptr) {\n zend_freedtoa(p);\n return(nullptr);\n }\n (void)string_copy(s, p, siz);\n rve = s + (rve - p);\n zend_freedtoa(p);\n }\n\n /* Add trailing zeros */\n if (pad) {\n siz -= rve - s;\n while (--siz) {\n *rve++ = '0';\n }\n *rve = '\\0';\n }\n\n return(s);\n}", "project": "hhvm", "hash": 67978032080169126113182722441024998972, "size": 57, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219353 }, { "func": "static void setautobright(struct gspca_dev *gspca_dev, s32 val)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\ti2c_w_mask(sd, 0x2d, val ? 
0x10 : 0x00, 0x10);\n}", "project": "linux", "hash": 32588184215509188109331819871710043891, "size": 6, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306299 }, { "func": "void trace_buffered_event_enable(void)\n{\n\tstruct ring_buffer_event *event;\n\tstruct page *page;\n\tint cpu;\n\n\tWARN_ON_ONCE(!mutex_is_locked(&event_mutex));\n\n\tif (trace_buffered_event_ref++)\n\t\treturn;\n\n\tfor_each_tracing_cpu(cpu) {\n\t\tpage = alloc_pages_node(cpu_to_node(cpu),\n\t\t\t\t\tGFP_KERNEL | __GFP_NORETRY, 0);\n\t\tif (!page)\n\t\t\tgoto failed;\n\n\t\tevent = page_address(page);\n\t\tmemset(event, 0, sizeof(*event));\n\n\t\tper_cpu(trace_buffered_event, cpu) = event;\n\n\t\tpreempt_disable();\n\t\tif (cpu == smp_processor_id() &&\n\t\t this_cpu_read(trace_buffered_event) !=\n\t\t per_cpu(trace_buffered_event, cpu))\n\t\t\tWARN_ON_ONCE(1);\n\t\tpreempt_enable();\n\t}\n\n\treturn;\n failed:\n\ttrace_buffered_event_disable();\n}", "project": "linux", "hash": 139131169115816830326869557873879403808, "size": 34, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, 
memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445586 }, { "func": "static void mt_sync_frame(struct mt_device *td, struct mt_application *app,\n\t\t\t struct input_dev *input)\n{\n\tif (app->quirks & MT_QUIRK_WIN8_PTP_BUTTONS)\n\t\tinput_event(input, EV_KEY, BTN_LEFT, app->left_button_state);\n\n\tinput_mt_sync_frame(input);\n\tinput_event(input, EV_MSC, MSC_TIMESTAMP, app->timestamp);\n\tinput_sync(input);\n\n\tmt_release_pending_palms(td, app, input);\n\n\tapp->num_received = 0;\n\tapp->left_button_state = 0;\n\n\tif (test_bit(MT_IO_FLAGS_ACTIVE_SLOTS, &td->mt_io_flags))\n\t\tset_bit(MT_IO_FLAGS_PENDING_SLOTS, &td->mt_io_flags);\n\telse\n\t\tclear_bit(MT_IO_FLAGS_PENDING_SLOTS, &td->mt_io_flags);\n\tclear_bit(MT_IO_FLAGS_ACTIVE_SLOTS, &td->mt_io_flags);\n}", "project": "linux", "hash": 292874055528998441791967529140796392436, "size": 21, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch 
unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458400 }, { "func": "parse_sub_exp (re_string_t *regexp, regex_t *preg, re_token_t *token,\n\t reg_syntax_t syntax, Idx nest, reg_errcode_t *err)\n{\n re_dfa_t *dfa = preg->buffer;\n bin_tree_t *tree;\n size_t cur_nsub;\n cur_nsub = preg->re_nsub++;\n\n fetch_token (token, regexp, syntax | RE_CARET_ANCHORS_HERE);\n\n /* The subexpression may be a null string. */\n if (token->type == OP_CLOSE_SUBEXP)\n tree = NULL;\n else\n {\n tree = parse_reg_exp (regexp, preg, token, syntax, nest, err);\n if (BE (*err == REG_NOERROR && token->type != OP_CLOSE_SUBEXP, 0))\n\t{\n\t if (tree != NULL)\n\t postorder (tree, free_tree, NULL);\n\t *err = REG_EPAREN;\n\t}\n if (BE (*err != REG_NOERROR, 0))\n\treturn NULL;\n }\n\n if (cur_nsub <= '9' - '1')\n dfa->completed_bkref_map |= 1 << cur_nsub;\n\n tree = create_tree (dfa, tree, NULL, SUBEXP);\n if (BE (tree == NULL, 0))\n {\n *err = REG_ESPACE;\n return NULL;\n }\n tree->token.opr.idx = cur_nsub;\n return tree;\n}", "project": "gnulib", "hash": 170571015609791747481334130134388638817, "size": 38, "commit_id": "5513b40999149090987a0341c018d05d3eea1272", "message": "Diagnose ERE '()|\\1'\n\nProblem reported by Hanno Böck in: http://bugs.gnu.org/21513\n* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep\ntrack of the set of previously-completed subexpressions available\nbefore the first alternative, and restore this set just before\nparsing each subsequent alternative. 
This lets us diagnose the\ninvalid back-reference in the ERE '()|\\1'.", "target": 0, "dataset": "other", "idx": 285527 }, { "func": "parse (re_string_t *regexp, regex_t *preg, reg_syntax_t syntax,\n reg_errcode_t *err)\n{\n re_dfa_t *dfa = preg->buffer;\n bin_tree_t *tree, *eor, *root;\n re_token_t current_token;\n dfa->syntax = syntax;\n fetch_token (¤t_token, regexp, syntax | RE_CARET_ANCHORS_HERE);\n tree = parse_reg_exp (regexp, preg, ¤t_token, syntax, 0, err);\n if (BE (*err != REG_NOERROR && tree == NULL, 0))\n return NULL;\n eor = create_tree (dfa, NULL, NULL, END_OF_RE);\n if (tree != NULL)\n root = create_tree (dfa, tree, eor, CONCAT);\n else\n root = eor;\n if (BE (eor == NULL || root == NULL, 0))\n {\n *err = REG_ESPACE;\n return NULL;\n }\n return root;\n}", "project": "gnulib", "hash": 266288640118770460670596425632351472863, "size": 23, "commit_id": "5513b40999149090987a0341c018d05d3eea1272", "message": "Diagnose ERE '()|\\1'\n\nProblem reported by Hanno Böck in: http://bugs.gnu.org/21513\n* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep\ntrack of the set of previously-completed subexpressions available\nbefore the first alternative, and restore this set just before\nparsing each subsequent alternative. 
This lets us diagnose the\ninvalid back-reference in the ERE '()|\\1'.", "target": 0, "dataset": "other", "idx": 285535 }, { "func": "int bcf_hrec_add_key(bcf_hrec_t *hrec, const char *str, size_t len)\n{\n char **tmp;\n size_t n = hrec->nkeys + 1;\n assert(len > 0 && len < SIZE_MAX);\n tmp = realloc(hrec->keys, sizeof(char*)*n);\n if (!tmp) return -1;\n hrec->keys = tmp;\n tmp = realloc(hrec->vals, sizeof(char*)*n);\n if (!tmp) return -1;\n hrec->vals = tmp;\n\n hrec->keys[hrec->nkeys] = (char*) malloc((len+1)*sizeof(char));\n if (!hrec->keys[hrec->nkeys]) return -1;\n memcpy(hrec->keys[hrec->nkeys],str,len);\n hrec->keys[hrec->nkeys][len] = 0;\n hrec->vals[hrec->nkeys] = NULL;\n hrec->nkeys = n;\n return 0;\n}", "project": "htslib", "hash": 71878491145630710095088858923680854096, "size": 20, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402152 }, { "func": "static int allocate_trace_buffers(struct trace_array *tr, int size)\n{\n\tint ret;\n\n\tret = allocate_trace_buffer(tr, &tr->trace_buffer, size);\n\tif (ret)\n\t\treturn ret;\n\n#ifdef CONFIG_TRACER_MAX_TRACE\n\tret = allocate_trace_buffer(tr, &tr->max_buffer,\n\t\t\t\t allocate_snapshot ? 
size : 1);\n\tif (WARN_ON(ret)) {\n\t\tring_buffer_free(tr->trace_buffer.buffer);\n\t\ttr->trace_buffer.buffer = NULL;\n\t\tfree_percpu(tr->trace_buffer.data);\n\t\ttr->trace_buffer.data = NULL;\n\t\treturn -ENOMEM;\n\t}\n\ttr->allocated_snapshot = allocate_snapshot;\n\n\t/*\n\t * Only the top level trace array gets its snapshot allocated\n\t * from the kernel command line.\n\t */\n\tallocate_snapshot = false;\n#endif\n\treturn 0;\n}", "project": "linux", "hash": 175544394816006719717524889194672975934, "size": 28, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445679 }, { "func": "void CServer::Kick(int ClientID, const char *pReason)\n{\n\tif(ClientID < 0 || ClientID >= MAX_CLIENTS || m_aClients[ClientID].m_State == CClient::STATE_EMPTY)\n\t{\n\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"server\", \"invalid client id to kick\");\n\t\treturn;\n\t}\n\telse if(m_RconClientID == ClientID)\n\t{\n\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"server\", \"you can't kick yourself\");\n \t\treturn;\n\t}\n\telse if(m_aClients[ClientID].m_Authed > m_RconAuthLevel)\n\t{\n\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"server\", \"kick command denied\");\n \t\treturn;\n\t}\n\n\tm_NetServer.Drop(ClientID, pReason);\n}", 
"project": "teeworlds", "hash": 138746829612542626944925461675717503875, "size": 20, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382005 }, { "func": "pfkey_sockaddr_size(sa_family_t family)\n{\n\treturn PFKEY_ALIGN8(pfkey_sockaddr_len(family));\n}", "project": "linux", "hash": 214196676846131135022946721604454053478, "size": 4, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 267992 }, { "func": "static int fuse_writepages(struct address_space *mapping,\n\t\t\t struct writeback_control *wbc)\n{\n\tstruct inode *inode = mapping->host;\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tstruct fuse_fill_wb_data data;\n\tint err;\n\n\terr = -EIO;\n\tif (fuse_is_bad(inode))\n\t\tgoto out;\n\n\tdata.inode = inode;\n\tdata.wpa = NULL;\n\tdata.ff = NULL;\n\n\terr = -ENOMEM;\n\tdata.orig_pages = kcalloc(fc->max_pages,\n\t\t\t\t sizeof(struct page *),\n\t\t\t\t GFP_NOFS);\n\tif (!data.orig_pages)\n\t\tgoto out;\n\n\terr = write_cache_pages(mapping, wbc, fuse_writepages_fill, &data);\n\tif (data.wpa) {\n\t\tWARN_ON(!data.wpa->ia.ap.num_pages);\n\t\tfuse_writepages_send(&data);\n\t}\n\tif (data.ff)\n\t\tfuse_file_put(data.ff, false, false);\n\n\tkfree(data.orig_pages);\nout:\n\treturn err;\n}", "project": "linux", "hash": 193204828532401087295391409798361704923, "size": 35, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342073 }, { "func": " inline void ReplaceWith(int dimensions_count, const int32_t* dims_data) {\n Resize(dimensions_count);\n int32_t* dst_dims = DimsData();\n std::memcpy(dst_dims, dims_data, dimensions_count * sizeof(int32_t));\n }", "project": "tensorflow", "hash": 305268560344138923630935332733855953665, "size": 5, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269158 }, { "func": "static bool nfs4_refresh_open_old_stateid(nfs4_stateid *dst,\n\t\tstruct nfs4_state *state)\n{\n\t__be32 seqid_open;\n\tu32 dst_seqid;\n\tbool ret;\n\tint seq;\n\n\tfor (;;) {\n\t\tret = false;\n\t\tif (!nfs4_valid_open_stateid(state))\n\t\t\tbreak;\n\t\tseq = read_seqbegin(&state->seqlock);\n\t\tif (!nfs4_state_match_open_stateid_other(state, dst)) {\n\t\t\tif (read_seqretry(&state->seqlock, seq))\n\t\t\t\tcontinue;\n\t\t\tbreak;\n\t\t}\n\t\tseqid_open = state->open_stateid.seqid;\n\t\tif (read_seqretry(&state->seqlock, seq))\n\t\t\tcontinue;\n\n\t\tdst_seqid = be32_to_cpu(dst->seqid);\n\t\tif ((s32)(dst_seqid - be32_to_cpu(seqid_open)) >= 0)\n\t\t\tdst->seqid = cpu_to_be32(dst_seqid + 1);\n\t\telse\n\t\t\tdst->seqid = seqid_open;\n\t\tret = true;\n\t\tbreak;\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 138843120523493154786149567051415123486, "size": 33, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430947 }, { "func": "static void exif_iif_add_value(image_info_type *image_info, int section_index,\n char *name, int tag, int format, int length,\n void* value, int motorola_intel) {\n size_t idex;\n void *vptr;\n image_info_value *info_value;\n image_info_data *info_data;\n 
image_info_data *list;\n\n if (length < 0) {\n return;\n }\n\n size_t realloc_size = (image_info->info_list[section_index].count+1) *\n sizeof(image_info_data);\n list = (image_info_data*)\n IM_REALLOC(image_info->info_list[section_index].list, realloc_size);\n CHECK_ALLOC(list, realloc_size);\n image_info->info_list[section_index].list = list;\n\n info_data = &image_info->info_list[section_index].\n list[image_info->info_list[section_index].count];\n memset(info_data, 0, sizeof(image_info_data));\n info_data->tag = tag;\n info_data->format = format;\n info_data->length = length;\n PHP_STRDUP(info_data->name, name);\n info_value = &info_data->value;\n\n switch (format) {\n case TAG_FMT_STRING:\n if (value) {\n length = php_strnlen((char*)value, length);\n // TODO\n // if (PG(magic_quotes_runtime)) {\n // info_value->s = php_addslashes(value, length, &length, 0);\n // } else {\n PHP_STRNDUP(info_value->s, (const char *)value, length);\n // }\n info_data->length = (info_value->s ? length : 0);\n } else {\n info_data->length = 0;\n PHP_STRDUP(info_value->s, \"\");\n }\n break;\n\n default:\n /* Standard says more types possible but skip them...\n * but allow users to handle data if they know how to\n * So not return but use type UNDEFINED\n * return;\n */\n info_data->tag = TAG_FMT_UNDEFINED;/* otherwise not freed from memory */\n case TAG_FMT_SBYTE:\n case TAG_FMT_BYTE:\n /* in contrast to strings bytes do not need to allocate buffer for\n nullptr if length==0 */\n if (!length)\n break;\n case TAG_FMT_UNDEFINED:\n if (value) {\n /* do not recompute length here */\n // TODO\n // if (PG(magic_quotes_runtime)) {\n // info_value->s = php_addslashes(value, length, &length, 0);\n // } else {\n PHP_STRNDUP(info_value->s, (const char *)value, length);\n // }\n info_data->length = (info_value->s ? 
length : 0);\n } else {\n info_data->length = 0;\n PHP_STRDUP(info_value->s, \"\");\n }\n break;\n\n case TAG_FMT_USHORT:\n case TAG_FMT_ULONG:\n case TAG_FMT_URATIONAL:\n case TAG_FMT_SSHORT:\n case TAG_FMT_SLONG:\n case TAG_FMT_SRATIONAL:\n case TAG_FMT_SINGLE:\n case TAG_FMT_DOUBLE:\n if (length==0) {\n break;\n } else if (length>1) {\n info_value->list =\n (image_info_value*)IM_CALLOC(length, sizeof(image_info_value));\n CHECK_ALLOC(info_value->list, sizeof(image_info_value));\n } else {\n info_value = &info_data->value;\n }\n for (idex=0,vptr=value; idex<(size_t)length;\n idex++,vptr=(char *) vptr + get_php_tiff_bytes_per_format(format)) {\n if (length>1) {\n info_value = &info_data->value.list[idex];\n }\n switch (format) {\n case TAG_FMT_USHORT:\n info_value->u = php_ifd_get16u(vptr, motorola_intel);\n break;\n\n case TAG_FMT_ULONG:\n info_value->u = php_ifd_get32u(vptr, motorola_intel);\n break;\n\n case TAG_FMT_URATIONAL:\n info_value->ur.num = php_ifd_get32u(vptr, motorola_intel);\n info_value->ur.den = php_ifd_get32u(4+(char *)vptr, motorola_intel);\n break;\n\n case TAG_FMT_SSHORT:\n info_value->i = php_ifd_get16s(vptr, motorola_intel);\n break;\n\n case TAG_FMT_SLONG:\n info_value->i = php_ifd_get32s(vptr, motorola_intel);\n break;\n\n case TAG_FMT_SRATIONAL:\n info_value->sr.num = php_ifd_get32u(vptr, motorola_intel);\n info_value->sr.den = php_ifd_get32u(4+(char *)vptr, motorola_intel);\n break;\n\n case TAG_FMT_SINGLE:\n info_value->f = *(float *)value;\n\n case TAG_FMT_DOUBLE:\n info_value->d = *(double *)value;\n break;\n }\n }\n }\n image_info->sections_found |= 1<info_list[section_index].count++;\n}", "project": "hhvm", "hash": 52218264679626364717075334929406422375, "size": 136, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219078 }, { "func": "static void exif_iif_add_value(image_info_type *image_info, int 
section_index, char *name, int tag, int format, int length, void* value, size_t value_len, int motorola_intel)\n{\n\tsize_t idex;\n\tvoid *vptr, *vptr_end;\n\timage_info_value *info_value;\n\timage_info_data *info_data;\n\timage_info_data *list;\n\n\tif (length < 0) {\n\t\treturn;\n\t}\n\n\tlist = safe_erealloc(image_info->info_list[section_index].list, (image_info->info_list[section_index].count+1), sizeof(image_info_data), 0);\n\timage_info->info_list[section_index].list = list;\n\n\tinfo_data = &image_info->info_list[section_index].list[image_info->info_list[section_index].count];\n\tmemset(info_data, 0, sizeof(image_info_data));\n\tinfo_data->tag = tag;\n\tinfo_data->format = format;\n\tinfo_data->length = length;\n\tinfo_data->name = estrdup(name);\n\tinfo_value = &info_data->value;\n\n\tswitch (format) {\n\t\tcase TAG_FMT_STRING:\n\t\t\tif (length > value_len) {\n\t\t\t\texif_error_docref(\"exif_iif_add_value\" EXIFERR_CC, image_info, E_WARNING, \"length > value_len: %d > %zu\", length, value_len);\n\t\t\t\tvalue = NULL;\n\t\t\t}\n\t\t\tif (value) {\n\t\t\t\tlength = (int)php_strnlen(value, length);\n\t\t\t\tinfo_value->s = estrndup(value, length);\n\t\t\t\tinfo_data->length = length;\n\t\t\t} else {\n\t\t\t\tinfo_data->length = 0;\n\t\t\t\tinfo_value->s = estrdup(\"\");\n\t\t\t}\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\t/* Standard says more types possible but skip them...\n\t\t\t * but allow users to handle data if they know how to\n\t\t\t * So not return but use type UNDEFINED\n\t\t\t * return;\n\t\t\t */\n\t\t\tinfo_data->tag = TAG_FMT_UNDEFINED;/* otherwise not freed from memory */\n\t\tcase TAG_FMT_SBYTE:\n\t\tcase TAG_FMT_BYTE:\n\t\t/* in contrast to strings bytes do not need to allocate buffer for NULL if length==0 */\n\t\t\tif (!length)\n\t\t\t\tbreak;\n\t\tcase TAG_FMT_UNDEFINED:\n\t\t\tif (length > value_len) {\n\t\t\t\texif_error_docref(\"exif_iif_add_value\" EXIFERR_CC, image_info, E_WARNING, \"length > value_len: %d > %zu\", length, 
value_len);\n\t\t\t\tvalue = NULL;\n\t\t\t}\n\t\t\tif (value) {\n\t\t\t\tif (tag == TAG_MAKER_NOTE) {\n\t\t\t\t\tlength = (int) php_strnlen(value, length);\n\t\t\t\t}\n\n\t\t\t\t/* do not recompute length here */\n\t\t\t\tinfo_value->s = estrndup(value, length);\n\t\t\t\tinfo_data->length = length;\n\t\t\t} else {\n\t\t\t\tinfo_data->length = 0;\n\t\t\t\tinfo_value->s = estrdup(\"\");\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase TAG_FMT_USHORT:\n\t\tcase TAG_FMT_ULONG:\n\t\tcase TAG_FMT_URATIONAL:\n\t\tcase TAG_FMT_SSHORT:\n\t\tcase TAG_FMT_SLONG:\n\t\tcase TAG_FMT_SRATIONAL:\n\t\tcase TAG_FMT_SINGLE:\n\t\tcase TAG_FMT_DOUBLE:\n\t\t\tif (length==0) {\n\t\t\t\tbreak;\n\t\t\t} else\n\t\t\tif (length>1) {\n\t\t\t\tinfo_value->list = safe_emalloc(length, sizeof(image_info_value), 0);\n\t\t\t} else {\n\t\t\t\tinfo_value = &info_data->value;\n\t\t\t}\n\t\t\tvptr_end = (char *) value + value_len;\n\t\t\tfor (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {\n\t\t\t\tif ((char *) vptr_end - (char *) vptr < php_tiff_bytes_per_format[format]) {\n\t\t\t\t\texif_error_docref(\"exif_iif_add_value\" EXIFERR_CC, image_info, E_WARNING, \"Value too short\");\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tif (length>1) {\n\t\t\t\t\tinfo_value = &info_data->value.list[idex];\n\t\t\t\t}\n\t\t\t\tswitch (format) {\n\t\t\t\t\tcase TAG_FMT_USHORT:\n\t\t\t\t\t\tinfo_value->u = php_ifd_get16u(vptr, motorola_intel);\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase TAG_FMT_ULONG:\n\t\t\t\t\t\tinfo_value->u = php_ifd_get32u(vptr, motorola_intel);\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase TAG_FMT_URATIONAL:\n\t\t\t\t\t\tinfo_value->ur.num = php_ifd_get32u(vptr, motorola_intel);\n\t\t\t\t\t\tinfo_value->ur.den = php_ifd_get32u(4+(char *)vptr, motorola_intel);\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase TAG_FMT_SSHORT:\n\t\t\t\t\t\tinfo_value->i = php_ifd_get16s(vptr, motorola_intel);\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase TAG_FMT_SLONG:\n\t\t\t\t\t\tinfo_value->i = 
php_ifd_get32s(vptr, motorola_intel);\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase TAG_FMT_SRATIONAL:\n\t\t\t\t\t\tinfo_value->sr.num = php_ifd_get32u(vptr, motorola_intel);\n\t\t\t\t\t\tinfo_value->sr.den = php_ifd_get32u(4+(char *)vptr, motorola_intel);\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase TAG_FMT_SINGLE:\n#ifdef EXIF_DEBUG\n\t\t\t\t\t\tphp_error_docref(NULL, E_WARNING, \"Found value of type single\");\n#endif\n\t\t\t\t\t\tinfo_value->f = *(float *)value;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tcase TAG_FMT_DOUBLE:\n#ifdef EXIF_DEBUG\n\t\t\t\t\t\tphp_error_docref(NULL, E_WARNING, \"Found value of type double\");\n#endif\n\t\t\t\t\t\tinfo_value->d = *(double *)value;\n\t\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t}\n\timage_info->sections_found |= 1<info_list[section_index].count++;\n}", "project": "php-src", "hash": 268760631243094757804327437796302812014, "size": 140, "commit_id": "e648fa4699e8d072db6db34fcc09826e8127fab8", "message": "Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)\n\n(cherry picked from commit aeb6d13185a2ea4f1496ede2697469faed98ce05)", "target": 0, "dataset": "other", "idx": 335785 }, { "func": "\nstatic bool bfq_may_be_close_cooperator(struct bfq_queue *bfqq,\n\t\t\t\t\tstruct bfq_queue *new_bfqq)\n{\n\tif (bfq_too_late_for_merging(new_bfqq))\n\t\treturn false;\n\n\tif (bfq_class_idle(bfqq) || bfq_class_idle(new_bfqq) ||\n\t (bfqq->ioprio_class != new_bfqq->ioprio_class))\n\t\treturn false;\n\n\t/*\n\t * If either of the queues has already been detected as seeky,\n\t * then merging it with the other queue is unlikely to lead to\n\t * sequential I/O.\n\t */\n\tif (BFQQ_SEEKY(bfqq) || BFQQ_SEEKY(new_bfqq))\n\t\treturn false;\n\n\t/*\n\t * Interleaved I/O is known to be done by (some) applications\n\t * only for reads, so it does not make sense to merge async\n\t * queues.\n\t */\n\tif (!bfq_bfqq_sync(bfqq) || !bfq_bfqq_sync(new_bfqq))\n\t\treturn false;\n\n\treturn true;", "project": "linux", "hash": 139227681081160820281320101187978963559, 
"size": 28, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] 
handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] 
el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453278 }, { "project": "Chrome", "commit_id": 
"327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "int WebGraphicsContext3DDefaultImpl::height()\n{\n return m_cachedHeight;\n}\n", "cwe": "", "big_vul_idx": 99008, "idx": 89065, "hash": 64116610462830865603401763131393630973 }, { "func": "static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)\n{\n\tif (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))\n\t\tgoto nla_put_failure;\n\treturn 0;\n\nnla_put_failure:\n\treturn -1;\n}", "project": "linux", "hash": 273755515027361221745016126089457139319, "size": 9, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. 
MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394175 }, { "func": "void JOIN::set_allowed_join_cache_types()\n{\n allowed_join_cache_types= 0;\n if (optimizer_flag(thd, OPTIMIZER_SWITCH_JOIN_CACHE_INCREMENTAL))\n allowed_join_cache_types|= JOIN_CACHE_INCREMENTAL_BIT;\n if (optimizer_flag(thd, OPTIMIZER_SWITCH_JOIN_CACHE_HASHED))\n allowed_join_cache_types|= JOIN_CACHE_HASHED_BIT;\n if (optimizer_flag(thd, OPTIMIZER_SWITCH_JOIN_CACHE_BKA))\n allowed_join_cache_types|= JOIN_CACHE_BKA_BIT;\n allowed_semijoin_with_cache=\n optimizer_flag(thd, OPTIMIZER_SWITCH_SEMIJOIN_WITH_CACHE);\n allowed_outer_join_with_cache=\n optimizer_flag(thd, OPTIMIZER_SWITCH_OUTER_JOIN_WITH_CACHE);\n max_allowed_join_cache_level= thd->variables.join_cache_level;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 149899838064389986283863749314522973387, "size": 15, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508586 }, { "func": "static void set_msr_interception(u32 *msrpm, unsigned msr,\n\t\t\t\t int read, int write)\n{\n\tu8 bit_read, bit_write;\n\tunsigned long tmp;\n\tu32 offset;\n\n\t/*\n\t * If this warning triggers extend the direct_access_msrs list at the\n\t * beginning of the file\n\t */\n\tWARN_ON(!valid_msr_intercept(msr));\n\n\toffset = svm_msrpm_offset(msr);\n\tbit_read = 2 * (msr & 0x0f);\n\tbit_write = 2 * (msr & 0x0f) + 1;\n\ttmp = msrpm[offset];\n\n\tBUG_ON(offset == MSR_INVALID);\n\n\tread ? clear_bit(bit_read, &tmp) : set_bit(bit_read, &tmp);\n\twrite ? clear_bit(bit_write, &tmp) : set_bit(bit_write, &tmp);\n\n\tmsrpm[offset] = tmp;\n}", "project": "linux", "hash": 80365121054721288371644700752223759908, "size": 25, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432587 }, { "func": "static OPJ_UINT32 opj_j2k_get_SQcd_SQcc_size(opj_j2k_t *p_j2k,\n OPJ_UINT32 p_tile_no,\n OPJ_UINT32 p_comp_no)\n{\n OPJ_UINT32 l_num_bands;\n\n opj_cp_t *l_cp = 00;\n opj_tcp_t *l_tcp = 00;\n opj_tccp_t *l_tccp = 00;\n\n /* preconditions */\n assert(p_j2k != 00);\n\n l_cp = &(p_j2k->m_cp);\n l_tcp = &l_cp->tcps[p_tile_no];\n l_tccp = &l_tcp->tccps[p_comp_no];\n\n /* preconditions again */\n assert(p_tile_no < l_cp->tw * l_cp->th);\n assert(p_comp_no < p_j2k->m_private_image->numcomps);\n\n l_num_bands = (l_tccp->qntsty == J2K_CCP_QNTSTY_SIQNT) ? 1 :\n (l_tccp->numresolutions * 3 - 2);\n\n if (l_tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) {\n return 1 + l_num_bands;\n } else {\n return 1 + 2 * l_num_bands;\n }\n}", "project": "openjpeg", "hash": 12068669570805813273410153403263124987, "size": 30, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357411 }, { "func": "static int fixup_owner(u32 __user *uaddr, int fshared, struct futex_q *q,\n\t\t int locked)\n{\n\tstruct task_struct *owner;\n\tint ret = 0;\n\n\tif (locked) {\n\t\t/*\n\t\t * Got the lock. We might not be the anticipated owner if we\n\t\t * did a lock-steal - fix up the PI-state in that case:\n\t\t */\n\t\tif (q->pi_state->owner != current)\n\t\t\tret = fixup_pi_state_owner(uaddr, q, current, fshared);\n\t\tgoto out;\n\t}\n\n\t/*\n\t * Catch the rare case, where the lock was released when we were on the\n\t * way back before we locked the hash bucket.\n\t */\n\tif (q->pi_state->owner == current) {\n\t\t/*\n\t\t * Try to get the rt_mutex now. 
This might fail as some other\n\t\t * task acquired the rt_mutex after we removed ourself from the\n\t\t * rt_mutex waiters list.\n\t\t */\n\t\tif (rt_mutex_trylock(&q->pi_state->pi_mutex)) {\n\t\t\tlocked = 1;\n\t\t\tgoto out;\n\t\t}\n\n\t\t/*\n\t\t * pi_state is incorrect, some other task did a lock steal and\n\t\t * we returned due to timeout or signal without taking the\n\t\t * rt_mutex. Too late. We can access the rt_mutex_owner without\n\t\t * locking, as the other task is now blocked on the hash bucket\n\t\t * lock. Fix the state up.\n\t\t */\n\t\towner = rt_mutex_owner(&q->pi_state->pi_mutex);\n\t\tret = fixup_pi_state_owner(uaddr, q, owner, fshared);\n\t\tgoto out;\n\t}\n\n\t/*\n\t * Paranoia check. If we did not take the lock, then we should not be\n\t * the owner, nor the pending owner, of the rt_mutex.\n\t */\n\tif (rt_mutex_owner(&q->pi_state->pi_mutex) == current)\n\t\tprintk(KERN_ERR \"fixup_owner: ret = %d pi-mutex: %p \"\n\t\t\t\t\"pi-state %p\\n\", ret,\n\t\t\t\tq->pi_state->pi_mutex.owner,\n\t\t\t\tq->pi_state->owner);\n\nout:\n\treturn ret ? ret : locked;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 308399091060586468398864851051167991472, "size": 56, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492303 }, { "func": "void calculate_sigpending(void)\n{\n\t/* Have any signals or users of TIF_SIGPENDING been delayed\n\t * until after fork?\n\t */\n\tspin_lock_irq(¤t->sighand->siglock);\n\tset_tsk_thread_flag(current, TIF_SIGPENDING);\n\trecalc_sigpending();\n\tspin_unlock_irq(¤t->sighand->siglock);\n}", "project": "linux", "hash": 250953534890626198062389129824989834243, "size": 10, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375308 }, { "func": "static int fuse_fill_super(struct super_block *sb, struct fs_context *fsc)\n{\n\tstruct fuse_fs_context *ctx = fsc->fs_private;\n\tstruct file *file;\n\tint err;\n\tstruct fuse_conn *fc;\n\tstruct fuse_mount *fm;\n\n\terr = -EINVAL;\n\tfile = fget(ctx->fd);\n\tif (!file)\n\t\tgoto err;\n\n\t/*\n\t * Require mount to happen from the same user namespace which\n\t * opened /dev/fuse to prevent potential attacks.\n\t */\n\tif ((file->f_op != &fuse_dev_operations) ||\n\t (file->f_cred->user_ns != sb->s_user_ns))\n\t\tgoto err_fput;\n\tctx->fudptr = &file->private_data;\n\n\tfc = kmalloc(sizeof(*fc), GFP_KERNEL);\n\terr = -ENOMEM;\n\tif (!fc)\n\t\tgoto err_fput;\n\n\tfm = kzalloc(sizeof(*fm), GFP_KERNEL);\n\tif (!fm) {\n\t\tkfree(fc);\n\t\tgoto err_fput;\n\t}\n\n\tfuse_conn_init(fc, fm, sb->s_user_ns, &fuse_dev_fiq_ops, NULL);\n\tfc->release = fuse_free_conn;\n\n\tsb->s_fs_info = fm;\n\n\terr = fuse_fill_super_common(sb, ctx);\n\tif (err)\n\t\tgoto err_put_conn;\n\t/*\n\t * atomic_dec_and_test() in fput() 
provides the necessary\n\t * memory barrier for file->private_data to be visible on all\n\t * CPUs after this\n\t */\n\tfput(file);\n\tfuse_send_init(get_fuse_mount_super(sb));\n\treturn 0;\n\n err_put_conn:\n\tfuse_conn_put(fc);\n\tkfree(fm);\n\tsb->s_fs_info = NULL;\n err_fput:\n\tfput(file);\n err:\n\treturn err;\n}", "project": "linux", "hash": 157801667561435213613279211925738080901, "size": 59, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342033 }, { "func": "TEST_F(ZNCTest, AwayNotify) {\n auto znc = Run();\n auto ircd = ConnectIRCd();\n auto client = ConnectClient();\n client.Write(\"CAP LS\");\n client.Write(\"PASS :hunter2\");\n client.Write(\"NICK nick\");\n client.Write(\"USER user/test x x :x\");\n QByteArray cap_ls;\n client.ReadUntilAndGet(\" LS :\", cap_ls);\n ASSERT_THAT(cap_ls.toStdString(),\n AllOf(HasSubstr(\"cap-notify\"), Not(HasSubstr(\"away-notify\"))));\n client.Write(\"CAP REQ :cap-notify\");\n client.ReadUntil(\"ACK :cap-notify\");\n client.Write(\"CAP END\");\n client.ReadUntil(\" 001 \");\n ircd.ReadUntil(\"USER\");\n ircd.Write(\"CAP user LS :away-notify\");\n ircd.ReadUntil(\"CAP REQ :away-notify\");\n ircd.Write(\"CAP user ACK :away-notify\");\n ircd.ReadUntil(\"CAP END\");\n ircd.Write(\":server 001 user :welcome\");\n client.ReadUntil(\"CAP user NEW :away-notify\");\n client.Write(\"CAP REQ :away-notify\");\n client.ReadUntil(\"ACK :away-notify\");\n ircd.Write(\":x!y@z AWAY :reason\");\n client.ReadUntil(\":x!y@z AWAY :reason\");\n ircd.Close();\n client.ReadUntil(\"DEL :away-notify\");\n}", "project": "znc", "hash": 108078487648564595235087477113095088941, "size": 30, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231545 }, { "func": "int kvm_read_guest_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,\n\t\t\t void *data, unsigned long len)\n{\n\tstruct kvm_memslots *slots = kvm_memslots(kvm);\n\tint r;\n\n\tBUG_ON(len > ghc->len);\n\n\tif (slots->generation != ghc->generation) {\n\t\tif (__kvm_gfn_to_hva_cache_init(slots, ghc, ghc->gpa, 
ghc->len))\n\t\t\treturn -EFAULT;\n\t}\n\n\tif (kvm_is_error_hva(ghc->hva))\n\t\treturn -EFAULT;\n\n\tif (unlikely(!ghc->memslot))\n\t\treturn kvm_read_guest(kvm, ghc->gpa, data, len);\n\n\tr = __copy_from_user(data, (void __user *)ghc->hva, len);\n\tif (r)\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 58426066765929807099130300606835088587, "size": 25, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354620 }, { "func": "int kvm_read_guest_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,\n\t\t\t void *data, unsigned long len)\n{\n\treturn kvm_read_guest_offset_cached(kvm, ghc, data, 0, len);\n}", "project": "linux", "hash": 212315726283511132460279360763988264599, "size": 5, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404077 }, { "func": "static void ov51x_led_control(struct sd *sd, int on)\n{\n\tif (sd->invert_led)\n\t\ton = !on;\n\n\tswitch (sd->bridge) {\n\t/* OV511 has no LED control */\n\tcase BRIDGE_OV511PLUS:\n\t\treg_w(sd, R511_SYS_LED_CTL, on);\n\t\tbreak;\n\tcase BRIDGE_OV518:\n\tcase BRIDGE_OV518PLUS:\n\t\treg_w_mask(sd, R518_GPIO_OUT, 0x02 * on, 0x02);\n\t\tbreak;\n\tcase BRIDGE_OV519:\n\t\treg_w_mask(sd, OV519_GPIO_DATA_OUT0, on, 1);\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 107958386299552405529986942362637000174, "size": 19, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306298 }, { "func": "static int _nfs4_proc_exchange_id(struct nfs_client 
*clp, const struct cred *cred,\n\t\t\tu32 sp4_how)\n{\n\tstruct rpc_task *task;\n\tstruct nfs41_exchange_id_args *argp;\n\tstruct nfs41_exchange_id_res *resp;\n\tunsigned long now = jiffies;\n\tint status;\n\n\ttask = nfs4_run_exchange_id(clp, cred, sp4_how, NULL);\n\tif (IS_ERR(task))\n\t\treturn PTR_ERR(task);\n\n\targp = task->tk_msg.rpc_argp;\n\tresp = task->tk_msg.rpc_resp;\n\tstatus = task->tk_status;\n\tif (status != 0)\n\t\tgoto out;\n\n\tstatus = nfs4_check_cl_exchange_flags(resp->flags);\n\tif (status != 0)\n\t\tgoto out;\n\n\tstatus = nfs4_sp4_select_mode(clp, &resp->state_protect);\n\tif (status != 0)\n\t\tgoto out;\n\n\tdo_renew_lease(clp, now);\n\n\tclp->cl_clientid = resp->clientid;\n\tclp->cl_exchange_flags = resp->flags;\n\tclp->cl_seqid = resp->seqid;\n\t/* Client ID is not confirmed */\n\tif (!(resp->flags & EXCHGID4_FLAG_CONFIRMED_R))\n\t\tclear_bit(NFS4_SESSION_ESTABLISHED,\n\t\t\t &clp->cl_session->session_state);\n\n\tif (clp->cl_serverscope != NULL &&\n\t !nfs41_same_server_scope(clp->cl_serverscope,\n\t\t\t\tresp->server_scope)) {\n\t\tdprintk(\"%s: server_scope mismatch detected\\n\",\n\t\t\t__func__);\n\t\tset_bit(NFS4CLNT_SERVER_SCOPE_MISMATCH, &clp->cl_state);\n\t}\n\n\tswap(clp->cl_serverowner, resp->server_owner);\n\tswap(clp->cl_serverscope, resp->server_scope);\n\tswap(clp->cl_implid, resp->impl_id);\n\n\t/* Save the EXCHANGE_ID verifier session trunk tests */\n\tmemcpy(clp->cl_confirm.data, argp->verifier.data,\n\t sizeof(clp->cl_confirm.data));\nout:\n\ttrace_nfs4_exchange_id(clp, status);\n\trpc_put_task(task);\n\treturn status;\n}", "project": "linux", "hash": 247690289518356938119455013593805885444, "size": 57, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of 
Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430991 }, { "func": "void opj_tcd_makelayer_fixed(opj_tcd_t *tcd, OPJ_UINT32 layno,\n OPJ_UINT32 final)\n{\n OPJ_UINT32 compno, resno, bandno, precno, cblkno;\n OPJ_INT32 value; /*, matrice[tcd_tcp->numlayers][tcd_tile->comps[0].numresolutions][3]; */\n OPJ_INT32 matrice[10][10][3];\n OPJ_UINT32 i, j, k;\n\n opj_cp_t *cp = tcd->cp;\n opj_tcd_tile_t *tcd_tile = tcd->tcd_image->tiles;\n opj_tcp_t *tcd_tcp = tcd->tcp;\n\n for (compno = 0; compno < tcd_tile->numcomps; compno++) {\n opj_tcd_tilecomp_t *tilec = &tcd_tile->comps[compno];\n\n for (i = 0; i < tcd_tcp->numlayers; i++) {\n for (j = 0; j < tilec->numresolutions; j++) {\n for (k = 0; k < 3; k++) {\n matrice[i][j][k] =\n (OPJ_INT32)((OPJ_FLOAT32)cp->m_specific_param.m_enc.m_matrice[i *\n tilec->numresolutions * 3 + j * 3 + k]\n * (OPJ_FLOAT32)(tcd->image->comps[compno].prec / 16.0));\n }\n }\n }\n\n for (resno = 0; resno < tilec->numresolutions; resno++) {\n opj_tcd_resolution_t *res = &tilec->resolutions[resno];\n\n for (bandno = 0; bandno < res->numbands; bandno++) {\n opj_tcd_band_t *band = &res->bands[bandno];\n\n /* Skip empty bands */\n if (opj_tcd_is_band_empty(band)) {\n continue;\n }\n\n for (precno = 0; precno < res->pw * res->ph; precno++) {\n opj_tcd_precinct_t *prc = &band->precincts[precno];\n\n for (cblkno = 0; cblkno < prc->cw * prc->ch; cblkno++) {\n opj_tcd_cblk_enc_t *cblk = &prc->cblks.enc[cblkno];\n opj_tcd_layer_t *layer = &cblk->layers[layno];\n OPJ_UINT32 n;\n OPJ_INT32 imsb = (OPJ_INT32)(tcd->image->comps[compno].prec -\n cblk->numbps); /* number of bit-plan equal to zero */\n\n /* Correction of the matrix of coefficient to include the IMSB information */\n if (layno == 0) {\n value = matrice[layno][resno][bandno];\n if (imsb >= value) {\n value = 0;\n } else {\n value -= imsb;\n }\n } else {\n value = 
matrice[layno][resno][bandno] - matrice[layno - 1][resno][bandno];\n if (imsb >= matrice[layno - 1][resno][bandno]) {\n value -= (imsb - matrice[layno - 1][resno][bandno]);\n if (value < 0) {\n value = 0;\n }\n }\n }\n\n if (layno == 0) {\n cblk->numpassesinlayers = 0;\n }\n\n n = cblk->numpassesinlayers;\n if (cblk->numpassesinlayers == 0) {\n if (value != 0) {\n n = 3 * (OPJ_UINT32)value - 2 + cblk->numpassesinlayers;\n } else {\n n = cblk->numpassesinlayers;\n }\n } else {\n n = 3 * (OPJ_UINT32)value + cblk->numpassesinlayers;\n }\n\n layer->numpasses = n - cblk->numpassesinlayers;\n\n if (!layer->numpasses) {\n continue;\n }\n\n if (cblk->numpassesinlayers == 0) {\n layer->len = cblk->passes[n - 1].rate;\n layer->data = cblk->data;\n } else {\n layer->len = cblk->passes[n - 1].rate - cblk->passes[cblk->numpassesinlayers -\n 1].rate;\n layer->data = cblk->data + cblk->passes[cblk->numpassesinlayers - 1].rate;\n }\n\n if (final) {\n cblk->numpassesinlayers = n;\n }\n }\n }\n }\n }\n }\n}", "project": "openjpeg", "hash": 91749747998771096724756426336707596439, "size": 104, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359166 }, { "func": "static int kvm_device_release(struct inode *inode, struct file *filp)\n{\n\tstruct kvm_device *dev = filp->private_data;\n\tstruct kvm *kvm = dev->kvm;\n\n\tif (dev->ops->release) {\n\t\tmutex_lock(&kvm->lock);\n\t\tlist_del(&dev->vm_node);\n\t\tdev->ops->release(dev);\n\t\tmutex_unlock(&kvm->lock);\n\t}\n\n\tkvm_put_kvm(kvm);\n\treturn 0;\n}", "project": "linux", "hash": 313345246963124166566937448714530032588, "size": 15, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through 
memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354808 }, { "func": "int tracing_is_on(void)\n{\n\treturn tracer_tracing_is_on(&global_trace);\n}", "project": "linux", "hash": 171491713501972965736317142121685592071, "size": 4, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445786 }, { "func": "static int nested_svm_check_exception(struct vcpu_svm *svm, unsigned nr,\n\t\t\t\t bool has_error_code, u32 error_code)\n{\n\tint vmexit;\n\n\tif (!is_guest_mode(&svm->vcpu))\n\t\treturn 0;\n\n\tvmexit = nested_svm_intercept(svm);\n\tif (vmexit != NESTED_EXIT_DONE)\n\t\treturn 0;\n\n\tsvm->vmcb->control.exit_code = SVM_EXIT_EXCP_BASE + nr;\n\tsvm->vmcb->control.exit_code_hi = 0;\n\tsvm->vmcb->control.exit_info_1 = error_code;\n\n\t/*\n\t * EXITINFO2 is undefined for all exception intercepts other\n\t * than #PF.\n\t */\n\tif (svm->vcpu.arch.exception.nested_apf)\n\t\tsvm->vmcb->control.exit_info_2 = svm->vcpu.arch.apf.nested_apf_token;\n\telse if (svm->vcpu.arch.exception.has_payload)\n\t\tsvm->vmcb->control.exit_info_2 = svm->vcpu.arch.exception.payload;\n\telse\n\t\tsvm->vmcb->control.exit_info_2 = svm->vcpu.arch.cr2;\n\n\tsvm->nested.exit_required = true;\n\treturn vmexit;\n}", "project": "linux", "hash": 140380560879637239669275147570862840379, "size": 30, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432552 }, { "func": "static int nested_svm_check_exception(struct vcpu_svm *svm, unsigned nr,\n\t\t\t\t bool has_error_code, u32 error_code)\n{\n\tint vmexit;\n\n\tif (!is_guest_mode(&svm->vcpu))\n\t\treturn 0;\n\n\tsvm->vmcb->control.exit_code = SVM_EXIT_EXCP_BASE + nr;\n\tsvm->vmcb->control.exit_code_hi = 0;\n\tsvm->vmcb->control.exit_info_1 = error_code;\n\tsvm->vmcb->control.exit_info_2 = svm->vcpu.arch.cr2;\n\n\tvmexit = nested_svm_intercept(svm);\n\tif (vmexit == NESTED_EXIT_DONE)\n\t\tsvm->nested.exit_required = true;\n\n\treturn vmexit;\n}", "project": "kvm", "hash": 317253720640967731871460064201345530490, "size": 19, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437566 }, { "func": "int nfs4_proc_get_rootfh(struct nfs_server *server, struct nfs_fh *fhandle,\n\t\t\t struct nfs_fsinfo *info,\n\t\t\t bool auth_probe)\n{\n\tint status = 0;\n\n\tif (!auth_probe)\n\t\tstatus = nfs4_lookup_root(server, fhandle, info);\n\n\tif (auth_probe || status == NFS4ERR_WRONGSEC)\n\t\tstatus = server->nfs_client->cl_mvops->find_root_sec(server,\n\t\t\t\tfhandle, info);\n\n\tif (status == 0)\n\t\tstatus = nfs4_server_capabilities(server, fhandle);\n\tif (status == 0)\n\t\tstatus = nfs4_do_fsinfo(server, fhandle, info);\n\n\treturn nfs4_map_errors(status);\n}", "project": "linux", "hash": 251008087980110551355896470195531700871, "size": 20, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic 
and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431086 }, { "func": "void vma_adjust_trans_huge(struct vm_area_struct *vma,\n\t\t\t unsigned long start,\n\t\t\t unsigned long end,\n\t\t\t long adjust_next)\n{\n\t/*\n\t * If the new start address isn't hpage aligned and it could\n\t * previously contain an hugepage: check if we need to split\n\t * an huge pmd.\n\t */\n\tif (start & ~HPAGE_PMD_MASK &&\n\t (start & HPAGE_PMD_MASK) >= vma->vm_start &&\n\t (start & HPAGE_PMD_MASK) + HPAGE_PMD_SIZE <= vma->vm_end)\n\t\tsplit_huge_pmd_address(vma, start, false, NULL);\n\n\t/*\n\t * If the new end address isn't hpage aligned and it could\n\t * previously contain an hugepage: check if we need to split\n\t * an huge pmd.\n\t */\n\tif (end & ~HPAGE_PMD_MASK &&\n\t (end & HPAGE_PMD_MASK) >= vma->vm_start &&\n\t (end & HPAGE_PMD_MASK) + HPAGE_PMD_SIZE <= vma->vm_end)\n\t\tsplit_huge_pmd_address(vma, end, false, NULL);\n\n\t/*\n\t * If we're also updating the vma->vm_next->vm_start, if the new\n\t * vm_next->vm_start isn't page aligned and it could previously\n\t * contain an hugepage: check if we need to split an huge pmd.\n\t */\n\tif (adjust_next > 0) {\n\t\tstruct vm_area_struct *next = vma->vm_next;\n\t\tunsigned long nstart = next->vm_start;\n\t\tnstart += adjust_next << PAGE_SHIFT;\n\t\tif (nstart & ~HPAGE_PMD_MASK &&\n\t\t (nstart & HPAGE_PMD_MASK) >= next->vm_start &&\n\t\t (nstart & HPAGE_PMD_MASK) + HPAGE_PMD_SIZE <= next->vm_end)\n\t\t\tsplit_huge_pmd_address(next, nstart, false, NULL);\n\t}\n}", "project": "linux", "hash": 220367151543374057732853349720216302417, "size": 40, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", 
"message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. 
Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364158 }, { "func": "int RGWGetObj_ObjStore_S3Website::send_response_data_error()\n{\n return RGWGetObj_ObjStore_S3::send_response_data_error();\n}", "project": "ceph", "hash": 240863971196789128090716305177569311378, "size": 4, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281354 }, { "func": "int RGWGetObj_ObjStore_S3::send_response_data_error()\n{\n bufferlist bl;\n return send_response_data(bl, 0 , 0);\n}", "project": "ceph", "hash": 56622942933862796091596727341407544619, "size": 5, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281391 }, { "func": "int RGWGetObj_ObjStore_SWIFT::send_response_data_error()\n{\n std::string error_content;\n op_ret = error_handler(op_ret, &error_content);\n if (! op_ret) {\n /* The error handler has taken care of the error. 
*/\n return 0;\n }\n\n bufferlist error_bl;\n error_bl.append(error_content);\n return send_response_data(error_bl, 0, error_bl.length());\n}", "project": "ceph", "hash": 133530698448087630576384385439188247544, "size": 13, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448789 }, { "func": "static __always_inline void slab_unlock(struct page *page)\n{\n\tVM_BUG_ON_PAGE(PageTail(page), page);\n\t__bit_spin_unlock(PG_locked, &page->flags);\n}", "project": "linux", "hash": 74716339120672715453809740428406346061, "size": 5, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280073 }, { "func": "static int getPixelFormat(int pixelSize, int flags)\n{\n\tif(pixelSize==1) return TJPF_GRAY;\n\tif(pixelSize==3)\n\t{\n\t\tif(flags&TJ_BGR) return TJPF_BGR;\n\t\telse return TJPF_RGB;\n\t}\n\tif(pixelSize==4)\n\t{\n\t\tif(flags&TJ_ALPHAFIRST)\n\t\t{\n\t\t\tif(flags&TJ_BGR) return TJPF_XBGR;\n\t\t\telse return TJPF_XRGB;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tif(flags&TJ_BGR) return TJPF_BGRX;\n\t\t\telse return TJPF_RGBX;\n\t\t}\n\t}\n\treturn -1;\n}", "project": "libjpeg-turbo", "hash": 77942747971340508096977218260915910819, "size": 23, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... 
when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311093 }, { "func": "static void SFDGetOtfFeatName(FILE *sfd,SplineFont *sf) {\n int ch;\n struct otfname *cur;\n struct otffeatname *fn;\n\n fn = chunkalloc(sizeof(struct otffeatname));\n fn->tag = gettag(sfd);\n for (;;) {\n\twhile ( (ch=nlgetc(sfd))==' ' );\n\tungetc(ch,sfd);\n\tif ( !isdigit(ch))\n break;\n\tcur = chunkalloc(sizeof(struct otfname));\n\tcur->next = fn->names;\n\tfn->names = cur;\n\tgetsint(sfd,(int16 *) &cur->lang);\n\tcur->name = SFDReadUTF7Str(sfd);\n }\n fn->next = sf->feat_names;\n sf->feat_names = fn;\n}", "project": "fontforge", "hash": 185682266311241266330843059915297146923, "size": 21, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417768 }, { "func": "static int fuse_do_readpage(struct file *file, struct page *page)\n{\n\tstruct inode *inode = page->mapping->host;\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tloff_t pos = page_offset(page);\n\tstruct fuse_page_desc desc = { .length = PAGE_SIZE };\n\tstruct fuse_io_args ia = {\n\t\t.ap.args.page_zeroing = true,\n\t\t.ap.args.out_pages = true,\n\t\t.ap.num_pages = 1,\n\t\t.ap.pages = &page,\n\t\t.ap.descs = &desc,\n\t};\n\tssize_t res;\n\tu64 attr_ver;\n\n\t/*\n\t * Page writeback can extend beyond the lifetime of the\n\t * page-cache page, so make sure we read a properly synced\n\t * page.\n\t */\n\tfuse_wait_on_page_writeback(inode, page->index);\n\n\tattr_ver = fuse_get_attr_version(fm->fc);\n\n\t/* Don't overflow 
end offset */\n\tif (pos + (desc.length - 1) == LLONG_MAX)\n\t\tdesc.length--;\n\n\tfuse_read_args_fill(&ia, file, pos, desc.length, FUSE_READ);\n\tres = fuse_simple_request(fm, &ia.ap.args);\n\tif (res < 0)\n\t\treturn res;\n\t/*\n\t * Short read means EOF. If file size is larger, truncate it\n\t */\n\tif (res < desc.length)\n\t\tfuse_short_read(inode, attr_ver, res, &ia.ap);\n\n\tSetPageUptodate(page);\n\n\treturn 0;\n}", "project": "linux", "hash": 255970740077331228978621466548530325276, "size": 43, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342034 }, { "func": "static OPJ_BOOL opj_j2k_pre_write_tile(opj_j2k_t * p_j2k,\n OPJ_UINT32 p_tile_index,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n (void)p_stream;\n if (p_tile_index != p_j2k->m_current_tile_number) {\n opj_event_msg(p_manager, EVT_ERROR, \"The given tile index does not match.\");\n return OPJ_FALSE;\n }\n\n opj_event_msg(p_manager, EVT_INFO, \"tile number %d / %d\\n\",\n p_j2k->m_current_tile_number + 1, p_j2k->m_cp.tw * p_j2k->m_cp.th);\n\n p_j2k->m_specific_param.m_encoder.m_current_tile_part_number = 0;\n p_j2k->m_tcd->cur_totnum_tp = p_j2k->m_cp.tcps[p_tile_index].m_nb_tile_parts;\n p_j2k->m_specific_param.m_encoder.m_current_poc_tile_part_number = 0;\n\n /* initialisation before tile encoding */\n if (! 
opj_tcd_init_encode_tile(p_j2k->m_tcd, p_j2k->m_current_tile_number,\n p_manager)) {\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 13921447667955104358326248691534322213, "size": 26, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357359 }, { "func": "static int __nf_tables_dump_rules(struct sk_buff *skb,\n\t\t\t\t unsigned int *idx,\n\t\t\t\t struct netlink_callback *cb,\n\t\t\t\t const struct nft_table *table,\n\t\t\t\t const struct nft_chain *chain)\n{\n\tstruct net *net = sock_net(skb->sk);\n\tconst struct nft_rule *rule, *prule;\n\tunsigned int s_idx = cb->args[0];\n\n\tprule = NULL;\n\tlist_for_each_entry_rcu(rule, &chain->rules, list) {\n\t\tif (!nft_is_active(net, rule))\n\t\t\tgoto cont_skip;\n\t\tif (*idx < s_idx)\n\t\t\tgoto cont;\n\t\tif (*idx > s_idx) {\n\t\t\tmemset(&cb->args[1], 0,\n\t\t\t\t\tsizeof(cb->args) - sizeof(cb->args[0]));\n\t\t}\n\t\tif (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,\n\t\t\t\t\tcb->nlh->nlmsg_seq,\n\t\t\t\t\tNFT_MSG_NEWRULE,\n\t\t\t\t\tNLM_F_MULTI | NLM_F_APPEND,\n\t\t\t\t\ttable->family,\n\t\t\t\t\ttable, chain, rule, prule) < 0)\n\t\t\treturn 1;\n\n\t\tnl_dump_check_consistent(cb, nlmsg_hdr(skb));\ncont:\n\t\tprule = rule;\ncont_skip:\n\t\t(*idx)++;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 75479852415768518265222098803824920132, "size": 36, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. 
Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328390 }, { "func": "static int imap_mbox_open(struct Mailbox *m)\n{\n if (!m->account || !m->mdata)\n return -1;\n\n char buf[PATH_MAX];\n int count = 0;\n int rc;\n\n struct ImapAccountData *adata = imap_adata_get(m);\n struct ImapMboxData *mdata = imap_mdata_get(m);\n\n mutt_debug(LL_DEBUG3, \"opening %s, saving %s\\n\", m->pathbuf.data,\n (adata->mailbox ? 
adata->mailbox->pathbuf.data : \"(none)\"));\n adata->prev_mailbox = adata->mailbox;\n adata->mailbox = m;\n\n /* clear mailbox status */\n adata->status = 0;\n m->rights = 0;\n mdata->new_mail_count = 0;\n\n if (m->verbose)\n mutt_message(_(\"Selecting %s...\"), mdata->name);\n\n /* pipeline ACL test */\n if (adata->capabilities & IMAP_CAP_ACL)\n {\n snprintf(buf, sizeof(buf), \"MYRIGHTS %s\", mdata->munge_name);\n imap_exec(adata, buf, IMAP_CMD_QUEUE);\n }\n /* assume we have all rights if ACL is unavailable */\n else\n {\n m->rights |= MUTT_ACL_LOOKUP | MUTT_ACL_READ | MUTT_ACL_SEEN | MUTT_ACL_WRITE |\n MUTT_ACL_INSERT | MUTT_ACL_POST | MUTT_ACL_CREATE | MUTT_ACL_DELETE;\n }\n\n /* pipeline the postponed count if possible */\n struct Mailbox *m_postponed = mx_mbox_find2(C_Postponed);\n struct ImapAccountData *postponed_adata = imap_adata_get(m_postponed);\n if (postponed_adata &&\n imap_account_match(&postponed_adata->conn->account, &adata->conn->account))\n {\n imap_mailbox_status(m_postponed, true);\n }\n\n if (C_ImapCheckSubscribed)\n imap_exec(adata, \"LSUB \\\"\\\" \\\"*\\\"\", IMAP_CMD_QUEUE);\n\n imap_mbox_select(m);\n\n do\n {\n char *pc = NULL;\n\n rc = imap_cmd_step(adata);\n if (rc != IMAP_RES_CONTINUE)\n break;\n\n pc = adata->buf + 2;\n\n /* Obtain list of available flags here, may be overridden by a\n * PERMANENTFLAGS tag in the OK response */\n if (mutt_istr_startswith(pc, \"FLAGS\"))\n {\n /* don't override PERMANENTFLAGS */\n if (STAILQ_EMPTY(&mdata->flags))\n {\n mutt_debug(LL_DEBUG3, \"Getting mailbox FLAGS\\n\");\n pc = get_flags(&mdata->flags, pc);\n if (!pc)\n goto fail;\n }\n }\n /* PERMANENTFLAGS are massaged to look like FLAGS, then override FLAGS */\n else if (mutt_istr_startswith(pc, \"OK [PERMANENTFLAGS\"))\n {\n mutt_debug(LL_DEBUG3, \"Getting mailbox PERMANENTFLAGS\\n\");\n /* safe to call on NULL */\n mutt_list_free(&mdata->flags);\n /* skip \"OK [PERMANENT\" so syntax is the same as FLAGS */\n pc += 13;\n pc = 
get_flags(&(mdata->flags), pc);\n if (!pc)\n goto fail;\n }\n /* save UIDVALIDITY for the header cache */\n else if (mutt_istr_startswith(pc, \"OK [UIDVALIDITY\"))\n {\n mutt_debug(LL_DEBUG3, \"Getting mailbox UIDVALIDITY\\n\");\n pc += 3;\n pc = imap_next_word(pc);\n if (mutt_str_atoui(pc, &mdata->uidvalidity) < 0)\n goto fail;\n }\n else if (mutt_istr_startswith(pc, \"OK [UIDNEXT\"))\n {\n mutt_debug(LL_DEBUG3, \"Getting mailbox UIDNEXT\\n\");\n pc += 3;\n pc = imap_next_word(pc);\n if (mutt_str_atoui(pc, &mdata->uid_next) < 0)\n goto fail;\n }\n else if (mutt_istr_startswith(pc, \"OK [HIGHESTMODSEQ\"))\n {\n mutt_debug(LL_DEBUG3, \"Getting mailbox HIGHESTMODSEQ\\n\");\n pc += 3;\n pc = imap_next_word(pc);\n if (mutt_str_atoull(pc, &mdata->modseq) < 0)\n goto fail;\n }\n else if (mutt_istr_startswith(pc, \"OK [NOMODSEQ\"))\n {\n mutt_debug(LL_DEBUG3, \"Mailbox has NOMODSEQ set\\n\");\n mdata->modseq = 0;\n }\n else\n {\n pc = imap_next_word(pc);\n if (mutt_istr_startswith(pc, \"EXISTS\"))\n {\n count = mdata->new_mail_count;\n mdata->new_mail_count = 0;\n }\n }\n } while (rc == IMAP_RES_CONTINUE);\n\n if (rc == IMAP_RES_NO)\n {\n char *s = imap_next_word(adata->buf); /* skip seq */\n s = imap_next_word(s); /* Skip response */\n mutt_error(\"%s\", s);\n goto fail;\n }\n\n if (rc != IMAP_RES_OK)\n goto fail;\n\n /* check for READ-ONLY notification */\n if (mutt_istr_startswith(imap_get_qualifier(adata->buf), \"[READ-ONLY]\") &&\n !(adata->capabilities & IMAP_CAP_ACL))\n {\n mutt_debug(LL_DEBUG2, \"Mailbox is read-only\\n\");\n m->readonly = true;\n }\n\n /* dump the mailbox flags we've found */\n if (C_DebugLevel > LL_DEBUG2)\n {\n if (STAILQ_EMPTY(&mdata->flags))\n mutt_debug(LL_DEBUG3, \"No folder flags found\\n\");\n else\n {\n struct ListNode *np = NULL;\n struct Buffer flag_buffer;\n mutt_buffer_init(&flag_buffer);\n mutt_buffer_printf(&flag_buffer, \"Mailbox flags: \");\n STAILQ_FOREACH(np, &mdata->flags, entries)\n {\n mutt_buffer_add_printf(&flag_buffer, 
\"[%s] \", np->data);\n }\n mutt_debug(LL_DEBUG3, \"%s\\n\", flag_buffer.data);\n FREE(&flag_buffer.data);\n }\n }\n\n if (!((m->rights & MUTT_ACL_DELETE) || (m->rights & MUTT_ACL_SEEN) ||\n (m->rights & MUTT_ACL_WRITE) || (m->rights & MUTT_ACL_INSERT)))\n {\n m->readonly = true;\n }\n\n while (m->email_max < count)\n mx_alloc_memory(m);\n\n m->msg_count = 0;\n m->msg_unread = 0;\n m->msg_flagged = 0;\n m->msg_new = 0;\n m->msg_deleted = 0;\n m->size = 0;\n m->vcount = 0;\n\n if (count && (imap_read_headers(m, 1, count, true) < 0))\n {\n mutt_error(_(\"Error opening mailbox\"));\n goto fail;\n }\n\n mutt_debug(LL_DEBUG2, \"msg_count is %d\\n\", m->msg_count);\n return 0;\n\nfail:\n if (adata->state == IMAP_SELECTED)\n adata->state = IMAP_AUTHENTICATED;\n return -1;\n}", "project": "neomutt", "hash": 41742418481217597908987218732272348768, "size": 198, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357018 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::handleDirtyAudioNodeOutputs()\n{\n ASSERT(isGraphOwner());\n\n for (HashSet::iterator i = m_dirtyAudioNodeOutputs.begin(); i != m_dirtyAudioNodeOutputs.end(); ++i)\n (*i)->updateRenderingState();\n\n m_dirtyAudioNodeOutputs.clear();\n}\n", "cwe": "", "big_vul_idx": 139658, "idx": 124808, "hash": 309034135801541196383080892857029661551 }, { "func": "static void input_repeat_key(struct timer_list *t)\n{\n\tstruct input_dev *dev = from_timer(dev, t, timer);\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&dev->event_lock, flags);\n\n\tif (test_bit(dev->repeat_key, dev->key) &&\n\t is_event_supported(dev->repeat_key, dev->keybit, KEY_MAX)) {\n\t\tstruct input_value vals[] = {\n\t\t\t{ EV_KEY, dev->repeat_key, 2 
},\n\t\t\tinput_value_sync\n\t\t};\n\n\t\tinput_pass_values(dev, vals, ARRAY_SIZE(vals));\n\n\t\tif (dev->rep[REP_PERIOD])\n\t\t\tmod_timer(&dev->timer, jiffies +\n\t\t\t\t\tmsecs_to_jiffies(dev->rep[REP_PERIOD]));\n\t}\n\n\tspin_unlock_irqrestore(&dev->event_lock, flags);\n}", "project": "linux", "hash": 252292139044070722429713976200842724695, "size": 23, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353317 }, { "func": "uint8_t intsetGet(intset *is, uint32_t pos, int64_t *value) {\n if (pos < intrev32ifbe(is->length)) {\n *value = _intsetGet(is,pos);\n return 1;\n }\n return 0;\n}", "project": "redis", "hash": 247170552468099845477105341729613881587, "size": 7, "commit_id": "789f10156009b404950ad717642a9496ed887083", "message": "Fix integer overflow in intset (CVE-2021-29478)\n\nAn integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and\npotentially result with remote code execution.\n\nThe vulnerability involves changing the default set-max-intset-entries\nconfiguration value, creating a large set key that consists of integer values\nand using the COPY command to duplicate it.\n\nThe integer overflow bug exists in all versions of Redis starting with 2.6,\nwhere it could result with a corrupted RDB or DUMP payload, but not exploited\nthrough COPY (which did not exist before 6.2).\n\n(cherry picked from commit 
29900d4e6bccdf3691bedf0ea9a5d84863fa3592)", "target": 0, "dataset": "other", "idx": 290638 }, { "func": "int blosc_compress(int clevel, int doshuffle, size_t typesize, size_t nbytes,\n const void* src, void* dest, size_t destsize) {\n return blosc2_compress(clevel, doshuffle, (int32_t)typesize, src, (int32_t)nbytes, dest, (int32_t)destsize);\n}", "project": "c-blosc2", "hash": 73411895441779550096199647632995788911, "size": 4, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303113 }, { "func": "static bool get_pcre_fullinfo(pcre_cache_entry* pce) {\n pcre_extra extra;\n init_local_extra(&extra, pce->extra);\n\n /* Calculate the size of the offsets array*/\n int rc = pcre_fullinfo(pce->re, &extra, PCRE_INFO_CAPTURECOUNT,\n &pce->num_subpats);\n if (rc < 0) {\n raise_warning(\"Internal pcre_fullinfo() error %d\", rc);\n return false;\n }\n pce->num_subpats++;\n return true;\n}", "project": "hhvm", "hash": 261733128260988769290900077885034481513, "size": 14, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219258 }, { "func": "int pfkey_sadb_addr2xfrm_addr(const struct sadb_address *addr, xfrm_address_t *xaddr)\n{\n\treturn pfkey_sockaddr_extract((struct sockaddr *)(addr + 1),\n\t\t\t\t xaddr);\n}", "project": "linux", "hash": 195349453771894227308245326017074041442, "size": 5, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 
2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268010 }, { "func": "string_open_failed(int eno, char *format, ...)\n{\nva_list ap;\nuschar buffer[1024];\n\nUstrcpy(buffer, \"failed to open \");\nva_start(ap, format);\n\n/* Use the checked formatting routine to ensure that the buffer\ndoes not overflow. It should not, since this is called only for internally\nspecified messages. If it does, the message just gets truncated, and there\ndoesn't seem much we can do about that. */\n\n(void)string_vformat(buffer+15, sizeof(buffer) - 15, format, ap);\n\nreturn (eno == EACCES)?\n string_sprintf(\"%s: %s (euid=%ld egid=%ld)\", buffer, strerror(eno),\n (long int)geteuid(), (long int)getegid()) :\n string_sprintf(\"%s: %s\", buffer, strerror(eno));\n}", "project": "exim", "hash": 304626116731249625123367762987803296915, "size": 20, "commit_id": "24c929a27415c7cfc7126c47e4cad39acf3efa6b", "message": "Buffer overrun fix. 
fixes: bug #787", "target": 0, "dataset": "other", "idx": 301225 }, { "func": "static int openssl_x509v3_subjectAltName(BIO *bio, X509_EXTENSION *extension)\n{\n\tGENERAL_NAMES *names;\n\tconst X509V3_EXT_METHOD *method = NULL;\n\tASN1_OCTET_STRING *extension_data;\n\tlong i, length, num;\n\tconst unsigned char *p;\n\n\tmethod = X509V3_EXT_get(extension);\n\tif (method == NULL) {\n\t\treturn -1;\n\t}\n\n\textension_data = X509_EXTENSION_get_data(extension);\n\tp = extension_data->data;\n\tlength = extension_data->length;\n\tif (method->it) {\n\t\tnames = (GENERAL_NAMES*) (ASN1_item_d2i(NULL, &p, length,\n\t\t\tASN1_ITEM_ptr(method->it)));\n\t} else {\n\t\tnames = (GENERAL_NAMES*) (method->d2i(NULL, &p, length));\n\t}\n\tif (names == NULL) {\n\t\tphp_openssl_store_errors();\n\t\treturn -1;\n\t}\n\n\tnum = sk_GENERAL_NAME_num(names);\n\tfor (i = 0; i < num; i++) {\n\t\tGENERAL_NAME *name;\n\t\tASN1_STRING *as;\n\t\tname = sk_GENERAL_NAME_value(names, i);\n\t\tswitch (name->type) {\n\t\t\tcase GEN_EMAIL:\n\t\t\t\tBIO_puts(bio, \"email:\");\n\t\t\t\tas = name->d.rfc822Name;\n\t\t\t\tBIO_write(bio, ASN1_STRING_get0_data(as),\n\t\t\t\t\tASN1_STRING_length(as));\n\t\t\t\tbreak;\n\t\t\tcase GEN_DNS:\n\t\t\t\tBIO_puts(bio, \"DNS:\");\n\t\t\t\tas = name->d.dNSName;\n\t\t\t\tBIO_write(bio, ASN1_STRING_get0_data(as),\n\t\t\t\t\tASN1_STRING_length(as));\n\t\t\t\tbreak;\n\t\t\tcase GEN_URI:\n\t\t\t\tBIO_puts(bio, \"URI:\");\n\t\t\t\tas = name->d.uniformResourceIdentifier;\n\t\t\t\tBIO_write(bio, ASN1_STRING_get0_data(as),\n\t\t\t\t\tASN1_STRING_length(as));\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\t/* use builtin print for GEN_OTHERNAME, GEN_X400,\n\t\t\t\t * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID\n\t\t\t\t */\n\t\t\t\tGENERAL_NAME_print(bio, name);\n\t\t\t}\n\t\t\t/* trailing ', ' except for last element */\n\t\t\tif (i < (num - 1)) {\n\t\t\t\tBIO_puts(bio, \", \");\n\t\t\t}\n\t}\n\tsk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);\n\n\treturn 0;\n}", "project": 
"php-src", "hash": 149545759224273965654753694004378196559, "size": 66, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291409 }, { "func": "void hamming(float *w, int N)\r\n{\r\n for (int i = 0; i < N; i++)\r\n {\r\n w[i] = (float)(0.54 - 0.46 * cos(TWOPI * i / (N - 1)));\r\n }\r\n\r\n}\r", "project": "soundtouch", "hash": 271250469061164163764189394232034713788, "size": 8, "commit_id": "a1c400eb2cff849c0e5f9d6916d69ffea3ad2c85", "message": "Fix issue CVE-2018-17096: Replace assert with runtime exception", "target": 0, "dataset": "other", "idx": 368105 }, { "func": "static bool _php_image_convert(const String& f_org, const String& f_dest,\n int dest_height, int dest_width,\n int threshold, int image_type) {\n gdImagePtr im_org, im_dest, im_tmp;\n req::ptr org_file, dest_file;\n FILE *org, *dest;\n int org_height, org_width;\n int white, black;\n int color, color_org, median;\n int x, y;\n float x_ratio, y_ratio;\n#ifdef HAVE_GD_JPG\n // long ignore_warning;\n#endif\n\n /* Check threshold value */\n if (threshold < 0 || threshold > 8) {\n raise_warning(\"Invalid threshold value '%d'\", threshold);\n return false;\n }\n\n /* Open origin file */\n org_file = php_open_plain_file(f_org, \"rb\", &org);\n if (!org_file) {\n return false;\n }\n\n /* Open destination file */\n dest_file = php_open_plain_file(f_dest, \"wb\", &dest);\n if (!dest_file) {\n return false;\n }\n\n switch (image_type) {\n case PHP_GDIMG_TYPE_GIF:\n im_org = gdImageCreateFromGif(org);\n if (im_org == nullptr) {\n raise_warning(\"Unable to open '%s' Not a valid GIF file\",\n f_org.c_str());\n return false;\n }\n break;\n\n#ifdef HAVE_GD_JPG\n case PHP_GDIMG_TYPE_JPG:\n im_org = gdImageCreateFromJpeg(org);\n if (im_org == nullptr) {\n raise_warning(\"Unable to open '%s' Not a valid JPEG file\",\n f_org.c_str());\n return false;\n }\n break;\n#endif /* 
HAVE_GD_JPG */\n\n\n#ifdef HAVE_GD_PNG\n case PHP_GDIMG_TYPE_PNG:\n im_org = gdImageCreateFromPng(org);\n if (im_org == nullptr) {\n raise_warning(\"Unable to open '%s' Not a valid PNG file\",\n f_org.c_str());\n return false;\n }\n break;\n#endif /* HAVE_GD_PNG */\n\n#ifdef HAVE_LIBVPX\n case PHP_GDIMG_TYPE_WEBP:\n im_org = gdImageCreateFromWebp(org);\n if (im_org == nullptr) {\n raise_warning(\"Unable to open '%s' Not a valid webp file\",\n f_org.c_str());\n return false;\n }\n break;\n#endif /* HAVE_LIBVPX */\n\n default:\n raise_warning(\"Format not supported\");\n return false;\n }\n\n org_width = gdImageSX (im_org);\n org_height = gdImageSY (im_org);\n\n x_ratio = (float) org_width / (float) dest_width;\n y_ratio = (float) org_height / (float) dest_height;\n\n if (x_ratio > 1 && y_ratio > 1) {\n if (y_ratio > x_ratio) {\n x_ratio = y_ratio;\n } else {\n y_ratio = x_ratio;\n }\n dest_width = (int) (org_width / x_ratio);\n dest_height = (int) (org_height / y_ratio);\n } else {\n x_ratio = (float) dest_width / (float) org_width;\n y_ratio = (float) dest_height / (float) org_height;\n\n if (y_ratio < x_ratio) {\n x_ratio = y_ratio;\n } else {\n y_ratio = x_ratio;\n }\n dest_width = (int) (org_width * x_ratio);\n dest_height = (int) (org_height * y_ratio);\n }\n\n im_tmp = gdImageCreate (dest_width, dest_height);\n if (im_tmp == nullptr) {\n raise_warning(\"Unable to allocate temporary buffer\");\n return false;\n }\n\n gdImageCopyResized (im_tmp, im_org, 0, 0, 0, 0,\n dest_width, dest_height, org_width, org_height);\n\n gdImageDestroy(im_org);\n\n org_file->close();\n\n im_dest = gdImageCreate(dest_width, dest_height);\n if (im_dest == nullptr) {\n raise_warning(\"Unable to allocate destination buffer\");\n return false;\n }\n\n white = gdImageColorAllocate(im_dest, 255, 255, 255);\n if (white == -1) {\n raise_warning(\"Unable to allocate the colors for \"\n \"the destination buffer\");\n return false;\n }\n\n black = gdImageColorAllocate(im_dest, 0, 0, 0);\n if 
(black == -1) {\n raise_warning(\"Unable to allocate the colors for \"\n \"the destination buffer\");\n return false;\n }\n\n threshold = threshold * 32;\n\n for (y = 0; y < dest_height; y++) {\n for (x = 0; x < dest_width; x++) {\n color_org = gdImageGetPixel (im_tmp, x, y);\n median = (im_tmp->red[color_org] +\n im_tmp->green[color_org] +\n im_tmp->blue[color_org]) / 3;\n if (median < threshold) {\n color = black;\n } else {\n color = white;\n }\n gdImageSetPixel(im_dest, x, y, color);\n }\n }\n\n gdImageDestroy(im_tmp);\n\n gdImageWBMP(im_dest, black , dest);\n\n fflush(dest);\n dest_file->close();\n\n gdImageDestroy(im_dest);\n\n return true;\n}", "project": "hhvm", "hash": 117239297049484162585324443889325390654, "size": 170, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219106 }, { "func": "static int SLContains(struct script_record *sr, uint32 script, uint32 lang) {\n int i, j;\n\n if ( script==DEFAULT_SCRIPT || script == 0 )\nreturn( true );\n for ( i=0; sr[i].script!=0; ++i ) {\n\tif ( sr[i].script==script ) {\n\t if ( lang==0 )\nreturn( true );\n\t for ( j=0; sr[i].langs[j]!=0; ++j )\n\t\tif ( sr[i].langs[j]==lang )\nreturn( true );\n\nreturn( false );\t/* this script entry didn't contain the language. 
won't be any other scripts to check */\n\t}\n }\nreturn( false );\t/* Never found script */\n}", "project": "fontforge", "hash": 255894083555114231224506188661233517787, "size": 18, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417793 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "JNIEXPORT jlong JNICALL Java_edu_berkeley_cs_rise_opaque_execution_SGXEnclave_StartEnclave(\n JNIEnv *env, jobject obj, jstring library_path) {\n (void)env;\n (void)obj;\n\n env->GetJavaVM(&jvm);\n\n sgx_enclave_id_t eid;\n sgx_launch_token_t token = {0};\n int updated = 0;\n\n const char *library_path_str = env->GetStringUTFChars(library_path, nullptr);\n sgx_check(\"StartEnclave\",\n sgx_create_enclave(\n library_path_str, SGX_DEBUG_FLAG, &token, &updated, &eid, nullptr));\n env->ReleaseStringUTFChars(library_path, library_path_str);\n\n return eid;\n}", "idx": 519079, "cwe": "CWE-787", "hash": 233245978054944448753194087186337875730, "dataset": "other" }, { "func": "int usb_host_device_close(const char *devname)\n{\n char product_name[PRODUCT_NAME_SZ];\n int bus_num, addr;\n USBHostDevice *s;\n\n if (strstr(devname, \"auto:\"))\n return usb_host_auto_del(devname);\n\n if (usb_host_find_device(&bus_num, &addr, product_name, sizeof(product_name),\n devname) < 0)\n return -1;\n \n s = hostdev_find(bus_num, addr);\n if (s) {\n usb_device_del_addr(0, s->dev.addr);\n return 0;\n }\n\n return -1;\n}", "project": "qemu", "hash": 165175200913276732170614044717768585303, "size": 21, "commit_id": 
"babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346292 }, { "func": "static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev,\n\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x No of Adv sets %u\", hdev->name, rp->status,\n\t rp->num_of_sets);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->le_num_of_adv_sets = rp->num_of_sets;\n}", "project": "linux", "hash": 55952040578314342401436958216812152257, "size": 13, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431884 }, { "func": "int hci_req_sync(struct hci_dev *hdev, int (*req)(struct hci_request *req,\n\t\t\t\t\t\t unsigned long opt),\n\t\t unsigned long opt, u32 timeout, u8 *hci_status)\n{\n\tint ret;\n\n\tif (!test_bit(HCI_UP, &hdev->flags))\n\t\treturn -ENETDOWN;\n\n\t/* Serialize all requests */\n\thci_req_sync_lock(hdev);\n\tret = __hci_req_sync(hdev, req, opt, timeout, hci_status);\n\thci_req_sync_unlock(hdev);\n\n\treturn ret;\n}", "project": "linux", "hash": 119058947373563095041334918661267933841, "size": 16, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 1, "dataset": "other", "idx": 207859 }, { "func": "int hci_req_sync(struct hci_dev *hdev, int (*req)(struct hci_request *req,\n\t\t\t\t\t\t unsigned long opt),\n\t\t unsigned long opt, u32 timeout, u8 *hci_status)\n{\n\tint ret;\n\n\t/* Serialize all requests */\n\thci_req_sync_lock(hdev);\n\t/* check the state after obtaing the lock to protect the HCI_UP\n\t * against any races from hci_dev_do_close when the controller\n\t * gets removed.\n\t */\n\tif (test_bit(HCI_UP, &hdev->flags))\n\t\tret = __hci_req_sync(hdev, req, opt, timeout, hci_status);\n\telse\n\t\tret = -ENETDOWN;\n\thci_req_sync_unlock(hdev);\n\n\treturn ret;\n}", "project": "linux", "hash": 18084705760266005754007910834066501149, "size": 20, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402494 }, { "func": " bool str_eq(const String *value,\n const String *other, CHARSET_INFO *cs, bool binary_cmp) const\n {\n return binary_cmp ?\n value->bin_eq(other) :\n collation.collation == cs && value->eq(other, collation.collation);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 11161653765615078301378379130209078544, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509041 }, { "func": " bool str_eq(const String *value, const Item *item, bool binary_cmp) const\n {\n DBUG_ASSERT(is_basic_value(STRING_ITEM));\n return is_basic_value(item, STRING_ITEM) &&\n str_eq(value, ((Item_basic_value*)item)->val_str(NULL),\n item->collation.collation, binary_cmp);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 7545958521454363220381490801298480432, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509337 }, { "func": "static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)\n{\n\tstruct net *net = sock_net(sk);\n\tstruct km_event c;\n\tint err, err2;\n\n\terr = xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, true);\n\terr2 = unicast_flush_resp(sk, hdr);\n\tif (err || err2) {\n\t\tif (err == -ESRCH) /* empty table - old silent behavior */\n\t\t\treturn 0;\n\t\treturn err;\n\t}\n\n\tc.data.type = XFRM_POLICY_TYPE_MAIN;\n\tc.event = XFRM_MSG_FLUSHPOLICY;\n\tc.portid = hdr->sadb_msg_pid;\n\tc.seq = hdr->sadb_msg_seq;\n\tc.net = net;\n\tkm_policy_notify(NULL, 0, &c);\n\n\treturn 0;\n}", "project": "linux", "hash": 219127269682534682578142564729828097918, "size": 23, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268042 }, { "func": "static int test_toggle_sync(struct usbtest_dev *tdev, int ep, struct urb *urb)\n{\n\tint\tretval;\n\n\t/* clear initial data toggle to DATA0 */\n\tretval = usb_clear_halt(urb->dev, urb->pipe);\n\tif (retval < 0) {\n\t\tERROR(tdev, \"ep %02x couldn't clear halt, %d\\n\", ep, retval);\n\t\treturn retval;\n\t}\n\n\t/* transfer 3 data packets, should be DATA0, DATA1, DATA0 */\n\tretval = simple_io(tdev, urb, 1, 0, 0, __func__);\n\tif (retval != 0)\n\t\treturn -EINVAL;\n\n\t/* clear halt resets device side data toggle, host should react to it */\n\tretval = usb_clear_halt(urb->dev, urb->pipe);\n\tif (retval < 0) {\n\t\tERROR(tdev, \"ep %02x couldn't clear halt, %d\\n\", ep, retval);\n\t\treturn retval;\n\t}\n\n\t/* host should use DATA0 again after clear halt */\n\tretval = simple_io(tdev, urb, 1, 0, 0, __func__);\n\n\treturn retval;\n}", "project": "linux", "hash": 116317110420807282734762072596545566411, "size": 28, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 
mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412288 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "void WebGraphicsContext3DDefaultImpl::resolveMultisampledFramebuffer(unsigned x, unsigned y, unsigned width, unsigned height)\n{\n if (m_attributes.antialias) {\n bool mustRestoreFBO = (m_boundFBO != m_multisampleFBO);\n glBindFramebufferEXT(GL_READ_FRAMEBUFFER_EXT, m_multisampleFBO);\n glBindFramebufferEXT(GL_DRAW_FRAMEBUFFER_EXT, m_fbo);\n glBlitFramebufferEXT(x, y, x + width, y + height, x, y, x + 
width, y + height, GL_COLOR_BUFFER_BIT, GL_LINEAR);\n if (mustRestoreFBO)\n glBindFramebufferEXT(GL_FRAMEBUFFER_EXT, m_boundFBO);\n }\n}\n", "cwe": "", "big_vul_idx": 99021, "idx": 89076, "hash": 113376297903825920267475609246599958573 }, { "func": "static void nfs4_reclaim_complete_done(struct rpc_task *task, void *data)\n{\n\tstruct nfs4_reclaim_complete_data *calldata = data;\n\tstruct nfs_client *clp = calldata->clp;\n\tstruct nfs4_sequence_res *res = &calldata->res.seq_res;\n\n\tdprintk(\"--> %s\\n\", __func__);\n\tif (!nfs41_sequence_done(task, res))\n\t\treturn;\n\n\ttrace_nfs4_reclaim_complete(clp, task->tk_status);\n\tif (nfs41_reclaim_complete_handle_errors(task, clp) == -EAGAIN) {\n\t\trpc_restart_call_prepare(task);\n\t\treturn;\n\t}\n\tdprintk(\"<-- %s\\n\", __func__);\n}", "project": "linux", "hash": 170163071590648954154472013852486647037, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431387 }, { "func": "static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)\n{\n\tstruct hci_cp_setup_sync_conn *cp;\n\tstruct hci_conn *acl, *sco;\n\t__u16 handle;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (!status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);\n\tif (!cp)\n\t\treturn;\n\n\thandle = __le16_to_cpu(cp->handle);\n\n\tBT_DBG(\"%s handle 0x%4.4x\", hdev->name, handle);\n\n\thci_dev_lock(hdev);\n\n\tacl = hci_conn_hash_lookup_handle(hdev, handle);\n\tif (acl) {\n\t\tsco = acl->link;\n\t\tif (sco) {\n\t\t\tsco->state = BT_CLOSED;\n\n\t\t\thci_connect_cfm(sco, 
status);\n\t\t\thci_conn_del(sco);\n\t\t}\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 8607335660088189365485104944056202814, "size": 34, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431976 }, { "func": "UnicodeStringTest::TestStringEnumeration() {\n UnicodeString s;\n TestEnumeration ten;\n int32_t i, length;\n UErrorCode status;\n\n const UChar *pu;\n const char *pc;\n\n // test the next() default implementation and ensureCharsCapacity()\n for(i=0; ictx;\n\tu64 sqe_addr = req->cancel.addr;\n\tstruct io_tctx_node *node;\n\tint ret;\n\n\t/* tasks should wait for their io-wq threads, so safe w/o sync */\n\tret = io_async_cancel_one(req->task->io_uring, sqe_addr, ctx);\n\tspin_lock_irq(&ctx->completion_lock);\n\tif (ret != -ENOENT)\n\t\tgoto done;\n\tret = io_timeout_cancel(ctx, sqe_addr);\n\tif (ret != -ENOENT)\n\t\tgoto done;\n\tret = io_poll_cancel(ctx, sqe_addr, false);\n\tif (ret != -ENOENT)\n\t\tgoto done;\n\tspin_unlock_irq(&ctx->completion_lock);\n\n\t/* slow path, try all io-wq's */\n\tio_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK));\n\tret = -ENOENT;\n\tlist_for_each_entry(node, &ctx->tctx_list, ctx_node) {\n\t\tstruct io_uring_task *tctx = node->task->io_uring;\n\n\t\tret = io_async_cancel_one(tctx, req->cancel.addr, ctx);\n\t\tif (ret != -ENOENT)\n\t\t\tbreak;\n\t}\n\tio_ring_submit_unlock(ctx, !(issue_flags & 
IO_URING_F_NONBLOCK));\n\n\tspin_lock_irq(&ctx->completion_lock);\ndone:\n\tio_cqring_fill_event(ctx, req->user_data, ret, 0);\n\tio_commit_cqring(ctx);\n\tspin_unlock_irq(&ctx->completion_lock);\n\tio_cqring_ev_posted(ctx);\n\n\tif (ret < 0)\n\t\treq_set_fail_links(req);\n\tio_put_req(req);\n\treturn 0;", "project": "linux", "hash": 260428136606303221429530974302847604044, "size": 44, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338565 }, { "func": "static int sctp_getsockopt_rtoinfo(struct sock *sk, int len,\n\t\t\t\tchar __user *optval,\n\t\t\t\tint __user *optlen) {\n\tstruct sctp_rtoinfo rtoinfo;\n\tstruct sctp_association *asoc;\n\n\tif (len < sizeof (struct sctp_rtoinfo))\n\t\treturn -EINVAL;\n\n\tlen = sizeof(struct sctp_rtoinfo);\n\n\tif (copy_from_user(&rtoinfo, optval, len))\n\t\treturn -EFAULT;\n\n\tasoc = sctp_id2assoc(sk, rtoinfo.srto_assoc_id);\n\n\tif (!asoc && rtoinfo.srto_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\t/* Values corresponding to the specific association. 
*/\n\tif (asoc) {\n\t\trtoinfo.srto_initial = jiffies_to_msecs(asoc->rto_initial);\n\t\trtoinfo.srto_max = jiffies_to_msecs(asoc->rto_max);\n\t\trtoinfo.srto_min = jiffies_to_msecs(asoc->rto_min);\n\t} else {\n\t\t/* Values corresponding to the endpoint. */\n\t\tstruct sctp_sock *sp = sctp_sk(sk);\n\n\t\trtoinfo.srto_initial = sp->rtoinfo.srto_initial;\n\t\trtoinfo.srto_max = sp->rtoinfo.srto_max;\n\t\trtoinfo.srto_min = sp->rtoinfo.srto_min;\n\t}\n\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\n\tif (copy_to_user(optval, &rtoinfo, len))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 117240380800308005547892782060302128902, "size": 42, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398145 }, { "func": "int phar_tar_flush(phar_archive_data *phar, char *user_stub, long len, int defaultstub, char **error TSRMLS_DC) /* {{{ */\n{\n\tphar_entry_info entry = {0};\n\tstatic const char newstub[] = \"is_persistent) {\n\t\tif (error) {\n\t\t\tspprintf(error, 0, \"internal error: attempt to flush cached tar-based phar \\\"%s\\\"\", phar->fname);\n\t\t}\n\t\treturn EOF;\n\t}\n\n\tif (phar->is_data) {\n\t\tgoto nostub;\n\t}\n\n\t/* set alias */\n\tif (!phar->is_temporary_alias && phar->alias_len) {\n\t\tentry.filename = estrndup(\".phar/alias.txt\", sizeof(\".phar/alias.txt\")-1);\n\t\tentry.filename_len = sizeof(\".phar/alias.txt\")-1;\n\t\tentry.fp = php_stream_fopen_tmpfile();\n\t\tif (entry.fp == NULL) {\n\t\t\tspprintf(error, 0, \"phar error: unable to create temporary file\");\n\t\t\treturn -1;\n\t\t}\n\t\tif (phar->alias_len != (int)php_stream_write(entry.fp, phar->alias, phar->alias_len)) {\n\t\t\tif (error) {\n\t\t\t\tspprintf(error, 0, \"unable to set alias in tar-based phar \\\"%s\\\"\", phar->fname);\n\t\t\t}\n\t\t\treturn EOF;\n\t\t}\n\n\t\tentry.uncompressed_filesize = phar->alias_len;\n\n\t\tif (SUCCESS != zend_hash_update(&phar->manifest, entry.filename, entry.filename_len, (void*)&entry, sizeof(phar_entry_info), NULL)) {\n\t\t\tif (error) {\n\t\t\t\tspprintf(error, 0, \"unable to set alias in tar-based phar \\\"%s\\\"\", phar->fname);\n\t\t\t}\n\t\t\treturn EOF;\n\t\t}\n\t} else {\n\t\tzend_hash_del(&phar->manifest, \".phar/alias.txt\", sizeof(\".phar/alias.txt\")-1);\n\t}\n\n\t/* set stub */\n\tif (user_stub && !defaultstub) {\n\t\tchar *pos;\n\t\tif (len < 0) {\n\t\t\t/* resource passed in */\n\t\t\tif (!(php_stream_from_zval_no_verify(stubfile, (zval **)user_stub))) {\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 0, \"unable to access resource to copy stub to new tar-based phar \\\"%s\\\"\", phar->fname);\n\t\t\t\t}\n\t\t\t\treturn EOF;\n\t\t\t}\n\t\t\tif (len == -1) {\n\t\t\t\tlen = 
PHP_STREAM_COPY_ALL;\n\t\t\t} else {\n\t\t\t\tlen = -len;\n\t\t\t}\n\t\t\tuser_stub = 0;\n\n\t\t\tif (!(len = php_stream_copy_to_mem(stubfile, &user_stub, len, 0)) || !user_stub) {\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 0, \"unable to read resource to copy stub to new tar-based phar \\\"%s\\\"\", phar->fname);\n\t\t\t\t}\n\t\t\t\treturn EOF;\n\t\t\t}\n\t\t\tfree_user_stub = 1;\n\t\t} else {\n\t\t\tfree_user_stub = 0;\n\t\t}\n\n\t\ttmp = estrndup(user_stub, len);\n\t\tif ((pos = php_stristr(tmp, halt_stub, len, sizeof(halt_stub) - 1)) == NULL) {\n\t\t\tefree(tmp);\n\t\t\tif (error) {\n\t\t\t\tspprintf(error, 0, \"illegal stub for tar-based phar \\\"%s\\\"\", phar->fname);\n\t\t\t}\n\t\t\tif (free_user_stub) {\n\t\t\t\tefree(user_stub);\n\t\t\t}\n\t\t\treturn EOF;\n\t\t}\n\t\tpos = user_stub + (pos - tmp);\n\t\tefree(tmp);\n\n\t\tlen = pos - user_stub + 18;\n\t\tentry.fp = php_stream_fopen_tmpfile();\n\t\tif (entry.fp == NULL) {\n\t\t\tspprintf(error, 0, \"phar error: unable to create temporary file\");\n\t\t\treturn EOF;\n\t\t}\n\t\tentry.uncompressed_filesize = len + 5;\n\n\t\tif ((size_t)len != php_stream_write(entry.fp, user_stub, len)\n\t\t|| 5 != php_stream_write(entry.fp, \" ?>\\r\\n\", 5)) {\n\t\t\tif (error) {\n\t\t\t\tspprintf(error, 0, \"unable to create stub from string in new tar-based phar \\\"%s\\\"\", phar->fname);\n\t\t\t}\n\t\t\tif (free_user_stub) {\n\t\t\t\tefree(user_stub);\n\t\t\t}\n\t\t\tphp_stream_close(entry.fp);\n\t\t\treturn EOF;\n\t\t}\n\n\t\tentry.filename = estrndup(\".phar/stub.php\", sizeof(\".phar/stub.php\")-1);\n\t\tentry.filename_len = sizeof(\".phar/stub.php\")-1;\n\t\tzend_hash_update(&phar->manifest, entry.filename, entry.filename_len, (void*)&entry, sizeof(phar_entry_info), NULL);\n\n\t\tif (free_user_stub) {\n\t\t\tefree(user_stub);\n\t\t}\n\t} else {\n\t\t/* Either this is a brand new phar (add the stub), or the default stub is required (overwrite the stub) */\n\t\tentry.fp = php_stream_fopen_tmpfile();\n\t\tif 
(entry.fp == NULL) {\n\t\t\tspprintf(error, 0, \"phar error: unable to create temporary file\");\n\t\t\treturn EOF;\n\t\t}\n\t\tif (sizeof(newstub)-1 != php_stream_write(entry.fp, newstub, sizeof(newstub)-1)) {\n\t\t\tphp_stream_close(entry.fp);\n\t\t\tif (error) {\n\t\t\t\tspprintf(error, 0, \"unable to %s stub in%star-based phar \\\"%s\\\", failed\", user_stub ? \"overwrite\" : \"create\", user_stub ? \" \" : \" new \", phar->fname);\n\t\t\t}\n\t\t\treturn EOF;\n\t\t}\n\n\t\tentry.uncompressed_filesize = entry.compressed_filesize = sizeof(newstub) - 1;\n\t\tentry.filename = estrndup(\".phar/stub.php\", sizeof(\".phar/stub.php\")-1);\n\t\tentry.filename_len = sizeof(\".phar/stub.php\")-1;\n\n\t\tif (!defaultstub) {\n\t\t\tif (!zend_hash_exists(&phar->manifest, \".phar/stub.php\", sizeof(\".phar/stub.php\")-1)) {\n\t\t\t\tif (SUCCESS != zend_hash_add(&phar->manifest, entry.filename, entry.filename_len, (void*)&entry, sizeof(phar_entry_info), NULL)) {\n\t\t\t\t\tphp_stream_close(entry.fp);\n\t\t\t\t\tefree(entry.filename);\n\t\t\t\t\tif (error) {\n\t\t\t\t\t\tspprintf(error, 0, \"unable to create stub in tar-based phar \\\"%s\\\"\", phar->fname);\n\t\t\t\t\t}\n\t\t\t\t\treturn EOF;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tphp_stream_close(entry.fp);\n\t\t\t\tefree(entry.filename);\n\t\t\t}\n\t\t} else {\n\t\t\tif (SUCCESS != zend_hash_update(&phar->manifest, entry.filename, entry.filename_len, (void*)&entry, sizeof(phar_entry_info), NULL)) {\n\t\t\t\tphp_stream_close(entry.fp);\n\t\t\t\tefree(entry.filename);\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 0, \"unable to overwrite stub in tar-based phar \\\"%s\\\"\", phar->fname);\n\t\t\t\t}\n\t\t\t\treturn EOF;\n\t\t\t}\n\t\t}\n\t}\nnostub:\n\tif (phar->fp && !phar->is_brandnew) {\n\t\toldfile = phar->fp;\n\t\tcloseoldfile = 0;\n\t\tphp_stream_rewind(oldfile);\n\t} else {\n\t\toldfile = php_stream_open_wrapper(phar->fname, \"rb\", 0, NULL);\n\t\tcloseoldfile = oldfile != NULL;\n\t}\n\n\tnewfile = 
php_stream_fopen_tmpfile();\n\tif (!newfile) {\n\t\tif (error) {\n\t\t\tspprintf(error, 0, \"unable to create temporary file\");\n\t\t}\n\t\tif (closeoldfile) {\n\t\t\tphp_stream_close(oldfile);\n\t\t}\n\t\treturn EOF;\n\t}\n\n\tpass.old = oldfile;\n\tpass.new = newfile;\n\tpass.error = error;\n\tpass.free_fp = 1;\n\tpass.free_ufp = 1;\n\n\tif (phar->metadata) {\n\t\tphar_entry_info *mentry;\n\t\tif (SUCCESS == zend_hash_find(&(phar->manifest), \".phar/.metadata.bin\", sizeof(\".phar/.metadata.bin\")-1, (void **)&mentry)) {\n\t\t\tif (ZEND_HASH_APPLY_KEEP != phar_tar_setmetadata(phar->metadata, mentry, error TSRMLS_CC)) {\n\t\t\t\tif (closeoldfile) {\n\t\t\t\t\tphp_stream_close(oldfile);\n\t\t\t\t}\n\t\t\t\treturn EOF;\n\t\t\t}\n\t\t} else {\n\t\t\tphar_entry_info newentry = {0};\n\n\t\t\tnewentry.filename = estrndup(\".phar/.metadata.bin\", sizeof(\".phar/.metadata.bin\")-1);\n\t\t\tnewentry.filename_len = sizeof(\".phar/.metadata.bin\")-1;\n\t\t\tnewentry.phar = phar;\n\t\t\tnewentry.tar_type = TAR_FILE;\n\t\t\tnewentry.is_tar = 1;\n\n\t\t\tif (SUCCESS != zend_hash_add(&(phar->manifest), \".phar/.metadata.bin\", sizeof(\".phar/.metadata.bin\")-1, (void *)&newentry, sizeof(phar_entry_info), (void **)&mentry)) {\n\t\t\t\tspprintf(error, 0, \"phar tar error: unable to add magic metadata file to manifest for phar archive \\\"%s\\\"\", phar->fname);\n\t\t\t\tif (closeoldfile) {\n\t\t\t\t\tphp_stream_close(oldfile);\n\t\t\t\t}\n\t\t\t\treturn EOF;\n\t\t\t}\n\n\t\t\tif (ZEND_HASH_APPLY_KEEP != phar_tar_setmetadata(phar->metadata, mentry, error TSRMLS_CC)) {\n\t\t\t\tzend_hash_del(&(phar->manifest), \".phar/.metadata.bin\", sizeof(\".phar/.metadata.bin\")-1);\n\t\t\t\tif (closeoldfile) {\n\t\t\t\t\tphp_stream_close(oldfile);\n\t\t\t\t}\n\t\t\t\treturn EOF;\n\t\t\t}\n\t\t}\n\t}\n\n\tzend_hash_apply_with_argument(&phar->manifest, (apply_func_arg_t) phar_tar_setupmetadata, (void *) &pass TSRMLS_CC);\n\n\tif (error && *error) {\n\t\tif (closeoldfile) 
{\n\t\t\tphp_stream_close(oldfile);\n\t\t}\n\n\t\t/* on error in the hash iterator above, error is set */\n\t\tphp_stream_close(newfile);\n\t\treturn EOF;\n\t}\n\n\tzend_hash_apply_with_argument(&phar->manifest, (apply_func_arg_t) phar_tar_writeheaders, (void *) &pass TSRMLS_CC);\n\n\t/* add signature for executable tars or tars explicitly set with setSignatureAlgorithm */\n\tif (!phar->is_data || phar->sig_flags) {\n\t\tif (FAILURE == phar_create_signature(phar, newfile, &signature, &signature_length, error TSRMLS_CC)) {\n\t\t\tif (error) {\n\t\t\t\tchar *save = *error;\n\t\t\t\tspprintf(error, 0, \"phar error: unable to write signature to tar-based phar: %s\", save);\n\t\t\t\tefree(save);\n\t\t\t}\n\n\t\t\tif (closeoldfile) {\n\t\t\t\tphp_stream_close(oldfile);\n\t\t\t}\n\n\t\t\tphp_stream_close(newfile);\n\t\t\treturn EOF;\n\t\t}\n\n\t\tentry.filename = \".phar/signature.bin\";\n\t\tentry.filename_len = sizeof(\".phar/signature.bin\")-1;\n\t\tentry.fp = php_stream_fopen_tmpfile();\n\t\tif (entry.fp == NULL) {\n\t\t\tspprintf(error, 0, \"phar error: unable to create temporary file\");\n\t\t\treturn EOF;\n\t\t}\n#ifdef WORDS_BIGENDIAN\n# define PHAR_SET_32(var, buffer) \\\n\t*(php_uint32 *)(var) = (((((unsigned char*)&(buffer))[3]) << 24) \\\n\t\t| ((((unsigned char*)&(buffer))[2]) << 16) \\\n\t\t| ((((unsigned char*)&(buffer))[1]) << 8) \\\n\t\t| (((unsigned char*)&(buffer))[0]))\n#else\n# define PHAR_SET_32(var, buffer) *(php_uint32 *)(var) = (php_uint32) (buffer)\n#endif\n\t\tPHAR_SET_32(sigbuf, phar->sig_flags);\n\t\tPHAR_SET_32(sigbuf + 4, signature_length);\n\n\t\tif (8 != (int)php_stream_write(entry.fp, sigbuf, 8) || signature_length != (int)php_stream_write(entry.fp, signature, signature_length)) {\n\t\t\tefree(signature);\n\t\t\tif (error) {\n\t\t\t\tspprintf(error, 0, \"phar error: unable to write signature to tar-based phar %s\", phar->fname);\n\t\t\t}\n\n\t\t\tif (closeoldfile) 
{\n\t\t\t\tphp_stream_close(oldfile);\n\t\t\t}\n\t\t\tphp_stream_close(newfile);\n\t\t\treturn EOF;\n\t\t}\n\n\t\tefree(signature);\n\t\tentry.uncompressed_filesize = entry.compressed_filesize = signature_length + 8;\n\t\t/* throw out return value and write the signature */\n\t\tentry.filename_len = phar_tar_writeheaders((void *)&entry, (void *)&pass TSRMLS_CC);\n\n\t\tif (error && *error) {\n\t\t\tif (closeoldfile) {\n\t\t\t\tphp_stream_close(oldfile);\n\t\t\t}\n\t\t\t/* error is set by writeheaders */\n\t\t\tphp_stream_close(newfile);\n\t\t\treturn EOF;\n\t\t}\n\t} /* signature */\n\n\t/* add final zero blocks */\n\tbuf = (char *) ecalloc(1024, 1);\n\tphp_stream_write(newfile, buf, 1024);\n\tefree(buf);\n\n\tif (closeoldfile) {\n\t\tphp_stream_close(oldfile);\n\t}\n\n\t/* on error in the hash iterator above, error is set */\n\tif (error && *error) {\n\t\tphp_stream_close(newfile);\n\t\treturn EOF;\n\t}\n\n\tif (phar->fp && pass.free_fp) {\n\t\tphp_stream_close(phar->fp);\n\t}\n\n\tif (phar->ufp) {\n\t\tif (pass.free_ufp) {\n\t\t\tphp_stream_close(phar->ufp);\n\t\t}\n\t\tphar->ufp = NULL;\n\t}\n\n\tphar->is_brandnew = 0;\n\tphp_stream_rewind(newfile);\n\n\tif (phar->donotflush) {\n\t\t/* deferred flush */\n\t\tphar->fp = newfile;\n\t} else {\n\t\tphar->fp = php_stream_open_wrapper(phar->fname, \"w+b\", IGNORE_URL|STREAM_MUST_SEEK|REPORT_ERRORS, NULL);\n\t\tif (!phar->fp) {\n\t\t\tphar->fp = newfile;\n\t\t\tif (error) {\n\t\t\t\tspprintf(error, 0, \"unable to open new phar \\\"%s\\\" for writing\", phar->fname);\n\t\t\t}\n\t\t\treturn EOF;\n\t\t}\n\n\t\tif (phar->flags & PHAR_FILE_COMPRESSED_GZ) {\n\t\t\tphp_stream_filter *filter;\n\t\t\t/* to properly compress, we have to tell zlib to add a zlib header */\n\t\t\tzval filterparams;\n\n\t\t\tarray_init(&filterparams);\n/* this is defined in zlib's zconf.h */\n#ifndef MAX_WBITS\n#define MAX_WBITS 15\n#endif\n\t\t\tadd_assoc_long(&filterparams, \"window\", MAX_WBITS + 16);\n\t\t\tfilter = 
php_stream_filter_create(\"zlib.deflate\", &filterparams, php_stream_is_persistent(phar->fp) TSRMLS_CC);\n\t\t\tzval_dtor(&filterparams);\n\n\t\t\tif (!filter) {\n\t\t\t\t/* copy contents uncompressed rather than lose them */\n\t\t\t\tphar_stream_copy_to_stream(newfile, phar->fp, PHP_STREAM_COPY_ALL, NULL);\n\t\t\t\tphp_stream_close(newfile);\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 4096, \"unable to compress all contents of phar \\\"%s\\\" using zlib, PHP versions older than 5.2.6 have a buggy zlib\", phar->fname);\n\t\t\t\t}\n\t\t\t\treturn EOF;\n\t\t\t}\n\n\t\t\tphp_stream_filter_append(&phar->fp->writefilters, filter);\n\t\t\tphar_stream_copy_to_stream(newfile, phar->fp, PHP_STREAM_COPY_ALL, NULL);\n\t\t\tphp_stream_filter_flush(filter, 1);\n\t\t\tphp_stream_filter_remove(filter, 1 TSRMLS_CC);\n\t\t\tphp_stream_close(phar->fp);\n\t\t\t/* use the temp stream as our base */\n\t\t\tphar->fp = newfile;\n\t\t} else if (phar->flags & PHAR_FILE_COMPRESSED_BZ2) {\n\t\t\tphp_stream_filter *filter;\n\n\t\t\tfilter = php_stream_filter_create(\"bzip2.compress\", NULL, php_stream_is_persistent(phar->fp) TSRMLS_CC);\n\t\t\tphp_stream_filter_append(&phar->fp->writefilters, filter);\n\t\t\tphar_stream_copy_to_stream(newfile, phar->fp, PHP_STREAM_COPY_ALL, NULL);\n\t\t\tphp_stream_filter_flush(filter, 1);\n\t\t\tphp_stream_filter_remove(filter, 1 TSRMLS_CC);\n\t\t\tphp_stream_close(phar->fp);\n\t\t\t/* use the temp stream as our base */\n\t\t\tphar->fp = newfile;\n\t\t} else {\n\t\t\tphar_stream_copy_to_stream(newfile, phar->fp, PHP_STREAM_COPY_ALL, NULL);\n\t\t\t/* we could also reopen the file in \"rb\" mode but there is no need for that */\n\t\t\tphp_stream_close(newfile);\n\t\t}\n\t}\n\treturn EOF;\n}", "project": "php-src", "hash": 270098452641366376678173418771224109660, "size": 405, "commit_id": "07c7df68bd68bbe706371fccc77c814ebb335d9e", "message": "Fixed bug #71488: Stack overflow when decompressing tar archives", "target": 0, "dataset": "other", "idx": 355577 
}, { "func": "void CWebSock::SetVars() {\n m_Template[\"SessionUser\"] = GetUser();\n m_Template[\"SessionIP\"] = GetRemoteIP();\n m_Template[\"Tag\"] = CZNC::GetTag(GetSession()->GetUser() != nullptr, true);\n m_Template[\"Version\"] = CZNC::GetVersion();\n m_Template[\"SkinName\"] = GetSkinName();\n m_Template[\"_CSRF_Check\"] = GetCSRFCheck();\n m_Template[\"URIPrefix\"] = GetURIPrefix();\n\n if (GetSession()->IsAdmin()) {\n m_Template[\"IsAdmin\"] = \"true\";\n }\n\n GetSession()->FillMessageLoops(m_Template);\n GetSession()->ClearMessageLoops();\n\n // Global Mods\n CModules& vgMods = CZNC::Get().GetModules();\n for (CModule* pgMod : vgMods) {\n AddModLoop(\"GlobalModLoop\", *pgMod);\n }\n\n // User Mods\n if (IsLoggedIn()) {\n CModules& vMods = GetSession()->GetUser()->GetModules();\n\n for (CModule* pMod : vMods) {\n AddModLoop(\"UserModLoop\", *pMod);\n }\n\n vector vNetworks = GetSession()->GetUser()->GetNetworks();\n for (CIRCNetwork* pNetwork : vNetworks) {\n CModules& vnMods = pNetwork->GetModules();\n\n CTemplate& Row = m_Template.AddRow(\"NetworkModLoop\");\n Row[\"NetworkName\"] = pNetwork->GetName();\n\n for (CModule* pnMod : vnMods) {\n AddModLoop(\"ModLoop\", *pnMod, &Row);\n }\n }\n }\n\n if (IsLoggedIn()) {\n m_Template[\"LoggedIn\"] = \"true\";\n }\n}", "project": "znc", "hash": 140539149183987252205122800466841115972, "size": 47, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265765 }, { "func": "static void pre_svm_run(struct vcpu_svm *svm)\n{\n\tint cpu = raw_smp_processor_id();\n\n\tstruct svm_cpu_data *sd = per_cpu(svm_data, cpu);\n\n\tif (sev_guest(svm->vcpu.kvm))\n\t\treturn pre_sev_run(svm, cpu);\n\n\t/* FIXME: handle wraparound of asid_generation */\n\tif (svm->asid_generation != sd->asid_generation)\n\t\tnew_asid(svm, sd);\n}", 
"project": "linux", "hash": 201074791000476203202699091588063353974, "size": 13, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432640 }, { "func": "static void pre_svm_run(struct vcpu_svm *svm)\n{\n\tint cpu = raw_smp_processor_id();\n\n\tstruct svm_cpu_data *sd = per_cpu(svm_data, cpu);\n\n\t/* FIXME: handle wraparound of asid_generation */\n\tif (svm->asid_generation != sd->asid_generation)\n\t\tnew_asid(svm, sd);\n}", "project": "kvm", "hash": 137538093459904633666402260629862700351, "size": 10, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437581 }, { "func": "static void nfs4_xdr_enc_setclientid(struct rpc_rqst *req,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs4_setclientid *sc = data;\n\tstruct compound_hdr hdr = {\n\t\t.nops\t= 0,\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_setclientid(xdr, sc, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 286026763710410824964380369132554624773, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: 
Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431400 }, { "func": "static int tcp_copy_to_iovec(struct sock *sk, struct sk_buff *skb, int hlen)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tint chunk = skb->len - hlen;\n\tint err;\n\n\tlocal_bh_enable();\n\tif (skb_csum_unnecessary(skb))\n\t\terr = skb_copy_datagram_iovec(skb, hlen, tp->ucopy.iov, chunk);\n\telse\n\t\terr = skb_copy_and_csum_datagram_iovec(skb, hlen,\n\t\t\t\t\t\t tp->ucopy.iov);\n\n\tif (!err) {\n\t\ttp->ucopy.len -= chunk;\n\t\ttp->copied_seq += chunk;\n\t\ttcp_rcv_space_adjust(sk);\n\t}\n\n\tlocal_bh_disable();\n\treturn err;\n}", "project": "net-next", "hash": 185078515270054059863339202872733526837, "size": 22, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409854 }, { "func": "static int fuse_rename_common(struct inode *olddir, struct dentry *oldent,\n\t\t\t struct inode *newdir, struct dentry *newent,\n\t\t\t unsigned int flags, int opcode, size_t argsize)\n{\n\tint err;\n\tstruct fuse_rename2_in inarg;\n\tstruct fuse_mount *fm = get_fuse_mount(olddir);\n\tFUSE_ARGS(args);\n\n\tmemset(&inarg, 0, argsize);\n\tinarg.newdir = get_node_id(newdir);\n\tinarg.flags = flags;\n\targs.opcode = opcode;\n\targs.nodeid = get_node_id(olddir);\n\targs.in_numargs = 3;\n\targs.in_args[0].size = argsize;\n\targs.in_args[0].value = &inarg;\n\targs.in_args[1].size = oldent->d_name.len + 1;\n\targs.in_args[1].value = oldent->d_name.name;\n\targs.in_args[2].size = newent->d_name.len + 1;\n\targs.in_args[2].value = newent->d_name.name;\n\terr = fuse_simple_request(fm, &args);\n\tif (!err) {\n\t\t/* ctime changes */\n\t\tfuse_invalidate_attr(d_inode(oldent));\n\t\tfuse_update_ctime(d_inode(oldent));\n\n\t\tif (flags & RENAME_EXCHANGE) {\n\t\t\tfuse_invalidate_attr(d_inode(newent));\n\t\t\tfuse_update_ctime(d_inode(newent));\n\t\t}\n\n\t\tfuse_dir_changed(olddir);\n\t\tif (olddir != newdir)\n\t\t\tfuse_dir_changed(newdir);\n\n\t\t/* newent will end up negative */\n\t\tif (!(flags & RENAME_EXCHANGE) && d_really_is_positive(newent)) {\n\t\t\tfuse_invalidate_attr(d_inode(newent));\n\t\t\tfuse_invalidate_entry_cache(newent);\n\t\t\tfuse_update_ctime(d_inode(newent));\n\t\t}\n\t} else if (err == -EINTR) {\n\t\t/* If request was interrupted, DEITY only knows if the\n\t\t rename actually took place. If the invalidation\n\t\t fails (e.g. some process has CWD under the renamed\n\t\t directory), then there can be inconsistency between\n\t\t the dcache and the real filesystem. Tough luck. 
*/\n\t\tfuse_invalidate_entry(oldent);\n\t\tif (d_really_is_positive(newent))\n\t\t\tfuse_invalidate_entry(newent);\n\t}\n\n\treturn err;\n}", "project": "linux", "hash": 137810431490804234188046796619727468105, "size": 55, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342047 }, { "func": "static int _nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)\n{\n\tstruct nfs_delegation *delegation;\n\tstruct nfs4_opendata *opendata;\n\tfmode_t delegation_type = 0;\n\tint status;\n\n\topendata = nfs4_open_recoverdata_alloc(ctx, state,\n\t\t\tNFS4_OPEN_CLAIM_PREVIOUS);\n\tif (IS_ERR(opendata))\n\t\treturn PTR_ERR(opendata);\n\trcu_read_lock();\n\tdelegation = rcu_dereference(NFS_I(state->inode)->delegation);\n\tif (delegation != NULL && test_bit(NFS_DELEGATION_NEED_RECLAIM, &delegation->flags) != 0)\n\t\tdelegation_type = delegation->type;\n\trcu_read_unlock();\n\topendata->o_arg.u.delegation_type = delegation_type;\n\tstatus = nfs4_open_recover(opendata, state);\n\tnfs4_opendata_put(opendata);\n\treturn status;\n}", "project": "linux", "hash": 
48014099122456726389306279329636226167, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431477 }, { "func": "static void SFDParseMathItem(FILE *sfd,SplineFont *sf,char *tok) {\n /* The first five characters of a math item's keyword will be \"MATH:\" */\n /* the rest will be one of the entries in math_constants_descriptor */\n int i;\n struct MATH *math;\n\n if ( (math = sf->MATH) == NULL )\n\tmath = sf->MATH = calloc(1,sizeof(struct MATH));\n for ( i=0; math_constants_descriptor[i].script_name!=NULL; ++i ) {\n\tchar *name = math_constants_descriptor[i].script_name;\n\tint len = strlen( name );\n\tif ( strncmp(tok+5,name,len)==0 && tok[5+len] == ':' && tok[6+len]=='\\0' ) {\n\t int16 *pos = (int16 *) (((char *) (math)) + math_constants_descriptor[i].offset );\n\t getsint(sfd,pos);\n\t if ( math_constants_descriptor[i].devtab_offset != -1 ) {\n\t\tDeviceTable **devtab = (DeviceTable **) (((char *) (math)) + math_constants_descriptor[i].devtab_offset );\n\t\t*devtab = SFDReadDeviceTable(sfd,*devtab);\n break;\n\t }\n\t}\n }\n}", "project": "fontforge", "hash": 31904206027089519284173069316906798388, "size": 22, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on 
the value).", "target": 0, "dataset": "other", "idx": 417813 }, { "func": "TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {\n auto* params =\n reinterpret_cast(node->builtin_data);\n OpData* data = reinterpret_cast(node->user_data);\n\n bool has_bias = NumInputs(node) == 3;\n\n TF_LITE_ENSURE(context, has_bias || NumInputs(node) == 2);\n const TfLiteTensor* input;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, kInputTensor, &input));\n const TfLiteTensor* filter;\n TF_LITE_ENSURE_OK(context,\n GetInputSafe(context, node, kFilterTensor, &filter));\n const TfLiteTensor* bias = nullptr;\n\n TF_LITE_ENSURE_EQ(context, NumOutputs(node), 1);\n TfLiteTensor* output;\n TF_LITE_ENSURE_OK(context,\n GetOutputSafe(context, node, kOutputTensor, &output));\n\n TF_LITE_ENSURE_EQ(context, NumDimensions(input), 4);\n TF_LITE_ENSURE_EQ(context, NumDimensions(filter), 4);\n\n const TfLiteType data_type = input->type;\n\n const TfLiteType filter_type = filter->type;\n const bool is_hybrid =\n data_type == kTfLiteFloat32 && filter_type == kTfLiteInt8;\n TF_LITE_ENSURE(context,\n data_type == kTfLiteFloat32 || data_type == kTfLiteUInt8 ||\n data_type == kTfLiteInt8 || data_type == kTfLiteInt16);\n TF_LITE_ENSURE_TYPES_EQ(context, output->type, data_type);\n if (!is_hybrid) {\n TF_LITE_ENSURE(context,\n filter->type == data_type || data_type == kTfLiteInt16);\n }\n\n if (data_type == kTfLiteInt16) {\n TF_LITE_ENSURE_EQ(context, input->params.zero_point, 0);\n TF_LITE_ENSURE_EQ(context, output->params.zero_point, 0);\n }\n\n // Filter in DepthwiseConv is expected to be [1, H, W, O].\n TF_LITE_ENSURE_EQ(context, SizeOfDimension(filter, 0), 1);\n\n if (has_bias) {\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, kBiasTensor, &bias));\n if (data_type == kTfLiteUInt8 || data_type == kTfLiteInt8) {\n TF_LITE_ENSURE_TYPES_EQ(context, bias->type, kTfLiteInt32);\n TF_LITE_ENSURE_EQ(context, bias->params.zero_point, 0);\n } else if (data_type == kTfLiteInt16) {\n 
TF_LITE_ENSURE_TYPES_EQ(context, bias->type, kTfLiteInt64);\n TF_LITE_ENSURE_EQ(context, bias->params.zero_point, 0);\n } else {\n TF_LITE_ENSURE_TYPES_EQ(context, bias->type, data_type);\n }\n TF_LITE_ENSURE_EQ(context, NumDimensions(bias), 1);\n TF_LITE_ENSURE_EQ(context, SizeOfDimension(filter, 3),\n SizeOfDimension(bias, 0));\n }\n\n int channels_out = SizeOfDimension(filter, 3);\n int width = SizeOfDimension(input, 2);\n int height = SizeOfDimension(input, 1);\n int filter_width = SizeOfDimension(filter, 2);\n int filter_height = SizeOfDimension(filter, 1);\n int batches = SizeOfDimension(input, 0);\n\n // Matching GetWindowedOutputSize in TensorFlow.\n auto padding = params->padding;\n int out_width, out_height;\n\n data->padding = ComputePaddingHeightWidth(\n params->stride_height, params->stride_width,\n params->dilation_height_factor, params->dilation_width_factor, height,\n width, filter_height, filter_width, padding, &out_height, &out_width);\n\n // Note that quantized inference requires that all tensors have their\n // parameters set. 
This is usually done during quantized training or\n // calibration.\n if (data_type != kTfLiteFloat32) {\n TF_LITE_ENSURE_EQ(context, filter->quantization.type,\n kTfLiteAffineQuantization);\n TF_LITE_ENSURE(context, filter->quantization.type != kTfLiteNoQuantization);\n const auto* affine_quantization =\n reinterpret_cast(\n filter->quantization.params);\n TF_LITE_ENSURE(context, affine_quantization);\n TF_LITE_ENSURE(context, affine_quantization->scale);\n TF_LITE_ENSURE(context, (affine_quantization->scale->size == 1 ||\n affine_quantization->scale->size == channels_out));\n\n data->per_channel_output_multiplier.resize(channels_out);\n data->per_channel_output_shift.resize(channels_out);\n TF_LITE_ENSURE_STATUS(tflite::PopulateConvolutionQuantizationParams(\n context, input, filter, bias, output, params->activation,\n &data->output_multiplier, &data->output_shift,\n &data->output_activation_min, &data->output_activation_max,\n data->per_channel_output_multiplier.data(),\n data->per_channel_output_shift.data(), channels_out));\n }\n\n if (is_hybrid) {\n TF_LITE_ENSURE(context, filter->quantization.type != kTfLiteNoQuantization);\n const auto* affine_quantization =\n reinterpret_cast(\n filter->quantization.params);\n TF_LITE_ENSURE(context, affine_quantization);\n TF_LITE_ENSURE(context, affine_quantization->scale);\n TF_LITE_ENSURE_EQ(\n context, affine_quantization->scale->size,\n filter->dims->data[affine_quantization->quantized_dimension]);\n\n int temporaries_count = 0;\n data->input_quantized_index = temporaries_count;\n if (data->input_quantized_id == kTensorNotAllocated) {\n TF_LITE_ENSURE_OK(\n context, context->AddTensors(context, 1, &data->input_quantized_id));\n }\n ++temporaries_count;\n data->scaling_factors_index = temporaries_count;\n if (data->scaling_factors_id == kTensorNotAllocated) {\n TF_LITE_ENSURE_OK(\n context, context->AddTensors(context, 1, &data->scaling_factors_id));\n }\n ++temporaries_count;\n data->input_offset_index = 
temporaries_count;\n if (data->input_offset_id == kTensorNotAllocated) {\n TF_LITE_ENSURE_OK(\n context, context->AddTensors(context, 1, &data->input_offset_id));\n }\n ++temporaries_count;\n\n TfLiteIntArrayFree(node->temporaries);\n node->temporaries = TfLiteIntArrayCreate(temporaries_count);\n\n node->temporaries->data[data->input_quantized_index] =\n data->input_quantized_id;\n TfLiteTensor* input_quantized;\n TF_LITE_ENSURE_OK(\n context, GetTemporarySafe(context, node, data->input_quantized_index,\n &input_quantized));\n input_quantized->type = kTfLiteInt8;\n input_quantized->allocation_type = kTfLiteArenaRw;\n if (!TfLiteIntArrayEqual(input_quantized->dims, input->dims)) {\n TfLiteIntArray* input_quantized_size = TfLiteIntArrayCopy(input->dims);\n TF_LITE_ENSURE_OK(context, context->ResizeTensor(context, input_quantized,\n input_quantized_size));\n }\n node->temporaries->data[data->scaling_factors_index] =\n data->scaling_factors_id;\n TfLiteTensor* scaling_factors;\n TF_LITE_ENSURE_OK(\n context, GetTemporarySafe(context, node, data->scaling_factors_index,\n &scaling_factors));\n scaling_factors->type = kTfLiteFloat32;\n scaling_factors->allocation_type = kTfLiteArenaRw;\n const int batch_size = SizeOfDimension(input, 0);\n int scaling_dims[1] = {batch_size};\n if (!TfLiteIntArrayEqualsArray(scaling_factors->dims, 1, scaling_dims)) {\n TfLiteIntArray* scaling_factors_size = TfLiteIntArrayCreate(1);\n scaling_factors_size->data[0] = batch_size;\n TF_LITE_ENSURE_OK(context, context->ResizeTensor(context, scaling_factors,\n scaling_factors_size));\n }\n node->temporaries->data[data->input_offset_index] = data->input_offset_id;\n TfLiteTensor* input_offsets;\n TF_LITE_ENSURE_OK(context,\n GetTemporarySafe(context, node, data->input_offset_index,\n &input_offsets));\n input_offsets->type = kTfLiteInt32;\n input_offsets->allocation_type = kTfLiteArenaRw;\n if (!TfLiteIntArrayEqualsArray(input_offsets->dims, 1, scaling_dims)) {\n TfLiteIntArray* input_offsets_size 
= TfLiteIntArrayCreate(1);\n input_offsets_size->data[0] = batch_size;\n TF_LITE_ENSURE_OK(context, context->ResizeTensor(context, input_offsets,\n input_offsets_size));\n }\n }\n\n TfLiteIntArray* outputSize = TfLiteIntArrayCreate(4);\n outputSize->data[0] = batches;\n outputSize->data[1] = out_height;\n outputSize->data[2] = out_width;\n outputSize->data[3] = channels_out;\n return context->ResizeTensor(context, output, outputSize);\n}", "project": "tensorflow", "hash": 195314963762430554293071564484057477345, "size": 187, "commit_id": "e5b0eec199c2d03de54fd6a7fd9275692218e2bc", "message": "[lite] Add validation check for dilation height/width to be positive integers.\n\nPiperOrigin-RevId: 416429178\nChange-Id: If7cdcddca54486434d9b2f06e7e2b401d7c3ee25", "target": 1, "dataset": "other", "idx": 195247 }, { "func": "TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {\n OpData* op_data = reinterpret_cast(node->user_data);\n int num_inputs = node->inputs->size;\n // The number of outputs should be the same as number of inputs.\n TF_LITE_ENSURE_EQ(context, node->outputs->size, num_inputs);\n\n // Check subgraph indices and get subgraphs.\n Subgraph* this_subgraph = reinterpret_cast(context->impl_);\n auto* subgraphs = this_subgraph->GetSubgraphs();\n TF_LITE_ENSURE(context, op_data->cond_subgraph_index < subgraphs->size());\n TF_LITE_ENSURE(context, op_data->body_subgraph_index < subgraphs->size());\n TF_LITE_ENSURE(context,\n op_data->cond_subgraph_index != op_data->body_subgraph_index);\n\n Subgraph* cond_subgraph = (*subgraphs)[op_data->cond_subgraph_index].get();\n Subgraph* body_subgraph = (*subgraphs)[op_data->body_subgraph_index].get();\n\n // Check input & output count of the condition subgraph.\n TF_LITE_ENSURE_EQ(context, cond_subgraph->inputs().size(), num_inputs);\n TF_LITE_ENSURE_EQ(context, cond_subgraph->outputs().size(), 1);\n\n // Check input & output count of the body subgraph.\n TF_LITE_ENSURE_EQ(context, body_subgraph->inputs().size(), 
num_inputs);\n TF_LITE_ENSURE_EQ(context, body_subgraph->outputs().size(), num_inputs);\n\n // Prepare and check the condition subgraph.\n TF_LITE_ENSURE_OK(\n context, CopyTensorsShapeAndType(\n context, this_subgraph, TfLiteIntArrayView(node->inputs),\n cond_subgraph, cond_subgraph->inputs(), true));\n TF_LITE_ENSURE_OK(context, cond_subgraph->AllocateTensors());\n TfLiteTensor* cond_output =\n cond_subgraph->tensor(cond_subgraph->outputs()[0]);\n // This should rarely happens. In most cases the output is static with shape\n // [1]. However theoretically intermediate tensors in the cond subgraph\n // can be dynamic.\n if (IsDynamicTensor(cond_output)) {\n op_data->cond_has_dynamic_output_tensors = true;\n } else {\n TF_LITE_ENSURE_STATUS(CheckCondOutput(context, cond_output));\n }\n\n // Prepare and check the body subgraph.\n TF_LITE_ENSURE_OK(\n context, CopyTensorsShapeAndType(\n context, this_subgraph, TfLiteIntArrayView(node->inputs),\n body_subgraph, body_subgraph->inputs(), true));\n TF_LITE_ENSURE_OK(context, body_subgraph->AllocateTensors());\n if (body_subgraph->HasDynamicTensors()) {\n op_data->body_has_dynamic_output_tensors = true;\n } else {\n for (int i = 0; i < num_inputs; ++i) {\n TfLiteTensor* body_input =\n body_subgraph->tensor(body_subgraph->inputs()[i]);\n TfLiteTensor* body_output =\n body_subgraph->tensor(body_subgraph->outputs()[i]);\n TF_LITE_ENSURE_TYPES_EQ(context, body_input->type, body_output->type);\n\n TF_LITE_ENSURE(context, !IsDynamicTensor(body_output));\n if (!TfLiteIntArrayEqual(body_input->dims, body_output->dims)) {\n // If the output shape of the body subgraph is static w.r.t. a fixed\n // input size, but it's different from input size, it's still considered\n // dynamic. 
For example: If a subgraph keeps padding its input with a\n // fixed padding, the output shape is static w.r.t the input shape and\n // padding, but running it in a loop will keep bloating the tensor.\n op_data->body_has_dynamic_output_tensors = true;\n break;\n }\n }\n }\n for (int i = 0; i < num_inputs; ++i) {\n TfLiteTensor* output;\n TF_LITE_ENSURE_OK(context, GetOutputSafe(context, node, i, &output));\n if (op_data->body_has_dynamic_output_tensors) {\n SetTensorToDynamic(output);\n } else {\n TfLiteTensor* body_output =\n body_subgraph->tensor(body_subgraph->outputs()[i]);\n TfLiteIntArray* output_size = TfLiteIntArrayCopy(body_output->dims);\n TF_LITE_ENSURE_OK(context,\n context->ResizeTensor(context, output, output_size));\n }\n }\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 289464015359408411287110058600644174067, "size": 85, "commit_id": "c6173f5fe66cdbab74f4f869311fe6aae2ba35f4", "message": "TFLite: Error out when the graph has a recurion.\n\nRecursion is currently unsupported.\n\nPiperOrigin-RevId: 371708957\nChange-Id: I8dfad0d85cbfe08e39ae8ea7bad21254ddee5003", "target": 1, "dataset": "other", "idx": 198126 }, { "func": "TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {\n auto* params =\n reinterpret_cast(node->builtin_data);\n int axis = params->axis;\n int num_inputs = node->inputs->size;\n\n // The number of dimensions of the input tensors must match, and all\n // dimensions except 'axis' must be equal.\n const TfLiteTensor* t0;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, 0, &t0));\n TfLiteType input_type = t0->type;\n if (axis < 0) axis += t0->dims->size;\n TF_LITE_ENSURE(context, axis >= 0);\n TF_LITE_ENSURE(context, axis < t0->dims->size);\n\n TF_LITE_ENSURE_EQ(context, params->activation, kTfLiteActNone);\n TF_LITE_ENSURE(context,\n input_type == kTfLiteFloat32 || input_type == kTfLiteUInt8 ||\n input_type == kTfLiteInt8 || input_type == kTfLiteInt16 ||\n input_type == kTfLiteInt32 || input_type == 
kTfLiteInt64 ||\n input_type == kTfLiteBool);\n\n // Output dimensions will match input dimensions, except 'axis', which\n // will be the sum of inputs\n int sum_axis = t0->dims->data[axis];\n for (int i = 1; i < num_inputs; ++i) {\n const TfLiteTensor* t;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, i, &t));\n TF_LITE_ENSURE_EQ(context, t->dims->size, t0->dims->size);\n TF_LITE_ENSURE_EQ(context, t->type, input_type);\n for (int d = 0; d < t0->dims->size; ++d) {\n if (d == axis) {\n sum_axis += t->dims->data[axis];\n } else {\n TF_LITE_ENSURE_EQ(context, t->dims->data[d], t0->dims->data[d]);\n }\n }\n }\n\n TfLiteIntArray* output_size = TfLiteIntArrayCreate(t0->dims->size);\n for (int d = 0; d < t0->dims->size; ++d) {\n output_size->data[d] = (d == axis) ? sum_axis : t0->dims->data[d];\n }\n\n TfLiteTensor* output;\n TF_LITE_ENSURE_OK(context, GetOutputSafe(context, node, 0, &output));\n TF_LITE_ENSURE_TYPES_EQ(context, output->type, input_type);\n\n if (input_type == kTfLiteInt8) {\n // Make sure there is no re-scaling needed for Int8 quantized kernel. 
This\n // is a restriction we introduced to Int8 kernels.\n VectorOfTensors all_inputs(*context, *node->inputs);\n for (int i = 0; i < node->inputs->size; ++i) {\n const TfLiteTensor* t;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, i, &t));\n TF_LITE_ENSURE_EQ(context, t->params.scale, output->params.scale);\n TF_LITE_ENSURE_EQ(context, t->params.zero_point,\n output->params.zero_point);\n }\n }\n\n if (input_type == kTfLiteInt16) {\n // Make sure that all Int16 inputs have a null zero-point.\n for (int i = 0; i < node->inputs->size; ++i) {\n const TfLiteTensor* t = GetInput(context, node, i);\n TF_LITE_ENSURE_EQ(context, t->params.zero_point, 0);\n }\n TF_LITE_ENSURE_EQ(context, output->params.zero_point, 0);\n }\n\n return context->ResizeTensor(context, output, output_size);\n}", "project": "tensorflow", "hash": 92324200070320272661822081558700268693, "size": 72, "commit_id": "4253f96a58486ffe84b61c0415bb234a4632ee73", "message": "Fix integer overflow in TFLite concat\n\nPiperOrigin-RevId: 371013841\nChange-Id: I6a4782ce7ca753e23ff31e7fb6aeb7f9d412cd29", "target": 1, "dataset": "other", "idx": 198349 }, { "func": "TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {\n auto* params =\n reinterpret_cast(node->builtin_data);\n\n TF_LITE_ENSURE_EQ(context, NumInputs(node), 1);\n TF_LITE_ENSURE_EQ(context, NumOutputs(node), 1);\n\n const TfLiteTensor* input;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, kInputTensor, &input));\n TfLiteTensor* output;\n TF_LITE_ENSURE_OK(context,\n GetOutputSafe(context, node, kOutputTensor, &output));\n\n TF_LITE_ENSURE_EQ(context, NumDimensions(input), 4);\n\n auto data_type = output->type;\n TF_LITE_ENSURE(context,\n data_type == kTfLiteFloat32 || data_type == kTfLiteUInt8 ||\n data_type == kTfLiteInt8 || data_type == kTfLiteInt32 ||\n data_type == kTfLiteInt64);\n TF_LITE_ENSURE_TYPES_EQ(context, input->type, output->type);\n\n const int block_size = params->block_size;\n const int input_height = 
input->dims->data[1];\n const int input_width = input->dims->data[2];\n int output_height = input_height / block_size;\n int output_width = input_width / block_size;\n\n TF_LITE_ENSURE_EQ(context, input_height, output_height * block_size);\n TF_LITE_ENSURE_EQ(context, input_width, output_width * block_size);\n\n TfLiteIntArray* output_size = TfLiteIntArrayCreate(4);\n output_size->data[0] = input->dims->data[0];\n output_size->data[1] = output_height;\n output_size->data[2] = output_width;\n output_size->data[3] = input->dims->data[3] * block_size * block_size;\n\n return context->ResizeTensor(context, output, output_size);\n}", "project": "tensorflow", "hash": 31179933714560962811339968929323691110, "size": 39, "commit_id": "0d45ea1ca641b21b73bcf9c00e0179cda284e7e7", "message": "Prevent one more div by 0 in TFLite\n\nPiperOrigin-RevId: 370800114\nChange-Id: I6b956aeb8c458cc6f514408d2e89ffacfe249e57", "target": 1, "dataset": "other", "idx": 198448 }, { "func": "TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {\n // Check for supported activation types.\n auto* params =\n reinterpret_cast(node->builtin_data);\n const TfLiteTensor* filter;\n TF_LITE_ENSURE_OK(context,\n GetInputSafe(context, node, kWeightsTensor, &filter));\n const TfLiteTensor* input;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, kInputTensor, &input));\n const bool is_quantized =\n ((filter->type == kTfLiteUInt8) || (filter->type == kTfLiteInt8));\n const bool is_hybrid = is_quantized && (input->type == kTfLiteFloat32);\n const bool is_pie = kernel_type == kLegacyPie;\n\n // Pie and hybrid path supports all kinds of fused activations, otherwise only\n // clipping activations are supported.\n if (!is_pie && !is_hybrid) {\n TF_LITE_ENSURE(context, params->activation == kTfLiteActNone ||\n params->activation == kTfLiteActRelu ||\n params->activation == kTfLiteActReluN1To1 ||\n params->activation == kTfLiteActRelu6);\n }\n return PrepareImpl(context, node);\n}", "project": 
"tensorflow", "hash": 208452942271695439038365352368050990840, "size": 24, "commit_id": "6c0b2b70eeee588591680f5b7d5d38175fd7cdf6", "message": "[lite] add validation check for sparse fully connected\n\nPiperOrigin-RevId: 417629354\nChange-Id: If96171c4bd4f5fdb01d6368d6deab19d1c9beca7", "target": 0, "dataset": "other", "idx": 220478 }, { "func": "TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {\n auto* params =\n reinterpret_cast(node->builtin_data);\n OpData* data = reinterpret_cast(node->user_data);\n\n bool has_bias = NumInputs(node) == 3;\n\n TF_LITE_ENSURE(context, has_bias || NumInputs(node) == 2);\n const TfLiteTensor* input;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, kInputTensor, &input));\n const TfLiteTensor* filter;\n TF_LITE_ENSURE_OK(context,\n GetInputSafe(context, node, kFilterTensor, &filter));\n const TfLiteTensor* bias = nullptr;\n\n TF_LITE_ENSURE_EQ(context, NumOutputs(node), 1);\n TfLiteTensor* output;\n TF_LITE_ENSURE_OK(context,\n GetOutputSafe(context, node, kOutputTensor, &output));\n\n TF_LITE_ENSURE_EQ(context, NumDimensions(input), 4);\n TF_LITE_ENSURE_EQ(context, NumDimensions(filter), 4);\n TF_LITE_ENSURE(context, params->dilation_height_factor > 0);\n TF_LITE_ENSURE(context, params->dilation_width_factor > 0);\n\n const TfLiteType data_type = input->type;\n\n const TfLiteType filter_type = filter->type;\n const bool is_hybrid =\n data_type == kTfLiteFloat32 && filter_type == kTfLiteInt8;\n TF_LITE_ENSURE(context,\n data_type == kTfLiteFloat32 || data_type == kTfLiteUInt8 ||\n data_type == kTfLiteInt8 || data_type == kTfLiteInt16);\n TF_LITE_ENSURE_TYPES_EQ(context, output->type, data_type);\n if (!is_hybrid) {\n TF_LITE_ENSURE(context,\n filter->type == data_type || data_type == kTfLiteInt16);\n }\n\n if (data_type == kTfLiteInt16) {\n TF_LITE_ENSURE_EQ(context, input->params.zero_point, 0);\n TF_LITE_ENSURE_EQ(context, output->params.zero_point, 0);\n }\n\n // Filter in DepthwiseConv is expected to be 
[1, H, W, O].\n TF_LITE_ENSURE_EQ(context, SizeOfDimension(filter, 0), 1);\n\n if (has_bias) {\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, kBiasTensor, &bias));\n if (data_type == kTfLiteUInt8 || data_type == kTfLiteInt8) {\n TF_LITE_ENSURE_TYPES_EQ(context, bias->type, kTfLiteInt32);\n TF_LITE_ENSURE_EQ(context, bias->params.zero_point, 0);\n } else if (data_type == kTfLiteInt16) {\n TF_LITE_ENSURE_TYPES_EQ(context, bias->type, kTfLiteInt64);\n TF_LITE_ENSURE_EQ(context, bias->params.zero_point, 0);\n } else {\n TF_LITE_ENSURE_TYPES_EQ(context, bias->type, data_type);\n }\n TF_LITE_ENSURE_EQ(context, NumDimensions(bias), 1);\n TF_LITE_ENSURE_EQ(context, SizeOfDimension(filter, 3),\n SizeOfDimension(bias, 0));\n }\n\n int channels_out = SizeOfDimension(filter, 3);\n int width = SizeOfDimension(input, 2);\n int height = SizeOfDimension(input, 1);\n int filter_width = SizeOfDimension(filter, 2);\n int filter_height = SizeOfDimension(filter, 1);\n int batches = SizeOfDimension(input, 0);\n\n // Matching GetWindowedOutputSize in TensorFlow.\n auto padding = params->padding;\n int out_width, out_height;\n\n data->padding = ComputePaddingHeightWidth(\n params->stride_height, params->stride_width,\n params->dilation_height_factor, params->dilation_width_factor, height,\n width, filter_height, filter_width, padding, &out_height, &out_width);\n\n // Note that quantized inference requires that all tensors have their\n // parameters set. 
This is usually done during quantized training or\n // calibration.\n if (data_type != kTfLiteFloat32) {\n TF_LITE_ENSURE_EQ(context, filter->quantization.type,\n kTfLiteAffineQuantization);\n TF_LITE_ENSURE(context, filter->quantization.type != kTfLiteNoQuantization);\n const auto* affine_quantization =\n reinterpret_cast(\n filter->quantization.params);\n TF_LITE_ENSURE(context, affine_quantization);\n TF_LITE_ENSURE(context, affine_quantization->scale);\n TF_LITE_ENSURE(context, (affine_quantization->scale->size == 1 ||\n affine_quantization->scale->size == channels_out));\n\n data->per_channel_output_multiplier.resize(channels_out);\n data->per_channel_output_shift.resize(channels_out);\n TF_LITE_ENSURE_STATUS(tflite::PopulateConvolutionQuantizationParams(\n context, input, filter, bias, output, params->activation,\n &data->output_multiplier, &data->output_shift,\n &data->output_activation_min, &data->output_activation_max,\n data->per_channel_output_multiplier.data(),\n data->per_channel_output_shift.data(), channels_out));\n }\n\n if (is_hybrid) {\n TF_LITE_ENSURE(context, filter->quantization.type != kTfLiteNoQuantization);\n const auto* affine_quantization =\n reinterpret_cast(\n filter->quantization.params);\n TF_LITE_ENSURE(context, affine_quantization);\n TF_LITE_ENSURE(context, affine_quantization->scale);\n TF_LITE_ENSURE_EQ(\n context, affine_quantization->scale->size,\n filter->dims->data[affine_quantization->quantized_dimension]);\n\n int temporaries_count = 0;\n data->input_quantized_index = temporaries_count;\n if (data->input_quantized_id == kTensorNotAllocated) {\n TF_LITE_ENSURE_OK(\n context, context->AddTensors(context, 1, &data->input_quantized_id));\n }\n ++temporaries_count;\n data->scaling_factors_index = temporaries_count;\n if (data->scaling_factors_id == kTensorNotAllocated) {\n TF_LITE_ENSURE_OK(\n context, context->AddTensors(context, 1, &data->scaling_factors_id));\n }\n ++temporaries_count;\n data->input_offset_index = 
temporaries_count;\n if (data->input_offset_id == kTensorNotAllocated) {\n TF_LITE_ENSURE_OK(\n context, context->AddTensors(context, 1, &data->input_offset_id));\n }\n ++temporaries_count;\n\n TfLiteIntArrayFree(node->temporaries);\n node->temporaries = TfLiteIntArrayCreate(temporaries_count);\n\n node->temporaries->data[data->input_quantized_index] =\n data->input_quantized_id;\n TfLiteTensor* input_quantized;\n TF_LITE_ENSURE_OK(\n context, GetTemporarySafe(context, node, data->input_quantized_index,\n &input_quantized));\n input_quantized->type = kTfLiteInt8;\n input_quantized->allocation_type = kTfLiteArenaRw;\n if (!TfLiteIntArrayEqual(input_quantized->dims, input->dims)) {\n TfLiteIntArray* input_quantized_size = TfLiteIntArrayCopy(input->dims);\n TF_LITE_ENSURE_OK(context, context->ResizeTensor(context, input_quantized,\n input_quantized_size));\n }\n node->temporaries->data[data->scaling_factors_index] =\n data->scaling_factors_id;\n TfLiteTensor* scaling_factors;\n TF_LITE_ENSURE_OK(\n context, GetTemporarySafe(context, node, data->scaling_factors_index,\n &scaling_factors));\n scaling_factors->type = kTfLiteFloat32;\n scaling_factors->allocation_type = kTfLiteArenaRw;\n const int batch_size = SizeOfDimension(input, 0);\n int scaling_dims[1] = {batch_size};\n if (!TfLiteIntArrayEqualsArray(scaling_factors->dims, 1, scaling_dims)) {\n TfLiteIntArray* scaling_factors_size = TfLiteIntArrayCreate(1);\n scaling_factors_size->data[0] = batch_size;\n TF_LITE_ENSURE_OK(context, context->ResizeTensor(context, scaling_factors,\n scaling_factors_size));\n }\n node->temporaries->data[data->input_offset_index] = data->input_offset_id;\n TfLiteTensor* input_offsets;\n TF_LITE_ENSURE_OK(context,\n GetTemporarySafe(context, node, data->input_offset_index,\n &input_offsets));\n input_offsets->type = kTfLiteInt32;\n input_offsets->allocation_type = kTfLiteArenaRw;\n if (!TfLiteIntArrayEqualsArray(input_offsets->dims, 1, scaling_dims)) {\n TfLiteIntArray* input_offsets_size 
= TfLiteIntArrayCreate(1);\n input_offsets_size->data[0] = batch_size;\n TF_LITE_ENSURE_OK(context, context->ResizeTensor(context, input_offsets,\n input_offsets_size));\n }\n }\n\n TfLiteIntArray* outputSize = TfLiteIntArrayCreate(4);\n outputSize->data[0] = batches;\n outputSize->data[1] = out_height;\n outputSize->data[2] = out_width;\n outputSize->data[3] = channels_out;\n return context->ResizeTensor(context, output, outputSize);\n}", "project": "tensorflow", "hash": 67839353802325440041115603135108378593, "size": 189, "commit_id": "e5b0eec199c2d03de54fd6a7fd9275692218e2bc", "message": "[lite] Add validation check for dilation height/width to be positive integers.\n\nPiperOrigin-RevId: 416429178\nChange-Id: If7cdcddca54486434d9b2f06e7e2b401d7c3ee25", "target": 0, "dataset": "other", "idx": 223174 }, { "func": "TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {\n OpData* data = reinterpret_cast(node->user_data);\n\n bool has_bias = NumInputs(node) == 4;\n\n // Sanity checks on op\n TF_LITE_ENSURE(context, has_bias || NumInputs(node) == 3);\n TF_LITE_ENSURE_EQ(context, NumOutputs(node), 1);\n\n // Retrieve tensors\n const TfLiteTensor* output_shape;\n TF_LITE_ENSURE_OK(\n context, GetInputSafe(context, node, kOutputShapeTensor, &output_shape));\n const TfLiteTensor* weights;\n TF_LITE_ENSURE_OK(context,\n GetInputSafe(context, node, kWeightsTensor, &weights));\n const TfLiteTensor* input;\n TF_LITE_ENSURE_OK(context,\n GetInputSafe(context, node, kDataInputTensor, &input));\n const TfLiteTensor* bias = nullptr;\n\n TfLiteTensor* output;\n TF_LITE_ENSURE_OK(context,\n GetOutputSafe(context, node, kOutputTensor, &output));\n\n // Tensor sanity checks\n TF_LITE_ENSURE_EQ(context, NumDimensions(output_shape), 1);\n TF_LITE_ENSURE_EQ(context, NumDimensions(input), 4);\n TF_LITE_ENSURE_EQ(context, NumDimensions(weights), 4);\n TF_LITE_ENSURE(context,\n input->type == kTfLiteFloat32 || input->type == kTfLiteUInt8 ||\n input->type == kTfLiteInt8 || 
input->type == kTfLiteInt16);\n\n if (has_bias) {\n bias = GetOptionalInputTensor(context, node, kBiasTensor);\n if (bias) {\n if (input->type == kTfLiteUInt8 || input->type == kTfLiteInt8) {\n TF_LITE_ENSURE_TYPES_EQ(context, bias->type, kTfLiteInt32);\n if (input->type == kTfLiteInt8) {\n TF_LITE_ENSURE_EQ(context, bias->params.zero_point, 0);\n }\n } else if (input->type == kTfLiteInt16) {\n TF_LITE_ENSURE_EQ(context, bias->type, kTfLiteInt64);\n TF_LITE_ENSURE_EQ(context, bias->params.zero_point, 0);\n } else {\n TF_LITE_ENSURE_TYPES_EQ(context, bias->type, input->type);\n }\n TF_LITE_ENSURE_EQ(context, NumElements(bias),\n SizeOfDimension(weights, 0));\n }\n }\n\n if (input->type == kTfLiteInt16) {\n TF_LITE_ENSURE_EQ(context, weights->type, kTfLiteInt8);\n TF_LITE_ENSURE_EQ(context, input->params.zero_point, 0);\n TF_LITE_ENSURE_EQ(context, output->params.zero_point, 0);\n } else {\n TF_LITE_ENSURE_TYPES_EQ(context, weights->type, input->type);\n }\n TF_LITE_ENSURE_TYPES_EQ(context, output->type, input->type);\n // Ensure that weights and inputs have the same channel dimension.\n // Note: TOCO will reorder weights in the following format: OHWI.\n TF_LITE_ENSURE_EQ(context, SizeOfDimension(input, 3),\n SizeOfDimension(weights, 3));\n\n // Allocate col2Im, transposed_weights & scratch Tensor.\n TF_LITE_ENSURE_STATUS(AllocateTemporaryTensorsIfRequired(\n context, input->type, weights->type, node));\n\n OpData* user_data = reinterpret_cast(node->user_data);\n TfLiteTensor* col2im = nullptr;\n if (data->has_col2im) {\n node->temporaries->data[data->col2im_index] = data->col2im_id;\n TF_LITE_ENSURE_OK(\n context,\n GetTemporarySafe(context, node, user_data->col2im_index, &col2im));\n }\n\n if (!IsConstantTensor(output_shape)) {\n // Defer resizing until Eval().\n SetTensorToDynamic(output);\n if (data->has_col2im) {\n SetTensorToDynamic(col2im);\n }\n } else {\n TF_LITE_ENSURE_STATUS(ResizeTensor(context, output_shape, output));\n if (data->has_col2im) {\n 
TF_LITE_ENSURE_STATUS(\n ResizeCol2ImTensor(context, output_shape, weights, input, col2im));\n }\n }\n\n if (data->weights_are_transposed) {\n node->temporaries->data[data->transposed_weights_index] =\n data->transposed_weights_id;\n TfLiteTensor* transposed_weights;\n TF_LITE_ENSURE_OK(\n context,\n GetTemporarySafe(context, node, user_data->transposed_weights_index,\n &transposed_weights));\n if (!IsConstantTensor(weights)) {\n SetTensorToDynamic(transposed_weights);\n } else {\n ResizeAndTransposeWeights(context, weights, transposed_weights);\n }\n }\n\n if (input->type == kTfLiteUInt8 || input->type == kTfLiteInt8 ||\n input->type == kTfLiteInt16) {\n node->temporaries->data[data->scratch_tensor_index] =\n data->scratch_tensor_id;\n TfLiteTensor* scratch_buffer;\n TF_LITE_ENSURE_OK(\n context, GetTemporarySafe(context, node, data->scratch_tensor_index,\n &scratch_buffer));\n if (input->type == kTfLiteInt16) {\n scratch_buffer->type = kTfLiteInt64;\n } else {\n scratch_buffer->type = kTfLiteInt32;\n }\n\n scratch_buffer->allocation_type = kTfLiteDynamic;\n if (!IsConstantTensor(output_shape)) {\n SetTensorToDynamic(scratch_buffer);\n } else {\n TF_LITE_ENSURE_STATUS(\n ResizeTensor(context, output_shape, scratch_buffer));\n }\n\n TF_LITE_ENSURE_EQ(context, weights->quantization.type,\n kTfLiteAffineQuantization);\n const auto* affine_quantization =\n reinterpret_cast(\n weights->quantization.params);\n const int channels_out = weights->dims->data[0];\n TF_LITE_ENSURE(context, affine_quantization);\n TF_LITE_ENSURE(context, affine_quantization->scale);\n TF_LITE_ENSURE(context, (affine_quantization->scale->size == 1 ||\n affine_quantization->scale->size == channels_out));\n\n data->per_channel_output_multiplier.resize(channels_out);\n data->per_channel_output_shift.resize(channels_out);\n TF_LITE_ENSURE_STATUS(tflite::PopulateConvolutionQuantizationParams(\n context, input, weights, bias, output, kTfLiteActNone,\n &data->output_multiplier, &data->output_shift,\n 
&data->output_activation_min, &data->output_activation_max,\n data->per_channel_output_multiplier.data(),\n data->per_channel_output_shift.data(), channels_out));\n }\n\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 338541472009814251775925686808296996651, "size": 152, "commit_id": "801c1c6be5324219689c98e1bd3e0ca365ee834d", "message": "Fix another division by 0 in TFLite\n\nPiperOrigin-RevId: 370800181\nChange-Id: I924809166a6131f5075e6d45c455106538d755f9", "target": 0, "dataset": "other", "idx": 265426 }, { "func": "TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {\n TF_LITE_ENSURE_EQ(context, NumInputs(node), 4);\n TF_LITE_ENSURE_EQ(context, NumOutputs(node), 1);\n\n OneHotContext op_context{context, node};\n switch (op_context.dtype) {\n // TODO(b/111744875): Support uint8 and quantization.\n case kTfLiteFloat32:\n case kTfLiteInt16:\n case kTfLiteInt32:\n case kTfLiteInt64:\n case kTfLiteInt8:\n case kTfLiteUInt8:\n case kTfLiteBool:\n op_context.output->type = op_context.dtype;\n break;\n default:\n TF_LITE_KERNEL_LOG(context, \"Unknown output data type: %s\",\n TfLiteTypeGetName(op_context.dtype));\n return kTfLiteError;\n }\n\n TF_LITE_ENSURE(context, op_context.indices->type == kTfLiteInt32 ||\n op_context.indices->type == kTfLiteInt64);\n TF_LITE_ENSURE(context, op_context.axis >= 0 &&\n op_context.axis < op_context.output_dims);\n TF_LITE_ENSURE_EQ(context, NumElements(op_context.depth), 1);\n TF_LITE_ENSURE_EQ(context, NumElements(op_context.on_value), 1);\n TF_LITE_ENSURE_EQ(context, NumElements(op_context.off_value), 1);\n TF_LITE_ENSURE_TYPES_EQ(context, op_context.on_value->type, op_context.dtype);\n TF_LITE_ENSURE_TYPES_EQ(context, op_context.off_value->type,\n op_context.dtype);\n\n if (!IsConstantTensor(op_context.depth)) {\n SetTensorToDynamic(op_context.output);\n return kTfLiteOk;\n }\n\n return ResizeOutputTensor(context, op_context);\n}", "project": "tensorflow", "hash": 262446679592366953380903278226423756764, 
"size": 40, "commit_id": "3ebedd7e345453d68e279cfc3e4072648e5e12e5", "message": "Prevent division by 0 in OneHot implementation\n\nIf input indices is degenerate, the implementation would do a divide by zero. See https://github.com/tensorflow/tensorflow/blob/745d57df6d5e9bc568666a2a48ed8dd629c27241/tensorflow/lite/kernels/one_hot.cc#L68-L72\n\nPiperOrigin-RevId: 370966870\nChange-Id: Ie018337811c8016b5a1d3a277d00d5f2e19a2058", "target": 0, "dataset": "other", "idx": 267936 }, { "func": "TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {\n auto* params =\n reinterpret_cast(node->builtin_data);\n int axis = params->axis;\n int num_inputs = node->inputs->size;\n\n // The number of dimensions of the input tensors must match, and all\n // dimensions except 'axis' must be equal.\n const TfLiteTensor* t0;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, 0, &t0));\n TfLiteType input_type = t0->type;\n if (axis < 0) axis += t0->dims->size;\n TF_LITE_ENSURE(context, axis >= 0);\n TF_LITE_ENSURE(context, axis < t0->dims->size);\n\n TF_LITE_ENSURE_EQ(context, params->activation, kTfLiteActNone);\n TF_LITE_ENSURE(context,\n input_type == kTfLiteFloat32 || input_type == kTfLiteUInt8 ||\n input_type == kTfLiteInt8 || input_type == kTfLiteInt16 ||\n input_type == kTfLiteInt32 || input_type == kTfLiteInt64 ||\n input_type == kTfLiteBool);\n\n // Output dimensions will match input dimensions, except 'axis', which\n // will be the sum of inputs\n int sum_axis = t0->dims->data[axis];\n for (int i = 1; i < num_inputs; ++i) {\n const TfLiteTensor* t;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, i, &t));\n TF_LITE_ENSURE_EQ(context, t->dims->size, t0->dims->size);\n TF_LITE_ENSURE_EQ(context, t->type, input_type);\n for (int d = 0; d < t0->dims->size; ++d) {\n if (d == axis) {\n // Avoid integer overflow in sum_axis below\n TF_LITE_ENSURE(context, t->dims->data[axis] >= 0);\n TF_LITE_ENSURE(context, t->dims->data[axis] <=\n std::numeric_limits::max() - 
sum_axis);\n sum_axis += t->dims->data[axis];\n } else {\n TF_LITE_ENSURE_EQ(context, t->dims->data[d], t0->dims->data[d]);\n }\n }\n }\n\n TfLiteIntArray* output_size = TfLiteIntArrayCreate(t0->dims->size);\n for (int d = 0; d < t0->dims->size; ++d) {\n output_size->data[d] = (d == axis) ? sum_axis : t0->dims->data[d];\n }\n\n TfLiteTensor* output;\n TF_LITE_ENSURE_OK(context, GetOutputSafe(context, node, 0, &output));\n TF_LITE_ENSURE_TYPES_EQ(context, output->type, input_type);\n\n if (input_type == kTfLiteInt8) {\n // Make sure there is no re-scaling needed for Int8 quantized kernel. This\n // is a restriction we introduced to Int8 kernels.\n VectorOfTensors all_inputs(*context, *node->inputs);\n for (int i = 0; i < node->inputs->size; ++i) {\n const TfLiteTensor* t;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, i, &t));\n TF_LITE_ENSURE_EQ(context, t->params.scale, output->params.scale);\n TF_LITE_ENSURE_EQ(context, t->params.zero_point,\n output->params.zero_point);\n }\n }\n\n if (input_type == kTfLiteInt16) {\n // Make sure that all Int16 inputs have a null zero-point.\n for (int i = 0; i < node->inputs->size; ++i) {\n const TfLiteTensor* t = GetInput(context, node, i);\n TF_LITE_ENSURE_EQ(context, t->params.zero_point, 0);\n }\n TF_LITE_ENSURE_EQ(context, output->params.zero_point, 0);\n }\n\n return context->ResizeTensor(context, output, output_size);\n}", "project": "tensorflow", "hash": 173727750294110908854288838016785698395, "size": 76, "commit_id": "4253f96a58486ffe84b61c0415bb234a4632ee73", "message": "Fix integer overflow in TFLite concat\n\nPiperOrigin-RevId: 371013841\nChange-Id: I6a4782ce7ca753e23ff31e7fb6aeb7f9d412cd29", "target": 0, "dataset": "other", "idx": 273050 }, { "func": "TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {\n auto* params =\n reinterpret_cast(node->builtin_data);\n\n TF_LITE_ENSURE_EQ(context, NumInputs(node), 1);\n TF_LITE_ENSURE_EQ(context, NumOutputs(node), 1);\n\n const TfLiteTensor* input;\n 
TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, kInputTensor, &input));\n TfLiteTensor* output;\n TF_LITE_ENSURE_OK(context,\n GetOutputSafe(context, node, kOutputTensor, &output));\n\n TF_LITE_ENSURE_EQ(context, NumDimensions(input), 4);\n\n auto data_type = output->type;\n TF_LITE_ENSURE(context,\n data_type == kTfLiteFloat32 || data_type == kTfLiteUInt8 ||\n data_type == kTfLiteInt8 || data_type == kTfLiteInt32 ||\n data_type == kTfLiteInt64);\n TF_LITE_ENSURE_TYPES_EQ(context, input->type, output->type);\n\n const int block_size = params->block_size;\n TF_LITE_ENSURE(context, block_size > 0);\n const int input_height = input->dims->data[1];\n const int input_width = input->dims->data[2];\n int output_height = input_height / block_size;\n int output_width = input_width / block_size;\n\n TF_LITE_ENSURE_EQ(context, input_height, output_height * block_size);\n TF_LITE_ENSURE_EQ(context, input_width, output_width * block_size);\n\n TfLiteIntArray* output_size = TfLiteIntArrayCreate(4);\n output_size->data[0] = input->dims->data[0];\n output_size->data[1] = output_height;\n output_size->data[2] = output_width;\n output_size->data[3] = input->dims->data[3] * block_size * block_size;\n\n return context->ResizeTensor(context, output, output_size);\n}", "project": "tensorflow", "hash": 53852501749742148609964241513124776788, "size": 40, "commit_id": "0d45ea1ca641b21b73bcf9c00e0179cda284e7e7", "message": "Prevent one more div by 0 in TFLite\n\nPiperOrigin-RevId: 370800114\nChange-Id: I6b956aeb8c458cc6f514408d2e89ffacfe249e57", "target": 0, "dataset": "other", "idx": 274812 }, { "func": "void lj_trace_freestate(global_State *g)\n{\n jit_State *J = G2J(g);\n#ifdef LUA_USE_ASSERT\n { /* This assumes all traces have already been freed. 
*/\n ptrdiff_t i;\n for (i = 1; i < (ptrdiff_t)J->sizetrace; i++)\n lua_assert(i == (ptrdiff_t)J->cur.traceno || traceref(J, i) == NULL);\n }\n#endif\n lj_mcode_free(J);\n lj_ir_k64_freeall(J);\n lj_mem_freevec(g, J->snapmapbuf, J->sizesnapmap, SnapEntry);\n lj_mem_freevec(g, J->snapbuf, J->sizesnap, SnapShot);\n lj_mem_freevec(g, J->irbuf + J->irbotlim, J->irtoplim - J->irbotlim, IRIns);\n lj_mem_freevec(g, J->trace, J->sizetrace, GCRef);\n}", "project": "LuaJIT", "hash": 143026852331824686345852240533525394262, "size": 17, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394614 }, { "func": "static int nfs4_call_sync_sequence(struct rpc_clnt *clnt,\n\t\t\t\t struct nfs_server *server,\n\t\t\t\t struct rpc_message *msg,\n\t\t\t\t struct nfs4_sequence_args *args,\n\t\t\t\t struct nfs4_sequence_res *res)\n{\n\treturn nfs4_do_call_sync(clnt, server, msg, args, res, 0);\n}", "project": "linux", "hash": 83431404013410304931412776028962758863, "size": 8, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431155 }, { "func": "static int oidc_request_post_preserved_restore(request_rec *r,\n\t\tconst char *original_url) {\n\n\toidc_debug(r, \"enter: original_url=%s\", original_url);\n\n\tconst char *method = \"postOnLoad\";\n\tconst char *script =\n\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\" \\n\", method, original_url);\n\n\tconst char *body = \"

Restoring...

\\n\"\n\t\t\t\"
\\n\";\n\n\treturn oidc_util_html_send(r, \"Restoring...\", script, method, body,\n\t\t\tOK);\n}", "project": "mod_auth_openidc", "hash": 35525550530039889010628581634183056973, "size": 38, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 1, "dataset": "other", "idx": 206516 }, { "func": "__u64 kvm_s390_get_cpu_timer(struct kvm_vcpu *vcpu)\n{\n\tunsigned int seq;\n\t__u64 value;\n\n\tif (unlikely(!vcpu->arch.cputm_enabled))\n\t\treturn vcpu->arch.sie_block->cputm;\n\n\tpreempt_disable(); /* protect from TOD sync and vcpu_load/put */\n\tdo {\n\t\tseq = raw_read_seqcount(&vcpu->arch.cputm_seqcount);\n\t\t/*\n\t\t * If the writer would ever execute a read in the critical\n\t\t * section, e.g. in irq context, we have a deadlock.\n\t\t */\n\t\tWARN_ON_ONCE((seq & 1) && smp_processor_id() == vcpu->cpu);\n\t\tvalue = vcpu->arch.sie_block->cputm;\n\t\t/* if cputm_start is 0, accounting is being started/stopped */\n\t\tif (likely(vcpu->arch.cputm_start))\n\t\t\tvalue -= get_tod_clock_fast() - vcpu->arch.cputm_start;\n\t} while (read_seqcount_retry(&vcpu->arch.cputm_seqcount, seq & ~1));\n\tpreempt_enable();\n\treturn value;\n}", "project": "linux", "hash": 80476224194059167948953523211639665079, "size": 24, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: 
<20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354436 }, { "func": "HttpStateData::httpTimeout(const CommTimeoutCbParams &)\n{\n debugs(11, 4, serverConnection << \": '\" << entry->url() << \"'\");\n\n if (entry->store_status == STORE_PENDING) {\n fwd->fail(new ErrorState(ERR_READ_TIMEOUT, Http::scGatewayTimeout, fwd->request));\n }\n\n closeServer();\n mustStop(\"HttpStateData::httpTimeout\");\n}", "project": "squid", "hash": 58648645829686741715162818407942237850, "size": 11, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402305 }, { "func": "static void pcre_log_error(const char* func, int line, int pcre_code,\n const char* pattern, int pattern_size,\n const char* subject, int subject_size,\n const char* repl, int repl_size,\n int arg1 = 0, int arg2 = 0,\n int arg3 = 0, int arg4 = 0) {\n const char* escapedPattern;\n const char* escapedSubject;\n const char* escapedRepl;\n std::string p(pattern, pattern_size);\n std::string s(subject, subject_size);\n std::string r(repl, repl_size);\n escapedPattern = Logger::EscapeString(p);\n escapedSubject = Logger::EscapeString(s);\n escapedRepl = Logger::EscapeString(r);\n const char* errString =\n (pcre_code == PCRE_ERROR_MATCHLIMIT) ? \"PCRE_ERROR_MATCHLIMIT\" :\n (pcre_code == PCRE_ERROR_RECURSIONLIMIT) ? 
\"PCRE_ERROR_RECURSIONLIMIT\" :\n \"UNKNOWN\";\n raise_warning_unsampled(\n \"REGEXERR: %s/%d: err=%d(%s), pattern='%s', subject='%s', repl='%s', \"\n \"limits=(%\" PRId64 \", %\" PRId64 \"), extra=(%d, %d, %d, %d)\",\n func, line, pcre_code, errString,\n escapedPattern, escapedSubject, escapedRepl,\n tl_pcre_globals->preg_backtrace_limit,\n tl_pcre_globals->preg_recursion_limit,\n arg1, arg2, arg3, arg4);\n free((void *)escapedPattern);\n free((void *)escapedSubject);\n free((void *)escapedRepl);\n}", "project": "hhvm", "hash": 158635750366120202008248161943874086966, "size": 31, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219109 }, { "func": "static void initargs(int argc, char **argv)\n{\n int c;\n\n CmdName = cmdName(argv[0]);\n opterr = 0;\n while ((c = getopt(argc, argv, \":vg:o:\")) != -1) {\n\tswitch (c) {\n\tcase 'g':\n\t gname = optarg;\n\t break;\n\tcase 'v':\n\t Verbose = 1;\n\t break;\n\tcase 'o':\n\t outFile = openFile(optarg, \"w\");\n\t break;\n\tcase ':':\n\t fprintf(stderr, \"%s: option -%c missing argument\\n\", CmdName, optopt);\n\t usage(1);\n\t break;\n\tcase '?':\n\t if (optopt == '?')\n\t\tusage(0);\n\t else {\n\t\tfprintf(stderr, \"%s: option -%c unrecognized\\n\", CmdName,\n\t\t\toptopt);\n\t\tusage(1);\n\t }\n\t}\n }\n\n argv += optind;\n argc -= optind;\n\n if (argc)\n\tFiles = argv;\n if (!outFile)\n\toutFile = stdout;\n}", "target": 0, "cwe": [ "CWE-476" ], "project": "graphviz", "commit_id": "839085f8026afd6f6920a0c31ad2a9d880d97932", "hash": 109817921175919041576927374075975232399, "size": 40, "message": "attempted fix for null pointer deference on malformed input", "dataset": "other", "idx": 505490 }, { "func": "static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)\n{\n\tint r;\n\tstruct kvm_vcpu *vcpu;\n\tstruct page *page;\n\n\tif (id >= KVM_MAX_VCPU_ID)\n\t\treturn 
-EINVAL;\n\n\tmutex_lock(&kvm->lock);\n\tif (kvm->created_vcpus == KVM_MAX_VCPUS) {\n\t\tmutex_unlock(&kvm->lock);\n\t\treturn -EINVAL;\n\t}\n\n\tkvm->created_vcpus++;\n\tmutex_unlock(&kvm->lock);\n\n\tr = kvm_arch_vcpu_precreate(kvm, id);\n\tif (r)\n\t\tgoto vcpu_decrement;\n\n\tvcpu = kmem_cache_zalloc(kvm_vcpu_cache, GFP_KERNEL);\n\tif (!vcpu) {\n\t\tr = -ENOMEM;\n\t\tgoto vcpu_decrement;\n\t}\n\n\tBUILD_BUG_ON(sizeof(struct kvm_run) > PAGE_SIZE);\n\tpage = alloc_page(GFP_KERNEL | __GFP_ZERO);\n\tif (!page) {\n\t\tr = -ENOMEM;\n\t\tgoto vcpu_free;\n\t}\n\tvcpu->run = page_address(page);\n\n\tkvm_vcpu_init(vcpu, kvm, id);\n\n\tr = kvm_arch_vcpu_create(vcpu);\n\tif (r)\n\t\tgoto vcpu_free_run_page;\n\n\tkvm_create_vcpu_debugfs(vcpu);\n\n\tmutex_lock(&kvm->lock);\n\tif (kvm_get_vcpu_by_id(kvm, id)) {\n\t\tr = -EEXIST;\n\t\tgoto unlock_vcpu_destroy;\n\t}\n\n\tvcpu->vcpu_idx = atomic_read(&kvm->online_vcpus);\n\tBUG_ON(kvm->vcpus[vcpu->vcpu_idx]);\n\n\t/* Now it's all set up, let userspace reach it */\n\tkvm_get_kvm(kvm);\n\tr = create_vcpu_fd(vcpu);\n\tif (r < 0) {\n\t\tkvm_put_kvm_no_destroy(kvm);\n\t\tgoto unlock_vcpu_destroy;\n\t}\n\n\tkvm->vcpus[vcpu->vcpu_idx] = vcpu;\n\n\t/*\n\t * Pairs with smp_rmb() in kvm_get_vcpu. 
Write kvm->vcpus\n\t * before kvm->online_vcpu's incremented value.\n\t */\n\tsmp_wmb();\n\tatomic_inc(&kvm->online_vcpus);\n\n\tmutex_unlock(&kvm->lock);\n\tkvm_arch_vcpu_postcreate(vcpu);\n\treturn r;\n\nunlock_vcpu_destroy:\n\tmutex_unlock(&kvm->lock);\n\tdebugfs_remove_recursive(vcpu->debugfs_dentry);\n\tkvm_arch_vcpu_destroy(vcpu);\nvcpu_free_run_page:\n\tfree_page((unsigned long)vcpu->run);\nvcpu_free:\n\tkmem_cache_free(kvm_vcpu_cache, vcpu);\nvcpu_decrement:\n\tmutex_lock(&kvm->lock);\n\tkvm->created_vcpus--;\n\tmutex_unlock(&kvm->lock);\n\treturn r;\n}", "project": "linux", "hash": 269717757721623786006132406642203520970, "size": 88, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354423 }, { "func": "static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)\n{\n\tint r;\n\tstruct kvm_vcpu *vcpu;\n\tstruct page *page;\n\n\tif (id >= KVM_MAX_VCPU_ID)\n\t\treturn -EINVAL;\n\n\tmutex_lock(&kvm->lock);\n\tif (kvm->created_vcpus == KVM_MAX_VCPUS) {\n\t\tmutex_unlock(&kvm->lock);\n\t\treturn -EINVAL;\n\t}\n\n\tkvm->created_vcpus++;\n\tmutex_unlock(&kvm->lock);\n\n\tr = kvm_arch_vcpu_precreate(kvm, id);\n\tif (r)\n\t\tgoto vcpu_decrement;\n\n\tvcpu = kmem_cache_zalloc(kvm_vcpu_cache, GFP_KERNEL_ACCOUNT);\n\tif (!vcpu) {\n\t\tr = -ENOMEM;\n\t\tgoto 
vcpu_decrement;\n\t}\n\n\tBUILD_BUG_ON(sizeof(struct kvm_run) > PAGE_SIZE);\n\tpage = alloc_page(GFP_KERNEL_ACCOUNT | __GFP_ZERO);\n\tif (!page) {\n\t\tr = -ENOMEM;\n\t\tgoto vcpu_free;\n\t}\n\tvcpu->run = page_address(page);\n\n\tkvm_vcpu_init(vcpu, kvm, id);\n\n\tr = kvm_arch_vcpu_create(vcpu);\n\tif (r)\n\t\tgoto vcpu_free_run_page;\n\n\tif (kvm->dirty_ring_size) {\n\t\tr = kvm_dirty_ring_alloc(&vcpu->dirty_ring,\n\t\t\t\t\t id, kvm->dirty_ring_size);\n\t\tif (r)\n\t\t\tgoto arch_vcpu_destroy;\n\t}\n\n\tmutex_lock(&kvm->lock);\n\tif (kvm_get_vcpu_by_id(kvm, id)) {\n\t\tr = -EEXIST;\n\t\tgoto unlock_vcpu_destroy;\n\t}\n\n\tvcpu->vcpu_idx = atomic_read(&kvm->online_vcpus);\n\tBUG_ON(kvm->vcpus[vcpu->vcpu_idx]);\n\n\t/* Now it's all set up, let userspace reach it */\n\tkvm_get_kvm(kvm);\n\tr = create_vcpu_fd(vcpu);\n\tif (r < 0) {\n\t\tkvm_put_kvm_no_destroy(kvm);\n\t\tgoto unlock_vcpu_destroy;\n\t}\n\n\tkvm->vcpus[vcpu->vcpu_idx] = vcpu;\n\n\t/*\n\t * Pairs with smp_rmb() in kvm_get_vcpu. Write kvm->vcpus\n\t * before kvm->online_vcpu's incremented value.\n\t */\n\tsmp_wmb();\n\tatomic_inc(&kvm->online_vcpus);\n\n\tmutex_unlock(&kvm->lock);\n\tkvm_arch_vcpu_postcreate(vcpu);\n\tkvm_create_vcpu_debugfs(vcpu);\n\treturn r;\n\nunlock_vcpu_destroy:\n\tmutex_unlock(&kvm->lock);\n\tkvm_dirty_ring_free(&vcpu->dirty_ring);\narch_vcpu_destroy:\n\tkvm_arch_vcpu_destroy(vcpu);\nvcpu_free_run_page:\n\tfree_page((unsigned long)vcpu->run);\nvcpu_free:\n\tkmem_cache_free(kvm_vcpu_cache, vcpu);\nvcpu_decrement:\n\tmutex_lock(&kvm->lock);\n\tkvm->created_vcpus--;\n\tmutex_unlock(&kvm->lock);\n\treturn r;\n}", "project": "linux", "hash": 176918198826778172941452624562918371967, "size": 95, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404056 }, { "func": "static int __io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)\n{\n\tconst char __user *fname;\n\tint ret;\n\n\tif (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))\n\t\treturn -EINVAL;\n\tif (unlikely(sqe->ioprio || sqe->buf_index))\n\t\treturn -EINVAL;\n\tif (unlikely(req->flags & REQ_F_FIXED_FILE))\n\t\treturn -EBADF;\n\n\t/* open.how should be already initialised */\n\tif (!(req->open.how.flags & O_PATH) && force_o_largefile())\n\t\treq->open.how.flags |= O_LARGEFILE;\n\n\treq->open.dfd = READ_ONCE(sqe->fd);\n\tfname = u64_to_user_ptr(READ_ONCE(sqe->addr));\n\treq->open.filename = getname(fname);\n\tif (IS_ERR(req->open.filename)) {\n\t\tret = PTR_ERR(req->open.filename);\n\t\treq->open.filename = NULL;\n\t\treturn ret;\n\t}\n\treq->open.nofile = rlimit(RLIMIT_NOFILE);\n\treq->flags |= REQ_F_NEED_CLEANUP;\n\treturn 0;\n}", "project": "linux", "hash": 138091500099524633335769710754444374169, "size": 28, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself 
around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456936 }, { "func": "static inline unsigned int tcp_packets_in_flight(const struct tcp_sock *tp)\n{\n\treturn tp->packets_out - tcp_left_out(tp) + tp->retrans_out;\n}", "project": "linux", "hash": 93565690257372551977338607849324151009, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410770 }, { "func": " */\nstatic bool bfq_bfqq_update_budg_for_activation(struct bfq_data *bfqd,\n\t\t\t\t\t\tstruct bfq_queue *bfqq,\n\t\t\t\t\t\tbool arrived_in_time)\n{\n\tstruct bfq_entity *entity = &bfqq->entity;\n\n\t/*\n\t * In the next compound condition, we check also whether there\n\t * is some budget left, because otherwise there is no point in\n\t * trying to go on serving bfqq with this same budget: bfqq\n\t * would be expired immediately after being selected for\n\t * service. This would only cause useless overhead.\n\t */\n\tif (bfq_bfqq_non_blocking_wait_rq(bfqq) && arrived_in_time &&\n\t bfq_bfqq_budget_left(bfqq) > 0) {\n\t\t/*\n\t\t * We do not clear the flag non_blocking_wait_rq here, as\n\t\t * the latter is used in bfq_activate_bfqq to signal\n\t\t * that timestamps need to be back-shifted (and is\n\t\t * cleared right after).\n\t\t */\n\n\t\t/*\n\t\t * In next assignment we rely on that either\n\t\t * entity->service or entity->budget are not updated\n\t\t * on expiration if bfqq is empty (see\n\t\t * __bfq_bfqq_recalc_budget). Thus both quantities\n\t\t * remain unchanged after such an expiration, and the\n\t\t * following statement therefore assigns to\n\t\t * entity->budget the remaining budget on such an\n\t\t * expiration.\n\t\t */\n\t\tentity->budget = min_t(unsigned long,\n\t\t\t\t bfq_bfqq_budget_left(bfqq),\n\t\t\t\t bfqq->max_budget);\n\n\t\t/*\n\t\t * At this point, we have used entity->service to get\n\t\t * the budget left (needed for updating\n\t\t * entity->budget). Thus we finally can, and have to,\n\t\t * reset entity->service. 
The latter must be reset\n\t\t * because bfqq would otherwise be charged again for\n\t\t * the service it has received during its previous\n\t\t * service slot(s).\n\t\t */\n\t\tentity->service = 0;\n\n\t\treturn true;\n\t}\n\n\t/*\n\t * We can finally complete expiration, by setting service to 0.\n\t */\n\tentity->service = 0;\n\tentity->budget = max_t(unsigned long, bfqq->max_budget,\n\t\t\t bfq_serv_to_charge(bfqq->next_rq, bfqq));\n\tbfq_clear_bfqq_non_blocking_wait_rq(bfqq);\n\treturn false;", "project": "linux", "hash": 199070891693556586311935012068099569301, "size": 59, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453364 }, { "func": "static ssize_t hung_up_tty_read(struct file *file, char __user *buf,\n\t\t\t\tsize_t count, loff_t *ppos)\n{\n\treturn 0;\n}", "project": "linux", "hash": 157583451890864124526014113943193711936, "size": 5, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. 
(Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326012 }, { "func": " */\nstatic void bfq_updated_next_req(struct bfq_data *bfqd,\n\t\t\t\t struct bfq_queue *bfqq)\n{\n\tstruct bfq_entity *entity = &bfqq->entity;\n\tstruct request *next_rq = bfqq->next_rq;\n\tunsigned long new_budget;\n\n\tif (!next_rq)\n\t\treturn;\n\n\tif (bfqq == bfqd->in_service_queue)\n\t\t/*\n\t\t * In order not to break guarantees, budgets cannot be\n\t\t * changed after an entity has been selected.\n\t\t */\n\t\treturn;\n\n\tnew_budget = max_t(unsigned long,\n\t\t\t max_t(unsigned long, bfqq->max_budget,\n\t\t\t\t bfq_serv_to_charge(next_rq, bfqq)),\n\t\t\t entity->service);\n\tif (entity->budget != new_budget) {\n\t\tentity->budget = new_budget;\n\t\tbfq_log_bfqq(bfqd, bfqq, \"updated next rq: new budget %lu\",\n\t\t\t\t\t new_budget);\n\t\tbfq_requeue_bfqq(bfqd, bfqq, false);\n\t}", "project": "linux", "hash": 147015016499062898091615244423781545235, "size": 28, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", 
"message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] 
do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the 
object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453381 }, { "func": "int32_t WebContents::ID() const {\n return weak_map_id();\n}", "project": "electron", "hash": 234255077817532095486114368474912707827, "size": 3, "commit_id": 
"18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269769 }, { "func": "void CLua::init_lua()\n{\n if (_state)\n return;\n\n#ifdef NO_CUSTOM_ALLOCATOR\n // If this is likely to be used as a server, warn the builder.\n // NOTE: #warning doesn't work on MSVC, so this will be fatal there\n // (not that webtiles or dgamelaunch are supported on Windows anyway).\n# if defined(USE_TILE_WEB) || defined(DGAMELAUNCH)\n# warning Detected 64-bit Luajit, disabling CLua memory throttling.\n# endif\n _state = luaL_newstate();\n#else\n // Throttle memory usage in managed (clua) VMs\n _state = managed_vm? lua_newstate(_clua_allocator, this) : luaL_newstate();\n#endif\n if (!_state)\n end(1, false, \"Unable to create Lua state.\");\n\n lua_stack_cleaner clean(_state);\n\n lua_atpanic(_state, _clua_panic);\n\n#ifdef CLUA_UNRESTRICTED_LIBS\n // open all libs -- this is not safe for public servers or releases!\n // Intended for people writing bots and the like.\n luaL_openlibs(_state);\n#else\n // Selectively load some, but not all Lua core libraries.\n //\n // In Lua 5.1, these library setup calls are not supposed to be called\n // directly from C. If the lua version changes, this may need to be changed:\n // recommended practice is (apparently) checking the lua version's linit.cc\n // and seeing how that does the full library setup.\n //\n // This doesn't seem to *obviously* impact the libraries we use by default,\n // but some of the libraries we don't use will panic if not called\n // correctly; since someone writing a bot (for example) might want to\n // expand this, do things \"correctly\". 
The core lua libraries in 5.1 we are\n // not loading are:\n //\n // {LUA_LOADLIBNAME, luaopen_package}, // (require etc)\n // {LUA_IOLIBNAME, luaopen_io}, //\n // {LUA_OSLIBNAME, luaopen_os},\n // {LUA_DBLIBNAME, luaopen_debug},\n const vector> lua_core_libs =\n {\n {\"\", luaopen_base}, // XX: why no name? but this is how linit.cc does it\n {LUA_TABLIBNAME, luaopen_table},\n {LUA_STRLIBNAME, luaopen_string},\n {LUA_MATHLIBNAME, luaopen_math},\n };\n\n for (auto l : lua_core_libs)\n {\n lua_pushcfunction(_state, l.second);\n lua_pushstring(_state, l.first.c_str());\n lua_call(_state, 1, 0);\n }\n#endif\n\n lua_pushboolean(_state, managed_vm);\n setregistry(\"lua_vm_is_managed\");\n\n lua_pushlightuserdata(_state, this);\n setregistry(\"__clua\");\n}", "project": "crawl", "hash": 71452706803229845476731548778896900140, "size": 68, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230498 }, { "func": "unsigned short parse_port(const char *input, boost::system::error_code& ec)\n{\n char *end = nullptr;\n auto port = std::strtoul(input, &end, 10);\n if (port > std::numeric_limits::max()) {\n ec.assign(ERANGE, boost::system::system_category());\n } else if (port == 0 && end == input) {\n ec.assign(EINVAL, boost::system::system_category());\n }\n return port;\n}", "project": "ceph", "hash": 115533104929880576756672865043220804765, "size": 11, "commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves CVE-2020-1700 (moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384557 }, { "func": "static inline void TCP_ECN_rcv_synack(struct tcp_sock *tp, const struct tcphdr *th)\n{\n\tif ((tp->ecn_flags & TCP_ECN_OK) && (!th->ece || 
th->cwr))\n\t\ttp->ecn_flags &= ~TCP_ECN_OK;\n}", "project": "net-next", "hash": 311995667184818657645596334567479080138, "size": 5, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409879 }, { "func": "int nested_svm_vmrun(struct vcpu_svm *svm)\n{\n\tint ret;\n\tstruct vmcb *vmcb12;\n\tstruct vmcb *hsave = svm->nested.hsave;\n\tstruct vmcb *vmcb = svm->vmcb;\n\tstruct kvm_host_map map;\n\tu64 vmcb12_gpa;\n\n\tif (is_smm(&svm->vcpu)) {\n\t\tkvm_queue_exception(&svm->vcpu, UD_VECTOR);\n\t\treturn 1;\n\t}\n\n\tvmcb12_gpa = svm->vmcb->save.rax;\n\tret = kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(vmcb12_gpa), &map);\n\tif (ret == -EINVAL) {\n\t\tkvm_inject_gp(&svm->vcpu, 0);\n\t\treturn 1;\n\t} else if (ret) {\n\t\treturn kvm_skip_emulated_instruction(&svm->vcpu);\n\t}\n\n\tret = kvm_skip_emulated_instruction(&svm->vcpu);\n\n\tvmcb12 = map.hva;\n\n\tif (WARN_ON_ONCE(!svm->nested.initialized))\n\t\treturn -EINVAL;\n\n\tif (!nested_vmcb_checks(svm, vmcb12)) {\n\t\tvmcb12->control.exit_code = SVM_EXIT_ERR;\n\t\tvmcb12->control.exit_code_hi = 0;\n\t\tvmcb12->control.exit_info_1 = 0;\n\t\tvmcb12->control.exit_info_2 = 0;\n\t\tgoto out;\n\t}\n\n\ttrace_kvm_nested_vmrun(svm->vmcb->save.rip, vmcb12_gpa,\n\t\t\t vmcb12->save.rip,\n\t\t\t vmcb12->control.int_ctl,\n\t\t\t vmcb12->control.event_inj,\n\t\t\t vmcb12->control.nested_ctl);\n\n\ttrace_kvm_nested_intercepts(vmcb12->control.intercepts[INTERCEPT_CR] & 0xffff,\n\t\t\t\t vmcb12->control.intercepts[INTERCEPT_CR] >> 16,\n\t\t\t\t vmcb12->control.intercepts[INTERCEPT_EXCEPTION],\n\t\t\t\t vmcb12->control.intercepts[INTERCEPT_WORD3],\n\t\t\t\t 
vmcb12->control.intercepts[INTERCEPT_WORD4],\n\t\t\t\t vmcb12->control.intercepts[INTERCEPT_WORD5]);\n\n\t/* Clear internal status */\n\tkvm_clear_exception_queue(&svm->vcpu);\n\tkvm_clear_interrupt_queue(&svm->vcpu);\n\n\t/*\n\t * Save the old vmcb, so we don't need to pick what we save, but can\n\t * restore everything when a VMEXIT occurs\n\t */\n\thsave->save.es = vmcb->save.es;\n\thsave->save.cs = vmcb->save.cs;\n\thsave->save.ss = vmcb->save.ss;\n\thsave->save.ds = vmcb->save.ds;\n\thsave->save.gdtr = vmcb->save.gdtr;\n\thsave->save.idtr = vmcb->save.idtr;\n\thsave->save.efer = svm->vcpu.arch.efer;\n\thsave->save.cr0 = kvm_read_cr0(&svm->vcpu);\n\thsave->save.cr4 = svm->vcpu.arch.cr4;\n\thsave->save.rflags = kvm_get_rflags(&svm->vcpu);\n\thsave->save.rip = kvm_rip_read(&svm->vcpu);\n\thsave->save.rsp = vmcb->save.rsp;\n\thsave->save.rax = vmcb->save.rax;\n\tif (npt_enabled)\n\t\thsave->save.cr3 = vmcb->save.cr3;\n\telse\n\t\thsave->save.cr3 = kvm_read_cr3(&svm->vcpu);\n\n\tcopy_vmcb_control_area(&hsave->control, &vmcb->control);\n\n\tsvm->nested.nested_run_pending = 1;\n\n\tif (enter_svm_guest_mode(svm, vmcb12_gpa, vmcb12))\n\t\tgoto out_exit_err;\n\n\tif (nested_svm_vmrun_msrpm(svm))\n\t\tgoto out;\n\nout_exit_err:\n\tsvm->nested.nested_run_pending = 0;\n\n\tsvm->vmcb->control.exit_code = SVM_EXIT_ERR;\n\tsvm->vmcb->control.exit_code_hi = 0;\n\tsvm->vmcb->control.exit_info_1 = 0;\n\tsvm->vmcb->control.exit_info_2 = 0;\n\n\tnested_svm_vmexit(svm);\n\nout:\n\tkvm_vcpu_unmap(&svm->vcpu, &map, true);\n\n\treturn ret;\n}", "project": "linux", "hash": 141649806115592010502494780149120635226, "size": 102, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. 
Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 1, "dataset": "other", "idx": 206039 }, { "func": "int nested_svm_vmrun(struct vcpu_svm *svm)\n{\n\tint ret;\n\tstruct vmcb *vmcb12;\n\tstruct vmcb *hsave = svm->nested.hsave;\n\tstruct vmcb *vmcb = svm->vmcb;\n\tstruct kvm_host_map map;\n\tu64 vmcb12_gpa;\n\n\tif (is_smm(&svm->vcpu)) {\n\t\tkvm_queue_exception(&svm->vcpu, UD_VECTOR);\n\t\treturn 1;\n\t}\n\n\tvmcb12_gpa = svm->vmcb->save.rax;\n\tret = kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(vmcb12_gpa), &map);\n\tif (ret == -EINVAL) {\n\t\tkvm_inject_gp(&svm->vcpu, 0);\n\t\treturn 1;\n\t} else if (ret) {\n\t\treturn kvm_skip_emulated_instruction(&svm->vcpu);\n\t}\n\n\tret = kvm_skip_emulated_instruction(&svm->vcpu);\n\n\tvmcb12 = map.hva;\n\n\tif (WARN_ON_ONCE(!svm->nested.initialized))\n\t\treturn -EINVAL;\n\n\tload_nested_vmcb_control(svm, &vmcb12->control);\n\n\tif (!nested_vmcb_check_save(svm, vmcb12) ||\n\t !nested_vmcb_check_controls(&svm->nested.ctl)) {\n\t\tvmcb12->control.exit_code = SVM_EXIT_ERR;\n\t\tvmcb12->control.exit_code_hi = 0;\n\t\tvmcb12->control.exit_info_1 = 0;\n\t\tvmcb12->control.exit_info_2 = 0;\n\t\tgoto out;\n\t}\n\n\ttrace_kvm_nested_vmrun(svm->vmcb->save.rip, vmcb12_gpa,\n\t\t\t vmcb12->save.rip,\n\t\t\t vmcb12->control.int_ctl,\n\t\t\t vmcb12->control.event_inj,\n\t\t\t vmcb12->control.nested_ctl);\n\n\ttrace_kvm_nested_intercepts(vmcb12->control.intercepts[INTERCEPT_CR] & 0xffff,\n\t\t\t\t vmcb12->control.intercepts[INTERCEPT_CR] >> 16,\n\t\t\t\t vmcb12->control.intercepts[INTERCEPT_EXCEPTION],\n\t\t\t\t vmcb12->control.intercepts[INTERCEPT_WORD3],\n\t\t\t\t vmcb12->control.intercepts[INTERCEPT_WORD4],\n\t\t\t\t 
vmcb12->control.intercepts[INTERCEPT_WORD5]);\n\n\t/* Clear internal status */\n\tkvm_clear_exception_queue(&svm->vcpu);\n\tkvm_clear_interrupt_queue(&svm->vcpu);\n\n\t/*\n\t * Save the old vmcb, so we don't need to pick what we save, but can\n\t * restore everything when a VMEXIT occurs\n\t */\n\thsave->save.es = vmcb->save.es;\n\thsave->save.cs = vmcb->save.cs;\n\thsave->save.ss = vmcb->save.ss;\n\thsave->save.ds = vmcb->save.ds;\n\thsave->save.gdtr = vmcb->save.gdtr;\n\thsave->save.idtr = vmcb->save.idtr;\n\thsave->save.efer = svm->vcpu.arch.efer;\n\thsave->save.cr0 = kvm_read_cr0(&svm->vcpu);\n\thsave->save.cr4 = svm->vcpu.arch.cr4;\n\thsave->save.rflags = kvm_get_rflags(&svm->vcpu);\n\thsave->save.rip = kvm_rip_read(&svm->vcpu);\n\thsave->save.rsp = vmcb->save.rsp;\n\thsave->save.rax = vmcb->save.rax;\n\tif (npt_enabled)\n\t\thsave->save.cr3 = vmcb->save.cr3;\n\telse\n\t\thsave->save.cr3 = kvm_read_cr3(&svm->vcpu);\n\n\tcopy_vmcb_control_area(&hsave->control, &vmcb->control);\n\n\tsvm->nested.nested_run_pending = 1;\n\n\tif (enter_svm_guest_mode(svm, vmcb12_gpa, vmcb12))\n\t\tgoto out_exit_err;\n\n\tif (nested_svm_vmrun_msrpm(svm))\n\t\tgoto out;\n\nout_exit_err:\n\tsvm->nested.nested_run_pending = 0;\n\n\tsvm->vmcb->control.exit_code = SVM_EXIT_ERR;\n\tsvm->vmcb->control.exit_code_hi = 0;\n\tsvm->vmcb->control.exit_info_1 = 0;\n\tsvm->vmcb->control.exit_info_2 = 0;\n\n\tnested_svm_vmexit(svm);\n\nout:\n\tkvm_vcpu_unmap(&svm->vcpu, &map, true);\n\n\treturn ret;\n}", "project": "linux", "hash": 86206897187959108781935741539715146259, "size": 105, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. 
Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376647 }, { "func": "static int nested_svm_vmrun(struct vcpu_svm *svm)\n{\n\tint ret;\n\tstruct vmcb *nested_vmcb;\n\tstruct vmcb *hsave = svm->nested.hsave;\n\tstruct vmcb *vmcb = svm->vmcb;\n\tstruct kvm_host_map map;\n\tu64 vmcb_gpa;\n\n\tvmcb_gpa = svm->vmcb->save.rax;\n\n\tret = kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(vmcb_gpa), &map);\n\tif (ret == -EINVAL) {\n\t\tkvm_inject_gp(&svm->vcpu, 0);\n\t\treturn 1;\n\t} else if (ret) {\n\t\treturn kvm_skip_emulated_instruction(&svm->vcpu);\n\t}\n\n\tret = kvm_skip_emulated_instruction(&svm->vcpu);\n\n\tnested_vmcb = map.hva;\n\n\tif (!nested_vmcb_checks(nested_vmcb)) {\n\t\tnested_vmcb->control.exit_code = SVM_EXIT_ERR;\n\t\tnested_vmcb->control.exit_code_hi = 0;\n\t\tnested_vmcb->control.exit_info_1 = 0;\n\t\tnested_vmcb->control.exit_info_2 = 0;\n\n\t\tkvm_vcpu_unmap(&svm->vcpu, &map, true);\n\n\t\treturn ret;\n\t}\n\n\ttrace_kvm_nested_vmrun(svm->vmcb->save.rip, vmcb_gpa,\n\t\t\t nested_vmcb->save.rip,\n\t\t\t nested_vmcb->control.int_ctl,\n\t\t\t nested_vmcb->control.event_inj,\n\t\t\t nested_vmcb->control.nested_ctl);\n\n\ttrace_kvm_nested_intercepts(nested_vmcb->control.intercept_cr & 0xffff,\n\t\t\t\t nested_vmcb->control.intercept_cr >> 16,\n\t\t\t\t nested_vmcb->control.intercept_exceptions,\n\t\t\t\t nested_vmcb->control.intercept);\n\n\t/* Clear internal status */\n\tkvm_clear_exception_queue(&svm->vcpu);\n\tkvm_clear_interrupt_queue(&svm->vcpu);\n\n\t/*\n\t * Save the old vmcb, so we don't need to pick what we save, but can\n\t * restore everything when a VMEXIT occurs\n\t */\n\thsave->save.es = vmcb->save.es;\n\thsave->save.cs = 
vmcb->save.cs;\n\thsave->save.ss = vmcb->save.ss;\n\thsave->save.ds = vmcb->save.ds;\n\thsave->save.gdtr = vmcb->save.gdtr;\n\thsave->save.idtr = vmcb->save.idtr;\n\thsave->save.efer = svm->vcpu.arch.efer;\n\thsave->save.cr0 = kvm_read_cr0(&svm->vcpu);\n\thsave->save.cr4 = svm->vcpu.arch.cr4;\n\thsave->save.rflags = kvm_get_rflags(&svm->vcpu);\n\thsave->save.rip = kvm_rip_read(&svm->vcpu);\n\thsave->save.rsp = vmcb->save.rsp;\n\thsave->save.rax = vmcb->save.rax;\n\tif (npt_enabled)\n\t\thsave->save.cr3 = vmcb->save.cr3;\n\telse\n\t\thsave->save.cr3 = kvm_read_cr3(&svm->vcpu);\n\n\tcopy_vmcb_control_area(hsave, vmcb);\n\n\tenter_svm_guest_mode(svm, vmcb_gpa, nested_vmcb, &map);\n\n\tif (!nested_svm_vmrun_msrpm(svm)) {\n\t\tsvm->vmcb->control.exit_code = SVM_EXIT_ERR;\n\t\tsvm->vmcb->control.exit_code_hi = 0;\n\t\tsvm->vmcb->control.exit_info_1 = 0;\n\t\tsvm->vmcb->control.exit_info_2 = 0;\n\n\t\tnested_svm_vmexit(svm);\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 198152140342535051601331732087015237669, "size": 86, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432514 }, { "func": "static bool nested_svm_vmrun(struct vcpu_svm *svm)\n{\n\tstruct vmcb *nested_vmcb;\n\tstruct vmcb *hsave = svm->nested.hsave;\n\tstruct vmcb *vmcb = svm->vmcb;\n\tstruct page *page;\n\tu64 vmcb_gpa;\n\n\tvmcb_gpa = svm->vmcb->save.rax;\n\n\tnested_vmcb = nested_svm_map(svm, svm->vmcb->save.rax, &page);\n\tif (!nested_vmcb)\n\t\treturn false;\n\n\tif (!nested_vmcb_checks(nested_vmcb)) {\n\t\tnested_vmcb->control.exit_code = SVM_EXIT_ERR;\n\t\tnested_vmcb->control.exit_code_hi = 0;\n\t\tnested_vmcb->control.exit_info_1 = 0;\n\t\tnested_vmcb->control.exit_info_2 = 0;\n\n\t\tnested_svm_unmap(page);\n\n\t\treturn false;\n\t}\n\n\ttrace_kvm_nested_vmrun(svm->vmcb->save.rip, vmcb_gpa,\n\t\t\t nested_vmcb->save.rip,\n\t\t\t nested_vmcb->control.int_ctl,\n\t\t\t nested_vmcb->control.event_inj,\n\t\t\t nested_vmcb->control.nested_ctl);\n\n\ttrace_kvm_nested_intercepts(nested_vmcb->control.intercept_cr & 0xffff,\n\t\t\t\t nested_vmcb->control.intercept_cr >> 16,\n\t\t\t\t nested_vmcb->control.intercept_exceptions,\n\t\t\t\t nested_vmcb->control.intercept);\n\n\t/* Clear internal status */\n\tkvm_clear_exception_queue(&svm->vcpu);\n\tkvm_clear_interrupt_queue(&svm->vcpu);\n\n\t/*\n\t * Save the old vmcb, so we don't need to pick what we save, but can\n\t * restore everything when a VMEXIT occurs\n\t */\n\thsave->save.es = vmcb->save.es;\n\thsave->save.cs = vmcb->save.cs;\n\thsave->save.ss = vmcb->save.ss;\n\thsave->save.ds = vmcb->save.ds;\n\thsave->save.gdtr = vmcb->save.gdtr;\n\thsave->save.idtr = vmcb->save.idtr;\n\thsave->save.efer = svm->vcpu.arch.efer;\n\thsave->save.cr0 = kvm_read_cr0(&svm->vcpu);\n\thsave->save.cr4 = svm->vcpu.arch.cr4;\n\thsave->save.rflags = kvm_get_rflags(&svm->vcpu);\n\thsave->save.rip = 
kvm_rip_read(&svm->vcpu);\n\thsave->save.rsp = vmcb->save.rsp;\n\thsave->save.rax = vmcb->save.rax;\n\tif (npt_enabled)\n\t\thsave->save.cr3 = vmcb->save.cr3;\n\telse\n\t\thsave->save.cr3 = kvm_read_cr3(&svm->vcpu);\n\n\tcopy_vmcb_control_area(hsave, vmcb);\n\n\tif (kvm_get_rflags(&svm->vcpu) & X86_EFLAGS_IF)\n\t\tsvm->vcpu.arch.hflags |= HF_HIF_MASK;\n\telse\n\t\tsvm->vcpu.arch.hflags &= ~HF_HIF_MASK;\n\n\tif (nested_vmcb->control.nested_ctl) {\n\t\tkvm_mmu_unload(&svm->vcpu);\n\t\tsvm->nested.nested_cr3 = nested_vmcb->control.nested_cr3;\n\t\tnested_svm_init_mmu_context(&svm->vcpu);\n\t}\n\n\t/* Load the nested guest state */\n\tsvm->vmcb->save.es = nested_vmcb->save.es;\n\tsvm->vmcb->save.cs = nested_vmcb->save.cs;\n\tsvm->vmcb->save.ss = nested_vmcb->save.ss;\n\tsvm->vmcb->save.ds = nested_vmcb->save.ds;\n\tsvm->vmcb->save.gdtr = nested_vmcb->save.gdtr;\n\tsvm->vmcb->save.idtr = nested_vmcb->save.idtr;\n\tkvm_set_rflags(&svm->vcpu, nested_vmcb->save.rflags);\n\tsvm_set_efer(&svm->vcpu, nested_vmcb->save.efer);\n\tsvm_set_cr0(&svm->vcpu, nested_vmcb->save.cr0);\n\tsvm_set_cr4(&svm->vcpu, nested_vmcb->save.cr4);\n\tif (npt_enabled) {\n\t\tsvm->vmcb->save.cr3 = nested_vmcb->save.cr3;\n\t\tsvm->vcpu.arch.cr3 = nested_vmcb->save.cr3;\n\t} else\n\t\t(void)kvm_set_cr3(&svm->vcpu, nested_vmcb->save.cr3);\n\n\t/* Guest paging mode is active - reset mmu */\n\tkvm_mmu_reset_context(&svm->vcpu);\n\n\tsvm->vmcb->save.cr2 = svm->vcpu.arch.cr2 = nested_vmcb->save.cr2;\n\tkvm_register_write(&svm->vcpu, VCPU_REGS_RAX, nested_vmcb->save.rax);\n\tkvm_register_write(&svm->vcpu, VCPU_REGS_RSP, nested_vmcb->save.rsp);\n\tkvm_register_write(&svm->vcpu, VCPU_REGS_RIP, nested_vmcb->save.rip);\n\n\t/* In case we don't even reach vcpu_run, the fields are not updated */\n\tsvm->vmcb->save.rax = nested_vmcb->save.rax;\n\tsvm->vmcb->save.rsp = nested_vmcb->save.rsp;\n\tsvm->vmcb->save.rip = nested_vmcb->save.rip;\n\tsvm->vmcb->save.dr7 = nested_vmcb->save.dr7;\n\tsvm->vmcb->save.dr6 = 
nested_vmcb->save.dr6;\n\tsvm->vmcb->save.cpl = nested_vmcb->save.cpl;\n\n\tsvm->nested.vmcb_msrpm = nested_vmcb->control.msrpm_base_pa & ~0x0fffULL;\n\tsvm->nested.vmcb_iopm = nested_vmcb->control.iopm_base_pa & ~0x0fffULL;\n\n\t/* cache intercepts */\n\tsvm->nested.intercept_cr = nested_vmcb->control.intercept_cr;\n\tsvm->nested.intercept_dr = nested_vmcb->control.intercept_dr;\n\tsvm->nested.intercept_exceptions = nested_vmcb->control.intercept_exceptions;\n\tsvm->nested.intercept = nested_vmcb->control.intercept;\n\n\tsvm_flush_tlb(&svm->vcpu);\n\tsvm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK;\n\tif (nested_vmcb->control.int_ctl & V_INTR_MASKING_MASK)\n\t\tsvm->vcpu.arch.hflags |= HF_VINTR_MASK;\n\telse\n\t\tsvm->vcpu.arch.hflags &= ~HF_VINTR_MASK;\n\n\tif (svm->vcpu.arch.hflags & HF_VINTR_MASK) {\n\t\t/* We only want the cr8 intercept bits of the guest */\n\t\tclr_cr_intercept(svm, INTERCEPT_CR8_READ);\n\t\tclr_cr_intercept(svm, INTERCEPT_CR8_WRITE);\n\t}\n\n\t/* We don't want to see VMMCALLs from a nested guest */\n\tclr_intercept(svm, INTERCEPT_VMMCALL);\n\n\tsvm->vmcb->control.lbr_ctl = nested_vmcb->control.lbr_ctl;\n\tsvm->vmcb->control.int_vector = nested_vmcb->control.int_vector;\n\tsvm->vmcb->control.int_state = nested_vmcb->control.int_state;\n\tsvm->vmcb->control.tsc_offset += nested_vmcb->control.tsc_offset;\n\tsvm->vmcb->control.event_inj = nested_vmcb->control.event_inj;\n\tsvm->vmcb->control.event_inj_err = nested_vmcb->control.event_inj_err;\n\n\tnested_svm_unmap(page);\n\n\t/* Enter Guest-Mode */\n\tenter_guest_mode(&svm->vcpu);\n\n\t/*\n\t * Merge guest and host intercepts - must be called with vcpu in\n\t * guest-mode to take affect here\n\t */\n\trecalc_intercepts(svm);\n\n\tsvm->nested.vmcb = vmcb_gpa;\n\n\tenable_gif(svm);\n\n\tmark_all_dirty(svm->vmcb);\n\n\treturn true;\n}", "project": "kvm", "hash": 1285046657381883073333321517956550008, "size": 159, "commit_id": 
"854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architectures, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437578 }, { "func": "static struct inode *fuse_get_root_inode(struct super_block *sb, unsigned mode)\n{\n\tstruct fuse_attr attr;\n\tmemset(&attr, 0, sizeof(attr));\n\n\tattr.mode = mode;\n\tattr.ino = FUSE_ROOT_ID;\n\tattr.nlink = 1;\n\treturn fuse_iget(sb, 1, 0, &attr, 0, 0);\n}", "project": "linux", "hash": 191060433810744407156921445029259343079, "size": 10, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341989 }, { "func": "static int __init set_trace_boot_clock(char *str)\n{\n\tstrlcpy(trace_boot_clock_buf, str, MAX_TRACER_SIZE);\n\ttrace_boot_clock = trace_boot_clock_buf;\n\treturn 0;\n}", "project": "linux", "hash": 196203031401372290192786391065451460196, "size": 6, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445727 }, { "func": "static struct kvm_memslots *install_new_memslots(struct kvm *kvm,\n\t\tint as_id, struct kvm_memslots *slots)\n{\n\tstruct kvm_memslots *old_memslots = __kvm_memslots(kvm, as_id);\n\tu64 gen = old_memslots->generation;\n\n\tWARN_ON(gen & KVM_MEMSLOT_GEN_UPDATE_IN_PROGRESS);\n\tslots->generation = gen | KVM_MEMSLOT_GEN_UPDATE_IN_PROGRESS;\n\n\trcu_assign_pointer(kvm->memslots[as_id], slots);\n\tsynchronize_srcu_expedited(&kvm->srcu);\n\n\t/*\n\t * Increment the new memslot generation a second time, dropping the\n\t * update in-progress flag and incrementing the generation based on\n\t * the number of address 
spaces. This provides a unique and easily\n\t * identifiable generation number while the memslots are in flux.\n\t */\n\tgen = slots->generation & ~KVM_MEMSLOT_GEN_UPDATE_IN_PROGRESS;\n\n\t/*\n\t * Generations must be unique even across address spaces. We do not need\n\t * a global counter for that, instead the generation space is evenly split\n\t * across address spaces. For example, with two address spaces, address\n\t * space 0 will use generations 0, 2, 4, ... while address space 1 will\n\t * use generations 1, 3, 5, ...\n\t */\n\tgen += KVM_ADDRESS_SPACE_NUM;\n\n\tkvm_arch_memslots_updated(kvm, gen);\n\n\tslots->generation = gen;\n\n\treturn old_memslots;\n}", "project": "linux", "hash": 33954475776295253542156584100999901900, "size": 35, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354744 }, { "func": "void imap_expunge_mailbox(struct Mailbox *m)\n{\n struct ImapAccountData *adata = imap_adata_get(m);\n struct ImapMboxData *mdata = imap_mdata_get(m);\n if (!adata || !mdata)\n return;\n\n struct Email *e = NULL;\n\n#ifdef USE_HCACHE\n imap_hcache_open(adata, mdata);\n#endif\n\n for (int i = 0; i < m->msg_count; i++)\n {\n e = m->emails[i];\n if (!e)\n break;\n\n if (e->index == INT_MAX)\n {\n mutt_debug(LL_DEBUG2, \"Expunging message UID %u\\n\", imap_edata_get(e)->uid);\n\n e->deleted = 
true;\n\n imap_cache_del(m, e);\n#ifdef USE_HCACHE\n imap_hcache_del(mdata, imap_edata_get(e)->uid);\n#endif\n\n mutt_hash_int_delete(mdata->uid_hash, imap_edata_get(e)->uid, e);\n\n imap_edata_free((void **) &e->edata);\n }\n else\n {\n /* NeoMutt has several places where it turns off e->active as a\n * hack. For example to avoid FLAG updates, or to exclude from\n * imap_exec_msgset.\n *\n * Unfortunately, when a reopen is allowed and the IMAP_EXPUNGE_PENDING\n * flag becomes set (e.g. a flag update to a modified header),\n * this function will be called by imap_cmd_finish().\n *\n * The ctx_update_tables() will free and remove these \"inactive\" headers,\n * despite that an EXPUNGE was not received for them.\n * This would result in memory leaks and segfaults due to dangling\n * pointers in the msn_index and uid_hash.\n *\n * So this is another hack to work around the hacks. We don't want to\n * remove the messages, so make sure active is on. */\n e->active = true;\n }\n }\n\n#ifdef USE_HCACHE\n imap_hcache_close(mdata);\n#endif\n\n mailbox_changed(m, NT_MAILBOX_UPDATE);\n mailbox_changed(m, NT_MAILBOX_RESORT);\n}", "project": "neomutt", "hash": 263950993513418372489695459835691192796, "size": 62, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357044 }, { "func": "static int tracing_buffers_release(struct inode *inode, struct file *file)\n{\n\tstruct ftrace_buffer_info *info = file->private_data;\n\tstruct trace_iterator *iter = &info->iter;\n\n\tmutex_lock(&trace_types_lock);\n\n\titer->tr->current_trace->ref--;\n\n\t__trace_array_put(iter->tr);\n\n\tif (info->spare)\n\t\tring_buffer_free_read_page(iter->trace_buffer->buffer,\n\t\t\t\t\t info->spare_cpu, info->spare);\n\tkfree(info);\n\n\tmutex_unlock(&trace_types_lock);\n\n\treturn 0;\n}", "project": "linux", 
"hash": 186534236209573998726972825605981465272, "size": 20, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445723 }, { "func": " void fetch_value_from(Item *new_item)\n {\n Item *save= item;\n item= new_item;\n cmp();\n item= save;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 303466654765150996745128106662552052087, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509396 }, { "func": "static zend_bool php_auto_globals_create_cookie(zend_string *name)\n{\n\tif (PG(variables_order) && (strchr(PG(variables_order),'C') || strchr(PG(variables_order),'c'))) {\n\t\tsapi_module.treat_data(PARSE_COOKIE, NULL, NULL);\n\t} else {\n\t\tzval_ptr_dtor(&PG(http_globals)[TRACK_VARS_COOKIE]);\n\t\tarray_init(&PG(http_globals)[TRACK_VARS_COOKIE]);\n\t}\n\n\tzend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_COOKIE]);\n\tZ_ADDREF(PG(http_globals)[TRACK_VARS_COOKIE]);\n\n\treturn 0; /* don't rearm */\n}", "project": "php-src", "hash": 216559238809723418684103767263101082909, "size": 14, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374972 }, { "func": "static int oidc_parse_expires_in(request_rec *r, const char *expires_in) {\n\tif (expires_in != NULL) {\n\t\tchar *ptr = NULL;\n\t\tlong number = strtol(expires_in, &ptr, 10);\n\t\tif (number <= 0) {\n\t\t\toidc_warn(r,\n\t\t\t\t\t\"could not convert \\\"expires_in\\\" value (%s) to a number\",\n\t\t\t\t\texpires_in);\n\t\t\treturn -1;\n\t\t}\n\t\treturn number;\n\t}\n\treturn -1;\n}", "project": "mod_auth_openidc", "hash": 18070041662864018288769346985498373349, "size": 14, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381959 }, { "func": "static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)\n{\n\tif (key_type == HCI_LK_CHANGED_COMBINATION)\n\t\treturn;\n\n\tconn->pin_length = pin_len;\n\tconn->key_type = key_type;\n\n\tswitch (key_type) {\n\tcase 
HCI_LK_LOCAL_UNIT:\n\tcase HCI_LK_REMOTE_UNIT:\n\tcase HCI_LK_DEBUG_COMBINATION:\n\t\treturn;\n\tcase HCI_LK_COMBINATION:\n\t\tif (pin_len == 16)\n\t\t\tconn->pending_sec_level = BT_SECURITY_HIGH;\n\t\telse\n\t\t\tconn->pending_sec_level = BT_SECURITY_MEDIUM;\n\t\tbreak;\n\tcase HCI_LK_UNAUTH_COMBINATION_P192:\n\tcase HCI_LK_UNAUTH_COMBINATION_P256:\n\t\tconn->pending_sec_level = BT_SECURITY_MEDIUM;\n\t\tbreak;\n\tcase HCI_LK_AUTH_COMBINATION_P192:\n\t\tconn->pending_sec_level = BT_SECURITY_HIGH;\n\t\tbreak;\n\tcase HCI_LK_AUTH_COMBINATION_P256:\n\t\tconn->pending_sec_level = BT_SECURITY_FIPS;\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 32063684826449645507058522865471298330, "size": 31, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431887 }, { "func": "void gdImageFilledRectangle (gdImagePtr im, int x1, int y1, int x2, int y2, int color)\n{\n\tint x, y;\n\n\n\tif (x1 == x2 && y1 == y2) {\n\t\tgdImageSetPixel(im, x1, y1, color);\n\t\treturn;\n\t}\n\n\tif (x1 > x2) {\n\t\tx = x1;\n\t\tx1 = x2;\n\t\tx2 = x;\n\t}\n\n\tif (y1 > y2) {\n\t\ty = y1;\n\t\ty1 = y2;\n\t\ty2 = y;\n\t}\n\n\tif (x1 < 0) {\n\t\tx1 = 0;\n\t}\n\n\tif (x2 >= gdImageSX(im)) {\n\t\tx2 = gdImageSX(im) - 1;\n\t}\n\n\tif (y1 < 0) {\n\t\ty1 = 0;\n\t}\n\n\tif (y2 >= gdImageSY(im)) {\n\t\ty2 = gdImageSY(im) - 1;\n\t}\n\n\tfor (y = y1; (y <= y2); y++) {\n\t\tfor (x = x1; (x <= x2); x++) {\n\t\t\tgdImageSetPixel (im, x, y, color);\n\t\t}\n\t}\n}", "project": "php-src", "hash": 34375703458571233423260331920803112180, "size": 44, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295189 }, { "func": "static inline void kvm_memslot_delete(struct kvm_memslots *slots,\n\t\t\t\t struct kvm_memory_slot *memslot)\n{\n\tstruct kvm_memory_slot *mslots = slots->memslots;\n\tint i;\n\n\tif (WARN_ON(slots->id_to_index[memslot->id] == -1))\n\t\treturn;\n\n\tslots->used_slots--;\n\n\tfor (i = slots->id_to_index[memslot->id]; i < slots->used_slots; i++) {\n\t\tmslots[i] = mslots[i + 1];\n\t\tslots->id_to_index[mslots[i].id] = i;\n\t}\n\tmslots[i] = *memslot;\n\tslots->id_to_index[memslot->id] = -1;\n}", "project": "linux", "hash": 222311292455674309157254629171646173763, "size": 18, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", 
"message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 1, "dataset": "other", "idx": 204190 }, { "func": "static inline void kvm_memslot_delete(struct kvm_memslots *slots,\n\t\t\t\t struct kvm_memory_slot *memslot)\n{\n\tstruct kvm_memory_slot *mslots = slots->memslots;\n\tint i;\n\n\tif (WARN_ON(slots->id_to_index[memslot->id] == -1))\n\t\treturn;\n\n\tslots->used_slots--;\n\n\tif (atomic_read(&slots->lru_slot) >= slots->used_slots)\n\t\tatomic_set(&slots->lru_slot, 0);\n\n\tfor (i = slots->id_to_index[memslot->id]; i < slots->used_slots; i++) {\n\t\tmslots[i] = mslots[i + 1];\n\t\tslots->id_to_index[mslots[i].id] = i;\n\t}\n\tmslots[i] = *memslot;\n\tslots->id_to_index[memslot->id] = -1;\n}", "project": "linux", "hash": 281781368969257104938303693558751249981, "size": 21, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: 
<20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354527 }, { "func": "void exit_signals(struct task_struct *tsk)\n{\n\tint group_stop = 0;\n\tsigset_t unblocked;\n\n\t/*\n\t * @tsk is about to have PF_EXITING set - lock out users which\n\t * expect stable threadgroup.\n\t */\n\tcgroup_threadgroup_change_begin(tsk);\n\n\tif (thread_group_empty(tsk) || signal_group_exit(tsk->signal)) {\n\t\ttsk->flags |= PF_EXITING;\n\t\tcgroup_threadgroup_change_end(tsk);\n\t\treturn;\n\t}\n\n\tspin_lock_irq(&tsk->sighand->siglock);\n\t/*\n\t * From now this task is not visible for group-wide signals,\n\t * see wants_signal(), do_signal_stop().\n\t */\n\ttsk->flags |= PF_EXITING;\n\n\tcgroup_threadgroup_change_end(tsk);\n\n\tif (!signal_pending(tsk))\n\t\tgoto out;\n\n\tunblocked = tsk->blocked;\n\tsignotset(&unblocked);\n\tretarget_shared_pending(tsk, &unblocked);\n\n\tif (unlikely(tsk->jobctl & JOBCTL_STOP_PENDING) &&\n\t task_participate_group_stop(tsk))\n\t\tgroup_stop = CLD_STOPPED;\nout:\n\tspin_unlock_irq(&tsk->sighand->siglock);\n\n\t/*\n\t * If group stop has completed, deliver the notification. This\n\t * should always go to the real parent of the group leader.\n\t */\n\tif (unlikely(group_stop)) {\n\t\tread_lock(&tasklist_lock);\n\t\tdo_notify_parent_cldstop(tsk, false, group_stop);\n\t\tread_unlock(&tasklist_lock);\n\t}\n}", "project": "linux", "hash": 192056318775988238435965220769195377291, "size": 49, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that, in my limited testing\nof a 32bit exec_id, it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375293 }, { "func": "static void setexposure(struct gspca_dev *gspca_dev, s32 val)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\ti2c_w(sd, 0x10, val);\n}", "project": "linux", "hash": 228862529818975329618882526547074899266, "size": 6, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306329 }, { "func": "static int pfkey_xfrm_policy2msg_size(const struct xfrm_policy *xp)\n{\n\tconst struct xfrm_tmpl *t;\n\tint sockaddr_size = pfkey_sockaddr_size(xp->family);\n\tint socklen = 0;\n\tint i;\n\n\tfor (i=0; ixfrm_nr; i++) {\n\t\tt = xp->xfrm_vec + i;\n\t\tsocklen += pfkey_sockaddr_len(t->encap_family);\n\t}\n\n\treturn sizeof(struct sadb_msg) +\n\t\t(sizeof(struct sadb_lifetime) * 3) +\n\t\t(sizeof(struct sadb_address) * 2) +\n\t\t(sockaddr_size * 2) +\n\t\tsizeof(struct sadb_x_policy) +\n\t\t(xp->xfrm_nr * sizeof(struct sadb_x_ipsecrequest)) +\n\t\t(socklen * 2) +\n\t\tpfkey_xfrm_policy2sec_ctx_size(xp);\n}", "project": "linux", "hash": 132796571173668487219275649156812575299, "size": 21, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for 
compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268034 }, { "func": "static inline bool wants_signal(int sig, struct task_struct *p)\n{\n\tif (sigismember(&p->blocked, sig))\n\t\treturn false;\n\n\tif (p->flags & PF_EXITING)\n\t\treturn false;\n\n\tif (sig == SIGKILL)\n\t\treturn true;\n\n\tif (task_is_stopped_or_traced(p))\n\t\treturn false;\n\n\treturn task_curr(p) || !signal_pending(p);\n}", "project": "linux", "hash": 297224688818995930218257630998963299078, "size": 16, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375214 }, { "func": "static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,\n\t\t\t\t\tstruct sk_buff *skb)\n{\n\tstruct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->adv_tx_power = rp->tx_power;\n}", "project": "linux", "hash": 59014278121661974253023729482266309423, "size": 12, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431904 }, { "func": "static void io_async_task_func(struct callback_head *cb)\n{\n\tstruct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);\n\tstruct async_poll *apoll = req->apoll;\n\tstruct io_ring_ctx *ctx = req->ctx;\n\n\ttrace_io_uring_task_run(req->ctx, req->opcode, req->user_data);\n\n\tif (io_poll_rewait(req, &apoll->poll)) {\n\t\tspin_unlock_irq(&ctx->completion_lock);\n\t\treturn;\n\t}\n\n\t/* If req is still hashed, it cannot have been canceled. Don't check. */\n\tif (hash_hashed(&req->hash_node))\n\t\thash_del(&req->hash_node);\n\n\tio_poll_remove_double(req, apoll->double_poll);\n\tspin_unlock_irq(&ctx->completion_lock);\n\n\tif (!READ_ONCE(apoll->poll.canceled))\n\t\t__io_req_task_submit(req);\n\telse\n\t\t__io_req_task_cancel(req, -ECANCELED);\n\n\tkfree(apoll->double_poll);\n\tkfree(apoll);\n}", "project": "linux", "hash": 73404555622332263956206411713115350167, "size": 28, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 1, "dataset": "other", "idx": 212266 }, { "func": "\nstatic void io_async_task_func(struct callback_head 
*cb)\n{\n\tstruct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);\n\tstruct async_poll *apoll = req->apoll;\n\tstruct io_ring_ctx *ctx = req->ctx;\n\n\ttrace_io_uring_task_run(req->ctx, req->opcode, req->user_data);\n\n\tif (io_poll_rewait(req, &apoll->poll)) {\n\t\tspin_unlock_irq(&ctx->completion_lock);\n\t\treturn;\n\t}\n\n\thash_del(&req->hash_node);\n\tio_poll_remove_double(req);\n\tspin_unlock_irq(&ctx->completion_lock);\n\n\tif (!READ_ONCE(apoll->poll.canceled))\n\t\t__io_req_task_submit(req);\n\telse\n\t\tio_req_complete_failed(req, -ECANCELED);", "project": "linux", "hash": 308064365757555139139633602737017126882, "size": 22, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338596 }, { "func": "static void io_async_task_func(struct callback_head *cb)\n{\n\tstruct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);\n\tstruct async_poll *apoll = req->apoll;\n\tstruct io_ring_ctx *ctx = req->ctx;\n\n\ttrace_io_uring_task_run(req->ctx, req->opcode, req->user_data);\n\n\tif (io_poll_rewait(req, &apoll->poll)) {\n\t\tspin_unlock_irq(&ctx->completion_lock);\n\t\tpercpu_ref_put(&ctx->refs);\n\t\treturn;\n\t}\n\n\t/* If req is still hashed, it cannot have been canceled. Don't check. 
*/\n\tif (hash_hashed(&req->hash_node))\n\t\thash_del(&req->hash_node);\n\n\tio_poll_remove_double(req, apoll->double_poll);\n\tspin_unlock_irq(&ctx->completion_lock);\n\n\tif (!READ_ONCE(apoll->poll.canceled))\n\t\t__io_req_task_submit(req);\n\telse\n\t\t__io_req_task_cancel(req, -ECANCELED);\n\n\tpercpu_ref_put(&ctx->refs);\n\tkfree(apoll->double_poll);\n\tkfree(apoll);\n}", "project": "linux", "hash": 269241368234990870928581246061985683801, "size": 30, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456954 }, { "func": "void SFD_GetFontMetaDataVoid( FILE *sfd,\n\t\t\t char *tok,\n\t\t\t SplineFont *sf,\n\t\t\t void* d ) {\n SFD_GetFontMetaData(sfd, tok, sf, d);\n}", "project": "fontforge", "hash": 113403746064016829105233560344158909205, "size": 6, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417869 }, { "func": "static int sctp_setsockopt_recvnxtinfo(struct sock *sk, int *val,\n\t\t\t\t unsigned int optlen)\n{\n\tif (optlen < sizeof(int))\n\t\treturn 
-EINVAL;\n\n\tsctp_sk(sk)->recvnxtinfo = (*val == 0) ? 0 : 1;\n\n\treturn 0;\n}", "project": "linux", "hash": 244497664499768236138525822507602696419, "size": 10, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398144 }, { "func": " void pushStringData(StringData* data) {\n auto const tv = top++;\n tv->m_type = KindOfString;\n tv->m_data.pstr = data;\n }", "project": "hhvm", "hash": 308182594766785933771357539043493191044, "size": 5, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227311 }, { "func": "void CServer::SendMapListEntryAdd(const CMapListEntry *pMapListEntry, int ClientID)\n{\n\tCMsgPacker Msg(NETMSG_MAPLIST_ENTRY_ADD, true);\n\tMsg.AddString(pMapListEntry->m_aName, 256);\n\tSendMsg(&Msg, MSGFLAG_VITAL, ClientID);\n}", "project": "teeworlds", "hash": 337407985718967488372077711576870615632, "size": 6, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382047 }, { "func": "kvm_pfn_t gfn_to_pfn_memslot_atomic(struct kvm_memory_slot *slot, gfn_t gfn)\n{\n\treturn __gfn_to_pfn_memslot(slot, gfn, true, NULL, true, NULL);\n}", "project": "linux", "hash": 205838985838450544143936887289294432576, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: 
<20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354434 }, { "func": "kvm_pfn_t gfn_to_pfn_memslot_atomic(struct kvm_memory_slot *slot, gfn_t gfn)\n{\n\treturn __gfn_to_pfn_memslot(slot, gfn, true, NULL, true, NULL, NULL);\n}", "project": "linux", "hash": 143196951646798854923487369578765552547, "size": 4, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404113 }, { "func": "static int sctp_setsockopt_associnfo(struct sock *sk,\n\t\t\t\t struct sctp_assocparams *assocparams,\n\t\t\t\t unsigned int optlen)\n{\n\n\tstruct sctp_association *asoc;\n\n\tif (optlen != sizeof(struct sctp_assocparams))\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, assocparams->sasoc_assoc_id);\n\n\tif (!asoc && assocparams->sasoc_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\t/* Set the values to the specific association */\n\tif (asoc) {\n\t\tif (assocparams->sasoc_asocmaxrxt != 0) {\n\t\t\t__u32 path_sum = 0;\n\t\t\tint paths = 0;\n\t\t\tstruct sctp_transport *peer_addr;\n\n\t\t\tlist_for_each_entry(peer_addr, 
&asoc->peer.transport_addr_list,\n\t\t\t\t\ttransports) {\n\t\t\t\tpath_sum += peer_addr->pathmaxrxt;\n\t\t\t\tpaths++;\n\t\t\t}\n\n\t\t\t/* Only validate asocmaxrxt if we have more than\n\t\t\t * one path/transport. We do this because path\n\t\t\t * retransmissions are only counted when we have more\n\t\t\t * then one path.\n\t\t\t */\n\t\t\tif (paths > 1 &&\n\t\t\t assocparams->sasoc_asocmaxrxt > path_sum)\n\t\t\t\treturn -EINVAL;\n\n\t\t\tasoc->max_retrans = assocparams->sasoc_asocmaxrxt;\n\t\t}\n\n\t\tif (assocparams->sasoc_cookie_life != 0)\n\t\t\tasoc->cookie_life =\n\t\t\t\tms_to_ktime(assocparams->sasoc_cookie_life);\n\t} else {\n\t\t/* Set the values to the endpoint */\n\t\tstruct sctp_sock *sp = sctp_sk(sk);\n\n\t\tif (assocparams->sasoc_asocmaxrxt != 0)\n\t\t\tsp->assocparams.sasoc_asocmaxrxt =\n\t\t\t\t\t\tassocparams->sasoc_asocmaxrxt;\n\t\tif (assocparams->sasoc_cookie_life != 0)\n\t\t\tsp->assocparams.sasoc_cookie_life =\n\t\t\t\t\t\tassocparams->sasoc_cookie_life;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 106779191152192713301245862436971862873, "size": 57, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398098 }, { "func": "static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp)\n{\n\tunsigned long freeptr_addr = (unsigned long)object + s->offset;\n\n#ifdef CONFIG_SLAB_FREELIST_HARDENED\n\tBUG_ON(object == fp); /* naive detection of double free or corruption */\n#endif\n\n\t*(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr);\n}", "project": "linux", "hash": 78170963570909145308103522704548700086, "size": 10, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280264 }, { "func": "void fuse_conn_destroy(struct fuse_mount *fm)\n{\n\tstruct fuse_conn *fc = fm->fc;\n\n\tif (fc->destroy)\n\t\tfuse_send_destroy(fm);\n\n\tfuse_abort_conn(fc);\n\tfuse_wait_aborted(fc);\n\n\tif (!list_empty(&fc->entry)) {\n\t\tmutex_lock(&fuse_mutex);\n\t\tlist_del(&fc->entry);\n\t\tfuse_ctl_remove_conn(fc);\n\t\tmutex_unlock(&fuse_mutex);\n\t}\n}", "project": "linux", "hash": 265548658488806236274664959279168044626, "size": 17, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342058 }, { "func": "u64 entry_attr_timeout(struct fuse_entry_out *o)\n{\n\treturn time_to_jiffies(o->attr_valid, o->attr_valid_nsec);\n}", "project": "linux", "hash": 329764467445860284674131474318144704151, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342155 }, { "func": "static void tpacket_destruct_skb(struct sk_buff *skb)\n{\n\tstruct packet_sock *po = pkt_sk(skb->sk);\n\n\tif (likely(po->tx_ring.pg_vec)) {\n\t\tvoid *ph;\n\t\t__u32 ts;\n\n\t\tph = skb_zcopy_get_nouarg(skb);\n\t\tpacket_dec_pending(&po->tx_ring);\n\n\t\tts = __packet_set_timestamp(po, ph, skb);\n\t\t__packet_set_status(po, ph, TP_STATUS_AVAILABLE | ts);\n\n\t\tif (!packet_read_pending(&po->tx_ring))\n\t\t\tcomplete(&po->skb_completion);\n\t}\n\n\tsock_wfree(skb);\n}", "project": "linux", "hash": 99778153097746614209801410555220504888, "size": 20, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330402 }, { "func": "int archive_read_support_format_rar5(struct archive *_a) {\n\tstruct archive_read* ar;\n\tint ret;\n\tstruct rar5* rar;\n\n\tif(ARCHIVE_OK != (ret = get_archive_read(_a, &ar)))\n\t\treturn ret;\n\n\trar = malloc(sizeof(*rar));\n\tif(rar == NULL) {\n\t\tarchive_set_error(&ar->archive, ENOMEM,\n\t\t \"Can't allocate rar5 data\");\n\t\treturn 
ARCHIVE_FATAL;\n\t}\n\n\tif(ARCHIVE_OK != rar5_init(rar)) {\n\t\tarchive_set_error(&ar->archive, ENOMEM,\n\t\t \"Can't allocate rar5 filter buffer\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tret = __archive_read_register_format(ar,\n\t rar,\n\t \"rar5\",\n\t rar5_bid,\n\t rar5_options,\n\t rar5_read_header,\n\t rar5_read_data,\n\t rar5_read_data_skip,\n\t rar5_seek_data,\n\t rar5_cleanup,\n\t rar5_capabilities,\n\t rar5_has_encrypted_entries);\n\n\tif(ret != ARCHIVE_OK) {\n\t\t(void) rar5_cleanup(ar);\n\t}\n\n\treturn ret;\n}", "project": "libarchive", "hash": 34532675953904720479052458339815936021, "size": 40, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244774 }, { "func": "static int sctp_getsockopt_peer_addr_info(struct sock *sk, int len,\n\t\t\t\t\t char __user *optval,\n\t\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_paddrinfo pinfo;\n\tstruct sctp_transport *transport;\n\tint retval = 0;\n\n\tif (len < sizeof(pinfo)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tlen = sizeof(pinfo);\n\tif (copy_from_user(&pinfo, optval, len)) {\n\t\tretval = -EFAULT;\n\t\tgoto out;\n\t}\n\n\ttransport = sctp_addr_id2transport(sk, &pinfo.spinfo_address,\n\t\t\t\t\t pinfo.spinfo_assoc_id);\n\tif (!transport) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tif 
(transport->state == SCTP_PF &&\n\t transport->asoc->pf_expose == SCTP_PF_EXPOSE_DISABLE) {\n\t\tretval = -EACCES;\n\t\tgoto out;\n\t}\n\n\tpinfo.spinfo_assoc_id = sctp_assoc2id(transport->asoc);\n\tpinfo.spinfo_state = transport->state;\n\tpinfo.spinfo_cwnd = transport->cwnd;\n\tpinfo.spinfo_srtt = transport->srtt;\n\tpinfo.spinfo_rto = jiffies_to_msecs(transport->rto);\n\tpinfo.spinfo_mtu = transport->pathmtu;\n\n\tif (pinfo.spinfo_state == SCTP_UNKNOWN)\n\t\tpinfo.spinfo_state = SCTP_ACTIVE;\n\n\tif (put_user(len, optlen)) {\n\t\tretval = -EFAULT;\n\t\tgoto out;\n\t}\n\n\tif (copy_to_user(optval, &pinfo, len)) {\n\t\tretval = -EFAULT;\n\t\tgoto out;\n\t}\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 80694379686213947982286801185519432131, "size": 55, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398092 }, { "func": "static void opj_j2k_write_coc_in_memory(opj_j2k_t *p_j2k,\n OPJ_UINT32 p_comp_no,\n OPJ_BYTE * p_data,\n OPJ_UINT32 * p_data_written,\n opj_event_mgr_t * p_manager\n )\n{\n opj_cp_t *l_cp = 00;\n opj_tcp_t *l_tcp = 00;\n OPJ_UINT32 l_coc_size, l_remaining_size;\n OPJ_BYTE * l_current_data = 00;\n opj_image_t *l_image = 00;\n OPJ_UINT32 l_comp_room;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n l_cp = &(p_j2k->m_cp);\n l_tcp = &l_cp->tcps[p_j2k->m_current_tile_number];\n l_image = p_j2k->m_private_image;\n l_comp_room = (l_image->numcomps <= 256) ? 1 : 2;\n\n l_coc_size = 5 + l_comp_room + opj_j2k_get_SPCod_SPCoc_size(p_j2k,\n p_j2k->m_current_tile_number, p_comp_no);\n l_remaining_size = l_coc_size;\n\n l_current_data = p_data;\n\n opj_write_bytes(l_current_data, J2K_MS_COC,\n 2); /* COC */\n l_current_data += 2;\n\n opj_write_bytes(l_current_data, l_coc_size - 2,\n 2); /* L_COC */\n l_current_data += 2;\n\n opj_write_bytes(l_current_data, p_comp_no, l_comp_room); /* Ccoc */\n l_current_data += l_comp_room;\n\n opj_write_bytes(l_current_data, l_tcp->tccps[p_comp_no].csty,\n 1); /* Scoc */\n ++l_current_data;\n\n l_remaining_size -= (5 + l_comp_room);\n opj_j2k_write_SPCod_SPCoc(p_j2k, p_j2k->m_current_tile_number, 0,\n l_current_data, &l_remaining_size, p_manager);\n * p_data_written = l_coc_size;\n}", "project": "openjpeg", "hash": 193581908205945486487379343229566203783, "size": 49, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357399 }, { "func": "static int ca8210_start(struct ieee802154_hw *hw)\n{\n\tint status;\n\tu8 rx_on_when_idle;\n\tu8 lqi_threshold = 0;\n\tstruct ca8210_priv *priv = hw->priv;\n\n\tpriv->last_dsn = -1;\n\t/* Turn receiver on when idle for now just to test rx */\n\trx_on_when_idle 
= 1;\n\tstatus = mlme_set_request_sync(\n\t\tMAC_RX_ON_WHEN_IDLE,\n\t\t0,\n\t\t1,\n\t\t&rx_on_when_idle,\n\t\tpriv->spi\n\t);\n\tif (status) {\n\t\tdev_crit(\n\t\t\t&priv->spi->dev,\n\t\t\t\"Setting rx_on_when_idle failed, status = %d\\n\",\n\t\t\tstatus\n\t\t);\n\t\treturn link_to_linux_err(status);\n\t}\n\tstatus = hwme_set_request_sync(\n\t\tHWME_LQILIMIT,\n\t\t1,\n\t\t&lqi_threshold,\n\t\tpriv->spi\n\t);\n\tif (status) {\n\t\tdev_crit(\n\t\t\t&priv->spi->dev,\n\t\t\t\"Setting lqilimit failed, status = %d\\n\",\n\t\t\tstatus\n\t\t);\n\t\treturn link_to_linux_err(status);\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 62627157343716620029660668382100474514, "size": 42, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408780 }, { "func": "void BPMDetect::updateBeatPos(int process_samples)\r\n{\r\n SAMPLETYPE *pBuffer;\r\n\r\n assert(buffer->numSamples() >= (uint)(process_samples + windowLen));\r\n\r\n pBuffer = buffer->ptrBegin();\r\n assert(process_samples == XCORR_UPDATE_SEQUENCE / 2);\r\n\r\n // static double thr = 0.0003;\r\n double posScale = (double)this->decimateBy / (double)this->sampleRate;\r\n int resetDur = (int)(0.12 / posScale + 0.5);\r\n double corrScale = 1.0 / (double)(windowLen - windowStart);\r\n\r\n // prescale pbuffer\r\n float tmp[XCORR_UPDATE_SEQUENCE / 2];\r\n for (int i = 0; i < process_samples; i++)\r\n {\r\n tmp[i] = hamw2[i] * hamw2[i] * pBuffer[i];\r\n }\r\n\r\n #pragma omp parallel for\r\n for (int offs = windowStart; offs < windowLen; offs++)\r\n {\r\n double sum = 0;\r\n for 
(int i = 0; i < process_samples; i++)\r\n {\r\n sum += tmp[i] * pBuffer[offs + i];\r\n }\r\n beatcorr_ringbuff[(beatcorr_ringbuffpos + offs) % windowLen] += (float)((sum > 0) ? sum : 0); // accumulate only positive correlations\r\n }\r\n\r\n int skipstep = XCORR_UPDATE_SEQUENCE / OVERLAP_FACTOR;\r\n\r\n // compensate empty buffer at beginning by scaling coefficient\r\n float scale = (float)windowLen / (float)(skipstep * init_scaler);\r\n if (scale > 1.0f)\r\n {\r\n init_scaler++;\r\n }\r\n else\r\n {\r\n scale = 1.0f;\r\n }\r\n\r\n // detect beats\r\n for (int i = 0; i < skipstep; i++)\r\n {\r\n LONG_SAMPLETYPE max = 0;\r\n\r\n float sum = beatcorr_ringbuff[beatcorr_ringbuffpos];\r\n sum -= beat_lpf.update(sum);\r\n\r\n if (sum > peakVal)\r\n {\r\n // found new local largest value\r\n peakVal = sum;\r\n peakPos = pos;\r\n }\r\n if (pos > peakPos + resetDur)\r\n {\r\n // largest value not updated for 200msec => accept as beat\r\n peakPos += skipstep;\r\n if (peakVal > 0)\r\n {\r\n // add detected beat to end of \"beats\" vector\r\n BEAT temp = { (float)(peakPos * posScale), (float)(peakVal * scale) };\r\n beats.push_back(temp);\r\n }\r\n\r\n peakVal = 0;\r\n peakPos = pos;\r\n }\r\n\r\n beatcorr_ringbuff[beatcorr_ringbuffpos] = 0;\r\n pos++;\r\n beatcorr_ringbuffpos = (beatcorr_ringbuffpos + 1) % windowLen;\r\n }\r\n}\r", "project": "soundtouch", "hash": 25576011666711638770635392396417487807, "size": 79, "commit_id": "a1c400eb2cff849c0e5f9d6916d69ffea3ad2c85", "message": "Fix issue CVE-2018-17096: Replace assert with runtime exception", "target": 0, "dataset": "other", "idx": 368101 }, { "func": "__be32 * xdr_reserve_space(struct xdr_stream *xdr, size_t nbytes)\n{\n\t__be32 *p = xdr->p;\n\t__be32 *q;\n\n\txdr_commit_encode(xdr);\n\t/* align nbytes on the next 32-bit boundary */\n\tnbytes += 3;\n\tnbytes &= ~3;\n\tq = p + (nbytes >> 2);\n\tif (unlikely(q > xdr->end || q < p))\n\t\treturn xdr_get_next_encode_buffer(xdr, nbytes);\n\txdr->p = q;\n\tif 
(xdr->iov)\n\t\txdr->iov->iov_len += nbytes;\n\telse\n\t\txdr->buf->page_len += nbytes;\n\txdr->buf->len += nbytes;\n\treturn p;\n}", "project": "linux", "hash": 190851956901302902667271965832085223120, "size": 20, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481042 }, { "func": "UnicodeStringTest::TestCompare()\n{\n UnicodeString test1(\"this is a test\");\n UnicodeString test2(\"this is a test\");\n UnicodeString test3(\"this is a test of the emergency broadcast system\");\n UnicodeString test4(\"never say, \\\"this is a test\\\"!!\");\n\n UnicodeString test5((UChar)0x5000);\n UnicodeString test6((UChar)0x5100);\n\n UChar uniChars[] = { 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, \n 0x20, 0x61, 0x20, 0x74, 0x65, 0x73, 0x74, 0 };\n char chars[] = \"this is a test\";\n\n // test operator== and operator!=\n if (test1 != test2 || test1 == test3 || test1 == test4)\n errln(\"operator== or operator!= failed\");\n\n // test operator> and operator<\n if (test1 > test2 || test1 < test2 || !(test1 < test3) || !(test1 > test4) ||\n !(test5 < test6)\n ) {\n errln(\"operator> or operator< failed\");\n }\n\n // test operator>= and operator<=\n if (!(test1 >= test2) || !(test1 <= test2) || !(test1 <= test3) || !(test1 >= test4))\n errln(\"operator>= or operator<= failed\");\n\n // test compare(UnicodeString)\n if (test1.compare(test2) != 0 
|| test1.compare(test3) >= 0 || test1.compare(test4) <= 0)\n errln(\"compare(UnicodeString) failed\");\n\n //test compare(offset, length, UnicodeString)\n if(test1.compare(0, 14, test2) != 0 ||\n test3.compare(0, 14, test2) != 0 ||\n test4.compare(12, 14, test2) != 0 ||\n test3.compare(0, 18, test1) <=0 )\n errln(\"compare(offset, length, UnicodeString) failes\");\n\n // test compare(UChar*)\n if (test2.compare(uniChars) != 0 || test3.compare(uniChars) <= 0 || test4.compare(uniChars) >= 0)\n errln(\"compare(UChar*) failed\");\n\n // test compare(char*)\n if (test2.compare(chars) != 0 || test3.compare(chars) <= 0 || test4.compare(chars) >= 0)\n errln(\"compare(char*) failed\");\n\n // test compare(UChar*, length)\n if (test1.compare(uniChars, 4) <= 0 || test1.compare(uniChars, 4) <= 0)\n errln(\"compare(UChar*, length) failed\");\n\n // test compare(thisOffset, thisLength, that, thatOffset, thatLength)\n if (test1.compare(0, 14, test2, 0, 14) != 0 \n || test1.compare(0, 14, test3, 0, 14) != 0\n || test1.compare(0, 14, test4, 12, 14) != 0)\n errln(\"1. compare(thisOffset, thisLength, that, thatOffset, thatLength) failed\");\n\n if (test1.compare(10, 4, test2, 0, 4) >= 0 \n || test1.compare(10, 4, test3, 22, 9) <= 0\n || test1.compare(10, 4, test4, 22, 4) != 0)\n errln(\"2. compare(thisOffset, thisLength, that, thatOffset, thatLength) failed\");\n\n // test compareBetween\n if (test1.compareBetween(0, 14, test2, 0, 14) != 0 || test1.compareBetween(0, 14, test3, 0, 14) != 0\n || test1.compareBetween(0, 14, test4, 12, 26) != 0)\n errln(\"compareBetween failed\");\n\n if (test1.compareBetween(10, 14, test2, 0, 4) >= 0 || test1.compareBetween(10, 14, test3, 22, 31) <= 0\n || test1.compareBetween(10, 14, test4, 22, 26) != 0)\n errln(\"compareBetween failed\");\n\n // test compare() etc. 
with strings that share a buffer but are not equal\n test2=test1; // share the buffer, length() too large for the stackBuffer\n test2.truncate(1); // change only the length, not the buffer\n if( test1==test2 || test1<=test2 ||\n test1.compare(test2)<=0 ||\n test1.compareCodePointOrder(test2)<=0 ||\n test1.compareCodePointOrder(0, INT32_MAX, test2)<=0 ||\n test1.compareCodePointOrder(0, INT32_MAX, test2, 0, INT32_MAX)<=0 ||\n test1.compareCodePointOrderBetween(0, INT32_MAX, test2, 0, INT32_MAX)<=0 ||\n test1.caseCompare(test2, U_FOLD_CASE_DEFAULT)<=0\n ) {\n errln(\"UnicodeStrings that share a buffer but have different lengths compare as equal\");\n }\n\n /* test compareCodePointOrder() */\n {\n /* these strings are in ascending order */\n static const UChar strings[][4]={\n { 0x61, 0 }, /* U+0061 */\n { 0x20ac, 0xd801, 0 }, /* U+20ac U+d801 */\n { 0x20ac, 0xd800, 0xdc00, 0 }, /* U+20ac U+10000 */\n { 0xd800, 0 }, /* U+d800 */\n { 0xd800, 0xff61, 0 }, /* U+d800 U+ff61 */\n { 0xdfff, 0 }, /* U+dfff */\n { 0xff61, 0xdfff, 0 }, /* U+ff61 U+dfff */\n { 0xff61, 0xd800, 0xdc02, 0 }, /* U+ff61 U+10002 */\n { 0xd800, 0xdc02, 0 }, /* U+10002 */\n { 0xd84d, 0xdc56, 0 } /* U+23456 */\n };\n UnicodeString u[20]; // must be at least as long as strings[]\n int32_t i;\n\n for(i=0; i=0 || u[i].compareCodePointOrder(0, INT32_MAX, u[i+1].getBuffer())>=0) {\n errln(\"error: UnicodeString::compareCodePointOrder() fails for string %d and the following one\\n\", i);\n }\n }\n }\n\n /* test caseCompare() */\n {\n static const UChar\n _mixed[]= { 0x61, 0x42, 0x131, 0x3a3, 0xdf, 0x130, 0x49, 0xfb03, 0xd93f, 0xdfff, 0 },\n _otherDefault[]= { 0x41, 0x62, 0x131, 0x3c3, 0x73, 0x53, 0x69, 0x307, 0x69, 0x46, 0x66, 0x49, 0xd93f, 0xdfff, 0 },\n _otherExcludeSpecialI[]={ 0x41, 0x62, 0x131, 0x3c3, 0x53, 0x73, 0x69, 0x131, 0x66, 0x46, 0x69, 0xd93f, 0xdfff, 0 },\n _different[]= { 0x41, 0x62, 0x131, 0x3c3, 0x73, 0x53, 0x130, 0x49, 0x46, 0x66, 0x49, 0xd93f, 0xdffd, 0 };\n\n UnicodeString\n mixed(TRUE, 
_mixed, -1),\n otherDefault(TRUE, _otherDefault, -1),\n otherExcludeSpecialI(TRUE, _otherExcludeSpecialI, -1),\n different(TRUE, _different, -1);\n\n int8_t result;\n\n /* test caseCompare() */\n result=mixed.caseCompare(otherDefault, U_FOLD_CASE_DEFAULT);\n if(result!=0 || 0!=mixed.caseCompareBetween(0, INT32_MAX, otherDefault, 0, INT32_MAX, U_FOLD_CASE_DEFAULT)) {\n errln(\"error: mixed.caseCompare(other, default)=%ld instead of 0\\n\", result);\n }\n result=mixed.caseCompare(otherExcludeSpecialI, U_FOLD_CASE_EXCLUDE_SPECIAL_I);\n if(result!=0) {\n errln(\"error: mixed.caseCompare(otherExcludeSpecialI, U_FOLD_CASE_EXCLUDE_SPECIAL_I)=%ld instead of 0\\n\", result);\n }\n result=mixed.caseCompare(otherDefault, U_FOLD_CASE_EXCLUDE_SPECIAL_I);\n if(result==0 || 0==mixed.caseCompareBetween(0, INT32_MAX, otherDefault, 0, INT32_MAX, U_FOLD_CASE_EXCLUDE_SPECIAL_I)) {\n errln(\"error: mixed.caseCompare(other, U_FOLD_CASE_EXCLUDE_SPECIAL_I)=0 instead of !=0\\n\");\n }\n\n /* test caseCompare() */\n result=mixed.caseCompare(different, U_FOLD_CASE_DEFAULT);\n if(result<=0) {\n errln(\"error: mixed.caseCompare(different, default)=%ld instead of positive\\n\", result);\n }\n\n /* test caseCompare() - include the folded sharp s (U+00df) with different lengths */\n result=mixed.caseCompare(1, 4, different, 1, 5, U_FOLD_CASE_DEFAULT);\n if(result!=0 || 0!=mixed.caseCompareBetween(1, 5, different, 1, 6, U_FOLD_CASE_DEFAULT)) {\n errln(\"error: mixed.caseCompare(mixed, 1, 4, different, 1, 5, default)=%ld instead of 0\\n\", result);\n }\n\n /* test caseCompare() - stop in the middle of the sharp s (U+00df) */\n result=mixed.caseCompare(1, 4, different, 1, 4, U_FOLD_CASE_DEFAULT);\n if(result<=0) {\n errln(\"error: mixed.caseCompare(1, 4, different, 1, 4, default)=%ld instead of positive\\n\", result);\n }\n }\n\n // test that srcLength=-1 is handled in functions that\n // take input const UChar */int32_t srcLength (j785)\n {\n static const UChar u[]={ 0x61, 0x308, 0x62, 0 };\n 
UnicodeString s=UNICODE_STRING(\"a\\\\u0308b\", 8).unescape();\n\n if(s.compare(u, -1)!=0 || s.compare(0, 999, u, 0, -1)!=0) {\n errln(\"error UnicodeString::compare(..., const UChar *, srcLength=-1) does not work\");\n }\n\n if(s.compareCodePointOrder(u, -1)!=0 || s.compareCodePointOrder(0, 999, u, 0, -1)!=0) {\n errln(\"error UnicodeString::compareCodePointOrder(..., const UChar *, srcLength=-1, ...) does not work\");\n }\n\n if(s.caseCompare(u, -1, U_FOLD_CASE_DEFAULT)!=0 || s.caseCompare(0, 999, u, 0, -1, U_FOLD_CASE_DEFAULT)!=0) {\n errln(\"error UnicodeString::caseCompare(..., const UChar *, srcLength=-1, ...) does not work\");\n }\n\n if(s.indexOf(u, 1, -1, 0, 999)!=1 || s.indexOf(u+1, -1, 0, 999)!=1 || s.indexOf(u+1, -1, 0)!=1) {\n errln(\"error UnicodeString::indexOf(const UChar *, srcLength=-1, ...) does not work\");\n }\n\n if(s.lastIndexOf(u, 1, -1, 0, 999)!=1 || s.lastIndexOf(u+1, -1, 0, 999)!=1 || s.lastIndexOf(u+1, -1, 0)!=1) {\n errln(\"error UnicodeString::lastIndexOf(const UChar *, srcLength=-1, ...) does not work\");\n }\n\n UnicodeString s2, s3;\n s2.replace(0, 0, u+1, -1);\n s3.replace(0, 0, u, 1, -1);\n if(s.compare(1, 999, s2)!=0 || s2!=s3) {\n errln(\"error UnicodeString::replace(..., const UChar *, srcLength=-1, ...) 
does not work\");\n }\n }\n}", "project": "icu", "hash": 14023232569839772383808195808131919574, "size": 198, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430726 }, { "func": "static int packet_ioctl(struct socket *sock, unsigned int cmd,\n\t\t\tunsigned long arg)\n{\n\tstruct sock *sk = sock->sk;\n\n\tswitch (cmd) {\n\tcase SIOCOUTQ:\n\t{\n\t\tint amount = sk_wmem_alloc_get(sk);\n\n\t\treturn put_user(amount, (int __user *)arg);\n\t}\n\tcase SIOCINQ:\n\t{\n\t\tstruct sk_buff *skb;\n\t\tint amount = 0;\n\n\t\tspin_lock_bh(&sk->sk_receive_queue.lock);\n\t\tskb = skb_peek(&sk->sk_receive_queue);\n\t\tif (skb)\n\t\t\tamount = skb->len;\n\t\tspin_unlock_bh(&sk->sk_receive_queue.lock);\n\t\treturn put_user(amount, (int __user *)arg);\n\t}\n#ifdef CONFIG_INET\n\tcase SIOCADDRT:\n\tcase SIOCDELRT:\n\tcase SIOCDARP:\n\tcase SIOCGARP:\n\tcase SIOCSARP:\n\tcase SIOCGIFADDR:\n\tcase SIOCSIFADDR:\n\tcase SIOCGIFBRDADDR:\n\tcase SIOCSIFBRDADDR:\n\tcase SIOCGIFNETMASK:\n\tcase SIOCSIFNETMASK:\n\tcase SIOCGIFDSTADDR:\n\tcase SIOCSIFDSTADDR:\n\tcase SIOCSIFFLAGS:\n\t\treturn inet_dgram_ops.ioctl(sock, cmd, arg);\n#endif\n\n\tdefault:\n\t\treturn -ENOIOCTLCMD;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 201912837190894305520707630716125091703, "size": 47, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE 
sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330400 }, { "func": "void __hci_req_update_adv_data(struct hci_request *req, u8 instance)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tu8 len;\n\n\tif (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))\n\t\treturn;\n\n\tif (ext_adv_capable(hdev)) {\n\t\tstruct hci_cp_le_set_ext_adv_data cp;\n\n\t\tmemset(&cp, 0, sizeof(cp));\n\n\t\tlen = create_instance_adv_data(hdev, instance, cp.data);\n\n\t\t/* There's nothing to do if the data hasn't changed */\n\t\tif (hdev->adv_data_len == len &&\n\t\t memcmp(cp.data, hdev->adv_data, len) == 0)\n\t\t\treturn;\n\n\t\tmemcpy(hdev->adv_data, cp.data, sizeof(cp.data));\n\t\thdev->adv_data_len = len;\n\n\t\tcp.length = len;\n\t\tcp.handle = instance;\n\t\tcp.operation = LE_SET_ADV_DATA_OP_COMPLETE;\n\t\tcp.frag_pref = LE_SET_ADV_DATA_NO_FRAG;\n\n\t\thci_req_add(req, HCI_OP_LE_SET_EXT_ADV_DATA, sizeof(cp), &cp);\n\t} else {\n\t\tstruct hci_cp_le_set_adv_data cp;\n\n\t\tmemset(&cp, 0, sizeof(cp));\n\n\t\tlen = create_instance_adv_data(hdev, instance, cp.data);\n\n\t\t/* There's nothing to do if the data hasn't changed */\n\t\tif (hdev->adv_data_len == len &&\n\t\t memcmp(cp.data, hdev->adv_data, len) == 0)\n\t\t\treturn;\n\n\t\tmemcpy(hdev->adv_data, cp.data, sizeof(cp.data));\n\t\thdev->adv_data_len = len;\n\n\t\tcp.length = len;\n\n\t\thci_req_add(req, HCI_OP_LE_SET_ADV_DATA, sizeof(cp), &cp);\n\t}\n}", "project": "linux", "hash": 264791715796854545062653621232030499059, "size": 49, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402533 }, { "func": "static void sp_node_init(struct sp_node *node, unsigned long start,\n\t\t\tunsigned long end, struct mempolicy *pol)\n{\n\tnode->start = start;\n\tnode->end = end;\n\tnode->policy = pol;\n}", "project": "linux", "hash": 177219190065642917707739927044317533698, "size": 7, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366761 }, { "func": "static bool io_poll_remove_one(struct io_kiocb *req)\n{\n\tbool do_complete;\n\n\tif (req->opcode == IORING_OP_POLL_ADD) {\n\t\tio_poll_remove_double(req, req->io);\n\t\tdo_complete = __io_poll_remove_one(req, &req->poll);\n\t} else {\n\t\tstruct async_poll *apoll = req->apoll;\n\n\t\tio_poll_remove_double(req, apoll->double_poll);\n\n\t\t/* non-poll requests have submit ref still */\n\t\tdo_complete = __io_poll_remove_one(req, &apoll->poll);\n\t\tif (do_complete) {\n\t\t\tio_put_req(req);\n\t\t\tkfree(apoll->double_poll);\n\t\t\tkfree(apoll);\n\t\t}\n\t}\n\n\tif (do_complete) {\n\t\tio_cqring_fill_event(req, -ECANCELED);\n\t\tio_commit_cqring(req->ctx);\n\t\treq->flags |= REQ_F_COMP_LOCKED;\n\t\tio_put_req(req);\n\t}\n\n\treturn do_complete;\n}", "project": "linux", "hash": 224945234587893744373483289265900322687, "size": 30, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution 
cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456946 }, { "func": "static void sd_stopN(struct gspca_dev *gspca_dev)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\tov51x_stop(sd);\n\tov51x_led_control(sd, 0);\n}", "project": "linux", "hash": 232068405699226537536806632754775916480, "size": 7, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306310 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "void WebGraphicsContext3DDefaultImpl::copyTexImage2D(unsigned long target, long level, unsigned long internalformat,\n long x, long y, unsigned long width, unsigned long height, long border)\n{\n makeContextCurrent();\n\n bool needsResolve = (m_attributes.antialias && m_boundFBO == m_multisampleFBO);\n if (needsResolve) {\n resolveMultisampledFramebuffer(x, y, width, height);\n glBindFramebufferEXT(GL_FRAMEBUFFER_EXT, m_fbo);\n }\n\n glCopyTexImage2D(target, level, internalformat, x, y, width, height, border);\n\n if (needsResolve)\n glBindFramebufferEXT(GL_FRAMEBUFFER_EXT, m_boundFBO);\n}\n", "cwe": "", "big_vul_idx": 98974, "idx": 89033, "hash": 
129001766758943746724598623087937816330 }, { "func": "static uint8_t intsetSearch(intset *is, int64_t value, uint32_t *pos) {\n int min = 0, max = intrev32ifbe(is->length)-1, mid = -1;\n int64_t cur = -1;\n\n /* The value can never be found when the set is empty */\n if (intrev32ifbe(is->length) == 0) {\n if (pos) *pos = 0;\n return 0;\n } else {\n /* Check for the case where we know we cannot find the value,\n * but do know the insert position. */\n if (value > _intsetGet(is,max)) {\n if (pos) *pos = intrev32ifbe(is->length);\n return 0;\n } else if (value < _intsetGet(is,0)) {\n if (pos) *pos = 0;\n return 0;\n }\n }\n\n while(max >= min) {\n mid = ((unsigned int)min + (unsigned int)max) >> 1;\n cur = _intsetGet(is,mid);\n if (value > cur) {\n min = mid+1;\n } else if (value < cur) {\n max = mid-1;\n } else {\n break;\n }\n }\n\n if (value == cur) {\n if (pos) *pos = mid;\n return 1;\n } else {\n if (pos) *pos = min;\n return 0;\n }\n}", "project": "redis", "hash": 101840953721773032001327438316926843983, "size": 40, "commit_id": "789f10156009b404950ad717642a9496ed887083", "message": "Fix integer overflow in intset (CVE-2021-29478)\n\nAn integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and\npotentially result with remote code execution.\n\nThe vulnerability involves changing the default set-max-intset-entries\nconfiguration value, creating a large set key that consists of integer values\nand using the COPY command to duplicate it.\n\nThe integer overflow bug exists in all versions of Redis starting with 2.6,\nwhere it could result with a corrupted RDB or DUMP payload, but not exploited\nthrough COPY (which did not exist before 6.2).\n\n(cherry picked from commit 29900d4e6bccdf3691bedf0ea9a5d84863fa3592)", "target": 0, "dataset": "other", "idx": 290633 }, { "func": "void fuse_file_free(struct fuse_file *ff)\n{\n\tkfree(ff->release_args);\n\tmutex_destroy(&ff->readdir.lock);\n\tkfree(ff);\n}", "project": "linux", "hash": 
106797336937151990484960503360203543505, "size": 6, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341889 }, { "func": "static int getint(FILE *sfd, int *val) {\n char tokbuf[100]; int ch;\n char *pt=tokbuf, *end = tokbuf+100-2;\n\n while ( isspace(ch = nlgetc(sfd)));\n if ( ch=='-' || ch=='+' ) {\n\t*pt++ = ch;\n\tch = nlgetc(sfd);\n }\n while ( isdigit(ch)) {\n\tif ( ptfontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417767 }, { "func": "static struct ttflangname *SFDGetLangName(FILE *sfd,struct ttflangname *old) {\n struct ttflangname *cur = chunkalloc(sizeof(struct ttflangname)), *prev;\n int i;\n\n getint(sfd,&cur->lang);\n for ( i=0; inames[i] = SFDReadUTF7Str(sfd);\n if ( old==NULL )\nreturn( cur );\n for ( prev = old; prev->next !=NULL; prev = prev->next );\n prev->next = cur;\nreturn( old );\n}", "project": "fontforge", "hash": 31771349174946100537149651320299386631, "size": 13, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", 
"message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417887 }, { "func": "static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,\n\t\t\t\tstruct task_struct *newowner, int fshared)\n{\n\tu32 newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;\n\tstruct futex_pi_state *pi_state = q->pi_state;\n\tstruct task_struct *oldowner = pi_state->owner;\n\tu32 uval, curval, newval;\n\tint ret;\n\n\t/* Owner died? */\n\tif (!pi_state->owner)\n\t\tnewtid |= FUTEX_OWNER_DIED;\n\n\t/*\n\t * We are here either because we stole the rtmutex from the\n\t * pending owner or we are the pending owner which failed to\n\t * get the rtmutex. We have to replace the pending owner TID\n\t * in the user space variable. This must be atomic as we have\n\t * to preserve the owner died bit here.\n\t *\n\t * Note: We write the user space value _before_ changing the pi_state\n\t * because we can fault here. Imagine swapped out pages or a fork\n\t * that marked all the anonymous memory readonly for cow.\n\t *\n\t * Modifying pi_state _before_ the user space value would\n\t * leave the pi_state in an inconsistent state when we fault\n\t * here, because we need to drop the hash bucket lock to\n\t * handle the fault. 
This might be observed in the PID check\n\t * in lookup_pi_state.\n\t */\nretry:\n\tif (get_futex_value_locked(&uval, uaddr))\n\t\tgoto handle_fault;\n\n\twhile (1) {\n\t\tnewval = (uval & FUTEX_OWNER_DIED) | newtid;\n\n\t\tcurval = cmpxchg_futex_value_locked(uaddr, uval, newval);\n\n\t\tif (curval == -EFAULT)\n\t\t\tgoto handle_fault;\n\t\tif (curval == uval)\n\t\t\tbreak;\n\t\tuval = curval;\n\t}\n\n\t/*\n\t * We fixed up user space. Now we need to fix the pi_state\n\t * itself.\n\t */\n\tif (pi_state->owner != NULL) {\n\t\traw_spin_lock_irq(&pi_state->owner->pi_lock);\n\t\tWARN_ON(list_empty(&pi_state->list));\n\t\tlist_del_init(&pi_state->list);\n\t\traw_spin_unlock_irq(&pi_state->owner->pi_lock);\n\t}\n\n\tpi_state->owner = newowner;\n\n\traw_spin_lock_irq(&newowner->pi_lock);\n\tWARN_ON(!list_empty(&pi_state->list));\n\tlist_add(&pi_state->list, &newowner->pi_state_list);\n\traw_spin_unlock_irq(&newowner->pi_lock);\n\treturn 0;\n\n\t/*\n\t * To handle the page fault we need to drop the hash bucket\n\t * lock here. That gives the other task (either the pending\n\t * owner itself or the task which stole the rtmutex) the\n\t * chance to try the fixup of the pi_state. So once we are\n\t * back from handling the fault we need to check the pi_state\n\t * after reacquiring the hash bucket lock and before trying to\n\t * do another fixup. 
When the fixup has been done already we\n\t * simply return.\n\t */\nhandle_fault:\n\tspin_unlock(q->lock_ptr);\n\n\tret = fault_in_user_writeable(uaddr);\n\n\tspin_lock(q->lock_ptr);\n\n\t/*\n\t * Check if someone else fixed it for us:\n\t */\n\tif (pi_state->owner != oldowner)\n\t\treturn 0;\n\n\tif (ret)\n\t\treturn ret;\n\n\tgoto retry;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 280239936159476167719697355964784853415, "size": 93, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492308 }, { "func": "static void tcp_clamp_window(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct inet_connection_sock *icsk = inet_csk(sk);\n\n\ticsk->icsk_ack.quick = 0;\n\n\tif (sk->sk_rcvbuf < sysctl_tcp_rmem[2] &&\n\t !(sk->sk_userlocks & SOCK_RCVBUF_LOCK) &&\n\t !tcp_memory_pressure &&\n\t atomic_long_read(&tcp_memory_allocated) < sysctl_tcp_mem[0]) {\n\t\tsk->sk_rcvbuf = min(atomic_read(&sk->sk_rmem_alloc),\n\t\t\t\t sysctl_tcp_rmem[2]);\n\t}\n\tif (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)\n\t\ttp->rcv_ssthresh = min(tp->window_clamp, 2U * tp->advmss);\n}", "project": "net-next", "hash": 264685607731168259116682332083742038969, "size": 17, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409856 }, { "func": "HeaderTableRecord::HeaderTableRecord() :\n name(\"\"), id(HdrType::BAD_HDR), type(HdrFieldType::ftInvalid),\n list(false), request(false), reply(false), hopbyhop(false), denied304(false)\n{}", "project": "squid", "hash": 251813797779705074152019324949611819145, "size": 4, "commit_id": "d09b34de2575af3bab4b34c775f93acb7270b4c3", "message": "Limit HeaderLookupTable_t::lookup() to BadHdr and specific IDs", "target": 0, "dataset": "other", "idx": 430898 }, { "func": "HeaderTableRecord::HeaderTableRecord(const char *n) :\n name(n), id(HdrType::BAD_HDR), type(HdrFieldType::ftInvalid),\n list(false), request(false), reply(false), hopbyhop(false), denied304(false)\n{}", "project": "squid", "hash": 5934406381356208319279434013622609119, "size": 4, "commit_id": "d09b34de2575af3bab4b34c775f93acb7270b4c3", "message": "Limit HeaderLookupTable_t::lookup() to BadHdr and specific IDs", "target": 0, "dataset": "other", "idx": 430899 }, { "func": "HeaderTableRecord::HeaderTableRecord(const char *n, HdrType theId, HdrFieldType theType, int theKind) :\n name(n), id(theId), type(theType),\n list(theKind & HdrKind::ListHeader), request(theKind & HdrKind::RequestHeader),\n reply(theKind & HdrKind::ReplyHeader), hopbyhop(theKind & HdrKind::HopByHopHeader),\n denied304(theKind & HdrKind::Denied304Header)\n{}", "project": "squid", "hash": 152502840069768166618841513472274321587, "size": 6, "commit_id": "d09b34de2575af3bab4b34c775f93acb7270b4c3", "message": "Limit HeaderLookupTable_t::lookup() to BadHdr and specific IDs", "target": 0, "dataset": "other", "idx": 430903 }, { "func": " HeaderToFilterStateFilter(const std::string& header, const std::string& state)\n : header_(header), state_(state) {}", "project": "envoy", "hash": 59851598576812822944872331885311624254, "size": 2, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to 
JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246602 }, { "func": "void LibRaw::fixupArri()\n{\n struct alist_t\n {\n const char *a_model;\n const char *a_software;\n ushort a_width,a_height;\n int a_black;\n unsigned a_filters;\n float a_aspect;\n }\n alist[] =\n {\n {\"ALEXA65\", \"Alexa65 XT\", 6560 ,3100, 256,0x49494949,1.f},\n\n {\"ALEXALF\", \"Alexa LF Plus W\", 3840 ,2160, 256,0x49494949,1.0f },\n {\"ALEXALF\", \"Alexa LF Plus W\", 4448 ,1856, 256,0x49494949,0.75f },\n {\"ALEXALF\", \"Alexa LF Plus W\", 4448 ,3096, 256,0x49494949,1.f },\n\n {\"ALEXA\", \"Alexa Plus 4:3 SXT\", 2880 ,1620, 256,0x61616161,.75f},\n {\"ALEXA\", \"Alexa Plus 4:3 SXT\", 3168 ,1782, 256,0x61616161,0.75f},\n {\"ALEXA\", \"Alexa Plus 4:3 SXT\", 3424 ,2202, 256,0x61616161,1.f},\n {\"ALEXA\", \"Alexa Plus 4:3 SXT\", 2592 ,2160, 256,0x61616161,1.12f},\n\n {\"ALEXA\", \"Alexa Plus 4:3 XT\", 2592 ,2160, 256,0x61616161,1.12f},\n {\"ALEXA\", \"Alexa Plus 4:3 XT\", 2880 ,2160, 256,0x61616161,1.f},\n {\"ALEXA\", \"Alexa Plus 4:3 XT\", 2880 ,1620, 256,0x61616161,0.75f},\n {\"ALEXA\", \"Alexa Plus 4:3 XT\", 3424 ,2202, 256,0x61616161,1.f},\n };\n for(int i = 0; i < int(sizeof(alist)/sizeof(alist[0])); i++)\n if(!strncasecmp(model,alist[i].a_model,strlen(alist[i].a_model)) && software\n && !strncasecmp(software,alist[i].a_software,strlen(alist[i].a_software))\n && width == alist[i].a_width && height == alist[i].a_height)\n {\n filters = alist[i].a_filters;\n black = alist[i].a_black;\n pixel_aspect = alist[i].a_aspect;\n strcpy(model,software);\n software[0]=0;\n return;\n }\n}", "project": "LibRaw", "hash": 338507502143088175344042735947694923886, "size": 42, "commit_id": "4feaed4dea636cee4fee010f615881ccf76a096d", "message": "limit loops to MIN(colors,4) in dng fields parser", "target": 0, "dataset": "other", "idx": 482360 }, { "func": "static inline void metadata_access_enable(void)\n{\n\tkasan_disable_current();\n}", 
"project": "linux", "hash": 84318421634357450443275606765853646065, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280250 }, { "func": "void tty_save_termios(struct tty_struct *tty)\n{\n\tstruct ktermios *tp;\n\tint idx = tty->index;\n\n\t/* If the port is going to reset then it has no termios to save */\n\tif (tty->driver->flags & TTY_DRIVER_RESET_TERMIOS)\n\t\treturn;\n\n\t/* Stash the termios data */\n\ttp = tty->driver->termios[idx];\n\tif (tp == NULL) {\n\t\ttp = kmalloc(sizeof(*tp), GFP_KERNEL);\n\t\tif (tp == NULL)\n\t\t\treturn;\n\t\ttty->driver->termios[idx] = tp;\n\t}\n\t*tp = tty->termios;\n}", "project": "linux", "hash": 326362038266141560193269854382215427067, "size": 19, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory 
via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326035 }, { "func": "void Commissioner::SendJoinFinalizeResponse(const Coap::Message &aRequest, StateTlv::State aState)\n{\n otError error = OT_ERROR_NONE;\n Ip6::MessageInfo joinerMessageInfo;\n MeshCoP::StateTlv stateTlv;\n Coap::Message * message;\n Mac::ExtAddress joinerId;\n\n VerifyOrExit((message = NewMeshCoPMessage(Get())) != NULL, error = OT_ERROR_NO_BUFS);\n\n SuccessOrExit(error = message->SetDefaultResponseHeader(aRequest));\n SuccessOrExit(error = message->SetPayloadMarker());\n message->SetOffset(message->GetLength());\n message->SetSubType(Message::kSubTypeJoinerFinalizeResponse);\n\n stateTlv.Init();\n stateTlv.SetState(aState);\n SuccessOrExit(error = message->AppendTlv(stateTlv));\n\n joinerMessageInfo.SetPeerAddr(Get().GetMeshLocal64());\n joinerMessageInfo.GetPeerAddr().SetIid(mJoinerIid);\n joinerMessageInfo.SetPeerPort(mJoinerPort);\n\n#if 
OPENTHREAD_CONFIG_REFERENCE_DEVICE_ENABLE\n uint8_t buf[OPENTHREAD_CONFIG_MESSAGE_BUFFER_SIZE];\n\n VerifyOrExit(message->GetLength() <= sizeof(buf));\n message->Read(message->GetOffset(), message->GetLength() - message->GetOffset(), buf);\n otDumpCertMeshCoP(\"[THCI] direction=send | type=JOIN_FIN.rsp |\", buf, message->GetLength() - message->GetOffset());\n#endif\n\n SuccessOrExit(error = Get().SendMessage(*message, joinerMessageInfo));\n\n joinerId.Set(mJoinerIid);\n joinerId.ToggleLocal();\n SignalJoinerEvent(OT_COMMISSIONER_JOINER_FINALIZE, joinerId);\n\n if (!mJoiners[mJoinerIndex].mAny)\n {\n // remove after kRemoveJoinerDelay (seconds)\n RemoveJoiner(&mJoiners[mJoinerIndex].mEui64, kRemoveJoinerDelay);\n }\n\n otLogInfoMeshCoP(\"sent joiner finalize response\");\n\nexit:\n\n if (error != OT_ERROR_NONE && message != NULL)\n {\n message->Free();\n }\n}", "project": "openthread", "hash": 212399879466304512899917968181976061149, "size": 52, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269906 }, { "func": "static inline void __sctp_put_port(struct sock *sk)\n{\n\tstruct sctp_bind_hashbucket *head =\n\t\t&sctp_port_hashtable[sctp_phashfn(sock_net(sk),\n\t\t\t\t\t\t inet_sk(sk)->inet_num)];\n\tstruct sctp_bind_bucket *pp;\n\n\tspin_lock(&head->lock);\n\tpp = sctp_sk(sk)->bind_hash;\n\t__sk_del_bind_node(sk);\n\tsctp_sk(sk)->bind_hash = NULL;\n\tinet_sk(sk)->inet_num = 0;\n\tsctp_bucket_destroy(pp);\n\tspin_unlock(&head->lock);\n}", "project": "linux", "hash": 106319875586657686365936924112694078341, "size": 15, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the 
following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398085 }, { "func": "static void svm_enable_lbrv(struct vcpu_svm *svm)\n{\n\tu32 *msrpm = svm->msrpm;\n\n\tsvm->vmcb->control.virt_ext |= LBR_CTL_ENABLE_MASK;\n\tset_msr_interception(msrpm, MSR_IA32_LASTBRANCHFROMIP, 1, 1);\n\tset_msr_interception(msrpm, MSR_IA32_LASTBRANCHTOIP, 1, 1);\n\tset_msr_interception(msrpm, MSR_IA32_LASTINTFROMIP, 1, 1);\n\tset_msr_interception(msrpm, MSR_IA32_LASTINTTOIP, 1, 1);\n}", "project": "linux", "hash": 336771086562159300474566500617641185764, "size": 10, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432512 }, { "func": "static void svm_enable_lbrv(struct vcpu_svm *svm)\n{\n\tu32 *msrpm = svm->msrpm;\n\n\tsvm->vmcb->control.lbr_ctl = 1;\n\tset_msr_interception(msrpm, MSR_IA32_LASTBRANCHFROMIP, 1, 1);\n\tset_msr_interception(msrpm, MSR_IA32_LASTBRANCHTOIP, 1, 1);\n\tset_msr_interception(msrpm, MSR_IA32_LASTINTFROMIP, 1, 1);\n\tset_msr_interception(msrpm, MSR_IA32_LASTINTTOIP, 1, 1);\n}", "project": "kvm", "hash": 180594939399195048947701888749072892787, "size": 10, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437602 }, { "func": "int cdev_add(struct cdev *p, dev_t dev, unsigned count)\n{\n\tint error;\n\n\tp->dev = dev;\n\tp->count = count;\n\n\terror = kobj_map(cdev_map, dev, count, NULL,\n\t\t\t exact_match, exact_lock, p);\n\tif (error)\n\t\treturn error;\n\n\tkobject_get(p->kobj.parent);\n\n\treturn 0;\n}", "project": "linux", "hash": 151165360894936832231465031133527813543, "size": 16, "commit_id": "68faa679b8be1a74e6663c21c3a9d25d32f1c079", "message": "chardev: Avoid potential use-after-free in 'chrdev_open()'\n\n'chrdev_open()' calls 'cdev_get()' to obtain a reference to the\n'struct cdev *' stashed in the 'i_cdev' field of the target inode\nstructure. 
If the pointer is NULL, then it is initialised lazily by\nlooking up the kobject in the 'cdev_map' and so the whole procedure is\nprotected by the 'cdev_lock' spinlock to serialise initialisation of\nthe shared pointer.\n\nUnfortunately, it is possible for the initialising thread to fail *after*\ninstalling the new pointer, for example if the subsequent '->open()' call\non the file fails. In this case, 'cdev_put()' is called, the reference\ncount on the kobject is dropped and, if nobody else has taken a reference,\nthe release function is called which finally clears 'inode->i_cdev' from\n'cdev_purge()' before potentially freeing the object. The problem here\nis that a racing thread can happily take the 'cdev_lock' and see the\nnon-NULL pointer in the inode, which can result in a refcount increment\nfrom zero and a warning:\n\n | ------------[ cut here ]------------\n | refcount_t: addition on 0; use-after-free.\n | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0\n | Modules linked in:\n | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\n | RIP: 0010:refcount_warn_saturate+0x6d/0xf0\n | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08\n | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282\n | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000\n | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798\n | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039\n | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700\n | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700\n | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0\n | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000\n | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n | Call Trace:\n | kobject_get+0x5c/0x60\n | cdev_get+0x2b/0x60\n | chrdev_open+0x55/0x220\n | ? cdev_put.part.3+0x20/0x20\n | do_dentry_open+0x13a/0x390\n | path_openat+0x2c8/0x1470\n | do_filp_open+0x93/0x100\n | ? selinux_file_ioctl+0x17f/0x220\n | do_sys_open+0x186/0x220\n | do_syscall_64+0x48/0x150\n | entry_SYSCALL_64_after_hwframe+0x44/0xa9\n | RIP: 0033:0x7f3b87efcd0e\n | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4\n | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101\n | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e\n | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c\n | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000\n | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e\n | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000\n | ---[ end trace 24f53ca58db8180a ]---\n\nSince 'cdev_get()' can already fail to obtain a reference, simply move\nit over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',\nwhich will cause the racing thread to return -ENXIO if the initialising\nthread fails unexpectedly.\n\nCc: Hillf Danton \nCc: Andrew Morton \nCc: Al Viro \nReported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com\nSigned-off-by: Will Deacon \nCc: stable \nLink: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 446388 }, { "func": " bool parseAlse() {\n if (*p++ != 'a') return false;\n if (*p++ != 'l') return false;\n if (*p++ != 's') return false;\n if (*p++ != 'e') return false;\n auto const tv = top++;\n tv->m_type = KindOfBoolean;\n tv->m_data.num = false;\n return true;\n }", "project": "hhvm", "hash": 152964448573337337279325639685156719619, "size": 10, "commit_id": 
"b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227290 }, { "func": "ConnStateData::getSslContextDone(Security::ContextPointer &ctx)\n{\n if (port->secure.generateHostCertificates && !ctx) {\n debugs(33, 2, \"Failed to generate TLS context for \" << tlsConnectHostOrIp);\n }\n\n // If generated ssl context = NULL, try to use static ssl context.\n if (!ctx) {\n if (!port->secure.staticContext) {\n debugs(83, DBG_IMPORTANT, \"Closing \" << clientConnection->remote << \" as lacking TLS context\");\n clientConnection->close();\n return;\n } else {\n debugs(33, 5, \"Using static TLS context.\");\n ctx = port->secure.staticContext;\n }\n }\n\n if (!httpsCreate(this, ctx))\n return;\n\n // bumped intercepted conns should already have Config.Timeout.request set\n // but forwarded connections may only have Config.Timeout.lifetime. 
[Re]set\n // to make sure the connection does not get stuck on non-SSL clients.\n typedef CommCbMemFunT TimeoutDialer;\n AsyncCall::Pointer timeoutCall = JobCallback(33, 5, TimeoutDialer,\n this, ConnStateData::requestTimeout);\n commSetConnTimeout(clientConnection, Config.Timeout.request, timeoutCall);\n\n switchedToHttps_ = true;\n\n auto ssl = fd_table[clientConnection->fd].ssl.get();\n BIO *b = SSL_get_rbio(ssl);\n Ssl::ClientBio *bio = static_cast(BIO_get_data(b));\n bio->setReadBufData(inBuf);\n inBuf.clear();\n clientNegotiateSSL(clientConnection->fd, this);\n}", "project": "squid", "hash": 210343661279176110143572714325259695179, "size": 38, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402317 }, { "func": "static int _nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,\n\t\tstruct page *page, unsigned int len, struct iattr *sattr,\n\t\tstruct nfs4_label *label)\n{\n\tstruct nfs4_createdata *data;\n\tint status = -ENAMETOOLONG;\n\n\tif (len > NFS4_MAXPATHLEN)\n\t\tgoto out;\n\n\tstatus = -ENOMEM;\n\tdata = nfs4_alloc_createdata(dir, &dentry->d_name, sattr, NF4LNK);\n\tif (data == NULL)\n\t\tgoto out;\n\n\tdata->msg.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_SYMLINK];\n\tdata->arg.u.symlink.pages = &page;\n\tdata->arg.u.symlink.len = len;\n\tdata->arg.label = label;\n\t\n\tstatus = nfs4_do_create(dir, dentry, data);\n\n\tnfs4_free_createdata(data);\nout:\n\treturn status;\n}", 
"project": "linux", "hash": 244592914014544522288487642670921708552, "size": 26, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431000 }, { "func": "static bool add_ref_to_table_cond(THD *thd, JOIN_TAB *join_tab)\n{\n DBUG_ENTER(\"add_ref_to_table_cond\");\n if (!join_tab->ref.key_parts)\n DBUG_RETURN(FALSE);\n\n Item_cond_and *cond= new (thd->mem_root) Item_cond_and(thd);\n TABLE *table=join_tab->table;\n int error= 0;\n if (!cond)\n DBUG_RETURN(TRUE);\n\n for (uint i=0 ; i < join_tab->ref.key_parts ; i++)\n {\n Field *field=table->field[table->key_info[join_tab->ref.key].key_part[i].\n\t\t\t fieldnr-1];\n Item *value=join_tab->ref.items[i];\n cond->add(new (thd->mem_root)\n Item_func_equal(thd, new (thd->mem_root) Item_field(thd, field),\n value),\n thd->mem_root);\n }\n if (unlikely(thd->is_fatal_error))\n DBUG_RETURN(TRUE);\n if (!cond->fixed)\n {\n Item *tmp_item= (Item*) cond;\n cond->fix_fields(thd, &tmp_item);\n DBUG_ASSERT(cond == tmp_item);\n }\n if (join_tab->select)\n {\n Item *UNINIT_VAR(cond_copy);\n if (join_tab->select->pre_idx_push_select_cond)\n cond_copy= cond->copy_andor_structure(thd);\n if (join_tab->select->cond)\n error=(int) cond->add(join_tab->select->cond, thd->mem_root);\n join_tab->select->cond= cond;\n if (join_tab->select->pre_idx_push_select_cond)\n {\n Item *new_cond= and_conds(thd, cond_copy,\n join_tab->select->pre_idx_push_select_cond);\n if (new_cond->fix_fields_if_needed(thd, &new_cond))\n error= 1;\n join_tab->pre_idx_push_select_cond=\n join_tab->select->pre_idx_push_select_cond= new_cond;\n }\n 
join_tab->set_select_cond(cond, __LINE__);\n }\n else if ((join_tab->select= make_select(join_tab->table, 0, 0, cond,\n (SORT_INFO*) 0, 0, &error)))\n join_tab->set_select_cond(cond, __LINE__);\n\n DBUG_RETURN(error ? TRUE : FALSE);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 290593701748933191801835451465005709339, "size": 55, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508740 }, { "project": "Chrome", "commit_id": "123e68f88fd0ed4f7447ba81148f9b619b947c47", "target": 0, "func": "std::unique_ptr ClipboardReader::Create(\n const String& mime_type) {\n if (mime_type == kMimeTypeImagePng)\n return std::make_unique();\n if (mime_type == kMimeTypeTextPlain)\n return std::make_unique();\n\n return nullptr;\n}\n", "cwe": "", "big_vul_idx": 100152, "idx": 90056, "hash": 160807238694424993230146456177804487148 }, { "func": "gin::Handle WebContents::Create(\n v8::Isolate* isolate,\n const gin_helper::Dictionary& options) {\n return gin::CreateHandle(isolate, new WebContents(isolate, options));\n}", "project": "electron", "hash": 317594268578456607673963998607972829958, "size": 5, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269715 }, { "func": "static int sctp_getsockopt_asconf_supported(struct sock *sk, int len,\n\t\t\t\t\t char __user *optval,\n\t\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_assoc_value params;\n\tstruct sctp_association *asoc;\n\tint retval = -EFAULT;\n\n\tif (len < sizeof(params)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tlen = sizeof(params);\n\tif (copy_from_user(&params, optval, len))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params.assoc_id);\n\tif (!asoc && params.assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tparams.assoc_value = 
asoc ? asoc->peer.asconf_capable\n\t\t\t\t : sctp_sk(sk)->ep->asconf_enable;\n\n\tif (put_user(len, optlen))\n\t\tgoto out;\n\n\tif (copy_to_user(optval, &params, len))\n\t\tgoto out;\n\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 325029456707603032547692983294334813939, "size": 38, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398123 }, { "func": "static int ctnetlink_dump_extinfo(struct sk_buff *skb,\n\t\t\t\t struct nf_conn *ct, u32 type)\n{\n\tif (ctnetlink_dump_acct(skb, ct, type) < 0 ||\n\t ctnetlink_dump_timestamp(skb, ct) < 0 ||\n\t ctnetlink_dump_helpinfo(skb, ct) < 0 ||\n\t ctnetlink_dump_labels(skb, ct) < 0 ||\n\t ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||\n\t ctnetlink_dump_ct_synproxy(skb, ct) < 0)\n\t\treturn -1;\n\n\treturn 0;\n}", "project": "linux", "hash": 79903923276867702883595529983829700705, "size": 13, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. 
So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394203 }, { "func": "inline bool SparseTensor::ToDense(Tensor* out, bool initialize) {\n if (!ValidateAndInitializeToDense(out, initialize)) return false;\n\n auto out_t = out->flat();\n auto vals_t = vals_.vec();\n auto ix_t = ix_.matrix();\n const int64* const ix_ptr = ix_t.data();\n\n if (dims_ == 1) {\n // Fast path for sparse vectors.\n const int64 out_length = out->shape().dim_size(0);\n for (int n = 0; n < vals_t.dimension(0); ++n) {\n const int64 index = internal::SubtleMustCopy(ix_ptr[n]);\n if (!FastBoundsCheck(index, out_length)) return false;\n 
out_t(index) = vals_t(n);\n }\n return true;\n } else if (dims_ == 2) {\n // Fast path for sparse matrices.\n const auto& out_shape = out->shape();\n const int64 out_rows = out_shape.dim_size(0);\n const int64 out_cols = out_shape.dim_size(1);\n for (int n = 0; n < vals_t.dimension(0); ++n) {\n const int64 row_index = internal::SubtleMustCopy(ix_ptr[n * 2]);\n const int64 col_index = internal::SubtleMustCopy(ix_ptr[n * 2 + 1]);\n if (!(FastBoundsCheck(row_index, out_rows) &&\n FastBoundsCheck(col_index, out_cols))) {\n return false;\n }\n out_t(row_index * out_cols + col_index) = vals_t(n);\n }\n return true;\n } else {\n // General path for N-dimensional sparse tensors.\n gtl::InlinedVector strides(dims_);\n const auto& out_shape = out->shape().dim_sizes();\n if (dims_ > 0) {\n strides[dims_ - 1] = 1;\n }\n for (int d = dims_ - 2; d >= 0; --d) {\n strides[d] = strides[d + 1] * out_shape[d + 1];\n }\n\n for (int n = 0; n < vals_t.dimension(0); ++n) {\n bool invalid_dims = false;\n int64 ix = 0;\n for (int d = 0; d < dims_; ++d) {\n const int64 ix_n_d = internal::SubtleMustCopy(ix_ptr[n * dims_ + d]);\n if (!FastBoundsCheck(ix_n_d, out_shape[d])) {\n invalid_dims = true;\n }\n ix += strides[d] * ix_n_d;\n }\n if (invalid_dims) return false;\n out_t(ix) = vals_t(n);\n }\n return true;\n }\n}", "project": "tensorflow", "hash": 101310980648470830291198096409023097979, "size": 59, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277008 }, { "func": "nfs4_atomic_open(struct inode *dir, struct nfs_open_context *ctx,\n\t\tint open_flags, struct iattr *attr, int *opened)\n{\n\tstruct nfs4_state *state;\n\tstruct nfs4_label l = {0, 0, 0, NULL}, *label = NULL;\n\n\tlabel = nfs4_label_init_security(dir, ctx->dentry, attr, &l);\n\n\t/* Protect against concurrent 
sillydeletes */\n\tstate = nfs4_do_open(dir, ctx, open_flags, attr, label, opened);\n\n\tnfs4_label_release_security(label);\n\n\tif (IS_ERR(state))\n\t\treturn ERR_CAST(state);\n\treturn state->inode;\n}", "project": "linux", "hash": 298271473874890762595263628248927367103, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431460 }, { "func": "static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,\n\t\t\t const struct nlattr * const nla[])\n{\n\tconst struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);\n\tstruct netlink_ext_ack *extack = info->extack;\n\tu8 genmask = nft_genmask_next(info->net);\n\tconst struct nft_object_type *type;\n\tint family = nfmsg->nfgen_family;\n\tstruct net *net = info->net;\n\tstruct nft_table *table;\n\tstruct nft_object *obj;\n\tstruct nft_ctx ctx;\n\tu32 objtype;\n\tint err;\n\n\tif (!nla[NFTA_OBJ_TYPE] ||\n\t !nla[NFTA_OBJ_NAME] ||\n\t !nla[NFTA_OBJ_DATA])\n\t\treturn -EINVAL;\n\n\ttable = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,\n\t\t\t\t NETLINK_CB(skb).portid);\n\tif (IS_ERR(table)) {\n\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);\n\t\treturn PTR_ERR(table);\n\t}\n\n\tobjtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));\n\tobj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);\n\tif (IS_ERR(obj)) {\n\t\terr = PTR_ERR(obj);\n\t\tif (err != -ENOENT) {\n\t\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);\n\t\t\treturn err;\n\t\t}\n\t} else {\n\t\tif (info->nlh->nlmsg_flags & NLM_F_EXCL) {\n\t\t\tNL_SET_BAD_ATTR(extack, 
nla[NFTA_OBJ_NAME]);\n\t\t\treturn -EEXIST;\n\t\t}\n\t\tif (info->nlh->nlmsg_flags & NLM_F_REPLACE)\n\t\t\treturn -EOPNOTSUPP;\n\n\t\ttype = __nft_obj_type_get(objtype);\n\t\tnft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);\n\n\t\treturn nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);\n\t}\n\n\tnft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);\n\n\ttype = nft_obj_type_get(net, objtype);\n\tif (IS_ERR(type))\n\t\treturn PTR_ERR(type);\n\n\tobj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);\n\tif (IS_ERR(obj)) {\n\t\terr = PTR_ERR(obj);\n\t\tgoto err_init;\n\t}\n\tobj->key.table = table;\n\tobj->handle = nf_tables_alloc_handle(table);\n\n\tobj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);\n\tif (!obj->key.name) {\n\t\terr = -ENOMEM;\n\t\tgoto err_strdup;\n\t}\n\n\tif (nla[NFTA_OBJ_USERDATA]) {\n\t\tobj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL);\n\t\tif (obj->udata == NULL)\n\t\t\tgoto err_userdata;\n\n\t\tobj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);\n\t}\n\n\terr = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);\n\tif (err < 0)\n\t\tgoto err_trans;\n\n\terr = rhltable_insert(&nft_objname_ht, &obj->rhlhead,\n\t\t\t nft_objname_ht_params);\n\tif (err < 0)\n\t\tgoto err_obj_ht;\n\n\tlist_add_tail_rcu(&obj->list, &table->objects);\n\ttable->use++;\n\treturn 0;\nerr_obj_ht:\n\t/* queued in transaction log */\n\tINIT_LIST_HEAD(&obj->list);\n\treturn err;\nerr_trans:\n\tkfree(obj->udata);\nerr_userdata:\n\tkfree(obj->key.name);\nerr_strdup:\n\tif (obj->ops->destroy)\n\t\tobj->ops->destroy(&ctx, obj);\n\tkfree(obj);\nerr_init:\n\tmodule_put(type->owner);\n\treturn err;\n}", "project": "linux", "hash": 201702723341345538996381482279997639543, "size": 105, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. 
Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328389 }, { "func": "OPJ_BOOL opj_alloc_tile_component_data(opj_tcd_tilecomp_t *l_tilec)\n{\n if ((l_tilec->data == 00) ||\n ((l_tilec->data_size_needed > l_tilec->data_size) &&\n (l_tilec->ownsData == OPJ_FALSE))) {\n l_tilec->data = (OPJ_INT32 *) opj_image_data_alloc(l_tilec->data_size_needed);\n if (!l_tilec->data && l_tilec->data_size_needed != 0) {\n return OPJ_FALSE;\n }\n /*fprintf(stderr, \"tAllocate data of tilec (int): %d x OPJ_UINT32n\",l_data_size);*/\n l_tilec->data_size = l_tilec->data_size_needed;\n l_tilec->ownsData = OPJ_TRUE;\n } else if (l_tilec->data_size_needed > l_tilec->data_size) {\n /* We don't need to keep old data */\n opj_image_data_free(l_tilec->data);\n l_tilec->data = (OPJ_INT32 *) opj_image_data_alloc(l_tilec->data_size_needed);\n if (! 
l_tilec->data) {\n l_tilec->data_size = 0;\n l_tilec->data_size_needed = 0;\n l_tilec->ownsData = OPJ_FALSE;\n return OPJ_FALSE;\n }\n /*fprintf(stderr, \"tReallocate data of tilec (int): from %d to %d x OPJ_UINT32n\", l_tilec->data_size, l_data_size);*/\n l_tilec->data_size = l_tilec->data_size_needed;\n l_tilec->ownsData = OPJ_TRUE;\n }\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 236982636587186458486072528089234323034, "size": 28, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359181 }, { "func": "\nstatic int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov,\n\t\t\t\t struct io_mapped_ubuf **pimu,\n\t\t\t\t struct page **last_hpage)\n{\n\tstruct io_mapped_ubuf *imu = NULL;\n\tstruct vm_area_struct **vmas = NULL;\n\tstruct page **pages = NULL;\n\tunsigned long off, start, end, ubuf;\n\tsize_t size;\n\tint ret, pret, nr_pages, i;\n\n\tif (!iov->iov_base) {\n\t\t*pimu = ctx->dummy_ubuf;\n\t\treturn 0;\n\t}\n\n\tubuf = (unsigned long) iov->iov_base;\n\tend = (ubuf + iov->iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;\n\tstart = ubuf >> PAGE_SHIFT;\n\tnr_pages = end - start;\n\n\t*pimu = NULL;\n\tret = -ENOMEM;\n\n\tpages = kvmalloc_array(nr_pages, sizeof(struct page *), GFP_KERNEL);\n\tif (!pages)\n\t\tgoto done;\n\n\tvmas = kvmalloc_array(nr_pages, sizeof(struct vm_area_struct *),\n\t\t\t GFP_KERNEL);\n\tif (!vmas)\n\t\tgoto done;\n\n\timu = kvmalloc(struct_size(imu, bvec, nr_pages), GFP_KERNEL);\n\tif (!imu)\n\t\tgoto done;\n\n\tret = 0;\n\tmmap_read_lock(current->mm);\n\tpret = pin_user_pages(ubuf, nr_pages, FOLL_WRITE | FOLL_LONGTERM,\n\t\t\t pages, vmas);\n\tif (pret == nr_pages) {\n\t\t/* don't support file backed memory */\n\t\tfor (i = 0; i < nr_pages; i++) {\n\t\t\tstruct vm_area_struct *vma = vmas[i];\n\n\t\t\tif (vma->vm_file &&\n\t\t\t !is_file_hugepages(vma->vm_file)) {\n\t\t\t\tret 
= -EOPNOTSUPP;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t} else {\n\t\tret = pret < 0 ? pret : -EFAULT;\n\t}\n\tmmap_read_unlock(current->mm);\n\tif (ret) {\n\t\t/*\n\t\t * if we did partial map, or found file backed vmas,\n\t\t * release any pages we did get\n\t\t */\n\t\tif (pret > 0)\n\t\t\tunpin_user_pages(pages, pret);\n\t\tgoto done;\n\t}\n\n\tret = io_buffer_account_pin(ctx, pages, pret, imu, last_hpage);\n\tif (ret) {\n\t\tunpin_user_pages(pages, pret);\n\t\tgoto done;\n\t}\n\n\toff = ubuf & ~PAGE_MASK;\n\tsize = iov->iov_len;\n\tfor (i = 0; i < nr_pages; i++) {\n\t\tsize_t vec_len;\n\n\t\tvec_len = min_t(size_t, size, PAGE_SIZE - off);\n\t\timu->bvec[i].bv_page = pages[i];\n\t\timu->bvec[i].bv_len = vec_len;\n\t\timu->bvec[i].bv_offset = off;\n\t\toff = 0;\n\t\tsize -= vec_len;\n\t}\n\t/* store original address for later verification */\n\timu->ubuf = ubuf;\n\timu->ubuf_end = ubuf + iov->iov_len;\n\timu->nr_bvecs = nr_pages;\n\t*pimu = imu;\n\tret = 0;\ndone:\n\tif (ret)\n\t\tkvfree(imu);\n\tkvfree(pages);\n\tkvfree(vmas);\n\treturn ret;", "project": "linux", "hash": 101068385375855243258163014029470499625, "size": 97, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338693 }, { "func": "static req::ptr get_valid_mcrypt_resource(const Resource& td) {\n auto pm = dyn_cast_or_null(td);\n\n if (pm == nullptr || pm->isInvalid()) {\n raise_warning(\"supplied argument is not a valid MCrypt resource\");\n return nullptr;\n }\n\n return pm;\n}", "project": "hhvm", "hash": 295970071276929980641534732040254888308, "size": 10, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219557 }, { "func": "\tvoid PushModeParams()\n\t{\n\t\tfor (Modes::ChangeList::List::const_iterator i = beginit; i != lastit; ++i)\n\t\t{\n\t\t\tconst Modes::Change& item = *i;\n\t\t\tif (!item.param.empty())\n\t\t\t\tPushParamRef(item.param);\n\t\t}\n\t}", "project": "inspircd", "hash": 94268753455410472929395682201861862198, "size": 9, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273232 }, { "func": "int bcf_hrec_set_val(bcf_hrec_t *hrec, int i, const char *str, size_t len, int is_quoted)\n{\n if ( hrec->vals[i] ) {\n free(hrec->vals[i]);\n hrec->vals[i] = NULL;\n }\n if ( !str ) return 0;\n if ( is_quoted )\n {\n if (len >= SIZE_MAX - 3) {\n errno = ENOMEM;\n return -1;\n }\n hrec->vals[i] = (char*) 
malloc((len+3)*sizeof(char));\n if (!hrec->vals[i]) return -1;\n hrec->vals[i][0] = '\"';\n memcpy(&hrec->vals[i][1],str,len);\n hrec->vals[i][len+1] = '\"';\n hrec->vals[i][len+2] = 0;\n }\n else\n {\n if (len == SIZE_MAX) {\n errno = ENOMEM;\n return -1;\n }\n hrec->vals[i] = (char*) malloc((len+1)*sizeof(char));\n if (!hrec->vals[i]) return -1;\n memcpy(hrec->vals[i],str,len);\n hrec->vals[i][len] = 0;\n }\n return 0;\n}", "project": "htslib", "hash": 114100435050975265941482758773219292814, "size": 33, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402227 }, { "func": "static inline int kvm_memslot_move_backward(struct kvm_memslots *slots,\n\t\t\t\t\t struct kvm_memory_slot *memslot)\n{\n\tstruct kvm_memory_slot *mslots = slots->memslots;\n\tint i;\n\n\tif (WARN_ON_ONCE(slots->id_to_index[memslot->id] == -1) ||\n\t WARN_ON_ONCE(!slots->used_slots))\n\t\treturn -1;\n\n\t/*\n\t * Move the target memslot backward in the array by shifting existing\n\t * memslots with a higher GFN (than the target memslot) towards the\n\t * front of the array.\n\t */\n\tfor (i = slots->id_to_index[memslot->id]; i < slots->used_slots - 1; i++) {\n\t\tif (memslot->base_gfn > mslots[i + 1].base_gfn)\n\t\t\tbreak;\n\n\t\tWARN_ON_ONCE(memslot->base_gfn == mslots[i + 1].base_gfn);\n\n\t\t/* Shift the next memslot forward one and update its index. 
*/\n\t\tmslots[i] = mslots[i + 1];\n\t\tslots->id_to_index[mslots[i].id] = i;\n\t}\n\treturn i;\n}", "project": "linux", "hash": 247564585176221704675827656282717767991, "size": 27, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354610 }, { "func": "\nstatic bool bfq_too_late_for_merging(struct bfq_queue *bfqq)\n{\n\treturn bfqq->service_from_backlogged > 0 &&\n\t\ttime_is_before_jiffies(bfqq->first_IO_time +\n\t\t\t\t bfq_merge_time_limit);", "project": "linux", "hash": 309534966463615940149731453417389114739, "size": 6, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453382 }, { "func": "void __cold\nbfq_pos_tree_add_move(struct bfq_data *bfqd, struct bfq_queue *bfqq)\n{\n\tstruct rb_node **p, *parent;\n\tstruct bfq_queue *__bfqq;\n\n\tif (bfqq->pos_root) {\n\t\trb_erase(&bfqq->pos_node, bfqq->pos_root);\n\t\tbfqq->pos_root = NULL;\n\t}\n\n\t/* oom_bfqq does not participate in queue merging */\n\tif (bfqq == &bfqd->oom_bfqq)\n\t\treturn;\n\n\t/*\n\t * bfqq cannot be merged any longer (see comments in\n\t * bfq_setup_cooperator): no point in adding bfqq into the\n\t * position tree.\n\t */\n\tif (bfq_too_late_for_merging(bfqq))\n\t\treturn;\n\n\tif (bfq_class_idle(bfqq))\n\t\treturn;\n\tif (!bfqq->next_rq)\n\t\treturn;\n\n\tbfqq->pos_root = &bfq_bfqq_to_bfqg(bfqq)->rq_pos_tree;\n\t__bfqq = bfq_rq_pos_tree_lookup(bfqd, bfqq->pos_root,\n\t\t\tblk_rq_pos(bfqq->next_rq), &parent, &p);\n\tif (!__bfqq) 
{\n\t\trb_link_node(&bfqq->pos_node, parent, p);\n\t\trb_insert_color(&bfqq->pos_node, bfqq->pos_root);\n\t} else\n\t\tbfqq->pos_root = NULL;", "project": "linux", "hash": 84325666667980432528082225636736727595, "size": 36, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] 
__handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] 
exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang 
\nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453301 }, { "func": "static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)\n{\n\tstruct nf_conn_seqadj *seqadj = nfct_seqadj(ct);\n\tstruct nf_ct_seqadj *seq;\n\n\tif (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)\n\t\treturn 0;\n\n\tspin_lock_bh(&ct->lock);\n\tseq = &seqadj->seq[IP_CT_DIR_ORIGINAL];\n\tif (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)\n\t\tgoto err;\n\n\tseq = &seqadj->seq[IP_CT_DIR_REPLY];\n\tif (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)\n\t\tgoto err;\n\n\tspin_unlock_bh(&ct->lock);\n\treturn 0;\nerr:\n\tspin_unlock_bh(&ct->lock);\n\treturn -1;\n}", "project": "linux", "hash": 175764004954664888954942462822784408253, "size": 23, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. 
MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394223 }, { "func": "static void discov_update(struct work_struct *work)\n{\n\tstruct hci_dev *hdev = container_of(work, struct hci_dev,\n\t\t\t\t\t discov_update);\n\tu8 status = 0;\n\n\tswitch (hdev->discovery.state) {\n\tcase DISCOVERY_STARTING:\n\t\tstart_discovery(hdev, &status);\n\t\tmgmt_start_discovery_complete(hdev, status);\n\t\tif (status)\n\t\t\thci_discovery_set_state(hdev, DISCOVERY_STOPPED);\n\t\telse\n\t\t\thci_discovery_set_state(hdev, DISCOVERY_FINDING);\n\t\tbreak;\n\tcase DISCOVERY_STOPPING:\n\t\thci_req_sync(hdev, stop_discovery, 0, HCI_CMD_TIMEOUT, &status);\n\t\tmgmt_stop_discovery_complete(hdev, status);\n\t\tif (!status)\n\t\t\thci_discovery_set_state(hdev, DISCOVERY_STOPPED);\n\t\tbreak;\n\tcase DISCOVERY_STOPPED:\n\tdefault:\n\t\treturn;\n\t}\n}", "project": "linux", "hash": 139387725538757647053427881013968394796, "size": 26, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between 
issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402581 }, { "func": "static long fuse_file_ioctl(struct file *file, unsigned int cmd,\n\t\t\t unsigned long arg)\n{\n\treturn fuse_ioctl_common(file, cmd, arg, 0);\n}", "project": "linux", "hash": 318508941170088142492074948956978453504, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342145 }, { "func": "static int bcf_hdr_set_idx(bcf_hdr_t *hdr, int dict_type, const char *tag, bcf_idinfo_t *idinfo)\n{\n size_t new_n;\n\n // If available, preserve existing IDX\n if ( idinfo->id==-1 )\n idinfo->id = hdr->n[dict_type];\n else if ( idinfo->id < hdr->n[dict_type] && hdr->id[dict_type][idinfo->id].key )\n {\n hts_log_error(\"Conflicting IDX=%d lines in the header dictionary, the new tag is %s\",\n idinfo->id, tag);\n errno = EINVAL;\n return -1;\n }\n\n new_n = idinfo->id >= hdr->n[dict_type] ? idinfo->id+1 : hdr->n[dict_type];\n if (hts_resize(bcf_idpair_t, new_n, &hdr->m[dict_type],\n &hdr->id[dict_type], HTS_RESIZE_CLEAR)) {\n return -1;\n }\n hdr->n[dict_type] = new_n;\n\n // NB: the next kh_put call can invalidate the idinfo pointer, therefore\n // we leave it unassigned here. It must be set explicitly in bcf_hdr_sync.\n hdr->id[dict_type][idinfo->id].key = tag;\n\n return 0;\n}", "project": "htslib", "hash": 29285882631440890875084588453327875021, "size": 28, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402246 }, { "func": "nfs4_init_uniquifier_client_string(struct nfs_client *clp)\n{\n\tsize_t len;\n\tchar *str;\n\n\tlen = 10 + 10 + 1 + 10 + 1 +\n\t\tstrlen(nfs4_client_id_uniquifier) + 1 +\n\t\tstrlen(clp->cl_rpcclient->cl_nodename) + 1;\n\n\tif (len > NFS4_OPAQUE_LIMIT + 1)\n\t\treturn -EINVAL;\n\n\t/*\n\t * Since this string is allocated at mount time, and held until the\n\t * nfs_client is destroyed, we can use GFP_KERNEL here w/o worrying\n\t * about a memory-reclaim deadlock.\n\t */\n\tstr = kmalloc(len, GFP_KERNEL);\n\tif (!str)\n\t\treturn -ENOMEM;\n\n\tscnprintf(str, len, \"Linux NFSv%u.%u %s/%s\",\n\t\t\tclp->rpc_ops->version, clp->cl_minorversion,\n\t\t\tnfs4_client_id_uniquifier,\n\t\t\tclp->cl_rpcclient->cl_nodename);\n\tclp->cl_owner_id = str;\n\treturn 0;\n}", "project": "linux", "hash": 123700907025249146609928485825772974981, "size": 28, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431580 }, { "func": "static int gdImageTileGet (gdImagePtr im, int x, int y)\n{\n\tint srcx, srcy;\n\tint tileColor,p;\n\tif (!im->tile) {\n\t\treturn -1;\n\t}\n\tsrcx = x % gdImageSX(im->tile);\n\tsrcy = y % gdImageSY(im->tile);\n\tp = gdImageGetPixel(im->tile, srcx, srcy);\n\n\tif (im->trueColor) {\n\t\tif (im->tile->trueColor) 
{\n\t\t\ttileColor = p;\n\t\t} else {\n\t\t\ttileColor = gdTrueColorAlpha( gdImageRed(im->tile,p), gdImageGreen(im->tile,p), gdImageBlue (im->tile,p), gdImageAlpha (im->tile,p));\n\t\t}\n\t} else {\n\t\tif (im->tile->trueColor) {\n\t\t\ttileColor = gdImageColorResolveAlpha(im, gdTrueColorGetRed (p), gdTrueColorGetGreen (p), gdTrueColorGetBlue (p), gdTrueColorGetAlpha (p));\n\t\t} else {\n\t\t\ttileColor = p;\n\t\t\ttileColor = gdImageColorResolveAlpha(im, gdImageRed (im->tile,p), gdImageGreen (im->tile,p), gdImageBlue (im->tile,p), gdImageAlpha (im->tile,p));\n\t\t}\n\t}\n\treturn tileColor;\n}", "project": "php-src", "hash": 167722306273305889224565840393037349096, "size": 27, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295151 }, { "func": "static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,\n\t\t\t const struct nlattr * const nla[])\n{\n\tstruct nftables_pernet *nft_net = nft_pernet(info->net);\n\tconst struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);\n\tstruct netlink_ext_ack *extack = info->extack;\n\tu8 genmask = nft_genmask_next(info->net);\n\tint family = nfmsg->nfgen_family;\n\tstruct nft_chain *chain = NULL;\n\tstruct net *net = info->net;\n\tconst struct nlattr *attr;\n\tstruct nft_table *table;\n\tu8 policy = NF_ACCEPT;\n\tstruct nft_ctx ctx;\n\tu64 handle = 0;\n\tu32 flags = 0;\n\n\tlockdep_assert_held(&nft_net->commit_mutex);\n\n\ttable = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,\n\t\t\t\t NETLINK_CB(skb).portid);\n\tif (IS_ERR(table)) {\n\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);\n\t\treturn PTR_ERR(table);\n\t}\n\n\tchain = NULL;\n\tattr = nla[NFTA_CHAIN_NAME];\n\n\tif (nla[NFTA_CHAIN_HANDLE]) {\n\t\thandle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));\n\t\tchain = nft_chain_lookup_byhandle(table, handle, genmask);\n\t\tif 
(IS_ERR(chain)) {\n\t\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);\n\t\t\treturn PTR_ERR(chain);\n\t\t}\n\t\tattr = nla[NFTA_CHAIN_HANDLE];\n\t} else if (nla[NFTA_CHAIN_NAME]) {\n\t\tchain = nft_chain_lookup(net, table, attr, genmask);\n\t\tif (IS_ERR(chain)) {\n\t\t\tif (PTR_ERR(chain) != -ENOENT) {\n\t\t\t\tNL_SET_BAD_ATTR(extack, attr);\n\t\t\t\treturn PTR_ERR(chain);\n\t\t\t}\n\t\t\tchain = NULL;\n\t\t}\n\t} else if (!nla[NFTA_CHAIN_ID]) {\n\t\treturn -EINVAL;\n\t}\n\n\tif (nla[NFTA_CHAIN_POLICY]) {\n\t\tif (chain != NULL &&\n\t\t !nft_is_base_chain(chain)) {\n\t\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);\n\t\t\treturn -EOPNOTSUPP;\n\t\t}\n\n\t\tif (chain == NULL &&\n\t\t nla[NFTA_CHAIN_HOOK] == NULL) {\n\t\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);\n\t\t\treturn -EOPNOTSUPP;\n\t\t}\n\n\t\tpolicy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));\n\t\tswitch (policy) {\n\t\tcase NF_DROP:\n\t\tcase NF_ACCEPT:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn -EINVAL;\n\t\t}\n\t}\n\n\tif (nla[NFTA_CHAIN_FLAGS])\n\t\tflags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));\n\telse if (chain)\n\t\tflags = chain->flags;\n\n\tif (flags & ~NFT_CHAIN_FLAGS)\n\t\treturn -EOPNOTSUPP;\n\n\tnft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);\n\n\tif (chain != NULL) {\n\t\tif (info->nlh->nlmsg_flags & NLM_F_EXCL) {\n\t\t\tNL_SET_BAD_ATTR(extack, attr);\n\t\t\treturn -EEXIST;\n\t\t}\n\t\tif (info->nlh->nlmsg_flags & NLM_F_REPLACE)\n\t\t\treturn -EOPNOTSUPP;\n\n\t\tflags |= chain->flags & NFT_CHAIN_BASE;\n\t\treturn nf_tables_updchain(&ctx, genmask, policy, flags, attr,\n\t\t\t\t\t extack);\n\t}\n\n\treturn nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);\n}", "project": "linux", "hash": 337260377351970865901242503539829658001, "size": 98, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression 
sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328356 }, { "func": "static int nfs4_delay_interruptible(long *timeout)\n{\n\tmight_sleep();\n\n\tfreezable_schedule_timeout_interruptible_unsafe(nfs4_update_delay(timeout));\n\tif (!signal_pending(current))\n\t\treturn 0;\n\treturn __fatal_signal_pending(current) ? 
-EINTR :-ERESTARTSYS;\n}", "project": "linux", "hash": 223487911386856952885535642046950007226, "size": 9, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431275 }, { "func": " static size_t BufferBytesForLength(int length) {\n return (length + 1) * sizeof(TypedValue) / 2; // Worst case: \"[0,0,...,0]\"\n }", "project": "hhvm", "hash": 187985021163479296056909586194168485018, "size": 3, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227296 }, { "func": " void initSb(int length) {\n if (UNLIKELY(length >= sb_cap)) {\n // No decoded string in the output can use more bytes than input size.\n const auto new_cap = length + 1;\n size_t bufSize = length <= RuntimeOption::EvalSimpleJsonMaxLength ?\n SimpleParser::BufferBytesForLength(length) :\n new_cap * 2;\n if (tl_buffer.raw) {\n json_free(tl_buffer.raw);\n tl_buffer.raw = nullptr;\n }\n sb_cap = 0;\n if (!tl_heap->preAllocOOM(bufSize)) {\n tl_buffer.raw = (char*)json_malloc(bufSize);\n if (!tl_buffer.raw) tl_heap->forceOOM();\n }\n check_non_safepoint_surprise();\n always_assert(tl_buffer.raw);\n sb_buf.setBuf(tl_buffer.raw, new_cap);\n sb_key.setBuf(tl_buffer.raw + new_cap, new_cap);\n // Set new capacity if and ony 
if allocations succeed.\n sb_cap = new_cap;\n } else {\n sb_buf.clear();\n sb_key.clear();\n }\n }", "project": "hhvm", "hash": 207874871631564152991404295803592777555, "size": 27, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227297 }, { "func": "static inline int tcp_ack_is_dubious(const struct sock *sk, const int flag)\n{\n\treturn !(flag & FLAG_NOT_DUP) || (flag & FLAG_CA_ALERT) ||\n\t\tinet_csk(sk)->icsk_ca_state != TCP_CA_Open;\n}", "project": "net-next", "hash": 282599344952777217844431052044884835344, "size": 5, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409914 }, { "func": "int mnt_optstr_append_option(char **optstr, const char *name, const char *value)\n{\n\tstruct ul_buffer buf = UL_INIT_BUFFER;\n\tint rc;\n\tsize_t nsz, vsz, osz;\n\n\tif (!optstr)\n\t\treturn -EINVAL;\n\tif (!name || !*name)\n\t\treturn 0;\n\n\tnsz = strlen(name);\n\tosz = *optstr ? strlen(*optstr) : 0;\n\tvsz = value ? 
strlen(value) : 0;\n\n\tul_buffer_refer_string(&buf, *optstr);\n\tul_buffer_set_chunksize(&buf, osz + nsz + vsz + 3);\t/* to call realloc() only once */\n\n\trc = __buffer_append_option(&buf, name, nsz, value, vsz);\n\n\t*optstr = ul_buffer_get_data(&buf, NULL, NULL);\n\treturn rc;\n}", "project": "util-linux", "hash": 321784079453775841413358071653001160309, "size": 23, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410440 }, { "func": "static inline void ep_set_ffd(struct epoll_filefd *ffd,\n\t\t\t struct file *file, int fd)\n{\n\tffd->file = file;\n\tffd->fd = fd;\n}", "project": "linux", "hash": 96115614057108101035582008267660863223, "size": 6, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336278 }, { "func": "int tty_check_change(struct tty_struct *tty)\n{\n\treturn __tty_check_change(tty, SIGTTOU);\n}", "project": "linux", "hash": 89355145711054240102050129116252511896, "size": 4, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. 
(Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326070 }, { "func": " bool val_bool()\n {\n if (check_null_ref())\n return 0;\n else\n return Item_direct_ref::val_bool();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 136288418024296490581652743941650700931, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509314 }, { "func": "static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,\n\t\tunsigned long old_addr, unsigned long old_end,\n\t\tstruct vm_area_struct *new_vma, pmd_t *new_pmd,\n\t\tunsigned long new_addr, bool need_rmap_locks)\n{\n\tstruct mm_struct *mm = vma->vm_mm;\n\tpte_t *old_pte, *new_pte, pte;\n\tspinlock_t *old_ptl, *new_ptl;\n\tbool force_flush = false;\n\tunsigned long len = old_end - old_addr;\n\n\t/*\n\t * When need_rmap_locks is true, we take the i_mmap_rwsem and anon_vma\n\t * locks to ensure that rmap will always observe either the old or the\n\t * new ptes. This is the easiest way to avoid races with\n\t * truncate_pagecache(), page migration, etc...\n\t *\n\t * When need_rmap_locks is false, we use other ways to avoid\n\t * such races:\n\t *\n\t * - During exec() shift_arg_pages(), we use a specially tagged vma\n\t * which rmap call sites look for using vma_is_temporary_stack().\n\t *\n\t * - During mremap(), new_vma is often known to be placed after vma\n\t * in rmap traversal order. 
This ensures rmap will always observe\n\t * either the old pte, or the new pte, or both (the page table locks\n\t * serialize access to individual ptes, but only rmap traversal\n\t * order guarantees that we won't miss both the old and new ptes).\n\t */\n\tif (need_rmap_locks)\n\t\ttake_rmap_locks(vma);\n\n\t/*\n\t * We don't have to worry about the ordering of src and dst\n\t * pte locks because exclusive mmap_sem prevents deadlock.\n\t */\n\told_pte = pte_offset_map_lock(mm, old_pmd, old_addr, &old_ptl);\n\tnew_pte = pte_offset_map(new_pmd, new_addr);\n\tnew_ptl = pte_lockptr(mm, new_pmd);\n\tif (new_ptl != old_ptl)\n\t\tspin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING);\n\tflush_tlb_batched_pending(vma->vm_mm);\n\tarch_enter_lazy_mmu_mode();\n\n\tfor (; old_addr < old_end; old_pte++, old_addr += PAGE_SIZE,\n\t\t\t\t new_pte++, new_addr += PAGE_SIZE) {\n\t\tif (pte_none(*old_pte))\n\t\t\tcontinue;\n\n\t\tpte = ptep_get_and_clear(mm, old_addr, old_pte);\n\t\t/*\n\t\t * If we are remapping a valid PTE, make sure\n\t\t * to flush TLB before we drop the PTL for the\n\t\t * PTE.\n\t\t *\n\t\t * NOTE! 
Both old and new PTL matter: the old one\n\t\t * for racing with page_mkclean(), the new one to\n\t\t * make sure the physical page stays valid until\n\t\t * the TLB entry for the old mapping has been\n\t\t * flushed.\n\t\t */\n\t\tif (pte_present(pte))\n\t\t\tforce_flush = true;\n\t\tpte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);\n\t\tpte = move_soft_dirty_pte(pte);\n\t\tset_pte_at(mm, new_addr, new_pte, pte);\n\t}\n\n\tarch_leave_lazy_mmu_mode();\n\tif (force_flush)\n\t\tflush_tlb_range(vma, old_end - len, old_end);\n\tif (new_ptl != old_ptl)\n\t\tspin_unlock(new_ptl);\n\tpte_unmap(new_pte - 1);\n\tpte_unmap_unlock(old_pte - 1, old_ptl);\n\tif (need_rmap_locks)\n\t\tdrop_rmap_locks(vma);\n}", "project": "linux", "hash": 82187114488891167538250982168432834447, "size": 78, "commit_id": "5bfea2d9b17f1034a68147a8b03b9789af5700f9", "message": "mm: Fix mremap not considering huge pmd devmap\n\nThe original code in mm/mremap.c checks huge pmd by:\n\n\t\tif (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {\n\nHowever, a DAX mapped nvdimm is mapped as huge page (by default) but it\nis not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This commit\nchanges the condition to include the case.\n\nThis addresses CVE-2020-10757.\n\nFixes: 5c7fb56e5e3f (\"mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd\")\nCc: \nReported-by: Fan Yang \nSigned-off-by: Fan Yang \nTested-by: Fan Yang \nTested-by: Dan Williams \nReviewed-by: Dan Williams \nAcked-by: Kirill A. 
Shutemov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 321575 }, { "func": "static int __dequeue_signal(struct sigpending *pending, sigset_t *mask,\n\t\t\tkernel_siginfo_t *info, bool *resched_timer)\n{\n\tint sig = next_signal(pending, mask);\n\n\tif (sig)\n\t\tcollect_signal(sig, pending, info, resched_timer);\n\treturn sig;\n}", "project": "linux", "hash": 337173810628225632907675343597625885821, "size": 9, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375285 }, { "func": "static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\tif (ev->status)\n\t\treturn;\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));\n\tif (conn) {\n\t\tstruct adv_info *adv_instance;\n\n\t\tif (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM)\n\t\t\treturn;\n\n\t\tif (!hdev->cur_adv_instance) {\n\t\t\tbacpy(&conn->resp_addr, &hdev->random_addr);\n\t\t\treturn;\n\t\t}\n\n\t\tadv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);\n\t\tif (adv_instance)\n\t\t\tbacpy(&conn->resp_addr, &adv_instance->random_addr);\n\t}\n}", "project": "linux", "hash": 70496378273834681985297399791362207747, "size": 27, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432006 }, { "func": "static char* oidc_make_sid_iss_unique(request_rec *r, const char *sid,\n\t\tconst char *issuer) {\n\treturn apr_psprintf(r->pool, \"%s@%s\", sid, issuer);\n}", "project": "mod_auth_openidc", "hash": 324948482964071728186867195904250409667, "size": 4, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381938 }, { "func": "void gdImageCharUp (gdImagePtr im, gdFontPtr f, int x, int y, int c, int color)\n{\n\tint cx, cy;\n\tint px, py;\n\tint fline;\n\tcx = 0;\n\tcy = 0;\n#ifdef CHARSET_EBCDIC\n\tc = ASC (c);\n#endif /*CHARSET_EBCDIC */\n\tif ((c < f->offset) || (c >= (f->offset + f->nchars))) {\n\t\treturn;\n\t}\n\tfline = (c - f->offset) * f->h * f->w;\n\tfor (py = y; py > (y - f->w); py--) {\n\t\tfor (px = x; px < (x + f->h); px++) {\n\t\t\tif (f->data[fline + cy * f->w + cx]) {\n\t\t\t\tgdImageSetPixel(im, px, py, color);\n\t\t\t}\n\t\t\tcy++;\n\t\t}\n\t\tcy = 0;\n\t\tcx++;\n\t}\n}", "project": "php-src", "hash": 309052467628475635487848496696373237784, "size": 25, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295125 }, { "func": "static int packet_sendmsg_spkt(struct socket *sock, struct msghdr *msg,\n\t\t\t size_t len)\n{\n\tstruct sock *sk = sock->sk;\n\tDECLARE_SOCKADDR(struct sockaddr_pkt *, saddr, 
msg->msg_name);\n\tstruct sk_buff *skb = NULL;\n\tstruct net_device *dev;\n\tstruct sockcm_cookie sockc;\n\t__be16 proto = 0;\n\tint err;\n\tint extra_len = 0;\n\n\t/*\n\t *\tGet and verify the address.\n\t */\n\n\tif (saddr) {\n\t\tif (msg->msg_namelen < sizeof(struct sockaddr))\n\t\t\treturn -EINVAL;\n\t\tif (msg->msg_namelen == sizeof(struct sockaddr_pkt))\n\t\t\tproto = saddr->spkt_protocol;\n\t} else\n\t\treturn -ENOTCONN;\t/* SOCK_PACKET must be sent giving an address */\n\n\t/*\n\t *\tFind the device first to size check it\n\t */\n\n\tsaddr->spkt_device[sizeof(saddr->spkt_device) - 1] = 0;\nretry:\n\trcu_read_lock();\n\tdev = dev_get_by_name_rcu(sock_net(sk), saddr->spkt_device);\n\terr = -ENODEV;\n\tif (dev == NULL)\n\t\tgoto out_unlock;\n\n\terr = -ENETDOWN;\n\tif (!(dev->flags & IFF_UP))\n\t\tgoto out_unlock;\n\n\t/*\n\t * You may not queue a frame bigger than the mtu. This is the lowest level\n\t * raw protocol and you must do your own fragmentation at this level.\n\t */\n\n\tif (unlikely(sock_flag(sk, SOCK_NOFCS))) {\n\t\tif (!netif_supports_nofcs(dev)) {\n\t\t\terr = -EPROTONOSUPPORT;\n\t\t\tgoto out_unlock;\n\t\t}\n\t\textra_len = 4; /* We're doing our own CRC */\n\t}\n\n\terr = -EMSGSIZE;\n\tif (len > dev->mtu + dev->hard_header_len + VLAN_HLEN + extra_len)\n\t\tgoto out_unlock;\n\n\tif (!skb) {\n\t\tsize_t reserved = LL_RESERVED_SPACE(dev);\n\t\tint tlen = dev->needed_tailroom;\n\t\tunsigned int hhlen = dev->header_ops ? dev->hard_header_len : 0;\n\n\t\trcu_read_unlock();\n\t\tskb = sock_wmalloc(sk, len + reserved + tlen, 0, GFP_KERNEL);\n\t\tif (skb == NULL)\n\t\t\treturn -ENOBUFS;\n\t\t/* FIXME: Save some space for broken drivers that write a hard\n\t\t * header at transmission time by themselves. PPP is the notable\n\t\t * one here. 
This should really be fixed at the driver level.\n\t\t */\n\t\tskb_reserve(skb, reserved);\n\t\tskb_reset_network_header(skb);\n\n\t\t/* Try to align data part correctly */\n\t\tif (hhlen) {\n\t\t\tskb->data -= hhlen;\n\t\t\tskb->tail -= hhlen;\n\t\t\tif (len < hhlen)\n\t\t\t\tskb_reset_network_header(skb);\n\t\t}\n\t\terr = memcpy_from_msg(skb_put(skb, len), msg, len);\n\t\tif (err)\n\t\t\tgoto out_free;\n\t\tgoto retry;\n\t}\n\n\tif (!dev_validate_header(dev, skb->data, len)) {\n\t\terr = -EINVAL;\n\t\tgoto out_unlock;\n\t}\n\tif (len > (dev->mtu + dev->hard_header_len + extra_len) &&\n\t !packet_extra_vlan_len_allowed(dev, skb)) {\n\t\terr = -EMSGSIZE;\n\t\tgoto out_unlock;\n\t}\n\n\tsockcm_init(&sockc, sk);\n\tif (msg->msg_controllen) {\n\t\terr = sock_cmsg_send(sk, msg, &sockc);\n\t\tif (unlikely(err))\n\t\t\tgoto out_unlock;\n\t}\n\n\tskb->protocol = proto;\n\tskb->dev = dev;\n\tskb->priority = sk->sk_priority;\n\tskb->mark = sk->sk_mark;\n\tskb->tstamp = sockc.transmit_time;\n\n\tskb_setup_tx_timestamp(skb, sockc.tsflags);\n\n\tif (unlikely(extra_len == 4))\n\t\tskb->no_fcs = 1;\n\n\tpacket_parse_headers(skb, sock);\n\n\tdev_queue_xmit(skb);\n\trcu_read_unlock();\n\treturn len;\n\nout_unlock:\n\trcu_read_unlock();\nout_free:\n\tkfree_skb(skb);\n\treturn err;\n}", "project": "linux", "hash": 84788405253634047061931871245931939955, "size": 126, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: 
Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330368 }, { "func": "static int core_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp)\n{\n ap_mutex_init(pconf);\n\n if (!saved_server_config_defines)\n init_config_defines(pconf);\n apr_pool_cleanup_register(pconf, NULL, reset_config_defines,\n apr_pool_cleanup_null);\n\n mpm_common_pre_config(pconf);\n\n return OK;\n}", "project": "httpd", "hash": 119035144148223245914337234430821869838, "size": 13, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246362 }, { "func": "void imap_keepalive(void)\n{\n time_t now = mutt_date_epoch();\n struct Account *np = NULL;\n TAILQ_FOREACH(np, &NeoMutt->accounts, entries)\n {\n if (np->type != MUTT_IMAP)\n continue;\n\n struct ImapAccountData *adata = np->adata;\n if (!adata || !adata->mailbox)\n continue;\n\n const short c_imap_keepalive =\n cs_subset_number(NeoMutt->sub, \"imap_keepalive\");\n if ((adata->state >= IMAP_AUTHENTICATED) && (now >= (adata->lastread + c_imap_keepalive)))\n imap_check_mailbox(adata->mailbox, true);\n }\n}", "project": "neomutt", "hash": 322419735042318792132015060342791530812, "size": 19, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. 
In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399292 }, { "func": "static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,\n\t\tstruct iattr *sattr, dev_t rdev)\n{\n\tstruct nfs_server *server = NFS_SERVER(dir);\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tstruct nfs4_label l, *label = NULL;\n\tint err;\n\n\tlabel = nfs4_label_init_security(dir, dentry, sattr, &l);\n\n\tif (!(server->attr_bitmask[2] & FATTR4_WORD2_MODE_UMASK))\n\t\tsattr->ia_mode &= ~current_umask();\n\tdo {\n\t\terr = _nfs4_proc_mknod(dir, dentry, sattr, label, rdev);\n\t\ttrace_nfs4_mknod(dir, &dentry->d_name, err);\n\t\terr = nfs4_handle_exception(NFS_SERVER(dir), err,\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\n\tnfs4_label_release_security(label);\n\n\treturn err;\n}", "project": "linux", "hash": 138016616174396456496029803489427484942, "size": 25, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431199 }, { "func": "int RGWHandler_REST_S3Website::error_handler(int err_no,\n\t\t\t\t\t string* error_content) {\n int new_err_no = -1;\n rgw_http_errors::const_iterator r = rgw_http_s3_errors.find(err_no > 0 ? 
err_no : -err_no);\n int http_error_code = -1;\n\n if (r != rgw_http_s3_errors.end()) {\n http_error_code = r->second.first;\n }\n ldout(s->cct, 10) << \"RGWHandler_REST_S3Website::error_handler err_no=\" << err_no << \" http_ret=\" << http_error_code << dendl;\n\n RGWBWRoutingRule rrule;\n bool should_redirect =\n s->bucket_info.website_conf.should_redirect(original_object_name,\n http_error_code, &rrule);\n\n if (should_redirect) {\n const string& hostname = s->info.env->get(\"HTTP_HOST\", \"\");\n const string& protocol =\n (s->info.env->get(\"SERVER_PORT_SECURE\") ? \"https\" : \"http\");\n int redirect_code = 0;\n rrule.apply_rule(protocol, hostname, original_object_name,\n &s->redirect, &redirect_code);\n // Apply a custom HTTP response code\n if (redirect_code > 0)\n s->err.http_ret = redirect_code; // Apply a custom HTTP response code\n ldout(s->cct, 10) << \"error handler redirect code=\" << redirect_code\n\t\t << \" proto+host:\" << protocol << \"://\" << hostname\n\t\t << \" -> \" << s->redirect << dendl;\n return -ERR_WEBSITE_REDIRECT;\n } else if (err_no == -ERR_WEBSITE_REDIRECT) {\n // Do nothing here, this redirect will be handled in abort_early's ERR_WEBSITE_REDIRECT block\n // Do NOT fire the ErrorDoc handler\n } else if (!s->bucket_info.website_conf.error_doc.empty()) {\n /* This serves an entire page!\n On success, it will return zero, and no further content should be sent to the socket\n On failure, we need the double-error handler\n */\n new_err_no = RGWHandler_REST_S3Website::serve_errordoc(http_error_code, s->bucket_info.website_conf.error_doc);\n if (new_err_no && new_err_no != -1) {\n err_no = new_err_no;\n }\n } else {\n ldout(s->cct, 20) << \"No special error handling today!\" << dendl;\n }\n\n return err_no;\n}", "project": "ceph", "hash": 94712813637401000865596535927229790503, "size": 48, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt 
Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281408 }, { "func": "int RGWSwiftWebsiteHandler::error_handler(const int err_no,\n std::string* const error_content)\n{\n const auto& ws_conf = s->bucket_info.website_conf;\n\n if (can_be_website_req() && ! ws_conf.error_doc.empty()) {\n set_req_state_err(s, err_no);\n return serve_errordoc(s->err.http_ret, ws_conf.error_doc);\n }\n\n /* Let's go to the default, no-op handler. */\n return err_no;\n}", "project": "ceph", "hash": 317578339399558809867180716819222573474, "size": 13, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448868 }, { "func": "ConnStateData::receivedFirstByte()\n{\n if (receivedFirstByte_)\n return;\n\n receivedFirstByte_ = true;\n // Set timeout to Config.Timeout.request\n typedef CommCbMemFunT TimeoutDialer;\n AsyncCall::Pointer timeoutCall = JobCallback(33, 5,\n TimeoutDialer, this, ConnStateData::requestTimeout);\n commSetConnTimeout(clientConnection, Config.Timeout.request, timeoutCall);\n}", "project": "squid", "hash": 24311604685447442847709285570023797452, "size": 12, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402299 }, { "func": "ElectronNavigationThrottle::WillRedirectRequest() {\n auto* handle = navigation_handle();\n auto* contents = handle->GetWebContents();\n if (!contents) {\n NOTREACHED();\n return PROCEED;\n }\n\n v8::Isolate* isolate = v8::Isolate::GetCurrent();\n v8::HandleScope scope(isolate);\n auto api_contents = electron::api::WebContents::From(isolate, contents);\n if (api_contents.IsEmpty()) {\n // No need to emit any event if the WebContents is not available in JS.\n return PROCEED;\n }\n\n if (api_contents->EmitNavigationEvent(\"will-redirect\", handle)) {\n return CANCEL;\n }\n return PROCEED;\n}", "project": "electron", "hash": 19538621332591865598545347691380386786, "size": 21, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269714 }, { "func": "static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,\n\t\t\t u8 peer_addr_type, u8 own_address_type,\n\t\t\t u8 filter_policy)\n{\n\tstruct hci_conn *conn;\n\n\tconn = hci_conn_hash_lookup_le(hdev, peer_addr,\n\t\t\t\t peer_addr_type);\n\tif (!conn)\n\t\treturn;\n\n\t/* Store the initiator and responder address information which\n\t * is needed for SMP. 
These values will not change during the\n\t * lifetime of the connection.\n\t */\n\tconn->init_addr_type = own_address_type;\n\tif (own_address_type == ADDR_LE_DEV_RANDOM)\n\t\tbacpy(&conn->init_addr, &hdev->random_addr);\n\telse\n\t\tbacpy(&conn->init_addr, &hdev->bdaddr);\n\n\tconn->resp_addr_type = peer_addr_type;\n\tbacpy(&conn->resp_addr, peer_addr);\n\n\t/* We don't want the connection attempt to stick around\n\t * indefinitely since LE doesn't have a page timeout concept\n\t * like BR/EDR. Set a timer for any connection that doesn't use\n\t * the white list for connecting.\n\t */\n\tif (filter_policy == HCI_LE_USE_PEER_ADDR)\n\t\tqueue_delayed_work(conn->hdev->workqueue,\n\t\t\t\t &conn->le_conn_timeout,\n\t\t\t\t conn->conn_timeout);\n}", "project": "linux", "hash": 280126833995572967592122996468641254995, "size": 34, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431933 }, { "func": "static int pep_sock_connect(struct sock *sk, struct sockaddr *addr, int len)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tint err;\n\tu8 data[4] = { 0 /* sub-blocks */, PAD, PAD, PAD };\n\n\tif (pn->pipe_handle == PN_PIPE_INVALID_HANDLE)\n\t\tpn->pipe_handle = 1; /* anything but INVALID_HANDLE */\n\n\terr = pipe_handler_request(sk, PNS_PEP_CONNECT_REQ,\n\t\t\t\tpn->init_enable, data, 4);\n\tif (err) {\n\t\tpn->pipe_handle = PN_PIPE_INVALID_HANDLE;\n\t\treturn err;\n\t}\n\n\tsk->sk_state = TCP_SYN_SENT;\n\n\treturn 0;\n}", "project": "linux", "hash": 280768466974192907416977393229840932149, "size": 20, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224789 }, { "func": "static void encode_compound_hdr(struct xdr_stream *xdr,\n\t\t\t\tstruct rpc_rqst *req,\n\t\t\t\tstruct compound_hdr *hdr)\n{\n\t__be32 *p;\n\n\t/* initialize running count of expected bytes in reply.\n\t * NOTE: the replied tag SHOULD be the same is the one sent,\n\t * but this is not required as a MUST for the server to do so. 
*/\n\thdr->replen = 3 + hdr->taglen;\n\n\tWARN_ON_ONCE(hdr->taglen > NFS4_MAXTAGLEN);\n\tencode_string(xdr, hdr->taglen, hdr->tag);\n\tp = reserve_space(xdr, 8);\n\t*p++ = cpu_to_be32(hdr->minorversion);\n\thdr->nops_p = p;\n\t*p = cpu_to_be32(hdr->nops);\n}", "project": "linux", "hash": 272775528875884423278139742274006747151, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431381 }, { "func": "static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,\n\t\t\t\t u32 portid, u32 seq, int event,\n\t\t\t\t u32 flags, int family,\n\t\t\t\t const struct nft_table *table,\n\t\t\t\t const struct nft_chain *chain,\n\t\t\t\t const struct nft_rule *rule,\n\t\t\t\t const struct nft_rule *prule)\n{\n\tstruct nlmsghdr *nlh;\n\tconst struct nft_expr *expr, *next;\n\tstruct nlattr *list;\n\tu16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);\n\n\tnlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,\n\t\t\t nft_base_seq(net));\n\tif (!nlh)\n\t\tgoto nla_put_failure;\n\n\tif (nla_put_string(skb, NFTA_RULE_TABLE, table->name))\n\t\tgoto nla_put_failure;\n\tif (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))\n\t\tgoto nla_put_failure;\n\tif (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),\n\t\t\t NFTA_RULE_PAD))\n\t\tgoto nla_put_failure;\n\n\tif (event != NFT_MSG_DELRULE && prule) {\n\t\tif (nla_put_be64(skb, NFTA_RULE_POSITION,\n\t\t\t\t cpu_to_be64(prule->handle),\n\t\t\t\t NFTA_RULE_PAD))\n\t\t\tgoto nla_put_failure;\n\t}\n\n\tif (chain->flags & 
NFT_CHAIN_HW_OFFLOAD)\n\t\tnft_flow_rule_stats(chain, rule);\n\n\tlist = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);\n\tif (list == NULL)\n\t\tgoto nla_put_failure;\n\tnft_rule_for_each_expr(expr, next, rule) {\n\t\tif (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)\n\t\t\tgoto nla_put_failure;\n\t}\n\tnla_nest_end(skb, list);\n\n\tif (rule->udata) {\n\t\tstruct nft_userdata *udata = nft_userdata(rule);\n\t\tif (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,\n\t\t\t udata->data) < 0)\n\t\t\tgoto nla_put_failure;\n\t}\n\n\tnlmsg_end(skb, nlh);\n\treturn 0;\n\nnla_put_failure:\n\tnlmsg_trim(skb, nlh);\n\treturn -1;\n}", "project": "linux", "hash": 255627108893074896307977627878317464235, "size": 59, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? 
nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328343 }, { "func": "static bool vhost_can_busy_poll(unsigned long endtime)\n{\n\treturn likely(!need_resched() && !time_after(busy_clock(), endtime) &&\n\t\t !signal_pending(current));\n}", "project": "linux", "hash": 65048447435955723673914136635696726590, "size": 5, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 441985 }, { "func": "static void kiocb_done(struct kiocb *kiocb, ssize_t ret,\n\t\t unsigned int issue_flags)\n{\n\tstruct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);\n\tstruct io_async_rw *io = req->async_data;\n\tbool check_reissue = kiocb->ki_complete == io_complete_rw;\n\n\t/* add previously done IO, if any */\n\tif (io && io->bytes_done > 0) {\n\t\tif (ret < 0)\n\t\t\tret = io->bytes_done;\n\t\telse\n\t\t\tret += io->bytes_done;\n\t}\n\n\tif (req->flags & REQ_F_CUR_POS)\n\t\treq->file->f_pos = kiocb->ki_pos;\n\tif (ret >= 0 && kiocb->ki_complete == io_complete_rw)\n\t\t__io_complete_rw(req, ret, 0, issue_flags);\n\telse\n\t\tio_rw_done(kiocb, ret);\n\n\tif (check_reissue && req->flags & REQ_F_REISSUE) {\n\t\treq->flags &= ~REQ_F_REISSUE;\n\t\tif (io_resubmit_prep(req)) {\n\t\t\treq_ref_get(req);\n\t\t\tio_queue_async_work(req);\n\t\t} else {\n\t\t\tint cflags = 0;\n\n\t\t\treq_set_fail_links(req);\n\t\t\tif (req->flags & REQ_F_BUFFER_SELECTED)\n\t\t\t\tcflags = io_put_rw_kbuf(req);\n\t\t\t__io_req_complete(req, issue_flags, ret, cflags);\n\t\t}\n\t}\n}", "project": "linux", "hash": 169328060577521973592074513046501844106, "size": 37, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338525 }, { "func": "static void kiocb_done(struct kiocb *kiocb, ssize_t ret,\n\t\t struct io_comp_state *cs)\n{\n\tstruct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);\n\n\tif (req->flags & REQ_F_CUR_POS)\n\t\treq->file->f_pos = kiocb->ki_pos;\n\tif (ret >= 0 && kiocb->ki_complete == io_complete_rw)\n\t\t__io_complete_rw(req, ret, 0, cs);\n\telse\n\t\tio_rw_done(kiocb, ret);\n}", "project": "linux", "hash": 327165183154618810455394077474281174946, "size": 12, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456951 }, { "func": "static void register_prot_hook(struct sock *sk)\n{\n\tlockdep_assert_held_once(&pkt_sk(sk)->bind_lock);\n\t__register_prot_hook(sk);\n}", "project": "linux", "hash": 214569325543472449340298968982738877454, "size": 5, "commit_id": 
"acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330375 }, { "func": "int imap_access(const char *path)\n{\n if (imap_path_status(path, false) >= 0)\n return 0;\n return -1;\n}", "project": "neomutt", "hash": 256695618484674626848589996629493723599, "size": 6, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357033 }, { "func": "static __init int tracer_init_tracefs(void)\n{\n\tstruct dentry *d_tracer;\n\n\ttrace_access_lock_init();\n\n\td_tracer = tracing_init_dentry();\n\tif (IS_ERR(d_tracer))\n\t\treturn 0;\n\n\tinit_tracer_tracefs(&global_trace, d_tracer);\n\tftrace_init_tracefs_toplevel(&global_trace, d_tracer);\n\n\ttrace_create_file(\"tracing_thresh\", 0644, d_tracer,\n\t\t\t&global_trace, &tracing_thresh_fops);\n\n\ttrace_create_file(\"README\", 0444, d_tracer,\n\t\t\tNULL, &tracing_readme_fops);\n\n\ttrace_create_file(\"saved_cmdlines\", 0444, d_tracer,\n\t\t\tNULL, &tracing_saved_cmdlines_fops);\n\n\ttrace_create_file(\"saved_cmdlines_size\", 0644, d_tracer,\n\t\t\t NULL, &tracing_saved_cmdlines_size_fops);\n\n\ttrace_create_file(\"saved_tgids\", 0444, d_tracer,\n\t\t\tNULL, 
&tracing_saved_tgids_fops);\n\n\ttrace_eval_init();\n\n\ttrace_create_eval_file(d_tracer);\n\n#ifdef CONFIG_MODULES\n\tregister_module_notifier(&trace_module_nb);\n#endif\n\n#ifdef CONFIG_DYNAMIC_FTRACE\n\ttrace_create_file(\"dyn_ftrace_total_info\", 0444, d_tracer,\n\t\t\t&ftrace_update_tot_cnt, &tracing_dyn_info_fops);\n#endif\n\n\tcreate_trace_instances(d_tracer);\n\n\tupdate_tracer_options(&global_trace);\n\n\treturn 0;\n}", "project": "linux", "hash": 305408131826697831768649593407602360649, "size": 47, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445758 }, { "func": "static void hardware_disable_all(void)\n{\n\traw_spin_lock(&kvm_count_lock);\n\thardware_disable_all_nolock();\n\traw_spin_unlock(&kvm_count_lock);\n}", "project": "linux", "hash": 226443474421466114374628020078566066822, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array 
based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354535 }, { "func": "static int oidc_handle_logout_request(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session, const char *url) {\n\n\toidc_debug(r, \"enter (url=%s)\", url);\n\n\t/* if there's no remote_user then there's no (stored) session to kill */\n\tif (session->remote_user != NULL)\n\t\toidc_revoke_tokens(r, c, session);\n\n\t/*\n\t * remove session state (cq. cache entry and cookie)\n\t * always clear the session cookie because the cookie may be not sent (but still in the browser)\n\t * due to SameSite policies\n\t */\n\toidc_session_kill(r, session);\n\n\t/* see if this is the OP calling us */\n\tif (oidc_is_front_channel_logout(url)) {\n\n\t\t/* set recommended cache control headers */\n\t\toidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_CACHE_CONTROL,\n\t\t\t\t\"no-cache, no-store\");\n\t\toidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_PRAGMA, \"no-cache\");\n\t\toidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_P3P, \"CAO PSA OUR\");\n\t\toidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_EXPIRES, \"0\");\n\t\toidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_X_FRAME_OPTIONS, \"DENY\");\n\n\t\t/* see if this is PF-PA style logout in which case we return a transparent pixel */\n\t\tconst char *accept = oidc_util_hdr_in_accept_get(r);\n\t\tif ((apr_strnatcmp(url, OIDC_IMG_STYLE_LOGOUT_PARAM_VALUE) == 0)\n\t\t\t\t|| ((accept) && strstr(accept, OIDC_CONTENT_TYPE_IMAGE_PNG))) {\n\t\t\t// terminate with DONE instead of OK\n\t\t\t// to avoid Apache returning auth/authz error 401 for the redirect URI\n\t\t\treturn oidc_util_http_send(r, (const char*) &oidc_transparent_pixel,\n\t\t\t\t\tsizeof(oidc_transparent_pixel), OIDC_CONTENT_TYPE_IMAGE_PNG,\n\t\t\t\t\tDONE);\n\t\t}\n\n\t\t/* standard HTTP based 
logout: should be called in an iframe from the OP */\n\t\treturn oidc_util_html_send(r, \"Logged Out\", NULL, NULL,\n\t\t\t\t\"

Logged Out

\", DONE);\n\t}\n\n\t/* see if we don't need to go somewhere special after killing the session locally */\n\tif (url == NULL)\n\t\treturn oidc_util_html_send(r, \"Logged Out\", NULL, NULL,\n\t\t\t\t\"

Logged Out

\", OK);\n\n\t/* send the user to the specified where-to-go-after-logout URL */\n\toidc_util_hdr_out_location_set(r, url);\n\n\treturn HTTP_MOVED_TEMPORARILY;\n}", "project": "mod_auth_openidc", "hash": 306207046544447682518124597991310811934, "size": 53, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381955 }, { "func": "static int oidc_handle_logout_request(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session, const char *url) {\n\n\toidc_debug(r, \"enter (url=%s)\", url);\n\n\t/* if there's no remote_user then there's no (stored) session to kill */\n\tif (session->remote_user != NULL) {\n\n\t\toidc_revoke_tokens(r, c, session);\n\n\t\t/* remove session state (cq. cache entry and cookie) */\n\t\toidc_session_kill(r, session);\n\t}\n\n\t/* see if this is the OP calling us */\n\tif (oidc_is_front_channel_logout(url)) {\n\n\t\t/* set recommended cache control headers */\n\t\toidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_CACHE_CONTROL,\n\t\t\t\t\"no-cache, no-store\");\n\t\toidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_PRAGMA, \"no-cache\");\n\t\toidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_P3P, \"CAO PSA OUR\");\n\t\toidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_EXPIRES, \"0\");\n\t\toidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_X_FRAME_OPTIONS, \"DENY\");\n\n\t\t/* see if this is PF-PA style logout in which case we return a transparent pixel */\n\t\tconst char *accept = oidc_util_hdr_in_accept_get(r);\n\t\tif ((apr_strnatcmp(url, OIDC_IMG_STYLE_LOGOUT_PARAM_VALUE) == 0)\n\t\t\t\t|| ((accept) && strstr(accept, OIDC_CONTENT_TYPE_IMAGE_PNG))) {\n\t\t\treturn oidc_util_http_send(r,\n\t\t\t\t\t(const char *) &oidc_transparent_pixel,\n\t\t\t\t\tsizeof(oidc_transparent_pixel), OIDC_CONTENT_TYPE_IMAGE_PNG,\n\t\t\t\t\tOK);\n\t\t}\n\n\t\t/* standard HTTP based 
logout: should be called in an iframe from the OP */\n\t\treturn oidc_util_html_send(r, \"Logged Out\", NULL, NULL,\n\t\t\t\t\"

Logged Out

\", OK);\n\t}\n\n\t/* see if we don't need to go somewhere special after killing the session locally */\n\tif (url == NULL)\n\t\treturn oidc_util_html_send(r, \"Logged Out\", NULL, NULL,\n\t\t\t\t\"

Logged Out

\", OK);\n\n\t/* send the user to the specified where-to-go-after-logout URL */\n\toidc_util_hdr_out_location_set(r, url);\n\n\treturn HTTP_MOVED_TEMPORARILY;\n}", "project": "mod_auth_openidc", "hash": 161227663856032381269614218966650079344, "size": 50, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447712 }, { "func": "static int set_sadb_address(struct sk_buff *skb, int sasize, int type,\n\t\t\t const struct xfrm_selector *sel)\n{\n\tstruct sadb_address *addr;\n\taddr = skb_put(skb, sizeof(struct sadb_address) + sasize);\n\taddr->sadb_address_len = (sizeof(struct sadb_address) + sasize)/8;\n\taddr->sadb_address_exttype = type;\n\taddr->sadb_address_proto = sel->proto;\n\taddr->sadb_address_reserved = 0;\n\n\tswitch (type) {\n\tcase SADB_EXT_ADDRESS_SRC:\n\t\taddr->sadb_address_prefixlen = sel->prefixlen_s;\n\t\tpfkey_sockaddr_fill(&sel->saddr, 0,\n\t\t\t\t (struct sockaddr *)(addr + 1),\n\t\t\t\t sel->family);\n\t\tbreak;\n\tcase SADB_EXT_ADDRESS_DST:\n\t\taddr->sadb_address_prefixlen = sel->prefixlen_d;\n\t\tpfkey_sockaddr_fill(&sel->daddr, 0,\n\t\t\t\t (struct sockaddr *)(addr + 1),\n\t\t\t\t sel->family);\n\t\tbreak;\n\tdefault:\n\t\treturn -EINVAL;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 102088310448062199184204499753926613645, "size": 29, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268089 }, { "func": "u32 screen_glyph_unicode(struct vc_data *vc, int n)\n{\n\tstruct uni_screen *uniscr = get_vc_uniscr(vc);\n\n\tif (uniscr)\n\t\treturn uniscr->lines[n / vc->vc_cols][n % vc->vc_cols];\n\treturn inverse_translate(vc, screen_glyph(vc, n * 2), 1);\n}", "project": "linux", "hash": 133823291078272696299805389510930448792, "size": 8, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437055 }, { "func": "static void reset_terminal(struct vc_data *vc, int do_clear)\n{\n\tvc->vc_top\t\t= 0;\n\tvc->vc_bottom\t\t= vc->vc_rows;\n\tvc->vc_state\t\t= ESnormal;\n\tvc->vc_priv\t\t= EPecma;\n\tvc->vc_translate\t= set_translate(LAT1_MAP, vc);\n\tvc->vc_G0_charset\t= LAT1_MAP;\n\tvc->vc_G1_charset\t= GRAF_MAP;\n\tvc->vc_charset\t\t= 0;\n\tvc->vc_need_wrap\t= 0;\n\tvc->vc_report_mouse\t= 0;\n\tvc->vc_utf = default_utf8;\n\tvc->vc_utf_count\t= 0;\n\n\tvc->vc_disp_ctrl\t= 0;\n\tvc->vc_toggle_meta\t= 0;\n\n\tvc->vc_decscnm\t\t= 0;\n\tvc->vc_decom\t\t= 0;\n\tvc->vc_decawm\t\t= 1;\n\tvc->vc_deccm\t\t= global_cursor_default;\n\tvc->vc_decim\t\t= 0;\n\n\tvt_reset_keyboard(vc->vc_num);\n\n\tvc->vc_cursor_type = cur_default;\n\tvc->vc_complement_mask = vc->vc_s_complement_mask;\n\n\tdefault_attr(vc);\n\tupdate_attr(vc);\n\n\tvc->vc_tab_stop[0]\t=\n\tvc->vc_tab_stop[1]\t=\n\tvc->vc_tab_stop[2]\t=\n\tvc->vc_tab_stop[3]\t=\n\tvc->vc_tab_stop[4]\t=\n\tvc->vc_tab_stop[5]\t=\n\tvc->vc_tab_stop[6]\t=\n\tvc->vc_tab_stop[7]\t= 0x01010101;\n\n\tvc->vc_bell_pitch = DEFAULT_BELL_PITCH;\n\tvc->vc_bell_duration = DEFAULT_BELL_DURATION;\n\tvc->vc_cur_blink_ms = DEFAULT_CURSOR_BLINK_MS;\n\n\tgotoxy(vc, 0, 0);\n\tsave_cur(vc);\n\tif (do_clear)\n\t csi_J(vc, 2);\n}", "project": "linux", "hash": 307748207665148099475645994863630285303, "size": 50, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. 
But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 
(\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437052 }, { "func": "static int futex_wake(u32 __user *uaddr, int fshared, int nr_wake, u32 bitset)\n{\n\tstruct futex_hash_bucket *hb;\n\tstruct futex_q *this, *next;\n\tstruct plist_head *head;\n\tunion futex_key key = FUTEX_KEY_INIT;\n\tint ret;\n\n\tif (!bitset)\n\t\treturn -EINVAL;\n\n\tret = get_futex_key(uaddr, fshared, &key);\n\tif (unlikely(ret != 0))\n\t\tgoto out;\n\n\thb = hash_futex(&key);\n\tspin_lock(&hb->lock);\n\thead = &hb->chain;\n\n\tplist_for_each_entry_safe(this, next, head, list) {\n\t\tif (match_futex (&this->key, &key)) {\n\t\t\tif (this->pi_state || this->rt_waiter) {\n\t\t\t\tret = -EINVAL;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\t/* Check if one of the bits is set in both bitsets */\n\t\t\tif (!(this->bitset & bitset))\n\t\t\t\tcontinue;\n\n\t\t\twake_futex(this);\n\t\t\tif (++ret >= nr_wake)\n\t\t\t\tbreak;\n\t\t}\n\t}\n\n\tspin_unlock(&hb->lock);\n\tput_futex_key(fshared, &key);\nout:\n\treturn ret;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 45535231520226598017321576585527494129, "size": 41, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. 
glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492289 }, { "func": "static u64 kvm_s390_get_initial_cpuid(void)\n{\n\tstruct cpuid cpuid;\n\n\tget_cpu_id(&cpuid);\n\tcpuid.version = 0xff;\n\treturn *((u64 *) &cpuid);\n}", "project": "linux", "hash": 234909435052118934322559143567259154802, "size": 8, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354729 }, { "func": "static int fuse_writepage_locked(struct page *page)\n{\n\tstruct address_space *mapping = 
page->mapping;\n\tstruct inode *inode = mapping->host;\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\tstruct fuse_writepage_args *wpa;\n\tstruct fuse_args_pages *ap;\n\tstruct page *tmp_page;\n\tint error = -ENOMEM;\n\n\tset_page_writeback(page);\n\n\twpa = fuse_writepage_args_alloc();\n\tif (!wpa)\n\t\tgoto err;\n\tap = &wpa->ia.ap;\n\n\ttmp_page = alloc_page(GFP_NOFS | __GFP_HIGHMEM);\n\tif (!tmp_page)\n\t\tgoto err_free;\n\n\terror = -EIO;\n\twpa->ia.ff = fuse_write_file_get(fc, fi);\n\tif (!wpa->ia.ff)\n\t\tgoto err_nofile;\n\n\tfuse_write_args_fill(&wpa->ia, wpa->ia.ff, page_offset(page), 0);\n\n\tcopy_highpage(tmp_page, page);\n\twpa->ia.write.in.write_flags |= FUSE_WRITE_CACHE;\n\twpa->next = NULL;\n\tap->args.in_pages = true;\n\tap->num_pages = 1;\n\tap->pages[0] = tmp_page;\n\tap->descs[0].offset = 0;\n\tap->descs[0].length = PAGE_SIZE;\n\tap->args.end = fuse_writepage_end;\n\twpa->inode = inode;\n\n\tinc_wb_stat(&inode_to_bdi(inode)->wb, WB_WRITEBACK);\n\tinc_node_page_state(tmp_page, NR_WRITEBACK_TEMP);\n\n\tspin_lock(&fi->lock);\n\ttree_insert(&fi->writepages, wpa);\n\tlist_add_tail(&wpa->queue_entry, &fi->queued_writes);\n\tfuse_flush_writepages(inode);\n\tspin_unlock(&fi->lock);\n\n\tend_page_writeback(page);\n\n\treturn 0;\n\nerr_nofile:\n\t__free_page(tmp_page);\nerr_free:\n\tkfree(wpa);\nerr:\n\tmapping_set_error(page->mapping, error);\n\tend_page_writeback(page);\n\treturn error;\n}", "project": "linux", "hash": 304138405316463529877235624318159298654, "size": 62, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341978 }, { "func": "static inline bool kvm_check_request(int req, struct kvm_vcpu *vcpu)\n{\n\tif (kvm_test_request(req, vcpu)) {\n\t\tkvm_clear_request(req, vcpu);\n\n\t\t/*\n\t\t * Ensure the rest of the request is visible to kvm_check_request's\n\t\t * caller. Paired with the smp_wmb in kvm_make_request.\n\t\t */\n\t\tsmp_mb__after_atomic();\n\t\treturn true;\n\t} else {\n\t\treturn false;\n\t}\n}", "project": "linux", "hash": 150211748929768698710049187210814715182, "size": 15, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354628 }, { "func": "static void do_SAK_work(struct work_struct *work)\n{\n\tstruct 
tty_struct *tty =\n\t\tcontainer_of(work, struct tty_struct, SAK_work);\n\t__do_SAK(tty);\n}", "project": "linux", "hash": 91700903489543844999026131850779732439, "size": 6, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325958 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::initialize()\n{\n if (isInitialized())\n return;\n\n FFTFrame::initialize();\n m_listener = AudioListener::create();\n\n if (m_destinationNode.get()) {\n m_destinationNode->initialize();\n\n if (!isOfflineContext()) {\n startRendering();\n ++s_hardwareContextCount;\n }\n\n m_isInitialized = true;\n }\n}\n", "cwe": "", "big_vul_idx": 139664, "idx": 124814, "hash": 154592358439444653285840951889929652076 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "bool WebGraphicsContext3DDefaultImpl::initialize(WebGraphicsContext3D::Attributes attributes, WebView* webView, bool renderDirectlyToWebView)\n{\n if (!gfx::GLContext::InitializeOneOff())\n return false;\n\n m_renderDirectlyToWebView = renderDirectlyToWebView;\n gfx::GLContext* shareContext = 0;\n\n if (!renderDirectlyToWebView) {\n WebGraphicsContext3D* viewContext = webView->graphicsContext3D();\n if (viewContext) {\n WebGraphicsContext3DDefaultImpl* contextImpl = static_cast(viewContext);\n shareContext = contextImpl->m_glContext.get();\n } else {\n 
m_renderDirectlyToWebView = false;\n }\n }\n\n m_glContext = WTF::adoptPtr(gfx::GLContext::CreateOffscreenGLContext(shareContext));\n if (!m_glContext)\n return false;\n\n m_attributes = attributes;\n\n if (renderDirectlyToWebView)\n m_attributes.antialias = false;\n\n validateAttributes();\n\n glEnable(GL_VERTEX_PROGRAM_POINT_SIZE);\n\n if (!angleCreateCompilers()) {\n angleDestroyCompilers();\n return false;\n }\n\n m_initialized = true;\n return true;\n}\n", "cwe": "", "big_vul_idx": 99010, "idx": 175544, "hash": 8215074276990840095189758592324469949 }, { "func": "void ScanLineInputFile::initialize(const Header& header)\n{\n _data->header = header;\n\n _data->lineOrder = _data->header.lineOrder();\n\n const Box2i &dataWindow = _data->header.dataWindow();\n\n _data->minX = dataWindow.min.x;\n _data->maxX = dataWindow.max.x;\n _data->minY = dataWindow.min.y;\n _data->maxY = dataWindow.max.y;\n\n Compression comp = _data->header.compression();\n\n _data->linesInBuffer =\n numLinesInBuffer (comp);\n\n int lineOffsetSize = (dataWindow.max.y - dataWindow.min.y +\n _data->linesInBuffer) / _data->linesInBuffer;\n\n //\n // avoid allocating excessive memory due to large lineOffsets table size.\n // If the chunktablesize claims to be large,\n // check the file is big enough to contain the table before allocating memory\n // in the bytesPerLineTable and the lineOffsets table.\n // Attempt to read the last entry in the table. 
Either the seekg() or the read()\n // call will throw an exception if the file is too small to contain the table\n //\n if (lineOffsetSize > gLargeChunkTableSize)\n {\n Int64 pos = _streamData->is->tellg();\n _streamData->is->seekg(pos + (lineOffsetSize-1)*sizeof(Int64));\n Int64 temp;\n OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read (*_streamData->is, temp);\n _streamData->is->seekg(pos);\n\n }\n\n\n size_t maxBytesPerLine = bytesPerLineTable (_data->header,\n _data->bytesPerLine);\n\n if (maxBytesPerLine*numLinesInBuffer(comp) > INT_MAX)\n {\n throw IEX_NAMESPACE::InputExc(\"maximum bytes per scanline exceeds maximum permissible size\");\n }\n\n\n //\n // allocate compressor objects\n //\n for (size_t i = 0; i < _data->lineBuffers.size(); i++)\n {\n _data->lineBuffers[i] = new LineBuffer (newCompressor(comp,\n maxBytesPerLine,\n _data->header));\n }\n\n\n\n _data->lineBufferSize = maxBytesPerLine * _data->linesInBuffer;\n\n if (!_streamData->is->isMemoryMapped())\n {\n for (size_t i = 0; i < _data->lineBuffers.size(); i++)\n {\n _data->lineBuffers[i]->buffer = (char *) EXRAllocAligned(_data->lineBufferSize*sizeof(char),16);\n if (!_data->lineBuffers[i]->buffer)\n {\n throw IEX_NAMESPACE::LogicExc(\"Failed to allocate memory for scanline buffers\");\n }\n }\n }\n _data->nextLineBufferMinY = _data->minY - 1;\n\n offsetInLineBufferTable (_data->bytesPerLine,\n _data->linesInBuffer,\n _data->offsetInLineBuffer);\n\n\n _data->lineOffsets.resize (lineOffsetSize);\n}", "project": "openexr", "hash": 22351819646121800230325071822285424033, "size": 83, "commit_id": "bc88cdb6c97fbf5bc5d11ad8ca55306da931283a", "message": "sanity check ScanlineInput bytesPerLine instead of lineOffset size (#863)\n\nSigned-off-by: Peter Hillman \r\n\r\nCo-authored-by: Cary Phillips ", "target": 1, "dataset": "other", "idx": 211127 }, { "func": "TEST_P(LocalJwksIntegrationTest, MissingToken) {\n config_helper_.prependFilter(getFilterConfig(true));\n initialize();\n\n codec_client_ = 
makeHttpConnection(lookupPort(\"http\"));\n\n auto response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n });\n\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"401\", response->headers().getStatusValue());\n EXPECT_EQ(\n \"Bearer realm=\\\"http://host/\\\"\",\n response->headers().get(Http::Headers::get().WWWAuthenticate)[0]->value().getStringView());\n}", "project": "envoy", "hash": 141031777373137051619356877975533055062, "size": 20, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246598 }, { "func": "TEST_P(LocalJwksIntegrationTest, WithGoodToken) {\n config_helper_.prependFilter(getFilterConfig(true));\n initialize();\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n auto response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n {\"Authorization\", \"Bearer \" + std::string(GoodToken)},\n });\n\n waitForNextUpstreamRequest();\n const auto payload_entry =\n upstream_request_->headers().get(Http::LowerCaseString(\"sec-istio-auth-userinfo\"));\n EXPECT_FALSE(payload_entry.empty());\n EXPECT_EQ(payload_entry[0]->value().getStringView(), ExpectedPayloadValue);\n // Verify the token is removed.\n EXPECT_TRUE(upstream_request_->headers().get(Http::CustomHeaders::get().Authorization).empty());\n upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{\":status\", \"200\"}}, true);\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"200\", response->headers().getStatusValue());\n}", 
"project": "envoy", "hash": 20963081683187049433141914839331176701, "size": 26, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246603 }, { "func": "TEST_P(LocalJwksIntegrationTest, ExpiredTokenHeadReply) {\n config_helper_.prependFilter(getFilterConfig(true));\n initialize();\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n auto response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"HEAD\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n {\"Authorization\", \"Bearer \" + std::string(ExpiredToken)},\n });\n\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"401\", response->headers().getStatusValue());\n EXPECT_EQ(\n \"Bearer realm=\\\"http://host/\\\", error=\\\"invalid_token\\\"\",\n response->headers().get(Http::Headers::get().WWWAuthenticate)[0]->value().getStringView());\n\n EXPECT_NE(\"0\", response->headers().getContentLengthValue());\n EXPECT_THAT(response->body(), ::testing::IsEmpty());\n}", "project": "envoy", "hash": 186552020726766200673960587857500480353, "size": 24, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246607 }, { "func": "TEST_P(LocalJwksIntegrationTest, ConnectRequestWithRegExMatch) {\n config_helper_.prependFilter(getAuthFilterConfig(ExampleConfigWithRegEx, true));\n initialize();\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n auto encoder_decoder = codec_client_->startRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"CONNECT\"},\n {\":authority\", 
\"host.com:80\"},\n {\"authorization\", \"Bearer \" + std::string(GoodToken)},\n });\n request_encoder_ = &encoder_decoder.first;\n auto response = std::move(encoder_decoder.second);\n\n if (downstreamProtocol() == Http::CodecType::HTTP1) {\n // Because CONNECT requests for HTTP/1 do not include a path, they will fail\n // to find a route match and return a 404.\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"404\", response->headers().getStatusValue());\n } else {\n ASSERT_TRUE(response->waitForReset());\n ASSERT_TRUE(codec_client_->waitForDisconnect());\n }\n}", "project": "envoy", "hash": 120512640944325246457148716865806035522, "size": 25, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246622 }, { "func": "TEST_P(LocalJwksIntegrationTest, CorsPreflight) {\n config_helper_.prependFilter(getFilterConfig(true));\n initialize();\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n auto response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"OPTIONS\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n {\"access-control-request-method\", \"GET\"},\n {\"origin\", \"test-origin\"},\n });\n\n waitForNextUpstreamRequest();\n upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{\":status\", \"200\"}}, true);\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"200\", response->headers().getStatusValue());\n}", "project": "envoy", "hash": 337385455103123614349343748596269584286, "size": 21, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex 
match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246624 }, { "func": "TEST_P(LocalJwksIntegrationTest, NoRequiresPath) {\n config_helper_.prependFilter(getFilterConfig(true));\n initialize();\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n auto response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/foo\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n });\n\n waitForNextUpstreamRequest();\n upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{\":status\", \"200\"}}, true);\n\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"200\", response->headers().getStatusValue());\n}", "project": "envoy", "hash": 235930785685766706339596616975312029507, "size": 20, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246631 }, { "func": "TEST_P(LocalJwksIntegrationTest, ExpiredToken) {\n config_helper_.prependFilter(getFilterConfig(true));\n initialize();\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n auto response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n {\"Authorization\", \"Bearer \" + std::string(ExpiredToken)},\n });\n\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"401\", response->headers().getStatusValue());\n EXPECT_EQ(1, response->headers().get(Http::Headers::get().WWWAuthenticate).size());\n EXPECT_EQ(\n \"Bearer realm=\\\"http://host/\\\", error=\\\"invalid_token\\\"\",\n response->headers().get(Http::Headers::get().WWWAuthenticate)[0]->value().getStringView());\n}", 
"project": "envoy", "hash": 123924048584737403537406581120422974795, "size": 22, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246633 }, { "func": "void ScanLineInputFile::initialize(const Header& header)\n{\n _data->header = header;\n\n _data->lineOrder = _data->header.lineOrder();\n\n const Box2i &dataWindow = _data->header.dataWindow();\n\n _data->minX = dataWindow.min.x;\n _data->maxX = dataWindow.max.x;\n _data->minY = dataWindow.min.y;\n _data->maxY = dataWindow.max.y;\n\n Compression comp = _data->header.compression();\n\n _data->linesInBuffer =\n numLinesInBuffer (comp);\n\n int lineOffsetSize = (dataWindow.max.y - dataWindow.min.y +\n _data->linesInBuffer) / _data->linesInBuffer;\n\n //\n // avoid allocating excessive memory due to large lineOffsets and bytesPerLine table sizes.\n // If the chunktablesize claims to be large,\n // check the file is big enough to contain the lineOffsets table before allocating memory\n // in the bytesPerLineTable and the lineOffsets table.\n // Attempt to read the last entry in the table. 
Either the seekg() or the read()\n // call will throw an exception if the file is too small to contain the table\n //\n if (lineOffsetSize * _data->linesInBuffer > gLargeChunkTableSize)\n {\n Int64 pos = _streamData->is->tellg();\n _streamData->is->seekg(pos + (lineOffsetSize-1)*sizeof(Int64));\n Int64 temp;\n OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read (*_streamData->is, temp);\n _streamData->is->seekg(pos);\n\n }\n\n\n size_t maxBytesPerLine = bytesPerLineTable (_data->header,\n _data->bytesPerLine);\n\n if (maxBytesPerLine*numLinesInBuffer(comp) > INT_MAX)\n {\n throw IEX_NAMESPACE::InputExc(\"maximum bytes per scanline exceeds maximum permissible size\");\n }\n\n\n //\n // allocate compressor objects\n //\n for (size_t i = 0; i < _data->lineBuffers.size(); i++)\n {\n _data->lineBuffers[i] = new LineBuffer (newCompressor(comp,\n maxBytesPerLine,\n _data->header));\n }\n\n\n\n _data->lineBufferSize = maxBytesPerLine * _data->linesInBuffer;\n\n if (!_streamData->is->isMemoryMapped())\n {\n for (size_t i = 0; i < _data->lineBuffers.size(); i++)\n {\n _data->lineBuffers[i]->buffer = (char *) EXRAllocAligned(_data->lineBufferSize*sizeof(char),16);\n if (!_data->lineBuffers[i]->buffer)\n {\n throw IEX_NAMESPACE::LogicExc(\"Failed to allocate memory for scanline buffers\");\n }\n }\n }\n _data->nextLineBufferMinY = _data->minY - 1;\n\n offsetInLineBufferTable (_data->bytesPerLine,\n _data->linesInBuffer,\n _data->offsetInLineBuffer);\n\n\n _data->lineOffsets.resize (lineOffsetSize);\n}", "project": "openexr", "hash": 103823671992022679830878815429871629942, "size": 83, "commit_id": "bc88cdb6c97fbf5bc5d11ad8ca55306da931283a", "message": "sanity check ScanlineInput bytesPerLine instead of lineOffset size (#863)\n\nSigned-off-by: Peter Hillman \r\n\r\nCo-authored-by: Cary Phillips ", "target": 0, "dataset": "other", "idx": 446283 }, { "func": "static int tcp_check_sack_reneging(struct sock *sk, int flag)\n{\n\tif (flag & FLAG_SACK_RENEGING) {\n\t\tstruct 
inet_connection_sock *icsk = inet_csk(sk);\n\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPSACKRENEGING);\n\n\t\ttcp_enter_loss(sk, 1);\n\t\ticsk->icsk_retransmits++;\n\t\ttcp_retransmit_skb(sk, tcp_write_queue_head(sk));\n\t\tinet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,\n\t\t\t\t\t icsk->icsk_rto, TCP_RTO_MAX);\n\t\treturn 1;\n\t}\n\treturn 0;\n}", "project": "net-next", "hash": 225507548970286881671759711498817477812, "size": 15, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409919 }, { "func": "static void destruct_tty_driver(struct kref *kref)\n{\n\tstruct tty_driver *driver = container_of(kref, struct tty_driver, kref);\n\tint i;\n\tstruct ktermios *tp;\n\n\tif (driver->flags & TTY_DRIVER_INSTALLED) {\n\t\tfor (i = 0; i < driver->num; i++) {\n\t\t\ttp = driver->termios[i];\n\t\t\tif (tp) {\n\t\t\t\tdriver->termios[i] = NULL;\n\t\t\t\tkfree(tp);\n\t\t\t}\n\t\t\tif (!(driver->flags & TTY_DRIVER_DYNAMIC_DEV))\n\t\t\t\ttty_unregister_device(driver, i);\n\t\t}\n\t\tproc_tty_unregister_driver(driver);\n\t\tif (driver->flags & TTY_DRIVER_DYNAMIC_ALLOC)\n\t\t\tcdev_del(driver->cdevs[0]);\n\t}\n\tkfree(driver->cdevs);\n\tkfree(driver->ports);\n\tkfree(driver->termios);\n\tkfree(driver->ttys);\n\tkfree(driver);\n}", "project": "linux", "hash": 151557263194975934506366937965881711474, "size": 26, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock 
(because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326020 }, { "func": "void __hci_req_update_name(struct hci_request *req)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tstruct hci_cp_write_local_name cp;\n\n\tmemcpy(cp.name, hdev->dev_name, sizeof(cp.name));\n\n\thci_req_add(req, HCI_OP_WRITE_LOCAL_NAME, sizeof(cp), &cp);\n}", "project": "linux", "hash": 264727068179774788552654999143568587294, "size": 9, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402531 }, { "func": "Status ConvertNodeDefsToGraph(const GraphConstructorOptions& opts,\n gtl::ArraySlice nodes, Graph* g) {\n ShapeRefiner refiner(TF_GRAPH_DEF_VERSION, g->op_registry());\n // TODO(irving): Copy will go away once NodeInfo exists\n std::vector node_defs;\n node_defs.reserve(nodes.size());\n for (const auto& n : nodes) {\n node_defs.push_back(&n);\n }\n return GraphConstructor::Construct(opts, node_defs, nullptr, nullptr, g,\n &refiner, /*return_tensors=*/nullptr,\n /*return_nodes=*/nullptr,\n /*missing_unused_input_map_keys=*/nullptr);\n}", "project": "tensorflow", "hash": 172454641249108650070532568504292795646, "size": 14, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268366 }, { "func": "static long validate_slab_cache(struct kmem_cache *s)\n{\n\tint node;\n\tunsigned long count = 0;\n\tstruct kmem_cache_node *n;\n\n\tflush_all(s);\n\tfor_each_kmem_cache_node(s, node, n)\n\t\tcount += validate_slab_node(s, n);\n\n\treturn count;\n}", "project": "linux", "hash": 136608568907360277374094026498769961430, "size": 12, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280117 }, { "func": "HttpStateData::readReply(const CommIoCbParams &io)\n{\n Must(!flags.do_next_read); // XXX: should have been set false by mayReadVirginBody()\n flags.do_next_read = false;\n\n debugs(11, 5, io.conn);\n\n // Bail out early on Comm::ERR_CLOSING - close handlers will tidy up for us\n if (io.flag == Comm::ERR_CLOSING) {\n debugs(11, 3, \"http socket closing\");\n return;\n }\n\n if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) {\n abortTransaction(\"store entry aborted while reading reply\");\n return;\n }\n\n Must(Comm::IsConnOpen(serverConnection));\n Must(io.conn->fd == serverConnection->fd);\n\n /*\n * Don't reset the timeout value here. 
The value should be\n * counting Config.Timeout.request and applies to the request\n * as a whole, not individual read() calls.\n * Plus, it breaks our lame *HalfClosed() detection\n */\n\n Must(maybeMakeSpaceAvailable(true));\n CommIoCbParams rd(this); // will be expanded with ReadNow results\n rd.conn = io.conn;\n rd.size = entry->bytesWanted(Range(0, inBuf.spaceSize()));\n\n if (rd.size <= 0) {\n assert(entry->mem_obj);\n AsyncCall::Pointer nilCall;\n entry->mem_obj->delayRead(DeferredRead(readDelayed, this, CommRead(io.conn, NULL, 0, nilCall)));\n return;\n }\n\n switch (Comm::ReadNow(rd, inBuf)) {\n case Comm::INPROGRESS:\n if (inBuf.isEmpty())\n debugs(33, 2, io.conn << \": no data to process, \" << xstrerr(rd.xerrno));\n flags.do_next_read = true;\n maybeReadVirginBody();\n return;\n\n case Comm::OK:\n {\n payloadSeen += rd.size;\n#if USE_DELAY_POOLS\n DelayId delayId = entry->mem_obj->mostBytesAllowed();\n delayId.bytesIn(rd.size);\n#endif\n\n statCounter.server.all.kbytes_in += rd.size;\n statCounter.server.http.kbytes_in += rd.size;\n ++ IOStats.Http.reads;\n\n int bin = 0;\n for (int clen = rd.size - 1; clen; ++bin)\n clen >>= 1;\n\n ++ IOStats.Http.read_hist[bin];\n\n request->hier.notePeerRead();\n }\n\n /* Continue to process previously read data */\n break;\n\n case Comm::ENDFILE: // close detected by 0-byte read\n eof = 1;\n flags.do_next_read = false;\n\n /* Continue to process previously read data */\n break;\n\n // case Comm::COMM_ERROR:\n default: // no other flags should ever occur\n debugs(11, 2, io.conn << \": read failure: \" << xstrerr(rd.xerrno));\n ErrorState *err = new ErrorState(ERR_READ_ERROR, Http::scBadGateway, fwd->request);\n err->xerrno = rd.xerrno;\n fwd->fail(err);\n flags.do_next_read = false;\n closeServer();\n mustStop(\"HttpStateData::readReply\");\n return;\n }\n\n /* Process next response from buffer */\n processReply();\n}", "project": "squid", "hash": 307497614340754529998534052985040164405, "size": 94, "commit_id": 
"fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402369 }, { "func": "static int sctp_getsockopt_primary_addr(struct sock *sk, int len,\n\t\t\t\t\tchar __user *optval, int __user *optlen)\n{\n\tstruct sctp_prim prim;\n\tstruct sctp_association *asoc;\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\n\tif (len < sizeof(struct sctp_prim))\n\t\treturn -EINVAL;\n\n\tlen = sizeof(struct sctp_prim);\n\n\tif (copy_from_user(&prim, optval, len))\n\t\treturn -EFAULT;\n\n\tasoc = sctp_id2assoc(sk, prim.ssp_assoc_id);\n\tif (!asoc)\n\t\treturn -EINVAL;\n\n\tif (!asoc->peer.primary_path)\n\t\treturn -ENOTCONN;\n\n\tmemcpy(&prim.ssp_addr, &asoc->peer.primary_path->ipaddr,\n\t\tasoc->peer.primary_path->af_specific->sockaddr_len);\n\n\tsctp_get_pf_specific(sk->sk_family)->addr_to_user(sp,\n\t\t\t(union sctp_addr *)&prim.ssp_addr);\n\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\tif (copy_to_user(optval, &prim, len))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 335375532341678984835205513302920299829, "size": 35, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. 
In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398163 }, { "func": "CallResult JSObject::putComputedWithReceiver_RJS(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n Handle<> valueHandle,\n Handle<> receiver,\n PropOpFlags opFlags) {\n assert(\n !opFlags.getMustExist() &&\n \"mustExist flag cannot be used with computed properties\");\n\n // Try the fast-path first: has \"index-like\" properties, the \"name\"\n // already is a valid integer index, selfHandle and receiver are the\n // same, and it is present in storage.\n if (selfHandle->flags_.fastIndexProperties) {\n if (auto arrayIndex = toArrayIndexFastPath(*nameValHandle)) {\n if (selfHandle.getHermesValue().getRaw() == receiver->getRaw()) {\n if (haveOwnIndexed(selfHandle.get(), runtime, *arrayIndex)) {\n auto result =\n setOwnIndexed(selfHandle, runtime, *arrayIndex, valueHandle);\n if (LLVM_UNLIKELY(result == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n if (LLVM_LIKELY(*result))\n return true;\n if (opFlags.getThrowOnError()) {\n // TODO: better message.\n return runtime->raiseTypeError(\n \"Cannot assign to read-only property\");\n }\n return false;\n }\n }\n }\n }\n\n // If nameValHandle is an object, we should convert it to string now,\n // because toString may have side-effect, and we want to do this only\n // once.\n auto converted = toPropertyKeyIfObject(runtime, nameValHandle);\n if (LLVM_UNLIKELY(converted == 
ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n auto nameValPrimitiveHandle = *converted;\n\n ComputedPropertyDescriptor desc;\n\n // Look for the property in this object or along the prototype chain.\n MutableHandle propObj{runtime};\n if (LLVM_UNLIKELY(\n getComputedPrimitiveDescriptor(\n selfHandle, runtime, nameValPrimitiveHandle, propObj, desc) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n\n // If the property exists (or, we hit a proxy/hostobject on the way\n // up the chain)\n if (propObj) {\n // Get the simple case out of the way: If the property already\n // exists on selfHandle, is not an accessor, selfHandle and\n // receiver are the same, selfHandle is not a host\n // object/proxy/internal setter, and the property is writable,\n // just write into the same slot.\n\n if (LLVM_LIKELY(\n selfHandle == propObj &&\n selfHandle.getHermesValue().getRaw() == receiver->getRaw() &&\n !desc.flags.accessor && !desc.flags.internalSetter &&\n !desc.flags.hostObject && !desc.flags.proxyObject &&\n desc.flags.writable)) {\n if (LLVM_UNLIKELY(\n setComputedSlotValue(selfHandle, runtime, desc, valueHandle) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n return true;\n }\n\n // Is it an accessor?\n if (LLVM_UNLIKELY(desc.flags.accessor)) {\n auto *accessor = vmcast(\n getComputedSlotValue(propObj.get(), runtime, desc));\n\n // If it is a read-only accessor, fail.\n if (!accessor->setter) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeErrorForValue(\n \"Cannot assign to property \",\n nameValPrimitiveHandle,\n \" which has only a getter\");\n }\n return false;\n }\n\n // Execute the accessor on this object.\n if (accessor->setter.get(runtime)->executeCall1(\n runtime->makeHandle(accessor->setter),\n runtime,\n receiver,\n valueHandle.get()) == ExecutionStatus::EXCEPTION) {\n return ExecutionStatus::EXCEPTION;\n }\n return true;\n }\n\n if 
(LLVM_UNLIKELY(desc.flags.proxyObject)) {\n assert(\n !opFlags.getMustExist() &&\n \"MustExist cannot be used with Proxy objects\");\n CallResult> key = toPropertyKey(runtime, nameValPrimitiveHandle);\n if (key == ExecutionStatus::EXCEPTION)\n return ExecutionStatus::EXCEPTION;\n CallResult setRes =\n JSProxy::setComputed(propObj, runtime, *key, valueHandle, receiver);\n if (LLVM_UNLIKELY(setRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n if (!*setRes && opFlags.getThrowOnError()) {\n // TODO: better message.\n return runtime->raiseTypeError(\n TwineChar16(\"Proxy trap returned false for property\"));\n }\n return setRes;\n }\n\n if (LLVM_UNLIKELY(!desc.flags.writable)) {\n if (desc.flags.staticBuiltin) {\n SymbolID id{};\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n return raiseErrorForOverridingStaticBuiltin(\n selfHandle, runtime, runtime->makeHandle(id));\n }\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeErrorForValue(\n \"Cannot assign to read-only property \", nameValPrimitiveHandle, \"\");\n }\n return false;\n }\n\n if (selfHandle == propObj && desc.flags.internalSetter) {\n SymbolID id{};\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n return internalSetter(\n selfHandle,\n runtime,\n id,\n desc.castToNamedPropertyDescriptorRef(),\n valueHandle,\n opFlags);\n }\n }\n\n // The property does not exist as an conventional own property on\n // this object.\n\n MutableHandle receiverHandle{runtime, *selfHandle};\n if (selfHandle.getHermesValue().getRaw() != receiver->getRaw() ||\n receiverHandle->isHostObject() || receiverHandle->isProxyObject()) {\n if (selfHandle.getHermesValue().getRaw() != receiver->getRaw()) {\n receiverHandle = dyn_vmcast(*receiver);\n }\n if (!receiverHandle) {\n return false;\n }\n CallResult descDefinedRes = getOwnComputedPrimitiveDescriptor(\n receiverHandle, runtime, nameValPrimitiveHandle, IgnoreProxy::No, desc);\n if (LLVM_UNLIKELY(descDefinedRes == 
ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n DefinePropertyFlags dpf;\n if (*descDefinedRes) {\n if (LLVM_UNLIKELY(desc.flags.accessor || !desc.flags.writable)) {\n return false;\n }\n\n if (LLVM_LIKELY(\n !desc.flags.internalSetter && !receiverHandle->isHostObject() &&\n !receiverHandle->isProxyObject())) {\n if (LLVM_UNLIKELY(\n setComputedSlotValue(\n receiverHandle, runtime, desc, valueHandle) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n return true;\n }\n }\n\n if (LLVM_UNLIKELY(\n desc.flags.internalSetter || receiverHandle->isHostObject() ||\n receiverHandle->isProxyObject())) {\n SymbolID id{};\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n if (desc.flags.internalSetter) {\n return internalSetter(\n receiverHandle,\n runtime,\n id,\n desc.castToNamedPropertyDescriptorRef(),\n valueHandle,\n opFlags);\n } else if (receiverHandle->isHostObject()) {\n return vmcast(receiverHandle.get())->set(id, *valueHandle);\n }\n assert(\n receiverHandle->isProxyObject() && \"descriptor flags are impossible\");\n if (*descDefinedRes) {\n dpf.setValue = 1;\n } else {\n dpf = DefinePropertyFlags::getDefaultNewPropertyFlags();\n }\n return JSProxy::defineOwnProperty(\n receiverHandle,\n runtime,\n nameValPrimitiveHandle,\n dpf,\n valueHandle,\n opFlags);\n }\n }\n\n /// Can we add more properties?\n if (LLVM_UNLIKELY(!receiverHandle->isExtensible())) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n \"cannot add a new property\"); // TODO: better message.\n }\n return false;\n }\n\n // If we have indexed storage we must check whether the property is an index,\n // and if it is, store it in indexed storage.\n if (receiverHandle->flags_.indexedStorage) {\n OptValue arrayIndex;\n MutableHandle strPrim{runtime};\n TO_ARRAY_INDEX(runtime, nameValPrimitiveHandle, strPrim, arrayIndex);\n if (arrayIndex) {\n // Check whether we need to update array's \".length\" property.\n if (auto 
*array = dyn_vmcast(receiverHandle.get())) {\n if (LLVM_UNLIKELY(*arrayIndex >= JSArray::getLength(array))) {\n auto cr = putNamed_RJS(\n receiverHandle,\n runtime,\n Predefined::getSymbolID(Predefined::length),\n runtime->makeHandle(\n HermesValue::encodeNumberValue(*arrayIndex + 1)),\n opFlags);\n if (LLVM_UNLIKELY(cr == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n if (LLVM_UNLIKELY(!*cr))\n return false;\n }\n }\n\n auto result =\n setOwnIndexed(receiverHandle, runtime, *arrayIndex, valueHandle);\n if (LLVM_UNLIKELY(result == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n if (LLVM_LIKELY(*result))\n return true;\n\n if (opFlags.getThrowOnError()) {\n // TODO: better message.\n return runtime->raiseTypeError(\"Cannot assign to read-only property\");\n }\n return false;\n }\n }\n\n SymbolID id{};\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n\n // Add a new named property.\n return addOwnProperty(\n receiverHandle,\n runtime,\n id,\n DefinePropertyFlags::getDefaultNewPropertyFlags(),\n valueHandle,\n opFlags);\n}", "project": "hermes", "hash": 22276050551116012672246483362569889414, "size": 281, "commit_id": "8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0", "message": "Handle set where internalSetter and Proxy are both true\n\nSummary:\nIf putComputed is called on a proxy whose target's prototype\nis an array with a propname of 'length', then internalSetter will be\ntrue, and the receiver will be a proxy. 
In that case, proxy needs to\nwin; the behavior may assert or be UB otherwise.\n\nReviewed By: tmikov\n\nDifferential Revision: D23916279\n\nfbshipit-source-id: c760356d48a02ece565fb4bc1acdafd7ccad7c68", "target": 1, "dataset": "other", "idx": 197476 }, { "func": "CallResult JSObject::putComputedWithReceiver_RJS(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n Handle<> valueHandle,\n Handle<> receiver,\n PropOpFlags opFlags) {\n assert(\n !opFlags.getMustExist() &&\n \"mustExist flag cannot be used with computed properties\");\n\n // Try the fast-path first: has \"index-like\" properties, the \"name\"\n // already is a valid integer index, selfHandle and receiver are the\n // same, and it is present in storage.\n if (selfHandle->flags_.fastIndexProperties) {\n if (auto arrayIndex = toArrayIndexFastPath(*nameValHandle)) {\n if (selfHandle.getHermesValue().getRaw() == receiver->getRaw()) {\n if (haveOwnIndexed(selfHandle.get(), runtime, *arrayIndex)) {\n auto result =\n setOwnIndexed(selfHandle, runtime, *arrayIndex, valueHandle);\n if (LLVM_UNLIKELY(result == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n if (LLVM_LIKELY(*result))\n return true;\n if (opFlags.getThrowOnError()) {\n // TODO: better message.\n return runtime->raiseTypeError(\n \"Cannot assign to read-only property\");\n }\n return false;\n }\n }\n }\n }\n\n // If nameValHandle is an object, we should convert it to string now,\n // because toString may have side-effect, and we want to do this only\n // once.\n auto converted = toPropertyKeyIfObject(runtime, nameValHandle);\n if (LLVM_UNLIKELY(converted == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n auto nameValPrimitiveHandle = *converted;\n\n ComputedPropertyDescriptor desc;\n\n // Look for the property in this object or along the prototype chain.\n MutableHandle propObj{runtime};\n if (LLVM_UNLIKELY(\n getComputedPrimitiveDescriptor(\n selfHandle, runtime, nameValPrimitiveHandle, 
propObj, desc) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n\n // If the property exists (or, we hit a proxy/hostobject on the way\n // up the chain)\n if (propObj) {\n // Get the simple case out of the way: If the property already\n // exists on selfHandle, is not an accessor, selfHandle and\n // receiver are the same, selfHandle is not a host\n // object/proxy/internal setter, and the property is writable,\n // just write into the same slot.\n\n if (LLVM_LIKELY(\n selfHandle == propObj &&\n selfHandle.getHermesValue().getRaw() == receiver->getRaw() &&\n !desc.flags.accessor && !desc.flags.internalSetter &&\n !desc.flags.hostObject && !desc.flags.proxyObject &&\n desc.flags.writable)) {\n if (LLVM_UNLIKELY(\n setComputedSlotValue(selfHandle, runtime, desc, valueHandle) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n return true;\n }\n\n // Is it an accessor?\n if (LLVM_UNLIKELY(desc.flags.accessor)) {\n auto *accessor = vmcast(\n getComputedSlotValue(propObj.get(), runtime, desc));\n\n // If it is a read-only accessor, fail.\n if (!accessor->setter) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeErrorForValue(\n \"Cannot assign to property \",\n nameValPrimitiveHandle,\n \" which has only a getter\");\n }\n return false;\n }\n\n // Execute the accessor on this object.\n if (accessor->setter.get(runtime)->executeCall1(\n runtime->makeHandle(accessor->setter),\n runtime,\n receiver,\n valueHandle.get()) == ExecutionStatus::EXCEPTION) {\n return ExecutionStatus::EXCEPTION;\n }\n return true;\n }\n\n if (LLVM_UNLIKELY(desc.flags.proxyObject)) {\n assert(\n !opFlags.getMustExist() &&\n \"MustExist cannot be used with Proxy objects\");\n CallResult> key = toPropertyKey(runtime, nameValPrimitiveHandle);\n if (key == ExecutionStatus::EXCEPTION)\n return ExecutionStatus::EXCEPTION;\n CallResult setRes =\n JSProxy::setComputed(propObj, runtime, *key, valueHandle, receiver);\n if 
(LLVM_UNLIKELY(setRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n if (!*setRes && opFlags.getThrowOnError()) {\n // TODO: better message.\n return runtime->raiseTypeError(\n TwineChar16(\"Proxy trap returned false for property\"));\n }\n return setRes;\n }\n\n if (LLVM_UNLIKELY(!desc.flags.writable)) {\n if (desc.flags.staticBuiltin) {\n SymbolID id{};\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n return raiseErrorForOverridingStaticBuiltin(\n selfHandle, runtime, runtime->makeHandle(id));\n }\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeErrorForValue(\n \"Cannot assign to read-only property \", nameValPrimitiveHandle, \"\");\n }\n return false;\n }\n\n if (selfHandle == propObj && desc.flags.internalSetter) {\n SymbolID id{};\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n return internalSetter(\n selfHandle,\n runtime,\n id,\n desc.castToNamedPropertyDescriptorRef(),\n valueHandle,\n opFlags);\n }\n }\n\n // The property does not exist as an conventional own property on\n // this object.\n\n MutableHandle receiverHandle{runtime, *selfHandle};\n if (selfHandle.getHermesValue().getRaw() != receiver->getRaw() ||\n receiverHandle->isHostObject() || receiverHandle->isProxyObject()) {\n if (selfHandle.getHermesValue().getRaw() != receiver->getRaw()) {\n receiverHandle = dyn_vmcast(*receiver);\n }\n if (!receiverHandle) {\n return false;\n }\n CallResult descDefinedRes = getOwnComputedPrimitiveDescriptor(\n receiverHandle, runtime, nameValPrimitiveHandle, IgnoreProxy::No, desc);\n if (LLVM_UNLIKELY(descDefinedRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n DefinePropertyFlags dpf;\n if (*descDefinedRes) {\n if (LLVM_UNLIKELY(desc.flags.accessor || !desc.flags.writable)) {\n return false;\n }\n\n if (LLVM_LIKELY(\n !desc.flags.internalSetter && !receiverHandle->isHostObject() &&\n !receiverHandle->isProxyObject())) {\n if (LLVM_UNLIKELY(\n 
setComputedSlotValue(\n receiverHandle, runtime, desc, valueHandle) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n return true;\n }\n }\n\n if (LLVM_UNLIKELY(\n desc.flags.internalSetter || receiverHandle->isHostObject() ||\n receiverHandle->isProxyObject())) {\n SymbolID id{};\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n if (desc.flags.internalSetter) {\n return internalSetter(\n receiverHandle,\n runtime,\n id,\n desc.castToNamedPropertyDescriptorRef(),\n valueHandle,\n opFlags);\n } else if (receiverHandle->isHostObject()) {\n return vmcast(receiverHandle.get())->set(id, *valueHandle);\n }\n assert(\n receiverHandle->isProxyObject() && \"descriptor flags are impossible\");\n if (*descDefinedRes) {\n dpf.setValue = 1;\n } else {\n dpf = DefinePropertyFlags::getDefaultNewPropertyFlags();\n }\n return JSProxy::defineOwnProperty(\n receiverHandle, runtime, id, dpf, valueHandle, opFlags);\n }\n }\n\n /// Can we add more properties?\n if (LLVM_UNLIKELY(!receiverHandle->isExtensible())) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n \"cannot add a new property\"); // TODO: better message.\n }\n return false;\n }\n\n // If we have indexed storage we must check whether the property is an index,\n // and if it is, store it in indexed storage.\n if (receiverHandle->flags_.indexedStorage) {\n OptValue arrayIndex;\n MutableHandle strPrim{runtime};\n TO_ARRAY_INDEX(runtime, nameValPrimitiveHandle, strPrim, arrayIndex);\n if (arrayIndex) {\n // Check whether we need to update array's \".length\" property.\n if (auto *array = dyn_vmcast(receiverHandle.get())) {\n if (LLVM_UNLIKELY(*arrayIndex >= JSArray::getLength(array))) {\n auto cr = putNamed_RJS(\n receiverHandle,\n runtime,\n Predefined::getSymbolID(Predefined::length),\n runtime->makeHandle(\n HermesValue::encodeNumberValue(*arrayIndex + 1)),\n opFlags);\n if (LLVM_UNLIKELY(cr == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n if 
(LLVM_UNLIKELY(!*cr))\n return false;\n }\n }\n\n auto result =\n setOwnIndexed(receiverHandle, runtime, *arrayIndex, valueHandle);\n if (LLVM_UNLIKELY(result == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n if (LLVM_LIKELY(*result))\n return true;\n\n if (opFlags.getThrowOnError()) {\n // TODO: better message.\n return runtime->raiseTypeError(\"Cannot assign to read-only property\");\n }\n return false;\n }\n }\n\n SymbolID id{};\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n\n // Add a new named property.\n return addOwnProperty(\n receiverHandle,\n runtime,\n id,\n DefinePropertyFlags::getDefaultNewPropertyFlags(),\n valueHandle,\n opFlags);\n}", "project": "hermes", "hash": 303246646436119241172915062626763097038, "size": 276, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230234 }, { "func": "CallResult JSObject::putComputedWithReceiver_RJS(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n Handle<> valueHandle,\n Handle<> receiver,\n PropOpFlags opFlags) {\n assert(\n !opFlags.getMustExist() &&\n \"mustExist flag cannot be used with computed properties\");\n\n // Try the fast-path first: has \"index-like\" properties, the \"name\"\n // already is a valid integer index, selfHandle and receiver are the\n // same, and it is present in storage.\n if (selfHandle->flags_.fastIndexProperties) {\n if (auto arrayIndex = toArrayIndexFastPath(*nameValHandle)) {\n if (selfHandle.getHermesValue().getRaw() == receiver->getRaw()) {\n if (haveOwnIndexed(selfHandle.get(), runtime, *arrayIndex)) {\n auto result =\n setOwnIndexed(selfHandle, runtime, *arrayIndex, valueHandle);\n if (LLVM_UNLIKELY(result == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n if (LLVM_LIKELY(*result))\n return true;\n if (opFlags.getThrowOnError()) {\n // TODO: better message.\n return runtime->raiseTypeError(\n \"Cannot assign to read-only property\");\n }\n return false;\n }\n }\n }\n }\n\n // If nameValHandle is an object, we should convert it to string now,\n // because toString may have side-effect, and we want to do this only\n // once.\n auto converted = toPropertyKeyIfObject(runtime, nameValHandle);\n if (LLVM_UNLIKELY(converted == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n auto nameValPrimitiveHandle = *converted;\n\n ComputedPropertyDescriptor desc;\n\n // Look for the property in this object or along the prototype chain.\n MutableHandle propObj{runtime};\n if (LLVM_UNLIKELY(\n getComputedPrimitiveDescriptor(\n 
selfHandle, runtime, nameValPrimitiveHandle, propObj, desc) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n\n // If the property exists (or, we hit a proxy/hostobject on the way\n // up the chain)\n if (propObj) {\n // Get the simple case out of the way: If the property already\n // exists on selfHandle, is not an accessor, selfHandle and\n // receiver are the same, selfHandle is not a host\n // object/proxy/internal setter, and the property is writable,\n // just write into the same slot.\n\n if (LLVM_LIKELY(\n selfHandle == propObj &&\n selfHandle.getHermesValue().getRaw() == receiver->getRaw() &&\n !desc.flags.accessor && !desc.flags.internalSetter &&\n !desc.flags.hostObject && !desc.flags.proxyObject &&\n desc.flags.writable)) {\n if (LLVM_UNLIKELY(\n setComputedSlotValue(selfHandle, runtime, desc, valueHandle) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n return true;\n }\n\n // Is it an accessor?\n if (LLVM_UNLIKELY(desc.flags.accessor)) {\n auto *accessor = vmcast(\n getComputedSlotValue(propObj.get(), runtime, desc));\n\n // If it is a read-only accessor, fail.\n if (!accessor->setter) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeErrorForValue(\n \"Cannot assign to property \",\n nameValPrimitiveHandle,\n \" which has only a getter\");\n }\n return false;\n }\n\n // Execute the accessor on this object.\n if (accessor->setter.get(runtime)->executeCall1(\n runtime->makeHandle(accessor->setter),\n runtime,\n receiver,\n valueHandle.get()) == ExecutionStatus::EXCEPTION) {\n return ExecutionStatus::EXCEPTION;\n }\n return true;\n }\n\n if (LLVM_UNLIKELY(desc.flags.proxyObject)) {\n assert(\n !opFlags.getMustExist() &&\n \"MustExist cannot be used with Proxy objects\");\n CallResult> key = toPropertyKey(runtime, nameValPrimitiveHandle);\n if (key == ExecutionStatus::EXCEPTION)\n return ExecutionStatus::EXCEPTION;\n CallResult setRes =\n JSProxy::setComputed(propObj, runtime, *key, 
valueHandle, receiver);\n if (LLVM_UNLIKELY(setRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n if (!*setRes && opFlags.getThrowOnError()) {\n // TODO: better message.\n return runtime->raiseTypeError(\n TwineChar16(\"Proxy trap returned false for property\"));\n }\n return setRes;\n }\n\n if (LLVM_UNLIKELY(!desc.flags.writable)) {\n if (desc.flags.staticBuiltin) {\n SymbolID id{};\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n return raiseErrorForOverridingStaticBuiltin(\n selfHandle, runtime, runtime->makeHandle(id));\n }\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeErrorForValue(\n \"Cannot assign to read-only property \", nameValPrimitiveHandle, \"\");\n }\n return false;\n }\n\n if (selfHandle == propObj && desc.flags.internalSetter) {\n SymbolID id{};\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n return internalSetter(\n selfHandle,\n runtime,\n id,\n desc.castToNamedPropertyDescriptorRef(),\n valueHandle,\n opFlags);\n }\n }\n\n // The property does not exist as an conventional own property on\n // this object.\n\n MutableHandle receiverHandle{runtime, *selfHandle};\n if (selfHandle.getHermesValue().getRaw() != receiver->getRaw() ||\n receiverHandle->isHostObject() || receiverHandle->isProxyObject()) {\n if (selfHandle.getHermesValue().getRaw() != receiver->getRaw()) {\n receiverHandle = dyn_vmcast(*receiver);\n }\n if (!receiverHandle) {\n return false;\n }\n CallResult descDefinedRes = getOwnComputedPrimitiveDescriptor(\n receiverHandle, runtime, nameValPrimitiveHandle, IgnoreProxy::No, desc);\n if (LLVM_UNLIKELY(descDefinedRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n DefinePropertyFlags dpf;\n if (*descDefinedRes) {\n if (LLVM_UNLIKELY(desc.flags.accessor || !desc.flags.writable)) {\n return false;\n }\n\n if (LLVM_LIKELY(\n !desc.flags.internalSetter && !receiverHandle->isHostObject() &&\n !receiverHandle->isProxyObject())) {\n if 
(LLVM_UNLIKELY(\n setComputedSlotValue(\n receiverHandle, runtime, desc, valueHandle) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n return true;\n }\n }\n\n if (LLVM_UNLIKELY(\n desc.flags.internalSetter || receiverHandle->isHostObject() ||\n receiverHandle->isProxyObject())) {\n // If putComputed is called on a proxy whose target's prototype\n // is an array with a propname of 'length', then internalSetter\n // will be true, and the receiver will be a proxy. In that case,\n // proxy wins.\n if (receiverHandle->isProxyObject()) {\n if (*descDefinedRes) {\n dpf.setValue = 1;\n } else {\n dpf = DefinePropertyFlags::getDefaultNewPropertyFlags();\n }\n return JSProxy::defineOwnProperty(\n receiverHandle,\n runtime,\n nameValPrimitiveHandle,\n dpf,\n valueHandle,\n opFlags);\n }\n SymbolID id{};\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n if (desc.flags.internalSetter) {\n return internalSetter(\n receiverHandle,\n runtime,\n id,\n desc.castToNamedPropertyDescriptorRef(),\n valueHandle,\n opFlags);\n }\n assert(\n receiverHandle->isHostObject() && \"descriptor flags are impossible\");\n return vmcast(receiverHandle.get())->set(id, *valueHandle);\n }\n }\n\n /// Can we add more properties?\n if (LLVM_UNLIKELY(!receiverHandle->isExtensible())) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n \"cannot add a new property\"); // TODO: better message.\n }\n return false;\n }\n\n // If we have indexed storage we must check whether the property is an index,\n // and if it is, store it in indexed storage.\n if (receiverHandle->flags_.indexedStorage) {\n OptValue arrayIndex;\n MutableHandle strPrim{runtime};\n TO_ARRAY_INDEX(runtime, nameValPrimitiveHandle, strPrim, arrayIndex);\n if (arrayIndex) {\n // Check whether we need to update array's \".length\" property.\n if (auto *array = dyn_vmcast(receiverHandle.get())) {\n if (LLVM_UNLIKELY(*arrayIndex >= JSArray::getLength(array))) {\n auto cr = 
putNamed_RJS(\n receiverHandle,\n runtime,\n Predefined::getSymbolID(Predefined::length),\n runtime->makeHandle(\n HermesValue::encodeNumberValue(*arrayIndex + 1)),\n opFlags);\n if (LLVM_UNLIKELY(cr == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n if (LLVM_UNLIKELY(!*cr))\n return false;\n }\n }\n\n auto result =\n setOwnIndexed(receiverHandle, runtime, *arrayIndex, valueHandle);\n if (LLVM_UNLIKELY(result == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n if (LLVM_LIKELY(*result))\n return true;\n\n if (opFlags.getThrowOnError()) {\n // TODO: better message.\n return runtime->raiseTypeError(\"Cannot assign to read-only property\");\n }\n return false;\n }\n }\n\n SymbolID id{};\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n\n // Add a new named property.\n return addOwnProperty(\n receiverHandle,\n runtime,\n id,\n DefinePropertyFlags::getDefaultNewPropertyFlags(),\n valueHandle,\n opFlags);\n}", "project": "hermes", "hash": 22945775706399007322739222011717058068, "size": 286, "commit_id": "8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0", "message": "Handle set where internalSetter and Proxy are both true\n\nSummary:\nIf putComputed is called on a proxy whose target's prototype\nis an array with a propname of 'length', then internalSetter will be\ntrue, and the receiver will be a proxy. 
In that case, proxy needs to\nwin; the behavior may assert or be UB otherwise.\n\nReviewed By: tmikov\n\nDifferential Revision: D23916279\n\nfbshipit-source-id: c760356d48a02ece565fb4bc1acdafd7ccad7c68", "target": 0, "dataset": "other", "idx": 259369 }, { "func": "void rec_wont(struct Curl_easy *data, int option)\n{\n struct TELNET *tn = data->req.p.telnet;\n switch(tn->him[option]) {\n case CURL_NO:\n /* Already disabled */\n break;\n\n case CURL_YES:\n tn->him[option] = CURL_NO;\n send_negotiation(data, CURL_DONT, option);\n break;\n\n case CURL_WANTNO:\n switch(tn->himq[option]) {\n case CURL_EMPTY:\n tn->him[option] = CURL_NO;\n break;\n\n case CURL_OPPOSITE:\n tn->him[option] = CURL_WANTYES;\n tn->himq[option] = CURL_EMPTY;\n send_negotiation(data, CURL_DO, option);\n break;\n }\n break;\n\n case CURL_WANTYES:\n switch(tn->himq[option]) {\n case CURL_EMPTY:\n tn->him[option] = CURL_NO;\n break;\n case CURL_OPPOSITE:\n tn->him[option] = CURL_NO;\n tn->himq[option] = CURL_EMPTY;\n break;\n }\n break;\n }\n}", "project": "curl", "hash": 304854631837926041603922390092275208182, "size": 40, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 0, "dataset": "other", "idx": 481504 }, { "func": "bool instantiate_tmp_table(TABLE *table, KEY *keyinfo, \n TMP_ENGINE_COLUMNDEF *start_recinfo,\n TMP_ENGINE_COLUMNDEF **recinfo,\n ulonglong options)\n{\n if (table->s->db_type() == TMP_ENGINE_HTON)\n {\n /*\n If it is not heap (in-memory) table then convert index to unique\n constrain.\n */\n MEM_CHECK_DEFINED(table->record[0], table->s->reclength);\n if (create_internal_tmp_table(table, keyinfo, start_recinfo, recinfo,\n options))\n return TRUE;\n MEM_CHECK_DEFINED(table->record[0], table->s->reclength);\n }\n if (open_tmp_table(table))\n return TRUE;\n\n return FALSE;\n}", "target": 0, "cwe": [], "project": "server", 
"commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 165869581791197430905604845981841949626, "size": 22, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508546 }, { "func": "RGWOp* RGWSwiftWebsiteHandler::get_ws_listing_op()\n{\n class RGWWebsiteListing : public RGWListBucket_ObjStore_SWIFT {\n const std::string prefix_override;\n\n int get_params() override {\n prefix = prefix_override;\n max = default_max;\n delimiter = \"/\";\n return 0;\n }\n\n void send_response() override {\n /* Generate the header now. */\n set_req_state_err(s, op_ret);\n dump_errno(s);\n dump_container_metadata(s, bucket, bucket_quota,\n s->bucket_info.website_conf);\n end_header(s, this, \"text/html\");\n if (op_ret < 0) {\n return;\n }\n\n /* Now it's the time to start generating HTML bucket listing.\n * All the crazy stuff with crafting tags will be delegated to\n * RGWSwiftWebsiteListingFormatter. 
*/\n std::stringstream ss;\n RGWSwiftWebsiteListingFormatter htmler(ss, prefix);\n\n const auto& ws_conf = s->bucket_info.website_conf;\n htmler.generate_header(s->decoded_uri,\n ws_conf.listing_css_doc);\n\n for (const auto& pair : common_prefixes) {\n std::string subdir_name = pair.first;\n if (! subdir_name.empty()) {\n /* To be compliant with Swift we need to remove the trailing\n * slash. */\n subdir_name.pop_back();\n }\n\n htmler.dump_subdir(subdir_name);\n }\n\n for (const rgw_bucket_dir_entry& obj : objs) {\n if (! common_prefixes.count(obj.key.name + '/')) {\n htmler.dump_object(obj);\n }\n }\n\n htmler.generate_footer();\n dump_body(s, ss.str());\n }\n public:\n /* Taking prefix_override by value to leverage std::string r-value ref\n * ctor and thus avoid extra memory copying/increasing ref counter. */\n explicit RGWWebsiteListing(std::string prefix_override)\n : prefix_override(std::move(prefix_override)) {\n }\n };\n\n std::string prefix = std::move(s->object.name);\n s->object = rgw_obj_key();\n\n return new RGWWebsiteListing(std::move(prefix));\n}", "project": "ceph", "hash": 42145891040937066115664658653386779544, "size": 66, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448766 }, { "func": "static int sctp_setsockopt_asconf_supported(struct sock *sk,\n\t\t\t\t\t struct sctp_assoc_value *params,\n\t\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_association *asoc;\n\tstruct sctp_endpoint *ep;\n\tint retval = -EINVAL;\n\n\tif (optlen != sizeof(*params))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params->assoc_id);\n\tif (!asoc && params->assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, 
UDP))\n\t\tgoto out;\n\n\tep = sctp_sk(sk)->ep;\n\tep->asconf_enable = !!params->assoc_value;\n\n\tif (ep->asconf_enable && ep->auth_enable) {\n\t\tsctp_auth_ep_add_chunkid(ep, SCTP_CID_ASCONF);\n\t\tsctp_auth_ep_add_chunkid(ep, SCTP_CID_ASCONF_ACK);\n\t}\n\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 85094705977414975751925895494933006759, "size": 29, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398105 }, { "func": "static int _nfs4_get_security_label(struct inode *inode, void *buf,\n\t\t\t\t\tsize_t buflen)\n{\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\tstruct nfs_fattr fattr;\n\tstruct nfs4_label label = {0, 0, buflen, buf};\n\n\tu32 bitmask[3] = { 0, 0, FATTR4_WORD2_SECURITY_LABEL };\n\tstruct nfs4_getattr_arg arg = {\n\t\t.fh\t\t= NFS_FH(inode),\n\t\t.bitmask\t= bitmask,\n\t};\n\tstruct nfs4_getattr_res res = {\n\t\t.fattr\t\t= &fattr,\n\t\t.label\t\t= &label,\n\t\t.server\t\t= server,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc\t= &nfs4_procedures[NFSPROC4_CLNT_GETATTR],\n\t\t.rpc_argp\t= &arg,\n\t\t.rpc_resp\t= &res,\n\t};\n\tint ret;\n\n\tnfs_fattr_init(&fattr);\n\n\tret = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 0);\n\tif (ret)\n\t\treturn ret;\n\tif (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL))\n\t\treturn -ENOENT;\n\treturn 0;\n}", "project": "linux", "hash": 246690118842505570211725056433216330666, "size": 33, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431627 }, { "project": "phosphor-host-ipmid", "commit_id": "b265455a2518ece7c004b43c144199ec980fc620", "target": 1, "func": "int PasswdMgr::updatePasswdSpecialFile(const std::string& userName,\n const std::string& newUserName)\n{\n phosphor::user::shadow::Lock lock();\n\n size_t bytesWritten = 0;\n size_t inBytesLen = 0;\n size_t isUsrFound = false;\n const EVP_CIPHER* cipher = EVP_aes_128_cbc();\n std::vector dataBuf;\n\n // Read the encrypted file and get the 
file data\n // Check user existance and return if not exist.\n if (readPasswdFileData(dataBuf) != 0)\n {\n log(\"Error in reading the encrypted pass file\");\n return -EIO;\n }\n\n if (dataBuf.size() != 0)\n {\n inBytesLen =\n dataBuf.size() + newUserName.size() + EVP_CIPHER_block_size(cipher);\n }\n\n std::vector inBytes(inBytesLen);\n if (inBytesLen != 0)\n {\n char* outPtr = reinterpret_cast(dataBuf.data());\n char* nToken = NULL;\n char* linePtr = strtok_r(outPtr, \"\\n\", &nToken);\n while (linePtr != NULL)\n {\n size_t userEPos = 0;\n\n std::string lineStr(linePtr);\n if ((userEPos = lineStr.find(\":\")) != std::string::npos)\n {\n if (userName.compare(lineStr.substr(0, userEPos)) == 0)\n {\n isUsrFound = true;\n if (!newUserName.empty())\n {\n bytesWritten += std::snprintf(\n reinterpret_cast(&inBytes[0]) + bytesWritten,\n (inBytesLen - bytesWritten), \"%s%s\\n\",\n newUserName.c_str(),\n lineStr.substr(userEPos, lineStr.size()).data());\n }\n }\n else\n {\n bytesWritten += std::snprintf(\n reinterpret_cast(&inBytes[0]) + bytesWritten,\n (inBytesLen - bytesWritten), \"%s\\n\", lineStr.data());\n }\n }\n linePtr = strtok_r(NULL, \"\\n\", &nToken);\n }\n inBytesLen = bytesWritten;\n }\n if (!isUsrFound)\n {\n log(\"User doesn't exist\");\n return 0;\n }\n\n // Read the key buff from key file\n std::array keyBuff;\n std::ifstream keyFile(encryptKeyFileName, std::ios::in | std::ios::binary);\n if (!keyFile.good())\n {\n log(\"Error in opening encryption key file\");\n return -EIO;\n }\n keyFile.read(reinterpret_cast(keyBuff.data()), keyBuff.size());\n if (keyFile.fail())\n {\n log(\"Error in reading encryption key file\");\n return -EIO;\n }\n keyFile.close();\n\n // Read the original passwd file mode\n struct stat st = {};\n if (stat(passwdFileName, &st) != 0)\n {\n log(\"Error in getting password file fstat()\");\n return -EIO;\n }\n\n // Create temporary file for write\n std::string pwdFile(passwdFileName);\n std::vector tempFileName(pwdFile.begin(), 
pwdFile.end());\n std::vector fileTemplate = {'_', '_', 'X', 'X', 'X',\n 'X', 'X', 'X', '\\0'};\n tempFileName.insert(tempFileName.end(), fileTemplate.begin(),\n fileTemplate.end());\n int fd = mkstemp((char*)tempFileName.data());\n if (fd == -1)\n {\n log(\"Error creating temp file\");\n return -EIO;\n }\n\n std::string strTempFileName(tempFileName.data());\n // Open the temp file for writing from provided fd\n // By \"true\", remove it at exit if still there.\n // This is needed to cleanup the temp file at exception\n phosphor::user::File temp(fd, strTempFileName, \"w\", true);\n if ((temp)() == NULL)\n {\n close(fd);\n log(\"Error creating temp file\");\n return -EIO;\n }\n\n // Set the file mode as of actual ipmi-pass file.\n if (fchmod(fileno((temp)()), st.st_mode) < 0)\n {\n log(\"Error setting fchmod for temp file\");\n return -EIO;\n }\n\n const EVP_MD* digest = EVP_sha256();\n size_t hashLen = EVP_MD_block_size(digest);\n std::vector hash(hashLen);\n size_t ivLen = EVP_CIPHER_iv_length(cipher);\n std::vector iv(ivLen);\n std::array key;\n size_t keyLen = key.size();\n std::array mac;\n size_t macLen = mac.size();\n\n // Create random hash and generate hash key which will be used for\n // encryption.\n if (RAND_bytes(hash.data(), hashLen) != 1)\n {\n log(\"Hash genertion failed, bailing out\");\n return -EIO;\n }\n if (NULL == HMAC(digest, keyBuff.data(), keyBuff.size(), hash.data(),\n hashLen, key.data(),\n reinterpret_cast(&keyLen)))\n {\n log(\"Failed to create MAC for authentication\");\n return -EIO;\n }\n\n // Generate IV values\n if (RAND_bytes(iv.data(), ivLen) != 1)\n {\n log(\"UV genertion failed, bailing out\");\n return -EIO;\n }\n\n // Encrypt the input data\n std::vector outBytes(inBytesLen + EVP_MAX_BLOCK_LENGTH);\n size_t outBytesLen = 0;\n if (inBytesLen != 0)\n {\n if (encryptDecryptData(true, EVP_aes_128_cbc(), key.data(), keyLen,\n iv.data(), ivLen, inBytes.data(), inBytesLen,\n mac.data(), &macLen, outBytes.data(),\n &outBytesLen) != 
0)\n {\n log(\"Error while encrypting the data\");\n return -EIO;\n }\n outBytes[outBytesLen] = 0;\n }\n OPENSSL_cleanse(key.data(), keyLen);\n\n // Update the meta password structure.\n MetaPassStruct metaData = {META_PASSWD_SIG, {0, 0}, 0, 0, 0, 0, 0};\n metaData.hashSize = hashLen;\n metaData.ivSize = ivLen;\n metaData.dataSize = bytesWritten;\n metaData.padSize = outBytesLen - bytesWritten;\n metaData.macSize = macLen;\n\n if (fwrite(&metaData, 1, sizeof(metaData), (temp)()) != sizeof(metaData))\n {\n log(\"Error in writing meta data\");\n return -EIO;\n }\n\n if (fwrite(&hash[0], 1, hashLen, (temp)()) != hashLen)\n {\n log(\"Error in writing hash data\");\n return -EIO;\n }\n\n if (fwrite(&iv[0], 1, ivLen, (temp)()) != ivLen)\n {\n log(\"Error in writing IV data\");\n return -EIO;\n }\n\n if (fwrite(&outBytes[0], 1, outBytesLen, (temp)()) != outBytesLen)\n {\n log(\"Error in writing encrypted data\");\n return -EIO;\n }\n\n if (fwrite(&mac[0], 1, macLen, (temp)()) != macLen)\n {\n log(\"Error in writing MAC data\");\n return -EIO;\n }\n\n if (fflush((temp)()))\n {\n log(\n \"File fflush error while writing entries to special file\");\n return -EIO;\n }\n\n OPENSSL_cleanse(iv.data(), ivLen);\n\n // Rename the tmp file to actual file\n if (std::rename(strTempFileName.data(), passwdFileName) != 0)\n {\n log(\"Failed to rename tmp file to ipmi-pass\");\n return -EIO;\n }\n\n return 0;\n}", "idx": 217248, "cwe": "CWE-276", "hash": 221959307217368580668393288338011666999, "dataset": "other" }, { "project": "phosphor-host-ipmid", "commit_id": "b265455a2518ece7c004b43c144199ec980fc620", "target": 0, "func": "int PasswdMgr::updatePasswdSpecialFile(const std::string& userName,\n const std::string& newUserName)\n{\n phosphor::user::shadow::Lock lock();\n\n size_t bytesWritten = 0;\n size_t inBytesLen = 0;\n size_t isUsrFound = false;\n const EVP_CIPHER* cipher = EVP_aes_128_cbc();\n std::vector dataBuf;\n\n // Read the encrypted file and get the file data\n // Check user 
existance and return if not exist.\n if (readPasswdFileData(dataBuf) != 0)\n {\n log(\"Error in reading the encrypted pass file\");\n return -EIO;\n }\n\n if (dataBuf.size() != 0)\n {\n inBytesLen =\n dataBuf.size() + newUserName.size() + EVP_CIPHER_block_size(cipher);\n }\n\n std::vector inBytes(inBytesLen);\n if (inBytesLen != 0)\n {\n char* outPtr = reinterpret_cast(dataBuf.data());\n char* nToken = NULL;\n char* linePtr = strtok_r(outPtr, \"\\n\", &nToken);\n while (linePtr != NULL)\n {\n size_t userEPos = 0;\n\n std::string lineStr(linePtr);\n if ((userEPos = lineStr.find(\":\")) != std::string::npos)\n {\n if (userName.compare(lineStr.substr(0, userEPos)) == 0)\n {\n isUsrFound = true;\n if (!newUserName.empty())\n {\n bytesWritten += std::snprintf(\n reinterpret_cast(&inBytes[0]) + bytesWritten,\n (inBytesLen - bytesWritten), \"%s%s\\n\",\n newUserName.c_str(),\n lineStr.substr(userEPos, lineStr.size()).data());\n }\n }\n else\n {\n bytesWritten += std::snprintf(\n reinterpret_cast(&inBytes[0]) + bytesWritten,\n (inBytesLen - bytesWritten), \"%s\\n\", lineStr.data());\n }\n }\n linePtr = strtok_r(NULL, \"\\n\", &nToken);\n }\n inBytesLen = bytesWritten;\n }\n if (!isUsrFound)\n {\n log(\"User doesn't exist\");\n return 0;\n }\n\n // Read the key buff from key file\n std::array keyBuff;\n std::ifstream keyFile(encryptKeyFileName, std::ios::in | std::ios::binary);\n if (!keyFile.good())\n {\n log(\"Error in opening encryption key file\");\n return -EIO;\n }\n keyFile.read(reinterpret_cast(keyBuff.data()), keyBuff.size());\n if (keyFile.fail())\n {\n log(\"Error in reading encryption key file\");\n return -EIO;\n }\n keyFile.close();\n\n // Read the original passwd file mode\n struct stat st = {};\n if (stat(passwdFileName, &st) != 0)\n {\n log(\"Error in getting password file fstat()\");\n return -EIO;\n }\n\n // Create temporary file for write\n std::string pwdFile(passwdFileName);\n std::vector tempFileName(pwdFile.begin(), pwdFile.end());\n std::vector 
fileTemplate = {'_', '_', 'X', 'X', 'X',\n 'X', 'X', 'X', '\\0'};\n tempFileName.insert(tempFileName.end(), fileTemplate.begin(),\n fileTemplate.end());\n int fd = mkstemp((char*)tempFileName.data());\n if (fd == -1)\n {\n log(\"Error creating temp file\");\n return -EIO;\n }\n\n std::string strTempFileName(tempFileName.data());\n // Open the temp file for writing from provided fd\n // By \"true\", remove it at exit if still there.\n // This is needed to cleanup the temp file at exception\n phosphor::user::File temp(fd, strTempFileName, \"w\", true);\n if ((temp)() == NULL)\n {\n close(fd);\n log(\"Error creating temp file\");\n return -EIO;\n }\n\n // Set the file mode as read-write for owner only\n if (fchmod(fileno((temp)()), S_IRUSR | S_IWUSR) < 0)\n {\n log(\"Error setting fchmod for temp file\");\n return -EIO;\n }\n\n const EVP_MD* digest = EVP_sha256();\n size_t hashLen = EVP_MD_block_size(digest);\n std::vector hash(hashLen);\n size_t ivLen = EVP_CIPHER_iv_length(cipher);\n std::vector iv(ivLen);\n std::array key;\n size_t keyLen = key.size();\n std::array mac;\n size_t macLen = mac.size();\n\n // Create random hash and generate hash key which will be used for\n // encryption.\n if (RAND_bytes(hash.data(), hashLen) != 1)\n {\n log(\"Hash genertion failed, bailing out\");\n return -EIO;\n }\n if (NULL == HMAC(digest, keyBuff.data(), keyBuff.size(), hash.data(),\n hashLen, key.data(),\n reinterpret_cast(&keyLen)))\n {\n log(\"Failed to create MAC for authentication\");\n return -EIO;\n }\n\n // Generate IV values\n if (RAND_bytes(iv.data(), ivLen) != 1)\n {\n log(\"UV genertion failed, bailing out\");\n return -EIO;\n }\n\n // Encrypt the input data\n std::vector outBytes(inBytesLen + EVP_MAX_BLOCK_LENGTH);\n size_t outBytesLen = 0;\n if (inBytesLen != 0)\n {\n if (encryptDecryptData(true, EVP_aes_128_cbc(), key.data(), keyLen,\n iv.data(), ivLen, inBytes.data(), inBytesLen,\n mac.data(), &macLen, outBytes.data(),\n &outBytesLen) != 0)\n {\n log(\"Error 
while encrypting the data\");\n return -EIO;\n }\n outBytes[outBytesLen] = 0;\n }\n OPENSSL_cleanse(key.data(), keyLen);\n\n // Update the meta password structure.\n MetaPassStruct metaData = {META_PASSWD_SIG, {0, 0}, 0, 0, 0, 0, 0};\n metaData.hashSize = hashLen;\n metaData.ivSize = ivLen;\n metaData.dataSize = bytesWritten;\n metaData.padSize = outBytesLen - bytesWritten;\n metaData.macSize = macLen;\n\n if (fwrite(&metaData, 1, sizeof(metaData), (temp)()) != sizeof(metaData))\n {\n log(\"Error in writing meta data\");\n return -EIO;\n }\n\n if (fwrite(&hash[0], 1, hashLen, (temp)()) != hashLen)\n {\n log(\"Error in writing hash data\");\n return -EIO;\n }\n\n if (fwrite(&iv[0], 1, ivLen, (temp)()) != ivLen)\n {\n log(\"Error in writing IV data\");\n return -EIO;\n }\n\n if (fwrite(&outBytes[0], 1, outBytesLen, (temp)()) != outBytesLen)\n {\n log(\"Error in writing encrypted data\");\n return -EIO;\n }\n\n if (fwrite(&mac[0], 1, macLen, (temp)()) != macLen)\n {\n log(\"Error in writing MAC data\");\n return -EIO;\n }\n\n if (fflush((temp)()))\n {\n log(\n \"File fflush error while writing entries to special file\");\n return -EIO;\n }\n\n OPENSSL_cleanse(iv.data(), ivLen);\n\n // Rename the tmp file to actual file\n if (std::rename(strTempFileName.data(), passwdFileName) != 0)\n {\n log(\"Failed to rename tmp file to ipmi-pass\");\n return -EIO;\n }\n\n return 0;\n}", "idx": 519579, "cwe": "CWE-276", "hash": 122115830430551595209272746493260850260, "dataset": "other" }, { "func": "static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoPtr, char **pszEncoding, char *szValuePtr, int ByteCount)\n{\n\tint a;\n\tchar *decode;\n\tsize_t len;\n\n\t*pszEncoding = NULL;\n\t/* Copy the comment */\n\tif (ByteCount>=8) {\n\t\tconst zend_encoding *from, *to;\n\t\tif (!memcmp(szValuePtr, \"UNICODE\\0\", 8)) {\n\t\t\t*pszEncoding = estrdup((const char*)szValuePtr);\n\t\t\tszValuePtr = szValuePtr+8;\n\t\t\tByteCount -= 8;\n\t\t\t/* First try to detect 
BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)\n\t\t\t * since we have no encoding support for the BOM yet we skip that.\n\t\t\t */\n\t\t\tif (!memcmp(szValuePtr, \"\\xFE\\xFF\", 2)) {\n\t\t\t\tdecode = \"UCS-2BE\";\n\t\t\t\tszValuePtr = szValuePtr+2;\n\t\t\t\tByteCount -= 2;\n\t\t\t} else if (!memcmp(szValuePtr, \"\\xFF\\xFE\", 2)) {\n\t\t\t\tdecode = \"UCS-2LE\";\n\t\t\t\tszValuePtr = szValuePtr+2;\n\t\t\t\tByteCount -= 2;\n\t\t\t} else if (ImageInfo->motorola_intel) {\n\t\t\t\tdecode = ImageInfo->decode_unicode_be;\n\t\t\t} else {\n\t\t\t\tdecode = ImageInfo->decode_unicode_le;\n\t\t\t}\n\t\t\tto = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode);\n\t\t\tfrom = zend_multibyte_fetch_encoding(decode);\n\t\t\t/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */\n\t\t\tif (!to || !from || zend_multibyte_encoding_converter(\n\t\t\t\t\t(unsigned char**)pszInfoPtr,\n\t\t\t\t\t&len,\n\t\t\t\t\t(unsigned char*)szValuePtr,\n\t\t\t\t\tByteCount,\n\t\t\t\t\tto,\n\t\t\t\t\tfrom) == (size_t)-1) {\n\t\t\t\tlen = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);\n\t\t\t}\n\t\t\treturn len;\n\t\t} else if (!memcmp(szValuePtr, \"ASCII\\0\\0\\0\", 8)) {\n\t\t\t*pszEncoding = estrdup((const char*)szValuePtr);\n\t\t\tszValuePtr = szValuePtr+8;\n\t\t\tByteCount -= 8;\n\t\t} else if (!memcmp(szValuePtr, \"JIS\\0\\0\\0\\0\\0\", 8)) {\n\t\t\t/* JIS should be tanslated to MB or we leave it to the user - leave it to the user */\n\t\t\t*pszEncoding = estrdup((const char*)szValuePtr);\n\t\t\tszValuePtr = szValuePtr+8;\n\t\t\tByteCount -= 8;\n\t\t\t/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */\n\t\t\tto = zend_multibyte_fetch_encoding(ImageInfo->encode_jis);\n\t\t\tfrom = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? 
ImageInfo->decode_jis_be : ImageInfo->decode_jis_le);\n\t\t\tif (!to || !from || zend_multibyte_encoding_converter(\n\t\t\t\t\t(unsigned char**)pszInfoPtr,\n\t\t\t\t\t&len,\n\t\t\t\t\t(unsigned char*)szValuePtr,\n\t\t\t\t\tByteCount,\n\t\t\t\t\tto,\n\t\t\t\t\tfrom) == (size_t)-1) {\n\t\t\t\tlen = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);\n\t\t\t}\n\t\t\treturn len;\n\t\t} else if (!memcmp(szValuePtr, \"\\0\\0\\0\\0\\0\\0\\0\\0\", 8)) {\n\t\t\t/* 8 NULL means undefined and should be ASCII... */\n\t\t\t*pszEncoding = estrdup(\"UNDEFINED\");\n\t\t\tszValuePtr = szValuePtr+8;\n\t\t\tByteCount -= 8;\n\t\t}\n\t}\n\n\t/* Olympus has this padded with trailing spaces. Remove these first. */\n\tif (ByteCount>0) {\n\t\tfor (a=ByteCount-1;a && szValuePtr[a]==' ';a--) {\n\t\t\t(szValuePtr)[a] = '\\0';\n\t\t}\n\t}\n\n\t/* normal text without encoding */\n\texif_process_string(pszInfoPtr, szValuePtr, ByteCount);\n\treturn strlen(*pszInfoPtr);\n}", "project": "php-src", "hash": 5427184732579812301760671687371059038, "size": 84, "commit_id": "e648fa4699e8d072db6db34fcc09826e8127fab8", "message": "Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)\n\n(cherry picked from commit aeb6d13185a2ea4f1496ede2697469faed98ce05)", "target": 1, "dataset": "other", "idx": 202638 }, { "func": "static bool php_string_to_if_index(const char *val, unsigned *out)\n{\n#if HAVE_IF_NAMETOINDEX\n unsigned int ind = if_nametoindex(val);\n if (ind == 0) {\n raise_warning(\"no interface with name \\\"%s\\\" could be found\", val);\n return false;\n } else {\n *out = ind;\n return true;\n }\n#else\n raise_warning(\"this platform does not support looking up an interface by \"\n \"name, an integer interface index must be supplied instead\");\n return false;\n#endif\n}", "project": "hhvm", "hash": 41569397245830316689489743606446004045, "size": 17, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security 
fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219073 }, { "func": "bool open_tmp_table(TABLE *table)\n{\n int error;\n if (unlikely((error= table->file->ha_open(table, table->s->path.str, O_RDWR,\n HA_OPEN_TMP_TABLE |\n HA_OPEN_INTERNAL_TABLE))))\n {\n table->file->print_error(error, MYF(0)); /* purecov: inspected */\n table->db_stat= 0;\n return 1;\n }\n table->db_stat= HA_OPEN_KEYFILE;\n (void) table->file->extra(HA_EXTRA_QUICK); /* Faster */\n if (!table->is_created())\n {\n table->set_created();\n table->in_use->inc_status_created_tmp_tables();\n }\n\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 284016787136127261544067331142175347003, "size": 21, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508514 }, { "func": "static ino_t fuse_squash_ino(u64 ino64)\n{\n\tino_t ino = (ino_t) ino64;\n\tif (sizeof(ino_t) < sizeof(u64))\n\t\tino ^= ino64 >> (sizeof(u64) - sizeof(ino_t)) * 8;\n\treturn ino;\n}", "project": "linux", "hash": 183123502790683306366756162994412357920, "size": 7, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342154 }, { "func": "static int sctp_getsockopt_active_key(struct sock *sk, int len,\n\t\t\t\t char __user *optval, int __user *optlen)\n{\n\tstruct sctp_endpoint *ep = sctp_sk(sk)->ep;\n\tstruct sctp_authkeyid val;\n\tstruct sctp_association *asoc;\n\n\tif (len < sizeof(struct sctp_authkeyid))\n\t\treturn -EINVAL;\n\n\tlen = sizeof(struct sctp_authkeyid);\n\tif (copy_from_user(&val, optval, len))\n\t\treturn -EFAULT;\n\n\tasoc = sctp_id2assoc(sk, val.scact_assoc_id);\n\tif (!asoc && val.scact_assoc_id && sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc) {\n\t\tif (!asoc->peer.auth_capable)\n\t\t\treturn -EACCES;\n\t\tval.scact_keynumber = asoc->active_key_id;\n\t} else {\n\t\tif (!ep->auth_enable)\n\t\t\treturn -EACCES;\n\t\tval.scact_keynumber = ep->active_key_id;\n\t}\n\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\tif (copy_to_user(optval, &val, len))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 52836793059872812107519069027488133082, "size": 35, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398097 }, { "func": "static inline void gprinter_put_minor(int minor)\n{\n\tida_simple_remove(&printer_ida, minor);\n}", "project": "linux", "hash": 176433196990928946223960140371469080841, "size": 4, "commit_id": "e8d5f92b8d30bb4ade76494490c3c065e12411b1", "message": "usb: gadget: function: printer: fix use-after-free in __lock_acquire\n\nFix this by increase object reference count.\n\nBUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180\nkernel/locking/lockdep.c:3831\nRead of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377\n\nCPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xce/0x128 lib/dump_stack.c:118\n print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374\n __kasan_report+0x131/0x1b0 mm/kasan/report.c:506\n kasan_report+0x12/0x20 mm/kasan/common.c:641\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135\n __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831\n lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0xfb/0x130 fs/ioctl.c:763\n __do_sys_ioctl 
fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x4531a9\nCode: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9\nRDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003\nRBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61\nR13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff\n\nAllocated by task 2393:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515\n kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529\n kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813\n kmalloc include/linux/slab.h:555 [inline]\n kzalloc include/linux/slab.h:669 [inline]\n gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416\n usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61\n config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444\n configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202\n vfs_symlink+0x33d/0x5b0 fs/namei.c:4201\n do_symlinkat+0x11b/0x1d0 fs/namei.c:4228\n __do_sys_symlinkat fs/namei.c:4242 [inline]\n __se_sys_symlinkat fs/namei.c:4239 [inline]\n __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nFreed by task 3368:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n kasan_set_free_info mm/kasan/common.c:337 [inline]\n __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476\n 
kasan_slab_free+0xe/0x10 mm/kasan/common.c:485\n slab_free_hook mm/slub.c:1444 [inline]\n slab_free_freelist_hook mm/slub.c:1477 [inline]\n slab_free mm/slub.c:3034 [inline]\n kfree+0xf7/0x410 mm/slub.c:3995\n gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353\n usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87\n config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485\n configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250\n vfs_unlink+0x287/0x570 fs/namei.c:4073\n do_unlinkat+0x4f9/0x620 fs/namei.c:4137\n __do_sys_unlink fs/namei.c:4184 [inline]\n __se_sys_unlink fs/namei.c:4182 [inline]\n __x64_sys_unlink+0x42/0x50 fs/namei.c:4182\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nThe buggy address belongs to the object at ffff8880683b0000\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 24 bytes inside of\n 1024-byte region [ffff8880683b0000, ffff8880683b0400)\nThe buggy address belongs to the page:\npage:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300\nindex:0xffff8880683b1800 compound_mapcount: 0\nflags: 0x100000000010200(slab|head)\nraw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300\nraw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nSigned-off-by: Felipe Balbi ", "target": 0, "dataset": "other", "idx": 389331 }, { "func": "enum uni_interp interp_from_encoding(Encoding *enc,enum uni_interp interp) {\n\n if ( enc==NULL )\nreturn( interp );\n\n if ( enc->is_japanese )\n\tinterp = ui_japanese;\n else if ( enc->is_korean )\n\tinterp = ui_korean;\n else if ( enc->is_tradchinese )\n\tinterp = ui_trad_chinese;\n else if ( enc->is_simplechinese )\n\tinterp = ui_simp_chinese;\nreturn( interp );\n}", "project": "fontforge", "hash": 303925354015959692467239616479639584351, "size": 15, 
"commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417791 }, { "func": "uint8_t bf_bit_size(const struct compressed_block_header* hdr) {\n\treturn hdr->block_flags_u8 & 7;\n}", "project": "libarchive", "hash": 137943366666651017561142972405048151595, "size": 3, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244737 }, { "func": "void __do_SAK(struct tty_struct *tty)\n{\n#ifdef TTY_SOFT_SAK\n\ttty_hangup(tty);\n#else\n\tstruct task_struct *g, *p;\n\tstruct pid *session;\n\tint\t\ti;\n\n\tif (!tty)\n\t\treturn;\n\tsession = tty->session;\n\n\ttty_ldisc_flush(tty);\n\n\ttty_driver_flush_buffer(tty);\n\n\tread_lock(&tasklist_lock);\n\t/* Kill the entire session */\n\tdo_each_pid_task(session, PIDTYPE_SID, p) {\n\t\ttty_notice(tty, \"SAK: killed process %d (%s): by session\\n\",\n\t\t\t task_pid_nr(p), p->comm);\n\t\tgroup_send_sig_info(SIGKILL, 
SEND_SIG_PRIV, p, PIDTYPE_SID);\n\t} while_each_pid_task(session, PIDTYPE_SID, p);\n\n\t/* Now kill any processes that happen to have the tty open */\n\tdo_each_thread(g, p) {\n\t\tif (p->signal->tty == tty) {\n\t\t\ttty_notice(tty, \"SAK: killed process %d (%s): by controlling tty\\n\",\n\t\t\t\t task_pid_nr(p), p->comm);\n\t\t\tgroup_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_SID);\n\t\t\tcontinue;\n\t\t}\n\t\ttask_lock(p);\n\t\ti = iterate_fd(p->files, 0, this_tty, tty);\n\t\tif (i != 0) {\n\t\t\ttty_notice(tty, \"SAK: killed process %d (%s): by fd#%d\\n\",\n\t\t\t\t task_pid_nr(p), p->comm, i - 1);\n\t\t\tgroup_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_SID);\n\t\t}\n\t\ttask_unlock(p);\n\t} while_each_thread(g, p);\n\tread_unlock(&tasklist_lock);\n#endif\n}", "project": "linux", "hash": 327113028686969306396725554617278047338, "size": 45, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 1, "dataset": "other", "idx": 201881 }, { "func": "void __do_SAK(struct tty_struct *tty)\n{\n#ifdef TTY_SOFT_SAK\n\ttty_hangup(tty);\n#else\n\tstruct task_struct *g, *p;\n\tstruct pid *session;\n\tint\t\ti;\n\tunsigned long flags;\n\n\tif (!tty)\n\t\treturn;\n\n\tspin_lock_irqsave(&tty->ctrl_lock, flags);\n\tsession = get_pid(tty->session);\n\tspin_unlock_irqrestore(&tty->ctrl_lock, flags);\n\n\ttty_ldisc_flush(tty);\n\n\ttty_driver_flush_buffer(tty);\n\n\tread_lock(&tasklist_lock);\n\t/* Kill the entire session */\n\tdo_each_pid_task(session, PIDTYPE_SID, p) {\n\t\ttty_notice(tty, \"SAK: killed process %d (%s): by session\\n\",\n\t\t\t task_pid_nr(p), p->comm);\n\t\tgroup_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_SID);\n\t} while_each_pid_task(session, PIDTYPE_SID, p);\n\n\t/* Now kill any processes that happen to have the tty open */\n\tdo_each_thread(g, p) {\n\t\tif (p->signal->tty == tty) {\n\t\t\ttty_notice(tty, \"SAK: killed process %d (%s): by controlling tty\\n\",\n\t\t\t\t task_pid_nr(p), p->comm);\n\t\t\tgroup_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_SID);\n\t\t\tcontinue;\n\t\t}\n\t\ttask_lock(p);\n\t\ti = iterate_fd(p->files, 0, this_tty, tty);\n\t\tif (i != 0) {\n\t\t\ttty_notice(tty, 
\"SAK: killed process %d (%s): by fd#%d\\n\",\n\t\t\t\t task_pid_nr(p), p->comm, i - 1);\n\t\t\tgroup_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_SID);\n\t\t}\n\t\ttask_unlock(p);\n\t} while_each_thread(g, p);\n\tread_unlock(&tasklist_lock);\n\tput_pid(session);\n#endif\n}", "project": "linux", "hash": 232074957705892957788904660986151519370, "size": 50, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326074 }, { "func": "void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *ndpi_str,\n const NDPI_PROTOCOL_BITMASK *dbm) {\n NDPI_PROTOCOL_BITMASK detection_bitmask_local;\n NDPI_PROTOCOL_BITMASK *detection_bitmask = &detection_bitmask_local;\n u_int32_t a = 0;\n\n NDPI_BITMASK_SET(detection_bitmask_local, *dbm);\n NDPI_BITMASK_SET(ndpi_str->detection_bitmask, *dbm);\n\n /* set this here to zero to be interrupt safe */\n ndpi_str->callback_buffer_size = 0;\n\n /* HTTP */\n init_http_dissector(ndpi_str, &a, detection_bitmask);\n\n /* STARCRAFT */\n init_starcraft_dissector(ndpi_str, &a, detection_bitmask);\n\n /* TLS */\n init_tls_dissector(ndpi_str, &a, detection_bitmask);\n\n /* STUN */\n init_stun_dissector(ndpi_str, &a, detection_bitmask);\n\n /* RTP */\n init_rtp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* RTSP */\n init_rtsp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* RDP */\n init_rdp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SIP */\n init_sip_dissector(ndpi_str, &a, detection_bitmask);\n\n /* IMO */\n init_imo_dissector(ndpi_str, &a, detection_bitmask);\n\n /* Teredo */\n init_teredo_dissector(ndpi_str, &a, detection_bitmask);\n\n /* 
EDONKEY */\n init_edonkey_dissector(ndpi_str, &a, detection_bitmask);\n\n /* FASTTRACK */\n init_fasttrack_dissector(ndpi_str, &a, detection_bitmask);\n\n /* GNUTELLA */\n init_gnutella_dissector(ndpi_str, &a, detection_bitmask);\n\n /* DIRECTCONNECT */\n init_directconnect_dissector(ndpi_str, &a, detection_bitmask);\n\n /* NATS */\n init_nats_dissector(ndpi_str, &a, detection_bitmask);\n\n /* APPLEJUICE */\n init_applejuice_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SOULSEEK */\n init_soulseek_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SOCKS */\n init_socks_dissector(ndpi_str, &a, detection_bitmask);\n\n /* IRC */\n init_irc_dissector(ndpi_str, &a, detection_bitmask);\n\n /* JABBER */\n init_jabber_dissector(ndpi_str, &a, detection_bitmask);\n\n /* MAIL_POP */\n init_mail_pop_dissector(ndpi_str, &a, detection_bitmask);\n\n /* MAIL_IMAP */\n init_mail_imap_dissector(ndpi_str, &a, detection_bitmask);\n\n /* MAIL_SMTP */\n init_mail_smtp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* USENET */\n init_usenet_dissector(ndpi_str, &a, detection_bitmask);\n\n /* DNS */\n init_dns_dissector(ndpi_str, &a, detection_bitmask);\n\n /* FILETOPIA */\n init_fbzero_dissector(ndpi_str, &a, detection_bitmask);\n\n /* VMWARE */\n init_vmware_dissector(ndpi_str, &a, detection_bitmask);\n\n /* NON_TCP_UDP */\n init_non_tcp_udp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SOPCAST */\n init_sopcast_dissector(ndpi_str, &a, detection_bitmask);\n\n /* TVUPLAYER */\n init_tvuplayer_dissector(ndpi_str, &a, detection_bitmask);\n\n /* PPSTREAM */\n init_ppstream_dissector(ndpi_str, &a, detection_bitmask);\n\n /* PPLIVE */\n init_pplive_dissector(ndpi_str, &a, detection_bitmask);\n\n /* IAX */\n init_iax_dissector(ndpi_str, &a, detection_bitmask);\n\n /* MGPC */\n init_mgpc_dissector(ndpi_str, &a, detection_bitmask);\n\n /* ZATTOO */\n init_zattoo_dissector(ndpi_str, &a, detection_bitmask);\n\n /* QQ */\n init_qq_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SSH 
*/\n init_ssh_dissector(ndpi_str, &a, detection_bitmask);\n\n /* AYIYA */\n init_ayiya_dissector(ndpi_str, &a, detection_bitmask);\n\n /* THUNDER */\n init_thunder_dissector(ndpi_str, &a, detection_bitmask);\n\n /* VNC */\n init_vnc_dissector(ndpi_str, &a, detection_bitmask);\n\n /* TEAMVIEWER */\n init_teamviewer_dissector(ndpi_str, &a, detection_bitmask);\n\n /* DHCP */\n init_dhcp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* STEAM */\n init_steam_dissector(ndpi_str, &a, detection_bitmask);\n\n /* HALFLIFE2 */\n init_halflife2_dissector(ndpi_str, &a, detection_bitmask);\n\n /* XBOX */\n init_xbox_dissector(ndpi_str, &a, detection_bitmask);\n\n /* HTTP_APPLICATION_ACTIVESYNC */\n init_http_activesync_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SMB */\n init_smb_dissector(ndpi_str, &a, detection_bitmask);\n\n /* MINING */\n init_mining_dissector(ndpi_str, &a, detection_bitmask);\n\n /* TELNET */\n init_telnet_dissector(ndpi_str, &a, detection_bitmask);\n\n /* NTP */\n init_ntp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* NFS */\n init_nfs_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SSDP */\n init_ssdp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* WORLD_OF_WARCRAFT */\n init_world_of_warcraft_dissector(ndpi_str, &a, detection_bitmask);\n\n /* POSTGRES */\n init_postgres_dissector(ndpi_str, &a, detection_bitmask);\n\n /* MYSQL */\n init_mysql_dissector(ndpi_str, &a, detection_bitmask);\n\n /* BGP */\n init_bgp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SNMP */\n init_snmp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* KONTIKI */\n init_kontiki_dissector(ndpi_str, &a, detection_bitmask);\n\n /* ICECAST */\n init_icecast_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SHOUTCAST */\n init_shoutcast_dissector(ndpi_str, &a, detection_bitmask);\n\n /* KERBEROS */\n init_kerberos_dissector(ndpi_str, &a, detection_bitmask);\n\n /* OPENFT */\n init_openft_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SYSLOG */\n 
init_syslog_dissector(ndpi_str, &a, detection_bitmask);\n\n /* DIRECT_DOWNLOAD_LINK */\n init_directdownloadlink_dissector(ndpi_str, &a, detection_bitmask);\n\n /* NETBIOS */\n init_netbios_dissector(ndpi_str, &a, detection_bitmask);\n\n /* MDNS */\n init_mdns_dissector(ndpi_str, &a, detection_bitmask);\n\n /* IPP */\n init_ipp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* LDAP */\n init_ldap_dissector(ndpi_str, &a, detection_bitmask);\n\n /* WARCRAFT3 */\n init_warcraft3_dissector(ndpi_str, &a, detection_bitmask);\n\n /* XDMCP */\n init_xdmcp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* TFTP */\n init_tftp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* MSSQL_TDS */\n init_mssql_tds_dissector(ndpi_str, &a, detection_bitmask);\n\n /* PPTP */\n init_pptp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* STEALTHNET */\n init_stealthnet_dissector(ndpi_str, &a, detection_bitmask);\n\n /* DHCPV6 */\n init_dhcpv6_dissector(ndpi_str, &a, detection_bitmask);\n\n /* AFP */\n init_afp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* check_mk */\n init_checkmk_dissector(ndpi_str, &a, detection_bitmask);\n\n /* AIMINI */\n init_aimini_dissector(ndpi_str, &a, detection_bitmask);\n\n /* FLORENSIA */\n init_florensia_dissector(ndpi_str, &a, detection_bitmask);\n\n /* MAPLESTORY */\n init_maplestory_dissector(ndpi_str, &a, detection_bitmask);\n\n /* DOFUS */\n init_dofus_dissector(ndpi_str, &a, detection_bitmask);\n\n /* WORLD_OF_KUNG_FU */\n init_world_of_kung_fu_dissector(ndpi_str, &a, detection_bitmask);\n\n /* FIESTA */\n init_fiesta_dissector(ndpi_str, &a, detection_bitmask);\n\n /* CROSSIFIRE */\n init_crossfire_dissector(ndpi_str, &a, detection_bitmask);\n\n /* GUILDWARS */\n init_guildwars_dissector(ndpi_str, &a, detection_bitmask);\n\n /* ARMAGETRON */\n init_armagetron_dissector(ndpi_str, &a, detection_bitmask);\n\n /* DROPBOX */\n init_dropbox_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SPOTIFY */\n init_spotify_dissector(ndpi_str, &a, 
detection_bitmask);\n\n /* RADIUS */\n init_radius_dissector(ndpi_str, &a, detection_bitmask);\n\n /* CITRIX */\n init_citrix_dissector(ndpi_str, &a, detection_bitmask);\n\n /* LOTUS_NOTES */\n init_lotus_notes_dissector(ndpi_str, &a, detection_bitmask);\n\n /* GTP */\n init_gtp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* DCERPC */\n init_dcerpc_dissector(ndpi_str, &a, detection_bitmask);\n\n /* NETFLOW */\n init_netflow_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SFLOW */\n init_sflow_dissector(ndpi_str, &a, detection_bitmask);\n\n /* H323 */\n init_h323_dissector(ndpi_str, &a, detection_bitmask);\n\n /* OPENVPN */\n init_openvpn_dissector(ndpi_str, &a, detection_bitmask);\n\n /* NOE */\n init_noe_dissector(ndpi_str, &a, detection_bitmask);\n\n /* CISCOVPN */\n init_ciscovpn_dissector(ndpi_str, &a, detection_bitmask);\n\n /* TEAMSPEAK */\n init_teamspeak_dissector(ndpi_str, &a, detection_bitmask);\n\n /* TOR */\n init_tor_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SKINNY */\n init_skinny_dissector(ndpi_str, &a, detection_bitmask);\n\n /* RTCP */\n init_rtcp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* RSYNC */\n init_rsync_dissector(ndpi_str, &a, detection_bitmask);\n\n /* WHOIS_DAS */\n init_whois_das_dissector(ndpi_str, &a, detection_bitmask);\n\n /* ORACLE */\n init_oracle_dissector(ndpi_str, &a, detection_bitmask);\n\n /* CORBA */\n init_corba_dissector(ndpi_str, &a, detection_bitmask);\n\n /* RTMP */\n init_rtmp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* FTP_CONTROL */\n init_ftp_control_dissector(ndpi_str, &a, detection_bitmask);\n\n /* FTP_DATA */\n init_ftp_data_dissector(ndpi_str, &a, detection_bitmask);\n\n /* PANDO */\n init_pando_dissector(ndpi_str, &a, detection_bitmask);\n\n /* MEGACO */\n init_megaco_dissector(ndpi_str, &a, detection_bitmask);\n\n /* REDIS */\n init_redis_dissector(ndpi_str, &a, detection_bitmask);\n\n /* UPnP */\n init_upnp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* VHUA */\n 
init_vhua_dissector(ndpi_str, &a, detection_bitmask);\n\n /* ZMQ */\n init_zmq_dissector(ndpi_str, &a, detection_bitmask);\n\n /* TELEGRAM */\n init_telegram_dissector(ndpi_str, &a, detection_bitmask);\n\n /* QUIC */\n init_quic_dissector(ndpi_str, &a, detection_bitmask);\n\n /* DIAMETER */\n init_diameter_dissector(ndpi_str, &a, detection_bitmask);\n\n /* APPLE_PUSH */\n init_apple_push_dissector(ndpi_str, &a, detection_bitmask);\n\n /* EAQ */\n init_eaq_dissector(ndpi_str, &a, detection_bitmask);\n\n /* KAKAOTALK_VOICE */\n init_kakaotalk_voice_dissector(ndpi_str, &a, detection_bitmask);\n\n /* MPEGTS */\n init_mpegts_dissector(ndpi_str, &a, detection_bitmask);\n\n /* UBNTAC2 */\n init_ubntac2_dissector(ndpi_str, &a, detection_bitmask);\n\n /* COAP */\n init_coap_dissector(ndpi_str, &a, detection_bitmask);\n\n /* MQTT */\n init_mqtt_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SOME/IP */\n init_someip_dissector(ndpi_str, &a, detection_bitmask);\n\n /* RX */\n init_rx_dissector(ndpi_str, &a, detection_bitmask);\n\n /* GIT */\n init_git_dissector(ndpi_str, &a, detection_bitmask);\n\n /* HANGOUT */\n init_hangout_dissector(ndpi_str, &a, detection_bitmask);\n\n /* DRDA */\n init_drda_dissector(ndpi_str, &a, detection_bitmask);\n\n /* BJNP */\n init_bjnp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SMPP */\n init_smpp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* TINC */\n init_tinc_dissector(ndpi_str, &a, detection_bitmask);\n\n /* FIX */\n init_fix_dissector(ndpi_str, &a, detection_bitmask);\n\n /* NINTENDO */\n init_nintendo_dissector(ndpi_str, &a, detection_bitmask);\n\n /* MODBUS */\n init_modbus_dissector(ndpi_str, &a, detection_bitmask);\n\n /* CAPWAP */\n init_capwap_dissector(ndpi_str, &a, detection_bitmask);\n\n /* ZABBIX */\n init_zabbix_dissector(ndpi_str, &a, detection_bitmask);\n\n /*** Put false-positive sensitive protocols at the end ***/\n\n /* VIBER */\n init_viber_dissector(ndpi_str, &a, detection_bitmask);\n\n /* SKYPE */\n 
init_skype_dissector(ndpi_str, &a, detection_bitmask);\n\n /* BITTORRENT */\n init_bittorrent_dissector(ndpi_str, &a, detection_bitmask);\n\n /* WHATSAPP */\n init_whatsapp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* OOKLA */\n init_ookla_dissector(ndpi_str, &a, detection_bitmask);\n\n /* AMQP */\n init_amqp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* CSGO */\n init_csgo_dissector(ndpi_str, &a, detection_bitmask);\n\n /* LISP */\n init_lisp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* AJP */\n init_ajp_dissector(ndpi_str, &a, detection_bitmask);\n\n /* Memcached */\n init_memcached_dissector(ndpi_str, &a, detection_bitmask);\n\n /* Nest Log Sink */\n init_nest_log_sink_dissector(ndpi_str, &a, detection_bitmask);\n\n /* WireGuard VPN */\n init_wireguard_dissector(ndpi_str, &a, detection_bitmask);\n\n /* Amazon_Video */\n init_amazon_video_dissector(ndpi_str, &a, detection_bitmask);\n\n /* Targus Getdata */\n init_targus_getdata_dissector(ndpi_str, &a, detection_bitmask);\n\n /* S7 comm */\n init_s7comm_dissector(ndpi_str, &a, detection_bitmask);\n\n /* IEC 60870-5-104 */\n init_104_dissector(ndpi_str, &a, detection_bitmask);\n\n /* WEBSOCKET */\n init_websocket_dissector(ndpi_str, &a, detection_bitmask);\n\n#ifdef CUSTOM_NDPI_PROTOCOLS\n#include \"../../../nDPI-custom/custom_ndpi_main_init.c\"\n#endif\n\n /* ----------------------------------------------------------------- */\n\n ndpi_str->callback_buffer_size = a;\n\n NDPI_LOG_DBG2(ndpi_str, \"callback_buffer_size is %u\\n\", ndpi_str->callback_buffer_size);\n\n /* now build the specific buffer for tcp, udp and non_tcp_udp */\n ndpi_str->callback_buffer_size_tcp_payload = 0;\n ndpi_str->callback_buffer_size_tcp_no_payload = 0;\n for (a = 0; a < ndpi_str->callback_buffer_size; a++) {\n if((ndpi_str->callback_buffer[a].ndpi_selection_bitmask &\n\t(NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP |\n\t NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC)) != 0) 
{\n if(_ndpi_debug_callbacks)\n\tNDPI_LOG_DBG2(ndpi_str, \"callback_buffer_tcp_payload, adding buffer %u as entry %u\\n\", a,\n\t\t ndpi_str->callback_buffer_size_tcp_payload);\n\n memcpy(&ndpi_str->callback_buffer_tcp_payload[ndpi_str->callback_buffer_size_tcp_payload],\n\t &ndpi_str->callback_buffer[a], sizeof(struct ndpi_call_function_struct));\n ndpi_str->callback_buffer_size_tcp_payload++;\n\n if((ndpi_str->callback_buffer[a].ndpi_selection_bitmask & NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) ==\n\t 0) {\n\tif(_ndpi_debug_callbacks)\n\t NDPI_LOG_DBG2(\n ndpi_str,\n \"\\tcallback_buffer_tcp_no_payload, additional adding buffer %u to no_payload process\\n\", a);\n\n\tmemcpy(&ndpi_str->callback_buffer_tcp_no_payload[ndpi_str->callback_buffer_size_tcp_no_payload],\n\t &ndpi_str->callback_buffer[a], sizeof(struct ndpi_call_function_struct));\n\tndpi_str->callback_buffer_size_tcp_no_payload++;\n }\n }\n }\n\n ndpi_str->callback_buffer_size_udp = 0;\n for (a = 0; a < ndpi_str->callback_buffer_size; a++) {\n if((ndpi_str->callback_buffer[a].ndpi_selection_bitmask &\n\t(NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP |\n\t NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC)) != 0) {\n if(_ndpi_debug_callbacks)\n\tNDPI_LOG_DBG2(ndpi_str, \"callback_buffer_size_udp: adding buffer : %u as entry %u\\n\", a,\n\t\t ndpi_str->callback_buffer_size_udp);\n\n memcpy(&ndpi_str->callback_buffer_udp[ndpi_str->callback_buffer_size_udp], &ndpi_str->callback_buffer[a],\n\t sizeof(struct ndpi_call_function_struct));\n ndpi_str->callback_buffer_size_udp++;\n }\n }\n\n ndpi_str->callback_buffer_size_non_tcp_udp = 0;\n for (a = 0; a < ndpi_str->callback_buffer_size; a++) {\n if((ndpi_str->callback_buffer[a].ndpi_selection_bitmask &\n\t(NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP |\n\t NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP)) == 0 ||\n (ndpi_str->callback_buffer[a].ndpi_selection_bitmask & 
NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC) !=\n 0) {\n if(_ndpi_debug_callbacks)\n\tNDPI_LOG_DBG2(ndpi_str, \"callback_buffer_non_tcp_udp: adding buffer : %u as entry %u\\n\", a,\n\t\t ndpi_str->callback_buffer_size_non_tcp_udp);\n\n memcpy(&ndpi_str->callback_buffer_non_tcp_udp[ndpi_str->callback_buffer_size_non_tcp_udp],\n\t &ndpi_str->callback_buffer[a], sizeof(struct ndpi_call_function_struct));\n ndpi_str->callback_buffer_size_non_tcp_udp++;\n }\n }\n}", "project": "nDPI", "hash": 261150802988930778439635816516446799530, "size": 553, "commit_id": "6a9f5e4f7c3fd5ddab3e6727b071904d76773952", "message": "Fixed use after free caused by dangling pointer\n\n * This fix also improved RCE Injection detection\n\nSigned-off-by: Toni Uhlig ", "target": 0, "dataset": "other", "idx": 263375 }, { "func": "void PCRECache::clearStatic() {\n std::unique_lock lock(m_clearMutex, std::try_to_lock);\n if (!lock) return;\n\n auto newExpire = time(nullptr) + RuntimeOption::EvalPCREExpireInterval;\n m_expire.store(newExpire, std::memory_order_relaxed);\n\n auto tmpMap = CreateStatic();\n tmpMap = m_staticCache.exchange(tmpMap, std::memory_order_acq_rel);\n\n Treadmill::enqueue([tmpMap]() {\n DestroyStatic(tmpMap);\n });\n}", "project": "hhvm", "hash": 90743704851428270491332912936580293231, "size": 14, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219161 }, { "func": "static struct uvc_entity *uvc_entity_by_reference(struct uvc_device *dev,\n\tint id, struct uvc_entity *entity)\n{\n\tunsigned int i;\n\n\tif (entity == NULL)\n\t\tentity = list_entry(&dev->entities, struct uvc_entity, list);\n\n\tlist_for_each_entry_continue(entity, &dev->entities, list) {\n\t\tfor (i = 0; i < entity->bNrInPins; ++i)\n\t\t\tif (entity->baSourceID[i] == id)\n\t\t\t\treturn entity;\n\t}\n\n\treturn NULL;\n}", "project": "linux", "hash": 
194070061358313123136025621743133105934, "size": 16, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n 
ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409215 }, { "func": "int bcf_hdr_printf(bcf_hdr_t *hdr, const char *fmt, ...)\n{\n char tmp[256], *line = tmp;\n va_list ap;\n va_start(ap, fmt);\n int n = vsnprintf(line, sizeof(tmp), fmt, ap);\n va_end(ap);\n\n if (n >= sizeof(tmp)) {\n n++; // For trailing NUL\n line = (char*)malloc(n);\n if (!line)\n return -1;\n\n va_start(ap, fmt);\n vsnprintf(line, n, fmt, ap);\n va_end(ap);\n }\n\n int ret = bcf_hdr_append(hdr, line);\n\n if (line != tmp) free(line);\n return ret;\n}", "project": "htslib", "hash": 49849869117012754318638273876160483590, "size": 
24, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402195 }, { "func": "static rsRetVal qDelDirect(qqueue_t __attribute__((unused)) *pThis)\n{\n\treturn RS_RET_OK;\n}", "project": "rsyslog", "hash": 4572666150150072743687197461247580535, "size": 4, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373755 }, { "func": "static void SFDGetGasp(FILE *sfd,SplineFont *sf) {\n int i;\n\n getsint(sfd,(int16 *) &sf->gasp_cnt);\n sf->gasp = malloc(sf->gasp_cnt*sizeof(struct gasp));\n for ( i=0; igasp_cnt; ++i ) {\n\tgetsint(sfd,(int16 *) &sf->gasp[i].ppem);\n\tgetsint(sfd,(int16 *) &sf->gasp[i].flags);\n }\n getsint(sfd,(int16 *) &sf->gasp_version);\n}", "project": "fontforge", "hash": 323285546317596376962687739623472119014, "size": 11, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417817 }, { "func": "static void intsetRepr(intset *is) {\n for (uint32_t i = 0; i < intrev32ifbe(is->length); i++) {\n printf(\"%lld\\n\", 
(uint64_t)_intsetGet(is,i));\n }\n printf(\"\\n\");\n}", "project": "redis", "hash": 338653571298637988491111079915218415132, "size": 6, "commit_id": "789f10156009b404950ad717642a9496ed887083", "message": "Fix integer overflow in intset (CVE-2021-29478)\n\nAn integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and\npotentially result with remote code execution.\n\nThe vulnerability involves changing the default set-max-intset-entries\nconfiguration value, creating a large set key that consists of integer values\nand using the COPY command to duplicate it.\n\nThe integer overflow bug exists in all versions of Redis starting with 2.6,\nwhere it could result with a corrupted RDB or DUMP payload, but not exploited\nthrough COPY (which did not exist before 6.2).\n\n(cherry picked from commit 29900d4e6bccdf3691bedf0ea9a5d84863fa3592)", "target": 0, "dataset": "other", "idx": 290634 }, { "func": "static void ptrace_trap_notify(struct task_struct *t)\n{\n\tWARN_ON_ONCE(!(t->ptrace & PT_SEIZED));\n\tassert_spin_locked(&t->sighand->siglock);\n\n\ttask_set_jobctl_pending(t, JOBCTL_TRAP_NOTIFY);\n\tptrace_signal_wake_up(t, t->jobctl & JOBCTL_LISTENING);\n}", "project": "linux", "hash": 80661436259156583176587165528870492057, "size": 8, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375246 }, { "func": "void CSnapIDPool::TimeoutIDs()\n{\n\t// process timed ids\n\twhile(m_FirstTimed != -1)\n\t\tRemoveFirstTimeout();\n}", "project": "teeworlds", "hash": 32853513939754507539403924063448611103, "size": 6, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382028 }, { "func": "static int pfkey_can_dump(const struct sock *sk)\n{\n\tif (3 * atomic_read(&sk->sk_rmem_alloc) <= 2 * sk->sk_rcvbuf)\n\t\treturn 1;\n\treturn 0;\n}", "project": "linux", "hash": 308312997818549214358237347620786355959, "size": 6, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 
2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268056 }, { "func": "\t}\n}\n\nvoid iscsi_conn_error_event(struct iscsi_cls_conn *conn, enum iscsi_err error)\n{\n\tstruct nlmsghdr\t*nlh;\n\tstruct sk_buff\t*skb;\n\tstruct iscsi_uevent *ev;\n\tstruct iscsi_internal *priv;\n\tint len = nlmsg_total_size(sizeof(*ev));\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&connlock, flags);\n\tlist_add(&conn->conn_list_err, &connlist_err);\n\tspin_unlock_irqrestore(&connlock, flags);\n\tqueue_work(system_unbound_wq, &stop_conn_work);\n\n\tpriv = iscsi_if_transport_lookup(conn->transport);\n\tif (!priv)\n\t\treturn;\n\n\tskb = alloc_skb(len, GFP_ATOMIC);\n\tif (!skb) {\n\t\tiscsi_cls_conn_printk(KERN_ERR, conn, \"gracefully ignored \"\n\t\t\t\t \"conn error (%d)\\n\", error);\n\t\treturn;\n\t}\n\n\tnlh = __nlmsg_put(skb, 0, 0, 0, (len - sizeof(*nlh)), 0);\n\tev = nlmsg_data(nlh);\n\tev->transport_handle = iscsi_handle(conn->transport);\n\tev->type = ISCSI_KEVENT_CONN_ERROR;\n\tev->r.connerror.error = error;\n\tev->r.connerror.cid = conn->cid;\n\tev->r.connerror.sid = iscsi_conn_get_sid(conn);\n\n\tiscsi_multicast_skb(skb, ISCSI_NL_GRP_ISCSID, GFP_ATOMIC);\n", "project": "linux", "hash": 48005715943374134974071357075705604887, "size": 38, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in 
memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379934 }, { "func": "static void update_const_equal_items(THD *thd, COND *cond, JOIN_TAB *tab,\n bool const_key)\n{\n if (!(cond->used_tables() & tab->table->map))\n return;\n\n if (cond->type() == Item::COND_ITEM)\n {\n List *cond_list= ((Item_cond*) cond)->argument_list(); \n List_iterator_fast li(*cond_list);\n Item *item;\n while ((item= li++))\n update_const_equal_items(thd, item, tab,\n (((Item_cond*) cond)->top_level() &&\n ((Item_cond*) cond)->functype() ==\n Item_func::COND_AND_FUNC));\n }\n else if (cond->type() == Item::FUNC_ITEM && \n ((Item_cond*) cond)->functype() == Item_func::MULT_EQUAL_FUNC)\n {\n Item_equal *item_equal= (Item_equal *) cond;\n bool contained_const= item_equal->get_const() != NULL;\n item_equal->update_const(thd);\n if (!contained_const && item_equal->get_const())\n {\n /* Update keys for range analysis */\n Item_equal_fields_iterator it(*item_equal);\n while (it++)\n {\n Field *field= it.get_curr_field();\n JOIN_TAB *stat= field->table->reginfo.join_tab;\n key_map possible_keys= field->key_start;\n possible_keys.intersect(field->table->keys_in_use_for_query);\n stat[0].const_keys.merge(possible_keys);\n\n /*\n For each field in the multiple equality (for which we know that it \n is a constant) we have to find its corresponding key part, and set \n that key part in const_key_parts.\n */ \n if (!possible_keys.is_clear_all())\n {\n TABLE *field_tab= field->table;\n KEYUSE *use;\n for (use= stat->keyuse; use && use->table == field_tab; use++)\n if (const_key &&\n !use->is_for_hash_join() && possible_keys.is_set(use->key) && \n field_tab->key_info[use->key].key_part[use->keypart].field ==\n field)\n field_tab->const_key_parts[use->key]|= use->keypart_map;\n }\n }\n }\n }\n}", "target": 0, "cwe": [], "project": 
"server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 226437133096455676357913185366021786493, "size": 55, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508555 }, { "func": "bool lua_text_pattern::valid() const\n{\n return translated? 
isvalid : translate();\n}", "project": "crawl", "hash": 129737191060945739153017554090612121210, "size": 4, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230525 }, { "func": "UnicodeStringTest::TestMoveSwap() {\n static const UChar abc[3] = { 0x61, 0x62, 0x63 }; // \"abc\"\n UnicodeString s1(FALSE, abc, UPRV_LENGTHOF(abc)); // read-only alias\n UnicodeString s2(100, 0x7a, 100); // 100 * 'z' should be on the heap\n UnicodeString s3(\"defg\", 4, US_INV); // in stack buffer\n const UChar *p = s2.getBuffer();\n s1.swap(s2);\n if(s1.getBuffer() != p || s1.length() != 100 || s2.getBuffer() != abc || s2.length() != 3) {\n errln(\"UnicodeString.swap() did not swap\");\n }\n swap(s2, s3);\n if(s2 != UNICODE_STRING_SIMPLE(\"defg\") || s3.getBuffer() != abc || s3.length() != 3) {\n errln(\"swap(UnicodeString) did not swap back\");\n }\n UnicodeString s4;\n s4 = std::move(s1);\n if(s4.getBuffer() != p || s4.length() != 100 || !s1.isBogus()) {\n errln(\"UnicodeString = std::move(heap) did not move\");\n }\n UnicodeString s5;\n s5 = std::move(s2);\n if(s5 != UNICODE_STRING_SIMPLE(\"defg\")) {\n errln(\"UnicodeString = std::move(stack) did not move\");\n }\n UnicodeString s6;\n s6 = std::move(s3);\n if(s6.getBuffer() != abc || s6.length() != 3) {\n errln(\"UnicodeString = std::move(alias) did not move\");\n }\n infoln(\"TestMoveSwap() with rvalue references\");\n s1 = static_cast(s6);\n if(s1.getBuffer() != abc || s1.length() != 3) {\n errln(\"UnicodeString move assignment operator did not move\");\n }\n UnicodeString s7(static_cast(s4));\n if(s7.getBuffer() != p || s7.length() != 100 || !s4.isBogus()) {\n errln(\"UnicodeString move constructor did not move\");\n }\n\n // Move self assignment leaves the object valid but in an undefined state.\n // Do it to make sure there is no crash,\n // but do not check for any particular resulting value.\n moveFrom(s1, s1);\n moveFrom(s2, s2);\n 
moveFrom(s3, s3);\n moveFrom(s4, s4);\n moveFrom(s5, s5);\n moveFrom(s6, s6);\n moveFrom(s7, s7);\n // Simple copy assignment must work.\n UnicodeString simple = UNICODE_STRING_SIMPLE(\"simple\");\n s1 = s6 = s4 = s7 = simple;\n if(s1 != simple || s4 != simple || s6 != simple || s7 != simple) {\n errln(\"UnicodeString copy after self-move did not work\");\n }\n}", "project": "icu", "hash": 167975243722866015763293897367678016324, "size": 56, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430725 }, { "func": "static OPJ_BOOL opj_tcd_t1_encode(opj_tcd_t *p_tcd)\n{\n const OPJ_FLOAT64 * l_mct_norms;\n OPJ_UINT32 l_mct_numcomps = 0U;\n opj_tcp_t * l_tcp = p_tcd->tcp;\n\n if (l_tcp->mct == 1) {\n l_mct_numcomps = 3U;\n /* irreversible encoding */\n if (l_tcp->tccps->qmfbid == 0) {\n l_mct_norms = opj_mct_get_mct_norms_real();\n } else {\n l_mct_norms = opj_mct_get_mct_norms();\n }\n } else {\n l_mct_numcomps = p_tcd->image->numcomps;\n l_mct_norms = (const OPJ_FLOAT64 *)(l_tcp->mct_norms);\n }\n\n return opj_t1_encode_cblks(p_tcd,\n p_tcd->tcd_image->tiles, l_tcp, l_mct_norms,\n l_mct_numcomps);\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 194928259849086105141197458867637338635, "size": 25, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359165 }, { "func": "static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)\n{\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status) {\n\t\thci_conn_check_pending(hdev);\n\t\treturn;\n\t}\n\n\tset_bit(HCI_INQUIRY, &hdev->flags);\n}", "project": "linux", "hash": 269336665408160332088889832033008596051, "size": 11, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in 
hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432024 }, { "func": "static void enable_irq_window(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\t/*\n\t * In case GIF=0 we can't rely on the CPU to tell us when GIF becomes\n\t * 1, because that's a separate STGI/VMRUN intercept. The next time we\n\t * get that intercept, this function will be called again though and\n\t * we'll get the vintr intercept. However, if the vGIF feature is\n\t * enabled, the STGI interception will not occur. Enable the irq\n\t * window under the assumption that the hardware will set the GIF.\n\t */\n\tif ((vgif_enabled(svm) || gif_set(svm)) && nested_svm_intr(svm)) {\n\t\t/*\n\t\t * IRQ window is not needed when AVIC is enabled,\n\t\t * unless we have pending ExtINT since it cannot be injected\n\t\t * via AVIC. In such case, we need to temporarily disable AVIC,\n\t\t * and fallback to injecting IRQ via V_IRQ.\n\t\t */\n\t\tsvm_toggle_avic_for_irq_window(vcpu, false);\n\t\tsvm_set_vintr(svm);\n\t\tsvm_inject_irq(svm, 0x0);\n\t}\n}", "project": "linux", "hash": 118775785978941797125518989066920522019, "size": 24, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432613 }, { "func": "static void enable_irq_window(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\t/*\n\t * In case GIF=0 we can't rely on the CPU to tell us when GIF becomes\n\t * 1, because that's a separate STGI/VMRUN intercept. The next time we\n\t * get that intercept, this function will be called again though and\n\t * we'll get the vintr intercept.\n\t */\n\tif (gif_set(svm) && nested_svm_intr(svm)) {\n\t\tsvm_set_vintr(svm);\n\t\tsvm_inject_irq(svm, 0x0);\n\t}\n}", "project": "kvm", "hash": 11752108102315955649646163552774083860, "size": 15, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437623 }, { "func": "void mark_wrapper(int x1, int y1, int x2, int y2) {\n\tint t, r_x1 = x1, r_y1 = y1, r_x2 = x2, r_y2 = y2;\n\n\tif (rotating) {\n\t\t/* well we hope rot_fb will always be the last one... 
*/\n\t\trotate_coords(x1, y1, &r_x1, &r_y1, -1, -1);\n\t\trotate_coords(x2, y2, &r_x2, &r_y2, -1, -1);\n\t\trotate_fb(x1, y1, x2, y2);\n\t\tif (r_x1 > r_x2) {\n\t\t\tt = r_x1;\n\t\t\tr_x1 = r_x2;\n\t\t\tr_x2 = t;\n\t\t}\n\t\tif (r_y1 > r_y2) {\n\t\t\tt = r_y1;\n\t\t\tr_y1 = r_y2;\n\t\t\tr_y2 = t;\n\t\t}\n\t\t/* painting errors */\n\t\tr_x1--;\n\t\tr_x2++;\n\t\tr_y1--;\n\t\tr_y2++;\n\t}\n\trfbMarkRectAsModified(screen, r_x1, r_y1, r_x2, r_y2);\n}", "project": "x11vnc", "hash": 233015971173096397153185913845174781676, "size": 26, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360789 }, { "func": "void luaE_freethread (lua_State *L, lua_State *L1) {\n LX *l = fromstate(L1);\n luaF_close(L1, L1->stack, NOCLOSINGMETH); /* close all upvalues */\n lua_assert(L1->openupval == NULL);\n luai_userstatefree(L, L1);\n freestack(L1);\n luaM_free(L, l);\n}", "project": "lua", "hash": 310776607161124172744651824872207821616, "size": 8, "commit_id": "a2195644d89812e5b157ce7bac35543e06db05e3", "message": "Fixed bug: invalid 'oldpc' when returning to a function\n\nThe field 'L->oldpc' is not always updated when control returns to a\nfunction; an invalid value can seg. fault when computing 'changedline'.\n(One example is an error in a finalizer; control can return to\n'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to\nfix all possible corner cases, it seems safer to be resilient to invalid\nvalues for 'oldpc'. 
Valid but wrong values at most cause an extra call\nto a line hook.", "target": 0, "dataset": "other", "idx": 462775 }, { "func": "static noinline void preempt_reset(struct intel_engine_cs *engine)\n{\n\tconst unsigned int bit = I915_RESET_ENGINE + engine->id;\n\tunsigned long *lock = &engine->gt->reset.flags;\n\n\tif (i915_modparams.reset < 3)\n\t\treturn;\n\n\tif (test_and_set_bit(bit, lock))\n\t\treturn;\n\n\t/* Mark this tasklet as disabled to avoid waiting for it to complete */\n\ttasklet_disable_nosync(&engine->execlists.tasklet);\n\n\tGEM_TRACE(\"%s: preempt timeout %lu+%ums\\n\",\n\t\t engine->name,\n\t\t READ_ONCE(engine->props.preempt_timeout_ms),\n\t\t jiffies_to_msecs(jiffies - engine->execlists.preempt.expires));\n\tintel_engine_reset(engine, \"preemption time out\");\n\n\ttasklet_enable(&engine->execlists.tasklet);\n\tclear_and_wake_up_bit(bit, lock);\n}", "project": "linux", "hash": 200386132518760927540017778899590314321, "size": 23, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281507 }, { "func": "DLLEXPORT int DLLCALL tjDecompressHeader3(tjhandle handle,\n\tconst unsigned char *jpegBuf, unsigned long jpegSize, int *width,\n\tint *height, int *jpegSubsamp, int *jpegColorspace)\n{\n\tint retval=0;\n\n\tgetdinstance(handle);\n\tif((this->init&DECOMPRESS)==0)\n\t\t_throw(\"tjDecompressHeader3(): Instance has not been initialized for decompression\");\n\n\tif(jpegBuf==NULL || jpegSize<=0 || width==NULL || height==NULL\n\t\t|| jpegSubsamp==NULL || jpegColorspace==NULL)\n\t\t_throw(\"tjDecompressHeader3(): Invalid argument\");\n\n\tif(setjmp(this->jerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. 
*/\n\t\treturn -1;\n\t}\n\n\tjpeg_mem_src_tj(dinfo, jpegBuf, jpegSize);\n\tjpeg_read_header(dinfo, TRUE);\n\n\t*width=dinfo->image_width;\n\t*height=dinfo->image_height;\n\t*jpegSubsamp=getSubsamp(dinfo);\n\tswitch(dinfo->jpeg_color_space)\n\t{\n\t\tcase JCS_GRAYSCALE: *jpegColorspace=TJCS_GRAY; break;\n\t\tcase JCS_RGB: *jpegColorspace=TJCS_RGB; break;\n\t\tcase JCS_YCbCr: *jpegColorspace=TJCS_YCbCr; break;\n\t\tcase JCS_CMYK: *jpegColorspace=TJCS_CMYK; break;\n\t\tcase JCS_YCCK: *jpegColorspace=TJCS_YCCK; break;\n\t\tdefault: *jpegColorspace=-1; break;\n\t}\n\n\tjpeg_abort_decompress(dinfo);\n\n\tif(*jpegSubsamp<0)\n\t\t_throw(\"tjDecompressHeader3(): Could not determine subsampling type for JPEG image\");\n\tif(*jpegColorspace<0)\n\t\t_throw(\"tjDecompressHeader3(): Could not determine colorspace of JPEG image\");\n\tif(*width<1 || *height<1)\n\t\t_throw(\"tjDecompressHeader3(): Invalid data returned in header\");\n\n\tbailout:\n\tif(this->jerr.warning) retval=-1;\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 198993376397015787024923815619418651477, "size": 49, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... 
when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311107 }, { "func": "static void ov519_set_mode(struct sd *sd)\n{\n\tstatic const struct ov_regvals bridge_ov7660[2][10] = {\n\t\t{{0x10, 0x14}, {0x11, 0x1e}, {0x12, 0x00}, {0x13, 0x00},\n\t\t {0x14, 0x00}, {0x15, 0x00}, {0x16, 0x00}, {0x20, 0x0c},\n\t\t {0x25, 0x01}, {0x26, 0x00}},\n\t\t{{0x10, 0x28}, {0x11, 0x3c}, {0x12, 0x00}, {0x13, 0x00},\n\t\t {0x14, 0x00}, {0x15, 0x00}, {0x16, 0x00}, {0x20, 0x0c},\n\t\t {0x25, 0x03}, {0x26, 0x00}}\n\t};\n\tstatic const struct ov_i2c_regvals sensor_ov7660[2][3] = {\n\t\t{{0x12, 0x00}, {0x24, 0x00}, {0x0c, 0x0c}},\n\t\t{{0x12, 0x00}, {0x04, 0x00}, {0x0c, 0x00}}\n\t};\n\tstatic const struct ov_i2c_regvals sensor_ov7660_2[] = {\n\t\t{OV7670_R17_HSTART, 0x13},\n\t\t{OV7670_R18_HSTOP, 0x01},\n\t\t{OV7670_R32_HREF, 0x92},\n\t\t{OV7670_R19_VSTART, 0x02},\n\t\t{OV7670_R1A_VSTOP, 0x7a},\n\t\t{OV7670_R03_VREF, 0x00},\n/*\t\t{0x33, 0x00}, */\n/*\t\t{0x34, 0x07}, */\n/*\t\t{0x36, 0x00}, */\n/*\t\t{0x6b, 0x0a}, */\n\t};\n\n\twrite_regvals(sd, bridge_ov7660[sd->gspca_dev.curr_mode],\n\t\t\tARRAY_SIZE(bridge_ov7660[0]));\n\twrite_i2c_regvals(sd, sensor_ov7660[sd->gspca_dev.curr_mode],\n\t\t\tARRAY_SIZE(sensor_ov7660[0]));\n\twrite_i2c_regvals(sd, sensor_ov7660_2,\n\t\t\tARRAY_SIZE(sensor_ov7660_2));\n}", "project": "linux", "hash": 33028830110898196615728359302349293986, "size": 34, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 
(\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306325 }, { "func": "static void hci_cc_read_local_ext_features(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_read_local_ext_features *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tif (hdev->max_page < rp->max_page)\n\t\thdev->max_page = rp->max_page;\n\n\tif (rp->page < HCI_MAX_PAGES)\n\t\tmemcpy(hdev->features[rp->page], rp->features, 8);\n}", "project": "linux", "hash": 43485310369722391457975104835546051662, "size": 16, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432026 }, { "func": "static void nfs4_return_incompatible_delegation(struct inode *inode, fmode_t fmode)\n{\n\tstruct nfs_delegation *delegation;\n\n\tfmode &= FMODE_READ|FMODE_WRITE;\n\trcu_read_lock();\n\tdelegation = nfs4_get_valid_delegation(inode);\n\tif (delegation == NULL || (delegation->type & fmode) == fmode) {\n\t\trcu_read_unlock();\n\t\treturn;\n\t}\n\trcu_read_unlock();\n\tnfs4_inode_return_delegation(inode);\n}", "project": "linux", "hash": 153397932870203717807998451827598200510, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431222 }, { "func": "static bool checkreturn pb_dec_bool(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n uint32_t value;\n PB_UNUSED(field);\n if (!pb_decode_varint32(stream, &value))\n return false;\n\n *(bool*)dest = (value != 0);\n return true;\n}", "project": "nanopb", "hash": 280068867351053397111892897157713930684, "size": 10, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252521 }, { "func": "PrimitiveStatus TrustedPrimitives::UntrustedCall(uint64_t untrusted_selector,\n 
MessageWriter *input,\n MessageReader *output) {\n int ret;\n\n UntrustedCacheMalloc *untrusted_cache = UntrustedCacheMalloc::Instance();\n\n SgxParams *const sgx_params =\n reinterpret_cast(untrusted_cache->Malloc(sizeof(SgxParams)));\n if (!TrustedPrimitives::IsOutsideEnclave(sgx_params, sizeof(SgxParams))) {\n TrustedPrimitives::BestEffortAbort(\n \"UntrustedCall: sgx_param should be in untrusted memory\");\n }\n Cleanup clean_up(\n [sgx_params, untrusted_cache] { untrusted_cache->Free(sgx_params); });\n sgx_params->input_size = 0;\n sgx_params->input = nullptr;\n if (input) {\n sgx_params->input_size = input->MessageSize();\n if (sgx_params->input_size > 0) {\n // Allocate and copy data to |input_buffer|.\n sgx_params->input = untrusted_cache->Malloc(sgx_params->input_size);\n const void *input_pointer = sgx_params->input;\n uint64_t input_size = sgx_params->input_size;\n if (!TrustedPrimitives::IsOutsideEnclave(input_pointer, input_size)) {\n TrustedPrimitives::BestEffortAbort(\n \"UntrustedCall: sgx_param input should be in untrusted memory\");\n }\n input->Serialize(const_cast(input_pointer));\n }\n }\n sgx_params->output_size = 0;\n sgx_params->output = nullptr;\n CHECK_OCALL(\n ocall_dispatch_untrusted_call(&ret, untrusted_selector, sgx_params));\n if (sgx_params->input) {\n untrusted_cache->Free(const_cast(sgx_params->input));\n }\n if (!TrustedPrimitives::IsOutsideEnclave(sgx_params->output,\n sgx_params->output_size)) {\n TrustedPrimitives::BestEffortAbort(\n \"UntrustedCall: sgx_param output should be in untrusted memory\");\n }\n if (sgx_params->output) {\n // For the results obtained in |output_buffer|, copy them to |output|\n // before freeing the buffer.\n output->Deserialize(sgx_params->output, sgx_params->output_size);\n TrustedPrimitives::UntrustedLocalFree(sgx_params->output);\n }\n return PrimitiveStatus::OkStatus();\n}", "project": "asylo", "hash": 257682981429665497503990072998187396956, "size": 51, "commit_id": 
"53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 1, "dataset": "other", "idx": 195725 }, { "func": "PrimitiveStatus TrustedPrimitives::UntrustedCall(uint64_t untrusted_selector,\n MessageWriter *input,\n MessageReader *output) {\n int ret;\n\n UntrustedCacheMalloc *untrusted_cache = UntrustedCacheMalloc::Instance();\n\n SgxParams *const sgx_params =\n reinterpret_cast(untrusted_cache->Malloc(sizeof(SgxParams)));\n Cleanup clean_up(\n [sgx_params, untrusted_cache] { untrusted_cache->Free(sgx_params); });\n sgx_params->input_size = 0;\n sgx_params->input = nullptr;\n if (input) {\n sgx_params->input_size = input->MessageSize();\n if (sgx_params->input_size > 0) {\n // Allocate and copy data to |input_buffer|.\n sgx_params->input = untrusted_cache->Malloc(sgx_params->input_size);\n input->Serialize(const_cast(sgx_params->input));\n }\n }\n sgx_params->output_size = 0;\n sgx_params->output = nullptr;\n CHECK_OCALL(\n ocall_dispatch_untrusted_call(&ret, untrusted_selector, sgx_params));\n if (sgx_params->input) {\n untrusted_cache->Free(const_cast(sgx_params->input));\n }\n if (sgx_params->output) {\n // For the results obtained in |output_buffer|, copy them to |output|\n // before freeing the buffer.\n output->Deserialize(sgx_params->output, sgx_params->output_size);\n TrustedPrimitives::UntrustedLocalFree(sgx_params->output);\n }\n return PrimitiveStatus::OkStatus();\n}", "project": "asylo", "hash": 261964073185143736765939860190443192174, "size": 36, "commit_id": "83036fd841d33baa7e039f842d131aa7881fdcc2", "message": "Verify UntrustedCall output is outside enclave\n\nPiperOrigin-RevId: 333781703\nChange-Id: I9df55c04dc8b04f4bf0bda8e68cc32bca81b933a", "target": 1, "dataset": "other", "idx": 196831 }, { "func": 
"PrimitiveStatus TrustedPrimitives::UntrustedCall(uint64_t untrusted_selector,\n MessageWriter *input,\n MessageReader *output) {\n int ret;\n\n UntrustedCacheMalloc *untrusted_cache = UntrustedCacheMalloc::Instance();\n\n SgxParams *const sgx_params =\n reinterpret_cast(untrusted_cache->Malloc(sizeof(SgxParams)));\n if (!TrustedPrimitives::IsOutsideEnclave(sgx_params, sizeof(SgxParams))) {\n TrustedPrimitives::BestEffortAbort(\n \"UntrustedCall: sgx_param should be in untrusted memory\");\n }\n Cleanup clean_up(\n [sgx_params, untrusted_cache] { untrusted_cache->Free(sgx_params); });\n sgx_params->input_size = 0;\n sgx_params->input = nullptr;\n if (input) {\n sgx_params->input_size = input->MessageSize();\n if (sgx_params->input_size > 0) {\n // Allocate and copy data to |input_buffer|.\n sgx_params->input = untrusted_cache->Malloc(sgx_params->input_size);\n if (!TrustedPrimitives::IsOutsideEnclave(sgx_params->input,\n sgx_params->input_size)) {\n TrustedPrimitives::BestEffortAbort(\n \"UntrustedCall: sgx_param input should be in untrusted memory\");\n }\n input->Serialize(const_cast(sgx_params->input));\n }\n }\n sgx_params->output_size = 0;\n sgx_params->output = nullptr;\n CHECK_OCALL(\n ocall_dispatch_untrusted_call(&ret, untrusted_selector, sgx_params));\n if (sgx_params->input) {\n untrusted_cache->Free(const_cast(sgx_params->input));\n }\n if (!TrustedPrimitives::IsOutsideEnclave(sgx_params->output,\n sgx_params->output_size)) {\n TrustedPrimitives::BestEffortAbort(\n \"UntrustedCall: sgx_param output should be in untrusted memory\");\n }\n if (sgx_params->output) {\n // For the results obtained in |output_buffer|, copy them to |output|\n // before freeing the buffer.\n output->Deserialize(sgx_params->output, sgx_params->output_size);\n TrustedPrimitives::UntrustedLocalFree(sgx_params->output);\n }\n return PrimitiveStatus::OkStatus();\n}", "project": "asylo", "hash": 326601397101442661693510475405318810722, "size": 50, "commit_id": 
"ecfcd0008b6f8f63c6fa3cc1b62fcd4a52f2c0ad", "message": "Store untrusted input to enclave variable\n\nThe untrusted input pointer should be stored to trusted variable before\nchecking to avoid unexpected modifications after checking.\n\nPiperOrigin-RevId: 362553830\nChange-Id: I743f9bd3487de60269e247d74f2188f2ffc06d01", "target": 1, "dataset": "other", "idx": 197851 }, { "func": "PrimitiveStatus TrustedPrimitives::UntrustedCall(uint64_t untrusted_selector,\n MessageWriter *input,\n MessageReader *output) {\n int ret;\n\n UntrustedCacheMalloc *untrusted_cache = UntrustedCacheMalloc::Instance();\n\n SgxParams *const sgx_params =\n reinterpret_cast(untrusted_cache->Malloc(sizeof(SgxParams)));\n if (!TrustedPrimitives::IsOutsideEnclave(sgx_params, sizeof(SgxParams))) {\n TrustedPrimitives::BestEffortAbort(\n \"UntrustedCall: sgx_param should be in untrusted memory\");\n }\n Cleanup clean_up(\n [sgx_params, untrusted_cache] { untrusted_cache->Free(sgx_params); });\n sgx_params->input_size = 0;\n sgx_params->input = nullptr;\n if (input) {\n sgx_params->input_size = input->MessageSize();\n if (sgx_params->input_size > 0) {\n // Allocate and copy data to |input_buffer|.\n sgx_params->input = untrusted_cache->Malloc(sgx_params->input_size);\n const void *input_pointer = sgx_params->input;\n uint64_t input_size = sgx_params->input_size;\n if (!TrustedPrimitives::IsOutsideEnclave(input_pointer, input_size)) {\n TrustedPrimitives::BestEffortAbort(\n \"UntrustedCall: sgx_param input should be in untrusted memory\");\n }\n input->Serialize(const_cast(input_pointer));\n }\n }\n sgx_params->output_size = 0;\n sgx_params->output = nullptr;\n CHECK_OCALL(\n ocall_dispatch_untrusted_call(&ret, untrusted_selector, sgx_params));\n if (sgx_params->input) {\n untrusted_cache->Free(const_cast(sgx_params->input));\n }\n const void *output_pointer = sgx_params->output;\n uint64_t output_size = sgx_params->output_size;\n if (!TrustedPrimitives::IsOutsideEnclave(output_pointer, output_size)) 
{\n TrustedPrimitives::BestEffortAbort(\n \"UntrustedCall: sgx_param output should be in untrusted memory\");\n }\n if (sgx_params->output) {\n // For the results obtained in |output_buffer|, copy them to |output|\n // before freeing the buffer.\n output->Deserialize(output_pointer, output_size);\n TrustedPrimitives::UntrustedLocalFree(sgx_params->output);\n }\n return PrimitiveStatus::OkStatus();\n}", "project": "asylo", "hash": 20214115828053448204164555554097192268, "size": 52, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232064 }, { "func": "PrimitiveStatus TrustedPrimitives::UntrustedCall(uint64_t untrusted_selector,\n MessageWriter *input,\n MessageReader *output) {\n int ret;\n\n UntrustedCacheMalloc *untrusted_cache = UntrustedCacheMalloc::Instance();\n\n SgxParams *const sgx_params =\n reinterpret_cast(untrusted_cache->Malloc(sizeof(SgxParams)));\n Cleanup clean_up(\n [sgx_params, untrusted_cache] { untrusted_cache->Free(sgx_params); });\n sgx_params->input_size = 0;\n sgx_params->input = nullptr;\n if (input) {\n sgx_params->input_size = input->MessageSize();\n if (sgx_params->input_size > 0) {\n // Allocate and copy data to |input_buffer|.\n sgx_params->input = untrusted_cache->Malloc(sgx_params->input_size);\n input->Serialize(const_cast(sgx_params->input));\n }\n }\n sgx_params->output_size = 0;\n sgx_params->output = nullptr;\n CHECK_OCALL(\n ocall_dispatch_untrusted_call(&ret, untrusted_selector, sgx_params));\n if (sgx_params->input) {\n untrusted_cache->Free(const_cast(sgx_params->input));\n }\n if (!TrustedPrimitives::IsOutsideEnclave(sgx_params->output,\n sgx_params->output_size)) {\n TrustedPrimitives::BestEffortAbort(\n \"UntrustedCall: sgx_param 
output should be in untrusted memory\");\n }\n if (sgx_params->output) {\n // For the results obtained in |output_buffer|, copy them to |output|\n // before freeing the buffer.\n output->Deserialize(sgx_params->output, sgx_params->output_size);\n TrustedPrimitives::UntrustedLocalFree(sgx_params->output);\n }\n return PrimitiveStatus::OkStatus();\n}", "project": "asylo", "hash": 97744345373278828596253695008510711317, "size": 41, "commit_id": "83036fd841d33baa7e039f842d131aa7881fdcc2", "message": "Verify UntrustedCall output is outside enclave\n\nPiperOrigin-RevId: 333781703\nChange-Id: I9df55c04dc8b04f4bf0bda8e68cc32bca81b933a", "target": 0, "dataset": "other", "idx": 246050 }, { "func": "static int sctp_sendmsg_new_asoc(struct sock *sk, __u16 sflags,\n\t\t\t\t struct sctp_cmsgs *cmsgs,\n\t\t\t\t union sctp_addr *daddr,\n\t\t\t\t struct sctp_transport **tp)\n{\n\tstruct sctp_endpoint *ep = sctp_sk(sk)->ep;\n\tstruct sctp_association *asoc;\n\tstruct cmsghdr *cmsg;\n\t__be32 flowinfo = 0;\n\tstruct sctp_af *af;\n\tint err;\n\n\t*tp = NULL;\n\n\tif (sflags & (SCTP_EOF | SCTP_ABORT))\n\t\treturn -EINVAL;\n\n\tif (sctp_style(sk, TCP) && (sctp_sstate(sk, ESTABLISHED) ||\n\t\t\t\t sctp_sstate(sk, CLOSING)))\n\t\treturn -EADDRNOTAVAIL;\n\n\t/* Label connection socket for first association 1-to-many\n\t * style for client sequence socket()->sendmsg(). 
This\n\t * needs to be done before sctp_assoc_add_peer() as that will\n\t * set up the initial packet that needs to account for any\n\t * security ip options (CIPSO/CALIPSO) added to the packet.\n\t */\n\taf = sctp_get_af_specific(daddr->sa.sa_family);\n\tif (!af)\n\t\treturn -EINVAL;\n\terr = security_sctp_bind_connect(sk, SCTP_SENDMSG_CONNECT,\n\t\t\t\t\t (struct sockaddr *)daddr,\n\t\t\t\t\t af->sockaddr_len);\n\tif (err < 0)\n\t\treturn err;\n\n\terr = sctp_connect_new_asoc(ep, daddr, cmsgs->init, tp);\n\tif (err)\n\t\treturn err;\n\tasoc = (*tp)->asoc;\n\n\tif (!cmsgs->addrs_msg)\n\t\treturn 0;\n\n\tif (daddr->sa.sa_family == AF_INET6)\n\t\tflowinfo = daddr->v6.sin6_flowinfo;\n\n\t/* sendv addr list parse */\n\tfor_each_cmsghdr(cmsg, cmsgs->addrs_msg) {\n\t\tunion sctp_addr _daddr;\n\t\tint dlen;\n\n\t\tif (cmsg->cmsg_level != IPPROTO_SCTP ||\n\t\t (cmsg->cmsg_type != SCTP_DSTADDRV4 &&\n\t\t cmsg->cmsg_type != SCTP_DSTADDRV6))\n\t\t\tcontinue;\n\n\t\tdaddr = &_daddr;\n\t\tmemset(daddr, 0, sizeof(*daddr));\n\t\tdlen = cmsg->cmsg_len - sizeof(struct cmsghdr);\n\t\tif (cmsg->cmsg_type == SCTP_DSTADDRV4) {\n\t\t\tif (dlen < sizeof(struct in_addr)) {\n\t\t\t\terr = -EINVAL;\n\t\t\t\tgoto free;\n\t\t\t}\n\n\t\t\tdlen = sizeof(struct in_addr);\n\t\t\tdaddr->v4.sin_family = AF_INET;\n\t\t\tdaddr->v4.sin_port = htons(asoc->peer.port);\n\t\t\tmemcpy(&daddr->v4.sin_addr, CMSG_DATA(cmsg), dlen);\n\t\t} else {\n\t\t\tif (dlen < sizeof(struct in6_addr)) {\n\t\t\t\terr = -EINVAL;\n\t\t\t\tgoto free;\n\t\t\t}\n\n\t\t\tdlen = sizeof(struct in6_addr);\n\t\t\tdaddr->v6.sin6_flowinfo = flowinfo;\n\t\t\tdaddr->v6.sin6_family = AF_INET6;\n\t\t\tdaddr->v6.sin6_port = htons(asoc->peer.port);\n\t\t\tmemcpy(&daddr->v6.sin6_addr, CMSG_DATA(cmsg), dlen);\n\t\t}\n\n\t\terr = sctp_connect_add_peer(asoc, daddr, sizeof(*daddr));\n\t\tif (err)\n\t\t\tgoto free;\n\t}\n\n\treturn 0;\n\nfree:\n\tsctp_association_free(asoc);\n\treturn err;\n}", "project": "linux", "hash": 
18072951643409581925427061638885835481, "size": 94, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398139 }, { "func": "static int read_from_url(struct playlist *pls, struct segment *seg,\n uint8_t *buf, int buf_size,\n enum ReadFromURLMode mode)\n{\n int ret;\n\n /* limit read if the segment was only a part of a file */\n if (seg->size >= 0)\n buf_size = FFMIN(buf_size, seg->size - pls->cur_seg_offset);\n\n if (mode == READ_COMPLETE)\n ret = ffurl_read_complete(pls->input, buf, buf_size);\n else\n ret = ffurl_read(pls->input, buf, buf_size);\n\n if (ret > 0)\n pls->cur_seg_offset += ret;\n\n return ret;\n}", "project": "FFmpeg", "hash": 312989959915534519268172861611169860167, "size": 20, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270458 }, { "func": "static bool 
checkreturn pb_dec_svarint(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n pb_int64_t value, clamped;\n if (!pb_decode_svarint(stream, &value))\n return false;\n \n /* Cast to the proper field size, while checking for overflows */\n if (field->data_size == sizeof(pb_int64_t))\n clamped = *(pb_int64_t*)dest = value;\n else if (field->data_size == sizeof(int32_t))\n clamped = *(int32_t*)dest = (int32_t)value;\n else if (field->data_size == sizeof(int_least16_t))\n clamped = *(int_least16_t*)dest = (int_least16_t)value;\n else if (field->data_size == sizeof(int_least8_t))\n clamped = *(int_least8_t*)dest = (int_least8_t)value;\n else\n PB_RETURN_ERROR(stream, \"invalid data_size\");\n\n if (clamped != value)\n PB_RETURN_ERROR(stream, \"integer too large\");\n \n return true;\n}", "project": "nanopb", "hash": 90536597169320685430560594037118625736, "size": 23, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252523 }, { "func": "static bool checkreturn pb_dec_svarint(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n int64_t value;\n if (!pb_decode_svarint(stream, &value))\n return false;\n \n switch (field->data_size)\n {\n case 4: *(int32_t*)dest = (int32_t)value; break;\n case 8: *(int64_t*)dest = value; break;\n default: PB_RETURN_ERROR(stream, \"invalid data_size\");\n }\n \n return true;\n}", "project": "nanopb", "hash": 207614073290737669694290499440186178753, "size": 15, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255331 }, { "func": "static inline int tcp_may_raise_cwnd(const struct sock *sk, const int flag)\n{\n\tconst struct tcp_sock *tp = tcp_sk(sk);\n\treturn (!(flag & FLAG_ECE) || tp->snd_cwnd < tp->snd_ssthresh) &&\n\t\t!((1 << inet_csk(sk)->icsk_ca_state) & 
(TCPF_CA_Recovery | TCPF_CA_CWR));\n}", "project": "net-next", "hash": 306753925758662228291354964098100711331, "size": 6, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409887 }, { "func": "R_API void __cons_cb_fkey(RCore *core, int fkey) {\n\tchar buf[32];\n\tsnprintf (buf, sizeof (buf), \"key.f%d\", fkey);\n\tconst char *v = r_config_get (core->config, buf);\n\tif (v && *v) {\n\t\tr_cons_printf (\"%s\\n\", v);\n\t\tr_core_cmd0 (core, v);\n\t\tr_cons_flush ();\n\t}\n}", "project": "radare2", "hash": 64305542228913814427558872185646989712, "size": 10, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232165 }, { "func": "static void put_cpu_partial(struct kmem_cache *s, struct page *page, int drain)\n{\n#ifdef CONFIG_SLUB_CPU_PARTIAL\n\tstruct page *oldpage;\n\tint pages;\n\tint pobjects;\n\n\tpreempt_disable();\n\tdo {\n\t\tpages = 0;\n\t\tpobjects = 0;\n\t\toldpage = this_cpu_read(s->cpu_slab->partial);\n\n\t\tif (oldpage) {\n\t\t\tpobjects = oldpage->pobjects;\n\t\t\tpages = oldpage->pages;\n\t\t\tif (drain && pobjects > s->cpu_partial) {\n\t\t\t\tunsigned long flags;\n\t\t\t\t/*\n\t\t\t\t * partial array is full. 
Move the existing\n\t\t\t\t * set to the per node partial list.\n\t\t\t\t */\n\t\t\t\tlocal_irq_save(flags);\n\t\t\t\tunfreeze_partials(s, this_cpu_ptr(s->cpu_slab));\n\t\t\t\tlocal_irq_restore(flags);\n\t\t\t\toldpage = NULL;\n\t\t\t\tpobjects = 0;\n\t\t\t\tpages = 0;\n\t\t\t\tstat(s, CPU_PARTIAL_DRAIN);\n\t\t\t}\n\t\t}\n\n\t\tpages++;\n\t\tpobjects += page->objects - page->inuse;\n\n\t\tpage->pages = pages;\n\t\tpage->pobjects = pobjects;\n\t\tpage->next = oldpage;\n\n\t} while (this_cpu_cmpxchg(s->cpu_slab->partial, oldpage, page)\n\t\t\t\t\t\t\t\t!= oldpage);\n\tif (unlikely(!s->cpu_partial)) {\n\t\tunsigned long flags;\n\n\t\tlocal_irq_save(flags);\n\t\tunfreeze_partials(s, this_cpu_ptr(s->cpu_slab));\n\t\tlocal_irq_restore(flags);\n\t}\n\tpreempt_enable();\n#endif\t/* CONFIG_SLUB_CPU_PARTIAL */\n}", "project": "linux", "hash": 7729402798582590475662214689347618756, "size": 51, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280028 }, { "func": "static void SFDGetDesignSize(FILE *sfd,SplineFont *sf) {\n int ch;\n struct otfname *cur;\n\n getsint(sfd,(int16 *) &sf->design_size);\n while ( (ch=nlgetc(sfd))==' ' );\n ungetc(ch,sfd);\n if ( isdigit(ch)) {\n\tgetsint(sfd,(int16 *) &sf->design_range_bottom);\n\twhile ( (ch=nlgetc(sfd))==' ' );\n\tif ( ch!='-' )\n\t ungetc(ch,sfd);\n\tgetsint(sfd,(int16 *) &sf->design_range_top);\n\tgetsint(sfd,(int16 *) &sf->fontstyle_id);\n\tfor (;;) {\n\t while ( (ch=nlgetc(sfd))==' ' );\n\t ungetc(ch,sfd);\n\t if ( !isdigit(ch))\n\tbreak;\n\t cur = chunkalloc(sizeof(struct otfname));\n\t cur->next = sf->fontstyle_name;\n\t sf->fontstyle_name = cur;\n\t getsint(sfd,(int16 *) &cur->lang);\n\t cur->name = SFDReadUTF7Str(sfd);\n\t}\n }\n}", "project": "fontforge", "hash": 302423688141670830254883428452435859990, "size": 27, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417757 }, { "func": "static int svm_smi_allowed(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\t/* Per APM Vol.2 15.22.2 \"Response to SMI\" */\n\tif (!gif_set(svm))\n\t\treturn 0;\n\n\tif (is_guest_mode(&svm->vcpu) &&\n\t 
svm->nested.intercept & (1ULL << INTERCEPT_SMI)) {\n\t\t/* TODO: Might need to set exit_info_1 and exit_info_2 here */\n\t\tsvm->vmcb->control.exit_code = SVM_EXIT_SMI;\n\t\tsvm->nested.exit_required = true;\n\t\treturn 0;\n\t}\n\n\treturn 1;\n}", "project": "linux", "hash": 207560324791156478312714758760660016205, "size": 18, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432631 }, { "func": "\tPrivmsg(NoCopy, const std::string& source, const std::string& target, const std::string& text, MessageType mt = MSG_PRIVMSG)\n\t\t: ClientProtocol::Message(CommandStrFromMsgType(mt), source)\n\t{\n\t\tPushParam(target);\n\t\tPushParamRef(text);\n\t}", "project": "inspircd", "hash": 331902382815701179015458620740480467841, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273214 }, { "func": "\tPrivmsg(User* source, const std::string& target, const std::string& text, MessageType mt = MSG_PRIVMSG)\n\t\t: ClientProtocol::Message(CommandStrFromMsgType(mt), source)\n\t{\n\t\tPushParam(target);\n\t\tPushParam(text);\n\t}", "project": "inspircd", "hash": 64576823575419031933673781440491599094, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273230 }, { "func": "\tError(const std::string& text)\n\t\t\t: ClientProtocol::Message(\"ERROR\")\n\t{\n\t\tPushParam(text);\n\t}", "project": "inspircd", "hash": 
35142928365041536622715115573248092978, "size": 5, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273236 }, { "func": "\tPrivmsg(NoCopy, User* source, const std::string& target, const std::string& text, MessageType mt = MSG_PRIVMSG)\n\t\t: ClientProtocol::Message(CommandStrFromMsgType(mt), source)\n\t{\n\t\tPushParam(target);\n\t\tPushParamRef(text);\n\t}", "project": "inspircd", "hash": 110412259744021576227055848882173020317, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273259 }, { "func": "static inline void sctp_set_owner_w(struct sctp_chunk *chunk)\n{\n\tstruct sctp_association *asoc = chunk->asoc;\n\tstruct sock *sk = asoc->base.sk;\n\n\t/* The sndbuf space is tracked per association. */\n\tsctp_association_hold(asoc);\n\n\tif (chunk->shkey)\n\t\tsctp_auth_shkey_hold(chunk->shkey);\n\n\tskb_set_owner_w(chunk->skb, sk);\n\n\tchunk->skb->destructor = sctp_wfree;\n\t/* Save the chunk pointer in skb for sctp_wfree to use later. */\n\tskb_shinfo(chunk->skb)->destructor_arg = chunk;\n\n\trefcount_add(sizeof(struct sctp_chunk), &sk->sk_wmem_alloc);\n\tasoc->sndbuf_used += chunk->skb->truesize + sizeof(struct sctp_chunk);\n\tsk->sk_wmem_queued += chunk->skb->truesize + sizeof(struct sctp_chunk);\n\tsk_mem_charge(sk, chunk->skb->truesize);\n}", "project": "linux", "hash": 121998937771694844400236624235954682743, "size": 22, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398125 }, { "func": "static int ca8210_reset_init(struct spi_device *spi)\n{\n\tint ret;\n\tstruct ca8210_platform_data *pdata = spi->dev.platform_data;\n\n\tpdata->gpio_reset = of_get_named_gpio(\n\t\tspi->dev.of_node,\n\t\t\"reset-gpio\",\n\t\t0\n\t);\n\n\tret = gpio_direction_output(pdata->gpio_reset, 1);\n\tif (ret < 0) {\n\t\tdev_crit(\n\t\t\t&spi->dev,\n\t\t\t\"Reset GPIO %d did not set to output mode\\n\",\n\t\t\tpdata->gpio_reset\n\t\t);\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 181052985040846121571924392823550548576, "size": 22, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408799 }, { "func": "int bcf_update_format(const bcf_hdr_t *hdr, bcf1_t *line, const char *key, const void *values, int n, int type)\n{\n // Is the field already present?\n int i, fmt_id = bcf_hdr_id2int(hdr,BCF_DT_ID,key);\n if ( !bcf_hdr_idinfo_exists(hdr,BCF_HL_FMT,fmt_id) )\n {\n if ( !n ) return 0;\n return -1; // the key not present in the header\n }\n\n if ( !(line->unpacked & 
BCF_UN_FMT) ) bcf_unpack(line, BCF_UN_FMT);\n\n for (i=0; in_fmt; i++)\n if ( line->d.fmt[i].id==fmt_id ) break;\n bcf_fmt_t *fmt = i==line->n_fmt ? NULL : &line->d.fmt[i];\n\n if ( !n )\n {\n if ( fmt )\n {\n // Mark the tag for removal, free existing memory if necessary\n if ( fmt->p_free )\n {\n free(fmt->p - fmt->p_off);\n fmt->p_free = 0;\n }\n line->d.indiv_dirty = 1;\n fmt->p = NULL;\n }\n return 0;\n }\n\n line->n_sample = bcf_hdr_nsamples(hdr);\n int nps = n / line->n_sample; // number of values per sample\n assert( nps && nps*line->n_sample==n ); // must be divisible by n_sample\n\n // Encode the values and determine the size required to accommodate the values\n kstring_t str = {0,0,0};\n bcf_enc_int1(&str, fmt_id);\n assert(values != NULL);\n if ( type==BCF_HT_INT )\n bcf_enc_vint(&str, n, (int32_t*)values, nps);\n else if ( type==BCF_HT_REAL )\n {\n bcf_enc_size(&str, nps, BCF_BT_FLOAT);\n serialize_float_array(&str, nps*line->n_sample, (float *) values);\n }\n else if ( type==BCF_HT_STR )\n {\n bcf_enc_size(&str, nps, BCF_BT_CHAR);\n kputsn((char*)values, nps*line->n_sample, &str);\n }\n else\n {\n hts_log_error(\"The type %d not implemented yet at %s:%\"PRIhts_pos, type, bcf_seqname_safe(hdr,line), line->pos+1);\n abort();\n }\n\n if ( !fmt )\n {\n // Not present, new format field\n line->n_fmt++;\n hts_expand0(bcf_fmt_t, line->n_fmt, line->d.m_fmt, line->d.fmt);\n\n // Special case: VCF specification requires that GT is always first\n if ( line->n_fmt > 1 && key[0]=='G' && key[1]=='T' && !key[2] )\n {\n for (i=line->n_fmt-1; i>0; i--)\n line->d.fmt[i] = line->d.fmt[i-1];\n fmt = &line->d.fmt[0];\n }\n else\n fmt = &line->d.fmt[line->n_fmt-1];\n bcf_unpack_fmt_core1((uint8_t*)str.s, line->n_sample, fmt);\n line->d.indiv_dirty = 1;\n fmt->p_free = 1;\n }\n else\n {\n // The tag is already present, check if it is big enough to accomodate the new block\n if ( str.l <= fmt->p_len + fmt->p_off )\n {\n // good, the block is big enough\n if ( str.l != 
fmt->p_len + fmt->p_off ) line->d.indiv_dirty = 1;\n uint8_t *ptr = fmt->p - fmt->p_off;\n memcpy(ptr, str.s, str.l);\n free(str.s);\n int p_free = fmt->p_free;\n bcf_unpack_fmt_core1(ptr, line->n_sample, fmt);\n fmt->p_free = p_free;\n }\n else\n {\n if ( fmt->p_free )\n free(fmt->p - fmt->p_off);\n bcf_unpack_fmt_core1((uint8_t*)str.s, line->n_sample, fmt);\n fmt->p_free = 1;\n line->d.indiv_dirty = 1;\n }\n }\n line->unpacked |= BCF_UN_FMT;\n return 0;\n}", "project": "htslib", "hash": 105146097219312674450416679437839763787, "size": 103, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402231 }, { "func": "int release_threadpool(blosc2_context *context) {\n int32_t t;\n void* status;\n int rc;\n\n if (context->threads_started > 0) {\n if (threads_callback) {\n /* free context data for user-managed threads */\n for (t=0; tthreads_started; t++)\n destroy_thread_context(context->thread_contexts + t);\n my_free(context->thread_contexts);\n }\n else {\n /* Tell all existing threads to finish */\n context->end_threads = 1;\n WAIT_INIT(-1, context);\n\n /* Join exiting threads */\n for (t = 0; t < context->threads_started; t++) {\n rc = pthread_join(context->threads[t], &status);\n if (rc) {\n fprintf(stderr, \"ERROR; return code from pthread_join() is %d\\n\", rc);\n fprintf(stderr, \"\\tError detail: %s\\n\", strerror(rc));\n }\n }\n\n /* Thread attributes */\n #if !defined(_WIN32)\n pthread_attr_destroy(&context->ct_attr);\n #endif\n\n /* Release thread handlers */\n my_free(context->threads);\n }\n\n /* Release mutex and 
condition variable objects */\n pthread_mutex_destroy(&context->count_mutex);\n pthread_mutex_destroy(&context->delta_mutex);\n pthread_cond_destroy(&context->delta_cv);\n\n /* Barriers */\n #ifdef BLOSC_POSIX_BARRIERS\n pthread_barrier_destroy(&context->barr_init);\n pthread_barrier_destroy(&context->barr_finish);\n #else\n pthread_mutex_destroy(&context->count_threads_mutex);\n pthread_cond_destroy(&context->count_threads_cv);\n context->count_threads = 0; /* Reset threads counter */\n #endif\n\n /* Reset flags and counters */\n context->end_threads = 0;\n context->threads_started = 0;\n }\n\n\n return 0;\n}", "project": "c-blosc2", "hash": 299773824046360099644851019196341469379, "size": 58, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303079 }, { "func": "void imap_get_parent_path(const char *path, char *buf, size_t buflen)\n{\n struct ImapAccountData *adata = NULL;\n struct ImapMboxData *mdata = NULL;\n char mbox[1024];\n\n if (imap_adata_find(path, &adata, &mdata) < 0)\n {\n mutt_str_copy(buf, path, buflen);\n return;\n }\n\n /* Gets the parent mbox in mbox */\n imap_get_parent(mdata->name, adata->delim, mbox, sizeof(mbox));\n\n /* Returns a fully qualified IMAP url */\n imap_qualify_path(buf, buflen, &adata->conn->account, mbox);\n imap_mdata_free((void *) &mdata);\n}", "project": "neomutt", "hash": 209904762029414677868145613229948526541, "size": 19, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. 
In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399272 }, { "func": "static int ca8210_set_tx_power(struct ieee802154_hw *hw, s32 mbm)\n{\n\tstruct ca8210_priv *priv = hw->priv;\n\n\tmbm /= 100;\n\treturn link_to_linux_err(\n\t\tmlme_set_request_sync(PHY_TRANSMIT_POWER, 0, 1, &mbm, priv->spi)\n\t);\n}", "project": "linux", "hash": 59160977827397085011255314038139906676, "size": 9, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408771 }, { "func": "gdImagePtr get_valid_image_resource(const Resource& image) {\n auto img_res = dyn_cast_or_null(image);\n if (!img_res || !img_res->get()) {\n raise_warning(\"supplied resource is not a valid Image resource\");\n return nullptr;\n }\n return img_res->get();\n}", "project": "hhvm", "hash": 312401242762979260312146703781239017565, "size": 8, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219365 }, { "func": "void bcf_hrec_destroy(bcf_hrec_t *hrec)\n{\n if (!hrec) return;\n free(hrec->key);\n if ( hrec->value ) free(hrec->value);\n int i;\n for (i=0; inkeys; i++)\n {\n free(hrec->keys[i]);\n free(hrec->vals[i]);\n }\n free(hrec->keys);\n free(hrec->vals);\n free(hrec);\n}", "project": "htslib", "hash": 158471715139110204255571716811717305211, "size": 15, "commit_id": 
"dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402141 }, { "func": "bool ItemStackMetadata::setString(const std::string &name, const std::string &var)\n{\n\tbool result = Metadata::setString(name, var);\n\tif (name == TOOLCAP_KEY)\n\t\tupdateToolCapabilities();\n\treturn result;\n}", "project": "minetest", "hash": 260790760425028914771767596212402179523, "size": 7, "commit_id": "b5956bde259faa240a81060ff4e598e25ad52dae", "message": "Sanitize ItemStack meta text", "target": 1, "dataset": "other", "idx": 198663 }, { "func": "bool ItemStackMetadata::setString(const std::string &name, const std::string &var)\n{\n\tstd::string clean_name = name;\n\tstd::string clean_var = var;\n\tsanitize_string(clean_name);\n\tsanitize_string(clean_var);\n\n\tbool result = Metadata::setString(clean_name, clean_var);\n\tif (clean_name == TOOLCAP_KEY)\n\t\tupdateToolCapabilities();\n\treturn result;\n}", "project": "minetest", "hash": 29693985862186695302198532605370901986, "size": 12, "commit_id": "b5956bde259faa240a81060ff4e598e25ad52dae", "message": "Sanitize ItemStack meta text", "target": 0, "dataset": "other", "idx": 279961 }, { "func": "void CSoundFile::KeyOff(ModChannel *pChn) const\n{\n\tconst bool bKeyOn = !pChn->dwFlags[CHN_KEYOFF];\n\tpChn->dwFlags.set(CHN_KEYOFF);\n\tif(pChn->pModInstrument != nullptr && !pChn->VolEnv.flags[ENV_ENABLED])\n\t{\n\t\tpChn->dwFlags.set(CHN_NOTEFADE);\n\t}\n\tif (!pChn->nLength) return;\n\tif (pChn->dwFlags[CHN_SUSTAINLOOP] && pChn->pModSample && bKeyOn)\n\t{\n\t\tconst ModSample *pSmp = 
pChn->pModSample;\n\t\tif(pSmp->uFlags[CHN_LOOP])\n\t\t{\n\t\t\tif (pSmp->uFlags[CHN_PINGPONGLOOP])\n\t\t\t\tpChn->dwFlags.set(CHN_PINGPONGLOOP);\n\t\t\telse\n\t\t\t\tpChn->dwFlags.reset(CHN_PINGPONGLOOP | CHN_PINGPONGFLAG);\n\t\t\tpChn->dwFlags.set(CHN_LOOP);\n\t\t\tpChn->nLength = pSmp->nLength;\n\t\t\tpChn->nLoopStart = pSmp->nLoopStart;\n\t\t\tpChn->nLoopEnd = pSmp->nLoopEnd;\n\t\t\tif (pChn->nLength > pChn->nLoopEnd) pChn->nLength = pChn->nLoopEnd;\n\t\t\tif(pChn->position.GetUInt() > pChn->nLength)\n\t\t\t{\n\t\t\t\t// Test case: SusAfterLoop.it\n\t\t\t\tpChn->position.Set(pChn->position.GetInt() - pChn->nLength + pChn->nLoopStart);\n\t\t\t}\n\t\t} else\n\t\t{\n\t\t\tpChn->dwFlags.reset(CHN_LOOP | CHN_PINGPONGLOOP | CHN_PINGPONGFLAG);\n\t\t\tpChn->nLength = pSmp->nLength;\n\t\t}\n\t}\n\n\tif (pChn->pModInstrument)\n\t{\n\t\tconst ModInstrument *pIns = pChn->pModInstrument;\n\t\tif((pIns->VolEnv.dwFlags[ENV_LOOP] || (GetType() & (MOD_TYPE_XM | MOD_TYPE_MT2 | MOD_TYPE_MDL))) && pIns->nFadeOut != 0)\n\t\t{\n\t\t\tpChn->dwFlags.set(CHN_NOTEFADE);\n\t\t}\n\n\t\tif (pIns->VolEnv.nReleaseNode != ENV_RELEASE_NODE_UNSET && pChn->VolEnv.nEnvValueAtReleaseJump == NOT_YET_RELEASED)\n\t\t{\n\t\t\tpChn->VolEnv.nEnvValueAtReleaseJump = pIns->VolEnv.GetValueFromPosition(pChn->VolEnv.nEnvPosition, 256);\n\t\t\tpChn->VolEnv.nEnvPosition = pIns->VolEnv[pIns->VolEnv.nReleaseNode].tick;\n\t\t}\n\t}\n}", "project": "openmpt", "hash": 65775283095610283149996470997596924665, "size": 50, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255203 }, { "func": "static void ecryptfs_set_default_crypt_stat_vals(\n\tstruct ecryptfs_crypt_stat 
*crypt_stat,\n\tstruct ecryptfs_mount_crypt_stat *mount_crypt_stat)\n{\n\tecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,\n\t\t\t\t\t\t mount_crypt_stat);\n\tecryptfs_set_default_sizes(crypt_stat);\n\tstrcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER);\n\tcrypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES;\n\tcrypt_stat->flags &= ~(ECRYPTFS_KEY_VALID);\n\tcrypt_stat->file_version = ECRYPTFS_FILE_VERSION;\n\tcrypt_stat->mount_crypt_stat = mount_crypt_stat;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 56545942953424984816424621161359876961, "size": 13, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. 
Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490170 }, { "func": "static OPJ_BOOL opj_j2k_read_unk(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n OPJ_UINT32 *output_marker,\n opj_event_mgr_t * p_manager\n )\n{\n OPJ_UINT32 l_unknown_marker;\n const opj_dec_memory_marker_handler_t * l_marker_handler;\n OPJ_UINT32 l_size_unk = 2;\n\n /* preconditions*/\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n opj_event_msg(p_manager, EVT_WARNING, \"Unknown marker\\n\");\n\n for (;;) {\n /* Try to read 2 bytes (the next marker ID) from stream and copy them into the buffer*/\n if (opj_stream_read_data(p_stream,\n p_j2k->m_specific_param.m_decoder.m_header_data, 2, p_manager) != 2) {\n opj_event_msg(p_manager, EVT_ERROR, \"Stream too short\\n\");\n return OPJ_FALSE;\n }\n\n /* read 2 bytes as the new marker ID*/\n opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data,\n &l_unknown_marker, 2);\n\n if (!(l_unknown_marker < 0xff00)) {\n\n /* Get the marker handler from the marker ID*/\n l_marker_handler = opj_j2k_get_marker_handler(l_unknown_marker);\n\n if (!(p_j2k->m_specific_param.m_decoder.m_state & l_marker_handler->states)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Marker is not compliant with its position\\n\");\n return OPJ_FALSE;\n } else {\n if (l_marker_handler->id != J2K_MS_UNK) {\n /* Add the marker to the codestream index*/\n if (l_marker_handler->id != J2K_MS_SOT) {\n OPJ_BOOL res = opj_j2k_add_mhmarker(p_j2k->cstr_index, J2K_MS_UNK,\n (OPJ_UINT32) opj_stream_tell(p_stream) - l_size_unk,\n l_size_unk);\n if (res == OPJ_FALSE) {\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to add mh marker\\n\");\n return OPJ_FALSE;\n }\n }\n break; /* next marker is 
known and well located */\n } else {\n l_size_unk += 2;\n }\n }\n }\n }\n\n *output_marker = l_marker_handler->id ;\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 42756480395414336526239263074136246934, "size": 62, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357323 }, { "func": "static int lookup_fast(struct nameidata *nd,\n\t\t struct path *path, struct inode **inode,\n\t\t unsigned *seqp)\n{\n\tstruct vfsmount *mnt = nd->path.mnt;\n\tstruct dentry *dentry, *parent = nd->path.dentry;\n\tint status = 1;\n\tint err;\n\n\t/*\n\t * Rename seqlock is not required here because in the off chance\n\t * of a false negative due to a concurrent rename, the caller is\n\t * going to fall back to non-racy lookup.\n\t */\n\tif (nd->flags & LOOKUP_RCU) {\n\t\tunsigned seq;\n\t\tbool negative;\n\t\tdentry = __d_lookup_rcu(parent, &nd->last, &seq);\n\t\tif (unlikely(!dentry)) {\n\t\t\tif (unlazy_walk(nd))\n\t\t\t\treturn -ECHILD;\n\t\t\treturn 0;\n\t\t}\n\n\t\t/*\n\t\t * This sequence count validates that the inode matches\n\t\t * the dentry name information from lookup.\n\t\t */\n\t\t*inode = d_backing_inode(dentry);\n\t\tnegative = d_is_negative(dentry);\n\t\tif (unlikely(read_seqcount_retry(&dentry->d_seq, seq)))\n\t\t\treturn -ECHILD;\n\n\t\t/*\n\t\t * This sequence count validates that the parent had no\n\t\t * changes while we did the lookup of the dentry above.\n\t\t *\n\t\t * The memory barrier in read_seqcount_begin of child is\n\t\t * enough, we can use __read_seqcount_retry here.\n\t\t */\n\t\tif (unlikely(__read_seqcount_retry(&parent->d_seq, nd->seq)))\n\t\t\treturn -ECHILD;\n\n\t\t*seqp = seq;\n\t\tstatus = d_revalidate(dentry, nd->flags);\n\t\tif (likely(status > 0)) {\n\t\t\t/*\n\t\t\t * Note: do negative dentry check after revalidation in\n\t\t\t * case that drops it.\n\t\t\t */\n\t\t\tif 
(unlikely(negative))\n\t\t\t\treturn -ENOENT;\n\t\t\tpath->mnt = mnt;\n\t\t\tpath->dentry = dentry;\n\t\t\tif (likely(__follow_mount_rcu(nd, path, inode, seqp)))\n\t\t\t\treturn 1;\n\t\t}\n\t\tif (unlazy_child(nd, dentry, seq))\n\t\t\treturn -ECHILD;\n\t\tif (unlikely(status == -ECHILD))\n\t\t\t/* we'd been told to redo it in non-rcu mode */\n\t\t\tstatus = d_revalidate(dentry, nd->flags);\n\t} else {\n\t\tdentry = __d_lookup(parent, &nd->last);\n\t\tif (unlikely(!dentry))\n\t\t\treturn 0;\n\t\tstatus = d_revalidate(dentry, nd->flags);\n\t}\n\tif (unlikely(status <= 0)) {\n\t\tif (!status)\n\t\t\td_invalidate(dentry);\n\t\tdput(dentry);\n\t\treturn status;\n\t}\n\n\tpath->mnt = mnt;\n\tpath->dentry = dentry;\n\terr = follow_managed(path, nd);\n\tif (likely(err > 0))\n\t\t*inode = d_backing_inode(path->dentry);\n\treturn err;\n}", "project": "linux", "hash": 8574179322187902322391893941074409381, "size": 82, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295358 }, { "func": "int enc_untrusted_sys_futex_wait(int32_t *futex, int32_t expected,\n int64_t timeout_microsec) {\n if (!TrustedPrimitives::IsOutsideEnclave(futex, sizeof(int32_t))) {\n TrustedPrimitives::BestEffortAbort(\n \"enc_untrusted_sys_futex_wait: futex word should be in untrusted \"\n \"local memory.\");\n }\n\n MessageWriter input;\n MessageReader output;\n input.Push(reinterpret_cast(futex));\n input.Push(expected);\n input.Push(timeout_microsec);\n const auto status = NonSystemCallDispatcher(\n ::asylo::host_call::kSysFutexWaitHandler, &input, &output);\n CheckStatusAndParamCount(status, output, \"enc_untrusted_sys_futex_wait\", 2);\n int result = output.next();\n int 
klinux_errno = output.next();\n\n // If FUTEX_WAIT successfully causes the thread to be suspended in the kernel,\n // it returns a zero when the caller is woken up. Otherwise, it returns the\n // appropriate errno.\n if (result != 0) {\n errno = FromkLinuxErrorNumber(klinux_errno);\n }\n return result;\n}", "project": "asylo", "hash": 219272135699476275292655812622347821158, "size": 27, "commit_id": "a37fb6a0e7daf30134dbbf357c9a518a1026aa02", "message": "Check untrusted queue is in outside enclave\n\nPiperOrigin-RevId: 333370935\nChange-Id: Ic3f15d5db1302d95c7cb199b44172474fecb81ca", "target": 0, "dataset": "other", "idx": 231081 }, { "func": "void add_interrupt_randomness(int irq)\n{\n\tstruct timer_rand_state *state;\n\n\tstate = get_timer_rand_state(irq);\n\n\tif (state == NULL)\n\t\treturn;\n\n\tDEBUG_ENT(\"irq event %d\\n\", irq);\n\tadd_timer_randomness(state, 0x100 + irq);\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 228546552708345918702248662800768559221, "size": 12, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. 
I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499889 }, { "func": "static void mt_feature_mapping(struct hid_device *hdev,\n\t\tstruct hid_field *field, struct hid_usage *usage)\n{\n\tstruct mt_device *td = hid_get_drvdata(hdev);\n\n\tswitch (usage->hid) {\n\tcase HID_DG_CONTACTMAX:\n\t\tmt_get_feature(hdev, field->report);\n\n\t\ttd->maxcontacts = field->value[0];\n\t\tif (!td->maxcontacts &&\n\t\t field->logical_maximum <= MT_MAX_MAXCONTACT)\n\t\t\ttd->maxcontacts = field->logical_maximum;\n\t\tif (td->mtclass.maxcontacts)\n\t\t\t/* check if the maxcontacts is given by the class */\n\t\t\ttd->maxcontacts = td->mtclass.maxcontacts;\n\n\t\tbreak;\n\tcase HID_DG_BUTTONTYPE:\n\t\tif (usage->usage_index >= field->report_count) {\n\t\t\tdev_err(&hdev->dev, \"HID_DG_BUTTONTYPE out of range\\n\");\n\t\t\tbreak;\n\t\t}\n\n\t\tmt_get_feature(hdev, field->report);\n\t\tif (field->value[usage->usage_index] == MT_BUTTONTYPE_CLICKPAD)\n\t\t\ttd->is_buttonpad = true;\n\n\t\tbreak;\n\tcase 0xff0000c5:\n\t\t/* Retrieve the Win8 blob once to enable some devices */\n\t\tif (usage->usage_index == 0)\n\t\t\tmt_get_feature(hdev, field->report);\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 331454539095360781464348826168695836849, "size": 36, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: 
Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458363 }, { "func": "CairoFontEngine::getFont(GfxFont *gfxFont, XRef *xref) {\n int i, j;\n Ref ref;\n CairoFont *font;\n GfxFontType fontType;\n \n fontType = gfxFont->getType();\n if (fontType == fontType3) {\n /* Need to figure this out later */\n // return NULL;\n }\n\n ref = *gfxFont->getID();\n\n for (i = 0; i < cairoFontCacheSize; ++i) {\n font = fontCache[i];\n if (font && font->matches(ref)) {\n for (j = i; j > 0; --j) {\n\tfontCache[j] = fontCache[j-1];\n }\n fontCache[0] = font;\n return font;\n }\n }\n \n font = CairoFont::create (gfxFont, xref, lib, useCIDs);\n //XXX: if font is null should we still insert it into the cache?\n if (fontCache[cairoFontCacheSize - 1]) {\n delete fontCache[cairoFontCacheSize - 1];\n }\n for (j = cairoFontCacheSize - 1; j > 0; --j) {\n fontCache[j] = fontCache[j-1];\n }\n fontCache[0] = font;\n return font;\n}", "project": "poppler", "hash": 223837065428052086418626781249921633736, "size": 36, "commit_id": "1a531dcfee1c6fc79a414c38cbe7327fbf9a59d8", "message": "Fix a crash with invalid embedded fonts", "target": 0, "dataset": "other", "idx": 421888 }, { "func": "static void sca_copy_b_to_e(struct 
esca_block *d, struct bsca_block *s)\n{\n\tint i;\n\n\td->ipte_control = s->ipte_control;\n\td->mcn[0] = s->mcn;\n\tfor (i = 0; i < KVM_S390_BSCA_CPU_SLOTS; i++)\n\t\tsca_copy_entry(&d->cpu[i], &s->cpu[i]);\n}", "project": "linux", "hash": 166449962924090092400373875211193029860, "size": 9, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354457 }, { "func": "static int sctp_setsockopt_encap_port(struct sock *sk,\n\t\t\t\t struct sctp_udpencaps *encap,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_association *asoc;\n\tstruct sctp_transport *t;\n\t__be16 encap_port;\n\n\tif (optlen != sizeof(*encap))\n\t\treturn -EINVAL;\n\n\t/* If an address other than INADDR_ANY is specified, and\n\t * no transport is found, then the request is invalid.\n\t */\n\tencap_port = (__force __be16)encap->sue_port;\n\tif (!sctp_is_any(sk, (union sctp_addr *)&encap->sue_address)) {\n\t\tt = sctp_addr_id2transport(sk, &encap->sue_address,\n\t\t\t\t\t encap->sue_assoc_id);\n\t\tif (!t)\n\t\t\treturn -EINVAL;\n\n\t\tt->encap_port = encap_port;\n\t\treturn 0;\n\t}\n\n\t/* Get association, if assoc_id != SCTP_FUTURE_ASSOC and the\n\t * socket is a one to many style socket, and an association\n\t * was not found, then the id was invalid.\n\t */\n\tasoc = sctp_id2assoc(sk, encap->sue_assoc_id);\n\tif (!asoc && 
encap->sue_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\t/* If changes are for association, also apply encap_port to\n\t * each transport.\n\t */\n\tif (asoc) {\n\t\tlist_for_each_entry(t, &asoc->peer.transport_addr_list,\n\t\t\t\t transports)\n\t\t\tt->encap_port = encap_port;\n\n\t\treturn 0;\n\t}\n\n\tsctp_sk(sk)->encap_port = encap_port;\n\treturn 0;\n}", "project": "linux", "hash": 59683858385655999452689272437864074039, "size": 48, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398136 }, { "func": "static void kvm_hv_notify_acked_sint(struct kvm_vcpu *vcpu, u32 sint)\n{\n\tstruct kvm *kvm = vcpu->kvm;\n\tstruct kvm_vcpu_hv_synic *synic = to_hv_synic(vcpu);\n\tstruct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu);\n\tstruct kvm_vcpu_hv_stimer *stimer;\n\tint gsi, idx;\n\n\ttrace_kvm_hv_notify_acked_sint(vcpu->vcpu_id, sint);\n\n\t/* Try to deliver pending Hyper-V SynIC timers messages */\n\tfor (idx = 0; idx < ARRAY_SIZE(hv_vcpu->stimer); idx++) {\n\t\tstimer = &hv_vcpu->stimer[idx];\n\t\tif (stimer->msg_pending && stimer->config.enable &&\n\t\t !stimer->config.direct_mode &&\n\t\t stimer->config.sintx == sint)\n\t\t\tstimer_mark_pending(stimer, false);\n\t}\n\n\tidx = srcu_read_lock(&kvm->irq_srcu);\n\tgsi = atomic_read(&synic->sint_to_gsi[sint]);\n\tif (gsi != -1)\n\t\tkvm_notify_acked_gsi(kvm, gsi);\n\tsrcu_read_unlock(&kvm->irq_srcu, idx);\n}", "project": "linux", "hash": 10747352529601367419164267263214066708, "size": 25, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific 
MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343482 }, { "func": "static bool io_file_supports_async(struct io_kiocb *req, int rw)\n{\n\tif (rw == READ && (req->flags & REQ_F_ASYNC_READ))\n\t\treturn true;\n\telse if (rw == WRITE && (req->flags & REQ_F_ASYNC_WRITE))\n\t\treturn true;\n\n\treturn __io_file_supports_async(req->file, rw);\n}", "project": "linux", "hash": 29351666736231412512229705328171938909, "size": 9, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338675 }, { "func": "static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_user_confirm_reply *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\thci_dev_lock(hdev);\n\n\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tmgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,\n\t\t\t\t\t\t 0, rp->status);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 301755505228227299872402512864381107671, "size": 14, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431935 }, { "func": "TfLiteStatus EvalHybrid(TfLiteContext* context, TfLiteNode* node,\n TfLiteFullyConnectedParams* params, OpData* data,\n const TfLiteTensor* input, const TfLiteTensor* filter,\n const TfLiteTensor* bias, TfLiteTensor* input_quantized,\n TfLiteTensor* scaling_factors,\n TfLiteTensor* accum_scratch, TfLiteTensor* row_sums,\n TfLiteTensor* input_offsets, TfLiteTensor* output) {\n const auto& output_shape = GetTensorShape(output);\n CpuBackendContext* cpu_backend_context =\n CpuBackendContext::GetFromContext(context);\n const bool is_dense = filter->sparsity == nullptr;\n if (is_dense) {\n return EvalHybridDense(context, node, params, data, input, filter, bias,\n input_quantized, scaling_factors, accum_scratch,\n row_sums, input_offsets, output);\n }\n\n TfLiteTensor* filter_ledger = &context->tensors[node->temporaries->data[5]];\n if (!data->ledger_initialized) {\n PopulateLedgerData(filter->sparsity, context,\n GetTensorData(filter_ledger));\n data->ledger_initialized = true;\n }\n\n // The multi-threaded kernel slices the workload along the batch dimension. 
If\n // there's not enough batches of data, the number of threads used is equal to\n // the batch size.\n // TODO(b/173442777): If needed, we can improve this later with slicing along\n // the row dimension of the weight.\n const int max_threads = cpu_backend_context->max_num_threads();\n const int batches =\n FlatSizeSkipDim(output_shape, output_shape.DimensionsCount() - 1);\n const int thread_count = std::max(1, std::min(batches, max_threads));\n if (params->asymmetric_quantize_inputs && data->compute_row_sums) {\n // Precompute row sums.\n static const int kBlockSize = 16;\n const uint8_t* ledger_ptr = GetTensorData(filter_ledger);\n const int8_t* row_ptr = GetTensorData(filter);\n const int output_depth = filter->dims->data[0];\n int32_t* row_sums_ptr = GetTensorData(row_sums);\n for (int row = 0; row < output_depth; ++row) {\n int32_t row_sum = 0;\n int num_nonzero_blocks = *ledger_ptr++;\n for (int i = 0; i < num_nonzero_blocks; ++i, ++ledger_ptr) {\n for (int c = 0; c < kBlockSize; c++) {\n row_sum += (*row_ptr++);\n }\n }\n row_sums_ptr[row] = row_sum;\n }\n data->compute_row_sums = false;\n }\n std::vector tasks;\n tasks.reserve(thread_count);\n int thread_start = 0;\n for (int i = 0; i < thread_count; ++i) {\n // This makes sure the workload is relatively balanced when batches is not\n // a multiple of thread_count. 
The first mod(batches, thread_count) tasks\n // need to process one more batch than the rest.\n int thread_end = thread_start + batches / thread_count;\n if (i < batches % thread_count) thread_end++;\n\n tasks.emplace_back(context, node, params, data, input, filter, bias,\n thread_start, thread_end, input_quantized,\n scaling_factors, accum_scratch, row_sums, input_offsets,\n output);\n thread_start = thread_end;\n }\n cpu_backend_threadpool::Execute(tasks.size(), tasks.data(),\n cpu_backend_context);\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 106252617170312870783184061976612638960, "size": 72, "commit_id": "6c0b2b70eeee588591680f5b7d5d38175fd7cdf6", "message": "[lite] add validation check for sparse fully connected\n\nPiperOrigin-RevId: 417629354\nChange-Id: If96171c4bd4f5fdb01d6368d6deab19d1c9beca7", "target": 0, "dataset": "other", "idx": 220488 }, { "func": "int kvm_arch_vcpu_ioctl_get_sregs(struct kvm_vcpu *vcpu,\n\t\t\t\t struct kvm_sregs *sregs)\n{\n\tvcpu_load(vcpu);\n\n\tmemcpy(&sregs->acrs, &vcpu->run->s.regs.acrs, sizeof(sregs->acrs));\n\tmemcpy(&sregs->crs, &vcpu->arch.sie_block->gcr, sizeof(sregs->crs));\n\n\tvcpu_put(vcpu);\n\treturn 0;\n}", "project": "linux", "hash": 67726073301747064092392998900309395510, "size": 11, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", 
"idx": 354524 }, { "func": "static inline void ep_set_busy_poll_napi_id(struct epitem *epi)\n{\n}", "project": "linux", "hash": 256898482261773831305728914204478540941, "size": 3, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336267 }, { "func": "static inline void ep_set_busy_poll_napi_id(struct epitem *epi)\n{\n\tstruct eventpoll *ep;\n\tunsigned int napi_id;\n\tstruct socket *sock;\n\tstruct sock *sk;\n\tint err;\n\n\tif (!net_busy_loop_on())\n\t\treturn;\n\n\tsock = sock_from_file(epi->ffd.file, &err);\n\tif (!sock)\n\t\treturn;\n\n\tsk = sock->sk;\n\tif (!sk)\n\t\treturn;\n\n\tnapi_id = READ_ONCE(sk->sk_napi_id);\n\tep = epi->ep;\n\n\t/* Non-NAPI IDs can be rejected\n\t *\tor\n\t * Nothing to do if we already have this ID\n\t */\n\tif (napi_id < MIN_NAPI_ID || napi_id == ep->napi_id)\n\t\treturn;\n\n\t/* record NAPI ID for use in next busy poll */\n\tep->napi_id = napi_id;\n}", "project": "linux", "hash": 192866581538252337550394409200638594292, "size": 32, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336283 }, { "func": "static int kvm_alloc_dirty_bitmap(struct kvm_memory_slot *memslot)\n{\n\tunsigned long dirty_bytes = 2 * kvm_dirty_bitmap_bytes(memslot);\n\n\tmemslot->dirty_bitmap = kvzalloc(dirty_bytes, GFP_KERNEL_ACCOUNT);\n\tif (!memslot->dirty_bitmap)\n\t\treturn -ENOMEM;\n\n\treturn 0;\n}", "project": "linux", "hash": 126521008756275328290982906556916478390, "size": 10, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots 
in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354501 }, { "func": " void Jp2Image::printStructure(std::ostream& out, PrintStructureOption option, int depth)\n {\n if (io_->open() != 0)\n throw Error(kerDataSourceOpenFailed, io_->path(), strError());\n\n // Ensure that this is the correct image type\n if (!isJp2Type(*io_, false)) {\n if (io_->error() || io_->eof())\n throw Error(kerFailedToReadImageData);\n throw Error(kerNotAJpeg);\n }\n\n bool bPrint = option == kpsBasic || option == kpsRecursive;\n bool bRecursive = option == kpsRecursive;\n bool bICC = option == kpsIccProfile;\n bool bXMP = option == kpsXMP;\n bool bIPTCErase = option == kpsIptcErase;\n\n if (bPrint) {\n out << \"STRUCTURE OF JPEG2000 FILE: \" << io_->path() << std::endl;\n out << \" address | length | box | data\" << std::endl;\n }\n\n if ( bPrint || bXMP || bICC || bIPTCErase ) {\n\n long position = 0;\n Jp2BoxHeader box = {1,1};\n Jp2BoxHeader subBox = {1,1};\n Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};\n bool bLF = false;\n\n while (box.length && box.type != kJp2BoxTypeClose && io_->read((byte*)&box, sizeof(box)) == sizeof(box))\n {\n position = io_->tell();\n box.length = getLong((byte*)&box.length, bigEndian);\n box.type = getLong((byte*)&box.type, bigEndian);\n enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);\n\n if (bPrint) {\n out << Internal::stringFormat(\"%8ld | %8ld | \", position - sizeof(box),\n (size_t)box.length)\n << toAscii(box.type) << \" | \";\n bLF = true;\n if (box.type == kJp2BoxTypeClose)\n lf(out, bLF);\n }\n if (box.type == kJp2BoxTypeClose)\n break;\n\n switch 
(box.type) {\n case kJp2BoxTypeJp2Header: {\n lf(out, bLF);\n\n while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) &&\n io_->tell() < position + (long)box.length) // don't read beyond the box!\n {\n int address = io_->tell() - sizeof(subBox);\n subBox.length = getLong((byte*)&subBox.length, bigEndian);\n subBox.type = getLong((byte*)&subBox.type, bigEndian);\n\n if (subBox.length < sizeof(box) || subBox.length > io_->size() - io_->tell()) {\n throw Error(kerCorruptedMetadata);\n }\n\n DataBuf data(subBox.length - sizeof(box));\n io_->read(data.pData_, data.size_);\n if (bPrint) {\n out << Internal::stringFormat(\"%8ld | %8ld | sub:\", (size_t)address,\n (size_t)subBox.length)\n << toAscii(subBox.type) << \" | \"\n << Internal::binaryToString(makeSlice(data, 0, std::min(30l, data.size_)));\n bLF = true;\n }\n\n if (subBox.type == kJp2BoxTypeColorHeader) {\n long pad = 3; // don't know why there are 3 padding bytes\n if (bPrint) {\n out << \" | pad:\";\n for (int i = 0; i < 3; i++)\n out << \" \" << (int)data.pData_[i];\n }\n long iccLength = getULong(data.pData_ + pad, bigEndian);\n if (bPrint) {\n out << \" | iccLength:\" << iccLength;\n }\n if (bICC) {\n out.write((const char*)data.pData_ + pad, iccLength);\n }\n }\n lf(out, bLF);\n }\n } break;\n\n case kJp2BoxTypeUuid: {\n if (io_->read((byte*)&uuid, sizeof(uuid)) == sizeof(uuid)) {\n bool bIsExif = memcmp(uuid.uuid, kJp2UuidExif, sizeof(uuid)) == 0;\n bool bIsIPTC = memcmp(uuid.uuid, kJp2UuidIptc, sizeof(uuid)) == 0;\n bool bIsXMP = memcmp(uuid.uuid, kJp2UuidXmp, sizeof(uuid)) == 0;\n\n bool bUnknown = !(bIsExif || bIsIPTC || bIsXMP);\n\n if (bPrint) {\n if (bIsExif)\n out << \"Exif: \";\n if (bIsIPTC)\n out << \"IPTC: \";\n if (bIsXMP)\n out << \"XMP : \";\n if (bUnknown)\n out << \"????: \";\n }\n\n DataBuf rawData;\n rawData.alloc(box.length - sizeof(uuid) - sizeof(box));\n long bufRead = io_->read(rawData.pData_, rawData.size_);\n if (io_->error())\n throw Error(kerFailedToReadImageData);\n 
if (bufRead != rawData.size_)\n throw Error(kerInputDataReadFailed);\n\n if (bPrint) {\n out << Internal::binaryToString(\n makeSlice(rawData, 0, rawData.size_>40?40:rawData.size_));\n out.flush();\n }\n lf(out, bLF);\n\n if (bIsExif && bRecursive && rawData.size_ > 8) { // \"II*\\0long\"\n if ((rawData.pData_[0] == rawData.pData_[1]) &&\n (rawData.pData_[0] == 'I' || rawData.pData_[0] == 'M')) {\n BasicIo::UniquePtr p = BasicIo::UniquePtr(new MemIo(rawData.pData_, rawData.size_));\n printTiffStructure(*p, out, option, depth);\n }\n }\n\n if (bIsIPTC && bRecursive) {\n IptcData::printStructure(out, makeSlice(rawData.pData_, 0, rawData.size_), depth);\n }\n\n if (bIsXMP && bXMP) {\n out.write((const char*)rawData.pData_, rawData.size_);\n }\n }\n } break;\n\n default:\n break;\n }\n\n // Move to the next box.\n io_->seek(static_cast(position - sizeof(box) + box.length), BasicIo::beg);\n if (io_->error())\n throw Error(kerFailedToReadImageData);\n if (bPrint)\n lf(out, bLF);\n }\n }\n } // JpegBase::printStructure", "project": "exiv2", "hash": 27474576784033121755514682875575639577, "size": 158, "commit_id": "f9308839198aca5e68a65194f151a1de92398f54", "message": "Better bounds checking in Jp2Image::encodeJp2Header()", "target": 0, "dataset": "other", "idx": 409138 }, { "func": "int kvm_vm_ioctl_get_dirty_log(struct kvm *kvm,\n\t\t\t struct kvm_dirty_log *log)\n{\n\tint r;\n\tunsigned long n;\n\tstruct kvm_memory_slot *memslot;\n\tint is_dirty;\n\n\tif (kvm_is_ucontrol(kvm))\n\t\treturn -EINVAL;\n\n\tmutex_lock(&kvm->slots_lock);\n\n\tr = -EINVAL;\n\tif (log->slot >= KVM_USER_MEM_SLOTS)\n\t\tgoto out;\n\n\tr = kvm_get_dirty_log(kvm, log, &is_dirty, &memslot);\n\tif (r)\n\t\tgoto out;\n\n\t/* Clear the dirty log */\n\tif (is_dirty) {\n\t\tn = kvm_dirty_bitmap_bytes(memslot);\n\t\tmemset(memslot->dirty_bitmap, 0, n);\n\t}\n\tr = 0;\nout:\n\tmutex_unlock(&kvm->slots_lock);\n\treturn r;\n}", "project": "linux", "hash": 193328444173583611839147734681058360787, "size": 31, 
"commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354469 }, { "func": "static int kvm_vm_ioctl_get_dirty_log(struct kvm *kvm,\n\t\t\t\t struct kvm_dirty_log *log)\n{\n\tint r;\n\n\tmutex_lock(&kvm->slots_lock);\n\n\tr = kvm_get_dirty_log_protect(kvm, log);\n\n\tmutex_unlock(&kvm->slots_lock);\n\treturn r;\n}", "project": "linux", "hash": 109784595370654831602320259491656901820, "size": 12, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354709 }, { "func": " bool get_time(MYSQL_TIME *ltime)\n { return get_date(ltime, TIME_TIME_ONLY | TIME_INVALID_DATES); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": 
"2e7891080667c59ac80f788eef4d59d447595772", "hash": 203674752900835546113896342011022282544, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509251 }, { "func": "int ecall_restore(const char *input, uint64_t input_len, char **output,\n uint64_t *output_len) {\n if (!asylo::primitives::TrustedPrimitives::IsOutsideEnclave(input,\n input_len) ||\n !asylo::primitives::TrustedPrimitives::IsOutsideEnclave(\n output_len, sizeof(uint64_t))) {\n asylo::primitives::TrustedPrimitives::BestEffortAbort(\n \"ecall_restore: input/output found to not be in untrusted memory.\");\n }\n int result = 0;\n size_t tmp_output_len;\n try {\n result = asylo::Restore(input, static_cast(input_len), output,\n &tmp_output_len);\n } catch (...) 
{\n LOG(FATAL) << \"Uncaught exception in enclave\";\n }\n\n if (output_len) {\n *output_len = static_cast(tmp_output_len);\n }\n return result;\n}", "project": "asylo", "hash": 104108689796384044909836162554974524043, "size": 23, "commit_id": "382da2b8b09cbf928668a2445efb778f76bd9c8a", "message": "Check output of ecall_restore is outside enclave\n\nPiperOrigin-RevId: 334265380\nChange-Id: Ifbaead6bce56f01b2a4d69f53ca508d0138f6f61", "target": 1, "dataset": "other", "idx": 197910 }, { "func": "int ecall_restore(const char *input, uint64_t input_len, char **output,\n uint64_t *output_len) {\n if (!asylo::primitives::TrustedPrimitives::IsOutsideEnclave(input,\n input_len) ||\n !asylo::primitives::TrustedPrimitives::IsOutsideEnclave(\n output_len, sizeof(uint64_t)) ||\n !asylo::primitives::TrustedPrimitives::IsOutsideEnclave(output,\n *output_len)) {\n asylo::primitives::TrustedPrimitives::BestEffortAbort(\n \"ecall_restore: input/output found to not be in untrusted memory.\");\n }\n int result = 0;\n size_t tmp_output_len;\n try {\n result = asylo::Restore(input, static_cast(input_len), output,\n &tmp_output_len);\n } catch (...) 
{\n LOG(FATAL) << \"Uncaught exception in enclave\";\n }\n\n if (output_len) {\n *output_len = static_cast(tmp_output_len);\n }\n return result;\n}", "project": "asylo", "hash": 330875018941072471989270103810819584619, "size": 25, "commit_id": "382da2b8b09cbf928668a2445efb778f76bd9c8a", "message": "Check output of ecall_restore is outside enclave\n\nPiperOrigin-RevId: 334265380\nChange-Id: Ifbaead6bce56f01b2a4d69f53ca508d0138f6f61", "target": 0, "dataset": "other", "idx": 265529 }, { "func": "int ssh_buffer_add_u32(struct ssh_buffer_struct *buffer,uint32_t data)\n{\n int rc;\n\n rc = ssh_buffer_add_data(buffer, &data, sizeof(data));\n if (rc < 0) {\n return -1;\n }\n\n return 0;\n}", "project": "libssh-mirror", "hash": 258013355922631127505695951368357504415, "size": 11, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345156 }, { "func": "void CServer::SendRconLineAuthed(const char *pLine, void *pUser, bool Highlighted)\n{\n\tCServer *pThis = (CServer *)pUser;\n\tstatic volatile int ReentryGuard = 0;\n\tint i;\n\n\tif(ReentryGuard) return;\n\tReentryGuard++;\n\n\tfor(i = 0; i < MAX_CLIENTS; i++)\n\t{\n\t\tif(pThis->m_aClients[i].m_State != CClient::STATE_EMPTY && pThis->m_aClients[i].m_Authed >= pThis->m_RconAuthLevel)\n\t\t\tpThis->SendRconLine(i, pLine);\n\t}\n\n\tReentryGuard--;\n}", "project": "teeworlds", "hash": 17947087909141608119310159823385571303, "size": 17, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382025 }, { "func": "trace_options_core_read(struct file *filp, char __user *ubuf, size_t cnt,\n\t\t\tloff_t *ppos)\n{\n\tvoid *tr_index = filp->private_data;\n\tstruct trace_array *tr;\n\tunsigned int index;\n\tchar *buf;\n\n\tget_tr_index(tr_index, &tr, &index);\n\n\tif 
(tr->trace_flags & (1 << index))\n\t\tbuf = \"1\\n\";\n\telse\n\t\tbuf = \"0\\n\";\n\n\treturn simple_read_from_buffer(ubuf, cnt, ppos, buf, 2);\n}", "project": "linux", "hash": 15566921001175664303199847066728813689, "size": 17, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445546 }, { "func": "static void get_tr_index(void *data, struct trace_array **ptr,\n\t\t\t unsigned int *pindex)\n{\n\t*pindex = *(unsigned char *)data;\n\n\t*ptr = container_of(data - *pindex, struct trace_array,\n\t\t\t trace_flags_index);\n}", "project": "linux", "hash": 318783986940279056993401236919883256740, "size": 8, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445578 }, { "func": "trace_options_core_write(struct file *filp, const char __user *ubuf, size_t cnt,\n\t\t\t loff_t *ppos)\n{\n\tvoid *tr_index = filp->private_data;\n\tstruct trace_array *tr;\n\tunsigned int index;\n\tunsigned long val;\n\tint ret;\n\n\tget_tr_index(tr_index, &tr, &index);\n\n\tret = kstrtoul_from_user(ubuf, cnt, 10, &val);\n\tif (ret)\n\t\treturn ret;\n\n\tif (val != 0 && val != 1)\n\t\treturn -EINVAL;\n\n\tmutex_lock(&trace_types_lock);\n\tret = set_tracer_flag(tr, 1 << index, val);\n\tmutex_unlock(&trace_types_lock);\n\n\tif (ret < 0)\n\t\treturn ret;\n\n\t*ppos += cnt;\n\n\treturn cnt;\n}", "project": "linux", "hash": 45205017990904590921516149603479113132, "size": 29, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445617 }, { "func": "static int __kvm_read_guest_atomic(struct kvm_memory_slot *slot, gfn_t gfn,\n\t\t\t void *data, int offset, unsigned long len)\n{\n\tint r;\n\tunsigned long addr;\n\n\taddr = gfn_to_hva_memslot_prot(slot, gfn, NULL);\n\tif (kvm_is_error_hva(addr))\n\t\treturn -EFAULT;\n\tpagefault_disable();\n\tr = __copy_from_user_inatomic(data, (void __user *)addr + offset, len);\n\tpagefault_enable();\n\tif (r)\n\t\treturn -EFAULT;\n\treturn 0;\n}", "project": "linux", "hash": 254133066017794257502210983481625502688, "size": 16, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354827 }, { "func": "enum_func_status\nphp_mysqlnd_rowp_read_binary_protocol(MYSQLND_MEMORY_POOL_CHUNK * row_buffer, zval ** fields,\n\t\t\t\t\t\t\t\t\t unsigned int field_count, const MYSQLND_FIELD * fields_metadata,\n\t\t\t\t\t\t\t\t\t zend_bool as_int_or_float, MYSQLND_STATS * stats TSRMLS_DC)\n{\n\tunsigned int 
i;\n\tzend_uchar * p = row_buffer->ptr;\n\tzend_uchar * null_ptr, bit;\n\tzval **current_field, **end_field, **start_field;\n\n\tDBG_ENTER(\"php_mysqlnd_rowp_read_binary_protocol\");\n\n\tif (!fields) {\n\t\tDBG_RETURN(FAIL);\n\t}\n\n\tend_field = (start_field = fields) + field_count;\n\n\t/* skip the first byte, not EODATA_MARKER -> 0x0, status */\n\tp++;\n\tnull_ptr= p;\n\tp += (field_count + 9)/8;\t/* skip null bits */\n\tbit\t= 4;\t\t\t\t\t/* first 2 bits are reserved */\n\n\tfor (i = 0, current_field = start_field; current_field < end_field; current_field++, i++) {\n\t\tDBG_INF(\"Directly creating zval\");\n\t\tMAKE_STD_ZVAL(*current_field);\n\t\tif (!*current_field) {\n\t\t\tDBG_RETURN(FAIL);\n\t\t}\n\t}\n\n\tfor (i = 0, current_field = start_field; current_field < end_field; current_field++, i++) {\n\t\tenum_mysqlnd_collected_stats statistic;\n\t\tzend_uchar * orig_p = p;\n\n\t\tDBG_INF_FMT(\"Into zval=%p decoding column %u [%s.%s.%s] type=%u field->flags&unsigned=%u flags=%u is_bit=%u\",\n\t\t\t*current_field, i,\n\t\t\tfields_metadata[i].db, fields_metadata[i].table, fields_metadata[i].name, fields_metadata[i].type,\n\t\t\tfields_metadata[i].flags & UNSIGNED_FLAG, fields_metadata[i].flags, fields_metadata[i].type == MYSQL_TYPE_BIT);\n\t\tif (*null_ptr & bit) {\n\t\t\tDBG_INF(\"It's null\");\n\t\t\tZVAL_NULL(*current_field);\n\t\t\tstatistic = STAT_BINARY_TYPE_FETCHED_NULL;\n\t\t} else {\n\t\t\tenum_mysqlnd_field_types type = fields_metadata[i].type;\n\t\t\tmysqlnd_ps_fetch_functions[type].func(*current_field, &fields_metadata[i], 0, &p TSRMLS_CC);\n\n\t\t\tif (MYSQLND_G(collect_statistics)) {\n\t\t\t\tswitch (fields_metadata[i].type) {\n\t\t\t\t\tcase MYSQL_TYPE_DECIMAL:\tstatistic = STAT_BINARY_TYPE_FETCHED_DECIMAL; break;\n\t\t\t\t\tcase MYSQL_TYPE_TINY:\t\tstatistic = STAT_BINARY_TYPE_FETCHED_INT8; break;\n\t\t\t\t\tcase MYSQL_TYPE_SHORT:\t\tstatistic = STAT_BINARY_TYPE_FETCHED_INT16; break;\n\t\t\t\t\tcase MYSQL_TYPE_LONG:\t\tstatistic = 
STAT_BINARY_TYPE_FETCHED_INT32; break;\n\t\t\t\t\tcase MYSQL_TYPE_FLOAT:\t\tstatistic = STAT_BINARY_TYPE_FETCHED_FLOAT; break;\n\t\t\t\t\tcase MYSQL_TYPE_DOUBLE:\t\tstatistic = STAT_BINARY_TYPE_FETCHED_DOUBLE; break;\n\t\t\t\t\tcase MYSQL_TYPE_NULL:\t\tstatistic = STAT_BINARY_TYPE_FETCHED_NULL; break;\n\t\t\t\t\tcase MYSQL_TYPE_TIMESTAMP:\tstatistic = STAT_BINARY_TYPE_FETCHED_TIMESTAMP; break;\n\t\t\t\t\tcase MYSQL_TYPE_LONGLONG:\tstatistic = STAT_BINARY_TYPE_FETCHED_INT64; break;\n\t\t\t\t\tcase MYSQL_TYPE_INT24:\t\tstatistic = STAT_BINARY_TYPE_FETCHED_INT24; break;\n\t\t\t\t\tcase MYSQL_TYPE_DATE:\t\tstatistic = STAT_BINARY_TYPE_FETCHED_DATE; break;\n\t\t\t\t\tcase MYSQL_TYPE_TIME:\t\tstatistic = STAT_BINARY_TYPE_FETCHED_TIME; break;\n\t\t\t\t\tcase MYSQL_TYPE_DATETIME:\tstatistic = STAT_BINARY_TYPE_FETCHED_DATETIME; break;\n\t\t\t\t\tcase MYSQL_TYPE_YEAR:\t\tstatistic = STAT_BINARY_TYPE_FETCHED_YEAR; break;\n\t\t\t\t\tcase MYSQL_TYPE_NEWDATE:\tstatistic = STAT_BINARY_TYPE_FETCHED_DATE; break;\n\t\t\t\t\tcase MYSQL_TYPE_VARCHAR:\tstatistic = STAT_BINARY_TYPE_FETCHED_STRING; break;\n\t\t\t\t\tcase MYSQL_TYPE_BIT:\t\tstatistic = STAT_BINARY_TYPE_FETCHED_BIT; break;\n\t\t\t\t\tcase MYSQL_TYPE_NEWDECIMAL:\tstatistic = STAT_BINARY_TYPE_FETCHED_DECIMAL; break;\n\t\t\t\t\tcase MYSQL_TYPE_ENUM:\t\tstatistic = STAT_BINARY_TYPE_FETCHED_ENUM; break;\n\t\t\t\t\tcase MYSQL_TYPE_SET:\t\tstatistic = STAT_BINARY_TYPE_FETCHED_SET; break;\n\t\t\t\t\tcase MYSQL_TYPE_TINY_BLOB:\tstatistic = STAT_BINARY_TYPE_FETCHED_BLOB; break;\n\t\t\t\t\tcase MYSQL_TYPE_MEDIUM_BLOB:statistic = STAT_BINARY_TYPE_FETCHED_BLOB; break;\n\t\t\t\t\tcase MYSQL_TYPE_LONG_BLOB:\tstatistic = STAT_BINARY_TYPE_FETCHED_BLOB; break;\n\t\t\t\t\tcase MYSQL_TYPE_BLOB:\t\tstatistic = STAT_BINARY_TYPE_FETCHED_BLOB; break;\n\t\t\t\t\tcase MYSQL_TYPE_VAR_STRING:\tstatistic = STAT_BINARY_TYPE_FETCHED_STRING; break;\n\t\t\t\t\tcase MYSQL_TYPE_STRING:\t\tstatistic = STAT_BINARY_TYPE_FETCHED_STRING; break;\n\t\t\t\t\tcase 
MYSQL_TYPE_GEOMETRY:\tstatistic = STAT_BINARY_TYPE_FETCHED_GEOMETRY; break;\n\t\t\t\t\tdefault: statistic = STAT_BINARY_TYPE_FETCHED_OTHER; break;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tMYSQLND_INC_CONN_STATISTIC_W_VALUE2(stats, statistic, 1,\n\t\t\t\t\t\t\t\t\t\tSTAT_BYTES_RECEIVED_PURE_DATA_PS,\n\t\t\t\t\t\t\t\t\t\t(Z_TYPE_PP(current_field) == IS_STRING)?\n\t\t\t\t\t\t\t\t\t\t\tZ_STRLEN_PP(current_field) : (p - orig_p));\n\n\t\tif (!((bit<<=1) & 255)) {\n\t\t\tbit = 1;\t/* to the following byte */\n\t\t\tnull_ptr++;\n\t\t}\n\t}\n\n\tDBG_RETURN(PASS);", "project": "php-src", "hash": 120848902100343192233800248766384104189, "size": 93, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416669 }, { "func": "/* should only be called by SQPOLL task */\nstatic void io_uring_cancel_sqpoll(struct io_sq_data *sqd)\n{\n\tstruct io_uring_task *tctx = current->io_uring;\n\tstruct io_ring_ctx *ctx;\n\ts64 inflight;\n\tDEFINE_WAIT(wait);\n\n\tif (!current->io_uring)\n\t\treturn;\n\tWARN_ON_ONCE(!sqd || sqd->thread != current);\n\n\tatomic_inc(&tctx->in_idle);\n\tdo {\n\t\t/* read completions before cancelations */\n\t\tinflight = tctx_inflight(tctx, false);\n\t\tif (!inflight)\n\t\t\tbreak;\n\t\tlist_for_each_entry(ctx, &sqd->ctx_list, sqd_list)\n\t\t\tio_uring_try_cancel_requests(ctx, current, NULL);\n\n\t\tprepare_to_wait(&tctx->wait, &wait, TASK_UNINTERRUPTIBLE);\n\t\t/*\n\t\t * If we've seen completions, retry without waiting. 
This\n\t\t * avoids a race where a completion comes in before we did\n\t\t * prepare_to_wait().\n\t\t */\n\t\tif (inflight == tctx_inflight(tctx, false))\n\t\t\tschedule();\n\t\tfinish_wait(&tctx->wait, &wait);\n\t} while (1);\n\tatomic_dec(&tctx->in_idle);", "project": "linux", "hash": 256846438900903602746474492286695842728, "size": 32, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338653 }, { "func": " * Malformed skbs with wrong lengths or invalid creds are not processed.\n */\nstatic void\niscsi_if_rx(struct sk_buff *skb)\n{\n\tu32 portid = NETLINK_CB(skb).portid;\n\n\tmutex_lock(&rx_queue_mutex);\n\twhile (skb->len >= NLMSG_HDRLEN) {\n\t\tint err;\n\t\tuint32_t rlen;\n\t\tstruct nlmsghdr\t*nlh;\n\t\tstruct iscsi_uevent *ev;\n\t\tuint32_t group;\n\t\tint retries = ISCSI_SEND_MAX_ALLOWED;\n\n\t\tnlh = nlmsg_hdr(skb);\n\t\tif (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||\n\t\t skb->len < nlh->nlmsg_len) {\n\t\t\tbreak;\n\t\t}\n\n\t\tev = nlmsg_data(nlh);\n\t\trlen = NLMSG_ALIGN(nlh->nlmsg_len);\n\t\tif (rlen > skb->len)\n\t\t\trlen = skb->len;\n\n\t\terr = iscsi_if_recv_msg(skb, nlh, &group);\n\t\tif (err) {\n\t\t\tev->type = ISCSI_KEVENT_IF_ERROR;\n\t\t\tev->iferror = err;\n\t\t}\n\t\tdo 
{\n\t\t\t/*\n\t\t\t * special case for GET_STATS:\n\t\t\t * on success - sending reply and stats from\n\t\t\t * inside of if_recv_msg(),\n\t\t\t * on error - fall through.\n\t\t\t */\n\t\t\tif (ev->type == ISCSI_UEVENT_GET_STATS && !err)\n\t\t\t\tbreak;\n\t\t\tif (ev->type == ISCSI_UEVENT_GET_CHAP && !err)\n\t\t\t\tbreak;\n\t\t\terr = iscsi_if_send_reply(portid, nlh->nlmsg_type,\n\t\t\t\t\t\t ev, sizeof(*ev));\n\t\t\tif (err == -EAGAIN && --retries < 0) {\n\t\t\t\tprintk(KERN_WARNING \"Send reply failed, error %d\\n\", err);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t} while (err < 0 && err != -ECONNREFUSED && err != -ESRCH);\n\t\tskb_pull(skb, rlen);", "project": "linux", "hash": 301574115642297678541543575563311549387, "size": 51, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 380023 }, { "func": "static int x25_create(struct net *net, struct socket *sock, int protocol,\n\t\t int kern)\n{\n\tstruct sock *sk;\n\tstruct x25_sock *x25;\n\tint rc = -EAFNOSUPPORT;\n\n\tif (!net_eq(net, &init_net))\n\t\tgoto out;\n\n\trc = -ESOCKTNOSUPPORT;\n\tif (sock->type != SOCK_SEQPACKET)\n\t\tgoto out;\n\n\trc = -EINVAL;\n\tif (protocol)\n\t\tgoto out;\n\n\trc = -ENOMEM;\n\tif ((sk = x25_alloc_socket(net, kern)) == NULL)\n\t\tgoto out;\n\n\tx25 = x25_sk(sk);\n\n\tsock_init_data(sock, sk);\n\n\tx25_init_timers(sk);\n\n\tsock->ops = &x25_proto_ops;\n\tsk->sk_protocol = protocol;\n\tsk->sk_backlog_rcv = x25_backlog_rcv;\n\n\tx25->t21 = sysctl_x25_call_request_timeout;\n\tx25->t22 = sysctl_x25_reset_request_timeout;\n\tx25->t23 = sysctl_x25_clear_request_timeout;\n\tx25->t2 = sysctl_x25_ack_holdback_timeout;\n\tx25->state = X25_STATE_0;\n\tx25->cudmatchlength = 0;\n\tset_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);\t/* normally no cud */\n\t\t\t\t\t\t\t/* on call accept */\n\n\tx25->facilities.winsize_in = X25_DEFAULT_WINDOW_SIZE;\n\tx25->facilities.winsize_out = X25_DEFAULT_WINDOW_SIZE;\n\tx25->facilities.pacsize_in = X25_DEFAULT_PACKET_SIZE;\n\tx25->facilities.pacsize_out = X25_DEFAULT_PACKET_SIZE;\n\tx25->facilities.throughput = 0;\t/* by default don't negotiate\n\t\t\t\t\t\t throughput */\n\tx25->facilities.reverse = X25_DEFAULT_REVERSE;\n\tx25->dte_facilities.calling_len = 0;\n\tx25->dte_facilities.called_len = 0;\n\tmemset(x25->dte_facilities.called_ae, '\\0',\n\t\t\tsizeof(x25->dte_facilities.called_ae));\n\tmemset(x25->dte_facilities.calling_ae, '\\0',\n\t\t\tsizeof(x25->dte_facilities.calling_ae));\n\n\trc = 0;\nout:\n\treturn rc;\n}", "project": "net", "hash": 128456553202608926981726504234070800101, "size": 59, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to 
NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449183 }, { "func": "static TraceNo trace_findfree(jit_State *J)\n{\n MSize osz, lim;\n if (J->freetrace == 0)\n J->freetrace = 1;\n for (; J->freetrace < J->sizetrace; J->freetrace++)\n if (traceref(J, J->freetrace) == NULL)\n return J->freetrace++;\n /* Need to grow trace array. */\n lim = (MSize)J->param[JIT_P_maxtrace] + 1;\n if (lim < 2) lim = 2; else if (lim > 65535) lim = 65535;\n osz = J->sizetrace;\n if (osz >= lim)\n return 0; /* Too many traces. 
*/\n lj_mem_growvec(J->L, J->trace, J->sizetrace, lim, GCRef);\n for (; osz < J->sizetrace; osz++)\n setgcrefnull(J->trace[osz]);\n return J->freetrace;\n}", "project": "LuaJIT", "hash": 240120030135434599817015452282608582616, "size": 19, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394632 }, { "func": "static inline void kvm_make_request(int req, struct kvm_vcpu *vcpu)\n{\n\t/*\n\t * Ensure the rest of the request is published to kvm_check_request's\n\t * caller. Paired with the smp_mb__after_atomic in kvm_check_request.\n\t */\n\tsmp_wmb();\n\tset_bit(req & KVM_REQUEST_MASK, (void *)&vcpu->requests);\n}", "project": "linux", "hash": 129685674297761197195406379583268779972, "size": 9, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354468 }, { "func": "static bool php_imagechar(const Resource& image, int size, int x, int y,\n const String& c, int color, int mode) {\n gdImagePtr im = get_valid_image_resource(image);\n if (!im) return false;\n int ch = 0;\n gdFontPtr font;\n\n if (mode < 2) {\n ch = (int)((unsigned char)(c.charAt(0)));\n }\n\n font = php_find_gd_font(size);\n\n switch (mode) {\n case 0:\n gdImageChar(im, font, x, y, ch, color);\n break;\n case 1:\n 
php_gdimagecharup(im, font, x, y, ch, color);\n break;\n case 2:\n for (int i = 0; (i < c.length()); i++) {\n gdImageChar(im, font, x, y, (int)((unsigned char)c.charAt(i)), color);\n x += font->w;\n }\n break;\n case 3:\n for (int i = 0; (i < c.length()); i++) {\n gdImageCharUp(im, font, x, y, (int)c.charAt(i), color);\n y -= font->w;\n }\n break;\n }\n return true;\n}", "project": "hhvm", "hash": 200109610097625196044747161103276735814, "size": 35, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219844 }, { "func": " virtual bool get_date_result(MYSQL_TIME *ltime, ulonglong fuzzydate)\n { return get_date(ltime,fuzzydate); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 216549899204927102137252979915393408514, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509467 }, { "func": " */\nstatic void bfq_update_inject_limit(struct bfq_data *bfqd,\n\t\t\t\t struct bfq_queue *bfqq)\n{\n\tu64 tot_time_ns = ktime_get_ns() - bfqd->last_empty_occupied_ns;\n\tunsigned int old_limit = bfqq->inject_limit;\n\n\tif (bfqq->last_serv_time_ns > 0 && bfqd->rqs_injected) {\n\t\tu64 threshold = (bfqq->last_serv_time_ns * 3)>>1;\n\n\t\tif (tot_time_ns >= threshold && old_limit > 0) {\n\t\t\tbfqq->inject_limit--;\n\t\t\tbfqq->decrease_time_jif = jiffies;\n\t\t} else if (tot_time_ns < threshold &&\n\t\t\t old_limit <= bfqd->max_rq_in_driver)\n\t\t\tbfqq->inject_limit++;\n\t}\n\n\t/*\n\t * Either we still have to compute the base value for the\n\t * total service time, and there seem to be the right\n\t * conditions to do it, or we can lower the last base value\n\t * computed.\n\t *\n\t * NOTE: (bfqd->rq_in_driver == 1) means that there is no I/O\n\t * request in flight, because this function is in the code\n\t * path that handles the completion of a request of bfqq, and,\n\t * in particular, this function is executed before\n\t * bfqd->rq_in_driver is decremented in such a code path.\n\t */\n\tif ((bfqq->last_serv_time_ns == 0 && bfqd->rq_in_driver == 1) ||\n\t tot_time_ns < bfqq->last_serv_time_ns) {\n\t\tif (bfqq->last_serv_time_ns == 0) {\n\t\t\t/*\n\t\t\t * Now we certainly have a base value: make sure we\n\t\t\t * start trying injection.\n\t\t\t */\n\t\t\tbfqq->inject_limit = max_t(unsigned int, 1, old_limit);\n\t\t}\n\t\tbfqq->last_serv_time_ns = tot_time_ns;\n\t} else if (!bfqd->rqs_injected && bfqd->rq_in_driver == 1)\n\t\t/*\n\t\t * No I/O injected and no request still in service in\n\t\t * the drive: these are the exact conditions for\n\t\t * computing the base value of the total service time\n\t\t * for bfqq. 
So let's update this value, because it is\n\t\t * rather variable. For example, it varies if the size\n\t\t * or the spatial locality of the I/O requests in bfqq\n\t\t * change.\n\t\t */\n\t\tbfqq->last_serv_time_ns = tot_time_ns;\n\n\n\t/* update complete, not waiting for any request completion any longer */\n\tbfqd->waited_rq = NULL;\n\tbfqd->rqs_injected = false;", "project": "linux", "hash": 72810562750346575165399381074004576699, "size": 56, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453392 }, { "func": "static int run_filter(struct archive_read* a, struct filter_info* flt) {\n\tint ret;\n\tstruct rar5* rar = get_context(a);\n\n\tfree(rar->cstate.filtered_buf);\n\n\trar->cstate.filtered_buf = malloc(flt->block_length);\n\tif(!rar->cstate.filtered_buf) {\n\t\tarchive_set_error(&a->archive, ENOMEM,\n\t\t \"Can't allocate memory for filter data.\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tswitch(flt->type) {\n\t\tcase FILTER_DELTA:\n\t\t\tret = run_delta_filter(rar, flt);\n\t\t\tbreak;\n\n\t\tcase FILTER_E8:\n\t\t\t/* fallthrough */\n\t\tcase FILTER_E8E9:\n\t\t\tret = run_e8e9_filter(rar, flt,\n\t\t\t flt->type == FILTER_E8E9);\n\t\t\tbreak;\n\n\t\tcase FILTER_ARM:\n\t\t\tret = run_arm_filter(rar, flt);\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tarchive_set_error(&a->archive,\n\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t \"Unsupported filter type: 0x%x\", 
flt->type);\n\t\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tif(ret != ARCHIVE_OK) {\n\t\t/* Filter has failed. */\n\t\treturn ret;\n\t}\n\n\tif(ARCHIVE_OK != push_data_ready(a, rar, rar->cstate.filtered_buf,\n\t flt->block_length, rar->cstate.last_write_ptr))\n\t{\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,\n\t\t \"Stack overflow when submitting unpacked data\");\n\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\trar->cstate.last_write_ptr += flt->block_length;\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 202987453298659916686945224587713736582, "size": 53, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244725 }, { "func": "static OPJ_BOOL opj_j2k_add_mhmarker(opj_codestream_index_t *cstr_index,\n OPJ_UINT32 type, OPJ_OFF_T pos, OPJ_UINT32 len)\n{\n assert(cstr_index != 00);\n\n /* expand the list? */\n if ((cstr_index->marknum + 1) > cstr_index->maxmarknum) {\n opj_marker_info_t *new_marker;\n cstr_index->maxmarknum = (OPJ_UINT32)(100 + (OPJ_FLOAT32)\n cstr_index->maxmarknum);\n new_marker = (opj_marker_info_t *) opj_realloc(cstr_index->marker,\n cstr_index->maxmarknum * sizeof(opj_marker_info_t));\n if (! 
new_marker) {\n opj_free(cstr_index->marker);\n cstr_index->marker = NULL;\n cstr_index->maxmarknum = 0;\n cstr_index->marknum = 0;\n /* opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to add mh marker\\n\"); */\n return OPJ_FALSE;\n }\n cstr_index->marker = new_marker;\n }\n\n /* add the marker */\n cstr_index->marker[cstr_index->marknum].type = (OPJ_UINT16)type;\n cstr_index->marker[cstr_index->marknum].pos = (OPJ_INT32)pos;\n cstr_index->marker[cstr_index->marknum].len = (OPJ_INT32)len;\n cstr_index->marknum++;\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 268065641191860342677410699731883724585, "size": 30, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357386 }, { "func": "\nstatic bool io_arm_poll_handler(struct io_kiocb *req)\n{\n\tconst struct io_op_def *def = &io_op_defs[req->opcode];\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tstruct async_poll *apoll;\n\tstruct io_poll_table ipt;\n\t__poll_t mask, ret;\n\tint rw;\n\n\tif (!req->file || !file_can_poll(req->file))\n\t\treturn false;\n\tif (req->flags & REQ_F_POLLED)\n\t\treturn false;\n\tif (def->pollin)\n\t\trw = READ;\n\telse if (def->pollout)\n\t\trw = WRITE;\n\telse\n\t\treturn false;\n\t/* if we can't nonblock try, then no point in arming a poll handler */\n\tif (!io_file_supports_async(req, rw))\n\t\treturn false;\n\n\tapoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);\n\tif (unlikely(!apoll))\n\t\treturn false;\n\tapoll->double_poll = NULL;\n\n\treq->flags |= REQ_F_POLLED;\n\treq->apoll = apoll;\n\n\tmask = EPOLLONESHOT;\n\tif (def->pollin)\n\t\tmask |= POLLIN | POLLRDNORM;\n\tif (def->pollout)\n\t\tmask |= POLLOUT | POLLWRNORM;\n\n\t/* If reading from MSG_ERRQUEUE using recvmsg, ignore POLLIN */\n\tif ((req->opcode == IORING_OP_RECVMSG) &&\n\t (req->sr_msg.msg_flags & MSG_ERRQUEUE))\n\t\tmask &= ~POLLIN;\n\n\tmask |= POLLERR | 
POLLPRI;\n\n\tipt.pt._qproc = io_async_queue_proc;\n\n\tret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask,\n\t\t\t\t\tio_async_wake);\n\tif (ret || ipt.error) {\n\t\tio_poll_remove_double(req);\n\t\tspin_unlock_irq(&ctx->completion_lock);\n\t\treturn false;\n\t}\n\tspin_unlock_irq(&ctx->completion_lock);\n\ttrace_io_uring_poll_arm(ctx, req->opcode, req->user_data, mask,\n\t\t\t\t\tapoll->poll.events);\n\treturn true;", "project": "linux", "hash": 157104264693687336219892133418735339266, "size": 58, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338708 }, { "func": "static bool io_arm_poll_handler(struct io_kiocb *req)\n{\n\tconst struct io_op_def *def = &io_op_defs[req->opcode];\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tstruct async_poll *apoll;\n\tstruct io_poll_table ipt;\n\t__poll_t mask, ret;\n\n\tif (!req->file || !file_can_poll(req->file))\n\t\treturn false;\n\tif (req->flags & REQ_F_POLLED)\n\t\treturn false;\n\tif (!def->pollin && !def->pollout)\n\t\treturn false;\n\n\tapoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);\n\tif (unlikely(!apoll))\n\t\treturn false;\n\tapoll->double_poll = NULL;\n\n\treq->flags |= REQ_F_POLLED;\n\tio_get_req_task(req);\n\treq->apoll = 
apoll;\n\tINIT_HLIST_NODE(&req->hash_node);\n\n\tmask = 0;\n\tif (def->pollin)\n\t\tmask |= POLLIN | POLLRDNORM;\n\tif (def->pollout)\n\t\tmask |= POLLOUT | POLLWRNORM;\n\tmask |= POLLERR | POLLPRI;\n\n\tipt.pt._qproc = io_async_queue_proc;\n\n\tret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask,\n\t\t\t\t\tio_async_wake);\n\tif (ret) {\n\t\tio_poll_remove_double(req, apoll->double_poll);\n\t\tspin_unlock_irq(&ctx->completion_lock);\n\t\tkfree(apoll->double_poll);\n\t\tkfree(apoll);\n\t\treturn false;\n\t}\n\tspin_unlock_irq(&ctx->completion_lock);\n\ttrace_io_uring_poll_arm(ctx, req->opcode, req->user_data, mask,\n\t\t\t\t\tapoll->poll.events);\n\treturn true;\n}", "project": "linux", "hash": 325201674246385763100252070511538999798, "size": 48, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456919 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "BlobURLRequestJob::~BlobURLRequestJob() {\n CloseStream();\n}\n", "cwe": "", "big_vul_idx": 106428, "idx": 176355, "hash": 273774792849203835496514814749886708723 }, { "func": "PLUGINDEX CSoundFile::GetActiveInstrumentPlugin(CHANNELINDEX nChn, PluginMutePriority respectMutes) const\n{\n\t// Unlike channel settings, pModInstrument is copied from the original chan to the NNA chan,\n\t// so we don't need to worry about finding the master chan.\n\n\tPLUGINDEX plug = 
0;\n\tif(m_PlayState.Chn[nChn].pModInstrument != nullptr)\n\t{\n\t\tif(respectMutes == RespectMutes && m_PlayState.Chn[nChn].pModSample && m_PlayState.Chn[nChn].pModSample->uFlags[CHN_MUTE])\n\t\t{\n\t\t\tplug = 0;\n\t\t} else\n\t\t{\n\t\t\tplug = m_PlayState.Chn[nChn].pModInstrument->nMixPlug;\n\t\t}\n\t}\n\treturn plug;\n}", "project": "openmpt", "hash": 300587444660757074039295214534322322460, "size": 18, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255232 }, { "func": "int hci_update_random_address(struct hci_request *req, bool require_privacy,\n\t\t\t bool use_rpa, u8 *own_addr_type)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tint err;\n\n\t/* If privacy is enabled use a resolvable private address. 
If\n\t * current RPA has expired or there is something else than\n\t * the current RPA in use, then generate a new one.\n\t */\n\tif (use_rpa) {\n\t\tint to;\n\n\t\t/* If Controller supports LL Privacy use own address type is\n\t\t * 0x03\n\t\t */\n\t\tif (use_ll_privacy(hdev))\n\t\t\t*own_addr_type = ADDR_LE_DEV_RANDOM_RESOLVED;\n\t\telse\n\t\t\t*own_addr_type = ADDR_LE_DEV_RANDOM;\n\n\t\tif (!hci_dev_test_and_clear_flag(hdev, HCI_RPA_EXPIRED) &&\n\t\t !bacmp(&hdev->random_addr, &hdev->rpa))\n\t\t\treturn 0;\n\n\t\terr = smp_generate_rpa(hdev, hdev->irk, &hdev->rpa);\n\t\tif (err < 0) {\n\t\t\tbt_dev_err(hdev, \"failed to generate new RPA\");\n\t\t\treturn err;\n\t\t}\n\n\t\tset_random_addr(req, &hdev->rpa);\n\n\t\tto = msecs_to_jiffies(hdev->rpa_timeout * 1000);\n\t\tqueue_delayed_work(hdev->workqueue, &hdev->rpa_expired, to);\n\n\t\treturn 0;\n\t}\n\n\t/* In case of required privacy without resolvable private address,\n\t * use an non-resolvable private address. This is useful for active\n\t * scanning and non-connectable advertising.\n\t */\n\tif (require_privacy) {\n\t\tbdaddr_t nrpa;\n\n\t\twhile (true) {\n\t\t\t/* The non-resolvable private address is generated\n\t\t\t * from random six bytes with the two most significant\n\t\t\t * bits cleared.\n\t\t\t */\n\t\t\tget_random_bytes(&nrpa, 6);\n\t\t\tnrpa.b[5] &= 0x3f;\n\n\t\t\t/* The non-resolvable private address shall not be\n\t\t\t * equal to the public address.\n\t\t\t */\n\t\t\tif (bacmp(&hdev->bdaddr, &nrpa))\n\t\t\t\tbreak;\n\t\t}\n\n\t\t*own_addr_type = ADDR_LE_DEV_RANDOM;\n\t\tset_random_addr(req, &nrpa);\n\t\treturn 0;\n\t}\n\n\t/* If forcing static address is in use or there is no public\n\t * address use the static address as random address (but skip\n\t * the HCI command if the current random address is already the\n\t * static one.\n\t *\n\t * In case BR/EDR has been disabled on a dual-mode controller\n\t * and a static address has been configured, then use that\n\t * address instead of the 
public BR/EDR address.\n\t */\n\tif (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||\n\t !bacmp(&hdev->bdaddr, BDADDR_ANY) ||\n\t (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&\n\t bacmp(&hdev->static_addr, BDADDR_ANY))) {\n\t\t*own_addr_type = ADDR_LE_DEV_RANDOM;\n\t\tif (bacmp(&hdev->static_addr, &hdev->random_addr))\n\t\t\thci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6,\n\t\t\t\t &hdev->static_addr);\n\t\treturn 0;\n\t}\n\n\t/* Neither privacy nor static address is being used so use a\n\t * public address.\n\t */\n\t*own_addr_type = ADDR_LE_DEV_PUBLIC;\n\n\treturn 0;\n}", "project": "linux", "hash": 233553219234023494306708578719623259031, "size": 93, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402486 }, { "func": "ConnStateData::clientParseRequests()\n{\n bool parsed_req = false;\n\n debugs(33, 5, HERE << clientConnection << \": attempting to parse\");\n\n // Loop while we have read bytes that are not needed for producing the body\n // On errors, bodyPipe may become nil, but readMore will be cleared\n while (!inBuf.isEmpty() && !bodyPipe && flags.readMore) {\n\n // Prohibit concurrent requests when using a pinned to-server connection\n // because our Client classes do not support request pipelining.\n if (pinning.pinned && !pinning.readHandler) {\n debugs(33, 3, clientConnection << \" waits for busy \" << pinning.serverConnection);\n break;\n }\n\n /* Limit the number of concurrent requests */\n if (concurrentRequestQueueFilled())\n break;\n\n // try to parse the PROXY protocol header magic bytes\n if (needProxyProtocolHeader_) {\n if (!parseProxyProtocolHeader())\n break;\n\n // we have been waiting for PROXY to provide client-IP\n // for some lookups, ie rDNS and IDENT.\n whenClientIpKnown();\n\n // Done with PROXY protocol which has cleared preservingClientData_.\n // If the next protocol supports on_unsupported_protocol, then its\n // parseOneRequest() must reset preservingClientData_.\n assert(!preservingClientData_);\n }\n\n if (Http::StreamPointer context = parseOneRequest()) {\n debugs(33, 5, clientConnection << \": done parsing a request\");\n\n AsyncCall::Pointer timeoutCall = commCbCall(5, 4, \"clientLifetimeTimeout\",\n CommTimeoutCbPtrFun(clientLifetimeTimeout, context->http));\n commSetConnTimeout(clientConnection, Config.Timeout.lifetime, timeoutCall);\n\n context->registerWithConn();\n\n#if USE_OPENSSL\n if (switchedToHttps())\n parsedBumpedRequestCount++;\n#endif\n\n 
processParsedRequest(context);\n\n parsed_req = true; // XXX: do we really need to parse everything right NOW ?\n\n if (context->mayUseConnection()) {\n debugs(33, 3, HERE << \"Not parsing new requests, as this request may need the connection\");\n break;\n }\n } else {\n debugs(33, 5, clientConnection << \": not enough request data: \" <<\n inBuf.length() << \" < \" << Config.maxRequestHeaderSize);\n Must(inBuf.length() < Config.maxRequestHeaderSize);\n break;\n }\n }\n\n /* XXX where to 'finish' the parsing pass? */\n return parsed_req;\n}", "project": "squid", "hash": 124967477804669897146316925651496592462, "size": 69, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402324 }, { "func": "\tbool NetworkPage(CWebSock& WebSock, CTemplate& Tmpl, CUser* pUser, CIRCNetwork* pNetwork = NULL) {\n\t\tCSmartPtr spSession = WebSock.GetSession();\n\t\tTmpl.SetFile(\"add_edit_network.tmpl\");\n\n\t\tif (!WebSock.GetParam(\"submitted\").ToUInt()) {\n\t\t\tTmpl[\"Username\"] = pUser->GetUserName();\n\n\t\t\tset ssNetworkMods;\n\t\t\tCZNC::Get().GetModules().GetAvailableMods(ssNetworkMods, CModInfo::NetworkModule);\n\t\t\tfor (set::iterator it = ssNetworkMods.begin(); it != ssNetworkMods.end(); ++it) {\n\t\t\t\tconst CModInfo& Info = *it;\n\t\t\t\tCTemplate& l = Tmpl.AddRow(\"ModuleLoop\");\n\n\t\t\t\tl[\"Name\"] = Info.GetName();\n\t\t\t\tl[\"Description\"] = Info.GetDescription();\n\t\t\t\tl[\"Wiki\"] = 
Info.GetWikiPage();\n\t\t\t\tl[\"HasArgs\"] = CString(Info.GetHasArgs());\n\t\t\t\tl[\"ArgsHelpText\"] = Info.GetArgsHelpText();\n\n\t\t\t\tif (pNetwork) {\n\t\t\t\t\tCModule *pModule = pNetwork->GetModules().FindModule(Info.GetName());\n\t\t\t\t\tif (pModule) {\n\t\t\t\t\t\tl[\"Checked\"] = \"true\";\n\t\t\t\t\t\tl[\"Args\"] = pModule->GetArgs();\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif (!spSession->IsAdmin() && pUser->DenyLoadMod()) {\n\t\t\t\t\tl[\"Disabled\"] = \"true\";\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// To change BindHosts be admin or don't have DenySetBindHost\n\t\t\tif (spSession->IsAdmin() || !spSession->GetUser()->DenySetBindHost()) {\n\t\t\t\tTmpl[\"BindHostEdit\"] = \"true\";\n\t\t\t\tconst VCString& vsBindHosts = CZNC::Get().GetBindHosts();\n\t\t\t\tif (vsBindHosts.empty()) {\n\t\t\t\t\tif (pNetwork) {\n\t\t\t\t\t\tTmpl[\"BindHost\"] = pNetwork->GetBindHost();\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tbool bFoundBindHost = false;\n\t\t\t\t\tfor (unsigned int b = 0; b < vsBindHosts.size(); b++) {\n\t\t\t\t\t\tconst CString& sBindHost = vsBindHosts[b];\n\t\t\t\t\t\tCTemplate& l = Tmpl.AddRow(\"BindHostLoop\");\n\n\t\t\t\t\t\tl[\"BindHost\"] = sBindHost;\n\n\t\t\t\t\t\tif (pNetwork && pNetwork->GetBindHost() == sBindHost) {\n\t\t\t\t\t\t\tl[\"Checked\"] = \"true\";\n\t\t\t\t\t\t\tbFoundBindHost = true;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\t// If our current bindhost is not in the global list...\n\t\t\t\t\tif (pNetwork && !bFoundBindHost && !pNetwork->GetBindHost().empty()) {\n\t\t\t\t\t\tCTemplate& l = Tmpl.AddRow(\"BindHostLoop\");\n\n\t\t\t\t\t\tl[\"BindHost\"] = pNetwork->GetBindHost();\n\t\t\t\t\t\tl[\"Checked\"] = \"true\";\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (pNetwork) {\n\t\t\t\tTmpl[\"Action\"] = \"editnetwork\";\n\t\t\t\tTmpl[\"Edit\"] = \"true\";\n\t\t\t\tTmpl[\"Title\"] = \"Edit Network\" + CString(\" [\" + pNetwork->GetName() + \"]\") + \" of User [\" + pUser->GetUserName() + \"]\";\n\t\t\t\tTmpl[\"Name\"] = 
pNetwork->GetName();\n\n\t\t\t\tTmpl[\"Nick\"] = pNetwork->GetNick();\n\t\t\t\tTmpl[\"AltNick\"] = pNetwork->GetAltNick();\n\t\t\t\tTmpl[\"Ident\"] = pNetwork->GetIdent();\n\t\t\t\tTmpl[\"RealName\"] = pNetwork->GetRealName();\n\n\t\t\t\tTmpl[\"FloodProtection\"] = CString(CIRCSock::IsFloodProtected(pNetwork->GetFloodRate()));\n\t\t\t\tTmpl[\"FloodRate\"] = CString(pNetwork->GetFloodRate());\n\t\t\t\tTmpl[\"FloodBurst\"] = CString(pNetwork->GetFloodBurst());\n\n\t\t\t\tTmpl[\"IRCConnectEnabled\"] = CString(pNetwork->GetIRCConnectEnabled());\n\n\t\t\t\tconst vector& vServers = pNetwork->GetServers();\n\t\t\t\tfor (unsigned int a = 0; a < vServers.size(); a++) {\n\t\t\t\t\tCTemplate& l = Tmpl.AddRow(\"ServerLoop\");\n\t\t\t\t\tl[\"Server\"] = vServers[a]->GetString();\n\t\t\t\t}\n\n\t\t\t\tconst vector& Channels = pNetwork->GetChans();\n\t\t\t\tfor (unsigned int c = 0; c < Channels.size(); c++) {\n\t\t\t\t\tCChan* pChan = Channels[c];\n\t\t\t\t\tCTemplate& l = Tmpl.AddRow(\"ChannelLoop\");\n\n\t\t\t\t\tl[\"Network\"] = pNetwork->GetName();\n\t\t\t\t\tl[\"Username\"] = pUser->GetUserName();\n\t\t\t\t\tl[\"Name\"] = pChan->GetName();\n\t\t\t\t\tl[\"Perms\"] = pChan->GetPermStr();\n\t\t\t\t\tl[\"CurModes\"] = pChan->GetModeString();\n\t\t\t\t\tl[\"DefModes\"] = pChan->GetDefaultModes();\n\t\t\t\t\tl[\"BufferCount\"] = CString(pChan->GetBufferCount());\n\t\t\t\t\tl[\"Options\"] = pChan->GetOptions();\n\n\t\t\t\t\tif (pChan->InConfig()) {\n\t\t\t\t\t\tl[\"InConfig\"] = \"true\";\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tif (!spSession->IsAdmin() && !pUser->HasSpaceForNewNetwork()) {\n\t\t\t\t\tWebSock.PrintErrorPage(\"Network number limit reached. 
Ask an admin to increase the limit for you, or delete few old ones from Your Settings\");\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\n\t\t\t\tTmpl[\"Action\"] = \"addnetwork\";\n\t\t\t\tTmpl[\"Title\"] = \"Add Network for User [\" + pUser->GetUserName() + \"]\";\n\t\t\t\tTmpl[\"IRCConnectEnabled\"] = \"true\";\n\t\t\t\tTmpl[\"FloodProtection\"] = \"true\";\n\t\t\t\tTmpl[\"FloodRate\"] = \"1.0\";\n\t\t\t\tTmpl[\"FloodBurst\"] = \"4\";\n\t\t\t}\n\n\t\t\tFOR_EACH_MODULE(i, make_pair(pUser, pNetwork)) {\n\t\t\t\tCTemplate& mod = Tmpl.AddRow(\"EmbeddedModuleLoop\");\n\t\t\t\tmod.insert(Tmpl.begin(), Tmpl.end());\n\t\t\t\tmod[\"WebadminAction\"] = \"display\";\n\t\t\t\tif ((*i)->OnEmbeddedWebRequest(WebSock, \"webadmin/network\", mod)) {\n\t\t\t\t\tmod[\"Embed\"] = WebSock.FindTmpl(*i, \"WebadminNetwork.tmpl\");\n\t\t\t\t\tmod[\"ModName\"] = (*i)->GetModName();\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn true;\n\t\t}\n\n\t\tCString sName = WebSock.GetParam(\"network\").Trim_n();\n\t\tif (sName.empty()) {\n\t\t\tWebSock.PrintErrorPage(\"Network name is a required argument\");\n\t\t\treturn true;\n\t\t}\n\n\t\tif (!pNetwork) {\n\t\t\tif (!spSession->IsAdmin() && !pUser->HasSpaceForNewNetwork()) {\n\t\t\t\tWebSock.PrintErrorPage(\"Network number limit reached. 
Ask an admin to increase the limit for you, or delete few old ones from Your Settings\");\n\t\t\t\treturn true;\n\t\t\t}\n\t\t\tif (!CIRCNetwork::IsValidNetwork(sName)) {\n\t\t\t\tWebSock.PrintErrorPage(\"Network name should be alphanumeric\");\n\t\t\t\treturn true;\n\t\t\t}\n\t\t\tpNetwork = pUser->AddNetwork(sName);\n\t\t\tif (!pNetwork) {\n\t\t\t\tWebSock.PrintErrorPage(\"Network [\" + sName.Token(0) + \"] already exists\");\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\n\t\tCString sArg;\n\n\t\tpNetwork->SetNick(WebSock.GetParam(\"nick\"));\n\t\tpNetwork->SetAltNick(WebSock.GetParam(\"altnick\"));\n\t\tpNetwork->SetIdent(WebSock.GetParam(\"ident\"));\n\t\tpNetwork->SetRealName(WebSock.GetParam(\"realname\"));\n\n\t\tpNetwork->SetIRCConnectEnabled(WebSock.GetParam(\"doconnect\").ToBool());\n\n\t\tsArg = WebSock.GetParam(\"bindhost\");\n\t\t// To change BindHosts be admin or don't have DenySetBindHost\n\t\tif (spSession->IsAdmin() || !spSession->GetUser()->DenySetBindHost()) {\n\t\t\tCString sHost = WebSock.GetParam(\"bindhost\");\n\t\t\tconst VCString& vsHosts = CZNC::Get().GetBindHosts();\n\t\t\tif (!spSession->IsAdmin() && !vsHosts.empty()) {\n\t\t\t\tVCString::const_iterator it;\n\t\t\t\tbool bFound = false;\n\n\t\t\t\tfor (it = vsHosts.begin(); it != vsHosts.end(); ++it) {\n\t\t\t\t\tif (sHost.Equals(*it)) {\n\t\t\t\t\t\tbFound = true;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif (!bFound) {\n\t\t\t\t\tsHost = pNetwork->GetBindHost();\n\t\t\t\t}\n\t\t\t}\n\t\t\tpNetwork->SetBindHost(sHost);\n\t\t}\n\n\t\tif (WebSock.GetParam(\"floodprotection\").ToBool()) {\n\t\t\tpNetwork->SetFloodRate(WebSock.GetParam(\"floodrate\").ToDouble());\n\t\t\tpNetwork->SetFloodBurst(WebSock.GetParam(\"floodburst\").ToUShort());\n\t\t} else {\n\t\t\tpNetwork->SetFloodRate(-1);\n\t\t}\n\n\t\tVCString vsArgs;\n\n\t\tpNetwork->DelServers();\n\t\tWebSock.GetRawParam(\"servers\").Split(\"\\n\", vsArgs);\n\t\tfor (unsigned int a = 0; a < vsArgs.size(); a++) 
{\n\t\t\tpNetwork->AddServer(vsArgs[a].Trim_n());\n\t\t}\n\n\t\tWebSock.GetParamValues(\"channel\", vsArgs);\n\t\tfor (unsigned int a = 0; a < vsArgs.size(); a++) {\n\t\t\tconst CString& sChan = vsArgs[a];\n\t\t\tCChan *pChan = pNetwork->FindChan(sChan.TrimRight_n(\"\\r\"));\n\t\t\tif (pChan) {\n\t\t\t\tpChan->SetInConfig(WebSock.GetParam(\"save_\" + sChan).ToBool());\n\t\t\t}\n\t\t}\n\n\t\tset ssArgs;\n\t\tWebSock.GetParamValues(\"loadmod\", ssArgs);\n\t\tif (spSession->IsAdmin() || !pUser->DenyLoadMod()) {\n\t\t\tfor (set::iterator it = ssArgs.begin(); it != ssArgs.end(); ++it) {\n\t\t\t\tCString sModRet;\n\t\t\t\tCString sModName = (*it).TrimRight_n(\"\\r\");\n\t\t\t\tCString sModLoadError;\n\n\t\t\t\tif (!sModName.empty()) {\n\t\t\t\t\tCString sArgs = WebSock.GetParam(\"modargs_\" + sModName);\n\n\t\t\t\t\tCModule *pMod = pNetwork->GetModules().FindModule(sModName);\n\n\t\t\t\t\tif (!pMod) {\n\t\t\t\t\t\tif (!pNetwork->GetModules().LoadModule(sModName, sArgs, CModInfo::NetworkModule, pUser, pNetwork, sModRet)) {\n\t\t\t\t\t\t\tsModLoadError = \"Unable to load module [\" + sModName + \"] [\" + sModRet + \"]\";\n\t\t\t\t\t\t}\n\t\t\t\t\t} else if (pMod->GetArgs() != sArgs) {\n\t\t\t\t\t\tif (!pNetwork->GetModules().ReloadModule(sModName, sArgs, pUser, pNetwork, sModRet)) {\n\t\t\t\t\t\t\tsModLoadError = \"Unable to reload module [\" + sModName + \"] [\" + sModRet + \"]\";\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif (!sModLoadError.empty()) {\n\t\t\t\t\t\tDEBUG(sModLoadError);\n\t\t\t\t\t\tWebSock.GetSession()->AddError(sModLoadError);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tconst CModules& vCurMods = pNetwork->GetModules();\n\t\tset ssUnloadMods;\n\n\t\tfor (unsigned int a = 0; a < vCurMods.size(); a++) {\n\t\t\tCModule* pCurMod = vCurMods[a];\n\n\t\t\tif (ssArgs.find(pCurMod->GetModName()) == ssArgs.end() && pCurMod->GetModName() != GetModName()) {\n\t\t\t\tssUnloadMods.insert(pCurMod->GetModName());\n\t\t\t}\n\t\t}\n\n\t\tfor (set::iterator it2 = 
ssUnloadMods.begin(); it2 != ssUnloadMods.end(); ++it2) {\n\t\t\tpNetwork->GetModules().UnloadModule(*it2);\n\t\t}\n\n\t\tCTemplate TmplMod;\n\t\tTmplMod[\"Username\"] = pUser->GetUserName();\n\t\tTmplMod[\"Name\"] = pNetwork->GetName();\n\t\tTmplMod[\"WebadminAction\"] = \"change\";\n\t\tFOR_EACH_MODULE(it, make_pair(pUser, pNetwork)) {\n\t\t\t(*it)->OnEmbeddedWebRequest(WebSock, \"webadmin/network\", TmplMod);\n\t\t}\n\n\t\tif (!CZNC::Get().WriteConfig()) {\n\t\t\tWebSock.PrintErrorPage(\"Network added/modified, but config was not written\");\n\t\t\treturn true;\n\t\t}\n\n\t\tWebSock.Redirect(\"edituser?user=\" + pUser->GetUserName().Escape_n(CString::EURL));\n\t\treturn true;\n\t}", "project": "znc", "hash": 247225147728624662697354633946996283052, "size": 272, "commit_id": "2bd410ee5570cea127233f1133ea22f25174eb28", "message": "Fix NULL pointer dereference in webadmin.\n\nTriggerable by any non-admin, if webadmin is loaded.\n\nThe only affected version is 1.0\n\nThanks to ChauffeR (Simone Esposito) for reporting this.", "target": 0, "dataset": "other", "idx": 412193 }, { "func": "int nfs41_sequence_done(struct rpc_task *task, struct nfs4_sequence_res *res)\n{\n\tif (!nfs41_sequence_process(task, res))\n\t\treturn 0;\n\tif (res->sr_slot != NULL)\n\t\tnfs41_sequence_free_slot(res);\n\treturn 1;\n\n}", "project": "linux", "hash": 324983903596724150686703026991866290296, "size": 9, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431561 }, { "func": "static void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM 
**priv_key)\n{\n\t*pub_key = d->pub_key;\n\t*priv_key = d->priv_key;\n}", "project": "php-src", "hash": 186889883696139212645569736030151497746, "size": 5, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291372 }, { "func": "static int ca8210_set_csma_params(\n\tstruct ieee802154_hw *hw,\n\tu8 min_be,\n\tu8 max_be,\n\tu8 retries\n)\n{\n\tu8 status;\n\tstruct ca8210_priv *priv = hw->priv;\n\n\tstatus = mlme_set_request_sync(MAC_MIN_BE, 0, 1, &min_be, priv->spi);\n\tif (status) {\n\t\tdev_err(\n\t\t\t&priv->spi->dev,\n\t\t\t\"error setting min be, MLME-SET.confirm status = %d\",\n\t\t\tstatus\n\t\t);\n\t\treturn link_to_linux_err(status);\n\t}\n\tstatus = mlme_set_request_sync(MAC_MAX_BE, 0, 1, &max_be, priv->spi);\n\tif (status) {\n\t\tdev_err(\n\t\t\t&priv->spi->dev,\n\t\t\t\"error setting max be, MLME-SET.confirm status = %d\",\n\t\t\tstatus\n\t\t);\n\t\treturn link_to_linux_err(status);\n\t}\n\tstatus = mlme_set_request_sync(\n\t\tMAC_MAX_CSMA_BACKOFFS,\n\t\t0,\n\t\t1,\n\t\t&retries,\n\t\tpriv->spi\n\t);\n\tif (status) {\n\t\tdev_err(\n\t\t\t&priv->spi->dev,\n\t\t\t\"error setting max csma backoffs, MLME-SET.confirm status = %d\",\n\t\t\tstatus\n\t\t);\n\t}\n\treturn link_to_linux_err(status);\n}", "project": "linux", "hash": 40014961409600192211882006854176772416, "size": 44, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408808 }, { "func": "static void 
imap_mbox_select(struct Mailbox *m)\n{\n struct ImapAccountData *adata = imap_adata_get(m);\n struct ImapMboxData *mdata = imap_mdata_get(m);\n if (!adata || !mdata)\n return;\n\n const char *condstore = NULL;\n#ifdef USE_HCACHE\n if ((adata->capabilities & IMAP_CAP_CONDSTORE) && C_ImapCondstore)\n condstore = \" (CONDSTORE)\";\n else\n#endif\n condstore = \"\";\n\n char buf[PATH_MAX];\n snprintf(buf, sizeof(buf), \"%s %s%s\", m->readonly ? \"EXAMINE\" : \"SELECT\",\n mdata->munge_name, condstore);\n\n adata->state = IMAP_SELECTED;\n\n imap_cmd_start(adata, buf);\n}", "project": "neomutt", "hash": 251328538964071511722250362086251817429, "size": 23, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357035 }, { "func": "void LibRaw::identify()\n{\n // clang-format off\n static const ushort canon[][11] = {\n // raw_width, raw_height, left_margin, top_margin, width_decrement,\n // height_decrement, mask01, mask03, mask11,\n\t // mask13, CFA_filters.\n\t { 1944, 1416, 0, 0, 48, 0 }, // 00 \"PowerShot Pro90 IS\"\n\t { 2144, 1560, 4, 8, 52, 2, 0, 0, 0, 25 }, // 01 \"PowerShot S30\", \"PowerShot G1\"\n\t { 2224, 1456, 48, 6, 0, 2 }, // 02 \"EOS D30\"\n\t { 2376, 1728, 12, 6, 52, 2 }, // 03 \"PowerShot G2\", \"PowerShot S40\", \"PowerShot G3\", \"PowerShot S45\"\n\t { 2672, 1968, 12, 6, 44, 2 }, // 04 \"PowerShot G5\", \"PowerShot S50\", \"PowerShot S60\"\n\t { 3152, 2068, 64, 12, 0, 0, 16 }, // 05 \"EOS D60\", \"EOS 10D\", \"EOS 300D\"\n\t { 3160, 2344, 44, 12, 4, 4 }, // 06 \"PowerShot G6\", \"PowerShot S70\"\n\t { 3344, 2484, 4, 6, 52, 6 }, // 07 \"PowerShot Pro1\"\n\t { 3516, 2328, 42, 14, 0, 0 }, // 08 \"EOS 350D\"\n\t { 3596, 2360, 74, 12, 0, 0 }, // 09 \"EOS-1D Mark II\", \"EOS 20D\", \"EOS-1D Mark II N\", \"EOS 30D\"\n\t { 3744, 2784, 52, 12, 8, 12 }, // 10 \"PowerShot 
G11\", \"PowerShot S90\", \"PowerShot G12\", \"PowerShot S95\"\n\t { 3944, 2622, 30, 18, 6, 2 }, // 11 \"EOS 40D\"\n\t { 3948, 2622, 42, 18, 0, 2 }, // 12 \"EOS 400D\", \"EOS 1000D\"\n\t { 3984, 2622, 76, 20, 0, 2, 14 }, // 13 \"EOS-1D Mark III\"\n\t { 4032, 2656, 112, 44, 10, 0 }, // 14 APS-C crop mode: \"EOS 6D Mark II\"??, \"EOS RP\"\n\t { 4104, 3048, 48, 12, 24, 12 }, // 15 \"PowerShot G9\"\n\t { 4116, 2178, 4, 2, 0, 0 }, // 16 ??\n\t { 4152, 2772, 192, 12, 0, 0 }, // 17 \"PowerShot SX1 IS\"\n\t { 4160, 3124, 104, 11, 8, 65 }, // 18 \"PowerShot S100 (new)\", \"PowerShot S100V\", \"PowerShot G15\", \"PowerShot S110 (new)\"\n\t { 4176, 3062, 96, 17, 8, 0, 0, 16, 0, 7, 0x49 }, // 19 \"PowerShot SX50 HS\"\n\t { 4192, 3062, 96, 17, 24, 0, 0, 16, 0, 0, 0x49 }, // 20 \"PowerShot G16\", \"PowerShot S120\"\n\t { 4312, 2876, 22, 18, 0, 2 }, // 21 \"EOS 450D\"\n\t { 4352, 2850, 144, 46, 0, 0 }, // 22 APS-C crop mode: \"EOS R\"\n\t { 4352, 2874, 62, 18, 0, 0 }, // 23 \"EOS 1100D\"\n\t { 4476, 2954, 90, 34, 0, 0 }, // 24 \"EOS 5D\"\n\t { 4480, 3348, 12, 10, 36, 12, 0, 0, 0, 18, 0x49 }, // 25 \"PowerShot G10\"\n\t { 4480, 3366, 80, 50, 0, 0 }, // 26 \"PowerShot G1 X Mark II\"\n\t { 4496, 3366, 80, 50, 12, 0 }, // 27 \"PowerShot G1 X\"\n\t { 4768, 3516, 96, 16, 0, 0, 0, 16 }, // 28 \"PowerShot SX60 HS\"\n\t { 4832, 3204, 62, 26, 0, 0 }, // 29 \"EOS 500D\"\n\t { 4832, 3228, 62, 51, 0, 0 }, // 30 \"EOS 50D\"\n\t { 5108, 3349, 98, 13, 0, 0 }, // 31 \"EOS-1Ds Mark II\"\n\t { 5120, 3318, 142, 45, 62, 0 }, // 32 \"EOS-1D Mark IV\"\n\t { 5280, 3528, 72, 52, 0, 0 }, // 33 \"EOS M10\", \"EOS 650D\", \"EOS 700D\", \"EOS M\", \"EOS 100D\", \"EOS M2\"\n\t { 5344, 3516, 142, 51, 0, 0 }, // 34 \"EOS 550D\", \"EOS 600D\", \"EOS 60D\", \"EOS 1200D\", \"EOS 1300D\", \"EOS 3000D\"\n\t { 5344, 3584, 126, 100, 0, 2 }, // 35 \"EOS-1D X\", \"EOS-1D C\"\n\t { 5344, 3950, 98, 18, 0, 0, 0, 24, 0, 0 }, // 36 \"PowerShot SX70 HS\"\n\t { 5360, 3516, 158, 51, 0, 0 }, // 37 \"EOS 7D\"\n\t { 5568, 3708, 
72, 38, 0, 0 }, // 38; \"EOS 7D Mark II\", \"EOS 6D\", \"EOS 70D\", \"EOS-1D X MARK II\"\n\t { 5632, 3710, 96, 17, 0, 0, 0, 16, 0, 0, 0x49 }, // 39 \"PowerShot G7 X\", \"PowerShot G3 X\", \"PowerShot G9 X\", \"PowerShot G5 X\", \"PowerShot G7 X Mark II\", \"PowerShot G9 X Mark II\"\n\t { 5712, 3774, 62, 20, 10, 2 }, // 40 \"EOS-1Ds Mark III\"\n\t { 5792, 3804, 158, 51, 0, 0 }, // 41 \"EOS 5D Mark II\"\n\t { 5920, 3950, 122, 80, 2, 0 }, // 42 \"EOS 5D Mark III\"\n\t { 6096, 4051, 76, 35, 0, 0 }, // 43 \"EOS 1500D\"\n\t { 6096, 4056, 72, 34, 0, 0 }, // 44 \"EOS M3\", \"EOS 760D\", \"EOS 750D\"\n\t { 6288, 4056, 264, 36, 0, 0 }, // 45 \"EOS M5\", \"EOS M100\", \"EOS M6\", \"PowerShot G1 X Mark III\", \"EOS 80D\", \"EOS 800D\", \"EOS 77D\", \"EOS 200D\", \"EOS 250D\", \"EOS M50\"\n\t { 6384, 4224, 120, 44, 0, 0 }, // 46 \"EOS 6D Mark II\", \"EOS RP\"\n\t { 6880, 4544, 136, 42, 0, 0 }, // 47 \"EOS 5D Mark IV\"\n\t { 6888, 4546, 146, 48, 0, 0 }, // 48 \"EOS R\"\n\t { 7128, 4732, 144, 72, 0, 0 }, // 49 \"EOS M6 II\", \"EOS 90D\"\n\t { 8896, 5920, 160, 64, 0, 0 }, // 50 \"EOS 5DS\", \"EOS 5DS R\"\n };\n\n static const libraw_custom_camera_t const_table[] = {\n\t { 786432, 1024, 768, 0, 0, 0, 0, 0, 0x94, 0, 0, \"AVT\", \"F-080C\" },\n\t { 1447680, 1392, 1040, 0, 0, 0, 0, 0, 0x94, 0, 0, \"AVT\", \"F-145C\" },\n\t { 1920000, 1600, 1200, 0, 0, 0, 0, 0, 0x94, 0, 0, \"AVT\", \"F-201C\" },\n\t { 5067304, 2588, 1958, 0, 0, 0, 0, 0, 0x94, 0, 0, \"AVT\", \"F-510C\" },\n\t { 5067316, 2588, 1958, 0, 0, 0, 0, 0, 0x94, 0, 0, \"AVT\", \"F-510C\", 12 },\n\t { 10134608, 2588, 1958, 0, 0, 0, 0, 9, 0x94, 0, 0, \"AVT\", \"F-510C\" },\n\t { 10134620, 2588, 1958, 0, 0, 0, 0, 9, 0x94, 0, 0, \"AVT\", \"F-510C\", 12 },\n\t { 16157136, 3272, 2469, 0, 0, 0, 0, 9, 0x94, 0, 0, \"AVT\", \"F-810C\" },\n\t { 15980544, 3264, 2448, 0, 0, 0, 0, 8, 0x61, 0, 1, \"AgfaPhoto\", \"DC-833m\" },\n\t { 9631728, 2532, 1902, 0, 0, 0, 0, 96, 0x61, 0, 0, \"Alcatel\", \"5035D\" },\n\t { 31850496, 4608, 3456, 0, 0, 0, 0, 
0, 0x94, 0, 0, \"GITUP\", \"GIT2 4:3\" },\n\t { 23887872, 4608, 2592, 0, 0, 0, 0, 0, 0x94, 0, 0, \"GITUP\", \"GIT2 16:9\" },\n\t { 32257024, 4624, 3488, 8, 2, 16, 2, 0, 0x94, 0, 0, \"GITUP\", \"GIT2P 4:3\" },\n\t { 24192768, 4624, 2616, 8, 2, 16, 2, 0, 0x94, 0, 0, \"GITUP\", \"GIT2P 16:9\" },\n\t { 18016000, 4000, 2252, 0, 0, 0, 0, 0, 0x94, 0, 0, \"GITUP\", \"G3DUO 16:9\" },\n\t // {24000000, 4000, 3000, 0, 0, 0, 0, 0, 0x94, 0, 0, \"GITUP\",\n // \"G3DUO 4:3\"}, // Conflict w/ Samsung WB550\n\n // Android Raw dumps id start\n // File Size in bytes Horizontal Res Vertical Flag then bayer order eg\n // 0x16 bbgr 0x94 rggb\n\t { 1540857, 2688, 1520, 0, 0, 0, 0, 1, 0x61, 0, 0, \"Samsung\", \"S3\" },\n\t { 2658304, 1212, 1096, 0, 0, 0, 0, 1, 0x16, 0, 0, \"LG\", \"G3FrontMipi\" },\n\t { 2842624, 1296, 1096, 0, 0, 0, 0, 1, 0x16, 0, 0, \"LG\", \"G3FrontQCOM\" },\n\t { 2969600, 1976, 1200, 0, 0, 0, 0, 1, 0x16, 0, 0, \"Xiaomi\", \"MI3wMipi\" },\n\t { 3170304, 1976, 1200, 0, 0, 0, 0, 1, 0x16, 0, 0, \"Xiaomi\", \"MI3wQCOM\" },\n\t { 3763584, 1584, 1184, 0, 0, 0, 0, 96, 0x61, 0, 0, \"I_Mobile\", \"I_StyleQ6\" },\n\t { 5107712, 2688, 1520, 0, 0, 0, 0, 1, 0x61, 0, 0, \"OmniVisi\", \"UltraPixel1\" },\n\t { 5382640, 2688, 1520, 0, 0, 0, 0, 1, 0x61, 0, 0, \"OmniVisi\", \"UltraPixel2\" },\n\t { 5664912, 2688, 1520, 0, 0, 0, 0, 1, 0x61, 0, 0, \"OmniVisi\", \"4688\" },\n\t { 5664912, 2688, 1520, 0, 0, 0, 0, 1, 0x61, 0, 0, \"OmniVisi\", \"4688\" },\n\t { 5364240, 2688, 1520, 0, 0, 0, 0, 1, 0x61, 0, 0, \"OmniVisi\", \"4688\" },\n\t { 6299648, 2592, 1944, 0, 0, 0, 0, 1, 0x16, 0, 0, \"OmniVisi\", \"OV5648\" },\n\t { 6721536, 2592, 1944, 0, 0, 0, 0, 0, 0x16, 0, 0, \"OmniVisi\", \"OV56482\" },\n\t { 6746112, 2592, 1944, 0, 0, 0, 0, 0, 0x16, 0, 0, \"HTC\", \"OneSV\" },\n\t { 9631728, 2532, 1902, 0, 0, 0, 0, 96, 0x61, 0, 0, \"Sony\", \"5mp\" },\n\t { 9830400, 2560, 1920, 0, 0, 0, 0, 96, 0x61, 0, 0, \"NGM\", \"ForwardArt\" },\n\t { 10186752, 3264, 2448, 0, 0, 0, 0, 1, 0x94, 0, 0, \"Sony\", 
\"IMX219-mipi 8mp\" },\n\t { 10223360, 2608, 1944, 0, 0, 0, 0, 96, 0x16, 0, 0, \"Sony\", \"IMX\" },\n\t { 10782464, 3282, 2448, 0, 0, 0, 0, 0, 0x16, 0, 0, \"HTC\", \"MyTouch4GSlide\" },\n\t { 10788864, 3282, 2448, 0, 0, 0, 0, 0, 0x16, 0, 0, \"Xperia\", \"L\" },\n\t { 15967488, 3264, 2446, 0, 0, 0, 0, 96, 0x16, 0, 0, \"OmniVison\", \"OV8850\" },\n\t { 16224256, 4208, 3082, 0, 0, 0, 0, 1, 0x16, 0, 0, \"LG\", \"G3MipiL\" },\n\t { 16424960, 4208, 3120, 0, 0, 0, 0, 1, 0x16, 0, 0, \"IMX135\", \"MipiL\" },\n\t { 17326080, 4164, 3120, 0, 0, 0, 0, 1, 0x16, 0, 0, \"LG\", \"G3LQCom\" },\n\t { 17522688, 4212, 3120, 0, 0, 0, 0, 0, 0x16, 0, 0, \"Sony\", \"IMX135-QCOM\" },\n\t { 19906560, 4608, 3456, 0, 0, 0, 0, 1, 0x16, 0, 0, \"Gione\", \"E7mipi\" },\n\t { 19976192, 5312, 2988, 0, 0, 0, 0, 1, 0x16, 0, 0, \"LG\", \"G4\" },\n\t { 20389888, 4632, 3480, 0, 0, 0, 0, 1, 0x16, 0, 0, \"Xiaomi\", \"RedmiNote3Pro\" },\n\t { 20500480, 4656, 3496, 0, 0, 0, 0, 1, 0x94, 0, 0, \"Sony\", \"IMX298-mipi 16mp\" },\n\t { 21233664, 4608, 3456, 0, 0, 0, 0, 1, 0x16, 0, 0, \"Gione\", \"E7qcom\" },\n\t { 26023936, 4192, 3104, 0, 0, 0, 0, 96, 0x94, 0, 0, \"THL\", \"5000\" },\n\t { 26257920, 4208, 3120, 0, 0, 0, 0, 96, 0x94, 0, 0, \"Sony\", \"IMX214\" },\n\t { 26357760, 4224, 3120, 0, 0, 0, 0, 96, 0x61, 0, 0, \"OV\", \"13860\" },\n\t { 41312256, 5248, 3936, 0, 0, 0, 0, 96, 0x61, 0, 0, \"Meizu\", \"MX4\" },\n\t { 42923008, 5344, 4016, 0, 0, 0, 0, 96, 0x61, 0, 0, \"Sony\", \"IMX230\" },\n // Android Raw dumps id end\n\t { 20137344, 3664, 2748, 0, 0, 0, 0, 0x40, 0x49, 0, 0, \"Aptina\", \"MT9J003\", 0xffff },\n\t { 2868726, 1384, 1036, 0, 0, 0, 0, 64, 0x49, 0, 8, \"Baumer\", \"TXG14\", 1078 },\n\t { 5298000, 2400, 1766, 12, 12, 44, 2, 40, 0x94, 0, 2, \"Canon\", \"PowerShot SD300\" }, // chdk hack\n\t { 6553440, 2664, 1968, 4, 4, 44, 4, 40, 0x94, 0, 2, \"Canon\", \"PowerShot A460\" }, // chdk hack\n\t { 6573120, 2672, 1968, 12, 8, 44, 0, 40, 0x94, 0, 2, \"Canon\", \"PowerShot A610\" }, // chdk hack\n\t { 
6653280, 2672, 1992, 10, 6, 42, 2, 40, 0x94, 0, 2, \"Canon\", \"PowerShot A530\" }, // chdk hack\n\t { 7710960, 2888, 2136, 44, 8, 4, 0, 40, 0x94, 0, 2, \"Canon\", \"PowerShot S3 IS\" }, // chdk hack\n\t { 9219600, 3152, 2340, 36, 12, 4, 0, 40, 0x94, 0, 2, \"Canon\", \"PowerShot A620\" }, // chdk hack\n\t { 9243240, 3152, 2346, 12, 7, 44, 13, 40, 0x49, 0, 2, \"Canon\", \"PowerShot A470\" }, // chdk hack\n\t { 10341600, 3336, 2480, 6, 5, 32, 3, 40, 0x94, 0, 2, \"Canon\", \"PowerShot A720 IS\" }, // chdk hack\n\t { 10383120, 3344, 2484, 12, 6, 44, 6, 40, 0x94, 0, 2, \"Canon\", \"PowerShot A630\" }, // chdk hack\n\t { 12945240, 3736, 2772, 12, 6, 52, 6, 40, 0x94, 0, 2, \"Canon\", \"PowerShot A640\" }, // chdk hack\n\t { 15636240, 4104, 3048, 48, 12, 24, 12, 40, 0x94, 0, 2, \"Canon\", \"PowerShot A650\" }, // chdk hack\n\t { 15467760, 3720, 2772, 6, 12, 30, 0, 40, 0x94, 0, 2, \"Canon\", \"PowerShot SX110 IS\" }, // chdk hack\n\t { 15534576, 3728, 2778, 12, 9, 44, 9, 40, 0x94, 0, 2, \"Canon\", \"PowerShot SX120 IS\" }, // chdk hack\n\t { 18653760, 4080, 3048, 24, 12, 24, 12, 40, 0x94, 0, 2, \"Canon\", \"PowerShot SX20 IS\" }, // chdk hack\n\t { 18763488, 4104, 3048, 10, 22, 82, 22, 8, 0x49, 0, 0, \"Canon\", \"PowerShot D10\" }, // ? 
chdk hack ?\n\t { 19131120, 4168, 3060, 92, 16, 4, 1, 40, 0x94, 0, 2, \"Canon\", \"PowerShot SX220 HS\" }, // chdk hack\n\t { 21936096, 4464, 3276, 25, 10, 73, 12, 40, 0x16, 0, 2, \"Canon\", \"PowerShot SX30 IS\" }, // chdk hack\n\t { 24724224, 4704, 3504, 8, 16, 56, 8, 40, 0x49, 0, 2, \"Canon\", \"PowerShot A3300 IS\" }, // chdk hack\n\t { 30858240, 5248, 3920, 8, 16, 56, 16, 40, 0x94, 0, 2, \"Canon\", \"IXUS 160\" }, // chdk hack\n\t { 1976352, 1632, 1211, 0, 2, 0, 1, 0, 0x94, 0, 1, \"Casio\", \"QV-2000UX\" },\n\t { 3217760, 2080, 1547, 0, 0, 10, 1, 0, 0x94, 0, 1, \"Casio\", \"QV-3*00EX\" },\n\t { 6218368, 2585, 1924, 0, 0, 9, 0, 0, 0x94, 0, 1, \"Casio\", \"QV-5700\" },\n\t { 7816704, 2867, 2181, 0, 0, 34, 36, 0, 0x16, 0, 1, \"Casio\", \"EX-Z60\" },\n\t { 2937856, 1621, 1208, 0, 0, 1, 0, 0, 0x94, 7, 13, \"Casio\", \"EX-S20\" },\n\t { 4948608, 2090, 1578, 0, 0, 32, 34, 0, 0x94, 7, 1, \"Casio\", \"EX-S100\" },\n\t { 6054400, 2346, 1720, 2, 0, 32, 0, 0, 0x94, 7, 1, \"Casio\", \"QV-R41\" },\n\t { 7426656, 2568, 1928, 0, 0, 0, 0, 0, 0x94, 0, 1, \"Casio\", \"EX-P505\" },\n\t { 7530816, 2602, 1929, 0, 0, 22, 0, 0, 0x94, 7, 1, \"Casio\", \"QV-R51\" },\n\t { 7542528, 2602, 1932, 0, 0, 32, 0, 0, 0x94, 7, 1, \"Casio\", \"EX-Z50\" },\n\t { 7562048, 2602, 1937, 0, 0, 25, 0, 0, 0x16, 7, 1, \"Casio\", \"EX-Z500\" },\n\t { 7753344, 2602, 1986, 0, 0, 32, 26, 0, 0x94, 7, 1, \"Casio\", \"EX-Z55\" },\n\t { 9313536, 2858, 2172, 0, 0, 14, 30, 0, 0x94, 7, 1, \"Casio\", \"EX-P600\" },\n\t { 10834368, 3114, 2319, 0, 0, 27, 0, 0, 0x94, 0, 1, \"Casio\", \"EX-Z750\" },\n\t { 10843712, 3114, 2321, 0, 0, 25, 0, 0, 0x94, 0, 1, \"Casio\", \"EX-Z75\" },\n\t { 10979200, 3114, 2350, 0, 0, 32, 32, 0, 0x94, 7, 1, \"Casio\", \"EX-P700\" },\n\t { 12310144, 3285, 2498, 0, 0, 6, 30, 0, 0x94, 0, 1, \"Casio\", \"EX-Z850\" },\n\t { 12489984, 3328, 2502, 0, 0, 47, 35, 0, 0x94, 0, 1, \"Casio\", \"EX-Z8\" },\n\t { 15499264, 3754, 2752, 0, 0, 82, 0, 0, 0x94, 0, 1, \"Casio\", \"EX-Z1050\" },\n\t { 18702336, 
4096, 3044, 0, 0, 24, 0, 80, 0x94, 7, 1, \"Casio\", \"EX-ZR100\" },\n\t { 7684000, 2260, 1700, 0, 0, 0, 0, 13, 0x94, 0, 1, \"Casio\", \"QV-4000\" },\n\t { 787456, 1024, 769, 0, 1, 0, 0, 0, 0x49, 0, 0, \"Creative\", \"PC-CAM 600\" },\n\t { 28829184, 4384, 3288, 0, 0, 0, 0, 36, 0x61, 0, 0, \"DJI\" },\n\t { 15151104, 4608, 3288, 0, 0, 0, 0, 0, 0x94, 0, 0, \"Matrix\" },\n\t { 3840000, 1600, 1200, 0, 0, 0, 0, 65, 0x49, 0, 0, \"Foculus\", \"531C\" },\n\t { 307200, 640, 480, 0, 0, 0, 0, 0, 0x94, 0, 0, \"Generic\" },\n\t { 62464, 256, 244, 1, 1, 6, 1, 0, 0x8d, 0, 0, \"Kodak\", \"DC20\" },\n\t { 124928, 512, 244, 1, 1, 10, 1, 0, 0x8d, 0, 0, \"Kodak\", \"DC20\" },\n\t { 1652736, 1536, 1076, 0, 52, 0, 0, 0, 0x61, 0, 0, \"Kodak\", \"DCS200\" },\n\t { 4159302, 2338, 1779, 1, 33, 1, 2, 0, 0x94, 0, 0, \"Kodak\", \"C330\" },\n\t { 4162462, 2338, 1779, 1, 33, 1, 2, 0, 0x94, 0, 0, \"Kodak\", \"C330\", 3160 },\n\t { 2247168, 1232, 912, 0, 0, 16, 0, 0, 0x00, 0, 0, \"Kodak\", \"C330\" },\n\t { 3370752, 1232, 912, 0, 0, 16, 0, 0, 0x00, 0, 0, \"Kodak\", \"C330\" },\n\t { 6163328, 2864, 2152, 0, 0, 0, 0, 0, 0x94, 0, 0, \"Kodak\", \"C603\" },\n\t { 6166488, 2864, 2152, 0, 0, 0, 0, 0, 0x94, 0, 0, \"Kodak\", \"C603\", 3160 },\n\t { 460800, 640, 480, 0, 0, 0, 0, 0, 0x00, 0, 0, \"Kodak\", \"C603\" },\n\t { 9116448, 2848, 2134, 0, 0, 0, 0, 0, 0x00, 0, 0, \"Kodak\", \"C603\" },\n\t { 12241200, 4040, 3030, 2, 0, 0, 13, 0, 0x49, 0, 0, \"Kodak\", \"12MP\" },\n\t { 12272756, 4040, 3030, 2, 0, 0, 13, 0, 0x49, 0, 0, \"Kodak\", \"12MP\", 31556 },\n\t { 18000000, 4000, 3000, 0, 0, 0, 0, 0, 0x00, 0, 0, \"Kodak\", \"12MP\" },\n\t { 614400, 640, 480, 0, 3, 0, 0, 64, 0x94, 0, 0, \"Kodak\", \"KAI-0340\" },\n\t { 15360000, 3200, 2400, 0, 0, 0, 0, 96, 0x16, 0, 0, \"Lenovo\", \"A820\" },\n\t { 3884928, 1608, 1207, 0, 0, 0, 0, 96, 0x16, 0, 0, \"Micron\", \"2010\", 3212 },\n\t { 1138688, 1534, 986, 0, 0, 0, 0, 0, 0x61, 0, 0, \"Minolta\", \"RD175\", 513 },\n\t { 1581060, 1305, 969, 0, 0, 18, 6, 6, 0x1e, 4, 1, 
\"Nikon\", \"E900\" }, // \"diag raw\" hack\n\t { 2465792, 1638, 1204, 0, 0, 22, 1, 6, 0x4b, 5, 1, \"Nikon\", \"E950\" }, // \"diag raw\" hack; possibly also Nikon E700, E800, E775;\n\t // Olympus C-2020Z\n\t { 2940928, 1616, 1213, 0, 0, 0, 7, 30, 0x94, 0, 1, \"Nikon\", \"E2100\" }, // \"diag raw\" hack; also Nikon E2500\n\t { 4771840, 2064, 1541, 0, 0, 0, 1, 6, 0xe1, 0, 1, \"Nikon\", \"E990\" }, // \"diag raw\" hack; possibly also Nikon E880, E885, E995;\n\t // Olympus C-3030Z\n\t { 4775936, 2064, 1542, 0, 0, 0, 0, 30, 0x94, 0, 1, \"Nikon\", \"E3700\" }, // \"diag raw\" hack; Nikon E3100, E3200, E3500;\n\t // Pentax \"Optio 33WR\"; possibly also Olympus C-740UZ\n\t { 5865472, 2288, 1709, 0, 0, 0, 1, 6, 0xb4, 0, 1, \"Nikon\", \"E4500\" }, // \"diag raw\" hack; possibly also Olympus C-4040Z\n\t { 5869568, 2288, 1710, 0, 0, 0, 0, 6, 0x16, 0, 1, \"Nikon\", \"E4300\" }, // \"diag raw\" hack; also Minolta \"DiMAGE Z2\"\n\t { 7438336, 2576, 1925, 0, 0, 0, 1, 6, 0xb4, 0, 1, \"Nikon\", \"E5000\" }, // also Nikon E5700\n\t { 8998912, 2832, 2118, 0, 0, 0, 0, 30, 0x94, 7, 1, \"Nikon\", \"COOLPIX S6\" }, // \"diag raw\" hack\n\t { 5939200, 2304, 1718, 0, 0, 0, 0, 30, 0x16, 0, 0, \"Olympus\", \"C-770UZ\" }, // possibly also Olympus C-4100Z, C-765UZ\n\t { 3178560, 2064, 1540, 0, 0, 0, 0, 0, 0x94, 0, 1, \"Pentax\", \"Optio S V1.01\" },\n\t { 4841984, 2090, 1544, 0, 0, 22, 0, 0, 0x94, 7, 1, \"Pentax\", \"Optio S\" },\n\t { 6114240, 2346, 1737, 0, 0, 22, 0, 0, 0x94, 7, 1, \"Pentax\", \"Optio S4\" },\n\t { 10702848, 3072, 2322, 0, 0, 0, 21, 30, 0x94, 0, 1, \"Pentax\", \"Optio 750Z\" },\n\t { 4147200, 1920, 1080, 0, 0, 0, 0, 0, 0x49, 0, 0, \"Photron\", \"BC2-HD\" },\n\t { 4151666, 1920, 1080, 0, 0, 0, 0, 0, 0x49, 0, 0, \"Photron\", \"BC2-HD\", 8 },\n\t { 13248000, 2208, 3000, 0, 0, 0, 0, 13, 0x61, 0, 0, \"Pixelink\", \"A782\" },\n\t { 6291456, 2048, 1536, 0, 0, 0, 0, 96, 0x61, 0, 0, \"RoverShot\", \"3320AF\" },\n\t { 311696, 644, 484, 0, 0, 0, 0, 0, 0x16, 0, 8, \"ST Micro\", \"STV680 
VGA\" },\n\t { 16098048, 3288, 2448, 0, 0, 24, 0, 9, 0x94, 0, 1, \"Samsung\", \"S85\" }, // hack\n\t { 16215552, 3312, 2448, 0, 0, 48, 0, 9, 0x94, 0, 1, \"Samsung\", \"S85\" }, // hack\n\t { 20487168, 3648, 2808, 0, 0, 0, 0, 13, 0x94, 5, 1, \"Samsung\", \"WB550\" },\n\t { 24000000, 4000, 3000, 0, 0, 0, 0, 13, 0x94, 5, 1, \"Samsung\", \"WB550\" },\n\t { 12582980, 3072, 2048, 0, 0, 0, 0, 33, 0x61, 0, 0, \"Sinar\", \"\", 68 }, // Sinarback 23; same res. as Leaf Volare & Cantare\n\t { 33292868, 4080, 4080, 0, 0, 0, 0, 33, 0x61, 0, 0, \"Sinar\", \"\", 68 }, // Sinarback 44\n\t { 44390468, 4080, 5440, 0, 0, 0, 0, 33, 0x61, 0, 0, \"Sinar\", \"\", 68 }, // Sinarback 54\n\t { 1409024, 1376, 1024, 0, 0, 1, 0, 0, 0x49, 0, 0, \"Sony\", \"XCD-SX910CR\" },\n\t { 2818048, 1376, 1024, 0, 0, 1, 0, 97, 0x49, 0, 0, \"Sony\", \"XCD-SX910CR\" },\n };\n\n libraw_custom_camera_t\n table[64 + sizeof(const_table) / sizeof(const_table[0])];\n\n\n // clang-format on\n\n char head[64] = {0}, *cp;\n int hlen, fsize, flen, zero_fsize = 1, i, c;\n struct jhead jh;\n\n unsigned camera_count =\n parse_custom_cameras(64, table, imgdata.params.custom_camera_strings);\n for (int q = 0; q < int(sizeof(const_table) / sizeof(const_table[0])); q++)\n memmove(&table[q + camera_count], &const_table[q], sizeof(const_table[0]));\n camera_count += sizeof(const_table) / sizeof(const_table[0]);\n\n tiff_flip = flip = filters = UINT_MAX; /* unknown */\n raw_height = raw_width = fuji_width = fuji_layout = cr2_slice[0] = 0;\n maximum = height = width = top_margin = left_margin = 0;\n cdesc[0] = desc[0] = artist[0] = make[0] = model[0] = model2[0] = 0;\n iso_speed = shutter = aperture = focal_len = 0;\n unique_id = 0ULL;\n tiff_nifds = 0;\n is_NikonTransfer = 0;\n is_Sony = 0;\n is_pana_raw = 0;\n maker_index = LIBRAW_CAMERAMAKER_Unknown;\n is_4K_RAFdata = 0;\n FujiCropMode = 0;\n is_PentaxRicohMakernotes = 0;\n normalized_model[0] = 0;\n normalized_make[0] = 0;\n CM_found = 0;\n memset(tiff_ifd, 0, sizeof 
tiff_ifd);\n libraw_internal_data.unpacker_data.crx_track_selected = -1;\n libraw_internal_data.unpacker_data.CR3_CTMDtag = 0;\n imgdata.makernotes.hasselblad.nIFD_CM[0] =\n imgdata.makernotes.hasselblad.nIFD_CM[1] = -1;\n imgdata.makernotes.kodak.ISOCalibrationGain = 1.0f;\n imCommon.CameraTemperature = imCommon.SensorTemperature =\n imCommon.SensorTemperature2 = imCommon.LensTemperature =\n imCommon.AmbientTemperature = imCommon.BatteryTemperature =\n imCommon.exifAmbientTemperature = -1000.0f;\n\n imgdata.color.ExifColorSpace = LIBRAW_COLORSPACE_Unknown;\n for (i = 0; i < LIBRAW_IFD_MAXCOUNT; i++)\n {\n tiff_ifd[i].dng_color[0].illuminant = tiff_ifd[i].dng_color[1].illuminant =\n 0xffff;\n for (int c = 0; c < 4; c++)\n tiff_ifd[i].dng_levels.analogbalance[c] = 1.0f;\n }\n\n memset(gpsdata, 0, sizeof gpsdata);\n memset(cblack, 0, sizeof cblack);\n memset(white, 0, sizeof white);\n memset(mask, 0, sizeof mask);\n thumb_offset = thumb_length = thumb_width = thumb_height = 0;\n load_raw = thumb_load_raw = 0;\n write_thumb = &LibRaw::jpeg_thumb;\n data_offset = meta_offset = meta_length = tiff_bps = tiff_compress = 0;\n kodak_cbpp = zero_after_ff = dng_version = load_flags = 0;\n timestamp = shot_order = tiff_samples = black = is_foveon = 0;\n mix_green = profile_length = data_error = zero_is_bad = 0;\n pixel_aspect = is_raw = raw_color = 1;\n tile_width = tile_length = 0;\n metadata_blocks = 0;\n\n for (i = 0; i < 4; i++)\n {\n cam_mul[i] = i == 1;\n pre_mul[i] = i < 3;\n FORC3 cmatrix[c][i] = 0;\n FORC3 rgb_cam[c][i] = c == i;\n }\n colors = 3;\n for (i = 0; i < 0x10000; i++)\n curve[i] = i;\n\n order = get2();\n hlen = get4();\n fseek(ifp, 0, SEEK_SET);\n\n if (fread(head, 1, 64, ifp) < 64)\n throw LIBRAW_EXCEPTION_IO_CORRUPT;\n libraw_internal_data.unpacker_data.lenRAFData =\n libraw_internal_data.unpacker_data.posRAFData = 0;\n\n fseek(ifp, 0, SEEK_END);\n flen = fsize = ftell(ifp);\n if ((cp = (char *)memmem(head, 32, (char *)\"MMMM\", 4)) ||\n (cp = (char 
*)memmem(head, 32, (char *)\"IIII\", 4)))\n {\n parse_phase_one(cp - head);\n if (cp - head && parse_tiff(0))\n apply_tiff();\n }\n else if (order == 0x4949 || order == 0x4d4d)\n {\n if (!memcmp(head + 6, \"HEAPCCDR\", 8))\n {\n data_offset = hlen;\n parse_ciff(hlen, flen - hlen, 0);\n load_raw = &LibRaw::canon_load_raw;\n }\n else if (parse_tiff(0))\n apply_tiff();\n }\n else if (!memcmp(head, \"\\xff\\xd8\\xff\\xe1\", 4) && !memcmp(head + 6, \"Exif\", 4))\n {\n fseek(ifp, 4, SEEK_SET);\n data_offset = 4 + get2();\n fseek(ifp, data_offset, SEEK_SET);\n if (fgetc(ifp) != 0xff)\n parse_tiff(12);\n thumb_offset = 0;\n }\n else if (!memcmp(head + 25, \"ARECOYK\", 7)) // 'KYOCERA' right-to-left\n {\n strcpy(make, \"Contax\");\n strcpy(model, \"N Digital\");\n parse_kyocera();\n }\n else if (!strcmp(head, \"PXN\"))\n {\n strcpy(make, \"Logitech\");\n strcpy(model, \"Fotoman Pixtura\");\n }\n else if (!strcmp(head, \"qktk\"))\n {\n strcpy(make, \"Apple\");\n strcpy(model, \"QuickTake 100\");\n load_raw = &LibRaw::quicktake_100_load_raw;\n }\n else if (!strcmp(head, \"qktn\"))\n {\n strcpy(make, \"Apple\");\n strcpy(model, \"QuickTake 150\");\n load_raw = &LibRaw::kodak_radc_load_raw;\n }\n else if (!memcmp(head, \"FUJIFILM\", 8))\n {\n memcpy(imFuji.SerialSignature, head + 0x10, 0x0c);\n imFuji.SerialSignature[0x0c] = 0;\n strncpy(model, head + 0x1c, 0x20);\n model[0x20] = 0;\n memcpy(model2, head + 0x3c, 4);\n model2[4] = 0;\n strcpy(imFuji.RAFVersion, model2);\n fseek(ifp, 84, SEEK_SET);\n thumb_offset = get4();\n thumb_length = get4();\n fseek(ifp, 92, SEEK_SET);\n parse_fuji(get4());\n if (thumb_offset > 120)\n {\n fseek(ifp, 120, SEEK_SET);\n is_raw += (i = get4()) ? 
1 : 0;\n if (is_raw == 2 && shot_select)\n parse_fuji(i);\n }\n load_raw = &LibRaw::unpacked_load_raw;\n fseek(ifp, 100 + 28 * (shot_select > 0), SEEK_SET);\n parse_tiff(data_offset = get4());\n parse_tiff(thumb_offset + 12);\n apply_tiff();\n }\n else if (!memcmp(head, \"RIFF\", 4))\n {\n fseek(ifp, 0, SEEK_SET);\n parse_riff();\n }\n else if (!memcmp(head + 4, \"ftypqt \", 9))\n {\n fseek(ifp, 0, SEEK_SET);\n parse_qt(fsize);\n is_raw = 0;\n }\n else if (!memcmp(head, \"\\0\\001\\0\\001\\0@\", 6))\n {\n fseek(ifp, 6, SEEK_SET);\n fread(make, 1, 8, ifp);\n fread(model, 1, 8, ifp);\n fread(model2, 1, 16, ifp);\n data_offset = get2();\n get2();\n raw_width = get2();\n raw_height = get2();\n load_raw = &LibRaw::nokia_load_raw;\n filters = 0x61616161;\n }\n else if (!memcmp(head, \"NOKIARAW\", 8))\n {\n strcpy(make, \"NOKIA\");\n order = 0x4949;\n fseek(ifp, 300, SEEK_SET);\n data_offset = get4();\n i = get4(); // bytes count\n width = get2();\n height = get2();\n\n // Data integrity check\n if (width < 1 || width > 16000 || height < 1 || height > 16000 ||\n i < (width * height) || i > (2 * width * height))\n throw LIBRAW_EXCEPTION_IO_CORRUPT;\n\n switch (tiff_bps = i * 8 / (width * height))\n {\n case 8:\n load_raw = &LibRaw::eight_bit_load_raw;\n break;\n case 10:\n load_raw = &LibRaw::nokia_load_raw;\n break;\n case 0:\n throw LIBRAW_EXCEPTION_IO_CORRUPT;\n break;\n }\n raw_height = height + (top_margin = i / (width * tiff_bps / 8) - height);\n mask[0][3] = 1;\n filters = 0x61616161;\n }\n else if (!memcmp(head, \"ARRI\", 4))\n {\n order = 0x4949;\n fseek(ifp, 20, SEEK_SET);\n width = get4();\n height = get4();\n strcpy(make, \"ARRI\");\n fseek(ifp, 668, SEEK_SET);\n fread(model, 1, 64, ifp);\n model[63] = 0;\n fseek(ifp, 760, SEEK_SET);\n fread(software, 1, 64, ifp);\n if((unsigned char)software[0] == 0xff) software[0] = 0;\n software[63] = 0;\n data_offset = 4096;\n load_raw = &LibRaw::packed_load_raw;\n load_flags = 88;\n filters = 0x61616161;\n fixupArri();\n 
}\n else if (!memcmp(head, \"XPDS\", 4))\n {\n order = 0x4949;\n fseek(ifp, 0x800, SEEK_SET);\n fread(make, 1, 41, ifp);\n raw_height = get2();\n raw_width = get2();\n fseek(ifp, 56, SEEK_CUR);\n fread(model, 1, 30, ifp);\n data_offset = 0x10000;\n load_raw = &LibRaw::canon_rmf_load_raw;\n gamma_curve(0, 12.25, 1, 1023);\n }\n else if (!memcmp(head + 4, \"RED1\", 4))\n {\n strcpy(make, \"Red\");\n strcpy(model, \"One\");\n parse_redcine();\n load_raw = &LibRaw::redcine_load_raw;\n gamma_curve(1 / 2.4, 12.92, 1, 4095);\n filters = 0x49494949;\n }\n else if (!memcmp(head, \"DSC-Image\", 9))\n parse_rollei();\n else if (!memcmp(head, \"PWAD\", 4))\n parse_sinar_ia();\n else if (!memcmp(head, \"\\0MRM\", 4))\n parse_minolta(0);\n else if (!memcmp(head, \"FOVb\", 4))\n {\n parse_x3f(); /* Does nothing if USE_X3FTOOLS is not defined */\n }\n else if (!memcmp(head, \"CI\", 2))\n parse_cine();\n#ifdef USE_6BY9RPI\n else if (!memcmp(head, \"BRCM\", 4)) {\n\tfseek(ifp, 0, SEEK_SET);\n\tstrcpy(make, \"RaspberryPi\");\n\tstrcpy(model, \"Pi\");\n\tparse_raspberrypi();\n\t}\n#endif\n else if (!memcmp(head + 4, \"ftypcrx \", 8))\n {\n int err;\n unsigned long long szAtomList;\n short nesting = -1;\n short nTrack = -1;\n short TrackType;\n char AtomNameStack[128];\n strcpy(make, \"Canon\");\n\n szAtomList = ifp->size();\n err = parseCR3(0ULL, szAtomList, nesting, AtomNameStack, nTrack, TrackType);\n if ((err == 0 || err == -14) &&\n nTrack >= 0) // no error, or too deep nesting\n selectCRXTrack(nTrack);\n }\n\n if (make[0] == 0)\n for (zero_fsize = i = 0; i < (int)camera_count; i++)\n if (fsize == (int)table[i].fsize)\n {\n strcpy(make, table[i].t_make);\n strcpy(model, table[i].t_model);\n flip = table[i].flags >> 2;\n zero_is_bad = table[i].flags & 2;\n data_offset = table[i].offset == 0xffff ? 
0 : table[i].offset;\n raw_width = table[i].rw;\n raw_height = table[i].rh;\n left_margin = table[i].lm;\n top_margin = table[i].tm;\n width = raw_width - left_margin - table[i].rm;\n height = raw_height - top_margin - table[i].bm;\n filters = 0x1010101U * table[i].cf;\n colors = 4 - !((filters & filters >> 1) & 0x5555);\n load_flags = table[i].lf & 0xff;\n if (table[i].lf & 0x100) /* Monochrome sensor dump */\n {\n colors = 1;\n filters = 0;\n }\n switch (tiff_bps = (fsize - data_offset) * 8 / (raw_width * raw_height))\n {\n case 6:\n load_raw = &LibRaw::minolta_rd175_load_raw;\n ilm.CameraMount = LIBRAW_MOUNT_Minolta_A;\n break;\n case 8:\n load_raw = &LibRaw::eight_bit_load_raw;\n break;\n case 10:\n if ((fsize - data_offset) / raw_height * 3 >= raw_width * 4)\n {\n load_raw = &LibRaw::android_loose_load_raw;\n break;\n }\n else if (load_flags & 1)\n {\n load_raw = &LibRaw::android_tight_load_raw;\n break;\n }\n case 12:\n load_flags |= 128;\n load_raw = &LibRaw::packed_load_raw;\n break;\n case 16:\n order = 0x4949 | 0x404 * (load_flags & 1);\n tiff_bps -= load_flags >> 4;\n tiff_bps -= load_flags = load_flags >> 1 & 7;\n load_raw = table[i].offset == 0xffff\n ? 
&LibRaw::unpacked_load_raw_reversed\n : &LibRaw::unpacked_load_raw;\n }\n maximum = (1 << tiff_bps) - (1 << table[i].max);\n break;\n }\n if (zero_fsize)\n fsize = 0;\n if (make[0] == 0)\n parse_smal(0, flen);\n if (make[0] == 0)\n {\n parse_jpeg(0);\n#ifdef USE_6BY9RPI\n\tif (!(strncmp(model, \"ov\", 2) && strncmp(model, \"RP_\", 3))) {\n\t\t//Assume that this isn't a raw unless the header can be found\n\t\tis_raw = 0;\n\n\t\tif (!strncasecmp(model, \"RP_imx\", 6)) {\n\t\t\tconst long offsets[] = {\n\t\t\t\t//IMX219 offsets\n\t\t\t\t10270208, //8MPix 3280x2464\n\t\t\t\t2678784, //1920x1080\n\t\t\t\t2628608, //1640x1232\n\t\t\t\t1963008, //1640x922\n\t\t\t\t1233920, //1280x720\n\t\t\t\t445440, //640x480\n\t\t\t\t-1 //Marker for end of table\n\t\t\t};\n\t\t\tint offset_idx;\n\t\t\tfor (offset_idx = 0; offsets[offset_idx] != -1; offset_idx++) {\n\t\t\t\tif (!fseek(ifp, -offsets[offset_idx], SEEK_END) &&\n\t\t\t\t\tfread(head, 1, 32, ifp) && !strncmp(head, \"BRCM\", 4)) {\n\n\t\t\t\t\tfseek(ifp, -32, SEEK_CUR);\n\t\t\t\t\tstrcpy(make, \"SonyRPF\");\n\t\t\t\t\tparse_raspberrypi();\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\telse if (!strncasecmp(model, \"RP_OV\", 5) || !strncasecmp(model, \"ov5647\", 6)) {\n\t\t\tconst long offsets[] = {\n\t\t\t\t\t6404096, //5MPix 2592x1944\n\t\t\t\t\t2717696, //1920x1080\n\t\t\t\t\t1625600, //1296x972\n\t\t\t\t\t1233920, //1296x730\n\t\t\t\t\t445440, //640x480\n\t\t\t\t\t-1 //Marker for end of table\n\t\t\t};\n\t\t\tint offset_idx;\n\t\t\tfor (offset_idx = 0; offsets[offset_idx] != -1; offset_idx++) {\n\t\t\t\tif (!fseek(ifp, -offsets[offset_idx], SEEK_END) &&\n\t\t\t\t\tfread(head, 1, 32, ifp) && !strncmp(head, \"BRCM\", 4)) {\n\t\t\t\t\tfseek(ifp, -32, SEEK_CUR);\n\t\t\t\t\tstrcpy(make, \"OmniVision\");\n\t\t\t\t\twidth = raw_width;\n\t\t\t\t\t//Defaults\n\t\t\t\t\traw_width = 2611;\n\t\t\t\t\tfilters = 0x16161616;\n\t\t\t\t\tparse_raspberrypi();\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t }\n\t}// else is_raw = 0;\n#else\n 
fseek(ifp, 0, SEEK_END);\n int sz = ftell(ifp);\n if (!strncmp(model, \"RP_imx219\", 9) && sz >= 0x9cb600 &&\n !fseek(ifp, -0x9cb600, SEEK_END) && fread(head, 1, 0x20, ifp) &&\n !strncmp(head, \"BRCM\", 4))\n {\n strcpy(make, \"Broadcom\");\n strcpy(model, \"RPi IMX219\");\n if (raw_height > raw_width)\n flip = 5;\n data_offset = ftell(ifp) + 0x8000 - 0x20;\n parse_broadcom();\n black = 66;\n maximum = 0x3ff;\n load_raw = &LibRaw::broadcom_load_raw;\n thumb_offset = 0;\n thumb_length = sz - 0x9cb600 - 1;\n }\n else if (!(strncmp(model, \"ov5647\", 6) && strncmp(model, \"RP_OV5647\", 9)) &&\n sz >= 0x61b800 && !fseek(ifp, -0x61b800, SEEK_END) &&\n fread(head, 1, 0x20, ifp) && !strncmp(head, \"BRCM\", 4))\n {\n strcpy(make, \"Broadcom\");\n if (!strncmp(model, \"ov5647\", 6))\n strcpy(model, \"RPi OV5647 v.1\");\n else\n strcpy(model, \"RPi OV5647 v.2\");\n if (raw_height > raw_width)\n flip = 5;\n data_offset = ftell(ifp) + 0x8000 - 0x20;\n parse_broadcom();\n black = 16;\n maximum = 0x3ff;\n load_raw = &LibRaw::broadcom_load_raw;\n thumb_offset = 0;\n thumb_length = sz - 0x61b800 - 1;\n }\n else\n is_raw = 0;\n#endif\n }\n\n // make sure strings are terminated\n desc[511] = artist[63] = make[63] = model[63] = model2[63] = 0;\n\n for (i = 0; i < int(sizeof CorpTable / sizeof *CorpTable); i++)\n {\n if (strcasestr(make, CorpTable[i].CorpName))\n { /* Simplify company names */\n maker_index = CorpTable[i].CorpId;\n strcpy(make, CorpTable[i].CorpName);\n }\n }\n\n if ((makeIs(LIBRAW_CAMERAMAKER_Kodak) || makeIs(LIBRAW_CAMERAMAKER_Leica)) &&\n ((cp = strcasestr(model, \" DIGITAL CAMERA\")) ||\n (cp = strstr(model, \"FILE VERSION\")))) {\n *cp = 0;\n } else if (makeIs(LIBRAW_CAMERAMAKER_Ricoh) && !strncasecmp(model, \"PENTAX\", 6)) {\n maker_index = LIBRAW_CAMERAMAKER_Pentax;\n strcpy(make, \"Pentax\");\n } else if (makeIs(LIBRAW_CAMERAMAKER_JK_Imaging) && !strncasecmp(model, \"Kodak\", 5)) {\n maker_index = LIBRAW_CAMERAMAKER_Kodak;\n strcpy(make, \"Kodak\");\n }\n\n 
remove_trailing_spaces(make, sizeof(make));\n remove_trailing_spaces(model, sizeof(model));\n\n i = strbuflen(make); /* Remove make from model */\n if (!strncasecmp(model, make, i) && model[i++] == ' ')\n memmove(model, model + i, 64 - i);\n\n if (makeIs(LIBRAW_CAMERAMAKER_Fujifilm) && !strncmp(model, \"FinePix\", 7)) {\n memmove(model, model + 7, strlen(model) - 6);\n if (model[0] == ' ') {\n memmove(model, model + 1, strlen(model));\n }\n } else if ((makeIs(LIBRAW_CAMERAMAKER_Kodak) || makeIs(LIBRAW_CAMERAMAKER_Konica)) &&\n !strncmp(model, \"Digital Camera \", 15)) {\n memmove(model, model + 15, strlen(model) - 14);\n }\n\n desc[511] = artist[63] = make[63] = model[63] = model2[63] = 0;\n if (!is_raw)\n goto notraw;\n\n if (!height)\n height = raw_height;\n if (!width)\n width = raw_width;\n\n identify_finetune_pentax();\n\n\n if (dng_version)\n {\n if (filters == UINT_MAX)\n filters = 0;\n if (!filters)\n colors = tiff_samples;\n switch (tiff_compress)\n {\n case 0: // Compression not set, assuming uncompressed\n case 1:\n#ifdef USE_DNGSDK\n // Uncompressed float\n if (load_raw != &LibRaw::float_dng_load_raw_placeholder)\n#endif\n load_raw = &LibRaw::packed_dng_load_raw;\n break;\n case 7:\n load_raw = &LibRaw::lossless_dng_load_raw;\n break;\n case 8:\n load_raw = &LibRaw::deflate_dng_load_raw;\n break;\n#ifdef USE_GPRSDK\n case 9:\n load_raw = &LibRaw::vc5_dng_load_raw_placeholder;\n break;\n#endif\n case 34892:\n load_raw = &LibRaw::lossy_dng_load_raw;\n break;\n default:\n load_raw = 0;\n }\n GetNormalizedModel();\n if (makeIs(LIBRAW_CAMERAMAKER_Olympus) &&\n (OlyID == OlyID_STYLUS_1) && // don't use normalized_model below, it is 'Stylus 1'\n (strchr(model+6, 's') ||\n strchr(model+6, 'S')))\n {\n width -= 16;\n }\n goto dng_skip;\n }\n\n if (makeIs(LIBRAW_CAMERAMAKER_Canon) && !fsize && tiff_bps != 15)\n {\n bool fromtable = false;\n if (!load_raw)\n load_raw = &LibRaw::lossless_jpeg_load_raw;\n for (i = 0; i < int(sizeof canon / sizeof *canon); i++)\n if 
(raw_width == canon[i][0] && raw_height == canon[i][1])\n {\n width = raw_width - (left_margin = canon[i][2]);\n height = raw_height - (top_margin = canon[i][3]);\n width -= canon[i][4];\n height -= canon[i][5];\n mask[0][1] = canon[i][6];\n mask[0][3] = -canon[i][7];\n mask[1][1] = canon[i][8];\n mask[1][3] = -canon[i][9];\n if (canon[i][10])\n filters = canon[i][10] * 0x01010101U;\n fromtable = true;\n }\n if ((unique_id | 0x20000ULL) ==\n 0x2720000ULL) // \"PowerShot G11\", \"PowerShot S90\": 0x2700000, 0x2720000\n // possibly \"PowerShot SX120 IS\" (if not chdk hack?): 0x2710000\n {\n left_margin = 8;\n top_margin = 16;\n }\n if(!fromtable && imgdata.makernotes.canon.AverageBlackLevel) // not known, but metadata known\n {\n FORC4 cblack[c] = imgdata.makernotes.canon.ChannelBlackLevel[c];\n black = cblack[4] = cblack[5] = 0;\n // Prevent automatic BL calculation\n mask[0][3] = 1;\n mask[0][1] = 2;\n\n if(imgdata.makernotes.canon.SensorWidth == raw_width\n && imgdata.makernotes.canon.SensorHeight == raw_height)\n {\n left_margin = (imgdata.makernotes.canon.SensorLeftBorder+1) & 0xfffe; // round to 2\n width = imgdata.makernotes.canon.SensorRightBorder - left_margin;\n top_margin = (imgdata.makernotes.canon.SensorTopBorder +1) & 0xfffe;\n height = imgdata.makernotes.canon.SensorBottomBorder - top_margin;\n }\n }\n }\n\n identify_finetune_by_filesize(fsize);\n\n if (!strcmp(model, \"KAI-0340\") && find_green(16, 16, 3840, 5120) < 25)\n {\n height = 480;\n top_margin = filters = 0;\n strcpy(model, \"C603\");\n }\n\n GetNormalizedModel();\n\n identify_finetune_dcr(head, fsize, flen);\n\n /* Early reject for damaged images */\n if (!load_raw || height < 22 || width < 22 ||\n (tiff_bps > 16 &&\n (load_raw != &LibRaw::deflate_dng_load_raw &&\n load_raw != &LibRaw::float_dng_load_raw_placeholder)) ||\n tiff_samples > 4 || colors > 4 ||\n colors < 1\n /* alloc in unpack() may be fooled by size adjust */\n || ((int)width + (int)left_margin > 65535) ||\n ((int)height + 
(int)top_margin > 65535))\n {\n is_raw = 0;\n RUN_CALLBACK(LIBRAW_PROGRESS_IDENTIFY, 1, 2);\n return;\n }\n if (!model[0])\n {\n sprintf(model, \"%dx%d\", width, height);\n strcpy(normalized_model, model);\n }\n\n if (!(imgdata.params.raw_processing_options &\n LIBRAW_PROCESSING_ZEROFILTERS_FOR_MONOCHROMETIFFS) &&\n (filters == UINT_MAX)) // Default dcraw behaviour\n filters = 0x94949494;\n else if (filters == UINT_MAX)\n {\n if (tiff_nifds > 0 && tiff_samples == 1)\n {\n colors = 1;\n filters = 0;\n }\n else\n filters = 0x94949494;\n }\n\n if (thumb_offset && !thumb_height)\n {\n fseek(ifp, thumb_offset, SEEK_SET);\n if (ljpeg_start(&jh, 1))\n {\n thumb_width = jh.wide;\n thumb_height = jh.high;\n }\n }\n\ndng_skip:\n if (dng_version)\n\t identify_process_dng_fields();\n\n /* Early reject for damaged images again (after dng fields processing) */\n if (!load_raw || height < 22 || width < 22 ||\n (tiff_bps > 16 &&\n (load_raw != &LibRaw::deflate_dng_load_raw &&\n load_raw != &LibRaw::float_dng_load_raw_placeholder)) ||\n tiff_samples > 4 || colors > 4 || colors < 1)\n {\n is_raw = 0;\n RUN_CALLBACK(LIBRAW_PROGRESS_IDENTIFY, 1, 2);\n return;\n }\n {\n // Check cam_mul range\n int cmul_ok = 1;\n FORCC if (cam_mul[c] <= 0.001f) cmul_ok = 0;\n ;\n\n if (cmul_ok)\n {\n double cmin = cam_mul[0], cmax;\n double cnorm[4];\n FORCC cmin = MIN(cmin, cam_mul[c]);\n FORCC cnorm[c] = cam_mul[c] / cmin;\n cmax = cmin = cnorm[0];\n FORCC\n {\n cmin = MIN(cmin, cnorm[c]);\n cmax = MIN(cmax, cnorm[c]);\n }\n if (cmin <= 0.01f || cmax > 100.f)\n cmul_ok = false;\n }\n if (!cmul_ok)\n {\n if (cam_mul[0] > 0)\n cam_mul[0] = 0;\n cam_mul[3] = 0;\n }\n }\n if ((use_camera_matrix & (((use_camera_wb || dng_version)?0:1) | 0x2)) &&\n cmatrix[0][0] > 0.125)\n {\n memcpy(rgb_cam, cmatrix, sizeof cmatrix);\n raw_color = 0;\n }\n if (raw_color && !CM_found)\n CM_found = adobe_coeff(maker_index, normalized_model);\n else if ((imgdata.color.cam_xyz[0][0] < 0.01) && !CM_found)\n CM_found = 
adobe_coeff(maker_index, normalized_model, 1);\n\n if (load_raw == &LibRaw::kodak_radc_load_raw)\n if ((raw_color) && !CM_found)\n\t\tCM_found = adobe_coeff(LIBRAW_CAMERAMAKER_Apple, \"Quicktake\");\n\n if ((maker_index != LIBRAW_CAMERAMAKER_Unknown) && normalized_model[0])\n SetStandardIlluminants (maker_index, normalized_model);\n\n // Clear erorneus fuji_width if not set through parse_fuji or for DNG\n if (fuji_width && !dng_version &&\n !(imgdata.process_warnings & LIBRAW_WARN_PARSEFUJI_PROCESSED))\n fuji_width = 0;\n\n if (fuji_width)\n {\n fuji_width = width >> !fuji_layout;\n filters = fuji_width & 1 ? 0x94949494 : 0x49494949;\n width = (height >> fuji_layout) + fuji_width;\n height = width - 1;\n pixel_aspect = 1;\n }\n else\n {\n if (raw_height < height)\n raw_height = height;\n if (raw_width < width)\n raw_width = width;\n }\n if (!tiff_bps)\n tiff_bps = 12;\n if (!maximum)\n {\n maximum = (1 << tiff_bps) - 1;\n if (maximum < 0x10000 && curve[maximum] > 0 &&\n load_raw == &LibRaw::sony_arw2_load_raw)\n maximum = curve[maximum];\n }\n if (maximum > 0xffff)\n maximum = 0xffff;\n if (!load_raw || height < 22 || width < 22 ||\n (tiff_bps > 16 &&\n (load_raw != &LibRaw::deflate_dng_load_raw &&\n load_raw != &LibRaw::float_dng_load_raw_placeholder)) ||\n tiff_samples > 6 || colors > 4)\n is_raw = 0;\n\n if (raw_width < 22 || raw_width > 64000 || raw_height < 22 ||\n pixel_aspect < 0.1 || pixel_aspect > 10. ||\n raw_height > 64000)\n is_raw = 0;\n\n#ifdef NO_JASPER\n if (load_raw == &LibRaw::redcine_load_raw)\n {\n is_raw = 0;\n imgdata.process_warnings |= LIBRAW_WARN_NO_JASPER;\n }\n#endif\n#ifdef NO_JPEG\n if (load_raw == &LibRaw::kodak_jpeg_load_raw ||\n load_raw == &LibRaw::lossy_dng_load_raw)\n {\n is_raw = 0;\n imgdata.process_warnings |= LIBRAW_WARN_NO_JPEGLIB;\n }\n#endif\n if (!cdesc[0])\n strcpy(cdesc, colors == 3 ? 
\"RGBG\" : \"GMCY\");\n if (!raw_height)\n raw_height = height;\n if (!raw_width)\n raw_width = width;\n if (filters > 999 && colors == 3)\n filters |= ((filters >> 2 & 0x22222222) | (filters << 2 & 0x88888888)) &\n filters << 1;\nnotraw:\n if (flip == (int)UINT_MAX)\n flip = tiff_flip;\n if (flip == (int)UINT_MAX)\n flip = 0;\n\n // Convert from degrees to bit-field if needed\n if (flip > 89 || flip < -89)\n {\n switch ((flip + 3600) % 360)\n {\n case 270:\n flip = 5;\n break;\n case 180:\n flip = 3;\n break;\n case 90:\n flip = 6;\n break;\n }\n }\n\n if (pana_bpp)\n imgdata.color.raw_bps = pana_bpp;\n else if ((load_raw == &LibRaw::phase_one_load_raw) ||\n (load_raw == &LibRaw::phase_one_load_raw_c))\n imgdata.color.raw_bps = ph1.format;\n else\n imgdata.color.raw_bps = tiff_bps;\n\n RUN_CALLBACK(LIBRAW_PROGRESS_IDENTIFY, 1, 2);\n}", "project": "LibRaw", "hash": 211540252267248340494288106785302692702, "size": 1041, "commit_id": "4feaed4dea636cee4fee010f615881ccf76a096d", "message": "limit loops to MIN(colors,4) in dng fields parser", "target": 0, "dataset": "other", "idx": 482362 }, { "func": "static void io_queue_async_work(struct io_kiocb *req)\n{\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tstruct io_kiocb *link = io_prep_linked_timeout(req);\n\tstruct io_uring_task *tctx = req->task->io_uring;\n\n\tBUG_ON(!tctx);\n\tBUG_ON(!tctx->io_wq);\n\n\t/* init ->work of the whole link before punting */\n\tio_prep_async_link(req);\n\ttrace_io_uring_queue_async_work(ctx, io_wq_is_hashed(&req->work), req,\n\t\t\t\t\t&req->work, req->flags);\n\tio_wq_enqueue(tctx->io_wq, &req->work);\n\tif (link)\n\t\tio_queue_linked_timeout(link);\n}", "project": "linux", "hash": 275168438570489230130557898561919709825, "size": 17, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338582 }, { "func": "static int tty_cdev_add(struct tty_driver *driver, dev_t dev,\n\t\tunsigned int index, unsigned int count)\n{\n\tint err;\n\n\t/* init here, since reused cdevs cause crashes */\n\tdriver->cdevs[index] = cdev_alloc();\n\tif (!driver->cdevs[index])\n\t\treturn -ENOMEM;\n\tdriver->cdevs[index]->ops = &tty_fops;\n\tdriver->cdevs[index]->owner = driver->owner;\n\terr = cdev_add(driver->cdevs[index], dev, count);\n\tif (err)\n\t\tkobject_put(&driver->cdevs[index]->kobj);\n\treturn err;\n}", "project": "linux", "hash": 300946371934539339801311034989642249880, "size": 16, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. 
(Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326021 }, { "func": "LUA_API int lua_resume (lua_State *L, lua_State *from, int nargs,\n int *nresults) {\n int status;\n lua_lock(L);\n if (L->status == LUA_OK) { /* may be starting a coroutine */\n if (L->ci != &L->base_ci) /* not in base level? */\n return resume_error(L, \"cannot resume non-suspended coroutine\", nargs);\n else if (L->top - (L->ci->func + 1) == nargs) /* no function? */\n return resume_error(L, \"cannot resume dead coroutine\", nargs);\n }\n else if (L->status != LUA_YIELD) /* ended with errors? */\n return resume_error(L, \"cannot resume dead coroutine\", nargs);\n if (from == NULL)\n L->nCcalls = CSTACKTHREAD;\n else /* correct 'nCcalls' for this thread */\n L->nCcalls = getCcalls(from) - L->nci - CSTACKCF;\n if (L->nCcalls <= CSTACKERR)\n return resume_error(L, \"C stack overflow\", nargs);\n luai_userstateresume(L, nargs);\n api_checknelems(L, (L->status == LUA_OK) ? 
nargs + 1 : nargs);\n status = luaD_rawrunprotected(L, resume, &nargs);\n /* continue running after recoverable errors */\n while (errorstatus(status) && recover(L, status)) {\n /* unroll continuation */\n status = luaD_rawrunprotected(L, unroll, &status);\n }\n if (likely(!errorstatus(status)))\n lua_assert(status == L->status); /* normal end or yield */\n else { /* unrecoverable error */\n L->status = cast_byte(status); /* mark thread as 'dead' */\n luaD_seterrorobj(L, status, L->top); /* push error message */\n L->ci->top = L->top;\n }\n *nresults = (status == LUA_YIELD) ? L->ci->u2.nyield\n : cast_int(L->top - (L->ci->func + 1));\n lua_unlock(L);\n return status;\n}", "project": "lua", "hash": 246189224585848148512139342124533487624, "size": 38, "commit_id": "34affe7a63fc5d842580a9f23616d057e17dfe27", "message": "Fixed bug: 'luaD_callnoyield' called twice in a row\n\nIn luaD_callnoyield, when there is a possible stack overflow, it\nzeros the number of CallInfos to force a check when calling the\nfunction. However, if the \"function\" is not a function, the code will\nraise an error before checking the stack. Then, the error handling calls\nluaD_callnoyield again and nCcalls is decremented again, crossing the\nstack redzone without raising an error. (This loop can only happens\nonce, because the error handler must be a function. 
But once is enough\nto cross the redzone.)", "target": 0, "dataset": "other", "idx": 454328 }, { "func": "static __poll_t ca8210_test_int_poll(\n\tstruct file *filp,\n\tstruct poll_table_struct *ptable\n)\n{\n\t__poll_t return_flags = 0;\n\tstruct ca8210_priv *priv = filp->private_data;\n\n\tpoll_wait(filp, &priv->test.readq, ptable);\n\tif (!kfifo_is_empty(&priv->test.up_fifo))\n\t\treturn_flags |= (EPOLLIN | EPOLLRDNORM);\n\tif (wait_event_interruptible(\n\t\tpriv->test.readq,\n\t\t!kfifo_is_empty(&priv->test.up_fifo))) {\n\t\treturn EPOLLERR;\n\t}\n\treturn return_flags;\n}", "project": "linux", "hash": 166873064520701296271260349675841634465, "size": 18, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408783 }, { "func": "static void nfs40_clear_delegation_stateid(struct nfs4_state *state)\n{\n\tif (rcu_access_pointer(NFS_I(state->inode)->delegation) != NULL)\n\t\tnfs_finish_clear_delegation_stateid(state, NULL);\n}", "project": "linux", "hash": 314755748286114755814267828879799745821, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431109 }, { "func": "static void 
hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_user_confirm_reply *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\thci_dev_lock(hdev);\n\n\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tmgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,\n\t\t\t\t\t\t ACL_LINK, 0, rp->status);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 308255396096855225377959318605758226747, "size": 15, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431951 }, { "func": "int bcf_update_info(const bcf_hdr_t *hdr, bcf1_t *line, const char *key, const void *values, int n, int type)\n{\n static int negative_rlen_warned = 0;\n int is_end_tag;\n\n // Is the field already present?\n int i, inf_id = bcf_hdr_id2int(hdr,BCF_DT_ID,key);\n if ( !bcf_hdr_idinfo_exists(hdr,BCF_HL_INFO,inf_id) ) return -1; // No such INFO field in the header\n if ( !(line->unpacked & BCF_UN_INFO) ) bcf_unpack(line, BCF_UN_INFO);\n\n is_end_tag = strcmp(key, \"END\") == 0;\n\n for (i=0; in_info; i++)\n if ( inf_id==line->d.info[i].key ) break;\n bcf_info_t *inf = i==line->n_info ? NULL : &line->d.info[i];\n\n if ( !n || (type==BCF_HT_STR && !values) )\n {\n if ( n==0 && is_end_tag )\n line->rlen = line->n_allele ? 
strlen(line->d.allele[0]) : 0;\n if ( inf )\n {\n // Mark the tag for removal, free existing memory if necessary\n if ( inf->vptr_free )\n {\n free(inf->vptr - inf->vptr_off);\n inf->vptr_free = 0;\n }\n line->d.shared_dirty |= BCF1_DIRTY_INF;\n inf->vptr = NULL;\n inf->vptr_off = inf->vptr_len = 0;\n }\n return 0;\n }\n\n if (is_end_tag)\n {\n if (n != 1)\n {\n hts_log_error(\"END info tag should only have one value at %s:%\"PRIhts_pos, bcf_seqname_safe(hdr,line), line->pos+1);\n line->errcode |= BCF_ERR_TAG_INVALID;\n return -1;\n }\n if (type != BCF_HT_INT && type != BCF_HT_LONG)\n {\n hts_log_error(\"Wrong type (%d) for END info tag at %s:%\"PRIhts_pos, type, bcf_seqname_safe(hdr,line), line->pos+1);\n line->errcode |= BCF_ERR_TAG_INVALID;\n return -1;\n }\n }\n\n // Encode the values and determine the size required to accommodate the values\n kstring_t str = {0,0,0};\n bcf_enc_int1(&str, inf_id);\n if ( type==BCF_HT_INT )\n bcf_enc_vint(&str, n, (int32_t*)values, -1);\n else if ( type==BCF_HT_REAL )\n bcf_enc_vfloat(&str, n, (float*)values);\n else if ( type==BCF_HT_FLAG || type==BCF_HT_STR )\n {\n if ( values==NULL )\n bcf_enc_size(&str, 0, BCF_BT_NULL);\n else\n bcf_enc_vchar(&str, strlen((char*)values), (char*)values);\n }\n#ifdef VCF_ALLOW_INT64\n else if ( type==BCF_HT_LONG )\n {\n if (n != 1) {\n hts_log_error(\"Only storing a single BCF_HT_LONG value is supported at %s:%\"PRIhts_pos, bcf_seqname_safe(hdr,line), line->pos+1);\n abort();\n }\n bcf_enc_long1(&str, *(int64_t *) values);\n }\n#endif\n else\n {\n hts_log_error(\"The type %d not implemented yet at %s:%\"PRIhts_pos, type, bcf_seqname_safe(hdr,line), line->pos+1);\n abort();\n }\n\n // Is the INFO tag already present\n if ( inf )\n {\n // Is it big enough to accommodate new block?\n if ( str.l <= inf->vptr_len + inf->vptr_off )\n {\n if ( str.l != inf->vptr_len + inf->vptr_off ) line->d.shared_dirty |= BCF1_DIRTY_INF;\n uint8_t *ptr = inf->vptr - inf->vptr_off;\n memcpy(ptr, str.s, str.l);\n 
free(str.s);\n int vptr_free = inf->vptr_free;\n bcf_unpack_info_core1(ptr, inf);\n inf->vptr_free = vptr_free;\n }\n else\n {\n if ( inf->vptr_free )\n free(inf->vptr - inf->vptr_off);\n bcf_unpack_info_core1((uint8_t*)str.s, inf);\n inf->vptr_free = 1;\n line->d.shared_dirty |= BCF1_DIRTY_INF;\n }\n }\n else\n {\n // The tag is not present, create new one\n line->n_info++;\n hts_expand0(bcf_info_t, line->n_info, line->d.m_info , line->d.info);\n inf = &line->d.info[line->n_info-1];\n bcf_unpack_info_core1((uint8_t*)str.s, inf);\n inf->vptr_free = 1;\n line->d.shared_dirty |= BCF1_DIRTY_INF;\n }\n line->unpacked |= BCF_UN_INFO;\n\n if ( n==1 && is_end_tag) {\n hts_pos_t end = type == BCF_HT_INT ? *(int32_t *) values : *(int64_t *) values;\n if ( (type == BCF_HT_INT && end!=bcf_int32_missing) || (type == BCF_HT_LONG && end!=bcf_int64_missing) )\n {\n if ( end <= line->pos )\n {\n if ( !negative_rlen_warned )\n {\n hts_log_warning(\"INFO/END=%\"PRIhts_pos\" is smaller than POS at %s:%\"PRIhts_pos,end,bcf_seqname_safe(hdr,line),line->pos+1);\n negative_rlen_warned = 1;\n }\n line->rlen = line->n_allele ? strlen(line->d.allele[0]) : 0;\n }\n else\n line->rlen = end - line->pos;\n }\n }\n return 0;\n}", "project": "htslib", "hash": 111752274623528464875113034271230118481, "size": 135, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402239 }, { "func": "static inline uint64_t nfs4_lock_length(struct file_lock *fl)\n{\n\tif (fl->fl_end == OFFSET_MAX)\n\t\treturn ~(uint64_t)0;\n\treturn fl->fl_end - fl->fl_start + 1;\n}", "project": "linux", "hash": 149895504065681179920142427215734785828, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431154 }, { "func": "static void hci_sync_conn_complete_evt(struct hci_dev *hdev,\n\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_sync_conn_complete *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);\n\tif (!conn) {\n\t\tif (ev->link_type == ESCO_LINK)\n\t\t\tgoto unlock;\n\n\t\t/* When the link type in the event indicates SCO connection\n\t\t * and lookup of the connection object fails, then check\n\t\t * if an eSCO connection object exists.\n\t\t *\n\t\t * The core limits the synchronous connections to either\n\t\t * SCO or eSCO. 
The eSCO connection is preferred and tried\n\t\t * to be setup first and until successfully established,\n\t\t * the link type will be hinted as eSCO.\n\t\t */\n\t\tconn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);\n\t\tif (!conn)\n\t\t\tgoto unlock;\n\t}\n\n\tswitch (ev->status) {\n\tcase 0x00:\n\t\tconn->handle = __le16_to_cpu(ev->handle);\n\t\tconn->state = BT_CONNECTED;\n\t\tconn->type = ev->link_type;\n\n\t\thci_debugfs_create_conn(conn);\n\t\thci_conn_add_sysfs(conn);\n\t\tbreak;\n\n\tcase 0x10:\t/* Connection Accept Timeout */\n\tcase 0x0d:\t/* Connection Rejected due to Limited Resources */\n\tcase 0x11:\t/* Unsupported Feature or Parameter Value */\n\tcase 0x1c:\t/* SCO interval rejected */\n\tcase 0x1a:\t/* Unsupported Remote Feature */\n\tcase 0x1e:\t/* Invalid LMP Parameters */\n\tcase 0x1f:\t/* Unspecified error */\n\tcase 0x20:\t/* Unsupported LMP Parameter value */\n\t\tif (conn->out) {\n\t\t\tconn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |\n\t\t\t\t\t(hdev->esco_type & EDR_ESCO_MASK);\n\t\t\tif (hci_setup_sync(conn, conn->link->handle))\n\t\t\t\tgoto unlock;\n\t\t}\n\t\t/* fall through */\n\n\tdefault:\n\t\tconn->state = BT_CLOSED;\n\t\tbreak;\n\t}\n\n\tbt_dev_dbg(hdev, \"SCO connected with air mode: %02x\", ev->air_mode);\n\n\tswitch (conn->setting & SCO_AIRMODE_MASK) {\n\tcase SCO_AIRMODE_CVSD:\n\t\tif (hdev->notify)\n\t\t\thdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);\n\t\tbreak;\n\tcase SCO_AIRMODE_TRANSP:\n\t\tif (hdev->notify)\n\t\t\thdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);\n\t\tbreak;\n\t}\n\n\thci_connect_cfm(conn, ev->status);\n\tif (ev->status)\n\t\thci_conn_del(conn);\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 218953412793929985656113093362392630024, "size": 80, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. 
A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431870 }, { "func": "static String exif_get_sectionname(int section) {\n switch(section) {\n case SECTION_FILE: return s_FILE;\n case SECTION_COMPUTED: return s_COMPUTED;\n case SECTION_ANY_TAG: return s_ANY_TAG;\n case SECTION_IFD0: return s_IFD0;\n case SECTION_THUMBNAIL: return s_THUMBNAIL;\n case SECTION_COMMENT: return s_COMMENT;\n case SECTION_APP0: return s_APP0;\n case SECTION_EXIF: return s_EXIF;\n case SECTION_FPIX: return s_FPIX;\n case SECTION_GPS: return s_GPS;\n case SECTION_INTEROP: return s_INTEROP;\n case SECTION_APP12: return s_APP12;\n case SECTION_WINXP: return s_WINXP;\n case SECTION_MAKERNOTE: return s_MAKERNOTE;\n }\n return empty_string();\n}", "project": "hhvm", "hash": 78810450034122239422548743671105480352, "size": 19, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219523 }, { "func": "static int pfkey_delete(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)\n{\n\tstruct net *net = sock_net(sk);\n\tstruct xfrm_state *x;\n\tstruct km_event c;\n\tint err;\n\n\tif (!ext_hdrs[SADB_EXT_SA-1] ||\n\t !present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],\n\t\t\t\t ext_hdrs[SADB_EXT_ADDRESS_DST-1]))\n\t\treturn -EINVAL;\n\n\tx = pfkey_xfrm_state_lookup(net, hdr, ext_hdrs);\n\tif (x == NULL)\n\t\treturn -ESRCH;\n\n\tif ((err = security_xfrm_state_delete(x)))\n\t\tgoto out;\n\n\tif 
(xfrm_state_kern(x)) {\n\t\terr = -EPERM;\n\t\tgoto out;\n\t}\n\n\terr = xfrm_state_delete(x);\n\n\tif (err < 0)\n\t\tgoto out;\n\n\tc.seq = hdr->sadb_msg_seq;\n\tc.portid = hdr->sadb_msg_pid;\n\tc.event = XFRM_MSG_DELSA;\n\tkm_state_notify(x, &c);\nout:\n\txfrm_audit_state_delete(x, err ? 0 : 1, true);\n\txfrm_state_put(x);\n\n\treturn err;\n}", "project": "linux", "hash": 150043973178224040228126200418931208424, "size": 39, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268040 }, { "func": " Item_int_with_ref(THD *thd, longlong i, Item *ref_arg, bool unsigned_arg):\n Item_int(thd, i), ref(ref_arg)\n {\n unsigned_flag= unsigned_arg;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 231900792443083261791045410829777190088, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509135 }, { "func": " Item_ref(THD *thd, Item_ref *item)\n :Item_ident(thd, item), set_properties_only(0), ref(item->ref) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 66086526274928446449026474987465055338, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509415 }, { "func": "static void execlists_init_reg_state(u32 *regs,\n\t\t\t\t const struct intel_context *ce,\n\t\t\t\t const struct intel_engine_cs *engine,\n\t\t\t\t const struct intel_ring *ring,\n\t\t\t\t bool close)\n{\n\t/*\n\t * A context is actually a big batch buffer with several\n\t * MI_LOAD_REGISTER_IMM commands followed by (reg, value) pairs. The\n\t * values we are setting here are only for the first context restore:\n\t * on a subsequent save, the GPU will recreate this batchbuffer with new\n\t * values (including all the missing MI_LOAD_REGISTER_IMM commands that\n\t * we are not initializing here).\n\t *\n\t * Must keep consistent with virtual_update_register_offsets().\n\t */\n\tu32 *bbe = set_offsets(regs, reg_offsets(engine), engine);\n\n\tif (close) { /* Close the batch; used mainly by live_lrc_layout() */\n\t\t*bbe = MI_BATCH_BUFFER_END;\n\t\tif (INTEL_GEN(engine->i915) >= 10)\n\t\t\t*bbe |= BIT(0);\n\t}\n\n\tinit_common_reg_state(regs, engine, ring);\n\tinit_ppgtt_reg_state(regs, vm_alias(ce->vm));\n\n\tinit_wa_bb_reg_state(regs, engine,\n\t\t\t INTEL_GEN(engine->i915) >= 12 ?\n\t\t\t GEN12_CTX_BB_PER_CTX_PTR :\n\t\t\t CTX_BB_PER_CTX_PTR);\n}", "project": "linux", "hash": 156269827870547847353134256969855752864, "size": 32, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281496 }, { "func": "static int sctp_setsockopt_reset_assoc(struct sock *sk, sctp_assoc_t *associd,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_association *asoc;\n\n\tif (optlen != sizeof(*associd))\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, *associd);\n\tif (!asoc)\n\t\treturn -EINVAL;\n\n\treturn sctp_send_reset_assoc(asoc);\n}", "project": "linux", "hash": 300454075650637905923628107470720838122, "size": 14, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398054 }, { "func": "static int nfs4_run_open_task(struct nfs4_opendata *data,\n\t\t\t struct nfs_open_context *ctx)\n{\n\tstruct inode *dir = d_inode(data->dir);\n\tstruct nfs_server *server = NFS_SERVER(dir);\n\tstruct nfs_openargs *o_arg = &data->o_arg;\n\tstruct nfs_openres *o_res = &data->o_res;\n\tstruct rpc_task *task;\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_OPEN],\n\t\t.rpc_argp = o_arg,\n\t\t.rpc_resp = o_res,\n\t\t.rpc_cred = data->owner->so_cred,\n\t};\n\tstruct rpc_task_setup task_setup_data = {\n\t\t.rpc_client = server->client,\n\t\t.rpc_message = &msg,\n\t\t.callback_ops = &nfs4_open_ops,\n\t\t.callback_data = data,\n\t\t.workqueue = nfsiod_workqueue,\n\t\t.flags = RPC_TASK_ASYNC | RPC_TASK_CRED_NOREF,\n\t};\n\tint status;\n\n\tkref_get(&data->kref);\n\tdata->rpc_done = false;\n\tdata->rpc_status = 0;\n\tdata->cancelled = false;\n\tdata->is_recover = false;\n\tif (!ctx) {\n\t\tnfs4_init_sequence(&o_arg->seq_args, &o_res->seq_res, 1, 1);\n\t\tdata->is_recover = true;\n\t\ttask_setup_data.flags |= RPC_TASK_TIMEOUT;\n\t} else {\n\t\tnfs4_init_sequence(&o_arg->seq_args, &o_res->seq_res, 1, 0);\n\t\tpnfs_lgopen_prepare(data, ctx);\n\t}\n\ttask = rpc_run_task(&task_setup_data);\n\tif (IS_ERR(task))\n\t\treturn PTR_ERR(task);\n\tstatus = rpc_wait_for_completion_task(task);\n\tif (status != 0) {\n\t\tdata->cancelled = true;\n\t\tsmp_wmb();\n\t} else\n\t\tstatus = data->rpc_status;\n\trpc_put_task(task);\n\n\treturn status;\n}", "project": "linux", "hash": 331223328672547486682093415041636692060, "size": 50, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up 
duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431113 }, { "func": "static int may_delete(struct inode *dir, struct dentry *victim, bool isdir)\n{\n\tstruct inode *inode = d_backing_inode(victim);\n\tint error;\n\n\tif (d_is_negative(victim))\n\t\treturn -ENOENT;\n\tBUG_ON(!inode);\n\n\tBUG_ON(victim->d_parent->d_inode != dir);\n\n\t/* Inode writeback is not safe when the uid or gid are invalid. */\n\tif (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid))\n\t\treturn -EOVERFLOW;\n\n\taudit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE);\n\n\terror = inode_permission(dir, MAY_WRITE | MAY_EXEC);\n\tif (error)\n\t\treturn error;\n\tif (IS_APPEND(dir))\n\t\treturn -EPERM;\n\n\tif (check_sticky(dir, inode) || IS_APPEND(inode) ||\n\t IS_IMMUTABLE(inode) || IS_SWAPFILE(inode) || HAS_UNMAPPED_ID(inode))\n\t\treturn -EPERM;\n\tif (isdir) {\n\t\tif (!d_is_dir(victim))\n\t\t\treturn -ENOTDIR;\n\t\tif (IS_ROOT(victim))\n\t\t\treturn -EBUSY;\n\t} else if (d_is_dir(victim))\n\t\treturn -EISDIR;\n\tif (IS_DEADDIR(dir))\n\t\treturn -ENOENT;\n\tif (victim->d_flags & DCACHE_NFSFS_RENAMED)\n\t\treturn -EBUSY;\n\treturn 0;\n}", "project": "linux", "hash": 210110107217058395017113024964593761898, "size": 39, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295361 }, { "func": "static int check_slab(struct kmem_cache *s, struct page *page)\n{\n\tint maxobj;\n\n\tVM_BUG_ON(!irqs_disabled());\n\n\tif (!PageSlab(page)) {\n\t\tslab_err(s, page, \"Not a valid slab page\");\n\t\treturn 0;\n\t}\n\n\tmaxobj = order_objects(compound_order(page), s->size);\n\tif (page->objects > maxobj) 
{\n\t\tslab_err(s, page, \"objects %u > max %u\",\n\t\t\tpage->objects, maxobj);\n\t\treturn 0;\n\t}\n\tif (page->inuse > page->objects) {\n\t\tslab_err(s, page, \"inuse %u > max %u\",\n\t\t\tpage->inuse, page->objects);\n\t\treturn 0;\n\t}\n\t/* Slab_pad_check fixes things up after itself */\n\tslab_pad_check(s, page);\n\treturn 1;\n}", "project": "linux", "hash": 74578022695515778607663151603674033378, "size": 26, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280147 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "SoftwareFrame::~SoftwareFrame() {\n if (frame_manager_client_) {\n frame_manager_client_->SoftwareFrameWasFreed(\n output_surface_id_, frame_id_);\n }\n}\n", "cwe": "", "big_vul_idx": 129977, "idx": 116288, "hash": 203727747676076058069916355025323104362 }, { "func": "static void encode_lookup(struct xdr_stream *xdr, const struct qstr *name, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_LOOKUP, decode_lookup_maxsz, hdr);\n\tencode_string(xdr, name->len, name->name);\n}", "project": "linux", "hash": 301241139042681873301547126259809394494, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr 
kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431092 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "int BlobURLRequestJob::ComputeBytesToRead() const {\n int64 current_item_remaining_bytes =\n item_length_list_[item_index_] - current_item_offset_;\n int bytes_to_read = (read_buf_remaining_bytes_ > current_item_remaining_bytes)\n ? static_cast(current_item_remaining_bytes)\n : read_buf_remaining_bytes_;\n if (bytes_to_read > remaining_bytes_)\n bytes_to_read = static_cast(remaining_bytes_);\n return bytes_to_read;\n}\n", "cwe": "", "big_vul_idx": 106407, "idx": 95560, "hash": 38904628908051643095424623688208160849 }, { "func": "static void nfs4_renew_done(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs4_renewdata *data = calldata;\n\tstruct nfs_client *clp = data->client;\n\tunsigned long timestamp = data->timestamp;\n\n\ttrace_nfs4_renew_async(clp, task->tk_status);\n\tswitch (task->tk_status) {\n\tcase 0:\n\t\tbreak;\n\tcase -NFS4ERR_LEASE_MOVED:\n\t\tnfs4_schedule_lease_moved_recovery(clp);\n\t\tbreak;\n\tdefault:\n\t\t/* Unless we're shutting down, schedule state recovery! 
*/\n\t\tif (test_bit(NFS_CS_RENEWD, &clp->cl_res_state) == 0)\n\t\t\treturn;\n\t\tif (task->tk_status != NFS4ERR_CB_PATH_DOWN) {\n\t\t\tnfs4_schedule_lease_recovery(clp);\n\t\t\treturn;\n\t\t}\n\t\tnfs4_schedule_path_down_recovery(clp);\n\t}\n\tdo_renew_lease(clp, timestamp);\n}", "project": "linux", "hash": 172280939732893382915192984690530666601, "size": 25, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431461 }, { "func": "static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_read_rssi *rp = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));\n\tif (conn)\n\t\tconn->rssi = rp->rssi;\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 222286455867122365014431888111861881891, "size": 18, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431977 }, { "func": "static int sctp_setsockopt_mappedv4(struct sock *sk, int *val,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\n\tif (optlen < sizeof(int))\n\t\treturn -EINVAL;\n\tif (*val)\n\t\tsp->v4mapped = 1;\n\telse\n\t\tsp->v4mapped = 0;\n\n\treturn 0;\n}", "project": "linux", "hash": 249701311290526417952839487179003496698, "size": 14, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398064 }, { "func": "static int on_fcn_delete (RAnal *_anal, void* _user, RAnalFunction *fcn) {\n\tRCore *core = (RCore*)_user;\n\tconst char *cmd = r_config_get (core->config, \"cmd.fcn.delete\");\n\tif (cmd && *cmd) {\n\t\tut64 oaddr = core->offset;\n\t\tut64 addr = fcn->addr;\n\t\tr_core_seek (core, addr, 1);\n\t\tr_core_cmd0 (core, cmd);\n\t\tr_core_seek (core, oaddr, 1);\n\t}\n\treturn 0;\n}", "project": "radare2", "hash": 281843144130837609988184248684972584019, "size": 12, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232148 }, { "func": "char* formatPackets(float numPkts, char *buf) {\n\n if(numPkts < 1000) {\n snprintf(buf, 32, \"%.2f\", numPkts);\n } else if(numPkts < (1000*1000)) {\n snprintf(buf, 32, \"%.2f K\", numPkts/1000);\n } else {\n numPkts /= (1000*1000);\n snprintf(buf, 32, \"%.2f M\", numPkts);\n }\n\n return(buf);\n}", "project": "nDPI", "hash": 161874237089337060160376846677327207266, "size": 13, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254842 }, { "func": "static void nfs4_xdr_enc_link(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t const void *data)\n{\n\tconst struct nfs4_link_arg *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_savefh(xdr, &hdr);\n\tencode_putfh(xdr, args->dir_fh, &hdr);\n\tencode_link(xdr, args->name, &hdr);\n\tencode_restorefh(xdr, &hdr);\n\tencode_getfattr(xdr, args->bitmask, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 
233013137869235835237117263253550635056, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431310 }, { "func": "void __hci_req_pause_adv_instances(struct hci_request *req)\n{\n\tbt_dev_dbg(req->hdev, \"Pausing advertising instances\");\n\n\t/* Call to disable any advertisements active on the controller.\n\t * This will succeed even if no advertisements are configured.\n\t */\n\t__hci_req_disable_advertising(req);\n\n\t/* If we are using software rotation, pause the loop */\n\tif (!ext_adv_capable(req->hdev))\n\t\tcancel_adv_timeout(req->hdev);\n}", "project": "linux", "hash": 207436539396529782482242971167225024929, "size": 13, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402552 }, { "func": "void LibRaw::parse_exif(int base)\n{\n unsigned entries, tag, type, len, save, c;\n double expo, ape;\n\n unsigned kodak = !strncmp(make, \"EASTMAN\", 7) && tiff_nifds < 3;\n\n entries = get2();\n if (!strncmp(make, \"Hasselblad\", 10) && (tiff_nifds > 3) && (entries > 512))\n return;\n INT64 fsize = ifp->size();\n while (entries--)\n {\n tiff_get(base, &tag, &type, &len, &save);\n\n INT64 savepos = ftell(ifp);\n if (len > 8 && savepos + len > fsize * 2)\n {\n fseek(ifp, save, SEEK_SET); // Recover tiff-read position!!\n continue;\n }\n if (callbacks.exif_cb)\n {\n callbacks.exif_cb(callbacks.exifparser_data, tag, type, len, order, ifp,\n base);\n fseek(ifp, savepos, SEEK_SET);\n }\n\n switch (tag)\n {\n\tcase 0xA005: // Interoperability IFD\n\t\tfseek(ifp, get4() + base, SEEK_SET);\n\t\tparse_exif_interop(base);\n\t\tbreak;\n\tcase 0xA001: // ExifIFD.ColorSpace\n\t\tc = get2();\n\t\tif (c == 1 && imgdata.color.ExifColorSpace == LIBRAW_COLORSPACE_Unknown)\n\t\t\timgdata.color.ExifColorSpace = LIBRAW_COLORSPACE_sRGB;\n\t\telse if (c == 2)\n\t\t\timgdata.color.ExifColorSpace = LIBRAW_COLORSPACE_AdobeRGB;\n\t\tbreak;\n case 0x9400:\n imCommon.exifAmbientTemperature = getreal(type);\n if ((imCommon.CameraTemperature > -273.15f) &&\n ((OlyID == OlyID_TG_5) ||\n (OlyID == OlyID_TG_6))\n )\n imCommon.CameraTemperature += imCommon.exifAmbientTemperature;\n break;\n case 0x9401:\n imCommon.exifHumidity = getreal(type);\n break;\n case 0x9402:\n imCommon.exifPressure = getreal(type);\n break;\n case 0x9403:\n imCommon.exifWaterDepth = getreal(type);\n break;\n case 0x9404:\n imCommon.exifAcceleration = getreal(type);\n break;\n case 0x9405:\n imCommon.exifCameraElevationAngle = getreal(type);\n break;\n\n case 
0xa405: // FocalLengthIn35mmFormat\n imgdata.lens.FocalLengthIn35mmFormat = get2();\n break;\n case 0xa431: // BodySerialNumber\n stmread(imgdata.shootinginfo.BodySerial, len, ifp);\n break;\n case 0xa432: // LensInfo, 42034dec, Lens Specification per EXIF standard\n imgdata.lens.MinFocal = getreal(type);\n imgdata.lens.MaxFocal = getreal(type);\n imgdata.lens.MaxAp4MinFocal = getreal(type);\n imgdata.lens.MaxAp4MaxFocal = getreal(type);\n break;\n case 0xa435: // LensSerialNumber\n stmread(imgdata.lens.LensSerial, len, ifp);\n if (!strncmp(imgdata.lens.LensSerial, \"----\", 4))\n imgdata.lens.LensSerial[0] = '\\0';\n break;\n case 0xa420: /* 42016, ImageUniqueID */\n stmread(imgdata.color.ImageUniqueID, len, ifp);\n break;\n case 0xc65d: /* 50781, RawDataUniqueID */\n imgdata.color.RawDataUniqueID[16] = 0;\n fread(imgdata.color.RawDataUniqueID, 1, 16, ifp);\n break;\n case 0xc630: // DNG LensInfo, Lens Specification per EXIF standard\n imgdata.lens.dng.MinFocal = getreal(type);\n imgdata.lens.dng.MaxFocal = getreal(type);\n imgdata.lens.dng.MaxAp4MinFocal = getreal(type);\n imgdata.lens.dng.MaxAp4MaxFocal = getreal(type);\n break;\n case 0xc68b: /* 50827, OriginalRawFileName */\n stmread(imgdata.color.OriginalRawFileName, len, ifp);\n break;\n case 0xa433: // LensMake\n stmread(imgdata.lens.LensMake, len, ifp);\n break;\n case 0xa434: // LensModel\n stmread(imgdata.lens.Lens, len, ifp);\n if (!strncmp(imgdata.lens.Lens, \"----\", 4))\n imgdata.lens.Lens[0] = '\\0';\n break;\n case 0x9205:\n imgdata.lens.EXIF_MaxAp = libraw_powf64l(2.0f, (getreal(type) / 2.0f));\n break;\n case 0x829a: // 33434\n tiff_ifd[tiff_nifds - 1].t_shutter = shutter = getreal(type);\n break;\n case 0x829d: // 33437, FNumber\n aperture = getreal(type);\n break;\n case 0x8827: // 34855\n iso_speed = get2();\n break;\n case 0x8831: // 34865\n if (iso_speed == 0xffff && !strncasecmp(make, \"FUJI\", 4))\n iso_speed = getreal(type);\n break;\n case 0x8832: // 34866\n if (iso_speed == 0xffff &&\n 
(!strncasecmp(make, \"SONY\", 4) || !strncasecmp(make, \"CANON\", 5)))\n iso_speed = getreal(type);\n break;\n case 0x9003: // 36867\n case 0x9004: // 36868\n get_timestamp(0);\n break;\n case 0x9201: // 37377\n if ((expo = -getreal(type)) < 128 && shutter == 0.)\n tiff_ifd[tiff_nifds - 1].t_shutter = shutter =\n libraw_powf64l(2.0, expo);\n break;\n case 0x9202: // 37378 ApertureValue\n if ((fabs(ape = getreal(type)) < 256.0) && (!aperture))\n aperture = libraw_powf64l(2.0, ape / 2);\n break;\n case 0x9209: // 37385\n flash_used = getreal(type);\n break;\n case 0x920a: // 37386\n focal_len = getreal(type);\n break;\n case 0x927c: // 37500\n if (((make[0] == '\\0') && !strncmp(model, \"ov5647\", 6)) ||\n (!strncmp(make, \"RaspberryPi\", 11) &&\n (!strncmp(model, \"RP_OV5647\", 9) ||\n !strncmp(model, \"RP_imx219\", 9))))\n {\n char mn_text[512];\n char *pos;\n char ccms[512];\n ushort l;\n float num;\n\n fgets(mn_text, MIN(len, 511), ifp);\n mn_text[511] = 0;\n\n pos = strstr(mn_text, \"gain_r=\");\n if (pos)\n cam_mul[0] = atof(pos + 7);\n pos = strstr(mn_text, \"gain_b=\");\n if (pos)\n cam_mul[2] = atof(pos + 7);\n if ((cam_mul[0] > 0.001f) && (cam_mul[2] > 0.001f))\n cam_mul[1] = cam_mul[3] = 1.0f;\n else\n cam_mul[0] = cam_mul[2] = 0.0f;\n\n pos = strstr(mn_text, \"ccm=\");\n if (pos)\n {\n pos += 4;\n char *pos2 = strstr(pos, \" \");\n if (pos2)\n {\n l = pos2 - pos;\n memcpy(ccms, pos, l);\n ccms[l] = '\\0';\n#ifdef LIBRAW_WIN32_CALLS\n // Win32 strtok is already thread-safe\n pos = strtok(ccms, \",\");\n#else\n char *last = 0;\n pos = strtok_r(ccms, \",\", &last);\n#endif\n if (pos)\n {\n for (l = 0; l < 4; l++)\n {\n num = 0.0;\n for (c = 0; c < 3; c++)\n {\n imgdata.color.ccm[l][c] = (float)atoi(pos);\n num += imgdata.color.ccm[l][c];\n#ifdef LIBRAW_WIN32_CALLS\n pos = strtok(NULL, \",\");\n#else\n pos = strtok_r(NULL, \",\", &last);\n#endif\n if (!pos)\n goto end; // broken\n }\n if (num > 0.01)\n FORC3 imgdata.color.ccm[l][c] = imgdata.color.ccm[l][c] / 
num;\n }\n }\n }\n }\n end:;\n }\n else if (!strncmp(make, \"SONY\", 4) &&\n (!strncmp(model, \"DSC-V3\", 6) || !strncmp(model, \"DSC-F828\", 8)))\n {\n parseSonySRF(len);\n break;\n }\n else if ((len == 1) && !strncmp(make, \"NIKON\", 5))\n {\n c = get4();\n if (c)\n fseek(ifp, c, SEEK_SET);\n is_NikonTransfer = 1;\n }\n parse_makernote(base, 0);\n break;\n case 0xa002: // 40962\n if (kodak)\n raw_width = get4();\n break;\n case 0xa003: // 40963\n if (kodak)\n raw_height = get4();\n break;\n case 0xa302: // 41730\n if (get4() == 0x20002)\n for (exif_cfa = c = 0; c < 8; c += 2)\n exif_cfa |= fgetc(ifp) * 0x01010101U << c;\n }\n fseek(ifp, save, SEEK_SET);\n }\n}", "project": "LibRaw", "hash": 182171441535201305274163229980614035603, "size": 245, "commit_id": "55f0a0c08974b8b79ebfa7762b555a1704b25fb2", "message": "possible buffer underrun in exif parser", "target": 1, "dataset": "other", "idx": 207309 }, { "func": "void LibRaw::parse_exif(int base)\n{\n unsigned entries, tag, type, len, save, c;\n double expo, ape;\n\n unsigned kodak = !strncmp(make, \"EASTMAN\", 7) && tiff_nifds < 3;\n\n entries = get2();\n if (!strncmp(make, \"Hasselblad\", 10) && (tiff_nifds > 3) && (entries > 512))\n return;\n INT64 fsize = ifp->size();\n while (entries--)\n {\n tiff_get(base, &tag, &type, &len, &save);\n\n INT64 savepos = ftell(ifp);\n if (len > 8 && savepos + len > fsize * 2)\n {\n fseek(ifp, save, SEEK_SET); // Recover tiff-read position!!\n continue;\n }\n if (callbacks.exif_cb)\n {\n callbacks.exif_cb(callbacks.exifparser_data, tag, type, len, order, ifp,\n base);\n fseek(ifp, savepos, SEEK_SET);\n }\n\n switch (tag)\n {\n\tcase 0xA005: // Interoperability IFD\n\t\tfseek(ifp, get4() + base, SEEK_SET);\n\t\tparse_exif_interop(base);\n\t\tbreak;\n\tcase 0xA001: // ExifIFD.ColorSpace\n\t\tc = get2();\n\t\tif (c == 1 && imgdata.color.ExifColorSpace == LIBRAW_COLORSPACE_Unknown)\n\t\t\timgdata.color.ExifColorSpace = LIBRAW_COLORSPACE_sRGB;\n\t\telse if (c == 
2)\n\t\t\timgdata.color.ExifColorSpace = LIBRAW_COLORSPACE_AdobeRGB;\n\t\tbreak;\n case 0x9400:\n imCommon.exifAmbientTemperature = getreal(type);\n if ((imCommon.CameraTemperature > -273.15f) &&\n ((OlyID == OlyID_TG_5) ||\n (OlyID == OlyID_TG_6))\n )\n imCommon.CameraTemperature += imCommon.exifAmbientTemperature;\n break;\n case 0x9401:\n imCommon.exifHumidity = getreal(type);\n break;\n case 0x9402:\n imCommon.exifPressure = getreal(type);\n break;\n case 0x9403:\n imCommon.exifWaterDepth = getreal(type);\n break;\n case 0x9404:\n imCommon.exifAcceleration = getreal(type);\n break;\n case 0x9405:\n imCommon.exifCameraElevationAngle = getreal(type);\n break;\n\n case 0xa405: // FocalLengthIn35mmFormat\n imgdata.lens.FocalLengthIn35mmFormat = get2();\n break;\n case 0xa431: // BodySerialNumber\n stmread(imgdata.shootinginfo.BodySerial, len, ifp);\n break;\n case 0xa432: // LensInfo, 42034dec, Lens Specification per EXIF standard\n imgdata.lens.MinFocal = getreal(type);\n imgdata.lens.MaxFocal = getreal(type);\n imgdata.lens.MaxAp4MinFocal = getreal(type);\n imgdata.lens.MaxAp4MaxFocal = getreal(type);\n break;\n case 0xa435: // LensSerialNumber\n stmread(imgdata.lens.LensSerial, len, ifp);\n if (!strncmp(imgdata.lens.LensSerial, \"----\", 4))\n imgdata.lens.LensSerial[0] = '\\0';\n break;\n case 0xa420: /* 42016, ImageUniqueID */\n stmread(imgdata.color.ImageUniqueID, len, ifp);\n break;\n case 0xc65d: /* 50781, RawDataUniqueID */\n imgdata.color.RawDataUniqueID[16] = 0;\n fread(imgdata.color.RawDataUniqueID, 1, 16, ifp);\n break;\n case 0xc630: // DNG LensInfo, Lens Specification per EXIF standard\n imgdata.lens.dng.MinFocal = getreal(type);\n imgdata.lens.dng.MaxFocal = getreal(type);\n imgdata.lens.dng.MaxAp4MinFocal = getreal(type);\n imgdata.lens.dng.MaxAp4MaxFocal = getreal(type);\n break;\n case 0xc68b: /* 50827, OriginalRawFileName */\n stmread(imgdata.color.OriginalRawFileName, len, ifp);\n break;\n case 0xa433: // LensMake\n 
stmread(imgdata.lens.LensMake, len, ifp);\n break;\n case 0xa434: // LensModel\n stmread(imgdata.lens.Lens, len, ifp);\n if (!strncmp(imgdata.lens.Lens, \"----\", 4))\n imgdata.lens.Lens[0] = '\\0';\n break;\n case 0x9205:\n imgdata.lens.EXIF_MaxAp = libraw_powf64l(2.0f, (getreal(type) / 2.0f));\n break;\n case 0x829a: // 33434\n shutter = getreal(type);\n if (tiff_nifds > 0 && tiff_nifds <= LIBRAW_IFD_MAXCOUNT)\n tiff_ifd[tiff_nifds - 1].t_shutter = shutter;\n break;\n case 0x829d: // 33437, FNumber\n aperture = getreal(type);\n break;\n case 0x8827: // 34855\n iso_speed = get2();\n break;\n case 0x8831: // 34865\n if (iso_speed == 0xffff && !strncasecmp(make, \"FUJI\", 4))\n iso_speed = getreal(type);\n break;\n case 0x8832: // 34866\n if (iso_speed == 0xffff &&\n (!strncasecmp(make, \"SONY\", 4) || !strncasecmp(make, \"CANON\", 5)))\n iso_speed = getreal(type);\n break;\n case 0x9003: // 36867\n case 0x9004: // 36868\n get_timestamp(0);\n break;\n case 0x9201: // 37377\n if ((expo = -getreal(type)) < 128 && shutter == 0.)\n {\n shutter = libraw_powf64l(2.0, expo);\n if (tiff_nifds > 0 && tiff_nifds <= LIBRAW_IFD_MAXCOUNT)\n tiff_ifd[tiff_nifds - 1].t_shutter = shutter;\n }\n break;\n case 0x9202: // 37378 ApertureValue\n if ((fabs(ape = getreal(type)) < 256.0) && (!aperture))\n aperture = libraw_powf64l(2.0, ape / 2);\n break;\n case 0x9209: // 37385\n flash_used = getreal(type);\n break;\n case 0x920a: // 37386\n focal_len = getreal(type);\n break;\n case 0x927c: // 37500\n if (((make[0] == '\\0') && !strncmp(model, \"ov5647\", 6)) ||\n (!strncmp(make, \"RaspberryPi\", 11) &&\n (!strncmp(model, \"RP_OV5647\", 9) ||\n !strncmp(model, \"RP_imx219\", 9))))\n {\n char mn_text[512];\n char *pos;\n char ccms[512];\n ushort l;\n float num;\n\n fgets(mn_text, MIN(len, 511), ifp);\n mn_text[511] = 0;\n\n pos = strstr(mn_text, \"gain_r=\");\n if (pos)\n cam_mul[0] = atof(pos + 7);\n pos = strstr(mn_text, \"gain_b=\");\n if (pos)\n cam_mul[2] = atof(pos + 7);\n if 
((cam_mul[0] > 0.001f) && (cam_mul[2] > 0.001f))\n cam_mul[1] = cam_mul[3] = 1.0f;\n else\n cam_mul[0] = cam_mul[2] = 0.0f;\n\n pos = strstr(mn_text, \"ccm=\");\n if (pos)\n {\n pos += 4;\n char *pos2 = strstr(pos, \" \");\n if (pos2)\n {\n l = pos2 - pos;\n memcpy(ccms, pos, l);\n ccms[l] = '\\0';\n#ifdef LIBRAW_WIN32_CALLS\n // Win32 strtok is already thread-safe\n pos = strtok(ccms, \",\");\n#else\n char *last = 0;\n pos = strtok_r(ccms, \",\", &last);\n#endif\n if (pos)\n {\n for (l = 0; l < 4; l++)\n {\n num = 0.0;\n for (c = 0; c < 3; c++)\n {\n imgdata.color.ccm[l][c] = (float)atoi(pos);\n num += imgdata.color.ccm[l][c];\n#ifdef LIBRAW_WIN32_CALLS\n pos = strtok(NULL, \",\");\n#else\n pos = strtok_r(NULL, \",\", &last);\n#endif\n if (!pos)\n goto end; // broken\n }\n if (num > 0.01)\n FORC3 imgdata.color.ccm[l][c] = imgdata.color.ccm[l][c] / num;\n }\n }\n }\n }\n end:;\n }\n else if (!strncmp(make, \"SONY\", 4) &&\n (!strncmp(model, \"DSC-V3\", 6) || !strncmp(model, \"DSC-F828\", 8)))\n {\n parseSonySRF(len);\n break;\n }\n else if ((len == 1) && !strncmp(make, \"NIKON\", 5))\n {\n c = get4();\n if (c)\n fseek(ifp, c, SEEK_SET);\n is_NikonTransfer = 1;\n }\n parse_makernote(base, 0);\n break;\n case 0xa002: // 40962\n if (kodak)\n raw_width = get4();\n break;\n case 0xa003: // 40963\n if (kodak)\n raw_height = get4();\n break;\n case 0xa302: // 41730\n if (get4() == 0x20002)\n for (exif_cfa = c = 0; c < 8; c += 2)\n exif_cfa |= fgetc(ifp) * 0x01010101U << c;\n }\n fseek(ifp, save, SEEK_SET);\n }\n}", "project": "LibRaw", "hash": 124973419188282141476335511350835218609, "size": 250, "commit_id": "55f0a0c08974b8b79ebfa7762b555a1704b25fb2", "message": "possible buffer underrun in exif parser", "target": 0, "dataset": "other", "idx": 395532 }, { "func": "uint32_t enc_untrusted_qe_get_quote_size(uint32_t *quote_size) {\n uint32_t result;\n CHECK_OCALL(ocall_enc_untrusted_qe_get_quote_size(&result, quote_size));\n return result;\n}", "project": "asylo", "hash": 
288819657861831006610231628288033825822, "size": 5, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232051 }, { "func": "static long do_set_mempolicy(unsigned short mode, unsigned short flags,\n\t\t\t nodemask_t *nodes)\n{\n\tstruct mempolicy *new, *old;\n\tNODEMASK_SCRATCH(scratch);\n\tint ret;\n\n\tif (!scratch)\n\t\treturn -ENOMEM;\n\n\tnew = mpol_new(mode, flags, nodes);\n\tif (IS_ERR(new)) {\n\t\tret = PTR_ERR(new);\n\t\tgoto out;\n\t}\n\n\ttask_lock(current);\n\tret = mpol_set_nodemask(new, nodes, scratch);\n\tif (ret) {\n\t\ttask_unlock(current);\n\t\tmpol_put(new);\n\t\tgoto out;\n\t}\n\told = current->mempolicy;\n\tcurrent->mempolicy = new;\n\tif (new && new->mode == MPOL_INTERLEAVE)\n\t\tcurrent->il_prev = MAX_NUMNODES-1;\n\ttask_unlock(current);\n\tmpol_put(old);\n\tret = 0;\nout:\n\tNODEMASK_SCRATCH_FREE(scratch);\n\treturn ret;\n}", "project": "linux", "hash": 25967355112867667073798447326252941491, "size": 34, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366744 }, { "func": "getname(const char __user * filename)\n{\n\treturn getname_flags(filename, 0, NULL);\n}", "project": "linux", "hash": 82828342163072647807650710156295307829, "size": 4, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295367 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "bool AudioContext::tryLock()\n{\n ASSERT(isAudioThread());\n if (!isAudioThread()) {\n lock();\n return true;\n }\n return m_contextGraphMutex.tryLock();\n}\n", "cwe": "", "big_vul_idx": 139694, "idx": 124842, "hash": 202954022761302649955775851095778979219 }, { "func": " inline const int32_t* DimsData() const {\n return size_ > kMaxSmallSize ? 
dims_pointer_ : dims_;\n }", "project": "tensorflow", "hash": 326177845889428239513422342478717562905, "size": 3, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269146 }, { "func": " inline int32_t* DimsData() {\n return size_ > kMaxSmallSize ? dims_pointer_ : dims_;\n }", "project": "tensorflow", "hash": 65406076754142136641562065203005688454, "size": 3, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269183 }, { "func": "static inline unsigned long kvm_dirty_bitmap_bytes(struct kvm_memory_slot *memslot)\n{\n\treturn ALIGN(memslot->npages, BITS_PER_LONG) / 8;\n}", "project": "linux", "hash": 333158663452903578394662795979830351876, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354833 }, { "func": "void PCRECache::reinit(CacheKind kind) {\n switch (m_kind) {\n case CacheKind::Static:\n if (m_staticCache.load()) {\n DestroyStatic(m_staticCache);\n m_staticCache = nullptr;\n }\n break;\n case CacheKind::Lru:\n m_lruCache.reset();\n break;\n case CacheKind::Scalable:\n m_scalableCache.reset();\n break;\n }\n m_kind = kind;\n\n switch (kind) {\n case CacheKind::Static:\n m_staticCache = CreateStatic();\n m_expire = time(nullptr) + RuntimeOption::EvalPCREExpireInterval;\n break;\n case CacheKind::Lru:\n m_lruCache.reset(new LRUCache(RuntimeOption::EvalPCRETableSize));\n break;\n case CacheKind::Scalable:\n m_scalableCache.reset(\n new 
ScalableCache(RuntimeOption::EvalPCRETableSize));\n break;\n }\n}", "project": "hhvm", "hash": 195107856226961872475164744600991308255, "size": 31, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219154 }, { "func": "JOIN::reinit()\n{\n DBUG_ENTER(\"JOIN::reinit\");\n\n unit->offset_limit_cnt= (ha_rows)(select_lex->offset_limit ?\n select_lex->offset_limit->val_uint() : 0);\n\n first_record= false;\n group_sent= false;\n cleaned= false;\n\n if (aggr_tables)\n {\n JOIN_TAB *curr_tab= join_tab + exec_join_tab_cnt();\n JOIN_TAB *end_tab= curr_tab + aggr_tables;\n for ( ; curr_tab < end_tab; curr_tab++)\n {\n TABLE *tmp_table= curr_tab->table;\n if (!tmp_table->is_created())\n continue;\n tmp_table->file->extra(HA_EXTRA_RESET_STATE);\n tmp_table->file->ha_delete_all_rows();\n }\n }\n clear_sj_tmp_tables(this);\n if (current_ref_ptrs != items0)\n {\n set_items_ref_array(items0);\n set_group_rpa= false;\n }\n\n /* need to reset ref access state (see join_read_key) */\n if (join_tab)\n {\n JOIN_TAB *tab;\n for (tab= first_linear_tab(this, WITH_BUSH_ROOTS, WITH_CONST_TABLES); tab;\n tab= next_linear_tab(this, tab, WITH_BUSH_ROOTS))\n {\n tab->ref.key_err= TRUE;\n }\n }\n\n /* Reset of sum functions */\n if (sum_funcs)\n {\n Item_sum *func, **func_ptr= sum_funcs;\n while ((func= *(func_ptr++)))\n func->clear();\n }\n\n if (no_rows_in_result_called)\n {\n /* Reset effect of possible no_rows_in_result() */\n List_iterator_fast it(fields_list);\n Item *item;\n no_rows_in_result_called= 0;\n while ((item= it++))\n item->restore_to_before_no_rows_in_result();\n }\n\n if (!(select_options & SELECT_DESCRIBE))\n if (init_ftfuncs(thd, select_lex, MY_TEST(order)))\n DBUG_RETURN(1);\n\n DBUG_RETURN(0);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 
44327050907890501976084427234605402541, "size": 66, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508717 }, { "func": "static int oidc_check_mixed_userid_oauth(request_rec *r, oidc_cfg *c) {\n\n\t/* get the bearer access token from the Authorization header */\n\tconst char *access_token = NULL;\n\tif (oidc_oauth_get_bearer_token(r, &access_token) == TRUE) {\n\n\t\tr->ap_auth_type = apr_pstrdup(r->pool, OIDC_AUTH_TYPE_OPENID_OAUTH20);\n\t\treturn oidc_oauth_check_userid(r, c, access_token);\n\t}\n\n\t/* no bearer token found: then treat this as a regular OIDC browser request */\n\tr->ap_auth_type = apr_pstrdup(r->pool, OIDC_AUTH_TYPE_OPENID_CONNECT);\n\treturn oidc_check_userid_openidc(r, c);\n}", "project": "mod_auth_openidc", "hash": 40142207305598433973836260097206883840, "size": 14, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381906 }, { "func": "static 
int oidc_check_mixed_userid_oauth(request_rec *r, oidc_cfg *c) {\n\n\t/* get the bearer access token from the Authorization header */\n\tconst char *access_token = NULL;\n\tif (oidc_oauth_get_bearer_token(r, &access_token) == TRUE)\n\t\treturn oidc_oauth_check_userid(r, c, access_token);\n\n\t/* no bearer token found: then treat this as a regular OIDC browser request */\n\treturn oidc_check_userid_openidc(r, c);\n}", "project": "mod_auth_openidc", "hash": 54917939507356350698194628861061985032, "size": 10, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447698 }, { "func": "ZEND_API zval * zend_throw_exception(zend_class_entry *exception_ce, char *message, long code TSRMLS_DC) /* {{{ */\n{\n\tzval *ex;\n\n\tMAKE_STD_ZVAL(ex);\n\tif (exception_ce) {\n\t\tif (!instanceof_function(exception_ce, default_exception_ce TSRMLS_CC)) {\n\t\t\tzend_error(E_NOTICE, \"Exceptions must be derived from the Exception base class\");\n\t\t\texception_ce = default_exception_ce;\n\t\t}\n\t} else {\n\t\texception_ce = default_exception_ce;\n\t}\n\tobject_init_ex(ex, exception_ce);\n\n\n\tif (message) {\n\t\tzend_update_property_string(default_exception_ce, ex, \"message\", sizeof(\"message\")-1, message TSRMLS_CC);\n\t}\n\tif (code) {\n\t\tzend_update_property_long(default_exception_ce, ex, \"code\", sizeof(\"code\")-1, code TSRMLS_CC);\n\t}\n\n\tzend_throw_exception_internal(ex TSRMLS_CC);\n\treturn ex;\n}", "project": "php-src", "hash": 61832353851167105318436025275961984568, "size": 26, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374457 }, { "func": "ZEND_METHOD(exception, __clone)\n{\n\t/* Should never be executable */\n\tzend_throw_exception(NULL, \"Cannot clone object using __clone()\", 0 TSRMLS_CC);\n}", "project": "php-src", "hash": 141800913809589761866232257457697710008, "size": 
5, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374459 }, { "func": "static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\tstruct discovery_state *discov = &hdev->discovery;\n\tstruct inquiry_entry *e;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\thci_conn_check_pending(hdev);\n\n\tif (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))\n\t\treturn;\n\n\tsmp_mb__after_atomic(); /* wake_up_bit advises about this barrier */\n\twake_up_bit(&hdev->flags, HCI_INQUIRY);\n\n\tif (!hci_dev_test_flag(hdev, HCI_MGMT))\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tif (discov->state != DISCOVERY_FINDING)\n\t\tgoto unlock;\n\n\tif (list_empty(&discov->resolve)) {\n\t\t/* When BR/EDR inquiry is active and no LE scanning is in\n\t\t * progress, then change discovery state to indicate completion.\n\t\t *\n\t\t * When running LE scanning and BR/EDR inquiry simultaneously\n\t\t * and the LE scan already finished, then change the discovery\n\t\t * state to indicate completion.\n\t\t */\n\t\tif (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||\n\t\t !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))\n\t\t\thci_discovery_set_state(hdev, DISCOVERY_STOPPED);\n\t\tgoto unlock;\n\t}\n\n\te = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);\n\tif (e && hci_resolve_name(hdev, e) == 0) {\n\t\te->name_state = NAME_PENDING;\n\t\thci_discovery_set_state(hdev, DISCOVERY_RESOLVING);\n\t} else {\n\t\t/* When BR/EDR inquiry is active and no LE scanning is in\n\t\t * progress, then change discovery state to indicate completion.\n\t\t *\n\t\t * When running LE scanning and BR/EDR inquiry simultaneously\n\t\t * and the LE scan already finished, then change the discovery\n\t\t * state to indicate completion.\n\t\t */\n\t\tif (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||\n\t\t !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, 
&hdev->quirks))\n\t\t\thci_discovery_set_state(hdev, DISCOVERY_STOPPED);\n\t}\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 46292200799998315790273646459443914633, "size": 58, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432019 }, { "func": "static long kvm_vm_ioctl(struct file *filp,\n\t\t\t unsigned int ioctl, unsigned long arg)\n{\n\tstruct kvm *kvm = filp->private_data;\n\tvoid __user *argp = (void __user *)arg;\n\tint r;\n\n\tif (kvm->mm != current->mm)\n\t\treturn -EIO;\n\tswitch (ioctl) {\n\tcase KVM_CREATE_VCPU:\n\t\tr = kvm_vm_ioctl_create_vcpu(kvm, arg);\n\t\tbreak;\n\tcase KVM_ENABLE_CAP: {\n\t\tstruct kvm_enable_cap cap;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&cap, argp, sizeof(cap)))\n\t\t\tgoto out;\n\t\tr = kvm_vm_ioctl_enable_cap_generic(kvm, &cap);\n\t\tbreak;\n\t}\n\tcase KVM_SET_USER_MEMORY_REGION: {\n\t\tstruct kvm_userspace_memory_region kvm_userspace_mem;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&kvm_userspace_mem, argp,\n\t\t\t\t\t\tsizeof(kvm_userspace_mem)))\n\t\t\tgoto out;\n\n\t\tr = kvm_vm_ioctl_set_memory_region(kvm, &kvm_userspace_mem);\n\t\tbreak;\n\t}\n\tcase KVM_GET_DIRTY_LOG: {\n\t\tstruct kvm_dirty_log log;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&log, argp, sizeof(log)))\n\t\t\tgoto out;\n\t\tr = kvm_vm_ioctl_get_dirty_log(kvm, &log);\n\t\tbreak;\n\t}\n#ifdef 
CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT\n\tcase KVM_CLEAR_DIRTY_LOG: {\n\t\tstruct kvm_clear_dirty_log log;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&log, argp, sizeof(log)))\n\t\t\tgoto out;\n\t\tr = kvm_vm_ioctl_clear_dirty_log(kvm, &log);\n\t\tbreak;\n\t}\n#endif\n#ifdef CONFIG_KVM_MMIO\n\tcase KVM_REGISTER_COALESCED_MMIO: {\n\t\tstruct kvm_coalesced_mmio_zone zone;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&zone, argp, sizeof(zone)))\n\t\t\tgoto out;\n\t\tr = kvm_vm_ioctl_register_coalesced_mmio(kvm, &zone);\n\t\tbreak;\n\t}\n\tcase KVM_UNREGISTER_COALESCED_MMIO: {\n\t\tstruct kvm_coalesced_mmio_zone zone;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&zone, argp, sizeof(zone)))\n\t\t\tgoto out;\n\t\tr = kvm_vm_ioctl_unregister_coalesced_mmio(kvm, &zone);\n\t\tbreak;\n\t}\n#endif\n\tcase KVM_IRQFD: {\n\t\tstruct kvm_irqfd data;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&data, argp, sizeof(data)))\n\t\t\tgoto out;\n\t\tr = kvm_irqfd(kvm, &data);\n\t\tbreak;\n\t}\n\tcase KVM_IOEVENTFD: {\n\t\tstruct kvm_ioeventfd data;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&data, argp, sizeof(data)))\n\t\t\tgoto out;\n\t\tr = kvm_ioeventfd(kvm, &data);\n\t\tbreak;\n\t}\n#ifdef CONFIG_HAVE_KVM_MSI\n\tcase KVM_SIGNAL_MSI: {\n\t\tstruct kvm_msi msi;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&msi, argp, sizeof(msi)))\n\t\t\tgoto out;\n\t\tr = kvm_send_userspace_msi(kvm, &msi);\n\t\tbreak;\n\t}\n#endif\n#ifdef __KVM_HAVE_IRQ_LINE\n\tcase KVM_IRQ_LINE_STATUS:\n\tcase KVM_IRQ_LINE: {\n\t\tstruct kvm_irq_level irq_event;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&irq_event, argp, sizeof(irq_event)))\n\t\t\tgoto out;\n\n\t\tr = kvm_vm_ioctl_irq_line(kvm, &irq_event,\n\t\t\t\t\tioctl == KVM_IRQ_LINE_STATUS);\n\t\tif (r)\n\t\t\tgoto out;\n\n\t\tr = -EFAULT;\n\t\tif (ioctl == KVM_IRQ_LINE_STATUS) {\n\t\t\tif (copy_to_user(argp, &irq_event, sizeof(irq_event)))\n\t\t\t\tgoto out;\n\t\t}\n\n\t\tr = 0;\n\t\tbreak;\n\t}\n#endif\n#ifdef CONFIG_HAVE_KVM_IRQ_ROUTING\n\tcase 
KVM_SET_GSI_ROUTING: {\n\t\tstruct kvm_irq_routing routing;\n\t\tstruct kvm_irq_routing __user *urouting;\n\t\tstruct kvm_irq_routing_entry *entries = NULL;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&routing, argp, sizeof(routing)))\n\t\t\tgoto out;\n\t\tr = -EINVAL;\n\t\tif (!kvm_arch_can_set_irq_routing(kvm))\n\t\t\tgoto out;\n\t\tif (routing.nr > KVM_MAX_IRQ_ROUTES)\n\t\t\tgoto out;\n\t\tif (routing.flags)\n\t\t\tgoto out;\n\t\tif (routing.nr) {\n\t\t\tr = -ENOMEM;\n\t\t\tentries = vmalloc(array_size(sizeof(*entries),\n\t\t\t\t\t\t routing.nr));\n\t\t\tif (!entries)\n\t\t\t\tgoto out;\n\t\t\tr = -EFAULT;\n\t\t\turouting = argp;\n\t\t\tif (copy_from_user(entries, urouting->entries,\n\t\t\t\t\t routing.nr * sizeof(*entries)))\n\t\t\t\tgoto out_free_irq_routing;\n\t\t}\n\t\tr = kvm_set_irq_routing(kvm, entries, routing.nr,\n\t\t\t\t\trouting.flags);\nout_free_irq_routing:\n\t\tvfree(entries);\n\t\tbreak;\n\t}\n#endif /* CONFIG_HAVE_KVM_IRQ_ROUTING */\n\tcase KVM_CREATE_DEVICE: {\n\t\tstruct kvm_create_device cd;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&cd, argp, sizeof(cd)))\n\t\t\tgoto out;\n\n\t\tr = kvm_ioctl_create_device(kvm, &cd);\n\t\tif (r)\n\t\t\tgoto out;\n\n\t\tr = -EFAULT;\n\t\tif (copy_to_user(argp, &cd, sizeof(cd)))\n\t\t\tgoto out;\n\n\t\tr = 0;\n\t\tbreak;\n\t}\n\tcase KVM_CHECK_EXTENSION:\n\t\tr = kvm_vm_ioctl_check_extension_generic(kvm, arg);\n\t\tbreak;\n\tdefault:\n\t\tr = kvm_arch_vm_ioctl(filp, ioctl, arg);\n\t}\nout:\n\treturn r;\n}", "project": "linux", "hash": 214333304072830174215332954608177463626, "size": 188, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically 
size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354676 }, { "func": "static long kvm_vm_ioctl(struct file *filp,\n\t\t\t unsigned int ioctl, unsigned long arg)\n{\n\tstruct kvm *kvm = filp->private_data;\n\tvoid __user *argp = (void __user *)arg;\n\tint r;\n\n\tif (kvm->mm != current->mm)\n\t\treturn -EIO;\n\tswitch (ioctl) {\n\tcase KVM_CREATE_VCPU:\n\t\tr = kvm_vm_ioctl_create_vcpu(kvm, arg);\n\t\tbreak;\n\tcase KVM_ENABLE_CAP: {\n\t\tstruct kvm_enable_cap cap;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&cap, argp, sizeof(cap)))\n\t\t\tgoto out;\n\t\tr = kvm_vm_ioctl_enable_cap_generic(kvm, &cap);\n\t\tbreak;\n\t}\n\tcase KVM_SET_USER_MEMORY_REGION: {\n\t\tstruct kvm_userspace_memory_region kvm_userspace_mem;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&kvm_userspace_mem, argp,\n\t\t\t\t\t\tsizeof(kvm_userspace_mem)))\n\t\t\tgoto out;\n\n\t\tr = kvm_vm_ioctl_set_memory_region(kvm, &kvm_userspace_mem);\n\t\tbreak;\n\t}\n\tcase KVM_GET_DIRTY_LOG: {\n\t\tstruct kvm_dirty_log log;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&log, argp, sizeof(log)))\n\t\t\tgoto out;\n\t\tr = kvm_vm_ioctl_get_dirty_log(kvm, &log);\n\t\tbreak;\n\t}\n#ifdef CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT\n\tcase KVM_CLEAR_DIRTY_LOG: {\n\t\tstruct kvm_clear_dirty_log log;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&log, argp, sizeof(log)))\n\t\t\tgoto out;\n\t\tr = kvm_vm_ioctl_clear_dirty_log(kvm, &log);\n\t\tbreak;\n\t}\n#endif\n#ifdef CONFIG_KVM_MMIO\n\tcase KVM_REGISTER_COALESCED_MMIO: {\n\t\tstruct kvm_coalesced_mmio_zone zone;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&zone, argp, sizeof(zone)))\n\t\t\tgoto out;\n\t\tr = kvm_vm_ioctl_register_coalesced_mmio(kvm, &zone);\n\t\tbreak;\n\t}\n\tcase KVM_UNREGISTER_COALESCED_MMIO: 
{\n\t\tstruct kvm_coalesced_mmio_zone zone;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&zone, argp, sizeof(zone)))\n\t\t\tgoto out;\n\t\tr = kvm_vm_ioctl_unregister_coalesced_mmio(kvm, &zone);\n\t\tbreak;\n\t}\n#endif\n\tcase KVM_IRQFD: {\n\t\tstruct kvm_irqfd data;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&data, argp, sizeof(data)))\n\t\t\tgoto out;\n\t\tr = kvm_irqfd(kvm, &data);\n\t\tbreak;\n\t}\n\tcase KVM_IOEVENTFD: {\n\t\tstruct kvm_ioeventfd data;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&data, argp, sizeof(data)))\n\t\t\tgoto out;\n\t\tr = kvm_ioeventfd(kvm, &data);\n\t\tbreak;\n\t}\n#ifdef CONFIG_HAVE_KVM_MSI\n\tcase KVM_SIGNAL_MSI: {\n\t\tstruct kvm_msi msi;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&msi, argp, sizeof(msi)))\n\t\t\tgoto out;\n\t\tr = kvm_send_userspace_msi(kvm, &msi);\n\t\tbreak;\n\t}\n#endif\n#ifdef __KVM_HAVE_IRQ_LINE\n\tcase KVM_IRQ_LINE_STATUS:\n\tcase KVM_IRQ_LINE: {\n\t\tstruct kvm_irq_level irq_event;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&irq_event, argp, sizeof(irq_event)))\n\t\t\tgoto out;\n\n\t\tr = kvm_vm_ioctl_irq_line(kvm, &irq_event,\n\t\t\t\t\tioctl == KVM_IRQ_LINE_STATUS);\n\t\tif (r)\n\t\t\tgoto out;\n\n\t\tr = -EFAULT;\n\t\tif (ioctl == KVM_IRQ_LINE_STATUS) {\n\t\t\tif (copy_to_user(argp, &irq_event, sizeof(irq_event)))\n\t\t\t\tgoto out;\n\t\t}\n\n\t\tr = 0;\n\t\tbreak;\n\t}\n#endif\n#ifdef CONFIG_HAVE_KVM_IRQ_ROUTING\n\tcase KVM_SET_GSI_ROUTING: {\n\t\tstruct kvm_irq_routing routing;\n\t\tstruct kvm_irq_routing __user *urouting;\n\t\tstruct kvm_irq_routing_entry *entries = NULL;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&routing, argp, sizeof(routing)))\n\t\t\tgoto out;\n\t\tr = -EINVAL;\n\t\tif (!kvm_arch_can_set_irq_routing(kvm))\n\t\t\tgoto out;\n\t\tif (routing.nr > KVM_MAX_IRQ_ROUTES)\n\t\t\tgoto out;\n\t\tif (routing.flags)\n\t\t\tgoto out;\n\t\tif (routing.nr) {\n\t\t\turouting = argp;\n\t\t\tentries = vmemdup_user(urouting->entries,\n\t\t\t\t\t array_size(sizeof(*entries),\n\t\t\t\t\t\t\t 
routing.nr));\n\t\t\tif (IS_ERR(entries)) {\n\t\t\t\tr = PTR_ERR(entries);\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t}\n\t\tr = kvm_set_irq_routing(kvm, entries, routing.nr,\n\t\t\t\t\trouting.flags);\n\t\tkvfree(entries);\n\t\tbreak;\n\t}\n#endif /* CONFIG_HAVE_KVM_IRQ_ROUTING */\n\tcase KVM_CREATE_DEVICE: {\n\t\tstruct kvm_create_device cd;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&cd, argp, sizeof(cd)))\n\t\t\tgoto out;\n\n\t\tr = kvm_ioctl_create_device(kvm, &cd);\n\t\tif (r)\n\t\t\tgoto out;\n\n\t\tr = -EFAULT;\n\t\tif (copy_to_user(argp, &cd, sizeof(cd)))\n\t\t\tgoto out;\n\n\t\tr = 0;\n\t\tbreak;\n\t}\n\tcase KVM_CHECK_EXTENSION:\n\t\tr = kvm_vm_ioctl_check_extension_generic(kvm, arg);\n\t\tbreak;\n\tcase KVM_RESET_DIRTY_RINGS:\n\t\tr = kvm_vm_ioctl_reset_dirty_pages(kvm);\n\t\tbreak;\n\tdefault:\n\t\tr = kvm_arch_vm_ioctl(filp, ioctl, arg);\n\t}\nout:\n\treturn r;\n}", "project": "linux", "hash": 247087096162755537454295086043416091569, "size": 188, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404048 }, { "func": "static void tcp_ratehalving_spur_to_response(struct sock *sk)\n{\n\ttcp_enter_cwr(sk, 0);\n}", "project": "net-next", "hash": 207288996808135963008066777432050092438, "size": 4, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409898 }, { "func": "static void hash_rlp_list_length(uint32_t length) {\n uint8_t buf[4];\n if (length <= 55) {\n buf[0] = 0xc0 + length;\n hash_data(buf, 1);\n } else if (length <= 0xff) {\n buf[0] = 0xf7 + 1;\n buf[1] = length;\n hash_data(buf, 2);\n } else if (length <= 0xffff) {\n buf[0] = 0xf7 + 2;\n buf[1] = length >> 8;\n buf[2] = length & 0xff;\n hash_data(buf, 3);\n } else {\n buf[0] = 0xf7 + 3;\n buf[1] = length >> 16;\n buf[2] = length >> 8;\n buf[3] = length & 0xff;\n hash_data(buf, 4);\n }\n}", "project": "keepkey-firmware", "hash": 219686520433671529143793409112813842246, "size": 22, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220889 }, { "func": "void opj_tcd_rateallocate_fixed(opj_tcd_t *tcd)\n{\n OPJ_UINT32 layno;\n\n for (layno = 0; layno < tcd->tcp->numlayers; layno++) {\n opj_tcd_makelayer_fixed(tcd, layno, 1);\n }\n}", "project": "openjpeg", "hash": 39867254955728981107529174027010276236, "size": 8, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359183 }, { "func": "static int get_tag_value(char *buf, int buf_size,\n const char *str, const char *tag,\n const char *stopchars)\n{\n const char *p;\n char *q;\n p = strstr(str, tag);\n if (!p)\n return -1;\n p += strlen(tag);\n while (qemu_isspace(*p))\n p++;\n q = buf;\n while (*p != '\\0' && !strchr(stopchars, *p)) {\n if ((q - buf) < (buf_size - 1))\n *q++ = *p;\n p++;\n }\n *q = '\\0';\n return q - buf;\n}", "project": "qemu", "hash": 175451434343861082548218437347527070484, "size": 21, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346275 }, { "func": "CtPtr ProtocolV1::handle_tag_ack(char *buffer, int r) {\n ldout(cct, 20) << __func__ << \" r=\" << r << dendl;\n\n if (r < 0) {\n ldout(cct, 1) << __func__ << \" read ack seq failed\" << dendl;\n return _fault();\n }\n\n ceph_le64 seq;\n seq = *(ceph_le64 *)buffer;\n ldout(cct, 20) << __func__ << \" got ACK\" << dendl;\n\n ldout(cct, 15) << __func__ << \" got ack seq \" << seq << dendl;\n // trim sent list\n static const int max_pending = 128;\n int i = 0;\n auto now = ceph::mono_clock::now();\n Message *pending[max_pending];\n connection->write_lock.lock();\n while (!sent.empty() && sent.front()->get_seq() <= seq && i < max_pending) {\n Message *m = sent.front();\n sent.pop_front();\n pending[i++] = m;\n ldout(cct, 10) << __func__ << \" got ack seq \" << seq\n << \" >= \" << m->get_seq() << \" on \" << m << \" \" << *m\n << dendl;\n }\n connection->write_lock.unlock();\n connection->logger->tinc(l_msgr_handle_ack_lat, ceph::mono_clock::now() - now);\n for (int k = 0; k < i; k++) {\n pending[k]->put();\n }\n\n return CONTINUE(wait_message);\n}", "project": "ceph", "hash": 239183021299729900366551994951709163452, "size": 35, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": "msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f 
(\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 0, "dataset": "other", "idx": 356898 }, { "func": "static void fuse_writepage_finish(struct fuse_mount *fm,\n\t\t\t\t struct fuse_writepage_args *wpa)\n{\n\tstruct fuse_args_pages *ap = &wpa->ia.ap;\n\tstruct inode *inode = wpa->inode;\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\tstruct backing_dev_info *bdi = inode_to_bdi(inode);\n\tint i;\n\n\tfor (i = 0; i < ap->num_pages; i++) {\n\t\tdec_wb_stat(&bdi->wb, WB_WRITEBACK);\n\t\tdec_node_page_state(ap->pages[i], NR_WRITEBACK_TEMP);\n\t\twb_writeout_inc(&bdi->wb);\n\t}\n\twake_up(&fi->page_waitq);\n}", "project": "linux", "hash": 56200556666891298228770214211671066556, "size": 16, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341923 }, { "project": "phosphor-host-ipmid", "commit_id": "b265455a2518ece7c004b43c144199ec980fc620", "target": 0, "func": "void PasswdMgr::checkAndReload(void)\n{\n std::time_t updatedTime = getUpdatedFileTime();\n if (fileLastUpdatedTime != updatedTime && updatedTime != -1)\n {\n log(\"Reloading password map list\");\n passwdMapList.clear();\n initPasswordMap();\n }\n}", "idx": 519585, "cwe": "CWE-276", "hash": 59189752934891254806547548292812718399, "dataset": "other" }, { "func": "void CSoundFile::Tremolo(ModChannel *pChn, uint32 param) const\n{\n\tif (param & 0x0F) pChn->nTremoloDepth = (param & 0x0F) << 2;\n\tif (param & 0xF0) pChn->nTremoloSpeed = (param >> 4) & 0x0F;\n\tpChn->dwFlags.set(CHN_TREMOLO);\n}", "project": "openmpt", "hash": 75789142215552320251147815242077565109, "size": 6, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255223 }, { "func": "ExecutionStatus Interpreter::casePutOwnGetterSetterByVal(\n Runtime 
*runtime,\n PinnedHermesValue *frameRegs,\n const inst::Inst *ip) {\n DefinePropertyFlags dpFlags{};\n dpFlags.setConfigurable = 1;\n dpFlags.configurable = 1;\n dpFlags.setEnumerable = 1;\n dpFlags.enumerable = ip->iPutOwnGetterSetterByVal.op5;\n\n MutableHandle getter(runtime);\n MutableHandle setter(runtime);\n if (LLVM_LIKELY(!O3REG(PutOwnGetterSetterByVal).isUndefined())) {\n dpFlags.setGetter = 1;\n getter = vmcast(O3REG(PutOwnGetterSetterByVal));\n }\n if (LLVM_LIKELY(!O4REG(PutOwnGetterSetterByVal).isUndefined())) {\n dpFlags.setSetter = 1;\n setter = vmcast(O4REG(PutOwnGetterSetterByVal));\n }\n assert(\n (dpFlags.setSetter || dpFlags.setGetter) &&\n \"No accessor set in PutOwnGetterSetterByVal\");\n\n auto res = PropertyAccessor::create(runtime, getter, setter);\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n\n auto accessor = runtime->makeHandle(*res);\n\n return JSObject::defineOwnComputed(\n Handle::vmcast(&O1REG(PutOwnGetterSetterByVal)),\n runtime,\n Handle<>(&O2REG(PutOwnGetterSetterByVal)),\n dpFlags,\n accessor)\n .getStatus();\n}", "project": "hermes", "hash": 142222387373310633506449001684521284390, "size": 38, "commit_id": "b2021df620824627f5a8c96615edbd1eb7fdddfc", "message": "Fix CVE-2020-1914 by using NEXTINST for SaveGeneratorLong\n\nSummary:\nIf `SaveGeneratorLong` was emitted, it would accidentally jump to the\nwrong next instruction, based on how long SaveGenerator was.\n\nMake a callout function to handle the common case, and handle the dispatch\nwithin each case of the interpreter loop.\n\nFixes CVE-2020-1914\n\nReviewed By: neildhar\n\nDifferential Revision: D24024242\n\nfbshipit-source-id: 3bcb88daa740f0d50e91771a49eb212551ce8bd8", "target": 0, "dataset": "other", "idx": 295517 }, { "func": "void fuse_dev_free(struct fuse_dev *fud)\n{\n\tstruct fuse_conn *fc = fud->fc;\n\n\tif (fc) 
{\n\t\tspin_lock(&fc->lock);\n\t\tlist_del(&fud->entry);\n\t\tspin_unlock(&fc->lock);\n\n\t\tfuse_conn_put(fc);\n\t}\n\tkfree(fud->pq.processing);\n\tkfree(fud);\n}", "project": "linux", "hash": 284256378330236747962764521809916825266, "size": 14, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342018 }, { "func": "static inline int bcf1_sync_filter(bcf1_t *line, kstring_t *str)\n{\n // typed vector of integers\n if ( line->d.n_flt ) {\n return bcf_enc_vint(str, line->d.n_flt, line->d.flt, -1);\n } else {\n return bcf_enc_vint(str, 0, 0, -1);\n }\n}", "project": "htslib", "hash": 258554228402137312857608773749669464809, "size": 9, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402140 }, { "func": "static int sctp_setsockopt_adaptation_layer(struct sock *sk,\n\t\t\t\t\t struct sctp_setadaptation *adapt,\n\t\t\t\t\t unsigned int optlen)\n{\n\tif (optlen != sizeof(struct sctp_setadaptation))\n\t\treturn -EINVAL;\n\n\tsctp_sk(sk)->adaptation_ind = adapt->ssb_adaptation_ind;\n\n\treturn 0;\n}", "project": "linux", "hash": 197672785505307455906163123062582777686, "size": 11, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398106 }, { "func": "bool imap_has_flag(struct ListHead *flag_list, const char *flag)\n{\n if (STAILQ_EMPTY(flag_list))\n return false;\n\n const size_t flaglen = mutt_str_len(flag);\n struct ListNode *np = NULL;\n STAILQ_FOREACH(np, flag_list, entries)\n {\n const size_t nplen = strlen(np->data);\n if ((flaglen >= nplen) && ((flag[nplen] == '\\0') || (flag[nplen] == ' ')) &&\n mutt_istrn_equal(np->data, flag, nplen))\n {\n return true;\n }\n\n if (mutt_str_equal(np->data, \"\\\\*\"))\n return true;\n }\n\n return false;\n}", "project": "neomutt", "hash": 290256714704913299898496010303005671117, "size": 22, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357039 }, { "func": "static OPJ_BOOL opj_j2k_exec(opj_j2k_t * p_j2k,\n opj_procedure_list_t * p_procedure_list,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n OPJ_BOOL(** l_procedure)(opj_j2k_t *, opj_stream_private_t *,\n opj_event_mgr_t *) = 00;\n OPJ_BOOL l_result = OPJ_TRUE;\n OPJ_UINT32 l_nb_proc, i;\n\n /* preconditions*/\n assert(p_procedure_list != 00);\n assert(p_j2k != 00);\n assert(p_stream != 00);\n assert(p_manager != 00);\n\n l_nb_proc = opj_procedure_list_get_nb_procedures(p_procedure_list);\n l_procedure = (OPJ_BOOL(**)(opj_j2k_t *, opj_stream_private_t *,\n opj_event_mgr_t *)) opj_procedure_list_get_first_procedure(p_procedure_list);\n\n for (i = 0; i < l_nb_proc; ++i) {\n l_result = l_result && ((*l_procedure)(p_j2k, p_stream, p_manager));\n ++l_procedure;\n }\n\n /* and clear the procedure list at the end.*/\n opj_procedure_list_clear(p_procedure_list);\n return l_result;\n}", "project": "openjpeg", "hash": 161779834282757740200273901900194395228, "size": 29, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": 
"opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357432 }, { "func": "static void tcp_collapse_ofo_queue(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct sk_buff *skb = skb_peek(&tp->out_of_order_queue);\n\tstruct sk_buff *head;\n\tu32 start, end;\n\n\tif (skb == NULL)\n\t\treturn;\n\n\tstart = TCP_SKB_CB(skb)->seq;\n\tend = TCP_SKB_CB(skb)->end_seq;\n\thead = skb;\n\n\tfor (;;) {\n\t\tstruct sk_buff *next = NULL;\n\n\t\tif (!skb_queue_is_last(&tp->out_of_order_queue, skb))\n\t\t\tnext = skb_queue_next(&tp->out_of_order_queue, skb);\n\t\tskb = next;\n\n\t\t/* Segment is terminated when we see gap or when\n\t\t * we are at the end of all the queue. */\n\t\tif (!skb ||\n\t\t after(TCP_SKB_CB(skb)->seq, end) ||\n\t\t before(TCP_SKB_CB(skb)->end_seq, start)) {\n\t\t\ttcp_collapse(sk, &tp->out_of_order_queue,\n\t\t\t\t head, skb, start, end);\n\t\t\thead = skb;\n\t\t\tif (!skb)\n\t\t\t\tbreak;\n\t\t\t/* Start new segment */\n\t\t\tstart = TCP_SKB_CB(skb)->seq;\n\t\t\tend = TCP_SKB_CB(skb)->end_seq;\n\t\t} else {\n\t\t\tif (before(TCP_SKB_CB(skb)->seq, start))\n\t\t\t\tstart = TCP_SKB_CB(skb)->seq;\n\t\t\tif (after(TCP_SKB_CB(skb)->end_seq, end))\n\t\t\t\tend = TCP_SKB_CB(skb)->end_seq;\n\t\t}\n\t}\n}", "project": "net-next", "hash": 39322149710380288390608094216607261037, "size": 42, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409934 }, { "func": "string SummarizeFunc(const NameAttrList& func) {\n std::vector entries;\n for (const auto& p : func.attr()) {\n entries.push_back(\n strings::StrCat(p.first, \"=\", SummarizeAttrValue(p.second)));\n }\n std::sort(entries.begin(), entries.end());\n return strings::StrCat(func.name(), \"[\", absl::StrJoin(entries, \", \"), \"]\");\n}", "project": "tensorflow", "hash": 155886311716808909246070482244099883578, "size": 9, "commit_id": "c2426bba00a01de6913738df8fa78e0215fcce02", "message": "Use `PartialTensorShape` instead of `TensorShape`.\n\n`TensorShape` constructor throws a CHECK-fail if shape is partial/overflows which the other doesn't. We are only determining the number of elements in the shape and partial shape should be used as it returns negative number when needed.\n\nPiperOrigin-RevId: 409205384\nChange-Id: Ia56542ff9ec758f2c9ffc7e4dcc9fa7eecd86e7b", "target": 0, "dataset": "other", "idx": 223169 }, { "func": "static void synic_update_vector(struct kvm_vcpu_hv_synic *synic,\n\t\t\t\tint vector)\n{\n\tif (vector < HV_SYNIC_FIRST_VALID_VECTOR)\n\t\treturn;\n\n\tif (synic_has_vector_connected(synic, vector))\n\t\t__set_bit(vector, synic->vec_bitmap);\n\telse\n\t\t__clear_bit(vector, synic->vec_bitmap);\n\n\tif (synic_has_vector_auto_eoi(synic, vector))\n\t\t__set_bit(vector, synic->auto_eoi_bitmap);\n\telse\n\t\t__clear_bit(vector, synic->auto_eoi_bitmap);\n}", "project": "linux", "hash": 94961511875398334292080210675071342492, "size": 16, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 
0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343493 }, { "func": " * %NULL on failure\n */\nstruct device *\niscsi_find_flashnode_conn(struct iscsi_bus_flash_session *fnode_sess)\n{", "project": "linux", "hash": 201289231005347630161995778916856414356, "size": 5, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379964 }, { "func": "int RGWPutObj_ObjStore_SWIFT::update_slo_segment_size(rgw_slo_entry& entry) {\n\n int r = 0;\n const string& path = entry.path;\n\n /* If the path starts with slashes, strip them all. */\n const size_t pos_init = path.find_first_not_of('/');\n\n if (pos_init == string::npos) {\n return -EINVAL;\n }\n\n const size_t pos_sep = path.find('/', pos_init);\n if (pos_sep == string::npos) {\n return -EINVAL;\n }\n\n string bucket_name = path.substr(pos_init, pos_sep - pos_init);\n string obj_name = path.substr(pos_sep + 1);\n\n rgw_bucket bucket;\n\n if (bucket_name.compare(s->bucket.name) != 0) {\n RGWBucketInfo bucket_info;\n map bucket_attrs;\n auto obj_ctx = store->svc.sysobj->init_obj_ctx();\n r = store->get_bucket_info(obj_ctx, s->user->user_id.tenant,\n\t\t\t bucket_name, bucket_info, nullptr,\n\t\t\t &bucket_attrs);\n if (r < 0) {\n ldpp_dout(this, 0) << \"could not get bucket info for bucket=\"\n\t\t\t << bucket_name << dendl;\n return r;\n }\n bucket = bucket_info.bucket;\n } else {\n bucket = s->bucket;\n }\n\n /* fetch the stored size of the seg (or error if not valid) */\n rgw_obj_key slo_key(obj_name);\n rgw_obj slo_seg(bucket, slo_key);\n\n /* no prefetch */\n RGWObjectCtx obj_ctx(store);\n obj_ctx.set_atomic(slo_seg);\n\n RGWRados::Object op_target(store, s->bucket_info, obj_ctx, slo_seg);\n RGWRados::Object::Read read_op(&op_target);\n\n bool compressed;\n RGWCompressionInfo cs_info;\n map attrs;\n uint64_t size_bytes{0};\n\n read_op.params.attrs = &attrs;\n read_op.params.obj_size = &size_bytes;\n\n r = read_op.prepare();\n if (r < 0) {\n return r;\n }\n\n r = rgw_compression_info_from_attrset(attrs, compressed, cs_info);\n if (r < 0) {\n return -EIO;\n }\n\n if (compressed) {\n size_bytes = cs_info.orig_size;\n }\n\n /* \"When the PUT operation sees the multipart-manifest=put query\n * parameter, it reads the request body and verifies that each\n * segment object exists and that the 
sizes and ETags match. If\n * there is a mismatch, the PUT operation fails.\"\n */\n if (entry.size_bytes &&\n (entry.size_bytes != size_bytes)) {\n return -EINVAL;\n }\n\n entry.size_bytes = size_bytes;\n\n return 0;\n} /* RGWPutObj_ObjStore_SWIFT::update_slo_segment_sizes */", "project": "ceph", "hash": 231768884442258682972355367982993061972, "size": 86, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448825 }, { "func": "void flush_signals(struct task_struct *t)\n{\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&t->sighand->siglock, flags);\n\tclear_tsk_thread_flag(t, TIF_SIGPENDING);\n\tflush_sigqueue(&t->pending);\n\tflush_sigqueue(&t->signal->shared_pending);\n\tspin_unlock_irqrestore(&t->sighand->siglock, flags);\n}", "project": "linux", "hash": 33557013210321045282740213812622920501, "size": 10, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375257 }, { "func": "static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_link_key_notify *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\tstruct link_key *key;\n\tbool persistent;\n\tu8 pin_len = 0;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);\n\tif (!conn)\n\t\tgoto unlock;\n\n\thci_conn_hold(conn);\n\tconn->disc_timeout = HCI_DISCONN_TIMEOUT;\n\thci_conn_drop(conn);\n\n\tset_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);\n\tconn_set_key(conn, ev->key_type, conn->pin_length);\n\n\tif (!hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tgoto unlock;\n\n\tkey = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,\n\t\t\t ev->key_type, pin_len, &persistent);\n\tif (!key)\n\t\tgoto unlock;\n\n\t/* Update connection information since adding the key will have\n\t * fixed up the type in the case of changed combination keys.\n\t */\n\tif (ev->key_type == HCI_LK_CHANGED_COMBINATION)\n\t\tconn_set_key(conn, 
key->type, key->pin_len);\n\n\tmgmt_new_link_key(hdev, key, persistent);\n\n\t/* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag\n\t * is set. If it's not set simply remove the key from the kernel\n\t * list (we've still notified user space about it but with\n\t * store_hint being 0).\n\t */\n\tif (key->type == HCI_LK_DEBUG_COMBINATION &&\n\t !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {\n\t\tlist_del_rcu(&key->list);\n\t\tkfree_rcu(key, rcu);\n\t\tgoto unlock;\n\t}\n\n\tif (persistent)\n\t\tclear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);\n\telse\n\t\tset_bit(HCI_CONN_FLUSH_KEY, &conn->flags);\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 174839375449306388382068850500105725447, "size": 59, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431955 }, { "func": "static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock)\n{\n\tstruct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_TX];\n\tstruct vhost_virtqueue *vq = &nvq->vq;\n\tunsigned out, in;\n\tint head;\n\tstruct msghdr msg = {\n\t\t.msg_name = NULL,\n\t\t.msg_namelen = 0,\n\t\t.msg_control = NULL,\n\t\t.msg_controllen = 0,\n\t\t.msg_flags = MSG_DONTWAIT,\n\t};\n\tstruct tun_msg_ctl ctl;\n\tsize_t len, total_len = 0;\n\tint err;\n\tstruct vhost_net_ubuf_ref *uninitialized_var(ubufs);\n\tbool zcopy_used;\n\tint sent_pkts = 0;\n\n\tdo {\n\t\tbool busyloop_intr;\n\n\t\t/* Release DMAs done buffers first */\n\t\tvhost_zerocopy_signal_used(net, vq);\n\n\t\tbusyloop_intr = false;\n\t\thead = get_tx_bufs(net, nvq, &msg, &out, &in, &len,\n\t\t\t\t &busyloop_intr);\n\t\t/* On error, stop handling until the next kick. */\n\t\tif (unlikely(head < 0))\n\t\t\tbreak;\n\t\t/* Nothing new? Wait for eventfd to tell us they refilled. 
*/\n\t\tif (head == vq->num) {\n\t\t\tif (unlikely(busyloop_intr)) {\n\t\t\t\tvhost_poll_queue(&vq->poll);\n\t\t\t} else if (unlikely(vhost_enable_notify(&net->dev, vq))) {\n\t\t\t\tvhost_disable_notify(&net->dev, vq);\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\n\t\tzcopy_used = len >= VHOST_GOODCOPY_LEN\n\t\t\t && !vhost_exceeds_maxpend(net)\n\t\t\t && vhost_net_tx_select_zcopy(net);\n\n\t\t/* use msg_control to pass vhost zerocopy ubuf info to skb */\n\t\tif (zcopy_used) {\n\t\t\tstruct ubuf_info *ubuf;\n\t\t\tubuf = nvq->ubuf_info + nvq->upend_idx;\n\n\t\t\tvq->heads[nvq->upend_idx].id = cpu_to_vhost32(vq, head);\n\t\t\tvq->heads[nvq->upend_idx].len = VHOST_DMA_IN_PROGRESS;\n\t\t\tubuf->callback = vhost_zerocopy_callback;\n\t\t\tubuf->ctx = nvq->ubufs;\n\t\t\tubuf->desc = nvq->upend_idx;\n\t\t\trefcount_set(&ubuf->refcnt, 1);\n\t\t\tmsg.msg_control = &ctl;\n\t\t\tctl.type = TUN_MSG_UBUF;\n\t\t\tctl.ptr = ubuf;\n\t\t\tmsg.msg_controllen = sizeof(ctl);\n\t\t\tubufs = nvq->ubufs;\n\t\t\tatomic_inc(&ubufs->refcount);\n\t\t\tnvq->upend_idx = (nvq->upend_idx + 1) % UIO_MAXIOV;\n\t\t} else {\n\t\t\tmsg.msg_control = NULL;\n\t\t\tubufs = NULL;\n\t\t}\n\t\ttotal_len += len;\n\t\tif (tx_can_batch(vq, total_len) &&\n\t\t likely(!vhost_exceeds_maxpend(net))) {\n\t\t\tmsg.msg_flags |= MSG_MORE;\n\t\t} else {\n\t\t\tmsg.msg_flags &= ~MSG_MORE;\n\t\t}\n\n\t\t/* TODO: Check specific error and bomb out unless ENOBUFS? 
*/\n\t\terr = sock->ops->sendmsg(sock, &msg, len);\n\t\tif (unlikely(err < 0)) {\n\t\t\tif (zcopy_used) {\n\t\t\t\tvhost_net_ubuf_put(ubufs);\n\t\t\t\tnvq->upend_idx = ((unsigned)nvq->upend_idx - 1)\n\t\t\t\t\t% UIO_MAXIOV;\n\t\t\t}\n\t\t\tvhost_discard_vq_desc(vq, 1);\n\t\t\tvhost_net_enable_vq(net, vq);\n\t\t\tbreak;\n\t\t}\n\t\tif (err != len)\n\t\t\tpr_debug(\"Truncated TX packet: \"\n\t\t\t\t \" len %d != %zd\\n\", err, len);\n\t\tif (!zcopy_used)\n\t\t\tvhost_add_used_and_signal(&net->dev, vq, head, 0);\n\t\telse\n\t\t\tvhost_zerocopy_signal_used(net, vq);\n\t\tvhost_net_tx_packet(net);\n\t} while (likely(!vhost_exceeds_weight(vq, ++sent_pkts, total_len)));\n}", "project": "linux", "hash": 274411127013263557824026009014729863032, "size": 99, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 441983 }, { "func": "static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,\n\t\t\tbdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle,\n\t\t\tu16 interval, u16 latency, u16 supervision_timeout)\n{\n\tstruct hci_conn_params *params;\n\tstruct hci_conn *conn;\n\tstruct smp_irk *irk;\n\tu8 addr_type;\n\n\thci_dev_lock(hdev);\n\n\t/* All controllers implicitly stop advertising in the event of a\n\t * connection, so ensure that the state bit is cleared.\n\t */\n\thci_dev_clear_flag(hdev, HCI_LE_ADV);\n\n\tconn = hci_lookup_le_connect(hdev);\n\tif (!conn) {\n\t\tconn = hci_conn_add(hdev, LE_LINK, bdaddr, role);\n\t\tif (!conn) {\n\t\t\tbt_dev_err(hdev, \"no memory for new connection\");\n\t\t\tgoto unlock;\n\t\t}\n\n\t\tconn->dst_type = bdaddr_type;\n\n\t\t/* If we didn't have a hci_conn object previously\n\t\t * but we're in master role this must be something\n\t\t * initiated using a white list. Since white list based\n\t\t * connections are not \"first class citizens\" we don't\n\t\t * have full tracking of them. 
Therefore, we go ahead\n\t\t * with a \"best effort\" approach of determining the\n\t\t * initiator address based on the HCI_PRIVACY flag.\n\t\t */\n\t\tif (conn->out) {\n\t\t\tconn->resp_addr_type = bdaddr_type;\n\t\t\tbacpy(&conn->resp_addr, bdaddr);\n\t\t\tif (hci_dev_test_flag(hdev, HCI_PRIVACY)) {\n\t\t\t\tconn->init_addr_type = ADDR_LE_DEV_RANDOM;\n\t\t\t\tbacpy(&conn->init_addr, &hdev->rpa);\n\t\t\t} else {\n\t\t\t\thci_copy_identity_address(hdev,\n\t\t\t\t\t\t\t &conn->init_addr,\n\t\t\t\t\t\t\t &conn->init_addr_type);\n\t\t\t}\n\t\t}\n\t} else {\n\t\tcancel_delayed_work(&conn->le_conn_timeout);\n\t}\n\n\tif (!conn->out) {\n\t\t/* Set the responder (our side) address type based on\n\t\t * the advertising address type.\n\t\t */\n\t\tconn->resp_addr_type = hdev->adv_addr_type;\n\t\tif (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {\n\t\t\t/* In case of ext adv, resp_addr will be updated in\n\t\t\t * Adv Terminated event.\n\t\t\t */\n\t\t\tif (!ext_adv_capable(hdev))\n\t\t\t\tbacpy(&conn->resp_addr, &hdev->random_addr);\n\t\t} else {\n\t\t\tbacpy(&conn->resp_addr, &hdev->bdaddr);\n\t\t}\n\n\t\tconn->init_addr_type = bdaddr_type;\n\t\tbacpy(&conn->init_addr, bdaddr);\n\n\t\t/* For incoming connections, set the default minimum\n\t\t * and maximum connection interval. They will be used\n\t\t * to check if the parameters are in range and if not\n\t\t * trigger the connection update procedure.\n\t\t */\n\t\tconn->le_conn_min_interval = hdev->le_conn_min_interval;\n\t\tconn->le_conn_max_interval = hdev->le_conn_max_interval;\n\t}\n\n\t/* Lookup the identity address from the stored connection\n\t * address and address type.\n\t *\n\t * When establishing connections to an identity address, the\n\t * connection procedure will store the resolvable random\n\t * address first. 
Now if it can be converted back into the\n\t * identity address, start using the identity address from\n\t * now on.\n\t */\n\tirk = hci_get_irk(hdev, &conn->dst, conn->dst_type);\n\tif (irk) {\n\t\tbacpy(&conn->dst, &irk->bdaddr);\n\t\tconn->dst_type = irk->addr_type;\n\t}\n\n\tif (status) {\n\t\thci_le_conn_failed(conn, status);\n\t\tgoto unlock;\n\t}\n\n\tif (conn->dst_type == ADDR_LE_DEV_PUBLIC)\n\t\taddr_type = BDADDR_LE_PUBLIC;\n\telse\n\t\taddr_type = BDADDR_LE_RANDOM;\n\n\t/* Drop the connection if the device is blocked */\n\tif (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {\n\t\thci_conn_drop(conn);\n\t\tgoto unlock;\n\t}\n\n\tif (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))\n\t\tmgmt_device_connected(hdev, conn, 0, NULL, 0);\n\n\tconn->sec_level = BT_SECURITY_LOW;\n\tconn->handle = handle;\n\tconn->state = BT_CONFIG;\n\n\tconn->le_conn_interval = interval;\n\tconn->le_conn_latency = latency;\n\tconn->le_supv_timeout = supervision_timeout;\n\n\thci_debugfs_create_conn(conn);\n\thci_conn_add_sysfs(conn);\n\n\t/* The remote features procedure is defined for master\n\t * role only. So only in case of an initiated connection\n\t * request the remote features.\n\t *\n\t * If the local controller supports slave-initiated features\n\t * exchange, then requesting the remote features in slave\n\t * role is possible. 
Otherwise just transition into the\n\t * connected state without requesting the remote features.\n\t */\n\tif (conn->out ||\n\t (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {\n\t\tstruct hci_cp_le_read_remote_features cp;\n\n\t\tcp.handle = __cpu_to_le16(conn->handle);\n\n\t\thci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,\n\t\t\t sizeof(cp), &cp);\n\n\t\thci_conn_hold(conn);\n\t} else {\n\t\tconn->state = BT_CONNECTED;\n\t\thci_connect_cfm(conn, status);\n\t}\n\n\tparams = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,\n\t\t\t\t\t conn->dst_type);\n\tif (params) {\n\t\tlist_del_init(¶ms->action);\n\t\tif (params->conn) {\n\t\t\thci_conn_drop(params->conn);\n\t\t\thci_conn_put(params->conn);\n\t\t\tparams->conn = NULL;\n\t\t}\n\t}\n\nunlock:\n\thci_update_background_scan(hdev);\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 52346928944057808793529312922772451670, "size": 161, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431918 }, { "func": "static int sctp_bind(struct sock *sk, struct sockaddr *addr, int addr_len)\n{\n\tint retval = 0;\n\n\tlock_sock(sk);\n\n\tpr_debug(\"%s: sk:%p, addr:%p, addr_len:%d\\n\", __func__, sk,\n\t\t addr, addr_len);\n\n\t/* Disallow binding twice. 
*/\n\tif (!sctp_sk(sk)->ep->base.bind_addr.port)\n\t\tretval = sctp_do_bind(sk, (union sctp_addr *)addr,\n\t\t\t\t addr_len);\n\telse\n\t\tretval = -EINVAL;\n\n\trelease_sock(sk);\n\n\treturn retval;\n}", "project": "linux", "hash": 213824714322196232542193622063692582558, "size": 20, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398201 }, { "func": "bool RGWFormPost::is_non_expired()\n{\n std::string expires = get_part_str(ctrl_parts, \"expires\", \"0\");\n\n std::string err;\n const uint64_t expires_timestamp =\n static_cast(strict_strtoll(expires.c_str(), 10, &err));\n\n if (! 
err.empty()) {\n dout(5) << \"failed to parse FormPost's expires: \" << err << dendl;\n return false;\n }\n\n const utime_t now = ceph_clock_now();\n if (expires_timestamp <= static_cast(now.sec())) {\n dout(5) << \"FormPost form expired: \"\n << expires_timestamp << \" <= \" << now.sec() << dendl;\n return false;\n }\n\n return true;\n}", "project": "ceph", "hash": 300665365415187529574680808904023651278, "size": 22, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448783 }, { "func": "static void io_flush_cached_locked_reqs(struct io_ring_ctx *ctx,\n\t\t\t\t\tstruct io_comp_state *cs)\n{\n\tspin_lock_irq(&ctx->completion_lock);\n\tlist_splice_init(&cs->locked_free_list, &cs->free_list);\n\tcs->locked_free_nr = 0;\n\tspin_unlock_irq(&ctx->completion_lock);\n}", "project": "linux", "hash": 59675355040410060694017107241567565460, "size": 8, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338672 }, { "func": "OPJ_BOOL opj_tcd_decode_tile(opj_tcd_t *p_tcd,\n OPJ_UINT32 win_x0,\n OPJ_UINT32 win_y0,\n OPJ_UINT32 win_x1,\n OPJ_UINT32 win_y1,\n OPJ_UINT32 numcomps_to_decode,\n const OPJ_UINT32 *comps_indices,\n OPJ_BYTE *p_src,\n OPJ_UINT32 p_max_length,\n OPJ_UINT32 p_tile_no,\n opj_codestream_index_t *p_cstr_index,\n opj_event_mgr_t *p_manager\n )\n{\n OPJ_UINT32 l_data_read;\n OPJ_UINT32 compno;\n\n p_tcd->tcd_tileno = p_tile_no;\n p_tcd->tcp = &(p_tcd->cp->tcps[p_tile_no]);\n p_tcd->win_x0 = win_x0;\n p_tcd->win_y0 = win_y0;\n p_tcd->win_x1 = win_x1;\n p_tcd->win_y1 = win_y1;\n p_tcd->whole_tile_decoding = OPJ_TRUE;\n\n opj_free(p_tcd->used_component);\n p_tcd->used_component = NULL;\n\n if (numcomps_to_decode) {\n OPJ_BOOL* used_component = (OPJ_BOOL*) opj_calloc(sizeof(OPJ_BOOL),\n p_tcd->image->numcomps);\n if (used_component == NULL) {\n return OPJ_FALSE;\n }\n for (compno = 0; compno < numcomps_to_decode; compno++) {\n used_component[ comps_indices[compno] ] = OPJ_TRUE;\n }\n\n p_tcd->used_component = used_component;\n }\n\n for (compno = 0; compno < p_tcd->image->numcomps; compno++) {\n if (p_tcd->used_component != NULL && !p_tcd->used_component[compno]) {\n continue;\n }\n\n if (!opj_tcd_is_whole_tilecomp_decoding(p_tcd, compno)) {\n p_tcd->whole_tile_decoding = OPJ_FALSE;\n break;\n }\n }\n\n if (p_tcd->whole_tile_decoding) {\n for 
(compno = 0; compno < p_tcd->image->numcomps; compno++) {\n opj_tcd_tilecomp_t* tilec = &(p_tcd->tcd_image->tiles->comps[compno]);\n opj_tcd_resolution_t *l_res = &\n (tilec->resolutions[tilec->minimum_num_resolutions - 1]);\n OPJ_SIZE_T l_data_size;\n\n /* compute l_data_size with overflow check */\n OPJ_SIZE_T res_w = (OPJ_SIZE_T)(l_res->x1 - l_res->x0);\n OPJ_SIZE_T res_h = (OPJ_SIZE_T)(l_res->y1 - l_res->y0);\n\n if (p_tcd->used_component != NULL && !p_tcd->used_component[compno]) {\n continue;\n }\n\n /* issue 733, l_data_size == 0U, probably something wrong should be checked before getting here */\n if (res_h > 0 && res_w > SIZE_MAX / res_h) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Size of tile data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n l_data_size = res_w * res_h;\n\n if (SIZE_MAX / sizeof(OPJ_UINT32) < l_data_size) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Size of tile data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n l_data_size *= sizeof(OPJ_UINT32);\n\n tilec->data_size_needed = l_data_size;\n\n if (!opj_alloc_tile_component_data(tilec)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Size of tile data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n }\n } else {\n /* Compute restricted tile-component and tile-resolution coordinates */\n /* of the window of interest, but defer the memory allocation until */\n /* we know the resno_decoded */\n for (compno = 0; compno < p_tcd->image->numcomps; compno++) {\n OPJ_UINT32 resno;\n opj_tcd_tilecomp_t* tilec = &(p_tcd->tcd_image->tiles->comps[compno]);\n opj_image_comp_t* image_comp = &(p_tcd->image->comps[compno]);\n\n if (p_tcd->used_component != NULL && !p_tcd->used_component[compno]) {\n continue;\n }\n\n /* Compute the intersection of the area of interest, expressed in tile coordinates */\n /* with the tile coordinates */\n tilec->win_x0 = opj_uint_max(\n (OPJ_UINT32)tilec->x0,\n opj_uint_ceildiv(p_tcd->win_x0, image_comp->dx));\n tilec->win_y0 = opj_uint_max(\n 
(OPJ_UINT32)tilec->y0,\n opj_uint_ceildiv(p_tcd->win_y0, image_comp->dy));\n tilec->win_x1 = opj_uint_min(\n (OPJ_UINT32)tilec->x1,\n opj_uint_ceildiv(p_tcd->win_x1, image_comp->dx));\n tilec->win_y1 = opj_uint_min(\n (OPJ_UINT32)tilec->y1,\n opj_uint_ceildiv(p_tcd->win_y1, image_comp->dy));\n if (tilec->win_x1 < tilec->win_x0 ||\n tilec->win_y1 < tilec->win_y0) {\n /* We should not normally go there. The circumstance is when */\n /* the tile coordinates do not intersect the area of interest */\n /* Upper level logic should not even try to decode that tile */\n opj_event_msg(p_manager, EVT_ERROR,\n \"Invalid tilec->win_xxx values\\n\");\n return OPJ_FALSE;\n }\n\n for (resno = 0; resno < tilec->numresolutions; ++resno) {\n opj_tcd_resolution_t *res = tilec->resolutions + resno;\n res->win_x0 = opj_uint_ceildivpow2(tilec->win_x0,\n tilec->numresolutions - 1 - resno);\n res->win_y0 = opj_uint_ceildivpow2(tilec->win_y0,\n tilec->numresolutions - 1 - resno);\n res->win_x1 = opj_uint_ceildivpow2(tilec->win_x1,\n tilec->numresolutions - 1 - resno);\n res->win_y1 = opj_uint_ceildivpow2(tilec->win_y1,\n tilec->numresolutions - 1 - resno);\n }\n }\n }\n\n#ifdef TODO_MSD /* FIXME */\n /* INDEX >> */\n if (p_cstr_info) {\n OPJ_UINT32 resno, compno, numprec = 0;\n for (compno = 0; compno < (OPJ_UINT32) p_cstr_info->numcomps; compno++) {\n opj_tcp_t *tcp = &p_tcd->cp->tcps[0];\n opj_tccp_t *tccp = &tcp->tccps[compno];\n opj_tcd_tilecomp_t *tilec_idx = &p_tcd->tcd_image->tiles->comps[compno];\n for (resno = 0; resno < tilec_idx->numresolutions; resno++) {\n opj_tcd_resolution_t *res_idx = &tilec_idx->resolutions[resno];\n p_cstr_info->tile[p_tile_no].pw[resno] = res_idx->pw;\n p_cstr_info->tile[p_tile_no].ph[resno] = res_idx->ph;\n numprec += res_idx->pw * res_idx->ph;\n p_cstr_info->tile[p_tile_no].pdx[resno] = tccp->prcw[resno];\n p_cstr_info->tile[p_tile_no].pdy[resno] = tccp->prch[resno];\n }\n }\n p_cstr_info->tile[p_tile_no].packet = (opj_packet_info_t *) opj_malloc(\n 
p_cstr_info->numlayers * numprec * sizeof(opj_packet_info_t));\n p_cstr_info->packno = 0;\n }\n /* << INDEX */\n#endif\n\n /*--------------TIER2------------------*/\n /* FIXME _ProfStart(PGROUP_T2); */\n l_data_read = 0;\n if (! opj_tcd_t2_decode(p_tcd, p_src, &l_data_read, p_max_length, p_cstr_index,\n p_manager)) {\n return OPJ_FALSE;\n }\n /* FIXME _ProfStop(PGROUP_T2); */\n\n /*------------------TIER1-----------------*/\n\n /* FIXME _ProfStart(PGROUP_T1); */\n if (! opj_tcd_t1_decode(p_tcd, p_manager)) {\n return OPJ_FALSE;\n }\n /* FIXME _ProfStop(PGROUP_T1); */\n\n\n /* For subtile decoding, now we know the resno_decoded, we can allocate */\n /* the tile data buffer */\n if (!p_tcd->whole_tile_decoding) {\n for (compno = 0; compno < p_tcd->image->numcomps; compno++) {\n opj_tcd_tilecomp_t* tilec = &(p_tcd->tcd_image->tiles->comps[compno]);\n opj_image_comp_t* image_comp = &(p_tcd->image->comps[compno]);\n opj_tcd_resolution_t *res = tilec->resolutions + image_comp->resno_decoded;\n OPJ_SIZE_T w = res->win_x1 - res->win_x0;\n OPJ_SIZE_T h = res->win_y1 - res->win_y0;\n OPJ_SIZE_T l_data_size;\n\n opj_image_data_free(tilec->data_win);\n tilec->data_win = NULL;\n\n if (p_tcd->used_component != NULL && !p_tcd->used_component[compno]) {\n continue;\n }\n\n if (w > 0 && h > 0) {\n if (w > SIZE_MAX / h) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Size of tile data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n l_data_size = w * h;\n if (l_data_size > SIZE_MAX / sizeof(OPJ_INT32)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Size of tile data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n l_data_size *= sizeof(OPJ_INT32);\n\n tilec->data_win = (OPJ_INT32*) opj_image_data_alloc(l_data_size);\n if (tilec->data_win == NULL) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Size of tile data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n }\n }\n }\n\n /*----------------DWT---------------------*/\n\n /* FIXME _ProfStart(PGROUP_DWT); */\n if\n (! 
opj_tcd_dwt_decode(p_tcd)) {\n return OPJ_FALSE;\n }\n /* FIXME _ProfStop(PGROUP_DWT); */\n\n /*----------------MCT-------------------*/\n /* FIXME _ProfStart(PGROUP_MCT); */\n if\n (! opj_tcd_mct_decode(p_tcd, p_manager)) {\n return OPJ_FALSE;\n }\n /* FIXME _ProfStop(PGROUP_MCT); */\n\n /* FIXME _ProfStart(PGROUP_DC_SHIFT); */\n if\n (! opj_tcd_dc_level_shift_decode(p_tcd)) {\n return OPJ_FALSE;\n }\n /* FIXME _ProfStop(PGROUP_DC_SHIFT); */\n\n\n /*---------------TILE-------------------*/\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 262497764028247097485989458429050164995, "size": 253, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359174 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void ecall_sample(uint8_t *input_rows, size_t input_rows_length,\n uint8_t **output_rows, size_t *output_rows_length) {\n // Guard against operating on arbitrary enclave memory\n assert(sgx_is_outside_enclave(input_rows, input_rows_length) == 1);\n sgx_lfence();\n\n try {\n sample(input_rows, input_rows_length,\n output_rows, output_rows_length);\n } catch (const std::runtime_error &e) {\n ocall_throw(e.what());\n }\n}", "idx": 519058, "cwe": "CWE-787", "hash": 191387782946795579471133035741532825323, "dataset": "other" }, { "func": "static void SFDGetType1(FILE *sfd) {\n /* We've read the OrigType1 token (this is now obselete, but parse it in case there are any old sfds) */\n int len;\n struct enc85 dec;\n\n memset(&dec,'\\0', sizeof(dec)); dec.pos = -1;\n dec.sfd = sfd;\n\n getint(sfd,&len);\n while ( --len >= 0 )\n\tDec85(&dec);\n}", "project": "fontforge", "hash": 215989177114604800124725095675329366909, "size": 12, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix 
for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417889 }, { "func": "static int gprinter_setup(int count)\n{\n\tint status;\n\tdev_t devt;\n\n\tusb_gadget_class = class_create(THIS_MODULE, \"usb_printer_gadget\");\n\tif (IS_ERR(usb_gadget_class)) {\n\t\tstatus = PTR_ERR(usb_gadget_class);\n\t\tusb_gadget_class = NULL;\n\t\tpr_err(\"unable to create usb_gadget class %d\\n\", status);\n\t\treturn status;\n\t}\n\n\tstatus = alloc_chrdev_region(&devt, 0, count, \"USB printer gadget\");\n\tif (status) {\n\t\tpr_err(\"alloc_chrdev_region %d\\n\", status);\n\t\tclass_destroy(usb_gadget_class);\n\t\tusb_gadget_class = NULL;\n\t\treturn status;\n\t}\n\n\tmajor = MAJOR(devt);\n\tminors = count;\n\n\treturn status;\n}", "project": "linux", "hash": 298614457477053054992956997234867556011, "size": 26, "commit_id": "e8d5f92b8d30bb4ade76494490c3c065e12411b1", "message": "usb: gadget: function: printer: fix use-after-free in __lock_acquire\n\nFix this by increase object reference count.\n\nBUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180\nkernel/locking/lockdep.c:3831\nRead of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377\n\nCPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xce/0x128 lib/dump_stack.c:118\n print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374\n __kasan_report+0x131/0x1b0 mm/kasan/report.c:506\n kasan_report+0x12/0x20 mm/kasan/common.c:641\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135\n __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831\n 
lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0xfb/0x130 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x4531a9\nCode: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9\nRDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003\nRBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61\nR13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff\n\nAllocated by task 2393:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515\n kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529\n kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813\n kmalloc include/linux/slab.h:555 [inline]\n kzalloc include/linux/slab.h:669 [inline]\n gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416\n usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61\n config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444\n configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202\n vfs_symlink+0x33d/0x5b0 fs/namei.c:4201\n do_symlinkat+0x11b/0x1d0 fs/namei.c:4228\n __do_sys_symlinkat fs/namei.c:4242 [inline]\n __se_sys_symlinkat fs/namei.c:4239 [inline]\n 
__x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nFreed by task 3368:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n kasan_set_free_info mm/kasan/common.c:337 [inline]\n __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476\n kasan_slab_free+0xe/0x10 mm/kasan/common.c:485\n slab_free_hook mm/slub.c:1444 [inline]\n slab_free_freelist_hook mm/slub.c:1477 [inline]\n slab_free mm/slub.c:3034 [inline]\n kfree+0xf7/0x410 mm/slub.c:3995\n gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353\n usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87\n config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485\n configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250\n vfs_unlink+0x287/0x570 fs/namei.c:4073\n do_unlinkat+0x4f9/0x620 fs/namei.c:4137\n __do_sys_unlink fs/namei.c:4184 [inline]\n __se_sys_unlink fs/namei.c:4182 [inline]\n __x64_sys_unlink+0x42/0x50 fs/namei.c:4182\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nThe buggy address belongs to the object at ffff8880683b0000\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 24 bytes inside of\n 1024-byte region [ffff8880683b0000, ffff8880683b0400)\nThe buggy address belongs to the page:\npage:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300\nindex:0xffff8880683b1800 compound_mapcount: 0\nflags: 0x100000000010200(slab|head)\nraw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300\nraw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nSigned-off-by: Felipe Balbi ", "target": 0, "dataset": "other", "idx": 389333 }, { "func": "static inline bool fuse_page_is_writeback(struct inode *inode, pgoff_t index)\n{\n\treturn 
fuse_range_is_writeback(inode, index, index);\n}", "project": "linux", "hash": 336281039598418225779808185416230888491, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342056 }, { "func": "static int tracing_release_pipe(struct inode *inode, struct file *file)\n{\n\tstruct trace_iterator *iter = file->private_data;\n\tstruct trace_array *tr = inode->i_private;\n\n\tmutex_lock(&trace_types_lock);\n\n\ttr->current_trace->ref--;\n\n\tif (iter->trace->pipe_close)\n\t\titer->trace->pipe_close(iter);\n\n\tmutex_unlock(&trace_types_lock);\n\n\tfree_cpumask_var(iter->started);\n\tmutex_destroy(&iter->mutex);\n\tkfree(iter);\n\n\ttrace_array_put(tr);\n\n\treturn 0;\n}", "project": "linux", "hash": 101938979579101515812239037268831530750, "size": 22, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and 
later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445810 }, { "func": "Header headerLoad(void * uh)\n{\n return headerImport(uh, 0, 0);\n}", "project": "rpm", "hash": 205927736347450106941816935923143268065, "size": 4, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318179 }, { "func": "void mark_page_dirty(struct kvm *kvm, gfn_t gfn)\n{\n\tstruct kvm_memory_slot *memslot;\n\n\tmemslot = gfn_to_memslot(kvm, gfn);\n\tmark_page_dirty_in_slot(memslot, gfn);\n}", "project": "linux", "hash": 307759767465314549124399978832667460596, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354648 }, { "func": " */\nstatic ssize_t bfq_timeout_sync_store(struct elevator_queue *e,\n\t\t\t\t const char *page, size_t 
count)\n{\n\tstruct bfq_data *bfqd = e->elevator_data;\n\tunsigned long __data;\n\tint ret;\n\n\tret = bfq_var_store(&__data, (page));\n\tif (ret)\n\t\treturn ret;\n\n\tif (__data < 1)\n\t\t__data = 1;\n\telse if (__data > INT_MAX)\n\t\t__data = INT_MAX;\n\n\tbfqd->bfq_timeout = msecs_to_jiffies(__data);\n\tif (bfqd->bfq_user_max_budget == 0)\n\t\tbfqd->bfq_max_budget = bfq_calc_max_budget(bfqd);\n\n\treturn count;", "project": "linux", "hash": 272841289691804503499457301839006201697, "size": 22, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453291 }, { "func": "static void encode_setclientid(struct xdr_stream *xdr, const struct nfs4_setclientid *setclientid, struct compound_hdr *hdr)\n{\n\t__be32 *p;\n\n\tencode_op_hdr(xdr, OP_SETCLIENTID, decode_setclientid_maxsz, hdr);\n\tencode_nfs4_verifier(xdr, setclientid->sc_verifier);\n\n\tencode_string(xdr, strlen(setclientid->sc_clnt->cl_owner_id),\n\t\t\tsetclientid->sc_clnt->cl_owner_id);\n\tp = reserve_space(xdr, 4);\n\t*p = cpu_to_be32(setclientid->sc_prog);\n\tencode_string(xdr, setclientid->sc_netid_len, setclientid->sc_netid);\n\tencode_string(xdr, setclientid->sc_uaddr_len, setclientid->sc_uaddr);\n\tp = reserve_space(xdr, 4);\n\t*p = cpu_to_be32(setclientid->sc_clnt->cl_cb_ident);\n}", "project": "linux", "hash": 294813284662283171308539405578148799310, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix 
getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431543 }, { "func": "static void printFlowsStats() {\n int thread_id;\n u_int32_t total_flows = 0;\n FILE *out = results_file ? results_file : stdout;\n\n if(enable_payload_analyzer)\n ndpi_report_payload_stats();\n\n for(thread_id = 0; thread_id < num_threads; thread_id++)\n total_flows += ndpi_thread_info[thread_id].workflow->num_allocated_flows;\n\n if((all_flows = (struct flow_info*)malloc(sizeof(struct flow_info)*total_flows)) == NULL) {\n fprintf(out, \"Fatal error: not enough memory\\n\");\n exit(-1);\n }\n\n if(verbose) {\n ndpi_host_ja3_fingerprints *ja3ByHostsHashT = NULL; // outer hash table\n ndpi_ja3_fingerprints_host *hostByJA3C_ht = NULL; // for client\n ndpi_ja3_fingerprints_host *hostByJA3S_ht = NULL; // for server\n int i;\n ndpi_host_ja3_fingerprints *ja3ByHost_element = NULL;\n ndpi_ja3_info *info_of_element = NULL;\n ndpi_host_ja3_fingerprints *tmp = NULL;\n ndpi_ja3_info *tmp2 = NULL;\n unsigned int num_ja3_client;\n unsigned int num_ja3_server;\n \n fprintf(out, \"\\n\");\n\n num_flows = 0;\n for(thread_id = 0; thread_id < num_threads; thread_id++) {\n for(i=0; indpi_flows_root[i],\n\t\t node_print_known_proto_walker, &thread_id);\n }\n\n if((verbose == 2) || (verbose == 3)) {\n for(i = 0; i < num_flows; i++) {\n\tndpi_host_ja3_fingerprints *ja3ByHostFound = NULL;\n\tndpi_ja3_fingerprints_host *hostByJA3Found = NULL;\n\n\t//check if this is a ssh-ssl flow\n\tif(all_flows[i].flow->ssh_tls.ja3_client[0] != '\\0'){\n\t //looking if the host is already in the hash table\n\t HASH_FIND_INT(ja3ByHostsHashT, &(all_flows[i].flow->src_ip), 
ja3ByHostFound);\n\n\t //host ip -> ja3\n\t if(ja3ByHostFound == NULL){\n\t //adding the new host\n\t ndpi_host_ja3_fingerprints *newHost = malloc(sizeof(ndpi_host_ja3_fingerprints));\n\t newHost->host_client_info_hasht = NULL;\n\t newHost->host_server_info_hasht = NULL;\n\t newHost->ip_string = all_flows[i].flow->src_name;\n\t newHost->ip = all_flows[i].flow->src_ip;\n\t newHost->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name;\n\n\t ndpi_ja3_info *newJA3 = malloc(sizeof(ndpi_ja3_info));\n\t newJA3->ja3 = all_flows[i].flow->ssh_tls.ja3_client;\n\t newJA3->unsafe_cipher = all_flows[i].flow->ssh_tls.client_unsafe_cipher;\n\t //adding the new ja3 fingerprint\n\t HASH_ADD_KEYPTR(hh, newHost->host_client_info_hasht,\n\t\t\t newJA3->ja3, strlen(newJA3->ja3), newJA3);\n\t //adding the new host\n\t HASH_ADD_INT(ja3ByHostsHashT, ip, newHost);\n\t } else {\n\t //host already in the hash table\n\t ndpi_ja3_info *infoFound = NULL;\n\n\t HASH_FIND_STR(ja3ByHostFound->host_client_info_hasht,\n\t\t\t all_flows[i].flow->ssh_tls.ja3_client, infoFound);\n\n\t if(infoFound == NULL){\n\t ndpi_ja3_info *newJA3 = malloc(sizeof(ndpi_ja3_info));\n\t newJA3->ja3 = all_flows[i].flow->ssh_tls.ja3_client;\n\t newJA3->unsafe_cipher = all_flows[i].flow->ssh_tls.client_unsafe_cipher;\n\t HASH_ADD_KEYPTR(hh, ja3ByHostFound->host_client_info_hasht,\n\t\t\t newJA3->ja3, strlen(newJA3->ja3), newJA3);\n\t }\n\t }\n\n\t //ja3 -> host ip\n\t HASH_FIND_STR(hostByJA3C_ht, all_flows[i].flow->ssh_tls.ja3_client, hostByJA3Found);\n\t if(hostByJA3Found == NULL){\n\t ndpi_ip_dns *newHost = malloc(sizeof(ndpi_ip_dns));\n\n\t newHost->ip = all_flows[i].flow->src_ip;\n\t newHost->ip_string = all_flows[i].flow->src_name;\n\t newHost->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name;;\n\n\t ndpi_ja3_fingerprints_host *newElement = malloc(sizeof(ndpi_ja3_fingerprints_host));\n\t newElement->ja3 = all_flows[i].flow->ssh_tls.ja3_client;\n\t newElement->unsafe_cipher = 
all_flows[i].flow->ssh_tls.client_unsafe_cipher;\n\t newElement->ipToDNS_ht = NULL;\n\n\t HASH_ADD_INT(newElement->ipToDNS_ht, ip, newHost);\n\t HASH_ADD_KEYPTR(hh, hostByJA3C_ht, newElement->ja3, strlen(newElement->ja3),\n\t\t\t newElement);\n\t } else {\n\t ndpi_ip_dns *innerElement = NULL;\n\t HASH_FIND_INT(hostByJA3Found->ipToDNS_ht, &(all_flows[i].flow->src_ip), innerElement);\n\t if(innerElement == NULL){\n\t ndpi_ip_dns *newInnerElement = malloc(sizeof(ndpi_ip_dns));\n\t newInnerElement->ip = all_flows[i].flow->src_ip;\n\t newInnerElement->ip_string = all_flows[i].flow->src_name;\n\t newInnerElement->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name;\n\t HASH_ADD_INT(hostByJA3Found->ipToDNS_ht, ip, newInnerElement);\n\t }\n\t }\n\t}\n\n\tif(all_flows[i].flow->ssh_tls.ja3_server[0] != '\\0'){\n\t //looking if the host is already in the hash table\n\t HASH_FIND_INT(ja3ByHostsHashT, &(all_flows[i].flow->dst_ip), ja3ByHostFound);\n\t if(ja3ByHostFound == NULL){\n\t //adding the new host in the hash table\n\t ndpi_host_ja3_fingerprints *newHost = malloc(sizeof(ndpi_host_ja3_fingerprints));\n\t newHost->host_client_info_hasht = NULL;\n\t newHost->host_server_info_hasht = NULL;\n\t newHost->ip_string = all_flows[i].flow->dst_name;\n\t newHost->ip = all_flows[i].flow->dst_ip;\n\t newHost->dns_name = all_flows[i].flow->ssh_tls.server_info;\n\n\t ndpi_ja3_info *newJA3 = malloc(sizeof(ndpi_ja3_info));\n\t newJA3->ja3 = all_flows[i].flow->ssh_tls.ja3_server;\n\t newJA3->unsafe_cipher = all_flows[i].flow->ssh_tls.server_unsafe_cipher;\n\t //adding the new ja3 fingerprint\n\t HASH_ADD_KEYPTR(hh, newHost->host_server_info_hasht, newJA3->ja3,\n\t\t\t strlen(newJA3->ja3), newJA3);\n\t //adding the new host\n\t HASH_ADD_INT(ja3ByHostsHashT, ip, newHost);\n\t } else {\n\t //host already in the hashtable\n\t ndpi_ja3_info *infoFound = NULL;\n\t HASH_FIND_STR(ja3ByHostFound->host_server_info_hasht,\n\t\t\t all_flows[i].flow->ssh_tls.ja3_server, infoFound);\n\t 
if(infoFound == NULL){\n\t ndpi_ja3_info *newJA3 = malloc(sizeof(ndpi_ja3_info));\n\t newJA3->ja3 = all_flows[i].flow->ssh_tls.ja3_server;\n\t newJA3->unsafe_cipher = all_flows[i].flow->ssh_tls.server_unsafe_cipher;\n\t HASH_ADD_KEYPTR(hh, ja3ByHostFound->host_server_info_hasht,\n\t\t\t newJA3->ja3, strlen(newJA3->ja3), newJA3);\n\t }\n\t }\n\n\t HASH_FIND_STR(hostByJA3S_ht, all_flows[i].flow->ssh_tls.ja3_server, hostByJA3Found);\n\t if(hostByJA3Found == NULL){\n\t ndpi_ip_dns *newHost = malloc(sizeof(ndpi_ip_dns));\n\n\t newHost->ip = all_flows[i].flow->dst_ip;\n\t newHost->ip_string = all_flows[i].flow->dst_name;\n\t newHost->dns_name = all_flows[i].flow->ssh_tls.server_info;;\n\n\t ndpi_ja3_fingerprints_host *newElement = malloc(sizeof(ndpi_ja3_fingerprints_host));\n\t newElement->ja3 = all_flows[i].flow->ssh_tls.ja3_server;\n\t newElement->unsafe_cipher = all_flows[i].flow->ssh_tls.server_unsafe_cipher;\n\t newElement->ipToDNS_ht = NULL;\n\n\t HASH_ADD_INT(newElement->ipToDNS_ht, ip, newHost);\n\t HASH_ADD_KEYPTR(hh, hostByJA3S_ht, newElement->ja3, strlen(newElement->ja3),\n\t\t\t newElement);\n\t } else {\n\t ndpi_ip_dns *innerElement = NULL;\n\n\t HASH_FIND_INT(hostByJA3Found->ipToDNS_ht, &(all_flows[i].flow->dst_ip), innerElement);\n\t if(innerElement == NULL){\n\t ndpi_ip_dns *newInnerElement = malloc(sizeof(ndpi_ip_dns));\n\t newInnerElement->ip = all_flows[i].flow->dst_ip;\n\t newInnerElement->ip_string = all_flows[i].flow->dst_name;\n\t newInnerElement->dns_name = all_flows[i].flow->ssh_tls.server_info;\n\t HASH_ADD_INT(hostByJA3Found->ipToDNS_ht, ip, newInnerElement);\n\t }\n\t }\n\n\t}\n }\n\n if(ja3ByHostsHashT) {\n\tndpi_ja3_fingerprints_host *hostByJA3Element = NULL;\n\tndpi_ja3_fingerprints_host *tmp3 = NULL;\n\tndpi_ip_dns *innerHashEl = NULL;\n\tndpi_ip_dns *tmp4 = NULL;\n\n\tif(verbose == 2) {\n\t /* for each host the number of flow with a ja3 fingerprint is printed */\n\t i = 1;\n\n\t fprintf(out, \"JA3 Host Stats: \\n\");\n\t fprintf(out, 
\"\\t\\t IP %-24s \\t %-10s \\n\", \"Address\", \"# JA3C\");\n\n\t for(ja3ByHost_element = ja3ByHostsHashT; ja3ByHost_element != NULL;\n\t ja3ByHost_element = ja3ByHost_element->hh.next) {\n\t num_ja3_client = HASH_COUNT(ja3ByHost_element->host_client_info_hasht);\n\t num_ja3_server = HASH_COUNT(ja3ByHost_element->host_server_info_hasht);\n\n\t if(num_ja3_client > 0) {\n\t fprintf(out, \"\\t%d\\t %-24s \\t %-7u\\n\",\n\t\t i,\n\t\t ja3ByHost_element->ip_string,\n\t\t num_ja3_client\n\t\t );\n\t i++;\n\t }\n\n\t }\n\t} else if(verbose == 3) {\n\t int i = 1;\n\t int againstRepeat;\n\t ndpi_ja3_fingerprints_host *hostByJA3Element = NULL;\n\t ndpi_ja3_fingerprints_host *tmp3 = NULL;\n\t ndpi_ip_dns *innerHashEl = NULL;\n\t ndpi_ip_dns *tmp4 = NULL;\n\n\t //for each host it is printted the JA3C and JA3S, along the server name (if any)\n\t //and the security status\n\n\t fprintf(out, \"JA3C/JA3S Host Stats: \\n\");\n\t fprintf(out, \"\\t%-7s %-24s %-34s %s\\n\", \"\", \"IP\", \"JA3C\", \"JA3S\");\n\n\t //reminder\n\t //ja3ByHostsHashT: hash table \n\t //ja3ByHost_element: element of ja3ByHostsHashT\n\t //info_of_element: element of the inner hash table of ja3ByHost_element\n\t HASH_ITER(hh, ja3ByHostsHashT, ja3ByHost_element, tmp) {\n\t num_ja3_client = HASH_COUNT(ja3ByHost_element->host_client_info_hasht);\n\t num_ja3_server = HASH_COUNT(ja3ByHost_element->host_server_info_hasht);\n\t againstRepeat = 0;\n\t if(num_ja3_client > 0) {\n\t HASH_ITER(hh, ja3ByHost_element->host_client_info_hasht, info_of_element, tmp2) {\n\t\tfprintf(out, \"\\t%-7d %-24s %s %s\\n\",\n\t\t\ti,\n\t\t\tja3ByHost_element->ip_string,\n\t\t\tinfo_of_element->ja3,\n\t\t\tprint_cipher(info_of_element->unsafe_cipher)\n\t\t\t);\n\t\tagainstRepeat = 1;\n\t\ti++;\n\t }\n\t }\n\n\t if(num_ja3_server > 0) {\n\t HASH_ITER(hh, ja3ByHost_element->host_server_info_hasht, info_of_element, tmp2) {\n\t\tfprintf(out, \"\\t%-7d %-24s %-34s %s %s 
%s%s%s\\n\",\n\t\t\ti,\n\t\t\tja3ByHost_element->ip_string,\n\t\t\t\"\",\n\t\t\tinfo_of_element->ja3,\n\t\t\tprint_cipher(info_of_element->unsafe_cipher),\n\t\t\tja3ByHost_element->dns_name[0] ? \"[\" : \"\",\n\t\t\tja3ByHost_element->dns_name,\n\t\t\tja3ByHost_element->dns_name[0] ? \"]\" : \"\"\n\t\t\t);\n\t\ti++;\n\t }\n\t }\n\t }\n\n\t i = 1;\n\n\t fprintf(out, \"\\nIP/JA3 Distribution:\\n\");\n\t fprintf(out, \"%-15s %-39s %-26s\\n\", \"\", \"JA3\", \"IP\");\n\t HASH_ITER(hh, hostByJA3C_ht, hostByJA3Element, tmp3) {\n\t againstRepeat = 0;\n\t HASH_ITER(hh, hostByJA3Element->ipToDNS_ht, innerHashEl, tmp4) {\n\t if(againstRepeat == 0) {\n\t\tfprintf(out, \"\\t%-7d JA3C %s\",\n\t\t\ti,\n\t\t\thostByJA3Element->ja3\n\t\t\t);\n\t\tfprintf(out, \" %-15s %s\\n\",\n\t\t\tinnerHashEl->ip_string,\n\t\t\tprint_cipher(hostByJA3Element->unsafe_cipher)\n\t\t\t);\n\t\tagainstRepeat = 1;\n\t\ti++;\n\t } else {\n\t\tfprintf(out, \"\\t%45s\", \"\");\n\t\tfprintf(out, \" %-15s %s\\n\",\n\t\t\tinnerHashEl->ip_string,\n\t\t\tprint_cipher(hostByJA3Element->unsafe_cipher)\n\t\t\t);\n\t }\n\t }\n\t }\n\t HASH_ITER(hh, hostByJA3S_ht, hostByJA3Element, tmp3) {\n\t againstRepeat = 0;\n\t HASH_ITER(hh, hostByJA3Element->ipToDNS_ht, innerHashEl, tmp4) {\n\t if(againstRepeat == 0) {\n\t\tfprintf(out, \"\\t%-7d JA3S %s\",\n\t\t\ti,\n\t\t\thostByJA3Element->ja3\n\t\t\t);\n\t\tfprintf(out, \" %-15s %-10s %s%s%s\\n\",\n\t\t\tinnerHashEl->ip_string,\n\t\t\tprint_cipher(hostByJA3Element->unsafe_cipher),\n\t\t\tinnerHashEl->dns_name[0] ? \"[\" : \"\",\n\t\t\tinnerHashEl->dns_name,\n\t\t\tinnerHashEl->dns_name[0] ? \"]\" : \"\"\n\t\t\t);\n\t\tagainstRepeat = 1;\n\t\ti++;\n\t } else {\n\t\tfprintf(out, \"\\t%45s\", \"\");\n\t\tfprintf(out, \" %-15s %-10s %s%s%s\\n\",\n\t\t\tinnerHashEl->ip_string,\n\t\t\tprint_cipher(hostByJA3Element->unsafe_cipher),\n\t\t\tinnerHashEl->dns_name[0] ? \"[\" : \"\",\n\t\t\tinnerHashEl->dns_name,\n\t\t\tinnerHashEl->dns_name[0] ? 
\"]\" : \"\"\n\t\t\t);\n\t }\n\t }\n\t }\n\t}\n\tfprintf(out, \"\\n\\n\");\n\n\t//freeing the hash table\n\tHASH_ITER(hh, ja3ByHostsHashT, ja3ByHost_element, tmp) {\n\t HASH_ITER(hh, ja3ByHost_element->host_client_info_hasht, info_of_element, tmp2) {\n\t if(ja3ByHost_element->host_client_info_hasht)\n\t HASH_DEL(ja3ByHost_element->host_client_info_hasht, info_of_element);\n\t free(info_of_element);\n\t }\n\t HASH_ITER(hh, ja3ByHost_element->host_server_info_hasht, info_of_element, tmp2) {\n\t if(ja3ByHost_element->host_server_info_hasht)\n\t HASH_DEL(ja3ByHost_element->host_server_info_hasht, info_of_element);\n\t free(info_of_element);\n\t }\n\t HASH_DEL(ja3ByHostsHashT, ja3ByHost_element);\n\t free(ja3ByHost_element);\n\t}\n\n\tHASH_ITER(hh, hostByJA3C_ht, hostByJA3Element, tmp3) {\n\t HASH_ITER(hh, hostByJA3C_ht->ipToDNS_ht, innerHashEl, tmp4) {\n\t if(hostByJA3Element->ipToDNS_ht)\n\t HASH_DEL(hostByJA3Element->ipToDNS_ht, innerHashEl);\n\t free(innerHashEl);\n\t }\n\t HASH_DEL(hostByJA3C_ht, hostByJA3Element);\n\t free(hostByJA3Element);\n\t}\n\n\thostByJA3Element = NULL;\n\tHASH_ITER(hh, hostByJA3S_ht, hostByJA3Element, tmp3) {\n\t HASH_ITER(hh, hostByJA3S_ht->ipToDNS_ht, innerHashEl, tmp4) {\n\t if(hostByJA3Element->ipToDNS_ht)\n\t HASH_DEL(hostByJA3Element->ipToDNS_ht, innerHashEl);\n\t free(innerHashEl);\n\t }\n\t HASH_DEL(hostByJA3S_ht, hostByJA3Element);\n\t free(hostByJA3Element);\n\t}\n }\n }\n\n /* Print all flows stats */\n\n qsort(all_flows, num_flows, sizeof(struct flow_info), cmpFlows);\n\n if(verbose > 1) {\n for(i=0; istats.protocol_counter[0 /* 0 = Unknown */] > 0) {\n\tfprintf(out, \"\\n\\nUndetected flows:%s\\n\",\n\t\tundetected_flows_deleted ? 
\" (expired flows are not listed below)\" : \"\");\n\tbreak;\n }\n }\n\n num_flows = 0;\n for(thread_id = 0; thread_id < num_threads; thread_id++) {\n if(ndpi_thread_info[thread_id].workflow->stats.protocol_counter[0] > 0) {\n\tfor(i=0; indpi_flows_root[i],\n\t\t node_print_unknown_proto_walker, &thread_id);\n }\n }\n\n qsort(all_flows, num_flows, sizeof(struct flow_info), cmpFlows);\n\n for(i=0; indpi_flows_root[i],\n\t\t node_print_known_proto_walker, &thread_id);\n }\n\n for(i=0; i coloc_values;\n if (!TryGetNodeAttr(node->attrs(), kColocationAttrName, &coloc_values))\n continue;\n bool updated = false;\n for (size_t i = 0; i < coloc_values.size(); ++i) {\n StringPiece val(coloc_values[i]);\n if (absl::ConsumePrefix(&val, kColocationGroupPrefix)) {\n auto name_pair = uniquified_names_.find(string(val));\n if (name_pair == uniquified_names_.end()) continue;\n updated = true;\n coloc_values[i] =\n strings::StrCat(kColocationGroupPrefix, name_pair->second);\n }\n }\n if (updated) {\n node->AddAttr(kColocationAttrName, std::move(coloc_values));\n }\n }\n}", "project": "tensorflow", "hash": 116087162642636061288974461048635425935, "size": 23, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268307 }, { "func": " void used_tables_and_const_cache_update_and_join(Item *item)\n {\n item->update_used_tables();\n used_tables_and_const_cache_join(item);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 232756519732793472305182599129696181793, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509072 }, { "func": " void used_tables_and_const_cache_update_and_join(uint argc, Item **argv)\n {\n for (uint i=0 ; i < argc ; i++)\n used_tables_and_const_cache_update_and_join(argv[i]);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 325799995370488074368539505281969981542, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509126 }, { "func": " void used_tables_and_const_cache_update_and_join(List &list)\n {\n List_iterator_fast li(list);\n Item *item;\n while ((item=li++))\n used_tables_and_const_cache_update_and_join(item);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 330464710265302527857886965963527339766, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509331 }, { "func": "UnicodeStringTest::TestFindAndReplace()\n{\n UnicodeString test1(\"One potato, two potato, three potato, four\\n\");\n UnicodeString test2(\"potato\");\n UnicodeString test3(\"MISSISSIPPI\");\n\n UnicodeString expectedValue;\n\n test1.findAndReplace(test2, test3);\n expectedValue = \"One MISSISSIPPI, two MISSISSIPPI, three MISSISSIPPI, four\\n\";\n if (test1 != expectedValue)\n errln(\"findAndReplace failed: expected \\\"\" + expectedValue + \"\\\", got \\\"\" + test1 + \"\\\".\");\n test1.findAndReplace(2, 32, test3, test2);\n expectedValue = \"One potato, two potato, three MISSISSIPPI, four\\n\";\n if (test1 != expectedValue)\n errln(\"findAndReplace failed: expected \\\"\" + expectedValue + \"\\\", got \\\"\" + test1 + \"\\\".\");\n}", "project": "icu", "hash": 233807188011638101606334964601048147896, "size": 17, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430854 }, { "func": "static apr_status_t ap_session_load(request_rec * r, session_rec ** z)\n{\n\n session_dir_conf *dconf = ap_get_module_config(r->per_dir_config,\n &session_module);\n apr_time_t now;\n session_rec *zz = NULL;\n int rv = 0;\n\n /* is the session enabled? */\n if (!dconf || !dconf->enabled) {\n return APR_SUCCESS;\n }\n\n /* should the session be loaded at all? 
*/\n if (!session_included(r, dconf)) {\n ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01814)\n \"excluded by configuration for: %s\", r->uri);\n return APR_SUCCESS;\n }\n\n /* load the session from the session hook */\n rv = ap_run_session_load(r, &zz);\n if (DECLINED == rv) {\n ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01815)\n \"session is enabled but no session modules have been configured, \"\n \"session not loaded: %s\", r->uri);\n return APR_EGENERAL;\n }\n else if (OK != rv) {\n ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01816)\n \"error while loading the session, \"\n \"session not loaded: %s\", r->uri);\n return rv;\n }\n\n /* found a session that hasn't expired? */\n now = apr_time_now();\n\n if (zz) {\n /* load the session attributes */\n rv = ap_run_session_decode(r, zz);\n \n /* having a session we cannot decode is just as good as having\n none at all */\n if (OK != rv) {\n ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)\n \"error while decoding the session, \"\n \"session not loaded: %s\", r->uri);\n /* preserve pointers to zz in load/save providers */\n memset(zz, 0, sizeof(session_rec));\n zz->pool = r->pool;\n zz->entries = apr_table_make(zz->pool, 10);\n }\n\n /* invalidate session if session is expired */\n if (zz && zz->expiry && zz->expiry < now) {\n ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, \"session is expired\");\n /* preserve pointers to zz in load/save providers */\n memset(zz, 0, sizeof(session_rec));\n zz->pool = r->pool;\n zz->entries = apr_table_make(zz->pool, 10);\n }\n }\n\n /* no luck, create a blank session. 
Note that the included session_load \n * providers will return new sessions during session_load when configured.\n */\n if (!zz) {\n zz = (session_rec *) apr_pcalloc(r->pool, sizeof(session_rec));\n zz->pool = r->pool;\n zz->entries = apr_table_make(zz->pool, 10);\n }\n\n /* make sure the expiry and maxage are set, if present */\n if (dconf->maxage) {\n if (!zz->expiry) {\n zz->expiry = now + dconf->maxage * APR_USEC_PER_SEC;\n }\n zz->maxage = dconf->maxage;\n }\n\n *z = zz;\n\n return APR_SUCCESS;\n\n}", "project": "httpd", "hash": 252298360690988135014391077762073436860, "size": 87, "commit_id": "7e09dd714fc62c08c5b0319ed7b9702594faf49b", "message": "mod_session: account for the '&' in identity_concat().\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 389226 }, { "func": "static void pb_message_set_to_defaults(const pb_field_t fields[], void *dest_struct)\n{\n pb_field_iter_t iter;\n\n if (!pb_field_iter_begin(&iter, fields, dest_struct))\n return; /* Empty message type */\n \n do\n {\n pb_field_set_to_default(&iter);\n } while (pb_field_iter_next(&iter));\n}", "project": "nanopb", "hash": 62128678746498726606345755057950703367, "size": 12, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252519 }, { "func": "static void pb_message_set_to_defaults(const pb_field_t fields[], void *dest_struct)\n{\n pb_field_iterator_t iter;\n pb_field_init(&iter, fields, dest_struct);\n \n do\n {\n pb_type_t type;\n type = iter.pos->type;\n \n /* Avoid crash on empty message types (zero fields) */\n if (iter.pos->tag == 0)\n continue;\n \n if (PB_ATYPE(type) == PB_ATYPE_STATIC)\n {\n if (PB_HTYPE(type) == PB_HTYPE_OPTIONAL)\n {\n /* Set has_field to false. Still initialize the optional field\n * itself also. 
*/\n *(bool*)iter.pSize = false;\n }\n else if (PB_HTYPE(type) == PB_HTYPE_REPEATED)\n {\n /* Set array count to 0, no need to initialize contents. */\n *(size_t*)iter.pSize = 0;\n continue;\n }\n \n if (PB_LTYPE(iter.pos->type) == PB_LTYPE_SUBMESSAGE)\n {\n /* Initialize submessage to defaults */\n pb_message_set_to_defaults((const pb_field_t *) iter.pos->ptr, iter.pData);\n }\n else if (iter.pos->ptr != NULL)\n {\n /* Initialize to default value */\n memcpy(iter.pData, iter.pos->ptr, iter.pos->data_size);\n }\n else\n {\n /* Initialize to zeros */\n memset(iter.pData, 0, iter.pos->data_size);\n }\n }\n else if (PB_ATYPE(type) == PB_ATYPE_POINTER)\n {\n /* Initialize the pointer to NULL. */\n *(void**)iter.pData = NULL;\n \n /* Initialize array count to 0. */\n if (PB_HTYPE(type) == PB_HTYPE_REPEATED)\n {\n *(size_t*)iter.pSize = 0;\n }\n }\n else if (PB_ATYPE(type) == PB_ATYPE_CALLBACK)\n {\n /* Don't overwrite callback */\n }\n } while (pb_field_next(&iter));\n}", "project": "nanopb", "hash": 191381461004512787486858112232447816347, "size": 62, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255342 }, { "func": "static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,\n\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_event_subscribe subscribe;\n\t__u8 *sn_type = (__u8 *)&subscribe;\n\tint i;\n\n\tif (len == 0)\n\t\treturn -EINVAL;\n\tif (len > sizeof(struct sctp_event_subscribe))\n\t\tlen = sizeof(struct sctp_event_subscribe);\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\n\tfor (i = 0; i < len; i++)\n\t\tsn_type[i] = sctp_ulpevent_type_enabled(sctp_sk(sk)->subscribe,\n\t\t\t\t\t\t\tSCTP_SN_TYPE_BASE + i);\n\n\tif (copy_to_user(optval, &subscribe, len))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 11868332793483632384519404584814212177, "size": 23, "commit_id": 
"b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398186 }, { "func": "\nstatic void io_rsrc_file_put(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc)\n{\n\tstruct file *file = prsrc->file;\n#if defined(CONFIG_UNIX)\n\tstruct sock *sock = ctx->ring_sock->sk;\n\tstruct sk_buff_head list, *head = &sock->sk_receive_queue;\n\tstruct sk_buff *skb;\n\tint i;\n\n\t__skb_queue_head_init(&list);\n\n\t/*\n\t * Find the skb that holds this file in its SCM_RIGHTS. 
When found,\n\t * remove this entry and rearrange the file array.\n\t */\n\tskb = skb_dequeue(head);\n\twhile (skb) {\n\t\tstruct scm_fp_list *fp;\n\n\t\tfp = UNIXCB(skb).fp;\n\t\tfor (i = 0; i < fp->count; i++) {\n\t\t\tint left;\n\n\t\t\tif (fp->fp[i] != file)\n\t\t\t\tcontinue;\n\n\t\t\tunix_notinflight(fp->user, fp->fp[i]);\n\t\t\tleft = fp->count - 1 - i;\n\t\t\tif (left) {\n\t\t\t\tmemmove(&fp->fp[i], &fp->fp[i + 1],\n\t\t\t\t\t\tleft * sizeof(struct file *));\n\t\t\t}\n\t\t\tfp->count--;\n\t\t\tif (!fp->count) {\n\t\t\t\tkfree_skb(skb);\n\t\t\t\tskb = NULL;\n\t\t\t} else {\n\t\t\t\t__skb_queue_tail(&list, skb);\n\t\t\t}\n\t\t\tfput(file);\n\t\t\tfile = NULL;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (!file)\n\t\t\tbreak;\n\n\t\t__skb_queue_tail(&list, skb);\n\n\t\tskb = skb_dequeue(head);\n\t}\n\n\tif (skb_peek(&list)) {\n\t\tspin_lock_irq(&head->lock);\n\t\twhile ((skb = __skb_dequeue(&list)) != NULL)\n\t\t\t__skb_queue_tail(head, skb);\n\t\tspin_unlock_irq(&head->lock);\n\t}\n#else\n\tfput(file);\n#endif", "project": "linux", "hash": 266683570883325016482885133129517932062, "size": 62, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338590 }, { "func": "static u8 mcps_data_request(\n\tu8 src_addr_mode,\n\tu8 dst_address_mode,\n\tu16 dst_pan_id,\n\tunion macaddr *dst_addr,\n\tu8 msdu_length,\n\tu8 *msdu,\n\tu8 msdu_handle,\n\tu8 tx_options,\n\tstruct secspec *security,\n\tvoid *device_ref\n)\n{\n\tstruct secspec *psec;\n\tstruct mac_message command;\n\n\tcommand.command_id = SPI_MCPS_DATA_REQUEST;\n\tcommand.pdata.data_req.src_addr_mode = src_addr_mode;\n\tcommand.pdata.data_req.dst.mode = dst_address_mode;\n\tif (dst_address_mode != MAC_MODE_NO_ADDR) {\n\t\tcommand.pdata.data_req.dst.pan_id[0] = LS_BYTE(dst_pan_id);\n\t\tcommand.pdata.data_req.dst.pan_id[1] = MS_BYTE(dst_pan_id);\n\t\tif (dst_address_mode == MAC_MODE_SHORT_ADDR) {\n\t\t\tcommand.pdata.data_req.dst.address[0] = LS_BYTE(\n\t\t\t\tdst_addr->short_address\n\t\t\t);\n\t\t\tcommand.pdata.data_req.dst.address[1] = MS_BYTE(\n\t\t\t\tdst_addr->short_address\n\t\t\t);\n\t\t} else { /* MAC_MODE_LONG_ADDR*/\n\t\t\tmemcpy(\n\t\t\t\tcommand.pdata.data_req.dst.address,\n\t\t\t\tdst_addr->ieee_address,\n\t\t\t\t8\n\t\t\t);\n\t\t}\n\t}\n\tcommand.pdata.data_req.msdu_length = msdu_length;\n\tcommand.pdata.data_req.msdu_handle = msdu_handle;\n\tcommand.pdata.data_req.tx_options = tx_options;\n\tmemcpy(command.pdata.data_req.msdu, msdu, msdu_length);\n\tpsec = (struct secspec *)(command.pdata.data_req.msdu + 
msdu_length);\n\tcommand.length = sizeof(struct mcps_data_request_pset) -\n\t\tMAX_DATA_SIZE + msdu_length;\n\tif (!security || security->security_level == 0) {\n\t\tpsec->security_level = 0;\n\t\tcommand.length += 1;\n\t} else {\n\t\t*psec = *security;\n\t\tcommand.length += sizeof(struct secspec);\n\t}\n\n\tif (ca8210_spi_transfer(device_ref, &command.command_id,\n\t\t\t\tcommand.length + 2))\n\t\treturn MAC_SYSTEM_ERROR;\n\n\treturn MAC_SUCCESS;\n}", "project": "linux", "hash": 28505409225307121031830184201900223191, "size": 58, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408798 }, { "func": "static void nfs41_sequence_free_slot(struct nfs4_sequence_res *res)\n{\n\tnfs41_release_slot(res->sr_slot);\n\tres->sr_slot = NULL;\n}", "project": "linux", "hash": 247390617260644436072453297187673629076, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431219 }, { "func": "static int tracing_wait_pipe(struct file *filp)\n{\n\tstruct trace_iterator *iter = filp->private_data;\n\tint ret;\n\n\twhile (trace_empty(iter)) {\n\n\t\tif ((filp->f_flags & O_NONBLOCK)) {\n\t\t\treturn 
-EAGAIN;\n\t\t}\n\n\t\t/*\n\t\t * We block until we read something and tracing is disabled.\n\t\t * We still block if tracing is disabled, but we have never\n\t\t * read anything. This allows a user to cat this file, and\n\t\t * then enable tracing. But after we have read something,\n\t\t * we give an EOF when tracing is again disabled.\n\t\t *\n\t\t * iter->pos will be 0 if we haven't read anything.\n\t\t */\n\t\tif (!tracer_tracing_is_on(iter->tr) && iter->pos)\n\t\t\tbreak;\n\n\t\tmutex_unlock(&iter->mutex);\n\n\t\tret = wait_on_pipe(iter, false);\n\n\t\tmutex_lock(&iter->mutex);\n\n\t\tif (ret)\n\t\t\treturn ret;\n\t}\n\n\treturn 1;\n}", "project": "linux", "hash": 73953232291456338958244639972957703317, "size": 35, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445613 }, { "func": "void ssh_buffer_free(struct ssh_buffer_struct *buffer)\n{\n if (buffer == NULL) {\n return;\n }\n buffer_verify(buffer);\n\n if (buffer->secure && buffer->allocated > 0) {\n /* burn the data */\n explicit_bzero(buffer->data, buffer->allocated);\n SAFE_FREE(buffer->data);\n\n explicit_bzero(buffer, sizeof(struct ssh_buffer_struct));\n } else {\n SAFE_FREE(buffer->data);\n }\n SAFE_FREE(buffer);\n}", "project": "libssh-mirror", "hash": 233175993505894612619539972461348352162, "size": 18, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345149 }, { "func": "static int tracing_open(struct inode *inode, struct file *file)\n{\n\tstruct trace_array *tr = inode->i_private;\n\tstruct trace_iterator *iter;\n\tint ret = 0;\n\n\tif (trace_array_get(tr) < 0)\n\t\treturn -ENODEV;\n\n\t/* If this file was open for write, then erase contents */\n\tif ((file->f_mode & FMODE_WRITE) && (file->f_flags & O_TRUNC)) {\n\t\tint cpu = tracing_get_cpu(inode);\n\t\tstruct trace_buffer *trace_buf = &tr->trace_buffer;\n\n#ifdef CONFIG_TRACER_MAX_TRACE\n\t\tif (tr->current_trace->print_max)\n\t\t\ttrace_buf = &tr->max_buffer;\n#endif\n\n\t\tif (cpu == RING_BUFFER_ALL_CPUS)\n\t\t\ttracing_reset_online_cpus(trace_buf);\n\t\telse\n\t\t\ttracing_reset(trace_buf, cpu);\n\t}\n\n\tif (file->f_mode & FMODE_READ) {\n\t\titer = __tracing_open(inode, file, false);\n\t\tif 
(IS_ERR(iter))\n\t\t\tret = PTR_ERR(iter);\n\t\telse if (tr->trace_flags & TRACE_ITER_LATENCY_FMT)\n\t\t\titer->iter_flags |= TRACE_FILE_LAT_FMT;\n\t}\n\n\tif (ret < 0)\n\t\ttrace_array_put(tr);\n\n\treturn ret;\n}", "project": "linux", "hash": 65792993757146399006855197197169939245, "size": 38, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445598 }, { "func": "static int connectable_update(struct hci_request *req, unsigned long opt)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\n\thci_dev_lock(hdev);\n\n\t__hci_req_update_scan(req);\n\n\t/* If BR/EDR is not enabled and we disable advertising as a\n\t * by-product of disabling connectable, we need to update the\n\t * advertising flags.\n\t */\n\tif (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))\n\t\t__hci_req_update_adv_data(req, hdev->cur_adv_instance);\n\n\t/* Update the advertising parameters if necessary */\n\tif (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||\n\t !list_empty(&hdev->adv_instances)) {\n\t\tif (ext_adv_capable(hdev))\n\t\t\t__hci_req_start_ext_adv(req, hdev->cur_adv_instance);\n\t\telse\n\t\t\t__hci_req_enable_advertising(req);\n\t}\n\n\t__hci_update_background_scan(req);\n\n\thci_dev_unlock(hdev);\n\n\treturn 0;\n}", "project": "linux", "hash": 
101096143308069673586409473006139622084, "size": 30, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402569 }, { "func": "bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu)\n{\n\treturn !(vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE);\n}", "project": "linux", "hash": 156120585520043283621798942550712823682, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354547 }, { "func": "void AddPrefixes(StringPiece node_name,\n gtl::FlatSet* prefixes) {\n size_t idx = -1;\n while 
((idx = node_name.find('/', idx + 1)) != StringPiece::npos) {\n prefixes->insert(node_name.substr(0, idx));\n }\n}", "project": "tensorflow", "hash": 110013340063748412065781130365500814847, "size": 7, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268340 }, { "func": "\nstatic void io_sq_thread_stop(struct io_sq_data *sqd)\n{\n\tWARN_ON_ONCE(sqd->thread == current);\n\tWARN_ON_ONCE(test_bit(IO_SQ_THREAD_SHOULD_STOP, &sqd->state));\n\n\tset_bit(IO_SQ_THREAD_SHOULD_STOP, &sqd->state);\n\tmutex_lock(&sqd->lock);\n\tif (sqd->thread)\n\t\twake_up_process(sqd->thread);\n\tmutex_unlock(&sqd->lock);\n\twait_for_completion(&sqd->exited);", "project": "linux", "hash": 146708041250631848076167834309748625769, "size": 12, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338648 }, { "func": "static void mark_page_dirty_in_slot(struct kvm_memory_slot *memslot,\n\t\t\t\t gfn_t gfn)\n{\n\tif (memslot && memslot->dirty_bitmap) {\n\t\tunsigned long rel_gfn = gfn - memslot->base_gfn;\n\n\t\tset_bit_le(rel_gfn, memslot->dirty_bitmap);\n\t}\n}", "project": "linux", "hash": 194409841438891009257644331788977988373, "size": 9, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354588 }, { "func": "void mark_page_dirty_in_slot(struct kvm *kvm,\n\t\t\t struct kvm_memory_slot *memslot,\n\t\t \t gfn_t gfn)\n{\n\tif (memslot && kvm_slot_dirty_track_enabled(memslot)) {\n\t\tunsigned long rel_gfn = gfn - memslot->base_gfn;\n\t\tu32 slot = (memslot->as_id << 16) | 
memslot->id;\n\n\t\tif (kvm->dirty_ring_size)\n\t\t\tkvm_dirty_ring_push(kvm_dirty_ring_get(kvm),\n\t\t\t\t\t slot, rel_gfn);\n\t\telse\n\t\t\tset_bit_le(rel_gfn, memslot->dirty_bitmap);\n\t}\n}", "project": "linux", "hash": 89586965858914049679833921527619859911, "size": 15, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404108 }, { "func": "uint32_t ssh_buffer_get_len(struct ssh_buffer_struct *buffer){\n buffer_verify(buffer);\n return buffer->used - buffer->pos;\n}", "project": "libssh-mirror", "hash": 291956769607621011997144776270920574468, "size": 4, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345153 }, { "func": "int vspprintf_ap(char** pbuf, size_t /*max_len*/, const char* format,\n va_list ap) {\n int len;\n len = xbuf_format_converter(pbuf, format, ap);\n return len;\n}", "project": "hhvm", "hash": 324580399161184777665678947809971898740, "size": 6, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security 
fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219869 }, { "func": "static void nfs4_opendata_free(struct kref *kref)\n{\n\tstruct nfs4_opendata *p = container_of(kref,\n\t\t\tstruct nfs4_opendata, kref);\n\tstruct super_block *sb = p->dentry->d_sb;\n\n\tnfs4_lgopen_release(p->lgp);\n\tnfs_free_seqid(p->o_arg.seqid);\n\tnfs4_sequence_free_slot(&p->o_res.seq_res);\n\tif (p->state != NULL)\n\t\tnfs4_put_open_state(p->state);\n\tnfs4_put_state_owner(p->owner);\n\n\tnfs4_label_free(p->a_label);\n\tnfs4_label_free(p->f_label);\n\n\tdput(p->dir);\n\tdput(p->dentry);\n\tnfs_sb_deactive(sb);\n\tnfs_fattr_free_names(&p->f_attr);\n\tkfree(p->f_attr.mdsthreshold);\n\tkfree(p);\n}", "project": "linux", "hash": 144501199715785145455733938095251064846, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431341 }, { "func": "int fuse_lookup_name(struct super_block *sb, u64 nodeid, const struct qstr *name,\n\t\t struct fuse_entry_out *outarg, struct inode **inode)\n{\n\tstruct fuse_mount *fm = get_fuse_mount_super(sb);\n\tFUSE_ARGS(args);\n\tstruct fuse_forget_link *forget;\n\tu64 attr_version;\n\tint err;\n\n\t*inode = NULL;\n\terr = -ENAMETOOLONG;\n\tif (name->len > FUSE_NAME_MAX)\n\t\tgoto out;\n\n\n\tforget = fuse_alloc_forget();\n\terr = -ENOMEM;\n\tif (!forget)\n\t\tgoto out;\n\n\tattr_version = fuse_get_attr_version(fm->fc);\n\n\tfuse_lookup_init(fm->fc, &args, nodeid, name, outarg);\n\terr = fuse_simple_request(fm, &args);\n\t/* Zero nodeid is same as -ENOENT, but with valid timeout 
*/\n\tif (err || !outarg->nodeid)\n\t\tgoto out_put_forget;\n\n\terr = -EIO;\n\tif (!outarg->nodeid)\n\t\tgoto out_put_forget;\n\tif (fuse_invalid_attr(&outarg->attr))\n\t\tgoto out_put_forget;\n\n\t*inode = fuse_iget(sb, outarg->nodeid, outarg->generation,\n\t\t\t &outarg->attr, entry_attr_timeout(outarg),\n\t\t\t attr_version);\n\terr = -ENOMEM;\n\tif (!*inode) {\n\t\tfuse_queue_forget(fm->fc, forget, outarg->nodeid, 1);\n\t\tgoto out;\n\t}\n\terr = 0;\n\n out_put_forget:\n\tkfree(forget);\n out:\n\treturn err;\n}", "project": "linux", "hash": 75136298477137285190300000387350606602, "size": 49, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341996 }, { "func": "void kvm_release_pfn(kvm_pfn_t pfn, bool dirty, struct gfn_to_pfn_cache *cache)\n{\n\tif (pfn == 0)\n\t\treturn;\n\n\tif (cache)\n\t\tcache->pfn = cache->gfn = 0;\n\n\tif (dirty)\n\t\tkvm_release_pfn_dirty(pfn);\n\telse\n\t\tkvm_release_pfn_clean(pfn);\n}", "project": "linux", "hash": 19493843610102453367562014639598201145, "size": 13, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354446 }, { "func": "static int shutdown_interception(struct vcpu_svm *svm)\n{\n\tstruct kvm_run *kvm_run = svm->vcpu.run;\n\n\t/*\n\t * VMCB is undefined after a SHUTDOWN intercept\n\t * so reinitialize it.\n\t */\n\tclear_page(svm->vmcb);\n\tinit_vmcb(svm);\n\n\tkvm_run->exit_reason = KVM_EXIT_SHUTDOWN;\n\treturn 0;\n}", "project": "linux", "hash": 97823783429734114406678508229249483950, "size": 14, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the 
page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432494 }, { "func": "int JOIN::rollup_write_data(uint idx, TMP_TABLE_PARAM *tmp_table_param_arg, TABLE *table_arg)\n{\n uint i;\n for (i= send_group_parts ; i-- > idx ; )\n {\n /* Get reference pointers to sum functions in place */\n copy_ref_ptr_array(ref_ptrs, rollup.ref_pointer_arrays[i]);\n if ((!having || having->val_int()))\n {\n int write_error;\n Item *item;\n List_iterator_fast it(rollup.fields[i]);\n while ((item= it++))\n {\n if (item->type() == Item::NULL_ITEM && item->is_result_field())\n item->save_in_result_field(1);\n }\n copy_sum_funcs(sum_funcs_end[i+1], sum_funcs_end[i]);\n if (unlikely((write_error=\n table_arg->file->ha_write_tmp_row(table_arg->record[0]))))\n {\n\tif (create_internal_tmp_table_from_heap(thd, table_arg, \n tmp_table_param_arg->start_recinfo,\n &tmp_table_param_arg->recinfo,\n write_error, 0, NULL))\n\t return 1;\t\t \n }\n }\n }\n /* Restore ref_pointer_array */\n set_items_ref_array(current_ref_ptrs);\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 331649700607337119314647873098670892835, "size": 33, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508643 }, { "func": "static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_read_page_scan_activity *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tif (test_bit(HCI_INIT, &hdev->flags)) {\n\t\thdev->page_scan_interval = __le16_to_cpu(rp->interval);\n\t\thdev->page_scan_window = __le16_to_cpu(rp->window);\n\t}\n}", "project": "linux", "hash": 120954037045170436171832751869326024683, "size": 15, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431938 }, { "func": "static void __trace_array_put(struct trace_array *this_tr)\n{\n\tWARN_ON(!this_tr->ref);\n\tthis_tr->ref--;\n}", "project": "linux", "hash": 157054708441913938631706495389110629419, "size": 5, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445793 }, { "func": "void sctp_copy_sock(struct sock *newsk, struct sock *sk,\n\t\t struct sctp_association *asoc)\n{\n\tstruct inet_sock *inet = inet_sk(sk);\n\tstruct inet_sock *newinet;\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_endpoint *ep = sp->ep;\n\n\tnewsk->sk_type = sk->sk_type;\n\tnewsk->sk_bound_dev_if = sk->sk_bound_dev_if;\n\tnewsk->sk_flags = sk->sk_flags;\n\tnewsk->sk_tsflags = sk->sk_tsflags;\n\tnewsk->sk_no_check_tx = sk->sk_no_check_tx;\n\tnewsk->sk_no_check_rx = sk->sk_no_check_rx;\n\tnewsk->sk_reuse = sk->sk_reuse;\n\tsctp_sk(newsk)->reuse = sp->reuse;\n\n\tnewsk->sk_shutdown = 
sk->sk_shutdown;\n\tnewsk->sk_destruct = sctp_destruct_sock;\n\tnewsk->sk_family = sk->sk_family;\n\tnewsk->sk_protocol = IPPROTO_SCTP;\n\tnewsk->sk_backlog_rcv = sk->sk_prot->backlog_rcv;\n\tnewsk->sk_sndbuf = sk->sk_sndbuf;\n\tnewsk->sk_rcvbuf = sk->sk_rcvbuf;\n\tnewsk->sk_lingertime = sk->sk_lingertime;\n\tnewsk->sk_rcvtimeo = sk->sk_rcvtimeo;\n\tnewsk->sk_sndtimeo = sk->sk_sndtimeo;\n\tnewsk->sk_rxhash = sk->sk_rxhash;\n\n\tnewinet = inet_sk(newsk);\n\n\t/* Initialize sk's sport, dport, rcv_saddr and daddr for\n\t * getsockname() and getpeername()\n\t */\n\tnewinet->inet_sport = inet->inet_sport;\n\tnewinet->inet_saddr = inet->inet_saddr;\n\tnewinet->inet_rcv_saddr = inet->inet_rcv_saddr;\n\tnewinet->inet_dport = htons(asoc->peer.port);\n\tnewinet->pmtudisc = inet->pmtudisc;\n\tnewinet->inet_id = prandom_u32();\n\n\tnewinet->uc_ttl = inet->uc_ttl;\n\tnewinet->mc_loop = 1;\n\tnewinet->mc_ttl = 1;\n\tnewinet->mc_index = 0;\n\tnewinet->mc_list = NULL;\n\n\tif (newsk->sk_flags & SK_FLAGS_TIMESTAMP)\n\t\tnet_enable_timestamp();\n\n\t/* Set newsk security attributes from orginal sk and connection\n\t * security attribute from ep.\n\t */\n\tsecurity_sctp_sk_clone(ep, sk, newsk);\n}", "project": "linux", "hash": 298740673715509831217870603540984858019, "size": 55, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398141 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "void BlobURLRequestJob::Kill() {\n CloseStream();\n\n net::URLRequestJob::Kill();\n callback_factory_.RevokeAll();\n method_factory_.RevokeAll();\n}\n", "cwe": "", "big_vul_idx": 106417, "idx": 176353, "hash": 106657281755431104980632566030180629669 }, { "func": "static void autocomplete_zignatures(RCore *core, RLineCompletion *completion, const char* msg) {\n\tr_return_if_fail (msg);\n\tint length = strlen (msg);\n\tRSpaces *zs = &core->anal->zign_spaces;\n\tRSpace *s;\n\tRSpaceIter it;\n\n\tr_spaces_foreach (zs, it, s) {\n\t\tif (!strncmp (msg, s->name, length)) {\n\t\t\tr_line_completion_push (completion, s->name);\n\t\t}\n\t}\n\n\tif (strlen (msg) == 0) {\n\t\tr_line_completion_push (completion, \"*\");\n\t}\n}", "project": "radare2", "hash": 314042027715466645329467422686225115215, "size": 17, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232179 }, { "func": " enum Item_result result_type () const { return orig_item->result_type(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 211184991859237441960386166390549930912, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug 
could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509006 }, { "func": " enum Item_result result_type () const\n { return Type_handler_hybrid_field_type::result_type(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 218509550643875403065929337171327814190, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509188 }, { "func": " enum Item_result result_type () const\n {\n /*\n In 10.1 Item_type_holder::result_type() returned\n Field::result_merge_type(field_type()), which returned STRING_RESULT\n for the BIT data type. In 10.2 it returns INT_RESULT, similar\n to what Field_bit::result_type() does. This should not be\n important because Item_type_holder is a limited purpose Item\n and its result_type() should not be called from outside of\n Item_type_holder. It's called only internally from decimal_int_part()\n from join_types(), to calculate \"decimals\" of the result data type.\n As soon as we get BIT as one of the joined types, the result field\n type cannot be numeric: it's either BIT, or VARBINARY.\n */\n return Type_handler_hybrid_real_field_type::result_type();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 280549977111095764728811927678933454693, "size": 16, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509408 }, { "func": " Item_result result_type() const { return type_handler()->result_type(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 43133183712294925487416749059596445219, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509413 }, { "func": "static bool __listen_unix (RSocket *s, const char *file) {\n\tstruct sockaddr_un unix_name;\n\tint sock = socket (PF_UNIX, SOCK_STREAM, 0);\n\tif (sock < 0) {\n\t\treturn false;\n\t}\n\t// TODO: set socket options\n\tunix_name.sun_family = AF_UNIX;\n\tstrncpy (unix_name.sun_path, file, sizeof (unix_name.sun_path)-1);\n\n\t/* just to make sure there is no other socket file */\n\tunlink (unix_name.sun_path);\n\n\tif (bind (sock, (struct sockaddr *) &unix_name, sizeof (unix_name)) < 0) {\n\t\tclose (sock);\n\t\treturn false;\n\t}\n\tr_sys_signal (SIGPIPE, SIG_IGN);\n\n\t/* change permissions */\n\tif (chmod (unix_name.sun_path, 0777) != 0) {\n\t\tclose (sock);\n\t\treturn false;\n\t}\n\tif (listen (sock, 1)) {\n\t\tclose (sock);\n\t\treturn false;\n\t}\n\ts->fd = sock;\n\treturn true;\n}", "project": "radare2", "hash": 124390865669971743522778950456249126754, "size": 31, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268861 }, { "func": "void tracing_reset(struct trace_buffer *buf, int cpu)\n{\n\tstruct ring_buffer *buffer = buf->buffer;\n\n\tif (!buffer)\n\t\treturn;\n\n\tring_buffer_record_disable(buffer);\n\n\t/* Make sure all commits have finished */\n\tsynchronize_sched();\n\tring_buffer_reset_cpu(buffer, cpu);\n\n\tring_buffer_record_enable(buffer);\n}", "project": "linux", "hash": 328638458943504433020831542466576471665, "size": 15, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445677 }, { "func": "static inline void encode_openhdr(struct xdr_stream *xdr, const struct nfs_openargs *arg)\n{\n\t__be32 *p;\n /*\n * opcode 4, seqid 4, share_access 4, share_deny 4, clientid 8, ownerlen 4,\n * owner 4 = 32\n */\n\tencode_nfs4_seqid(xdr, arg->seqid);\n\tencode_share_access(xdr, arg->share_access);\n\tp = reserve_space(xdr, 36);\n\tp = xdr_encode_hyper(p, arg->clientid);\n\t*p++ = cpu_to_be32(24);\n\tp = xdr_encode_opaque_fixed(p, \"open id:\", 8);\n\t*p++ = cpu_to_be32(arg->server->s_dev);\n\t*p++ = cpu_to_be32(arg->id.uniquifier);\n\txdr_encode_hyper(p, arg->id.create_time);\n}", "project": "linux", "hash": 66554845480951631711791757768719107168, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431306 }, { "func": "static unsigned int x25_new_lci(struct x25_neigh *nb)\n{\n\tunsigned int lci = 1;\n\tstruct sock *sk;\n\n\twhile ((sk = x25_find_socket(lci, nb)) != NULL) {\n\t\tsock_put(sk);\n\t\tif (++lci == 4096) {\n\t\t\tlci = 0;\n\t\t\tbreak;\n\t\t}\n\t\tcond_resched();\n\t}\n\n\treturn lci;\n}", "project": "net", "hash": 119827092404316315335114460145290997828, "size": 16, "commit_id": 
"7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 449169 }, { "func": "static int irda_create(struct net *net, struct socket *sock, int protocol)\n{\n\tstruct sock *sk;\n\tstruct irda_sock *self;\n\n\tIRDA_DEBUG(2, \"%s()\\n\", __func__);\n\n\tif (net != &init_net)\n\t\treturn -EAFNOSUPPORT;\n\n\t/* Check for valid socket type */\n\tswitch (sock->type) {\n\tcase SOCK_STREAM: /* For TTP connections with SAR disabled */\n\tcase SOCK_SEQPACKET: /* For TTP connections with SAR enabled */\n\tcase SOCK_DGRAM: /* For TTP Unitdata or LMP Ultra transfers */\n\t\tbreak;\n\tdefault:\n\t\treturn -ESOCKTNOSUPPORT;\n\t}\n\n\t/* Allocate networking socket */\n\tsk = sk_alloc(net, PF_IRDA, GFP_ATOMIC, &irda_proto);\n\tif (sk == NULL)\n\t\treturn -ENOMEM;\n\n\tself = irda_sk(sk);\n\tIRDA_DEBUG(2, \"%s() : self is %p\\n\", __func__, self);\n\n\tinit_waitqueue_head(&self->query_wait);\n\n\tswitch (sock->type) {\n\tcase SOCK_STREAM:\n\t\tsock->ops = &irda_stream_ops;\n\t\tself->max_sdu_size_rx = TTP_SAR_DISABLE;\n\t\tbreak;\n\tcase SOCK_SEQPACKET:\n\t\tsock->ops = &irda_seqpacket_ops;\n\t\tself->max_sdu_size_rx = TTP_SAR_UNBOUND;\n\t\tbreak;\n\tcase SOCK_DGRAM:\n\t\tswitch (protocol) {\n#ifdef CONFIG_IRDA_ULTRA\n\t\tcase IRDAPROTO_ULTRA:\n\t\t\tsock->ops = &irda_ultra_ops;\n\t\t\t/* Initialise now, because we may send on unbound\n\t\t\t * sockets. Jean II */\n\t\t\tself->max_data_size = ULTRA_MAX_DATA - LMP_PID_HEADER;\n\t\t\tself->max_header_size = IRDA_MAX_HEADER + LMP_PID_HEADER;\n\t\t\tbreak;\n#endif /* CONFIG_IRDA_ULTRA */\n\t\tcase IRDAPROTO_UNITDATA:\n\t\t\tsock->ops = &irda_dgram_ops;\n\t\t\t/* We let Unitdata conn. be like seqpack conn. 
*/\n\t\t\tself->max_sdu_size_rx = TTP_SAR_UNBOUND;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tsk_free(sk);\n\t\t\treturn -ESOCKTNOSUPPORT;\n\t\t}\n\t\tbreak;\n\tdefault:\n\t\tsk_free(sk);\n\t\treturn -ESOCKTNOSUPPORT;\n\t}\n\n\t/* Initialise networking socket struct */\n\tsock_init_data(sock, sk);\t/* Note : set sk->sk_refcnt to 1 */\n\tsk->sk_family = PF_IRDA;\n\tsk->sk_protocol = protocol;\n\n\t/* Register as a client with IrLMP */\n\tself->ckey = irlmp_register_client(0, NULL, NULL, NULL);\n\tself->mask.word = 0xffff;\n\tself->rx_flow = self->tx_flow = FLOW_START;\n\tself->nslots = DISCOVERY_DEFAULT_SLOTS;\n\tself->daddr = DEV_ADDR_ANY;\t/* Until we get connected */\n\tself->saddr = 0x0;\t\t/* so IrLMP assign us any link */\n\treturn 0;\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c", "hash": 106885965778615223578093025091659319284, "size": 79, "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "dataset": "other", "idx": 490845 }, { "func": "static inline void *freelist_dereference(const struct kmem_cache *s,\n\t\t\t\t\t void *ptr_addr)\n{\n\treturn freelist_ptr(s, (void *)*(unsigned long *)(ptr_addr),\n\t\t\t (unsigned long)ptr_addr);\n}", "project": "linux", "hash": 283923555331507501018837495534655884662, "size": 6, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280131 }, { "func": "static ssize_t xdr_encode_bitmap4(struct xdr_stream *xdr,\n\t\tconst __u32 *bitmap, size_t len)\n{\n\tssize_t ret;\n\n\t/* Trim empty words */\n\twhile (len > 0 && bitmap[len-1] == 0)\n\t\tlen--;\n\tret = xdr_stream_encode_uint32_array(xdr, bitmap, len);\n\tif (WARN_ON_ONCE(ret < 0))\n\t\treturn ret;\n\treturn len;\n}", "project": "linux", "hash": 207689552014100552040900473864925839648, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431209 }, { "func": "static int pipe_snd_status(struct sock *sk, u8 type, u8 status, gfp_t priority)\n{\n\tu8 data[4] = { type, PAD, PAD, status };\n\n\treturn pep_indicate(sk, PNS_PEP_STATUS_IND, PN_PEP_TYPE_COMMON,\n\t\t\t\tdata, 4, priority);\n}", "project": "linux", "hash": 165760874592625984073319112719953500822, "size": 7, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: 
https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224803 }, { "func": "int nfs4_sequence_done(struct rpc_task *task,\n\t\t struct nfs4_sequence_res *res)\n{\n\treturn nfs40_sequence_done(task, res);\n}", "project": "linux", "hash": 113540062754643724129486970900670795836, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431236 }, { "func": "int nfs4_sequence_done(struct rpc_task *task, struct nfs4_sequence_res *res)\n{\n\tif (res->sr_slot == NULL)\n\t\treturn 1;\n\tif (!res->sr_slot->table->session)\n\t\treturn nfs40_sequence_done(task, res);\n\treturn nfs41_sequence_done(task, res);\n}", "project": "linux", "hash": 111805296670459222578139218363460252423, "size": 8, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431360 }, { "func": "int ssh_buffer_add_u16(struct ssh_buffer_struct *buffer,uint16_t data)\n{\n int rc;\n\n rc = ssh_buffer_add_data(buffer, &data, sizeof(data));\n if (rc < 0) {\n return -1;\n }\n\n return 0;\n}", "project": "libssh-mirror", "hash": 132000135809120111687971676919505199073, "size": 11, 
"commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345143 }, { "func": "bool VerifySparsity(const RuntimeShape& weights_shape,\n const RuntimeShape& input_shape,\n const RuntimeShape& output_shape,\n const TfLiteSparsity* sparsity) {\n const int weights_dims_count = weights_shape.DimensionsCount();\n const int output_dims_count = output_shape.DimensionsCount();\n const int w0_size = sparsity->dim_metadata[0].dense_size;\n const int accum_depth = weights_shape.Dims(weights_dims_count - 1);\n const int output_elements = output_shape.FlatSize();\n const int input_elements = input_shape.FlatSize();\n const int batches = FlatSizeSkipDim(output_shape, output_dims_count - 1);\n const int output_depth = MatchingDim(weights_shape, weights_dims_count - 2,\n output_shape, output_dims_count - 1);\n const int max_batch_index = batches - 1;\n const int max_output = max_batch_index * output_depth + w0_size;\n const int max_batch_depth = accum_depth * max_batch_index;\n\n // Verify output size is enough.\n if (output_elements < max_output) return false;\n\n // Verify index from sparse in input is valid.\n for (int i = 0; i < sparsity->dim_metadata[1].array_indices->size; ++i) {\n if (input_elements <=\n max_batch_depth + sparsity->dim_metadata[1].array_indices->data[i])\n return false;\n }\n return true;\n}", "project": "tensorflow", "hash": 8875275108829332307641194834073790640, "size": 28, "commit_id": "6c0b2b70eeee588591680f5b7d5d38175fd7cdf6", "message": "[lite] add validation check for sparse fully connected\n\nPiperOrigin-RevId: 417629354\nChange-Id: If96171c4bd4f5fdb01d6368d6deab19d1c9beca7", "target": 0, "dataset": "other", "idx": 220487 }, { "func": "R_API int r_socket_read_block(RSocket *s, ut8 *buf, int len) {\n\tint ret = 0;\n\tfor (ret = 0; ret < len; ) {\n\t\tint r = 
r_socket_read (s, buf + ret, len - ret);\n\t\tif (r == -1) {\n#if HAVE_LIB_SSL\n\t\t\tif (SSL_get_error (s->sfd, r) == SSL_ERROR_WANT_READ) {\n\t\t\t\tif (r_socket_ready (s, 1, 0) == 1) {\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t}\n#endif\n\t\t\treturn -1;\n\t\t}\n\t\tif (r < 1) {\n\t\t\tbreak;\n\t\t}\n\t\tret += r;\n\t}\n\treturn ret;\n}", "project": "radare2", "hash": 264959666055801920071061456170151303851, "size": 21, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269008 }, { "func": "int imap_fast_trash(struct Mailbox *m, char *dest)\n{\n char prompt[1024];\n int rc = -1;\n bool triedcreate = false;\n enum QuadOption err_continue = MUTT_NO;\n\n struct ImapAccountData *adata = imap_adata_get(m);\n struct ImapAccountData *dest_adata = NULL;\n struct ImapMboxData *dest_mdata = NULL;\n\n if (imap_adata_find(dest, &dest_adata, &dest_mdata) < 0)\n return -1;\n\n struct Buffer sync_cmd = mutt_buffer_make(0);\n\n /* check that the save-to folder is in the same account */\n if (!imap_account_match(&(adata->conn->account), &(dest_adata->conn->account)))\n {\n mutt_debug(LL_DEBUG3, \"%s not same server as %s\\n\", dest, mailbox_path(m));\n goto out;\n }\n\n for (int i = 0; i < m->msg_count; i++)\n {\n struct Email *e = m->emails[i];\n if (!e)\n break;\n if (e->active && e->changed && e->deleted && !e->purge)\n {\n rc = imap_sync_message_for_copy(m, e, &sync_cmd, &err_continue);\n if (rc < 0)\n {\n mutt_debug(LL_DEBUG1, \"could not sync\\n\");\n goto out;\n }\n }\n }\n\n /* loop in case of TRYCREATE */\n do\n {\n rc = imap_exec_msgset(m, \"UID COPY\", dest_mdata->munge_name, MUTT_TRASH, false, false);\n if (rc == 0)\n {\n mutt_debug(LL_DEBUG1, \"No messages to trash\\n\");\n rc = -1;\n goto out;\n }\n else if (rc < 0)\n {\n mutt_debug(LL_DEBUG1, \"could not queue copy\\n\");\n goto out;\n }\n else if (m->verbose)\n {\n mutt_message(ngettext(\"Copying %d 
message to %s...\", \"Copying %d messages to %s...\", rc),\n rc, dest_mdata->name);\n }\n\n /* let's get it on */\n rc = imap_exec(adata, NULL, IMAP_CMD_NO_FLAGS);\n if (rc == IMAP_EXEC_ERROR)\n {\n if (triedcreate)\n {\n mutt_debug(LL_DEBUG1, \"Already tried to create mailbox %s\\n\", dest_mdata->name);\n break;\n }\n /* bail out if command failed for reasons other than nonexistent target */\n if (!mutt_istr_startswith(imap_get_qualifier(adata->buf), \"[TRYCREATE]\"))\n break;\n mutt_debug(LL_DEBUG3, \"server suggests TRYCREATE\\n\");\n snprintf(prompt, sizeof(prompt), _(\"Create %s?\"), dest_mdata->name);\n if (C_Confirmcreate && (mutt_yesorno(prompt, MUTT_YES) != MUTT_YES))\n {\n mutt_clear_error();\n goto out;\n }\n if (imap_create_mailbox(adata, dest_mdata->name) < 0)\n break;\n triedcreate = true;\n }\n } while (rc == IMAP_EXEC_ERROR);\n\n if (rc != IMAP_EXEC_SUCCESS)\n {\n imap_error(\"imap_fast_trash\", adata->buf);\n goto out;\n }\n\n rc = IMAP_EXEC_SUCCESS;\n\nout:\n mutt_buffer_dealloc(&sync_cmd);\n imap_mdata_free((void *) &dest_mdata);\n\n return ((rc == IMAP_EXEC_SUCCESS) ? 
0 : -1);\n}", "project": "neomutt", "hash": 67233524080073656630559443719802217190, "size": 99, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357045 }, { "func": "int tracing_update_buffers(void)\n{\n\tint ret = 0;\n\n\tmutex_lock(&trace_types_lock);\n\tif (!ring_buffer_expanded)\n\t\tret = __tracing_resize_ring_buffer(&global_trace, trace_buf_size,\n\t\t\t\t\t\tRING_BUFFER_ALL_CPUS);\n\tmutex_unlock(&trace_types_lock);\n\n\treturn ret;\n}", "project": "linux", "hash": 260875952470297583639543241163152806095, "size": 12, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445584 }, { "func": "\nstatic void bfq_init_root_group(struct bfq_group *root_group,\n\t\t\t\tstruct bfq_data *bfqd)\n{\n\tint i;\n\n#ifdef CONFIG_BFQ_GROUP_IOSCHED\n\troot_group->entity.parent = NULL;\n\troot_group->my_entity = NULL;\n\troot_group->bfqd = bfqd;\n#endif\n\troot_group->rq_pos_tree = RB_ROOT;\n\tfor (i = 0; i < BFQ_IOPRIO_CLASSES; i++)\n\t\troot_group->sched_data.service_tree[i] = BFQ_SERVICE_TREE_INIT;\n\troot_group->sched_data.bfq_class_idle_last_service = jiffies;", "project": "linux", "hash": 212662036476637741184854089607917789554, "size": 15, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453283 }, { "func": "inline void FastMemcpy(void* dst, const void* src, size_t size) {\n // clang-format off\n switch (size) {\n // Most compilers will generate inline code for fixed sizes,\n // which is significantly faster for small copies.\n case 1: memcpy(dst, src, 1); break;\n case 2: memcpy(dst, src, 2); break;\n case 3: memcpy(dst, src, 3); break;\n case 4: memcpy(dst, src, 4); break;\n case 5: memcpy(dst, src, 5); break;\n case 6: memcpy(dst, src, 6); break;\n case 7: memcpy(dst, src, 7); break;\n case 8: memcpy(dst, src, 8); break;\n case 9: memcpy(dst, src, 9); break;\n case 10: memcpy(dst, src, 10); break;\n case 11: memcpy(dst, src, 11); break;\n case 12: memcpy(dst, src, 12); break;\n case 13: memcpy(dst, src, 13); break;\n case 14: memcpy(dst, src, 14); break;\n case 15: memcpy(dst, src, 15); break;\n case 16: memcpy(dst, src, 16); break;\n#if 
defined(PLATFORM_GOOGLE) || defined(PLATFORM_POSIX) && \\\n !defined(IS_MOBILE_PLATFORM)\n // On Linux, memmove appears to be faster than memcpy for\n // large sizes, strangely enough.\n default: memmove(dst, src, size); break;\n#else\n default: memcpy(dst, src, size); break;\n#endif\n }\n // clang-format on\n}", "project": "tensorflow", "hash": 312006317482688497676478691489044826032, "size": 32, "commit_id": "030af767d357d1b4088c4a25c72cb3906abac489", "message": "Fix `tf.raw_ops.ResourceCountUpTo` null pointer dereference.\n\nPiperOrigin-RevId: 368294347\nChange-Id: I2c16fbfc9b4966c402c3d8e311f0d665a9c852d8", "target": 0, "dataset": "other", "idx": 232662 }, { "func": "static int do_execveat_common(int fd, struct filename *filename,\n\t\t\t struct user_arg_ptr argv,\n\t\t\t struct user_arg_ptr envp,\n\t\t\t int flags)\n{\n\treturn __do_execve_file(fd, filename, argv, envp, flags, NULL);\n}", "project": "linux", "hash": 28153163062284387224759919004426784429, "size": 7, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375264 }, { "func": "static unsigned int fanout_demux_rollover(struct packet_fanout *f,\n\t\t\t\t\t struct sk_buff *skb,\n\t\t\t\t\t unsigned int idx, bool try_self,\n\t\t\t\t\t unsigned int num)\n{\n\tstruct packet_sock *po, *po_next, *po_skip = NULL;\n\tunsigned int i, j, room = ROOM_NONE;\n\n\tpo = pkt_sk(f->arr[idx]);\n\n\tif (try_self) {\n\t\troom = packet_rcv_has_room(po, skb);\n\t\tif (room == ROOM_NORMAL ||\n\t\t (room == ROOM_LOW && !fanout_flow_is_huge(po, skb)))\n\t\t\treturn idx;\n\t\tpo_skip = po;\n\t}\n\n\ti = j = min_t(int, po->rollover->sock, num - 1);\n\tdo {\n\t\tpo_next = pkt_sk(f->arr[i]);\n\t\tif (po_next != po_skip && !READ_ONCE(po_next->pressure) &&\n\t\t packet_rcv_has_room(po_next, skb) == ROOM_NORMAL) {\n\t\t\tif (i != j)\n\t\t\t\tpo->rollover->sock = i;\n\t\t\tatomic_long_inc(&po->rollover->num);\n\t\t\tif (room == ROOM_LOW)\n\t\t\t\tatomic_long_inc(&po->rollover->num_huge);\n\t\t\treturn i;\n\t\t}\n\n\t\tif (++i == num)\n\t\t\ti = 0;\n\t} while (i != 
j);\n\n\tatomic_long_inc(&po->rollover->num_failed);\n\treturn idx;\n}", "project": "linux", "hash": 199356827203740454497922783319499194982, "size": 38, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330408 }, { "func": "CallResult JSObject::isExtensible(\n PseudoHandle self,\n Runtime *runtime) {\n if (LLVM_UNLIKELY(self->isProxyObject())) {\n return JSProxy::isExtensible(runtime->makeHandle(std::move(self)), runtime);\n }\n return self->isExtensible();\n}", "project": "hermes", "hash": 86724539350669477457470728302150038822, "size": 8, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230232 }, { "func": "static int imap_path_parent(char *buf, size_t buflen)\n{\n char tmp[PATH_MAX] = { 0 };\n\n imap_get_parent_path(buf, tmp, sizeof(tmp));\n mutt_str_copy(buf, tmp, buflen);\n return 0;\n}", "project": "neomutt", "hash": 197039005619403778824749920738872293472, "size": 8, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357031 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "WebString WebGraphicsContext3DDefaultImpl::getShaderSource(WebGLId shader)\n{\n makeContextCurrent();\n\n ShaderSourceMap::iterator result = m_shaderSourceMap.find(shader);\n if (result != m_shaderSourceMap.end()) {\n ShaderSourceEntry* entry = result->second;\n ASSERT(entry);\n if (!entry->source)\n return WebString();\n WebString res = WebString::fromUTF8(entry->source, strlen(entry->source));\n return res;\n }\n\n GLint logLength = 0;\n glGetShaderiv(shader, GL_SHADER_SOURCE_LENGTH, &logLength);\n if (logLength <= 1)\n return WebString();\n GLchar* log = 0;\n if (!tryFastMalloc(logLength * sizeof(GLchar)).getValue(log))\n return WebString();\n GLsizei returnedLogLength;\n glGetShaderSource(shader, logLength, &returnedLogLength, log);\n ASSERT(logLength == returnedLogLength + 1);\n WebString res = WebString::fromUTF8(log, returnedLogLength);\n fastFree(log);\n return res;\n}\n", "cwe": "", "big_vul_idx": 99005, "idx": 89062, "hash": 308242398566707613154201390026702380527 }, { "func": "\tMode(User* source, Channel* Chantarget, User* Usertarget, 
const Modes::ChangeList& changelist)\n\t\t: ClientProtocol::Message(\"MODE\", source)\n\t\t, chantarget(Chantarget)\n\t\t, usertarget(Usertarget)\n\t\t, beginit(changelist.getlist().begin())\n\t{\n\t\tPushParamRef(GetStrTarget());\n\t\tPushParam(ToModeLetters(changelist.getlist(), 450, beginit, lastit));\n\t\tPushModeParams();\n\t}", "project": "inspircd", "hash": 164338085301114147876651437598717046890, "size": 10, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273262 }, { "func": "static int unshare_sighand(struct task_struct *me)\n{\n\tstruct sighand_struct *oldsighand = me->sighand;\n\n\tif (refcount_read(&oldsighand->count) != 1) {\n\t\tstruct sighand_struct *newsighand;\n\t\t/*\n\t\t * This ->sighand is shared with the CLONE_SIGHAND\n\t\t * but not CLONE_THREAD task, switch to the new one.\n\t\t */\n\t\tnewsighand = kmem_cache_alloc(sighand_cachep, GFP_KERNEL);\n\t\tif (!newsighand)\n\t\t\treturn -ENOMEM;\n\n\t\trefcount_set(&newsighand->count, 1);\n\t\tmemcpy(newsighand->action, oldsighand->action,\n\t\t sizeof(newsighand->action));\n\n\t\twrite_lock_irq(&tasklist_lock);\n\t\tspin_lock(&oldsighand->siglock);\n\t\trcu_assign_pointer(me->sighand, newsighand);\n\t\tspin_unlock(&oldsighand->siglock);\n\t\twrite_unlock_irq(&tasklist_lock);\n\n\t\t__cleanup_sighand(oldsighand);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 261029361626572745465580218021931205361, "size": 28, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375151 }, { "func": "static int test_ifsection_section(cmd_parms *cmd, const char *arg)\n{\n const char *name = apr_pstrcat(cmd->temp_pool, \"<\", arg, NULL);\n return ap_exists_directive(cmd->temp_pool, name);\n}", "project": "httpd", "hash": 214056307592188401661121285809899582888, "size": 5, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246282 }, { "func": "void intel_lr_context_reset(struct intel_engine_cs *engine,\n\t\t\t struct intel_context *ce,\n\t\t\t u32 head,\n\t\t\t bool scrub)\n{\n\tGEM_BUG_ON(!intel_context_is_pinned(ce));\n\n\t/*\n\t * We want a simple context + ring to execute the breadcrumb update.\n\t * We cannot rely on the context being intact across the GPU hang,\n\t * so clear it and rebuild just what we need for the breadcrumb.\n\t * All pending requests for this context will be zapped, and any\n\t * future request will be after userspace has had the opportunity\n\t * to recreate its own state.\n\t */\n\tif (scrub)\n\t\trestore_default_state(ce, engine);\n\n\t/* Rerun the request; its payload has been neutered (if guilty). 
*/\n\tce->ring->head = head;\n\tintel_ring_update_space(ce->ring);\n\n\t__execlists_update_reg_state(ce, engine);\n}", "project": "linux", "hash": 109936873472909269977577006315740476934, "size": 24, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281421 }, { "func": "static inline void disable_gif(struct vcpu_svm *svm)\n{\n\tif (vgif_enabled(svm))\n\t\tsvm->vmcb->control.int_ctl &= ~V_GIF_MASK;\n\telse\n\t\tsvm->vcpu.arch.hflags &= ~HF_GIF_MASK;\n}", "project": "linux", "hash": 142292350154931643952249327271533797950, "size": 7, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432476 }, { "func": "static inline void disable_gif(struct vcpu_svm *svm)\n{\n\tsvm->vcpu.arch.hflags &= ~HF_GIF_MASK;\n}", "project": "kvm", "hash": 41049236882769354137039682696725642878, "size": 4, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437562 }, { "func": "static int sctp_send_asconf(struct sctp_association *asoc,\n\t\t\t struct sctp_chunk *chunk)\n{\n\tint retval = 0;\n\n\t/* If there is an outstanding ASCONF chunk, queue it for later\n\t * transmission.\n\t */\n\tif (asoc->addip_last_asconf) {\n\t\tlist_add_tail(&chunk->list, &asoc->addip_chunk_list);\n\t\tgoto out;\n\t}\n\n\t/* Hold the chunk until an ASCONF_ACK is received. */\n\tsctp_chunk_hold(chunk);\n\tretval = sctp_primitive_ASCONF(asoc->base.net, asoc, chunk);\n\tif (retval)\n\t\tsctp_chunk_free(chunk);\n\telse\n\t\tasoc->addip_last_asconf = chunk;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 305112704140747428914781898766624864703, "size": 24, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398124 }, { "func": "static InlineX int pad4(int value)\n{\n int remainder = value & 3;\n if (!remainder) return value;\n return value + 4 - remainder;\n}", "project": "libvncserver", "hash": 209270106577216959037438020447209041906, "size": 6, "commit_id": "a6788d1da719ae006605b78d22f5a9f170b423af", "message": "libvncserver: scale: cast to 64 bit before shifting\n\nSince pixel_value is 64 bit the data type of the shift operand should\nbe 64 bit too to prevent integer overflows.", "target": 0, "dataset": "other", "idx": 296797 }, { "func": "static void init_trace_flags_index(struct trace_array *tr)\n{\n\tint i;\n\n\t/* Used by the trace options files */\n\tfor (i = 0; i < TRACE_FLAGS_MAX_SIZE; i++)\n\t\ttr->trace_flags_index[i] = i;\n}", "project": "linux", "hash": 296587036644950211879888807993519673999, "size": 8, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445696 }, { "func": "int32_t getGrowCapacity(int32_t newLength) {\n int32_t growSize = (newLength >> 2) + kGrowSize;\n if(growSize <= (kMaxCapacity - newLength)) {\n return newLength + growSize;\n } else {\n return kMaxCapacity;\n }\n}", "project": "icu", "hash": 114222209525176101423711662668545920584, "size": 8, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430849 }, { "func": "gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */\n{\n\tint BitPixel;\n#if 0\n\tint ColorResolution;\n\tint Background;\n\tint AspectRatio;\n#endif\n\tint Transparent = (-1);\n\tunsigned char buf[16];\n\tunsigned char c;\n\tunsigned char ColorMap[3][MAXCOLORMAPSIZE];\n\tunsigned char localColorMap[3][MAXCOLORMAPSIZE];\n\tint imw, imh, screen_width, screen_height;\n\tint gif87a, useGlobalColormap;\n\tint bitPixel;\n\tint\t i;\n\t/*1.4//int imageCount = 0; */\n\n\tint ZeroDataBlock = FALSE;\n\tint haveGlobalColormap;\n\tgdImagePtr im = 0;\n\n\t/*1.4//imageNumber = 1; */\n\tif (! ReadOK(fd,buf,6)) {\n\t\treturn 0;\n\t}\n\tif (strncmp((char *)buf,\"GIF\",3) != 0) {\n\t\treturn 0;\n\t}\n\n\tif (memcmp((char *)buf+3, \"87a\", 3) == 0) {\n\t\tgif87a = 1;\n\t} else if (memcmp((char *)buf+3, \"89a\", 3) == 0) {\n\t\tgif87a = 0;\n\t} else {\n\t\treturn 0;\n\t}\n\n\tif (! 
ReadOK(fd,buf,7)) {\n\t\treturn 0;\n\t}\n\n\tBitPixel = 2<<(buf[4]&0x07);\n#if 0\n\tColorResolution = (int) (((buf[4]&0x70)>>3)+1);\n\tBackground = buf[5];\n\tAspectRatio = buf[6];\n#endif\n\tscreen_width = imw = LM_to_uint(buf[0],buf[1]);\n\tscreen_height = imh = LM_to_uint(buf[2],buf[3]);\n\n\thaveGlobalColormap = BitSet(buf[4], LOCALCOLORMAP); /* Global Colormap */\n\tif (haveGlobalColormap) {\n\t\tif (ReadColorMap(fd, BitPixel, ColorMap)) {\n\t\t\treturn 0;\n\t\t}\n\t}\n\n\tfor (;;) {\n\t\tint top, left;\n\t\tint width, height;\n\n\t\tif (! ReadOK(fd,&c,1)) {\n\t\t\treturn 0;\n\t\t}\n\t\tif (c == ';') { /* GIF terminator */\n\t\t\tgoto terminated;\n\t\t}\n\n\t\tif (c == '!') { /* Extension */\n\t\t\tif (! ReadOK(fd,&c,1)) {\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tDoExtension(fd, c, &Transparent, &ZeroDataBlock);\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (c != ',') { /* Not a valid start character */\n\t\t\tcontinue;\n\t\t}\n\n\t\t/*1.4//++imageCount; */\n\n\t\tif (! ReadOK(fd,buf,9)) {\n\t\t\treturn 0;\n\t\t}\n\n\t\tuseGlobalColormap = ! 
BitSet(buf[8], LOCALCOLORMAP);\n\n\t\tbitPixel = 1<<((buf[8]&0x07)+1);\n\t\tleft = LM_to_uint(buf[0], buf[1]);\n\t\ttop = LM_to_uint(buf[2], buf[3]);\n\t\twidth = LM_to_uint(buf[4], buf[5]);\n\t\theight = LM_to_uint(buf[6], buf[7]);\n\n\t\tif (left + width > screen_width || top + height > screen_height) {\n\t\t\tif (VERBOSE) {\n\t\t\t\tprintf(\"Frame is not confined to screen dimension.\\n\");\n\t\t\t}\n\t\t\treturn 0;\n\t\t}\n\n\t\tif (!(im = gdImageCreate(width, height))) {\n\t\t\treturn 0;\n\t\t}\n\t\tim->interlace = BitSet(buf[8], INTERLACE);\n\t\tif (!useGlobalColormap) {\n\t\t\tif (ReadColorMap(fd, bitPixel, localColorMap)) { \n\t\t\t\tgdImageDestroy(im);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tReadImage(im, fd, width, height, localColorMap, \n\t\t\t\t\tBitSet(buf[8], INTERLACE), &ZeroDataBlock);\n\t\t} else {\n\t\t\tif (!haveGlobalColormap) {\n\t\t\t\tgdImageDestroy(im);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tReadImage(im, fd, width, height,\n\t\t\t\t\t\tColorMap, \n\t\t\t\t\t\tBitSet(buf[8], INTERLACE), &ZeroDataBlock);\n\t\t}\n\t\tif (Transparent != (-1)) {\n\t\t\tgdImageColorTransparent(im, Transparent);\n\t\t}\n\t\tgoto terminated;\n\t}\n\nterminated:\n\t/* Terminator before any image was declared! 
*/\n\tif (!im) {\n\t\treturn 0;\n\t}\n\tif (!im->colorsTotal) {\n\t\tgdImageDestroy(im);\n\t\treturn 0;\n\t}\n\t/* Check for open colors at the end, so\n\t we can reduce colorsTotal and ultimately\n\t BitsPerPixel */\n\tfor (i=((im->colorsTotal-1)); (i>=0); i--) {\n\t\tif (im->open[i]) {\n\t\t\tim->colorsTotal--;\n\t\t} else {\n\t\t\tbreak;\n\t\t}\n\t}\n\treturn im;\n}", "project": "php-src", "hash": 101555333886468920205088379346708806099, "size": 150, "commit_id": "8dc4f4dc9e44d1cbfe4654aa6e0dc27c94913938", "message": "Fix #74435: Buffer over-read into uninitialized memory\n\nThe stack allocated color map buffers were not zeroed before usage, and\nso undefined palette indexes could cause information leakage.", "target": 1, "dataset": "other", "idx": 205750 }, { "func": "SYSCALL_DEFINE3(set_mempolicy, int, mode, const unsigned long __user *, nmask,\n\t\tunsigned long, maxnode)\n{\n\treturn kernel_set_mempolicy(mode, nmask, maxnode);\n}", "project": "linux", "hash": 48034079206645473232348603168247082470, "size": 5, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366782 }, { "func": "static long kernel_set_mempolicy(int mode, const unsigned long __user *nmask,\n\t\t\t\t unsigned long maxnode)\n{\n\tint err;\n\tnodemask_t nodes;\n\tunsigned short flags;\n\n\tflags = mode & MPOL_MODE_FLAGS;\n\tmode &= ~MPOL_MODE_FLAGS;\n\tif ((unsigned int)mode >= MPOL_MAX)\n\t\treturn -EINVAL;\n\tif ((flags & MPOL_F_STATIC_NODES) && (flags & MPOL_F_RELATIVE_NODES))\n\t\treturn -EINVAL;\n\terr = get_nodes(&nodes, nmask, maxnode);\n\tif (err)\n\t\treturn err;\n\treturn do_set_mempolicy(mode, flags, &nodes);\n}", "project": "linux", "hash": 44210456202505631718562328730185181701, "size": 18, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366800 }, { "func": "static void nfs_resync_open_stateid_locked(struct nfs4_state *state)\n{\n\tif (!(state->n_wronly || state->n_rdonly || state->n_rdwr))\n\t\treturn;\n\tif (state->n_wronly)\n\t\tset_bit(NFS_O_WRONLY_STATE, &state->flags);\n\tif (state->n_rdonly)\n\t\tset_bit(NFS_O_RDONLY_STATE, &state->flags);\n\tif (state->n_rdwr)\n\t\tset_bit(NFS_O_RDWR_STATE, &state->flags);\n\tset_bit(NFS_OPEN_STATE, &state->flags);\n}", "project": "linux", "hash": 81678516616556996553515822346367446243, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431162 }, { "func": "static void start_discovery(struct hci_dev *hdev, u8 *status)\n{\n\tunsigned long timeout;\n\n\tbt_dev_dbg(hdev, \"type %u\", hdev->discovery.type);\n\n\tswitch (hdev->discovery.type) {\n\tcase DISCOV_TYPE_BREDR:\n\t\tif (!hci_dev_test_flag(hdev, HCI_INQUIRY))\n\t\t\thci_req_sync(hdev, 
bredr_inquiry,\n\t\t\t\t DISCOV_BREDR_INQUIRY_LEN, HCI_CMD_TIMEOUT,\n\t\t\t\t status);\n\t\treturn;\n\tcase DISCOV_TYPE_INTERLEAVED:\n\t\t/* When running simultaneous discovery, the LE scanning time\n\t\t * should occupy the whole discovery time sine BR/EDR inquiry\n\t\t * and LE scanning are scheduled by the controller.\n\t\t *\n\t\t * For interleaving discovery in comparison, BR/EDR inquiry\n\t\t * and LE scanning are done sequentially with separate\n\t\t * timeouts.\n\t\t */\n\t\tif (test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY,\n\t\t\t &hdev->quirks)) {\n\t\t\ttimeout = msecs_to_jiffies(DISCOV_LE_TIMEOUT);\n\t\t\t/* During simultaneous discovery, we double LE scan\n\t\t\t * interval. We must leave some time for the controller\n\t\t\t * to do BR/EDR inquiry.\n\t\t\t */\n\t\t\thci_req_sync(hdev, interleaved_discov,\n\t\t\t\t hdev->le_scan_int_discovery * 2, HCI_CMD_TIMEOUT,\n\t\t\t\t status);\n\t\t\tbreak;\n\t\t}\n\n\t\ttimeout = msecs_to_jiffies(hdev->discov_interleaved_timeout);\n\t\thci_req_sync(hdev, active_scan, hdev->le_scan_int_discovery,\n\t\t\t HCI_CMD_TIMEOUT, status);\n\t\tbreak;\n\tcase DISCOV_TYPE_LE:\n\t\ttimeout = msecs_to_jiffies(DISCOV_LE_TIMEOUT);\n\t\thci_req_sync(hdev, active_scan, hdev->le_scan_int_discovery,\n\t\t\t HCI_CMD_TIMEOUT, status);\n\t\tbreak;\n\tdefault:\n\t\t*status = HCI_ERROR_UNSPECIFIED;\n\t\treturn;\n\t}\n\n\tif (*status)\n\t\treturn;\n\n\tbt_dev_dbg(hdev, \"timeout %u ms\", jiffies_to_msecs(timeout));\n\n\t/* When service discovery is used and the controller has a\n\t * strict duplicate filter, it is important to remember the\n\t * start and duration of the scan. 
This is required for\n\t * restarting scanning during the discovery phase.\n\t */\n\tif (test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks) &&\n\t\t hdev->discovery.result_filtering) {\n\t\thdev->discovery.scan_start = jiffies;\n\t\thdev->discovery.scan_duration = timeout;\n\t}\n\n\tqueue_delayed_work(hdev->req_workqueue, &hdev->le_scan_disable,\n\t\t\t timeout);\n}", "project": "linux", "hash": 31824289771215003617005460079659014089, "size": 68, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402553 }, { "func": "static void set_fs_factor(int max) {\n\tint f, fac = 1, n = dpy_y;\n\n\tfs_factor = 0;\n\tif ((bpp/8) * dpy_x * dpy_y <= max) {\n\t\tfs_factor = 1;\n\t\treturn;\n\t}\n\tfor (f=2; f <= 101; f++) {\n\t\twhile (n % f == 0) {\n\t\t\tn = n / f;\n\t\t\tfac = fac * f;\n\t\t\tif ( (bpp/8) * dpy_x * (dpy_y/fac) <= max ) {\n\t\t\t\tfs_factor = fac;\n\t\t\t\treturn;\n\t\t\t}\n\t\t}\n\t}\n}", "project": "x11vnc", "hash": 120175476029459504493934471135043231195, "size": 19, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360761 }, { "func": "static u64 nested_svm_get_tdp_pdptr(struct kvm_vcpu *vcpu, int index)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tu64 cr3 = svm->nested.ctl.nested_cr3;\n\tu64 pdpte;\n\tint ret;\n\n\tret = kvm_vcpu_read_guest_page(vcpu, gpa_to_gfn(__sme_clr(cr3)), &pdpte,\n\t\t\t\t offset_in_page(cr3) + index * 8, 8);\n\tif (ret)\n\t\treturn 0;\n\treturn pdpte;\n}", "project": "linux", "hash": 19850077179079108019479794126731135604, "size": 13, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. 
Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376654 }, { "func": "static u64 nested_svm_get_tdp_pdptr(struct kvm_vcpu *vcpu, int index)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tu64 cr3 = svm->nested.nested_cr3;\n\tu64 pdpte;\n\tint ret;\n\n\tret = kvm_vcpu_read_guest_page(vcpu, gpa_to_gfn(__sme_clr(cr3)), &pdpte,\n\t\t\t\t offset_in_page(cr3) + index * 8, 8);\n\tif (ret)\n\t\treturn 0;\n\treturn pdpte;\n}", "project": "linux", "hash": 242272122133598138577360622820161857995, "size": 13, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432624 }, { "func": "static u64 nested_svm_get_tdp_pdptr(struct kvm_vcpu *vcpu, int index)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tu64 cr3 = svm->nested.nested_cr3;\n\tu64 pdpte;\n\tint ret;\n\n\tret = kvm_read_guest_page(vcpu->kvm, gpa_to_gfn(cr3), &pdpte,\n\t\t\t\t offset_in_page(cr3) + index * 8, 8);\n\tif (ret)\n\t\treturn 0;\n\treturn pdpte;\n}", "project": "kvm", "hash": 111208703219377579795160919620508969924, "size": 13, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. 
The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437548 }, { "func": " Field *make_num_distinct_aggregator_field(MEM_ROOT *mem_root,\n const Item *item) const\n {\n return type_handler()->make_num_distinct_aggregator_field(mem_root, this);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 93073855095878864164953788238619468323, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509200 }, { "func": "unsigned int full_name_hash(const void *salt, const char *name, unsigned int len)\n{\n\tunsigned long a, x = 0, y = (unsigned long)salt;\n\n\tfor (;;) {\n\t\tif (!len)\n\t\t\tgoto done;\n\t\ta = load_unaligned_zeropad(name);\n\t\tif (len < sizeof(unsigned long))\n\t\t\tbreak;\n\t\tHASH_MIX(x, y, a);\n\t\tname += sizeof(unsigned long);\n\t\tlen -= sizeof(unsigned long);\n\t}\n\tx ^= a & bytemask_from_count(len);\ndone:\n\treturn fold_hash(x, y);\n}", "project": "linux", "hash": 264670650062234893554003019196813989165, "size": 18, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295417 }, { "func": "unsigned int full_name_hash(const void *salt, const char *name, unsigned int len)\n{\n\tunsigned long hash = init_name_hash(salt);\n\twhile (len--)\n\t\thash = partial_name_hash((unsigned char)*name++, hash);\n\treturn end_name_hash(hash);\n}", "project": "linux", "hash": 325076227045855098463376198413001158875, "size": 7, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295444 }, { "func": "static int sctp_connect_add_peer(struct sctp_association *asoc,\n\t\t\t\t union sctp_addr *daddr, int addr_len)\n{\n\tstruct sctp_endpoint 
*ep = asoc->ep;\n\tstruct sctp_association *old;\n\tstruct sctp_transport *t;\n\tint err;\n\n\terr = sctp_verify_addr(ep->base.sk, daddr, addr_len);\n\tif (err)\n\t\treturn err;\n\n\told = sctp_endpoint_lookup_assoc(ep, daddr, &t);\n\tif (old && old != asoc)\n\t\treturn old->state >= SCTP_STATE_ESTABLISHED ? -EISCONN\n\t\t\t\t\t\t\t : -EALREADY;\n\n\tif (sctp_endpoint_is_peeled_off(ep, daddr))\n\t\treturn -EADDRNOTAVAIL;\n\n\tt = sctp_assoc_add_peer(asoc, daddr, GFP_KERNEL, SCTP_UNKNOWN);\n\tif (!t)\n\t\treturn -ENOMEM;\n\n\treturn 0;\n}", "project": "linux", "hash": 320426487121641131792364675269226684873, "size": 26, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398202 }, { "func": " */\nstatic int io_timeout_remove(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_timeout_rem *tr = &req->timeout_rem;\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tint ret;\n\n\tspin_lock_irq(&ctx->completion_lock);\n\tif (!(req->timeout_rem.flags & IORING_TIMEOUT_UPDATE))\n\t\tret = io_timeout_cancel(ctx, tr->addr);\n\telse\n\t\tret = io_timeout_update(ctx, tr->addr, &tr->ts,\n\t\t\t\t\tio_translate_timeout_mode(tr->flags));\n\n\tio_cqring_fill_event(ctx, req->user_data, ret, 0);\n\tio_commit_cqring(ctx);\n\tspin_unlock_irq(&ctx->completion_lock);\n\tio_cqring_ev_posted(ctx);\n\tif (ret < 0)\n\t\treq_set_fail_links(req);\n\tio_put_req(req);\n\treturn 0;", "project": "linux", "hash": 276101292388873985075978698218022348136, "size": 22, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338563 }, { "func": "static int oidc_handle_session_management_iframe_op(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session, const char *check_session_iframe) {\n\toidc_debug(r, \"enter\");\n\toidc_util_hdr_out_location_set(r, check_session_iframe);\n\treturn HTTP_MOVED_TEMPORARILY;\n}", "project": "mod_auth_openidc", "hash": 251724903950435812476961811398519221822, "size": 6, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381934 }, { "func": "static void nfs4_xdr_enc_write(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t const void *data)\n{\n\tconst struct nfs_pgio_args *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_write(xdr, args, &hdr);\n\treq->rq_snd_buf.flags |= XDRBUF_WRITE;\n\tif (args->bitmask)\n\t\tencode_getfattr(xdr, args->bitmask, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 7198945113821506200150912341429789259, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": 
"nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431337 }, { "func": "static inline void stgi(void)\n{\n\tasm volatile (__ex(\"stgi\"));\n}", "project": "linux", "hash": 308945508913104304918616447727078003584, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432558 }, { "func": "static inline void stgi(void)\n{\n\tasm volatile (__ex(SVM_STGI));\n}", "project": "kvm", "hash": 251884577382026422503412194278689625136, "size": 4, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437545 }, { "func": "static int grep_file(struct grep_opt *opt, const char *filename)\n{\n\tstruct stat st;\n\tint i;\n\tchar *data;\n\tsize_t sz;\n\n\tif (lstat(filename, &st) < 0) {\n\terr_ret:\n\t\tif (errno != ENOENT)\n\t\t\terror(\"'%s': %s\", filename, strerror(errno));\n\t\treturn 0;\n\t}\n\tif (!st.st_size)\n\t\treturn 0; /* empty file -- no grep hit */\n\tif (!S_ISREG(st.st_mode))\n\t\treturn 0;\n\tsz = xsize_t(st.st_size);\n\ti = open(filename, O_RDONLY);\n\tif (i < 0)\n\t\tgoto err_ret;\n\tdata = xmalloc(sz + 1);\n\tif (st.st_size != read_in_full(i, data, sz)) {\n\t\terror(\"'%s': short read %s\", filename, strerror(errno));\n\t\tclose(i);\n\t\tfree(data);\n\t\treturn 0;\n\t}\n\tclose(i);\n\tif (opt->relative && opt->prefix_length)\n\t\tfilename += 
opt->prefix_length;\n\ti = grep_buffer(opt, filename, data, sz);\n\tfree(data);\n\treturn i;\n}", "project": "git", "hash": 294513509190234181962848035130136997941, "size": 35, "commit_id": "620e2bb93785ed8eb60846d94fd4753d4817c8ec", "message": "Fix buffer overflow in git-grep\n\nIf PATH_MAX on your system is smaller than any path stored in the git\nrepository, that can cause memory corruption inside of the grep_tree\nfunction used by git-grep.\n\nSigned-off-by: Dmitry Potapov \nSigned-off-by: Junio C Hamano ", "target": 0, "dataset": "other", "idx": 446052 }, { "func": "static int run_arm_filter(struct rar5* rar, struct filter_info* flt) {\n\tssize_t i = 0;\n\tuint32_t offset;\n\n\tcircular_memcpy(rar->cstate.filtered_buf,\n\t rar->cstate.window_buf, rar->cstate.window_mask,\n\t rar->cstate.solid_offset + flt->block_start,\n\t rar->cstate.solid_offset + flt->block_start + flt->block_length);\n\n\tfor(i = 0; i < flt->block_length - 3; i += 4) {\n\t\tuint8_t* b = &rar->cstate.window_buf[\n\t\t (rar->cstate.solid_offset +\n\t\t flt->block_start + i + 3) & rar->cstate.window_mask];\n\n\t\tif(*b == 0xEB) {\n\t\t\t/* 0xEB = ARM's BL (branch + link) instruction. */\n\t\t\toffset = read_filter_data(rar,\n\t\t\t (rar->cstate.solid_offset + flt->block_start + i) &\n\t\t\t rar->cstate.window_mask) & 0x00ffffff;\n\n\t\t\toffset -= (uint32_t) ((i + flt->block_start) / 4);\n\t\t\toffset = (offset & 0x00ffffff) | 0xeb000000;\n\t\t\twrite_filter_data(rar, (uint32_t)i, offset);\n\t\t}\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 176561754585652277322635708347828073079, "size": 28, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244817 }, { "func": "static bool kvm_hv_is_syndbg_enabled(struct kvm_vcpu *vcpu)\n{\n\tstruct kvm_cpuid_entry2 *entry;\n\n\tentry = kvm_find_cpuid_entry(vcpu,\n\t\t\t\t HYPERV_CPUID_SYNDBG_PLATFORM_CAPABILITIES,\n\t\t\t\t 0);\n\tif (!entry)\n\t\treturn false;\n\n\treturn entry->eax & HV_X64_SYNDBG_CAP_ALLOW_KERNEL_DEBUGGING;\n}", "project": "linux", "hash": 72763872609863748237891759899962387606, "size": 12, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. 
This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343473 }, { "func": "static bool __connect_unix(RSocket *s, const char *file) {\n\tstruct sockaddr_un addr;\n\tint sock = socket (PF_UNIX, SOCK_STREAM, 0);\n\tif (sock < 0) {\n\t\tfree (s);\n\t\treturn false;\n\t}\n\t// TODO: set socket options\n\taddr.sun_family = AF_UNIX;\n\tstrncpy (addr.sun_path, file, sizeof (addr.sun_path)-1);\n\n\tif (connect (sock, (struct sockaddr *)&addr, sizeof(addr))==-1) {\n\t\tclose (sock);\n\t\tfree (s);\n\t\treturn false;\n\t}\n\ts->fd = sock;\n\ts->is_ssl = false;\n\treturn true;\n}", "project": "radare2", "hash": 272310249672005791827843142495876206620, "size": 20, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269069 }, { "func": "static int synic_deliver_msg(struct kvm_vcpu_hv_synic *synic, u32 sint,\n\t\t\t struct hv_message *src_msg, bool no_retry)\n{\n\tstruct kvm_vcpu *vcpu = hv_synic_to_vcpu(synic);\n\tint msg_off = offsetof(struct hv_message_page, sint_message[sint]);\n\tgfn_t msg_page_gfn;\n\tstruct hv_message_header hv_hdr;\n\tint r;\n\n\tif (!(synic->msg_page & HV_SYNIC_SIMP_ENABLE))\n\t\treturn -ENOENT;\n\n\tmsg_page_gfn = synic->msg_page >> PAGE_SHIFT;\n\n\t/*\n\t * Strictly following the spec-mandated ordering would assume setting\n\t * .msg_pending before checking .message_type. 
However, this function\n\t * is only called in vcpu context so the entire update is atomic from\n\t * guest POV and thus the exact order here doesn't matter.\n\t */\n\tr = kvm_vcpu_read_guest_page(vcpu, msg_page_gfn, &hv_hdr.message_type,\n\t\t\t\t msg_off + offsetof(struct hv_message,\n\t\t\t\t\t\t\theader.message_type),\n\t\t\t\t sizeof(hv_hdr.message_type));\n\tif (r < 0)\n\t\treturn r;\n\n\tif (hv_hdr.message_type != HVMSG_NONE) {\n\t\tif (no_retry)\n\t\t\treturn 0;\n\n\t\thv_hdr.message_flags.msg_pending = 1;\n\t\tr = kvm_vcpu_write_guest_page(vcpu, msg_page_gfn,\n\t\t\t\t\t &hv_hdr.message_flags,\n\t\t\t\t\t msg_off +\n\t\t\t\t\t offsetof(struct hv_message,\n\t\t\t\t\t\t header.message_flags),\n\t\t\t\t\t sizeof(hv_hdr.message_flags));\n\t\tif (r < 0)\n\t\t\treturn r;\n\t\treturn -EAGAIN;\n\t}\n\n\tr = kvm_vcpu_write_guest_page(vcpu, msg_page_gfn, src_msg, msg_off,\n\t\t\t\t sizeof(src_msg->header) +\n\t\t\t\t src_msg->header.payload_size);\n\tif (r < 0)\n\t\treturn r;\n\n\tr = synic_set_irq(synic, sint);\n\tif (r < 0)\n\t\treturn r;\n\tif (r == 0)\n\t\treturn -EFAULT;\n\treturn 0;\n}", "project": "linux", "hash": 286044140416205928558623172055496545271, "size": 56, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n 
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343484 }, { "func": " Item_static_string_func(THD *thd, const char *name_par,\n const String *str,\n CHARSET_INFO *tocs, uint *conv_errors,\n Derivation dv, uint repertoire):\n Item_string(thd, str, tocs, conv_errors, dv, repertoire),\n func_name(name_par)\n {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 13910454458752348701112574537033444178, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. 
This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508991 }, { "func": " Item_static_float_func(THD *thd, const char *str, double val_arg,\n uint decimal_par, uint length):\n Item_float(thd, NullS, val_arg, decimal_par, length), func_name(str)\n {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 247217554743831786400083595377631937460, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509043 }, { "func": " Item_static_string_func(THD *thd, const char *name_par, const char *str,\n uint length, CHARSET_INFO *cs,\n Derivation dv= DERIVATION_COERCIBLE):\n Item_string(thd, NullS, str, length, cs, dv), func_name(name_par)\n {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 254484583632382209400112667964970158516, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509329 }, { "func": "static int sctp_getsockopt_recvnxtinfo(struct sock *sk,\tint len,\n\t\t\t\t char __user *optval,\n\t\t\t\t int __user *optlen)\n{\n\tint val = 0;\n\n\tif (len < sizeof(int))\n\t\treturn -EINVAL;\n\n\tlen = sizeof(int);\n\tif (sctp_sk(sk)->recvnxtinfo)\n\t\tval = 1;\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\tif (copy_to_user(optval, &val, len))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 152563127257022055631498953456522864480, "size": 19, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398191 }, { "func": "static int nfs4_proc_lookup_common(struct rpc_clnt **clnt, struct inode *dir,\n\t\t\t\t struct dentry *dentry, struct nfs_fh *fhandle,\n\t\t\t\t struct nfs_fattr *fattr, struct nfs4_label *label)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tstruct rpc_clnt *client = *clnt;\n\tconst struct qstr *name = &dentry->d_name;\n\tint err;\n\tdo {\n\t\terr = _nfs4_proc_lookup(client, dir, dentry, fhandle, fattr, label);\n\t\ttrace_nfs4_lookup(dir, name, err);\n\t\tswitch (err) {\n\t\tcase -NFS4ERR_BADNAME:\n\t\t\terr = -ENOENT;\n\t\t\tgoto out;\n\t\tcase -NFS4ERR_MOVED:\n\t\t\terr = nfs4_get_referral(client, dir, name, fattr, fhandle);\n\t\t\tif (err == -NFS4ERR_MOVED)\n\t\t\t\terr = nfs4_handle_exception(NFS_SERVER(dir), err, &exception);\n\t\t\tgoto out;\n\t\tcase -NFS4ERR_WRONGSEC:\n\t\t\terr = -EPERM;\n\t\t\tif (client != *clnt)\n\t\t\t\tgoto out;\n\t\t\tclient = nfs4_negotiate_security(client, dir, name);\n\t\t\tif (IS_ERR(client))\n\t\t\t\treturn PTR_ERR(client);\n\n\t\t\texception.retry = 1;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\terr = nfs4_handle_exception(NFS_SERVER(dir), err, &exception);\n\t\t}\n\t} while (exception.retry);\n\nout:\n\tif (err == 0)\n\t\t*clnt = client;\n\telse if (client != *clnt)\n\t\trpc_shutdown_client(client);\n\n\treturn err;\n}", "project": "linux", "hash": 300207398683299602648533014818734348348, "size": 45, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431437 }, { "func": "static void power_pmu_start(struct 
perf_event *event, int ef_flags)\n{\n\tunsigned long flags;\n\ts64 left;\n\tunsigned long val;\n\n\tif (!event->hw.idx || !event->hw.sample_period)\n\t\treturn;\n\n\tif (!(event->hw.state & PERF_HES_STOPPED))\n\t\treturn;\n\n\tif (ef_flags & PERF_EF_RELOAD)\n\t\tWARN_ON_ONCE(!(event->hw.state & PERF_HES_UPTODATE));\n\n\tlocal_irq_save(flags);\n\tperf_pmu_disable(event->pmu);\n\n\tevent->hw.state = 0;\n\tleft = local64_read(&event->hw.period_left);\n\n\tval = 0;\n\tif (left < 0x80000000L)\n\t\tval = 0x80000000L - left;\n\n\twrite_pmc(event->hw.idx, val);\n\n\tperf_event_update_userpage(event);\n\tperf_pmu_enable(event->pmu);\n\tlocal_irq_restore(flags);\n}", "project": "linux", "hash": 265033013830661062341900298266703909546, "size": 31, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. 
If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374713 }, { "func": "static bool find_e_opts(RCore *core, RLineCompletion *completion, RLineBuffer *buf) {\n\tconst char *pattern = \"e (.*)=\";\n\tRRegex *rx = r_regex_new (pattern, \"e\");\n\tconst size_t nmatch = 2;\n\tRRegexMatch pmatch[2];\n\tbool ret = false;\n\n\t// required to get the new list of items to autocomplete for cmd.pdc at least\n\tr_core_config_update (core);\n\n\tif (r_regex_exec (rx, buf->data, nmatch, pmatch, 1)) {\n\t\tgoto out;\n\t}\n\tint i;\n\tchar *str = NULL, *sp;\n\tfor (i = pmatch[1].rm_so; i < pmatch[1].rm_eo; i++) {\n\t\tstr = r_str_appendch (str, buf->data[i]);\n\t}\n\tif (!str) {\n\t\tgoto out;\n\t}\n\tif ((sp = strchr (str, ' '))) {\n\t\t// if the name contains a space, just null\n\t\t*sp = 0;\n\t}\n\tRConfigNode *node = r_config_node_get (core->config, str);\n\tif (sp) {\n\t\t// if nulled, then restore.\n\t\t*sp = ' ';\n\t}\n\tif (!node) {\n\t\treturn false;\n\t}\n\tRListIter *iter;\n\tchar *option;\n\tchar *p = (char *) strchr (buf->data, '=');\n\tp = r_str_ichr (p + 1, ' ');\n\tint n = strlen (p);\n\tr_list_foreach (node->options, iter, option) {\n\t\tif (!strncmp (option, p, n)) {\n\t\t\tr_line_completion_push (completion, option);\n\t\t}\n\t}\n\tcompletion->opt = true;\n\tret = true;\n\n out:\n\tr_regex_free (rx);\n\treturn ret;\n}", "project": "radare2", "hash": 234835958009577608000632406462091731616, "size": 50, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - 
c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232189 }, { "func": "\nstatic int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,\n\t\t\t\t unsigned nr_args, u64 __user *tags)\n{\n\t__s32 __user *fds = (__s32 __user *) arg;\n\tstruct file *file;\n\tint fd, ret;\n\tunsigned i;\n\tstruct io_rsrc_data *file_data;\n\n\tif (ctx->file_data)\n\t\treturn -EBUSY;\n\tif (!nr_args)\n\t\treturn -EINVAL;\n\tif (nr_args > IORING_MAX_FIXED_FILES)\n\t\treturn -EMFILE;\n\tret = io_rsrc_node_switch_start(ctx);\n\tif (ret)\n\t\treturn ret;\n\n\tfile_data = io_rsrc_data_alloc(ctx, io_rsrc_file_put, nr_args);\n\tif (!file_data)\n\t\treturn -ENOMEM;\n\tctx->file_data = file_data;\n\tret = -ENOMEM;\n\tif (!io_alloc_file_tables(&ctx->file_table, nr_args))\n\t\tgoto out_free;\n\n\tfor (i = 0; i < nr_args; i++, ctx->nr_user_files++) {\n\t\tu64 tag = 0;\n\n\t\tif ((tags && copy_from_user(&tag, &tags[i], sizeof(tag))) ||\n\t\t copy_from_user(&fd, &fds[i], sizeof(fd))) {\n\t\t\tret = -EFAULT;\n\t\t\tgoto out_fput;\n\t\t}\n\t\t/* allow sparse sets */\n\t\tif (fd == -1) {\n\t\t\tret = -EINVAL;\n\t\t\tif (unlikely(tag))\n\t\t\t\tgoto out_fput;\n\t\t\tcontinue;\n\t\t}\n\n\t\tfile = fget(fd);\n\t\tret = -EBADF;\n\t\tif (unlikely(!file))\n\t\t\tgoto out_fput;\n\n\t\t/*\n\t\t * Don't allow io_uring instances to be registered. If UNIX\n\t\t * isn't enabled, then this causes a reference cycle and this\n\t\t * instance can never get freed. 
If UNIX is enabled we'll\n\t\t * handle it just fine, but there's still no point in allowing\n\t\t * a ring fd as it doesn't support regular read/write anyway.\n\t\t */\n\t\tif (file->f_op == &io_uring_fops) {\n\t\t\tfput(file);\n\t\t\tgoto out_fput;\n\t\t}\n\t\tctx->file_data->tags[i] = tag;\n\t\tio_fixed_file_set(io_fixed_file_slot(&ctx->file_table, i), file);\n\t}\n\n\tret = io_sqe_files_scm(ctx);\n\tif (ret) {\n\t\t__io_sqe_files_unregister(ctx);\n\t\treturn ret;\n\t}\n\n\tio_rsrc_node_switch(ctx, NULL);\n\treturn ret;\nout_fput:\n\tfor (i = 0; i < ctx->nr_user_files; i++) {\n\t\tfile = io_file_from_index(ctx, i);\n\t\tif (file)\n\t\t\tfput(file);\n\t}\n\tio_free_file_tables(&ctx->file_table, nr_args);\n\tctx->nr_user_files = 0;\nout_free:\n\tio_rsrc_data_free(ctx->file_data);\n\tctx->file_data = NULL;\n\treturn ret;", "project": "linux", "hash": 27730019408736257014743417428302924459, "size": 84, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338522 }, { "func": "int dccp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,\n\t\t size_t len)\n{\n\tconst struct dccp_sock *dp = dccp_sk(sk);\n\tconst int flags = msg->msg_flags;\n\tconst int noblock = flags & MSG_DONTWAIT;\n\tstruct sk_buff *skb;\n\tint rc, size;\n\tlong timeo;\n\n\tif (len > dp->dccps_mss_cache)\n\t\treturn -EMSGSIZE;\n\n\tlock_sock(sk);\n\n\tif (sysctl_dccp_tx_qlen &&\n\t (sk->sk_write_queue.qlen >= sysctl_dccp_tx_qlen)) {\n\t\trc = -EAGAIN;\n\t\tgoto out_release;\n\t}\n\n\ttimeo = sock_sndtimeo(sk, noblock);\n\n\t/*\n\t * We have to use sk_stream_wait_connect here to set sk_write_pending,\n\t * so that the trick in dccp_rcv_request_sent_state_process.\n\t */\n\t/* Wait for a connection to finish. */\n\tif ((1 << sk->sk_state) & ~(DCCPF_OPEN | DCCPF_PARTOPEN))\n\t\tif ((rc = sk_stream_wait_connect(sk, &timeo)) != 0)\n\t\t\tgoto out_release;\n\n\tsize = sk->sk_prot->max_header + len;\n\trelease_sock(sk);\n\tskb = sock_alloc_send_skb(sk, size, noblock, &rc);\n\tlock_sock(sk);\n\tif (skb == NULL)\n\t\tgoto out_release;\n\n\tskb_reserve(skb, sk->sk_prot->max_header);\n\trc = memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len);\n\tif (rc != 0)\n\t\tgoto out_discard;\n\n\tskb_queue_tail(&sk->sk_write_queue, skb);\n\tdccp_write_xmit(sk,0);\nout_release:\n\trelease_sock(sk);\n\treturn rc ? 
: len;\nout_discard:\n\tkfree_skb(skb);\n\tgoto out_release;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "3e8a0a559c66ee9e7468195691a56fefc3589740", "hash": 46835554393615334542366614312835775372, "size": 53, "message": "dccp: change L/R must have at least one byte in the dccpsf_val field\n \nThanks to Eugene Teo for reporting this problem.\n \nSigned-off-by: Eugene Teo \nSigned-off-by: Arnaldo Carvalho de Melo \nSigned-off-by: Gerrit Renker \nSigned-off-by: David S. Miller ", "dataset": "other", "idx": 488800 }, { "func": "void option_error(void)\n{\n\tif (!err_buf[0]) {\n\t\tstrlcpy(err_buf, \"Error parsing options: option may \"\n\t\t\t\"be supported on client but not on server?\\n\",\n\t\t\tsizeof err_buf);\n\t}\n\n\trprintf(FERROR, RSYNC_NAME \": %s\", err_buf);\n\tmsleep(20);\n}", "project": "rsync", "hash": 122557421019850413002837220976421186544, "size": 11, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. 
This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364671 }, { "func": "static int handle_lookup_down(struct nameidata *nd)\n{\n\tstruct path path = nd->path;\n\tstruct inode *inode = nd->inode;\n\tunsigned seq = nd->seq;\n\tint err;\n\n\tif (nd->flags & LOOKUP_RCU) {\n\t\t/*\n\t\t * don't bother with unlazy_walk on failure - we are\n\t\t * at the very beginning of walk, so we lose nothing\n\t\t * if we simply redo everything in non-RCU mode\n\t\t */\n\t\tif (unlikely(!__follow_mount_rcu(nd, &path, &inode, &seq)))\n\t\t\treturn -ECHILD;\n\t} else {\n\t\tdget(path.dentry);\n\t\terr = follow_managed(&path, nd);\n\t\tif (unlikely(err < 0))\n\t\t\treturn err;\n\t\tinode = d_backing_inode(path.dentry);\n\t\tseq = 0;\n\t}\n\tpath_to_nameidata(&path, nd);\n\tnd->inode = inode;\n\tnd->seq = seq;\n\treturn 0;\n}", "project": "linux", "hash": 294184030683203629342307403105062158529, "size": 28, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295445 }, { "func": "UnicodeStringAppendable::appendCodePoint(UChar32 c) {\n UChar buffer[U16_MAX_LENGTH];\n int32_t cLength = 0;\n UBool isError = FALSE;\n U16_APPEND(buffer, cLength, U16_MAX_LENGTH, c, isError);\n return !isError && str.doAppend(buffer, 0, cLength).isWritable();\n}", "project": "icu", "hash": 56613368358335019403467234800216011758, "size": 7, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430787 }, { "func": "my_bool _mariadb_set_conf_option(MYSQL *mysql, const char 
*config_option, const char *config_value)\n{\n if (config_option)\n {\n int i;\n char *c;\n \n /* CONC-395: replace underscore \"_\" by dash \"-\" */\n while ((c= strchr(config_option, '_')))\n *c= '-';\n\n for (i=0; mariadb_defaults[i].conf_key; i++)\n {\n if (!strcmp(mariadb_defaults[i].conf_key, config_option))\n {\n my_bool val_bool;\n int val_int;\n size_t val_sizet;\n int rc;\n void *option_val= NULL;\n switch (mariadb_defaults[i].type) {\n case MARIADB_OPTION_BOOL:\n val_bool= 0;\n if (config_value)\n val_bool= atoi(config_value);\n option_val= &val_bool;\n break;\n case MARIADB_OPTION_INT:\n val_int= 0;\n if (config_value)\n val_int= atoi(config_value);\n option_val= &val_int;\n break;\n case MARIADB_OPTION_SIZET:\n val_sizet= 0;\n if (config_value)\n val_sizet= strtol(config_value, NULL, 10);\n option_val= &val_sizet;\n break;\n case MARIADB_OPTION_STR:\n option_val= (void*)config_value;\n break;\n case MARIADB_OPTION_NONE:\n break;\n }\n rc= mysql_optionsv(mysql, mariadb_defaults[i].option, option_val);\n return(test(rc));\n }\n }\n }\n /* unknown key */\n return 1;\n}", "project": "mariadb-connector-c", "hash": 3173202401855878679387267938109439424, "size": 53, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429640 }, { "func": "\nstatic int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req,\n\t\t\t const struct io_uring_sqe *sqe)\n{\n\tstruct io_submit_link *link = &ctx->submit_state.link;\n\tint ret;\n\n\tret = io_init_req(ctx, req, sqe);\n\tif (unlikely(ret)) {\nfail_req:\n\t\tif (link->head) {\n\t\t\t/* fail even hard links since we don't submit */\n\t\t\tlink->head->flags |= REQ_F_FAIL_LINK;\n\t\t\tio_req_complete_failed(link->head, -ECANCELED);\n\t\t\tlink->head = NULL;\n\t\t}\n\t\tio_req_complete_failed(req, ret);\n\t\treturn ret;\n\t}\n\tret = io_req_prep(req, 
sqe);\n\tif (unlikely(ret))\n\t\tgoto fail_req;\n\n\t/* don't need @sqe from now on */\n\ttrace_io_uring_submit_sqe(ctx, req->opcode, req->user_data,\n\t\t\t\ttrue, ctx->flags & IORING_SETUP_SQPOLL);\n\n\t/*\n\t * If we already have a head request, queue this one for async\n\t * submittal once the head completes. If we don't have a head but\n\t * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be\n\t * submitted sync once the chain is complete. If none of those\n\t * conditions are true (normal request), then just queue it.\n\t */\n\tif (link->head) {\n\t\tstruct io_kiocb *head = link->head;\n\n\t\t/*\n\t\t * Taking sequential execution of a link, draining both sides\n\t\t * of the link also fullfils IOSQE_IO_DRAIN semantics for all\n\t\t * requests in the link. So, it drains the head and the\n\t\t * next after the link request. The last one is done via\n\t\t * drain_next flag to persist the effect across calls.\n\t\t */\n\t\tif (req->flags & REQ_F_IO_DRAIN) {\n\t\t\thead->flags |= REQ_F_IO_DRAIN;\n\t\t\tctx->drain_next = 1;\n\t\t}\n\t\tret = io_req_prep_async(req);\n\t\tif (unlikely(ret))\n\t\t\tgoto fail_req;\n\t\ttrace_io_uring_link(ctx, req, head);\n\t\tlink->last->link = req;\n\t\tlink->last = req;\n\n\t\t/* last request of a link, enqueue the link */\n\t\tif (!(req->flags & (REQ_F_LINK | REQ_F_HARDLINK))) {\n\t\t\tio_queue_sqe(head);\n\t\t\tlink->head = NULL;\n\t\t}\n\t} else {\n\t\tif (unlikely(ctx->drain_next)) {\n\t\t\treq->flags |= REQ_F_IO_DRAIN;\n\t\t\tctx->drain_next = 0;\n\t\t}\n\t\tif (req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) {\n\t\t\tlink->head = req;\n\t\t\tlink->last = req;\n\t\t} else {\n\t\t\tio_queue_sqe(req);\n\t\t}\n\t}\n\n\treturn 0;", "project": "linux", "hash": 301032589699699418447514992893193113866, "size": 74, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338705 }, { "func": "static int io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,\n\t\t\t struct io_kiocb **link, struct io_comp_state *cs)\n{\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tint ret;\n\n\t/*\n\t * If we already have a head request, queue this one for async\n\t * submittal once the head completes. If we don't have a head but\n\t * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be\n\t * submitted sync once the chain is complete. If none of those\n\t * conditions are true (normal request), then just queue it.\n\t */\n\tif (*link) {\n\t\tstruct io_kiocb *head = *link;\n\n\t\t/*\n\t\t * Taking sequential execution of a link, draining both sides\n\t\t * of the link also fullfils IOSQE_IO_DRAIN semantics for all\n\t\t * requests in the link. So, it drains the head and the\n\t\t * next after the link request. 
The last one is done via\n\t\t * drain_next flag to persist the effect across calls.\n\t\t */\n\t\tif (req->flags & REQ_F_IO_DRAIN) {\n\t\t\thead->flags |= REQ_F_IO_DRAIN;\n\t\t\tctx->drain_next = 1;\n\t\t}\n\t\tret = io_req_defer_prep(req, sqe);\n\t\tif (unlikely(ret)) {\n\t\t\t/* fail even hard links since we don't submit */\n\t\t\thead->flags |= REQ_F_FAIL_LINK;\n\t\t\treturn ret;\n\t\t}\n\t\ttrace_io_uring_link(ctx, req, head);\n\t\tio_get_req_task(req);\n\t\tlist_add_tail(&req->link_list, &head->link_list);\n\n\t\t/* last request of a link, enqueue the link */\n\t\tif (!(req->flags & (REQ_F_LINK | REQ_F_HARDLINK))) {\n\t\t\tio_queue_link_head(head, cs);\n\t\t\t*link = NULL;\n\t\t}\n\t} else {\n\t\tif (unlikely(ctx->drain_next)) {\n\t\t\treq->flags |= REQ_F_IO_DRAIN;\n\t\t\tctx->drain_next = 0;\n\t\t}\n\t\tif (req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) {\n\t\t\treq->flags |= REQ_F_LINK_HEAD;\n\t\t\tINIT_LIST_HEAD(&req->link_list);\n\n\t\t\tret = io_req_defer_prep(req, sqe);\n\t\t\tif (unlikely(ret))\n\t\t\t\treq->flags |= REQ_F_FAIL_LINK;\n\t\t\t*link = req;\n\t\t} else {\n\t\t\tio_queue_sqe(req, sqe, cs);\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 27401411288435274733940724507501838365, "size": 62, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456909 }, { "func": "static int pathspec_matches(const char **paths, const char *name)\n{\n\tint namelen, i;\n\tif 
(!paths || !*paths)\n\t\treturn 1;\n\tnamelen = strlen(name);\n\tfor (i = 0; paths[i]; i++) {\n\t\tconst char *match = paths[i];\n\t\tint matchlen = strlen(match);\n\t\tconst char *cp, *meta;\n\n\t\tif (!matchlen ||\n\t\t ((matchlen <= namelen) &&\n\t\t !strncmp(name, match, matchlen) &&\n\t\t (match[matchlen-1] == '/' ||\n\t\t name[matchlen] == '\\0' || name[matchlen] == '/')))\n\t\t\treturn 1;\n\t\tif (!fnmatch(match, name, 0))\n\t\t\treturn 1;\n\t\tif (name[namelen-1] != '/')\n\t\t\tcontinue;\n\n\t\t/* We are being asked if the directory (\"name\") is worth\n\t\t * descending into.\n\t\t *\n\t\t * Find the longest leading directory name that does\n\t\t * not have metacharacter in the pathspec; the name\n\t\t * we are looking at must overlap with that directory.\n\t\t */\n\t\tfor (cp = match, meta = NULL; cp - match < matchlen; cp++) {\n\t\t\tchar ch = *cp;\n\t\t\tif (ch == '*' || ch == '[' || ch == '?') {\n\t\t\t\tmeta = cp;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (!meta)\n\t\t\tmeta = cp; /* fully literal */\n\n\t\tif (namelen <= meta - match) {\n\t\t\t/* Looking at \"Documentation/\" and\n\t\t\t * the pattern says \"Documentation/howto/\", or\n\t\t\t * \"Documentation/diff*.txt\". 
The name we\n\t\t\t * have should match prefix.\n\t\t\t */\n\t\t\tif (!memcmp(match, name, namelen))\n\t\t\t\treturn 1;\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (meta - match < namelen) {\n\t\t\t/* Looking at \"Documentation/howto/\" and\n\t\t\t * the pattern says \"Documentation/h*\";\n\t\t\t * match up to \"Do.../h\"; this avoids descending\n\t\t\t * into \"Documentation/technical/\".\n\t\t\t */\n\t\t\tif (!memcmp(match, name, meta - match))\n\t\t\t\treturn 1;\n\t\t\tcontinue;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "git", "hash": 314469880913230660882298170977288386672, "size": 63, "commit_id": "620e2bb93785ed8eb60846d94fd4753d4817c8ec", "message": "Fix buffer overflow in git-grep\n\nIf PATH_MAX on your system is smaller than any path stored in the git\nrepository, that can cause memory corruption inside of the grep_tree\nfunction used by git-grep.\n\nSigned-off-by: Dmitry Potapov \nSigned-off-by: Junio C Hamano ", "target": 0, "dataset": "other", "idx": 446045 }, { "func": "static inline void hash_data(const uint8_t *buf, size_t size) {\n sha3_Update(&keccak_ctx, buf, size);\n}", "project": "keepkey-firmware", "hash": 337522335853007929613082426041967195693, "size": 3, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220882 }, { "func": "void rfbIncrClientRef(rfbClientPtr cl) {}", "project": "libvncserver", "hash": 132818902769256995555568312575840182328, "size": 1, "commit_id": "673c07a75ed844d74676f3ccdcfdc706a7052dba", "message": "libvncserver/rfbserver: fix possible divide-by-zero\n\nCloses #409", "target": 0, "dataset": "other", "idx": 295851 }, { "func": "void rfbIncrClientRef(rfbClientPtr cl)\n{\n LOCK(cl->refCountMutex);\n cl->refCount++;\n UNLOCK(cl->refCountMutex);\n}", "project": "libvncserver", "hash": 47711196148291259086760023933536303591, "size": 6, "commit_id": "673c07a75ed844d74676f3ccdcfdc706a7052dba", "message": "libvncserver/rfbserver: fix possible divide-by-zero\n\nCloses 
#409", "target": 0, "dataset": "other", "idx": 295855 }, { "func": "static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\tstruct hci_cp_write_ssp_mode *sent;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);\n\tif (!sent)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tif (!status) {\n\t\tif (sent->mode)\n\t\t\thdev->features[1][0] |= LMP_HOST_SSP;\n\t\telse\n\t\t\thdev->features[1][0] &= ~LMP_HOST_SSP;\n\t}\n\n\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tmgmt_ssp_enable_complete(hdev, sent->mode, status);\n\telse if (!status) {\n\t\tif (sent->mode)\n\t\t\thci_dev_set_flag(hdev, HCI_SSP_ENABLED);\n\t\telse\n\t\t\thci_dev_clear_flag(hdev, HCI_SSP_ENABLED);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 278427985181823617265588890952771953282, "size": 31, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432033 }, { "func": "static int present_and_same_family(const struct sadb_address *src,\n\t\t\t\t const struct sadb_address *dst)\n{\n\tconst struct sockaddr *s_addr, *d_addr;\n\n\tif (!src || !dst)\n\t\treturn 0;\n\n\ts_addr = (const struct sockaddr *)(src + 1);\n\td_addr = (const struct sockaddr *)(dst + 1);\n\tif (s_addr->sa_family != d_addr->sa_family)\n\t\treturn 0;\n\tif (s_addr->sa_family != AF_INET\n#if IS_ENABLED(CONFIG_IPV6)\n\t && s_addr->sa_family != AF_INET6\n#endif\n\t\t)\n\t\treturn 0;\n\n\treturn 1;\n}", "project": "linux", "hash": 125796811694666321720368899010084700706, "size": 21, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268054 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::derefNode(AudioNode* node)\n{\n ASSERT(isGraphOwner());\n\n for (unsigned i = 0; i < m_referencedNodes.size(); ++i) {\n if (node == m_referencedNodes.at(i).get()) {\n node->breakConnection();\n m_referencedNodes.remove(i);\n break;\n }\n }\n}\n", "cwe": "", "big_vul_idx": 139652, "idx": 124802, "hash": 160212523541301535627710924842407475360 }, { "func": "static void flags_to_filters(const uint8_t flags, uint8_t* filters) {\n /* Initialize the filter pipeline */\n memset(filters, 0, BLOSC2_MAX_FILTERS);\n /* Fill the filter pipeline */\n if (flags & BLOSC_DOSHUFFLE)\n filters[BLOSC2_MAX_FILTERS - 1] = BLOSC_SHUFFLE;\n if (flags & BLOSC_DOBITSHUFFLE)\n filters[BLOSC2_MAX_FILTERS - 1] = BLOSC_BITSHUFFLE;\n if (flags & BLOSC_DODELTA)\n filters[BLOSC2_MAX_FILTERS - 2] = BLOSC_DELTA;\n}", "project": "c-blosc2", "hash": 263183344567651380621352925779465533876, "size": 11, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303125 }, { "func": "static void __init trace_eval_init(void)\n{\n\tint len;\n\n\tlen = __stop_ftrace_eval_maps - __start_ftrace_eval_maps;\n\ttrace_insert_eval_map(NULL, __start_ftrace_eval_maps, len);\n}", "project": "linux", "hash": 73410949751829195230076007267114562623, "size": 7, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is 
freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445654 }, { "func": "static void nfs4_close_done(struct rpc_task *task, void *data)\n{\n\tstruct nfs4_closedata *calldata = data;\n\tstruct nfs4_state *state = calldata->state;\n\tstruct nfs_server *server = NFS_SERVER(calldata->inode);\n\tnfs4_stateid *res_stateid = NULL;\n\tstruct nfs4_exception exception = {\n\t\t.state = state,\n\t\t.inode = calldata->inode,\n\t\t.stateid = &calldata->arg.stateid,\n\t};\n\n\tdprintk(\"%s: begin!\\n\", __func__);\n\tif (!nfs4_sequence_done(task, &calldata->res.seq_res))\n\t\treturn;\n\ttrace_nfs4_close(state, &calldata->arg, &calldata->res, task->tk_status);\n\n\t/* Handle Layoutreturn errors */\n\tif (pnfs_roc_done(task, calldata->inode,\n\t\t\t\t&calldata->arg.lr_args,\n\t\t\t\t&calldata->res.lr_res,\n\t\t\t\t&calldata->res.lr_ret) == -EAGAIN)\n\t\tgoto out_restart;\n\n\t/* hmm. we are done with the inode, and in the process of freeing\n\t * the state_owner. we keep this around to process errors\n\t */\n\tswitch (task->tk_status) {\n\t\tcase 0:\n\t\t\tres_stateid = &calldata->res.stateid;\n\t\t\trenew_lease(server, calldata->timestamp);\n\t\t\tbreak;\n\t\tcase -NFS4ERR_ACCESS:\n\t\t\tif (calldata->arg.bitmask != NULL) {\n\t\t\t\tcalldata->arg.bitmask = NULL;\n\t\t\t\tcalldata->res.fattr = NULL;\n\t\t\t\tgoto out_restart;\n\n\t\t\t}\n\t\t\tbreak;\n\t\tcase -NFS4ERR_OLD_STATEID:\n\t\t\t/* Did we race with OPEN? 
*/\n\t\t\tif (nfs4_refresh_open_old_stateid(&calldata->arg.stateid,\n\t\t\t\t\t\tstate))\n\t\t\t\tgoto out_restart;\n\t\t\tgoto out_release;\n\t\tcase -NFS4ERR_ADMIN_REVOKED:\n\t\tcase -NFS4ERR_STALE_STATEID:\n\t\tcase -NFS4ERR_EXPIRED:\n\t\t\tnfs4_free_revoked_stateid(server,\n\t\t\t\t\t&calldata->arg.stateid,\n\t\t\t\t\ttask->tk_msg.rpc_cred);\n\t\t\t/* Fallthrough */\n\t\tcase -NFS4ERR_BAD_STATEID:\n\t\t\tif (calldata->arg.fmode == 0)\n\t\t\t\tbreak;\n\t\t\t/* Fallthrough */\n\t\tdefault:\n\t\t\ttask->tk_status = nfs4_async_handle_exception(task,\n\t\t\t\t\tserver, task->tk_status, &exception);\n\t\t\tif (exception.retry)\n\t\t\t\tgoto out_restart;\n\t}\n\tnfs_clear_open_stateid(state, &calldata->arg.stateid,\n\t\t\tres_stateid, calldata->arg.fmode);\nout_release:\n\ttask->tk_status = 0;\n\tnfs_release_seqid(calldata->arg.seqid);\n\tnfs_refresh_inode(calldata->inode, &calldata->fattr);\n\tdprintk(\"%s: done, ret = %d!\\n\", __func__, task->tk_status);\n\treturn;\nout_restart:\n\ttask->tk_status = 0;\n\trpc_restart_call_prepare(task);\n\tgoto out_release;\n}", "project": "linux", "hash": 177509285540943795446501335900042261564, "size": 76, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431289 }, { "func": "static int dr_interception(struct vcpu_svm *svm)\n{\n\tint reg, dr;\n\tunsigned long val;\n\n\tif (svm->vcpu.guest_debug == 0) {\n\t\t/*\n\t\t * No more DR vmexits; force a reload of the debug registers\n\t\t * and reenter on this instruction. 
The next vmexit will\n\t\t * retrieve the full state of the debug registers.\n\t\t */\n\t\tclr_dr_intercepts(svm);\n\t\tsvm->vcpu.arch.switch_db_regs |= KVM_DEBUGREG_WONT_EXIT;\n\t\treturn 1;\n\t}\n\n\tif (!boot_cpu_has(X86_FEATURE_DECODEASSISTS))\n\t\treturn emulate_on_interception(svm);\n\n\treg = svm->vmcb->control.exit_info_1 & SVM_EXITINFO_REG_MASK;\n\tdr = svm->vmcb->control.exit_code - SVM_EXIT_READ_DR0;\n\n\tif (dr >= 16) { /* mov to DRn */\n\t\tif (!kvm_require_dr(&svm->vcpu, dr - 16))\n\t\t\treturn 1;\n\t\tval = kvm_register_read(&svm->vcpu, reg);\n\t\tkvm_set_dr(&svm->vcpu, dr - 16, val);\n\t} else {\n\t\tif (!kvm_require_dr(&svm->vcpu, dr))\n\t\t\treturn 1;\n\t\tkvm_get_dr(&svm->vcpu, dr, &val);\n\t\tkvm_register_write(&svm->vcpu, reg, val);\n\t}\n\n\treturn kvm_skip_emulated_instruction(&svm->vcpu);\n}", "project": "linux", "hash": 151472567997074616813684608259451851619, "size": 36, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432522 }, { "func": "static int dr_interception(struct vcpu_svm *svm)\n{\n\tint reg, dr;\n\tunsigned long val;\n\tint err;\n\n\tif (svm->vcpu.guest_debug == 0) {\n\t\t/*\n\t\t * No more DR vmexits; force a reload of the debug registers\n\t\t * and reenter on this instruction. 
The next vmexit will\n\t\t * retrieve the full state of the debug registers.\n\t\t */\n\t\tclr_dr_intercepts(svm);\n\t\tsvm->vcpu.arch.switch_db_regs |= KVM_DEBUGREG_WONT_EXIT;\n\t\treturn 1;\n\t}\n\n\tif (!boot_cpu_has(X86_FEATURE_DECODEASSISTS))\n\t\treturn emulate_on_interception(svm);\n\n\treg = svm->vmcb->control.exit_info_1 & SVM_EXITINFO_REG_MASK;\n\tdr = svm->vmcb->control.exit_code - SVM_EXIT_READ_DR0;\n\n\tif (dr >= 16) { /* mov to DRn */\n\t\tval = kvm_register_read(&svm->vcpu, reg);\n\t\tkvm_set_dr(&svm->vcpu, dr - 16, val);\n\t} else {\n\t\terr = kvm_get_dr(&svm->vcpu, dr, &val);\n\t\tif (!err)\n\t\t\tkvm_register_write(&svm->vcpu, reg, val);\n\t}\n\n\tskip_emulated_instruction(&svm->vcpu);\n\n\treturn 1;\n}", "project": "kvm", "hash": 3379329268840477858665253468636076137, "size": 36, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437658 }, { "func": "static ssize_t sst_prepare_other (const char* method,\n const char* sst_auth,\n const char* addr_in,\n const char** addr_out)\n{\n int const cmd_len= 4096;\n wsp::string cmd_str(cmd_len);\n\n if (!cmd_str())\n {\n WSREP_ERROR(\"sst_prepare_other(): could not allocate cmd buffer of %d bytes\",\n cmd_len);\n return -ENOMEM;\n }\n\n const char* binlog_opt= \"\";\n char* binlog_opt_val= NULL;\n\n int ret;\n if ((ret= generate_binlog_opt_val(&binlog_opt_val)))\n {\n WSREP_ERROR(\"sst_prepare_other(): generate_binlog_opt_val() failed: %d\",\n ret);\n return ret;\n }\n if (strlen(binlog_opt_val)) binlog_opt= WSREP_SST_OPT_BINLOG;\n\n ret= snprintf (cmd_str(), cmd_len,\n \"wsrep_sst_%s \"\n WSREP_SST_OPT_ROLE\" 'joiner' \"\n WSREP_SST_OPT_ADDR\" '%s' 
\"\n WSREP_SST_OPT_DATA\" '%s' \"\n WSREP_SST_OPT_CONF\" '%s' \"\n WSREP_SST_OPT_CONF_SUFFIX\" '%s' \"\n WSREP_SST_OPT_PARENT\" '%d'\"\n \" %s '%s' \",\n method, addr_in, mysql_real_data_home,\n wsrep_defaults_file, wsrep_defaults_group_suffix,\n (int)getpid(), binlog_opt, binlog_opt_val);\n my_free(binlog_opt_val);\n\n if (ret < 0 || ret >= cmd_len)\n {\n WSREP_ERROR(\"sst_prepare_other(): snprintf() failed: %d\", ret);\n return (ret < 0 ? ret : -EMSGSIZE);\n }\n\n wsp::env env(NULL);\n if (env.error())\n {\n WSREP_ERROR(\"sst_prepare_other(): env. var ctor failed: %d\", -env.error());\n return -env.error();\n }\n\n if ((ret= sst_append_auth_env(env, sst_auth)))\n {\n WSREP_ERROR(\"sst_prepare_other(): appending auth failed: %d\", ret);\n return ret;\n }\n\n pthread_t tmp;\n sst_thread_arg arg(cmd_str(), env());\n mysql_mutex_lock (&arg.lock);\n ret = pthread_create (&tmp, NULL, sst_joiner_thread, &arg);\n if (ret)\n {\n WSREP_ERROR(\"sst_prepare_other(): pthread_create() failed: %d (%s)\",\n ret, strerror(ret));\n return -ret;\n }\n mysql_cond_wait (&arg.cond, &arg.lock);\n\n *addr_out= arg.ret_str;\n\n if (!arg.err)\n ret = strlen(*addr_out);\n else\n {\n assert (arg.err < 0);\n ret = arg.err;\n }\n\n pthread_detach (tmp);\n\n return ret;\n}", "project": "mysql-wsrep", "hash": 403967401963846997103542399258118357, "size": 86, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454790 }, { "func": "static int io_interception(struct vcpu_svm *svm)\n{\n\tstruct kvm_vcpu *vcpu = &svm->vcpu;\n\tu32 io_info = svm->vmcb->control.exit_info_1; /* address size bug? 
*/\n\tint size, in, string;\n\tunsigned port;\n\n\t++svm->vcpu.stat.io_exits;\n\tstring = (io_info & SVM_IOIO_STR_MASK) != 0;\n\tin = (io_info & SVM_IOIO_TYPE_MASK) != 0;\n\tif (string)\n\t\treturn kvm_emulate_instruction(vcpu, 0);\n\n\tport = io_info >> 16;\n\tsize = (io_info & SVM_IOIO_SIZE_MASK) >> SVM_IOIO_SIZE_SHIFT;\n\tsvm->next_rip = svm->vmcb->control.exit_info_2;\n\n\treturn kvm_fast_pio(&svm->vcpu, size, port, in);\n}", "project": "linux", "hash": 51795547930477852916417711415968214590, "size": 19, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432619 }, { "func": "static int io_interception(struct vcpu_svm *svm)\n{\n\tstruct kvm_vcpu *vcpu = &svm->vcpu;\n\tu32 io_info = svm->vmcb->control.exit_info_1; /* address size bug? */\n\tint size, in, string;\n\tunsigned port;\n\n\t++svm->vcpu.stat.io_exits;\n\tstring = (io_info & SVM_IOIO_STR_MASK) != 0;\n\tin = (io_info & SVM_IOIO_TYPE_MASK) != 0;\n\tif (string || in)\n\t\treturn emulate_instruction(vcpu, 0) == EMULATE_DONE;\n\n\tport = io_info >> 16;\n\tsize = (io_info & SVM_IOIO_SIZE_MASK) >> SVM_IOIO_SIZE_SHIFT;\n\tsvm->next_rip = svm->vmcb->control.exit_info_2;\n\tskip_emulated_instruction(&svm->vcpu);\n\n\treturn kvm_fast_pio_out(vcpu, size, port);\n}", "project": "kvm", "hash": 106908631463765080524271198924123192156, "size": 20, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. 
The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437619 }, { "func": "bool ethereum_isThorchainTx(const EthereumSignTx *msg) {\n if (msg->has_to && msg->to.size == 20 &&\n memcmp(msg->data_initial_chunk.bytes,\n \"\\x1f\\xec\\xe7\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\", \n 16) == 0) {\n return true;\n }\n return false;\n}", "project": "keepkey-firmware", "hash": 295481234044306856922706061851453405260, "size": 9, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220893 }, { "func": "static void nfs4_xdr_enc_lockt(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t const void *data)\n{\n\tconst struct nfs_lockt_args *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_lockt(xdr, args, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 26716614381274596720375522784508960007, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: 
Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431564 }, { "func": "static int oidc_check_max_session_duration(request_rec *r, oidc_cfg *cfg,\n\t\toidc_session_t *session) {\n\n\t/* get the session expiry from the session data */\n\tapr_time_t session_expires = oidc_session_get_session_expires(r, session);\n\n\t/* check the expire timestamp against the current time */\n\tif (apr_time_now() > session_expires) {\n\t\toidc_warn(r, \"maximum session duration exceeded for user: %s\",\n\t\t\t\tsession->remote_user);\n\t\toidc_session_kill(r, session);\n\t\treturn oidc_handle_unauthenticated_user(r, cfg);\n\t}\n\n\t/* log message about max session duration */\n\toidc_log_session_expires(r, \"session max lifetime\", session_expires);\n\n\treturn OK;\n}", "project": "mod_auth_openidc", "hash": 29263162344681964154913330050401502873, "size": 19, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381909 }, { "func": "R_API void r_core_autocomplete_reload (RCore *core) {\n\tr_return_if_fail (core);\n\tr_core_autocomplete_free (core->autocomplete);\n\t__init_autocomplete (core);\n}", "project": "radare2", "hash": 76230802173017254942269121364976886357, "size": 5, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232184 }, { "func": "static void encode_nfs4_stateid(struct xdr_stream *xdr, const nfs4_stateid *stateid)\n{\n\tencode_opaque_fixed(xdr, stateid, NFS4_STATEID_SIZE);\n}", "project": "linux", "hash": 280499454307271640947522328561570823040, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before 
memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431177 }, { "func": "static int remove_dup_with_hash_index(THD *thd, TABLE *table,\n\t\t\t\t uint field_count,\n\t\t\t\t Field **first_field,\n\t\t\t\t ulong key_length,\n\t\t\t\t Item *having)\n{\n uchar *key_buffer, *key_pos, *record=table->record[0];\n int error;\n handler *file= table->file;\n ulong extra_length= ALIGN_SIZE(key_length)-key_length;\n uint *field_lengths, *field_length;\n HASH hash;\n Field **ptr;\n DBUG_ENTER(\"remove_dup_with_hash_index\");\n\n if (unlikely(!my_multi_malloc(MYF(MY_WME),\n &key_buffer,\n (uint) ((key_length + extra_length) *\n (long) file->stats.records),\n &field_lengths,\n (uint) (field_count*sizeof(*field_lengths)),\n NullS)))\n DBUG_RETURN(1);\n\n for (ptr= first_field, field_length=field_lengths ; *ptr ; ptr++)\n (*field_length++)= (*ptr)->sort_length();\n\n if (unlikely(my_hash_init(&hash, &my_charset_bin,\n (uint) file->stats.records, 0,\n key_length, (my_hash_get_key) 0, 0, 0)))\n {\n my_free(key_buffer);\n DBUG_RETURN(1);\n }\n\n if (unlikely((error= file->ha_rnd_init(1))))\n goto err;\n\n key_pos=key_buffer;\n for (;;)\n {\n uchar *org_key_pos;\n if (unlikely(thd->check_killed()))\n {\n error=0;\n goto err;\n }\n if (unlikely((error= file->ha_rnd_next(record))))\n {\n if (error == HA_ERR_END_OF_FILE)\n\tbreak;\n goto err;\n }\n if (having && !having->val_int())\n {\n if (unlikely((error= file->ha_delete_row(record))))\n\tgoto err;\n continue;\n }\n\n /* copy fields to key buffer */\n org_key_pos= key_pos;\n field_length=field_lengths;\n for (ptr= first_field ; *ptr ; ptr++)\n {\n (*ptr)->make_sort_key(key_pos, *field_length);\n key_pos+= (*ptr)->maybe_null() + *field_length++;\n }\n /* Check if it exists before */\n if 
(my_hash_search(&hash, org_key_pos, key_length))\n {\n /* Duplicated found ; Remove the row */\n if (unlikely((error= file->ha_delete_row(record))))\n\tgoto err;\n }\n else\n {\n if (my_hash_insert(&hash, org_key_pos))\n goto err;\n }\n key_pos+=extra_length;\n }\n my_free(key_buffer);\n my_hash_free(&hash);\n file->extra(HA_EXTRA_NO_CACHE);\n (void) file->ha_rnd_end();\n DBUG_RETURN(0);\n\nerr:\n my_free(key_buffer);\n my_hash_free(&hash);\n file->extra(HA_EXTRA_NO_CACHE);\n (void) file->ha_rnd_end();\n if (unlikely(error))\n file->print_error(error,MYF(0));\n DBUG_RETURN(1);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 204619735989042459511209828163808522614, "size": 97, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508474 }, { "func": "static int strncpy_with_color_codes(char *s1, char *s2, int n) {\n\tint i = 0, j = 0;\n\tint count = 0;\n\twhile (s2[j] && count < n) {\n\t\t// detect (consecutive) color codes\n\t\twhile (s2[j] == 0x1b) {\n\t\t\t// copy till 'm'\n\t\t\twhile (s2[j] && s2[j] != 'm') {\n\t\t\t\ts1[i++] = s2[j++];\n\t\t\t}\n\t\t\t// copy 'm'\n\t\t\tif (s2[j]) {\n\t\t\t\ts1[i++] = s2[j++];\n\t\t\t}\n\t\t}\n\t\tif (s2[j]) {\n\t\t\ts1[i++] = s2[j++];\n\t\t\tcount++;\n\t\t}\n\t}\n\treturn i;\n}", "project": "radare2", "hash": 114598083534942839141181450745505025483, "size": 22, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268918 }, { "func": "void fuse_invalidate_atime(struct inode *inode)\n{\n\tif (!IS_RDONLY(inode))\n\t\tfuse_invalidate_attr_mask(inode, STATX_ATIME);\n}", "project": "linux", "hash": 293210782791453864452869879632399444902, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341895 }, { "func": "static bool tipc_node_check_state(struct tipc_node *n, struct sk_buff *skb,\n\t\t\t\t int bearer_id, struct sk_buff_head *xmitq)\n{\n\tstruct tipc_msg *hdr = buf_msg(skb);\n\tint usr = msg_user(hdr);\n\tint mtyp = msg_type(hdr);\n\tu16 oseqno = msg_seqno(hdr);\n\tu16 exp_pkts = msg_msgcnt(hdr);\n\tu16 rcv_nxt, syncpt, dlv_nxt, inputq_len;\n\tint state = n->state;\n\tstruct tipc_link *l, *tnl, *pl = NULL;\n\tstruct tipc_media_addr *maddr;\n\tint pb_id;\n\n\tif (trace_tipc_node_check_state_enabled()) {\n\t\ttrace_tipc_skb_dump(skb, false, \"skb for node state check\");\n\t\ttrace_tipc_node_check_state(n, true, \" \");\n\t}\n\tl = n->links[bearer_id].link;\n\tif (!l)\n\t\treturn false;\n\trcv_nxt = tipc_link_rcv_nxt(l);\n\n\n\tif (likely((state == SELF_UP_PEER_UP) && (usr != TUNNEL_PROTOCOL)))\n\t\treturn true;\n\n\t/* Find parallel link, if any */\n\tfor (pb_id = 0; pb_id < MAX_BEARERS; pb_id++) {\n\t\tif ((pb_id != bearer_id) && n->links[pb_id].link) {\n\t\t\tpl = n->links[pb_id].link;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (!tipc_link_validate_msg(l, hdr)) {\n\t\ttrace_tipc_skb_dump(skb, false, \"PROTO invalid (2)!\");\n\t\ttrace_tipc_link_dump(l, TIPC_DUMP_NONE, \"PROTO invalid (2)!\");\n\t\treturn false;\n\t}\n\n\t/* Check and update node accesibility if applicable */\n\tif (state == SELF_UP_PEER_COMING) {\n\t\tif (!tipc_link_is_up(l))\n\t\t\treturn true;\n\t\tif (!msg_peer_link_is_up(hdr))\n\t\t\treturn true;\n\t\ttipc_node_fsm_evt(n, PEER_ESTABL_CONTACT_EVT);\n\t}\n\n\tif (state == SELF_DOWN_PEER_LEAVING) {\n\t\tif (msg_peer_node_is_up(hdr))\n\t\t\treturn false;\n\t\ttipc_node_fsm_evt(n, PEER_LOST_CONTACT_EVT);\n\t\treturn true;\n\t}\n\n\tif 
(state == SELF_LEAVING_PEER_DOWN)\n\t\treturn false;\n\n\t/* Ignore duplicate packets */\n\tif ((usr != LINK_PROTOCOL) && less(oseqno, rcv_nxt))\n\t\treturn true;\n\n\t/* Initiate or update failover mode if applicable */\n\tif ((usr == TUNNEL_PROTOCOL) && (mtyp == FAILOVER_MSG)) {\n\t\tsyncpt = oseqno + exp_pkts - 1;\n\t\tif (pl && !tipc_link_is_reset(pl)) {\n\t\t\t__tipc_node_link_down(n, &pb_id, xmitq, &maddr);\n\t\t\ttrace_tipc_node_link_down(n, true,\n\t\t\t\t\t\t \"node link down <- failover!\");\n\t\t\ttipc_skb_queue_splice_tail_init(tipc_link_inputq(pl),\n\t\t\t\t\t\t\ttipc_link_inputq(l));\n\t\t}\n\n\t\t/* If parallel link was already down, and this happened before\n\t\t * the tunnel link came up, node failover was never started.\n\t\t * Ensure that a FAILOVER_MSG is sent to get peer out of\n\t\t * NODE_FAILINGOVER state, also this node must accept\n\t\t * TUNNEL_MSGs from peer.\n\t\t */\n\t\tif (n->state != NODE_FAILINGOVER)\n\t\t\ttipc_node_link_failover(n, pl, l, xmitq);\n\n\t\t/* If pkts arrive out of order, use lowest calculated syncpt */\n\t\tif (less(syncpt, n->sync_point))\n\t\t\tn->sync_point = syncpt;\n\t}\n\n\t/* Open parallel link when tunnel link reaches synch point */\n\tif ((n->state == NODE_FAILINGOVER) && tipc_link_is_up(l)) {\n\t\tif (!more(rcv_nxt, n->sync_point))\n\t\t\treturn true;\n\t\ttipc_node_fsm_evt(n, NODE_FAILOVER_END_EVT);\n\t\tif (pl)\n\t\t\ttipc_link_fsm_evt(pl, LINK_FAILOVER_END_EVT);\n\t\treturn true;\n\t}\n\n\t/* No synching needed if only one link */\n\tif (!pl || !tipc_link_is_up(pl))\n\t\treturn true;\n\n\t/* Initiate synch mode if applicable */\n\tif ((usr == TUNNEL_PROTOCOL) && (mtyp == SYNCH_MSG) && (oseqno == 1)) {\n\t\tif (n->capabilities & TIPC_TUNNEL_ENHANCED)\n\t\t\tsyncpt = msg_syncpt(hdr);\n\t\telse\n\t\t\tsyncpt = msg_seqno(msg_inner_hdr(hdr)) + exp_pkts - 1;\n\t\tif (!tipc_link_is_up(l))\n\t\t\t__tipc_node_link_up(n, bearer_id, xmitq);\n\t\tif (n->state == SELF_UP_PEER_UP) {\n\t\t\tn->sync_point = 
syncpt;\n\t\t\ttipc_link_fsm_evt(l, LINK_SYNCH_BEGIN_EVT);\n\t\t\ttipc_node_fsm_evt(n, NODE_SYNCH_BEGIN_EVT);\n\t\t}\n\t}\n\n\t/* Open tunnel link when parallel link reaches synch point */\n\tif (n->state == NODE_SYNCHING) {\n\t\tif (tipc_link_is_synching(l)) {\n\t\t\ttnl = l;\n\t\t} else {\n\t\t\ttnl = pl;\n\t\t\tpl = l;\n\t\t}\n\t\tinputq_len = skb_queue_len(tipc_link_inputq(pl));\n\t\tdlv_nxt = tipc_link_rcv_nxt(pl) - inputq_len;\n\t\tif (more(dlv_nxt, n->sync_point)) {\n\t\t\ttipc_link_fsm_evt(tnl, LINK_SYNCH_END_EVT);\n\t\t\ttipc_node_fsm_evt(n, NODE_SYNCH_END_EVT);\n\t\t\treturn true;\n\t\t}\n\t\tif (l == pl)\n\t\t\treturn true;\n\t\tif ((usr == TUNNEL_PROTOCOL) && (mtyp == SYNCH_MSG))\n\t\t\treturn true;\n\t\tif (usr == LINK_PROTOCOL)\n\t\t\treturn true;\n\t\treturn false;\n\t}\n\treturn true;\n}", "project": "linux", "hash": 47776099743076799375243158320502248762, "size": 143, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n 
genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 
[inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364970 }, { "func": "static int _nfs41_test_stateid(struct nfs_server *server,\n\t\tnfs4_stateid *stateid,\n\t\tconst struct cred *cred)\n{\n\tint status;\n\tstruct nfs41_test_stateid_args args = {\n\t\t.stateid = stateid,\n\t};\n\tstruct nfs41_test_stateid_res res;\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_TEST_STATEID],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t\t.rpc_cred = cred,\n\t};\n\tstruct rpc_clnt *rpc_client = server->client;\n\n\tnfs4_state_protect(server->nfs_client, NFS_SP4_MACH_CRED_STATEID,\n\t\t&rpc_client, &msg);\n\n\tdprintk(\"NFS call test_stateid %p\\n\", stateid);\n\tnfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 1);\n\tstatus = nfs4_call_sync_sequence(rpc_client, server, &msg,\n\t\t\t&args.seq_args, &res.seq_res);\n\tif (status != NFS_OK) {\n\t\tdprintk(\"NFS reply test_stateid: failed, %d\\n\", status);\n\t\treturn status;\n\t}\n\tdprintk(\"NFS reply test_stateid: succeeded, %d\\n\", -res.status);\n\treturn -res.status;\n}", "project": "linux", "hash": 206851164426470222192079616714401633943, "size": 31, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431284 }, { "func": "static int on_fcn_rename(RAnal *_anal, void* _user, RAnalFunction *fcn, const char *oname) {\n\tRCore *core = (RCore*)_user;\n\tconst char *cmd = r_config_get (core->config, \"cmd.fcn.rename\");\n\tif (cmd && *cmd) {\n\t\t// XXX: wat do with old name here?\n\t\tut64 oaddr = core->offset;\n\t\tut64 addr = fcn->addr;\n\t\tr_core_seek (core, addr, 
1);\n\t\tr_core_cmd0 (core, cmd);\n\t\tr_core_seek (core, oaddr, 1);\n\t}\n\treturn 0;\n}", "project": "radare2", "hash": 190466924840418046912110331602524336559, "size": 13, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232192 }, { "func": "void LanLinkProvider::configureSocket(QSslSocket* socket) {\n\n socket->setProxy(QNetworkProxy::NoProxy);\n\n socket->setSocketOption(QAbstractSocket::KeepAliveOption, QVariant(1));\n\n#ifdef TCP_KEEPIDLE\n // time to start sending keepalive packets (seconds)\n int maxIdle = 10;\n setsockopt(socket->socketDescriptor(), IPPROTO_TCP, TCP_KEEPIDLE, &maxIdle, sizeof(maxIdle));\n#endif\n\n#ifdef TCP_KEEPINTVL\n // interval between keepalive packets after the initial period (seconds)\n int interval = 5;\n setsockopt(socket->socketDescriptor(), IPPROTO_TCP, TCP_KEEPINTVL, &interval, sizeof(interval));\n#endif\n\n#ifdef TCP_KEEPCNT\n // number of missed keepalive packets before disconnecting\n int count = 3;\n setsockopt(socket->socketDescriptor(), IPPROTO_TCP, TCP_KEEPCNT, &count, sizeof(count));\n#endif\n\n}", "project": "kdeconnect-kde", "hash": 130746550387076461620283514816110043110, "size": 25, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227361 }, { "func": "static bool notify_change_record_identical(struct notify_change_event *c1,\n\t\t\t\t\t struct notify_change_event *c2)\n{\n\t/* Note this is deliberately case sensitive. 
*/\n\tif (c1->action == c2->action &&\n\t\t\tstrcmp(c1->name, c2->name) == 0) {\n\t\treturn True;\n\t}\n\treturn False;\n}", "project": "samba", "hash": 206530335082749750005948437607124682339, "size": 10, "commit_id": "c300a85848350635e7ddd8129b31c4d439dc0f8a", "message": "s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.\n\nRemove knownfail entry.\n\nCVE-2020-14318\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14434\n\nSigned-off-by: Jeremy Allison ", "target": 0, "dataset": "other", "idx": 279702 }, { "func": "}\n\nstatic int\niscsi_if_transport_ep(struct iscsi_transport *transport,\n\t\t struct iscsi_uevent *ev, int msg_type)\n{\n\tstruct iscsi_endpoint *ep;\n\tint rc = 0;\n\n\tswitch (msg_type) {\n\tcase ISCSI_UEVENT_TRANSPORT_EP_CONNECT_THROUGH_HOST:\n\tcase ISCSI_UEVENT_TRANSPORT_EP_CONNECT:\n\t\trc = iscsi_if_ep_connect(transport, ev, msg_type);\n\t\tbreak;\n\tcase ISCSI_UEVENT_TRANSPORT_EP_POLL:\n\t\tif (!transport->ep_poll)\n\t\t\treturn -EINVAL;\n\n\t\tep = iscsi_lookup_endpoint(ev->u.ep_poll.ep_handle);\n\t\tif (!ep)\n\t\t\treturn -EINVAL;\n\n\t\tev->r.retcode = transport->ep_poll(ep,\n\t\t\t\t\t\t ev->u.ep_poll.timeout_ms);\n\t\tbreak;\n\tcase ISCSI_UEVENT_TRANSPORT_EP_DISCONNECT:\n\t\trc = iscsi_if_ep_disconnect(transport,\n\t\t\t\t\t ev->u.ep_disconnect.ep_handle);\n\t\tbreak;", "project": "linux", "hash": 194199989214566785740166282803677492207, "size": 29, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379938 }, { "func": "static int may_linkat(struct path *link)\n{\n\tstruct inode *inode = link->dentry->d_inode;\n\n\t/* Inode writeback is not safe when the uid or gid are invalid. */\n\tif (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid))\n\t\treturn -EOVERFLOW;\n\n\tif (!sysctl_protected_hardlinks)\n\t\treturn 0;\n\n\t/* Source inode owner (or CAP_FOWNER) can hardlink all they like,\n\t * otherwise, it must be a safe source.\n\t */\n\tif (safe_hardlink_source(inode) || inode_owner_or_capable(inode))\n\t\treturn 0;\n\n\taudit_log_path_denied(AUDIT_ANOM_LINK, \"linkat\");\n\treturn -EPERM;\n}", "project": "linux", "hash": 184853928824838466699231014840437366090, "size": 20, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295332 }, { "func": "static inline void hid_hw_wait(struct hid_device *hdev)\n{\n\tif (hdev->ll_driver->wait)\n\t\thdev->ll_driver->wait(hdev);\n}", "project": "linux", "hash": 162188235752709152716311670249806510092, "size": 5, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected 
uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458413 }, { "func": "bool kvm_vcpu_wake_up(struct kvm_vcpu *vcpu)\n{\n\tstruct swait_queue_head *wqp;\n\n\twqp = kvm_arch_vcpu_wq(vcpu);\n\tif (swq_has_sleeper(wqp)) {\n\t\tswake_up_one(wqp);\n\t\tWRITE_ONCE(vcpu->ready, true);\n\t\t++vcpu->stat.halt_wakeup;\n\t\treturn true;\n\t}\n\n\treturn false;\n}", "project": "linux", "hash": 256464077615967666443656145339187318009, "size": 14, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354609 }, { "func": "bool kvm_vcpu_wake_up(struct kvm_vcpu *vcpu)\n{\n\tstruct rcuwait *waitp;\n\n\twaitp = kvm_arch_vcpu_get_wait(vcpu);\n\tif (rcuwait_wake_up(waitp)) {\n\t\tWRITE_ONCE(vcpu->ready, true);\n\t\t++vcpu->stat.halt_wakeup;\n\t\treturn true;\n\t}\n\n\treturn false;\n}", "project": "linux", "hash": 269927004258019129227177896114620888798, "size": 13, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound 
higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404104 }, { "func": "static int pep_indicate(struct sock *sk, u8 id, u8 code,\n\t\t\tconst void *data, int len, gfp_t priority)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tstruct pnpipehdr *ph;\n\tstruct sk_buff *skb;\n\n\tskb = pep_alloc_skb(sk, data, len, priority);\n\tif (!skb)\n\t\treturn -ENOMEM;\n\n\tph = pnp_hdr(skb);\n\tph->utid = 0;\n\tph->message_id = id;\n\tph->pipe_handle = pn->pipe_handle;\n\tph->error_code = code;\n\treturn pn_skb_send(sk, skb, NULL);\n}", "project": "linux", "hash": 169010138908032358841018816847965375259, "size": 18, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224822 }, { "func": "ConnStateData::initiateTunneledRequest(HttpRequest::Pointer const &cause, Http::MethodType const method, const char *reason, const SBuf &payload)\n{\n // fake a CONNECT request to force connState to tunnel\n SBuf connectHost;\n unsigned short connectPort = 0;\n\n if (pinning.serverConnection != nullptr) {\n static char ip[MAX_IPSTRLEN];\n connectHost = 
pinning.serverConnection->remote.toStr(ip, sizeof(ip));\n connectPort = pinning.serverConnection->remote.port();\n } else if (cause) {\n connectHost = cause->url.hostOrIp();\n connectPort = cause->url.port();\n#if USE_OPENSSL\n } else if (!tlsConnectHostOrIp.isEmpty()) {\n connectHost = tlsConnectHostOrIp;\n connectPort = tlsConnectPort;\n#endif\n } else if (transparent()) {\n static char ip[MAX_IPSTRLEN];\n connectHost = clientConnection->local.toStr(ip, sizeof(ip));\n connectPort = clientConnection->local.port();\n } else {\n debugs(33, 2, \"Not able to compute URL, abort request tunneling for \" << reason);\n return false;\n }\n\n debugs(33, 2, \"Request tunneling for \" << reason);\n ClientHttpRequest *http = buildFakeRequest(method, connectHost, connectPort, payload);\n HttpRequest::Pointer request = http->request;\n request->flags.forceTunnel = true;\n http->calloutContext = new ClientRequestContext(http);\n http->doCallouts();\n clientProcessRequestFinished(this, request);\n return true;\n}", "project": "squid", "hash": 51252159761614448506597145197744726128, "size": 36, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402391 }, { "func": "static int sctp_send_asconf_add_ip(struct sock\t\t*sk,\n\t\t\t\t struct sockaddr\t*addrs,\n\t\t\t\t int \t\t\taddrcnt)\n{\n\tstruct sctp_sock\t\t*sp;\n\tstruct sctp_endpoint\t\t*ep;\n\tstruct sctp_association\t\t*asoc;\n\tstruct sctp_bind_addr\t\t*bp;\n\tstruct sctp_chunk\t\t*chunk;\n\tstruct sctp_sockaddr_entry\t*laddr;\n\tunion sctp_addr\t\t\t*addr;\n\tunion sctp_addr\t\t\tsaveaddr;\n\tvoid\t\t\t\t*addr_buf;\n\tstruct sctp_af\t\t\t*af;\n\tstruct list_head\t\t*p;\n\tint \t\t\t\ti;\n\tint \t\t\t\tretval = 0;\n\n\tsp = sctp_sk(sk);\n\tep = sp->ep;\n\n\tif (!ep->asconf_enable)\n\t\treturn retval;\n\n\tpr_debug(\"%s: sk:%p, addrs:%p, addrcnt:%d\\n\",\n\t\t __func__, sk, addrs, addrcnt);\n\n\tlist_for_each_entry(asoc, &ep->asocs, asocs) {\n\t\tif (!asoc->peer.asconf_capable)\n\t\t\tcontinue;\n\n\t\tif (asoc->peer.addip_disabled_mask & SCTP_PARAM_ADD_IP)\n\t\t\tcontinue;\n\n\t\tif (!sctp_state(asoc, ESTABLISHED))\n\t\t\tcontinue;\n\n\t\t/* Check if any address in the packed array of addresses is\n\t\t * in the bind address list of the association. 
If so,\n\t\t * do not send the asconf chunk to its peer, but continue with\n\t\t * other associations.\n\t\t */\n\t\taddr_buf = addrs;\n\t\tfor (i = 0; i < addrcnt; i++) {\n\t\t\taddr = addr_buf;\n\t\t\taf = sctp_get_af_specific(addr->v4.sin_family);\n\t\t\tif (!af) {\n\t\t\t\tretval = -EINVAL;\n\t\t\t\tgoto out;\n\t\t\t}\n\n\t\t\tif (sctp_assoc_lookup_laddr(asoc, addr))\n\t\t\t\tbreak;\n\n\t\t\taddr_buf += af->sockaddr_len;\n\t\t}\n\t\tif (i < addrcnt)\n\t\t\tcontinue;\n\n\t\t/* Use the first valid address in bind addr list of\n\t\t * association as Address Parameter of ASCONF CHUNK.\n\t\t */\n\t\tbp = &asoc->base.bind_addr;\n\t\tp = bp->address_list.next;\n\t\tladdr = list_entry(p, struct sctp_sockaddr_entry, list);\n\t\tchunk = sctp_make_asconf_update_ip(asoc, &laddr->a, addrs,\n\t\t\t\t\t\t addrcnt, SCTP_PARAM_ADD_IP);\n\t\tif (!chunk) {\n\t\t\tretval = -ENOMEM;\n\t\t\tgoto out;\n\t\t}\n\n\t\t/* Add the new addresses to the bind address list with\n\t\t * use_as_src set to 0.\n\t\t */\n\t\taddr_buf = addrs;\n\t\tfor (i = 0; i < addrcnt; i++) {\n\t\t\taddr = addr_buf;\n\t\t\taf = sctp_get_af_specific(addr->v4.sin_family);\n\t\t\tmemcpy(&saveaddr, addr, af->sockaddr_len);\n\t\t\tretval = sctp_add_bind_addr(bp, &saveaddr,\n\t\t\t\t\t\t sizeof(saveaddr),\n\t\t\t\t\t\t SCTP_ADDR_NEW, GFP_ATOMIC);\n\t\t\taddr_buf += af->sockaddr_len;\n\t\t}\n\t\tif (asoc->src_out_of_asoc_ok) {\n\t\t\tstruct sctp_transport *trans;\n\n\t\t\tlist_for_each_entry(trans,\n\t\t\t &asoc->peer.transport_addr_list, transports) {\n\t\t\t\ttrans->cwnd = min(4*asoc->pathmtu, max_t(__u32,\n\t\t\t\t 2*asoc->pathmtu, 4380));\n\t\t\t\ttrans->ssthresh = asoc->peer.i.a_rwnd;\n\t\t\t\ttrans->rto = asoc->rto_initial;\n\t\t\t\tsctp_max_rto(asoc, trans);\n\t\t\t\ttrans->rtt = trans->srtt = trans->rttvar = 0;\n\t\t\t\t/* Clear the source and route cache */\n\t\t\t\tsctp_transport_route(trans, NULL,\n\t\t\t\t\t\t sctp_sk(asoc->base.sk));\n\t\t\t}\n\t\t}\n\t\tretval = sctp_send_asconf(asoc, 
chunk);\n\t}\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 6400104083416762689180731533253790938, "size": 107, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398192 }, { "func": "static int kvm_s390_vm_set_attr(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tint ret;\n\n\tswitch (attr->group) {\n\tcase KVM_S390_VM_MEM_CTRL:\n\t\tret = kvm_s390_set_mem_control(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_TOD:\n\t\tret = kvm_s390_set_tod(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_CPU_MODEL:\n\t\tret = kvm_s390_set_cpu_model(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_CRYPTO:\n\t\tret = kvm_s390_vm_set_crypto(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_MIGRATION:\n\t\tret = kvm_s390_vm_set_migration(kvm, attr);\n\t\tbreak;\n\tdefault:\n\t\tret = -ENXIO;\n\t\tbreak;\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 20030492052905207989304451029396322250, "size": 27, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354590 }, { "func": "static void dist_cache_push(struct rar5* rar, int value) {\n\tint* q = rar->cstate.dist_cache;\n\n\tq[3] = q[2];\n\tq[2] = q[1];\n\tq[1] = q[0];\n\tq[0] = value;\n}", "project": "libarchive", "hash": 230199132559840125306997662318121781191, "size": 8, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. 
Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244701 }, { "func": "void requeue_futex(struct futex_q *q, struct futex_hash_bucket *hb1,\n\t\t struct futex_hash_bucket *hb2, union futex_key *key2)\n{\n\n\t/*\n\t * If key1 and key2 hash to the same bucket, no need to\n\t * requeue.\n\t */\n\tif (likely(&hb1->chain != &hb2->chain)) {\n\t\tplist_del(&q->list, &hb1->chain);\n\t\tplist_add(&q->list, &hb2->chain);\n\t\tq->lock_ptr = &hb2->lock;\n#ifdef CONFIG_DEBUG_PI_LIST\n\t\tq->list.plist.spinlock = &hb2->lock;\n#endif\n\t}\n\tget_futex_key_refs(key2);\n\tq->key = *key2;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 34014358023755490148630839044498545736, "size": 19, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492301 }, { "func": "static int headerMatchLocale(const char *td, const char *l, const char *le)\n{\n const char *fe;\n\n /* First try a complete match. */\n if (strlen(td) == (le-l) && rstreqn(td, l, (le - l)))\n\treturn 1;\n\n /* Next, try stripping optional dialect and matching. */\n for (fe = l; fe < le && *fe != '@'; fe++)\n\t{};\n if (fe < le && rstreqn(td, l, (fe - l)))\n\treturn 1;\n\n /* Next, try stripping optional codeset and matching. */\n for (fe = l; fe < le && *fe != '.'; fe++)\n\t{};\n if (fe < le && rstreqn(td, l, (fe - l)))\n\treturn 1;\n\n /* Finally, try stripping optional country code and matching. 
*/\n for (fe = l; fe < le && *fe != '_'; fe++)\n\t{};\n if (fe < le && rstreqn(td, l, (fe - l)))\n\treturn 2;\n\n return 0;\n}", "project": "rpm", "hash": 186949741183263429066633920180273332162, "size": 28, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318183 }, { "func": "static void discard_slab(struct kmem_cache *s, struct page *page)\n{\n\tdec_slabs_node(s, page_to_nid(page), page->objects);\n\tfree_slab(s, page);\n}", "project": "linux", "hash": 236300638336818559510098392157280013483, "size": 5, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280246 }, { "func": "static int check_errorlog_dir(apr_pool_t *p, server_rec *s)\n{\n if (!s->error_fname || s->error_fname[0] == '|'\n || s->errorlog_provider != NULL) {\n return APR_SUCCESS;\n }\n else {\n char *abs = ap_server_root_relative(p, s->error_fname);\n char *dir = ap_make_dirstr_parent(p, abs);\n apr_finfo_t finfo;\n apr_status_t rv = apr_stat(&finfo, dir, APR_FINFO_TYPE, p);\n if (rv == APR_SUCCESS && finfo.filetype != APR_DIR)\n rv = APR_ENOTDIR;\n if (rv != APR_SUCCESS) {\n const char *desc = \"main error log\";\n if (s->defn_name)\n desc = apr_psprintf(p, \"error log of vhost defined at %s:%d\",\n s->defn_name, s->defn_line_number);\n ap_log_error(APLOG_MARK, APLOG_STARTUP|APLOG_EMERG, rv,\n ap_server_conf, APLOGNO(02291)\n \"Cannot access directory '%s' for %s\", dir, desc);\n return !OK;\n }\n }\n return OK;\n}", "project": "httpd", "hash": 239774730186425017105132119379015707083, "size": 26, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246348 }, { "func": "static void kvm_arch_vcpu_ioctl_initial_reset(struct kvm_vcpu *vcpu)\n{\n\t/* Initial reset is a superset of the normal reset 
*/\n\tkvm_arch_vcpu_ioctl_normal_reset(vcpu);\n\n\t/* this equals initial cpu reset in pop, but we don't switch to ESA */\n\tvcpu->arch.sie_block->gpsw.mask = 0;\n\tvcpu->arch.sie_block->gpsw.addr = 0;\n\tkvm_s390_set_prefix(vcpu, 0);\n\tkvm_s390_set_cpu_timer(vcpu, 0);\n\tvcpu->arch.sie_block->ckc = 0;\n\tmemset(vcpu->arch.sie_block->gcr, 0, sizeof(vcpu->arch.sie_block->gcr));\n\tvcpu->arch.sie_block->gcr[0] = CR0_INITIAL_MASK;\n\tvcpu->arch.sie_block->gcr[14] = CR14_INITIAL_MASK;\n\tvcpu->run->s.regs.fpc = 0;\n\t/*\n\t * Do not reset these registers in the protected case, as some of\n\t * them are overlayed and they are not accessible in this case\n\t * anyway.\n\t */\n\tif (!kvm_s390_pv_cpu_is_protected(vcpu)) {\n\t\tvcpu->arch.sie_block->gbea = 1;\n\t\tvcpu->arch.sie_block->pp = 0;\n\t\tvcpu->arch.sie_block->fpf &= ~FPF_BPBC;\n\t\tvcpu->arch.sie_block->todpr = 0;\n\t}\n}", "project": "linux", "hash": 475470827689157002443666110919967002, "size": 27, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354760 }, { "func": "void luaE_enterCcall (lua_State *L) {\n int ncalls = getCcalls(L);\n L->nCcalls--;\n if (ncalls <= CSTACKERR) { /* possible overflow? */\n luaE_freeCI(L); /* release unused CIs */\n ncalls = getCcalls(L); /* update call count */\n if (ncalls <= CSTACKERR) { /* still overflow? 
*/\n if (ncalls <= CSTACKERRMARK) /* below error-handling zone? */\n luaD_throw(L, LUA_ERRERR); /* error while handling stack error */\n else if (ncalls >= CSTACKMARK) {\n /* not in error-handling zone; raise the error now */\n L->nCcalls = (CSTACKMARK - 1); /* enter error-handling zone */\n luaG_runerror(L, \"C stack overflow\");\n }\n /* else stack is in the error-handling zone;\n allow message handler to work */\n }\n }\n}", "project": "lua", "hash": 175093689003680100396846474112418768394, "size": 19, "commit_id": "a2195644d89812e5b157ce7bac35543e06db05e3", "message": "Fixed bug: invalid 'oldpc' when returning to a function\n\nThe field 'L->oldpc' is not always updated when control returns to a\nfunction; an invalid value can seg. fault when computing 'changedline'.\n(One example is an error in a finalizer; control can return to\n'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to\nfix all possible corner cases, it seems safer to be resilient to invalid\nvalues for 'oldpc'. Valid but wrong values at most cause an extra call\nto a line hook.", "target": 0, "dataset": "other", "idx": 462770 }, { "func": "int fuse_readdir(struct file *file, struct dir_context *ctx)\n{\n\tstruct fuse_file *ff = file->private_data;\n\tstruct inode *inode = file_inode(file);\n\tint err;\n\n\tif (fuse_is_bad(inode))\n\t\treturn -EIO;\n\n\tmutex_lock(&ff->readdir.lock);\n\n\terr = UNCACHED;\n\tif (ff->open_flags & FOPEN_CACHE_DIR)\n\t\terr = fuse_readdir_cached(file, ctx);\n\tif (err == UNCACHED)\n\t\terr = fuse_readdir_uncached(file, ctx);\n\n\tmutex_unlock(&ff->readdir.lock);\n\n\treturn err;\n}", "project": "linux", "hash": 316429418861296766044691440776134081780, "size": 21, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341901 }, { "func": "SYSCALL_DEFINE1(ssetmask, int, newmask)\n{\n\tint old = current->blocked.sig[0];\n\tsigset_t newset;\n\n\tsiginitset(&newset, newmask);\n\tset_current_blocked(&newset);\n\n\treturn old;\n}", "project": "linux", "hash": 162185271614502058088242848201925217347, "size": 10, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375185 }, { "func": "int64 CServer::TickStartTime(int Tick)\n{\n\treturn m_GameStartTime + (time_freq()*Tick)/SERVER_TICK_SPEED;\n}", "project": "teeworlds", "hash": 274562061884356324473503715922279853873, "size": 4, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 381985 }, { "func": "void kvm_arch_sync_dirty_log(struct kvm *kvm, struct kvm_memory_slot *memslot)\n{\n\tint i;\n\tgfn_t cur_gfn, last_gfn;\n\tunsigned long gaddr, vmaddr;\n\tstruct gmap *gmap = kvm->arch.gmap;\n\tDECLARE_BITMAP(bitmap, _PAGE_ENTRIES);\n\n\t/* Loop over all guest segments */\n\tcur_gfn = memslot->base_gfn;\n\tlast_gfn = memslot->base_gfn + memslot->npages;\n\tfor (; cur_gfn <= last_gfn; cur_gfn += _PAGE_ENTRIES) {\n\t\tgaddr = gfn_to_gpa(cur_gfn);\n\t\tvmaddr = gfn_to_hva_memslot(memslot, cur_gfn);\n\t\tif (kvm_is_error_hva(vmaddr))\n\t\t\tcontinue;\n\n\t\tbitmap_zero(bitmap, _PAGE_ENTRIES);\n\t\tgmap_sync_dirty_log_pmd(gmap, bitmap, gaddr, vmaddr);\n\t\tfor (i = 0; 
i < _PAGE_ENTRIES; i++) {\n\t\t\tif (test_bit(i, bitmap))\n\t\t\t\tmark_page_dirty(kvm, cur_gfn + i);\n\t\t}\n\n\t\tif (fatal_signal_pending(current))\n\t\t\treturn;\n\t\tcond_resched();\n\t}\n}", "project": "linux", "hash": 239287967049623981543784367358383278459, "size": 29, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354761 }, { "func": "static int kvm_s390_vm_set_migration(struct kvm *kvm,\n\t\t\t\t struct kvm_device_attr *attr)\n{\n\tint res = -ENXIO;\n\n\tmutex_lock(&kvm->slots_lock);\n\tswitch (attr->attr) {\n\tcase KVM_S390_VM_MIGRATION_START:\n\t\tres = kvm_s390_vm_start_migration(kvm);\n\t\tbreak;\n\tcase KVM_S390_VM_MIGRATION_STOP:\n\t\tres = kvm_s390_vm_stop_migration(kvm);\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\tmutex_unlock(&kvm->slots_lock);\n\n\treturn res;\n}", "project": "linux", "hash": 5395854229876387266494050511746691998, "size": 20, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot 
array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354471 }, { "func": "static bool checkreturn pb_dec_string(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n uint32_t size;\n size_t alloc_size;\n bool status;\n if (!pb_decode_varint32(stream, &size))\n return false;\n \n /* Space for null terminator */\n alloc_size = size + 1;\n \n if (alloc_size < size)\n PB_RETURN_ERROR(stream, \"size too large\");\n \n if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)\n {\n#ifndef PB_ENABLE_MALLOC\n PB_RETURN_ERROR(stream, \"no malloc support\");\n#else\n if (!allocate_field(stream, dest, alloc_size, 1))\n return false;\n dest = *(void**)dest;\n#endif\n }\n else\n {\n if (alloc_size > field->data_size)\n PB_RETURN_ERROR(stream, \"string overflow\");\n }\n \n status = pb_read(stream, (pb_byte_t*)dest, size);\n *((pb_byte_t*)dest + size) = 0;\n return status;\n}", "project": "nanopb", "hash": 67202966286668420385615773369404992231, "size": 34, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252506 }, { "func": "static bool checkreturn pb_dec_string(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n uint32_t size;\n size_t alloc_size;\n bool status;\n if (!pb_decode_varint32(stream, &size))\n return false;\n \n /* Space for null terminator */\n alloc_size = size + 1;\n \n if (alloc_size < size)\n PB_RETURN_ERROR(stream, \"size too large\");\n \n if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)\n {\n#ifndef PB_ENABLE_MALLOC\n PB_RETURN_ERROR(stream, \"no malloc support\");\n#else\n if (!allocate_field(stream, dest, alloc_size, 1))\n return false;\n dest = *(void**)dest;\n#endif\n }\n else\n {\n if 
(alloc_size > field->data_size)\n PB_RETURN_ERROR(stream, \"string overflow\");\n }\n \n status = pb_read(stream, (uint8_t*)dest, size);\n *((uint8_t*)dest + size) = 0;\n return status;\n}", "project": "nanopb", "hash": 44618457237780092990576115802278239235, "size": 34, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255346 }, { "func": "static bool skip_this_pass(int severity)\n{\n /*\n * See if it's a pass-specific error or warning which should be skipped.\n * We cannot skip errors stronger than ERR_NONFATAL as by definition\n * they cannot be resumed from.\n */\n if ((severity & ERR_MASK) > ERR_NONFATAL)\n\treturn false;\n\n /*\n * passn is 1 on the very first pass only.\n * pass0 is 2 on the code-generation (final) pass only.\n * These are the passes we care about in this case.\n */\n return (((severity & ERR_PASS1) && passn != 1) ||\n\t ((severity & ERR_PASS2) && pass0 != 2));\n}", "project": "nasm", "hash": 173627947206023300191340698770454325066, "size": 18, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257480 }, { "func": "int ip_append_data(struct sock *sk, struct flowi4 *fl4,\n\t\t int getfrag(void *from, char *to, int offset, int len,\n\t\t\t int odd, struct sk_buff *skb),\n\t\t void *from, int length, int transhdrlen,\n\t\t struct ipcm_cookie *ipc, struct rtable **rtp,\n\t\t unsigned int flags)\n{\n\tstruct inet_sock *inet = inet_sk(sk);\n\tint err;\n\n\tif (flags&MSG_PROBE)\n\t\treturn 0;\n\n\tif (skb_queue_empty(&sk->sk_write_queue)) {\n\t\terr = ip_setup_cork(sk, &inet->cork.base, ipc, rtp);\n\t\tif (err)\n\t\t\treturn err;\n\t} else {\n\t\ttranshdrlen = 
0;\n\t}\n\n\treturn __ip_append_data(sk, fl4, &sk->sk_write_queue, &inet->cork.base,\n\t\t\t\tsk_page_frag(sk), getfrag,\n\t\t\t\tfrom, length, transhdrlen, flags);\n}", "project": "net", "hash": 254917916961534230860585695795608319329, "size": 25, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 468919 }, { "func": "static int nfs40_sequence_done(struct rpc_task *task,\n\t\t\t struct nfs4_sequence_res *res)\n{\n\tif (res->sr_slot != NULL)\n\t\tnfs40_sequence_free_slot(res);\n\treturn 1;\n}", "project": "linux", "hash": 243327487309809652057322825283260585681, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431355 }, { "func": "static void nfs4_xdr_enc_fsid_present(struct rpc_rqst *req,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs4_fsid_present_arg *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_getfh(xdr, &hdr);\n\tif (args->renew)\n\t\tencode_renew(xdr, args->clientid, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 339721391102150677158064372812489392773, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431471 }, { "func": "void tracing_record_taskinfo(struct task_struct *task, int 
flags)\n{\n\tbool done;\n\n\tif (tracing_record_taskinfo_skip(flags))\n\t\treturn;\n\n\t/*\n\t * Record as much task information as possible. If some fail, continue\n\t * to try to record the others.\n\t */\n\tdone = !(flags & TRACE_RECORD_CMDLINE) || trace_save_cmdline(task);\n\tdone &= !(flags & TRACE_RECORD_TGID) || trace_save_tgid(task);\n\n\t/* If recording any information failed, retry again soon. */\n\tif (!done)\n\t\treturn;\n\n\t__this_cpu_write(trace_taskinfo_save, false);\n}", "project": "linux", "hash": 105515956123061245659858236431743681561, "size": 20, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445681 }, { "func": "static void SFGuessScriptList(SplineFont1 *sf) {\n uint32 scripts[32], script;\n int i, scnt=0, j;\n\n for ( i=0; isf.glyphcnt; ++i ) if ( sf->sf.glyphs[i]!=NULL ) {\n\tscript = SCScriptFromUnicode(sf->sf.glyphs[i]);\n\tif ( script!=0 && script!=DEFAULT_SCRIPT ) {\n\t for ( j=scnt-1; j>=0 ; --j )\n\t\tif ( scripts[j]==script )\n\t break;\n\t if ( j<0 ) {\n\t\tscripts[scnt++] = script;\n\t\tif ( scnt>=32 )\n break;\n\t }\n\t}\n }\n if ( scnt==0 )\n\tscripts[scnt++] = CHR('l','a','t','n');\n\n /* order scripts */\n for ( i=0; iscripts[j] ) {\n\t script = scripts[i];\n\t scripts[i] = scripts[j];\n\t scripts[j] = 
script;\n\t}\n }\n\n if ( sf->sf.cidmaster ) sf = (SplineFont1 *) sf->sf.cidmaster;\n else if ( sf->sf.mm!=NULL ) sf=(SplineFont1 *) sf->sf.mm->normal;\n if ( sf->script_lang!=NULL )\nreturn;\n sf->script_lang = calloc(2,sizeof(struct script_record *));\n sf->script_lang[0] = calloc(scnt+1,sizeof(struct script_record));\n sf->sli_cnt = 1;\n for ( j=0; jscript_lang[0][j].script = scripts[j];\n\tsf->script_lang[0][j].langs = malloc(2*sizeof(uint32));\n\tsf->script_lang[0][j].langs[0] = DEFAULT_LANG;\n\tsf->script_lang[0][j].langs[1] = 0;\n }\n sf->script_lang[1] = NULL;\n}", "project": "fontforge", "hash": 308201656028681154264986945975555821283, "size": 44, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417906 }, { "func": "static inline int kvm_irqfd(struct kvm *kvm, struct kvm_irqfd *args)\n{\n\treturn -EINVAL;\n}", "project": "linux", "hash": 73716336962123928983372367373940796391, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian 
Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354819 }, { "func": "static inline void svm_inject_irq(struct vcpu_svm *svm, int irq)\n{\n\tstruct vmcb_control_area *control;\n\n\t/* The following fields are ignored when AVIC is enabled */\n\tcontrol = &svm->vmcb->control;\n\tcontrol->int_vector = irq;\n\tcontrol->int_ctl &= ~V_INTR_PRIO_MASK;\n\tcontrol->int_ctl |= V_IRQ_MASK |\n\t\t((/*control->int_vector >> 4*/ 0xf) << V_INTR_PRIO_SHIFT);\n\tmark_dirty(svm->vmcb, VMCB_INTR);\n}", "project": "linux", "hash": 311374196998061141425207510644719772933, "size": 12, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432516 }, { "func": "static inline void svm_inject_irq(struct vcpu_svm *svm, int irq)\n{\n\tstruct vmcb_control_area *control;\n\n\tcontrol = &svm->vmcb->control;\n\tcontrol->int_vector = irq;\n\tcontrol->int_ctl &= ~V_INTR_PRIO_MASK;\n\tcontrol->int_ctl |= V_IRQ_MASK |\n\t\t((/*control->int_vector >> 4*/ 0xf) << V_INTR_PRIO_SHIFT);\n\tmark_dirty(svm->vmcb, VMCB_INTR);\n}", "project": "kvm", "hash": 11654429714973661628998033999519809702, "size": 11, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). 
However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437594 }, { "func": "void kvm_arch_crypto_clear_masks(struct kvm *kvm)\n{\n\tmutex_lock(&kvm->lock);\n\tkvm_s390_vcpu_block_all(kvm);\n\n\tmemset(&kvm->arch.crypto.crycb->apcb0, 0,\n\t sizeof(kvm->arch.crypto.crycb->apcb0));\n\tmemset(&kvm->arch.crypto.crycb->apcb1, 0,\n\t sizeof(kvm->arch.crypto.crycb->apcb1));\n\n\tVM_EVENT(kvm, 3, \"%s\", \"CLR CRYCB:\");\n\t/* recreate the shadow crycb for each vcpu */\n\tkvm_s390_sync_request_broadcast(kvm, 
KVM_REQ_VSIE_RESTART);\n\tkvm_s390_vcpu_unblock_all(kvm);\n\tmutex_unlock(&kvm->lock);\n}", "project": "linux", "hash": 165959977138605340512725451901940512551, "size": 16, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354738 }, { "func": "}\nEXPORT_SYMBOL_GPL(iscsi_alloc_session);\n\nint iscsi_add_session(struct iscsi_cls_session *session, unsigned int target_id)\n{\n\tunsigned long flags;\n\tint id = 0;\n\tint err;\n\n\tsession->sid = atomic_add_return(1, &iscsi_session_nr);\n\n\tif (target_id == ISCSI_MAX_TARGET) {\n\t\tid = ida_simple_get(&iscsi_sess_ida, 0, 0, GFP_KERNEL);\n\n\t\tif (id < 0) {\n\t\t\tiscsi_cls_session_printk(KERN_ERR, session,\n\t\t\t\t\t\"Failure in Target ID Allocation\\n\");\n\t\t\treturn id;\n\t\t}\n\t\tsession->target_id = (unsigned int)id;\n\t\tsession->ida_used = true;\n\t} else\n\t\tsession->target_id = target_id;\n\n\tdev_set_name(&session->dev, \"session%u\", session->sid);\n\terr = device_add(&session->dev);\n\tif (err) {\n\t\tiscsi_cls_session_printk(KERN_ERR, session,\n\t\t\t\t\t \"could not register session's dev\\n\");\n\t\tgoto release_ida;\n\t}\n\terr = transport_register_device(&session->dev);\n\tif (err) {\n\t\tiscsi_cls_session_printk(KERN_ERR, session,\n\t\t\t\t\t \"could not register transport's dev\\n\");\n\t\tgoto 
release_dev;\n\t}\n\n\tspin_lock_irqsave(&sesslock, flags);\n\tlist_add(&session->sess_list, &sesslist);\n\tspin_unlock_irqrestore(&sesslock, flags);\n\n\tiscsi_session_event(session, ISCSI_KEVENT_CREATE_SESSION);\n\tISCSI_DBG_TRANS_SESSION(session, \"Completed session adding\\n\");\n\treturn 0;\n\nrelease_dev:\n\tdevice_del(&session->dev);\nrelease_ida:\n\tif (session->ida_used)\n\t\tida_simple_remove(&iscsi_sess_ida, session->target_id);", "project": "linux", "hash": 230883493301094141693277392455677788848, "size": 51, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379988 }, { "func": "static int slab_pad_check(struct kmem_cache *s, struct page *page)\n{\n\tu8 *start;\n\tu8 *fault;\n\tu8 *end;\n\tu8 *pad;\n\tint length;\n\tint remainder;\n\n\tif (!(s->flags & SLAB_POISON))\n\t\treturn 1;\n\n\tstart = page_address(page);\n\tlength = page_size(page);\n\tend = start + length;\n\tremainder = length % s->size;\n\tif (!remainder)\n\t\treturn 1;\n\n\tpad = end - remainder;\n\tmetadata_access_enable();\n\tfault = memchr_inv(pad, POISON_INUSE, remainder);\n\tmetadata_access_disable();\n\tif (!fault)\n\t\treturn 1;\n\twhile (end > fault && end[-1] == POISON_INUSE)\n\t\tend--;\n\n\tslab_err(s, page, \"Padding overwritten. 
0x%p-0x%p @offset=%tu\",\n\t\t\tfault, end - 1, fault - start);\n\tprint_section(KERN_ERR, \"Padding \", pad, remainder);\n\n\trestore_bytes(s, \"slab padding\", POISON_INUSE, fault, end);\n\treturn 0;\n}", "project": "linux", "hash": 167592776743216027543459178298721397168, "size": 35, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280114 }, { "func": "static inline int slab_pad_check(struct kmem_cache *s, struct page *page)\n\t\t\t{ return 1; }", "project": "linux", "hash": 304946035430562201489842406580970045748, "size": 2, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280167 }, { "func": "static int cmd_status (const char *s)\n{\n s = imap_next_word((char*)s);\n \n if (!ascii_strncasecmp(\"OK\", s, 2))\n return IMAP_CMD_OK;\n if (!ascii_strncasecmp(\"NO\", s, 2))\n return IMAP_CMD_NO;\n\n return IMAP_CMD_BAD;\n}", "project": "mutt", "hash": 198142429704801270303977867182406445547, "size": 11, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338027 }, { "func": "int bcf_get_format_values(const bcf_hdr_t *hdr, bcf1_t *line, const char *tag, void **dst, int *ndst, int type)\n{\n int i,j, tag_id = bcf_hdr_id2int(hdr, BCF_DT_ID, tag);\n if ( !bcf_hdr_idinfo_exists(hdr,BCF_HL_FMT,tag_id) ) return -1; // no such FORMAT field in the header\n if ( tag[0]=='G' && tag[1]=='T' && tag[2]==0 )\n {\n // Ugly: GT field is considered to be a string by the VCF header but BCF represents it as INT.\n if ( bcf_hdr_id2type(hdr,BCF_HL_FMT,tag_id)!=BCF_HT_STR ) return -2;\n }\n else if ( bcf_hdr_id2type(hdr,BCF_HL_FMT,tag_id)!=type ) return -2; // expected different type\n\n if ( !(line->unpacked & BCF_UN_FMT) ) bcf_unpack(line, BCF_UN_FMT);\n\n for (i=0; in_fmt; i++)\n if ( line->d.fmt[i].id==tag_id ) break;\n if ( i==line->n_fmt ) return -3; // the tag is not present in this record\n bcf_fmt_t *fmt = &line->d.fmt[i];\n if ( !fmt->p ) return -3; // the tag was marked for removal\n\n if ( type==BCF_HT_STR )\n {\n int n = fmt->n*bcf_hdr_nsamples(hdr);\n if ( *ndst < n )\n {\n *dst = realloc(*dst, n);\n if ( !*dst ) return -4; // could not 
alloc\n *ndst = n;\n }\n memcpy(*dst,fmt->p,n);\n return n;\n }\n\n // Make sure the buffer is big enough\n int nsmpl = bcf_hdr_nsamples(hdr);\n int size1 = type==BCF_HT_INT ? sizeof(int32_t) : sizeof(float);\n if ( *ndst < fmt->n*nsmpl )\n {\n *ndst = fmt->n*nsmpl;\n *dst = realloc(*dst, *ndst*size1);\n if ( !*dst ) return -4; // could not alloc\n }\n\n #define BRANCH(type_t, convert, is_missing, is_vector_end, set_missing, set_vector_end, set_regular, out_type_t) { \\\n out_type_t *tmp = (out_type_t *) *dst; \\\n uint8_t *fmt_p = fmt->p; \\\n for (i=0; in; j++) \\\n { \\\n type_t p = convert(fmt_p + j * sizeof(type_t)); \\\n if ( is_missing ) set_missing; \\\n else if ( is_vector_end ) { set_vector_end; break; } \\\n else set_regular; \\\n tmp++; \\\n } \\\n for (; jn; j++) { set_vector_end; tmp++; } \\\n fmt_p += fmt->size; \\\n } \\\n }\n switch (fmt->type) {\n case BCF_BT_INT8: BRANCH(int8_t, le_to_i8, p==bcf_int8_missing, p==bcf_int8_vector_end, *tmp=bcf_int32_missing, *tmp=bcf_int32_vector_end, *tmp=p, int32_t); break;\n case BCF_BT_INT16: BRANCH(int16_t, le_to_i16, p==bcf_int16_missing, p==bcf_int16_vector_end, *tmp=bcf_int32_missing, *tmp=bcf_int32_vector_end, *tmp=p, int32_t); break;\n case BCF_BT_INT32: BRANCH(int32_t, le_to_i32, p==bcf_int32_missing, p==bcf_int32_vector_end, *tmp=bcf_int32_missing, *tmp=bcf_int32_vector_end, *tmp=p, int32_t); break;\n case BCF_BT_FLOAT: BRANCH(uint32_t, le_to_u32, p==bcf_float_missing, p==bcf_float_vector_end, bcf_float_set_missing(*tmp), bcf_float_set_vector_end(*tmp), bcf_float_set(tmp, p), float); break;\n default: hts_log_error(\"Unexpected type %d at %s:%\"PRIhts_pos, fmt->type, bcf_seqname_safe(hdr,line), line->pos+1); exit(1);\n }\n #undef BRANCH\n return nsmpl*fmt->n;\n}", "project": "htslib", "hash": 76677238240826806287036156972981104019, "size": 69, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() 
only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402234 }, { "func": "void kvm_vcpu_mark_page_dirty(struct kvm_vcpu *vcpu, gfn_t gfn)\n{\n\tstruct kvm_memory_slot *memslot;\n\n\tmemslot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);\n\tmark_page_dirty_in_slot(memslot, gfn);\n}", "project": "linux", "hash": 269743296982747189595427939392719972180, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354747 }, { "func": "void kvm_vcpu_mark_page_dirty(struct kvm_vcpu *vcpu, gfn_t gfn)\n{\n\tstruct kvm_memory_slot *memslot;\n\n\tmemslot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);\n\tmark_page_dirty_in_slot(vcpu->kvm, memslot, gfn);\n}", "project": "linux", "hash": 121864188627453683048752635471721680067, "size": 7, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404100 }, { "func": "static inline struct sk_buff *tcp_write_queue_next(const struct sock *sk,\n\t\t\t\t\t\t const struct sk_buff *skb)\n{\n\treturn skb_queue_next(&sk->sk_write_queue, skb);\n}", "project": "linux", "hash": 321063761507164964741337132458701420904, "size": 5, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. 
For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410775 }, { "func": "CallResult getOwnComputedPrimitiveDescriptorImpl(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n JSObject::IgnoreProxy ignoreProxy,\n SymbolID &id,\n ComputedPropertyDescriptor &desc) {\n assert(\n !nameValHandle->isObject() &&\n \"nameValHandle passed to \"\n \"getOwnComputedPrimitiveDescriptor \"\n \"cannot be an object\");\n\n // Try the fast paths first if we have \"fast\" index properties and the\n // property name is an obvious index.\n if (auto arrayIndex = toArrayIndexFastPath(*nameValHandle)) {\n if (JSObject::Helper::flags(*selfHandle).fastIndexProperties) {\n auto res = JSObject::Helper::getOwnIndexedPropertyFlags(\n selfHandle.get(), runtime, *arrayIndex);\n if (res) {\n // This a valid array index, residing in our indexed storage.\n desc.flags = *res;\n desc.flags.indexed = 1;\n desc.slot = *arrayIndex;\n return true;\n }\n\n // This a valid array index, but we don't have it in our indexed storage,\n // and we don't have index-like named properties.\n return false;\n }\n\n if (!selfHandle->getClass(runtime)->getHasIndexLikeProperties() &&\n !selfHandle->isHostObject() && !selfHandle->isLazy() &&\n !selfHandle->isProxyObject()) {\n // Early return to handle the case where an object definitely has no\n // index-like properties. 
This avoids allocating a new StringPrimitive and\n // uniquing it below.\n return false;\n }\n }\n\n // Convert the string to a SymbolID\n LAZY_TO_IDENTIFIER(runtime, nameValHandle, id);\n\n // Look for a named property with this name.\n if (JSObject::getOwnNamedDescriptor(\n selfHandle,\n runtime,\n id,\n JSObject::Helper::castToNamedPropertyDescriptorRef(desc))) {\n return true;\n }\n\n if (LLVM_LIKELY(\n !JSObject::Helper::flags(*selfHandle).indexedStorage &&\n !selfHandle->isLazy() && !selfHandle->isProxyObject())) {\n return false;\n }\n MutableHandle strPrim{runtime};\n\n // If we have indexed storage, perform potentially expensive conversions\n // to array index and check it.\n if (JSObject::Helper::flags(*selfHandle).indexedStorage) {\n // If the name is a valid integer array index, store it here.\n OptValue arrayIndex;\n\n // Try to convert the property name to an array index.\n TO_ARRAY_INDEX(runtime, nameValHandle, strPrim, arrayIndex);\n\n if (arrayIndex) {\n auto res = JSObject::Helper::getOwnIndexedPropertyFlags(\n selfHandle.get(), runtime, *arrayIndex);\n if (res) {\n desc.flags = *res;\n desc.flags.indexed = 1;\n desc.slot = *arrayIndex;\n return true;\n }\n }\n return false;\n }\n\n if (selfHandle->isLazy()) {\n JSObject::initializeLazyObject(runtime, selfHandle);\n return JSObject::getOwnComputedPrimitiveDescriptor(\n selfHandle, runtime, nameValHandle, ignoreProxy, desc);\n }\n\n assert(selfHandle->isProxyObject() && \"descriptor flags are impossible\");\n if (ignoreProxy == JSObject::IgnoreProxy::Yes) {\n return false;\n }\n return JSProxy::getOwnProperty(\n selfHandle, runtime, nameValHandle, desc, nullptr);\n}", "project": "hermes", "hash": 139117670758870052842329739938081870175, "size": 96, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security 
vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230265 }, { "func": "static void configurePcapHandle(pcap_t * pcap_handle) {\n\n if(bpfFilter != NULL) {\n struct bpf_program fcode;\n\n if(pcap_compile(pcap_handle, &fcode, bpfFilter, 1, 0xFFFFFF00) < 0) {\n printf(\"pcap_compile error: '%s'\\n\", pcap_geterr(pcap_handle));\n } else {\n if(pcap_setfilter(pcap_handle, &fcode) < 0) {\n\tprintf(\"pcap_setfilter error: '%s'\\n\", pcap_geterr(pcap_handle));\n } else\n\tprintf(\"Successfully set BPF filter to '%s'\\n\", bpfFilter);\n }\n }\n}", "project": "nDPI", "hash": 107219587217054086136256478966240092788, "size": 15, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254861 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "void VideoRendererBase::OnDecoderFlushDone() {\n base::AutoLock auto_lock(lock_);\n DCHECK_EQ(kFlushingDecoder, state_);\n DCHECK(!pending_read_);\n\n state_ = kFlushing;\n AttemptFlush_Locked();\n}\n", "cwe": "", "big_vul_idx": 113356, "idx": 101646, "hash": 31783608377893439573211521885355744272 }, { "func": "BCLine LJ_FASTCALL lj_debug_line(GCproto *pt, BCPos pc)\n{\n const void *lineinfo = proto_lineinfo(pt);\n if (pc <= pt->sizebc && lineinfo) {\n BCLine first = pt->firstline;\n if (pc == 
pt->sizebc) return first + pt->numline;\n if (pc-- == 0) return first;\n if (pt->numline < 256)\n return first + (BCLine)((const uint8_t *)lineinfo)[pc];\n else if (pt->numline < 65536)\n return first + (BCLine)((const uint16_t *)lineinfo)[pc];\n else\n return first + (BCLine)((const uint32_t *)lineinfo)[pc];\n }\n return 0;\n}", "project": "LuaJIT", "hash": 81019889936550878722374671259324331009, "size": 16, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394661 }, { "func": "static int pep_reject_conn(struct sock *sk, struct sk_buff *skb, u8 code,\n\t\t\t\tgfp_t priority)\n{\n\tstatic const u8 data[4] = { PAD, PAD, PAD, 0 /* sub-blocks */ };\n\tWARN_ON(code == PN_PIPE_NO_ERROR);\n\treturn pep_reply(sk, skb, code, data, sizeof(data), priority);\n}", "project": "linux", "hash": 316942177316157132257923771183538393504, "size": 7, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224808 }, { "func": " */\nvoid bfq_bfqq_expire(struct bfq_data *bfqd,\n\t\t struct bfq_queue *bfqq,\n\t\t bool compensate,\n\t\t enum bfqq_expiration reason)\n{\n\tbool slow;\n\tunsigned long delta = 0;\n\tstruct bfq_entity *entity = &bfqq->entity;\n\n\t/*\n\t * Check whether the process is slow (see bfq_bfqq_is_slow).\n\t */\n\tslow = bfq_bfqq_is_slow(bfqd, bfqq, compensate, reason, &delta);\n\n\t/*\n\t * As above explained, charge slow (typically seeky) and\n\t * timed-out queues with the time and not the service\n\t * received, to favor sequential workloads.\n\t *\n\t * Processes doing I/O in the slower disk 
zones will tend to\n\t * be slow(er) even if not seeky. Therefore, since the\n\t * estimated peak rate is actually an average over the disk\n\t * surface, these processes may timeout just for bad luck. To\n\t * avoid punishing them, do not charge time to processes that\n\t * succeeded in consuming at least 2/3 of their budget. This\n\t * allows BFQ to preserve enough elasticity to still perform\n\t * bandwidth, and not time, distribution with little unlucky\n\t * or quasi-sequential processes.\n\t */\n\tif (bfqq->wr_coeff == 1 &&\n\t (slow ||\n\t (reason == BFQQE_BUDGET_TIMEOUT &&\n\t bfq_bfqq_budget_left(bfqq) >= entity->budget / 3)))\n\t\tbfq_bfqq_charge_time(bfqd, bfqq, delta);\n\n\tif (reason == BFQQE_TOO_IDLE &&\n\t entity->service <= 2 * entity->budget / 10)\n\t\tbfq_clear_bfqq_IO_bound(bfqq);\n\n\tif (bfqd->low_latency && bfqq->wr_coeff == 1)\n\t\tbfqq->last_wr_start_finish = jiffies;\n\n\tif (bfqd->low_latency && bfqd->bfq_wr_max_softrt_rate > 0 &&\n\t RB_EMPTY_ROOT(&bfqq->sort_list)) {\n\t\t/*\n\t\t * If we get here, and there are no outstanding\n\t\t * requests, then the request pattern is isochronous\n\t\t * (see the comments on the function\n\t\t * bfq_bfqq_softrt_next_start()). Thus we can compute\n\t\t * soft_rt_next_start. And we do it, unless bfqq is in\n\t\t * interactive weight raising. We do not do it in the\n\t\t * latter subcase, for the following reason. bfqq may\n\t\t * be conveying the I/O needed to load a soft\n\t\t * real-time application. Such an application will\n\t\t * actually exhibit a soft real-time I/O pattern after\n\t\t * it finally starts doing its job. 
But, if\n\t\t * soft_rt_next_start is computed here for an\n\t\t * interactive bfqq, and bfqq had received a lot of\n\t\t * service before remaining with no outstanding\n\t\t * request (likely to happen on a fast device), then\n\t\t * soft_rt_next_start would be assigned such a high\n\t\t * value that, for a very long time, bfqq would be\n\t\t * prevented from being possibly considered as soft\n\t\t * real time.\n\t\t *\n\t\t * If, instead, the queue still has outstanding\n\t\t * requests, then we have to wait for the completion\n\t\t * of all the outstanding requests to discover whether\n\t\t * the request pattern is actually isochronous.\n\t\t */\n\t\tif (bfqq->dispatched == 0 &&\n\t\t bfqq->wr_coeff != bfqd->bfq_wr_coeff)\n\t\t\tbfqq->soft_rt_next_start =\n\t\t\t\tbfq_bfqq_softrt_next_start(bfqd, bfqq);\n\t\telse if (bfqq->dispatched > 0) {\n\t\t\t/*\n\t\t\t * Schedule an update of soft_rt_next_start to when\n\t\t\t * the task may be discovered to be isochronous.\n\t\t\t */\n\t\t\tbfq_mark_bfqq_softrt_update(bfqq);\n\t\t}\n\t}\n\n\tbfq_log_bfqq(bfqd, bfqq,\n\t\t\"expire (%d, slow %d, num_disp %d, short_ttime %d)\", reason,\n\t\tslow, bfqq->dispatched, bfq_bfqq_has_short_ttime(bfqq));\n\n\t/*\n\t * bfqq expired, so no total service time needs to be computed\n\t * any longer: reset state machine for measuring total service\n\t * times.\n\t */\n\tbfqd->rqs_injected = bfqd->wait_dispatch = false;\n\tbfqd->waited_rq = NULL;\n\n\t/*\n\t * Increase, decrease or leave budget unchanged according to\n\t * reason.\n\t */\n\t__bfq_bfqq_recalc_budget(bfqd, bfqq, reason);\n\tif (__bfq_bfqq_expire(bfqd, bfqq, reason))\n\t\t/* bfqq is gone, no more actions on it */\n\t\treturn;\n\n\t/* mark bfqq as waiting a request only if a bic still points to it */\n\tif (!bfq_bfqq_busy(bfqq) &&\n\t reason != BFQQE_BUDGET_TIMEOUT &&\n\t reason != BFQQE_BUDGET_EXHAUSTED) {\n\t\tbfq_mark_bfqq_non_blocking_wait_rq(bfqq);\n\t\t/*\n\t\t * Not setting service to 0, because, if the next rq\n\t\t * 
arrives in time, the queue will go on receiving\n\t\t * service with this same budget (as if it never expired)\n\t\t */\n\t} else\n\t\tentity->service = 0;\n\n\t/*\n\t * Reset the received-service counter for every parent entity.\n\t * Differently from what happens with bfqq->entity.service,\n\t * the resetting of this counter never needs to be postponed\n\t * for parent entities. In fact, in case bfqq may have a\n\t * chance to go on being served using the last, partially\n\t * consumed budget, bfqq->entity.service needs to be kept,\n\t * because if bfqq then actually goes on being served using\n\t * the same budget, the last value of bfqq->entity.service is\n\t * needed to properly decrement bfqq->entity.budget by the\n\t * portion already consumed. In contrast, it is not necessary\n\t * to keep entity->service for parent entities too, because\n\t * the bubble up of the new value of bfqq->entity.budget will\n\t * make sure that the budgets of parent entities are correct,\n\t * even in case bfqq and thus parent entities go on receiving\n\t * service with the same budget.\n\t */\n\tentity = entity->parent;\n\tfor_each_entity(entity)\n\t\tentity->service = 0;", "project": "linux", "hash": 182001668168082967838940886781455870929, "size": 138, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. 
If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] 
blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 
ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453366 }, { "func": "void CWebSock::PrintErrorPage(const CString& sMessage) {\n m_Template.SetFile(\"Error.tmpl\");\n\n m_Template[\"Action\"] = \"error\";\n m_Template[\"Title\"] = \"Error\";\n m_Template[\"Error\"] = sMessage;\n}", "project": "znc", "hash": 144122483179530150421905880421020303106, "size": 7, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265779 }, { "func": "static void ip_cork_release(struct inet_cork *cork)\n{\n\tcork->flags &= 
~IPCORK_OPT;\n\tkfree(cork->opt);\n\tcork->opt = NULL;\n\tdst_release(cork->dst);\n\tcork->dst = NULL;\n}", "project": "net", "hash": 92416336376661980502294465846632864676, "size": 8, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468979 }, { "func": "int cdev_device_add(struct cdev *cdev, struct device *dev)\n{\n\tint rc = 0;\n\n\tif (dev->devt) {\n\t\tcdev_set_parent(cdev, &dev->kobj);\n\n\t\trc = cdev_add(cdev, dev->devt, 1);\n\t\tif (rc)\n\t\t\treturn rc;\n\t}\n\n\trc = device_add(dev);\n\tif (rc)\n\t\tcdev_del(cdev);\n\n\treturn rc;\n}", "project": "linux", "hash": 2493730040943291843962062760214034998, "size": 18, "commit_id": "68faa679b8be1a74e6663c21c3a9d25d32f1c079", "message": "chardev: Avoid potential use-after-free in 'chrdev_open()'\n\n'chrdev_open()' calls 'cdev_get()' to obtain a reference to the\n'struct cdev *' stashed in the 'i_cdev' field of the target inode\nstructure. 
If the pointer is NULL, then it is initialised lazily by\nlooking up the kobject in the 'cdev_map' and so the whole procedure is\nprotected by the 'cdev_lock' spinlock to serialise initialisation of\nthe shared pointer.\n\nUnfortunately, it is possible for the initialising thread to fail *after*\ninstalling the new pointer, for example if the subsequent '->open()' call\non the file fails. In this case, 'cdev_put()' is called, the reference\ncount on the kobject is dropped and, if nobody else has taken a reference,\nthe release function is called which finally clears 'inode->i_cdev' from\n'cdev_purge()' before potentially freeing the object. The problem here\nis that a racing thread can happily take the 'cdev_lock' and see the\nnon-NULL pointer in the inode, which can result in a refcount increment\nfrom zero and a warning:\n\n | ------------[ cut here ]------------\n | refcount_t: addition on 0; use-after-free.\n | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0\n | Modules linked in:\n | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\n | RIP: 0010:refcount_warn_saturate+0x6d/0xf0\n | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08\n | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282\n | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000\n | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798\n | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039\n | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700\n | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700\n | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0\n | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000\n | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n | Call Trace:\n | kobject_get+0x5c/0x60\n | cdev_get+0x2b/0x60\n | chrdev_open+0x55/0x220\n | ? cdev_put.part.3+0x20/0x20\n | do_dentry_open+0x13a/0x390\n | path_openat+0x2c8/0x1470\n | do_filp_open+0x93/0x100\n | ? selinux_file_ioctl+0x17f/0x220\n | do_sys_open+0x186/0x220\n | do_syscall_64+0x48/0x150\n | entry_SYSCALL_64_after_hwframe+0x44/0xa9\n | RIP: 0033:0x7f3b87efcd0e\n | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4\n | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101\n | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e\n | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c\n | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000\n | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e\n | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000\n | ---[ end trace 24f53ca58db8180a ]---\n\nSince 'cdev_get()' can already fail to obtain a reference, simply move\nit over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',\nwhich will cause the racing thread to return -ENXIO if the initialising\nthread fails unexpectedly.\n\nCc: Hillf Danton \nCc: Andrew Morton \nCc: Al Viro \nReported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com\nSigned-off-by: Will Deacon \nCc: stable \nLink: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 446387 }, { "func": "int kvm_vcpu_map(struct kvm_vcpu *vcpu, gfn_t gfn, struct kvm_host_map *map)\n{\n\treturn __kvm_map_gfn(kvm_vcpu_memslots(vcpu), gfn, map,\n\t\tNULL, false);\n}", "project": "linux", "hash": 123688672316547894584724967765685616093, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot 
if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354801 }, { "func": "static void\nbfq_update_io_seektime(struct bfq_data *bfqd, struct bfq_queue *bfqq,\n\t\t struct request *rq)\n{\n\tbfqq->seek_history <<= 1;\n\tbfqq->seek_history |= BFQ_RQ_SEEKY(bfqd, bfqq->last_request_pos, rq);\n\n\tif (bfqq->wr_coeff > 1 &&\n\t bfqq->wr_cur_max_time == bfqd->bfq_wr_rt_max_time &&\n\t BFQQ_TOTALLY_SEEKY(bfqq))\n\t\tbfq_bfqq_end_wr(bfqq);", "project": "linux", "hash": 226659455374585939285524324309724144903, "size": 11, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453324 }, { "func": "void kvm_s390_vcpu_unsetup_cmma(struct kvm_vcpu *vcpu)\n{\n\tfree_page(vcpu->arch.sie_block->cbrlo);\n\tvcpu->arch.sie_block->cbrlo = 0;\n}", "project": "linux", "hash": 26287654427844302284096134226851654549, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: 
Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354519 }, { "func": "void gdImageCopyResized (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int srcX, int srcY, int dstW, int dstH, int srcW, int srcH)\n{\n\tint c;\n\tint x, y;\n\tint tox, toy;\n\tint ydest;\n\tint i;\n\tint colorMap[gdMaxColors];\n\t/* Stretch vectors */\n\tint *stx, *sty;\n\n\tif (overflow2(sizeof(int), srcW)) {\n\t\treturn;\n\t}\n\tif (overflow2(sizeof(int), srcH)) {\n\t\treturn;\n\t}\n\n\tstx = (int *) gdMalloc (sizeof (int) * srcW);\n\tsty = (int *) gdMalloc (sizeof (int) * srcH);\n\n\t/* Fixed by Mao Morimoto 2.0.16 */\n\tfor (i = 0; (i < srcW); i++) {\n\t\tstx[i] = dstW * (i+1) / srcW - dstW * i / srcW ;\n\t}\n\tfor (i = 0; (i < srcH); i++) {\n\t\tsty[i] = dstH * (i+1) / srcH - dstH * i / srcH ;\n\t}\n\tfor (i = 0; (i < gdMaxColors); i++) {\n\t\tcolorMap[i] = (-1);\n\t}\n\ttoy = dstY;\n\tfor (y = srcY; (y < (srcY + srcH)); y++) {\n\t\tfor (ydest = 0; (ydest < sty[y - srcY]); ydest++) {\n\t\t\ttox = dstX;\n\t\t\tfor (x = srcX; (x < (srcX + srcW)); x++) {\n\t\t\t\tint nc = 0;\n\t\t\t\tint mapTo;\n\t\t\t\tif (!stx[x - srcX]) {\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t\tif (dst->trueColor) {\n\t\t\t\t\t/* 2.0.9: Thorben Kundinger: Maybe the source image is not a truecolor image */\n\t\t\t\t\tif (!src->trueColor) {\n\t\t\t\t\t \tint tmp = gdImageGetPixel (src, x, y);\n\t\t \t\t\t\tmapTo = gdImageGetTrueColorPixel (src, x, y);\n\t\t\t\t\t \tif (gdImageGetTransparent (src) == tmp) {\n\t\t\t\t\t\t\t/* 2.0.21, TK: not tox++ */\n\t\t\t\t\t\t\ttox += stx[x - srcX];\n\t\t\t\t\t \t\tcontinue;\n\t\t\t\t\t \t}\n\t\t\t\t\t} else {\n\t\t\t\t\t\t/* TK: old code follows */\n\t\t\t\t\t \tmapTo = gdImageGetTrueColorPixel (src, x, y);\n\t\t\t\t\t\t/* Added 7/24/95: support transparent copies */\n\t\t\t\t\t\tif (gdImageGetTransparent (src) == mapTo) {\n\t\t\t\t\t\t\t/* 2.0.21, TK: not tox++ */\n\t\t\t\t\t\t\ttox += stx[x - 
srcX];\n\t\t\t\t\t\t\tcontinue;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tc = gdImageGetPixel (src, x, y);\n\t\t\t\t\t/* Added 7/24/95: support transparent copies */\n\t\t\t\t\tif (gdImageGetTransparent (src) == c) {\n\t\t\t\t\t tox += stx[x - srcX];\n\t\t\t\t\t continue;\n\t\t\t\t\t}\n\t\t\t\t\tif (src->trueColor) {\n\t\t\t\t\t /* Remap to the palette available in the destination image. This is slow and works badly. */\n\t\t\t\t\t mapTo = gdImageColorResolveAlpha(dst, gdTrueColorGetRed(c),\n\t\t\t\t\t \t\t\t\t\t gdTrueColorGetGreen(c),\n\t\t\t\t\t \t\t\t\t\t gdTrueColorGetBlue(c),\n\t\t\t\t\t \t\t\t\t\t gdTrueColorGetAlpha (c));\n\t\t\t\t\t} else {\n\t\t\t\t\t\t/* Have we established a mapping for this color? */\n\t\t\t\t\t\tif (colorMap[c] == (-1)) {\n\t\t\t\t\t\t\t/* If it's the same image, mapping is trivial */\n\t\t\t\t\t\t\tif (dst == src) {\n\t\t\t\t\t\t\t\tnc = c;\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\t/* Find or create the best match */\n\t\t\t\t\t\t\t\t/* 2.0.5: can't use gdTrueColorGetRed, etc with palette */\n\t\t\t\t\t\t\t\tnc = gdImageColorResolveAlpha(dst, gdImageRed(src, c),\n\t\t\t\t\t\t\t\t\t\t\t\t gdImageGreen(src, c),\n\t\t\t\t\t\t\t\t\t\t\t\t gdImageBlue(src, c),\n\t\t\t\t\t\t\t\t\t\t\t\t gdImageAlpha(src, c));\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tcolorMap[c] = nc;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tmapTo = colorMap[c];\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tfor (i = 0; (i < stx[x - srcX]); i++) {\n\t\t\t\t\tgdImageSetPixel (dst, tox, toy, mapTo);\n\t\t\t\t\ttox++;\n\t\t\t\t}\n\t\t\t}\n\t\t\ttoy++;\n\t\t}\n\t}\n\tgdFree (stx);\n\tgdFree (sty);\n}", "project": "php-src", "hash": 112485659317449635028327462756806022149, "size": 104, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295145 }, { "func": "static int trace_create_savedcmd(void)\n{\n\tint ret;\n\n\tsavedcmd = 
kmalloc(sizeof(*savedcmd), GFP_KERNEL);\n\tif (!savedcmd)\n\t\treturn -ENOMEM;\n\n\tret = allocate_cmdlines_buffer(SAVED_CMDLINES_DEFAULT, savedcmd);\n\tif (ret < 0) {\n\t\tkfree(savedcmd);\n\t\tsavedcmd = NULL;\n\t\treturn -ENOMEM;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 271722184413178619266693043100480751446, "size": 17, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445747 }, { "func": "}\n\nstatic int\niscsi_multicast_skb(struct sk_buff *skb, uint32_t group, gfp_t gfp)", "project": "linux", "hash": 105511037642103783893488837197027989174, "size": 4, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 380018 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "void VideoRendererBase::Play(const base::Closure& callback) {\n base::AutoLock auto_lock(lock_);\n DCHECK_EQ(kPrerolled, state_);\n state_ = kPlaying;\n callback.Run();\n}\n", "cwe": "", "big_vul_idx": 113358, "idx": 101648, "hash": 280252465338326183292529959697577421482 }, { "func": "void gdImageRectangle (gdImagePtr im, int x1, int y1, int x2, int y2, int color)\n{\n\tint x1h = x1, x1v = x1, y1h = y1, y1v = y1, x2h = x2, x2v = x2, y2h = y2, y2v = y2;\n\tint thick = im->thick;\n\tint t;\n\n\tif (x1 == x2 && y1 == y2 && thick == 1) {\n\t\tgdImageSetPixel(im, x1, y1, color);\n\t\treturn;\n\t}\n\n\tif (y2 < y1) {\n\t\tt=y1;\n\t\ty1 = y2;\n\t\ty2 = t;\n\n\t\tt = x1;\n\t\tx1 = x2;\n\t\tx2 = t;\n\t}\n\n\tx1h = x1; x1v = x1; y1h = y1; y1v = y1; x2h = x2; x2v = x2; y2h = y2; y2v = y2;\n\tif (thick > 1) {\n\t\tint cx, cy, x1ul, y1ul, x2lr, y2lr;\n\t\tint half = thick >> 1;\n\n\t\tx1ul = x1 - half;\n\t\ty1ul = y1 - half;\n\n\t\tx2lr = x2 + half;\n\t\ty2lr = y2 + half;\n\n\t\tcy = y1ul + thick;\n\t\twhile (cy-- > y1ul) {\n\t\t\tcx = x1ul - 1;\n\t\t\twhile (cx++ < x2lr) {\n\t\t\t\tgdImageSetPixel(im, cx, cy, color);\n\t\t\t}\n\t\t}\n\n\t\tcy = y2lr - thick;\n\t\twhile (cy++ < y2lr) {\n\t\t\tcx = x1ul - 1;\n\t\t\twhile (cx++ < x2lr) {\n\t\t\t\tgdImageSetPixel(im, cx, cy, color);\n\t\t\t}\n\t\t}\n\n\t\tcy = y1ul + thick - 1;\n\t\twhile (cy++ < y2lr -thick) {\n\t\t\tcx = x1ul - 1;\n\t\t\twhile (cx++ < x1ul + thick) {\n\t\t\t\tgdImageSetPixel(im, cx, cy, color);\n\t\t\t}\n\t\t}\n\n\t\tcy = y1ul + thick - 1;\n\t\twhile (cy++ < y2lr -thick) {\n\t\t\tcx = x2lr - thick - 1;\n\t\t\twhile (cx++ < x2lr) {\n\t\t\t\tgdImageSetPixel(im, cx, cy, color);\n\t\t\t}\n\t\t}\n\n\t\treturn;\n\t} else {\n\t\ty1v = y1h + 1;\n\t\ty2v = y2h - 1;\n\t\tgdImageLine(im, x1h, y1h, x2h, y1h, color);\n\t\tgdImageLine(im, x1h, y2h, x2h, y2h, 
color);\n\t\tgdImageLine(im, x1v, y1v, x1v, y2v, color);\n\t\tgdImageLine(im, x2v, y1v, x2v, y2v, color);\n\t}\n}", "project": "php-src", "hash": 276666852176004362857888324176764131969, "size": 74, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295168 }, { "func": "static int mwait_interception(struct vcpu_svm *svm)\n{\n\tprintk_once(KERN_WARNING \"kvm: MWAIT instruction emulated as NOP!\\n\");\n\treturn nop_interception(svm);\n}", "project": "linux", "hash": 78053157905362286778097321246530011194, "size": 5, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432611 }, { "func": "static int path_parent_directory(struct path *path)\n{\n\tstruct dentry *old = path->dentry;\n\t/* rare case of legitimate dget_parent()... 
*/\n\tpath->dentry = dget_parent(path->dentry);\n\tdput(old);\n\tif (unlikely(!path_connected(path)))\n\t\treturn -ENOENT;\n\treturn 0;\n}", "project": "linux", "hash": 104447993435695074242553335089337962030, "size": 10, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295378 }, { "func": "int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)\n{\n\tgfp_t alloc_flags = GFP_KERNEL;\n\tint i, rc;\n\tchar debug_name[16];\n\tstatic unsigned long sca_offset;\n\n\trc = -EINVAL;\n#ifdef CONFIG_KVM_S390_UCONTROL\n\tif (type & ~KVM_VM_S390_UCONTROL)\n\t\tgoto out_err;\n\tif ((type & KVM_VM_S390_UCONTROL) && (!capable(CAP_SYS_ADMIN)))\n\t\tgoto out_err;\n#else\n\tif (type)\n\t\tgoto out_err;\n#endif\n\n\trc = s390_enable_sie();\n\tif (rc)\n\t\tgoto out_err;\n\n\trc = -ENOMEM;\n\n\tif (!sclp.has_64bscao)\n\t\talloc_flags |= GFP_DMA;\n\trwlock_init(&kvm->arch.sca_lock);\n\t/* start with basic SCA */\n\tkvm->arch.sca = (struct bsca_block *) get_zeroed_page(alloc_flags);\n\tif (!kvm->arch.sca)\n\t\tgoto out_err;\n\tmutex_lock(&kvm_lock);\n\tsca_offset += 16;\n\tif (sca_offset + sizeof(struct bsca_block) > PAGE_SIZE)\n\t\tsca_offset = 0;\n\tkvm->arch.sca = (struct bsca_block *)\n\t\t\t((char *) kvm->arch.sca + sca_offset);\n\tmutex_unlock(&kvm_lock);\n\n\tsprintf(debug_name, \"kvm-%u\", current->pid);\n\n\tkvm->arch.dbf = debug_register(debug_name, 32, 1, 7 * sizeof(long));\n\tif (!kvm->arch.dbf)\n\t\tgoto out_err;\n\n\tBUILD_BUG_ON(sizeof(struct sie_page2) != 4096);\n\tkvm->arch.sie_page2 =\n\t (struct sie_page2 *) get_zeroed_page(GFP_KERNEL | GFP_DMA);\n\tif (!kvm->arch.sie_page2)\n\t\tgoto out_err;\n\n\tkvm->arch.sie_page2->kvm = 
kvm;\n\tkvm->arch.model.fac_list = kvm->arch.sie_page2->fac_list;\n\n\tfor (i = 0; i < kvm_s390_fac_size(); i++) {\n\t\tkvm->arch.model.fac_mask[i] = S390_lowcore.stfle_fac_list[i] &\n\t\t\t\t\t (kvm_s390_fac_base[i] |\n\t\t\t\t\t kvm_s390_fac_ext[i]);\n\t\tkvm->arch.model.fac_list[i] = S390_lowcore.stfle_fac_list[i] &\n\t\t\t\t\t kvm_s390_fac_base[i];\n\t}\n\tkvm->arch.model.subfuncs = kvm_s390_available_subfunc;\n\n\t/* we are always in czam mode - even on pre z14 machines */\n\tset_kvm_facility(kvm->arch.model.fac_mask, 138);\n\tset_kvm_facility(kvm->arch.model.fac_list, 138);\n\t/* we emulate STHYI in kvm */\n\tset_kvm_facility(kvm->arch.model.fac_mask, 74);\n\tset_kvm_facility(kvm->arch.model.fac_list, 74);\n\tif (MACHINE_HAS_TLB_GUEST) {\n\t\tset_kvm_facility(kvm->arch.model.fac_mask, 147);\n\t\tset_kvm_facility(kvm->arch.model.fac_list, 147);\n\t}\n\n\tif (css_general_characteristics.aiv && test_facility(65))\n\t\tset_kvm_facility(kvm->arch.model.fac_mask, 65);\n\n\tkvm->arch.model.cpuid = kvm_s390_get_initial_cpuid();\n\tkvm->arch.model.ibc = sclp.ibc & 0x0fff;\n\n\tkvm_s390_crypto_init(kvm);\n\n\tmutex_init(&kvm->arch.float_int.ais_lock);\n\tspin_lock_init(&kvm->arch.float_int.lock);\n\tfor (i = 0; i < FIRQ_LIST_COUNT; i++)\n\t\tINIT_LIST_HEAD(&kvm->arch.float_int.lists[i]);\n\tinit_waitqueue_head(&kvm->arch.ipte_wq);\n\tmutex_init(&kvm->arch.ipte_mutex);\n\n\tdebug_register_view(kvm->arch.dbf, &debug_sprintf_view);\n\tVM_EVENT(kvm, 3, \"vm created with type %lu\", type);\n\n\tif (type & KVM_VM_S390_UCONTROL) {\n\t\tkvm->arch.gmap = NULL;\n\t\tkvm->arch.mem_limit = KVM_S390_NO_MEM_LIMIT;\n\t} else {\n\t\tif (sclp.hamax == U64_MAX)\n\t\t\tkvm->arch.mem_limit = TASK_SIZE_MAX;\n\t\telse\n\t\t\tkvm->arch.mem_limit = min_t(unsigned long, TASK_SIZE_MAX,\n\t\t\t\t\t\t sclp.hamax + 1);\n\t\tkvm->arch.gmap = gmap_create(current->mm, kvm->arch.mem_limit - 1);\n\t\tif (!kvm->arch.gmap)\n\t\t\tgoto out_err;\n\t\tkvm->arch.gmap->private = 
kvm;\n\t\tkvm->arch.gmap->pfault_enabled = 0;\n\t}\n\n\tkvm->arch.use_pfmfi = sclp.has_pfmfi;\n\tkvm->arch.use_skf = sclp.has_skey;\n\tspin_lock_init(&kvm->arch.start_stop_lock);\n\tkvm_s390_vsie_init(kvm);\n\tif (use_gisa)\n\t\tkvm_s390_gisa_init(kvm);\n\tKVM_EVENT(3, \"vm 0x%pK created by pid %u\", kvm, current->pid);\n\n\treturn 0;\nout_err:\n\tfree_page((unsigned long)kvm->arch.sie_page2);\n\tdebug_unregister(kvm->arch.dbf);\n\tsca_dispose(kvm);\n\tKVM_EVENT(3, \"creation of vm failed: %d\", rc);\n\treturn rc;\n}", "project": "linux", "hash": 314859656108369557021578416863027261340, "size": 124, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354796 }, { "func": "static void trace_hotside(jit_State *J, const BCIns *pc)\n{\n SnapShot *snap = &traceref(J, J->parent)->snap[J->exitno];\n if (!(J2G(J)->hookmask & (HOOK_GC|HOOK_VMEVENT)) &&\n snap->count != SNAPCOUNT_DONE &&\n ++snap->count >= J->param[JIT_P_hotexit]) {\n lua_assert(J->state == LJ_TRACE_IDLE);\n /* J->parent is non-zero for a side trace. 
*/\n J->state = LJ_TRACE_START;\n lj_trace_ins(J, pc);\n }\n}", "project": "LuaJIT", "hash": 179684409777471889921321243883674785208, "size": 12, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394656 }, { "func": "static int parse_dirplusfile(char *buf, size_t nbytes, struct file *file,\n\t\t\t struct dir_context *ctx, u64 attr_version)\n{\n\tstruct fuse_direntplus *direntplus;\n\tstruct fuse_dirent *dirent;\n\tsize_t reclen;\n\tint over = 0;\n\tint ret;\n\n\twhile (nbytes >= FUSE_NAME_OFFSET_DIRENTPLUS) {\n\t\tdirentplus = (struct fuse_direntplus *) buf;\n\t\tdirent = &direntplus->dirent;\n\t\treclen = FUSE_DIRENTPLUS_SIZE(direntplus);\n\n\t\tif (!dirent->namelen || dirent->namelen > FUSE_NAME_MAX)\n\t\t\treturn -EIO;\n\t\tif (reclen > nbytes)\n\t\t\tbreak;\n\t\tif (memchr(dirent->name, '/', dirent->namelen) != NULL)\n\t\t\treturn -EIO;\n\n\t\tif (!over) {\n\t\t\t/* We fill entries into dstbuf only as much as\n\t\t\t it can hold. But we still continue iterating\n\t\t\t over remaining entries to link them. If not,\n\t\t\t we need to send a FORGET for each of those\n\t\t\t which we did not link.\n\t\t\t*/\n\t\t\tover = !fuse_emit(file, ctx, dirent);\n\t\t\tif (!over)\n\t\t\t\tctx->pos = dirent->off;\n\t\t}\n\n\t\tbuf += reclen;\n\t\tnbytes -= reclen;\n\n\t\tret = fuse_direntplus_link(file, direntplus, attr_version);\n\t\tif (ret)\n\t\t\tfuse_force_forget(file, direntplus->entry_out.nodeid);\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 185784746105581586128616109829740338631, "size": 43, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341960 }, { "func": "static unsigned get_maxpacket(struct usb_device *udev, int pipe)\n{\n\tstruct usb_host_endpoint\t*ep;\n\n\tep = usb_pipe_endpoint(udev, pipe);\n\treturn le16_to_cpup(&ep->desc.wMaxPacketSize);\n}", "project": "linux", "hash": 188382914141697085936953316492778339415, "size": 7, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] 
usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412265 }, { "func": "coproc_alloc (name, pid)\n char *name;\n pid_t pid;\n{\n struct coproc *cp;\n\n#if MULTIPLE_COPROCS\n cp = (struct coproc *)xmalloc (sizeof (struct coproc));\n#else\n cp = &sh_coproc;\n#endif\n coproc_init (cp);\n\n cp->c_name = savestring (name);\n cp->c_pid = pid;\n\n#if MULTIPLE_COPROCS\n cpl_add (cp);\n#endif\n\n return (cp);\n}", "project": "bash", "hash": 249448322245354515924501952483813802422, "size": 22, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379421 }, { "func": "static __u32 __packet_set_timestamp(struct packet_sock *po, void *frame,\n\t\t\t\t struct sk_buff 
*skb)\n{\n\tunion tpacket_uhdr h;\n\tstruct timespec64 ts;\n\t__u32 ts_status;\n\n\tif (!(ts_status = tpacket_get_timestamp(skb, &ts, po->tp_tstamp)))\n\t\treturn 0;\n\n\th.raw = frame;\n\t/*\n\t * versions 1 through 3 overflow the timestamps in y2106, since they\n\t * all store the seconds in a 32-bit unsigned integer.\n\t * If we create a version 4, that should have a 64-bit timestamp,\n\t * either 64-bit seconds + 32-bit nanoseconds, or just 64-bit\n\t * nanoseconds.\n\t */\n\tswitch (po->tp_version) {\n\tcase TPACKET_V1:\n\t\th.h1->tp_sec = ts.tv_sec;\n\t\th.h1->tp_usec = ts.tv_nsec / NSEC_PER_USEC;\n\t\tbreak;\n\tcase TPACKET_V2:\n\t\th.h2->tp_sec = ts.tv_sec;\n\t\th.h2->tp_nsec = ts.tv_nsec;\n\t\tbreak;\n\tcase TPACKET_V3:\n\t\th.h3->tp_sec = ts.tv_sec;\n\t\th.h3->tp_nsec = ts.tv_nsec;\n\t\tbreak;\n\tdefault:\n\t\tWARN(1, \"TPACKET version not supported.\\n\");\n\t\tBUG();\n\t}\n\n\t/* one flush is safe, as both fields always lie on the same cacheline */\n\tflush_dcache_page(pgv_to_page(&h.h1->tp_sec));\n\tsmp_wmb();\n\n\treturn ts_status;\n}", "project": "linux", "hash": 340261309723772249692657374343223603274, "size": 42, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330414 }, { "func": "int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,\n\t\t\t const struct 
tcphdr *th, unsigned int len)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct inet_connection_sock *icsk = inet_csk(sk);\n\tint queued = 0;\n\tint res;\n\n\ttp->rx_opt.saw_tstamp = 0;\n\n\tswitch (sk->sk_state) {\n\tcase TCP_CLOSE:\n\t\tgoto discard;\n\n\tcase TCP_LISTEN:\n\t\tif (th->ack)\n\t\t\treturn 1;\n\n\t\tif (th->rst)\n\t\t\tgoto discard;\n\n\t\tif (th->syn) {\n\t\t\tif (th->fin)\n\t\t\t\tgoto discard;\n\t\t\tif (icsk->icsk_af_ops->conn_request(sk, skb) < 0)\n\t\t\t\treturn 1;\n\n\t\t\t/* Now we have several options: In theory there is\n\t\t\t * nothing else in the frame. KA9Q has an option to\n\t\t\t * send data with the syn, BSD accepts data with the\n\t\t\t * syn up to the [to be] advertised window and\n\t\t\t * Solaris 2.1 gives you a protocol error. For now\n\t\t\t * we just ignore it, that fits the spec precisely\n\t\t\t * and avoids incompatibilities. It would be nice in\n\t\t\t * future to drop through and process the data.\n\t\t\t *\n\t\t\t * Now that TTCP is starting to be used we ought to\n\t\t\t * queue this data.\n\t\t\t * But, this leaves one open to an easy denial of\n\t\t\t * service attack, and SYN cookies can't defend\n\t\t\t * against this problem. So, we drop the data\n\t\t\t * in the interest of security over speed unless\n\t\t\t * it's still in use.\n\t\t\t */\n\t\t\tkfree_skb(skb);\n\t\t\treturn 0;\n\t\t}\n\t\tgoto discard;\n\n\tcase TCP_SYN_SENT:\n\t\tqueued = tcp_rcv_synsent_state_process(sk, skb, th, len);\n\t\tif (queued >= 0)\n\t\t\treturn queued;\n\n\t\t/* Do step6 onward by hand. 
*/\n\t\ttcp_urg(sk, skb, th);\n\t\t__kfree_skb(skb);\n\t\ttcp_data_snd_check(sk);\n\t\treturn 0;\n\t}\n\n\tres = tcp_validate_incoming(sk, skb, th, 0);\n\tif (res <= 0)\n\t\treturn -res;\n\n\t/* step 5: check the ACK field */\n\tif (th->ack) {\n\t\tint acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0;\n\n\t\tswitch (sk->sk_state) {\n\t\tcase TCP_SYN_RECV:\n\t\t\tif (acceptable) {\n\t\t\t\ttp->copied_seq = tp->rcv_nxt;\n\t\t\t\tsmp_mb();\n\t\t\t\ttcp_set_state(sk, TCP_ESTABLISHED);\n\t\t\t\tsk->sk_state_change(sk);\n\n\t\t\t\t/* Note, that this wakeup is only for marginal\n\t\t\t\t * crossed SYN case. Passively open sockets\n\t\t\t\t * are not waked up, because sk->sk_sleep ==\n\t\t\t\t * NULL and sk->sk_socket == NULL.\n\t\t\t\t */\n\t\t\t\tif (sk->sk_socket)\n\t\t\t\t\tsk_wake_async(sk,\n\t\t\t\t\t\t SOCK_WAKE_IO, POLL_OUT);\n\n\t\t\t\ttp->snd_una = TCP_SKB_CB(skb)->ack_seq;\n\t\t\t\ttp->snd_wnd = ntohs(th->window) <<\n\t\t\t\t\t tp->rx_opt.snd_wscale;\n\t\t\t\ttcp_init_wl(tp, TCP_SKB_CB(skb)->seq);\n\n\t\t\t\tif (tp->rx_opt.tstamp_ok)\n\t\t\t\t\ttp->advmss -= TCPOLEN_TSTAMP_ALIGNED;\n\n\t\t\t\t/* Make sure socket is routed, for\n\t\t\t\t * correct metrics.\n\t\t\t\t */\n\t\t\t\ticsk->icsk_af_ops->rebuild_header(sk);\n\n\t\t\t\ttcp_init_metrics(sk);\n\n\t\t\t\ttcp_init_congestion_control(sk);\n\n\t\t\t\t/* Prevent spurious tcp_cwnd_restart() on\n\t\t\t\t * first data packet.\n\t\t\t\t */\n\t\t\t\ttp->lsndtime = tcp_time_stamp;\n\n\t\t\t\ttcp_mtup_init(sk);\n\t\t\t\ttcp_initialize_rcv_mss(sk);\n\t\t\t\ttcp_init_buffer_space(sk);\n\t\t\t\ttcp_fast_path_on(tp);\n\t\t\t} else {\n\t\t\t\treturn 1;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase TCP_FIN_WAIT1:\n\t\t\tif (tp->snd_una == tp->write_seq) {\n\t\t\t\ttcp_set_state(sk, TCP_FIN_WAIT2);\n\t\t\t\tsk->sk_shutdown |= SEND_SHUTDOWN;\n\t\t\t\tdst_confirm(__sk_dst_get(sk));\n\n\t\t\t\tif (!sock_flag(sk, SOCK_DEAD))\n\t\t\t\t\t/* Wake up lingering close() */\n\t\t\t\t\tsk->sk_state_change(sk);\n\t\t\t\telse {\n\t\t\t\t\tint 
tmo;\n\n\t\t\t\t\tif (tp->linger2 < 0 ||\n\t\t\t\t\t (TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq &&\n\t\t\t\t\t after(TCP_SKB_CB(skb)->end_seq - th->fin, tp->rcv_nxt))) {\n\t\t\t\t\t\ttcp_done(sk);\n\t\t\t\t\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPABORTONDATA);\n\t\t\t\t\t\treturn 1;\n\t\t\t\t\t}\n\n\t\t\t\t\ttmo = tcp_fin_time(sk);\n\t\t\t\t\tif (tmo > TCP_TIMEWAIT_LEN) {\n\t\t\t\t\t\tinet_csk_reset_keepalive_timer(sk, tmo - TCP_TIMEWAIT_LEN);\n\t\t\t\t\t} else if (th->fin || sock_owned_by_user(sk)) {\n\t\t\t\t\t\t/* Bad case. We could lose such FIN otherwise.\n\t\t\t\t\t\t * It is not a big problem, but it looks confusing\n\t\t\t\t\t\t * and not so rare event. We still can lose it now,\n\t\t\t\t\t\t * if it spins in bh_lock_sock(), but it is really\n\t\t\t\t\t\t * marginal case.\n\t\t\t\t\t\t */\n\t\t\t\t\t\tinet_csk_reset_keepalive_timer(sk, tmo);\n\t\t\t\t\t} else {\n\t\t\t\t\t\ttcp_time_wait(sk, TCP_FIN_WAIT2, tmo);\n\t\t\t\t\t\tgoto discard;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase TCP_CLOSING:\n\t\t\tif (tp->snd_una == tp->write_seq) {\n\t\t\t\ttcp_time_wait(sk, TCP_TIME_WAIT, 0);\n\t\t\t\tgoto discard;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase TCP_LAST_ACK:\n\t\t\tif (tp->snd_una == tp->write_seq) {\n\t\t\t\ttcp_update_metrics(sk);\n\t\t\t\ttcp_done(sk);\n\t\t\t\tgoto discard;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t} else\n\t\tgoto discard;\n\n\t/* step 6: check the URG bit */\n\ttcp_urg(sk, skb, th);\n\n\t/* step 7: process the segment text */\n\tswitch (sk->sk_state) {\n\tcase TCP_CLOSE_WAIT:\n\tcase TCP_CLOSING:\n\tcase TCP_LAST_ACK:\n\t\tif (!before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt))\n\t\t\tbreak;\n\tcase TCP_FIN_WAIT1:\n\tcase TCP_FIN_WAIT2:\n\t\t/* RFC 793 says to queue data in these states,\n\t\t * RFC 1122 says we MUST send a reset.\n\t\t * BSD 4.4 also does reset.\n\t\t */\n\t\tif (sk->sk_shutdown & RCV_SHUTDOWN) {\n\t\t\tif (TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq &&\n\t\t\t after(TCP_SKB_CB(skb)->end_seq - th->fin, 
tp->rcv_nxt)) {\n\t\t\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPABORTONDATA);\n\t\t\t\ttcp_reset(sk);\n\t\t\t\treturn 1;\n\t\t\t}\n\t\t}\n\t\t/* Fall through */\n\tcase TCP_ESTABLISHED:\n\t\ttcp_data_queue(sk, skb);\n\t\tqueued = 1;\n\t\tbreak;\n\t}\n\n\t/* tcp_data could move socket to TIME-WAIT */\n\tif (sk->sk_state != TCP_CLOSE) {\n\t\ttcp_data_snd_check(sk);\n\t\ttcp_ack_snd_check(sk);\n\t}\n\n\tif (!queued) {\ndiscard:\n\t\t__kfree_skb(skb);\n\t}\n\treturn 0;\n}", "project": "net-next", "hash": 272241931287238542526434514124556341939, "size": 217, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409911 }, { "func": "static void ebb_event_add(struct perf_event *event) { }", "project": "linux", "hash": 262293016863915766741410804120743667114, "size": 1, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n 
perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374678 }, { "func": "static void ebb_event_add(struct perf_event *event)\n{\n\tif (!is_ebb_event(event) || current->thread.used_ebb)\n\t\treturn;\n\n\t/*\n\t * IFF this is the first time we've added an EBB event, set\n\t * PMXE in the user MMCR0 so we can detect when it's cleared by\n\t * userspace. 
We need this so that we can context switch while\n\t * userspace is in the EBB handler (where PMXE is 0).\n\t */\n\tcurrent->thread.used_ebb = 1;\n\tcurrent->thread.mmcr0 |= MMCR0_PMXE;\n}", "project": "linux", "hash": 88930625388511209862398557595313784471, "size": 14, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374725 }, { "func": "void hci_req_clear_adv_instance(struct hci_dev *hdev, struct sock *sk,\n\t\t\t\tstruct hci_request *req, u8 instance,\n\t\t\t\tbool force)\n{\n\tstruct adv_info *adv_instance, *n, *next_instance = NULL;\n\tint err;\n\tu8 rem_inst;\n\n\t/* Cancel any timeout concerning the removed instance(s). */\n\tif (!instance || hdev->cur_adv_instance == instance)\n\t\tcancel_adv_timeout(hdev);\n\n\t/* Get the next instance to advertise BEFORE we remove\n\t * the current one. This can be the same instance again\n\t * if there is only one instance.\n\t */\n\tif (instance && hdev->cur_adv_instance == instance)\n\t\tnext_instance = hci_get_next_instance(hdev, instance);\n\n\tif (instance == 0x00) {\n\t\tlist_for_each_entry_safe(adv_instance, n, &hdev->adv_instances,\n\t\t\t\t\t list) {\n\t\t\tif (!(force || adv_instance->timeout))\n\t\t\t\tcontinue;\n\n\t\t\trem_inst = adv_instance->instance;\n\t\t\terr = hci_remove_adv_instance(hdev, rem_inst);\n\t\t\tif (!err)\n\t\t\t\tmgmt_advertising_removed(sk, hdev, rem_inst);\n\t\t}\n\t} else {\n\t\tadv_instance = hci_find_adv_instance(hdev, instance);\n\n\t\tif (force || (adv_instance && adv_instance->timeout &&\n\t\t\t !adv_instance->remaining_time)) {\n\t\t\t/* Don't advertise a removed instance. 
*/\n\t\t\tif (next_instance &&\n\t\t\t next_instance->instance == instance)\n\t\t\t\tnext_instance = NULL;\n\n\t\t\terr = hci_remove_adv_instance(hdev, instance);\n\t\t\tif (!err)\n\t\t\t\tmgmt_advertising_removed(sk, hdev, instance);\n\t\t}\n\t}\n\n\tif (!req || !hdev_is_powered(hdev) ||\n\t hci_dev_test_flag(hdev, HCI_ADVERTISING))\n\t\treturn;\n\n\tif (next_instance && !ext_adv_capable(hdev))\n\t\t__hci_req_schedule_adv_instance(req, next_instance->instance,\n\t\t\t\t\t\tfalse);\n}", "project": "linux", "hash": 10831980407442343726236674767726323599, "size": 54, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402509 }, { "func": "static void fuse_aio_complete_req(struct fuse_mount *fm, struct fuse_args *args,\n\t\t\t\t int err)\n{\n\tstruct fuse_io_args *ia = container_of(args, typeof(*ia), ap.args);\n\tstruct fuse_io_priv *io = ia->io;\n\tssize_t pos = -1;\n\n\tfuse_release_user_pages(&ia->ap, io->should_dirty);\n\n\tif (err) {\n\t\t/* Nothing */\n\t} else if (io->write) {\n\t\tif (ia->write.out.size > ia->write.in.size) {\n\t\t\terr = -EIO;\n\t\t} else if (ia->write.in.size != ia->write.out.size) {\n\t\t\tpos = ia->write.in.offset - io->offset +\n\t\t\t\tia->write.out.size;\n\t\t}\n\t} else {\n\t\tu32 outsize = args->out_args[0].size;\n\n\t\tif (ia->read.in.size != outsize)\n\t\t\tpos = ia->read.in.offset - io->offset + outsize;\n\t}\n\n\tfuse_aio_complete(io, err, pos);\n\tfuse_io_free(ia);\n}", "project": "linux", "hash": 100064648311382044792549425064886147920, "size": 28, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342029 }, { "func": "void rotate_coords(int x, int y, int *xo, int *yo, int dxi, int dyi) {\n\tint xi = x, yi = y;\n\tint Dx, Dy;\n\n\tif (dxi >= 0) {\n\t\tDx = dxi;\n\t\tDy = dyi;\n\t} else if (scaling) {\n\t\tDx = scaled_x;\n\t\tDy = scaled_y;\n\t} else {\n\t\tDx = dpy_x;\n\t\tDy = dpy_y;\n\t}\n\n\t/* ncache?? */\n\n\tif (rotating == ROTATE_NONE) {\n\t\t*xo = xi;\n\t\t*yo = yi;\n\t} else if (rotating == ROTATE_X) {\n\t\t*xo = Dx - xi - 1;\n\t\t*yo = yi;\n\t} else if (rotating == ROTATE_Y) {\n\t\t*xo = xi;\n\t\t*yo = Dy - yi - 1;\n\t} else if (rotating == ROTATE_XY) {\n\t\t*xo = Dx - xi - 1;\n\t\t*yo = Dy - yi - 1;\n\t} else if (rotating == ROTATE_90) {\n\t\t*xo = Dy - yi - 1;\n\t\t*yo = xi;\n\t} else if (rotating == ROTATE_90X) {\n\t\t*xo = yi;\n\t\t*yo = xi;\n\t} else if (rotating == ROTATE_90Y) {\n\t\t*xo = Dy - yi - 1;\n\t\t*yo = Dx - xi - 1;\n\t} else if (rotating == ROTATE_270) {\n\t\t*xo = yi;\n\t\t*yo = Dx - xi - 1;\n\t}\n}", "project": "x11vnc", "hash": 158606915113634591144330365204392657048, "size": 43, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360767 }, { "func": "static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,\n\t\t\t\t bdaddr_t *bdaddr, u8 *name, u8 name_len)\n{\n\tstruct discovery_state *discov = &hdev->discovery;\n\tstruct inquiry_entry *e;\n\n\t/* Update the mgmt connected state if necessary. 
Be careful with\n\t * conn objects that exist but are not (yet) connected however.\n\t * Only those in BT_CONFIG or BT_CONNECTED states can be\n\t * considered connected.\n\t */\n\tif (conn &&\n\t (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&\n\t !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))\n\t\tmgmt_device_connected(hdev, conn, 0, name, name_len);\n\n\tif (discov->state == DISCOVERY_STOPPED)\n\t\treturn;\n\n\tif (discov->state == DISCOVERY_STOPPING)\n\t\tgoto discov_complete;\n\n\tif (discov->state != DISCOVERY_RESOLVING)\n\t\treturn;\n\n\te = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);\n\t/* If the device was not found in a list of found devices names of which\n\t * are pending. there is no need to continue resolving a next name as it\n\t * will be done upon receiving another Remote Name Request Complete\n\t * Event */\n\tif (!e)\n\t\treturn;\n\n\tlist_del(&e->list);\n\tif (name) {\n\t\te->name_state = NAME_KNOWN;\n\t\tmgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,\n\t\t\t\t e->data.rssi, name, name_len);\n\t} else {\n\t\te->name_state = NAME_NOT_KNOWN;\n\t}\n\n\tif (hci_resolve_next_name(hdev))\n\t\treturn;\n\ndiscov_complete:\n\thci_discovery_set_state(hdev, DISCOVERY_STOPPED);\n}", "project": "linux", "hash": 284710589561580116156821762483775583438, "size": 48, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431895 }, { "func": "static int update_scan(struct hci_request *req, unsigned long opt)\n{\n\thci_dev_lock(req->hdev);\n\t__hci_req_update_scan(req);\n\thci_dev_unlock(req->hdev);\n\treturn 0;\n}", "project": "linux", "hash": 326592139344288354210602266368766828120, "size": 7, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402560 }, { "func": "\nstatic bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq,\n\t\t\t\tstruct bio *bio)\n{\n\tstruct bfq_data *bfqd = q->elevator->elevator_data;\n\tbool is_sync = op_is_sync(bio->bi_opf);\n\tstruct bfq_queue *bfqq = bfqd->bio_bfqq, *new_bfqq;\n\n\t/*\n\t * Disallow merge of a sync bio into an async request.\n\t */\n\tif (is_sync && !rq_is_sync(rq))\n\t\treturn false;\n\n\t/*\n\t * Lookup the bfqq that this bio will be queued with. 
Allow\n\t * merge only if rq is queued there.\n\t */\n\tif (!bfqq)\n\t\treturn false;\n\n\t/*\n\t * We take advantage of this function to perform an early merge\n\t * of the queues of possible cooperating processes.\n\t */\n\tnew_bfqq = bfq_setup_cooperator(bfqd, bfqq, bio, false);\n\tif (new_bfqq) {\n\t\t/*\n\t\t * bic still points to bfqq, then it has not yet been\n\t\t * redirected to some other bfq_queue, and a queue\n\t\t * merge between bfqq and new_bfqq can be safely\n\t\t * fulfilled, i.e., bic can be redirected to new_bfqq\n\t\t * and bfqq can be put.\n\t\t */\n\t\tbfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq,\n\t\t\t\tnew_bfqq);\n\t\t/*\n\t\t * If we get here, bio will be queued into new_queue,\n\t\t * so use new_bfqq to decide whether bio and rq can be\n\t\t * merged.\n\t\t */\n\t\tbfqq = new_bfqq;\n\n\t\t/*\n\t\t * Change also bqfd->bio_bfqq, as\n\t\t * bfqd->bio_bic now points to new_bfqq, and\n\t\t * this function may be invoked again (and then may\n\t\t * use again bqfd->bio_bfqq).\n\t\t */\n\t\tbfqd->bio_bfqq = bfqq;\n\t}\n\n\treturn bfqq == RQ_BFQQ(rq);", "project": "linux", "hash": 84226915421851897684092451602754636126, "size": 53, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453319 }, { "func": "static int ov518_i2c_r(struct sd *sd, u8 reg)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint value;\n\n\t/* Select camera register */\n\treg_w(sd, R51x_I2C_SADDR_2, reg);\n\n\t/* Initiate 2-byte write cycle */\n\treg_w(sd, R518_I2C_CTL, 0x03);\n\treg_r8(sd, R518_I2C_CTL);\n\n\t/* Initiate 2-byte read cycle */\n\treg_w(sd, R518_I2C_CTL, 0x05);\n\treg_r8(sd, R518_I2C_CTL);\n\n\tvalue = reg_r(sd, R51x_I2C_DATA);\n\tgspca_dbg(gspca_dev, D_USBI, \"ov518_i2c_r %02x %02x\\n\", reg, value);\n\treturn value;\n}", "project": "linux", "hash": 206340283320956279028850175719946234095, "size": 20, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a 
NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306300 }, { "func": "static void rle2image(struct enc85 *dec,int rlelen,struct _GImage *base) {\n uint8 *pt, *end;\n int r,c,set, cnt, ch, ch2;\n int i;\n\n r = c = 0; set = 1; pt = base->data; end = pt + base->bytes_per_line*base->height;\n memset(base->data,0xff,end-pt);\n while ( rlelen>0 ) {\n\tif ( pt>=end ) {\n\t IError( \"RLE failure\\n\" );\n\t while ( rlelen>0 ) { Dec85(dec); --rlelen; }\n break;\n\t}\n\tch = Dec85(dec);\n\t--rlelen;\n\tif ( ch==255 ) {\n\t ch2 = Dec85(dec);\n\t cnt = (ch2<<8) + Dec85(dec);\n\t rlelen -= 2;\n\t} else\n\t cnt = ch;\n\tif ( ch==255 && ch2==0 && cnt<255 ) {\n\t /* Line duplication */\n\t for ( i=0; idata+(r-1)*base->bytes_per_line,base->bytes_per_line);\n\t\t++r;\n\t\tpt += base->bytes_per_line;\n\t }\n\t set = 1;\n\t} else {\n\t if ( pt + ((c+cnt)>>3) > end ) {\n\t\tIError( \"Run length encoded image has been corrupted.\\n\" );\n break;\n\t }\n\t if ( !set ) {\n\t\tfor ( i=0; i>3] &= ((~0x80)>>((c+i)&7));\n\t }\n\t c += cnt;\n\t set = 1-set;\n\t if ( c>=base->width ) {\n\t\t++r;\n\t\tpt += base->bytes_per_line;\n\t\tc = 0; set = 1;\n\t }\n\t}\n }\n}", "project": "fontforge", "hash": 217687888326318575219847268292526727953, "size": 48, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer 
dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417868 }, { "func": "static void svm_fpu_deactivate(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tset_exception_intercept(svm, NM_VECTOR);\n\tupdate_cr0_intercept(svm);\n}", "project": "kvm", "hash": 237030092764165912041919757159977078691, "size": 7, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437648 }, { "func": "static void signal_handler(int signum) {\n\tchar cmd[1024];\n\tif (!crash_handler_cmd) {\n\t\treturn;\n\t}\n\tsnprintf (cmd, sizeof(cmd) - 1, crash_handler_cmd, getpid ());\n\tr_sys_backtrace ();\n\texit (r_sys_cmd (cmd));\n}", "project": "radare2", "hash": 156603931691630002995810625021690829881, "size": 9, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268991 }, { "func": "static void avic_vcpu_load(struct kvm_vcpu *vcpu, int cpu)\n{\n\tu64 entry;\n\t/* ID = 0xff (broadcast), ID > 0xff (reserved) */\n\tint h_physical_id = kvm_cpu_get_apicid(cpu);\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (!kvm_vcpu_apicv_active(vcpu))\n\t\treturn;\n\n\t/*\n\t * Since the host physical APIC id is 8 bits,\n\t * we can support host APIC ID upto 255.\n\t */\n\tif (WARN_ON(h_physical_id > AVIC_PHYSICAL_ID_ENTRY_HOST_PHYSICAL_ID_MASK))\n\t\treturn;\n\n\tentry = READ_ONCE(*(svm->avic_physical_id_cache));\n\tWARN_ON(entry & AVIC_PHYSICAL_ID_ENTRY_IS_RUNNING_MASK);\n\n\tentry &= ~AVIC_PHYSICAL_ID_ENTRY_HOST_PHYSICAL_ID_MASK;\n\tentry |= (h_physical_id & AVIC_PHYSICAL_ID_ENTRY_HOST_PHYSICAL_ID_MASK);\n\n\tentry &= ~AVIC_PHYSICAL_ID_ENTRY_IS_RUNNING_MASK;\n\tif (svm->avic_is_running)\n\t\tentry |= AVIC_PHYSICAL_ID_ENTRY_IS_RUNNING_MASK;\n\n\tWRITE_ONCE(*(svm->avic_physical_id_cache), entry);\n\tavic_update_iommu_vcpu_affinity(vcpu, h_physical_id,\n\t\t\t\t\tsvm->avic_is_running);\n}", "project": "linux", "hash": 85196072249028610097886996875876283132, "size": 31, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432505 }, { "func": "bool CServer::IsAuthed(int ClientID) const\n{\n\treturn m_aClients[ClientID].m_Authed;\n}", "project": "teeworlds", "hash": 75844521198910439205251577261037510825, "size": 4, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382019 }, { "func": "static int get_npt_level(struct kvm_vcpu *vcpu)\n{\n#ifdef CONFIG_X86_64\n\treturn PT64_ROOT_4LEVEL;\n#else\n\treturn PT32E_ROOT_LEVEL;\n#endif\n}", "project": "linux", "hash": 248236132367007896264242284073934966862, "size": 8, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432573 }, { "func": "static int get_npt_level(void)\n{\n#ifdef CONFIG_X86_64\n\treturn PT64_ROOT_LEVEL;\n#else\n\treturn PT32E_ROOT_LEVEL;\n#endif\n}", "project": "kvm", "hash": 71193155610921133825715476700552397055, "size": 8, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). 
However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437639 }, { "func": " void bring_value()\n {\n if (result_type() == ROW_RESULT)\n orig_item->bring_value();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 138150597814172797079154662061403142012, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / 
derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508947 }, { "func": "static bool php_set_inet6_addr(struct sockaddr_in6 *sin6,\n const char *address,\n req::ptr sock) {\n struct in6_addr tmp;\n struct addrinfo hints;\n struct addrinfo *addrinfo = NULL;\n\n if (inet_pton(AF_INET6, address, &tmp)) {\n memcpy(&(sin6->sin6_addr.s6_addr), &(tmp.s6_addr),\n sizeof(struct in6_addr));\n } else {\n memset(&hints, 0, sizeof(struct addrinfo));\n hints.ai_family = PF_INET6;\n getaddrinfo(address, NULL, &hints, &addrinfo);\n if (!addrinfo) {\n // 10000 is a magic value to indicate a host error.\n SOCKET_ERROR(sock, \"Host lookup failed\", (-10000 - h_errno));\n return false;\n }\n if (addrinfo->ai_family != PF_INET6 ||\n addrinfo->ai_addrlen != sizeof(struct sockaddr_in6)) {\n raise_warning(\"Host lookup failed: Non AF_INET6 domain \"\n \"returned on AF_INET6 socket\");\n freeaddrinfo(addrinfo);\n return false;\n }\n\n memcpy(&(sin6->sin6_addr.s6_addr),\n ((struct sockaddr_in6*)(addrinfo->ai_addr))->sin6_addr.s6_addr,\n sizeof(struct in6_addr));\n freeaddrinfo(addrinfo);\n }\n\n const char *scope = strchr(address, '%');\n if (scope++) {\n int64_t lval = 0;\n double dval = 0;\n unsigned scope_id = 0;\n if (KindOfInt64 == is_numeric_string(scope, strlen(scope), &lval, &dval,\n 0)) {\n if (lval > 0 && lval <= 
UINT_MAX) {\n scope_id = lval;\n }\n } else {\n php_string_to_if_index(scope, &scope_id);\n }\n\n sin6->sin6_scope_id = scope_id;\n }\n\n return true;\n}", "project": "hhvm", "hash": 123264127280821912276377690876156861950, "size": 52, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219183 }, { "func": "ConnStateData::startPeekAndSplice()\n{\n // This is the Step2 of the SSL bumping\n assert(sslServerBump);\n Http::StreamPointer context = pipeline.front();\n ClientHttpRequest *http = context ? context->http : nullptr;\n\n if (sslServerBump->step == Ssl::bumpStep1) {\n sslServerBump->step = Ssl::bumpStep2;\n // Run a accessList check to check if want to splice or continue bumping\n\n ACLFilledChecklist *acl_checklist = new ACLFilledChecklist(Config.accessList.ssl_bump, sslServerBump->request.getRaw(), nullptr);\n acl_checklist->al = http ? http->al : nullptr;\n //acl_checklist->src_addr = params.conn->remote;\n //acl_checklist->my_addr = s->s;\n acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpNone));\n acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpClientFirst));\n acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpServerFirst));\n const char *log_uri = http ? 
http->log_uri : nullptr;\n acl_checklist->syncAle(sslServerBump->request.getRaw(), log_uri);\n acl_checklist->nonBlockingCheck(httpsSslBumpStep2AccessCheckDone, this);\n return;\n }\n\n // will call httpsPeeked() with certificate and connection, eventually\n Security::ContextPointer unConfiguredCTX(Ssl::createSSLContext(port->secure.signingCa.cert, port->secure.signingCa.pkey, port->secure));\n fd_table[clientConnection->fd].dynamicTlsContext = unConfiguredCTX;\n\n if (!httpsCreate(this, unConfiguredCTX))\n return;\n\n switchedToHttps_ = true;\n\n auto ssl = fd_table[clientConnection->fd].ssl.get();\n BIO *b = SSL_get_rbio(ssl);\n Ssl::ClientBio *bio = static_cast(BIO_get_data(b));\n bio->setReadBufData(inBuf);\n bio->hold(true);\n\n // Here squid should have all of the client hello message so the\n // tlsAttemptHandshake() should return 0.\n // This block exist only to force openSSL parse client hello and detect\n // ERR_SECURE_ACCEPT_FAIL error, which should be checked and splice if required.\n if (tlsAttemptHandshake(this, nullptr) < 0) {\n debugs(83, 2, \"TLS handshake failed.\");\n HttpRequest::Pointer request(http ? http->request : nullptr);\n if (!clientTunnelOnError(this, context, request, HttpRequestMethod(), ERR_SECURE_ACCEPT_FAIL))\n clientConnection->close();\n return;\n }\n\n // We need to reset inBuf here, to be used by incoming requests in the case\n // of SSL bump\n inBuf.clear();\n\n debugs(83, 5, \"Peek and splice at step2 done. Start forwarding the request!!! \");\n FwdState::Start(clientConnection, sslServerBump->entry, sslServerBump->request.getRaw(), http ? http->al : NULL);\n}", "project": "squid", "hash": 152181413886926224427690905172159440146, "size": 58, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402312 }, { "func": "void gdImageCopy (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int srcX, int srcY, int w, int h)\n{\n\tint c;\n\tint x, y;\n\tint tox, toy;\n\tint i;\n\tint colorMap[gdMaxColors];\n\n\tif (dst->trueColor) {\n\t\t/* 2.0: much easier when the destination is truecolor. */\n\t\t/* 2.0.10: needs a transparent-index check that is still valid if\n\t\t * the source is not truecolor. Thanks to Frank Warmerdam.\n\t\t */\n\n\t\tif (src->trueColor) {\n\t\t\tfor (y = 0; (y < h); y++) {\n\t\t\t\tfor (x = 0; (x < w); x++) {\n\t\t\t\t\tint c = gdImageGetTrueColorPixel (src, srcX + x, srcY + y);\n\t\t\t\t\tgdImageSetPixel (dst, dstX + x, dstY + y, c);\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\t/* source is palette based */\n\t\t\tfor (y = 0; (y < h); y++) {\n\t\t\t\tfor (x = 0; (x < w); x++) {\n\t\t\t\t\tint c = gdImageGetPixel (src, srcX + x, srcY + y);\n\t\t\t\t\tif (c != src->transparent) {\n\t\t\t\t\t\tgdImageSetPixel(dst, dstX + x, dstY + y, gdTrueColorAlpha(src->red[c], src->green[c], src->blue[c], src->alpha[c]));\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn;\n\t}\n\n\t/* Destination is palette based */\n\tif (src->trueColor) { /* But source is truecolor (Ouch!) */\n\t\ttoy = dstY;\n\t\tfor (y = srcY; (y < (srcY + h)); y++) {\n\t\t\ttox = dstX;\n\t\t\tfor (x = srcX; x < (srcX + w); x++) {\n\t\t\t\tint nc;\n\t\t\t\tc = gdImageGetPixel (src, x, y);\n\n\t\t\t\t/* Get best match possible. 
*/\n\t\t\t\tnc = gdImageColorResolveAlpha(dst, gdTrueColorGetRed(c), gdTrueColorGetGreen(c), gdTrueColorGetBlue(c), gdTrueColorGetAlpha(c));\n\n\t\t\t\tgdImageSetPixel(dst, tox, toy, nc);\n\t\t\t\ttox++;\n\t\t\t}\n\t\t\ttoy++;\n\t\t}\n\t\treturn;\n\t}\n\n\t/* Palette based to palette based */\n\tfor (i = 0; i < gdMaxColors; i++) {\n\t\tcolorMap[i] = (-1);\n\t}\n\ttoy = dstY;\n\tfor (y = srcY; y < (srcY + h); y++) {\n\t\ttox = dstX;\n\t\tfor (x = srcX; x < (srcX + w); x++) {\n\t\t\tint nc;\n\t\t\tint mapTo;\n\t\t\tc = gdImageGetPixel (src, x, y);\n\t\t\t/* Added 7/24/95: support transparent copies */\n\t\t\tif (gdImageGetTransparent (src) == c) {\n\t\t\t\ttox++;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\t/* Have we established a mapping for this color? */\n\t\t\tif (src->trueColor) {\n\t\t\t\t/* 2.05: remap to the palette available in the destination image. This is slow and\n\t\t\t\t * works badly, but it beats crashing! Thanks to Padhrig McCarthy.\n\t\t\t\t */\n\t\t\t\tmapTo = gdImageColorResolveAlpha (dst, gdTrueColorGetRed (c), gdTrueColorGetGreen (c), gdTrueColorGetBlue (c), gdTrueColorGetAlpha (c));\n\t\t\t} else if (colorMap[c] == (-1)) {\n\t\t\t\t/* If it's the same image, mapping is trivial */\n\t\t\t\tif (dst == src) {\n\t\t\t\t\tnc = c;\n\t\t\t\t} else {\n\t\t\t\t\t/* Get best match possible. This function never returns error. 
*/\n\t\t\t\t\tnc = gdImageColorResolveAlpha (dst, src->red[c], src->green[c], src->blue[c], src->alpha[c]);\n\t\t\t\t}\n\t\t\t\tcolorMap[c] = nc;\n\t\t\t\tmapTo = colorMap[c];\n\t\t\t} else {\n\t\t\t\tmapTo = colorMap[c];\n\t\t\t}\n\t\t\tgdImageSetPixel (dst, tox, toy, mapTo);\n\t\t\ttox++;\n\t\t}\n\t\ttoy++;\n\t}\n}", "project": "php-src", "hash": 81874915044527414155893298054948915972, "size": 96, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295188 }, { "func": "ALWAYS_INLINE Variant preg_return_bad_regex_error(Variant&& return_value) {\n *rl_last_error_code = PHP_PCRE_BAD_REGEX_ERROR;\n return std::move(return_value);\n}", "project": "hhvm", "hash": 84584227484268896533448811653366239010, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219732 }, { "func": "void set_join_cache_denial(JOIN_TAB *join_tab)\n{\n if (join_tab->cache)\n {\n /* \n If there is a previous cache linked to this cache through the\n next_cache pointer: remove the link. \n */\n if (join_tab->cache->prev_cache)\n join_tab->cache->prev_cache->next_cache= 0;\n /*\n Same for the next_cache\n */\n if (join_tab->cache->next_cache)\n join_tab->cache->next_cache->prev_cache= 0;\n\n join_tab->cache->free();\n join_tab->cache= 0;\n }\n if (join_tab->use_join_cache)\n {\n join_tab->use_join_cache= FALSE;\n join_tab->used_join_cache_level= 0;\n /*\n It could be only sub_select(). It could not be sub_seject_sjm because we\n don't do join buffering for the first table in sjm nest. 
\n */\n join_tab[-1].next_select= sub_select;\n if (join_tab->type == JT_REF && join_tab->is_ref_for_hash_join())\n {\n join_tab->type= JT_ALL;\n join_tab->ref.key_parts= 0;\n }\n join_tab->join->return_tab= join_tab;\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 321417171648683864498221677190522260761, "size": 36, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508443 }, { "func": "int CLua::execfile(const char *filename, bool trusted, bool die_on_fail,\n bool force)\n{\n if (!force && sourced_files.count(filename))\n return 0;\n\n lua_State *ls = state();\n int err = loadfile(ls, filename, trusted || !managed_vm, die_on_fail);\n lua_call_throttle strangler(this);\n if (!err)\n err = lua_pcall(ls, 0, 0, 0);\n if (!err)\n sourced_files.insert(filename);\n set_error(err);\n if (die_on_fail && !error.empty())\n {\n end(1, false, \"Lua execfile error (%s): %s\",\n filename, error.c_str());\n }\n return err;\n}", "project": "crawl", "hash": 177097080934846723584917573365796751035, "size": 21, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230489 }, { "func": "Status GraphConstructor::EnsureNoNameCollisions() {\n existing_nodes_.reserve(g_->num_nodes());\n // Populate existing_nodes_ and existing_prefixes_.\n for (Node* n : g_->nodes()) {\n bool already_exists = !existing_nodes_.insert({n->name(), n}).second;\n if (already_exists) {\n if (NodeNameInValues(opts_.input_map, n->name())) {\n return errors::InvalidArgument(\n \"cannot resolve input_map because multiple nodes exist with name '\",\n n->name(), \"'\");\n }\n if (NodeNameInValues(opts_.control_dependencies, n->name())) {\n return errors::InvalidArgument(\n \"cannot resolve control_dependencies because multiple nodes exist \"\n \"with name '\",\n n->name(), \"'\");\n }\n }\n AddPrefixes(n->name(), &existing_prefixes_);\n }\n if (prefix_.empty() && opts_.importing && !opts_.uniquify_names) {\n for (size_t i = 0; i < node_def_count(); ++i) {\n const string& name = get_node_def(i).name();\n if (NameExistsInGraph(name)) {\n return errors::InvalidArgument(\"Node name '\", 
name,\n \"' already exists in the Graph\");\n }\n }\n } else if (!prefix_.empty()) {\n StringPiece prefix_no_slash(prefix_);\n prefix_no_slash.remove_suffix(1);\n if (!IsValidNodeName(prefix_no_slash, false)) {\n return errors::InvalidArgument(\"Imported node name prefix '\", prefix_,\n \"' would lead to invalid node names\");\n }\n if (NameExistsInGraph(prefix_no_slash) && opts_.uniquify_prefix) {\n prefix_ = strings::StrCat(FindUniqueName(prefix_no_slash), \"/\");\n }\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 317414224464989372621985865622065290416, "size": 41, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268338 }, { "func": "static int irda_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)\n{\n\tstruct sock *sk = sock->sk;\n\n\tIRDA_DEBUG(4, \"%s(), cmd=%#x\\n\", __func__, cmd);\n\n\tswitch (cmd) {\n\tcase TIOCOUTQ: {\n\t\tlong amount;\n\n\t\tamount = sk->sk_sndbuf - sk_wmem_alloc_get(sk);\n\t\tif (amount < 0)\n\t\t\tamount = 0;\n\t\tif (put_user(amount, (unsigned int __user *)arg))\n\t\t\treturn -EFAULT;\n\t\treturn 0;\n\t}\n\n\tcase TIOCINQ: {\n\t\tstruct sk_buff *skb;\n\t\tlong amount = 0L;\n\t\t/* These two are safe on a single CPU system as only user tasks fiddle here */\n\t\tif ((skb = skb_peek(&sk->sk_receive_queue)) != NULL)\n\t\t\tamount = skb->len;\n\t\tif (put_user(amount, (unsigned int __user *)arg))\n\t\t\treturn -EFAULT;\n\t\treturn 0;\n\t}\n\n\tcase SIOCGSTAMP:\n\t\tif (sk != NULL)\n\t\t\treturn sock_get_timestamp(sk, (struct timeval __user *)arg);\n\t\treturn -EINVAL;\n\n\tcase SIOCGIFADDR:\n\tcase SIOCSIFADDR:\n\tcase SIOCGIFDSTADDR:\n\tcase SIOCSIFDSTADDR:\n\tcase SIOCGIFBRDADDR:\n\tcase SIOCSIFBRDADDR:\n\tcase SIOCGIFNETMASK:\n\tcase SIOCSIFNETMASK:\n\tcase SIOCGIFMETRIC:\n\tcase SIOCSIFMETRIC:\n\t\treturn -EINVAL;\n\tdefault:\n\t\tIRDA_DEBUG(1, \"%s(), doing device ioctl!\\n\", __func__);\n\t\treturn -ENOIOCTLCMD;\n\t}\n\n\t/*NOTREACHED*/\n\treturn 0;\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c", "hash": 191335328906931892669133714194598669671, "size": 53, "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "dataset": "other", "idx": 490859 }, { "func": "static __poll_t packet_poll(struct file *file, struct socket *sock,\n\t\t\t\tpoll_table *wait)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct packet_sock *po = pkt_sk(sk);\n\t__poll_t mask = datagram_poll(file, sock, wait);\n\n\tspin_lock_bh(&sk->sk_receive_queue.lock);\n\tif (po->rx_ring.pg_vec) {\n\t\tif (!packet_previous_rx_frame(po, &po->rx_ring,\n\t\t\tTP_STATUS_KERNEL))\n\t\t\tmask |= EPOLLIN | EPOLLRDNORM;\n\t}\n\tpacket_rcv_try_clear_pressure(po);\n\tspin_unlock_bh(&sk->sk_receive_queue.lock);\n\tspin_lock_bh(&sk->sk_write_queue.lock);\n\tif (po->tx_ring.pg_vec) {\n\t\tif (packet_current_frame(po, &po->tx_ring, TP_STATUS_AVAILABLE))\n\t\t\tmask |= EPOLLOUT | EPOLLWRNORM;\n\t}\n\tspin_unlock_bh(&sk->sk_write_queue.lock);\n\treturn mask;\n}", "project": "linux", "hash": 211678301312820262957810689812070253630, "size": 23, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330418 }, { "func": "static bool checkreturn decode_callback_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter)\n{\n pb_callback_t *pCallback = (pb_callback_t*)iter->pData;\n#ifdef PB_OLD_CALLBACK_STYLE\n void *arg;\n#else\n void **arg;\n#endif\n \n if (pCallback == NULL || pCallback->funcs.decode == NULL)\n return 
pb_skip_field(stream, wire_type);\n\n#ifdef PB_OLD_CALLBACK_STYLE\n arg = pCallback->arg;\n#else\n arg = &(pCallback->arg);\n#endif\n \n if (wire_type == PB_WT_STRING)\n {\n pb_istream_t substream;\n \n if (!pb_make_string_substream(stream, &substream))\n return false;\n \n do\n {\n if (!pCallback->funcs.decode(&substream, iter->pos, arg))\n PB_RETURN_ERROR(stream, \"callback failed\");\n } while (substream.bytes_left);\n \n if (!pb_close_string_substream(stream, &substream))\n return false;\n\n return true;\n }\n else\n {\n /* Copy the single scalar value to stack.\n * This is required so that we can limit the stream length,\n * which in turn allows to use same callback for packed and\n * not-packed fields. */\n pb_istream_t substream;\n pb_byte_t buffer[10];\n size_t size = sizeof(buffer);\n \n if (!read_raw_value(stream, wire_type, buffer, &size))\n return false;\n substream = pb_istream_from_buffer(buffer, size);\n \n return pCallback->funcs.decode(&substream, iter->pos, arg);\n }\n}", "project": "nanopb", "hash": 14949912798979820645959818883694359510, "size": 53, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252508 }, { "func": "static bool checkreturn decode_callback_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iterator_t *iter)\n{\n pb_callback_t *pCallback = (pb_callback_t*)iter->pData;\n \n#ifdef PB_OLD_CALLBACK_STYLE\n void *arg = pCallback->arg;\n#else\n void **arg = &(pCallback->arg);\n#endif\n \n if (pCallback->funcs.decode == NULL)\n return pb_skip_field(stream, wire_type);\n \n if (wire_type == PB_WT_STRING)\n {\n pb_istream_t substream;\n \n if (!pb_make_string_substream(stream, &substream))\n return false;\n \n do\n {\n if (!pCallback->funcs.decode(&substream, iter->pos, arg))\n PB_RETURN_ERROR(stream, \"callback failed\");\n } while (substream.bytes_left);\n \n pb_close_string_substream(stream, 
&substream);\n return true;\n }\n else\n {\n /* Copy the single scalar value to stack.\n * This is required so that we can limit the stream length,\n * which in turn allows to use same callback for packed and\n * not-packed fields. */\n pb_istream_t substream;\n uint8_t buffer[10];\n size_t size = sizeof(buffer);\n \n if (!read_raw_value(stream, wire_type, buffer, &size))\n return false;\n substream = pb_istream_from_buffer(buffer, size);\n \n return pCallback->funcs.decode(&substream, iter->pos, arg);\n }\n}", "project": "nanopb", "hash": 165928421394578286826941586476657543356, "size": 46, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255337 }, { "func": "R_API int r_core_block_size(RCore *core, int bsize) {\n\treturn r_core_seek_size (core, core->offset, bsize);\n}", "project": "radare2", "hash": 192910918487204037483773775489778545305, "size": 3, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232183 }, { "func": "bool JOIN::get_best_combination()\n{\n uint tablenr;\n table_map used_tables;\n JOIN_TAB *j;\n KEYUSE *keyuse;\n DBUG_ENTER(\"get_best_combination\");\n\n /*\n Additional plan nodes for postjoin tmp tables:\n 1? + // For GROUP BY\n 1? + // For DISTINCT\n 1? + // For aggregation functions aggregated in outer query\n // when used with distinct\n 1? + // For ORDER BY\n 1? // buffer result\n Up to 2 tmp tables are actually used, but it's hard to tell exact number\n at this stage.\n */ \n uint aggr_tables= (group_list ? 1 : 0) +\n (select_distinct ?\n (tmp_table_param.using_outer_summary_function ? 2 : 1) : 0) +\n (order ? 1 : 0) +\n (select_options & (SELECT_BIG_RESULT | OPTION_BUFFER_RESULT) ? 
1 : 0) ;\n \n if (aggr_tables == 0)\n aggr_tables= 1; /* For group by pushdown */\n\n if (select_lex->window_specs.elements)\n aggr_tables++;\n\n if (aggr_tables > 2)\n aggr_tables= 2;\n if (!(join_tab= (JOIN_TAB*) thd->alloc(sizeof(JOIN_TAB)*\n (top_join_tab_count + aggr_tables))))\n DBUG_RETURN(TRUE);\n\n full_join=0;\n hash_join= FALSE;\n\n fix_semijoin_strategies_for_picked_join_order(this);\n \n JOIN_TAB_RANGE *root_range;\n if (!(root_range= new (thd->mem_root) JOIN_TAB_RANGE))\n DBUG_RETURN(TRUE);\n root_range->start= join_tab;\n /* root_range->end will be set later */\n join_tab_ranges.empty();\n\n if (join_tab_ranges.push_back(root_range, thd->mem_root))\n DBUG_RETURN(TRUE);\n\n JOIN_TAB *sjm_nest_end= NULL;\n JOIN_TAB *sjm_nest_root= NULL;\n\n for (j=join_tab, tablenr=0 ; tablenr < table_count ; tablenr++,j++)\n {\n TABLE *form;\n POSITION *cur_pos= &best_positions[tablenr];\n if (cur_pos->sj_strategy == SJ_OPT_MATERIALIZE || \n cur_pos->sj_strategy == SJ_OPT_MATERIALIZE_SCAN)\n {\n /*\n Ok, we've entered an SJ-Materialization semi-join (note that this can't\n be done recursively, semi-joins are not allowed to be nested).\n 1. Put into main join order a JOIN_TAB that represents a lookup or scan\n in the temptable.\n */\n bzero((void*)j, sizeof(JOIN_TAB));\n j->join= this;\n j->table= NULL; //temporary way to tell SJM tables from others.\n j->ref.key = -1;\n j->on_expr_ref= (Item**) &null_ptr;\n j->keys= key_map(1); /* The unique index is always in 'possible keys' in EXPLAIN */\n\n /*\n 2. Proceed with processing SJM nest's join tabs, putting them into the\n sub-order\n */\n SJ_MATERIALIZATION_INFO *sjm= cur_pos->table->emb_sj_nest->sj_mat_info;\n j->records_read= (sjm->is_sj_scan? 
sjm->rows : 1);\n j->records= (ha_rows) j->records_read;\n j->cond_selectivity= 1.0;\n JOIN_TAB *jt;\n JOIN_TAB_RANGE *jt_range;\n if (!(jt= (JOIN_TAB*) thd->alloc(sizeof(JOIN_TAB)*sjm->tables)) ||\n !(jt_range= new JOIN_TAB_RANGE))\n DBUG_RETURN(TRUE);\n jt_range->start= jt;\n jt_range->end= jt + sjm->tables;\n join_tab_ranges.push_back(jt_range, thd->mem_root);\n j->bush_children= jt_range;\n sjm_nest_end= jt + sjm->tables;\n sjm_nest_root= j;\n\n j= jt;\n }\n \n *j= *best_positions[tablenr].table;\n\n j->bush_root_tab= sjm_nest_root;\n\n form= table[tablenr]= j->table;\n form->reginfo.join_tab=j;\n DBUG_PRINT(\"info\",(\"type: %d\", j->type));\n if (j->type == JT_CONST)\n goto loop_end;\t\t\t\t\t// Handled in make_join_stat..\n\n j->loosescan_match_tab= NULL; //non-nulls will be set later\n j->inside_loosescan_range= FALSE;\n j->ref.key = -1;\n j->ref.key_parts=0;\n\n if (j->type == JT_SYSTEM)\n goto loop_end;\n if ( !(keyuse= best_positions[tablenr].key))\n {\n j->type=JT_ALL;\n if (best_positions[tablenr].use_join_buffer &&\n tablenr != const_tables)\n\tfull_join= 1;\n }\n\n /*if (best_positions[tablenr].sj_strategy == SJ_OPT_LOOSE_SCAN)\n {\n DBUG_ASSERT(!keyuse || keyuse->key ==\n best_positions[tablenr].loosescan_picker.loosescan_key);\n j->index= best_positions[tablenr].loosescan_picker.loosescan_key;\n }*/\n\n if ((j->type == JT_REF || j->type == JT_EQ_REF) &&\n is_hash_join_key_no(j->ref.key))\n hash_join= TRUE; \n\n loop_end:\n /* \n Save records_read in JOIN_TAB so that select_describe()/etc don't have\n to access join->best_positions[]. 
\n */\n j->records_read= best_positions[tablenr].records_read;\n j->cond_selectivity= best_positions[tablenr].cond_selectivity;\n map2table[j->table->tablenr]= j;\n\n /* If we've reached the end of sjm nest, switch back to main sequence */\n if (j + 1 == sjm_nest_end)\n {\n j->last_leaf_in_bush= TRUE;\n j= sjm_nest_root;\n sjm_nest_root= NULL;\n sjm_nest_end= NULL;\n }\n }\n root_range->end= j;\n\n used_tables= OUTER_REF_TABLE_BIT;\t\t// Outer row is already read\n for (j=join_tab, tablenr=0 ; tablenr < table_count ; tablenr++,j++)\n {\n if (j->bush_children)\n j= j->bush_children->start;\n\n used_tables|= j->table->map;\n if (j->type != JT_CONST && j->type != JT_SYSTEM)\n {\n if ((keyuse= best_positions[tablenr].key) &&\n create_ref_for_key(this, j, keyuse, TRUE, used_tables))\n DBUG_RETURN(TRUE); // Something went wrong\n }\n if (j->last_leaf_in_bush)\n j= j->bush_root_tab;\n }\n \n top_join_tab_count= (uint)(join_tab_ranges.head()->end - \n join_tab_ranges.head()->start);\n\n update_depend_map(this);\n DBUG_RETURN(0);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 221901518885302398782846074351309872603, "size": 177, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508519 }, { "func": "static ssize_t extract_entropy(struct entropy_store *r, void *buf,\n\t\t\t size_t nbytes, int min, int reserved)\n{\n\tssize_t ret = 0, i;\n\t__u8 tmp[EXTRACT_SIZE];\n\n\txfer_secondary_pool(r, nbytes);\n\tnbytes = account(r, nbytes, min, reserved);\n\n\twhile (nbytes) {\n\t\textract_buf(r, tmp);\n\t\ti = min_t(int, nbytes, EXTRACT_SIZE);\n\t\tmemcpy(buf, tmp, i);\n\t\tnbytes -= i;\n\t\tbuf += i;\n\t\tret += i;\n\t}\n\n\t/* Wipe data just returned from memory */\n\tmemset(tmp, 0, sizeof(tmp));\n\n\treturn ret;\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 210408247450838984521487698290198310889, "size": 23, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. 
I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499900 }, { "func": "static int php_vspprintf_ap(char **pbuf, size_t max_len,\n const char *fmt, va_list ap) {\n char *buf;\n int len = vspprintf_ap(&buf, max_len, fmt, ap);\n if (buf) {\n#ifdef IM_MEMORY_CHECK\n *pbuf = php_strndup_impl(buf, len, __LINE__);\n#else\n *pbuf = php_strndup_impl(buf, len);\n#endif\n free(buf);\n }\n return len;\n}", "project": "hhvm", "hash": 70598827000089970056577001575064933938, "size": 14, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219155 }, { "func": "bool test_r_str_replace_char_once(void) {\n\tchar* str = strdup (\"hello world\");\n\t(void) r_str_replace_char_once (str, 'l', 'x');\n\tmu_assert_streq (str, \"hexlo world\", \"error, replace char once failed\");\n\tfree (str);\n\tmu_end;\n}", "project": "radare2", "hash": 16083873722060404426969084280276259647, "size": 7, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement 
r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269087 }, { "func": "int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry, struct inode **delegated_inode)\n{\n\tstruct inode *inode = old_dentry->d_inode;\n\tunsigned max_links = dir->i_sb->s_max_links;\n\tint error;\n\n\tif (!inode)\n\t\treturn -ENOENT;\n\n\terror = may_create(dir, new_dentry);\n\tif (error)\n\t\treturn error;\n\n\tif (dir->i_sb != inode->i_sb)\n\t\treturn -EXDEV;\n\n\t/*\n\t * A link to an append-only or immutable file cannot be created.\n\t */\n\tif (IS_APPEND(inode) || IS_IMMUTABLE(inode))\n\t\treturn -EPERM;\n\t/*\n\t * Updating the link count will likely cause i_uid and i_gid to\n\t * be writen back improperly if their true value is unknown to\n\t * the vfs.\n\t */\n\tif (HAS_UNMAPPED_ID(inode))\n\t\treturn -EPERM;\n\tif (!dir->i_op->link)\n\t\treturn -EPERM;\n\tif (S_ISDIR(inode->i_mode))\n\t\treturn -EPERM;\n\n\terror = security_inode_link(old_dentry, dir, new_dentry);\n\tif (error)\n\t\treturn error;\n\n\tinode_lock(inode);\n\t/* Make sure we don't allow creating hardlink to an unlinked file */\n\tif (inode->i_nlink == 0 && 
!(inode->i_state & I_LINKABLE))\n\t\terror = -ENOENT;\n\telse if (max_links && inode->i_nlink >= max_links)\n\t\terror = -EMLINK;\n\telse {\n\t\terror = try_break_deleg(inode, delegated_inode);\n\t\tif (!error)\n\t\t\terror = dir->i_op->link(old_dentry, dir, new_dentry);\n\t}\n\n\tif (!error && (inode->i_state & I_LINKABLE)) {\n\t\tspin_lock(&inode->i_lock);\n\t\tinode->i_state &= ~I_LINKABLE;\n\t\tspin_unlock(&inode->i_lock);\n\t}\n\tinode_unlock(inode);\n\tif (!error)\n\t\tfsnotify_link(dir, inode, new_dentry);\n\treturn error;\n}", "project": "linux", "hash": 254755010995607497487580060938442012999, "size": 59, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295441 }, { "func": "static void nfs4_xdr_enc_test_stateid(struct rpc_rqst *req,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs41_test_stateid_args *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_test_stateid(xdr, args, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 15255210636467380621804974056255311872, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, 
"dataset": "other", "idx": 431576 }, { "func": "void CClient::Disconnected() {\n DEBUG(GetSockName() << \" == Disconnected()\");\n CIRCNetwork* pNetwork = m_pNetwork;\n SetNetwork(nullptr, false, false);\n\n if (m_pUser) {\n NETWORKMODULECALL(OnClientDisconnect(), m_pUser, pNetwork, this,\n NOTHING);\n }\n}", "project": "znc", "hash": 233917494226526256707745031517620297610, "size": 10, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231535 }, { "func": "int force_sig_mceerr(int code, void __user *addr, short lsb)\n{\n\tstruct kernel_siginfo info;\n\n\tWARN_ON((code != BUS_MCEERR_AO) && (code != BUS_MCEERR_AR));\n\tclear_siginfo(&info);\n\tinfo.si_signo = SIGBUS;\n\tinfo.si_errno = 0;\n\tinfo.si_code = code;\n\tinfo.si_addr = addr;\n\tinfo.si_addr_lsb = lsb;\n\treturn force_sig_info(&info);\n}", "project": "linux", "hash": 77902711881242191085087718195589866415, "size": 13, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375224 }, { "func": "static void terminateDetection(u_int16_t thread_id) {\n ndpi_workflow_free(ndpi_thread_info[thread_id].workflow);\n}", "project": "nDPI", "hash": 338694747268653436830753840137046918052, "size": 3, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254827 }, { "func": "void CClient::RespondCap(const CString& sResponse) {\n PutClient(\":irc.znc.in CAP \" + GetNick() + \" \" + sResponse);\n}", "project": "znc", "hash": 224727153043211697777186866666225909739, "size": 3, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231551 }, { "func": "void LanLinkProvider::userRequestsPair(const QString& deviceId)\n{\n LanPairingHandler* ph = createPairingHandler(m_links.value(deviceId));\n 
ph->requestPairing();\n}", "project": "kdeconnect-kde", "hash": 242565097666709823796975165743948048136, "size": 5, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227356 }, { "func": "static int ctnetlink_exp_dump_tuple(struct sk_buff *skb,\n\t\t\t\t const struct nf_conntrack_tuple *tuple,\n\t\t\t\t u32 type)\n{\n\tstruct nlattr *nest_parms;\n\n\tnest_parms = nla_nest_start(skb, type);\n\tif (!nest_parms)\n\t\tgoto nla_put_failure;\n\tif (ctnetlink_dump_tuples(skb, tuple) < 0)\n\t\tgoto nla_put_failure;\n\tnla_nest_end(skb, nest_parms);\n\n\treturn 0;\n\nnla_put_failure:\n\treturn -1;\n}", "project": "linux", "hash": 245535822483816387725305757599414243377, "size": 18, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. 
MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394154 }, { "func": "TfLiteDelegate TfLiteDelegateCreate() {\n TfLiteDelegate d = {\n .data_ = NULL,\n .Prepare = NULL,\n .CopyFromBufferHandle = NULL,\n .CopyToBufferHandle = NULL,\n .FreeBufferHandle = NULL,\n .flags = kTfLiteDelegateFlagsNone,\n };\n return d;\n}", "project": "tensorflow", "hash": 324733641039016005977676789739895372812, "size": 11, "commit_id": "7c8cc4ec69cd348e44ad6a2699057ca88faad3e5", "message": "Fix a dangerous integer overflow and a malloc of negative size.\n\nPiperOrigin-RevId: 371254154\nChange-Id: I250a98a3df26328770167025670235a963a72da0", "target": 0, "dataset": "other", "idx": 259048 }, { "func": "}\nEXPORT_SYMBOL_GPL(iscsi_get_port_state_name);\n\nstatic int iscsi_session_match(struct attribute_container *cont,\n\t\t\t struct device *dev)\n{\n\tstruct iscsi_cls_session *session;\n\tstruct Scsi_Host *shost;\n\tstruct iscsi_internal *priv;\n\n\tif (!iscsi_is_session_dev(dev))\n\t\treturn 0;\n\n\tsession = iscsi_dev_to_session(dev);\n\tshost = iscsi_session_to_shost(session);\n\tif (!shost->transportt)\n\t\treturn 0;\n\n\tpriv = 
to_iscsi_internal(shost->transportt);\n\tif (priv->session_cont.ac.class != &iscsi_session_class.class)\n\t\treturn 0;", "project": "linux", "hash": 55587148838109855881350545583118725621, "size": 21, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379982 }, { "func": "static int ca8210_config_extern_clk(\n\tstruct ca8210_platform_data *pdata,\n\tstruct spi_device *spi,\n\tbool on\n)\n{\n\tu8 clkparam[2];\n\n\tif (on) {\n\t\tdev_info(&spi->dev, \"Switching external clock on\\n\");\n\t\tswitch (pdata->extclockfreq) {\n\t\tcase SIXTEEN_MHZ:\n\t\t\tclkparam[0] = 1;\n\t\t\tbreak;\n\t\tcase EIGHT_MHZ:\n\t\t\tclkparam[0] = 2;\n\t\t\tbreak;\n\t\tcase FOUR_MHZ:\n\t\t\tclkparam[0] = 3;\n\t\t\tbreak;\n\t\tcase TWO_MHZ:\n\t\t\tclkparam[0] = 4;\n\t\t\tbreak;\n\t\tcase ONE_MHZ:\n\t\t\tclkparam[0] = 5;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tdev_crit(&spi->dev, \"Invalid extclock-freq\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tclkparam[1] = pdata->extclockgpio;\n\t} else {\n\t\tdev_info(&spi->dev, \"Switching external clock off\\n\");\n\t\tclkparam[0] = 0; /* off */\n\t\tclkparam[1] = 0;\n\t}\n\treturn link_to_linux_err(\n\t\thwme_set_request_sync(HWME_SYSCLKOUT, 2, clkparam, spi)\n\t);\n}", "project": "linux", "hash": 243043068309973966010385129275684215906, "size": 40, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling 
ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408777 }, { "func": "static void encode_opaque_fixed(struct xdr_stream *xdr, const void *buf, size_t len)\n{\n\tWARN_ON_ONCE(xdr_stream_encode_opaque_fixed(xdr, buf, len) < 0);\n}", "project": "linux", "hash": 247813220943925634390827917324132054288, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431621 }, { "func": "static __always_inline bool slab_free_hook(struct kmem_cache *s, void *x)\n{\n\tkmemleak_free_recursive(x, s->flags);\n\n\t/*\n\t * Trouble is that we may no longer disable interrupts in the fast path\n\t * So in order to make the debug calls that expect irqs to be\n\t * disabled we need to disable interrupts temporarily.\n\t */\n#ifdef CONFIG_LOCKDEP\n\t{\n\t\tunsigned long flags;\n\n\t\tlocal_irq_save(flags);\n\t\tdebug_check_no_locks_freed(x, s->object_size);\n\t\tlocal_irq_restore(flags);\n\t}\n#endif\n\tif (!(s->flags & SLAB_DEBUG_OBJECTS))\n\t\tdebug_check_no_obj_freed(x, s->object_size);\n\n\t/* KASAN might put x into memory quarantine, delaying its reuse */\n\treturn kasan_slab_free(s, x, _RET_IP_);\n}", "project": "linux", "hash": 89663298150968910288963796242136960369, "size": 24, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen 
kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280152 }, { "func": " void Jp2Image::doWriteMetadata(BasicIo& outIo)\n {\n if (!io_->isopen()) throw Error(kerInputDataReadFailed);\n if (!outIo.isopen()) throw Error(kerImageWriteFailed);\n\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: Writing JPEG-2000 file \" << io_->path() << std::endl;\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: tmp file created \" << outIo.path() << std::endl;\n#endif\n\n // Ensure that this is the correct image type\n if (!isJp2Type(*io_, true))\n {\n if (io_->error() || io_->eof()) throw Error(kerInputDataReadFailed);\n throw Error(kerNoImageInInputData);\n }\n\n // Write JPEG2000 Signature.\n if (outIo.write(Jp2Signature, 12) != 12) throw Error(kerImageWriteFailed);\n\n Jp2BoxHeader box = {0,0};\n\n byte boxDataSize[4];\n byte boxUUIDtype[4];\n DataBuf bheaderBuf(8); // Box header : 4 bytes (data size) + 4 bytes (box type).\n\n // FIXME: Andreas, why the loop do not stop when EOF is taken from _io. 
The loop go out by an exception\n // generated by a zero size data read.\n\n while(io_->tell() < (long) io_->size())\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: Position: \" << io_->tell() << \" / \" << io_->size() << std::endl;\n#endif\n\n // Read chunk header.\n\n std::memset(bheaderBuf.pData_, 0x00, bheaderBuf.size_);\n long bufRead = io_->read(bheaderBuf.pData_, bheaderBuf.size_);\n if (io_->error()) throw Error(kerFailedToReadImageData);\n if (bufRead != bheaderBuf.size_) throw Error(kerInputDataReadFailed);\n\n // Decode box header.\n\n box.length = getLong(bheaderBuf.pData_, bigEndian);\n box.type = getLong(bheaderBuf.pData_ + 4, bigEndian);\n\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: box type: \" << toAscii(box.type)\n << \" length: \" << box.length << std::endl;\n#endif\n\n if (box.length == 0)\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: Null Box size has been found. 
\"\n \"This is the last box of file.\" << std::endl;\n#endif\n box.length = (uint32_t) (io_->size() - io_->tell() + 8);\n }\n if (box.length < 8)\n {\n // box is broken, so there is nothing we can do here\n throw Error(kerCorruptedMetadata);\n }\n\n // Read whole box : Box header + Box data (not fixed size - can be null).\n\n DataBuf boxBuf(box.length); // Box header (8 bytes) + box data.\n memcpy(boxBuf.pData_, bheaderBuf.pData_, 8); // Copy header.\n bufRead = io_->read(boxBuf.pData_ + 8, box.length - 8); // Extract box data.\n if (io_->error())\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: Error reading source file\" << std::endl;\n#endif\n\n throw Error(kerFailedToReadImageData);\n }\n\n if (bufRead != (long)(box.length - 8))\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: Cannot read source file data\" << std::endl;\n#endif\n throw Error(kerInputDataReadFailed);\n }\n\n switch(box.type)\n {\n case kJp2BoxTypeJp2Header:\n {\n DataBuf newBuf;\n encodeJp2Header(boxBuf,newBuf);\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: Write JP2Header box (length: \" << box.length << \")\" << std::endl;\n#endif\n if (outIo.write(newBuf.pData_, newBuf.size_) != newBuf.size_) throw Error(kerImageWriteFailed);\n\n // Write all updated metadata here, just after JP2Header.\n\n if (exifData_.count() > 0)\n {\n // Update Exif data to a new UUID box\n\n Blob blob;\n ExifParser::encode(blob, littleEndian, exifData_);\n if (blob.size())\n {\n DataBuf rawExif(static_cast(blob.size()));\n memcpy(rawExif.pData_, &blob[0], blob.size());\n\n DataBuf boxData(8 + 16 + rawExif.size_);\n ul2Data(boxDataSize, boxData.size_, Exiv2::bigEndian);\n ul2Data(boxUUIDtype, kJp2BoxTypeUuid, Exiv2::bigEndian);\n memcpy(boxData.pData_, boxDataSize, 4);\n memcpy(boxData.pData_ + 4, boxUUIDtype, 4);\n memcpy(boxData.pData_ + 8, kJp2UuidExif, 16);\n memcpy(boxData.pData_ + 8 + 16, rawExif.pData_, 
rawExif.size_);\n\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: Write box with Exif metadata (length: \"\n << boxData.size_ << std::endl;\n#endif\n if (outIo.write(boxData.pData_, boxData.size_) != boxData.size_) throw Error(kerImageWriteFailed);\n }\n }\n\n if (iptcData_.count() > 0)\n {\n // Update Iptc data to a new UUID box\n\n DataBuf rawIptc = IptcParser::encode(iptcData_);\n if (rawIptc.size_ > 0)\n {\n DataBuf boxData(8 + 16 + rawIptc.size_);\n ul2Data(boxDataSize, boxData.size_, Exiv2::bigEndian);\n ul2Data(boxUUIDtype, kJp2BoxTypeUuid, Exiv2::bigEndian);\n memcpy(boxData.pData_, boxDataSize, 4);\n memcpy(boxData.pData_ + 4, boxUUIDtype, 4);\n memcpy(boxData.pData_ + 8, kJp2UuidIptc, 16);\n memcpy(boxData.pData_ + 8 + 16, rawIptc.pData_, rawIptc.size_);\n\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: Write box with Iptc metadata (length: \"\n << boxData.size_ << std::endl;\n#endif\n if (outIo.write(boxData.pData_, boxData.size_) != boxData.size_) throw Error(kerImageWriteFailed);\n }\n }\n\n if (writeXmpFromPacket() == false)\n {\n if (XmpParser::encode(xmpPacket_, xmpData_) > 1)\n {\n#ifndef SUPPRESS_WARNINGS\n EXV_ERROR << \"Failed to encode XMP metadata.\" << std::endl;\n#endif\n }\n }\n if (xmpPacket_.size() > 0)\n {\n // Update Xmp data to a new UUID box\n\n DataBuf xmp(reinterpret_cast(xmpPacket_.data()), static_cast(xmpPacket_.size()));\n DataBuf boxData(8 + 16 + xmp.size_);\n ul2Data(boxDataSize, boxData.size_, Exiv2::bigEndian);\n ul2Data(boxUUIDtype, kJp2BoxTypeUuid, Exiv2::bigEndian);\n memcpy(boxData.pData_, boxDataSize, 4);\n memcpy(boxData.pData_ + 4, boxUUIDtype, 4);\n memcpy(boxData.pData_ + 8, kJp2UuidXmp, 16);\n memcpy(boxData.pData_ + 8 + 16, xmp.pData_, xmp.size_);\n\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: Write box with XMP metadata (length: \"\n << boxData.size_ << \")\" << std::endl;\n#endif\n if (outIo.write(boxData.pData_, 
boxData.size_) != boxData.size_) throw Error(kerImageWriteFailed);\n }\n\n break;\n }\n\n case kJp2BoxTypeUuid:\n {\n if(memcmp(boxBuf.pData_ + 8, kJp2UuidExif, 16) == 0)\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: strip Exif Uuid box\" << std::endl;\n#endif\n }\n else if(memcmp(boxBuf.pData_ + 8, kJp2UuidIptc, 16) == 0)\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: strip Iptc Uuid box\" << std::endl;\n#endif\n }\n else if(memcmp(boxBuf.pData_ + 8, kJp2UuidXmp, 16) == 0)\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: strip Xmp Uuid box\" << std::endl;\n#endif\n }\n else\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: write Uuid box (length: \" << box.length << \")\" << std::endl;\n#endif\n if (outIo.write(boxBuf.pData_, boxBuf.size_) != boxBuf.size_) throw Error(kerImageWriteFailed);\n }\n break;\n }\n\n default:\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: write box (length: \" << box.length << \")\" << std::endl;\n#endif\n if (outIo.write(boxBuf.pData_, boxBuf.size_) != boxBuf.size_) throw Error(kerImageWriteFailed);\n\n break;\n }\n }\n }\n\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::doWriteMetadata: EOF\" << std::endl;\n#endif\n\n } // Jp2Image::doWriteMetadata", "project": "exiv2", "hash": 179548350090444296580556728200056610559, "size": 230, "commit_id": "f9308839198aca5e68a65194f151a1de92398f54", "message": "Better bounds checking in Jp2Image::encodeJp2Header()", "target": 0, "dataset": "other", "idx": 409139 }, { "func": "static int svm_deliver_avic_intr(struct kvm_vcpu *vcpu, int vec)\n{\n\tif (!vcpu->arch.apicv_active)\n\t\treturn -1;\n\n\tkvm_lapic_set_irr(vec, vcpu->arch.apic);\n\tsmp_mb__after_atomic();\n\n\tif (avic_vcpu_is_running(vcpu)) {\n\t\tint cpuid = vcpu->cpu;\n\n\t\tif (cpuid != get_cpu())\n\t\t\twrmsrl(SVM_AVIC_DOORBELL, 
kvm_cpu_get_apicid(cpuid));\n\t\tput_cpu();\n\t} else\n\t\tkvm_vcpu_wake_up(vcpu);\n\n\treturn 0;\n}", "project": "linux", "hash": 23876555162148011331501991778058782934, "size": 19, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432475 }, { "func": " void ComputeEasyCases(OpKernelContext* context, bool* done,\n std::vector* split_sizes_vec) {\n const int32_t num_split = context->num_outputs();\n const Tensor& input = context->input(0);\n const TensorShape& input_shape = input.shape();\n const Tensor& split_tensor = context->input(1);\n const Tensor& split_dim_tensor = context->input(2);\n\n OP_REQUIRES(context, split_dim_tensor.NumElements() == 1,\n errors::InvalidArgument(\"split_dim_tensor must have \"\n \"exactly one element.\"));\n\n const int32_t split_dim_orig = split_dim_tensor.flat()(0);\n const int32_t split_dim =\n split_dim_orig < 0 ? 
split_dim_orig + input.dims() : split_dim_orig;\n\n OP_REQUIRES(\n context,\n split_tensor.dims() == 1 && split_tensor.NumElements() == num_split,\n errors::InvalidArgument(\"size of the split_tensor must be 1-D and have \"\n \"the same elements as outputs got \",\n split_tensor.dims(), \" -D and \",\n split_tensor.NumElements(), \" elements\"));\n\n auto split_sizes_d = split_tensor.vec();\n\n split_sizes_vec->resize(split_sizes_d.size());\n\n std::copy(split_sizes_d.data(), split_sizes_d.data() + split_sizes_d.size(),\n split_sizes_vec->begin());\n\n OP_REQUIRES(\n context, num_split > 0,\n errors::InvalidArgument(\n \"Number of ways to split should be > 0, but got \", num_split));\n\n OP_REQUIRES(\n context, 0 <= split_dim && split_dim < input.dims(),\n errors::InvalidArgument(\"-input rank(-\", input.dims(),\n \") <= split_dim < input rank (\", input.dims(),\n \"), but got \", split_dim_orig));\n\n Tlen input_size_split_dim = input_shape.dim_size(split_dim);\n\n // Special case 1: num_split == 1. Nothing to do.\n if (num_split == 1) {\n context->set_output(0, context->input(0));\n OP_REQUIRES(\n context, (*split_sizes_vec)[0] == input_size_split_dim,\n errors::InvalidArgument(\"If there is only one output, it must have \"\n \"the same size as the input. 
Input size: \",\n input_size_split_dim,\n \" output size: \", (*split_sizes_vec)[0]));\n *done = true;\n return;\n }\n\n // Determine sizes of output, in case of a -1 input value\n int neg_one_dim = -1;\n Tlen determined_size = 0;\n for (int d = 0; d < split_sizes_vec->size(); ++d) {\n Tlen size = (*split_sizes_vec)[d];\n\n if (size == -1) {\n OP_REQUIRES(context, neg_one_dim == -1,\n errors::InvalidArgument(\"There can only be one -1 in the \"\n \"input.\"));\n neg_one_dim = d;\n } else {\n determined_size += size;\n }\n }\n\n OP_REQUIRES(\n context,\n (neg_one_dim == -1 && determined_size == input_size_split_dim) ||\n (neg_one_dim >= 0 && determined_size <= input_size_split_dim),\n errors::InvalidArgument(\"Determined shape must either match \"\n \"input shape along split_dim exactly if \"\n \"fully specified, or be less than the size of \"\n \"the input along split_dim if not fully \"\n \"specified. Got: \",\n determined_size));\n\n if (neg_one_dim >= 0) {\n (*split_sizes_vec)[neg_one_dim] = input_size_split_dim - determined_size;\n }\n\n // Special case 2: split along the 1st dimension. The requirements are that\n // either we are splitting the outer dimension of two or more such that\n // every outer subpart is aligned or that the split sizes mean that they are\n // always aligned. In these cases, we can share the underlying buffer.\n //\n // Apply this optimization conservatively: if input is aligned,\n // the resulting tensors must be aligned. 
It's conservative\n // because if the immediate consumer of the resulting tensors are\n // not using eigen for computation, its perfectly fine to avoid\n // the copying.\n if (SplitHasAlignedOutputsInFirstDimension(\n input_shape, split_dim, absl::MakeConstSpan(*split_sizes_vec))) {\n Tlen start = 0;\n for (int i = 0; i < num_split; ++i) {\n context->set_output(i,\n input.Slice(start, start + (*split_sizes_vec)[i]));\n start += (*split_sizes_vec)[i];\n }\n *done = true;\n return;\n }\n }", "project": "tensorflow", "hash": 126245865552496072215885042297203605082, "size": 110, "commit_id": "25d622ffc432acc736b14ca3904177579e733cc6", "message": "A negative size in one of the split sizes allowed the computed size of another\nto exceed the total dimension, leading to a segfault and security vulnerability.\nAdding a check for negative sizes prevents this.\n\nPiperOrigin-RevId: 401035665\nChange-Id: I79bbe329787dac82aa4bf60397a9129b716aedab", "target": 1, "dataset": "other", "idx": 195778 }, { "func": " void ComputeEasyCases(OpKernelContext* context, bool* done,\n std::vector* split_sizes_vec) {\n const int32_t num_split = context->num_outputs();\n const Tensor& input = context->input(0);\n const TensorShape& input_shape = input.shape();\n const Tensor& split_tensor = context->input(1);\n const Tensor& split_dim_tensor = context->input(2);\n\n OP_REQUIRES(context, split_dim_tensor.NumElements() == 1,\n errors::InvalidArgument(\"split_dim_tensor must have \"\n \"exactly one element.\"));\n\n const int32_t split_dim_orig = split_dim_tensor.flat()(0);\n const int32_t split_dim =\n split_dim_orig < 0 ? 
split_dim_orig + input.dims() : split_dim_orig;\n\n OP_REQUIRES(\n context,\n split_tensor.dims() == 1 && split_tensor.NumElements() == num_split,\n errors::InvalidArgument(\"size of the split_tensor must be 1-D and have \"\n \"the same elements as outputs got \",\n split_tensor.dims(), \" -D and \",\n split_tensor.NumElements(), \" elements\"));\n\n auto split_sizes_d = split_tensor.vec();\n\n split_sizes_vec->resize(split_sizes_d.size());\n\n std::copy(split_sizes_d.data(), split_sizes_d.data() + split_sizes_d.size(),\n split_sizes_vec->begin());\n\n OP_REQUIRES(\n context, num_split > 0,\n errors::InvalidArgument(\n \"Number of ways to split should be > 0, but got \", num_split));\n\n OP_REQUIRES(\n context, 0 <= split_dim && split_dim < input.dims(),\n errors::InvalidArgument(\"-input rank(-\", input.dims(),\n \") <= split_dim < input rank (\", input.dims(),\n \"), but got \", split_dim_orig));\n\n Tlen input_size_split_dim = input_shape.dim_size(split_dim);\n\n // Special case 1: num_split == 1. Nothing to do.\n if (num_split == 1) {\n context->set_output(0, context->input(0));\n OP_REQUIRES(\n context, (*split_sizes_vec)[0] == input_size_split_dim,\n errors::InvalidArgument(\"If there is only one output, it must have \"\n \"the same size as the input. 
Input size: \",\n input_size_split_dim,\n \" output size: \", (*split_sizes_vec)[0]));\n *done = true;\n return;\n }\n\n // Determine sizes of output, in case of a -1 input value\n int neg_one_dim = -1;\n Tlen determined_size = 0;\n for (int d = 0; d < split_sizes_vec->size(); ++d) {\n Tlen size = (*split_sizes_vec)[d];\n\n if (size == -1) {\n OP_REQUIRES(context, neg_one_dim == -1,\n errors::InvalidArgument(\"There can only be one -1 in the \"\n \"input.\"));\n neg_one_dim = d;\n } else {\n determined_size += size;\n }\n }\n\n OP_REQUIRES(\n context,\n (neg_one_dim == -1 && determined_size == input_size_split_dim) ||\n (neg_one_dim >= 0 && determined_size <= input_size_split_dim),\n errors::InvalidArgument(\"Determined shape must either match \"\n \"input shape along split_dim exactly if \"\n \"fully specified, or be less than the size of \"\n \"the input along split_dim if not fully \"\n \"specified. Got: \",\n determined_size));\n\n if (neg_one_dim >= 0) {\n (*split_sizes_vec)[neg_one_dim] = input_size_split_dim - determined_size;\n }\n\n for (int i = 0; i < split_sizes_vec->size(); ++i) {\n const Tlen& split_size = (*split_sizes_vec)[i];\n OP_REQUIRES(context, split_size >= Tlen(0),\n errors::InvalidArgument(\"Split size at index \", i,\n \" must be >= 0. Got: \", split_size));\n }\n\n // Special case 2: split along the 1st dimension. The requirements are that\n // either we are splitting the outer dimension of two or more such that\n // every outer subpart is aligned or that the split sizes mean that they are\n // always aligned. In these cases, we can share the underlying buffer.\n //\n // Apply this optimization conservatively: if input is aligned,\n // the resulting tensors must be aligned. 
It's conservative\n // because if the immediate consumer of the resulting tensors are\n // not using eigen for computation, its perfectly fine to avoid\n // the copying.\n if (SplitHasAlignedOutputsInFirstDimension(\n input_shape, split_dim, absl::MakeConstSpan(*split_sizes_vec))) {\n Tlen start = 0;\n for (int i = 0; i < num_split; ++i) {\n context->set_output(i,\n input.Slice(start, start + (*split_sizes_vec)[i]));\n start += (*split_sizes_vec)[i];\n }\n *done = true;\n return;\n }\n }", "project": "tensorflow", "hash": 246328078065637501416321248235339183827, "size": 117, "commit_id": "25d622ffc432acc736b14ca3904177579e733cc6", "message": "A negative size in one of the split sizes allowed the computed size of another\nto exceed the total dimension, leading to a segfault and security vulnerability.\nAdding a check for negative sizes prevents this.\n\nPiperOrigin-RevId: 401035665\nChange-Id: I79bbe329787dac82aa4bf60397a9129b716aedab", "target": 0, "dataset": "other", "idx": 233116 }, { "func": "static inline bool req_ref_put_and_test(struct io_kiocb *req)\n{\n\tWARN_ON_ONCE(req_ref_zero_or_close_to_overflow(req));\n\treturn atomic_dec_and_test(&req->refs);\n}", "project": "linux", "hash": 57529154659634307445797900167082147310, "size": 5, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338680 }, { "func": "static inline __u32 sctp_spp_sackdelay_enable(__u32 param_flags)\n{\n\treturn (param_flags & ~SPP_SACKDELAY) | SPP_SACKDELAY_ENABLE;\n}", "project": "linux", "hash": 169965889724339804054102673749984908059, "size": 4, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398140 }, { "func": "Status GraphConstructor::MakeEdge(Node* src, int output_index, Node* dst,\n int input_index) {\n DataType src_out = src->output_type(output_index);\n DataType dst_in = dst->input_type(input_index);\n if (!TypesCompatible(dst_in, src_out)) {\n return errors::InvalidArgument(\n \"Input \", input_index, \" of node \", dst->name(), \" was passed \",\n DataTypeString(src_out), \" from \", src->name(), \":\", output_index,\n \" incompatible with expected \", DataTypeString(dst_in), \".\");\n }\n g_->AddEdge(src, output_index, dst, input_index);\n return Status::OK();\n}", "project": "tensorflow", "hash": 119805169193765224854689007636694320603, "size": 13, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 1, "dataset": "other", "idx": 198049 }, { "func": "Status GraphConstructor::MakeEdge(Node* src, int output_index, Node* dst,\n int input_index) {\n if (output_index >= src->num_outputs()) {\n return errors::InvalidArgument(\n \"Output \", output_index, \" of node \", src->name(),\n \" does not exist. 
Node only has \", src->num_outputs(), \" outputs.\");\n }\n if (input_index >= dst->num_inputs()) {\n return errors::InvalidArgument(\n \"Input \", input_index, \" of node \", dst->name(),\n \" does not exist. Node only has \", dst->num_inputs(), \" inputs.\");\n }\n\n DataType src_out = src->output_type(output_index);\n DataType dst_in = dst->input_type(input_index);\n if (!TypesCompatible(dst_in, src_out)) {\n return errors::InvalidArgument(\n \"Input \", input_index, \" of node \", dst->name(), \" was passed \",\n DataTypeString(src_out), \" from \", src->name(), \":\", output_index,\n \" incompatible with expected \", DataTypeString(dst_in), \".\");\n }\n g_->AddEdge(src, output_index, dst, input_index);\n return Status::OK();\n}", "project": "tensorflow", "hash": 213211601759384738680783148753824892622, "size": 24, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268323 }, { "func": "int tipc_nl_node_set_link(struct sk_buff *skb, struct genl_info *info)\n{\n\tint err;\n\tint res = 0;\n\tint bearer_id;\n\tchar *name;\n\tstruct tipc_link *link;\n\tstruct tipc_node *node;\n\tstruct sk_buff_head xmitq;\n\tstruct nlattr *attrs[TIPC_NLA_LINK_MAX + 1];\n\tstruct net *net = sock_net(skb->sk);\n\n\t__skb_queue_head_init(&xmitq);\n\n\tif (!info->attrs[TIPC_NLA_LINK])\n\t\treturn -EINVAL;\n\n\terr = nla_parse_nested_deprecated(attrs, TIPC_NLA_LINK_MAX,\n\t\t\t\t\t info->attrs[TIPC_NLA_LINK],\n\t\t\t\t\t tipc_nl_link_policy, info->extack);\n\tif (err)\n\t\treturn err;\n\n\tif (!attrs[TIPC_NLA_LINK_NAME])\n\t\treturn -EINVAL;\n\n\tname = nla_data(attrs[TIPC_NLA_LINK_NAME]);\n\n\tif (strcmp(name, tipc_bclink_name) == 0)\n\t\treturn tipc_nl_bc_link_set(net, attrs);\n\n\tnode = tipc_node_find_by_name(net, name, &bearer_id);\n\tif (!node)\n\t\treturn -EINVAL;\n\n\ttipc_node_read_lock(node);\n\n\tlink = node->links[bearer_id].link;\n\tif (!link) {\n\t\tres = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tif (attrs[TIPC_NLA_LINK_PROP]) {\n\t\tstruct nlattr *props[TIPC_NLA_PROP_MAX + 1];\n\n\t\terr = tipc_nl_parse_link_prop(attrs[TIPC_NLA_LINK_PROP], props);\n\t\tif (err) {\n\t\t\tres = err;\n\t\t\tgoto out;\n\t\t}\n\n\t\tif (props[TIPC_NLA_PROP_TOL]) {\n\t\t\tu32 tol;\n\n\t\t\ttol = nla_get_u32(props[TIPC_NLA_PROP_TOL]);\n\t\t\ttipc_link_set_tolerance(link, tol, &xmitq);\n\t\t}\n\t\tif (props[TIPC_NLA_PROP_PRIO]) {\n\t\t\tu32 prio;\n\n\t\t\tprio = nla_get_u32(props[TIPC_NLA_PROP_PRIO]);\n\t\t\ttipc_link_set_prio(link, prio, &xmitq);\n\t\t}\n\t\tif (props[TIPC_NLA_PROP_WIN]) {\n\t\t\tu32 max_win;\n\n\t\t\tmax_win = 
nla_get_u32(props[TIPC_NLA_PROP_WIN]);\n\t\t\ttipc_link_set_queue_limits(link,\n\t\t\t\t\t\t tipc_link_min_win(link),\n\t\t\t\t\t\t max_win);\n\t\t}\n\t}\n\nout:\n\ttipc_node_read_unlock(node);\n\ttipc_bearer_xmit(net, bearer_id, &xmitq, &node->links[bearer_id].maddr,\n\t\t\t NULL);\n\treturn res;\n}", "project": "linux", "hash": 39389998731186693951680021943870630192, "size": 80, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n 
____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg 
net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364898 }, { "func": "static void set_prompt (RCore *r) {\n\tchar tmp[128];\n\tchar *filename = strdup (\"\");\n\tconst char *cmdprompt = r_config_get (r->config, \"cmd.prompt\");\n\tconst char *BEGIN = \"\";\n\tconst char *END = \"\";\n\tconst char *remote = \"\";\n\n\tif (cmdprompt && *cmdprompt) {\n\t\tr_core_cmd (r, cmdprompt, 0);\n\t}\n\n\tif (r_config_get_i (r->config, \"scr.prompt.file\")) {\n\t\tfree (filename);\n\t\tfilename = r_str_newf (\"\\\"%s\\\"\",\n\t\t\tr->io->desc ? 
r_file_basename (r->io->desc->name) : \"\");\n\t}\n\tif (r->cmdremote) {\n\t\tchar *s = r_core_cmd_str (r, \"s\");\n\t\tr->offset = r_num_math (NULL, s);\n\t\tfree (s);\n\t\tremote = \"=!\";\n\t}\n\n\tif (r_config_get_i (r->config, \"scr.color\")) {\n\t\tBEGIN = r->cons->context->pal.prompt;\n\t\tEND = r->cons->context->pal.reset;\n\t}\n\n\t// TODO: also in visual prompt and disasm/hexdump ?\n\tif (r_config_get_i (r->config, \"asm.segoff\")) {\n\t\tut32 a, b;\n\t\tunsigned int seggrn = r_config_get_i (r->config, \"asm.seggrn\");\n\n\t\ta = ((r->offset >> 16) << (16 - seggrn));\n\t\tb = (r->offset & 0xffff);\n\t\tsnprintf (tmp, 128, \"%04x:%04x\", a, b);\n\t} else {\n\t\tchar p[64], sec[32];\n\t\tint promptset = false;\n\n\t\tsec[0] = '\\0';\n\t\tif (r_config_get_i (r->config, \"scr.prompt.flag\")) {\n\t\t\tpromptset = prompt_flag (r, p, sizeof (p));\n\t\t}\n\t\tif (r_config_get_i (r->config, \"scr.prompt.sect\")) {\n\t\t\tprompt_sec (r, sec, sizeof (sec));\n\t\t}\n\n\t\tif (!promptset) {\n\t\t\tif (r->print->wide_offsets && r->dbg->bits & R_SYS_BITS_64) {\n\t\t\t\tsnprintf (p, sizeof (p), \"0x%016\" PFMT64x, r->offset);\n\t\t\t} else {\n\t\t\t\tsnprintf (p, sizeof (p), \"0x%08\" PFMT64x, r->offset);\n\t\t\t}\n\t\t}\n\t\tsnprintf (tmp, sizeof (tmp), \"%s%s\", sec, p);\n\t}\n\n\tchop_prompt (filename, tmp, 128);\n\tchar *prompt = r_str_newf (\"%s%s[%s%s]>%s \", filename, BEGIN, remote,\n\t\ttmp, END);\n\tr_line_set_prompt (prompt ? 
prompt : \"\");\n\n\tR_FREE (filename);\n\tR_FREE (prompt);\n}", "project": "radare2", "hash": 300207074089427767015379380144670672578, "size": 67, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232207 }, { "func": " bool matchSeparator(char ch) {\n if (LIKELY(*p++ == ch)) return true;\n return matchSeparatorSlow(ch);\n }", "project": "hhvm", "hash": 103303268475078240056181019478771874403, "size": 4, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227295 }, { "func": "static void nested_svm_init(struct vcpu_svm *svm)\n{\n\tsvm->vmcb->control.exit_code = SVM_EXIT_INIT;\n\tsvm->vmcb->control.exit_info_1 = 0;\n\tsvm->vmcb->control.exit_info_2 = 0;\n\n\tnested_svm_vmexit(svm);\n}", "project": "linux", "hash": 272907512767528784909588550896746102177, "size": 8, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. 
Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376662 }, { "func": "static int simple_check_buf(struct usbtest_dev *tdev, struct urb *urb)\n{\n\tunsigned\ti;\n\tu8\t\texpected;\n\tu8\t\t*buf = urb->transfer_buffer;\n\tunsigned\tlen = urb->actual_length;\n\tunsigned\tmaxpacket = get_maxpacket(urb->dev, urb->pipe);\n\n\tint ret = check_guard_bytes(tdev, urb);\n\tif (ret)\n\t\treturn ret;\n\n\tfor (i = 0; i < len; i++, buf++) {\n\t\tswitch (pattern) {\n\t\t/* all-zeroes has no synchronization issues */\n\t\tcase 0:\n\t\t\texpected = 0;\n\t\t\tbreak;\n\t\t/* mod63 stays in sync with short-terminated transfers,\n\t\t * or otherwise when host and gadget agree on how large\n\t\t * each usb transfer request should be. 
resync is done\n\t\t * with set_interface or set_config.\n\t\t */\n\t\tcase 1:\t\t\t/* mod63 */\n\t\t\texpected = (i % maxpacket) % 63;\n\t\t\tbreak;\n\t\t/* always fail unsupported patterns */\n\t\tdefault:\n\t\t\texpected = !*buf;\n\t\t\tbreak;\n\t\t}\n\t\tif (*buf == expected)\n\t\t\tcontinue;\n\t\tERROR(tdev, \"buf[%d] = %d (not %d)\\n\", i, *buf, expected);\n\t\treturn -EINVAL;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 103973262594843701798172017173495601190, "size": 38, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] 
bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412245 }, { "func": "bool JOIN::shrink_join_buffers(JOIN_TAB *jt, \n ulonglong curr_space,\n ulonglong needed_space)\n{\n JOIN_TAB *tab;\n JOIN_CACHE *cache;\n for (tab= first_linear_tab(this, WITHOUT_BUSH_ROOTS, WITHOUT_CONST_TABLES);\n tab != jt;\n tab= next_linear_tab(this, tab, WITHOUT_BUSH_ROOTS))\n {\n cache= tab->cache;\n if (cache)\n { \n size_t buff_size;\n if (needed_space < cache->get_min_join_buffer_size())\n return TRUE;\n if (cache->shrink_join_buffer_in_ratio(curr_space, needed_space))\n { \n revise_cache_usage(tab);\n return TRUE;\n }\n buff_size= cache->get_join_buffer_size();\n curr_space-= buff_size;\n needed_space-= buff_size;\n }\n }\n\n cache= jt->cache;\n DBUG_ASSERT(cache);\n if (needed_space < cache->get_min_join_buffer_size())\n return TRUE;\n cache->set_join_buffer_size((size_t)needed_space);\n \n return FALSE;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 201020460746499212162329703523668869176, "size": 35, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508640 }, { "func": "static int kvm_s390_get_tod(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tint ret;\n\n\tif (attr->flags)\n\t\treturn -EINVAL;\n\n\tswitch (attr->attr) {\n\tcase KVM_S390_VM_TOD_EXT:\n\t\tret = kvm_s390_get_tod_ext(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_TOD_HIGH:\n\t\tret = kvm_s390_get_tod_high(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_TOD_LOW:\n\t\tret = kvm_s390_get_tod_low(kvm, attr);\n\t\tbreak;\n\tdefault:\n\t\tret = -ENXIO;\n\t\tbreak;\n\t}\n\treturn ret;\n}", "project": "linux", "hash": 191427678231998020981710452166462864146, "size": 23, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: 
<20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354495 }, { "func": "int kvm_hv_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata, bool host)\n{\n\tstruct kvm_hv *hv = to_kvm_hv(vcpu->kvm);\n\n\tif (!host && !vcpu->arch.hyperv_enabled)\n\t\treturn 1;\n\n\tif (!to_hv_vcpu(vcpu)) {\n\t\tif (kvm_hv_vcpu_init(vcpu))\n\t\t\treturn 1;\n\t}\n\n\tif (kvm_hv_msr_partition_wide(msr)) {\n\t\tint r;\n\n\t\tmutex_lock(&hv->hv_lock);\n\t\tr = kvm_hv_get_msr_pw(vcpu, msr, pdata, host);\n\t\tmutex_unlock(&hv->hv_lock);\n\t\treturn r;\n\t} else\n\t\treturn kvm_hv_get_msr(vcpu, msr, pdata, host);\n}", "project": "linux", "hash": 226122327779284431269926626523621715335, "size": 22, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343488 }, { "func": "static void __nfs4_free_revoked_stateid(struct nfs_server *server,\n\t\tnfs4_stateid *stateid,\n\t\tconst struct cred *cred)\n{\n\tstateid->type = NFS4_REVOKED_STATEID_TYPE;\n\tnfs4_test_and_free_stateid(server, stateid, cred);\n}", "project": "linux", "hash": 253725692644103992310196468627530400619, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431629 }, { "func": "static void tracing_set_nop(struct trace_array *tr)\n{\n\tif (tr->current_trace == &nop_trace)\n\t\treturn;\n\t\n\ttr->current_trace->enabled--;\n\n\tif (tr->current_trace->reset)\n\t\ttr->current_trace->reset(tr);\n\n\ttr->current_trace = &nop_trace;\n}", "project": "linux", "hash": 216069087343665103608073672954106722282, "size": 12, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445762 }, { "func": "RGWOp* RGWSwiftWebsiteHandler::get_ws_redirect_op()\n{\n class RGWMovedPermanently: public RGWOp {\n const std::string location;\n public:\n explicit RGWMovedPermanently(const std::string& location)\n : location(location) {\n }\n\n int verify_permission() override {\n return 0;\n }\n\n void execute() override {\n op_ret = -ERR_PERMANENT_REDIRECT;\n return;\n }\n\n void send_response() override {\n set_req_state_err(s, op_ret);\n dump_errno(s);\n dump_content_length(s, 0);\n dump_redirect(s, location);\n end_header(s, this);\n }\n\n const char* name() const override {\n return \"RGWMovedPermanently\";\n }\n };\n\n return new RGWMovedPermanently(s->info.request_uri + '/');\n}", "project": "ceph", "hash": 32390839007774219152371437540383219877, "size": 33, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448867 }, { "func": "static void slab_mem_offline_callback(void *arg)\n{\n\tstruct kmem_cache_node *n;\n\tstruct kmem_cache *s;\n\tstruct memory_notify *marg = arg;\n\tint offline_node;\n\n\toffline_node = marg->status_change_nid_normal;\n\n\t/*\n\t * If the node still has available memory. 
we need kmem_cache_node\n\t * for it yet.\n\t */\n\tif (offline_node < 0)\n\t\treturn;\n\n\tmutex_lock(&slab_mutex);\n\tlist_for_each_entry(s, &slab_caches, list) {\n\t\tn = get_node(s, offline_node);\n\t\tif (n) {\n\t\t\t/*\n\t\t\t * if n->nr_slabs > 0, slabs still exist on the node\n\t\t\t * that is going down. We were unable to free them,\n\t\t\t * and offline_pages() function shouldn't call this\n\t\t\t * callback. So, we must fail.\n\t\t\t */\n\t\t\tBUG_ON(slabs_node(s, offline_node));\n\n\t\t\ts->node[offline_node] = NULL;\n\t\t\tkmem_cache_free(kmem_cache_node, n);\n\t\t}\n\t}\n\tmutex_unlock(&slab_mutex);\n}", "project": "linux", "hash": 241409765814290746930753129102666600075, "size": 34, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280259 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "sgx_status_t ecall_put_secret_data(sgx_ra_context_t context,\n uint8_t* p_secret,\n uint32_t secret_size,\n uint8_t* gcm_mac) {\n try {\n return put_secret_data(context, p_secret, secret_size, gcm_mac);\n } catch (const std::runtime_error &e) {\n ocall_throw(e.what());\n return SGX_ERROR_UNEXPECTED;\n }\n}", "idx": 519062, "cwe": "CWE-787", "hash": 308586038446705430038635919122202378822, "dataset": "other" }, { "func": "static inline void trace_access_lock(int cpu)\n{\n\t(void)cpu;\n\tmutex_lock(&access_lock);\n}", "project": "linux", "hash": 33909298625037771036209154035677744624, "size": 5, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445595 }, { "func": "static inline void trace_access_lock(int cpu)\n{\n\tif (cpu == RING_BUFFER_ALL_CPUS) {\n\t\t/* gain it for accessing the whole ring buffer. */\n\t\tdown_write(&all_cpu_access_lock);\n\t} else {\n\t\t/* gain it for accessing a cpu ring buffer. */\n\n\t\t/* Firstly block other trace_access_lock(RING_BUFFER_ALL_CPUS). */\n\t\tdown_read(&all_cpu_access_lock);\n\n\t\t/* Secondly block other access to this @cpu ring buffer. */\n\t\tmutex_lock(&per_cpu(cpu_access_lock, cpu));\n\t}\n}", "project": "linux", "hash": 309956017968366731422982972106736993483, "size": 15, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445604 }, { "func": "static Variant php_pcre_replace(const String& pattern, const String& subject,\n const Variant& replace_var, bool callable,\n int limit, int* replace_count) {\n PCRECache::Accessor accessor;\n if (!pcre_get_compiled_regex_cache(accessor, pattern.get())) {\n return preg_return_bad_regex_error(init_null());\n }\n const pcre_cache_entry* pce = accessor.get();\n if (pce->preg_options & PREG_REPLACE_EVAL) {\n raise_error(\"preg_replace(): Support for the /e modifier has been removed, use \"\n \"preg_replace_callback instead\");\n }\n\n int size_offsets;\n int* offsets = create_offset_array(pce, size_offsets);\n SmartFreeHelper offsetsFreer(offsets);\n if (offsets == nullptr) {\n return preg_return_internal_error(init_null());\n }\n\n const char* const* subpat_names = get_subpat_names(pce);\n if (subpat_names == nullptr) {\n return preg_return_internal_error(init_null());\n }\n\n const char* replace = nullptr;\n const char* replace_end = nullptr;\n int replace_len = 0;\n String replace_val;\n\n if (!callable) {\n replace_val = replace_var.toString();\n replace = replace_val.data();\n replace_len = replace_val.size();\n replace_end = replace + replace_len;\n }\n\n StringBuffer result(2 * subject.size());\n\n try {\n\n /* Initialize */\n const char* match = nullptr;\n int start_offset = 0;\n pcre_extra extra;\n init_local_extra(&extra, pce->extra);\n\n const char* walk; // Used to walk the replacement string\n char walk_last; // Last walked character\n int match_len; // Length of the current match\n int backref; // Backreference number\n int g_notempty = 0; 
// If the match should not be empty\n int exec_options = 0; // Options passed to pcre_exec\n while (1) {\n /* Execute the regular expression. */\n int count = pcre_exec(pce->re, &extra, subject.data(), subject.size(),\n start_offset,\n exec_options | g_notempty,\n offsets, size_offsets);\n\n /* The string was already proved to be valid UTF-8 */\n exec_options |= PCRE_NO_UTF8_CHECK;\n\n /* Check for too many substrings condition. */\n if (count == 0) {\n raise_warning(\"Matched, but too many substrings\");\n count = size_offsets / 3;\n }\n\n const char* piece = subject.data() + start_offset;\n if (count > 0 && offsets[1] >= offsets[0] &&\n (limit == -1 || limit > 0)) {\n if (replace_count) {\n ++*replace_count;\n }\n /* Set the match location in subject */\n match = subject.data() + offsets[0];\n\n String callable_result;\n if (callable) {\n /* Use custom function to get replacement string and its length. */\n callable_result = preg_do_repl_func(replace_var, subject, offsets,\n subpat_names, count);\n } else { /* do regular substitution */\n walk = replace;\n walk_last = 0;\n while (walk < replace_end) {\n if ('\\\\' == *walk || '$' == *walk) {\n if (walk_last == '\\\\') {\n walk++;\n walk_last = 0;\n continue;\n }\n if (preg_get_backref(&walk, &backref)) {\n if (backref < count) {\n match_len = offsets[(backref<<1)+1] - offsets[backref<<1];\n }\n continue;\n }\n }\n walk++;\n walk_last = walk[-1];\n }\n }\n\n /* copy the part of the string before the match */\n result.append(piece, match-piece);\n\n /* copy replacement and backrefs */\n int result_len = result.size();\n\n if (callable) {\n /* Copy result from custom function to buffer and clean up. 
*/\n result.append(callable_result.data(), callable_result.size());\n result_len += callable_result.size();\n } else { /* do regular backreference copying */\n walk = replace;\n walk_last = 0;\n Array params;\n while (walk < replace_end) {\n if ('\\\\' == *walk || '$' == *walk) {\n if (walk_last == '\\\\') {\n result.set(result.size() - 1, *walk++);\n walk_last = 0;\n continue;\n }\n if (preg_get_backref(&walk, &backref)) {\n if (backref < count) {\n match_len = offsets[(backref<<1)+1] - offsets[backref<<1];\n result.append(\n subject.data() + offsets[backref<<1],\n match_len\n );\n }\n continue;\n }\n }\n result.append(*walk++);\n walk_last = walk[-1];\n }\n }\n\n if (limit != -1) {\n limit--;\n }\n\n } else if (count == PCRE_ERROR_NOMATCH || limit == 0) {\n /* If we previously set PCRE_NOTEMPTY after a null match,\n this is not necessarily the end. We need to advance\n the start offset, and continue. Fudge the offset values\n to achieve this, unless we're already at the end of the string. 
*/\n if (g_notempty != 0 && start_offset < subject.size()) {\n offsets[0] = start_offset;\n offsets[1] = start_offset + 1;\n result.append(piece, 1);\n } else {\n /* stick that last bit of string on our output */\n result.append(piece, subject.size() - start_offset);\n break;\n }\n } else {\n if (pcre_need_log_error(count)) {\n const char* s;\n int size;\n String stemp;\n if (callable) {\n if (replace_var.isObject()) {\n stemp = replace_var.asCObjRef()->getClassName().asString()\n + \"::__invoke\";\n } else {\n stemp = replace_var.toString();\n }\n s = stemp.data();\n size = stemp.size();\n } else {\n s = replace_val.data();\n size = replace_val.size();\n }\n pcre_log_error(__FUNCTION__, __LINE__, count,\n pattern.data(), pattern.size(),\n subject.data(), subject.size(),\n s, size,\n callable, limit, start_offset, g_notempty);\n }\n return preg_return_pcre_error(count, init_null());\n }\n\n /* If we have matched an empty string, mimic what Perl's /g options does.\n This turns out to be rather cunning. First we set PCRE_NOTEMPTY and try\n the match again at the same point. If this fails (picked up above) we\n advance to the next character. */\n g_notempty = (offsets[1] == offsets[0])? PCRE_NOTEMPTY | PCRE_ANCHORED : 0;\n\n /* Advance to the next piece. */\n start_offset = offsets[1];\n }\n\n return preg_return_no_error(result.detach());\n } catch (...) 
{\n throw;\n }\n}", "project": "hhvm", "hash": 12739977580301400517282192582480074035, "size": 202, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219394 }, { "func": "static inline int kmem_cache_debug(struct kmem_cache *s)\n{\n#ifdef CONFIG_SLUB_DEBUG\n\treturn unlikely(s->flags & SLAB_DEBUG_FLAGS);\n#else\n\treturn 0;\n#endif\n}", "project": "linux", "hash": 280007753346564029216910048474225457016, "size": 8, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280196 }, { "func": "CallResult JSObject::updateOwnProperty(\n Handle selfHandle,\n Runtime *runtime,\n SymbolID name,\n HiddenClass::PropertyPos propertyPos,\n NamedPropertyDescriptor desc,\n const DefinePropertyFlags dpFlags,\n Handle<> valueOrAccessor,\n PropOpFlags opFlags) {\n auto updateStatus = checkPropertyUpdate(\n runtime,\n desc.flags,\n dpFlags,\n getNamedSlotValue(selfHandle.get(), runtime, desc),\n valueOrAccessor,\n opFlags);\n if (updateStatus == ExecutionStatus::EXCEPTION)\n return ExecutionStatus::EXCEPTION;\n if (updateStatus->first == PropertyUpdateStatus::failed)\n return false;\n\n // If the property 
flags changed, update them.\n if (updateStatus->second != desc.flags) {\n desc.flags = updateStatus->second;\n auto newClazz = HiddenClass::updateProperty(\n runtime->makeHandle(selfHandle->clazz_),\n runtime,\n propertyPos,\n desc.flags);\n selfHandle->clazz_.set(runtime, *newClazz, &runtime->getHeap());\n }\n\n if (updateStatus->first == PropertyUpdateStatus::done)\n return true;\n assert(\n updateStatus->first == PropertyUpdateStatus::needSet &&\n \"unexpected PropertyUpdateStatus\");\n\n if (dpFlags.setValue) {\n if (LLVM_LIKELY(!desc.flags.internalSetter))\n setNamedSlotValue(selfHandle.get(), runtime, desc, valueOrAccessor.get());\n else\n return internalSetter(\n selfHandle, runtime, name, desc, valueOrAccessor, opFlags);\n } else if (dpFlags.isAccessor()) {\n setNamedSlotValue(selfHandle.get(), runtime, desc, valueOrAccessor.get());\n } else {\n // If checkPropertyUpdate() returned needSet, but there is no value or\n // accessor, clear the value.\n setNamedSlotValue(\n selfHandle.get(), runtime, desc, HermesValue::encodeUndefinedValue());\n }\n\n return true;\n}", "project": "hermes", "hash": 169237144585004247320648048069490225147, "size": 55, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230225 }, { "func": "int zap_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,\n\t\t pmd_t *pmd, unsigned long addr)\n{\n\tpmd_t orig_pmd;\n\tspinlock_t *ptl;\n\n\ttlb_change_page_size(tlb, HPAGE_PMD_SIZE);\n\n\tptl = __pmd_trans_huge_lock(pmd, vma);\n\tif (!ptl)\n\t\treturn 0;\n\t/*\n\t * For architectures like ppc64 we look at deposited pgtable\n\t * when calling pmdp_huge_get_and_clear. So do the\n\t * pgtable_trans_huge_withdraw after finishing pmdp related\n\t * operations.\n\t */\n\torig_pmd = pmdp_huge_get_and_clear_full(tlb->mm, addr, pmd,\n\t\t\ttlb->fullmm);\n\ttlb_remove_pmd_tlb_entry(tlb, pmd, addr);\n\tif (vma_is_special_huge(vma)) {\n\t\tif (arch_needs_pgtable_deposit())\n\t\t\tzap_deposited_table(tlb->mm, pmd);\n\t\tspin_unlock(ptl);\n\t\tif (is_huge_zero_pmd(orig_pmd))\n\t\t\ttlb_remove_page_size(tlb, pmd_page(orig_pmd), HPAGE_PMD_SIZE);\n\t} else if (is_huge_zero_pmd(orig_pmd)) {\n\t\tzap_deposited_table(tlb->mm, pmd);\n\t\tspin_unlock(ptl);\n\t\ttlb_remove_page_size(tlb, pmd_page(orig_pmd), HPAGE_PMD_SIZE);\n\t} else {\n\t\tstruct page *page = NULL;\n\t\tint flush_needed = 1;\n\n\t\tif (pmd_present(orig_pmd)) {\n\t\t\tpage = pmd_page(orig_pmd);\n\t\t\tpage_remove_rmap(page, true);\n\t\t\tVM_BUG_ON_PAGE(page_mapcount(page) < 0, page);\n\t\t\tVM_BUG_ON_PAGE(!PageHead(page), page);\n\t\t} else if (thp_migration_supported()) {\n\t\t\tswp_entry_t entry;\n\n\t\t\tVM_BUG_ON(!is_pmd_migration_entry(orig_pmd));\n\t\t\tentry = pmd_to_swp_entry(orig_pmd);\n\t\t\tpage = pfn_to_page(swp_offset(entry));\n\t\t\tflush_needed = 0;\n\t\t} else\n\t\t\tWARN_ONCE(1, \"Non present huge pmd without pmd migration enabled!\");\n\n\t\tif (PageAnon(page)) 
{\n\t\t\tzap_deposited_table(tlb->mm, pmd);\n\t\t\tadd_mm_counter(tlb->mm, MM_ANONPAGES, -HPAGE_PMD_NR);\n\t\t} else {\n\t\t\tif (arch_needs_pgtable_deposit())\n\t\t\t\tzap_deposited_table(tlb->mm, pmd);\n\t\t\tadd_mm_counter(tlb->mm, mm_counter_file(page), -HPAGE_PMD_NR);\n\t\t}\n\n\t\tspin_unlock(ptl);\n\t\tif (flush_needed)\n\t\t\ttlb_remove_page_size(tlb, page, HPAGE_PMD_SIZE);\n\t}\n\treturn 1;\n}", "project": "linux", "hash": 327583538601577646753954476455281243137, "size": 64, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. 
Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364129 }, { "func": "static void __execlists_reset_reg_state(const struct intel_context *ce,\n\t\t\t\t\tconst struct intel_engine_cs *engine)\n{\n\tu32 *regs = ce->lrc_reg_state;\n\tint x;\n\n\tx = lrc_ring_mi_mode(engine);\n\tif (x != -1) {\n\t\tregs[x + 1] &= ~STOP_RING;\n\t\tregs[x + 1] |= STOP_RING << 16;\n\t}\n}", "project": "linux", "hash": 207227874543314884387044060103188849455, "size": 12, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281542 }, { "func": "unsigned long gfn_to_hva_prot(struct kvm *kvm, gfn_t gfn, bool *writable)\n{\n\tstruct kvm_memory_slot *slot = gfn_to_memslot(kvm, gfn);\n\n\treturn gfn_to_hva_memslot_prot(slot, gfn, writable);\n}", "project": "linux", "hash": 229158219027242038778702131855062322423, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354762 }, { "func": "static int exec_grep(int argc, const char **argv)\n{\n\tpid_t pid;\n\tint status;\n\n\targv[argc] = NULL;\n\tpid = fork();\n\tif (pid < 0)\n\t\treturn pid;\n\tif (!pid) {\n\t\texecvp(\"grep\", (char **) argv);\n\t\texit(255);\n\t}\n\twhile (waitpid(pid, &status, 0) < 0) {\n\t\tif (errno == EINTR)\n\t\t\tcontinue;\n\t\treturn -1;\n\t}\n\tif (WIFEXITED(status)) {\n\t\tif (!WEXITSTATUS(status))\n\t\t\treturn 1;\n\t\treturn 0;\n\t}\n\treturn -1;\n}", "project": "git", "hash": 130620948247332009512582666812130752071, "size": 
25, "commit_id": "620e2bb93785ed8eb60846d94fd4753d4817c8ec", "message": "Fix buffer overflow in git-grep\n\nIf PATH_MAX on your system is smaller than any path stored in the git\nrepository, that can cause memory corruption inside of the grep_tree\nfunction used by git-grep.\n\nSigned-off-by: Dmitry Potapov \nSigned-off-by: Junio C Hamano ", "target": 0, "dataset": "other", "idx": 446051 }, { "func": "\nstatic ssize_t bfq_strict_guarantees_store(struct elevator_queue *e,\n\t\t\t\t const char *page, size_t count)\n{\n\tstruct bfq_data *bfqd = e->elevator_data;\n\tunsigned long __data;\n\tint ret;\n\n\tret = bfq_var_store(&__data, (page));\n\tif (ret)\n\t\treturn ret;\n\n\tif (__data > 1)\n\t\t__data = 1;\n\tif (!bfqd->strict_guarantees && __data == 1\n\t && bfqd->bfq_slice_idle < 8 * NSEC_PER_MSEC)\n\t\tbfqd->bfq_slice_idle = 8 * NSEC_PER_MSEC;\n\n\tbfqd->strict_guarantees = __data;\n\n\treturn count;", "project": "linux", "hash": 15196820376473080233521789264124202047, "size": 21, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453352 }, { "func": "static loff_t fuse_file_llseek(struct file *file, loff_t offset, int whence)\n{\n\tloff_t retval;\n\tstruct inode *inode = file_inode(file);\n\n\tswitch (whence) {\n\tcase SEEK_SET:\n\tcase SEEK_CUR:\n\t\t /* No i_mutex protection necessary for SEEK_CUR and SEEK_SET */\n\t\tretval = generic_file_llseek(file, offset, whence);\n\t\tbreak;\n\tcase SEEK_END:\n\t\tinode_lock(inode);\n\t\tretval = fuse_update_attributes(inode, file);\n\t\tif (!retval)\n\t\t\tretval = generic_file_llseek(file, offset, whence);\n\t\tinode_unlock(inode);\n\t\tbreak;\n\tcase SEEK_HOLE:\n\tcase SEEK_DATA:\n\t\tinode_lock(inode);\n\t\tretval = fuse_lseek(file, offset, whence);\n\t\tinode_unlock(inode);\n\t\tbreak;\n\tdefault:\n\t\tretval = -EINVAL;\n\t}\n\n\treturn retval;\n}", "project": "linux", "hash": 3823351057166684801024268533517846692, "size": 30, "commit_id": 
"5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341990 }, { "func": "static int init_ov_sensor(struct sd *sd, u8 slave)\n{\n\tint i;\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\n\tov51x_set_slave_ids(sd, slave);\n\n\t/* Reset the sensor */\n\ti2c_w(sd, 0x12, 0x80);\n\n\t/* Wait for it to initialize */\n\tmsleep(150);\n\n\tfor (i = 0; i < i2c_detect_tries; i++) {\n\t\tif (i2c_r(sd, OV7610_REG_ID_HIGH) == 0x7f &&\n\t\t i2c_r(sd, OV7610_REG_ID_LOW) == 0xa2) {\n\t\t\tgspca_dbg(gspca_dev, D_PROBE, \"I2C synced in %d attempt(s)\\n\",\n\t\t\t\t i);\n\t\t\treturn 0;\n\t\t}\n\n\t\t/* Reset the sensor */\n\t\ti2c_w(sd, 0x12, 0x80);\n\n\t\t/* Wait for it to initialize */\n\t\tmsleep(150);\n\n\t\t/* Dummy read to sync I2C */\n\t\tif (i2c_r(sd, 0x00) < 0)\n\t\t\treturn -1;\n\t}\n\treturn -1;\n}", "project": "linux", "hash": 169390934038983797944761406073661444096, "size": 33, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to 
avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306348 }, { "func": "static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i)\n{\n\tint num_vcpus = atomic_read(&kvm->online_vcpus);\n\ti = array_index_nospec(i, num_vcpus);\n\n\t/* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu. */\n\tsmp_rmb();\n\treturn kvm->vcpus[i];\n}", "project": "linux", "hash": 229338149683929648074733364809500671092, "size": 9, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354689 }, { "func": " void SpatialMaxPoolGradGrad(OpKernelContext* context, Tensor* bottom_diff,\n const Tensor& tensor_in, const Tensor& tensor_out,\n const Tensor& top_diff,\n const PoolParameters& params,\n const Padding& padding) {\n typedef Eigen::Map>\n ConstEigenMatrixMap;\n typedef Eigen::Map>\n 
EigenMatrixMap;\n\n ConstEigenMatrixMap in_mat(\n tensor_in.flat().data(), params.depth,\n params.tensor_in_cols * params.tensor_in_rows * params.tensor_in_batch);\n ConstEigenMatrixMap out_mat(\n tensor_out.flat().data(), params.depth,\n params.out_width * params.out_height * params.tensor_in_batch);\n ConstEigenMatrixMap top_diff_mat(\n top_diff.flat().data(), params.depth,\n params.tensor_in_cols * params.tensor_in_rows * params.tensor_in_batch);\n EigenMatrixMap bottom_diff_mat(\n bottom_diff->flat().data(), params.depth,\n params.out_width * params.out_height * params.tensor_in_batch);\n\n const DeviceBase::CpuWorkerThreads& worker_threads =\n *(context->device()->tensorflow_cpu_worker_threads());\n\n // The following code basically does the following:\n // 1. Flattens the input, output, top_diff and bottom_diff tensors into\n // two dimensional arrays.\n // tensor_in_as_matrix:\n // depth by (tensor_in_cols * tensor_in_rows * tensor_in_batch)\n // tensor_out_as_matrix:\n // depth by (out_width * out_height * tensor_in_batch)\n // top_diff_as_matrix:\n // depth by (tensor_in_cols * tensor_in_rows * tensor_in_batch)\n // bottom_diff_as_matrix:\n // depth by (out_width * out_height * tensor_in_batch)\n //\n // 2. 
Walks through the set of columns in the flattened\n // tensor_in_as_matrix, tensor_out_as_matrix, top_diff_as_matrix\n // and updates the column(s) corresponding to the maximum values in\n // tensor_out_as_matrix with the corresponding values in\n // top_diff_as_matrix.\n auto shard = [&params, &in_mat, &out_mat, &top_diff_mat, &bottom_diff_mat](\n int64 start, int64 limit) {\n const int32 depth = params.depth;\n const int32 in_rows = params.tensor_in_rows;\n const int32 in_cols = params.tensor_in_cols;\n const int32 pad_top = params.pad_top;\n const int32 pad_left = params.pad_left;\n const int32 window_rows = params.window_rows;\n const int32 window_cols = params.window_cols;\n const int32 row_stride = params.row_stride;\n const int32 col_stride = params.col_stride;\n const int32 out_height = params.out_height;\n const int32 out_width = params.out_width;\n\n {\n // Initializes the output grad backprop tensor with 0.\n const int32 output_image_size = out_height * out_width * params.depth;\n EigenMatrixMap bottom_diff_shard(\n bottom_diff_mat.data() + start * output_image_size, 1,\n (limit - start) * output_image_size);\n bottom_diff_shard.setZero();\n }\n\n for (int b = start; b < limit; ++b) {\n for (int ph = 0; ph < out_height; ++ph) {\n for (int pw = 0; pw < out_width; ++pw) {\n // (h_start, h_end) * (w_start, w_end) is the range that the input\n // vector projects to.\n int h_start = ph * row_stride - pad_top;\n const int h_end = std::min(h_start + window_rows, in_rows);\n int w_start = pw * col_stride - pad_left;\n const int w_end = std::min(w_start + window_cols, in_cols);\n h_start = std::max(h_start, 0);\n w_start = std::max(w_start, 0);\n const int out_index = (b * out_height + ph) * out_width + pw;\n // Find value corresponding to the input maximum in top_diff.\n for (int d = 0; d < depth; ++d) {\n const T& output_ref = out_mat.coeffRef(d, out_index);\n bool should_stop = false;\n for (int h = h_start; h < h_end && !should_stop; ++h) {\n for (int w = 
w_start; w < w_end && !should_stop; ++w) {\n const int in_index = (b * in_rows + h) * in_cols + w;\n const T& input_ref = in_mat.coeffRef(d, in_index);\n if (output_ref == input_ref) {\n T& bottom_diff_ref = bottom_diff_mat.coeffRef(d, out_index);\n bottom_diff_ref = top_diff_mat.coeffRef(d, in_index);\n should_stop = true;\n }\n }\n }\n }\n }\n }\n }\n };\n\n const int64 shard_cost = params.out_width * params.out_height *\n params.depth * params.window_rows *\n params.window_cols;\n Shard(worker_threads.num_threads, worker_threads.workers,\n params.tensor_in_batch, shard_cost, shard);\n }", "project": "tensorflow", "hash": 19576004601672702121578231066284100967, "size": 105, "commit_id": "dcd7867de0fea4b72a2b34bd41eb74548dc23886", "message": "Fix heap buffer overflow\n\nPiperOrigin-RevId: 372132844\nChange-Id: Idef9895efaf145f2b1c23d31983601ec980cd5e4", "target": 0, "dataset": "other", "idx": 245443 }, { "func": "static int getlonglong(FILE *sfd, long long *val) {\n char tokbuf[100]; int ch;\n char *pt=tokbuf, *end = tokbuf+100-2;\n\n while ( isspace(ch = nlgetc(sfd)));\n if ( ch=='-' || ch=='+' ) {\n\t*pt++ = ch;\n\tch = nlgetc(sfd);\n }\n while ( isdigit(ch)) {\n\tif ( ptfontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417915 }, { "func": "static inline int alloc_kmem_cache_cpus(struct kmem_cache *s)\n{\n\tBUILD_BUG_ON(PERCPU_DYNAMIC_EARLY_SIZE <\n\t\t\tKMALLOC_SHIFT_HIGH * sizeof(struct kmem_cache_cpu));\n\n\t/*\n\t * Must align to double word boundary for the double cmpxchg\n\t * instructions to work; see __pcpu_double_call_return_bool().\n\t */\n\ts->cpu_slab = __alloc_percpu(sizeof(struct kmem_cache_cpu),\n\t\t\t\t 2 * sizeof(void *));\n\n\tif (!s->cpu_slab)\n\t\treturn 0;\n\n\tinit_kmem_cache_cpus(s);\n\n\treturn 1;\n}", "project": "linux", "hash": 1904010704143008876985757371228663804, "size": 19, "commit_id": 
"fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280115 }, { "func": "bool checkreturn pb_read(pb_istream_t *stream, uint8_t *buf, size_t count)\n{\n#ifndef PB_BUFFER_ONLY\n\tif (buf == NULL && stream->callback != buf_read)\n\t{\n\t\t/* Skip input bytes */\n\t\tuint8_t tmp[16];\n\t\twhile (count > 16)\n\t\t{\n\t\t\tif (!pb_read(stream, tmp, 16))\n\t\t\t\treturn false;\n\t\t\t\n\t\t\tcount -= 16;\n\t\t}\n\t\t\n\t\treturn pb_read(stream, tmp, count);\n\t}\n#endif\n\n if (stream->bytes_left < count)\n PB_RETURN_ERROR(stream, \"end-of-stream\");\n \n#ifndef PB_BUFFER_ONLY\n if (!stream->callback(stream, buf, count))\n PB_RETURN_ERROR(stream, \"io error\");\n#else\n if (!buf_read(stream, buf, count))\n return false;\n#endif\n \n stream->bytes_left -= count;\n return true;\n}", "project": "nanopb", "hash": 15275693418160395119585752311619934461, "size": 33, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255327 }, { "func": "static void __init_autocomplete_default (RCore* core) {\n\tconst char *fcns[] = {\n\t\t\"afi\", \"afcf\", \"afn\", NULL\n\t};\n\tconst char *seeks[] = {\n\t\t\"s\", NULL\n\t};\n\tconst 
char *flags[] = {\n\t\t\"*\", \"s\", \"s+\", \"b\", \"f\", \"fg\", \"?\", \"?v\", \"ad\", \"bf\", \"c1\", \"db\", \"dbw\",\n\t\t\"f-\", \"fr\", \"tf\", \"/a\", \"/v\", \"/r\", \"/re\", \"aav\", \"aep\", \"aef\", \"afb\",\n\t\t\"afc\", \"axg\", \"axt\", \"axf\", \"dcu\", \"ag\", \"agfl\", \"aecu\", \"aesu\", \"aeim\", NULL\n\t};\n\tconst char *evals[] = {\n\t\t\"e\", \"ee\", \"et\", \"e?\", \"e!\", \"ev\", \"evj\", NULL\n\t};\n\tconst char *breaks[] = {\n\t\t\"db-\", \"dbc\", \"dbC\", \"dbd\", \"dbe\", \"dbs\", \"dbi\", \"dbte\", \"dbtd\", \"dbts\", NULL\n\t};\n\tconst char *files[] = {\n\t\t\".\", \"..\", \".*\", \"/F\", \"/m\", \"!\", \"!!\", \"#!c\", \"#!v\", \"#!cpipe\", \"#!vala\",\n\t\t\"#!rust\", \"#!zig\", \"#!pipe\", \"#!python\", \"aeli\", \"arp\", \"dmd\", \"drp\", \"o\",\n\t\t\"idp\", \"idpi\", \"L\", \"obf\", \"o+\", \"oc\", \"r2\", \"rabin2\", \"rasm2\", \"rahash2\", \"rax2\",\n\t\t\"rafind2\", \"cd\", \"on\", \"op\", \"wf\", \"rm\", \"wF\", \"wp\", \"Sd\", \"Sl\", \"to\", \"pm\",\n\t\t\"/m\", \"zos\", \"zfd\", \"zfs\", \"zfz\", \"cat\", \"wta\", \"wtf\", \"wxf\", \"dml\", \"vi\",\n\t\t\"less\", \"head\", \"tail\", NULL\n\t};\n\tconst char *projs[] = {\n\t\t\"Pc\", \"Pd\", \"Pi\", \"Po\", \"Ps\", \"P-\", NULL\n\t};\n\tconst char *mounts[] = {\n\t\t\"md\", \"mg\", \"mo\", \"ms\", \"mc\", \"mi\", \"mw\", NULL\n\t};\n\t__foreach (core, flags, R_CORE_AUTOCMPLT_FLAG);\n\t__foreach (core, seeks, R_CORE_AUTOCMPLT_SEEK);\n\t__foreach (core, fcns, R_CORE_AUTOCMPLT_FCN);\n\t__foreach (core, evals, R_CORE_AUTOCMPLT_EVAL);\n\t__foreach (core, breaks, R_CORE_AUTOCMPLT_BRKP);\n\t__foreach (core, files, R_CORE_AUTOCMPLT_FILE);\n\t__foreach (core, projs, R_CORE_AUTOCMPLT_PRJT);\n\t__foreach (core, mounts, R_CORE_AUTOCMPLT_MS);\n\n\tr_core_autocomplete_add (core->autocomplete, \"-\", R_CORE_AUTOCMPLT_MINS, true);\n\tr_core_autocomplete_add (core->autocomplete, \"zs\", R_CORE_AUTOCMPLT_ZIGN, true);\n\tr_core_autocomplete_add (core->autocomplete, \"fs\", 
R_CORE_AUTOCMPLT_FLSP, true);\n\tr_core_autocomplete_add (\n\t\tr_core_autocomplete_add (core->autocomplete, \"ls\", R_CORE_AUTOCMPLT_DFLT, true),\n\t\t\"-l\", R_CORE_AUTOCMPLT_FILE, true);\n\tr_core_autocomplete_add (core->autocomplete, \"eco\", R_CORE_AUTOCMPLT_THME, true);\n\tr_core_autocomplete_add (core->autocomplete, \"k\", R_CORE_AUTOCMPLT_SDB, true);\n\t/* macros */\n\tr_core_autocomplete_add (core->autocomplete, \".(\", R_CORE_AUTOCMPLT_MACR, true);\n\tr_core_autocomplete_add (core->autocomplete, \"(-\", R_CORE_AUTOCMPLT_MACR, true);\n\t/* just for hints */\n\tint i;\n\tfor (i = 0; i < radare_argc && radare_argv[i]; i++) {\n\t\tif (!r_core_autocomplete_find (core->autocomplete, radare_argv[i], true)) {\n\t\t\tr_core_autocomplete_add (core->autocomplete, radare_argv[i], R_CORE_AUTOCMPLT_DFLT, true);\n\t\t}\n\t}\n}", "project": "radare2", "hash": 284358266354063439115164530280736117516, "size": 60, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232147 }, { "func": "int dehexchar(char c) {\n if (c >= '0' && c <= '9') return c - '0';\n if (c >= 'A' && c <= 'F') return c - ('A' - 10);\n if (c >= 'a' && c <= 'f') return c - ('a' - 10);\n return -1;\n}", "project": "hhvm", "hash": 269905357429644202245026767685021546050, "size": 6, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227322 }, { "func": " Longlong_hybrid to_longlong_hybrid()\n {\n return Longlong_hybrid(val_int(), unsigned_flag);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": 
"2e7891080667c59ac80f788eef4d59d447595772", "hash": 31041866037592582648088159808109373525, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509445 }, { "func": "static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)\n{\n\tstruct sock *sk = sock->sk;\n\tDECLARE_SOCKADDR(struct sockaddr_ll *, saddr, msg->msg_name);\n\tstruct sk_buff *skb;\n\tstruct net_device *dev;\n\t__be16 proto;\n\tunsigned char *addr = NULL;\n\tint err, reserve = 0;\n\tstruct sockcm_cookie sockc;\n\tstruct virtio_net_hdr vnet_hdr = { 0 };\n\tint offset = 0;\n\tstruct packet_sock *po = pkt_sk(sk);\n\tbool has_vnet_hdr = false;\n\tint hlen, tlen, linear;\n\tint extra_len = 0;\n\n\t/*\n\t *\tGet and verify the address.\n\t */\n\n\tif (likely(saddr == NULL)) {\n\t\tdev\t= packet_cached_dev_get(po);\n\t\tproto\t= po->num;\n\t} else {\n\t\terr = -EINVAL;\n\t\tif (msg->msg_namelen < sizeof(struct sockaddr_ll))\n\t\t\tgoto out;\n\t\tif (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr)))\n\t\t\tgoto out;\n\t\tproto\t= saddr->sll_protocol;\n\t\tdev = 
dev_get_by_index(sock_net(sk), saddr->sll_ifindex);\n\t\tif (sock->type == SOCK_DGRAM) {\n\t\t\tif (dev && msg->msg_namelen < dev->addr_len +\n\t\t\t\t offsetof(struct sockaddr_ll, sll_addr))\n\t\t\t\tgoto out_unlock;\n\t\t\taddr = saddr->sll_addr;\n\t\t}\n\t}\n\n\terr = -ENXIO;\n\tif (unlikely(dev == NULL))\n\t\tgoto out_unlock;\n\terr = -ENETDOWN;\n\tif (unlikely(!(dev->flags & IFF_UP)))\n\t\tgoto out_unlock;\n\n\tsockcm_init(&sockc, sk);\n\tsockc.mark = sk->sk_mark;\n\tif (msg->msg_controllen) {\n\t\terr = sock_cmsg_send(sk, msg, &sockc);\n\t\tif (unlikely(err))\n\t\t\tgoto out_unlock;\n\t}\n\n\tif (sock->type == SOCK_RAW)\n\t\treserve = dev->hard_header_len;\n\tif (po->has_vnet_hdr) {\n\t\terr = packet_snd_vnet_parse(msg, &len, &vnet_hdr);\n\t\tif (err)\n\t\t\tgoto out_unlock;\n\t\thas_vnet_hdr = true;\n\t}\n\n\tif (unlikely(sock_flag(sk, SOCK_NOFCS))) {\n\t\tif (!netif_supports_nofcs(dev)) {\n\t\t\terr = -EPROTONOSUPPORT;\n\t\t\tgoto out_unlock;\n\t\t}\n\t\textra_len = 4; /* We're doing our own CRC */\n\t}\n\n\terr = -EMSGSIZE;\n\tif (!vnet_hdr.gso_type &&\n\t (len > dev->mtu + reserve + VLAN_HLEN + extra_len))\n\t\tgoto out_unlock;\n\n\terr = -ENOBUFS;\n\thlen = LL_RESERVED_SPACE(dev);\n\ttlen = dev->needed_tailroom;\n\tlinear = __virtio16_to_cpu(vio_le(), vnet_hdr.hdr_len);\n\tlinear = max(linear, min_t(int, len, dev->hard_header_len));\n\tskb = packet_alloc_skb(sk, hlen + tlen, hlen, len, linear,\n\t\t\t msg->msg_flags & MSG_DONTWAIT, &err);\n\tif (skb == NULL)\n\t\tgoto out_unlock;\n\n\tskb_reset_network_header(skb);\n\n\terr = -EINVAL;\n\tif (sock->type == SOCK_DGRAM) {\n\t\toffset = dev_hard_header(skb, dev, ntohs(proto), addr, NULL, len);\n\t\tif (unlikely(offset < 0))\n\t\t\tgoto out_free;\n\t} else if (reserve) {\n\t\tskb_reserve(skb, -reserve);\n\t\tif (len < reserve + sizeof(struct ipv6hdr) &&\n\t\t dev->min_header_len != dev->hard_header_len)\n\t\t\tskb_reset_network_header(skb);\n\t}\n\n\t/* Returns -EFAULT on error */\n\terr = 
skb_copy_datagram_from_iter(skb, offset, &msg->msg_iter, len);\n\tif (err)\n\t\tgoto out_free;\n\n\tif (sock->type == SOCK_RAW &&\n\t !dev_validate_header(dev, skb->data, len)) {\n\t\terr = -EINVAL;\n\t\tgoto out_free;\n\t}\n\n\tskb_setup_tx_timestamp(skb, sockc.tsflags);\n\n\tif (!vnet_hdr.gso_type && (len > dev->mtu + reserve + extra_len) &&\n\t !packet_extra_vlan_len_allowed(dev, skb)) {\n\t\terr = -EMSGSIZE;\n\t\tgoto out_free;\n\t}\n\n\tskb->protocol = proto;\n\tskb->dev = dev;\n\tskb->priority = sk->sk_priority;\n\tskb->mark = sockc.mark;\n\tskb->tstamp = sockc.transmit_time;\n\n\tif (has_vnet_hdr) {\n\t\terr = virtio_net_hdr_to_skb(skb, &vnet_hdr, vio_le());\n\t\tif (err)\n\t\t\tgoto out_free;\n\t\tlen += sizeof(vnet_hdr);\n\t\tvirtio_net_hdr_set_proto(skb, &vnet_hdr);\n\t}\n\n\tpacket_parse_headers(skb, sock);\n\n\tif (unlikely(extra_len == 4))\n\t\tskb->no_fcs = 1;\n\n\terr = po->xmit(skb);\n\tif (err > 0 && (err = net_xmit_errno(err)) != 0)\n\t\tgoto out_unlock;\n\n\tdev_put(dev);\n\n\treturn len;\n\nout_free:\n\tkfree_skb(skb);\nout_unlock:\n\tif (dev)\n\t\tdev_put(dev);\nout:\n\treturn err;\n}", "project": "linux", "hash": 106602954669340843613709516188767697015, "size": 155, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330360 }, { "func": "int 
SFFindBiggestScriptLangIndex(SplineFont *_sf,uint32 script,uint32 lang) {\n int i, best_sli= -1, best_cnt= -1, cnt;\n SplineFont1 *sf = (SplineFont1 *) _sf;\n\n if ( _sf->sfd_version>=2 )\n\tIError( \"SFFindBiggestScriptLangIndex called with bad version number.\\n\" );\n\n if ( sf->script_lang==NULL )\n\tSFGuessScriptList(sf);\n for ( i=0; sf->script_lang[i]!=NULL; ++i ) {\n\tif ( SLContains(sf->script_lang[i],script,lang)) {\n\t cnt = SLCount(sf->script_lang[i]);\n\t if ( cnt>best_cnt ) {\n\t\tbest_sli = i;\n\t\tbest_cnt = cnt;\n\t }\n\t}\n }\n if ( best_sli==-1 )\nreturn( SFAddScriptLangIndex(_sf,script,lang) );\n\nreturn( best_sli );\n}", "project": "fontforge", "hash": 115376704438155258421947464439829883832, "size": 23, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417755 }, { "func": "static void core_post_write_callback(void *user, ut64 maddr, ut8 *bytes, int cnt) {\n\tRCore *core = (RCore *)user;\n\tRBinSection *sec;\n\tut64 vaddr;\n\n\tif (!r_config_get_i (core->config, \"asm.cmt.patch\")) {\n\t\treturn;\n\t}\n\n\tchar *hex_pairs = r_hex_bin2strdup (bytes, cnt);\n\tif (!hex_pairs) {\n\t\teprintf (\"core_post_write_callback: Cannot obtain hex pairs\\n\");\n\t\treturn;\n\t}\n\n\tchar *comment = r_str_newf (\"patch: %d byte(s) (%s)\", cnt, hex_pairs);\n\tfree (hex_pairs);\n\tif (!comment) {\n\t\teprintf (\"core_post_write_callback: Cannot create comment\\n\");\n\t\treturn;\n\t}\n\n\tif ((sec = r_bin_get_section_at (r_bin_cur_object (core->bin), maddr, false))) {\n\t\tvaddr = maddr + sec->vaddr - sec->paddr;\n\t} else {\n\t\tvaddr 
= maddr;\n\t}\n\n\tr_meta_add (core->anal, R_META_TYPE_COMMENT, vaddr, vaddr, comment);\n\tfree (comment);\n}", "project": "radare2", "hash": 241404550151302907486033429332096442311, "size": 31, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232164 }, { "func": "static int Dec85(struct enc85 *dec) {\n int ch1, ch2, ch3, ch4, ch5;\n unsigned int val;\n\n if ( dec->pos<0 ) {\n\twhile ( isspace(ch1=getc(dec->sfd)));\n\tif ( ch1=='z' ) {\n\t dec->sofar[0] = dec->sofar[1] = dec->sofar[2] = dec->sofar[3] = 0;\n\t dec->pos = 3;\n\t} else {\n\t while ( isspace(ch2=getc(dec->sfd)));\n\t while ( isspace(ch3=getc(dec->sfd)));\n\t while ( isspace(ch4=getc(dec->sfd)));\n\t while ( isspace(ch5=getc(dec->sfd)));\n\t val = ((((ch1-'!')*85+ ch2-'!')*85 + ch3-'!')*85 + ch4-'!')*85 + ch5-'!';\n\t dec->sofar[3] = val>>24;\n\t dec->sofar[2] = val>>16;\n\t dec->sofar[1] = val>>8;\n\t dec->sofar[0] = val;\n\t dec->pos = 3;\n\t}\n }\nreturn( dec->sofar[dec->pos--] );\n}", "project": "fontforge", "hash": 235521199080836185269232960979462132550, "size": 24, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417899 }, { "func": "static void svm_adjust_tsc_offset(struct kvm_vcpu *vcpu, s64 adjustment, bool host)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tWARN_ON(adjustment < 0);\n\tif (host)\n\t\tadjustment = svm_scale_tsc(vcpu, adjustment);\n\n\tsvm->vmcb->control.tsc_offset += adjustment;\n\tif 
(is_guest_mode(vcpu))\n\t\tsvm->nested.hsave->control.tsc_offset += adjustment;\n\telse\n\t\ttrace_kvm_write_tsc_offset(vcpu->vcpu_id,\n\t\t\t\t svm->vmcb->control.tsc_offset - adjustment,\n\t\t\t\t svm->vmcb->control.tsc_offset);\n\n\tmark_dirty(svm->vmcb, VMCB_INTERCEPTS);\n}", "project": "kvm", "hash": 258670013922000316606679458665365303406, "size": 18, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437643 }, { "func": "static void tcp_fixup_sndbuf(struct sock *sk)\n{\n\tint sndmem = SKB_TRUESIZE(tcp_sk(sk)->rx_opt.mss_clamp + MAX_TCP_HEADER);\n\n\tsndmem *= TCP_INIT_CWND;\n\tif (sk->sk_sndbuf < sndmem)\n\t\tsk->sk_sndbuf = min(sndmem, sysctl_tcp_wmem[2]);\n}", "project": "net-next", "hash": 281027603903278287572137998592508729510, "size": 8, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409958 }, { "func": "static bool pmc_overflow_power7(unsigned long val)\n{\n\t/*\n\t * Events on POWER7 can roll back if a speculative event doesn't\n\t * eventually complete. Unfortunately in some rare cases they will\n\t * raise a performance monitor exception. We need to catch this to\n\t * ensure we reset the PMC. 
In all cases the PMC will be 256 or less\n\t * cycles from overflow.\n\t *\n\t * We only do this if the first pass fails to find any overflowing\n\t * PMCs because a user might set a period of less than 256 and we\n\t * don't want to mistakenly reset them.\n\t */\n\tif ((0x80000000 - val) <= 256)\n\t\treturn true;\n\n\treturn false;\n}", "project": "linux", "hash": 28024838775292632690106735892663168916, "size": 18, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374708 }, { "func": "static int iret_interception(struct vcpu_svm *svm)\n{\n\t++svm->vcpu.stat.nmi_window_exits;\n\tclr_intercept(svm, INTERCEPT_IRET);\n\tsvm->vcpu.arch.hflags |= HF_IRET_MASK;\n\tsvm->nmi_iret_rip = kvm_rip_read(&svm->vcpu);\n\tkvm_make_request(KVM_REQ_EVENT, &svm->vcpu);\n\treturn 1;\n}", "project": "linux", "hash": 95089816263588825475473107254624949410, "size": 9, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432637 }, { "func": "const char * ndpi_strncasestr(const char *str1, const char *str2, size_t len) {\n size_t str1_len = strnlen(str1, len);\n size_t str2_len = strlen(str2);\n size_t i;\n\n for(i = 0; i < (str1_len - str2_len + 1); i++){\n if(str1[0] == '\\0')\n return NULL;\n else if(strncasecmp(str1, str2, str2_len) == 0)\n return(str1);\n\n str1++;\n }\n\n return NULL;\n}", "project": "nDPI", "hash": 278944290547404895843703984149033937745, "size": 16, "commit_id": "6a9f5e4f7c3fd5ddab3e6727b071904d76773952", "message": "Fixed use after free caused by dangling pointer\n\n * This fix also improved RCE Injection detection\n\nSigned-off-by: Toni Uhlig ", "target": 0, "dataset": "other", "idx": 263368 }, { "func": "static bool vhost_net_page_frag_refill(struct vhost_net *net, unsigned int sz,\n\t\t\t\t struct page_frag *pfrag, gfp_t gfp)\n{\n\tif (pfrag->page) {\n\t\tif (pfrag->offset + sz <= pfrag->size)\n\t\t\treturn true;\n\t\t__page_frag_cache_drain(pfrag->page, net->refcnt_bias);\n\t}\n\n\tpfrag->offset = 0;\n\tnet->refcnt_bias = 0;\n\tif (SKB_FRAG_PAGE_ORDER) {\n\t\t/* Avoid direct reclaim but allow kswapd to wake */\n\t\tpfrag->page = alloc_pages((gfp & ~__GFP_DIRECT_RECLAIM) |\n\t\t\t\t\t __GFP_COMP | __GFP_NOWARN |\n\t\t\t\t\t __GFP_NORETRY,\n\t\t\t\t\t SKB_FRAG_PAGE_ORDER);\n\t\tif (likely(pfrag->page)) {\n\t\t\tpfrag->size = PAGE_SIZE << SKB_FRAG_PAGE_ORDER;\n\t\t\tgoto done;\n\t\t}\n\t}\n\tpfrag->page = alloc_page(gfp);\n\tif (likely(pfrag->page)) {\n\t\tpfrag->size = PAGE_SIZE;\n\t\tgoto done;\n\t}\n\treturn false;\n\ndone:\n\tnet->refcnt_bias = USHRT_MAX;\n\tpage_ref_add(pfrag->page, USHRT_MAX - 1);\n\treturn true;\n}", "project": "linux", "hash": 24557756703434615355685994751198661696, "size": 34, "commit_id": 
"42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 441981 }, { "func": "void CServer::UpdateClientMapListEntries()\n{\n\tfor(int ClientID = Tick() % MAX_RCONCMD_RATIO; ClientID < MAX_CLIENTS; ClientID += MAX_RCONCMD_RATIO)\n\t{\n\t\tif(m_aClients[ClientID].m_State != CClient::STATE_EMPTY && m_aClients[ClientID].m_Authed)\n\t\t{\n\t\t\tfor(int i = 0; i < MAX_MAPLISTENTRY_SEND && m_aClients[ClientID].m_pMapListEntryToSend; ++i)\n\t\t\t{\n\t\t\t\tSendMapListEntryAdd(m_aClients[ClientID].m_pMapListEntryToSend, ClientID);\n\t\t\t\tm_aClients[ClientID].m_pMapListEntryToSend = m_aClients[ClientID].m_pMapListEntryToSend->m_pNext;\n\t\t\t}\n\t\t}\n\t}\n}", "project": "teeworlds", "hash": 154431553095322771907960044165040143452, "size": 14, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382003 }, { "func": "static int sd_init(struct gspca_dev *gspca_dev)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\tstruct cam *cam = &gspca_dev->cam;\n\n\tswitch (sd->bridge) {\n\tcase BRIDGE_OV511:\n\tcase BRIDGE_OV511PLUS:\n\t\tov511_configure(gspca_dev);\n\t\tbreak;\n\tcase BRIDGE_OV518:\n\tcase BRIDGE_OV518PLUS:\n\t\tov518_configure(gspca_dev);\n\t\tbreak;\n\tcase 
BRIDGE_OV519:\n\t\tov519_configure(sd);\n\t\tbreak;\n\tcase BRIDGE_OVFX2:\n\t\tovfx2_configure(sd);\n\t\tbreak;\n\tcase BRIDGE_W9968CF:\n\t\tw9968cf_configure(sd);\n\t\tbreak;\n\t}\n\n\t/* The OV519 must be more aggressive about sensor detection since\n\t * I2C write will never fail if the sensor is not present. We have\n\t * to try to initialize the sensor to detect its presence */\n\tsd->sensor = -1;\n\n\t/* Test for 76xx */\n\tif (init_ov_sensor(sd, OV7xx0_SID) >= 0) {\n\t\tov7xx0_configure(sd);\n\n\t/* Test for 6xx0 */\n\t} else if (init_ov_sensor(sd, OV6xx0_SID) >= 0) {\n\t\tov6xx0_configure(sd);\n\n\t/* Test for 8xx0 */\n\t} else if (init_ov_sensor(sd, OV8xx0_SID) >= 0) {\n\t\tov8xx0_configure(sd);\n\n\t/* Test for 3xxx / 2xxx */\n\t} else if (init_ov_sensor(sd, OV_HIRES_SID) >= 0) {\n\t\tov_hires_configure(sd);\n\t} else {\n\t\tgspca_err(gspca_dev, \"Can't determine sensor slave IDs\\n\");\n\t\tgoto error;\n\t}\n\n\tif (sd->sensor < 0)\n\t\tgoto error;\n\n\tov51x_led_control(sd, 0);\t/* turn LED off */\n\n\tswitch (sd->bridge) {\n\tcase BRIDGE_OV511:\n\tcase BRIDGE_OV511PLUS:\n\t\tif (sd->sif) {\n\t\t\tcam->cam_mode = ov511_sif_mode;\n\t\t\tcam->nmodes = ARRAY_SIZE(ov511_sif_mode);\n\t\t}\n\t\tbreak;\n\tcase BRIDGE_OV518:\n\tcase BRIDGE_OV518PLUS:\n\t\tif (sd->sif) {\n\t\t\tcam->cam_mode = ov518_sif_mode;\n\t\t\tcam->nmodes = ARRAY_SIZE(ov518_sif_mode);\n\t\t}\n\t\tbreak;\n\tcase BRIDGE_OV519:\n\t\tif (sd->sif) {\n\t\t\tcam->cam_mode = ov519_sif_mode;\n\t\t\tcam->nmodes = ARRAY_SIZE(ov519_sif_mode);\n\t\t}\n\t\tbreak;\n\tcase BRIDGE_OVFX2:\n\t\tswitch (sd->sensor) {\n\t\tcase SEN_OV2610:\n\t\tcase SEN_OV2610AE:\n\t\t\tcam->cam_mode = ovfx2_ov2610_mode;\n\t\t\tcam->nmodes = ARRAY_SIZE(ovfx2_ov2610_mode);\n\t\t\tbreak;\n\t\tcase SEN_OV3610:\n\t\t\tcam->cam_mode = ovfx2_ov3610_mode;\n\t\t\tcam->nmodes = ARRAY_SIZE(ovfx2_ov3610_mode);\n\t\t\tbreak;\n\t\tcase SEN_OV9600:\n\t\t\tcam->cam_mode = ovfx2_ov9600_mode;\n\t\t\tcam->nmodes = 
ARRAY_SIZE(ovfx2_ov9600_mode);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tif (sd->sif) {\n\t\t\t\tcam->cam_mode = ov519_sif_mode;\n\t\t\t\tcam->nmodes = ARRAY_SIZE(ov519_sif_mode);\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\tcase BRIDGE_W9968CF:\n\t\tif (sd->sif)\n\t\t\tcam->nmodes = ARRAY_SIZE(w9968cf_vga_mode) - 1;\n\n\t\t/* w9968cf needs initialisation once the sensor is known */\n\t\tw9968cf_init(sd);\n\t\tbreak;\n\t}\n\n\t/* initialize the sensor */\n\tswitch (sd->sensor) {\n\tcase SEN_OV2610:\n\t\twrite_i2c_regvals(sd, norm_2610, ARRAY_SIZE(norm_2610));\n\n\t\t/* Enable autogain, autoexpo, awb, bandfilter */\n\t\ti2c_w_mask(sd, 0x13, 0x27, 0x27);\n\t\tbreak;\n\tcase SEN_OV2610AE:\n\t\twrite_i2c_regvals(sd, norm_2610ae, ARRAY_SIZE(norm_2610ae));\n\n\t\t/* enable autoexpo */\n\t\ti2c_w_mask(sd, 0x13, 0x05, 0x05);\n\t\tbreak;\n\tcase SEN_OV3610:\n\t\twrite_i2c_regvals(sd, norm_3620b, ARRAY_SIZE(norm_3620b));\n\n\t\t/* Enable autogain, autoexpo, awb, bandfilter */\n\t\ti2c_w_mask(sd, 0x13, 0x27, 0x27);\n\t\tbreak;\n\tcase SEN_OV6620:\n\t\twrite_i2c_regvals(sd, norm_6x20, ARRAY_SIZE(norm_6x20));\n\t\tbreak;\n\tcase SEN_OV6630:\n\tcase SEN_OV66308AF:\n\t\twrite_i2c_regvals(sd, norm_6x30, ARRAY_SIZE(norm_6x30));\n\t\tbreak;\n\tdefault:\n/*\tcase SEN_OV7610: */\n/*\tcase SEN_OV76BE: */\n\t\twrite_i2c_regvals(sd, norm_7610, ARRAY_SIZE(norm_7610));\n\t\ti2c_w_mask(sd, 0x0e, 0x00, 0x40);\n\t\tbreak;\n\tcase SEN_OV7620:\n\tcase SEN_OV7620AE:\n\t\twrite_i2c_regvals(sd, norm_7620, ARRAY_SIZE(norm_7620));\n\t\tbreak;\n\tcase SEN_OV7640:\n\tcase SEN_OV7648:\n\t\twrite_i2c_regvals(sd, norm_7640, ARRAY_SIZE(norm_7640));\n\t\tbreak;\n\tcase SEN_OV7660:\n\t\ti2c_w(sd, OV7670_R12_COM7, OV7670_COM7_RESET);\n\t\tmsleep(14);\n\t\treg_w(sd, OV519_R57_SNAPSHOT, 0x23);\n\t\twrite_regvals(sd, init_519_ov7660,\n\t\t\t\tARRAY_SIZE(init_519_ov7660));\n\t\twrite_i2c_regvals(sd, norm_7660, ARRAY_SIZE(norm_7660));\n\t\tsd->gspca_dev.curr_mode = 1;\t/* 640x480 
*/\n\t\tov519_set_mode(sd);\n\t\tov519_set_fr(sd);\n\t\tsd_reset_snapshot(gspca_dev);\n\t\tov51x_restart(sd);\n\t\tov51x_stop(sd);\t\t\t/* not in win traces */\n\t\tov51x_led_control(sd, 0);\n\t\tbreak;\n\tcase SEN_OV7670:\n\t\twrite_i2c_regvals(sd, norm_7670, ARRAY_SIZE(norm_7670));\n\t\tbreak;\n\tcase SEN_OV8610:\n\t\twrite_i2c_regvals(sd, norm_8610, ARRAY_SIZE(norm_8610));\n\t\tbreak;\n\tcase SEN_OV9600:\n\t\twrite_i2c_regvals(sd, norm_9600, ARRAY_SIZE(norm_9600));\n\n\t\t/* enable autoexpo */\n/*\t\ti2c_w_mask(sd, 0x13, 0x05, 0x05); */\n\t\tbreak;\n\t}\n\treturn gspca_dev->usb_err;\nerror:\n\tgspca_err(gspca_dev, \"OV519 Config failed\\n\");\n\treturn -EINVAL;\n}", "project": "linux", "hash": 191971538604146641479319992398925620096, "size": 182, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306303 }, { "func": "void usb_host_info(Monitor *mon)\n{\n struct USBAutoFilter *f;\n\n usb_host_scan(NULL, usb_host_info_device);\n\n if (usb_auto_filter)\n monitor_printf(mon, \" Auto filters:\\n\");\n for (f = usb_auto_filter; f; f = f->next) {\n char bus[10], addr[10], vid[10], pid[10];\n dec2str(f->bus_num, bus, sizeof(bus));\n dec2str(f->addr, addr, sizeof(addr));\n hex2str(f->vendor_id, vid, sizeof(vid));\n hex2str(f->product_id, pid, 
sizeof(pid));\n monitor_printf(mon, \" Device %s.%s ID %s:%s\\n\",\n bus, addr, vid, pid);\n }\n}", "project": "qemu", "hash": 211918064930303216094967896195405758826, "size": 18, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346293 }, { "func": "static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)\n{\n\tstruct nfs4_exception exception = { };\n\tint err;\n\tdo {\n\t\terr = __nfs4_proc_set_acl(inode, buf, buflen);\n\t\ttrace_nfs4_set_acl(inode, err);\n\t\terr = nfs4_handle_exception(NFS_SERVER(inode), err,\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 12377373035270487502261610286121602375, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431296 }, { "func": "int 
RGWHandler_REST_S3::postauth_init()\n{\n struct req_init_state *t = &s->init_state;\n bool relaxed_names = s->cct->_conf->rgw_relaxed_s3_bucket_names;\n\n rgw_parse_url_bucket(t->url_bucket, s->user->user_id.tenant,\n\t\t s->bucket_tenant, s->bucket_name);\n\n dout(10) << \"s->object=\" << (!s->object.empty() ? s->object : rgw_obj_key(\"\"))\n << \" s->bucket=\" << rgw_make_bucket_entry_name(s->bucket_tenant, s->bucket_name) << dendl;\n\n int ret;\n ret = rgw_validate_tenant_name(s->bucket_tenant);\n if (ret)\n return ret;\n if (!s->bucket_name.empty()) {\n ret = valid_s3_bucket_name(s->bucket_name, relaxed_names);\n if (ret)\n return ret;\n ret = validate_object_name(s->object.name);\n if (ret)\n return ret;\n }\n\n if (!t->src_bucket.empty()) {\n rgw_parse_url_bucket(t->src_bucket, s->user->user_id.tenant,\n\t\t\ts->src_tenant_name, s->src_bucket_name);\n ret = rgw_validate_tenant_name(s->src_tenant_name);\n if (ret)\n return ret;\n ret = valid_s3_bucket_name(s->src_bucket_name, relaxed_names);\n if (ret)\n return ret;\n }\n\n const char *mfa = s->info.env->get(\"HTTP_X_AMZ_MFA\");\n if (mfa) {\n ret = verify_mfa(store, s->user, string(mfa), &s->mfa_verified);\n }\n\n return 0;\n}", "project": "ceph", "hash": 49858201576460126087631136058182959649, "size": 42, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281279 }, { "func": "int RGWHandler_REST_SWIFT::postauth_init()\n{\n struct req_init_state* t = &s->init_state;\n\n /* XXX Stub this until Swift Auth sets account into URL. */\n s->bucket_tenant = s->user->user_id.tenant;\n s->bucket_name = t->url_bucket;\n\n dout(10) << \"s->object=\" <<\n (!s->object.empty() ? 
s->object : rgw_obj_key(\"\"))\n << \" s->bucket=\"\n\t << rgw_make_bucket_entry_name(s->bucket_tenant, s->bucket_name)\n\t << dendl;\n\n int ret;\n ret = rgw_validate_tenant_name(s->bucket_tenant);\n if (ret)\n return ret;\n ret = validate_bucket_name(s->bucket_name);\n if (ret)\n return ret;\n ret = validate_object_name(s->object.name);\n if (ret)\n return ret;\n\n if (!t->src_bucket.empty()) {\n /*\n * We don't allow cross-tenant copy at present. It requires account\n * names in the URL for Swift.\n */\n s->src_tenant_name = s->user->user_id.tenant;\n s->src_bucket_name = t->src_bucket;\n\n ret = validate_bucket_name(s->src_bucket_name);\n if (ret < 0) {\n return ret;\n }\n ret = validate_object_name(s->src_object.name);\n if (ret < 0) {\n return ret;\n }\n }\n\n return 0;\n}", "project": "ceph", "hash": 327730831682342809034402771893476277906, "size": 45, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448869 }, { "func": "int nfs4_open_delegation_recall(struct nfs_open_context *ctx,\n\t\tstruct nfs4_state *state, const nfs4_stateid *stateid)\n{\n\tstruct nfs_server *server = NFS_SERVER(state->inode);\n\tstruct nfs4_opendata *opendata;\n\tint err = 0;\n\n\topendata = nfs4_open_recoverdata_alloc(ctx, state,\n\t\t\tNFS4_OPEN_CLAIM_DELEG_CUR_FH);\n\tif (IS_ERR(opendata))\n\t\treturn PTR_ERR(opendata);\n\tnfs4_stateid_copy(&opendata->o_arg.u.delegation, stateid);\n\tif (!test_bit(NFS_O_RDWR_STATE, &state->flags)) {\n\t\terr = nfs4_open_recover_helper(opendata, FMODE_READ|FMODE_WRITE);\n\t\tif (err)\n\t\t\tgoto out;\n\t}\n\tif (!test_bit(NFS_O_WRONLY_STATE, &state->flags)) {\n\t\terr = 
nfs4_open_recover_helper(opendata, FMODE_WRITE);\n\t\tif (err)\n\t\t\tgoto out;\n\t}\n\tif (!test_bit(NFS_O_RDONLY_STATE, &state->flags)) {\n\t\terr = nfs4_open_recover_helper(opendata, FMODE_READ);\n\t\tif (err)\n\t\t\tgoto out;\n\t}\n\tnfs_state_clear_delegation(state);\nout:\n\tnfs4_opendata_put(opendata);\n\treturn nfs4_handle_delegation_recall_error(server, state, stateid, NULL, err);\n}", "project": "linux", "hash": 98643037940508570375387991617876945836, "size": 32, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431229 }, { "func": "Status ConvBackpropExtractAndVerifyDimension(\n StringPiece label, const TensorShape& input_shape,\n const TensorShape& filter_shape, const TensorShape& output_shape,\n const gtl::ArraySlice dilations, const std::vector& strides,\n Padding padding, int64 padding_before, int64 padding_after, int spatial_dim,\n int filter_spatial_dim, ConvBackpropSpatialDimension* dim) {\n dim->input_size = input_shape.dim_size(spatial_dim);\n dim->filter_size = filter_shape.dim_size(filter_spatial_dim);\n dim->output_size = output_shape.dim_size(spatial_dim);\n dim->stride = strides[spatial_dim];\n dim->dilation = dilations[spatial_dim];\n int64 out_size = 0;\n TF_RETURN_IF_ERROR(GetWindowedOutputSizeVerboseV2(\n dim->input_size, dim->filter_size, dim->dilation, dim->stride, padding,\n &out_size, &padding_before, &padding_after));\n if (dim->output_size != out_size) {\n return errors::InvalidArgument(\n label, \": Size of out_backprop doesn't match computed: \", \"actual = \",\n dim->output_size, \", computed = \", 
out_size,\n \" spatial_dim: \", spatial_dim, \" input: \", dim->input_size,\n \" filter: \", dim->filter_size, \" output: \", dim->output_size,\n \" stride: \", dim->stride, \" dilation: \", dim->dilation);\n }\n\n int64 effective_filter_size = (dim->filter_size - 1) * dim->dilation + 1;\n dim->expanded_output_size = (dim->output_size - 1) * dim->stride + 1;\n const auto padded_out_size = dim->input_size + effective_filter_size - 1;\n dim->pad_before = effective_filter_size - 1 - padding_before;\n dim->pad_after =\n padded_out_size - dim->expanded_output_size - dim->pad_before;\n VLOG(2) << label << \": expanded_out = \" << dim->expanded_output_size\n << \", effective_filter_size = \" << effective_filter_size\n << \", padded_out = \" << padded_out_size\n << \", pad_before = \" << dim->pad_before\n << \", pad_after = \" << dim->pad_after\n << \", dilation = \" << dim->dilation << \", strides = \" << dim->stride;\n return Status::OK();\n}", "project": "tensorflow", "hash": 288568466581520403051081783931039576280, "size": 38, "commit_id": "fca9874a9b42a2134f907d2fb46ab774a831404a", "message": "Prevent another division by zero.\n\nPiperOrigin-RevId: 369338598\nChange-Id: I55471d363e401fdcf8d259670ad4eef672b731e2", "target": 0, "dataset": "other", "idx": 255023 }, { "func": "static int fuse_release(struct inode *inode, struct file *file)\n{\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\n\t/* see fuse_vma_close() for !writeback_cache case */\n\tif (fc->writeback_cache)\n\t\twrite_inode_now(inode, 1);\n\n\tfuse_release_common(file, false);\n\n\t/* return value is ignored by VFS */\n\treturn 0;\n}", "project": "linux", "hash": 233625466950226890016770244495011348924, "size": 13, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342024 }, { "func": " bool real_eq(double value, const Item *item) const\n {\n DBUG_ASSERT(is_basic_value(REAL_ITEM));\n return is_basic_value(item, REAL_ITEM) &&\n value == ((Item_basic_value*)item)->val_real();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 206514945941759783916768524856667101148, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508932 }, { "func": "static int convert_fuse_file_lock(struct fuse_conn *fc,\n\t\t\t\t const struct fuse_file_lock *ffl,\n\t\t\t\t struct file_lock *fl)\n{\n\tswitch (ffl->type) {\n\tcase F_UNLCK:\n\t\tbreak;\n\n\tcase F_RDLCK:\n\tcase F_WRLCK:\n\t\tif (ffl->start > OFFSET_MAX || ffl->end > OFFSET_MAX ||\n\t\t ffl->end < ffl->start)\n\t\t\treturn -EIO;\n\n\t\tfl->fl_start = ffl->start;\n\t\tfl->fl_end = ffl->end;\n\n\t\t/*\n\t\t * Convert pid into init's pid namespace. The locks API will\n\t\t * translate it into the caller's pid namespace.\n\t\t */\n\t\trcu_read_lock();\n\t\tfl->fl_pid = pid_nr_ns(find_pid_ns(ffl->pid, fc->pid_ns), &init_pid_ns);\n\t\trcu_read_unlock();\n\t\tbreak;\n\n\tdefault:\n\t\treturn -EIO;\n\t}\n\tfl->fl_type = ffl->type;\n\treturn 0;\n}", "project": "linux", "hash": 146044281082662559934298671130178285244, "size": 32, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342046 }, { "func": "static void port_stats_walker(const void *node, ndpi_VISIT which, int depth, void *user_data) {\n if((which == ndpi_preorder) || (which == ndpi_leaf)) { /* Avoid walking the same node multiple times */\n struct ndpi_flow_info *flow = *(struct ndpi_flow_info **) node;\n u_int16_t thread_id = *(int *)user_data;\n u_int16_t sport, dport;\n char proto[16];\n int r;\n\n sport = ntohs(flow->src_port), dport = ntohs(flow->dst_port);\n\n /* get app level protocol */\n if(flow->detected_protocol.master_protocol)\n ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct,\n\t\t\t flow->detected_protocol, proto, sizeof(proto));\n else\n strncpy(proto, ndpi_get_proto_name(ndpi_thread_info[thread_id].workflow->ndpi_struct,\n\t\t\t\t\t flow->detected_protocol.app_protocol),sizeof(proto));\n\n if(((r = strcmp(ipProto2Name(flow->protocol), \"TCP\")) == 0)\n && (flow->src2dst_packets == 1) && (flow->dst2src_packets == 0)) {\n updateScanners(&scannerHosts, flow->src_ip, flow->ip_version, dport);\n }\n\n updateReceivers(&receivers, flow->dst_ip, flow->ip_version,\n flow->src2dst_packets, &topReceivers);\n\n updatePortStats(&srcStats, sport, flow->src_ip, flow->ip_version,\n flow->src2dst_packets, flow->src2dst_bytes, proto);\n\n updatePortStats(&dstStats, dport, flow->dst_ip, flow->ip_version,\n flow->dst2src_packets, flow->dst2src_bytes, proto);\n }\n}", "project": "nDPI", "hash": 261877172920487236795818520192273804998, "size": 33, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", 
"target": 0, "dataset": "other", "idx": 254833 }, { "func": "static inline int epoll_mutex_lock(struct mutex *mutex, int depth,\n\t\t\t\t bool nonblock)\n{\n\tif (!nonblock) {\n\t\tmutex_lock_nested(mutex, depth);\n\t\treturn 0;\n\t}\n\tif (mutex_trylock(mutex))\n\t\treturn 0;\n\treturn -EAGAIN;\n}", "project": "linux", "hash": 241821177960330039972147230566448456513, "size": 11, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336247 }, { "func": "CString CWebSock::FindTmpl(CModule* pModule, const CString& sName) {\n VCString vsDirs = GetDirs(pModule, true);\n CString sFile = pModule->GetModName() + \"_\" + sName;\n for (const CString& sDir : vsDirs) {\n if (CFile::Exists(CDir::ChangeDir(sDir, sFile))) {\n m_Template.AppendPath(sDir);\n return sFile;\n }\n }\n return sName;\n}", "project": "znc", "hash": 98764884873551617225858586913921235770, "size": 11, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265773 }, { "func": "int kvm_vcpu_yield_to(struct kvm_vcpu *target)\n{\n\tstruct pid *pid;\n\tstruct task_struct *task = NULL;\n\tint ret = 0;\n\n\trcu_read_lock();\n\tpid = rcu_dereference(target->pid);\n\tif (pid)\n\t\ttask = get_pid_task(pid, PIDTYPE_PID);\n\trcu_read_unlock();\n\tif (!task)\n\t\treturn ret;\n\tret = yield_to(task, 1);\n\tput_task_struct(task);\n\n\treturn ret;\n}", "project": "linux", "hash": 270549016327109801564619541478135337033, "size": 18, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through 
memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354684 }, { "func": "opj_j2k_t* opj_j2k_create_decompress(void)\n{\n opj_j2k_t *l_j2k = (opj_j2k_t*) opj_calloc(1, sizeof(opj_j2k_t));\n if (!l_j2k) {\n return 00;\n }\n\n l_j2k->m_is_decoder = 1;\n l_j2k->m_cp.m_is_decoder = 1;\n /* in the absence of JP2 boxes, consider different bit depth / sign */\n /* per component is allowed */\n l_j2k->m_cp.allow_different_bit_depth_sign = 1;\n\n#ifdef OPJ_DISABLE_TPSOT_FIX\n l_j2k->m_specific_param.m_decoder.m_nb_tile_parts_correction_checked = 1;\n#endif\n\n l_j2k->m_specific_param.m_decoder.m_default_tcp = (opj_tcp_t*) opj_calloc(1,\n sizeof(opj_tcp_t));\n if (!l_j2k->m_specific_param.m_decoder.m_default_tcp) {\n opj_j2k_destroy(l_j2k);\n return 00;\n }\n\n l_j2k->m_specific_param.m_decoder.m_header_data = (OPJ_BYTE *) opj_calloc(1,\n OPJ_J2K_DEFAULT_HEADER_SIZE);\n if (! l_j2k->m_specific_param.m_decoder.m_header_data) {\n opj_j2k_destroy(l_j2k);\n return 00;\n }\n\n l_j2k->m_specific_param.m_decoder.m_header_data_size =\n OPJ_J2K_DEFAULT_HEADER_SIZE;\n\n l_j2k->m_specific_param.m_decoder.m_tile_ind_to_dec = -1 ;\n\n l_j2k->m_specific_param.m_decoder.m_last_sot_read_pos = 0 ;\n\n /* codestream index creation */\n l_j2k->cstr_index = opj_j2k_create_cstr_index();\n if (!l_j2k->cstr_index) {\n opj_j2k_destroy(l_j2k);\n return 00;\n }\n\n /* validation list creation */\n l_j2k->m_validation_list = opj_procedure_list_create();\n if (! 
l_j2k->m_validation_list) {\n opj_j2k_destroy(l_j2k);\n return 00;\n }\n\n /* execution list creation */\n l_j2k->m_procedure_list = opj_procedure_list_create();\n if (! l_j2k->m_procedure_list) {\n opj_j2k_destroy(l_j2k);\n return 00;\n }\n\n l_j2k->m_tp = opj_thread_pool_create(opj_j2k_get_default_thread_count());\n if (!l_j2k->m_tp) {\n l_j2k->m_tp = opj_thread_pool_create(0);\n }\n if (!l_j2k->m_tp) {\n opj_j2k_destroy(l_j2k);\n return NULL;\n }\n\n return l_j2k;\n}", "project": "openjpeg", "hash": 150627416573122523961092494083253015301, "size": 70, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357295 }, { "func": "static void exif_process_COM(image_info_type *image_info, char *value,\n size_t length) {\n exif_iif_add_tag(image_info, SECTION_COMMENT, \"Comment\",\n TAG_COMPUTED_VALUE, TAG_FMT_STRING,\n length-2, value+2);\n}", "project": "hhvm", "hash": 206657314821379545143252204968318152080, "size": 6, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219781 }, { "func": "static bool isRemoveLiquidityEthCall(const EthereumSignTx *msg) {\n if (memcmp(msg->data_initial_chunk.bytes, \"\\x02\\x75\\x1c\\xec\", 4) == 0)\n return true;\n\n return false;\n}", "project": "keepkey-firmware", "hash": 77454676794033741302792232738457367844, "size": 6, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220895 }, { "func": "static int sctp_setsockopt_pf_expose(struct sock *sk,\n\t\t\t\t struct sctp_assoc_value *params,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_association *asoc;\n\tint retval = -EINVAL;\n\n\tif (optlen != sizeof(*params))\n\t\tgoto out;\n\n\tif (params->assoc_value > 
SCTP_PF_EXPOSE_MAX)\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params->assoc_id);\n\tif (!asoc && params->assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\tgoto out;\n\n\tif (asoc)\n\t\tasoc->pf_expose = params->assoc_value;\n\telse\n\t\tsctp_sk(sk)->pf_expose = params->assoc_value;\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 326219531982683176684011499417488995434, "size": 27, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398048 }, { "func": "static void extract_buf(struct entropy_store *r, __u8 *out)\n{\n\tint i;\n\t__u32 hash[5], workspace[SHA_WORKSPACE_WORDS];\n\t__u8 extract[64];\n\n\t/* Generate a hash across the pool, 16 words (512 bits) at a time */\n\tsha_init(hash);\n\tfor (i = 0; i < r->poolinfo->poolwords; i += 16)\n\t\tsha_transform(hash, (__u8 *)(r->pool + i), workspace);\n\n\t/*\n\t * We mix the hash back into the pool to prevent backtracking\n\t * attacks (where the attacker knows the state of the pool\n\t * plus the current outputs, and attempts to find previous\n\t * ouputs), unless the hash function can be inverted. By\n\t * mixing at least a SHA1 worth of hash data back, we make\n\t * brute-forcing the feedback as hard as brute-forcing the\n\t * hash.\n\t */\n\tmix_pool_bytes_extract(r, hash, sizeof(hash), extract);\n\n\t/*\n\t * To avoid duplicates, we atomically extract a portion of the\n\t * pool while mixing, and hash one final time.\n\t */\n\tsha_transform(hash, extract, workspace);\n\tmemset(extract, 0, sizeof(extract));\n\tmemset(workspace, 0, sizeof(workspace));\n\n\t/*\n\t * In case the hash function has some recognizable output\n\t * pattern, we fold it in half. 
Thus, we always feed back\n\t * twice as much data as we output.\n\t */\n\thash[0] ^= hash[3];\n\thash[1] ^= hash[4];\n\thash[2] ^= rol32(hash[2], 16);\n\tmemcpy(out, hash, EXTRACT_SIZE);\n\tmemset(hash, 0, sizeof(hash));\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 188794254955710787156299170402182658506, "size": 41, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. 
I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499911 }, { "func": "bool kvm_is_reserved_pfn(kvm_pfn_t pfn)\n{\n\t/*\n\t * ZONE_DEVICE pages currently set PG_reserved, but from a refcounting\n\t * perspective they are \"normal\" pages, albeit with slightly different\n\t * usage rules.\n\t */\n\tif (pfn_valid(pfn))\n\t\treturn PageReserved(pfn_to_page(pfn)) &&\n\t\t !is_zero_pfn(pfn) &&\n\t\t !kvm_is_zone_device_pfn(pfn);\n\n\treturn true;\n}", "project": "linux", "hash": 239331381323556367879710653332160860169, "size": 14, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354712 }, { "func": "void put_tty_driver(struct tty_driver *d)\n{\n\ttty_driver_kref_put(d);\n}", "project": "linux", "hash": 83041291009926828562450655424146882509, "size": 4, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it 
for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326010 }, { "func": "lka_filter_process_response(const char *name, const char *line)\n{\n\tuint64_t reqid;\n\tuint64_t token;\n\tchar buffer[LINE_MAX];\n\tchar *ep = NULL;\n\tchar *kind = NULL;\n\tchar *qid = NULL;\n\t/*char *phase = NULL;*/\n\tchar *response = NULL;\n\tchar *parameter = NULL;\n\tstruct filter_session *fs;\n\n\t(void)strlcpy(buffer, line, sizeof buffer);\n\tif ((ep = strchr(buffer, '|')) == NULL)\n\t\tfatalx(\"Missing token: %s\", line);\n\tep[0] = '\\0';\n\n\tkind = buffer;\n\n\tqid = ep+1;\n\tif ((ep = strchr(qid, '|')) == NULL)\n\t\tfatalx(\"Missing reqid: %s\", line);\n\tep[0] = '\\0';\n\n\treqid = strtoull(qid, &ep, 16);\n\tif (qid[0] == '\\0' || *ep != '\\0')\n\t\tfatalx(\"Invalid 
reqid: %s\", line);\n\tif (errno == ERANGE && reqid == ULLONG_MAX)\n\t\tfatal(\"Invalid reqid: %s\", line);\n\n\tqid = ep+1;\n\tif ((ep = strchr(qid, '|')) == NULL)\n\t\tfatal(\"Missing directive: %s\", line);\n\tep[0] = '\\0';\n\n\ttoken = strtoull(qid, &ep, 16);\n\tif (qid[0] == '\\0' || *ep != '\\0')\n\t\tfatalx(\"Invalid token: %s\", line);\n\tif (errno == ERANGE && token == ULLONG_MAX)\n\t\tfatal(\"Invalid token: %s\", line);\n\n\tresponse = ep+1;\n\n\t/* session can legitimately disappear on a resume */\n\tif ((fs = tree_get(&sessions, reqid)) == NULL)\n\t\treturn;\n\n\tif (strcmp(kind, \"filter-dataline\") == 0) {\n\t\tif (fs->phase != FILTER_DATA_LINE)\n\t\t\tfatalx(\"filter-dataline out of dataline phase\");\n\t\tfilter_data_next(token, reqid, response);\n\t\treturn;\n\t}\n\tif (fs->phase == FILTER_DATA_LINE)\n\t\tfatalx(\"filter-result in dataline phase\");\n\n\tif ((ep = strchr(response, '|'))) {\n\t\tparameter = ep + 1;\n\t\tep[0] = '\\0';\n\t}\n\n\tif (strcmp(response, \"proceed\") == 0) {\n\t\tif (parameter != NULL)\n\t\t\tfatalx(\"Unexpected parameter after proceed: %s\", line);\n\t\tfilter_protocol_next(token, reqid, 0);\n\t\treturn;\n\t} else if (strcmp(response, \"junk\") == 0) {\n\t\tif (parameter != NULL)\n\t\t\tfatalx(\"Unexpected parameter after junk: %s\", line);\n\t\tif (fs->phase == FILTER_COMMIT)\n\t\t\tfatalx(\"filter-reponse junk after DATA\");\n\t\tfilter_result_junk(reqid);\n\t\treturn;\n\t} else {\n\t\tif (parameter == NULL)\n\t\t\tfatalx(\"Missing parameter: %s\", line);\n\n\t\tif (strcmp(response, \"rewrite\") == 0)\n\t\t\tfilter_result_rewrite(reqid, parameter);\n\t\telse if (strcmp(response, \"reject\") == 0)\n\t\t\tfilter_result_reject(reqid, parameter);\n\t\telse if (strcmp(response, \"disconnect\") == 0)\n\t\t\tfilter_result_disconnect(reqid, parameter);\n\t\telse\n\t\t\tfatalx(\"Invalid directive: %s\", line);\n\t}\n}", "project": "src", "hash": 330240686237198483857101105616747593888, "size": 88, "commit_id": 
"6c3220444ed06b5796dedfd53a0f4becd903c0d1", "message": "smtpd's filter state machine can prematurely release resources\nleading to a crash. From gilles@", "target": 0, "dataset": "other", "idx": 421546 }, { "func": "table_add(struct table *t, const char *key, const char *val)\n{\n\tif (t->t_backend->add == NULL)\n\t\tfatalx(\"table_add: cannot add to table\");\n\n\tif (t->t_backend->add(t, key, val) == 0)\n\t\tlog_warnx(\"warn: failed to add \\\"%s\\\" in table \\\"%s\\\"\", key, t->t_name);\n}", "project": "src", "hash": 187854473209541710096268977937116214394, "size": 8, "commit_id": "79a034b4aed29e965f45a13409268290c9910043", "message": "Use regfree after we're done with preg.\n\nFrom gilles@", "target": 0, "dataset": "other", "idx": 468901 }, { "func": "static void nfs4_lock_prepare(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs4_lockdata *data = calldata;\n\tstruct nfs4_state *state = data->lsp->ls_state;\n\n\tdprintk(\"%s: begin!\\n\", __func__);\n\tif (nfs_wait_on_sequence(data->arg.lock_seqid, task) != 0)\n\t\tgoto out_wait;\n\t/* Do we need to do an open_to_lock_owner? 
*/\n\tif (!test_bit(NFS_LOCK_INITIALIZED, &data->lsp->ls_flags)) {\n\t\tif (nfs_wait_on_sequence(data->arg.open_seqid, task) != 0) {\n\t\t\tgoto out_release_lock_seqid;\n\t\t}\n\t\tnfs4_stateid_copy(&data->arg.open_stateid,\n\t\t\t\t&state->open_stateid);\n\t\tdata->arg.new_lock_owner = 1;\n\t\tdata->res.open_seqid = data->arg.open_seqid;\n\t} else {\n\t\tdata->arg.new_lock_owner = 0;\n\t\tnfs4_stateid_copy(&data->arg.lock_stateid,\n\t\t\t\t&data->lsp->ls_stateid);\n\t}\n\tif (!nfs4_valid_open_stateid(state)) {\n\t\tdata->rpc_status = -EBADF;\n\t\ttask->tk_action = NULL;\n\t\tgoto out_release_open_seqid;\n\t}\n\tdata->timestamp = jiffies;\n\tif (nfs4_setup_sequence(data->server->nfs_client,\n\t\t\t\t&data->arg.seq_args,\n\t\t\t\t&data->res.seq_res,\n\t\t\t\ttask) == 0)\n\t\treturn;\nout_release_open_seqid:\n\tnfs_release_seqid(data->arg.open_seqid);\nout_release_lock_seqid:\n\tnfs_release_seqid(data->arg.lock_seqid);\nout_wait:\n\tnfs4_sequence_done(task, &data->res.seq_res);\n\tdprintk(\"%s: done!, ret = %d\\n\", __func__, data->rpc_status);\n}", "project": "linux", "hash": 194523466442426551993718175811554634141, "size": 41, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430982 }, { "func": "static void proc_set_tty(struct tty_struct *tty)\n{\n\tspin_lock_irq(&current->sighand->siglock);\n\t__proc_set_tty(tty);\n\tspin_unlock_irq(&current->sighand->siglock);\n}", "project": "linux", "hash": 231099748773509557039885838780077400926, "size": 6, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, 
locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326028 }, { "func": "unsigned long move_page_tables(struct vm_area_struct *vma,\n\t\tunsigned long old_addr, struct vm_area_struct *new_vma,\n\t\tunsigned long new_addr, unsigned long len,\n\t\tbool need_rmap_locks)\n{\n\tunsigned long extent, next, old_end;\n\tstruct mmu_notifier_range range;\n\tpmd_t *old_pmd, *new_pmd;\n\n\told_end = old_addr + len;\n\tflush_cache_range(vma, old_addr, old_end);\n\n\tmmu_notifier_range_init(&range, MMU_NOTIFY_UNMAP, 0, vma, 
vma->vm_mm,\n\t\t\t\told_addr, old_end);\n\tmmu_notifier_invalidate_range_start(&range);\n\n\tfor (; old_addr < old_end; old_addr += extent, new_addr += extent) {\n\t\tcond_resched();\n\t\tnext = (old_addr + PMD_SIZE) & PMD_MASK;\n\t\t/* even if next overflowed, extent below will be ok */\n\t\textent = next - old_addr;\n\t\tif (extent > old_end - old_addr)\n\t\t\textent = old_end - old_addr;\n\t\told_pmd = get_old_pmd(vma->vm_mm, old_addr);\n\t\tif (!old_pmd)\n\t\t\tcontinue;\n\t\tnew_pmd = alloc_new_pmd(vma->vm_mm, vma, new_addr);\n\t\tif (!new_pmd)\n\t\t\tbreak;\n\t\tif (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {\n\t\t\tif (extent == HPAGE_PMD_SIZE) {\n\t\t\t\tbool moved;\n\t\t\t\t/* See comment in move_ptes() */\n\t\t\t\tif (need_rmap_locks)\n\t\t\t\t\ttake_rmap_locks(vma);\n\t\t\t\tmoved = move_huge_pmd(vma, old_addr, new_addr,\n\t\t\t\t\t\t old_end, old_pmd, new_pmd);\n\t\t\t\tif (need_rmap_locks)\n\t\t\t\t\tdrop_rmap_locks(vma);\n\t\t\t\tif (moved)\n\t\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tsplit_huge_pmd(vma, old_pmd, old_addr);\n\t\t\tif (pmd_trans_unstable(old_pmd))\n\t\t\t\tcontinue;\n\t\t} else if (extent == PMD_SIZE) {\n#ifdef CONFIG_HAVE_MOVE_PMD\n\t\t\t/*\n\t\t\t * If the extent is PMD-sized, try to speed the move by\n\t\t\t * moving at the PMD level if possible.\n\t\t\t */\n\t\t\tbool moved;\n\n\t\t\tif (need_rmap_locks)\n\t\t\t\ttake_rmap_locks(vma);\n\t\t\tmoved = move_normal_pmd(vma, old_addr, new_addr,\n\t\t\t\t\told_end, old_pmd, new_pmd);\n\t\t\tif (need_rmap_locks)\n\t\t\t\tdrop_rmap_locks(vma);\n\t\t\tif (moved)\n\t\t\t\tcontinue;\n#endif\n\t\t}\n\n\t\tif (pte_alloc(new_vma->vm_mm, new_pmd))\n\t\t\tbreak;\n\t\tnext = (new_addr + PMD_SIZE) & PMD_MASK;\n\t\tif (extent > next - new_addr)\n\t\t\textent = next - new_addr;\n\t\tmove_ptes(vma, old_pmd, old_addr, old_addr + extent, new_vma,\n\t\t\t new_pmd, new_addr, need_rmap_locks);\n\t}\n\n\tmmu_notifier_invalidate_range_end(&range);\n\n\treturn len + old_addr - old_end;\t/* how much done 
*/\n}", "project": "linux", "hash": 322406925399934688200484412754502215496, "size": 77, "commit_id": "5bfea2d9b17f1034a68147a8b03b9789af5700f9", "message": "mm: Fix mremap not considering huge pmd devmap\n\nThe original code in mm/mremap.c checks huge pmd by:\n\n\t\tif (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {\n\nHowever, a DAX mapped nvdimm is mapped as huge page (by default) but it\nis not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This commit\nchanges the condition to include the case.\n\nThis addresses CVE-2020-10757.\n\nFixes: 5c7fb56e5e3f (\"mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd\")\nCc: \nReported-by: Fan Yang \nSigned-off-by: Fan Yang \nTested-by: Fan Yang \nTested-by: Dan Williams \nReviewed-by: Dan Williams \nAcked-by: Kirill A. Shutemov \nSigned-off-by: Linus Torvalds ", "target": 1, "dataset": "other", "idx": 201788 }, { "func": "unsigned long move_page_tables(struct vm_area_struct *vma,\n\t\tunsigned long old_addr, struct vm_area_struct *new_vma,\n\t\tunsigned long new_addr, unsigned long len,\n\t\tbool need_rmap_locks)\n{\n\tunsigned long extent, next, old_end;\n\tstruct mmu_notifier_range range;\n\tpmd_t *old_pmd, *new_pmd;\n\n\told_end = old_addr + len;\n\tflush_cache_range(vma, old_addr, old_end);\n\n\tmmu_notifier_range_init(&range, MMU_NOTIFY_UNMAP, 0, vma, vma->vm_mm,\n\t\t\t\told_addr, old_end);\n\tmmu_notifier_invalidate_range_start(&range);\n\n\tfor (; old_addr < old_end; old_addr += extent, new_addr += extent) {\n\t\tcond_resched();\n\t\tnext = (old_addr + PMD_SIZE) & PMD_MASK;\n\t\t/* even if next overflowed, extent below will be ok */\n\t\textent = next - old_addr;\n\t\tif (extent > old_end - old_addr)\n\t\t\textent = old_end - old_addr;\n\t\told_pmd = get_old_pmd(vma->vm_mm, old_addr);\n\t\tif (!old_pmd)\n\t\t\tcontinue;\n\t\tnew_pmd = alloc_new_pmd(vma->vm_mm, vma, new_addr);\n\t\tif (!new_pmd)\n\t\t\tbreak;\n\t\tif (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd) || pmd_devmap(*old_pmd)) {\n\t\t\tif (extent == 
HPAGE_PMD_SIZE) {\n\t\t\t\tbool moved;\n\t\t\t\t/* See comment in move_ptes() */\n\t\t\t\tif (need_rmap_locks)\n\t\t\t\t\ttake_rmap_locks(vma);\n\t\t\t\tmoved = move_huge_pmd(vma, old_addr, new_addr,\n\t\t\t\t\t\t old_end, old_pmd, new_pmd);\n\t\t\t\tif (need_rmap_locks)\n\t\t\t\t\tdrop_rmap_locks(vma);\n\t\t\t\tif (moved)\n\t\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tsplit_huge_pmd(vma, old_pmd, old_addr);\n\t\t\tif (pmd_trans_unstable(old_pmd))\n\t\t\t\tcontinue;\n\t\t} else if (extent == PMD_SIZE) {\n#ifdef CONFIG_HAVE_MOVE_PMD\n\t\t\t/*\n\t\t\t * If the extent is PMD-sized, try to speed the move by\n\t\t\t * moving at the PMD level if possible.\n\t\t\t */\n\t\t\tbool moved;\n\n\t\t\tif (need_rmap_locks)\n\t\t\t\ttake_rmap_locks(vma);\n\t\t\tmoved = move_normal_pmd(vma, old_addr, new_addr,\n\t\t\t\t\told_end, old_pmd, new_pmd);\n\t\t\tif (need_rmap_locks)\n\t\t\t\tdrop_rmap_locks(vma);\n\t\t\tif (moved)\n\t\t\t\tcontinue;\n#endif\n\t\t}\n\n\t\tif (pte_alloc(new_vma->vm_mm, new_pmd))\n\t\t\tbreak;\n\t\tnext = (new_addr + PMD_SIZE) & PMD_MASK;\n\t\tif (extent > next - new_addr)\n\t\t\textent = next - new_addr;\n\t\tmove_ptes(vma, old_pmd, old_addr, old_addr + extent, new_vma,\n\t\t\t new_pmd, new_addr, need_rmap_locks);\n\t}\n\n\tmmu_notifier_invalidate_range_end(&range);\n\n\treturn len + old_addr - old_end;\t/* how much done */\n}", "project": "linux", "hash": 70690057593979156175552450811161004469, "size": 77, "commit_id": "5bfea2d9b17f1034a68147a8b03b9789af5700f9", "message": "mm: Fix mremap not considering huge pmd devmap\n\nThe original code in mm/mremap.c checks huge pmd by:\n\n\t\tif (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {\n\nHowever, a DAX mapped nvdimm is mapped as huge page (by default) but it\nis not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). 
This commit\nchanges the condition to include the case.\n\nThis addresses CVE-2020-10757.\n\nFixes: 5c7fb56e5e3f (\"mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd\")\nCc: \nReported-by: Fan Yang \nSigned-off-by: Fan Yang \nTested-by: Fan Yang \nTested-by: Dan Williams \nReviewed-by: Dan Williams \nAcked-by: Kirill A. Shutemov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 321574 }, { "func": "static int kvm_s390_get_processor(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tstruct kvm_s390_vm_cpu_processor *proc;\n\tint ret = 0;\n\n\tproc = kzalloc(sizeof(*proc), GFP_KERNEL);\n\tif (!proc) {\n\t\tret = -ENOMEM;\n\t\tgoto out;\n\t}\n\tproc->cpuid = kvm->arch.model.cpuid;\n\tproc->ibc = kvm->arch.model.ibc;\n\tmemcpy(&proc->fac_list, kvm->arch.model.fac_list,\n\t S390_ARCH_FAC_LIST_SIZE_BYTE);\n\tVM_EVENT(kvm, 3, \"GET: guest ibc: 0x%4.4x, guest cpuid: 0x%16.16llx\",\n\t\t kvm->arch.model.ibc,\n\t\t kvm->arch.model.cpuid);\n\tVM_EVENT(kvm, 3, \"GET: guest faclist: 0x%16.16llx.%16.16llx.%16.16llx\",\n\t\t kvm->arch.model.fac_list[0],\n\t\t kvm->arch.model.fac_list[1],\n\t\t kvm->arch.model.fac_list[2]);\n\tif (copy_to_user((void __user *)attr->addr, proc, sizeof(*proc)))\n\t\tret = -EFAULT;\n\tkfree(proc);\nout:\n\treturn ret;\n}", "project": "linux", "hash": 223015517894394944477495605574829160209, "size": 27, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: 
Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354522 }, { "func": "int sctp_inet_connect(struct socket *sock, struct sockaddr *uaddr,\n\t\t int addr_len, int flags)\n{\n\tif (addr_len < sizeof(uaddr->sa_family))\n\t\treturn -EINVAL;\n\n\tif (uaddr->sa_family == AF_UNSPEC)\n\t\treturn -EOPNOTSUPP;\n\n\treturn sctp_connect(sock->sk, uaddr, addr_len, flags);\n}", "project": "linux", "hash": 230454871713808658654336936844454325359, "size": 11, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398137 }, { "func": "static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa, zval *data)\n{\n\tBIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;\n\n\tOPENSSL_PKEY_SET_BN(data, n);\n\tOPENSSL_PKEY_SET_BN(data, e);\n\tOPENSSL_PKEY_SET_BN(data, d);\n\tif (!n || !d || !RSA_set0_key(rsa, n, e, d)) {\n\t\treturn 0;\n\t}\n\n\tOPENSSL_PKEY_SET_BN(data, p);\n\tOPENSSL_PKEY_SET_BN(data, q);\n\tif ((p || q) && !RSA_set0_factors(rsa, p, q)) {\n\t\treturn 0;\n\t}\n\n\tOPENSSL_PKEY_SET_BN(data, dmp1);\n\tOPENSSL_PKEY_SET_BN(data, dmq1);\n\tOPENSSL_PKEY_SET_BN(data, iqmp);\n\tif ((dmp1 || dmq1 || iqmp) && !RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp)) {\n\t\treturn 0;\n\t}\n\n\tif (!EVP_PKEY_assign_RSA(pkey, rsa)) {\n\t\tphp_openssl_store_errors();\n\t\treturn 0;\n\t}\n\n\treturn 1;\n}", "project": "php-src", "hash": 42717668826099104627854451766724902489, "size": 31, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291391 }, { "func": "static OPJ_BOOL opj_j2k_are_all_used_components_decoded(opj_j2k_t *p_j2k,\n opj_event_mgr_t * p_manager)\n{\n OPJ_UINT32 compno;\n OPJ_BOOL decoded_all_used_components = OPJ_TRUE;\n\n if (p_j2k->m_specific_param.m_decoder.m_numcomps_to_decode) {\n for (compno = 0;\n compno < p_j2k->m_specific_param.m_decoder.m_numcomps_to_decode; compno++) {\n OPJ_UINT32 dec_compno =\n p_j2k->m_specific_param.m_decoder.m_comps_indices_to_decode[compno];\n if (p_j2k->m_output_image->comps[dec_compno].data == NULL) {\n opj_event_msg(p_manager, EVT_WARNING, \"Failed to decode component %d\\n\",\n dec_compno);\n decoded_all_used_components = OPJ_FALSE;\n }\n }\n } else {\n for (compno = 0; compno < p_j2k->m_output_image->numcomps; compno++) {\n if (p_j2k->m_output_image->comps[compno].data == NULL) {\n opj_event_msg(p_manager, EVT_WARNING, \"Failed to decode 
component %d\\n\",\n compno);\n decoded_all_used_components = OPJ_FALSE;\n }\n }\n }\n\n if (decoded_all_used_components == OPJ_FALSE) {\n opj_event_msg(p_manager, EVT_ERROR, \"Failed to decode all used components\\n\");\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 123195239389304340431667367508325766808, "size": 34, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357383 }, { "func": "CWebSock::EPageReqResult CWebSock::PrintTemplate(const CString& sPageName,\n CString& sPageRet,\n CModule* pModule) {\n SetVars();\n\n m_Template[\"PageName\"] = sPageName;\n\n if (pModule) {\n m_Template[\"ModName\"] = pModule->GetModName();\n\n if (m_Template.find(\"Title\") == m_Template.end()) {\n m_Template[\"Title\"] = pModule->GetWebMenuTitle();\n }\n\n std::vector* breadcrumbs =\n m_Template.GetLoop(\"BreadCrumbs\");\n if (breadcrumbs->size() == 1 &&\n m_Template[\"Title\"] != pModule->GetModName()) {\n // Module didn't add its own breadcrumbs, so add a generic one...\n // But it'll be useless if it's the same as module name\n CTemplate& bread = m_Template.AddRow(\"BreadCrumbs\");\n bread[\"Text\"] = m_Template[\"Title\"];\n }\n }\n\n if (!m_bPathsSet) {\n SetPaths(pModule, true);\n }\n\n if (m_Template.GetFileName().empty() &&\n !m_Template.SetFile(sPageName + \".tmpl\")) {\n return PAGE_NOTFOUND;\n }\n\n if (m_Template.PrintString(sPageRet)) {\n return PAGE_PRINT;\n } else {\n return PAGE_NOTFOUND;\n }\n}", "project": "znc", "hash": 189236435523719998127246460481083566576, "size": 40, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265786 }, { "func": "bool 
JOIN::make_aggr_tables_info()\n{\n List *curr_all_fields= &all_fields;\n List *curr_fields_list= &fields_list;\n JOIN_TAB *curr_tab= join_tab + const_tables;\n TABLE *exec_tmp_table= NULL;\n bool distinct= false;\n bool keep_row_order= false;\n bool is_having_added_as_table_cond= false;\n DBUG_ENTER(\"JOIN::make_aggr_tables_info\");\n\n const bool has_group_by= this->group;\n \n sort_and_group_aggr_tab= NULL;\n\n if (group_optimized_away)\n implicit_grouping= true;\n\n bool implicit_grouping_with_window_funcs= implicit_grouping &&\n select_lex->have_window_funcs();\n bool implicit_grouping_without_tables= implicit_grouping &&\n !tables_list;\n\n /*\n Setup last table to provide fields and all_fields lists to the next\n node in the plan.\n */\n if (join_tab && top_join_tab_count && tables_list)\n {\n join_tab[top_join_tab_count - 1].fields= &fields_list;\n join_tab[top_join_tab_count - 1].all_fields= &all_fields;\n }\n\n /*\n All optimization is done. Check if we can use the storage engines\n group by handler to evaluate the group by.\n Some storage engines, like spider can also do joins, group by and\n distinct in the engine, so we do this for all queries, not only\n GROUP BY queries.\n */\n if (tables_list && top_join_tab_count && !procedure)\n {\n /*\n At the moment we only support push down for queries where\n all tables are in the same storage engine\n */\n TABLE_LIST *tbl= tables_list;\n handlerton *ht= tbl && tbl->table ? tbl->table->file->partition_ht() : 0;\n for (tbl= tbl->next_local; ht && tbl; tbl= tbl->next_local)\n {\n if (!tbl->table || tbl->table->file->partition_ht() != ht)\n ht= 0;\n }\n\n if (ht && ht->create_group_by)\n {\n /* Check if the storage engine can intercept the query */\n Query query= {&all_fields, select_distinct, tables_list, conds,\n group_list, order ? 
order : group_list, having};\n group_by_handler *gbh= ht->create_group_by(thd, &query);\n\n if (gbh)\n {\n if (!(pushdown_query= new (thd->mem_root) Pushdown_query(select_lex, gbh)))\n DBUG_RETURN(1);\n /*\n We must store rows in the tmp table if we need to do an ORDER BY\n or DISTINCT and the storage handler can't handle it.\n */\n need_tmp= query.order_by || query.group_by || query.distinct;\n distinct= query.distinct;\n keep_row_order= query.order_by || query.group_by;\n \n order= query.order_by;\n\n aggr_tables++;\n curr_tab= join_tab + exec_join_tab_cnt();\n bzero((void*)curr_tab, sizeof(JOIN_TAB));\n curr_tab->ref.key= -1;\n curr_tab->join= this;\n\n if (!(curr_tab->tmp_table_param= new TMP_TABLE_PARAM(tmp_table_param)))\n DBUG_RETURN(1);\n TABLE* table= create_tmp_table(thd, curr_tab->tmp_table_param,\n all_fields,\n NULL, query.distinct,\n TRUE, select_options, HA_POS_ERROR,\n &empty_clex_str, !need_tmp,\n query.order_by || query.group_by);\n if (!table)\n DBUG_RETURN(1);\n\n if (!(curr_tab->aggr= new (thd->mem_root) AGGR_OP(curr_tab)))\n DBUG_RETURN(1);\n curr_tab->aggr->set_write_func(::end_send);\n curr_tab->table= table;\n /*\n Setup reference fields, used by summary functions and group by fields,\n to point to the temporary table.\n The actual switching to the temporary tables fields for HAVING\n and ORDER BY is done in do_select() by calling\n set_items_ref_array(items1).\n */\n init_items_ref_array();\n items1= ref_ptr_array_slice(2);\n //items1= items0 + all_fields.elements;\n if (change_to_use_tmp_fields(thd, items1,\n tmp_fields_list1, tmp_all_fields1,\n fields_list.elements, all_fields))\n DBUG_RETURN(1);\n\n /* Give storage engine access to temporary table */\n gbh->table= table;\n pushdown_query->store_data_in_temp_table= need_tmp;\n pushdown_query->having= having;\n\n /*\n Group by and having is calculated by the group_by handler.\n Reset the group by and having\n */\n DBUG_ASSERT(query.group_by == NULL);\n group= 0; group_list= 0;\n having= 
tmp_having= 0;\n /*\n Select distinct is handled by handler or by creating an unique index\n over all fields in the temporary table\n */\n select_distinct= 0;\n order= query.order_by;\n tmp_table_param.field_count+= tmp_table_param.sum_func_count;\n tmp_table_param.sum_func_count= 0;\n\n fields= curr_fields_list;\n\n //todo: new:\n curr_tab->ref_array= &items1;\n curr_tab->all_fields= &tmp_all_fields1;\n curr_tab->fields= &tmp_fields_list1;\n\n DBUG_RETURN(thd->is_fatal_error);\n }\n }\n }\n\n\n /*\n The loose index scan access method guarantees that all grouping or\n duplicate row elimination (for distinct) is already performed\n during data retrieval, and that all MIN/MAX functions are already\n computed for each group. Thus all MIN/MAX functions should be\n treated as regular functions, and there is no need to perform\n grouping in the main execution loop.\n Notice that currently loose index scan is applicable only for\n single table queries, thus it is sufficient to test only the first\n join_tab element of the plan for its access method.\n */\n if (join_tab && top_join_tab_count && tables_list &&\n join_tab->is_using_loose_index_scan())\n tmp_table_param.precomputed_group_by=\n !join_tab->is_using_agg_loose_index_scan();\n\n group_list_for_estimates= group_list;\n /* Create a tmp table if distinct or if the sort is too complicated */\n if (need_tmp)\n {\n aggr_tables++;\n curr_tab= join_tab + exec_join_tab_cnt();\n bzero((void*)curr_tab, sizeof(JOIN_TAB));\n curr_tab->ref.key= -1;\n if (only_const_tables())\n first_select= sub_select_postjoin_aggr;\n\n /*\n Create temporary table on first execution of this join.\n (Will be reused if this is a subquery that is executed several times.)\n */\n init_items_ref_array();\n\n ORDER *tmp_group= (ORDER *) 0;\n if (!simple_group && !procedure && !(test_flags & TEST_NO_KEY_GROUP))\n tmp_group= group_list;\n\n tmp_table_param.hidden_field_count= \n all_fields.elements - fields_list.elements;\n\n distinct= select_distinct 
&& !group_list && \n !select_lex->have_window_funcs();\n keep_row_order= false;\n bool save_sum_fields= (group_list && simple_group) ||\n implicit_grouping_with_window_funcs;\n if (create_postjoin_aggr_table(curr_tab,\n &all_fields, tmp_group,\n save_sum_fields,\n distinct, keep_row_order))\n DBUG_RETURN(true);\n exec_tmp_table= curr_tab->table;\n\n if (exec_tmp_table->distinct)\n optimize_distinct();\n\n /* Change sum_fields reference to calculated fields in tmp_table */\n items1= ref_ptr_array_slice(2);\n if ((sort_and_group || curr_tab->table->group ||\n tmp_table_param.precomputed_group_by) && \n !implicit_grouping_without_tables)\n {\n if (change_to_use_tmp_fields(thd, items1,\n tmp_fields_list1, tmp_all_fields1,\n fields_list.elements, all_fields))\n DBUG_RETURN(true);\n }\n else\n {\n if (change_refs_to_tmp_fields(thd, items1,\n tmp_fields_list1, tmp_all_fields1,\n fields_list.elements, all_fields))\n DBUG_RETURN(true);\n }\n curr_all_fields= &tmp_all_fields1;\n curr_fields_list= &tmp_fields_list1;\n // Need to set them now for correct group_fields setup, reset at the end.\n set_items_ref_array(items1);\n curr_tab->ref_array= &items1;\n curr_tab->all_fields= &tmp_all_fields1;\n curr_tab->fields= &tmp_fields_list1;\n set_postjoin_aggr_write_func(curr_tab);\n\n /*\n If having is not handled here, it will be checked before the row is sent\n to the client.\n */\n if (tmp_having &&\n (sort_and_group || (exec_tmp_table->distinct && !group_list) ||\n\t select_lex->have_window_funcs()))\n {\n /*\n If there is no select distinct and there are no window functions\n then move the having to table conds of tmp table.\n NOTE : We cannot apply having after distinct or window functions\n If columns of having are not part of select distinct,\n then distinct may remove rows which can satisfy having.\n In the case of window functions we *must* make sure to not\n store any rows which don't match HAVING within the temp table,\n as rows will end up being used during their 
computation.\n */\n if (!select_distinct && !select_lex->have_window_funcs() &&\n add_having_as_table_cond(curr_tab))\n DBUG_RETURN(true);\n is_having_added_as_table_cond= tmp_having != having;\n\n /*\n Having condition which we are not able to add as tmp table conds are\n kept as before. And, this will be applied before storing the rows in\n tmp table.\n */\n curr_tab->having= having;\n having= NULL; // Already done\n }\n\n tmp_table_param.func_count= 0;\n tmp_table_param.field_count+= tmp_table_param.func_count;\n if (sort_and_group || curr_tab->table->group)\n {\n tmp_table_param.field_count+= tmp_table_param.sum_func_count;\n tmp_table_param.sum_func_count= 0;\n }\n\n if (exec_tmp_table->group)\n {\t\t\t\t\t\t// Already grouped\n if (!order && !no_order && !skip_sort_order)\n order= group_list; /* order by group */\n group_list= NULL;\n }\n\n /*\n If we have different sort & group then we must sort the data by group\n and copy it to another tmp table\n This code is also used if we are using distinct something\n we haven't been able to store in the temporary table yet\n like SEC_TO_TIME(SUM(...)).\n */\n if ((group_list &&\n (!test_if_subpart(group_list, order) || select_distinct)) ||\n (select_distinct && tmp_table_param.using_outer_summary_function))\n {\t\t\t\t\t/* Must copy to another table */\n DBUG_PRINT(\"info\",(\"Creating group table\"));\n\n calc_group_buffer(this, group_list);\n count_field_types(select_lex, &tmp_table_param, tmp_all_fields1,\n select_distinct && !group_list);\n tmp_table_param.hidden_field_count=\n tmp_all_fields1.elements - tmp_fields_list1.elements;\n\n curr_tab++;\n aggr_tables++;\n bzero((void*)curr_tab, sizeof(JOIN_TAB));\n curr_tab->ref.key= -1;\n\n /* group data to new table */\n /*\n If the access method is loose index scan then all MIN/MAX\n functions are precomputed, and should be treated as regular\n functions. 
See extended comment above.\n */\n if (join_tab->is_using_loose_index_scan())\n tmp_table_param.precomputed_group_by= TRUE;\n\n tmp_table_param.hidden_field_count=\n curr_all_fields->elements - curr_fields_list->elements;\n ORDER *dummy= NULL; //TODO can use table->group here also\n\n if (create_postjoin_aggr_table(curr_tab, curr_all_fields, dummy, true,\n distinct, keep_row_order))\n\tDBUG_RETURN(true);\n\n if (group_list)\n {\n if (!only_const_tables()) // No need to sort a single row\n {\n if (add_sorting_to_table(curr_tab - 1, group_list))\n DBUG_RETURN(true);\n }\n\n if (make_group_fields(this, this))\n DBUG_RETURN(true);\n }\n\n // Setup sum funcs only when necessary, otherwise we might break info\n // for the first table\n if (group_list || tmp_table_param.sum_func_count)\n {\n if (make_sum_func_list(*curr_all_fields, *curr_fields_list, true, true))\n DBUG_RETURN(true);\n if (prepare_sum_aggregators(sum_funcs,\n !join_tab->is_using_agg_loose_index_scan()))\n DBUG_RETURN(true);\n group_list= NULL;\n if (setup_sum_funcs(thd, sum_funcs))\n DBUG_RETURN(true);\n }\n // No sum funcs anymore\n DBUG_ASSERT(items2.is_null());\n\n items2= ref_ptr_array_slice(3);\n if (change_to_use_tmp_fields(thd, items2,\n tmp_fields_list2, tmp_all_fields2, \n fields_list.elements, tmp_all_fields1))\n DBUG_RETURN(true);\n\n curr_fields_list= &tmp_fields_list2;\n curr_all_fields= &tmp_all_fields2;\n set_items_ref_array(items2);\n curr_tab->ref_array= &items2;\n curr_tab->all_fields= &tmp_all_fields2;\n curr_tab->fields= &tmp_fields_list2;\n set_postjoin_aggr_write_func(curr_tab);\n\n tmp_table_param.field_count+= tmp_table_param.sum_func_count;\n tmp_table_param.sum_func_count= 0;\n }\n if (curr_tab->table->distinct)\n select_distinct= false; /* Each row is unique */\n\n if (select_distinct && !group_list)\n {\n if (having)\n {\n curr_tab->having= having;\n having->update_used_tables();\n }\n /*\n We only need DISTINCT operation if the join is not degenerate.\n If it is, we must not 
request DISTINCT processing, because\n remove_duplicates() assumes there is a preceding computation step (and\n in the degenerate join, there's none)\n */\n if (top_join_tab_count && tables_list)\n curr_tab->distinct= true;\n\n having= NULL;\n select_distinct= false;\n }\n /* Clean tmp_table_param for the next tmp table. */\n tmp_table_param.field_count= tmp_table_param.sum_func_count=\n tmp_table_param.func_count= 0;\n\n tmp_table_param.copy_field= tmp_table_param.copy_field_end=0;\n first_record= sort_and_group=0;\n\n if (!group_optimized_away || implicit_grouping_with_window_funcs)\n {\n group= false;\n }\n else\n {\n /*\n If grouping has been optimized away, a temporary table is\n normally not needed unless we're explicitly requested to create\n one (e.g. due to a SQL_BUFFER_RESULT hint or INSERT ... SELECT).\n\n In this case (grouping was optimized away), temp_table was\n created without a grouping expression and JOIN::exec() will not\n perform the necessary grouping (by the use of end_send_group()\n or end_write_group()) if JOIN::group is set to false.\n */\n // the temporary table was explicitly requested\n DBUG_ASSERT(MY_TEST(select_options & OPTION_BUFFER_RESULT));\n // the temporary table does not have a grouping expression\n DBUG_ASSERT(!curr_tab->table->group); \n }\n calc_group_buffer(this, group_list);\n count_field_types(select_lex, &tmp_table_param, *curr_all_fields, false);\n }\n\n if (group ||\n (implicit_grouping && !implicit_grouping_with_window_funcs) ||\n tmp_table_param.sum_func_count)\n {\n if (make_group_fields(this, this))\n DBUG_RETURN(true);\n\n DBUG_ASSERT(items3.is_null());\n\n if (items0.is_null())\n init_items_ref_array();\n items3= ref_ptr_array_slice(4);\n setup_copy_fields(thd, &tmp_table_param,\n items3, tmp_fields_list3, tmp_all_fields3,\n curr_fields_list->elements, *curr_all_fields);\n\n curr_fields_list= &tmp_fields_list3;\n curr_all_fields= &tmp_all_fields3;\n set_items_ref_array(items3);\n if (join_tab)\n {\n JOIN_TAB 
*last_tab= join_tab + top_join_tab_count + aggr_tables - 1;\n // Set grouped fields on the last table\n last_tab->ref_array= &items3;\n last_tab->all_fields= &tmp_all_fields3;\n last_tab->fields= &tmp_fields_list3;\n }\n if (make_sum_func_list(*curr_all_fields, *curr_fields_list, true, true))\n DBUG_RETURN(true);\n if (prepare_sum_aggregators(sum_funcs,\n !join_tab ||\n !join_tab-> is_using_agg_loose_index_scan()))\n DBUG_RETURN(true);\n if (unlikely(setup_sum_funcs(thd, sum_funcs) || thd->is_fatal_error))\n DBUG_RETURN(true);\n }\n if (group_list || order)\n {\n DBUG_PRINT(\"info\",(\"Sorting for send_result_set_metadata\"));\n THD_STAGE_INFO(thd, stage_sorting_result);\n /* If we have already done the group, add HAVING to sorted table */\n if (tmp_having && !is_having_added_as_table_cond &&\n !group_list && !sort_and_group)\n {\n if (add_having_as_table_cond(curr_tab))\n DBUG_RETURN(true);\n }\n\n if (group)\n select_limit= HA_POS_ERROR;\n else if (!need_tmp)\n {\n /*\n We can abort sorting after thd->select_limit rows if there are no\n filter conditions for any tables after the sorted one.\n Filter conditions come in several forms:\n 1. as a condition item attached to the join_tab, or\n 2. as a keyuse attached to the join_tab (ref access).\n */\n for (uint i= const_tables + 1; i < top_join_tab_count; i++)\n {\n JOIN_TAB *const tab= join_tab + i;\n if (tab->select_cond || // 1\n (tab->keyuse && !tab->first_inner)) // 2\n {\n /* We have to sort all rows */\n select_limit= HA_POS_ERROR;\n break;\n }\n }\n }\n /*\n Here we add sorting stage for ORDER BY/GROUP BY clause, if the\n optimiser chose FILESORT to be faster than INDEX SCAN or there is\n no suitable index present.\n OPTION_FOUND_ROWS supersedes LIMIT and is taken into account.\n */\n DBUG_PRINT(\"info\",(\"Sorting for order by/group by\"));\n ORDER *order_arg= group_list ? group_list : order;\n if (top_join_tab_count + aggr_tables > const_tables &&\n ordered_index_usage !=\n (group_list ? 
ordered_index_group_by : ordered_index_order_by) &&\n curr_tab->type != JT_CONST &&\n curr_tab->type != JT_EQ_REF) // Don't sort 1 row\n {\n // Sort either first non-const table or the last tmp table\n JOIN_TAB *sort_tab= curr_tab;\n\n if (add_sorting_to_table(sort_tab, order_arg))\n DBUG_RETURN(true);\n /*\n filesort_limit:\t Return only this many rows from filesort().\n We can use select_limit_cnt only if we have no group_by and 1 table.\n This allows us to use Bounded_queue for queries like:\n \"select SQL_CALC_FOUND_ROWS * from t1 order by b desc limit 1;\"\n m_select_limit == HA_POS_ERROR (we need a full table scan)\n unit->select_limit_cnt == 1 (we only need one row in the result set)\n */\n sort_tab->filesort->limit=\n (has_group_by || (join_tab + table_count > curr_tab + 1)) ?\n select_limit : unit->select_limit_cnt;\n }\n if (!only_const_tables() &&\n !join_tab[const_tables].filesort &&\n !(select_options & SELECT_DESCRIBE))\n {\n /*\n If no IO cache exists for the first table then we are using an\n INDEX SCAN and no filesort. Thus we should not remove the sorted\n attribute on the INDEX SCAN.\n */\n skip_sort_order= true;\n }\n }\n\n /*\n Window functions computation step should be attached to the last join_tab\n that's doing aggregation.\n The last join_tab reads the data from the temp. table. It also may do\n - sorting\n - duplicate value removal\n Both of these operations are done after window function computation step.\n */\n curr_tab= join_tab + total_join_tab_cnt();\n if (select_lex->window_funcs.elements)\n {\n if (!(curr_tab->window_funcs_step= new Window_funcs_computation))\n DBUG_RETURN(true);\n if (curr_tab->window_funcs_step->setup(thd, &select_lex->window_funcs,\n curr_tab))\n DBUG_RETURN(true);\n /* Count that we're using window functions. 
*/\n status_var_increment(thd->status_var.feature_window_functions);\n }\n if (select_lex->custom_agg_func_used())\n status_var_increment(thd->status_var.feature_custom_aggregate_functions);\n\n fields= curr_fields_list;\n // Reset before execution\n set_items_ref_array(items0);\n if (join_tab)\n join_tab[exec_join_tab_cnt() + aggr_tables - 1].next_select=\n setup_end_select_func(this, NULL);\n group= has_group_by;\n\n DBUG_RETURN(false);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 75189741080710126462697894487968852860, "size": 561, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508642 }, { "func": " Item** addr(uint i)\n { return result_type() == ROW_RESULT ? 
orig_item->addr(i) : 0; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 271844613462484207695829955934275685178, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509378 }, { "func": "TfLiteStatus ResizeOutputTensor(TfLiteContext* context,\n const OneHotContext& op_context) {\n TF_LITE_ENSURE(context, *op_context.depth->data.i32 >= 0);\n TfLiteIntArray* output_size = TfLiteIntArrayCreate(op_context.output_dims);\n for (int i = 0; i < op_context.output_dims; ++i) {\n if (i < op_context.axis) {\n output_size->data[i] = op_context.indices->dims->data[i];\n } else if (i == op_context.axis) {\n output_size->data[i] = *op_context.depth->data.i32;\n } else {\n output_size->data[i] = op_context.indices->dims->data[i - 1];\n }\n }\n return context->ResizeTensor(context, op_context.output, output_size);\n}", "project": "tensorflow", "hash": 86511305776162510042282806038218414850, "size": 15, "commit_id": "3ebedd7e345453d68e279cfc3e4072648e5e12e5", "message": "Prevent division by 0 in OneHot 
implementation\n\nIf input indices is degenerate, the implementation would do a divide by zero. See https://github.com/tensorflow/tensorflow/blob/745d57df6d5e9bc568666a2a48ed8dd629c27241/tensorflow/lite/kernels/one_hot.cc#L68-L72\n\nPiperOrigin-RevId: 370966870\nChange-Id: Ie018337811c8016b5a1d3a277d00d5f2e19a2058", "target": 0, "dataset": "other", "idx": 267937 }, { "func": "void kvm_arch_destroy_vm(struct kvm *kvm)\n{\n\tu16 rc, rrc;\n\n\tkvm_free_vcpus(kvm);\n\tsca_dispose(kvm);\n\tkvm_s390_gisa_destroy(kvm);\n\t/*\n\t * We are already at the end of life and kvm->lock is not taken.\n\t * This is ok as the file descriptor is closed by now and nobody\n\t * can mess with the pv state. To avoid lockdep_assert_held from\n\t * complaining we do not use kvm_s390_pv_is_protected.\n\t */\n\tif (kvm_s390_pv_get_handle(kvm))\n\t\tkvm_s390_pv_deinit_vm(kvm, &rc, &rrc);\n\tdebug_unregister(kvm->arch.dbf);\n\tfree_page((unsigned long)kvm->arch.sie_page2);\n\tif (!kvm_is_ucontrol(kvm))\n\t\tgmap_remove(kvm->arch.gmap);\n\tkvm_s390_destroy_adapters(kvm);\n\tkvm_s390_clear_float_irqs(kvm);\n\tkvm_s390_vsie_destroy(kvm);\n\tKVM_EVENT(3, \"vm 0x%pK destroyed\", kvm);\n}", "project": "linux", "hash": 339254810616483168134909359571467529766, "size": 24, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354544 }, { 
"project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "void VideoRendererBase::ThreadMain() {\n base::PlatformThread::SetName(\"CrVideoRenderer\");\n\n const base::TimeDelta kIdleTimeDelta =\n base::TimeDelta::FromMilliseconds(10);\n\n uint32 frames_dropped = 0;\n\n for (;;) {\n if (frames_dropped > 0) {\n PipelineStatistics statistics;\n statistics.video_frames_dropped = frames_dropped;\n statistics_cb_.Run(statistics);\n\n frames_dropped = 0;\n }\n\n base::AutoLock auto_lock(lock_);\n\n if (state_ == kStopped)\n return;\n\n if (state_ != kPlaying || playback_rate_ == 0) {\n frame_available_.TimedWait(kIdleTimeDelta);\n continue;\n }\n\n if (ready_frames_.empty()) {\n frame_available_.TimedWait(kIdleTimeDelta);\n continue;\n }\n\n if (!current_frame_) {\n if (ready_frames_.front()->IsEndOfStream()) {\n state_ = kEnded;\n host()->NotifyEnded();\n ready_frames_.clear();\n\n continue;\n }\n\n frame_available_.TimedWait(kIdleTimeDelta);\n continue;\n }\n\n base::TimeDelta remaining_time =\n CalculateSleepDuration(ready_frames_.front(), playback_rate_);\n\n if (remaining_time.InMicroseconds() > 0) {\n remaining_time = std::min(remaining_time, kIdleTimeDelta);\n frame_available_.TimedWait(remaining_time);\n continue;\n }\n\n\n\n\n if (ready_frames_.front()->IsEndOfStream()) {\n state_ = kEnded;\n host()->NotifyEnded();\n ready_frames_.clear();\n\n continue;\n }\n\n if (pending_paint_) {\n while (!ready_frames_.empty()) {\n if (ready_frames_.front()->IsEndOfStream())\n break;\n\n base::TimeDelta remaining_time =\n ready_frames_.front()->GetTimestamp() - host()->GetTime();\n\n if (remaining_time.InMicroseconds() > 0)\n break;\n\n if (!drop_frames_)\n break;\n\n ++frames_dropped;\n ready_frames_.pop_front();\n AttemptRead_Locked();\n }\n frame_available_.TimedWait(kIdleTimeDelta);\n continue;\n }\n\n\n DCHECK(!pending_paint_);\n DCHECK(!ready_frames_.empty());\n current_frame_ = ready_frames_.front();\n 
ready_frames_.pop_front();\n AttemptRead_Locked();\n\n base::AutoUnlock auto_unlock(lock_);\n paint_cb_.Run();\n }\n}\n", "cwe": "", "big_vul_idx": 113363, "idx": 101652, "hash": 135955839650509607600829651563057241447 }, { "func": " bool value_depends_on_sql_mode_const_item()\n {\n /*\n Currently we use value_depends_on_sql_mode() only for virtual\n column expressions. They should not contain any expensive items.\n If we ever get a crash on the assert below, it means\n check_vcol_func_processor() is badly implemented for this item.\n */\n DBUG_ASSERT(!is_expensive());\n /*\n It should return const_item() actually.\n But for some reasons Item_field::const_item() returns true\n at value_depends_on_sql_mode() call time.\n This should be checked and fixed.\n */\n return basic_const_item();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 125275853881989953645313290390146713512, "size": 17, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509381 }, { "func": "static int compat_tty_tiocgserial(struct tty_struct *tty,\n\t\t\tstruct serial_struct32 __user *ss)\n{\n\tstruct serial_struct32 v32;\n\tstruct serial_struct v;\n\tint err;\n\n\tmemset(&v, 0, sizeof(v));\n\tmemset(&v32, 0, sizeof(v32));\n\n\tif (!tty->ops->get_serial)\n\t\treturn -ENOTTY;\n\terr = tty->ops->get_serial(tty, &v);\n\tif (!err) {\n\t\tmemcpy(&v32, &v, offsetof(struct serial_struct32, iomem_base));\n\t\tv32.iomem_base = (unsigned long)v.iomem_base >> 32 ?\n\t\t\t0xfffffff : ptr_to_compat(v.iomem_base);\n\t\tv32.iomem_reg_shift = v.iomem_reg_shift;\n\t\tv32.port_high = v.port_high;\n\t\tif (copy_to_user(ss, &v32, sizeof(v32)))\n\t\t\terr = -EFAULT;\n\t}\n\treturn err;\n}", "project": "linux", "hash": 242469902243897949922471417887995053808, "size": 24, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325996 }, { "func": "static ssize_t fuse_send_write_pages(struct fuse_io_args *ia,\n\t\t\t\t struct kiocb *iocb, struct inode *inode,\n\t\t\t\t loff_t pos, size_t count)\n{\n\tstruct fuse_args_pages *ap = &ia->ap;\n\tstruct file *file = iocb->ki_filp;\n\tstruct fuse_file *ff = file->private_data;\n\tstruct fuse_mount *fm = ff->fm;\n\tunsigned int offset, i;\n\tint err;\n\n\tfor (i = 0; i < ap->num_pages; i++)\n\t\tfuse_wait_on_page_writeback(inode, ap->pages[i]->index);\n\n\tfuse_write_args_fill(ia, ff, pos, count);\n\tia->write.in.flags = fuse_write_flags(iocb);\n\tif (fm->fc->handle_killpriv_v2 && !capable(CAP_FSETID))\n\t\tia->write.in.write_flags |= FUSE_WRITE_KILL_SUIDGID;\n\n\terr = fuse_simple_request(fm, &ap->args);\n\tif (!err && ia->write.out.size > count)\n\t\terr = -EIO;\n\n\toffset = ap->descs[0].offset;\n\tcount = ia->write.out.size;\n\tfor (i = 0; i < ap->num_pages; i++) {\n\t\tstruct page *page = ap->pages[i];\n\n\t\tif (!err && !offset && count >= PAGE_SIZE)\n\t\t\tSetPageUptodate(page);\n\n\t\tif (count > PAGE_SIZE - offset)\n\t\t\tcount -= PAGE_SIZE - offset;\n\t\telse\n\t\t\tcount = 0;\n\t\toffset = 0;\n\n\t\tunlock_page(page);\n\t\tput_page(page);\n\t}\n\n\treturn 
err;\n}", "project": "linux", "hash": 76421313553777879961015767601557205210, "size": 43, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342136 }, { "func": "static int key_notify_policy_flush(const struct km_event *c)\n{\n\tstruct sk_buff *skb_out;\n\tstruct sadb_msg *hdr;\n\n\tskb_out = alloc_skb(sizeof(struct sadb_msg) + 16, GFP_ATOMIC);\n\tif (!skb_out)\n\t\treturn -ENOBUFS;\n\thdr = skb_put(skb_out, sizeof(struct sadb_msg));\n\thdr->sadb_msg_type = SADB_X_SPDFLUSH;\n\thdr->sadb_msg_seq = c->seq;\n\thdr->sadb_msg_pid = c->portid;\n\thdr->sadb_msg_version = PF_KEY_V2;\n\thdr->sadb_msg_errno = (uint8_t) 0;\n\thdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;\n\thdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));\n\thdr->sadb_msg_reserved = 0;\n\tpfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);\n\treturn 0;\n\n}", "project": "linux", "hash": 185389402090747139639172691373877515275, "size": 21, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd 
__GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268046 }, { "func": "static void io_refs_resurrect(struct percpu_ref *ref, struct completion *compl)\n{\n\tbool got = percpu_ref_tryget(ref);\n\n\t/* already at zero, wait for ->release() */\n\tif (!got)\n\t\twait_for_completion(compl);\n\tpercpu_ref_resurrect(ref);\n\tif (got)\n\t\tpercpu_ref_put(ref);\n}", "project": "linux", "hash": 255120751653355932884275166549555186285, "size": 11, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338513 }, { "func": "static int key_notify_sa_flush(const struct km_event *c)\n{\n\tstruct sk_buff *skb;\n\tstruct sadb_msg *hdr;\n\n\tskb = alloc_skb(sizeof(struct sadb_msg) + 16, GFP_ATOMIC);\n\tif (!skb)\n\t\treturn -ENOBUFS;\n\thdr = skb_put(skb, sizeof(struct sadb_msg));\n\thdr->sadb_msg_satype = pfkey_proto2satype(c->data.proto);\n\thdr->sadb_msg_type = SADB_FLUSH;\n\thdr->sadb_msg_seq = c->seq;\n\thdr->sadb_msg_pid = c->portid;\n\thdr->sadb_msg_version = PF_KEY_V2;\n\thdr->sadb_msg_errno = (uint8_t) 0;\n\thdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));\n\thdr->sadb_msg_reserved = 0;\n\n\tpfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);\n\n\treturn 0;\n}", "project": "linux", "hash": 184954976751764225155352360775239318308, "size": 22, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 
3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268088 }, { "func": "static int imap_path_is_empty(const char *path)\n{\n int rc = imap_path_status(path, false);\n if (rc < 0)\n return -1;\n if (rc == 0)\n return 1;\n return 0;\n}", "project": "neomutt", "hash": 209024820753745138119802382835322341005, "size": 9, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357005 }, { "func": "static void exif_iif_add_fmt(image_info_type *image_info, int section_index,\n char *name, char *value, ...) 
{\n va_list arglist;\n\n va_start(arglist, value);\n if (value) {\n char *tmp = 0;\n php_vspprintf_ap(&tmp, 0, value, arglist);\n exif_iif_add_str(image_info, section_index, name, tmp);\n if (tmp) IM_FREE(tmp);\n }\n va_end(arglist);\n}", "project": "hhvm", "hash": 48695160193106415084036801050317222085, "size": 13, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219805 }, { "func": "R_API bool r_sys_mkdirp(const char *dir) {\n\tbool ret = true;\n\tchar slash = R_SYS_DIR[0];\n\tchar *path = strdup (dir), *ptr = path;\n\tif (!path) {\n\t\teprintf (\"r_sys_mkdirp: Unable to allocate memory\\n\");\n\t\treturn false;\n\t}\n\tif (*ptr == slash) {\n\t\tptr++;\n\t}\n#if __WINDOWS__\n\t{\n\t\tchar *p = strstr (ptr, \":\\\\\");\n\t\tif (p) {\n\t\t\tptr = p + 3;\n\t\t}\n\t}\n#endif\n\tfor (;;) {\n\t\t// find next slash\n\t\tfor (; *ptr; ptr++) {\n\t\t\tif (*ptr == '/' || *ptr == '\\\\') {\n\t\t\t\tslash = *ptr;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (!*ptr) {\n\t\t\tbreak;\n\t\t}\n\t\t*ptr = 0;\n\t\tif (!r_sys_mkdir (path) && r_sys_mkdir_failed ()) {\n\t\t\teprintf (\"r_sys_mkdirp: fail '%s' of '%s'\\n\", path, dir);\n\t\t\tfree (path);\n\t\t\treturn false;\n\t\t}\n\t\t*ptr = slash;\n\t\tptr++;\n\t}\n\tif (!r_sys_mkdir (path) && r_sys_mkdir_failed ()) {\n\t\tret = false;\n\t}\n\tfree (path);\n\treturn ret;\n}", "project": "radare2", "hash": 142045478893204286488614514639481148103, "size": 45, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL 
##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268853 }, { "func": "static inline int r_sys_mkdirp(char *dir) {\n\tint ret = 1;\n\tconst char slash = DIRSEP;\n\tchar *path = dir;\n\tchar *ptr = path;\n\tif (*ptr == slash) {\n\t\tptr++;\n\t}\n#if __SDB_WINDOWS__\n\tchar *p = strstr (ptr, \":\\\\\");\n\tif (p) {\n\t\tptr = p + 3;\n\t}\n#endif\n\twhile ((ptr = strchr (ptr, slash))) {\n\t\t*ptr = 0;\n\t\tif (!r_sys_mkdir (path) && r_sys_mkdir_failed ()) {\n\t\t\teprintf (\"r_sys_mkdirp: fail '%s' of '%s'\\n\", path, dir);\n\t\t\t*ptr = slash;\n\t\t\treturn 0;\n\t\t}\n\t\t*ptr = slash;\n\t\tptr++;\n\t}\n\treturn ret;\n}", "project": "radare2", "hash": 311260809676592338613055498902173406259, "size": 26, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* 
r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269041 }, { "func": "static inline void hidinput_configure_usages(struct hid_input *hidinput,\n\t\t\t\t\t struct hid_report *report)\n{\n\tint i, j;\n\n\tfor (i = 0; i < report->maxfield; i++)\n\t\tfor (j = 0; j < report->field[i]->maxusage; j++)\n\t\t\thidinput_configure_usage(hidinput, report->field[i],\n\t\t\t\t\t\t report->field[i]->usage + j);\n}", "project": "linux", "hash": 109305075034924708599522574560213909784, "size": 10, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458358 }, { "project": 
"Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::addDeferredBreakConnection(AudioNode& node)\n{\n ASSERT(isAudioThread());\n m_deferredBreakConnectionList.append(&node);\n}\n", "cwe": "", "big_vul_idx": 139622, "idx": 124774, "hash": 294987331768230156944479542751483305678 }, { "func": "void __hci_abort_conn(struct hci_request *req, struct hci_conn *conn,\n\t\t u8 reason)\n{\n\tswitch (conn->state) {\n\tcase BT_CONNECTED:\n\tcase BT_CONFIG:\n\t\tif (conn->type == AMP_LINK) {\n\t\t\tstruct hci_cp_disconn_phy_link cp;\n\n\t\t\tcp.phy_handle = HCI_PHY_HANDLE(conn->handle);\n\t\t\tcp.reason = reason;\n\t\t\thci_req_add(req, HCI_OP_DISCONN_PHY_LINK, sizeof(cp),\n\t\t\t\t &cp);\n\t\t} else {\n\t\t\tstruct hci_cp_disconnect dc;\n\n\t\t\tdc.handle = cpu_to_le16(conn->handle);\n\t\t\tdc.reason = reason;\n\t\t\thci_req_add(req, HCI_OP_DISCONNECT, sizeof(dc), &dc);\n\t\t}\n\n\t\tconn->state = BT_DISCONN;\n\n\t\tbreak;\n\tcase BT_CONNECT:\n\t\tif (conn->type == LE_LINK) {\n\t\t\tif (test_bit(HCI_CONN_SCANNING, &conn->flags))\n\t\t\t\tbreak;\n\t\t\thci_req_add(req, HCI_OP_LE_CREATE_CONN_CANCEL,\n\t\t\t\t 0, NULL);\n\t\t} else if (conn->type == ACL_LINK) {\n\t\t\tif (req->hdev->hci_ver < BLUETOOTH_VER_1_2)\n\t\t\t\tbreak;\n\t\t\thci_req_add(req, HCI_OP_CREATE_CONN_CANCEL,\n\t\t\t\t 6, &conn->dst);\n\t\t}\n\t\tbreak;\n\tcase BT_CONNECT2:\n\t\tif (conn->type == ACL_LINK) {\n\t\t\tstruct hci_cp_reject_conn_req rej;\n\n\t\t\tbacpy(&rej.bdaddr, &conn->dst);\n\t\t\trej.reason = reason;\n\n\t\t\thci_req_add(req, HCI_OP_REJECT_CONN_REQ,\n\t\t\t\t sizeof(rej), &rej);\n\t\t} else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {\n\t\t\tstruct hci_cp_reject_sync_conn_req rej;\n\n\t\t\tbacpy(&rej.bdaddr, &conn->dst);\n\n\t\t\t/* SCO rejection has its own limited set of\n\t\t\t * allowed error values (0x0D-0x0F) which isn't\n\t\t\t * compatible with most values passed to this\n\t\t\t * function. 
To be safe hard-code one of the\n\t\t\t * values that's suitable for SCO.\n\t\t\t */\n\t\t\trej.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;\n\n\t\t\thci_req_add(req, HCI_OP_REJECT_SYNC_CONN_REQ,\n\t\t\t\t sizeof(rej), &rej);\n\t\t}\n\t\tbreak;\n\tdefault:\n\t\tconn->state = BT_CLOSED;\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 22140180163212457451214472934101833439, "size": 68, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402547 }, { "func": "void ftrace_dump(enum ftrace_dump_mode oops_dump_mode)\n{\n\t/* use static because iter can be a bit big for the stack */\n\tstatic struct trace_iterator iter;\n\tstatic atomic_t dump_running;\n\tstruct trace_array *tr = &global_trace;\n\tunsigned int old_userobj;\n\tunsigned long flags;\n\tint cnt = 0, cpu;\n\n\t/* Only allow one dump user at a time. 
*/\n\tif (atomic_inc_return(&dump_running) != 1) {\n\t\tatomic_dec(&dump_running);\n\t\treturn;\n\t}\n\n\t/*\n\t * Always turn off tracing when we dump.\n\t * We don't need to show trace output of what happens\n\t * between multiple crashes.\n\t *\n\t * If the user does a sysrq-z, then they can re-enable\n\t * tracing with echo 1 > tracing_on.\n\t */\n\ttracing_off();\n\n\tlocal_irq_save(flags);\n\n\t/* Simulate the iterator */\n\ttrace_init_global_iter(&iter);\n\n\tfor_each_tracing_cpu(cpu) {\n\t\tatomic_inc(&per_cpu_ptr(iter.trace_buffer->data, cpu)->disabled);\n\t}\n\n\told_userobj = tr->trace_flags & TRACE_ITER_SYM_USEROBJ;\n\n\t/* don't look at user memory in panic mode */\n\ttr->trace_flags &= ~TRACE_ITER_SYM_USEROBJ;\n\n\tswitch (oops_dump_mode) {\n\tcase DUMP_ALL:\n\t\titer.cpu_file = RING_BUFFER_ALL_CPUS;\n\t\tbreak;\n\tcase DUMP_ORIG:\n\t\titer.cpu_file = raw_smp_processor_id();\n\t\tbreak;\n\tcase DUMP_NONE:\n\t\tgoto out_enable;\n\tdefault:\n\t\tprintk(KERN_TRACE \"Bad dumping mode, switching to all CPUs dump\\n\");\n\t\titer.cpu_file = RING_BUFFER_ALL_CPUS;\n\t}\n\n\tprintk(KERN_TRACE \"Dumping ftrace buffer:\\n\");\n\n\t/* Did function tracer already get disabled? */\n\tif (ftrace_is_dead()) {\n\t\tprintk(\"# WARNING: FUNCTION TRACING IS CORRUPTED\\n\");\n\t\tprintk(\"# MAY BE MISSING FUNCTION EVENTS\\n\");\n\t}\n\n\t/*\n\t * We need to stop all tracing on all CPUS to read the\n\t * the next buffer. This is a bit expensive, but is\n\t * not done often. 
We fill all what we can read,\n\t * and then release the locks again.\n\t */\n\n\twhile (!trace_empty(&iter)) {\n\n\t\tif (!cnt)\n\t\t\tprintk(KERN_TRACE \"---------------------------------\\n\");\n\n\t\tcnt++;\n\n\t\t/* reset all but tr, trace, and overruns */\n\t\tmemset(&iter.seq, 0,\n\t\t sizeof(struct trace_iterator) -\n\t\t offsetof(struct trace_iterator, seq));\n\t\titer.iter_flags |= TRACE_FILE_LAT_FMT;\n\t\titer.pos = -1;\n\n\t\tif (trace_find_next_entry_inc(&iter) != NULL) {\n\t\t\tint ret;\n\n\t\t\tret = print_trace_line(&iter);\n\t\t\tif (ret != TRACE_TYPE_NO_CONSUME)\n\t\t\t\ttrace_consume(&iter);\n\t\t}\n\t\ttouch_nmi_watchdog();\n\n\t\ttrace_printk_seq(&iter.seq);\n\t}\n\n\tif (!cnt)\n\t\tprintk(KERN_TRACE \" (ftrace buffer empty)\\n\");\n\telse\n\t\tprintk(KERN_TRACE \"---------------------------------\\n\");\n\n out_enable:\n\ttr->trace_flags |= old_userobj;\n\n\tfor_each_tracing_cpu(cpu) {\n\t\tatomic_dec(&per_cpu_ptr(iter.trace_buffer->data, cpu)->disabled);\n\t}\n \tatomic_dec(&dump_running);\n\tlocal_irq_restore(flags);\n}", "project": "linux", "hash": 144811834276714259230515166825383846284, "size": 109, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445645 }, { "func": "static inline bool is_cr_intercept(struct vcpu_svm *svm, int bit)\n{\n\tstruct vmcb *vmcb = get_host_vmcb(svm);\n\n\treturn vmcb->control.intercept_cr & (1U << bit);\n}", "project": "linux", "hash": 340211297928599644347862251118413669338, "size": 6, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432473 }, { "func": "static bool nested_vmcb_checks(struct vmcb *vmcb)\n{\n\tif ((vmcb->control.intercept & (1ULL << INTERCEPT_VMRUN)) == 0)\n\t\treturn false;\n\n\tif (vmcb->control.asid == 0)\n\t\treturn false;\n\n\tif ((vmcb->control.nested_ctl & SVM_NESTED_CTL_NP_ENABLE) &&\n\t !npt_enabled)\n\t\treturn false;\n\n\treturn true;\n}", "project": "linux", "hash": 44443346426575479949937885571632396624, "size": 14, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432569 }, { "func": "static bool nested_vmcb_checks(struct vmcb *vmcb)\n{\n\tif ((vmcb->control.intercept & (1ULL << INTERCEPT_VMRUN)) == 0)\n\t\treturn false;\n\n\tif (vmcb->control.asid == 0)\n\t\treturn false;\n\n\tif (vmcb->control.nested_ctl && !npt_enabled)\n\t\treturn false;\n\n\treturn true;\n}", "project": "kvm", "hash": 224441327474718174799434538641840916342, "size": 13, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437586 }, { "func": "void __init early_trace_init(void)\n{\n\tif (tracepoint_printk) {\n\t\ttracepoint_print_iter =\n\t\t\tkmalloc(sizeof(*tracepoint_print_iter), GFP_KERNEL);\n\t\tif (WARN_ON(!tracepoint_print_iter))\n\t\t\ttracepoint_printk = 0;\n\t\telse\n\t\t\tstatic_key_enable(&tracepoint_printk_key.key);\n\t}\n\ttracer_alloc_buffers();\n}", "project": "linux", "hash": 298707282380961790430657042661319579693, "size": 12, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445653 }, { "func": "static void nfs41_sequence_call_done(struct rpc_task *task, void *data)\n{\n\tstruct nfs4_sequence_data *calldata = data;\n\tstruct nfs_client *clp = calldata->clp;\n\n\tif (!nfs41_sequence_done(task, task->tk_msg.rpc_resp))\n\t\treturn;\n\n\ttrace_nfs4_sequence(clp, task->tk_status);\n\tif (task->tk_status < 0) {\n\t\tdprintk(\"%s ERROR %d\\n\", __func__, task->tk_status);\n\t\tif (refcount_read(&clp->cl_count) == 1)\n\t\t\tgoto out;\n\n\t\tif (nfs41_sequence_handle_errors(task, clp) == -EAGAIN) {\n\t\t\trpc_restart_call_prepare(task);\n\t\t\treturn;\n\t\t}\n\t}\n\tdprintk(\"%s rpc_cred %p\\n\", __func__, task->tk_msg.rpc_cred);\nout:\n\tdprintk(\"<-- %s\\n\", __func__);\n}", "project": "linux", "hash": 181391965436363397865706953252992168855, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431212 }, { "func": "CallResult> JSObject::getComputedWithReceiver_RJS(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n Handle<> receiver) {\n // Try the fast-path first: no \"index-like\" properties and the \"name\" already\n // is a valid integer index.\n if (selfHandle->flags_.fastIndexProperties) {\n 
if (auto arrayIndex = toArrayIndexFastPath(*nameValHandle)) {\n // Do we have this value present in our array storage? If so, return it.\n PseudoHandle<> ourValue = createPseudoHandle(\n getOwnIndexed(selfHandle.get(), runtime, *arrayIndex));\n if (LLVM_LIKELY(!ourValue->isEmpty()))\n return ourValue;\n }\n }\n\n // If nameValHandle is an object, we should convert it to string now,\n // because toString may have side-effect, and we want to do this only\n // once.\n auto converted = toPropertyKeyIfObject(runtime, nameValHandle);\n if (LLVM_UNLIKELY(converted == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n auto nameValPrimitiveHandle = *converted;\n\n ComputedPropertyDescriptor desc;\n\n // Locate the descriptor. propObj contains the object which may be anywhere\n // along the prototype chain.\n MutableHandle propObj{runtime};\n if (LLVM_UNLIKELY(\n getComputedPrimitiveDescriptor(\n selfHandle, runtime, nameValPrimitiveHandle, propObj, desc) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n\n if (!propObj)\n return createPseudoHandle(HermesValue::encodeUndefinedValue());\n\n if (LLVM_LIKELY(\n !desc.flags.accessor && !desc.flags.hostObject &&\n !desc.flags.proxyObject))\n return createPseudoHandle(\n getComputedSlotValue(propObj.get(), runtime, desc));\n\n if (desc.flags.accessor) {\n auto *accessor = vmcast(\n getComputedSlotValue(propObj.get(), runtime, desc));\n if (!accessor->getter)\n return createPseudoHandle(HermesValue::encodeUndefinedValue());\n\n // Execute the accessor on this object.\n return accessor->getter.get(runtime)->executeCall0(\n runtime->makeHandle(accessor->getter), runtime, receiver);\n } else if (desc.flags.hostObject) {\n SymbolID id{};\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n auto propRes = vmcast(selfHandle.get())->get(id);\n if (propRes == ExecutionStatus::EXCEPTION)\n return ExecutionStatus::EXCEPTION;\n return createPseudoHandle(*propRes);\n } else {\n 
assert(desc.flags.proxyObject && \"descriptor flags are impossible\");\n CallResult> key = toPropertyKey(runtime, nameValPrimitiveHandle);\n if (key == ExecutionStatus::EXCEPTION)\n return ExecutionStatus::EXCEPTION;\n return JSProxy::getComputed(propObj, runtime, *key, receiver);\n }\n}", "project": "hermes", "hash": 177426946888629742787453579694850240993, "size": 71, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 1, "dataset": "other", "idx": 195664 }, { "func": "CallResult> JSObject::getComputedWithReceiver_RJS(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n Handle<> receiver) {\n // Try the fast-path first: no \"index-like\" properties and the \"name\" already\n // is a valid integer index.\n if (selfHandle->flags_.fastIndexProperties) {\n if (auto arrayIndex = toArrayIndexFastPath(*nameValHandle)) {\n // Do we have this value present in our array storage? 
If so, return it.\n PseudoHandle<> ourValue = createPseudoHandle(\n getOwnIndexed(selfHandle.get(), runtime, *arrayIndex));\n if (LLVM_LIKELY(!ourValue->isEmpty()))\n return ourValue;\n }\n }\n\n // If nameValHandle is an object, we should convert it to string now,\n // because toString may have side-effect, and we want to do this only\n // once.\n auto converted = toPropertyKeyIfObject(runtime, nameValHandle);\n if (LLVM_UNLIKELY(converted == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n auto nameValPrimitiveHandle = *converted;\n\n ComputedPropertyDescriptor desc;\n\n // Locate the descriptor. propObj contains the object which may be anywhere\n // along the prototype chain.\n MutableHandle propObj{runtime};\n if (LLVM_UNLIKELY(\n getComputedPrimitiveDescriptor(\n selfHandle, runtime, nameValPrimitiveHandle, propObj, desc) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n\n if (!propObj)\n return createPseudoHandle(HermesValue::encodeUndefinedValue());\n\n if (LLVM_LIKELY(\n !desc.flags.accessor && !desc.flags.hostObject &&\n !desc.flags.proxyObject))\n return createPseudoHandle(\n getComputedSlotValue(propObj.get(), runtime, desc));\n\n if (desc.flags.accessor) {\n auto *accessor = vmcast(\n getComputedSlotValue(propObj.get(), runtime, desc));\n if (!accessor->getter)\n return createPseudoHandle(HermesValue::encodeUndefinedValue());\n\n // Execute the accessor on this object.\n return accessor->getter.get(runtime)->executeCall0(\n runtime->makeHandle(accessor->getter), runtime, receiver);\n } else if (desc.flags.hostObject) {\n SymbolID id{};\n LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);\n auto propRes = vmcast(propObj.get())->get(id);\n if (propRes == ExecutionStatus::EXCEPTION)\n return ExecutionStatus::EXCEPTION;\n return createPseudoHandle(*propRes);\n } else {\n assert(desc.flags.proxyObject && \"descriptor flags are impossible\");\n CallResult> key = toPropertyKey(runtime, 
nameValPrimitiveHandle);\n if (key == ExecutionStatus::EXCEPTION)\n return ExecutionStatus::EXCEPTION;\n return JSProxy::getComputed(propObj, runtime, *key, receiver);\n }\n}", "project": "hermes", "hash": 144306568268444659213632345202957132495, "size": 71, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230182 }, { "func": "int gdImageGetTrueColorPixel (gdImagePtr im, int x, int y)\n{\n\tint p = gdImageGetPixel(im, x, y);\n\n\tif (!im->trueColor) {\n\t\treturn gdTrueColorAlpha(im->red[p], im->green[p], im->blue[p], (im->transparent == p) ? 
gdAlphaTransparent : im->alpha[p]);\n\t} else {\n\t\treturn p;\n\t}\n}", "project": "php-src", "hash": 134397036792275027662138019896166246540, "size": 10, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295159 }, { "func": " const Tensor& indices() const { return ix_; }", "project": "tensorflow", "hash": 8986645232521309654324418740993405254, "size": 1, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277021 }, { "func": "static pte_t move_soft_dirty_pte(pte_t pte)\n{\n\t/*\n\t * Set soft dirty bit so we can notice\n\t * in userspace the ptes were moved.\n\t */\n#ifdef CONFIG_MEM_SOFT_DIRTY\n\tif (pte_present(pte))\n\t\tpte = pte_mksoft_dirty(pte);\n\telse if (is_swap_pte(pte))\n\t\tpte = pte_swp_mksoft_dirty(pte);\n#endif\n\treturn pte;\n}", "project": "linux", "hash": 322804105732667734185066810460811741076, "size": 14, "commit_id": "5bfea2d9b17f1034a68147a8b03b9789af5700f9", "message": "mm: Fix mremap not considering huge pmd devmap\n\nThe original code in mm/mremap.c checks huge pmd by:\n\n\t\tif (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {\n\nHowever, a DAX mapped nvdimm is mapped as huge page (by default) but it\nis not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This commit\nchanges the condition to include the case.\n\nThis addresses CVE-2020-10757.\n\nFixes: 5c7fb56e5e3f (\"mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd\")\nCc: \nReported-by: Fan Yang \nSigned-off-by: Fan Yang \nTested-by: Fan Yang \nTested-by: Dan Williams \nReviewed-by: Dan Williams \nAcked-by: Kirill A. 
Shutemov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 321573 }, { "func": "int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)\n{\n\tint r;\n\n\tswitch (ext) {\n\tcase KVM_CAP_S390_PSW:\n\tcase KVM_CAP_S390_GMAP:\n\tcase KVM_CAP_SYNC_MMU:\n#ifdef CONFIG_KVM_S390_UCONTROL\n\tcase KVM_CAP_S390_UCONTROL:\n#endif\n\tcase KVM_CAP_ASYNC_PF:\n\tcase KVM_CAP_SYNC_REGS:\n\tcase KVM_CAP_ONE_REG:\n\tcase KVM_CAP_ENABLE_CAP:\n\tcase KVM_CAP_S390_CSS_SUPPORT:\n\tcase KVM_CAP_IOEVENTFD:\n\tcase KVM_CAP_DEVICE_CTRL:\n\tcase KVM_CAP_S390_IRQCHIP:\n\tcase KVM_CAP_VM_ATTRIBUTES:\n\tcase KVM_CAP_MP_STATE:\n\tcase KVM_CAP_IMMEDIATE_EXIT:\n\tcase KVM_CAP_S390_INJECT_IRQ:\n\tcase KVM_CAP_S390_USER_SIGP:\n\tcase KVM_CAP_S390_USER_STSI:\n\tcase KVM_CAP_S390_SKEYS:\n\tcase KVM_CAP_S390_IRQ_STATE:\n\tcase KVM_CAP_S390_USER_INSTR0:\n\tcase KVM_CAP_S390_CMMA_MIGRATION:\n\tcase KVM_CAP_S390_AIS:\n\tcase KVM_CAP_S390_AIS_MIGRATION:\n\tcase KVM_CAP_S390_VCPU_RESETS:\n\t\tr = 1;\n\t\tbreak;\n\tcase KVM_CAP_S390_HPAGE_1M:\n\t\tr = 0;\n\t\tif (hpage && !kvm_is_ucontrol(kvm))\n\t\t\tr = 1;\n\t\tbreak;\n\tcase KVM_CAP_S390_MEM_OP:\n\t\tr = MEM_OP_MAX_SIZE;\n\t\tbreak;\n\tcase KVM_CAP_NR_VCPUS:\n\tcase KVM_CAP_MAX_VCPUS:\n\tcase KVM_CAP_MAX_VCPU_ID:\n\t\tr = KVM_S390_BSCA_CPU_SLOTS;\n\t\tif (!kvm_s390_use_sca_entries())\n\t\t\tr = KVM_MAX_VCPUS;\n\t\telse if (sclp.has_esca && sclp.has_64bscao)\n\t\t\tr = KVM_S390_ESCA_CPU_SLOTS;\n\t\tbreak;\n\tcase KVM_CAP_S390_COW:\n\t\tr = MACHINE_HAS_ESOP;\n\t\tbreak;\n\tcase KVM_CAP_S390_VECTOR_REGISTERS:\n\t\tr = MACHINE_HAS_VX;\n\t\tbreak;\n\tcase KVM_CAP_S390_RI:\n\t\tr = test_facility(64);\n\t\tbreak;\n\tcase KVM_CAP_S390_GS:\n\t\tr = test_facility(133);\n\t\tbreak;\n\tcase KVM_CAP_S390_BPB:\n\t\tr = test_facility(82);\n\t\tbreak;\n\tcase KVM_CAP_S390_PROTECTED:\n\t\tr = is_prot_virt_host();\n\t\tbreak;\n\tdefault:\n\t\tr = 0;\n\t}\n\treturn r;\n}", "project": "linux", "hash": 190053379601094772953533929717742149579, 
"size": 74, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354538 }, { "func": "int kvm_arch_prepare_memory_region(struct kvm *kvm,\n\t\t\t\t struct kvm_memory_slot *memslot,\n\t\t\t\t const struct kvm_userspace_memory_region *mem,\n\t\t\t\t enum kvm_mr_change change)\n{\n\t/* A few sanity checks. We can have memory slots which have to be\n\t located/ended at a segment boundary (1MB). The memory in userland is\n\t ok to be fragmented into various different vmas. 
It is okay to mmap()\n\t and munmap() stuff in this slot after doing this call at any time */\n\n\tif (mem->userspace_addr & 0xffffful)\n\t\treturn -EINVAL;\n\n\tif (mem->memory_size & 0xffffful)\n\t\treturn -EINVAL;\n\n\tif (mem->guest_phys_addr + mem->memory_size > kvm->arch.mem_limit)\n\t\treturn -EINVAL;\n\n\t/* When we are protected, we should not change the memory slots */\n\tif (kvm_s390_pv_get_handle(kvm))\n\t\treturn -EINVAL;\n\treturn 0;\n}", "project": "linux", "hash": 226926121891190980780921243767001413142, "size": 24, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354579 }, { "func": "static char *core_cmdstr_callback (void *user, const char *cmd) {\n\tRCore *core = (RCore *)user;\n\treturn r_core_cmd_str (core, cmd);\n}", "project": "radare2", "hash": 164237432656056601475559283368837224102, "size": 4, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232143 }, { "func": "static void tipc_node_delete_from_list(struct tipc_node *node)\n{\n#ifdef CONFIG_TIPC_CRYPTO\n\ttipc_crypto_key_flush(node->crypto_rx);\n#endif\n\tlist_del_rcu(&node->list);\n\thlist_del_rcu(&node->hash);\n\ttipc_node_put(node);\n}", "project": "linux", "hash": 190532839997302596076587352802207169152, 
"size": 9, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 
[inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 
arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364915 }, { "func": "void input_release_device(struct input_handle *handle)\n{\n\tstruct input_dev *dev = handle->dev;\n\n\tmutex_lock(&dev->mutex);\n\t__input_release_device(handle);\n\tmutex_unlock(&dev->mutex);\n}", "project": "linux", "hash": 49798454851401001835902024336258953976, "size": 8, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353341 }, { "func": "static int kvm_hv_msr_set_crash_ctl(struct kvm *kvm, u64 data)\n{\n\tstruct kvm_hv *hv = to_kvm_hv(kvm);\n\n\thv->hv_crash_ctl = data & HV_CRASH_CTL_CRASH_NOTIFY;\n\n\treturn 0;\n}", "project": "linux", "hash": 274818985019995497299593922892031893295, "size": 8, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343524 }, { "func": "static void enable_nmi_window(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif ((svm->vcpu.arch.hflags & (HF_NMI_MASK | HF_IRET_MASK))\n\t == HF_NMI_MASK)\n\t\treturn; /* IRET will cause a vm exit */\n\n\tif (!gif_set(svm)) {\n\t\tif (vgif_enabled(svm))\n\t\t\tset_intercept(svm, INTERCEPT_STGI);\n\t\treturn; /* STGI will cause a vm exit */\n\t}\n\n\tif (svm->nested.exit_required)\n\t\treturn; /* we're not going to run the guest yet */\n\n\t/*\n\t * Something prevents NMI from been injected. Single step over possible\n\t * problem (IRET or exception injection or interrupt shadow)\n\t */\n\tsvm->nmi_singlestep_guest_rflags = svm_get_rflags(vcpu);\n\tsvm->nmi_singlestep = true;\n\tsvm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);\n}", "project": "linux", "hash": 172841631622277160061737395086712088068, "size": 25, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432444 }, { "func": "static void enable_nmi_window(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif ((svm->vcpu.arch.hflags & (HF_NMI_MASK | HF_IRET_MASK))\n\t == HF_NMI_MASK)\n\t\treturn; /* IRET will cause a vm exit */\n\n\t/*\n\t * Something prevents NMI from been injected. Single step over possible\n\t * problem (IRET or exception injection or interrupt shadow)\n\t */\n\tsvm->nmi_singlestep = true;\n\tsvm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);\n\tupdate_db_bp_intercept(vcpu);\n}", "project": "kvm", "hash": 81895019758534206793530311851109465259, "size": 16, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437572 }, { "func": "static int pfkey_create(struct net *net, struct socket *sock, int protocol,\n\t\t\tint kern)\n{\n\tstruct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);\n\tstruct sock *sk;\n\tstruct pfkey_sock *pfk;\n\n\tif (!ns_capable(net->user_ns, CAP_NET_ADMIN))\n\t\treturn -EPERM;\n\tif (sock->type != SOCK_RAW)\n\t\treturn -ESOCKTNOSUPPORT;\n\tif (protocol != PF_KEY_V2)\n\t\treturn -EPROTONOSUPPORT;\n\n\tsk = sk_alloc(net, PF_KEY, GFP_KERNEL, &key_proto, kern);\n\tif (sk == NULL)\n\t\treturn -ENOMEM;\n\n\tpfk = pfkey_sk(sk);\n\tmutex_init(&pfk->dump_lock);\n\n\tsock->ops = &pfkey_ops;\n\tsock_init_data(sock, sk);\n\n\tsk->sk_family = PF_KEY;\n\tsk->sk_destruct = 
pfkey_sock_destruct;\n\n\tatomic_inc(&net_pfkey->socks_nr);\n\n\tpfkey_insert(sk);\n\n\treturn 0;\n}", "project": "linux", "hash": 60866650073447729090270724345897993613, "size": 33, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268090 }, { "func": "static inline bool between(__u32 seq1, __u32 seq2, __u32 seq3)\n{\n\treturn seq3 - seq2 >= seq1 - seq2;\n}", "project": "linux", "hash": 96420119402857241561433296751689028023, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. 
For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410823 }, { "func": "TEST_F(ZNCTest, BuildMod) {\n auto znc = Run();\n auto ircd = ConnectIRCd();\n auto client = LoginClient();\n QTemporaryDir srcd;\n QDir srcdir(srcd.path());\n QFile file(srcdir.filePath(\"testmod.cpp\"));\n ASSERT_TRUE(file.open(QIODevice::WriteOnly | QIODevice::Text));\n QTextStream out(&file);\n out << R\"(\n #include \n class TestModule : public CModule {\n public:\n MODCONSTRUCTOR(TestModule) {}\n void OnModCommand(const CString& sLine) override {\n PutModule(\"Lorem ipsum\");\n }\n };\n MODULEDEFS(TestModule, \"Test\")\n )\";\n file.close();\n QDir dir(m_dir.path());\n EXPECT_TRUE(dir.mkdir(\"modules\"));\n EXPECT_TRUE(dir.cd(\"modules\"));\n {\n Process p(ZNC_BIN_DIR \"/znc-buildmod\",\n QStringList() << srcdir.filePath(\"file-not-found.cpp\"),\n [&](QProcess* proc) {\n proc->setWorkingDirectory(dir.absolutePath());\n proc->setProcessChannelMode(QProcess::ForwardedChannels);\n });\n p.ShouldFinishItself(1);\n p.ShouldFinishInSec(300);\n }\n {\n Process p(ZNC_BIN_DIR \"/znc-buildmod\",\n QStringList() << srcdir.filePath(\"testmod.cpp\"),\n [&](QProcess* proc) {\n proc->setWorkingDirectory(dir.absolutePath());\n proc->setProcessChannelMode(QProcess::ForwardedChannels);\n });\n p.ShouldFinishItself();\n p.ShouldFinishInSec(300);\n }\n client.Write(\"znc loadmod testmod\");\n client.Write(\"PRIVMSG *testmod 
:hi\");\n client.ReadUntil(\"Lorem ipsum\");\n}", "project": "znc", "hash": 270623841310691976053088330692740224371, "size": 48, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231602 }, { "project": "mbed-coap", "commit_id": "4647a68e364401e81dbd370728127d844f221d93", "target": 0, "func": "void sn_coap_parser_release_allocated_coap_msg_mem(struct coap_s *handle, sn_coap_hdr_s *freed_coap_msg_ptr)\n{\n if (handle == NULL) {\n return;\n }\n\n if (freed_coap_msg_ptr != NULL) {\n\n // As there are multiple sequential calls to the protocol_free, caching pointer to it\n // saves one instruction per call.\n void (*local_free)(void *) = handle->sn_coap_protocol_free;\n\n local_free(freed_coap_msg_ptr->uri_path_ptr);\n local_free(freed_coap_msg_ptr->token_ptr);\n\n // same here, caching the struct start saves a bit.\n sn_coap_options_list_s *options_list_ptr = freed_coap_msg_ptr->options_list_ptr;\n\n if (options_list_ptr != NULL) {\n\n local_free(options_list_ptr->proxy_uri_ptr);\n\n local_free(options_list_ptr->etag_ptr);\n\n local_free(options_list_ptr->uri_host_ptr);\n\n local_free(options_list_ptr->location_path_ptr);\n\n local_free(options_list_ptr->location_query_ptr);\n\n local_free(options_list_ptr->uri_query_ptr);\n\n local_free(options_list_ptr);\n }\n\n local_free(freed_coap_msg_ptr);\n }\n}", "idx": 519475, "cwe": "CWE-401", "hash": 226830566663187955009384498804310239979, "dataset": "other" }, { "func": "static void __execlists_reset(struct intel_engine_cs *engine, bool stalled)\n{\n\tstruct intel_engine_execlists * const execlists = &engine->execlists;\n\tstruct intel_context *ce;\n\tstruct i915_request *rq;\n\n\tmb(); /* paranoia: read the CSB pointers from after the reset */\n\tclflush(execlists->csb_write);\n\tmb();\n\n\tprocess_csb(engine); /* drain preemption events */\n\n\t/* Following the reset, we need to reload the CSB read/write pointers 
*/\n\treset_csb_pointers(engine);\n\n\t/*\n\t * Save the currently executing context, even if we completed\n\t * its request, it was still running at the time of the\n\t * reset and will have been clobbered.\n\t */\n\trq = execlists_active(execlists);\n\tif (!rq)\n\t\tgoto unwind;\n\n\t/* We still have requests in-flight; the engine should be active */\n\tGEM_BUG_ON(!intel_engine_pm_is_awake(engine));\n\n\tce = rq->hw_context;\n\tGEM_BUG_ON(!i915_vma_is_pinned(ce->state));\n\n\tif (i915_request_completed(rq)) {\n\t\t/* Idle context; tidy up the ring so we can restart afresh */\n\t\tce->ring->head = intel_ring_wrap(ce->ring, rq->tail);\n\t\tgoto out_replay;\n\t}\n\n\t/* Context has requests still in-flight; it should not be idle! */\n\tGEM_BUG_ON(i915_active_is_idle(&ce->active));\n\trq = active_request(ce->timeline, rq);\n\tce->ring->head = intel_ring_wrap(ce->ring, rq->head);\n\tGEM_BUG_ON(ce->ring->head == ce->ring->tail);\n\n\t/*\n\t * If this request hasn't started yet, e.g. it is waiting on a\n\t * semaphore, we need to avoid skipping the request or else we\n\t * break the signaling chain. However, if the context is corrupt\n\t * the request will not restart and we will be stuck with a wedged\n\t * device. It is quite often the case that if we issue a reset\n\t * while the GPU is loading the context image, that the context\n\t * image becomes corrupt.\n\t *\n\t * Otherwise, if we have not started yet, the request should replay\n\t * perfectly and we do not need to flag the result as being erroneous.\n\t */\n\tif (!i915_request_started(rq))\n\t\tgoto out_replay;\n\n\t/*\n\t * If the request was innocent, we leave the request in the ELSP\n\t * and will try to replay it on restarting. 
The context image may\n\t * have been corrupted by the reset, in which case we may have\n\t * to service a new GPU hang, but more likely we can continue on\n\t * without impact.\n\t *\n\t * If the request was guilty, we presume the context is corrupt\n\t * and have to at least restore the RING register in the context\n\t * image back to the expected values to skip over the guilty request.\n\t */\n\t__i915_request_reset(rq, stalled);\n\tif (!stalled)\n\t\tgoto out_replay;\n\n\t/*\n\t * We want a simple context + ring to execute the breadcrumb update.\n\t * We cannot rely on the context being intact across the GPU hang,\n\t * so clear it and rebuild just what we need for the breadcrumb.\n\t * All pending requests for this context will be zapped, and any\n\t * future request will be after userspace has had the opportunity\n\t * to recreate its own state.\n\t */\n\tGEM_BUG_ON(!intel_context_is_pinned(ce));\n\trestore_default_state(ce, engine);\n\nout_replay:\n\tGEM_TRACE(\"%s replay {head:%04x, tail:%04x}\\n\",\n\t\t engine->name, ce->ring->head, ce->ring->tail);\n\tintel_ring_update_space(ce->ring);\n\t__execlists_reset_reg_state(ce, engine);\n\t__execlists_update_reg_state(ce, engine);\n\tce->lrc_desc |= CTX_DESC_FORCE_RESTORE; /* paranoid: GPU was reset! */\n\nunwind:\n\t/* Push back any incomplete requests for replay after the reset. */\n\tcancel_port_requests(execlists);\n\t__unwind_incomplete_requests(engine);\n}", "project": "linux", "hash": 166108195832687773165072510509657004802, "size": 96, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281509 }, { "func": "int JOIN::init_join_caches()\n{\n JOIN_TAB *tab;\n\n for (tab= first_linear_tab(this, WITH_BUSH_ROOTS, WITHOUT_CONST_TABLES);\n tab;\n tab= next_linear_tab(this, tab, WITH_BUSH_ROOTS))\n {\n TABLE *table= tab->table;\n if (table->file->keyread_enabled())\n {\n if (!(table->file->index_flags(table->file->keyread, 0, 1) & HA_CLUSTERED_INDEX))\n table->mark_index_columns(table->file->keyread, table->read_set);\n }\n else if ((tab->read_first_record == join_read_first ||\n tab->read_first_record == join_read_last) &&\n !tab->filesort && table->covering_keys.is_set(tab->index) &&\n !table->no_keyread)\n {\n table->prepare_for_keyread(tab->index, table->read_set);\n }\n if (tab->cache && tab->cache->init(select_options & SELECT_DESCRIBE))\n revise_cache_usage(tab);\n else\n tab->remove_redundant_bnl_scan_conds();\n }\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 38782741550883337636706780125706729089, "size": 28, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508510 }, { "func": "static bool checkreturn pb_dec_varint(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n pb_uint64_t value;\n pb_int64_t svalue;\n pb_int64_t clamped;\n if (!pb_decode_varint(stream, &value))\n return false;\n \n /* See issue 97: Google's C++ protobuf allows negative varint values to\n * be cast as int32_t, instead of the int64_t that should be used when\n * encoding. Previous nanopb versions had a bug in encoding. In order to\n * not break decoding of such messages, we cast <=32 bit fields to\n * int32_t first to get the sign correct.\n */\n if (field->data_size == sizeof(pb_int64_t))\n svalue = (pb_int64_t)value;\n else\n svalue = (int32_t)value;\n\n /* Cast to the proper field size, while checking for overflows */\n if (field->data_size == sizeof(pb_int64_t))\n clamped = *(pb_int64_t*)dest = svalue;\n else if (field->data_size == sizeof(int32_t))\n clamped = *(int32_t*)dest = (int32_t)svalue;\n else if (field->data_size == sizeof(int_least16_t))\n clamped = *(int_least16_t*)dest = (int_least16_t)svalue;\n else if (field->data_size == sizeof(int_least8_t))\n clamped = *(int_least8_t*)dest = (int_least8_t)svalue;\n else\n PB_RETURN_ERROR(stream, \"invalid data_size\");\n\n if (clamped != svalue)\n PB_RETURN_ERROR(stream, \"integer too large\");\n \n return true;\n}", "project": "nanopb", "hash": 294172568978733356349106023157396657097, "size": 36, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix 
invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252520 }, { "func": "static bool checkreturn pb_dec_varint(pb_istream_t *stream, const pb_field_iter_t *field)\n{\n if (PB_LTYPE(field->type) == PB_LTYPE_UVARINT)\n {\n pb_uint64_t value, clamped;\n if (!pb_decode_varint(stream, &value))\n return false;\n\n /* Cast to the proper field size, while checking for overflows */\n if (field->data_size == sizeof(pb_uint64_t))\n clamped = *(pb_uint64_t*)field->pData = value;\n else if (field->data_size == sizeof(uint32_t))\n clamped = *(uint32_t*)field->pData = (uint32_t)value;\n else if (field->data_size == sizeof(uint_least16_t))\n clamped = *(uint_least16_t*)field->pData = (uint_least16_t)value;\n else if (field->data_size == sizeof(uint_least8_t))\n clamped = *(uint_least8_t*)field->pData = (uint_least8_t)value;\n else\n PB_RETURN_ERROR(stream, \"invalid data_size\");\n\n if (clamped != value)\n PB_RETURN_ERROR(stream, \"integer too large\");\n\n return true;\n }\n else\n {\n pb_uint64_t value;\n pb_int64_t svalue;\n pb_int64_t clamped;\n\n if (PB_LTYPE(field->type) == PB_LTYPE_SVARINT)\n {\n if (!pb_decode_svarint(stream, &svalue))\n return false;\n }\n else\n {\n if (!pb_decode_varint(stream, &value))\n return false;\n\n /* See issue 97: Google's C++ protobuf allows negative varint values to\n * be cast as int32_t, instead of the int64_t that should be used when\n * encoding. Nanopb versions before 0.2.5 had a bug in encoding. 
In order to\n * not break decoding of such messages, we cast <=32 bit fields to\n * int32_t first to get the sign correct.\n */\n if (field->data_size == sizeof(pb_int64_t))\n svalue = (pb_int64_t)value;\n else\n svalue = (int32_t)value;\n }\n\n /* Cast to the proper field size, while checking for overflows */\n if (field->data_size == sizeof(pb_int64_t))\n clamped = *(pb_int64_t*)field->pData = svalue;\n else if (field->data_size == sizeof(int32_t))\n clamped = *(int32_t*)field->pData = (int32_t)svalue;\n else if (field->data_size == sizeof(int_least16_t))\n clamped = *(int_least16_t*)field->pData = (int_least16_t)svalue;\n else if (field->data_size == sizeof(int_least8_t))\n clamped = *(int_least8_t*)field->pData = (int_least8_t)svalue;\n else\n PB_RETURN_ERROR(stream, \"invalid data_size\");\n\n if (clamped != svalue)\n PB_RETURN_ERROR(stream, \"integer too large\");\n\n return true;\n }\n}", "project": "nanopb", "hash": 151151752921614011597641342983100065487, "size": 71, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. 
Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254705 }, { "func": "static bool checkreturn pb_dec_varint(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n uint64_t value;\n if (!pb_decode_varint(stream, &value))\n return false;\n \n switch (field->data_size)\n {\n case 1: *(int8_t*)dest = (int8_t)value; break;\n case 2: *(int16_t*)dest = (int16_t)value; break;\n case 4: *(int32_t*)dest = (int32_t)value; break;\n case 8: *(int64_t*)dest = (int64_t)value; break;\n default: PB_RETURN_ERROR(stream, \"invalid data_size\");\n }\n \n return true;\n}", "project": "nanopb", "hash": 83107385871670185749937080114276186485, "size": 17, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255341 }, { "func": "static int kvm_vcpu_release(struct inode *inode, struct file *filp)\n{\n\tstruct kvm_vcpu *vcpu = filp->private_data;\n\n\tdebugfs_remove_recursive(vcpu->debugfs_dentry);\n\tkvm_put_kvm(vcpu->kvm);\n\treturn 0;\n}", "project": "linux", "hash": 46885687326495002066014998332884132102, "size": 8, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354504 }, { "func": "clientPackRangeHdr(const HttpReply * 
rep, const HttpHdrRangeSpec * spec, String boundary, MemBuf * mb)\n{\n HttpHeader hdr(hoReply);\n assert(rep);\n assert(spec);\n\n /* put boundary */\n debugs(33, 5, \"appending boundary: \" << boundary);\n /* rfc2046 requires to _prepend_ boundary with ! */\n mb->appendf(\"\\r\\n--\" SQUIDSTRINGPH \"\\r\\n\", SQUIDSTRINGPRINT(boundary));\n\n /* stuff the header with required entries and pack it */\n\n if (rep->header.has(Http::HdrType::CONTENT_TYPE))\n hdr.putStr(Http::HdrType::CONTENT_TYPE, rep->header.getStr(Http::HdrType::CONTENT_TYPE));\n\n httpHeaderAddContRange(&hdr, *spec, rep->content_length);\n\n hdr.packInto(mb);\n hdr.clean();\n\n /* append (we packed a header, not a reply) */\n mb->append(\"\\r\\n\", 2);\n}", "project": "squid", "hash": 298470105768232821179609379788799513149, "size": 24, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402360 }, { "func": "static inline void clr_exception_intercept(struct vcpu_svm *svm, int bit)\n{\n\tstruct vmcb *vmcb = get_host_vmcb(svm);\n\n\tvmcb->control.intercept_exceptions &= ~(1U << bit);\n\n\trecalc_intercepts(svm);\n}", "project": "linux", "hash": 84065223062837488252612552832435659541, "size": 8, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432471 }, { "func": "static int fuse_dir_release(struct inode *inode, struct file *file)\n{\n\tfuse_release_common(file, true);\n\n\treturn 0;\n}", "project": "linux", "hash": 19661698778070937469597818647688357703, "size": 6, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342050 }, { "func": "uint32_t matchesProtoClasses(\n Runtime *runtime,\n Handle obj,\n Handle arr) {\n MutableHandle head(runtime, obj->getParent(runtime));\n uint32_t i = 0;\n while (head.get()) {\n HermesValue protoCls = arr->at(i++);\n if (protoCls.isNull() || protoCls.getObject() != head->getClass(runtime) ||\n head->isProxyObject()) {\n return 0;\n }\n head = head->getParent(runtime);\n }\n // The chains must both end at the same point.\n if (head || !arr->at(i++).isNull()) {\n return 0;\n }\n assert(i > 0 && \"success should be positive\");\n return i;\n}", "project": "hermes", "hash": 57670583741921908044064768110141993235, "size": 21, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230237 }, { "func": "UnicodeString UnicodeString::unescape() const {\n UnicodeString result(length(), (UChar32)0, (int32_t)0); // construct with capacity\n if (result.isBogus()) {\n return result;\n }\n const UChar *array = getBuffer();\n int32_t len = length();\n int32_t prev = 0;\n for (int32_t i=0;;) {\n if (i == len) {\n result.append(array, prev, len - prev);\n break;\n }\n if (array[i++] == 0x5C /*'\\\\'*/) {\n result.append(array, prev, (i - 1) - prev);\n UChar32 c = unescapeAt(i); // advances i\n if (c < 0) {\n result.remove(); // return empty string\n break; // invalid escape sequence\n }\n result.append(c);\n prev = i;\n }\n }\n return result;\n}", "project": "icu", "hash": 62075573834726379522578256998420899917, "size": 26, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430833 }, { "func": " void shrinkBy(int decrease) {\n p -= decrease;\n assertx(p >= begin);\n }", "project": "hhvm", "hash": 24235012334183465009468401944503422245, "size": 4, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227320 }, { "func": "ROWINDEX CSoundFile::PatternBreak(PlayState &state, CHANNELINDEX chn, uint8 param) const\n{\n\tif(param >= 64 && (GetType() & MOD_TYPE_S3M))\n\t{\n\t\t// ST3 ignores invalid 
pattern breaks.\n\t\treturn ROWINDEX_INVALID;\n\t}\n\n\tstate.m_nNextPatStartRow = 0; // FT2 E60 bug\n\n\treturn static_cast(CalculateXParam(state.m_nPattern, state.m_nRow, chn));\n}", "project": "openmpt", "hash": 336369807767688960965620695945275116112, "size": 12, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255201 }, { "func": "static void nfs40_sequence_free_slot(struct nfs4_sequence_res *res)\n{\n\tstruct nfs4_slot *slot = res->sr_slot;\n\tstruct nfs4_slot_table *tbl;\n\n\ttbl = slot->table;\n\tspin_lock(&tbl->slot_tbl_lock);\n\tif (!nfs41_wake_and_assign_slot(tbl, slot))\n\t\tnfs4_free_slot(tbl, slot);\n\tspin_unlock(&tbl->slot_tbl_lock);\n\n\tres->sr_slot = NULL;\n}", "project": "linux", "hash": 301950929155077911332735128326325119179, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431283 }, { "func": "int mnt_optstr_set_option(char **optstr, const char *name, const char *value)\n{\n\tstruct libmnt_optloc ol = MNT_INIT_OPTLOC;\n\tchar *nameend;\n\tint rc = 1;\n\n\tif (!optstr || !name)\n\t\treturn -EINVAL;\n\n\tif (*optstr)\n\t\trc = mnt_optstr_locate_option(*optstr, name, &ol);\n\tif (rc < 0)\n\t\treturn rc;\t\t\t/* parse error */\n\tif (rc == 1)\n\t\treturn 
mnt_optstr_append_option(optstr, name, value);\t/* not found */\n\n\tnameend = ol.begin + ol.namesz;\n\n\tif (value == NULL && ol.value && ol.valsz)\n\t\t/* remove unwanted \"=value\" */\n\t\tmnt_optstr_remove_option_at(optstr, nameend, ol.end);\n\n\telse if (value && ol.value == NULL)\n\t\t/* insert \"=value\" */\n\t\trc = insert_value(optstr, nameend, value, NULL);\n\n\telse if (value && ol.value && strlen(value) == ol.valsz)\n\t\t/* simply replace =value */\n\t\tmemcpy(ol.value, value, ol.valsz);\n\n\telse if (value && ol.value) {\n\t\tmnt_optstr_remove_option_at(optstr, nameend, ol.end);\n\t\trc = insert_value(optstr, nameend, value, NULL);\n\t}\n\treturn rc;\n}", "project": "util-linux", "hash": 335670422700510000494926721274839122134, "size": 36, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410409 }, { "func": "CWebSock::~CWebSock() {\n if (m_spAuth) {\n m_spAuth->Invalidate();\n }\n\n // we have to account for traffic here because CSocket does\n // not have a valid CModule* pointer.\n CUser* pUser = GetSession()->GetUser();\n if (pUser) {\n pUser->AddBytesWritten(GetBytesWritten());\n pUser->AddBytesRead(GetBytesRead());\n } else {\n CZNC::Get().AddBytesWritten(GetBytesWritten());\n CZNC::Get().AddBytesRead(GetBytesRead());\n }\n\n // bytes have been accounted for, so make sure they don't get again:\n ResetBytesWritten();\n ResetBytesRead();\n}", "project": "znc", "hash": 115131591917914560586244032413331303166, "size": 20, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265780 }, { "func": 
"ConnStateData::parseProxy1p0()\n{\n ::Parser::Tokenizer tok(inBuf);\n tok.skip(Proxy1p0magic);\n\n // skip to first LF (assumes it is part of CRLF)\n static const CharacterSet lineContent = CharacterSet::LF.complement(\"non-LF\");\n SBuf line;\n if (tok.prefix(line, lineContent, 107-Proxy1p0magic.length())) {\n if (tok.skip('\\n')) {\n // found valid header\n inBuf = tok.remaining();\n needProxyProtocolHeader_ = false;\n // reset the tokenizer to work on found line only.\n tok.reset(line);\n } else\n return false; // no LF yet\n\n } else // protocol error only if there are more than 107 bytes prefix header\n return proxyProtocolError(inBuf.length() > 107? \"PROXY/1.0 error: missing CRLF\" : NULL);\n\n static const SBuf unknown(\"UNKNOWN\"), tcpName(\"TCP\");\n if (tok.skip(tcpName)) {\n\n // skip TCP/IP version number\n static const CharacterSet tcpVersions(\"TCP-version\",\"46\");\n if (!tok.skipOne(tcpVersions))\n return proxyProtocolError(\"PROXY/1.0 error: missing TCP version\");\n\n // skip SP after protocol version\n if (!tok.skip(' '))\n return proxyProtocolError(\"PROXY/1.0 error: missing SP\");\n\n SBuf ipa, ipb;\n int64_t porta, portb;\n static const CharacterSet ipChars = CharacterSet(\"IP Address\",\".:\") + CharacterSet::HEXDIG;\n\n // parse: src-IP SP dst-IP SP src-port SP dst-port CR\n // leave the LF until later.\n const bool correct = tok.prefix(ipa, ipChars) && tok.skip(' ') &&\n tok.prefix(ipb, ipChars) && tok.skip(' ') &&\n tok.int64(porta) && tok.skip(' ') &&\n tok.int64(portb) &&\n tok.skip('\\r');\n if (!correct)\n return proxyProtocolError(\"PROXY/1.0 error: invalid syntax\");\n\n // parse IP and port strings\n Ip::Address originalClient, originalDest;\n\n if (!originalClient.GetHostByName(ipa.c_str()))\n return proxyProtocolError(\"PROXY/1.0 error: invalid src-IP address\");\n\n if (!originalDest.GetHostByName(ipb.c_str()))\n return proxyProtocolError(\"PROXY/1.0 error: invalid dst-IP address\");\n\n if (porta > 0 && porta <= 0xFFFF) // 
max uint16_t\n originalClient.port(static_cast(porta));\n else\n return proxyProtocolError(\"PROXY/1.0 error: invalid src port\");\n\n if (portb > 0 && portb <= 0xFFFF) // max uint16_t\n originalDest.port(static_cast(portb));\n else\n return proxyProtocolError(\"PROXY/1.0 error: invalid dst port\");\n\n // we have original client and destination details now\n // replace the client connection values\n debugs(33, 5, \"PROXY/1.0 protocol on connection \" << clientConnection);\n clientConnection->local = originalDest;\n clientConnection->remote = originalClient;\n if ((clientConnection->flags & COMM_TRANSPARENT))\n clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.\n debugs(33, 5, \"PROXY/1.0 upgrade: \" << clientConnection);\n return true;\n\n } else if (tok.skip(unknown)) {\n // found valid but unusable header\n return true;\n\n } else\n return proxyProtocolError(\"PROXY/1.0 error: invalid protocol family\");\n\n return false;\n}", "project": "squid", "hash": 221843117062610244910572979437318554683, "size": 85, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402393 }, { "func": "static int tcp_time_to_recover(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\t__u32 packets_out;\n\n\t/* Do not perform any recovery during F-RTO algorithm */\n\tif (tp->frto_counter)\n\t\treturn 0;\n\n\t/* Trick#1: The loss is proven. 
*/\n\tif (tp->lost_out)\n\t\treturn 1;\n\n\t/* Not-A-Trick#2 : Classic rule... */\n\tif (tcp_dupack_heuristics(tp) > tp->reordering)\n\t\treturn 1;\n\n\t/* Trick#3 : when we use RFC2988 timer restart, fast\n\t * retransmit can be triggered by timeout of queue head.\n\t */\n\tif (tcp_is_fack(tp) && tcp_head_timedout(sk))\n\t\treturn 1;\n\n\t/* Trick#4: It is still not OK... But will it be useful to delay\n\t * recovery more?\n\t */\n\tpackets_out = tp->packets_out;\n\tif (packets_out <= tp->reordering &&\n\t tp->sacked_out >= max_t(__u32, packets_out/2, sysctl_tcp_reordering) &&\n\t !tcp_may_send_now(sk)) {\n\t\t/* We have nothing to send. This connection is limited\n\t\t * either by receiver window or by application.\n\t\t */\n\t\treturn 1;\n\t}\n\n\t/* If a thin stream is detected, retransmit after first\n\t * received dupack. Employ only if SACK is supported in order\n\t * to avoid possible corner-case series of spurious retransmissions\n\t * Use only if there are no unsent data.\n\t */\n\tif ((tp->thin_dupack || sysctl_tcp_thin_dupack) &&\n\t tcp_stream_is_thin(tp) && tcp_dupack_heuristics(tp) > 1 &&\n\t tcp_is_sack(tp) && !tcp_send_head(sk))\n\t\treturn 1;\n\n\treturn 0;\n}", "project": "net-next", "hash": 64088465458662722904281393805880732906, "size": 48, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409838 }, { "func": "void fuse_change_attributes_common(struct inode *inode, struct fuse_attr *attr,\n\t\t\t\t u64 attr_valid)\n{\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\n\tlockdep_assert_held(&fi->lock);\n\n\tfi->attr_version = atomic64_inc_return(&fc->attr_version);\n\tfi->i_time = attr_valid;\n\tWRITE_ONCE(fi->inval_mask, 0);\n\n\tinode->i_ino = fuse_squash_ino(attr->ino);\n\tinode->i_mode = (inode->i_mode & S_IFMT) | (attr->mode & 07777);\n\tset_nlink(inode, attr->nlink);\n\tinode->i_uid = make_kuid(fc->user_ns, attr->uid);\n\tinode->i_gid = make_kgid(fc->user_ns, attr->gid);\n\tinode->i_blocks = attr->blocks;\n\tinode->i_atime.tv_sec = attr->atime;\n\tinode->i_atime.tv_nsec = attr->atimensec;\n\t/* mtime from server may be stale due to local buffered write */\n\tif (!fc->writeback_cache || !S_ISREG(inode->i_mode)) {\n\t\tinode->i_mtime.tv_sec = attr->mtime;\n\t\tinode->i_mtime.tv_nsec = attr->mtimensec;\n\t\tinode->i_ctime.tv_sec = attr->ctime;\n\t\tinode->i_ctime.tv_nsec = attr->ctimensec;\n\t}\n\n\tif (attr->blksize != 0)\n\t\tinode->i_blkbits = ilog2(attr->blksize);\n\telse\n\t\tinode->i_blkbits = inode->i_sb->s_blocksize_bits;\n\n\t/*\n\t * Don't set the sticky bit in i_mode, unless we want the VFS\n\t * to check permissions. This prevents failures due to the\n\t * check in may_delete().\n\t */\n\tfi->orig_i_mode = inode->i_mode;\n\tif (!fc->default_permissions)\n\t\tinode->i_mode &= ~S_ISVTX;\n\n\tfi->orig_ino = attr->ino;\n\n\t/*\n\t * We are refreshing inode data and it is possible that another\n\t * client set suid/sgid or security.capability xattr. So clear\n\t * S_NOSEC. Ideally, we could have cleared it only if suid/sgid\n\t * was set or if security.capability xattr was set. But we don't\n\t * know if security.capability has been set or not. So clear it\n\t * anyway. 
Its less efficient but should be safe.\n\t */\n\tinode->i_flags &= ~S_NOSEC;\n}", "project": "linux", "hash": 311773176178132099466800775090146711220, "size": 54, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342119 }, { "func": "static int usb_host_scan_sys(void *opaque, USBScanFunc *func)\n{\n DIR *dir = NULL;\n char line[1024];\n int bus_num, addr, speed, class_id, product_id, vendor_id;\n int ret = 0;\n char product_name[512];\n struct dirent *de;\n\n dir = opendir(USBSYSBUS_PATH \"/devices\");\n if (!dir) {\n perror(\"husb: cannot open devices directory\");\n goto the_end;\n }\n\n while ((de = readdir(dir))) {\n if (de->d_name[0] != '.' 
&& !strchr(de->d_name, ':')) {\n char *tmpstr = de->d_name;\n if (!strncmp(de->d_name, \"usb\", 3))\n tmpstr += 3;\n bus_num = atoi(tmpstr);\n\n if (!usb_host_read_file(line, sizeof(line), \"devnum\", de->d_name))\n goto the_end;\n if (sscanf(line, \"%d\", &addr) != 1)\n goto the_end;\n\n if (!usb_host_read_file(line, sizeof(line), \"bDeviceClass\",\n de->d_name))\n goto the_end;\n if (sscanf(line, \"%x\", &class_id) != 1)\n goto the_end;\n\n if (!usb_host_read_file(line, sizeof(line), \"idVendor\", de->d_name))\n goto the_end;\n if (sscanf(line, \"%x\", &vendor_id) != 1)\n goto the_end;\n\n if (!usb_host_read_file(line, sizeof(line), \"idProduct\",\n de->d_name))\n goto the_end;\n if (sscanf(line, \"%x\", &product_id) != 1)\n goto the_end;\n\n if (!usb_host_read_file(line, sizeof(line), \"product\",\n de->d_name)) {\n *product_name = 0;\n } else {\n if (strlen(line) > 0)\n line[strlen(line) - 1] = '\\0';\n pstrcpy(product_name, sizeof(product_name), line);\n }\n\n if (!usb_host_read_file(line, sizeof(line), \"speed\", de->d_name))\n goto the_end;\n if (!strcmp(line, \"480\\n\"))\n speed = USB_SPEED_HIGH;\n else if (!strcmp(line, \"1.5\\n\"))\n speed = USB_SPEED_LOW;\n else\n speed = USB_SPEED_FULL;\n\n ret = func(opaque, bus_num, addr, class_id, vendor_id,\n product_id, product_name, speed);\n if (ret)\n goto the_end;\n }\n }\n the_end:\n if (dir)\n closedir(dir);\n return ret;\n}", "project": "qemu", "hash": 289698841628306080098246954932716839794, "size": 73, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346322 }, { "func": "static int imap_mbox_close(struct Mailbox *m)\n{\n struct ImapAccountData *adata = imap_adata_get(m);\n struct ImapMboxData *mdata = imap_mdata_get(m);\n\n /* Check to see if the mailbox is actually open */\n if (!adata || !mdata)\n return 0;\n\n /* imap_mbox_open_append() borrows the struct ImapAccountData temporarily,\n * just for the connection.\n *\n * So when these are equal, it means we are actually closing the\n * mailbox and should clean up adata. Otherwise, we don't want to\n * touch adata - it's still being used. */\n if (m == adata->mailbox)\n {\n if ((adata->status != IMAP_FATAL) && (adata->state >= IMAP_SELECTED))\n {\n /* mx_mbox_close won't sync if there are no deleted messages\n * and the mailbox is unchanged, so we may have to close here */\n if (m->msg_deleted == 0)\n {\n adata->closing = true;\n imap_exec(adata, \"CLOSE\", IMAP_CMD_QUEUE);\n }\n adata->state = IMAP_AUTHENTICATED;\n }\n\n mutt_debug(LL_DEBUG3, \"closing %s, restoring %s\\n\", m->pathbuf.data,\n (adata->prev_mailbox ? 
adata->prev_mailbox->pathbuf.data : \"(none)\"));\n adata->mailbox = adata->prev_mailbox;\n imap_mbox_select(adata->prev_mailbox);\n imap_mdata_cache_reset(m->mdata);\n }\n\n return 0;\n}", "project": "neomutt", "hash": 80581864170844300519880502317379289672, "size": 38, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357042 }, { "func": "static void csi_m(struct vc_data *vc)\n{\n\tint i;\n\n\tfor (i = 0; i <= vc->vc_npar; i++)\n\t\tswitch (vc->vc_par[i]) {\n\t\tcase 0:\t/* all attributes off */\n\t\t\tdefault_attr(vc);\n\t\t\tbreak;\n\t\tcase 1:\n\t\t\tvc->vc_intensity = 2;\n\t\t\tbreak;\n\t\tcase 2:\n\t\t\tvc->vc_intensity = 0;\n\t\t\tbreak;\n\t\tcase 3:\n\t\t\tvc->vc_italic = 1;\n\t\t\tbreak;\n\t\tcase 21:\n\t\t\t/*\n\t\t\t * No console drivers support double underline, so\n\t\t\t * convert it to a single underline.\n\t\t\t */\n\t\tcase 4:\n\t\t\tvc->vc_underline = 1;\n\t\t\tbreak;\n\t\tcase 5:\n\t\t\tvc->vc_blink = 1;\n\t\t\tbreak;\n\t\tcase 7:\n\t\t\tvc->vc_reverse = 1;\n\t\t\tbreak;\n\t\tcase 10: /* ANSI X3.64-1979 (SCO-ish?)\n\t\t\t * Select primary font, don't display control chars if\n\t\t\t * defined, don't set bit 8 on output.\n\t\t\t */\n\t\t\tvc->vc_translate = set_translate(vc->vc_charset == 0\n\t\t\t\t\t? 
vc->vc_G0_charset\n\t\t\t\t\t: vc->vc_G1_charset, vc);\n\t\t\tvc->vc_disp_ctrl = 0;\n\t\t\tvc->vc_toggle_meta = 0;\n\t\t\tbreak;\n\t\tcase 11: /* ANSI X3.64-1979 (SCO-ish?)\n\t\t\t * Select first alternate font, lets chars < 32 be\n\t\t\t * displayed as ROM chars.\n\t\t\t */\n\t\t\tvc->vc_translate = set_translate(IBMPC_MAP, vc);\n\t\t\tvc->vc_disp_ctrl = 1;\n\t\t\tvc->vc_toggle_meta = 0;\n\t\t\tbreak;\n\t\tcase 12: /* ANSI X3.64-1979 (SCO-ish?)\n\t\t\t * Select second alternate font, toggle high bit\n\t\t\t * before displaying as ROM char.\n\t\t\t */\n\t\t\tvc->vc_translate = set_translate(IBMPC_MAP, vc);\n\t\t\tvc->vc_disp_ctrl = 1;\n\t\t\tvc->vc_toggle_meta = 1;\n\t\t\tbreak;\n\t\tcase 22:\n\t\t\tvc->vc_intensity = 1;\n\t\t\tbreak;\n\t\tcase 23:\n\t\t\tvc->vc_italic = 0;\n\t\t\tbreak;\n\t\tcase 24:\n\t\t\tvc->vc_underline = 0;\n\t\t\tbreak;\n\t\tcase 25:\n\t\t\tvc->vc_blink = 0;\n\t\t\tbreak;\n\t\tcase 27:\n\t\t\tvc->vc_reverse = 0;\n\t\t\tbreak;\n\t\tcase 38:\n\t\t\ti = vc_t416_color(vc, i, rgb_foreground);\n\t\t\tbreak;\n\t\tcase 48:\n\t\t\ti = vc_t416_color(vc, i, rgb_background);\n\t\t\tbreak;\n\t\tcase 39:\n\t\t\tvc->vc_color = (vc->vc_def_color & 0x0f) |\n\t\t\t\t(vc->vc_color & 0xf0);\n\t\t\tbreak;\n\t\tcase 49:\n\t\t\tvc->vc_color = (vc->vc_def_color & 0xf0) |\n\t\t\t\t(vc->vc_color & 0x0f);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tif (vc->vc_par[i] >= 90 && vc->vc_par[i] <= 107) {\n\t\t\t\tif (vc->vc_par[i] < 100)\n\t\t\t\t\tvc->vc_intensity = 2;\n\t\t\t\tvc->vc_par[i] -= 60;\n\t\t\t}\n\t\t\tif (vc->vc_par[i] >= 30 && vc->vc_par[i] <= 37)\n\t\t\t\tvc->vc_color = color_table[vc->vc_par[i] - 30]\n\t\t\t\t\t| (vc->vc_color & 0xf0);\n\t\t\telse if (vc->vc_par[i] >= 40 && vc->vc_par[i] <= 47)\n\t\t\t\tvc->vc_color = (color_table[vc->vc_par[i] - 40] << 4)\n\t\t\t\t\t| (vc->vc_color & 0x0f);\n\t\t\tbreak;\n\t\t}\n\tupdate_attr(vc);\n}", "project": "linux", "hash": 305187969313241363412945091853502606536, "size": 103, "commit_id": 
"ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 
drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437037 }, { "func": "static void nfs4_xdr_enc_exchange_id(struct rpc_rqst *req,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs41_exchange_id_args *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = args->client->cl_mvops->minor_version,\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_exchange_id(xdr, args, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 106405697812051756879323053871144826108, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431624 }, { "func": "static void cdeque_clear(struct cdeque* d) {\n\td->size = 0;\n\td->beg_pos = 0;\n\td->end_pos = 0;\n}", "project": "libarchive", "hash": 155070120110263015880758353348019213519, "size": 5, "commit_id": 
"94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244786 }, { "func": "static void circular_memcpy(uint8_t* dst, uint8_t* window, const uint64_t mask,\n int64_t start, int64_t end)\n{\n\tif((start & mask) > (end & mask)) {\n\t\tssize_t len1 = mask + 1 - (start & mask);\n\t\tssize_t len2 = end & mask;\n\n\t\tmemcpy(dst, &window[start & mask], len1);\n\t\tmemcpy(dst + len1, window, len2);\n\t} else {\n\t\tmemcpy(dst, &window[start & mask], (size_t) (end - start));\n\t}\n}", "project": "libarchive", "hash": 165709001056251353334493457145715291150, "size": 13, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244800 }, { "func": "static void update_crc(struct rar5* rar, const uint8_t* p, size_t to_read) {\n int verify_crc;\n\n\tif(rar->skip_mode) {\n#if defined CHECK_CRC_ON_SOLID_SKIP\n\t\tverify_crc = 1;\n#else\n\t\tverify_crc = 0;\n#endif\n\t} else\n\t\tverify_crc = 1;\n\n\tif(verify_crc) {\n\t\t/* Don't update CRC32 if the file doesn't have the\n\t\t * `stored_crc32` info filled in. */\n\t\tif(rar->file.stored_crc32 > 0) {\n\t\t\trar->file.calculated_crc32 =\n\t\t\t\tcrc32(rar->file.calculated_crc32, p, to_read);\n\t\t}\n\n\t\t/* Check if the file uses an optional BLAKE2sp checksum\n\t\t * algorithm. */\n\t\tif(rar->file.has_blake2 > 0) {\n\t\t\t/* Return value of the `update` function is always 0,\n\t\t\t * so we can explicitly ignore it here. */\n\t\t\t(void) blake2sp_update(&rar->file.b2state, p, to_read);\n\t\t}\n\t}\n}", "project": "libarchive", "hash": 269413704884611643906638197755857939925, "size": 29, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244688 }, { "func": "inline tflite::Dims<4> ToRuntimeDims(const tflite::RuntimeShape& array_shape) {\n tflite::Dims<4> result;\n const int dimensions_count = array_shape.DimensionsCount();\n TFLITE_CHECK_LE(dimensions_count, 4);\n int cum_prod = 1;\n for (int i = 0; i < 4; i++) {\n const int new_dim =\n (i < dimensions_count) ? array_shape.Dims(dimensions_count - 1 - i) : 1;\n result.sizes[i] = new_dim;\n result.strides[i] = cum_prod;\n cum_prod *= new_dim;\n }\n return result;\n}", "project": "tensorflow", "hash": 311852612254714979902392390833885268762, "size": 14, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269173 }, { "func": "static uint8_t pfkey_proto_from_xfrm(uint8_t proto)\n{\n\treturn proto ? 
proto : IPSEC_PROTO_ANY;\n}", "project": "linux", "hash": 270324904640510887447449492571137304966, "size": 4, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268015 }, { "func": "static inline int strtaglen(const char *str, rpm_count_t c, const char *end)\n{\n const char *start = str;\n const char *s = NULL;\n int len = -1; /* assume failure */\n\n if (end) {\n\twhile (end > start && (s = memchr(start, '\\0', end-start))) {\n\t if (--c == 0)\n\t\tbreak;\n\t start = s + 1;\n\t}\n } else {\n\twhile ((s = strchr(start, '\\0'))) {\n\t if (--c == 0)\n\t\tbreak;\n\t start = s + 1;\n\t}\n }\n\n if (s != NULL && c == 0)\n\tlen = s - str + 1;\n\n return len;\n}", "project": "rpm", "hash": 279615927234751628960382006415718652002, "size": 25, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318188 }, { "func": "static void csi_at(struct vc_data *vc, unsigned int nr)\n{\n\tif (nr > vc->vc_cols - vc->vc_x)\n\t\tnr = vc->vc_cols - vc->vc_x;\n\telse if (!nr)\n\t\tnr = 1;\n\tinsert_char(vc, nr);\n}", 
"project": "linux", "hash": 153289063133593291201168169895193259806, "size": 8, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t 
tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437051 }, { "func": "static ssize_t tracing_clock_write(struct file *filp, const char __user *ubuf,\n\t\t\t\t size_t cnt, loff_t *fpos)\n{\n\tstruct seq_file *m = filp->private_data;\n\tstruct trace_array *tr = m->private;\n\tchar buf[64];\n\tconst char *clockstr;\n\tint ret;\n\n\tif (cnt >= sizeof(buf))\n\t\treturn -EINVAL;\n\n\tif (copy_from_user(buf, ubuf, cnt))\n\t\treturn -EFAULT;\n\n\tbuf[cnt] = 0;\n\n\tclockstr = strstrip(buf);\n\n\tret = tracing_set_clock(tr, clockstr);\n\tif (ret)\n\t\treturn ret;\n\n\t*fpos += cnt;\n\n\treturn cnt;\n}", "project": "linux", "hash": 134405643624257496525192781715662331059, "size": 27, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445707 }, { "func": "static inline u64 fuse_get_attr_version(struct fuse_conn *fc)\n{\n\treturn atomic64_read(&fc->attr_version);\n}", "project": "linux", "hash": 47824600241110546524737100513930213104, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342148 }, { "func": "int nfs4_proc_secinfo(struct inode *dir, const struct qstr *name,\n\t\t struct nfs4_secinfo_flavors *flavors)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\tdo {\n\t\terr = -NFS4ERR_WRONGSEC;\n\n\t\t/* try to use integrity protection with machine cred */\n\t\tif (_nfs4_is_integrity_protected(NFS_SERVER(dir)->nfs_client))\n\t\t\terr = _nfs4_proc_secinfo(dir, name, flavors, true);\n\n\t\t/*\n\t\t * if unable to use integrity protection, or SECINFO with\n\t\t * integrity protection returns NFS4ERR_WRONGSEC (which is\n\t\t * disallowed by spec, but exists in deployed servers) use\n\t\t * the current filesystem's rpc_client and the user cred.\n\t\t */\n\t\tif (err == -NFS4ERR_WRONGSEC)\n\t\t\terr = _nfs4_proc_secinfo(dir, name, flavors, false);\n\n\t\ttrace_nfs4_secinfo(dir, name, err);\n\t\terr = nfs4_handle_exception(NFS_SERVER(dir), err,\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 250964704536031902023487066405565083070, "size": 29, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431494 }, { "func": "void __cleanup_sighand(struct sighand_struct *sighand)\n{\n\tif (refcount_dec_and_test(&sighand->count)) 
{\n\t\tsignalfd_cleanup(sighand);\n\t\t/*\n\t\t * sighand_cachep is SLAB_TYPESAFE_BY_RCU so we can free it\n\t\t * without an RCU grace period, see __lock_task_sighand().\n\t\t */\n\t\tkmem_cache_free(sighand_cachep, sighand);\n\t}\n}", "project": "linux", "hash": 244352415425446203504302795678185036136, "size": 11, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293631 }, { "func": " bool agg_arg_charsets(DTCollation &c, Item **items, uint nitems,\n uint flags, int item_sep)\n {\n if (agg_item_collations(c, func_name(), items, nitems, flags, item_sep))\n return true;\n\n return agg_item_set_converter(c, func_name(), items, nitems,\n flags, item_sep);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 331410067737162496318406338120556307044, "size": 9, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. 
This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509313 }, { "func": "static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struct sadb_msg *hdr, int dir)\n{\n\tint err;\n\tstruct sk_buff *out_skb;\n\tstruct sadb_msg *out_hdr;\n\terr = 0;\n\n\tout_skb = pfkey_xfrm_policy2msg_prep(xp);\n\tif (IS_ERR(out_skb)) {\n\t\terr = PTR_ERR(out_skb);\n\t\tgoto out;\n\t}\n\terr = pfkey_xfrm_policy2msg(out_skb, xp, dir);\n\tif (err < 0) {\n\t\tkfree_skb(out_skb);\n\t\tgoto out;\n\t}\n\n\tout_hdr = (struct sadb_msg *) out_skb->data;\n\tout_hdr->sadb_msg_version = hdr->sadb_msg_version;\n\tout_hdr->sadb_msg_type = hdr->sadb_msg_type;\n\tout_hdr->sadb_msg_satype = 0;\n\tout_hdr->sadb_msg_errno = 0;\n\tout_hdr->sadb_msg_seq = hdr->sadb_msg_seq;\n\tout_hdr->sadb_msg_pid = hdr->sadb_msg_pid;\n\tpfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ONE, sk, xp_net(xp));\n\terr = 0;\n\nout:\n\treturn err;\n}", "project": "linux", "hash": 87104396641596049872015945663076172556, "size": 31, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268004 }, { "func": "static int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)\n{\n\tr->n = n;\n\tr->e = e;\n\tr->d = d;\n\n\treturn 1;\n}", "project": "php-src", "hash": 298399422583484556664129804997323301384, "size": 8, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291452 }, { "func": "static void nfs4_xdr_enc_secinfo(struct rpc_rqst *req,\n\t\t\t\tstruct xdr_stream *xdr,\n\t\t\t\tconst void *data)\n{\n\tconst struct nfs4_secinfo_arg *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->dir_fh, &hdr);\n\tencode_secinfo(xdr, args->name, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 311425049254401149763555680164958741375, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431346 }, { "func": "static void convert_fuse_statfs(struct kstatfs *stbuf, struct fuse_kstatfs *attr)\n{\n\tstbuf->f_type = FUSE_SUPER_MAGIC;\n\tstbuf->f_bsize = attr->bsize;\n\tstbuf->f_frsize = attr->frsize;\n\tstbuf->f_blocks = attr->blocks;\n\tstbuf->f_bfree = 
attr->bfree;\n\tstbuf->f_bavail = attr->bavail;\n\tstbuf->f_files = attr->files;\n\tstbuf->f_ffree = attr->ffree;\n\tstbuf->f_namelen = attr->namelen;\n\t/* fsid is left zero */\n}", "project": "linux", "hash": 100970405181273990299019166030537221482, "size": 13, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342010 }, { "func": "static inline void inc_slabs_node(struct kmem_cache *s, int node, int objects)\n{\n\tstruct kmem_cache_node *n = get_node(s, node);\n\n\t/*\n\t * May be called early in order to allocate a slab for the\n\t * kmem_cache_node structure. 
Solve the chicken-egg\n\t * dilemma by deferring the increment of the count during\n\t * bootstrap (see early_kmem_cache_node_alloc).\n\t */\n\tif (likely(n)) {\n\t\tatomic_long_inc(&n->nr_slabs);\n\t\tatomic_long_add(objects, &n->total_objects);\n\t}\n}", "project": "linux", "hash": 270063778587768170708360527382797456927, "size": 15, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280044 }, { "func": "static inline void inc_slabs_node(struct kmem_cache *s, int node,\n\t\t\t\t\t\t\tint objects) {}", "project": "linux", "hash": 79275815031060974800899063662181411767, "size": 2, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280231 }, { "func": "static int sctp_getsockopt_pr_streamstatus(struct sock *sk, int len,\n\t\t\t\t\t char __user *optval,\n\t\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_stream_out_ext *streamoute;\n\tstruct sctp_association *asoc;\n\tstruct sctp_prstatus params;\n\tint retval = -EINVAL;\n\tint policy;\n\n\tif (len < sizeof(params))\n\t\tgoto out;\n\n\tlen = sizeof(params);\n\tif (copy_from_user(¶ms, optval, len)) {\n\t\tretval = -EFAULT;\n\t\tgoto out;\n\t}\n\n\tpolicy = params.sprstat_policy;\n\tif (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) ||\n\t ((policy & SCTP_PR_SCTP_ALL) && (policy & SCTP_PR_SCTP_MASK)))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params.sprstat_assoc_id);\n\tif (!asoc || params.sprstat_sid >= asoc->stream.outcnt)\n\t\tgoto out;\n\n\tstreamoute = SCTP_SO(&asoc->stream, params.sprstat_sid)->ext;\n\tif (!streamoute) {\n\t\t/* Not allocated yet, means all stats are 0 */\n\t\tparams.sprstat_abandoned_unsent = 0;\n\t\tparams.sprstat_abandoned_sent = 0;\n\t\tretval = 0;\n\t\tgoto out;\n\t}\n\n\tif (policy == SCTP_PR_SCTP_ALL) {\n\t\tparams.sprstat_abandoned_unsent = 0;\n\t\tparams.sprstat_abandoned_sent = 0;\n\t\tfor (policy = 0; policy <= SCTP_PR_INDEX(MAX); policy++) {\n\t\t\tparams.sprstat_abandoned_unsent +=\n\t\t\t\tstreamoute->abandoned_unsent[policy];\n\t\t\tparams.sprstat_abandoned_sent +=\n\t\t\t\tstreamoute->abandoned_sent[policy];\n\t\t}\n\t} else {\n\t\tparams.sprstat_abandoned_unsent =\n\t\t\tstreamoute->abandoned_unsent[__SCTP_PR_INDEX(policy)];\n\t\tparams.sprstat_abandoned_sent 
=\n\t\t\tstreamoute->abandoned_sent[__SCTP_PR_INDEX(policy)];\n\t}\n\n\tif (put_user(len, optlen) || copy_to_user(optval, ¶ms, len)) {\n\t\tretval = -EFAULT;\n\t\tgoto out;\n\t}\n\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 82139070316255443332207836707723010545, "size": 63, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398153 }, { "func": "static inline int sysfs_slab_alias(struct kmem_cache *s, const char *p)\n\t\t\t\t\t\t\t{ return 0; }", "project": "linux", "hash": 76118283786031401962566455138489757022, "size": 2, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280128 }, { "func": "\nstatic int sysfs_slab_alias(struct kmem_cache *s, const char *name)\n{\n\tstruct saved_alias *al;\n\n\tif (slab_state == FULL) {\n\t\t/*\n\t\t * If we have a leftover link then remove it.\n\t\t */\n\t\tsysfs_remove_link(&slab_kset->kobj, name);\n\t\treturn sysfs_create_link(&slab_kset->kobj, &s->kobj, name);\n\t}\n\n\tal = kmalloc(sizeof(struct saved_alias), GFP_KERNEL);\n\tif (!al)\n\t\treturn -ENOMEM;\n\n\tal->s = s;\n\tal->name = name;\n\tal->next = alias_list;\n\talias_list = al;\n\treturn 0;", "project": "linux", "hash": 331976434300034875869816003297768431611, "size": 22, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280239 }, { "func": "int blosc_get_complib_info(const char* compname, char** complib, char** version) {\n int clibcode;\n const char* clibname;\n const char* clibversion = \"unknown\";\n\n#if (defined(HAVE_LZ4) && defined(LZ4_VERSION_MAJOR)) || \\\n (defined(HAVE_LIZARD) && defined(LIZARD_VERSION_MAJOR)) || \\\n (defined(HAVE_SNAPPY) && defined(SNAPPY_VERSION)) || \\\n (defined(HAVE_ZSTD) && defined(ZSTD_VERSION_MAJOR))\n char sbuffer[256];\n#endif\n\n clibcode = compname_to_clibcode(compname);\n clibname = clibcode_to_clibname(clibcode);\n\n /* complib version */\n if (clibcode == BLOSC_BLOSCLZ_LIB) {\n clibversion = BLOSCLZ_VERSION_STRING;\n }\n#if defined(HAVE_LZ4)\n else if (clibcode == BLOSC_LZ4_LIB) {\n#if defined(LZ4_VERSION_MAJOR)\n sprintf(sbuffer, \"%d.%d.%d\",\n LZ4_VERSION_MAJOR, LZ4_VERSION_MINOR, LZ4_VERSION_RELEASE);\n clibversion = sbuffer;\n#endif /* LZ4_VERSION_MAJOR */\n }\n#endif /* HAVE_LZ4 */\n#if defined(HAVE_LIZARD)\n else if (clibcode == BLOSC_LIZARD_LIB) {\n sprintf(sbuffer, \"%d.%d.%d\",\n LIZARD_VERSION_MAJOR, LIZARD_VERSION_MINOR, LIZARD_VERSION_RELEASE);\n clibversion = sbuffer;\n }\n#endif /* HAVE_LIZARD */\n#if defined(HAVE_SNAPPY)\n else if (clibcode == BLOSC_SNAPPY_LIB) {\n#if defined(SNAPPY_VERSION)\n sprintf(sbuffer, \"%d.%d.%d\", SNAPPY_MAJOR, SNAPPY_MINOR, SNAPPY_PATCHLEVEL);\n clibversion = sbuffer;\n#endif /* SNAPPY_VERSION */\n }\n#endif /* HAVE_SNAPPY */\n#if defined(HAVE_ZLIB)\n else if (clibcode == BLOSC_ZLIB_LIB) {\n clibversion = ZLIB_VERSION;\n }\n#endif /* HAVE_ZLIB */\n#if defined(HAVE_ZSTD)\n else if 
(clibcode == BLOSC_ZSTD_LIB) {\n sprintf(sbuffer, \"%d.%d.%d\",\n ZSTD_VERSION_MAJOR, ZSTD_VERSION_MINOR, ZSTD_VERSION_RELEASE);\n clibversion = sbuffer;\n }\n#endif /* HAVE_ZSTD */\n\n#ifdef _MSC_VER\n *complib = _strdup(clibname);\n *version = _strdup(clibversion);\n#else\n *complib = strdup(clibname);\n *version = strdup(clibversion);\n#endif\n return clibcode;\n}", "project": "c-blosc2", "hash": 293706114169066834349688077049788129163, "size": 65, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303119 }, { "func": "extern int x11_delete_xauth(char *xauthority, char *host, uint16_t display)\n{\n\tint i=0, status;\n\tchar *result;\n\tchar **xauth_argv;\n\n\txauth_argv = xmalloc(sizeof(char *) * 10);\n\txauth_argv[i++] = xstrdup(\"xauth\");\n\txauth_argv[i++] = xstrdup(\"-v\");\n\txauth_argv[i++] = xstrdup(\"-f\");\n\txauth_argv[i++] = xstrdup(xauthority);\n\txauth_argv[i++] = xstrdup(\"remove\");\n\txauth_argv[i++] = xstrdup_printf(\"%s/unix:%u\", host, display);\n\txauth_argv[i++] = NULL;\n\txassert(i < 10);\n\n\tresult = run_command(\"xauth\", XAUTH_PATH, xauth_argv, 10000, 0,\n\t\t\t &status);\n\n\tfree_command_argv(xauth_argv);\n\n\tdebug2(\"%s: result from xauth: %s\", __func__, result);\n\txfree(result);\n\n\treturn status;\n}", "project": "slurm", "hash": 128496414230349176263839705694684206156, "size": 26, "commit_id": "07309deb45c33e735e191faf9dd31cca1054a15c", "message": "X11 forwarding - avoid unsafe use of magic cookie as arg to xauth command.\n\nMagic cookie can leak through /proc this way. There is a race here between\nthis usually short-lived xauth command running and an attacker scraping\nthe value from /proc. 
This can be exacerbated through use of\nX11Parameters=home_xauthority on a cluster with a shared home directory\nunder heavy load.\n\nCVE-2020-27746.", "target": 0, "dataset": "other", "idx": 323088 }, { "func": "JSONContainerType get_container_type_from_options(int64_t options) {\n if ((options & k_JSON_FB_STABLE_MAPS) ||\n (options & k_JSON_FB_COLLECTIONS)) {\n return JSONContainerType::COLLECTIONS;\n }\n\n if (options & k_JSON_FB_HACK_ARRAYS) {\n return JSONContainerType::HACK_ARRAYS;\n }\n\n if (options & k_JSON_FB_DARRAYS) {\n return JSONContainerType::DARRAYS;\n }\n\n if (options & k_JSON_FB_DARRAYS_AND_VARRAYS) {\n return JSONContainerType::DARRAYS_AND_VARRAYS;\n }\n\n if (options & k_JSON_FB_LEGACY_HACK_ARRAYS) {\n return JSONContainerType::LEGACY_HACK_ARRAYS;\n }\n\n return JSONContainerType::DARRAYS;\n}", "project": "hhvm", "hash": 212124143910281103910557803680464954153, "size": 24, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227301 }, { "func": " bool unsupportedTe() const { return teUnsupported_; }", "project": "squid", "hash": 202794605793058299856955616236584008380, "size": 1, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402371 }, { "func": "static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe)\n{\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tstruct kiocb *kiocb = &req->rw.kiocb;\n\tstruct file *file = req->file;\n\tunsigned ioprio;\n\tint ret;\n\n\tif (!(req->flags & REQ_F_ISREG) && S_ISREG(file_inode(file)->i_mode))\n\t\treq->flags |= REQ_F_ISREG;\n\n\tkiocb->ki_pos = READ_ONCE(sqe->off);\n\tif (kiocb->ki_pos == -1 && !(file->f_mode & FMODE_STREAM)) {\n\t\treq->flags |= REQ_F_CUR_POS;\n\t\tkiocb->ki_pos = file->f_pos;\n\t}\n\tkiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));\n\tkiocb->ki_flags = iocb_flags(kiocb->ki_filp);\n\tret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));\n\tif (unlikely(ret))\n\t\treturn ret;\n\n\t/* don't allow async punt for O_NONBLOCK or RWF_NOWAIT */\n\tif ((kiocb->ki_flags & IOCB_NOWAIT) || (file->f_flags & O_NONBLOCK))\n\t\treq->flags |= REQ_F_NOWAIT;\n\n\tioprio = READ_ONCE(sqe->ioprio);\n\tif (ioprio) {\n\t\tret = ioprio_check_cap(ioprio);\n\t\tif (ret)\n\t\t\treturn ret;\n\n\t\tkiocb->ki_ioprio = ioprio;\n\t} else\n\t\tkiocb->ki_ioprio = get_current_ioprio();\n\n\tif (ctx->flags & IORING_SETUP_IOPOLL) {\n\t\tif (!(kiocb->ki_flags & IOCB_DIRECT) ||\n\t\t !kiocb->ki_filp->f_op->iopoll)\n\t\t\treturn -EOPNOTSUPP;\n\n\t\tkiocb->ki_flags |= IOCB_HIPRI;\n\t\tkiocb->ki_complete = io_complete_rw_iopoll;\n\t\treq->iopoll_completed = 0;\n\t} else {\n\t\tif (kiocb->ki_flags & IOCB_HIPRI)\n\t\t\treturn -EINVAL;\n\t\tkiocb->ki_complete = io_complete_rw;\n\t}\n\n\tif (req->opcode == IORING_OP_READ_FIXED ||\n\t 
req->opcode == IORING_OP_WRITE_FIXED) {\n\t\treq->imu = NULL;\n\t\tio_req_set_rsrc_node(req);\n\t}\n\n\treq->rw.addr = READ_ONCE(sqe->addr);\n\treq->rw.len = READ_ONCE(sqe->len);\n\treq->buf_index = READ_ONCE(sqe->buf_index);\n\treturn 0;\n}", "project": "linux", "hash": 314798981194520896888274910920055320206, "size": 61, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338661 }, { "func": "static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,\n\t\t bool force_nonblock)\n{\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tstruct kiocb *kiocb = &req->rw.kiocb;\n\tunsigned ioprio;\n\tint ret;\n\n\tif (S_ISREG(file_inode(req->file)->i_mode))\n\t\treq->flags |= REQ_F_ISREG;\n\n\tkiocb->ki_pos = READ_ONCE(sqe->off);\n\tif (kiocb->ki_pos == -1 && !(req->file->f_mode & FMODE_STREAM)) {\n\t\treq->flags |= REQ_F_CUR_POS;\n\t\tkiocb->ki_pos = req->file->f_pos;\n\t}\n\tkiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));\n\tkiocb->ki_flags = iocb_flags(kiocb->ki_filp);\n\tret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));\n\tif (unlikely(ret))\n\t\treturn ret;\n\n\tioprio = READ_ONCE(sqe->ioprio);\n\tif (ioprio) {\n\t\tret = ioprio_check_cap(ioprio);\n\t\tif (ret)\n\t\t\treturn 
ret;\n\n\t\tkiocb->ki_ioprio = ioprio;\n\t} else\n\t\tkiocb->ki_ioprio = get_current_ioprio();\n\n\t/* don't allow async punt if RWF_NOWAIT was requested */\n\tif (kiocb->ki_flags & IOCB_NOWAIT)\n\t\treq->flags |= REQ_F_NOWAIT;\n\n\tif (kiocb->ki_flags & IOCB_DIRECT)\n\t\tio_get_req_task(req);\n\n\tif (force_nonblock)\n\t\tkiocb->ki_flags |= IOCB_NOWAIT;\n\n\tif (ctx->flags & IORING_SETUP_IOPOLL) {\n\t\tif (!(kiocb->ki_flags & IOCB_DIRECT) ||\n\t\t !kiocb->ki_filp->f_op->iopoll)\n\t\t\treturn -EOPNOTSUPP;\n\n\t\tkiocb->ki_flags |= IOCB_HIPRI;\n\t\tkiocb->ki_complete = io_complete_rw_iopoll;\n\t\treq->iopoll_completed = 0;\n\t\tio_get_req_task(req);\n\t} else {\n\t\tif (kiocb->ki_flags & IOCB_HIPRI)\n\t\t\treturn -EINVAL;\n\t\tkiocb->ki_complete = io_complete_rw;\n\t}\n\n\treq->rw.addr = READ_ONCE(sqe->addr);\n\treq->rw.len = READ_ONCE(sqe->len);\n\treq->buf_index = READ_ONCE(sqe->buf_index);\n\treturn 0;\n}", "project": "linux", "hash": 94709535243994667202579206340667819136, "size": 62, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456907 }, { "func": " explicit operator bool() const { return (bool)m_str; }", "project": "hhvm", "hash": 123159794655211188622332454181202577025, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219320 }, { 
"project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::updateAutomaticPullNodes()\n{\n ASSERT(isGraphOwner());\n\n if (m_automaticPullNodesNeedUpdating) {\n m_renderingAutomaticPullNodes.resize(m_automaticPullNodes.size());\n\n unsigned j = 0;\n for (HashSet::iterator i = m_automaticPullNodes.begin(); i != m_automaticPullNodes.end(); ++i, ++j) {\n AudioNode* output = *i;\n m_renderingAutomaticPullNodes[j] = output;\n }\n\n m_automaticPullNodesNeedUpdating = false;\n }\n}\n", "cwe": "", "big_vul_idx": 139697, "idx": 124845, "hash": 191523880527996470277699918775499673713 }, { "func": "static inline bool cmpxchg_double_slab(struct kmem_cache *s, struct page *page,\n\t\tvoid *freelist_old, unsigned long counters_old,\n\t\tvoid *freelist_new, unsigned long counters_new,\n\t\tconst char *n)\n{\n#if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \\\n defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)\n\tif (s->flags & __CMPXCHG_DOUBLE) {\n\t\tif (cmpxchg_double(&page->freelist, &page->counters,\n\t\t\t\t freelist_old, counters_old,\n\t\t\t\t freelist_new, counters_new))\n\t\t\treturn true;\n\t} else\n#endif\n\t{\n\t\tunsigned long flags;\n\n\t\tlocal_irq_save(flags);\n\t\tslab_lock(page);\n\t\tif (page->freelist == freelist_old &&\n\t\t\t\t\tpage->counters == counters_old) {\n\t\t\tpage->freelist = freelist_new;\n\t\t\tpage->counters = counters_new;\n\t\t\tslab_unlock(page);\n\t\t\tlocal_irq_restore(flags);\n\t\t\treturn true;\n\t\t}\n\t\tslab_unlock(page);\n\t\tlocal_irq_restore(flags);\n\t}\n\n\tcpu_relax();\n\tstat(s, CMPXCHG_DOUBLE_FAIL);\n\n#ifdef SLUB_DEBUG_CMPXCHG\n\tpr_info(\"%s %s: cmpxchg double redo \", n, s->name);\n#endif\n\n\treturn false;\n}", "project": "linux", "hash": 98226316039379516487039766217964209540, "size": 40, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects 
from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280170 }, { "func": "static int io_recv(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_buffer *kbuf;\n\tstruct io_sr_msg *sr = &req->sr_msg;\n\tstruct msghdr msg;\n\tvoid __user *buf = sr->buf;\n\tstruct socket *sock;\n\tstruct iovec iov;\n\tunsigned flags;\n\tint min_ret = 0;\n\tint ret, cflags = 0;\n\tbool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;\n\n\tsock = sock_from_file(req->file);\n\tif (unlikely(!sock))\n\t\treturn -ENOTSOCK;\n\n\tif (req->flags & REQ_F_BUFFER_SELECT) {\n\t\tkbuf = io_recv_buffer_select(req, !force_nonblock);\n\t\tif (IS_ERR(kbuf))\n\t\t\treturn PTR_ERR(kbuf);\n\t\tbuf = u64_to_user_ptr(kbuf->addr);\n\t}\n\n\tret = import_single_range(READ, buf, sr->len, &iov, &msg.msg_iter);\n\tif (unlikely(ret))\n\t\tgoto out_free;\n\n\tmsg.msg_name = NULL;\n\tmsg.msg_control = NULL;\n\tmsg.msg_controllen = 0;\n\tmsg.msg_namelen = 0;\n\tmsg.msg_iocb = NULL;\n\tmsg.msg_flags = 0;\n\n\tflags = req->sr_msg.msg_flags;\n\tif (force_nonblock)\n\t\tflags |= MSG_DONTWAIT;\n\tif (flags & MSG_WAITALL)\n\t\tmin_ret = iov_iter_count(&msg.msg_iter);\n\n\tret = sock_recvmsg(sock, &msg, flags);\n\tif (force_nonblock && ret == -EAGAIN)\n\t\treturn -EAGAIN;\n\tif (ret == -ERESTARTSYS)\n\t\tret = -EINTR;\nout_free:\n\tif (req->flags & REQ_F_BUFFER_SELECTED)\n\t\tcflags = io_put_recv_kbuf(req);\n\tif (ret < min_ret || ((flags & 
MSG_WAITALL) && (msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC))))\n\t\treq_set_fail_links(req);\n\t__io_req_complete(req, issue_flags, ret, cflags);\n\treturn 0;\n}", "project": "linux", "hash": 130318709669643639161553451512761845350, "size": 54, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338544 }, { "func": "static int fuse_file_mmap(struct file *file, struct vm_area_struct *vma)\n{\n\tstruct fuse_file *ff = file->private_data;\n\n\t/* DAX mmap is superior to direct_io mmap */\n\tif (FUSE_IS_DAX(file_inode(file)))\n\t\treturn fuse_dax_mmap(file, vma);\n\n\tif (ff->open_flags & FOPEN_DIRECT_IO) {\n\t\t/* Can't provide the coherency needed for MAP_SHARED */\n\t\tif (vma->vm_flags & VM_MAYSHARE)\n\t\t\treturn -ENODEV;\n\n\t\tinvalidate_inode_pages2(file->f_mapping);\n\n\t\treturn generic_file_mmap(file, vma);\n\t}\n\n\tif ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_MAYWRITE))\n\t\tfuse_link_write_file(file);\n\n\tfile_accessed(file);\n\tvma->vm_ops = &fuse_file_vm_ops;\n\treturn 0;\n}", "project": "linux", "hash": 62185590084221552994159988764616717694, "size": 25, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report 
(edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341912 }, { "func": "static void encode_open(struct xdr_stream *xdr, const struct nfs_openargs *arg, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_OPEN, decode_open_maxsz, hdr);\n\tencode_openhdr(xdr, arg);\n\tencode_opentype(xdr, arg);\n\tswitch (arg->claim) {\n\tcase NFS4_OPEN_CLAIM_NULL:\n\t\tencode_claim_null(xdr, arg->name);\n\t\tbreak;\n\tcase NFS4_OPEN_CLAIM_PREVIOUS:\n\t\tencode_claim_previous(xdr, arg->u.delegation_type);\n\t\tbreak;\n\tcase NFS4_OPEN_CLAIM_DELEGATE_CUR:\n\t\tencode_claim_delegate_cur(xdr, arg->name, &arg->u.delegation);\n\t\tbreak;\n\tcase NFS4_OPEN_CLAIM_FH:\n\t\tencode_claim_fh(xdr);\n\t\tbreak;\n\tcase NFS4_OPEN_CLAIM_DELEG_CUR_FH:\n\t\tencode_claim_delegate_cur_fh(xdr, &arg->u.delegation);\n\t\tbreak;\n\tdefault:\n\t\tBUG();\n\t}\n}", "project": "linux", "hash": 244137855483373961755164172935268610706, "size": 25, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of 
Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431511 }, { "func": "bool kvm_make_all_cpus_request_except(struct kvm *kvm, unsigned int req,\n\t\t\t\t struct kvm_vcpu *except)\n{\n\tcpumask_var_t cpus;\n\tbool called;\n\n\tzalloc_cpumask_var(&cpus, GFP_ATOMIC);\n\n\tcalled = kvm_make_vcpus_request_mask(kvm, req, except, NULL, cpus);\n\n\tfree_cpumask_var(cpus);\n\treturn called;\n}", "project": "linux", "hash": 35716901548660182396694322933267032423, "size": 13, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404095 }, { "func": "static int gethex(FILE *sfd, uint32 *val) {\n char tokbuf[100]; int ch;\n char *pt=tokbuf, *end = tokbuf+100-2;\n\n while ( isspace(ch = nlgetc(sfd)));\n if ( ch=='#' )\n\tch = nlgetc(sfd);\n if ( ch=='-' || ch=='+' ) {\n\t*pt++ = ch;\n\tch = nlgetc(sfd);\n }\n if ( ch=='0' ) {\n\tch = nlgetc(sfd);\n\tif ( ch=='x' || ch=='X' )\n\t ch = nlgetc(sfd);\n\telse {\n\t ungetc(ch,sfd);\n\t ch = '0';\n\t}\n }\n while ( isdigit(ch) || (ch>='a' && ch<='f') || (ch>='A' && ch<='F')) {\n\tif ( ptfontname string if it isn't 
set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417848 }, { "func": "static int __nd_alloc_stack(struct nameidata *nd)\n{\n\tstruct saved *p;\n\n\tif (nd->flags & LOOKUP_RCU) {\n\t\tp= kmalloc_array(MAXSYMLINKS, sizeof(struct saved),\n\t\t\t\t GFP_ATOMIC);\n\t\tif (unlikely(!p))\n\t\t\treturn -ECHILD;\n\t} else {\n\t\tp= kmalloc_array(MAXSYMLINKS, sizeof(struct saved),\n\t\t\t\t GFP_KERNEL);\n\t\tif (unlikely(!p))\n\t\t\treturn -ENOMEM;\n\t}\n\tmemcpy(p, nd->internal, sizeof(nd->internal));\n\tnd->stack = p;\n\treturn 0;\n}", "project": "linux", "hash": 1867739270290894777176532758006174498, "size": 19, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295372 }, { "func": "void CLua::load_persist()\n{\n if (Options.no_save)\n return;\n string persistfile = _get_persist_file();\n if (!file_exists(persistfile))\n return;\n FileLineInput f(persistfile.c_str());\n string script;\n while (!f.eof())\n script += f.get_line() + \"\\n\";\n execstring(script.c_str());\n}", "project": "crawl", "hash": 17657282072648524537309133168191123592, "size": 13, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230500 }, { "func": "int CServer::SendMsg(CMsgPacker *pMsg, int Flags, int ClientID)\n{\n\tCNetChunk Packet;\n\tif(!pMsg)\n\t\treturn -1;\n\n\t// drop packet to dummy client\n\tif(0 <= ClientID && ClientID < MAX_CLIENTS && GameServer()->IsClientBot(ClientID))\n\t\treturn 0;\n\n\tmem_zero(&Packet, sizeof(CNetChunk));\n\tPacket.m_ClientID = ClientID;\n\tPacket.m_pData 
= pMsg->Data();\n\tPacket.m_DataSize = pMsg->Size();\n\n\tif(Flags&MSGFLAG_VITAL)\n\t\tPacket.m_Flags |= NETSENDFLAG_VITAL;\n\tif(Flags&MSGFLAG_FLUSH)\n\t\tPacket.m_Flags |= NETSENDFLAG_FLUSH;\n\n\t// write message to demo recorder\n\tif(!(Flags&MSGFLAG_NORECORD))\n\t\tm_DemoRecorder.RecordMessage(pMsg->Data(), pMsg->Size());\n\n\tif(!(Flags&MSGFLAG_NOSEND))\n\t{\n\t\tif(ClientID == -1)\n\t\t{\n\t\t\t// broadcast\n\t\t\tint i;\n\t\t\tfor(i = 0; i < MAX_CLIENTS; i++)\n\t\t\t\tif(m_aClients[i].m_State == CClient::STATE_INGAME && !m_aClients[i].m_Quitting)\n\t\t\t\t{\n\t\t\t\t\tPacket.m_ClientID = i;\n\t\t\t\t\tm_NetServer.Send(&Packet);\n\t\t\t\t}\n\t\t}\n\t\telse\n\t\t\tm_NetServer.Send(&Packet);\n\t}\n\treturn 0;\n}", "project": "teeworlds", "hash": 145582132599251035090290965422339038739, "size": 42, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 1, "dataset": "other", "idx": 206517 }, { "func": "int CServer::SendMsg(CMsgPacker *pMsg, int Flags, int ClientID)\n{\n\tCNetChunk Packet;\n\tif(!pMsg)\n\t\treturn -1;\n\n\t// drop invalid packet\n\tif(ClientID != -1 && (ClientID < 0 || ClientID >= MAX_CLIENTS || m_aClients[ClientID].m_State == CClient::STATE_EMPTY || m_aClients[ClientID].m_Quitting))\n\t\treturn 0;\n\n\tmem_zero(&Packet, sizeof(CNetChunk));\n\tPacket.m_ClientID = ClientID;\n\tPacket.m_pData = pMsg->Data();\n\tPacket.m_DataSize = pMsg->Size();\n\n\tif(Flags&MSGFLAG_VITAL)\n\t\tPacket.m_Flags |= NETSENDFLAG_VITAL;\n\tif(Flags&MSGFLAG_FLUSH)\n\t\tPacket.m_Flags |= NETSENDFLAG_FLUSH;\n\n\t// write message to demo recorder\n\tif(!(Flags&MSGFLAG_NORECORD))\n\t\tm_DemoRecorder.RecordMessage(pMsg->Data(), pMsg->Size());\n\n\tif(!(Flags&MSGFLAG_NOSEND))\n\t{\n\t\tif(ClientID == -1)\n\t\t{\n\t\t\t// broadcast\n\t\t\tint i;\n\t\t\tfor(i = 0; i < MAX_CLIENTS; i++)\n\t\t\t\tif(m_aClients[i].m_State == CClient::STATE_INGAME && !m_aClients[i].m_Quitting)\n\t\t\t\t{\n\t\t\t\t\tPacket.m_ClientID = 
i;\n\t\t\t\t\tm_NetServer.Send(&Packet);\n\t\t\t\t}\n\t\t}\n\t\telse\n\t\t\tm_NetServer.Send(&Packet);\n\t}\n\treturn 0;\n}", "project": "teeworlds", "hash": 329487471777399300626475999293740358602, "size": 42, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 381986 }, { "func": "static void set_cursor(struct vc_data *vc)\n{\n\tif (!con_is_fg(vc) || console_blanked || vc->vc_mode == KD_GRAPHICS)\n\t\treturn;\n\tif (vc->vc_deccm) {\n\t\tif (vc_is_sel(vc))\n\t\t\tclear_selection();\n\t\tadd_softcursor(vc);\n\t\tif ((vc->vc_cursor_type & 0x0f) != 1)\n\t\t\tvc->vc_sw->con_cursor(vc, CM_DRAW);\n\t} else\n\t\thide_cursor(vc);\n}", "project": "linux", "hash": 196524627584973067683977556464577048917, "size": 13, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437068 }, { "func": "otError Commissioner::SendRelayTransmit(void *aContext, Message &aMessage, const Ip6::MessageInfo &aMessageInfo)\n{\n return static_cast(aContext)->SendRelayTransmit(aMessage, aMessageInfo);\n}", "project": "openthread", "hash": 170357933472702676158690520233236352074, "size": 4, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269879 }, { "func": "otError Commissioner::SendRelayTransmit(Message &aMessage, const Ip6::MessageInfo &aMessageInfo)\n{\n OT_UNUSED_VARIABLE(aMessageInfo);\n\n otError error = OT_ERROR_NONE;\n JoinerUdpPortTlv udpPort;\n JoinerIidTlv iid;\n JoinerRouterLocatorTlv rloc;\n ExtendedTlv tlv;\n Coap::Message * message;\n uint16_t offset;\n Ip6::MessageInfo messageInfo;\n\n VerifyOrExit((message = NewMeshCoPMessage(Get())) != NULL, error = OT_ERROR_NO_BUFS);\n\n message->Init(OT_COAP_TYPE_NON_CONFIRMABLE, OT_COAP_CODE_POST);\n SuccessOrExit(error = message->AppendUriPathOptions(OT_URI_PATH_RELAY_TX));\n SuccessOrExit(error = message->SetPayloadMarker());\n\n udpPort.Init();\n udpPort.SetUdpPort(mJoinerPort);\n SuccessOrExit(error = message->AppendTlv(udpPort));\n\n iid.Init();\n iid.SetIid(mJoinerIid);\n SuccessOrExit(error = message->AppendTlv(iid));\n\n rloc.Init();\n rloc.SetJoinerRouterLocator(mJoinerRloc);\n SuccessOrExit(error = message->AppendTlv(rloc));\n\n if (aMessage.GetSubType() == Message::kSubTypeJoinerFinalizeResponse)\n {\n JoinerRouterKekTlv kek;\n kek.Init();\n kek.SetKek(Get().GetKek());\n SuccessOrExit(error = message->AppendTlv(kek));\n }\n\n tlv.SetType(Tlv::kJoinerDtlsEncapsulation);\n tlv.SetLength(aMessage.GetLength());\n SuccessOrExit(error = message->Append(&tlv, sizeof(tlv)));\n offset = message->GetLength();\n SuccessOrExit(error = 
message->SetLength(offset + aMessage.GetLength()));\n aMessage.CopyTo(0, offset, aMessage.GetLength(), *message);\n\n messageInfo.SetPeerAddr(Get().GetMeshLocal16());\n messageInfo.GetPeerAddr().mFields.m16[7] = HostSwap16(mJoinerRloc);\n messageInfo.SetPeerPort(kCoapUdpPort);\n\n SuccessOrExit(error = Get().SendMessage(*message, messageInfo));\n\n aMessage.Free();\n\nexit:\n\n if (error != OT_ERROR_NONE && message != NULL)\n {\n message->Free();\n }\n\n return error;\n}", "project": "openthread", "hash": 102457042003672009996360475336743301028, "size": 63, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269894 }, { "func": "AP_CORE_DECLARE(conn_rec *) ap_create_slave_connection(conn_rec *c)\n{\n apr_pool_t *pool;\n conn_slave_rec *new;\n conn_rec *sc = (conn_rec *) apr_palloc(c->pool, sizeof(conn_rec));\n\n apr_pool_create(&pool, c->pool);\n apr_pool_tag(pool, \"slave_conn\");\n memcpy(sc, c, sizeof(conn_rec));\n sc->slaves = NULL;\n sc->master = c;\n sc->input_filters = NULL;\n sc->output_filters = NULL;\n sc->pool = pool;\n new = apr_array_push(c->slaves);\n new->c = sc;\n return sc;\n}", "project": "httpd", "hash": 131792634887579171127174377676903305354, "size": 18, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246363 }, { "func": "static void set_mode(struct vc_data *vc, int on_off)\n{\n\tint i;\n\n\tfor (i = 0; i <= vc->vc_npar; i++)\n\t\tif (vc->vc_priv == EPdec) {\n\t\t\tswitch(vc->vc_par[i]) {\t/* DEC private modes set/reset 
*/\n\t\t\tcase 1:\t\t\t/* Cursor keys send ^[Ox/^[[x */\n\t\t\t\tif (on_off)\n\t\t\t\t\tset_kbd(vc, decckm);\n\t\t\t\telse\n\t\t\t\t\tclr_kbd(vc, decckm);\n\t\t\t\tbreak;\n\t\t\tcase 3:\t/* 80/132 mode switch unimplemented */\n#if 0\n\t\t\t\tvc_resize(deccolm ? 132 : 80, vc->vc_rows);\n\t\t\t\t/* this alone does not suffice; some user mode\n\t\t\t\t utility has to change the hardware regs */\n#endif\n\t\t\t\tbreak;\n\t\t\tcase 5:\t\t\t/* Inverted screen on/off */\n\t\t\t\tif (vc->vc_decscnm != on_off) {\n\t\t\t\t\tvc->vc_decscnm = on_off;\n\t\t\t\t\tinvert_screen(vc, 0, vc->vc_screenbuf_size, 0);\n\t\t\t\t\tupdate_attr(vc);\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase 6:\t\t\t/* Origin relative/absolute */\n\t\t\t\tvc->vc_decom = on_off;\n\t\t\t\tgotoxay(vc, 0, 0);\n\t\t\t\tbreak;\n\t\t\tcase 7:\t\t\t/* Autowrap on/off */\n\t\t\t\tvc->vc_decawm = on_off;\n\t\t\t\tbreak;\n\t\t\tcase 8:\t\t\t/* Autorepeat on/off */\n\t\t\t\tif (on_off)\n\t\t\t\t\tset_kbd(vc, decarm);\n\t\t\t\telse\n\t\t\t\t\tclr_kbd(vc, decarm);\n\t\t\t\tbreak;\n\t\t\tcase 9:\n\t\t\t\tvc->vc_report_mouse = on_off ? 1 : 0;\n\t\t\t\tbreak;\n\t\t\tcase 25:\t\t/* Cursor on/off */\n\t\t\t\tvc->vc_deccm = on_off;\n\t\t\t\tbreak;\n\t\t\tcase 1000:\n\t\t\t\tvc->vc_report_mouse = on_off ? 
2 : 0;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t} else {\n\t\t\tswitch(vc->vc_par[i]) {\t/* ANSI modes set/reset */\n\t\t\tcase 3:\t\t\t/* Monitor (display ctrls) */\n\t\t\t\tvc->vc_disp_ctrl = on_off;\n\t\t\t\tbreak;\n\t\t\tcase 4:\t\t\t/* Insert Mode on/off */\n\t\t\t\tvc->vc_decim = on_off;\n\t\t\t\tbreak;\n\t\t\tcase 20:\t\t/* Lf, Enter == CrLf/Lf */\n\t\t\t\tif (on_off)\n\t\t\t\t\tset_kbd(vc, lnm);\n\t\t\t\telse\n\t\t\t\t\tclr_kbd(vc, lnm);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n}", "project": "linux", "hash": 99309043964587624764859659695179934863, "size": 67, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437053 }, { "func": "\nstatic int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,\n\t\t\t int sync, void *key)\n{\n\tstruct io_kiocb *req = wait->private;\n\tstruct io_poll_iocb *poll = io_poll_get_single(req);\n\t__poll_t mask = key_to_poll(key);\n\n\t/* for instances that support it check for an event match first: */\n\tif (mask && !(mask & poll->events))\n\t\treturn 0;\n\tif (!(poll->events & EPOLLONESHOT))\n\t\treturn poll->wait.func(&poll->wait, mode, sync, key);\n\n\tlist_del_init(&wait->entry);\n\n\tif (poll && poll->head) {\n\t\tbool done;\n\n\t\tspin_lock(&poll->head->lock);\n\t\tdone = list_empty(&poll->wait.entry);\n\t\tif (!done)\n\t\t\tlist_del_init(&poll->wait.entry);\n\t\t/* make sure double remove sees this as being gone */\n\t\twait->private = NULL;\n\t\tspin_unlock(&poll->head->lock);\n\t\tif (!done) {\n\t\t\t/* use wait func handler, so it matches the rq type */\n\t\t\tpoll->wait.func(&poll->wait, mode, sync, key);\n\t\t}\n\t}\n\treq_ref_put(req);\n\treturn 1;", "project": "linux", "hash": 271763760050896526165253549302636507097, "size": 33, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338702 }, { "func": "static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,\n\t\t\t int sync, void *key)\n{\n\tstruct io_kiocb *req = wait->private;\n\tstruct io_poll_iocb *poll = req->apoll->double_poll;\n\t__poll_t mask = key_to_poll(key);\n\n\t/* for instances that support it check for an event match first: */\n\tif (mask && !(mask & poll->events))\n\t\treturn 0;\n\n\tif (poll && poll->head) {\n\t\tbool done;\n\n\t\tspin_lock(&poll->head->lock);\n\t\tdone = list_empty(&poll->wait.entry);\n\t\tif (!done)\n\t\t\tlist_del_init(&poll->wait.entry);\n\t\tspin_unlock(&poll->head->lock);\n\t\tif (!done)\n\t\t\t__io_async_wake(req, poll, mask, io_poll_task_func);\n\t}\n\trefcount_dec(&req->refs);\n\treturn 1;\n}", "project": "linux", "hash": 182880079425565549904775218813381248340, "size": 25, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: 
syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456955 }, { "func": "static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)\n{\n\tstruct sadb_prop *p;\n\tint i, k;\n\n\tp = skb_put(skb, sizeof(struct sadb_prop));\n\tp->sadb_prop_len = sizeof(struct sadb_prop)/8;\n\tp->sadb_prop_exttype = SADB_EXT_PROPOSAL;\n\tp->sadb_prop_replay = 32;\n\tmemset(p->sadb_prop_reserved, 0, sizeof(p->sadb_prop_reserved));\n\n\tfor (i=0; ; i++) {\n\t\tconst struct xfrm_algo_desc *ealg = xfrm_ealg_get_byidx(i);\n\t\tif (!ealg)\n\t\t\tbreak;\n\n\t\tif (!ealg->pfkey_supported)\n\t\t\tcontinue;\n\n\t\tif (!(ealg_tmpl_set(t, ealg) && ealg->available))\n\t\t\tcontinue;\n\n\t\tfor (k = 1; ; k++) {\n\t\t\tstruct sadb_comb *c;\n\t\t\tconst struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(k);\n\t\t\tif (!aalg)\n\t\t\t\tbreak;\n\t\t\tif (!aalg->pfkey_supported)\n\t\t\t\tcontinue;\n\t\t\tif (!(aalg_tmpl_set(t, aalg) && aalg->available))\n\t\t\t\tcontinue;\n\t\t\tc = skb_put(skb, sizeof(struct sadb_comb));\n\t\t\tmemset(c, 0, sizeof(*c));\n\t\t\tp->sadb_prop_len += sizeof(struct sadb_comb)/8;\n\t\t\tc->sadb_comb_auth = aalg->desc.sadb_alg_id;\n\t\t\tc->sadb_comb_auth_minbits = aalg->desc.sadb_alg_minbits;\n\t\t\tc->sadb_comb_auth_maxbits = aalg->desc.sadb_alg_maxbits;\n\t\t\tc->sadb_comb_encrypt = ealg->desc.sadb_alg_id;\n\t\t\tc->sadb_comb_encrypt_minbits = ealg->desc.sadb_alg_minbits;\n\t\t\tc->sadb_comb_encrypt_maxbits = ealg->desc.sadb_alg_maxbits;\n\t\t\tc->sadb_comb_hard_addtime = 24*60*60;\n\t\t\tc->sadb_comb_soft_addtime = 20*60*60;\n\t\t\tc->sadb_comb_hard_usetime = 8*60*60;\n\t\t\tc->sadb_comb_soft_usetime = 7*60*60;\n\t\t}\n\t}\n}", "project": "linux", "hash": 236008637276379103836296899238660569657, "size": 47, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for 
compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268082 }, { "func": " void validateStack(TraceIterator tIt, Stats& stats) {\n auto enteredName = m_stack.back().trace->symbol;\n auto exitedName = tIt->symbol;\n if ((exitedName != nullptr) &&\n ((enteredName == nullptr) || (strcmp(enteredName, exitedName) != 0))) {\n // We have a few special names that we form on entry. We don't\n // have the information to form them again on exit, so tolerate\n // them here. See EventHook::GetFunctionNameForProfiler().\n if ((enteredName != nullptr) &&\n ((strncmp(enteredName, \"run_init::\", 10) == 0) ||\n (strcmp(enteredName, \"_\") == 0))) return;\n bool fixed = false;\n if (m_stack.size() > 1) {\n auto callerName = (m_stack.end() - 2)->trace->symbol;\n if ((callerName != nullptr) && (strcmp(callerName, exitedName) == 0)) {\n // We have an exit for Foo(), but we were in Bar(). However,\n // it appears that Foo() was the caller of Bar(). This\n // suggests we've missed the exit event for Bar() and have\n // the exit event for Foo() in hand. So remove Bar() to\n // re-balance the stack.\n m_stack.pop_back();\n fixed = true;\n }\n }\n // The first few bad arcs typically point at the problem, so\n // report them. 
The rest we'll just count.\n if (++m_badArcCount < 20) {\n std::string badArc;\n if (fixed) {\n badArc = folly::format(\"(warning: corrected bad arc #{}: \"\n \"enter '{}', exit '{}')\",\n m_badArcCount,\n enteredName, exitedName).str();\n } else {\n badArc = folly::format(\"(error: bad arc #{}: \"\n \"enter '{}', exit '{}')\",\n m_badArcCount,\n enteredName, exitedName).str();\n }\n ++stats[badArc.data()].count;\n }\n }\n }", "project": "hhvm", "hash": 326286896420264939809209134861418535499, "size": 43, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219439 }, { "func": "void kvm_release_page_clean(struct page *page)\n{\n\tWARN_ON(is_error_page(page));\n\n\tkvm_release_pfn_clean(page_to_pfn(page));\n}", "project": "linux", "hash": 103314822072213561924240227015708031146, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354616 }, { "func": "static void hidinput_update_battery(struct hid_device *dev, int value)\n{\n}", "project": "linux", "hash": 238455999563060175786116256574849436789, "size": 3, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into 
hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458351 }, { "func": "static void hidinput_update_battery(struct hid_device *dev, int value)\n{\n\tint capacity;\n\n\tif (!dev->battery)\n\t\treturn;\n\n\tif (value == 0 || value < dev->battery_min || value > dev->battery_max)\n\t\treturn;\n\n\tcapacity = hidinput_scale_battery_capacity(dev, value);\n\n\tif (dev->battery_status != HID_BATTERY_REPORTED ||\n\t capacity != dev->battery_capacity) {\n\t\tdev->battery_capacity = capacity;\n\t\tdev->battery_status = HID_BATTERY_REPORTED;\n\t\tpower_supply_changed(dev->battery);\n\t}\n}", "project": "linux", "hash": 69953246149458042271688947359250228611, "size": 19, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap 
pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458388 }, { "func": "static inline struct kmem_cache_order_objects oo_make(unsigned int order,\n\t\tunsigned int size)\n{\n\tstruct kmem_cache_order_objects x = {\n\t\t(order << OO_SHIFT) + order_objects(order, size)\n\t};\n\n\treturn x;\n}", "project": "linux", "hash": 168806819730077646650798847663012832181, "size": 9, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280069 }, { "func": "static void nfs_fixup_secinfo_attributes(struct nfs_fattr *fattr)\n{\n\tfattr->valid |= NFS_ATTR_FATTR_TYPE | NFS_ATTR_FATTR_MODE |\n\t\tNFS_ATTR_FATTR_NLINK | NFS_ATTR_FATTR_MOUNTPOINT;\n\tfattr->mode = S_IFDIR | S_IRUGO | S_IXUGO;\n\tfattr->nlink = 2;\n}", "project": "linux", "hash": 40202347693955226111274561800456894591, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431378 }, { "project": "Chrome", "commit_id": "a5333583f14284a411abac2fef7caed889a8bba3", "target": 0, "func": "void CallWorkerContextDestroyedOnMainThread(int embedded_worker_id) {\n if (!RenderThreadImpl::current() ||\n !RenderThreadImpl::current()->embedded_worker_dispatcher())\n return;\n RenderThreadImpl::current()->embedded_worker_dispatcher()->\n WorkerContextDestroyed(embedded_worker_id);\n}\n", "cwe": "", "big_vul_idx": 121728, "idx": 109019, "hash": 340090864853605582182014759066866466182 }, { "func": "static req::ptr create_new_socket(\n const HostURL &hosturl,\n Variant& errnum,\n Variant& errstr,\n const Variant& context\n) {\n int domain = hosturl.isIPv6() ? 
AF_INET6 : AF_INET;\n int type = SOCK_STREAM;\n const std::string scheme = hosturl.getScheme();\n\n if (scheme == \"udp\" || scheme == \"udg\") {\n type = SOCK_DGRAM;\n }\n\n if (scheme == \"unix\" || scheme == \"udg\") {\n domain = AF_UNIX;\n }\n\n req::ptr sock;\n int fd = socket(domain, type, 0);\n double timeout = RequestInfo::s_requestInfo.getNoCheck()->\n m_reqInjectionData.getSocketDefaultTimeout();\n req::ptr streamctx;\n if (context.isResource()) {\n streamctx = cast(context.toResource());\n }\n\n auto sslsock = SSLSocket::Create(fd, domain, hosturl, timeout, streamctx);\n if (sslsock) {\n sock = sslsock;\n } else {\n sock = req::make(fd, domain, hosturl.getHost().c_str(),\n hosturl.getPort());\n }\n\n if (!sock->valid()) {\n SOCKET_ERROR(sock, \"unable to create socket\", errno);\n errnum = sock->getError();\n errstr = HHVM_FN(socket_strerror)(sock->getError());\n sock.reset();\n }\n return sock;\n}", "project": "hhvm", "hash": 109445886670473008202815351645613788849, "size": 43, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219424 }, { "func": "static void enable_trace_buffered_event(void *data)\n{\n\t/* Probably not needed, but do it anyway */\n\tsmp_rmb();\n\tthis_cpu_dec(trace_buffered_event_cnt);\n}", "project": "linux", "hash": 200444613896454350685740562567824176026, "size": 6, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445566 }, { "func": "static int default_handler(request_rec *r)\n{\n conn_rec *c = r->connection;\n apr_bucket_brigade *bb;\n apr_bucket *e;\n core_dir_config *d;\n int errstatus;\n apr_file_t *fd = NULL;\n apr_status_t status;\n /* XXX if/when somebody writes a content-md5 filter we either need to\n * remove this support or coordinate when to use the filter vs.\n * when to use this code\n * The current choice of when to compute the md5 here matches the 1.3\n * support fairly closely (unlike 1.3, we don't handle computing md5\n * when the charset is translated).\n */\n int bld_content_md5;\n\n d = (core_dir_config *)ap_get_core_module_config(r->per_dir_config);\n bld_content_md5 = (d->content_md5 == AP_CONTENT_MD5_ON)\n && r->output_filters->frec->ftype != AP_FTYPE_RESOURCE;\n\n ap_allow_standard_methods(r, MERGE_ALLOW, M_GET, M_OPTIONS, M_POST, -1);\n\n /* If filters intend to consume the request body, they must\n * register an InputFilter to slurp the contents of the POST\n * data from the POST input stream. It no longer exists when\n * the output filters are invoked by the default handler.\n */\n if ((errstatus = ap_discard_request_body(r)) != OK) {\n return errstatus;\n }\n\n if (r->method_number == M_GET || r->method_number == M_POST) {\n if (r->finfo.filetype == APR_NOFILE) {\n ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00128)\n \"File does not exist: %s\",\n apr_pstrcat(r->pool, r->filename, r->path_info, NULL));\n return HTTP_NOT_FOUND;\n }\n\n /* Don't try to serve a dir. 
Some OSs do weird things with\n * raw I/O on a dir.\n */\n if (r->finfo.filetype == APR_DIR) {\n ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00129)\n \"Attempt to serve directory: %s\", r->filename);\n return HTTP_NOT_FOUND;\n }\n\n if ((r->used_path_info != AP_REQ_ACCEPT_PATH_INFO) &&\n r->path_info && *r->path_info)\n {\n /* default to reject */\n ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00130)\n \"File does not exist: %s\",\n apr_pstrcat(r->pool, r->filename, r->path_info, NULL));\n return HTTP_NOT_FOUND;\n }\n\n /* We understood the (non-GET) method, but it might not be legal for\n this particular resource. Check to see if the 'deliver_script'\n flag is set. If so, then we go ahead and deliver the file since\n it isn't really content (only GET normally returns content).\n\n Note: based on logic further above, the only possible non-GET\n method at this point is POST. In the future, we should enable\n script delivery for all methods. */\n if (r->method_number != M_GET) {\n core_request_config *req_cfg;\n\n req_cfg = ap_get_core_module_config(r->request_config);\n if (!req_cfg->deliver_script) {\n /* The flag hasn't been set for this request. Punt. 
*/\n ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00131)\n \"This resource does not accept the %s method.\",\n r->method);\n return HTTP_METHOD_NOT_ALLOWED;\n }\n }\n\n\n if ((status = apr_file_open(&fd, r->filename, APR_READ | APR_BINARY\n#if APR_HAS_SENDFILE\n | AP_SENDFILE_ENABLED(d->enable_sendfile)\n#endif\n , 0, r->pool)) != APR_SUCCESS) {\n ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00132)\n \"file permissions deny server access: %s\", r->filename);\n return HTTP_FORBIDDEN;\n }\n\n ap_update_mtime(r, r->finfo.mtime);\n ap_set_last_modified(r);\n ap_set_etag(r);\n ap_set_accept_ranges(r);\n ap_set_content_length(r, r->finfo.size);\n if (bld_content_md5) {\n apr_table_setn(r->headers_out, \"Content-MD5\",\n ap_md5digest(r->pool, fd));\n }\n\n bb = apr_brigade_create(r->pool, c->bucket_alloc);\n\n if ((errstatus = ap_meets_conditions(r)) != OK) {\n apr_file_close(fd);\n r->status = errstatus;\n }\n else {\n e = apr_brigade_insert_file(bb, fd, 0, r->finfo.size, r->pool);\n\n#if APR_HAS_MMAP\n if (d->enable_mmap == ENABLE_MMAP_OFF) {\n (void)apr_bucket_file_enable_mmap(e, 0);\n }\n#endif\n }\n\n e = apr_bucket_eos_create(c->bucket_alloc);\n APR_BRIGADE_INSERT_TAIL(bb, e);\n\n status = ap_pass_brigade(r->output_filters, bb);\n apr_brigade_cleanup(bb);\n\n if (status == APR_SUCCESS\n || r->status != HTTP_OK\n || c->aborted) {\n return OK;\n }\n else {\n /* no way to know what type of error occurred */\n ap_log_rerror(APLOG_MARK, APLOG_DEBUG, status, r, APLOGNO(00133)\n \"default_handler: ap_pass_brigade returned %i\",\n status);\n return AP_FILTER_ERROR;\n }\n }\n else { /* unusual method (not GET or POST) */\n if (r->method_number == M_INVALID) {\n /* See if this looks like an undecrypted SSL handshake attempt.\n * It's safe to look a couple bytes into the_request if it exists, as it's\n * always allocated at least MIN_LINE_ALLOC (80) bytes.\n */\n if (r->the_request\n && r->the_request[0] == 0x16\n && (r->the_request[1] == 0x2 || 
r->the_request[1] == 0x3)) {\n ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00134)\n \"Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port\", r->the_request);\n } else {\n ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00135)\n \"Invalid method in request %s\", r->the_request);\n }\n return HTTP_NOT_IMPLEMENTED;\n }\n\n if (r->method_number == M_OPTIONS) {\n return ap_send_http_options(r);\n }\n return HTTP_METHOD_NOT_ALLOWED;\n }\n}", "project": "httpd", "hash": 290482243171538595386791193597151232491, "size": 161, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246390 }, { "func": "int64_t TensorByteSize(const TensorProto& t) {\n // num_elements returns -1 if shape is not fully defined.\n int64_t num_elems = TensorShape(t.tensor_shape()).num_elements();\n return num_elems < 0 ? -1 : num_elems * DataTypeSize(t.dtype());\n}", "project": "tensorflow", "hash": 12987503072502364739383952943830392043, "size": 5, "commit_id": "c2426bba00a01de6913738df8fa78e0215fcce02", "message": "Use `PartialTensorShape` instead of `TensorShape`.\n\n`TensorShape` constructor throws a CHECK-fail if shape is partial/overflows which the other doesn't. 
We are only determining the number of elements in the shape and partial shape should be used as it returns negative number when needed.\n\nPiperOrigin-RevId: 409205384\nChange-Id: Ia56542ff9ec758f2c9ffc7e4dcc9fa7eecd86e7b", "target": 1, "dataset": "other", "idx": 195244 }, { "func": "int64_t TensorByteSize(const TensorProto& t) {\n // num_elements returns -1 if shape is not fully defined.\n int64_t num_elems = PartialTensorShape(t.tensor_shape()).num_elements();\n return num_elems < 0 ? -1 : num_elems * DataTypeSize(t.dtype());\n}", "project": "tensorflow", "hash": 57172409333461341216253559449273971, "size": 5, "commit_id": "c2426bba00a01de6913738df8fa78e0215fcce02", "message": "Use `PartialTensorShape` instead of `TensorShape`.\n\n`TensorShape` constructor throws a CHECK-fail if shape is partial/overflows which the other doesn't. We are only determining the number of elements in the shape and partial shape should be used as it returns negative number when needed.\n\nPiperOrigin-RevId: 409205384\nChange-Id: Ia56542ff9ec758f2c9ffc7e4dcc9fa7eecd86e7b", "target": 0, "dataset": "other", "idx": 223149 }, { "func": "static void kvm_sched_out(struct preempt_notifier *pn,\n\t\t\t struct task_struct *next)\n{\n\tstruct kvm_vcpu *vcpu = preempt_notifier_to_vcpu(pn);\n\n\tif (current->state == TASK_RUNNING) {\n\t\tWRITE_ONCE(vcpu->preempted, true);\n\t\tWRITE_ONCE(vcpu->ready, true);\n\t}\n\tkvm_arch_vcpu_put(vcpu);\n\t__this_cpu_write(kvm_running_vcpu, NULL);\n}", "project": "linux", "hash": 35252587873809851268622374750504488831, "size": 12, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot 
array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354591 }, { "func": "static void trace_create_eval_file(struct dentry *d_tracer)\n{\n\ttrace_create_file(\"eval_map\", 0444, d_tracer,\n\t\t\t NULL, &tracing_eval_map_fops);\n}", "project": "linux", "hash": 337055715710812972699401923318879217371, "size": 5, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445560 }, { "func": "static inline void trace_create_eval_file(struct dentry *d_tracer) { }", "project": "linux", "hash": 230201478444164901811582804519454023967, "size": 1, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445849 }, { "func": "static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat,\n\t\t\t\t char *virt, int *bytes_read,\n\t\t\t\t int validate_header_size)\n{\n\tint rc = 0;\n\tu32 header_extent_size;\n\tu16 num_header_extents_at_front;\n\n\theader_extent_size = get_unaligned_be32(virt);\n\tvirt += sizeof(__be32);\n\tnum_header_extents_at_front = get_unaligned_be16(virt);\n\tcrypt_stat->num_header_bytes_at_front =\n\t\t(((size_t)num_header_extents_at_front\n\t\t * (size_t)header_extent_size));\n\t(*bytes_read) = (sizeof(__be32) + sizeof(__be16));\n\tif ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE)\n\t && (crypt_stat->num_header_bytes_at_front\n\t\t< ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) {\n\t\trc = -EINVAL;\n\t\tprintk(KERN_WARNING \"Invalid header size: [%zd]\\n\",\n\t\t crypt_stat->num_header_bytes_at_front);\n\t}\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 196994619083552533712698247733369072927, "size": 24, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes 
should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490200 }, { "func": "static int nf_tables_updobj(const struct nft_ctx *ctx,\n\t\t\t const struct nft_object_type *type,\n\t\t\t const struct nlattr *attr,\n\t\t\t struct nft_object *obj)\n{\n\tstruct nft_object *newobj;\n\tstruct nft_trans *trans;\n\tint err;\n\n\ttrans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,\n\t\t\t\tsizeof(struct nft_trans_obj));\n\tif (!trans)\n\t\treturn -ENOMEM;\n\n\tnewobj = nft_obj_init(ctx, type, attr);\n\tif (IS_ERR(newobj)) {\n\t\terr = PTR_ERR(newobj);\n\t\tgoto err_free_trans;\n\t}\n\n\tnft_trans_obj(trans) = obj;\n\tnft_trans_obj_update(trans) = true;\n\tnft_trans_obj_newobj(trans) = newobj;\n\tnft_trans_commit_list_add_tail(ctx->net, trans);\n\n\treturn 0;\n\nerr_free_trans:\n\tkfree(trans);\n\treturn err;\n}", "project": "linux", "hash": 86738068270006733141297898219956329698, "size": 31, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs 
an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328347 }, { "func": " uint cols()\n { return result_type() == ROW_RESULT ? orig_item->cols() : 1; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 168990032333582962184536028605453995691, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508975 }, { "func": "static inline bool tcp_is_fack(const struct tcp_sock *tp)\n{\n\treturn tp->rx_opt.sack_ok & TCP_FACK_ENABLED;\n}", "project": "linux", "hash": 168494750444316153076116025319171665545, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410740 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " CaptureVideoDecoderTest() {\n message_loop_.reset(new MessageLoop(MessageLoop::TYPE_IO));\n message_loop_proxy_ =\n base::MessageLoopProxy::current().get();\n vc_manager_ = new MockVideoCaptureImplManager();\n media::VideoCaptureCapability capability;\n capability.width = kWidth;\n capability.height = kHeight;\n capability.frame_rate = kFPS;\n capability.expected_capture_delay = 0;\n capability.color = media::VideoCaptureCapability::kI420;\n capability.interlaced = false;\n\n decoder_ = new CaptureVideoDecoder(message_loop_proxy_,\n kVideoStreamId, vc_manager_, capability);\n EXPECT_CALL(statistics_cb_object_, OnStatistics(_))\n .Times(AnyNumber());\n\n read_cb_ = base::Bind(&CaptureVideoDecoderTest::FrameReady,\n base::Unretained(this));\n\n vc_impl_.reset(new MockVideoCaptureImpl(\n kVideoStreamId, message_loop_proxy_, new VideoCaptureMessageFilter()));\n }\n", "cwe": "", "big_vul_idx": 113322, "idx": 101615, "hash": 10316073798422769504084209597885774305 }, { "func": "int blosc_set_nthreads(int nthreads_new) {\n int ret = g_nthreads; /* the previous number of threads */\n\n /* Check whether the library should be initialized */\n if (!g_initlib) blosc_init();\n\n if (nthreads_new != ret) {\n g_nthreads = nthreads_new;\n g_global_context->new_nthreads = nthreads_new;\n check_nthreads(g_global_context);\n }\n\n return ret;\n}", "project": "c-blosc2", "hash": 74313815903007069517686865699775824207, "size": 14, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303121 }, { "func": "static bool vhost_sock_xdp(struct socket *sock)\n{\n\treturn sock_flag(sock->sk, SOCK_XDP);\n}", "project": "linux", "hash": 25514646894129963651831480096993591312, "size": 4, 
"commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 441989 }, { "func": "uint32_t enc_untrusted_qe_get_quote(const sgx_report_t *app_report,\n uint32_t quote_size, uint8_t *quote) {\n uint32_t result;\n CHECK_OCALL(\n ocall_enc_untrusted_qe_get_quote(&result, app_report, quote_size, quote));\n return result;\n}", "project": "asylo", "hash": 121497157841830508204303990808782868016, "size": 7, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232066 }, { "func": "TEST(Config, AlreadyExists) {\n QTemporaryDir dir;\n WriteConfig(dir.path());\n Process p(ZNC_BIN_DIR \"/znc\", QStringList() << \"--debug\"\n << \"--datadir\" << dir.path()\n << \"--makeconf\");\n p.ReadUntil(\"already exists\");\n p.CanDie();\n}", "project": "znc", "hash": 55817513496177583034211958728840523008, "size": 9, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", 
"idx": 231583 }, { "func": "static int oidc_handle_session_management(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session) {\n\tchar *cmd = NULL;\n\tconst char *id_token_hint = NULL;\n\toidc_provider_t *provider = NULL;\n\n\t/* get the command passed to the session management handler */\n\toidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_SESSION, &cmd);\n\tif (cmd == NULL) {\n\t\toidc_error(r, \"session management handler called with no command\");\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\t/* see if this is a local logout during session management */\n\tif (apr_strnatcmp(\"logout\", cmd) == 0) {\n\t\toidc_debug(r,\n\t\t\t\t\"[session=logout] calling oidc_handle_logout_request because of session mgmt local logout call.\");\n\t\treturn oidc_handle_logout_request(r, c, session, c->default_slo_url);\n\t}\n\n\tif (oidc_get_provider_from_session(r, c, session, &provider) == FALSE) {\n\t\tif ((oidc_provider_static_config(r, c, &provider) == FALSE)\n\t\t\t\t|| (provider == NULL))\n\t\t\treturn HTTP_NOT_FOUND;\n\t}\n\n\t/* see if this is a request for the OP iframe */\n\tif (apr_strnatcmp(\"iframe_op\", cmd) == 0) {\n\t\tif (provider->check_session_iframe != NULL) {\n\t\t\treturn oidc_handle_session_management_iframe_op(r, c, session,\n\t\t\t\t\tprovider->check_session_iframe);\n\t\t}\n\t\treturn HTTP_NOT_FOUND;\n\t}\n\n\t/* see if this is a request for the RP iframe */\n\tif (apr_strnatcmp(\"iframe_rp\", cmd) == 0) {\n\t\tif ((provider->client_id != NULL)\n\t\t\t\t&& (provider->check_session_iframe != NULL)) {\n\t\t\treturn oidc_handle_session_management_iframe_rp(r, c, session,\n\t\t\t\t\tprovider->client_id, provider->check_session_iframe);\n\t\t}\n\t\toidc_debug(r,\n\t\t\t\t\"iframe_rp command issued but no client (%s) and/or no check_session_iframe (%s) set\",\n\t\t\t\tprovider->client_id, provider->check_session_iframe);\n\t\treturn HTTP_NOT_FOUND;\n\t}\n\n\t/* see if this is a request check the login state with the OP */\n\tif 
(apr_strnatcmp(\"check\", cmd) == 0) {\n\t\tid_token_hint = oidc_session_get_idtoken(r, session);\n\t\t/*\n\t\t * TODO: this doesn't work with per-path provided auth_request_params and scopes\n\t\t * as oidc_dir_cfg_path_auth_request_params and oidc_dir_cfg_path_scope will pick\n\t\t * those for the redirect_uri itself; do we need to store those as part of the\n\t\t * session now?\n\t\t */\n\t\treturn oidc_authenticate_user(r, c, provider,\n\t\t\t\tapr_psprintf(r->pool, \"%s?session=iframe_rp\",\n\t\t\t\t\t\toidc_get_redirect_uri_iss(r, c, provider)), NULL,\n\t\t\t\t\t\tid_token_hint, \"none\", oidc_dir_cfg_path_auth_request_params(r),\n\t\t\t\t\t\toidc_dir_cfg_path_scope(r));\n\t}\n\n\t/* handle failure in fallthrough */\n\toidc_error(r, \"unknown command: %s\", cmd);\n\n\treturn HTTP_INTERNAL_SERVER_ERROR;\n}", "project": "mod_auth_openidc", "hash": 178178473837582039163126463883576443231, "size": 69, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381976 }, { "func": "static int oidc_handle_session_management(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session) {\n\tchar *cmd = NULL;\n\tconst char *id_token_hint = NULL;\n\toidc_provider_t *provider = NULL;\n\n\t/* get the command passed to the session management handler */\n\toidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_SESSION, &cmd);\n\tif (cmd == NULL) {\n\t\toidc_error(r, \"session management handler called with no command\");\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\t/* see if this is a local logout during session management */\n\tif (apr_strnatcmp(\"logout\", cmd) == 0) {\n\t\toidc_debug(r,\n\t\t\t\t\"[session=logout] calling oidc_handle_logout_request because of session mgmt local logout call.\");\n\t\treturn oidc_handle_logout_request(r, c, session, 
c->default_slo_url);\n\t}\n\n\toidc_get_provider_from_session(r, c, session, &provider);\n\n\t/* see if this is a request for the OP iframe */\n\tif (apr_strnatcmp(\"iframe_op\", cmd) == 0) {\n\t\tif (provider->check_session_iframe != NULL) {\n\t\t\treturn oidc_handle_session_management_iframe_op(r, c, session,\n\t\t\t\t\tprovider->check_session_iframe);\n\t\t}\n\t\treturn HTTP_NOT_FOUND;\n\t}\n\n\t/* see if this is a request for the RP iframe */\n\tif (apr_strnatcmp(\"iframe_rp\", cmd) == 0) {\n\t\tif ((provider->client_id != NULL)\n\t\t\t\t&& (provider->check_session_iframe != NULL)) {\n\t\t\treturn oidc_handle_session_management_iframe_rp(r, c, session,\n\t\t\t\t\tprovider->client_id, provider->check_session_iframe);\n\t\t}\n\t\toidc_debug(r,\n\t\t\t\t\"iframe_rp command issued but no client (%s) and/or no check_session_iframe (%s) set\",\n\t\t\t\tprovider->client_id, provider->check_session_iframe);\n\t\treturn HTTP_NOT_FOUND;\n\t}\n\n\t/* see if this is a request check the login state with the OP */\n\tif (apr_strnatcmp(\"check\", cmd) == 0) {\n\t\tid_token_hint = oidc_session_get_idtoken(r, session);\n\t\tif ((session->remote_user != NULL) && (provider != NULL)) {\n\t\t\t/*\n\t\t\t * TODO: this doesn't work with per-path provided auth_request_params and scopes\n\t\t\t * as oidc_dir_cfg_path_auth_request_params and oidc_dir_cfg_path_scope will pick\n\t\t\t * those for the redirect_uri itself; do we need to store those as part of the\n\t\t\t * session now?\n\t\t\t */\n\t\t\treturn oidc_authenticate_user(r, c, provider,\n\t\t\t\t\tapr_psprintf(r->pool, \"%s?session=iframe_rp\",\n\t\t\t\t\t\t\toidc_get_redirect_uri_iss(r, c, provider)), NULL,\n\t\t\t\t\t\t\tid_token_hint, \"none\",\n\t\t\t\t\t\t\toidc_dir_cfg_path_auth_request_params(r),\n\t\t\t\t\t\t\toidc_dir_cfg_path_scope(r));\n\t\t}\n\t\toidc_debug(r,\n\t\t\t\t\"[session=check] calling oidc_handle_logout_request because no session found.\");\n\t\treturn oidc_session_redirect_parent_window_to_logout(r, 
c);\n\t}\n\n\t/* handle failure in fallthrough */\n\toidc_error(r, \"unknown command: %s\", cmd);\n\n\treturn HTTP_INTERNAL_SERVER_ERROR;\n}", "project": "mod_auth_openidc", "hash": 10275197546443844504033264433503725166, "size": 71, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447715 }, { "func": "static void power_pmu_disable(struct pmu *pmu)\n{\n\tstruct cpu_hw_events *cpuhw;\n\tunsigned long flags, mmcr0, val, mmcra;\n\n\tif (!ppmu)\n\t\treturn;\n\tlocal_irq_save(flags);\n\tcpuhw = this_cpu_ptr(&cpu_hw_events);\n\n\tif (!cpuhw->disabled) {\n\t\t/*\n\t\t * Check if we ever enabled the PMU on this cpu.\n\t\t */\n\t\tif (!cpuhw->pmcs_enabled) {\n\t\t\tppc_enable_pmcs();\n\t\t\tcpuhw->pmcs_enabled = 1;\n\t\t}\n\n\t\t/*\n\t\t * Set the 'freeze counters' bit, clear EBE/BHRBA/PMCC/PMAO/FC56\n\t\t */\n\t\tval = mmcr0 = mfspr(SPRN_MMCR0);\n\t\tval |= MMCR0_FC;\n\t\tval &= ~(MMCR0_EBE | MMCR0_BHRBA | MMCR0_PMCC | MMCR0_PMAO |\n\t\t\t MMCR0_FC56);\n\t\t/* Set mmcr0 PMCCEXT for p10 */\n\t\tif (ppmu->flags & PPMU_ARCH_31)\n\t\t\tval |= MMCR0_PMCCEXT;\n\n\t\t/*\n\t\t * The barrier is to make sure the mtspr has been\n\t\t * executed and the PMU has frozen the events etc.\n\t\t * before we return.\n\t\t */\n\t\twrite_mmcr0(cpuhw, val);\n\t\tmb();\n\t\tisync();\n\n\t\tval = mmcra = cpuhw->mmcr.mmcra;\n\n\t\t/*\n\t\t * Disable instruction sampling if it was enabled\n\t\t */\n\t\tif (cpuhw->mmcr.mmcra & MMCRA_SAMPLE_ENABLE)\n\t\t\tval &= ~MMCRA_SAMPLE_ENABLE;\n\n\t\t/* Disable BHRB via mmcra (BHRBRD) for p10 */\n\t\tif (ppmu->flags & PPMU_ARCH_31)\n\t\t\tval |= MMCRA_BHRB_DISABLE;\n\n\t\t/*\n\t\t * Write SPRN_MMCRA if mmcra has either disabled\n\t\t * instruction sampling or BHRB.\n\t\t */\n\t\tif (val != mmcra) {\n\t\t\tmtspr(SPRN_MMCRA, mmcra);\n\t\t\tmb();\n\t\t\tisync();\n\t\t}\n\n\t\tcpuhw->disabled = 1;\n\t\tcpuhw->n_added = 
0;\n\n\t\tebb_switch_out(mmcr0);\n\n#ifdef CONFIG_PPC64\n\t\t/*\n\t\t * These are readable by userspace, may contain kernel\n\t\t * addresses and are not switched by context switch, so clear\n\t\t * them now to avoid leaking anything to userspace in general\n\t\t * including to another process.\n\t\t */\n\t\tif (ppmu->flags & PPMU_ARCH_207S) {\n\t\t\tmtspr(SPRN_SDAR, 0);\n\t\t\tmtspr(SPRN_SIAR, 0);\n\t\t}\n#endif\n\t}\n\n\tlocal_irq_restore(flags);\n}", "project": "linux", "hash": 152159643883367136227415552177743421475, "size": 82, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374672 }, { "func": "static int fuse_link(struct dentry *entry, struct inode *newdir,\n\t\t struct dentry *newent)\n{\n\tint err;\n\tstruct fuse_link_in inarg;\n\tstruct inode *inode = d_inode(entry);\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tFUSE_ARGS(args);\n\n\tmemset(&inarg, 0, sizeof(inarg));\n\tinarg.oldnodeid = get_node_id(inode);\n\targs.opcode = FUSE_LINK;\n\targs.in_numargs = 2;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\targs.in_args[1].size = newent->d_name.len + 1;\n\targs.in_args[1].value = newent->d_name.name;\n\terr = create_new_entry(fm, &args, newdir, newent, inode->i_mode);\n\t/* Contrary to \"normal\" filesystems it can happen that link\n\t makes two \"logical\" inodes point to the same \"physical\"\n\t inode. 
We invalidate the attributes of the old one, so it\n\t will reflect changes in the backing inode (link count,\n\t etc.)\n\t*/\n\tif (!err) {\n\t\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\n\t\tspin_lock(&fi->lock);\n\t\tfi->attr_version = atomic64_inc_return(&fm->fc->attr_version);\n\t\tif (likely(inode->i_nlink < UINT_MAX))\n\t\t\tinc_nlink(inode);\n\t\tspin_unlock(&fi->lock);\n\t\tfuse_invalidate_attr(inode);\n\t\tfuse_update_ctime(inode);\n\t} else if (err == -EINTR) {\n\t\tfuse_invalidate_attr(inode);\n\t}\n\treturn err;\n}", "project": "linux", "hash": 111204237123767712059222760576753747853, "size": 39, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342053 }, { "func": "static inline int serialize_float_array(kstring_t *s, size_t n, const float *a) {\n uint8_t *p;\n size_t i;\n size_t bytes = n * sizeof(float);\n\n if (bytes / sizeof(float) != n) return -1;\n if (ks_resize(s, s->l + bytes) < 0) return -1;\n\n p = (uint8_t *) s->s + s->l;\n for (i = 0; i < n; i++) {\n float_to_le(a[i], p);\n p += sizeof(float);\n }\n s->l += bytes;\n\n return 0;\n}", "project": "htslib", "hash": 277308658575035287402883612369540394905, "size": 17, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402226 }, { "func": "static void tipc_node_write_unlock_fast(struct tipc_node *n)\n{\n\twrite_unlock_bh(&n->lock);\n}", "project": "linux", "hash": 243428121259010494410250303608290365840, "size": 4, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in 
tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc 
EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364908 }, { "func": "static inline void TCP_ECN_queue_cwr(struct tcp_sock *tp)\n{\n\tif (tp->ecn_flags & TCP_ECN_OK)\n\t\ttp->ecn_flags |= TCP_ECN_QUEUE_CWR;\n}", "project": "net-next", "hash": 117640427563543719336921923138588799332, "size": 5, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409924 }, { "func": "static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_read_link_policy *rp = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));\n\tif (conn)\n\t\tconn->link_policy = __le16_to_cpu(rp->policy);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 264285871933005987506813278501198176596, "size": 18, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432031 }, { "func": "static void hci_remote_features_evt(struct hci_dev *hdev,\n\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_remote_features *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));\n\tif (!conn)\n\t\tgoto unlock;\n\n\tif (!ev->status)\n\t\tmemcpy(conn->features[0], ev->features, 8);\n\n\tif (conn->state != BT_CONFIG)\n\t\tgoto unlock;\n\n\tif (!ev->status && lmp_ext_feat_capable(hdev) &&\n\t lmp_ext_feat_capable(conn)) {\n\t\tstruct hci_cp_read_remote_ext_features cp;\n\t\tcp.handle = ev->handle;\n\t\tcp.page = 0x01;\n\t\thci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,\n\t\t\t sizeof(cp), &cp);\n\t\tgoto unlock;\n\t}\n\n\tif (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {\n\t\tstruct hci_cp_remote_name_req cp;\n\t\tmemset(&cp, 0, sizeof(cp));\n\t\tbacpy(&cp.bdaddr, &conn->dst);\n\t\tcp.pscan_rep_mode = 0x02;\n\t\thci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);\n\t} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))\n\t\tmgmt_device_connected(hdev, conn, 0, NULL, 0);\n\n\tif (!hci_outgoing_auth_needed(hdev, conn)) {\n\t\tconn->state = BT_CONNECTED;\n\t\thci_connect_cfm(conn, ev->status);\n\t\thci_conn_drop(conn);\n\t}\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 59692412449418474792936818336930779669, "size": 48, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in 
hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431905 }, { "func": "static int __tipc_nl_add_node(struct tipc_nl_msg *msg, struct tipc_node *node)\n{\n\tvoid *hdr;\n\tstruct nlattr *attrs;\n\n\thdr = genlmsg_put(msg->skb, msg->portid, msg->seq, &tipc_genl_family,\n\t\t\t NLM_F_MULTI, TIPC_NL_NODE_GET);\n\tif (!hdr)\n\t\treturn -EMSGSIZE;\n\n\tattrs = nla_nest_start_noflag(msg->skb, TIPC_NLA_NODE);\n\tif (!attrs)\n\t\tgoto msg_full;\n\n\tif (nla_put_u32(msg->skb, TIPC_NLA_NODE_ADDR, node->addr))\n\t\tgoto attr_msg_full;\n\tif (node_is_up(node))\n\t\tif (nla_put_flag(msg->skb, TIPC_NLA_NODE_UP))\n\t\t\tgoto attr_msg_full;\n\n\tnla_nest_end(msg->skb, attrs);\n\tgenlmsg_end(msg->skb, hdr);\n\n\treturn 0;\n\nattr_msg_full:\n\tnla_nest_cancel(msg->skb, attrs);\nmsg_full:\n\tgenlmsg_cancel(msg->skb, hdr);\n\n\treturn -EMSGSIZE;\n}", "project": "linux", "hash": 196705740294430499932718532909320779894, "size": 32, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: 
syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 
0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364921 }, { "func": "int gdImageColorExact (gdImagePtr im, int r, int g, int b)\n{\n\treturn gdImageColorExactAlpha (im, r, g, b, gdAlphaOpaque);\n}", "project": "php-src", "hash": 79660373569015334613036103729434610741, "size": 4, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295182 }, { "func": "static void ov518_i2c_w(struct sd *sd,\n\t\tu8 reg,\n\t\tu8 value)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\n\tgspca_dbg(gspca_dev, D_USBO, \"ov518_i2c_w %02x %02x\\n\", reg, value);\n\n\t/* Select camera register */\n\treg_w(sd, R51x_I2C_SADDR_3, reg);\n\n\t/* Write \"value\" to I2C data port of OV511 */\n\treg_w(sd, R51x_I2C_DATA, value);\n\n\t/* Initiate 3-byte write cycle */\n\treg_w(sd, R518_I2C_CTL, 0x01);\n\n\t/* wait for write complete */\n\tmsleep(4);\n\treg_r8(sd, R518_I2C_CTL);\n}", "project": "linux", "hash": 189083040128127135456855615009831400621, "size": 21, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306312 }, { "func": "TEMPO CSoundFile::ConvertST2Tempo(uint8 tempo)\n{\n\tstatic const uint8 
ST2TempoFactor[] = { 140, 50, 25, 15, 10, 7, 6, 4, 3, 3, 2, 2, 2, 2, 1, 1 };\n\tstatic const uint32 st2MixingRate = 23863; // Highest possible setting in ST2\n\n\t// This underflows at tempo 06...0F, and the resulting tick lengths depend on the mixing rate.\n\tint32 samplesPerTick = st2MixingRate / (49 - ((ST2TempoFactor[tempo >> 4u] * (tempo & 0x0F)) >> 4u));\n\tif(samplesPerTick <= 0)\n\t\tsamplesPerTick += 65536;\n\treturn TEMPO().SetRaw(Util::muldivrfloor(st2MixingRate, 5 * TEMPO::fractFact, samplesPerTick * 2));\n}", "project": "openmpt", "hash": 175835188851026611040523461965368491825, "size": 11, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255229 }, { "func": "static void nf_tables_setelem_notify(const struct nft_ctx *ctx,\n\t\t\t\t const struct nft_set *set,\n\t\t\t\t const struct nft_set_elem *elem,\n\t\t\t\t int event, u16 flags)\n{\n\tstruct nftables_pernet *nft_net;\n\tstruct net *net = ctx->net;\n\tu32 portid = ctx->portid;\n\tstruct sk_buff *skb;\n\tint err;\n\n\tif (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))\n\t\treturn;\n\n\tskb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);\n\tif (skb == NULL)\n\t\tgoto err;\n\n\terr = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,\n\t\t\t\t\t set, elem);\n\tif (err < 0) {\n\t\tkfree_skb(skb);\n\t\tgoto err;\n\t}\n\n\tnft_net = nft_pernet(net);\n\tnft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);\n\treturn;\nerr:\n\tnfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);\n}", "project": "linux", "hash": 82472266391893867342658367052863912134, "size": 31, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", 
"message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328357 }, { "func": "static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo,\n char *dir_start, char *offset_base,\n char *end,\n size_t IFDlength, size_t displacement,\n int section_index) {\n int de;\n int NumDirEntries;\n int NextDirOffset;\n\n ImageInfo->sections_found |= FOUND_IFD0;\n\n CHECK_BUFFER_R(dir_start, end, 2, 0);\n NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);\n\n if ((dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)) {\n raise_warning(\"Illegal IFD size: x%04X + 2 + x%04X*12 = x%04X > x%04lX\",\n (int)((size_t)dir_start+2-(size_t)offset_base),\n NumDirEntries,\n (int)((size_t)dir_start+2+\n NumDirEntries*12-(size_t)offset_base), IFDlength);\n return 0;\n }\n\n for 
(de=0;demotorola_intel);\n if (NextDirOffset) {\n /* the next line seems false but here IFDlength means\n length of all IFDs */\n if (offset_base + NextDirOffset < offset_base ||\n offset_base + NextDirOffset > offset_base+IFDlength) {\n raise_warning(\"Illegal IFD offset\");\n return 0;\n }\n /* That is the IFD for the first thumbnail */\n if (exif_process_IFD_in_JPEG(ImageInfo, offset_base + NextDirOffset,\n offset_base, end, IFDlength, displacement,\n SECTION_THUMBNAIL)) {\n if (ImageInfo->Thumbnail.filetype != IMAGE_FILETYPE_UNKNOWN &&\n ImageInfo->Thumbnail.size &&\n ImageInfo->Thumbnail.offset &&\n ImageInfo->read_thumbnail) {\n exif_thumbnail_extract(ImageInfo, offset_base, IFDlength);\n }\n return 1;\n } else {\n return 0;\n }\n }\n return 1;\n}", "project": "hhvm", "hash": 148864523671208231220944448700688414230, "size": 70, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219721 }, { "func": "static void setcontrast(struct gspca_dev *gspca_dev, s32 val)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\tstatic const struct ov_i2c_regvals contrast_7660[][31] = {\n\t\t{{0x6c, 0xf0}, {0x6d, 0xf0}, {0x6e, 0xf8}, {0x6f, 0xa0},\n\t\t {0x70, 0x58}, {0x71, 0x38}, {0x72, 0x30}, {0x73, 0x30},\n\t\t {0x74, 0x28}, {0x75, 0x28}, {0x76, 0x24}, {0x77, 0x24},\n\t\t {0x78, 0x22}, {0x79, 0x28}, {0x7a, 0x2a}, {0x7b, 0x34},\n\t\t {0x7c, 0x0f}, {0x7d, 0x1e}, {0x7e, 0x3d}, {0x7f, 0x65},\n\t\t {0x80, 0x70}, {0x81, 0x77}, {0x82, 0x7d}, {0x83, 0x83},\n\t\t {0x84, 0x88}, {0x85, 0x8d}, {0x86, 0x96}, {0x87, 0x9f},\n\t\t {0x88, 0xb0}, {0x89, 0xc4}, {0x8a, 0xd9}},\n\t\t{{0x6c, 0xf0}, {0x6d, 0xf0}, {0x6e, 0xf8}, {0x6f, 0x94},\n\t\t {0x70, 0x58}, {0x71, 0x40}, {0x72, 0x30}, {0x73, 0x30},\n\t\t {0x74, 0x30}, {0x75, 0x30}, {0x76, 0x2c}, {0x77, 0x24},\n\t\t {0x78, 0x22}, {0x79, 0x28}, {0x7a, 0x2a}, {0x7b, 0x31},\n\t\t {0x7c, 0x0f}, {0x7d, 0x1e}, {0x7e, 0x3d}, 
{0x7f, 0x62},\n\t\t {0x80, 0x6d}, {0x81, 0x75}, {0x82, 0x7b}, {0x83, 0x81},\n\t\t {0x84, 0x87}, {0x85, 0x8d}, {0x86, 0x98}, {0x87, 0xa1},\n\t\t {0x88, 0xb2}, {0x89, 0xc6}, {0x8a, 0xdb}},\n\t\t{{0x6c, 0xf0}, {0x6d, 0xf0}, {0x6e, 0xf0}, {0x6f, 0x84},\n\t\t {0x70, 0x58}, {0x71, 0x48}, {0x72, 0x40}, {0x73, 0x40},\n\t\t {0x74, 0x28}, {0x75, 0x28}, {0x76, 0x28}, {0x77, 0x24},\n\t\t {0x78, 0x26}, {0x79, 0x28}, {0x7a, 0x28}, {0x7b, 0x34},\n\t\t {0x7c, 0x0f}, {0x7d, 0x1e}, {0x7e, 0x3c}, {0x7f, 0x5d},\n\t\t {0x80, 0x68}, {0x81, 0x71}, {0x82, 0x79}, {0x83, 0x81},\n\t\t {0x84, 0x86}, {0x85, 0x8b}, {0x86, 0x95}, {0x87, 0x9e},\n\t\t {0x88, 0xb1}, {0x89, 0xc5}, {0x8a, 0xd9}},\n\t\t{{0x6c, 0xf0}, {0x6d, 0xf0}, {0x6e, 0xf0}, {0x6f, 0x70},\n\t\t {0x70, 0x58}, {0x71, 0x58}, {0x72, 0x48}, {0x73, 0x48},\n\t\t {0x74, 0x38}, {0x75, 0x40}, {0x76, 0x34}, {0x77, 0x34},\n\t\t {0x78, 0x2e}, {0x79, 0x28}, {0x7a, 0x24}, {0x7b, 0x22},\n\t\t {0x7c, 0x0f}, {0x7d, 0x1e}, {0x7e, 0x3c}, {0x7f, 0x58},\n\t\t {0x80, 0x63}, {0x81, 0x6e}, {0x82, 0x77}, {0x83, 0x80},\n\t\t {0x84, 0x87}, {0x85, 0x8f}, {0x86, 0x9c}, {0x87, 0xa9},\n\t\t {0x88, 0xc0}, {0x89, 0xd4}, {0x8a, 0xe6}},\n\t\t{{0x6c, 0xa0}, {0x6d, 0xf0}, {0x6e, 0x90}, {0x6f, 0x80},\n\t\t {0x70, 0x70}, {0x71, 0x80}, {0x72, 0x60}, {0x73, 0x60},\n\t\t {0x74, 0x58}, {0x75, 0x60}, {0x76, 0x4c}, {0x77, 0x38},\n\t\t {0x78, 0x38}, {0x79, 0x2a}, {0x7a, 0x20}, {0x7b, 0x0e},\n\t\t {0x7c, 0x0a}, {0x7d, 0x14}, {0x7e, 0x26}, {0x7f, 0x46},\n\t\t {0x80, 0x54}, {0x81, 0x64}, {0x82, 0x70}, {0x83, 0x7c},\n\t\t {0x84, 0x87}, {0x85, 0x93}, {0x86, 0xa6}, {0x87, 0xb4},\n\t\t {0x88, 0xd0}, {0x89, 0xe5}, {0x8a, 0xf5}},\n\t\t{{0x6c, 0x60}, {0x6d, 0x80}, {0x6e, 0x60}, {0x6f, 0x80},\n\t\t {0x70, 0x80}, {0x71, 0x80}, {0x72, 0x88}, {0x73, 0x30},\n\t\t {0x74, 0x70}, {0x75, 0x68}, {0x76, 0x64}, {0x77, 0x50},\n\t\t {0x78, 0x3c}, {0x79, 0x22}, {0x7a, 0x10}, {0x7b, 0x08},\n\t\t {0x7c, 0x06}, {0x7d, 0x0e}, {0x7e, 0x1a}, {0x7f, 0x3a},\n\t\t {0x80, 0x4a}, {0x81, 0x5a}, {0x82, 0x6b}, 
{0x83, 0x7b},\n\t\t {0x84, 0x89}, {0x85, 0x96}, {0x86, 0xaf}, {0x87, 0xc3},\n\t\t {0x88, 0xe1}, {0x89, 0xf2}, {0x8a, 0xfa}},\n\t\t{{0x6c, 0x20}, {0x6d, 0x40}, {0x6e, 0x20}, {0x6f, 0x60},\n\t\t {0x70, 0x88}, {0x71, 0xc8}, {0x72, 0xc0}, {0x73, 0xb8},\n\t\t {0x74, 0xa8}, {0x75, 0xb8}, {0x76, 0x80}, {0x77, 0x5c},\n\t\t {0x78, 0x26}, {0x79, 0x10}, {0x7a, 0x08}, {0x7b, 0x04},\n\t\t {0x7c, 0x02}, {0x7d, 0x06}, {0x7e, 0x0a}, {0x7f, 0x22},\n\t\t {0x80, 0x33}, {0x81, 0x4c}, {0x82, 0x64}, {0x83, 0x7b},\n\t\t {0x84, 0x90}, {0x85, 0xa7}, {0x86, 0xc7}, {0x87, 0xde},\n\t\t {0x88, 0xf1}, {0x89, 0xf9}, {0x8a, 0xfd}},\n\t};\n\n\tswitch (sd->sensor) {\n\tcase SEN_OV7610:\n\tcase SEN_OV6620:\n\t\ti2c_w(sd, OV7610_REG_CNT, val);\n\t\tbreak;\n\tcase SEN_OV6630:\n\tcase SEN_OV66308AF:\n\t\ti2c_w_mask(sd, OV7610_REG_CNT, val >> 4, 0x0f);\n\t\tbreak;\n\tcase SEN_OV8610: {\n\t\tstatic const u8 ctab[] = {\n\t\t\t0x03, 0x09, 0x0b, 0x0f, 0x53, 0x6f, 0x35, 0x7f\n\t\t};\n\n\t\t/* Use Y gamma control instead. Bit 0 enables it. */\n\t\ti2c_w(sd, 0x64, ctab[val >> 5]);\n\t\tbreak;\n\t }\n\tcase SEN_OV7620:\n\tcase SEN_OV7620AE: {\n\t\tstatic const u8 ctab[] = {\n\t\t\t0x01, 0x05, 0x09, 0x11, 0x15, 0x35, 0x37, 0x57,\n\t\t\t0x5b, 0xa5, 0xa7, 0xc7, 0xc9, 0xcf, 0xef, 0xff\n\t\t};\n\n\t\t/* Use Y gamma control instead. Bit 0 enables it. 
*/\n\t\ti2c_w(sd, 0x64, ctab[val >> 4]);\n\t\tbreak;\n\t }\n\tcase SEN_OV7660:\n\t\twrite_i2c_regvals(sd, contrast_7660[val],\n\t\t\t\t\tARRAY_SIZE(contrast_7660[0]));\n\t\tbreak;\n\tcase SEN_OV7670:\n\t\t/* check that this isn't just the same as ov7610 */\n\t\ti2c_w(sd, OV7670_R56_CONTRAS, val >> 1);\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 307293915917260478051535155330726268398, "size": 101, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306288 }, { "func": "int nfs4_lock_delegation_recall(struct file_lock *fl, struct nfs4_state *state, const nfs4_stateid *stateid)\n{\n\tstruct nfs_server *server = NFS_SERVER(state->inode);\n\tint err;\n\n\terr = nfs4_set_lock_state(state, fl);\n\tif (err != 0)\n\t\treturn err;\n\terr = _nfs4_do_setlk(state, F_SETLK, fl, NFS_LOCK_NEW);\n\treturn nfs4_handle_delegation_recall_error(server, state, stateid, fl, err);\n}", "project": "linux", "hash": 329240239550223058725112689405112754815, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client 
implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431255 }, { "func": "Status GraphConstructor::MakeNode(NodeDef&& node_def, Node** node) {\n // Add the node to the graph.\n Status status;\n *node = g_->AddNode(std::move(node_def), &status);\n if (!status.ok()) return status;\n if (opts_.expect_device_spec) {\n (*node)->set_assigned_device_name((*node)->def().device());\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 11950387068991207906836401582303512039, "size": 10, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268363 }, { "func": "int decode_attr_bl_single_value(map& attrs, const char *attr_name, T *result, T def_val)\n{\n map::iterator iter = attrs.find(attr_name);\n if (iter == attrs.end()) {\n *result = def_val;\n return 0;\n }\n bufferlist& bl = iter->second;\n if (bl.length() == 0) {\n *result = def_val;\n return 0;\n }\n bufferlist::iterator bliter = bl.begin();\n try {\n decode(*result, bliter);\n } catch (buffer::error& err) {\n return -EIO;\n }\n return 0;\n}", "project": "ceph", "hash": 68675102409870091580640502506188201806, "size": 20, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281327 }, { "func": "static int ca8210_xmit_async(struct ieee802154_hw *hw, struct sk_buff *skb)\n{\n\tstruct ca8210_priv *priv = hw->priv;\n\tint status;\n\n\tdev_dbg(&priv->spi->dev, \"calling %s\\n\", __func__);\n\n\tpriv->tx_skb = skb;\n\tpriv->async_tx_pending = true;\n\tstatus = ca8210_skb_tx(skb, priv->nextmsduhandle, priv);\n\treturn status;\n}", "project": "linux", "hash": 176824861544463818344815778736877375075, "size": 12, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: 
https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408770 }, { "func": "static inline void encode_createmode(struct xdr_stream *xdr, const struct nfs_openargs *arg)\n{\n\t__be32 *p;\n\n\tp = reserve_space(xdr, 4);\n\tswitch(arg->createmode) {\n\tcase NFS4_CREATE_UNCHECKED:\n\t\t*p = cpu_to_be32(NFS4_CREATE_UNCHECKED);\n\t\tencode_attrs(xdr, arg->u.attrs, arg->label, &arg->umask,\n\t\t\t\targ->server, arg->server->attr_bitmask);\n\t\tbreak;\n\tcase NFS4_CREATE_GUARDED:\n\t\t*p = cpu_to_be32(NFS4_CREATE_GUARDED);\n\t\tencode_attrs(xdr, arg->u.attrs, arg->label, &arg->umask,\n\t\t\t\targ->server, arg->server->attr_bitmask);\n\t\tbreak;\n\tcase NFS4_CREATE_EXCLUSIVE:\n\t\t*p = cpu_to_be32(NFS4_CREATE_EXCLUSIVE);\n\t\tencode_nfs4_verifier(xdr, &arg->u.verifier);\n\t\tbreak;\n\tcase NFS4_CREATE_EXCLUSIVE4_1:\n\t\t*p = cpu_to_be32(NFS4_CREATE_EXCLUSIVE4_1);\n\t\tencode_nfs4_verifier(xdr, &arg->u.verifier);\n\t\tencode_attrs(xdr, arg->u.attrs, arg->label, &arg->umask,\n\t\t\t\targ->server, arg->server->exclcreat_bitmask);\n\t}\n}", "project": "linux", "hash": 66260680357764880605934724009391993331, "size": 27, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431352 }, { "func": "int hci_req_update_adv_data(struct hci_dev *hdev, u8 instance)\n{\n\tstruct hci_request req;\n\n\thci_req_init(&req, hdev);\n\t__hci_req_update_adv_data(&req, instance);\n\n\treturn hci_req_run(&req, NULL);\n}", "project": "linux", "hash": 
106091634462658146333602328410332386347, "size": 9, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402572 }, { "func": "static u64 current_task_runtime_100ns(void)\n{\n\tu64 utime, stime;\n\n\ttask_cputime_adjusted(current, &utime, &stime);\n\n\treturn div_u64(utime + stime, 100);\n}", "project": "linux", "hash": 113663000410441515739466957556052490390, "size": 8, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n 
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343504 }, { "func": "static int lz4hc_wrap_compress(const char* input, size_t input_length,\n char* output, size_t maxout, int clevel) {\n int cbytes;\n if (input_length > (size_t)(UINT32_C(2) << 30))\n return -1; /* input larger than 2 GB is not supported */\n /* clevel for lz4hc goes up to 12, at least in LZ4 1.7.5\n * but levels larger than 9 do not buy much compression. 
*/\n cbytes = LZ4_compress_HC(input, output, (int)input_length, (int)maxout,\n clevel);\n return cbytes;\n}", "project": "c-blosc2", "hash": 279215564769103879577758810273063110517, "size": 11, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303106 }, { "func": "void kvm_arch_vcpu_block_finish(struct kvm_vcpu *vcpu)\n{\n\tvcpu->valid_wakeup = false;\n}", "project": "linux", "hash": 83816182886586903378065042854536401305, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354774 }, { "func": "DwaCompressor::compress\n (const char *inPtr,\n int inSize,\n int minY,\n const char *&outPtr)\n{\n return compress\n (inPtr,\n inSize, \n IMATH_NAMESPACE::Box2i (IMATH_NAMESPACE::V2i (_min[0], minY),\n IMATH_NAMESPACE::V2i (_max[0], minY + numScanLines() - 1)),\n outPtr);\n}", "project": "openexr", "hash": 115267357343848316313850686110162888004, "size": 13, "commit_id": "3eda5d70aba127bae9bd6bae9956fcf024b64031", "message": "fixes for DWA uncompress: sanity check unknown data reading, off-by-one error on max suffix string length\n\nSigned-off-by: Peter Hillman ", "target": 0, "dataset": "other", "idx": 440087 }, { "func": "DwaCompressor::compress\n 
(const char *inPtr,\n int inSize,\n IMATH_NAMESPACE::Box2i range,\n const char *&outPtr)\n{\n const char *inDataPtr = inPtr;\n char *packedAcEnd = 0;\n char *packedDcEnd = 0; \n int fileVersion = 2; // Starting with 2, we write the channel\n // classification rules into the file\n\n if (fileVersion < 2) \n initializeLegacyChannelRules();\n else \n initializeDefaultChannelRules();\n\n size_t outBufferSize = 0;\n initializeBuffers(outBufferSize);\n\n unsigned short channelRuleSize = 0;\n std::vector channelRules;\n if (fileVersion >= 2) \n {\n relevantChannelRules(channelRules);\n\n channelRuleSize = Xdr::size();\n for (size_t i = 0; i < channelRules.size(); ++i) \n channelRuleSize += channelRules[i].size();\n }\n\n //\n // Remember to allocate _outBuffer, if we haven't done so already.\n //\n\n outBufferSize += channelRuleSize;\n if (outBufferSize > _outBufferSize) \n {\n _outBufferSize = outBufferSize;\n if (_outBuffer != 0)\n delete[] _outBuffer; \n _outBuffer = new char[outBufferSize];\n }\n\n char *outDataPtr = &_outBuffer[NUM_SIZES_SINGLE * sizeof(OPENEXR_IMF_NAMESPACE::Int64) +\n channelRuleSize];\n\n //\n // We might not be dealing with any color data, in which\n // case the AC buffer size will be 0, and deferencing\n // a vector will not be a good thing to do.\n //\n\n if (_packedAcBuffer)\n packedAcEnd = _packedAcBuffer;\n\n if (_packedDcBuffer)\n packedDcEnd = _packedDcBuffer;\n\n #define OBIDX(x) (Int64 *)&_outBuffer[x * sizeof (Int64)]\n\n Int64 *version = OBIDX (VERSION);\n Int64 *unknownUncompressedSize = OBIDX (UNKNOWN_UNCOMPRESSED_SIZE);\n Int64 *unknownCompressedSize = OBIDX (UNKNOWN_COMPRESSED_SIZE);\n Int64 *acCompressedSize = OBIDX (AC_COMPRESSED_SIZE);\n Int64 *dcCompressedSize = OBIDX (DC_COMPRESSED_SIZE);\n Int64 *rleCompressedSize = OBIDX (RLE_COMPRESSED_SIZE);\n Int64 *rleUncompressedSize = OBIDX (RLE_UNCOMPRESSED_SIZE);\n Int64 *rleRawSize = OBIDX (RLE_RAW_SIZE);\n\n Int64 *totalAcUncompressedCount = OBIDX (AC_UNCOMPRESSED_COUNT);\n Int64 
*totalDcUncompressedCount = OBIDX (DC_UNCOMPRESSED_COUNT);\n\n Int64 *acCompression = OBIDX (AC_COMPRESSION);\n\n int minX = range.min.x;\n int maxX = std::min(range.max.x, _max[0]);\n int minY = range.min.y;\n int maxY = std::min(range.max.y, _max[1]);\n\n //\n // Zero all the numbers in the chunk header\n //\n\n memset (_outBuffer, 0, NUM_SIZES_SINGLE * sizeof (Int64));\n\n //\n // Setup the AC compression strategy and the version in the data block,\n // then write the relevant channel classification rules if needed\n //\n *version = fileVersion; \n *acCompression = _acCompression;\n\n setupChannelData (minX, minY, maxX, maxY);\n\n if (fileVersion >= 2) \n {\n char *writePtr = &_outBuffer[NUM_SIZES_SINGLE * sizeof(OPENEXR_IMF_NAMESPACE::Int64)];\n Xdr::write (writePtr, channelRuleSize);\n \n for (size_t i = 0; i < channelRules.size(); ++i) \n channelRules[i].write(writePtr);\n }\n\n //\n // Determine the start of each row in the input buffer\n // Channels are interleaved by scanline\n //\n\n std::vector encodedChannels (_channelData.size());\n std::vector< std::vector > rowPtrs (_channelData.size());\n\n for (unsigned int chan = 0; chan < _channelData.size(); ++chan)\n encodedChannels[chan] = false;\n\n inDataPtr = inPtr;\n\n for (int y = minY; y <= maxY; ++y)\n {\n for (unsigned int chan = 0; chan < _channelData.size(); ++chan)\n {\n\n ChannelData *cd = &_channelData[chan];\n\n if (IMATH_NAMESPACE::modp(y, cd->ySampling) != 0)\n continue;\n\n rowPtrs[chan].push_back(inDataPtr);\n inDataPtr += cd->width * OPENEXR_IMF_NAMESPACE::pixelTypeSize(cd->type);\n }\n }\n\n inDataPtr = inPtr;\n\n // \n // Make a pass over all our CSC sets and try to encode them first\n // \n\n for (unsigned int csc = 0; csc < _cscSets.size(); ++csc)\n {\n\n LossyDctEncoderCsc encoder\n (_dwaCompressionLevel / 100000.f,\n rowPtrs[_cscSets[csc].idx[0]],\n rowPtrs[_cscSets[csc].idx[1]],\n rowPtrs[_cscSets[csc].idx[2]],\n packedAcEnd,\n packedDcEnd,\n dwaCompressorToNonlinear,\n 
_channelData[_cscSets[csc].idx[0]].width,\n _channelData[_cscSets[csc].idx[0]].height,\n _channelData[_cscSets[csc].idx[0]].type,\n _channelData[_cscSets[csc].idx[1]].type,\n _channelData[_cscSets[csc].idx[2]].type);\n\n encoder.execute();\n\n *totalAcUncompressedCount += encoder.numAcValuesEncoded();\n *totalDcUncompressedCount += encoder.numDcValuesEncoded();\n\n packedAcEnd += encoder.numAcValuesEncoded() * sizeof(unsigned short);\n packedDcEnd += encoder.numDcValuesEncoded() * sizeof(unsigned short);\n\n encodedChannels[_cscSets[csc].idx[0]] = true;\n encodedChannels[_cscSets[csc].idx[1]] = true;\n encodedChannels[_cscSets[csc].idx[2]] = true;\n }\n\n for (unsigned int chan = 0; chan < _channelData.size(); ++chan)\n {\n ChannelData *cd = &_channelData[chan];\n\n if (encodedChannels[chan])\n continue;\n\n switch (cd->compression)\n {\n case LOSSY_DCT:\n\n //\n // For LOSSY_DCT, treat this just like the CSC'd case,\n // but only operate on one channel\n //\n\n {\n const unsigned short *nonlinearLut = 0;\n\n if (!cd->pLinear)\n nonlinearLut = dwaCompressorToNonlinear; \n\n LossyDctEncoder encoder\n (_dwaCompressionLevel / 100000.f,\n rowPtrs[chan],\n packedAcEnd,\n packedDcEnd,\n nonlinearLut,\n cd->width,\n cd->height,\n cd->type);\n\n encoder.execute();\n\n *totalAcUncompressedCount += encoder.numAcValuesEncoded();\n *totalDcUncompressedCount += encoder.numDcValuesEncoded();\n\n packedAcEnd +=\n encoder.numAcValuesEncoded() * sizeof (unsigned short);\n\n packedDcEnd +=\n encoder.numDcValuesEncoded() * sizeof (unsigned short);\n }\n\n break;\n\n case RLE:\n\n //\n // For RLE, bash the bytes up so that the first bytes of each\n // pixel are contingous, as are the second bytes, and so on.\n //\n\n for (unsigned int y = 0; y < rowPtrs[chan].size(); ++y)\n {\n const char *row = rowPtrs[chan][y];\n\n for (int x = 0; x < cd->width; ++x)\n {\n for (int byte = 0;\n byte < OPENEXR_IMF_NAMESPACE::pixelTypeSize (cd->type);\n ++byte)\n {\n \n *cd->planarUncRleEnd[byte]++ = 
*row++;\n }\n }\n\n *rleRawSize += cd->width * OPENEXR_IMF_NAMESPACE::pixelTypeSize(cd->type);\n }\n\n break;\n\n case UNKNOWN:\n \n //\n // Otherwise, just copy data over verbatim\n //\n\n {\n int scanlineSize = cd->width * OPENEXR_IMF_NAMESPACE::pixelTypeSize(cd->type);\n\n for (unsigned int y = 0; y < rowPtrs[chan].size(); ++y)\n {\n memcpy (cd->planarUncBufferEnd,\n rowPtrs[chan][y],\n scanlineSize);\n \n cd->planarUncBufferEnd += scanlineSize;\n }\n\n *unknownUncompressedSize += cd->planarUncSize;\n }\n\n break;\n\n default:\n\n assert (false);\n }\n\n encodedChannels[chan] = true;\n }\n\n //\n // Pack the Unknown data into the output buffer first. Instead of\n // just copying it uncompressed, try zlib compression at least.\n //\n\n if (*unknownUncompressedSize > 0)\n {\n uLongf inSize = (uLongf)(*unknownUncompressedSize);\n uLongf outSize = compressBound (inSize);\n\n if (Z_OK != ::compress2 ((Bytef *)outDataPtr,\n &outSize,\n (const Bytef *)_planarUncBuffer[UNKNOWN],\n inSize,\n 9))\n {\n throw IEX_NAMESPACE::BaseExc (\"Data compression (zlib) failed.\");\n }\n\n outDataPtr += outSize;\n *unknownCompressedSize = outSize;\n }\n\n //\n // Now, pack all the Lossy DCT coefficients into our output\n // buffer, with Huffman encoding.\n //\n // Also, record the compressed size and the number of \n // uncompressed componentns we have.\n //\n\n if (*totalAcUncompressedCount > 0)\n { \n switch (_acCompression)\n {\n case STATIC_HUFFMAN:\n\n *acCompressedSize = (int)\n hufCompress((unsigned short *)_packedAcBuffer,\n (int)*totalAcUncompressedCount,\n outDataPtr); \n break;\n\n case DEFLATE:\n\n {\n uLongf destLen = compressBound (\n (*totalAcUncompressedCount) * sizeof (unsigned short));\n\n if (Z_OK != ::compress2\n ((Bytef *)outDataPtr,\n &destLen,\n (Bytef *)_packedAcBuffer, \n (uLong)(*totalAcUncompressedCount\n * sizeof (unsigned short)),\n 9))\n {\n throw IEX_NAMESPACE::InputExc (\"Data compression (zlib) failed.\");\n }\n\n *acCompressedSize = destLen; \n }\n\n 
break;\n\n default:\n \n assert (false);\n }\n\n outDataPtr += *acCompressedSize;\n }\n\n // \n // Handle the DC components separately\n //\n\n if (*totalDcUncompressedCount > 0)\n {\n *dcCompressedSize = _zip->compress\n (_packedDcBuffer,\n (int)(*totalDcUncompressedCount) * sizeof (unsigned short),\n outDataPtr);\n\n outDataPtr += *dcCompressedSize;\n }\n\n // \n // If we have RLE data, first RLE encode it and set the uncompressed\n // size. Then, deflate the results and set the compressed size.\n // \n\n if (*rleRawSize > 0)\n {\n *rleUncompressedSize = rleCompress\n ((int)(*rleRawSize),\n _planarUncBuffer[RLE],\n (signed char *)_rleBuffer);\n\n uLongf dstLen = compressBound ((uLongf)*rleUncompressedSize);\n\n if (Z_OK != ::compress2\n ((Bytef *)outDataPtr, \n &dstLen, \n (Bytef *)_rleBuffer, \n (uLong)(*rleUncompressedSize),\n 9))\n {\n throw IEX_NAMESPACE::BaseExc (\"Error compressing RLE'd data.\");\n }\n \n *rleCompressedSize = dstLen;\n outDataPtr += *rleCompressedSize;\n }\n\n // \n // Flip the counters to XDR format\n // \n\n for (int i = 0; i < NUM_SIZES_SINGLE; ++i)\n {\n Int64 src = *(((Int64 *)_outBuffer) + i);\n char *dst = (char *)(((Int64 *)_outBuffer) + i);\n\n Xdr::write (dst, src);\n }\n\n //\n // We're done - compute the number of bytes we packed\n //\n\n outPtr = _outBuffer;\n\n return static_cast(outDataPtr - _outBuffer + 1);\n}", "project": "openexr", "hash": 224486400876041024959734775900661501302, "size": 407, "commit_id": "3eda5d70aba127bae9bd6bae9956fcf024b64031", "message": "fixes for DWA uncompress: sanity check unknown data reading, off-by-one error on max suffix string length\n\nSigned-off-by: Peter Hillman ", "target": 0, "dataset": "other", "idx": 440091 }, { "func": "static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\n\tdo {\n\t\terr = _nfs4_do_fsinfo(server, fhandle, 
fsinfo);\n\t\ttrace_nfs4_fsinfo(server, fhandle, fsinfo->fattr, err);\n\t\tif (err == 0) {\n\t\t\tnfs4_set_lease_period(server->nfs_client, fsinfo->lease_time * HZ);\n\t\t\tbreak;\n\t\t}\n\t\terr = nfs4_handle_exception(server, err, &exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 6343356347002640392754873654283573524, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431008 }, { "func": "static void kvm_s390_set_crycb_format(struct kvm *kvm)\n{\n\tkvm->arch.crypto.crycbd = (__u32)(unsigned long) kvm->arch.crypto.crycb;\n\n\t/* Clear the CRYCB format bits - i.e., set format 0 by default */\n\tkvm->arch.crypto.crycbd &= ~(CRYCB_FORMAT_MASK);\n\n\t/* Check whether MSAX3 is installed */\n\tif (!test_kvm_facility(kvm, 76))\n\t\treturn;\n\n\tif (kvm_s390_apxa_installed())\n\t\tkvm->arch.crypto.crycbd |= CRYCB_FORMAT2;\n\telse\n\t\tkvm->arch.crypto.crycbd |= CRYCB_FORMAT1;\n}", "project": "linux", "hash": 318552957944837826941691377524506106065, "size": 16, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean 
Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354564 }, { "func": "static inline u32 tcp_rto_min_us(struct sock *sk)\n{\n\treturn jiffies_to_usecs(tcp_rto_min(sk));\n}", "project": "linux", "hash": 152027381256072452252388638643992511309, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410824 }, { "func": "static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)\n{\n\tstruct nfs_server *server = NFS_SERVER(state->inode);\n\tstruct nfs4_exception exception = {\n\t\t.inode = state->inode,\n\t};\n\tint err;\n\n\tdo {\n\t\t/* Cache the lock if possible... 
*/\n\t\tif (test_bit(NFS_DELEGATED_STATE, &state->flags) != 0)\n\t\t\treturn 0;\n\t\terr = _nfs4_do_setlk(state, F_SETLK, request, NFS_LOCK_RECLAIM);\n\t\tif (err != -NFS4ERR_DELAY)\n\t\t\tbreak;\n\t\tnfs4_handle_exception(server, err, &exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 66226475875697069342659284216485242193, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431007 }, { "func": "extern \"C\" bool enc_is_error_handler_set() { return error_handler != nullptr; }", "project": "asylo", "hash": 143632450360697652275702765859899619311, "size": 1, "commit_id": "90d7619e9dd99bcdb6cd28c7649d741d254d9a1a", "message": "Add sysno check in MessageReader\n\nThe sysno in MessageReader is interpreted from the Message header passed\nfrom the host. A malicious Message header may provide a modified sysno\nto bypass the validation, and overwrites enclave memory. 
This change\nadds a check for sysno to make sure it matches the expected value.\n\nThis issue was reported by Qinkun Bao, Zhaofeng Chen, Mingshen Sun, and\nKang Li from Baidu Security.\n\nPiperOrigin-RevId: 377328054\nChange-Id: I3ff6f60694d3390f66da89d139cf7cc7b49abaea", "target": 0, "dataset": "other", "idx": 248771 }, { "func": "static int initialize_context_compression(\n blosc2_context* context, const void* src, int32_t srcsize, void* dest,\n int32_t destsize, int clevel, uint8_t const *filters,\n uint8_t const *filters_meta, int32_t typesize, int compressor,\n int32_t blocksize, int new_nthreads, int nthreads, blosc2_schunk* schunk) {\n\n /* Set parameters */\n context->do_compress = 1;\n context->src = (const uint8_t*)src;\n context->srcsize = srcsize;\n context->dest = (uint8_t*)dest;\n context->output_bytes = 0;\n context->destsize = destsize;\n context->sourcesize = srcsize;\n context->typesize = (int32_t)typesize;\n context->filter_flags = filters_to_flags(filters);\n for (int i = 0; i < BLOSC2_MAX_FILTERS; i++) {\n context->filters[i] = filters[i];\n context->filters_meta[i] = filters_meta[i];\n }\n context->compcode = compressor;\n context->nthreads = nthreads;\n context->new_nthreads = new_nthreads;\n context->end_threads = 0;\n context->clevel = clevel;\n context->schunk = schunk;\n\n /* Tune some compression parameters */\n context->blocksize = (int32_t)blocksize;\n if (context->btune != NULL) {\n btune_next_cparams(context);\n } else {\n btune_next_blocksize(context);\n }\n\n char* envvar = getenv(\"BLOSC_WARN\");\n int warnlvl = 0;\n if (envvar != NULL) {\n warnlvl = strtol(envvar, NULL, 10);\n }\n\n /* Check buffer size limits */\n if (srcsize > BLOSC_MAX_BUFFERSIZE) {\n if (warnlvl > 0) {\n fprintf(stderr, \"Input buffer size cannot exceed %d bytes\\n\",\n BLOSC_MAX_BUFFERSIZE);\n }\n return 0;\n }\n\n if (destsize < BLOSC_MAX_OVERHEAD) {\n if (warnlvl > 0) {\n fprintf(stderr, \"Output buffer size should be larger than %d bytes\\n\",\n 
BLOSC_MAX_OVERHEAD);\n }\n return 0;\n }\n\n if (destsize < BLOSC_MAX_OVERHEAD) {\n if (warnlvl > 0) {\n fprintf(stderr, \"Output buffer size should be larger than %d bytes\\n\",\n BLOSC_MAX_OVERHEAD);\n }\n return -2;\n }\n if (destsize < BLOSC_MAX_OVERHEAD) {\n fprintf(stderr, \"Output buffer size should be larger than %d bytes\\n\",\n BLOSC_MAX_OVERHEAD);\n return -1;\n }\n\n /* Compression level */\n if (clevel < 0 || clevel > 9) {\n /* If clevel not in 0..9, print an error */\n fprintf(stderr, \"`clevel` parameter must be between 0 and 9!\\n\");\n return -10;\n }\n\n /* Check typesize limits */\n if (context->typesize > BLOSC_MAX_TYPESIZE) {\n /* If typesize is too large, treat buffer as an 1-byte stream. */\n context->typesize = 1;\n }\n\n /* Compute number of blocks in buffer */\n context->nblocks = context->sourcesize / context->blocksize;\n context->leftover = context->sourcesize % context->blocksize;\n context->nblocks = (context->leftover > 0) ?\n (context->nblocks + 1) : context->nblocks;\n\n return 1;\n}", "project": "c-blosc2", "hash": 256610020310038494476349722072121871962, "size": 92, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303128 }, { "func": "std::shared_ptr CWebSock::GetSession() {\n if (m_spSession) {\n return m_spSession;\n }\n\n const CString sCookieSessionId = GetRequestCookie(\"SessionId\");\n std::shared_ptr* pSession =\n Sessions.m_mspSessions.GetItem(sCookieSessionId);\n\n if (pSession != nullptr) {\n // Refresh the timeout\n Sessions.m_mspSessions.AddItem((*pSession)->GetId(), *pSession);\n (*pSession)->UpdateLastActive();\n m_spSession = *pSession;\n DEBUG(\"Found existing session from cookie: [\" + sCookieSessionId +\n \"] IsLoggedIn(\" +\n CString((*pSession)->IsLoggedIn()\n ? 
\"true, \" + ((*pSession)->GetUser()->GetUserName())\n : \"false\") +\n \")\");\n return *pSession;\n }\n\n if (Sessions.m_mIPSessions.count(GetRemoteIP()) > m_uiMaxSessions) {\n pair p =\n Sessions.m_mIPSessions.equal_range(GetRemoteIP());\n mIPSessionsIterator it =\n std::min_element(p.first, p.second, compareLastActive);\n DEBUG(\"Remote IP: \" << GetRemoteIP() << \"; discarding session [\"\n << it->second->GetId() << \"]\");\n Sessions.m_mspSessions.RemItem(it->second->GetId());\n }\n\n CString sSessionID;\n do {\n sSessionID = CString::RandomString(32);\n sSessionID += \":\" + GetRemoteIP() + \":\" + CString(GetRemotePort());\n sSessionID += \":\" + GetLocalIP() + \":\" + CString(GetLocalPort());\n sSessionID += \":\" + CString(time(nullptr));\n sSessionID = sSessionID.SHA256();\n\n DEBUG(\"Auto generated session: [\" + sSessionID + \"]\");\n } while (Sessions.m_mspSessions.HasItem(sSessionID));\n\n std::shared_ptr spSession(\n new CWebSession(sSessionID, GetRemoteIP()));\n Sessions.m_mspSessions.AddItem(spSession->GetId(), spSession);\n\n m_spSession = spSession;\n\n return spSession;\n}", "project": "znc", "hash": 122866846816825854975414905122882811595, "size": 52, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265778 }, { "func": "static __poll_t ep_eventpoll_poll(struct file *file, poll_table *wait)\n{\n\tstruct eventpoll *ep = file->private_data;\n\tint depth = 0;\n\n\t/* Insert inside our poll wait queue */\n\tpoll_wait(file, &ep->poll_wait, wait);\n\n\t/*\n\t * Proceed to find out if wanted events are really available inside\n\t * the ready list.\n\t */\n\treturn ep_scan_ready_list(ep, ep_read_events_proc,\n\t\t\t\t &depth, depth, false);\n}", "project": "linux", "hash": 231260843009780045507048968008679603471, "size": 15, "commit_id": 
"52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336280 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "WebString WebGraphicsContext3DDefaultImpl::getShaderInfoLog(WebGLId shader)\n{\n makeContextCurrent();\n\n ShaderSourceMap::iterator result = m_shaderSourceMap.find(shader);\n if (result != m_shaderSourceMap.end()) {\n ShaderSourceEntry* entry = result->second;\n ASSERT(entry);\n if (!entry->isValid) {\n if (!entry->log)\n return WebString();\n WebString res = WebString::fromUTF8(entry->log, strlen(entry->log));\n return res;\n }\n }\n\n GLint logLength = 0;\n glGetShaderiv(shader, GL_INFO_LOG_LENGTH, &logLength);\n if (logLength <= 1)\n return WebString();\n GLchar* log = 0;\n if (!tryFastMalloc(logLength * sizeof(GLchar)).getValue(log))\n return WebString();\n GLsizei returnedLogLength;\n glGetShaderInfoLog(shader, logLength, &returnedLogLength, log);\n ASSERT(logLength == returnedLogLength + 1);\n WebString res = WebString::fromUTF8(log, returnedLogLength);\n fastFree(log);\n return res;\n}\n", "cwe": "", "big_vul_idx": 99004, "idx": 89061, "hash": 187231434059223314861811821574173362991 }, { "func": "void no_tty(void)\n{\n\t/* FIXME: Review locking here. 
The tty_lock never covered any race\n\t between a new association and proc_clear_tty but possible we need\n\t to protect against this anyway */\n\tstruct task_struct *tsk = current;\n\tdisassociate_ctty(0);\n\tproc_clear_tty(tsk);\n}", "project": "linux", "hash": 329861109063172023348722777277518785763, "size": 9, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325979 }, { "func": "static int fuse_create_open(struct inode *dir, struct dentry *entry,\n\t\t\t struct file *file, unsigned flags,\n\t\t\t umode_t mode)\n{\n\tint err;\n\tstruct inode *inode;\n\tstruct fuse_mount *fm = get_fuse_mount(dir);\n\tFUSE_ARGS(args);\n\tstruct fuse_forget_link *forget;\n\tstruct fuse_create_in inarg;\n\tstruct fuse_open_out outopen;\n\tstruct fuse_entry_out outentry;\n\tstruct fuse_inode *fi;\n\tstruct fuse_file *ff;\n\n\t/* Userspace expects S_IFREG in create mode */\n\tBUG_ON((mode & S_IFMT) != S_IFREG);\n\n\tforget = fuse_alloc_forget();\n\terr = -ENOMEM;\n\tif (!forget)\n\t\tgoto out_err;\n\n\terr = -ENOMEM;\n\tff = fuse_file_alloc(fm);\n\tif (!ff)\n\t\tgoto out_put_forget_req;\n\n\tif (!fm->fc->dont_mask)\n\t\tmode &= ~current_umask();\n\n\tflags &= ~O_NOCTTY;\n\tmemset(&inarg, 0, sizeof(inarg));\n\tmemset(&outentry, 0, sizeof(outentry));\n\tinarg.flags = flags;\n\tinarg.mode = mode;\n\tinarg.umask = current_umask();\n\n\tif (fm->fc->handle_killpriv_v2 && (flags & O_TRUNC) &&\n\t !(flags & O_EXCL) && !capable(CAP_FSETID)) {\n\t\tinarg.open_flags |= FUSE_OPEN_KILL_SUIDGID;\n\t}\n\n\targs.opcode = FUSE_CREATE;\n\targs.nodeid = 
get_node_id(dir);\n\targs.in_numargs = 2;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\targs.in_args[1].size = entry->d_name.len + 1;\n\targs.in_args[1].value = entry->d_name.name;\n\targs.out_numargs = 2;\n\targs.out_args[0].size = sizeof(outentry);\n\targs.out_args[0].value = &outentry;\n\targs.out_args[1].size = sizeof(outopen);\n\targs.out_args[1].value = &outopen;\n\terr = fuse_simple_request(fm, &args);\n\tif (err)\n\t\tgoto out_free_ff;\n\n\terr = -EIO;\n\tif (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid) ||\n\t fuse_invalid_attr(&outentry.attr))\n\t\tgoto out_free_ff;\n\n\tff->fh = outopen.fh;\n\tff->nodeid = outentry.nodeid;\n\tff->open_flags = outopen.open_flags;\n\tinode = fuse_iget(dir->i_sb, outentry.nodeid, outentry.generation,\n\t\t\t &outentry.attr, entry_attr_timeout(&outentry), 0);\n\tif (!inode) {\n\t\tflags &= ~(O_CREAT | O_EXCL | O_TRUNC);\n\t\tfuse_sync_release(NULL, ff, flags);\n\t\tfuse_queue_forget(fm->fc, forget, outentry.nodeid, 1);\n\t\terr = -ENOMEM;\n\t\tgoto out_err;\n\t}\n\tkfree(forget);\n\td_instantiate(entry, inode);\n\tfuse_change_entry_timeout(entry, &outentry);\n\tfuse_dir_changed(dir);\n\terr = finish_open(file, entry, generic_file_open);\n\tif (err) {\n\t\tfi = get_fuse_inode(inode);\n\t\tfuse_sync_release(fi, ff, flags);\n\t} else {\n\t\tfile->private_data = ff;\n\t\tfuse_finish_open(inode, file);\n\t}\n\treturn err;\n\nout_free_ff:\n\tfuse_file_free(ff);\nout_put_forget_req:\n\tkfree(forget);\nout_err:\n\treturn err;\n}", "project": "linux", "hash": 318651719475874962073286589122577280307, "size": 97, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341947 }, { "func": "apr_byte_t oidc_get_provider_from_session(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session, oidc_provider_t **provider) {\n\n\toidc_debug(r, \"enter\");\n\n\t/* get the issuer value from the session state */\n\tconst char *issuer = oidc_session_get_issuer(r, session);\n\tif (issuer == NULL) {\n\t\toidc_warn(r, \"empty or invalid session: no issuer found\");\n\t\treturn FALSE;\n\t}\n\n\t/* get the provider info associated with the issuer value */\n\toidc_provider_t *p = oidc_get_provider_for_issuer(r, c, issuer, FALSE);\n\tif (p == NULL) {\n\t\toidc_error(r, \"session corrupted: no provider found for issuer: %s\",\n\t\t\t\tissuer);\n\t\treturn FALSE;\n\t}\n\n\t*provider = p;\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 46202633556846165568438185577215306943, "size": 24, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381973 }, { "func": "apr_byte_t oidc_get_provider_from_session(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session, oidc_provider_t **provider) {\n\n\toidc_debug(r, \"enter\");\n\n\t/* get the issuer 
value from the session state */\n\tconst char *issuer = oidc_session_get_issuer(r, session);\n\tif (issuer == NULL) {\n\t\toidc_error(r, \"session corrupted: no issuer found in session\");\n\t\treturn FALSE;\n\t}\n\n\t/* get the provider info associated with the issuer value */\n\toidc_provider_t *p = oidc_get_provider_for_issuer(r, c, issuer, FALSE);\n\tif (p == NULL) {\n\t\toidc_error(r, \"session corrupted: no provider found for issuer: %s\",\n\t\t\t\tissuer);\n\t\treturn FALSE;\n\t}\n\n\t*provider = p;\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 148023288407249076105241101653455149207, "size": 24, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447690 }, { "func": " bool parseMixed() {\n auto const fp = top;\n if (!matchSeparator('}')) {\n if (++array_depth >= 0) return false;\n do {\n if (!matchSeparator('\\\"')) return false; // Only support string keys.\n if (!parseMixedKey()) return false;\n // TODO(14491721): Precompute and save hash to avoid deref in MakeMixed.\n if (!matchSeparator(':')) return false;\n if (!parseValue(true)) return false;\n } while (matchSeparator(','));\n --array_depth;\n if (!matchSeparator('}')) return false; // Trailing ',' not supported.\n }\n auto arr = [&] {\n if (container_type == JSONContainerType::HACK_ARRAYS) {\n return top == fp\n ? ArrayData::CreateDict()\n : MixedArray::MakeDict((top - fp) >> 1, fp)->asArrayData();\n }\n if (container_type == JSONContainerType::LEGACY_HACK_ARRAYS) {\n auto ret = top == fp\n ? staticEmptyDictArray()->copy()\n : MixedArray::MakeDict((top - fp) >> 1, fp)->asArrayData();\n ret->setLegacyArray(true);\n return ret;\n }\n assertx(container_type == JSONContainerType::DARRAYS ||\n container_type == JSONContainerType::DARRAYS_AND_VARRAYS);\n return top == fp\n ? 
ArrayData::CreateDArray()\n : MixedArray::MakeDArray((top - fp) >> 1, fp)->asArrayData();\n }();\n // MixedArray::MakeMixed can return nullptr if there are duplicate keys\n if (!arr) return false;\n top = fp;\n pushArrayData(arr);\n check_non_safepoint_surprise();\n return true;\n }", "project": "hhvm", "hash": 34280002432327838628327417245110293708, "size": 40, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227306 }, { "func": "void bn_from_bytes(const uint8_t *value, size_t value_len, bignum256 *val) {\n uint8_t pad_val[32];\n memset(pad_val, 0, sizeof(pad_val));\n memcpy(pad_val + (32 - value_len), value, value_len);\n bn_read_be(pad_val, val);\n memzero(pad_val, sizeof(pad_val));\n}", "project": "keepkey-firmware", "hash": 306755084621461261804128523306338788359, "size": 7, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220896 }, { "func": "static int __kvm_io_bus_write(struct kvm_vcpu *vcpu, struct kvm_io_bus *bus,\n\t\t\t struct kvm_io_range *range, const void *val)\n{\n\tint idx;\n\n\tidx = kvm_io_bus_get_first_dev(bus, range->addr, range->len);\n\tif (idx < 0)\n\t\treturn -EOPNOTSUPP;\n\n\twhile (idx < bus->dev_count &&\n\t\tkvm_io_bus_cmp(range, &bus->range[idx]) == 0) {\n\t\tif (!kvm_iodevice_write(vcpu, bus->range[idx].dev, range->addr,\n\t\t\t\t\trange->len, val))\n\t\t\treturn idx;\n\t\tidx++;\n\t}\n\n\treturn -EOPNOTSUPP;\n}", "project": "linux", "hash": 26158548083416520017026082871451364625, "size": 19, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range 
accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354707 }, { "func": "nfs41_free_lock_state(struct nfs_server *server, struct nfs4_lock_state *lsp)\n{\n\tconst struct cred *cred = lsp->ls_state->owner->so_cred;\n\n\tnfs41_free_stateid(server, &lsp->ls_stateid, cred, false);\n\tnfs4_free_lock_state(server, lsp);\n}", "project": "linux", "hash": 65648735761934045009477434122830249726, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430960 }, { "func": "static int nfs41_free_stateid(struct nfs_server *server,\n\t\tconst nfs4_stateid *stateid,\n\t\tconst struct cred *cred,\n\t\tbool privileged)\n{\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_FREE_STATEID],\n\t\t.rpc_cred = cred,\n\t};\n\tstruct rpc_task_setup task_setup = {\n\t\t.rpc_client = server->client,\n\t\t.rpc_message = &msg,\n\t\t.callback_ops = &nfs41_free_stateid_ops,\n\t\t.flags = RPC_TASK_ASYNC,\n\t};\n\tstruct nfs_free_stateid_data *data;\n\tstruct rpc_task 
*task;\n\n\tnfs4_state_protect(server->nfs_client, NFS_SP4_MACH_CRED_STATEID,\n\t\t&task_setup.rpc_client, &msg);\n\n\tdprintk(\"NFS call free_stateid %p\\n\", stateid);\n\tdata = kmalloc(sizeof(*data), GFP_NOFS);\n\tif (!data)\n\t\treturn -ENOMEM;\n\tdata->server = server;\n\tnfs4_stateid_copy(&data->args.stateid, stateid);\n\n\ttask_setup.callback_data = data;\n\n\tmsg.rpc_argp = &data->args;\n\tmsg.rpc_resp = &data->res;\n\tnfs4_init_sequence(&data->args.seq_args, &data->res.seq_res, 1, privileged);\n\ttask = rpc_run_task(&task_setup);\n\tif (IS_ERR(task))\n\t\treturn PTR_ERR(task);\n\trpc_put_task(task);\n\treturn 0;\n}", "project": "linux", "hash": 302702843864597495866982065150527942629, "size": 39, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430990 }, { "func": "static void vc_uniscr_insert(struct vc_data *vc, unsigned int nr)\n{\n\tstruct uni_screen *uniscr = get_vc_uniscr(vc);\n\n\tif (uniscr) {\n\t\tchar32_t *ln = uniscr->lines[vc->vc_y];\n\t\tunsigned int x = vc->vc_x, cols = vc->vc_cols;\n\n\t\tmemmove(&ln[x + nr], &ln[x], (cols - x - nr) * sizeof(*ln));\n\t\tmemset32(&ln[x], ' ', nr);\n\t}\n}", "project": "linux", "hash": 67972042316875229283068951928942645969, "size": 12, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). 
This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 
[inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437089 }, { "func": "static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)\n{\n\tstruct net *net = sock_net(sk);\n\tunsigned int dir;\n\tint err = 0, delete;\n\tstruct sadb_x_policy *pol;\n\tstruct xfrm_policy *xp;\n\tstruct km_event c;\n\n\tif ((pol = ext_hdrs[SADB_X_EXT_POLICY-1]) == NULL)\n\t\treturn -EINVAL;\n\n\tdir = xfrm_policy_id2dir(pol->sadb_x_policy_id);\n\tif (dir >= XFRM_POLICY_MAX)\n\t\treturn -EINVAL;\n\n\tdelete = (hdr->sadb_msg_type == SADB_X_SPDDELETE2);\n\txp = xfrm_policy_byid(net, &dummy_mark, 0, XFRM_POLICY_TYPE_MAIN,\n\t\t\t dir, pol->sadb_x_policy_id, delete, &err);\n\tif (xp == NULL)\n\t\treturn -ENOENT;\n\n\tif (delete) {\n\t\txfrm_audit_policy_delete(xp, err ? 
0 : 1, true);\n\n\t\tif (err)\n\t\t\tgoto out;\n\t\tc.seq = hdr->sadb_msg_seq;\n\t\tc.portid = hdr->sadb_msg_pid;\n\t\tc.data.byid = 1;\n\t\tc.event = XFRM_MSG_DELPOLICY;\n\t\tkm_policy_notify(xp, dir, &c);\n\t} else {\n\t\terr = key_pol_get_resp(sk, xp, hdr, dir);\n\t}\n\nout:\n\txfrm_pol_put(xp);\n\treturn err;\n}", "project": "linux", "hash": 78732548509953707284710640373507666575, "size": 40, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268096 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "int VideoRendererBase::NumFrames_Locked() const {\n lock_.AssertAcquired();\n int outstanding_frames =\n (current_frame_ ? 1 : 0) + (last_available_frame_ ? 1 : 0) +\n (current_frame_ && (current_frame_ == last_available_frame_) ? 
-1 : 0);\n return ready_frames_.size() + outstanding_frames;\n}\n", "cwe": "", "big_vul_idx": 113355, "idx": 101645, "hash": 337030609599144886507994409332153788035 }, { "func": "static u64 kvm_hv_flush_tlb(struct kvm_vcpu *vcpu, u64 ingpa, u16 rep_cnt, bool ex)\n{\n\tstruct kvm *kvm = vcpu->kvm;\n\tstruct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu);\n\tstruct hv_tlb_flush_ex flush_ex;\n\tstruct hv_tlb_flush flush;\n\tu64 vp_bitmap[KVM_HV_MAX_SPARSE_VCPU_SET_BITS];\n\tDECLARE_BITMAP(vcpu_bitmap, KVM_MAX_VCPUS);\n\tunsigned long *vcpu_mask;\n\tu64 valid_bank_mask;\n\tu64 sparse_banks[64];\n\tint sparse_banks_len;\n\tbool all_cpus;\n\n\tif (!ex) {\n\t\tif (unlikely(kvm_read_guest(kvm, ingpa, &flush, sizeof(flush))))\n\t\t\treturn HV_STATUS_INVALID_HYPERCALL_INPUT;\n\n\t\ttrace_kvm_hv_flush_tlb(flush.processor_mask,\n\t\t\t\t flush.address_space, flush.flags);\n\n\t\tvalid_bank_mask = BIT_ULL(0);\n\t\tsparse_banks[0] = flush.processor_mask;\n\n\t\t/*\n\t\t * Work around possible WS2012 bug: it sends hypercalls\n\t\t * with processor_mask = 0x0 and HV_FLUSH_ALL_PROCESSORS clear,\n\t\t * while also expecting us to flush something and crashing if\n\t\t * we don't. 
Let's treat processor_mask == 0 same as\n\t\t * HV_FLUSH_ALL_PROCESSORS.\n\t\t */\n\t\tall_cpus = (flush.flags & HV_FLUSH_ALL_PROCESSORS) ||\n\t\t\tflush.processor_mask == 0;\n\t} else {\n\t\tif (unlikely(kvm_read_guest(kvm, ingpa, &flush_ex,\n\t\t\t\t\t sizeof(flush_ex))))\n\t\t\treturn HV_STATUS_INVALID_HYPERCALL_INPUT;\n\n\t\ttrace_kvm_hv_flush_tlb_ex(flush_ex.hv_vp_set.valid_bank_mask,\n\t\t\t\t\t flush_ex.hv_vp_set.format,\n\t\t\t\t\t flush_ex.address_space,\n\t\t\t\t\t flush_ex.flags);\n\n\t\tvalid_bank_mask = flush_ex.hv_vp_set.valid_bank_mask;\n\t\tall_cpus = flush_ex.hv_vp_set.format !=\n\t\t\tHV_GENERIC_SET_SPARSE_4K;\n\n\t\tsparse_banks_len =\n\t\t\tbitmap_weight((unsigned long *)&valid_bank_mask, 64) *\n\t\t\tsizeof(sparse_banks[0]);\n\n\t\tif (!sparse_banks_len && !all_cpus)\n\t\t\tgoto ret_success;\n\n\t\tif (!all_cpus &&\n\t\t kvm_read_guest(kvm,\n\t\t\t\t ingpa + offsetof(struct hv_tlb_flush_ex,\n\t\t\t\t\t\t hv_vp_set.bank_contents),\n\t\t\t\t sparse_banks,\n\t\t\t\t sparse_banks_len))\n\t\t\treturn HV_STATUS_INVALID_HYPERCALL_INPUT;\n\t}\n\n\tcpumask_clear(&hv_vcpu->tlb_flush);\n\n\tvcpu_mask = all_cpus ? NULL :\n\t\tsparse_set_to_vcpu_mask(kvm, sparse_banks, valid_bank_mask,\n\t\t\t\t\tvp_bitmap, vcpu_bitmap);\n\n\t/*\n\t * vcpu->arch.cr3 may not be up-to-date for running vCPUs so we can't\n\t * analyze it here, flush TLB regardless of the specified address space.\n\t */\n\tkvm_make_vcpus_request_mask(kvm, KVM_REQ_HV_TLB_FLUSH,\n\t\t\t\t NULL, vcpu_mask, &hv_vcpu->tlb_flush);\n\nret_success:\n\t/* We always do full TLB flush, set rep_done = rep_cnt. 
*/\n\treturn (u64)HV_STATUS_SUCCESS |\n\t\t((u64)rep_cnt << HV_HYPERCALL_REP_COMP_OFFSET);\n}", "project": "linux", "hash": 309477612204750163553638329585361222178, "size": 81, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343527 }, { "func": "void gdImageSetTile (gdImagePtr im, gdImagePtr tile)\n{\n\tint i;\n\tim->tile = tile;\n\tif (!im->trueColor && !im->tile->trueColor) {\n\t\tfor (i = 0; i < gdImageColorsTotal(tile); i++) {\n\t\t\tint index;\n\t\t\tindex = gdImageColorResolveAlpha(im, gdImageRed(tile, i), gdImageGreen(tile, i), gdImageBlue(tile, i), gdImageAlpha(tile, i));\n\t\t\tim->tileColorMap[i] = index;\n\t\t}\n\t}\n}", "project": "php-src", "hash": 201293191991337521785986292511390737698, "size": 12, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295166 }, { "func": "\tMode()\n\t\t: ClientProtocol::Message(\"MODE\", ServerInstance->FakeClient)\n\t\t, chantarget(NULL)\n\t\t, usertarget(NULL)\n\t{\n\t}", "project": "inspircd", "hash": 82106735184720783485625130543107464909, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273229 }, { "func": "static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_disconn_complete *ev = (void *) skb->data;\n\tu8 reason;\n\tstruct hci_conn_params *params;\n\tstruct hci_conn *conn;\n\tbool mgmt_connected;\n\tu8 type;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));\n\tif (!conn)\n\t\tgoto 
unlock;\n\n\tif (ev->status) {\n\t\tmgmt_disconnect_failed(hdev, &conn->dst, conn->type,\n\t\t\t\t conn->dst_type, ev->status);\n\t\tgoto unlock;\n\t}\n\n\tconn->state = BT_CLOSED;\n\n\tmgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);\n\n\tif (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))\n\t\treason = MGMT_DEV_DISCONN_AUTH_FAILURE;\n\telse\n\t\treason = hci_to_mgmt_reason(ev->reason);\n\n\tmgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,\n\t\t\t\treason, mgmt_connected);\n\n\tif (conn->type == ACL_LINK) {\n\t\tif (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))\n\t\t\thci_remove_link_key(hdev, &conn->dst);\n\n\t\thci_req_update_scan(hdev);\n\t}\n\n\tparams = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);\n\tif (params) {\n\t\tswitch (params->auto_connect) {\n\t\tcase HCI_AUTO_CONN_LINK_LOSS:\n\t\t\tif (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)\n\t\t\t\tbreak;\n\t\t\t/* Fall through */\n\n\t\tcase HCI_AUTO_CONN_DIRECT:\n\t\tcase HCI_AUTO_CONN_ALWAYS:\n\t\t\tlist_del_init(¶ms->action);\n\t\t\tlist_add(¶ms->action, &hdev->pend_le_conns);\n\t\t\thci_update_background_scan(hdev);\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\t}\n\n\ttype = conn->type;\n\n\thci_disconn_cfm(conn, ev->reason);\n\thci_conn_del(conn);\n\n\t/* The suspend notifier is waiting for all devices to disconnect so\n\t * clear the bit from pending tasks and inform the wait queue.\n\t */\n\tif (list_empty(&hdev->conn_hash.list) &&\n\t test_and_clear_bit(SUSPEND_DISCONNECTING, hdev->suspend_tasks)) {\n\t\twake_up(&hdev->suspend_wait_q);\n\t}\n\n\t/* Re-enable advertising if necessary, since it might\n\t * have been disabled by the connection. 
From the\n\t * HCI_LE_Set_Advertise_Enable command description in\n\t * the core specification (v4.0):\n\t * \"The Controller shall continue advertising until the Host\n\t * issues an LE_Set_Advertise_Enable command with\n\t * Advertising_Enable set to 0x00 (Advertising is disabled)\n\t * or until a connection is created or until the Advertising\n\t * is timed out due to Directed Advertising.\"\n\t */\n\tif (type == LE_LINK)\n\t\thci_req_reenable_advertising(hdev);\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 137106061716323759763946026139561927536, "size": 91, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431928 }, { "func": " Item_int(THD *thd, longlong i,uint length= MY_INT64_NUM_DECIMAL_DIGITS):\n Item_num(thd), value(i)\n { max_length=length; fixed= 1; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 9907260531289038377869773919364616953, "size": 3, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508973 }, { "func": " Item_float(THD *thd, const char *str, double val_arg, uint decimal_par,\n uint length): Item_num(thd), value(val_arg)\n {\n presentation= name=(char*) str;\n decimals=(uint8) decimal_par;\n max_length=length;\n fixed= 1;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 305557796597475881077257148588368146818, "size": 8, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509047 }, { "func": " Item_cache_int(THD *thd): Item_cache(thd, MYSQL_TYPE_LONGLONG),\n value(0) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 67112946606170347933823941612349690217, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509149 }, { "func": " Item_float(THD *thd, double value_par, uint decimal_par):\n Item_num(thd), presentation(0), value(value_par)\n {\n decimals= (uint8) decimal_par;\n fixed= 1;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 221632066132237190818810250028927847017, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509216 }, { "func": " Item_int(THD *thd, const char *str_arg,longlong i,uint length):\n Item_num(thd), value(i)\n { max_length=length; name=(char*) str_arg; fixed= 1; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 215805592764810018031988936240859025109, "size": 3, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509284 }, { "func": " Item_cache_real(THD *thd): Item_cache(thd, MYSQL_TYPE_DOUBLE),\n value(0) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 25539190523917459970796540989102245902, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509402 }, { "func": " Item_cache_int(THD *thd, enum_field_types field_type_arg):\n Item_cache(thd, field_type_arg), value(0) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 190429235066660754235926629009938869446, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509437 }, { "func": "UnicodeString::UnicodeString(UnicodeString &&src) U_NOEXCEPT {\n copyFieldsFrom(src, TRUE);\n}", "project": "icu", "hash": 85261875610387258348525578013854271122, "size": 3, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430852 }, { "func": "int blosc_free_resources(void) {\n /* Return if Blosc is not initialized */\n if (!g_initlib) return -1;\n\n return release_threadpool(g_global_context);\n}", "project": "c-blosc2", "hash": 212584608118437488638637644011795460735, "size": 6, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303075 }, { "func": "static void input_start_autorepeat(struct input_dev *dev, int code)\n{\n\tif (test_bit(EV_REP, dev->evbit) &&\n\t dev->rep[REP_PERIOD] && dev->rep[REP_DELAY] &&\n\t dev->timer.function) {\n\t\tdev->repeat_key = code;\n\t\tmod_timer(&dev->timer,\n\t\t\t jiffies + msecs_to_jiffies(dev->rep[REP_DELAY]));\n\t}\n}", "project": "linux", "hash": 79626107812571802055127905248662616199, "size": 10, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353385 }, { "func": "static int cmd_queue_full (IMAP_DATA* idata)\n{\n if ((idata->nextcmd + 1) % idata->cmdslots == idata->lastcmd)\n return 1;\n\n return 0;\n}", "project": "mutt", "hash": 259918617130916900321952638882322973332, "size": 7, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338025 }, { "func": "static int io_openat(struct io_kiocb *req, unsigned int issue_flags)\n{\n\treturn io_openat2(req, issue_flags);\n}", "project": "linux", "hash": 207544922998722174599177638230471459689, "size": 4, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338568 }, { "func": "void CWebSession::ClearMessageLoops() {\n m_vsErrorMsgs.clear();\n m_vsSuccessMsgs.clear();\n}", "project": "znc", "hash": 101338204833399313970510907662533200375, "size": 4, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265798 }, { "func": "int kvm_hv_hypercall(struct kvm_vcpu *vcpu)\n{\n\tu64 param, ingpa, outgpa, ret = HV_STATUS_SUCCESS;\n\tuint16_t code, rep_idx, rep_cnt;\n\tbool fast, rep;\n\n\t/*\n\t * hypercall generates UD from non zero cpl and real mode\n\t * per HYPER-V spec\n\t */\n\tif (static_call(kvm_x86_get_cpl)(vcpu) != 0 || !is_protmode(vcpu)) {\n\t\tkvm_queue_exception(vcpu, UD_VECTOR);\n\t\treturn 1;\n\t}\n\n#ifdef CONFIG_X86_64\n\tif (is_64_bit_mode(vcpu)) {\n\t\tparam = kvm_rcx_read(vcpu);\n\t\tingpa = kvm_rdx_read(vcpu);\n\t\toutgpa = kvm_r8_read(vcpu);\n\t} else\n#endif\n\t{\n\t\tparam = ((u64)kvm_rdx_read(vcpu) << 32) |\n\t\t\t(kvm_rax_read(vcpu) & 0xffffffff);\n\t\tingpa = ((u64)kvm_rbx_read(vcpu) << 32) |\n\t\t\t(kvm_rcx_read(vcpu) & 0xffffffff);\n\t\toutgpa = ((u64)kvm_rdi_read(vcpu) << 32) |\n\t\t\t(kvm_rsi_read(vcpu) & 0xffffffff);\n\t}\n\n\tcode = param & 0xffff;\n\tfast = !!(param & 
HV_HYPERCALL_FAST_BIT);\n\trep_cnt = (param >> HV_HYPERCALL_REP_COMP_OFFSET) & 0xfff;\n\trep_idx = (param >> HV_HYPERCALL_REP_START_OFFSET) & 0xfff;\n\trep = !!(rep_cnt || rep_idx);\n\n\ttrace_kvm_hv_hypercall(code, fast, rep_cnt, rep_idx, ingpa, outgpa);\n\n\tswitch (code) {\n\tcase HVCALL_NOTIFY_LONG_SPIN_WAIT:\n\t\tif (unlikely(rep)) {\n\t\t\tret = HV_STATUS_INVALID_HYPERCALL_INPUT;\n\t\t\tbreak;\n\t\t}\n\t\tkvm_vcpu_on_spin(vcpu, true);\n\t\tbreak;\n\tcase HVCALL_SIGNAL_EVENT:\n\t\tif (unlikely(rep)) {\n\t\t\tret = HV_STATUS_INVALID_HYPERCALL_INPUT;\n\t\t\tbreak;\n\t\t}\n\t\tret = kvm_hvcall_signal_event(vcpu, fast, ingpa);\n\t\tif (ret != HV_STATUS_INVALID_PORT_ID)\n\t\t\tbreak;\n\t\tfallthrough;\t/* maybe userspace knows this conn_id */\n\tcase HVCALL_POST_MESSAGE:\n\t\t/* don't bother userspace if it has no way to handle it */\n\t\tif (unlikely(rep || !to_hv_synic(vcpu)->active)) {\n\t\t\tret = HV_STATUS_INVALID_HYPERCALL_INPUT;\n\t\t\tbreak;\n\t\t}\n\t\tvcpu->run->exit_reason = KVM_EXIT_HYPERV;\n\t\tvcpu->run->hyperv.type = KVM_EXIT_HYPERV_HCALL;\n\t\tvcpu->run->hyperv.u.hcall.input = param;\n\t\tvcpu->run->hyperv.u.hcall.params[0] = ingpa;\n\t\tvcpu->run->hyperv.u.hcall.params[1] = outgpa;\n\t\tvcpu->arch.complete_userspace_io =\n\t\t\t\tkvm_hv_hypercall_complete_userspace;\n\t\treturn 0;\n\tcase HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST:\n\t\tif (unlikely(fast || !rep_cnt || rep_idx)) {\n\t\t\tret = HV_STATUS_INVALID_HYPERCALL_INPUT;\n\t\t\tbreak;\n\t\t}\n\t\tret = kvm_hv_flush_tlb(vcpu, ingpa, rep_cnt, false);\n\t\tbreak;\n\tcase HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE:\n\t\tif (unlikely(fast || rep)) {\n\t\t\tret = HV_STATUS_INVALID_HYPERCALL_INPUT;\n\t\t\tbreak;\n\t\t}\n\t\tret = kvm_hv_flush_tlb(vcpu, ingpa, rep_cnt, false);\n\t\tbreak;\n\tcase HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX:\n\t\tif (unlikely(fast || !rep_cnt || rep_idx)) {\n\t\t\tret = HV_STATUS_INVALID_HYPERCALL_INPUT;\n\t\t\tbreak;\n\t\t}\n\t\tret = kvm_hv_flush_tlb(vcpu, ingpa, rep_cnt, 
true);\n\t\tbreak;\n\tcase HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE_EX:\n\t\tif (unlikely(fast || rep)) {\n\t\t\tret = HV_STATUS_INVALID_HYPERCALL_INPUT;\n\t\t\tbreak;\n\t\t}\n\t\tret = kvm_hv_flush_tlb(vcpu, ingpa, rep_cnt, true);\n\t\tbreak;\n\tcase HVCALL_SEND_IPI:\n\t\tif (unlikely(rep)) {\n\t\t\tret = HV_STATUS_INVALID_HYPERCALL_INPUT;\n\t\t\tbreak;\n\t\t}\n\t\tret = kvm_hv_send_ipi(vcpu, ingpa, outgpa, false, fast);\n\t\tbreak;\n\tcase HVCALL_SEND_IPI_EX:\n\t\tif (unlikely(fast || rep)) {\n\t\t\tret = HV_STATUS_INVALID_HYPERCALL_INPUT;\n\t\t\tbreak;\n\t\t}\n\t\tret = kvm_hv_send_ipi(vcpu, ingpa, outgpa, true, false);\n\t\tbreak;\n\tcase HVCALL_POST_DEBUG_DATA:\n\tcase HVCALL_RETRIEVE_DEBUG_DATA:\n\t\tif (unlikely(fast)) {\n\t\t\tret = HV_STATUS_INVALID_PARAMETER;\n\t\t\tbreak;\n\t\t}\n\t\tfallthrough;\n\tcase HVCALL_RESET_DEBUG_SESSION: {\n\t\tstruct kvm_hv_syndbg *syndbg = to_hv_syndbg(vcpu);\n\n\t\tif (!kvm_hv_is_syndbg_enabled(vcpu)) {\n\t\t\tret = HV_STATUS_INVALID_HYPERCALL_CODE;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (!(syndbg->options & HV_X64_SYNDBG_OPTION_USE_HCALLS)) {\n\t\t\tret = HV_STATUS_OPERATION_DENIED;\n\t\t\tbreak;\n\t\t}\n\t\tvcpu->run->exit_reason = KVM_EXIT_HYPERV;\n\t\tvcpu->run->hyperv.type = KVM_EXIT_HYPERV_HCALL;\n\t\tvcpu->run->hyperv.u.hcall.input = param;\n\t\tvcpu->run->hyperv.u.hcall.params[0] = ingpa;\n\t\tvcpu->run->hyperv.u.hcall.params[1] = outgpa;\n\t\tvcpu->arch.complete_userspace_io =\n\t\t\t\tkvm_hv_hypercall_complete_userspace;\n\t\treturn 0;\n\t}\n\tdefault:\n\t\tret = HV_STATUS_INVALID_HYPERCALL_CODE;\n\t\tbreak;\n\t}\n\n\treturn kvm_hv_hypercall_complete(vcpu, ret);\n}", "project": "linux", "hash": 106839050439551123444392042060997803790, "size": 147, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 
5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343489 }, { "func": "static inline void write_desc(struct intel_engine_execlists *execlists, u64 desc, u32 port)\n{\n\tif (execlists->ctrl_reg) {\n\t\twritel(lower_32_bits(desc), execlists->submit_reg + port * 2);\n\t\twritel(upper_32_bits(desc), execlists->submit_reg + port * 2 + 1);\n\t} else {\n\t\twritel(upper_32_bits(desc), execlists->submit_reg);\n\t\twritel(lower_32_bits(desc), execlists->submit_reg);\n\t}\n}", "project": "linux", "hash": 217313615008613525738167377358505125520, "size": 10, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: 
PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281434 }, { "func": "static int php_imagefontsize(int size, int arg) {\n gdFontPtr font = php_find_gd_font(size);\n return (arg ? font->h : font->w);\n}", "project": "hhvm", "hash": 181137694819603576969912102354496621500, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219750 }, { "func": "static enum_func_status\nphp_mysqlnd_greet_read(void * _packet, MYSQLND_CONN_DATA * conn TSRMLS_DC)\n{\n\tzend_uchar buf[2048];\n\tzend_uchar *p = buf;\n\tzend_uchar *begin = buf;\n\tzend_uchar *pad_start = NULL;\n\tMYSQLND_PACKET_GREET *packet= (MYSQLND_PACKET_GREET *) _packet;\n\n\tDBG_ENTER(\"php_mysqlnd_greet_read\");\n\n\tPACKET_READ_HEADER_AND_BODY(packet, conn, buf, sizeof(buf), \"greeting\", PROT_GREET_PACKET);\n\tBAIL_IF_NO_MORE_DATA;\n\n\tpacket->auth_plugin_data = packet->intern_auth_plugin_data;\n\tpacket->auth_plugin_data_len = sizeof(packet->intern_auth_plugin_data);\n\n\tif (packet->header.size < sizeof(buf)) {\n\t\t/*\n\t\t Null-terminate the string, so strdup can work even if the packets have a string at the end,\n\t\t which is not ASCIIZ\n\t\t*/\n\t\tbuf[packet->header.size] = '\\0'; 
\n\t}\n\n\tpacket->protocol_version = uint1korr(p);\n\tp++;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tif (ERROR_MARKER == packet->protocol_version) {\n\t\tphp_mysqlnd_read_error_from_line(p, packet->header.size - 1,\n\t\t\t\t\t\t\t\t\t\t packet->error, sizeof(packet->error),\n\t\t\t\t\t\t\t\t\t\t &packet->error_no, packet->sqlstate\n\t\t\t\t\t\t\t\t\t\t TSRMLS_CC);\n\t\t/*\n\t\t The server doesn't send sqlstate in the greet packet.\n\t\t It's a bug#26426 , so we have to set it correctly ourselves.\n\t\t It's probably \"Too many connections, which has SQL state 08004\".\n\t\t*/\n\t\tif (packet->error_no == 1040) {\n\t\t\tmemcpy(packet->sqlstate, \"08004\", MYSQLND_SQLSTATE_LENGTH);\n\t\t}\n\t\tDBG_RETURN(PASS);\n\t}\n\n\tpacket->server_version = estrdup((char *)p);\n\tp+= strlen(packet->server_version) + 1; /* eat the '\\0' */\n\tBAIL_IF_NO_MORE_DATA;\n\n\tpacket->thread_id = uint4korr(p);\n\tp+=4;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tmemcpy(packet->auth_plugin_data, p, SCRAMBLE_LENGTH_323);\n\tp+= SCRAMBLE_LENGTH_323;\n\tBAIL_IF_NO_MORE_DATA;\n\n\t/* pad1 */\n\tp++;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tpacket->server_capabilities = uint2korr(p);\n\tp+= 2;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tpacket->charset_no = uint1korr(p);\n\tp++;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tpacket->server_status = uint2korr(p);\n\tp+= 2;\n\tBAIL_IF_NO_MORE_DATA;\n\n\t/* pad2 */\n\tpad_start = p;\n\tp+= 13;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tif ((size_t) (p - buf) < packet->header.size) {\n\t\t/* auth_plugin_data is split into two parts */\n\t\tmemcpy(packet->auth_plugin_data + SCRAMBLE_LENGTH_323, p, SCRAMBLE_LENGTH - SCRAMBLE_LENGTH_323);\n\t\tp+= SCRAMBLE_LENGTH - SCRAMBLE_LENGTH_323;\n\t\tp++; /* 0x0 at the end of the scramble and thus last byte in the packet in 5.1 and previous */\n\t} else {\n\t\tpacket->pre41 = TRUE;\n\t}\n\n\t/* Is this a 5.5+ server ? 
*/\n\tif ((size_t) (p - buf) < packet->header.size) {\n\t\t /* backtrack one byte, the 0x0 at the end of the scramble in 5.1 and previous */\n\t\tp--;\n\n \t/* Additional 16 bits for server capabilities */\n\t\tpacket->server_capabilities |= uint2korr(pad_start) << 16;\n\t\t/* And a length of the server scramble in one byte */\n\t\tpacket->auth_plugin_data_len = uint1korr(pad_start + 2);\n\t\tif (packet->auth_plugin_data_len > SCRAMBLE_LENGTH) {\n\t\t\t/* more data*/\n\t\t\tzend_uchar * new_auth_plugin_data = emalloc(packet->auth_plugin_data_len);\n\t\t\tif (!new_auth_plugin_data) {\n\t\t\t\tgoto premature_end;\n\t\t\t}\n\t\t\t/* copy what we already have */\n\t\t\tmemcpy(new_auth_plugin_data, packet->auth_plugin_data, SCRAMBLE_LENGTH);\n\t\t\t/* add additional scramble data 5.5+ sent us */\n\t\t\tmemcpy(new_auth_plugin_data + SCRAMBLE_LENGTH, p, packet->auth_plugin_data_len - SCRAMBLE_LENGTH);\n\t\t\tp+= (packet->auth_plugin_data_len - SCRAMBLE_LENGTH);\n\t\t\tpacket->auth_plugin_data = new_auth_plugin_data;\n\t\t}\n\t}\n\n\tif (packet->server_capabilities & CLIENT_PLUGIN_AUTH) {\n\t\tBAIL_IF_NO_MORE_DATA;\n\t\t/* The server is 5.5.x and supports authentication plugins */\n\t\tpacket->auth_protocol = estrdup((char *)p);\n\t\tp+= strlen(packet->auth_protocol) + 1; /* eat the '\\0' */\n\t}\n\n\tDBG_INF_FMT(\"proto=%u server=%s thread_id=%u\",\n\t\t\t\tpacket->protocol_version, packet->server_version, packet->thread_id);\n\n\tDBG_INF_FMT(\"server_capabilities=%u charset_no=%u server_status=%i auth_protocol=%s scramble_length=%u\",\n\t\t\t\tpacket->server_capabilities, packet->charset_no, packet->server_status,\n\t\t\t\tpacket->auth_protocol? 
packet->auth_protocol:\"n/a\", packet->auth_plugin_data_len);\n\n\tDBG_RETURN(PASS);\npremature_end:\n\tDBG_ERR_FMT(\"GREET packet %d bytes shorter than expected\", p - begin - packet->header.size);\n\tphp_error_docref(NULL TSRMLS_CC, E_WARNING, \"GREET packet \"MYSQLND_SZ_T_SPEC\" bytes shorter than expected\",\n\t\t\t\t\t p - begin - packet->header.size);\n\tDBG_RETURN(FAIL);", "project": "php-src", "hash": 172504244377519178265390714742244233159, "size": 131, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416645 }, { "func": "static void power_pmu_sched_task(struct perf_event_context *ctx, bool sched_in) {}", "project": "linux", "hash": 189810598979135775542751377549459975912, "size": 1, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. 
If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374681 }, { "func": "static void power_pmu_sched_task(struct perf_event_context *ctx, bool sched_in)\n{\n\tif (!ppmu->bhrb_nr)\n\t\treturn;\n\n\tif (sched_in)\n\t\tpower_pmu_bhrb_reset();\n}", "project": "linux", "hash": 122405699645860108439149128032020968318, "size": 8, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. 
If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374740 }, { "func": "static int prb_calc_retire_blk_tmo(struct packet_sock *po,\n\t\t\t\tint blk_size_in_bytes)\n{\n\tstruct net_device *dev;\n\tunsigned int mbits, div;\n\tstruct ethtool_link_ksettings ecmd;\n\tint err;\n\n\trtnl_lock();\n\tdev = __dev_get_by_index(sock_net(&po->sk), po->ifindex);\n\tif (unlikely(!dev)) {\n\t\trtnl_unlock();\n\t\treturn DEFAULT_PRB_RETIRE_TOV;\n\t}\n\terr = __ethtool_get_link_ksettings(dev, &ecmd);\n\trtnl_unlock();\n\tif (err)\n\t\treturn DEFAULT_PRB_RETIRE_TOV;\n\n\t/* If the link speed is so slow you don't really\n\t * need to worry about perf anyways\n\t */\n\tif (ecmd.base.speed < SPEED_1000 ||\n\t ecmd.base.speed == SPEED_UNKNOWN)\n\t\treturn DEFAULT_PRB_RETIRE_TOV;\n\n\tdiv = ecmd.base.speed / 1000;\n\tmbits = (blk_size_in_bytes * 8) / (1024 * 1024);\n\n\tif (div)\n\t\tmbits /= div;\n\n\tif (div)\n\t\treturn mbits + 1;\n\treturn mbits;\n}", "project": "linux", "hash": 33598296257023898883845479526754678698, "size": 36, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand 
checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330367 }, { "func": " bool fix_fields(THD *thd, Item **it)\n {\n if ((!(*ref)->fixed && (*ref)->fix_fields(thd, ref)) ||\n (*ref)->check_cols(1))\n return TRUE;\n return Item_ref::fix_fields(thd, it);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 59808732217342890432741734563936874705, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509238 }, { "func": " bool fix_fields(THD *thd, Item **it)\n {\n DBUG_ASSERT(ident->type() == FIELD_ITEM || ident->type() == REF_ITEM);\n if ((!ident->fixed && ident->fix_fields(thd, ref)) ||\n ident->check_cols(1))\n return TRUE;\n set_properties();\n return FALSE;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 221371275040582589079523864344361757958, "size": 9, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509339 }, { "func": "static int select_cur_seq_no(HLSContext *c, struct playlist *pls)\n{\n int seq_no;\n\n if (!pls->finished && !c->first_packet &&\n av_gettime_relative() - pls->last_load_time >= default_reload_interval(pls))\n /* reload the playlist since it was suspended */\n parse_playlist(c, pls->url, pls, NULL);\n\n /* If playback is already in progress (we are just selecting a new\n * playlist) and this is a complete file, find the matching segment\n * by counting durations. */\n if (pls->finished && c->cur_timestamp != AV_NOPTS_VALUE) {\n find_timestamp_in_playlist(c, pls, c->cur_timestamp, &seq_no);\n return seq_no;\n }\n\n if (!pls->finished) {\n if (!c->first_packet && /* we are doing a segment selection during playback */\n c->cur_seq_no >= pls->start_seq_no &&\n c->cur_seq_no < pls->start_seq_no + pls->n_segments)\n /* While spec 3.4.3 says that we cannot assume anything about the\n * content at the same sequence number on different playlists,\n * in practice this seems to work and doing it otherwise would\n * require us to download a segment to inspect its timestamps. */\n return c->cur_seq_no;\n\n /* If this is a live stream, start live_start_index segments from the\n * start or end */\n if (c->live_start_index < 0)\n return pls->start_seq_no + FFMAX(pls->n_segments + c->live_start_index, 0);\n else\n return pls->start_seq_no + FFMIN(c->live_start_index, pls->n_segments - 1);\n }\n\n /* Otherwise just start on the first segment. 
*/\n return pls->start_seq_no;\n}", "project": "FFmpeg", "hash": 7359447665895715108348408111566619797, "size": 38, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270451 }, { "func": "void rec_will(struct Curl_easy *data, int option)\n{\n struct TELNET *tn = data->req.p.telnet;\n switch(tn->him[option]) {\n case CURL_NO:\n if(tn->him_preferred[option] == CURL_YES) {\n tn->him[option] = CURL_YES;\n send_negotiation(data, CURL_DO, option);\n }\n else\n send_negotiation(data, CURL_DONT, option);\n\n break;\n\n case CURL_YES:\n /* Already enabled */\n break;\n\n case CURL_WANTNO:\n switch(tn->himq[option]) {\n case CURL_EMPTY:\n /* Error: DONT answered by WILL */\n tn->him[option] = CURL_NO;\n break;\n case CURL_OPPOSITE:\n /* Error: DONT answered by WILL */\n tn->him[option] = CURL_YES;\n tn->himq[option] = CURL_EMPTY;\n break;\n }\n break;\n\n case CURL_WANTYES:\n switch(tn->himq[option]) {\n case CURL_EMPTY:\n tn->him[option] = CURL_YES;\n break;\n case CURL_OPPOSITE:\n tn->him[option] = CURL_WANTNO;\n tn->himq[option] = CURL_EMPTY;\n send_negotiation(data, CURL_DONT, option);\n break;\n }\n break;\n }\n}", "project": "curl", "hash": 55283559216168891050890311999048428315, "size": 46, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 0, "dataset": "other", "idx": 481490 }, { "func": "static int sctp_getsockopt_peeloff_flags(struct sock *sk, int len,\n\t\t\t\t\t char __user *optval, int __user *optlen)\n{\n\tsctp_peeloff_flags_arg_t peeloff;\n\tstruct file *newfile = NULL;\n\tint retval = 0;\n\n\tif (len < 
sizeof(sctp_peeloff_flags_arg_t))\n\t\treturn -EINVAL;\n\tlen = sizeof(sctp_peeloff_flags_arg_t);\n\tif (copy_from_user(&peeloff, optval, len))\n\t\treturn -EFAULT;\n\n\tretval = sctp_getsockopt_peeloff_common(sk, &peeloff.p_arg,\n\t\t\t\t\t\t&newfile, peeloff.flags);\n\tif (retval < 0)\n\t\tgoto out;\n\n\t/* Return the fd mapped to the new socket. */\n\tif (put_user(len, optlen)) {\n\t\tfput(newfile);\n\t\tput_unused_fd(retval);\n\t\treturn -EFAULT;\n\t}\n\n\tif (copy_to_user(optval, &peeloff, len)) {\n\t\tfput(newfile);\n\t\tput_unused_fd(retval);\n\t\treturn -EFAULT;\n\t}\n\tfd_install(retval, newfile);\nout:\n\treturn retval;\n}", "project": "linux", "hash": 200226370333107861413719339071624954323, "size": 34, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398084 }, { "func": "static inline void sctp_copy_descendant(struct sock *sk_to,\n\t\t\t\t\tconst struct sock *sk_from)\n{\n\tsize_t ancestor_size = sizeof(struct inet_sock);\n\n\tancestor_size += sk_from->sk_prot->obj_size;\n\tancestor_size -= offsetof(struct sctp_sock, pd_lobby);\n\t__inet_sk_copy_descendant(sk_to, sk_from, ancestor_size);\n}", "project": "linux", "hash": 121955608148461917430167957139480286658, "size": 9, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398177 }, { "func": "static bool is_ebb_event(struct perf_event *event) { return false; }", "project": "linux", "hash": 256618104461910013694530808909061034069, "size": 1, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374704 }, { "func": "static bool is_ebb_event(struct perf_event *event)\n{\n\t/*\n\t * This could be a per-PMU callback, but we'd rather avoid the cost. We\n\t * check that the PMU supports EBB, meaning those that don't can still\n\t * use bit 63 of the event code for something else if they wish.\n\t */\n\treturn (ppmu->flags & PPMU_ARCH_207S) &&\n\t ((event->attr.config >> PERF_EVENT_CONFIG_EBB_SHIFT) & 1);\n}", "project": "linux", "hash": 210199240686882008269240572423171938431, "size": 10, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is 
called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374724 }, { "func": " bool needs_conversion() const\n {\n return final_character_set_of_str_value !=\n character_set_of_placeholder;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 35433298356138449314105920033556814572, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509255 }, { "func": "static void power_pmu_bhrb_disable(struct perf_event *event)\n{\n\tstruct cpu_hw_events *cpuhw = this_cpu_ptr(&cpu_hw_events);\n\n\tif (!ppmu->bhrb_nr)\n\t\treturn;\n\n\tWARN_ON_ONCE(!cpuhw->bhrb_users);\n\tcpuhw->bhrb_users--;\n\tperf_sched_cb_dec(event->ctx->pmu);\n\n\tif (!cpuhw->disabled && !cpuhw->bhrb_users) {\n\t\t/* BHRB cannot be turned off when other\n\t\t * events are active on the PMU.\n\t\t */\n\n\t\t/* avoid stale pointer */\n\t\tcpuhw->bhrb_context = NULL;\n\t}\n}", "project": "linux", "hash": 212123149106754109369390422187349782562, "size": 20, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. 
If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374674 }, { "func": "static inline void power_pmu_bhrb_disable(struct perf_event *event) {}", "project": "linux", "hash": 14776220123800605816085089946874289667, "size": 1, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374691 }, { "func": "static inline int keepalive_time_when(const struct tcp_sock *tp)\n{\n\tstruct net *net = sock_net((struct sock *)tp);\n\n\treturn tp->keepalive_time ? : net->ipv4.sysctl_tcp_keepalive_time;\n}", "project": "linux", "hash": 151154316067198811164511955375957491496, "size": 6, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410819 }, { "func": "static_fn Sfdouble_t number(const char *s, char **p, int b, struct lval *lvalue) {\n Sfdouble_t r;\n char *t;\n int oerrno;\n int c;\n char base;\n struct lval v;\n\n oerrno = errno;\n errno = 0;\n base = b;\n\n if (!lvalue) {\n lvalue = &v;\n } else if (lvalue->shp->bltindata.bnode == SYSLET && !sh_isoption(lvalue->shp, SH_LETOCTAL)) {\n while (*s == '0' && isdigit(s[1])) s++;\n }\n lvalue->eflag = 0;\n lvalue->isfloat = 0;\n r = strton64(s, &t, &base, -1);\n if (*t == '8' || *t == '9') {\n base = 10;\n errno = 0;\n r = strton64(s, &t, &base, -1);\n }\n if (base <= 1) base = 10;\n if (*t == '_') {\n if ((r == 1 || r == 2) && strcmp(t, \"_PI\") == 0) {\n t += 3;\n r = Mtable[(int)r - 1].value;\n } else if (r == 2 && strcmp(t, \"_SQRTPI\") == 0) {\n t += 7;\n r = Mtable[2].value;\n }\n }\n c = r == LLONG_MAX && errno ? 'e' : *t;\n if (c == getdecimal() || c == 'e' || c == 'E' || (base == 16 && (c == 'p' || c == 'P'))) {\n r = strtold(s, &t);\n lvalue->isfloat = TYPE_LD;\n }\n if (t > s) {\n if (*t == 'f' || *t == 'F') {\n t++;\n lvalue->isfloat = TYPE_F;\n r = (float)r;\n } else if (*t == 'l' || *t == 'L') {\n t++;\n lvalue->isfloat = TYPE_LD;\n } else if (*t == 'd' || *t == 'D') {\n t++;\n lvalue->isfloat = TYPE_LD;\n r = (double)r;\n }\n }\n errno = oerrno;\n *p = t;\n return r;\n}", "project": "ast", "hash": 216455726719418154603367083385730228503, "size": 58, "commit_id": "c7de8b641266bac7c77942239ac659edfee9ecd2", "message": "Harden env var imports", "target": 0, "dataset": "other", "idx": 321866 }, { "func": "static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)\n{\n\tconst struct nf_conntrack_l4proto *l4proto;\n\tstruct nlattr *nest_proto;\n\tint ret;\n\n\tl4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));\n\tif (!l4proto->to_nlattr)\n\t\treturn 0;\n\n\tnest_proto = nla_nest_start(skb, CTA_PROTOINFO);\n\tif (!nest_proto)\n\t\tgoto nla_put_failure;\n\n\tret = 
l4proto->to_nlattr(skb, nest_proto, ct);\n\n\tnla_nest_end(skb, nest_proto);\n\n\treturn ret;\n\nnla_put_failure:\n\treturn -1;\n}", "project": "linux", "hash": 273590149370198880364543226168275789241, "size": 23, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394224 }, { "func": "rdpGlyph* glyph_cache_get(rdpGlyphCache* glyphCache, UINT32 id, UINT32 index)\n{\n\trdpGlyph* glyph;\n\tWLog_Print(glyphCache->log, 
WLOG_DEBUG, \"GlyphCacheGet: id: %\" PRIu32 \" index: %\" PRIu32 \"\", id,\n\t index);\n\n\tif (id > 9)\n\t{\n\t\tWLog_ERR(TAG, \"invalid glyph cache id: %\" PRIu32 \"\", id);\n\t\treturn NULL;\n\t}\n\n\tif (index > glyphCache->glyphCache[id].number)\n\t{\n\t\tWLog_ERR(TAG, \"index %\" PRIu32 \" out of range for cache id: %\" PRIu32 \"\", index, id);\n\t\treturn NULL;\n\t}\n\n\tglyph = glyphCache->glyphCache[id].entries[index];\n\n\tif (!glyph)\n\t\tWLog_ERR(TAG, \"no glyph found at cache index: %\" PRIu32 \" in cache id: %\" PRIu32 \"\", index,\n\t\t id);\n\n\treturn glyph;\n}", "project": "FreeRDP", "hash": 258987078747334953993772732169607077553, "size": 26, "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 0, "dataset": "other", "idx": 432857 }, { "func": "static int dequeue_synchronous_signal(kernel_siginfo_t *info)\n{\n\tstruct task_struct *tsk = current;\n\tstruct sigpending *pending = &tsk->pending;\n\tstruct sigqueue *q, *sync = NULL;\n\n\t/*\n\t * Might a synchronous signal be in the queue?\n\t */\n\tif (!((pending->signal.sig[0] & ~tsk->blocked.sig[0]) & SYNCHRONOUS_MASK))\n\t\treturn 0;\n\n\t/*\n\t * Return the first synchronous signal in the queue.\n\t */\n\tlist_for_each_entry(q, &pending->list, list) {\n\t\t/* Synchronous signals have a postive si_code */\n\t\tif ((q->info.si_code > SI_USER) &&\n\t\t (sigmask(q->info.si_signo) & SYNCHRONOUS_MASK)) {\n\t\t\tsync = q;\n\t\t\tgoto next;\n\t\t}\n\t}\n\treturn 0;\nnext:\n\t/*\n\t * Check if there is another siginfo for the same signal.\n\t */\n\tlist_for_each_entry_continue(q, &pending->list, list) {\n\t\tif (q->info.si_signo == sync->info.si_signo)\n\t\t\tgoto still_pending;\n\t}\n\n\tsigdelset(&pending->signal, sync->info.si_signo);\n\trecalc_sigpending();\nstill_pending:\n\tlist_del_init(&sync->list);\n\tcopy_siginfo(info, 
&sync->info);\n\t__sigqueue_free(sync);\n\treturn info->si_signo;\n}", "project": "linux", "hash": 146931721021353705048872436466230840023, "size": 41, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375174 }, { "func": "static u8 hwme_set_request_sync(\n\tu8 hw_attribute,\n\tu8 hw_attribute_length,\n\tu8 *hw_attribute_value,\n\tvoid *device_ref\n)\n{\n\tstruct mac_message command, response;\n\n\tcommand.command_id = SPI_HWME_SET_REQUEST;\n\tcommand.length = 2 + hw_attribute_length;\n\tcommand.pdata.hwme_set_req.hw_attribute = hw_attribute;\n\tcommand.pdata.hwme_set_req.hw_attribute_length = hw_attribute_length;\n\tmemcpy(\n\t\tcommand.pdata.hwme_set_req.hw_attribute_value,\n\t\thw_attribute_value,\n\t\thw_attribute_length\n\t);\n\n\tif (cascoda_api_downstream(\n\t\t&command.command_id,\n\t\tcommand.length + 2,\n\t\t&response.command_id,\n\t\tdevice_ref)) {\n\t\treturn MAC_SYSTEM_ERROR;\n\t}\n\n\tif (response.command_id != SPI_HWME_SET_CONFIRM)\n\t\treturn MAC_SYSTEM_ERROR;\n\n\treturn response.pdata.hwme_set_cnf.status;\n}", "project": "linux", "hash": 51198892789438327985600952026209560520, "size": 32, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408786 }, { "func": "static ssize_t tty_read(struct file *file, char __user *buf, size_t count,\n\t\t\tloff_t *ppos)\n{\n\tint i;\n\tstruct inode *inode = file_inode(file);\n\tstruct tty_struct *tty = file_tty(file);\n\tstruct tty_ldisc *ld;\n\n\tif (tty_paranoia_check(tty, inode, \"tty_read\"))\n\t\treturn -EIO;\n\tif (!tty || tty_io_error(tty))\n\t\treturn -EIO;\n\n\t/* We want to wait for the line discipline to sort out in this\n\t situation */\n\tld = tty_ldisc_ref_wait(tty);\n\tif (!ld)\n\t\treturn 
hung_up_tty_read(file, buf, count, ppos);\n\tif (ld->ops->read)\n\t\ti = ld->ops->read(tty, file, buf, count);\n\telse\n\t\ti = -EIO;\n\ttty_ldisc_deref(ld);\n\n\tif (i > 0)\n\t\ttty_update_time(&inode->i_atime);\n\n\treturn i;\n}", "project": "linux", "hash": 15114801836919263385887925150332388030, "size": 29, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326059 }, { "func": "static inline void memcg_propagate_slab_attrs(struct kmem_cache *s) { }", "project": "linux", "hash": 93047378226897399685310602758140755958, "size": 1, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280208 }, { "func": "\nstatic void memcg_propagate_slab_attrs(struct kmem_cache *s)\n{\n#ifdef CONFIG_MEMCG\n\tint i;\n\tchar *buffer = NULL;\n\tstruct kmem_cache *root_cache;\n\n\tif (is_root_cache(s))\n\t\treturn;\n\n\troot_cache = s->memcg_params.root_cache;\n\n\t/*\n\t * This mean this cache had no attribute written. Therefore, no point\n\t * in copying default values around\n\t */\n\tif (!root_cache->max_attr_size)\n\t\treturn;\n\n\tfor (i = 0; i < ARRAY_SIZE(slab_attrs); i++) {\n\t\tchar mbuf[64];\n\t\tchar *buf;\n\t\tstruct slab_attribute *attr = to_slab_attr(slab_attrs[i]);\n\t\tssize_t len;\n\n\t\tif (!attr || !attr->store || !attr->show)\n\t\t\tcontinue;\n\n\t\t/*\n\t\t * It is really bad that we have to allocate here, so we will\n\t\t * do it only as a fallback. 
If we actually allocate, though,\n\t\t * we can just use the allocated buffer until the end.\n\t\t *\n\t\t * Most of the slub attributes will tend to be very small in\n\t\t * size, but sysfs allows buffers up to a page, so they can\n\t\t * theoretically happen.\n\t\t */\n\t\tif (buffer)\n\t\t\tbuf = buffer;\n\t\telse if (root_cache->max_attr_size < ARRAY_SIZE(mbuf))\n\t\t\tbuf = mbuf;\n\t\telse {\n\t\t\tbuffer = (char *) get_zeroed_page(GFP_KERNEL);\n\t\t\tif (WARN_ON(!buffer))\n\t\t\t\tcontinue;\n\t\t\tbuf = buffer;\n\t\t}\n\n\t\tlen = attr->show(root_cache, buf);\n\t\tif (len > 0)\n\t\t\tattr->store(s, buf, len);\n\t}\n\n\tif (buffer)\n\t\tfree_page((unsigned long)buffer);\n#endif\t/* CONFIG_MEMCG */", "project": "linux", "hash": 261969672606639731524072745928360461571, "size": 57, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280225 }, { "func": "static void mix_pool_bytes(struct entropy_store *r, const void *in, int bytes)\n{\n mix_pool_bytes_extract(r, in, bytes, NULL);\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 74710822036730524529271452644626459531, "size": 4, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. 
I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499891 }, { "func": "static void pipe_grant_credits(struct sock *sk, gfp_t priority)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\n\tBUG_ON(sk->sk_state != TCP_ESTABLISHED);\n\n\tswitch (pn->rx_fc) {\n\tcase PN_LEGACY_FLOW_CONTROL: /* TODO */\n\t\tbreak;\n\tcase PN_ONE_CREDIT_FLOW_CONTROL:\n\t\tif (pipe_snd_status(sk, PN_PEP_IND_FLOW_CONTROL,\n\t\t\t\t\tPEP_IND_READY, priority) == 0)\n\t\t\tpn->rx_credits = 1;\n\t\tbreak;\n\tcase PN_MULTI_CREDIT_FLOW_CONTROL:\n\t\tif ((pn->rx_credits + CREDITS_THR) > CREDITS_MAX)\n\t\t\tbreak;\n\t\tif (pipe_snd_status(sk, PN_PEP_IND_ID_MCFC_GRANT_CREDITS,\n\t\t\t\t\tCREDITS_MAX - pn->rx_credits,\n\t\t\t\t\tpriority) == 0)\n\t\t\tpn->rx_credits = CREDITS_MAX;\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 260098887685357429471471072391914990581, "size": 24, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224806 }, { "func": "bool WindowsServiceControl::uninstall()\n{\n\tif( checkService() == false )\n\t{\n\t\treturn false;\n\t}\n\n\tif( stop() == false )\n\t{\n\t\treturn false;\n\t}\n\n\tif( DeleteService( m_serviceHandle ) == false )\n\t{\n\t\tvCritical() << qUtf8Printable( tr( \"The service \\\"%1\\\" could not be uninstalled.\" ).arg( m_name ) );\n\t\treturn false;\n\t}\n\n\tvInfo() << qUtf8Printable( tr( \"The service \\\"%1\\\" has been uninstalled successfully.\" ).arg( m_name ) );\n\n\treturn 
true;\n}", "project": "veyon", "hash": 312539570230243898716204018685037077374, "size": 22, "commit_id": "f231ec511b9a09f43f49b2c7bb7c60b8046276b1", "message": "WindowsServiceControl: quote service binary path\n\nFix unquoted service path vulnerability.\n\nCloses #657.", "target": 0, "dataset": "other", "idx": 241026 }, { "func": "ssize_t wsrep_sst_prepare (void** msg)\n{\n const ssize_t ip_max= 256;\n char ip_buf[ip_max];\n const char* addr_in= NULL;\n const char* addr_out= NULL;\n\n if (!strcmp(wsrep_sst_method, WSREP_SST_SKIP))\n {\n ssize_t ret = strlen(WSREP_STATE_TRANSFER_TRIVIAL) + 1;\n *msg = strdup(WSREP_STATE_TRANSFER_TRIVIAL);\n if (!msg)\n {\n WSREP_ERROR(\"Could not allocate %zd bytes for state request\", ret);\n unireg_abort(1);\n }\n return ret;\n }\n\n // Figure out SST address. Common for all SST methods\n if (wsrep_sst_receive_address &&\n strcmp (wsrep_sst_receive_address, WSREP_SST_ADDRESS_AUTO))\n {\n addr_in= wsrep_sst_receive_address;\n }\n else if (wsrep_node_address && strlen(wsrep_node_address))\n {\n size_t const addr_len= strlen(wsrep_node_address);\n size_t const host_len= wsrep_host_len(wsrep_node_address, addr_len);\n\n if (host_len < addr_len)\n {\n strncpy (ip_buf, wsrep_node_address, host_len);\n ip_buf[host_len]= '\\0';\n addr_in= ip_buf;\n }\n else\n {\n addr_in= wsrep_node_address;\n }\n }\n else\n {\n ssize_t ret= wsrep_guess_ip (ip_buf, ip_max);\n\n if (ret && ret < ip_max)\n {\n addr_in= ip_buf;\n }\n else\n {\n WSREP_ERROR(\"Could not prepare state transfer request: \"\n \"failed to guess address to accept state transfer at. \"\n \"wsrep_sst_receive_address must be set manually.\");\n unireg_abort(1);\n }\n }\n\n ssize_t addr_len= -ENOSYS;\n if (!strcmp(wsrep_sst_method, WSREP_SST_MYSQLDUMP))\n {\n addr_len= sst_prepare_mysqldump (addr_in, &addr_out);\n if (addr_len < 0) unireg_abort(1);\n }\n else\n {\n /*! 
A heuristic workaround until we learn how to stop and start engines */\n if (SE_initialized)\n {\n // we already did SST at initializaiton, now engines are running\n // sql_print_information() is here because the message is too long\n // for WSREP_INFO.\n sql_print_information (\"WSREP: \"\n \"You have configured '%s' state snapshot transfer method \"\n \"which cannot be performed on a running server. \"\n \"Wsrep provider won't be able to fall back to it \"\n \"if other means of state transfer are unavailable. \"\n \"In that case you will need to restart the server.\",\n wsrep_sst_method);\n *msg = 0;\n return 0;\n }\n\n addr_len = sst_prepare_other (wsrep_sst_method, sst_auth_real,\n addr_in, &addr_out);\n if (addr_len < 0)\n {\n WSREP_ERROR(\"Failed to prepare for '%s' SST. Unrecoverable.\",\n wsrep_sst_method);\n unireg_abort(1);\n }\n }\n\n size_t const method_len(strlen(wsrep_sst_method));\n size_t const msg_len (method_len + addr_len + 2 /* + auth_len + 1*/);\n\n *msg = malloc (msg_len);\n if (NULL != *msg) {\n char* const method_ptr(reinterpret_cast(*msg));\n strcpy (method_ptr, wsrep_sst_method);\n char* const addr_ptr(method_ptr + method_len + 1);\n strcpy (addr_ptr, addr_out);\n\n WSREP_INFO (\"Prepared SST request: %s|%s\", method_ptr, addr_ptr);\n }\n else {\n WSREP_ERROR(\"Failed to allocate SST request of size %zu. 
Can't continue.\",\n msg_len);\n unireg_abort(1);\n }\n\n if (addr_out != addr_in) /* malloc'ed */ free ((char*)addr_out);\n\n return msg_len;\n}", "project": "mysql-wsrep", "hash": 91616680658848494620341157415185794757, "size": 115, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454817 }, { "func": "static void hidinput_cleanup_battery(struct hid_device *dev)\n{\n\tconst struct power_supply_desc *psy_desc;\n\n\tif (!dev->battery)\n\t\treturn;\n\n\tpsy_desc = dev->battery->desc;\n\tpower_supply_unregister(dev->battery);\n\tkfree(psy_desc->name);\n\tkfree(psy_desc);\n\tdev->battery = NULL;\n}", "project": "linux", "hash": 88518329645500065764629787165187624302, "size": 13, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458330 }, { "func": "static void hidinput_cleanup_battery(struct hid_device *dev)\n{\n}", "project": "linux", "hash": 339090025825949999426332434940156911760, "size": 3, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and 
type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458348 }, { "func": "static void init_window_mask(struct rar5* rar) {\n\tif (rar->cstate.window_size)\n\t\trar->cstate.window_mask = rar->cstate.window_size - 1;\n\telse\n\t\trar->cstate.window_mask = 0;\n}", "project": "libarchive", "hash": 131394031417827794778549697899934351860, "size": 6, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244777 }, { "func": "static int __init set_cmdline_ftrace(char *str)\n{\n\tstrlcpy(bootup_tracer_buf, str, MAX_TRACER_SIZE);\n\tdefault_bootup_tracer = bootup_tracer_buf;\n\t/* We are using ftrace early, expand it */\n\tring_buffer_expanded = true;\n\treturn 1;\n}", "project": "linux", "hash": 87607723712701573199094187683217998619, "size": 8, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445665 }, { "func": "static int tcp_process_frto(struct sock *sk, int flag)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\ttcp_verify_left_out(tp);\n\n\t/* Duplicate the behavior from Loss state (fastretrans_alert) */\n\tif (flag & FLAG_DATA_ACKED)\n\t\tinet_csk(sk)->icsk_retransmits = 0;\n\n\tif ((flag & FLAG_NONHEAD_RETRANS_ACKED) ||\n\t ((tp->frto_counter >= 2) && (flag & FLAG_RETRANS_DATA_ACKED)))\n\t\ttp->undo_marker = 0;\n\n\tif (!before(tp->snd_una, tp->frto_highmark)) {\n\t\ttcp_enter_frto_loss(sk, (tp->frto_counter == 1 ? 2 : 3), flag);\n\t\treturn 1;\n\t}\n\n\tif (!tcp_is_sackfrto(tp)) {\n\t\t/* RFC4138 shortcoming in step 2; should also have case c):\n\t\t * ACK isn't duplicate nor advances window, e.g., opposite dir\n\t\t * data, winupdate\n\t\t */\n\t\tif (!(flag & FLAG_ANY_PROGRESS) && (flag & FLAG_NOT_DUP))\n\t\t\treturn 1;\n\n\t\tif (!(flag & FLAG_DATA_ACKED)) {\n\t\t\ttcp_enter_frto_loss(sk, (tp->frto_counter == 1 ? 0 : 3),\n\t\t\t\t\t flag);\n\t\t\treturn 1;\n\t\t}\n\t} else {\n\t\tif (!(flag & FLAG_DATA_ACKED) && (tp->frto_counter == 1)) {\n\t\t\t/* Prevent sending of new data. 
*/\n\t\t\ttp->snd_cwnd = min(tp->snd_cwnd,\n\t\t\t\t\t tcp_packets_in_flight(tp));\n\t\t\treturn 1;\n\t\t}\n\n\t\tif ((tp->frto_counter >= 2) &&\n\t\t (!(flag & FLAG_FORWARD_PROGRESS) ||\n\t\t ((flag & FLAG_DATA_SACKED) &&\n\t\t !(flag & FLAG_ONLY_ORIG_SACKED)))) {\n\t\t\t/* RFC4138 shortcoming (see comment above) */\n\t\t\tif (!(flag & FLAG_FORWARD_PROGRESS) &&\n\t\t\t (flag & FLAG_NOT_DUP))\n\t\t\t\treturn 1;\n\n\t\t\ttcp_enter_frto_loss(sk, 3, flag);\n\t\t\treturn 1;\n\t\t}\n\t}\n\n\tif (tp->frto_counter == 1) {\n\t\t/* tcp_may_send_now needs to see updated state */\n\t\ttp->snd_cwnd = tcp_packets_in_flight(tp) + 2;\n\t\ttp->frto_counter = 2;\n\n\t\tif (!tcp_may_send_now(sk))\n\t\t\ttcp_enter_frto_loss(sk, 2, flag);\n\n\t\treturn 1;\n\t} else {\n\t\tswitch (sysctl_tcp_frto_response) {\n\t\tcase 2:\n\t\t\ttcp_undo_spur_to_response(sk, flag);\n\t\t\tbreak;\n\t\tcase 1:\n\t\t\ttcp_conservative_spur_to_response(tp);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\ttcp_ratehalving_spur_to_response(sk);\n\t\t\tbreak;\n\t\t}\n\t\ttp->frto_counter = 0;\n\t\ttp->undo_marker = 0;\n\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPSPURIOUSRTOS);\n\t}\n\treturn 0;\n}", "project": "net-next", "hash": 15587577588072619113682638902807127469, "size": 81, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409877 }, { "func": "void ItemStackMetadata::clearToolCapabilities()\n{\n\tsetString(TOOLCAP_KEY, \"\");\n}", "project": "minetest", "hash": 133434509702343024967214120276586774619, "size": 4, "commit_id": "b5956bde259faa240a81060ff4e598e25ad52dae", "message": "Sanitize ItemStack meta text", "target": 0, "dataset": "other", "idx": 279955 }, { "func": "int blosc2_decompress_ctx(blosc2_context* context, const void* src, int32_t srcsize,\n void* dest, int32_t destsize) {\n int result;\n\n if (context->do_compress != 0) {\n fprintf(stderr, \"Context is not meant for decompression. Giving up.\\n\");\n return -10;\n }\n\n result = blosc_run_decompression_with_context(context, src, srcsize, dest, destsize);\n\n // Reset a possible block_maskout\n if (context->block_maskout != NULL) {\n free(context->block_maskout);\n context->block_maskout = NULL;\n }\n context->block_maskout_nitems = 0;\n\n return result;\n}", "project": "c-blosc2", "hash": 271657193582461659602199750513137553770, "size": 20, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303060 }, { "func": "static __init int init_trace_selftests(void)\n{\n\tstruct trace_selftests *p, *n;\n\tstruct tracer *t, **last;\n\tint ret;\n\n\tselftests_can_run = true;\n\n\tmutex_lock(&trace_types_lock);\n\n\tif (list_empty(&postponed_selftests))\n\t\tgoto out;\n\n\tpr_info(\"Running postponed tracer tests:\\n\");\n\n\tlist_for_each_entry_safe(p, n, &postponed_selftests, list) {\n\t\tret = run_tracer_selftest(p->type);\n\t\t/* If the test fails, then warn and remove from available_tracers */\n\t\tif (ret < 0) {\n\t\t\tWARN(1, \"tracer: %s failed selftest, disabling\\n\",\n\t\t\t p->type->name);\n\t\t\tlast = &trace_types;\n\t\t\tfor (t = trace_types; t; t = t->next) {\n\t\t\t\tif (t == p->type) {\n\t\t\t\t\t*last = 
t->next;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tlast = &t->next;\n\t\t\t}\n\t\t}\n\t\tlist_del(&p->list);\n\t\tkfree(p);\n\t}\n\n out:\n\tmutex_unlock(&trace_types_lock);\n\n\treturn 0;\n}", "project": "linux", "hash": 78234929464889943073624584158520240477, "size": 39, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445671 }, { "func": "static int read_var(struct archive_read* a, uint64_t* pvalue,\n uint64_t* pvalue_len)\n{\n\tuint64_t result = 0;\n\tsize_t shift, i;\n\tconst uint8_t* p;\n\tuint8_t b;\n\n\t/* We will read maximum of 8 bytes. We don't have to handle the\n\t * situation to read the RAR5 variable-sized value stored at the end of\n\t * the file, because such situation will never happen. */\n\tif(!read_ahead(a, 8, &p))\n\t\treturn 0;\n\n\tfor(shift = 0, i = 0; i < 8; i++, shift += 7) {\n\t\tb = p[i];\n\n\t\t/* Strip the MSB from the input byte and add the resulting\n\t\t * number to the `result`. */\n\t\tresult += (b & (uint64_t)0x7F) << shift;\n\n\t\t/* MSB set to 1 means we need to continue decoding process.\n\t\t * MSB set to 0 means we're done.\n\t\t *\n\t\t * This conditional checks for the second case. 
*/\n\t\tif((b & 0x80) == 0) {\n\t\t\tif(pvalue) {\n\t\t\t\t*pvalue = result;\n\t\t\t}\n\n\t\t\t/* If the caller has passed the `pvalue_len` pointer,\n\t\t\t * store the number of consumed bytes in it and do NOT\n\t\t\t * consume those bytes, since the caller has all the\n\t\t\t * information it needs to perform */\n\t\t\tif(pvalue_len) {\n\t\t\t\t*pvalue_len = 1 + i;\n\t\t\t} else {\n\t\t\t\t/* If the caller did not provide the\n\t\t\t\t * `pvalue_len` pointer, it will not have the\n\t\t\t\t * possibility to advance the file pointer,\n\t\t\t\t * because it will not know how many bytes it\n\t\t\t\t * needs to consume. This is why we handle\n\t\t\t\t * such situation here automatically. */\n\t\t\t\tif(ARCHIVE_OK != consume(a, 1 + i)) {\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t/* End of decoding process, return success. */\n\t\t\treturn 1;\n\t\t}\n\t}\n\n\t/* The decoded value takes the maximum number of 8 bytes.\n\t * It's a maximum number of bytes, so end decoding process here\n\t * even if the first bit of last byte is 1. */\n\tif(pvalue) {\n\t\t*pvalue = result;\n\t}\n\n\tif(pvalue_len) {\n\t\t*pvalue_len = 9;\n\t} else {\n\t\tif(ARCHIVE_OK != consume(a, 9)) {\n\t\t\treturn 0;\n\t\t}\n\t}\n\n\treturn 1;\n}", "project": "libarchive", "hash": 146126817281951335602180870586898148788, "size": 70, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244805 }, { "func": "static int fuse_setattr(struct dentry *entry, struct iattr *attr)\n{\n\tstruct inode *inode = d_inode(entry);\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tstruct file *file = (attr->ia_valid & ATTR_FILE) ? attr->ia_file : NULL;\n\tint ret;\n\n\tif (fuse_is_bad(inode))\n\t\treturn -EIO;\n\n\tif (!fuse_allow_current_process(get_fuse_conn(inode)))\n\t\treturn -EACCES;\n\n\tif (attr->ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID)) {\n\t\tattr->ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID |\n\t\t\t\t ATTR_MODE);\n\n\t\t/*\n\t\t * The only sane way to reliably kill suid/sgid is to do it in\n\t\t * the userspace filesystem\n\t\t *\n\t\t * This should be done on write(), truncate() and chown().\n\t\t */\n\t\tif (!fc->handle_killpriv && !fc->handle_killpriv_v2) {\n\t\t\t/*\n\t\t\t * ia_mode calculation may have used stale i_mode.\n\t\t\t * Refresh and recalculate.\n\t\t\t */\n\t\t\tret = fuse_do_getattr(inode, NULL, file);\n\t\t\tif (ret)\n\t\t\t\treturn ret;\n\n\t\t\tattr->ia_mode = inode->i_mode;\n\t\t\tif (inode->i_mode & S_ISUID) {\n\t\t\t\tattr->ia_valid |= ATTR_MODE;\n\t\t\t\tattr->ia_mode &= ~S_ISUID;\n\t\t\t}\n\t\t\tif ((inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {\n\t\t\t\tattr->ia_valid |= ATTR_MODE;\n\t\t\t\tattr->ia_mode &= ~S_ISGID;\n\t\t\t}\n\t\t}\n\t}\n\tif (!attr->ia_valid)\n\t\treturn 0;\n\n\tret = fuse_do_setattr(entry, attr, file);\n\tif (!ret) {\n\t\t/*\n\t\t * If filesystem supports acls it may have updated acl xattrs in\n\t\t * the filesystem, so 
forget cached acls for the inode.\n\t\t */\n\t\tif (fc->posix_acl)\n\t\t\tforget_all_cached_acls(inode);\n\n\t\t/* Directory mode changed, may need to revalidate access */\n\t\tif (d_is_dir(entry) && (attr->ia_valid & ATTR_MODE))\n\t\t\tfuse_invalidate_entry_cache(entry);\n\t}\n\treturn ret;\n}", "project": "linux", "hash": 61551249408305545839353972446819399068, "size": 61, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341986 }, { "func": "int imap_open_connection(struct ImapAccountData *adata)\n{\n if (mutt_socket_open(adata->conn) < 0)\n return -1;\n\n adata->state = IMAP_CONNECTED;\n\n if (imap_cmd_step(adata) != IMAP_RES_OK)\n {\n imap_close_connection(adata);\n return -1;\n }\n\n if (mutt_istr_startswith(adata->buf, \"* OK\"))\n {\n if (!mutt_istr_startswith(adata->buf, \"* OK [CAPABILITY\") && check_capabilities(adata))\n {\n goto bail;\n }\n#ifdef USE_SSL\n /* Attempt STARTTLS if available and desired. 
*/\n if ((adata->conn->ssf == 0) && (C_SslForceTls || (adata->capabilities & IMAP_CAP_STARTTLS)))\n {\n enum QuadOption ans;\n\n if (C_SslForceTls)\n ans = MUTT_YES;\n else if ((ans = query_quadoption(C_SslStarttls,\n _(\"Secure connection with TLS?\"))) == MUTT_ABORT)\n {\n goto err_close_conn;\n }\n if (ans == MUTT_YES)\n {\n enum ImapExecResult rc = imap_exec(adata, \"STARTTLS\", IMAP_CMD_SINGLE);\n // Clear any data after the STARTTLS acknowledgement\n mutt_socket_empty(adata->conn);\n\n if (rc == IMAP_EXEC_FATAL)\n goto bail;\n if (rc != IMAP_EXEC_ERROR)\n {\n if (mutt_ssl_starttls(adata->conn))\n {\n mutt_error(_(\"Could not negotiate TLS connection\"));\n goto err_close_conn;\n }\n else\n {\n /* RFC2595 demands we recheck CAPABILITY after TLS completes. */\n if (imap_exec(adata, \"CAPABILITY\", IMAP_CMD_NO_FLAGS))\n goto bail;\n }\n }\n }\n }\n\n if (C_SslForceTls && (adata->conn->ssf == 0))\n {\n mutt_error(_(\"Encrypted connection unavailable\"));\n goto err_close_conn;\n }\n#endif\n }\n else if (mutt_istr_startswith(adata->buf, \"* PREAUTH\"))\n {\n#ifdef USE_SSL\n /* Unless using a secure $tunnel, an unencrypted PREAUTH response may be a\n * MITM attack. The only way to stop \"STARTTLS\" MITM attacks is via\n * $ssl_force_tls: an attacker can easily spoof \"* OK\" and strip the\n * STARTTLS capability. So consult $ssl_force_tls, not $ssl_starttls, to\n * decide whether to abort. Note that if using $tunnel and\n * $tunnel_is_secure, adata->conn->ssf will be set to 1. 
*/\n if ((adata->conn->ssf == 0) && C_SslForceTls)\n {\n mutt_error(_(\"Encrypted connection unavailable\"));\n goto err_close_conn;\n }\n#endif\n\n adata->state = IMAP_AUTHENTICATED;\n if (check_capabilities(adata) != 0)\n goto bail;\n FREE(&adata->capstr);\n }\n else\n {\n imap_error(\"imap_open_connection()\", adata->buf);\n goto bail;\n }\n\n return 0;\n\n#ifdef USE_SSL\nerr_close_conn:\n imap_close_connection(adata);\n#endif\nbail:\n FREE(&adata->capstr);\n return -1;\n}", "project": "neomutt", "hash": 116037772614219807053318355003276943446, "size": 101, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 1, "dataset": "other", "idx": 204337 }, { "func": "int imap_open_connection(struct ImapAccountData *adata)\n{\n if (mutt_socket_open(adata->conn) < 0)\n return -1;\n\n adata->state = IMAP_CONNECTED;\n\n if (imap_cmd_step(adata) != IMAP_RES_OK)\n {\n imap_close_connection(adata);\n return -1;\n }\n\n if (mutt_istr_startswith(adata->buf, \"* OK\"))\n {\n if (!mutt_istr_startswith(adata->buf, \"* OK [CAPABILITY\") && check_capabilities(adata))\n {\n goto bail;\n }\n#ifdef USE_SSL\n /* Attempt STARTTLS if available and desired. 
*/\n if ((adata->conn->ssf == 0) && (C_SslForceTls || (adata->capabilities & IMAP_CAP_STARTTLS)))\n {\n enum QuadOption ans;\n\n if (C_SslForceTls)\n ans = MUTT_YES;\n else if ((ans = query_quadoption(C_SslStarttls,\n _(\"Secure connection with TLS?\"))) == MUTT_ABORT)\n {\n goto bail;\n }\n if (ans == MUTT_YES)\n {\n enum ImapExecResult rc = imap_exec(adata, \"STARTTLS\", IMAP_CMD_SINGLE);\n // Clear any data after the STARTTLS acknowledgement\n mutt_socket_empty(adata->conn);\n\n if (rc == IMAP_EXEC_FATAL)\n goto bail;\n if (rc != IMAP_EXEC_ERROR)\n {\n if (mutt_ssl_starttls(adata->conn))\n {\n mutt_error(_(\"Could not negotiate TLS connection\"));\n goto bail;\n }\n else\n {\n /* RFC2595 demands we recheck CAPABILITY after TLS completes. */\n if (imap_exec(adata, \"CAPABILITY\", IMAP_CMD_NO_FLAGS))\n goto bail;\n }\n }\n }\n }\n\n if (C_SslForceTls && (adata->conn->ssf == 0))\n {\n mutt_error(_(\"Encrypted connection unavailable\"));\n goto bail;\n }\n#endif\n }\n else if (mutt_istr_startswith(adata->buf, \"* PREAUTH\"))\n {\n#ifdef USE_SSL\n /* Unless using a secure $tunnel, an unencrypted PREAUTH response may be a\n * MITM attack. The only way to stop \"STARTTLS\" MITM attacks is via\n * $ssl_force_tls: an attacker can easily spoof \"* OK\" and strip the\n * STARTTLS capability. So consult $ssl_force_tls, not $ssl_starttls, to\n * decide whether to abort. Note that if using $tunnel and\n * $tunnel_is_secure, adata->conn->ssf will be set to 1. 
*/\n if ((adata->conn->ssf == 0) && C_SslForceTls)\n {\n mutt_error(_(\"Encrypted connection unavailable\"));\n goto bail;\n }\n#endif\n\n adata->state = IMAP_AUTHENTICATED;\n if (check_capabilities(adata) != 0)\n goto bail;\n FREE(&adata->capstr);\n }\n else\n {\n imap_error(\"imap_open_connection()\", adata->buf);\n goto bail;\n }\n\n return 0;\n\nbail:\n imap_close_connection(adata);\n FREE(&adata->capstr);\n return -1;\n}", "project": "neomutt", "hash": 72296476132372139826321996354956312569, "size": 98, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357032 }, { "func": "static void hci_cc_read_local_commands(struct hci_dev *hdev,\n\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_read_local_commands *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tif (hci_dev_test_flag(hdev, HCI_SETUP) ||\n\t hci_dev_test_flag(hdev, HCI_CONFIG))\n\t\tmemcpy(hdev->commands, rp->commands, sizeof(hdev->commands));\n}", "project": "linux", "hash": 197897638383067818133098626550146136446, "size": 14, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431896 }, { "func": "static int do_unpack(struct archive_read* a, struct rar5* rar,\n const void** buf, size_t* size, int64_t* offset)\n{\n\tenum COMPRESSION_METHOD {\n\t\tSTORE = 0, FASTEST = 1, FAST = 2, NORMAL = 3, GOOD = 4,\n\t\tBEST = 5\n\t};\n\n\tif(rar->file.service > 0) {\n\t\treturn do_unstore_file(a, rar, buf, size, offset);\n\t} else {\n\t\tswitch(rar->cstate.method) {\n\t\t\tcase STORE:\n\t\t\t\treturn do_unstore_file(a, rar, buf, size,\n\t\t\t\t offset);\n\t\t\tcase FASTEST:\n\t\t\t\t/* fallthrough */\n\t\t\tcase FAST:\n\t\t\t\t/* fallthrough */\n\t\t\tcase NORMAL:\n\t\t\t\t/* fallthrough */\n\t\t\tcase GOOD:\n\t\t\t\t/* fallthrough */\n\t\t\tcase BEST:\n\t\t\t\treturn uncompress_file(a);\n\t\t\tdefault:\n\t\t\t\tarchive_set_error(&a->archive,\n\t\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t\t \"Compression method not supported: 0x%x\",\n\t\t\t\t rar->cstate.method);\n\n\t\t\t\treturn ARCHIVE_FATAL;\n\t\t}\n\t}\n\n#if !defined WIN32\n\t/* Not reached. */\n\treturn ARCHIVE_OK;\n#endif\n}", "project": "libarchive", "hash": 45646433394813524584309927782375381833, "size": 40, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244784 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void ocall_throw(const char *message) {\n JNIEnv* env;\n jvm->AttachCurrentThread((void**) &env, NULL);\n jclass exception = env->FindClass(\"edu/berkeley/cs/rise/opaque/OpaqueException\");\n env->ThrowNew(exception, message);\n}", "idx": 519102, "cwe": "CWE-787", "hash": 109994141496379709938197426000164570545, "dataset": "other" }, { "func": "static void __stop_cpu_timer_accounting(struct kvm_vcpu *vcpu)\n{\n\tWARN_ON_ONCE(vcpu->arch.cputm_start == 0);\n\traw_write_seqcount_begin(&vcpu->arch.cputm_seqcount);\n\tvcpu->arch.sie_block->cputm -= get_tod_clock_fast() - vcpu->arch.cputm_start;\n\tvcpu->arch.cputm_start = 0;\n\traw_write_seqcount_end(&vcpu->arch.cputm_seqcount);\n}", "project": "linux", "hash": 109936714676800968304657362186263654417, "size": 8, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian 
Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354463 }, { "func": "void nfc_send_to_raw_sock(struct nfc_dev *dev, struct sk_buff *skb,\n\t\t\t u8 payload_type, u8 direction)\n{\n\tstruct sk_buff *skb_copy = NULL, *nskb;\n\tstruct sock *sk;\n\tu8 *data;\n\n\tread_lock(&raw_sk_list.lock);\n\n\tsk_for_each(sk, &raw_sk_list.head) {\n\t\tif (!skb_copy) {\n\t\t\tskb_copy = __pskb_copy_fclone(skb, NFC_RAW_HEADER_SIZE,\n\t\t\t\t\t\t GFP_ATOMIC, true);\n\t\t\tif (!skb_copy)\n\t\t\t\tcontinue;\n\n\t\t\tdata = skb_push(skb_copy, NFC_RAW_HEADER_SIZE);\n\n\t\t\tdata[0] = dev ? dev->idx : 0xFF;\n\t\t\tdata[1] = direction & 0x01;\n\t\t\tdata[1] |= (payload_type << 1);\n\t\t}\n\n\t\tnskb = skb_clone(skb_copy, GFP_ATOMIC);\n\t\tif (!nskb)\n\t\t\tcontinue;\n\n\t\tif (sock_queue_rcv_skb(sk, nskb))\n\t\t\tkfree_skb(nskb);\n\t}\n\n\tread_unlock(&raw_sk_list.lock);\n\n\tkfree_skb(skb_copy);\n}", "project": "linux", "hash": 268815005060439951273938798718195311110, "size": 35, "commit_id": "26896f01467a28651f7a536143fe5ac8449d4041", "message": "net/nfc/rawsock.c: add CAP_NET_RAW check.\n\nWhen creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.\n\nSigned-off-by: Qingyu Li \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 319225 }, { "func": "static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_mode_change *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));\n\tif (conn) {\n\t\tconn->mode = ev->mode;\n\n\t\tif (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,\n\t\t\t\t\t&conn->flags)) {\n\t\t\tif (conn->mode == HCI_CM_ACTIVE)\n\t\t\t\tset_bit(HCI_CONN_POWER_SAVE, &conn->flags);\n\t\t\telse\n\t\t\t\tclear_bit(HCI_CONN_POWER_SAVE, &conn->flags);\n\t\t}\n\n\t\tif (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))\n\t\t\thci_sco_setup(conn, ev->status);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 334860426495801575555221407130230210439, "size": 27, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431923 }, { "func": "static int nfs41_sequence_process(struct rpc_task *task,\n\t\tstruct nfs4_sequence_res *res)\n{\n\tstruct nfs4_session *session;\n\tstruct nfs4_slot *slot = res->sr_slot;\n\tstruct nfs_client *clp;\n\tint status;\n\tint ret = 1;\n\n\tif (slot == NULL)\n\t\tgoto out_noaction;\n\t/* don't increment the sequence number if the task wasn't sent */\n\tif (!RPC_WAS_SENT(task) || slot->seq_done)\n\t\tgoto out;\n\n\tsession = slot->table->session;\n\n\ttrace_nfs4_sequence_done(session, res);\n\n\tstatus = res->sr_status;\n\tif (task->tk_status == -NFS4ERR_DEADSESSION)\n\t\tstatus = -NFS4ERR_DEADSESSION;\n\n\t/* Check the SEQUENCE operation status */\n\tswitch (status) {\n\tcase 0:\n\t\t/* Mark this sequence number as having been acked */\n\t\tnfs4_slot_sequence_acked(slot, slot->seq_nr);\n\t\t/* Update the slot's sequence and clientid lease timer */\n\t\tslot->seq_done = 1;\n\t\tclp = session->clp;\n\t\tdo_renew_lease(clp, res->sr_timestamp);\n\t\t/* Check sequence flags */\n\t\tnfs41_handle_sequence_flag_errors(clp, res->sr_status_flags,\n\t\t\t\t!!slot->privileged);\n\t\tnfs41_update_target_slotid(slot->table, slot, res);\n\t\tbreak;\n\tcase 1:\n\t\t/*\n\t\t * sr_status remains 1 if an RPC level error occurred.\n\t\t * The server may or may not have processed the sequence\n\t\t * operation..\n\t\t */\n\t\tnfs4_slot_sequence_record_sent(slot, slot->seq_nr);\n\t\tslot->seq_done = 1;\n\t\tgoto out;\n\tcase -NFS4ERR_DELAY:\n\t\t/* The server detected a resend of the RPC call and\n\t\t * returned NFS4ERR_DELAY as per Section 2.10.6.2\n\t\t * of RFC5661.\n\t\t */\n\t\tdprintk(\"%s: slot=%u seq=%u: 
Operation in progress\\n\",\n\t\t\t__func__,\n\t\t\tslot->slot_nr,\n\t\t\tslot->seq_nr);\n\t\tnfs4_slot_sequence_acked(slot, slot->seq_nr);\n\t\tgoto out_retry;\n\tcase -NFS4ERR_RETRY_UNCACHED_REP:\n\tcase -NFS4ERR_SEQ_FALSE_RETRY:\n\t\t/*\n\t\t * The server thinks we tried to replay a request.\n\t\t * Retry the call after bumping the sequence ID.\n\t\t */\n\t\tnfs4_slot_sequence_acked(slot, slot->seq_nr);\n\t\tgoto retry_new_seq;\n\tcase -NFS4ERR_BADSLOT:\n\t\t/*\n\t\t * The slot id we used was probably retired. Try again\n\t\t * using a different slot id.\n\t\t */\n\t\tif (slot->slot_nr < slot->table->target_highest_slotid)\n\t\t\tgoto session_recover;\n\t\tgoto retry_nowait;\n\tcase -NFS4ERR_SEQ_MISORDERED:\n\t\tnfs4_slot_sequence_record_sent(slot, slot->seq_nr);\n\t\t/*\n\t\t * Were one or more calls using this slot interrupted?\n\t\t * If the server never received the request, then our\n\t\t * transmitted slot sequence number may be too high.\n\t\t */\n\t\tif ((s32)(slot->seq_nr - slot->seq_nr_last_acked) > 1) {\n\t\t\tslot->seq_nr--;\n\t\t\tgoto retry_nowait;\n\t\t}\n\t\t/*\n\t\t * RFC5661:\n\t\t * A retry might be sent while the original request is\n\t\t * still in progress on the replier. The replier SHOULD\n\t\t * deal with the issue by returning NFS4ERR_DELAY as the\n\t\t * reply to SEQUENCE or CB_SEQUENCE operation, but\n\t\t * implementations MAY return NFS4ERR_SEQ_MISORDERED.\n\t\t *\n\t\t * Restart the search after a delay.\n\t\t */\n\t\tslot->seq_nr = slot->seq_nr_highest_sent;\n\t\tgoto out_retry;\n\tcase -NFS4ERR_BADSESSION:\n\tcase -NFS4ERR_DEADSESSION:\n\tcase -NFS4ERR_CONN_NOT_BOUND_TO_SESSION:\n\t\tgoto session_recover;\n\tdefault:\n\t\t/* Just update the slot sequence no. */\n\t\tslot->seq_done = 1;\n\t}\nout:\n\t/* The session may be reset by one of the error handlers. 
*/\n\tdprintk(\"%s: Error %d free the slot \\n\", __func__, res->sr_status);\nout_noaction:\n\treturn ret;\nsession_recover:\n\tnfs4_schedule_session_recovery(session, status);\n\tdprintk(\"%s ERROR: %d Reset session\\n\", __func__, status);\n\tnfs41_sequence_free_slot(res);\n\tgoto out;\nretry_new_seq:\n\t++slot->seq_nr;\nretry_nowait:\n\tif (rpc_restart_call_prepare(task)) {\n\t\tnfs41_sequence_free_slot(res);\n\t\ttask->tk_status = 0;\n\t\tret = 0;\n\t}\n\tgoto out;\nout_retry:\n\tif (!rpc_restart_call(task))\n\t\tgoto out;\n\trpc_delay(task, NFS4_POLL_RETRY_MAX);\n\treturn 0;\n}", "project": "linux", "hash": 238388335377718115736113627190184497835, "size": 129, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431047 }, { "func": "static int fuse_parse_param(struct fs_context *fc, struct fs_parameter *param)\n{\n\tstruct fs_parse_result result;\n\tstruct fuse_fs_context *ctx = fc->fs_private;\n\tint opt;\n\n\tif (fc->purpose == FS_CONTEXT_FOR_RECONFIGURE) {\n\t\t/*\n\t\t * Ignore options coming from mount(MS_REMOUNT) for backward\n\t\t * compatibility.\n\t\t */\n\t\tif (fc->oldapi)\n\t\t\treturn 0;\n\n\t\treturn invalfc(fc, \"No changes allowed in reconfigure\");\n\t}\n\n\topt = fs_parse(fc, fuse_fs_parameters, param, &result);\n\tif (opt < 0)\n\t\treturn opt;\n\n\tswitch (opt) {\n\tcase OPT_SOURCE:\n\t\tif (fc->source)\n\t\t\treturn invalfc(fc, \"Multiple sources specified\");\n\t\tfc->source = param->string;\n\t\tparam->string = NULL;\n\t\tbreak;\n\n\tcase OPT_SUBTYPE:\n\t\tif (ctx->subtype)\n\t\t\treturn invalfc(fc, \"Multiple subtypes 
specified\");\n\t\tctx->subtype = param->string;\n\t\tparam->string = NULL;\n\t\treturn 0;\n\n\tcase OPT_FD:\n\t\tctx->fd = result.uint_32;\n\t\tctx->fd_present = true;\n\t\tbreak;\n\n\tcase OPT_ROOTMODE:\n\t\tif (!fuse_valid_type(result.uint_32))\n\t\t\treturn invalfc(fc, \"Invalid rootmode\");\n\t\tctx->rootmode = result.uint_32;\n\t\tctx->rootmode_present = true;\n\t\tbreak;\n\n\tcase OPT_USER_ID:\n\t\tctx->user_id = make_kuid(fc->user_ns, result.uint_32);\n\t\tif (!uid_valid(ctx->user_id))\n\t\t\treturn invalfc(fc, \"Invalid user_id\");\n\t\tctx->user_id_present = true;\n\t\tbreak;\n\n\tcase OPT_GROUP_ID:\n\t\tctx->group_id = make_kgid(fc->user_ns, result.uint_32);\n\t\tif (!gid_valid(ctx->group_id))\n\t\t\treturn invalfc(fc, \"Invalid group_id\");\n\t\tctx->group_id_present = true;\n\t\tbreak;\n\n\tcase OPT_DEFAULT_PERMISSIONS:\n\t\tctx->default_permissions = true;\n\t\tbreak;\n\n\tcase OPT_ALLOW_OTHER:\n\t\tctx->allow_other = true;\n\t\tbreak;\n\n\tcase OPT_MAX_READ:\n\t\tctx->max_read = result.uint_32;\n\t\tbreak;\n\n\tcase OPT_BLKSIZE:\n\t\tif (!ctx->is_bdev)\n\t\t\treturn invalfc(fc, \"blksize only supported for fuseblk\");\n\t\tctx->blksize = result.uint_32;\n\t\tbreak;\n\n\tdefault:\n\t\treturn -EINVAL;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 82064191701000592774321065496272189411, "size": 86, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342074 }, { "func": "void count_cond_for_nj(SELECT_LEX *sel, TABLE_LIST *nested_join_table)\n{\n List_iterator li(nested_join_table->nested_join->join_list);\n List_iterator li2(nested_join_table->nested_join->join_list);\n bool have_another = FALSE;\n TABLE_LIST *table;\n\n while ((table= li++) || (have_another && (li=li2, have_another=FALSE,\n (table= li++))))\n if (table->nested_join)\n {\n if (!table->on_expr)\n {\n /* It's a semi-join nest. Walk into it as if it wasn't a nest */\n have_another= TRUE;\n li2= li;\n li= List_iterator(table->nested_join->join_list); \n }\n else\n count_cond_for_nj(sel, table); \n }\n if (nested_join_table->on_expr)\n nested_join_table->on_expr->walk(&Item::count_sargable_conds, 0, sel);\n \n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 262011855352463985482092038113897220219, "size": 25, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508732 }, { "func": " */\nstatic void bfq_finish_requeue_request(struct request *rq)\n{\n\tstruct bfq_queue *bfqq = RQ_BFQQ(rq);\n\tstruct bfq_data *bfqd;\n\n\t/*\n\t * Requeue and finish hooks are invoked in blk-mq without\n\t * checking whether the involved request is actually still\n\t * referenced in the scheduler. To handle this fact, the\n\t * following two checks make this function exit in case of\n\t * spurious invocations, for which there is nothing to do.\n\t *\n\t * First, check whether rq has nothing to do with an elevator.\n\t */\n\tif (unlikely(!(rq->rq_flags & RQF_ELVPRIV)))\n\t\treturn;\n\n\t/*\n\t * rq either is not associated with any icq, or is an already\n\t * requeued request that has not (yet) been re-inserted into\n\t * a bfq_queue.\n\t */\n\tif (!rq->elv.icq || !bfqq)\n\t\treturn;\n\n\tbfqd = bfqq->bfqd;\n\n\tif (rq->rq_flags & RQF_STARTED)\n\t\tbfqg_stats_update_completion(bfqq_group(bfqq),\n\t\t\t\t\t rq->start_time_ns,\n\t\t\t\t\t rq->io_start_time_ns,\n\t\t\t\t\t rq->cmd_flags);\n\n\tif (likely(rq->rq_flags & RQF_STARTED)) {\n\t\tunsigned long flags;\n\n\t\tspin_lock_irqsave(&bfqd->lock, flags);\n\n\t\tif (rq == bfqd->waited_rq)\n\t\t\tbfq_update_inject_limit(bfqd, bfqq);\n\n\t\tbfq_completed_request(bfqq, bfqd);\n\t\tbfq_finish_requeue_request_body(bfqq);\n\n\t\tspin_unlock_irqrestore(&bfqd->lock, flags);\n\t} else {\n\t\t/*\n\t\t * Request rq may be still/already in the scheduler,\n\t\t * in which case we need to remove it (this should\n\t\t * never happen in case of requeue). 
And we cannot\n\t\t * defer such a check and removal, to avoid\n\t\t * inconsistencies in the time interval from the end\n\t\t * of this function to the start of the deferred work.\n\t\t * This situation seems to occur only in process\n\t\t * context, as a consequence of a merge. In the\n\t\t * current version of the code, this implies that the\n\t\t * lock is held.\n\t\t */\n\n\t\tif (!RB_EMPTY_NODE(&rq->rb_node)) {\n\t\t\tbfq_remove_request(rq->q, rq);\n\t\t\tbfqg_stats_update_io_remove(bfqq_group(bfqq),\n\t\t\t\t\t\t rq->cmd_flags);\n\t\t}\n\t\tbfq_finish_requeue_request_body(bfqq);\n\t}\n\n\t/*\n\t * Reset private fields. In case of a requeue, this allows\n\t * this function to correctly do nothing if it is spuriously\n\t * invoked again on this same request (see the check at the\n\t * beginning of the function). Probably, a better general\n\t * design would be to prevent blk-mq from invoking the requeue\n\t * or finish hooks of an elevator, for a request that is not\n\t * referred by that elevator.\n\t *\n\t * Resetting the following fields would break the\n\t * request-insertion logic if rq is re-inserted into a bfq\n\t * internal queue, without a re-preparation. Here we assume\n\t * that re-insertions of requeued requests, without\n\t * re-preparation, can happen only for pass_through or at_head\n\t * requests (which are not re-inserted into bfq internal\n\t * queues).\n\t */\n\trq->elv.priv[0] = NULL;\n\trq->elv.priv[1] = NULL;", "project": "linux", "hash": 298684037738221996297044959339845402544, "size": 87, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. 
So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] 
bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 
mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453356 }, { "func": "static zend_bool php_auto_globals_create_files(zend_string *name)\n{\n\tif (Z_TYPE(PG(http_globals)[TRACK_VARS_FILES]) == IS_UNDEF) {\n\t\tarray_init(&PG(http_globals)[TRACK_VARS_FILES]);\n\t}\n\n\tzend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_FILES]);\n\tZ_ADDREF(PG(http_globals)[TRACK_VARS_FILES]);\n\n\treturn 0; /* don't rearm */\n}", "project": "php-src", "hash": 111262757237845570378775345092253258995, "size": 11, "commit_id": 
"6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374956 }, { "func": "void lj_debug_pushloc(lua_State *L, GCproto *pt, BCPos pc)\n{\n GCstr *name = proto_chunkname(pt);\n const char *s = strdata(name);\n MSize i, len = name->len;\n BCLine line = lj_debug_line(pt, pc);\n if (*s == '@') {\n s++; len--;\n for (i = len; i > 0; i--)\n if (s[i] == '/' || s[i] == '\\\\') {\n\ts += i+1;\n\tbreak;\n }\n lj_str_pushf(L, \"%s:%d\", s, line);\n } else if (len > 40) {\n lj_str_pushf(L, \"%p:%d\", pt, line);\n } else if (*s == '=') {\n lj_str_pushf(L, \"%s:%d\", s+1, line);\n } else {\n lj_str_pushf(L, \"\\\"%s\\\":%d\", s, line);\n }\n}", "project": "LuaJIT", "hash": 61279169538785307538433079448813185144, "size": 22, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394660 }, { "func": "static inline bool kvm_dirty_log_manual_protect_and_init_set(struct kvm *kvm)\n{\n\treturn !!(kvm->manual_dirty_log_protect & KVM_DIRTY_LOG_INITIALLY_SET);\n}", "project": "linux", "hash": 222133408794821308849252348348615441225, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354816 }, { "func": "int 
search_binary_handler(struct linux_binprm *bprm)\n{\n\tbool need_retry = IS_ENABLED(CONFIG_MODULES);\n\tstruct linux_binfmt *fmt;\n\tint retval;\n\n\t/* This allows 4 levels of binfmt rewrites before failing hard. */\n\tif (bprm->recursion_depth > 5)\n\t\treturn -ELOOP;\n\n\tretval = security_bprm_check(bprm);\n\tif (retval)\n\t\treturn retval;\n\n\tretval = -ENOENT;\n retry:\n\tread_lock(&binfmt_lock);\n\tlist_for_each_entry(fmt, &formats, lh) {\n\t\tif (!try_module_get(fmt->module))\n\t\t\tcontinue;\n\t\tread_unlock(&binfmt_lock);\n\n\t\tbprm->recursion_depth++;\n\t\tretval = fmt->load_binary(bprm);\n\t\tbprm->recursion_depth--;\n\n\t\tread_lock(&binfmt_lock);\n\t\tput_binfmt(fmt);\n\t\tif (retval < 0 && bprm->called_exec_mmap) {\n\t\t\t/* we got to flush_old_exec() and failed after it */\n\t\t\tread_unlock(&binfmt_lock);\n\t\t\tforce_sigsegv(SIGSEGV);\n\t\t\treturn retval;\n\t\t}\n\t\tif (retval != -ENOEXEC || !bprm->file) {\n\t\t\tread_unlock(&binfmt_lock);\n\t\t\treturn retval;\n\t\t}\n\t}\n\tread_unlock(&binfmt_lock);\n\n\tif (need_retry) {\n\t\tif (printable(bprm->buf[0]) && printable(bprm->buf[1]) &&\n\t\t printable(bprm->buf[2]) && printable(bprm->buf[3]))\n\t\t\treturn retval;\n\t\tif (request_module(\"binfmt-%04x\", *(ushort *)(bprm->buf + 2)) < 0)\n\t\t\treturn retval;\n\t\tneed_retry = false;\n\t\tgoto retry;\n\t}\n\n\treturn retval;\n}", "project": "linux", "hash": 71769548688471458132410733662573140175, "size": 53, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375168 }, { "func": "void unfix_fields(List &fields)\n{\n List_iterator li(fields);\n Item *item;\n while ((item= li++))\n item->unfix_fields();\n}", "target": 0, "cwe": [ "CWE-416" ], "project": "server", "commit_id": "0beed9b5e933f0ff79b3bb346524f7a451d14e38", "hash": 218587496214265495793535738261996137525, "size": 7, "message": "MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING\n\nwhen resolving WHERE and ON clauses, do not look in\nSELECT list/aliases.", "dataset": "other", "idx": 514573 }, { "func": "int bcf_update_format_string(const bcf_hdr_t *hdr, bcf1_t *line, const char *key, const char **values, int n)\n{\n if ( !n )\n return bcf_update_format(hdr,line,key,NULL,0,BCF_HT_STR);\n\n int i, max_len = 0;\n for (i=0; i max_len ) max_len = len;\n }\n char *out = (char*) malloc(max_len*n);\n if ( !out ) return -2;\n for (i=0; i(sf.m_PlayState))\n\t{\n\t\tReset();\n\t}", "project": "openmpt", "hash": 255726884015527824179833456534296217641, "size": 6, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255234 }, { "func": "static void tty_del_file(struct file *file)\n{\n\tstruct tty_file_private *priv = file->private_data;\n\tstruct tty_struct *tty = priv->tty;\n\n\tspin_lock(&tty->files_lock);\n\tlist_del(&priv->list);\n\tspin_unlock(&tty->files_lock);\n\ttty_free_file(file);\n}", "project": "linux", "hash": 222371327392550313032276384291201596056, "size": 10, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most 
places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325950 }, { "func": "void LanLinkProvider::broadcastToNetwork()\n{\n if (!m_server->isListening()) {\n //Not started\n return;\n }\n\n Q_ASSERT(m_tcpPort != 0);\n\n qCDebug(KDECONNECT_CORE()) << \"Broadcasting identity packet\";\n\n QList destinations = getBroadcastAddresses();\n\n NetworkPacket np;\n NetworkPacket::createIdentityPacket(&np);\n np.set(QStringLiteral(\"tcpPort\"), m_tcpPort);\n\n#ifdef Q_OS_WIN\n //On Windows we need to broadcast from every local IP address to reach all networks\n QUdpSocket sendSocket;\n 
sendSocket.setProxy(QNetworkProxy::NoProxy);\n for (const QNetworkInterface& iface : QNetworkInterface::allInterfaces()) {\n if ( (iface.flags() & QNetworkInterface::IsUp)\n && (iface.flags() & QNetworkInterface::IsRunning)\n && (iface.flags() & QNetworkInterface::CanBroadcast)) {\n for (const QNetworkAddressEntry& ifaceAddress : iface.addressEntries()) {\n QHostAddress sourceAddress = ifaceAddress.ip();\n if (sourceAddress.protocol() == QAbstractSocket::IPv4Protocol && sourceAddress != QHostAddress::LocalHost) {\n qCDebug(KDECONNECT_CORE()) << \"Broadcasting as\" << sourceAddress;\n sendBroadcasts(sendSocket, np, destinations);\n sendSocket.close();\n }\n }\n }\n }\n#else\n sendBroadcasts(m_udpSocket, np, destinations);\n#endif\n}", "project": "kdeconnect-kde", "hash": 320505117664900909805336142857686565162, "size": 39, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227362 }, { "func": "bool may_open_dev(const struct path *path)\n{\n\treturn !(path->mnt->mnt_flags & MNT_NODEV) &&\n\t\t!(path->mnt->mnt_sb->s_iflags & SB_I_NODEV);\n}", "project": "linux", "hash": 310357992215442006819686663670128847619, "size": 5, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295306 }, { "func": "void session_clear_tty(struct pid *session)\n{\n\tstruct task_struct *p;\n\tdo_each_pid_task(session, PIDTYPE_SID, p) {\n\t\tproc_clear_tty(p);\n\t} while_each_pid_task(session, PIDTYPE_SID, p);\n}", "project": "linux", "hash": 136378306219079236329642890969170022528, "size": 7, "commit_id": 
"c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325965 }, { "func": "static void nfs4_layoutget_done(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs4_layoutget *lgp = calldata;\n\n\tdprintk(\"--> %s\\n\", __func__);\n\tnfs41_sequence_process(task, &lgp->res.seq_res);\n\tdprintk(\"<-- %s\\n\", __func__);\n}", "project": "linux", "hash": 185560898216432793348364606483555935266, "size": 8, "commit_id": 
"b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431164 }, { "func": "int send_sig_fault(int sig, int code, void __user *addr\n\t___ARCH_SI_TRAPNO(int trapno)\n\t___ARCH_SI_IA64(int imm, unsigned int flags, unsigned long isr)\n\t, struct task_struct *t)\n{\n\tstruct kernel_siginfo info;\n\n\tclear_siginfo(&info);\n\tinfo.si_signo = sig;\n\tinfo.si_errno = 0;\n\tinfo.si_code = code;\n\tinfo.si_addr = addr;\n#ifdef __ARCH_SI_TRAPNO\n\tinfo.si_trapno = trapno;\n#endif\n#ifdef __ia64__\n\tinfo.si_imm = imm;\n\tinfo.si_flags = flags;\n\tinfo.si_isr = isr;\n#endif\n\treturn send_sig_info(info.si_signo, &info, t);\n}", "project": "linux", "hash": 23170441998750094598530671566937664137, "size": 22, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375141 }, { "func": "\nstatic void __bfq_put_async_bfqq(struct bfq_data *bfqd,\n\t\t\t\t struct bfq_queue **bfqq_ptr)\n{\n\tstruct bfq_queue *bfqq = *bfqq_ptr;\n\n\tbfq_log(bfqd, \"put_async_bfqq: %p\", bfqq);\n\tif (bfqq) {\n\t\tbfq_bfqq_move(bfqd, bfqq, bfqd->root_group);\n\n\t\tbfq_log_bfqq(bfqd, bfqq, \"put_async_bfqq: putting %p, %d\",\n\t\t\t bfqq, bfqq->ref);\n\t\tbfq_put_queue(bfqq);\n\t\t*bfqq_ptr = NULL;\n\t}", "project": "linux", "hash": 162457648469010610658573615602692741278, "size": 15, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. 
So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] 
bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 
mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453405 }, { "func": "bool __weak kvm_arch_dy_runnable(struct kvm_vcpu *vcpu)\n{\n\treturn kvm_arch_vcpu_runnable(vcpu);\n}", "project": "linux", "hash": 80672736991277018964383714599698161495, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used 
slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354663 }, { "func": "static void * doExport(const struct indexEntry_s *hindex, int indexUsed,\n\t\t\theaderFlags flags, unsigned int *bsize)\n{\n int32_t * ei = NULL;\n entryInfo pe;\n char * dataStart;\n char * te;\n unsigned len, diff;\n int32_t il = 0;\n int32_t dl = 0;\n indexEntry entry; \n int i;\n int drlen, ndribbles;\n size_t ilen = indexUsed * sizeof(struct indexEntry_s);\n indexEntry index = memcpy(xmalloc(ilen), hindex, ilen);\n\n /* Sort entries by (offset,tag). */\n qsort(index, indexUsed, sizeof(*index), offsetCmp);\n\n /* Compute (il,dl) for all tags, including those deleted in region. */\n drlen = ndribbles = 0;\n for (i = 0, entry = index; i < indexUsed; i++, entry++) {\n\tif (ENTRY_IS_REGION(entry)) {\n\t int32_t rdl = -entry->info.offset;\t/* negative offset */\n\t int32_t ril = rdl/sizeof(*pe);\n\t int rid = entry->info.offset;\n\n\t il += ril;\n\t dl += entry->rdlen + entry->info.count;\n\t /* Reserve space for legacy region tag */\n\t if (i == 0 && (flags & HEADERFLAG_LEGACY))\n\t\til += 1;\n\n\t /* Skip rest of entries in region, but account for dribbles. */\n\t for (; i < indexUsed && entry->info.offset <= rid+1; i++, entry++) {\n\t\tif (entry->info.offset <= rid)\n\t\t continue;\n\n\t\t/* Alignment */\n\t\tdiff = alignDiff(entry->info.type, dl);\n\t\tif (diff) {\n\t\t drlen += diff;\n\t\t dl += diff; \n\t\t}\n\n\t\tndribbles++;\n\t\til++;\n\t\tdrlen += entry->length;\n\t\tdl += entry->length;\n\t }\n\t i--;\n\t entry--;\n\t continue;\n\t}\n\n\t/* Ignore deleted drips. 
*/\n\tif (entry->data == NULL || entry->length <= 0)\n\t continue;\n\n\t/* Alignment */\n\tdl += alignDiff(entry->info.type, dl);\n\n\til++;\n\tdl += entry->length;\n }\n\n /* Sanity checks on header intro. */\n if (hdrchkTags(il) || hdrchkData(dl))\n\tgoto errxit;\n\n len = sizeof(il) + sizeof(dl) + (il * sizeof(*pe)) + dl;\n\n ei = xmalloc(len);\n ei[0] = htonl(il);\n ei[1] = htonl(dl);\n\n pe = (entryInfo) &ei[2];\n dataStart = te = (char *) (pe + il);\n\n for (i = 0, entry = index; i < indexUsed; i++, entry++) {\n\tconst char * src;\n\tunsigned char *t;\n\tint count;\n\tint rdlen;\n\tunsigned int diff;\n\n\tif (entry->data == NULL || entry->length <= 0)\n\t continue;\n\n\tt = (unsigned char*)te;\n\tpe->tag = htonl(entry->info.tag);\n\tpe->type = htonl(entry->info.type);\n\tpe->count = htonl(entry->info.count);\n\n\tif (ENTRY_IS_REGION(entry)) {\n\t int32_t rdl = -entry->info.offset;\t/* negative offset */\n\t int32_t ril = rdl/sizeof(*pe) + ndribbles;\n\t int rid = entry->info.offset;\n\n\t src = (char *)entry->data;\n\t rdlen = entry->rdlen;\n\n\t /* Legacy headers don't have regions originally, create one */\n\t if (i == 0 && (flags & HEADERFLAG_LEGACY)) {\n\t\tint32_t stei[4];\n\n\t\tmemcpy(pe+1, src, rdl);\n\t\tmemcpy(te, src + rdl, rdlen);\n\t\tte += rdlen;\n\n\t\tpe->offset = htonl(te - dataStart);\n\t\tstei[0] = pe->tag;\n\t\tstei[1] = pe->type;\n\t\tstei[2] = htonl(-rdl-entry->info.count);\n\t\tstei[3] = pe->count;\n\t\tmemcpy(te, stei, entry->info.count);\n\t\tte += entry->info.count;\n\t\tril++;\n\t\trdlen += entry->info.count;\n\n\t\tcount = regionSwab(NULL, ril, 0, pe, t, NULL, 0, 0);\n\t\tif (count != rdlen)\n\t\t goto errxit;\n\n\t } else {\n\n\t\tmemcpy(pe+1, src + sizeof(*pe), ((ril-1) * sizeof(*pe)));\n\t\tmemcpy(te, src + (ril * sizeof(*pe)), rdlen+entry->info.count+drlen);\n\t\tte += rdlen;\n\t\t{ \n\t\t entryInfo se = (entryInfo)src;\n\t\t int off = ntohl(se->offset);\n\t\t pe->offset = (off) ? 
htonl(te - dataStart) : htonl(off);\n\t\t}\n\t\tte += entry->info.count + drlen;\n\n\t\tcount = regionSwab(NULL, ril, 0, pe, t, NULL, 0, 0);\n\t\tif (count != (rdlen + entry->info.count + drlen))\n\t\t goto errxit;\n\t }\n\n\t /* Skip rest of entries in region. */\n\t while (i < indexUsed && entry->info.offset <= rid+1) {\n\t\ti++;\n\t\tentry++;\n\t }\n\t i--;\n\t entry--;\n\t pe += ril;\n\t continue;\n\t}\n\n\t/* Ignore deleted drips. */\n\tif (entry->data == NULL || entry->length <= 0)\n\t continue;\n\n\t/* Alignment */\n\tdiff = alignDiff(entry->info.type, (te - dataStart));\n\tif (diff) {\n\t memset(te, 0, diff);\n\t te += diff;\n\t}\n\n\tpe->offset = htonl(te - dataStart);\n\n\t/* copy data w/ endian conversions */\n\tswitch (entry->info.type) {\n\tcase RPM_INT64_TYPE:\n\t count = entry->info.count;\n\t src = entry->data;\n\t while (count--) {\n\t\t*((uint64_t *)te) = htonll(*((uint64_t *)src));\n\t\tte += sizeof(uint64_t);\n\t\tsrc += sizeof(uint64_t);\n\t }\n\t break;\n\n\tcase RPM_INT32_TYPE:\n\t count = entry->info.count;\n\t src = entry->data;\n\t while (count--) {\n\t\t*((int32_t *)te) = htonl(*((int32_t *)src));\n\t\tte += sizeof(int32_t);\n\t\tsrc += sizeof(int32_t);\n\t }\n\t break;\n\n\tcase RPM_INT16_TYPE:\n\t count = entry->info.count;\n\t src = entry->data;\n\t while (count--) {\n\t\t*((int16_t *)te) = htons(*((int16_t *)src));\n\t\tte += sizeof(int16_t);\n\t\tsrc += sizeof(int16_t);\n\t }\n\t break;\n\n\tdefault:\n\t memcpy(te, entry->data, entry->length);\n\t te += entry->length;\n\t break;\n\t}\n\tpe++;\n }\n \n /* Insure that there are no memcpy underruns/overruns. 
*/\n if (((char *)pe) != dataStart)\n\tgoto errxit;\n if ((((char *)ei)+len) != te)\n\tgoto errxit;\n\n if (bsize)\n\t*bsize = len;\n\n free(index);\n return (void *) ei;\n\nerrxit:\n free(ei);\n free(index);\n return NULL;\n}", "project": "rpm", "hash": 318122539908248929131141522706551822558, "size": 222, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318189 }, { "func": "static void tcp_mark_lost_retrans(struct sock *sk)\n{\n\tconst struct inet_connection_sock *icsk = inet_csk(sk);\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct sk_buff *skb;\n\tint cnt = 0;\n\tu32 new_low_seq = tp->snd_nxt;\n\tu32 received_upto = tcp_highest_sack_seq(tp);\n\n\tif (!tcp_is_fack(tp) || !tp->retrans_out ||\n\t !after(received_upto, tp->lost_retrans_low) ||\n\t icsk->icsk_ca_state != TCP_CA_Recovery)\n\t\treturn;\n\n\ttcp_for_write_queue(skb, sk) {\n\t\tu32 ack_seq = TCP_SKB_CB(skb)->ack_seq;\n\n\t\tif (skb == tcp_send_head(sk))\n\t\t\tbreak;\n\t\tif (cnt == tp->retrans_out)\n\t\t\tbreak;\n\t\tif (!after(TCP_SKB_CB(skb)->end_seq, tp->snd_una))\n\t\t\tcontinue;\n\n\t\tif (!(TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_RETRANS))\n\t\t\tcontinue;\n\n\t\t/* TODO: We would like to get rid of tcp_is_fack(tp) only\n\t\t * constraint here (see above) but figuring out that at\n\t\t * least tp->reordering SACK blocks reside between ack_seq\n\t\t * and received_upto is not easy task to do cheaply with\n\t\t * the available datastructures.\n\t\t *\n\t\t * Whether FACK should check here for tp->reordering segs\n\t\t * in-between one could argue for either way (it would be\n\t\t * rather simple to implement as we could count fack_count\n\t\t * during the walk and do tp->fackets_out - fack_count).\n\t\t */\n\t\tif (after(received_upto, ack_seq)) {\n\t\t\tTCP_SKB_CB(skb)->sacked &= 
~TCPCB_SACKED_RETRANS;\n\t\t\ttp->retrans_out -= tcp_skb_pcount(skb);\n\n\t\t\ttcp_skb_mark_lost_uncond_verify(tp, skb);\n\t\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPLOSTRETRANSMIT);\n\t\t} else {\n\t\t\tif (before(ack_seq, new_low_seq))\n\t\t\t\tnew_low_seq = ack_seq;\n\t\t\tcnt += tcp_skb_pcount(skb);\n\t\t}\n\t}\n\n\tif (tp->retrans_out)\n\t\ttp->lost_retrans_low = new_low_seq;\n}", "project": "net-next", "hash": 178422507902441992585884318252350042298, "size": 54, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409908 }, { "func": "static void ep_remove_wait_queue(struct eppoll_entry *pwq)\n{\n\twait_queue_head_t *whead;\n\n\trcu_read_lock();\n\t/*\n\t * If it is cleared by POLLFREE, it should be rcu-safe.\n\t * If we read NULL we need a barrier paired with\n\t * smp_store_release() in ep_poll_callback(), otherwise\n\t * we rely on whead->lock.\n\t */\n\twhead = smp_load_acquire(&pwq->whead);\n\tif (whead)\n\t\tremove_wait_queue(whead, &pwq->wait);\n\trcu_read_unlock();\n}", "project": "linux", "hash": 42537034107028600131136477263996958771, "size": 16, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336271 }, { "func": "R_API int r_sys_run(const ut8 *buf, int len) {\n\tconst int sz = 4096;\n\tint pdelta, ret, (*cb)();\n#if USE_FORK\n\tint st, pid;\n#endif\n// TODO: define R_SYS_ALIGN_FORWARD in r_util.h\n\tut8 *ptr, *p = malloc ((sz + len) << 1);\n\tptr = p;\n\tpdelta = ((size_t)(p)) & (4096 - 1);\n\tif (pdelta) {\n\t\tptr += (4096 - pdelta);\n\t}\n\tif (!ptr || 
!buf) {\n\t\teprintf (\"r_sys_run: Cannot run empty buffer\\n\");\n\t\tfree (p);\n\t\treturn false;\n\t}\n\tmemcpy (ptr, buf, len);\n\tr_mem_protect (ptr, sz, \"rx\");\n\t//r_mem_protect (ptr, sz, \"rwx\"); // try, ignore if fail\n\tcb = (int (*)())ptr;\n#if USE_FORK\n#if __UNIX__\n\tpid = r_sys_fork ();\n#else\n\tpid = -1;\n#endif\n\tif (pid < 0) {\n\t\treturn cb ();\n\t}\n\tif (!pid) {\n\t\tret = cb ();\n\t\texit (ret);\n\t\treturn ret;\n\t}\n\tst = 0;\n\twaitpid (pid, &st, 0);\n\tif (WIFSIGNALED (st)) {\n\t\tint num = WTERMSIG(st);\n\t\teprintf (\"Got signal %d\\n\", num);\n\t\tret = num;\n\t} else {\n\t\tret = WEXITSTATUS (st);\n\t}\n#else\n\tret = (*cb) ();\n#endif\n\tfree (p);\n\treturn ret;\n}", "project": "radare2", "hash": 246005373036837181005465223533834262601, "size": 51, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268827 }, { "func": "static void nfs4_xdr_enc_lookup_root(struct rpc_rqst *req,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs4_lookup_root_arg *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putrootfh(xdr, &hdr);\n\tencode_getfh(xdr, &hdr);\n\tencode_getfattr(xdr, args->bitmask, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 289288281168475312013490036368035620654, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431115 }, { "func": "static void path_put_conditional(struct path *path, struct nameidata *nd)\n{\n\tdput(path->dentry);\n\tif (path->mnt != nd->path.mnt)\n\t\tmntput(path->mnt);\n}", "project": "linux", "hash": 127242201292608657809530766909445776943, "size": 6, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": 
"do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295428 }, { "func": "static void usb_host_auto_timer(void *unused)\n{\n usb_host_scan(NULL, usb_host_auto_scan);\n qemu_mod_timer(usb_auto_timer, qemu_get_clock(rt_clock) + 2000);\n}", "project": "qemu", "hash": 259368891377666256453173737726281001138, "size": 5, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346318 }, { "func": "join_read_first(JOIN_TAB *tab)\n{\n int error= 0;\n TABLE *table=tab->table;\n DBUG_ENTER(\"join_read_first\");\n\n DBUG_ASSERT(table->no_keyread ||\n !table->covering_keys.is_set(tab->index) ||\n table->file->keyread == tab->index);\n tab->table->status=0;\n tab->read_record.read_record_func= join_read_next;\n tab->read_record.table=table;\n if (!table->file->inited)\n error= table->file->ha_index_init(tab->index, tab->sorted);\n if (likely(!error))\n error= table->file->prepare_index_scan();\n if (unlikely(error) ||\n unlikely(error= 
tab->table->file->ha_index_first(tab->table->record[0])))\n {\n if (error != HA_ERR_KEY_NOT_FOUND && error != HA_ERR_END_OF_FILE)\n report_error(table, error);\n DBUG_RETURN(-1);\n }\n DBUG_RETURN(0);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 309084581902200261841820802626125469286, "size": 25, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508457 }, { "func": "test_if_group_changed(List &list)\n{\n DBUG_ENTER(\"test_if_group_changed\");\n List_iterator li(list);\n int idx= -1,i;\n Cached_item *buff;\n\n for (i=(int) list.elements-1 ; (buff=li++) ; i--)\n {\n if (buff->cmp())\n idx=i;\n }\n DBUG_PRINT(\"info\", (\"idx: %d\", idx));\n DBUG_RETURN(idx);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 150741675325574154665519024726135684069, "size": 15, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508566 }, { "func": "join_read_last(JOIN_TAB *tab)\n{\n TABLE *table=tab->table;\n int error= 0;\n DBUG_ENTER(\"join_read_last\");\n\n DBUG_ASSERT(table->no_keyread ||\n !table->covering_keys.is_set(tab->index) ||\n table->file->keyread == tab->index);\n tab->table->status=0;\n tab->read_record.read_record_func= join_read_prev;\n tab->read_record.table=table;\n if (!table->file->inited)\n error= table->file->ha_index_init(tab->index, 1);\n if (likely(!error))\n error= table->file->prepare_index_scan();\n if (unlikely(error) ||\n unlikely(error= tab->table->file->ha_index_last(tab->table->record[0])))\n DBUG_RETURN(report_error(table, error));\n\n DBUG_RETURN(0);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 75739991367103885726959258072459697503, "size": 22, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508568 }, { "func": "end_unique_update(JOIN *join, JOIN_TAB *join_tab __attribute__((unused)),\n\t\t bool end_of_records)\n{\n TABLE *table= join_tab->table;\n int\t error;\n DBUG_ENTER(\"end_unique_update\");\n\n if (end_of_records)\n DBUG_RETURN(NESTED_LOOP_OK);\n\n init_tmptable_sum_functions(join->sum_funcs);\n copy_fields(join_tab->tmp_table_param);\t\t// Groups are copied twice.\n if (copy_funcs(join_tab->tmp_table_param->items_to_copy, join->thd))\n DBUG_RETURN(NESTED_LOOP_ERROR); /* purecov: inspected */\n\n if (likely(!(error= table->file->ha_write_tmp_row(table->record[0]))))\n join_tab->send_records++;\t\t\t// New group\n else\n {\n if (unlikely((int) table->file->get_dup_key(error) < 0))\n {\n table->file->print_error(error,MYF(0));\t/* purecov: inspected */\n DBUG_RETURN(NESTED_LOOP_ERROR); /* purecov: inspected */\n }\n /* Prepare table for random positioning */\n bool rnd_inited= (table->file->inited == handler::RND);\n if (!rnd_inited &&\n ((error= table->file->ha_index_end()) ||\n (error= table->file->ha_rnd_init(0))))\n {\n table->file->print_error(error, MYF(0));\n DBUG_RETURN(NESTED_LOOP_ERROR);\n }\n if 
(unlikely(table->file->ha_rnd_pos(table->record[1],table->file->dup_ref)))\n {\n table->file->print_error(error,MYF(0));\t/* purecov: inspected */\n DBUG_RETURN(NESTED_LOOP_ERROR); /* purecov: inspected */\n }\n restore_record(table,record[1]);\n update_tmptable_sum_func(join->sum_funcs,table);\n if (unlikely((error= table->file->ha_update_tmp_row(table->record[1],\n table->record[0]))))\n {\n table->file->print_error(error,MYF(0));\t/* purecov: inspected */\n DBUG_RETURN(NESTED_LOOP_ERROR); /* purecov: inspected */\n }\n if (!rnd_inited &&\n ((error= table->file->ha_rnd_end()) ||\n (error= table->file->ha_index_init(0, 0))))\n {\n table->file->print_error(error, MYF(0));\n DBUG_RETURN(NESTED_LOOP_ERROR);\n }\n }\n if (unlikely(join->thd->check_killed()))\n {\n DBUG_RETURN(NESTED_LOOP_KILLED); /* purecov: inspected */\n }\n DBUG_RETURN(NESTED_LOOP_OK);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 299141716339449059425961670534928212272, "size": 60, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508575 }, { "func": "create_internal_tmp_table_from_heap(THD *thd, TABLE *table,\n TMP_ENGINE_COLUMNDEF *start_recinfo,\n TMP_ENGINE_COLUMNDEF **recinfo, \n int error,\n bool ignore_last_dupp_key_error,\n bool *is_duplicate)\n{\n TABLE new_table;\n TABLE_SHARE share;\n const char *save_proc_info;\n int write_err= 0;\n DBUG_ENTER(\"create_internal_tmp_table_from_heap\");\n if (is_duplicate)\n *is_duplicate= FALSE;\n\n if (table->s->db_type() != heap_hton || error != HA_ERR_RECORD_FILE_FULL)\n {\n /*\n We don't want this error to be converted to a warning, e.g. in case of\n INSERT IGNORE ... SELECT.\n */\n table->file->print_error(error, MYF(ME_FATALERROR));\n DBUG_RETURN(1);\n }\n new_table= *table;\n share= *table->s;\n new_table.s= &share;\n new_table.s->db_plugin= ha_lock_engine(thd, TMP_ENGINE_HTON);\n if (unlikely(!(new_table.file= get_new_handler(&share, &new_table.mem_root,\n new_table.s->db_type()))))\n DBUG_RETURN(1);\t\t\t\t// End of memory\n\n if (unlikely(new_table.file->set_ha_share_ref(&share.ha_share)))\n {\n delete new_table.file;\n DBUG_RETURN(1);\n }\n\n save_proc_info=thd->proc_info;\n THD_STAGE_INFO(thd, stage_converting_heap_to_myisam);\n\n new_table.no_rows= table->no_rows;\n if (create_internal_tmp_table(&new_table, table->key_info, start_recinfo,\n recinfo,\n thd->lex->select_lex.options | \n\t\t\t thd->variables.option_bits))\n goto err2;\n if (open_tmp_table(&new_table))\n goto err1;\n if (table->file->indexes_are_disabled())\n new_table.file->ha_disable_indexes(HA_KEY_SWITCH_ALL);\n table->file->ha_index_or_rnd_end();\n if (table->file->ha_rnd_init_with_error(1))\n DBUG_RETURN(1);\n if (new_table.no_rows)\n new_table.file->extra(HA_EXTRA_NO_ROWS);\n else\n {\n /* update table->file->stats.records */\n 
table->file->info(HA_STATUS_VARIABLE);\n new_table.file->ha_start_bulk_insert(table->file->stats.records);\n }\n\n /*\n copy all old rows from heap table to MyISAM table\n This is the only code that uses record[1] to read/write but this\n is safe as this is a temporary MyISAM table without timestamp/autoincrement\n or partitioning.\n */\n while (!table->file->ha_rnd_next(new_table.record[1]))\n {\n write_err= new_table.file->ha_write_tmp_row(new_table.record[1]);\n DBUG_EXECUTE_IF(\"raise_error\", write_err= HA_ERR_FOUND_DUPP_KEY ;);\n if (write_err)\n goto err;\n if (unlikely(thd->check_killed()))\n goto err_killed;\n }\n if (!new_table.no_rows && new_table.file->ha_end_bulk_insert())\n goto err;\n /* copy row that filled HEAP table */\n if (unlikely((write_err=new_table.file->ha_write_tmp_row(table->record[0]))))\n {\n if (new_table.file->is_fatal_error(write_err, HA_CHECK_DUP) ||\n\t!ignore_last_dupp_key_error)\n goto err;\n if (is_duplicate)\n *is_duplicate= TRUE;\n }\n else\n {\n if (is_duplicate)\n *is_duplicate= FALSE;\n }\n\n /* remove heap table and change to use myisam table */\n (void) table->file->ha_rnd_end();\n (void) table->file->ha_close(); // This deletes the table !\n delete table->file;\n table->file=0;\n plugin_unlock(0, table->s->db_plugin);\n share.db_plugin= my_plugin_lock(0, share.db_plugin);\n new_table.s= table->s; // Keep old share\n *table= new_table;\n *table->s= share;\n \n table->file->change_table_ptr(table, table->s);\n table->use_all_columns();\n if (save_proc_info)\n thd_proc_info(thd, (!strcmp(save_proc_info,\"Copying to tmp table\") ?\n \"Copying to tmp table on disk\" : save_proc_info));\n DBUG_RETURN(0);\n\n err:\n DBUG_PRINT(\"error\",(\"Got error: %d\",write_err));\n table->file->print_error(write_err, MYF(0));\nerr_killed:\n (void) table->file->ha_rnd_end();\n (void) new_table.file->ha_close();\n err1:\n new_table.file->ha_delete_table(new_table.s->path.str);\n err2:\n delete new_table.file;\n thd_proc_info(thd, 
save_proc_info);\n table->mem_root= new_table.mem_root;\n DBUG_RETURN(1);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 106976030538815347748388383847739756927, "size": 127, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508730 }, { "func": "static int slab_memory_callback(struct notifier_block *self,\n\t\t\t\tunsigned long action, void *arg)\n{\n\tint ret = 0;\n\n\tswitch (action) {\n\tcase MEM_GOING_ONLINE:\n\t\tret = slab_mem_going_online_callback(arg);\n\t\tbreak;\n\tcase MEM_GOING_OFFLINE:\n\t\tret = slab_mem_going_offline_callback(arg);\n\t\tbreak;\n\tcase MEM_OFFLINE:\n\tcase MEM_CANCEL_ONLINE:\n\t\tslab_mem_offline_callback(arg);\n\t\tbreak;\n\tcase MEM_ONLINE:\n\tcase MEM_CANCEL_OFFLINE:\n\t\tbreak;\n\t}\n\tif (ret)\n\t\tret = notifier_from_errno(ret);\n\telse\n\t\tret = NOTIFY_OK;\n\treturn ret;\n}", "project": "linux", "hash": 72248129425065563896664721817066585986, "size": 26, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in 
kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280103 }, { "func": "static void fuse_do_truncate(struct file *file)\n{\n\tstruct inode *inode = file->f_mapping->host;\n\tstruct iattr attr;\n\n\tattr.ia_valid = ATTR_SIZE;\n\tattr.ia_size = i_size_read(inode);\n\n\tattr.ia_file = file;\n\tattr.ia_valid |= ATTR_FILE;\n\n\tfuse_do_setattr(file_dentry(file), &attr, file);\n}", "project": "linux", "hash": 167842966524610878875997104665230093250, "size": 13, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342022 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "bool BlobURLRequestJob::ReadFile(const BlobData::Item& item) {\n DCHECK(stream_.get());\n DCHECK(stream_->IsOpen());\n DCHECK(read_buf_remaining_bytes_ >= bytes_to_read_);\n\n int rv = stream_->Read(read_buf_->data() + read_buf_offset_,\n bytes_to_read_,\n &io_callback_);\n\n if (rv == net::ERR_IO_PENDING) {\n SetStatus(net::URLRequestStatus(net::URLRequestStatus::IO_PENDING, 0));\n return false;\n }\n\n if (rv < 0) {\n NotifyFailure(net::ERR_FAILED);\n return false;\n }\n\n if (GetStatus().is_io_pending())\n DidRead(rv);\n else\n AdvanceBytesRead(rv);\n\n return true;\n}\n", "cwe": "", "big_vul_idx": 106421, "idx": 95572, "hash": 323457758710923424581881672078994379811 }, { "func": "static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_pin_code_reply *rp = (void *) skb->data;\n\tstruct hci_cp_pin_code_reply *cp;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\thci_dev_lock(hdev);\n\n\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tmgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);\n\n\tif (rp->status)\n\t\tgoto unlock;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);\n\tif (!cp)\n\t\tgoto unlock;\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);\n\tif (conn)\n\t\tconn->pin_length = cp->pin_len;\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 254315642852463050520938916908124743581, "size": 27, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in 
hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431907 }, { "func": "static void msgfmt_do_parse(MessageFormatter_object *mfo, char *source, size_t src_len, zval *return_value)\n{\n\tzval *fargs;\n\tint count = 0;\n\tint i;\n\tUChar *usource = NULL;\n\tint usrc_len = 0;\n\n\tintl_convert_utf8_to_utf16(&usource, &usrc_len, source, src_len, &INTL_DATA_ERROR_CODE(mfo));\n\tINTL_METHOD_CHECK_STATUS(mfo, \"Converting parse string failed\");\n\n\tumsg_parse_helper(MSG_FORMAT_OBJECT(mfo), &count, &fargs, usource, usrc_len, &INTL_DATA_ERROR_CODE(mfo));\n\tif (usource) {\n\t\tefree(usource);\n\t}\n\tINTL_METHOD_CHECK_STATUS(mfo, \"Parsing failed\");\n\n\tarray_init(return_value);\n\tfor(i=0;i(env->GetArrayLength(sort_order));\n uint8_t *sort_order_ptr = reinterpret_cast(\n env->GetByteArrayElements(sort_order, &if_copy));\n\n size_t input_rows_length = static_cast(env->GetArrayLength(input_rows));\n uint8_t *input_rows_ptr = reinterpret_cast(\n env->GetByteArrayElements(input_rows, &if_copy));\n\n uint8_t *output_rows;\n size_t output_rows_length;\n\n sgx_check(\"External non-oblivious sort\",\n ecall_external_sort(eid,\n sort_order_ptr, sort_order_length,\n input_rows_ptr, input_rows_length,\n &output_rows, &output_rows_length));\n\n jbyteArray ret = env->NewByteArray(output_rows_length);\n env->SetByteArrayRegion(ret, 0, output_rows_length, reinterpret_cast(output_rows));\n free(output_rows);\n\n env->ReleaseByteArrayElements(sort_order, reinterpret_cast(sort_order_ptr), 
0);\n env->ReleaseByteArrayElements(input_rows, reinterpret_cast(input_rows_ptr), 0);\n\n return ret;\n}", "idx": 519083, "cwe": "CWE-787", "hash": 5653392014745444211129879024348280652, "dataset": "other" }, { "func": "HeaderIterator headerInitIterator(Header h)\n{\n HeaderIterator hi = xmalloc(sizeof(*hi));\n\n headerSort(h);\n\n hi->h = headerLink(h);\n hi->next_index = 0;\n return hi;\n}", "project": "rpm", "hash": 196421666428932199063281109543991939350, "size": 10, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318196 }, { "func": "static int follow_managed(struct path *path, struct nameidata *nd)\n{\n\tstruct vfsmount *mnt = path->mnt; /* held by caller, must be left alone */\n\tunsigned flags;\n\tbool need_mntput = false;\n\tint ret = 0;\n\n\t/* Given that we're not holding a lock here, we retain the value in a\n\t * local variable for each dentry as we look at it so that we don't see\n\t * the components of that value change under us */\n\twhile (flags = smp_load_acquire(&path->dentry->d_flags),\n\t unlikely(flags & DCACHE_MANAGED_DENTRY)) {\n\t\t/* Allow the filesystem to manage the transit without i_mutex\n\t\t * being held. */\n\t\tif (flags & DCACHE_MANAGE_TRANSIT) {\n\t\t\tBUG_ON(!path->dentry->d_op);\n\t\t\tBUG_ON(!path->dentry->d_op->d_manage);\n\t\t\tret = path->dentry->d_op->d_manage(path, false);\n\t\t\tflags = smp_load_acquire(&path->dentry->d_flags);\n\t\t\tif (ret < 0)\n\t\t\t\tbreak;\n\t\t}\n\n\t\t/* Transit to a mounted filesystem. 
*/\n\t\tif (flags & DCACHE_MOUNTED) {\n\t\t\tstruct vfsmount *mounted = lookup_mnt(path);\n\t\t\tif (mounted) {\n\t\t\t\tdput(path->dentry);\n\t\t\t\tif (need_mntput)\n\t\t\t\t\tmntput(path->mnt);\n\t\t\t\tpath->mnt = mounted;\n\t\t\t\tpath->dentry = dget(mounted->mnt_root);\n\t\t\t\tneed_mntput = true;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\t/* Something is mounted on this dentry in another\n\t\t\t * namespace and/or whatever was mounted there in this\n\t\t\t * namespace got unmounted before lookup_mnt() could\n\t\t\t * get it */\n\t\t}\n\n\t\t/* Handle an automount point */\n\t\tif (flags & DCACHE_NEED_AUTOMOUNT) {\n\t\t\tret = follow_automount(path, nd, &need_mntput);\n\t\t\tif (ret < 0)\n\t\t\t\tbreak;\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* We didn't change the current path point */\n\t\tbreak;\n\t}\n\n\tif (need_mntput && path->mnt == mnt)\n\t\tmntput(path->mnt);\n\tif (need_mntput)\n\t\tnd->flags |= LOOKUP_JUMPED;\n\tif (ret == -EISDIR || !ret)\n\t\tret = 1;\n\tif (ret > 0 && unlikely(d_flags_negative(flags)))\n\t\tret = -ENOENT;\n\tif (unlikely(ret < 0))\n\t\tpath_put_conditional(path, nd);\n\treturn ret;\n}", "project": "linux", "hash": 188444383516434639197124127456016642297, "size": 66, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295431 }, { "func": "void tracer_tracing_off(struct trace_array *tr)\n{\n\tif (tr->trace_buffer.buffer)\n\t\tring_buffer_record_off(tr->trace_buffer.buffer);\n\t/*\n\t * This flag is looked at when buffers haven't been allocated\n\t * yet, or by some tracers (like irqsoff), that just want to\n\t * know if the ring buffer has been disabled, but it can handle\n\t * races of where it gets disabled but we still 
do a record.\n\t * As the check is in the fast path of the tracers, it is more\n\t * important to be fast than accurate.\n\t */\n\ttr->buffer_disabled = 1;\n\t/* Make the flag seen by readers */\n\tsmp_wmb();\n}", "project": "linux", "hash": 178752409160102132456201308863038696229, "size": 16, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445533 }, { "func": "static int bcf1_sync(bcf1_t *line)\n{\n char *shared_ori = line->shared.s;\n size_t prev_len;\n\n kstring_t tmp = {0,0,0};\n if ( !line->shared.l )\n {\n // New line created via API, BCF data blocks do not exist. 
Get it ready for BCF output\n tmp = line->shared;\n bcf1_sync_id(line, &tmp);\n line->unpack_size[0] = tmp.l; prev_len = tmp.l;\n\n bcf1_sync_alleles(line, &tmp);\n line->unpack_size[1] = tmp.l - prev_len; prev_len = tmp.l;\n\n bcf1_sync_filter(line, &tmp);\n line->unpack_size[2] = tmp.l - prev_len;\n\n bcf1_sync_info(line, &tmp);\n line->shared = tmp;\n }\n else if ( line->d.shared_dirty )\n {\n // The line was edited, update the BCF data block.\n\n if ( !(line->unpacked & BCF_UN_STR) ) bcf_unpack(line,BCF_UN_STR);\n\n // ptr_ori points to the original unchanged BCF data.\n uint8_t *ptr_ori = (uint8_t *) line->shared.s;\n\n // ID: single typed string\n if ( line->d.shared_dirty & BCF1_DIRTY_ID )\n bcf1_sync_id(line, &tmp);\n else\n kputsn_(ptr_ori, line->unpack_size[0], &tmp);\n ptr_ori += line->unpack_size[0];\n line->unpack_size[0] = tmp.l; prev_len = tmp.l;\n\n // REF+ALT: list of typed strings\n if ( line->d.shared_dirty & BCF1_DIRTY_ALS )\n bcf1_sync_alleles(line, &tmp);\n else\n {\n kputsn_(ptr_ori, line->unpack_size[1], &tmp);\n if ( !line->rlen && line->n_allele ) line->rlen = strlen(line->d.allele[0]);\n }\n ptr_ori += line->unpack_size[1];\n line->unpack_size[1] = tmp.l - prev_len; prev_len = tmp.l;\n\n if ( line->unpacked & BCF_UN_FLT )\n {\n // FILTER: typed vector of integers\n if ( line->d.shared_dirty & BCF1_DIRTY_FLT )\n bcf1_sync_filter(line, &tmp);\n else if ( line->d.n_flt )\n kputsn_(ptr_ori, line->unpack_size[2], &tmp);\n else\n bcf_enc_vint(&tmp, 0, 0, -1);\n ptr_ori += line->unpack_size[2];\n line->unpack_size[2] = tmp.l - prev_len;\n\n if ( line->unpacked & BCF_UN_INFO )\n {\n // INFO: pairs of typed vectors\n if ( line->d.shared_dirty & BCF1_DIRTY_INF )\n {\n bcf1_sync_info(line, &tmp);\n ptr_ori = (uint8_t*)line->shared.s + line->shared.l;\n }\n }\n }\n\n int size = line->shared.l - (size_t)ptr_ori + (size_t)line->shared.s;\n if ( size ) kputsn_(ptr_ori, size, &tmp);\n\n free(line->shared.s);\n line->shared = tmp;\n }\n if ( 
line->shared.s != shared_ori && line->unpacked & BCF_UN_INFO )\n {\n // Reallocated line->shared.s block invalidated line->d.info[].vptr pointers\n size_t off_new = line->unpack_size[0] + line->unpack_size[1] + line->unpack_size[2];\n int i;\n for (i=0; in_info; i++)\n {\n uint8_t *vptr_free = line->d.info[i].vptr_free ? line->d.info[i].vptr - line->d.info[i].vptr_off : NULL;\n line->d.info[i].vptr = (uint8_t*) line->shared.s + off_new + line->d.info[i].vptr_off;\n off_new += line->d.info[i].vptr_len + line->d.info[i].vptr_off;\n if ( vptr_free )\n {\n free(vptr_free);\n line->d.info[i].vptr_free = 0;\n }\n }\n }\n\n if ( line->n_sample && line->n_fmt && (!line->indiv.l || line->d.indiv_dirty) )\n {\n // The genotype fields changed or are not present\n tmp.l = tmp.m = 0; tmp.s = NULL;\n int i, irm = -1;\n for (i=0; in_fmt; i++)\n {\n bcf_fmt_t *fmt = &line->d.fmt[i];\n if ( !fmt->p )\n {\n // marked for removal\n if ( irm < 0 ) irm = i;\n continue;\n }\n kputsn_(fmt->p - fmt->p_off, fmt->p_len + fmt->p_off, &tmp);\n if ( irm >=0 )\n {\n bcf_fmt_t tfmt = line->d.fmt[irm]; line->d.fmt[irm] = line->d.fmt[i]; line->d.fmt[i] = tfmt;\n while ( irm<=i && line->d.fmt[irm].p ) irm++;\n }\n\n }\n if ( irm>=0 ) line->n_fmt = irm;\n free(line->indiv.s);\n line->indiv = tmp;\n\n // Reallocated line->indiv.s block invalidated line->d.fmt[].p pointers\n size_t off_new = 0;\n for (i=0; in_fmt; i++)\n {\n uint8_t *p_free = line->d.fmt[i].p_free ? 
line->d.fmt[i].p - line->d.fmt[i].p_off : NULL;\n line->d.fmt[i].p = (uint8_t*) line->indiv.s + off_new + line->d.fmt[i].p_off;\n off_new += line->d.fmt[i].p_len + line->d.fmt[i].p_off;\n if ( p_free )\n {\n free(p_free);\n line->d.fmt[i].p_free = 0;\n }\n }\n }\n if ( !line->n_sample ) line->n_fmt = 0;\n line->d.shared_dirty = line->d.indiv_dirty = 0;\n return 0;\n}", "project": "htslib", "hash": 257393337503667746167460519499097942577, "size": 141, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402212 }, { "func": "otError Commissioner::SendPetition(void)\n{\n otError error = OT_ERROR_NONE;\n Coap::Message * message = NULL;\n Ip6::MessageInfo messageInfo;\n CommissionerIdTlv commissionerId;\n\n mTransmitAttempts++;\n\n VerifyOrExit((message = NewMeshCoPMessage(Get())) != NULL, error = OT_ERROR_NO_BUFS);\n\n SuccessOrExit(error = message->Init(OT_COAP_TYPE_CONFIRMABLE, OT_COAP_CODE_POST, OT_URI_PATH_LEADER_PETITION));\n SuccessOrExit(error = message->SetPayloadMarker());\n\n commissionerId.Init();\n commissionerId.SetCommissionerId(\"OpenThread Commissioner\");\n\n SuccessOrExit(error = message->AppendTlv(commissionerId));\n\n SuccessOrExit(error = Get().GetLeaderAloc(messageInfo.GetPeerAddr()));\n messageInfo.SetPeerPort(kCoapUdpPort);\n messageInfo.SetSockAddr(Get().GetMeshLocal16());\n SuccessOrExit(\n error = Get().SendMessage(*message, messageInfo, Commissioner::HandleLeaderPetitionResponse, this));\n\n otLogInfoMeshCoP(\"sent petition\");\n\nexit:\n\n if (error != OT_ERROR_NONE && message != NULL)\n {\n 
message->Free();\n }\n\n return error;\n}", "project": "openthread", "hash": 269105408596970360099379729677495968523, "size": 36, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269871 }, { "func": "static void stimer_expiration(struct kvm_vcpu_hv_stimer *stimer)\n{\n\tint r, direct = stimer->config.direct_mode;\n\n\tstimer->msg_pending = true;\n\tif (!direct)\n\t\tr = stimer_send_msg(stimer);\n\telse\n\t\tr = stimer_notify_direct(stimer);\n\ttrace_kvm_hv_stimer_expiration(hv_stimer_to_vcpu(stimer)->vcpu_id,\n\t\t\t\t stimer->index, direct, r);\n\tif (!r) {\n\t\tstimer->msg_pending = false;\n\t\tif (!(stimer->config.periodic))\n\t\t\tstimer->config.enable = 0;\n\t}\n}", "project": "linux", "hash": 85324269071768673707004854203763904668, "size": 17, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. 
This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343496 }, { "func": "void input_inject_event(struct input_handle *handle,\n\t\t\tunsigned int type, unsigned int code, int value)\n{\n\tstruct input_dev *dev = handle->dev;\n\tstruct input_handle *grab;\n\tunsigned long flags;\n\n\tif (is_event_supported(type, dev->evbit, EV_MAX)) {\n\t\tspin_lock_irqsave(&dev->event_lock, flags);\n\n\t\trcu_read_lock();\n\t\tgrab = rcu_dereference(dev->grab);\n\t\tif (!grab || grab == handle)\n\t\t\tinput_handle_event(dev, type, code, value);\n\t\trcu_read_unlock();\n\n\t\tspin_unlock_irqrestore(&dev->event_lock, flags);\n\t}\n}", "project": "linux", "hash": 106878246953000455875760233139940068625, "size": 19, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353368 }, { "func": "void set_remote_option(struct Curl_easy *data, int option, int newstate)\n{\n struct TELNET *tn = data->req.p.telnet;\n if(newstate == CURL_YES) {\n switch(tn->him[option]) {\n case CURL_NO:\n tn->him[option] = CURL_WANTYES;\n send_negotiation(data, CURL_DO, option);\n break;\n\n case CURL_YES:\n /* Already enabled */\n break;\n\n case CURL_WANTNO:\n switch(tn->himq[option]) {\n case CURL_EMPTY:\n /* Already negotiating for CURL_YES, queue the request */\n tn->himq[option] = CURL_OPPOSITE;\n break;\n case CURL_OPPOSITE:\n /* Error: already queued an enable request */\n break;\n }\n break;\n\n case CURL_WANTYES:\n switch(tn->himq[option]) {\n case CURL_EMPTY:\n /* Error: already negotiating for enable */\n break;\n case CURL_OPPOSITE:\n tn->himq[option] = CURL_EMPTY;\n break;\n }\n break;\n }\n }\n else { /* NO */\n switch(tn->him[option]) {\n case CURL_NO:\n /* Already disabled */\n break;\n\n case CURL_YES:\n tn->him[option] = CURL_WANTNO;\n send_negotiation(data, CURL_DONT, option);\n break;\n\n case CURL_WANTNO:\n switch(tn->himq[option]) {\n case CURL_EMPTY:\n /* Already negotiating for NO */\n break;\n case CURL_OPPOSITE:\n tn->himq[option] = CURL_EMPTY;\n break;\n }\n break;\n\n case CURL_WANTYES:\n switch(tn->himq[option]) {\n case CURL_EMPTY:\n tn->himq[option] = CURL_OPPOSITE;\n break;\n case CURL_OPPOSITE:\n break;\n }\n break;\n }\n }\n}", "project": "curl", "hash": 84570495250595793801167133848826911391, "size": 72, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", 
"target": 0, "dataset": "other", "idx": 481489 }, { "func": "static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)\n{\n\tstruct hci_cp_add_sco *cp;\n\tstruct hci_conn *acl, *sco;\n\t__u16 handle;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (!status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);\n\tif (!cp)\n\t\treturn;\n\n\thandle = __le16_to_cpu(cp->handle);\n\n\tBT_DBG(\"%s handle 0x%4.4x\", hdev->name, handle);\n\n\thci_dev_lock(hdev);\n\n\tacl = hci_conn_hash_lookup_handle(hdev, handle);\n\tif (acl) {\n\t\tsco = acl->link;\n\t\tif (sco) {\n\t\t\tsco->state = BT_CLOSED;\n\n\t\t\thci_connect_cfm(sco, status);\n\t\t\thci_conn_del(sco);\n\t\t}\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 103267139175154913728728439780615251562, "size": 34, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431967 }, { "func": "static int unlink1(struct usbtest_dev *dev, int pipe, int size, int async)\n{\n\tstruct urb\t\t*urb;\n\tstruct completion\tcompletion;\n\tint\t\t\tretval = 0;\n\n\tinit_completion(&completion);\n\turb = simple_alloc_urb(testdev_to_usbdev(dev), pipe, size, 0);\n\tif (!urb)\n\t\treturn -ENOMEM;\n\turb->context = &completion;\n\turb->complete = unlink1_callback;\n\n\tif (usb_pipeout(urb->pipe)) {\n\t\tsimple_fill_buf(urb);\n\t\turb->transfer_flags |= URB_ZERO_PACKET;\n\t}\n\n\t/* keep the endpoint busy. there are lots of hc/hcd-internal\n\t * states, and testing should get to all of them over time.\n\t *\n\t * FIXME want additional tests for when endpoint is STALLing\n\t * due to errors, or is just NAKing requests.\n\t */\n\tretval = usb_submit_urb(urb, GFP_KERNEL);\n\tif (retval != 0) {\n\t\tdev_err(&dev->intf->dev, \"submit fail %d\\n\", retval);\n\t\treturn retval;\n\t}\n\n\t/* unlinking that should always work. variable delay tests more\n\t * hcd states and code paths, even with little other system load.\n\t */\n\tmsleep(jiffies % (2 * INTERRUPT_RATE));\n\tif (async) {\n\t\twhile (!completion_done(&completion)) {\n\t\t\tretval = usb_unlink_urb(urb);\n\n\t\t\tif (retval == 0 && usb_pipein(urb->pipe))\n\t\t\t\tretval = simple_check_buf(dev, urb);\n\n\t\t\tswitch (retval) {\n\t\t\tcase -EBUSY:\n\t\t\tcase -EIDRM:\n\t\t\t\t/* we can't unlink urbs while they're completing\n\t\t\t\t * or if they've completed, and we haven't\n\t\t\t\t * resubmitted. 
\"normal\" drivers would prevent\n\t\t\t\t * resubmission, but since we're testing unlink\n\t\t\t\t * paths, we can't.\n\t\t\t\t */\n\t\t\t\tERROR(dev, \"unlink retry\\n\");\n\t\t\t\tcontinue;\n\t\t\tcase 0:\n\t\t\tcase -EINPROGRESS:\n\t\t\t\tbreak;\n\n\t\t\tdefault:\n\t\t\t\tdev_err(&dev->intf->dev,\n\t\t\t\t\t\"unlink fail %d\\n\", retval);\n\t\t\t\treturn retval;\n\t\t\t}\n\n\t\t\tbreak;\n\t\t}\n\t} else\n\t\tusb_kill_urb(urb);\n\n\twait_for_completion(&completion);\n\tretval = urb->status;\n\tsimple_free_urb(urb);\n\n\tif (async)\n\t\treturn (retval == -ECONNRESET) ? 0 : retval - 1000;\n\telse\n\t\treturn (retval == -ENOENT || retval == -EPERM) ?\n\t\t\t\t0 : retval - 2000;\n}", "project": "linux", "hash": 161251435365483516824986832594548911961, "size": 77, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] 
__device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412251 }, { "func": "static void encode_renew(struct xdr_stream *xdr, clientid4 clid,\n\t\t\t struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_RENEW, decode_renew_maxsz, hdr);\n\tencode_uint64(xdr, clid);\n}", "project": "linux", "hash": 253539013248198490359699633505261589837, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431554 }, { "func": "static void do_notify_parent_cldstop(struct task_struct *tsk,\n\t\t\t\t bool for_ptracer, int why)\n{\n\tstruct kernel_siginfo 
info;\n\tunsigned long flags;\n\tstruct task_struct *parent;\n\tstruct sighand_struct *sighand;\n\tu64 utime, stime;\n\n\tif (for_ptracer) {\n\t\tparent = tsk->parent;\n\t} else {\n\t\ttsk = tsk->group_leader;\n\t\tparent = tsk->real_parent;\n\t}\n\n\tclear_siginfo(&info);\n\tinfo.si_signo = SIGCHLD;\n\tinfo.si_errno = 0;\n\t/*\n\t * see comment in do_notify_parent() about the following 4 lines\n\t */\n\trcu_read_lock();\n\tinfo.si_pid = task_pid_nr_ns(tsk, task_active_pid_ns(parent));\n\tinfo.si_uid = from_kuid_munged(task_cred_xxx(parent, user_ns), task_uid(tsk));\n\trcu_read_unlock();\n\n\ttask_cputime(tsk, &utime, &stime);\n\tinfo.si_utime = nsec_to_clock_t(utime);\n\tinfo.si_stime = nsec_to_clock_t(stime);\n\n \tinfo.si_code = why;\n \tswitch (why) {\n \tcase CLD_CONTINUED:\n \t\tinfo.si_status = SIGCONT;\n \t\tbreak;\n \tcase CLD_STOPPED:\n \t\tinfo.si_status = tsk->signal->group_exit_code & 0x7f;\n \t\tbreak;\n \tcase CLD_TRAPPED:\n \t\tinfo.si_status = tsk->exit_code & 0x7f;\n \t\tbreak;\n \tdefault:\n \t\tBUG();\n \t}\n\n\tsighand = parent->sighand;\n\tspin_lock_irqsave(&sighand->siglock, flags);\n\tif (sighand->action[SIGCHLD-1].sa.sa_handler != SIG_IGN &&\n\t !(sighand->action[SIGCHLD-1].sa.sa_flags & SA_NOCLDSTOP))\n\t\t__group_send_sig_info(SIGCHLD, &info, parent);\n\t/*\n\t * Even if SIGCHLD is not generated, we must wake up wait4 calls.\n\t */\n\t__wake_up_parent(tsk, parent);\n\tspin_unlock_irqrestore(&sighand->siglock, flags);\n}", "project": "linux", "hash": 61976367797300044629619214851415760983, "size": 57, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375262 }, { "func": "enum QuadOption imap_continue(const char *msg, const char *resp)\n{\n imap_error(msg, resp);\n return mutt_yesorno(_(\"Continue?\"), MUTT_NO);\n}", "project": "neomutt", "hash": 256442921122041111317926748042223334506, "size": 5, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. 
In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399275 }, { "func": "int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session) {\n\n\tif (oidc_proto_is_redirect_authorization_response(r, c)) {\n\n\t\t/* this is an authorization response from the OP using the Basic Client profile or a Hybrid flow*/\n\t\treturn oidc_handle_redirect_authorization_response(r, c, session);\n\t\t/*\n\t\t *\n\t\t * Note that we are checking for logout *before* checking for a POST authorization response\n\t\t * to handle backchannel POST-based logout\n\t\t *\n\t\t * so any POST to the Redirect URI that does not have a logout query parameter will be handled\n\t\t * as an authorization response; alternatively we could assume that a POST response has no\n\t\t * parameters\n\t\t */\n\t} else if (oidc_util_request_has_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_LOGOUT)) {\n\t\t/* handle logout */\n\t\treturn oidc_handle_logout(r, c, session);\n\n\t} else if (oidc_proto_is_post_authorization_response(r, c)) {\n\n\t\t/* this is an authorization response using the fragment(+POST) response_mode with the Implicit Client profile */\n\t\treturn oidc_handle_post_authorization_response(r, c, session);\n\n\t} else if (oidc_is_discovery_response(r, c)) {\n\n\t\t/* this is response from the OP discovery page */\n\t\treturn oidc_handle_discovery_response(r, c);\n\n\t} else if (oidc_util_request_has_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_JWKS)) {\n\t\t/*\n\t\t * Will be handled in the content handler; avoid:\n\t\t * No authentication done but request not allowed without authentication\n\t\t * by setting r->user\n\t\t */\n\t\tr->user = \"\";\n\t\treturn OK;\n\n\t} else if (oidc_util_request_has_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_SESSION)) {\n\n\t\t/* handle session management request 
*/\n\t\treturn oidc_handle_session_management(r, c, session);\n\n\t} else if (oidc_util_request_has_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_REFRESH)) {\n\n\t\t/* handle refresh token request */\n\t\treturn oidc_handle_refresh_token_request(r, c, session);\n\n\t} else if (oidc_util_request_has_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_REQUEST_URI)) {\n\n\t\t/* handle request object by reference request */\n\t\treturn oidc_handle_request_uri(r, c);\n\n\t} else if (oidc_util_request_has_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_REMOVE_AT_CACHE)) {\n\n\t\t/* handle request to invalidate access token cache */\n\t\treturn oidc_handle_remove_at_cache(r, c);\n\n\t} else if (oidc_util_request_has_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_INFO)) {\n\n\t\tif (session->remote_user == NULL)\n\t\t\treturn HTTP_UNAUTHORIZED;\n\n\t\t/*\n\t\t * Will be handled in the content handler; avoid:\n\t\t * No authentication done but request not allowed without authentication\n\t\t * by setting r->user\n\t\t */\n\t\tr->user = \"\";\n\t\treturn OK;\n\n\t} else if ((r->args == NULL) || (apr_strnatcmp(r->args, \"\") == 0)) {\n\n\t\t/* this is a \"bare\" request to the redirect URI, indicating implicit flow using the fragment response_mode */\n\t\treturn oidc_proto_javascript_implicit(r, c);\n\t}\n\n\t/* this is not an authorization response or logout request */\n\n\t/* check for \"error\" response */\n\tif (oidc_util_request_has_parameter(r, OIDC_PROTO_ERROR)) {\n\n\t\t//\t\tchar *error = NULL, *descr = NULL;\n\t\t//\t\toidc_util_get_request_parameter(r, \"error\", &error);\n\t\t//\t\toidc_util_get_request_parameter(r, \"error_description\", &descr);\n\t\t//\n\t\t//\t\t/* send user facing error to browser */\n\t\t//\t\treturn oidc_util_html_send_error(r, error, descr, DONE);\n\t\treturn oidc_handle_redirect_authorization_response(r, c, session);\n\t}\n\n\toidc_error(r,\n\t\t\t\"The OpenID Connect callback URL received an invalid request: %s; returning 
HTTP_INTERNAL_SERVER_ERROR\",\n\t\t\tr->args);\n\n\t/* something went wrong */\n\treturn oidc_util_html_send_error(r, c->error_template, \"Invalid Request\",\n\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\"The OpenID Connect callback URL received an invalid request\"),\n\t\t\t\t\tHTTP_INTERNAL_SERVER_ERROR);\n}", "project": "mod_auth_openidc", "hash": 287739443425073768435927812189928449047, "size": 109, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381926 }, { "func": "int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session) {\n\n\tif (oidc_proto_is_redirect_authorization_response(r, c)) {\n\n\t\t/* this is an authorization response from the OP using the Basic Client profile or a Hybrid flow*/\n\t\treturn oidc_handle_redirect_authorization_response(r, c, session);\n\t/*\n\t *\n\t * Note that we are checking for logout *before* checking for a POST authorization response\n\t * to handle backchannel POST-based logout\n\t *\n\t * so any POST to the Redirect URI that does not have a logout query parameter will be handled\n\t * as an authorization response; alternatively we could assume that a POST response has no\n\t * parameters\n\t */\n\t} else if (oidc_util_request_has_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_LOGOUT)) {\n\t\t/* handle logout */\n\t\treturn oidc_handle_logout(r, c, session);\n\n\t} else if (oidc_proto_is_post_authorization_response(r, c)) {\n\n\t\t/* this is an authorization response using the fragment(+POST) response_mode with the Implicit Client profile */\n\t\treturn oidc_handle_post_authorization_response(r, c, session);\n\n\t} else if (oidc_is_discovery_response(r, c)) {\n\n\t\t/* this is response from the OP discovery page */\n\t\treturn oidc_handle_discovery_response(r, c);\n\n\t} else if 
(oidc_util_request_has_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_JWKS)) {\n\n\t\t/* handle JWKs request */\n\t\treturn oidc_handle_jwks(r, c);\n\n\t} else if (oidc_util_request_has_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_SESSION)) {\n\n\t\t/* handle session management request */\n\t\treturn oidc_handle_session_management(r, c, session);\n\n\t} else if (oidc_util_request_has_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_REFRESH)) {\n\n\t\t/* handle refresh token request */\n\t\treturn oidc_handle_refresh_token_request(r, c, session);\n\n\t} else if (oidc_util_request_has_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_REQUEST_URI)) {\n\n\t\t/* handle request object by reference request */\n\t\treturn oidc_handle_request_uri(r, c);\n\n\t} else if (oidc_util_request_has_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_REMOVE_AT_CACHE)) {\n\n\t\t/* handle request to invalidate access token cache */\n\t\treturn oidc_handle_remove_at_cache(r, c);\n\n\t} else if (oidc_util_request_has_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_INFO)) {\n\n\t\tif (session->remote_user == NULL)\n\t\t\treturn HTTP_UNAUTHORIZED;\n\n\t\t/* set r->user, set headers/env-vars, update expiry, update userinfo + AT */\n\t\tint rc = oidc_handle_existing_session(r, c, session);\n\t\tif (rc != OK)\n\t\t\treturn rc;\n\n\t\treturn oidc_handle_info_request(r, c, session);\n\n\t} else if ((r->args == NULL) || (apr_strnatcmp(r->args, \"\") == 0)) {\n\n\t\t/* this is a \"bare\" request to the redirect URI, indicating implicit flow using the fragment response_mode */\n\t\treturn oidc_proto_javascript_implicit(r, c);\n\t}\n\n\t/* this is not an authorization response or logout request */\n\n\t/* check for \"error\" response */\n\tif (oidc_util_request_has_parameter(r, OIDC_PROTO_ERROR)) {\n\n\t\t//\t\tchar *error = NULL, *descr = NULL;\n\t\t//\t\toidc_util_get_request_parameter(r, \"error\", &error);\n\t\t//\t\toidc_util_get_request_parameter(r, \"error_description\", &descr);\n\t\t//\n\t\t//\t\t/* 
send user facing error to browser */\n\t\t//\t\treturn oidc_util_html_send_error(r, error, descr, DONE);\n\t\treturn oidc_handle_redirect_authorization_response(r, c, session);\n\t}\n\n\toidc_error(r,\n\t\t\t\"The OpenID Connect callback URL received an invalid request: %s; returning HTTP_INTERNAL_SERVER_ERROR\",\n\t\t\tr->args);\n\n\t/* something went wrong */\n\treturn oidc_util_html_send_error(r, c->error_template, \"Invalid Request\",\n\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\"The OpenID Connect callback URL received an invalid request\"),\n\t\t\t\t\tHTTP_INTERNAL_SERVER_ERROR);\n}", "project": "mod_auth_openidc", "hash": 116495596624343000853847569258216743942, "size": 104, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447695 }, { "func": "OPJ_BOOL opj_tcd_update_tile_data(opj_tcd_t *p_tcd,\n OPJ_BYTE * p_dest,\n OPJ_UINT32 p_dest_length\n )\n{\n OPJ_UINT32 i, j, k, l_data_size = 0;\n opj_image_comp_t * l_img_comp = 00;\n opj_tcd_tilecomp_t * l_tilec = 00;\n opj_tcd_resolution_t * l_res;\n OPJ_UINT32 l_size_comp, l_remaining;\n OPJ_UINT32 l_stride, l_width, l_height;\n\n l_data_size = opj_tcd_get_decoded_tile_size(p_tcd, OPJ_TRUE);\n if (l_data_size == UINT_MAX || l_data_size > p_dest_length) {\n return OPJ_FALSE;\n }\n\n l_tilec = p_tcd->tcd_image->tiles->comps;\n l_img_comp = p_tcd->image->comps;\n\n for (i = 0; i < p_tcd->image->numcomps; ++i) {\n const OPJ_INT32* l_src_data;\n l_size_comp = l_img_comp->prec >> 3; /*(/ 8)*/\n l_remaining = l_img_comp->prec & 7; /* (%8) */\n l_res = l_tilec->resolutions + l_img_comp->resno_decoded;\n if (p_tcd->whole_tile_decoding) {\n l_width = (OPJ_UINT32)(l_res->x1 - l_res->x0);\n l_height = (OPJ_UINT32)(l_res->y1 - l_res->y0);\n l_stride = (OPJ_UINT32)(l_tilec->resolutions[l_tilec->minimum_num_resolutions -\n 1].x1 -\n l_tilec->resolutions[l_tilec->minimum_num_resolutions - 1].x0) - l_width;\n l_src_data = 
l_tilec->data;\n } else {\n l_width = l_res->win_x1 - l_res->win_x0;\n l_height = l_res->win_y1 - l_res->win_y0;\n l_stride = 0;\n l_src_data = l_tilec->data_win;\n }\n\n if (l_remaining) {\n ++l_size_comp;\n }\n\n if (l_size_comp == 3) {\n l_size_comp = 4;\n }\n\n switch (l_size_comp) {\n case 1: {\n OPJ_CHAR * l_dest_ptr = (OPJ_CHAR *) p_dest;\n const OPJ_INT32 * l_src_ptr = l_src_data;\n\n if (l_img_comp->sgnd) {\n for (j = 0; j < l_height; ++j) {\n for (k = 0; k < l_width; ++k) {\n *(l_dest_ptr++) = (OPJ_CHAR)(*(l_src_ptr++));\n }\n l_src_ptr += l_stride;\n }\n } else {\n for (j = 0; j < l_height; ++j) {\n for (k = 0; k < l_width; ++k) {\n *(l_dest_ptr++) = (OPJ_CHAR)((*(l_src_ptr++)) & 0xff);\n }\n l_src_ptr += l_stride;\n }\n }\n\n p_dest = (OPJ_BYTE *)l_dest_ptr;\n }\n break;\n case 2: {\n const OPJ_INT32 * l_src_ptr = l_src_data;\n OPJ_INT16 * l_dest_ptr = (OPJ_INT16 *) p_dest;\n\n if (l_img_comp->sgnd) {\n for (j = 0; j < l_height; ++j) {\n for (k = 0; k < l_width; ++k) {\n OPJ_INT16 val = (OPJ_INT16)(*(l_src_ptr++));\n memcpy(l_dest_ptr, &val, sizeof(val));\n l_dest_ptr ++;\n }\n l_src_ptr += l_stride;\n }\n } else {\n for (j = 0; j < l_height; ++j) {\n for (k = 0; k < l_width; ++k) {\n OPJ_INT16 val = (OPJ_INT16)((*(l_src_ptr++)) & 0xffff);\n memcpy(l_dest_ptr, &val, sizeof(val));\n l_dest_ptr ++;\n }\n l_src_ptr += l_stride;\n }\n }\n\n p_dest = (OPJ_BYTE*) l_dest_ptr;\n }\n break;\n case 4: {\n OPJ_INT32 * l_dest_ptr = (OPJ_INT32 *) p_dest;\n const OPJ_INT32 * l_src_ptr = l_src_data;\n\n for (j = 0; j < l_height; ++j) {\n memcpy(l_dest_ptr, l_src_ptr, l_width * sizeof(OPJ_INT32));\n l_dest_ptr += l_width;\n l_src_ptr += l_width + l_stride;\n }\n\n p_dest = (OPJ_BYTE*) l_dest_ptr;\n }\n break;\n }\n\n ++l_img_comp;\n ++l_tilec;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 116766104102173240649997175823338364893, "size": 119, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in 
opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359193 }, { "func": "static void nfs4_delegreturn_done(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs4_delegreturndata *data = calldata;\n\tstruct nfs4_exception exception = {\n\t\t.inode = data->inode,\n\t\t.stateid = &data->stateid,\n\t};\n\n\tif (!nfs4_sequence_done(task, &data->res.seq_res))\n\t\treturn;\n\n\ttrace_nfs4_delegreturn_exit(&data->args, &data->res, task->tk_status);\n\n\t/* Handle Layoutreturn errors */\n\tif (pnfs_roc_done(task, data->inode,\n\t\t\t\t&data->args.lr_args,\n\t\t\t\t&data->res.lr_res,\n\t\t\t\t&data->res.lr_ret) == -EAGAIN)\n\t\tgoto out_restart;\n\n\tswitch (task->tk_status) {\n\tcase 0:\n\t\trenew_lease(data->res.server, data->timestamp);\n\t\tbreak;\n\tcase -NFS4ERR_ADMIN_REVOKED:\n\tcase -NFS4ERR_DELEG_REVOKED:\n\tcase -NFS4ERR_EXPIRED:\n\t\tnfs4_free_revoked_stateid(data->res.server,\n\t\t\t\tdata->args.stateid,\n\t\t\t\ttask->tk_msg.rpc_cred);\n\t\t/* Fallthrough */\n\tcase -NFS4ERR_BAD_STATEID:\n\tcase -NFS4ERR_STALE_STATEID:\n\tcase -ETIMEDOUT:\n\t\ttask->tk_status = 0;\n\t\tbreak;\n\tcase -NFS4ERR_OLD_STATEID:\n\t\tif (!nfs4_refresh_delegation_stateid(&data->stateid, data->inode))\n\t\t\tnfs4_stateid_seqid_inc(&data->stateid);\n\t\tif (data->args.bitmask) {\n\t\t\tdata->args.bitmask = NULL;\n\t\t\tdata->res.fattr = NULL;\n\t\t}\n\t\tgoto out_restart;\n\tcase -NFS4ERR_ACCESS:\n\t\tif (data->args.bitmask) {\n\t\t\tdata->args.bitmask = NULL;\n\t\t\tdata->res.fattr = NULL;\n\t\t\tgoto out_restart;\n\t\t}\n\t\t/* Fallthrough */\n\tdefault:\n\t\ttask->tk_status = nfs4_async_handle_exception(task,\n\t\t\t\tdata->res.server, task->tk_status,\n\t\t\t\t&exception);\n\t\tif (exception.retry)\n\t\t\tgoto out_restart;\n\t}\n\tnfs_delegation_mark_returned(data->inode, data->args.stateid);\n\tdata->rpc_status = task->tk_status;\n\treturn;\nout_restart:\n\ttask->tk_status = 0;\n\trpc_restart_call_prepare(task);\n}", "project": "linux", 
"hash": 55931387804907011067774085730581136058, "size": 65, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431357 }, { "func": "static int ca8210_set_promiscuous_mode(struct ieee802154_hw *hw, const bool on)\n{\n\tu8 status;\n\tstruct ca8210_priv *priv = hw->priv;\n\n\tstatus = mlme_set_request_sync(\n\t\tMAC_PROMISCUOUS_MODE,\n\t\t0,\n\t\t1,\n\t\t(const void *)&on,\n\t\tpriv->spi\n\t);\n\tif (status) {\n\t\tdev_err(\n\t\t\t&priv->spi->dev,\n\t\t\t\"error setting promiscuous mode, MLME-SET.confirm status = %d\",\n\t\t\tstatus\n\t\t);\n\t} else {\n\t\tpriv->promiscuous = on;\n\t}\n\treturn link_to_linux_err(status);\n}", "project": "linux", "hash": 273175119781676239912984751725878921703, "size": 23, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408802 }, { "func": "static int kvm_s390_vm_set_crypto(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tmutex_lock(&kvm->lock);\n\tswitch (attr->attr) {\n\tcase KVM_S390_VM_CRYPTO_ENABLE_AES_KW:\n\t\tif (!test_kvm_facility(kvm, 76)) {\n\t\t\tmutex_unlock(&kvm->lock);\n\t\t\treturn 
-EINVAL;\n\t\t}\n\t\tget_random_bytes(\n\t\t\tkvm->arch.crypto.crycb->aes_wrapping_key_mask,\n\t\t\tsizeof(kvm->arch.crypto.crycb->aes_wrapping_key_mask));\n\t\tkvm->arch.crypto.aes_kw = 1;\n\t\tVM_EVENT(kvm, 3, \"%s\", \"ENABLE: AES keywrapping support\");\n\t\tbreak;\n\tcase KVM_S390_VM_CRYPTO_ENABLE_DEA_KW:\n\t\tif (!test_kvm_facility(kvm, 76)) {\n\t\t\tmutex_unlock(&kvm->lock);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tget_random_bytes(\n\t\t\tkvm->arch.crypto.crycb->dea_wrapping_key_mask,\n\t\t\tsizeof(kvm->arch.crypto.crycb->dea_wrapping_key_mask));\n\t\tkvm->arch.crypto.dea_kw = 1;\n\t\tVM_EVENT(kvm, 3, \"%s\", \"ENABLE: DEA keywrapping support\");\n\t\tbreak;\n\tcase KVM_S390_VM_CRYPTO_DISABLE_AES_KW:\n\t\tif (!test_kvm_facility(kvm, 76)) {\n\t\t\tmutex_unlock(&kvm->lock);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tkvm->arch.crypto.aes_kw = 0;\n\t\tmemset(kvm->arch.crypto.crycb->aes_wrapping_key_mask, 0,\n\t\t\tsizeof(kvm->arch.crypto.crycb->aes_wrapping_key_mask));\n\t\tVM_EVENT(kvm, 3, \"%s\", \"DISABLE: AES keywrapping support\");\n\t\tbreak;\n\tcase KVM_S390_VM_CRYPTO_DISABLE_DEA_KW:\n\t\tif (!test_kvm_facility(kvm, 76)) {\n\t\t\tmutex_unlock(&kvm->lock);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tkvm->arch.crypto.dea_kw = 0;\n\t\tmemset(kvm->arch.crypto.crycb->dea_wrapping_key_mask, 0,\n\t\t\tsizeof(kvm->arch.crypto.crycb->dea_wrapping_key_mask));\n\t\tVM_EVENT(kvm, 3, \"%s\", \"DISABLE: DEA keywrapping support\");\n\t\tbreak;\n\tcase KVM_S390_VM_CRYPTO_ENABLE_APIE:\n\t\tif (!ap_instructions_available()) {\n\t\t\tmutex_unlock(&kvm->lock);\n\t\t\treturn -EOPNOTSUPP;\n\t\t}\n\t\tkvm->arch.crypto.apie = 1;\n\t\tbreak;\n\tcase KVM_S390_VM_CRYPTO_DISABLE_APIE:\n\t\tif (!ap_instructions_available()) {\n\t\t\tmutex_unlock(&kvm->lock);\n\t\t\treturn -EOPNOTSUPP;\n\t\t}\n\t\tkvm->arch.crypto.apie = 0;\n\t\tbreak;\n\tdefault:\n\t\tmutex_unlock(&kvm->lock);\n\t\treturn -ENXIO;\n\t}\n\n\tkvm_s390_vcpu_crypto_reset_all(kvm);\n\tmutex_unlock(&kvm->lock);\n\treturn 0;\n}", "project": 
"linux", "hash": 25130148568478915152911954650483026184, "size": 69, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354713 }, { "func": "static int parse_file_extra_version(struct archive_read* a,\n struct archive_entry* e, ssize_t* extra_data_size)\n{\n\tsize_t flags = 0;\n\tsize_t version = 0;\n\tsize_t value_len = 0;\n\tstruct archive_string version_string;\n\tstruct archive_string name_utf8_string;\n\tconst char* cur_filename;\n\n\t/* Flags are ignored. */\n\tif(!read_var_sized(a, &flags, &value_len))\n\t\treturn ARCHIVE_EOF;\n\n\t*extra_data_size -= value_len;\n\tif(ARCHIVE_OK != consume(a, value_len))\n\t\treturn ARCHIVE_EOF;\n\n\tif(!read_var_sized(a, &version, &value_len))\n\t\treturn ARCHIVE_EOF;\n\n\t*extra_data_size -= value_len;\n\tif(ARCHIVE_OK != consume(a, value_len))\n\t\treturn ARCHIVE_EOF;\n\n\t/* extra_data_size should be zero here. */\n\n\tcur_filename = archive_entry_pathname_utf8(e);\n\tif(cur_filename == NULL) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,\n\t\t \"Version entry without file name\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tarchive_string_init(&version_string);\n\tarchive_string_init(&name_utf8_string);\n\n\t/* Prepare a ;123 suffix for the filename, where '123' is the version\n\t * value of this file. 
*/\n\tarchive_string_sprintf(&version_string, \";%zu\", version);\n\n\t/* Build the new filename. */\n\tarchive_strcat(&name_utf8_string, cur_filename);\n\tarchive_strcat(&name_utf8_string, version_string.s);\n\n\t/* Apply the new filename into this file's context. */\n\tarchive_entry_update_pathname_utf8(e, name_utf8_string.s);\n\n\t/* Free buffers. */\n\tarchive_string_free(&version_string);\n\tarchive_string_free(&name_utf8_string);\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 47803419186494186904655100327187101220, "size": 53, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244769 }, { "func": "static int TTFFeatureIndex( uint32 tag, struct table_ordering *ord ) {\n /* This is the order in which features should be executed */\n int cnt = 0;\n\n if ( ord!=NULL ) {\n\tfor ( cnt=0; ord->ordered_features[cnt]!=0; ++cnt )\n\t if ( ord->ordered_features[cnt]==tag )\n\tbreak;\nreturn( cnt );\n }\n\n cnt+=2;\n\n switch ( tag ) {\n/* GSUB ordering */\n case CHR('c','c','m','p'):\t/* Must be first? 
*/\nreturn( cnt-2 );\n case CHR('l','o','c','l'):\t/* Language dependent letter forms (serbian uses some different glyphs than russian) */\nreturn( cnt-1 );\n case CHR('i','s','o','l'):\nreturn( cnt );\n case CHR('j','a','l','t'):\t\t/* must come after 'isol' */\nreturn( cnt+1 );\n case CHR('f','i','n','a'):\nreturn( cnt+2 );\n case CHR('f','i','n','2'):\n case CHR('f','a','l','t'):\t\t/* must come after 'fina' */\nreturn( cnt+3 );\n case CHR('f','i','n','3'):\nreturn( cnt+4 );\n case CHR('m','e','d','i'):\nreturn( cnt+5 );\n case CHR('m','e','d','2'):\nreturn( cnt+6 );\n case CHR('i','n','i','t'):\nreturn( cnt+7 );\n\n case CHR('r','t','l','a'):\nreturn( cnt+100 );\n case CHR('s','m','c','p'): case CHR('c','2','s','c'):\nreturn( cnt+200 );\n\n case CHR('r','l','i','g'):\nreturn( cnt+300 );\n case CHR('c','a','l','t'):\nreturn( cnt+301 );\n case CHR('l','i','g','a'):\nreturn( cnt+302 );\n case CHR('d','l','i','g'): case CHR('h','l','i','g'):\nreturn( cnt+303 );\n case CHR('c','s','w','h'):\nreturn( cnt+304 );\n case CHR('m','s','e','t'):\nreturn( cnt+305 );\n\n case CHR('f','r','a','c'):\nreturn( cnt+306 );\n\n/* Indic processing */\n case CHR('n','u','k','t'):\n case CHR('p','r','e','f'):\nreturn( cnt+301 );\n case CHR('a','k','h','n'):\nreturn( cnt+302 );\n case CHR('r','p','h','f'):\nreturn( cnt+303 );\n case CHR('b','l','w','f'):\nreturn( cnt+304 );\n case CHR('h','a','l','f'):\n case CHR('a','b','v','f'):\nreturn( cnt+305 );\n case CHR('p','s','t','f'):\nreturn( cnt+306 );\n case CHR('v','a','t','u'):\nreturn( cnt+307 );\n\n case CHR('p','r','e','s'):\nreturn( cnt+310 );\n case CHR('b','l','w','s'):\nreturn( cnt+311 );\n case CHR('a','b','v','s'):\nreturn( cnt+312 );\n case CHR('p','s','t','s'):\nreturn( cnt+313 );\n case CHR('c','l','i','g'):\nreturn( cnt+314 );\n \n case CHR('h','a','l','n'):\nreturn( cnt+320 );\n/* end indic ordering */\n\n case CHR('a','f','r','c'):\n case CHR('l','j','m','o'):\n case CHR('v','j','m','o'):\nreturn( cnt+350 );\n case 
CHR('v','r','t','2'): case CHR('v','e','r','t'):\nreturn( cnt+1010 );\t\t/* Documented to come last */\n\n/* Unknown things come after everything but vert/vrt2 */\n default:\nreturn( cnt+1000 );\n\n }\n}", "project": "fontforge", "hash": 4869684038143534822534672180223663075, "size": 104, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417786 }, { "func": "static void wake_futex(struct futex_q *q)\n{\n\tstruct task_struct *p = q->task;\n\n\t/*\n\t * We set q->lock_ptr = NULL _before_ we wake up the task. If\n\t * a non futex wake up happens on another CPU then the task\n\t * might exit and p would dereference a non existing task\n\t * struct. Prevent this by holding a reference on p across the\n\t * wake up.\n\t */\n\tget_task_struct(p);\n\n\tplist_del(&q->list, &q->list.plist);\n\t/*\n\t * The waiting task can free the futex_q as soon as\n\t * q->lock_ptr = NULL is written, without taking any locks. 
A\n\t * memory barrier is required here to prevent the following\n\t * store to lock_ptr from getting ahead of the plist_del.\n\t */\n\tsmp_wmb();\n\tq->lock_ptr = NULL;\n\n\twake_up_state(p, TASK_NORMAL);\n\tput_task_struct(p);\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 326625725873245469593807385295285218560, "size": 26, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492320 }, { "func": "__s32 hidinput_calc_abs_res(const struct hid_field *field, __u16 code)\n{\n\t__s32 unit_exponent = field->unit_exponent;\n\t__s32 logical_extents = field->logical_maximum -\n\t\t\t\t\tfield->logical_minimum;\n\t__s32 physical_extents = field->physical_maximum -\n\t\t\t\t\tfield->physical_minimum;\n\t__s32 prev;\n\n\t/* Check if the extents are sane */\n\tif (logical_extents <= 0 || physical_extents <= 0)\n\t\treturn 0;\n\n\t/*\n\t * Verify and convert units.\n\t * See HID specification v1.11 6.2.2.7 Global Items for unit decoding\n\t */\n\tswitch (code) {\n\tcase ABS_X:\n\tcase ABS_Y:\n\tcase ABS_Z:\n\tcase ABS_MT_POSITION_X:\n\tcase ABS_MT_POSITION_Y:\n\tcase ABS_MT_TOOL_X:\n\tcase ABS_MT_TOOL_Y:\n\tcase ABS_MT_TOUCH_MAJOR:\n\tcase ABS_MT_TOUCH_MINOR:\n\t\tif (field->unit == 0x11) {\t\t/* If centimeters */\n\t\t\t/* Convert to millimeters */\n\t\t\tunit_exponent += 1;\n\t\t} else if (field->unit == 0x13) {\t/* If inches */\n\t\t\t/* Convert to millimeters */\n\t\t\tprev = physical_extents;\n\t\t\tphysical_extents *= 254;\n\t\t\tif (physical_extents < prev)\n\t\t\t\treturn 0;\n\t\t\tunit_exponent -= 1;\n\t\t} else {\n\t\t\treturn 0;\n\t\t}\n\t\tbreak;\n\n\tcase ABS_RX:\n\tcase ABS_RY:\n\tcase ABS_RZ:\n\tcase ABS_WHEEL:\n\tcase ABS_TILT_X:\n\tcase ABS_TILT_Y:\n\t\tif (field->unit == 
0x14) {\t\t/* If degrees */\n\t\t\t/* Convert to radians */\n\t\t\tprev = logical_extents;\n\t\t\tlogical_extents *= 573;\n\t\t\tif (logical_extents < prev)\n\t\t\t\treturn 0;\n\t\t\tunit_exponent += 1;\n\t\t} else if (field->unit != 0x12) {\t/* If not radians */\n\t\t\treturn 0;\n\t\t}\n\t\tbreak;\n\n\tdefault:\n\t\treturn 0;\n\t}\n\n\t/* Apply negative unit exponent */\n\tfor (; unit_exponent < 0; unit_exponent++) {\n\t\tprev = logical_extents;\n\t\tlogical_extents *= 10;\n\t\tif (logical_extents < prev)\n\t\t\treturn 0;\n\t}\n\t/* Apply positive unit exponent */\n\tfor (; unit_exponent > 0; unit_exponent--) {\n\t\tprev = physical_extents;\n\t\tphysical_extents *= 10;\n\t\tif (physical_extents < prev)\n\t\t\treturn 0;\n\t}\n\n\t/* Calculate resolution */\n\treturn DIV_ROUND_CLOSEST(logical_extents, physical_extents);\n}", "project": "linux", "hash": 2422436458415941643826153795753331613, "size": 82, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458376 }, { "func": "static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4)\n{\n\tstruct sock *sk = skb->sk;\n\tstruct inet_sock *inet = 
inet_sk(sk);\n\tstruct udphdr *uh;\n\tint err = 0;\n\tint is_udplite = IS_UDPLITE(sk);\n\tint offset = skb_transport_offset(skb);\n\tint len = skb->len - offset;\n\t__wsum csum = 0;\n\n\t/*\n\t * Create a UDP header\n\t */\n\tuh = udp_hdr(skb);\n\tuh->source = inet->inet_sport;\n\tuh->dest = fl4->fl4_dport;\n\tuh->len = htons(len);\n\tuh->check = 0;\n\n\tif (is_udplite) \t\t\t\t /* UDP-Lite */\n\t\tcsum = udplite_csum(skb);\n\n\telse if (sk->sk_no_check_tx && !skb_is_gso(skb)) { /* UDP csum off */\n\n\t\tskb->ip_summed = CHECKSUM_NONE;\n\t\tgoto send;\n\n\t} else if (skb->ip_summed == CHECKSUM_PARTIAL) { /* UDP hardware csum */\n\n\t\tudp4_hwcsum(skb, fl4->saddr, fl4->daddr);\n\t\tgoto send;\n\n\t} else\n\t\tcsum = udp_csum(skb);\n\n\t/* add protocol-dependent pseudo-header */\n\tuh->check = csum_tcpudp_magic(fl4->saddr, fl4->daddr, len,\n\t\t\t\t sk->sk_protocol, csum);\n\tif (uh->check == 0)\n\t\tuh->check = CSUM_MANGLED_0;\n\nsend:\n\terr = ip_send_skb(sock_net(sk), skb);\n\tif (err) {\n\t\tif (err == -ENOBUFS && !inet->recverr) {\n\t\t\tUDP_INC_STATS(sock_net(sk),\n\t\t\t\t UDP_MIB_SNDBUFERRORS, is_udplite);\n\t\t\terr = 0;\n\t\t}\n\t} else\n\t\tUDP_INC_STATS(sock_net(sk),\n\t\t\t UDP_MIB_OUTDATAGRAMS, is_udplite);\n\treturn err;\n}", "project": "net", "hash": 260959883797401629023466073056872705985, "size": 55, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. 
Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468956 }, { "func": "static void hci_user_passkey_request_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_user_passkey_req *ev = (void *) skb->data;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tmgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);\n}", "project": "linux", "hash": 258104245790351489072116620025713879506, "size": 10, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431983 }, { "func": "static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)\n{\n\tstruct hci_cp_exit_sniff_mode *cp;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (!status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));\n\tif (conn) {\n\t\tclear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);\n\n\t\tif (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))\n\t\t\thci_sco_setup(conn, status);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 313576551322728183475882479646638359972, "size": 26, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431975 }, { "func": "static bool tx_can_batch(struct vhost_virtqueue *vq, size_t total_len)\n{\n\treturn total_len < VHOST_NET_WEIGHT &&\n\t !vhost_vq_avail_empty(vq->dev, vq);\n}", "project": "linux", "hash": 246621952042636070242797125253441380078, "size": 5, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 441977 }, { "func": "int __hci_req_start_ext_adv(struct hci_request *req, u8 instance)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tstruct adv_info *adv_instance = hci_find_adv_instance(hdev, instance);\n\tint err;\n\n\t/* If instance isn't pending, the chip knows about it, and it's safe to\n\t * disable\n\t */\n\tif (adv_instance && !adv_instance->pending)\n\t\t__hci_req_disable_ext_adv_instance(req, instance);\n\n\terr = __hci_req_setup_ext_adv_instance(req, instance);\n\tif (err < 0)\n\t\treturn err;\n\n\t__hci_req_update_scan_rsp_data(req, instance);\n\t__hci_req_enable_ext_advertising(req, instance);\n\n\treturn 0;\n}", "project": "linux", "hash": 144765850677303345668601726136843026009, "size": 21, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402550 }, { "func": "bool RGWInfo_ObjStore_SWIFT::is_expired(const std::string& expires, CephContext* cct)\n{\n string err;\n const utime_t now = ceph_clock_now();\n const uint64_t expiration = (uint64_t)strict_strtoll(expires.c_str(),\n 10, &err);\n if (!err.empty()) {\n ldout(cct, 5) << \"failed to parse siginfo_expires: \" << err << dendl;\n return true;\n }\n\n if (expiration <= (uint64_t)now.sec()) {\n ldout(cct, 5) << \"siginfo expired: \" << expiration << \" <= \" << now.sec() << dendl;\n return true;\n }\n\n return false;\n}", "project": "ceph", "hash": 229357886059177479886568727406109680123, "size": 18, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448822 }, { "func": "void rfbScaledScreenUpdate(rfbScreenInfoPtr screen, int x1, int y1, int x2, int y2)\n{\n /* ok, now the task is to update each and every scaled version of the framebuffer\n * and we only have to do this for this specific changed rectangle!\n */\n rfbScreenInfoPtr ptr;\n int count=0;\n\n /* We don't point to cl->screen as it is the original */\n for (ptr=screen->scaledScreenNext;ptr!=NULL;ptr=ptr->scaledScreenNext)\n {\n /* Only update if it has active clients... 
*/\n if (ptr->scaledScreenRefCount>0)\n {\n rfbScaledScreenUpdateRect(screen, ptr, x1, y1, x2-x1, y2-y1);\n count++;\n }\n }\n}", "project": "libvncserver", "hash": 215326188155159813331711778647484824454, "size": 19, "commit_id": "a6788d1da719ae006605b78d22f5a9f170b423af", "message": "libvncserver: scale: cast to 64 bit before shifting\n\nSince pixel_value is 64 bit the data type of the shift operand should\nbe 64 bit too to prevent integer overflows.", "target": 0, "dataset": "other", "idx": 296794 }, { "func": "static void nfs4_free_revoked_stateid(struct nfs_server *server,\n\t\tconst nfs4_stateid *stateid,\n\t\tconst struct cred *cred)\n{\n\tnfs4_stateid tmp;\n\n\tnfs4_stateid_copy(&tmp, stateid);\n\t__nfs4_free_revoked_stateid(server, &tmp, cred);\n}", "project": "linux", "hash": 155463501926391975139466940187404931467, "size": 9, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431537 }, { "func": "static void autocomplete_ms_file(RCore* core, RLineCompletion *completion, const char *str) {\n\tr_return_if_fail (str);\n\tchar *pipe = strchr (str, '>');\n\tchar *path = (core->rfs && *(core->rfs->cwd)) ? 
*(core->rfs->cwd): \"/\";\n\tif (pipe) {\n\t\tstr = r_str_trim_head_ro (pipe + 1);\n\t}\n\tif (str && !*str) {\n\t\tautocomplete_ms_path (completion, core, str, path);\n\t} else {\n\t\tautocomplete_ms_path (completion, core, str, str);\n\t}\n}", "project": "radare2", "hash": 29120204039032935075906214479161737642, "size": 13, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232106 }, { "func": "static inline bool kvm_is_error_hva(unsigned long addr)\n{\n\treturn addr >= PAGE_OFFSET;\n}", "project": "linux", "hash": 69606152908155956130561182891401219683, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354585 }, { "func": "static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_hardware_error *ev = (void *) skb->data;\n\n\thdev->hw_error_code = ev->code;\n\n\tqueue_work(hdev->req_workqueue, &hdev->error_reset);\n}", "project": "linux", "hash": 132162669617075979755696638340300149595, "size": 8, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. 
A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431888 }, { "func": "BOOL glyph_cache_put(rdpGlyphCache* glyphCache, UINT32 id, UINT32 index, rdpGlyph* glyph)\n{\n\trdpGlyph* prevGlyph;\n\n\tif (id > 9)\n\t{\n\t\tWLog_ERR(TAG, \"invalid glyph cache id: %\" PRIu32 \"\", id);\n\t\treturn FALSE;\n\t}\n\n\tif (index > glyphCache->glyphCache[id].number)\n\t{\n\t\tWLog_ERR(TAG, \"invalid glyph cache index: %\" PRIu32 \" in cache id: %\" PRIu32 \"\", index, id);\n\t\treturn FALSE;\n\t}\n\n\tWLog_Print(glyphCache->log, WLOG_DEBUG, \"GlyphCachePut: id: %\" PRIu32 \" index: %\" PRIu32 \"\", id,\n\t index);\n\tprevGlyph = glyphCache->glyphCache[id].entries[index];\n\n\tif (prevGlyph)\n\t\tprevGlyph->Free(glyphCache->context, prevGlyph);\n\n\tglyphCache->glyphCache[id].entries[index] = glyph;\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 73282285903996096925940375434935798209, "size": 26, "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 1, "dataset": "other", "idx": 210325 }, { "func": "BOOL glyph_cache_put(rdpGlyphCache* glyphCache, UINT32 id, UINT32 index, rdpGlyph* glyph)\n{\n\trdpGlyph* prevGlyph;\n\n\tif (id > 9)\n\t{\n\t\tWLog_ERR(TAG, \"invalid glyph cache id: %\" PRIu32 \"\", id);\n\t\treturn FALSE;\n\t}\n\n\tif (index >= glyphCache->glyphCache[id].number)\n\t{\n\t\tWLog_ERR(TAG, \"invalid glyph cache index: %\" PRIu32 \" in cache id: %\" PRIu32 \"\", index, id);\n\t\treturn 
FALSE;\n\t}\n\n\tWLog_Print(glyphCache->log, WLOG_DEBUG, \"GlyphCachePut: id: %\" PRIu32 \" index: %\" PRIu32 \"\", id,\n\t index);\n\tprevGlyph = glyphCache->glyphCache[id].entries[index];\n\n\tif (prevGlyph)\n\t\tprevGlyph->Free(glyphCache->context, prevGlyph);\n\n\tglyphCache->glyphCache[id].entries[index] = glyph;\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 206456276622603553888667254120967264481, "size": 26, "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 0, "dataset": "other", "idx": 432859 }, { "func": "apr_status_t h2_stream_prep_processing(h2_stream *stream)\n{\n if (stream->request) {\n const h2_request *r = stream->request;\n ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c,\n H2_STRM_MSG(stream, \"schedule %s %s://%s%s chunked=%d\"),\n r->method, r->scheme, r->authority, r->path, r->chunked);\n setup_input(stream);\n stream->scheduled = 1;\n return APR_SUCCESS;\n }\n return APR_EINVAL;\n}", "project": "httpd", "hash": 28298963098647301334483156649880746333, "size": 13, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284265 }, { "func": "static int follow_automount(struct path *path, struct nameidata *nd,\n\t\t\t bool *need_mntput)\n{\n\tstruct vfsmount *mnt;\n\tint err;\n\n\tif (!path->dentry->d_op || !path->dentry->d_op->d_automount)\n\t\treturn -EREMOTE;\n\n\t/* We don't want to mount if someone's just doing a stat -\n\t * unless they're stat'ing a directory and appended a '/' to\n\t * the name.\n\t *\n\t * We do, however, want to mount if someone wants to open or\n\t * create a file of any type under the mountpoint, wants to\n\t * 
traverse through the mountpoint or wants to open the\n\t * mounted directory. Also, autofs may mark negative dentries\n\t * as being automount points. These will need the attentions\n\t * of the daemon to instantiate them before they can be used.\n\t */\n\tif (!(nd->flags & (LOOKUP_PARENT | LOOKUP_DIRECTORY |\n\t\t\t LOOKUP_OPEN | LOOKUP_CREATE | LOOKUP_AUTOMOUNT)) &&\n\t path->dentry->d_inode)\n\t\treturn -EISDIR;\n\n\tnd->total_link_count++;\n\tif (nd->total_link_count >= 40)\n\t\treturn -ELOOP;\n\n\tmnt = path->dentry->d_op->d_automount(path);\n\tif (IS_ERR(mnt)) {\n\t\t/*\n\t\t * The filesystem is allowed to return -EISDIR here to indicate\n\t\t * it doesn't want to automount. For instance, autofs would do\n\t\t * this so that its userspace daemon can mount on this dentry.\n\t\t *\n\t\t * However, we can only permit this if it's a terminal point in\n\t\t * the path being looked up; if it wasn't then the remainder of\n\t\t * the path is inaccessible and we should say so.\n\t\t */\n\t\tif (PTR_ERR(mnt) == -EISDIR && (nd->flags & LOOKUP_PARENT))\n\t\t\treturn -EREMOTE;\n\t\treturn PTR_ERR(mnt);\n\t}\n\n\tif (!mnt) /* mount collision */\n\t\treturn 0;\n\n\tif (!*need_mntput) {\n\t\t/* lock_mount() may release path->mnt on error */\n\t\tmntget(path->mnt);\n\t\t*need_mntput = true;\n\t}\n\terr = finish_automount(mnt, path);\n\n\tswitch (err) {\n\tcase -EBUSY:\n\t\t/* Someone else made a mount here whilst we were busy */\n\t\treturn 0;\n\tcase 0:\n\t\tpath_put(path);\n\t\tpath->mnt = mnt;\n\t\tpath->dentry = dget(mnt->mnt_root);\n\t\treturn 0;\n\tdefault:\n\t\treturn err;\n\t}\n\n}", "project": "linux", "hash": 96287292247155341627563035389055926784, "size": 69, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular 
files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295371 }, { "func": "int unshare_fd(unsigned long unshare_flags, unsigned int max_fds,\n\t struct files_struct **new_fdp)\n{\n\tstruct files_struct *fd = current->files;\n\tint error = 0;\n\n\tif ((unshare_flags & CLONE_FILES) &&\n\t (fd && atomic_read(&fd->count) > 1)) {\n\t\t*new_fdp = dup_fd(fd, max_fds, &error);\n\t\tif (!*new_fdp)\n\t\t\treturn error;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 325863295330174924710740234765467058386, "size": 15, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293703 }, { "func": "int __attribute__((weak)) kvm_vm_ioctl_enable_cap(struct kvm *kvm,\n\t\t\t\t\t\t struct kvm_enable_cap *cap)\n{\n\treturn -EINVAL;\n}", "project": "linux", "hash": 255083166200203813889089931495130250238, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354433 }, { "func": "mysql_ssl_set(MYSQL *mysql 
__attribute__((unused)),\n const char *key __attribute__((unused)),\n const char *cert __attribute__((unused)),\n const char *ca __attribute__((unused)),\n const char *capath __attribute__((unused)),\n const char *cipher __attribute__((unused)))\n{\n#ifdef HAVE_TLS\n char enable= 1;\n return (mysql_optionsv(mysql, MYSQL_OPT_SSL_ENFORCE, &enable) |\n mysql_optionsv(mysql, MYSQL_OPT_SSL_KEY, key) |\n mysql_optionsv(mysql, MYSQL_OPT_SSL_CERT, cert) |\n mysql_optionsv(mysql, MYSQL_OPT_SSL_CA, ca) |\n mysql_optionsv(mysql, MYSQL_OPT_SSL_CAPATH, capath) |\n mysql_optionsv(mysql, MYSQL_OPT_SSL_CIPHER, cipher)) ? 1 : 0;\n#else\n return 0;\n#endif\n}", "project": "mariadb-connector-c", "hash": 43269556844178043153873153479020001807, "size": 19, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429646 }, { "func": "uchar *ma_get_hash_keyval(const uchar *hash_entry,\n unsigned int *length,\n my_bool not_used __attribute__((unused)))\n{\n /* Hash entry has the following format:\n Offset: 0 key (\\0 terminated)\n key_length + 1 value (\\0 terminated)\n */\n uchar *p= (uchar *)hash_entry;\n size_t len= strlen((char *)p);\n *length= (unsigned int)len;\n return p;\n}", "project": "mariadb-connector-c", "hash": 285865340592128005453338079525569453899, "size": 13, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429701 }, { "func": "make_cond_for_table_from_pred(THD *thd, Item *root_cond, Item *cond,\n table_map tables, table_map used_table,\n int join_tab_idx_arg,\n bool exclude_expensive_cond __attribute__\n ((unused)),\n bool retain_ref_cond,\n bool is_top_and_level)\n\n{\n table_map rand_table_bit= (table_map) RAND_TABLE_BIT;\n\n if 
(used_table && !(cond->used_tables() & used_table))\n return (COND*) 0;\t\t\t\t// Already checked\n\n if (cond->type() == Item::COND_ITEM)\n {\n if (((Item_cond*) cond)->functype() == Item_func::COND_AND_FUNC)\n {\n /* Create new top level AND item */\n Item_cond_and *new_cond=new (thd->mem_root) Item_cond_and(thd);\n if (!new_cond)\n\treturn (COND*) 0;\t\t\t// OOM /* purecov: inspected */\n List_iterator li(*((Item_cond*) cond)->argument_list());\n Item *item;\n while ((item=li++))\n {\n /*\n Special handling of top level conjuncts with RAND_TABLE_BIT:\n if such a conjunct contains a reference to a field that is not\n an outer field then it is pushed to the corresponding table by\n the same rule as all other conjuncts. Otherwise, if the conjunct\n is used in WHERE is is pushed to the last joined table, if is it\n is used in ON condition of an outer join it is pushed into the\n last inner table of the outer join. Such conjuncts are pushed in\n a call of make_cond_for_table_from_pred() with the\n parameter 'used_table' equal to PSEUDO_TABLE_BITS.\n */\n if (is_top_and_level && used_table == rand_table_bit &&\n (item->used_tables() & ~OUTER_REF_TABLE_BIT) != rand_table_bit)\n {\n /* The conjunct with RAND_TABLE_BIT has been allready pushed */\n continue;\n }\n\tItem *fix=make_cond_for_table_from_pred(thd, root_cond, item, \n tables, used_table,\n join_tab_idx_arg,\n exclude_expensive_cond,\n retain_ref_cond, false);\n\tif (fix)\n\t new_cond->argument_list()->push_back(fix, thd->mem_root);\n }\n switch (new_cond->argument_list()->elements) {\n case 0:\n\treturn (COND*) 0;\t\t\t// Always true\n case 1:\n\treturn new_cond->argument_list()->head();\n default:\n\t/*\n Call fix_fields to propagate all properties of the children to\n the new parent Item. 
This should not be expensive because all\n\t children of Item_cond_and should be fixed by now.\n\t*/\n\tif (new_cond->fix_fields(thd, 0))\n return (COND*) 0;\n\tnew_cond->used_tables_cache=\n\t ((Item_cond_and*) cond)->used_tables_cache &\n\t tables;\n\treturn new_cond;\n }\n }\n else\n {\t\t\t\t\t\t// Or list\n if (is_top_and_level && used_table == rand_table_bit &&\n (cond->used_tables() & ~OUTER_REF_TABLE_BIT) != rand_table_bit)\n {\n /* This top level formula with RAND_TABLE_BIT has been already pushed */\n return (COND*) 0;\n }\n\n Item_cond_or *new_cond=new (thd->mem_root) Item_cond_or(thd);\n if (!new_cond)\n\treturn (COND*) 0;\t\t\t// OOM /* purecov: inspected */\n List_iterator li(*((Item_cond*) cond)->argument_list());\n Item *item;\n while ((item=li++))\n {\n\tItem *fix=make_cond_for_table_from_pred(thd, root_cond, item,\n tables, 0L,\n join_tab_idx_arg,\n exclude_expensive_cond,\n retain_ref_cond, false);\n\tif (!fix)\n\t return (COND*) 0;\t\t\t// Always true\n\tnew_cond->argument_list()->push_back(fix, thd->mem_root);\n }\n /*\n Call fix_fields to propagate all properties of the children to\n the new parent Item. 
This should not be expensive because all\n children of Item_cond_and should be fixed by now.\n */\n new_cond->fix_fields(thd, 0);\n new_cond->used_tables_cache= ((Item_cond_or*) cond)->used_tables_cache;\n new_cond->top_level_item();\n return new_cond;\n }\n }\n\n if (is_top_and_level && used_table == rand_table_bit &&\n (cond->used_tables() & ~OUTER_REF_TABLE_BIT) != rand_table_bit)\n {\n /* This top level formula with RAND_TABLE_BIT has been already pushed */\n return (COND*) 0;\n }\n\n /*\n Because the following test takes a while and it can be done\n table_count times, we mark each item that we have examined with the result\n of the test\n */\n if ((cond->marker == 3 && !retain_ref_cond) ||\n (cond->used_tables() & ~tables))\n return (COND*) 0;\t\t\t\t// Can't check this yet\n\n if (cond->marker == 2 || cond->eq_cmp_result() == Item::COND_OK)\n {\n cond->set_join_tab_idx(join_tab_idx_arg);\n return cond;\t\t\t\t// Not boolean op\n }\n\n if (cond->type() == Item::FUNC_ITEM && \n ((Item_func*) cond)->functype() == Item_func::EQ_FUNC)\n {\n Item *left_item=\t((Item_func*) cond)->arguments()[0]->real_item();\n Item *right_item= ((Item_func*) cond)->arguments()[1]->real_item();\n if (left_item->type() == Item::FIELD_ITEM && !retain_ref_cond &&\n\ttest_if_ref(root_cond, (Item_field*) left_item,right_item))\n {\n cond->marker=3;\t\t\t// Checked when read\n return (COND*) 0;\n }\n if (right_item->type() == Item::FIELD_ITEM && !retain_ref_cond &&\n\ttest_if_ref(root_cond, (Item_field*) right_item,left_item))\n {\n cond->marker=3;\t\t\t// Checked when read\n return (COND*) 0;\n }\n /*\n If cond is an equality injected for split optimization then\n a. when retain_ref_cond == false : cond is removed unconditionally\n (cond that supports ref access is removed by the preceding code)\n b. 
when retain_ref_cond == true : cond is removed if it does not\n support ref access\n */\n if (left_item->type() == Item::FIELD_ITEM &&\n is_eq_cond_injected_for_split_opt((Item_func_eq *) cond) &&\n (!retain_ref_cond ||\n !test_if_ref(root_cond, (Item_field*) left_item,right_item)))\n {\n cond->marker=3;\n return (COND*) 0;\n }\n }\n cond->marker=2;\n cond->set_join_tab_idx(join_tab_idx_arg);\n return cond;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 140465055103786167633392856058140550418, "size": 166, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508439 }, { "func": "update_tmptable_sum_func(Item_sum **func_ptr,\n\t\t\t TABLE *tmp_table __attribute__((unused)))\n{\n Item_sum *func;\n while ((func= *(func_ptr++)))\n func->update_field();\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 278632434407607167728031513185420154405, "size": 7, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508538 }, { "func": "make_cond_for_table(THD *thd, Item *cond, table_map tables,\n table_map used_table,\n int join_tab_idx_arg,\n bool exclude_expensive_cond __attribute__((unused)),\n\t\t bool retain_ref_cond)\n{\n return make_cond_for_table_from_pred(thd, cond, cond, tables, used_table,\n join_tab_idx_arg,\n exclude_expensive_cond,\n retain_ref_cond, true);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 158157446389071029845361846849327157311, "size": 11, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508755 }, { "func": "static ssize_t trace_seq_to_buffer(struct trace_seq *s, void *buf, size_t cnt)\n{\n\tint len;\n\n\tif (trace_seq_used(s) <= s->seq.readpos)\n\t\treturn -EBUSY;\n\n\tlen = trace_seq_used(s) - s->seq.readpos;\n\tif (cnt > len)\n\t\tcnt = len;\n\tmemcpy(buf, s->buffer + s->seq.readpos, cnt);\n\n\ts->seq.readpos += cnt;\n\treturn cnt;\n}", "project": "linux", "hash": 97126844613096325745362791344319770921, "size": 15, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445798 }, { "func": "static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap,\n\t\t\t\tconst struct nfs4_label *label,\n\t\t\t\tconst umode_t *umask,\n\t\t\t\tconst struct nfs_server *server,\n\t\t\t\tconst uint32_t attrmask[])\n{\n\tchar owner_name[IDMAP_NAMESZ];\n\tchar owner_group[IDMAP_NAMESZ];\n\tint owner_namelen = 0;\n\tint owner_grouplen = 0;\n\t__be32 *p;\n\tuint32_t len = 0;\n\tuint32_t bmval[3] = { 0 };\n\n\t/*\n\t * We reserve enough space to write the entire attribute buffer at once.\n\t */\n\tif ((iap->ia_valid & ATTR_SIZE) && (attrmask[0] & FATTR4_WORD0_SIZE)) {\n\t\tbmval[0] |= FATTR4_WORD0_SIZE;\n\t\tlen += 8;\n\t}\n\tif (iap->ia_valid & ATTR_MODE) {\n\t\tif (umask && (attrmask[2] & FATTR4_WORD2_MODE_UMASK)) {\n\t\t\tbmval[2] |= FATTR4_WORD2_MODE_UMASK;\n\t\t\tlen += 8;\n\t\t} else if (attrmask[1] & FATTR4_WORD1_MODE) {\n\t\t\tbmval[1] |= FATTR4_WORD1_MODE;\n\t\t\tlen += 4;\n\t\t}\n\t}\n\tif ((iap->ia_valid & ATTR_UID) && (attrmask[1] & FATTR4_WORD1_OWNER)) {\n\t\towner_namelen = nfs_map_uid_to_name(server, iap->ia_uid, owner_name, IDMAP_NAMESZ);\n\t\tif (owner_namelen < 0) {\n\t\t\tdprintk(\"nfs: couldn't resolve uid %d to string\\n\",\n\t\t\t\t\tfrom_kuid(&init_user_ns, iap->ia_uid));\n\t\t\t/* XXX */\n\t\t\tstrcpy(owner_name, \"nobody\");\n\t\t\towner_namelen = sizeof(\"nobody\") - 1;\n\t\t\t/* goto out; */\n\t\t}\n\t\tbmval[1] |= FATTR4_WORD1_OWNER;\n\t\tlen += 4 + (XDR_QUADLEN(owner_namelen) << 2);\n\t}\n\tif ((iap->ia_valid & ATTR_GID) &&\n\t (attrmask[1] & FATTR4_WORD1_OWNER_GROUP)) {\n\t\towner_grouplen = 
nfs_map_gid_to_group(server, iap->ia_gid, owner_group, IDMAP_NAMESZ);\n\t\tif (owner_grouplen < 0) {\n\t\t\tdprintk(\"nfs: couldn't resolve gid %d to string\\n\",\n\t\t\t\t\tfrom_kgid(&init_user_ns, iap->ia_gid));\n\t\t\tstrcpy(owner_group, \"nobody\");\n\t\t\towner_grouplen = sizeof(\"nobody\") - 1;\n\t\t\t/* goto out; */\n\t\t}\n\t\tbmval[1] |= FATTR4_WORD1_OWNER_GROUP;\n\t\tlen += 4 + (XDR_QUADLEN(owner_grouplen) << 2);\n\t}\n\tif (attrmask[1] & FATTR4_WORD1_TIME_ACCESS_SET) {\n\t\tif (iap->ia_valid & ATTR_ATIME_SET) {\n\t\t\tbmval[1] |= FATTR4_WORD1_TIME_ACCESS_SET;\n\t\t\tlen += 4 + (nfstime4_maxsz << 2);\n\t\t} else if (iap->ia_valid & ATTR_ATIME) {\n\t\t\tbmval[1] |= FATTR4_WORD1_TIME_ACCESS_SET;\n\t\t\tlen += 4;\n\t\t}\n\t}\n\tif (attrmask[1] & FATTR4_WORD1_TIME_MODIFY_SET) {\n\t\tif (iap->ia_valid & ATTR_MTIME_SET) {\n\t\t\tbmval[1] |= FATTR4_WORD1_TIME_MODIFY_SET;\n\t\t\tlen += 4 + (nfstime4_maxsz << 2);\n\t\t} else if (iap->ia_valid & ATTR_MTIME) {\n\t\t\tbmval[1] |= FATTR4_WORD1_TIME_MODIFY_SET;\n\t\t\tlen += 4;\n\t\t}\n\t}\n\n\tif (label && (attrmask[2] & FATTR4_WORD2_SECURITY_LABEL)) {\n\t\tlen += 4 + 4 + 4 + (XDR_QUADLEN(label->len) << 2);\n\t\tbmval[2] |= FATTR4_WORD2_SECURITY_LABEL;\n\t}\n\n\txdr_encode_bitmap4(xdr, bmval, ARRAY_SIZE(bmval));\n\txdr_stream_encode_opaque_inline(xdr, (void **)&p, len);\n\n\tif (bmval[0] & FATTR4_WORD0_SIZE)\n\t\tp = xdr_encode_hyper(p, iap->ia_size);\n\tif (bmval[1] & FATTR4_WORD1_MODE)\n\t\t*p++ = cpu_to_be32(iap->ia_mode & S_IALLUGO);\n\tif (bmval[1] & FATTR4_WORD1_OWNER)\n\t\tp = xdr_encode_opaque(p, owner_name, owner_namelen);\n\tif (bmval[1] & FATTR4_WORD1_OWNER_GROUP)\n\t\tp = xdr_encode_opaque(p, owner_group, owner_grouplen);\n\tif (bmval[1] & FATTR4_WORD1_TIME_ACCESS_SET) {\n\t\tif (iap->ia_valid & ATTR_ATIME_SET) {\n\t\t\t*p++ = cpu_to_be32(NFS4_SET_TO_CLIENT_TIME);\n\t\t\tp = xdr_encode_nfstime4(p, &iap->ia_atime);\n\t\t} else\n\t\t\t*p++ = cpu_to_be32(NFS4_SET_TO_SERVER_TIME);\n\t}\n\tif (bmval[1] & 
FATTR4_WORD1_TIME_MODIFY_SET) {\n\t\tif (iap->ia_valid & ATTR_MTIME_SET) {\n\t\t\t*p++ = cpu_to_be32(NFS4_SET_TO_CLIENT_TIME);\n\t\t\tp = xdr_encode_nfstime4(p, &iap->ia_mtime);\n\t\t} else\n\t\t\t*p++ = cpu_to_be32(NFS4_SET_TO_SERVER_TIME);\n\t}\n\tif (label && (bmval[2] & FATTR4_WORD2_SECURITY_LABEL)) {\n\t\t*p++ = cpu_to_be32(label->lfs);\n\t\t*p++ = cpu_to_be32(label->pi);\n\t\t*p++ = cpu_to_be32(label->len);\n\t\tp = xdr_encode_opaque_fixed(p, label->label, label->len);\n\t}\n\tif (bmval[2] & FATTR4_WORD2_MODE_UMASK) {\n\t\t*p++ = cpu_to_be32(iap->ia_mode & S_IALLUGO);\n\t\t*p++ = cpu_to_be32(*umask);\n\t}\n\n/* out: */\n}", "project": "linux", "hash": 152764999571234600069583287924884281982, "size": 118, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431570 }, { "func": "static bool checkreturn decode_basic_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *field)\n{\n switch (PB_LTYPE(field->type))\n {\n case PB_LTYPE_BOOL:\n if (wire_type != PB_WT_VARINT && wire_type != PB_WT_PACKED)\n PB_RETURN_ERROR(stream, \"wrong wire type\");\n\n return pb_dec_bool(stream, field);\n\n case PB_LTYPE_VARINT:\n case PB_LTYPE_UVARINT:\n case PB_LTYPE_SVARINT:\n if (wire_type != PB_WT_VARINT && wire_type != PB_WT_PACKED)\n PB_RETURN_ERROR(stream, \"wrong wire type\");\n\n return pb_dec_varint(stream, field);\n\n case PB_LTYPE_FIXED32:\n if (wire_type != PB_WT_32BIT && wire_type != PB_WT_PACKED)\n PB_RETURN_ERROR(stream, \"wrong wire type\");\n\n return pb_decode_fixed32(stream, field->pData);\n\n case PB_LTYPE_FIXED64:\n if 
(wire_type != PB_WT_64BIT && wire_type != PB_WT_PACKED)\n PB_RETURN_ERROR(stream, \"wrong wire type\");\n\n#ifdef PB_CONVERT_DOUBLE_FLOAT\n if (field->data_size == sizeof(float))\n {\n return pb_decode_double_as_float(stream, (float*)field->pData);\n }\n#endif\n\n#ifdef PB_WITHOUT_64BIT\n PB_RETURN_ERROR(stream, \"invalid data_size\");\n#else\n return pb_decode_fixed64(stream, field->pData);\n#endif\n\n case PB_LTYPE_BYTES:\n if (wire_type != PB_WT_STRING)\n PB_RETURN_ERROR(stream, \"wrong wire type\");\n\n return pb_dec_bytes(stream, field);\n\n case PB_LTYPE_STRING:\n if (wire_type != PB_WT_STRING)\n PB_RETURN_ERROR(stream, \"wrong wire type\");\n\n return pb_dec_string(stream, field);\n\n case PB_LTYPE_SUBMESSAGE:\n case PB_LTYPE_SUBMSG_W_CB:\n if (wire_type != PB_WT_STRING)\n PB_RETURN_ERROR(stream, \"wrong wire type\");\n\n return pb_dec_submessage(stream, field);\n\n case PB_LTYPE_FIXED_LENGTH_BYTES:\n if (wire_type != PB_WT_STRING)\n PB_RETURN_ERROR(stream, \"wrong wire type\");\n\n return pb_dec_fixed_length_bytes(stream, field);\n\n default:\n PB_RETURN_ERROR(stream, \"invalid field type\");\n }\n}", "project": "nanopb", "hash": 215221688130728931789501284781330492450, "size": 70, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. 
Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254704 }, { "func": "static int get_next_eof(FILE *fp)\n{\n int match, c;\n const char buf[] = \"%%EOF\";\n\n match = 0;\n while ((c = fgetc(fp)) != EOF)\n {\n if (c == buf[match])\n ++match;\n else\n match = 0;\n\n if (match == 5) /* strlen(\"%%EOF\") */\n return ftell(fp) - 5;\n }\n\n return -1;\n}", "project": "pdfresurrect", "hash": 125338062766821934452937689459187834105, "size": 19, "commit_id": "7e35d1806e111fd28610ccc86bb33f54792ac370", "message": "Fix possible infinite loop case when looking for a trailer.\n\nThanks to chibataiki for reporting and isolating this!", "target": 0, "dataset": "other", "idx": 355605 }, { "func": " bool xml_end(const char *el) override {\n if (!el)\n return false;\n\n location_constraint = get_data();\n\n return true;\n }", "project": "ceph", "hash": 251951571057446994477505730861106160439, "size": 8, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281321 }, { "func": "static int rlp_calculate_number_length(uint32_t number) {\n if (number <= 0x7f) {\n return 1;\n } else if (number <= 0xff) {\n return 2;\n } else if (number <= 0xffff) {\n return 3;\n } else if (number <= 0xffffff) {\n return 4;\n } else {\n return 5;\n }\n}", "project": "keepkey-firmware", "hash": 239238958703910344989551740558627891799, "size": 13, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220880 }, { "func": " bool null_inside()\n { return result_type() == ROW_RESULT ? 
orig_item->null_inside() : 0; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 260739373514755315328376860019313867231, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509108 }, { "func": "\nstatic bool idling_boosts_thr_without_issues(struct bfq_data *bfqd,\n\t\t\t\t\t struct bfq_queue *bfqq)\n{\n\tbool rot_without_queueing =\n\t\t!blk_queue_nonrot(bfqd->queue) && !bfqd->hw_tag,\n\t\tbfqq_sequential_and_IO_bound,\n\t\tidling_boosts_thr;\n\n\t/* No point in idling for bfqq if it won't get requests any longer */\n\tif (unlikely(!bfqq_process_refs(bfqq)))\n\t\treturn false;\n\n\tbfqq_sequential_and_IO_bound = !BFQQ_SEEKY(bfqq) &&\n\t\tbfq_bfqq_IO_bound(bfqq) && bfq_bfqq_has_short_ttime(bfqq);\n\n\t/*\n\t * The next variable takes into account the cases where idling\n\t * boosts the throughput.\n\t *\n\t * The value of the variable is computed considering, first, that\n\t * idling is virtually always beneficial for the throughput if:\n\t * (a) the device is not NCQ-capable and rotational, 
or\n\t * (b) regardless of the presence of NCQ, the device is rotational and\n\t * the request pattern for bfqq is I/O-bound and sequential, or\n\t * (c) regardless of whether it is rotational, the device is\n\t * not NCQ-capable and the request pattern for bfqq is\n\t * I/O-bound and sequential.\n\t *\n\t * Secondly, and in contrast to the above item (b), idling an\n\t * NCQ-capable flash-based device would not boost the\n\t * throughput even with sequential I/O; rather it would lower\n\t * the throughput in proportion to how fast the device\n\t * is. Accordingly, the next variable is true if any of the\n\t * above conditions (a), (b) or (c) is true, and, in\n\t * particular, happens to be false if bfqd is an NCQ-capable\n\t * flash-based device.\n\t */\n\tidling_boosts_thr = rot_without_queueing ||\n\t\t((!blk_queue_nonrot(bfqd->queue) || !bfqd->hw_tag) &&\n\t\t bfqq_sequential_and_IO_bound);\n\n\t/*\n\t * The return value of this function is equal to that of\n\t * idling_boosts_thr, unless a special case holds. In this\n\t * special case, described below, idling may cause problems to\n\t * weight-raised queues.\n\t *\n\t * When the request pool is saturated (e.g., in the presence\n\t * of write hogs), if the processes associated with\n\t * non-weight-raised queues ask for requests at a lower rate,\n\t * then processes associated with weight-raised queues have a\n\t * higher probability to get a request from the pool\n\t * immediately (or at least soon) when they need one. Thus\n\t * they have a higher probability to actually get a fraction\n\t * of the device throughput proportional to their high\n\t * weight. This is especially true with NCQ-capable drives,\n\t * which enqueue several requests in advance, and further\n\t * reorder internally-queued requests.\n\t *\n\t * For this reason, we force to false the return value if\n\t * there are weight-raised busy queues. 
In this case, and if\n\t * bfqq is not weight-raised, this guarantees that the device\n\t * is not idled for bfqq (if, instead, bfqq is weight-raised,\n\t * then idling will be guaranteed by another variable, see\n\t * below). Combined with the timestamping rules of BFQ (see\n\t * [1] for details), this behavior causes bfqq, and hence any\n\t * sync non-weight-raised queue, to get a lower number of\n\t * requests served, and thus to ask for a lower number of\n\t * requests from the request pool, before the busy\n\t * weight-raised queues get served again. This often mitigates\n\t * starvation problems in the presence of heavy write\n\t * workloads and NCQ, thereby guaranteeing a higher\n\t * application and system responsiveness in these hostile\n\t * scenarios.\n\t */\n\treturn idling_boosts_thr &&\n\t\tbfqd->wr_busy_queues == 0;", "project": "linux", "hash": 174636819163564927758447481428948902059, "size": 78, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453407 }, { "func": "static OPJ_UINT32 opj_j2k_get_max_coc_size(opj_j2k_t *p_j2k)\n{\n OPJ_UINT32 i, j;\n OPJ_UINT32 l_nb_comp;\n OPJ_UINT32 l_nb_tiles;\n OPJ_UINT32 l_max = 0;\n\n /* preconditions */\n\n l_nb_tiles = p_j2k->m_cp.tw * p_j2k->m_cp.th ;\n l_nb_comp = p_j2k->m_private_image->numcomps;\n\n for (i = 0; i < l_nb_tiles; ++i) {\n for (j = 0; j < l_nb_comp; ++j) {\n l_max = opj_uint_max(l_max, opj_j2k_get_SPCod_SPCoc_size(p_j2k, i, j));\n }\n }\n\n return 6 + l_max;\n}", "project": "openjpeg", "hash": 261104016426903573343122693373227869514, "size": 20, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357438 }, { "func": "Status GraphConstructor::InitFromEdges() {\n const int num_nodes = 
node_def_count();\n pending_count_.reserve(num_nodes);\n outputs_.resize(num_nodes);\n gtl::FlatSet next_iteration_nodes;\n for (int n = 0; n < node_def_count(); ++n) {\n const NodeDef& node_def = get_node_def(n);\n if (IsNextIteration(node_def)) {\n next_iteration_nodes.insert(node_def.name());\n }\n }\n\n // Parse the inputs for each node.\n for (int n = 0; n < num_nodes; ++n) {\n const NodeDef& node_def = get_node_def(n);\n int pending_count = node_def.input_size();\n if (IsMerge(node_def)) {\n // Cycles in the graph are only allowed for while loops. A while loop is\n // identified by an edge from a NextIteration node to a Merge node. For\n // such Merge nodes, only wait for one non-control input before\n // considering the node ready to process in Convert().\n int32 num_control_edges = 0;\n bool has_loop_back_edge = false;\n for (int i = 0; i < node_def.input_size(); ++i) {\n StringPiece input_name(node_def.input(i));\n if (absl::StartsWith(input_name, \"^\")) {\n num_control_edges++;\n } else {\n TensorId id(ParseTensorName(input_name));\n if (next_iteration_nodes.find(string(id.first)) !=\n next_iteration_nodes.end()) {\n has_loop_back_edge = true;\n }\n }\n }\n if (has_loop_back_edge) {\n pending_count = num_control_edges + 1;\n }\n }\n for (int i = 0; i < node_def.input_size(); ++i) {\n StringPiece input_name = node_def.input(i);\n TensorId id(ParseTensorName(input_name));\n if (opts_.input_map.count(id) == 0) {\n // If an input is not mapped, then the input should appear in the graph\n // being imported.\n auto iter = gdef_nodes_.find(id.first);\n if (iter == gdef_nodes_.end()) {\n return errors::InvalidArgument(\"Node '\", node_def.name(),\n \"': Unknown input node '\",\n node_def.input(i), \"'\");\n }\n outputs_[iter->second.gdef_index].push_back(n);\n } else {\n // This input is mapped to an existing edge. 
Therefore this input is\n // as good as being already processed.\n --pending_count;\n DCHECK_GE(pending_count, 0);\n }\n }\n if (pending_count == 0) {\n ready_.insert(n);\n }\n pending_count_.push_back(pending_count);\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 87941996683428271324502204861411441748, "size": 66, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268356 }, { "func": "static u8 tdme_setsfr_request_sync(\n\tu8 sfr_page,\n\tu8 sfr_address,\n\tu8 sfr_value,\n\tvoid *device_ref\n)\n{\n\tint ret;\n\tstruct mac_message command, response;\n\tstruct spi_device *spi = device_ref;\n\n\tcommand.command_id = SPI_TDME_SETSFR_REQUEST;\n\tcommand.length = 3;\n\tcommand.pdata.tdme_set_sfr_req.sfr_page = sfr_page;\n\tcommand.pdata.tdme_set_sfr_req.sfr_address = sfr_address;\n\tcommand.pdata.tdme_set_sfr_req.sfr_value = sfr_value;\n\tresponse.command_id = SPI_IDLE;\n\tret = cascoda_api_downstream(\n\t\t&command.command_id,\n\t\tcommand.length + 2,\n\t\t&response.command_id,\n\t\tdevice_ref\n\t);\n\tif (ret) {\n\t\tdev_crit(&spi->dev, \"cascoda_api_downstream returned %d\", ret);\n\t\treturn MAC_SYSTEM_ERROR;\n\t}\n\n\tif (response.command_id != SPI_TDME_SETSFR_CONFIRM) 
{\n\t\tdev_crit(\n\t\t\t&spi->dev,\n\t\t\t\"sync response to SPI_TDME_SETSFR_REQUEST was not SPI_TDME_SETSFR_CONFIRM, it was %d\\n\",\n\t\t\tresponse.command_id\n\t\t);\n\t\treturn MAC_SYSTEM_ERROR;\n\t}\n\n\treturn response.pdata.tdme_set_sfr_cnf.status;\n}", "project": "linux", "hash": 141689765972636671139840916925556428853, "size": 39, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408775 }, { "func": "blosc2_context* blosc2_create_cctx(blosc2_cparams cparams) {\n blosc2_context* context = (blosc2_context*)my_malloc(sizeof(blosc2_context));\n\n /* Populate the context, using zeros as default values */\n memset(context, 0, sizeof(blosc2_context));\n context->do_compress = 1; /* meant for compression */\n context->compcode = cparams.compcode;\n context->clevel = cparams.clevel;\n context->use_dict = cparams.use_dict;\n context->typesize = cparams.typesize;\n for (int i = 0; i < BLOSC2_MAX_FILTERS; i++) {\n context->filters[i] = cparams.filters[i];\n context->filters_meta[i] = cparams.filters_meta[i];\n }\n context->nthreads = cparams.nthreads;\n context->new_nthreads = context->nthreads;\n context->blocksize = cparams.blocksize;\n context->threads_started = 0;\n context->schunk = cparams.schunk;\n\n if (cparams.prefilter != NULL) {\n context->prefilter = cparams.prefilter;\n context->pparams = (blosc2_prefilter_params*)my_malloc(sizeof(blosc2_prefilter_params));\n memcpy(context->pparams, cparams.pparams, sizeof(blosc2_prefilter_params));\n }\n\n return context;\n}", "project": "c-blosc2", "hash": 
339539519930346573194334671651708909689, "size": 28, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303103 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void ecall_filter(uint8_t *condition, size_t condition_length,\n uint8_t *input_rows, size_t input_rows_length,\n uint8_t **output_rows, size_t *output_rows_length) {\n // Guard against operating on arbitrary enclave memory\n assert(sgx_is_outside_enclave(input_rows, input_rows_length) == 1);\n sgx_lfence();\n\n try {\n filter(condition, condition_length,\n input_rows, input_rows_length,\n output_rows, output_rows_length);\n } catch (const std::runtime_error &e) {\n ocall_throw(e.what());\n }\n}", "idx": 519061, "cwe": "CWE-787", "hash": 174103564612522887634394868772755389787, "dataset": "other" }, { "func": "static void nfs41_release_slot(struct nfs4_slot *slot)\n{\n\tstruct nfs4_session *session;\n\tstruct nfs4_slot_table *tbl;\n\tbool send_new_highest_used_slotid = false;\n\n\tif (!slot)\n\t\treturn;\n\ttbl = slot->table;\n\tsession = tbl->session;\n\n\t/* Bump the slot sequence number */\n\tif (slot->seq_done)\n\t\tslot->seq_nr++;\n\tslot->seq_done = 0;\n\n\tspin_lock(&tbl->slot_tbl_lock);\n\t/* Be nice to the server: try to ensure that the last transmitted\n\t * value for highest_user_slotid <= target_highest_slotid\n\t */\n\tif (tbl->highest_used_slotid > tbl->target_highest_slotid)\n\t\tsend_new_highest_used_slotid = true;\n\n\tif (nfs41_wake_and_assign_slot(tbl, slot)) {\n\t\tsend_new_highest_used_slotid = false;\n\t\tgoto out_unlock;\n\t}\n\tnfs4_free_slot(tbl, slot);\n\n\tif (tbl->highest_used_slotid != NFS4_NO_SLOT)\n\t\tsend_new_highest_used_slotid = false;\nout_unlock:\n\tspin_unlock(&tbl->slot_tbl_lock);\n\tif (send_new_highest_used_slotid)\n\t\tnfs41_notify_server(session->clp);\n\tif 
(waitqueue_active(&tbl->slot_waitq))\n\t\twake_up_all(&tbl->slot_waitq);\n}", "project": "linux", "hash": 317295284521912548443155369148929440111, "size": 38, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431087 }, { "func": "static int fuse_mkdir(struct inode *dir, struct dentry *entry, umode_t mode)\n{\n\tstruct fuse_mkdir_in inarg;\n\tstruct fuse_mount *fm = get_fuse_mount(dir);\n\tFUSE_ARGS(args);\n\n\tif (!fm->fc->dont_mask)\n\t\tmode &= ~current_umask();\n\n\tmemset(&inarg, 0, sizeof(inarg));\n\tinarg.mode = mode;\n\tinarg.umask = current_umask();\n\targs.opcode = FUSE_MKDIR;\n\targs.in_numargs = 2;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\targs.in_args[1].size = entry->d_name.len + 1;\n\targs.in_args[1].value = entry->d_name.name;\n\treturn create_new_entry(fm, &args, dir, entry, S_IFDIR);\n}", "project": "linux", "hash": 93861066328747322903123566245084279709, "size": 20, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342066 }, { "func": "static apr_byte_t oidc_handle_browser_back(request_rec *r, const char *r_state,\n\t\toidc_session_t *session) {\n\n\t/* see if we have an existing session and browser-back was used */\n\tconst char *s_state = NULL, *o_url = NULL;\n\n\tif (session->remote_user != NULL) {\n\n\t\ts_state = oidc_session_get_request_state(r, session);\n\t\to_url = oidc_session_get_original_url(r, session);\n\n\t\tif ((r_state != NULL) && (s_state != NULL)\n\t\t\t\t&& (apr_strnatcmp(r_state, s_state) == 0)) {\n\n\t\t\t/* log the browser back event detection */\n\t\t\toidc_warn(r,\n\t\t\t\t\t\"browser back detected, redirecting to original URL: %s\",\n\t\t\t\t\to_url);\n\n\t\t\t/* go back to the URL that he originally tried to access */\n\t\t\toidc_util_hdr_out_location_set(r, o_url);\n\n\t\t\treturn TRUE;\n\t\t}\n\t}\n\n\treturn FALSE;\n}", "project": "mod_auth_openidc", "hash": 265685986237428261047558490777047785320, "size": 28, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381971 }, { "func": "static int fuse_perm_getattr(struct inode *inode, int mask)\n{\n\tif 
(mask & MAY_NOT_BLOCK)\n\t\treturn -ECHILD;\n\n\tforget_all_cached_acls(inode);\n\treturn fuse_do_getattr(inode, NULL, NULL);\n}", "project": "linux", "hash": 257497613598718802129957941320958101725, "size": 8, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342094 }, { "func": "\nstatic unsigned int bfq_wr_duration(struct bfq_data *bfqd)\n{\n\tu64 dur;\n\n\tif (bfqd->bfq_wr_max_time > 0)\n\t\treturn bfqd->bfq_wr_max_time;\n\n\tdur = bfqd->rate_dur_prod;\n\tdo_div(dur, bfqd->peak_rate);\n\n\t/*\n\t * Limit duration between 3 and 25 seconds. 
The upper limit\n\t * has been conservatively set after the following worst case:\n\t * on a QEMU/KVM virtual machine\n\t * - running in a slow PC\n\t * - with a virtual disk stacked on a slow low-end 5400rpm HDD\n\t * - serving a heavy I/O workload, such as the sequential reading\n\t * of several files\n\t * mplayer took 23 seconds to start, if constantly weight-raised.\n\t *\n\t * As for higher values than that accommodating the above bad\n\t * scenario, tests show that higher values would often yield\n\t * the opposite of the desired result, i.e., would worsen\n\t * responsiveness by allowing non-interactive applications to\n\t * preserve weight raising for too long.\n\t *\n\t * On the other end, lower values than 3 seconds make it\n\t * difficult for most interactive tasks to complete their jobs\n\t * before weight-raising finishes.\n\t */\n\treturn clamp_val(dur, msecs_to_jiffies(3000), msecs_to_jiffies(25000));", "project": "linux", "hash": 207520965061436129272170039102321063005, "size": 32, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453406 }, { "func": "static inline void bs(struct vc_data *vc)\n{\n\tif (vc->vc_x) {\n\t\tvc->vc_pos -= 2;\n\t\tvc->vc_x--;\n\t\tvc->vc_need_wrap = 0;\n\t\tnotify_write(vc, '\\b');\n\t}\n}", "project": "linux", "hash": 182198539474660599590102774466104447501, "size": 9, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. 
A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: 
syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437082 }, { "func": " static inline int GetSliceShape(const int slice_index, const int split_size,\n const int residual) {\n DCHECK_GT(split_size, 0);\n DCHECK_GE(slice_index, 0);\n if (residual == 0) return split_size;\n if (slice_index < residual) {\n return split_size + 1;\n } else {\n return split_size;\n }\n }", "project": "tensorflow", "hash": 328740743439105118636967783740263437639, "size": 11, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277032 }, { "func": "static void hci_user_confirm_request_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_user_confirm_req *ev = (void *) skb->data;\n\tint loc_mitm, rem_mitm, confirm_hint = 0;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\thci_dev_lock(hdev);\n\n\tif (!hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tgoto unlock;\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);\n\tif (!conn)\n\t\tgoto unlock;\n\n\tloc_mitm = (conn->auth_type & 0x01);\n\trem_mitm = (conn->remote_auth & 0x01);\n\n\t/* If we require MITM but the remote device can't provide that\n\t * (it has NoInputNoOutput) then reject the confirmation\n\t * request. 
We check the security level here since it doesn't\n\t * necessarily match conn->auth_type.\n\t */\n\tif (conn->pending_sec_level > BT_SECURITY_MEDIUM &&\n\t conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {\n\t\tBT_DBG(\"Rejecting request: remote device can't provide MITM\");\n\t\thci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,\n\t\t\t sizeof(ev->bdaddr), &ev->bdaddr);\n\t\tgoto unlock;\n\t}\n\n\t/* If no side requires MITM protection; auto-accept */\n\tif ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&\n\t (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {\n\n\t\t/* If we're not the initiators request authorization to\n\t\t * proceed from user space (mgmt_user_confirm with\n\t\t * confirm_hint set to 1). The exception is if neither\n\t\t * side had MITM or if the local IO capability is\n\t\t * NoInputNoOutput, in which case we do auto-accept\n\t\t */\n\t\tif (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&\n\t\t conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&\n\t\t (loc_mitm || rem_mitm)) {\n\t\t\tBT_DBG(\"Confirming auto-accept as acceptor\");\n\t\t\tconfirm_hint = 1;\n\t\t\tgoto confirm;\n\t\t}\n\n\t\t/* If there already exists link key in local host, leave the\n\t\t * decision to user space since the remote device could be\n\t\t * legitimate or malicious.\n\t\t */\n\t\tif (hci_find_link_key(hdev, &ev->bdaddr)) {\n\t\t\tbt_dev_dbg(hdev, \"Local host already has link key\");\n\t\t\tconfirm_hint = 1;\n\t\t\tgoto confirm;\n\t\t}\n\n\t\tBT_DBG(\"Auto-accept of user confirmation with %ums delay\",\n\t\t hdev->auto_accept_delay);\n\n\t\tif (hdev->auto_accept_delay > 0) {\n\t\t\tint delay = msecs_to_jiffies(hdev->auto_accept_delay);\n\t\t\tqueue_delayed_work(conn->hdev->workqueue,\n\t\t\t\t\t &conn->auto_accept_work, delay);\n\t\t\tgoto unlock;\n\t\t}\n\n\t\thci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,\n\t\t\t sizeof(ev->bdaddr), &ev->bdaddr);\n\t\tgoto unlock;\n\t}\n\nconfirm:\n\tmgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 
0,\n\t\t\t\t le32_to_cpu(ev->passkey), confirm_hint);\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 287831433631904544498440890680179239384, "size": 84, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431999 }, { "func": "CHANNELINDEX CSoundFile::GetNNAChannel(CHANNELINDEX nChn) const\n{\n\tconst ModChannel *pChn = &m_PlayState.Chn[nChn];\n\n\t// Check for empty channel\n\tconst ModChannel *pi = &m_PlayState.Chn[m_nChannels];\n\tfor (CHANNELINDEX i = m_nChannels; i < MAX_CHANNELS; i++, pi++) if (!pi->nLength) return i;\n\tif (!pChn->nFadeOutVol) return 0;\n\n\t// All channels are used: check for lowest volume\n\tCHANNELINDEX result = 0;\n\tuint32 vol = (1u << (14 + 9)) / 4u;\t// 25%\n\tuint32 envpos = uint32_max;\n\tconst ModChannel *pj = &m_PlayState.Chn[m_nChannels];\n\tfor (CHANNELINDEX j = m_nChannels; j < MAX_CHANNELS; j++, pj++)\n\t{\n\t\tif (!pj->nFadeOutVol) return j;\n\t\t// Use a combination of real volume [14 bit] (which includes volume envelopes, but also potentially global volume) and note volume [9 bit].\n\t\t// Rationale: We need volume envelopes in case e.g. all NNA channels are playing at full volume but are looping on a 0-volume envelope node.\n\t\t// But if global volume is not applied to master and the global volume temporarily drops to 0, we would kill arbitrary channels. 
Hence, add the note volume as well.\n\t\tuint32 v = (pj->nRealVolume << 9) | pj->nVolume;\n\t\tif(pj->dwFlags[CHN_LOOP]) v >>= 1;\n\t\tif ((v < vol) || ((v == vol) && (pj->VolEnv.nEnvPosition > envpos)))\n\t\t{\n\t\t\tenvpos = pj->VolEnv.nEnvPosition;\n\t\t\tvol = v;\n\t\t\tresult = j;\n\t\t}\n\t}\n\treturn result;\n}", "project": "openmpt", "hash": 228301237525150765332797052517824274725, "size": 31, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255179 }, { "func": " int dims() const { return shape_.size(); }", "project": "tensorflow", "hash": 73761426776873903377697239337692578414, "size": 1, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277009 }, { "func": "delay_cpio_set_stat (struct cpio_file_stat *file_stat,\n\t\t mode_t invert_permissions)\n{\n size_t file_name_len = strlen (file_stat->c_name);\n struct delayed_set_stat *data =\n xmalloc (sizeof (struct delayed_set_stat) + file_name_len + 1);\n data->next = delayed_set_stat_head;\n memcpy (&data->stat, file_stat, sizeof data->stat);\n data->stat.c_name = (char*) (data + 1);\n strcpy (data->stat.c_name, file_stat->c_name);\n data->invert_permissions = invert_permissions;\n delayed_set_stat_head = data;\n}", "target": 0, "cwe": [ "CWE-190" ], "project": "cpio", "commit_id": "dd96882877721703e19272fe25034560b794061b", "hash": 81670323380595031687043491286410294833, "size": 13, "message": "Rewrite dynamic string support.\n\n* src/dstring.c (ds_init): 
Take a single argument.\n(ds_free): New function.\n(ds_resize): Take a single argument. Use x2nrealloc to expand\nthe storage.\n(ds_reset,ds_append,ds_concat,ds_endswith): New function.\n(ds_fgetstr): Rewrite. In particular, this fixes integer overflow.\n* src/dstring.h (dynamic_string): Keep both the allocated length\n(ds_size) and index of the next free byte in the string (ds_idx).\n(ds_init,ds_resize): Change signature.\n(ds_len): New macro.\n(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.\n* src/copyin.c: Use new ds_ functions.\n* src/copyout.c: Likewise.\n* src/copypass.c: Likewise.\n* src/util.c: Likewise.", "dataset": "other", "idx": 499682 }, { "func": "static ssize_t tty_write(struct file *file, const char __user *buf,\n\t\t\t\t\t\tsize_t count, loff_t *ppos)\n{\n\tstruct tty_struct *tty = file_tty(file);\n \tstruct tty_ldisc *ld;\n\tssize_t ret;\n\n\tif (tty_paranoia_check(tty, file_inode(file), \"tty_write\"))\n\t\treturn -EIO;\n\tif (!tty || !tty->ops->write ||\ttty_io_error(tty))\n\t\t\treturn -EIO;\n\t/* Short term debug to catch buggy drivers */\n\tif (tty->ops->write_room == NULL)\n\t\ttty_err(tty, \"missing write_room method\\n\");\n\tld = tty_ldisc_ref_wait(tty);\n\tif (!ld)\n\t\treturn hung_up_tty_write(file, buf, count, ppos);\n\tif (!ld->ops->write)\n\t\tret = -EIO;\n\telse\n\t\tret = do_tty_write(ld->ops->write, tty, file, buf, count);\n\ttty_ldisc_deref(ld);\n\treturn ret;\n}", "project": "linux", "hash": 36517924548391823166339854063710497098, "size": 24, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis 
broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325953 }, { "func": "static int task_switch_interception(struct vcpu_svm *svm)\n{\n\tu16 tss_selector;\n\tint reason;\n\tint int_type = svm->vmcb->control.exit_int_info &\n\t\tSVM_EXITINTINFO_TYPE_MASK;\n\tint int_vec = svm->vmcb->control.exit_int_info & SVM_EVTINJ_VEC_MASK;\n\tuint32_t type =\n\t\tsvm->vmcb->control.exit_int_info & SVM_EXITINTINFO_TYPE_MASK;\n\tuint32_t idt_v =\n\t\tsvm->vmcb->control.exit_int_info & SVM_EXITINTINFO_VALID;\n\tbool has_error_code = false;\n\tu32 error_code = 0;\n\n\ttss_selector = (u16)svm->vmcb->control.exit_info_1;\n\n\tif (svm->vmcb->control.exit_info_2 &\n\t (1ULL << SVM_EXITINFOSHIFT_TS_REASON_IRET))\n\t\treason = TASK_SWITCH_IRET;\n\telse if (svm->vmcb->control.exit_info_2 &\n\t\t (1ULL << SVM_EXITINFOSHIFT_TS_REASON_JMP))\n\t\treason = TASK_SWITCH_JMP;\n\telse if (idt_v)\n\t\treason = 
TASK_SWITCH_GATE;\n\telse\n\t\treason = TASK_SWITCH_CALL;\n\n\tif (reason == TASK_SWITCH_GATE) {\n\t\tswitch (type) {\n\t\tcase SVM_EXITINTINFO_TYPE_NMI:\n\t\t\tsvm->vcpu.arch.nmi_injected = false;\n\t\t\tbreak;\n\t\tcase SVM_EXITINTINFO_TYPE_EXEPT:\n\t\t\tif (svm->vmcb->control.exit_info_2 &\n\t\t\t (1ULL << SVM_EXITINFOSHIFT_TS_HAS_ERROR_CODE)) {\n\t\t\t\thas_error_code = true;\n\t\t\t\terror_code =\n\t\t\t\t\t(u32)svm->vmcb->control.exit_info_2;\n\t\t\t}\n\t\t\tkvm_clear_exception_queue(&svm->vcpu);\n\t\t\tbreak;\n\t\tcase SVM_EXITINTINFO_TYPE_INTR:\n\t\t\tkvm_clear_interrupt_queue(&svm->vcpu);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (reason != TASK_SWITCH_GATE ||\n\t int_type == SVM_EXITINTINFO_TYPE_SOFT ||\n\t (int_type == SVM_EXITINTINFO_TYPE_EXEPT &&\n\t (int_vec == OF_VECTOR || int_vec == BP_VECTOR))) {\n\t\tif (!skip_emulated_instruction(&svm->vcpu))\n\t\t\treturn 0;\n\t}\n\n\tif (int_type != SVM_EXITINTINFO_TYPE_SOFT)\n\t\tint_vec = -1;\n\n\treturn kvm_task_switch(&svm->vcpu, tss_selector, int_vec, reason,\n\t\t\t has_error_code, error_code);\n}", "project": "linux", "hash": 33927038673742256379160150199079702142, "size": 63, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432646 }, { "func": "static int task_switch_interception(struct vcpu_svm *svm)\n{\n\tu16 tss_selector;\n\tint reason;\n\tint int_type = svm->vmcb->control.exit_int_info &\n\t\tSVM_EXITINTINFO_TYPE_MASK;\n\tint int_vec = svm->vmcb->control.exit_int_info & SVM_EVTINJ_VEC_MASK;\n\tuint32_t type =\n\t\tsvm->vmcb->control.exit_int_info & SVM_EXITINTINFO_TYPE_MASK;\n\tuint32_t idt_v =\n\t\tsvm->vmcb->control.exit_int_info & SVM_EXITINTINFO_VALID;\n\tbool has_error_code = false;\n\tu32 error_code = 0;\n\n\ttss_selector = (u16)svm->vmcb->control.exit_info_1;\n\n\tif (svm->vmcb->control.exit_info_2 &\n\t (1ULL << SVM_EXITINFOSHIFT_TS_REASON_IRET))\n\t\treason = TASK_SWITCH_IRET;\n\telse if (svm->vmcb->control.exit_info_2 &\n\t\t (1ULL << SVM_EXITINFOSHIFT_TS_REASON_JMP))\n\t\treason = TASK_SWITCH_JMP;\n\telse if (idt_v)\n\t\treason = TASK_SWITCH_GATE;\n\telse\n\t\treason = TASK_SWITCH_CALL;\n\n\tif (reason == TASK_SWITCH_GATE) {\n\t\tswitch (type) {\n\t\tcase SVM_EXITINTINFO_TYPE_NMI:\n\t\t\tsvm->vcpu.arch.nmi_injected = false;\n\t\t\tbreak;\n\t\tcase SVM_EXITINTINFO_TYPE_EXEPT:\n\t\t\tif (svm->vmcb->control.exit_info_2 &\n\t\t\t (1ULL << SVM_EXITINFOSHIFT_TS_HAS_ERROR_CODE)) {\n\t\t\t\thas_error_code = true;\n\t\t\t\terror_code =\n\t\t\t\t\t(u32)svm->vmcb->control.exit_info_2;\n\t\t\t}\n\t\t\tkvm_clear_exception_queue(&svm->vcpu);\n\t\t\tbreak;\n\t\tcase SVM_EXITINTINFO_TYPE_INTR:\n\t\t\tkvm_clear_interrupt_queue(&svm->vcpu);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (reason != TASK_SWITCH_GATE ||\n\t int_type == SVM_EXITINTINFO_TYPE_SOFT ||\n\t (int_type == SVM_EXITINTINFO_TYPE_EXEPT &&\n\t (int_vec == OF_VECTOR || int_vec == BP_VECTOR)))\n\t\tskip_emulated_instruction(&svm->vcpu);\n\n\tif (int_type != 
SVM_EXITINTINFO_TYPE_SOFT)\n\t\tint_vec = -1;\n\n\tif (kvm_task_switch(&svm->vcpu, tss_selector, int_vec, reason,\n\t\t\t\thas_error_code, error_code) == EMULATE_FAIL) {\n\t\tsvm->vcpu.run->exit_reason = KVM_EXIT_INTERNAL_ERROR;\n\t\tsvm->vcpu.run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;\n\t\tsvm->vcpu.run->internal.ndata = 0;\n\t\treturn 0;\n\t}\n\treturn 1;\n}", "project": "kvm", "hash": 326449878057302190424660942942188297276, "size": 67, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437565 }, { "func": " void set_result_field(Field *field_arg) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 209737497012759020622965091467224429550, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509185 }, { "func": "void CServer::GenerateServerInfo(CPacker *pPacker, int Token)\n{\n\t// count the players\n\tint PlayerCount = 0, ClientCount = 0;\n\tfor(int i = 0; i < MAX_CLIENTS; i++)\n\t{\n\t\tif(m_aClients[i].m_State != CClient::STATE_EMPTY)\n\t\t{\n\t\t\tif(GameServer()->IsClientPlayer(i))\n\t\t\t\tPlayerCount++;\n\n\t\t\tClientCount++;\n\t\t}\n\t}\n\n\tif(Token != -1)\n\t{\n\t\tpPacker->Reset();\n\t\tpPacker->AddRaw(SERVERBROWSE_INFO, sizeof(SERVERBROWSE_INFO));\n\t\tpPacker->AddInt(Token);\n\t}\n\n\tpPacker->AddString(GameServer()->Version(), 32);\n\tpPacker->AddString(Config()->m_SvName, 64);\n\tpPacker->AddString(Config()->m_SvHostname, 128);\n\tpPacker->AddString(GetMapName(), 32);\n\n\t// gametype\n\tpPacker->AddString(GameServer()->GameType(), 16);\n\n\t// flags\n\tint Flags = 0;\n\tif(Config()->m_Password[0]) // password set\n\t\tFlags |= SERVERINFO_FLAG_PASSWORD;\n\tif(GameServer()->TimeScore())\n\t\tFlags |= SERVERINFO_FLAG_TIMESCORE;\n\tpPacker->AddInt(Flags);\n\n\tpPacker->AddInt(Config()->m_SvSkillLevel);\t// server skill level\n\tpPacker->AddInt(PlayerCount); // num players\n\tpPacker->AddInt(Config()->m_SvPlayerSlots); // max players\n\tpPacker->AddInt(ClientCount); // num clients\n\tpPacker->AddInt(max(ClientCount, Config()->m_SvMaxClients)); // max clients\n\n\tif(Token != -1)\n\t{\n\t\tfor(int i = 0; i < MAX_CLIENTS; i++)\n\t\t{\n\t\t\tif(m_aClients[i].m_State != CClient::STATE_EMPTY)\n\t\t\t{\n\t\t\t\tpPacker->AddString(ClientName(i), MAX_NAME_LENGTH); // client name\n\t\t\t\tpPacker->AddString(ClientClan(i), MAX_CLAN_LENGTH); // client clan\n\t\t\t\tpPacker->AddInt(m_aClients[i].m_Country); // client country\n\t\t\t\tpPacker->AddInt(m_aClients[i].m_Score); // client score\n\t\t\t\tpPacker->AddInt(GameServer()->IsClientPlayer(i)?0:1); // flag spectator=1, bot=2 
(player=0)\n\t\t\t}\n\t\t}\n\t}\n}", "project": "teeworlds", "hash": 186563948073145747043296321760689057078, "size": 59, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382009 }, { "func": " Item_uint(THD *thd, ulonglong i): Item_int(thd, i, 10) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 113561084813007914580648402364289798821, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509017 }, { "func": "int kvm_arch_vcpu_ioctl_set_guest_debug(struct kvm_vcpu *vcpu,\n\t\t\t\t\tstruct kvm_guest_debug *dbg)\n{\n\tint rc = 0;\n\n\tvcpu_load(vcpu);\n\n\tvcpu->guest_debug = 0;\n\tkvm_s390_clear_bp_data(vcpu);\n\n\tif (dbg->control & ~VALID_GUESTDBG_FLAGS) {\n\t\trc = -EINVAL;\n\t\tgoto out;\n\t}\n\tif (!sclp.has_gpere) {\n\t\trc = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tif (dbg->control & KVM_GUESTDBG_ENABLE) {\n\t\tvcpu->guest_debug = dbg->control;\n\t\t/* enforce guest PER */\n\t\tkvm_s390_set_cpuflags(vcpu, CPUSTAT_P);\n\n\t\tif (dbg->control & KVM_GUESTDBG_USE_HW_BP)\n\t\t\trc = kvm_s390_import_bp_data(vcpu, dbg);\n\t} else {\n\t\tkvm_s390_clear_cpuflags(vcpu, CPUSTAT_P);\n\t\tvcpu->arch.guestdbg.last_bp = 0;\n\t}\n\n\tif (rc) {\n\t\tvcpu->guest_debug = 0;\n\t\tkvm_s390_clear_bp_data(vcpu);\n\t\tkvm_s390_clear_cpuflags(vcpu, CPUSTAT_P);\n\t}\n\nout:\n\tvcpu_put(vcpu);\n\treturn rc;\n}", "project": "linux", "hash": 222586295836565218234523152091524437840, "size": 41, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354637 }, { "func": "static void set_preempt_timeout(struct intel_engine_cs *engine)\n{\n\tif 
(!intel_engine_has_preempt_reset(engine))\n\t\treturn;\n\n\tset_timer_ms(&engine->execlists.preempt,\n\t\t active_preempt_timeout(engine));\n}", "project": "linux", "hash": 109468050045683867693815692166714766569, "size": 8, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281433 }, { "func": "static void complicated_callback(struct urb *urb)\n{\n\tstruct transfer_context\t*ctx = urb->context;\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&ctx->lock, flags);\n\tctx->count--;\n\n\tctx->packet_count += urb->number_of_packets;\n\tif (urb->error_count > 0)\n\t\tctx->errors += urb->error_count;\n\telse if (urb->status != 0)\n\t\tctx->errors += (ctx->is_iso ? 
urb->number_of_packets : 1);\n\telse if (urb->actual_length != urb->transfer_buffer_length)\n\t\tctx->errors++;\n\telse if (check_guard_bytes(ctx->dev, urb) != 0)\n\t\tctx->errors++;\n\n\tif (urb->status == 0 && ctx->count > (ctx->pending - 1)\n\t\t\t&& !ctx->submit_error) {\n\t\tint status = usb_submit_urb(urb, GFP_ATOMIC);\n\t\tswitch (status) {\n\t\tcase 0:\n\t\t\tgoto done;\n\t\tdefault:\n\t\t\tdev_err(&ctx->dev->intf->dev,\n\t\t\t\t\t\"resubmit err %d\\n\",\n\t\t\t\t\tstatus);\n\t\t\t/* FALLTHROUGH */\n\t\tcase -ENODEV:\t\t\t/* disconnected */\n\t\tcase -ESHUTDOWN:\t\t/* endpoint disabled */\n\t\t\tctx->submit_error = 1;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tctx->pending--;\n\tif (ctx->pending == 0) {\n\t\tif (ctx->errors)\n\t\t\tdev_err(&ctx->dev->intf->dev,\n\t\t\t\t\"during the test, %lu errors out of %lu\\n\",\n\t\t\t\tctx->errors, ctx->packet_count);\n\t\tcomplete(&ctx->done);\n\t}\ndone:\n\tspin_unlock_irqrestore(&ctx->lock, flags);\n}", "project": "linux", "hash": 1753540045121271739736515015407113493, "size": 47, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n 
[<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412260 }, { "func": "static int get_php_tiff_bytes_per_format(int format) {\n int size = sizeof(php_tiff_bytes_per_format)/sizeof(int);\n if (format >= size) {\n raise_warning(\"Invalid format %d\", format);\n format = 0;\n }\n return php_tiff_bytes_per_format[format];\n}", "project": "hhvm", "hash": 266991690940082949837074463930916099211, "size": 8, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219434 }, { "func": "static int read_consume_bits(struct rar5* rar, const uint8_t* p, int n,\n int* value)\n{\n\tuint16_t v;\n\tint ret, 
num;\n\n\tif(n == 0 || n > 16) {\n\t\t/* This is a programmer error and should never happen\n\t\t * in runtime. */\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tret = read_bits_16(rar, p, &v);\n\tif(ret != ARCHIVE_OK)\n\t\treturn ret;\n\n\tnum = (int) v;\n\tnum >>= 16 - n;\n\n\tskip_bits(rar, n);\n\n\tif(value)\n\t\t*value = num;\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 254266707566038726402866984695949014388, "size": 26, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244717 }, { "func": "static inline int event2keytype(int event)\n{\n\tswitch (event) {\n\tcase XFRM_MSG_DELSA:\n\t\treturn SADB_DELETE;\n\tcase XFRM_MSG_NEWSA:\n\t\treturn SADB_ADD;\n\tcase XFRM_MSG_UPDSA:\n\t\treturn SADB_UPDATE;\n\tcase XFRM_MSG_EXPIRE:\n\t\treturn SADB_EXPIRE;\n\tdefault:\n\t\tpr_err(\"pfkey: Unknown SA event %d\\n\", event);\n\t\tbreak;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 208345547332190974928256590384585687967, "size": 18, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls 
compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268062 }, { "func": "int kvm_set_memory_region(struct kvm *kvm,\n\t\t\t const struct kvm_userspace_memory_region *mem)\n{\n\tint r;\n\n\tmutex_lock(&kvm->slots_lock);\n\tr = __kvm_set_memory_region(kvm, mem);\n\tmutex_unlock(&kvm->slots_lock);\n\treturn r;\n}", "project": "linux", "hash": 205405659243273048287633697893663761085, "size": 10, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354414 }, { "func": "static inline void input_wakeup_procfs_readers(void)\n{\n\tinput_devices_state++;\n\twake_up(&input_devices_poll_wait);\n}", "project": "linux", "hash": 55776020386205557958655665214416192757, "size": 5, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's 
keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353340 }, { "func": "static inline void input_wakeup_procfs_readers(void) { }", "project": "linux", "hash": 138071598997720272979437025202633293984, "size": 1, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353371 }, { "func": "long kvm_arch_vm_ioctl(struct file *filp,\n\t\t unsigned int ioctl, unsigned long arg)\n{\n\tstruct kvm *kvm = filp->private_data;\n\tvoid __user *argp = (void __user *)arg;\n\tstruct kvm_device_attr attr;\n\tint r;\n\n\tswitch (ioctl) {\n\tcase KVM_S390_INTERRUPT: {\n\t\tstruct kvm_s390_interrupt s390int;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&s390int, argp, sizeof(s390int)))\n\t\t\tbreak;\n\t\tr = kvm_s390_inject_vm(kvm, &s390int);\n\t\tbreak;\n\t}\n\tcase KVM_CREATE_IRQCHIP: {\n\t\tstruct kvm_irq_routing_entry routing;\n\n\t\tr = -EINVAL;\n\t\tif (kvm->arch.use_irqchip) {\n\t\t\t/* Set up dummy routing. 
*/\n\t\t\tmemset(&routing, 0, sizeof(routing));\n\t\t\tr = kvm_set_irq_routing(kvm, &routing, 0, 0);\n\t\t}\n\t\tbreak;\n\t}\n\tcase KVM_SET_DEVICE_ATTR: {\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&attr, (void __user *)arg, sizeof(attr)))\n\t\t\tbreak;\n\t\tr = kvm_s390_vm_set_attr(kvm, &attr);\n\t\tbreak;\n\t}\n\tcase KVM_GET_DEVICE_ATTR: {\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&attr, (void __user *)arg, sizeof(attr)))\n\t\t\tbreak;\n\t\tr = kvm_s390_vm_get_attr(kvm, &attr);\n\t\tbreak;\n\t}\n\tcase KVM_HAS_DEVICE_ATTR: {\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&attr, (void __user *)arg, sizeof(attr)))\n\t\t\tbreak;\n\t\tr = kvm_s390_vm_has_attr(kvm, &attr);\n\t\tbreak;\n\t}\n\tcase KVM_S390_GET_SKEYS: {\n\t\tstruct kvm_s390_skeys args;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&args, argp,\n\t\t\t\t sizeof(struct kvm_s390_skeys)))\n\t\t\tbreak;\n\t\tr = kvm_s390_get_skeys(kvm, &args);\n\t\tbreak;\n\t}\n\tcase KVM_S390_SET_SKEYS: {\n\t\tstruct kvm_s390_skeys args;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&args, argp,\n\t\t\t\t sizeof(struct kvm_s390_skeys)))\n\t\t\tbreak;\n\t\tr = kvm_s390_set_skeys(kvm, &args);\n\t\tbreak;\n\t}\n\tcase KVM_S390_GET_CMMA_BITS: {\n\t\tstruct kvm_s390_cmma_log args;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&args, argp, sizeof(args)))\n\t\t\tbreak;\n\t\tmutex_lock(&kvm->slots_lock);\n\t\tr = kvm_s390_get_cmma_bits(kvm, &args);\n\t\tmutex_unlock(&kvm->slots_lock);\n\t\tif (!r) {\n\t\t\tr = copy_to_user(argp, &args, sizeof(args));\n\t\t\tif (r)\n\t\t\t\tr = -EFAULT;\n\t\t}\n\t\tbreak;\n\t}\n\tcase KVM_S390_SET_CMMA_BITS: {\n\t\tstruct kvm_s390_cmma_log args;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&args, argp, sizeof(args)))\n\t\t\tbreak;\n\t\tmutex_lock(&kvm->slots_lock);\n\t\tr = kvm_s390_set_cmma_bits(kvm, &args);\n\t\tmutex_unlock(&kvm->slots_lock);\n\t\tbreak;\n\t}\n\tcase KVM_S390_PV_COMMAND: {\n\t\tstruct kvm_pv_cmd args;\n\n\t\t/* protvirt means user sigp */\n\t\tkvm->arch.user_cpu_state_ctrl = 1;\n\t\tr = 
0;\n\t\tif (!is_prot_virt_host()) {\n\t\t\tr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\t\tif (copy_from_user(&args, argp, sizeof(args))) {\n\t\t\tr = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\tif (args.flags) {\n\t\t\tr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\t\tmutex_lock(&kvm->lock);\n\t\tr = kvm_s390_handle_pv(kvm, &args);\n\t\tmutex_unlock(&kvm->lock);\n\t\tif (copy_to_user(argp, &args, sizeof(args))) {\n\t\t\tr = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\t}\n\tdefault:\n\t\tr = -ENOTTY;\n\t}\n\n\treturn r;\n}", "project": "linux", "hash": 11306033882466288039448030085855717198, "size": 130, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354511 }, { "func": "static u8 update_white_list(struct hci_request *req)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tstruct hci_conn_params *params;\n\tstruct bdaddr_list *b;\n\tu8 num_entries = 0;\n\tbool pend_conn, pend_report;\n\t/* We allow whitelisting even with RPAs in suspend. In the worst case,\n\t * we won't be able to wake from devices that use the privacy1.2\n\t * features. 
Additionally, once we support privacy1.2 and IRK\n\t * offloading, we can update this to also check for those conditions.\n\t */\n\tbool allow_rpa = hdev->suspended;\n\n\t/* Go through the current white list programmed into the\n\t * controller one by one and check if that address is still\n\t * in the list of pending connections or list of devices to\n\t * report. If not present in either list, then queue the\n\t * command to remove it from the controller.\n\t */\n\tlist_for_each_entry(b, &hdev->le_white_list, list) {\n\t\tpend_conn = hci_pend_le_action_lookup(&hdev->pend_le_conns,\n\t\t\t\t\t\t &b->bdaddr,\n\t\t\t\t\t\t b->bdaddr_type);\n\t\tpend_report = hci_pend_le_action_lookup(&hdev->pend_le_reports,\n\t\t\t\t\t\t\t&b->bdaddr,\n\t\t\t\t\t\t\tb->bdaddr_type);\n\n\t\t/* If the device is not likely to connect or report,\n\t\t * remove it from the whitelist.\n\t\t */\n\t\tif (!pend_conn && !pend_report) {\n\t\t\tdel_from_white_list(req, &b->bdaddr, b->bdaddr_type);\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* White list can not be used with RPAs */\n\t\tif (!allow_rpa &&\n\t\t !hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY) &&\n\t\t hci_find_irk_by_addr(hdev, &b->bdaddr, b->bdaddr_type)) {\n\t\t\treturn 0x00;\n\t\t}\n\n\t\tnum_entries++;\n\t}\n\n\t/* Since all no longer valid white list entries have been\n\t * removed, walk through the list of pending connections\n\t * and ensure that any new device gets programmed into\n\t * the controller.\n\t *\n\t * If the list of the devices is larger than the list of\n\t * available white list entries in the controller, then\n\t * just abort and return filer policy value to not use the\n\t * white list.\n\t */\n\tlist_for_each_entry(params, &hdev->pend_le_conns, action) {\n\t\tif (add_to_white_list(req, params, &num_entries, allow_rpa))\n\t\t\treturn 0x00;\n\t}\n\n\t/* After adding all new pending connections, walk through\n\t * the list of pending reports and also add these to the\n\t * white list if there is still space. 
Abort if space runs out.\n\t */\n\tlist_for_each_entry(params, &hdev->pend_le_reports, action) {\n\t\tif (add_to_white_list(req, params, &num_entries, allow_rpa))\n\t\t\treturn 0x00;\n\t}\n\n\t/* Use the allowlist unless the following conditions are all true:\n\t * - We are not currently suspending\n\t * - There are 1 or more ADV monitors registered and it's not offloaded\n\t * - Interleaved scanning is not currently using the allowlist\n\t */\n\tif (!idr_is_empty(&hdev->adv_monitors_idr) && !hdev->suspended &&\n\t hci_get_adv_monitor_offload_ext(hdev) == HCI_ADV_MONITOR_EXT_NONE &&\n\t hdev->interleave_scan_state != INTERLEAVE_SCAN_ALLOWLIST)\n\t\treturn 0x00;\n\n\t/* Select filter policy to use white list */\n\treturn 0x01;\n}", "project": "linux", "hash": 229764722639183915322277921944930820604, "size": 83, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402563 }, { "func": "static int fuse_setlk(struct file *file, struct file_lock *fl, int flock)\n{\n\tstruct inode *inode = file_inode(file);\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tFUSE_ARGS(args);\n\tstruct fuse_lk_in inarg;\n\tint opcode = (fl->fl_flags & FL_SLEEP) ? 
FUSE_SETLKW : FUSE_SETLK;\n\tstruct pid *pid = fl->fl_type != F_UNLCK ? task_tgid(current) : NULL;\n\tpid_t pid_nr = pid_nr_ns(pid, fm->fc->pid_ns);\n\tint err;\n\n\tif (fl->fl_lmops && fl->fl_lmops->lm_grant) {\n\t\t/* NLM needs asynchronous locks, which we don't support yet */\n\t\treturn -ENOLCK;\n\t}\n\n\t/* Unlock on close is handled by the flush method */\n\tif ((fl->fl_flags & FL_CLOSE_POSIX) == FL_CLOSE_POSIX)\n\t\treturn 0;\n\n\tfuse_lk_fill(&args, file, fl, opcode, pid_nr, flock, &inarg);\n\terr = fuse_simple_request(fm, &args);\n\n\t/* locking is restartable */\n\tif (err == -EINTR)\n\t\terr = -ERESTARTSYS;\n\n\treturn err;\n}", "project": "linux", "hash": 226781634857367631612744904013387136577, "size": 29, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342116 }, { "func": "static void test_ftrace_alive(struct seq_file *m)\n{\n\tif (!ftrace_is_dead())\n\t\treturn;\n\tseq_puts(m, \"# WARNING: FUNCTION TRACING IS CORRUPTED\\n\"\n\t\t \"# MAY BE MISSING FUNCTION EVENTS\\n\");\n}", "project": "linux", "hash": 328865182034485996917421034148420902093, "size": 7, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445535 }, { "func": "UnicodeStringTest::TestNameSpace() {\n // Provoke name collision unless the UnicodeString macros properly\n // qualify the icu::UnicodeString class.\n using namespace bogus;\n\n // Use all UnicodeString macros from unistr.h.\n icu::UnicodeString s1=icu::UnicodeString(\"abc\", 3, US_INV);\n icu::UnicodeString s2=UNICODE_STRING(\"def\", 3);\n icu::UnicodeString s3=UNICODE_STRING_SIMPLE(\"ghi\");\n\n // Make sure the compiler does not optimize away instantiation of s1, s2, s3.\n icu::UnicodeString s4=s1+s2+s3;\n if(s4.length()!=9) {\n errln(\"Something wrong with 
UnicodeString::operator+().\");\n }\n}", "project": "icu", "hash": 101809439219988685169116033815131008918, "size": 16, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430747 }, { "func": "static apr_byte_t oidc_set_app_claims(request_rec *r, const oidc_cfg *const cfg,\n\t\toidc_session_t *session, const char *s_claims) {\n\n\tjson_t *j_claims = NULL;\n\n\t/* decode the string-encoded attributes in to a JSON structure */\n\tif (s_claims != NULL) {\n\t\tif (oidc_util_decode_json_object(r, s_claims, &j_claims) == FALSE)\n\t\t\treturn FALSE;\n\t}\n\n\t/* set the resolved claims a HTTP headers for the application */\n\tif (j_claims != NULL) {\n\t\toidc_util_set_app_infos(r, j_claims, oidc_cfg_claim_prefix(r),\n\t\t\t\tcfg->claim_delimiter, oidc_cfg_dir_pass_info_in_headers(r),\n\t\t\t\toidc_cfg_dir_pass_info_in_envvars(r),\n\t\t\t\toidc_cfg_dir_pass_info_base64url(r));\n\n\t\t/* release resources */\n\t\tjson_decref(j_claims);\n\t}\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 83318982250174158256485802372077002304, "size": 24, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381949 }, { "func": "static apr_byte_t oidc_set_app_claims(request_rec *r,\n\t\tconst oidc_cfg * const cfg, oidc_session_t *session,\n\t\tconst char *s_claims) {\n\n\tjson_t *j_claims = NULL;\n\n\t/* decode the string-encoded attributes in to a JSON structure */\n\tif (s_claims != NULL) {\n\t\tif (oidc_util_decode_json_object(r, s_claims, &j_claims) == FALSE)\n\t\t\treturn FALSE;\n\t}\n\n\t/* set the resolved claims a HTTP headers for the application */\n\tif (j_claims != NULL) {\n\t\toidc_util_set_app_infos(r, j_claims, 
oidc_cfg_claim_prefix(r),\n\t\t\t\tcfg->claim_delimiter, oidc_cfg_dir_pass_info_in_headers(r),\n\t\t\t\toidc_cfg_dir_pass_info_in_envvars(r));\n\n\t\t/* release resources */\n\t\tjson_decref(j_claims);\n\t}\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 183099768971927827128593467855153926380, "size": 24, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447696 }, { "func": "static inline void __init check_numabalancing_enable(void)\n{\n}", "project": "linux", "hash": 283952581792305478996891965353284606545, "size": 3, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366749 }, { "func": "static void __init check_numabalancing_enable(void)\n{\n\tbool numabalancing_default = false;\n\n\tif (IS_ENABLED(CONFIG_NUMA_BALANCING_DEFAULT_ENABLED))\n\t\tnumabalancing_default = true;\n\n\t/* Parsed by setup_numabalancing. 
override == 1 enables, -1 disables */\n\tif (numabalancing_override)\n\t\tset_numabalancing_state(numabalancing_override == 1);\n\n\tif (num_online_nodes() > 1 && !numabalancing_override) {\n\t\tpr_info(\"%s automatic NUMA balancing. Configure with numa_balancing= or the kernel.numa_balancing sysctl\\n\",\n\t\t\tnumabalancing_default ? \"Enabling\" : \"Disabling\");\n\t\tset_numabalancing_state(numabalancing_default);\n\t}\n}", "project": "linux", "hash": 4733188371919145353098159184970653370, "size": 17, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366791 }, { "func": "static void fuse_sb_defaults(struct super_block *sb)\n{\n\tsb->s_magic = FUSE_SUPER_MAGIC;\n\tsb->s_op = &fuse_super_operations;\n\tsb->s_xattr = fuse_xattr_handlers;\n\tsb->s_maxbytes = MAX_LFS_FILESIZE;\n\tsb->s_time_gran = 1;\n\tsb->s_export_op = &fuse_export_operations;\n\tsb->s_iflags |= SB_I_IMA_UNVERIFIABLE_SIGNATURE;\n\tif (sb->s_user_ns != &init_user_ns)\n\t\tsb->s_iflags |= SB_I_UNTRUSTED_MOUNTER;\n\tsb->s_flags &= ~(SB_NOSEC | SB_I_VERSION);\n\n\t/*\n\t * 
If we are not in the initial user namespace posix\n\t * acls must be translated.\n\t */\n\tif (sb->s_user_ns != &init_user_ns)\n\t\tsb->s_xattr = fuse_no_acl_xattr_handlers;\n}", "project": "linux", "hash": 298668561959292799880461664926421312985, "size": 20, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341973 }, { "func": "static int io_sendmsg_prep_async(struct io_kiocb *req)\n{\n\tint ret;\n\n\tret = io_sendmsg_copy_hdr(req, req->async_data);\n\tif (!ret)\n\t\treq->flags |= REQ_F_NEED_CLEANUP;\n\treturn ret;\n}", "project": "linux", "hash": 52563757301562477909550539561971177394, "size": 9, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338585 }, { "func": "inline void xdr_commit_encode(struct xdr_stream *xdr)\n{\n\tint shift = xdr->scratch.iov_len;\n\tvoid *page;\n\n\tif (shift == 0)\n\t\treturn;\n\tpage = page_address(*xdr->page_ptr);\n\tmemcpy(xdr->scratch.iov_base, page, shift);\n\tmemmove(page, page + shift, (void *)xdr->p - page);\n\txdr_reset_scratch_buffer(xdr);\n}", "project": "linux", "hash": 231189338788174560264731694350492331468, "size": 12, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481047 }, { "func": "rpmTagVal headerNextTag(HeaderIterator hi)\n{\n indexEntry entry = nextIndex(hi);\n return entry ? 
entry->info.tag : RPMTAG_NOT_FOUND;\n}", "project": "rpm", "hash": 149636414336300320572145640530329169871, "size": 5, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318177 }, { "func": "static void fuse_send_destroy(struct fuse_mount *fm)\n{\n\tif (fm->fc->conn_init) {\n\t\tFUSE_ARGS(args);\n\n\t\targs.opcode = FUSE_DESTROY;\n\t\targs.force = true;\n\t\targs.nocreds = true;\n\t\tfuse_simple_request(fm, &args);\n\t}\n}", "project": "linux", "hash": 14269804179806168771798704842010284339, "size": 11, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341981 }, { "func": "static inline struct page *kvm_vcpu_gpa_to_page(struct kvm_vcpu *vcpu,\n\t\t\t\t\t\tgpa_t gpa)\n{\n\treturn kvm_vcpu_gfn_to_page(vcpu, gpa_to_gfn(gpa));\n}", "project": "linux", "hash": 10407794208080437035322420756817305432, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354454 }, { "func": "static inline int tcp_may_undo(const struct tcp_sock *tp)\n{\n\treturn tp->undo_marker && (!tp->undo_retrans || tcp_packet_delayed(tp));\n}", "project": "net-next", "hash": 250926681211986066431195874902653714767, "size": 4, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409855 }, { "func": "JOIN::optimize_distinct()\n{\n for (JOIN_TAB *last_join_tab= join_tab + top_join_tab_count - 1; ;)\n {\n if (select_lex->select_list_tables & last_join_tab->table->map ||\n last_join_tab->use_join_cache)\n break;\n last_join_tab->shortcut_for_distinct= true;\n if (last_join_tab == join_tab)\n break;\n --last_join_tab;\n }\n\n /* Optimize \"select distinct b from t1 order by key_part_1 limit #\" */\n if (order && skip_sort_order)\n {\n /* Should already have been optimized away */\n DBUG_ASSERT(ordered_index_usage == ordered_index_order_by);\n if (ordered_index_usage == ordered_index_order_by)\n {\n order= NULL;\n }\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 273645282141844970919217312442316540377, "size": 24, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508512 }, { "func": "void disassociate_ctty(int on_exit)\n{\n\tstruct tty_struct *tty;\n\n\tif (!current->signal->leader)\n\t\treturn;\n\n\ttty = get_current_tty();\n\tif (tty) {\n\t\tif (on_exit && tty->driver->type != TTY_DRIVER_TYPE_PTY) {\n\t\t\ttty_vhangup_session(tty);\n\t\t} else {\n\t\t\tstruct pid *tty_pgrp = tty_get_pgrp(tty);\n\t\t\tif (tty_pgrp) {\n\t\t\t\tkill_pgrp(tty_pgrp, SIGHUP, on_exit);\n\t\t\t\tif (!on_exit)\n\t\t\t\t\tkill_pgrp(tty_pgrp, SIGCONT, on_exit);\n\t\t\t\tput_pid(tty_pgrp);\n\t\t\t}\n\t\t}\n\t\ttty_kref_put(tty);\n\n\t} else if (on_exit) {\n\t\tstruct pid *old_pgrp;\n\t\tspin_lock_irq(¤t->sighand->siglock);\n\t\told_pgrp = current->signal->tty_old_pgrp;\n\t\tcurrent->signal->tty_old_pgrp = NULL;\n\t\tspin_unlock_irq(¤t->sighand->siglock);\n\t\tif (old_pgrp) {\n\t\t\tkill_pgrp(old_pgrp, SIGHUP, on_exit);\n\t\t\tkill_pgrp(old_pgrp, SIGCONT, on_exit);\n\t\t\tput_pid(old_pgrp);\n\t\t}\n\t\treturn;\n\t}\n\n\tspin_lock_irq(¤t->sighand->siglock);\n\tput_pid(current->signal->tty_old_pgrp);\n\tcurrent->signal->tty_old_pgrp = NULL;\n\ttty = tty_kref_get(current->signal->tty);\n\tspin_unlock_irq(¤t->sighand->siglock);\n\n\tif (tty) {\n\t\tunsigned long flags;\n\n\t\ttty_lock(tty);\n\t\tspin_lock_irqsave(&tty->ctrl_lock, flags);\n\t\tput_pid(tty->session);\n\t\tput_pid(tty->pgrp);\n\t\ttty->session = NULL;\n\t\ttty->pgrp = NULL;\n\t\tspin_unlock_irqrestore(&tty->ctrl_lock, flags);\n\t\ttty_unlock(tty);\n\t\ttty_kref_put(tty);\n\t}\n\n\t/* Now clear signal->tty under the lock */\n\tread_lock(&tasklist_lock);\n\tsession_clear_tty(task_session(current));\n\tread_unlock(&tasklist_lock);\n}", "project": "linux", "hash": 87999751649603576135443280938140384080, "size": 61, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": 
"tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325967 }, { "func": "show_transport_handle(struct device *dev, struct device_attribute *attr,\n\t\t char *buf)\n{\n\tstruct iscsi_internal *priv = dev_to_iscsi_internal(dev);\n\treturn sprintf(buf, \"%llu\\n\", (unsigned long long)iscsi_handle(priv->iscsi_transport));\n}", "project": "linux", "hash": 66310775771726253268071559706488050603, "size": 6, "commit_id": "688e8128b7a92df982709a4137ea4588d16f24aa", "message": "scsi: iscsi: 
Restrict sessions and handles to admin capabilities\n\nProtect the iSCSI transport handle, available in sysfs, by requiring\nCAP_SYS_ADMIN to read it. Also protect the netlink socket by restricting\nreception of messages to ones sent with CAP_SYS_ADMIN. This disables\nnormal users from being able to end arbitrary iSCSI sessions.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Chris Leech \nReviewed-by: Mike Christie \nSigned-off-by: Lee Duncan \nSigned-off-by: Martin K. Petersen ", "target": 1, "dataset": "other", "idx": 211869 }, { "func": "tcltklib_compile_info(void)\n{\n volatile VALUE ret;\n size_t size;\n static CONST char form[]\n = \"tcltklib %s :: Ruby%s (%s) %s pthread :: Tcl%s(%s)/Tk%s(%s) %s\";\n char *info;\n\n size = strlen(form)\n + strlen(TCLTKLIB_RELEASE_DATE)\n + strlen(RUBY_VERSION)\n + strlen(RUBY_RELEASE_DATE)\n + strlen(\"without\")\n + strlen(TCL_PATCH_LEVEL)\n + strlen(\"without stub\")\n + strlen(TK_PATCH_LEVEL)\n + strlen(\"without stub\")\n + strlen(\"unknown tcl_threads\");\n\n info = ALLOC_N(char, size);\n /* info = ckalloc(sizeof(char) * size); */ /* SEGV */\n\n sprintf(info, form,\n TCLTKLIB_RELEASE_DATE,\n RUBY_VERSION, RUBY_RELEASE_DATE,\n#ifdef HAVE_NATIVETHREAD\n \"with\",\n#else\n \"without\",\n#endif\n TCL_PATCH_LEVEL,\n#ifdef USE_TCL_STUBS\n \"with stub\",\n#else\n \"without stub\",\n#endif\n TK_PATCH_LEVEL,\n#ifdef USE_TK_STUBS\n \"with stub\",\n#else\n \"without stub\",\n#endif\n#ifdef WITH_TCL_ENABLE_THREAD\n# if WITH_TCL_ENABLE_THREAD\n \"with tcl_threads\"\n# else\n \"without tcl_threads\"\n# endif\n#else\n \"unknown tcl_threads\"\n#endif\n );\n\n ret = rb_obj_freeze(rb_str_new2(info));\n\n xfree(info);\n /* ckfree(info); */\n\n return ret;\n}", "project": "tk", "hash": 80407040752560616418227878032829551851, "size": 60, "commit_id": "ebd0fc80d62eeb7b8556522256f8d035e013eb65", "message": "tcltklib.c: check argument\n\n* ext/tk/tcltklib.c (ip_cancel_eval_core): check argument type and\n 
length.\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51468 b2dd03c8-39d4-4d8f-98ff-823fe69b080e", "target": 0, "dataset": "other", "idx": 432848 }, { "func": "TEST_P(JSITest, JSErrorTest) {\n // JSError creation can lead to further errors. Make sure these\n // cases are handled and don't cause weird crashes or other issues.\n //\n // Getting message property can throw\n\n EXPECT_THROW(\n eval(\"var GetMessageThrows = {get message() { throw Error('ex'); }};\"\n \"throw GetMessageThrows;\"),\n JSIException);\n\n EXPECT_THROW(\n eval(\"var GetMessageThrows = {get message() { throw GetMessageThrows; }};\"\n \"throw GetMessageThrows;\"),\n JSIException);\n\n // Converting exception message to String can throw\n\n EXPECT_THROW(\n eval(\n \"Object.defineProperty(\"\n \" globalThis, 'String', {configurable:true, get() { var e = Error(); e.message = 23; throw e; }});\"\n \"var e = Error();\"\n \"e.message = 17;\"\n \"throw e;\"),\n JSIException);\n\n EXPECT_THROW(\n eval(\n \"var e = Error();\"\n \"Object.defineProperty(\"\n \" e, 'message', {configurable:true, get() { throw Error('getter'); }});\"\n \"throw e;\"),\n JSIException);\n\n EXPECT_THROW(\n eval(\"var e = Error();\"\n \"String = function() { throw Error('ctor'); };\"\n \"throw e;\"),\n JSIException);\n\n // Converting an exception message to String can return a non-String\n\n EXPECT_THROW(\n eval(\"String = function() { return 42; };\"\n \"var e = Error();\"\n \"e.message = 17;\"\n \"throw e;\"),\n JSIException);\n\n // Exception can be non-Object\n\n EXPECT_THROW(eval(\"throw 17;\"), JSIException);\n\n EXPECT_THROW(eval(\"throw undefined;\"), JSIException);\n\n // Converting exception with no message or stack property to String can throw\n\n EXPECT_THROW(\n eval(\"var e = {toString() { throw new Error('errstr'); }};\"\n \"throw e;\"),\n JSIException);\n}", "project": "hermes", "hash": 133832568390160474697930981391506386472, "size": 63, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": 
"[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230215 }, { "func": "int lj_trace_flushall(lua_State *L)\n{\n jit_State *J = L2J(L);\n ptrdiff_t i;\n if ((J2G(J)->hookmask & HOOK_GC))\n return 1;\n for (i = (ptrdiff_t)J->sizetrace-1; i > 0; i--) {\n GCtrace *T = traceref(J, i);\n if (T) {\n if (T->root == 0)\n\ttrace_flushroot(J, T);\n lj_gdbjit_deltrace(J, T);\n T->traceno = 0;\n setgcrefnull(J->trace[i]);\n }\n }\n J->cur.traceno = 0;\n J->freetrace = 0;\n /* Clear penalty cache. */\n memset(J->penalty, 0, sizeof(J->penalty));\n /* Free the whole machine code and invalidate all exit stub groups. 
*/\n lj_mcode_free(J);\n memset(J->exitstubgroup, 0, sizeof(J->exitstubgroup));\n lj_vmevent_send(L, TRACE,\n setstrV(L, L->top++, lj_str_newlit(L, \"flush\"));\n );\n return 0;\n}", "project": "LuaJIT", "hash": 217496737507803210298919267504045938561, "size": 28, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394639 }, { "func": "static bool compare_record(TABLE *table, Field **ptr)\n{\n for (; *ptr ; ptr++)\n {\n Field *f= *ptr;\n if (f->is_null() != f->is_null(table->s->rec_buff_length) ||\n (!f->is_null() && f->cmp_offset(table->s->rec_buff_length)))\n return 1;\n }\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 268885358523372125827801047306338701367, "size": 11, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508534 }, { "func": "static inline unsigned int init_tid(int cpu)\n{\n\treturn cpu;\n}", "project": "linux", "hash": 226438272863030974909948145373884178396, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280182 }, { "func": "int kvm_vcpu_read_guest_atomic(struct kvm_vcpu *vcpu, gpa_t gpa,\n\t\t\t void *data, unsigned long len)\n{\n\tgfn_t gfn = gpa >> PAGE_SHIFT;\n\tstruct kvm_memory_slot *slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);\n\tint offset = offset_in_page(gpa);\n\n\treturn __kvm_read_guest_atomic(slot, gfn, data, offset, len);\n}", "project": "linux", "hash": 193682101252362430300820717147644729031, "size": 9, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation 
variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354619 }, { "func": "void imap_hcache_open(struct ImapAccountData *adata, struct ImapMboxData *mdata)\n{\n if (!adata || !mdata)\n return;\n\n if (mdata->hcache)\n return;\n\n struct HeaderCache *hc = NULL;\n struct Buffer *mbox = mutt_buffer_pool_get();\n struct Buffer *cachepath = mutt_buffer_pool_get();\n\n imap_cachepath(adata->delim, mdata->name, mbox);\n\n if (strstr(mutt_buffer_string(mbox), \"/../\") ||\n mutt_str_equal(mutt_buffer_string(mbox), \"..\") ||\n mutt_strn_equal(mutt_buffer_string(mbox), \"../\", 3))\n {\n goto cleanup;\n }\n size_t len = mutt_buffer_len(mbox);\n if ((len > 3) && (strcmp(mutt_buffer_string(mbox) + len - 3, \"/..\") == 0))\n goto cleanup;\n\n struct Url url = { 0 };\n mutt_account_tourl(&adata->conn->account, &url);\n url.path = mbox->data;\n url_tobuffer(&url, cachepath, U_PATH);\n\n const char *const c_header_cache =\n cs_subset_path(NeoMutt->sub, \"header_cache\");\n hc = mutt_hcache_open(c_header_cache, mutt_buffer_string(cachepath), imap_hcache_namer);\n\ncleanup:\n mutt_buffer_pool_release(&mbox);\n mutt_buffer_pool_release(&cachepath);\n mdata->hcache = hc;\n}", "project": "neomutt", "hash": 94317121144443585482088246517149429447, "size": 38, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. 
In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399271 }, { "func": "static int req_run(struct hci_request *req, hci_req_complete_t complete,\n\t\t hci_req_complete_skb_t complete_skb)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tstruct sk_buff *skb;\n\tunsigned long flags;\n\n\tbt_dev_dbg(hdev, \"length %u\", skb_queue_len(&req->cmd_q));\n\n\t/* If an error occurred during request building, remove all HCI\n\t * commands queued on the HCI request queue.\n\t */\n\tif (req->err) {\n\t\tskb_queue_purge(&req->cmd_q);\n\t\treturn req->err;\n\t}\n\n\t/* Do not allow empty requests */\n\tif (skb_queue_empty(&req->cmd_q))\n\t\treturn -ENODATA;\n\n\tskb = skb_peek_tail(&req->cmd_q);\n\tif (complete) {\n\t\tbt_cb(skb)->hci.req_complete = complete;\n\t} else if (complete_skb) {\n\t\tbt_cb(skb)->hci.req_complete_skb = complete_skb;\n\t\tbt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;\n\t}\n\n\tspin_lock_irqsave(&hdev->cmd_q.lock, flags);\n\tskb_queue_splice_tail(&req->cmd_q, &hdev->cmd_q);\n\tspin_unlock_irqrestore(&hdev->cmd_q.lock, flags);\n\n\tqueue_work(hdev->workqueue, &hdev->cmd_work);\n\n\treturn 0;\n}", "project": "linux", "hash": 47504896987757670692302226538706561052, "size": 37, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402502 }, { "func": "static int ecryptfs_write_headers_virt(char *page_virt, size_t max,\n\t\t\t\t size_t *size,\n\t\t\t\t struct ecryptfs_crypt_stat *crypt_stat,\n\t\t\t\t struct dentry *ecryptfs_dentry)\n{\n\tint rc;\n\tsize_t written;\n\tsize_t offset;\n\n\toffset = ECRYPTFS_FILE_SIZE_BYTES;\n\twrite_ecryptfs_marker((page_virt + offset), &written);\n\toffset += written;\n\twrite_ecryptfs_flags((page_virt + offset), crypt_stat, &written);\n\toffset += written;\n\tecryptfs_write_header_metadata((page_virt + offset), crypt_stat,\n\t\t\t\t &written);\n\toffset += written;\n\trc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat,\n\t\t\t\t\t ecryptfs_dentry, &written,\n\t\t\t\t\t max - offset);\n\tif (rc)\n\t\tecryptfs_printk(KERN_WARNING, \"Error generating key packet \"\n\t\t\t\t\"set; rc = [%d]\\n\", rc);\n\tif (size) {\n\t\toffset += written;\n\t\t*size = offset;\n\t}\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 57775577163903152946086425303489801343, "size": 29, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. 
Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490162 }, { "func": "auto CommonRegexParse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vpsIn,\n StringData opName) {\n uassert(51103,\n str::stream() << opName\n << \" expects an object of named arguments but found: \" << expr.type(),\n expr.type() == BSONType::Object);\n\n struct {\n boost::intrusive_ptr input;\n boost::intrusive_ptr regex;\n boost::intrusive_ptr options;\n } parsed;\n for (auto&& elem : expr.embeddedObject()) {\n const auto field = elem.fieldNameStringData();\n if (field == \"input\"_sd) {\n parsed.input = Expression::parseOperand(expCtx, elem, vpsIn);\n } else if (field == \"regex\"_sd) {\n parsed.regex = Expression::parseOperand(expCtx, elem, vpsIn);\n } else if (field == \"options\"_sd) {\n parsed.options = Expression::parseOperand(expCtx, elem, vpsIn);\n } else {\n uasserted(31024,\n str::stream() << opName << \" found an unknown argument: \"\n << elem.fieldNameStringData());\n }\n }\n uassert(31022, str::stream() << opName << \" requires 'input' parameter\", parsed.input);\n 
uassert(31023, str::stream() << opName << \" requires 'regex' parameter\", parsed.regex);\n\n return parsed;\n}", "project": "mongo", "hash": 48909618454936740242208959286935383321, "size": 33, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370012 }, { "func": "unsigned long kvm_vcpu_gfn_to_hva(struct kvm_vcpu *vcpu, gfn_t gfn)\n{\n\treturn gfn_to_hva_many(kvm_vcpu_gfn_to_memslot(vcpu, gfn), gfn, NULL);\n}", "project": "linux", "hash": 172643149529453139802728096145136669912, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354802 }, { "func": "void putconsxy(struct vc_data *vc, unsigned char *p)\n{\n\thide_cursor(vc);\n\tgotoxy(vc, p[0], p[1]);\n\tset_cursor(vc);\n}", "project": "linux", "hash": 258862887221671538766044531469310074785, "size": 6, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. 
But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 
(\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437069 }, { "func": "static void tcp_remove_reno_sacks(struct sock *sk, int acked)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\tif (acked > 0) {\n\t\t/* One ACK acked hole. The rest eat duplicate ACKs. */\n\t\tif (acked - 1 >= tp->sacked_out)\n\t\t\ttp->sacked_out = 0;\n\t\telse\n\t\t\ttp->sacked_out -= acked - 1;\n\t}\n\ttcp_check_reno_reordering(sk, acked);\n\ttcp_verify_left_out(tp);\n}", "project": "net-next", "hash": 103149588303260989007903079866918149263, "size": 14, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409941 }, { "func": "static rsRetVal qConstructDirect(qqueue_t __attribute__((unused)) *pThis)\n{\n\treturn RS_RET_OK;\n}", "project": "rsyslog", "hash": 98010345999831317686685384147143276683, "size": 4, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373818 }, { "func": "static CURLcode send_telnet_data(struct Curl_easy *data,\n char *buffer, ssize_t nread)\n{\n ssize_t escapes, i, outlen;\n unsigned char *outbuf = NULL;\n CURLcode result = CURLE_OK;\n ssize_t bytes_written, total_written;\n struct connectdata *conn = data->conn;\n\n /* Determine size of new buffer after escaping */\n escapes = 0;\n for(i = 0; i < nread; i++)\n if((unsigned char)buffer[i] == CURL_IAC)\n escapes++;\n outlen = nread + escapes;\n\n if(outlen == nread)\n outbuf = (unsigned char *)buffer;\n else {\n ssize_t j;\n outbuf = malloc(nread + escapes + 1);\n if(!outbuf)\n return CURLE_OUT_OF_MEMORY;\n\n j = 0;\n for(i = 0; i < nread; i++) {\n outbuf[j++] = buffer[i];\n if((unsigned char)buffer[i] == CURL_IAC)\n outbuf[j++] = CURL_IAC;\n }\n outbuf[j] = '\\0';\n }\n\n total_written = 0;\n while(!result && total_written < outlen) {\n /* Make sure socket is writable to avoid EWOULDBLOCK condition */\n struct pollfd pfd[1];\n pfd[0].fd = conn->sock[FIRSTSOCKET];\n pfd[0].events = POLLOUT;\n switch(Curl_poll(pfd, 1, -1)) {\n case -1: /* error, abort writing */\n case 0: /* timeout (will never happen) */\n result = CURLE_SEND_ERROR;\n break;\n default: /* write! 
*/\n bytes_written = 0;\n result = Curl_write(data, conn->sock[FIRSTSOCKET],\n outbuf + total_written,\n outlen - total_written,\n &bytes_written);\n total_written += bytes_written;\n break;\n }\n }\n\n /* Free malloc copy if escaped */\n if(outbuf != (unsigned char *)buffer)\n free(outbuf);\n\n return result;\n}", "project": "curl", "hash": 328668583232468747660872637654188307350, "size": 61, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 0, "dataset": "other", "idx": 481498 }, { "func": "static const char* clibcode_to_clibname(int clibcode) {\n if (clibcode == BLOSC_BLOSCLZ_LIB) return BLOSC_BLOSCLZ_LIBNAME;\n if (clibcode == BLOSC_LZ4_LIB) return BLOSC_LZ4_LIBNAME;\n if (clibcode == BLOSC_LIZARD_LIB) return BLOSC_LIZARD_LIBNAME;\n if (clibcode == BLOSC_SNAPPY_LIB) return BLOSC_SNAPPY_LIBNAME;\n if (clibcode == BLOSC_ZLIB_LIB) return BLOSC_ZLIB_LIBNAME;\n if (clibcode == BLOSC_ZSTD_LIB) return BLOSC_ZSTD_LIBNAME;\n return NULL; /* should never happen */\n}", "project": "c-blosc2", "hash": 74452425167312909258784164693701412199, "size": 9, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303112 }, { "func": "TEST_P(JSITest, ExceptionStackTraceTest) {\n static const char invokeUndefinedScript[] =\n \"function hello() {\"\n \" var a = {}; a.log(); }\"\n \"function world() { hello(); }\"\n \"world()\";\n std::string stack;\n try {\n rt.evaluateJavaScript(\n std::make_unique(invokeUndefinedScript), \"\");\n } catch (JSError& e) {\n stack = e.getStack();\n }\n EXPECT_NE(stack.find(\"world\"), std::string::npos);\n}", "project": "hermes", "hash": 133291866735666199591732651443685647233, "size": 15, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": 
"[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230251 }, { "func": "static void vc_uniscr_clear_line(struct vc_data *vc, unsigned int x,\n\t\t\t\t unsigned int nr)\n{\n\tstruct uni_screen *uniscr = get_vc_uniscr(vc);\n\n\tif (uniscr) {\n\t\tchar32_t *ln = uniscr->lines[vc->vc_y];\n\n\t\tmemset32(&ln[x], ' ', nr);\n\t}\n}", "project": "linux", "hash": 229648961764715036878754952103805049062, "size": 11, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437060 }, { "func": "static void ff_layout_encode_iostats_array(struct xdr_stream *xdr,\n\t\tconst struct nfs4_layoutreturn_args *args,\n\t\tstruct nfs4_flexfile_layoutreturn_args *ff_args)\n{\n\t__be32 *p;\n\tint i;\n\n\tp = xdr_reserve_space(xdr, 4);\n\t*p = cpu_to_be32(ff_args->num_dev);\n\tfor (i = 0; i < ff_args->num_dev; i++)\n\t\tff_layout_encode_ff_iostat(xdr,\n\t\t\t\t&args->layout->plh_stateid,\n\t\t\t\t&ff_args->devinfo[i]);\n}", "project": "linux", "hash": 89477345508837764053451710289994411395, "size": 14, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234426 }, { "func": "static int packet_release(struct socket *sock)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct packet_sock *po;\n\tstruct packet_fanout *f;\n\tstruct net *net;\n\tunion tpacket_req_u req_u;\n\n\tif (!sk)\n\t\treturn 0;\n\n\tnet = sock_net(sk);\n\tpo = pkt_sk(sk);\n\n\tmutex_lock(&net->packet.sklist_lock);\n\tsk_del_node_init_rcu(sk);\n\tmutex_unlock(&net->packet.sklist_lock);\n\n\tpreempt_disable();\n\tsock_prot_inuse_add(net, sk->sk_prot, -1);\n\tpreempt_enable();\n\n\tspin_lock(&po->bind_lock);\n\tunregister_prot_hook(sk, false);\n\tpacket_cached_dev_reset(po);\n\n\tif (po->prot_hook.dev) {\n\t\tdev_put(po->prot_hook.dev);\n\t\tpo->prot_hook.dev = NULL;\n\t}\n\tspin_unlock(&po->bind_lock);\n\n\tpacket_flush_mclist(sk);\n\n\tlock_sock(sk);\n\tif (po->rx_ring.pg_vec) {\n\t\tmemset(&req_u, 0, sizeof(req_u));\n\t\tpacket_set_ring(sk, &req_u, 1, 0);\n\t}\n\n\tif (po->tx_ring.pg_vec) {\n\t\tmemset(&req_u, 0, sizeof(req_u));\n\t\tpacket_set_ring(sk, &req_u, 1, 1);\n\t}\n\trelease_sock(sk);\n\n\tf = fanout_release(sk);\n\n\tsynchronize_net();\n\n\tkfree(po->rollover);\n\tif (f) {\n\t\tfanout_release_data(f);\n\t\tkfree(f);\n\t}\n\t/*\n\t *\tNow the socket is dead. 
No more input will appear.\n\t */\n\tsock_orphan(sk);\n\tsock->sk = NULL;\n\n\t/* Purge queues */\n\n\tskb_queue_purge(&sk->sk_receive_queue);\n\tpacket_free_pending(po);\n\tsk_refcnt_debug_release(sk);\n\n\tsock_put(sk);\n\treturn 0;\n}", "project": "linux", "hash": 25403833601082879462435394072072287355, "size": 70, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330424 }, { "func": "void CSoundFile::SendMIDINote(CHANNELINDEX chn, uint16 note, uint16 volume)\n{\n#ifndef NO_PLUGINS\n\tauto &channel = m_PlayState.Chn[chn];\n\tconst ModInstrument *pIns = channel.pModInstrument;\n\t// instro sends to a midi chan\n\tif (pIns && pIns->HasValidMIDIChannel())\n\t{\n\t\tPLUGINDEX nPlug = pIns->nMixPlug;\n\t\tif ((nPlug) && (nPlug <= MAX_MIXPLUGINS))\n\t\t{\n\t\t\tIMixPlugin *pPlug = m_MixPlugins[nPlug-1].pMixPlugin;\n\t\t\tif (pPlug != nullptr)\n\t\t\t{\n\t\t\t\tpPlug->MidiCommand(GetBestMidiChannel(chn), pIns->nMidiProgram, pIns->wMidiBank, note, volume, chn);\n\t\t\t\tif(note < NOTE_MIN_SPECIAL)\n\t\t\t\t\tchannel.nLeftVU = channel.nRightVU = 0xFF;\n\t\t\t}\n\t\t}\n\t}\n#endif // NO_PLUGINS\n}", "project": "openmpt", "hash": 25835301218335695306153892308004020202, "size": 22, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when 
computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255180 }, { "func": "const char *lj_debug_uvname(GCproto *pt, uint32_t idx)\n{\n const uint8_t *p = proto_uvinfo(pt);\n lua_assert(idx < pt->sizeuv);\n if (!p) return \"\";\n if (idx) while (*p++ || --idx) ;\n return (const char *)p;\n}", "project": "LuaJIT", "hash": 330623531118087087321492757715390272318, "size": 8, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394641 }, { "func": "CallInfo *luaE_extendCI (lua_State *L) {\n CallInfo *ci;\n lua_assert(L->ci->next == NULL);\n luaE_enterCcall(L);\n ci = luaM_new(L, CallInfo);\n lua_assert(L->ci->next == NULL);\n L->ci->next = ci;\n ci->previous = L->ci;\n ci->next = NULL;\n ci->u.l.trap = 0;\n L->nci++;\n return ci;\n}", "project": "lua", "hash": 196644906996251020849717658261580670666, "size": 13, "commit_id": "a2195644d89812e5b157ce7bac35543e06db05e3", "message": "Fixed bug: invalid 'oldpc' when returning to a function\n\nThe field 'L->oldpc' is not always updated when control returns to a\nfunction; an invalid value can seg. fault when computing 'changedline'.\n(One example is an error in a finalizer; control can return to\n'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to\nfix all possible corner cases, it seems safer to be resilient to invalid\nvalues for 'oldpc'. 
Valid but wrong values at most cause an extra call\nto a line hook.", "target": 0, "dataset": "other", "idx": 462771 }, { "func": "void CServer::RegisterCommands()\n{\n\t// register console commands\n\tConsole()->Register(\"kick\", \"i[id] ?r[reason]\", CFGFLAG_SERVER, ConKick, this, \"Kick player with specified id for any reason\");\n\tConsole()->Register(\"status\", \"\", CFGFLAG_SERVER, ConStatus, this, \"List players\");\n\tConsole()->Register(\"shutdown\", \"\", CFGFLAG_SERVER, ConShutdown, this, \"Shut down\");\n\tConsole()->Register(\"logout\", \"\", CFGFLAG_SERVER|CFGFLAG_BASICACCESS, ConLogout, this, \"Logout of rcon\");\n\n\tConsole()->Register(\"record\", \"?s[file]\", CFGFLAG_SERVER|CFGFLAG_STORE, ConRecord, this, \"Record to a file\");\n\tConsole()->Register(\"stoprecord\", \"\", CFGFLAG_SERVER, ConStopRecord, this, \"Stop recording\");\n\n\tConsole()->Register(\"reload\", \"\", CFGFLAG_SERVER, ConMapReload, this, \"Reload the map\");\n\n\tConsole()->Chain(\"sv_name\", ConchainSpecialInfoupdate, this);\n\tConsole()->Chain(\"password\", ConchainSpecialInfoupdate, this);\n\n\tConsole()->Chain(\"sv_player_slots\", ConchainPlayerSlotsUpdate, this);\n\tConsole()->Chain(\"sv_max_clients\", ConchainMaxclientsUpdate, this);\n\tConsole()->Chain(\"sv_max_clients\", ConchainSpecialInfoupdate, this);\n\tConsole()->Chain(\"sv_max_clients_per_ip\", ConchainMaxclientsperipUpdate, this);\n\tConsole()->Chain(\"mod_command\", ConchainModCommandUpdate, this);\n\tConsole()->Chain(\"console_output_level\", ConchainConsoleOutputLevelUpdate, this);\n\tConsole()->Chain(\"sv_rcon_password\", ConchainRconPasswordSet, this);\n\n\t// register console commands in sub parts\n\tm_ServerBan.InitServerBan(Console(), Storage(), this);\n\tm_pGameServer->OnConsoleInit();\n}", "project": "teeworlds", "hash": 7230852647582441342588953679187114025, "size": 28, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 
381990 }, { "func": "static int irda_recvmsg_stream(struct kiocb *iocb, struct socket *sock,\n\t\t\t struct msghdr *msg, size_t size, int flags)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct irda_sock *self = irda_sk(sk);\n\tint noblock = flags & MSG_DONTWAIT;\n\tsize_t copied = 0;\n\tint target, err;\n\tlong timeo;\n\n\tIRDA_DEBUG(3, \"%s()\\n\", __func__);\n\n\tif ((err = sock_error(sk)) < 0)\n\t\treturn err;\n\n\tif (sock->flags & __SO_ACCEPTCON)\n\t\treturn(-EINVAL);\n\n\tif (flags & MSG_OOB)\n\t\treturn -EOPNOTSUPP;\n\n\ttarget = sock_rcvlowat(sk, flags & MSG_WAITALL, size);\n\ttimeo = sock_rcvtimeo(sk, noblock);\n\n\tmsg->msg_namelen = 0;\n\n\tdo {\n\t\tint chunk;\n\t\tstruct sk_buff *skb = skb_dequeue(&sk->sk_receive_queue);\n\n\t\tif (skb == NULL) {\n\t\t\tDEFINE_WAIT(wait);\n\t\t\tint ret = 0;\n\n\t\t\tif (copied >= target)\n\t\t\t\tbreak;\n\n\t\t\tprepare_to_wait_exclusive(sk->sk_sleep, &wait, TASK_INTERRUPTIBLE);\n\n\t\t\t/*\n\t\t\t *\tPOSIX 1003.1g mandates this order.\n\t\t\t */\n\t\t\tret = sock_error(sk);\n\t\t\tif (ret)\n\t\t\t\t;\n\t\t\telse if (sk->sk_shutdown & RCV_SHUTDOWN)\n\t\t\t\t;\n\t\t\telse if (noblock)\n\t\t\t\tret = -EAGAIN;\n\t\t\telse if (signal_pending(current))\n\t\t\t\tret = sock_intr_errno(timeo);\n\t\t\telse if (sk->sk_state != TCP_ESTABLISHED)\n\t\t\t\tret = -ENOTCONN;\n\t\t\telse if (skb_peek(&sk->sk_receive_queue) == NULL)\n\t\t\t\t/* Wait process until data arrives */\n\t\t\t\tschedule();\n\n\t\t\tfinish_wait(sk->sk_sleep, &wait);\n\n\t\t\tif (ret)\n\t\t\t\treturn ret;\n\t\t\tif (sk->sk_shutdown & RCV_SHUTDOWN)\n\t\t\t\tbreak;\n\n\t\t\tcontinue;\n\t\t}\n\n\t\tchunk = min_t(unsigned int, skb->len, size);\n\t\tif (memcpy_toiovec(msg->msg_iov, skb->data, chunk)) {\n\t\t\tskb_queue_head(&sk->sk_receive_queue, skb);\n\t\t\tif (copied == 0)\n\t\t\t\tcopied = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\tcopied += chunk;\n\t\tsize -= chunk;\n\n\t\t/* Mark read part of skb as used */\n\t\tif (!(flags & MSG_PEEK)) {\n\t\t\tskb_pull(skb, 
chunk);\n\n\t\t\t/* put the skb back if we didn't use it up.. */\n\t\t\tif (skb->len) {\n\t\t\t\tIRDA_DEBUG(1, \"%s(), back on q!\\n\",\n\t\t\t\t\t __func__);\n\t\t\t\tskb_queue_head(&sk->sk_receive_queue, skb);\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tkfree_skb(skb);\n\t\t} else {\n\t\t\tIRDA_DEBUG(0, \"%s() questionable!?\\n\", __func__);\n\n\t\t\t/* put message back and return */\n\t\t\tskb_queue_head(&sk->sk_receive_queue, skb);\n\t\t\tbreak;\n\t\t}\n\t} while (size);\n\n\t/*\n\t * Check if we have previously stopped IrTTP and we know\n\t * have more free space in our rx_queue. If so tell IrTTP\n\t * to start delivering frames again before our rx_queue gets\n\t * empty\n\t */\n\tif (self->rx_flow == FLOW_STOP) {\n\t\tif ((atomic_read(&sk->sk_rmem_alloc) << 2) <= sk->sk_rcvbuf) {\n\t\t\tIRDA_DEBUG(2, \"%s(), Starting IrTTP\\n\", __func__);\n\t\t\tself->rx_flow = FLOW_START;\n\t\t\tirttp_flow_request(self->tsap, FLOW_START);\n\t\t}\n\t}\n\n\treturn copied;\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c", "hash": 100568376165509204584153623292624290579, "size": 115, "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "dataset": "other", "idx": 490854 }, { "func": "static void __exit fini_umd(void)\n{\n\tstruct pid *tgid;\n\n\tbpf_preload_ops = NULL;\n\n\t/* kill UMD in case it's still there due to earlier error */\n\ttgid = umd_ops.info.tgid;\n\tif (tgid) {\n\t\tkill_pid(tgid, SIGKILL, 1);\n\n\t\twait_event(tgid->wait_pidfd, thread_group_exited(tgid));\n\t\tumd_cleanup_helper(&umd_ops.info);\n\t}\n\tumd_unload_blob(&umd_ops.info);\n}", "project": "linux", "hash": 151733976832668984896690193490784752085, "size": 16, "commit_id": "f60a85cad677c4f9bb4cadd764f1d106c38c7cf8", "message": "bpf: Fix umd memory leak in copy_process()\n\nThe syzbot reported a memleak as follows:\n\nBUG: memory leak\nunreferenced object 0xffff888101b41d00 (size 120):\n comm \"kworker/u4:0\", pid 8, jiffies 4294944270 (age 12.780s)\n backtrace:\n [] alloc_pid+0x66/0x560\n [] copy_process+0x1465/0x25e0\n [] kernel_clone+0xf3/0x670\n [] kernel_thread+0x61/0x80\n [] call_usermodehelper_exec_work\n [] call_usermodehelper_exec_work+0xc4/0x120\n [] process_one_work+0x2c9/0x600\n [] worker_thread+0x59/0x5d0\n [] kthread+0x178/0x1b0\n [] ret_from_fork+0x1f/0x30\n\nunreferenced object 0xffff888110ef5c00 (size 232):\n comm \"kworker/u4:0\", pid 8414, jiffies 4294944270 (age 12.780s)\n backtrace:\n [] kmem_cache_zalloc\n [] __alloc_file+0x1f/0xf0\n [] alloc_empty_file+0x69/0x120\n [] alloc_file+0x33/0x1b0\n [] alloc_file_pseudo+0xb2/0x140\n [] create_pipe_files+0x138/0x2e0\n [] umd_setup+0x33/0x220\n [] call_usermodehelper_exec_async+0xb4/0x1b0\n [] ret_from_fork+0x1f/0x30\n\nAfter the UMD process exits, the pipe_to_umh/pipe_from_umh and\ntgid need to be released.\n\nFixes: d71fa5c9763c (\"bpf: Add kernel module with user mode driver that populates bpffs.\")\nReported-by: syzbot+44908bb56d2bfe56b28e@syzkaller.appspotmail.com\nSigned-off-by: Zqiang \nSigned-off-by: Daniel Borkmann \nLink: https://lore.kernel.org/bpf/20210317030915.2865-1-qiang.zhang@windriver.com", "target": 0, "dataset": "other", "idx": 
385294 }, { "func": "static void kvm_destroy_dirty_bitmap(struct kvm_memory_slot *memslot)\n{\n\tif (!memslot->dirty_bitmap)\n\t\treturn;\n\n\tkvfree(memslot->dirty_bitmap);\n\tmemslot->dirty_bitmap = NULL;\n}", "project": "linux", "hash": 213914596361402740155242883377460039747, "size": 8, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354662 }, { "func": "static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat)\n{\n\tcrypt_stat->num_header_bytes_at_front =\n\t\tECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 148302893039803205764036706636909849126, "size": 5, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. 
Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490163 }, { "func": "static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,\n\t\t\t int broadcast_flags, struct sock *one_sk,\n\t\t\t struct net *net)\n{\n\tstruct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);\n\tstruct sock *sk;\n\tint err = -ESRCH;\n\n\t/* XXX Do we need something like netlink_overrun? 
I think\n\t * XXX PF_KEY socket apps will not mind current behavior.\n\t */\n\tif (!skb)\n\t\treturn -ENOMEM;\n\n\trcu_read_lock();\n\tsk_for_each_rcu(sk, &net_pfkey->table) {\n\t\tstruct pfkey_sock *pfk = pfkey_sk(sk);\n\t\tint err2;\n\n\t\t/* Yes, it means that if you are meant to receive this\n\t\t * pfkey message you receive it twice as promiscuous\n\t\t * socket.\n\t\t */\n\t\tif (pfk->promisc)\n\t\t\tpfkey_broadcast_one(skb, GFP_ATOMIC, sk);\n\n\t\t/* the exact target will be processed later */\n\t\tif (sk == one_sk)\n\t\t\tcontinue;\n\t\tif (broadcast_flags != BROADCAST_ALL) {\n\t\t\tif (broadcast_flags & BROADCAST_PROMISC_ONLY)\n\t\t\t\tcontinue;\n\t\t\tif ((broadcast_flags & BROADCAST_REGISTERED) &&\n\t\t\t !pfk->registered)\n\t\t\t\tcontinue;\n\t\t\tif (broadcast_flags & BROADCAST_ONE)\n\t\t\t\tcontinue;\n\t\t}\n\n\t\terr2 = pfkey_broadcast_one(skb, GFP_ATOMIC, sk);\n\n\t\t/* Error is cleared after successful sending to at least one\n\t\t * registered KM */\n\t\tif ((broadcast_flags & BROADCAST_REGISTERED) && err)\n\t\t\terr = err2;\n\t}\n\trcu_read_unlock();\n\n\tif (one_sk != NULL)\n\t\terr = pfkey_broadcast_one(skb, allocation, one_sk);\n\n\tkfree_skb(skb);\n\treturn err;\n}", "project": "linux", "hash": 264168359463090926478595656903248492982, "size": 54, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268052 }, { "func": "static long do_get_mempolicy(int *policy, nodemask_t *nmask,\n\t\t\t unsigned long addr, unsigned long flags)\n{\n\tint err;\n\tstruct mm_struct *mm = current->mm;\n\tstruct vm_area_struct *vma = NULL;\n\tstruct mempolicy *pol = current->mempolicy, *pol_refcount = NULL;\n\n\tif (flags &\n\t\t~(unsigned long)(MPOL_F_NODE|MPOL_F_ADDR|MPOL_F_MEMS_ALLOWED))\n\t\treturn -EINVAL;\n\n\tif (flags & MPOL_F_MEMS_ALLOWED) {\n\t\tif (flags & (MPOL_F_NODE|MPOL_F_ADDR))\n\t\t\treturn -EINVAL;\n\t\t*policy = 0;\t/* just so it's initialized */\n\t\ttask_lock(current);\n\t\t*nmask = cpuset_current_mems_allowed;\n\t\ttask_unlock(current);\n\t\treturn 0;\n\t}\n\n\tif (flags & MPOL_F_ADDR) {\n\t\t/*\n\t\t * Do NOT fall back to task policy if the\n\t\t * vma/shared policy at addr is NULL. 
We\n\t\t * want to return MPOL_DEFAULT in this case.\n\t\t */\n\t\tdown_read(&mm->mmap_sem);\n\t\tvma = find_vma_intersection(mm, addr, addr+1);\n\t\tif (!vma) {\n\t\t\tup_read(&mm->mmap_sem);\n\t\t\treturn -EFAULT;\n\t\t}\n\t\tif (vma->vm_ops && vma->vm_ops->get_policy)\n\t\t\tpol = vma->vm_ops->get_policy(vma, addr);\n\t\telse\n\t\t\tpol = vma->vm_policy;\n\t} else if (addr)\n\t\treturn -EINVAL;\n\n\tif (!pol)\n\t\tpol = &default_policy;\t/* indicates default behavior */\n\n\tif (flags & MPOL_F_NODE) {\n\t\tif (flags & MPOL_F_ADDR) {\n\t\t\t/*\n\t\t\t * Take a refcount on the mpol, lookup_node()\n\t\t\t * wil drop the mmap_sem, so after calling\n\t\t\t * lookup_node() only \"pol\" remains valid, \"vma\"\n\t\t\t * is stale.\n\t\t\t */\n\t\t\tpol_refcount = pol;\n\t\t\tvma = NULL;\n\t\t\tmpol_get(pol);\n\t\t\terr = lookup_node(mm, addr);\n\t\t\tif (err < 0)\n\t\t\t\tgoto out;\n\t\t\t*policy = err;\n\t\t} else if (pol == current->mempolicy &&\n\t\t\t\tpol->mode == MPOL_INTERLEAVE) {\n\t\t\t*policy = next_node_in(current->il_prev, pol->v.nodes);\n\t\t} else {\n\t\t\terr = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\t} else {\n\t\t*policy = pol == &default_policy ? 
MPOL_DEFAULT :\n\t\t\t\t\t\tpol->mode;\n\t\t/*\n\t\t * Internal mempolicy flags must be masked off before exposing\n\t\t * the policy to userspace.\n\t\t */\n\t\t*policy |= (pol->flags & MPOL_MODE_FLAGS);\n\t}\n\n\terr = 0;\n\tif (nmask) {\n\t\tif (mpol_store_user_nodemask(pol)) {\n\t\t\t*nmask = pol->w.user_nodemask;\n\t\t} else {\n\t\t\ttask_lock(current);\n\t\t\tget_policy_nodemask(pol, nmask);\n\t\t\ttask_unlock(current);\n\t\t}\n\t}\n\n out:\n\tmpol_cond_put(pol);\n\tif (vma)\n\t\tup_read(&mm->mmap_sem);\n\tif (pol_refcount)\n\t\tmpol_put(pol_refcount);\n\treturn err;\n}", "project": "linux", "hash": 333523887672433455284482084571596968670, "size": 95, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366735 }, { "func": "static int set_tracer_option(struct trace_array *tr, char *cmp, int neg)\n{\n\tstruct tracer *trace = tr->current_trace;\n\tstruct tracer_flags *tracer_flags = trace->flags;\n\tstruct tracer_opt *opts = NULL;\n\tint i;\n\n\tfor (i = 0; tracer_flags->opts[i].name; i++) {\n\t\topts = &tracer_flags->opts[i];\n\n\t\tif 
(strcmp(cmp, opts->name) == 0)\n\t\t\treturn __set_tracer_option(tr, trace->flags, opts, neg);\n\t}\n\n\treturn -EINVAL;\n}", "project": "linux", "hash": 287388256882755764945716411957971701285, "size": 16, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445634 }, { "func": "static inline void TCP_ECN_accept_cwr(struct tcp_sock *tp, const struct sk_buff *skb)\n{\n\tif (tcp_hdr(skb)->cwr)\n\t\ttp->ecn_flags &= ~TCP_ECN_DEMAND_CWR;\n}", "project": "net-next", "hash": 232880963295599500175789997479935698433, "size": 5, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409949 }, { "func": "static int _nfs4_proc_secinfo(struct inode *dir, const struct qstr *name, struct nfs4_secinfo_flavors *flavors, bool use_integrity)\n{\n\tint status;\n\tstruct rpc_clnt *clnt = NFS_SERVER(dir)->client;\n\tstruct nfs_client *clp = NFS_SERVER(dir)->nfs_client;\n\tstruct nfs4_secinfo_arg args = {\n\t\t.dir_fh = NFS_FH(dir),\n\t\t.name = name,\n\t};\n\tstruct nfs4_secinfo_res res = {\n\t\t.flavors = flavors,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_SECINFO],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t};\n\tstruct nfs4_call_sync_data data = {\n\t\t.seq_server = NFS_SERVER(dir),\n\t\t.seq_args = &args.seq_args,\n\t\t.seq_res = &res.seq_res,\n\t};\n\tstruct rpc_task_setup task_setup = {\n\t\t.rpc_client = clnt,\n\t\t.rpc_message = &msg,\n\t\t.callback_ops = clp->cl_mvops->call_sync_ops,\n\t\t.callback_data = &data,\n\t\t.flags = RPC_TASK_NO_ROUND_ROBIN,\n\t};\n\tconst struct cred *cred = NULL;\n\n\tif (use_integrity) {\n\t\tclnt = clp->cl_rpcclient;\n\t\ttask_setup.rpc_client = clnt;\n\n\t\tcred = nfs4_get_clid_cred(clp);\n\t\tmsg.rpc_cred = cred;\n\t}\n\n\tdprintk(\"NFS call secinfo %s\\n\", name->name);\n\n\tnfs4_state_protect(clp, NFS_SP4_MACH_CRED_SECINFO, &clnt, &msg);\n\tnfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 0);\n\tstatus = nfs4_call_sync_custom(&task_setup);\n\n\tdprintk(\"NFS reply secinfo: %d\\n\", status);\n\n\tput_cred(cred);\n\treturn status;\n}", "project": "linux", "hash": 215125969679820697185665767429381781808, "size": 50, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 
0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431239 }, { "func": "static int nd_jump_root(struct nameidata *nd)\n{\n\tif (nd->flags & LOOKUP_RCU) {\n\t\tstruct dentry *d;\n\t\tnd->path = nd->root;\n\t\td = nd->path.dentry;\n\t\tnd->inode = d->d_inode;\n\t\tnd->seq = nd->root_seq;\n\t\tif (unlikely(read_seqcount_retry(&d->d_seq, nd->seq)))\n\t\t\treturn -ECHILD;\n\t} else {\n\t\tpath_put(&nd->path);\n\t\tnd->path = nd->root;\n\t\tpath_get(&nd->path);\n\t\tnd->inode = nd->path.dentry->d_inode;\n\t}\n\tnd->flags |= LOOKUP_JUMPED;\n\treturn 0;\n}", "project": "linux", "hash": 332564748476869823450787938321004311199, "size": 19, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295339 }, { "func": "static void trace_stop(jit_State *J)\n{\n BCIns *pc = mref(J->cur.startpc, BCIns);\n BCOp op = bc_op(J->cur.startins);\n GCproto *pt = &gcref(J->cur.startpt)->pt;\n TraceNo traceno = J->cur.traceno;\n GCtrace *T = trace_save_alloc(J); /* Do this first. May throw OOM. */\n lua_State *L;\n\n switch (op) {\n case BC_FORL:\n setbc_op(pc+bc_j(J->cur.startins), BC_JFORI); /* Patch FORI, too. */\n /* fallthrough */\n case BC_LOOP:\n case BC_ITERL:\n case BC_FUNCF:\n /* Patch bytecode of starting instruction in root trace. */\n setbc_op(pc, (int)op+(int)BC_JLOOP-(int)BC_LOOP);\n setbc_d(pc, traceno);\n addroot:\n /* Add to root trace chain in prototype. */\n J->cur.nextroot = pt->trace;\n pt->trace = (TraceNo1)traceno;\n break;\n case BC_RET:\n case BC_RET0:\n case BC_RET1:\n *pc = BCINS_AD(BC_JLOOP, J->cur.snap[0].nslots, traceno);\n goto addroot;\n case BC_JMP:\n /* Patch exit branch in parent to side trace entry. 
*/\n lua_assert(J->parent != 0 && J->cur.root != 0);\n lj_asm_patchexit(J, traceref(J, J->parent), J->exitno, J->cur.mcode);\n /* Avoid compiling a side trace twice (stack resizing uses parent exit). */\n traceref(J, J->parent)->snap[J->exitno].count = SNAPCOUNT_DONE;\n /* Add to side trace chain in root trace. */\n {\n GCtrace *root = traceref(J, J->cur.root);\n root->nchild++;\n J->cur.nextside = root->nextside;\n root->nextside = (TraceNo1)traceno;\n }\n break;\n default:\n lua_assert(0);\n break;\n }\n\n /* Commit new mcode only after all patching is done. */\n lj_mcode_commit(J, J->cur.mcode);\n J->postproc = LJ_POST_NONE;\n trace_save(J, T);\n\n L = J->L;\n lj_vmevent_send(L, TRACE,\n setstrV(L, L->top++, lj_str_newlit(L, \"stop\"));\n setintV(L->top++, traceno);\n );\n}", "project": "LuaJIT", "hash": 37346103828020795477136344507640331726, "size": 59, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394620 }, { "func": "static int link_path_walk(const char *name, struct nameidata *nd)\n{\n\tint err;\n\n\tif (IS_ERR(name))\n\t\treturn PTR_ERR(name);\n\twhile (*name=='/')\n\t\tname++;\n\tif (!*name)\n\t\treturn 0;\n\n\t/* At this point we know we have a real path component. 
*/\n\tfor(;;) {\n\t\tu64 hash_len;\n\t\tint type;\n\n\t\terr = may_lookup(nd);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\thash_len = hash_name(nd->path.dentry, name);\n\n\t\ttype = LAST_NORM;\n\t\tif (name[0] == '.') switch (hashlen_len(hash_len)) {\n\t\t\tcase 2:\n\t\t\t\tif (name[1] == '.') {\n\t\t\t\t\ttype = LAST_DOTDOT;\n\t\t\t\t\tnd->flags |= LOOKUP_JUMPED;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase 1:\n\t\t\t\ttype = LAST_DOT;\n\t\t}\n\t\tif (likely(type == LAST_NORM)) {\n\t\t\tstruct dentry *parent = nd->path.dentry;\n\t\t\tnd->flags &= ~LOOKUP_JUMPED;\n\t\t\tif (unlikely(parent->d_flags & DCACHE_OP_HASH)) {\n\t\t\t\tstruct qstr this = { { .hash_len = hash_len }, .name = name };\n\t\t\t\terr = parent->d_op->d_hash(parent, &this);\n\t\t\t\tif (err < 0)\n\t\t\t\t\treturn err;\n\t\t\t\thash_len = this.hash_len;\n\t\t\t\tname = this.name;\n\t\t\t}\n\t\t}\n\n\t\tnd->last.hash_len = hash_len;\n\t\tnd->last.name = name;\n\t\tnd->last_type = type;\n\n\t\tname += hashlen_len(hash_len);\n\t\tif (!*name)\n\t\t\tgoto OK;\n\t\t/*\n\t\t * If it wasn't NUL, we know it was '/'. 
Skip that\n\t\t * slash, and continue until no more slashes.\n\t\t */\n\t\tdo {\n\t\t\tname++;\n\t\t} while (unlikely(*name == '/'));\n\t\tif (unlikely(!*name)) {\nOK:\n\t\t\t/* pathname body, done */\n\t\t\tif (!nd->depth)\n\t\t\t\treturn 0;\n\t\t\tname = nd->stack[nd->depth - 1].name;\n\t\t\t/* trailing symlink, done */\n\t\t\tif (!name)\n\t\t\t\treturn 0;\n\t\t\t/* last component of nested symlink */\n\t\t\terr = walk_component(nd, WALK_FOLLOW);\n\t\t} else {\n\t\t\t/* not the last component */\n\t\t\terr = walk_component(nd, WALK_FOLLOW | WALK_MORE);\n\t\t}\n\t\tif (err < 0)\n\t\t\treturn err;\n\n\t\tif (err) {\n\t\t\tconst char *s = get_link(nd);\n\n\t\t\tif (IS_ERR(s))\n\t\t\t\treturn PTR_ERR(s);\n\t\t\terr = 0;\n\t\t\tif (unlikely(!s)) {\n\t\t\t\t/* jumped */\n\t\t\t\tput_link(nd);\n\t\t\t} else {\n\t\t\t\tnd->stack[nd->depth - 1].name = name;\n\t\t\t\tname = s;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t}\n\t\tif (unlikely(!d_can_lookup(nd->path.dentry))) {\n\t\t\tif (nd->flags & LOOKUP_RCU) {\n\t\t\t\tif (unlazy_walk(nd))\n\t\t\t\t\treturn -ECHILD;\n\t\t\t}\n\t\t\treturn -ENOTDIR;\n\t\t}\n\t}\n}", "project": "linux", "hash": 222649552887975054624771211839792920540, "size": 102, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295385 }, { "func": "static void __free_slab(struct kmem_cache *s, struct page *page)\n{\n\tint order = compound_order(page);\n\tint pages = 1 << order;\n\n\tif (s->flags & SLAB_CONSISTENCY_CHECKS) {\n\t\tvoid *p;\n\n\t\tslab_pad_check(s, page);\n\t\tfor_each_object(p, s, page_address(page),\n\t\t\t\t\t\tpage->objects)\n\t\t\tcheck_object(s, page, p, 
SLUB_RED_INACTIVE);\n\t}\n\n\t__ClearPageSlabPfmemalloc(page);\n\t__ClearPageSlab(page);\n\n\tpage->mapping = NULL;\n\tif (current->reclaim_state)\n\t\tcurrent->reclaim_state->reclaimed_slab += pages;\n\tuncharge_slab_page(page, order, s);\n\t__free_pages(page, order);\n}", "project": "linux", "hash": 286938284859953103921761804066617849261, "size": 23, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280132 }, { "func": "int nfs4_set_rw_stateid(nfs4_stateid *stateid,\n\t\tconst struct nfs_open_context *ctx,\n\t\tconst struct nfs_lock_context *l_ctx,\n\t\tfmode_t fmode)\n{\n\treturn nfs4_select_rw_stateid(ctx->state, fmode, l_ctx, stateid, NULL);\n}", "project": "linux", "hash": 174982644593267183593412956314513325195, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431585 }, { 
"func": "static void nfs4_xdr_enc_get_lease_time(struct rpc_rqst *req,\n\t\t\t\t\tstruct xdr_stream *xdr,\n\t\t\t\t\tconst void *data)\n{\n\tconst struct nfs4_get_lease_time_args *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->la_seq_args),\n\t};\n\tconst u32 lease_bitmap[3] = { FATTR4_WORD0_LEASE_TIME };\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->la_seq_args, &hdr);\n\tencode_putrootfh(xdr, &hdr);\n\tencode_fsinfo(xdr, lease_bitmap, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 41453155033445129076246259114036355385, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430944 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void ecall_non_oblivious_aggregate_step2(\n uint8_t *agg_op, size_t agg_op_length,\n uint8_t *input_rows, size_t input_rows_length,\n uint8_t *next_partition_first_row, size_t next_partition_first_row_length,\n uint8_t *prev_partition_last_group, size_t prev_partition_last_group_length,\n uint8_t *prev_partition_last_row, size_t prev_partition_last_row_length,\n uint8_t **output_rows, size_t *output_rows_length) {\n // Guard against operating on arbitrary enclave memory\n assert(sgx_is_outside_enclave(input_rows, input_rows_length) == 1);\n assert(sgx_is_outside_enclave(next_partition_first_row, next_partition_first_row_length) == 1);\n assert(sgx_is_outside_enclave(prev_partition_last_group, prev_partition_last_group_length) == 1);\n 
assert(sgx_is_outside_enclave(prev_partition_last_row, prev_partition_last_row_length) == 1);\n sgx_lfence();\n\n try {\n non_oblivious_aggregate_step2(\n agg_op, agg_op_length,\n input_rows, input_rows_length,\n next_partition_first_row, next_partition_first_row_length,\n prev_partition_last_group, prev_partition_last_group_length,\n prev_partition_last_row, prev_partition_last_row_length,\n output_rows, output_rows_length);\n } catch (const std::runtime_error &e) {\n ocall_throw(e.what());\n }\n}", "idx": 519063, "cwe": "CWE-787", "hash": 114386530497392481529413721915554267925, "dataset": "other" }, { "func": " Cached_item_real(Item *item_par) :Cached_item_item(item_par),value(0.0) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 16952466400864077959550437324019707128, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508982 }, { "func": "static void php_autoglobal_merge(HashTable *dest, HashTable *src)\n{\n\tzval *src_entry, *dest_entry;\n\tzend_string *string_key;\n\tzend_ulong num_key;\n\tint globals_check = (dest == (&EG(symbol_table)));\n\n\tZEND_HASH_FOREACH_KEY_VAL(src, num_key, string_key, src_entry) {\n\t\tif (Z_TYPE_P(src_entry) != IS_ARRAY\n\t\t\t|| (string_key && (dest_entry = zend_hash_find(dest, string_key)) == NULL)\n\t\t\t|| (string_key == NULL && (dest_entry = zend_hash_index_find(dest, num_key)) == NULL)\n\t\t\t|| Z_TYPE_P(dest_entry) != IS_ARRAY) {\n\t\t\tif (Z_REFCOUNTED_P(src_entry)) {\n\t\t\t\tZ_ADDREF_P(src_entry);\n\t\t\t}\n\t\t\tif (string_key) {\n\t\t\t\tif (!globals_check || ZSTR_LEN(string_key) != sizeof(\"GLOBALS\") - 1\n\t\t\t\t\t\t|| memcmp(ZSTR_VAL(string_key), \"GLOBALS\", sizeof(\"GLOBALS\") - 1)) {\n\t\t\t\t\tzend_hash_update(dest, string_key, src_entry);\n\t\t\t\t} else if (Z_REFCOUNTED_P(src_entry)) {\n\t\t\t\t\tZ_DELREF_P(src_entry);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tzend_hash_index_update(dest, num_key, src_entry);\n\t\t\t}\n\t\t} else {\n\t\t\tSEPARATE_ARRAY(dest_entry);\n\t\t\tphp_autoglobal_merge(Z_ARRVAL_P(dest_entry), Z_ARRVAL_P(src_entry));\n\t\t}\n\t} ZEND_HASH_FOREACH_END();\n}", "project": "php-src", "hash": 84641929320697396895914746168792609001, "size": 31, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374966 }, { "func": "void fuse_unlock_inode(struct inode *inode, bool locked)\n{\n\tif (locked)\n\t\tmutex_unlock(&get_fuse_inode(inode)->mutex);\n}", "project": "linux", "hash": 72906088815916265041580770531585048664, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report 
(edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341942 }, { "func": "void __init numa_policy_init(void)\n{\n\tnodemask_t interleave_nodes;\n\tunsigned long largest = 0;\n\tint nid, prefer = 0;\n\n\tpolicy_cache = kmem_cache_create(\"numa_policy\",\n\t\t\t\t\t sizeof(struct mempolicy),\n\t\t\t\t\t 0, SLAB_PANIC, NULL);\n\n\tsn_cache = kmem_cache_create(\"shared_policy_node\",\n\t\t\t\t sizeof(struct sp_node),\n\t\t\t\t 0, SLAB_PANIC, NULL);\n\n\tfor_each_node(nid) {\n\t\tpreferred_node_policy[nid] = (struct mempolicy) {\n\t\t\t.refcnt = ATOMIC_INIT(1),\n\t\t\t.mode = MPOL_PREFERRED,\n\t\t\t.flags = MPOL_F_MOF | MPOL_F_MORON,\n\t\t\t.v = { .preferred_node = nid, },\n\t\t};\n\t}\n\n\t/*\n\t * Set interleaving policy for system init. Interleaving is only\n\t * enabled across suitably sized nodes (default is >= 16MB), or\n\t * fall back to the largest node if they're all smaller.\n\t */\n\tnodes_clear(interleave_nodes);\n\tfor_each_node_state(nid, N_MEMORY) {\n\t\tunsigned long total_pages = node_present_pages(nid);\n\n\t\t/* Preserve the largest node */\n\t\tif (largest < total_pages) {\n\t\t\tlargest = total_pages;\n\t\t\tprefer = nid;\n\t\t}\n\n\t\t/* Interleave this node? 
*/\n\t\tif ((total_pages << PAGE_SHIFT) >= (16 << 20))\n\t\t\tnode_set(nid, interleave_nodes);\n\t}\n\n\t/* All too small, use the largest */\n\tif (unlikely(nodes_empty(interleave_nodes)))\n\t\tnode_set(prefer, interleave_nodes);\n\n\tif (do_set_mempolicy(MPOL_INTERLEAVE, 0, &interleave_nodes))\n\t\tpr_err(\"%s: interleaving failed\\n\", __func__);\n\n\tcheck_numabalancing_enable();\n}", "project": "linux", "hash": 42639707545064196385574717475254455410, "size": 52, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366790 }, { "func": "void CClient::Timeout() { PutClient(\"ERROR :\" + t_s(\"Closing link: Timeout\")); }", "project": "znc", "hash": 270285490855744680927331984972504135501, "size": 1, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231543 }, { "func": "int blosc2_compress(int clevel, int doshuffle, int32_t typesize,\n const void* src, int32_t srcsize, void* dest, int32_t destsize) {\n int error;\n int result;\n char* 
envvar;\n\n /* Check whether the library should be initialized */\n if (!g_initlib) blosc_init();\n\n /* Check for a BLOSC_CLEVEL environment variable */\n envvar = getenv(\"BLOSC_CLEVEL\");\n if (envvar != NULL) {\n long value;\n value = strtol(envvar, NULL, 10);\n if ((value != EINVAL) && (value >= 0)) {\n clevel = (int)value;\n }\n }\n\n /* Check for a BLOSC_SHUFFLE environment variable */\n envvar = getenv(\"BLOSC_SHUFFLE\");\n if (envvar != NULL) {\n if (strcmp(envvar, \"NOSHUFFLE\") == 0) {\n doshuffle = BLOSC_NOSHUFFLE;\n }\n if (strcmp(envvar, \"SHUFFLE\") == 0) {\n doshuffle = BLOSC_SHUFFLE;\n }\n if (strcmp(envvar, \"BITSHUFFLE\") == 0) {\n doshuffle = BLOSC_BITSHUFFLE;\n }\n }\n\n /* Check for a BLOSC_DELTA environment variable */\n envvar = getenv(\"BLOSC_DELTA\");\n if (envvar != NULL) {\n if (strcmp(envvar, \"1\") == 0) {\n blosc_set_delta(1);\n } else {\n blosc_set_delta(0);\n }\n }\n\n /* Check for a BLOSC_TYPESIZE environment variable */\n envvar = getenv(\"BLOSC_TYPESIZE\");\n if (envvar != NULL) {\n long value;\n value = strtol(envvar, NULL, 10);\n if ((value != EINVAL) && (value > 0)) {\n typesize = (size_t)value;\n }\n }\n\n /* Check for a BLOSC_COMPRESSOR environment variable */\n envvar = getenv(\"BLOSC_COMPRESSOR\");\n if (envvar != NULL) {\n result = blosc_set_compressor(envvar);\n if (result < 0) { return result; }\n }\n\n /* Check for a BLOSC_COMPRESSOR environment variable */\n envvar = getenv(\"BLOSC_BLOCKSIZE\");\n if (envvar != NULL) {\n long blocksize;\n blocksize = strtol(envvar, NULL, 10);\n if ((blocksize != EINVAL) && (blocksize > 0)) {\n blosc_set_blocksize((size_t)blocksize);\n }\n }\n\n /* Check for a BLOSC_NTHREADS environment variable */\n envvar = getenv(\"BLOSC_NTHREADS\");\n if (envvar != NULL) {\n long nthreads;\n nthreads = strtol(envvar, NULL, 10);\n if ((nthreads != EINVAL) && (nthreads > 0)) {\n result = blosc_set_nthreads((int)nthreads);\n if (result < 0) { return result; }\n }\n }\n\n /* Check for a BLOSC_NOLOCK 
environment variable. It is important\n that this should be the last env var so that it can take the\n previous ones into account */\n envvar = getenv(\"BLOSC_NOLOCK\");\n if (envvar != NULL) {\n // TODO: here is the only place that returns an extended header from\n // a blosc_compress() call. This should probably be fixed.\n const char *compname;\n blosc2_context *cctx;\n blosc2_cparams cparams = BLOSC2_CPARAMS_DEFAULTS;\n\n blosc_compcode_to_compname(g_compressor, &compname);\n /* Create a context for compression */\n build_filters(doshuffle, g_delta, typesize, cparams.filters);\n // TODO: cparams can be shared in a multithreaded environment. do a copy!\n cparams.typesize = (uint8_t)typesize;\n cparams.compcode = (uint8_t)g_compressor;\n cparams.clevel = (uint8_t)clevel;\n cparams.nthreads = (uint8_t)g_nthreads;\n cctx = blosc2_create_cctx(cparams);\n /* Do the actual compression */\n result = blosc2_compress_ctx(cctx, src, srcsize, dest, destsize);\n /* Release context resources */\n blosc2_free_ctx(cctx);\n return result;\n }\n\n pthread_mutex_lock(&global_comp_mutex);\n\n /* Initialize a context compression */\n uint8_t* filters = calloc(1, BLOSC2_MAX_FILTERS);\n uint8_t* filters_meta = calloc(1, BLOSC2_MAX_FILTERS);\n build_filters(doshuffle, g_delta, typesize, filters);\n error = initialize_context_compression(\n g_global_context, src, srcsize, dest, destsize, clevel, filters,\n filters_meta, (int32_t)typesize, g_compressor, g_force_blocksize, g_nthreads, g_nthreads,\n g_schunk);\n free(filters);\n free(filters_meta);\n if (error <= 0) {\n pthread_mutex_unlock(&global_comp_mutex);\n return error;\n }\n\n /* Write chunk header without extended header (Blosc1 compatibility mode) */\n error = write_compression_header(g_global_context, false);\n if (error < 0) {\n pthread_mutex_unlock(&global_comp_mutex);\n return error;\n }\n\n result = blosc_compress_context(g_global_context);\n\n pthread_mutex_unlock(&global_comp_mutex);\n\n return result;\n}", "project": 
"c-blosc2", "hash": 135355098405427261889797397828198822435, "size": 138, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303123 }, { "func": "static inline void tcp_write_queue_purge(struct sock *sk)\n{\n\tstruct sk_buff *skb;\n\n\twhile ((skb = __skb_dequeue(&sk->sk_write_queue)) != NULL)\n\t\tsk_wmem_free_skb(sk, skb);\n\tsk_mem_reclaim(sk);\n\ttcp_clear_all_retrans_hints(tcp_sk(sk));\n}", "project": "linux", "hash": 209381983852559537873995372445989545451, "size": 9, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410731 }, { "func": " longlong val_int_from_real()\n {\n DBUG_ASSERT(fixed == 1);\n return Converter_double_to_longlong_with_warn(val_real(), false).result();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 292626457953168716405849313037329215379, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508938 }, { "func": " */\nstatic bool bfq_may_expire_for_budg_timeout(struct bfq_queue *bfqq)\n{\n\tbfq_log_bfqq(bfqq->bfqd, bfqq,\n\t\t\"may_budget_timeout: wait_request %d left %d timeout %d\",\n\t\tbfq_bfqq_wait_request(bfqq),\n\t\t\tbfq_bfqq_budget_left(bfqq) >= bfqq->entity.budget / 3,\n\t\tbfq_bfqq_budget_timeout(bfqq));\n\n\treturn (!bfq_bfqq_wait_request(bfqq) ||\n\t\tbfq_bfqq_budget_left(bfqq) >= bfqq->entity.budget / 3)\n\t\t&&\n\t\tbfq_bfqq_budget_timeout(bfqq);", "project": "linux", "hash": 160278537886612213888851023390854926915, "size": 13, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453289 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::handleDeferredAudioNodeTasks()\n{\n ASSERT(isAudioThread() && isGraphOwner());\n\n for (unsigned i = 0; i < m_deferredBreakConnectionList.size(); ++i)\n m_deferredBreakConnectionList[i]->breakConnectionWithLock();\n m_deferredBreakConnectionList.clear();\n}\n", "cwe": "", "big_vul_idx": 139657, "idx": 124807, "hash": 271484049412036261660836033570862590932 }, { "func": "void UnicodeStringTest::TestLargeAppend() {\n if(quick) return;\n\n IcuTestErrorCode status(*this, \"TestLargeAppend\");\n // Make a large UnicodeString\n int32_t len = 0xAFFFFFF;\n UnicodeString str;\n char16_t *buf = str.getBuffer(len);\n // A fast way to set buffer to valid Unicode.\n // 4E4E is a valid unicode character\n uprv_memset(buf, 0x4e, len * 2);\n 
str.releaseBuffer(len);\n UnicodeString dest;\n // Append it 16 times\n // 0xAFFFFFF times 16 is 0xA4FFFFF1,\n // which is greater than INT32_MAX, which is 0x7FFFFFFF.\n int64_t total = 0;\n for (int32_t i = 0; i < 16; i++) {\n dest.append(str);\n total += len;\n if (total <= INT32_MAX) {\n assertFalse(\"dest is not bogus\", dest.isBogus());\n } else {\n assertTrue(\"dest should be bogus\", dest.isBogus());\n }\n }\n dest.remove();\n total = 0;\n for (int32_t i = 0; i < 16; i++) {\n dest.append(str);\n total += len;\n if (total + len <= INT32_MAX) {\n assertFalse(\"dest is not bogus\", dest.isBogus());\n } else if (total <= INT32_MAX) {\n // Check that a string of exactly the maximum size works\n UnicodeString str2;\n int32_t remain = INT32_MAX - total;\n char16_t *buf2 = str2.getBuffer(remain);\n if (buf2 == nullptr) {\n // if somehow memory allocation fail, return the test\n return;\n }\n uprv_memset(buf2, 0x4e, remain * 2);\n str2.releaseBuffer(remain);\n dest.append(str2);\n total += remain;\n assertEquals(\"When a string of exactly the maximum size works\", (int64_t)INT32_MAX, total);\n assertEquals(\"When a string of exactly the maximum size works\", INT32_MAX, dest.length());\n assertFalse(\"dest is not bogus\", dest.isBogus());\n\n // Check that a string size+1 goes bogus\n str2.truncate(1);\n dest.append(str2);\n total++;\n assertTrue(\"dest should be bogus\", dest.isBogus());\n } else {\n assertTrue(\"dest should be bogus\", dest.isBogus());\n }\n }\n}", "project": "icu", "hash": 5857343220965751928591678066815146998, "size": 60, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430842 }, { "func": "static int tcp_try_undo_partial(struct sock *sk, int acked)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\t/* Partial ACK arrived. Force Hoe's retransmit. 
*/\n\tint failed = tcp_is_reno(tp) || (tcp_fackets_out(tp) > tp->reordering);\n\n\tif (tcp_may_undo(tp)) {\n\t\t/* Plain luck! Hole if filled with delayed\n\t\t * packet, rather than with a retransmit.\n\t\t */\n\t\tif (!tcp_any_retrans_done(sk))\n\t\t\ttp->retrans_stamp = 0;\n\n\t\ttcp_update_reordering(sk, tcp_fackets_out(tp) + acked, 1);\n\n\t\tDBGUNDO(sk, \"Hoe\");\n\t\ttcp_undo_cwr(sk, false);\n\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPPARTIALUNDO);\n\n\t\t/* So... Do not make Hoe's retransmit yet.\n\t\t * If the first packet was delayed, the rest\n\t\t * ones are most probably delayed as well.\n\t\t */\n\t\tfailed = 0;\n\t}\n\treturn failed;\n}", "project": "net-next", "hash": 306599549756648066052866813744812690530, "size": 27, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409939 }, { "func": "static void ACHasBaseLig(SplineFont1 *sf,AnchorClass1 *ac) {\n int gid,k;\n SplineFont1 *subsf;\n SplineChar *sc;\n AnchorPoint *ap;\n\n ac->has_bases = ac->has_ligatures = false;\n if ( ac->ac.type==act_mkmk || ac->ac.type==act_curs )\nreturn;\n k=0;\n do {\n\tsubsf = sf->sf.subfontcnt==0 ? 
sf : (SplineFont1 *) (sf->sf.subfonts[k]);\n\tfor ( gid=0; gidsf.glyphcnt; ++gid ) if ( (sc=subsf->sf.glyphs[gid])!=NULL ) {\n\t for ( ap=sc->anchor; ap!=NULL; ap=ap->next ) {\n\t\tif ( ap->anchor!=(AnchorClass *) ac )\n\t continue;\n\t\tif ( ap->type==at_basechar ) {\n\t\t ac->has_bases = true;\n\t\t if ( ac->has_ligatures )\nreturn;\n\t\t} else if ( ap->type==at_baselig ) {\n\t\t ac->has_ligatures = true;\n\t\t if ( ac->has_bases )\nreturn;\n\t\t}\n\t }\n\t}\n\t++k;\n } while ( ksf.subfontcnt );\n}", "project": "fontforge", "hash": 228585797551237866754873149971745711702, "size": 30, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417814 }, { "func": " static Status BuildSparseFeatureReader(const Tensor& indices,\n const Tensor& values, int64 batch_size,\n FeatureReaders* features) {\n if (values.dtype() == DT_INT64) {\n features->emplace_back(\n new SparseFeatureReader(indices, values, batch_size));\n } else if (values.dtype() == DT_STRING) {\n features->emplace_back(\n new SparseFeatureReader(indices, values, batch_size));\n } else {\n return errors::InvalidArgument(\"Unexpected dtype for input \",\n (features->size() + 1), \": \",\n values.dtype());\n }\n return Status::OK();\n }", "project": "tensorflow", "hash": 173619292175495214326174187347202631469, "size": 16, "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a", "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9", "target": 0, "dataset": "other", "idx": 230064 }, { "func": "static 
int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,\n\t\tstruct iattr *sattr)\n{\n\tstruct nfs_server *server = NFS_SERVER(dir);\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tstruct nfs4_label l, *label = NULL;\n\tint err;\n\n\tlabel = nfs4_label_init_security(dir, dentry, sattr, &l);\n\n\tif (!(server->attr_bitmask[2] & FATTR4_WORD2_MODE_UMASK))\n\t\tsattr->ia_mode &= ~current_umask();\n\tdo {\n\t\terr = _nfs4_proc_mkdir(dir, dentry, sattr, label);\n\t\ttrace_nfs4_mkdir(dir, &dentry->d_name, err);\n\t\terr = nfs4_handle_exception(NFS_SERVER(dir), err,\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\tnfs4_label_release_security(label);\n\n\treturn err;\n}", "project": "linux", "hash": 90152803993360882973193066456369232014, "size": 24, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431013 }, { "func": "static inline int bcf1_sync_alleles(bcf1_t *line, kstring_t *str)\n{\n // list of typed strings\n int i;\n for (i=0; in_allele; i++) {\n if (bcf_enc_vchar(str, strlen(line->d.allele[i]), line->d.allele[i]) < 0)\n return -1;\n }\n if ( !line->rlen && line->n_allele ) line->rlen = strlen(line->d.allele[0]);\n return 0;\n}", "project": "htslib", "hash": 61888340793784064875485378426145892567, "size": 11, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402228 }, { "func": "static bool kvm_vcpu_eligible_for_directed_yield(struct kvm_vcpu *vcpu)\n{\n#ifdef CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT\n\tbool eligible;\n\n\teligible = !vcpu->spin_loop.in_spin_loop ||\n\t\t vcpu->spin_loop.dy_eligible;\n\n\tif (vcpu->spin_loop.in_spin_loop)\n\t\tkvm_vcpu_set_dy_eligible(vcpu, !vcpu->spin_loop.dy_eligible);\n\n\treturn eligible;\n#else\n\treturn true;\n#endif\n}", "project": "linux", "hash": 252657305145266393772217552151318185807, "size": 16, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354834 }, { "func": "static int cmd_handle_untagged (IMAP_DATA* idata)\n{\n char* s;\n char* pn;\n unsigned int count;\n\n s = imap_next_word (idata->buf);\n pn = imap_next_word (s);\n\n if ((idata->state >= IMAP_SELECTED) && isdigit ((unsigned char) *s))\n {\n pn = s;\n s = imap_next_word (s);\n\n /* EXISTS and EXPUNGE are always related to the SELECTED mailbox for the\n * connection, so update that one.\n */\n if (ascii_strncasecmp (\"EXISTS\", s, 6) == 0)\n {\n dprint (2, 
(debugfile, \"Handling EXISTS\\n\"));\n\n /* new mail arrived */\n mutt_atoui (pn, &count);\n\n if ( !(idata->reopen & IMAP_EXPUNGE_PENDING) &&\n\t count < idata->max_msn)\n {\n /* Notes 6.0.3 has a tendency to report fewer messages exist than\n * it should. */\n\tdprint (1, (debugfile, \"Message count is out of sync\"));\n\treturn 0;\n }\n /* at least the InterChange server sends EXISTS messages freely,\n * even when there is no new mail */\n else if (count == idata->max_msn)\n\tdprint (3, (debugfile,\n \"cmd_handle_untagged: superfluous EXISTS message.\\n\"));\n else\n {\n\tif (!(idata->reopen & IMAP_EXPUNGE_PENDING))\n {\n dprint (2, (debugfile,\n \"cmd_handle_untagged: New mail in %s - %d messages total.\\n\",\n idata->mailbox, count));\n\t idata->reopen |= IMAP_NEWMAIL_PENDING;\n }\n\tidata->newMailCount = count;\n }\n }\n /* pn vs. s: need initial seqno */\n else if (ascii_strncasecmp (\"EXPUNGE\", s, 7) == 0)\n cmd_parse_expunge (idata, pn);\n else if (ascii_strncasecmp (\"FETCH\", s, 5) == 0)\n cmd_parse_fetch (idata, pn);\n }\n else if (ascii_strncasecmp (\"CAPABILITY\", s, 10) == 0)\n cmd_parse_capability (idata, s);\n else if (!ascii_strncasecmp (\"OK [CAPABILITY\", s, 14))\n cmd_parse_capability (idata, pn);\n else if (!ascii_strncasecmp (\"OK [CAPABILITY\", pn, 14))\n cmd_parse_capability (idata, imap_next_word (pn));\n else if (ascii_strncasecmp (\"LIST\", s, 4) == 0)\n cmd_parse_list (idata, s);\n else if (ascii_strncasecmp (\"LSUB\", s, 4) == 0)\n cmd_parse_lsub (idata, s);\n else if (ascii_strncasecmp (\"MYRIGHTS\", s, 8) == 0)\n cmd_parse_myrights (idata, s);\n else if (ascii_strncasecmp (\"SEARCH\", s, 6) == 0)\n cmd_parse_search (idata, s);\n else if (ascii_strncasecmp (\"STATUS\", s, 6) == 0)\n cmd_parse_status (idata, s);\n else if (ascii_strncasecmp (\"ENABLED\", s, 7) == 0)\n cmd_parse_enabled (idata, s);\n else if (ascii_strncasecmp (\"BYE\", s, 3) == 0)\n {\n dprint (2, (debugfile, \"Handling BYE\\n\"));\n\n /* check if we're logging out 
*/\n if (idata->status == IMAP_BYE)\n return 0;\n\n /* server shut down our connection */\n s += 3;\n SKIPWS (s);\n mutt_error (\"%s\", s);\n mutt_sleep (2);\n cmd_handle_fatal (idata);\n\n return -1;\n }\n else if (option (OPTIMAPSERVERNOISE) && (ascii_strncasecmp (\"NO\", s, 2) == 0))\n {\n dprint (2, (debugfile, \"Handling untagged NO\\n\"));\n\n /* Display the warning message from the server */\n mutt_error (\"%s\", s+3);\n mutt_sleep (2);\n }\n\n return 0;\n}", "project": "mutt", "hash": 50423773011428319367692617777736025326, "size": 101, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 1, "dataset": "other", "idx": 202733 }, { "func": "static int cmd_handle_untagged (IMAP_DATA* idata)\n{\n char* s;\n char* pn;\n unsigned int count;\n\n s = imap_next_word (idata->buf);\n pn = imap_next_word (s);\n\n if ((idata->state >= IMAP_SELECTED) && isdigit ((unsigned char) *s))\n {\n pn = s;\n s = imap_next_word (s);\n\n /* EXISTS and EXPUNGE are always related to the SELECTED mailbox for the\n * connection, so update that one.\n */\n if (ascii_strncasecmp (\"EXISTS\", s, 6) == 0)\n {\n dprint (2, (debugfile, \"Handling EXISTS\\n\"));\n\n /* new mail arrived */\n mutt_atoui (pn, &count);\n\n if ( !(idata->reopen & IMAP_EXPUNGE_PENDING) &&\n\t count < idata->max_msn)\n {\n /* Notes 6.0.3 has a tendency to report fewer messages exist than\n * it should. 
*/\n\tdprint (1, (debugfile, \"Message count is out of sync\"));\n\treturn 0;\n }\n /* at least the InterChange server sends EXISTS messages freely,\n * even when there is no new mail */\n else if (count == idata->max_msn)\n\tdprint (3, (debugfile,\n \"cmd_handle_untagged: superfluous EXISTS message.\\n\"));\n else\n {\n\tif (!(idata->reopen & IMAP_EXPUNGE_PENDING))\n {\n dprint (2, (debugfile,\n \"cmd_handle_untagged: New mail in %s - %d messages total.\\n\",\n idata->mailbox, count));\n\t idata->reopen |= IMAP_NEWMAIL_PENDING;\n }\n\tidata->newMailCount = count;\n }\n }\n /* pn vs. s: need initial seqno */\n else if (ascii_strncasecmp (\"EXPUNGE\", s, 7) == 0)\n cmd_parse_expunge (idata, pn);\n else if (ascii_strncasecmp (\"FETCH\", s, 5) == 0)\n cmd_parse_fetch (idata, pn);\n }\n else if (ascii_strncasecmp (\"CAPABILITY\", s, 10) == 0)\n cmd_parse_capability (idata, s);\n else if (!ascii_strncasecmp (\"OK [CAPABILITY\", s, 14))\n cmd_parse_capability (idata, pn);\n else if (!ascii_strncasecmp (\"OK [CAPABILITY\", pn, 14))\n cmd_parse_capability (idata, imap_next_word (pn));\n else if (ascii_strncasecmp (\"LIST\", s, 4) == 0)\n cmd_parse_list (idata, s);\n else if (ascii_strncasecmp (\"LSUB\", s, 4) == 0)\n cmd_parse_lsub (idata, s);\n else if (ascii_strncasecmp (\"MYRIGHTS\", s, 8) == 0)\n cmd_parse_myrights (idata, s);\n else if (ascii_strncasecmp (\"SEARCH\", s, 6) == 0)\n cmd_parse_search (idata, s);\n else if (ascii_strncasecmp (\"STATUS\", s, 6) == 0)\n cmd_parse_status (idata, s);\n else if (ascii_strncasecmp (\"ENABLED\", s, 7) == 0)\n cmd_parse_enabled (idata, s);\n else if (ascii_strncasecmp (\"BYE\", s, 3) == 0)\n {\n dprint (2, (debugfile, \"Handling BYE\\n\"));\n\n /* check if we're logging out */\n if (idata->status == IMAP_BYE)\n return 0;\n\n /* server shut down our connection */\n s += 3;\n SKIPWS (s);\n mutt_error (\"%s\", s);\n mutt_sleep (2);\n cmd_handle_fatal (idata);\n\n return -1;\n }\n else if (option (OPTIMAPSERVERNOISE) && 
(ascii_strncasecmp (\"NO\", s, 2) == 0))\n {\n dprint (2, (debugfile, \"Handling untagged NO\\n\"));\n\n /* Display the warning message from the server */\n mutt_error (\"%s\", s+2);\n mutt_sleep (2);\n }\n\n return 0;\n}", "project": "mutt", "hash": 87163458428751244929158289758255212737, "size": 101, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338014 }, { "func": "void svm_leave_nested(struct vcpu_svm *svm)\n{\n\tif (is_guest_mode(&svm->vcpu)) {\n\t\tstruct vmcb *hsave = svm->nested.hsave;\n\t\tstruct vmcb *vmcb = svm->vmcb;\n\n\t\tsvm->nested.nested_run_pending = 0;\n\t\tleave_guest_mode(&svm->vcpu);\n\t\tcopy_vmcb_control_area(&vmcb->control, &hsave->control);\n\t\tnested_svm_uninit_mmu_context(&svm->vcpu);\n\t}\n\n\tkvm_clear_request(KVM_REQ_GET_NESTED_STATE_PAGES, &svm->vcpu);\n}", "project": "linux", "hash": 7004670762419567871602074252328456254, "size": 14, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376661 }, { "func": "static int get_swift_versioning_settings(\n req_state * const s,\n boost::optional& swift_ver_location)\n{\n /* Removing the Swift's versions location has lower priority than setting\n * a new one. That's the reason why we're handling it first. 
*/\n const std::string vlocdel =\n s->info.env->get(\"HTTP_X_REMOVE_VERSIONS_LOCATION\", \"\");\n if (vlocdel.size()) {\n swift_ver_location = boost::in_place(std::string());\n }\n\n if (s->info.env->exists(\"HTTP_X_VERSIONS_LOCATION\")) {\n /* If the Swift's versioning is globally disabled but someone wants to\n * enable it for a given container, new version of Swift will generate\n * the precondition failed error. */\n if (! s->cct->_conf->rgw_swift_versioning_enabled) {\n return -ERR_PRECONDITION_FAILED;\n }\n\n swift_ver_location = s->info.env->get(\"HTTP_X_VERSIONS_LOCATION\", \"\");\n }\n\n return 0;\n}", "project": "ceph", "hash": 217279022993013680984741718333647324403, "size": 25, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448818 }, { "func": "static void nfs4_layoutreturn_done(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs4_layoutreturn *lrp = calldata;\n\tstruct nfs_server *server;\n\n\tdprintk(\"--> %s\\n\", __func__);\n\n\tif (!nfs41_sequence_process(task, &lrp->res.seq_res))\n\t\treturn;\n\n\t/*\n\t * Was there an RPC level error? 
Assume the call succeeded,\n\t * and that we need to release the layout\n\t */\n\tif (task->tk_rpc_status != 0 && RPC_WAS_SENT(task)) {\n\t\tlrp->res.lrs_present = 0;\n\t\treturn;\n\t}\n\n\tserver = NFS_SERVER(lrp->args.inode);\n\tswitch (task->tk_status) {\n\tcase -NFS4ERR_OLD_STATEID:\n\t\tif (nfs4_layout_refresh_old_stateid(&lrp->args.stateid,\n\t\t\t\t\t&lrp->args.range,\n\t\t\t\t\tlrp->args.inode))\n\t\t\tgoto out_restart;\n\t\t/* Fallthrough */\n\tdefault:\n\t\ttask->tk_status = 0;\n\t\t/* Fallthrough */\n\tcase 0:\n\t\tbreak;\n\tcase -NFS4ERR_DELAY:\n\t\tif (nfs4_async_handle_error(task, server, NULL, NULL) != -EAGAIN)\n\t\t\tbreak;\n\t\tgoto out_restart;\n\t}\n\tdprintk(\"<-- %s\\n\", __func__);\n\treturn;\nout_restart:\n\ttask->tk_status = 0;\n\tnfs4_sequence_free_slot(&lrp->res.seq_res);\n\trpc_restart_call_prepare(task);\n}", "project": "linux", "hash": 90547212060932929491760328807404456879, "size": 44, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431506 }, { "func": "void tcp_update_metrics(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct dst_entry *dst = __sk_dst_get(sk);\n\n\tif (sysctl_tcp_nometrics_save)\n\t\treturn;\n\n\tdst_confirm(dst);\n\n\tif (dst && (dst->flags & DST_HOST)) {\n\t\tconst struct inet_connection_sock *icsk = inet_csk(sk);\n\t\tint m;\n\t\tunsigned long rtt;\n\n\t\tif (icsk->icsk_backoff || !tp->srtt) {\n\t\t\t/* This session failed to estimate rtt. 
Why?\n\t\t\t * Probably, no packets returned in time.\n\t\t\t * Reset our results.\n\t\t\t */\n\t\t\tif (!(dst_metric_locked(dst, RTAX_RTT)))\n\t\t\t\tdst_metric_set(dst, RTAX_RTT, 0);\n\t\t\treturn;\n\t\t}\n\n\t\trtt = dst_metric_rtt(dst, RTAX_RTT);\n\t\tm = rtt - tp->srtt;\n\n\t\t/* If newly calculated rtt larger than stored one,\n\t\t * store new one. Otherwise, use EWMA. Remember,\n\t\t * rtt overestimation is always better than underestimation.\n\t\t */\n\t\tif (!(dst_metric_locked(dst, RTAX_RTT))) {\n\t\t\tif (m <= 0)\n\t\t\t\tset_dst_metric_rtt(dst, RTAX_RTT, tp->srtt);\n\t\t\telse\n\t\t\t\tset_dst_metric_rtt(dst, RTAX_RTT, rtt - (m >> 3));\n\t\t}\n\n\t\tif (!(dst_metric_locked(dst, RTAX_RTTVAR))) {\n\t\t\tunsigned long var;\n\t\t\tif (m < 0)\n\t\t\t\tm = -m;\n\n\t\t\t/* Scale deviation to rttvar fixed point */\n\t\t\tm >>= 1;\n\t\t\tif (m < tp->mdev)\n\t\t\t\tm = tp->mdev;\n\n\t\t\tvar = dst_metric_rtt(dst, RTAX_RTTVAR);\n\t\t\tif (m >= var)\n\t\t\t\tvar = m;\n\t\t\telse\n\t\t\t\tvar -= (var - m) >> 2;\n\n\t\t\tset_dst_metric_rtt(dst, RTAX_RTTVAR, var);\n\t\t}\n\n\t\tif (tcp_in_initial_slowstart(tp)) {\n\t\t\t/* Slow start still did not finish. */\n\t\t\tif (dst_metric(dst, RTAX_SSTHRESH) &&\n\t\t\t !dst_metric_locked(dst, RTAX_SSTHRESH) &&\n\t\t\t (tp->snd_cwnd >> 1) > dst_metric(dst, RTAX_SSTHRESH))\n\t\t\t\tdst_metric_set(dst, RTAX_SSTHRESH, tp->snd_cwnd >> 1);\n\t\t\tif (!dst_metric_locked(dst, RTAX_CWND) &&\n\t\t\t tp->snd_cwnd > dst_metric(dst, RTAX_CWND))\n\t\t\t\tdst_metric_set(dst, RTAX_CWND, tp->snd_cwnd);\n\t\t} else if (tp->snd_cwnd > tp->snd_ssthresh &&\n\t\t\t icsk->icsk_ca_state == TCP_CA_Open) {\n\t\t\t/* Cong. avoidance phase, cwnd is reliable. 
*/\n\t\t\tif (!dst_metric_locked(dst, RTAX_SSTHRESH))\n\t\t\t\tdst_metric_set(dst, RTAX_SSTHRESH,\n\t\t\t\t\t max(tp->snd_cwnd >> 1, tp->snd_ssthresh));\n\t\t\tif (!dst_metric_locked(dst, RTAX_CWND))\n\t\t\t\tdst_metric_set(dst, RTAX_CWND,\n\t\t\t\t\t (dst_metric(dst, RTAX_CWND) +\n\t\t\t\t\t\ttp->snd_cwnd) >> 1);\n\t\t} else {\n\t\t\t/* Else slow start did not finish, cwnd is non-sense,\n\t\t\t ssthresh may be also invalid.\n\t\t\t */\n\t\t\tif (!dst_metric_locked(dst, RTAX_CWND))\n\t\t\t\tdst_metric_set(dst, RTAX_CWND,\n\t\t\t\t\t (dst_metric(dst, RTAX_CWND) +\n\t\t\t\t\t\ttp->snd_ssthresh) >> 1);\n\t\t\tif (dst_metric(dst, RTAX_SSTHRESH) &&\n\t\t\t !dst_metric_locked(dst, RTAX_SSTHRESH) &&\n\t\t\t tp->snd_ssthresh > dst_metric(dst, RTAX_SSTHRESH))\n\t\t\t\tdst_metric_set(dst, RTAX_SSTHRESH, tp->snd_ssthresh);\n\t\t}\n\n\t\tif (!dst_metric_locked(dst, RTAX_REORDERING)) {\n\t\t\tif (dst_metric(dst, RTAX_REORDERING) < tp->reordering &&\n\t\t\t tp->reordering != sysctl_tcp_reordering)\n\t\t\t\tdst_metric_set(dst, RTAX_REORDERING, tp->reordering);\n\t\t}\n\t}\n}", "project": "net-next", "hash": 115409031882439790398857776641234611363, "size": 98, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409863 }, { "func": "ushort *LibRaw::make_decoder(const uchar *source)\n{\n return make_decoder_ref(&source);\n}", "project": "LibRaw", "hash": 132506516165626098041525681523289433232, "size": 4, "commit_id": "a6937d4046a7c4742b683a04c8564605fd9be4fb", "message": "more room for ljpeg row", "target": 0, "dataset": "other", "idx": 319445 }, { "func": "void * headerExport(Header h, unsigned int *bsize)\n{\n void *blob = NULL;\n\n if (h) {\n\tblob = doExport(h->index, h->indexUsed, h->flags, bsize);\n }\n\n return blob;\n}", "project": "rpm", "hash": 39746379978805902154093930675820422052, "size": 10, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318190 }, { "func": "static int phar_copy_file_contents(phar_entry_info *entry, php_stream *fp TSRMLS_DC) /* {{{ */\n{\n\tchar *error;\n\toff_t offset;\n\tphar_entry_info *link;\n\n\tif (FAILURE == phar_open_entry_fp(entry, &error, 1 TSRMLS_CC)) {\n\t\tif (error) {\n\t\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC,\n\t\t\t\t\"Cannot convert phar archive \\\"%s\\\", unable to open entry \\\"%s\\\" contents: %s\", entry->phar->fname, entry->filename, error);\n\t\t\tefree(error);\n\t\t} else {\n\t\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC,\n\t\t\t\t\"Cannot convert phar archive \\\"%s\\\", unable to open entry \\\"%s\\\" contents\", entry->phar->fname, entry->filename);\n\t\t}\n\t\treturn FAILURE;\n\t}\n\n\t/* copy old contents in entirety */\n\tphar_seek_efp(entry, 0, SEEK_SET, 0, 1 TSRMLS_CC);\n\toffset = php_stream_tell(fp);\n\tlink = phar_get_link_source(entry TSRMLS_CC);\n\n\tif (!link) {\n\t\tlink = entry;\n\t}\n\n\tif (SUCCESS != phar_stream_copy_to_stream(phar_get_efp(link, 0 TSRMLS_CC), fp, link->uncompressed_filesize, NULL)) 
{\n\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC,\n\t\t\t\"Cannot convert phar archive \\\"%s\\\", unable to copy entry \\\"%s\\\" contents\", entry->phar->fname, entry->filename);\n\t\treturn FAILURE;\n\t}\n\n\tif (entry->fp_type == PHAR_MOD) {\n\t\t/* save for potential restore on error */\n\t\tentry->cfp = entry->fp;\n\t\tentry->fp = NULL;\n\t}\n\n\t/* set new location of file contents */\n\tentry->fp_type = PHAR_FP;\n\tentry->offset = offset;\n\treturn SUCCESS;\n}", "project": "php-src", "hash": 149199722173207775519360602559082544966, "size": 44, "commit_id": "b2cf3f064b8f5efef89bb084521b61318c71781b", "message": "Fixed bug #68901 (use after free)", "target": 0, "dataset": "other", "idx": 413481 }, { "func": "CallResult JSObject::defineOwnProperty(\n Handle selfHandle,\n Runtime *runtime,\n SymbolID name,\n DefinePropertyFlags dpFlags,\n Handle<> valueOrAccessor,\n PropOpFlags opFlags) {\n assert(\n !opFlags.getMustExist() && \"cannot use mustExist with defineOwnProperty\");\n assert(\n !(dpFlags.setValue && dpFlags.isAccessor()) &&\n \"Cannot set both value and accessor\");\n assert(\n (dpFlags.setValue || dpFlags.isAccessor() ||\n valueOrAccessor.get().isUndefined()) &&\n \"value must be undefined when all of setValue/setSetter/setGetter are \"\n \"false\");\n#ifndef NDEBUG\n if (dpFlags.isAccessor()) {\n assert(valueOrAccessor.get().isPointer() && \"accessor must be non-empty\");\n assert(\n !dpFlags.setWritable && !dpFlags.writable &&\n \"writable must not be set with accessors\");\n }\n#endif\n\n // Is it an existing property.\n NamedPropertyDescriptor desc;\n auto pos = findProperty(selfHandle, runtime, name, desc);\n if (pos) {\n return updateOwnProperty(\n selfHandle,\n runtime,\n name,\n *pos,\n desc,\n dpFlags,\n valueOrAccessor,\n opFlags);\n }\n\n if (LLVM_UNLIKELY(\n selfHandle->flags_.lazyObject || selfHandle->flags_.proxyObject)) {\n if (selfHandle->flags_.proxyObject) {\n return JSProxy::defineOwnProperty(\n 
selfHandle, runtime, name, dpFlags, valueOrAccessor, opFlags);\n }\n assert(selfHandle->flags_.lazyObject && \"descriptor flags are impossible\");\n // if the property was not found and the object is lazy we need to\n // initialize it and try again.\n JSObject::initializeLazyObject(runtime, selfHandle);\n return defineOwnProperty(\n selfHandle, runtime, name, dpFlags, valueOrAccessor, opFlags);\n }\n\n return addOwnProperty(\n selfHandle, runtime, name, dpFlags, valueOrAccessor, opFlags);\n}", "project": "hermes", "hash": 127545893424623488547559872447865392790, "size": 58, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230177 }, { "func": "static inline int free_consistency_checks(struct kmem_cache *s,\n\t\tstruct page *page, void *object, unsigned long addr)\n{\n\tif (!check_valid_pointer(s, page, object)) {\n\t\tslab_err(s, page, \"Invalid object pointer 0x%p\", object);\n\t\treturn 0;\n\t}\n\n\tif (on_freelist(s, page, object)) {\n\t\tobject_err(s, page, object, \"Object already free\");\n\t\treturn 0;\n\t}\n\n\tif (!check_object(s, page, object, SLUB_RED_ACTIVE))\n\t\treturn 0;\n\n\tif (unlikely(s != page->slab_cache)) {\n\t\tif (!PageSlab(page)) {\n\t\t\tslab_err(s, page, \"Attempt to free object(0x%p) outside of slab\",\n\t\t\t\t object);\n\t\t} else if (!page->slab_cache) {\n\t\t\tpr_err(\"SLUB : no slab for object 0x%p.\\n\",\n\t\t\t object);\n\t\t\tdump_stack();\n\t\t} else\n\t\t\tobject_err(s, page, object,\n\t\t\t\t\t\"page slab pointer corrupt.\");\n\t\treturn 0;\n\t}\n\treturn 1;\n}", "project": "linux", "hash": 286224660500613804860560345186346672384, "size": 31, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280245 }, { "func": "static bool legitimize_links(struct nameidata *nd)\n{\n\tint i;\n\tfor (i = 0; i < nd->depth; i++) {\n\t\tstruct saved *last = nd->stack + i;\n\t\tif (unlikely(!legitimize_path(nd, &last->link, last->seq))) {\n\t\t\tdrop_links(nd);\n\t\t\tnd->depth = i + 1;\n\t\t\treturn false;\n\t\t}\n\t}\n\treturn true;\n}", "project": "linux", "hash": 178169260802658932175864660607733292770, "size": 13, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295411 }, { "func": "\nstatic bool bfq_bfqq_idle_for_long_time(struct bfq_data *bfqd,\n\t\t\t\t\tstruct bfq_queue *bfqq)\n{\n\treturn bfqq->dispatched == 0 &&\n\t\ttime_is_before_jiffies(\n\t\t\tbfqq->budget_timeout +\n\t\t\tbfqd->bfq_wr_min_idle_time);", "project": "linux", "hash": 235968991479602178749455468249343844420, "size": 8, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. 
So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] 
bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 
mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453384 }, { "func": "static void autocomplete_minus(RCore *core, RLineCompletion *completion, const char *str) {\n\tr_return_if_fail (str);\n\tint count;\n\tint length = strlen (str);\n\tchar **keys = r_cmd_alias_keys(core->rcmd, &count);\n\tif (!keys) {\n\t\treturn;\n\t}\n\tint i;\n\tfor (i = 0; i < count; i++) {\n\t\tif (!strncmp (keys[i], str, length)) {\n\t\t\tr_line_completion_push (completion, keys[i]);\n\t\t}\n\t}\n}", "project": "radare2", "hash": 41992136917202227657432457487767198748, "size": 
15, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232125 }, { "func": "static int check_acl(struct inode *inode, int mask)\n{\n#ifdef CONFIG_FS_POSIX_ACL\n\tstruct posix_acl *acl;\n\n\tif (mask & MAY_NOT_BLOCK) {\n\t\tacl = get_cached_acl_rcu(inode, ACL_TYPE_ACCESS);\n\t if (!acl)\n\t return -EAGAIN;\n\t\t/* no ->get_acl() calls in RCU mode... */\n\t\tif (is_uncached_acl(acl))\n\t\t\treturn -ECHILD;\n\t return posix_acl_permission(inode, acl, mask & ~MAY_NOT_BLOCK);\n\t}\n\n\tacl = get_acl(inode, ACL_TYPE_ACCESS);\n\tif (IS_ERR(acl))\n\t\treturn PTR_ERR(acl);\n\tif (acl) {\n\t int error = posix_acl_permission(inode, acl, mask);\n\t posix_acl_release(acl);\n\t return error;\n\t}\n#endif\n\n\treturn -EAGAIN;\n}", "project": "linux", "hash": 311192312908286173133498254845427803483, "size": 27, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295348 }, { "func": "static int stimer_send_msg(struct kvm_vcpu_hv_stimer *stimer)\n{\n\tstruct kvm_vcpu *vcpu = hv_stimer_to_vcpu(stimer);\n\tstruct hv_message *msg = &stimer->msg;\n\tstruct hv_timer_message_payload *payload =\n\t\t\t(struct hv_timer_message_payload *)&msg->u.payload;\n\n\t/*\n\t * To avoid piling up periodic ticks, don't retry message\n\t * delivery for them (within \"lazy\" lost ticks policy).\n\t */\n\tbool no_retry = stimer->config.periodic;\n\n\tpayload->expiration_time = stimer->exp_time;\n\tpayload->delivery_time = get_time_ref_counter(vcpu->kvm);\n\treturn synic_deliver_msg(to_hv_synic(vcpu),\n\t\t\t\t stimer->config.sintx, msg,\n\t\t\t\t no_retry);\n}", "project": 
"linux", "hash": 4618277971322665406541113532093507000, "size": 19, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343507 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "void SpeechSynthesis::pause()\n{\n if (!m_isPaused)\n m_platformSpeechSynthesizer->pause();\n}\n", "cwe": "", "big_vul_idx": 129897, "idx": 116222, "hash": 330991056409091413673957212201878110518 }, { "func": "static void svm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n#ifdef CONFIG_X86_64\n\tif (vcpu->arch.efer & EFER_LME) {\n\t\tif (!is_paging(vcpu) && (cr0 & X86_CR0_PG)) {\n\t\t\tvcpu->arch.efer |= EFER_LMA;\n\t\t\tsvm->vmcb->save.efer |= EFER_LMA | EFER_LME;\n\t\t}\n\n\t\tif (is_paging(vcpu) && !(cr0 & X86_CR0_PG)) {\n\t\t\tvcpu->arch.efer &= ~EFER_LMA;\n\t\t\tsvm->vmcb->save.efer &= ~(EFER_LMA | EFER_LME);\n\t\t}\n\t}\n#endif\n\tvcpu->arch.cr0 = cr0;\n\n\tif (!npt_enabled)\n\t\tcr0 |= X86_CR0_PG | X86_CR0_WP;\n\n\t/*\n\t * re-enable caching here because the QEMU bios\n\t * does not do it - this results in some delay at\n\t * reboot\n\t */\n\tif (kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_CD_NW_CLEARED))\n\t\tcr0 &= ~(X86_CR0_CD | X86_CR0_NW);\n\tsvm->vmcb->save.cr0 = cr0;\n\tmark_dirty(svm->vmcb, VMCB_CR);\n\tupdate_cr0_intercept(svm);\n}", "project": "linux", "hash": 152841346834112601605938620527324718653, "size": 33, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432389 }, { "func": "static void svm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n#ifdef CONFIG_X86_64\n\tif (vcpu->arch.efer & EFER_LME) {\n\t\tif (!is_paging(vcpu) && (cr0 & X86_CR0_PG)) {\n\t\t\tvcpu->arch.efer |= EFER_LMA;\n\t\t\tsvm->vmcb->save.efer |= EFER_LMA | EFER_LME;\n\t\t}\n\n\t\tif (is_paging(vcpu) && !(cr0 & X86_CR0_PG)) {\n\t\t\tvcpu->arch.efer &= ~EFER_LMA;\n\t\t\tsvm->vmcb->save.efer &= ~(EFER_LMA | EFER_LME);\n\t\t}\n\t}\n#endif\n\tvcpu->arch.cr0 = cr0;\n\n\tif (!npt_enabled)\n\t\tcr0 |= X86_CR0_PG | X86_CR0_WP;\n\n\tif (!vcpu->fpu_active)\n\t\tcr0 |= X86_CR0_TS;\n\t/*\n\t * re-enable caching here because the QEMU bios\n\t * does not do it - this results in some delay at\n\t * reboot\n\t */\n\tcr0 &= ~(X86_CR0_CD | X86_CR0_NW);\n\tsvm->vmcb->save.cr0 = cr0;\n\tmark_dirty(svm->vmcb, VMCB_CR);\n\tupdate_cr0_intercept(svm);\n}", "project": "kvm", "hash": 86077971601511379198275607354843492641, "size": 34, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437550 }, { "func": "int fuse_setxattr(struct inode *inode, const char *name, const void *value,\n\t\t size_t size, int flags)\n{\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tFUSE_ARGS(args);\n\tstruct fuse_setxattr_in inarg;\n\tint err;\n\n\tif (fm->fc->no_setxattr)\n\t\treturn -EOPNOTSUPP;\n\n\tmemset(&inarg, 0, sizeof(inarg));\n\tinarg.size = size;\n\tinarg.flags = flags;\n\targs.opcode = FUSE_SETXATTR;\n\targs.nodeid = get_node_id(inode);\n\targs.in_numargs = 3;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\targs.in_args[1].size = strlen(name) + 1;\n\targs.in_args[1].value = name;\n\targs.in_args[2].size = size;\n\targs.in_args[2].value = value;\n\terr = fuse_simple_request(fm, &args);\n\tif (err == -ENOSYS) 
{\n\t\tfm->fc->no_setxattr = 1;\n\t\terr = -EOPNOTSUPP;\n\t}\n\tif (!err) {\n\t\tfuse_invalidate_attr(inode);\n\t\tfuse_update_ctime(inode);\n\t}\n\treturn err;\n}", "project": "linux", "hash": 273968553939909589250131294082600290976, "size": 34, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341971 }, { "func": "void RGWGetACLs_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n dump_start(s);\n rgw_flush_formatter(s, s->formatter);\n dump_body(s, acls);\n}", "project": "ceph", "hash": 102035919250205462405518694444600536079, "size": 10, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281250 }, { "func": "void RGWGetBucketLogging_ObjStore_S3::send_response()\n{\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n dump_start(s);\n\n 
s->formatter->open_object_section_in_ns(\"BucketLoggingStatus\", XMLNS_AWS_S3);\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 320820111602409791486740936440976430058, "size": 10, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281252 }, { "func": "void RGWGetBucketLocation_ObjStore_S3::send_response()\n{\n dump_errno(s);\n end_header(s, this);\n dump_start(s);\n\n RGWZoneGroup zonegroup;\n string api_name;\n\n int ret = store->get_zonegroup(s->bucket_info.zonegroup, zonegroup);\n if (ret >= 0) {\n api_name = zonegroup.api_name;\n } else {\n if (s->bucket_info.zonegroup != \"default\") {\n api_name = s->bucket_info.zonegroup;\n }\n }\n\n s->formatter->dump_format_ns(\"LocationConstraint\", XMLNS_AWS_S3,\n\t\t\t \"%s\", api_name.c_str());\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 42236091833799678441870978321011031327, "size": 22, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281254 }, { "func": "void RGWGetBucketVersioning_ObjStore_S3::send_response()\n{\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n dump_start(s);\n\n s->formatter->open_object_section_in_ns(\"VersioningConfiguration\", XMLNS_AWS_S3);\n if (versioned) {\n const char *status = (versioning_enabled ? \"Enabled\" : \"Suspended\");\n s->formatter->dump_string(\"Status\", status);\n const char *mfa_status = (mfa_enabled ? 
\"Enabled\" : \"Disabled\");\n s->formatter->dump_string(\"MfaDelete\", mfa_status);\n }\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 327776382920886535208806090783670617519, "size": 16, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281260 }, { "func": "void RGWPutLC_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n dump_start(s);\n}", "project": "ceph", "hash": 171244224191785020878179291190401701284, "size": 8, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281261 }, { "func": "void RGWInitMultipart_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n for (auto &it : crypt_http_responses)\n dump_header(s, it.first, it.second);\n end_header(s, this, \"application/xml\");\n if (op_ret == 0) {\n dump_start(s);\n s->formatter->open_object_section_in_ns(\"InitiateMultipartUploadResult\", XMLNS_AWS_S3);\n if (!s->bucket_tenant.empty())\n s->formatter->dump_string(\"Tenant\", s->bucket_tenant);\n s->formatter->dump_string(\"Bucket\", s->bucket_name);\n s->formatter->dump_string(\"Key\", s->object.name);\n s->formatter->dump_string(\"UploadId\", upload_id);\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n }\n}", "project": "ceph", "hash": 257152075877020261820616130701178851686, "size": 20, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", 
"message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281262 }, { "func": "void RGWDeleteLC_ObjStore_S3::send_response()\n{\n if (op_ret == 0)\n op_ret = STATUS_NO_CONTENT;\n if (op_ret) { \n set_req_state_err(s, op_ret);\n }\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n dump_start(s);\n}", "project": "ceph", "hash": 198272913473838834441696237492037242022, "size": 11, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281283 }, { "func": "void RGWPutCORS_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, NULL, \"application/xml\");\n dump_start(s);\n}", "project": "ceph", "hash": 34055620966368198647596253143461423019, "size": 8, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281285 }, { "func": "void RGWDeleteObj_ObjStore_S3::send_response()\n{\n int r = op_ret;\n if (r == -ENOENT)\n r = 0;\n if (!r)\n r = STATUS_NO_CONTENT;\n\n set_req_state_err(s, r);\n dump_errno(s);\n dump_header_if_nonempty(s, \"x-amz-version-id\", version_id);\n if (delete_marker) {\n dump_header(s, \"x-amz-delete-marker\", \"true\");\n }\n end_header(s, this);\n}", "project": "ceph", "hash": 141071879367334136086824374354385072372, "size": 16, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header 
actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281286 }, { "func": "void RGWDeleteBucketWebsite_ObjStore_S3::send_response()\n{\n if (op_ret == 0) {\n op_ret = STATUS_NO_CONTENT;\n }\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n}", "project": "ceph", "hash": 296638325441225060792845063557811225819, "size": 9, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281287 }, { "func": "void RGWPutObjTags_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n dump_start(s);\n\n}", "project": "ceph", "hash": 297180463688978472247180464255239794571, "size": 9, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281295 }, { "func": "void RGWOptionsCORS_ObjStore_S3::send_response()\n{\n string hdrs, exp_hdrs;\n uint32_t max_age = CORS_MAX_AGE_INVALID;\n /*EACCES means, there is no CORS registered yet for the bucket\n *ENOENT means, there is no match of the Origin in the list of CORSRule\n */\n if (op_ret == -ENOENT)\n op_ret = -EACCES;\n if (op_ret < 0) {\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, NULL);\n return;\n }\n get_response_params(hdrs, exp_hdrs, &max_age);\n\n dump_errno(s);\n dump_access_control(s, origin, req_meth, hdrs.c_str(), exp_hdrs.c_str(),\n\t\t max_age);\n end_header(s, NULL);\n}", "project": 
"ceph", "hash": 314062703903787388012520595582591183142, "size": 22, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281300 }, { "func": "void RGWCopyObj_ObjStore_S3::send_response()\n{\n if (!sent_header)\n send_partial_response(0);\n\n if (op_ret == 0) {\n dump_time(s, \"LastModified\", &mtime);\n if (! etag.empty()) {\n s->formatter->dump_string(\"ETag\", std::move(etag));\n }\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n }\n}", "project": "ceph", "hash": 164021238569425474331186321010141696726, "size": 14, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281305 }, { "func": "void RGWGetBucketWebsite_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n dump_start(s);\n\n if (op_ret < 0) {\n return;\n }\n\n RGWBucketWebsiteConf& conf = s->bucket_info.website_conf;\n\n s->formatter->open_object_section_in_ns(\"WebsiteConfiguration\", XMLNS_AWS_S3);\n conf.dump_xml(s->formatter);\n s->formatter->close_section(); // WebsiteConfiguration\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 111836340221196501787044481890943640882, "size": 19, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 
281308 }, { "func": "void RGWGetCORS_ObjStore_S3::send_response()\n{\n if (op_ret) {\n if (op_ret == -ENOENT)\n set_req_state_err(s, ERR_NO_SUCH_CORS_CONFIGURATION);\n else\n set_req_state_err(s, op_ret);\n }\n dump_errno(s);\n end_header(s, NULL, \"application/xml\");\n dump_start(s);\n if (! op_ret) {\n string cors;\n RGWCORSConfiguration_S3 *s3cors =\n static_cast(&bucket_cors);\n stringstream ss;\n\n s3cors->to_xml(ss);\n cors = ss.str();\n dump_body(s, cors);\n }\n}", "project": "ceph", "hash": 305114414352932644300053877765677770694, "size": 22, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281310 }, { "func": "void RGWListBucketMultiparts_ObjStore_S3::send_response()\n{\n if (op_ret < 0)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n\n // Explicitly use chunked transfer encoding so that we can stream the result\n // to the user without having to wait for the full length of it.\n end_header(s, this, \"application/xml\", CHUNKED_TRANSFER_ENCODING);\n dump_start(s);\n if (op_ret < 0)\n return;\n\n s->formatter->open_object_section_in_ns(\"ListMultipartUploadsResult\", XMLNS_AWS_S3);\n if (!s->bucket_tenant.empty())\n s->formatter->dump_string(\"Tenant\", s->bucket_tenant);\n s->formatter->dump_string(\"Bucket\", s->bucket_name);\n if (!prefix.empty())\n s->formatter->dump_string(\"ListMultipartUploadsResult.Prefix\", prefix);\n string& key_marker = marker.get_key();\n if (!key_marker.empty())\n s->formatter->dump_string(\"KeyMarker\", key_marker);\n string& upload_id_marker = marker.get_upload_id();\n if (!upload_id_marker.empty())\n s->formatter->dump_string(\"UploadIdMarker\", upload_id_marker);\n string next_key = next_marker.mp.get_key();\n if (!next_key.empty())\n s->formatter->dump_string(\"NextKeyMarker\", 
next_key);\n string next_upload_id = next_marker.mp.get_upload_id();\n if (!next_upload_id.empty())\n s->formatter->dump_string(\"NextUploadIdMarker\", next_upload_id);\n s->formatter->dump_int(\"MaxUploads\", max_uploads);\n if (!delimiter.empty())\n s->formatter->dump_string(\"Delimiter\", delimiter);\n s->formatter->dump_string(\"IsTruncated\", (is_truncated ? \"true\" : \"false\"));\n\n if (op_ret >= 0) {\n vector::iterator iter;\n for (iter = uploads.begin(); iter != uploads.end(); ++iter) {\n RGWMPObj& mp = iter->mp;\n s->formatter->open_array_section(\"Upload\");\n s->formatter->dump_string(\"Key\", mp.get_key());\n s->formatter->dump_string(\"UploadId\", mp.get_upload_id());\n dump_owner(s, s->user->user_id, s->user->display_name, \"Initiator\");\n dump_owner(s, s->user->user_id, s->user->display_name);\n s->formatter->dump_string(\"StorageClass\", \"STANDARD\");\n dump_time(s, \"Initiated\", &iter->obj.meta.mtime);\n s->formatter->close_section();\n }\n if (!common_prefixes.empty()) {\n s->formatter->open_array_section(\"CommonPrefixes\");\n map::iterator pref_iter;\n for (pref_iter = common_prefixes.begin();\n\t pref_iter != common_prefixes.end(); ++pref_iter) {\n\ts->formatter->dump_string(\"CommonPrefixes.Prefix\", pref_iter->first);\n }\n s->formatter->close_section();\n }\n }\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 315642993525675284087938116131612589878, "size": 62, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281313 }, { "func": "void RGWGetObjLayout_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this, \"application/json\");\n\n JSONFormatter f;\n\n if (op_ret < 0) {\n 
return;\n }\n\n f.open_object_section(\"result\");\n ::encode_json(\"head\", head_obj, &f);\n ::encode_json(\"manifest\", *manifest, &f);\n f.open_array_section(\"data_location\");\n for (auto miter = manifest->obj_begin(); miter != manifest->obj_end(); ++miter) {\n f.open_object_section(\"obj\");\n rgw_raw_obj raw_loc = miter.get_location().get_raw_obj(store);\n ::encode_json(\"ofs\", miter.get_ofs(), &f);\n ::encode_json(\"loc\", raw_loc, &f);\n ::encode_json(\"loc_ofs\", miter.location_ofs(), &f);\n ::encode_json(\"loc_size\", miter.get_stripe_size(), &f);\n f.close_section();\n rgw_flush_formatter(s, &f);\n }\n f.close_section();\n f.close_section();\n rgw_flush_formatter(s, &f);\n}", "project": "ceph", "hash": 166744299188515170915519080779177911092, "size": 31, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281314 }, { "func": "void RGWGetUsage_ObjStore_S3::send_response()\n{\n if (op_ret < 0)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n\n // Explicitly use chunked transfer encoding so that we can stream the result\n // to the user without having to wait for the full length of it.\n end_header(s, this, \"application/xml\", CHUNKED_TRANSFER_ENCODING);\n dump_start(s);\n if (op_ret < 0)\n return;\n\n Formatter *formatter = s->formatter;\n string last_owner;\n bool user_section_open = false;\n \n formatter->open_object_section(\"Usage\");\n if (show_log_entries) {\n formatter->open_array_section(\"Entries\");\n }\n map::iterator iter;\n for (iter = usage.begin(); iter != usage.end(); ++iter) {\n const rgw_user_bucket& ub = iter->first;\n const rgw_usage_log_entry& entry = iter->second;\n\n if (show_log_entries) {\n if (ub.user.compare(last_owner) != 0) {\n if (user_section_open) {\n formatter->close_section();\n 
formatter->close_section();\n }\n formatter->open_object_section(\"User\");\n formatter->dump_string(\"Owner\", ub.user);\n formatter->open_array_section(\"Buckets\");\n user_section_open = true;\n last_owner = ub.user;\n }\n formatter->open_object_section(\"Bucket\");\n formatter->dump_string(\"Bucket\", ub.bucket);\n utime_t ut(entry.epoch, 0);\n ut.gmtime(formatter->dump_stream(\"Time\"));\n formatter->dump_int(\"Epoch\", entry.epoch);\n dump_usage_categories_info(formatter, entry, &categories);\n formatter->close_section(); // bucket\n }\n\n summary_map[ub.user].aggregate(entry, &categories);\n }\n\n if (show_log_entries) {\n if (user_section_open) {\n formatter->close_section(); // buckets\n formatter->close_section(); //user\n }\n formatter->close_section(); // entries\n }\n\n if (show_log_sum) {\n formatter->open_array_section(\"Summary\");\n map::iterator siter;\n for (siter = summary_map.begin(); siter != summary_map.end(); ++siter) {\n const rgw_usage_log_entry& entry = siter->second;\n formatter->open_object_section(\"User\");\n formatter->dump_string(\"User\", siter->first);\n dump_usage_categories_info(formatter, entry, &categories);\n rgw_usage_data total_usage;\n entry.sum(total_usage, categories);\n formatter->open_object_section(\"Total\");\n formatter->dump_int(\"BytesSent\", total_usage.bytes_sent);\n formatter->dump_int(\"BytesReceived\", total_usage.bytes_received);\n formatter->dump_int(\"Ops\", total_usage.ops);\n formatter->dump_int(\"SuccessfulOps\", total_usage.successful_ops);\n formatter->close_section(); // total\n formatter->close_section(); // user\n }\n\n if (s->cct->_conf->rgw_rest_getusage_op_compat) {\n formatter->open_object_section(\"Stats\");\n }\n\n formatter->dump_int(\"TotalBytes\", header.stats.total_bytes);\n formatter->dump_int(\"TotalBytesRounded\", header.stats.total_bytes_rounded);\n formatter->dump_int(\"TotalEntries\", header.stats.total_entries);\n\n if (s->cct->_conf->rgw_rest_getusage_op_compat) {\n 
formatter->close_section(); //Stats\n }\n\n formatter->close_section(); // summary\n }\n\n formatter->open_array_section(\"CapacityUsed\");\n formatter->open_object_section(\"User\");\n formatter->open_array_section(\"Buckets\");\n for (const auto& biter : buckets_usage) {\n const cls_user_bucket_entry& entry = biter.second;\n dump_usage_bucket_info(formatter, biter.first, entry);\n }\n formatter->close_section(); // Buckets\n formatter->close_section(); // User\n formatter->close_section(); // CapacityUsed\n\n formatter->close_section(); // usage\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 2461082376618945041579909722657330595, "size": 106, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281317 }, { "func": "void RGWPutObj_ObjStore_S3::send_response()\n{\n if (op_ret) {\n set_req_state_err(s, op_ret);\n dump_errno(s);\n } else {\n if (s->cct->_conf->rgw_s3_success_create_obj_status) {\n op_ret = get_success_retcode(\n\ts->cct->_conf->rgw_s3_success_create_obj_status);\n set_req_state_err(s, op_ret);\n }\n if (copy_source.empty()) {\n dump_errno(s);\n dump_etag(s, etag);\n dump_content_length(s, 0);\n dump_header_if_nonempty(s, \"x-amz-version-id\", version_id);\n for (auto &it : crypt_http_responses)\n dump_header(s, it.first, it.second);\n } else {\n dump_errno(s);\n dump_header_if_nonempty(s, \"x-amz-version-id\", version_id);\n end_header(s, this, \"application/xml\");\n dump_start(s);\n struct tm tmp;\n utime_t ut(mtime);\n time_t secs = (time_t)ut.sec();\n gmtime_r(&secs, &tmp);\n char buf[TIME_BUF_SIZE];\n s->formatter->open_object_section_in_ns(\"CopyPartResult\",\n \"http://s3.amazonaws.com/doc/2006-03-01/\");\n if (strftime(buf, sizeof(buf), \"%Y-%m-%dT%T.000Z\", &tmp) > 0) 
{\n s->formatter->dump_string(\"LastModified\", buf);\n }\n s->formatter->dump_string(\"ETag\", etag);\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n return;\n }\n }\n if (s->system_request && !real_clock::is_zero(mtime)) {\n dump_epoch_header(s, \"Rgwx-Mtime\", mtime);\n }\n end_header(s, this);\n}", "project": "ceph", "hash": 74225156592836889735187864803282537981, "size": 44, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281325 }, { "func": "void RGWDeleteBucket_ObjStore_S3::send_response()\n{\n int r = op_ret;\n if (!r)\n r = STATUS_NO_CONTENT;\n\n set_req_state_err(s, r);\n dump_errno(s);\n end_header(s, this);\n\n if (s->system_request) {\n JSONFormatter f; /* use json formatter for system requests output */\n\n f.open_object_section(\"info\");\n encode_json(\"object_ver\", objv_tracker.read_version, &f);\n f.close_section();\n rgw_flush_formatter_and_reset(s, &f);\n }\n}", "project": "ceph", "hash": 259922003667013742571517430188959786748, "size": 19, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281328 }, { "func": "void RGWSetBucketWebsite_ObjStore_S3::send_response()\n{\n if (op_ret < 0)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n}", "project": "ceph", "hash": 37429935496127806997958826390831771359, "size": 7, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey 
Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281329 }, { "func": "void RGWCompleteMultipart_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n dump_header_if_nonempty(s, \"x-amz-version-id\", version_id);\n end_header(s, this, \"application/xml\");\n if (op_ret == 0) {\n dump_start(s);\n s->formatter->open_object_section_in_ns(\"CompleteMultipartUploadResult\", XMLNS_AWS_S3);\n std::string base_uri = compute_domain_uri(s);\n if (!s->bucket_tenant.empty()) {\n s->formatter->dump_format(\"Location\", \"%s/%s:%s/%s\",\n\t base_uri.c_str(),\n\t s->bucket_tenant.c_str(),\n\t s->bucket_name.c_str(),\n\t s->object.name.c_str()\n );\n s->formatter->dump_string(\"Tenant\", s->bucket_tenant);\n } else {\n s->formatter->dump_format(\"Location\", \"%s/%s/%s\",\n\t base_uri.c_str(),\n\t s->bucket_name.c_str(),\n\t s->object.name.c_str()\n );\n }\n s->formatter->dump_string(\"Bucket\", s->bucket_name);\n s->formatter->dump_string(\"Key\", s->object.name);\n s->formatter->dump_string(\"ETag\", etag);\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n }\n}", "project": "ceph", "hash": 332582380544111851638800393760146399395, "size": 33, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281334 }, { "func": "void RGWListMultipart_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n // Explicitly use chunked transfer encoding so that we can stream the result\n // to the user without having to wait for the full length of it.\n end_header(s, this, \"application/xml\", CHUNKED_TRANSFER_ENCODING);\n\n if (op_ret == 0) {\n dump_start(s);\n 
s->formatter->open_object_section_in_ns(\"ListPartsResult\", XMLNS_AWS_S3);\n map::iterator iter;\n map::reverse_iterator test_iter;\n int cur_max = 0;\n\n iter = parts.begin();\n test_iter = parts.rbegin();\n if (test_iter != parts.rend()) {\n cur_max = test_iter->first;\n }\n if (!s->bucket_tenant.empty())\n s->formatter->dump_string(\"Tenant\", s->bucket_tenant);\n s->formatter->dump_string(\"Bucket\", s->bucket_name);\n s->formatter->dump_string(\"Key\", s->object.name);\n s->formatter->dump_string(\"UploadId\", upload_id);\n s->formatter->dump_string(\"StorageClass\", \"STANDARD\");\n s->formatter->dump_int(\"PartNumberMarker\", marker);\n s->formatter->dump_int(\"NextPartNumberMarker\", cur_max);\n s->formatter->dump_int(\"MaxParts\", max_parts);\n s->formatter->dump_string(\"IsTruncated\", (truncated ? \"true\" : \"false\"));\n\n ACLOwner& owner = policy.get_owner();\n dump_owner(s, owner.get_id(), owner.get_display_name());\n\n for (; iter != parts.end(); ++iter) {\n RGWUploadPartInfo& info = iter->second;\n\n s->formatter->open_object_section(\"Part\");\n\n dump_time(s, \"LastModified\", &info.modified);\n\n s->formatter->dump_unsigned(\"PartNumber\", info.num);\n s->formatter->dump_format(\"ETag\", \"\\\"%s\\\"\", info.etag.c_str());\n s->formatter->dump_unsigned(\"Size\", info.accounted_size);\n s->formatter->close_section();\n }\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n }\n}", "project": "ceph", "hash": 194932142477180972428775831363637593969, "size": 51, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281346 }, { "func": "void RGWSetBucketVersioning_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this, 
\"application/xml\");\n}", "project": "ceph", "hash": 105960450162664187474760250311683925372, "size": 7, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281350 }, { "func": "void RGWCreateBucket_ObjStore_S3::send_response()\n{\n if (op_ret == -ERR_BUCKET_EXISTS)\n op_ret = 0;\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s);\n\n if (op_ret < 0)\n return;\n\n if (s->system_request) {\n JSONFormatter f; /* use json formatter for system requests output */\n\n f.open_object_section(\"info\");\n encode_json(\"entry_point_object_ver\", ep_objv, &f);\n encode_json(\"object_ver\", info.objv_tracker.read_version, &f);\n encode_json(\"bucket_info\", info, &f);\n f.close_section();\n rgw_flush_formatter_and_reset(s, &f);\n }\n}", "project": "ceph", "hash": 7986738116598596188154139392902779019, "size": 23, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281356 }, { "func": "void RGWDelBucketMetaSearch_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this);\n}", "project": "ceph", "hash": 96132855220406726730606812516976163729, "size": 7, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281363 }, { "func": "void RGWDeleteObjTags_ObjStore_S3::send_response()\n{\n 
int r = op_ret;\n if (r == -ENOENT)\n r = 0;\n if (!r)\n r = STATUS_NO_CONTENT;\n\n set_req_state_err(s, r);\n dump_errno(s);\n end_header(s, this);\n}", "project": "ceph", "hash": 162343440323791063833284569469604566310, "size": 12, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281368 }, { "func": "void RGWListBucket_ObjStore_S3::send_response()\n{\n if (op_ret < 0)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n\n // Explicitly use chunked transfer encoding so that we can stream the result\n // to the user without having to wait for the full length of it.\n end_header(s, this, \"application/xml\", CHUNKED_TRANSFER_ENCODING);\n dump_start(s);\n if (op_ret < 0)\n return;\n\n if (list_versions) {\n send_versioned_response();\n return;\n }\n\n s->formatter->open_object_section_in_ns(\"ListBucketResult\", XMLNS_AWS_S3);\n if (!s->bucket_tenant.empty())\n s->formatter->dump_string(\"Tenant\", s->bucket_tenant);\n s->formatter->dump_string(\"Name\", s->bucket_name);\n s->formatter->dump_string(\"Prefix\", prefix);\n s->formatter->dump_string(\"Marker\", marker.name);\n if (is_truncated && !next_marker.empty())\n s->formatter->dump_string(\"NextMarker\", next_marker.name);\n s->formatter->dump_int(\"MaxKeys\", max);\n if (!delimiter.empty())\n s->formatter->dump_string(\"Delimiter\", delimiter);\n\n s->formatter->dump_string(\"IsTruncated\", (max && is_truncated ? 
\"true\"\n\t\t\t\t\t : \"false\"));\n\n bool encode_key = false;\n if (strcasecmp(encoding_type.c_str(), \"url\") == 0) {\n s->formatter->dump_string(\"EncodingType\", \"url\");\n encode_key = true;\n }\n\n if (op_ret >= 0) {\n vector::iterator iter;\n for (iter = objs.begin(); iter != objs.end(); ++iter) {\n rgw_obj_key key(iter->key);\n s->formatter->open_array_section(\"Contents\");\n if (encode_key) {\n\tstring key_name;\n\turl_encode(key.name, key_name);\n\ts->formatter->dump_string(\"Key\", key_name);\n } else {\n\ts->formatter->dump_string(\"Key\", key.name);\n }\n dump_time(s, \"LastModified\", &iter->meta.mtime);\n s->formatter->dump_format(\"ETag\", \"\\\"%s\\\"\", iter->meta.etag.c_str());\n s->formatter->dump_int(\"Size\", iter->meta.accounted_size);\n s->formatter->dump_string(\"StorageClass\", \"STANDARD\");\n dump_owner(s, iter->meta.owner, iter->meta.owner_display_name);\n if (s->system_request) {\n s->formatter->dump_string(\"RgwxTag\", iter->tag);\n }\n s->formatter->close_section();\n }\n if (!common_prefixes.empty()) {\n map::iterator pref_iter;\n for (pref_iter = common_prefixes.begin();\n\t pref_iter != common_prefixes.end(); ++pref_iter) {\n\ts->formatter->open_array_section(\"CommonPrefixes\");\n\ts->formatter->dump_string(\"Prefix\", pref_iter->first);\n\ts->formatter->close_section();\n }\n }\n }\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 116918762859435697200778472680716146536, "size": 74, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281372 }, { "func": "void RGWPostObj_ObjStore_S3::send_response()\n{\n if (op_ret == 0 && parts.count(\"success_action_redirect\")) {\n string redirect;\n\n part_str(parts, 
\"success_action_redirect\", &redirect);\n\n string tenant;\n string bucket;\n string key;\n string etag_str = \"\\\"\";\n\n etag_str.append(etag);\n etag_str.append(\"\\\"\");\n\n string etag_url;\n\n url_encode(s->bucket_tenant, tenant); /* surely overkill, but cheap */\n url_encode(s->bucket_name, bucket);\n url_encode(s->object.name, key);\n url_encode(etag_str, etag_url);\n\n if (!s->bucket_tenant.empty()) {\n /*\n * What we really would like is to quaily the bucket name, so\n * that the client could simply copy it and paste into next request.\n * Unfortunately, in S3 we cannot know if the client will decide\n * to come through DNS, with \"bucket.tenant\" sytanx, or through\n * URL with \"tenant\\bucket\" syntax. Therefore, we provide the\n * tenant separately.\n */\n redirect.append(\"?tenant=\");\n redirect.append(tenant);\n redirect.append(\"&bucket=\");\n redirect.append(bucket);\n } else {\n redirect.append(\"?bucket=\");\n redirect.append(bucket);\n }\n redirect.append(\"&key=\");\n redirect.append(key);\n redirect.append(\"&etag=\");\n redirect.append(etag_url);\n\n int r = check_utf8(redirect.c_str(), redirect.size());\n if (r < 0) {\n op_ret = r;\n goto done;\n }\n dump_redirect(s, redirect);\n op_ret = STATUS_REDIRECT;\n } else if (op_ret == 0 && parts.count(\"success_action_status\")) {\n string status_string;\n uint32_t status_int;\n\n part_str(parts, \"success_action_status\", &status_string);\n\n int r = stringtoul(status_string, &status_int);\n if (r < 0) {\n op_ret = r;\n goto done;\n }\n\n switch (status_int) {\n case 200:\n\tbreak;\n case 201:\n\top_ret = STATUS_CREATED;\n\tbreak;\n default:\n\top_ret = STATUS_NO_CONTENT;\n\tbreak;\n }\n } else if (! 
op_ret) {\n op_ret = STATUS_NO_CONTENT;\n }\n\ndone:\n if (op_ret == STATUS_CREATED) {\n for (auto &it : crypt_http_responses)\n dump_header(s, it.first, it.second);\n s->formatter->open_object_section(\"PostResponse\");\n if (g_conf->rgw_dns_name.length())\n s->formatter->dump_format(\"Location\", \"%s/%s\",\n\t\t\t\ts->info.script_uri.c_str(),\n\t\t\t\ts->object.name.c_str());\n if (!s->bucket_tenant.empty())\n s->formatter->dump_string(\"Tenant\", s->bucket_tenant);\n s->formatter->dump_string(\"Bucket\", s->bucket_name);\n s->formatter->dump_string(\"Key\", s->object.name);\n s->formatter->close_section();\n }\n s->err.message = err_msg;\n set_req_state_err(s, op_ret);\n dump_errno(s);\n if (op_ret >= 0) {\n dump_content_length(s, s->formatter->get_len());\n }\n end_header(s, this);\n if (op_ret != STATUS_CREATED)\n return;\n\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 204205268593137239494939591084912572894, "size": 104, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281374 }, { "func": "void RGWConfigBucketMetaSearch_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this);\n}", "project": "ceph", "hash": 273011272871039144688727561315270284226, "size": 7, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281385 }, { "func": "void RGWDeleteCORS_ObjStore_S3::send_response()\n{\n int r = op_ret;\n if (!r || r == -ENOENT)\n r = STATUS_NO_CONTENT;\n\n set_req_state_err(s, r);\n 
dump_errno(s);\n end_header(s, NULL);\n}", "project": "ceph", "hash": 263353242162410651867276568187228008315, "size": 10, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281388 }, { "func": "void RGWGetRequestPayment_ObjStore_S3::send_response()\n{\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n dump_start(s);\n\n s->formatter->open_object_section_in_ns(\"RequestPaymentConfiguration\", XMLNS_AWS_S3);\n const char *payer = requester_pays ? \"Requester\" : \"BucketOwner\";\n s->formatter->dump_string(\"Payer\", payer);\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 116465617990974953506258980908430703821, "size": 12, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281389 }, { "func": "void RGWSetRequestPayment_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s);\n}", "project": "ceph", "hash": 317769928548221568283717612871084624497, "size": 7, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281393 }, { "func": "void RGWPutACLs_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n dump_start(s);\n}", "project": 
"ceph", "hash": 295744757263623392605021431989066458258, "size": 8, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281395 }, { "func": "void RGWGetLC_ObjStore_S3::send_response()\n{\n if (op_ret) {\n if (op_ret == -ENOENT) {\t\n set_req_state_err(s, ERR_NO_SUCH_LC);\n } else {\n set_req_state_err(s, op_ret);\n }\n }\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n dump_start(s);\n\n if (op_ret < 0)\n return;\n\n config.dump_xml(s->formatter);\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 277645063966442398441816188671148077741, "size": 19, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281396 }, { "func": "void RGWGetBucketMetaSearch_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, NULL, \"application/xml\");\n\n Formatter *f = s->formatter;\n f->open_array_section(\"GetBucketMetaSearchResult\");\n for (auto& e : s->bucket_info.mdsearch_config) {\n f->open_object_section(\"Entry\");\n string k = string(\"x-amz-meta-\") + e.first;\n f->dump_string(\"Key\", k.c_str());\n const char *type;\n switch (e.second) {\n case ESEntityTypeMap::ES_ENTITY_INT:\n type = \"int\";\n break;\n case ESEntityTypeMap::ES_ENTITY_DATE:\n type = \"date\";\n break;\n default:\n type = \"str\";\n }\n f->dump_string(\"Type\", type);\n f->close_section();\n }\n f->close_section();\n rgw_flush_formatter(s, f);\n}", "project": "ceph", "hash": 289925251402115737619560314874088018620, "size": 30, 
"commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281398 }, { "func": "void RGWAbortMultipart_ObjStore_S3::send_response()\n{\n int r = op_ret;\n if (!r)\n r = STATUS_NO_CONTENT;\n\n set_req_state_err(s, r);\n dump_errno(s);\n end_header(s, this);\n}", "project": "ceph", "hash": 16037690870007205350511798007823368242, "size": 10, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281403 }, { "func": "void RGWStatBucket_ObjStore_S3::send_response()\n{\n if (op_ret >= 0) {\n dump_bucket_metadata(s, bucket);\n }\n\n set_req_state_err(s, op_ret);\n dump_errno(s);\n\n end_header(s, this);\n dump_start(s);\n}", "project": "ceph", "hash": 178380765933164291374361195299133740645, "size": 12, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281405 }, { "func": "void RGWListBucket_ObjStore_S3v2::send_response()\n{\n if (op_ret < 0) {\n set_req_state_err(s, op_ret);\n }\n dump_errno(s);\n\n // Explicitly use chunked transfer encoding so that we can stream the result\n // to the user without having to wait for the full length of it.\n end_header(s, this, \"application/xml\", CHUNKED_TRANSFER_ENCODING);\n dump_start(s);\n if (op_ret < 0) {\n return;\n }\n if (list_versions) {\n send_versioned_response();\n return;\n }\n\n 
s->formatter->open_object_section_in_ns(\"ListBucketResult\", XMLNS_AWS_S3);\n if (strcasecmp(encoding_type.c_str(), \"url\") == 0) {\n s->formatter->dump_string(\"EncodingType\", \"url\");\n encode_key = true;\n }\n\n RGWListBucket_ObjStore_S3::send_common_response();\n if (op_ret >= 0) {\n vector::iterator iter;\n for (iter = objs.begin(); iter != objs.end(); ++iter) {\n rgw_obj_key key(iter->key);\n s->formatter->open_array_section(\"Contents\");\n if (encode_key) {\n string key_name;\n url_encode(key.name, key_name);\n s->formatter->dump_string(\"Key\", key_name);\n }\n else {\n s->formatter->dump_string(\"Key\", key.name);\n }\n dump_time(s, \"LastModified\", &iter->meta.mtime);\n s->formatter->dump_format(\"ETag\", \"\\\"%s\\\"\", iter->meta.etag.c_str());\n s->formatter->dump_int(\"Size\", iter->meta.accounted_size);\n auto& storage_class = rgw_placement_rule::get_canonical_storage_class(iter->meta.storage_class);\n s->formatter->dump_string(\"StorageClass\", storage_class.c_str());\n if (fetchOwner == true) {\n dump_owner(s, s->user->user_id, s->user->display_name);\n }\n if (s->system_request) {\n s->formatter->dump_string(\"RgwxTag\", iter->tag);\n }\n if (iter->meta.appendable) {\n s->formatter->dump_string(\"Type\", \"Appendable\");\n } else {\n s->formatter->dump_string(\"Type\", \"Normal\");\n }\n s->formatter->close_section();\n }\n }\n if (continuation_token_exist) {\n s->formatter->dump_string(\"ContinuationToken\", continuation_token);\n }\n if (is_truncated && !next_marker.empty()) {\n s->formatter->dump_string(\"NextContinuationToken\", next_marker.name);\n }\n s->formatter->dump_int(\"KeyCount\",objs.size());\n if (start_after_exist) {\n s->formatter->dump_string(\"StartAfter\", startAfter);\n }\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 277956490411925946481546130122054877985, "size": 71, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject 
unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333797 }, { "func": "void RGWListBucketMultiparts_ObjStore_S3::send_response()\n{\n if (op_ret < 0)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n\n // Explicitly use chunked transfer encoding so that we can stream the result\n // to the user without having to wait for the full length of it.\n end_header(s, this, \"application/xml\", CHUNKED_TRANSFER_ENCODING);\n dump_start(s);\n if (op_ret < 0)\n return;\n\n s->formatter->open_object_section_in_ns(\"ListMultipartUploadsResult\", XMLNS_AWS_S3);\n if (!s->bucket_tenant.empty())\n s->formatter->dump_string(\"Tenant\", s->bucket_tenant);\n s->formatter->dump_string(\"Bucket\", s->bucket_name);\n if (!prefix.empty())\n s->formatter->dump_string(\"ListMultipartUploadsResult.Prefix\", prefix);\n const string& key_marker = marker.get_key();\n if (!key_marker.empty())\n s->formatter->dump_string(\"KeyMarker\", key_marker);\n const string& upload_id_marker = marker.get_upload_id();\n if (!upload_id_marker.empty())\n s->formatter->dump_string(\"UploadIdMarker\", upload_id_marker);\n string next_key = next_marker.mp.get_key();\n if (!next_key.empty())\n s->formatter->dump_string(\"NextKeyMarker\", next_key);\n string next_upload_id = next_marker.mp.get_upload_id();\n if (!next_upload_id.empty())\n s->formatter->dump_string(\"NextUploadIdMarker\", next_upload_id);\n s->formatter->dump_int(\"MaxUploads\", max_uploads);\n if (!delimiter.empty())\n s->formatter->dump_string(\"Delimiter\", delimiter);\n s->formatter->dump_string(\"IsTruncated\", (is_truncated ? 
\"true\" : \"false\"));\n\n if (op_ret >= 0) {\n vector::iterator iter;\n for (iter = uploads.begin(); iter != uploads.end(); ++iter) {\n RGWMPObj& mp = iter->mp;\n s->formatter->open_array_section(\"Upload\");\n s->formatter->dump_string(\"Key\", mp.get_key());\n s->formatter->dump_string(\"UploadId\", mp.get_upload_id());\n dump_owner(s, s->user->user_id, s->user->display_name, \"Initiator\");\n dump_owner(s, s->user->user_id, s->user->display_name);\n s->formatter->dump_string(\"StorageClass\", \"STANDARD\");\n dump_time(s, \"Initiated\", &iter->obj.meta.mtime);\n s->formatter->close_section();\n }\n if (!common_prefixes.empty()) {\n s->formatter->open_array_section(\"CommonPrefixes\");\n map::iterator pref_iter;\n for (pref_iter = common_prefixes.begin();\n\t pref_iter != common_prefixes.end(); ++pref_iter) {\n\ts->formatter->dump_string(\"CommonPrefixes.Prefix\", pref_iter->first);\n }\n s->formatter->close_section();\n }\n }\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 322726187947405849093787499380706667000, "size": 62, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333813 }, { "func": "void RGWGetBucketLocation_ObjStore_S3::send_response()\n{\n dump_errno(s);\n end_header(s, this);\n dump_start(s);\n\n RGWZoneGroup zonegroup;\n string api_name;\n\n int ret = store->svc.zone->get_zonegroup(s->bucket_info.zonegroup, zonegroup);\n if (ret >= 0) {\n api_name = zonegroup.api_name;\n } else {\n if (s->bucket_info.zonegroup != \"default\") {\n api_name = s->bucket_info.zonegroup;\n }\n }\n\n s->formatter->dump_format_ns(\"LocationConstraint\", XMLNS_AWS_S3,\n\t\t\t \"%s\", api_name.c_str());\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", 
"project": "ceph", "hash": 145720930817035123221200810088123534090, "size": 22, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333816 }, { "func": "void RGWPutObj_ObjStore_S3::send_response()\n{\n if (op_ret) {\n set_req_state_err(s, op_ret);\n dump_errno(s);\n } else {\n if (s->cct->_conf->rgw_s3_success_create_obj_status) {\n op_ret = get_success_retcode(\n\ts->cct->_conf->rgw_s3_success_create_obj_status);\n set_req_state_err(s, op_ret);\n }\n if (copy_source.empty()) {\n dump_errno(s);\n dump_etag(s, etag);\n dump_content_length(s, 0);\n dump_header_if_nonempty(s, \"x-amz-version-id\", version_id);\n for (auto &it : crypt_http_responses)\n dump_header(s, it.first, it.second);\n } else {\n dump_errno(s);\n dump_header_if_nonempty(s, \"x-amz-version-id\", version_id);\n end_header(s, this, \"application/xml\");\n dump_start(s);\n struct tm tmp;\n utime_t ut(mtime);\n time_t secs = (time_t)ut.sec();\n gmtime_r(&secs, &tmp);\n char buf[TIME_BUF_SIZE];\n s->formatter->open_object_section_in_ns(\"CopyPartResult\",\n \"http://s3.amazonaws.com/doc/2006-03-01/\");\n if (strftime(buf, sizeof(buf), \"%Y-%m-%dT%T.000Z\", &tmp) > 0) {\n s->formatter->dump_string(\"LastModified\", buf);\n }\n s->formatter->dump_string(\"ETag\", etag);\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n return;\n }\n }\n if (append) {\n if (op_ret == 0 || op_ret == -ERR_POSITION_NOT_EQUAL_TO_LENGTH) {\n dump_header(s, \"x-rgw-next-append-position\", cur_accounted_size);\n }\n }\n if (s->system_request && !real_clock::is_zero(mtime)) {\n dump_epoch_header(s, \"Rgwx-Mtime\", mtime);\n }\n end_header(s, this);\n}", "project": "ceph", "hash": 67035135894489205074221317615983504369, "size": 49, "commit_id": 
"fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333818 }, { "func": "void RGWGetObjLayout_ObjStore_S3::send_response()\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this, \"application/json\");\n\n JSONFormatter f;\n\n if (op_ret < 0) {\n return;\n }\n\n f.open_object_section(\"result\");\n ::encode_json(\"head\", head_obj, &f);\n ::encode_json(\"manifest\", *manifest, &f);\n f.open_array_section(\"data_location\");\n for (auto miter = manifest->obj_begin(); miter != manifest->obj_end(); ++miter) {\n f.open_object_section(\"obj\");\n rgw_raw_obj raw_loc = miter.get_location().get_raw_obj(store);\n uint64_t ofs = miter.get_ofs();\n uint64_t left = manifest->get_obj_size() - ofs;\n ::encode_json(\"ofs\", miter.get_ofs(), &f);\n ::encode_json(\"loc\", raw_loc, &f);\n ::encode_json(\"loc_ofs\", miter.location_ofs(), &f);\n uint64_t loc_size = miter.get_stripe_size();\n if (loc_size > left) {\n loc_size = left;\n }\n ::encode_json(\"loc_size\", loc_size, &f);\n f.close_section();\n rgw_flush_formatter(s, &f);\n }\n f.close_section();\n f.close_section();\n rgw_flush_formatter(s, &f);\n}", "project": "ceph", "hash": 303670602768981072227788044924217323174, "size": 37, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333819 }, { "func": "void RGWListBucket_ObjStore_S3::send_response()\n{\n if (op_ret < 0) {\n set_req_state_err(s, op_ret);\n }\n dump_errno(s);\n\n // Explicitly use chunked transfer encoding so that we can stream the result\n // to the user without 
having to wait for the full length of it.\n end_header(s, this, \"application/xml\", CHUNKED_TRANSFER_ENCODING);\n dump_start(s);\n if (op_ret < 0) {\n return;\n }\n if (list_versions) {\n send_versioned_response();\n return;\n }\n\n s->formatter->open_object_section_in_ns(\"ListBucketResult\", XMLNS_AWS_S3);\n if (strcasecmp(encoding_type.c_str(), \"url\") == 0) {\n s->formatter->dump_string(\"EncodingType\", \"url\");\n encode_key = true;\n }\n RGWListBucket_ObjStore_S3::send_common_response();\n if (op_ret >= 0) {\n vector::iterator iter;\n for (iter = objs.begin(); iter != objs.end(); ++iter) {\n rgw_obj_key key(iter->key);\n s->formatter->open_array_section(\"Contents\");\n if (encode_key) {\n string key_name;\n url_encode(key.name, key_name);\n s->formatter->dump_string(\"Key\", key_name);\n } else {\n s->formatter->dump_string(\"Key\", key.name);\n }\n dump_time(s, \"LastModified\", &iter->meta.mtime);\n s->formatter->dump_format(\"ETag\", \"\\\"%s\\\"\", iter->meta.etag.c_str());\n s->formatter->dump_int(\"Size\", iter->meta.accounted_size);\n auto& storage_class = rgw_placement_rule::get_canonical_storage_class(iter->meta.storage_class);\n s->formatter->dump_string(\"StorageClass\", storage_class.c_str());\n dump_owner(s, iter->meta.owner, iter->meta.owner_display_name);\n if (s->system_request) {\n s->formatter->dump_string(\"RgwxTag\", iter->tag);\n }\n if (iter->meta.appendable) {\n s->formatter->dump_string(\"Type\", \"Appendable\");\n } else {\n s->formatter->dump_string(\"Type\", \"Normal\");\n }\n s->formatter->close_section();\n }\n }\n s->formatter->dump_string(\"Marker\", marker.name);\n if (is_truncated && !next_marker.empty()) {\n s->formatter->dump_string(\"NextMarker\", next_marker.name);\n }\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 230727618532425533849310771617701646053, "size": 61, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject 
unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333820 }, { "func": "void RGWCopyObj_ObjStore_SWIFT::send_response()\n{\n if (! sent_header) {\n string content_type;\n if (! op_ret)\n op_ret = STATUS_CREATED;\n set_req_state_err(s, op_ret);\n dump_errno(s);\n dump_etag(s, etag);\n dump_last_modified(s, mtime);\n dump_copy_info();\n get_contype_from_attrs(attrs, content_type);\n dump_object_metadata(s, attrs);\n end_header(s, this, !content_type.empty() ? content_type.c_str()\n\t : \"binary/octet-stream\");\n } else {\n s->formatter->close_section();\n rgw_flush_formatter(s, s->formatter);\n }\n}", "project": "ceph", "hash": 232867162158535287336402917251096627004, "size": 20, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448765 }, { "func": "void RGWBulkDelete_ObjStore_SWIFT::send_response()\n{\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this /* RGWOp */, nullptr /* contype */,\n CHUNKED_TRANSFER_ENCODING);\n\n bulkdelete_respond(deleter->get_num_deleted(),\n deleter->get_num_unfound(),\n deleter->get_failures(),\n s->prot_flags,\n *s->formatter);\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 145929478182054177840297485770341343534, "size": 14, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: 
Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448776 }, { "func": "void RGWGetCrossDomainPolicy_ObjStore_SWIFT::send_response()\n{\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n\n std::stringstream ss;\n\n ss << R\"()\" << \"\\n\"\n << R\"()\" << \"\\n\"\n << R\"()\" << \"\\n\"\n << g_conf()->rgw_cross_domain_policy << \"\\n\"\n << R\"()\";\n\n dump_body(s, ss.str());\n}", "project": "ceph", "hash": 90626823672681891440657730770462208339, "size": 17, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448784 }, { "func": "void RGWPutMetadataBucket_ObjStore_SWIFT::send_response()\n{\n const auto meta_ret = handle_metadata_errors(s, op_ret);\n if (meta_ret != op_ret) {\n op_ret = meta_ret;\n } else {\n if (!op_ret && (op_ret != -EINVAL)) {\n op_ret = STATUS_NO_CONTENT;\n }\n set_req_state_err(s, op_ret);\n }\n\n dump_errno(s);\n end_header(s, this);\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 26090728751516238376763539920459599798, "size": 16, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448785 }, { "func": "void RGWListBucket_ObjStore_SWIFT::send_response()\n{\n 
vector::iterator iter = objs.begin();\n map::iterator pref_iter = common_prefixes.begin();\n\n dump_start(s);\n dump_container_metadata(s, bucket, bucket_quota,\n s->bucket_info.website_conf);\n\n s->formatter->open_array_section_with_attrs(\"container\",\n\t\t\t\t\t FormatterAttrs(\"name\",\n\t\t\t\t\t\t\t s->bucket.name.c_str(),\n\t\t\t\t\t\t\t NULL));\n\n while (iter != objs.end() || pref_iter != common_prefixes.end()) {\n bool do_pref = false;\n bool do_objs = false;\n rgw_obj_key key;\n if (iter != objs.end()) {\n key = iter->key;\n }\n if (pref_iter == common_prefixes.end())\n do_objs = true;\n else if (iter == objs.end())\n do_pref = true;\n else if (!key.empty() && key.name.compare(pref_iter->first) == 0) {\n do_objs = true;\n ++pref_iter;\n } else if (!key.empty() && key.name.compare(pref_iter->first) <= 0)\n do_objs = true;\n else\n do_pref = true;\n\n if (do_objs && (allow_unordered || marker.empty() || marker < key)) {\n if (key.name.compare(path) == 0)\n goto next;\n\n s->formatter->open_object_section(\"object\");\n s->formatter->dump_string(\"name\", key.name);\n s->formatter->dump_string(\"hash\", iter->meta.etag);\n s->formatter->dump_int(\"bytes\", iter->meta.accounted_size);\n if (!iter->meta.user_data.empty())\n s->formatter->dump_string(\"user_custom_data\", iter->meta.user_data);\n string single_content_type = iter->meta.content_type;\n if (iter->meta.content_type.size()) {\n // content type might hold multiple values, just dump the last one\n ssize_t pos = iter->meta.content_type.rfind(',');\n if (pos > 0) {\n ++pos;\n while (single_content_type[pos] == ' ')\n ++pos;\n single_content_type = single_content_type.substr(pos);\n }\n s->formatter->dump_string(\"content_type\", single_content_type);\n }\n dump_time(s, \"last_modified\", &iter->meta.mtime);\n s->formatter->close_section();\n }\n\n if (do_pref && (marker.empty() || pref_iter->first.compare(marker.name) > 0)) {\n const string& name = pref_iter->first;\n if (name.compare(delimiter) == 
0)\n goto next;\n\n s->formatter->open_object_section_with_attrs(\"subdir\", FormatterAttrs(\"name\", name.c_str(), NULL));\n\n /* swift is a bit inconsistent here */\n switch (s->format) {\n case RGW_FORMAT_XML:\n s->formatter->dump_string(\"name\", name);\n break;\n default:\n s->formatter->dump_string(\"subdir\", name);\n }\n s->formatter->close_section();\n }\nnext:\n if (do_objs)\n ++iter;\n else\n ++pref_iter;\n }\n\n s->formatter->close_section();\n\n int64_t content_len = 0;\n if (! op_ret) {\n content_len = s->formatter->get_len();\n if (content_len == 0) {\n op_ret = STATUS_NO_CONTENT;\n }\n } else if (op_ret > 0) {\n op_ret = 0;\n }\n\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this, NULL, content_len);\n if (op_ret < 0) {\n return;\n }\n\n rgw_flush_formatter_and_reset(s, s->formatter);\n} // RGWListBucket_ObjStore_SWIFT::send_response", "project": "ceph", "hash": 238862157336255120641334653247674533529, "size": 104, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448793 }, { "func": "void RGWStatBucket_ObjStore_SWIFT::send_response()\n{\n if (op_ret >= 0) {\n op_ret = STATUS_NO_CONTENT;\n dump_container_metadata(s, bucket, bucket_quota,\n s->bucket_info.website_conf);\n }\n\n set_req_state_err(s, op_ret);\n dump_errno(s);\n\n end_header(s, this, NULL, 0, true);\n dump_start(s);\n}", "project": "ceph", "hash": 292309080201114850434616416152823757411, "size": 14, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: 
CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448795 }, { "func": "void RGWOptionsCORS_ObjStore_SWIFT::send_response()\n{\n string hdrs, exp_hdrs;\n uint32_t max_age = CORS_MAX_AGE_INVALID;\n /*EACCES means, there is no CORS registered yet for the bucket\n *ENOENT means, there is no match of the Origin in the list of CORSRule\n */\n if (op_ret == -ENOENT)\n op_ret = -EACCES;\n if (op_ret < 0) {\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, NULL);\n return;\n }\n get_response_params(hdrs, exp_hdrs, &max_age);\n dump_errno(s);\n dump_access_control(s, origin, req_meth, hdrs.c_str(), exp_hdrs.c_str(),\n\t\t max_age);\n end_header(s, NULL);\n}", "project": "ceph", "hash": 322559057045947270234550505398529758180, "size": 21, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448808 }, { "func": "void RGWStatAccount_ObjStore_SWIFT::send_response()\n{\n if (op_ret >= 0) {\n op_ret = STATUS_NO_CONTENT;\n dump_account_metadata(s,\n global_stats,\n policies_stats,\n attrs,\n user_quota,\n static_cast(*s->user_acl));\n }\n\n set_req_state_err(s, op_ret);\n dump_errno(s);\n\n end_header(s, NULL, NULL, 0, true);\n\n dump_start(s);\n}", "project": "ceph", "hash": 323966525825634402486326760663406444378, "size": 19, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey 
Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448811 }, { "func": "void RGWFormPost::send_response()\n{\n std::string redirect = get_part_str(ctrl_parts, \"redirect\");\n if (! redirect.empty()) {\n op_ret = STATUS_REDIRECT;\n }\n\n set_req_state_err(s, op_ret);\n s->err.err_code = err_msg;\n dump_errno(s);\n if (! redirect.empty()) {\n dump_redirect(s, redirect);\n }\n end_header(s, this);\n}", "project": "ceph", "hash": 181661087857179896280186391467960227103, "size": 15, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448819 }, { "func": "void RGWPutMetadataAccount_ObjStore_SWIFT::send_response()\n{\n const auto meta_ret = handle_metadata_errors(s, op_ret);\n if (meta_ret != op_ret) {\n op_ret = meta_ret;\n } else {\n if (!op_ret) {\n op_ret = STATUS_NO_CONTENT;\n }\n set_req_state_err(s, op_ret);\n }\n\n dump_errno(s);\n end_header(s, this);\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 196257675023195505831128819684541057009, "size": 16, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448833 }, { "func": "void RGWPutMetadataObject_ObjStore_SWIFT::send_response()\n{\n const auto meta_ret = handle_metadata_errors(s, 
op_ret);\n if (meta_ret != op_ret) {\n op_ret = meta_ret;\n } else {\n if (!op_ret) {\n op_ret = STATUS_ACCEPTED;\n }\n set_req_state_err(s, op_ret);\n }\n\n if (!s->is_err()) {\n dump_content_length(s, 0);\n }\n\n dump_errno(s);\n end_header(s, this);\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 32529445957765303789328982466600699928, "size": 20, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448841 }, { "func": "void RGWDeleteObj_ObjStore_SWIFT::send_response()\n{\n int r = op_ret;\n\n if (multipart_delete) {\n r = 0;\n } else if(!r) {\n r = STATUS_NO_CONTENT;\n }\n\n set_req_state_err(s, r);\n dump_errno(s);\n\n if (multipart_delete) {\n end_header(s, this /* RGWOp */, nullptr /* contype */,\n CHUNKED_TRANSFER_ENCODING);\n\n if (deleter) {\n bulkdelete_respond(deleter->get_num_deleted(),\n deleter->get_num_unfound(),\n deleter->get_failures(),\n s->prot_flags,\n *s->formatter);\n } else if (-ENOENT == op_ret) {\n bulkdelete_respond(0, 1, {}, s->prot_flags, *s->formatter);\n } else {\n RGWBulkDelete::acct_path_t path;\n path.bucket_name = s->bucket_name;\n path.obj_key = s->object;\n\n RGWBulkDelete::fail_desc_t fail_desc;\n fail_desc.err = op_ret;\n fail_desc.path = path;\n\n bulkdelete_respond(0, 0, { fail_desc }, s->prot_flags, *s->formatter);\n }\n } else {\n end_header(s, this);\n }\n\n rgw_flush_formatter_and_reset(s, s->formatter);\n\n}", "project": "ceph", "hash": 324398658232156797632558373060313383881, "size": 43, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for 
empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448846 }, { "func": "void RGWInfo_ObjStore_SWIFT::send_response()\n{\n if (op_ret < 0) {\n op_ret = STATUS_NO_CONTENT;\n }\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this);\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 234618015619887736474459839579288368398, "size": 10, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448848 }, { "func": "void RGWBulkUploadOp_ObjStore_SWIFT::send_response()\n{\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this /* RGWOp */, nullptr /* contype */,\n CHUNKED_TRANSFER_ENCODING);\n rgw_flush_formatter_and_reset(s, s->formatter);\n\n s->formatter->open_object_section(\"delete\");\n\n std::string resp_status;\n std::string resp_body;\n\n if (! failures.empty()) {\n rgw_err err;\n\n const auto last_err = { failures.back().err };\n if (boost::algorithm::contains(last_err, terminal_errors)) {\n /* The terminal errors are affecting the status of the whole upload. */\n set_req_state_err(err, failures.back().err, s->prot_flags);\n } else {\n set_req_state_err(err, ERR_INVALID_REQUEST, s->prot_flags);\n }\n\n dump_errno(err, resp_status);\n } else if (0 == num_created && failures.empty()) {\n /* Nothing created, nothing failed. This means the archive contained no\n * entity we could understand (regular file or directory). 
We need to\n * send 400 Bad Request to an HTTP client in the internal status field. */\n dump_errno(400, resp_status);\n resp_body = \"Invalid Tar File: No Valid Files\";\n } else {\n /* 200 OK */\n dump_errno(201, resp_status);\n }\n\n encode_json(\"Number Files Created\", num_created, s->formatter);\n encode_json(\"Response Body\", resp_body, s->formatter);\n encode_json(\"Response Status\", resp_status, s->formatter);\n\n s->formatter->open_array_section(\"Errors\");\n for (const auto& fail_desc : failures) {\n s->formatter->open_array_section(\"object\");\n\n encode_json(\"Name\", fail_desc.path, s->formatter);\n\n rgw_err err;\n set_req_state_err(err, fail_desc.err, s->prot_flags);\n std::string status;\n dump_errno(err, status);\n encode_json(\"Status\", status, s->formatter);\n\n s->formatter->close_section();\n }\n s->formatter->close_section();\n\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 108078574273450945807236140392602467881, "size": 59, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448850 }, { "func": "void RGWGetHealthCheck_ObjStore_SWIFT::send_response()\n{\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n\n if (op_ret) {\n static constexpr char DISABLED[] = \"DISABLED BY FILE\";\n dump_body(s, DISABLED, strlen(DISABLED));\n }\n}", "project": "ceph", "hash": 282145174345648765402946045798454545758, "size": 11, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later 
assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448862 }, { "func": "void RGWCreateBucket_ObjStore_SWIFT::send_response()\n{\n const auto meta_ret = handle_metadata_errors(s, op_ret);\n if (meta_ret != op_ret) {\n op_ret = meta_ret;\n } else {\n if (!op_ret) {\n op_ret = STATUS_CREATED;\n } else if (op_ret == -ERR_BUCKET_EXISTS) {\n op_ret = STATUS_ACCEPTED;\n }\n set_req_state_err(s, op_ret);\n }\n\n dump_errno(s);\n /* Propose ending HTTP header with 0 Content-Length header. */\n end_header(s, NULL, NULL, 0);\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 104893725902532735854656982859739038026, "size": 19, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448864 }, { "func": "void RGWPutObj_ObjStore_SWIFT::send_response()\n{\n const auto meta_ret = handle_metadata_errors(s, op_ret);\n if (meta_ret) {\n op_ret = meta_ret;\n } else {\n if (!op_ret) {\n op_ret = STATUS_CREATED;\n }\n set_req_state_err(s, op_ret);\n }\n\n if (! lo_etag.empty()) {\n /* Static Large Object of Swift API has two etags represented by\n * following members:\n * - etag - for the manifest itself (it will be stored in xattrs),\n * - lo_etag - for the content composited from SLO's segments.\n * The value is calculated basing on segments' etags.\n * In response for PUT request we have to expose the second one.\n * The first one may be obtained by GET with \"multipart-manifest=get\"\n * in query string on a given SLO. 
*/\n dump_etag(s, lo_etag, true /* quoted */);\n } else {\n dump_etag(s, etag);\n }\n\n dump_last_modified(s, mtime);\n set_req_state_err(s, op_ret);\n dump_errno(s);\n end_header(s, this);\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 122915302128667507457831360491393156973, "size": 32, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448865 }, { "func": "void RGWDeleteBucket_ObjStore_SWIFT::send_response()\n{\n int r = op_ret;\n if (!r)\n r = STATUS_NO_CONTENT;\n\n set_req_state_err(s, r);\n dump_errno(s);\n end_header(s, this, NULL, 0);\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 280922390306326779962361842938252542267, "size": 11, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448872 }, { "func": "static int _nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)\n{\n\tstruct nfs_inode *nfsi = NFS_I(state->inode);\n\tstruct nfs4_state_owner *sp = state->owner;\n\tunsigned char fl_flags = request->fl_flags;\n\tint status;\n\n\trequest->fl_flags |= FL_ACCESS;\n\tstatus = locks_lock_inode_wait(state->inode, request);\n\tif (status < 0)\n\t\tgoto out;\n\tmutex_lock(&sp->so_delegreturn_mutex);\n\tdown_read(&nfsi->rwsem);\n\tif (test_bit(NFS_DELEGATED_STATE, 
&state->flags)) {\n\t\t/* Yes: cache locks! */\n\t\t/* ...but avoid races with delegation recall... */\n\t\trequest->fl_flags = fl_flags & ~FL_SLEEP;\n\t\tstatus = locks_lock_inode_wait(state->inode, request);\n\t\tup_read(&nfsi->rwsem);\n\t\tmutex_unlock(&sp->so_delegreturn_mutex);\n\t\tgoto out;\n\t}\n\tup_read(&nfsi->rwsem);\n\tmutex_unlock(&sp->so_delegreturn_mutex);\n\tstatus = _nfs4_do_setlk(state, cmd, request, NFS_LOCK_NEW);\nout:\n\trequest->fl_flags = fl_flags;\n\treturn status;\n}", "project": "linux", "hash": 22311752553604418219731749522284368954, "size": 29, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431496 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "AudioContext::~AudioContext()\n{\n#if DEBUG_AUDIONODE_REFERENCES\n fprintf(stderr, \"%p: AudioContext::~AudioContext()\\n\", this);\n#endif\n ASSERT(!m_isInitialized);\n ASSERT(!m_referencedNodes.size());\n ASSERT(!m_finishedNodes.size());\n ASSERT(!m_automaticPullNodes.size());\n if (m_automaticPullNodesNeedUpdating)\n m_renderingAutomaticPullNodes.resize(m_automaticPullNodes.size());\n ASSERT(!m_renderingAutomaticPullNodes.size());\n ASSERT(!m_suspendResolvers.size());\n ASSERT(!m_resumeResolvers.size());\n}\n", "cwe": "", "big_vul_idx": 139699, "idx": 124847, "hash": 57051692964526852406326044496971966166 }, { "func": "static void write_ecryptfs_marker(char *page_virt, size_t *written)\n{\n\tu32 m_1, m_2;\n\n\tget_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2));\n\tm_2 = (m_1 ^ 
MAGIC_ECRYPTFS_MARKER);\n\tput_unaligned_be32(m_1, page_virt);\n\tpage_virt += (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2);\n\tput_unaligned_be32(m_2, page_virt);\n\t(*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 110246007373023761109754649626545043997, "size": 11, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. 
Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490180 }, { "func": "static void free_trace_buffers(struct trace_array *tr)\n{\n\tif (!tr)\n\t\treturn;\n\n\tfree_trace_buffer(&tr->trace_buffer);\n\n#ifdef CONFIG_TRACER_MAX_TRACE\n\tfree_trace_buffer(&tr->max_buffer);\n#endif\n}", "project": "linux", "hash": 271510224927644102898369910478531387332, "size": 11, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445765 }, { "func": "static void nfs4_setup_readdir(u64 cookie, __be32 *verifier, struct dentry *dentry,\n\t\tstruct nfs4_readdir_arg *readdir)\n{\n\tunsigned int attrs = FATTR4_WORD0_FILEID | FATTR4_WORD0_TYPE;\n\t__be32 *start, *p;\n\n\tif (cookie > 2) {\n\t\treaddir->cookie = cookie;\n\t\tmemcpy(&readdir->verifier, verifier, sizeof(readdir->verifier));\n\t\treturn;\n\t}\n\n\treaddir->cookie = 0;\n\tmemset(&readdir->verifier, 0, sizeof(readdir->verifier));\n\tif (cookie == 2)\n\t\treturn;\n\t\n\t/*\n\t * NFSv4 servers do not return entries for '.' and '..'\n\t * Therefore, we fake these entries here. We let '.'\n\t * have cookie 0 and '..' have cookie 1. 
Note that\n\t * when talking to the server, we always send cookie 0\n\t * instead of 1 or 2.\n\t */\n\tstart = p = kmap_atomic(*readdir->pages);\n\t\n\tif (cookie == 0) {\n\t\t*p++ = xdr_one; /* next */\n\t\t*p++ = xdr_zero; /* cookie, first word */\n\t\t*p++ = xdr_one; /* cookie, second word */\n\t\t*p++ = xdr_one; /* entry len */\n\t\tmemcpy(p, \".\\0\\0\\0\", 4); /* entry */\n\t\tp++;\n\t\t*p++ = xdr_one; /* bitmap length */\n\t\t*p++ = htonl(attrs); /* bitmap */\n\t\t*p++ = htonl(12); /* attribute buffer length */\n\t\t*p++ = htonl(NF4DIR);\n\t\tp = xdr_encode_hyper(p, NFS_FILEID(d_inode(dentry)));\n\t}\n\t\n\t*p++ = xdr_one; /* next */\n\t*p++ = xdr_zero; /* cookie, first word */\n\t*p++ = xdr_two; /* cookie, second word */\n\t*p++ = xdr_two; /* entry len */\n\tmemcpy(p, \"..\\0\\0\", 4); /* entry */\n\tp++;\n\t*p++ = xdr_one; /* bitmap length */\n\t*p++ = htonl(attrs); /* bitmap */\n\t*p++ = htonl(12); /* attribute buffer length */\n\t*p++ = htonl(NF4DIR);\n\tp = xdr_encode_hyper(p, NFS_FILEID(d_inode(dentry->d_parent)));\n\n\treaddir->pgbase = (char *)p - (char *)start;\n\treaddir->count -= readdir->pgbase;\n\tkunmap_atomic(start);\n}", "project": "linux", "hash": 339581074364276895671578299752937133255, "size": 56, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431083 }, { "func": "static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)\n{\n\tstruct hci_cp_le_ext_create_conn *cp;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\t/* All connection failure handling is taken care of by the\n\t * 
hci_le_conn_failed function which is triggered by the HCI\n\t * request completion callbacks used for connecting.\n\t */\n\tif (status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tcs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,\n\t\t\t cp->own_addr_type, cp->filter_policy);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 18287875596522012949998715261308000957, "size": 24, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431873 }, { "func": "static void node_lost_contact(struct tipc_node *n,\n\t\t\t struct sk_buff_head *inputq)\n{\n\tstruct tipc_sock_conn *conn, *safe;\n\tstruct tipc_link *l;\n\tstruct list_head *conns = &n->conn_sks;\n\tstruct sk_buff *skb;\n\tuint i;\n\n\tpr_debug(\"Lost contact with %x\\n\", n->addr);\n\tn->delete_at = jiffies + msecs_to_jiffies(NODE_CLEANUP_AFTER);\n\ttrace_tipc_node_lost_contact(n, true, \" \");\n\n\t/* Clean up broadcast state */\n\ttipc_bcast_remove_peer(n->net, n->bc_entry.link);\n\tskb_queue_purge(&n->bc_entry.namedq);\n\n\t/* Abort any ongoing link failover */\n\tfor (i = 0; i < MAX_BEARERS; i++) {\n\t\tl = n->links[i].link;\n\t\tif (l)\n\t\t\ttipc_link_fsm_evt(l, LINK_FAILOVER_END_EVT);\n\t}\n\n\t/* Notify publications from this node */\n\tn->action_flags |= TIPC_NOTIFY_NODE_DOWN;\n\tn->peer_net = 
NULL;\n\tn->peer_hash_mix = 0;\n\t/* Notify sockets connected to node */\n\tlist_for_each_entry_safe(conn, safe, conns, list) {\n\t\tskb = tipc_msg_create(TIPC_CRITICAL_IMPORTANCE, TIPC_CONN_MSG,\n\t\t\t\t SHORT_H_SIZE, 0, tipc_own_addr(n->net),\n\t\t\t\t conn->peer_node, conn->port,\n\t\t\t\t conn->peer_port, TIPC_ERR_NO_NODE);\n\t\tif (likely(skb))\n\t\t\tskb_queue_tail(inputq, skb);\n\t\tlist_del(&conn->list);\n\t\tkfree(conn);\n\t}\n}", "project": "linux", "hash": 113427308451920451074297645383099571126, "size": 40, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 
net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 
[inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364913 }, { "func": "void RGWAsioFrontend::join()\n{\n impl->join();\n}", "project": "ceph", "hash": 267653083219509037914238887260940801228, "size": 4, "commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves CVE-2020-1700 (moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384538 }, { "func": "\n}\n\nstatic void stop_conn_work_fn(struct work_struct *work)\n{\n\tstruct iscsi_cls_conn *conn, *tmp;\n\tunsigned long flags;\n\tLIST_HEAD(recovery_list);\n\n\tspin_lock_irqsave(&connlock, flags);\n\tif (list_empty(&connlist_err)) {\n\t\tspin_unlock_irqrestore(&connlock, flags);\n\t\treturn;\n\t}\n\tlist_splice_init(&connlist_err, &recovery_list);\n\tspin_unlock_irqrestore(&connlock, flags);\n\n\tlist_for_each_entry_safe(conn, tmp, &recovery_list, conn_list_err) {\n\t\tuint32_t sid = 
iscsi_conn_get_sid(conn);\n\t\tstruct iscsi_cls_session *session;\n\n\t\tsession = iscsi_session_lookup(sid);\n\t\tif (session) {\n\t\t\tif (system_state != SYSTEM_RUNNING) {\n\t\t\t\tsession->recovery_tmo = 0;\n\t\t\t\tiscsi_if_stop_conn(conn, STOP_CONN_TERM);\n\t\t\t} else {\n\t\t\t\tiscsi_if_stop_conn(conn, STOP_CONN_RECOVER);\n\t\t\t}\n\t\t}\n", "project": "linux", "hash": 96843788183739694302026143624420345669, "size": 31, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379948 }, { "func": "void __hci_req_update_class(struct hci_request *req)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tu8 cod[3];\n\n\tbt_dev_dbg(hdev, \"\");\n\n\tif (!hdev_is_powered(hdev))\n\t\treturn;\n\n\tif (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))\n\t\treturn;\n\n\tif (hci_dev_test_flag(hdev, HCI_SERVICE_CACHE))\n\t\treturn;\n\n\tcod[0] = hdev->minor_class;\n\tcod[1] = hdev->major_class;\n\tcod[2] = get_service_classes(hdev);\n\n\tif (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))\n\t\tcod[1] |= 0x20;\n\n\tif (memcmp(cod, hdev->dev_class, 3) == 0)\n\t\treturn;\n\n\thci_req_add(req, HCI_OP_WRITE_CLASS_OF_DEV, sizeof(cod), cod);\n}", "project": "linux", "hash": 224924621518036096781489880306642076234, "size": 28, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402534 }, { "func": "test_if_quick_select(JOIN_TAB *tab)\n{\n DBUG_EXECUTE_IF(\"show_explain_probe_test_if_quick_select\", \n if (dbug_user_var_equals_int(tab->join->thd, \n \"show_explain_probe_select_id\", \n tab->join->select_lex->select_number))\n dbug_serve_apcs(tab->join->thd, 1);\n );\n\n\n delete tab->select->quick;\n tab->select->quick=0;\n\n if (tab->table->file->inited != handler::NONE)\n tab->table->file->ha_index_or_rnd_end();\n\n int res= tab->select->test_quick_select(tab->join->thd, tab->keys,\n (table_map) 0, HA_POS_ERROR, 0,\n FALSE, /*remove where parts*/FALSE);\n if (tab->explain_plan && tab->explain_plan->range_checked_fer)\n tab->explain_plan->range_checked_fer->collect_data(tab->select->quick);\n\n return res;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 140752620489980952720848649283970436214, "size": 24, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508468 }, { "func": "void bcf_hdr_destroy(bcf_hdr_t *h)\n{\n int i;\n khint_t k;\n if (!h) return;\n for (i = 0; i < 3; ++i) {\n vdict_t *d = (vdict_t*)h->dict[i];\n if (d == 0) continue;\n for (k = kh_begin(d); k != kh_end(d); ++k)\n if (kh_exist(d, k)) free((char*)kh_key(d, k));\n kh_destroy(vdict, d);\n free(h->id[i]);\n }\n for (i=0; inhrec; i++)\n bcf_hrec_destroy(h->hrec[i]);\n if (h->nhrec) free(h->hrec);\n if (h->samples) free(h->samples);\n free(h->keep_samples);\n free(h->transl[0]); free(h->transl[1]);\n free(h->mem.s);\n free(h);\n}", "project": "htslib", "hash": 14187074896932821521128774378089806461, "size": 22, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402176 }, { "func": "inline StringData* StringData::Make(char* data, AttachStringMode) {\n SCOPE_EXIT { free(data); };\n return Make(data, CopyString);\n}", "project": "hhvm", "hash": 263485854907516973927746038522733244088, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219459 }, { "func": "inline StringData* StringData::Make(folly::StringPiece s) {\n return Make(s.begin(), s.size(), CopyString);\n}", "project": "hhvm", "hash": 13610616767818998312269108850163739427, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219519 }, { "func": "inline StringData* StringData::Make(const StringData* s1,\n folly::StringPiece s2) {\n return Make(s1->slice(), s2);\n}", "project": "hhvm", "hash": 236247363256474174160317372103037694601, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219662 }, { "func": "inline StringData* StringData::Make(const char* data, CopyStringMode) {\n return Make(data, strlen(data), CopyString);\n}", "project": "hhvm", "hash": 186575043677083658622322237484333378549, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219760 }, { "func": "inline StringData* StringData::Make(const 
StringData* s1, const char* lit2) {\n return Make(s1->slice(), lit2);\n}", "project": "hhvm", "hash": 163727563950024885035444631644850886027, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219855 }, { "func": "static int uncompress_file(struct archive_read* a) {\n\tint ret;\n\n\twhile(1) {\n\t\t/* Sometimes the uncompression function will return a\n\t\t * 'retry' signal. If this will happen, we have to retry\n\t\t * the function. */\n\t\tret = do_uncompress_file(a);\n\t\tif(ret != ARCHIVE_RETRY)\n\t\t\treturn ret;\n\t}\n}", "project": "libarchive", "hash": 3991428996473476272476684740014393336, "size": 12, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244770 }, { "func": " folly::MutableStringPiece reserve(size_t size) {\n if (!m_str) return folly::MutableStringPiece();\n auto const tmp = m_str->reserve(size);\n if (UNLIKELY(tmp != m_str)) {\n m_str = req::ptr::attach(tmp);\n }\n return m_str->bufferSlice();\n }", "project": "hhvm", "hash": 1583755848436890004239978411046689821, "size": 8, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219607 }, { "func": "static int kvm_io_bus_sort_cmp(const void *p1, const void *p2)\n{\n\treturn kvm_io_bus_cmp(p1, p2);\n}", "project": "linux", "hash": 107104061411856644232470210888439368634, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354462 }, { "func": "static inline int tcp_win_from_space(int 
space)\n{\n\treturn sysctl_tcp_adv_win_scale<=0 ?\n\t\t(space>>(-sysctl_tcp_adv_win_scale)) :\n\t\tspace - (space>>sysctl_tcp_adv_win_scale);\n}", "project": "linux", "hash": 11971523092522034604268414287771535111, "size": 6, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410771 }, { "func": "bool mysql_explain_union(THD *thd, SELECT_LEX_UNIT *unit, select_result *result)\n{\n DBUG_ENTER(\"mysql_explain_union\");\n bool res= 0;\n SELECT_LEX *first= unit->first_select();\n\n for (SELECT_LEX *sl= first; sl; sl= sl->next_select())\n {\n sl->set_explain_type(FALSE);\n sl->options|= SELECT_DESCRIBE;\n }\n\n if (unit->is_unit_op() || unit->fake_select_lex)\n {\n if (unit->union_needs_tmp_table() && unit->fake_select_lex)\n {\n unit->fake_select_lex->select_number= FAKE_SELECT_LEX_ID; // just for initialization\n unit->fake_select_lex->type= unit_operation_text[unit->common_op()];\n unit->fake_select_lex->options|= SELECT_DESCRIBE;\n }\n if (!(res= unit->prepare(unit->derived, result,\n SELECT_NO_UNLOCK | SELECT_DESCRIBE)))\n res= unit->exec();\n }\n else\n {\n thd->lex->current_select= first;\n unit->set_limit(unit->global_parameters());\n res= mysql_select(thd, \n first->table_list.first,\n first->with_wild, first->item_list,\n first->where,\n first->order_list.elements + first->group_list.elements,\n first->order_list.first,\n first->group_list.first,\n first->having,\n thd->lex->proc_list.first,\n first->options | thd->variables.option_bits | SELECT_DESCRIBE,\n result, unit, first);\n }\n DBUG_RETURN(res || thd->is_error());\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 47620195965891247535249631998237839543, "size": 42, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508565 }, { "func": "void hidinput_disconnect(struct hid_device *hid)\n{\n\tstruct hid_input *hidinput, *next;\n\n\thidinput_cleanup_battery(hid);\n\n\tlist_for_each_entry_safe(hidinput, next, &hid->inputs, list) {\n\t\tlist_del(&hidinput->list);\n\t\tif (hidinput->registered)\n\t\t\tinput_unregister_device(hidinput->input);\n\t\telse\n\t\t\tinput_free_device(hidinput->input);\n\t\tkfree(hidinput->name);\n\t\tkfree(hidinput);\n\t}\n\n\t/* led_work is spawned by input_dev callbacks, but doesn't access the\n\t * parent input_dev at all. Once all input devices are removed, we\n\t * know that led_work will never get restarted, so we can cancel it\n\t * synchronously and are safe. 
*/\n\tcancel_work_sync(&hid->led_work);\n}", "project": "linux", "hash": 157096175090968999731962083738692361365, "size": 22, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458399 }, { "func": "static int fuse_copy_ioctl_iovec_old(struct iovec *dst, void *src,\n\t\t\t\t size_t transferred, unsigned count,\n\t\t\t\t bool is_compat)\n{\n#ifdef CONFIG_COMPAT\n\tif (count * sizeof(struct compat_iovec) == transferred) {\n\t\tstruct compat_iovec *ciov = src;\n\t\tunsigned i;\n\n\t\t/*\n\t\t * With this interface a 32bit server cannot support\n\t\t * non-compat (i.e. 
ones coming from 64bit apps) ioctl\n\t\t * requests\n\t\t */\n\t\tif (!is_compat)\n\t\t\treturn -EINVAL;\n\n\t\tfor (i = 0; i < count; i++) {\n\t\t\tdst[i].iov_base = compat_ptr(ciov[i].iov_base);\n\t\t\tdst[i].iov_len = ciov[i].iov_len;\n\t\t}\n\t\treturn 0;\n\t}\n#endif\n\n\tif (count * sizeof(struct iovec) != transferred)\n\t\treturn -EIO;\n\n\tmemcpy(dst, src, transferred);\n\treturn 0;\n}", "project": "linux", "hash": 258219595454792137120784164966206967198, "size": 31, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342110 }, { "func": "Status TF_TensorToPyArray(Safe_TF_TensorPtr tensor, PyObject** out_ndarray) {\n // A fetched operation will correspond to a null tensor, and a None\n // in Python.\n if (tensor == nullptr) {\n Py_INCREF(Py_None);\n *out_ndarray = Py_None;\n return Status::OK();\n }\n int64 nelems = -1;\n gtl::InlinedVector dims;\n TF_RETURN_IF_ERROR(\n GetPyArrayDimensionsForTensor(tensor.get(), &dims, &nelems));\n\n // If the type is neither string nor resource we can reuse the Tensor memory.\n TF_Tensor* original = tensor.get();\n TF_Tensor* moved = TF_TensorMaybeMove(tensor.release());\n if (moved != nullptr) {\n if (ArrayFromMemory(\n dims.size(), dims.data(), TF_TensorData(moved),\n static_cast(TF_TensorType(moved)),\n [moved] { TF_DeleteTensor(moved); }, out_ndarray)\n .ok()) {\n return Status::OK();\n }\n }\n tensor.reset(original);\n\n // Copy the TF_TensorData into a newly-created ndarray and return it.\n PyArray_Descr* descr = nullptr;\n TF_RETURN_IF_ERROR(GetPyArrayDescrForTensor(tensor.get(), &descr));\n Safe_PyObjectPtr safe_out_array =\n tensorflow::make_safe(PyArray_Empty(dims.size(), dims.data(), descr, 0));\n if (!safe_out_array) {\n return errors::Internal(\"Could not allocate ndarray\");\n }\n PyArrayObject* py_array =\n reinterpret_cast(safe_out_array.get());\n if (TF_TensorType(tensor.get()) == TF_STRING) {\n Status s = CopyTF_TensorStringsToPyArray(tensor.get(), nelems, py_array);\n if (!s.ok()) {\n return s;\n }\n } else if (static_cast(PyArray_NBYTES(py_array)) !=\n TF_TensorByteSize(tensor.get())) {\n return errors::Internal(\"ndarray was \", PyArray_NBYTES(py_array),\n \" bytes but TF_Tensor was \",\n TF_TensorByteSize(tensor.get()), \" 
bytes\");\n } else {\n FastMemcpy(PyArray_DATA(py_array), TF_TensorData(tensor.get()),\n PyArray_NBYTES(py_array));\n }\n\n *out_ndarray = safe_out_array.release();\n return Status::OK();\n}", "project": "tensorflow", "hash": 91951099828768955344830636711447929254, "size": 55, "commit_id": "030af767d357d1b4088c4a25c72cb3906abac489", "message": "Fix `tf.raw_ops.ResourceCountUpTo` null pointer dereference.\n\nPiperOrigin-RevId: 368294347\nChange-Id: I2c16fbfc9b4966c402c3d8e311f0d665a9c852d8", "target": 0, "dataset": "other", "idx": 232655 }, { "func": "static apr_byte_t oidc_is_xml_http_request(request_rec *r) {\n\n\tif ((oidc_util_hdr_in_x_requested_with_get(r) != NULL)\n\t\t\t&& (apr_strnatcasecmp(oidc_util_hdr_in_x_requested_with_get(r),\n\t\t\t\t\tOIDC_HTTP_HDR_VAL_XML_HTTP_REQUEST) == 0))\n\t\treturn TRUE;\n\n\tif ((oidc_util_hdr_in_accept_contains(r, OIDC_CONTENT_TYPE_TEXT_HTML)\n\t\t\t== FALSE) && (oidc_util_hdr_in_accept_contains(r,\n\t\t\t\t\tOIDC_CONTENT_TYPE_APP_XHTML_XML) == FALSE)\n\t\t\t\t\t&& (oidc_util_hdr_in_accept_contains(r,\n\t\t\t\t\t\t\tOIDC_CONTENT_TYPE_ANY) == FALSE))\n\t\treturn TRUE;\n\n\treturn FALSE;\n}", "project": "mod_auth_openidc", "hash": 86639009047491570693441835767738317583, "size": 16, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381935 }, { "func": "static void add_timer_randomness(struct timer_rand_state *state, unsigned num)\n{\n\tstruct {\n\t\tcycles_t cycles;\n\t\tlong jiffies;\n\t\tunsigned num;\n\t} sample;\n\tlong delta, delta2, delta3;\n\n\tpreempt_disable();\n\t/* if over the trickle threshold, use only 1 in 4096 samples */\n\tif (input_pool.entropy_count > trickle_thresh &&\n\t (__get_cpu_var(trickle_count)++ & 0xfff))\n\t\tgoto out;\n\n\tsample.jiffies = jiffies;\n\tsample.cycles = 
get_cycles();\n\tsample.num = num;\n\tmix_pool_bytes(&input_pool, &sample, sizeof(sample));\n\n\t/*\n\t * Calculate number of bits of randomness we probably added.\n\t * We take into account the first, second and third-order deltas\n\t * in order to make our estimate.\n\t */\n\n\tif (!state->dont_count_entropy) {\n\t\tdelta = sample.jiffies - state->last_time;\n\t\tstate->last_time = sample.jiffies;\n\n\t\tdelta2 = delta - state->last_delta;\n\t\tstate->last_delta = delta;\n\n\t\tdelta3 = delta2 - state->last_delta2;\n\t\tstate->last_delta2 = delta2;\n\n\t\tif (delta < 0)\n\t\t\tdelta = -delta;\n\t\tif (delta2 < 0)\n\t\t\tdelta2 = -delta2;\n\t\tif (delta3 < 0)\n\t\t\tdelta3 = -delta3;\n\t\tif (delta > delta2)\n\t\t\tdelta = delta2;\n\t\tif (delta > delta3)\n\t\t\tdelta = delta3;\n\n\t\t/*\n\t\t * delta is now minimum absolute delta.\n\t\t * Round down by 1 bit on general principles,\n\t\t * and limit entropy entimate to 12 bits.\n\t\t */\n\t\tcredit_entropy_bits(&input_pool,\n\t\t\t\t min_t(int, fls(delta>>1), 11));\n\t}\nout:\n\tpreempt_enable();\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 209157731149440156790869906201776768558, "size": 58, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. 
It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499903 }, { "func": "static void s_stop(struct seq_file *m, void *p)\n{\n\tstruct trace_iterator *iter = m->private;\n\n#ifdef CONFIG_TRACER_MAX_TRACE\n\tif (iter->snapshot && iter->trace->use_max_tr)\n\t\treturn;\n#endif\n\n\tif (!iter->snapshot)\n\t\tatomic_dec(&trace_record_taskinfo_disabled);\n\n\ttrace_access_unlock(iter->cpu_file);\n\ttrace_event_read_unlock();\n}", "project": "linux", "hash": 278540253454517342288096496618462453667, "size": 15, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445615 }, { "func": "static int sctp_setsockopt_context(struct sock *sk,\n\t\t\t\t struct sctp_assoc_value *params,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_association *asoc;\n\n\tif (optlen != sizeof(struct sctp_assoc_value))\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, params->assoc_id);\n\tif (!asoc && params->assoc_id > SCTP_ALL_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc) {\n\t\tasoc->default_rcv_context = params->assoc_value;\n\n\t\treturn 0;\n\t}\n\n\tif (sctp_style(sk, TCP))\n\t\tparams->assoc_id = SCTP_FUTURE_ASSOC;\n\n\tif (params->assoc_id == SCTP_FUTURE_ASSOC ||\n\t params->assoc_id == SCTP_ALL_ASSOC)\n\t\tsp->default_rcv_context = params->assoc_value;\n\n\tif (params->assoc_id == SCTP_CURRENT_ASSOC ||\n\t params->assoc_id == SCTP_ALL_ASSOC)\n\t\tlist_for_each_entry(asoc, &sp->ep->asocs, asocs)\n\t\t\tasoc->default_rcv_context = params->assoc_value;\n\n\treturn 0;\n}", "project": "linux", "hash": 112102104256443243852727235277889532991, "size": 35, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398072 }, { "func": "bool tipc_node_is_up(struct net *net, u32 addr)\n{\n\tstruct tipc_node *n;\n\tbool retval = false;\n\n\tif (in_own_node(net, addr))\n\t\treturn true;\n\n\tn = tipc_node_find(net, addr);\n\tif (!n)\n\t\treturn false;\n\tretval = node_is_up(n);\n\ttipc_node_put(n);\n\treturn retval;\n}", "project": "linux", "hash": 27168503082533113887794883970044021438, "size": 15, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit 
net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 
mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364946 }, { "func": "static int sctp_getsockopt_default_sndinfo(struct sock *sk, int len,\n\t\t\t\t\t char __user *optval,\n\t\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_association *asoc;\n\tstruct sctp_sndinfo info;\n\n\tif (len < sizeof(info))\n\t\treturn -EINVAL;\n\n\tlen = sizeof(info);\n\n\tif (copy_from_user(&info, optval, len))\n\t\treturn -EFAULT;\n\n\tasoc = sctp_id2assoc(sk, info.snd_assoc_id);\n\tif (!asoc && info.snd_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc) {\n\t\tinfo.snd_sid = asoc->default_stream;\n\t\tinfo.snd_flags = asoc->default_flags;\n\t\tinfo.snd_ppid = asoc->default_ppid;\n\t\tinfo.snd_context = asoc->default_context;\n\t} else {\n\t\tinfo.snd_sid = sp->default_stream;\n\t\tinfo.snd_flags = sp->default_flags;\n\t\tinfo.snd_ppid = sp->default_ppid;\n\t\tinfo.snd_context = sp->default_context;\n\t}\n\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\tif (copy_to_user(optval, &info, len))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 189290521105975477623791807909518588551, "size": 40, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398217 }, { "func": "static int kvm_s390_get_machine(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tstruct kvm_s390_vm_cpu_machine *mach;\n\tint ret = 0;\n\n\tmach = kzalloc(sizeof(*mach), GFP_KERNEL);\n\tif (!mach) {\n\t\tret = -ENOMEM;\n\t\tgoto out;\n\t}\n\tget_cpu_id((struct cpuid *) &mach->cpuid);\n\tmach->ibc = sclp.ibc;\n\tmemcpy(&mach->fac_mask, kvm->arch.model.fac_mask,\n\t S390_ARCH_FAC_LIST_SIZE_BYTE);\n\tmemcpy((unsigned long *)&mach->fac_list, S390_lowcore.stfle_fac_list,\n\t sizeof(S390_lowcore.stfle_fac_list));\n\tVM_EVENT(kvm, 3, \"GET: host ibc: 0x%4.4x, host cpuid: 0x%16.16llx\",\n\t\t kvm->arch.model.ibc,\n\t\t kvm->arch.model.cpuid);\n\tVM_EVENT(kvm, 3, \"GET: host facmask: 0x%16.16llx.%16.16llx.%16.16llx\",\n\t\t mach->fac_mask[0],\n\t\t mach->fac_mask[1],\n\t\t mach->fac_mask[2]);\n\tVM_EVENT(kvm, 3, \"GET: host faclist: 0x%16.16llx.%16.16llx.%16.16llx\",\n\t\t mach->fac_list[0],\n\t\t mach->fac_list[1],\n\t\t mach->fac_list[2]);\n\tif (copy_to_user((void __user *)attr->addr, mach, sizeof(*mach)))\n\t\tret = -EFAULT;\n\tkfree(mach);\nout:\n\treturn ret;\n}", "project": "linux", "hash": 129192877327265731591428208269502582168, "size": 33, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through 
memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354554 }, { "func": "static void init_wa_bb_reg_state(u32 * const regs,\n\t\t\t\t const struct intel_engine_cs *engine,\n\t\t\t\t u32 pos_bb_per_ctx)\n{\n\tconst struct i915_ctx_workarounds * const wa_ctx = &engine->wa_ctx;\n\n\tif (wa_ctx->per_ctx.size) {\n\t\tconst u32 ggtt_offset = i915_ggtt_offset(wa_ctx->vma);\n\n\t\tregs[pos_bb_per_ctx] =\n\t\t\t(ggtt_offset + wa_ctx->per_ctx.offset) | 0x01;\n\t}\n\n\tif (wa_ctx->indirect_ctx.size) {\n\t\tconst u32 ggtt_offset = i915_ggtt_offset(wa_ctx->vma);\n\n\t\tregs[pos_bb_per_ctx + 2] =\n\t\t\t(ggtt_offset + wa_ctx->indirect_ctx.offset) |\n\t\t\t(wa_ctx->indirect_ctx.size / CACHELINE_BYTES);\n\n\t\tregs[pos_bb_per_ctx + 4] =\n\t\t\tintel_lr_indirect_ctx_offset(engine) << 6;\n\t}\n}", "project": "linux", "hash": 251569311817343498172193834974045995018, "size": 24, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281492 }, { "func": "static void kvm_free_memslot(struct kvm *kvm, struct kvm_memory_slot *slot)\n{\n\tkvm_destroy_dirty_bitmap(slot);\n\n\tkvm_arch_free_memslot(kvm, slot);\n\n\tslot->flags = 0;\n\tslot->npages = 0;\n}", "project": "linux", "hash": 156751657768424981290314982811617448402, "size": 9, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354429 }, { "func": "static OPJ_BOOL opj_j2k_calculate_tp(opj_j2k_t *p_j2k,\n opj_cp_t *cp,\n OPJ_UINT32 * p_nb_tiles,\n opj_image_t *image,\n opj_event_mgr_t * p_manager\n )\n{\n OPJ_UINT32 pino, tileno;\n OPJ_UINT32 l_nb_tiles;\n opj_tcp_t *tcp;\n\n /* preconditions */\n assert(p_nb_tiles != 00);\n assert(cp != 00);\n assert(image != 00);\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n OPJ_UNUSED(p_j2k);\n OPJ_UNUSED(p_manager);\n\n l_nb_tiles = cp->tw * cp->th;\n * p_nb_tiles = 0;\n tcp = cp->tcps;\n\n /* INDEX >> */\n /* TODO 
mergeV2: check this part which use cstr_info */\n /*if (p_j2k->cstr_info) {\n opj_tile_info_t * l_info_tile_ptr = p_j2k->cstr_info->tile;\n\n for (tileno = 0; tileno < l_nb_tiles; ++tileno) {\n OPJ_UINT32 cur_totnum_tp = 0;\n\n opj_pi_update_encoding_parameters(image,cp,tileno);\n\n for (pino = 0; pino <= tcp->numpocs; ++pino)\n {\n OPJ_UINT32 tp_num = opj_j2k_get_num_tp(cp,pino,tileno);\n\n *p_nb_tiles = *p_nb_tiles + tp_num;\n\n cur_totnum_tp += tp_num;\n }\n\n tcp->m_nb_tile_parts = cur_totnum_tp;\n\n l_info_tile_ptr->tp = (opj_tp_info_t *) opj_malloc(cur_totnum_tp * sizeof(opj_tp_info_t));\n if (l_info_tile_ptr->tp == 00) {\n return OPJ_FALSE;\n }\n\n memset(l_info_tile_ptr->tp,0,cur_totnum_tp * sizeof(opj_tp_info_t));\n\n l_info_tile_ptr->num_tps = cur_totnum_tp;\n\n ++l_info_tile_ptr;\n ++tcp;\n }\n }\n else */{\n for (tileno = 0; tileno < l_nb_tiles; ++tileno) {\n OPJ_UINT32 cur_totnum_tp = 0;\n\n opj_pi_update_encoding_parameters(image, cp, tileno);\n\n for (pino = 0; pino <= tcp->numpocs; ++pino) {\n OPJ_UINT32 tp_num = opj_j2k_get_num_tp(cp, pino, tileno);\n\n *p_nb_tiles = *p_nb_tiles + tp_num;\n\n cur_totnum_tp += tp_num;\n }\n tcp->m_nb_tile_parts = cur_totnum_tp;\n\n ++tcp;\n }\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 326590153811561498533347154586125388821, "size": 80, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357276 }, { "func": "static void svm_fpu_activate(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tclr_exception_intercept(svm, NM_VECTOR);\n\n\tsvm->vcpu.fpu_active = 1;\n\tupdate_cr0_intercept(svm);\n}", "project": "kvm", "hash": 132382296955569635065649018919273407291, "size": 9, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP 
if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437651 }, { "func": "static void handle_tx(struct vhost_net *net)\n{\n\tstruct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_TX];\n\tstruct vhost_virtqueue *vq = &nvq->vq;\n\tstruct socket *sock;\n\n\tmutex_lock_nested(&vq->mutex, VHOST_NET_VQ_TX);\n\tsock = vq->private_data;\n\tif (!sock)\n\t\tgoto out;\n\n\tif (!vq_meta_prefetch(vq))\n\t\tgoto out;\n\n\tvhost_disable_notify(&net->dev, vq);\n\tvhost_net_disable_vq(net, vq);\n\n\tif (vhost_sock_zcopy(sock))\n\t\thandle_tx_zerocopy(net, sock);\n\telse\n\t\thandle_tx_copy(net, sock);\n\nout:\n\tmutex_unlock(&vq->mutex);\n}", "project": "linux", "hash": 157815618268446450521324029809679155237, "size": 25, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 441975 }, { "func": "static bool io_rw_reissue(struct io_kiocb *req, long res)\n{\n#ifdef CONFIG_BLOCK\n\tint ret;\n\n\tif ((res != -EAGAIN && res != -EOPNOTSUPP) || io_wq_current_is_worker())\n\t\treturn false;\n\n\tinit_task_work(&req->task_work, io_rw_resubmit);\n\tpercpu_ref_get(&req->ctx->refs);\n\n\tret = io_req_task_work_add(req, &req->task_work);\n\tif (!ret)\n\t\treturn true;\n#endif\n\treturn false;\n}", "project": "linux", "hash": 303516945185282477614172207040517854928, "size": 17, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456938 }, { "func": "int bcf_get_variant_types(bcf1_t *rec)\n{\n if ( rec->d.var_type==-1 ) bcf_set_variant_types(rec);\n return rec->d.var_type;\n}", "project": "htslib", "hash": 325662364669824388313595400787929233898, "size": 5, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402191 }, { "func": "\nstatic void io_req_caches_free(struct io_ring_ctx *ctx)\n{\n\tstruct io_submit_state *submit_state = &ctx->submit_state;\n\tstruct io_comp_state *cs = &ctx->submit_state.comp;\n\n\tmutex_lock(&ctx->uring_lock);\n\n\tif (submit_state->free_reqs) {\n\t\tkmem_cache_free_bulk(req_cachep, submit_state->free_reqs,\n\t\t\t\t submit_state->reqs);\n\t\tsubmit_state->free_reqs = 0;\n\t}\n\n\tio_flush_cached_locked_reqs(ctx, cs);\n\tio_req_cache_free(&cs->free_list, NULL);\n\tmutex_unlock(&ctx->uring_lock);", "project": "linux", "hash": 88368256665281746337505309299019406285, "size": 17, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338629 }, { "func": "static void cmd_parse_capability (IMAP_DATA* idata, char* s)\n{\n int x;\n char* bracket;\n\n dprint (3, (debugfile, \"Handling CAPABILITY\\n\"));\n\n s = imap_next_word (s);\n if ((bracket = strchr (s, ']')))\n *bracket = '\\0';\n FREE(&idata->capstr);\n idata->capstr = safe_strdup (s);\n\n memset (idata->capabilities, 0, sizeof (idata->capabilities));\n\n while (*s)\n {\n for (x = 0; x < CAPMAX; x++)\n if (imap_wordcasecmp(Capabilities[x], s) == 0)\n {\n\tmutt_bit_set (idata->capabilities, x);\n\tbreak;\n }\n s = imap_next_word (s);\n }\n}", "project": "mutt", "hash": 260547783607855135136564326327149590790, "size": 26, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338023 }, { "func": "static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,\n\t\tstruct nfs_fsinfo *info)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\tdo {\n\t\terr = _nfs4_lookup_root(server, fhandle, info);\n\t\ttrace_nfs4_lookup_root(server, fhandle, info->fattr, err);\n\t\tswitch (err) {\n\t\tcase 0:\n\t\tcase -NFS4ERR_WRONGSEC:\n\t\t\tgoto out;\n\t\tdefault:\n\t\t\terr = nfs4_handle_exception(server, err, &exception);\n\t\t}\n\t} while (exception.retry);\nout:\n\treturn err;\n}", "project": 
"linux", "hash": 276242637842695243907938069045949870168, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431605 }, { "func": "static int fuse_writepage(struct page *page, struct writeback_control *wbc)\n{\n\tint err;\n\n\tif (fuse_page_is_writeback(page->mapping->host, page->index)) {\n\t\t/*\n\t\t * ->writepages() should be called for sync() and friends. We\n\t\t * should only get here on direct reclaim and then we are\n\t\t * allowed to skip a page which is already in flight\n\t\t */\n\t\tWARN_ON(wbc->sync_mode == WB_SYNC_ALL);\n\n\t\tredirty_page_for_writepage(wbc, page);\n\t\tunlock_page(page);\n\t\treturn 0;\n\t}\n\n\terr = fuse_writepage_locked(page);\n\tunlock_page(page);\n\n\treturn err;\n}", "project": "linux", "hash": 140915135077881779634151380933186149154, "size": 22, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341970 }, { "func": "static u8 pipe_negotiate_fc(const u8 *fcs, unsigned int n)\n{\n\tunsigned int i;\n\tu8 final_fc = PN_NO_FLOW_CONTROL;\n\n\tfor (i = 0; i < n; i++) {\n\t\tu8 fc = fcs[i];\n\n\t\tif (fc > final_fc && fc < PN_MAX_FLOW_CONTROL)\n\t\t\tfinal_fc = fc;\n\t}\n\treturn final_fc;\n}", "project": "linux", "hash": 592558187705884318000094601043963857, "size": 13, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224820 }, { "func": "static void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)\n{\n\t*p = d->p;\n\t*q = d->q;\n\t*g = d->g;\n}", "project": "php-src", "hash": 326935654719382777551586472083815054202, "size": 6, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291377 }, { "func": "static void cmd_authinfo_user(char *user)\n{\n const char *p;\n\n if (nntp_authstate) {\n\tprot_printf(nntp_out, \"502 Already authenticated\\r\\n\");\n\treturn;\n }\n\n /* possibly disallow USER */\n if (!(nntp_starttls_done || (extprops_ssf > 1) ||\n\t config_getswitch(IMAPOPT_ALLOWPLAINTEXT))) {\n\tprot_printf(nntp_out,\n\t\t \"483 AUTHINFO USER command only available under a layer\\r\\n\");\n\treturn;\n }\n\n if (nntp_userid) 
{\n\tfree(nntp_userid);\n\tnntp_userid = NULL;\n }\n\n if (!(p = canonify_userid(user, NULL, NULL))) {\n\tprot_printf(nntp_out, \"481 Invalid user\\r\\n\");\n\tsyslog(LOG_NOTICE,\n\t \"badlogin: %s plaintext %s invalid user\",\n\t nntp_clienthost, beautify_string(user));\n }\n else {\n\tnntp_userid = xstrdup(p);\n\tprot_printf(nntp_out, \"381 Give AUTHINFO PASS command\\r\\n\");\n }\n}", "project": "cyrus-imapd", "hash": 189133209797895329894296459332102778320, "size": 33, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451903 }, { "func": "static void mark_eio(struct i915_request *rq)\n{\n\tif (i915_request_completed(rq))\n\t\treturn;\n\n\tGEM_BUG_ON(i915_request_signaled(rq));\n\n\tdma_fence_set_error(&rq->fence, -EIO);\n\ti915_request_mark_complete(rq);\n}", "project": "linux", "hash": 301580682682961318211142697434359639153, "size": 10, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281550 }, { "func": "static int sctp_getsockopt_maxburst(struct sock *sk, int len,\n\t\t\t\t char __user *optval,\n\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_assoc_value params;\n\tstruct sctp_association *asoc;\n\n\tif (len == sizeof(int)) {\n\t\tpr_warn_ratelimited(DEPRECATED\n\t\t\t\t \"%s (pid %d) \"\n\t\t\t\t \"Use of int in max_burst socket option.\\n\"\n\t\t\t\t \"Use struct sctp_assoc_value instead\\n\",\n\t\t\t\t current->comm, task_pid_nr(current));\n\t\tparams.assoc_id = SCTP_FUTURE_ASSOC;\n\t} else if (len >= sizeof(struct sctp_assoc_value)) {\n\t\tlen = sizeof(struct sctp_assoc_value);\n\t\tif (copy_from_user(¶ms, optval, len))\n\t\t\treturn -EFAULT;\n\t} else\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, params.assoc_id);\n\tif (!asoc && params.assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tparams.assoc_value = asoc ? 
asoc->max_burst : sctp_sk(sk)->max_burst;\n\n\tif (len == sizeof(int)) {\n\t\tif (copy_to_user(optval, ¶ms.assoc_value, len))\n\t\t\treturn -EFAULT;\n\t} else {\n\t\tif (copy_to_user(optval, ¶ms, len))\n\t\t\treturn -EFAULT;\n\t}\n\n\treturn 0;\n\n}", "project": "linux", "hash": 253812671058695883576710387328542621547, "size": 39, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398049 }, { "func": "int oidc_handle_jwks(request_rec *r, oidc_cfg *c) {\n\n\t/* pickup requested JWKs type */\n\t//\tchar *jwks_type = NULL;\n\t//\toidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_JWKS, &jwks_type);\n\tchar *jwks = apr_pstrdup(r->pool, \"{ \\\"keys\\\" : [\");\n\tint i = 0;\n\tapr_byte_t first = TRUE;\n\toidc_jose_error_t err;\n\n\tif (c->public_keys != NULL) {\n\n\t\t/* loop over the RSA public keys */\n\t\tfor (i = 0; i < c->public_keys->nelts; i++) {\n\t\t\tconst oidc_jwk_t *jwk =\n\t\t\t\t\t((const oidc_jwk_t**) c->public_keys->elts)[i];\n\t\t\tchar *s_json = NULL;\n\n\t\t\tif (oidc_jwk_to_json(r->pool, jwk, &s_json, &err) == TRUE) {\n\t\t\t\tjwks = apr_psprintf(r->pool, \"%s%s %s \", jwks, first ? \"\" : \",\",\n\t\t\t\t\t\ts_json);\n\t\t\t\tfirst = FALSE;\n\t\t\t} else {\n\t\t\t\toidc_error(r,\n\t\t\t\t\t\t\"could not convert RSA JWK to JSON using oidc_jwk_to_json: %s\",\n\t\t\t\t\t\toidc_jose_e2s(r->pool, err));\n\t\t\t}\n\t\t}\n\t}\n\n\t// TODO: send stuff if first == FALSE?\n\tjwks = apr_psprintf(r->pool, \"%s ] }\", jwks);\n\n\treturn oidc_util_http_send(r, jwks, strlen(jwks), OIDC_CONTENT_TYPE_JSON,\n\t\t\tOK);\n}", "project": "mod_auth_openidc", "hash": 254087742003725774597719232026706736409, "size": 36, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381947 }, { "func": "int oidc_handle_jwks(request_rec *r, oidc_cfg *c) {\n\n\t/* pickup requested JWKs type */\n\t//\tchar *jwks_type = NULL;\n\t//\toidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_JWKS, &jwks_type);\n\tchar *jwks = apr_pstrdup(r->pool, \"{ \\\"keys\\\" : [\");\n\tapr_hash_index_t *hi = NULL;\n\tapr_byte_t first = TRUE;\n\toidc_jose_error_t err;\n\n\tif (c->public_keys != NULL) 
{\n\n\t\t/* loop over the RSA public keys */\n\t\tfor (hi = apr_hash_first(r->pool, c->public_keys); hi; hi =\n\t\t\t\tapr_hash_next(hi)) {\n\n\t\t\tconst char *s_kid = NULL;\n\t\t\toidc_jwk_t *jwk = NULL;\n\t\t\tchar *s_json = NULL;\n\n\t\t\tapr_hash_this(hi, (const void**) &s_kid, NULL, (void**) &jwk);\n\n\t\t\tif (oidc_jwk_to_json(r->pool, jwk, &s_json, &err) == TRUE) {\n\t\t\t\tjwks = apr_psprintf(r->pool, \"%s%s %s \", jwks, first ? \"\" : \",\",\n\t\t\t\t\t\ts_json);\n\t\t\t\tfirst = FALSE;\n\t\t\t} else {\n\t\t\t\toidc_error(r,\n\t\t\t\t\t\t\"could not convert RSA JWK to JSON using oidc_jwk_to_json: %s\",\n\t\t\t\t\t\toidc_jose_e2s(r->pool, err));\n\t\t\t}\n\t\t}\n\t}\n\n\t// TODO: send stuff if first == FALSE?\n\tjwks = apr_psprintf(r->pool, \"%s ] }\", jwks);\n\n\treturn oidc_util_http_send(r, jwks, strlen(jwks), OIDC_CONTENT_TYPE_JSON,\n\t\t\tOK);\n}", "project": "mod_auth_openidc", "hash": 28265353297372668178176396538897778562, "size": 40, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447687 }, { "func": "void CLua::gc()\n{\n lua_gc(state(), LUA_GCCOLLECT, 0);\n}", "project": "crawl", "hash": 105643363427051459536339703939897638643, "size": 4, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230481 }, { "func": "static void intel_engine_context_in(struct intel_engine_cs *engine)\n{\n\tunsigned long flags;\n\n\tif (READ_ONCE(engine->stats.enabled) == 0)\n\t\treturn;\n\n\twrite_seqlock_irqsave(&engine->stats.lock, flags);\n\n\tif (engine->stats.enabled > 0) {\n\t\tif (engine->stats.active++ == 0)\n\t\t\tengine->stats.start = ktime_get();\n\t\tGEM_BUG_ON(engine->stats.active == 0);\n\t}\n\n\twrite_sequnlock_irqrestore(&engine->stats.lock, flags);\n}", "project": "linux", "hash": 113062128626784072033827509642539085004, "size": 17, "commit_id": 
"bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281511 }, { "func": "static void evdev_queue_syn_dropped(struct evdev_client *client)\n{\n\tunsigned long flags;\n\tstruct input_event ev;\n\tktime_t time;\n\n\ttime = ktime_get();\n\tif (client->clkid != CLOCK_MONOTONIC)\n\t\ttime = ktime_sub(time, ktime_get_monotonic_offset());\n\n\tev.time = ktime_to_timeval(time);\n\tev.type = EV_SYN;\n\tev.code = SYN_DROPPED;\n\tev.value = 0;\n\n\tspin_lock_irqsave(&client->buffer_lock, flags);\n\n\tclient->buffer[client->head++] = ev;\n\tclient->head &= client->bufsize - 1;\n\n\tif (unlikely(client->head == client->tail)) {\n\t\t/* drop queue but keep our SYN_DROPPED event */\n\t\tclient->tail = (client->head - 1) & (client->bufsize - 1);\n\t\tclient->packet_head = client->tail;\n\t}\n\n\tspin_unlock_irqrestore(&client->buffer_lock, flags);\n}", "project": "linux", "hash": 95716269054470066251998009548608943370, "size": 28, "commit_id": "483180281f0ac60d1138710eb21f4b9961901294", "message": "Input: evdev - flush queues during EVIOCGKEY-like ioctls\n\nIf userspace requests current KEY-state, they very likely assume that no\nsuch events are pending in the output queue of 
the evdev device.\nOtherwise, they will parse events which they already handled via\nEVIOCGKEY(). For XKB applications this can cause irreversible keyboard\nstates if a modifier is locked multiple times because a CTRL-DOWN event is\nhandled once via EVIOCGKEY() and once from the queue via read(), even\nthough it should handle it only once.\n\nTherefore, lets do the only logical thing and flush the evdev queue\natomically during this ioctl. We only flush events that are affected by\nthe given ioctl.\n\nThis only affects boolean events like KEY, SND, SW and LED. ABS, REL and\nothers are not affected as duplicate events can be handled gracefully by\nuser-space.\n\nNote: This actually breaks semantics of the evdev ABI. However,\ninvestigations showed that userspace already expects the new semantics and\nwe end up fixing at least all XKB applications.\nAll applications that are aware of this race-condition mirror the KEY\nstate for each open-file and detect/drop duplicate events. Hence, they do\nnot care whether duplicates are posted or not and work fine with this fix.\n\nAlso note that we need proper locking to guarantee atomicity and avoid\ndead-locks. event_lock must be locked before queue_lock (see input-core).\nHowever, we can safely release event_lock while flushing the queue. 
This\nallows the input-core to proceed with pending events and only stop if it\nneeds our queue_lock to post new events.\nThis should guarantee that we don't block event-dispatching for too long\nwhile flushing a single event queue.\n\nSigned-off-by: David Herrmann \nAcked-by: Peter Hutterer \nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 381729 }, { "func": "static int pipe_handler_do_rcv(struct sock *sk, struct sk_buff *skb)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tstruct pnpipehdr *hdr = pnp_hdr(skb);\n\tint err = NET_RX_SUCCESS;\n\n\tswitch (hdr->message_id) {\n\tcase PNS_PIPE_ALIGNED_DATA:\n\t\t__skb_pull(skb, 1);\n\t\tfallthrough;\n\tcase PNS_PIPE_DATA:\n\t\t__skb_pull(skb, 3); /* Pipe data header */\n\t\tif (!pn_flow_safe(pn->rx_fc)) {\n\t\t\terr = sock_queue_rcv_skb(sk, skb);\n\t\t\tif (!err)\n\t\t\t\treturn NET_RX_SUCCESS;\n\t\t\terr = NET_RX_DROP;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (pn->rx_credits == 0) {\n\t\t\tatomic_inc(&sk->sk_drops);\n\t\t\terr = NET_RX_DROP;\n\t\t\tbreak;\n\t\t}\n\t\tpn->rx_credits--;\n\t\tskb->dev = NULL;\n\t\tskb_set_owner_r(skb, sk);\n\t\tskb_queue_tail(&sk->sk_receive_queue, skb);\n\t\tif (!sock_flag(sk, SOCK_DEAD))\n\t\t\tsk->sk_data_ready(sk);\n\t\treturn NET_RX_SUCCESS;\n\n\tcase PNS_PEP_CONNECT_RESP:\n\t\tif (sk->sk_state != TCP_SYN_SENT)\n\t\t\tbreak;\n\t\tif (!sock_flag(sk, SOCK_DEAD))\n\t\t\tsk->sk_state_change(sk);\n\t\tif (pep_connresp_rcv(sk, skb)) {\n\t\t\tsk->sk_state = TCP_CLOSE_WAIT;\n\t\t\tbreak;\n\t\t}\n\t\tif (pn->init_enable == PN_PIPE_DISABLE)\n\t\t\tsk->sk_state = TCP_SYN_RECV;\n\t\telse {\n\t\t\tsk->sk_state = TCP_ESTABLISHED;\n\t\t\tpipe_start_flow_control(sk);\n\t\t}\n\t\tbreak;\n\n\tcase PNS_PEP_ENABLE_RESP:\n\t\tif (sk->sk_state != TCP_SYN_SENT)\n\t\t\tbreak;\n\n\t\tif (pep_enableresp_rcv(sk, skb)) {\n\t\t\tsk->sk_state = TCP_CLOSE_WAIT;\n\t\t\tbreak;\n\t\t}\n\n\t\tsk->sk_state = TCP_ESTABLISHED;\n\t\tpipe_start_flow_control(sk);\n\t\tbreak;\n\n\tcase 
PNS_PEP_DISCONNECT_RESP:\n\t\t/* sock should already be dead, nothing to do */\n\t\tbreak;\n\n\tcase PNS_PEP_STATUS_IND:\n\t\tpipe_rcv_status(sk, skb);\n\t\tbreak;\n\t}\n\tkfree_skb(skb);\n\treturn err;\n}", "project": "linux", "hash": 20348844570388638008458775290209935012, "size": 74, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224812 }, { "func": "void ItemStackMetadata::setToolCapabilities(const ToolCapabilities &caps)\n{\n\tstd::ostringstream os;\n\tcaps.serializeJson(os);\n\tsetString(TOOLCAP_KEY, os.str());\n}", "project": "minetest", "hash": 219255252889812327031542229686091090374, "size": 6, "commit_id": "b5956bde259faa240a81060ff4e598e25ad52dae", "message": "Sanitize ItemStack meta text", "target": 0, "dataset": "other", "idx": 279957 }, { "func": "static int vcf_parse_info(kstring_t *str, const bcf_hdr_t *h, bcf1_t *v, char *p, char *q) {\n static int extreme_int_warned = 0, negative_rlen_warned = 0;\n int max_n_val = 0, overflow = 0;\n char *r, *key;\n khint_t k;\n vdict_t *d = (vdict_t*)h->dict[BCF_DT_ID];\n int32_t *a_val = NULL;\n\n v->n_info = 0;\n if (*(q-1) == ';') *(q-1) = 0;\n for (r = key = p;; ++r) {\n int c;\n char *val, *end;\n if (*r != ';' && *r != '=' && *r != 0) continue;\n if (v->n_info == UINT16_MAX) {\n hts_log_error(\"Too many INFO entries at %s:%\"PRIhts_pos,\n bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_LIMITS;\n return -1;\n }\n val = end = 0;\n c = *r; *r = 0;\n if (c == '=') {\n val = r + 1;\n for (end = val; *end != ';' && *end != 0; ++end);\n c = *end; *end = 0;\n } else end = r;\n if ( !*key ) { if (c==0) break; r = end; key = r + 1; 
continue; } // faulty VCF, \";;\" in the INFO\n k = kh_get(vdict, d, key);\n if (k == kh_end(d) || kh_val(d, k).info[BCF_HL_INFO] == 15)\n {\n hts_log_warning(\"INFO '%s' is not defined in the header, assuming Type=String\", key);\n kstring_t tmp = {0,0,0};\n int l;\n ksprintf(&tmp, \"##INFO=\", key);\n bcf_hrec_t *hrec = bcf_hdr_parse_line(h,tmp.s,&l);\n free(tmp.s);\n int res = hrec ? bcf_hdr_add_hrec((bcf_hdr_t*)h, hrec) : -1;\n if (res < 0) bcf_hrec_destroy(hrec);\n if (res > 0) res = bcf_hdr_sync((bcf_hdr_t*)h);\n k = kh_get(vdict, d, key);\n v->errcode = BCF_ERR_TAG_UNDEF;\n if (res || k == kh_end(d)) {\n hts_log_error(\"Could not add dummy header for INFO '%s' at %s:%\"PRIhts_pos, key, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_TAG_INVALID;\n return -1;\n }\n }\n uint32_t y = kh_val(d, k).info[BCF_HL_INFO];\n ++v->n_info;\n bcf_enc_int1(str, kh_val(d, k).id);\n if (val == 0) {\n bcf_enc_size(str, 0, BCF_BT_NULL);\n } else if ((y>>4&0xf) == BCF_HT_FLAG || (y>>4&0xf) == BCF_HT_STR) { // if Flag has a value, treat it as a string\n bcf_enc_vchar(str, end - val, val);\n } else { // int/float value/array\n int i, n_val;\n char *t, *te;\n for (t = val, n_val = 1; *t; ++t) // count the number of values\n if (*t == ',') ++n_val;\n // Check both int and float size in one step for simplicity\n if (n_val > max_n_val) {\n int32_t *a_tmp = (int32_t *)realloc(a_val, n_val * sizeof(*a_val));\n if (!a_tmp) {\n hts_log_error(\"Could not allocate memory at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_LIMITS; // No appropriate code?\n return -1;\n }\n a_val = a_tmp;\n max_n_val = n_val;\n }\n if ((y>>4&0xf) == BCF_HT_INT) {\n i = 0, t = val;\n int64_t val1;\n int is_int64 = 0;\n#ifdef VCF_ALLOW_INT64\n if ( n_val==1 )\n {\n overflow = 0;\n long long int tmp_val = hts_str2int(val, &te, sizeof(tmp_val)*CHAR_BIT, &overflow);\n if ( te==val ) tmp_val = bcf_int32_missing;\n else if ( overflow || tmp_valBCF_MAX_BT_INT64 )\n {\n if ( 
!extreme_int_warned )\n {\n hts_log_warning(\"Extreme INFO/%s value encountered and set to missing at %s:%\"PRIhts_pos,key,bcf_seqname_safe(h,v), v->pos+1);\n extreme_int_warned = 1;\n }\n tmp_val = bcf_int32_missing;\n }\n else\n is_int64 = 1;\n val1 = tmp_val;\n t = te;\n i = 1; // this is just to avoid adding another nested block...\n }\n#endif\n for (; i < n_val; ++i, ++t)\n {\n overflow = 0;\n long int tmp_val = hts_str2int(t, &te, sizeof(tmp_val)*CHAR_BIT, &overflow);\n if ( te==t ) tmp_val = bcf_int32_missing;\n else if ( overflow || tmp_valBCF_MAX_BT_INT32 )\n {\n if ( !extreme_int_warned )\n {\n hts_log_warning(\"Extreme INFO/%s value encountered and set to missing at %s:%\"PRIhts_pos,key,bcf_seqname_safe(h,v), v->pos+1);\n extreme_int_warned = 1;\n }\n tmp_val = bcf_int32_missing;\n }\n a_val[i] = tmp_val;\n for (t = te; *t && *t != ','; t++);\n }\n if (n_val == 1) {\n#ifdef VCF_ALLOW_INT64\n if ( is_int64 )\n {\n v->unpacked |= BCF_IS_64BIT;\n bcf_enc_long1(str, val1);\n }\n else\n bcf_enc_int1(str, (int32_t)val1);\n#else\n val1 = a_val[0];\n bcf_enc_int1(str, (int32_t)val1);\n#endif\n } else {\n bcf_enc_vint(str, n_val, a_val, -1);\n }\n if (n_val==1 && (val1!=bcf_int32_missing || is_int64) && strcmp(key, \"END\") == 0)\n {\n if ( val1 <= v->pos )\n {\n if ( !negative_rlen_warned )\n {\n hts_log_warning(\"INFO/END=%\"PRIhts_pos\" is smaller than POS at %s:%\"PRIhts_pos,val1,bcf_seqname_safe(h,v),v->pos+1);\n negative_rlen_warned = 1;\n }\n }\n else\n v->rlen = val1 - v->pos;\n }\n } else if ((y>>4&0xf) == BCF_HT_REAL) {\n float *val_f = (float *)a_val;\n for (i = 0, t = val; i < n_val; ++i, ++t)\n {\n overflow = 0;\n val_f[i] = hts_str2dbl(t, &te, &overflow);\n if ( te==t || overflow ) // conversion failed\n bcf_float_set_missing(val_f[i]);\n for (t = te; *t && *t != ','; t++);\n }\n bcf_enc_vfloat(str, n_val, val_f);\n }\n }\n if (c == 0) break;\n r = end;\n key = r + 1;\n }\n\n free(a_val);\n return 0;\n}", "project": "htslib", "hash": 
278508606662969127280817830265166112809, "size": 164, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402209 }, { "project": "phosphor-host-ipmid", "commit_id": "b265455a2518ece7c004b43c144199ec980fc620", "target": 0, "func": "std::string PasswdMgr::getPasswdByUserName(const std::string& userName)\n{\n checkAndReload();\n auto iter = passwdMapList.find(userName);\n if (iter == passwdMapList.end())\n {\n return std::string();\n }\n return iter->second;\n}", "idx": 519584, "cwe": "CWE-276", "hash": 23380786052098748817339926299854427010, "dataset": "other" }, { "func": "static u8 hwme_get_request_sync(\n\tu8 hw_attribute,\n\tu8 *hw_attribute_length,\n\tu8 *hw_attribute_value,\n\tvoid *device_ref\n)\n{\n\tstruct mac_message command, response;\n\n\tcommand.command_id = SPI_HWME_GET_REQUEST;\n\tcommand.length = 1;\n\tcommand.pdata.hwme_get_req.hw_attribute = hw_attribute;\n\n\tif (cascoda_api_downstream(\n\t\t&command.command_id,\n\t\tcommand.length + 2,\n\t\t&response.command_id,\n\t\tdevice_ref)) {\n\t\treturn MAC_SYSTEM_ERROR;\n\t}\n\n\tif (response.command_id != SPI_HWME_GET_CONFIRM)\n\t\treturn MAC_SYSTEM_ERROR;\n\n\tif (response.pdata.hwme_get_cnf.status == MAC_SUCCESS) {\n\t\t*hw_attribute_length =\n\t\t\tresponse.pdata.hwme_get_cnf.hw_attribute_length;\n\t\tmemcpy(\n\t\t\thw_attribute_value,\n\t\t\tresponse.pdata.hwme_get_cnf.hw_attribute_value,\n\t\t\t*hw_attribute_length\n\t\t);\n\t}\n\n\treturn response.pdata.hwme_get_cnf.status;\n}", "project": "linux", "hash": 208324478393219685620017886822379444683, "size": 36, 
"commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408810 }, { "func": "static ssize_t total_objects_show(struct kmem_cache *s, char *buf)\n{\n\treturn show_slab_objects(s, buf, SO_ALL|SO_TOTAL);\n}", "project": "linux", "hash": 73486761393548371791128321565458854822, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280234 }, { "func": "static int tracing_release_generic_tr(struct inode *inode, struct file *file)\n{\n\tstruct trace_array *tr = inode->i_private;\n\n\ttrace_array_put(tr);\n\treturn 0;\n}", "project": "linux", "hash": 125036954711214478319758815097951517795, "size": 7, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445563 }, { "func": "static enum_func_status\nphp_mysqlnd_auth_response_read(void * _packet, MYSQLND_CONN_DATA * conn TSRMLS_DC)\n{\n\tzend_uchar local_buf[AUTH_RESP_BUFFER_SIZE];\n\tsize_t buf_len = conn->net->cmd_buffer.buffer? conn->net->cmd_buffer.length: AUTH_RESP_BUFFER_SIZE;\n\tzend_uchar *buf = conn->net->cmd_buffer.buffer? 
(zend_uchar *) conn->net->cmd_buffer.buffer : local_buf;\n\tzend_uchar *p = buf;\n\tzend_uchar *begin = buf;\n\tunsigned long i;\n\tregister MYSQLND_PACKET_AUTH_RESPONSE * packet= (MYSQLND_PACKET_AUTH_RESPONSE *) _packet;\n\n\tDBG_ENTER(\"php_mysqlnd_auth_response_read\");\n\n\t/* leave space for terminating safety \\0 */\n\tbuf_len--;\n\tPACKET_READ_HEADER_AND_BODY(packet, conn, buf, buf_len, \"OK\", PROT_OK_PACKET);\n\tBAIL_IF_NO_MORE_DATA;\n\n\t/*\n\t zero-terminate the buffer for safety. We are sure there is place for the \\0\n\t because buf_len is -1 the size of the buffer pointed\n\t*/\n\tbuf[packet->header.size] = '\\0';\n\t\n\t/* Should be always 0x0 or ERROR_MARKER for error */\n\tpacket->response_code = uint1korr(p);\n\tp++;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tif (ERROR_MARKER == packet->response_code) {\n\t\tphp_mysqlnd_read_error_from_line(p, packet->header.size - 1,\n\t\t\t\t\t\t\t\t\t\t packet->error, sizeof(packet->error),\n\t\t\t\t\t\t\t\t\t\t &packet->error_no, packet->sqlstate\n\t\t\t\t\t\t\t\t\t\t TSRMLS_CC);\n\t\tDBG_RETURN(PASS);\n\t}\n\tif (0xFE == packet->response_code) {\n\t\t/* Authentication Switch Response */\n\t\tif (packet->header.size > (size_t) (p - buf)) {\n\t\t\tpacket->new_auth_protocol = mnd_pestrdup((char *)p, FALSE);\n\t\t\tpacket->new_auth_protocol_len = strlen(packet->new_auth_protocol);\n\t\t\tp+= packet->new_auth_protocol_len + 1; /* +1 for the \\0 */\n\n\t\t\tpacket->new_auth_protocol_data_len = packet->header.size - (size_t) (p - buf);\n\t\t\tif (packet->new_auth_protocol_data_len) {\n\t\t\t\tpacket->new_auth_protocol_data = mnd_emalloc(packet->new_auth_protocol_data_len);\n\t\t\t\tmemcpy(packet->new_auth_protocol_data, p, packet->new_auth_protocol_data_len);\n\t\t\t}\n\t\t\tDBG_INF_FMT(\"The server requested switching auth plugin to : %s\", packet->new_auth_protocol);\n\t\t\tDBG_INF_FMT(\"Server salt : [%d][%.*s]\", packet->new_auth_protocol_data_len, packet->new_auth_protocol_data_len, 
packet->new_auth_protocol_data);\n\t\t}\n\t} else {\n\t\t/* Everything was fine! */\n\t\tpacket->affected_rows = php_mysqlnd_net_field_length_ll(&p);\n\t\tBAIL_IF_NO_MORE_DATA;\n\n\t\tpacket->last_insert_id = php_mysqlnd_net_field_length_ll(&p);\n\t\tBAIL_IF_NO_MORE_DATA;\n\n\t\tpacket->server_status = uint2korr(p);\n\t\tp+= 2;\n\t\tBAIL_IF_NO_MORE_DATA;\n\n\t\tpacket->warning_count = uint2korr(p);\n\t\tp+= 2;\n\t\tBAIL_IF_NO_MORE_DATA;\n\n\t\t/* There is a message */\n\t\tif (packet->header.size > (size_t) (p - buf) && (i = php_mysqlnd_net_field_length(&p))) {\n\t\t\tpacket->message_len = MIN(i, buf_len - (p - begin));\n\t\t\tpacket->message = mnd_pestrndup((char *)p, packet->message_len, FALSE);\n\t\t} else {\n\t\t\tpacket->message = NULL;\n\t\t\tpacket->message_len = 0;\n\t\t}\n\n\t\tDBG_INF_FMT(\"OK packet: aff_rows=%lld last_ins_id=%ld server_status=%u warnings=%u\",\n\t\t\t\t\tpacket->affected_rows, packet->last_insert_id, packet->server_status,\n\t\t\t\t\tpacket->warning_count);\n\t}\n\n\tDBG_RETURN(PASS);\npremature_end:\n\tDBG_ERR_FMT(\"OK packet %d bytes shorter than expected\", p - begin - packet->header.size);\n\tphp_error_docref(NULL TSRMLS_CC, E_WARNING, \"AUTH_RESPONSE packet \"MYSQLND_SZ_T_SPEC\" bytes shorter than expected\",\n\t\t\t\t\t p - begin - packet->header.size);\n\tDBG_RETURN(FAIL);", "project": "php-src", "hash": 208167077294731302826144475612610847242, "size": 87, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416682 }, { "func": "static inline u32 __tcp_set_rto(const struct tcp_sock *tp)\n{\n\treturn usecs_to_jiffies((tp->srtt_us >> 3) + tp->rttvar_us);\n}", "project": "linux", "hash": 170463527557529761013909309062979360838, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty 
skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410737 }, { "func": "void wsrep_sst_auth_free()\n{\n if (wsrep_sst_auth) { my_free ((void*)wsrep_sst_auth); }\n if (sst_auth_real) { free (const_cast(sst_auth_real)); }\n wsrep_sst_auth= NULL;\n sst_auth_real= NULL;\n}", "project": "mysql-wsrep", "hash": 68345818993140302741700285975873774818, "size": 7, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454810 }, { "func": "static int add_missing_contig_hrec(bcf_hdr_t *h, const char *name) {\n bcf_hrec_t *hrec = calloc(1, sizeof(bcf_hrec_t));\n int save_errno;\n if (!hrec) goto fail;\n\n hrec->key = strdup(\"contig\");\n if (!hrec->key) goto fail;\n\n if (bcf_hrec_add_key(hrec, \"ID\", strlen(\"ID\")) < 0) goto fail;\n if (bcf_hrec_set_val(hrec, hrec->nkeys-1, name, strlen(name), 0) < 0)\n goto fail;\n if (bcf_hdr_add_hrec(h, hrec) < 0)\n goto fail;\n return 0;\n\n fail:\n save_errno = errno;\n hts_log_error(\"%s\", strerror(errno));\n if (hrec) bcf_hrec_destroy(hrec);\n errno = save_errno;\n return -1;\n}", "project": "htslib", "hash": 142772993206413148724811423884910863572, "size": 22, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402138 }, { "func": "static u8 append_appearance(struct hci_dev *hdev, u8 *ptr, u8 ad_len)\n{\n\treturn eir_append_le16(ptr, ad_len, EIR_APPEARANCE, hdev->appearance);\n}", "project": "linux", "hash": 111218508545443953171890168522708695273, "size": 4, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402520 }, { "func": "static void tcp_init_metrics(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct dst_entry *dst = __sk_dst_get(sk);\n\n\tif (dst == NULL)\n\t\tgoto reset;\n\n\tdst_confirm(dst);\n\n\tif (dst_metric_locked(dst, RTAX_CWND))\n\t\ttp->snd_cwnd_clamp = dst_metric(dst, RTAX_CWND);\n\tif (dst_metric(dst, RTAX_SSTHRESH)) {\n\t\ttp->snd_ssthresh = dst_metric(dst, RTAX_SSTHRESH);\n\t\tif (tp->snd_ssthresh > tp->snd_cwnd_clamp)\n\t\t\ttp->snd_ssthresh = tp->snd_cwnd_clamp;\n\t} else {\n\t\t/* ssthresh may have been reduced unnecessarily during.\n\t\t * 3WHS. Restore it back to its initial default.\n\t\t */\n\t\ttp->snd_ssthresh = TCP_INFINITE_SSTHRESH;\n\t}\n\tif (dst_metric(dst, RTAX_REORDERING) &&\n\t tp->reordering != dst_metric(dst, RTAX_REORDERING)) {\n\t\ttcp_disable_fack(tp);\n\t\ttp->reordering = dst_metric(dst, RTAX_REORDERING);\n\t}\n\n\tif (dst_metric(dst, RTAX_RTT) == 0 || tp->srtt == 0)\n\t\tgoto reset;\n\n\t/* Initial rtt is determined from SYN,SYN-ACK.\n\t * The segment is small and rtt may appear much\n\t * less than real one. Use per-dst memory\n\t * to make it more realistic.\n\t *\n\t * A bit of theory. RTT is time passed after \"normal\" sized packet\n\t * is sent until it is ACKed. In normal circumstances sending small\n\t * packets force peer to delay ACKs and calculation is correct too.\n\t * The algorithm is adaptive and, provided we follow specs, it\n\t * NEVER underestimate RTT. BUT! 
If peer tries to make some clever\n\t * tricks sort of \"quick acks\" for time long enough to decrease RTT\n\t * to low value, and then abruptly stops to do it and starts to delay\n\t * ACKs, wait for troubles.\n\t */\n\tif (dst_metric_rtt(dst, RTAX_RTT) > tp->srtt) {\n\t\ttp->srtt = dst_metric_rtt(dst, RTAX_RTT);\n\t\ttp->rtt_seq = tp->snd_nxt;\n\t}\n\tif (dst_metric_rtt(dst, RTAX_RTTVAR) > tp->mdev) {\n\t\ttp->mdev = dst_metric_rtt(dst, RTAX_RTTVAR);\n\t\ttp->mdev_max = tp->rttvar = max(tp->mdev, tcp_rto_min(sk));\n\t}\n\ttcp_set_rto(sk);\nreset:\n\tif (tp->srtt == 0) {\n\t\t/* RFC2988bis: We've failed to get a valid RTT sample from\n\t\t * 3WHS. This is most likely due to retransmission,\n\t\t * including spurious one. Reset the RTO back to 3secs\n\t\t * from the more aggressive 1sec to avoid more spurious\n\t\t * retransmission.\n\t\t */\n\t\ttp->mdev = tp->mdev_max = tp->rttvar = TCP_TIMEOUT_FALLBACK;\n\t\tinet_csk(sk)->icsk_rto = TCP_TIMEOUT_FALLBACK;\n\t}\n\t/* Cut cwnd down to 1 per RFC5681 if SYN or SYN-ACK has been\n\t * retransmitted. In light of RFC2988bis' more aggressive 1sec\n\t * initRTO, we only reset cwnd when more than 1 SYN/SYN-ACK\n\t * retransmission has occurred.\n\t */\n\tif (tp->total_retrans > 1)\n\t\ttp->snd_cwnd = 1;\n\telse\n\t\ttp->snd_cwnd = tcp_init_cwnd(tp, dst);\n\ttp->snd_cwnd_stamp = tcp_time_stamp;\n}", "project": "net-next", "hash": 125613172294335096202995158225934837370, "size": 76, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409926 }, { "func": "static void write_filter_data(struct rar5* rar, uint32_t offset,\n uint32_t value)\n{\n\tarchive_le32enc(&rar->cstate.filtered_buf[offset], value);\n}", "project": "libarchive", "hash": 263652965156085510985832937753981160453, "size": 5, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244753 }, { "func": "static int ca8210_net_rx(struct ieee802154_hw *hw, u8 *command, size_t len)\n{\n\tstruct ca8210_priv *priv = hw->priv;\n\tunsigned long flags;\n\tu8 status;\n\n\tdev_dbg(&priv->spi->dev, \"%s: CmdID = %d\\n\", __func__, command[0]);\n\n\tif (command[0] == SPI_MCPS_DATA_INDICATION) {\n\t\t/* Received data */\n\t\tspin_lock_irqsave(&priv->lock, flags);\n\t\tif (command[26] == priv->last_dsn) {\n\t\t\tdev_dbg(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"DSN %d resend received, ignoring...\\n\",\n\t\t\t\tcommand[26]\n\t\t\t);\n\t\t\tspin_unlock_irqrestore(&priv->lock, flags);\n\t\t\treturn 0;\n\t\t}\n\t\tpriv->last_dsn = command[26];\n\t\tspin_unlock_irqrestore(&priv->lock, flags);\n\t\treturn ca8210_skb_rx(hw, len - 2, command + 2);\n\t} else if (command[0] == SPI_MCPS_DATA_CONFIRM) {\n\t\tstatus = command[3];\n\t\tif (priv->async_tx_pending) {\n\t\t\treturn 
ca8210_async_xmit_complete(\n\t\t\t\thw,\n\t\t\t\tcommand[2],\n\t\t\t\tstatus\n\t\t\t);\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 53074794967362683222466084123001179276, "size": 36, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408792 }, { "func": "static inline void TCP_ECN_rcv_syn(struct tcp_sock *tp, const struct tcphdr *th)\n{\n\tif ((tp->ecn_flags & TCP_ECN_OK) && (!th->ece || !th->cwr))\n\t\ttp->ecn_flags &= ~TCP_ECN_OK;\n}", "project": "net-next", "hash": 11644127048326312328296394747189770201, "size": 5, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409894 }, { "func": "int kvm_s390_vcpu_start(struct kvm_vcpu *vcpu)\n{\n\tint i, online_vcpus, r = 0, started_vcpus = 0;\n\n\tif (!is_vcpu_stopped(vcpu))\n\t\treturn 0;\n\n\ttrace_kvm_s390_vcpu_start_stop(vcpu->vcpu_id, 1);\n\t/* Only one cpu at a time may enter/leave the STOPPED state. 
*/\n\tspin_lock(&vcpu->kvm->arch.start_stop_lock);\n\tonline_vcpus = atomic_read(&vcpu->kvm->online_vcpus);\n\n\t/* Let's tell the UV that we want to change into the operating state */\n\tif (kvm_s390_pv_cpu_is_protected(vcpu)) {\n\t\tr = kvm_s390_pv_set_cpu_state(vcpu, PV_CPU_STATE_OPR);\n\t\tif (r) {\n\t\t\tspin_unlock(&vcpu->kvm->arch.start_stop_lock);\n\t\t\treturn r;\n\t\t}\n\t}\n\n\tfor (i = 0; i < online_vcpus; i++) {\n\t\tif (!is_vcpu_stopped(vcpu->kvm->vcpus[i]))\n\t\t\tstarted_vcpus++;\n\t}\n\n\tif (started_vcpus == 0) {\n\t\t/* we're the only active VCPU -> speed it up */\n\t\t__enable_ibs_on_vcpu(vcpu);\n\t} else if (started_vcpus == 1) {\n\t\t/*\n\t\t * As we are starting a second VCPU, we have to disable\n\t\t * the IBS facility on all VCPUs to remove potentially\n\t\t * oustanding ENABLE requests.\n\t\t */\n\t\t__disable_ibs_on_all_vcpus(vcpu->kvm);\n\t}\n\n\tkvm_s390_clear_cpuflags(vcpu, CPUSTAT_STOPPED);\n\t/*\n\t * The real PSW might have changed due to a RESTART interpreted by the\n\t * ultravisor. 
We block all interrupts and let the next sie exit\n\t * refresh our view.\n\t */\n\tif (kvm_s390_pv_cpu_is_protected(vcpu))\n\t\tvcpu->arch.sie_block->gpsw.mask &= ~PSW_INT_MASK;\n\t/*\n\t * Another VCPU might have used IBS while we were offline.\n\t * Let's play safe and flush the VCPU at startup.\n\t */\n\tkvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);\n\tspin_unlock(&vcpu->kvm->arch.start_stop_lock);\n\treturn 0;\n}", "project": "linux", "hash": 98580303088621891565139406283556483470, "size": 54, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354417 }, { "func": "static int sctp_getsockopt_peeloff_common(struct sock *sk, sctp_peeloff_arg_t *peeloff,\n\t\t\t\t\t struct file **newfile, unsigned flags)\n{\n\tstruct socket *newsock;\n\tint retval;\n\n\tretval = sctp_do_peeloff(sk, peeloff->associd, &newsock);\n\tif (retval < 0)\n\t\tgoto out;\n\n\t/* Map the socket to an unused fd that can be returned to the user. 
*/\n\tretval = get_unused_fd_flags(flags & SOCK_CLOEXEC);\n\tif (retval < 0) {\n\t\tsock_release(newsock);\n\t\tgoto out;\n\t}\n\n\t*newfile = sock_alloc_file(newsock, 0, NULL);\n\tif (IS_ERR(*newfile)) {\n\t\tput_unused_fd(retval);\n\t\tretval = PTR_ERR(*newfile);\n\t\t*newfile = NULL;\n\t\treturn retval;\n\t}\n\n\tpr_debug(\"%s: sk:%p, newsk:%p, sd:%d\\n\", __func__, sk, newsock->sk,\n\t\t retval);\n\n\tpeeloff->sd = retval;\n\n\tif (flags & SOCK_NONBLOCK)\n\t\t(*newfile)->f_flags |= O_NONBLOCK;\nout:\n\treturn retval;\n}", "project": "linux", "hash": 149972596017011789462229286255145163004, "size": 35, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398182 }, { "func": "static void nfs4_xdr_enc_getacl(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\tconst void *data)\n{\n\tconst struct nfs_getaclargs *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\tconst __u32 nfs4_acl_bitmap[1] = {\n\t\t[0] = FATTR4_WORD0_ACL,\n\t};\n\tuint32_t replen;\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\treplen = hdr.replen + op_decode_hdr_maxsz;\n\tencode_getattr(xdr, nfs4_acl_bitmap, NULL,\n\t\t\tARRAY_SIZE(nfs4_acl_bitmap), &hdr);\n\n\trpc_prepare_reply_pages(req, args->acl_pages, 0,\n\t\t\t\targs->acl_len, replen + 1);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 239226373883514955160315642791458090979, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431302 }, { "func": "int blosc_compname_to_compcode(const char* compname) {\n int code = -1; /* -1 means non-existent compressor code */\n\n if (strcmp(compname, BLOSC_BLOSCLZ_COMPNAME) == 0) {\n code = BLOSC_BLOSCLZ;\n }\n#if defined(HAVE_LZ4)\n else if (strcmp(compname, BLOSC_LZ4_COMPNAME) == 0) {\n code = BLOSC_LZ4;\n }\n else if (strcmp(compname, BLOSC_LZ4HC_COMPNAME) == 0) {\n code = BLOSC_LZ4HC;\n }\n#endif /* HAVE_LZ4 */\n#if defined(HAVE_LIZARD)\n else if (strcmp(compname, BLOSC_LIZARD_COMPNAME) == 0) {\n code = BLOSC_LIZARD;\n }\n#endif /* HAVE_LIZARD */\n#if defined(HAVE_SNAPPY)\n else if (strcmp(compname, 
BLOSC_SNAPPY_COMPNAME) == 0) {\n code = BLOSC_SNAPPY;\n }\n#endif /* HAVE_SNAPPY */\n#if defined(HAVE_ZLIB)\n else if (strcmp(compname, BLOSC_ZLIB_COMPNAME) == 0) {\n code = BLOSC_ZLIB;\n }\n#endif /* HAVE_ZLIB */\n#if defined(HAVE_ZSTD)\n else if (strcmp(compname, BLOSC_ZSTD_COMPNAME) == 0) {\n code = BLOSC_ZSTD;\n }\n#endif /* HAVE_ZSTD */\n\n return code;\n}", "project": "c-blosc2", "hash": 140822477222778638385748022877366299003, "size": 37, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303080 }, { "func": "static uint32 GetLinearSlideDownTable (const CSoundFile *sndFile, uint32 i) { MPT_ASSERT(i < CountOf(LinearSlideDownTable)); return sndFile->m_playBehaviour[kHertzInLinearMode] ? LinearSlideDownTable[i] : LinearSlideUpTable[i]; }", "project": "openmpt", "hash": 28798000402585471168465700067752999836, "size": 1, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255190 }, { "func": "static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_cp_le_set_ext_scan_params *cp;\n\t__u8 status = *((__u8 *) skb->data);\n\tstruct hci_cp_le_scan_phy_params *phy_param;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);\n\tif (!cp)\n\t\treturn;\n\n\tphy_param = (void *)cp->data;\n\n\thci_dev_lock(hdev);\n\n\thdev->le_scan_type = phy_param->type;\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 
77661906828868756815164880978470671258, "size": 24, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431966 }, { "func": "void pcre_dump_cache(folly::File& file) {\n s_pcreCache.dump(file);\n}", "project": "hhvm", "hash": 288658546409473054940323821895841231108, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219826 }, { "func": "static long kvm_vm_ioctl_check_extension_generic(struct kvm *kvm, long arg)\n{\n\tswitch (arg) {\n\tcase KVM_CAP_USER_MEMORY:\n\tcase KVM_CAP_DESTROY_MEMORY_REGION_WORKS:\n\tcase KVM_CAP_JOIN_MEMORY_REGIONS_WORKS:\n\tcase KVM_CAP_INTERNAL_ERROR_DATA:\n#ifdef CONFIG_HAVE_KVM_MSI\n\tcase KVM_CAP_SIGNAL_MSI:\n#endif\n#ifdef CONFIG_HAVE_KVM_IRQFD\n\tcase KVM_CAP_IRQFD:\n\tcase KVM_CAP_IRQFD_RESAMPLE:\n#endif\n\tcase KVM_CAP_IOEVENTFD_ANY_LENGTH:\n\tcase KVM_CAP_CHECK_EXTENSION_VM:\n\tcase KVM_CAP_ENABLE_CAP_VM:\n\t\treturn 1;\n#ifdef CONFIG_KVM_MMIO\n\tcase KVM_CAP_COALESCED_MMIO:\n\t\treturn KVM_COALESCED_MMIO_PAGE_OFFSET;\n\tcase KVM_CAP_COALESCED_PIO:\n\t\treturn 1;\n#endif\n#ifdef CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT\n\tcase KVM_CAP_MANUAL_DIRTY_LOG_PROTECT2:\n\t\treturn KVM_DIRTY_LOG_MANUAL_CAPS;\n#endif\n#ifdef CONFIG_HAVE_KVM_IRQ_ROUTING\n\tcase KVM_CAP_IRQ_ROUTING:\n\t\treturn 
KVM_MAX_IRQ_ROUTES;\n#endif\n#if KVM_ADDRESS_SPACE_NUM > 1\n\tcase KVM_CAP_MULTI_ADDRESS_SPACE:\n\t\treturn KVM_ADDRESS_SPACE_NUM;\n#endif\n\tcase KVM_CAP_NR_MEMSLOTS:\n\t\treturn KVM_USER_MEM_SLOTS;\n\tdefault:\n\t\tbreak;\n\t}\n\treturn kvm_vm_ioctl_check_extension(kvm, arg);\n}", "project": "linux", "hash": 300347577846432705905522071031860422837, "size": 43, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354541 }, { "func": "static long kvm_vm_ioctl_check_extension_generic(struct kvm *kvm, long arg)\n{\n\tswitch (arg) {\n\tcase KVM_CAP_USER_MEMORY:\n\tcase KVM_CAP_DESTROY_MEMORY_REGION_WORKS:\n\tcase KVM_CAP_JOIN_MEMORY_REGIONS_WORKS:\n\tcase KVM_CAP_INTERNAL_ERROR_DATA:\n#ifdef CONFIG_HAVE_KVM_MSI\n\tcase KVM_CAP_SIGNAL_MSI:\n#endif\n#ifdef CONFIG_HAVE_KVM_IRQFD\n\tcase KVM_CAP_IRQFD:\n\tcase KVM_CAP_IRQFD_RESAMPLE:\n#endif\n\tcase KVM_CAP_IOEVENTFD_ANY_LENGTH:\n\tcase KVM_CAP_CHECK_EXTENSION_VM:\n\tcase KVM_CAP_ENABLE_CAP_VM:\n\tcase KVM_CAP_HALT_POLL:\n\t\treturn 1;\n#ifdef CONFIG_KVM_MMIO\n\tcase KVM_CAP_COALESCED_MMIO:\n\t\treturn KVM_COALESCED_MMIO_PAGE_OFFSET;\n\tcase KVM_CAP_COALESCED_PIO:\n\t\treturn 1;\n#endif\n#ifdef CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT\n\tcase KVM_CAP_MANUAL_DIRTY_LOG_PROTECT2:\n\t\treturn KVM_DIRTY_LOG_MANUAL_CAPS;\n#endif\n#ifdef 
CONFIG_HAVE_KVM_IRQ_ROUTING\n\tcase KVM_CAP_IRQ_ROUTING:\n\t\treturn KVM_MAX_IRQ_ROUTES;\n#endif\n#if KVM_ADDRESS_SPACE_NUM > 1\n\tcase KVM_CAP_MULTI_ADDRESS_SPACE:\n\t\treturn KVM_ADDRESS_SPACE_NUM;\n#endif\n\tcase KVM_CAP_NR_MEMSLOTS:\n\t\treturn KVM_USER_MEM_SLOTS;\n\tcase KVM_CAP_DIRTY_LOG_RING:\n#if KVM_DIRTY_LOG_PAGE_OFFSET > 0\n\t\treturn KVM_DIRTY_RING_MAX_ENTRIES * sizeof(struct kvm_dirty_gfn);\n#else\n\t\treturn 0;\n#endif\n\tdefault:\n\t\tbreak;\n\t}\n\treturn kvm_vm_ioctl_check_extension(kvm, arg);\n}", "project": "linux", "hash": 58741517141527969490768631679503898477, "size": 50, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404093 }, { "func": "static inline void sync_cr8_to_lapic(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (svm_nested_virtualize_tpr(vcpu))\n\t\treturn;\n\n\tif (!is_cr_intercept(svm, INTERCEPT_CR8_WRITE)) {\n\t\tint cr8 = svm->vmcb->control.int_ctl & V_TPR_MASK;\n\t\tkvm_set_cr8(vcpu, cr8);\n\t}\n}", "project": "linux", "hash": 167244870332077239967136185146828491538, "size": 12, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in 
svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432567 }, { "func": "static inline void sync_cr8_to_lapic(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (is_guest_mode(vcpu) && (vcpu->arch.hflags & HF_VINTR_MASK))\n\t\treturn;\n\n\tif (!is_cr_intercept(svm, INTERCEPT_CR8_WRITE)) {\n\t\tint cr8 = svm->vmcb->control.int_ctl & V_TPR_MASK;\n\t\tkvm_set_cr8(vcpu, cr8);\n\t}\n}", "project": "kvm", "hash": 9825029085837951107666976674288786141, "size": 12, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437632 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "SoftwareFrame::SoftwareFrame(\n base::WeakPtr frame_manager_client,\n uint32 output_surface_id,\n unsigned frame_id,\n float frame_device_scale_factor,\n gfx::Size frame_size_pixels,\n scoped_ptr shared_memory)\n : frame_manager_client_(frame_manager_client),\n output_surface_id_(output_surface_id),\n frame_id_(frame_id),\n frame_device_scale_factor_(frame_device_scale_factor),\n frame_size_pixels_(frame_size_pixels),\n shared_memory_(shared_memory.Pass()) {}\n", "cwe": "", "big_vul_idx": 129974, "idx": 179015, "hash": 30164852279931612110373215450954919070 }, { "func": "static void nfs4_xdr_enc_server_caps(struct rpc_rqst *req,\n\t\t\t\t struct 
xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs4_server_caps_arg *args = data;\n\tconst u32 *bitmask = args->bitmask;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fhandle, &hdr);\n\tencode_getattr(xdr, bitmask, NULL, 3, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 57929323692189162422403358448506357701, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431350 }, { "func": "static void encode_fs_locations(struct xdr_stream *xdr, const u32* bitmask, struct compound_hdr *hdr)\n{\n\tencode_getattr(xdr, nfs4_fs_locations_bitmap, bitmask,\n\t\t\tARRAY_SIZE(nfs4_fs_locations_bitmap), hdr);\n}", "project": "linux", "hash": 238753366650804240293808893390498675935, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431430 }, { "func": "static void nfs4_bitmap_copy_adjust(__u32 *dst, const __u32 *src,\n\t\tstruct inode *inode)\n{\n\tunsigned long cache_validity;\n\n\tmemcpy(dst, src, 
NFS4_BITMASK_SZ*sizeof(*dst));\n\tif (!inode || !nfs4_have_delegation(inode, FMODE_READ))\n\t\treturn;\n\n\tcache_validity = READ_ONCE(NFS_I(inode)->cache_validity);\n\tif (!(cache_validity & NFS_INO_REVAL_FORCED))\n\t\tcache_validity &= ~(NFS_INO_INVALID_CHANGE\n\t\t\t\t| NFS_INO_INVALID_SIZE);\n\n\tif (!(cache_validity & NFS_INO_INVALID_SIZE))\n\t\tdst[0] &= ~FATTR4_WORD0_SIZE;\n\n\tif (!(cache_validity & NFS_INO_INVALID_CHANGE))\n\t\tdst[0] &= ~FATTR4_WORD0_CHANGE;\n}", "project": "linux", "hash": 333252411867111323315502188068411234405, "size": 20, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431192 }, { "func": "static OPJ_BOOL opj_j2k_write_coc(opj_j2k_t *p_j2k,\n OPJ_UINT32 p_comp_no,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n OPJ_UINT32 l_coc_size, l_remaining_size;\n OPJ_UINT32 l_comp_room;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n l_comp_room = (p_j2k->m_private_image->numcomps <= 256) ? 1 : 2;\n\n l_coc_size = 5 + l_comp_room + opj_j2k_get_SPCod_SPCoc_size(p_j2k,\n p_j2k->m_current_tile_number, p_comp_no);\n\n if (l_coc_size > p_j2k->m_specific_param.m_encoder.m_header_tile_data_size) {\n OPJ_BYTE *new_header_tile_data;\n /*p_j2k->m_specific_param.m_encoder.m_header_tile_data\n = (OPJ_BYTE*)opj_realloc(\n p_j2k->m_specific_param.m_encoder.m_header_tile_data,\n l_coc_size);*/\n\n new_header_tile_data = (OPJ_BYTE *) opj_realloc(\n p_j2k->m_specific_param.m_encoder.m_header_tile_data, l_coc_size);\n if (! 
new_header_tile_data) {\n opj_free(p_j2k->m_specific_param.m_encoder.m_header_tile_data);\n p_j2k->m_specific_param.m_encoder.m_header_tile_data = NULL;\n p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = 0;\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to write COC marker\\n\");\n return OPJ_FALSE;\n }\n p_j2k->m_specific_param.m_encoder.m_header_tile_data = new_header_tile_data;\n p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = l_coc_size;\n }\n\n opj_j2k_write_coc_in_memory(p_j2k, p_comp_no,\n p_j2k->m_specific_param.m_encoder.m_header_tile_data, &l_remaining_size,\n p_manager);\n\n if (opj_stream_write_data(p_stream,\n p_j2k->m_specific_param.m_encoder.m_header_tile_data, l_coc_size,\n p_manager) != l_coc_size) {\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 134059823596521987350951010149294359087, "size": 50, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357348 }, { "func": "static void SpatialMaxPoolWithArgMaxHelper(\n OpKernelContext* context, Tensor* output, Tensor* output_arg_max,\n Tensor* input_backprop, const Tensor& tensor_in, const Tensor& out_backprop,\n const PoolParameters& params, const bool include_batch_in_index) {\n if (input_backprop != nullptr) {\n OP_REQUIRES(\n context, include_batch_in_index,\n errors::Internal(\n \"SpatialMaxPoolWithArgMaxHelper requires include_batch_in_index \"\n \"to be True when input_backprop != nullptr\"));\n OP_REQUIRES(\n context, (std::is_same::value),\n errors::Internal(\"SpatialMaxPoolWithArgMaxHelper requires Targmax \"\n \"to be int64 when input_backprop != nullptr\"));\n }\n\n typedef Eigen::Map>\n ConstEigenMatrixMap;\n typedef Eigen::Map>\n EigenMatrixMap;\n typedef Eigen::Map>\n EigenIndexMatrixMap;\n\n ConstEigenMatrixMap in_mat(\n tensor_in.flat().data(), params.depth,\n 
params.tensor_in_cols * params.tensor_in_rows * params.tensor_in_batch);\n EigenMatrixMap out_mat(\n output->flat().data(), params.depth,\n params.out_width * params.out_height * params.tensor_in_batch);\n EigenIndexMatrixMap out_arg_max_mat(\n output_arg_max->flat().data(), params.depth,\n params.out_width * params.out_height * params.tensor_in_batch);\n\n const DeviceBase::CpuWorkerThreads& worker_threads =\n *(context->device()->tensorflow_cpu_worker_threads());\n\n // The following code basically does the following:\n // 1. Flattens the input and output tensors into two dimensional arrays.\n // tensor_in_as_matrix:\n // depth by (tensor_in_cols * tensor_in_rows * tensor_in_batch)\n // output_as_matrix:\n // depth by (out_width * out_height * tensor_in_batch)\n //\n // 2. Walks through the set of columns in the flattened tensor_in_as_matrix,\n // and updates the corresponding column(s) in output_as_matrix with the\n // max value.\n auto shard = [¶ms, &in_mat, &out_mat, &out_arg_max_mat, &input_backprop,\n &output_arg_max, &out_backprop,\n include_batch_in_index](int64 start, int64 limit) {\n const int32 depth = params.depth;\n const int32 in_rows = params.tensor_in_rows;\n const int32 in_cols = params.tensor_in_cols;\n const int32 pad_top = params.pad_top;\n const int32 pad_left = params.pad_left;\n const int32 window_rows = params.window_rows;\n const int32 window_cols = params.window_cols;\n const int32 row_stride = params.row_stride;\n const int32 col_stride = params.col_stride;\n const int32 out_height = params.out_height;\n const int32 out_width = params.out_width;\n\n {\n // Initializes the output tensor with MIN.\n const int32 output_image_size = out_height * out_width * depth;\n EigenMatrixMap out_shard(out_mat.data() + start * output_image_size, 1,\n (limit - start) * output_image_size);\n out_shard.setConstant(Eigen::NumTraits::lowest());\n EigenIndexMatrixMap out_arg_max_shard(\n out_arg_max_mat.data() + start * output_image_size, 1,\n (limit - start) 
* output_image_size);\n out_arg_max_shard.setConstant(kInvalidMaxPoolingIndex);\n }\n\n for (int64 b = start; b < limit; ++b) {\n for (int h = 0; h < in_rows; ++h) {\n for (int w = 0; w < in_cols; ++w) {\n // (h_start, h_end) * (w_start, w_end) is the range that the input\n // vector projects to.\n const int hpad = h + pad_top;\n const int wpad = w + pad_left;\n const int h_start =\n (hpad < window_rows) ? 0 : (hpad - window_rows) / row_stride + 1;\n const int h_end = std::min(hpad / row_stride + 1, out_height);\n const int w_start =\n (wpad < window_cols) ? 0 : (wpad - window_cols) / col_stride + 1;\n const int w_end = std::min(wpad / col_stride + 1, out_width);\n // compute elementwise max\n const int64 in_index = (b * in_rows + h) * in_cols + w;\n for (int ph = h_start; ph < h_end; ++ph) {\n const int64 out_index_base = (b * out_height + ph) * out_width;\n for (int pw = w_start; pw < w_end; ++pw) {\n const int64 out_index = out_index_base + pw;\n /// NOTES(zhengxq): not using the eigen matrix operation for\n /// now.\n for (int d = 0; d < depth; ++d) {\n const T& input_ref = in_mat.coeffRef(d, in_index);\n T& output_ref = out_mat.coeffRef(d, out_index);\n Targmax& out_arg_max_ref =\n out_arg_max_mat.coeffRef(d, out_index);\n if (output_ref < input_ref ||\n out_arg_max_ref == kInvalidMaxPoolingIndex) {\n output_ref = input_ref;\n if (include_batch_in_index) {\n out_arg_max_ref = in_index * depth + d;\n } else {\n out_arg_max_ref = (h * in_cols + w) * depth + d;\n }\n }\n }\n }\n }\n }\n }\n }\n\n if (input_backprop != nullptr) {\n auto input_backprop_flat = input_backprop->flat();\n auto out_arg_max_flat = output_arg_max->flat();\n auto out_backprop_flat = out_backprop.flat();\n\n // Initialize output to 0.\n const int64 in_size = in_rows * in_cols * depth;\n const int64 in_start = start * in_size;\n const int64 in_end = limit * in_size;\n EigenMatrixMap in_shard(input_backprop_flat.data() + in_start, 1,\n in_end - in_start);\n in_shard.setConstant(T(0));\n\n // 
Backpropagate.\n const int out_size = out_height * out_width * depth;\n const int out_start = start * out_size;\n const int out_end = limit * out_size;\n for (int index = out_start; index < out_end; ++index) {\n int input_backprop_index = out_arg_max_flat(index);\n // Although this check is in the inner loop, it is worth its value\n // so we don't end up with memory corruptions. Our benchmark shows that\n // the performance impact is quite small\n // CHECK(input_backprop_index >= in_start && input_backprop_index <\n // in_end)\n FastBoundsCheck(input_backprop_index - in_start, in_end - in_start);\n input_backprop_flat(input_backprop_index) += out_backprop_flat(index);\n }\n }\n };\n\n const int64 shard_cost = params.tensor_in_rows * params.tensor_in_cols *\n params.depth * params.window_rows *\n params.window_cols;\n Shard(worker_threads.num_threads, worker_threads.workers,\n params.tensor_in_batch, shard_cost, shard);\n}", "project": "tensorflow", "hash": 68179409679570044569453067278368921696, "size": 151, "commit_id": "a74768f8e4efbda4def9f16ee7e13cf3922ac5f7", "message": "Prevent heap OOB error in `MaxPoolGrad`\n\nPiperOrigin-RevId: 372424854\nChange-Id: Idac0f23867ad8b0601cafbaaa52d5e64269e63a7", "target": 1, "dataset": "other", "idx": 196935 }, { "func": "static void SpatialMaxPoolWithArgMaxHelper(\n OpKernelContext* context, Tensor* output, Tensor* output_arg_max,\n Tensor* input_backprop, const Tensor& tensor_in, const Tensor& out_backprop,\n const PoolParameters& params, const bool include_batch_in_index) {\n if (input_backprop != nullptr) {\n OP_REQUIRES(\n context, include_batch_in_index,\n errors::Internal(\n \"SpatialMaxPoolWithArgMaxHelper requires include_batch_in_index \"\n \"to be True when input_backprop != nullptr\"));\n OP_REQUIRES(\n context, (std::is_same::value),\n errors::Internal(\"SpatialMaxPoolWithArgMaxHelper requires Targmax \"\n \"to be int64 when input_backprop != nullptr\"));\n }\n\n typedef Eigen::Map>\n ConstEigenMatrixMap;\n 
typedef Eigen::Map>\n EigenMatrixMap;\n typedef Eigen::Map>\n EigenIndexMatrixMap;\n\n ConstEigenMatrixMap in_mat(\n tensor_in.flat().data(), params.depth,\n params.tensor_in_cols * params.tensor_in_rows * params.tensor_in_batch);\n EigenMatrixMap out_mat(\n output->flat().data(), params.depth,\n params.out_width * params.out_height * params.tensor_in_batch);\n EigenIndexMatrixMap out_arg_max_mat(\n output_arg_max->flat().data(), params.depth,\n params.out_width * params.out_height * params.tensor_in_batch);\n\n const DeviceBase::CpuWorkerThreads& worker_threads =\n *(context->device()->tensorflow_cpu_worker_threads());\n\n // The following code basically does the following:\n // 1. Flattens the input and output tensors into two dimensional arrays.\n // tensor_in_as_matrix:\n // depth by (tensor_in_cols * tensor_in_rows * tensor_in_batch)\n // output_as_matrix:\n // depth by (out_width * out_height * tensor_in_batch)\n //\n // 2. Walks through the set of columns in the flattened tensor_in_as_matrix,\n // and updates the corresponding column(s) in output_as_matrix with the\n // max value.\n auto shard = [¶ms, &in_mat, &out_mat, &out_arg_max_mat, &input_backprop,\n &output_arg_max, &out_backprop,\n include_batch_in_index](int64 start, int64 limit) {\n const int32 depth = params.depth;\n const int32 in_rows = params.tensor_in_rows;\n const int32 in_cols = params.tensor_in_cols;\n const int32 pad_top = params.pad_top;\n const int32 pad_left = params.pad_left;\n const int32 window_rows = params.window_rows;\n const int32 window_cols = params.window_cols;\n const int32 row_stride = params.row_stride;\n const int32 col_stride = params.col_stride;\n const int32 out_height = params.out_height;\n const int32 out_width = params.out_width;\n\n {\n // Initializes the output tensor with MIN.\n const int32 output_image_size = out_height * out_width * depth;\n EigenMatrixMap out_shard(out_mat.data() + start * output_image_size, 1,\n (limit - start) * output_image_size);\n 
out_shard.setConstant(Eigen::NumTraits::lowest());\n EigenIndexMatrixMap out_arg_max_shard(\n out_arg_max_mat.data() + start * output_image_size, 1,\n (limit - start) * output_image_size);\n out_arg_max_shard.setConstant(kInvalidMaxPoolingIndex);\n }\n\n for (int64 b = start; b < limit; ++b) {\n for (int h = 0; h < in_rows; ++h) {\n for (int w = 0; w < in_cols; ++w) {\n // (h_start, h_end) * (w_start, w_end) is the range that the input\n // vector projects to.\n const int hpad = h + pad_top;\n const int wpad = w + pad_left;\n const int h_start =\n (hpad < window_rows) ? 0 : (hpad - window_rows) / row_stride + 1;\n const int h_end = std::min(hpad / row_stride + 1, out_height);\n const int w_start =\n (wpad < window_cols) ? 0 : (wpad - window_cols) / col_stride + 1;\n const int w_end = std::min(wpad / col_stride + 1, out_width);\n // compute elementwise max\n const int64 in_index = (b * in_rows + h) * in_cols + w;\n for (int ph = h_start; ph < h_end; ++ph) {\n const int64 out_index_base = (b * out_height + ph) * out_width;\n for (int pw = w_start; pw < w_end; ++pw) {\n const int64 out_index = out_index_base + pw;\n /// NOTES(zhengxq): not using the eigen matrix operation for\n /// now.\n for (int d = 0; d < depth; ++d) {\n const T& input_ref = in_mat.coeffRef(d, in_index);\n T& output_ref = out_mat.coeffRef(d, out_index);\n Targmax& out_arg_max_ref =\n out_arg_max_mat.coeffRef(d, out_index);\n if (output_ref < input_ref ||\n out_arg_max_ref == kInvalidMaxPoolingIndex) {\n output_ref = input_ref;\n if (include_batch_in_index) {\n out_arg_max_ref = in_index * depth + d;\n } else {\n out_arg_max_ref = (h * in_cols + w) * depth + d;\n }\n }\n }\n }\n }\n }\n }\n }\n\n if (input_backprop != nullptr) {\n auto input_backprop_flat = input_backprop->flat();\n auto out_arg_max_flat = output_arg_max->flat();\n auto out_backprop_flat = out_backprop.flat();\n\n // Initialize output to 0.\n const int64 in_size = in_rows * in_cols * depth;\n const int64 in_start = start * 
in_size;\n const int64 in_end = limit * in_size;\n EigenMatrixMap in_shard(input_backprop_flat.data() + in_start, 1,\n in_end - in_start);\n in_shard.setConstant(T(0));\n\n // Backpropagate.\n const int out_size = out_height * out_width * depth;\n const int out_start = start * out_size;\n const int out_end = limit * out_size;\n for (int index = out_start; index < out_end; ++index) {\n int input_backprop_index = out_arg_max_flat(index);\n // Although this check is in the inner loop, it is worth its value\n // so we don't end up with memory corruptions. Our benchmark shows that\n // the performance impact is quite small\n // CHECK(input_backprop_index >= in_start && input_backprop_index <\n // in_end)\n FastBoundsCheck(input_backprop_index - in_start, in_end - in_start);\n if (index < out_backprop.NumElements()) {\n input_backprop_flat(input_backprop_index) += out_backprop_flat(index);\n }\n }\n }\n };\n\n const int64 shard_cost = params.tensor_in_rows * params.tensor_in_cols *\n params.depth * params.window_rows *\n params.window_cols;\n Shard(worker_threads.num_threads, worker_threads.workers,\n params.tensor_in_batch, shard_cost, shard);\n}", "project": "tensorflow", "hash": 19671573270094211449128076626686963676, "size": 153, "commit_id": "a74768f8e4efbda4def9f16ee7e13cf3922ac5f7", "message": "Prevent heap OOB error in `MaxPoolGrad`\n\nPiperOrigin-RevId: 372424854\nChange-Id: Idac0f23867ad8b0601cafbaaa52d5e64269e63a7", "target": 0, "dataset": "other", "idx": 248727 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "AudioContext::AudioContext(Document* document)\n : ActiveDOMObject(document)\n , m_isStopScheduled(false)\n , m_isCleared(false)\n , m_isInitialized(false)\n , m_destinationNode(nullptr)\n , m_isResolvingResumePromises(false)\n , m_automaticPullNodesNeedUpdating(false)\n , m_connectionCount(0)\n , m_didInitializeContextGraphMutex(false)\n , m_audioThread(0)\n , m_isOfflineContext(false)\n , 
m_contextState(Suspended)\n , m_cachedSampleFrame(0)\n{\n m_didInitializeContextGraphMutex = true;\n m_destinationNode = DefaultAudioDestinationNode::create(this);\n\n initialize();\n#if DEBUG_AUDIONODE_REFERENCES\n fprintf(stderr, \"%p: AudioContext::AudioContext() #%u\\n\", this, AudioContext::s_hardwareContextCount);\n#endif\n}\n", "cwe": "", "big_vul_idx": 139618, "idx": 124770, "hash": 85700502182909809907935756093228418573 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "AudioContext::AudioContext(Document* document, unsigned numberOfChannels, size_t numberOfFrames, float sampleRate)\n : ActiveDOMObject(document)\n , m_isStopScheduled(false)\n , m_isCleared(false)\n , m_isInitialized(false)\n , m_destinationNode(nullptr)\n , m_isResolvingResumePromises(false)\n , m_automaticPullNodesNeedUpdating(false)\n , m_connectionCount(0)\n , m_didInitializeContextGraphMutex(false)\n , m_audioThread(0)\n , m_isOfflineContext(true)\n , m_contextState(Suspended)\n , m_cachedSampleFrame(0)\n{\n m_didInitializeContextGraphMutex = true;\n m_renderTarget = AudioBuffer::create(numberOfChannels, numberOfFrames, sampleRate);\n if (m_renderTarget.get())\n m_destinationNode = OfflineAudioDestinationNode::create(this, m_renderTarget.get());\n\n initialize();\n}\n", "cwe": "", "big_vul_idx": 139619, "idx": 124771, "hash": 259393326163534500434292180674013441939 }, { "func": "static int fuse_unlink(struct inode *dir, struct dentry *entry)\n{\n\tint err;\n\tstruct fuse_mount *fm = get_fuse_mount(dir);\n\tFUSE_ARGS(args);\n\n\tif (fuse_is_bad(dir))\n\t\treturn -EIO;\n\n\targs.opcode = FUSE_UNLINK;\n\targs.nodeid = get_node_id(dir);\n\targs.in_numargs = 1;\n\targs.in_args[0].size = entry->d_name.len + 1;\n\targs.in_args[0].value = entry->d_name.name;\n\terr = fuse_simple_request(fm, &args);\n\tif (!err) {\n\t\tstruct inode *inode = d_inode(entry);\n\t\tstruct fuse_inode *fi = 
get_fuse_inode(inode);\n\n\t\tspin_lock(&fi->lock);\n\t\tfi->attr_version = atomic64_inc_return(&fm->fc->attr_version);\n\t\t/*\n\t\t * If i_nlink == 0 then unlink doesn't make sense, yet this can\n\t\t * happen if userspace filesystem is careless. It would be\n\t\t * difficult to enforce correct nlink usage so just ignore this\n\t\t * condition here\n\t\t */\n\t\tif (inode->i_nlink > 0)\n\t\t\tdrop_nlink(inode);\n\t\tspin_unlock(&fi->lock);\n\t\tfuse_invalidate_attr(inode);\n\t\tfuse_dir_changed(dir);\n\t\tfuse_invalidate_entry_cache(entry);\n\t\tfuse_update_ctime(inode);\n\t} else if (err == -EINTR)\n\t\tfuse_invalidate_entry(entry);\n\treturn err;\n}", "project": "linux", "hash": 118538667428979366447259431204518088917, "size": 38, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341920 }, { "func": "static void flush_sigqueue_mask(sigset_t *mask, struct sigpending *s)\n{\n\tstruct sigqueue *q, *n;\n\tsigset_t m;\n\n\tsigandsets(&m, mask, &s->signal);\n\tif (sigisemptyset(&m))\n\t\treturn;\n\n\tsigandnsets(&s->signal, &s->signal, mask);\n\tlist_for_each_entry_safe(q, n, &s->list, list) {\n\t\tif (sigismember(mask, q->info.si_signo)) {\n\t\t\tlist_del_init(&q->list);\n\t\t\t__sigqueue_free(q);\n\t\t}\n\t}\n}", "project": "linux", "hash": 116009833704452656395793081636747842284, "size": 17, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375238 }, { "func": "static int create_decode_tables(uint8_t* bit_length,\n struct decode_table* table, int size)\n{\n\tint code, upper_limit = 0, i, lc[16];\n\tuint32_t decode_pos_clone[rar5_countof(table->decode_pos)];\n\tssize_t cur_len, quick_data_size;\n\n\tmemset(&lc, 0, sizeof(lc));\n\tmemset(table->decode_num, 0, sizeof(table->decode_num));\n\ttable->size = size;\n\ttable->quick_bits = size == HUFF_NC ? 10 : 7;\n\n\tfor(i = 0; i < size; i++) {\n\t\tlc[bit_length[i] & 15]++;\n\t}\n\n\tlc[0] = 0;\n\ttable->decode_pos[0] = 0;\n\ttable->decode_len[0] = 0;\n\n\tfor(i = 1; i < 16; i++) {\n\t\tupper_limit += lc[i];\n\n\t\ttable->decode_len[i] = upper_limit << (16 - i);\n\t\ttable->decode_pos[i] = table->decode_pos[i - 1] + lc[i - 1];\n\n\t\tupper_limit <<= 1;\n\t}\n\n\tmemcpy(decode_pos_clone, table->decode_pos, sizeof(decode_pos_clone));\n\n\tfor(i = 0; i < size; i++) {\n\t\tuint8_t clen = bit_length[i] & 15;\n\t\tif(clen > 0) {\n\t\t\tint last_pos = decode_pos_clone[clen];\n\t\t\ttable->decode_num[last_pos] = i;\n\t\t\tdecode_pos_clone[clen]++;\n\t\t}\n\t}\n\n\tquick_data_size = (int64_t)1 << table->quick_bits;\n\tcur_len = 1;\n\tfor(code = 0; code < quick_data_size; code++) {\n\t\tint bit_field = code << (16 - table->quick_bits);\n\t\tint dist, pos;\n\n\t\twhile(cur_len < rar5_countof(table->decode_len) &&\n\t\t\t\tbit_field >= table->decode_len[cur_len]) {\n\t\t\tcur_len++;\n\t\t}\n\n\t\ttable->quick_len[code] = (uint8_t) cur_len;\n\n\t\tdist = bit_field - 
table->decode_len[cur_len - 1];\n\t\tdist >>= (16 - cur_len);\n\n\t\tpos = table->decode_pos[cur_len & 15] + dist;\n\t\tif(cur_len < rar5_countof(table->decode_pos) && pos < size) {\n\t\t\ttable->quick_num[code] = table->decode_num[pos];\n\t\t} else {\n\t\t\ttable->quick_num[code] = 0;\n\t\t}\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 113521758484101004960205084296259281754, "size": 66, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244735 }, { "func": "static int oidc_authenticate_user(request_rec *r, oidc_cfg *c,\n\t\toidc_provider_t *provider, const char *original_url,\n\t\tconst char *login_hint, const char *id_token_hint, const char *prompt,\n\t\tconst char *auth_request_params, const char *path_scope) {\n\n\toidc_debug(r, \"enter\");\n\n\tif (provider == NULL) {\n\n\t\t// TODO: should we use an explicit redirect to the discovery endpoint (maybe a \"discovery\" param to the redirect_uri)?\n\t\tif (c->metadata_dir != NULL)\n\t\t\treturn oidc_discovery(r, c);\n\n\t\t/* we're not using multiple OP's configured in a metadata directory, pick the statically configured OP */\n\t\tif (oidc_provider_static_config(r, c, &provider) == FALSE)\n\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\t/* generate the random nonce value that correlates 
requests and responses */\n\tchar *nonce = NULL;\n\tif (oidc_proto_generate_nonce(r, &nonce, OIDC_PROTO_NONCE_LENGTH) == FALSE)\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\n\tchar *pkce_state = NULL;\n\tchar *code_challenge = NULL;\n\n\tif ((oidc_util_spaced_string_contains(r->pool, provider->response_type,\n\t\t\tOIDC_PROTO_CODE) == TRUE) && (provider->pkce != NULL)) {\n\n\t\t/* generate the code verifier value that correlates authorization requests and code exchange requests */\n\t\tif (provider->pkce->state(r, &pkce_state) == FALSE)\n\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\n\t\t/* generate the PKCE code challenge */\n\t\tif (provider->pkce->challenge(r, pkce_state, &code_challenge) == FALSE)\n\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\t/* create the state between request/response */\n\toidc_proto_state_t *proto_state = oidc_proto_state_new();\n\toidc_proto_state_set_original_url(proto_state, original_url);\n\toidc_proto_state_set_original_method(proto_state,\n\t\t\toidc_original_request_method(r, c, TRUE));\n\toidc_proto_state_set_issuer(proto_state, provider->issuer);\n\toidc_proto_state_set_response_type(proto_state, provider->response_type);\n\toidc_proto_state_set_nonce(proto_state, nonce);\n\toidc_proto_state_set_timestamp_now(proto_state);\n\tif (provider->response_mode)\n\t\toidc_proto_state_set_response_mode(proto_state,\n\t\t\t\tprovider->response_mode);\n\tif (prompt)\n\t\toidc_proto_state_set_prompt(proto_state, prompt);\n\tif (pkce_state)\n\t\toidc_proto_state_set_pkce_state(proto_state, pkce_state);\n\n\t/* get a hash value that fingerprints the browser concatenated with the random input */\n\tchar *state = oidc_get_browser_state_hash(r, c, nonce);\n\n\t/*\n\t * create state that restores the context when the authorization response comes in\n\t * and cryptographically bind it to the browser\n\t */\n\tint rc = oidc_authorization_request_set_cookie(r, c, state, proto_state);\n\tif (rc != OK) 
{\n\t\toidc_proto_state_destroy(proto_state);\n\t\treturn rc;\n\t}\n\n\t/*\n\t * printout errors if Cookie settings are not going to work\n\t * TODO: separate this code out into its own function\n\t */\n\tapr_uri_t o_uri;\n\tmemset(&o_uri, 0, sizeof(apr_uri_t));\n\tapr_uri_t r_uri;\n\tmemset(&r_uri, 0, sizeof(apr_uri_t));\n\tapr_uri_parse(r->pool, original_url, &o_uri);\n\tapr_uri_parse(r->pool, oidc_get_redirect_uri(r, c), &r_uri);\n\tif ((apr_strnatcmp(o_uri.scheme, r_uri.scheme) != 0)\n\t\t\t&& (apr_strnatcmp(r_uri.scheme, \"https\") == 0)) {\n\t\toidc_error(r,\n\t\t\t\t\"the URL scheme (%s) of the configured \" OIDCRedirectURI \" does not match the URL scheme of the URL being accessed (%s): the \\\"state\\\" and \\\"session\\\" cookies will not be shared between the two!\",\n\t\t\t\tr_uri.scheme, o_uri.scheme);\n\t\toidc_proto_state_destroy(proto_state);\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\tif (c->cookie_domain == NULL) {\n\t\tif (apr_strnatcmp(o_uri.hostname, r_uri.hostname) != 0) {\n\t\t\tchar *p = strstr(o_uri.hostname, r_uri.hostname);\n\t\t\tif ((p == NULL) || (apr_strnatcmp(r_uri.hostname, p) != 0)) {\n\t\t\t\toidc_error(r,\n\t\t\t\t\t\t\"the URL hostname (%s) of the configured \" OIDCRedirectURI \" does not match the URL hostname of the URL being accessed (%s): the \\\"state\\\" and \\\"session\\\" cookies will not be shared between the two!\",\n\t\t\t\t\t\tr_uri.hostname, o_uri.hostname);\n\t\t\t\toidc_proto_state_destroy(proto_state);\n\t\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t\t\t}\n\t\t}\n\t} else {\n\t\tif (!oidc_util_cookie_domain_valid(r_uri.hostname, c->cookie_domain)) {\n\t\t\toidc_error(r,\n\t\t\t\t\t\"the domain (%s) configured in \" OIDCCookieDomain \" does not match the URL hostname (%s) of the URL being accessed (%s): setting \\\"state\\\" and \\\"session\\\" cookies will not work!!\",\n\t\t\t\t\tc->cookie_domain, o_uri.hostname, original_url);\n\t\t\toidc_proto_state_destroy(proto_state);\n\t\t\treturn 
HTTP_INTERNAL_SERVER_ERROR;\n\t\t}\n\t}\n\n\t/* send off to the OpenID Connect Provider */\n\t// TODO: maybe show intermediate/progress screen \"redirecting to\"\n\treturn oidc_proto_authorization_request(r, provider, login_hint,\n\t\t\toidc_get_redirect_uri_iss(r, c, provider), state, proto_state,\n\t\t\tid_token_hint, code_challenge, auth_request_params, path_scope);\n}", "project": "mod_auth_openidc", "hash": 91906823671883848161419104300562504669, "size": 114, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381933 }, { "func": "static int oidc_authenticate_user(request_rec *r, oidc_cfg *c,\n\t\toidc_provider_t *provider, const char *original_url,\n\t\tconst char *login_hint, const char *id_token_hint, const char *prompt,\n\t\tconst char *auth_request_params, const char *path_scope) {\n\n\toidc_debug(r, \"enter\");\n\n\tif (provider == NULL) {\n\n\t\t// TODO: should we use an explicit redirect to the discovery endpoint (maybe a \"discovery\" param to the redirect_uri)?\n\t\tif (c->metadata_dir != NULL)\n\t\t\treturn oidc_discovery(r, c);\n\n\t\t/* we're not using multiple OP's configured in a metadata directory, pick the statically configured OP */\n\t\tif (oidc_provider_static_config(r, c, &provider) == FALSE)\n\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\t/* generate the random nonce value that correlates requests and responses */\n\tchar *nonce = NULL;\n\tif (oidc_proto_generate_nonce(r, &nonce, OIDC_PROTO_NONCE_LENGTH) == FALSE)\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\n\tchar *pkce_state = NULL;\n\tchar *code_challenge = NULL;\n\n\tif ((oidc_util_spaced_string_contains(r->pool, provider->response_type,\n\t\t\tOIDC_PROTO_CODE) == TRUE) && (provider->pkce != NULL)) {\n\n\t\t/* generate the code verifier value that correlates 
authorization requests and code exchange requests */\n\t\tif (provider->pkce->state(r, &pkce_state) == FALSE)\n\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\n\t\t/* generate the PKCE code challenge */\n\t\tif (provider->pkce->challenge(r, pkce_state, &code_challenge) == FALSE)\n\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\t/* create the state between request/response */\n\toidc_proto_state_t *proto_state = oidc_proto_state_new();\n\toidc_proto_state_set_original_url(proto_state, original_url);\n\toidc_proto_state_set_original_method(proto_state,\n\t\t\toidc_original_request_method(r, c, TRUE));\n\toidc_proto_state_set_issuer(proto_state, provider->issuer);\n\toidc_proto_state_set_response_type(proto_state, provider->response_type);\n\toidc_proto_state_set_nonce(proto_state, nonce);\n\toidc_proto_state_set_timestamp_now(proto_state);\n\tif (provider->response_mode)\n\t\toidc_proto_state_set_response_mode(proto_state,\n\t\t\t\tprovider->response_mode);\n\tif (prompt)\n\t\toidc_proto_state_set_prompt(proto_state, prompt);\n\tif (pkce_state)\n\t\toidc_proto_state_set_pkce_state(proto_state, pkce_state);\n\n\t/* get a hash value that fingerprints the browser concatenated with the random input */\n\tchar *state = oidc_get_browser_state_hash(r, nonce);\n\n\t/*\n\t * create state that restores the context when the authorization response comes in\n\t * and cryptographically bind it to the browser\n\t */\n\tint rc = oidc_authorization_request_set_cookie(r, c, state, proto_state);\n\tif (rc != HTTP_OK) {\n\t\toidc_proto_state_destroy(proto_state);\n\t\treturn rc;\n\t}\n\n\t/*\n\t * printout errors if Cookie settings are not going to work\n\t * TODO: separate this code out into its own function\n\t */\n\tapr_uri_t o_uri;\n\tmemset(&o_uri, 0, sizeof(apr_uri_t));\n\tapr_uri_t r_uri;\n\tmemset(&r_uri, 0, sizeof(apr_uri_t));\n\tapr_uri_parse(r->pool, original_url, &o_uri);\n\tapr_uri_parse(r->pool, oidc_get_redirect_uri(r, c), &r_uri);\n\tif ((apr_strnatcmp(o_uri.scheme, 
r_uri.scheme) != 0)\n\t\t\t&& (apr_strnatcmp(r_uri.scheme, \"https\") == 0)) {\n\t\toidc_error(r,\n\t\t\t\t\"the URL scheme (%s) of the configured \" OIDCRedirectURI \" does not match the URL scheme of the URL being accessed (%s): the \\\"state\\\" and \\\"session\\\" cookies will not be shared between the two!\",\n\t\t\t\tr_uri.scheme, o_uri.scheme);\n\t\toidc_proto_state_destroy(proto_state);\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\tif (c->cookie_domain == NULL) {\n\t\tif (apr_strnatcmp(o_uri.hostname, r_uri.hostname) != 0) {\n\t\t\tchar *p = strstr(o_uri.hostname, r_uri.hostname);\n\t\t\tif ((p == NULL) || (apr_strnatcmp(r_uri.hostname, p) != 0)) {\n\t\t\t\toidc_error(r,\n\t\t\t\t\t\t\"the URL hostname (%s) of the configured \" OIDCRedirectURI \" does not match the URL hostname of the URL being accessed (%s): the \\\"state\\\" and \\\"session\\\" cookies will not be shared between the two!\",\n\t\t\t\t\t\tr_uri.hostname, o_uri.hostname);\n\t\t\t\toidc_proto_state_destroy(proto_state);\n\t\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t\t\t}\n\t\t}\n\t} else {\n\t\tif (!oidc_util_cookie_domain_valid(r_uri.hostname, c->cookie_domain)) {\n\t\t\toidc_error(r,\n\t\t\t\t\t\"the domain (%s) configured in \" OIDCCookieDomain \" does not match the URL hostname (%s) of the URL being accessed (%s): setting \\\"state\\\" and \\\"session\\\" cookies will not work!!\",\n\t\t\t\t\tc->cookie_domain, o_uri.hostname, original_url);\n\t\t\toidc_proto_state_destroy(proto_state);\n\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t\t}\n\t}\n\n\t/* send off to the OpenID Connect Provider */\n\t// TODO: maybe show intermediate/progress screen \"redirecting to\"\n\treturn oidc_proto_authorization_request(r, provider, login_hint,\n\t\t\toidc_get_redirect_uri_iss(r, c, provider), state, proto_state,\n\t\t\tid_token_hint, code_challenge, auth_request_params, path_scope);\n}", "project": "mod_auth_openidc", "hash": 69684059611678259113729102953739071285, "size": 114, "commit_id": 
"ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447691 }, { "func": "static int check_tty_count(struct tty_struct *tty, const char *routine)\n{\n#ifdef CHECK_TTY_COUNT\n\tstruct list_head *p;\n\tint count = 0, kopen_count = 0;\n\n\tspin_lock(&tty->files_lock);\n\tlist_for_each(p, &tty->tty_files) {\n\t\tcount++;\n\t}\n\tspin_unlock(&tty->files_lock);\n\tif (tty->driver->type == TTY_DRIVER_TYPE_PTY &&\n\t tty->driver->subtype == PTY_TYPE_SLAVE &&\n\t tty->link && tty->link->count)\n\t\tcount++;\n\tif (tty_port_kopened(tty->port))\n\t\tkopen_count++;\n\tif (tty->count != (count + kopen_count)) {\n\t\ttty_warn(tty, \"%s: tty->count(%d) != (#fd's(%d) + #kopen's(%d))\\n\",\n\t\t\t routine, tty->count, count, kopen_count);\n\t\treturn (count + kopen_count);\n\t}\n#endif\n\treturn 0;\n}", "project": "linux", "hash": 82490531849414670767186938662512107130, "size": 25, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326066 }, { "func": "static inline struct task_struct *alloc_task_struct_node(int node)\n{\n\treturn kmem_cache_alloc_node(task_struct_cachep, GFP_KERNEL, node);\n}", "project": "linux", "hash": 306254502431977517169758896124288882530, "size": 4, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293707 }, { "func": "void exit_robust_list(struct task_struct *curr)\n{\n\tstruct robust_list_head __user *head = curr->robust_list;\n\tstruct robust_list __user *entry, *next_entry, *pending;\n\tunsigned int limit = ROBUST_LIST_LIMIT, pi, next_pi, pip;\n\tunsigned long futex_offset;\n\tint rc;\n\n\tif (!futex_cmpxchg_enabled)\n\t\treturn;\n\n\t/*\n\t * Fetch the list head (which was registered earlier, via\n\t * sys_set_robust_list()):\n\t */\n\tif (fetch_robust_entry(&entry, &head->list.next, 
&pi))\n\t\treturn;\n\t/*\n\t * Fetch the relative futex offset:\n\t */\n\tif (get_user(futex_offset, &head->futex_offset))\n\t\treturn;\n\t/*\n\t * Fetch any possibly pending lock-add first, and handle it\n\t * if it exists:\n\t */\n\tif (fetch_robust_entry(&pending, &head->list_op_pending, &pip))\n\t\treturn;\n\n\tnext_entry = NULL;\t/* avoid warning with gcc */\n\twhile (entry != &head->list) {\n\t\t/*\n\t\t * Fetch the next entry in the list before calling\n\t\t * handle_futex_death:\n\t\t */\n\t\trc = fetch_robust_entry(&next_entry, &entry->next, &next_pi);\n\t\t/*\n\t\t * A pending lock might already be on the list, so\n\t\t * don't process it twice:\n\t\t */\n\t\tif (entry != pending)\n\t\t\tif (handle_futex_death((void __user *)entry + futex_offset,\n\t\t\t\t\t\tcurr, pi))\n\t\t\t\treturn;\n\t\tif (rc)\n\t\t\treturn;\n\t\tentry = next_entry;\n\t\tpi = next_pi;\n\t\t/*\n\t\t * Avoid excessively long or circular lists:\n\t\t */\n\t\tif (!--limit)\n\t\t\tbreak;\n\n\t\tcond_resched();\n\t}\n\n\tif (pending)\n\t\thandle_futex_death((void __user *)pending + futex_offset,\n\t\t\t\t curr, pip);\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 75341996036952028756459547018310363613, "size": 61, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492296 }, { "func": "static int cr8_write_interception(struct vcpu_svm *svm)\n{\n\tstruct kvm_run *kvm_run = svm->vcpu.run;\n\tint r;\n\n\tu8 cr8_prev = kvm_get_cr8(&svm->vcpu);\n\t/* instruction emulation calls kvm_set_cr8() */\n\tr = cr_interception(svm);\n\tif (lapic_in_kernel(&svm->vcpu))\n\t\treturn r;\n\tif (cr8_prev <= kvm_get_cr8(&svm->vcpu))\n\t\treturn r;\n\tkvm_run->exit_reason = KVM_EXIT_SET_TPR;\n\treturn 0;\n}", "project": "linux", "hash": 69141032292413456315683973905772320546, "size": 15, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432538 }, { "func": "static int cr8_write_interception(struct vcpu_svm *svm)\n{\n\tstruct kvm_run *kvm_run = svm->vcpu.run;\n\tint r;\n\n\tu8 cr8_prev = kvm_get_cr8(&svm->vcpu);\n\t/* instruction emulation calls kvm_set_cr8() */\n\tr = cr_interception(svm);\n\tif (irqchip_in_kernel(svm->vcpu.kvm))\n\t\treturn r;\n\tif (cr8_prev <= kvm_get_cr8(&svm->vcpu))\n\t\treturn r;\n\tkvm_run->exit_reason = KVM_EXIT_SET_TPR;\n\treturn 0;\n}", "project": "kvm", "hash": 166986490995465168356169507206206327133, "size": 15, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437546 }, { "func": "static int ep_loop_check(struct eventpoll *ep, struct file *file)\n{\n\tint ret;\n\tstruct eventpoll *ep_cur, *ep_next;\n\n\tret = ep_call_nested(&poll_loop_ncalls,\n\t\t\t ep_loop_check_proc, file, ep, current);\n\t/* clear visited list */\n\tlist_for_each_entry_safe(ep_cur, ep_next, &visited_list,\n\t\t\t\t\t\t\tvisited_list_link) {\n\t\tep_cur->visited = 0;\n\t\tlist_del(&ep_cur->visited_list_link);\n\t}\n\treturn ret;\n}", "project": "linux", "hash": 30047526051029469836262399201398702295, "size": 15, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336234 }, { "func": "static int 
kvm_s390_set_processor(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tstruct kvm_s390_vm_cpu_processor *proc;\n\tu16 lowest_ibc, unblocked_ibc;\n\tint ret = 0;\n\n\tmutex_lock(&kvm->lock);\n\tif (kvm->created_vcpus) {\n\t\tret = -EBUSY;\n\t\tgoto out;\n\t}\n\tproc = kzalloc(sizeof(*proc), GFP_KERNEL);\n\tif (!proc) {\n\t\tret = -ENOMEM;\n\t\tgoto out;\n\t}\n\tif (!copy_from_user(proc, (void __user *)attr->addr,\n\t\t\t sizeof(*proc))) {\n\t\tkvm->arch.model.cpuid = proc->cpuid;\n\t\tlowest_ibc = sclp.ibc >> 16 & 0xfff;\n\t\tunblocked_ibc = sclp.ibc & 0xfff;\n\t\tif (lowest_ibc && proc->ibc) {\n\t\t\tif (proc->ibc > unblocked_ibc)\n\t\t\t\tkvm->arch.model.ibc = unblocked_ibc;\n\t\t\telse if (proc->ibc < lowest_ibc)\n\t\t\t\tkvm->arch.model.ibc = lowest_ibc;\n\t\t\telse\n\t\t\t\tkvm->arch.model.ibc = proc->ibc;\n\t\t}\n\t\tmemcpy(kvm->arch.model.fac_list, proc->fac_list,\n\t\t S390_ARCH_FAC_LIST_SIZE_BYTE);\n\t\tVM_EVENT(kvm, 3, \"SET: guest ibc: 0x%4.4x, guest cpuid: 0x%16.16llx\",\n\t\t\t kvm->arch.model.ibc,\n\t\t\t kvm->arch.model.cpuid);\n\t\tVM_EVENT(kvm, 3, \"SET: guest faclist: 0x%16.16llx.%16.16llx.%16.16llx\",\n\t\t\t kvm->arch.model.fac_list[0],\n\t\t\t kvm->arch.model.fac_list[1],\n\t\t\t kvm->arch.model.fac_list[2]);\n\t} else\n\t\tret = -EFAULT;\n\tkfree(proc);\nout:\n\tmutex_unlock(&kvm->lock);\n\treturn ret;\n}", "project": "linux", "hash": 263385628537947195316787481722678172615, "size": 45, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson 
\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354470 }, { "func": "static void set_output_verbosity(int level, uchar priority)\n{\n\tint j;\n\n\tif (level > MAX_VERBOSITY)\n\t\tlevel = MAX_VERBOSITY;\n\n\tfor (j = 1; j <= level; j++) {\n\t\tparse_output_words(info_words, info_levels, info_verbosity[j], priority);\n\t\tparse_output_words(debug_words, debug_levels, debug_verbosity[j], priority);\n\t}\n}", "project": "rsync", "hash": 51223469629538172657077908633553665135, "size": 12, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. 
This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364681 }, { "func": "SYSCALL_DEFINE0(fork)\n{\n#ifdef CONFIG_MMU\n\tstruct kernel_clone_args args = {\n\t\t.exit_signal = SIGCHLD,\n\t};\n\n\treturn kernel_clone(&args);\n#else\n\t/* can not support in nommu mode */\n\treturn -EINVAL;\n#endif\n}", "project": "linux", "hash": 197274845277362225630408411179096110837, "size": 13, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293636 }, { "func": "SYSCALL_DEFINE5(clone, unsigned long, clone_flags, unsigned long, newsp,\n\t\t int __user *, parent_tidptr,\n\t\t int __user *, child_tidptr,\n\t\t unsigned long, tls)\n#endif\n{\n\tstruct kernel_clone_args args = {\n\t\t.flags\t\t= (lower_32_bits(clone_flags) & ~CSIGNAL),\n\t\t.pidfd\t\t= parent_tidptr,\n\t\t.child_tid\t= child_tidptr,\n\t\t.parent_tid\t= parent_tidptr,\n\t\t.exit_signal\t= (lower_32_bits(clone_flags) & CSIGNAL),\n\t\t.stack\t\t= newsp,\n\t\t.tls\t\t= tls,\n\t};\n\n\treturn kernel_clone(&args);\n}", "project": "linux", "hash": 109928052063704858875577188408380157364, "size": 18, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293654 }, { 
"func": "SYSCALL_DEFINE0(vfork)\n{\n\tstruct kernel_clone_args args = {\n\t\t.flags\t\t= CLONE_VFORK | CLONE_VM,\n\t\t.exit_signal\t= SIGCHLD,\n\t};\n\n\treturn kernel_clone(&args);\n}", "project": "linux", "hash": 201344774276526707038053486631583882537, "size": 9, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293682 }, { "func": "pid_t kernel_clone(struct kernel_clone_args *args)\n{\n\tu64 clone_flags = args->flags;\n\tstruct completion vfork;\n\tstruct pid *pid;\n\tstruct task_struct *p;\n\tint trace = 0;\n\tpid_t nr;\n\n\t/*\n\t * For legacy clone() calls, CLONE_PIDFD uses the parent_tid argument\n\t * to return the pidfd. Hence, CLONE_PIDFD and CLONE_PARENT_SETTID are\n\t * mutually exclusive. With clone3() CLONE_PIDFD has grown a separate\n\t * field in struct clone_args and it still doesn't make sense to have\n\t * them both point at the same memory location. Performing this check\n\t * here has the advantage that we don't need to have a separate helper\n\t * to check for legacy clone().\n\t */\n\tif ((args->flags & CLONE_PIDFD) &&\n\t (args->flags & CLONE_PARENT_SETTID) &&\n\t (args->pidfd == args->parent_tid))\n\t\treturn -EINVAL;\n\n\t/*\n\t * Determine whether and which event to report to ptracer. 
When\n\t * called from kernel_thread or CLONE_UNTRACED is explicitly\n\t * requested, no event is reported; otherwise, report if the event\n\t * for the type of forking is enabled.\n\t */\n\tif (!(clone_flags & CLONE_UNTRACED)) {\n\t\tif (clone_flags & CLONE_VFORK)\n\t\t\ttrace = PTRACE_EVENT_VFORK;\n\t\telse if (args->exit_signal != SIGCHLD)\n\t\t\ttrace = PTRACE_EVENT_CLONE;\n\t\telse\n\t\t\ttrace = PTRACE_EVENT_FORK;\n\n\t\tif (likely(!ptrace_event_enabled(current, trace)))\n\t\t\ttrace = 0;\n\t}\n\n\tp = copy_process(NULL, trace, NUMA_NO_NODE, args);\n\tadd_latent_entropy();\n\n\tif (IS_ERR(p))\n\t\treturn PTR_ERR(p);\n\n\t/*\n\t * Do this prior waking up the new thread - the thread pointer\n\t * might get invalid after that point, if the thread exits quickly.\n\t */\n\ttrace_sched_process_fork(current, p);\n\n\tpid = get_task_pid(p, PIDTYPE_PID);\n\tnr = pid_vnr(pid);\n\n\tif (clone_flags & CLONE_PARENT_SETTID)\n\t\tput_user(nr, args->parent_tid);\n\n\tif (clone_flags & CLONE_VFORK) {\n\t\tp->vfork_done = &vfork;\n\t\tinit_completion(&vfork);\n\t\tget_task_struct(p);\n\t}\n\n\twake_up_new_task(p);\n\n\t/* forking complete and child started to run, tell ptracer */\n\tif (unlikely(trace))\n\t\tptrace_event_pid(trace, pid);\n\n\tif (clone_flags & CLONE_VFORK) {\n\t\tif (!wait_for_vfork_done(p, &vfork))\n\t\t\tptrace_event_pid(PTRACE_EVENT_VFORK_DONE, pid);\n\t}\n\n\tput_pid(pid);\n\treturn nr;\n}", "project": "linux", "hash": 120498762154966336442322606690221288277, "size": 79, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293700 }, { "func": "void Encode(const UnicodeEncoding 
encoding, const icu::UnicodeString& in,\n tstring* out) {\n if (encoding == UnicodeEncoding::UTF8) {\n out->clear();\n in.toUTF8String(*out);\n } else if (encoding == UnicodeEncoding::UTF16BE) {\n // TODO(gbillock): consider using the\n // extract(char *dest, int32_t destCapacity, UConverter *cnv)\n // for UTF16/32\n out->clear(); // subtle: must come before reserve()\n out->reserve(2 * in.length() + 1);\n const char16_t* buf = in.getBuffer();\n for (int i = 0; i < in.length(); ++i) {\n // Emit big-endian encoding for UTF-16 always.\n out->push_back((buf[i] & 0xFF00) >> 8);\n out->push_back(buf[i] & 0x00FF);\n }\n } else if (encoding == UnicodeEncoding::UTF32BE) {\n out->clear(); // subtle: must come before reserve()\n out->reserve(4 * in.countChar32() + 1);\n icu::StringCharacterIterator it(in);\n UChar32 ch;\n while (it.hasNext()) {\n ch = it.next32PostInc();\n out->push_back((ch & 0xFF000000) >> 24);\n out->push_back((ch & 0x00FF0000) >> 16);\n out->push_back((ch & 0x0000FF00) >> 8);\n out->push_back((ch & 0x000000FF));\n }\n }\n}", "project": "tensorflow", "hash": 325015518020846990460537373646485974423, "size": 31, "commit_id": "2e0ee46f1a47675152d3d865797a18358881d7a6", "message": "Ensure non-empty input_splits in tf.raw_ops.UnicodeEncode\n\nPiperOrigin-RevId: 387170080\nChange-Id: I3b489acc51c5cb4124c535b9df7cc6e62ef21766", "target": 0, "dataset": "other", "idx": 238843 }, { "func": "unsigned Utf8::Encode(char* str,\n uchar c,\n int previous,\n bool replace_invalid) {\n static const int kMask = ~(1 << 6);\n if (c <= kMaxOneByteChar) {\n str[0] = c;\n return 1;\n } else if (c <= kMaxTwoByteChar) {\n str[0] = 0xC0 | (c >> 6);\n str[1] = 0x80 | (c & kMask);\n return 2;\n } else if (c <= kMaxThreeByteChar) {\n if (Utf16::IsSurrogatePair(previous, c)) {\n const int kUnmatchedSize = kSizeOfUnmatchedSurrogate;\n return Encode(str - kUnmatchedSize,\n Utf16::CombineSurrogatePair(previous, c),\n Utf16::kNoPreviousCharacter,\n replace_invalid) - kUnmatchedSize;\n } 
else if (replace_invalid &&\n (Utf16::IsLeadSurrogate(c) ||\n Utf16::IsTrailSurrogate(c))) {\n c = kBadChar;\n }\n str[0] = 0xE0 | (c >> 12);\n str[1] = 0x80 | ((c >> 6) & kMask);\n str[2] = 0x80 | (c & kMask);\n return 3;\n } else {\n str[0] = 0xF0 | (c >> 18);\n str[1] = 0x80 | ((c >> 12) & kMask);\n str[2] = 0x80 | ((c >> 6) & kMask);\n str[3] = 0x80 | (c & kMask);\n return 4;\n }\n}", "project": "node", "hash": 75806488156192711699906250163092571060, "size": 36, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385612 }, { "func": "void exit_sie(struct kvm_vcpu *vcpu)\n{\n\tkvm_s390_set_cpuflags(vcpu, CPUSTAT_STOP_INT);\n\tkvm_s390_vsie_kick(vcpu);\n\twhile (vcpu->arch.sie_block->prog0c & PROG_IN_SIE)\n\t\tcpu_relax();\n}", "project": "linux", "hash": 313890394013667966891182479874177268092, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354666 }, { "func": "static inline int get_obj_attrs(RGWRados *store, struct req_state *s, rgw_obj& obj, map& attrs)\n{\n RGWRados::Object op_target(store, s->bucket_info, *static_cast(s->obj_ctx), obj);\n RGWRados::Object::Read read_op(&op_target);\n\n read_op.params.attrs 
= &attrs;\n\n return read_op.prepare();\n}", "project": "ceph", "hash": 291880496681531096382945414747670064330, "size": 9, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281369 }, { "func": "Header headerFree(Header h)\n{\n (void) headerUnlink(h);\n\n if (h == NULL || h->nrefs > 0)\n\treturn NULL;\n\n if (h->index) {\n\tindexEntry entry = h->index;\n\tint i;\n\tfor (i = 0; i < h->indexUsed; i++, entry++) {\n\t if ((h->flags & HEADERFLAG_ALLOCATED) && ENTRY_IS_REGION(entry)) {\n\t\tif (entry->length > 0) {\n\t\t int32_t * ei = entry->data;\n\t\t if ((ei - 2) == h->blob) h->blob = _free(h->blob);\n\t\t entry->data = NULL;\n\t\t}\n\t } else if (!ENTRY_IN_REGION(entry)) {\n\t\tentry->data = _free(entry->data);\n\t }\n\t entry->data = NULL;\n\t}\n\th->index = _free(h->index);\n }\n\n h = _free(h);\n return NULL;\n}", "project": "rpm", "hash": 143753715449910319025012408336313893531, "size": 28, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318150 }, { "func": "static bool kvm_has_pckmo_subfunc(struct kvm *kvm, unsigned long nr)\n{\n\tif (test_bit_inv(nr, (unsigned long *)&kvm->arch.model.subfuncs.pckmo) &&\n\t test_bit_inv(nr, (unsigned long *)&kvm_s390_available_subfunc.pckmo))\n\t\treturn true;\n\treturn false;\n}", "project": "linux", "hash": 222080044320364383685170205204083263090, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching 
through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354459 }, { "func": "static void umd_cleanup(struct subprocess_info *info)\n{\n\tstruct umd_info *umd_info = info->data;\n\n\t/* cleanup if umh_setup() was successful but exec failed */\n\tif (info->retval) {\n\t\tfput(umd_info->pipe_to_umh);\n\t\tfput(umd_info->pipe_from_umh);\n\t\tput_pid(umd_info->tgid);\n\t\tumd_info->tgid = NULL;\n\t}\n}", "project": "linux", "hash": 202261761255865455882373619018707547027, "size": 12, "commit_id": "f60a85cad677c4f9bb4cadd764f1d106c38c7cf8", "message": "bpf: Fix umd memory leak in copy_process()\n\nThe syzbot reported a memleak as follows:\n\nBUG: memory leak\nunreferenced object 0xffff888101b41d00 (size 120):\n comm \"kworker/u4:0\", pid 8, jiffies 4294944270 (age 12.780s)\n backtrace:\n [] alloc_pid+0x66/0x560\n [] copy_process+0x1465/0x25e0\n [] kernel_clone+0xf3/0x670\n [] kernel_thread+0x61/0x80\n [] call_usermodehelper_exec_work\n [] call_usermodehelper_exec_work+0xc4/0x120\n [] process_one_work+0x2c9/0x600\n [] worker_thread+0x59/0x5d0\n [] kthread+0x178/0x1b0\n [] ret_from_fork+0x1f/0x30\n\nunreferenced object 0xffff888110ef5c00 (size 232):\n comm \"kworker/u4:0\", pid 8414, jiffies 4294944270 (age 12.780s)\n backtrace:\n [] kmem_cache_zalloc\n [] __alloc_file+0x1f/0xf0\n [] alloc_empty_file+0x69/0x120\n [] alloc_file+0x33/0x1b0\n [] alloc_file_pseudo+0xb2/0x140\n [] create_pipe_files+0x138/0x2e0\n [] umd_setup+0x33/0x220\n [] call_usermodehelper_exec_async+0xb4/0x1b0\n [] ret_from_fork+0x1f/0x30\n\nAfter the UMD process exits, the 
pipe_to_umh/pipe_from_umh and\ntgid need to be released.\n\nFixes: d71fa5c9763c (\"bpf: Add kernel module with user mode driver that populates bpffs.\")\nReported-by: syzbot+44908bb56d2bfe56b28e@syzkaller.appspotmail.com\nSigned-off-by: Zqiang \nSigned-off-by: Daniel Borkmann \nLink: https://lore.kernel.org/bpf/20210317030915.2865-1-qiang.zhang@windriver.com", "target": 1, "dataset": "other", "idx": 206697 }, { "func": "static void umd_cleanup(struct subprocess_info *info)\n{\n\tstruct umd_info *umd_info = info->data;\n\n\t/* cleanup if umh_setup() was successful but exec failed */\n\tif (info->retval)\n\t\tumd_cleanup_helper(umd_info);\n}", "project": "linux", "hash": 164239646891437415065034800136492740579, "size": 8, "commit_id": "f60a85cad677c4f9bb4cadd764f1d106c38c7cf8", "message": "bpf: Fix umd memory leak in copy_process()\n\nThe syzbot reported a memleak as follows:\n\nBUG: memory leak\nunreferenced object 0xffff888101b41d00 (size 120):\n comm \"kworker/u4:0\", pid 8, jiffies 4294944270 (age 12.780s)\n backtrace:\n [] alloc_pid+0x66/0x560\n [] copy_process+0x1465/0x25e0\n [] kernel_clone+0xf3/0x670\n [] kernel_thread+0x61/0x80\n [] call_usermodehelper_exec_work\n [] call_usermodehelper_exec_work+0xc4/0x120\n [] process_one_work+0x2c9/0x600\n [] worker_thread+0x59/0x5d0\n [] kthread+0x178/0x1b0\n [] ret_from_fork+0x1f/0x30\n\nunreferenced object 0xffff888110ef5c00 (size 232):\n comm \"kworker/u4:0\", pid 8414, jiffies 4294944270 (age 12.780s)\n backtrace:\n [] kmem_cache_zalloc\n [] __alloc_file+0x1f/0xf0\n [] alloc_empty_file+0x69/0x120\n [] alloc_file+0x33/0x1b0\n [] alloc_file_pseudo+0xb2/0x140\n [] create_pipe_files+0x138/0x2e0\n [] umd_setup+0x33/0x220\n [] call_usermodehelper_exec_async+0xb4/0x1b0\n [] ret_from_fork+0x1f/0x30\n\nAfter the UMD process exits, the pipe_to_umh/pipe_from_umh and\ntgid need to be released.\n\nFixes: d71fa5c9763c (\"bpf: Add kernel module with user mode driver that populates bpffs.\")\nReported-by: 
syzbot+44908bb56d2bfe56b28e@syzkaller.appspotmail.com\nSigned-off-by: Zqiang \nSigned-off-by: Daniel Borkmann \nLink: https://lore.kernel.org/bpf/20210317030915.2865-1-qiang.zhang@windriver.com", "target": 0, "dataset": "other", "idx": 385297 }, { "func": "static int kvm_s390_set_tod_ext(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tstruct kvm_s390_vm_tod_clock gtod;\n\n\tif (copy_from_user(>od, (void __user *)attr->addr, sizeof(gtod)))\n\t\treturn -EFAULT;\n\n\tif (!test_kvm_facility(kvm, 139) && gtod.epoch_idx)\n\t\treturn -EINVAL;\n\tkvm_s390_set_tod_clock(kvm, >od);\n\n\tVM_EVENT(kvm, 3, \"SET: TOD extension: 0x%x, TOD base: 0x%llx\",\n\t\tgtod.epoch_idx, gtod.tod);\n\n\treturn 0;\n}", "project": "linux", "hash": 151563610059494685510880492842752529566, "size": 16, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354750 }, { "func": "static OPJ_BOOL opj_j2k_setup_header_writing(opj_j2k_t *p_j2k,\n opj_event_mgr_t * p_manager)\n{\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_init_info, p_manager)) {\n return OPJ_FALSE;\n }\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_write_soc, p_manager)) {\n return OPJ_FALSE;\n }\n if (! 
opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_write_siz, p_manager)) {\n return OPJ_FALSE;\n }\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_write_cod, p_manager)) {\n return OPJ_FALSE;\n }\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_write_qcd, p_manager)) {\n return OPJ_FALSE;\n }\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_write_all_coc, p_manager)) {\n return OPJ_FALSE;\n }\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_write_all_qcc, p_manager)) {\n return OPJ_FALSE;\n }\n\n if (OPJ_IS_CINEMA(p_j2k->m_cp.rsiz) || OPJ_IS_IMF(p_j2k->m_cp.rsiz)) {\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_write_tlm, p_manager)) {\n return OPJ_FALSE;\n }\n\n if (p_j2k->m_cp.rsiz == OPJ_PROFILE_CINEMA_4K) {\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_write_poc, p_manager)) {\n return OPJ_FALSE;\n }\n }\n }\n\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_write_regions, p_manager)) {\n return OPJ_FALSE;\n }\n\n if (p_j2k->m_cp.comment != 00) {\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_write_com, p_manager)) {\n return OPJ_FALSE;\n }\n }\n\n /* DEVELOPER CORNER, insert your custom procedures */\n if ((p_j2k->m_cp.rsiz & (OPJ_PROFILE_PART2 | OPJ_EXTENSION_MCT)) ==\n (OPJ_PROFILE_PART2 | OPJ_EXTENSION_MCT)) {\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_write_mct_data_group, p_manager)) {\n return OPJ_FALSE;\n }\n }\n /* End of Developer Corner */\n\n if (p_j2k->cstr_index) {\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_get_end_header, p_manager)) {\n return OPJ_FALSE;\n }\n }\n\n if (! 
opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_create_tcd, p_manager)) {\n return OPJ_FALSE;\n }\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_update_rates, p_manager)) {\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 240830578128397952653201209367049248762, "size": 90, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357409 }, { "func": "static bool sst_auth_real_set (const char* value)\n{\n const char* v = strdup (value);\n\n if (v)\n {\n if (sst_auth_real) free (const_cast(sst_auth_real));\n sst_auth_real = v;\n\n if (strlen(sst_auth_real))\n {\n if (wsrep_sst_auth)\n {\n my_free ((void*)wsrep_sst_auth);\n wsrep_sst_auth = my_strdup(WSREP_SST_AUTH_MASK, MYF(0));\n //strncpy (wsrep_sst_auth, WSREP_SST_AUTH_MASK,\n // sizeof(wsrep_sst_auth) - 1);\n }\n else\n wsrep_sst_auth = my_strdup (WSREP_SST_AUTH_MASK, MYF(0));\n }\n return 0;\n }\n\n return 1;\n}", "project": "mysql-wsrep", "hash": 41472240543977584317465478128304682498, "size": 26, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454788 }, { "func": "static size_t php_strnlen(char* str, size_t maxlen) {\n size_t len = 0;\n\n if (str && maxlen && *str) {\n do {\n len++;\n } while (--maxlen && *(++str));\n }\n return len;\n}", "project": "hhvm", "hash": 304250294004762649393543329635743478747, "size": 10, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219104 }, { "func": "\treturn err;\n}\n\nstatic int iscsi_logout_flashnode_sid(struct iscsi_transport *transport,\n\t\t\t\t struct 
iscsi_uevent *ev)\n{\n\tstruct Scsi_Host *shost;\n\tstruct iscsi_cls_session *session;\n\tint err = 0;\n\n\tif (!transport->logout_flashnode_sid) {\n\t\terr = -ENOSYS;\n\t\tgoto exit_logout_sid;\n\t}\n\n\tshost = scsi_host_lookup(ev->u.logout_flashnode_sid.host_no);\n\tif (!shost) {\n\t\tpr_err(\"%s could not find host no %u\\n\",\n\t\t __func__, ev->u.logout_flashnode.host_no);\n\t\terr = -ENODEV;\n\t\tgoto put_host;\n\t}\n\n\tsession = iscsi_session_lookup(ev->u.logout_flashnode_sid.sid);\n\tif (!session) {\n\t\tpr_err(\"%s could not find session id %u\\n\",\n\t\t __func__, ev->u.logout_flashnode_sid.sid);\n\t\terr = -EINVAL;\n\t\tgoto put_host;\n\t}\n\n\terr = transport->logout_flashnode_sid(session);\n\nput_host:\n\tscsi_host_put(shost);\n", "project": "linux", "hash": 47736808841879361483577274067601066423, "size": 36, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 380006 }, { "func": "R_API int r_socket_write(RSocket *s, void *buf, int len) {\n\treturn -1;\n}", "project": "radare2", "hash": 74870276966487807979861199998335443738, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268808 }, { "func": "R_API int r_socket_write(RSocket *s, void *buf, int len) {\n\tD { eprintf (\"WRITE \"); int i; ut8 *b = buf; for (i = 0; i len) {\n\t\t\tb = len;\n\t\t}\n#if HAVE_LIB_SSL\n\t\tif (s->is_ssl) {\n\t\t\tif (s->bio) {\n\t\t\t\tret = BIO_write (s->bio, buf+delta, b);\n\t\t\t} else {\n\t\t\t\tret = SSL_write (s->sfd, buf + delta, b);\n\t\t\t}\n\t\t} else\n#endif\n\t\t{\n\t\t\tret = send (s->fd, (char *)buf+delta, b, 0);\n\t\t}\n\t\t//if (ret == 0) return -1;\n\t\tif (ret < 1) {\n\t\t\tbreak;\n\t\t}\n\t\tif (ret == len) {\n\t\t\treturn 
len;\n\t\t}\n\t\tdelta += ret;\n\t\tlen -= ret;\n\t}\n\treturn (ret == -1)? -1 : delta;\n}", "project": "radare2", "hash": 326385580312013551116057600493322074618, "size": 35, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269009 }, { "func": "static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)\n{\n\tstruct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);\n\n\tif (kiocb->ki_flags & IOCB_WRITE)\n\t\tkiocb_end_write(req);\n\tif (unlikely(res != req->result)) {\n\t\tif (!(res == -EAGAIN && io_rw_should_reissue(req) &&\n\t\t io_resubmit_prep(req))) {\n\t\t\treq_set_fail_links(req);\n\t\t\treq->flags |= REQ_F_DONT_REISSUE;\n\t\t}\n\t}\n\n\tWRITE_ONCE(req->result, res);\n\t/* order with io_iopoll_complete() checking ->result */\n\tsmp_wmb();\n\tWRITE_ONCE(req->iopoll_completed, 1);\n}", 
"project": "linux", "hash": 227424868530147861198629497521979673636, "size": 19, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338572 }, { "func": "void __kmemcg_cache_deactivate_after_rcu(struct kmem_cache *s)\n{\n\t/*\n\t * Called with all the locks held after a sched RCU grace period.\n\t * Even if @s becomes empty after shrinking, we can't know that @s\n\t * doesn't have allocations already in-flight and thus can't\n\t * destroy @s until the associated memcg is released.\n\t *\n\t * However, let's remove the sysfs files for empty caches here.\n\t * Each cache has a lot of interface files which aren't\n\t * particularly useful for empty draining caches; otherwise, we can\n\t * easily end up with millions of unnecessary sysfs files on\n\t * systems which have a lot of memory and transient cgroups.\n\t */\n\tif (!__kmem_cache_shrink(s))\n\t\tsysfs_slab_remove(s);\n}", "project": "linux", "hash": 269378417123714427146833389041430793496, "size": 17, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove 
the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280121 }, { "func": "static ssize_t show_slab_objects(struct kmem_cache *s,\n\t\t\t char *buf, unsigned long flags)\n{\n\tunsigned long total = 0;\n\tint node;\n\tint x;\n\tunsigned long *nodes;\n\n\tnodes = kcalloc(nr_node_ids, sizeof(unsigned long), GFP_KERNEL);\n\tif (!nodes)\n\t\treturn -ENOMEM;\n\n\tif (flags & SO_CPU) {\n\t\tint cpu;\n\n\t\tfor_each_possible_cpu(cpu) {\n\t\t\tstruct kmem_cache_cpu *c = per_cpu_ptr(s->cpu_slab,\n\t\t\t\t\t\t\t cpu);\n\t\t\tint node;\n\t\t\tstruct page *page;\n\n\t\t\tpage = READ_ONCE(c->page);\n\t\t\tif (!page)\n\t\t\t\tcontinue;\n\n\t\t\tnode = page_to_nid(page);\n\t\t\tif (flags & SO_TOTAL)\n\t\t\t\tx = page->objects;\n\t\t\telse if (flags & SO_OBJECTS)\n\t\t\t\tx = page->inuse;\n\t\t\telse\n\t\t\t\tx = 1;\n\n\t\t\ttotal += x;\n\t\t\tnodes[node] += x;\n\n\t\t\tpage = slub_percpu_partial_read_once(c);\n\t\t\tif (page) {\n\t\t\t\tnode = page_to_nid(page);\n\t\t\t\tif (flags & SO_TOTAL)\n\t\t\t\t\tWARN_ON_ONCE(1);\n\t\t\t\telse if (flags & SO_OBJECTS)\n\t\t\t\t\tWARN_ON_ONCE(1);\n\t\t\t\telse\n\t\t\t\t\tx = page->pages;\n\t\t\t\ttotal += x;\n\t\t\t\tnodes[node] += x;\n\t\t\t}\n\t\t}\n\t}\n\n\t/*\n\t * It is impossible to take \"mem_hotplug_lock\" here with \"kernfs_mutex\"\n\t * already held which will conflict with an existing lock order:\n\t *\n\t * mem_hotplug_lock->slab_mutex->kernfs_mutex\n\t *\n\t * We don't really need mem_hotplug_lock (to hold off\n\t * 
slab_mem_going_offline_callback) here because slab's memory hot\n\t * unplug code doesn't destroy the kmem_cache->node[] data.\n\t */\n\n#ifdef CONFIG_SLUB_DEBUG\n\tif (flags & SO_ALL) {\n\t\tstruct kmem_cache_node *n;\n\n\t\tfor_each_kmem_cache_node(s, node, n) {\n\n\t\t\tif (flags & SO_TOTAL)\n\t\t\t\tx = atomic_long_read(&n->total_objects);\n\t\t\telse if (flags & SO_OBJECTS)\n\t\t\t\tx = atomic_long_read(&n->total_objects) -\n\t\t\t\t\tcount_partial(n, count_free);\n\t\t\telse\n\t\t\t\tx = atomic_long_read(&n->nr_slabs);\n\t\t\ttotal += x;\n\t\t\tnodes[node] += x;\n\t\t}\n\n\t} else\n#endif\n\tif (flags & SO_PARTIAL) {\n\t\tstruct kmem_cache_node *n;\n\n\t\tfor_each_kmem_cache_node(s, node, n) {\n\t\t\tif (flags & SO_TOTAL)\n\t\t\t\tx = count_partial(n, count_total);\n\t\t\telse if (flags & SO_OBJECTS)\n\t\t\t\tx = count_partial(n, count_inuse);\n\t\t\telse\n\t\t\t\tx = n->nr_partial;\n\t\t\ttotal += x;\n\t\t\tnodes[node] += x;\n\t\t}\n\t}\n\tx = sprintf(buf, \"%lu\", total);\n#ifdef CONFIG_NUMA\n\tfor (node = 0; node < nr_node_ids; node++)\n\t\tif (nodes[node])\n\t\t\tx += sprintf(buf + x, \" N%d=%lu\",\n\t\t\t\t\tnode, nodes[node]);\n#endif\n\tkfree(nodes);\n\treturn x + sprintf(buf + x, \"\\n\");\n}", "project": "linux", "hash": 295735882247309783480397683510031563974, "size": 105, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280119 }, { "func": "static void reset_csb_pointers(struct intel_engine_cs *engine)\n{\n\tstruct intel_engine_execlists * const execlists = &engine->execlists;\n\tconst unsigned int reset_value = execlists->csb_size - 1;\n\n\tring_set_paused(engine, 0);\n\n\t/*\n\t * After a reset, the HW starts writing into CSB entry [0]. We\n\t * therefore have to set our HEAD pointer back one entry so that\n\t * the *first* entry we check is entry 0. To complicate this further,\n\t * as we don't wait for the first interrupt after reset, we have to\n\t * fake the HW write to point back to the last entry so that our\n\t * inline comparison of our cached head position against the last HW\n\t * write works even before the first interrupt.\n\t */\n\texeclists->csb_head = reset_value;\n\tWRITE_ONCE(*execlists->csb_write, reset_value);\n\twmb(); /* Make sure this is visible to HW (paranoia?) */\n\n\tinvalidate_csb_entries(&execlists->csb_status[0],\n\t\t\t &execlists->csb_status[reset_value]);\n}", "project": "linux", "hash": 91584166807580961121417295703274051234, "size": 23, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281513 }, { "func": "void CServer::SendMapListEntryRem(const CMapListEntry *pMapListEntry, int ClientID)\n{\n\tCMsgPacker Msg(NETMSG_MAPLIST_ENTRY_REM, true);\n\tMsg.AddString(pMapListEntry->m_aName, 256);\n\tSendMsg(&Msg, MSGFLAG_VITAL, ClientID);\n}", "project": "teeworlds", "hash": 269906179550471172260379183453163268810, "size": 6, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382001 }, { "func": "static int kill_proc_info(int sig, struct kernel_siginfo *info, pid_t pid)\n{\n\tint error;\n\trcu_read_lock();\n\terror = kill_pid_info(sig, info, find_vpid(pid));\n\trcu_read_unlock();\n\treturn error;\n}", "project": "linux", "hash": 230172088068694532964643756630101309765, "size": 8, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375313 }, { "func": "kvm_pfn_t __gfn_to_pfn_memslot(struct kvm_memory_slot *slot, gfn_t gfn,\n\t\t\t bool atomic, bool *async, bool write_fault,\n\t\t\t bool *writable)\n{\n\tunsigned long addr = __gfn_to_hva_many(slot, gfn, NULL, write_fault);\n\n\tif (addr == KVM_HVA_ERR_RO_BAD) {\n\t\tif (writable)\n\t\t\t*writable = false;\n\t\treturn KVM_PFN_ERR_RO_FAULT;\n\t}\n\n\tif (kvm_is_error_hva(addr)) {\n\t\tif (writable)\n\t\t\t*writable = false;\n\t\treturn KVM_PFN_NOSLOT;\n\t}\n\n\t/* Do not map writable pfn in the readonly memslot. 
*/\n\tif (writable && memslot_is_readonly(slot)) {\n\t\t*writable = false;\n\t\twritable = NULL;\n\t}\n\n\treturn hva_to_pfn(addr, atomic, async, write_fault,\n\t\t\t writable);\n}", "project": "linux", "hash": 280191626077449671904646365366207550728, "size": 27, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354727 }, { "func": "kvm_pfn_t __gfn_to_pfn_memslot(struct kvm_memory_slot *slot, gfn_t gfn,\n\t\t\t bool atomic, bool *async, bool write_fault,\n\t\t\t bool *writable, hva_t *hva)\n{\n\tunsigned long addr = __gfn_to_hva_many(slot, gfn, NULL, write_fault);\n\n\tif (hva)\n\t\t*hva = addr;\n\n\tif (addr == KVM_HVA_ERR_RO_BAD) {\n\t\tif (writable)\n\t\t\t*writable = false;\n\t\treturn KVM_PFN_ERR_RO_FAULT;\n\t}\n\n\tif (kvm_is_error_hva(addr)) {\n\t\tif (writable)\n\t\t\t*writable = false;\n\t\treturn KVM_PFN_NOSLOT;\n\t}\n\n\t/* Do not map writable pfn in the readonly memslot. 
*/\n\tif (writable && memslot_is_readonly(slot)) {\n\t\t*writable = false;\n\t\twritable = NULL;\n\t}\n\n\treturn hva_to_pfn(addr, atomic, async, write_fault,\n\t\t\t writable);\n}", "project": "linux", "hash": 188122760387126548702255506930523317428, "size": 30, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404069 }, { "func": "\nstatic int io_uring_install_fd(struct io_ring_ctx *ctx, struct file *file)\n{\n\tint ret, fd;\n\n\tfd = get_unused_fd_flags(O_RDWR | O_CLOEXEC);\n\tif (fd < 0)\n\t\treturn fd;\n\n\tret = io_uring_add_task_file(ctx);\n\tif (ret) {\n\t\tput_unused_fd(fd);\n\t\treturn ret;\n\t}\n\tfd_install(fd, file);\n\treturn fd;", "project": "linux", "hash": 309147653659986615958449729380668004452, "size": 16, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338595 }, { "func": " Item_string_sys(THD *thd, const char *str):\n Item_string(thd, str, (uint) strlen(str), system_charset_info)\n { }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 176725020670734165901849493232099212408, "size": 3, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509441 }, { "func": "static void nfs4_handle_delay_or_session_error(struct nfs_server *server,\n\t\tint err, struct nfs4_exception *exception)\n{\n\texception->retry = 0;\n\tswitch(err) {\n\tcase -NFS4ERR_DELAY:\n\tcase -NFS4ERR_RETRY_UNCACHED_REP:\n\t\tnfs4_handle_exception(server, err, exception);\n\t\tbreak;\n\tcase -NFS4ERR_BADSESSION:\n\tcase -NFS4ERR_BADSLOT:\n\tcase -NFS4ERR_BAD_HIGH_SLOT:\n\tcase -NFS4ERR_CONN_NOT_BOUND_TO_SESSION:\n\tcase -NFS4ERR_DEADSESSION:\n\t\tnfs4_do_handle_exception(server, err, exception);\n\t}\n}", "project": "linux", "hash": 167987136162059555560235214669893506665, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431586 }, { "func": "static void hci_remote_host_features_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_remote_host_features *ev = (void *) skb->data;\n\tstruct inquiry_entry *ie;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);\n\tif (conn)\n\t\tmemcpy(conn->features[1], ev->features, 8);\n\n\tie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);\n\tif (ie)\n\t\tie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 188540522955836142494369038043430855543, "size": 21, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", 
"message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431939 }, { "func": "static void encode_lockt(struct xdr_stream *xdr, const struct nfs_lockt_args *args, struct compound_hdr *hdr)\n{\n\t__be32 *p;\n\n\tencode_op_hdr(xdr, OP_LOCKT, decode_lockt_maxsz, hdr);\n\tp = reserve_space(xdr, 20);\n\t*p++ = cpu_to_be32(nfs4_lock_type(args->fl, 0));\n\tp = xdr_encode_hyper(p, args->fl->fl_start);\n\tp = xdr_encode_hyper(p, nfs4_lock_length(args->fl));\n\tencode_lockowner(xdr, &args->lock_owner);\n}", "project": "linux", "hash": 69343129911486890840833892797128032724, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431224 }, { "func": "static int sst_append_auth_env(wsp::env& env, const char* sst_auth)\n{\n int const sst_auth_size= strlen(WSREP_SST_AUTH_ENV) + 1 /* = */\n + (sst_auth ? 
strlen(sst_auth) : 0) + 1 /* \\0 */;\n\n wsp::string sst_auth_str(sst_auth_size); // for automatic cleanup on return\n if (!sst_auth_str()) return -ENOMEM;\n\n int ret= snprintf(sst_auth_str(), sst_auth_size, \"%s=%s\",\n WSREP_SST_AUTH_ENV, sst_auth ? sst_auth : \"\");\n\n if (ret < 0 || ret >= sst_auth_size)\n {\n WSREP_ERROR(\"sst_append_auth_env(): snprintf() failed: %d\", ret);\n return (ret < 0 ? ret : -EMSGSIZE);\n }\n\n env.append(sst_auth_str());\n return -env.error();\n}", "project": "mysql-wsrep", "hash": 323030377199788048700337322514478354815, "size": 20, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454793 }, { "func": "opj_tcd_t* opj_tcd_create(OPJ_BOOL p_is_decoder)\n{\n opj_tcd_t *l_tcd = 00;\n\n /* create the tcd structure */\n l_tcd = (opj_tcd_t*) opj_calloc(1, sizeof(opj_tcd_t));\n if (!l_tcd) {\n return 00;\n }\n\n l_tcd->m_is_decoder = p_is_decoder ? 
1 : 0;\n\n l_tcd->tcd_image = (opj_tcd_image_t*)opj_calloc(1, sizeof(opj_tcd_image_t));\n if (!l_tcd->tcd_image) {\n opj_free(l_tcd);\n return 00;\n }\n\n return l_tcd;\n}", "project": "openjpeg", "hash": 246127191734779815969299240678318834734, "size": 20, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359171 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void sgx_check_quiet(const char* message, sgx_status_t ret)\n{\n if (ret != SGX_SUCCESS) {\n printf(\"%s failed\\n\", message);\n print_error_message(ret);\n }\n}", "idx": 519092, "cwe": "CWE-787", "hash": 459038718646860868340120936476906809, "dataset": "other" }, { "func": "int ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl)\n{\n\tstruct inet_sock *inet = inet_sk(sk);\n\tstruct net *net = sock_net(sk);\n\tstruct ip_options_rcu *inet_opt;\n\tstruct flowi4 *fl4;\n\tstruct rtable *rt;\n\tstruct iphdr *iph;\n\tint res;\n\n\t/* Skip all of this if the packet is already routed,\n\t * f.e. by something like SCTP.\n\t */\n\trcu_read_lock();\n\tinet_opt = rcu_dereference(inet->inet_opt);\n\tfl4 = &fl->u.ip4;\n\trt = skb_rtable(skb);\n\tif (rt)\n\t\tgoto packet_routed;\n\n\t/* Make sure we can route this packet. */\n\trt = (struct rtable *)__sk_dst_check(sk, 0);\n\tif (!rt) {\n\t\t__be32 daddr;\n\n\t\t/* Use correct destination address if we have options. 
*/\n\t\tdaddr = inet->inet_daddr;\n\t\tif (inet_opt && inet_opt->opt.srr)\n\t\t\tdaddr = inet_opt->opt.faddr;\n\n\t\t/* If this fails, retransmit mechanism of transport layer will\n\t\t * keep trying until route appears or the connection times\n\t\t * itself out.\n\t\t */\n\t\trt = ip_route_output_ports(net, fl4, sk,\n\t\t\t\t\t daddr, inet->inet_saddr,\n\t\t\t\t\t inet->inet_dport,\n\t\t\t\t\t inet->inet_sport,\n\t\t\t\t\t sk->sk_protocol,\n\t\t\t\t\t RT_CONN_FLAGS(sk),\n\t\t\t\t\t sk->sk_bound_dev_if);\n\t\tif (IS_ERR(rt))\n\t\t\tgoto no_route;\n\t\tsk_setup_caps(sk, &rt->dst);\n\t}\n\tskb_dst_set_noref(skb, &rt->dst);\n\npacket_routed:\n\tif (inet_opt && inet_opt->opt.is_strictroute && rt->rt_uses_gateway)\n\t\tgoto no_route;\n\n\t/* OK, we know where to send it, allocate and build IP header. */\n\tskb_push(skb, sizeof(struct iphdr) + (inet_opt ? inet_opt->opt.optlen : 0));\n\tskb_reset_network_header(skb);\n\tiph = ip_hdr(skb);\n\t*((__be16 *)iph) = htons((4 << 12) | (5 << 8) | (inet->tos & 0xff));\n\tif (ip_dont_fragment(sk, &rt->dst) && !skb->ignore_df)\n\t\tiph->frag_off = htons(IP_DF);\n\telse\n\t\tiph->frag_off = 0;\n\tiph->ttl = ip_select_ttl(inet, &rt->dst);\n\tiph->protocol = sk->sk_protocol;\n\tip_copy_addrs(iph, fl4);\n\n\t/* Transport layer set skb->h.foo itself. */\n\n\tif (inet_opt && inet_opt->opt.optlen) {\n\t\tiph->ihl += inet_opt->opt.optlen >> 2;\n\t\tip_options_build(skb, &inet_opt->opt, inet->inet_daddr, rt, 0);\n\t}\n\n\tip_select_ident_segs(net, skb, sk,\n\t\t\t skb_shinfo(skb)->gso_segs ?: 1);\n\n\t/* TODO : should we use skb->sk here instead of sk ? 
*/\n\tskb->priority = sk->sk_priority;\n\tskb->mark = sk->sk_mark;\n\n\tres = ip_local_out(net, sk, skb);\n\trcu_read_unlock();\n\treturn res;\n\nno_route:\n\trcu_read_unlock();\n\tIP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES);\n\tkfree_skb(skb);\n\treturn -EHOSTUNREACH;\n}", "project": "net", "hash": 154318104894509119207802258973055329952, "size": 88, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468951 }, { "func": "static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_cp_le_write_def_data_len *sent;\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);\n\tif (!sent)\n\t\treturn;\n\n\thdev->le_def_tx_len = le16_to_cpu(sent->tx_len);\n\thdev->le_def_tx_time = le16_to_cpu(sent->tx_time);\n}", "project": "linux", "hash": 96695792820226616315600869619816936526, "size": 18, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. 
A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432042 }, { "func": "int udp_lib_get_port(struct sock *sk, unsigned short snum,\n\t\t unsigned int hash2_nulladdr)\n{\n\tstruct udp_hslot *hslot, *hslot2;\n\tstruct udp_table *udptable = sk->sk_prot->h.udp_table;\n\tint error = 1;\n\tstruct net *net = sock_net(sk);\n\n\tif (!snum) {\n\t\tint low, high, remaining;\n\t\tunsigned int rand;\n\t\tunsigned short first, last;\n\t\tDECLARE_BITMAP(bitmap, PORTS_PER_CHAIN);\n\n\t\tinet_get_local_port_range(net, &low, &high);\n\t\tremaining = (high - low) + 1;\n\n\t\trand = prandom_u32();\n\t\tfirst = reciprocal_scale(rand, remaining) + low;\n\t\t/*\n\t\t * force rand to be an odd multiple of UDP_HTABLE_SIZE\n\t\t */\n\t\trand = (rand | 1) * (udptable->mask + 1);\n\t\tlast = first + udptable->mask + 1;\n\t\tdo {\n\t\t\thslot = udp_hashslot(udptable, net, first);\n\t\t\tbitmap_zero(bitmap, PORTS_PER_CHAIN);\n\t\t\tspin_lock_bh(&hslot->lock);\n\t\t\tudp_lib_lport_inuse(net, snum, hslot, bitmap, sk,\n\t\t\t\t\t udptable->log);\n\n\t\t\tsnum = first;\n\t\t\t/*\n\t\t\t * Iterate on all possible values of snum for this hash.\n\t\t\t * Using steps of an odd multiple of UDP_HTABLE_SIZE\n\t\t\t * give us randomization and full range coverage.\n\t\t\t */\n\t\t\tdo {\n\t\t\t\tif (low <= snum && snum <= high &&\n\t\t\t\t !test_bit(snum >> udptable->log, bitmap) &&\n\t\t\t\t !inet_is_local_reserved_port(net, snum))\n\t\t\t\t\tgoto found;\n\t\t\t\tsnum += rand;\n\t\t\t} while (snum != first);\n\t\t\tspin_unlock_bh(&hslot->lock);\n\t\t\tcond_resched();\n\t\t} while 
(++first != last);\n\t\tgoto fail;\n\t} else {\n\t\thslot = udp_hashslot(udptable, net, snum);\n\t\tspin_lock_bh(&hslot->lock);\n\t\tif (hslot->count > 10) {\n\t\t\tint exist;\n\t\t\tunsigned int slot2 = udp_sk(sk)->udp_portaddr_hash ^ snum;\n\n\t\t\tslot2 &= udptable->mask;\n\t\t\thash2_nulladdr &= udptable->mask;\n\n\t\t\thslot2 = udp_hashslot2(udptable, slot2);\n\t\t\tif (hslot->count < hslot2->count)\n\t\t\t\tgoto scan_primary_hash;\n\n\t\t\texist = udp_lib_lport_inuse2(net, snum, hslot2, sk);\n\t\t\tif (!exist && (hash2_nulladdr != slot2)) {\n\t\t\t\thslot2 = udp_hashslot2(udptable, hash2_nulladdr);\n\t\t\t\texist = udp_lib_lport_inuse2(net, snum, hslot2,\n\t\t\t\t\t\t\t sk);\n\t\t\t}\n\t\t\tif (exist)\n\t\t\t\tgoto fail_unlock;\n\t\t\telse\n\t\t\t\tgoto found;\n\t\t}\nscan_primary_hash:\n\t\tif (udp_lib_lport_inuse(net, snum, hslot, NULL, sk, 0))\n\t\t\tgoto fail_unlock;\n\t}\nfound:\n\tinet_sk(sk)->inet_num = snum;\n\tudp_sk(sk)->udp_port_hash = snum;\n\tudp_sk(sk)->udp_portaddr_hash ^= snum;\n\tif (sk_unhashed(sk)) {\n\t\tif (sk->sk_reuseport &&\n\t\t udp_reuseport_add_sock(sk, hslot)) {\n\t\t\tinet_sk(sk)->inet_num = 0;\n\t\t\tudp_sk(sk)->udp_port_hash = 0;\n\t\t\tudp_sk(sk)->udp_portaddr_hash ^= snum;\n\t\t\tgoto fail_unlock;\n\t\t}\n\n\t\tsk_add_node_rcu(sk, &hslot->head);\n\t\thslot->count++;\n\t\tsock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);\n\n\t\thslot2 = udp_hashslot2(udptable, udp_sk(sk)->udp_portaddr_hash);\n\t\tspin_lock(&hslot2->lock);\n\t\tif (IS_ENABLED(CONFIG_IPV6) && sk->sk_reuseport &&\n\t\t sk->sk_family == AF_INET6)\n\t\t\thlist_add_tail_rcu(&udp_sk(sk)->udp_portaddr_node,\n\t\t\t\t\t &hslot2->head);\n\t\telse\n\t\t\thlist_add_head_rcu(&udp_sk(sk)->udp_portaddr_node,\n\t\t\t\t\t &hslot2->head);\n\t\thslot2->count++;\n\t\tspin_unlock(&hslot2->lock);\n\t}\n\tsock_set_flag(sk, SOCK_RCU_FREE);\n\terror = 0;\nfail_unlock:\n\tspin_unlock_bh(&hslot->lock);\nfail:\n\treturn error;\n}", "project": "net", "hash": 
138790026074612893442762663876228210742, "size": 113, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468991 }, { "func": "static int phar_build(zend_object_iterator *iter, void *puser TSRMLS_DC) /* {{{ */\n{\n\tzval **value;\n\tzend_bool close_fp = 1;\n\tstruct _phar_t *p_obj = (struct _phar_t*) puser;\n\tuint str_key_len, base_len = p_obj->l, fname_len;\n\tphar_entry_data *data;\n\tphp_stream *fp;\n\tsize_t contents_len;\n\tchar *fname, *error = NULL, *base = p_obj->b, *opened, *save = NULL, *temp = NULL;\n\tchar *str_key;\n\tzend_class_entry *ce = p_obj->c;\n\tphar_archive_object *phar_obj = p_obj->p;\n\tchar *str = \"[stream]\";\n\n\titer->funcs->get_current_data(iter, &value TSRMLS_CC);\n\n\tif (EG(exception)) {\n\t\treturn ZEND_HASH_APPLY_STOP;\n\t}\n\n\tif (!value) {\n\t\t/* failure in get_current_data */\n\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, \"Iterator %v returned no value\", ce->name);\n\t\treturn ZEND_HASH_APPLY_STOP;\n\t}\n\n\tswitch (Z_TYPE_PP(value)) {\n\t\tcase IS_STRING:\n\t\t\tbreak;\n\t\tcase IS_RESOURCE:\n\t\t\tphp_stream_from_zval_no_verify(fp, value);\n\n\t\t\tif (!fp) {\n\t\t\t\tzend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, 
\"Iterator %v returned an invalid stream handle\", ce->name);\n\t\t\t\treturn ZEND_HASH_APPLY_STOP;\n\t\t\t}\n\n\t\t\tif (iter->funcs->get_current_key) {\n\t\t\t\tzval key;\n\t\t\t\titer->funcs->get_current_key(iter, &key TSRMLS_CC);\n\n\t\t\t\tif (EG(exception)) {\n\t\t\t\t\treturn ZEND_HASH_APPLY_STOP;\n\t\t\t\t}\n\n\t\t\t\tif (Z_TYPE(key) != IS_STRING) {\n\t\t\t\t\tzval_dtor(&key);\n\t\t\t\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, \"Iterator %v returned an invalid key (must return a string)\", ce->name);\n\t\t\t\t\treturn ZEND_HASH_APPLY_STOP;\n\t\t\t\t}\n\n\t\t\t\tstr_key_len = Z_STRLEN(key);\n\t\t\t\tstr_key = estrndup(Z_STRVAL(key), str_key_len);\n\n\t\t\t\tsave = str_key;\n\t\t\t\tzval_dtor(&key);\n\t\t\t} else {\n\t\t\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, \"Iterator %v returned an invalid key (must return a string)\", ce->name);\n\t\t\t\treturn ZEND_HASH_APPLY_STOP;\n\t\t\t}\n\n\t\t\tclose_fp = 0;\n\t\t\topened = (char *) estrndup(str, sizeof(\"[stream]\") - 1);\n\t\t\tgoto after_open_fp;\n\t\tcase IS_OBJECT:\n\t\t\tif (instanceof_function(Z_OBJCE_PP(value), spl_ce_SplFileInfo TSRMLS_CC)) {\n\t\t\t\tchar *test = NULL;\n\t\t\t\tzval dummy;\n\t\t\t\tspl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(*value TSRMLS_CC);\n\n\t\t\t\tif (!base_len) {\n\t\t\t\t\tzend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, \"Iterator %v returns an SplFileInfo object, so base directory must be specified\", ce->name);\n\t\t\t\t\treturn ZEND_HASH_APPLY_STOP;\n\t\t\t\t}\n\n\t\t\t\tswitch (intern->type) {\n\t\t\t\t\tcase SPL_FS_DIR:\n\t\t\t\t\t\ttest = spl_filesystem_object_get_path(intern, NULL TSRMLS_CC);\n\t\t\t\t\t\tfname_len = spprintf(&fname, 0, \"%s%c%s\", test, DEFAULT_SLASH, intern->u.dir.entry.d_name);\n\t\t\t\t\t\tphp_stat(fname, fname_len, FS_IS_DIR, &dummy TSRMLS_CC);\n\n\t\t\t\t\t\tif (Z_BVAL(dummy)) {\n\t\t\t\t\t\t\t/* ignore directories 
*/\n\t\t\t\t\t\t\tefree(fname);\n\t\t\t\t\t\t\treturn ZEND_HASH_APPLY_KEEP;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\ttest = expand_filepath(fname, NULL TSRMLS_CC);\n\t\t\t\t\t\tefree(fname);\n\n\t\t\t\t\t\tif (test) {\n\t\t\t\t\t\t\tfname = test;\n\t\t\t\t\t\t\tfname_len = strlen(fname);\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, \"Could not resolve file path\");\n\t\t\t\t\t\t\treturn ZEND_HASH_APPLY_STOP;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tsave = fname;\n\t\t\t\t\t\tgoto phar_spl_fileinfo;\n\t\t\t\t\tcase SPL_FS_INFO:\n\t\t\t\t\tcase SPL_FS_FILE:\n\t\t\t\t\t\tfname = expand_filepath(intern->file_name, NULL TSRMLS_CC);\n\t\t\t\t\t\tif (!fname) {\n\t\t\t\t\t\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, \"Could not resolve file path\");\n\t\t\t\t\t\t\treturn ZEND_HASH_APPLY_STOP;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tfname_len = strlen(fname);\n\t\t\t\t\t\tsave = fname;\n\t\t\t\t\t\tgoto phar_spl_fileinfo;\n\t\t\t\t}\n\t\t\t}\n\t\t\t/* fall-through */\n\t\tdefault:\n\t\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, \"Iterator %v returned an invalid value (must return a string)\", ce->name);\n\t\t\treturn ZEND_HASH_APPLY_STOP;\n\t}\n\n\tfname = Z_STRVAL_PP(value);\n\tfname_len = Z_STRLEN_PP(value);\n\nphar_spl_fileinfo:\n\tif (base_len) {\n\t\ttemp = expand_filepath(base, NULL TSRMLS_CC);\n\t\tif (!temp) {\n\t\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, \"Could not resolve file path\");\n\t\t\tif (save) {\n\t\t\t\tefree(save);\n\t\t\t}\n\t\t\treturn ZEND_HASH_APPLY_STOP;\n\t\t}\n\t\t\n\t\tbase = temp;\n\t\tbase_len = strlen(base);\n\n\t\tif (strstr(fname, base)) {\n\t\t\tstr_key_len = fname_len - base_len;\n\n\t\t\tif (str_key_len <= 0) {\n\t\t\t\tif (save) {\n\t\t\t\t\tefree(save);\n\t\t\t\t\tefree(temp);\n\t\t\t\t}\n\t\t\t\treturn ZEND_HASH_APPLY_KEEP;\n\t\t\t}\n\n\t\t\tstr_key = fname + base_len;\n\n\t\t\tif (*str_key == '/' || *str_key == 
'\\\\') {\n\t\t\t\tstr_key++;\n\t\t\t\tstr_key_len--;\n\t\t\t}\n\n\t\t} else {\n\t\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, \"Iterator %v returned a path \\\"%s\\\" that is not in the base directory \\\"%s\\\"\", ce->name, fname, base);\n\n\t\t\tif (save) {\n\t\t\t\tefree(save);\n\t\t\t\tefree(temp);\n\t\t\t}\n\n\t\t\treturn ZEND_HASH_APPLY_STOP;\n\t\t}\n\t} else {\n\t\tif (iter->funcs->get_current_key) {\n\t\t\tzval key;\n\t\t\titer->funcs->get_current_key(iter, &key TSRMLS_CC);\n\n\t\t\tif (EG(exception)) {\n\t\t\t\treturn ZEND_HASH_APPLY_STOP;\n\t\t\t}\n\n\t\t\tif (Z_TYPE(key) != IS_STRING) {\n\t\t\t\tzval_dtor(&key);\n\t\t\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, \"Iterator %v returned an invalid key (must return a string)\", ce->name);\n\t\t\t\treturn ZEND_HASH_APPLY_STOP;\n\t\t\t}\n\n\t\t\tstr_key_len = Z_STRLEN(key);\n\t\t\tstr_key = estrndup(Z_STRVAL(key), str_key_len);\n\n\t\t\tsave = str_key;\n\t\t\tzval_dtor(&key);\n\t\t} else {\n\t\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, \"Iterator %v returned an invalid key (must return a string)\", ce->name);\n\t\t\treturn ZEND_HASH_APPLY_STOP;\n\t\t}\n\t}\n#if PHP_API_VERSION < 20100412\n\tif (PG(safe_mode) && (!php_checkuid(fname, NULL, CHECKUID_ALLOW_ONLY_FILE))) {\n\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, \"Iterator %v returned a path \\\"%s\\\" that safe mode prevents opening\", ce->name, fname);\n\n\t\tif (save) {\n\t\t\tefree(save);\n\t\t}\n\n\t\tif (temp) {\n\t\t\tefree(temp);\n\t\t}\n\n\t\treturn ZEND_HASH_APPLY_STOP;\n\t}\n#endif\n\n\tif (php_check_open_basedir(fname TSRMLS_CC)) {\n\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, \"Iterator %v returned a path \\\"%s\\\" that open_basedir prevents opening\", ce->name, fname);\n\n\t\tif (save) {\n\t\t\tefree(save);\n\t\t}\n\n\t\tif (temp) {\n\t\t\tefree(temp);\n\t\t}\n\n\t\treturn 
ZEND_HASH_APPLY_STOP;\n\t}\n\n\t/* try to open source file, then create internal phar file and copy contents */\n\tfp = php_stream_open_wrapper(fname, \"rb\", STREAM_MUST_SEEK|0, &opened);\n\n\tif (!fp) {\n\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, \"Iterator %v returned a file that could not be opened \\\"%s\\\"\", ce->name, fname);\n\n\t\tif (save) {\n\t\t\tefree(save);\n\t\t}\n\n\t\tif (temp) {\n\t\t\tefree(temp);\n\t\t}\n\n\t\treturn ZEND_HASH_APPLY_STOP;\n\t}\nafter_open_fp:\n\tif (str_key_len >= sizeof(\".phar\")-1 && !memcmp(str_key, \".phar\", sizeof(\".phar\")-1)) {\n\t\t/* silently skip any files that would be added to the magic .phar directory */\n\t\tif (save) {\n\t\t\tefree(save);\n\t\t}\n\n\t\tif (temp) {\n\t\t\tefree(temp);\n\t\t}\n\n\t\tif (opened) {\n\t\t\tefree(opened);\n\t\t}\n\n\t\tif (close_fp) {\n\t\t\tphp_stream_close(fp);\n\t\t}\n\n\t\treturn ZEND_HASH_APPLY_KEEP;\n\t}\n\n\tif (!(data = phar_get_or_create_entry_data(phar_obj->arc.archive->fname, phar_obj->arc.archive->fname_len, str_key, str_key_len, \"w+b\", 0, &error, 1 TSRMLS_CC))) {\n\t\tzend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, \"Entry %s cannot be created: %s\", str_key, error);\n\t\tefree(error);\n\n\t\tif (save) {\n\t\t\tefree(save);\n\t\t}\n\n\t\tif (opened) {\n\t\t\tefree(opened);\n\t\t}\n\n\t\tif (temp) {\n\t\t\tefree(temp);\n\t\t}\n\n\t\tif (close_fp) {\n\t\t\tphp_stream_close(fp);\n\t\t}\n\n\t\treturn ZEND_HASH_APPLY_STOP;\n\n\t} else {\n\t\tif (error) {\n\t\t\tefree(error);\n\t\t}\n\t\t/* convert to PHAR_UFP */\n\t\tif (data->internal_file->fp_type == PHAR_MOD) {\n\t\t\tphp_stream_close(data->internal_file->fp);\n\t\t}\n\n\t\tdata->internal_file->fp = NULL;\n\t\tdata->internal_file->fp_type = PHAR_UFP;\n\t\tdata->internal_file->offset_abs = data->internal_file->offset = php_stream_tell(p_obj->fp);\n\t\tdata->fp = NULL;\n\t\tphar_stream_copy_to_stream(fp, p_obj->fp, PHP_STREAM_COPY_ALL, 
&contents_len);\n\t\tdata->internal_file->uncompressed_filesize = data->internal_file->compressed_filesize =\n\t\t\tphp_stream_tell(p_obj->fp) - data->internal_file->offset;\n\t}\n\n\tif (close_fp) {\n\t\tphp_stream_close(fp);\n\t}\n\n\tadd_assoc_string(p_obj->ret, str_key, opened, 0);\n\n\tif (save) {\n\t\tefree(save);\n\t}\n\n\tif (temp) {\n\t\tefree(temp);\n\t}\n\n\tdata->internal_file->compressed_filesize = data->internal_file->uncompressed_filesize = contents_len;\n\tphar_entry_delref(data TSRMLS_CC);\n\n\treturn ZEND_HASH_APPLY_KEEP;\n}", "project": "php-src", "hash": 327746727037474962343820765316511337533, "size": 317, "commit_id": "b2cf3f064b8f5efef89bb084521b61318c71781b", "message": "Fixed bug #68901 (use after free)", "target": 0, "dataset": "other", "idx": 413474 }, { "func": "static int blackout_line_cmpskip(int n, int x, int y, char *dst, char *src,\n int w, int pixelsize) {\n\n\tint i, x1, y1, x2, y2, b, hit = 0;\n\tint beg = -1, end = -1; \n\n\tif (tile_blackout[n].cover == 0) {\n\t\treturn 0;\t/* 0 means do not skip it. */\n\t} else if (tile_blackout[n].cover == 2) {\n\t\treturn 1;\t/* 1 means skip it. */\n\t}\n\n\t/* tile has partial coverage: */\n\n\tfor (i=0; i < w * pixelsize; i++) {\n\t\tif (*(dst+i) != *(src+i)) {\n\t\t\tbeg = i/pixelsize;\t/* beginning difference */\n\t\t\tbreak;\n\t\t}\n\t}\n\tfor (i = w * pixelsize - 1; i >= 0; i--) {\n\t\tif (*(dst+i) != *(src+i)) {\n\t\t\tend = i/pixelsize;\t/* ending difference */\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (beg < 0 || end < 0) {\n\t\t/* problem finding range... 
*/\n\t\treturn 0;\n\t}\n\n\t/* loop over blackout rectangles: */\n\tfor (b=0; b < tile_blackout[n].count; b++) {\n\t\t\n\t\t/* y in full display space: */\n\t\ty1 = tile_blackout[n].bo[b].y1;\n\t\ty2 = tile_blackout[n].bo[b].y2;\n\n\t\t/* x relative to tile origin: */\n\t\tx1 = tile_blackout[n].bo[b].x1 - x;\n\t\tx2 = tile_blackout[n].bo[b].x2 - x;\n\n\t\tif (y1 > y || y >= y2) {\n\t\t\tcontinue;\n\t\t}\n\t\tif (x1 <= beg && end <= x2) {\n\t\t\thit = 1;\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (hit) {\n\t\treturn 1;\n\t} else {\n\t\treturn 0;\n\t}\n}", "project": "x11vnc", "hash": 324725282367082920706861210914231875725, "size": 56, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360768 }, { "func": "JOIN::create_postjoin_aggr_table(JOIN_TAB *tab, List *table_fields,\n ORDER *table_group,\n bool save_sum_fields,\n bool distinct,\n bool keep_row_order)\n{\n DBUG_ENTER(\"JOIN::create_postjoin_aggr_table\");\n THD_STAGE_INFO(thd, stage_creating_tmp_table);\n\n /*\n Pushing LIMIT to the post-join temporary table creation is not applicable\n when there is ORDER BY or GROUP BY or there is no GROUP BY, but\n there are aggregate functions, because in all these cases we need\n all result rows.\n */\n ha_rows table_rows_limit= ((order == NULL || skip_sort_order) &&\n !table_group &&\n !select_lex->with_sum_func) ? 
select_limit\n : HA_POS_ERROR;\n\n if (!(tab->tmp_table_param= new TMP_TABLE_PARAM(tmp_table_param)))\n DBUG_RETURN(true);\n if (tmp_table_keep_current_rowid)\n add_fields_for_current_rowid(tab, table_fields);\n tab->tmp_table_param->skip_create_table= true;\n TABLE* table= create_tmp_table(thd, tab->tmp_table_param, *table_fields,\n table_group, distinct,\n save_sum_fields, select_options, table_rows_limit, \n &empty_clex_str, true, keep_row_order);\n if (!table)\n DBUG_RETURN(true);\n tmp_table_param.using_outer_summary_function=\n tab->tmp_table_param->using_outer_summary_function;\n tab->join= this;\n DBUG_ASSERT(tab > tab->join->join_tab || !top_join_tab_count || !tables_list);\n if (tab > join_tab)\n (tab - 1)->next_select= sub_select_postjoin_aggr;\n if (!(tab->aggr= new (thd->mem_root) AGGR_OP(tab)))\n goto err;\n tab->table= table;\n table->reginfo.join_tab= tab;\n\n /* if group or order on first table, sort first */\n if ((group_list && simple_group) ||\n (implicit_grouping && select_lex->have_window_funcs()))\n {\n DBUG_PRINT(\"info\",(\"Sorting for group\"));\n THD_STAGE_INFO(thd, stage_sorting_for_group);\n\n if (ordered_index_usage != ordered_index_group_by &&\n !only_const_tables() &&\n (join_tab + const_tables)->type != JT_CONST && // Don't sort 1 row\n !implicit_grouping &&\n add_sorting_to_table(join_tab + const_tables, group_list))\n goto err;\n\n if (alloc_group_fields(this, group_list))\n goto err;\n if (make_sum_func_list(all_fields, fields_list, true))\n goto err;\n if (prepare_sum_aggregators(sum_funcs,\n !(tables_list && \n join_tab->is_using_agg_loose_index_scan())))\n goto err;\n if (setup_sum_funcs(thd, sum_funcs))\n goto err;\n group_list= NULL;\n }\n else\n {\n if (make_sum_func_list(all_fields, fields_list, false))\n goto err;\n if (prepare_sum_aggregators(sum_funcs,\n !join_tab->is_using_agg_loose_index_scan()))\n goto err;\n if (setup_sum_funcs(thd, sum_funcs))\n goto err;\n\n if (!group_list && !table->distinct && order && 
simple_order &&\n tab == join_tab + const_tables)\n {\n DBUG_PRINT(\"info\",(\"Sorting for order\"));\n THD_STAGE_INFO(thd, stage_sorting_for_order);\n\n if (ordered_index_usage != ordered_index_order_by &&\n !only_const_tables() &&\n add_sorting_to_table(join_tab + const_tables, order))\n goto err;\n order= NULL;\n }\n }\n\n DBUG_RETURN(false);\n\nerr:\n if (table != NULL)\n free_tmp_table(thd, table);\n DBUG_RETURN(true);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 135493985719226832804014125524707271360, "size": 99, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508484 }, { "func": "int __register_chrdev(unsigned int major, unsigned int baseminor,\n\t\t unsigned int count, const char *name,\n\t\t const struct file_operations *fops)\n{\n\tstruct char_device_struct *cd;\n\tstruct cdev *cdev;\n\tint err = -ENOMEM;\n\n\tcd = __register_chrdev_region(major, baseminor, count, name);\n\tif (IS_ERR(cd))\n\t\treturn PTR_ERR(cd);\n\n\tcdev = cdev_alloc();\n\tif (!cdev)\n\t\tgoto out2;\n\n\tcdev->owner = fops->owner;\n\tcdev->ops = fops;\n\tkobject_set_name(&cdev->kobj, \"%s\", name);\n\n\terr = cdev_add(cdev, MKDEV(cd->major, baseminor), count);\n\tif (err)\n\t\tgoto out;\n\n\tcd->cdev = cdev;\n\n\treturn major ? 0 : cd->major;\nout:\n\tkobject_put(&cdev->kobj);\nout2:\n\tkfree(__unregister_chrdev_region(cd->major, baseminor, count));\n\treturn err;\n}", "project": "linux", "hash": 285019813328013271015908696060525889136, "size": 33, "commit_id": "68faa679b8be1a74e6663c21c3a9d25d32f1c079", "message": "chardev: Avoid potential use-after-free in 'chrdev_open()'\n\n'chrdev_open()' calls 'cdev_get()' to obtain a reference to the\n'struct cdev *' stashed in the 'i_cdev' field of the target inode\nstructure. If the pointer is NULL, then it is initialised lazily by\nlooking up the kobject in the 'cdev_map' and so the whole procedure is\nprotected by the 'cdev_lock' spinlock to serialise initialisation of\nthe shared pointer.\n\nUnfortunately, it is possible for the initialising thread to fail *after*\ninstalling the new pointer, for example if the subsequent '->open()' call\non the file fails. 
In this case, 'cdev_put()' is called, the reference\ncount on the kobject is dropped and, if nobody else has taken a reference,\nthe release function is called which finally clears 'inode->i_cdev' from\n'cdev_purge()' before potentially freeing the object. The problem here\nis that a racing thread can happily take the 'cdev_lock' and see the\nnon-NULL pointer in the inode, which can result in a refcount increment\nfrom zero and a warning:\n\n | ------------[ cut here ]------------\n | refcount_t: addition on 0; use-after-free.\n | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0\n | Modules linked in:\n | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\n | RIP: 0010:refcount_warn_saturate+0x6d/0xf0\n | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08\n | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282\n | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000\n | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798\n | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039\n | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700\n | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700\n | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0\n | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n | Call Trace:\n | kobject_get+0x5c/0x60\n | cdev_get+0x2b/0x60\n | chrdev_open+0x55/0x220\n | ? cdev_put.part.3+0x20/0x20\n | do_dentry_open+0x13a/0x390\n | path_openat+0x2c8/0x1470\n | do_filp_open+0x93/0x100\n | ? 
selinux_file_ioctl+0x17f/0x220\n | do_sys_open+0x186/0x220\n | do_syscall_64+0x48/0x150\n | entry_SYSCALL_64_after_hwframe+0x44/0xa9\n | RIP: 0033:0x7f3b87efcd0e\n | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4\n | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101\n | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e\n | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c\n | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000\n | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e\n | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000\n | ---[ end trace 24f53ca58db8180a ]---\n\nSince 'cdev_get()' can already fail to obtain a reference, simply move\nit over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',\nwhich will cause the racing thread to return -ENXIO if the initialising\nthread fails unexpectedly.\n\nCc: Hillf Danton \nCc: Andrew Morton \nCc: Al Viro \nReported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com\nSigned-off-by: Will Deacon \nCc: stable \nLink: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 446373 }, { "func": "static char* ipProto2Name(u_int16_t proto_id) {\n static char proto[8];\n\n switch(proto_id) {\n case IPPROTO_TCP:\n return(\"TCP\");\n break;\n case IPPROTO_UDP:\n return(\"UDP\");\n break;\n case IPPROTO_ICMP:\n return(\"ICMP\");\n break;\n case IPPROTO_ICMPV6:\n return(\"ICMPV6\");\n break;\n case 112:\n return(\"VRRP\");\n break;\n case IPPROTO_IGMP:\n return(\"IGMP\");\n break;\n }\n\n snprintf(proto, sizeof(proto), \"%u\", proto_id);\n return(proto);\n}", "project": "nDPI", "hash": 247352540757455486375107137394529554671, "size": 27, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 
dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254831 }, { "func": "static int parse_sockaddr_pair(struct sockaddr *sa, int ext_len,\n\t\t\t xfrm_address_t *saddr, xfrm_address_t *daddr,\n\t\t\t u16 *family)\n{\n\tint af, socklen;\n\n\tif (ext_len < 2 || ext_len < pfkey_sockaddr_pair_size(sa->sa_family))\n\t\treturn -EINVAL;\n\n\taf = pfkey_sockaddr_extract(sa, saddr);\n\tif (!af)\n\t\treturn -EINVAL;\n\n\tsocklen = pfkey_sockaddr_len(af);\n\tif (pfkey_sockaddr_extract((struct sockaddr *) (((u8 *)sa) + socklen),\n\t\t\t\t daddr) != af)\n\t\treturn -EINVAL;\n\n\t*family = af;\n\treturn 0;\n}", "project": "linux", "hash": 232167002829326852452540016983625164905, "size": 21, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 267996 }, { "func": " bool get_date_from_item(Item *item, MYSQL_TIME *ltime, ulonglong fuzzydate)\n {\n bool rc= item->get_date(ltime, fuzzydate);\n null_value= MY_TEST(rc || item->null_value);\n return rc;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 117489778135229172841191268268121472055, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509282 }, { "func": "void CLua::_getregistry(lua_State *ls, const char *name)\n{\n lua_pushstring(ls, name);\n lua_gettable(ls, LUA_REGISTRYINDEX);\n}", "project": "crawl", "hash": 212479241110064510490454767238650996978, "size": 5, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230475 }, { "func": "static int sctp_getsockopt_connectx3(struct sock *sk, int len,\n\t\t\t\t char __user *optval,\n\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_getaddrs_old param;\n\tsctp_assoc_t assoc_id = 0;\n\tstruct sockaddr *kaddrs;\n\tint err = 0;\n\n#ifdef CONFIG_COMPAT\n\tif (in_compat_syscall()) {\n\t\tstruct compat_sctp_getaddrs_old param32;\n\n\t\tif (len < sizeof(param32))\n\t\t\treturn -EINVAL;\n\t\tif (copy_from_user(¶m32, optval, sizeof(param32)))\n\t\t\treturn -EFAULT;\n\n\t\tparam.assoc_id = param32.assoc_id;\n\t\tparam.addr_num = param32.addr_num;\n\t\tparam.addrs = compat_ptr(param32.addrs);\n\t} else\n#endif\n\t{\n\t\tif (len < sizeof(param))\n\t\t\treturn -EINVAL;\n\t\tif (copy_from_user(¶m, optval, sizeof(param)))\n\t\t\treturn -EFAULT;\n\t}\n\n\tkaddrs = memdup_user(param.addrs, param.addr_num);\n\tif (IS_ERR(kaddrs))\n\t\treturn PTR_ERR(kaddrs);\n\n\terr = __sctp_setsockopt_connectx(sk, kaddrs, param.addr_num, &assoc_id);\n\tkfree(kaddrs);\n\tif (err == 0 || err == -EINPROGRESS) {\n\t\tif (copy_to_user(optval, &assoc_id, sizeof(assoc_id)))\n\t\t\treturn -EFAULT;\n\t\tif (put_user(sizeof(assoc_id), optlen))\n\t\t\treturn -EFAULT;\n\t}\n\n\treturn err;\n}", "project": "linux", "hash": 254114471131735595024078384894307028932, "size": 45, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without 
sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398213 }, { "func": "static void nfs4_xdr_enc_lock(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t const void *data)\n{\n\tconst struct nfs_lock_args *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_lock(xdr, args, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 28324608313876031038510939596062248469, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431436 }, { "func": "static OPJ_BOOL opj_j2k_allocate_tile_element_cstr_index(opj_j2k_t *p_j2k)\n{\n OPJ_UINT32 it_tile = 0;\n\n p_j2k->cstr_index->nb_of_tiles = p_j2k->m_cp.tw * 
p_j2k->m_cp.th;\n p_j2k->cstr_index->tile_index = (opj_tile_index_t*)opj_calloc(\n p_j2k->cstr_index->nb_of_tiles, sizeof(opj_tile_index_t));\n if (!p_j2k->cstr_index->tile_index) {\n return OPJ_FALSE;\n }\n\n for (it_tile = 0; it_tile < p_j2k->cstr_index->nb_of_tiles; it_tile++) {\n p_j2k->cstr_index->tile_index[it_tile].maxmarknum = 100;\n p_j2k->cstr_index->tile_index[it_tile].marknum = 0;\n p_j2k->cstr_index->tile_index[it_tile].marker = (opj_marker_info_t*)\n opj_calloc(p_j2k->cstr_index->tile_index[it_tile].maxmarknum,\n sizeof(opj_marker_info_t));\n if (!p_j2k->cstr_index->tile_index[it_tile].marker) {\n return OPJ_FALSE;\n }\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 233581244737814379408423903346732079145, "size": 24, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357280 }, { "func": "void CWebSock::OnPageRequest(const CString& sURI) {\n CString sPageRet;\n EPageReqResult eRet = OnPageRequestInternal(sURI, sPageRet);\n switch (eRet) {\n case PAGE_PRINT:\n PrintPage(sPageRet);\n break;\n case PAGE_DEFERRED:\n // Something else will later call Close()\n break;\n case PAGE_DONE:\n // Redirect or something like that, it's done, just make sure\n // the connection will be closed\n Close(CLT_AFTERWRITE);\n break;\n case PAGE_NOTFOUND:\n default:\n PrintNotFound();\n break;\n }\n}", "project": "znc", "hash": 97677643255364125933348097148755651002, "size": 21, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265789 }, { "func": "static int allocate_cmdlines_buffer(unsigned int val,\n\t\t\t\t struct saved_cmdlines_buffer *s)\n{\n\ts->map_cmdline_to_pid = kmalloc(val * 
sizeof(*s->map_cmdline_to_pid),\n\t\t\t\t\tGFP_KERNEL);\n\tif (!s->map_cmdline_to_pid)\n\t\treturn -ENOMEM;\n\n\ts->saved_cmdlines = kmalloc(val * TASK_COMM_LEN, GFP_KERNEL);\n\tif (!s->saved_cmdlines) {\n\t\tkfree(s->map_cmdline_to_pid);\n\t\treturn -ENOMEM;\n\t}\n\n\ts->cmdline_idx = 0;\n\ts->cmdline_num = val;\n\tmemset(&s->map_pid_to_cmdline, NO_CMDLINE_MAP,\n\t sizeof(s->map_pid_to_cmdline));\n\tmemset(s->map_cmdline_to_pid, NO_CMDLINE_MAP,\n\t val * sizeof(*s->map_cmdline_to_pid));\n\n\treturn 0;\n}", "project": "linux", "hash": 295365832150213454510572140029780862195, "size": 23, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445629 }, { "func": "static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb,\n\t\t\t\t u8 *new_status)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\t/* It is possible that we receive Inquiry Complete event right\n\t * before we receive Inquiry Cancel Command Complete event, in\n\t * which case the latter event should have status of Command\n\t * Disallowed (0x0c). 
This should not be treated as error, since\n\t * we actually achieve what Inquiry Cancel wants to achieve,\n\t * which is to end the last Inquiry session.\n\t */\n\tif (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {\n\t\tbt_dev_warn(hdev, \"Ignoring error of Inquiry Cancel command\");\n\t\tstatus = 0x00;\n\t}\n\n\t*new_status = status;\n\n\tif (status)\n\t\treturn;\n\n\tclear_bit(HCI_INQUIRY, &hdev->flags);\n\tsmp_mb__after_atomic(); /* wake_up_bit advises about this barrier */\n\twake_up_bit(&hdev->flags, HCI_INQUIRY);\n\n\thci_dev_lock(hdev);\n\t/* Set discovery state to stopped if we're not doing LE active\n\t * scanning.\n\t */\n\tif (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||\n\t hdev->le_scan_type != LE_SCAN_ACTIVE)\n\t\thci_discovery_set_state(hdev, DISCOVERY_STOPPED);\n\thci_dev_unlock(hdev);\n\n\thci_conn_check_pending(hdev);\n}", "project": "linux", "hash": 188401050153067116116267442199699986302, "size": 39, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431889 }, { "func": "}\n\nstruct scsi_transport_template *\niscsi_register_transport(struct iscsi_transport *tt)\n{\n\tstruct iscsi_internal *priv;\n\tunsigned long flags;\n\tint err;\n\n\tBUG_ON(!tt);\n\n\tpriv = iscsi_if_transport_lookup(tt);\n\tif (priv)\n\t\treturn NULL;\n\n\tpriv = kzalloc(sizeof(*priv), GFP_KERNEL);\n\tif (!priv)\n\t\treturn NULL;\n\tINIT_LIST_HEAD(&priv->list);\n\tpriv->iscsi_transport = tt;\n\tpriv->t.user_scan = iscsi_user_scan;\n\tpriv->t.create_work_queue = 1;\n\n\tpriv->dev.class = &iscsi_transport_class;\n\tdev_set_name(&priv->dev, \"%s\", tt->name);\n\terr = device_register(&priv->dev);\n\tif (err)\n\t\tgoto free_priv;\n\n\terr = sysfs_create_group(&priv->dev.kobj, &iscsi_transport_group);\n\tif (err)\n\t\tgoto unregister_dev;\n\n\t/* host parameters */\n\tpriv->t.host_attrs.ac.class = &iscsi_host_class.class;\n\tpriv->t.host_attrs.ac.match = iscsi_host_match;\n\tpriv->t.host_attrs.ac.grp = &iscsi_host_group;\n\tpriv->t.host_size = sizeof(struct iscsi_cls_host);\n\ttransport_container_register(&priv->t.host_attrs);\n\n\t/* connection parameters */\n\tpriv->conn_cont.ac.class = &iscsi_connection_class.class;\n\tpriv->conn_cont.ac.match = iscsi_conn_match;\n\tpriv->conn_cont.ac.grp = &iscsi_conn_group;\n\ttransport_container_register(&priv->conn_cont);\n\n\t/* session parameters */\n\tpriv->session_cont.ac.class = &iscsi_session_class.class;\n\tpriv->session_cont.ac.match = iscsi_session_match;\n\tpriv->session_cont.ac.grp = &iscsi_session_group;\n\ttransport_container_register(&priv->session_cont);\n\n\tspin_lock_irqsave(&iscsi_transport_lock, flags);\n\tlist_add(&priv->list, 
&iscsi_transports);\n\tspin_unlock_irqrestore(&iscsi_transport_lock, flags);\n\n\tprintk(KERN_NOTICE \"iscsi: registered transport (%s)\\n\", tt->name);\n\treturn &priv->t;\n\nunregister_dev:\n\tdevice_unregister(&priv->dev);\n\treturn NULL;\nfree_priv:", "project": "linux", "hash": 124140167806389789359719425814228003148, "size": 63, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379986 }, { "func": "static int oidc_handle_redirect_authorization_response(request_rec *r,\n\t\toidc_cfg *c, oidc_session_t *session) {\n\n\toidc_debug(r, \"enter\");\n\n\t/* read the parameters from the query string */\n\tapr_table_t *params = apr_table_make(r->pool, 8);\n\toidc_util_read_form_encoded_params(r, params, r->args);\n\n\t/* do the actual work */\n\treturn oidc_handle_authorization_response(r, c, session, params,\n\t\t\tOIDC_PROTO_RESPONSE_MODE_QUERY);\n}", "project": "mod_auth_openidc", "hash": 99944316641577737340338610668805292919, "size": 13, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381960 }, { "func": "static int bredr_inquiry(struct hci_request *req, unsigned long opt)\n{\n\tu8 length = opt;\n\tconst u8 giac[3] = { 0x33, 0x8b, 0x9e };\n\tconst u8 liac[3] = { 0x00, 0x8b, 0x9e };\n\tstruct hci_cp_inquiry cp;\n\n\tbt_dev_dbg(req->hdev, 
\"\");\n\n\thci_dev_lock(req->hdev);\n\thci_inquiry_cache_flush(req->hdev);\n\thci_dev_unlock(req->hdev);\n\n\tmemset(&cp, 0, sizeof(cp));\n\n\tif (req->hdev->discovery.limited)\n\t\tmemcpy(&cp.lap, liac, sizeof(cp.lap));\n\telse\n\t\tmemcpy(&cp.lap, giac, sizeof(cp.lap));\n\n\tcp.length = length;\n\n\thci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);\n\n\treturn 0;\n}", "project": "linux", "hash": 120158629423177077887175795770915126373, "size": 26, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402495 }, { "func": "static void nested_prepare_vmcb_save(struct vcpu_svm *svm, struct vmcb *vmcb12)\n{\n\t/* Load the nested guest state */\n\tsvm->vmcb->save.es = vmcb12->save.es;\n\tsvm->vmcb->save.cs = vmcb12->save.cs;\n\tsvm->vmcb->save.ss = vmcb12->save.ss;\n\tsvm->vmcb->save.ds = vmcb12->save.ds;\n\tsvm->vmcb->save.gdtr = vmcb12->save.gdtr;\n\tsvm->vmcb->save.idtr = vmcb12->save.idtr;\n\tkvm_set_rflags(&svm->vcpu, vmcb12->save.rflags);\n\tsvm_set_efer(&svm->vcpu, vmcb12->save.efer);\n\tsvm_set_cr0(&svm->vcpu, vmcb12->save.cr0);\n\tsvm_set_cr4(&svm->vcpu, vmcb12->save.cr4);\n\tsvm->vmcb->save.cr2 = svm->vcpu.arch.cr2 = vmcb12->save.cr2;\n\tkvm_rax_write(&svm->vcpu, vmcb12->save.rax);\n\tkvm_rsp_write(&svm->vcpu, vmcb12->save.rsp);\n\tkvm_rip_write(&svm->vcpu, vmcb12->save.rip);\n\n\t/* In case we don't even reach vcpu_run, the fields are not updated */\n\tsvm->vmcb->save.rax = vmcb12->save.rax;\n\tsvm->vmcb->save.rsp = vmcb12->save.rsp;\n\tsvm->vmcb->save.rip = vmcb12->save.rip;\n\tsvm->vmcb->save.dr7 = vmcb12->save.dr7;\n\tsvm->vcpu.arch.dr6 = vmcb12->save.dr6;\n\tsvm->vmcb->save.cpl = vmcb12->save.cpl;\n}", "project": "linux", "hash": 77161171875170870425394822736145818927, "size": 26, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. 
Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376668 }, { "func": "uint32_t enc_untrusted_qe_get_target_info(sgx_target_info_t *qe_target_info) {\n uint32_t result;\n CHECK_OCALL(ocall_enc_untrusted_qe_get_target_info(&result, qe_target_info));\n return result;\n}", "project": "asylo", "hash": 179039491232485255664708358553163284329, "size": 5, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232067 }, { "func": "static void nfs4_open_release(void *calldata)\n{\n\tstruct nfs4_opendata *data = calldata;\n\tstruct nfs4_state *state = NULL;\n\n\t/* If this request hasn't been cancelled, do nothing */\n\tif (!data->cancelled)\n\t\tgoto out_free;\n\t/* In case of error, no cleanup! */\n\tif (data->rpc_status != 0 || !data->rpc_done)\n\t\tgoto out_free;\n\t/* In case we need an open_confirm, no cleanup! 
*/\n\tif (data->o_res.rflags & NFS4_OPEN_RESULT_CONFIRM)\n\t\tgoto out_free;\n\tstate = nfs4_opendata_to_nfs4_state(data);\n\tif (!IS_ERR(state))\n\t\tnfs4_close_state(state, data->o_arg.fmode);\nout_free:\n\tnfs4_opendata_put(data);\n}", "project": "linux", "hash": 46746214339519661724560228295035738636, "size": 20, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431572 }, { "func": "void CSoundFile::PanningSlide(ModChannel *pChn, ModCommand::PARAM param, bool memory)\n{\n\tif(memory)\n\t{\n\t\t// FT2 compatibility: Use effect memory (lxx and rxx in XM shouldn't use effect memory).\n\t\t// Test case: PanSlideMem.xm\n\t\tif(param)\n\t\t\tpChn->nOldPanSlide = param;\n\t\telse\n\t\t\tparam = pChn->nOldPanSlide;\n\t}\n\n\tif((GetType() & (MOD_TYPE_XM | MOD_TYPE_MT2)))\n\t{\n\t\t// XM nibble priority\n\t\tif((param & 0xF0) != 0)\n\t\t{\n\t\t\tparam &= 0xF0;\n\t\t} else\n\t\t{\n\t\t\tparam &= 0x0F;\n\t\t}\n\t}\n\n\tint32 nPanSlide = 0;\n\n\tif(!(GetType() & (MOD_TYPE_XM | MOD_TYPE_MT2)))\n\t{\n\t\tif (((param & 0x0F) == 0x0F) && (param & 0xF0))\n\t\t{\n\t\t\tif(m_SongFlags[SONG_FIRSTTICK])\n\t\t\t{\n\t\t\t\tparam = (param & 0xF0) / 4u;\n\t\t\t\tnPanSlide = - (int)param;\n\t\t\t}\n\t\t} else if (((param & 0xF0) == 0xF0) && (param & 0x0F))\n\t\t{\n\t\t\tif(m_SongFlags[SONG_FIRSTTICK])\n\t\t\t{\n\t\t\t\tnPanSlide = (param & 0x0F) * 4u;\n\t\t\t}\n\t\t} else if(!m_SongFlags[SONG_FIRSTTICK])\n\t\t{\n\t\t\tif (param & 0x0F)\n\t\t\t{\n\t\t\t\t// IT compatibility: Ignore slide commands with both nibbles set.\n\t\t\t\tif(!(GetType() & (MOD_TYPE_IT | 
MOD_TYPE_MPT)) || (param & 0xF0) == 0)\n\t\t\t\t\tnPanSlide = (int)((param & 0x0F) * 4u);\n\t\t\t} else\n\t\t\t{\n\t\t\t\tnPanSlide = -(int)((param & 0xF0) / 4u);\n\t\t\t}\n\t\t}\n\t} else\n\t{\n\t\tif(!m_SongFlags[SONG_FIRSTTICK])\n\t\t{\n\t\t\tif (param & 0xF0)\n\t\t\t{\n\t\t\t\tnPanSlide = (int)((param & 0xF0) / 4u);\n\t\t\t} else\n\t\t\t{\n\t\t\t\tnPanSlide = -(int)((param & 0x0F) * 4u);\n\t\t\t}\n\t\t\t// FT2 compatibility: FT2's panning slide is like IT's fine panning slide (not as deep)\n\t\t\tif(m_playBehaviour[kFT2PanSlide])\n\t\t\t\tnPanSlide /= 4;\n\t\t}\n\t}\n\tif (nPanSlide)\n\t{\n\t\tnPanSlide += pChn->nPan;\n\t\tnPanSlide = Clamp(nPanSlide, 0, 256);\n\t\tpChn->nPan = nPanSlide;\n\t\tpChn->nRestorePanOnNewNote = 0;\n\t}\n}", "project": "openmpt", "hash": 203489616701994819049033572170169167420, "size": 77, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255218 }, { "func": "static OPJ_BOOL opj_j2k_merge_ppt(opj_tcp_t *p_tcp, opj_event_mgr_t * p_manager)\n{\n OPJ_UINT32 i, l_ppt_data_size;\n /* preconditions */\n assert(p_tcp != 00);\n assert(p_manager != 00);\n\n if (p_tcp->ppt_buffer != NULL) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"opj_j2k_merge_ppt() has already been called\\n\");\n return OPJ_FALSE;\n }\n\n if (p_tcp->ppt == 0U) {\n return OPJ_TRUE;\n }\n\n l_ppt_data_size = 0U;\n for (i = 0U; i < p_tcp->ppt_markers_count; ++i) {\n l_ppt_data_size +=\n p_tcp->ppt_markers[i].m_data_size; /* can't overflow, max 256 markers of max 65536 bytes */\n }\n\n p_tcp->ppt_buffer = (OPJ_BYTE *) opj_malloc(l_ppt_data_size);\n if (p_tcp->ppt_buffer == 00) {\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough 
memory to read PPT marker\\n\");\n return OPJ_FALSE;\n }\n p_tcp->ppt_len = l_ppt_data_size;\n l_ppt_data_size = 0U;\n for (i = 0U; i < p_tcp->ppt_markers_count; ++i) {\n if (p_tcp->ppt_markers[i].m_data !=\n NULL) { /* standard doesn't seem to require contiguous Zppt */\n memcpy(p_tcp->ppt_buffer + l_ppt_data_size, p_tcp->ppt_markers[i].m_data,\n p_tcp->ppt_markers[i].m_data_size);\n l_ppt_data_size +=\n p_tcp->ppt_markers[i].m_data_size; /* can't overflow, max 256 markers of max 65536 bytes */\n\n opj_free(p_tcp->ppt_markers[i].m_data);\n p_tcp->ppt_markers[i].m_data = NULL;\n p_tcp->ppt_markers[i].m_data_size = 0U;\n }\n }\n\n p_tcp->ppt_markers_count = 0U;\n opj_free(p_tcp->ppt_markers);\n p_tcp->ppt_markers = NULL;\n\n p_tcp->ppt_data = p_tcp->ppt_buffer;\n p_tcp->ppt_data_size = p_tcp->ppt_len;\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 50373475000893370370250038849493974682, "size": 52, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357415 }, { "func": "static int tiocspgrp(struct tty_struct *tty, struct tty_struct *real_tty, pid_t __user *p)\n{\n\tstruct pid *pgrp;\n\tpid_t pgrp_nr;\n\tint retval = tty_check_change(real_tty);\n\n\tif (retval == -EIO)\n\t\treturn -ENOTTY;\n\tif (retval)\n\t\treturn retval;\n\n\tif (get_user(pgrp_nr, p))\n\t\treturn -EFAULT;\n\tif (pgrp_nr < 0)\n\t\treturn -EINVAL;\n\n\tspin_lock_irq(&real_tty->ctrl_lock);\n\tif (!current->signal->tty ||\n\t (current->signal->tty != real_tty) ||\n\t (real_tty->session != task_session(current))) {\n\t\tretval = -ENOTTY;\n\t\tgoto out_unlock_ctrl;\n\t}\n\trcu_read_lock();\n\tpgrp = find_vpid(pgrp_nr);\n\tretval = -ESRCH;\n\tif (!pgrp)\n\t\tgoto out_unlock;\n\tretval = -EPERM;\n\tif (session_of_pgrp(pgrp) != task_session(current))\n\t\tgoto out_unlock;\n\tretval = 0;\n\tput_pid(real_tty->pgrp);\n\treal_tty->pgrp = 
get_pid(pgrp);\nout_unlock:\n\trcu_read_unlock();\nout_unlock_ctrl:\n\tspin_unlock_irq(&real_tty->ctrl_lock);\n\treturn retval;\n}", "project": "linux", "hash": 221522046840646283376168364644074555686, "size": 40, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326071 }, { "func": "static struct bfq_queue *\nbfq_setup_merge(struct bfq_queue *bfqq, struct bfq_queue *new_bfqq)\n{\n\tint process_refs, new_process_refs;\n\tstruct bfq_queue *__bfqq;\n\n\t/*\n\t * If there are no process references on the new_bfqq, then it is\n\t * unsafe to follow the ->new_bfqq chain as other bfqq's in the chain\n\t * may have dropped their last reference (not just their last process\n\t * reference).\n\t */\n\tif (!bfqq_process_refs(new_bfqq))\n\t\treturn NULL;\n\n\t/* Avoid a circular list and skip interim queue merges. 
*/\n\twhile ((__bfqq = new_bfqq->new_bfqq)) {\n\t\tif (__bfqq == bfqq)\n\t\t\treturn NULL;\n\t\tnew_bfqq = __bfqq;\n\t}\n\n\tprocess_refs = bfqq_process_refs(bfqq);\n\tnew_process_refs = bfqq_process_refs(new_bfqq);\n\t/*\n\t * If the process for the bfqq has gone away, there is no\n\t * sense in merging the queues.\n\t */\n\tif (process_refs == 0 || new_process_refs == 0)\n\t\treturn NULL;\n\n\tbfq_log_bfqq(bfqq->bfqd, bfqq, \"scheduling merge with queue %d\",\n\t\tnew_bfqq->pid);\n\n\t/*\n\t * Merging is just a redirection: the requests of the process\n\t * owning one of the two queues are redirected to the other queue.\n\t * The latter queue, in its turn, is set as shared if this is the\n\t * first time that the requests of some process are redirected to\n\t * it.\n\t *\n\t * We redirect bfqq to new_bfqq and not the opposite, because\n\t * we are in the context of the process owning bfqq, thus we\n\t * have the io_cq of this process. So we can immediately\n\t * configure this io_cq to redirect the requests of the\n\t * process to new_bfqq. In contrast, the io_cq of new_bfqq is\n\t * not available any more (new_bfqq->bic == NULL).\n\t *\n\t * Anyway, even in case new_bfqq coincides with the in-service\n\t * queue, redirecting requests the in-service queue is the\n\t * best option, as we feed the in-service queue with new\n\t * requests close to the last request served and, by doing so,\n\t * are likely to increase the throughput.\n\t */\n\tbfqq->new_bfqq = new_bfqq;\n\tnew_bfqq->ref += process_refs;\n\treturn new_bfqq;", "project": "linux", "hash": 186133083719455719794531968066103711760, "size": 57, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. 
So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] 
bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 
mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453320 }, { "func": "void kvm_put_kvm_no_destroy(struct kvm *kvm)\n{\n\tWARN_ON(refcount_dec_and_test(&kvm->users_count));\n}", "project": "linux", "hash": 58411378787591231800480134854249429780, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no 
used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354789 }, { "func": "static int oidc_handle_info_request(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session, apr_byte_t needs_save) {\n\tint rc = HTTP_UNAUTHORIZED;\n\tchar *s_format = NULL, *s_interval = NULL, *r_value = NULL;\n\toidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_INFO,\n\t\t\t&s_format);\n\toidc_util_get_request_parameter(r,\n\t\t\tOIDC_INFO_PARAM_ACCESS_TOKEN_REFRESH_INTERVAL, &s_interval);\n\n\t/* see if this is a request for a format that is supported */\n\tif ((apr_strnatcmp(OIDC_HOOK_INFO_FORMAT_JSON, s_format) != 0)\n\t\t\t&& (apr_strnatcmp(OIDC_HOOK_INFO_FORMAT_HTML, s_format) != 0)) {\n\t\toidc_warn(r, \"request for unknown format: %s\", s_format);\n\t\treturn HTTP_UNSUPPORTED_MEDIA_TYPE;\n\t}\n\n\t/* check that we actually have a user session and this is someone calling with a proper session cookie */\n\tif (session->remote_user == NULL) {\n\t\toidc_warn(r, \"no user session found\");\n\t\treturn HTTP_UNAUTHORIZED;\n\t}\n\n\t/* set the user in the main request for further (incl. 
sub-request and authz) processing */\n\tr->user = apr_pstrdup(r->pool, session->remote_user);\n\n\tif (c->info_hook_data == NULL) {\n\t\toidc_warn(r, \"no data configured to return in \" OIDCInfoHook);\n\t\treturn HTTP_NOT_FOUND;\n\t}\n\n\t/* see if we can and need to refresh the access token */\n\tif ((s_interval != NULL)\n\t\t\t&& (oidc_session_get_refresh_token(r, session) != NULL)) {\n\n\t\tapr_time_t t_interval;\n\t\tif (sscanf(s_interval, \"%\" APR_TIME_T_FMT, &t_interval) == 1) {\n\t\t\tt_interval = apr_time_from_sec(t_interval);\n\n\t\t\t/* get the last refresh timestamp from the session info */\n\t\t\tapr_time_t last_refresh =\n\t\t\t\t\toidc_session_get_access_token_last_refresh(r, session);\n\n\t\t\toidc_debug(r, \"refresh needed in: %\" APR_TIME_T_FMT \" seconds\",\n\t\t\t\t\tapr_time_sec(last_refresh + t_interval - apr_time_now()));\n\n\t\t\t/* see if we need to refresh again */\n\t\t\tif (last_refresh + t_interval < apr_time_now()) {\n\n\t\t\t\t/* get the current provider info */\n\t\t\t\toidc_provider_t *provider = NULL;\n\t\t\t\tif (oidc_get_provider_from_session(r, c, session, &provider)\n\t\t\t\t\t\t== FALSE)\n\t\t\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\n\t\t\t\t/* execute the actual refresh grant */\n\t\t\t\tif (oidc_refresh_access_token(r, c, session, provider,\n\t\t\t\t\t\tNULL) == FALSE)\n\t\t\t\t\toidc_warn(r, \"access_token could not be refreshed\");\n\t\t\t\telse\n\t\t\t\t\tneeds_save = TRUE;\n\t\t\t}\n\t\t}\n\t}\n\n\t/* create the JSON object */\n\tjson_t *json = json_object();\n\n\t/* add a timestamp of creation in there for the caller */\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_TIMESTAMP,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\tjson_object_set_new(json, OIDC_HOOK_INFO_TIMESTAMP,\n\t\t\t\tjson_integer(apr_time_sec(apr_time_now())));\n\t}\n\n\t/*\n\t * refresh the claims from the userinfo endpoint\n\t * side-effect is that this may refresh the access token if not already done\n\t * note that OIDCUserInfoRefreshInterval should 
be set to control the refresh policy\n\t */\n\tneeds_save |= oidc_refresh_claims_from_userinfo_endpoint(r, c, session);\n\n\t/* include the access token in the session info */\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_ACCES_TOKEN,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\tconst char *access_token = oidc_session_get_access_token(r, session);\n\t\tif (access_token != NULL)\n\t\t\tjson_object_set_new(json, OIDC_HOOK_INFO_ACCES_TOKEN,\n\t\t\t\t\tjson_string(access_token));\n\t}\n\n\t/* include the access token expiry timestamp in the session info */\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_ACCES_TOKEN_EXP,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\tconst char *access_token_expires =\n\t\t\t\toidc_session_get_access_token_expires(r, session);\n\t\tif (access_token_expires != NULL)\n\t\t\tjson_object_set_new(json, OIDC_HOOK_INFO_ACCES_TOKEN_EXP,\n\t\t\t\t\tjson_string(access_token_expires));\n\t}\n\n\t/* include the id_token claims in the session info */\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_ID_TOKEN,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\tjson_t *id_token = oidc_session_get_idtoken_claims_json(r, session);\n\t\tif (id_token)\n\t\t\tjson_object_set_new(json, OIDC_HOOK_INFO_ID_TOKEN, id_token);\n\t}\n\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_USER_INFO,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\t/* include the claims from the userinfo endpoint the session info */\n\t\tjson_t *claims = oidc_session_get_userinfo_claims_json(r, session);\n\t\tif (claims)\n\t\t\tjson_object_set_new(json, OIDC_HOOK_INFO_USER_INFO, claims);\n\t}\n\n\t/* include the maximum session lifetime in the session info */\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_SESSION_EXP,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\tapr_time_t session_expires = oidc_session_get_session_expires(r,\n\t\t\t\tsession);\n\t\tjson_object_set_new(json, OIDC_HOOK_INFO_SESSION_EXP,\n\t\t\t\tjson_integer(apr_time_sec(session_expires)));\n\t}\n\n\t/* include the inactivity timeout in the session 
info */\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_SESSION_TIMEOUT,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\tjson_object_set_new(json, OIDC_HOOK_INFO_SESSION_TIMEOUT,\n\t\t\t\tjson_integer(apr_time_sec(session->expiry)));\n\t}\n\n\t/* include the remote_user in the session info */\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_SESSION_REMOTE_USER,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\tjson_object_set_new(json, OIDC_HOOK_INFO_SESSION_REMOTE_USER,\n\t\t\t\tjson_string(session->remote_user));\n\t}\n\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_SESSION,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\tjson_t *j_session = json_object();\n\t\tjson_object_set(j_session, OIDC_HOOK_INFO_SESSION_STATE,\n\t\t\t\tsession->state);\n\t\tjson_object_set_new(j_session, OIDC_HOOK_INFO_SESSION_UUID,\n\t\t\t\tjson_string(session->uuid));\n\t\tjson_object_set_new(json, OIDC_HOOK_INFO_SESSION, j_session);\n\n\t}\n\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_REFRESH_TOKEN,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\t/* include the refresh token in the session info */\n\t\tconst char *refresh_token = oidc_session_get_refresh_token(r, session);\n\t\tif (refresh_token != NULL)\n\t\t\tjson_object_set_new(json, OIDC_HOOK_INFO_REFRESH_TOKEN,\n\t\t\t\t\tjson_string(refresh_token));\n\t}\n\n\t/* pass the tokens to the application and save the session, possibly updating the expiry */\n\tif (oidc_session_pass_tokens(r, c, session, &needs_save) == FALSE)\n\t\toidc_warn(r, \"error passing tokens\");\n\n\t/* check if something was updated in the session and we need to save it again */\n\tif (needs_save) {\n\t\tif (oidc_session_save(r, session, FALSE) == FALSE) {\n\t\t\toidc_warn(r, \"error saving session\");\n\t\t\trc = HTTP_INTERNAL_SERVER_ERROR;\n\t\t}\n\t}\n\n\tif (apr_strnatcmp(OIDC_HOOK_INFO_FORMAT_JSON, s_format) == 0) {\n\t\t/* JSON-encode the result */\n\t\tr_value = oidc_util_encode_json_object(r, json, 0);\n\t\t/* return the stringified JSON result */\n\t\trc = 
oidc_util_http_send(r, r_value, strlen(r_value),\n\t\t\t\tOIDC_CONTENT_TYPE_JSON, OK);\n\t} else if (apr_strnatcmp(OIDC_HOOK_INFO_FORMAT_HTML, s_format) == 0) {\n\t\t/* JSON-encode the result */\n\t\tr_value = oidc_util_encode_json_object(r, json, JSON_INDENT(2));\n\t\trc = oidc_util_html_send(r, \"Session Info\", NULL, NULL,\n\t\t\t\tapr_psprintf(r->pool, \"
%s
\", r_value), OK);\n\t}\n\n\t/* free the allocated resources */\n\tjson_decref(json);\n\n\treturn rc;\n}", "project": "mod_auth_openidc", "hash": 158523185974767932238829348635363430616, "size": 189, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381967 }, { "func": "static int oidc_handle_info_request(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session) {\n\tint rc = HTTP_UNAUTHORIZED;\n\tapr_byte_t needs_save = FALSE;\n\tchar *s_format = NULL, *s_interval = NULL, *r_value = NULL;\n\toidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_INFO,\n\t\t\t&s_format);\n\toidc_util_get_request_parameter(r,\n\t\t\tOIDC_INFO_PARAM_ACCESS_TOKEN_REFRESH_INTERVAL, &s_interval);\n\n\t/* see if this is a request for a format that is supported */\n\tif ((apr_strnatcmp(OIDC_HOOK_INFO_FORMAT_JSON, s_format) != 0)\n\t\t\t&& (apr_strnatcmp(OIDC_HOOK_INFO_FORMAT_HTML, s_format) != 0)) {\n\t\toidc_warn(r, \"request for unknown format: %s\", s_format);\n\t\treturn HTTP_UNSUPPORTED_MEDIA_TYPE;\n\t}\n\n\t/* check that we actually have a user session and this is someone calling with a proper session cookie */\n\tif (session->remote_user == NULL) {\n\t\toidc_warn(r, \"no user session found\");\n\t\treturn HTTP_UNAUTHORIZED;\n\t}\n\n\t/* set the user in the main request for further (incl. 
sub-request and authz) processing */\n\tr->user = apr_pstrdup(r->pool, session->remote_user);\n\n\tif (c->info_hook_data == NULL) {\n\t\toidc_warn(r, \"no data configured to return in \" OIDCInfoHook);\n\t\treturn HTTP_NOT_FOUND;\n\t}\n\n\t/* see if we can and need to refresh the access token */\n\tif ((s_interval != NULL)\n\t\t\t&& (oidc_session_get_refresh_token(r, session) != NULL)) {\n\n\t\tapr_time_t t_interval;\n\t\tif (sscanf(s_interval, \"%\" APR_TIME_T_FMT, &t_interval) == 1) {\n\t\t\tt_interval = apr_time_from_sec(t_interval);\n\n\t\t\t/* get the last refresh timestamp from the session info */\n\t\t\tapr_time_t last_refresh =\n\t\t\t\t\toidc_session_get_access_token_last_refresh(r, session);\n\n\t\t\toidc_debug(r, \"refresh needed in: %\" APR_TIME_T_FMT \" seconds\",\n\t\t\t\t\tapr_time_sec(last_refresh + t_interval - apr_time_now()));\n\n\t\t\t/* see if we need to refresh again */\n\t\t\tif (last_refresh + t_interval < apr_time_now()) {\n\n\t\t\t\t/* get the current provider info */\n\t\t\t\toidc_provider_t *provider = NULL;\n\t\t\t\tif (oidc_get_provider_from_session(r, c, session,\n\t\t\t\t\t\t&provider) == FALSE)\n\t\t\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\n\t\t\t\t/* execute the actual refresh grant */\n\t\t\t\tif (oidc_refresh_access_token(r, c, session, provider,\n\t\t\t\t\t\tNULL) == FALSE)\n\t\t\t\t\toidc_warn(r, \"access_token could not be refreshed\");\n\t\t\t\telse\n\t\t\t\t\tneeds_save = TRUE;\n\t\t\t}\n\t\t}\n\t}\n\n\t/* create the JSON object */\n\tjson_t *json = json_object();\n\n\t/* add a timestamp of creation in there for the caller */\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_TIMESTAMP,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\tjson_object_set_new(json, OIDC_HOOK_INFO_TIMESTAMP,\n\t\t\t\tjson_integer(apr_time_sec(apr_time_now())));\n\t}\n\n\t/*\n\t * refresh the claims from the userinfo endpoint\n\t * side-effect is that this may refresh the access token if not already done\n\t * note that OIDCUserInfoRefreshInterval should 
be set to control the refresh policy\n\t */\n\tneeds_save |= oidc_refresh_claims_from_userinfo_endpoint(r, c, session);\n\n\t/* include the access token in the session info */\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_ACCES_TOKEN,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\tconst char *access_token = oidc_session_get_access_token(r, session);\n\t\tif (access_token != NULL)\n\t\t\tjson_object_set_new(json, OIDC_HOOK_INFO_ACCES_TOKEN,\n\t\t\t\t\tjson_string(access_token));\n\t}\n\n\t/* include the access token expiry timestamp in the session info */\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_ACCES_TOKEN_EXP,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\tconst char *access_token_expires =\n\t\t\t\toidc_session_get_access_token_expires(r, session);\n\t\tif (access_token_expires != NULL)\n\t\t\tjson_object_set_new(json, OIDC_HOOK_INFO_ACCES_TOKEN_EXP,\n\t\t\t\t\tjson_string(access_token_expires));\n\t}\n\n\t/* include the id_token claims in the session info */\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_ID_TOKEN,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\tjson_t *id_token = oidc_session_get_idtoken_claims_json(r, session);\n\t\tif (id_token)\n\t\t\tjson_object_set_new(json, OIDC_HOOK_INFO_ID_TOKEN, id_token);\n\t}\n\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_USER_INFO,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\t/* include the claims from the userinfo endpoint the session info */\n\t\tjson_t *claims = oidc_session_get_userinfo_claims_json(r, session);\n\t\tif (claims)\n\t\t\tjson_object_set_new(json, OIDC_HOOK_INFO_USER_INFO, claims);\n\t}\n\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_SESSION,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\tjson_t *j_session = json_object();\n\t\tjson_object_set(j_session, OIDC_HOOK_INFO_SESSION_STATE,\n\t\t\t\tsession->state);\n\t\tjson_object_set_new(j_session, OIDC_HOOK_INFO_SESSION_UUID,\n\t\t\t\tjson_string(session->uuid));\n\t\tjson_object_set_new(j_session, 
OIDC_HOOK_INFO_SESSION_TIMEOUT,\n\t\t\t\tjson_integer(apr_time_sec(session->expiry)));\n\t\tapr_time_t session_expires = oidc_session_get_session_expires(r,\n\t\t\t\tsession);\n\t\tjson_object_set_new(j_session, OIDC_HOOK_INFO_SESSION_EXP,\n\t\t\t\tjson_integer(apr_time_sec(session_expires)));\n\t\tjson_object_set_new(j_session, OIDC_HOOK_INFO_SESSION_REMOTE_USER,\n\t\t\t\tjson_string(session->remote_user));\n\t\tjson_object_set_new(json, OIDC_HOOK_INFO_SESSION, j_session);\n\n\t}\n\n\tif (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_REFRESH_TOKEN,\n\t\t\tAPR_HASH_KEY_STRING)) {\n\t\t/* include the refresh token in the session info */\n\t\tconst char *refresh_token = oidc_session_get_refresh_token(r, session);\n\t\tif (refresh_token != NULL)\n\t\t\tjson_object_set_new(json, OIDC_HOOK_INFO_REFRESH_TOKEN,\n\t\t\t\t\tjson_string(refresh_token));\n\t}\n\n\tif (apr_strnatcmp(OIDC_HOOK_INFO_FORMAT_JSON, s_format) == 0) {\n\t\t/* JSON-encode the result */\n\t\tr_value = oidc_util_encode_json_object(r, json, 0);\n\t\t/* return the stringified JSON result */\n\t\trc = oidc_util_http_send(r, r_value, strlen(r_value),\n\t\t\t\tOIDC_CONTENT_TYPE_JSON, OK);\n\t} else if (apr_strnatcmp(OIDC_HOOK_INFO_FORMAT_HTML, s_format) == 0) {\n\t\t/* JSON-encode the result */\n\t\tr_value = oidc_util_encode_json_object(r, json, JSON_INDENT(2));\n\t\trc = oidc_util_html_send(r, \"Session Info\", NULL, NULL,\n\t\t\t\tapr_psprintf(r->pool, \"
%s
\", r_value), OK);\n\t}\n\n\t/* free the allocated resources */\n\tjson_decref(json);\n\n\t/* pass the tokens to the application and save the session, possibly updating the expiry */\n\tif (oidc_session_pass_tokens_and_save(r, c, session, needs_save) == FALSE) {\n\t\toidc_warn(r, \"error saving session\");\n\t\trc = HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\treturn rc;\n}", "project": "mod_auth_openidc", "hash": 320747563192531400916270886595360893104, "size": 169, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447709 }, { "func": "\tif(pThis->pqParent == NULL) {\n\t\t/* if we are not a child, we allocated our own mutex, which we now need to destroy */\n\t\tpthread_mutex_destroy(pThis->mut);\n\t\tfree(pThis->mut);\n\t}", "project": "rsyslog", "hash": 95972490653857863502418230918176200030, "size": 5, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373765 }, { "func": "RAMBlock *qemu_ram_alloc_from_ptr(ram_addr_t size, void *host,\n MemoryRegion *mr, Error **errp)\n{\n return qemu_ram_alloc_internal(size, size, NULL, host, RAM_PREALLOC, mr,\n errp);\n}", "target": 0, "cwe": [ "CWE-908" ], "project": "qemu", "commit_id": "418ade7849ce7641c0f7333718caf5091a02fd4c", "hash": 146352255872202443101650634346018096969, "size": 6, "message": "softmmu: Always initialize xlat in address_space_translate_for_iotlb\n\nThe bug is an uninitialized memory read, along the translate_fail\npath, which results in garbage being read from iotlb_to_section,\nwhich can lead to a crash in io_readx/io_writex.\n\nThe bug may be fixed by writing any value with zero\nin ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using\nthe xlat'ed address returns io_mem_unassigned, as desired by 
the\ntranslate_fail path.\n\nIt is most useful to record the original physical page address,\nwhich will eventually be logged by memory_region_access_valid\nwhen the access is rejected by unassigned_mem_accepts.\n\nResolves: https://gitlab.com/qemu-project/qemu/-/issues/1065\nSigned-off-by: Richard Henderson \nReviewed-by: Peter Maydell \nMessage-Id: <20220621153829.366423-1-richard.henderson@linaro.org>", "dataset": "other", "idx": 514771 }, { "func": "UnicodeString::findAndReplace(int32_t start,\n int32_t length,\n const UnicodeString& oldText,\n int32_t oldStart,\n int32_t oldLength,\n const UnicodeString& newText,\n int32_t newStart,\n int32_t newLength)\n{\n if(isBogus() || oldText.isBogus() || newText.isBogus()) {\n return *this;\n }\n\n pinIndices(start, length);\n oldText.pinIndices(oldStart, oldLength);\n newText.pinIndices(newStart, newLength);\n\n if(oldLength == 0) {\n return *this;\n }\n\n while(length > 0 && length >= oldLength) {\n int32_t pos = indexOf(oldText, oldStart, oldLength, start, length);\n if(pos < 0) {\n // no more oldText's here: done\n break;\n } else {\n // we found oldText, replace it by newText and go beyond it\n replace(pos, oldLength, newText, newStart, newLength);\n length -= pos + oldLength - start;\n start = pos + newLength;\n }\n }\n\n return *this;\n}", "project": "icu", "hash": 251526581807150820161682079469675712829, "size": 36, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430807 }, { "func": "static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)\n{\n\tstruct hci_cp_switch_role *cp;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (!status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);\n\tif 
(conn)\n\t\tclear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 239519176138232279516968224810174170058, "size": 22, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431992 }, { "func": "void ItemStackMetadata::serialize(std::ostream &os) const\n{\n\tstd::ostringstream os2;\n\tos2 << DESERIALIZE_START;\n\tfor (const auto &stringvar : m_stringvars) {\n\t\tif (!stringvar.first.empty() || !stringvar.second.empty())\n\t\t\tos2 << stringvar.first << DESERIALIZE_KV_DELIM\n\t\t\t\t<< stringvar.second << DESERIALIZE_PAIR_DELIM;\n\t}\n\tos << serializeJsonStringIfNeeded(os2.str());\n}", "project": "minetest", "hash": 109106528849940872215234710525608428098, "size": 11, "commit_id": "b5956bde259faa240a81060ff4e598e25ad52dae", "message": "Sanitize ItemStack meta text", "target": 0, "dataset": "other", "idx": 279954 }, { "func": "Value ExpressionReplaceBase::serialize(bool explain) const {\n return Value(Document{{getOpName(),\n Document{{\"input\", _input->serialize(explain)},\n {\"find\", _find->serialize(explain)},\n {\"replacement\", _replacement->serialize(explain)}}}});\n}", "project": "mongo", "hash": 156846265636504708485811561050201936628, "size": 6, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": 
"other", "idx": 370027 }, { "func": "Value ExpressionRandom::serialize(const bool explain) const {\n return Value(DOC(getOpName() << Document()));\n}", "project": "mongo", "hash": 2225091999019153773971902387126474442, "size": 3, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370077 }, { "func": "int headerIsEntry(Header h, rpmTagVal tag)\n{\n \t\t/* FIX: h modified by sort. */\n return (findEntry(h, tag, RPM_NULL_TYPE) ? 1 : 0);\n \t\n}", "project": "rpm", "hash": 229009595779061934784296996762909969297, "size": 6, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318206 }, { "func": "static void set_refuse_options(char *bp)\n{\n\tstruct poptOption *op;\n\tchar *cp, shortname[2];\n\tint is_wild, found_match;\n\n\tshortname[1] = '\\0';\n\n\twhile (1) {\n\t\twhile (*bp == ' ') bp++;\n\t\tif (!*bp)\n\t\t\tbreak;\n\t\tif ((cp = strchr(bp, ' ')) != NULL)\n\t\t\t*cp= '\\0';\n\t\tis_wild = strpbrk(bp, \"*?[\") != NULL;\n\t\tfound_match = 0;\n\t\tfor (op = long_options; ; op++) {\n\t\t\t*shortname = op->shortName;\n\t\t\tif (!op->longName && !*shortname)\n\t\t\t\tbreak;\n\t\t\tif ((op->longName && wildmatch(bp, op->longName))\n\t\t\t || (*shortname && wildmatch(bp, shortname))) {\n\t\t\t\tif (op->argInfo == POPT_ARG_VAL)\n\t\t\t\t\top->argInfo = POPT_ARG_NONE;\n\t\t\t\top->val = (op - long_options) + OPT_REFUSED_BASE;\n\t\t\t\tfound_match = 1;\n\t\t\t\t/* These flags are set to let us easily check\n\t\t\t\t * an implied option later in the code. 
*/\n\t\t\t\tswitch (*shortname) {\n\t\t\t\tcase 'r': case 'd': case 'l': case 'p':\n\t\t\t\tcase 't': case 'g': case 'o': case 'D':\n\t\t\t\t\trefused_archive_part = op->val;\n\t\t\t\t\tbreak;\n\t\t\t\tcase 'z':\n\t\t\t\t\trefused_compress = op->val;\n\t\t\t\t\tbreak;\n\t\t\t\tcase '\\0':\n\t\t\t\t\tif (wildmatch(\"delete\", op->longName))\n\t\t\t\t\t\trefused_delete = op->val;\n\t\t\t\t\telse if (wildmatch(\"delete-before\", op->longName))\n\t\t\t\t\t\trefused_delete_before = op->val;\n\t\t\t\t\telse if (wildmatch(\"delete-during\", op->longName))\n\t\t\t\t\t\trefused_delete_during = op->val;\n\t\t\t\t\telse if (wildmatch(\"partial\", op->longName))\n\t\t\t\t\t\trefused_partial = op->val;\n\t\t\t\t\telse if (wildmatch(\"progress\", op->longName))\n\t\t\t\t\t\trefused_progress = op->val;\n\t\t\t\t\telse if (wildmatch(\"inplace\", op->longName))\n\t\t\t\t\t\trefused_inplace = op->val;\n\t\t\t\t\telse if (wildmatch(\"no-iconv\", op->longName))\n\t\t\t\t\t\trefused_no_iconv = op->val;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tif (!is_wild)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (!found_match) {\n\t\t\trprintf(FLOG, \"No match for refuse-options string \\\"%s\\\"\\n\",\n\t\t\t\tbp);\n\t\t}\n\t\tif (!cp)\n\t\t\tbreak;\n\t\t*cp = ' ';\n\t\tbp = cp + 1;\n\t}\n}", "project": "rsync", "hash": 190454127924484073471555790667970441958, "size": 67, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. 
This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364677 }, { "func": "int RGWPostObj_ObjStore_S3::get_data(ceph::bufferlist& bl, bool& again)\n{\n bool boundary;\n bool done;\n\n const uint64_t chunk_size = s->cct->_conf->rgw_max_chunk_size;\n int r = read_data(bl, chunk_size, boundary, done);\n if (r < 0) {\n return r;\n }\n\n if (boundary) {\n if (!done) {\n /* Reached end of data, let's drain the rest of the params */\n r = complete_get_params();\n if (r < 0) {\n return r;\n }\n }\n }\n\n again = !boundary;\n return bl.length();\n}", "project": "ceph", "hash": 80323153682462198996614282937508264654, "size": 24, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281332 }, { "func": "int RGWPutObj_ObjStore_S3::get_data(bufferlist& bl)\n{\n const int ret = RGWPutObj_ObjStore::get_data(bl);\n if (ret == 0) {\n const int ret_auth = do_aws4_auth_completion();\n if (ret_auth < 0) {\n return ret_auth;\n }\n }\n\n return ret;\n}", "project": "ceph", "hash": 225253066479551545750111881987154995376, "size": 12, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281401 }, { "func": "int RGWBulkDelete_ObjStore_SWIFT::get_data(\n list& items, bool * const is_truncated)\n{\n constexpr size_t MAX_LINE_SIZE = 2048;\n\n RGWClientIOStreamBuf ciosb(static_cast(*(s->cio)),\n\t\t\t size_t(s->cct->_conf->rgw_max_chunk_size));\n istream cioin(&ciosb);\n\n char buf[MAX_LINE_SIZE];\n while 
(cioin.getline(buf, sizeof(buf))) {\n string path_str(buf);\n\n ldout(s->cct, 20) << \"extracted Bulk Delete entry: \" << path_str << dendl;\n\n RGWBulkDelete::acct_path_t path;\n\n /* We need to skip all slashes at the beginning in order to preserve\n * compliance with Swift. */\n const size_t start_pos = path_str.find_first_not_of('/');\n\n if (string::npos != start_pos) {\n /* Seperator is the first slash after the leading ones. */\n const size_t sep_pos = path_str.find('/', start_pos);\n\n if (string::npos != sep_pos) {\n path.bucket_name = url_decode(path_str.substr(start_pos,\n sep_pos - start_pos));\n path.obj_key = url_decode(path_str.substr(sep_pos + 1));\n } else {\n /* It's guaranteed here that bucket name is at least one character\n * long and is different than slash. */\n path.bucket_name = url_decode(path_str.substr(start_pos));\n }\n\n items.push_back(path);\n }\n\n if (items.size() == MAX_CHUNK_ENTRIES) {\n *is_truncated = true;\n return 0;\n }\n }\n\n *is_truncated = false;\n return 0;\n}", "project": "ceph", "hash": 262914999060826116861874589013982653142, "size": 47, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448767 }, { "func": "int RGWFormPost::get_data(ceph::bufferlist& bl, bool& again)\n{\n bool boundary;\n\n int r = read_data(bl, s->cct->_conf->rgw_max_chunk_size,\n boundary, stream_done);\n if (r < 0) {\n return r;\n }\n\n /* Tell RGWPostObj::execute() that it has some data to put. 
*/\n again = !boundary;\n\n return bl.length();\n}", "project": "ceph", "hash": 278922684472818328153816169196609494990, "size": 15, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448873 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "Java_edu_berkeley_cs_rise_opaque_execution_SGXEnclave_NonObliviousAggregateStep1(\n JNIEnv *env, jobject obj, jlong eid, jbyteArray agg_op, jbyteArray input_rows) {\n (void)obj;\n\n jboolean if_copy;\n\n uint32_t agg_op_length = (uint32_t) env->GetArrayLength(agg_op);\n uint8_t *agg_op_ptr = (uint8_t *) env->GetByteArrayElements(agg_op, &if_copy);\n\n uint32_t input_rows_length = (uint32_t) env->GetArrayLength(input_rows);\n uint8_t *input_rows_ptr = (uint8_t *) env->GetByteArrayElements(input_rows, &if_copy);\n\n uint8_t *first_row;\n size_t first_row_length;\n\n uint8_t *last_group;\n size_t last_group_length;\n\n uint8_t *last_row;\n size_t last_row_length;\n\n sgx_check(\"Non-Oblivious Aggregate Step 1\",\n ecall_non_oblivious_aggregate_step1(\n eid,\n agg_op_ptr, agg_op_length,\n input_rows_ptr, input_rows_length,\n &first_row, &first_row_length,\n &last_group, &last_group_length,\n &last_row, &last_row_length));\n\n jbyteArray first_row_array = env->NewByteArray(first_row_length);\n env->SetByteArrayRegion(first_row_array, 0, first_row_length, (jbyte *) first_row);\n free(first_row);\n\n jbyteArray last_group_array = env->NewByteArray(last_group_length);\n env->SetByteArrayRegion(last_group_array, 0, last_group_length, (jbyte *) last_group);\n free(last_group);\n\n jbyteArray last_row_array = 
env->NewByteArray(last_row_length);\n env->SetByteArrayRegion(last_row_array, 0, last_row_length, (jbyte *) last_row);\n free(last_row);\n\n env->ReleaseByteArrayElements(agg_op, (jbyte *) agg_op_ptr, 0);\n env->ReleaseByteArrayElements(input_rows, (jbyte *) input_rows_ptr, 0);\n\n jclass tuple3_class = env->FindClass(\"scala/Tuple3\");\n jobject ret = env->NewObject(\n tuple3_class,\n env->GetMethodID(tuple3_class, \"\",\n \"(Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;)V\"),\n first_row_array, last_group_array, last_row_array);\n\n return ret;\n}", "idx": 519053, "cwe": "CWE-787", "hash": 184215992129757841266078326379792998472, "dataset": "other" }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "Java_edu_berkeley_cs_rise_opaque_execution_SGXEnclave_ScanCollectLastPrimary(\n JNIEnv *env, jobject obj, jlong eid, jbyteArray join_expr, jbyteArray input_rows) {\n (void)obj;\n\n jboolean if_copy;\n\n uint32_t join_expr_length = (uint32_t) env->GetArrayLength(join_expr);\n uint8_t *join_expr_ptr = (uint8_t *) env->GetByteArrayElements(join_expr, &if_copy);\n\n uint32_t input_rows_length = (uint32_t) env->GetArrayLength(input_rows);\n uint8_t *input_rows_ptr = (uint8_t *) env->GetByteArrayElements(input_rows, &if_copy);\n\n uint8_t *output_rows;\n size_t output_rows_length;\n\n sgx_check(\"Scan Collect Last Primary\",\n ecall_scan_collect_last_primary(\n eid,\n join_expr_ptr, join_expr_length,\n input_rows_ptr, input_rows_length,\n &output_rows, &output_rows_length));\n\n jbyteArray ret = env->NewByteArray(output_rows_length);\n env->SetByteArrayRegion(ret, 0, output_rows_length, (jbyte *) output_rows);\n free(output_rows);\n\n env->ReleaseByteArrayElements(join_expr, (jbyte *) join_expr_ptr, 0);\n env->ReleaseByteArrayElements(input_rows, (jbyte *) input_rows_ptr, 0);\n\n return ret;\n}", "idx": 519084, "cwe": "CWE-787", "hash": 46766488131872045731933508715103679765, "dataset": "other" }, { "project": 
"opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "Java_edu_berkeley_cs_rise_opaque_execution_SGXEnclave_NonObliviousSortMergeJoin(\n JNIEnv *env, jobject obj, jlong eid, jbyteArray join_expr, jbyteArray input_rows,\n jbyteArray join_row) {\n (void)obj;\n\n jboolean if_copy;\n\n uint32_t join_expr_length = (uint32_t) env->GetArrayLength(join_expr);\n uint8_t *join_expr_ptr = (uint8_t *) env->GetByteArrayElements(join_expr, &if_copy);\n\n uint32_t input_rows_length = (uint32_t) env->GetArrayLength(input_rows);\n uint8_t *input_rows_ptr = (uint8_t *) env->GetByteArrayElements(input_rows, &if_copy);\n\n uint32_t join_row_length = (uint32_t) env->GetArrayLength(join_row);\n uint8_t *join_row_ptr = (uint8_t *) env->GetByteArrayElements(join_row, &if_copy);\n\n uint8_t *output_rows;\n size_t output_rows_length;\n\n sgx_check(\"Non-oblivious SortMergeJoin\",\n ecall_non_oblivious_sort_merge_join(\n eid,\n join_expr_ptr, join_expr_length,\n input_rows_ptr, input_rows_length,\n join_row_ptr, join_row_length,\n &output_rows, &output_rows_length));\n \n jbyteArray ret = env->NewByteArray(output_rows_length);\n env->SetByteArrayRegion(ret, 0, output_rows_length, (jbyte *) output_rows);\n free(output_rows);\n\n env->ReleaseByteArrayElements(join_expr, (jbyte *) join_expr_ptr, 0);\n env->ReleaseByteArrayElements(input_rows, (jbyte *) input_rows_ptr, 0);\n env->ReleaseByteArrayElements(join_row, (jbyte *) join_row_ptr, 0);\n\n return ret;\n}", "idx": 519093, "cwe": "CWE-787", "hash": 51222327969131361425176257943886193299, "dataset": "other" }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "Java_edu_berkeley_cs_rise_opaque_execution_SGXEnclave_NonObliviousAggregateStep2(\n JNIEnv *env, jobject obj, jlong eid, jbyteArray agg_op, jbyteArray input_rows,\n jbyteArray next_partition_first_row, jbyteArray prev_partition_last_group,\n jbyteArray prev_partition_last_row) {\n (void)obj;\n\n 
jboolean if_copy;\n\n uint32_t agg_op_length = (uint32_t) env->GetArrayLength(agg_op);\n uint8_t *agg_op_ptr = (uint8_t *) env->GetByteArrayElements(agg_op, &if_copy);\n\n uint32_t input_rows_length = (uint32_t) env->GetArrayLength(input_rows);\n uint8_t *input_rows_ptr = (uint8_t *) env->GetByteArrayElements(input_rows, &if_copy);\n\n uint32_t next_partition_first_row_length =\n (uint32_t) env->GetArrayLength(next_partition_first_row);\n uint8_t *next_partition_first_row_ptr =\n (uint8_t *) env->GetByteArrayElements(next_partition_first_row, &if_copy);\n\n uint32_t prev_partition_last_group_length =\n (uint32_t) env->GetArrayLength(prev_partition_last_group);\n uint8_t *prev_partition_last_group_ptr =\n (uint8_t *) env->GetByteArrayElements(prev_partition_last_group, &if_copy);\n\n uint32_t prev_partition_last_row_length =\n (uint32_t) env->GetArrayLength(prev_partition_last_row);\n uint8_t *prev_partition_last_row_ptr =\n (uint8_t *) env->GetByteArrayElements(prev_partition_last_row, &if_copy);\n\n uint8_t *output_rows;\n size_t output_rows_length;\n\n sgx_check(\"Non-Oblivious Aggregate Step 2\",\n ecall_non_oblivious_aggregate_step2(\n eid,\n agg_op_ptr, agg_op_length,\n input_rows_ptr, input_rows_length,\n next_partition_first_row_ptr, next_partition_first_row_length,\n prev_partition_last_group_ptr, prev_partition_last_group_length,\n prev_partition_last_row_ptr, prev_partition_last_row_length,\n &output_rows, &output_rows_length));\n\n jbyteArray ret = env->NewByteArray(output_rows_length);\n env->SetByteArrayRegion(ret, 0, output_rows_length, (jbyte *) output_rows);\n free(output_rows);\n\n env->ReleaseByteArrayElements(agg_op, (jbyte *) agg_op_ptr, 0);\n env->ReleaseByteArrayElements(input_rows, (jbyte *) input_rows_ptr, 0);\n env->ReleaseByteArrayElements(\n next_partition_first_row, (jbyte *) next_partition_first_row_ptr, 0);\n env->ReleaseByteArrayElements(\n prev_partition_last_group, (jbyte *) prev_partition_last_group_ptr, 0);\n 
env->ReleaseByteArrayElements(\n prev_partition_last_row, (jbyte *) prev_partition_last_row_ptr, 0);\n\n return ret;\n}", "idx": 519103, "cwe": "CWE-787", "hash": 28313930830870418508717079334935874797, "dataset": "other" }, { "func": "static void load_creator(FILE *fp, pdf_t *pdf)\n{\n int i, buf_idx;\n char c, *buf, obj_id_buf[32] = {0};\n long start;\n size_t sz;\n\n start = ftell(fp);\n\n /* For each PDF version */\n for (i=0; in_xrefs; ++i)\n {\n if (!pdf->xrefs[i].version)\n continue;\n\n /* Find trailer */\n fseek(fp, pdf->xrefs[i].start, SEEK_SET);\n while (SAFE_F(fp, (fgetc(fp) != 't')))\n ; /* Iterate to \"trailer\" */\n\n /* Look for \"<< ....... /Info ......\" */\n c = '\\0';\n while (SAFE_F(fp, ((c = fgetc(fp)) != '>')))\n if (SAFE_F(fp, ((c == '/') &&\n (fgetc(fp) == 'I') && ((fgetc(fp) == 'n')))))\n break;\n\n /* Could not find /Info in trailer */\n END_OF_TRAILER(c, start, fp);\n\n while (SAFE_F(fp, (!isspace(c = fgetc(fp)) && (c != '>'))))\n ; /* Iterate to first white space /Info */\n\n /* No space between /Info and its data */\n END_OF_TRAILER(c, start, fp);\n\n while (SAFE_F(fp, (isspace(c = fgetc(fp)) && (c != '>'))))\n ; /* Iterate right on top of first non-whitespace /Info data */\n\n /* No data for /Info */\n END_OF_TRAILER(c, start, fp);\n\n /* Get obj id as number */\n buf_idx = 0;\n obj_id_buf[buf_idx++] = c;\n while ((buf_idx < (sizeof(obj_id_buf) - 1)) &&\n SAFE_F(fp, (!isspace(c = fgetc(fp)) && (c != '>'))))\n obj_id_buf[buf_idx++] = c;\n\n END_OF_TRAILER(c, start, fp);\n \n /* Get the object for the creator data. 
If linear, try both xrefs */ \n buf = get_object(fp, atoll(obj_id_buf), &pdf->xrefs[i], &sz, NULL);\n if (!buf && pdf->xrefs[i].is_linear && (i+1 < pdf->n_xrefs))\n buf = get_object(fp, atoll(obj_id_buf), &pdf->xrefs[i+1], &sz, NULL);\n\n load_creator_from_buf(fp, &pdf->xrefs[i], buf, sz);\n free(buf);\n }\n\n fseek(fp, start, SEEK_SET);\n}", "project": "pdfresurrect", "hash": 276905914089088440442465257228477733766, "size": 62, "commit_id": "7e35d1806e111fd28610ccc86bb33f54792ac370", "message": "Fix possible infinite loop case when looking for a trailer.\n\nThanks to chibataiki for reporting and isolating this!", "target": 0, "dataset": "other", "idx": 355596 }, { "func": "UnicodeStringTest::TestExtract()\n{\n UnicodeString test1(\"Now is the time for all good men to come to the aid of their country.\", \"\");\n UnicodeString test2;\n UChar test3[13] = {1, 2, 3, 4, 5, 6, 7, 8, 8, 10, 11, 12, 13};\n char test4[13] = {1, 2, 3, 4, 5, 6, 7, 8, 8, 10, 11, 12, 13};\n UnicodeString test5;\n char test6[13] = {1, 2, 3, 4, 5, 6, 7, 8, 8, 10, 11, 12, 13};\n\n test1.extract(11, 12, test2);\n test1.extract(11, 12, test3);\n if (test1.extract(11, 12, test4) != 12 || test4[12] != 0) {\n errln(\"UnicodeString.extract(char *) failed to return the correct size of destination buffer.\");\n }\n\n // test proper pinning in extractBetween()\n test1.extractBetween(-3, 7, test5);\n if(test5!=UNICODE_STRING(\"Now is \", 7)) {\n errln(\"UnicodeString.extractBetween(-3, 7) did not pin properly.\");\n }\n\n test1.extractBetween(11, 23, test5);\n if (test1.extract(60, 71, test6) != 9) {\n errln(\"UnicodeString.extract() failed to return the correct size of destination buffer for end of buffer.\");\n }\n if (test1.extract(11, 12, test6) != 12) {\n errln(\"UnicodeString.extract() failed to return the correct size of destination buffer.\");\n }\n\n // convert test4 back to Unicode for comparison\n UnicodeString test4b(test4, 12);\n\n if (test1.extract(11, 12, (char *)NULL) != 12) {\n 
errln(\"UnicodeString.extract(NULL) failed to return the correct size of destination buffer.\");\n }\n if (test1.extract(11, -1, test6) != 0) {\n errln(\"UnicodeString.extract(-1) failed to stop reading the string.\");\n }\n\n for (int32_t i = 0; i < 12; i++) {\n if (test1.charAt((int32_t)(11 + i)) != test2.charAt(i)) {\n errln(UnicodeString(\"extracting into a UnicodeString failed at position \") + i);\n break;\n }\n if (test1.charAt((int32_t)(11 + i)) != test3[i]) {\n errln(UnicodeString(\"extracting into an array of UChar failed at position \") + i);\n break;\n }\n if (((char)test1.charAt((int32_t)(11 + i))) != test4b.charAt(i)) {\n errln(UnicodeString(\"extracting into an array of char failed at position \") + i);\n break;\n }\n if (test1.charAt((int32_t)(11 + i)) != test5.charAt(i)) {\n errln(UnicodeString(\"extracting with extractBetween failed at position \") + i);\n break;\n }\n }\n\n // test preflighting and overflows with invariant conversion\n if (test1.extract(0, 10, (char *)NULL, \"\") != 10) {\n errln(\"UnicodeString.extract(0, 10, (char *)NULL, \\\"\\\") != 10\");\n }\n\n test4[2] = (char)0xff;\n if (test1.extract(0, 10, test4, 2, \"\") != 10) {\n errln(\"UnicodeString.extract(0, 10, test4, 2, \\\"\\\") != 10\");\n }\n if (test4[2] != (char)0xff) {\n errln(\"UnicodeString.extract(0, 10, test4, 2, \\\"\\\") overwrote test4[2]\");\n }\n\n {\n // test new, NUL-terminating extract() function\n UnicodeString s(\"terminate\", \"\");\n UChar dest[20]={\n 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5,\n 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5\n };\n UErrorCode errorCode;\n int32_t length;\n\n errorCode=U_ZERO_ERROR;\n length=s.extract((UChar *)NULL, 0, errorCode);\n if(errorCode!=U_BUFFER_OVERFLOW_ERROR || length!=s.length()) {\n errln(\"UnicodeString.extract(NULL, 0)==%d (%s) expected %d (U_BUFFER_OVERFLOW_ERROR)\", length, s.length(), u_errorName(errorCode));\n }\n\n errorCode=U_ZERO_ERROR;\n length=s.extract(dest, 
s.length()-1, errorCode);\n if(errorCode!=U_BUFFER_OVERFLOW_ERROR || length!=s.length()) {\n errln(\"UnicodeString.extract(dest too short)==%d (%s) expected %d (U_BUFFER_OVERFLOW_ERROR)\",\n length, u_errorName(errorCode), s.length());\n }\n\n errorCode=U_ZERO_ERROR;\n length=s.extract(dest, s.length(), errorCode);\n if(errorCode!=U_STRING_NOT_TERMINATED_WARNING || length!=s.length()) {\n errln(\"UnicodeString.extract(dest just right without NUL)==%d (%s) expected %d (U_STRING_NOT_TERMINATED_WARNING)\",\n length, u_errorName(errorCode), s.length());\n }\n if(dest[length-1]!=s[length-1] || dest[length]!=0xa5) {\n errln(\"UnicodeString.extract(dest just right without NUL) did not extract the string correctly\");\n }\n\n errorCode=U_ZERO_ERROR;\n length=s.extract(dest, s.length()+1, errorCode);\n if(errorCode!=U_ZERO_ERROR || length!=s.length()) {\n errln(\"UnicodeString.extract(dest large enough)==%d (%s) expected %d (U_ZERO_ERROR)\",\n length, u_errorName(errorCode), s.length());\n }\n if(dest[length-1]!=s[length-1] || dest[length]!=0 || dest[length+1]!=0xa5) {\n errln(\"UnicodeString.extract(dest large enough) did not extract the string correctly\");\n }\n }\n\n {\n // test new UConverter extract() and constructor\n UnicodeString s=UNICODE_STRING(\"\\\\U0002f999\\\\U0001d15f\\\\u00c4\\\\u1ed0\", 32).unescape();\n char buffer[32];\n static const char expect[]={\n (char)0xf0, (char)0xaf, (char)0xa6, (char)0x99,\n (char)0xf0, (char)0x9d, (char)0x85, (char)0x9f,\n (char)0xc3, (char)0x84,\n (char)0xe1, (char)0xbb, (char)0x90\n };\n UErrorCode errorCode=U_ZERO_ERROR;\n UConverter *cnv=ucnv_open(\"UTF-8\", &errorCode);\n int32_t length;\n\n if(U_SUCCESS(errorCode)) {\n // test preflighting\n if( (length=s.extract(NULL, 0, cnv, errorCode))!=13 ||\n errorCode!=U_BUFFER_OVERFLOW_ERROR\n ) {\n errln(\"UnicodeString::extract(NULL, UConverter) preflighting failed (length=%ld, %s)\",\n length, u_errorName(errorCode));\n }\n errorCode=U_ZERO_ERROR;\n if( (length=s.extract(buffer, 
2, cnv, errorCode))!=13 ||\n errorCode!=U_BUFFER_OVERFLOW_ERROR\n ) {\n errln(\"UnicodeString::extract(too small, UConverter) preflighting failed (length=%ld, %s)\",\n length, u_errorName(errorCode));\n }\n\n // try error cases\n errorCode=U_ZERO_ERROR;\n if( s.extract(NULL, 2, cnv, errorCode)==13 || U_SUCCESS(errorCode)) {\n errln(\"UnicodeString::extract(UConverter) succeeded with an illegal destination\");\n }\n errorCode=U_ILLEGAL_ARGUMENT_ERROR;\n if( s.extract(NULL, 0, cnv, errorCode)==13 || U_SUCCESS(errorCode)) {\n errln(\"UnicodeString::extract(UConverter) succeeded with a previous error code\");\n }\n errorCode=U_ZERO_ERROR;\n\n // extract for real\n if( (length=s.extract(buffer, sizeof(buffer), cnv, errorCode))!=13 ||\n uprv_memcmp(buffer, expect, 13)!=0 ||\n buffer[13]!=0 ||\n U_FAILURE(errorCode)\n ) {\n errln(\"UnicodeString::extract(UConverter) conversion failed (length=%ld, %s)\",\n length, u_errorName(errorCode));\n }\n // Test again with just the converter name.\n if( (length=s.extract(0, s.length(), buffer, sizeof(buffer), \"UTF-8\"))!=13 ||\n uprv_memcmp(buffer, expect, 13)!=0 ||\n buffer[13]!=0 ||\n U_FAILURE(errorCode)\n ) {\n errln(\"UnicodeString::extract(\\\"UTF-8\\\") conversion failed (length=%ld, %s)\",\n length, u_errorName(errorCode));\n }\n\n // try the constructor\n UnicodeString t(expect, sizeof(expect), cnv, errorCode);\n if(U_FAILURE(errorCode) || s!=t) {\n errln(\"UnicodeString(UConverter) conversion failed (%s)\",\n u_errorName(errorCode));\n }\n\n ucnv_close(cnv);\n }\n }\n}", "project": "icu", "hash": 320198067062485131505080990524431599341, "size": 186, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430802 }, { "func": "static void calc_group_buffer(JOIN *join, ORDER *group)\n{\n if (group)\n join->group= 1;\n calc_group_buffer(&join->tmp_table_param, group);\n}", "target": 0, "cwe": [], "project": "server", 
"commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 89665423698996090822109529832214387338, "size": 6, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508460 }, { "func": "void calc_group_buffer(TMP_TABLE_PARAM *param, ORDER *group)\n{\n uint key_length=0, parts=0, null_parts=0;\n\n for (; group ; group=group->next)\n {\n Item *group_item= *group->item;\n Field *field= group_item->get_tmp_table_field();\n if (field)\n {\n enum_field_types type;\n if ((type= field->type()) == MYSQL_TYPE_BLOB)\n\tkey_length+=MAX_BLOB_WIDTH;\t\t// Can't be used as a key\n else if (type == MYSQL_TYPE_VARCHAR || type == MYSQL_TYPE_VAR_STRING)\n key_length+= field->field_length + HA_KEY_BLOB_LENGTH;\n else if (type == MYSQL_TYPE_BIT)\n {\n /* Bit is usually stored as a longlong key for group fields */\n key_length+= 8; // Big enough\n }\n else\n\tkey_length+= field->pack_length();\n }\n else\n { \n switch (group_item->cmp_type()) {\n case REAL_RESULT:\n key_length+= sizeof(double);\n break;\n case INT_RESULT:\n key_length+= sizeof(longlong);\n break;\n case DECIMAL_RESULT:\n key_length+= 
my_decimal_get_binary_size(group_item->max_length - \n (group_item->decimals ? 1 : 0),\n group_item->decimals);\n break;\n case TIME_RESULT:\n {\n /*\n As items represented as DATE/TIME fields in the group buffer\n have STRING_RESULT result type, we increase the length \n by 8 as maximum pack length of such fields.\n */\n key_length+= 8;\n break;\n }\n case STRING_RESULT:\n {\n enum enum_field_types type= group_item->field_type();\n if (type == MYSQL_TYPE_BLOB)\n key_length+= MAX_BLOB_WIDTH;\t\t// Can't be used as a key\n else\n {\n /*\n Group strings are taken as varstrings and require an length field.\n A field is not yet created by create_tmp_field()\n and the sizes should match up.\n */\n key_length+= group_item->max_length + HA_KEY_BLOB_LENGTH;\n }\n break;\n }\n default:\n /* This case should never be choosen */\n DBUG_ASSERT(0);\n my_error(ER_OUT_OF_RESOURCES, MYF(ME_FATALERROR));\n }\n }\n parts++;\n if (group_item->maybe_null)\n null_parts++;\n }\n param->group_length= key_length + null_parts;\n param->group_parts= parts;\n param->group_null_parts= null_parts;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 149229687667020165920035331972191512605, "size": 77, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508659 }, { "func": "void rec_dont(struct Curl_easy *data, int option)\n{\n struct TELNET *tn = data->req.p.telnet;\n switch(tn->us[option]) {\n case CURL_NO:\n /* Already disabled */\n break;\n\n case CURL_YES:\n tn->us[option] = CURL_NO;\n send_negotiation(data, CURL_WONT, option);\n break;\n\n case CURL_WANTNO:\n switch(tn->usq[option]) {\n case CURL_EMPTY:\n tn->us[option] = CURL_NO;\n break;\n\n case CURL_OPPOSITE:\n tn->us[option] = CURL_WANTYES;\n tn->usq[option] = CURL_EMPTY;\n send_negotiation(data, CURL_WILL, option);\n break;\n }\n break;\n\n case CURL_WANTYES:\n switch(tn->usq[option]) {\n case CURL_EMPTY:\n tn->us[option] = CURL_NO;\n break;\n case CURL_OPPOSITE:\n tn->us[option] = CURL_NO;\n tn->usq[option] = CURL_EMPTY;\n break;\n }\n break;\n }\n}", "project": "curl", "hash": 86118449358437253198817550366400571386, "size": 40, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 0, "dataset": "other", "idx": 481499 }, { "func": "int pipeline_d(blosc2_context* context, const int32_t bsize, uint8_t* dest,\n const int32_t offset, uint8_t* src, uint8_t* tmp,\n uint8_t* tmp2, int last_filter_index) {\n int32_t typesize = context->typesize;\n uint8_t* filters = context->filters;\n uint8_t* filters_meta = context->filters_meta;\n uint8_t* _src = src;\n uint8_t* _dest = tmp;\n uint8_t* _tmp = tmp2;\n int errcode = 0;\n\n for (int i = BLOSC2_MAX_FILTERS - 1; i >= 0; i--) {\n // Delta filter requires the whole chunk ready\n int last_copy_filter = (last_filter_index == i) || (next_filter(filters, i, 'd') == BLOSC_DELTA);\n if (last_copy_filter) {\n _dest = dest + offset;\n }\n switch (filters[i]) {\n 
case BLOSC_SHUFFLE:\n for (int j = 0; j <= filters_meta[i]; j++) {\n unshuffle(typesize, bsize, _src, _dest);\n // Cycle filters when required\n if (j < filters_meta[i]) {\n _src = _dest;\n _dest = _tmp;\n _tmp = _src;\n }\n // Check whether we have to copy the intermediate _dest buffer to final destination\n if (last_copy_filter && (filters_meta[i] % 2) == 1 && j == filters_meta[i]) {\n memcpy(dest + offset, _dest, (unsigned int)bsize);\n }\n }\n break;\n case BLOSC_BITSHUFFLE:\n bitunshuffle(typesize, bsize, _src, _dest, _tmp, context->src[0]);\n break;\n case BLOSC_DELTA:\n if (context->nthreads == 1) {\n /* Serial mode */\n delta_decoder(dest, offset, bsize, typesize, _dest);\n } else {\n /* Force the thread in charge of the block 0 to go first */\n pthread_mutex_lock(&context->delta_mutex);\n if (context->dref_not_init) {\n if (offset != 0) {\n pthread_cond_wait(&context->delta_cv, &context->delta_mutex);\n } else {\n delta_decoder(dest, offset, bsize, typesize, _dest);\n context->dref_not_init = 0;\n pthread_cond_broadcast(&context->delta_cv);\n }\n }\n pthread_mutex_unlock(&context->delta_mutex);\n if (offset != 0) {\n delta_decoder(dest, offset, bsize, typesize, _dest);\n }\n }\n break;\n case BLOSC_TRUNC_PREC:\n // TRUNC_PREC filter does not need to be undone\n break;\n default:\n if (filters[i] != BLOSC_NOFILTER) {\n fprintf(stderr, \"Filter %d not handled during decompression\\n\",\n filters[i]);\n errcode = -1;\n }\n }\n if (last_filter_index == i) {\n return errcode;\n }\n // Cycle buffers when required\n if ((filters[i] != BLOSC_NOFILTER) && (filters[i] != BLOSC_TRUNC_PREC)) {\n _src = _dest;\n _dest = _tmp;\n _tmp = _src;\n }\n }\n\n return errcode;\n}", "project": "c-blosc2", "hash": 133776624211031932451082203182654230962, "size": 81, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303066 }, { "func": 
"struct page *kvm_vcpu_gfn_to_page(struct kvm_vcpu *vcpu, gfn_t gfn)\n{\n\tkvm_pfn_t pfn;\n\n\tpfn = kvm_vcpu_gfn_to_pfn(vcpu, gfn);\n\n\treturn kvm_pfn_to_page(pfn);\n}", "project": "linux", "hash": 254449893337549480877543332295756343700, "size": 8, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354515 }, { "func": "struct page *gfn_to_page(struct kvm *kvm, gfn_t gfn)\n{\n\tkvm_pfn_t pfn;\n\n\tpfn = gfn_to_pfn(kvm, gfn);\n\n\treturn kvm_pfn_to_page(pfn);\n}", "project": "linux", "hash": 31974712814445181157718427274338882113, "size": 8, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354647 }, { "func": "static int 
nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,\n\t\tstruct page *page, unsigned int len, struct iattr *sattr)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tstruct nfs4_label l, *label = NULL;\n\tint err;\n\n\tlabel = nfs4_label_init_security(dir, dentry, sattr, &l);\n\n\tdo {\n\t\terr = _nfs4_proc_symlink(dir, dentry, page, len, sattr, label);\n\t\ttrace_nfs4_symlink(dir, &dentry->d_name, err);\n\t\terr = nfs4_handle_exception(NFS_SERVER(dir), err,\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\n\tnfs4_label_release_security(label);\n\treturn err;\n}", "project": "linux", "hash": 94983737574081602910487832925579117038, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431338 }, { "func": "int RGWSwiftWebsiteHandler::retarget_bucket(RGWOp* op, RGWOp** new_op)\n{\n ldout(s->cct, 10) << \"Starting retarget\" << dendl;\n RGWOp* op_override = nullptr;\n\n /* In Swift static web content is served if the request is anonymous or\n * has X-Web-Mode HTTP header specified to true. */\n if (can_be_website_req()) {\n const auto& ws_conf = s->bucket_info.website_conf;\n const auto& index = s->bucket_info.website_conf.get_index_doc();\n\n if (s->decoded_uri.back() != '/') {\n op_override = get_ws_redirect_op();\n } else if (! 
index.empty() && is_index_present(index)) {\n op_override = get_ws_index_op();\n } else if (ws_conf.listing_enabled) {\n op_override = get_ws_listing_op();\n }\n }\n\n if (op_override) {\n handler->put_op(op);\n op_override->init(store, s, handler);\n\n *new_op = op_override;\n } else {\n *new_op = op;\n }\n\n /* Return 404 Not Found is the request has web mode enforced but we static web\n * wasn't able to serve it accordingly. */\n return ! op_override && is_web_mode() ? -ENOENT : 0;\n}", "project": "ceph", "hash": 194075214191777108531765056994009732798, "size": 33, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448770 }, { "func": "wStream* cliprdr_packet_format_list_new(const CLIPRDR_FORMAT_LIST* formatList,\n BOOL useLongFormatNames)\n{\n\twStream* s;\n\tUINT32 index;\n\tint cchWideChar;\n\tLPWSTR lpWideCharStr;\n\tint formatNameSize;\n\tchar* szFormatName;\n\tWCHAR* wszFormatName;\n\tBOOL asciiNames = FALSE;\n\tCLIPRDR_FORMAT* format;\n\n\tif (formatList->msgType != CB_FORMAT_LIST)\n\t\tWLog_WARN(TAG, \"[%s] called with invalid type %08\" PRIx32, __FUNCTION__,\n\t\t formatList->msgType);\n\n\tif (!useLongFormatNames)\n\t{\n\t\tUINT32 length = formatList->numFormats * 36;\n\t\ts = cliprdr_packet_new(CB_FORMAT_LIST, 0, length);\n\n\t\tif (!s)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"cliprdr_packet_new failed!\");\n\t\t\treturn NULL;\n\t\t}\n\n\t\tfor (index = 0; index < formatList->numFormats; index++)\n\t\t{\n\t\t\tsize_t formatNameLength = 0;\n\t\t\tformat = (CLIPRDR_FORMAT*)&(formatList->formats[index]);\n\t\t\tStream_Write_UINT32(s, format->formatId); /* formatId (4 bytes) */\n\t\t\tformatNameSize = 
0;\n\n\t\t\tszFormatName = format->formatName;\n\n\t\t\tif (asciiNames)\n\t\t\t{\n\t\t\t\tif (szFormatName)\n\t\t\t\t\tformatNameLength = strnlen(szFormatName, 32);\n\n\t\t\t\tif (formatNameLength > 31)\n\t\t\t\t\tformatNameLength = 31;\n\n\t\t\t\tStream_Write(s, szFormatName, formatNameLength);\n\t\t\t\tStream_Zero(s, 32 - formatNameLength);\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\twszFormatName = NULL;\n\n\t\t\t\tif (szFormatName)\n\t\t\t\t\tformatNameSize =\n\t\t\t\t\t ConvertToUnicode(CP_UTF8, 0, szFormatName, -1, &wszFormatName, 0);\n\n\t\t\t\tif (formatNameSize < 0)\n\t\t\t\t\treturn NULL;\n\n\t\t\t\tif (formatNameSize > 15)\n\t\t\t\t\tformatNameSize = 15;\n\n\t\t\t\t/* size in bytes instead of wchar */\n\t\t\t\tformatNameSize *= 2;\n\n\t\t\t\tif (wszFormatName)\n\t\t\t\t\tStream_Write(s, wszFormatName, (size_t)formatNameSize);\n\n\t\t\t\tStream_Zero(s, (size_t)(32 - formatNameSize));\n\t\t\t\tfree(wszFormatName);\n\t\t\t}\n\t\t}\n\t}\n\telse\n\t{\n\t\tUINT32 length = 0;\n\t\tfor (index = 0; index < formatList->numFormats; index++)\n\t\t{\n\t\t\tformat = (CLIPRDR_FORMAT*)&(formatList->formats[index]);\n\t\t\tlength += 4;\n\t\t\tformatNameSize = 2;\n\n\t\t\tif (format->formatName)\n\t\t\t\tformatNameSize =\n\t\t\t\t MultiByteToWideChar(CP_UTF8, 0, format->formatName, -1, NULL, 0) * 2;\n\n\t\t\tif (formatNameSize < 0)\n\t\t\t\treturn NULL;\n\n\t\t\tlength += (UINT32)formatNameSize;\n\t\t}\n\n\t\ts = cliprdr_packet_new(CB_FORMAT_LIST, 0, length);\n\n\t\tif (!s)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"cliprdr_packet_new failed!\");\n\t\t\treturn NULL;\n\t\t}\n\n\t\tfor (index = 0; index < formatList->numFormats; index++)\n\t\t{\n\t\t\tformat = (CLIPRDR_FORMAT*)&(formatList->formats[index]);\n\t\t\tStream_Write_UINT32(s, format->formatId); /* formatId (4 bytes) */\n\n\t\t\tif (format->formatName)\n\t\t\t{\n\t\t\t\tconst size_t cap = Stream_Capacity(s);\n\t\t\t\tconst size_t pos = Stream_GetPosition(s);\n\t\t\t\tconst size_t rem = cap - pos;\n\t\t\t\tif ((cap < pos) || ((rem / 
2) > INT_MAX))\n\t\t\t\t\treturn NULL;\n\n\t\t\t\tlpWideCharStr = (LPWSTR)Stream_Pointer(s);\n\t\t\t\tcchWideChar = (int)(rem / 2);\n\t\t\t\tformatNameSize = MultiByteToWideChar(CP_UTF8, 0, format->formatName, -1,\n\t\t\t\t lpWideCharStr, cchWideChar) *\n\t\t\t\t 2;\n\t\t\t\tif (formatNameSize < 0)\n\t\t\t\t\treturn NULL;\n\t\t\t\tStream_Seek(s, (size_t)formatNameSize);\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tStream_Write_UINT16(s, 0);\n\t\t\t}\n\t\t}\n\t}\n\n\treturn s;\n}", "project": "FreeRDP", "hash": 175329036157774194714868056953144802401, "size": 131, "commit_id": "b73143cf7ee5fe4cdabcbf56908aa15d8a883821", "message": "Fixed oob read in cliprdr_read_format_list", "target": 0, "dataset": "other", "idx": 388321 }, { "func": "void Profiler::beginFrameEx(const char* /*symbol*/) {}", "project": "hhvm", "hash": 315743431892683349551349170953292982047, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219409 }, { "func": " void beginFrameEx(const char* /*symbol*/) override { sample_check(); }", "project": "hhvm", "hash": 223210270659427380911717107063953235145, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219823 }, { "func": "static void news2mail(message_data_t *msg)\n{\n struct buf attrib = BUF_INITIALIZER;\n int n, r;\n FILE *sm;\n static strarray_t smbuf = STRARRAY_INITIALIZER;\n static int smbuf_basic_count;\n int sm_stat;\n pid_t sm_pid;\n char buf[4096], to[1024] = \"\";\n\n if (!smbuf.count) {\n\tstrarray_append(&smbuf, \"sendmail\");\n\tstrarray_append(&smbuf, \"-i\");\t\t/* ignore dots */\n\tstrarray_append(&smbuf, \"-f\");\n\tstrarray_append(&smbuf, \"<>\");\n\tstrarray_append(&smbuf, \"--\");\n\tsmbuf_basic_count = smbuf.count;\n }\n\n for (n = 0; n < msg->rcpt.count 
; n++) {\n\t/* see if we want to send this to a mailing list */\n\tbuf_free(&attrib);\n\tr = annotatemore_lookup(msg->rcpt.data[n],\n\t\t\t\t\"/vendor/cmu/cyrus-imapd/news2mail\", \"\",\n\t\t\t\t&attrib);\n\tif (r) continue;\n\n\t/* add the email address to our argv[] and to our To: header */\n\tif (attrib.s) {\n\t strarray_append(&smbuf, buf_cstring(&attrib));\n\n\t if (to[0]) strlcat(to, \", \", sizeof(to));\n\t strlcat(to, buf_cstring(&attrib), sizeof(to));\n\t}\n }\n buf_free(&attrib);\n\n /* send the message */\n if (smbuf.count > smbuf_basic_count) {\n\tsm_pid = open_sendmail((const char **)smbuf.data, &sm);\n\n\tif (!sm)\n\t syslog(LOG_ERR, \"news2mail: could not spawn sendmail process\");\n\telse {\n\t int body = 0, skip, found_to = 0;\n\n\t rewind(msg->f);\n\n\t while (fgets(buf, sizeof(buf), msg->f)) {\n\t\tif (!body && buf[0] == '\\r' && buf[1] == '\\n') {\n\t\t /* blank line between header and body */\n\t\t body = 1;\n\n\t\t /* insert a To: header if the message doesn't have one */\n\t\t if (!found_to) fprintf(sm, \"To: %s\\r\\n\", to);\n\t\t}\n\n\t\tskip = 0;\n\t\tif (!body) {\n\t\t /* munge various news-specific headers */\n\t\t if (!strncasecmp(buf, \"Newsgroups:\", 11)) {\n\t\t\t/* rename Newsgroups: to X-Newsgroups: */\n\t\t\tfprintf(sm, \"X-\");\n\t\t } else if (!strncasecmp(buf, \"Xref:\", 5) ||\n\t\t\t !strncasecmp(buf, \"Path:\", 5) ||\n\t\t\t !strncasecmp(buf, \"NNTP-Posting-\", 13)) {\n\t\t\t/* skip these (for now) */\n\t\t\tskip = 1;\n\t\t } else if (!strncasecmp(buf, \"To:\", 3)) {\n\t\t\t/* insert our mailing list RCPTs first, and then\n\t\t\t fold the header to accomodate the original RCPTs */\n\t\t\tfprintf(sm, \"To: %s,\\r\\n\", to);\n\t\t\t/* overwrite the original \"To:\" with spaces */\n\t\t\tmemset(buf, ' ', 3);\n\t\t\tfound_to = 1;\n\t\t } else if (!strncasecmp(buf, \"Reply-To:\", 9)) {\n\t\t\t/* strip any post addresses, skip if becomes empty */\n\t\t\tif (!strip_post_addresses(buf+9)) skip = 1;\n\t\t }\n\t\t}\n\n\t\tdo {\n\t\t if 
(!skip) fprintf(sm, \"%s\", buf);\n\t\t} while (buf[strlen(buf)-1] != '\\n' &&\n\t\t\t fgets(buf, sizeof(buf), msg->f));\n\t }\n\n\t /* Protect against messages not ending in CRLF */\n\t if (buf[strlen(buf)-1] != '\\n') fprintf(sm, \"\\r\\n\");\n\n\t fclose(sm);\n\t while (waitpid(sm_pid, &sm_stat, 0) < 0);\n\n\t if (sm_stat) /* sendmail exit value */\n\t\tsyslog(LOG_ERR, \"news2mail failed: %s\",\n\t\t sendmail_errstr(sm_stat));\n\t}\n\n\t/* free the RCPTs */\n\tstrarray_truncate(&smbuf, smbuf_basic_count);\n }\n\n return;\n}", "project": "cyrus-imapd", "hash": 40249138752899595203853703547421986086, "size": 105, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451911 }, { "func": "static void SFDFixupBitmapRefs( BDFFont *bdf ) {\n BDFChar *bc, *rbc;\n BDFRefChar *head, *next, *prev;\n int i;\n\n for ( i=0; iglyphcnt; i++ ) if (( bc = bdf->glyphs[i] ) != NULL ) {\n\tprev = NULL;\n\tfor ( head = bc->refs; head != NULL; head = next ) {\n\t next = head->next;\n\t if (( rbc = bdf->glyphs[head->gid] ) != NULL ) {\n\t\thead->bdfc = rbc;\n\t\tBCMakeDependent( bc,rbc );\n\t\tprev = head;\n\t } else {\n\t\tLogError(_(\"Glyph %d in bitmap strike %d pixels refers to a missing glyph (%d)\"),\n\t\t bc->orig_pos, bdf->pixelsize, head->gid );\n\t\tif ( prev == NULL ) bc->refs = next;\n\t\telse prev->next = next;\n\t }\n\t}\n }\n\n}", "project": "fontforge", "hash": 339088949494878084519289667515522702289, "size": 23, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, 
"dataset": "other", "idx": 417900 }, { "func": "unsigned long gfn_to_hva_memslot_prot(struct kvm_memory_slot *slot,\n\t\t\t\t gfn_t gfn, bool *writable)\n{\n\tunsigned long hva = __gfn_to_hva_many(slot, gfn, NULL, false);\n\n\tif (!kvm_is_error_hva(hva) && writable)\n\t\t*writable = !memslot_is_readonly(slot);\n\n\treturn hva;\n}", "project": "linux", "hash": 19857510644384323223440460791572429782, "size": 10, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354563 }, { "func": "static void process_slab(struct loc_track *t, struct kmem_cache *s,\n\t\tstruct page *page, enum track_item alloc)\n{\n\tvoid *addr = page_address(page);\n\tvoid *p;\n\tunsigned long *map;\n\n\tmap = get_map(s, page);\n\tfor_each_object(p, s, addr, page->objects)\n\t\tif (!test_bit(slab_index(p, s, addr), map))\n\t\t\tadd_location(t, s, get_track(s, p, alloc));\n\tput_map(map);\n}", "project": "linux", "hash": 311474122918854662205843661581444046347, "size": 13, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and 
repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280092 }, { "func": "static void cmd_authinfo_pass(char *pass)\n{\n int failedloginpause;\n /* Conceal password in telemetry log */\n if (nntp_logfd != -1 && pass) {\n\t(void)ftruncate(nntp_logfd,\n\t\t lseek(nntp_logfd, -2, SEEK_CUR) - strlen(pass));\n\t(void)write(nntp_logfd, \"...\\r\\n\", 5);\n }\n\n if (nntp_authstate) {\n\tprot_printf(nntp_out, \"502 Already authenticated\\r\\n\");\n\treturn;\n }\n\n if (!nntp_userid) {\n\tprot_printf(nntp_out, \"482 Must give AUTHINFO USER command first\\r\\n\");\n\treturn;\n }\n\n if (!strcmp(nntp_userid, \"anonymous\")) {\n\tif (allowanonymous) {\n\t pass = beautify_string(pass);\n\t if (strlen(pass) > 500) pass[500] = '\\0';\n\t syslog(LOG_NOTICE, \"login: %s anonymous %s\",\n\t\t nntp_clienthost, pass);\n\t}\n\telse {\n\t syslog(LOG_NOTICE, \"badlogin: %s anonymous login refused\",\n\t\t nntp_clienthost);\n\t prot_printf(nntp_out, \"481 Invalid login\\r\\n\");\n\t return;\n\t}\n }\n else if (sasl_checkpass(nntp_saslconn,\n\t\t\t nntp_userid,\n\t\t\t strlen(nntp_userid),\n\t\t\t pass,\n\t\t\t strlen(pass))!=SASL_OK) { \n\tsyslog(LOG_NOTICE, \"badlogin: %s plaintext %s %s\",\n\t nntp_clienthost, nntp_userid, sasl_errdetail(nntp_saslconn));\n\tfailedloginpause = config_getint(IMAPOPT_FAILEDLOGINPAUSE);\n\tif (failedloginpause != 0) {\n\t sleep(failedloginpause);\n\t}\n\tprot_printf(nntp_out, \"481 Invalid login\\r\\n\");\n\tfree(nntp_userid);\n\tnntp_userid = 0;\n\n\treturn;\n }\n else {\n\tsyslog(LOG_NOTICE, \"login: %s %s plaintext%s %s\", nntp_clienthost,\n\t nntp_userid, 
nntp_starttls_done ? \"+TLS\" : \"\",\n\t \"User logged in\");\n\n\tprot_printf(nntp_out, \"281 User logged in\\r\\n\");\n\n\tnntp_authstate = auth_newstate(nntp_userid);\n\n\t/* Close IP-based telemetry log and create new log based on userid */\n\tif (nntp_logfd != -1) close(nntp_logfd);\n\tnntp_logfd = telemetry_log(nntp_userid, nntp_in, nntp_out, 0);\n }\n}", "project": "cyrus-imapd", "hash": 121358298806733080505958254339970736922, "size": 65, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451900 }, { "func": "static void evdev_events(struct input_handle *handle,\n\t\t\t const struct input_value *vals, unsigned int count)\n{\n\tstruct evdev *evdev = handle->private;\n\tstruct evdev_client *client;\n\tktime_t time_mono, time_real;\n\n\ttime_mono = ktime_get();\n\ttime_real = ktime_sub(time_mono, ktime_get_monotonic_offset());\n\n\trcu_read_lock();\n\n\tclient = rcu_dereference(evdev->grab);\n\n\tif (client)\n\t\tevdev_pass_values(client, vals, count, time_mono, time_real);\n\telse\n\t\tlist_for_each_entry_rcu(client, &evdev->client_list, node)\n\t\t\tevdev_pass_values(client, vals, count,\n\t\t\t\t\t time_mono, time_real);\n\n\trcu_read_unlock();\n}", "project": "linux", "hash": 191733361644980227760516034416458873550, "size": 23, "commit_id": "483180281f0ac60d1138710eb21f4b9961901294", "message": "Input: evdev - flush queues during EVIOCGKEY-like ioctls\n\nIf userspace requests current KEY-state, they very likely assume that no\nsuch events are pending in the output queue of the evdev device.\nOtherwise, they will parse events which they already handled via\nEVIOCGKEY(). 
For XKB applications this can cause irreversible keyboard\nstates if a modifier is locked multiple times because a CTRL-DOWN event is\nhandled once via EVIOCGKEY() and once from the queue via read(), even\nthough it should handle it only once.\n\nTherefore, lets do the only logical thing and flush the evdev queue\natomically during this ioctl. We only flush events that are affected by\nthe given ioctl.\n\nThis only affects boolean events like KEY, SND, SW and LED. ABS, REL and\nothers are not affected as duplicate events can be handled gracefully by\nuser-space.\n\nNote: This actually breaks semantics of the evdev ABI. However,\ninvestigations showed that userspace already expects the new semantics and\nwe end up fixing at least all XKB applications.\nAll applications that are aware of this race-condition mirror the KEY\nstate for each open-file and detect/drop duplicate events. Hence, they do\nnot care whether duplicates are posted or not and work fine with this fix.\n\nAlso note that we need proper locking to guarantee atomicity and avoid\ndead-locks. event_lock must be locked before queue_lock (see input-core).\nHowever, we can safely release event_lock while flushing the queue. 
This\nallows the input-core to proceed with pending events and only stop if it\nneeds our queue_lock to post new events.\nThis should guarantee that we don't block event-dispatching for too long\nwhile flushing a single event queue.\n\nSigned-off-by: David Herrmann \nAcked-by: Peter Hutterer \nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 381732 }, { "func": "int imap_sync_message_for_copy(struct Mailbox *m, struct Email *e,\n struct Buffer *cmd, enum QuadOption *err_continue)\n{\n struct ImapAccountData *adata = imap_adata_get(m);\n if (!adata || (adata->mailbox != m))\n return -1;\n\n char flags[1024];\n char *tags = NULL;\n char uid[11];\n\n if (!compare_flags_for_copy(e))\n {\n if (e->deleted == imap_edata_get(e)->deleted)\n e->changed = false;\n return 0;\n }\n\n snprintf(uid, sizeof(uid), \"%u\", imap_edata_get(e)->uid);\n mutt_buffer_reset(cmd);\n mutt_buffer_addstr(cmd, \"UID STORE \");\n mutt_buffer_addstr(cmd, uid);\n\n flags[0] = '\\0';\n\n set_flag(m, MUTT_ACL_SEEN, e->read, \"\\\\Seen \", flags, sizeof(flags));\n set_flag(m, MUTT_ACL_WRITE, e->old, \"Old \", flags, sizeof(flags));\n set_flag(m, MUTT_ACL_WRITE, e->flagged, \"\\\\Flagged \", flags, sizeof(flags));\n set_flag(m, MUTT_ACL_WRITE, e->replied, \"\\\\Answered \", flags, sizeof(flags));\n set_flag(m, MUTT_ACL_DELETE, imap_edata_get(e)->deleted, \"\\\\Deleted \", flags,\n sizeof(flags));\n\n if (m->rights & MUTT_ACL_WRITE)\n {\n /* restore system flags */\n if (imap_edata_get(e)->flags_system)\n mutt_str_cat(flags, sizeof(flags), imap_edata_get(e)->flags_system);\n /* set custom flags */\n tags = driver_tags_get_with_hidden(&e->tags);\n if (tags)\n {\n mutt_str_cat(flags, sizeof(flags), tags);\n FREE(&tags);\n }\n }\n\n mutt_str_remove_trailing_ws(flags);\n\n /* UW-IMAP is OK with null flags, Cyrus isn't. 
The only solution is to\n * explicitly revoke all system flags (if we have permission) */\n if (*flags == '\\0')\n {\n set_flag(m, MUTT_ACL_SEEN, 1, \"\\\\Seen \", flags, sizeof(flags));\n set_flag(m, MUTT_ACL_WRITE, 1, \"Old \", flags, sizeof(flags));\n set_flag(m, MUTT_ACL_WRITE, 1, \"\\\\Flagged \", flags, sizeof(flags));\n set_flag(m, MUTT_ACL_WRITE, 1, \"\\\\Answered \", flags, sizeof(flags));\n set_flag(m, MUTT_ACL_DELETE, !imap_edata_get(e)->deleted, \"\\\\Deleted \",\n flags, sizeof(flags));\n\n /* erase custom flags */\n if ((m->rights & MUTT_ACL_WRITE) && imap_edata_get(e)->flags_remote)\n mutt_str_cat(flags, sizeof(flags), imap_edata_get(e)->flags_remote);\n\n mutt_str_remove_trailing_ws(flags);\n\n mutt_buffer_addstr(cmd, \" -FLAGS.SILENT (\");\n }\n else\n mutt_buffer_addstr(cmd, \" FLAGS.SILENT (\");\n\n mutt_buffer_addstr(cmd, flags);\n mutt_buffer_addstr(cmd, \")\");\n\n /* after all this it's still possible to have no flags, if you\n * have no ACL rights */\n if (*flags && (imap_exec(adata, cmd->data, IMAP_CMD_NO_FLAGS) != IMAP_EXEC_SUCCESS) &&\n err_continue && (*err_continue != MUTT_YES))\n {\n *err_continue = imap_continue(\"imap_sync_message: STORE failed\", adata->buf);\n if (*err_continue != MUTT_YES)\n return -1;\n }\n\n /* server have now the updated flags */\n FREE(&imap_edata_get(e)->flags_remote);\n imap_edata_get(e)->flags_remote = driver_tags_get_with_hidden(&e->tags);\n\n if (e->deleted == imap_edata_get(e)->deleted)\n e->changed = false;\n\n return 0;\n}", "project": "neomutt", "hash": 275678759338279878030897209385819009087, "size": 92, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357008 }, { "func": "void BPMDetect::inputSamples(const SAMPLETYPE *samples, int numSamples)\r\n{\r\n SAMPLETYPE decimated[DECIMATED_BLOCK_SIZE];\r\n\r\n // 
iterate so that max INPUT_BLOCK_SAMPLES processed per iteration\r\n while (numSamples > 0)\r\n {\r\n int block;\r\n int decSamples;\r\n\r\n block = (numSamples > INPUT_BLOCK_SIZE) ? INPUT_BLOCK_SIZE : numSamples;\r\n\r\n // decimate. note that converts to mono at the same time\r\n decSamples = decimate(decimated, samples, block);\r\n samples += block * channels;\r\n numSamples -= block;\r\n\r\n buffer->putSamples(decimated, decSamples);\r\n }\r\n\r\n // when the buffer has enough samples for processing...\r\n int req = max(windowLen + XCORR_UPDATE_SEQUENCE, 2 * XCORR_UPDATE_SEQUENCE);\r\n while ((int)buffer->numSamples() >= req) \r\n {\r\n // ... update autocorrelations...\r\n updateXCorr(XCORR_UPDATE_SEQUENCE);\r\n // ...update beat position calculation...\r\n updateBeatPos(XCORR_UPDATE_SEQUENCE / 2);\r\n // ... and remove proceessed samples from the buffer\r\n int n = XCORR_UPDATE_SEQUENCE / OVERLAP_FACTOR;\r\n buffer->receiveSamples(n);\r\n }\r\n}\r", "project": "soundtouch", "hash": 87111469138884629012526312494587393307, "size": 33, "commit_id": "a1c400eb2cff849c0e5f9d6916d69ffea3ad2c85", "message": "Fix issue CVE-2018-17096: Replace assert with runtime exception", "target": 0, "dataset": "other", "idx": 368099 }, { "func": "static bool is_event_blacklisted(u64 ev)\n{\n\tint i;\n\n\tfor (i=0; i < ppmu->n_blacklist_ev; i++) {\n\t\tif (ppmu->blacklist_ev[i] == ev)\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}", "project": "linux", "hash": 283532356532761427289604893623513436763, "size": 11, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n 
SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374694 }, { "func": "static void encode_op_map(struct xdr_stream *xdr, const struct nfs4_op_map *op_map)\n{\n\tunsigned int i;\n\tencode_uint32(xdr, NFS4_OP_MAP_NUM_WORDS);\n\tfor (i = 0; i < NFS4_OP_MAP_NUM_WORDS; i++)\n\t\tencode_uint32(xdr, op_map->u.words[i]);\n}", "project": "linux", "hash": 242794805652440934488625517088178052698, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 
0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431022 }, { "func": "static OPJ_BOOL opj_j2k_write_qcc(opj_j2k_t *p_j2k,\n OPJ_UINT32 p_comp_no,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager\n )\n{\n OPJ_UINT32 l_qcc_size, l_remaining_size;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n l_qcc_size = 5 + opj_j2k_get_SQcd_SQcc_size(p_j2k, p_j2k->m_current_tile_number,\n p_comp_no);\n l_qcc_size += p_j2k->m_private_image->numcomps <= 256 ? 0 : 1;\n l_remaining_size = l_qcc_size;\n\n if (l_qcc_size > p_j2k->m_specific_param.m_encoder.m_header_tile_data_size) {\n OPJ_BYTE *new_header_tile_data = (OPJ_BYTE *) opj_realloc(\n p_j2k->m_specific_param.m_encoder.m_header_tile_data, l_qcc_size);\n if (! new_header_tile_data) {\n opj_free(p_j2k->m_specific_param.m_encoder.m_header_tile_data);\n p_j2k->m_specific_param.m_encoder.m_header_tile_data = NULL;\n p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = 0;\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to write QCC marker\\n\");\n return OPJ_FALSE;\n }\n p_j2k->m_specific_param.m_encoder.m_header_tile_data = new_header_tile_data;\n p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = l_qcc_size;\n }\n\n opj_j2k_write_qcc_in_memory(p_j2k, p_comp_no,\n p_j2k->m_specific_param.m_encoder.m_header_tile_data, &l_remaining_size,\n p_manager);\n\n if (opj_stream_write_data(p_stream,\n p_j2k->m_specific_param.m_encoder.m_header_tile_data, l_qcc_size,\n p_manager) != l_qcc_size) {\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 151465827610670827792152385080302057777, "size": 44, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357319 }, { "func": "static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct 
sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\tstruct hci_cp_le_set_default_phy *cp;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\thdev->le_tx_def_phys = cp->tx_phys;\n\thdev->le_rx_def_phys = cp->rx_phys;\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 112472461828499293876613315212305312602, "size": 21, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431901 }, { "func": "static int io_write(struct io_kiocb *req, bool force_nonblock,\n\t\t struct io_comp_state *cs)\n{\n\tstruct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;\n\tstruct kiocb *kiocb = &req->rw.kiocb;\n\tstruct iov_iter iter;\n\tsize_t iov_count;\n\tssize_t ret, ret2, io_size;\n\tunsigned long nr_segs;\n\n\tret = io_import_iovec(WRITE, req, &iovec, &iter, !force_nonblock);\n\tif (ret < 0)\n\t\treturn ret;\n\tio_size = ret;\n\treq->result = io_size;\n\n\t/* Ensure we clear previously set non-block flag */\n\tif (!force_nonblock)\n\t\treq->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;\n\n\t/* If the file doesn't support async, just async punt */\n\tif (force_nonblock && !io_file_supports_async(req->file, WRITE))\n\t\tgoto copy_iov;\n\n\t/* file path doesn't support NOWAIT for non-direct_IO */\n\tif (force_nonblock && 
!(kiocb->ki_flags & IOCB_DIRECT) &&\n\t (req->flags & REQ_F_ISREG))\n\t\tgoto copy_iov;\n\n\tiov_count = iov_iter_count(&iter);\n\tnr_segs = iter.nr_segs;\n\tret = rw_verify_area(WRITE, req->file, &kiocb->ki_pos, iov_count);\n\tif (unlikely(ret))\n\t\tgoto out_free;\n\n\t/*\n\t * Open-code file_start_write here to grab freeze protection,\n\t * which will be released by another thread in\n\t * io_complete_rw(). Fool lockdep by telling it the lock got\n\t * released so that it doesn't complain about the held lock when\n\t * we return to userspace.\n\t */\n\tif (req->flags & REQ_F_ISREG) {\n\t\t__sb_start_write(file_inode(req->file)->i_sb,\n\t\t\t\t\tSB_FREEZE_WRITE, true);\n\t\t__sb_writers_release(file_inode(req->file)->i_sb,\n\t\t\t\t\tSB_FREEZE_WRITE);\n\t}\n\tkiocb->ki_flags |= IOCB_WRITE;\n\n\tif (req->file->f_op->write_iter)\n\t\tret2 = call_write_iter(req->file, kiocb, &iter);\n\telse if (req->file->f_op->write)\n\t\tret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter);\n\telse\n\t\tret2 = -EINVAL;\n\n\t/*\n\t * Raw bdev writes will return -EOPNOTSUPP for IOCB_NOWAIT. 
Just\n\t * retry them without IOCB_NOWAIT.\n\t */\n\tif (ret2 == -EOPNOTSUPP && (kiocb->ki_flags & IOCB_NOWAIT))\n\t\tret2 = -EAGAIN;\n\tif (!force_nonblock || ret2 != -EAGAIN) {\n\t\tkiocb_done(kiocb, ret2, cs);\n\t} else {\n\t\titer.count = iov_count;\n\t\titer.nr_segs = nr_segs;\ncopy_iov:\n\t\tret = io_setup_async_rw(req, io_size, iovec, inline_vecs,\n\t\t\t\t\t&iter);\n\t\tif (ret)\n\t\t\tgoto out_free;\n\t\t/* it's copied and will be cleaned with ->io */\n\t\tiovec = NULL;\n\t\treturn -EAGAIN;\n\t}\nout_free:\n\tif (iovec)\n\t\tkfree(iovec);\n\treturn ret;\n}", "project": "linux", "hash": 170593925532555616035698533225461368482, "size": 82, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456932 }, { "func": "static int rdmsr_interception(struct vcpu_svm *svm)\n{\n\treturn kvm_emulate_rdmsr(&svm->vcpu);\n}", "project": "linux", "hash": 240468354855876745393100419793155135709, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432547 }, { "func": "static int rdmsr_interception(struct vcpu_svm *svm)\n{\n\tu32 ecx = svm->vcpu.arch.regs[VCPU_REGS_RCX];\n\tu64 data;\n\n\tif (svm_get_msr(&svm->vcpu, ecx, &data)) {\n\t\ttrace_kvm_msr_read_ex(ecx);\n\t\tkvm_inject_gp(&svm->vcpu, 0);\n\t} else {\n\t\ttrace_kvm_msr_read(ecx, data);\n\n\t\tsvm->vcpu.arch.regs[VCPU_REGS_RAX] = data & 0xffffffff;\n\t\tsvm->vcpu.arch.regs[VCPU_REGS_RDX] = data >> 32;\n\t\tsvm->next_rip = kvm_rip_read(&svm->vcpu) + 2;\n\t\tskip_emulated_instruction(&svm->vcpu);\n\t}\n\treturn 1;\n}", "project": "kvm", "hash": 61801428657173878755785215164035880033, "size": 18, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437615 }, { "func": "void UntrustedCacheMalloc::PushToFreeList(void *buffer) {\n free_list_->buffers.get()[free_list_->count] = buffer;\n free_list_->count++;\n\n if (free_list_->count == kFreeListCapacity) {\n primitives::DeAllocateUntrustedBuffers(free_list_->buffers.get(),\n kFreeListCapacity);\n free_list_->count = 0;\n }\n}", "project": "asylo", "hash": 79612179185597693614760805935059586651, "size": 10, "commit_id": "a47ef55db2337d29de19c50cd29b0deb2871d31c", "message": "Fix vulnerability in UntrustedCacheMalloc\n\nThe pointer array is stored in untrusted memory, so we cannot trust the\nvalue even after validation. 
We should validate the pointer is pointing\nto untrusted memory after it's stored inside the enclave.\n\nPiperOrigin-RevId: 358474391\nChange-Id: I63cf6c251bdaf1b491dbf06cc0dcf77f7b141756", "target": 0, "dataset": "other", "idx": 264755 }, { "func": "void trace_default_header(struct seq_file *m)\n{\n\tstruct trace_iterator *iter = m->private;\n\tstruct trace_array *tr = iter->tr;\n\tunsigned long trace_flags = tr->trace_flags;\n\n\tif (!(trace_flags & TRACE_ITER_CONTEXT_INFO))\n\t\treturn;\n\n\tif (iter->iter_flags & TRACE_FILE_LAT_FMT) {\n\t\t/* print nothing if the buffers are empty */\n\t\tif (trace_empty(iter))\n\t\t\treturn;\n\t\tprint_trace_header(m, iter);\n\t\tif (!(trace_flags & TRACE_ITER_VERBOSE))\n\t\t\tprint_lat_help_header(m);\n\t} else {\n\t\tif (!(trace_flags & TRACE_ITER_VERBOSE)) {\n\t\t\tif (trace_flags & TRACE_ITER_IRQ_INFO)\n\t\t\t\tprint_func_help_header_irq(iter->trace_buffer,\n\t\t\t\t\t\t\t m, trace_flags);\n\t\t\telse\n\t\t\t\tprint_func_help_header(iter->trace_buffer, m,\n\t\t\t\t\t\t trace_flags);\n\t\t}\n\t}\n}", "project": "linux", "hash": 329940358336520717408280167618373518610, "size": 27, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445663 }, { "func": "static int power_pmu_commit_txn(struct pmu *pmu)\n{\n\tstruct cpu_hw_events *cpuhw;\n\tlong i, n;\n\n\tif (!ppmu)\n\t\treturn -EAGAIN;\n\n\tcpuhw = this_cpu_ptr(&cpu_hw_events);\n\tWARN_ON_ONCE(!cpuhw->txn_flags);\t/* no txn in flight */\n\n\tif (cpuhw->txn_flags & ~PERF_PMU_TXN_ADD) {\n\t\tcpuhw->txn_flags = 0;\n\t\treturn 0;\n\t}\n\n\tn = cpuhw->n_events;\n\tif (check_excludes(cpuhw->event, cpuhw->flags, 0, n))\n\t\treturn -EAGAIN;\n\ti = power_check_constraints(cpuhw, cpuhw->events, cpuhw->flags, n, cpuhw->event);\n\tif (i < 0)\n\t\treturn -EAGAIN;\n\n\tfor (i = cpuhw->n_txn_start; i < n; ++i)\n\t\tcpuhw->event[i]->hw.config = cpuhw->events[i];\n\n\tcpuhw->txn_flags = 0;\n\tperf_pmu_enable(pmu);\n\treturn 0;\n}", "project": "linux", "hash": 186589214117544433210869874985929194952, "size": 30, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 
(unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374743 }, { "func": "void DeAllocateUntrustedBuffers(void **free_list, size_t count) {\n if (!IsValidUntrustedAddress(free_list)) {\n TrustedPrimitives::BestEffortAbort(\n \"free_list expected to be in untrusted memory.\");\n }\n CHECK_OCALL(ocall_enc_untrusted_deallocate_free_list(\n free_list, static_cast(count)));\n}", "project": "asylo", "hash": 202847268029246040815389262879606709163, "size": 8, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232060 }, { "func": "static int shm_create(XShmSegmentInfo *shm, XImage **ximg_ptr, int w, int h,\n char *name) {\n\n\tXImage *xim;\n\tstatic int reported_flip = 0;\n\tint db = 0;\n\n\tshm->shmid = -1;\n\tshm->shmaddr = (char *) -1;\n\t*ximg_ptr = NULL;\n\n\tif (nofb) {\n\t\treturn 
1;\n\t}\n\n\tX_LOCK;\n\n\tif (! using_shm || xform24to32 || raw_fb) {\n\t\t/* we only need the XImage created */\n\t\txim = XCreateImage_wr(dpy, default_visual, depth, ZPixmap,\n\t\t 0, NULL, w, h, raw_fb ? 32 : BitmapPad(dpy), 0);\n\n\t\tX_UNLOCK;\n\n\t\tif (xim == NULL) {\n\t\t\trfbErr(\"XCreateImage(%s) failed.\\n\", name);\n\t\t\tif (quiet) {\n\t\t\t\tfprintf(stderr, \"XCreateImage(%s) failed.\\n\",\n\t\t\t\t name);\n\t\t\t}\n\t\t\treturn 0;\n\t\t}\n\t\tif (db) fprintf(stderr, \"shm_create simple %d %d\\t%p %s\\n\", w, h, (void *)xim, name);\n\t\txim->data = (char *) malloc(xim->bytes_per_line * xim->height);\n\t\tif (xim->data == NULL) {\n\t\t\trfbErr(\"XCreateImage(%s) data malloc failed.\\n\", name);\n\t\t\tif (quiet) {\n\t\t\t\tfprintf(stderr, \"XCreateImage(%s) data malloc\"\n\t\t\t\t \" failed.\\n\", name);\n\t\t\t}\n\t\t\treturn 0;\n\t\t}\n\t\tif (flip_byte_order) {\n\t\t\tchar *order = flip_ximage_byte_order(xim);\n\t\t\tif (! reported_flip && ! quiet) {\n\t\t\t\trfbLog(\"Changing XImage byte order\"\n\t\t\t\t \" to %s\\n\", order);\n\t\t\t\treported_flip = 1;\n\t\t\t}\n\t\t}\n\n\t\t*ximg_ptr = xim;\n\t\treturn 1;\n\t}\n\n\tif (! 
dpy) {\n\t\tX_UNLOCK;\n\t\treturn 0;\n\t}\n\n\txim = XShmCreateImage_wr(dpy, default_visual, depth, ZPixmap, NULL,\n\t shm, w, h);\n\n\tif (xim == NULL) {\n\t\trfbErr(\"XShmCreateImage(%s) failed.\\n\", name);\n\t\tif (quiet) {\n\t\t\tfprintf(stderr, \"XShmCreateImage(%s) failed.\\n\", name);\n\t\t}\n\t\tX_UNLOCK;\n\t\treturn 0;\n\t}\n\n\t*ximg_ptr = xim;\n\n#if HAVE_XSHM\n\tshm->shmid = shmget(IPC_PRIVATE,\n\t xim->bytes_per_line * xim->height, IPC_CREAT | 0777);\n\n\tif (shm->shmid == -1) {\n\t\trfbErr(\"shmget(%s) failed.\\n\", name);\n\t\trfbLogPerror(\"shmget\");\n\n\t\tXDestroyImage(xim);\n\t\t*ximg_ptr = NULL;\n\n\t\tX_UNLOCK;\n\t\treturn 0;\n\t}\n\n\tshm->shmaddr = xim->data = (char *) shmat(shm->shmid, 0, 0);\n\n\tif (shm->shmaddr == (char *)-1) {\n\t\trfbErr(\"shmat(%s) failed.\\n\", name);\n\t\trfbLogPerror(\"shmat\");\n\n\t\tXDestroyImage(xim);\n\t\t*ximg_ptr = NULL;\n\n\t\tshmctl(shm->shmid, IPC_RMID, 0);\n\t\tshm->shmid = -1;\n\n\t\tX_UNLOCK;\n\t\treturn 0;\n\t}\n\n\tshm->readOnly = False;\n\n\tif (! XShmAttach_wr(dpy, shm)) {\n\t\trfbErr(\"XShmAttach(%s) failed.\\n\", name);\n\t\tXDestroyImage(xim);\n\t\t*ximg_ptr = NULL;\n\n\t\tshmdt(shm->shmaddr);\n\t\tshm->shmaddr = (char *) -1;\n\n\t\tshmctl(shm->shmid, IPC_RMID, 0);\n\t\tshm->shmid = -1;\n\n\t\tX_UNLOCK;\n\t\treturn 0;\n\t}\n#endif\n\n\tX_UNLOCK;\n\treturn 1;\n}", "project": "x11vnc", "hash": 101234356332723009809336080171659591661, "size": 126, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 1, "dataset": "other", "idx": 204491 }, { "func": "static int shm_create(XShmSegmentInfo *shm, XImage **ximg_ptr, int w, int h,\n char *name) {\n\n\tXImage *xim;\n\tstatic int reported_flip = 0;\n\tint db = 0;\n\n\tshm->shmid = -1;\n\tshm->shmaddr = (char *) -1;\n\t*ximg_ptr = NULL;\n\n\tif (nofb) {\n\t\treturn 1;\n\t}\n\n\tX_LOCK;\n\n\tif (! 
using_shm || xform24to32 || raw_fb) {\n\t\t/* we only need the XImage created */\n\t\txim = XCreateImage_wr(dpy, default_visual, depth, ZPixmap,\n\t\t 0, NULL, w, h, raw_fb ? 32 : BitmapPad(dpy), 0);\n\n\t\tX_UNLOCK;\n\n\t\tif (xim == NULL) {\n\t\t\trfbErr(\"XCreateImage(%s) failed.\\n\", name);\n\t\t\tif (quiet) {\n\t\t\t\tfprintf(stderr, \"XCreateImage(%s) failed.\\n\",\n\t\t\t\t name);\n\t\t\t}\n\t\t\treturn 0;\n\t\t}\n\t\tif (db) fprintf(stderr, \"shm_create simple %d %d\\t%p %s\\n\", w, h, (void *)xim, name);\n\t\txim->data = (char *) malloc(xim->bytes_per_line * xim->height);\n\t\tif (xim->data == NULL) {\n\t\t\trfbErr(\"XCreateImage(%s) data malloc failed.\\n\", name);\n\t\t\tif (quiet) {\n\t\t\t\tfprintf(stderr, \"XCreateImage(%s) data malloc\"\n\t\t\t\t \" failed.\\n\", name);\n\t\t\t}\n\t\t\treturn 0;\n\t\t}\n\t\tif (flip_byte_order) {\n\t\t\tchar *order = flip_ximage_byte_order(xim);\n\t\t\tif (! reported_flip && ! quiet) {\n\t\t\t\trfbLog(\"Changing XImage byte order\"\n\t\t\t\t \" to %s\\n\", order);\n\t\t\t\treported_flip = 1;\n\t\t\t}\n\t\t}\n\n\t\t*ximg_ptr = xim;\n\t\treturn 1;\n\t}\n\n\tif (! 
dpy) {\n\t\tX_UNLOCK;\n\t\treturn 0;\n\t}\n\n\txim = XShmCreateImage_wr(dpy, default_visual, depth, ZPixmap, NULL,\n\t shm, w, h);\n\n\tif (xim == NULL) {\n\t\trfbErr(\"XShmCreateImage(%s) failed.\\n\", name);\n\t\tif (quiet) {\n\t\t\tfprintf(stderr, \"XShmCreateImage(%s) failed.\\n\", name);\n\t\t}\n\t\tX_UNLOCK;\n\t\treturn 0;\n\t}\n\n\t*ximg_ptr = xim;\n\n#if HAVE_XSHM\n\tshm->shmid = shmget(IPC_PRIVATE,\n\t xim->bytes_per_line * xim->height, IPC_CREAT | 0600);\n\n\tif (shm->shmid == -1) {\n\t\trfbErr(\"shmget(%s) failed.\\n\", name);\n\t\trfbLogPerror(\"shmget\");\n\n\t\tXDestroyImage(xim);\n\t\t*ximg_ptr = NULL;\n\n\t\tX_UNLOCK;\n\t\treturn 0;\n\t}\n\n\tshm->shmaddr = xim->data = (char *) shmat(shm->shmid, 0, 0);\n\n\tif (shm->shmaddr == (char *)-1) {\n\t\trfbErr(\"shmat(%s) failed.\\n\", name);\n\t\trfbLogPerror(\"shmat\");\n\n\t\tXDestroyImage(xim);\n\t\t*ximg_ptr = NULL;\n\n\t\tshmctl(shm->shmid, IPC_RMID, 0);\n\t\tshm->shmid = -1;\n\n\t\tX_UNLOCK;\n\t\treturn 0;\n\t}\n\n\tshm->readOnly = False;\n\n\tif (! XShmAttach_wr(dpy, shm)) {\n\t\trfbErr(\"XShmAttach(%s) failed.\\n\", name);\n\t\tXDestroyImage(xim);\n\t\t*ximg_ptr = NULL;\n\n\t\tshmdt(shm->shmaddr);\n\t\tshm->shmaddr = (char *) -1;\n\n\t\tshmctl(shm->shmid, IPC_RMID, 0);\n\t\tshm->shmid = -1;\n\n\t\tX_UNLOCK;\n\t\treturn 0;\n\t}\n#endif\n\n\tX_UNLOCK;\n\treturn 1;\n}", "project": "x11vnc", "hash": 251759810483318878247162187332724697979, "size": 126, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360762 }, { "func": "R_API int r_sys_cmdf(const char *fmt, ...) 
{\n\tint ret;\n\tchar cmd[4096];\n\tva_list ap;\n\tva_start(ap, fmt);\n\tvsnprintf (cmd, sizeof (cmd), fmt, ap);\n\tret = r_sys_cmd (cmd);\n\tva_end (ap);\n\treturn ret;\n}", "project": "radare2", "hash": 103912941489158972125913898892861193793, "size": 10, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269085 }, { "func": "static int db_interception(struct vcpu_svm *svm)\n{\n\tstruct kvm_run *kvm_run = svm->vcpu.run;\n\tstruct kvm_vcpu *vcpu = &svm->vcpu;\n\n\tif (!(svm->vcpu.guest_debug &\n\t (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) &&\n\t\t!svm->nmi_singlestep) {\n\t\tkvm_queue_exception(&svm->vcpu, DB_VECTOR);\n\t\treturn 1;\n\t}\n\n\tif (svm->nmi_singlestep) {\n\t\tdisable_nmi_singlestep(svm);\n\t\t/* Make sure we check for pending NMIs upon entry */\n\t\tkvm_make_request(KVM_REQ_EVENT, vcpu);\n\t}\n\n\tif 
(svm->vcpu.guest_debug &\n\t (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) {\n\t\tkvm_run->exit_reason = KVM_EXIT_DEBUG;\n\t\tkvm_run->debug.arch.pc =\n\t\t\tsvm->vmcb->save.cs.base + svm->vmcb->save.rip;\n\t\tkvm_run->debug.arch.exception = DB_VECTOR;\n\t\treturn 0;\n\t}\n\n\treturn 1;\n}", "project": "linux", "hash": 192730472788906377324788121181061102871, "size": 29, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432597 }, { "func": "static int db_interception(struct vcpu_svm *svm)\n{\n\tstruct kvm_run *kvm_run = svm->vcpu.run;\n\n\tif (!(svm->vcpu.guest_debug &\n\t (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) &&\n\t\t!svm->nmi_singlestep) {\n\t\tkvm_queue_exception(&svm->vcpu, DB_VECTOR);\n\t\treturn 1;\n\t}\n\n\tif (svm->nmi_singlestep) {\n\t\tsvm->nmi_singlestep = false;\n\t\tif (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))\n\t\t\tsvm->vmcb->save.rflags &=\n\t\t\t\t~(X86_EFLAGS_TF | X86_EFLAGS_RF);\n\t\tupdate_db_bp_intercept(&svm->vcpu);\n\t}\n\n\tif (svm->vcpu.guest_debug &\n\t (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) {\n\t\tkvm_run->exit_reason = KVM_EXIT_DEBUG;\n\t\tkvm_run->debug.arch.pc =\n\t\t\tsvm->vmcb->save.cs.base + svm->vmcb->save.rip;\n\t\tkvm_run->debug.arch.exception = DB_VECTOR;\n\t\treturn 0;\n\t}\n\n\treturn 1;\n}", "project": "kvm", "hash": 250490354648615435700726842735474243846, "size": 30, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten 
to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437569 }, { "func": "static int unlazy_walk(struct nameidata *nd)\n{\n\tstruct dentry *parent = nd->path.dentry;\n\n\tBUG_ON(!(nd->flags & LOOKUP_RCU));\n\n\tnd->flags &= ~LOOKUP_RCU;\n\tif (unlikely(!legitimize_links(nd)))\n\t\tgoto out1;\n\tif (unlikely(!legitimize_path(nd, &nd->path, nd->seq)))\n\t\tgoto out;\n\tif (unlikely(!legitimize_root(nd)))\n\t\tgoto out;\n\trcu_read_unlock();\n\tBUG_ON(nd->inode != parent->d_inode);\n\treturn 0;\n\nout1:\n\tnd->path.mnt = NULL;\n\tnd->path.dentry = NULL;\nout:\n\trcu_read_unlock();\n\treturn -ECHILD;\n}", "project": "linux", "hash": 82612802257057027968419851596265037483, "size": 24, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295377 }, { "func": "static bool tracing_record_taskinfo_skip(int flags)\n{\n\tif (unlikely(!(flags & (TRACE_RECORD_CMDLINE | TRACE_RECORD_TGID))))\n\t\treturn true;\n\tif (atomic_read(&trace_record_taskinfo_disabled) || !tracing_is_on())\n\t\treturn true;\n\tif (!__this_cpu_read(trace_taskinfo_save))\n\t\treturn true;\n\treturn false;\n}", "project": "linux", "hash": 208516016644872376545022496455204273558, "size": 10, "commit_id": 
"4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445662 }, { "func": "static int php_openssl_load_rand_file(const char * file, int *egdsocket, int *seeded) /* {{{ */\n{\n\tchar buffer[MAXPATHLEN];\n\n\t*egdsocket = 0;\n\t*seeded = 0;\n\n\tif (file == NULL) {\n\t\tfile = RAND_file_name(buffer, sizeof(buffer));\n#ifdef HAVE_RAND_EGD\n\t} else if (RAND_egd(file) > 0) {\n\t\t/* if the given filename is an EGD socket, don't\n\t\t * write anything back to it */\n\t\t*egdsocket = 1;\n\t\treturn SUCCESS;\n#endif\n\t}\n\tif (file == NULL || !RAND_load_file(file, -1)) {\n\t\tif (RAND_status() == 0) {\n\t\t\tphp_openssl_store_errors();\n\t\t\tphp_error_docref(NULL, E_WARNING, \"unable to load random state; not enough random data!\");\n\t\t\treturn FAILURE;\n\t\t}\n\t\treturn FAILURE;\n\t}\n\t*seeded = 1;\n\treturn SUCCESS;\n}", "project": "php-src", "hash": 223682461014880234308921665485200729293, "size": 28, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291375 }, { "func": "static int sctp_apply_peer_addr_params(struct sctp_paddrparams *params,\n\t\t\t\t struct sctp_transport *trans,\n\t\t\t\t struct sctp_association 
*asoc,\n\t\t\t\t struct sctp_sock *sp,\n\t\t\t\t int hb_change,\n\t\t\t\t int pmtud_change,\n\t\t\t\t int sackdelay_change)\n{\n\tint error;\n\n\tif (params->spp_flags & SPP_HB_DEMAND && trans) {\n\t\terror = sctp_primitive_REQUESTHEARTBEAT(trans->asoc->base.net,\n\t\t\t\t\t\t\ttrans->asoc, trans);\n\t\tif (error)\n\t\t\treturn error;\n\t}\n\n\t/* Note that unless the spp_flag is set to SPP_HB_ENABLE the value of\n\t * this field is ignored. Note also that a value of zero indicates\n\t * the current setting should be left unchanged.\n\t */\n\tif (params->spp_flags & SPP_HB_ENABLE) {\n\n\t\t/* Re-zero the interval if the SPP_HB_TIME_IS_ZERO is\n\t\t * set. This lets us use 0 value when this flag\n\t\t * is set.\n\t\t */\n\t\tif (params->spp_flags & SPP_HB_TIME_IS_ZERO)\n\t\t\tparams->spp_hbinterval = 0;\n\n\t\tif (params->spp_hbinterval ||\n\t\t (params->spp_flags & SPP_HB_TIME_IS_ZERO)) {\n\t\t\tif (trans) {\n\t\t\t\ttrans->hbinterval =\n\t\t\t\t msecs_to_jiffies(params->spp_hbinterval);\n\t\t\t} else if (asoc) {\n\t\t\t\tasoc->hbinterval =\n\t\t\t\t msecs_to_jiffies(params->spp_hbinterval);\n\t\t\t} else {\n\t\t\t\tsp->hbinterval = params->spp_hbinterval;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (hb_change) {\n\t\tif (trans) {\n\t\t\ttrans->param_flags =\n\t\t\t\t(trans->param_flags & ~SPP_HB) | hb_change;\n\t\t} else if (asoc) {\n\t\t\tasoc->param_flags =\n\t\t\t\t(asoc->param_flags & ~SPP_HB) | hb_change;\n\t\t} else {\n\t\t\tsp->param_flags =\n\t\t\t\t(sp->param_flags & ~SPP_HB) | hb_change;\n\t\t}\n\t}\n\n\t/* When Path MTU discovery is disabled the value specified here will\n\t * be the \"fixed\" path mtu (i.e. 
the value of the spp_flags field must\n\t * include the flag SPP_PMTUD_DISABLE for this field to have any\n\t * effect).\n\t */\n\tif ((params->spp_flags & SPP_PMTUD_DISABLE) && params->spp_pathmtu) {\n\t\tif (trans) {\n\t\t\ttrans->pathmtu = params->spp_pathmtu;\n\t\t\tsctp_assoc_sync_pmtu(asoc);\n\t\t} else if (asoc) {\n\t\t\tsctp_assoc_set_pmtu(asoc, params->spp_pathmtu);\n\t\t} else {\n\t\t\tsp->pathmtu = params->spp_pathmtu;\n\t\t}\n\t}\n\n\tif (pmtud_change) {\n\t\tif (trans) {\n\t\t\tint update = (trans->param_flags & SPP_PMTUD_DISABLE) &&\n\t\t\t\t(params->spp_flags & SPP_PMTUD_ENABLE);\n\t\t\ttrans->param_flags =\n\t\t\t\t(trans->param_flags & ~SPP_PMTUD) | pmtud_change;\n\t\t\tif (update) {\n\t\t\t\tsctp_transport_pmtu(trans, sctp_opt2sk(sp));\n\t\t\t\tsctp_assoc_sync_pmtu(asoc);\n\t\t\t}\n\t\t} else if (asoc) {\n\t\t\tasoc->param_flags =\n\t\t\t\t(asoc->param_flags & ~SPP_PMTUD) | pmtud_change;\n\t\t} else {\n\t\t\tsp->param_flags =\n\t\t\t\t(sp->param_flags & ~SPP_PMTUD) | pmtud_change;\n\t\t}\n\t}\n\n\t/* Note that unless the spp_flag is set to SPP_SACKDELAY_ENABLE the\n\t * value of this field is ignored. 
Note also that a value of zero\n\t * indicates the current setting should be left unchanged.\n\t */\n\tif ((params->spp_flags & SPP_SACKDELAY_ENABLE) && params->spp_sackdelay) {\n\t\tif (trans) {\n\t\t\ttrans->sackdelay =\n\t\t\t\tmsecs_to_jiffies(params->spp_sackdelay);\n\t\t} else if (asoc) {\n\t\t\tasoc->sackdelay =\n\t\t\t\tmsecs_to_jiffies(params->spp_sackdelay);\n\t\t} else {\n\t\t\tsp->sackdelay = params->spp_sackdelay;\n\t\t}\n\t}\n\n\tif (sackdelay_change) {\n\t\tif (trans) {\n\t\t\ttrans->param_flags =\n\t\t\t\t(trans->param_flags & ~SPP_SACKDELAY) |\n\t\t\t\tsackdelay_change;\n\t\t} else if (asoc) {\n\t\t\tasoc->param_flags =\n\t\t\t\t(asoc->param_flags & ~SPP_SACKDELAY) |\n\t\t\t\tsackdelay_change;\n\t\t} else {\n\t\t\tsp->param_flags =\n\t\t\t\t(sp->param_flags & ~SPP_SACKDELAY) |\n\t\t\t\tsackdelay_change;\n\t\t}\n\t}\n\n\t/* Note that a value of zero indicates the current setting should be\n\t left unchanged.\n\t */\n\tif (params->spp_pathmaxrxt) {\n\t\tif (trans) {\n\t\t\ttrans->pathmaxrxt = params->spp_pathmaxrxt;\n\t\t} else if (asoc) {\n\t\t\tasoc->pathmaxrxt = params->spp_pathmaxrxt;\n\t\t} else {\n\t\t\tsp->pathmaxrxt = params->spp_pathmaxrxt;\n\t\t}\n\t}\n\n\tif (params->spp_flags & SPP_IPV6_FLOWLABEL) {\n\t\tif (trans) {\n\t\t\tif (trans->ipaddr.sa.sa_family == AF_INET6) {\n\t\t\t\ttrans->flowlabel = params->spp_ipv6_flowlabel &\n\t\t\t\t\t\t SCTP_FLOWLABEL_VAL_MASK;\n\t\t\t\ttrans->flowlabel |= SCTP_FLOWLABEL_SET_MASK;\n\t\t\t}\n\t\t} else if (asoc) {\n\t\t\tstruct sctp_transport *t;\n\n\t\t\tlist_for_each_entry(t, &asoc->peer.transport_addr_list,\n\t\t\t\t\t transports) {\n\t\t\t\tif (t->ipaddr.sa.sa_family != AF_INET6)\n\t\t\t\t\tcontinue;\n\t\t\t\tt->flowlabel = params->spp_ipv6_flowlabel &\n\t\t\t\t\t SCTP_FLOWLABEL_VAL_MASK;\n\t\t\t\tt->flowlabel |= SCTP_FLOWLABEL_SET_MASK;\n\t\t\t}\n\t\t\tasoc->flowlabel = params->spp_ipv6_flowlabel &\n\t\t\t\t\t SCTP_FLOWLABEL_VAL_MASK;\n\t\t\tasoc->flowlabel |= SCTP_FLOWLABEL_SET_MASK;\n\t\t} else if 
(sctp_opt2sk(sp)->sk_family == AF_INET6) {\n\t\t\tsp->flowlabel = params->spp_ipv6_flowlabel &\n\t\t\t\t\tSCTP_FLOWLABEL_VAL_MASK;\n\t\t\tsp->flowlabel |= SCTP_FLOWLABEL_SET_MASK;\n\t\t}\n\t}\n\n\tif (params->spp_flags & SPP_DSCP) {\n\t\tif (trans) {\n\t\t\ttrans->dscp = params->spp_dscp & SCTP_DSCP_VAL_MASK;\n\t\t\ttrans->dscp |= SCTP_DSCP_SET_MASK;\n\t\t} else if (asoc) {\n\t\t\tstruct sctp_transport *t;\n\n\t\t\tlist_for_each_entry(t, &asoc->peer.transport_addr_list,\n\t\t\t\t\t transports) {\n\t\t\t\tt->dscp = params->spp_dscp &\n\t\t\t\t\t SCTP_DSCP_VAL_MASK;\n\t\t\t\tt->dscp |= SCTP_DSCP_SET_MASK;\n\t\t\t}\n\t\t\tasoc->dscp = params->spp_dscp & SCTP_DSCP_VAL_MASK;\n\t\t\tasoc->dscp |= SCTP_DSCP_SET_MASK;\n\t\t} else {\n\t\t\tsp->dscp = params->spp_dscp & SCTP_DSCP_VAL_MASK;\n\t\t\tsp->dscp |= SCTP_DSCP_SET_MASK;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 8581181332241377904622228568276984371, "size": 188, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398046 }, { "func": "TEST_P(JSITest, HostObjectTest) {\n class ConstantHostObject : public HostObject {\n Value get(Runtime&, const PropNameID& sym) override {\n return 9000;\n }\n\n void set(Runtime&, const PropNameID&, const Value&) override {}\n };\n\n Object cho =\n Object::createFromHostObject(rt, std::make_shared());\n EXPECT_TRUE(function(\"function (obj) { return obj.someRandomProp == 9000; }\")\n .call(rt, cho)\n .getBool());\n EXPECT_TRUE(cho.isHostObject(rt));\n EXPECT_TRUE(cho.getHostObject(rt).get() != nullptr);\n\n struct SameRuntimeHostObject : HostObject {\n SameRuntimeHostObject(Runtime& rt) : rt_(rt){};\n\n Value get(Runtime& rt, const PropNameID& sym) override {\n EXPECT_EQ(&rt, &rt_);\n return Value();\n }\n\n void set(Runtime& rt, const PropNameID& name, const Value& value) override {\n EXPECT_EQ(&rt, &rt_);\n }\n\n std::vector getPropertyNames(Runtime& rt) override {\n EXPECT_EQ(&rt, &rt_);\n return {};\n }\n\n Runtime& rt_;\n };\n\n Object srho = Object::createFromHostObject(\n rt, std::make_shared(rt));\n // Test get's Runtime is as expected\n function(\"function (obj) { return obj.isSame; }\").call(rt, srho);\n // ... and set\n function(\"function (obj) { obj['k'] = 'v'; }\").call(rt, srho);\n // ... 
and getPropertyNames\n function(\"function (obj) { for (k in obj) {} }\").call(rt, srho);\n\n class TwiceHostObject : public HostObject {\n Value get(Runtime& rt, const PropNameID& sym) override {\n return String::createFromUtf8(rt, sym.utf8(rt) + sym.utf8(rt));\n }\n\n void set(Runtime&, const PropNameID&, const Value&) override {}\n };\n\n Object tho =\n Object::createFromHostObject(rt, std::make_shared());\n EXPECT_TRUE(function(\"function (obj) { return obj.abc == 'abcabc'; }\")\n .call(rt, tho)\n .getBool());\n EXPECT_TRUE(function(\"function (obj) { return obj['def'] == 'defdef'; }\")\n .call(rt, tho)\n .getBool());\n EXPECT_TRUE(function(\"function (obj) { return obj[12] === '1212'; }\")\n .call(rt, tho)\n .getBool());\n EXPECT_TRUE(tho.isHostObject(rt));\n EXPECT_TRUE(\n std::dynamic_pointer_cast(tho.getHostObject(rt)) ==\n nullptr);\n EXPECT_TRUE(tho.getHostObject(rt).get() != nullptr);\n\n class PropNameIDHostObject : public HostObject {\n Value get(Runtime& rt, const PropNameID& sym) override {\n if (PropNameID::compare(rt, sym, PropNameID::forAscii(rt, \"undef\"))) {\n return Value::undefined();\n } else {\n return PropNameID::compare(\n rt, sym, PropNameID::forAscii(rt, \"somesymbol\"));\n }\n }\n\n void set(Runtime&, const PropNameID&, const Value&) override {}\n };\n\n Object sho = Object::createFromHostObject(\n rt, std::make_shared());\n EXPECT_TRUE(sho.isHostObject(rt));\n EXPECT_TRUE(function(\"function (obj) { return obj.undef; }\")\n .call(rt, sho)\n .isUndefined());\n EXPECT_TRUE(function(\"function (obj) { return obj.somesymbol; }\")\n .call(rt, sho)\n .getBool());\n EXPECT_FALSE(function(\"function (obj) { return obj.notsomuch; }\")\n .call(rt, sho)\n .getBool());\n\n class BagHostObject : public HostObject {\n public:\n const std::string& getThing() {\n return bag_[\"thing\"];\n }\n\n private:\n Value get(Runtime& rt, const PropNameID& sym) override {\n if (sym.utf8(rt) == \"thing\") {\n return String::createFromUtf8(rt, 
bag_[sym.utf8(rt)]);\n }\n return Value::undefined();\n }\n\n void set(Runtime& rt, const PropNameID& sym, const Value& val) override {\n std::string key(sym.utf8(rt));\n if (key == \"thing\") {\n bag_[key] = val.toString(rt).utf8(rt);\n }\n }\n\n std::unordered_map bag_;\n };\n\n std::shared_ptr shbho = std::make_shared();\n Object bho = Object::createFromHostObject(rt, shbho);\n EXPECT_TRUE(bho.isHostObject(rt));\n EXPECT_TRUE(function(\"function (obj) { return obj.undef; }\")\n .call(rt, bho)\n .isUndefined());\n EXPECT_EQ(\n function(\"function (obj) { obj.thing = 'hello'; return obj.thing; }\")\n .call(rt, bho)\n .toString(rt)\n .utf8(rt),\n \"hello\");\n EXPECT_EQ(shbho->getThing(), \"hello\");\n\n class ThrowingHostObject : public HostObject {\n Value get(Runtime& rt, const PropNameID& sym) override {\n throw std::runtime_error(\"Cannot get\");\n }\n\n void set(Runtime& rt, const PropNameID& sym, const Value& val) override {\n throw std::runtime_error(\"Cannot set\");\n }\n };\n\n Object thro =\n Object::createFromHostObject(rt, std::make_shared());\n EXPECT_TRUE(thro.isHostObject(rt));\n std::string exc;\n try {\n function(\"function (obj) { return obj.thing; }\").call(rt, thro);\n } catch (const JSError& ex) {\n exc = ex.what();\n }\n EXPECT_NE(exc.find(\"Cannot get\"), std::string::npos);\n exc = \"\";\n try {\n function(\"function (obj) { obj.thing = 'hello'; }\").call(rt, thro);\n } catch (const JSError& ex) {\n exc = ex.what();\n }\n EXPECT_NE(exc.find(\"Cannot set\"), std::string::npos);\n\n class NopHostObject : public HostObject {};\n Object nopHo =\n Object::createFromHostObject(rt, std::make_shared());\n EXPECT_TRUE(nopHo.isHostObject(rt));\n EXPECT_TRUE(function(\"function (obj) { return obj.thing; }\")\n .call(rt, nopHo)\n .isUndefined());\n\n std::string nopExc;\n try {\n function(\"function (obj) { obj.thing = 'pika'; }\").call(rt, nopHo);\n } catch (const JSError& ex) {\n nopExc = ex.what();\n }\n EXPECT_NE(nopExc.find(\"TypeError: \"), 
std::string::npos);\n\n class HostObjectWithPropertyNames : public HostObject {\n std::vector getPropertyNames(Runtime& rt) override {\n return PropNameID::names(\n rt, \"a_prop\", \"1\", \"false\", \"a_prop\", \"3\", \"c_prop\");\n }\n };\n\n Object howpn = Object::createFromHostObject(\n rt, std::make_shared());\n EXPECT_TRUE(\n function(\n \"function (o) { return Object.getOwnPropertyNames(o).length == 5 }\")\n .call(rt, howpn)\n .getBool());\n\n auto hasOwnPropertyName = function(\n \"function (o, p) {\"\n \" return Object.getOwnPropertyNames(o).indexOf(p) >= 0\"\n \"}\");\n EXPECT_TRUE(\n hasOwnPropertyName.call(rt, howpn, String::createFromAscii(rt, \"a_prop\"))\n .getBool());\n EXPECT_TRUE(\n hasOwnPropertyName.call(rt, howpn, String::createFromAscii(rt, \"1\"))\n .getBool());\n EXPECT_TRUE(\n hasOwnPropertyName.call(rt, howpn, String::createFromAscii(rt, \"false\"))\n .getBool());\n EXPECT_TRUE(\n hasOwnPropertyName.call(rt, howpn, String::createFromAscii(rt, \"3\"))\n .getBool());\n EXPECT_TRUE(\n hasOwnPropertyName.call(rt, howpn, String::createFromAscii(rt, \"c_prop\"))\n .getBool());\n EXPECT_FALSE(hasOwnPropertyName\n .call(rt, howpn, String::createFromAscii(rt, \"not_existing\"))\n .getBool());\n}", "project": "hermes", "hash": 89435710718206934018111920614127000873, "size": 217, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230154 }, { "func": "TEST_P(JSITest, EqualsTest) {\n EXPECT_TRUE(Object::strictEquals(rt, rt.global(), rt.global()));\n EXPECT_TRUE(Value::strictEquals(rt, 1, 1));\n EXPECT_FALSE(Value::strictEquals(rt, true, 1));\n EXPECT_FALSE(Value::strictEquals(rt, true, false));\n EXPECT_TRUE(Value::strictEquals(rt, false, false));\n EXPECT_FALSE(Value::strictEquals(rt, nullptr, 1));\n EXPECT_TRUE(Value::strictEquals(rt, nullptr, nullptr));\n EXPECT_TRUE(Value::strictEquals(rt, Value::undefined(), Value()));\n EXPECT_TRUE(Value::strictEquals(rt, rt.global(), Value(rt.global())));\n EXPECT_FALSE(Value::strictEquals(\n rt,\n std::numeric_limits::quiet_NaN(),\n std::numeric_limits::quiet_NaN()));\n EXPECT_FALSE(Value::strictEquals(\n rt,\n std::numeric_limits::signaling_NaN(),\n std::numeric_limits::signaling_NaN()));\n EXPECT_TRUE(Value::strictEquals(rt, +0.0, -0.0));\n EXPECT_TRUE(Value::strictEquals(rt, -0.0, +0.0));\n\n Function noop = Function::createFromHostFunction(\n rt,\n PropNameID::forAscii(rt, \"noop\"),\n 0,\n [](const Runtime&, const Value&, const Value*, size_t) {\n return Value();\n });\n auto noopDup = Value(rt, noop).getObject(rt);\n EXPECT_TRUE(Object::strictEquals(rt, noop, noopDup));\n EXPECT_TRUE(Object::strictEquals(rt, noopDup, noop));\n EXPECT_FALSE(Object::strictEquals(rt, noop, rt.global()));\n EXPECT_TRUE(Object::strictEquals(rt, noop, noop));\n EXPECT_TRUE(Value::strictEquals(rt, Value(rt, noop), Value(rt, noop)));\n\n String str = String::createFromAscii(rt, \"rick\");\n String strDup = String::createFromAscii(rt, \"rick\");\n String otherStr = String::createFromAscii(rt, \"morty\");\n EXPECT_TRUE(String::strictEquals(rt, str, str));\n EXPECT_TRUE(String::strictEquals(rt, 
str, strDup));\n EXPECT_TRUE(String::strictEquals(rt, strDup, str));\n EXPECT_FALSE(String::strictEquals(rt, str, otherStr));\n EXPECT_TRUE(Value::strictEquals(rt, Value(rt, str), Value(rt, str)));\n EXPECT_FALSE(Value::strictEquals(rt, Value(rt, str), Value(rt, noop)));\n EXPECT_FALSE(Value::strictEquals(rt, Value(rt, str), 1.0));\n}", "project": "hermes", "hash": 121331723743286998477264096797706514365, "size": 46, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230164 }, { "func": "TEST_P(JSITest, ObjectTest) {\n eval(\"x = {1:2, '3':4, 5:'six', 'seven':['eight', 'nine']}\");\n Object x = rt.global().getPropertyAsObject(rt, \"x\");\n EXPECT_EQ(x.getPropertyNames(rt).size(rt), 4);\n EXPECT_TRUE(x.hasProperty(rt, \"1\"));\n EXPECT_TRUE(x.hasProperty(rt, PropNameID::forAscii(rt, \"1\")));\n EXPECT_FALSE(x.hasProperty(rt, \"2\"));\n EXPECT_FALSE(x.hasProperty(rt, PropNameID::forAscii(rt, \"2\")));\n EXPECT_TRUE(x.hasProperty(rt, \"3\"));\n EXPECT_TRUE(x.hasProperty(rt, PropNameID::forAscii(rt, \"3\")));\n EXPECT_TRUE(x.hasProperty(rt, \"seven\"));\n EXPECT_TRUE(x.hasProperty(rt, PropNameID::forAscii(rt, \"seven\")));\n EXPECT_EQ(x.getProperty(rt, \"1\").getNumber(), 2);\n EXPECT_EQ(x.getProperty(rt, PropNameID::forAscii(rt, 
\"1\")).getNumber(), 2);\n EXPECT_EQ(x.getProperty(rt, \"3\").getNumber(), 4);\n Value five = 5;\n EXPECT_EQ(\n x.getProperty(rt, PropNameID::forString(rt, five.toString(rt)))\n .getString(rt)\n .utf8(rt),\n \"six\");\n\n x.setProperty(rt, \"ten\", 11);\n EXPECT_EQ(x.getPropertyNames(rt).size(rt), 5);\n EXPECT_TRUE(eval(\"x.ten == 11\").getBool());\n\n x.setProperty(rt, \"e_as_float\", 2.71f);\n EXPECT_TRUE(eval(\"Math.abs(x.e_as_float - 2.71) < 0.001\").getBool());\n\n x.setProperty(rt, \"e_as_double\", 2.71);\n EXPECT_TRUE(eval(\"x.e_as_double == 2.71\").getBool());\n\n uint8_t utf8[] = {0xF0, 0x9F, 0x86, 0x97};\n String nonAsciiName = String::createFromUtf8(rt, utf8, sizeof(utf8));\n x.setProperty(rt, PropNameID::forString(rt, nonAsciiName), \"emoji\");\n EXPECT_EQ(x.getPropertyNames(rt).size(rt), 8);\n EXPECT_TRUE(eval(\"x['\\\\uD83C\\\\uDD97'] == 'emoji'\").getBool());\n\n Object seven = x.getPropertyAsObject(rt, \"seven\");\n EXPECT_TRUE(seven.isArray(rt));\n Object evalf = rt.global().getPropertyAsObject(rt, \"eval\");\n EXPECT_TRUE(evalf.isFunction(rt));\n\n Object movedX = Object(rt);\n movedX = std::move(x);\n EXPECT_EQ(movedX.getPropertyNames(rt).size(rt), 8);\n EXPECT_EQ(movedX.getProperty(rt, \"1\").getNumber(), 2);\n\n Object obj = Object(rt);\n obj.setProperty(rt, \"roses\", \"red\");\n obj.setProperty(rt, \"violets\", \"blue\");\n Object oprop = Object(rt);\n obj.setProperty(rt, \"oprop\", oprop);\n obj.setProperty(rt, \"aprop\", Array(rt, 1));\n\n EXPECT_TRUE(function(\"function (obj) { return \"\n \"obj.roses == 'red' && \"\n \"obj['violets'] == 'blue' && \"\n \"typeof obj.oprop == 'object' && \"\n \"Array.isArray(obj.aprop); }\")\n .call(rt, obj)\n .getBool());\n\n // Check that getPropertyNames doesn't return non-enumerable\n // properties.\n obj = function(\n \"function () {\"\n \" obj = {};\"\n \" obj.a = 1;\"\n \" Object.defineProperty(obj, 'b', {\"\n \" enumerable: false,\"\n \" value: 2\"\n \" });\"\n \" return obj;\"\n \"}\")\n .call(rt)\n 
.getObject(rt);\n EXPECT_EQ(obj.getProperty(rt, \"a\").getNumber(), 1);\n EXPECT_EQ(obj.getProperty(rt, \"b\").getNumber(), 2);\n Array names = obj.getPropertyNames(rt);\n EXPECT_EQ(names.size(rt), 1);\n EXPECT_EQ(names.getValueAtIndex(rt, 0).getString(rt).utf8(rt), \"a\");\n}", "project": "hermes", "hash": 188910249810701595420153140185623820559, "size": 83, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230187 }, { "func": "TEST_P(JSITest, ArrayTest) {\n eval(\"x = {1:2, '3':4, 5:'six', 'seven':['eight', 'nine']}\");\n\n Object x = rt.global().getPropertyAsObject(rt, \"x\");\n Array names = x.getPropertyNames(rt);\n EXPECT_EQ(names.size(rt), 4);\n std::unordered_set strNames;\n for (size_t i = 0; i < names.size(rt); ++i) {\n Value n = names.getValueAtIndex(rt, i);\n EXPECT_TRUE(n.isString());\n strNames.insert(n.getString(rt).utf8(rt));\n }\n\n EXPECT_EQ(strNames.size(), 4);\n EXPECT_EQ(strNames.count(\"1\"), 1);\n EXPECT_EQ(strNames.count(\"3\"), 1);\n EXPECT_EQ(strNames.count(\"5\"), 1);\n EXPECT_EQ(strNames.count(\"seven\"), 1);\n\n Object seven = x.getPropertyAsObject(rt, \"seven\");\n Array arr = seven.getArray(rt);\n\n EXPECT_EQ(arr.size(rt), 2);\n EXPECT_EQ(arr.getValueAtIndex(rt, 0).getString(rt).utf8(rt), \"eight\");\n 
EXPECT_EQ(arr.getValueAtIndex(rt, 1).getString(rt).utf8(rt), \"nine\");\n // TODO: test out of range\n\n EXPECT_EQ(x.getPropertyAsObject(rt, \"seven\").getArray(rt).size(rt), 2);\n\n // Check that property access with both symbols and strings can access\n // array values.\n EXPECT_EQ(seven.getProperty(rt, \"0\").getString(rt).utf8(rt), \"eight\");\n EXPECT_EQ(seven.getProperty(rt, \"1\").getString(rt).utf8(rt), \"nine\");\n seven.setProperty(rt, \"1\", \"modified\");\n EXPECT_EQ(seven.getProperty(rt, \"1\").getString(rt).utf8(rt), \"modified\");\n EXPECT_EQ(arr.getValueAtIndex(rt, 1).getString(rt).utf8(rt), \"modified\");\n EXPECT_EQ(\n seven.getProperty(rt, PropNameID::forAscii(rt, \"0\"))\n .getString(rt)\n .utf8(rt),\n \"eight\");\n seven.setProperty(rt, PropNameID::forAscii(rt, \"0\"), \"modified2\");\n EXPECT_EQ(arr.getValueAtIndex(rt, 0).getString(rt).utf8(rt), \"modified2\");\n\n Array alpha = Array(rt, 4);\n EXPECT_TRUE(alpha.getValueAtIndex(rt, 0).isUndefined());\n EXPECT_TRUE(alpha.getValueAtIndex(rt, 3).isUndefined());\n EXPECT_EQ(alpha.size(rt), 4);\n alpha.setValueAtIndex(rt, 0, \"a\");\n alpha.setValueAtIndex(rt, 1, \"b\");\n EXPECT_EQ(alpha.length(rt), 4);\n alpha.setValueAtIndex(rt, 2, \"c\");\n alpha.setValueAtIndex(rt, 3, \"d\");\n EXPECT_EQ(alpha.size(rt), 4);\n\n EXPECT_TRUE(\n function(\n \"function (arr) { return \"\n \"arr.length == 4 && \"\n \"['a','b','c','d'].every(function(v,i) { return v === arr[i]}); }\")\n .call(rt, alpha)\n .getBool());\n\n Array alpha2 = Array(rt, 1);\n alpha2 = std::move(alpha);\n EXPECT_EQ(alpha2.size(rt), 4);\n}", "project": "hermes", "hash": 246322908714404145127318538479730731874, "size": 67, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. 
This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230195 }, { "func": "TEST_P(JSITest, StringTest) {\n EXPECT_TRUE(checkValue(String::createFromAscii(rt, \"foobar\", 3), \"'foo'\"));\n EXPECT_TRUE(checkValue(String::createFromAscii(rt, \"foobar\"), \"'foobar'\"));\n\n std::string baz = \"baz\";\n EXPECT_TRUE(checkValue(String::createFromAscii(rt, baz), \"'baz'\"));\n\n uint8_t utf8[] = {0xF0, 0x9F, 0x86, 0x97};\n EXPECT_TRUE(checkValue(\n String::createFromUtf8(rt, utf8, sizeof(utf8)), \"'\\\\uD83C\\\\uDD97'\"));\n\n EXPECT_EQ(eval(\"'quux'\").getString(rt).utf8(rt), \"quux\");\n EXPECT_EQ(eval(\"'\\\\u20AC'\").getString(rt).utf8(rt), \"\\xe2\\x82\\xac\");\n\n String quux = String::createFromAscii(rt, \"quux\");\n String movedQuux = std::move(quux);\n EXPECT_EQ(movedQuux.utf8(rt), \"quux\");\n movedQuux = String::createFromAscii(rt, \"quux2\");\n EXPECT_EQ(movedQuux.utf8(rt), \"quux2\");\n}", "project": "hermes", "hash": 228673889781422601937252442211047091903, "size": 20, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230202 }, { "func": "TEST_P(JSITest, ValueTest) {\n EXPECT_TRUE(checkValue(Value::undefined(), \"undefined\"));\n EXPECT_TRUE(checkValue(Value(), \"undefined\"));\n EXPECT_TRUE(checkValue(Value::null(), \"null\"));\n EXPECT_TRUE(checkValue(nullptr, \"null\"));\n\n EXPECT_TRUE(checkValue(Value(false), \"false\"));\n EXPECT_TRUE(checkValue(false, \"false\"));\n EXPECT_TRUE(checkValue(true, \"true\"));\n\n EXPECT_TRUE(checkValue(Value(1.5), \"1.5\"));\n EXPECT_TRUE(checkValue(2.5, \"2.5\"));\n\n EXPECT_TRUE(checkValue(Value(10), \"10\"));\n EXPECT_TRUE(checkValue(20, \"20\"));\n EXPECT_TRUE(checkValue(30, \"30\"));\n\n // rvalue implicit conversion\n EXPECT_TRUE(checkValue(String::createFromAscii(rt, \"one\"), \"'one'\"));\n // lvalue explicit copy\n String s = String::createFromAscii(rt, \"two\");\n EXPECT_TRUE(checkValue(Value(rt, s), \"'two'\"));\n\n {\n // rvalue assignment of trivial value\n Value v1 = 100;\n Value v2 = String::createFromAscii(rt, \"hundred\");\n v2 = std::move(v1);\n EXPECT_TRUE(v2.isNumber());\n EXPECT_EQ(v2.getNumber(), 100);\n }\n\n {\n // rvalue assignment of js heap value\n Value v1 = String::createFromAscii(rt, \"hundred\");\n Value v2 = 100;\n v2 = std::move(v1);\n EXPECT_TRUE(v2.isString());\n EXPECT_EQ(v2.getString(rt).utf8(rt), \"hundred\");\n }\n\n Object o = Object(rt);\n EXPECT_TRUE(function(\"function(value) { return typeof(value) == 'object'; }\")\n .call(rt, Value(rt, o))\n .getBool());\n\n uint8_t utf8[] = \"[null, 2, \\\"c\\\", \\\"emoji: \\xf0\\x9f\\x86\\x97\\\", {}]\";\n\n EXPECT_TRUE(\n function(\"function (arr) { return \"\n \"Array.isArray(arr) && \"\n \"arr.length == 5 && \"\n \"arr[0] === null && \"\n \"arr[1] == 2 && \"\n \"arr[2] == 'c' && 
\"\n \"arr[3] == 'emoji: \\\\uD83C\\\\uDD97' && \"\n \"typeof arr[4] == 'object'; }\")\n .call(rt, Value::createFromJsonUtf8(rt, utf8, sizeof(utf8) - 1))\n .getBool());\n\n EXPECT_TRUE(eval(\"undefined\").isUndefined());\n EXPECT_TRUE(eval(\"null\").isNull());\n EXPECT_TRUE(eval(\"true\").isBool());\n EXPECT_TRUE(eval(\"false\").isBool());\n EXPECT_TRUE(eval(\"123\").isNumber());\n EXPECT_TRUE(eval(\"123.4\").isNumber());\n EXPECT_TRUE(eval(\"'str'\").isString());\n // \"{}\" returns undefined. empty code block?\n EXPECT_TRUE(eval(\"({})\").isObject());\n EXPECT_TRUE(eval(\"[]\").isObject());\n EXPECT_TRUE(eval(\"(function(){})\").isObject());\n\n EXPECT_EQ(eval(\"123\").getNumber(), 123);\n EXPECT_EQ(eval(\"123.4\").getNumber(), 123.4);\n EXPECT_EQ(eval(\"'str'\").getString(rt).utf8(rt), \"str\");\n EXPECT_TRUE(eval(\"[]\").getObject(rt).isArray(rt));\n\n EXPECT_EQ(eval(\"456\").asNumber(), 456);\n EXPECT_THROW(eval(\"'word'\").asNumber(), JSIException);\n EXPECT_EQ(\n eval(\"({1:2, 3:4})\").asObject(rt).getProperty(rt, \"1\").getNumber(), 2);\n EXPECT_THROW(eval(\"'oops'\").asObject(rt), JSIException);\n\n EXPECT_EQ(eval(\"['zero',1,2,3]\").toString(rt).utf8(rt), \"zero,1,2,3\");\n}", "project": "hermes", "hash": 308592101981148354681805437647075181904, "size": 85, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230247 }, { "func": "static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, uint32_t dl,\n\t\t\t\t char **emsg) {\n uint32_t il_max = HEADER_TAGS_MAX;\n uint32_t dl_max = HEADER_DATA_MAX;\n if (regionTag == RPMTAG_HEADERSIGNATURES) {\n\til_max = 32;\n\tdl_max = 64 * 1024 * 1024;\n }\n if (hdrchkRange(il_max, il)) {\n\trasprintf(emsg, _(\"hdr tags: BAD, no. of tags(%\" PRIu32 \") out of range\"), il);\n\treturn RPMRC_FAIL;\n }\n if (hdrchkRange(dl_max, dl)) {\n\trasprintf(emsg, _(\"hdr data: BAD, no. of bytes(%\" PRIu32 \") out of range\"), dl);\n\treturn RPMRC_FAIL;\n }\n return RPMRC_OK;\n}", "project": "rpm", "hash": 111404683961002070584927484885093790886, "size": 18, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318156 }, { "func": "Header headerLink(Header h)\n{\n if (h != NULL)\n\th->nrefs++;\n return h;\n}", "project": "rpm", "hash": 236391050723906815304736797876121710544, "size": 6, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318173 }, { "func": "int tipc_node_get_linkname(struct net *net, u32 bearer_id, u32 addr,\n\t\t\t char *linkname, size_t len)\n{\n\tstruct tipc_link *link;\n\tint err = -EINVAL;\n\tstruct tipc_node *node = tipc_node_find(net, addr);\n\n\tif (!node)\n\t\treturn err;\n\n\tif (bearer_id >= MAX_BEARERS)\n\t\tgoto exit;\n\n\ttipc_node_read_lock(node);\n\tlink = 
node->links[bearer_id].link;\n\tif (link) {\n\t\tstrncpy(linkname, tipc_link_name(link), len);\n\t\terr = 0;\n\t}\n\ttipc_node_read_unlock(node);\nexit:\n\ttipc_node_put(node);\n\treturn err;\n}", "project": "linux", "hash": 307457072174863892236037054153944638427, "size": 24, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 
net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n 
__do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364957 }, { "func": "static void opj_j2k_get_tile_data(opj_tcd_t * p_tcd, OPJ_BYTE * p_data)\n{\n OPJ_UINT32 i, j, k = 0;\n\n for (i = 0; i < p_tcd->image->numcomps; ++i) {\n opj_image_t * l_image = p_tcd->image;\n OPJ_INT32 * l_src_ptr;\n opj_tcd_tilecomp_t * l_tilec = p_tcd->tcd_image->tiles->comps + i;\n opj_image_comp_t * l_img_comp = l_image->comps + i;\n OPJ_UINT32 l_size_comp, l_width, l_height, l_offset_x, l_offset_y,\n l_image_width, l_stride, l_tile_offset;\n\n opj_get_tile_dimensions(l_image,\n l_tilec,\n l_img_comp,\n &l_size_comp,\n &l_width,\n &l_height,\n &l_offset_x,\n &l_offset_y,\n &l_image_width,\n &l_stride,\n &l_tile_offset);\n\n l_src_ptr = l_img_comp->data + l_tile_offset;\n\n switch (l_size_comp) {\n case 1: {\n OPJ_CHAR * l_dest_ptr = (OPJ_CHAR*) p_data;\n if (l_img_comp->sgnd) {\n for (j = 0; j < l_height; ++j) {\n for (k = 0; k < l_width; ++k) {\n *(l_dest_ptr) = (OPJ_CHAR)(*l_src_ptr);\n ++l_dest_ptr;\n ++l_src_ptr;\n }\n l_src_ptr += l_stride;\n }\n } else {\n for (j = 0; j < l_height; ++j) {\n for (k = 0; k < l_width; ++k) {\n *(l_dest_ptr) = (OPJ_CHAR)((*l_src_ptr) & 0xff);\n ++l_dest_ptr;\n ++l_src_ptr;\n }\n l_src_ptr += l_stride;\n }\n }\n\n p_data = (OPJ_BYTE*) l_dest_ptr;\n }\n break;\n case 2: {\n OPJ_INT16 * l_dest_ptr = (OPJ_INT16 *) 
p_data;\n if (l_img_comp->sgnd) {\n for (j = 0; j < l_height; ++j) {\n for (k = 0; k < l_width; ++k) {\n *(l_dest_ptr++) = (OPJ_INT16)(*(l_src_ptr++));\n }\n l_src_ptr += l_stride;\n }\n } else {\n for (j = 0; j < l_height; ++j) {\n for (k = 0; k < l_width; ++k) {\n *(l_dest_ptr++) = (OPJ_INT16)((*(l_src_ptr++)) & 0xffff);\n }\n l_src_ptr += l_stride;\n }\n }\n\n p_data = (OPJ_BYTE*) l_dest_ptr;\n }\n break;\n case 4: {\n OPJ_INT32 * l_dest_ptr = (OPJ_INT32 *) p_data;\n for (j = 0; j < l_height; ++j) {\n for (k = 0; k < l_width; ++k) {\n *(l_dest_ptr++) = *(l_src_ptr++);\n }\n l_src_ptr += l_stride;\n }\n\n p_data = (OPJ_BYTE*) l_dest_ptr;\n }\n break;\n }\n }\n}", "project": "openjpeg", "hash": 108820598520596700122489947781872145131, "size": 88, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357342 }, { "func": "static apr_status_t add_trailer(h2_stream *stream,\n const char *name, size_t nlen,\n const char *value, size_t vlen,\n size_t max_field_len, int *pwas_added)\n{\n conn_rec *c = stream->session->c;\n char *hname, *hvalue;\n const char *existing;\n\n *pwas_added = 0;\n if (nlen == 0 || name[0] == ':') {\n ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EINVAL, c, \n H2_STRM_LOG(APLOGNO(03060), stream, \n \"pseudo header in trailer\"));\n return APR_EINVAL;\n }\n if (h2_req_ignore_trailer(name, nlen)) {\n return APR_SUCCESS;\n }\n if (!stream->trailers) {\n stream->trailers = apr_table_make(stream->pool, 5);\n }\n hname = apr_pstrndup(stream->pool, name, nlen);\n h2_util_camel_case_header(hname, nlen);\n existing = apr_table_get(stream->trailers, hname);\n if (max_field_len \n && ((existing? 
strlen(existing)+2 : 0) + vlen + nlen + 2 > max_field_len)) {\n /* \"key: (oldval, )?nval\" is too long */\n return APR_EINVAL;\n }\n if (!existing) *pwas_added = 1;\n hvalue = apr_pstrndup(stream->pool, value, vlen);\n apr_table_mergen(stream->trailers, hname, hvalue);\n ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, \n H2_STRM_MSG(stream, \"added trailer '%s: %s'\"), hname, hvalue);\n \n return APR_SUCCESS;\n}", "project": "httpd", "hash": 152502919733944657092086342691584546074, "size": 38, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284257 }, { "func": "inline bool StringData::isStrictlyInteger(int64_t& res) const {\n // Exploit the NUL terminator and unsigned comparison. This single comparison\n // checks whether the string is empty or if the first byte is greater than '9'\n // or less than '-'. Note that '-' == 45 and '0' == 48, which makes this\n // valid. (46 == '.' 
and 47 == '/', so if one of those is the first byte, this\n // check will be a false positive, but it will still be caught later.)\n if ((unsigned char)(data()[0] - '-') > ('9' - '-')) {\n return false;\n }\n if (m_hash < 0) return false;\n auto const s = slice();\n return is_strictly_integer(s.data(), s.size(), res);\n}", "project": "hhvm", "hash": 199393291830591250865046979658495273796, "size": 13, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219751 }, { "func": "UnicodeString::padTrailing(int32_t targetLength,\n UChar padChar)\n{\n int32_t oldLength = length();\n if(oldLength >= targetLength || !cloneArrayIfNeeded(targetLength)) {\n return FALSE;\n } else {\n // fill in padding character\n UChar *array = getArrayStart();\n int32_t length = targetLength;\n while(--length >= oldLength) {\n array[length] = padChar;\n }\n setLength(targetLength);\n return TRUE;\n }\n}", "project": "icu", "hash": 42065578189985534854801510868459210851, "size": 17, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430776 }, { "func": "static void put_huge_zero_page(void)\n{\n\t/*\n\t * Counter should never go to zero here. Only shrinker can put\n\t * last reference.\n\t */\n\tBUG_ON(atomic_dec_and_test(&huge_zero_refcount));\n}", "project": "linux", "hash": 31981563226722127334262684242826665678, "size": 8, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. 
This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. 
Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364144 }, { "func": "}\n\nstatic int\niscsi_send_ping(struct iscsi_transport *transport, struct iscsi_uevent *ev)\n{\n\tstruct Scsi_Host *shost;\n\tstruct sockaddr *dst_addr;\n\tint err;\n\n\tif (!transport->send_ping)\n\t\treturn -ENOSYS;\n\n\tshost = scsi_host_lookup(ev->u.iscsi_ping.host_no);\n\tif (!shost) {\n\t\tprintk(KERN_ERR \"iscsi_ping could not find host no %u\\n\",\n\t\t ev->u.iscsi_ping.host_no);\n\t\treturn -ENODEV;\n\t}\n\n\tdst_addr = (struct sockaddr *)((char *)ev + sizeof(*ev));\n\terr = transport->send_ping(shost, ev->u.iscsi_ping.iface_num,\n\t\t\t\t ev->u.iscsi_ping.iface_type,\n\t\t\t\t ev->u.iscsi_ping.payload_size,\n\t\t\t\t ev->u.iscsi_ping.pid,\n\t\t\t\t dst_addr);", "project": "linux", "hash": 260298195741699614391737920748700139707, "size": 25, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379930 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "MediaStreamAudioSourceNode* AudioContext::createMediaStreamSource(MediaStream* mediaStream, ExceptionState& exceptionState)\n{\n ASSERT(isMainThread());\n if (!mediaStream) {\n exceptionState.throwDOMException(\n InvalidStateError,\n \"invalid MediaStream source\");\n return 0;\n }\n\n MediaStreamTrackVector audioTracks = mediaStream->getAudioTracks();\n if (audioTracks.isEmpty()) {\n exceptionState.throwDOMException(\n InvalidStateError,\n \"MediaStream has no audio track\");\n return 0;\n }\n\n MediaStreamTrack* audioTrack = audioTracks[0];\n OwnPtr provider = audioTrack->createWebAudioSource();\n MediaStreamAudioSourceNode* node = MediaStreamAudioSourceNode::create(this, mediaStream, audioTrack, provider.release());\n\n node->setFormat(2, sampleRate());\n\n refNode(node); // context keeps reference until node is disconnected\n return node;\n}\n", "cwe": "", "big_vul_idx": 139640, "idx": 124792, "hash": 42144094694095061055294316953509166814 }, { "func": "R_API bool r_socket_is_connected (RSocket *s) {\n\treturn false;\n}", "project": "radare2", "hash": 123264809935282376355229784940691843050, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268877 }, { "func": "R_API bool r_socket_is_connected(RSocket *s) {\n#if __WINDOWS__\n\tchar buf[2];\n\tr_socket_block_time (s, 0, 0, 0);\n#ifdef _MSC_VER\n\tint ret = recv (s->fd, (char*)&buf, 1, MSG_PEEK);\n#else\n\tssize_t ret = recv (s->fd, (char*)&buf, 1, MSG_PEEK);\n#endif\n\tr_socket_block_time (s, 1, 0, 0);\n\treturn ret == 1;\n#else\n\tint error = 0;\n\tsocklen_t len = sizeof (error);\n\tint ret = getsockopt (s->fd, SOL_SOCKET, SO_ERROR, &error, &len);\n\tif (ret != 0) {\n\t\tperror (\"getsockopt\");\n\t\treturn false;\n\t}\n\tif (error != 0) {\n\t\treturn false;\n\t}\n\treturn true;\n#endif\n}", "project": "radare2", "hash": 267309266600460961060509187821182575119, "size": 25, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269004 }, { "func": "static int acl_permission_check(struct inode *inode, int mask)\n{\n\tunsigned int mode = inode->i_mode;\n\n\tif (likely(uid_eq(current_fsuid(), inode->i_uid)))\n\t\tmode >>= 6;\n\telse {\n\t\tif (IS_POSIXACL(inode) && (mode & S_IRWXG)) {\n\t\t\tint error = check_acl(inode, mask);\n\t\t\tif (error != -EAGAIN)\n\t\t\t\treturn error;\n\t\t}\n\n\t\tif (in_group_p(inode->i_gid))\n\t\t\tmode >>= 3;\n\t}\n\n\t/*\n\t * If the DACs are ok we don't need any capability check.\n\t */\n\tif ((mask & ~mode & (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0)\n\t\treturn 0;\n\treturn -EACCES;\n}", "project": "linux", "hash": 58935394503920067696223602475916246916, "size": 24, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295432 }, { "func": "static int _nfs4_proc_readlink(struct inode *inode, struct page *page,\n\t\tunsigned int pgbase, unsigned int pglen)\n{\n\tstruct nfs4_readlink args = {\n\t\t.fh = NFS_FH(inode),\n\t\t.pgbase\t = pgbase,\n\t\t.pglen = pglen,\n\t\t.pages = &page,\n\t};\n\tstruct nfs4_readlink_res res;\n\tstruct rpc_message msg = 
{\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_READLINK],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t};\n\n\treturn nfs4_call_sync(NFS_SERVER(inode)->client, NFS_SERVER(inode), &msg, &args.seq_args, &res.seq_res, 0);\n}", "project": "linux", "hash": 129022934549066746680679996361084706399, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430962 }, { "func": "OPJ_BOOL opj_tcd_init_decode_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,\n opj_event_mgr_t* p_manager)\n{\n return opj_tcd_init_tile(p_tcd, p_tile_no, OPJ_FALSE,\n sizeof(opj_tcd_cblk_dec_t), p_manager);\n}", "project": "openjpeg", "hash": 206897057948698144682954083056048242038, "size": 6, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359190 }, { "func": "static int exif_scan_JPEG_header(image_info_type *ImageInfo) {\n int section, sn;\n int marker = 0, last_marker = M_PSEUDO, comment_correction=1;\n int ll, lh;\n unsigned char *Data;\n size_t fpos, size, got, itemlen;\n jpeg_sof_info sof_info;\n\n for(section=0;;section++) {\n // get marker byte, swallowing possible padding\n // some software does not count the length bytes of COM section\n // one company doing so is very much envolved in JPEG...\n // so we accept too\n if (last_marker==M_COM && comment_correction) {\n comment_correction = 2;\n }\n do {\n if ((marker = ImageInfo->infile->getc()) == EOF) {\n raise_warning(\"File structure corrupted\");\n return 
0;\n }\n if (last_marker==M_COM && comment_correction>0) {\n if (marker!=0xFF) {\n marker = 0xff;\n comment_correction--;\n } else {\n last_marker = M_PSEUDO; /* stop skipping 0 for M_COM */\n }\n }\n } while (marker == 0xff);\n if (last_marker==M_COM && !comment_correction) {\n raise_notice(\"Image has corrupt COM section: some software set \"\n \"wrong length information\");\n }\n if (last_marker==M_COM && comment_correction)\n return M_EOI; /* ah illegal: char after COM section not 0xFF */\n\n fpos = ImageInfo->infile->tell();\n\n if (marker == 0xff) {\n // 0xff is legal padding, but if we get that many, something's wrong.\n raise_warning(\"To many padding bytes\");\n return 0;\n }\n\n /* Read the length of the section. */\n\n if ((lh = ImageInfo->infile->getc()) == EOF) {\n raise_warning(\"File structure corrupted\");\n return 0;\n }\n\n if ((ll = ImageInfo->infile->getc()) == EOF) {\n raise_warning(\"File structure corrupted\");\n return 0;\n }\n\n itemlen = (lh << 8) | ll;\n\n if (itemlen < 2) {\n raise_warning(\"File structure corrupted\");\n return 0;\n }\n\n sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, nullptr);\n if (sn == -1) return 0;\n Data = ImageInfo->file.list[sn].data;\n\n /* Store first two pre-read bytes. */\n Data[0] = (unsigned char)lh;\n Data[1] = (unsigned char)ll;\n\n String str = ImageInfo->infile->read(itemlen-2);\n got = str.length();\n if (got != itemlen-2) {\n raise_warning(\"Error reading from file: \"\n \"got=x%04lX(=%lu) != itemlen-2=x%04lX(=%lu)\",\n got, got, itemlen-2, itemlen-2);\n return 0;\n }\n memcpy(Data+2, str.c_str(), got);\n switch(marker) {\n case M_SOS: /* stop before hitting compressed data */\n // If reading entire image is requested, read the rest of the data.\n if (ImageInfo->read_all) {\n /* Determine how much file is left. 
*/\n fpos = ImageInfo->infile->tell();\n size = ImageInfo->FileSize - fpos;\n sn = exif_file_sections_add(ImageInfo, M_PSEUDO, size, nullptr);\n if (sn == -1) return 0;\n Data = ImageInfo->file.list[sn].data;\n str = ImageInfo->infile->read(size);\n got = str.length();\n if (got != size) {\n raise_warning(\"Unexpected end of file reached\");\n return 0;\n }\n memcpy(Data, str.c_str(), got);\n }\n return 1;\n\n case M_EOI: /* in case it's a tables-only JPEG stream */\n raise_warning(\"No image in jpeg!\");\n return (ImageInfo->sections_found&(~FOUND_COMPUTED)) ? 1 : 0;\n\n case M_COM: /* Comment section */\n exif_process_COM(ImageInfo, (char *)Data, itemlen);\n break;\n\n case M_EXIF:\n if (!(ImageInfo->sections_found&FOUND_IFD0)) {\n /*ImageInfo->sections_found |= FOUND_EXIF;*/\n /* Seen files from some 'U-lead' software with Vivitar scanner\n that uses marker 31 later in the file (no clue what for!) */\n exif_process_APP1(ImageInfo, (char *)Data, itemlen, fpos);\n }\n break;\n\n case M_APP12:\n exif_process_APP12(ImageInfo, (char *)Data, itemlen);\n break;\n\n\n case M_SOF0:\n case M_SOF1:\n case M_SOF2:\n case M_SOF3:\n case M_SOF5:\n case M_SOF6:\n case M_SOF7:\n case M_SOF9:\n case M_SOF10:\n case M_SOF11:\n case M_SOF13:\n case M_SOF14:\n case M_SOF15:\n if ((itemlen - 2) < 6) {\n return 0;\n }\n\n exif_process_SOFn(Data, marker, &sof_info);\n ImageInfo->Width = sof_info.width;\n ImageInfo->Height = sof_info.height;\n if (sof_info.num_components == 3) {\n ImageInfo->IsColor = 1;\n } else {\n ImageInfo->IsColor = 0;\n }\n break;\n default:\n /* skip any other marker silently. 
*/\n break;\n }\n\n /* keep track of last marker */\n last_marker = marker;\n }\n return 1;\n}", "project": "hhvm", "hash": 98383242084356043453005935804926288922, "size": 159, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219584 }, { "func": "void updateTopIpAddress(u_int32_t addr, u_int8_t version, const char *proto,\n int count, struct info_pair top[], int size) {\n struct info_pair pair;\n int min = count;\n int update = 0;\n int min_i = 0;\n int i;\n\n if(count == 0) return;\n\n pair.addr = addr;\n pair.version = version;\n pair.count = count;\n strncpy(pair.proto, proto, sizeof(pair.proto));\n\n for(i=0; icstate.window_buf);\n\tfree(rar->cstate.filtered_buf);\n\n\tfree(rar->vol.push_buf);\n\n\tfree_filters(rar);\n\tcdeque_free(&rar->cstate.filters);\n\n\tfree(rar);\n\ta->format->data = NULL;\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 289742123901746173943594582605408328767, "size": 16, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244698 }, { "func": "static inline void tcp_init_wl(struct tcp_sock *tp, u32 seq)\n{\n\ttp->snd_wl1 = seq;\n}", "project": "linux", "hash": 103536775211796446990678034237747718558, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410741 }, { "func": "static int ep_alloc(struct eventpoll **pep)\n{\n\tint error;\n\tstruct user_struct *user;\n\tstruct eventpoll *ep;\n\n\tuser = get_current_user();\n\terror = -ENOMEM;\n\tep = kzalloc(sizeof(*ep), GFP_KERNEL);\n\tif (unlikely(!ep))\n\t\tgoto free_uid;\n\n\tmutex_init(&ep->mtx);\n\trwlock_init(&ep->lock);\n\tinit_waitqueue_head(&ep->wq);\n\tinit_waitqueue_head(&ep->poll_wait);\n\tINIT_LIST_HEAD(&ep->rdllist);\n\tep->rbr = RB_ROOT_CACHED;\n\tep->ovflist = EP_UNACTIVE_PTR;\n\tep->user = user;\n\n\t*pep = ep;\n\n\treturn 0;\n\nfree_uid:\n\tfree_uid(user);\n\treturn error;\n}", "project": "linux", "hash": 5331570047728276340140151571961819189, "size": 29, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336241 }, { "project": "Chrome", "commit_id": "3454ed7b88318dcd4539c6e1a50d27b0ca535686", "target": 0, "func": "void SearchEngineTabHelper::OnPageHasOSDD(\n const GURL& page_url,\n const GURL& osdd_url,\n const search_provider::OSDDType& msg_provider_type) {\n\n if (!osdd_url.is_valid() || !osdd_url.SchemeIsHTTPOrHTTPS())\n return;\n\n Profile* profile =\n Profile::FromBrowserContext(web_contents()->GetBrowserContext());\n if (page_url != web_contents()->GetLastCommittedURL() ||\n !TemplateURLFetcherFactory::GetForProfile(profile) ||\n profile->IsOffTheRecord())\n return;\n\n TemplateURLFetcher::ProviderType provider_type =\n (msg_provider_type == search_provider::AUTODETECTED_PROVIDER) ?\n TemplateURLFetcher::AUTODETECTED_PROVIDER :\n TemplateURLFetcher::EXPLICIT_PROVIDER;\n\n const NavigationController& controller = web_contents()->GetController();\n const NavigationEntry* entry = controller.GetLastCommittedEntry();\n for (int index = controller.GetLastCommittedEntryIndex();\n (index > 0) && IsFormSubmit(entry);\n entry = controller.GetEntryAtIndex(index))\n 
--index;\n if (!entry || IsFormSubmit(entry))\n return;\n\n base::string16 keyword;\n if (provider_type == TemplateURLFetcher::AUTODETECTED_PROVIDER) {\n keyword = GenerateKeywordFromNavigationEntry(\n entry, profile->GetPrefs()->GetString(prefs::kAcceptLanguages));\n if (keyword.empty())\n return;\n }\n\n TemplateURLFetcherFactory::GetForProfile(profile)->ScheduleDownload(\n keyword, osdd_url, entry->GetFavicon().url,\n base::Bind(&AssociateURLFetcherWithWebContents, web_contents()),\n base::Bind(&SearchEngineTabHelper::OnDownloadedOSDD,\n weak_ptr_factory_.GetWeakPtr()),\n provider_type);\n}\n", "cwe": "", "big_vul_idx": 130385, "idx": 116652, "hash": 182897409371535738547789380575538455655 }, { "func": "static int _nfs4_recover_proc_open(struct nfs4_opendata *data)\n{\n\tstruct inode *dir = d_inode(data->dir);\n\tstruct nfs_openres *o_res = &data->o_res;\n\tint status;\n\n\tstatus = nfs4_run_open_task(data, NULL);\n\tif (status != 0 || !data->rpc_done)\n\t\treturn status;\n\n\tnfs_fattr_map_and_free_names(NFS_SERVER(dir), &data->f_attr);\n\n\tif (o_res->rflags & NFS4_OPEN_RESULT_CONFIRM)\n\t\tstatus = _nfs4_proc_open_confirm(data);\n\n\treturn status;\n}", "project": "linux", "hash": 151701314737591287936230165952573184763, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431482 }, { "func": "\nstatic void io_async_find_and_cancel(struct io_ring_ctx *ctx,\n\t\t\t\t struct io_kiocb *req, __u64 sqe_addr,\n\t\t\t\t int success_ret)\n{\n\tunsigned long flags;\n\tint ret;\n\n\tret = io_async_cancel_one(req->task->io_uring, 
sqe_addr, ctx);\n\tspin_lock_irqsave(&ctx->completion_lock, flags);\n\tif (ret != -ENOENT)\n\t\tgoto done;\n\tret = io_timeout_cancel(ctx, sqe_addr);\n\tif (ret != -ENOENT)\n\t\tgoto done;\n\tret = io_poll_cancel(ctx, sqe_addr, false);\ndone:\n\tif (!ret)\n\t\tret = success_ret;\n\tio_cqring_fill_event(ctx, req->user_data, ret, 0);\n\tio_commit_cqring(ctx);\n\tspin_unlock_irqrestore(&ctx->completion_lock, flags);\n\tio_cqring_ev_posted(ctx);\n\n\tif (ret < 0)\n\t\treq_set_fail_links(req);", "project": "linux", "hash": 296462935515011063334113692191428646199, "size": 26, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338605 }, { "func": "PrimitiveStatus DonateThread(void *context, MessageReader *in,\n MessageWriter *out) {\n if (in) {\n ASYLO_RETURN_IF_INCORRECT_READER_ARGUMENTS(*in, 1);\n }\n int result = 0;\n try {\n ThreadManager *thread_manager = ThreadManager::GetInstance();\n result = thread_manager->StartThread(in->next());\n } catch (...) {\n TrustedPrimitives::BestEffortAbort(\n \"Uncaught exception in enclave entry handler: DonateThread. 
Failed to \"\n \"get ThreadManager instance or start the thread.\");\n }\n return PrimitiveStatus(result);\n}", "project": "asylo", "hash": 16270382450052720668047527174849234607, "size": 16, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232052 }, { "func": "enum_func_status\nphp_mysqlnd_rowp_read_text_protocol_aux(MYSQLND_MEMORY_POOL_CHUNK * row_buffer, zval ** fields,\n\t\t\t\t\t\t\t\t\tunsigned int field_count, const MYSQLND_FIELD * fields_metadata,\n\t\t\t\t\t\t\t\t\tzend_bool as_int_or_float, zend_bool copy_data, MYSQLND_STATS * stats TSRMLS_DC)\n{\n\t\n\tunsigned int i;\n\tzend_bool last_field_was_string = FALSE;\n\tzval **current_field, **end_field, **start_field;\n\tzend_uchar * p = row_buffer->ptr;\n\tsize_t data_size = row_buffer->app;\n\tzend_uchar * bit_area = (zend_uchar*) row_buffer->ptr + data_size + 1; /* we allocate from here */\n\n\tDBG_ENTER(\"php_mysqlnd_rowp_read_text_protocol_aux\");\n\n\tif (!fields) {\n\t\tDBG_RETURN(FAIL);\n\t}\n\n\tend_field = (start_field = fields) + field_count;\n\n\tfor (i = 0, current_field = start_field; current_field < end_field; current_field++, i++) {\n\t\tDBG_INF(\"Directly creating zval\");\n\t\tMAKE_STD_ZVAL(*current_field);\n\t\tif (!*current_field) {\n\t\t\tDBG_RETURN(FAIL);\n\t\t}\n\t}\n\n\tfor (i = 0, current_field = start_field; current_field < end_field; current_field++, i++) {\n\t\t/* Don't reverse the order. 
It is significant!*/\n\t\tzend_uchar *this_field_len_pos = p;\n\t\t/* php_mysqlnd_net_field_length() call should be after *this_field_len_pos = p; */\n\t\tunsigned long len = php_mysqlnd_net_field_length(&p);\n\n\t\tif (copy_data == FALSE && current_field > start_field && last_field_was_string) {\n\t\t\t/*\n\t\t\t Normal queries:\n\t\t\t We have to put \\0 now to the end of the previous field, if it was\n\t\t\t a string. IS_NULL doesn't matter. Because we have already read our\n\t\t\t length, then we can overwrite it in the row buffer.\n\t\t\t This statement terminates the previous field, not the current one.\n\n\t\t\t NULL_LENGTH is encoded in one byte, so we can stick a \\0 there.\n\t\t\t Any string's length is encoded in at least one byte, so we can stick\n\t\t\t a \\0 there.\n\t\t\t*/\n\n\t\t\t*this_field_len_pos = '\\0';\n\t\t}\n\n\t\t/* NULL or NOT NULL, this is the question! */\n\t\tif (len == MYSQLND_NULL_LENGTH) {\n\t\t\tZVAL_NULL(*current_field);\n\t\t\tlast_field_was_string = FALSE;\n\t\t} else {\n#if defined(MYSQLND_STRING_TO_INT_CONVERSION)\n\t\t\tstruct st_mysqlnd_perm_bind perm_bind =\n\t\t\t\t\tmysqlnd_ps_fetch_functions[fields_metadata[i].type];\n#endif\n\t\t\tif (MYSQLND_G(collect_statistics)) {\n\t\t\t\tenum_mysqlnd_collected_stats statistic;\n\t\t\t\tswitch (fields_metadata[i].type) {\n\t\t\t\t\tcase MYSQL_TYPE_DECIMAL:\tstatistic = STAT_TEXT_TYPE_FETCHED_DECIMAL; break;\n\t\t\t\t\tcase MYSQL_TYPE_TINY:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_INT8; break;\n\t\t\t\t\tcase MYSQL_TYPE_SHORT:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_INT16; break;\n\t\t\t\t\tcase MYSQL_TYPE_LONG:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_INT32; break;\n\t\t\t\t\tcase MYSQL_TYPE_FLOAT:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_FLOAT; break;\n\t\t\t\t\tcase MYSQL_TYPE_DOUBLE:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_DOUBLE; break;\n\t\t\t\t\tcase MYSQL_TYPE_NULL:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_NULL; break;\n\t\t\t\t\tcase MYSQL_TYPE_TIMESTAMP:\tstatistic = 
STAT_TEXT_TYPE_FETCHED_TIMESTAMP; break;\n\t\t\t\t\tcase MYSQL_TYPE_LONGLONG:\tstatistic = STAT_TEXT_TYPE_FETCHED_INT64; break;\n\t\t\t\t\tcase MYSQL_TYPE_INT24:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_INT24; break;\n\t\t\t\t\tcase MYSQL_TYPE_DATE:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_DATE; break;\n\t\t\t\t\tcase MYSQL_TYPE_TIME:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_TIME; break;\n\t\t\t\t\tcase MYSQL_TYPE_DATETIME:\tstatistic = STAT_TEXT_TYPE_FETCHED_DATETIME; break;\n\t\t\t\t\tcase MYSQL_TYPE_YEAR:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_YEAR; break;\n\t\t\t\t\tcase MYSQL_TYPE_NEWDATE:\tstatistic = STAT_TEXT_TYPE_FETCHED_DATE; break;\n\t\t\t\t\tcase MYSQL_TYPE_VARCHAR:\tstatistic = STAT_TEXT_TYPE_FETCHED_STRING; break;\n\t\t\t\t\tcase MYSQL_TYPE_BIT:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_BIT; break;\n\t\t\t\t\tcase MYSQL_TYPE_NEWDECIMAL:\tstatistic = STAT_TEXT_TYPE_FETCHED_DECIMAL; break;\n\t\t\t\t\tcase MYSQL_TYPE_ENUM:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_ENUM; break;\n\t\t\t\t\tcase MYSQL_TYPE_SET:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_SET; break;\n\t\t\t\t\tcase MYSQL_TYPE_JSON:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_JSON; break;\n\t\t\t\t\tcase MYSQL_TYPE_TINY_BLOB:\tstatistic = STAT_TEXT_TYPE_FETCHED_BLOB; break;\n\t\t\t\t\tcase MYSQL_TYPE_MEDIUM_BLOB:statistic = STAT_TEXT_TYPE_FETCHED_BLOB; break;\n\t\t\t\t\tcase MYSQL_TYPE_LONG_BLOB:\tstatistic = STAT_TEXT_TYPE_FETCHED_BLOB; break;\n\t\t\t\t\tcase MYSQL_TYPE_BLOB:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_BLOB; break;\n\t\t\t\t\tcase MYSQL_TYPE_VAR_STRING:\tstatistic = STAT_TEXT_TYPE_FETCHED_STRING; break;\n\t\t\t\t\tcase MYSQL_TYPE_STRING:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_STRING; break;\n\t\t\t\t\tcase MYSQL_TYPE_GEOMETRY:\tstatistic = STAT_TEXT_TYPE_FETCHED_GEOMETRY; break;\n\t\t\t\t\tdefault: statistic = STAT_TEXT_TYPE_FETCHED_OTHER; break;\n\t\t\t\t}\n\t\t\t\tMYSQLND_INC_CONN_STATISTIC_W_VALUE2(stats, statistic, 1, STAT_BYTES_RECEIVED_PURE_DATA_TEXT, len);\n\t\t\t}\n#ifdef 
MYSQLND_STRING_TO_INT_CONVERSION\n\t\t\tif (as_int_or_float && perm_bind.php_type == IS_LONG) {\n\t\t\t\tzend_uchar save = *(p + len);\n\t\t\t\t/* We have to make it ASCIIZ temporarily */\n\t\t\t\t*(p + len) = '\\0';\n\t\t\t\tif (perm_bind.pack_len < SIZEOF_LONG) {\n\t\t\t\t\t/* direct conversion */\n\t\t\t\t\tint64_t v =\n#ifndef PHP_WIN32\n\t\t\t\t\t\tatoll((char *) p);\n#else\n\t\t\t\t\t\t_atoi64((char *) p);\n#endif\n\t\t\t\t\tZVAL_LONG(*current_field, (long) v); /* the cast is safe */\n\t\t\t\t} else {\n\t\t\t\t\tuint64_t v =\n#ifndef PHP_WIN32\n\t\t\t\t\t\t(uint64_t) atoll((char *) p);\n#else\n\t\t\t\t\t\t(uint64_t) _atoi64((char *) p);\n#endif\n\t\t\t\t\tzend_bool uns = fields_metadata[i].flags & UNSIGNED_FLAG? TRUE:FALSE;\n\t\t\t\t\t/* We have to make it ASCIIZ temporarily */\n#if SIZEOF_LONG==8\n\t\t\t\t\tif (uns == TRUE && v > 9223372036854775807L)\n#elif SIZEOF_LONG==4\n\t\t\t\t\tif ((uns == TRUE && v > L64(2147483647)) ||\n\t\t\t\t\t\t(uns == FALSE && (( L64(2147483647) < (int64_t) v) ||\n\t\t\t\t\t\t(L64(-2147483648) > (int64_t) v))))\n#else\n#error Need fix for this architecture\n#endif /* SIZEOF */\n\t\t\t\t\t{\n\t\t\t\t\t\tZVAL_STRINGL(*current_field, (char *)p, len, 0);\n\t\t\t\t\t} else {\n\t\t\t\t\t\tZVAL_LONG(*current_field, (long) v); /* the cast is safe */\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t*(p + len) = save;\n\t\t\t} else if (as_int_or_float && perm_bind.php_type == IS_DOUBLE) {\n\t\t\t\tzend_uchar save = *(p + len);\n\t\t\t\t/* We have to make it ASCIIZ temporarily */\n\t\t\t\t*(p + len) = '\\0';\n\t\t\t\tZVAL_DOUBLE(*current_field, atof((char *) p));\n\t\t\t\t*(p + len) = save;\n\t\t\t} else\n#endif /* MYSQLND_STRING_TO_INT_CONVERSION */\n\t\t\tif (fields_metadata[i].type == MYSQL_TYPE_BIT) {\n\t\t\t\t/*\n\t\t\t\t BIT fields are specially handled. As they come as bit mask, we have\n\t\t\t\t to convert it to human-readable representation. 
As the bits take\n\t\t\t\t less space in the protocol than the numbers they represent, we don't\n\t\t\t\t have enough space in the packet buffer to overwrite inside.\n\t\t\t\t Thus, a bit more space is pre-allocated at the end of the buffer,\n\t\t\t\t see php_mysqlnd_rowp_read(). And we add the strings at the end.\n\t\t\t\t Definitely not nice, _hackish_ :(, but works.\n\t\t\t\t*/\n\t\t\t\tzend_uchar *start = bit_area;\n\t\t\t\tps_fetch_from_1_to_8_bytes(*current_field, &(fields_metadata[i]), 0, &p, len TSRMLS_CC);\n\t\t\t\t/*\n\t\t\t\t We have advanced in ps_fetch_from_1_to_8_bytes. We should go back because\n\t\t\t\t later in this function there will be an advancement.\n\t\t\t\t*/\n\t\t\t\tp -= len;\n\t\t\t\tif (Z_TYPE_PP(current_field) == IS_LONG) {\n\t\t\t\t\tbit_area += 1 + sprintf((char *)start, \"%ld\", Z_LVAL_PP(current_field));\n\t\t\t\t\tZVAL_STRINGL(*current_field, (char *) start, bit_area - start - 1, copy_data);\n\t\t\t\t} else if (Z_TYPE_PP(current_field) == IS_STRING){\n\t\t\t\t\tmemcpy(bit_area, Z_STRVAL_PP(current_field), Z_STRLEN_PP(current_field));\n\t\t\t\t\tbit_area += Z_STRLEN_PP(current_field);\n\t\t\t\t\t*bit_area++ = '\\0';\n\t\t\t\t\tzval_dtor(*current_field);\n\t\t\t\t\tZVAL_STRINGL(*current_field, (char *) start, bit_area - start - 1, copy_data);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tZVAL_STRINGL(*current_field, (char *)p, len, copy_data);\n\t\t\t}\n\t\t\tp += len;\n\t\t\tlast_field_was_string = TRUE;\n\t\t}\n\t}\n\tif (copy_data == FALSE && last_field_was_string) {\n\t\t/* Normal queries: The buffer has one more byte at the end, because we need it */\n\t\trow_buffer->ptr[data_size] = '\\0';\n\t}\n\n\tDBG_RETURN(PASS);", "project": "php-src", "hash": 185803420179456454427036827670396437100, "size": 182, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 1, "dataset": "other", "idx": 208933 }, { "func": 
"enum_func_status\nphp_mysqlnd_rowp_read_text_protocol_aux(MYSQLND_MEMORY_POOL_CHUNK * row_buffer, zval ** fields,\n\t\t\t\t\t\t\t\t\tunsigned int field_count, const MYSQLND_FIELD * fields_metadata,\n\t\t\t\t\t\t\t\t\tzend_bool as_int_or_float, zend_bool copy_data, MYSQLND_STATS * stats TSRMLS_DC)\n{\n\t\n\tunsigned int i;\n\tzend_bool last_field_was_string = FALSE;\n\tzval **current_field, **end_field, **start_field;\n\tzend_uchar * p = row_buffer->ptr;\n\tsize_t data_size = row_buffer->app;\n\tzend_uchar * bit_area = (zend_uchar*) row_buffer->ptr + data_size + 1; /* we allocate from here */\n\tconst zend_uchar * const packet_end = (zend_uchar*) row_buffer->ptr + data_size;\n\n\tDBG_ENTER(\"php_mysqlnd_rowp_read_text_protocol_aux\");\n\n\tif (!fields) {\n\t\tDBG_RETURN(FAIL);\n\t}\n\n\tend_field = (start_field = fields) + field_count;\n\n\tfor (i = 0, current_field = start_field; current_field < end_field; current_field++, i++) {\n\t\tDBG_INF(\"Directly creating zval\");\n\t\tMAKE_STD_ZVAL(*current_field);\n\t\tif (!*current_field) {\n\t\t\tDBG_RETURN(FAIL);\n\t\t}\n\t}\n\n\tfor (i = 0, current_field = start_field; current_field < end_field; current_field++, i++) {\n\t\t/* Don't reverse the order. It is significant!*/\n\t\tzend_uchar *this_field_len_pos = p;\n\t\t/* php_mysqlnd_net_field_length() call should be after *this_field_len_pos = p; */\n\t\tconst unsigned long len = php_mysqlnd_net_field_length(&p);\n\n\t\tif (len != MYSQLND_NULL_LENGTH && ((p + len) > packet_end)) {\n\t\t\tphp_error_docref(NULL, E_WARNING, \"Malformed server packet. Field length pointing \"MYSQLND_SZ_T_SPEC\n\t\t\t\t\t\t\t\t\t\t\t \" bytes after end of packet\", (p + len) - packet_end - 1);\n\t\t\tDBG_RETURN(FAIL);\n\t\t}\n\t\tif (copy_data == FALSE && current_field > start_field && last_field_was_string) {\n\t\t\t/*\n\t\t\t Normal queries:\n\t\t\t We have to put \\0 now to the end of the previous field, if it was\n\t\t\t a string. IS_NULL doesn't matter. 
Because we have already read our\n\t\t\t length, then we can overwrite it in the row buffer.\n\t\t\t This statement terminates the previous field, not the current one.\n\n\t\t\t NULL_LENGTH is encoded in one byte, so we can stick a \\0 there.\n\t\t\t Any string's length is encoded in at least one byte, so we can stick\n\t\t\t a \\0 there.\n\t\t\t*/\n\n\t\t\t*this_field_len_pos = '\\0';\n\t\t}\n\n\t\t/* NULL or NOT NULL, this is the question! */\n\t\tif (len == MYSQLND_NULL_LENGTH) {\n\t\t\tZVAL_NULL(*current_field);\n\t\t\tlast_field_was_string = FALSE;\n\t\t} else {\n#if defined(MYSQLND_STRING_TO_INT_CONVERSION)\n\t\t\tstruct st_mysqlnd_perm_bind perm_bind =\n\t\t\t\t\tmysqlnd_ps_fetch_functions[fields_metadata[i].type];\n#endif\n\t\t\tif (MYSQLND_G(collect_statistics)) {\n\t\t\t\tenum_mysqlnd_collected_stats statistic;\n\t\t\t\tswitch (fields_metadata[i].type) {\n\t\t\t\t\tcase MYSQL_TYPE_DECIMAL:\tstatistic = STAT_TEXT_TYPE_FETCHED_DECIMAL; break;\n\t\t\t\t\tcase MYSQL_TYPE_TINY:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_INT8; break;\n\t\t\t\t\tcase MYSQL_TYPE_SHORT:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_INT16; break;\n\t\t\t\t\tcase MYSQL_TYPE_LONG:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_INT32; break;\n\t\t\t\t\tcase MYSQL_TYPE_FLOAT:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_FLOAT; break;\n\t\t\t\t\tcase MYSQL_TYPE_DOUBLE:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_DOUBLE; break;\n\t\t\t\t\tcase MYSQL_TYPE_NULL:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_NULL; break;\n\t\t\t\t\tcase MYSQL_TYPE_TIMESTAMP:\tstatistic = STAT_TEXT_TYPE_FETCHED_TIMESTAMP; break;\n\t\t\t\t\tcase MYSQL_TYPE_LONGLONG:\tstatistic = STAT_TEXT_TYPE_FETCHED_INT64; break;\n\t\t\t\t\tcase MYSQL_TYPE_INT24:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_INT24; break;\n\t\t\t\t\tcase MYSQL_TYPE_DATE:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_DATE; break;\n\t\t\t\t\tcase MYSQL_TYPE_TIME:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_TIME; break;\n\t\t\t\t\tcase MYSQL_TYPE_DATETIME:\tstatistic = STAT_TEXT_TYPE_FETCHED_DATETIME; 
break;\n\t\t\t\t\tcase MYSQL_TYPE_YEAR:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_YEAR; break;\n\t\t\t\t\tcase MYSQL_TYPE_NEWDATE:\tstatistic = STAT_TEXT_TYPE_FETCHED_DATE; break;\n\t\t\t\t\tcase MYSQL_TYPE_VARCHAR:\tstatistic = STAT_TEXT_TYPE_FETCHED_STRING; break;\n\t\t\t\t\tcase MYSQL_TYPE_BIT:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_BIT; break;\n\t\t\t\t\tcase MYSQL_TYPE_NEWDECIMAL:\tstatistic = STAT_TEXT_TYPE_FETCHED_DECIMAL; break;\n\t\t\t\t\tcase MYSQL_TYPE_ENUM:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_ENUM; break;\n\t\t\t\t\tcase MYSQL_TYPE_SET:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_SET; break;\n\t\t\t\t\tcase MYSQL_TYPE_JSON:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_JSON; break;\n\t\t\t\t\tcase MYSQL_TYPE_TINY_BLOB:\tstatistic = STAT_TEXT_TYPE_FETCHED_BLOB; break;\n\t\t\t\t\tcase MYSQL_TYPE_MEDIUM_BLOB:statistic = STAT_TEXT_TYPE_FETCHED_BLOB; break;\n\t\t\t\t\tcase MYSQL_TYPE_LONG_BLOB:\tstatistic = STAT_TEXT_TYPE_FETCHED_BLOB; break;\n\t\t\t\t\tcase MYSQL_TYPE_BLOB:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_BLOB; break;\n\t\t\t\t\tcase MYSQL_TYPE_VAR_STRING:\tstatistic = STAT_TEXT_TYPE_FETCHED_STRING; break;\n\t\t\t\t\tcase MYSQL_TYPE_STRING:\t\tstatistic = STAT_TEXT_TYPE_FETCHED_STRING; break;\n\t\t\t\t\tcase MYSQL_TYPE_GEOMETRY:\tstatistic = STAT_TEXT_TYPE_FETCHED_GEOMETRY; break;\n\t\t\t\t\tdefault: statistic = STAT_TEXT_TYPE_FETCHED_OTHER; break;\n\t\t\t\t}\n\t\t\t\tMYSQLND_INC_CONN_STATISTIC_W_VALUE2(stats, statistic, 1, STAT_BYTES_RECEIVED_PURE_DATA_TEXT, len);\n\t\t\t}\n#ifdef MYSQLND_STRING_TO_INT_CONVERSION\n\t\t\tif (as_int_or_float && perm_bind.php_type == IS_LONG) {\n\t\t\t\tzend_uchar save = *(p + len);\n\t\t\t\t/* We have to make it ASCIIZ temporarily */\n\t\t\t\t*(p + len) = '\\0';\n\t\t\t\tif (perm_bind.pack_len < SIZEOF_LONG) {\n\t\t\t\t\t/* direct conversion */\n\t\t\t\t\tint64_t v =\n#ifndef PHP_WIN32\n\t\t\t\t\t\tatoll((char *) p);\n#else\n\t\t\t\t\t\t_atoi64((char *) p);\n#endif\n\t\t\t\t\tZVAL_LONG(*current_field, (long) v); /* the cast is safe 
*/\n\t\t\t\t} else {\n\t\t\t\t\tuint64_t v =\n#ifndef PHP_WIN32\n\t\t\t\t\t\t(uint64_t) atoll((char *) p);\n#else\n\t\t\t\t\t\t(uint64_t) _atoi64((char *) p);\n#endif\n\t\t\t\t\tzend_bool uns = fields_metadata[i].flags & UNSIGNED_FLAG? TRUE:FALSE;\n\t\t\t\t\t/* We have to make it ASCIIZ temporarily */\n#if SIZEOF_LONG==8\n\t\t\t\t\tif (uns == TRUE && v > 9223372036854775807L)\n#elif SIZEOF_LONG==4\n\t\t\t\t\tif ((uns == TRUE && v > L64(2147483647)) ||\n\t\t\t\t\t\t(uns == FALSE && (( L64(2147483647) < (int64_t) v) ||\n\t\t\t\t\t\t(L64(-2147483648) > (int64_t) v))))\n#else\n#error Need fix for this architecture\n#endif /* SIZEOF */\n\t\t\t\t\t{\n\t\t\t\t\t\tZVAL_STRINGL(*current_field, (char *)p, len, 0);\n\t\t\t\t\t} else {\n\t\t\t\t\t\tZVAL_LONG(*current_field, (long) v); /* the cast is safe */\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t*(p + len) = save;\n\t\t\t} else if (as_int_or_float && perm_bind.php_type == IS_DOUBLE) {\n\t\t\t\tzend_uchar save = *(p + len);\n\t\t\t\t/* We have to make it ASCIIZ temporarily */\n\t\t\t\t*(p + len) = '\\0';\n\t\t\t\tZVAL_DOUBLE(*current_field, atof((char *) p));\n\t\t\t\t*(p + len) = save;\n\t\t\t} else\n#endif /* MYSQLND_STRING_TO_INT_CONVERSION */\n\t\t\tif (fields_metadata[i].type == MYSQL_TYPE_BIT) {\n\t\t\t\t/*\n\t\t\t\t BIT fields are specially handled. As they come as bit mask, we have\n\t\t\t\t to convert it to human-readable representation. As the bits take\n\t\t\t\t less space in the protocol than the numbers they represent, we don't\n\t\t\t\t have enough space in the packet buffer to overwrite inside.\n\t\t\t\t Thus, a bit more space is pre-allocated at the end of the buffer,\n\t\t\t\t see php_mysqlnd_rowp_read(). And we add the strings at the end.\n\t\t\t\t Definitely not nice, _hackish_ :(, but works.\n\t\t\t\t*/\n\t\t\t\tzend_uchar *start = bit_area;\n\t\t\t\tps_fetch_from_1_to_8_bytes(*current_field, &(fields_metadata[i]), 0, &p, len TSRMLS_CC);\n\t\t\t\t/*\n\t\t\t\t We have advanced in ps_fetch_from_1_to_8_bytes. 
We should go back because\n\t\t\t\t later in this function there will be an advancement.\n\t\t\t\t*/\n\t\t\t\tp -= len;\n\t\t\t\tif (Z_TYPE_PP(current_field) == IS_LONG) {\n\t\t\t\t\tbit_area += 1 + sprintf((char *)start, \"%ld\", Z_LVAL_PP(current_field));\n\t\t\t\t\tZVAL_STRINGL(*current_field, (char *) start, bit_area - start - 1, copy_data);\n\t\t\t\t} else if (Z_TYPE_PP(current_field) == IS_STRING){\n\t\t\t\t\tmemcpy(bit_area, Z_STRVAL_PP(current_field), Z_STRLEN_PP(current_field));\n\t\t\t\t\tbit_area += Z_STRLEN_PP(current_field);\n\t\t\t\t\t*bit_area++ = '\\0';\n\t\t\t\t\tzval_dtor(*current_field);\n\t\t\t\t\tZVAL_STRINGL(*current_field, (char *) start, bit_area - start - 1, copy_data);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tZVAL_STRINGL(*current_field, (char *)p, len, copy_data);\n\t\t\t}\n\t\t\tp += len;\n\t\t\tlast_field_was_string = TRUE;\n\t\t}\n\t}\n\tif (copy_data == FALSE && last_field_was_string) {\n\t\t/* Normal queries: The buffer has one more byte at the end, because we need it */\n\t\trow_buffer->ptr[data_size] = '\\0';\n\t}\n\n\tDBG_RETURN(PASS);", "project": "php-src", "hash": 325703409906620959975800534935313037728, "size": 188, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416671 }, { "func": "static int stimer_get_count(struct kvm_vcpu_hv_stimer *stimer, u64 *pcount)\n{\n\t*pcount = stimer->count;\n\treturn 0;\n}", "project": "linux", "hash": 83589671399602031254687140383809148459, "size": 5, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 
0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343521 }, { "func": "bool RGWSwiftWebsiteHandler::is_web_mode() const\n{\n const boost::string_ref webmode = s->info.env->get(\"HTTP_X_WEB_MODE\", \"\");\n return boost::algorithm::iequals(webmode, \"true\");\n}", "project": "ceph", "hash": 277723172323988988026634682349805143086, "size": 5, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448839 }, { "func": "static int parse_file_extra_owner(struct archive_read* a,\n struct archive_entry* e, 
ssize_t* extra_data_size)\n{\n\tuint64_t flags = 0;\n\tuint64_t value_size = 0;\n\tuint64_t id = 0;\n\tsize_t name_len = 0;\n\tsize_t name_size = 0;\n\tchar namebuf[OWNER_MAXNAMELEN];\n\tconst uint8_t* p;\n\n\tif(!read_var(a, &flags, &value_size))\n\t\treturn ARCHIVE_EOF;\n\tif(ARCHIVE_OK != consume(a, (int64_t)value_size))\n\t\treturn ARCHIVE_EOF;\n\t*extra_data_size -= value_size;\n\n\tif ((flags & OWNER_USER_NAME) != 0) {\n\t\tif(!read_var_sized(a, &name_size, NULL))\n\t\t\treturn ARCHIVE_EOF;\n\t\t*extra_data_size -= name_size + 1;\n\n\t\tif(!read_ahead(a, name_size, &p))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\tif (name_size >= OWNER_MAXNAMELEN) {\n\t\t\tname_len = OWNER_MAXNAMELEN - 1;\n\t\t} else {\n\t\t\tname_len = name_size;\n\t\t}\n\n\t\tmemcpy(namebuf, p, name_len);\n\t\tnamebuf[name_len] = 0;\n\t\tif(ARCHIVE_OK != consume(a, (int64_t)name_size))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\tarchive_entry_set_uname(e, namebuf);\n\t}\n\tif ((flags & OWNER_GROUP_NAME) != 0) {\n\t\tif(!read_var_sized(a, &name_size, NULL))\n\t\t\treturn ARCHIVE_EOF;\n\t\t*extra_data_size -= name_size + 1;\n\n\t\tif(!read_ahead(a, name_size, &p))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\tif (name_size >= OWNER_MAXNAMELEN) {\n\t\t\tname_len = OWNER_MAXNAMELEN - 1;\n\t\t} else {\n\t\t\tname_len = name_size;\n\t\t}\n\n\t\tmemcpy(namebuf, p, name_len);\n\t\tnamebuf[name_len] = 0;\n\t\tif(ARCHIVE_OK != consume(a, (int64_t)name_size))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\tarchive_entry_set_gname(e, namebuf);\n\t}\n\tif ((flags & OWNER_USER_UID) != 0) {\n\t\tif(!read_var(a, &id, &value_size))\n\t\t\treturn ARCHIVE_EOF;\n\t\tif(ARCHIVE_OK != consume(a, (int64_t)value_size))\n\t\t\treturn ARCHIVE_EOF;\n\t\t*extra_data_size -= value_size;\n\n\t\tarchive_entry_set_uid(e, (la_int64_t)id);\n\t}\n\tif ((flags & OWNER_GROUP_GID) != 0) {\n\t\tif(!read_var(a, &id, &value_size))\n\t\t\treturn ARCHIVE_EOF;\n\t\tif(ARCHIVE_OK != consume(a, (int64_t)value_size))\n\t\t\treturn ARCHIVE_EOF;\n\t\t*extra_data_size -= 
value_size;\n\n\t\tarchive_entry_set_gid(e, (la_int64_t)id);\n\t}\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 16103955309312468803001971909843314468, "size": 79, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244780 }, { "func": "static __poll_t ep_read_events_proc(struct eventpoll *ep, struct list_head *head,\n\t\t\t void *priv)\n{\n\tstruct epitem *epi, *tmp;\n\tpoll_table pt;\n\tint depth = *(int *)priv;\n\n\tinit_poll_funcptr(&pt, NULL);\n\tdepth++;\n\n\tlist_for_each_entry_safe(epi, tmp, head, rdllink) {\n\t\tif (ep_item_poll(epi, &pt, depth)) {\n\t\t\treturn EPOLLIN | EPOLLRDNORM;\n\t\t} else {\n\t\t\t/*\n\t\t\t * Item has been dropped into the ready list by the poll\n\t\t\t * callback, but it's not actually ready, as far as\n\t\t\t * caller requested events goes. 
We can remove it here.\n\t\t\t */\n\t\t\t__pm_relax(ep_wakeup_source(epi));\n\t\t\tlist_del_init(&epi->rdllink);\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 13226608264698593900700651708246783334, "size": 26, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336279 }, { "func": "static int test_halt(struct usbtest_dev *tdev, int ep, struct urb *urb)\n{\n\tint\tretval;\n\n\t/* shouldn't look or act halted now */\n\tretval = verify_not_halted(tdev, ep, urb);\n\tif (retval < 0)\n\t\treturn retval;\n\n\t/* set halt (protocol test only), verify it worked */\n\tretval = usb_control_msg(urb->dev, usb_sndctrlpipe(urb->dev, 0),\n\t\t\tUSB_REQ_SET_FEATURE, USB_RECIP_ENDPOINT,\n\t\t\tUSB_ENDPOINT_HALT, ep,\n\t\t\tNULL, 0, USB_CTRL_SET_TIMEOUT);\n\tif (retval < 0) {\n\t\tERROR(tdev, \"ep %02x couldn't set halt, %d\\n\", ep, retval);\n\t\treturn retval;\n\t}\n\tretval = verify_halted(tdev, ep, urb);\n\tif (retval < 0) {\n\t\tint ret;\n\n\t\t/* clear halt anyways, else further tests will fail */\n\t\tret = usb_clear_halt(urb->dev, urb->pipe);\n\t\tif (ret)\n\t\t\tERROR(tdev, \"ep %02x couldn't clear halt, %d\\n\",\n\t\t\t ep, ret);\n\n\t\treturn retval;\n\t}\n\n\t/* clear halt (tests API + protocol), verify it worked */\n\tretval = usb_clear_halt(urb->dev, urb->pipe);\n\tif (retval < 0) {\n\t\tERROR(tdev, \"ep %02x couldn't clear halt, %d\\n\", ep, retval);\n\t\treturn retval;\n\t}\n\tretval = verify_not_halted(tdev, ep, urb);\n\tif (retval < 0)\n\t\treturn retval;\n\n\t/* NOTE: could also verify SET_INTERFACE clear halts ... 
*/\n\n\treturn 0;\n}", "project": "linux", "hash": 120929714525361762623402474661162733281, "size": 45, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n 
[<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412269 }, { "func": "void lua_datum::cleanup()\n{\n if (need_cleanup)\n {\n need_cleanup = false;\n lua.remove_shutdown_listener(this);\n\n lua_pushlightuserdata(lua, this);\n lua_pushnil(lua);\n lua_settable(lua, LUA_REGISTRYINDEX);\n }\n}", "project": "crawl", "hash": 122274877092730253987900254721100421970, "size": 12, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230474 }, { "func": " void cleanup() {\n codec_client_->close();\n if (fake_jwks_connection_ != nullptr) {\n AssertionResult result = fake_jwks_connection_->close();\n RELEASE_ASSERT(result, result.message());\n result = fake_jwks_connection_->waitForDisconnect();\n RELEASE_ASSERT(result, result.message());\n }\n if (fake_upstream_connection_ != nullptr) {\n AssertionResult result = fake_upstream_connection_->close();\n RELEASE_ASSERT(result, result.message());\n result = fake_upstream_connection_->waitForDisconnect();\n RELEASE_ASSERT(result, result.message());\n }\n }", "project": "envoy", "hash": 132143847998655344526433078555031186862, "size": 15, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246615 }, { "func": "void JOIN_TAB::cleanup()\n{\n DBUG_ENTER(\"JOIN_TAB::cleanup\");\n \n DBUG_PRINT(\"enter\", (\"tab: %p table %s.%s\",\n this,\n (table ? table->s->db.str : \"?\"),\n (table ? 
table->s->table_name.str : \"?\")));\n delete select;\n select= 0;\n delete quick;\n quick= 0;\n if (cache)\n {\n cache->free();\n cache= 0;\n }\n limit= 0;\n // Free select that was created for filesort outside of create_sort_index\n if (filesort && filesort->select && !filesort->own_select)\n delete filesort->select;\n delete filesort;\n filesort= NULL;\n /* Skip non-existing derived tables/views result tables */\n if (table &&\n (table->s->tmp_table != INTERNAL_TMP_TABLE || table->is_created()))\n {\n table->file->ha_end_keyread();\n table->file->ha_index_or_rnd_end();\n }\n if (table)\n {\n table->file->ha_end_keyread();\n if (type == JT_FT)\n table->file->ha_ft_end();\n else\n table->file->ha_index_or_rnd_end();\n preread_init_done= FALSE;\n if (table->pos_in_table_list && \n table->pos_in_table_list->jtbm_subselect)\n {\n if (table->pos_in_table_list->jtbm_subselect->is_jtbm_const_tab)\n {\n /*\n Set this to NULL so that cleanup_empty_jtbm_semi_joins() doesn't\n attempt to make another free_tmp_table call.\n */\n table->pos_in_table_list->table= NULL;\n free_tmp_table(join->thd, table);\n table= NULL;\n }\n else\n {\n TABLE_LIST *tmp= table->pos_in_table_list;\n end_read_record(&read_record);\n tmp->jtbm_subselect->cleanup();\n /* \n The above call freed the materializedd temptable. 
Set it to NULL so\n that we don't attempt to touch it if JOIN_TAB::cleanup() is invoked\n multiple times (it may be)\n */\n tmp->table= NULL;\n table= NULL;\n }\n DBUG_VOID_RETURN;\n }\n /*\n We need to reset this for next select\n (Tested in part_of_refkey)\n */\n table->reginfo.join_tab= 0;\n }\n end_read_record(&read_record);\n explain_plan= NULL;\n DBUG_VOID_RETURN;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 305366145323587102418023316539833589330, "size": 76, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508421 }, { "func": "void JOIN::cleanup(bool full)\n{\n DBUG_ENTER(\"JOIN::cleanup\");\n DBUG_PRINT(\"enter\", (\"full %u\", (uint) full));\n \n if (full)\n have_query_plan= QEP_DELETED;\n\n if (original_join_tab)\n {\n /* Free the original optimized join created for the group_by_handler */\n join_tab= original_join_tab;\n original_join_tab= 0;\n table_count= original_table_count;\n }\n\n if (join_tab)\n {\n JOIN_TAB *tab;\n\n if (full)\n {\n /*\n Call cleanup() on join tabs used by the join optimization\n (join->join_tab may now be pointing to result of make_simple_join\n reading from the temporary table)\n\n We also need to check table_count to handle various degenerate joins\n w/o tables: they don't have some members initialized and\n WALK_OPTIMIZATION_TABS may not work correctly for them.\n */\n if (top_join_tab_count && tables_list)\n {\n for (tab= first_breadth_first_tab(); tab;\n tab= next_breadth_first_tab(first_breadth_first_tab(),\n top_join_tab_count, tab))\n {\n tab->cleanup();\n delete tab->filesort_result;\n tab->filesort_result= NULL;\n }\n }\n cleaned= true;\n //psergey2: added (Q: why not in the above loop?)\n {\n JOIN_TAB *curr_tab= join_tab + exec_join_tab_cnt();\n for (uint i= 0; i < aggr_tables; i++, curr_tab++)\n {\n if (curr_tab->aggr)\n {\n free_tmp_table(thd, curr_tab->table);\n delete curr_tab->tmp_table_param;\n curr_tab->tmp_table_param= NULL;\n curr_tab->aggr= NULL;\n\n delete curr_tab->filesort_result;\n curr_tab->filesort_result= NULL;\n }\n }\n aggr_tables= 0; // psergey3\n }\n }\n else\n {\n for (tab= first_linear_tab(this, WITH_BUSH_ROOTS, WITH_CONST_TABLES); tab;\n tab= next_linear_tab(this, tab, WITH_BUSH_ROOTS))\n {\n tab->partial_cleanup();\n }\n }\n }\n if (full)\n {\n cleanup_empty_jtbm_semi_joins(this, 
join_list);\n\n // Run Cached_item DTORs!\n group_fields.delete_elements();\n\n /*\n We can't call delete_elements() on copy_funcs as this will cause\n problems in free_elements() as some of the elements are then deleted.\n */\n tmp_table_param.copy_funcs.empty();\n /*\n If we have tmp_join and 'this' JOIN is not tmp_join and\n tmp_table_param.copy_field's of them are equal then we have to remove\n pointer to tmp_table_param.copy_field from tmp_join, because it will\n be removed in tmp_table_param.cleanup().\n */\n tmp_table_param.cleanup();\n\n delete pushdown_query;\n pushdown_query= 0;\n\n if (!join_tab)\n {\n List_iterator li(*join_list);\n TABLE_LIST *table_ref;\n while ((table_ref= li++))\n {\n if (table_ref->table &&\n table_ref->jtbm_subselect &&\n table_ref->jtbm_subselect->is_jtbm_const_tab)\n {\n free_tmp_table(thd, table_ref->table);\n table_ref->table= NULL;\n }\n }\n }\n }\n /* Restore ref array to original state */\n if (current_ref_ptrs != items0)\n {\n set_items_ref_array(items0);\n set_group_rpa= false;\n }\n DBUG_VOID_RETURN;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 124736876951185622253670890166056491739, "size": 118, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508499 }, { "func": " void cleanup()\n {\n clear();\n Item_basic_constant::cleanup();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 229220410551256292987340013818590591547, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508927 }, { "func": " void cleanup()\n {\n null_ref_table= NULL;\n item_equal= NULL;\n Item_direct_ref::cleanup();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 168239218390682746596251215623047149230, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509241 }, { "func": "void TrustedPrimitives::DebugPuts(const char *message) {\n int result;\n CHECK_OCALL(ocall_untrusted_debug_puts(&result, message));\n if (result < 0) {\n errno = EOF;\n }\n}", "project": "asylo", "hash": 321557265978679641392065164098006622316, "size": 7, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232061 }, { "func": "static void kvm_s390_crypto_init(struct kvm *kvm)\n{\n\tkvm->arch.crypto.crycb = &kvm->arch.sie_page2->crycb;\n\tkvm_s390_set_crycb_format(kvm);\n\n\tif (!test_kvm_facility(kvm, 76))\n\t\treturn;\n\n\t/* Enable AES/DEA protected key functions by default */\n\tkvm->arch.crypto.aes_kw = 1;\n\tkvm->arch.crypto.dea_kw = 1;\n\tget_random_bytes(kvm->arch.crypto.crycb->aes_wrapping_key_mask,\n\t\t\t sizeof(kvm->arch.crypto.crycb->aes_wrapping_key_mask));\n\tget_random_bytes(kvm->arch.crypto.crycb->dea_wrapping_key_mask,\n\t\t\t sizeof(kvm->arch.crypto.crycb->dea_wrapping_key_mask));\n}", "project": "linux", "hash": 92406306820889349361918646870773752876, "size": 16, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: 
Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354836 }, { "func": "static long __video_do_ioctl(struct file *file,\n\t\tunsigned int cmd, void *arg)\n{\n\tstruct video_device *vfd = video_devdata(file);\n\tstruct mutex *req_queue_lock = NULL;\n\tstruct mutex *lock; /* ioctl serialization mutex */\n\tconst struct v4l2_ioctl_ops *ops = vfd->ioctl_ops;\n\tbool write_only = false;\n\tstruct v4l2_ioctl_info default_info;\n\tconst struct v4l2_ioctl_info *info;\n\tvoid *fh = file->private_data;\n\tstruct v4l2_fh *vfh = NULL;\n\tint dev_debug = vfd->dev_debug;\n\tlong ret = -ENOTTY;\n\n\tif (ops == NULL) {\n\t\tpr_warn(\"%s: has no ioctl_ops.\\n\",\n\t\t\t\tvideo_device_node_name(vfd));\n\t\treturn ret;\n\t}\n\n\tif (test_bit(V4L2_FL_USES_V4L2_FH, &vfd->flags))\n\t\tvfh = file->private_data;\n\n\t/*\n\t * We need to serialize streamon/off with queueing new requests.\n\t * These ioctls may trigger the cancellation of a streaming\n\t * operation, and that should not be mixed with queueing a new\n\t * request at the same time.\n\t */\n\tif (v4l2_device_supports_requests(vfd->v4l2_dev) &&\n\t (cmd == VIDIOC_STREAMON || cmd == VIDIOC_STREAMOFF)) {\n\t\treq_queue_lock = &vfd->v4l2_dev->mdev->req_queue_mutex;\n\n\t\tif (mutex_lock_interruptible(req_queue_lock))\n\t\t\treturn -ERESTARTSYS;\n\t}\n\n\tlock = v4l2_ioctl_get_lock(vfd, vfh, cmd, arg);\n\n\tif (lock && mutex_lock_interruptible(lock)) {\n\t\tif (req_queue_lock)\n\t\t\tmutex_unlock(req_queue_lock);\n\t\treturn -ERESTARTSYS;\n\t}\n\n\tif (!video_is_registered(vfd)) {\n\t\tret = -ENODEV;\n\t\tgoto unlock;\n\t}\n\n\tif (v4l2_is_known_ioctl(cmd)) {\n\t\tinfo = &v4l2_ioctls[_IOC_NR(cmd)];\n\n\t\tif (!test_bit(_IOC_NR(cmd), vfd->valid_ioctls) &&\n\t\t !((info->flags & INFO_FL_CTRL) && vfh && vfh->ctrl_handler))\n\t\t\tgoto done;\n\n\t\tif (vfh && 
(info->flags & INFO_FL_PRIO)) {\n\t\t\tret = v4l2_prio_check(vfd->prio, vfh->prio);\n\t\t\tif (ret)\n\t\t\t\tgoto done;\n\t\t}\n\t} else {\n\t\tdefault_info.ioctl = cmd;\n\t\tdefault_info.flags = 0;\n\t\tdefault_info.debug = v4l_print_default;\n\t\tinfo = &default_info;\n\t}\n\n\twrite_only = _IOC_DIR(cmd) == _IOC_WRITE;\n\tif (info != &default_info) {\n\t\tret = info->func(ops, file, fh, arg);\n\t} else if (!ops->vidioc_default) {\n\t\tret = -ENOTTY;\n\t} else {\n\t\tret = ops->vidioc_default(file, fh,\n\t\t\tvfh ? v4l2_prio_check(vfd->prio, vfh->prio) >= 0 : 0,\n\t\t\tcmd, arg);\n\t}\n\ndone:\n\tif (dev_debug & (V4L2_DEV_DEBUG_IOCTL | V4L2_DEV_DEBUG_IOCTL_ARG)) {\n\t\tif (!(dev_debug & V4L2_DEV_DEBUG_STREAMING) &&\n\t\t (cmd == VIDIOC_QBUF || cmd == VIDIOC_DQBUF))\n\t\t\tgoto unlock;\n\n\t\tv4l_printk_ioctl(video_device_node_name(vfd), cmd);\n\t\tif (ret < 0)\n\t\t\tpr_cont(\": error %ld\", ret);\n\t\tif (!(dev_debug & V4L2_DEV_DEBUG_IOCTL_ARG))\n\t\t\tpr_cont(\"\\n\");\n\t\telse if (_IOC_DIR(cmd) == _IOC_NONE)\n\t\t\tinfo->debug(arg, write_only);\n\t\telse {\n\t\t\tpr_cont(\": \");\n\t\t\tinfo->debug(arg, write_only);\n\t\t}\n\t}\n\nunlock:\n\tif (lock)\n\t\tmutex_unlock(lock);\n\tif (req_queue_lock)\n\t\tmutex_unlock(req_queue_lock);\n\treturn ret;\n}", "project": "linux", "hash": 163122289821129460480171940278289786653, "size": 107, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381521 }, { "func": "CString CWebSock::GetRequestCookie(const CString& sKey) {\n const CString sPrefixedKey = CString(GetLocalPort()) + \"-\" + sKey;\n CString sRet;\n\n if (!m_sModName.empty()) {\n sRet = CHTTPSock::GetRequestCookie(\"Mod-\" + m_sModName + \"-\" +\n sPrefixedKey);\n }\n\n if (sRet.empty()) {\n return CHTTPSock::GetRequestCookie(sPrefixedKey);\n }\n\n return sRet;\n}", "project": "znc", "hash": 92122543156373820475241834230552782250, "size": 15, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265803 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " void DecodeIFrameThenTestFile(const std::string& test_file_name,\n size_t expected_width,\n size_t expected_height) {\n Initialize();\n\n VideoDecoder::DecoderStatus status_a;\n VideoDecoder::DecoderStatus status_b;\n scoped_refptr video_frame_a;\n scoped_refptr video_frame_b;\n\n scoped_refptr buffer = ReadTestDataFile(test_file_name);\n\n EXPECT_CALL(*demuxer_, Read(_))\n .WillOnce(ReturnBuffer(i_frame_buffer_))\n .WillOnce(ReturnBuffer(buffer))\n .WillRepeatedly(ReturnBuffer(end_of_stream_buffer_));\n\n EXPECT_CALL(statistics_cb_, OnStatistics(_))\n .Times(2);\n\n 
Read(&status_a, &video_frame_a);\n Read(&status_b, &video_frame_b);\n\n size_t original_width = static_cast(kVisibleRect.width());\n size_t original_height = static_cast(kVisibleRect.height());\n\n EXPECT_EQ(status_a, VideoDecoder::kOk);\n EXPECT_EQ(status_b, VideoDecoder::kOk);\n ASSERT_TRUE(video_frame_a);\n ASSERT_TRUE(video_frame_b);\n EXPECT_EQ(original_width, video_frame_a->width());\n EXPECT_EQ(original_height, video_frame_a->height());\n EXPECT_EQ(expected_width, video_frame_b->width());\n EXPECT_EQ(expected_height, video_frame_b->height());\n }\n", "cwe": "", "big_vul_idx": 113336, "idx": 101628, "hash": 116378855721223469970369395500833957217 }, { "func": "\nstatic void io_clean_op(struct io_kiocb *req)\n{\n\tif (req->flags & REQ_F_BUFFER_SELECTED) {\n\t\tswitch (req->opcode) {\n\t\tcase IORING_OP_READV:\n\t\tcase IORING_OP_READ_FIXED:\n\t\tcase IORING_OP_READ:\n\t\t\tkfree((void *)(unsigned long)req->rw.addr);\n\t\t\tbreak;\n\t\tcase IORING_OP_RECVMSG:\n\t\tcase IORING_OP_RECV:\n\t\t\tkfree(req->sr_msg.kbuf);\n\t\t\tbreak;\n\t\t}\n\t\treq->flags &= ~REQ_F_BUFFER_SELECTED;\n\t}\n\n\tif (req->flags & REQ_F_NEED_CLEANUP) {\n\t\tswitch (req->opcode) {\n\t\tcase IORING_OP_READV:\n\t\tcase IORING_OP_READ_FIXED:\n\t\tcase IORING_OP_READ:\n\t\tcase IORING_OP_WRITEV:\n\t\tcase IORING_OP_WRITE_FIXED:\n\t\tcase IORING_OP_WRITE: {\n\t\t\tstruct io_async_rw *io = req->async_data;\n\t\t\tif (io->free_iovec)\n\t\t\t\tkfree(io->free_iovec);\n\t\t\tbreak;\n\t\t\t}\n\t\tcase IORING_OP_RECVMSG:\n\t\tcase IORING_OP_SENDMSG: {\n\t\t\tstruct io_async_msghdr *io = req->async_data;\n\n\t\t\tkfree(io->free_iov);\n\t\t\tbreak;\n\t\t\t}\n\t\tcase IORING_OP_SPLICE:\n\t\tcase IORING_OP_TEE:\n\t\t\tif (!(req->splice.flags & SPLICE_F_FD_IN_FIXED))\n\t\t\t\tio_put_file(req->splice.file_in);\n\t\t\tbreak;\n\t\tcase IORING_OP_OPENAT:\n\t\tcase IORING_OP_OPENAT2:\n\t\t\tif (req->open.filename)\n\t\t\t\tputname(req->open.filename);\n\t\t\tbreak;\n\t\tcase 
IORING_OP_RENAMEAT:\n\t\t\tputname(req->rename.oldpath);\n\t\t\tputname(req->rename.newpath);\n\t\t\tbreak;\n\t\tcase IORING_OP_UNLINKAT:\n\t\t\tputname(req->unlink.filename);\n\t\t\tbreak;\n\t\t}\n\t\treq->flags &= ~REQ_F_NEED_CLEANUP;\n\t}\n\tif ((req->flags & REQ_F_POLLED) && req->apoll) {\n\t\tkfree(req->apoll->double_poll);\n\t\tkfree(req->apoll);\n\t\treq->apoll = NULL;\n\t}\n\tif (req->flags & REQ_F_INFLIGHT) {\n\t\tstruct io_uring_task *tctx = req->task->io_uring;\n\n\t\tatomic_dec(&tctx->inflight_tracked);\n\t\treq->flags &= ~REQ_F_INFLIGHT;\n\t}", "project": "linux", "hash": 265467393207912939564643024748349837409, "size": 69, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338633 }, { "func": " static void Launch(OpKernelContext* context, const Tensor& in_x,\n const Tensor& in_y, bool adjoint, bool lower,\n const MatMulBCast& bcast, Tensor* out) {\n // Number of banded matrix triangular solves i.e. 
size of the batch.\n const int64 batch_size = bcast.output_batch_size();\n const int64 cost_per_unit =\n in_x.dim_size(1) * in_x.dim_size(2) * in_y.dim_size(2);\n auto worker_threads = *(context->device()->tensorflow_cpu_worker_threads());\n\n using Matrix =\n Eigen::Matrix;\n using ConstMatrixMap = Eigen::Map;\n using RealScalar = typename Eigen::NumTraits::Real;\n // Check diagonal before doing any solves. This is the first row in the\n // lower case and else is the last row.\n auto matrix = ConstMatrixMap(in_x.flat().data(), in_x.dim_size(1),\n in_x.dim_size(2));\n RealScalar min_abs_pivot;\n if (lower) {\n min_abs_pivot = matrix.row(0).cwiseAbs().minCoeff();\n } else {\n min_abs_pivot = matrix.row(in_x.dim_size(1) - 1).cwiseAbs().minCoeff();\n }\n OP_REQUIRES(context, min_abs_pivot > RealScalar(0),\n errors::InvalidArgument(\"Input matrix is not invertible.\"));\n\n Shard(worker_threads.num_threads, worker_threads.workers, batch_size,\n cost_per_unit,\n [&in_x, &in_y, adjoint, lower, &bcast, out](int64 start,\n int64 limit) {\n SequentialBandedTriangularSolveKernel::Run(\n in_x, in_y, lower, adjoint, bcast, out, start, limit);\n });\n }", "project": "tensorflow", "hash": 197313052313360241226367304417344763699, "size": 34, "commit_id": "0ab290774f91a23bebe30a358fde4e53ab4876a0", "message": "Ensure validation sticks in banded_triangular_solve_op\n\nPiperOrigin-RevId: 373275480\nChange-Id: Id7717cf275b2d6fdb9441fbbe166d555182d2e79", "target": 0, "dataset": "other", "idx": 232646 }, { "func": "static int vmload_interception(struct vcpu_svm *svm)\n{\n\tstruct vmcb *nested_vmcb;\n\tstruct kvm_host_map map;\n\tint ret;\n\n\tif (nested_svm_check_permissions(svm))\n\t\treturn 1;\n\n\tret = kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(svm->vmcb->save.rax), &map);\n\tif (ret) {\n\t\tif (ret == -EINVAL)\n\t\t\tkvm_inject_gp(&svm->vcpu, 0);\n\t\treturn 1;\n\t}\n\n\tnested_vmcb = map.hva;\n\n\tret = kvm_skip_emulated_instruction(&svm->vcpu);\n\n\tnested_svm_vmloadsave(nested_vmcb, 
svm->vmcb);\n\tkvm_vcpu_unmap(&svm->vcpu, &map, true);\n\n\treturn ret;\n}", "project": "linux", "hash": 327826894884546518231715991041111520078, "size": 25, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432501 }, { "func": "static int vmload_interception(struct vcpu_svm *svm)\n{\n\tstruct vmcb *nested_vmcb;\n\tstruct page *page;\n\n\tif (nested_svm_check_permissions(svm))\n\t\treturn 1;\n\n\tnested_vmcb = nested_svm_map(svm, svm->vmcb->save.rax, &page);\n\tif (!nested_vmcb)\n\t\treturn 1;\n\n\tsvm->next_rip = kvm_rip_read(&svm->vcpu) + 3;\n\tskip_emulated_instruction(&svm->vcpu);\n\n\tnested_svm_vmloadsave(nested_vmcb, svm->vmcb);\n\tnested_svm_unmap(page);\n\n\treturn 1;\n}", "project": "kvm", "hash": 67499567796872205339990613055848417160, "size": 20, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437596 }, { "func": "int vfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)\n{\n\tint error = may_create(dir, dentry);\n\tunsigned max_links = dir->i_sb->s_max_links;\n\n\tif (error)\n\t\treturn error;\n\n\tif (!dir->i_op->mkdir)\n\t\treturn -EPERM;\n\n\tmode &= (S_IRWXUGO|S_ISVTX);\n\terror = security_inode_mkdir(dir, dentry, mode);\n\tif (error)\n\t\treturn error;\n\n\tif (max_links && dir->i_nlink >= max_links)\n\t\treturn -EMLINK;\n\n\terror = dir->i_op->mkdir(dir, dentry, mode);\n\tif (!error)\n\t\tfsnotify_mkdir(dir, dentry);\n\treturn error;\n}", "project": "linux", "hash": 190642966475613207285221502259134038949, "size": 24, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid 
before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295296 }, { "func": "kvm_pfn_t kvm_vcpu_gfn_to_pfn_atomic(struct kvm_vcpu *vcpu, gfn_t gfn)\n{\n\treturn gfn_to_pfn_memslot_atomic(kvm_vcpu_gfn_to_memslot(vcpu, gfn), gfn);\n}", "project": "linux", "hash": 10071966100592570376260215400416506510, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354638 }, { "func": "static int complete_walk(struct nameidata *nd)\n{\n\tstruct dentry *dentry = nd->path.dentry;\n\tint status;\n\n\tif (nd->flags & LOOKUP_RCU) {\n\t\tif (!(nd->flags & LOOKUP_ROOT))\n\t\t\tnd->root.mnt = NULL;\n\t\tif (unlikely(unlazy_walk(nd)))\n\t\t\treturn -ECHILD;\n\t}\n\n\tif (likely(!(nd->flags & LOOKUP_JUMPED)))\n\t\treturn 0;\n\n\tif (likely(!(dentry->d_flags & DCACHE_OP_WEAK_REVALIDATE)))\n\t\treturn 0;\n\n\tstatus = dentry->d_op->d_weak_revalidate(dentry, nd->flags);\n\tif (status > 0)\n\t\treturn 0;\n\n\tif (!status)\n\t\tstatus = -ESTALE;\n\n\treturn status;\n}", "project": "linux", "hash": 247942064219933708425145994850154085894, "size": 27, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", 
"message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295370 }, { "func": "int follow_up(struct path *path)\n{\n\tstruct mount *mnt = real_mount(path->mnt);\n\tstruct mount *parent;\n\tstruct dentry *mountpoint;\n\n\tread_seqlock_excl(&mount_lock);\n\tparent = mnt->mnt_parent;\n\tif (parent == mnt) {\n\t\tread_sequnlock_excl(&mount_lock);\n\t\treturn 0;\n\t}\n\tmntget(&parent->mnt);\n\tmountpoint = dget(mnt->mnt_mountpoint);\n\tread_sequnlock_excl(&mount_lock);\n\tdput(path->dentry);\n\tpath->dentry = mountpoint;\n\tmntput(path->mnt);\n\tpath->mnt = &parent->mnt;\n\treturn 1;\n}", "project": "linux", "hash": 36250375087802196691688851418832778689, "size": 21, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295344 }, { "func": "static __u32 tpacket_get_timestamp(struct sk_buff *skb, struct timespec64 *ts,\n\t\t\t\t unsigned int flags)\n{\n\tstruct skb_shared_hwtstamps *shhwtstamps = skb_hwtstamps(skb);\n\n\tif (shhwtstamps &&\n\t (flags & SOF_TIMESTAMPING_RAW_HARDWARE) &&\n\t ktime_to_timespec64_cond(shhwtstamps->hwtstamp, ts))\n\t\treturn TP_STATUS_TS_RAW_HARDWARE;\n\n\tif (ktime_to_timespec64_cond(skb->tstamp, ts))\n\t\treturn TP_STATUS_TS_SOFTWARE;\n\n\treturn 0;\n}", "project": "linux", "hash": 160092551186294236614647215656499530495, "size": 15, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing 
tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330370 }, { "func": "\nstatic void __io_sqe_buffers_unregister(struct io_ring_ctx *ctx)\n{\n\tunsigned int i;\n\n\tfor (i = 0; i < ctx->nr_user_bufs; i++)\n\t\tio_buffer_unmap(ctx, &ctx->user_bufs[i]);\n\tkfree(ctx->user_bufs);\n\tio_rsrc_data_free(ctx->buf_data);\n\tctx->user_bufs = NULL;\n\tctx->buf_data = NULL;\n\tctx->nr_user_bufs = 0;", "project": "linux", "hash": 327742382532826571911913139728702993314, "size": 12, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338569 }, { "func": "struct sock *x25_find_socket(unsigned int lci, struct x25_neigh *nb)\n{\n\tstruct sock *s;\n\n\tread_lock_bh(&x25_list_lock);\n\ts = __x25_find_socket(lci, nb);\n\tread_unlock_bh(&x25_list_lock);\n\treturn s;\n}", "project": "net", "hash": 178974331891633276488713384356387817149, "size": 9, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). 
What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449161 }, { "func": " CephContext* ctx() const { return env.store->ctx(); }", "project": "ceph", "hash": 87032854813163803745975282094687977364, "size": 1, "commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves CVE-2020-1700 (moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384555 }, { "func": "static int is_valid_xref(FILE *fp, pdf_t *pdf, xref_t *xref)\n{\n int is_valid;\n long start;\n char *c, buf[16];\n \n memset(buf, 0, sizeof(buf));\n is_valid = 0;\n start = ftell(fp);\n fseek(fp, xref->start, SEEK_SET);\n\n if (fgets(buf, 16, fp) == NULL) {\n ERR(\"Failed to load xref string.\");\n exit(EXIT_FAILURE);\n }\n\n if (strncmp(buf, \"xref\", strlen(\"xref\")) == 0)\n is_valid = 1;\n else\n { \n /* PDFv1.5+ allows for xref data to be stored in streams vs plaintext */\n fseek(fp, xref->start, SEEK_SET);\n c = get_object_from_here(fp, NULL, &xref->is_stream);\n\n if (c && xref->is_stream)\n {\n pdf->has_xref_streams = 1;\n is_valid = 1;\n }\n free(c);\n }\n\n fseek(fp, start, SEEK_SET);\n return is_valid;\n}", "project": "pdfresurrect", "hash": 41275593350516910444704154557213457808, "size": 35, "commit_id": "7e35d1806e111fd28610ccc86bb33f54792ac370", "message": "Fix possible infinite loop case when looking for a trailer.\n\nThanks to chibataiki for reporting and isolating this!", "target": 0, "dataset": "other", "idx": 355606 }, { "func": " explicit 
RandomGammaOp(OpKernelConstruction* context) : OpKernel(context) {\n OP_REQUIRES_OK(context, generator_.Init(context));\n }", "project": "tensorflow", "hash": 4609262972755095816672528293266240095, "size": 3, "commit_id": "27b417360cbd671ef55915e4bb6bb06af8b8a832", "message": "Prevent `int64` to `int` truncation in `Shard` API usage.\n\nThe function argument in `Shard` must be a function of two `int64` arguments. However, we are passing in a function with two `int` arguments. Thus, for large workloads, these arguments get truncated from positive `int64` values to negative `int` ones, resulting in a buffer out of bounds write.\n\nPiperOrigin-RevId: 332557334\nChange-Id: I236c9a2e7f53580e520571da8ba941a3aa9fa0b5", "target": 0, "dataset": "other", "idx": 262653 }, { "func": "UnicodeStringAppendable::getAppendBuffer(int32_t minCapacity,\n int32_t desiredCapacityHint,\n UChar *scratch, int32_t scratchCapacity,\n int32_t *resultCapacity) {\n if(minCapacity < 1 || scratchCapacity < minCapacity) {\n *resultCapacity = 0;\n return NULL;\n }\n int32_t oldLength = str.length();\n if(minCapacity <= (kMaxCapacity - oldLength) &&\n desiredCapacityHint <= (kMaxCapacity - oldLength) &&\n str.cloneArrayIfNeeded(oldLength + minCapacity, oldLength + desiredCapacityHint)) {\n *resultCapacity = str.getCapacity() - oldLength;\n return str.getArrayStart() + oldLength;\n }\n *resultCapacity = scratchCapacity;\n return scratch;\n}", "project": "icu", "hash": 29733361828142241439251719193832932388, "size": 18, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430739 }, { "func": "int64 GetCufftWorkspaceLimit(const string& envvar_in_mb,\n int64 default_value_in_bytes) {\n const char* workspace_limit_in_mb_str = getenv(envvar_in_mb.c_str());\n if (workspace_limit_in_mb_str != nullptr &&\n strcmp(workspace_limit_in_mb_str, \"\") != 0) {\n int64 scratch_limit_in_mb = -1;\n Status 
status = ReadInt64FromEnvVar(envvar_in_mb, default_value_in_bytes,\n &scratch_limit_in_mb);\n if (!status.ok()) {\n LOG(WARNING) << \"Invalid value for env-var \" << envvar_in_mb << \": \"\n << workspace_limit_in_mb_str;\n } else {\n return scratch_limit_in_mb * (1 << 20);\n }\n }\n return default_value_in_bytes;\n}", "project": "tensorflow", "hash": 132793229462189450783937336349977942971, "size": 17, "commit_id": "31bd5026304677faa8a0b77602c6154171b9aec1", "message": "Prevent check fail in FFT\n\nPiperOrigin-RevId: 372031044\nChange-Id: I50994e3e8a5d1342d01bde80256f6bf2730ca299", "target": 0, "dataset": "other", "idx": 235724 }, { "func": "int kvm_arch_vcpu_precreate(struct kvm *kvm, unsigned int id)\n{\n\tif (!kvm_is_ucontrol(kvm) && !sca_can_add_vcpu(kvm, id))\n\t\treturn -EINVAL;\n\treturn 0;\n}", "project": "linux", "hash": 51726245742401085173942042903966340107, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354530 }, { "func": "int tty_hung_up_p(struct file *filp)\n{\n\treturn (filp && filp->f_op == &hung_up_tty_fops);\n}", "project": "linux", "hash": 248510093474782869356954527776839402100, "size": 4, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it 
using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326064 }, { "func": "static int nfs4_proc_renew(struct nfs_client *clp, const struct cred *cred)\n{\n\tstruct rpc_message msg = {\n\t\t.rpc_proc\t= &nfs4_procedures[NFSPROC4_CLNT_RENEW],\n\t\t.rpc_argp\t= clp,\n\t\t.rpc_cred\t= cred,\n\t};\n\tunsigned long now = jiffies;\n\tint status;\n\n\tstatus = rpc_call_sync(clp->cl_rpcclient, &msg, RPC_TASK_TIMEOUT);\n\tif (status < 0)\n\t\treturn status;\n\tdo_renew_lease(clp, now);\n\treturn 0;\n}", "project": "linux", "hash": 338305822587412240722691458646370395537, "size": 16, "commit_id": 
"b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431465 }, { "func": "static void unfreeze_partials(struct kmem_cache *s,\n\t\tstruct kmem_cache_cpu *c)\n{\n#ifdef CONFIG_SLUB_CPU_PARTIAL\n\tstruct kmem_cache_node *n = NULL, *n2 = NULL;\n\tstruct page *page, *discard_page = NULL;\n\n\twhile ((page = c->partial)) {\n\t\tstruct page new;\n\t\tstruct page old;\n\n\t\tc->partial = page->next;\n\n\t\tn2 = get_node(s, page_to_nid(page));\n\t\tif (n != n2) {\n\t\t\tif (n)\n\t\t\t\tspin_unlock(&n->list_lock);\n\n\t\t\tn = n2;\n\t\t\tspin_lock(&n->list_lock);\n\t\t}\n\n\t\tdo {\n\n\t\t\told.freelist = page->freelist;\n\t\t\told.counters = page->counters;\n\t\t\tVM_BUG_ON(!old.frozen);\n\n\t\t\tnew.counters = old.counters;\n\t\t\tnew.freelist = old.freelist;\n\n\t\t\tnew.frozen = 0;\n\n\t\t} while (!__cmpxchg_double_slab(s, page,\n\t\t\t\told.freelist, old.counters,\n\t\t\t\tnew.freelist, new.counters,\n\t\t\t\t\"unfreezing slab\"));\n\n\t\tif (unlikely(!new.inuse && n->nr_partial >= s->min_partial)) {\n\t\t\tpage->next = discard_page;\n\t\t\tdiscard_page = page;\n\t\t} else {\n\t\t\tadd_partial(n, page, DEACTIVATE_TO_TAIL);\n\t\t\tstat(s, FREE_ADD_PARTIAL);\n\t\t}\n\t}\n\n\tif (n)\n\t\tspin_unlock(&n->list_lock);\n\n\twhile (discard_page) {\n\t\tpage = discard_page;\n\t\tdiscard_page = discard_page->next;\n\n\t\tstat(s, DEACTIVATE_EMPTY);\n\t\tdiscard_slab(s, page);\n\t\tstat(s, FREE_SLAB);\n\t}\n#endif\t/* CONFIG_SLUB_CPU_PARTIAL */\n}", "project": "linux", "hash": 289138866362887783360494704344570509426, "size": 60, "commit_id": 
"fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280037 }, { "func": "static int sctp_connect_new_asoc(struct sctp_endpoint *ep,\n\t\t\t\t const union sctp_addr *daddr,\n\t\t\t\t const struct sctp_initmsg *init,\n\t\t\t\t struct sctp_transport **tp)\n{\n\tstruct sctp_association *asoc;\n\tstruct sock *sk = ep->base.sk;\n\tstruct net *net = sock_net(sk);\n\tenum sctp_scope scope;\n\tint err;\n\n\tif (sctp_endpoint_is_peeled_off(ep, daddr))\n\t\treturn -EADDRNOTAVAIL;\n\n\tif (!ep->base.bind_addr.port) {\n\t\tif (sctp_autobind(sk))\n\t\t\treturn -EAGAIN;\n\t} else {\n\t\tif (inet_port_requires_bind_service(net, ep->base.bind_addr.port) &&\n\t\t !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))\n\t\t\treturn -EACCES;\n\t}\n\n\tscope = sctp_scope(daddr);\n\tasoc = sctp_association_new(ep, sk, scope, GFP_KERNEL);\n\tif (!asoc)\n\t\treturn -ENOMEM;\n\n\terr = sctp_assoc_set_bind_addr_from_ep(asoc, scope, GFP_KERNEL);\n\tif (err < 0)\n\t\tgoto free;\n\n\t*tp = sctp_assoc_add_peer(asoc, daddr, GFP_KERNEL, SCTP_UNKNOWN);\n\tif (!*tp) {\n\t\terr = -ENOMEM;\n\t\tgoto free;\n\t}\n\n\tif (!init)\n\t\treturn 0;\n\n\tif (init->sinit_num_ostreams) {\n\t\t__u16 outcnt = init->sinit_num_ostreams;\n\n\t\tasoc->c.sinit_num_ostreams = outcnt;\n\t\t/* 
outcnt has been changed, need to re-init stream */\n\t\terr = sctp_stream_init(&asoc->stream, outcnt, 0, GFP_KERNEL);\n\t\tif (err)\n\t\t\tgoto free;\n\t}\n\n\tif (init->sinit_max_instreams)\n\t\tasoc->c.sinit_max_instreams = init->sinit_max_instreams;\n\n\tif (init->sinit_max_attempts)\n\t\tasoc->max_init_attempts = init->sinit_max_attempts;\n\n\tif (init->sinit_max_init_timeo)\n\t\tasoc->max_init_timeo =\n\t\t\tmsecs_to_jiffies(init->sinit_max_init_timeo);\n\n\treturn 0;\nfree:\n\tsctp_association_free(asoc);\n\treturn err;\n}", "project": "linux", "hash": 42426222420372309395237410461868565683, "size": 66, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398118 }, { "func": "static int detect_netkey(\n\tsc_pkcs15_card_t *p15card\n){\n\tsc_card_t *card=p15card->card;\n\tsc_path_t p;\n\tsc_file_t *f;\n\tint keylen;\n\tchar dir[10];\n\tconst char *c_auth;\n\n\t/* NKS-Applikation ? 
*/\n\tmemset(&p, 0, sizeof(sc_path_t));\n\tp.type=SC_PATH_TYPE_DF_NAME;\n\tmemcpy(p.value, \"\\xD2\\x76\\x00\\x00\\x03\\x01\\x02\", p.len=7);\n\tif (sc_select_file(card,&p,&f)!=SC_SUCCESS) return 1;\n\tsprintf(dir,\"%04X\", f->id);\n\tsc_file_free(f);\n\n\tset_string(&p15card->tokeninfo->manufacturer_id, \"TeleSec GmbH\");\n\tset_string(&p15card->tokeninfo->label, card->type==SC_CARD_TYPE_TCOS_V3 ? \"NetKey V3 Card\" : \"NetKey Card\");\n\tkeylen= card->type==SC_CARD_TYPE_TCOS_V3 ? 2048 : 1024;\n\tc_auth= card->type==SC_CARD_TYPE_TCOS_V3 ? \"C500\" : \"C100\";\n\n\tinsert_cert(p15card, dirpath(dir,\"4331\"), 0x45, 1, \"Signatur Zertifikat 1\");\n\tinsert_cert(p15card, dirpath(dir,\"4332\"), 0x45, 1, \"Signatur Zertifikat 2\");\n\tinsert_cert(p15card, dirpath(dir,\"C000\"), 0x45, 0, \"Telesec Signatur Zertifikat\");\n\tinsert_cert(p15card, dirpath(dir,\"43B1\"), 0x46, 1, \"Verschluesselungs Zertifikat 1\");\n\tinsert_cert(p15card, dirpath(dir,\"43B2\"), 0x46, 1, \"Verschluesselungs Zertifikat 2\");\n\tinsert_cert(p15card, dirpath(dir,\"C200\"), 0x46, 0, \"Telesec Verschluesselungs Zertifikat\");\n\tinsert_cert(p15card, dirpath(dir,\"4371\"), 0x47, 1, \"Authentifizierungs Zertifikat 1\");\n\tinsert_cert(p15card, dirpath(dir,\"4372\"), 0x47, 1, \"Authentifizierungs Zertifikat 2\");\n\tinsert_cert(p15card, dirpath(dir,c_auth), 0x47, 0, \"Telesec Authentifizierungs Zertifikat\");\n\tinsert_cert(p15card, dirpath(dir,\"C201\"), 0x48, 0, \"Telesec 1024bit Zertifikat\");\n\n\tinsert_key(p15card, dirpath(dir,\"5331\"), 0x45, 0x80, keylen, 4, \"Signatur Schluessel\");\n\tinsert_key(p15card, dirpath(dir,\"53B1\"), 0x46, 0x81, keylen, 3, \"Verschluesselungs Schluessel\");\n\tinsert_key(p15card, dirpath(dir,\"5371\"), 0x47, 0x82, keylen, 3, \"Authentifizierungs Schluessel\");\n\tinsert_key(p15card, dirpath(dir,\"0000\"), 0x48, 0x83, 1024, 3, \"1024bit Schluessel\");\n\n\tinsert_pin(p15card, \"5000\", 1, 2, 0x00, 6, \"PIN\",\n\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | 
SC_PKCS15_PIN_FLAG_INITIALIZED\n\t);\n\tinsert_pin(p15card, \"5001\", 2, 0, 0x01, 8, \"PUK\",\n\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | SC_PKCS15_PIN_FLAG_INITIALIZED |\n\t\tSC_PKCS15_PIN_FLAG_UNBLOCKING_PIN | SC_PKCS15_PIN_FLAG_SO_PIN\n\t);\n\tif(card->type==SC_CARD_TYPE_TCOS_V3){\n\t\tinsert_pin(p15card, dirpath(dir,\"0000\"), 3, 1, 0x83, 6, \"NetKey PIN2\",\n\t\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | SC_PKCS15_PIN_FLAG_LOCAL |\n\t\t\tSC_PKCS15_PIN_FLAG_INITIALIZED\n\t\t);\n\t} else {\n\t\tinsert_pin(p15card, dirpath(dir,\"5080\"), 3, 1, 0x80, 6, \"NetKey PIN0\",\n\t\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | SC_PKCS15_PIN_FLAG_LOCAL |\n\t\t\tSC_PKCS15_PIN_FLAG_INITIALIZED\n\t\t);\n\t}\n\tinsert_pin(p15card, dirpath(dir,\"5081\"), 4, 1, 0x81, 6, \"NetKey PIN1\",\n\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | SC_PKCS15_PIN_FLAG_LOCAL |\n\t\tSC_PKCS15_PIN_FLAG_INITIALIZED\n\t);\n\n\t/* SigG-Applikation */\n\tp.len=7; p.type=SC_PATH_TYPE_DF_NAME;\n\tmemcpy(p.value, \"\\xD2\\x76\\x00\\x00\\x66\\x01\", p.len=6);\n\tif (sc_select_file(card,&p,&f)==SC_SUCCESS){\n\t\tsprintf(dir,\"%04X\", f->id);\n\t\tsc_file_free(f);\n\n\t\tinsert_cert(p15card, dirpath(dir,\"C000\"), 0x49, 1, \"SigG Zertifikat 1\");\n\t\tinsert_cert(p15card, dirpath(dir,\"4331\"), 0x49, 1, \"SigG Zertifikat 2\");\n\t\tinsert_cert(p15card, dirpath(dir,\"4332\"), 0x49, 1, \"SigG Zertifikat 3\");\n\t\t\n\t\tif(card->type==SC_CARD_TYPE_TCOS_V3){\n\t\t\tinsert_key(p15card, dirpath(dir,\"0000\"), 0x49, 0x84, 2048, 5, \"SigG Schluessel\");\n\t\t} else {\n\t\t\tinsert_key(p15card, dirpath(dir,\"5331\"), 0x49, 0x80, 1024, 5, \"SigG Schluessel\");\n\t\t}\n\n\t\tinsert_pin(p15card, dirpath(dir,\"5081\"), 5, 0, 0x81, 6, \"SigG PIN\",\n\t\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | SC_PKCS15_PIN_FLAG_LOCAL |\n\t\t\tSC_PKCS15_PIN_FLAG_INITIALIZED\n\t\t);\n\t\tif(card->type==SC_CARD_TYPE_TCOS_V3){\n\t\t\tinsert_pin(p15card, dirpath(dir,\"0000\"), 6, 0, 0x83, 8, \"SigG PIN2\",\n\t\t\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | 
SC_PKCS15_PIN_FLAG_LOCAL |\n\t\t\t\tSC_PKCS15_PIN_FLAG_INITIALIZED\n\t\t\t);\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "OpenSC", "hash": 174515461565913801264967040808676143332, "size": 93, "commit_id": "5df913b7f57ad89b9832555d24c08d23a534311e", "message": "tcos: Check bounds in insert_pin()\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383", "target": 0, "dataset": "other", "idx": 243966 }, { "func": "int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk,\n\t\t\t __be32 saddr, __be32 daddr, struct ip_options_rcu *opt)\n{\n\tstruct inet_sock *inet = inet_sk(sk);\n\tstruct rtable *rt = skb_rtable(skb);\n\tstruct net *net = sock_net(sk);\n\tstruct iphdr *iph;\n\n\t/* Build the IP header. */\n\tskb_push(skb, sizeof(struct iphdr) + (opt ? opt->opt.optlen : 0));\n\tskb_reset_network_header(skb);\n\tiph = ip_hdr(skb);\n\tiph->version = 4;\n\tiph->ihl = 5;\n\tiph->tos = inet->tos;\n\tiph->ttl = ip_select_ttl(inet, &rt->dst);\n\tiph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr);\n\tiph->saddr = saddr;\n\tiph->protocol = sk->sk_protocol;\n\tif (ip_dont_fragment(sk, &rt->dst)) {\n\t\tiph->frag_off = htons(IP_DF);\n\t\tiph->id = 0;\n\t} else {\n\t\tiph->frag_off = 0;\n\t\t__ip_select_ident(net, iph, 1);\n\t}\n\n\tif (opt && opt->opt.optlen) {\n\t\tiph->ihl += opt->opt.optlen>>2;\n\t\tip_options_build(skb, &opt->opt, daddr, rt, 0);\n\t}\n\n\tskb->priority = sk->sk_priority;\n\tif (!skb->mark)\n\t\tskb->mark = sk->sk_mark;\n\n\t/* Send it out. */\n\treturn ip_local_out(net, skb->sk, skb);\n}", "project": "net", "hash": 54492944013131714195334840614595654945, "size": 39, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. 
Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468913 }, { "func": "static int kvm_delete_memslot(struct kvm *kvm,\n\t\t\t const struct kvm_userspace_memory_region *mem,\n\t\t\t struct kvm_memory_slot *old, int as_id)\n{\n\tstruct kvm_memory_slot new;\n\tint r;\n\n\tif (!old->npages)\n\t\treturn -EINVAL;\n\n\tmemset(&new, 0, sizeof(new));\n\tnew.id = old->id;\n\n\tr = kvm_set_memslot(kvm, mem, old, &new, as_id, KVM_MR_DELETE);\n\tif (r)\n\t\treturn r;\n\n\tkvm_free_memslot(kvm, old);\n\treturn 0;\n}", "project": "linux", "hash": 165114781863102541785556526989813823624, "size": 20, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354601 }, { "func": "static int kvm_delete_memslot(struct kvm *kvm,\n\t\t\t const struct kvm_userspace_memory_region *mem,\n\t\t\t struct kvm_memory_slot *old, int as_id)\n{\n\tstruct 
kvm_memory_slot new;\n\tint r;\n\n\tif (!old->npages)\n\t\treturn -EINVAL;\n\n\tmemset(&new, 0, sizeof(new));\n\tnew.id = old->id;\n\t/*\n\t * This is only for debugging purpose; it should never be referenced\n\t * for a removed memslot.\n\t */\n\tnew.as_id = as_id;\n\n\tr = kvm_set_memslot(kvm, mem, old, &new, as_id, KVM_MR_DELETE);\n\tif (r)\n\t\treturn r;\n\n\tkvm_free_memslot(kvm, old);\n\treturn 0;\n}", "project": "linux", "hash": 215288683941486941592139371908948047469, "size": 25, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404107 }, { "func": "static bool fuse_emit(struct file *file, struct dir_context *ctx,\n\t\t struct fuse_dirent *dirent)\n{\n\tstruct fuse_file *ff = file->private_data;\n\n\tif (ff->open_flags & FOPEN_CACHE_DIR)\n\t\tfuse_add_dirent_to_cache(file, dirent, ctx->pos);\n\n\treturn dir_emit(ctx, dirent->name, dirent->namelen, dirent->ino,\n\t\t\tdirent->type);\n}", "project": "linux", "hash": 237480378647448167114771388569962372604, "size": 11, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE 
filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342099 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "bool BlobURLRequestJob::ReadLoop(int* bytes_read) {\n while (remaining_bytes_ > 0 && read_buf_remaining_bytes_ > 0) {\n if (!ReadItem())\n return false;\n }\n\n *bytes_read = ReadCompleted();\n return true;\n}\n", "cwe": "", "big_vul_idx": 106423, "idx": 95574, "hash": 303060359955446173481451551870515778478 }, { "func": "static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tclear_bit(HCI_RESET, &hdev->flags);\n\n\tif (status)\n\t\treturn;\n\n\t/* Reset all non-persistent flags */\n\thci_dev_clear_volatile_flags(hdev);\n\n\thci_discovery_set_state(hdev, DISCOVERY_STOPPED);\n\n\thdev->inq_tx_power = HCI_TX_POWER_INVALID;\n\thdev->adv_tx_power = HCI_TX_POWER_INVALID;\n\n\tmemset(hdev->adv_data, 0, sizeof(hdev->adv_data));\n\thdev->adv_data_len = 0;\n\n\tmemset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));\n\thdev->scan_rsp_data_len = 0;\n\n\thdev->le_scan_type = LE_SCAN_PASSIVE;\n\n\thdev->ssp_debug_mode = 
0;\n\n\thci_bdaddr_list_clear(&hdev->le_white_list);\n\thci_bdaddr_list_clear(&hdev->le_resolv_list);\n}", "project": "linux", "hash": 5148645741161040049884344450366174721, "size": 32, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431987 }, { "func": " bool isInvalid() const override {\n return m_td == MCRYPT_FAILED;\n }", "project": "hhvm", "hash": 190917410848672403453213549540895632041, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219824 }, { "func": "}\nEXPORT_SYMBOL_GPL(iscsi_register_transport);\n\nint iscsi_unregister_transport(struct iscsi_transport *tt)\n{\n\tstruct iscsi_internal *priv;\n\tunsigned long flags;\n\n\tBUG_ON(!tt);\n\n\tmutex_lock(&rx_queue_mutex);\n\n\tpriv = iscsi_if_transport_lookup(tt);\n\tBUG_ON (!priv);\n\n\tspin_lock_irqsave(&iscsi_transport_lock, flags);\n\tlist_del(&priv->list);\n\tspin_unlock_irqrestore(&iscsi_transport_lock, flags);\n\n\ttransport_container_unregister(&priv->conn_cont);\n\ttransport_container_unregister(&priv->session_cont);\n\ttransport_container_unregister(&priv->t.host_attrs);\n\n\tsysfs_remove_group(&priv->dev.kobj, &iscsi_transport_group);\n\tdevice_unregister(&priv->dev);\n\tmutex_unlock(&rx_queue_mutex);", "project": "linux", "hash": 
233053179704437200322677213008097820204, "size": 26, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379997 }, { "func": "static void update_options(char **dest, const char *name, void *src)\n{\n av_freep(dest);\n av_opt_get(src, name, 0, (uint8_t**)dest);\n if (*dest && !strlen(*dest))\n av_freep(dest);\n}", "project": "FFmpeg", "hash": 289354981901470636607965825103814974675, "size": 7, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270448 }, { "func": "static int nfs4_do_create(struct inode *dir, struct dentry *dentry, struct nfs4_createdata *data)\n{\n\tint status = nfs4_call_sync(NFS_SERVER(dir)->client, NFS_SERVER(dir), &data->msg,\n\t\t\t\t &data->arg.seq_args, &data->res.seq_res, 1);\n\tif (status == 0) {\n\t\tspin_lock(&dir->i_lock);\n\t\tnfs4_update_changeattr_locked(dir, &data->res.dir_cinfo,\n\t\t\t\tdata->res.fattr->time_start,\n\t\t\t\tNFS_INO_INVALID_DATA);\n\t\t/* Creating a directory bumps nlink in the parent */\n\t\tif (data->arg.ftype == NF4DIR)\n\t\t\tnfs4_inc_nlink_locked(dir);\n\t\tspin_unlock(&dir->i_lock);\n\t\tstatus = nfs_instantiate(dentry, data->res.fh, data->res.fattr, data->res.label);\n\t}\n\treturn status;\n}", "project": "linux", "hash": 
300168238432737094815793861713218788212, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431333 }, { "func": "static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe)\n{\n const BCIns *ins;\n GCproto *pt;\n BCPos pos;\n lua_assert(fn->c.gct == ~LJ_TFUNC || fn->c.gct == ~LJ_TTHREAD);\n if (!isluafunc(fn)) { /* Cannot derive a PC for non-Lua functions. */\n return NO_BCPOS;\n } else if (nextframe == NULL) { /* Lua function on top. */\n void *cf = cframe_raw(L->cframe);\n if (cf == NULL || (char *)cframe_pc(cf) == (char *)cframe_L(cf))\n return NO_BCPOS;\n ins = cframe_pc(cf); /* Only happens during error/hook handling. */\n } else {\n if (frame_islua(nextframe)) {\n ins = frame_pc(nextframe);\n } else if (frame_iscont(nextframe)) {\n ins = frame_contpc(nextframe);\n } else {\n /* Lua function below errfunc/gc/hook: find cframe to get the PC. 
*/\n void *cf = cframe_raw(L->cframe);\n TValue *f = L->base-1;\n for (;;) {\n\tif (cf == NULL)\n\t return NO_BCPOS;\n\twhile (cframe_nres(cf) < 0) {\n\t if (f >= restorestack(L, -cframe_nres(cf)))\n\t break;\n\t cf = cframe_raw(cframe_prev(cf));\n\t if (cf == NULL)\n\t return NO_BCPOS;\n\t}\n\tif (f < nextframe)\n\t break;\n\tif (frame_islua(f)) {\n\t f = frame_prevl(f);\n\t} else {\n\t if (frame_isc(f) || (LJ_HASFFI && frame_iscont(f) &&\n\t\t\t (f-1)->u32.lo == LJ_CONT_FFI_CALLBACK))\n\t cf = cframe_raw(cframe_prev(cf));\n\t f = frame_prevd(f);\n\t}\n }\n ins = cframe_pc(cf);\n if (!ins) return NO_BCPOS;\n }\n }\n pt = funcproto(fn);\n pos = proto_bcpos(pt, ins) - 1;\n#if LJ_HASJIT\n if (pos > pt->sizebc) { /* Undo the effects of lj_trace_exit for JLOOP. */\n GCtrace *T = (GCtrace *)((char *)(ins-1) - offsetof(GCtrace, startins));\n lua_assert(bc_isret(bc_op(ins[-1])));\n pos = proto_bcpos(pt, mref(T->startpc, const BCIns));\n }\n#endif\n return pos;\n}", "project": "LuaJIT", "hash": 222881566910464280460300267111993429460, "size": 58, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394628 }, { "func": "static apr_byte_t oidc_refresh_access_token_before_expiry(request_rec *r,\n\t\toidc_cfg *cfg, oidc_session_t *session, int ttl_minimum,\n\t\tint logout_on_error) {\n\n\tconst char *s_access_token_expires = NULL;\n\tapr_time_t t_expires = -1;\n\toidc_provider_t *provider = NULL;\n\n\toidc_debug(r, \"ttl_minimum=%d\", ttl_minimum);\n\n\tif (ttl_minimum < 0)\n\t\treturn FALSE;\n\n\ts_access_token_expires = oidc_session_get_access_token_expires(r, session);\n\tif (s_access_token_expires == NULL) {\n\t\toidc_debug(r,\n\t\t\t\t\"no access token expires_in stored in the session (i.e. 
returned from in the authorization response), so cannot refresh the access token based on TTL requirement\");\n\t\treturn FALSE;\n\t}\n\n\tif (oidc_session_get_refresh_token(r, session) == NULL) {\n\t\toidc_debug(r,\n\t\t\t\t\"no refresh token stored in the session, so cannot refresh the access token based on TTL requirement\");\n\t\treturn FALSE;\n\t}\n\n\tif (sscanf(s_access_token_expires, \"%\" APR_TIME_T_FMT, &t_expires) != 1) {\n\t\toidc_error(r, \"could not parse s_access_token_expires %s\",\n\t\t\t\ts_access_token_expires);\n\t\treturn FALSE;\n\t}\n\n\tt_expires = apr_time_from_sec(t_expires - ttl_minimum);\n\n\toidc_debug(r, \"refresh needed in: %\" APR_TIME_T_FMT \" seconds\",\n\t\t\tapr_time_sec(t_expires - apr_time_now()));\n\n\tif (t_expires > apr_time_now())\n\t\treturn FALSE;\n\n\tif (oidc_get_provider_from_session(r, cfg, session, &provider) == FALSE)\n\t\treturn FALSE;\n\n\tif (oidc_refresh_access_token(r, cfg, session, provider,\n\t\t\tNULL) == FALSE) {\n\t\toidc_warn(r, \"access_token could not be refreshed, logout=%d\",\n\t\t\t\tlogout_on_error & OIDC_LOGOUT_ON_ERROR_REFRESH);\n\t\tif (logout_on_error & OIDC_LOGOUT_ON_ERROR_REFRESH)\n\t\t\treturn OIDC_REFRESH_ERROR;\n\t\telse\n\t\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 260306115495552344562949046458015676402, "size": 55, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381966 }, { "func": "static apr_byte_t oidc_refresh_access_token_before_expiry(request_rec *r,\n\t\toidc_cfg *cfg, oidc_session_t *session, int ttl_minimum, int logout_on_error) {\n\n\tconst char *s_access_token_expires = NULL;\n\tapr_time_t t_expires = -1;\n\toidc_provider_t *provider = NULL;\n\n\toidc_debug(r, \"ttl_minimum=%d\", ttl_minimum);\n\n\tif (ttl_minimum < 
0)\n\t\treturn FALSE;\n\n\ts_access_token_expires = oidc_session_get_access_token_expires(r, session);\n\tif (s_access_token_expires == NULL) {\n\t\toidc_debug(r,\n\t\t\t\t\"no access token expires_in stored in the session (i.e. returned from in the authorization response), so cannot refresh the access token based on TTL requirement\");\n\t\treturn FALSE;\n\t}\n\n\tif (oidc_session_get_refresh_token(r, session) == NULL) {\n\t\toidc_debug(r,\n\t\t\t\t\"no refresh token stored in the session, so cannot refresh the access token based on TTL requirement\");\n\t\treturn FALSE;\n\t}\n\n\tif (sscanf(s_access_token_expires, \"%\" APR_TIME_T_FMT, &t_expires) != 1) {\n\t\toidc_error(r, \"could not parse s_access_token_expires %s\",\n\t\t\t\ts_access_token_expires);\n\t\treturn FALSE;\n\t}\n\n\tt_expires = apr_time_from_sec(t_expires - ttl_minimum);\n\n\toidc_debug(r, \"refresh needed in: %\" APR_TIME_T_FMT \" seconds\",\n\t\t\tapr_time_sec(t_expires - apr_time_now()));\n\n\tif (t_expires > apr_time_now())\n\t\treturn FALSE;\n\n\tif (oidc_get_provider_from_session(r, cfg, session, &provider) == FALSE)\n\t\treturn FALSE;\n\n\tif (oidc_refresh_access_token(r, cfg, session, provider,\n\t\t\tNULL) == FALSE) {\n\t\toidc_warn(r, \"access_token could not be refreshed, logout=%d\", logout_on_error & OIDC_LOGOUT_ON_ERROR_REFRESH);\n\t\tif (logout_on_error & OIDC_LOGOUT_ON_ERROR_REFRESH)\n\t\t\treturn ERROR;\n\t\telse\n\t\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 327631012462218665590804059455795263469, "size": 53, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447713 }, { "func": "static void ov6xx0_configure(struct sd *sd)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint rc;\n\n\tgspca_dbg(gspca_dev, D_PROBE, \"starting OV6xx0 configuration\\n\");\n\n\t/* Detect sensor (sub)type */\n\trc = i2c_r(sd, 
OV7610_REG_COM_I);\n\tif (rc < 0) {\n\t\tgspca_err(gspca_dev, \"Error detecting sensor type\\n\");\n\t\treturn;\n\t}\n\n\t/* Ugh. The first two bits are the version bits, but\n\t * the entire register value must be used. I guess OVT\n\t * underestimated how many variants they would make. */\n\tswitch (rc) {\n\tcase 0x00:\n\t\tsd->sensor = SEN_OV6630;\n\t\tpr_warn(\"WARNING: Sensor is an OV66308. Your camera may have been misdetected in previous driver versions.\\n\");\n\t\tbreak;\n\tcase 0x01:\n\t\tsd->sensor = SEN_OV6620;\n\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is an OV6620\\n\");\n\t\tbreak;\n\tcase 0x02:\n\t\tsd->sensor = SEN_OV6630;\n\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is an OV66308AE\\n\");\n\t\tbreak;\n\tcase 0x03:\n\t\tsd->sensor = SEN_OV66308AF;\n\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is an OV66308AF\\n\");\n\t\tbreak;\n\tcase 0x90:\n\t\tsd->sensor = SEN_OV6630;\n\t\tpr_warn(\"WARNING: Sensor is an OV66307. Your camera may have been misdetected in previous driver versions.\\n\");\n\t\tbreak;\n\tdefault:\n\t\tgspca_err(gspca_dev, \"FATAL: Unknown sensor version: 0x%02x\\n\",\n\t\t\t rc);\n\t\treturn;\n\t}\n\n\t/* Set sensor-specific vars */\n\tsd->sif = 1;\n}", "project": "linux", "hash": 178564232116790771016419081825281197001, "size": 47, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil 
\nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306295 }, { "func": "void CSoundFile::DoFreqSlide(ModChannel *pChn, int32 nFreqSlide) const\n{\n\tif(!pChn->nPeriod) return;\n\tif(GetType() == MOD_TYPE_669)\n\t{\n\t\t// Like other oldskool trackers, Composer 669 doesn't have linear slides...\n\t\t// But the slides are done in Hertz rather than periods, meaning that they\n\t\t// are more effective in the lower notes (rather than the higher notes).\n\t\tnFreqSlide *= -20;\n\t}\n\tif(m_SongFlags[SONG_LINEARSLIDES] && GetType() != MOD_TYPE_XM)\n\t{\n\t\t// IT Linear slides\n\t\tconst auto nOldPeriod = pChn->nPeriod;\n\t\tuint32 n = mpt::abs(nFreqSlide) / 4u;\n\t\tLimitMax(n, 255u);\n\t\tif(n != 0)\n\t\t{\n\t\t\tpChn->nPeriod = Util::muldivr(pChn->nPeriod, nFreqSlide < 0 ? GetLinearSlideUpTable(this, n) : GetLinearSlideDownTable(this, n), 65536);\n\t\t\tif(pChn->nPeriod == nOldPeriod)\n\t\t\t{\n\t\t\t\tconst bool incPeriod = m_playBehaviour[kHertzInLinearMode] == (nFreqSlide < 0);\n\t\t\t\tif(incPeriod && pChn->nPeriod < Util::MaxValueOfType(pChn->nPeriod))\n\t\t\t\t\tpChn->nPeriod++;\n\t\t\t\telse if(!incPeriod && pChn->nPeriod > 1)\n\t\t\t\t\tpChn->nPeriod--;\n\t\t\t}\n\t\t}\n\t} else\n\t{\n\t\tpChn->nPeriod += nFreqSlide;\n\t}\n\tif (pChn->nPeriod < 1)\n\t{\n\t\tpChn->nPeriod = 1;\n\t\tif(GetType() == MOD_TYPE_S3M)\n\t\t{\n\t\t\tpChn->nFadeOutVol = 0;\n\t\t\tpChn->dwFlags.set(CHN_NOTEFADE | CHN_FASTVOLRAMP);\n\t\t}\n\t}\n}", "project": "openmpt", "hash": 4224906431290912937422662137852332221, "size": 42, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255208 }, { "func": "\nstatic int 
bfqq_process_refs(struct bfq_queue *bfqq)\n{\n\treturn bfqq->ref - bfqq->allocated - bfqq->entity.on_st_or_in_serv -\n\t\t(bfqq->weight_counter != NULL);", "project": "linux", "hash": 256883404429993911761844280611513344414, "size": 5, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] 
__handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] 
exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang 
\nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453299 }, { "func": "lua_datum::lua_datum(CLua &_lua, int stackpos, bool pop)\n : lua(_lua), need_cleanup(true)\n{\n // Store the datum in the registry indexed by \"this\".\n lua_pushvalue(lua, stackpos);\n lua_pushlightuserdata(lua, this);\n // Move the key (this) before the value.\n lua_insert(lua, -2);\n lua_settable(lua, LUA_REGISTRYINDEX);\n\n if (pop && stackpos < 0)\n lua_pop(lua, -stackpos);\n\n lua.add_shutdown_listener(this);\n}", "project": "crawl", "hash": 184681427535715516333211832564119839205, "size": 15, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230493 }, { "func": "lua_datum::lua_datum(const lua_datum &o)\n : lua(o.lua), need_cleanup(true)\n{\n set_from(o);\n}", "project": "crawl", "hash": 172887788618101798235989300624395204627, "size": 5, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230510 }, { "func": "static void trace_module_add_evals(struct module *mod)\n{\n\tif (!mod->num_trace_evals)\n\t\treturn;\n\n\t/*\n\t * Modules with bad taint do not have events created, do\n\t * not bother with enums either.\n\t */\n\tif (trace_module_has_bad_taint(mod))\n\t\treturn;\n\n\ttrace_insert_eval_map(mod, mod->trace_evals, mod->num_trace_evals);\n}", "project": "linux", "hash": 31605630910683394160032526320822993016, "size": 14, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445543 }, { "func": "void nd_jump_link(struct path *path)\n{\n\tstruct nameidata *nd = current->nameidata;\n\tpath_put(&nd->path);\n\n\tnd->path = *path;\n\tnd->inode = nd->path.dentry->d_inode;\n\tnd->flags |= LOOKUP_JUMPED;\n}", "project": "linux", "hash": 5838847343620583619328710010344150186, "size": 9, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295438 }, { "func": "R_API int r_sys_cmd_str_full(const char *cmd, const char *input, char **output, int *len, char **sterr) {\n\tchar *mysterr = NULL;\n\tif (!sterr) {\n\t\tsterr = &mysterr;\n\t}\n\tchar buffer[1024], *outputptr = NULL;\n\tchar *inputptr = (char *)input;\n\tint pid, bytes = 0, status;\n\tint sh_in[2], sh_out[2], sh_err[2];\n\n\tif (len) {\n\t\t*len = 0;\n\t}\n\tif (pipe (sh_in)) {\n\t\treturn false;\n\t}\n\tif (output) {\n\t\tif (pipe (sh_out)) {\n\t\t\tclose (sh_in[0]);\n\t\t\tclose (sh_in[1]);\n\t\t\tclose (sh_out[0]);\n\t\t\tclose (sh_out[1]);\n\t\t\treturn false;\n\t\t}\n\t}\n\tif (pipe (sh_err)) {\n\t\tclose (sh_in[0]);\n\t\tclose (sh_in[1]);\n\t\treturn false;\n\t}\n\n\tswitch ((pid = r_sys_fork ())) {\n\tcase -1:\n\t\treturn false;\n\tcase 0:\n\t\tdup2 (sh_in[0], 0);\n\t\tclose (sh_in[0]);\n\t\tclose (sh_in[1]);\n\t\tif (output) {\n\t\t\tdup2 (sh_out[1], 
1);\n\t\t\tclose (sh_out[0]);\n\t\t\tclose (sh_out[1]);\n\t\t}\n\t\tif (sterr) {\n\t\t\tdup2 (sh_err[1], 2);\n\t\t} else {\n\t\t\tclose (2);\n\t\t}\n\t\tclose (sh_err[0]);\n\t\tclose (sh_err[1]);\n\t\texit (r_sandbox_system (cmd, 0));\n\tdefault:\n\t\toutputptr = strdup (\"\");\n\t\tif (!outputptr) {\n\t\t\treturn false;\n\t\t}\n\t\tif (sterr) {\n\t\t\t*sterr = strdup (\"\");\n\t\t\tif (!*sterr) {\n\t\t\t\tfree (outputptr);\n\t\t\t\treturn false;\n\t\t\t}\n\t\t}\n\t\tif (output) {\n\t\t\tclose (sh_out[1]);\n\t\t}\n\t\tclose (sh_err[1]);\n\t\tclose (sh_in[0]);\n\t\tif (!inputptr || !*inputptr) {\n\t\t\tclose (sh_in[1]);\n\t\t}\n\t\t// we should handle broken pipes somehow better\n\t\tr_sys_signal (SIGPIPE, SIG_IGN);\n\t\tsize_t err_len = 0, out_len = 0;\n\t\tfor (;;) {\n\t\t\tfd_set rfds, wfds;\n\t\t\tint nfd;\n\t\t\tFD_ZERO (&rfds);\n\t\t\tFD_ZERO (&wfds);\n\t\t\tif (output) {\n\t\t\t\tFD_SET (sh_out[0], &rfds);\n\t\t\t}\n\t\t\tif (sterr) {\n\t\t\t\tFD_SET (sh_err[0], &rfds);\n\t\t\t}\n\t\t\tif (inputptr && *inputptr) {\n\t\t\t\tFD_SET (sh_in[1], &wfds);\n\t\t\t}\n\t\t\tmemset (buffer, 0, sizeof (buffer));\n\t\t\tnfd = select (sh_err[0] + 1, &rfds, &wfds, NULL, NULL);\n\t\t\tif (nfd < 0) {\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tif (output && FD_ISSET (sh_out[0], &rfds)) {\n\t\t\t\tif ((bytes = read (sh_out[0], buffer, sizeof (buffer))) < 1) {\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tchar *tmp = realloc (outputptr, out_len + bytes + 1);\n\t\t\t\tif (!tmp) {\n\t\t\t\t\tR_FREE (outputptr);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\toutputptr = tmp;\n\t\t\t\tmemcpy (outputptr + out_len, buffer, bytes);\n\t\t\t\tout_len += bytes;\n\t\t\t} else if (FD_ISSET (sh_err[0], &rfds) && sterr) {\n\t\t\t\tif ((bytes = read (sh_err[0], buffer, sizeof (buffer))) < 1) {\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tchar *tmp = realloc (*sterr, err_len + bytes + 1);\n\t\t\t\tif (!tmp) {\n\t\t\t\t\tR_FREE (*sterr);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\t*sterr = tmp;\n\t\t\t\tmemcpy (*sterr + err_len, 
buffer, bytes);\n\t\t\t\terr_len += bytes;\n\t\t\t} else if (FD_ISSET (sh_in[1], &wfds) && inputptr && *inputptr) {\n\t\t\t\tint inputptr_len = strlen (inputptr);\n\t\t\t\tbytes = write (sh_in[1], inputptr, inputptr_len);\n\t\t\t\tif (bytes != inputptr_len) {\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tinputptr += bytes;\n\t\t\t\tif (!*inputptr) {\n\t\t\t\t\tclose (sh_in[1]);\n\t\t\t\t\t/* If neither stdout nor stderr should be captured,\n\t\t\t\t\t * abort now - nothing more to do for select(). */\n\t\t\t\t\tif (!output && !sterr) {\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (output) {\n\t\t\tclose (sh_out[0]);\n\t\t}\n\t\tclose (sh_err[0]);\n\t\tclose (sh_in[1]);\n\t\twaitpid (pid, &status, 0);\n\t\tbool ret = true;\n\t\tif (status) {\n\t\t\t// char *escmd = r_str_escape (cmd);\n\t\t\t// eprintf (\"error code %d (%s): %s\\n\", WEXITSTATUS (status), escmd, *sterr);\n\t\t\t// eprintf (\"(%s)\\n\", output);\n\t\t\t// eprintf (\"%s: failed command '%s'\\n\", __func__, escmd);\n\t\t\t// free (escmd);\n\t\t\tret = false;\n\t\t}\n\n\t\tif (len) {\n\t\t\t*len = out_len;\n\t\t}\n\t\tif (*sterr) {\n\t\t\t(*sterr)[err_len] = 0;\n\t\t}\n\t\tif (outputptr) {\n\t\t\toutputptr[out_len] = 0;\n\t\t}\n\t\tif (output) {\n\t\t\t*output = outputptr;\n\t\t} else {\n\t\t\tfree (outputptr);\n\t\t}\n\t\treturn ret;\n\t}\n\treturn false;\n}", "project": "radare2", "hash": 305533594412101038109922586847202361067, "size": 168, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol 
answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269051 }, { "func": "static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)\n{\n\tstruct io_kiocb *req;\n\tint ret = -ENOENT;\n\n\tlist_for_each_entry(req, &ctx->timeout_list, timeout.list) {\n\t\tif (user_data == req->user_data) {\n\t\t\tlist_del_init(&req->timeout.list);\n\t\t\tret = 0;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (ret == -ENOENT)\n\t\treturn ret;\n\n\tret = hrtimer_try_to_cancel(&req->io->timeout.timer);\n\tif (ret == -1)\n\t\treturn -EALREADY;\n\n\treq_set_fail_links(req);\n\treq->flags |= REQ_F_COMP_LOCKED;\n\tio_cqring_fill_event(req, -ECANCELED);\n\tio_put_req(req);\n\treturn 0;\n}", "project": "linux", "hash": 2207436233794814970474086948679451940, "size": 26, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456921 
}, { "func": "static int _nfs4_proc_open(struct nfs4_opendata *data,\n\t\t\t struct nfs_open_context *ctx)\n{\n\tstruct inode *dir = d_inode(data->dir);\n\tstruct nfs_server *server = NFS_SERVER(dir);\n\tstruct nfs_openargs *o_arg = &data->o_arg;\n\tstruct nfs_openres *o_res = &data->o_res;\n\tint status;\n\n\tstatus = nfs4_run_open_task(data, ctx);\n\tif (!data->rpc_done)\n\t\treturn status;\n\tif (status != 0) {\n\t\tif (status == -NFS4ERR_BADNAME &&\n\t\t\t\t!(o_arg->open_flags & O_CREAT))\n\t\t\treturn -ENOENT;\n\t\treturn status;\n\t}\n\n\tnfs_fattr_map_and_free_names(server, &data->f_attr);\n\n\tif (o_arg->open_flags & O_CREAT) {\n\t\tif (o_arg->open_flags & O_EXCL)\n\t\t\tdata->file_created = true;\n\t\telse if (o_res->cinfo.before != o_res->cinfo.after)\n\t\t\tdata->file_created = true;\n\t\tif (data->file_created ||\n\t\t inode_peek_iversion_raw(dir) != o_res->cinfo.after)\n\t\t\tnfs4_update_changeattr(dir, &o_res->cinfo,\n\t\t\t\t\to_res->f_attr->time_start,\n\t\t\t\t\tNFS_INO_INVALID_DATA);\n\t}\n\tif ((o_res->rflags & NFS4_OPEN_RESULT_LOCKTYPE_POSIX) == 0)\n\t\tserver->caps &= ~NFS_CAP_POSIX_LOCK;\n\tif(o_res->rflags & NFS4_OPEN_RESULT_CONFIRM) {\n\t\tstatus = _nfs4_proc_open_confirm(data);\n\t\tif (status != 0)\n\t\t\treturn status;\n\t}\n\tif (!(o_res->f_attr->valid & NFS_ATTR_FATTR)) {\n\t\tnfs4_sequence_free_slot(&o_res->seq_res);\n\t\tnfs4_proc_getattr(server, &o_res->fh, o_res->f_attr,\n\t\t\t\to_res->f_label, NULL);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 285154930549610678392547132708800876409, "size": 46, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond 
Myklebust ", "target": 0, "dataset": "other", "idx": 431380 }, { "func": "CallResult> JSObject::getComputedPropertyValue_RJS(\n Handle selfHandle,\n Runtime *runtime,\n Handle propObj,\n ComputedPropertyDescriptor desc) {\n assert(\n !selfHandle->flags_.proxyObject && !propObj->flags_.proxyObject &&\n \"getComputedPropertyValue_RJS cannot be used with proxy objects\");\n\n if (LLVM_LIKELY(!desc.flags.accessor))\n return createPseudoHandle(\n getComputedSlotValue(propObj.get(), runtime, desc));\n\n auto *accessor = vmcast(\n getComputedSlotValue(propObj.get(), runtime, desc));\n if (!accessor->getter)\n return createPseudoHandle(HermesValue::encodeUndefinedValue());\n\n // Execute the accessor on this object.\n return accessor->getter.get(runtime)->executeCall0(\n runtime->makeHandle(accessor->getter), runtime, selfHandle);\n}", "project": "hermes", "hash": 187125283656323157641413437229525207298, "size": 22, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230229 }, { "func": "CallResult> JSObject::getComputedPropertyValue_RJS(\n Handle selfHandle,\n Runtime *runtime,\n Handle propObj,\n ComputedPropertyDescriptor desc,\n Handle<> nameValHandle) {\n if (!propObj) {\n return createPseudoHandle(HermesValue::encodeEmptyValue());\n }\n\n if (LLVM_LIKELY(!desc.flags.proxyObject)) {\n return JSObject::getComputedPropertyValue_RJS(\n selfHandle, runtime, propObj, desc);\n }\n\n CallResult> keyRes = toPropertyKey(runtime, nameValHandle);\n if (LLVM_UNLIKELY(keyRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n CallResult hasRes = JSProxy::hasComputed(propObj, runtime, *keyRes);\n if (LLVM_UNLIKELY(hasRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n if (!*hasRes) {\n return createPseudoHandle(HermesValue::encodeEmptyValue());\n }\n return JSProxy::getComputed(propObj, runtime, *keyRes, selfHandle);\n}", "project": "hermes", "hash": 143412975591956759166484438891469001601, "size": 28, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230259 }, { "func": "static int nfs4_do_handle_exception(struct nfs_server *server,\n\t\tint errorcode, struct nfs4_exception *exception)\n{\n\tstruct nfs_client *clp = server->nfs_client;\n\tstruct nfs4_state *state = exception->state;\n\tconst nfs4_stateid *stateid;\n\tstruct inode *inode = exception->inode;\n\tint ret = errorcode;\n\n\texception->delay = 0;\n\texception->recovering = 0;\n\texception->retry = 0;\n\n\tstateid = nfs4_recoverable_stateid(exception->stateid);\n\tif (stateid == NULL && state != NULL)\n\t\tstateid = nfs4_recoverable_stateid(&state->stateid);\n\n\tswitch(errorcode) {\n\t\tcase 0:\n\t\t\treturn 0;\n\t\tcase -NFS4ERR_BADHANDLE:\n\t\tcase -ESTALE:\n\t\t\tif (inode != NULL && S_ISREG(inode->i_mode))\n\t\t\t\tpnfs_destroy_layout(NFS_I(inode));\n\t\t\tbreak;\n\t\tcase -NFS4ERR_DELEG_REVOKED:\n\t\tcase -NFS4ERR_ADMIN_REVOKED:\n\t\tcase -NFS4ERR_EXPIRED:\n\t\tcase -NFS4ERR_BAD_STATEID:\n\t\tcase -NFS4ERR_PARTNER_NO_AUTH:\n\t\t\tif (inode != NULL && stateid != NULL) {\n\t\t\t\tnfs_inode_find_state_and_recover(inode,\n\t\t\t\t\t\tstateid);\n\t\t\t\tgoto wait_on_recovery;\n\t\t\t}\n\t\t\t/* Fall through */\n\t\tcase -NFS4ERR_OPENMODE:\n\t\t\tif (inode) {\n\t\t\t\tint err;\n\n\t\t\t\terr = nfs_async_inode_return_delegation(inode,\n\t\t\t\t\t\tstateid);\n\t\t\t\tif (err == 0)\n\t\t\t\t\tgoto wait_on_recovery;\n\t\t\t\tif (stateid != NULL && stateid->type == NFS4_DELEGATION_STATEID_TYPE) {\n\t\t\t\t\texception->retry = 1;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (state == NULL)\n\t\t\t\tbreak;\n\t\t\tret = nfs4_schedule_stateid_recovery(server, state);\n\t\t\tif (ret < 0)\n\t\t\t\tbreak;\n\t\t\tgoto wait_on_recovery;\n\t\tcase -NFS4ERR_STALE_STATEID:\n\t\tcase 
-NFS4ERR_STALE_CLIENTID:\n\t\t\tnfs4_schedule_lease_recovery(clp);\n\t\t\tgoto wait_on_recovery;\n\t\tcase -NFS4ERR_MOVED:\n\t\t\tret = nfs4_schedule_migration_recovery(server);\n\t\t\tif (ret < 0)\n\t\t\t\tbreak;\n\t\t\tgoto wait_on_recovery;\n\t\tcase -NFS4ERR_LEASE_MOVED:\n\t\t\tnfs4_schedule_lease_moved_recovery(clp);\n\t\t\tgoto wait_on_recovery;\n#if defined(CONFIG_NFS_V4_1)\n\t\tcase -NFS4ERR_BADSESSION:\n\t\tcase -NFS4ERR_BADSLOT:\n\t\tcase -NFS4ERR_BAD_HIGH_SLOT:\n\t\tcase -NFS4ERR_CONN_NOT_BOUND_TO_SESSION:\n\t\tcase -NFS4ERR_DEADSESSION:\n\t\tcase -NFS4ERR_SEQ_FALSE_RETRY:\n\t\tcase -NFS4ERR_SEQ_MISORDERED:\n\t\t\t/* Handled in nfs41_sequence_process() */\n\t\t\tgoto wait_on_recovery;\n#endif /* defined(CONFIG_NFS_V4_1) */\n\t\tcase -NFS4ERR_FILE_OPEN:\n\t\t\tif (exception->timeout > HZ) {\n\t\t\t\t/* We have retried a decent amount, time to\n\t\t\t\t * fail\n\t\t\t\t */\n\t\t\t\tret = -EBUSY;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\t/* Fall through */\n\t\tcase -NFS4ERR_DELAY:\n\t\t\tnfs_inc_server_stats(server, NFSIOS_DELAY);\n\t\t\t/* Fall through */\n\t\tcase -NFS4ERR_GRACE:\n\t\tcase -NFS4ERR_LAYOUTTRYLATER:\n\t\tcase -NFS4ERR_RECALLCONFLICT:\n\t\t\texception->delay = 1;\n\t\t\treturn 0;\n\n\t\tcase -NFS4ERR_RETRY_UNCACHED_REP:\n\t\tcase -NFS4ERR_OLD_STATEID:\n\t\t\texception->retry = 1;\n\t\t\tbreak;\n\t\tcase -NFS4ERR_BADOWNER:\n\t\t\t/* The following works around a Linux server bug! */\n\t\tcase -NFS4ERR_BADNAME:\n\t\t\tif (server->caps & NFS_CAP_UIDGID_NOMAP) {\n\t\t\t\tserver->caps &= ~NFS_CAP_UIDGID_NOMAP;\n\t\t\t\texception->retry = 1;\n\t\t\t\tprintk(KERN_WARNING \"NFS: v4 server %s \"\n\t\t\t\t\t\t\"does not accept raw \"\n\t\t\t\t\t\t\"uid/gids. 
\"\n\t\t\t\t\t\t\"Reenabling the idmapper.\\n\",\n\t\t\t\t\t\tserver->nfs_client->cl_hostname);\n\t\t\t}\n\t}\n\t/* We failed to handle the error */\n\treturn nfs4_map_errors(ret);\nwait_on_recovery:\n\texception->recovering = 1;\n\treturn 0;\n}", "project": "linux", "hash": 267558048812187564488924107247486725927, "size": 119, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431234 }, { "func": " bool isSpace(char ch) const {\n return ch == ' ' || ch == '\\n' || ch == '\\t' || ch == '\\f';\n }", "project": "hhvm", "hash": 288870755081423405143545915252806481578, "size": 3, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227314 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "void VideoRendererBase::AttemptRead_Locked() {\n lock_.AssertAcquired();\n DCHECK_NE(kEnded, state_);\n\n if (pending_read_ ||\n NumFrames_Locked() == limits::kMaxVideoFrames ||\n (!ready_frames_.empty() && ready_frames_.back()->IsEndOfStream()) ||\n state_ == kFlushingDecoder ||\n state_ == kFlushing) {\n return;\n }\n\n pending_read_ = true;\n decoder_->Read(base::Bind(&VideoRendererBase::FrameReady, this));\n}\n", "cwe": "", 
"big_vul_idx": 113348, "idx": 101640, "hash": 88075289522328186600814917318863385927 }, { "func": "static int imap_tags_commit(struct Mailbox *m, struct Email *e, char *buf)\n{\n char uid[11];\n\n struct ImapAccountData *adata = imap_adata_get(m);\n\n if (*buf == '\\0')\n buf = NULL;\n\n if (!(adata->mailbox->rights & MUTT_ACL_WRITE))\n return 0;\n\n snprintf(uid, sizeof(uid), \"%u\", imap_edata_get(e)->uid);\n\n /* Remove old custom flags */\n if (imap_edata_get(e)->flags_remote)\n {\n struct Buffer cmd = mutt_buffer_make(128); // just a guess\n mutt_buffer_addstr(&cmd, \"UID STORE \");\n mutt_buffer_addstr(&cmd, uid);\n mutt_buffer_addstr(&cmd, \" -FLAGS.SILENT (\");\n mutt_buffer_addstr(&cmd, imap_edata_get(e)->flags_remote);\n mutt_buffer_addstr(&cmd, \")\");\n\n /* Should we return here, or we are fine and we could\n * continue to add new flags */\n int rc = imap_exec(adata, cmd.data, IMAP_CMD_NO_FLAGS);\n mutt_buffer_dealloc(&cmd);\n if (rc != IMAP_EXEC_SUCCESS)\n {\n return -1;\n }\n }\n\n /* Add new custom flags */\n if (buf)\n {\n struct Buffer cmd = mutt_buffer_make(128); // just a guess\n mutt_buffer_addstr(&cmd, \"UID STORE \");\n mutt_buffer_addstr(&cmd, uid);\n mutt_buffer_addstr(&cmd, \" +FLAGS.SILENT (\");\n mutt_buffer_addstr(&cmd, buf);\n mutt_buffer_addstr(&cmd, \")\");\n\n int rc = imap_exec(adata, cmd.data, IMAP_CMD_NO_FLAGS);\n mutt_buffer_dealloc(&cmd);\n if (rc != IMAP_EXEC_SUCCESS)\n {\n mutt_debug(LL_DEBUG1, \"fail to add new flags\\n\");\n return -1;\n }\n }\n\n /* We are good sync them */\n mutt_debug(LL_DEBUG1, \"NEW TAGS: %s\\n\", buf);\n driver_tags_replace(&e->tags, buf);\n FREE(&imap_edata_get(e)->flags_remote);\n imap_edata_get(e)->flags_remote = driver_tags_get_with_hidden(&e->tags);\n return 0;\n}", "project": "neomutt", "hash": 305719715603000136833746741931508978766, "size": 60, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for 
spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357007 }, { "func": "static uint32 GetLinearSlideUpTable (const CSoundFile *sndFile, uint32 i) { MPT_ASSERT(i < CountOf(LinearSlideDownTable)); return sndFile->m_playBehaviour[kHertzInLinearMode] ? LinearSlideUpTable[i] : LinearSlideDownTable[i]; }", "project": "openmpt", "hash": 33392614191546239599438964682128647631, "size": 1, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255217 }, { "func": "static int kvm_s390_get_cmma(struct kvm *kvm, struct kvm_s390_cmma_log *args,\n\t\t\t u8 *res, unsigned long bufsize)\n{\n\tunsigned long mem_end, cur_gfn, next_gfn, hva, pgstev;\n\tstruct kvm_memslots *slots = kvm_memslots(kvm);\n\tstruct kvm_memory_slot *ms;\n\n\tcur_gfn = kvm_s390_next_dirty_cmma(slots, args->start_gfn);\n\tms = gfn_to_memslot(kvm, cur_gfn);\n\targs->count = 0;\n\targs->start_gfn = cur_gfn;\n\tif (!ms)\n\t\treturn 0;\n\tnext_gfn = kvm_s390_next_dirty_cmma(slots, cur_gfn + 1);\n\tmem_end = slots->memslots[0].base_gfn + slots->memslots[0].npages;\n\n\twhile (args->count < bufsize) {\n\t\thva = gfn_to_hva(kvm, cur_gfn);\n\t\tif (kvm_is_error_hva(hva))\n\t\t\treturn 0;\n\t\t/* Decrement only if we actually flipped the bit to 0 */\n\t\tif (test_and_clear_bit(cur_gfn - ms->base_gfn, kvm_second_dirty_bitmap(ms)))\n\t\t\tatomic64_dec(&kvm->arch.cmma_dirty_pages);\n\t\tif (get_pgste(kvm->mm, hva, &pgstev) < 0)\n\t\t\tpgstev = 0;\n\t\t/* Save the value */\n\t\tres[args->count++] = (pgstev >> 24) & 0x43;\n\t\t/* If the next bit is too far away, stop. 
*/\n\t\tif (next_gfn > cur_gfn + KVM_S390_MAX_BIT_DISTANCE)\n\t\t\treturn 0;\n\t\t/* If we reached the previous \"next\", find the next one */\n\t\tif (cur_gfn == next_gfn)\n\t\t\tnext_gfn = kvm_s390_next_dirty_cmma(slots, cur_gfn + 1);\n\t\t/* Reached the end of memory or of the buffer, stop */\n\t\tif ((next_gfn >= mem_end) ||\n\t\t (next_gfn - args->start_gfn >= bufsize))\n\t\t\treturn 0;\n\t\tcur_gfn++;\n\t\t/* Reached the end of the current memslot, take the next one. */\n\t\tif (cur_gfn - ms->base_gfn >= ms->npages) {\n\t\t\tms = gfn_to_memslot(kvm, cur_gfn);\n\t\t\tif (!ms)\n\t\t\t\treturn 0;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 69648874825348699945429887721025870530, "size": 47, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 1, "dataset": "other", "idx": 204189 }, { "func": "static int kvm_s390_get_cmma(struct kvm *kvm, struct kvm_s390_cmma_log *args,\n\t\t\t u8 *res, unsigned long bufsize)\n{\n\tunsigned long mem_end, cur_gfn, next_gfn, hva, pgstev;\n\tstruct kvm_memslots *slots = kvm_memslots(kvm);\n\tstruct kvm_memory_slot *ms;\n\n\tif (unlikely(!slots->used_slots))\n\t\treturn 0;\n\n\tcur_gfn = kvm_s390_next_dirty_cmma(slots, args->start_gfn);\n\tms = gfn_to_memslot(kvm, cur_gfn);\n\targs->count = 0;\n\targs->start_gfn = cur_gfn;\n\tif (!ms)\n\t\treturn 0;\n\tnext_gfn = 
kvm_s390_next_dirty_cmma(slots, cur_gfn + 1);\n\tmem_end = slots->memslots[0].base_gfn + slots->memslots[0].npages;\n\n\twhile (args->count < bufsize) {\n\t\thva = gfn_to_hva(kvm, cur_gfn);\n\t\tif (kvm_is_error_hva(hva))\n\t\t\treturn 0;\n\t\t/* Decrement only if we actually flipped the bit to 0 */\n\t\tif (test_and_clear_bit(cur_gfn - ms->base_gfn, kvm_second_dirty_bitmap(ms)))\n\t\t\tatomic64_dec(&kvm->arch.cmma_dirty_pages);\n\t\tif (get_pgste(kvm->mm, hva, &pgstev) < 0)\n\t\t\tpgstev = 0;\n\t\t/* Save the value */\n\t\tres[args->count++] = (pgstev >> 24) & 0x43;\n\t\t/* If the next bit is too far away, stop. */\n\t\tif (next_gfn > cur_gfn + KVM_S390_MAX_BIT_DISTANCE)\n\t\t\treturn 0;\n\t\t/* If we reached the previous \"next\", find the next one */\n\t\tif (cur_gfn == next_gfn)\n\t\t\tnext_gfn = kvm_s390_next_dirty_cmma(slots, cur_gfn + 1);\n\t\t/* Reached the end of memory or of the buffer, stop */\n\t\tif ((next_gfn >= mem_end) ||\n\t\t (next_gfn - args->start_gfn >= bufsize))\n\t\t\treturn 0;\n\t\tcur_gfn++;\n\t\t/* Reached the end of the current memslot, take the next one. 
*/\n\t\tif (cur_gfn - ms->base_gfn >= ms->npages) {\n\t\t\tms = gfn_to_memslot(kvm, cur_gfn);\n\t\t\tif (!ms)\n\t\t\t\treturn 0;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 13699562725589835050195546967713430426, "size": 50, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354690 }, { "func": "static void ov511_mode_init_regs(struct sd *sd)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint hsegs, vsegs, packet_size, fps, needed;\n\tint interlaced = 0;\n\tstruct usb_host_interface *alt;\n\tstruct usb_interface *intf;\n\n\tintf = usb_ifnum_to_if(sd->gspca_dev.dev, sd->gspca_dev.iface);\n\talt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt);\n\tif (!alt) {\n\t\tgspca_err(gspca_dev, \"Couldn't get altsetting\\n\");\n\t\tsd->gspca_dev.usb_err = -EIO;\n\t\treturn;\n\t}\n\n\tpacket_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);\n\treg_w(sd, R51x_FIFO_PSIZE, packet_size >> 5);\n\n\treg_w(sd, R511_CAM_UV_EN, 0x01);\n\treg_w(sd, R511_SNAP_UV_EN, 0x01);\n\treg_w(sd, R511_SNAP_OPTS, 0x03);\n\n\t/* Here I'm assuming that snapshot size == image size.\n\t * I hope that's always true. 
--claudio\n\t */\n\thsegs = (sd->gspca_dev.pixfmt.width >> 3) - 1;\n\tvsegs = (sd->gspca_dev.pixfmt.height >> 3) - 1;\n\n\treg_w(sd, R511_CAM_PXCNT, hsegs);\n\treg_w(sd, R511_CAM_LNCNT, vsegs);\n\treg_w(sd, R511_CAM_PXDIV, 0x00);\n\treg_w(sd, R511_CAM_LNDIV, 0x00);\n\n\t/* YUV420, low pass filter on */\n\treg_w(sd, R511_CAM_OPTS, 0x03);\n\n\t/* Snapshot additions */\n\treg_w(sd, R511_SNAP_PXCNT, hsegs);\n\treg_w(sd, R511_SNAP_LNCNT, vsegs);\n\treg_w(sd, R511_SNAP_PXDIV, 0x00);\n\treg_w(sd, R511_SNAP_LNDIV, 0x00);\n\n\t/******** Set the framerate ********/\n\tif (frame_rate > 0)\n\t\tsd->frame_rate = frame_rate;\n\n\tswitch (sd->sensor) {\n\tcase SEN_OV6620:\n\t\t/* No framerate control, doesn't like higher rates yet */\n\t\tsd->clockdiv = 3;\n\t\tbreak;\n\n\t/* Note once the FIXME's in mode_init_ov_sensor_regs() are fixed\n\t for more sensors we need to do this for them too */\n\tcase SEN_OV7620:\n\tcase SEN_OV7620AE:\n\tcase SEN_OV7640:\n\tcase SEN_OV7648:\n\tcase SEN_OV76BE:\n\t\tif (sd->gspca_dev.pixfmt.width == 320)\n\t\t\tinterlaced = 1;\n\t\t/* Fall through */\n\tcase SEN_OV6630:\n\tcase SEN_OV7610:\n\tcase SEN_OV7670:\n\t\tswitch (sd->frame_rate) {\n\t\tcase 30:\n\t\tcase 25:\n\t\t\t/* Not enough bandwidth to do 640x480 @ 30 fps */\n\t\t\tif (sd->gspca_dev.pixfmt.width != 640) {\n\t\t\t\tsd->clockdiv = 0;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\t/* For 640x480 case */\n\t\t\t/* fall through */\n\t\tdefault:\n/*\t\tcase 20: */\n/*\t\tcase 15: */\n\t\t\tsd->clockdiv = 1;\n\t\t\tbreak;\n\t\tcase 10:\n\t\t\tsd->clockdiv = 2;\n\t\t\tbreak;\n\t\tcase 5:\n\t\t\tsd->clockdiv = 5;\n\t\t\tbreak;\n\t\t}\n\t\tif (interlaced) {\n\t\t\tsd->clockdiv = (sd->clockdiv + 1) * 2 - 1;\n\t\t\t/* Higher then 10 does not work */\n\t\t\tif (sd->clockdiv > 10)\n\t\t\t\tsd->clockdiv = 10;\n\t\t}\n\t\tbreak;\n\n\tcase SEN_OV8610:\n\t\t/* No framerate control ?? */\n\t\tsd->clockdiv = 0;\n\t\tbreak;\n\t}\n\n\t/* Check if we have enough bandwidth to disable compression */\n\tfps = (interlaced ? 
60 : 30) / (sd->clockdiv + 1) + 1;\n\tneeded = fps * sd->gspca_dev.pixfmt.width *\n\t\t\tsd->gspca_dev.pixfmt.height * 3 / 2;\n\t/* 1000 isoc packets/sec */\n\tif (needed > 1000 * packet_size) {\n\t\t/* Enable Y and UV quantization and compression */\n\t\treg_w(sd, R511_COMP_EN, 0x07);\n\t\treg_w(sd, R511_COMP_LUT_EN, 0x03);\n\t} else {\n\t\treg_w(sd, R511_COMP_EN, 0x06);\n\t\treg_w(sd, R511_COMP_LUT_EN, 0x00);\n\t}\n\n\treg_w(sd, R51x_SYS_RESET, OV511_RESET_OMNICE);\n\treg_w(sd, R51x_SYS_RESET, 0);\n}", "project": "linux", "hash": 207420910822850441672571201896199052237, "size": 119, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 1, "dataset": "other", "idx": 200621 }, { "func": "static void ov511_mode_init_regs(struct sd *sd)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint hsegs, vsegs, packet_size, fps, needed;\n\tint interlaced = 0;\n\tstruct usb_host_interface *alt;\n\tstruct usb_interface *intf;\n\n\tintf = usb_ifnum_to_if(sd->gspca_dev.dev, sd->gspca_dev.iface);\n\talt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt);\n\tif (!alt) {\n\t\tgspca_err(gspca_dev, \"Couldn't get altsetting\\n\");\n\t\tsd->gspca_dev.usb_err = -EIO;\n\t\treturn;\n\t}\n\n\tif (alt->desc.bNumEndpoints < 1) {\n\t\tsd->gspca_dev.usb_err = 
-ENODEV;\n\t\treturn;\n\t}\n\n\tpacket_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);\n\treg_w(sd, R51x_FIFO_PSIZE, packet_size >> 5);\n\n\treg_w(sd, R511_CAM_UV_EN, 0x01);\n\treg_w(sd, R511_SNAP_UV_EN, 0x01);\n\treg_w(sd, R511_SNAP_OPTS, 0x03);\n\n\t/* Here I'm assuming that snapshot size == image size.\n\t * I hope that's always true. --claudio\n\t */\n\thsegs = (sd->gspca_dev.pixfmt.width >> 3) - 1;\n\tvsegs = (sd->gspca_dev.pixfmt.height >> 3) - 1;\n\n\treg_w(sd, R511_CAM_PXCNT, hsegs);\n\treg_w(sd, R511_CAM_LNCNT, vsegs);\n\treg_w(sd, R511_CAM_PXDIV, 0x00);\n\treg_w(sd, R511_CAM_LNDIV, 0x00);\n\n\t/* YUV420, low pass filter on */\n\treg_w(sd, R511_CAM_OPTS, 0x03);\n\n\t/* Snapshot additions */\n\treg_w(sd, R511_SNAP_PXCNT, hsegs);\n\treg_w(sd, R511_SNAP_LNCNT, vsegs);\n\treg_w(sd, R511_SNAP_PXDIV, 0x00);\n\treg_w(sd, R511_SNAP_LNDIV, 0x00);\n\n\t/******** Set the framerate ********/\n\tif (frame_rate > 0)\n\t\tsd->frame_rate = frame_rate;\n\n\tswitch (sd->sensor) {\n\tcase SEN_OV6620:\n\t\t/* No framerate control, doesn't like higher rates yet */\n\t\tsd->clockdiv = 3;\n\t\tbreak;\n\n\t/* Note once the FIXME's in mode_init_ov_sensor_regs() are fixed\n\t for more sensors we need to do this for them too */\n\tcase SEN_OV7620:\n\tcase SEN_OV7620AE:\n\tcase SEN_OV7640:\n\tcase SEN_OV7648:\n\tcase SEN_OV76BE:\n\t\tif (sd->gspca_dev.pixfmt.width == 320)\n\t\t\tinterlaced = 1;\n\t\t/* Fall through */\n\tcase SEN_OV6630:\n\tcase SEN_OV7610:\n\tcase SEN_OV7670:\n\t\tswitch (sd->frame_rate) {\n\t\tcase 30:\n\t\tcase 25:\n\t\t\t/* Not enough bandwidth to do 640x480 @ 30 fps */\n\t\t\tif (sd->gspca_dev.pixfmt.width != 640) {\n\t\t\t\tsd->clockdiv = 0;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\t/* For 640x480 case */\n\t\t\t/* fall through */\n\t\tdefault:\n/*\t\tcase 20: */\n/*\t\tcase 15: */\n\t\t\tsd->clockdiv = 1;\n\t\t\tbreak;\n\t\tcase 10:\n\t\t\tsd->clockdiv = 2;\n\t\t\tbreak;\n\t\tcase 5:\n\t\t\tsd->clockdiv = 5;\n\t\t\tbreak;\n\t\t}\n\t\tif (interlaced) 
{\n\t\t\tsd->clockdiv = (sd->clockdiv + 1) * 2 - 1;\n\t\t\t/* Higher then 10 does not work */\n\t\t\tif (sd->clockdiv > 10)\n\t\t\t\tsd->clockdiv = 10;\n\t\t}\n\t\tbreak;\n\n\tcase SEN_OV8610:\n\t\t/* No framerate control ?? */\n\t\tsd->clockdiv = 0;\n\t\tbreak;\n\t}\n\n\t/* Check if we have enough bandwidth to disable compression */\n\tfps = (interlaced ? 60 : 30) / (sd->clockdiv + 1) + 1;\n\tneeded = fps * sd->gspca_dev.pixfmt.width *\n\t\t\tsd->gspca_dev.pixfmt.height * 3 / 2;\n\t/* 1000 isoc packets/sec */\n\tif (needed > 1000 * packet_size) {\n\t\t/* Enable Y and UV quantization and compression */\n\t\treg_w(sd, R511_COMP_EN, 0x07);\n\t\treg_w(sd, R511_COMP_LUT_EN, 0x03);\n\t} else {\n\t\treg_w(sd, R511_COMP_EN, 0x06);\n\t\treg_w(sd, R511_COMP_LUT_EN, 0x00);\n\t}\n\n\treg_w(sd, R51x_SYS_RESET, OV511_RESET_OMNICE);\n\treg_w(sd, R51x_SYS_RESET, 0);\n}", "project": "linux", "hash": 66031367225502192060724962502262196162, "size": 124, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306343 }, { "func": "static ut64 getref (RCore *core, int n, char t, int type) {\n\tRAnalFunction *fcn = r_anal_get_fcn_in (core->anal, core->offset, 0);\n\tRListIter *iter;\n\tRAnalRef *r;\n\tRList *list;\n\tint i = 0;\n\tif (!fcn) {\n\t\treturn 
UT64_MAX;\n\t}\n#if FCN_OLD\n\tif (t == 'r') {\n\t\tlist = r_anal_function_get_refs (fcn);\n\t} else {\n\t\tlist = r_anal_function_get_xrefs (fcn);\n\t}\n\tr_list_foreach (list, iter, r) {\n\t\tif (r->type == type) {\n\t\t\tif (i == n) {\n\t\t\t\tut64 addr = r->addr;\n\t\t\t\tr_list_free (list);\n\t\t\t\treturn addr;\n\t\t\t}\n\t\t\ti++;\n\t\t}\n\t}\n\tr_list_free (list);\n#else\n#warning implement getref() using sdb\n#endif\n\treturn UT64_MAX;\n}", "project": "radare2", "hash": 211635675020231016790986412126407478558, "size": 31, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232198 }, { "func": "static void nfs4_xdr_enc_open_confirm(struct rpc_rqst *req,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs_open_confirmargs *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.nops = 0,\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_open_confirm(xdr, args, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 76780433007969722312910298087310488641, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431069 }, { "func": "static void negotiate(struct Curl_easy *data)\n{\n int i;\n struct TELNET *tn = data->req.p.telnet;\n\n for(i = 0; i < CURL_NTELOPTS; i++) {\n if(i == CURL_TELOPT_ECHO)\n continue;\n\n if(tn->us_preferred[i] == CURL_YES)\n set_local_option(data, i, CURL_YES);\n\n if(tn->him_preferred[i] == CURL_YES)\n 
set_remote_option(data, i, CURL_YES);\n }\n}", "project": "curl", "hash": 267555764004711548503290253963117147523, "size": 16, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 0, "dataset": "other", "idx": 481493 }, { "func": "int fuse_set_acl(struct inode *inode, struct posix_acl *acl, int type)\n{\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tconst char *name;\n\tint ret;\n\n\tif (fuse_is_bad(inode))\n\t\treturn -EIO;\n\n\tif (!fc->posix_acl || fc->no_setxattr)\n\t\treturn -EOPNOTSUPP;\n\n\tif (type == ACL_TYPE_ACCESS)\n\t\tname = XATTR_NAME_POSIX_ACL_ACCESS;\n\telse if (type == ACL_TYPE_DEFAULT)\n\t\tname = XATTR_NAME_POSIX_ACL_DEFAULT;\n\telse\n\t\treturn -EINVAL;\n\n\tif (acl) {\n\t\t/*\n\t\t * Fuse userspace is responsible for updating access\n\t\t * permissions in the inode, if needed. fuse_setxattr\n\t\t * invalidates the inode attributes, which will force\n\t\t * them to be refreshed the next time they are used,\n\t\t * and it also updates i_ctime.\n\t\t */\n\t\tsize_t size = posix_acl_xattr_size(acl->a_count);\n\t\tvoid *value;\n\n\t\tif (size > PAGE_SIZE)\n\t\t\treturn -E2BIG;\n\n\t\tvalue = kmalloc(size, GFP_KERNEL);\n\t\tif (!value)\n\t\t\treturn -ENOMEM;\n\n\t\tret = posix_acl_to_xattr(fc->user_ns, acl, value, size);\n\t\tif (ret < 0) {\n\t\t\tkfree(value);\n\t\t\treturn ret;\n\t\t}\n\n\t\tret = fuse_setxattr(inode, name, value, size, 0);\n\t\tkfree(value);\n\t} else {\n\t\tret = fuse_removexattr(inode, name);\n\t}\n\tforget_all_cached_acls(inode);\n\tfuse_invalidate_attr(inode);\n\n\treturn ret;\n}", "project": "linux", "hash": 1883347907890635013157704421065069826, "size": 53, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n 
dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341991 }, { "func": "static int hidinput_query_battery_capacity(struct hid_device *dev)\n{\n\tu8 *buf;\n\tint ret;\n\n\tbuf = kmalloc(4, GFP_KERNEL);\n\tif (!buf)\n\t\treturn -ENOMEM;\n\n\tret = hid_hw_raw_request(dev, dev->battery_report_id, buf, 4,\n\t\t\t\t dev->battery_report_type, HID_REQ_GET_REPORT);\n\tif (ret < 2) {\n\t\tkfree(buf);\n\t\treturn -ENODATA;\n\t}\n\n\tret = hidinput_scale_battery_capacity(dev, buf[1]);\n\tkfree(buf);\n\treturn ret;\n}", "project": "linux", "hash": 83596453438055909580032232467123015198, "size": 20, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now 
check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458357 }, { "func": "int vma_dup_policy(struct vm_area_struct *src, struct vm_area_struct *dst)\n{\n\tstruct mempolicy *pol = mpol_dup(vma_policy(src));\n\n\tif (IS_ERR(pol))\n\t\treturn PTR_ERR(pol);\n\tdst->vm_policy = pol;\n\treturn 0;\n}", "project": "linux", "hash": 144924905867760676853494841367850434107, "size": 9, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366754 }, { "func": "int tty_do_resize(struct tty_struct *tty, struct winsize *ws)\n{\n\tstruct pid *pgrp;\n\n\t/* Lock the tty */\n\tmutex_lock(&tty->winsize_mutex);\n\tif (!memcmp(ws, &tty->winsize, sizeof(*ws)))\n\t\tgoto done;\n\n\t/* Signal the foreground process group */\n\tpgrp = tty_get_pgrp(tty);\n\tif (pgrp)\n\t\tkill_pgrp(pgrp, SIGWINCH, 1);\n\tput_pid(pgrp);\n\n\ttty->winsize = *ws;\ndone:\n\tmutex_unlock(&tty->winsize_mutex);\n\treturn 0;\n}", "project": 
"linux", "hash": 291773438698044197060995566377154785845, "size": 20, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326019 }, { "func": "static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,\n\t\t\t\t\tstruct sk_buff *skb)\n{\n\tstruct hci_rp_le_read_def_data_len *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->le_def_tx_len = 
le16_to_cpu(rp->tx_len);\n\thdev->le_def_tx_time = le16_to_cpu(rp->tx_time);\n}", "project": "linux", "hash": 42158214115882352681565115376733160253, "size": 13, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431978 }, { "func": "static int ca8210_get_ed(struct ieee802154_hw *hw, u8 *level)\n{\n\tu8 lenvar;\n\tstruct ca8210_priv *priv = hw->priv;\n\n\treturn link_to_linux_err(\n\t\thwme_get_request_sync(HWME_EDVALUE, &lenvar, level, priv->spi)\n\t);\n}", "project": "linux", "hash": 120728684392339550896474032958077322897, "size": 9, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408781 }, { "func": "int kill_pgrp(struct pid *pid, int sig, int priv)\n{\n\tint ret;\n\n\tread_lock(&tasklist_lock);\n\tret = __kill_pgrp_info(sig, __si_special(priv), pid);\n\tread_unlock(&tasklist_lock);\n\n\treturn ret;\n}", "project": "linux", "hash": 223751540883095547201693581611308595865, "size": 10, "commit_id": 
"d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375227 }, { "func": "void CServer::SendConnectionReady(int ClientID)\n{\n\tCMsgPacker Msg(NETMSG_CON_READY, true);\n\tSendMsg(&Msg, MSGFLAG_VITAL|MSGFLAG_FLUSH, ClientID);\n}", "project": "teeworlds", "hash": 247789456450978071628568810610236803026, "size": 5, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382041 }, { "func": "static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs(\n\tstruct ecryptfs_crypt_stat *crypt_stat,\n\tstruct ecryptfs_mount_crypt_stat *mount_crypt_stat)\n{\n\tstruct ecryptfs_global_auth_tok *global_auth_tok;\n\tint rc = 0;\n\n\tmutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);\n\tlist_for_each_entry(global_auth_tok,\n\t\t\t &mount_crypt_stat->global_auth_tok_list,\n\t\t\t mount_crypt_stat_list) {\n\t\tif (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_FNEK)\n\t\t\tcontinue;\n\t\trc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig);\n\t\tif (rc) {\n\t\t\tprintk(KERN_ERR \"Error adding keysig; rc = [%d]\\n\", rc);\n\t\t\tmutex_unlock(\n\t\t\t\t&mount_crypt_stat->global_auth_tok_list_mutex);\n\t\t\tgoto out;\n\t\t}\n\t}\n\tmutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);\nout:\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 293938321385783011607246204938135907718, "size": 25, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide 
how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490166 }, { "func": "static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_cp_le_set_scan_param *cp;\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\thdev->le_scan_type = cp->type;\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 236586434227525250651538714417536742078, "size": 20, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431900 }, { "func": "CallResult> getForInPropertyNames(\n Runtime *runtime,\n Handle obj,\n uint32_t &beginIndex,\n uint32_t &endIndex) {\n Handle clazz(runtime, obj->getClass(runtime));\n\n // Fast case: Check the cache.\n MutableHandle arr(runtime, clazz->getForInCache(runtime));\n if (arr) {\n beginIndex = matchesProtoClasses(runtime, obj, arr);\n if (beginIndex) {\n // Cache is valid for this object, so use it.\n endIndex = arr->size();\n return arr;\n }\n // Invalid for this object. We choose to clear the cache since the\n // changes to the prototype chain probably affect other objects too.\n clazz->clearForInCache(runtime);\n // Clear arr to slightly reduce risk of OOM from allocation below.\n arr = nullptr;\n }\n\n // Slow case: Build the array of properties.\n auto ownPropEstimate = clazz->getNumProperties();\n auto arrRes = obj->shouldCacheForIn(runtime)\n ? 
BigStorage::createLongLived(runtime, ownPropEstimate)\n : BigStorage::create(runtime, ownPropEstimate);\n if (LLVM_UNLIKELY(arrRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n arr = std::move(*arrRes);\n if (setProtoClasses(runtime, obj, arr) == ExecutionStatus::EXCEPTION) {\n return ExecutionStatus::EXCEPTION;\n }\n beginIndex = arr->size();\n // If obj or any of its prototypes are unsuitable for caching, then\n // beginIndex is 0 and we return an array with only the property names.\n bool canCache = beginIndex;\n auto end = appendAllPropertyNames(obj, runtime, arr, beginIndex);\n if (end == ExecutionStatus::EXCEPTION) {\n return ExecutionStatus::EXCEPTION;\n }\n endIndex = *end;\n // Avoid degenerate memory explosion: if > 75% of the array is properties\n // or classes from prototypes, then don't cache it.\n const bool tooMuchProto = *end / 4 > ownPropEstimate;\n if (canCache && !tooMuchProto) {\n assert(beginIndex > 0 && \"cached array must start with proto classes\");\n#ifdef HERMES_SLOW_DEBUG\n assert(beginIndex == matchesProtoClasses(runtime, obj, arr) && \"matches\");\n#endif\n clazz->setForInCache(*arr, runtime);\n }\n return arr;\n}", "project": "hermes", "hash": 126819473946944834540159468707358249421, "size": 56, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230268 }, { "func": "int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)\n{\n\tstruct net *net = genl_info_net(info);\n\tstruct nlattr *attrs[TIPC_NLA_LINK_MAX + 1];\n\tstruct tipc_nl_msg msg;\n\tchar *name;\n\tint err;\n\n\tmsg.portid = info->snd_portid;\n\tmsg.seq = info->snd_seq;\n\n\tif (!info->attrs[TIPC_NLA_LINK])\n\t\treturn -EINVAL;\n\n\terr = nla_parse_nested_deprecated(attrs, TIPC_NLA_LINK_MAX,\n\t\t\t\t\t info->attrs[TIPC_NLA_LINK],\n\t\t\t\t\t tipc_nl_link_policy, info->extack);\n\tif (err)\n\t\treturn err;\n\n\tif (!attrs[TIPC_NLA_LINK_NAME])\n\t\treturn -EINVAL;\n\n\tname = nla_data(attrs[TIPC_NLA_LINK_NAME]);\n\n\tmsg.skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);\n\tif (!msg.skb)\n\t\treturn -ENOMEM;\n\n\tif (strcmp(name, tipc_bclink_name) == 0) {\n\t\terr = tipc_nl_add_bc_link(net, &msg, tipc_net(net)->bcl);\n\t\tif (err)\n\t\t\tgoto err_free;\n\t} else {\n\t\tint bearer_id;\n\t\tstruct tipc_node *node;\n\t\tstruct tipc_link *link;\n\n\t\tnode = tipc_node_find_by_name(net, name, &bearer_id);\n\t\tif (!node) {\n\t\t\terr = -EINVAL;\n\t\t\tgoto err_free;\n\t\t}\n\n\t\ttipc_node_read_lock(node);\n\t\tlink = node->links[bearer_id].link;\n\t\tif (!link) {\n\t\t\ttipc_node_read_unlock(node);\n\t\t\terr = -EINVAL;\n\t\t\tgoto err_free;\n\t\t}\n\n\t\terr = __tipc_nl_add_link(net, &msg, link, 0);\n\t\ttipc_node_read_unlock(node);\n\t\tif (err)\n\t\t\tgoto err_free;\n\t}\n\n\treturn genlmsg_reply(msg.skb, info);\n\nerr_free:\n\tnlmsg_free(msg.skb);\n\treturn err;\n}", "project": "linux", "hash": 131220177636193003751525746042750239089, "size": 64, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in 
tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 
arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 
arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364900 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "WebString WebGraphicsContext3DDefaultImpl::getString(unsigned long name)\n{\n makeContextCurrent();\n return WebString::fromUTF8(reinterpret_cast(glGetString(name)));\n}\n", "cwe": "", "big_vul_idx": 99006, "idx": 89063, "hash": 48916550759505221475693227135026443630 }, { "func": "static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)\n{\n\tstruct hci_cp_remote_name_req *cp;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\t/* If successful wait for the name req complete event before\n\t * checking for the need to do authentication */\n\tif (!status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);\n\n\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\thci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);\n\n\tif (!conn)\n\t\tgoto unlock;\n\n\tif (!hci_outgoing_auth_needed(hdev, conn))\n\t\tgoto unlock;\n\n\tif (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {\n\t\tstruct hci_cp_auth_requested auth_cp;\n\n\t\tset_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);\n\n\t\tauth_cp.handle = __cpu_to_le16(conn->handle);\n\t\thci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,\n\t\t\t sizeof(auth_cp), &auth_cp);\n\t}\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 217982462603061029906396603797195608264, "size": 42, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in 
hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432029 }, { "func": "static int svm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)\n{\n\tunsigned long host_cr4_mce = cr4_read_shadow() & X86_CR4_MCE;\n\tunsigned long old_cr4 = to_svm(vcpu)->vmcb->save.cr4;\n\n\tif (cr4 & X86_CR4_VMXE)\n\t\treturn 1;\n\n\tif (npt_enabled && ((old_cr4 ^ cr4) & X86_CR4_PGE))\n\t\tsvm_flush_tlb(vcpu, true);\n\n\tvcpu->arch.cr4 = cr4;\n\tif (!npt_enabled)\n\t\tcr4 |= X86_CR4_PAE;\n\tcr4 |= host_cr4_mce;\n\tto_svm(vcpu)->vmcb->save.cr4 = cr4;\n\tmark_dirty(to_svm(vcpu)->vmcb, VMCB_CR);\n\treturn 0;\n}", "project": "linux", "hash": 87174512511506860318705980200567334975, "size": 19, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432417 }, { "func": "static int svm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)\n{\n\tunsigned long host_cr4_mce = read_cr4() & X86_CR4_MCE;\n\tunsigned long old_cr4 = to_svm(vcpu)->vmcb->save.cr4;\n\n\tif (cr4 & X86_CR4_VMXE)\n\t\treturn 1;\n\n\tif (npt_enabled && ((old_cr4 ^ cr4) & X86_CR4_PGE))\n\t\tsvm_flush_tlb(vcpu);\n\n\tvcpu->arch.cr4 = cr4;\n\tif (!npt_enabled)\n\t\tcr4 |= X86_CR4_PAE;\n\tcr4 |= host_cr4_mce;\n\tto_svm(vcpu)->vmcb->save.cr4 = cr4;\n\tmark_dirty(to_svm(vcpu)->vmcb, VMCB_CR);\n\treturn 0;\n}", "project": "kvm", "hash": 74999087636211038241300328909257603056, "size": 19, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437598 }, { "func": "static int init_kmem_cache_nodes(struct kmem_cache *s)\n{\n\tint node;\n\n\tfor_each_node_state(node, N_NORMAL_MEMORY) {\n\t\tstruct kmem_cache_node *n;\n\n\t\tif (slab_state == DOWN) {\n\t\t\tearly_kmem_cache_node_alloc(node);\n\t\t\tcontinue;\n\t\t}\n\t\tn = kmem_cache_alloc_node(kmem_cache_node,\n\t\t\t\t\t\tGFP_KERNEL, node);\n\n\t\tif (!n) {\n\t\t\tfree_kmem_cache_nodes(s);\n\t\t\treturn 0;\n\t\t}\n\n\t\tinit_kmem_cache_node(n);\n\t\ts->node[node] = n;\n\t}\n\treturn 1;\n}", "project": "linux", "hash": 174151605495999611138609025725499267774, "size": 24, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N 
objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280059 }, { "func": "static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,\n\t\t\t\t char __user *optval, int __user *optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_association *asoc;\n\tstruct sctp_assoc_ids *ids;\n\tu32 num = 0;\n\n\tif (sctp_style(sk, TCP))\n\t\treturn -EOPNOTSUPP;\n\n\tif (len < sizeof(struct sctp_assoc_ids))\n\t\treturn -EINVAL;\n\n\tlist_for_each_entry(asoc, &(sp->ep->asocs), asocs) {\n\t\tnum++;\n\t}\n\n\tif (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num)\n\t\treturn -EINVAL;\n\n\tlen = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num;\n\n\tids = kmalloc(len, GFP_USER | __GFP_NOWARN);\n\tif (unlikely(!ids))\n\t\treturn -ENOMEM;\n\n\tids->gaids_number_of_ids = num;\n\tnum = 0;\n\tlist_for_each_entry(asoc, &(sp->ep->asocs), asocs) {\n\t\tids->gaids_assoc_id[num++] = asoc->assoc_id;\n\t}\n\n\tif (put_user(len, optlen) || copy_to_user(optval, ids, len)) {\n\t\tkfree(ids);\n\t\treturn -EFAULT;\n\t}\n\n\tkfree(ids);\n\treturn 0;\n}", "project": "linux", "hash": 218576740402663930146077463379325221623, "size": 41, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom 
the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398132 }, { "func": "ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,\n\t\t loff_t *ppos, int flags)\n{\n\tint write = flags & FUSE_DIO_WRITE;\n\tint cuse = flags & FUSE_DIO_CUSE;\n\tstruct file *file = io->iocb->ki_filp;\n\tstruct inode *inode = file->f_mapping->host;\n\tstruct fuse_file *ff = file->private_data;\n\tstruct fuse_conn *fc = ff->fm->fc;\n\tsize_t nmax = write ? 
fc->max_write : fc->max_read;\n\tloff_t pos = *ppos;\n\tsize_t count = iov_iter_count(iter);\n\tpgoff_t idx_from = pos >> PAGE_SHIFT;\n\tpgoff_t idx_to = (pos + count - 1) >> PAGE_SHIFT;\n\tssize_t res = 0;\n\tint err = 0;\n\tstruct fuse_io_args *ia;\n\tunsigned int max_pages;\n\n\tmax_pages = iov_iter_npages(iter, fc->max_pages);\n\tia = fuse_io_alloc(io, max_pages);\n\tif (!ia)\n\t\treturn -ENOMEM;\n\n\tia->io = io;\n\tif (!cuse && fuse_range_is_writeback(inode, idx_from, idx_to)) {\n\t\tif (!write)\n\t\t\tinode_lock(inode);\n\t\tfuse_sync_writes(inode);\n\t\tif (!write)\n\t\t\tinode_unlock(inode);\n\t}\n\n\tio->should_dirty = !write && iter_is_iovec(iter);\n\twhile (count) {\n\t\tssize_t nres;\n\t\tfl_owner_t owner = current->files;\n\t\tsize_t nbytes = min(count, nmax);\n\n\t\terr = fuse_get_user_pages(&ia->ap, iter, &nbytes, write,\n\t\t\t\t\t max_pages);\n\t\tif (err && !nbytes)\n\t\t\tbreak;\n\n\t\tif (write) {\n\t\t\tif (!capable(CAP_FSETID))\n\t\t\t\tia->write.in.write_flags |= FUSE_WRITE_KILL_SUIDGID;\n\n\t\t\tnres = fuse_send_write(ia, pos, nbytes, owner);\n\t\t} else {\n\t\t\tnres = fuse_send_read(ia, pos, nbytes, owner);\n\t\t}\n\n\t\tif (!io->async || nres < 0) {\n\t\t\tfuse_release_user_pages(&ia->ap, io->should_dirty);\n\t\t\tfuse_io_free(ia);\n\t\t}\n\t\tia = NULL;\n\t\tif (nres < 0) {\n\t\t\tiov_iter_revert(iter, nbytes);\n\t\t\terr = nres;\n\t\t\tbreak;\n\t\t}\n\t\tWARN_ON(nres > nbytes);\n\n\t\tcount -= nres;\n\t\tres += nres;\n\t\tpos += nres;\n\t\tif (nres != nbytes) {\n\t\t\tiov_iter_revert(iter, nbytes - nres);\n\t\t\tbreak;\n\t\t}\n\t\tif (count) {\n\t\t\tmax_pages = iov_iter_npages(iter, fc->max_pages);\n\t\t\tia = fuse_io_alloc(io, max_pages);\n\t\t\tif (!ia)\n\t\t\t\tbreak;\n\t\t}\n\t}\n\tif (ia)\n\t\tfuse_io_free(ia);\n\tif (res > 0)\n\t\t*ppos = pos;\n\n\treturn res > 0 ? 
res : err;\n}", "project": "linux", "hash": 41515794609042733994223795289211835156, "size": 86, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342079 }, { "func": "Value ExpressionRegex::nextMatch(RegexExecutionState* regexState) const {\n int execResult = execute(regexState);\n\n // No match.\n if (execResult < 0) {\n return Value(BSONNULL);\n }\n\n // Use 'input' as StringData throughout the function to avoid copying the string on 'substr'\n // calls.\n StringData input = *(regexState->input);\n\n auto verifyBounds = [&input, this](auto startPos, auto limitPos, auto isCapture) {\n // If a capture group was not matched, then the 'startPos' and 'limitPos' will both be -1.\n // These bounds cannot occur for a match on the full string.\n if (startPos == -1 || limitPos == -1) {\n massert(31304,\n str::stream() << \"Unexpected error occurred while executing \" << _opName\n << \". 
startPos: \" << startPos << \", limitPos: \" << limitPos,\n isCapture && startPos == -1 && limitPos == -1);\n return;\n }\n\n massert(31305,\n str::stream() << \"Unexpected error occurred while executing \" << _opName\n << \". startPos: \" << startPos,\n (startPos >= 0 && static_cast(startPos) <= input.size()));\n massert(31306,\n str::stream() << \"Unexpected error occurred while executing \" << _opName\n << \". limitPos: \" << limitPos,\n (limitPos >= 0 && static_cast(limitPos) <= input.size()));\n massert(31307,\n str::stream() << \"Unexpected error occurred while executing \" << _opName\n << \". startPos: \" << startPos << \", limitPos: \" << limitPos,\n startPos <= limitPos);\n };\n\n // The first and second entries of the 'capturesBuffer' will have the start and (end+1) indices\n // of the matched string, as byte offsets. '(limit - startIndex)' would be the length of the\n // captured string.\n verifyBounds(regexState->capturesBuffer[0], regexState->capturesBuffer[1], false);\n const int matchStartByteIndex = regexState->capturesBuffer[0];\n StringData matchedStr =\n input.substr(matchStartByteIndex, regexState->capturesBuffer[1] - matchStartByteIndex);\n\n // We iterate through the input string's contents preceding the match index, in order to convert\n // the byte offset to a code point offset.\n for (int byteIx = regexState->startBytePos; byteIx < matchStartByteIndex;\n ++(regexState->startCodePointPos)) {\n byteIx += getCodePointLength(input[byteIx]);\n }\n\n // Set the start index for match to the new one.\n regexState->startBytePos = matchStartByteIndex;\n\n std::vector captures;\n captures.reserve(regexState->numCaptures);\n\n // The next '2 * numCaptures' entries (after the first two entries) of 'capturesBuffer' will\n // hold the start index and limit pairs, for each of the capture groups. 
We skip the first two\n // elements and start iteration from 3rd element so that we only construct the strings for\n // capture groups.\n for (int i = 0; i < regexState->numCaptures; ++i) {\n const int start = regexState->capturesBuffer[2 * (i + 1)];\n const int limit = regexState->capturesBuffer[2 * (i + 1) + 1];\n verifyBounds(start, limit, true);\n\n // The 'start' and 'limit' will be set to -1, if the 'input' didn't match the current\n // capture group. In this case we put a 'null' placeholder in place of the capture group.\n captures.push_back(start == -1 && limit == -1 ? Value(BSONNULL)\n : Value(input.substr(start, limit - start)));\n }\n\n MutableDocument match;\n match.addField(\"match\", Value(matchedStr));\n match.addField(\"idx\", Value(regexState->startCodePointPos));\n match.addField(\"captures\", Value(captures));\n return match.freezeToValue();\n}", "project": "mongo", "hash": 321234757498409186184219412329543115906, "size": 79, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370057 }, { "func": "bool vma_policy_mof(struct vm_area_struct *vma)\n{\n\tstruct mempolicy *pol;\n\n\tif (vma->vm_ops && vma->vm_ops->get_policy) {\n\t\tbool ret = false;\n\n\t\tpol = vma->vm_ops->get_policy(vma, vma->vm_start);\n\t\tif (pol && (pol->flags & MPOL_F_MOF))\n\t\t\tret = true;\n\t\tmpol_cond_put(pol);\n\n\t\treturn ret;\n\t}\n\n\tpol = vma->vm_policy;\n\tif (!pol)\n\t\tpol = get_task_policy(current);\n\n\treturn pol->flags & MPOL_F_MOF;\n}", "project": "linux", "hash": 86035000236446177868752701512839952578, "size": 21, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366792 }, { "func": "bool CClient::IsValidIdentifier(const CString& sIdentifier) {\n // ^[-\\w]+$\n\n if (sIdentifier.empty()) {\n return false;\n }\n\n const char* p = sIdentifier.c_str();\n while (*p) {\n if (*p != '_' && *p != '-' && !isalnum(*p)) {\n return false;\n }\n\n p++;\n }\n\n return true;\n}", "project": "znc", "hash": 289110523791817900122444168365582556639, "size": 18, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231557 }, { "func": "static inline unsigned int slab_order(unsigned int size,\n\t\tunsigned int min_objects, unsigned int max_order,\n\t\tunsigned int fract_leftover)\n{\n\tunsigned int min_order = slub_min_order;\n\tunsigned int order;\n\n\tif (order_objects(min_order, size) > MAX_OBJS_PER_PAGE)\n\t\treturn get_order(size * MAX_OBJS_PER_PAGE) - 1;\n\n\tfor (order = max(min_order, (unsigned int)get_order(min_objects * size));\n\t\t\torder <= max_order; order++) {\n\n\t\tunsigned int slab_size = (unsigned int)PAGE_SIZE << order;\n\t\tunsigned int rem;\n\n\t\trem = slab_size % size;\n\n\t\tif (rem <= slab_size / fract_leftover)\n\t\t\tbreak;\n\t}\n\n\treturn order;\n}", "project": "linux", "hash": 235324817248815173742934594304925818897, "size": 24, "commit_id": 
"fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280096 }, { "func": "rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrblob blob, char **emsg)\n{\n int32_t block[4];\n int32_t *bs = (magic != 0) ? &block[0] : &block[2];\n int blen = (magic != 0) ? 
sizeof(block) : sizeof(block) / 2;\n int32_t il;\n int32_t dl;\n int32_t * ei = NULL;\n size_t uc;\n size_t nb;\n rpmRC rc = RPMRC_FAIL;\t\t/* assume failure */\n int xx;\n\n memset(block, 0, sizeof(block));\n if ((xx = Freadall(fd, bs, blen)) != blen) {\n\trasprintf(emsg,\n\t\t_(\"hdr size(%d): BAD, read returned %d\"), blen, xx);\n\tgoto exit;\n }\n if (magic && memcmp(block, rpm_header_magic, sizeof(rpm_header_magic))) {\n\trasprintf(emsg, _(\"hdr magic: BAD\"));\n\tgoto exit;\n }\n il = ntohl(block[2]);\n dl = ntohl(block[3]);\n if (hdrblobVerifyLengths(regionTag, il, dl, emsg))\n\tgoto exit;\n\n nb = (il * sizeof(struct entryInfo_s)) + dl;\n uc = sizeof(il) + sizeof(dl) + nb;\n ei = xmalloc(uc);\n ei[0] = block[2];\n ei[1] = block[3];\n if ((xx = Freadall(fd, (char *)&ei[2], nb)) != nb) {\n\trasprintf(emsg, _(\"hdr blob(%zd): BAD, read returned %d\"), nb, xx);\n\tgoto exit;\n }\n\n if (regionTag == RPMTAG_HEADERSIGNATURES) {\n\tsize_t sigSize = uc + sizeof(rpm_header_magic);\n\tsize_t pad = (8 - (sigSize % 8)) % 8;\n\tsize_t trc;\n\tif (pad && (trc = Freadall(fd, block, pad)) != pad) {\n\t rasprintf(emsg, _(\"sigh pad(%zd): BAD, read %zd bytes\"), pad, trc);\n\t goto exit;\n\t}\n }\n\n rc = hdrblobInit(ei, uc, regionTag, exact_size, blob, emsg);\n\nexit:\n if (rc != RPMRC_OK) {\n\tfree(ei);\n\tblob->ei = NULL;\n\tif (emsg && *emsg && regionTag == RPMTAG_HEADERSIGNATURES) {\n\t /* rstrscat() cannot handle overlap even if it claims so */\n\t char *tmp = rstrscat(NULL, _(\"signature \"), *emsg, NULL);\n\t free(*emsg);\n\t *emsg = tmp;\n\t}\n }\n\n return rc;\n}", "project": "rpm", "hash": 300748354672005893317369505807335642941, "size": 64, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318195 }, { "func": "static ssize_t cpu_slabs_show(struct kmem_cache *s, char 
*buf)\n{\n\treturn show_slab_objects(s, buf, SO_CPU);\n}", "project": "linux", "hash": 158299427538454916390479914527966774273, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280173 }, { "func": "static int may_create_in_sticky(struct dentry * const dir,\n\t\t\t\tstruct inode * const inode)\n{\n\tif ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||\n\t (!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||\n\t likely(!(dir->d_inode->i_mode & S_ISVTX)) ||\n\t uid_eq(inode->i_uid, dir->d_inode->i_uid) ||\n\t uid_eq(current_fsuid(), inode->i_uid))\n\t\treturn 0;\n\n\tif (likely(dir->d_inode->i_mode & 0002) ||\n\t (dir->d_inode->i_mode & 0020 &&\n\t ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||\n\t (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {\n\t\tconst char *operation = S_ISFIFO(inode->i_mode) ?\n\t\t\t\t\t\"sticky_create_fifo\" :\n\t\t\t\t\t\"sticky_create_regular\";\n\t\taudit_log_path_denied(AUDIT_ANOM_CREAT, operation);\n\t\treturn -EACCES;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 20871760417441141942075932160806615554, "size": 22, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid 
before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 1, "dataset": "other", "idx": 199916 }, { "func": "static int may_create_in_sticky(umode_t dir_mode, kuid_t dir_uid,\n\t\t\t\tstruct inode * const inode)\n{\n\tif ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||\n\t (!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||\n\t likely(!(dir_mode & S_ISVTX)) ||\n\t uid_eq(inode->i_uid, dir_uid) ||\n\t uid_eq(current_fsuid(), inode->i_uid))\n\t\treturn 0;\n\n\tif (likely(dir_mode & 0002) ||\n\t (dir_mode & 0020 &&\n\t ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||\n\t (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {\n\t\tconst char *operation = S_ISFIFO(inode->i_mode) ?\n\t\t\t\t\t\"sticky_create_fifo\" :\n\t\t\t\t\t\"sticky_create_regular\";\n\t\taudit_log_path_denied(AUDIT_ANOM_CREAT, operation);\n\t\treturn -EACCES;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 265796941351907819719857276883338893990, "size": 22, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295331 }, { "func": "\treturn err;\n}\n\nstatic int iscsi_set_chap(struct iscsi_transport *transport,\n\t\t\t struct iscsi_uevent *ev, uint32_t len)\n{\n\tchar *data = (char *)ev + sizeof(*ev);\n\tstruct Scsi_Host *shost;\n\tint err = 0;\n\n\tif (!transport->set_chap)\n\t\treturn -ENOSYS;\n\n\tshost = scsi_host_lookup(ev->u.set_path.host_no);\n\tif (!shost) {\n\t\tpr_err(\"%s could not find host no %u\\n\",\n\t\t __func__, ev->u.set_path.host_no);\n\t\treturn 
-ENODEV;\n\t}\n\n\terr = transport->set_chap(shost, data, len);", "project": "linux", "hash": 61752283917317876656621953013010915645, "size": 21, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379985 }, { "func": "static int rle_uncompress(EXRContext *ctx, const uint8_t *src, int compressed_size,\n int uncompressed_size, EXRThreadData *td)\n{\n rle(td->tmp, src, compressed_size, uncompressed_size);\n\n av_assert1(uncompressed_size % 2 == 0);\n\n ctx->dsp.predictor(td->tmp, uncompressed_size);\n ctx->dsp.reorder_pixels(td->uncompressed_data, td->tmp, uncompressed_size);\n\n return 0;\n}", "project": "FFmpeg", "hash": 174804187851433231095850590988400826026, "size": 12, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262676 }, { "func": "static ssize_t fuse_async_req_send(struct fuse_mount *fm,\n\t\t\t\t struct fuse_io_args *ia, size_t num_bytes)\n{\n\tssize_t err;\n\tstruct fuse_io_priv *io = ia->io;\n\n\tspin_lock(&io->lock);\n\tkref_get(&io->refcnt);\n\tio->size += num_bytes;\n\tio->reqs++;\n\tspin_unlock(&io->lock);\n\n\tia->ap.args.end = fuse_aio_complete_req;\n\tia->ap.args.may_block = io->should_dirty;\n\terr = fuse_simple_background(fm, &ia->ap.args, GFP_KERNEL);\n\tif (err)\n\t\tfuse_aio_complete_req(fm, &ia->ap.args, err);\n\n\treturn num_bytes;\n}", 
"project": "linux", "hash": 134125376357340839744980995261214414711, "size": 20, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341881 }, { "func": "int kvm_vcpu_read_guest(struct kvm_vcpu *vcpu, gpa_t gpa, void *data, unsigned long len)\n{\n\tgfn_t gfn = gpa >> PAGE_SHIFT;\n\tint seg;\n\tint offset = offset_in_page(gpa);\n\tint ret;\n\n\twhile ((seg = next_segment(len, offset)) != 0) {\n\t\tret = kvm_vcpu_read_guest_page(vcpu, gfn, data, offset, seg);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t\toffset = 0;\n\t\tlen -= seg;\n\t\tdata += seg;\n\t\t++gfn;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 190772551267259202188355344908266026325, "size": 18, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size 
memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354481 }, { "func": "bool close_cached_tables(THD *thd, TABLE_LIST *tables,\n bool wait_for_refresh, ulong timeout)\n{\n DBUG_ENTER(\"close_cached_tables\");\n DBUG_ASSERT(thd || (!wait_for_refresh && !tables));\n DBUG_ASSERT(wait_for_refresh || !tables);\n\n if (!tables)\n {\n /* Free tables that are not used */\n purge_tables(false);\n if (!wait_for_refresh)\n DBUG_RETURN(false);\n }\n\n DBUG_PRINT(\"info\", (\"open table definitions: %d\",\n (int) tdc_records()));\n\n if (thd->locked_tables_mode)\n {\n /*\n If we are under LOCK TABLES, we need to reopen the tables without\n opening a door for any concurrent threads to sneak in and get\n lock on our tables. To achieve this we use exclusive metadata\n locks.\n */\n TABLE_LIST *tables_to_reopen= (tables ? tables :\n thd->locked_tables_list.locked_tables());\n bool result= false;\n\n /* close open HANDLER for this thread to allow table to be closed */\n mysql_ha_flush_tables(thd, tables_to_reopen);\n\n for (TABLE_LIST *table_list= tables_to_reopen; table_list;\n table_list= table_list->next_global)\n {\n int err;\n /* A check that the table was locked for write is done by the caller. */\n TABLE *table= find_table_for_mdl_upgrade(thd, table_list->db.str,\n table_list->table_name.str, &err);\n\n /* May return NULL if this table has already been closed via an alias. */\n if (! 
table)\n continue;\n\n if (thd->mdl_context.upgrade_shared_lock(table->mdl_ticket, MDL_EXCLUSIVE,\n timeout))\n {\n result= true;\n break;\n }\n table->file->extra(HA_EXTRA_PREPARE_FOR_FORCED_CLOSE);\n close_all_tables_for_name(thd, table->s, HA_EXTRA_NOT_USED, NULL);\n }\n /*\n No other thread has the locked tables open; reopen them and get the\n old locks. This should always succeed (unless some external process\n has removed the tables)\n */\n if (thd->locked_tables_list.reopen_tables(thd, false))\n result= true;\n\n /*\n Since downgrade_lock() won't do anything with shared\n metadata lock it is much simpler to go through all open tables rather\n than picking only those tables that were flushed.\n */\n for (TABLE *tab= thd->open_tables; tab; tab= tab->next)\n tab->mdl_ticket->downgrade_lock(MDL_SHARED_NO_READ_WRITE);\n\n DBUG_RETURN(result);\n }\n else if (tables)\n {\n /*\n Get an explicit MDL lock for all requested tables to ensure they are\n not used by any other thread\n */\n MDL_request_list mdl_requests;\n\n DBUG_PRINT(\"info\", (\"Waiting for other threads to close their open tables\"));\n DEBUG_SYNC(thd, \"after_flush_unlock\");\n\n /* close open HANDLER for this thread to allow table to be closed */\n mysql_ha_flush_tables(thd, tables);\n\n for (TABLE_LIST *table= tables; table; table= table->next_local)\n {\n MDL_request *mdl_request= new (thd->mem_root) MDL_request;\n if (mdl_request == NULL)\n DBUG_RETURN(true);\n mdl_request->init(&table->mdl_request.key, MDL_EXCLUSIVE, MDL_STATEMENT);\n mdl_requests.push_front(mdl_request);\n }\n\n if (thd->mdl_context.acquire_locks(&mdl_requests, timeout))\n DBUG_RETURN(true);\n\n for (TABLE_LIST *table= tables; table; table= table->next_local)\n tdc_remove_table(thd, TDC_RT_REMOVE_ALL, table->db.str,\n table->table_name.str, false);\n }\n DBUG_RETURN(false);\n}", "target": 0, "cwe": [ "CWE-416" ], "project": "server", "commit_id": "0beed9b5e933f0ff79b3bb346524f7a451d14e38", "hash": 
229574670116056727972022425867888727172, "size": 104, "message": "MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING\n\nwhen resolving WHERE and ON clauses, do not look in\nSELECT list/aliases.", "dataset": "other", "idx": 514552 }, { "func": "sort_variables (array)\n SHELL_VAR **array;\n{\n qsort (array, strvec_len ((char **)array), sizeof (SHELL_VAR *), (QSFUNC *)qsort_var_comp);\n}", "project": "bash", "hash": 239995596564346812785319827220081425632, "size": 5, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379561 }, { "func": "R_API void r_core_bind_cons(RCore *core) {\n\tcore->cons->num = core->num;\n\tcore->cons->cb_fkey = (RConsFunctionKey)__cons_cb_fkey;\n\tcore->cons->cb_editor = (RConsEditorCallback)r_core_editor;\n\tcore->cons->cb_break = (RConsBreakCallback)r_core_break;\n\tcore->cons->cb_sleep_begin = (RConsSleepBeginCallback)r_core_sleep_begin;\n\tcore->cons->cb_sleep_end = (RConsSleepEndCallback)r_core_sleep_end;\n\tcore->cons->cb_task_oneshot = (RConsQueueTaskOneshot) r_core_task_enqueue_oneshot;\n\tcore->cons->user = (void*)core;\n}", "project": "radare2", "hash": 2306955647772548218370958967825799394, "size": 10, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232144 }, { "func": "static void hci_cc_le_read_supported_states(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_le_read_supported_states *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tmemcpy(hdev->le_states, rp->le_states, 8);\n}", "project": "linux", "hash": 137532929018116948911329380733411730557, "size": 12, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in 
hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431956 }, { "func": "static int sctp_setsockopt_auth_supported(struct sock *sk,\n\t\t\t\t\t struct sctp_assoc_value *params,\n\t\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_association *asoc;\n\tstruct sctp_endpoint *ep;\n\tint retval = -EINVAL;\n\n\tif (optlen != sizeof(*params))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params->assoc_id);\n\tif (!asoc && params->assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\tgoto out;\n\n\tep = sctp_sk(sk)->ep;\n\tif (params->assoc_value) {\n\t\tretval = sctp_auth_init(ep, GFP_KERNEL);\n\t\tif (retval)\n\t\t\tgoto out;\n\t\tif (ep->asconf_enable) {\n\t\t\tsctp_auth_ep_add_chunkid(ep, SCTP_CID_ASCONF);\n\t\t\tsctp_auth_ep_add_chunkid(ep, SCTP_CID_ASCONF_ACK);\n\t\t}\n\t}\n\n\tep->auth_enable = !!params->assoc_value;\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 503370115226636102757062858481243856, "size": 33, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398172 }, { "func": "static void ebb_switch_out(unsigned long mmcr0)\n{\n\tif (!(mmcr0 & MMCR0_EBE))\n\t\treturn;\n\n\tcurrent->thread.siar = mfspr(SPRN_SIAR);\n\tcurrent->thread.sier = mfspr(SPRN_SIER);\n\tcurrent->thread.sdar = mfspr(SPRN_SDAR);\n\tcurrent->thread.mmcr0 = mmcr0 & MMCR0_USER_MASK;\n\tcurrent->thread.mmcr2 = mfspr(SPRN_MMCR2) & MMCR2_USER_MASK;\n\tif (ppmu->flags & PPMU_ARCH_31) {\n\t\tcurrent->thread.mmcr3 = mfspr(SPRN_MMCR3);\n\t\tcurrent->thread.sier2 = mfspr(SPRN_SIER2);\n\t\tcurrent->thread.sier3 = mfspr(SPRN_SIER3);\n\t}\n}", "project": "linux", "hash": 111063688544843164926226523414594525819, "size": 16, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n 
__perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374675 }, { "func": "static void ebb_switch_out(unsigned long mmcr0) { }", "project": "linux", "hash": 143220929522528422549339842343354204935, "size": 1, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n 
hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374680 }, { "func": "static void svm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tu32 dummy;\n\tu32 eax = 1;\n\n\tsvm->spec_ctrl = 0;\n\tsvm->virt_spec_ctrl = 0;\n\n\tif (!init_event) {\n\t\tsvm->vcpu.arch.apic_base = APIC_DEFAULT_PHYS_BASE |\n\t\t\t\t\t MSR_IA32_APICBASE_ENABLE;\n\t\tif (kvm_vcpu_is_reset_bsp(&svm->vcpu))\n\t\t\tsvm->vcpu.arch.apic_base |= MSR_IA32_APICBASE_BSP;\n\t}\n\tinit_vmcb(svm);\n\n\tkvm_cpuid(vcpu, &eax, &dummy, &dummy, &dummy, true);\n\tkvm_rdx_write(vcpu, eax);\n\n\tif (kvm_vcpu_apicv_active(vcpu) && !init_event)\n\t\tavic_update_vapic_bar(svm, APIC_DEFAULT_PHYS_BASE);\n}", "project": "linux", "hash": 299021880721079611394649108351599506017, "size": 23, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432470 }, { "func": "static void svm_vcpu_reset(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tu32 dummy;\n\tu32 eax = 1;\n\n\tinit_vmcb(svm);\n\n\tkvm_cpuid(vcpu, &eax, &dummy, &dummy, &dummy);\n\tkvm_register_write(vcpu, VCPU_REGS_RDX, eax);\n}", "project": "kvm", "hash": 304349622747027344904182123330146996465, "size": 11, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437625 }, { "func": "static bool nfs_need_update_open_stateid(struct nfs4_state *state,\n\t\tconst nfs4_stateid *stateid)\n{\n\tif (test_bit(NFS_OPEN_STATE, &state->flags) == 0 ||\n\t !nfs4_stateid_match_other(stateid, &state->open_stateid)) {\n\t\tif (stateid->seqid == cpu_to_be32(1))\n\t\t\tnfs_state_log_update_open_stateid(state);\n\t\telse\n\t\t\tset_bit(NFS_STATE_CHANGE_WAIT, &state->flags);\n\t\treturn true;\n\t}\n\n\tif (nfs4_stateid_is_newer(stateid, &state->open_stateid)) {\n\t\tnfs_state_log_out_of_order_open_stateid(state, stateid);\n\t\treturn true;\n\t}\n\treturn false;\n}", "project": "linux", "hash": 203010163597051495902090048140898266577, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431098 }, { "func": "static void nf_tables_obj_notify(const struct nft_ctx *ctx,\n\t\t\t\t struct nft_object *obj, int event)\n{\n\tnft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,\n\t\t ctx->family, ctx->report, GFP_KERNEL);\n}", "project": "linux", "hash": 
112422100910286661834279350989706390347, "size": 6, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328341 }, { "func": "static void tcp_add_reno_sack(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\ttp->sacked_out++;\n\ttcp_check_reno_reordering(sk, 0);\n\ttcp_verify_left_out(tp);\n}", "project": "net-next", "hash": 122806066895695274309885267308191908281, "size": 7, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: 
David S. Miller ", "target": 0, "dataset": "other", "idx": 409903 }, { "func": "bool kvm_is_zone_device_pfn(kvm_pfn_t pfn)\n{\n\t/*\n\t * The metadata used by is_zone_device_page() to determine whether or\n\t * not a page is ZONE_DEVICE is guaranteed to be valid if and only if\n\t * the device has been pinned, e.g. by get_user_pages(). WARN if the\n\t * page_count() is zero to help detect bad usage of this helper.\n\t */\n\tif (!pfn_valid(pfn) || WARN_ON_ONCE(!page_count(pfn_to_page(pfn))))\n\t\treturn false;\n\n\treturn is_zone_device_page(pfn_to_page(pfn));\n}", "project": "linux", "hash": 319573104923100737466361862206234037322, "size": 13, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354560 }, { "func": "static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code,\n\t\t\t\tgfp_t priority)\n{\n\tconst struct pnpipehdr *oph = pnp_hdr(oskb);\n\tstruct sk_buff *skb;\n\tstruct pnpipehdr *ph;\n\tstruct sockaddr_pn dst;\n\tu8 data[4] = {\n\t\toph->pep_type, /* PEP type */\n\t\tcode, /* error code, at an unusual offset */\n\t\tPAD, PAD,\n\t};\n\n\tskb = pep_alloc_skb(sk, data, 4, priority);\n\tif (!skb)\n\t\treturn -ENOMEM;\n\n\tph = pnp_hdr(skb);\n\tph->utid = oph->utid;\n\tph->message_id = PNS_PEP_CTRL_RESP;\n\tph->pipe_handle = oph->pipe_handle;\n\tph->data0 = oph->data[0]; /* 
CTRL id */\n\n\tpn_skb_get_src_sockaddr(oskb, &dst);\n\treturn pn_skb_send(sk, skb, &dst);\n}", "project": "linux", "hash": 57471703150354991787621597241706841296, "size": 26, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224797 }, { "func": "static inline int get_archive_read(struct archive* a,\n struct archive_read** ar)\n{\n\t*ar = (struct archive_read*) a;\n\tarchive_check_magic(a, ARCHIVE_READ_MAGIC, ARCHIVE_STATE_NEW,\n\t \"archive_read_support_format_rar5\");\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 259140978845878524658637161436243802293, "size": 9, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244768 }, { "func": "CairoFont::CairoFont(Ref ref, cairo_font_face_t *cairo_font_face, FT_Face face,\n Gushort *codeToGID, int codeToGIDLen) : ref(ref), cairo_font_face(cairo_font_face),\n\t\t\t\t\t face(face), codeToGID(codeToGID),\n\t\t\t\t\t codeToGIDLen(codeToGIDLen) { }", "project": "poppler", "hash": 283006336515570246710077745196775015907, "size": 4, "commit_id": "1a531dcfee1c6fc79a414c38cbe7327fbf9a59d8", "message": "Fix a crash with invalid embedded fonts", "target": 0, "dataset": "other", "idx": 421887 }, { "func": "static int get_swift_container_settings(req_state * const s,\n RGWRados * const store,\n RGWAccessControlPolicy * const policy,\n bool * const has_policy,\n uint32_t * rw_mask,\n RGWCORSConfiguration * const cors_config,\n bool * const has_cors)\n{\n const char * const read_list = s->info.env->get(\"HTTP_X_CONTAINER_READ\");\n const char * const write_list = s->info.env->get(\"HTTP_X_CONTAINER_WRITE\");\n\n *has_policy = false;\n\n if (read_list || write_list) {\n RGWAccessControlPolicy_SWIFT swift_policy(s->cct);\n const auto r = swift_policy.create(store,\n s->user->user_id,\n s->user->display_name,\n read_list,\n write_list,\n *rw_mask);\n if (r < 0) {\n return r;\n }\n\n *policy = swift_policy;\n *has_policy = true;\n }\n\n *has_cors = false;\n\n /*Check and update CORS configuration*/\n const char *allow_origins = s->info.env->get(\"HTTP_X_CONTAINER_META_ACCESS_CONTROL_ALLOW_ORIGIN\");\n const char *allow_headers = 
s->info.env->get(\"HTTP_X_CONTAINER_META_ACCESS_CONTROL_ALLOW_HEADERS\");\n const char *expose_headers = s->info.env->get(\"HTTP_X_CONTAINER_META_ACCESS_CONTROL_EXPOSE_HEADERS\");\n const char *max_age = s->info.env->get(\"HTTP_X_CONTAINER_META_ACCESS_CONTROL_MAX_AGE\");\n if (allow_origins) {\n RGWCORSConfiguration_SWIFT *swift_cors = new RGWCORSConfiguration_SWIFT;\n int r = swift_cors->create_update(allow_origins, allow_headers, expose_headers, max_age);\n if (r < 0) {\n dout(0) << \"Error creating/updating the cors configuration\" << dendl;\n delete swift_cors;\n return r;\n }\n *has_cors = true;\n *cors_config = *swift_cors;\n cors_config->dump();\n delete swift_cors;\n }\n\n return 0;\n}", "project": "ceph", "hash": 76953042888846780398049025798878534245, "size": 52, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448843 }, { "func": "static int input_defuzz_abs_event(int value, int old_val, int fuzz)\n{\n\tif (fuzz) {\n\t\tif (value > old_val - fuzz / 2 && value < old_val + fuzz / 2)\n\t\t\treturn old_val;\n\n\t\tif (value > old_val - fuzz && value < old_val + fuzz)\n\t\t\treturn (old_val * 3 + value) / 4;\n\n\t\tif (value > old_val - fuzz * 2 && value < old_val + fuzz * 2)\n\t\t\treturn (old_val + value) / 2;\n\t}\n\n\treturn value;\n}", "project": "linux", "hash": 134538726938588704368951598182139129729, "size": 15, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other 
objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353305 }, { "func": "static bool scan_use_rpa(struct hci_dev *hdev)\n{\n\treturn hci_dev_test_flag(hdev, HCI_PRIVACY);\n}", "project": "linux", "hash": 116758202028591129547381912164410991337, "size": 4, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402498 }, { "func": "static bool pb_field_next(pb_field_iterator_t *iter)\n{\n bool notwrapped = true;\n size_t prev_size = iter->pos->data_size;\n \n if (PB_ATYPE(iter->pos->type) == PB_ATYPE_STATIC &&\n PB_HTYPE(iter->pos->type) == PB_HTYPE_REPEATED)\n {\n prev_size *= iter->pos->array_size;\n }\n else if (PB_ATYPE(iter->pos->type) == PB_ATYPE_POINTER)\n {\n prev_size = sizeof(void*);\n }\n \n if (iter->pos->tag == 0)\n return false; /* Only happens with empty message types */\n \n if (PB_HTYPE(iter->pos->type) == PB_HTYPE_REQUIRED)\n iter->required_field_index++;\n \n iter->pos++;\n iter->field_index++;\n if (iter->pos->tag == 0)\n {\n iter->pos = iter->start;\n iter->field_index = 0;\n iter->required_field_index = 0;\n iter->pData = iter->dest_struct;\n prev_size = 0;\n notwrapped = false;\n }\n \n iter->pData = (char*)iter->pData + prev_size + iter->pos->data_offset;\n iter->pSize = (char*)iter->pData + iter->pos->size_offset;\n return notwrapped;\n}", "project": "nanopb", "hash": 64559596038679460347182064961075009414, "size": 37, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255324 }, { "func": "static inline void kvm_clear_request(int req, struct kvm_vcpu *vcpu)\n{\n\tclear_bit(req & KVM_REQUEST_MASK, (void *)&vcpu->requests);\n}", "project": "linux", "hash": 17050560743686720946678572108609814850, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check 
for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354723 }, { "func": "static int futex_proxy_trylock_atomic(u32 __user *pifutex,\n\t\t\t\t struct futex_hash_bucket *hb1,\n\t\t\t\t struct futex_hash_bucket *hb2,\n\t\t\t\t union futex_key *key1, union futex_key *key2,\n\t\t\t\t struct futex_pi_state **ps, int set_waiters)\n{\n\tstruct futex_q *top_waiter = NULL;\n\tu32 curval;\n\tint ret;\n\n\tif (get_futex_value_locked(&curval, pifutex))\n\t\treturn -EFAULT;\n\n\t/*\n\t * Find the top_waiter and determine if there are additional waiters.\n\t * If the caller intends to requeue more than 1 waiter to pifutex,\n\t * force futex_lock_pi_atomic() to set the FUTEX_WAITERS bit now,\n\t * as we have means to handle the possible fault. If not, don't set\n\t * the bit unecessarily as it will force the subsequent unlock to enter\n\t * the kernel.\n\t */\n\ttop_waiter = futex_top_waiter(hb1, key1);\n\n\t/* There are no waiters, nothing for us to do. */\n\tif (!top_waiter)\n\t\treturn 0;\n\n\t/* Ensure we requeue to the expected futex. */\n\tif (!match_futex(top_waiter->requeue_pi_key, key2))\n\t\treturn -EINVAL;\n\n\t/*\n\t * Try to take the lock for top_waiter. Set the FUTEX_WAITERS bit in\n\t * the contended case or if set_waiters is 1. 
The pi_state is returned\n\t * in ps in contended cases.\n\t */\n\tret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,\n\t\t\t\t set_waiters);\n\tif (ret == 1)\n\t\trequeue_pi_wake_futex(top_waiter, key2, hb2);\n\n\treturn ret;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 5453227605552397602795484293661815856, "size": 43, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492315 }, { "func": "static int avic_init_backing_page(struct kvm_vcpu *vcpu)\n{\n\tu64 *entry, new_entry;\n\tint id = vcpu->vcpu_id;\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (id >= AVIC_MAX_PHYSICAL_ID_COUNT)\n\t\treturn -EINVAL;\n\n\tif (!svm->vcpu.arch.apic->regs)\n\t\treturn -EINVAL;\n\n\tif (kvm_apicv_activated(vcpu->kvm)) {\n\t\tint ret;\n\n\t\tret = avic_update_access_page(vcpu->kvm, true);\n\t\tif (ret)\n\t\t\treturn ret;\n\t}\n\n\tsvm->avic_backing_page = virt_to_page(svm->vcpu.arch.apic->regs);\n\n\t/* Setting AVIC backing page address in the phy APIC ID table */\n\tentry = avic_get_physical_id_entry(vcpu, id);\n\tif (!entry)\n\t\treturn -EINVAL;\n\n\tnew_entry = __sme_set((page_to_phys(svm->avic_backing_page) &\n\t\t\t AVIC_PHYSICAL_ID_ENTRY_BACKING_PAGE_MASK) |\n\t\t\t AVIC_PHYSICAL_ID_ENTRY_VALID_MASK);\n\tWRITE_ONCE(*entry, new_entry);\n\n\tsvm->avic_physical_id_cache = entry;\n\n\treturn 0;\n}", "project": "linux", "hash": 51380897533343607196473624854242649865, "size": 36, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432614 }, { "func": "void RGWListBuckets_ObjStore_SWIFT::handle_listing_chunk(RGWUserBuckets&& buckets)\n{\n if (wants_reversed) {\n /* Just store in the reversal buffer. Its content will be handled later,\n * in send_response_end(). */\n reverse_buffer.emplace(std::begin(reverse_buffer), std::move(buckets));\n } else {\n return send_response_data(buckets);\n }\n}", "project": "ceph", "hash": 10204849441236054329115888984674096533, "size": 10, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448854 }, { "func": "static int core_create_proxy_req(request_rec *r, request_rec *pr)\n{\n return core_create_req(pr);\n}", "project": "httpd", "hash": 237081513539970072152885467529321833883, "size": 4, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246311 }, { "func": "static void sd_reset_snapshot(struct gspca_dev *gspca_dev)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\tif (!sd->snapshot_needs_reset)\n\t\treturn;\n\n\t/* Note it is important that we clear 
sd->snapshot_needs_reset,\n\t before actually clearing the snapshot state in the bridge\n\t otherwise we might race with the pkt_scan interrupt handler */\n\tsd->snapshot_needs_reset = 0;\n\n\tswitch (sd->bridge) {\n\tcase BRIDGE_OV511:\n\tcase BRIDGE_OV511PLUS:\n\t\treg_w(sd, R51x_SYS_SNAP, 0x02);\n\t\treg_w(sd, R51x_SYS_SNAP, 0x00);\n\t\tbreak;\n\tcase BRIDGE_OV518:\n\tcase BRIDGE_OV518PLUS:\n\t\treg_w(sd, R51x_SYS_SNAP, 0x02); /* Reset */\n\t\treg_w(sd, R51x_SYS_SNAP, 0x01); /* Enable */\n\t\tbreak;\n\tcase BRIDGE_OV519:\n\t\treg_w(sd, R51x_SYS_RESET, 0x40);\n\t\treg_w(sd, R51x_SYS_RESET, 0x00);\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 194295921510584986106164648035422235032, "size": 29, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306324 }, { "func": "static int verify_address_len(const void *p)\n{\n\tconst struct sadb_address *sp = p;\n\tconst struct sockaddr *addr = (const struct sockaddr *)(sp + 1);\n\tconst struct sockaddr_in *sin;\n#if IS_ENABLED(CONFIG_IPV6)\n\tconst struct sockaddr_in6 *sin6;\n#endif\n\tint len;\n\n\tif (sp->sadb_address_len <\n\t DIV_ROUND_UP(sizeof(*sp) + offsetofend(typeof(*addr), sa_family),\n\t\t\t sizeof(uint64_t)))\n\t\treturn -EINVAL;\n\n\tswitch (addr->sa_family) {\n\tcase 
AF_INET:\n\t\tlen = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin), sizeof(uint64_t));\n\t\tif (sp->sadb_address_len != len ||\n\t\t sp->sadb_address_prefixlen > 32)\n\t\t\treturn -EINVAL;\n\t\tbreak;\n#if IS_ENABLED(CONFIG_IPV6)\n\tcase AF_INET6:\n\t\tlen = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin6), sizeof(uint64_t));\n\t\tif (sp->sadb_address_len != len ||\n\t\t sp->sadb_address_prefixlen > 128)\n\t\t\treturn -EINVAL;\n\t\tbreak;\n#endif\n\tdefault:\n\t\t/* It is user using kernel to keep track of security\n\t\t * associations for another protocol, such as\n\t\t * OSPF/RSVP/RIPV2/MIP. It is user's job to verify\n\t\t * lengths.\n\t\t *\n\t\t * XXX Actually, association/policy database is not yet\n\t\t * XXX able to cope with arbitrary sockaddr families.\n\t\t * XXX When it can, remove this -EINVAL. -DaveM\n\t\t */\n\t\treturn -EINVAL;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 92141699364073122282240988529733766944, "size": 45, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268026 }, { "func": "static inline void tcp_bound_rto(const struct sock *sk)\n{\n\tif (inet_csk(sk)->icsk_rto > TCP_RTO_MAX)\n\t\tinet_csk(sk)->icsk_rto = TCP_RTO_MAX;\n}", "project": "linux", "hash": 318888941689821761225513917383216211305, "size": 5, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410757 }, { "func": "static void mt_report(struct hid_device *hid, struct hid_report *report)\n{\n\tstruct mt_device *td = hid_get_drvdata(hid);\n\tstruct hid_field *field = report->field[0];\n\tstruct mt_report_data *rdata;\n\n\tif (!(hid->claimed & HID_CLAIMED_INPUT))\n\t\treturn;\n\n\trdata = mt_find_report_data(td, report);\n\tif (rdata && rdata->is_mt_collection)\n\t\treturn mt_touch_report(hid, rdata);\n\n\tif (field && field->hidinput && field->hidinput->input)\n\t\tinput_sync(field->hidinput->input);\n}", "project": "linux", "hash": 104088970672187378016747945176436264449, "size": 16, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458340 }, { "func": "static void kvm_destroy_devices(struct kvm *kvm)\n{\n\tstruct kvm_device *dev, *tmp;\n\n\t/*\n\t * We do not need to take the kvm->lock here, because nobody else\n\t * has a reference to the struct kvm at this point and therefore\n\t * cannot access the devices list anyhow.\n\t */\n\tlist_for_each_entry_safe(dev, tmp, &kvm->devices, vm_node) 
{\n\t\tlist_del(&dev->vm_node);\n\t\tdev->ops->destroy(dev);\n\t}\n}", "project": "linux", "hash": 308966742199411145669656598989603838783, "size": 14, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354754 }, { "func": "int mnt_optstr_apply_flags(char **optstr, unsigned long flags,\n\t\t\t\tconst struct libmnt_optmap *map)\n{\n\tstruct libmnt_optmap const *maps[1];\n\tchar *name, *next, *val;\n\tsize_t namesz = 0, valsz = 0, multi = 0;\n\tunsigned long fl;\n\tint rc = 0;\n\n\tif (!optstr || !map)\n\t\treturn -EINVAL;\n\n\tDBG(CXT, ul_debug(\"applying 0x%08lx flags to '%s'\", flags, *optstr));\n\n\tmaps[0] = map;\n\tnext = *optstr;\n\tfl = flags;\n\n\t/*\n\t * There is a convention that 'rw/ro' flags are always at the beginning of\n\t * the string (although the 'rw' is unnecessary).\n\t */\n\tif (map == mnt_get_builtin_optmap(MNT_LINUX_MAP)) {\n\t\tconst char *o = (fl & MS_RDONLY) ? 
\"ro\" : \"rw\";\n\n\t\tif (next &&\n\t\t (!strncmp(next, \"rw\", 2) || !strncmp(next, \"ro\", 2)) &&\n\t\t (*(next + 2) == '\\0' || *(next + 2) == ',')) {\n\n\t\t\t/* already set, be paranoid and fix it */\n\t\t\tmemcpy(next, o, 2);\n\t\t} else {\n\t\t\trc = mnt_optstr_prepend_option(optstr, o, NULL);\n\t\t\tif (rc)\n\t\t\t\tgoto err;\n\t\t\tnext = *optstr;\t\t/* because realloc() */\n\t\t}\n\t\tfl &= ~MS_RDONLY;\n\t\tnext += 2;\n\t\tif (*next == ',')\n\t\t\tnext++;\n\t}\n\n\tif (next && *next) {\n\t\t/*\n\t\t * scan @optstr and remove options that are missing in\n\t\t * @flags\n\t\t */\n\t\twhile(!mnt_optstr_next_option(&next, &name, &namesz,\n\t\t\t\t\t\t\t&val, &valsz)) {\n\t\t\tconst struct libmnt_optmap *ent;\n\n\t\t\tif (mnt_optmap_get_entry(maps, 1, name, namesz, &ent)) {\n\t\t\t\t/*\n\t\t\t\t * remove unwanted option (rw/ro is already set)\n\t\t\t\t */\n\t\t\t\tif (!ent || !ent->id)\n\t\t\t\t\tcontinue;\n\t\t\t\t/* ignore name= if options map expects only */\n\t\t\t\tif (valsz && mnt_optmap_entry_novalue(ent))\n\t\t\t\t\tcontinue;\n\n\t\t\t\tif (ent->id == MS_RDONLY ||\n\t\t\t\t (ent->mask & MNT_INVERT) ||\n\t\t\t\t (fl & ent->id) != (unsigned long) ent->id) {\n\n\t\t\t\t\tchar *end = val ? 
val + valsz :\n\t\t\t\t\t\t\t name + namesz;\n\t\t\t\t\tnext = name;\n\t\t\t\t\trc = mnt_optstr_remove_option_at(\n\t\t\t\t\t\t\toptstr, name, end);\n\t\t\t\t\tif (rc)\n\t\t\t\t\t\tgoto err;\n\t\t\t\t}\n\t\t\t\tif (!(ent->mask & MNT_INVERT)) {\n\t\t\t\t\t/* allow options with prefix (X-mount.foo,X-mount.bar) more than once */\n\t\t\t\t\tif (ent->mask & MNT_PREFIX)\n\t\t\t\t\t\tmulti |= ent->id;\n\t\t\t\t\telse\n\t\t\t\t\t\tfl &= ~ent->id;\n\t\t\t\t\tif (ent->id & MS_REC)\n\t\t\t\t\t\tfl |= MS_REC;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t/* remove from flags options which are allowed more than once */\n\tfl &= ~multi;\n\n\t/* add missing options (but ignore fl if contains MS_REC only) */\n\tif (fl && fl != MS_REC) {\n\n\t\tconst struct libmnt_optmap *ent;\n\t\tstruct ul_buffer buf = UL_INIT_BUFFER;\n\t\tsize_t sz;\n\t\tchar *p;\n\n\t\tul_buffer_refer_string(&buf, *optstr);\n\n\t\tfor (ent = map; ent && ent->name; ent++) {\n\t\t\tif ((ent->mask & MNT_INVERT)\n\t\t\t || ent->id == 0\n\t\t\t || (fl & ent->id) != (unsigned long) ent->id)\n\t\t\t\tcontinue;\n\n\t\t\t/* don't add options which require values (e.g. 
offset=%d) */\n\t\t\tp = strchr(ent->name, '=');\n\t\t\tif (p) {\n\t\t\t\tif (p > ent->name && *(p - 1) == '[')\n\t\t\t\t\tp--;\t\t\t/* name[=] */\n\t\t\t\telse\n\t\t\t\t\tcontinue;\t\t/* name= */\n\t\t\t\tsz = p - ent->name;\n\t\t\t} else\n\t\t\t\tsz = strlen(ent->name);\n\n\t\t\trc = __buffer_append_option(&buf, ent->name, sz, NULL, 0);\n\t\t\tif (rc)\n\t\t\t\tgoto err;\n\t\t}\n\n\t\t*optstr = ul_buffer_get_data(&buf, NULL, NULL);\n\t}\n\n\tDBG(CXT, ul_debug(\"new optstr '%s'\", *optstr));\n\treturn rc;\nerr:\n\tDBG(CXT, ul_debug(\"failed to apply flags [rc=%d]\", rc));\n\treturn rc;\n}", "project": "util-linux", "hash": 170562214267544518608166999364206732816, "size": 131, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410415 }, { "func": "static int do_o_path(struct nameidata *nd, unsigned flags, struct file *file)\n{\n\tstruct path path;\n\tint error = path_lookupat(nd, flags, &path);\n\tif (!error) {\n\t\taudit_inode(nd->name, path.dentry, 0);\n\t\terror = vfs_open(&path, file);\n\t\tpath_put(&path);\n\t}\n\treturn error;\n}", "project": "linux", "hash": 105381417473293618680446389570593201443, "size": 11, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295310 }, { "func": "static int video_get_user(void __user *arg, void *parg,\n\t\t\t unsigned int real_cmd, unsigned int cmd,\n\t\t\t bool *always_copy)\n{\n\tunsigned int n = _IOC_SIZE(real_cmd);\n\tint err = 0;\n\n\tif 
(!(_IOC_DIR(cmd) & _IOC_WRITE)) {\n\t\t/* read-only ioctl */\n\t\tmemset(parg, 0, n);\n\t\treturn 0;\n\t}\n\n\t/*\n\t * In some cases, only a few fields are used as input,\n\t * i.e. when the app sets \"index\" and then the driver\n\t * fills in the rest of the structure for the thing\n\t * with that index. We only need to copy up the first\n\t * non-input field.\n\t */\n\tif (v4l2_is_known_ioctl(real_cmd)) {\n\t\tu32 flags = v4l2_ioctls[_IOC_NR(real_cmd)].flags;\n\n\t\tif (flags & INFO_FL_CLEAR_MASK)\n\t\t\tn = (flags & INFO_FL_CLEAR_MASK) >> 16;\n\t\t*always_copy = flags & INFO_FL_ALWAYS_COPY;\n\t}\n\n\tif (cmd == real_cmd) {\n\t\tif (copy_from_user(parg, (void __user *)arg, n))\n\t\t\terr = -EFAULT;\n\t} else if (in_compat_syscall()) {\n\t\terr = v4l2_compat_get_user(arg, parg, cmd);\n\t} else {\n\t\tswitch (cmd) {\n#ifdef CONFIG_COMPAT_32BIT_TIME\n\t\tcase VIDIOC_QUERYBUF_TIME32:\n\t\tcase VIDIOC_QBUF_TIME32:\n\t\tcase VIDIOC_DQBUF_TIME32:\n\t\tcase VIDIOC_PREPARE_BUF_TIME32: {\n\t\t\tstruct v4l2_buffer_time32 vb32;\n\t\t\tstruct v4l2_buffer *vb = parg;\n\n\t\t\tif (copy_from_user(&vb32, arg, sizeof(vb32)))\n\t\t\t\treturn -EFAULT;\n\n\t\t\t*vb = (struct v4l2_buffer) {\n\t\t\t\t.index\t\t= vb32.index,\n\t\t\t\t\t.type\t\t= vb32.type,\n\t\t\t\t\t.bytesused\t= vb32.bytesused,\n\t\t\t\t\t.flags\t\t= vb32.flags,\n\t\t\t\t\t.field\t\t= vb32.field,\n\t\t\t\t\t.timestamp.tv_sec\t= vb32.timestamp.tv_sec,\n\t\t\t\t\t.timestamp.tv_usec\t= vb32.timestamp.tv_usec,\n\t\t\t\t\t.timecode\t= vb32.timecode,\n\t\t\t\t\t.sequence\t= vb32.sequence,\n\t\t\t\t\t.memory\t\t= vb32.memory,\n\t\t\t\t\t.m.userptr\t= vb32.m.userptr,\n\t\t\t\t\t.length\t\t= vb32.length,\n\t\t\t\t\t.request_fd\t= vb32.request_fd,\n\t\t\t};\n\t\t\tbreak;\n\t\t}\n#endif\n\t\t}\n\t}\n\n\t/* zero out anything we don't copy from userspace */\n\tif (!err && n < _IOC_SIZE(real_cmd))\n\t\tmemset((u8 *)parg + n, 0, _IOC_SIZE(real_cmd) - n);\n\treturn err;\n}", "project": "linux", "hash": 
203697749687034282151891835533246911051, "size": 72, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381425 }, { "func": "static int check_excludes(struct perf_event **ctrs, unsigned int cflags[],\n\t\t\t int n_prev, int n_new)\n{\n\tint eu = 0, ek = 0, eh = 0;\n\tint i, n, first;\n\tstruct perf_event *event;\n\n\t/*\n\t * If the PMU we're on supports per event exclude settings then we\n\t * don't need to do any of this logic. NB. 
This assumes no PMU has both\n\t * per event exclude and limited PMCs.\n\t */\n\tif (ppmu->flags & PPMU_ARCH_207S)\n\t\treturn 0;\n\n\tn = n_prev + n_new;\n\tif (n <= 1)\n\t\treturn 0;\n\n\tfirst = 1;\n\tfor (i = 0; i < n; ++i) {\n\t\tif (cflags[i] & PPMU_LIMITED_PMC_OK) {\n\t\t\tcflags[i] &= ~PPMU_LIMITED_PMC_REQD;\n\t\t\tcontinue;\n\t\t}\n\t\tevent = ctrs[i];\n\t\tif (first) {\n\t\t\teu = event->attr.exclude_user;\n\t\t\tek = event->attr.exclude_kernel;\n\t\t\teh = event->attr.exclude_hv;\n\t\t\tfirst = 0;\n\t\t} else if (event->attr.exclude_user != eu ||\n\t\t\t event->attr.exclude_kernel != ek ||\n\t\t\t event->attr.exclude_hv != eh) {\n\t\t\treturn -EAGAIN;\n\t\t}\n\t}\n\n\tif (eu || ek || eh)\n\t\tfor (i = 0; i < n; ++i)\n\t\t\tif (cflags[i] & PPMU_LIMITED_PMC_OK)\n\t\t\t\tcflags[i] |= PPMU_LIMITED_PMC_REQD;\n\n\treturn 0;\n}", "project": "linux", "hash": 237941424940672411117955555299721801309, "size": 45, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, 
perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374701 }, { "func": "create_trace_option_core_file(struct trace_array *tr,\n\t\t\t const char *option, long index)\n{\n\tstruct dentry *t_options;\n\n\tt_options = trace_options_init_dentry(tr);\n\tif (!t_options)\n\t\treturn NULL;\n\n\treturn trace_create_file(option, 0644, t_options,\n\t\t\t\t (void *)&tr->trace_flags_index[index],\n\t\t\t\t &trace_options_core_fops);\n}", "project": "linux", "hash": 107890363129899197512551967931179166768, "size": 13, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445751 }, { "func": "init_tracer_tracefs(struct trace_array *tr, struct dentry *d_tracer)\n{\n\tint cpu;\n\n\ttrace_create_file(\"available_tracers\", 0444, d_tracer,\n\t\t\ttr, &show_traces_fops);\n\n\ttrace_create_file(\"current_tracer\", 0644, d_tracer,\n\t\t\ttr, &set_tracer_fops);\n\n\ttrace_create_file(\"tracing_cpumask\", 0644, d_tracer,\n\t\t\t tr, &tracing_cpumask_fops);\n\n\ttrace_create_file(\"trace_options\", 0644, d_tracer,\n\t\t\t tr, &tracing_iter_fops);\n\n\ttrace_create_file(\"trace\", 0644, d_tracer,\n\t\t\t tr, &tracing_fops);\n\n\ttrace_create_file(\"trace_pipe\", 0444, d_tracer,\n\t\t\t tr, &tracing_pipe_fops);\n\n\ttrace_create_file(\"buffer_size_kb\", 0644, d_tracer,\n\t\t\t tr, &tracing_entries_fops);\n\n\ttrace_create_file(\"buffer_total_size_kb\", 0444, d_tracer,\n\t\t\t tr, &tracing_total_entries_fops);\n\n\ttrace_create_file(\"free_buffer\", 0200, d_tracer,\n\t\t\t tr, &tracing_free_buffer_fops);\n\n\ttrace_create_file(\"trace_marker\", 0220, d_tracer,\n\t\t\t tr, &tracing_mark_fops);\n\n\ttrace_create_file(\"trace_marker_raw\", 0220, d_tracer,\n\t\t\t tr, &tracing_mark_raw_fops);\n\n\ttrace_create_file(\"trace_clock\", 0644, d_tracer, tr,\n\t\t\t &trace_clock_fops);\n\n\ttrace_create_file(\"tracing_on\", 0644, d_tracer,\n\t\t\t tr, &rb_simple_fops);\n\n\tcreate_trace_options_dir(tr);\n\n#if defined(CONFIG_TRACER_MAX_TRACE) || defined(CONFIG_HWLAT_TRACER)\n\ttrace_create_file(\"tracing_max_latency\", 0644, d_tracer,\n\t\t\t&tr->max_latency, &tracing_max_lat_fops);\n#endif\n\n\tif (ftrace_create_function_files(tr, d_tracer))\n\t\tWARN(1, 
\"Could not allocate function filter files\");\n\n#ifdef CONFIG_TRACER_SNAPSHOT\n\ttrace_create_file(\"snapshot\", 0644, d_tracer,\n\t\t\t tr, &snapshot_fops);\n#endif\n\n\tfor_each_tracing_cpu(cpu)\n\t\ttracing_init_tracefs_percpu(tr, cpu);\n\n\tftrace_init_tracefs(tr, d_tracer);\n}", "project": "linux", "hash": 112349043263015127679211204602169189859, "size": 63, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445797 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "bool BlobURLRequestJob::ReadBytes(const BlobData::Item& item) {\n DCHECK(read_buf_remaining_bytes_ >= bytes_to_read_);\n\n memcpy(read_buf_->data() + read_buf_offset_,\n &item.data().at(0) + item.offset() + current_item_offset_,\n bytes_to_read_);\n\n AdvanceBytesRead(bytes_to_read_);\n return true;\n}\n", "cwe": "", "big_vul_idx": 106420, "idx": 95571, "hash": 322415134837052592966202877205615719294 }, { "func": "void LibRaw::parseSonyLensType2(uchar a, uchar b)\n{\n ushort lid2;\n lid2 = (((ushort)a) << 8) | ((ushort)b);\n// printf (\"==>> 2: lid2 %d\\n\", lid2);\n if (!lid2)\n return;\n if (lid2 < 0x100)\n {\n if ((ilm.AdapterID != 0x4900) && (ilm.AdapterID != 0xef00))\n {\n ilm.AdapterID = lid2;\n switch (lid2)\n {\n 
case 1:\n case 2:\n case 3:\n case 6:\n ilm.LensMount = LIBRAW_MOUNT_Minolta_A;\n break;\n case 44:\n case 78:\n case 184:\n case 234:\n case 239:\n ilm.LensMount = LIBRAW_MOUNT_Canon_EF;\n break;\n }\n }\n }\n else\n ilm.LensID = lid2;\n\n if ((lid2 >= 50481) &&\n (lid2 < 50500)) {\n strcpy(ilm.Adapter, \"MC-11\");\n ilm.AdapterID = 0x4900;\n } else if ((lid2 > 0xef00) &&\n (lid2 < 0xffff) &&\n (lid2 != 0xff00)) {\n ilm.AdapterID = 0xef00;\n ilm.LensID -= ilm.AdapterID;\n ilm.LensMount = LIBRAW_MOUNT_Canon_EF;\n }\n\n return;\n}", "project": "LibRaw", "hash": 261139026819534864341742730209158774384, "size": 47, "commit_id": "c243f4539233053466c1309bde606815351bee81", "message": "additional checks in parseSonySRF\n\nparseSonySR2: buffer size check", "target": 0, "dataset": "other", "idx": 394104 }, { "func": "static void send_request_chunk(void) {\n layoutProgress(_(\"Signing\"), (data_total - data_left) * 1000 / data_total);\n msg_tx_request.has_data_length = true;\n msg_tx_request.data_length = data_left <= 1024 ? data_left : 1024;\n msg_write(MessageType_MessageType_EthereumTxRequest, &msg_tx_request);\n}", "project": "keepkey-firmware", "hash": 295824634507220500585581636769844548562, "size": 6, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220888 }, { "func": "int input_set_keycode(struct input_dev *dev,\n\t\t const struct input_keymap_entry *ke)\n{\n\tunsigned long flags;\n\tunsigned int old_keycode;\n\tint retval;\n\n\tif (ke->keycode > KEY_MAX)\n\t\treturn -EINVAL;\n\n\tspin_lock_irqsave(&dev->event_lock, flags);\n\n\tretval = dev->setkeycode(dev, ke, &old_keycode);\n\tif (retval)\n\t\tgoto out;\n\n\t/* Make sure KEY_RESERVED did not get enabled. 
*/\n\t__clear_bit(KEY_RESERVED, dev->keybit);\n\n\t/*\n\t * Simulate keyup event if keycode is not present\n\t * in the keymap anymore\n\t */\n\tif (test_bit(EV_KEY, dev->evbit) &&\n\t !is_event_supported(old_keycode, dev->keybit, KEY_MAX) &&\n\t __test_and_clear_bit(old_keycode, dev->key)) {\n\t\tstruct input_value vals[] = {\n\t\t\t{ EV_KEY, old_keycode, 0 },\n\t\t\tinput_value_sync\n\t\t};\n\n\t\tinput_pass_values(dev, vals, ARRAY_SIZE(vals));\n\t}\n\n out:\n\tspin_unlock_irqrestore(&dev->event_lock, flags);\n\n\treturn retval;\n}", "project": "linux", "hash": 337446137803997904056500807170028096296, "size": 39, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 1, "dataset": "other", "idx": 204147 }, { "func": "int input_set_keycode(struct input_dev *dev,\n\t\t const struct input_keymap_entry *ke)\n{\n\tunsigned long flags;\n\tunsigned int old_keycode;\n\tint retval;\n\n\tif (ke->keycode > KEY_MAX)\n\t\treturn -EINVAL;\n\n\tspin_lock_irqsave(&dev->event_lock, flags);\n\n\tretval = dev->setkeycode(dev, ke, &old_keycode);\n\tif (retval)\n\t\tgoto out;\n\n\t/* Make sure KEY_RESERVED did not get enabled. 
*/\n\t__clear_bit(KEY_RESERVED, dev->keybit);\n\n\t/*\n\t * Simulate keyup event if keycode is not present\n\t * in the keymap anymore\n\t */\n\tif (old_keycode > KEY_MAX) {\n\t\tdev_warn(dev->dev.parent ?: &dev->dev,\n\t\t\t \"%s: got too big old keycode %#x\\n\",\n\t\t\t __func__, old_keycode);\n\t} else if (test_bit(EV_KEY, dev->evbit) &&\n\t\t !is_event_supported(old_keycode, dev->keybit, KEY_MAX) &&\n\t\t __test_and_clear_bit(old_keycode, dev->key)) {\n\t\tstruct input_value vals[] = {\n\t\t\t{ EV_KEY, old_keycode, 0 },\n\t\t\tinput_value_sync\n\t\t};\n\n\t\tinput_pass_values(dev, vals, ARRAY_SIZE(vals));\n\t}\n\n out:\n\tspin_unlock_irqrestore(&dev->event_lock, flags);\n\n\treturn retval;\n}", "project": "linux", "hash": 250661356441538656426884342920937476021, "size": 43, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353362 }, { "func": "void CSoundFile::ExtraFinePortamentoDown(ModChannel *pChn, ModCommand::PARAM param) const\n{\n\tif(GetType() == MOD_TYPE_XM)\n\t{\n\t\t// FT2 compatibility: E1x / E2x / X1x / X2x memory is not linked\n\t\t// Test case: Porta-LinkMem.xm\n\t\tif(param) pChn->nOldExtraFinePortaUpDown = (pChn->nOldExtraFinePortaUpDown & 0xF0) | (param & 0x0F); else param = (pChn->nOldExtraFinePortaUpDown & 0x0F);\n\t} else if(GetType() == MOD_TYPE_MT2)\n\t{\n\t\tif(param) pChn->nOldFinePortaUpDown = param; else param = pChn->nOldFinePortaUpDown;\n\t}\n\n\tif(pChn->isFirstTick)\n\t{\n\t\tif ((pChn->nPeriod) && (param))\n\t\t{\n\t\t\tif(m_SongFlags[SONG_LINEARSLIDES] && GetType() != MOD_TYPE_XM)\n\t\t\t{\n\t\t\t\tint oldPeriod = pChn->nPeriod;\n\t\t\t\tpChn->nPeriod = Util::muldivr(pChn->nPeriod, GetFineLinearSlideDownTable(this, param & 0x0F), 65536);\n\t\t\t\tif(oldPeriod == pChn->nPeriod) pChn->nPeriod--;\n\t\t\t} else\n\t\t\t{\n\t\t\t\tpChn->nPeriod += (int)(param);\n\t\t\t\tif (pChn->nPeriod > 0xFFFF) pChn->nPeriod = 0xFFFF;\n\t\t\t}\n\t\t}\n\t}\n}", "project": "openmpt", "hash": 183563627818181638259478116049519015722, "size": 29, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255172 }, { "func": "static ssize_t evdev_write(struct file *file, const char __user *buffer,\n\t\t\t size_t 
count, loff_t *ppos)\n{\n\tstruct evdev_client *client = file->private_data;\n\tstruct evdev *evdev = client->evdev;\n\tstruct input_event event;\n\tint retval = 0;\n\n\tif (count != 0 && count < input_event_size())\n\t\treturn -EINVAL;\n\n\tretval = mutex_lock_interruptible(&evdev->mutex);\n\tif (retval)\n\t\treturn retval;\n\n\tif (!evdev->exist) {\n\t\tretval = -ENODEV;\n\t\tgoto out;\n\t}\n\n\twhile (retval + input_event_size() <= count) {\n\n\t\tif (input_event_from_user(buffer + retval, &event)) {\n\t\t\tretval = -EFAULT;\n\t\t\tgoto out;\n\t\t}\n\t\tretval += input_event_size();\n\n\t\tinput_inject_event(&evdev->handle,\n\t\t\t\t event.type, event.code, event.value);\n\t}\n\n out:\n\tmutex_unlock(&evdev->mutex);\n\treturn retval;\n}", "project": "linux", "hash": 219621455949675304056634687990954068617, "size": 36, "commit_id": "483180281f0ac60d1138710eb21f4b9961901294", "message": "Input: evdev - flush queues during EVIOCGKEY-like ioctls\n\nIf userspace requests current KEY-state, they very likely assume that no\nsuch events are pending in the output queue of the evdev device.\nOtherwise, they will parse events which they already handled via\nEVIOCGKEY(). For XKB applications this can cause irreversible keyboard\nstates if a modifier is locked multiple times because a CTRL-DOWN event is\nhandled once via EVIOCGKEY() and once from the queue via read(), even\nthough it should handle it only once.\n\nTherefore, lets do the only logical thing and flush the evdev queue\natomically during this ioctl. We only flush events that are affected by\nthe given ioctl.\n\nThis only affects boolean events like KEY, SND, SW and LED. ABS, REL and\nothers are not affected as duplicate events can be handled gracefully by\nuser-space.\n\nNote: This actually breaks semantics of the evdev ABI. 
However,\ninvestigations showed that userspace already expects the new semantics and\nwe end up fixing at least all XKB applications.\nAll applications that are aware of this race-condition mirror the KEY\nstate for each open-file and detect/drop duplicate events. Hence, they do\nnot care whether duplicates are posted or not and work fine with this fix.\n\nAlso note that we need proper locking to guarantee atomicity and avoid\ndead-locks. event_lock must be locked before queue_lock (see input-core).\nHowever, we can safely release event_lock while flushing the queue. This\nallows the input-core to proceed with pending events and only stop if it\nneeds our queue_lock to post new events.\nThis should guarantee that we don't block event-dispatching for too long\nwhile flushing a single event queue.\n\nSigned-off-by: David Herrmann \nAcked-by: Peter Hutterer \nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 381725 }, { "func": "static inline unsigned int tid_to_cpu(unsigned long tid)\n{\n\treturn tid % TID_STEP;\n}", "project": "linux", "hash": 163641206523349216430619446797003119434, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280265 }, { "func": "void flush_itimer_signals(void)\n{\n\tstruct task_struct *tsk = current;\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&tsk->sighand->siglock, flags);\n\t__flush_itimer_signals(&tsk->pending);\n\t__flush_itimer_signals(&tsk->signal->shared_pending);\n\tspin_unlock_irqrestore(&tsk->sighand->siglock, flags);\n}", "project": "linux", "hash": 272658411832886748011608164647214822423, "size": 10, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375300 }, { "func": "httpMakeVaryMark(HttpRequest * request, HttpReply const * reply)\n{\n SBuf vstr;\n String vary;\n\n vary = reply->header.getList(Http::HdrType::VARY);\n assembleVaryKey(vary, vstr, *request);\n\n#if X_ACCELERATOR_VARY\n vary.clean();\n vary = reply->header.getList(Http::HdrType::HDR_X_ACCELERATOR_VARY);\n assembleVaryKey(vary, vstr, *request);\n#endif\n\n debugs(11, 3, vstr);\n return vstr;\n}", "project": "squid", "hash": 115911664028354902836611485213770747777, "size": 17, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402358 }, { "func": "static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,\n\t\t\t\t u8 event, struct sk_buff *skb)\n{\n\tstruct hci_ev_cmd_complete *ev;\n\tstruct hci_event_hdr *hdr;\n\n\tif (!skb)\n\t\treturn false;\n\n\tif (skb->len < sizeof(*hdr)) {\n\t\tbt_dev_err(hdev, \"too short HCI event\");\n\t\treturn false;\n\t}\n\n\thdr = (void *) skb->data;\n\tskb_pull(skb, HCI_EVENT_HDR_SIZE);\n\n\tif (event) {\n\t\tif (hdr->evt != event)\n\t\t\treturn false;\n\t\treturn true;\n\t}\n\n\t/* Check if request ended in Command Status - no way to retreive\n\t * any extra parameters in this case.\n\t */\n\tif (hdr->evt == HCI_EV_CMD_STATUS)\n\t\treturn false;\n\n\tif (hdr->evt != HCI_EV_CMD_COMPLETE) {\n\t\tbt_dev_err(hdev, \"last event is not cmd complete (0x%2.2x)\",\n\t\t\t hdr->evt);\n\t\treturn false;\n\t}\n\n\tif (skb->len < sizeof(*ev)) {\n\t\tbt_dev_err(hdev, \"too short cmd_complete event\");\n\t\treturn false;\n\t}\n\n\tev = (void *) skb->data;\n\tskb_pull(skb, sizeof(*ev));\n\n\tif (opcode != __le16_to_cpu(ev->opcode)) {\n\t\tBT_DBG(\"opcode doesn't match (0x%2.2x != 0x%2.2x)\", opcode,\n\t\t __le16_to_cpu(ev->opcode));\n\t\treturn false;\n\t}\n\n\treturn true;\n}", "project": "linux", "hash": 165381828077807585481932638039325902392, "size": 51, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431882 }, { "func": "int CLua::execstring(const char *s, const char *context, int nresults)\n{\n int err = 0;\n if ((err = loadstring(s, context)))\n return err;\n\n lua_State *ls = state();\n lua_call_throttle strangler(this);\n err = lua_pcall(ls, 0, nresults, 0);\n set_error(err, ls);\n return err;\n}", "project": "crawl", "hash": 99245366131029121129347771171724308260, "size": 12, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230518 }, { "func": " static bool SplitHasAlignedOutputsInFirstDimension(\n const TensorShape& input_shape, int32_t split_dim,\n absl::Span split_sizes) {\n if (split_dim != 0) {\n return false;\n }\n Tlen start = 0;\n for (const Tlen split_size : split_sizes) {\n if (!IsDim0SliceAligned(input_shape, start, start + split_size)) {\n return false;\n }\n start += split_size;\n }\n return true;\n }", "project": "tensorflow", "hash": 201132693634114515502556207401297593585, "size": 15, "commit_id": "25d622ffc432acc736b14ca3904177579e733cc6", "message": "A negative size in one of the split sizes allowed the computed size of another\nto exceed the total dimension, leading to a segfault and security vulnerability.\nAdding a check for negative sizes prevents this.\n\nPiperOrigin-RevId: 401035665\nChange-Id: I79bbe329787dac82aa4bf60397a9129b716aedab", "target": 0, "dataset": "other", "idx": 233121 }, { "func": "static void ov7xx0_configure(struct sd *sd)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint rc, high, low;\n\n\tgspca_dbg(gspca_dev, D_PROBE, \"starting OV7xx0 
configuration\\n\");\n\n\t/* Detect sensor (sub)type */\n\trc = i2c_r(sd, OV7610_REG_COM_I);\n\n\t/* add OV7670 here\n\t * it appears to be wrongly detected as a 7610 by default */\n\tif (rc < 0) {\n\t\tgspca_err(gspca_dev, \"Error detecting sensor type\\n\");\n\t\treturn;\n\t}\n\tif ((rc & 3) == 3) {\n\t\t/* quick hack to make OV7670s work */\n\t\thigh = i2c_r(sd, 0x0a);\n\t\tlow = i2c_r(sd, 0x0b);\n\t\t/* info(\"%x, %x\", high, low); */\n\t\tif (high == 0x76 && (low & 0xf0) == 0x70) {\n\t\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is an OV76%02x\\n\",\n\t\t\t\t low);\n\t\t\tsd->sensor = SEN_OV7670;\n\t\t} else {\n\t\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is an OV7610\\n\");\n\t\t\tsd->sensor = SEN_OV7610;\n\t\t}\n\t} else if ((rc & 3) == 1) {\n\t\t/* I don't know what's different about the 76BE yet. */\n\t\tif (i2c_r(sd, 0x15) & 1) {\n\t\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is an OV7620AE\\n\");\n\t\t\tsd->sensor = SEN_OV7620AE;\n\t\t} else {\n\t\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is an OV76BE\\n\");\n\t\t\tsd->sensor = SEN_OV76BE;\n\t\t}\n\t} else if ((rc & 3) == 0) {\n\t\t/* try to read product id registers */\n\t\thigh = i2c_r(sd, 0x0a);\n\t\tif (high < 0) {\n\t\t\tgspca_err(gspca_dev, \"Error detecting camera chip PID\\n\");\n\t\t\treturn;\n\t\t}\n\t\tlow = i2c_r(sd, 0x0b);\n\t\tif (low < 0) {\n\t\t\tgspca_err(gspca_dev, \"Error detecting camera chip VER\\n\");\n\t\t\treturn;\n\t\t}\n\t\tif (high == 0x76) {\n\t\t\tswitch (low) {\n\t\t\tcase 0x30:\n\t\t\t\tgspca_err(gspca_dev, \"Sensor is an OV7630/OV7635\\n\");\n\t\t\t\tgspca_err(gspca_dev, \"7630 is not supported by this driver\\n\");\n\t\t\t\treturn;\n\t\t\tcase 0x40:\n\t\t\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is an OV7645\\n\");\n\t\t\t\tsd->sensor = SEN_OV7640; /* FIXME */\n\t\t\t\tbreak;\n\t\t\tcase 0x45:\n\t\t\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is an OV7645B\\n\");\n\t\t\t\tsd->sensor = SEN_OV7640; /* FIXME */\n\t\t\t\tbreak;\n\t\t\tcase 0x48:\n\t\t\t\tgspca_dbg(gspca_dev, 
D_PROBE, \"Sensor is an OV7648\\n\");\n\t\t\t\tsd->sensor = SEN_OV7648;\n\t\t\t\tbreak;\n\t\t\tcase 0x60:\n\t\t\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is a OV7660\\n\");\n\t\t\t\tsd->sensor = SEN_OV7660;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tgspca_err(gspca_dev, \"Unknown sensor: 0x76%02x\\n\",\n\t\t\t\t\t low);\n\t\t\t\treturn;\n\t\t\t}\n\t\t} else {\n\t\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is an OV7620\\n\");\n\t\t\tsd->sensor = SEN_OV7620;\n\t\t}\n\t} else {\n\t\tgspca_err(gspca_dev, \"Unknown image sensor version: %d\\n\",\n\t\t\t rc & 3);\n\t}\n}", "project": "linux", "hash": 254296375780868266388108546646277113021, "size": 86, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306335 }, { "func": "char * ap_php_conv_10(register int64_t num, register bool is_unsigned,\n register int * is_negative, char *buf_end,\n register int *len) {\n register char *p = buf_end;\n register uint64_t magnitude;\n\n if (is_unsigned) {\n magnitude = (uint64_t) num;\n *is_negative = 0;\n } else {\n *is_negative = (num < 0);\n\n /*\n * On a 2's complement machine, negating the most negative integer\n * results in a number that cannot be represented as a signed integer.\n * Here is what we do to obtain the number's magnitude:\n * a. 
add 1 to the number\n * b. negate it (becomes positive)\n * c. convert it to unsigned\n * d. add 1\n */\n if (*is_negative) {\n int64_t t = num + 1;\n magnitude = ((uint64_t) - t) + 1;\n } else {\n magnitude = (uint64_t) num;\n }\n }\n\n /*\n * We use a do-while loop so that we write at least 1 digit\n */\n do {\n register uint64_t new_magnitude = magnitude / 10;\n\n *--p = (char)(magnitude - new_magnitude * 10 + '0');\n magnitude = new_magnitude;\n }\n while (magnitude);\n\n *len = buf_end - p;\n return (p);\n}", "project": "hhvm", "hash": 52258169761151421445903072130859482082, "size": 43, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219271 }, { "func": "static void mode_init_ov_sensor_regs(struct sd *sd)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint qvga, xstart, xend, ystart, yend;\n\tu8 v;\n\n\tqvga = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv & 1;\n\n\t/******** Mode (VGA/QVGA) and sensor specific regs ********/\n\tswitch (sd->sensor) {\n\tcase SEN_OV2610:\n\t\ti2c_w_mask(sd, 0x14, qvga ? 0x20 : 0x00, 0x20);\n\t\ti2c_w_mask(sd, 0x28, qvga ? 0x00 : 0x20, 0x20);\n\t\ti2c_w(sd, 0x24, qvga ? 0x20 : 0x3a);\n\t\ti2c_w(sd, 0x25, qvga ? 0x30 : 0x60);\n\t\ti2c_w_mask(sd, 0x2d, qvga ? 0x40 : 0x00, 0x40);\n\t\ti2c_w_mask(sd, 0x67, qvga ? 0xf0 : 0x90, 0xf0);\n\t\ti2c_w_mask(sd, 0x74, qvga ? 0x20 : 0x00, 0x20);\n\t\treturn;\n\tcase SEN_OV2610AE: {\n\t\tu8 v;\n\n\t\t/* frame rates:\n\t\t *\t10fps / 5 fps for 1600x1200\n\t\t *\t40fps / 20fps for 800x600\n\t\t */\n\t\tv = 80;\n\t\tif (qvga) {\n\t\t\tif (sd->frame_rate < 25)\n\t\t\t\tv = 0x81;\n\t\t} else {\n\t\t\tif (sd->frame_rate < 10)\n\t\t\t\tv = 0x81;\n\t\t}\n\t\ti2c_w(sd, 0x11, v);\n\t\ti2c_w(sd, 0x12, qvga ? 
0x60 : 0x20);\n\t\treturn;\n\t }\n\tcase SEN_OV3610:\n\t\tif (qvga) {\n\t\t\txstart = (1040 - gspca_dev->pixfmt.width) / 2 +\n\t\t\t\t(0x1f << 4);\n\t\t\tystart = (776 - gspca_dev->pixfmt.height) / 2;\n\t\t} else {\n\t\t\txstart = (2076 - gspca_dev->pixfmt.width) / 2 +\n\t\t\t\t(0x10 << 4);\n\t\t\tystart = (1544 - gspca_dev->pixfmt.height) / 2;\n\t\t}\n\t\txend = xstart + gspca_dev->pixfmt.width;\n\t\tyend = ystart + gspca_dev->pixfmt.height;\n\t\t/* Writing to the COMH register resets the other windowing regs\n\t\t to their default values, so we must do this first. */\n\t\ti2c_w_mask(sd, 0x12, qvga ? 0x40 : 0x00, 0xf0);\n\t\ti2c_w_mask(sd, 0x32,\n\t\t\t (((xend >> 1) & 7) << 3) | ((xstart >> 1) & 7),\n\t\t\t 0x3f);\n\t\ti2c_w_mask(sd, 0x03,\n\t\t\t (((yend >> 1) & 3) << 2) | ((ystart >> 1) & 3),\n\t\t\t 0x0f);\n\t\ti2c_w(sd, 0x17, xstart >> 4);\n\t\ti2c_w(sd, 0x18, xend >> 4);\n\t\ti2c_w(sd, 0x19, ystart >> 3);\n\t\ti2c_w(sd, 0x1a, yend >> 3);\n\t\treturn;\n\tcase SEN_OV8610:\n\t\t/* For OV8610 qvga means qsvga */\n\t\ti2c_w_mask(sd, OV7610_REG_COM_C, qvga ? (1 << 5) : 0, 1 << 5);\n\t\ti2c_w_mask(sd, 0x13, 0x00, 0x20); /* Select 16 bit data bus */\n\t\ti2c_w_mask(sd, 0x12, 0x04, 0x06); /* AWB: 1 Test pattern: 0 */\n\t\ti2c_w_mask(sd, 0x2d, 0x00, 0x40); /* from windrv 090403 */\n\t\ti2c_w_mask(sd, 0x28, 0x20, 0x20); /* progressive mode on */\n\t\tbreak;\n\tcase SEN_OV7610:\n\t\ti2c_w_mask(sd, 0x14, qvga ? 0x20 : 0x00, 0x20);\n\t\ti2c_w(sd, 0x35, qvga ? 0x1e : 0x9e);\n\t\ti2c_w_mask(sd, 0x13, 0x00, 0x20); /* Select 16 bit data bus */\n\t\ti2c_w_mask(sd, 0x12, 0x04, 0x06); /* AWB: 1 Test pattern: 0 */\n\t\tbreak;\n\tcase SEN_OV7620:\n\tcase SEN_OV7620AE:\n\tcase SEN_OV76BE:\n\t\ti2c_w_mask(sd, 0x14, qvga ? 0x20 : 0x00, 0x20);\n\t\ti2c_w_mask(sd, 0x28, qvga ? 0x00 : 0x20, 0x20);\n\t\ti2c_w(sd, 0x24, qvga ? 0x20 : 0x3a);\n\t\ti2c_w(sd, 0x25, qvga ? 0x30 : 0x60);\n\t\ti2c_w_mask(sd, 0x2d, qvga ? 0x40 : 0x00, 0x40);\n\t\ti2c_w_mask(sd, 0x67, qvga ? 
0xb0 : 0x90, 0xf0);\n\t\ti2c_w_mask(sd, 0x74, qvga ? 0x20 : 0x00, 0x20);\n\t\ti2c_w_mask(sd, 0x13, 0x00, 0x20); /* Select 16 bit data bus */\n\t\ti2c_w_mask(sd, 0x12, 0x04, 0x06); /* AWB: 1 Test pattern: 0 */\n\t\tif (sd->sensor == SEN_OV76BE)\n\t\t\ti2c_w(sd, 0x35, qvga ? 0x1e : 0x9e);\n\t\tbreak;\n\tcase SEN_OV7640:\n\tcase SEN_OV7648:\n\t\ti2c_w_mask(sd, 0x14, qvga ? 0x20 : 0x00, 0x20);\n\t\ti2c_w_mask(sd, 0x28, qvga ? 0x00 : 0x20, 0x20);\n\t\t/* Setting this undocumented bit in qvga mode removes a very\n\t\t annoying vertical shaking of the image */\n\t\ti2c_w_mask(sd, 0x2d, qvga ? 0x40 : 0x00, 0x40);\n\t\t/* Unknown */\n\t\ti2c_w_mask(sd, 0x67, qvga ? 0xf0 : 0x90, 0xf0);\n\t\t/* Allow higher automatic gain (to allow higher framerates) */\n\t\ti2c_w_mask(sd, 0x74, qvga ? 0x20 : 0x00, 0x20);\n\t\ti2c_w_mask(sd, 0x12, 0x04, 0x04); /* AWB: 1 */\n\t\tbreak;\n\tcase SEN_OV7670:\n\t\t/* set COM7_FMT_VGA or COM7_FMT_QVGA\n\t\t * do we need to set anything else?\n\t\t *\tHSTART etc are set in set_ov_sensor_window itself */\n\t\ti2c_w_mask(sd, OV7670_R12_COM7,\n\t\t\t qvga ? OV7670_COM7_FMT_QVGA : OV7670_COM7_FMT_VGA,\n\t\t\t OV7670_COM7_FMT_MASK);\n\t\ti2c_w_mask(sd, 0x13, 0x00, 0x20); /* Select 16 bit data bus */\n\t\ti2c_w_mask(sd, OV7670_R13_COM8, OV7670_COM8_AWB,\n\t\t\t\tOV7670_COM8_AWB);\n\t\tif (qvga) {\t\t/* QVGA from ov7670.c by\n\t\t\t\t\t * Jonathan Corbet */\n\t\t\txstart = 164;\n\t\t\txend = 28;\n\t\t\tystart = 14;\n\t\t\tyend = 494;\n\t\t} else {\t\t/* VGA */\n\t\t\txstart = 158;\n\t\t\txend = 14;\n\t\t\tystart = 10;\n\t\t\tyend = 490;\n\t\t}\n\t\t/* OV7670 hardware window registers are split across\n\t\t * multiple locations */\n\t\ti2c_w(sd, OV7670_R17_HSTART, xstart >> 3);\n\t\ti2c_w(sd, OV7670_R18_HSTOP, xend >> 3);\n\t\tv = i2c_r(sd, OV7670_R32_HREF);\n\t\tv = (v & 0xc0) | ((xend & 0x7) << 3) | (xstart & 0x07);\n\t\tmsleep(10);\t/* need to sleep between read and write to\n\t\t\t\t * same reg! 
*/\n\t\ti2c_w(sd, OV7670_R32_HREF, v);\n\n\t\ti2c_w(sd, OV7670_R19_VSTART, ystart >> 2);\n\t\ti2c_w(sd, OV7670_R1A_VSTOP, yend >> 2);\n\t\tv = i2c_r(sd, OV7670_R03_VREF);\n\t\tv = (v & 0xc0) | ((yend & 0x3) << 2) | (ystart & 0x03);\n\t\tmsleep(10);\t/* need to sleep between read and write to\n\t\t\t\t * same reg! */\n\t\ti2c_w(sd, OV7670_R03_VREF, v);\n\t\tbreak;\n\tcase SEN_OV6620:\n\t\ti2c_w_mask(sd, 0x14, qvga ? 0x20 : 0x00, 0x20);\n\t\ti2c_w_mask(sd, 0x13, 0x00, 0x20); /* Select 16 bit data bus */\n\t\ti2c_w_mask(sd, 0x12, 0x04, 0x06); /* AWB: 1 Test pattern: 0 */\n\t\tbreak;\n\tcase SEN_OV6630:\n\tcase SEN_OV66308AF:\n\t\ti2c_w_mask(sd, 0x14, qvga ? 0x20 : 0x00, 0x20);\n\t\ti2c_w_mask(sd, 0x12, 0x04, 0x06); /* AWB: 1 Test pattern: 0 */\n\t\tbreak;\n\tcase SEN_OV9600: {\n\t\tconst struct ov_i2c_regvals *vals;\n\t\tstatic const struct ov_i2c_regvals sxga_15[] = {\n\t\t\t{0x11, 0x80}, {0x14, 0x3e}, {0x24, 0x85}, {0x25, 0x75}\n\t\t};\n\t\tstatic const struct ov_i2c_regvals sxga_7_5[] = {\n\t\t\t{0x11, 0x81}, {0x14, 0x3e}, {0x24, 0x85}, {0x25, 0x75}\n\t\t};\n\t\tstatic const struct ov_i2c_regvals vga_30[] = {\n\t\t\t{0x11, 0x81}, {0x14, 0x7e}, {0x24, 0x70}, {0x25, 0x60}\n\t\t};\n\t\tstatic const struct ov_i2c_regvals vga_15[] = {\n\t\t\t{0x11, 0x83}, {0x14, 0x3e}, {0x24, 0x80}, {0x25, 0x70}\n\t\t};\n\n\t\t/* frame rates:\n\t\t *\t15fps / 7.5 fps for 1280x1024\n\t\t *\t30fps / 15fps for 640x480\n\t\t */\n\t\ti2c_w_mask(sd, 0x12, qvga ? 0x40 : 0x00, 0x40);\n\t\tif (qvga)\n\t\t\tvals = sd->frame_rate < 30 ? vga_15 : vga_30;\n\t\telse\n\t\t\tvals = sd->frame_rate < 15 ? 
sxga_7_5 : sxga_15;\n\t\twrite_i2c_regvals(sd, vals, ARRAY_SIZE(sxga_15));\n\t\treturn;\n\t }\n\tdefault:\n\t\treturn;\n\t}\n\n\t/******** Clock programming ********/\n\ti2c_w(sd, 0x11, sd->clockdiv);\n}", "project": "linux", "hash": 50676981149842083875898350070526530417, "size": 190, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306283 }, { "func": "void GraphConstructor::DFS(int cur_node, std::vector* cur_branch,\n std::vector* is_on_cur_branch,\n absl::flat_hash_set* unvisited) {\n cur_branch->push_back(cur_node);\n is_on_cur_branch->at(cur_node) = true;\n for (auto next_node : outputs_[cur_node]) {\n if (unvisited->find(next_node) != unvisited->end()) {\n if (is_on_cur_branch->at(next_node)) {\n auto iter =\n std::find(cur_branch->begin(), cur_branch->end(), next_node);\n LOG(WARNING) << \"Cycle detected:\";\n while (iter != cur_branch->end()) {\n LOG(WARNING) << SummarizeNodeDef(get_node_def(*iter));\n ++iter;\n }\n LOG(WARNING) << \"End of cycle\";\n } else {\n DFS(next_node, cur_branch, is_on_cur_branch, unvisited);\n }\n }\n }\n cur_branch->pop_back();\n is_on_cur_branch->at(cur_node) = false;\n unvisited->erase(cur_node);\n}", "project": "tensorflow", "hash": 20021764395770403235901874606682738088, "size": 25, "commit_id": 
"0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268302 }, { "func": "static inline u32 tcp_receive_window(const struct tcp_sock *tp)\n{\n\ts32 win = tp->rcv_wup + tp->rcv_wnd - tp->rcv_nxt;\n\n\tif (win < 0)\n\t\twin = 0;\n\treturn (u32) win;\n}", "project": "linux", "hash": 100107453147019431696666980722379630389, "size": 8, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. 
For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410739 }, { "func": "HttpStateData::proceedAfter1xx()\n{\n Must(flags.handling1xx);\n debugs(11, 2, \"continuing with \" << payloadSeen << \" bytes in buffer after 1xx\");\n CallJobHere(11, 3, this, HttpStateData, HttpStateData::processReply);\n}", "project": "squid", "hash": 35181425968864932673147133578055112757, "size": 6, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402368 }, { "func": "void gdImagePaletteCopy (gdImagePtr to, gdImagePtr from)\n{\n\tint i;\n\tint x, y, p;\n\tint xlate[256];\n\tif (to->trueColor || from->trueColor) {\n\t\treturn;\n\t}\n\n\tfor (i = 0; i < 256; i++) {\n\t\txlate[i] = -1;\n\t}\n\n\tfor (y = 0; y < to->sy; y++) {\n\t\tfor (x = 0; x < to->sx; x++) {\n\t\t\tp = gdImageGetPixel(to, x, y);\n\t\t\tif (xlate[p] == -1) {\n\t\t\t\t/* This ought to use HWB, but we don't have an alpha-aware version of that yet. */\n\t\t\t\txlate[p] = gdImageColorClosestAlpha (from, to->red[p], to->green[p], to->blue[p], to->alpha[p]);\n\t\t\t}\n\t\t\tgdImageSetPixel(to, x, y, xlate[p]);\n\t\t}\n\t}\n\n\tfor (i = 0; i < from->colorsTotal; i++) {\n\t\tto->red[i] = from->red[i];\n\t\tto->blue[i] = from->blue[i];\n\t\tto->green[i] = from->green[i];\n\t\tto->alpha[i] = from->alpha[i];\n\t\tto->open[i] = 0;\n\t}\n\n\tfor (i = from->colorsTotal; i < to->colorsTotal; i++) {\n\t\tto->open[i] = 1;\n\t}\n\n\tto->colorsTotal = from->colorsTotal;\n}", "project": "php-src", "hash": 244273979421462605438644439995808529864, "size": 38, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295160 }, { "func": "static int tiocgsid(struct tty_struct *tty, struct tty_struct *real_tty, pid_t __user *p)\n{\n\tunsigned long flags;\n\tpid_t sid;\n\n\t/*\n\t * (tty == real_tty) is a cheap way of\n\t * testing if the tty is NOT a master pty.\n\t*/\n\tif (tty == real_tty && current->signal->tty != 
real_tty)\n\t\treturn -ENOTTY;\n\n\tspin_lock_irqsave(&real_tty->ctrl_lock, flags);\n\tif (!real_tty->session)\n\t\tgoto err;\n\tsid = pid_vnr(real_tty->session);\n\tspin_unlock_irqrestore(&real_tty->ctrl_lock, flags);\n\n\treturn put_user(sid, p);\n\nerr:\n\tspin_unlock_irqrestore(&real_tty->ctrl_lock, flags);\n\treturn -ENOTTY;\n}", "project": "linux", "hash": 110781423859321214118289293812090626152, "size": 24, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325991 }, { "func": "}\nEXPORT_SYMBOL_GPL(iscsi_unregister_transport);\n\nvoid iscsi_dbg_trace(void (*trace)(struct device *dev, struct va_format *),\n\t\t struct device *dev, const char *fmt, ...)\n{\n\tstruct va_format vaf;\n\tva_list args;\n\n\tva_start(args, fmt);\n\tvaf.fmt = fmt;\n\tvaf.va = &args;", "project": "linux", "hash": 233867678167828748474689633120775461233, "size": 12, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379916 }, { "func": "static int getsint(FILE *sfd, int16 *val) {\n int val2;\n int ret = getint(sfd,&val2);\n *val = val2;\nreturn( ret );\n}", "project": "fontforge", "hash": 116326325597555035513105236122301750044, "size": 6, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417821 }, { "func": "bool CWebSock::SendCookie(const CString& sKey, const CString& sValue) {\n const CString sPrefixedKey = CString(GetLocalPort()) + \"-\" + sKey;\n\n if (!m_sModName.empty()) {\n return CHTTPSock::SendCookie(\"Mod-\" + m_sModName + \"-\" + sPrefixedKey,\n sValue);\n }\n\n return CHTTPSock::SendCookie(sPrefixedKey, sValue);\n}", "project": "znc", "hash": 132869062394017302443727564526125347220, "size": 10, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265792 }, { "func": "static int kvm_ioctl_create_device(struct kvm *kvm,\n\t\t\t\t struct kvm_create_device *cd)\n{\n\tconst struct kvm_device_ops *ops = NULL;\n\tstruct kvm_device *dev;\n\tbool test = cd->flags & KVM_CREATE_DEVICE_TEST;\n\tint type;\n\tint ret;\n\n\tif (cd->type >= ARRAY_SIZE(kvm_device_ops_table))\n\t\treturn -ENODEV;\n\n\ttype = array_index_nospec(cd->type, ARRAY_SIZE(kvm_device_ops_table));\n\tops = kvm_device_ops_table[type];\n\tif (ops == NULL)\n\t\treturn -ENODEV;\n\n\tif (test)\n\t\treturn 0;\n\n\tdev = kzalloc(sizeof(*dev), 
GFP_KERNEL_ACCOUNT);\n\tif (!dev)\n\t\treturn -ENOMEM;\n\n\tdev->ops = ops;\n\tdev->kvm = kvm;\n\n\tmutex_lock(&kvm->lock);\n\tret = ops->create(dev, type);\n\tif (ret < 0) {\n\t\tmutex_unlock(&kvm->lock);\n\t\tkfree(dev);\n\t\treturn ret;\n\t}\n\tlist_add(&dev->vm_node, &kvm->devices);\n\tmutex_unlock(&kvm->lock);\n\n\tif (ops->init)\n\t\tops->init(dev);\n\n\tkvm_get_kvm(kvm);\n\tret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);\n\tif (ret < 0) {\n\t\tkvm_put_kvm_no_destroy(kvm);\n\t\tmutex_lock(&kvm->lock);\n\t\tlist_del(&dev->vm_node);\n\t\tmutex_unlock(&kvm->lock);\n\t\tops->destroy(dev);\n\t\treturn ret;\n\t}\n\n\tcd->fd = ret;\n\treturn 0;\n}", "project": "linux", "hash": 290776873632612834494792394163841411028, "size": 54, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354838 }, { "func": "static bool preg_get_backref(const char** str, int* backref) {\n char in_brace = 0;\n const char* walk = *str;\n\n if (walk[1] == 0) {\n return false;\n }\n\n if (*walk == '$' && walk[1] == '{') {\n in_brace = 1;\n walk++;\n }\n walk++;\n\n if (*walk >= '0' && *walk <= '9') {\n *backref = *walk - '0';\n walk++;\n } else {\n return false;\n }\n\n if (*walk && *walk >= '0' && *walk <= '9') {\n *backref = *backref * 10 + *walk - '0';\n walk++;\n }\n\n if (in_brace) {\n if 
(*walk == 0 || *walk != '}') {\n return false;\n }\n walk++;\n }\n\n *str = walk;\n return true;\n}", "project": "hhvm", "hash": 234674313476103216581061587232587728724, "size": 36, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219419 }, { "func": "int ecryptfs_decrypt_page(struct page *page)\n{\n\tstruct inode *ecryptfs_inode;\n\tstruct ecryptfs_crypt_stat *crypt_stat;\n\tchar *enc_extent_virt;\n\tstruct page *enc_extent_page = NULL;\n\tunsigned long extent_offset;\n\tint rc = 0;\n\n\tecryptfs_inode = page->mapping->host;\n\tcrypt_stat =\n\t\t&(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);\n\tif (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) {\n\t\trc = ecryptfs_read_lower_page_segment(page, page->index, 0,\n\t\t\t\t\t\t PAGE_CACHE_SIZE,\n\t\t\t\t\t\t ecryptfs_inode);\n\t\tif (rc)\n\t\t\tprintk(KERN_ERR \"%s: Error attempting to copy \"\n\t\t\t \"page at index [%ld]\\n\", __func__,\n\t\t\t page->index);\n\t\tgoto out;\n\t}\n\tenc_extent_page = alloc_page(GFP_USER);\n\tif (!enc_extent_page) {\n\t\trc = -ENOMEM;\n\t\tecryptfs_printk(KERN_ERR, \"Error allocating memory for \"\n\t\t\t\t\"encrypted extent\\n\");\n\t\tgoto out;\n\t}\n\tenc_extent_virt = kmap(enc_extent_page);\n\tfor (extent_offset = 0;\n\t extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size);\n\t extent_offset++) {\n\t\tloff_t offset;\n\n\t\tecryptfs_lower_offset_for_extent(\n\t\t\t&offset, ((page->index * (PAGE_CACHE_SIZE\n\t\t\t\t\t\t / crypt_stat->extent_size))\n\t\t\t\t + extent_offset), crypt_stat);\n\t\trc = ecryptfs_read_lower(enc_extent_virt, offset,\n\t\t\t\t\t crypt_stat->extent_size,\n\t\t\t\t\t ecryptfs_inode);\n\t\tif (rc) {\n\t\t\tecryptfs_printk(KERN_ERR, \"Error attempting \"\n\t\t\t\t\t\"to read lower page; rc = [%d]\"\n\t\t\t\t\t\"\\n\", rc);\n\t\t\tgoto out;\n\t\t}\n\t\trc = ecryptfs_decrypt_extent(page, crypt_stat, 
enc_extent_page,\n\t\t\t\t\t extent_offset);\n\t\tif (rc) {\n\t\t\tprintk(KERN_ERR \"%s: Error encrypting extent; \"\n\t\t\t \"rc = [%d]\\n\", __func__, rc);\n\t\t\tgoto out;\n\t\t}\n\t}\nout:\n\tif (enc_extent_page) {\n\t\tkunmap(enc_extent_page);\n\t\t__free_page(enc_extent_page);\n\t}\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 240630533125729279101446442850480779408, "size": 63, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. 
Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490153 }, { "func": "int ssh_buffer_add_ssh_string(struct ssh_buffer_struct *buffer,\n struct ssh_string_struct *string) {\n uint32_t len = 0;\n\n if (string == NULL) {\n return -1;\n }\n\n len = ssh_string_len(string);\n if (ssh_buffer_add_data(buffer, string, len + sizeof(uint32_t)) < 0) {\n return -1;\n }\n\n return 0;\n}", "project": "libssh-mirror", "hash": 211941625489555681136883604876629662369, "size": 15, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345142 }, { "func": " bool agg_arg_charsets_for_string_result_with_comparison(DTCollation &c,\n Item **items,\n uint nitems,\n int item_sep= 1)\n {\n uint flags= MY_COLL_ALLOW_SUPERSET_CONV |\n MY_COLL_ALLOW_COERCIBLE_CONV |\n MY_COLL_ALLOW_NUMERIC_CONV |\n MY_COLL_DISALLOW_NONE;\n return agg_arg_charsets(c, items, nitems, flags, item_sep);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 39137222918085424715659837252540030137, "size": 11, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509073 }, { "func": "static int cmd_start (IMAP_DATA* idata, const char* cmdstr, int flags)\n{\n int rc;\n\n if (idata->status == IMAP_FATAL)\n {\n cmd_handle_fatal (idata);\n return -1;\n }\n\n if (cmdstr && ((rc = cmd_queue (idata, cmdstr, flags)) < 0))\n return rc;\n\n if (flags & IMAP_CMD_QUEUE)\n return 0;\n\n if (idata->cmdbuf->dptr == idata->cmdbuf->data)\n return IMAP_CMD_BAD;\n\n rc = mutt_socket_write_d (idata->conn, idata->cmdbuf->data, -1,\n flags & IMAP_CMD_PASS ? IMAP_LOG_PASS : IMAP_LOG_CMD);\n idata->cmdbuf->dptr = idata->cmdbuf->data;\n\n /* unidle when command queue is flushed */\n if (idata->state == IMAP_IDLE)\n idata->state = IMAP_SELECTED;\n\n return (rc < 0) ? 
IMAP_CMD_BAD : 0;\n}", "project": "mutt", "hash": 134075931165318220042616329446942298357, "size": 29, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338015 }, { "func": "static void __enable_cpu_timer_accounting(struct kvm_vcpu *vcpu)\n{\n\tWARN_ON_ONCE(vcpu->arch.cputm_enabled);\n\tvcpu->arch.cputm_enabled = true;\n\t__start_cpu_timer_accounting(vcpu);\n}", "project": "linux", "hash": 292652794969903982241573806636857696258, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354724 }, { "func": "static bool fuse_writepage_need_send(struct fuse_conn *fc, struct page *page,\n\t\t\t\t struct fuse_args_pages *ap,\n\t\t\t\t struct fuse_fill_wb_data *data)\n{\n\tWARN_ON(!ap->num_pages);\n\n\t/*\n\t * Being under writeback is unlikely but possible. 
For example direct\n\t * read to an mmaped fuse file will set the page dirty twice; once when\n\t * the pages are faulted with get_user_pages(), and then after the read\n\t * completed.\n\t */\n\tif (fuse_page_is_writeback(data->inode, page->index))\n\t\treturn true;\n\n\t/* Reached max pages */\n\tif (ap->num_pages == fc->max_pages)\n\t\treturn true;\n\n\t/* Reached max write bytes */\n\tif ((ap->num_pages + 1) * PAGE_SIZE > fc->max_write)\n\t\treturn true;\n\n\t/* Discontinuity */\n\tif (data->orig_pages[ap->num_pages - 1]->index + 1 != page->index)\n\t\treturn true;\n\n\t/* Need to grow the pages array? If so, did the expansion fail? */\n\tif (ap->num_pages == data->max_pages && !fuse_pages_realloc(data))\n\t\treturn true;\n\n\treturn false;\n}", "project": "linux", "hash": 322600943223765046280511607477149473585, "size": 33, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342164 }, { "func": "static int php_openssl_add_oid_section(struct php_x509_request * req) /* {{{ */\n{\n\tchar * str;\n\tSTACK_OF(CONF_VALUE) * sktmp;\n\tCONF_VALUE * cnf;\n\tint i;\n\n\tstr = CONF_get_string(req->req_config, NULL, \"oid_section\");\n\tif (str == NULL) {\n\t\tphp_openssl_store_errors();\n\t\treturn SUCCESS;\n\t}\n\tsktmp = CONF_get_section(req->req_config, str);\n\tif (sktmp == NULL) {\n\t\tphp_openssl_store_errors();\n\t\tphp_error_docref(NULL, E_WARNING, \"problem loading oid section %s\", str);\n\t\treturn FAILURE;\n\t}\n\tfor (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {\n\t\tcnf = sk_CONF_VALUE_value(sktmp, i);\n\t\tif (OBJ_sn2nid(cnf->name) == NID_undef && OBJ_ln2nid(cnf->name) == NID_undef &&\n\t\t\t\tOBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {\n\t\t\tphp_openssl_store_errors();\n\t\t\tphp_error_docref(NULL, E_WARNING, \"problem creating object %s=%s\", cnf->name, cnf->value);\n\t\t\treturn FAILURE;\n\t\t}\n\t}\n\treturn SUCCESS;\n}", "project": "php-src", "hash": 135609476554207546016571348500345729119, "size": 29, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291467 }, { "func": "static void svm_vcpu_init_msrpm(u32 *msrpm)\n{\n\tint i;\n\n\tmemset(msrpm, 0xff, PAGE_SIZE * (1 << MSRPM_ALLOC_ORDER));\n\n\tfor (i = 0; direct_access_msrs[i].index != MSR_INVALID; i++) {\n\t\tif (!direct_access_msrs[i].always)\n\t\t\tcontinue;\n\n\t\tset_msr_interception(msrpm, direct_access_msrs[i].index, 1, 1);\n\t}\n}", "project": "linux", "hash": 56790985420924090925583618250432148991, "size": 13, 
"commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432563 }, { "func": "int kern_path(const char *name, unsigned int flags, struct path *path)\n{\n\treturn filename_lookup(AT_FDCWD, getname_kernel(name),\n\t\t\t flags, path, NULL);\n}", "project": "linux", "hash": 46399290233392005841760268522449921707, "size": 5, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295446 }, { "func": "static int setCompDefaults(struct jpeg_compress_struct *cinfo,\n\tint pixelFormat, int subsamp, int jpegQual, int flags)\n{\n\tint retval=0;\n#ifndef NO_GETENV\n\tchar *env=NULL;\n#endif\n\n\tswitch(pixelFormat)\n\t{\n\t\tcase TJPF_GRAY:\n\t\t\tcinfo->in_color_space=JCS_GRAYSCALE; break;\n\t\t#if JCS_EXTENSIONS==1\n\t\tcase TJPF_RGB:\n\t\t\tcinfo->in_color_space=JCS_EXT_RGB; break;\n\t\tcase TJPF_BGR:\n\t\t\tcinfo->in_color_space=JCS_EXT_BGR; break;\n\t\tcase TJPF_RGBX:\n\t\tcase TJPF_RGBA:\n\t\t\tcinfo->in_color_space=JCS_EXT_RGBX; break;\n\t\tcase TJPF_BGRX:\n\t\tcase TJPF_BGRA:\n\t\t\tcinfo->in_color_space=JCS_EXT_BGRX; break;\n\t\tcase TJPF_XRGB:\n\t\tcase TJPF_ARGB:\n\t\t\tcinfo->in_color_space=JCS_EXT_XRGB; break;\n\t\tcase TJPF_XBGR:\n\t\tcase TJPF_ABGR:\n\t\t\tcinfo->in_color_space=JCS_EXT_XBGR; break;\n\t\t#else\n\t\tcase TJPF_RGB:\n\t\tcase 
TJPF_BGR:\n\t\tcase TJPF_RGBX:\n\t\tcase TJPF_BGRX:\n\t\tcase TJPF_XRGB:\n\t\tcase TJPF_XBGR:\n\t\tcase TJPF_RGBA:\n\t\tcase TJPF_BGRA:\n\t\tcase TJPF_ARGB:\n\t\tcase TJPF_ABGR:\n\t\t\tcinfo->in_color_space=JCS_RGB; pixelFormat=TJPF_RGB;\n\t\t\tbreak;\n\t\t#endif\n\t\tcase TJPF_CMYK:\n\t\t\tcinfo->in_color_space=JCS_CMYK; break;\n\t}\n\n\tcinfo->input_components=tjPixelSize[pixelFormat];\n\tjpeg_set_defaults(cinfo);\n\n#ifndef NO_GETENV\n\tif((env=getenv(\"TJ_OPTIMIZE\"))!=NULL && strlen(env)>0 && !strcmp(env, \"1\"))\n\t\tcinfo->optimize_coding=TRUE;\n\tif((env=getenv(\"TJ_ARITHMETIC\"))!=NULL && strlen(env)>0 && !strcmp(env, \"1\"))\n\t\tcinfo->arith_code=TRUE;\n\tif((env=getenv(\"TJ_RESTART\"))!=NULL && strlen(env)>0)\n\t{\n\t\tint temp=-1; char tempc=0;\n\t\tif(sscanf(env, \"%d%c\", &temp, &tempc)>=1 && temp>=0 && temp<=65535)\n\t\t{\n\t\t\tif(toupper(tempc)=='B')\n\t\t\t{\n\t\t\t\tcinfo->restart_interval=temp;\n\t\t\t\tcinfo->restart_in_rows=0;\n\t\t\t}\n\t\t\telse\n\t\t\t\tcinfo->restart_in_rows=temp;\n\t\t}\n\t}\n#endif\n\n\tif(jpegQual>=0)\n\t{\n\t\tjpeg_set_quality(cinfo, jpegQual, TRUE);\n\t\tif(jpegQual>=96 || flags&TJFLAG_ACCURATEDCT) cinfo->dct_method=JDCT_ISLOW;\n\t\telse cinfo->dct_method=JDCT_FASTEST;\n\t}\n\tif(subsamp==TJSAMP_GRAY)\n\t\tjpeg_set_colorspace(cinfo, JCS_GRAYSCALE);\n\telse if(pixelFormat==TJPF_CMYK)\n\t\tjpeg_set_colorspace(cinfo, JCS_YCCK);\n\telse jpeg_set_colorspace(cinfo, JCS_YCbCr);\n\n#ifndef NO_GETENV\n\tif((env=getenv(\"TJ_PROGRESSIVE\"))!=NULL && strlen(env)>0\n\t\t&& !strcmp(env, 
\"1\"))\n\t\tjpeg_simple_progression(cinfo);\n#endif\n\n\tcinfo->comp_info[0].h_samp_factor=tjMCUWidth[subsamp]/8;\n\tcinfo->comp_info[1].h_samp_factor=1;\n\tcinfo->comp_info[2].h_samp_factor=1;\n\tif(cinfo->num_components>3)\n\t\tcinfo->comp_info[3].h_samp_factor=tjMCUWidth[subsamp]/8;\n\tcinfo->comp_info[0].v_samp_factor=tjMCUHeight[subsamp]/8;\n\tcinfo->comp_info[1].v_samp_factor=1;\n\tcinfo->comp_info[2].v_samp_factor=1;\n\tif(cinfo->num_components>3)\n\t\tcinfo->comp_info[3].v_samp_factor=tjMCUHeight[subsamp]/8;\n\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 304306491300280436695047602090971456160, "size": 102, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311092 }, { "func": "unsigned countOccurences(const std::string& of, const std::string& in) {\n unsigned occurences = 0;\n std::string::size_type lastOccurence = -1;\n while ((lastOccurence = in.find(of, lastOccurence + 1)) !=\n std::string::npos) {\n occurences++;\n }\n return occurences;\n}", "project": "hermes", "hash": 152438888806001956643092147047449072468, "size": 9, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230179 }, { "func": "static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,\n\t\t\t\tconst struct nf_conntrack_tuple *tuple,\n\t\t\t\tconst struct nf_conntrack_l4proto *l4proto)\n{\n\tint ret = 0;\n\tstruct nlattr *nest_parms;\n\n\tnest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO);\n\tif (!nest_parms)\n\t\tgoto nla_put_failure;\n\tif (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))\n\t\tgoto nla_put_failure;\n\n\tif (likely(l4proto->tuple_to_nlattr))\n\t\tret = l4proto->tuple_to_nlattr(skb, tuple);\n\n\tnla_nest_end(skb, nest_parms);\n\n\treturn ret;\n\nnla_put_failure:\n\treturn -1;\n}", "project": "linux", "hash": 225821981117218829222370181016894372431, "size": 23, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. 
MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394227 }, { "func": "static int sctp_setsockopt_default_sndinfo(struct sock *sk,\n\t\t\t\t\t struct sctp_sndinfo *info,\n\t\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_association *asoc;\n\n\tif (optlen != sizeof(*info))\n\t\treturn -EINVAL;\n\tif (info->snd_flags &\n\t ~(SCTP_UNORDERED | SCTP_ADDR_OVER |\n\t SCTP_ABORT | SCTP_EOF))\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, info->snd_assoc_id);\n\tif (!asoc && info->snd_assoc_id > SCTP_ALL_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc) {\n\t\tasoc->default_stream = info->snd_sid;\n\t\tasoc->default_flags = info->snd_flags;\n\t\tasoc->default_ppid = info->snd_ppid;\n\t\tasoc->default_context = info->snd_context;\n\n\t\treturn 0;\n\t}\n\n\tif (sctp_style(sk, TCP))\n\t\tinfo->snd_assoc_id = SCTP_FUTURE_ASSOC;\n\n\tif (info->snd_assoc_id == SCTP_FUTURE_ASSOC ||\n\t info->snd_assoc_id == SCTP_ALL_ASSOC) {\n\t\tsp->default_stream = info->snd_sid;\n\t\tsp->default_flags = info->snd_flags;\n\t\tsp->default_ppid = 
info->snd_ppid;\n\t\tsp->default_context = info->snd_context;\n\t}\n\n\tif (info->snd_assoc_id == SCTP_CURRENT_ASSOC ||\n\t info->snd_assoc_id == SCTP_ALL_ASSOC) {\n\t\tlist_for_each_entry(asoc, &sp->ep->asocs, asocs) {\n\t\t\tasoc->default_stream = info->snd_sid;\n\t\t\tasoc->default_flags = info->snd_flags;\n\t\t\tasoc->default_ppid = info->snd_ppid;\n\t\t\tasoc->default_context = info->snd_context;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 15348127749340299598555918466426164559, "size": 51, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398078 }, { "func": "static int ModSF(FILE *asfd,SplineFont *sf) {\n Encoding *newmap;\n int cnt;\n int multilayer=0;\n char tok[200];\n int i,k;\n SplineChar *sc;\n SplineFont *ssf;\n SplineFont temp;\n int layercnt;\n\n memset(&temp,0,sizeof(temp));\n temp.layers = sf->layers;\n temp.layer_cnt = sf->layer_cnt;\n temp.layers[ly_back].order2 = sf->layers[ly_back].order2;\n temp.layers[ly_fore].order2 = sf->layers[ly_fore].order2;\n temp.ascent = sf->ascent; temp.descent = sf->descent;\n temp.multilayer = sf->multilayer;\n temp.gpos_lookups = sf->gpos_lookups;\n temp.gsub_lookups = sf->gsub_lookups;\n temp.anchor = sf->anchor;\n temp.sfd_version = 2;\n\n if ( getname(asfd,tok)!=1 || strcmp(tok,\"Encoding:\")!=0 )\nreturn(false);\n newmap = SFDGetEncoding(asfd,tok);\n if ( getname(asfd,tok)!=1 )\nreturn( false );\n if ( strcmp(tok,\"UnicodeInterp:\")==0 ) {\n\tsf->uni_interp = SFDGetUniInterp(asfd,tok,sf);\n\tif ( getname(asfd,tok)!=1 )\nreturn( false );\n }\n if ( sf->map!=NULL && sf->map->enc!=newmap ) {\n\tEncMap *map = EncMapFromEncoding(sf,newmap);\n\tEncMapFree(sf->map);\n\tsf->map = map;\n }\n temp.map = sf->map;\n if ( strcmp(tok,\"LayerCount:\")==0 ) {\n\tgetint(asfd,&layercnt);\n\tif ( layercnt>sf->layer_cnt ) {\n\t sf->layers = realloc(sf->layers,layercnt*sizeof(LayerInfo));\n\t memset(sf->layers+sf->layer_cnt,0,(layercnt-sf->layer_cnt)*sizeof(LayerInfo));\n\t}\n\tsf->layer_cnt = layercnt;\n\tif ( getname(asfd,tok)!=1 )\nreturn( false );\n }\n while ( strcmp(tok,\"Layer:\")==0 ) {\n\tint layer, o2;\n\tgetint(asfd,&layer);\n\tgetint(asfd,&o2);\n\tif ( layerlayer_cnt ) {\n\t sf->layers[layer].order2 = o2;\n\t\tif (sf->layers[layer].name)\n\t\t free(sf->layers[layer].name);\n\t sf->layers[layer].name = SFDReadUTF7Str(asfd);\n\t}\n\tif ( getname(asfd,tok)!=1 )\nreturn( false );\n }\n if ( strcmp(tok,\"MultiLayer:\")==0 ) {\n\tgetint(asfd,&multilayer);\n\tif ( getname(asfd,tok)!=1 )\nreturn( false );\n }\n if ( 
multilayer!=sf->multilayer ) {\n\tif ( !multilayer )\n\t SFSplinesFromLayers(sf,false);\n\tsf->multilayer = multilayer;\n\t/* SFLayerChange(sf);*/\t\t/* Shouldn't have any open windows, should not be needed */\n }\n if ( strcmp(tok,\"BeginChars:\")!=0 )\nreturn(false);\n SFRemoveDependencies(sf);\n\n getint(asfd,&cnt);\n if ( cnt>sf->glyphcnt ) {\n\tsf->glyphs = realloc(sf->glyphs,cnt*sizeof(SplineChar *));\n\tfor ( i=sf->glyphcnt; iglyphs[i] = NULL;\n\tsf->glyphcnt = sf->glyphmax = cnt;\n }\n while ( (sc = SFDGetChar(asfd,&temp,true))!=NULL ) {\n\tssf = sf;\n\tfor ( k=0; ksubfontcnt; ++k ) {\n\t if ( sc->orig_possubfonts[k]->glyphcnt ) {\n\t\tssf = sf->subfonts[k];\n\t\tif ( SCWorthOutputting(ssf->glyphs[sc->orig_pos]))\n\tbreak;\n\t }\n\t}\n\tif ( sc->orig_posglyphcnt ) {\n\t if ( ssf->glyphs[sc->orig_pos]!=NULL )\n\t\tSplineCharFree(ssf->glyphs[sc->orig_pos]);\n\t ssf->glyphs[sc->orig_pos] = sc;\n\t sc->parent = ssf;\n\t sc->changed = true;\n\t}\n }\n sf->changed = true;\n SFDFixupRefs(sf);\nreturn(true);\n}", "project": "fontforge", "hash": 61457283249943531759767374777991048433, "size": 105, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417836 }, { "func": "bool build_tmp_join_prefix_cond(JOIN *join, JOIN_TAB *last_tab, Item **ret)\n{\n THD *const thd= join->thd;\n Item_cond_and *all_conds= NULL;\n\n Item *res= NULL;\n\n // Pick the ON-expression. 
Use the same logic as in get_sargable_cond():\n if (last_tab->on_expr_ref)\n res= *last_tab->on_expr_ref;\n else if (last_tab->table->pos_in_table_list &&\n last_tab->table->pos_in_table_list->embedding &&\n !last_tab->table->pos_in_table_list->embedding->sj_on_expr)\n {\n res= last_tab->table->pos_in_table_list->embedding->on_expr;\n }\n\n for (JOIN_TAB *tab= first_depth_first_tab(join);\n tab;\n tab= next_depth_first_tab(join, tab))\n {\n if (tab->select_cond)\n {\n if (!res)\n res= tab->select_cond;\n else\n {\n if (!all_conds)\n {\n if (!(all_conds= new (thd->mem_root)Item_cond_and(thd, res,\n tab->select_cond)))\n return true;\n res= all_conds;\n }\n else\n all_conds->add(tab->select_cond, thd->mem_root);\n }\n }\n if (tab == last_tab)\n break;\n }\n *ret= all_conds? all_conds: res;\n return false;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 251014962819294945782230802872986325524, "size": 44, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508469 }, { "func": "static int nfs4_delay(long *timeout, bool interruptible)\n{\n\tif (interruptible)\n\t\treturn nfs4_delay_interruptible(timeout);\n\treturn nfs4_delay_killable(timeout);\n}", "project": "linux", "hash": 263132535877160736340167030342619276338, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430956 }, { "func": "static int link_to_linux_err(int link_status)\n{\n\tif (link_status < 0) {\n\t\t/* status is already a Linux code */\n\t\treturn link_status;\n\t}\n\tswitch (link_status) {\n\tcase MAC_SUCCESS:\n\tcase MAC_REALIGNMENT:\n\t\treturn 0;\n\tcase MAC_IMPROPER_KEY_TYPE:\n\t\treturn -EKEYREJECTED;\n\tcase MAC_IMPROPER_SECURITY_LEVEL:\n\tcase MAC_UNSUPPORTED_LEGACY:\n\tcase MAC_DENIED:\n\t\treturn -EACCES;\n\tcase MAC_BEACON_LOST:\n\tcase MAC_NO_ACK:\n\tcase MAC_NO_BEACON:\n\t\treturn -ENETUNREACH;\n\tcase MAC_CHANNEL_ACCESS_FAILURE:\n\tcase MAC_TX_ACTIVE:\n\tcase MAC_SCAN_IN_PROGRESS:\n\t\treturn -EBUSY;\n\tcase MAC_DISABLE_TRX_FAILURE:\n\tcase MAC_OUT_OF_CAP:\n\t\treturn -EAGAIN;\n\tcase MAC_FRAME_TOO_LONG:\n\t\treturn -EMSGSIZE;\n\tcase MAC_INVALID_GTS:\n\tcase MAC_PAST_TIME:\n\t\treturn -EBADSLT;\n\tcase MAC_INVALID_HANDLE:\n\t\treturn -EBADMSG;\n\tcase MAC_INVALID_PARAMETER:\n\tcase MAC_UNSUPPORTED_ATTRIBUTE:\n\tcase MAC_ON_TIME_TOO_LONG:\n\tcase MAC_INVALID_INDEX:\n\t\treturn -EINVAL;\n\tcase 
MAC_NO_DATA:\n\t\treturn -ENODATA;\n\tcase MAC_NO_SHORT_ADDRESS:\n\t\treturn -EFAULT;\n\tcase MAC_PAN_ID_CONFLICT:\n\t\treturn -EADDRINUSE;\n\tcase MAC_TRANSACTION_EXPIRED:\n\t\treturn -ETIME;\n\tcase MAC_TRANSACTION_OVERFLOW:\n\t\treturn -ENOBUFS;\n\tcase MAC_UNAVAILABLE_KEY:\n\t\treturn -ENOKEY;\n\tcase MAC_INVALID_ADDRESS:\n\t\treturn -ENXIO;\n\tcase MAC_TRACKING_OFF:\n\tcase MAC_SUPERFRAME_OVERLAP:\n\t\treturn -EREMOTEIO;\n\tcase MAC_LIMIT_REACHED:\n\t\treturn -EDQUOT;\n\tcase MAC_READ_ONLY:\n\t\treturn -EROFS;\n\tdefault:\n\t\treturn -EPROTO;\n\t}\n}", "project": "linux", "hash": 44285308108965215484966188680221216343, "size": 64, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408785 }, { "func": "void __unregister_chrdev(unsigned int major, unsigned int baseminor,\n\t\t\t unsigned int count, const char *name)\n{\n\tstruct char_device_struct *cd;\n\n\tcd = __unregister_chrdev_region(major, baseminor, count);\n\tif (cd && cd->cdev)\n\t\tcdev_del(cd->cdev);\n\tkfree(cd);\n}", "project": "linux", "hash": 275982989527843504943513877984500765887, "size": 10, "commit_id": "68faa679b8be1a74e6663c21c3a9d25d32f1c079", "message": "chardev: Avoid potential use-after-free in 'chrdev_open()'\n\n'chrdev_open()' calls 'cdev_get()' to obtain a reference to the\n'struct cdev *' stashed in the 'i_cdev' field of the target inode\nstructure. 
If the pointer is NULL, then it is initialised lazily by\nlooking up the kobject in the 'cdev_map' and so the whole procedure is\nprotected by the 'cdev_lock' spinlock to serialise initialisation of\nthe shared pointer.\n\nUnfortunately, it is possible for the initialising thread to fail *after*\ninstalling the new pointer, for example if the subsequent '->open()' call\non the file fails. In this case, 'cdev_put()' is called, the reference\ncount on the kobject is dropped and, if nobody else has taken a reference,\nthe release function is called which finally clears 'inode->i_cdev' from\n'cdev_purge()' before potentially freeing the object. The problem here\nis that a racing thread can happily take the 'cdev_lock' and see the\nnon-NULL pointer in the inode, which can result in a refcount increment\nfrom zero and a warning:\n\n | ------------[ cut here ]------------\n | refcount_t: addition on 0; use-after-free.\n | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0\n | Modules linked in:\n | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\n | RIP: 0010:refcount_warn_saturate+0x6d/0xf0\n | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08\n | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282\n | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000\n | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798\n | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039\n | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700\n | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700\n | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0\n | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000\n | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n | Call Trace:\n | kobject_get+0x5c/0x60\n | cdev_get+0x2b/0x60\n | chrdev_open+0x55/0x220\n | ? cdev_put.part.3+0x20/0x20\n | do_dentry_open+0x13a/0x390\n | path_openat+0x2c8/0x1470\n | do_filp_open+0x93/0x100\n | ? selinux_file_ioctl+0x17f/0x220\n | do_sys_open+0x186/0x220\n | do_syscall_64+0x48/0x150\n | entry_SYSCALL_64_after_hwframe+0x44/0xa9\n | RIP: 0033:0x7f3b87efcd0e\n | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4\n | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101\n | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e\n | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c\n | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000\n | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e\n | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000\n | ---[ end trace 24f53ca58db8180a ]---\n\nSince 'cdev_get()' can already fail to obtain a reference, simply move\nit over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',\nwhich will cause the racing thread to return -ENXIO if the initialising\nthread fails unexpectedly.\n\nCc: Hillf Danton \nCc: Andrew Morton \nCc: Al Viro \nReported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com\nSigned-off-by: Will Deacon \nCc: stable \nLink: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 446377 }, { "func": "static bool nfs4_write_stateid_changed(struct rpc_task *task,\n\t\tstruct nfs_pgio_args *args)\n{\n\n\tif (!nfs4_error_stateid_expired(task->tk_status) ||\n\t\tnfs4_stateid_is_current(&args->stateid,\n\t\t\t\targs->context,\n\t\t\t\targs->lock_context,\n\t\t\t\tFMODE_WRITE))\n\t\treturn false;\n\trpc_restart_call_prepare(task);\n\treturn true;\n}", "project": "linux", 
"hash": 182192961888971035413618247704873529079, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431136 }, { "func": "static void kvm_gmap_notifier(struct gmap *gmap, unsigned long start,\n\t\t\t unsigned long end)\n{\n\tstruct kvm *kvm = gmap->private;\n\tstruct kvm_vcpu *vcpu;\n\tunsigned long prefix;\n\tint i;\n\n\tif (gmap_is_shadow(gmap))\n\t\treturn;\n\tif (start >= 1UL << 31)\n\t\t/* We are only interested in prefix pages */\n\t\treturn;\n\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\t/* match against both prefix pages */\n\t\tprefix = kvm_s390_get_prefix(vcpu);\n\t\tif (prefix <= end && start <= prefix + 2*PAGE_SIZE - 1) {\n\t\t\tVCPU_EVENT(vcpu, 2, \"gmap notifier for %lx-%lx\",\n\t\t\t\t start, end);\n\t\t\tkvm_s390_sync_request(KVM_REQ_MMU_RELOAD, vcpu);\n\t\t}\n\t}\n}", "project": "linux", "hash": 260163484763121933690501833393989031224, "size": 23, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo 
Bonzini ", "target": 0, "dataset": "other", "idx": 354580 }, { "func": "static inline unsigned int fuse_wr_pages(loff_t pos, size_t len,\n\t\t\t\t unsigned int max_pages)\n{\n\treturn min_t(unsigned int,\n\t\t ((pos + len - 1) >> PAGE_SHIFT) -\n\t\t (pos >> PAGE_SHIFT) + 1,\n\t\t max_pages);\n}", "project": "linux", "hash": 283194044527427031754161370879654240068, "size": 8, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341887 }, { "func": "static int pfkey_do_dump(struct pfkey_sock *pfk)\n{\n\tstruct sadb_msg *hdr;\n\tint rc;\n\n\tmutex_lock(&pfk->dump_lock);\n\tif (!pfk->dump.dump) {\n\t\trc = 0;\n\t\tgoto out;\n\t}\n\n\trc = pfk->dump.dump(pfk);\n\tif (rc == -ENOBUFS) {\n\t\trc = 0;\n\t\tgoto out;\n\t}\n\n\tif (pfk->dump.skb) {\n\t\tif (!pfkey_can_dump(&pfk->sk)) {\n\t\t\trc = 0;\n\t\t\tgoto out;\n\t\t}\n\n\t\thdr = (struct sadb_msg *) pfk->dump.skb->data;\n\t\thdr->sadb_msg_seq = 0;\n\t\thdr->sadb_msg_errno = rc;\n\t\tpfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,\n\t\t\t\t&pfk->sk, sock_net(&pfk->sk));\n\t\tpfk->dump.skb = NULL;\n\t}\n\n\tpfkey_terminate_dump(pfk);\n\nout:\n\tmutex_unlock(&pfk->dump_lock);\n\treturn rc;\n}", "project": "linux", "hash": 36502211817720335226349217550003968327, "size": 37, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268041 }, { "func": "static inline int do_inode_permission(struct inode *inode, int mask)\n{\n\tif (unlikely(!(inode->i_opflags & IOP_FASTPERM))) {\n\t\tif (likely(inode->i_op->permission))\n\t\t\treturn inode->i_op->permission(inode, mask);\n\n\t\t/* This gets set once for the inode lifetime */\n\t\tspin_lock(&inode->i_lock);\n\t\tinode->i_opflags |= IOP_FASTPERM;\n\t\tspin_unlock(&inode->i_lock);\n\t}\n\treturn generic_permission(inode, mask);\n}", "project": "linux", "hash": 298753770637367670139339757151522363625, "size": 13, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295303 }, { "func": "static void io_poll_remove_all(struct io_ring_ctx *ctx)\n{\n\tstruct hlist_node *tmp;\n\tstruct io_kiocb *req;\n\tint posted = 0, i;\n\n\tspin_lock_irq(&ctx->completion_lock);\n\tfor (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {\n\t\tstruct hlist_head *list;\n\n\t\tlist = &ctx->cancel_hash[i];\n\t\thlist_for_each_entry_safe(req, tmp, list, hash_node)\n\t\t\tposted += io_poll_remove_one(req);\n\t}\n\tspin_unlock_irq(&ctx->completion_lock);\n\n\tif (posted)\n\t\tio_cqring_ev_posted(ctx);\n}", "project": "linux", "hash": 111271842566040705530436968360548608159, "size": 19, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the 
ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456952 }, { "func": "AWSBrowserUploadAbstractor::get_auth_data_v4(const req_state* const s) const\n{\n const boost::string_view credential = s->auth.s3_postobj_creds.x_amz_credential;\n\n /* grab access key id */\n const size_t pos = credential.find(\"/\");\n const boost::string_view access_key_id = credential.substr(0, pos);\n dout(10) << \"access key id = \" << access_key_id << dendl;\n\n /* grab credential scope */\n const boost::string_view credential_scope = credential.substr(pos + 1);\n dout(10) << \"credential scope = \" << credential_scope << dendl;\n\n const auto sig_factory = std::bind(rgw::auth::s3::get_v4_signature,\n credential_scope,\n std::placeholders::_1,\n std::placeholders::_2,\n std::placeholders::_3);\n\n return {\n access_key_id,\n s->auth.s3_postobj_creds.signature,\n s->auth.s3_postobj_creds.encoded_policy.to_str(),\n sig_factory,\n null_completer_factory\n };\n}", "project": "ceph", "hash": 242828706056946182458645152243318838587, "size": 27, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281289 }, { "func": "int spprintf(char **pbuf, size_t max_len, const char *format, ...)\n{\n int cc;\n va_list ap;\n\n va_start(ap, format);\n cc = vspprintf(pbuf, max_len, format, ap);\n va_end(ap);\n return (cc);\n}", "project": "hhvm", "hash": 284023635637484864615365032140650801293, "size": 10, 
"commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219559 }, { "func": "static apr_status_t session_identity_decode(request_rec * r, session_rec * z)\n{\n\n char *last = NULL;\n char *encoded, *pair;\n const char *sep = \"&\";\n\n /* sanity check - anything to decode? */\n if (!z->encoded) {\n return OK;\n }\n\n /* decode what we have */\n encoded = apr_pstrdup(r->pool, z->encoded);\n pair = apr_strtok(encoded, sep, &last);\n while (pair && pair[0]) {\n char *plast = NULL;\n const char *psep = \"=\";\n char *key = apr_strtok(pair, psep, &plast);\n char *val = apr_strtok(NULL, psep, &plast);\n if (key && *key) {\n if (!val || !*val) {\n apr_table_unset(z->entries, key);\n }\n else if (!ap_unescape_urlencoded(key) && !ap_unescape_urlencoded(val)) {\n if (!strcmp(SESSION_EXPIRY, key)) {\n z->expiry = (apr_time_t) apr_atoi64(val);\n }\n else {\n apr_table_set(z->entries, key, val);\n }\n }\n }\n pair = apr_strtok(NULL, sep, &last);\n }\n z->encoded = NULL;\n return OK;\n\n}", "project": "httpd", "hash": 31782505111206730096362741203917949504, "size": 39, "commit_id": "67bd9bfe6c38831e14fe7122f1d84391472498f8", "message": "mod_session: save one apr_strtok() in session_identity_decode().\n\nWhen the encoding is invalid (missing '='), no need to parse further.\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887050 13f79535-47bb-0310-9956-ffa450edef68", "target": 1, "dataset": "other", "idx": 209050 }, { "func": "static apr_status_t session_identity_decode(request_rec * r, session_rec * z)\n{\n\n char *last = NULL;\n char *encoded, *pair;\n const char *sep = \"&\";\n\n /* sanity check - anything to decode? 
*/\n if (!z->encoded) {\n return OK;\n }\n\n /* decode what we have */\n encoded = apr_pstrdup(r->pool, z->encoded);\n pair = apr_strtok(encoded, sep, &last);\n while (pair && pair[0]) {\n char *plast = NULL;\n const char *psep = \"=\";\n char *key = apr_strtok(pair, psep, &plast);\n if (key && *key) {\n char *val = apr_strtok(NULL, sep, &plast);\n if (!val || !*val) {\n apr_table_unset(z->entries, key);\n }\n else if (!ap_unescape_urlencoded(key) && !ap_unescape_urlencoded(val)) {\n if (!strcmp(SESSION_EXPIRY, key)) {\n z->expiry = (apr_time_t) apr_atoi64(val);\n }\n else {\n apr_table_set(z->entries, key, val);\n }\n }\n }\n pair = apr_strtok(NULL, sep, &last);\n }\n z->encoded = NULL;\n return OK;\n\n}", "project": "httpd", "hash": 210721734400095372861771700303495039013, "size": 39, "commit_id": "7e09dd714fc62c08c5b0319ed7b9702594faf49b", "message": "mod_session: account for the '&' in identity_concat().\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 389208 }, { "func": "static int core_check_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)\n{\n int rv = OK;\n while (s) {\n if (check_errorlog_dir(ptemp, s) != OK)\n rv = !OK;\n s = s->next;\n }\n return rv;\n}", "project": "httpd", "hash": 312833448504841474769179906165079266797, "size": 10, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246263 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "JNIEXPORT 
jbyteArray JNICALL Java_edu_berkeley_cs_rise_opaque_execution_SGXEnclave_Sample(\n JNIEnv *env, jobject obj, jlong eid, jbyteArray input_rows) {\n (void)obj;\n\n jboolean if_copy;\n size_t input_rows_length = static_cast(env->GetArrayLength(input_rows));\n uint8_t *input_rows_ptr = reinterpret_cast(\n env->GetByteArrayElements(input_rows, &if_copy));\n\n uint8_t *output_rows;\n size_t output_rows_length;\n\n sgx_check(\"Sample\",\n ecall_sample(\n eid,\n input_rows_ptr, input_rows_length,\n &output_rows, &output_rows_length));\n\n jbyteArray ret = env->NewByteArray(output_rows_length);\n env->SetByteArrayRegion(ret, 0, output_rows_length, (jbyte *) output_rows);\n free(output_rows);\n\n env->ReleaseByteArrayElements(input_rows, (jbyte *) input_rows_ptr, 0);\n\n return ret;\n}", "idx": 519054, "cwe": "CWE-787", "hash": 177780029350921331552551620590773205235, "dataset": "other" }, { "func": "void recalc_sigpending_and_wake(struct task_struct *t)\n{\n\tif (recalc_sigpending_tsk(t))\n\t\tsignal_wake_up(t, 0);\n}", "project": "linux", "hash": 72174694727166305803618831470748714959, "size": 5, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375268 }, { "func": "uint64 TensorProtoHash(const TensorProto& tp) {\n Tensor tensor(tp.dtype());\n bool success = tensor.FromProto(tp);\n DCHECK(success);\n TensorProto p;\n tensor.AsProtoTensorContent(&p);\n return DeterministicProtoHash64(p);\n}", "project": "tensorflow", "hash": 30716395505624755563952832489254935115, "size": 8, "commit_id": "c2426bba00a01de6913738df8fa78e0215fcce02", "message": "Use `PartialTensorShape` instead of `TensorShape`.\n\n`TensorShape` constructor throws a CHECK-fail if shape is partial/overflows which the other doesn't. 
We are only determining the number of elements in the shape and partial shape should be used as it returns negative number when needed.\n\nPiperOrigin-RevId: 409205384\nChange-Id: Ia56542ff9ec758f2c9ffc7e4dcc9fa7eecd86e7b", "target": 0, "dataset": "other", "idx": 223159 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 1, "func": "bool SoftwareFrameManager::SwapToNewFrame(\n uint32 output_surface_id,\n const cc::SoftwareFrameData* frame_data,\n float frame_device_scale_factor,\n base::ProcessHandle process_handle) {\n\n#ifdef OS_WIN\n scoped_ptr shared_memory(\n new base::SharedMemory(frame_data->handle, true,\n process_handle));\n#else\n scoped_ptr shared_memory(\n new base::SharedMemory(frame_data->handle, true));\n#endif\n \n if (base::SharedMemory::IsHandleValid(shared_memory->handle())) {\n const size_t size_in_bytes = 4 * frame_data->size.GetArea();\n #ifdef OS_WIN\n if (!shared_memory->Map(0)) {\n DLOG(ERROR) << \"Unable to map renderer memory.\";\n RecordAction(\n base::UserMetricsAction(\"BadMessageTerminate_SharedMemoryManager1\"));\n return false;\n }\n\n if (shared_memory->mapped_size() < size_in_bytes) {\n DLOG(ERROR) << \"Shared memory too small for given rectangle\";\n RecordAction(\n base::UserMetricsAction(\"BadMessageTerminate_SharedMemoryManager2\"));\n return false;\n }\n#else\n if (!shared_memory->Map(size_in_bytes)) {\n DLOG(ERROR) << \"Unable to map renderer memory.\";\n RecordAction(\n base::UserMetricsAction(\"BadMessageTerminate_SharedMemoryManager1\"));\n return false;\n }\n#endif\n }\n\n scoped_refptr next_frame(new SoftwareFrame(\n client_,\n output_surface_id,\n frame_data->id,\n frame_device_scale_factor,\n frame_data->size,\n shared_memory.Pass()));\n current_frame_.swap(next_frame);\n return true;\n}\n", "cwe": "", "big_vul_idx": 185417, "idx": 6270, "hash": 116003027451590305936545199542467169705 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 
0, "func": "bool SoftwareFrameManager::SwapToNewFrame(\n uint32 output_surface_id,\n const cc::SoftwareFrameData* frame_data,\n float frame_device_scale_factor,\n base::ProcessHandle process_handle) {\n\n#ifdef OS_WIN\n scoped_ptr shared_memory(\n new base::SharedMemory(frame_data->handle, true,\n process_handle));\n#else\n scoped_ptr shared_memory(\n new base::SharedMemory(frame_data->handle, true));\n#endif\n \n if (base::SharedMemory::IsHandleValid(shared_memory->handle())) {\n base::CheckedNumeric size_in_bytes_checked =\n base::CheckedNumeric(4) *\n base::CheckedNumeric(frame_data->size.width()) *\n base::CheckedNumeric(frame_data->size.height());\n if (!size_in_bytes_checked.IsValid()) {\n DLOG(ERROR) << \"Integer overflow when computing bytes to map.\";\n return false;\n }\n size_t size_in_bytes = size_in_bytes_checked.ValueOrDie();\n #ifdef OS_WIN\n if (!shared_memory->Map(0)) {\n DLOG(ERROR) << \"Unable to map renderer memory.\";\n RecordAction(\n base::UserMetricsAction(\"BadMessageTerminate_SharedMemoryManager1\"));\n return false;\n }\n\n if (shared_memory->mapped_size() < size_in_bytes) {\n DLOG(ERROR) << \"Shared memory too small for given rectangle\";\n RecordAction(\n base::UserMetricsAction(\"BadMessageTerminate_SharedMemoryManager2\"));\n return false;\n }\n#else\n if (!shared_memory->Map(size_in_bytes)) {\n DLOG(ERROR) << \"Unable to map renderer memory.\";\n RecordAction(\n base::UserMetricsAction(\"BadMessageTerminate_SharedMemoryManager1\"));\n return false;\n }\n#endif\n }\n\n scoped_refptr next_frame(new SoftwareFrame(\n client_,\n output_surface_id,\n frame_data->id,\n frame_device_scale_factor,\n frame_data->size,\n shared_memory.Pass()));\n current_frame_.swap(next_frame);\n return true;\n}\n", "cwe": "", "big_vul_idx": 185417, "idx": 163357, "hash": 38030128573621593790463547507154903710 }, { "func": "HttpStateData::handleMoreRequestBodyAvailable()\n{\n if (eof || !Comm::IsConnOpen(serverConnection)) {\n // XXX: we should check this 
condition in other callbacks then!\n // TODO: Check whether this can actually happen: We should unsubscribe\n // as a body consumer when the above condition(s) are detected.\n debugs(11, DBG_IMPORTANT, HERE << \"Transaction aborted while reading HTTP body\");\n return;\n }\n\n assert(requestBodySource != NULL);\n\n if (requestBodySource->buf().hasContent()) {\n // XXX: why does not this trigger a debug message on every request?\n\n if (flags.headers_parsed && !flags.abuse_detected) {\n flags.abuse_detected = true;\n debugs(11, DBG_IMPORTANT, \"http handleMoreRequestBodyAvailable: Likely proxy abuse detected '\" << request->client_addr << \"' -> '\" << entry->url() << \"'\" );\n\n if (virginReply()->sline.status() == Http::scInvalidHeader) {\n closeServer();\n mustStop(\"HttpStateData::handleMoreRequestBodyAvailable\");\n return;\n }\n }\n }\n\n HttpStateData::handleMoreRequestBodyAvailable();\n}", "project": "squid", "hash": 308246959370012709172097935507704475907, "size": 29, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402372 }, { "func": "static apr_status_t ap_session_save(request_rec * r, session_rec * z)\n{\n if (z) {\n apr_time_t now = apr_time_now();\n apr_time_t initialExpiry = z->expiry;\n int rv = 0;\n\n session_dir_conf *dconf = ap_get_module_config(r->per_dir_config,\n &session_module);\n\n /* sanity checks, should we try save at all? 
*/\n if (z->written) {\n ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01818)\n \"attempt made to save the session twice, \"\n \"session not saved: %s\", r->uri);\n return APR_EGENERAL;\n }\n if (z->expiry && z->expiry < now) {\n ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01819)\n \"attempt made to save a session when the session had already expired, \"\n \"session not saved: %s\", r->uri);\n return APR_EGENERAL;\n }\n\n /* reset the expiry back to maxage, if the expiry is present */\n if (dconf->maxage) {\n z->expiry = now + dconf->maxage * APR_USEC_PER_SEC;\n z->maxage = dconf->maxage;\n }\n\n /* reset the expiry before saving if present */\n if (z->dirty && z->maxage) {\n z->expiry = now + z->maxage * APR_USEC_PER_SEC;\n } \n\n /* don't save if the only change is the expiry by a small amount */\n if (!z->dirty && dconf->expiry_update_time\n && (z->expiry - initialExpiry < dconf->expiry_update_time)) {\n return APR_SUCCESS;\n }\n\n /* also don't save sessions that didn't change at all */\n if (!z->dirty && !z->maxage) {\n return APR_SUCCESS;\n }\n\n /* encode the session */\n rv = ap_run_session_encode(r, z);\n if (OK != rv) {\n ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01820)\n \"error while encoding the session, \"\n \"session not saved: %s\", r->uri);\n return rv;\n }\n\n /* try the save */\n rv = ap_run_session_save(r, z);\n if (DECLINED == rv) {\n ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01821)\n \"session is enabled but no session modules have been configured, \"\n \"session not saved: %s\", r->uri);\n return APR_EGENERAL;\n }\n else if (OK != rv) {\n ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01822)\n \"error while saving the session, \"\n \"session not saved: %s\", r->uri);\n return rv;\n }\n else {\n z->written = 1;\n }\n }\n\n return APR_SUCCESS;\n\n}", "project": "httpd", "hash": 192623774646756001174999105803027003453, "size": 77, "commit_id": "7e09dd714fc62c08c5b0319ed7b9702594faf49b", "message": 
"mod_session: account for the '&' in identity_concat().\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 389217 }, { "func": "static int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_async_msghdr iomsg, *kmsg;\n\tstruct socket *sock;\n\tstruct io_buffer *kbuf;\n\tunsigned flags;\n\tint min_ret = 0;\n\tint ret, cflags = 0;\n\tbool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;\n\n\tsock = sock_from_file(req->file);\n\tif (unlikely(!sock))\n\t\treturn -ENOTSOCK;\n\n\tkmsg = req->async_data;\n\tif (!kmsg) {\n\t\tret = io_recvmsg_copy_hdr(req, &iomsg);\n\t\tif (ret)\n\t\t\treturn ret;\n\t\tkmsg = &iomsg;\n\t}\n\n\tif (req->flags & REQ_F_BUFFER_SELECT) {\n\t\tkbuf = io_recv_buffer_select(req, !force_nonblock);\n\t\tif (IS_ERR(kbuf))\n\t\t\treturn PTR_ERR(kbuf);\n\t\tkmsg->fast_iov[0].iov_base = u64_to_user_ptr(kbuf->addr);\n\t\tkmsg->fast_iov[0].iov_len = req->sr_msg.len;\n\t\tiov_iter_init(&kmsg->msg.msg_iter, READ, kmsg->fast_iov,\n\t\t\t\t1, req->sr_msg.len);\n\t}\n\n\tflags = req->sr_msg.msg_flags;\n\tif (force_nonblock)\n\t\tflags |= MSG_DONTWAIT;\n\tif (flags & MSG_WAITALL)\n\t\tmin_ret = iov_iter_count(&kmsg->msg.msg_iter);\n\n\tret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.umsg,\n\t\t\t\t\tkmsg->uaddr, flags);\n\tif (force_nonblock && ret == -EAGAIN)\n\t\treturn io_setup_async_msg(req, kmsg);\n\tif (ret == -ERESTARTSYS)\n\t\tret = -EINTR;\n\n\tif (req->flags & REQ_F_BUFFER_SELECTED)\n\t\tcflags = io_put_recv_kbuf(req);\n\t/* fast path, check for non-NULL to avoid function call */\n\tif (kmsg->free_iov)\n\t\tkfree(kmsg->free_iov);\n\treq->flags &= ~REQ_F_NEED_CLEANUP;\n\tif (ret < min_ret || ((flags & MSG_WAITALL) && (kmsg->msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC))))\n\t\treq_set_fail_links(req);\n\t__io_req_complete(req, issue_flags, ret, cflags);\n\treturn 0;\n}", "project": "linux", "hash": 
132642737828217150122628646089809721734, "size": 56, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338597 }, { "project": "Chrome", "commit_id": "87190165c55bcf3eecd8824dd8d083f5e3236552", "target": 0, "func": "void AudioManagerBase::Init() {\n base::AutoLock lock(audio_thread_lock_);\n DCHECK(!audio_thread_.get());\n audio_thread_.reset(new base::Thread(\"AudioThread\"));\n CHECK(audio_thread_->Start());\n}\n", "cwe": "", "big_vul_idx": 113843, "idx": 102044, "hash": 136877552478348595484759991036385542846 }, { "func": "void* Init(TfLiteContext* context, const char* buffer, size_t length) {\n // This is a builtin op, so we don't use the contents in 'buffer', if any.\n // Instead, we allocate a new object to carry information from Prepare() to\n // Eval().\n auto* op_data = new OpData();\n context->AddTensors(context, /*tensors_to_add=*/6,\n &op_data->scratch_tensor_index);\n return op_data;\n}", "project": "tensorflow", "hash": 185967211649439214818093917551899737438, "size": 9, "commit_id": "6c0b2b70eeee588591680f5b7d5d38175fd7cdf6", "message": "[lite] add validation check for sparse fully connected\n\nPiperOrigin-RevId: 417629354\nChange-Id: If96171c4bd4f5fdb01d6368d6deab19d1c9beca7", "target": 0, 
"dataset": "other", "idx": 220472 }, { "func": "void* Init(TfLiteContext* context, const char* buffer, size_t length) {\n // This is a builtin op, so we don't use the contents in 'buffer', if any.\n // Instead, we allocate a new object to carry information from Prepare() to\n // Eval().\n return new OpData;\n}", "project": "tensorflow", "hash": 199781823315611412040961016391025418488, "size": 6, "commit_id": "e5b0eec199c2d03de54fd6a7fd9275692218e2bc", "message": "[lite] Add validation check for dilation height/width to be positive integers.\n\nPiperOrigin-RevId: 416429178\nChange-Id: If7cdcddca54486434d9b2f06e7e2b401d7c3ee25", "target": 0, "dataset": "other", "idx": 223171 }, { "func": "Status KernelAndDeviceOp::Init(const Context& ctx, const NodeDef& ndef,\n GraphCollector* graph_collector) {\n OpKernel* k = nullptr;\n if (flr_ == nullptr) {\n return errors::Internal(\n \"A valid FunctionLibraryRuntime must be provided when running ops \"\n \"based on OpKernel.\");\n }\n std::shared_ptr props;\n TF_RETURN_IF_ERROR(NodeProperties::CreateFromNodeDef(\n ndef, flr_->GetFunctionLibraryDefinition(), &props));\n TF_RETURN_IF_ERROR(flr_->CreateKernel(props, &k));\n kernel_.reset(k);\n\n input_alloc_attrs_.resize(kernel_->num_inputs());\n input_devices_.resize(kernel_->num_inputs(), device_);\n for (size_t i = 0; i < input_alloc_attrs_.size(); ++i) {\n bool host = kernel_->input_memory_types()[i] == tensorflow::HOST_MEMORY;\n input_alloc_attrs_[i].set_on_host(host);\n if (host) {\n input_devices_[i] = host_cpu_device_;\n }\n }\n output_alloc_attrs_.resize(kernel_->num_outputs());\n for (size_t i = 0; i < output_alloc_attrs_.size(); ++i) {\n output_alloc_attrs_[i].set_on_host(kernel_->output_memory_types()[i] ==\n tensorflow::HOST_MEMORY);\n }\n\n return Status::OK();\n}", "project": "tensorflow", "hash": 129103471789584778121821819793936078113, "size": 31, "commit_id": "da8558533d925694483d2c136a9220d6d49d843c", "message": "Fix undefined behavior in `tf.raw_ops.Switch` in 
eager mode.\n\nPiperOrigin-RevId: 332578058\nChange-Id: I9727571d2f21476b10d8aa27c1b7176564b76ac9", "target": 0, "dataset": "other", "idx": 270135 }, { "func": "Status KernelAndDeviceFunc::Init(const Context& ctx, const NodeDef& ndef,\n GraphCollector* graph_collector) {\n TF_RETURN_IF_ERROR(InstantiateFunc(ctx, ndef, graph_collector));\n return pflr_->GetOutputDevices(handle_, &output_devices_,\n ctx.eager_lazy_copy);\n}", "project": "tensorflow", "hash": 300161328366532910256694603369829982422, "size": 6, "commit_id": "da8558533d925694483d2c136a9220d6d49d843c", "message": "Fix undefined behavior in `tf.raw_ops.Switch` in eager mode.\n\nPiperOrigin-RevId: 332578058\nChange-Id: I9727571d2f21476b10d8aa27c1b7176564b76ac9", "target": 0, "dataset": "other", "idx": 270140 }, { "func": "int CServer::Init()\n{\n\tfor(int i = 0; i < MAX_CLIENTS; i++)\n\t{\n\t\tm_aClients[i].m_State = CClient::STATE_EMPTY;\n\t\tm_aClients[i].m_aName[0] = 0;\n\t\tm_aClients[i].m_aClan[0] = 0;\n\t\tm_aClients[i].m_Country = -1;\n\t\tm_aClients[i].m_Snapshots.Init();\n\t}\n\n\tm_CurrentGameTick = 0;\n\n\treturn 0;\n}", "project": "teeworlds", "hash": 302169738846756367393684077208578486572, "size": 15, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 381996 }, { "func": "static int pfkey_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct sk_buff *skb = NULL;\n\tstruct sadb_msg *hdr = NULL;\n\tint err;\n\tstruct net *net = sock_net(sk);\n\n\terr = -EOPNOTSUPP;\n\tif (msg->msg_flags & MSG_OOB)\n\t\tgoto out;\n\n\terr = -EMSGSIZE;\n\tif ((unsigned int)len > sk->sk_sndbuf - 32)\n\t\tgoto out;\n\n\terr = -ENOBUFS;\n\tskb = alloc_skb(len, GFP_KERNEL);\n\tif (skb == NULL)\n\t\tgoto out;\n\n\terr = -EFAULT;\n\tif (memcpy_from_msg(skb_put(skb,len), msg, len))\n\t\tgoto out;\n\n\thdr = pfkey_get_base_msg(skb, &err);\n\tif (!hdr)\n\t\tgoto 
out;\n\n\tmutex_lock(&net->xfrm.xfrm_cfg_mutex);\n\terr = pfkey_process(sk, skb, hdr);\n\tmutex_unlock(&net->xfrm.xfrm_cfg_mutex);\n\nout:\n\tif (err && hdr && pfkey_error(hdr, err, sk) == 0)\n\t\terr = 0;\n\tkfree_skb(skb);\n\n\treturn err ? : len;\n}", "project": "linux", "hash": 32540087688845928519664634578187107961, "size": 40, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268092 }, { "func": "static int sctp_setsockopt_initmsg(struct sock *sk, struct sctp_initmsg *sinit,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\n\tif (optlen != sizeof(struct sctp_initmsg))\n\t\treturn -EINVAL;\n\n\tif (sinit->sinit_num_ostreams)\n\t\tsp->initmsg.sinit_num_ostreams = sinit->sinit_num_ostreams;\n\tif (sinit->sinit_max_instreams)\n\t\tsp->initmsg.sinit_max_instreams = sinit->sinit_max_instreams;\n\tif (sinit->sinit_max_attempts)\n\t\tsp->initmsg.sinit_max_attempts = sinit->sinit_max_attempts;\n\tif (sinit->sinit_max_init_timeo)\n\t\tsp->initmsg.sinit_max_init_timeo = sinit->sinit_max_init_timeo;\n\n\treturn 0;\n}", "project": "linux", "hash": 203177873798088093033484876065628849117, "size": 19, "commit_id": 
"b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398134 }, { "func": "int h2_stream_is_ready(h2_stream *stream)\n{\n if (stream->has_response) {\n return 1;\n }\n else if (stream->out_buffer && get_first_headers_bucket(stream->out_buffer)) {\n return 1;\n }\n return 0;\n}", "project": "httpd", "hash": 332951709422090844294306150370993033167, "size": 10, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284267 }, { "func": "SYSCALL_DEFINE2(link, const char __user *, oldname, const char __user *, newname)\n{\n\treturn do_linkat(AT_FDCWD, oldname, AT_FDCWD, newname, 0);\n}", "project": "linux", "hash": 222431258246204189230636675426826738268, "size": 4, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we 
already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295356 }, { "func": "SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,\n\t\tint, newdfd, const char __user *, newname, int, flags)\n{\n\treturn do_linkat(olddfd, oldname, newdfd, newname, flags);\n}", "project": "linux", "hash": 191631824976920577742200457500708812852, "size": 5, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295364 }, { "func": "int do_linkat(int olddfd, const char __user *oldname, int newdfd,\n\t const char __user *newname, int flags)\n{\n\tstruct dentry *new_dentry;\n\tstruct path old_path, new_path;\n\tstruct inode *delegated_inode = NULL;\n\tint how = 0;\n\tint error;\n\n\tif ((flags & ~(AT_SYMLINK_FOLLOW | AT_EMPTY_PATH)) != 0)\n\t\treturn -EINVAL;\n\t/*\n\t * To use null names we require CAP_DAC_READ_SEARCH\n\t * This ensures that not everyone will be able to create\n\t * handlink using the passed filedescriptor.\n\t */\n\tif (flags & AT_EMPTY_PATH) {\n\t\tif (!capable(CAP_DAC_READ_SEARCH))\n\t\t\treturn -ENOENT;\n\t\thow = LOOKUP_EMPTY;\n\t}\n\n\tif (flags & AT_SYMLINK_FOLLOW)\n\t\thow |= LOOKUP_FOLLOW;\nretry:\n\terror = user_path_at(olddfd, oldname, how, &old_path);\n\tif (error)\n\t\treturn error;\n\n\tnew_dentry = user_path_create(newdfd, newname, &new_path,\n\t\t\t\t\t(how & LOOKUP_REVAL));\n\terror = PTR_ERR(new_dentry);\n\tif (IS_ERR(new_dentry))\n\t\tgoto out;\n\n\terror = -EXDEV;\n\tif (old_path.mnt != new_path.mnt)\n\t\tgoto out_dput;\n\terror = may_linkat(&old_path);\n\tif 
(unlikely(error))\n\t\tgoto out_dput;\n\terror = security_path_link(old_path.dentry, &new_path, new_dentry);\n\tif (error)\n\t\tgoto out_dput;\n\terror = vfs_link(old_path.dentry, new_path.dentry->d_inode, new_dentry, &delegated_inode);\nout_dput:\n\tdone_path_create(&new_path, new_dentry);\n\tif (delegated_inode) {\n\t\terror = break_deleg_wait(&delegated_inode);\n\t\tif (!error) {\n\t\t\tpath_put(&old_path);\n\t\t\tgoto retry;\n\t\t}\n\t}\n\tif (retry_estale(error, how)) {\n\t\tpath_put(&old_path);\n\t\thow |= LOOKUP_REVAL;\n\t\tgoto retry;\n\t}\nout:\n\tpath_put(&old_path);\n\n\treturn error;\n}", "project": "linux", "hash": 43138534553345209195220627849548765415, "size": 64, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295429 }, { "func": " bool is_result_field() { return false; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 327054049896576895236265748684039646087, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509418 }, { "func": " bool is_result_field() { return true; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 76316284706011968033408722210987616706, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509464 }, { "func": "static int io_tee(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_splice *sp = &req->splice;\n\tstruct file *in = sp->file_in;\n\tstruct file *out = sp->file_out;\n\tunsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;\n\tlong ret = 0;\n\n\tif (issue_flags & IO_URING_F_NONBLOCK)\n\t\treturn -EAGAIN;\n\tif (sp->len)\n\t\tret = do_tee(in, out, sp->len, flags);\n\n\tif (!(sp->flags & SPLICE_F_FD_IN_FIXED))\n\t\tio_put_file(in);\n\treq->flags &= ~REQ_F_NEED_CLEANUP;\n\n\tif (ret != sp->len)\n\t\treq_set_fail_links(req);\n\tio_req_complete(req, ret);\n\treturn 0;\n}", "project": "linux", "hash": 336397536552832872822742648977948423336, "size": 22, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338538 }, { "func": "void f_hotprofiler_enable(int ikind) {\n auto kind = static_cast(ikind);\n long flags = 0;\n if (kind == ProfilerKind::Hierarchical) {\n flags = NoTrackBuiltins;\n } else if (kind == ProfilerKind::Memory) {\n kind = ProfilerKind::Hierarchical;\n flags = NoTrackBuiltins | TrackMemory;\n }\n if (RuntimeOption::EnableHotProfiler) {\n s_profiler_factory->start(kind, flags);\n }\n}", "project": "hhvm", "hash": 282928650114882596280636869022275425206, "size": 13, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219334 }, { "func": "void CServer::SendRconCmdAdd(const IConsole::CCommandInfo *pCommandInfo, int ClientID)\n{\n\tCMsgPacker Msg(NETMSG_RCON_CMD_ADD, true);\n\tMsg.AddString(pCommandInfo->m_pName, IConsole::TEMPCMD_NAME_LENGTH);\n\tMsg.AddString(pCommandInfo->m_pHelp, IConsole::TEMPCMD_HELP_LENGTH);\n\tMsg.AddString(pCommandInfo->m_pParams, IConsole::TEMPCMD_PARAMS_LENGTH);\n\tSendMsg(&Msg, MSGFLAG_VITAL, ClientID);\n}", "project": "teeworlds", "hash": 166964169404957097910902537121532905466, "size": 8, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382000 }, { "func": "void CClient::HandleCap(const CMessage& Message) {\n 
CString sSubCmd = Message.GetParam(0);\n\n if (sSubCmd.Equals(\"LS\")) {\n SCString ssOfferCaps;\n for (const auto& it : m_mCoreCaps) {\n bool bServerDependent = std::get<0>(it.second);\n if (!bServerDependent ||\n m_ssServerDependentCaps.count(it.first) > 0)\n ssOfferCaps.insert(it.first);\n }\n GLOBALMODULECALL(OnClientCapLs(this, ssOfferCaps), NOTHING);\n CString sRes =\n CString(\" \").Join(ssOfferCaps.begin(), ssOfferCaps.end());\n RespondCap(\"LS :\" + sRes);\n m_bInCap = true;\n if (Message.GetParam(1).ToInt() >= 302) {\n m_bCapNotify = true;\n }\n } else if (sSubCmd.Equals(\"END\")) {\n m_bInCap = false;\n if (!IsAttached()) {\n if (!m_pUser && m_bGotUser && !m_bGotPass) {\n SendRequiredPasswordNotice();\n } else {\n AuthUser();\n }\n }\n } else if (sSubCmd.Equals(\"REQ\")) {\n VCString vsTokens;\n Message.GetParam(1).Split(\" \", vsTokens, false);\n\n for (const CString& sToken : vsTokens) {\n bool bVal = true;\n CString sCap = sToken;\n if (sCap.TrimPrefix(\"-\")) bVal = false;\n\n bool bAccepted = false;\n const auto& it = m_mCoreCaps.find(sCap);\n if (m_mCoreCaps.end() != it) {\n bool bServerDependent = std::get<0>(it->second);\n bAccepted = !bServerDependent ||\n m_ssServerDependentCaps.count(sCap) > 0;\n }\n GLOBALMODULECALL(IsClientCapSupported(this, sCap, bVal),\n &bAccepted);\n\n if (!bAccepted) {\n // Some unsupported capability is requested\n RespondCap(\"NAK :\" + Message.GetParam(1));\n return;\n }\n }\n\n // All is fine, we support what was requested\n for (const CString& sToken : vsTokens) {\n bool bVal = true;\n CString sCap = sToken;\n if (sCap.TrimPrefix(\"-\")) bVal = false;\n\n auto handler_it = m_mCoreCaps.find(sCap);\n if (m_mCoreCaps.end() != handler_it) {\n const auto& handler = std::get<1>(handler_it->second);\n handler(bVal);\n }\n GLOBALMODULECALL(OnClientCapRequest(this, sCap, bVal), NOTHING);\n\n if (bVal) {\n m_ssAcceptedCaps.insert(sCap);\n } else {\n m_ssAcceptedCaps.erase(sCap);\n }\n }\n\n RespondCap(\"ACK :\" + 
Message.GetParam(1));\n } else if (sSubCmd.Equals(\"LIST\")) {\n CString sList =\n CString(\" \").Join(m_ssAcceptedCaps.begin(), m_ssAcceptedCaps.end());\n RespondCap(\"LIST :\" + sList);\n } else {\n PutClient(\":irc.znc.in 410 \" + GetNick() + \" \" + sSubCmd +\n \" :Invalid CAP subcommand\");\n }\n}", "project": "znc", "hash": 329775152165987867312276323355932248469, "size": 84, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231569 }, { "func": "/* static */ Status GraphConstructor::Construct(\n const Options& opts, NodeDefSlice node_defs, const VersionDef* versions,\n const FunctionDefLibrary* library, Graph* g, ShapeRefiner* refiner,\n std::vector>* return_tensors,\n std::vector* return_nodes,\n std::vector* missing_unused_input_map_keys) {\n if (versions) {\n TF_RETURN_IF_ERROR(CheckVersions(*versions, TF_GRAPH_DEF_VERSION,\n TF_GRAPH_DEF_VERSION_MIN_PRODUCER,\n \"GraphDef\", \"graph\"));\n }\n NodeDefCopyingGraphConstructor c(opts, node_defs, versions, library, g,\n refiner, return_tensors, return_nodes,\n missing_unused_input_map_keys);\n Status s = c.TryImport();\n if (!s.ok()) {\n c.Undo();\n s = MaybeAppendVersionWarning(versions, s);\n }\n return s;\n}", "project": "tensorflow", "hash": 242524685008094427659949756912795266737, "size": 21, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268306 }, { "func": "/* static */ Status GraphConstructor::Construct(\n const Options& opts, GraphDef&& graph_def, Graph* g, ShapeRefiner* refiner,\n std::vector>* return_tensors,\n std::vector* return_nodes,\n std::vector* missing_unused_input_map_keys) {\n TF_RETURN_IF_ERROR(CheckVersions(graph_def.versions(), TF_GRAPH_DEF_VERSION,\n TF_GRAPH_DEF_VERSION_MIN_PRODUCER,\n \"GraphDef\", \"graph\"));\n VersionDef version_def = graph_def.versions();\n NodeDefMovingGraphConstructor c(opts, std::move(graph_def), g, refiner,\n return_tensors, return_nodes,\n missing_unused_input_map_keys);\n Status s = c.TryImport();\n if (!s.ok()) {\n c.Undo();\n s = MaybeAppendVersionWarning(&version_def, s);\n }\n return s;\n}", "project": "tensorflow", "hash": 301356128206951199086185759676028392764, "size": 19, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268358 }, { "func": "int kill_pid_info(int sig, struct kernel_siginfo *info, struct pid *pid)\n{\n\tint error = -ESRCH;\n\tstruct task_struct *p;\n\n\tfor (;;) {\n\t\trcu_read_lock();\n\t\tp = pid_task(pid, PIDTYPE_PID);\n\t\tif (p)\n\t\t\terror = group_send_sig_info(sig, info, p, PIDTYPE_TGID);\n\t\trcu_read_unlock();\n\t\tif (likely(!p || error != -ESRCH))\n\t\t\treturn error;\n\n\t\t/*\n\t\t * The task was unhashed in between, try again. If it\n\t\t * is dead, pid_task() will return NULL, if we race with\n\t\t * de_thread() it will find the new leader.\n\t\t */\n\t}\n}", "project": "linux", "hash": 295811143143148107584250251224296297094, "size": 21, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375192 }, { "func": "void tcp_cwnd_application_limited(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\tif (inet_csk(sk)->icsk_ca_state == TCP_CA_Open &&\n\t sk->sk_socket && !test_bit(SOCK_NOSPACE, &sk->sk_socket->flags)) {\n\t\t/* Limited by application or receiver window. 
*/\n\t\tu32 init_win = tcp_init_cwnd(tp, __sk_dst_get(sk));\n\t\tu32 win_used = max(tp->snd_cwnd_used, init_win);\n\t\tif (win_used < tp->snd_cwnd) {\n\t\t\ttp->snd_ssthresh = tcp_current_ssthresh(sk);\n\t\t\ttp->snd_cwnd = (tp->snd_cwnd + win_used) >> 1;\n\t\t}\n\t\ttp->snd_cwnd_used = 0;\n\t}\n\ttp->snd_cwnd_stamp = tcp_time_stamp;\n}", "project": "net-next", "hash": 159144214877647063720405221608102504760, "size": 17, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409867 }, { "func": "static int svm_check_intercept(struct kvm_vcpu *vcpu,\n\t\t\t struct x86_instruction_info *info,\n\t\t\t enum x86_intercept_stage stage)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tint vmexit, ret = X86EMUL_CONTINUE;\n\tstruct __x86_intercept icpt_info;\n\tstruct vmcb *vmcb = svm->vmcb;\n\n\tif (info->intercept >= ARRAY_SIZE(x86_intercept_map))\n\t\tgoto out;\n\n\ticpt_info = x86_intercept_map[info->intercept];\n\n\tif (stage != icpt_info.stage)\n\t\tgoto out;\n\n\tswitch (icpt_info.exit_code) {\n\tcase SVM_EXIT_READ_CR0:\n\t\tif (info->intercept == x86_intercept_cr_read)\n\t\t\ticpt_info.exit_code += info->modrm_reg;\n\t\tbreak;\n\tcase SVM_EXIT_WRITE_CR0: {\n\t\tunsigned long cr0, val;\n\t\tu64 intercept;\n\n\t\tif (info->intercept == x86_intercept_cr_write)\n\t\t\ticpt_info.exit_code += info->modrm_reg;\n\n\t\tif (icpt_info.exit_code != SVM_EXIT_WRITE_CR0 ||\n\t\t info->intercept == x86_intercept_clts)\n\t\t\tbreak;\n\n\t\tintercept = svm->nested.intercept;\n\n\t\tif (!(intercept & (1ULL << INTERCEPT_SELECTIVE_CR0)))\n\t\t\tbreak;\n\n\t\tcr0 = vcpu->arch.cr0 & ~SVM_CR0_SELECTIVE_MASK;\n\t\tval = info->src_val & 
~SVM_CR0_SELECTIVE_MASK;\n\n\t\tif (info->intercept == x86_intercept_lmsw) {\n\t\t\tcr0 &= 0xfUL;\n\t\t\tval &= 0xfUL;\n\t\t\t/* lmsw can't clear PE - catch this here */\n\t\t\tif (cr0 & X86_CR0_PE)\n\t\t\t\tval |= X86_CR0_PE;\n\t\t}\n\n\t\tif (cr0 ^ val)\n\t\t\ticpt_info.exit_code = SVM_EXIT_CR0_SEL_WRITE;\n\n\t\tbreak;\n\t}\n\tcase SVM_EXIT_READ_DR0:\n\tcase SVM_EXIT_WRITE_DR0:\n\t\ticpt_info.exit_code += info->modrm_reg;\n\t\tbreak;\n\tcase SVM_EXIT_MSR:\n\t\tif (info->intercept == x86_intercept_wrmsr)\n\t\t\tvmcb->control.exit_info_1 = 1;\n\t\telse\n\t\t\tvmcb->control.exit_info_1 = 0;\n\t\tbreak;\n\tcase SVM_EXIT_PAUSE:\n\t\t/*\n\t\t * We get this for NOP only, but pause\n\t\t * is rep not, check this here\n\t\t */\n\t\tif (info->rep_prefix != REPE_PREFIX)\n\t\t\tgoto out;\n\t\tbreak;\n\tcase SVM_EXIT_IOIO: {\n\t\tu64 exit_info;\n\t\tu32 bytes;\n\n\t\tif (info->intercept == x86_intercept_in ||\n\t\t info->intercept == x86_intercept_ins) {\n\t\t\texit_info = ((info->src_val & 0xffff) << 16) |\n\t\t\t\tSVM_IOIO_TYPE_MASK;\n\t\t\tbytes = info->dst_bytes;\n\t\t} else {\n\t\t\texit_info = (info->dst_val & 0xffff) << 16;\n\t\t\tbytes = info->src_bytes;\n\t\t}\n\n\t\tif (info->intercept == x86_intercept_outs ||\n\t\t info->intercept == x86_intercept_ins)\n\t\t\texit_info |= SVM_IOIO_STR_MASK;\n\n\t\tif (info->rep_prefix)\n\t\t\texit_info |= SVM_IOIO_REP_MASK;\n\n\t\tbytes = min(bytes, 4u);\n\n\t\texit_info |= bytes << SVM_IOIO_SIZE_SHIFT;\n\n\t\texit_info |= (u32)info->ad_bytes << (SVM_IOIO_ASIZE_SHIFT - 1);\n\n\t\tvmcb->control.exit_info_1 = exit_info;\n\t\tvmcb->control.exit_info_2 = info->next_rip;\n\n\t\tbreak;\n\t}\n\tdefault:\n\t\tbreak;\n\t}\n\n\t/* TODO: Advertise NRIPS to guest hypervisor unconditionally */\n\tif (static_cpu_has(X86_FEATURE_NRIPS))\n\t\tvmcb->control.next_rip = info->next_rip;\n\tvmcb->control.exit_code = icpt_info.exit_code;\n\tvmexit = nested_svm_exit_handled(svm);\n\n\tret = (vmexit == NESTED_EXIT_DONE) ? 
X86EMUL_INTERCEPTED\n\t\t\t\t\t : X86EMUL_CONTINUE;\n\nout:\n\treturn ret;\n}", "project": "linux", "hash": 130077607650841600921391392444159025073, "size": 120, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432570 }, { "func": "static int svm_check_intercept(struct kvm_vcpu *vcpu,\n\t\t\t struct x86_instruction_info *info,\n\t\t\t enum x86_intercept_stage stage)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tint vmexit, ret = X86EMUL_CONTINUE;\n\tstruct __x86_intercept icpt_info;\n\tstruct vmcb *vmcb = svm->vmcb;\n\n\tif (info->intercept >= ARRAY_SIZE(x86_intercept_map))\n\t\tgoto out;\n\n\ticpt_info = x86_intercept_map[info->intercept];\n\n\tif (stage != icpt_info.stage)\n\t\tgoto out;\n\n\tswitch (icpt_info.exit_code) {\n\tcase SVM_EXIT_READ_CR0:\n\t\tif (info->intercept == x86_intercept_cr_read)\n\t\t\ticpt_info.exit_code += info->modrm_reg;\n\t\tbreak;\n\tcase SVM_EXIT_WRITE_CR0: {\n\t\tunsigned long cr0, val;\n\t\tu64 intercept;\n\n\t\tif (info->intercept == x86_intercept_cr_write)\n\t\t\ticpt_info.exit_code += info->modrm_reg;\n\n\t\tif (icpt_info.exit_code != SVM_EXIT_WRITE_CR0 ||\n\t\t info->intercept == x86_intercept_clts)\n\t\t\tbreak;\n\n\t\tintercept = svm->nested.intercept;\n\n\t\tif (!(intercept & (1ULL << INTERCEPT_SELECTIVE_CR0)))\n\t\t\tbreak;\n\n\t\tcr0 = vcpu->arch.cr0 & ~SVM_CR0_SELECTIVE_MASK;\n\t\tval = info->src_val & ~SVM_CR0_SELECTIVE_MASK;\n\n\t\tif (info->intercept == x86_intercept_lmsw) {\n\t\t\tcr0 &= 0xfUL;\n\t\t\tval &= 0xfUL;\n\t\t\t/* lmsw can't clear PE - catch this here */\n\t\t\tif (cr0 & X86_CR0_PE)\n\t\t\t\tval |= 
X86_CR0_PE;\n\t\t}\n\n\t\tif (cr0 ^ val)\n\t\t\ticpt_info.exit_code = SVM_EXIT_CR0_SEL_WRITE;\n\n\t\tbreak;\n\t}\n\tcase SVM_EXIT_READ_DR0:\n\tcase SVM_EXIT_WRITE_DR0:\n\t\ticpt_info.exit_code += info->modrm_reg;\n\t\tbreak;\n\tcase SVM_EXIT_MSR:\n\t\tif (info->intercept == x86_intercept_wrmsr)\n\t\t\tvmcb->control.exit_info_1 = 1;\n\t\telse\n\t\t\tvmcb->control.exit_info_1 = 0;\n\t\tbreak;\n\tcase SVM_EXIT_PAUSE:\n\t\t/*\n\t\t * We get this for NOP only, but pause\n\t\t * is rep not, check this here\n\t\t */\n\t\tif (info->rep_prefix != REPE_PREFIX)\n\t\t\tgoto out;\n\tcase SVM_EXIT_IOIO: {\n\t\tu64 exit_info;\n\t\tu32 bytes;\n\n\t\tif (info->intercept == x86_intercept_in ||\n\t\t info->intercept == x86_intercept_ins) {\n\t\t\texit_info = ((info->src_val & 0xffff) << 16) |\n\t\t\t\tSVM_IOIO_TYPE_MASK;\n\t\t\tbytes = info->dst_bytes;\n\t\t} else {\n\t\t\texit_info = (info->dst_val & 0xffff) << 16;\n\t\t\tbytes = info->src_bytes;\n\t\t}\n\n\t\tif (info->intercept == x86_intercept_outs ||\n\t\t info->intercept == x86_intercept_ins)\n\t\t\texit_info |= SVM_IOIO_STR_MASK;\n\n\t\tif (info->rep_prefix)\n\t\t\texit_info |= SVM_IOIO_REP_MASK;\n\n\t\tbytes = min(bytes, 4u);\n\n\t\texit_info |= bytes << SVM_IOIO_SIZE_SHIFT;\n\n\t\texit_info |= (u32)info->ad_bytes << (SVM_IOIO_ASIZE_SHIFT - 1);\n\n\t\tvmcb->control.exit_info_1 = exit_info;\n\t\tvmcb->control.exit_info_2 = info->next_rip;\n\n\t\tbreak;\n\t}\n\tdefault:\n\t\tbreak;\n\t}\n\n\tvmcb->control.next_rip = info->next_rip;\n\tvmcb->control.exit_code = icpt_info.exit_code;\n\tvmexit = nested_svm_exit_handled(svm);\n\n\tret = (vmexit == NESTED_EXIT_DONE) ? 
X86EMUL_INTERCEPTED\n\t\t\t\t\t : X86EMUL_CONTINUE;\n\nout:\n\treturn ret;\n}", "project": "kvm", "hash": 31481495813422206979927941711226382150, "size": 117, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437610 }, { "func": "static void renew_lease(const struct nfs_server *server, unsigned long timestamp)\n{\n\tstruct nfs_client *clp = server->nfs_client;\n\n\tif (!nfs4_has_session(clp))\n\t\tdo_renew_lease(clp, timestamp);\n}", "project": "linux", "hash": 60260531499230675607432951801479451656, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431058 }, { "func": "bool WindowsServiceControl::checkService() const\n{\n\tif( m_serviceHandle == nullptr )\n\t{\n\t\tvCritical() << qUtf8Printable( tr( \"Service \\\"%1\\\" could not be found.\" ).arg( m_name ) );\n\t\treturn false;\n\t}\n\n\treturn true;\n}", "project": "veyon", "hash": 156825212691855464635295441431534292277, "size": 10, "commit_id": "f231ec511b9a09f43f49b2c7bb7c60b8046276b1", "message": "WindowsServiceControl: quote service binary path\n\nFix unquoted service path vulnerability.\n\nCloses #657.", "target": 0, "dataset": "other", "idx": 241027 }, { "func": "int mnt_context_next_umount(struct libmnt_context *cxt,\n\t\t\t struct libmnt_iter *itr,\n\t\t\t struct 
libmnt_fs **fs,\n\t\t\t int *mntrc,\n\t\t\t int *ignored)\n{\n\tstruct libmnt_table *mtab;\n\tconst char *tgt;\n\tint rc;\n\n\tif (ignored)\n\t\t*ignored = 0;\n\tif (mntrc)\n\t\t*mntrc = 0;\n\n\tif (!cxt || !fs || !itr)\n\t\treturn -EINVAL;\n\n\trc = mnt_context_get_mtab(cxt, &mtab);\n\tcxt->mtab = NULL;\t\t/* do not reset mtab */\n\tmnt_reset_context(cxt);\n\n\tif (rc)\n\t\treturn rc;\n\n\tcxt->mtab = mtab;\n\n\tdo {\n\t\trc = mnt_table_next_fs(mtab, itr, fs);\n\t\tif (rc != 0)\n\t\t\treturn rc;\t/* no more filesystems (or error) */\n\n\t\ttgt = mnt_fs_get_target(*fs);\n\t} while (!tgt);\n\n\tDBG(CXT, ul_debugobj(cxt, \"next-umount: trying %s [fstype: %s, t-pattern: %s, options: %s, O-pattern: %s]\", tgt,\n\t\t\t\t mnt_fs_get_fstype(*fs), cxt->fstype_pattern, mnt_fs_get_options(*fs), cxt->optstr_pattern));\n\n\t/* ignore filesystems which don't match options patterns */\n\tif ((cxt->fstype_pattern && !mnt_fs_match_fstype(*fs,\n\t\t\t\t\tcxt->fstype_pattern)) ||\n\n\t/* ignore filesystems which don't match type patterns */\n\t (cxt->optstr_pattern && !mnt_fs_match_options(*fs,\n\t\t\t\t\tcxt->optstr_pattern))) {\n\t\tif (ignored)\n\t\t\t*ignored = 1;\n\n\t\tDBG(CXT, ul_debugobj(cxt, \"next-umount: not-match\"));\n\t\treturn 0;\n\t}\n\n\trc = mnt_context_set_fs(cxt, *fs);\n\tif (rc)\n\t\treturn rc;\n\trc = mnt_context_umount(cxt);\n\tif (mntrc)\n\t\t*mntrc = rc;\n\treturn 0;\n}", "project": "util-linux", "hash": 304854321452657005001086951185505894659, "size": 60, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410436 }, { "func": "static bool preempt_timeout(const struct intel_engine_cs *const engine)\n{\n\tconst struct timer_list *t = &engine->execlists.preempt;\n\n\tif 
(!CONFIG_DRM_I915_PREEMPT_TIMEOUT)\n\t\treturn false;\n\n\tif (!timer_expired(t))\n\t\treturn false;\n\n\treturn READ_ONCE(engine->execlists.pending[0]);\n}", "project": "linux", "hash": 245765829096735664912569186497744729854, "size": 12, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281424 }, { "func": "static __always_inline int kvm_handle_hva_range_no_flush(struct mmu_notifier *mn,\n\t\t\t\t\t\t\t unsigned long start,\n\t\t\t\t\t\t\t unsigned long end,\n\t\t\t\t\t\t\t hva_handler_t handler)\n{\n\tstruct kvm *kvm = mmu_notifier_to_kvm(mn);\n\tconst struct kvm_hva_range range = {\n\t\t.start\t\t= start,\n\t\t.end\t\t= end,\n\t\t.pte\t\t= __pte(0),\n\t\t.handler\t= handler,\n\t\t.on_lock\t= (void *)kvm_null_fn,\n\t\t.flush_on_ret\t= false,\n\t\t.may_block\t= false,\n\t};\n\n\treturn __kvm_handle_hva_range(kvm, &range);\n}", "project": "linux", "hash": 80923593476945904372865810720407997033, "size": 18, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of 
non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404053 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "void VideoRendererBase::AttemptFlush_Locked() {\n lock_.AssertAcquired();\n DCHECK_EQ(kFlushing, state_);\n\n ready_frames_.clear();\n\n if (!pending_paint_ && !pending_read_) {\n state_ = kFlushed;\n current_frame_ = NULL;\n base::ResetAndReturn(&flush_cb_).Run();\n }\n}\n", "cwe": "", "big_vul_idx": 113347, "idx": 101639, "hash": 328191754431339772768222573870395966515 }, { "func": "static X509 * php_openssl_x509_from_zval(zval * val, int makeresource, zend_resource **resourceval)\n{\n\tX509 *cert = NULL;\n\tBIO *in;\n\n\tif (resourceval) {\n\t\t*resourceval = NULL;\n\t}\n\tif (Z_TYPE_P(val) == IS_RESOURCE) {\n\t\t/* is it an x509 resource ? 
*/\n\t\tvoid * what;\n\t\tzend_resource *res = Z_RES_P(val);\n\n\t\twhat = zend_fetch_resource(res, \"OpenSSL X.509\", le_x509);\n\t\tif (!what) {\n\t\t\treturn NULL;\n\t\t}\n\t\tif (resourceval) {\n\t\t\t*resourceval = res;\n\t\t\tif (makeresource) {\n\t\t\t\tZ_ADDREF_P(val);\n\t\t\t}\n\t\t}\n\t\treturn (X509*)what;\n\t}\n\n\tif (!(Z_TYPE_P(val) == IS_STRING || Z_TYPE_P(val) == IS_OBJECT)) {\n\t\treturn NULL;\n\t}\n\n\t/* force it to be a string and check if it refers to a file */\n\tconvert_to_string_ex(val);\n\n\tif (Z_STRLEN_P(val) > 7 && memcmp(Z_STRVAL_P(val), \"file://\", sizeof(\"file://\") - 1) == 0) {\n\n\t\tif (php_openssl_open_base_dir_chk(Z_STRVAL_P(val) + (sizeof(\"file://\") - 1))) {\n\t\t\treturn NULL;\n\t\t}\n\n\t\tin = BIO_new_file(Z_STRVAL_P(val) + (sizeof(\"file://\") - 1), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));\n\t\tif (in == NULL) {\n\t\t\tphp_openssl_store_errors();\n\t\t\treturn NULL;\n\t\t}\n\t\tcert = PEM_read_bio_X509(in, NULL, NULL, NULL);\n\n\t} else {\n\n\t\tin = BIO_new_mem_buf(Z_STRVAL_P(val), (int)Z_STRLEN_P(val));\n\t\tif (in == NULL) {\n\t\t\tphp_openssl_store_errors();\n\t\t\treturn NULL;\n\t\t}\n#ifdef TYPEDEF_D2I_OF\n\t\tcert = (X509 *) PEM_ASN1_read_bio((d2i_of_void *)d2i_X509, PEM_STRING_X509, in, NULL, NULL, NULL);\n#else\n\t\tcert = (X509 *) PEM_ASN1_read_bio((char *(*)())d2i_X509, PEM_STRING_X509, in, NULL, NULL, NULL);\n#endif\n\t}\n\n\tif (!BIO_free(in)) {\n\t\tphp_openssl_store_errors();\n\t}\n\n\tif (cert == NULL) {\n\t\tphp_openssl_store_errors();\n\t\treturn NULL;\n\t}\n\n\tif (makeresource && resourceval) {\n\t\t*resourceval = zend_register_resource(cert, le_x509);\n\t}\n\treturn cert;\n}", "project": "php-src", "hash": 321166144662947908932751801906786592949, "size": 74, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291457 }, { "func": "static int nfs4_commit_done(struct 
rpc_task *task, struct nfs_commit_data *data)\n{\n\tif (!nfs4_sequence_done(task, &data->res.seq_res))\n\t\treturn -EAGAIN;\n\treturn data->commit_done_cb(task, data);\n}", "project": "linux", "hash": 186658999550899994251172812459129198265, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431622 }, { "func": "static bool find_autocomplete(RCore *core, RLineCompletion *completion, RLineBuffer *buf) {\n\tRCoreAutocomplete* child = NULL;\n\tRCoreAutocomplete* parent = core->autocomplete;\n\tconst char* p = buf->data;\n\tif (!*p) {\n\t\treturn false;\n\t}\n\tchar arg[256];\n\targ[0] = 0;\n\twhile (*p) {\n\t\tconst char* e = r_str_trim_head_wp (p);\n\t\tif (!e || (e - p) >= 256 || e == p) {\n\t\t\treturn false;\n\t\t}\n\t\tmemcpy (arg, p, e - p);\n\t\targ[e - p] = 0;\n\t\tchild = r_core_autocomplete_find (parent, arg, false);\n\t\tif (child && child->length < buf->length && p[child->length] == ' ') {\n\t\t\t// if is spaced then i can provide the\n\t\t\t// next subtree as suggestion..\n\t\t\tp = r_str_trim_head_ro (p + child->length);\n\t\t\tif (child->type == R_CORE_AUTOCMPLT_OPTN) {\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tparent = child;\n\t\t} else {\n\t\t\tbreak;\n\t\t}\n\t}\n\tint i;\n\t/* if something went wrong this will prevent bad behavior */\n\tr_line_completion_clear (completion);\n\tswitch (parent->type) {\n\tcase R_CORE_AUTOCMPLT_SEEK:\n\t\tautocomplete_functions (core, completion, p);\n\tcase R_CORE_AUTOCMPLT_FLAG:\n\t\tautocomplete_flags (core, completion, p);\n\t\tbreak;\n\tcase 
R_CORE_AUTOCMPLT_FLSP:\n\t\tautocomplete_flagspaces (core, completion, p);\n\t\tbreak;\n\tcase R_CORE_AUTOCMPLT_FCN:\n\t\tautocomplete_functions (core, completion, p);\n\t\tbreak;\n\tcase R_CORE_AUTOCMPLT_ZIGN:\n\t\tautocomplete_zignatures (core, completion, p);\n\t\tbreak;\n\tcase R_CORE_AUTOCMPLT_EVAL:\n\t\tautocomplete_evals (core, completion, p);\n\t\tbreak;\n\tcase R_CORE_AUTOCMPLT_PRJT:\n\t\tautocomplete_project (core, completion, p);\n\t\tbreak;\n\tcase R_CORE_AUTOCMPLT_MINS:\n\t\tautocomplete_minus (core, completion, p);\n\t\tbreak;\n\tcase R_CORE_AUTOCMPLT_BRKP:\n\t\tautocomplete_breakpoints (core, completion, p);\n\t\tbreak;\n\tcase R_CORE_AUTOCMPLT_MACR:\n\t\tautocomplete_macro (core, completion, p);\n\t\tbreak;\n\tcase R_CORE_AUTOCMPLT_MS:\n\t\tautocomplete_ms_file(core, completion, p);\n\t\tbreak;\n\tcase R_CORE_AUTOCMPLT_FILE:\n\t\tautocomplete_file (completion, p);\n\t\tbreak;\n\tcase R_CORE_AUTOCMPLT_THME:\n\t\tautocomplete_theme (core, completion, p);\n\t\tbreak;\n\tcase R_CORE_AUTOCMPLT_SDB:\n\t\tautocomplete_sdb (core, completion, p);\n\t\tbreak;\n\tcase R_CORE_AUTOCMPLT_OPTN:\n\t\t// handled before\n\t\tbreak;\n\tdefault:\n\t\tif (r_config_get_i (core->config, \"cfg.newtab\")) {\n\t\t\tRCmdDescriptor *desc = &core->root_cmd_descriptor;\n\t\t\tfor (i = 0; arg[i] && desc; i++) {\n\t\t\t\tut8 c = arg[i];\n\t\t\t\tdesc = c < R_ARRAY_SIZE (desc->sub) ? 
desc->sub[c] : NULL;\n\t\t\t}\n\t\t\tif (desc && desc->help_msg) {\n\t\t\t\tr_core_cmd_help (core, desc->help_msg);\n\t\t\t\tr_cons_flush ();\n\t\t\t\treturn true;\n\t\t\t}\n\t\t\t// fallback to command listing\n\t\t}\n\t\tint length = strlen (arg);\n\t\tfor (i = 0; i < parent->n_subcmds; i++) {\n\t\t\tif (!strncmp (arg, parent->subcmds[i]->cmd, length)) {\n\t\t\t\tr_line_completion_push (completion, parent->subcmds[i]->cmd);\n\t\t\t}\n\t\t}\n\t\tbreak;\n\t}\n\treturn true;\n}", "project": "radare2", "hash": 328418969602554721937227879387773667144, "size": 101, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232156 }, { "func": "static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)\n{\n\thci_dev_lock(hdev);\n\n\tswitch (enable) {\n\tcase LE_SCAN_ENABLE:\n\t\thci_dev_set_flag(hdev, HCI_LE_SCAN);\n\t\tif (hdev->le_scan_type == LE_SCAN_ACTIVE)\n\t\t\tclear_pending_adv_report(hdev);\n\t\tbreak;\n\n\tcase LE_SCAN_DISABLE:\n\t\t/* We do this here instead of when setting DISCOVERY_STOPPED\n\t\t * since the latter would potentially require waiting for\n\t\t * inquiry to stop too.\n\t\t */\n\t\tif (has_pending_adv_report(hdev)) {\n\t\t\tstruct discovery_state *d = &hdev->discovery;\n\n\t\t\tmgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,\n\t\t\t\t\t d->last_adv_addr_type, NULL,\n\t\t\t\t\t d->last_adv_rssi, d->last_adv_flags,\n\t\t\t\t\t d->last_adv_data,\n\t\t\t\t\t d->last_adv_data_len, NULL, 0);\n\t\t}\n\n\t\t/* Cancel this timer so that we don't try to disable scanning\n\t\t * when it's already disabled.\n\t\t */\n\t\tcancel_delayed_work(&hdev->le_scan_disable);\n\n\t\thci_dev_clear_flag(hdev, HCI_LE_SCAN);\n\n\t\t/* The HCI_LE_SCAN_INTERRUPTED flag indicates that we\n\t\t * interrupted scanning due to a connect request. Mark\n\t\t * therefore discovery as stopped. 
If this was not\n\t\t * because of a connect request advertising might have\n\t\t * been disabled because of active scanning, so\n\t\t * re-enable it again if necessary.\n\t\t */\n\t\tif (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))\n\t\t\thci_discovery_set_state(hdev, DISCOVERY_STOPPED);\n\t\telse if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&\n\t\t\t hdev->discovery.state == DISCOVERY_FINDING)\n\t\t\thci_req_reenable_advertising(hdev);\n\n\t\tbreak;\n\n\tdefault:\n\t\tbt_dev_err(hdev, \"use of reserved LE_Scan_Enable param %d\",\n\t\t\t enable);\n\t\tbreak;\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 186513675884969153989075265572421487844, "size": 56, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431931 }, { "func": "bool test_r_str_replace_char(void) {\n\tchar* str = strdup (\"hello world\");\n\t(void) r_str_replace_char (str, 'l', 'x');\n\tmu_assert_streq (str, \"hexxo worxd\", \"error, replace char multi failed\");\n\tfree (str);\n\tmu_end;\n}", "project": "radare2", "hash": 120533736524274555706777072384871870758, "size": 7, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big 
responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268908 }, { "func": "lua_call_throttle::lua_call_throttle(CLua *_lua)\n : lua(_lua)\n{\n lua->init_throttle();\n if (!lua->mixed_call_depth++)\n lua_map[lua->state()] = lua;\n}", "project": "crawl", "hash": 244801570621841998842931679529312715174, "size": 7, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230505 }, { "func": "static void iter_from_extension(pb_field_iter_t *iter, pb_extension_t *extension)\n{\n /* Fake a field iterator for the extension field.\n * It is not actually safe to advance this iterator, but decode_field\n * will not even try to. */\n const pb_field_t *field = (const pb_field_t*)extension->type->arg;\n (void)pb_field_iter_begin(iter, field, extension->dest);\n iter->pData = extension->dest;\n iter->pSize = &extension->found;\n \n if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)\n {\n /* For pointer extensions, the pointer is stored directly\n * in the extension structure. This avoids having an extra\n * indirection. 
*/\n iter->pData = &extension->dest;\n }\n}", "project": "nanopb", "hash": 231541681722291149473419743251445556620, "size": 18, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252515 }, { "func": "static void iter_from_extension(pb_field_iterator_t *iter, pb_extension_t *extension)\n{\n const pb_field_t *field = (const pb_field_t*)extension->type->arg;\n \n iter->start = field;\n iter->pos = field;\n iter->field_index = 0;\n iter->required_field_index = 0;\n iter->dest_struct = extension->dest;\n iter->pData = extension->dest;\n iter->pSize = &extension->found;\n}", "project": "nanopb", "hash": 181836553075135912403008511090489395394, "size": 12, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255319 }, { "func": "static inline void clr_intercept(struct vcpu_svm *svm, int bit)\n{\n\tstruct vmcb *vmcb = get_host_vmcb(svm);\n\n\tvmcb->control.intercept &= ~(1ULL << bit);\n\n\trecalc_intercepts(svm);\n}", "project": "linux", "hash": 331300975709190372935113451926445435129, "size": 8, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432588 }, { "func": "static int gethexints(FILE *sfd, uint32 *val, int cnt) {\n int i, ch;\n\n for ( i=0; ifontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417859 }, { "func": "static int compat_x25_ioctl(struct socket *sock, unsigned int cmd,\n\t\t\t\tunsigned long arg)\n{\n\tvoid __user *argp = compat_ptr(arg);\n\tint rc = -ENOIOCTLCMD;\n\n\tswitch(cmd) {\n\tcase TIOCOUTQ:\n\tcase TIOCINQ:\n\t\trc = x25_ioctl(sock, cmd, (unsigned long)argp);\n\t\tbreak;\n\tcase SIOCGIFADDR:\n\tcase SIOCSIFADDR:\n\tcase SIOCGIFDSTADDR:\n\tcase SIOCSIFDSTADDR:\n\tcase SIOCGIFBRDADDR:\n\tcase SIOCSIFBRDADDR:\n\tcase SIOCGIFNETMASK:\n\tcase SIOCSIFNETMASK:\n\tcase SIOCGIFMETRIC:\n\tcase SIOCSIFMETRIC:\n\t\trc = -EINVAL;\n\t\tbreak;\n\tcase SIOCADDRT:\n\tcase SIOCDELRT:\n\t\trc = -EPERM;\n\t\tif (!capable(CAP_NET_ADMIN))\n\t\t\tbreak;\n\t\trc = x25_route_ioctl(cmd, argp);\n\t\tbreak;\n\tcase SIOCX25GSUBSCRIP:\n\t\trc = compat_x25_subscr_ioctl(cmd, argp);\n\t\tbreak;\n\tcase SIOCX25SSUBSCRIP:\n\t\trc = -EPERM;\n\t\tif (!capable(CAP_NET_ADMIN))\n\t\t\tbreak;\n\t\trc = compat_x25_subscr_ioctl(cmd, argp);\n\t\tbreak;\n\tcase SIOCX25GFACILITIES:\n\tcase SIOCX25SFACILITIES:\n\tcase SIOCX25GDTEFACILITIES:\n\tcase SIOCX25SDTEFACILITIES:\n\tcase SIOCX25GCALLUSERDATA:\n\tcase SIOCX25SCALLUSERDATA:\n\tcase SIOCX25GCAUSEDIAG:\n\tcase SIOCX25SCAUSEDIAG:\n\tcase SIOCX25SCUDMATCHLEN:\n\tcase SIOCX25CALLACCPTAPPRV:\n\tcase SIOCX25SENDCALLACCPT:\n\t\trc = x25_ioctl(sock, cmd, (unsigned long)argp);\n\t\tbreak;\n\tdefault:\n\t\trc = -ENOIOCTLCMD;\n\t\tbreak;\n\t}\n\treturn rc;\n}", "project": "net", "hash": 
118893290766005778397898360937485012790, "size": 58, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 449159 }, { "func": "int kvm_vm_ioctl_enable_cap(struct kvm *kvm, struct kvm_enable_cap *cap)\n{\n\tint r;\n\n\tif (cap->flags)\n\t\treturn -EINVAL;\n\n\tswitch (cap->cap) {\n\tcase KVM_CAP_S390_IRQCHIP:\n\t\tVM_EVENT(kvm, 3, \"%s\", \"ENABLE: CAP_S390_IRQCHIP\");\n\t\tkvm->arch.use_irqchip = 1;\n\t\tr = 0;\n\t\tbreak;\n\tcase KVM_CAP_S390_USER_SIGP:\n\t\tVM_EVENT(kvm, 3, \"%s\", \"ENABLE: CAP_S390_USER_SIGP\");\n\t\tkvm->arch.user_sigp = 1;\n\t\tr = 0;\n\t\tbreak;\n\tcase KVM_CAP_S390_VECTOR_REGISTERS:\n\t\tmutex_lock(&kvm->lock);\n\t\tif (kvm->created_vcpus) {\n\t\t\tr = -EBUSY;\n\t\t} else if (MACHINE_HAS_VX) {\n\t\t\tset_kvm_facility(kvm->arch.model.fac_mask, 129);\n\t\t\tset_kvm_facility(kvm->arch.model.fac_list, 129);\n\t\t\tif (test_facility(134)) {\n\t\t\t\tset_kvm_facility(kvm->arch.model.fac_mask, 134);\n\t\t\t\tset_kvm_facility(kvm->arch.model.fac_list, 134);\n\t\t\t}\n\t\t\tif (test_facility(135)) {\n\t\t\t\tset_kvm_facility(kvm->arch.model.fac_mask, 135);\n\t\t\t\tset_kvm_facility(kvm->arch.model.fac_list, 135);\n\t\t\t}\n\t\t\tif (test_facility(148)) {\n\t\t\t\tset_kvm_facility(kvm->arch.model.fac_mask, 148);\n\t\t\t\tset_kvm_facility(kvm->arch.model.fac_list, 148);\n\t\t\t}\n\t\t\tif (test_facility(152)) {\n\t\t\t\tset_kvm_facility(kvm->arch.model.fac_mask, 152);\n\t\t\t\tset_kvm_facility(kvm->arch.model.fac_list, 152);\n\t\t\t}\n\t\t\tr = 0;\n\t\t} else\n\t\t\tr = -EINVAL;\n\t\tmutex_unlock(&kvm->lock);\n\t\tVM_EVENT(kvm, 3, \"ENABLE: CAP_S390_VECTOR_REGISTERS %s\",\n\t\t\t r ? 
\"(not available)\" : \"(success)\");\n\t\tbreak;\n\tcase KVM_CAP_S390_RI:\n\t\tr = -EINVAL;\n\t\tmutex_lock(&kvm->lock);\n\t\tif (kvm->created_vcpus) {\n\t\t\tr = -EBUSY;\n\t\t} else if (test_facility(64)) {\n\t\t\tset_kvm_facility(kvm->arch.model.fac_mask, 64);\n\t\t\tset_kvm_facility(kvm->arch.model.fac_list, 64);\n\t\t\tr = 0;\n\t\t}\n\t\tmutex_unlock(&kvm->lock);\n\t\tVM_EVENT(kvm, 3, \"ENABLE: CAP_S390_RI %s\",\n\t\t\t r ? \"(not available)\" : \"(success)\");\n\t\tbreak;\n\tcase KVM_CAP_S390_AIS:\n\t\tmutex_lock(&kvm->lock);\n\t\tif (kvm->created_vcpus) {\n\t\t\tr = -EBUSY;\n\t\t} else {\n\t\t\tset_kvm_facility(kvm->arch.model.fac_mask, 72);\n\t\t\tset_kvm_facility(kvm->arch.model.fac_list, 72);\n\t\t\tr = 0;\n\t\t}\n\t\tmutex_unlock(&kvm->lock);\n\t\tVM_EVENT(kvm, 3, \"ENABLE: AIS %s\",\n\t\t\t r ? \"(not available)\" : \"(success)\");\n\t\tbreak;\n\tcase KVM_CAP_S390_GS:\n\t\tr = -EINVAL;\n\t\tmutex_lock(&kvm->lock);\n\t\tif (kvm->created_vcpus) {\n\t\t\tr = -EBUSY;\n\t\t} else if (test_facility(133)) {\n\t\t\tset_kvm_facility(kvm->arch.model.fac_mask, 133);\n\t\t\tset_kvm_facility(kvm->arch.model.fac_list, 133);\n\t\t\tr = 0;\n\t\t}\n\t\tmutex_unlock(&kvm->lock);\n\t\tVM_EVENT(kvm, 3, \"ENABLE: CAP_S390_GS %s\",\n\t\t\t r ? \"(not available)\" : \"(success)\");\n\t\tbreak;\n\tcase KVM_CAP_S390_HPAGE_1M:\n\t\tmutex_lock(&kvm->lock);\n\t\tif (kvm->created_vcpus)\n\t\t\tr = -EBUSY;\n\t\telse if (!hpage || kvm->arch.use_cmma || kvm_is_ucontrol(kvm))\n\t\t\tr = -EINVAL;\n\t\telse {\n\t\t\tr = 0;\n\t\t\tdown_write(&kvm->mm->mmap_sem);\n\t\t\tkvm->mm->context.allow_gmap_hpage_1m = 1;\n\t\t\tup_write(&kvm->mm->mmap_sem);\n\t\t\t/*\n\t\t\t * We might have to create fake 4k page\n\t\t\t * tables. To avoid that the hardware works on\n\t\t\t * stale PGSTEs, we emulate these instructions.\n\t\t\t */\n\t\t\tkvm->arch.use_skf = 0;\n\t\t\tkvm->arch.use_pfmfi = 0;\n\t\t}\n\t\tmutex_unlock(&kvm->lock);\n\t\tVM_EVENT(kvm, 3, \"ENABLE: CAP_S390_HPAGE %s\",\n\t\t\t r ? 
\"(not available)\" : \"(success)\");\n\t\tbreak;\n\tcase KVM_CAP_S390_USER_STSI:\n\t\tVM_EVENT(kvm, 3, \"%s\", \"ENABLE: CAP_S390_USER_STSI\");\n\t\tkvm->arch.user_stsi = 1;\n\t\tr = 0;\n\t\tbreak;\n\tcase KVM_CAP_S390_USER_INSTR0:\n\t\tVM_EVENT(kvm, 3, \"%s\", \"ENABLE: CAP_S390_USER_INSTR0\");\n\t\tkvm->arch.user_instr0 = 1;\n\t\ticpt_operexc_on_all_vcpus(kvm);\n\t\tr = 0;\n\t\tbreak;\n\tdefault:\n\t\tr = -EINVAL;\n\t\tbreak;\n\t}\n\treturn r;\n}", "project": "linux", "hash": 126886480246587259082167679017570443251, "size": 129, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354529 }, { "func": "\nstatic void io_queue_linked_timeout(struct io_kiocb *req)\n{\n\tstruct io_ring_ctx *ctx = req->ctx;\n\n\tspin_lock_irq(&ctx->completion_lock);\n\t/*\n\t * If the back reference is NULL, then our linked request finished\n\t * before we got a chance to setup the timer\n\t */\n\tif (req->timeout.head) {\n\t\tstruct io_timeout_data *data = req->async_data;\n\n\t\tdata->timer.function = io_link_timeout_fn;\n\t\thrtimer_start(&data->timer, timespec64_to_ktime(data->ts),\n\t\t\t\tdata->mode);\n\t}\n\tspin_unlock_irq(&ctx->completion_lock);\n\t/* drop submission reference */\n\tio_put_req(req);", "project": "linux", "hash": 64108447062268334895413926372570982687, "size": 20, "commit_id": 
"d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338607 }, { "func": "void fuse_read_args_fill(struct fuse_io_args *ia, struct file *file, loff_t pos,\n\t\t\t size_t count, int opcode)\n{\n\tstruct fuse_file *ff = file->private_data;\n\tstruct fuse_args *args = &ia->ap.args;\n\n\tia->read.in.fh = ff->fh;\n\tia->read.in.offset = pos;\n\tia->read.in.size = count;\n\tia->read.in.flags = file->f_flags;\n\targs->opcode = opcode;\n\targs->nodeid = ff->nodeid;\n\targs->in_numargs = 1;\n\targs->in_args[0].size = sizeof(ia->read.in);\n\targs->in_args[0].value = &ia->read.in;\n\targs->out_argvar = true;\n\targs->out_numargs = 1;\n\targs->out_args[0].size = count;\n}", "project": "linux", "hash": 7612123456620234119935866094246596742, "size": 19, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342093 }, { "func": "bool pb_decode_bool(pb_istream_t *stream, bool *dest)\n{\n return pb_dec_bool(stream, NULL, (void*)dest);\n}", "project": "nanopb", "hash": 15977175560772803078042996341961432761, "size": 4, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252499 }, { "func": "static int do_tmpfile(struct nameidata *nd, unsigned flags,\n\t\tconst struct open_flags *op,\n\t\tstruct file *file)\n{\n\tstruct dentry *child;\n\tstruct path path;\n\tint error = path_lookupat(nd, flags | LOOKUP_DIRECTORY, &path);\n\tif (unlikely(error))\n\t\treturn error;\n\terror = mnt_want_write(path.mnt);\n\tif (unlikely(error))\n\t\tgoto out;\n\tchild = vfs_tmpfile(path.dentry, op->mode, op->open_flag);\n\terror = PTR_ERR(child);\n\tif (IS_ERR(child))\n\t\tgoto out2;\n\tdput(path.dentry);\n\tpath.dentry = child;\n\taudit_inode(nd->name, child, 0);\n\t/* Don't check for other permissions, the inode was just created */\n\terror = may_open(&path, 0, op->open_flag);\n\tif (error)\n\t\tgoto out2;\n\tfile->f_path.mnt = path.mnt;\n\terror = finish_open(file, child, NULL);\nout2:\n\tmnt_drop_write(path.mnt);\nout:\n\tpath_put(&path);\n\treturn error;\n}", "project": "linux", 
"hash": 201248843788969671690212661500916851381, "size": 31, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295400 }, { "func": "static void hci_cc_write_def_err_data_reporting(struct hci_dev *hdev,\n\t\t\t\t\t\tstruct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *)skb->data);\n\tstruct hci_cp_write_def_err_data_reporting *cp;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);\n\tif (!cp)\n\t\treturn;\n\n\thdev->err_data_reporting = cp->err_data_reporting;\n}", "project": "linux", "hash": 318796239798050671718885675793768259472, "size": 17, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431941 }, { "func": "static void svm_inject_nmi(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tsvm->vmcb->control.event_inj = SVM_EVTINJ_VALID | SVM_EVTINJ_TYPE_NMI;\n\tvcpu->arch.hflags |= HF_NMI_MASK;\n\tset_intercept(svm, INTERCEPT_IRET);\n\t++vcpu->stat.nmi_injections;\n}", "project": "linux", "hash": 33858585726712768655179395902886836951, "size": 9, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432481 }, { "func": "bool JOIN::alloc_func_list()\n{\n uint func_count, group_parts;\n DBUG_ENTER(\"alloc_func_list\");\n\n func_count= tmp_table_param.sum_func_count;\n /*\n If we are using rollup, we need a copy of the summary functions for\n each level\n */\n if (rollup.state != ROLLUP::STATE_NONE)\n func_count*= (send_group_parts+1);\n\n group_parts= send_group_parts;\n /*\n If distinct, reserve memory for possible\n disctinct->group_by optimization\n */\n if (select_distinct)\n {\n group_parts+= fields_list.elements;\n /*\n If the ORDER clause is specified then it's possible that\n it also will be optimized, so reserve space for it too\n */\n if (order)\n {\n ORDER *ord;\n for (ord= order; ord; ord= ord->next)\n group_parts++;\n }\n }\n\n /* This must use calloc() as 
rollup_make_fields depends on this */\n sum_funcs= (Item_sum**) thd->calloc(sizeof(Item_sum**) * (func_count+1) +\n\t\t\t\t sizeof(Item_sum***) * (group_parts+1));\n sum_funcs_end= (Item_sum***) (sum_funcs+func_count+1);\n DBUG_RETURN(sum_funcs == 0);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 81884825787307812330372656325325827209, "size": 39, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508676 }, { "func": "static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->inq_tx_power = rp->tx_power;\n}", "project": "linux", "hash": 242191124642265944347628212061923315974, "size": 12, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. 
A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432010 }, { "func": "static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_num_comp_pkts *ev = (void *) skb->data;\n\tint i;\n\n\tif (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {\n\t\tbt_dev_err(hdev, \"wrong event for mode %d\", hdev->flow_ctl_mode);\n\t\treturn;\n\t}\n\n\tif (skb->len < sizeof(*ev) ||\n\t skb->len < struct_size(ev, handles, ev->num_hndl)) {\n\t\tBT_DBG(\"%s bad parameters\", hdev->name);\n\t\treturn;\n\t}\n\n\tBT_DBG(\"%s num_hndl %d\", hdev->name, ev->num_hndl);\n\n\tfor (i = 0; i < ev->num_hndl; i++) {\n\t\tstruct hci_comp_pkts_info *info = &ev->handles[i];\n\t\tstruct hci_conn *conn;\n\t\t__u16 handle, count;\n\n\t\thandle = __le16_to_cpu(info->handle);\n\t\tcount = __le16_to_cpu(info->count);\n\n\t\tconn = hci_conn_hash_lookup_handle(hdev, handle);\n\t\tif (!conn)\n\t\t\tcontinue;\n\n\t\tconn->sent -= count;\n\n\t\tswitch (conn->type) {\n\t\tcase ACL_LINK:\n\t\t\thdev->acl_cnt += count;\n\t\t\tif (hdev->acl_cnt > hdev->acl_pkts)\n\t\t\t\thdev->acl_cnt = hdev->acl_pkts;\n\t\t\tbreak;\n\n\t\tcase LE_LINK:\n\t\t\tif (hdev->le_pkts) {\n\t\t\t\thdev->le_cnt += count;\n\t\t\t\tif (hdev->le_cnt > hdev->le_pkts)\n\t\t\t\t\thdev->le_cnt = hdev->le_pkts;\n\t\t\t} else {\n\t\t\t\thdev->acl_cnt += count;\n\t\t\t\tif (hdev->acl_cnt > hdev->acl_pkts)\n\t\t\t\t\thdev->acl_cnt = hdev->acl_pkts;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase SCO_LINK:\n\t\t\thdev->sco_cnt += count;\n\t\t\tif (hdev->sco_cnt > 
hdev->sco_pkts)\n\t\t\t\thdev->sco_cnt = hdev->sco_pkts;\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tbt_dev_err(hdev, \"unknown type %d conn %p\",\n\t\t\t\t conn->type, conn);\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tqueue_work(hdev->workqueue, &hdev->tx_work);\n}", "project": "linux", "hash": 291913377004448412681893017551447264483, "size": 66, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432020 }, { "func": "void imap_close_connection(struct ImapAccountData *adata)\n{\n if (adata->state != IMAP_DISCONNECTED)\n {\n mutt_socket_close(adata->conn);\n adata->state = IMAP_DISCONNECTED;\n }\n adata->seqno = 0;\n adata->nextcmd = 0;\n adata->lastcmd = 0;\n adata->status = 0;\n memset(adata->cmds, 0, sizeof(struct ImapCommand) * adata->cmdslots);\n}", "project": "neomutt", "hash": 43298347294703487743015918614523076816, "size": 13, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357030 }, { "func": "static int _nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)\n{\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\tstruct nfs4_accessargs args = {\n\t\t.fh = NFS_FH(inode),\n\t\t.access = entry->mask,\n\t};\n\tstruct nfs4_accessres res = {\n\t\t.server = 
server,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_ACCESS],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t\t.rpc_cred = entry->cred,\n\t};\n\tint status = 0;\n\n\tif (!nfs4_have_delegation(inode, FMODE_READ)) {\n\t\tres.fattr = nfs_alloc_fattr();\n\t\tif (res.fattr == NULL)\n\t\t\treturn -ENOMEM;\n\t\targs.bitmask = server->cache_consistency_bitmask;\n\t}\n\tstatus = nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);\n\tif (!status) {\n\t\tnfs_access_set_mask(entry, res.access);\n\t\tif (res.fattr)\n\t\t\tnfs_refresh_inode(inode, res.fattr);\n\t}\n\tnfs_free_fattr(res.fattr);\n\treturn status;\n}", "project": "linux", "hash": 135192170216578743120369888135496349638, "size": 33, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431510 }, { "func": "void tipc_node_delete_links(struct net *net, int bearer_id)\n{\n\tstruct tipc_net *tn = net_generic(net, tipc_net_id);\n\tstruct tipc_node *n;\n\n\trcu_read_lock();\n\tlist_for_each_entry_rcu(n, &tn->node_list, list) {\n\t\ttipc_node_link_down(n, bearer_id, true);\n\t}\n\trcu_read_unlock();\n}", "project": "linux", "hash": 78745150280238076395794903977969047367, "size": 11, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot 
reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 
55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364975 }, { "func": "static void __trace_find_cmdline(int pid, char comm[])\n{\n\tunsigned map;\n\n\tif (!pid) {\n\t\tstrcpy(comm, \"\");\n\t\treturn;\n\t}\n\n\tif (WARN_ON_ONCE(pid < 0)) {\n\t\tstrcpy(comm, \"\");\n\t\treturn;\n\t}\n\n\tif (pid > PID_MAX_DEFAULT) {\n\t\tstrcpy(comm, \"<...>\");\n\t\treturn;\n\t}\n\n\tmap = savedcmd->map_pid_to_cmdline[pid];\n\tif (map != NO_CMDLINE_MAP)\n\t\tstrlcpy(comm, get_saved_cmdlines(map), TASK_COMM_LEN);\n\telse\n\t\tstrcpy(comm, \"<...>\");\n}", "project": "linux", "hash": 207327697008959165213639511350553489579, "size": 25, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445594 }, { "func": "static inline unsigned int oo_objects(struct kmem_cache_order_objects x)\n{\n\treturn x.x & OO_MASK;\n}", "project": "linux", "hash": 163502830502198966195081751851295208652, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280271 }, { "func": "static void r_core_debug_breakpoint_hit(RCore *core, RBreakpointItem *bpi) {\n\tconst char *cmdbp = r_config_get (core->config, \"cmd.bp\");\n\tconst bool cmdbp_exists = (cmdbp && *cmdbp);\n\tconst bool bpcmd_exists = (bpi->data && bpi->data[0]);\n\tconst bool may_output = (cmdbp_exists || bpcmd_exists);\n\tif (may_output) {\n\t\tr_cons_push ();\n\t}\n\tif (cmdbp_exists) {\n\t\tr_core_cmd0 (core, cmdbp);\n\t}\n\tif (bpcmd_exists) {\n\t\tr_core_cmd0 (core, bpi->data);\n\t}\n\tif (may_output) {\n\t\tr_cons_flush ();\n\t\tr_cons_pop ();\n\t}\n}", "project": "radare2", "hash": 241189649492956593603884145769279724203, "size": 19, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232170 }, { "func": "static long do_mbind(unsigned long start, unsigned long len,\n\t\t unsigned short mode, unsigned short mode_flags,\n\t\t nodemask_t *nmask, unsigned long flags)\n{\n\tstruct mm_struct *mm = current->mm;\n\tstruct mempolicy *new;\n\tunsigned long end;\n\tint err;\n\tint ret;\n\tLIST_HEAD(pagelist);\n\n\tif (flags & ~(unsigned long)MPOL_MF_VALID)\n\t\treturn -EINVAL;\n\tif ((flags & MPOL_MF_MOVE_ALL) && !capable(CAP_SYS_NICE))\n\t\treturn -EPERM;\n\n\tif (start & ~PAGE_MASK)\n\t\treturn -EINVAL;\n\n\tif (mode == MPOL_DEFAULT)\n\t\tflags &= ~MPOL_MF_STRICT;\n\n\tlen = (len + PAGE_SIZE - 1) & PAGE_MASK;\n\tend = start + len;\n\n\tif (end < start)\n\t\treturn -EINVAL;\n\tif (end == start)\n\t\treturn 0;\n\n\tnew = mpol_new(mode, mode_flags, 
nmask);\n\tif (IS_ERR(new))\n\t\treturn PTR_ERR(new);\n\n\tif (flags & MPOL_MF_LAZY)\n\t\tnew->flags |= MPOL_F_MOF;\n\n\t/*\n\t * If we are using the default policy then operation\n\t * on discontinuous address spaces is okay after all\n\t */\n\tif (!new)\n\t\tflags |= MPOL_MF_DISCONTIG_OK;\n\n\tpr_debug(\"mbind %lx-%lx mode:%d flags:%d nodes:%lx\\n\",\n\t\t start, start + len, mode, mode_flags,\n\t\t nmask ? nodes_addr(*nmask)[0] : NUMA_NO_NODE);\n\n\tif (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)) {\n\n\t\terr = migrate_prep();\n\t\tif (err)\n\t\t\tgoto mpol_out;\n\t}\n\t{\n\t\tNODEMASK_SCRATCH(scratch);\n\t\tif (scratch) {\n\t\t\tdown_write(&mm->mmap_sem);\n\t\t\ttask_lock(current);\n\t\t\terr = mpol_set_nodemask(new, nmask, scratch);\n\t\t\ttask_unlock(current);\n\t\t\tif (err)\n\t\t\t\tup_write(&mm->mmap_sem);\n\t\t} else\n\t\t\terr = -ENOMEM;\n\t\tNODEMASK_SCRATCH_FREE(scratch);\n\t}\n\tif (err)\n\t\tgoto mpol_out;\n\n\tret = queue_pages_range(mm, start, end, nmask,\n\t\t\t flags | MPOL_MF_INVERT, &pagelist);\n\n\tif (ret < 0) {\n\t\terr = ret;\n\t\tgoto up_out;\n\t}\n\n\terr = mbind_range(mm, start, end, new);\n\n\tif (!err) {\n\t\tint nr_failed = 0;\n\n\t\tif (!list_empty(&pagelist)) {\n\t\t\tWARN_ON_ONCE(flags & MPOL_MF_LAZY);\n\t\t\tnr_failed = migrate_pages(&pagelist, new_page, NULL,\n\t\t\t\tstart, MIGRATE_SYNC, MR_MEMPOLICY_MBIND);\n\t\t\tif (nr_failed)\n\t\t\t\tputback_movable_pages(&pagelist);\n\t\t}\n\n\t\tif ((ret > 0) || (nr_failed && (flags & MPOL_MF_STRICT)))\n\t\t\terr = -EIO;\n\t} else {\nup_out:\n\t\tif (!list_empty(&pagelist))\n\t\t\tputback_movable_pages(&pagelist);\n\t}\n\n\tup_write(&mm->mmap_sem);\nmpol_out:\n\tmpol_put(new);\n\treturn err;\n}", "project": "linux", "hash": 152550866531959783526910512436703583302, "size": 104, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount 
option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366760 }, { "func": "static int hls_read_header(AVFormatContext *s)\n{\n URLContext *u = (s->flags & AVFMT_FLAG_CUSTOM_IO) ? NULL : s->pb->opaque;\n HLSContext *c = s->priv_data;\n int ret = 0, i, j, stream_offset = 0;\n\n c->interrupt_callback = &s->interrupt_callback;\n\n c->first_packet = 1;\n c->first_timestamp = AV_NOPTS_VALUE;\n c->cur_timestamp = AV_NOPTS_VALUE;\n\n // if the URL context is good, read important options we must broker later\n if (u && u->prot->priv_data_class) {\n // get the previous user agent & set back to null if string size is zero\n update_options(&c->user_agent, \"user-agent\", u->priv_data);\n\n // get the previous cookies & set back to null if string size is zero\n update_options(&c->cookies, \"cookies\", u->priv_data);\n\n // get the previous headers & set back to null if string size is zero\n update_options(&c->headers, \"headers\", u->priv_data);\n }\n\n if ((ret = parse_playlist(c, s->filename, NULL, s->pb)) < 0)\n goto fail;\n\n if ((ret = save_avio_options(s)) < 0)\n goto fail;\n\n /* Some HLS servers don't like being sent the range header */\n av_dict_set(&c->avio_opts, \"seekable\", \"0\", 0);\n\n if (c->n_variants == 0) {\n av_log(NULL, 
AV_LOG_WARNING, \"Empty playlist\\n\");\n ret = AVERROR_EOF;\n goto fail;\n }\n /* If the playlist only contained playlists (Master Playlist),\n * parse each individual playlist. */\n if (c->n_playlists > 1 || c->playlists[0]->n_segments == 0) {\n for (i = 0; i < c->n_playlists; i++) {\n struct playlist *pls = c->playlists[i];\n if ((ret = parse_playlist(c, pls->url, pls, NULL)) < 0)\n goto fail;\n }\n }\n\n if (c->variants[0]->playlists[0]->n_segments == 0) {\n av_log(NULL, AV_LOG_WARNING, \"Empty playlist\\n\");\n ret = AVERROR_EOF;\n goto fail;\n }\n\n /* If this isn't a live stream, calculate the total duration of the\n * stream. */\n if (c->variants[0]->playlists[0]->finished) {\n int64_t duration = 0;\n for (i = 0; i < c->variants[0]->playlists[0]->n_segments; i++)\n duration += c->variants[0]->playlists[0]->segments[i]->duration;\n s->duration = duration;\n }\n\n /* Associate renditions with variants */\n for (i = 0; i < c->n_variants; i++) {\n struct variant *var = c->variants[i];\n\n if (var->audio_group[0])\n add_renditions_to_variant(c, var, AVMEDIA_TYPE_AUDIO, var->audio_group);\n if (var->video_group[0])\n add_renditions_to_variant(c, var, AVMEDIA_TYPE_VIDEO, var->video_group);\n if (var->subtitles_group[0])\n add_renditions_to_variant(c, var, AVMEDIA_TYPE_SUBTITLE, var->subtitles_group);\n }\n\n /* Open the demuxer for each playlist */\n for (i = 0; i < c->n_playlists; i++) {\n struct playlist *pls = c->playlists[i];\n AVInputFormat *in_fmt = NULL;\n\n if (!(pls->ctx = avformat_alloc_context())) {\n ret = AVERROR(ENOMEM);\n goto fail;\n }\n\n if (pls->n_segments == 0)\n continue;\n\n pls->index = i;\n pls->needed = 1;\n pls->parent = s;\n pls->cur_seq_no = select_cur_seq_no(c, pls);\n\n pls->read_buffer = av_malloc(INITIAL_BUFFER_SIZE);\n if (!pls->read_buffer){\n ret = AVERROR(ENOMEM);\n avformat_free_context(pls->ctx);\n pls->ctx = NULL;\n goto fail;\n }\n ffio_init_context(&pls->pb, pls->read_buffer, INITIAL_BUFFER_SIZE, 0, pls,\n read_data, NULL, 
NULL);\n pls->pb.seekable = 0;\n ret = av_probe_input_buffer(&pls->pb, &in_fmt, pls->segments[0]->url,\n NULL, 0, 0);\n if (ret < 0) {\n /* Free the ctx - it isn't initialized properly at this point,\n * so avformat_close_input shouldn't be called. If\n * avformat_open_input fails below, it frees and zeros the\n * context, so it doesn't need any special treatment like this. */\n av_log(s, AV_LOG_ERROR, \"Error when loading first segment '%s'\\n\", pls->segments[0]->url);\n avformat_free_context(pls->ctx);\n pls->ctx = NULL;\n goto fail;\n }\n pls->ctx->pb = &pls->pb;\n pls->stream_offset = stream_offset;\n\n if ((ret = ff_copy_whitelists(pls->ctx, s)) < 0)\n goto fail;\n\n ret = avformat_open_input(&pls->ctx, pls->segments[0]->url, in_fmt, NULL);\n if (ret < 0)\n goto fail;\n\n if (pls->id3_deferred_extra && pls->ctx->nb_streams == 1) {\n ff_id3v2_parse_apic(pls->ctx, &pls->id3_deferred_extra);\n avformat_queue_attached_pictures(pls->ctx);\n ff_id3v2_free_extra_meta(&pls->id3_deferred_extra);\n pls->id3_deferred_extra = NULL;\n }\n\n pls->ctx->ctx_flags &= ~AVFMTCTX_NOHEADER;\n ret = avformat_find_stream_info(pls->ctx, NULL);\n if (ret < 0)\n goto fail;\n\n if (pls->is_id3_timestamped == -1)\n av_log(s, AV_LOG_WARNING, \"No expected HTTP requests have been made\\n\");\n\n /* Create new AVStreams for each stream in this playlist */\n for (j = 0; j < pls->ctx->nb_streams; j++) {\n AVStream *st = avformat_new_stream(s, NULL);\n AVStream *ist = pls->ctx->streams[j];\n if (!st) {\n ret = AVERROR(ENOMEM);\n goto fail;\n }\n st->id = i;\n\n avcodec_copy_context(st->codec, pls->ctx->streams[j]->codec);\n\n if (pls->is_id3_timestamped) /* custom timestamps via id3 */\n avpriv_set_pts_info(st, 33, 1, MPEG_TIME_BASE);\n else\n avpriv_set_pts_info(st, ist->pts_wrap_bits, ist->time_base.num, ist->time_base.den);\n }\n\n add_metadata_from_renditions(s, pls, AVMEDIA_TYPE_AUDIO);\n add_metadata_from_renditions(s, pls, AVMEDIA_TYPE_VIDEO);\n add_metadata_from_renditions(s, pls, 
AVMEDIA_TYPE_SUBTITLE);\n\n stream_offset += pls->ctx->nb_streams;\n }\n\n /* Create a program for each variant */\n for (i = 0; i < c->n_variants; i++) {\n struct variant *v = c->variants[i];\n AVProgram *program;\n\n program = av_new_program(s, i);\n if (!program)\n goto fail;\n av_dict_set_int(&program->metadata, \"variant_bitrate\", v->bandwidth, 0);\n\n for (j = 0; j < v->n_playlists; j++) {\n struct playlist *pls = v->playlists[j];\n int is_shared = playlist_in_multiple_variants(c, pls);\n int k;\n\n for (k = 0; k < pls->ctx->nb_streams; k++) {\n struct AVStream *st = s->streams[pls->stream_offset + k];\n\n ff_program_add_stream_index(s, i, pls->stream_offset + k);\n\n /* Set variant_bitrate for streams unique to this variant */\n if (!is_shared && v->bandwidth)\n av_dict_set_int(&st->metadata, \"variant_bitrate\", v->bandwidth, 0);\n }\n }\n }\n\n return 0;\nfail:\n free_playlist_list(c);\n free_variant_list(c);\n free_rendition_list(c);\n return ret;\n}", "project": "FFmpeg", "hash": 274555902415109147907735053774958559851, "size": 199, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270459 }, { "func": "uchar Utf8::CalculateValue(const byte* str,\n unsigned length,\n unsigned* cursor) {\n // We only get called for non-ASCII characters.\n if (length == 1) {\n *cursor += 1;\n return kBadChar;\n }\n byte first = str[0];\n byte second = str[1] ^ 0x80;\n if (second & 0xC0) {\n *cursor += 1;\n return kBadChar;\n }\n if (first < 0xE0) {\n if (first < 0xC0) {\n *cursor += 1;\n return kBadChar;\n }\n uchar code_point = ((first << 6) | second) & kMaxTwoByteChar;\n if (code_point <= kMaxOneByteChar) {\n *cursor += 1;\n return kBadChar;\n }\n *cursor += 2;\n return 
code_point;\n }\n if (length == 2) {\n *cursor += 1;\n return kBadChar;\n }\n byte third = str[2] ^ 0x80;\n if (third & 0xC0) {\n *cursor += 1;\n return kBadChar;\n }\n if (first < 0xF0) {\n uchar code_point = ((((first << 6) | second) << 6) | third)\n & kMaxThreeByteChar;\n if (code_point <= kMaxTwoByteChar) {\n *cursor += 1;\n return kBadChar;\n }\n *cursor += 3;\n return code_point;\n }\n if (length == 3) {\n *cursor += 1;\n return kBadChar;\n }\n byte fourth = str[3] ^ 0x80;\n if (fourth & 0xC0) {\n *cursor += 1;\n return kBadChar;\n }\n if (first < 0xF8) {\n uchar code_point = (((((first << 6 | second) << 6) | third) << 6) | fourth)\n & kMaxFourByteChar;\n if (code_point <= kMaxThreeByteChar) {\n *cursor += 1;\n return kBadChar;\n }\n *cursor += 4;\n return code_point;\n }\n *cursor += 1;\n return kBadChar;\n}", "project": "node", "hash": 250076823734244458889977399567652754693, "size": 68, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385629 }, { "func": "ConnStateData::buildFakeRequest(Http::MethodType const method, SBuf &useHost, unsigned short usePort, const SBuf &payload)\n{\n ClientHttpRequest *http = new ClientHttpRequest(this);\n Http::Stream *stream = new Http::Stream(clientConnection, http);\n\n StoreIOBuffer tempBuffer;\n tempBuffer.data = stream->reqbuf;\n tempBuffer.length = HTTP_REQBUF_SZ;\n\n ClientStreamData newServer = new clientReplyContext(http);\n ClientStreamData newClient = stream;\n clientStreamInit(&http->client_stream, clientGetMoreData, clientReplyDetach,\n clientReplyStatus, newServer, clientSocketRecipient,\n clientSocketDetach, newClient, tempBuffer);\n\n stream->flags.parsed_ok = 1; // Do we need it?\n stream->mayUseConnection(true);\n\n AsyncCall::Pointer timeoutCall = commCbCall(5, 4, \"clientLifetimeTimeout\",\n 
CommTimeoutCbPtrFun(clientLifetimeTimeout, stream->http));\n commSetConnTimeout(clientConnection, Config.Timeout.lifetime, timeoutCall);\n\n stream->registerWithConn();\n\n MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initClient);\n mx->tcpClient = clientConnection;\n // Setup Http::Request object. Maybe should be replaced by a call to (modified)\n // clientProcessRequest\n HttpRequest::Pointer request = new HttpRequest(mx);\n AnyP::ProtocolType proto = (method == Http::METHOD_NONE) ? AnyP::PROTO_AUTHORITY_FORM : AnyP::PROTO_HTTP;\n request->url.setScheme(proto, nullptr);\n request->method = method;\n request->url.host(useHost.c_str());\n request->url.port(usePort);\n\n http->uri = SBufToCstring(request->effectiveRequestUri());\n http->initRequest(request.getRaw());\n\n request->manager(this, http->al);\n\n if (proto == AnyP::PROTO_HTTP)\n request->header.putStr(Http::HOST, useHost.c_str());\n\n request->sources |= ((switchedToHttps() || port->transport.protocol == AnyP::PROTO_HTTPS) ? HttpMsg::srcHttps : HttpMsg::srcHttp);\n#if USE_AUTH\n if (getAuth())\n request->auth_user_request = getAuth();\n#endif\n\n inBuf = payload;\n flags.readMore = false;\n\n return http;\n}", "project": "squid", "hash": 201318675743323706812146052061630604934, "size": 54, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402361 }, { "func": "static void mpol_rebind_policy(struct mempolicy *pol, const nodemask_t *newmask)\n{\n\tif (!pol)\n\t\treturn;\n\tif (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) &&\n\t nodes_equal(pol->w.cpuset_mems_allowed, *newmask))\n\t\treturn;\n\n\tmpol_ops[pol->mode].rebind(pol, newmask);\n}", "project": "linux", "hash": 271600877683910860646619670519708401552, "size": 10, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366742 }, { "func": "void eventpoll_release_file(struct file *file)\n{\n\tstruct eventpoll *ep;\n\tstruct epitem *epi, *next;\n\n\t/*\n\t * We don't want to get \"file->f_lock\" because it is not\n\t * necessary. It is not necessary because we're in the \"struct file\"\n\t * cleanup path, and this means that no one is using this file anymore.\n\t * So, for example, epoll_ctl() cannot hit here since if we reach this\n\t * point, the file counter already went to zero and fget() would fail.\n\t * The only hit might come from ep_free() but by holding the mutex\n\t * will correctly serialize the operation. 
We do need to acquire\n\t * \"ep->mtx\" after \"epmutex\" because ep_remove() requires it when called\n\t * from anywhere but ep_free().\n\t *\n\t * Besides, ep_remove() acquires the lock, so we can't hold it here.\n\t */\n\tmutex_lock(&epmutex);\n\tlist_for_each_entry_safe(epi, next, &file->f_ep_links, fllink) {\n\t\tep = epi->ep;\n\t\tmutex_lock_nested(&ep->mtx, 0);\n\t\tep_remove(ep, epi);\n\t\tmutex_unlock(&ep->mtx);\n\t}\n\tmutex_unlock(&epmutex);\n}", "project": "linux", "hash": 244574600610565553449010938969821485833, "size": 27, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336272 }, { "func": "static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type,\n\t\tEVP_CIPHER_CTX *cipher_ctx, struct php_openssl_cipher_mode *mode,\n\t\tzend_string **poutbuf, int *poutlen, char *data, size_t data_len,\n\t\tchar *aad, size_t aad_len, int enc) /* {{{ */\n{\n\tint i = 0;\n\n\tif (mode->is_single_run_aead && !EVP_CipherUpdate(cipher_ctx, NULL, &i, NULL, (int)data_len)) {\n\t\tphp_openssl_store_errors();\n\t\tphp_error_docref(NULL, E_WARNING, \"Setting of data length failed\");\n\t\treturn FAILURE;\n\t}\n\n\tif (mode->is_aead && !EVP_CipherUpdate(cipher_ctx, NULL, &i, (unsigned char *)aad, (int)aad_len)) {\n\t\tphp_openssl_store_errors();\n\t\tphp_error_docref(NULL, E_WARNING, \"Setting of additional application data failed\");\n\t\treturn FAILURE;\n\t}\n\n\t*poutbuf = zend_string_alloc((int)data_len + EVP_CIPHER_block_size(cipher_type), 0);\n\n\tif (!EVP_CipherUpdate(cipher_ctx, (unsigned char*)ZSTR_VAL(*poutbuf),\n\t\t\t\t\t&i, (unsigned char *)data, (int)data_len)) {\n\t\t/* we don't show warning when we fail but if we ever do, then it should look like this:\n\t\tif (mode->is_single_run_aead && !enc) {\n\t\t\tphp_error_docref(NULL, E_WARNING, \"Tag verifycation failed\");\n\t\t} else {\n\t\t\tphp_error_docref(NULL, 
E_WARNING, enc ? \"Encryption failed\" : \"Decryption failed\");\n\t\t}\n\t\t*/\n\t\tphp_openssl_store_errors();\n\t\tzend_string_release(*poutbuf);\n\t\treturn FAILURE;\n\t}\n\n\t*poutlen = i;\n\n\treturn SUCCESS;\n}", "project": "php-src", "hash": 62414657489232437479809170421784292857, "size": 39, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291374 }, { "func": "static inline bool __io_cqring_fill_event(struct io_ring_ctx *ctx, u64 user_data,\n\t\t\t\t\t long res, unsigned int cflags)\n{\n\tstruct io_uring_cqe *cqe;\n\n\ttrace_io_uring_complete(ctx, user_data, res, cflags);\n\n\t/*\n\t * If we can't get a cq entry, userspace overflowed the\n\t * submission (by quite a lot). Increment the overflow count in\n\t * the ring.\n\t */\n\tcqe = io_get_cqring(ctx);\n\tif (likely(cqe)) {\n\t\tWRITE_ONCE(cqe->user_data, user_data);\n\t\tWRITE_ONCE(cqe->res, res);\n\t\tWRITE_ONCE(cqe->flags, cflags);\n\t\treturn true;\n\t}\n\treturn io_cqring_event_overflow(ctx, user_data, res, cflags);\n}", "project": "linux", "hash": 112936889177419040144023680727530467181, "size": 21, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338554 }, { "func": "static void __io_cqring_fill_event(struct io_kiocb *req, long res, long cflags)\n{\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tstruct io_uring_cqe *cqe;\n\n\ttrace_io_uring_complete(ctx, req->user_data, res);\n\n\t/*\n\t * If we can't get a cq entry, userspace overflowed the\n\t * submission (by quite a lot). Increment the overflow count in\n\t * the ring.\n\t */\n\tcqe = io_get_cqring(ctx);\n\tif (likely(cqe)) {\n\t\tWRITE_ONCE(cqe->user_data, req->user_data);\n\t\tWRITE_ONCE(cqe->res, res);\n\t\tWRITE_ONCE(cqe->flags, cflags);\n\t} else if (ctx->cq_overflow_flushed) {\n\t\tWRITE_ONCE(ctx->rings->cq_overflow,\n\t\t\t\tatomic_inc_return(&ctx->cached_cq_overflow));\n\t} else {\n\t\tif (list_empty(&ctx->cq_overflow_list)) {\n\t\t\tset_bit(0, &ctx->sq_check_overflow);\n\t\t\tset_bit(0, &ctx->cq_check_overflow);\n\t\t\tctx->rings->sq_flags |= IORING_SQ_CQ_OVERFLOW;\n\t\t}\n\t\tio_clean_op(req);\n\t\treq->flags |= REQ_F_OVERFLOW;\n\t\treq->result = res;\n\t\treq->compl.cflags = cflags;\n\t\trefcount_inc(&req->refs);\n\t\tlist_add_tail(&req->compl.list, &ctx->cq_overflow_list);\n\t}\n}", "project": "linux", "hash": 113574187360988028638580077788304462175, "size": 34, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but 
we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456942 }, { "func": "int nested_svm_vmexit(struct vcpu_svm *svm)\n{\n\tint rc;\n\tstruct vmcb *vmcb12;\n\tstruct vmcb *hsave = svm->nested.hsave;\n\tstruct vmcb *vmcb = svm->vmcb;\n\tstruct kvm_host_map map;\n\n\trc = kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(svm->nested.vmcb12_gpa), &map);\n\tif (rc) {\n\t\tif (rc == -EINVAL)\n\t\t\tkvm_inject_gp(&svm->vcpu, 0);\n\t\treturn 1;\n\t}\n\n\tvmcb12 = map.hva;\n\n\t/* Exit Guest-Mode */\n\tleave_guest_mode(&svm->vcpu);\n\tsvm->nested.vmcb12_gpa = 0;\n\tWARN_ON_ONCE(svm->nested.nested_run_pending);\n\n\t/* in case we halted in L2 */\n\tsvm->vcpu.arch.mp_state = KVM_MP_STATE_RUNNABLE;\n\n\t/* Give the current vmcb to the guest */\n\n\tvmcb12->save.es = vmcb->save.es;\n\tvmcb12->save.cs = vmcb->save.cs;\n\tvmcb12->save.ss = vmcb->save.ss;\n\tvmcb12->save.ds = vmcb->save.ds;\n\tvmcb12->save.gdtr = vmcb->save.gdtr;\n\tvmcb12->save.idtr = vmcb->save.idtr;\n\tvmcb12->save.efer = svm->vcpu.arch.efer;\n\tvmcb12->save.cr0 = kvm_read_cr0(&svm->vcpu);\n\tvmcb12->save.cr3 = kvm_read_cr3(&svm->vcpu);\n\tvmcb12->save.cr2 = vmcb->save.cr2;\n\tvmcb12->save.cr4 = svm->vcpu.arch.cr4;\n\tvmcb12->save.rflags = kvm_get_rflags(&svm->vcpu);\n\tvmcb12->save.rip = kvm_rip_read(&svm->vcpu);\n\tvmcb12->save.rsp = kvm_rsp_read(&svm->vcpu);\n\tvmcb12->save.rax = kvm_rax_read(&svm->vcpu);\n\tvmcb12->save.dr7 = vmcb->save.dr7;\n\tvmcb12->save.dr6 = svm->vcpu.arch.dr6;\n\tvmcb12->save.cpl = vmcb->save.cpl;\n\n\tvmcb12->control.int_state = vmcb->control.int_state;\n\tvmcb12->control.exit_code = 
vmcb->control.exit_code;\n\tvmcb12->control.exit_code_hi = vmcb->control.exit_code_hi;\n\tvmcb12->control.exit_info_1 = vmcb->control.exit_info_1;\n\tvmcb12->control.exit_info_2 = vmcb->control.exit_info_2;\n\n\tif (vmcb12->control.exit_code != SVM_EXIT_ERR)\n\t\tnested_vmcb_save_pending_event(svm, vmcb12);\n\n\tif (svm->nrips_enabled)\n\t\tvmcb12->control.next_rip = vmcb->control.next_rip;\n\n\tvmcb12->control.int_ctl = svm->nested.ctl.int_ctl;\n\tvmcb12->control.tlb_ctl = svm->nested.ctl.tlb_ctl;\n\tvmcb12->control.event_inj = svm->nested.ctl.event_inj;\n\tvmcb12->control.event_inj_err = svm->nested.ctl.event_inj_err;\n\n\tvmcb12->control.pause_filter_count =\n\t\tsvm->vmcb->control.pause_filter_count;\n\tvmcb12->control.pause_filter_thresh =\n\t\tsvm->vmcb->control.pause_filter_thresh;\n\n\t/* Restore the original control entries */\n\tcopy_vmcb_control_area(&vmcb->control, &hsave->control);\n\n\t/* On vmexit the GIF is set to false */\n\tsvm_set_gif(svm, false);\n\n\tsvm->vmcb->control.tsc_offset = svm->vcpu.arch.tsc_offset =\n\t\tsvm->vcpu.arch.l1_tsc_offset;\n\n\tsvm->nested.ctl.nested_cr3 = 0;\n\n\t/* Restore selected save entries */\n\tsvm->vmcb->save.es = hsave->save.es;\n\tsvm->vmcb->save.cs = hsave->save.cs;\n\tsvm->vmcb->save.ss = hsave->save.ss;\n\tsvm->vmcb->save.ds = hsave->save.ds;\n\tsvm->vmcb->save.gdtr = hsave->save.gdtr;\n\tsvm->vmcb->save.idtr = hsave->save.idtr;\n\tkvm_set_rflags(&svm->vcpu, hsave->save.rflags);\n\tsvm_set_efer(&svm->vcpu, hsave->save.efer);\n\tsvm_set_cr0(&svm->vcpu, hsave->save.cr0 | X86_CR0_PE);\n\tsvm_set_cr4(&svm->vcpu, hsave->save.cr4);\n\tkvm_rax_write(&svm->vcpu, hsave->save.rax);\n\tkvm_rsp_write(&svm->vcpu, hsave->save.rsp);\n\tkvm_rip_write(&svm->vcpu, hsave->save.rip);\n\tsvm->vmcb->save.dr7 = 0;\n\tsvm->vmcb->save.cpl = 0;\n\tsvm->vmcb->control.exit_int_info = 0;\n\n\tvmcb_mark_all_dirty(svm->vmcb);\n\n\ttrace_kvm_nested_vmexit_inject(vmcb12->control.exit_code,\n\t\t\t\t vmcb12->control.exit_info_1,\n\t\t\t\t 
vmcb12->control.exit_info_2,\n\t\t\t\t vmcb12->control.exit_int_info,\n\t\t\t\t vmcb12->control.exit_int_info_err,\n\t\t\t\t KVM_ISA_SVM);\n\n\tkvm_vcpu_unmap(&svm->vcpu, &map, true);\n\n\tnested_svm_uninit_mmu_context(&svm->vcpu);\n\n\trc = nested_svm_load_cr3(&svm->vcpu, hsave->save.cr3, false);\n\tif (rc)\n\t\treturn 1;\n\n\tif (npt_enabled)\n\t\tsvm->vmcb->save.cr3 = hsave->save.cr3;\n\n\t/*\n\t * Drop what we picked up for L2 via svm_complete_interrupts() so it\n\t * doesn't end up in L1.\n\t */\n\tsvm->vcpu.arch.nmi_injected = false;\n\tkvm_clear_exception_queue(&svm->vcpu);\n\tkvm_clear_interrupt_queue(&svm->vcpu);\n\n\treturn 0;\n}", "project": "linux", "hash": 216191050131287661080741760105293799241, "size": 127, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. 
Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376656 }, { "func": "static int nested_svm_vmexit(struct vcpu_svm *svm)\n{\n\tint rc;\n\tstruct vmcb *nested_vmcb;\n\tstruct vmcb *hsave = svm->nested.hsave;\n\tstruct vmcb *vmcb = svm->vmcb;\n\tstruct kvm_host_map map;\n\n\ttrace_kvm_nested_vmexit_inject(vmcb->control.exit_code,\n\t\t\t\t vmcb->control.exit_info_1,\n\t\t\t\t vmcb->control.exit_info_2,\n\t\t\t\t vmcb->control.exit_int_info,\n\t\t\t\t vmcb->control.exit_int_info_err,\n\t\t\t\t KVM_ISA_SVM);\n\n\trc = kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(svm->nested.vmcb), &map);\n\tif (rc) {\n\t\tif (rc == -EINVAL)\n\t\t\tkvm_inject_gp(&svm->vcpu, 0);\n\t\treturn 1;\n\t}\n\n\tnested_vmcb = map.hva;\n\n\t/* Exit Guest-Mode */\n\tleave_guest_mode(&svm->vcpu);\n\tsvm->nested.vmcb = 0;\n\n\t/* Give the current vmcb to the guest */\n\tdisable_gif(svm);\n\n\tnested_vmcb->save.es = vmcb->save.es;\n\tnested_vmcb->save.cs = vmcb->save.cs;\n\tnested_vmcb->save.ss = vmcb->save.ss;\n\tnested_vmcb->save.ds = vmcb->save.ds;\n\tnested_vmcb->save.gdtr = vmcb->save.gdtr;\n\tnested_vmcb->save.idtr = vmcb->save.idtr;\n\tnested_vmcb->save.efer = svm->vcpu.arch.efer;\n\tnested_vmcb->save.cr0 = kvm_read_cr0(&svm->vcpu);\n\tnested_vmcb->save.cr3 = kvm_read_cr3(&svm->vcpu);\n\tnested_vmcb->save.cr2 = vmcb->save.cr2;\n\tnested_vmcb->save.cr4 = svm->vcpu.arch.cr4;\n\tnested_vmcb->save.rflags = kvm_get_rflags(&svm->vcpu);\n\tnested_vmcb->save.rip = vmcb->save.rip;\n\tnested_vmcb->save.rsp = vmcb->save.rsp;\n\tnested_vmcb->save.rax = vmcb->save.rax;\n\tnested_vmcb->save.dr7 = vmcb->save.dr7;\n\tnested_vmcb->save.dr6 = vmcb->save.dr6;\n\tnested_vmcb->save.cpl = 
vmcb->save.cpl;\n\n\tnested_vmcb->control.int_ctl = vmcb->control.int_ctl;\n\tnested_vmcb->control.int_vector = vmcb->control.int_vector;\n\tnested_vmcb->control.int_state = vmcb->control.int_state;\n\tnested_vmcb->control.exit_code = vmcb->control.exit_code;\n\tnested_vmcb->control.exit_code_hi = vmcb->control.exit_code_hi;\n\tnested_vmcb->control.exit_info_1 = vmcb->control.exit_info_1;\n\tnested_vmcb->control.exit_info_2 = vmcb->control.exit_info_2;\n\tnested_vmcb->control.exit_int_info = vmcb->control.exit_int_info;\n\tnested_vmcb->control.exit_int_info_err = vmcb->control.exit_int_info_err;\n\n\tif (svm->nrips_enabled)\n\t\tnested_vmcb->control.next_rip = vmcb->control.next_rip;\n\n\t/*\n\t * If we emulate a VMRUN/#VMEXIT in the same host #vmexit cycle we have\n\t * to make sure that we do not lose injected events. So check event_inj\n\t * here and copy it to exit_int_info if it is valid.\n\t * Exit_int_info and event_inj can't be both valid because the case\n\t * below only happens on a VMRUN instruction intercept which has\n\t * no valid exit_int_info set.\n\t */\n\tif (vmcb->control.event_inj & SVM_EVTINJ_VALID) {\n\t\tstruct vmcb_control_area *nc = &nested_vmcb->control;\n\n\t\tnc->exit_int_info = vmcb->control.event_inj;\n\t\tnc->exit_int_info_err = vmcb->control.event_inj_err;\n\t}\n\n\tnested_vmcb->control.tlb_ctl = 0;\n\tnested_vmcb->control.event_inj = 0;\n\tnested_vmcb->control.event_inj_err = 0;\n\n\tnested_vmcb->control.pause_filter_count =\n\t\tsvm->vmcb->control.pause_filter_count;\n\tnested_vmcb->control.pause_filter_thresh =\n\t\tsvm->vmcb->control.pause_filter_thresh;\n\n\t/* We always set V_INTR_MASKING and remember the old value in hflags */\n\tif (!(svm->vcpu.arch.hflags & HF_VINTR_MASK))\n\t\tnested_vmcb->control.int_ctl &= ~V_INTR_MASKING_MASK;\n\n\t/* Restore the original control entries */\n\tcopy_vmcb_control_area(vmcb, hsave);\n\n\tsvm->vcpu.arch.tsc_offset = 
svm->vmcb->control.tsc_offset;\n\tkvm_clear_exception_queue(&svm->vcpu);\n\tkvm_clear_interrupt_queue(&svm->vcpu);\n\n\tsvm->nested.nested_cr3 = 0;\n\n\t/* Restore selected save entries */\n\tsvm->vmcb->save.es = hsave->save.es;\n\tsvm->vmcb->save.cs = hsave->save.cs;\n\tsvm->vmcb->save.ss = hsave->save.ss;\n\tsvm->vmcb->save.ds = hsave->save.ds;\n\tsvm->vmcb->save.gdtr = hsave->save.gdtr;\n\tsvm->vmcb->save.idtr = hsave->save.idtr;\n\tkvm_set_rflags(&svm->vcpu, hsave->save.rflags);\n\tsvm_set_efer(&svm->vcpu, hsave->save.efer);\n\tsvm_set_cr0(&svm->vcpu, hsave->save.cr0 | X86_CR0_PE);\n\tsvm_set_cr4(&svm->vcpu, hsave->save.cr4);\n\tif (npt_enabled) {\n\t\tsvm->vmcb->save.cr3 = hsave->save.cr3;\n\t\tsvm->vcpu.arch.cr3 = hsave->save.cr3;\n\t} else {\n\t\t(void)kvm_set_cr3(&svm->vcpu, hsave->save.cr3);\n\t}\n\tkvm_rax_write(&svm->vcpu, hsave->save.rax);\n\tkvm_rsp_write(&svm->vcpu, hsave->save.rsp);\n\tkvm_rip_write(&svm->vcpu, hsave->save.rip);\n\tsvm->vmcb->save.dr7 = 0;\n\tsvm->vmcb->save.cpl = 0;\n\tsvm->vmcb->control.exit_int_info = 0;\n\n\tmark_all_dirty(svm->vmcb);\n\n\tkvm_vcpu_unmap(&svm->vcpu, &map, true);\n\n\tnested_svm_uninit_mmu_context(&svm->vcpu);\n\tkvm_mmu_reset_context(&svm->vcpu);\n\tkvm_mmu_load(&svm->vcpu);\n\n\t/*\n\t * Drop what we picked up for L2 via svm_complete_interrupts() so it\n\t * doesn't end up in L1.\n\t */\n\tsvm->vcpu.arch.nmi_injected = false;\n\tkvm_clear_exception_queue(&svm->vcpu);\n\tkvm_clear_interrupt_queue(&svm->vcpu);\n\n\treturn 0;\n}", "project": "linux", "hash": 88772828637610892575723583498652490039, "size": 142, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432453 }, { "func": "static int nested_svm_vmexit(struct vcpu_svm *svm)\n{\n\tstruct vmcb *nested_vmcb;\n\tstruct vmcb *hsave = svm->nested.hsave;\n\tstruct vmcb *vmcb = svm->vmcb;\n\tstruct page *page;\n\n\ttrace_kvm_nested_vmexit_inject(vmcb->control.exit_code,\n\t\t\t\t vmcb->control.exit_info_1,\n\t\t\t\t vmcb->control.exit_info_2,\n\t\t\t\t vmcb->control.exit_int_info,\n\t\t\t\t vmcb->control.exit_int_info_err,\n\t\t\t\t KVM_ISA_SVM);\n\n\tnested_vmcb = nested_svm_map(svm, svm->nested.vmcb, &page);\n\tif (!nested_vmcb)\n\t\treturn 1;\n\n\t/* Exit Guest-Mode */\n\tleave_guest_mode(&svm->vcpu);\n\tsvm->nested.vmcb = 0;\n\n\t/* Give the current vmcb to the guest */\n\tdisable_gif(svm);\n\n\tnested_vmcb->save.es = vmcb->save.es;\n\tnested_vmcb->save.cs = vmcb->save.cs;\n\tnested_vmcb->save.ss = vmcb->save.ss;\n\tnested_vmcb->save.ds = vmcb->save.ds;\n\tnested_vmcb->save.gdtr = vmcb->save.gdtr;\n\tnested_vmcb->save.idtr = vmcb->save.idtr;\n\tnested_vmcb->save.efer = svm->vcpu.arch.efer;\n\tnested_vmcb->save.cr0 = kvm_read_cr0(&svm->vcpu);\n\tnested_vmcb->save.cr3 = kvm_read_cr3(&svm->vcpu);\n\tnested_vmcb->save.cr2 = vmcb->save.cr2;\n\tnested_vmcb->save.cr4 = svm->vcpu.arch.cr4;\n\tnested_vmcb->save.rflags = kvm_get_rflags(&svm->vcpu);\n\tnested_vmcb->save.rip = vmcb->save.rip;\n\tnested_vmcb->save.rsp = vmcb->save.rsp;\n\tnested_vmcb->save.rax = vmcb->save.rax;\n\tnested_vmcb->save.dr7 = vmcb->save.dr7;\n\tnested_vmcb->save.dr6 = vmcb->save.dr6;\n\tnested_vmcb->save.cpl = vmcb->save.cpl;\n\n\tnested_vmcb->control.int_ctl = vmcb->control.int_ctl;\n\tnested_vmcb->control.int_vector = vmcb->control.int_vector;\n\tnested_vmcb->control.int_state = vmcb->control.int_state;\n\tnested_vmcb->control.exit_code = 
vmcb->control.exit_code;\n\tnested_vmcb->control.exit_code_hi = vmcb->control.exit_code_hi;\n\tnested_vmcb->control.exit_info_1 = vmcb->control.exit_info_1;\n\tnested_vmcb->control.exit_info_2 = vmcb->control.exit_info_2;\n\tnested_vmcb->control.exit_int_info = vmcb->control.exit_int_info;\n\tnested_vmcb->control.exit_int_info_err = vmcb->control.exit_int_info_err;\n\tnested_vmcb->control.next_rip = vmcb->control.next_rip;\n\n\t/*\n\t * If we emulate a VMRUN/#VMEXIT in the same host #vmexit cycle we have\n\t * to make sure that we do not lose injected events. So check event_inj\n\t * here and copy it to exit_int_info if it is valid.\n\t * Exit_int_info and event_inj can't be both valid because the case\n\t * below only happens on a VMRUN instruction intercept which has\n\t * no valid exit_int_info set.\n\t */\n\tif (vmcb->control.event_inj & SVM_EVTINJ_VALID) {\n\t\tstruct vmcb_control_area *nc = &nested_vmcb->control;\n\n\t\tnc->exit_int_info = vmcb->control.event_inj;\n\t\tnc->exit_int_info_err = vmcb->control.event_inj_err;\n\t}\n\n\tnested_vmcb->control.tlb_ctl = 0;\n\tnested_vmcb->control.event_inj = 0;\n\tnested_vmcb->control.event_inj_err = 0;\n\n\t/* We always set V_INTR_MASKING and remember the old value in hflags */\n\tif (!(svm->vcpu.arch.hflags & HF_VINTR_MASK))\n\t\tnested_vmcb->control.int_ctl &= ~V_INTR_MASKING_MASK;\n\n\t/* Restore the original control entries */\n\tcopy_vmcb_control_area(vmcb, hsave);\n\n\tkvm_clear_exception_queue(&svm->vcpu);\n\tkvm_clear_interrupt_queue(&svm->vcpu);\n\n\tsvm->nested.nested_cr3 = 0;\n\n\t/* Restore selected save entries */\n\tsvm->vmcb->save.es = hsave->save.es;\n\tsvm->vmcb->save.cs = hsave->save.cs;\n\tsvm->vmcb->save.ss = hsave->save.ss;\n\tsvm->vmcb->save.ds = hsave->save.ds;\n\tsvm->vmcb->save.gdtr = hsave->save.gdtr;\n\tsvm->vmcb->save.idtr = hsave->save.idtr;\n\tkvm_set_rflags(&svm->vcpu, hsave->save.rflags);\n\tsvm_set_efer(&svm->vcpu, hsave->save.efer);\n\tsvm_set_cr0(&svm->vcpu, hsave->save.cr0 | 
X86_CR0_PE);\n\tsvm_set_cr4(&svm->vcpu, hsave->save.cr4);\n\tif (npt_enabled) {\n\t\tsvm->vmcb->save.cr3 = hsave->save.cr3;\n\t\tsvm->vcpu.arch.cr3 = hsave->save.cr3;\n\t} else {\n\t\t(void)kvm_set_cr3(&svm->vcpu, hsave->save.cr3);\n\t}\n\tkvm_register_write(&svm->vcpu, VCPU_REGS_RAX, hsave->save.rax);\n\tkvm_register_write(&svm->vcpu, VCPU_REGS_RSP, hsave->save.rsp);\n\tkvm_register_write(&svm->vcpu, VCPU_REGS_RIP, hsave->save.rip);\n\tsvm->vmcb->save.dr7 = 0;\n\tsvm->vmcb->save.cpl = 0;\n\tsvm->vmcb->control.exit_int_info = 0;\n\n\tmark_all_dirty(svm->vmcb);\n\n\tnested_svm_unmap(page);\n\n\tnested_svm_uninit_mmu_context(&svm->vcpu);\n\tkvm_mmu_reset_context(&svm->vcpu);\n\tkvm_mmu_load(&svm->vcpu);\n\n\treturn 0;\n}", "project": "kvm", "hash": 156627473827990897020862184261380910536, "size": 120, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437668 }, { "func": "static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,\n\t\t\t u16 *opcode, u8 *status,\n\t\t\t hci_req_complete_t *req_complete,\n\t\t\t hci_req_complete_skb_t *req_complete_skb)\n{\n\tstruct hci_ev_cmd_status *ev = (void *) skb->data;\n\n\tskb_pull(skb, sizeof(*ev));\n\n\t*opcode = __le16_to_cpu(ev->opcode);\n\t*status = ev->status;\n\n\tswitch (*opcode) {\n\tcase HCI_OP_INQUIRY:\n\t\thci_cs_inquiry(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_CREATE_CONN:\n\t\thci_cs_create_conn(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_DISCONNECT:\n\t\thci_cs_disconnect(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_ADD_SCO:\n\t\thci_cs_add_sco(hdev, ev->status);\n\t\tbreak;\n\n\tcase 
HCI_OP_AUTH_REQUESTED:\n\t\thci_cs_auth_requested(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_SET_CONN_ENCRYPT:\n\t\thci_cs_set_conn_encrypt(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_REMOTE_NAME_REQ:\n\t\thci_cs_remote_name_req(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_READ_REMOTE_FEATURES:\n\t\thci_cs_read_remote_features(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_READ_REMOTE_EXT_FEATURES:\n\t\thci_cs_read_remote_ext_features(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_SETUP_SYNC_CONN:\n\t\thci_cs_setup_sync_conn(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_SNIFF_MODE:\n\t\thci_cs_sniff_mode(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_EXIT_SNIFF_MODE:\n\t\thci_cs_exit_sniff_mode(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_SWITCH_ROLE:\n\t\thci_cs_switch_role(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_LE_CREATE_CONN:\n\t\thci_cs_le_create_conn(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_LE_READ_REMOTE_FEATURES:\n\t\thci_cs_le_read_remote_features(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_LE_START_ENC:\n\t\thci_cs_le_start_enc(hdev, ev->status);\n\t\tbreak;\n\n\tcase HCI_OP_LE_EXT_CREATE_CONN:\n\t\thci_cs_le_ext_create_conn(hdev, ev->status);\n\t\tbreak;\n\n\tdefault:\n\t\tBT_DBG(\"%s opcode 0x%4.4x\", hdev->name, *opcode);\n\t\tbreak;\n\t}\n\n\tif (*opcode != HCI_OP_NOP)\n\t\tcancel_delayed_work(&hdev->cmd_timer);\n\n\tif (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))\n\t\tatomic_set(&hdev->cmd_cnt, 1);\n\n\t/* Indicate request completion if the command failed. 
Also, if\n\t * we're not waiting for a special event and we get a success\n\t * command status we should try to flag the request as completed\n\t * (since for this kind of commands there will not be a command\n\t * complete event).\n\t */\n\tif (ev->status ||\n\t (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))\n\t\thci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,\n\t\t\t\t req_complete_skb);\n\n\tif (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {\n\t\tbt_dev_err(hdev,\n\t\t\t \"unexpected event for opcode 0x%4.4x\", *opcode);\n\t\treturn;\n\t}\n\n\tif (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))\n\t\tqueue_work(hdev->workqueue, &hdev->cmd_work);\n}", "project": "linux", "hash": 218376217254394402489090150411010097253, "size": 112, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431943 }, { "func": "static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)\n{\n\tstruct sctp_endpoint *ep = sctp_sk(sk)->ep;\n\tstruct sctp_transport *transport = NULL;\n\tstruct sctp_sndrcvinfo _sinfo, *sinfo;\n\tstruct sctp_association *asoc, *tmp;\n\tstruct sctp_cmsgs cmsgs;\n\tunion sctp_addr *daddr;\n\tbool new = false;\n\t__u16 sflags;\n\tint err;\n\n\t/* Parse and get snd_info */\n\terr = sctp_sendmsg_parse(sk, &cmsgs, &_sinfo, msg, msg_len);\n\tif (err)\n\t\tgoto out;\n\n\tsinfo = &_sinfo;\n\tsflags = sinfo->sinfo_flags;\n\n\t/* Get daddr from msg */\n\tdaddr = sctp_sendmsg_get_daddr(sk, msg, &cmsgs);\n\tif (IS_ERR(daddr)) {\n\t\terr = PTR_ERR(daddr);\n\t\tgoto out;\n\t}\n\n\tlock_sock(sk);\n\n\t/* SCTP_SENDALL process */\n\tif ((sflags & SCTP_SENDALL) && sctp_style(sk, UDP)) {\n\t\tlist_for_each_entry_safe(asoc, tmp, &ep->asocs, asocs) {\n\t\t\terr = sctp_sendmsg_check_sflags(asoc, sflags, msg,\n\t\t\t\t\t\t\tmsg_len);\n\t\t\tif (err == 0)\n\t\t\t\tcontinue;\n\t\t\tif (err < 0)\n\t\t\t\tgoto out_unlock;\n\n\t\t\tsctp_sendmsg_update_sinfo(asoc, sinfo, &cmsgs);\n\n\t\t\terr = sctp_sendmsg_to_asoc(asoc, msg, msg_len,\n\t\t\t\t\t\t NULL, sinfo);\n\t\t\tif (err < 0)\n\t\t\t\tgoto out_unlock;\n\n\t\t\tiov_iter_revert(&msg->msg_iter, err);\n\t\t}\n\n\t\tgoto out_unlock;\n\t}\n\n\t/* Get and check or create asoc */\n\tif (daddr) {\n\t\tasoc = sctp_endpoint_lookup_assoc(ep, daddr, &transport);\n\t\tif (asoc) {\n\t\t\terr = sctp_sendmsg_check_sflags(asoc, sflags, msg,\n\t\t\t\t\t\t\tmsg_len);\n\t\t\tif (err <= 0)\n\t\t\t\tgoto out_unlock;\n\t\t} else {\n\t\t\terr = 
sctp_sendmsg_new_asoc(sk, sflags, &cmsgs, daddr,\n\t\t\t\t\t\t &transport);\n\t\t\tif (err)\n\t\t\t\tgoto out_unlock;\n\n\t\t\tasoc = transport->asoc;\n\t\t\tnew = true;\n\t\t}\n\n\t\tif (!sctp_style(sk, TCP) && !(sflags & SCTP_ADDR_OVER))\n\t\t\ttransport = NULL;\n\t} else {\n\t\tasoc = sctp_id2assoc(sk, sinfo->sinfo_assoc_id);\n\t\tif (!asoc) {\n\t\t\terr = -EPIPE;\n\t\t\tgoto out_unlock;\n\t\t}\n\n\t\terr = sctp_sendmsg_check_sflags(asoc, sflags, msg, msg_len);\n\t\tif (err <= 0)\n\t\t\tgoto out_unlock;\n\t}\n\n\t/* Update snd_info with the asoc */\n\tsctp_sendmsg_update_sinfo(asoc, sinfo, &cmsgs);\n\n\t/* Send msg to the asoc */\n\terr = sctp_sendmsg_to_asoc(asoc, msg, msg_len, transport, sinfo);\n\tif (err < 0 && err != -ESRCH && new)\n\t\tsctp_association_free(asoc);\n\nout_unlock:\n\trelease_sock(sk);\nout:\n\treturn sctp_error(sk, msg->msg_flags, err);\n}", "project": "linux", "hash": 76853783868710364609486927282507006318, "size": 97, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398159 }, { "func": "void CServer::UpdateClientRconCommands()\n{\n\tfor(int ClientID = Tick() % MAX_RCONCMD_RATIO; ClientID < MAX_CLIENTS; ClientID += MAX_RCONCMD_RATIO)\n\t{\n\t\tif(m_aClients[ClientID].m_State != CClient::STATE_EMPTY && m_aClients[ClientID].m_Authed)\n\t\t{\n\t\t\tint ConsoleAccessLevel = m_aClients[ClientID].m_Authed == AUTHED_ADMIN ? IConsole::ACCESS_LEVEL_ADMIN : IConsole::ACCESS_LEVEL_MOD;\n\t\t\tfor(int i = 0; i < MAX_RCONCMD_SEND && m_aClients[ClientID].m_pRconCmdToSend; ++i)\n\t\t\t{\n\t\t\t\tSendRconCmdAdd(m_aClients[ClientID].m_pRconCmdToSend, ClientID);\n\t\t\t\tm_aClients[ClientID].m_pRconCmdToSend = m_aClients[ClientID].m_pRconCmdToSend->NextCommandInfo(ConsoleAccessLevel, CFGFLAG_SERVER);\n\t\t\t}\n\t\t}\n\t}\n}", "project": "teeworlds", "hash": 108248006850573652221908540042929144650, "size": 15, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382045 }, { "func": "void fuse_release_common(struct file *file, bool isdir)\n{\n\tstruct fuse_inode *fi = get_fuse_inode(file_inode(file));\n\tstruct fuse_file *ff = file->private_data;\n\tstruct fuse_release_args *ra = ff->release_args;\n\tint opcode = isdir ? 
FUSE_RELEASEDIR : FUSE_RELEASE;\n\n\tfuse_prepare_release(fi, ff, file->f_flags, opcode);\n\n\tif (ff->flock) {\n\t\tra->inarg.release_flags |= FUSE_RELEASE_FLOCK_UNLOCK;\n\t\tra->inarg.lock_owner = fuse_lock_owner_id(ff->fm->fc,\n\t\t\t\t\t\t\t (fl_owner_t) file);\n\t}\n\t/* Hold inode until release is finished */\n\tra->inode = igrab(file_inode(file));\n\n\t/*\n\t * Normally this will send the RELEASE request, however if\n\t * some asynchronous READ or WRITE requests are outstanding,\n\t * the sending will be delayed.\n\t *\n\t * Make the release synchronous if this is a fuseblk mount,\n\t * synchronous RELEASE is allowed (and desirable) in this case\n\t * because the server can be trusted not to screw up.\n\t */\n\tfuse_file_put(ff, ff->fm->fc->destroy, isdir);\n}", "project": "linux", "hash": 102341718946475217828731460152947016790, "size": 28, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341999 }, { "func": "static inline unsigned int alignDiff(rpm_tagtype_t type, unsigned int alignsize)\n{\n int typesize = typeSizes[type];\n\n if (typesize > 1) {\n\tunsigned int diff = typesize - (alignsize % typesize);\n\tif (diff != typesize)\n\t return diff;\n }\n return 0;\n}", "project": "rpm", "hash": 45507507812396652723918185229232435473, "size": 11, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318153 }, { "func": "static int fuse_dir_open(struct inode *inode, struct file *file)\n{\n\treturn fuse_open_common(inode, file, true);\n}", "project": "linux", "hash": 174624148422043706487947663184976833970, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342039 }, { "func": "static int compat_x25_subscr_ioctl(unsigned int cmd,\n\t\tstruct compat_x25_subscrip_struct __user *x25_subscr32)\n{\n\tstruct compat_x25_subscrip_struct x25_subscr;\n\tstruct x25_neigh *nb;\n\tstruct net_device *dev;\n\tint rc = -EINVAL;\n\n\trc = -EFAULT;\n\tif (copy_from_user(&x25_subscr, x25_subscr32, sizeof(*x25_subscr32)))\n\t\tgoto out;\n\n\trc = -EINVAL;\n\tdev = x25_dev_get(x25_subscr.device);\n\tif (dev == NULL)\n\t\tgoto out;\n\n\tnb = x25_get_neigh(dev);\n\tif (nb == NULL)\n\t\tgoto out_dev_put;\n\n\tdev_put(dev);\n\n\tif (cmd == SIOCX25GSUBSCRIP) {\n\t\tread_lock_bh(&x25_neigh_list_lock);\n\t\tx25_subscr.extended = nb->extended;\n\t\tx25_subscr.global_facil_mask = nb->global_facil_mask;\n\t\tread_unlock_bh(&x25_neigh_list_lock);\n\t\trc = copy_to_user(x25_subscr32, &x25_subscr,\n\t\t\t\tsizeof(*x25_subscr32)) ? -EFAULT : 0;\n\t} else {\n\t\trc = -EINVAL;\n\t\tif (x25_subscr.extended == 0 || x25_subscr.extended == 1) {\n\t\t\trc = 0;\n\t\t\twrite_lock_bh(&x25_neigh_list_lock);\n\t\t\tnb->extended = x25_subscr.extended;\n\t\t\tnb->global_facil_mask = x25_subscr.global_facil_mask;\n\t\t\twrite_unlock_bh(&x25_neigh_list_lock);\n\t\t}\n\t}\n\tx25_neigh_put(nb);\nout:\n\treturn rc;\nout_dev_put:\n\tdev_put(dev);\n\tgoto out;\n}", "project": "net", "hash": 256578881325786810638327836545615551403, "size": 47, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). 
One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449157 }, { "func": "static void printer_func_unbind(struct usb_configuration *c,\n\t\tstruct usb_function *f)\n{\n\tstruct printer_dev\t*dev;\n\tstruct usb_request\t*req;\n\n\tdev = func_to_printer(f);\n\n\tdevice_destroy(usb_gadget_class, MKDEV(major, dev->minor));\n\n\t/* Remove Character Device */\n\tcdev_del(&dev->printer_cdev);\n\n\t/* we must already have been disconnected ... no i/o may be active */\n\tWARN_ON(!list_empty(&dev->tx_reqs_active));\n\tWARN_ON(!list_empty(&dev->rx_reqs_active));\n\n\t/* Free all memory for this driver. 
*/\n\twhile (!list_empty(&dev->tx_reqs)) {\n\t\treq = container_of(dev->tx_reqs.next, struct usb_request,\n\t\t\t\tlist);\n\t\tlist_del(&req->list);\n\t\tprinter_req_free(dev->in_ep, req);\n\t}\n\n\tif (dev->current_rx_req != NULL)\n\t\tprinter_req_free(dev->out_ep, dev->current_rx_req);\n\n\twhile (!list_empty(&dev->rx_reqs)) {\n\t\treq = container_of(dev->rx_reqs.next,\n\t\t\t\tstruct usb_request, list);\n\t\tlist_del(&req->list);\n\t\tprinter_req_free(dev->out_ep, req);\n\t}\n\n\twhile (!list_empty(&dev->rx_buffers)) {\n\t\treq = container_of(dev->rx_buffers.next,\n\t\t\t\tstruct usb_request, list);\n\t\tlist_del(&req->list);\n\t\tprinter_req_free(dev->out_ep, req);\n\t}\n\tusb_free_all_descriptors(f);\n}", "project": "linux", "hash": 148995604759837174431940707087705241557, "size": 43, "commit_id": "e8d5f92b8d30bb4ade76494490c3c065e12411b1", "message": "usb: gadget: function: printer: fix use-after-free in __lock_acquire\n\nFix this by increase object reference count.\n\nBUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180\nkernel/locking/lockdep.c:3831\nRead of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377\n\nCPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xce/0x128 lib/dump_stack.c:118\n print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374\n __kasan_report+0x131/0x1b0 mm/kasan/report.c:506\n kasan_report+0x12/0x20 mm/kasan/common.c:641\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135\n __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831\n lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723\n vfs_ioctl fs/ioctl.c:47 [inline]\n 
ksys_ioctl+0xfb/0x130 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x4531a9\nCode: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9\nRDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003\nRBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61\nR13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff\n\nAllocated by task 2393:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515\n kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529\n kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813\n kmalloc include/linux/slab.h:555 [inline]\n kzalloc include/linux/slab.h:669 [inline]\n gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416\n usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61\n config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444\n configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202\n vfs_symlink+0x33d/0x5b0 fs/namei.c:4201\n do_symlinkat+0x11b/0x1d0 fs/namei.c:4228\n __do_sys_symlinkat fs/namei.c:4242 [inline]\n __se_sys_symlinkat fs/namei.c:4239 [inline]\n __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nFreed by task 3368:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n kasan_set_free_info mm/kasan/common.c:337 [inline]\n 
__kasan_slab_free+0x135/0x190 mm/kasan/common.c:476\n kasan_slab_free+0xe/0x10 mm/kasan/common.c:485\n slab_free_hook mm/slub.c:1444 [inline]\n slab_free_freelist_hook mm/slub.c:1477 [inline]\n slab_free mm/slub.c:3034 [inline]\n kfree+0xf7/0x410 mm/slub.c:3995\n gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353\n usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87\n config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485\n configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250\n vfs_unlink+0x287/0x570 fs/namei.c:4073\n do_unlinkat+0x4f9/0x620 fs/namei.c:4137\n __do_sys_unlink fs/namei.c:4184 [inline]\n __se_sys_unlink fs/namei.c:4182 [inline]\n __x64_sys_unlink+0x42/0x50 fs/namei.c:4182\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nThe buggy address belongs to the object at ffff8880683b0000\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 24 bytes inside of\n 1024-byte region [ffff8880683b0000, ffff8880683b0400)\nThe buggy address belongs to the page:\npage:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300\nindex:0xffff8880683b1800 compound_mapcount: 0\nflags: 0x100000000010200(slab|head)\nraw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300\nraw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nSigned-off-by: Felipe Balbi ", "target": 0, "dataset": "other", "idx": 389351 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "void BlobURLRequestJob::DidOpen(base::PlatformFileError rv,\n base::PassPlatformFile file,\n bool created) {\n if (rv != base::PLATFORM_FILE_OK) {\n NotifyFailure(net::ERR_FAILED);\n return;\n }\n\n DCHECK(!stream_.get());\n stream_.reset(new net::FileStream(file.ReleaseValue(), kFileOpenFlags));\n\n const 
BlobData::Item& item = blob_data_->items().at(item_index_);\n {\n base::ThreadRestrictions::ScopedAllowIO allow_io;\n int64 offset = current_item_offset_ + static_cast(item.offset());\n if (offset > 0 && offset != stream_->Seek(net::FROM_BEGIN, offset)) {\n NotifyFailure(net::ERR_FAILED);\n return;\n }\n }\n\n ReadFile(item);\n}\n", "cwe": "", "big_vul_idx": 106409, "idx": 95562, "hash": 898010794753766619149878495542869350 }, { "func": "static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter)\n{\n#ifndef PB_ENABLE_MALLOC\n PB_UNUSED(wire_type);\n PB_UNUSED(iter);\n PB_RETURN_ERROR(stream, \"no malloc support\");\n#else\n pb_type_t type;\n pb_decoder_t func;\n \n type = iter->pos->type;\n func = PB_DECODERS[PB_LTYPE(type)];\n \n switch (PB_HTYPE(type))\n {\n case PB_HTYPE_REQUIRED:\n case PB_HTYPE_OPTIONAL:\n case PB_HTYPE_ONEOF:\n if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE &&\n *(void**)iter->pData != NULL)\n {\n /* Duplicate field, have to release the old allocation first. */\n pb_release_single_field(iter);\n }\n \n if (PB_HTYPE(type) == PB_HTYPE_ONEOF)\n {\n *(pb_size_t*)iter->pSize = iter->pos->tag;\n }\n\n if (PB_LTYPE(type) == PB_LTYPE_STRING ||\n PB_LTYPE(type) == PB_LTYPE_BYTES)\n {\n return func(stream, iter->pos, iter->pData);\n }\n else\n {\n if (!allocate_field(stream, iter->pData, iter->pos->data_size, 1))\n return false;\n \n initialize_pointer_field(*(void**)iter->pData, iter);\n return func(stream, iter->pos, *(void**)iter->pData);\n }\n \n case PB_HTYPE_REPEATED:\n if (wire_type == PB_WT_STRING\n && PB_LTYPE(type) <= PB_LTYPE_LAST_PACKABLE)\n {\n /* Packed array, multiple items come in at once. 
*/\n bool status = true;\n pb_size_t *size = (pb_size_t*)iter->pSize;\n size_t allocated_size = *size;\n void *pItem;\n pb_istream_t substream;\n \n if (!pb_make_string_substream(stream, &substream))\n return false;\n \n while (substream.bytes_left)\n {\n if ((size_t)*size + 1 > allocated_size)\n {\n /* Allocate more storage. This tries to guess the\n * number of remaining entries. Round the division\n * upwards. */\n allocated_size += (substream.bytes_left - 1) / iter->pos->data_size + 1;\n \n if (!allocate_field(&substream, iter->pData, iter->pos->data_size, allocated_size))\n {\n status = false;\n break;\n }\n }\n\n /* Decode the array entry */\n pItem = *(char**)iter->pData + iter->pos->data_size * (*size);\n initialize_pointer_field(pItem, iter);\n if (!func(&substream, iter->pos, pItem))\n {\n status = false;\n break;\n }\n \n if (*size == PB_SIZE_MAX)\n {\n#ifndef PB_NO_ERRMSG\n stream->errmsg = \"too many array entries\";\n#endif\n status = false;\n break;\n }\n \n (*size)++;\n }\n if (!pb_close_string_substream(stream, &substream))\n return false;\n \n return status;\n }\n else\n {\n /* Normal repeated field, i.e. only one item at a time. 
*/\n pb_size_t *size = (pb_size_t*)iter->pSize;\n void *pItem;\n \n if (*size == PB_SIZE_MAX)\n PB_RETURN_ERROR(stream, \"too many array entries\");\n \n (*size)++;\n if (!allocate_field(stream, iter->pData, iter->pos->data_size, *size))\n return false;\n \n pItem = *(char**)iter->pData + iter->pos->data_size * (*size - 1);\n initialize_pointer_field(pItem, iter);\n return func(stream, iter->pos, pItem);\n }\n\n default:\n PB_RETURN_ERROR(stream, \"invalid field type\");\n }\n#endif\n}", "project": "nanopb", "hash": 213075198701079106378906571658903743081, "size": 122, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 1, "dataset": "other", "idx": 197114 }, { "func": "static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iterator_t *iter)\n{\n#ifndef PB_ENABLE_MALLOC\n UNUSED(wire_type);\n UNUSED(iter);\n PB_RETURN_ERROR(stream, \"no malloc support\");\n#else\n pb_type_t type;\n pb_decoder_t func;\n \n type = iter->pos->type;\n func = PB_DECODERS[PB_LTYPE(type)];\n \n switch (PB_HTYPE(type))\n {\n case PB_HTYPE_REQUIRED:\n case PB_HTYPE_OPTIONAL:\n if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE &&\n *(void**)iter->pData != NULL)\n {\n /* Duplicate field, have to release the old allocation first. */\n pb_release_single_field(iter);\n }\n \n if (PB_LTYPE(type) == PB_LTYPE_STRING ||\n PB_LTYPE(type) == PB_LTYPE_BYTES)\n {\n return func(stream, iter->pos, iter->pData);\n }\n else\n {\n if (!allocate_field(stream, iter->pData, iter->pos->data_size, 1))\n return false;\n \n initialize_pointer_field(*(void**)iter->pData, iter);\n return func(stream, iter->pos, *(void**)iter->pData);\n }\n \n case PB_HTYPE_REPEATED:\n if (wire_type == PB_WT_STRING\n && PB_LTYPE(type) <= PB_LTYPE_LAST_PACKABLE)\n {\n /* Packed array, multiple items come in at once. 
*/\n bool status = true;\n size_t *size = (size_t*)iter->pSize;\n size_t allocated_size = *size;\n void *pItem;\n pb_istream_t substream;\n \n if (!pb_make_string_substream(stream, &substream))\n return false;\n \n while (substream.bytes_left)\n {\n if (*size + 1 > allocated_size)\n {\n /* Allocate more storage. This tries to guess the\n * number of remaining entries. Round the division\n * upwards. */\n allocated_size += (substream.bytes_left - 1) / iter->pos->data_size + 1;\n \n if (!allocate_field(&substream, iter->pData, iter->pos->data_size, allocated_size))\n {\n status = false;\n break;\n }\n }\n\n /* Decode the array entry */\n pItem = *(uint8_t**)iter->pData + iter->pos->data_size * (*size);\n initialize_pointer_field(pItem, iter);\n if (!func(&substream, iter->pos, pItem))\n {\n status = false;\n break;\n }\n (*size)++;\n }\n pb_close_string_substream(stream, &substream);\n \n return status;\n }\n else\n {\n /* Normal repeated field, i.e. only one item at a time. */\n size_t *size = (size_t*)iter->pSize;\n void *pItem;\n \n (*size)++;\n if (!allocate_field(stream, iter->pData, iter->pos->data_size, *size))\n return false;\n \n pItem = *(uint8_t**)iter->pData + iter->pos->data_size * (*size - 1);\n initialize_pointer_field(pItem, iter);\n return func(stream, iter->pos, pItem);\n }\n \n default:\n PB_RETURN_ERROR(stream, \"invalid field type\");\n }\n#endif\n}", "project": "nanopb", "hash": 44925250467000600069522886101534959296, "size": 102, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 1, "dataset": "other", "idx": 197204 }, { "func": "static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter)\n{\n#ifndef PB_ENABLE_MALLOC\n PB_UNUSED(wire_type);\n PB_UNUSED(iter);\n PB_RETURN_ERROR(stream, \"no malloc support\");\n#else\n pb_type_t type;\n pb_decoder_t func;\n \n type = iter->pos->type;\n func = 
PB_DECODERS[PB_LTYPE(type)];\n \n switch (PB_HTYPE(type))\n {\n case PB_HTYPE_REQUIRED:\n case PB_HTYPE_OPTIONAL:\n case PB_HTYPE_ONEOF:\n if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE &&\n *(void**)iter->pData != NULL)\n {\n /* Duplicate field, have to release the old allocation first. */\n pb_release_single_field(iter);\n }\n \n if (PB_HTYPE(type) == PB_HTYPE_ONEOF)\n {\n *(pb_size_t*)iter->pSize = iter->pos->tag;\n }\n\n if (PB_LTYPE(type) == PB_LTYPE_STRING ||\n PB_LTYPE(type) == PB_LTYPE_BYTES)\n {\n return func(stream, iter->pos, iter->pData);\n }\n else\n {\n if (!allocate_field(stream, iter->pData, iter->pos->data_size, 1))\n return false;\n \n initialize_pointer_field(*(void**)iter->pData, iter);\n return func(stream, iter->pos, *(void**)iter->pData);\n }\n \n case PB_HTYPE_REPEATED:\n if (wire_type == PB_WT_STRING\n && PB_LTYPE(type) <= PB_LTYPE_LAST_PACKABLE)\n {\n /* Packed array, multiple items come in at once. */\n bool status = true;\n pb_size_t *size = (pb_size_t*)iter->pSize;\n size_t allocated_size = *size;\n void *pItem;\n pb_istream_t substream;\n \n if (!pb_make_string_substream(stream, &substream))\n return false;\n \n while (substream.bytes_left)\n {\n if ((size_t)*size + 1 > allocated_size)\n {\n /* Allocate more storage. This tries to guess the\n * number of remaining entries. Round the division\n * upwards. 
*/\n allocated_size += (substream.bytes_left - 1) / iter->pos->data_size + 1;\n \n if (!allocate_field(&substream, iter->pData, iter->pos->data_size, allocated_size))\n {\n status = false;\n break;\n }\n }\n\n /* Decode the array entry */\n pItem = *(char**)iter->pData + iter->pos->data_size * (*size);\n initialize_pointer_field(pItem, iter);\n if (!func(&substream, iter->pos, pItem))\n {\n status = false;\n break;\n }\n \n if (*size == PB_SIZE_MAX)\n {\n#ifndef PB_NO_ERRMSG\n stream->errmsg = \"too many array entries\";\n#endif\n status = false;\n break;\n }\n \n (*size)++;\n }\n if (!pb_close_string_substream(stream, &substream))\n return false;\n \n return status;\n }\n else\n {\n /* Normal repeated field, i.e. only one item at a time. */\n pb_size_t *size = (pb_size_t*)iter->pSize;\n void *pItem;\n \n if (*size == PB_SIZE_MAX)\n PB_RETURN_ERROR(stream, \"too many array entries\");\n \n if (!allocate_field(stream, iter->pData, iter->pos->data_size, (size_t)(*size + 1)))\n return false;\n \n pItem = *(char**)iter->pData + iter->pos->data_size * (*size);\n (*size)++;\n initialize_pointer_field(pItem, iter);\n return func(stream, iter->pos, pItem);\n }\n\n default:\n PB_RETURN_ERROR(stream, \"invalid field type\");\n }\n#endif\n}", "project": "nanopb", "hash": 105540620865014349806580074661016441612, "size": 122, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252505 }, { "func": "static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *field)\n{\n#ifndef PB_ENABLE_MALLOC\n PB_UNUSED(wire_type);\n PB_UNUSED(field);\n PB_RETURN_ERROR(stream, \"no malloc support\");\n#else\n switch (PB_HTYPE(field->type))\n {\n case PB_HTYPE_REQUIRED:\n case PB_HTYPE_OPTIONAL:\n case PB_HTYPE_ONEOF:\n if (PB_LTYPE_IS_SUBMSG(field->type) && *(void**)field->pField != NULL)\n {\n /* Duplicate field, have to 
release the old allocation first. */\n /* FIXME: Does this work correctly for oneofs? */\n pb_release_single_field(field);\n }\n \n if (PB_HTYPE(field->type) == PB_HTYPE_ONEOF)\n {\n *(pb_size_t*)field->pSize = field->tag;\n }\n\n if (PB_LTYPE(field->type) == PB_LTYPE_STRING ||\n PB_LTYPE(field->type) == PB_LTYPE_BYTES)\n {\n /* pb_dec_string and pb_dec_bytes handle allocation themselves */\n field->pData = field->pField;\n return decode_basic_field(stream, wire_type, field);\n }\n else\n {\n if (!allocate_field(stream, field->pField, field->data_size, 1))\n return false;\n \n field->pData = *(void**)field->pField;\n initialize_pointer_field(field->pData, field);\n return decode_basic_field(stream, wire_type, field);\n }\n \n case PB_HTYPE_REPEATED:\n if (wire_type == PB_WT_STRING\n && PB_LTYPE(field->type) <= PB_LTYPE_LAST_PACKABLE)\n {\n /* Packed array, multiple items come in at once. */\n bool status = true;\n pb_size_t *size = (pb_size_t*)field->pSize;\n size_t allocated_size = *size;\n pb_istream_t substream;\n \n if (!pb_make_string_substream(stream, &substream))\n return false;\n \n while (substream.bytes_left)\n {\n if (*size == PB_SIZE_MAX)\n {\n#ifndef PB_NO_ERRMSG\n stream->errmsg = \"too many array entries\";\n#endif\n status = false;\n break;\n }\n\n if ((size_t)*size + 1 > allocated_size)\n {\n /* Allocate more storage. This tries to guess the\n * number of remaining entries. Round the division\n * upwards. 
*/\n size_t remain = (substream.bytes_left - 1) / field->data_size + 1;\n if (remain < PB_SIZE_MAX - allocated_size)\n allocated_size += remain;\n else\n allocated_size += 1;\n \n if (!allocate_field(&substream, field->pField, field->data_size, allocated_size))\n {\n status = false;\n break;\n }\n }\n\n /* Decode the array entry */\n field->pData = *(char**)field->pField + field->data_size * (*size);\n initialize_pointer_field(field->pData, field);\n if (!decode_basic_field(&substream, PB_WT_PACKED, field))\n {\n status = false;\n break;\n }\n \n (*size)++;\n }\n if (!pb_close_string_substream(stream, &substream))\n return false;\n \n return status;\n }\n else\n {\n /* Normal repeated field, i.e. only one item at a time. */\n pb_size_t *size = (pb_size_t*)field->pSize;\n\n if (*size == PB_SIZE_MAX)\n PB_RETURN_ERROR(stream, \"too many array entries\");\n \n if (!allocate_field(stream, field->pField, field->data_size, (size_t)(*size + 1)))\n return false;\n \n field->pData = *(char**)field->pField + field->data_size * (*size);\n (*size)++;\n initialize_pointer_field(field->pData, field);\n return decode_basic_field(stream, wire_type, field);\n }\n\n default:\n PB_RETURN_ERROR(stream, \"invalid field type\");\n }\n#endif\n}", "project": "nanopb", "hash": 302991054970667470352122203999798631305, "size": 121, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to 
be exploitable at least with string and\nbytes fields. Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254703 }, { "func": "static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iterator_t *iter)\n{\n#ifndef PB_ENABLE_MALLOC\n UNUSED(wire_type);\n UNUSED(iter);\n PB_RETURN_ERROR(stream, \"no malloc support\");\n#else\n pb_type_t type;\n pb_decoder_t func;\n \n type = iter->pos->type;\n func = PB_DECODERS[PB_LTYPE(type)];\n \n switch (PB_HTYPE(type))\n {\n case PB_HTYPE_REQUIRED:\n case PB_HTYPE_OPTIONAL:\n if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE &&\n *(void**)iter->pData != NULL)\n {\n /* Duplicate field, have to release the old allocation first. */\n pb_release_single_field(iter);\n }\n \n if (PB_LTYPE(type) == PB_LTYPE_STRING ||\n PB_LTYPE(type) == PB_LTYPE_BYTES)\n {\n return func(stream, iter->pos, iter->pData);\n }\n else\n {\n if (!allocate_field(stream, iter->pData, iter->pos->data_size, 1))\n return false;\n \n initialize_pointer_field(*(void**)iter->pData, iter);\n return func(stream, iter->pos, *(void**)iter->pData);\n }\n \n case PB_HTYPE_REPEATED:\n if (wire_type == PB_WT_STRING\n && PB_LTYPE(type) <= PB_LTYPE_LAST_PACKABLE)\n {\n /* Packed array, multiple items come in at once. */\n bool status = true;\n size_t *size = (size_t*)iter->pSize;\n size_t allocated_size = *size;\n void *pItem;\n pb_istream_t substream;\n \n if (!pb_make_string_substream(stream, &substream))\n return false;\n \n while (substream.bytes_left)\n {\n if (*size + 1 > allocated_size)\n {\n /* Allocate more storage. This tries to guess the\n * number of remaining entries. Round the division\n * upwards. 
*/\n allocated_size += (substream.bytes_left - 1) / iter->pos->data_size + 1;\n \n if (!allocate_field(&substream, iter->pData, iter->pos->data_size, allocated_size))\n {\n status = false;\n break;\n }\n }\n\n /* Decode the array entry */\n pItem = *(uint8_t**)iter->pData + iter->pos->data_size * (*size);\n initialize_pointer_field(pItem, iter);\n if (!func(&substream, iter->pos, pItem))\n {\n status = false;\n break;\n }\n (*size)++;\n }\n pb_close_string_substream(stream, &substream);\n \n return status;\n }\n else\n {\n /* Normal repeated field, i.e. only one item at a time. */\n size_t *size = (size_t*)iter->pSize;\n void *pItem;\n \n if (!allocate_field(stream, iter->pData, iter->pos->data_size, (size_t)(*size + 1)))\n return false;\n \n pItem = *(uint8_t**)iter->pData + iter->pos->data_size * (*size);\n (*size)++;\n initialize_pointer_field(pItem, iter);\n return func(stream, iter->pos, pItem);\n }\n \n default:\n PB_RETURN_ERROR(stream, \"invalid field type\");\n }\n#endif\n}", "project": "nanopb", "hash": 123490975432721035768232801290650758429, "size": 102, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255326 }, { "func": "static int cdeque_init(struct cdeque* d, int max_capacity_power_of_2) {\n\tif(d == NULL || max_capacity_power_of_2 == 0)\n\t\treturn CDE_PARAM;\n\n\td->cap_mask = max_capacity_power_of_2 - 1;\n\td->arr = NULL;\n\n\tif((max_capacity_power_of_2 & d->cap_mask) != 0)\n\t\treturn CDE_PARAM;\n\n\tcdeque_clear(d);\n\td->arr = malloc(sizeof(void*) * max_capacity_power_of_2);\n\n\treturn d->arr ? CDE_OK : CDE_ALLOC;\n}", "project": "libarchive", "hash": 242286558433518879155115125230876799309, "size": 15, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. 
Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244695 }, { "func": "static bool checkreturn pb_readbyte(pb_istream_t *stream, uint8_t *buf)\n{\n if (stream->bytes_left == 0)\n PB_RETURN_ERROR(stream, \"end-of-stream\");\n\n#ifndef PB_BUFFER_ONLY\n if (!stream->callback(stream, buf, 1))\n PB_RETURN_ERROR(stream, \"io error\");\n#else\n *buf = *(uint8_t*)stream->state;\n stream->state = (uint8_t*)stream->state + 1;\n#endif\n\n stream->bytes_left--;\n \n return true; \n}", "project": "nanopb", "hash": 208759917778108623863608265328152567554, "size": 17, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255328 }, { "func": "static ut64 bbJump(RAnalFunction *fcn, ut64 addr) {\n\tRListIter *iter;\n\tRAnalBlock *bb;\n\tr_list_foreach (fcn->bbs, iter, bb) {\n\t\tif (R_BETWEEN (bb->addr, addr, bb->addr + bb->size - 1)) {\n\t\t\treturn bb->jump;\n\t\t}\n\t}\n\treturn UT64_MAX;\n}", "project": "radare2", "hash": 112497130772092524324636428605334308866, "size": 10, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232141 }, { "func": "static void write_regvals(struct sd *sd,\n\t\t\t const struct ov_regvals *regvals,\n\t\t\t int n)\n{\n\twhile (--n >= 0) {\n\t\treg_w(sd, regvals->reg, regvals->val);\n\t\tregvals++;\n\t}\n}", "project": "linux", "hash": 
262430136895328494671589650081527347408, "size": 9, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306296 }, { "func": "static OPJ_BOOL opj_j2k_write_plt_in_memory(opj_j2k_t *p_j2k,\n opj_tcd_marker_info_t* marker_info,\n OPJ_BYTE * p_data,\n OPJ_UINT32 * p_data_written,\n opj_event_mgr_t * p_manager)\n{\n OPJ_BYTE Zplt = 0;\n OPJ_UINT16 Lplt;\n OPJ_BYTE* p_data_start = p_data;\n OPJ_BYTE* p_data_Lplt = p_data + 2;\n OPJ_UINT32 i;\n\n OPJ_UNUSED(p_j2k);\n\n opj_write_bytes(p_data, J2K_MS_PLT, 2);\n p_data += 2;\n\n /* Reserve space for Lplt */\n p_data += 2;\n\n opj_write_bytes(p_data, Zplt, 1);\n p_data += 1;\n\n Lplt = 3;\n\n for (i = 0; i < marker_info->packet_count; i++) {\n OPJ_BYTE var_bytes[5];\n OPJ_UINT8 var_bytes_size = 0;\n OPJ_UINT32 packet_size = marker_info->p_packet_size[i];\n\n /* Packet size written in variable-length way, starting with LSB */\n var_bytes[var_bytes_size] = (OPJ_BYTE)(packet_size & 0x7f);\n var_bytes_size ++;\n packet_size >>= 7;\n while (packet_size > 0) {\n var_bytes[var_bytes_size] = (OPJ_BYTE)((packet_size & 0x7f) | 0x80);\n var_bytes_size ++;\n packet_size >>= 7;\n }\n\n /* Check if that can fit in the current PLT marker. 
If not, finish */\n /* current one, and start a new one */\n if (Lplt + var_bytes_size > 65535) {\n if (Zplt == 255) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"More than 255 PLT markers would be needed for current tile-part !\\n\");\n return OPJ_FALSE;\n }\n\n /* Patch Lplt */\n opj_write_bytes(p_data_Lplt, Lplt, 2);\n\n /* Start new segment */\n opj_write_bytes(p_data, J2K_MS_PLT, 2);\n p_data += 2;\n\n /* Reserve space for Lplt */\n p_data_Lplt = p_data;\n p_data += 2;\n\n Zplt ++;\n opj_write_bytes(p_data, Zplt, 1);\n p_data += 1;\n\n Lplt = 3;\n }\n\n Lplt = (OPJ_UINT16)(Lplt + var_bytes_size);\n\n /* Serialize variable-length packet size, starting with MSB */\n for (; var_bytes_size > 0; --var_bytes_size) {\n opj_write_bytes(p_data, var_bytes[var_bytes_size - 1], 1);\n p_data += 1;\n }\n }\n\n *p_data_written = (OPJ_UINT32)(p_data - p_data_start);\n\n /* Patch Lplt */\n opj_write_bytes(p_data_Lplt, Lplt, 2);\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 320834342744472221441617981082312547432, "size": 83, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357419 }, { "func": "static\nvoid bfq_release_process_ref(struct bfq_data *bfqd, struct bfq_queue *bfqq)\n{\n\t/*\n\t * To prevent bfqq's service guarantees from being violated,\n\t * bfqq may be left busy, i.e., queued for service, even if\n\t * empty (see comments in __bfq_bfqq_expire() for\n\t * details). But, if no process will send requests to bfqq any\n\t * longer, then there is no point in keeping bfqq queued for\n\t * service. In addition, keeping bfqq queued for service, but\n\t * with no process ref any longer, may have caused bfqq to be\n\t * freed when dequeued from service. 
But this is assumed to\n\t * never happen.\n\t */\n\tif (bfq_bfqq_busy(bfqq) && RB_EMPTY_ROOT(&bfqq->sort_list) &&\n\t bfqq != bfqd->in_service_queue)\n\t\tbfq_del_bfqq_busy(bfqd, bfqq, false);\n\n\tbfq_put_queue(bfqq);", "project": "linux", "hash": 329848591012663860070302862028589695599, "size": 19, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453345 }, { "func": "long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)\n{\n\tstruct tty_struct *tty = file_tty(file);\n\tstruct tty_struct *real_tty;\n\tvoid __user *p = (void __user *)arg;\n\tint retval;\n\tstruct tty_ldisc *ld;\n\n\tif (tty_paranoia_check(tty, file_inode(file), \"tty_ioctl\"))\n\t\treturn -EINVAL;\n\n\treal_tty = tty_pair_get_tty(tty);\n\n\t/*\n\t * Factor out some common prep work\n\t */\n\tswitch (cmd) {\n\tcase TIOCSETD:\n\tcase TIOCSBRK:\n\tcase TIOCCBRK:\n\tcase TCSBRK:\n\tcase TCSBRKP:\n\t\tretval = tty_check_change(tty);\n\t\tif (retval)\n\t\t\treturn retval;\n\t\tif (cmd != TIOCCBRK) {\n\t\t\ttty_wait_until_sent(tty, 0);\n\t\t\tif (signal_pending(current))\n\t\t\t\treturn -EINTR;\n\t\t}\n\t\tbreak;\n\t}\n\n\t/*\n\t *\tNow do the stuff.\n\t */\n\tswitch (cmd) {\n\tcase TIOCSTI:\n\t\treturn tiocsti(tty, p);\n\tcase 
TIOCGWINSZ:\n\t\treturn tiocgwinsz(real_tty, p);\n\tcase TIOCSWINSZ:\n\t\treturn tiocswinsz(real_tty, p);\n\tcase TIOCCONS:\n\t\treturn real_tty != tty ? -EINVAL : tioccons(file);\n\tcase TIOCEXCL:\n\t\tset_bit(TTY_EXCLUSIVE, &tty->flags);\n\t\treturn 0;\n\tcase TIOCNXCL:\n\t\tclear_bit(TTY_EXCLUSIVE, &tty->flags);\n\t\treturn 0;\n\tcase TIOCGEXCL:\n\t{\n\t\tint excl = test_bit(TTY_EXCLUSIVE, &tty->flags);\n\t\treturn put_user(excl, (int __user *)p);\n\t}\n\tcase TIOCGETD:\n\t\treturn tiocgetd(tty, p);\n\tcase TIOCSETD:\n\t\treturn tiocsetd(tty, p);\n\tcase TIOCVHANGUP:\n\t\tif (!capable(CAP_SYS_ADMIN))\n\t\t\treturn -EPERM;\n\t\ttty_vhangup(tty);\n\t\treturn 0;\n\tcase TIOCGDEV:\n\t{\n\t\tunsigned int ret = new_encode_dev(tty_devnum(real_tty));\n\t\treturn put_user(ret, (unsigned int __user *)p);\n\t}\n\t/*\n\t * Break handling\n\t */\n\tcase TIOCSBRK:\t/* Turn break on, unconditionally */\n\t\tif (tty->ops->break_ctl)\n\t\t\treturn tty->ops->break_ctl(tty, -1);\n\t\treturn 0;\n\tcase TIOCCBRK:\t/* Turn break off, unconditionally */\n\t\tif (tty->ops->break_ctl)\n\t\t\treturn tty->ops->break_ctl(tty, 0);\n\t\treturn 0;\n\tcase TCSBRK: /* SVID version: non-zero arg --> no break */\n\t\t/* non-zero arg means wait for all output data\n\t\t * to be sent (performed above) but don't send break.\n\t\t * This is used by the tcdrain() termios function.\n\t\t */\n\t\tif (!arg)\n\t\t\treturn send_break(tty, 250);\n\t\treturn 0;\n\tcase TCSBRKP:\t/* support for POSIX tcsendbreak() */\n\t\treturn send_break(tty, arg ? 
arg*100 : 250);\n\n\tcase TIOCMGET:\n\t\treturn tty_tiocmget(tty, p);\n\tcase TIOCMSET:\n\tcase TIOCMBIC:\n\tcase TIOCMBIS:\n\t\treturn tty_tiocmset(tty, cmd, p);\n\tcase TIOCGICOUNT:\n\t\treturn tty_tiocgicount(tty, p);\n\tcase TCFLSH:\n\t\tswitch (arg) {\n\t\tcase TCIFLUSH:\n\t\tcase TCIOFLUSH:\n\t\t/* flush tty buffer and allow ldisc to process ioctl */\n\t\t\ttty_buffer_flush(tty, NULL);\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\tcase TIOCSSERIAL:\n\t\treturn tty_tiocsserial(tty, p);\n\tcase TIOCGSERIAL:\n\t\treturn tty_tiocgserial(tty, p);\n\tcase TIOCGPTPEER:\n\t\t/* Special because the struct file is needed */\n\t\treturn ptm_open_peer(file, tty, (int)arg);\n\tdefault:\n\t\tretval = tty_jobctrl_ioctl(tty, real_tty, file, cmd, arg);\n\t\tif (retval != -ENOIOCTLCMD)\n\t\t\treturn retval;\n\t}\n\tif (tty->ops->ioctl) {\n\t\tretval = tty->ops->ioctl(tty, cmd, arg);\n\t\tif (retval != -ENOIOCTLCMD)\n\t\t\treturn retval;\n\t}\n\tld = tty_ldisc_ref_wait(tty);\n\tif (!ld)\n\t\treturn hung_up_tty_ioctl(file, cmd, arg);\n\tretval = -EINVAL;\n\tif (ld->ops->ioctl) {\n\t\tretval = ld->ops->ioctl(tty, file, cmd, arg);\n\t\tif (retval == -ENOIOCTLCMD)\n\t\t\tretval = -ENOTTY;\n\t}\n\ttty_ldisc_deref(ld);\n\treturn retval;\n}", "project": "linux", "hash": 4017962589967266714254804083642309044, "size": 138, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. 
(Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326001 }, { "func": "DLLEXPORT unsigned long DLLCALL tjBufSize(int width, int height,\n\tint jpegSubsamp)\n{\n\tunsigned long retval=0; int mcuw, mcuh, chromasf;\n\tif(width<1 || height<1 || jpegSubsamp<0 || jpegSubsamp>=NUMSUBOPT)\n\t\t_throw(\"tjBufSize(): Invalid argument\");\n\n\t/* This allows for rare corner cases in which a JPEG image can actually be\n\t larger than the uncompressed input (we wouldn't mention it if it hadn't\n\t happened before.) */\n\tmcuw=tjMCUWidth[jpegSubsamp];\n\tmcuh=tjMCUHeight[jpegSubsamp];\n\tchromasf=jpegSubsamp==TJSAMP_GRAY? 0: 4*64/(mcuw*mcuh);\n\tretval=PAD(width, mcuw) * PAD(height, mcuh) * (2 + chromasf) + 2048;\n\n\tbailout:\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 229916913510056965854116324895309326351, "size": 18, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... 
when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311096 }, { "func": "static int __do_execve_file(int fd, struct filename *filename,\n\t\t\t struct user_arg_ptr argv,\n\t\t\t struct user_arg_ptr envp,\n\t\t\t int flags, struct file *file)\n{\n\tchar *pathbuf = NULL;\n\tstruct linux_binprm *bprm;\n\tstruct files_struct *displaced;\n\tint retval;\n\n\tif (IS_ERR(filename))\n\t\treturn PTR_ERR(filename);\n\n\t/*\n\t * We move the actual failure in case of RLIMIT_NPROC excess from\n\t * set*uid() to execve() because too many poorly written programs\n\t * don't check setuid() return code. Here we additionally recheck\n\t * whether NPROC limit is still exceeded.\n\t */\n\tif ((current->flags & PF_NPROC_EXCEEDED) &&\n\t atomic_read(¤t_user()->processes) > rlimit(RLIMIT_NPROC)) {\n\t\tretval = -EAGAIN;\n\t\tgoto out_ret;\n\t}\n\n\t/* We're below the limit (still or again), so we don't want to make\n\t * further execve() calls fail. 
*/\n\tcurrent->flags &= ~PF_NPROC_EXCEEDED;\n\n\tretval = unshare_files(&displaced);\n\tif (retval)\n\t\tgoto out_ret;\n\n\tretval = -ENOMEM;\n\tbprm = kzalloc(sizeof(*bprm), GFP_KERNEL);\n\tif (!bprm)\n\t\tgoto out_files;\n\n\tretval = prepare_bprm_creds(bprm);\n\tif (retval)\n\t\tgoto out_free;\n\n\tcheck_unsafe_exec(bprm);\n\tcurrent->in_execve = 1;\n\n\tif (!file)\n\t\tfile = do_open_execat(fd, filename, flags);\n\tretval = PTR_ERR(file);\n\tif (IS_ERR(file))\n\t\tgoto out_unmark;\n\n\tsched_exec();\n\n\tbprm->file = file;\n\tif (!filename) {\n\t\tbprm->filename = \"none\";\n\t} else if (fd == AT_FDCWD || filename->name[0] == '/') {\n\t\tbprm->filename = filename->name;\n\t} else {\n\t\tif (filename->name[0] == '\\0')\n\t\t\tpathbuf = kasprintf(GFP_KERNEL, \"/dev/fd/%d\", fd);\n\t\telse\n\t\t\tpathbuf = kasprintf(GFP_KERNEL, \"/dev/fd/%d/%s\",\n\t\t\t\t\t fd, filename->name);\n\t\tif (!pathbuf) {\n\t\t\tretval = -ENOMEM;\n\t\t\tgoto out_unmark;\n\t\t}\n\t\t/*\n\t\t * Record that a name derived from an O_CLOEXEC fd will be\n\t\t * inaccessible after exec. 
Relies on having exclusive access to\n\t\t * current->files (due to unshare_files above).\n\t\t */\n\t\tif (close_on_exec(fd, rcu_dereference_raw(current->files->fdt)))\n\t\t\tbprm->interp_flags |= BINPRM_FLAGS_PATH_INACCESSIBLE;\n\t\tbprm->filename = pathbuf;\n\t}\n\tbprm->interp = bprm->filename;\n\n\tretval = bprm_mm_init(bprm);\n\tif (retval)\n\t\tgoto out_unmark;\n\n\tretval = prepare_arg_pages(bprm, argv, envp);\n\tif (retval < 0)\n\t\tgoto out;\n\n\tretval = prepare_binprm(bprm);\n\tif (retval < 0)\n\t\tgoto out;\n\n\tretval = copy_strings_kernel(1, &bprm->filename, bprm);\n\tif (retval < 0)\n\t\tgoto out;\n\n\tbprm->exec = bprm->p;\n\tretval = copy_strings(bprm->envc, envp, bprm);\n\tif (retval < 0)\n\t\tgoto out;\n\n\tretval = copy_strings(bprm->argc, argv, bprm);\n\tif (retval < 0)\n\t\tgoto out;\n\n\twould_dump(bprm, bprm->file);\n\n\tretval = exec_binprm(bprm);\n\tif (retval < 0)\n\t\tgoto out;\n\n\t/* execve succeeded */\n\tcurrent->fs->in_exec = 0;\n\tcurrent->in_execve = 0;\n\trseq_execve(current);\n\tacct_update_integrals(current);\n\ttask_numa_free(current, false);\n\tfree_bprm(bprm);\n\tkfree(pathbuf);\n\tif (filename)\n\t\tputname(filename);\n\tif (displaced)\n\t\tput_files_struct(displaced);\n\treturn retval;\n\nout:\n\tif (bprm->mm) {\n\t\tacct_arg_size(bprm, 0);\n\t\tmmput(bprm->mm);\n\t}\n\nout_unmark:\n\tcurrent->fs->in_exec = 0;\n\tcurrent->in_execve = 0;\n\nout_free:\n\tfree_bprm(bprm);\n\tkfree(pathbuf);\n\nout_files:\n\tif (displaced)\n\t\treset_files_struct(displaced);\nout_ret:\n\tif (filename)\n\t\tputname(filename);\n\treturn retval;\n}", "project": "linux", "hash": 336055262056806719635267117551544767976, "size": 146, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375270 }, { "func": "static Header headerUnlink(Header h)\n{\n if (h != NULL)\n\th->nrefs--;\n return NULL;\n}", "project": "rpm", "hash": 267156688826515960540120750442479739851, "size": 6, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318157 }, { "func": "static inline bool tcp_in_initial_slowstart(const struct tcp_sock *tp)\n{\n\treturn tp->snd_ssthresh >= TCP_INFINITE_SSTHRESH;\n}", "project": "linux", "hash": 125369313537949218530903926323081896938, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410781 }, { "func": " bool store(struct st_value *value, ulonglong fuzzydate)\n {\n switch (cmp_type()) {\n case INT_RESULT:\n {\n value->m_type= unsigned_flag ? DYN_COL_UINT : DYN_COL_INT;\n value->value.m_longlong= val_int();\n break;\n }\n case REAL_RESULT:\n {\n value->m_type= DYN_COL_DOUBLE;\n value->value.m_double= val_real();\n break;\n }\n case DECIMAL_RESULT:\n {\n value->m_type= DYN_COL_DECIMAL;\n my_decimal *dec= val_decimal(&value->m_decimal);\n if (dec != &value->m_decimal && !null_value)\n my_decimal2decimal(dec, &value->m_decimal);\n break;\n }\n case STRING_RESULT:\n {\n value->m_type= DYN_COL_STRING;\n String *str= val_str(&value->m_string);\n if (str != &value->m_string && !null_value)\n value->m_string.set(str->ptr(), str->length(), str->charset());\n break;\n }\n case TIME_RESULT:\n {\n value->m_type= DYN_COL_DATETIME;\n get_date(&value->value.m_time, fuzzydate);\n break;\n }\n case ROW_RESULT:\n DBUG_ASSERT(false);\n null_value= true;\n break;\n }\n if (null_value)\n {\n value->m_type= DYN_COL_NULL;\n return true;\n }\n return false;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 3519407706000255669588148702396783106, "size": 49, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. 
This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509439 }, { "func": "void limit_output_verbosity(int level)\n{\n\tshort info_limits[COUNT_INFO], debug_limits[COUNT_DEBUG];\n\tint j;\n\n\tif (level > MAX_VERBOSITY)\n\t\treturn;\n\n\tmemset(info_limits, 0, sizeof info_limits);\n\tmemset(debug_limits, 0, sizeof debug_limits);\n\n\t/* Compute the level limits in the above arrays. */\n\tfor (j = 1; j <= level; j++) {\n\t\tparse_output_words(info_words, info_limits, info_verbosity[j], LIMIT_PRIORITY);\n\t\tparse_output_words(debug_words, debug_limits, debug_verbosity[j], LIMIT_PRIORITY);\n\t}\n\n\tfor (j = 0; j < COUNT_INFO; j++) {\n\t\tif (info_levels[j] > info_limits[j])\n\t\t\tinfo_levels[j] = info_limits[j];\n\t}\n\n\tfor (j = 0; j < COUNT_DEBUG; j++) {\n\t\tif (debug_levels[j] > debug_limits[j])\n\t\t\tdebug_levels[j] = debug_limits[j];\n\t}\n}", "project": "rsync", "hash": 185780126051631650936588785079670257460, "size": 27, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364680 }, { "func": "bool RGWSwiftWebsiteHandler::can_be_website_req() const\n{\n /* Static website works only with the GET or HEAD method. Nothing more. 
*/\n static const std::set ws_methods = { \"GET\", \"HEAD\" };\n if (ws_methods.count(s->info.method) == 0) {\n return false;\n }\n\n /* We also need to handle early failures from the auth system. In such cases\n * req_state::auth.identity may be empty. Let's treat that the same way as\n * the anonymous access. */\n if (! s->auth.identity) {\n return true;\n }\n\n /* Swift serves websites only for anonymous requests unless client explicitly\n * requested this behaviour by supplying X-Web-Mode HTTP header set to true. */\n if (s->auth.identity->is_anonymous() || is_web_mode()) {\n return true;\n }\n\n return false;\n}", "project": "ceph", "hash": 201261342470728047653651710971301326326, "size": 23, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448832 }, { "func": "void purge_tables(bool purge_flag)\n{\n /*\n Force close of all open tables.\n\n Note that code in TABLE_SHARE::wait_for_old_version() assumes that\n incrementing of refresh_version is followed by purge of unused table\n shares.\n */\n kill_delayed_threads();\n /*\n Get rid of all unused TABLE and TABLE_SHARE instances. By doing\n this we automatically close all tables which were marked as \"old\".\n */\n tc_purge(purge_flag);\n /* Free table shares which were not freed implicitly by loop above. 
*/\n tdc_purge(true);\n}", "target": 0, "cwe": [ "CWE-416" ], "project": "server", "commit_id": "0beed9b5e933f0ff79b3bb346524f7a451d14e38", "hash": 304576711465336557806563815768445032973, "size": 18, "message": "MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING\n\nwhen resolving WHERE and ON clauses, do not look in\nSELECT list/aliases.", "dataset": "other", "idx": 514571 }, { "func": "static void opj_j2k_update_tlm(opj_j2k_t * p_j2k, OPJ_UINT32 p_tile_part_size)\n{\n opj_write_bytes(p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_current,\n p_j2k->m_current_tile_number, 1); /* PSOT */\n ++p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_current;\n\n opj_write_bytes(p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_current,\n p_tile_part_size, 4); /* PSOT */\n p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_current += 4;\n}", "project": "openjpeg", "hash": 156510329977028117212597371699961940012, "size": 10, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357336 }, { "func": "static OPJ_BOOL opj_j2k_update_image_data(opj_tcd_t * p_tcd,\n opj_image_t* p_output_image)\n{\n OPJ_UINT32 i, j;\n OPJ_UINT32 l_width_src, l_height_src;\n OPJ_UINT32 l_width_dest, l_height_dest;\n OPJ_INT32 l_offset_x0_src, l_offset_y0_src, l_offset_x1_src, l_offset_y1_src;\n OPJ_SIZE_T l_start_offset_src;\n OPJ_UINT32 l_start_x_dest, l_start_y_dest;\n OPJ_UINT32 l_x0_dest, l_y0_dest, l_x1_dest, l_y1_dest;\n OPJ_SIZE_T l_start_offset_dest;\n\n opj_image_comp_t * l_img_comp_src = 00;\n opj_image_comp_t * l_img_comp_dest = 00;\n\n opj_tcd_tilecomp_t * l_tilec = 00;\n opj_image_t * l_image_src = 00;\n OPJ_INT32 * l_dest_ptr;\n\n l_tilec = p_tcd->tcd_image->tiles->comps;\n l_image_src = p_tcd->image;\n l_img_comp_src = l_image_src->comps;\n\n l_img_comp_dest = p_output_image->comps;\n\n for (i 
= 0; i < l_image_src->numcomps;\n i++, ++l_img_comp_dest, ++l_img_comp_src, ++l_tilec) {\n OPJ_INT32 res_x0, res_x1, res_y0, res_y1;\n OPJ_UINT32 src_data_stride;\n const OPJ_INT32* p_src_data;\n\n /* Copy info from decoded comp image to output image */\n l_img_comp_dest->resno_decoded = l_img_comp_src->resno_decoded;\n\n if (p_tcd->whole_tile_decoding) {\n opj_tcd_resolution_t* l_res = l_tilec->resolutions +\n l_img_comp_src->resno_decoded;\n res_x0 = l_res->x0;\n res_y0 = l_res->y0;\n res_x1 = l_res->x1;\n res_y1 = l_res->y1;\n src_data_stride = (OPJ_UINT32)(\n l_tilec->resolutions[l_tilec->minimum_num_resolutions - 1].x1 -\n l_tilec->resolutions[l_tilec->minimum_num_resolutions - 1].x0);\n p_src_data = l_tilec->data;\n } else {\n opj_tcd_resolution_t* l_res = l_tilec->resolutions +\n l_img_comp_src->resno_decoded;\n res_x0 = (OPJ_INT32)l_res->win_x0;\n res_y0 = (OPJ_INT32)l_res->win_y0;\n res_x1 = (OPJ_INT32)l_res->win_x1;\n res_y1 = (OPJ_INT32)l_res->win_y1;\n src_data_stride = l_res->win_x1 - l_res->win_x0;\n p_src_data = l_tilec->data_win;\n }\n\n if (p_src_data == NULL) {\n /* Happens for partial component decoding */\n continue;\n }\n\n l_width_src = (OPJ_UINT32)(res_x1 - res_x0);\n l_height_src = (OPJ_UINT32)(res_y1 - res_y0);\n\n\n /* Current tile component size*/\n /*if (i == 0) {\n fprintf(stdout, \"SRC: l_res_x0=%d, l_res_x1=%d, l_res_y0=%d, l_res_y1=%d\\n\",\n res_x0, res_x1, res_y0, res_y1);\n }*/\n\n\n /* Border of the current output component*/\n l_x0_dest = opj_uint_ceildivpow2(l_img_comp_dest->x0, l_img_comp_dest->factor);\n l_y0_dest = opj_uint_ceildivpow2(l_img_comp_dest->y0, l_img_comp_dest->factor);\n l_x1_dest = l_x0_dest +\n l_img_comp_dest->w; /* can't overflow given that image->x1 is uint32 */\n l_y1_dest = l_y0_dest + l_img_comp_dest->h;\n\n /*if (i == 0) {\n fprintf(stdout, \"DEST: l_x0_dest=%d, l_x1_dest=%d, l_y0_dest=%d, l_y1_dest=%d (%d)\\n\",\n l_x0_dest, l_x1_dest, l_y0_dest, l_y1_dest, l_img_comp_dest->factor );\n }*/\n\n 
/*-----*/\n /* Compute the area (l_offset_x0_src, l_offset_y0_src, l_offset_x1_src, l_offset_y1_src)\n * of the input buffer (decoded tile component) which will be move\n * in the output buffer. Compute the area of the output buffer (l_start_x_dest,\n * l_start_y_dest, l_width_dest, l_height_dest) which will be modified\n * by this input area.\n * */\n assert(res_x0 >= 0);\n assert(res_x1 >= 0);\n if (l_x0_dest < (OPJ_UINT32)res_x0) {\n l_start_x_dest = (OPJ_UINT32)res_x0 - l_x0_dest;\n l_offset_x0_src = 0;\n\n if (l_x1_dest >= (OPJ_UINT32)res_x1) {\n l_width_dest = l_width_src;\n l_offset_x1_src = 0;\n } else {\n l_width_dest = l_x1_dest - (OPJ_UINT32)res_x0 ;\n l_offset_x1_src = (OPJ_INT32)(l_width_src - l_width_dest);\n }\n } else {\n l_start_x_dest = 0U;\n l_offset_x0_src = (OPJ_INT32)l_x0_dest - res_x0;\n\n if (l_x1_dest >= (OPJ_UINT32)res_x1) {\n l_width_dest = l_width_src - (OPJ_UINT32)l_offset_x0_src;\n l_offset_x1_src = 0;\n } else {\n l_width_dest = l_img_comp_dest->w ;\n l_offset_x1_src = res_x1 - (OPJ_INT32)l_x1_dest;\n }\n }\n\n if (l_y0_dest < (OPJ_UINT32)res_y0) {\n l_start_y_dest = (OPJ_UINT32)res_y0 - l_y0_dest;\n l_offset_y0_src = 0;\n\n if (l_y1_dest >= (OPJ_UINT32)res_y1) {\n l_height_dest = l_height_src;\n l_offset_y1_src = 0;\n } else {\n l_height_dest = l_y1_dest - (OPJ_UINT32)res_y0 ;\n l_offset_y1_src = (OPJ_INT32)(l_height_src - l_height_dest);\n }\n } else {\n l_start_y_dest = 0U;\n l_offset_y0_src = (OPJ_INT32)l_y0_dest - res_y0;\n\n if (l_y1_dest >= (OPJ_UINT32)res_y1) {\n l_height_dest = l_height_src - (OPJ_UINT32)l_offset_y0_src;\n l_offset_y1_src = 0;\n } else {\n l_height_dest = l_img_comp_dest->h ;\n l_offset_y1_src = res_y1 - (OPJ_INT32)l_y1_dest;\n }\n }\n\n if ((l_offset_x0_src < 0) || (l_offset_y0_src < 0) || (l_offset_x1_src < 0) ||\n (l_offset_y1_src < 0)) {\n return OPJ_FALSE;\n }\n /* testcase 2977.pdf.asan.67.2198 */\n if ((OPJ_INT32)l_width_dest < 0 || (OPJ_INT32)l_height_dest < 0) {\n return OPJ_FALSE;\n }\n 
/*-----*/\n\n /* Compute the input buffer offset */\n l_start_offset_src = (OPJ_SIZE_T)l_offset_x0_src + (OPJ_SIZE_T)l_offset_y0_src\n * (OPJ_SIZE_T)src_data_stride;\n\n /* Compute the output buffer offset */\n l_start_offset_dest = (OPJ_SIZE_T)l_start_x_dest + (OPJ_SIZE_T)l_start_y_dest\n * (OPJ_SIZE_T)l_img_comp_dest->w;\n\n /* Allocate output component buffer if necessary */\n if (l_img_comp_dest->data == NULL &&\n l_start_offset_src == 0 && l_start_offset_dest == 0 &&\n src_data_stride == l_img_comp_dest->w &&\n l_width_dest == l_img_comp_dest->w &&\n l_height_dest == l_img_comp_dest->h) {\n /* If the final image matches the tile buffer, then borrow it */\n /* directly to save a copy */\n if (p_tcd->whole_tile_decoding) {\n l_img_comp_dest->data = l_tilec->data;\n l_tilec->data = NULL;\n } else {\n l_img_comp_dest->data = l_tilec->data_win;\n l_tilec->data_win = NULL;\n }\n continue;\n } else if (l_img_comp_dest->data == NULL) {\n OPJ_SIZE_T l_width = l_img_comp_dest->w;\n OPJ_SIZE_T l_height = l_img_comp_dest->h;\n\n if ((l_height == 0U) || (l_width > (SIZE_MAX / l_height)) ||\n l_width * l_height > SIZE_MAX / sizeof(OPJ_INT32)) {\n /* would overflow */\n return OPJ_FALSE;\n }\n l_img_comp_dest->data = (OPJ_INT32*) opj_image_data_alloc(l_width * l_height *\n sizeof(OPJ_INT32));\n if (! 
l_img_comp_dest->data) {\n return OPJ_FALSE;\n }\n\n if (l_img_comp_dest->w != l_width_dest ||\n l_img_comp_dest->h != l_height_dest) {\n memset(l_img_comp_dest->data, 0,\n (OPJ_SIZE_T)l_img_comp_dest->w * l_img_comp_dest->h * sizeof(OPJ_INT32));\n }\n }\n\n /* Move the output buffer to the first place where we will write*/\n l_dest_ptr = l_img_comp_dest->data + l_start_offset_dest;\n\n {\n const OPJ_INT32 * l_src_ptr = p_src_data;\n l_src_ptr += l_start_offset_src;\n\n for (j = 0; j < l_height_dest; ++j) {\n memcpy(l_dest_ptr, l_src_ptr, l_width_dest * sizeof(OPJ_INT32));\n l_dest_ptr += l_img_comp_dest->w;\n l_src_ptr += src_data_stride;\n }\n }\n\n\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 109887170465419588123805932807083270079, "size": 216, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357437 }, { "func": "static int _nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,\n\t\tstruct nfs_fsinfo *info)\n{\n\tu32 bitmask[3];\n\tstruct nfs4_lookup_root_arg args = {\n\t\t.bitmask = bitmask,\n\t};\n\tstruct nfs4_lookup_res res = {\n\t\t.server = server,\n\t\t.fattr = info->fattr,\n\t\t.fh = fhandle,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_LOOKUP_ROOT],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t};\n\n\tbitmask[0] = nfs4_fattr_bitmap[0];\n\tbitmask[1] = nfs4_fattr_bitmap[1];\n\t/*\n\t * Process the label in the upcoming getfattr\n\t */\n\tbitmask[2] = nfs4_fattr_bitmap[2] & ~FATTR4_WORD2_SECURITY_LABEL;\n\n\tnfs_fattr_init(info->fattr);\n\treturn nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);\n}", "project": "linux", "hash": 277505166129180104894652438967254190320, "size": 28, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory 
overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431110 }, { "func": "static int wait_for_vfork_done(struct task_struct *child,\n\t\t\t\tstruct completion *vfork)\n{\n\tint killed;\n\n\tfreezer_do_not_count();\n\tcgroup_enter_frozen();\n\tkilled = wait_for_completion_killable(vfork);\n\tcgroup_leave_frozen(false);\n\tfreezer_count();\n\n\tif (killed) {\n\t\ttask_lock(child);\n\t\tchild->vfork_done = NULL;\n\t\ttask_unlock(child);\n\t}\n\n\tput_task_struct(child);\n\treturn killed;\n}", "project": "linux", "hash": 136342354516786715051219750995700933011, "size": 20, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293710 }, { "func": "static void set_min_partial(struct kmem_cache *s, unsigned long min)\n{\n\tif (min < MIN_PARTIAL)\n\t\tmin = MIN_PARTIAL;\n\telse if (min > MAX_PARTIAL)\n\t\tmin = MAX_PARTIAL;\n\ts->min_partial = min;\n}", "project": "linux", "hash": 183444896209207261914289269676584992362, "size": 8, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement 
and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280123 }, { "func": " Item_default_value(THD *thd, Name_resolution_context *context_arg)\n :Item_field(thd, context_arg, (const char *)NULL, (const char *)NULL,\n (const char *)NULL),\n arg(NULL), cached_field(NULL) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 294038020088971701855331334943320525792, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509330 }, { "func": " Item_default_value(THD *thd, Name_resolution_context *context_arg, Item *a)\n :Item_field(thd, context_arg, (const char *)NULL, (const char *)NULL,\n (const char *)NULL),\n arg(a), cached_field(NULL) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 81529936513220147756786341738942574549, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509410 }, { "func": "int tty_standard_install(struct tty_driver *driver, struct tty_struct *tty)\n{\n\ttty_init_termios(tty);\n\ttty_driver_kref_get(driver);\n\ttty->count++;\n\tdriver->ttys[tty->index] = tty;\n\treturn 0;\n}", "project": "linux", "hash": 224836736637063235721720882108271544096, "size": 8, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326045 }, { "func": "static int on_event(h2_stream* stream, h2_stream_event_t ev)\n{\n if (stream->monitor && stream->monitor->on_event) {\n stream->monitor->on_event(stream->monitor->ctx, stream, ev);\n }\n if (ev < H2_ALEN(trans_on_event)) {\n return on_map(stream->state, trans_on_event[ev]);\n }\n return stream->state;\n}", "project": "httpd", "hash": 92266038049971126119250587153489338426, "size": 10, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284241 }, { "func": "static int flush_grep(struct grep_opt *opt,\n\t\t int argc, int arg0, const char **argv, int *kept)\n{\n\tint status;\n\tint count = argc - arg0;\n\tconst char *kept_0 = NULL;\n\n\tif (count <= 2) {\n\t\t/*\n\t\t * Because we keep at least 2 paths in the call from\n\t\t * the main loop (i.e. kept != NULL), and MAXARGS is\n\t\t * far greater than 2, this usually is a call to\n\t\t * conclude the grep. 
However, the user could attempt\n\t\t * to overflow the argv buffer by giving too many\n\t\t * options to leave very small number of real\n\t\t * arguments even for the call in the main loop.\n\t\t */\n\t\tif (kept)\n\t\t\tdie(\"insanely many options to grep\");\n\n\t\t/*\n\t\t * If we have two or more paths, we do not have to do\n\t\t * anything special, but we need to push /dev/null to\n\t\t * get \"-H\" behaviour of GNU grep portably but when we\n\t\t * are not doing \"-l\" nor \"-L\" nor \"-c\".\n\t\t */\n\t\tif (count == 1 &&\n\t\t !opt->name_only &&\n\t\t !opt->unmatch_name_only &&\n\t\t !opt->count) {\n\t\t\targv[argc++] = \"/dev/null\";\n\t\t\targv[argc] = NULL;\n\t\t}\n\t}\n\n\telse if (kept) {\n\t\t/*\n\t\t * Called because we found many paths and haven't finished\n\t\t * iterating over the cache yet. We keep two paths\n\t\t * for the concluding call. argv[argc-2] and argv[argc-1]\n\t\t * has the last two paths, so save the first one away,\n\t\t * replace it with NULL while sending the list to grep,\n\t\t * and recover them after we are done.\n\t\t */\n\t\t*kept = 2;\n\t\tkept_0 = argv[argc-2];\n\t\targv[argc-2] = NULL;\n\t\targc -= 2;\n\t}\n\n\tstatus = exec_grep(argc, argv);\n\n\tif (kept_0) {\n\t\t/*\n\t\t * Then recover them. 
Now the last arg is beyond the\n\t\t * terminating NULL which is at argc, and the second\n\t\t * from the last is what we saved away in kept_0\n\t\t */\n\t\targv[arg0++] = kept_0;\n\t\targv[arg0] = argv[argc+1];\n\t}\n\treturn status;\n}", "project": "git", "hash": 311437931101219790304831987392731280668, "size": 63, "commit_id": "620e2bb93785ed8eb60846d94fd4753d4817c8ec", "message": "Fix buffer overflow in git-grep\n\nIf PATH_MAX on your system is smaller than any path stored in the git\nrepository, that can cause memory corruption inside of the grep_tree\nfunction used by git-grep.\n\nSigned-off-by: Dmitry Potapov \nSigned-off-by: Junio C Hamano ", "target": 0, "dataset": "other", "idx": 446047 }, { "func": "static void cmd_authinfo_sasl(char *cmd, char *mech, char *resp)\n{\n int r, sasl_result;\n char *success_data;\n sasl_ssf_t ssf;\n char *ssfmsg = NULL;\n const void *val;\n int failedloginpause;\n struct proc_limits limits;\n\n /* Conceal initial response in telemetry log */\n if (nntp_logfd != -1 && resp) {\n\t(void)ftruncate(nntp_logfd,\n\t\t lseek(nntp_logfd, -2, SEEK_CUR) - strlen(resp));\n\t(void)write(nntp_logfd, \"...\\r\\n\", 5);\n }\n\n if (nntp_userid) {\n\tprot_printf(nntp_out, \"502 Already authenticated\\r\\n\");\n\treturn;\n }\n\n /* Stop telemetry logging during SASL exchange */\n if (nntp_logfd != -1 && mech) {\n\tprot_setlog(nntp_in, PROT_NO_FD);\n\tprot_setlog(nntp_out, PROT_NO_FD);\n }\n\n if (cmd[0] == 'g') {\n\t/* AUTHINFO GENERIC */\n\tif (!mech) {\n\t /* If client didn't specify any mech we give them the list */\n\t const char *sasllist;\n\t int mechnum;\n\n\t prot_printf(nntp_out, \"281 List of mechanisms follows\\r\\n\");\n \n\t /* CRLF separated, dot terminated */\n\t if (sasl_listmech(nntp_saslconn, NULL,\n\t\t\t \"\", \"\\r\\n\", \"\\r\\n\",\n\t\t\t &sasllist,\n\t\t\t NULL, &mechnum) == SASL_OK) {\n\t\tif (mechnum > 0) {\n\t\t prot_printf(nntp_out, \"%s\", sasllist);\n\t\t}\n\t }\n \n\t prot_printf(nntp_out, \".\\r\\n\");\n\t 
return;\n\t}\n\n\tr = saslserver(nntp_saslconn, mech, resp, \"AUTHINFO GENERIC \", \"381 \",\n\t\t \"\", nntp_in, nntp_out, &sasl_result, &success_data);\n }\n else {\n\t/* AUTHINFO SASL */\n\tr = saslserver(nntp_saslconn, mech, resp, \"\", \"383 \", \"=\",\n\t\t nntp_in, nntp_out, &sasl_result, &success_data);\n }\n\n /* Restart any telemetry logging */\n prot_setlog(nntp_in, nntp_logfd);\n prot_setlog(nntp_out, nntp_logfd);\n\n if (r) {\n\tint code;\n\tconst char *errorstring = NULL;\n\n\tswitch (r) {\n\tcase IMAP_SASL_CANCEL:\n\t prot_printf(nntp_out,\n\t\t\t\"481 Client canceled authentication\\r\\n\");\n\t break;\n\tcase IMAP_SASL_PROTERR:\n\t errorstring = prot_error(nntp_in);\n\n\t prot_printf(nntp_out,\n\t\t\t\"482 Error reading client response: %s\\r\\n\",\n\t\t\terrorstring ? errorstring : \"\");\n\t break;\n\tdefault: \n\t /* failed authentication */\n\t switch (sasl_result) {\n\t case SASL_NOMECH:\n\t case SASL_TOOWEAK:\n\t\tcode = 503;\n\t\tbreak;\n\t case SASL_ENCRYPT:\n\t\tcode = 483;\n\t\tbreak;\n\t case SASL_BADPROT:\n\t\tcode = 482;\n\t\tbreak;\n\t default:\n\t\tcode = 481;\n\t }\n\n\t syslog(LOG_NOTICE, \"badlogin: %s %s [%s]\",\n\t\t nntp_clienthost, mech, sasl_errdetail(nntp_saslconn));\n\n\t failedloginpause = config_getint(IMAPOPT_FAILEDLOGINPAUSE);\n\t if (failedloginpause != 0) {\n\t sleep(failedloginpause);\n\t }\n\n\t /* Don't allow user probing */\n\t if (sasl_result == SASL_NOUSER) sasl_result = SASL_BADAUTH;\n\n\t errorstring = sasl_errstring(sasl_result, NULL, NULL);\n\t if (errorstring) {\n\t\tprot_printf(nntp_out, \"%d %s\\r\\n\", code, errorstring);\n\t } else {\n\t\tprot_printf(nntp_out, \"%d Error authenticating\\r\\n\", code);\n\t }\n\t}\n\n\treset_saslconn(&nntp_saslconn);\n\treturn;\n }\n\n /* successful authentication */\n\n /* get the userid from SASL --- already canonicalized from\n * mysasl_proxy_policy()\n */\n sasl_result = sasl_getprop(nntp_saslconn, SASL_USERNAME, &val);\n if (sasl_result != SASL_OK) 
{\n\tprot_printf(nntp_out, \"481 weird SASL error %d SASL_USERNAME\\r\\n\", \n\t\t sasl_result);\n\tsyslog(LOG_ERR, \"weird SASL error %d getting SASL_USERNAME\", \n\t sasl_result);\n\treset_saslconn(&nntp_saslconn);\n\treturn;\n }\n nntp_userid = xstrdup((const char *) val);\n\n sasl_getprop(nntp_saslconn, SASL_SSF, &val);\n ssf = *((sasl_ssf_t *) val);\n\n /* really, we should be doing a sasl_getprop on SASL_SSF_EXTERNAL,\n but the current libsasl doesn't allow that. */\n if (nntp_starttls_done) {\n\tswitch(ssf) {\n\tcase 0: ssfmsg = \"tls protection\"; break;\n\tcase 1: ssfmsg = \"tls plus integrity protection\"; break;\n\tdefault: ssfmsg = \"tls plus privacy protection\"; break;\n\t}\n } else {\n\tswitch(ssf) {\n\tcase 0: ssfmsg = \"no protection\"; break;\n\tcase 1: ssfmsg = \"integrity protection\"; break;\n\tdefault: ssfmsg = \"privacy protection\"; break;\n\t}\n }\n\n limits.procname = \"nntpd\";\n limits.clienthost = nntp_clienthost;\n limits.userid = nntp_userid;\n if (proc_checklimits(&limits)) {\n\tconst char *sep = \"\";\n\tprot_printf(nntp_out,\n\t\t \"452 Too many open connections (\");\n\tif (limits.maxhost) {\n\t prot_printf(nntp_out, \"%s%d of %d from %s\", sep,\n\t\t\tlimits.host, limits.maxhost, nntp_clienthost);\n\t sep = \", \";\n\t}\n\tif (limits.maxuser) {\n\t prot_printf(nntp_out, \"%s%d of %d for %s\", sep,\n\t\t\tlimits.user, limits.maxuser, nntp_userid);\n\t}\n\tprot_printf(nntp_out, \")\\r\\n\");\n\treset_saslconn(&nntp_saslconn);\n\tfree(nntp_userid);\n\tnntp_userid = NULL;\n\treturn;\n }\n\n syslog(LOG_NOTICE, \"login: %s %s %s%s %s\", nntp_clienthost, nntp_userid,\n\t mech, nntp_starttls_done ? 
\"+TLS\" : \"\", \"User logged in\");\n\n proc_register(\"nntpd\", nntp_clienthost, nntp_userid, NULL);\n\n if (success_data) {\n\tprot_printf(nntp_out, \"283 %s\\r\\n\", success_data);\n\tfree(success_data);\n } else {\n\tprot_printf(nntp_out, \"281 Success (%s)\\r\\n\", ssfmsg);\n }\n\n prot_setsasl(nntp_in, nntp_saslconn);\n prot_setsasl(nntp_out, nntp_saslconn);\n\n /* Close IP-based telemetry log and create new log based on userid */\n if (nntp_logfd != -1) close(nntp_logfd);\n nntp_logfd = telemetry_log(nntp_userid, nntp_in, nntp_out, 0);\n\n if (ssf) {\n\t/* close any selected group */\n\tif (group_state)\n\t index_close(&group_state);\n\tif (backend_current) {\n\t proxy_downserver(backend_current);\n\t backend_current = NULL;\n\t}\n }\n}", "project": "cyrus-imapd", "hash": 22159206427793563762434478691683053091, "size": 207, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451892 }, { "func": "static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)\n{\n\tstruct net *net = sock_net(sk);\n\tunsigned int proto;\n\tstruct km_event c;\n\tint err, err2;\n\n\tproto = pfkey_satype2proto(hdr->sadb_msg_satype);\n\tif (proto == 0)\n\t\treturn -EINVAL;\n\n\terr = xfrm_state_flush(net, proto, true, false);\n\terr2 = unicast_flush_resp(sk, hdr);\n\tif (err || err2) {\n\t\tif (err == -ESRCH) /* empty table - go quietly */\n\t\t\terr = 0;\n\t\treturn err ? 
err : err2;\n\t}\n\n\tc.data.proto = proto;\n\tc.seq = hdr->sadb_msg_seq;\n\tc.portid = hdr->sadb_msg_pid;\n\tc.event = XFRM_MSG_FLUSHSA;\n\tc.net = net;\n\tkm_state_notify(NULL, &c);\n\n\treturn 0;\n}", "project": "linux", "hash": 250212088441320074100437935753734042552, "size": 28, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268065 }, { "func": "static int rar5_read_data_skip(struct archive_read *a) {\n\tstruct rar5* rar = get_context(a);\n\n\tif(rar->main.solid) {\n\t\t/* In solid archives, instead of skipping the data, we need to\n\t\t * extract it, and dispose the result. The side effect of this\n\t\t * operation will be setting up the initial window buffer state\n\t\t * needed to be able to extract the selected file. */\n\n\t\tint ret;\n\n\t\t/* Make sure to process all blocks in the compressed stream. */\n\t\twhile(rar->file.bytes_remaining > 0) {\n\t\t\t/* Setting the \"skip mode\" will allow us to skip\n\t\t\t * checksum checks during data skipping. 
Checking the\n\t\t\t * checksum of skipped data isn't really necessary and\n\t\t\t * it's only slowing things down.\n\t\t\t *\n\t\t\t * This is incremented instead of setting to 1 because\n\t\t\t * this data skipping function can be called\n\t\t\t * recursively. */\n\t\t\trar->skip_mode++;\n\n\t\t\t/* We're disposing 1 block of data, so we use triple\n\t\t\t * NULLs in arguments. */\n\t\t\tret = rar5_read_data(a, NULL, NULL, NULL);\n\n\t\t\t/* Turn off \"skip mode\". */\n\t\t\trar->skip_mode--;\n\n\t\t\tif(ret < 0 || ret == ARCHIVE_EOF) {\n\t\t\t\t/* Propagate any potential error conditions\n\t\t\t\t * to the caller. */\n\t\t\t\treturn ret;\n\t\t\t}\n\t\t}\n\t} else {\n\t\t/* In standard archives, we can just jump over the compressed\n\t\t * stream. Each file in non-solid archives starts from an empty\n\t\t * window buffer. */\n\n\t\tif(ARCHIVE_OK != consume(a, rar->file.bytes_remaining)) {\n\t\t\treturn ARCHIVE_FATAL;\n\t\t}\n\n\t\trar->file.bytes_remaining = 0;\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 6430982064952522717844328157805847108, "size": 50, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244704 }, { "func": "bool pb_decode_fixed32(pb_istream_t *stream, void *dest)\n{\n pb_byte_t bytes[4];\n\n if (!pb_read(stream, bytes, 4))\n return false;\n \n *(uint32_t*)dest = ((uint32_t)bytes[0] << 0) |\n ((uint32_t)bytes[1] << 8) |\n ((uint32_t)bytes[2] << 16) |\n ((uint32_t)bytes[3] << 24);\n return true;\n}", "project": "nanopb", "hash": 219424728690319830255405138385570066234, "size": 13, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252509 }, { "func": "bool pb_decode_fixed32(pb_istream_t *stream, void *dest)\n{\n #ifdef __BIG_ENDIAN__\n uint8_t *bytes = (uint8_t*)dest;\n uint8_t lebytes[4];\n \n if (!pb_read(stream, lebytes, 4))\n return false;\n \n bytes[0] = lebytes[3];\n bytes[1] = lebytes[2];\n bytes[2] = lebytes[1];\n bytes[3] = lebytes[0];\n return true;\n #else\n return pb_read(stream, (uint8_t*)dest, 4);\n #endif \n}", "project": "nanopb", "hash": 283972902788126220259599604847965434985, "size": 18, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255349 }, { "func": "void kvm_s390_vcpu_block(struct kvm_vcpu *vcpu)\n{\n\tatomic_or(PROG_BLOCK_SIE, &vcpu->arch.sie_block->prog20);\n\texit_sie(vcpu);\n}", "project": "linux", "hash": 197639106730824646108219784873124054003, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", 
"message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354651 }, { "func": "\nstatic int bfq_rq_close_to_sector(void *io_struct, bool request,\n\t\t\t\t sector_t sector)\n{\n\treturn abs(bfq_io_struct_pos(io_struct, request) - sector) <=\n\t BFQQ_CLOSE_THR;", "project": "linux", "hash": 202881700539701228635551993072428533977, "size": 6, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453411 }, { "func": "void CClient::AuthUser() {\n if (!m_bGotNick || !m_bGotUser || !m_bGotPass || m_bInCap || IsAttached())\n return;\n\n m_spAuth = std::make_shared(this, m_sUser, m_sPass);\n\n CZNC::Get().AuthUser(m_spAuth);\n}", "project": "znc", "hash": 94337203323993464467772918272020439979, "size": 8, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231547 }, { "func": "LanPairingHandler* LanLinkProvider::createPairingHandler(DeviceLink* link)\n{\n LanPairingHandler* ph = m_pairingHandlers.value(link->deviceId());\n if (!ph) {\n ph = new LanPairingHandler(link);\n qCDebug(KDECONNECT_CORE) << \"creating pairing handler for\" << link->deviceId();\n connect (ph, &LanPairingHandler::pairingError, link, &DeviceLink::pairingError);\n 
m_pairingHandlers[link->deviceId()] = ph;\n }\n return ph;\n}", "project": "kdeconnect-kde", "hash": 135145826685012669927949331897578584537, "size": 11, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227372 }, { "func": "static void tipc_node_fsm_evt(struct tipc_node *n, int evt)\n{\n\tint state = n->state;\n\n\tswitch (state) {\n\tcase SELF_DOWN_PEER_DOWN:\n\t\tswitch (evt) {\n\t\tcase SELF_ESTABL_CONTACT_EVT:\n\t\t\tstate = SELF_UP_PEER_COMING;\n\t\t\tbreak;\n\t\tcase PEER_ESTABL_CONTACT_EVT:\n\t\t\tstate = SELF_COMING_PEER_UP;\n\t\t\tbreak;\n\t\tcase SELF_LOST_CONTACT_EVT:\n\t\tcase PEER_LOST_CONTACT_EVT:\n\t\t\tbreak;\n\t\tcase NODE_SYNCH_END_EVT:\n\t\tcase NODE_SYNCH_BEGIN_EVT:\n\t\tcase NODE_FAILOVER_BEGIN_EVT:\n\t\tcase NODE_FAILOVER_END_EVT:\n\t\tdefault:\n\t\t\tgoto illegal_evt;\n\t\t}\n\t\tbreak;\n\tcase SELF_UP_PEER_UP:\n\t\tswitch (evt) {\n\t\tcase SELF_LOST_CONTACT_EVT:\n\t\t\tstate = SELF_DOWN_PEER_LEAVING;\n\t\t\tbreak;\n\t\tcase PEER_LOST_CONTACT_EVT:\n\t\t\tstate = SELF_LEAVING_PEER_DOWN;\n\t\t\tbreak;\n\t\tcase NODE_SYNCH_BEGIN_EVT:\n\t\t\tstate = NODE_SYNCHING;\n\t\t\tbreak;\n\t\tcase NODE_FAILOVER_BEGIN_EVT:\n\t\t\tstate = NODE_FAILINGOVER;\n\t\t\tbreak;\n\t\tcase SELF_ESTABL_CONTACT_EVT:\n\t\tcase PEER_ESTABL_CONTACT_EVT:\n\t\tcase NODE_SYNCH_END_EVT:\n\t\tcase NODE_FAILOVER_END_EVT:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tgoto illegal_evt;\n\t\t}\n\t\tbreak;\n\tcase SELF_DOWN_PEER_LEAVING:\n\t\tswitch (evt) {\n\t\tcase PEER_LOST_CONTACT_EVT:\n\t\t\tstate = SELF_DOWN_PEER_DOWN;\n\t\t\tbreak;\n\t\tcase SELF_ESTABL_CONTACT_EVT:\n\t\tcase PEER_ESTABL_CONTACT_EVT:\n\t\tcase SELF_LOST_CONTACT_EVT:\n\t\t\tbreak;\n\t\tcase NODE_SYNCH_END_EVT:\n\t\tcase NODE_SYNCH_BEGIN_EVT:\n\t\tcase NODE_FAILOVER_BEGIN_EVT:\n\t\tcase NODE_FAILOVER_END_EVT:\n\t\tdefault:\n\t\t\tgoto 
illegal_evt;\n\t\t}\n\t\tbreak;\n\tcase SELF_UP_PEER_COMING:\n\t\tswitch (evt) {\n\t\tcase PEER_ESTABL_CONTACT_EVT:\n\t\t\tstate = SELF_UP_PEER_UP;\n\t\t\tbreak;\n\t\tcase SELF_LOST_CONTACT_EVT:\n\t\t\tstate = SELF_DOWN_PEER_DOWN;\n\t\t\tbreak;\n\t\tcase SELF_ESTABL_CONTACT_EVT:\n\t\tcase PEER_LOST_CONTACT_EVT:\n\t\tcase NODE_SYNCH_END_EVT:\n\t\tcase NODE_FAILOVER_BEGIN_EVT:\n\t\t\tbreak;\n\t\tcase NODE_SYNCH_BEGIN_EVT:\n\t\tcase NODE_FAILOVER_END_EVT:\n\t\tdefault:\n\t\t\tgoto illegal_evt;\n\t\t}\n\t\tbreak;\n\tcase SELF_COMING_PEER_UP:\n\t\tswitch (evt) {\n\t\tcase SELF_ESTABL_CONTACT_EVT:\n\t\t\tstate = SELF_UP_PEER_UP;\n\t\t\tbreak;\n\t\tcase PEER_LOST_CONTACT_EVT:\n\t\t\tstate = SELF_DOWN_PEER_DOWN;\n\t\t\tbreak;\n\t\tcase SELF_LOST_CONTACT_EVT:\n\t\tcase PEER_ESTABL_CONTACT_EVT:\n\t\t\tbreak;\n\t\tcase NODE_SYNCH_END_EVT:\n\t\tcase NODE_SYNCH_BEGIN_EVT:\n\t\tcase NODE_FAILOVER_BEGIN_EVT:\n\t\tcase NODE_FAILOVER_END_EVT:\n\t\tdefault:\n\t\t\tgoto illegal_evt;\n\t\t}\n\t\tbreak;\n\tcase SELF_LEAVING_PEER_DOWN:\n\t\tswitch (evt) {\n\t\tcase SELF_LOST_CONTACT_EVT:\n\t\t\tstate = SELF_DOWN_PEER_DOWN;\n\t\t\tbreak;\n\t\tcase SELF_ESTABL_CONTACT_EVT:\n\t\tcase PEER_ESTABL_CONTACT_EVT:\n\t\tcase PEER_LOST_CONTACT_EVT:\n\t\t\tbreak;\n\t\tcase NODE_SYNCH_END_EVT:\n\t\tcase NODE_SYNCH_BEGIN_EVT:\n\t\tcase NODE_FAILOVER_BEGIN_EVT:\n\t\tcase NODE_FAILOVER_END_EVT:\n\t\tdefault:\n\t\t\tgoto illegal_evt;\n\t\t}\n\t\tbreak;\n\tcase NODE_FAILINGOVER:\n\t\tswitch (evt) {\n\t\tcase SELF_LOST_CONTACT_EVT:\n\t\t\tstate = SELF_DOWN_PEER_LEAVING;\n\t\t\tbreak;\n\t\tcase PEER_LOST_CONTACT_EVT:\n\t\t\tstate = SELF_LEAVING_PEER_DOWN;\n\t\t\tbreak;\n\t\tcase NODE_FAILOVER_END_EVT:\n\t\t\tstate = SELF_UP_PEER_UP;\n\t\t\tbreak;\n\t\tcase NODE_FAILOVER_BEGIN_EVT:\n\t\tcase SELF_ESTABL_CONTACT_EVT:\n\t\tcase PEER_ESTABL_CONTACT_EVT:\n\t\t\tbreak;\n\t\tcase NODE_SYNCH_BEGIN_EVT:\n\t\tcase NODE_SYNCH_END_EVT:\n\t\tdefault:\n\t\t\tgoto illegal_evt;\n\t\t}\n\t\tbreak;\n\tcase 
NODE_SYNCHING:\n\t\tswitch (evt) {\n\t\tcase SELF_LOST_CONTACT_EVT:\n\t\t\tstate = SELF_DOWN_PEER_LEAVING;\n\t\t\tbreak;\n\t\tcase PEER_LOST_CONTACT_EVT:\n\t\t\tstate = SELF_LEAVING_PEER_DOWN;\n\t\t\tbreak;\n\t\tcase NODE_SYNCH_END_EVT:\n\t\t\tstate = SELF_UP_PEER_UP;\n\t\t\tbreak;\n\t\tcase NODE_FAILOVER_BEGIN_EVT:\n\t\t\tstate = NODE_FAILINGOVER;\n\t\t\tbreak;\n\t\tcase NODE_SYNCH_BEGIN_EVT:\n\t\tcase SELF_ESTABL_CONTACT_EVT:\n\t\tcase PEER_ESTABL_CONTACT_EVT:\n\t\t\tbreak;\n\t\tcase NODE_FAILOVER_END_EVT:\n\t\tdefault:\n\t\t\tgoto illegal_evt;\n\t\t}\n\t\tbreak;\n\tdefault:\n\t\tpr_err(\"Unknown node fsm state %x\\n\", state);\n\t\tbreak;\n\t}\n\ttrace_tipc_node_fsm(n->peer_id, n->state, state, evt);\n\tn->state = state;\n\treturn;\n\nillegal_evt:\n\tpr_err(\"Illegal node fsm evt %x in state %x\\n\", evt, state);\n\ttrace_tipc_node_fsm(n->peer_id, n->state, state, evt);\n}", "project": "linux", "hash": 143730287252713172699518628404549810108, "size": 175, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n 
genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n 
kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364919 }, { "func": "static void on_state_event(h2_stream *stream, h2_stream_event_t ev) \n{\n if (stream->monitor && stream->monitor->on_state_event) {\n stream->monitor->on_state_event(stream->monitor->ctx, stream, ev);\n }\n}", "project": "httpd", "hash": 30970961311514313569698686001359218581, "size": 6, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284261 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "void BlobURLRequestJob::NotifyFailure(int error_code) {\n error_ = true;\n\n if (headers_set_) {\n NotifyDone(net::URLRequestStatus(net::URLRequestStatus::FAILED,\n error_code));\n return;\n }\n\n int status_code = 0;\n std::string status_txt;\n switch (error_code) {\n case net::ERR_ACCESS_DENIED:\n status_code = kHTTPNotAllowed;\n status_txt = kHTTPNotAllowedText;\n break;\n case net::ERR_FILE_NOT_FOUND:\n status_code = kHTTPNotFound;\n status_txt = kHTTPNotFoundText;\n break;\n case net::ERR_METHOD_NOT_SUPPORTED:\n status_code = kHTTPMethodNotAllow;\n status_txt = kHTTPMethodNotAllowText;\n break;\n case net::ERR_REQUEST_RANGE_NOT_SATISFIABLE:\n status_code = kHTTPRequestedRangeNotSatisfiable;\n status_txt = kHTTPRequestedRangeNotSatisfiableText;\n break;\n case net::ERR_FAILED:\n status_code = kHTTPInternalError;\n status_txt = kHTTPInternalErrorText;\n break;\n default:\n DCHECK(false);\n status_code = kHTTPInternalError;\n status_txt = kHTTPInternalErrorText;\n break;\n }\n HeadersCompleted(status_code, status_txt);\n}\n", "cwe": "", "big_vul_idx": 106418, "idx": 95569, "hash": 130776088721465261192095750671179655679 }, { "func": "\treturn err;\n}\n\nstatic int iscsi_logout_flashnode(struct 
iscsi_transport *transport,\n\t\t\t\t struct iscsi_uevent *ev)\n{\n\tstruct Scsi_Host *shost;\n\tstruct iscsi_bus_flash_session *fnode_sess;\n\tstruct iscsi_bus_flash_conn *fnode_conn;\n\tstruct device *dev;\n\tuint32_t idx;\n\tint err = 0;\n\n\tif (!transport->logout_flashnode) {\n\t\terr = -ENOSYS;\n\t\tgoto exit_logout_fnode;\n\t}\n\n\tshost = scsi_host_lookup(ev->u.logout_flashnode.host_no);\n\tif (!shost) {\n\t\tpr_err(\"%s could not find host no %u\\n\",\n\t\t __func__, ev->u.logout_flashnode.host_no);\n\t\terr = -ENODEV;\n\t\tgoto put_host;\n\t}\n\n\tidx = ev->u.logout_flashnode.flashnode_idx;\n\tfnode_sess = iscsi_get_flashnode_by_index(shost, idx);\n\tif (!fnode_sess) {\n\t\tpr_err(\"%s could not find flashnode %u for host no %u\\n\",\n\t\t __func__, idx, ev->u.logout_flashnode.host_no);\n\t\terr = -ENODEV;\n\t\tgoto put_host;\n\t}\n\n\tdev = iscsi_find_flashnode_conn(fnode_sess);\n\tif (!dev) {\n\t\terr = -ENODEV;\n\t\tgoto put_sess;\n\t}\n\n\tfnode_conn = iscsi_dev_to_flash_conn(dev);\n\n\terr = transport->logout_flashnode(fnode_sess, fnode_conn);\n\tput_device(dev);\n\nput_sess:\n\tput_device(&fnode_sess->dev);\n\nput_host:\n\tscsi_host_put(shost);\n", "project": "linux", "hash": 162779946136049817552778348134516700198, "size": 52, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379914 }, { "func": " virtual enum Type real_type() const { return type(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 12130122225665579828617810227456743241, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508950 }, { "func": " enum Type real_type() const { return orig_item->type(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 202462608819521640638206772026372452794, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509154 }, { "func": " enum Type real_type() const { return ref ? (*ref)->type() :\n REF_ITEM; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 23926468246914502755803826638287128064, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509362 }, { "func": "int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,\n\t\t\t\t struct kvm_sregs *sregs)\n{\n\tvcpu_load(vcpu);\n\n\tmemcpy(&vcpu->run->s.regs.acrs, &sregs->acrs, sizeof(sregs->acrs));\n\tmemcpy(&vcpu->arch.sie_block->gcr, &sregs->crs, sizeof(sregs->crs));\n\n\tvcpu_put(vcpu);\n\treturn 0;\n}", "project": "linux", "hash": 229940534478517684793383961546396218255, "size": 11, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354589 }, { "func": "static inline unsigned long node_nr_slabs(struct kmem_cache_node *n)\n\t\t\t\t\t\t\t{ return 0; }", "project": "linux", "hash": 30086913516917219407617048514778330274, "size": 2, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280040 }, { "func": "static inline unsigned long node_nr_slabs(struct kmem_cache_node *n)\n{\n\treturn atomic_long_read(&n->nr_slabs);\n}", "project": "linux", "hash": 170215091421650769556803022785881995063, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280086 }, { "func": "\nstatic int io_req_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)\n{\n\tswitch (req->opcode) {\n\tcase IORING_OP_NOP:\n\t\treturn 0;\n\tcase IORING_OP_READV:\n\tcase IORING_OP_READ_FIXED:\n\tcase IORING_OP_READ:\n\t\treturn io_read_prep(req, sqe);\n\tcase IORING_OP_WRITEV:\n\tcase IORING_OP_WRITE_FIXED:\n\tcase IORING_OP_WRITE:\n\t\treturn io_write_prep(req, sqe);\n\tcase IORING_OP_POLL_ADD:\n\t\treturn io_poll_add_prep(req, sqe);\n\tcase IORING_OP_POLL_REMOVE:\n\t\treturn io_poll_update_prep(req, sqe);\n\tcase IORING_OP_FSYNC:\n\t\treturn io_fsync_prep(req, sqe);\n\tcase IORING_OP_SYNC_FILE_RANGE:\n\t\treturn io_sfr_prep(req, sqe);\n\tcase IORING_OP_SENDMSG:\n\tcase IORING_OP_SEND:\n\t\treturn io_sendmsg_prep(req, sqe);\n\tcase IORING_OP_RECVMSG:\n\tcase IORING_OP_RECV:\n\t\treturn io_recvmsg_prep(req, sqe);\n\tcase IORING_OP_CONNECT:\n\t\treturn io_connect_prep(req, sqe);\n\tcase IORING_OP_TIMEOUT:\n\t\treturn io_timeout_prep(req, sqe, false);\n\tcase IORING_OP_TIMEOUT_REMOVE:\n\t\treturn io_timeout_remove_prep(req, sqe);\n\tcase IORING_OP_ASYNC_CANCEL:\n\t\treturn io_async_cancel_prep(req, sqe);\n\tcase IORING_OP_LINK_TIMEOUT:\n\t\treturn io_timeout_prep(req, sqe, true);\n\tcase IORING_OP_ACCEPT:\n\t\treturn io_accept_prep(req, sqe);\n\tcase IORING_OP_FALLOCATE:\n\t\treturn io_fallocate_prep(req, sqe);\n\tcase IORING_OP_OPENAT:\n\t\treturn io_openat_prep(req, sqe);\n\tcase IORING_OP_CLOSE:\n\t\treturn io_close_prep(req, sqe);\n\tcase IORING_OP_FILES_UPDATE:\n\t\treturn io_rsrc_update_prep(req, sqe);\n\tcase 
IORING_OP_STATX:\n\t\treturn io_statx_prep(req, sqe);\n\tcase IORING_OP_FADVISE:\n\t\treturn io_fadvise_prep(req, sqe);\n\tcase IORING_OP_MADVISE:\n\t\treturn io_madvise_prep(req, sqe);\n\tcase IORING_OP_OPENAT2:\n\t\treturn io_openat2_prep(req, sqe);\n\tcase IORING_OP_EPOLL_CTL:\n\t\treturn io_epoll_ctl_prep(req, sqe);\n\tcase IORING_OP_SPLICE:\n\t\treturn io_splice_prep(req, sqe);\n\tcase IORING_OP_PROVIDE_BUFFERS:\n\t\treturn io_provide_buffers_prep(req, sqe);\n\tcase IORING_OP_REMOVE_BUFFERS:\n\t\treturn io_remove_buffers_prep(req, sqe);\n\tcase IORING_OP_TEE:\n\t\treturn io_tee_prep(req, sqe);\n\tcase IORING_OP_SHUTDOWN:\n\t\treturn io_shutdown_prep(req, sqe);\n\tcase IORING_OP_RENAMEAT:\n\t\treturn io_renameat_prep(req, sqe);\n\tcase IORING_OP_UNLINKAT:\n\t\treturn io_unlinkat_prep(req, sqe);\n\t}\n\n\tprintk_once(KERN_WARNING \"io_uring: unhandled opcode %d\\n\",\n\t\t\treq->opcode);\n\treturn -EINVAL;", "project": "linux", "hash": 43471782578356320135298505831809112919, "size": 77, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338583 }, { "func": "static int fuse_fsync(struct file *file, loff_t start, loff_t end,\n\t\t int datasync)\n{\n\tstruct inode *inode = file->f_mapping->host;\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tint err;\n\n\tif (fuse_is_bad(inode))\n\t\treturn -EIO;\n\n\tinode_lock(inode);\n\n\t/*\n\t * Start writeback against all dirty pages of the inode, then\n\t * wait for all outstanding writes, before sending the FSYNC\n\t * request.\n\t */\n\terr = file_write_and_wait_range(file, start, end);\n\tif (err)\n\t\tgoto out;\n\n\tfuse_sync_writes(inode);\n\n\t/*\n\t * Due to implementation of fuse writeback\n\t * file_write_and_wait_range() does not catch errors.\n\t * We have to do this directly after fuse_sync_writes()\n\t */\n\terr = file_check_and_advance_wb_err(file);\n\tif (err)\n\t\tgoto out;\n\n\terr = sync_inode_metadata(inode, 1);\n\tif (err)\n\t\tgoto out;\n\n\tif (fc->no_fsync)\n\t\tgoto out;\n\n\terr = fuse_fsync_common(file, start, end, datasync, FUSE_FSYNC);\n\tif (err == -ENOSYS) {\n\t\tfc->no_fsync = 1;\n\t\terr = 0;\n\t}\nout:\n\tinode_unlock(inode);\n\n\treturn err;\n}", "project": "linux", "hash": 319603906992492164360919242179012269389, "size": 49, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE 
filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342088 }, { "func": "static int __init text_mode(char *str)\n{\n\tvgacon_text_mode_force = true;\n\n\tpr_warn(\"You have booted with nomodeset. This means your GPU drivers are DISABLED\\n\");\n\tpr_warn(\"Any video related functionality will be severely degraded, and you may not even be able to suspend the system properly\\n\");\n\tpr_warn(\"Unless you actually understand what nomodeset does, you should reboot without enabling it\\n\");\n\n\treturn 1;\n}", "project": "linux", "hash": 123721137876214921925028725843359503331, "size": 10, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. 
Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380807 }, { "func": "static int stimer_get_config(struct kvm_vcpu_hv_stimer *stimer, u64 *pconfig)\n{\n\t*pconfig = stimer->config.as_uint64;\n\treturn 0;\n}", "project": "linux", "hash": 309977316461071845636330300985402162693, "size": 5, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 
arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343492 }, { "func": "void LibRaw::lossless_jpeg_load_raw()\n{\n int jwide, jhigh, jrow, jcol, val, jidx, i, j, row = 0, col = 0;\n struct jhead jh;\n ushort *rp;\n\n if (!ljpeg_start(&jh, 0))\n return;\n\n if (jh.wide < 1 || jh.high < 1 || jh.clrs < 1 || jh.bits < 1)\n throw LIBRAW_EXCEPTION_IO_CORRUPT;\n jwide = jh.wide * jh.clrs;\n jhigh = jh.high;\n if (jh.clrs == 4 && jwide >= raw_width * 2)\n jhigh *= 2;\n\n try\n {\n for (jrow = 0; jrow < jh.high; jrow++)\n {\n checkCancel();\n rp = ljpeg_row(jrow, &jh);\n if (load_flags & 1)\n row = jrow & 1 ? 
height - 1 - jrow / 2 : jrow / 2;\n for (jcol = 0; jcol < jwide; jcol++)\n {\n val = curve[*rp++];\n if (cr2_slice[0])\n {\n jidx = jrow * jwide + jcol;\n i = jidx / (cr2_slice[1] * raw_height);\n if ((j = i >= cr2_slice[0]))\n i = cr2_slice[0];\n jidx -= i * (cr2_slice[1] * raw_height);\n row = jidx / cr2_slice[1 + j];\n col = jidx % cr2_slice[1 + j] + i * cr2_slice[1];\n }\n if (raw_width == 3984 && (col -= 2) < 0)\n col += (row--, raw_width);\n if (row > raw_height)\n throw LIBRAW_EXCEPTION_IO_CORRUPT;\n if ((unsigned)row < raw_height)\n RAW(row, col) = val;\n if (++col >= raw_width)\n col = (row++, 0);\n }\n }\n }\n catch (...)\n {\n ljpeg_end(&jh);\n throw;\n }\n ljpeg_end(&jh);\n}", "project": "LibRaw", "hash": 326569660359664958267546810492782568538, "size": 55, "commit_id": "a6937d4046a7c4742b683a04c8564605fd9be4fb", "message": "more room for ljpeg row", "target": 0, "dataset": "other", "idx": 319439 }, { "func": "static void nfs4_xdr_enc_statfs(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\tconst void *data)\n{\n\tconst struct nfs4_statfs_arg *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_getattr(xdr, nfs4_statfs_bitmap, args->bitmask,\n\t\t\tARRAY_SIZE(nfs4_statfs_bitmap), &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 29283807482635891408437862144897459550, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": 
"other", "idx": 431041 }, { "func": "static noinline void ep_destroy_wakeup_source(struct epitem *epi)\n{\n\tstruct wakeup_source *ws = ep_wakeup_source(epi);\n\n\tRCU_INIT_POINTER(epi->ws, NULL);\n\n\t/*\n\t * wait for ep_pm_stay_awake_rcu to finish, synchronize_rcu is\n\t * used internally by wakeup_source_remove, too (called by\n\t * wakeup_source_unregister), so we cannot use call_rcu\n\t */\n\tsynchronize_rcu();\n\twakeup_source_unregister(ws);\n}", "project": "linux", "hash": 57723554837102922527990180899087250367, "size": 14, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336258 }, { "func": "\nstatic int __io_async_wake(struct io_kiocb *req, struct io_poll_iocb *poll,\n\t\t\t __poll_t mask, task_work_func_t func)\n{\n\tint ret;\n\n\t/* for instances that support it check for an event match first: */\n\tif (mask && !(mask & poll->events))\n\t\treturn 0;\n\n\ttrace_io_uring_task_add(req->ctx, req->opcode, req->user_data, mask);\n\n\tlist_del_init(&poll->wait.entry);\n\n\treq->result = mask;\n\treq->task_work.func = func;\n\n\t/*\n\t * If this fails, then the task is exiting. When a task exits, the\n\t * work gets canceled, so just cancel this request as well instead\n\t * of executing it. We can't safely execute it anyway, as we may not\n\t * have the needed state needed for it anyway.\n\t */\n\tret = io_req_task_work_add(req);\n\tif (unlikely(ret)) {\n\t\tWRITE_ONCE(poll->canceled, true);\n\t\tio_req_task_work_add_fallback(req, func);\n\t}\n\treturn 1;", "project": "linux", "hash": 222376742699273789289584177918727184183, "size": 29, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338647 }, { "func": "static int __io_async_wake(struct io_kiocb *req, struct io_poll_iocb *poll,\n\t\t\t __poll_t mask, task_work_func_t func)\n{\n\tint ret;\n\n\t/* for instances that support it check for an event match first: */\n\tif (mask && !(mask & poll->events))\n\t\treturn 0;\n\n\ttrace_io_uring_task_add(req->ctx, req->opcode, req->user_data, mask);\n\n\tlist_del_init(&poll->wait.entry);\n\n\treq->result = mask;\n\tinit_task_work(&req->task_work, func);\n\tpercpu_ref_get(&req->ctx->refs);\n\n\t/*\n\t * If this fails, then the task is exiting. When a task exits, the\n\t * work gets canceled, so just cancel this request as well instead\n\t * of executing it. 
We can't safely execute it anyway, as we may not\n\t * have the needed state needed for it anyway.\n\t */\n\tret = io_req_task_work_add(req, &req->task_work);\n\tif (unlikely(ret)) {\n\t\tstruct task_struct *tsk;\n\n\t\tWRITE_ONCE(poll->canceled, true);\n\t\ttsk = io_wq_get_task(req->ctx->io_wq);\n\t\ttask_work_add(tsk, &req->task_work, 0);\n\t\twake_up_process(tsk);\n\t}\n\treturn 1;\n}", "project": "linux", "hash": 94849266735316676637475876789979632783, "size": 34, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456964 }, { "func": "static Variant php_imagettftext_common(int mode, int extended,\n const Variant& arg1,\n const Variant& arg2,\n const Variant& arg3,\n const Variant& arg4,\n const Variant& arg5 = uninit_variant,\n const Variant& arg6 = uninit_variant,\n const Variant& arg7 = uninit_variant,\n const Variant& arg8 = uninit_variant,\n const Variant& arg9 = uninit_variant) {\n gdImagePtr im=nullptr;\n long col = -1, x = -1, y = -1;\n int brect[8];\n double ptsize, angle;\n String str;\n String fontname;\n Array extrainfo;\n char *error = nullptr;\n gdFTStringExtra strex = {0};\n\n if (mode == TTFTEXT_BBOX) {\n ptsize = arg1.toDouble();\n angle = arg2.toDouble();\n fontname = arg3.toString();\n str = arg4.toString();\n extrainfo = arg5;\n } else {\n Resource image = arg1.toResource();\n ptsize = arg2.toDouble();\n angle = arg3.toDouble();\n x = arg4.toInt64();\n y = 
arg5.toInt64();\n col = arg6.toInt64();\n fontname = arg7.toString();\n str = arg8.toString();\n extrainfo = arg9;\n im = get_valid_image_resource(image);\n if (!im) return false;\n }\n\n /* convert angle to radians */\n angle = angle * (M_PI/180);\n\n if (extended && !extrainfo.empty()) { /* parse extended info */\n\n /* walk the assoc array */\n for (ArrayIter iter(extrainfo); iter; ++iter) {\n Variant key = iter.first();\n if (!key.isString()) continue;\n Variant item = iter.second();\n if (equal(key, s_linespacing)) {\n strex.flags |= gdFTEX_LINESPACE;\n strex.linespacing = item.toDouble();\n }\n }\n }\n\n FILE *fp = nullptr;\n if (!RuntimeOption::FontPath.empty()) {\n fontname = String(RuntimeOption::FontPath.c_str()) +\n HHVM_FN(basename)(fontname);\n }\n auto stream = php_open_plain_file(fontname, \"rb\", &fp);\n if (!stream) {\n raise_warning(\"Invalid font filename %s\", fontname.c_str());\n return false;\n }\n stream->close();\n\n#ifdef USE_GD_IMGSTRTTF\n if (extended) {\n error = gdImageStringFTEx(im, brect, col, (char*)fontname.c_str(),\n ptsize, angle, x, y, (char*)str.c_str(),\n &strex);\n }\n else {\n error = gdImageStringFT(im, brect, col, (char*)fontname.c_str(),\n ptsize, angle, x, y, (char*)str.c_str());\n }\n#else /* !USE_GD_IMGSTRTTF */\n error = gdttf(im, brect, col, fontname.c_str(),\n ptsize, angle, x, y, str.c_str());\n#endif\n\n if (error) {\n raise_warning(\"%s\", error);\n return false;\n }\n\n /* return array with the text's bounding box */\n return make_varray(\n brect[0],\n brect[1],\n brect[2],\n brect[3],\n brect[4],\n brect[5],\n brect[6],\n brect[7]\n );\n}", "project": "hhvm", "hash": 35383424415646498033628525129247524544, "size": 101, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219207 }, { "func": " void walk(TraceIterator begin, TraceIterator end, TraceIterator final,\n Stats& stats) {\n if 
(begin == end) return;\n m_recursion.push_back(std::make_pair(nullptr, 0));\n // Trim exit traces off the front of the log. These may be due to\n // the return from turning tracing on.\n std::map functionLevel;\n auto current = begin;\n while (current != end && !current->symbol) ++current;\n while (current != end) {\n if (!current->is_func_exit) {\n unsigned level = ++functionLevel[current->symbol];\n if (level >= m_recursion.size()) {\n constexpr size_t bufferSize = 12;\n char *level_string = new char[bufferSize];\n snprintf(level_string, bufferSize, \"@%u\", level);\n m_recursion.push_back(std::make_pair(level_string,\n strlen(level_string)));\n }\n Frame fr;\n fr.trace = current;\n fr.level = level - 1;\n fr.len = strlen(current->symbol);\n checkArcBuff(fr.len);\n m_stack.push_back(fr);\n } else if (m_stack.size() > 1) {\n validateStack(current, stats); // NB: may update m_stack.\n --functionLevel[m_stack.back().trace->symbol];\n popFrame(current, stats);\n }\n ++current;\n }\n // Close the dangling stack with the last entry. This\n // under-represents any functions still on the stack.\n --current;\n while (m_stack.size() > 1) {\n popFrame(current, stats);\n }\n // Close main() with the final data from when profiling was turned\n // off. 
This ensures main() represents the entire run, even if we\n // run out of log space.\n if (!m_stack.empty()) {\n assertx(strcmp(m_stack.back().trace->symbol, \"main()\") == 0);\n incStats(m_stack.back().trace->symbol, final, m_stack.back(), stats);\n }\n if (m_badArcCount > 0) {\n stats[\"(trace has mismatched calls and returns)\"].count = m_badArcCount;\n }\n }", "project": "hhvm", "hash": 323720101069881367375023250921663311543, "size": 49, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219794 }, { "func": " bool walk(Item_processor processor, bool walk_subquery, void *args)\n {\n return (item->walk(processor, walk_subquery, args)) ||\n (this->*processor)(args);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 325207680219276452765326899840173424632, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508962 }, { "func": " bool walk(Item_processor processor, bool walk_subquery, void *arg)\n { \n if (ref && *ref)\n return (*ref)->walk(processor, walk_subquery, arg) ||\n (this->*processor)(arg); \n else\n return FALSE;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 330453402430927513908163571420291826756, "size": 8, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509032 }, { "func": " bool walk(Item_processor processor, bool walk_subquery, void *arg)\n {\n if (walk_args(processor, walk_subquery, arg))\n return true;\n return (this->*processor)(arg);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 101262755025312185136894921224675625125, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509109 }, { "func": " bool walk(Item_processor processor, bool walk_subquery, void *arg)\n { \n return (*ref)->walk(processor, walk_subquery, arg) ||\n (this->*processor)(arg);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 334286877002375130987056951697212503348, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509117 }, { "func": " bool walk(Item_processor processor, bool walk_subquery, void *args)\n {\n return (arg && arg->walk(processor, walk_subquery, args)) ||\n (this->*processor)(args);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 297152457921425312176239993996541407167, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509176 }, { "func": " bool walk(Item_processor processor, bool walk_subquery, void *args)\n {\n return arg->walk(processor, walk_subquery, args) ||\n\t (this->*processor)(args);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 213880519817177820226413650841770503984, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509244 }, { "func": " bool walk(Item_processor processor, bool walk_subquery, void *arg)\n {\n return orig_item->walk(processor, walk_subquery, arg) ||\n (this->*processor)(arg);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 220554356656939986152538310811828884166, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509258 }, { "func": " bool walk(Item_processor processor, bool walk_subquery, void *arg)\n {\n if (example && example->walk(processor, walk_subquery, arg))\n return TRUE;\n return (this->*processor)(arg);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 226523705939916893955506326710030229088, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509393 }, { "func": " virtual bool walk(Item_processor processor, bool walk_subquery, void *arg)\n {\n return (this->*processor)(arg);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 43848617064657168356770812867286613774, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509434 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "bool AudioContext::isAudioThread() const\n{\n return currentThread() == m_audioThread;\n}\n", "cwe": "", "big_vul_idx": 139666, "idx": 124816, "hash": 300899718054017693265707207317742881197 }, { "func": "static void hidinput_handle_scroll(struct hid_usage *usage,\n\t\t\t\t struct input_dev *input,\n\t\t\t\t __s32 value)\n{\n\tint code;\n\tint hi_res, lo_res;\n\n\tif (value == 0)\n\t\treturn;\n\n\tif (usage->code == REL_WHEEL_HI_RES)\n\t\tcode = REL_WHEEL;\n\telse\n\t\tcode = REL_HWHEEL;\n\n\t/*\n\t * Windows reports one wheel click as value 120. Where a high-res\n\t * scroll wheel is present, a fraction of 120 is reported instead.\n\t * Our REL_WHEEL_HI_RES axis does the same because all HW must\n\t * adhere to the 120 expectation.\n\t */\n\thi_res = value * 120/usage->resolution_multiplier;\n\n\tusage->wheel_accumulated += hi_res;\n\tlo_res = usage->wheel_accumulated/120;\n\tif (lo_res)\n\t\tusage->wheel_accumulated -= lo_res * 120;\n\n\tinput_event(input, EV_REL, code, lo_res);\n\tinput_event(input, EV_REL, usage->code, hi_res);\n}", "project": "linux", "hash": 234956264777979874809059658472439569474, "size": 31, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device 
is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458418 }, { "func": "void Commissioner::UpdateJoinerExpirationTimer(void)\n{\n TimeMilli now = TimerMilli::GetNow();\n uint32_t nextTimeout = TimeMilli::kMaxDuration;\n\n // Check if timer should be set for next Joiner.\n for (Joiner *joiner = &mJoiners[0]; joiner < OT_ARRAY_END(mJoiners); joiner++)\n {\n uint32_t diff;\n\n if (!joiner->mValid)\n {\n continue;\n }\n\n if (now >= joiner->mExpirationTime)\n {\n nextTimeout = 0;\n break;\n }\n\n diff = joiner->mExpirationTime - now;\n\n if (diff < nextTimeout)\n {\n nextTimeout = diff;\n }\n }\n\n if (nextTimeout != TimeMilli::kMaxDuration)\n {\n // Update the timer to the timeout of the next Joiner.\n mJoinerExpirationTimer.Start(nextTimeout);\n }\n else\n {\n // No Joiners, stop the timer.\n mJoinerExpirationTimer.Stop();\n }\n}", "project": "openthread", "hash": 10044645714379015590310436701421296825, "size": 40, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269888 }, { "func": "static void hash_rlp_number(uint32_t number) {\n if (!number) {\n return;\n }\n uint8_t data[4];\n data[0] = (number >> 24) & 0xff;\n data[1] = (number >> 16) & 0xff;\n data[2] = (number >> 8) & 0xff;\n data[3] = (number)&0xff;\n int offset = 0;\n while (!data[offset]) {\n offset++;\n }\n hash_rlp_field(data + offset, 4 - offset);\n}", "project": "keepkey-firmware", "hash": 86347190182802042536750398646768541308, "size": 15, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220883 }, { "func": "static u8 
mlme_set_request_sync(\n\tu8 pib_attribute,\n\tu8 pib_attribute_index,\n\tu8 pib_attribute_length,\n\tconst void *pib_attribute_value,\n\tvoid *device_ref\n)\n{\n\tu8 status;\n\tstruct mac_message command, response;\n\n\t/* pre-check the validity of pib_attribute values that are not checked\n\t * in MAC\n\t */\n\tif (tdme_checkpibattribute(\n\t\tpib_attribute, pib_attribute_length, pib_attribute_value)) {\n\t\treturn MAC_INVALID_PARAMETER;\n\t}\n\n\tif (pib_attribute == PHY_CURRENT_CHANNEL) {\n\t\tstatus = tdme_channelinit(\n\t\t\t*((u8 *)pib_attribute_value),\n\t\t\tdevice_ref\n\t\t);\n\t\tif (status)\n\t\t\treturn status;\n\t}\n\n\tif (pib_attribute == PHY_TRANSMIT_POWER) {\n\t\treturn tdme_settxpower(\n\t\t\t*((u8 *)pib_attribute_value),\n\t\t\tdevice_ref\n\t\t);\n\t}\n\n\tcommand.command_id = SPI_MLME_SET_REQUEST;\n\tcommand.length = sizeof(struct mlme_set_request_pset) -\n\t\tMAX_ATTRIBUTE_SIZE + pib_attribute_length;\n\tcommand.pdata.set_req.pib_attribute = pib_attribute;\n\tcommand.pdata.set_req.pib_attribute_index = pib_attribute_index;\n\tcommand.pdata.set_req.pib_attribute_length = pib_attribute_length;\n\tmemcpy(\n\t\tcommand.pdata.set_req.pib_attribute_value,\n\t\tpib_attribute_value,\n\t\tpib_attribute_length\n\t);\n\n\tif (cascoda_api_downstream(\n\t\t&command.command_id,\n\t\tcommand.length + 2,\n\t\t&response.command_id,\n\t\tdevice_ref)) {\n\t\treturn MAC_SYSTEM_ERROR;\n\t}\n\n\tif (response.command_id != SPI_MLME_SET_CONFIRM)\n\t\treturn MAC_SYSTEM_ERROR;\n\n\treturn response.pdata.status;\n}", "project": "linux", "hash": 84547131614121356468893700873383353092, "size": 60, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: 
https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408796 }, { "func": "static void svm_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (masked) {\n\t\tsvm->vcpu.arch.hflags |= HF_NMI_MASK;\n\t\tset_intercept(svm, INTERCEPT_IRET);\n\t} else {\n\t\tsvm->vcpu.arch.hflags &= ~HF_NMI_MASK;\n\t\tclr_intercept(svm, INTERCEPT_IRET);\n\t}\n}", "project": "linux", "hash": 87246263926793880852776618127224233593, "size": 12, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432400 }, { "func": " ~StaticString() {\n // prevent ~req::ptr from destroying contents.\n detach();\n }", "project": "hhvm", "hash": 182751694182222013217518907210474946544, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219460 }, { "func": " StringData* detach() { return m_str.detach(); }", "project": "hhvm", "hash": 136774828885727407298169007101421590922, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219605 }, { "func": "static void fuse_read_update_size(struct inode *inode, loff_t size,\n\t\t\t\t u64 attr_ver)\n{\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\n\tspin_lock(&fi->lock);\n\tif (attr_ver == 
fi->attr_version && size < inode->i_size &&\n\t !test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) {\n\t\tfi->attr_version = atomic64_inc_return(&fc->attr_version);\n\t\ti_size_write(inode, size);\n\t}\n\tspin_unlock(&fi->lock);\n}", "project": "linux", "hash": 115014952799500969855957445241958005132, "size": 14, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341907 }, { "func": "static int sctp_getsockopt_ecn_supported(struct sock *sk, int len,\n\t\t\t\t\t char __user *optval,\n\t\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_assoc_value params;\n\tstruct sctp_association *asoc;\n\tint retval = -EFAULT;\n\n\tif (len < sizeof(params)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tlen = sizeof(params);\n\tif (copy_from_user(¶ms, optval, len))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params.assoc_id);\n\tif (!asoc && params.assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tparams.assoc_value = asoc ? 
asoc->peer.ecn_capable\n\t\t\t\t : sctp_sk(sk)->ep->ecn_enable;\n\n\tif (put_user(len, optlen))\n\t\tgoto out;\n\n\tif (copy_to_user(optval, ¶ms, len))\n\t\tgoto out;\n\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 248564965332686256413709525374354762749, "size": 38, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398120 }, { "func": "int AsioFrontend::init_ssl()\n{\n boost::system::error_code ec;\n auto& config = conf->get_config_map();\n\n // ssl configuration\n auto cert = config.find(\"ssl_certificate\");\n const bool have_cert = cert != config.end();\n if (have_cert) {\n // only initialize the ssl context if it's going to be used\n ssl_context = boost::in_place(ssl::context::tls);\n }\n\n auto key = config.find(\"ssl_private_key\");\n const bool have_private_key = key != config.end();\n if (have_private_key) {\n if (!have_cert) {\n lderr(ctx()) << \"no ssl_certificate configured for ssl_private_key\" << dendl;\n return -EINVAL;\n }\n ssl_context->use_private_key_file(key->second, ssl::context::pem, ec);\n if (ec) {\n lderr(ctx()) << \"failed to add ssl_private_key=\" << key->second\n << \": \" << ec.message() << dendl;\n return -ec.value();\n }\n }\n if (have_cert) {\n ssl_context->use_certificate_chain_file(cert->second, ec);\n if (ec) {\n lderr(ctx()) << \"failed to use ssl_certificate=\" << cert->second\n << \": \" << ec.message() << dendl;\n return -ec.value();\n }\n if (!have_private_key) {\n // attempt to use it as a private key if a separate one wasn't provided\n ssl_context->use_private_key_file(cert->second, ssl::context::pem, ec);\n if (ec) {\n lderr(ctx()) << \"failed to use ssl_certificate=\" << cert->second\n << \" as a private key: \" << ec.message() << dendl;\n return -ec.value();\n }\n }\n }\n\n // parse ssl endpoints\n auto ports = config.equal_range(\"ssl_port\");\n for (auto i = ports.first; i != ports.second; ++i) {\n if (!have_cert) {\n lderr(ctx()) << \"no ssl_certificate configured for ssl_port\" << dendl;\n return -EINVAL;\n }\n auto port = parse_port(i->second.c_str(), ec);\n if (ec) {\n lderr(ctx()) << \"failed to parse ssl_port=\" << i->second << dendl;\n return -ec.value();\n }\n listeners.emplace_back(context);\n listeners.back().endpoint.port(port);\n listeners.back().use_ssl = true;\n\n 
listeners.emplace_back(context);\n listeners.back().endpoint = tcp::endpoint(tcp::v6(), port);\n listeners.back().use_ssl = true;\n }\n\n auto endpoints = config.equal_range(\"ssl_endpoint\");\n for (auto i = endpoints.first; i != endpoints.second; ++i) {\n if (!have_cert) {\n lderr(ctx()) << \"no ssl_certificate configured for ssl_endpoint\" << dendl;\n return -EINVAL;\n }\n auto endpoint = parse_endpoint(i->second, 443, ec);\n if (ec) {\n lderr(ctx()) << \"failed to parse ssl_endpoint=\" << i->second << dendl;\n return -ec.value();\n }\n listeners.emplace_back(context);\n listeners.back().endpoint = endpoint;\n listeners.back().use_ssl = true;\n }\n return 0;\n}", "project": "ceph", "hash": 123323650529320244594480241042264422036, "size": 83, "commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves CVE-2020-1700 (moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384561 }, { "func": "static int __tipc_nl_node_flush_key(struct sk_buff *skb,\n\t\t\t\t struct genl_info *info)\n{\n\tstruct net *net = sock_net(skb->sk);\n\tstruct tipc_net *tn = tipc_net(net);\n\tstruct tipc_node *n;\n\n\ttipc_crypto_key_flush(tn->crypto_tx);\n\trcu_read_lock();\n\tlist_for_each_entry_rcu(n, &tn->node_list, list)\n\t\ttipc_crypto_key_flush(n->crypto_rx);\n\trcu_read_unlock();\n\n\treturn 0;\n}", "project": "linux", "hash": 1070313887725001492529883159442380604, "size": 15, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot 
reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 
55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364940 }, { "func": "static int udp_reuseport_add_sock(struct sock *sk, struct udp_hslot *hslot)\n{\n\tstruct net *net = sock_net(sk);\n\tkuid_t uid = sock_i_uid(sk);\n\tstruct sock *sk2;\n\n\tsk_for_each(sk2, &hslot->head) {\n\t\tif (net_eq(sock_net(sk2), net) &&\n\t\t sk2 != sk &&\n\t\t sk2->sk_family == sk->sk_family &&\n\t\t ipv6_only_sock(sk2) == ipv6_only_sock(sk) &&\n\t\t (udp_sk(sk2)->udp_port_hash == udp_sk(sk)->udp_port_hash) &&\n\t\t (sk2->sk_bound_dev_if == sk->sk_bound_dev_if) &&\n\t\t sk2->sk_reuseport && uid_eq(uid, sock_i_uid(sk2)) &&\n\t\t inet_rcv_saddr_equal(sk, sk2, false)) {\n\t\t\treturn reuseport_add_sock(sk, sk2);\n\t\t}\n\t}\n\n\t/* Initial allocation may have already happened via setsockopt */\n\tif (!rcu_access_pointer(sk->sk_reuseport_cb))\n\t\treturn reuseport_alloc(sk);\n\treturn 0;\n}", "project": "net", "hash": 331237222757550814738954339896042007270, "size": 24, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 468985 }, { "func": "int mnt_context_do_umount(struct libmnt_context *cxt)\n{\n\tint rc;\n\tstruct libmnt_ns *ns_old;\n\n\tassert(cxt);\n\tassert(cxt->fs);\n\tassert(cxt->helper_exec_status == 1);\n\tassert(cxt->syscall_status == 1);\n\tassert((cxt->flags & MNT_FL_PREPARED));\n\tassert((cxt->action == MNT_ACT_UMOUNT));\n\tassert((cxt->flags & MNT_FL_MOUNTFLAGS_MERGED));\n\n\tns_old = mnt_context_switch_target_ns(cxt);\n\tif (!ns_old)\n\t\treturn -MNT_ERR_NAMESPACE;\n\n\trc = do_umount(cxt);\n\tif (rc)\n\t\tgoto end;\n\n\tif (mnt_context_get_status(cxt) && !mnt_context_is_fake(cxt)) {\n\t\t/*\n\t\t * Umounted, do some post-umount operations\n\t\t *\t- remove loopdev\n\t\t *\t- refresh in-memory mtab stuff if remount rather than\n\t\t *\t umount has been performed\n\t\t */\n\t\tif (mnt_context_is_loopdel(cxt)\n\t\t && !(cxt->mountflags & MS_REMOUNT))\n\t\t\trc = mnt_context_delete_loopdev(cxt);\n\n\t\tif (!mnt_context_is_nomtab(cxt)\n\t\t && mnt_context_get_status(cxt)\n\t\t && !cxt->helper\n\t\t && mnt_context_is_rdonly_umount(cxt)\n\t\t && (cxt->mountflags & MS_REMOUNT)) {\n\n\t\t\t/* use \"remount\" instead of \"umount\" in /etc/mtab */\n\t\t\tif (!rc && cxt->update && mnt_context_mtab_writable(cxt))\n\t\t\t\trc = mnt_update_set_fs(cxt->update,\n\t\t\t\t\t\t cxt->mountflags, NULL, cxt->fs);\n\t\t}\n\t}\nend:\n\tif (!mnt_context_switch_ns(cxt, ns_old))\n\t\treturn -MNT_ERR_NAMESPACE;\n\n\treturn rc;\n}", "project": "util-linux", "hash": 42387994550754701996925202793872633338, "size": 50, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410425 }, { "func": "std::unique_ptr MakeOutputWriter(const FeatureReaders& features,\n int64 num_buckets,\n uint64 hash_key,\n const 
Tensor* splits_out,\n Tensor* values_out) {\n if (values_out->dtype() == DT_INT64) {\n if (splits_out->dtype() == DT_INT64) {\n return std::make_unique>(\n features, num_buckets, hash_key, splits_out, values_out);\n } else {\n return std::make_unique>(\n features, num_buckets, hash_key, splits_out, values_out);\n }\n } else {\n if (splits_out->dtype() == DT_INT64) {\n return std::make_unique>(\n features, num_buckets, hash_key, splits_out, values_out);\n } else {\n return std::make_unique>(\n features, num_buckets, hash_key, splits_out, values_out);\n }\n }\n}", "project": "tensorflow", "hash": 60074875599503675777548526207515098301, "size": 23, "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a", "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9", "target": 0, "dataset": "other", "idx": 230078 }, { "func": "static inline u64 synic_read_sint(struct kvm_vcpu_hv_synic *synic, int sint)\n{\n\treturn atomic64_read(&synic->sint[sint]);\n}", "project": "linux", "hash": 96962761224889083421605268527948029032, "size": 4, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 
arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343540 }, { "func": "static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)\n{\n\tconst struct nf_conntrack_zone *zone;\n\tstruct nlattr *nest_parms;\n\n\tzone = nf_ct_zone(ct);\n\n\tnest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);\n\tif (!nest_parms)\n\t\tgoto nla_put_failure;\n\tif (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)\n\t\tgoto nla_put_failure;\n\tif (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,\n\t\t\t\t NF_CT_ZONE_DIR_ORIG) < 0)\n\t\tgoto nla_put_failure;\n\tnla_nest_end(skb, nest_parms);\n\n\tnest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);\n\tif (!nest_parms)\n\t\tgoto nla_put_failure;\n\tif (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)\n\t\tgoto nla_put_failure;\n\tif (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,\n\t\t\t\t NF_CT_ZONE_DIR_REPL) < 0)\n\t\tgoto nla_put_failure;\n\tnla_nest_end(skb, nest_parms);\n\n\tif (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,\n\t\t\t\t NF_CT_DEFAULT_ZONE_DIR) < 0)\n\t\tgoto nla_put_failure;\n\n\tif (ctnetlink_dump_id(skb, ct) < 0)\n\t\tgoto nla_put_failure;\n\n\tif (ctnetlink_dump_status(skb, ct) < 0)\n\t\tgoto nla_put_failure;\n\n\tif (ctnetlink_dump_timeout(skb, ct) < 0)\n\t\tgoto 
nla_put_failure;\n\n\tif (ctnetlink_dump_protoinfo(skb, ct) < 0)\n\t\tgoto nla_put_failure;\n\n\tif (ctnetlink_dump_helpinfo(skb, ct) < 0)\n\t\tgoto nla_put_failure;\n\n#ifdef CONFIG_NF_CONNTRACK_SECMARK\n\tif (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0)\n\t\tgoto nla_put_failure;\n#endif\n\tif (ct->master && ctnetlink_dump_master(skb, ct) < 0)\n\t\tgoto nla_put_failure;\n\n\tif ((ct->status & IPS_SEQ_ADJUST) &&\n\t ctnetlink_dump_ct_seq_adj(skb, ct) < 0)\n\t\tgoto nla_put_failure;\n\n\tif (ctnetlink_dump_ct_synproxy(skb, ct) < 0)\n\t\tgoto nla_put_failure;\n\n#ifdef CONFIG_NF_CONNTRACK_MARK\n\tif (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)\n\t\tgoto nla_put_failure;\n#endif\n\tif (ctnetlink_dump_labels(skb, ct) < 0)\n\t\tgoto nla_put_failure;\n\treturn 0;\n\nnla_put_failure:\n\treturn -ENOSPC;\n}", "project": "linux", "hash": 223164885306281947902217003985215542469, "size": 71, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. 
MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394204 }, { "func": "static uint8_t* my_malloc(size_t size) {\n void* block = NULL;\n int res = 0;\n\n/* Do an alignment to 32 bytes because AVX2 is supported */\n#if defined(_WIN32)\n /* A (void *) cast needed for avoiding a warning with MINGW :-/ */\n block = (void *)_aligned_malloc(size, 32);\n#elif _POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600\n /* Platform does have an implementation of posix_memalign */\n res = posix_memalign(&block, 32, size);\n#else\n block = malloc(size);\n#endif /* _WIN32 */\n\n if (block == NULL || res != 0) {\n printf(\"Error allocating memory!\");\n return NULL;\n }\n\n return (uint8_t*)block;\n}", "project": "c-blosc2", "hash": 96166035330611818969815982022462596115, "size": 22, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303114 }, { "func": "void tracing_record_taskinfo_sched_switch(struct task_struct *prev,\n\t\t\t\t\t struct task_struct *next, int flags)\n{\n\tbool 
done;\n\n\tif (tracing_record_taskinfo_skip(flags))\n\t\treturn;\n\n\t/*\n\t * Record as much task information as possible. If some fail, continue\n\t * to try to record the others.\n\t */\n\tdone = !(flags & TRACE_RECORD_CMDLINE) || trace_save_cmdline(prev);\n\tdone &= !(flags & TRACE_RECORD_CMDLINE) || trace_save_cmdline(next);\n\tdone &= !(flags & TRACE_RECORD_TGID) || trace_save_tgid(prev);\n\tdone &= !(flags & TRACE_RECORD_TGID) || trace_save_tgid(next);\n\n\t/* If recording any information failed, retry again soon. */\n\tif (!done)\n\t\treturn;\n\n\t__this_cpu_write(trace_taskinfo_save, false);\n}", "project": "linux", "hash": 54510275838113271670002760297182755162, "size": 23, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445539 }, { "func": "bool IsValidNodeName(StringPiece s, bool allow_internal_ops) {\n using ::tensorflow::strings::Scanner;\n Scanner scanner(s);\n scanner\n .One(allow_internal_ops ? 
Scanner::LETTER_DIGIT_DOT_UNDERSCORE\n : Scanner::LETTER_DIGIT_DOT)\n .Any(Scanner::LETTER_DIGIT_DASH_DOT_SLASH_UNDERSCORE);\n\n while (true) {\n if (!scanner.GetResult()) // Some error in previous iteration.\n return false;\n if (scanner.empty()) // No error, but nothing left, good.\n return true;\n\n // Absorb another piece, starting with a '>'\n scanner.One(Scanner::RANGLE)\n .One(Scanner::LETTER_DIGIT_DOT)\n .Any(Scanner::LETTER_DIGIT_DASH_DOT_SLASH_UNDERSCORE);\n }\n}", "project": "tensorflow", "hash": 34347740848855248936753020630759479662, "size": 20, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268324 }, { "func": "static OPJ_BOOL opj_tcd_dwt_encode(opj_tcd_t *p_tcd)\n{\n opj_tcd_tile_t * l_tile = p_tcd->tcd_image->tiles;\n opj_tcd_tilecomp_t * l_tile_comp = p_tcd->tcd_image->tiles->comps;\n opj_tccp_t * l_tccp = p_tcd->tcp->tccps;\n OPJ_UINT32 compno;\n\n for (compno = 0; compno < l_tile->numcomps; ++compno) {\n if (l_tccp->qmfbid == 1) {\n if (! opj_dwt_encode(p_tcd, l_tile_comp)) {\n return OPJ_FALSE;\n }\n } else if (l_tccp->qmfbid == 0) {\n if (! 
opj_dwt_encode_real(p_tcd, l_tile_comp)) {\n return OPJ_FALSE;\n }\n }\n\n ++l_tile_comp;\n ++l_tccp;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 16528236875111155640841045114598685364, "size": 24, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359156 }, { "func": "\nstatic void bfq_end_wr(struct bfq_data *bfqd)\n{\n\tstruct bfq_queue *bfqq;\n\n\tspin_lock_irq(&bfqd->lock);\n\n\tlist_for_each_entry(bfqq, &bfqd->active_list, bfqq_list)\n\t\tbfq_bfqq_end_wr(bfqq);\n\tlist_for_each_entry(bfqq, &bfqd->idle_list, bfqq_list)\n\t\tbfq_bfqq_end_wr(bfqq);\n\tbfq_end_wr_async(bfqd);\n\n\tspin_unlock_irq(&bfqd->lock);", "project": "linux", "hash": 66552426980642965784388263912051085679, "size": 14, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453398 }, { "func": "static void pfkey_sock_destruct(struct sock *sk)\n{\n\tstruct net *net = sock_net(sk);\n\tstruct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);\n\n\tpfkey_terminate_dump(pfkey_sk(sk));\n\tskb_queue_purge(&sk->sk_receive_queue);\n\n\tif (!sock_flag(sk, SOCK_DEAD)) {\n\t\tpr_err(\"Attempt to release alive pfkey socket: %p\\n\", sk);\n\t\treturn;\n\t}\n\n\tWARN_ON(atomic_read(&sk->sk_rmem_alloc));\n\tWARN_ON(refcount_read(&sk->sk_wmem_alloc));\n\n\tatomic_dec(&net_pfkey->socks_nr);\n}", "project": "linux", "hash": 58508409504597337706104187079587200697, "size": 18, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a 
kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268051 }, { "func": "void JOIN_TAB::remove_redundant_bnl_scan_conds()\n{\n if (!(select_cond && cache_select && cache &&\n (cache->get_join_alg() == JOIN_CACHE::BNL_JOIN_ALG ||\n cache->get_join_alg() == JOIN_CACHE::BNLH_JOIN_ALG)))\n return;\n\n /*\n select->cond is not processed separately. This method assumes it is always\n the same as select_cond.\n */\n if (select && select->cond != select_cond)\n return;\n\n if (is_cond_and(select_cond))\n {\n List_iterator pushed_cond_li(*((Item_cond*) select_cond)->argument_list());\n Item *pushed_item;\n Item_cond_and *reduced_select_cond= new (join->thd->mem_root)\n Item_cond_and(join->thd);\n\n if (is_cond_and(cache_select->cond))\n {\n List_iterator scan_cond_li(*((Item_cond*) cache_select->cond)->argument_list());\n Item *scan_item;\n while ((pushed_item= pushed_cond_li++))\n {\n bool found_cond= false;\n scan_cond_li.rewind();\n while ((scan_item= scan_cond_li++))\n {\n if (pushed_item->eq(scan_item, 0))\n {\n found_cond= true;\n break;\n }\n }\n if (!found_cond)\n reduced_select_cond->add(pushed_item, join->thd->mem_root);\n }\n }\n else\n {\n while ((pushed_item= pushed_cond_li++))\n {\n if (!pushed_item->eq(cache_select->cond, 0))\n reduced_select_cond->add(pushed_item, join->thd->mem_root);\n }\n }\n\n /*\n JOIN_CACHE::check_match uses JOIN_TAB::select->cond instead of\n JOIN_TAB::select_cond. 
set_cond() sets both pointers.\n */\n if (reduced_select_cond->argument_list()->is_empty())\n set_cond(NULL);\n else if (reduced_select_cond->argument_list()->elements == 1)\n set_cond(reduced_select_cond->argument_list()->head());\n else\n {\n reduced_select_cond->quick_fix_field();\n set_cond(reduced_select_cond);\n }\n }\n else if (select_cond->eq(cache_select->cond, 0))\n set_cond(NULL);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 230614769025832131148286208880784264192, "size": 67, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508476 }, { "func": "UnicodeStringTest::TestSizeofUnicodeString() {\n // See the comments in unistr.h near the declaration of UnicodeString's fields.\n // See the API comments for UNISTR_OBJECT_SIZE.\n size_t sizeofUniStr=sizeof(UnicodeString);\n size_t expected=UNISTR_OBJECT_SIZE;\n if(expected!=sizeofUniStr) {\n // Possible cause: UNISTR_OBJECT_SIZE may not be a multiple of sizeof(pointer),\n // of the compiler might add more internal padding than expected.\n errln(\"sizeof(UnicodeString)=%d, expected UNISTR_OBJECT_SIZE=%d\",\n (int)sizeofUniStr, (int)expected);\n }\n if(sizeofUniStr<32) {\n errln(\"sizeof(UnicodeString)=%d < 32, probably too small\", (int)sizeofUniStr);\n }\n // We assume that the entire UnicodeString object,\n // minus the vtable pointer and 2 bytes for flags and short length,\n // is available for internal storage of UChars.\n int32_t expectedStackBufferLength=((int32_t)UNISTR_OBJECT_SIZE-sizeof(void *)-2)/U_SIZEOF_UCHAR;\n UnicodeString s;\n const UChar *emptyBuffer=s.getBuffer();\n for(int32_t i=0; iinode,\n\t\t.interruptible = true,\n\t};\n\tint err;\n\n\tdo {\n\t\terr = _nfs4_proc_setlk(state, cmd, request);\n\t\tif (err == -NFS4ERR_DENIED)\n\t\t\terr = -EAGAIN;\n\t\terr = nfs4_handle_exception(NFS_SERVER(state->inode),\n\t\t\t\terr, &exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 161982279459291884152049670817864014482, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell 
\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431227 }, { "func": "static void fuse_kill_sb_blk(struct super_block *sb)\n{\n\tfuse_sb_destroy(sb);\n\tkill_block_super(sb);\n}", "project": "linux", "hash": 121061893566285012819882644055857988871, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342081 }, { "func": "static BOOL update_process_glyph_fragments(rdpContext* context, const BYTE* data, UINT32 length,\n UINT32 cacheId, UINT32 ulCharInc, UINT32 flAccel,\n UINT32 bgcolor, UINT32 fgcolor, INT32 x, INT32 y,\n INT32 bkX, INT32 bkY, INT32 bkWidth, INT32 bkHeight,\n INT32 opX, INT32 opY, INT32 opWidth, INT32 opHeight,\n BOOL fOpRedundant)\n{\n\tUINT32 n;\n\tUINT32 id;\n\tUINT32 size;\n\tUINT32 index = 0;\n\tBYTE* fragments;\n\trdpGraphics* graphics;\n\trdpGlyphCache* glyph_cache;\n\trdpGlyph* glyph;\n\tRDP_RECT bound;\n\n\tif (!context || !data || !context->graphics || !context->cache || !context->cache->glyph)\n\t\treturn FALSE;\n\n\tgraphics = context->graphics;\n\tglyph_cache = 
context->cache->glyph;\n\tglyph = graphics->Glyph_Prototype;\n\n\tif (!glyph)\n\t\treturn FALSE;\n\n\t/* Limit op rectangle to visible screen. */\n\tif (opX < 0)\n\t{\n\t\topWidth += opX;\n\t\topX = 0;\n\t}\n\n\tif (opY < 0)\n\t{\n\t\topHeight += opY;\n\t\topY = 0;\n\t}\n\n\tif (opWidth < 0)\n\t\topWidth = 0;\n\n\tif (opHeight < 0)\n\t\topHeight = 0;\n\n\t/* Limit bk rectangle to visible screen. */\n\tif (bkX < 0)\n\t{\n\t\tbkWidth += bkX;\n\t\tbkX = 0;\n\t}\n\n\tif (bkY < 0)\n\t{\n\t\tbkHeight += bkY;\n\t\tbkY = 0;\n\t}\n\n\tif (bkWidth < 0)\n\t\tbkWidth = 0;\n\n\tif (bkHeight < 0)\n\t\tbkHeight = 0;\n\n\tif (opX + opWidth > (INT64)context->settings->DesktopWidth)\n\t{\n\t\t/**\n\t\t * Some Microsoft servers send erroneous high values close to the\n\t\t * sint16 maximum in the OpRight field of the GlyphIndex, FastIndex and\n\t\t * FastGlyph drawing orders, probably a result of applications trying to\n\t\t * clear the text line to the very right end.\n\t\t * One example where this can be seen is typing in notepad.exe within\n\t\t * a RDP session to Windows XP Professional SP3.\n\t\t * This workaround prevents resulting problems in the UI callbacks.\n\t\t */\n\t\topWidth = context->settings->DesktopWidth - opX;\n\t}\n\n\tif (bkX + bkWidth > (INT64)context->settings->DesktopWidth)\n\t{\n\t\t/**\n\t\t * Some Microsoft servers send erroneous high values close to the\n\t\t * sint16 maximum in the OpRight field of the GlyphIndex, FastIndex and\n\t\t * FastGlyph drawing orders, probably a result of applications trying to\n\t\t * clear the text line to the very right end.\n\t\t * One example where this can be seen is typing in notepad.exe within\n\t\t * a RDP session to Windows XP Professional SP3.\n\t\t * This workaround prevents resulting problems in the UI callbacks.\n\t\t */\n\t\tbkWidth = context->settings->DesktopWidth - bkX;\n\t}\n\n\tbound.x = bkX;\n\tbound.y = bkY;\n\tbound.width = bkWidth;\n\tbound.height = bkHeight;\n\n\tif (!glyph->BeginDraw(context, opX, opY, 
opWidth, opHeight, bgcolor, fgcolor, fOpRedundant))\n\t\treturn FALSE;\n\n\tif (!IFCALLRESULT(TRUE, glyph->SetBounds, context, bkX, bkY, bkWidth, bkHeight))\n\t\treturn FALSE;\n\n\twhile (index < length)\n\t{\n\t\tconst UINT32 op = data[index++];\n\n\t\tswitch (op)\n\t\t{\n\t\t\tcase GLYPH_FRAGMENT_USE:\n\t\t\t\tif (index + 1 >= length)\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tid = data[index++];\n\t\t\t\tfragments = (BYTE*)glyph_cache_fragment_get(glyph_cache, id, &size);\n\n\t\t\t\tif (fragments == NULL)\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tfor (n = 0; n < size;)\n\t\t\t\t{\n\t\t\t\t\tconst UINT32 fop = fragments[n++];\n\t\t\t\t\tn = update_glyph_offset(fragments, size, n, &x, &y, ulCharInc, flAccel);\n\n\t\t\t\t\tif (!update_process_glyph(context, fragments, fop, &x, &y, cacheId, flAccel,\n\t\t\t\t\t fOpRedundant, &bound))\n\t\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\n\t\t\t\tbreak;\n\n\t\t\tcase GLYPH_FRAGMENT_ADD:\n\t\t\t\tif (index + 2 > length)\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tid = data[index++];\n\t\t\t\tsize = data[index++];\n\t\t\t\tglyph_cache_fragment_put(glyph_cache, id, size, data);\n\t\t\t\tbreak;\n\n\t\t\tdefault:\n\t\t\t\tindex = update_glyph_offset(data, length, index, &x, &y, ulCharInc, flAccel);\n\n\t\t\t\tif (!update_process_glyph(context, data, op, &x, &y, cacheId, flAccel, fOpRedundant,\n\t\t\t\t &bound))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\t\t}\n\t}\n\n\treturn glyph->EndDraw(context, opX, opY, opWidth, opHeight, bgcolor, fgcolor);\n}", "project": "FreeRDP", "hash": 160609502316268048828086113316533838808, "size": 154, "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 0, "dataset": "other", "idx": 432868 }, { "func": "static int tracing_clock_open(struct inode *inode, struct file *file)\n{\n\tstruct trace_array *tr = inode->i_private;\n\tint ret;\n\n\tif (tracing_disabled)\n\t\treturn -ENODEV;\n\n\tif 
(trace_array_get(tr))\n\t\treturn -ENODEV;\n\n\tret = single_open(file, tracing_clock_show, inode->i_private);\n\tif (ret < 0)\n\t\ttrace_array_put(tr);\n\n\treturn ret;\n}", "project": "linux", "hash": 324970104281712968184523847846483688899, "size": 17, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445669 }, { "func": "UnicodeString::doEquals(const UnicodeString &text, int32_t len) const {\n // Requires: this & text not bogus and have same lengths.\n // Byte-wise comparison works for equality regardless of endianness.\n return uprv_memcmp(getArrayStart(), text.getArrayStart(), len * U_SIZEOF_UCHAR) == 0;\n}", "project": "icu", "hash": 120588557732182676915452654338413364759, "size": 5, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430752 }, { "func": "static __always_inline int kvm_handle_hva_range(struct mmu_notifier *mn,\n\t\t\t\t\t\tunsigned long start,\n\t\t\t\t\t\tunsigned long end,\n\t\t\t\t\t\tpte_t pte,\n\t\t\t\t\t\thva_handler_t handler)\n{\n\tstruct kvm *kvm = mmu_notifier_to_kvm(mn);\n\tconst struct kvm_hva_range range = {\n\t\t.start\t\t= start,\n\t\t.end\t\t= end,\n\t\t.pte\t\t= pte,\n\t\t.handler\t= 
handler,\n\t\t.on_lock\t= (void *)kvm_null_fn,\n\t\t.flush_on_ret\t= true,\n\t\t.may_block\t= false,\n\t};\n\n\treturn __kvm_handle_hva_range(kvm, &range);\n}", "project": "linux", "hash": 124991062592686366933164898038925287182, "size": 19, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404111 }, { "func": "Status GraphConstructor::AddBackEdges() {\n // Add the back edges after all nodes are created.\n for (const auto& e : back_edges_) {\n Node* src_node = gdef_nodes_[e.src_name].node;\n if (e.src_index == Graph::kControlSlot) {\n g_->AddControlEdge(src_node, e.dst_node, kDoNotCheckDuplicates);\n } else {\n TF_RETURN_IF_ERROR(\n MakeEdge(src_node, e.src_index, e.dst_node, e.dst_index));\n }\n\n VLOG(2) << \"Add back edge: \" << src_node->name() << \" -> \"\n << e.dst_node->name();\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 126462323684339860077946690274116113093, "size": 16, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of 
`dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268350 }, { "func": "bool checkreturn pb_decode_varint(pb_istream_t *stream, uint64_t *dest)\n{\n uint8_t byte;\n uint8_t bitpos = 0;\n uint64_t result = 0;\n \n do\n {\n if (bitpos >= 64)\n PB_RETURN_ERROR(stream, \"varint overflow\");\n \n if (!pb_readbyte(stream, &byte))\n return false;\n\n result |= (uint64_t)(byte & 0x7F) << bitpos;\n bitpos = (uint8_t)(bitpos + 7);\n } while (byte & 0x80);\n \n *dest = result;\n return true;\n}", "project": "nanopb", "hash": 313430222284831998982669540192956100529, "size": 21, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255343 }, { "func": "static inline void map_qs_metadata(struct req_state* s)\n{\n /* merge S3 valid user metadata from the query-string into\n * x_meta_map, which maps them to attributes */\n const auto& params = const_cast(s->info.args).get_params();\n for (const auto& elt : params) {\n std::string k = boost::algorithm::to_lower_copy(elt.first);\n if (k.find(\"x-amz-meta-\") == /* offset */ 0) {\n add_amz_meta_header(s->info.x_meta_map, k, elt.second);\n }\n }\n}", "project": "ceph", "hash": 169317895716053228996728781947053872650, "size": 12, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry 
picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281390 }, { "func": "static void sctp_apply_asoc_delayed_ack(struct sctp_sack_info *params,\n\t\t\t\t\tstruct sctp_association *asoc)\n{\n\tstruct sctp_transport *trans;\n\n\tif (params->sack_delay) {\n\t\tasoc->sackdelay = msecs_to_jiffies(params->sack_delay);\n\t\tasoc->param_flags =\n\t\t\tsctp_spp_sackdelay_enable(asoc->param_flags);\n\t}\n\tif (params->sack_freq == 1) {\n\t\tasoc->param_flags =\n\t\t\tsctp_spp_sackdelay_disable(asoc->param_flags);\n\t} else if (params->sack_freq > 1) {\n\t\tasoc->sackfreq = params->sack_freq;\n\t\tasoc->param_flags =\n\t\t\tsctp_spp_sackdelay_enable(asoc->param_flags);\n\t}\n\n\tlist_for_each_entry(trans, &asoc->peer.transport_addr_list,\n\t\t\t transports) {\n\t\tif (params->sack_delay) {\n\t\t\ttrans->sackdelay = msecs_to_jiffies(params->sack_delay);\n\t\t\ttrans->param_flags =\n\t\t\t\tsctp_spp_sackdelay_enable(trans->param_flags);\n\t\t}\n\t\tif (params->sack_freq == 1) {\n\t\t\ttrans->param_flags =\n\t\t\t\tsctp_spp_sackdelay_disable(trans->param_flags);\n\t\t} else if (params->sack_freq > 1) {\n\t\t\ttrans->sackfreq = params->sack_freq;\n\t\t\ttrans->param_flags =\n\t\t\t\tsctp_spp_sackdelay_enable(trans->param_flags);\n\t\t}\n\t}\n}", "project": "linux", "hash": 257107458363545486674145051225346453462, "size": 36, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398143 }, { "func": "static int sctp_assoc_ulpevent_type_set(struct sctp_event *param,\n\t\t\t\t\tstruct sctp_association *asoc)\n{\n\tstruct sctp_ulpevent *event;\n\n\tsctp_ulpevent_type_set(&asoc->subscribe, param->se_type, param->se_on);\n\n\tif (param->se_type == SCTP_SENDER_DRY_EVENT && param->se_on) {\n\t\tif (sctp_outq_is_empty(&asoc->outqueue)) {\n\t\t\tevent = sctp_ulpevent_make_sender_dry_event(asoc,\n\t\t\t\t\tGFP_USER | __GFP_NOWARN);\n\t\t\tif (!event)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tasoc->stream.si->enqueue_event(&asoc->ulpq, event);\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 71164762736094237861130297420124746276, "size": 20, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398057 }, { "func": "int kvm_hv_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data, bool host)\n{\n\tstruct kvm_hv *hv = to_kvm_hv(vcpu->kvm);\n\n\tif (!host && !vcpu->arch.hyperv_enabled)\n\t\treturn 1;\n\n\tif (!to_hv_vcpu(vcpu)) {\n\t\tif (kvm_hv_vcpu_init(vcpu))\n\t\t\treturn 1;\n\t}\n\n\tif (kvm_hv_msr_partition_wide(msr)) {\n\t\tint r;\n\n\t\tmutex_lock(&hv->hv_lock);\n\t\tr = kvm_hv_set_msr_pw(vcpu, msr, data, host);\n\t\tmutex_unlock(&hv->hv_lock);\n\t\treturn r;\n\t} else\n\t\treturn kvm_hv_set_msr(vcpu, msr, data, host);\n}", "project": "linux", "hash": 240134465404821556621331851104700199531, "size": 22, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 
fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343510 }, { "func": "void CServer::ProcessClientPacket(CNetChunk *pPacket)\n{\n\tint ClientID = pPacket->m_ClientID;\n\tCUnpacker Unpacker;\n\tUnpacker.Reset(pPacket->m_pData, pPacket->m_DataSize);\n\n\t// unpack msgid and system flag\n\tint Msg = Unpacker.GetInt();\n\tint Sys = Msg&1;\n\tMsg >>= 1;\n\n\tif(Unpacker.Error())\n\t\treturn;\n\n\tif(Sys)\n\t{\n\t\t// system message\n\t\tif(Msg == NETMSG_INFO)\n\t\t{\n\t\t\tif((pPacket->m_Flags&NET_CHUNKFLAG_VITAL) != 0 && m_aClients[ClientID].m_State == CClient::STATE_AUTH)\n\t\t\t{\n\t\t\t\tconst char *pVersion = Unpacker.GetString(CUnpacker::SANITIZE_CC);\n\t\t\t\tif(str_comp(pVersion, GameServer()->NetVersion()) != 0)\n\t\t\t\t{\n\t\t\t\t\t// wrong version\n\t\t\t\t\tchar aReason[256];\n\t\t\t\t\tstr_format(aReason, sizeof(aReason), \"Wrong version. 
Server is running '%s' and client '%s'\", GameServer()->NetVersion(), pVersion);\n\t\t\t\t\tm_NetServer.Drop(ClientID, aReason);\n\t\t\t\t\treturn;\n\t\t\t\t}\n\n\t\t\t\tconst char *pPassword = Unpacker.GetString(CUnpacker::SANITIZE_CC);\n\t\t\t\tif(Config()->m_Password[0] != 0 && str_comp(Config()->m_Password, pPassword) != 0)\n\t\t\t\t{\n\t\t\t\t\t// wrong password\n\t\t\t\t\tm_NetServer.Drop(ClientID, \"Wrong password\");\n\t\t\t\t\treturn;\n\t\t\t\t}\n\n\t\t\t\tm_aClients[ClientID].m_Version = Unpacker.GetInt();\n\n\t\t\t\tm_aClients[ClientID].m_State = CClient::STATE_CONNECTING;\n\t\t\t\tSendMap(ClientID);\n\t\t\t}\n\t\t}\n\t\telse if(Msg == NETMSG_REQUEST_MAP_DATA)\n\t\t{\n\t\t\tif((pPacket->m_Flags&NET_CHUNKFLAG_VITAL) != 0 && (m_aClients[ClientID].m_State == CClient::STATE_CONNECTING || m_aClients[ClientID].m_State == CClient::STATE_CONNECTING_AS_SPEC))\n\t\t\t{\n\t\t\t\tint ChunkSize = MAP_CHUNK_SIZE;\n\n\t\t\t\t// send map chunks\n\t\t\t\tfor(int i = 0; i < m_MapChunksPerRequest && m_aClients[ClientID].m_MapChunk >= 0; ++i)\n\t\t\t\t{\n\t\t\t\t\tint Chunk = m_aClients[ClientID].m_MapChunk;\n\t\t\t\t\tint Offset = Chunk * ChunkSize;\n\n\t\t\t\t\t// check for last part\n\t\t\t\t\tif(Offset+ChunkSize >= m_CurrentMapSize)\n\t\t\t\t\t{\n\t\t\t\t\t\tChunkSize = m_CurrentMapSize-Offset;\n\t\t\t\t\t\tm_aClients[ClientID].m_MapChunk = -1;\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t\tm_aClients[ClientID].m_MapChunk++;\n\n\t\t\t\t\tCMsgPacker Msg(NETMSG_MAP_DATA, true);\n\t\t\t\t\tMsg.AddRaw(&m_pCurrentMapData[Offset], ChunkSize);\n\t\t\t\t\tSendMsg(&Msg, MSGFLAG_VITAL|MSGFLAG_FLUSH, ClientID);\n\n\t\t\t\t\tif(Config()->m_Debug)\n\t\t\t\t\t{\n\t\t\t\t\t\tchar aBuf[64];\n\t\t\t\t\t\tstr_format(aBuf, sizeof(aBuf), \"sending chunk %d with size %d\", Chunk, ChunkSize);\n\t\t\t\t\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_DEBUG, \"server\", aBuf);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\telse if(Msg == 
NETMSG_READY)\n\t\t{\n\t\t\tif((pPacket->m_Flags&NET_CHUNKFLAG_VITAL) != 0 && (m_aClients[ClientID].m_State == CClient::STATE_CONNECTING || m_aClients[ClientID].m_State == CClient::STATE_CONNECTING_AS_SPEC))\n\t\t\t{\n\t\t\t\tchar aAddrStr[NETADDR_MAXSTRSIZE];\n\t\t\t\tnet_addr_str(m_NetServer.ClientAddr(ClientID), aAddrStr, sizeof(aAddrStr), true);\n\n\t\t\t\tchar aBuf[256];\n\t\t\t\tstr_format(aBuf, sizeof(aBuf), \"player is ready. ClientID=%d addr=%s\", ClientID, aAddrStr);\n\t\t\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_ADDINFO, \"server\", aBuf);\n\n\t\t\t\tbool ConnectAsSpec = m_aClients[ClientID].m_State == CClient::STATE_CONNECTING_AS_SPEC;\n\t\t\t\tm_aClients[ClientID].m_State = CClient::STATE_READY;\n\t\t\t\tGameServer()->OnClientConnected(ClientID, ConnectAsSpec);\n\t\t\t\tSendConnectionReady(ClientID);\n\t\t\t}\n\t\t}\n\t\telse if(Msg == NETMSG_ENTERGAME)\n\t\t{\n\t\t\tif((pPacket->m_Flags&NET_CHUNKFLAG_VITAL) != 0 && m_aClients[ClientID].m_State == CClient::STATE_READY && GameServer()->IsClientReady(ClientID))\n\t\t\t{\n\t\t\t\tchar aAddrStr[NETADDR_MAXSTRSIZE];\n\t\t\t\tnet_addr_str(m_NetServer.ClientAddr(ClientID), aAddrStr, sizeof(aAddrStr), true);\n\n\t\t\t\tchar aBuf[256];\n\t\t\t\tstr_format(aBuf, sizeof(aBuf), \"player has entered the game. 
ClientID=%d addr=%s\", ClientID, aAddrStr);\n\t\t\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"server\", aBuf);\n\t\t\t\tm_aClients[ClientID].m_State = CClient::STATE_INGAME;\n\t\t\t\tSendServerInfo(ClientID);\n\t\t\t\tGameServer()->OnClientEnter(ClientID);\n\t\t\t}\n\t\t}\n\t\telse if(Msg == NETMSG_INPUT)\n\t\t{\n\t\t\tCClient::CInput *pInput;\n\t\t\tint64 TagTime;\n\t\t\tint64 Now = time_get();\n\n\t\t\tm_aClients[ClientID].m_LastAckedSnapshot = Unpacker.GetInt();\n\t\t\tint IntendedTick = Unpacker.GetInt();\n\t\t\tint Size = Unpacker.GetInt();\n\n\t\t\t// check for errors\n\t\t\tif(Unpacker.Error() || Size/4 > MAX_INPUT_SIZE)\n\t\t\t\treturn;\n\n\t\t\tif(m_aClients[ClientID].m_LastAckedSnapshot > 0)\n\t\t\t\tm_aClients[ClientID].m_SnapRate = CClient::SNAPRATE_FULL;\n\n\t\t\t// add message to report the input timing\n\t\t\t// skip packets that are old\n\t\t\tif(IntendedTick > m_aClients[ClientID].m_LastInputTick)\n\t\t\t{\n\t\t\t\tint TimeLeft = ((TickStartTime(IntendedTick)-Now)*1000) / time_freq();\n\n\t\t\t\tCMsgPacker Msg(NETMSG_INPUTTIMING, true);\n\t\t\t\tMsg.AddInt(IntendedTick);\n\t\t\t\tMsg.AddInt(TimeLeft);\n\t\t\t\tSendMsg(&Msg, 0, ClientID);\n\t\t\t}\n\n\t\t\tm_aClients[ClientID].m_LastInputTick = IntendedTick;\n\n\t\t\tpInput = &m_aClients[ClientID].m_aInputs[m_aClients[ClientID].m_CurrentInput];\n\n\t\t\tif(IntendedTick <= Tick())\n\t\t\t\tIntendedTick = Tick()+1;\n\n\t\t\tpInput->m_GameTick = IntendedTick;\n\n\t\t\tfor(int i = 0; i < Size/4; i++)\n\t\t\t\tpInput->m_aData[i] = Unpacker.GetInt();\n\n\t\t\tint PingCorrection = clamp(Unpacker.GetInt(), 0, 50);\n\t\t\tif(m_aClients[ClientID].m_Snapshots.Get(m_aClients[ClientID].m_LastAckedSnapshot, &TagTime, 0, 0) >= 0)\n\t\t\t{\n\t\t\t\tm_aClients[ClientID].m_Latency = (int)(((Now-TagTime)*1000)/time_freq());\n\t\t\t\tm_aClients[ClientID].m_Latency = max(0, m_aClients[ClientID].m_Latency - PingCorrection);\n\t\t\t}\n\n\t\t\tmem_copy(m_aClients[ClientID].m_LatestInput.m_aData, pInput->m_aData, 
MAX_INPUT_SIZE*sizeof(int));\n\n\t\t\tm_aClients[ClientID].m_CurrentInput++;\n\t\t\tm_aClients[ClientID].m_CurrentInput %= 200;\n\n\t\t\t// call the mod with the fresh input data\n\t\t\tif(m_aClients[ClientID].m_State == CClient::STATE_INGAME)\n\t\t\t\tGameServer()->OnClientDirectInput(ClientID, m_aClients[ClientID].m_LatestInput.m_aData);\n\t\t}\n\t\telse if(Msg == NETMSG_RCON_CMD)\n\t\t{\n\t\t\tconst char *pCmd = Unpacker.GetString();\n\n\t\t\tif((pPacket->m_Flags&NET_CHUNKFLAG_VITAL) != 0 && Unpacker.Error() == 0 && m_aClients[ClientID].m_Authed)\n\t\t\t{\n\t\t\t\tchar aBuf[256];\n\t\t\t\tstr_format(aBuf, sizeof(aBuf), \"ClientID=%d rcon='%s'\", ClientID, pCmd);\n\t\t\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_ADDINFO, \"server\", aBuf);\n\t\t\t\tm_RconClientID = ClientID;\n\t\t\t\tm_RconAuthLevel = m_aClients[ClientID].m_Authed;\n\t\t\t\tConsole()->SetAccessLevel(m_aClients[ClientID].m_Authed == AUTHED_ADMIN ? IConsole::ACCESS_LEVEL_ADMIN : IConsole::ACCESS_LEVEL_MOD);\n\t\t\t\tConsole()->ExecuteLineFlag(pCmd, CFGFLAG_SERVER);\n\t\t\t\tConsole()->SetAccessLevel(IConsole::ACCESS_LEVEL_ADMIN);\n\t\t\t\tm_RconClientID = IServer::RCON_CID_SERV;\n\t\t\t\tm_RconAuthLevel = AUTHED_ADMIN;\n\t\t\t}\n\t\t}\n\t\telse if(Msg == NETMSG_RCON_AUTH)\n\t\t{\n\t\t\tconst char *pPw = Unpacker.GetString(CUnpacker::SANITIZE_CC);\n\n\t\t\tif((pPacket->m_Flags&NET_CHUNKFLAG_VITAL) != 0 && Unpacker.Error() == 0)\n\t\t\t{\n\t\t\t\tif(Config()->m_SvRconPassword[0] == 0 && Config()->m_SvRconModPassword[0] == 0)\n\t\t\t\t{\n\t\t\t\t\tif(!m_aClients[ClientID].m_NoRconNote)\n\t\t\t\t\t{\n\t\t\t\t\t\tSendRconLine(ClientID, \"No rcon password set on server. 
Set sv_rcon_password and/or sv_rcon_mod_password to enable the remote console.\");\n\t\t\t\t\t\tm_aClients[ClientID].m_NoRconNote = true;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\telse if(Config()->m_SvRconPassword[0] && str_comp(pPw, Config()->m_SvRconPassword) == 0)\n\t\t\t\t{\n\t\t\t\t\tCMsgPacker Msg(NETMSG_RCON_AUTH_ON, true);\n\t\t\t\t\tSendMsg(&Msg, MSGFLAG_VITAL, ClientID);\n\n\t\t\t\t\tm_aClients[ClientID].m_Authed = AUTHED_ADMIN;\n\t\t\t\t\tm_aClients[ClientID].m_pRconCmdToSend = Console()->FirstCommandInfo(IConsole::ACCESS_LEVEL_ADMIN, CFGFLAG_SERVER);\n\t\t\t\t\tif(m_aClients[ClientID].m_Version >= MIN_MAPLIST_CLIENTVERSION)\n\t\t\t\t\t\tm_aClients[ClientID].m_pMapListEntryToSend = m_pFirstMapEntry;\n\t\t\t\t\tSendRconLine(ClientID, \"Admin authentication successful. Full remote console access granted.\");\n\t\t\t\t\tchar aBuf[256];\n\t\t\t\t\tstr_format(aBuf, sizeof(aBuf), \"ClientID=%d authed (admin)\", ClientID);\n\t\t\t\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"server\", aBuf);\n\t\t\t\t}\n\t\t\t\telse if(Config()->m_SvRconModPassword[0] && str_comp(pPw, Config()->m_SvRconModPassword) == 0)\n\t\t\t\t{\n\t\t\t\t\tCMsgPacker Msg(NETMSG_RCON_AUTH_ON, true);\n\t\t\t\t\tSendMsg(&Msg, MSGFLAG_VITAL, ClientID);\n\n\t\t\t\t\tm_aClients[ClientID].m_Authed = AUTHED_MOD;\n\t\t\t\t\tm_aClients[ClientID].m_pRconCmdToSend = Console()->FirstCommandInfo(IConsole::ACCESS_LEVEL_MOD, CFGFLAG_SERVER);\n\t\t\t\t\tSendRconLine(ClientID, \"Moderator authentication successful. 
Limited remote console access granted.\");\n\t\t\t\t\tconst IConsole::CCommandInfo *pInfo = Console()->GetCommandInfo(\"sv_map\", CFGFLAG_SERVER, false);\n\t\t\t\t\tif(pInfo && pInfo->GetAccessLevel() == IConsole::ACCESS_LEVEL_MOD && m_aClients[ClientID].m_Version >= MIN_MAPLIST_CLIENTVERSION)\n\t\t\t\t\t\tm_aClients[ClientID].m_pMapListEntryToSend = m_pFirstMapEntry;\n\t\t\t\t\tchar aBuf[256];\n\t\t\t\t\tstr_format(aBuf, sizeof(aBuf), \"ClientID=%d authed (moderator)\", ClientID);\n\t\t\t\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"server\", aBuf);\n\t\t\t\t}\n\t\t\t\telse if(Config()->m_SvRconMaxTries && m_ServerBan.IsBannable(m_NetServer.ClientAddr(ClientID)))\n\t\t\t\t{\n\t\t\t\t\tm_aClients[ClientID].m_AuthTries++;\n\t\t\t\t\tchar aBuf[128];\n\t\t\t\t\tstr_format(aBuf, sizeof(aBuf), \"Wrong password %d/%d.\", m_aClients[ClientID].m_AuthTries, Config()->m_SvRconMaxTries);\n\t\t\t\t\tSendRconLine(ClientID, aBuf);\n\t\t\t\t\tif(m_aClients[ClientID].m_AuthTries >= Config()->m_SvRconMaxTries)\n\t\t\t\t\t{\n\t\t\t\t\t\tif(!Config()->m_SvRconBantime)\n\t\t\t\t\t\t\tm_NetServer.Drop(ClientID, \"Too many remote console authentication tries\");\n\t\t\t\t\t\telse\n\t\t\t\t\t\t\tm_ServerBan.BanAddr(m_NetServer.ClientAddr(ClientID), Config()->m_SvRconBantime*60, \"Too many remote console authentication tries\");\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tSendRconLine(ClientID, \"Wrong password.\");\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\telse if(Msg == NETMSG_PING)\n\t\t{\n\t\t\tCMsgPacker Msg(NETMSG_PING_REPLY, true);\n\t\t\tSendMsg(&Msg, 0, ClientID);\n\t\t}\n\t\telse\n\t\t{\n\t\t\tif(Config()->m_Debug)\n\t\t\t{\n\t\t\t\tchar aHex[] = \"0123456789ABCDEF\";\n\t\t\t\tchar aBuf[512];\n\n\t\t\t\tfor(int b = 0; b < pPacket->m_DataSize && b < 32; b++)\n\t\t\t\t{\n\t\t\t\t\taBuf[b*3] = aHex[((const unsigned char *)pPacket->m_pData)[b]>>4];\n\t\t\t\t\taBuf[b*3+1] = aHex[((const unsigned char *)pPacket->m_pData)[b]&0xf];\n\t\t\t\t\taBuf[b*3+2] = ' 
';\n\t\t\t\t\taBuf[b*3+3] = 0;\n\t\t\t\t}\n\n\t\t\t\tchar aBufMsg[256];\n\t\t\t\tstr_format(aBufMsg, sizeof(aBufMsg), \"strange message ClientID=%d msg=%d data_size=%d\", ClientID, Msg, pPacket->m_DataSize);\n\t\t\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_DEBUG, \"server\", aBufMsg);\n\t\t\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_DEBUG, \"server\", aBuf);\n\t\t\t}\n\t\t}\n\t}\n\telse\n\t{\n\t\t// game message\n\t\tif((pPacket->m_Flags&NET_CHUNKFLAG_VITAL) != 0 && m_aClients[ClientID].m_State >= CClient::STATE_READY)\n\t\t\tGameServer()->OnMessage(Msg, &Unpacker, ClientID);\n\t}\n}", "project": "teeworlds", "hash": 251902769085037938225444032452487066689, "size": 283, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382046 }, { "func": "static struct sock *pep_find_pipe(const struct hlist_head *hlist,\n\t\t\t\t\tconst struct sockaddr_pn *dst,\n\t\t\t\t\tu8 pipe_handle)\n{\n\tstruct sock *sknode;\n\tu16 dobj = pn_sockaddr_get_object(dst);\n\n\tsk_for_each(sknode, hlist) {\n\t\tstruct pep_sock *pnnode = pep_sk(sknode);\n\n\t\t/* Ports match, but addresses might not: */\n\t\tif (pnnode->pn_sk.sobject != dobj)\n\t\t\tcontinue;\n\t\tif (pnnode->pipe_handle != pipe_handle)\n\t\t\tcontinue;\n\t\tif (sknode->sk_state == TCP_CLOSE_WAIT)\n\t\t\tcontinue;\n\n\t\tsock_hold(sknode);\n\t\treturn sknode;\n\t}\n\treturn NULL;\n}", "project": "linux", "hash": 76980100235227017778827247980977038680, "size": 23, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224828 }, { "func": "static struct sock *__x25_find_socket(unsigned int 
lci, struct x25_neigh *nb)\n{\n\tstruct sock *s;\n\n\tsk_for_each(s, &x25_list)\n\t\tif (x25_sk(s)->lci == lci && x25_sk(s)->neighbour == nb) {\n\t\t\tsock_hold(s);\n\t\t\tgoto found;\n\t\t}\n\ts = NULL;\nfound:\n\treturn s;\n}", "project": "net", "hash": 67079427656035143851933294068480089537, "size": 13, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 449156 }, { "func": "static int test_split(struct libmnt_test *ts, int argc, char *argv[])\n{\n\tchar *optstr, *user = NULL, *fs = NULL, *vfs = NULL;\n\tint rc;\n\n\tif (argc < 2)\n\t\treturn -EINVAL;\n\n\toptstr = xstrdup(argv[1]);\n\n\trc = mnt_split_optstr(optstr, &user, &vfs, &fs, 0, 0);\n\tif (!rc) {\n\t\tprintf(\"user : %s\\n\", user);\n\t\tprintf(\"vfs : %s\\n\", vfs);\n\t\tprintf(\"fs : %s\\n\", fs);\n\t}\n\n\tfree(user);\n\tfree(vfs);\n\tfree(fs);\n\tfree(optstr);\n\treturn rc;\n}", "project": "util-linux", "hash": 203797798810617987791782794267840034083, "size": 23, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410401 }, { "func": "\nvoid bfq_end_wr_async_queues(struct bfq_data *bfqd,\n\t\t\t struct bfq_group *bfqg)\n{\n\tint i, j;\n\n\tfor (i = 0; i < 2; i++)\n\t\tfor (j = 0; j < IOPRIO_BE_NR; j++)\n\t\t\tif (bfqg->async_bfqq[i][j])\n\t\t\t\tbfq_bfqq_end_wr(bfqg->async_bfqq[i][j]);\n\tif (bfqg->async_idle_bfqq)\n\t\tbfq_bfqq_end_wr(bfqg->async_idle_bfqq);", "project": "linux", "hash": 128086798527104862783807040331236744359, "size": 12, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. 
If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] 
blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 
ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453308 }, { "func": "int gdImageColorResolve (gdImagePtr im, int r, int g, int b)\n{\n\treturn gdImageColorResolveAlpha(im, r, g, b, gdAlphaOpaque);\n}", "project": "php-src", "hash": 307998074707163198612123954678389074957, "size": 4, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295122 }, { "func": "static int bid_standard(struct archive_read* a) {\n\tconst uint8_t* p;\n\n\tif(!read_ahead(a, rar5_signature_size, &p))\n\t\treturn -1;\n\n\tif(!memcmp(rar5_signature, p, rar5_signature_size))\n\t\treturn 30;\n\n\treturn -1;\n}", 
"project": "libarchive", "hash": 93361383480893186789694312554494157668, "size": 11, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244787 }, { "func": "static void vc_uniscr_delete(struct vc_data *vc, unsigned int nr)\n{\n\tstruct uni_screen *uniscr = get_vc_uniscr(vc);\n\n\tif (uniscr) {\n\t\tchar32_t *ln = uniscr->lines[vc->vc_y];\n\t\tunsigned int x = vc->vc_x, cols = vc->vc_cols;\n\n\t\tmemcpy(&ln[x], &ln[x + nr], (cols - x - nr) * sizeof(*ln));\n\t\tmemset32(&ln[cols - nr], ' ', nr);\n\t}\n}", "project": "linux", "hash": 58943792673451611686927375624633433331, "size": 12, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437079 }, { "func": "static inline void set_cr_intercept(struct vcpu_svm *svm, int bit)\n{\n\tstruct vmcb *vmcb = get_host_vmcb(svm);\n\n\tvmcb->control.intercept_cr |= (1U << bit);\n\n\trecalc_intercepts(svm);\n}", "project": "linux", "hash": 234070936784989686005899771100314595049, "size": 8, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432645 }, { "func": "int kvm_arch_vcpu_ioctl_set_mpstate(struct kvm_vcpu *vcpu,\n\t\t\t\t struct kvm_mp_state *mp_state)\n{\n\tint rc = 0;\n\n\tvcpu_load(vcpu);\n\n\t/* user space knows about this interface - let it control the state */\n\tvcpu->kvm->arch.user_cpu_state_ctrl = 1;\n\n\tswitch (mp_state->mp_state) {\n\tcase KVM_MP_STATE_STOPPED:\n\t\trc = kvm_s390_vcpu_stop(vcpu);\n\t\tbreak;\n\tcase KVM_MP_STATE_OPERATING:\n\t\trc = kvm_s390_vcpu_start(vcpu);\n\t\tbreak;\n\tcase KVM_MP_STATE_LOAD:\n\t\tif (!kvm_s390_pv_cpu_is_protected(vcpu)) {\n\t\t\trc = -ENXIO;\n\t\t\tbreak;\n\t\t}\n\t\trc = kvm_s390_pv_set_cpu_state(vcpu, PV_CPU_STATE_OPR_LOAD);\n\t\tbreak;\n\tcase KVM_MP_STATE_CHECK_STOP:\n\t\t/* fall through - CHECK_STOP and LOAD are not supported yet */\n\tdefault:\n\t\trc = -ENXIO;\n\t}\n\n\tvcpu_put(vcpu);\n\treturn rc;\n}", "project": "linux", "hash": 142194640729150577539896597636461501106, "size": 33, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when 
deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354479 }, { "func": "static inline void set_exception_intercept(struct vcpu_svm *svm, int bit)\n{\n\tstruct vmcb *vmcb = get_host_vmcb(svm);\n\n\tvmcb->control.intercept_exceptions |= (1U << bit);\n\n\trecalc_intercepts(svm);\n}", "project": "linux", "hash": 66376699722315070583146734566220241110, "size": 8, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432413 }, { "func": "static void do_renew_lease(struct nfs_client *clp, unsigned long timestamp)\n{\n\tspin_lock(&clp->cl_lock);\n\tif (time_before(clp->cl_last_renewal,timestamp))\n\t\tclp->cl_last_renewal = timestamp;\n\tspin_unlock(&clp->cl_lock);\n}", "project": "linux", "hash": 260365560838148320759817588923704230948, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431105 }, { "func": "static void hci_req_start_scan(struct hci_request *req, u8 type, u16 interval,\n\t\t\t u16 window, u8 own_addr_type, u8 filter_policy,\n\t\t\t bool addr_resolv)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\n\tif (hdev->scanning_paused) {\n\t\tbt_dev_dbg(hdev, \"Scanning is paused for suspend\");\n\t\treturn;\n\t}\n\n\tif (use_ll_privacy(hdev) &&\n\t hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY) &&\n\t addr_resolv) {\n\t\tu8 enable = 0x01;\n\n\t\thci_req_add(req, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE, 1, &enable);\n\t}\n\n\t/* Use ext scanning if set ext scan param and ext scan enable is\n\t * supported\n\t */\n\tif (use_ext_scan(hdev)) {\n\t\tstruct hci_cp_le_set_ext_scan_params *ext_param_cp;\n\t\tstruct hci_cp_le_set_ext_scan_enable ext_enable_cp;\n\t\tstruct hci_cp_le_scan_phy_params *phy_params;\n\t\tu8 data[sizeof(*ext_param_cp) + sizeof(*phy_params) * 2];\n\t\tu32 plen;\n\n\t\text_param_cp = (void 
*)data;\n\t\tphy_params = (void *)ext_param_cp->data;\n\n\t\tmemset(ext_param_cp, 0, sizeof(*ext_param_cp));\n\t\text_param_cp->own_addr_type = own_addr_type;\n\t\text_param_cp->filter_policy = filter_policy;\n\n\t\tplen = sizeof(*ext_param_cp);\n\n\t\tif (scan_1m(hdev) || scan_2m(hdev)) {\n\t\t\text_param_cp->scanning_phys |= LE_SCAN_PHY_1M;\n\n\t\t\tmemset(phy_params, 0, sizeof(*phy_params));\n\t\t\tphy_params->type = type;\n\t\t\tphy_params->interval = cpu_to_le16(interval);\n\t\t\tphy_params->window = cpu_to_le16(window);\n\n\t\t\tplen += sizeof(*phy_params);\n\t\t\tphy_params++;\n\t\t}\n\n\t\tif (scan_coded(hdev)) {\n\t\t\text_param_cp->scanning_phys |= LE_SCAN_PHY_CODED;\n\n\t\t\tmemset(phy_params, 0, sizeof(*phy_params));\n\t\t\tphy_params->type = type;\n\t\t\tphy_params->interval = cpu_to_le16(interval);\n\t\t\tphy_params->window = cpu_to_le16(window);\n\n\t\t\tplen += sizeof(*phy_params);\n\t\t\tphy_params++;\n\t\t}\n\n\t\thci_req_add(req, HCI_OP_LE_SET_EXT_SCAN_PARAMS,\n\t\t\t plen, ext_param_cp);\n\n\t\tmemset(&ext_enable_cp, 0, sizeof(ext_enable_cp));\n\t\text_enable_cp.enable = LE_SCAN_ENABLE;\n\t\text_enable_cp.filter_dup = LE_SCAN_FILTER_DUP_ENABLE;\n\n\t\thci_req_add(req, HCI_OP_LE_SET_EXT_SCAN_ENABLE,\n\t\t\t sizeof(ext_enable_cp), &ext_enable_cp);\n\t} else {\n\t\tstruct hci_cp_le_set_scan_param param_cp;\n\t\tstruct hci_cp_le_set_scan_enable enable_cp;\n\n\t\tmemset(¶m_cp, 0, sizeof(param_cp));\n\t\tparam_cp.type = type;\n\t\tparam_cp.interval = cpu_to_le16(interval);\n\t\tparam_cp.window = cpu_to_le16(window);\n\t\tparam_cp.own_address_type = own_addr_type;\n\t\tparam_cp.filter_policy = filter_policy;\n\t\thci_req_add(req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(param_cp),\n\t\t\t ¶m_cp);\n\n\t\tmemset(&enable_cp, 0, sizeof(enable_cp));\n\t\tenable_cp.enable = LE_SCAN_ENABLE;\n\t\tenable_cp.filter_dup = LE_SCAN_FILTER_DUP_ENABLE;\n\t\thci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(enable_cp),\n\t\t\t &enable_cp);\n\t}\n}", "project": "linux", 
"hash": 46261537342179165105270171637064514033, "size": 91, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402519 }, { "func": "static void hidinput_led_worker(struct work_struct *work)\n{\n\tstruct hid_device *hid = container_of(work, struct hid_device,\n\t\t\t\t\t led_work);\n\tstruct hid_field *field;\n\tstruct hid_report *report;\n\tint ret;\n\tu32 len;\n\t__u8 *buf;\n\n\tfield = hidinput_get_led_field(hid);\n\tif (!field)\n\t\treturn;\n\n\t/*\n\t * field->report is accessed unlocked regarding HID core. So there might\n\t * be another incoming SET-LED request from user-space, which changes\n\t * the LED state while we assemble our outgoing buffer. However, this\n\t * doesn't matter as hid_output_report() correctly converts it into a\n\t * boolean value no matter what information is currently set on the LED\n\t * field (even garbage). 
So the remote device will always get a valid\n\t * request.\n\t * And in case we send a wrong value, a next led worker is spawned\n\t * for every SET-LED request so the following worker will send the\n\t * correct value, guaranteed!\n\t */\n\n\treport = field->report;\n\n\t/* use custom SET_REPORT request if possible (asynchronous) */\n\tif (hid->ll_driver->request)\n\t\treturn hid->ll_driver->request(hid, report, HID_REQ_SET_REPORT);\n\n\t/* fall back to generic raw-output-report */\n\tlen = hid_report_len(report);\n\tbuf = hid_alloc_report_buf(report, GFP_KERNEL);\n\tif (!buf)\n\t\treturn;\n\n\thid_output_report(report, buf);\n\t/* synchronous output report */\n\tret = hid_hw_output_report(hid, buf, len);\n\tif (ret == -ENOSYS)\n\t\thid_hw_raw_request(hid, report->id, buf, len, HID_OUTPUT_REPORT,\n\t\t\t\tHID_REQ_SET_REPORT);\n\tkfree(buf);\n}", "project": "linux", "hash": 141672526055011787379346793950355512524, "size": 47, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458381 }, { "func": "static void runPcapLoop(u_int16_t thread_id) {\n if((!shutdown_app) && (ndpi_thread_info[thread_id].workflow->pcap_handle 
!= NULL))\n if(pcap_loop(ndpi_thread_info[thread_id].workflow->pcap_handle, -1, &ndpi_process_packet, (u_char*)&thread_id) < 0)\n printf(\"Error while reading pcap file: '%s'\\n\", pcap_geterr(ndpi_thread_info[thread_id].workflow->pcap_handle));\n}", "project": "nDPI", "hash": 204961100344487912566299216440861186423, "size": 5, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254819 }, { "func": "int kvm_vcpu_write_guest(struct kvm_vcpu *vcpu, gpa_t gpa, const void *data,\n\t\t unsigned long len)\n{\n\tgfn_t gfn = gpa >> PAGE_SHIFT;\n\tint seg;\n\tint offset = offset_in_page(gpa);\n\tint ret;\n\n\twhile ((seg = next_segment(len, offset)) != 0) {\n\t\tret = kvm_vcpu_write_guest_page(vcpu, gfn, data, offset, seg);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t\toffset = 0;\n\t\tlen -= seg;\n\t\tdata += seg;\n\t\t++gfn;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 333087034058875750391644404729569335014, "size": 19, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354683 }, { "func": "void freeIpTree(addr_node *root) {\n if(root == NULL)\n return;\n\n freeIpTree(root->left);\n 
freeIpTree(root->right);\n free(root);\n}", "project": "nDPI", "hash": 73863529929663294325896308262073606082, "size": 8, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254838 }, { "func": "static rsRetVal qDeqDisk(qqueue_t *pThis, void **ppUsr)\n{\n\tDEFiRet;\n\n\tCHKiRet(obj.Deserialize(ppUsr, (uchar*) \"msg\", pThis->tVars.disk.pReadDeq, NULL, NULL));\n\nfinalize_it:\n\tRETiRet;\n}", "project": "rsyslog", "hash": 186337802534788421000131859631713727071, "size": 9, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373774 }, { "func": "static void encode_bind_conn_to_session(struct xdr_stream *xdr,\n\t\t\t\t const struct nfs41_bind_conn_to_session_args *args,\n\t\t\t\t struct compound_hdr *hdr)\n{\n\t__be32 *p;\n\n\tencode_op_hdr(xdr, OP_BIND_CONN_TO_SESSION,\n\t\tdecode_bind_conn_to_session_maxsz, hdr);\n\tencode_opaque_fixed(xdr, args->sessionid.data, NFS4_MAX_SESSIONID_LEN);\n\tp = xdr_reserve_space(xdr, 8);\n\t*p++ = cpu_to_be32(args->dir);\n\t*p = (args->use_conn_in_rdma_mode) ? 
cpu_to_be32(1) : cpu_to_be32(0);\n}", "project": "linux", "hash": 49597477124874703222210153588934079115, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430981 }, { "func": "static int snapshot_raw_open(struct inode *inode, struct file *filp)\n{\n\tstruct ftrace_buffer_info *info;\n\tint ret;\n\n\tret = tracing_buffers_open(inode, filp);\n\tif (ret < 0)\n\t\treturn ret;\n\n\tinfo = filp->private_data;\n\n\tif (info->iter.trace->use_max_tr) {\n\t\ttracing_buffers_release(inode, filp);\n\t\treturn -EBUSY;\n\t}\n\n\tinfo->iter.snapshot = true;\n\tinfo->iter.trace_buffer = &info->iter.tr->max_buffer;\n\n\treturn ret;\n}", "project": "linux", "hash": 27914529166289521812945508606014479827, "size": 21, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445839 }, { "func": "static int ep_remove(struct eventpoll *ep, struct epitem *epi)\n{\n\tstruct file *file = epi->ffd.file;\n\n\tlockdep_assert_irqs_enabled();\n\n\t/*\n\t * Removes poll wait queue hooks.\n\t */\n\tep_unregister_pollwait(ep, epi);\n\n\t/* Remove the current item from the list of epoll hooks */\n\tspin_lock(&file->f_lock);\n\tlist_del_rcu(&epi->fllink);\n\tspin_unlock(&file->f_lock);\n\n\trb_erase_cached(&epi->rbn, &ep->rbr);\n\n\twrite_lock_irq(&ep->lock);\n\tif (ep_is_linked(epi))\n\t\tlist_del_init(&epi->rdllink);\n\twrite_unlock_irq(&ep->lock);\n\n\twakeup_source_unregister(ep_wakeup_source(epi));\n\t/*\n\t * At this point it is safe to free the eventpoll item. Use the union\n\t * field epi->rcu, since we are trying to minimize the size of\n\t * 'struct epitem'. The 'rbn' field is no longer in use. Protected by\n\t * ep->mtx. The rcu read side, reverse_path_check_proc(), does not make\n\t * use of the rbn field.\n\t */\n\tcall_rcu(&epi->rcu, epi_rcu_free);\n\n\tatomic_long_dec(&ep->user->epoll_watches);\n\n\treturn 0;\n}", "project": "linux", "hash": 315728313464031737775235733693366323444, "size": 37, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336275 }, { "func": "void CServerBan::ConBanExt(IConsole::IResult *pResult, void *pUser)\n{\n\tCServerBan *pThis = static_cast(pUser);\n\n\tconst char *pStr = pResult->GetString(0);\n\tint Minutes = pResult->NumArguments()>1 ? 
clamp(pResult->GetInteger(1), 0, 44640) : 30;\n\tconst char *pReason = pResult->NumArguments()>2 ? pResult->GetString(2) : \"No reason given\";\n\n\tif(!str_is_number(pStr))\n\t{\n\t\tint ClientID = str_toint(pStr);\n\t\tif(ClientID < 0 || ClientID >= MAX_CLIENTS || pThis->Server()->m_aClients[ClientID].m_State == CServer::CClient::STATE_EMPTY)\n\t\t\tpThis->Console()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"net_ban\", \"ban error (invalid client id)\");\n\t\telse\n\t\t\tpThis->BanAddr(pThis->Server()->m_NetServer.ClientAddr(ClientID), Minutes*60, pReason);\n\t}\n\telse\n\t\tConBan(pResult, pUser);\n}", "project": "teeworlds", "hash": 296696146406437577954559951255387306515, "size": 19, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382026 }, { "func": "static void lrc_destroy_wa_ctx(struct intel_engine_cs *engine)\n{\n\ti915_vma_unpin_and_release(&engine->wa_ctx.vma, 0);\n}", "project": "linux", "hash": 134955157101283435939690920990471624782, "size": 4, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281530 }, { "func": "\nstatic void bfq_update_rate_reset(struct bfq_data *bfqd, struct request *rq)\n{\n\tu32 rate, weight, divisor;\n\n\t/*\n\t * For the convergence property to hold (see comments on\n\t * bfq_update_peak_rate()) and for the assessment to be\n\t * reliable, a minimum number of samples must be present, and\n\t * a minimum amount of time must have elapsed. If not so, do\n\t * not compute new rate. Just reset parameters, to get ready\n\t * for a new evaluation attempt.\n\t */\n\tif (bfqd->peak_rate_samples < BFQ_RATE_MIN_SAMPLES ||\n\t bfqd->delta_from_first < BFQ_RATE_MIN_INTERVAL)\n\t\tgoto reset_computation;\n\n\t/*\n\t * If a new request completion has occurred after last\n\t * dispatch, then, to approximate the rate at which requests\n\t * have been served by the device, it is more precise to\n\t * extend the observation interval to the last completion.\n\t */\n\tbfqd->delta_from_first =\n\t\tmax_t(u64, bfqd->delta_from_first,\n\t\t bfqd->last_completion - bfqd->first_dispatch);\n\n\t/*\n\t * Rate computed in sects/usec, and not sects/nsec, for\n\t * precision issues.\n\t */\n\trate = div64_ul(bfqd->tot_sectors_dispatched<delta_from_first, NSEC_PER_USEC));\n\n\t/*\n\t * Peak rate not updated if:\n\t * - the percentage of sequential dispatches is below 3/4 of the\n\t * total, and rate is below the current estimated peak rate\n\t * - rate is unreasonably high (> 20M sectors/sec)\n\t */\n\tif ((bfqd->sequential_samples < (3 * bfqd->peak_rate_samples)>>2 &&\n\t rate <= bfqd->peak_rate) ||\n\t\trate > 20<sequential_samples cannot\n\t * 
become equal to bfqd->peak_rate_samples, which, in its\n\t * turn, holds true because bfqd->sequential_samples is not\n\t * incremented for the first sample.\n\t */\n\tweight = (9 * bfqd->sequential_samples) / bfqd->peak_rate_samples;\n\n\t/*\n\t * Second step: further refine the weight as a function of the\n\t * duration of the observation interval.\n\t */\n\tweight = min_t(u32, 8,\n\t\t div_u64(weight * bfqd->delta_from_first,\n\t\t\t BFQ_RATE_REF_INTERVAL));\n\n\t/*\n\t * Divisor ranging from 10, for minimum weight, to 2, for\n\t * maximum weight.\n\t */\n\tdivisor = 10 - weight;\n\n\t/*\n\t * Finally, update peak rate:\n\t *\n\t * peak_rate = peak_rate * (divisor-1) / divisor + rate / divisor\n\t */\n\tbfqd->peak_rate *= divisor-1;\n\tbfqd->peak_rate /= divisor;\n\trate /= divisor; /* smoothing constant alpha = 1/divisor */\n\n\tbfqd->peak_rate += rate;\n\n\t/*\n\t * For a very slow device, bfqd->peak_rate can reach 0 (see\n\t * the minimum representable values reported in the comments\n\t * on BFQ_RATE_SHIFT). Push to 1 if this happens, to avoid\n\t * divisions by zero where bfqd->peak_rate is used as a\n\t * divisor.\n\t */\n\tbfqd->peak_rate = max_t(u32, 1, bfqd->peak_rate);\n\n\tupdate_thr_responsiveness_params(bfqd);\n\nreset_computation:\n\tbfq_reset_rate_computation(bfqd, rq);", "project": "linux", "hash": 48361318216511847274326997165355033743, "size": 108, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. 
If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] 
blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 
ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453376 }, { "func": "static int test_remove(struct libmnt_test *ts, int argc, char *argv[])\n{\n\tconst char *name;\n\tchar *optstr;\n\tint rc;\n\n\tif (argc < 3)\n\t\treturn -EINVAL;\n\toptstr = xstrdup(argv[1]);\n\tname = argv[2];\n\n\trc = mnt_optstr_remove_option(&optstr, name);\n\tif (!rc)\n\t\tprintf(\"result: >%s<\\n\", optstr);\n\tfree(optstr);\n\treturn rc;\n}", "project": "util-linux", "hash": 190944558537508658361562931376618640888, "size": 17, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar 
UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410390 }, { "func": "static inline void sync_lapic_to_cr8(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tu64 cr8;\n\n\tif (svm_nested_virtualize_tpr(vcpu) ||\n\t kvm_vcpu_apicv_active(vcpu))\n\t\treturn;\n\n\tcr8 = kvm_get_cr8(vcpu);\n\tsvm->vmcb->control.int_ctl &= ~V_TPR_MASK;\n\tsvm->vmcb->control.int_ctl |= cr8 & V_TPR_MASK;\n}", "project": "linux", "hash": 103679242238366148614244986739680305442, "size": 13, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432520 }, { "func": "static inline void sync_lapic_to_cr8(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tu64 cr8;\n\n\tif (is_guest_mode(vcpu) && (vcpu->arch.hflags & HF_VINTR_MASK))\n\t\treturn;\n\n\tcr8 = kvm_get_cr8(vcpu);\n\tsvm->vmcb->control.int_ctl &= ~V_TPR_MASK;\n\tsvm->vmcb->control.int_ctl |= cr8 & V_TPR_MASK;\n}", "project": "kvm", "hash": 34539860826750011526765041595817949050, "size": 12, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). 
However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437618 }, { "func": "static inline int sctp_wspace(struct sctp_association *asoc)\n{\n\tstruct sock *sk = asoc->base.sk;\n\n\treturn asoc->ep->sndbuf_policy ? 
sk->sk_sndbuf - asoc->sndbuf_used\n\t\t\t\t : sk_stream_wspace(sk);\n}", "project": "linux", "hash": 40953444117353527472217330358888098145, "size": 7, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398180 }, { "func": "static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry,\n char *offset_base, char *end, size_t IFDlength,\n size_t displacement, int section_index,\n int ReadNextIFD, tag_table_type tag_table) {\n size_t length;\n int tag, format, components;\n char *value_ptr, tagname[64], cbuf[32], *outside=nullptr;\n size_t byte_count, offset_val, fpos, fgot;\n int64_t byte_count_signed;\n xp_field_type *tmp_xp;\n\n /* Protect against corrupt headers */\n if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {\n raise_warning(\"corrupt EXIF header: maximum directory \"\n \"nesting level reached\");\n return 0;\n }\n ImageInfo->ifd_nesting_level++;\n\n CHECK_BUFFER_R(dir_entry+4, end, 4, 0);\n tag = php_ifd_get16u(dir_entry, ImageInfo->motorola_intel);\n format = php_ifd_get16u(dir_entry+2, ImageInfo->motorola_intel);\n components = php_ifd_get32u(dir_entry+4, ImageInfo->motorola_intel);\n\n if (!format || format > NUM_FORMATS) {\n /* (-1) catches illegal zero case as unsigned underflows to\n positive large. 
*/\n raise_warning(\"Process tag(x%04X=%s): Illegal format code 0x%04X, \"\n \"suppose BYTE\", tag,\n exif_get_tagname(tag, tagname, -12, tag_table), format);\n format = TAG_FMT_BYTE;\n /*return TRUE;*/\n }\n\n if (components < 0) {\n raise_warning(\"Process tag(x%04X=%s): Illegal components(%d)\",\n tag, exif_get_tagname(tag, tagname, -12, tag_table),\n components);\n return 1;\n }\n\n byte_count_signed = (int64_t)components *\n get_php_tiff_bytes_per_format(format);\n\n if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) {\n raise_warning(\"Process tag(x%04X=%s): Illegal byte_count(%ld)\",\n tag, exif_get_tagname(tag, tagname, -12, tag_table),\n byte_count_signed);\n return 1; // ignore that field, but don't abort parsing\n }\n byte_count = (size_t)byte_count_signed;\n\n if (byte_count > 4) {\n CHECK_BUFFER_R(dir_entry+8, end, 4, 0);\n offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);\n /* If its bigger than 4 bytes, the dir entry contains an offset. */\n value_ptr = offset_base+offset_val;\n if (byte_count > IFDlength ||\n offset_val > IFDlength-byte_count ||\n value_ptr < dir_entry ||\n offset_val < (size_t)(dir_entry-offset_base)) {\n /*\n // It is important to check for IMAGE_FILETYPE_TIFF\n // JPEG does not use absolute pointers instead\n // its pointers are relative to the start\n // of the TIFF header in APP1 section.\n */\n if (byte_count > ImageInfo->FileSize ||\n offset_val>ImageInfo->FileSize-byte_count ||\n (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II &&\n ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM &&\n ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {\n if (value_ptr < dir_entry) {\n /* we can read this if offset_val > 0 */\n /* some files have their values in other parts of the file */\n raise_warning(\"Process tag(x%04X=%s): Illegal pointer offset\"\n \"(x%04lX < %04lX)\", tag,\n exif_get_tagname(tag, tagname, -12, tag_table),\n offset_val, dir_entry-offset_base);\n } else {\n /* this is for sure not allowed */\n /* 
exception are IFD pointers */\n raise_warning(\"Process tag(x%04X=%s): Illegal pointer offset\"\n \"(x%04lX + x%04lX = x%04lX > x%04lX)\", tag,\n exif_get_tagname(tag, tagname, -12, tag_table),\n offset_val, byte_count, offset_val+byte_count,\n IFDlength);\n }\n return 0;\n }\n if (byte_count>sizeof(cbuf)) {\n /* mark as outside range and get buffer */\n value_ptr = (char *)IM_MALLOC(byte_count);\n CHECK_ALLOC_R(value_ptr, byte_count, 0);\n outside = value_ptr;\n } else {\n /*\n // in most cases we only access a small range so\n // it is faster to use a static buffer there\n // BUT it offers also the possibility to have\n // pointers read without the need to free them\n // explicitley before returning.\n */\n memset(&cbuf, 0, sizeof(cbuf));\n value_ptr = cbuf;\n }\n\n fpos = ImageInfo->infile->tell();\n ImageInfo->infile->seek(displacement+offset_val, SEEK_SET);\n fgot = ImageInfo->infile->tell();\n if (fgot!=displacement+offset_val) {\n if (outside) IM_FREE(outside);\n raise_warning(\"Wrong file pointer: 0x%08lX != 0x%08lX\",\n fgot, displacement+offset_val);\n return 0;\n }\n String str = ImageInfo->infile->read(byte_count);\n fgot = str.length();\n memcpy(value_ptr, str.c_str(), fgot);\n ImageInfo->infile->seek(fpos, SEEK_SET);\n if (fgotsections_found |= FOUND_ANY_TAG;\n if (section_index==SECTION_THUMBNAIL) {\n if (!ImageInfo->Thumbnail.data) {\n REQUIRE_NON_EMPTY();\n switch(tag) {\n case TAG_IMAGEWIDTH:\n case TAG_COMP_IMAGE_WIDTH:\n ImageInfo->Thumbnail.width =\n exif_convert_any_to_int(value_ptr, format,\n ImageInfo->motorola_intel);\n break;\n\n case TAG_IMAGEHEIGHT:\n case TAG_COMP_IMAGE_HEIGHT:\n ImageInfo->Thumbnail.height =\n exif_convert_any_to_int(value_ptr, format,\n ImageInfo->motorola_intel);\n break;\n\n case TAG_STRIP_OFFSETS:\n case TAG_JPEG_INTERCHANGE_FORMAT:\n /* accept both formats */\n ImageInfo->Thumbnail.offset =\n exif_convert_any_to_int(value_ptr, format,\n ImageInfo->motorola_intel);\n break;\n\n case TAG_STRIP_BYTE_COUNTS:\n if 
(ImageInfo->FileType == IMAGE_FILETYPE_TIFF_II ||\n ImageInfo->FileType == IMAGE_FILETYPE_TIFF_MM) {\n ImageInfo->Thumbnail.filetype = ImageInfo->FileType;\n } else {\n /* motorola is easier to read */\n ImageInfo->Thumbnail.filetype = IMAGE_FILETYPE_TIFF_MM;\n }\n ImageInfo->Thumbnail.size =\n exif_convert_any_to_int(value_ptr, format,\n ImageInfo->motorola_intel);\n break;\n\n case TAG_JPEG_INTERCHANGE_FORMAT_LEN:\n if (ImageInfo->Thumbnail.filetype == IMAGE_FILETYPE_UNKNOWN) {\n ImageInfo->Thumbnail.filetype = IMAGE_FILETYPE_JPEG;\n ImageInfo->Thumbnail.size =\n exif_convert_any_to_int(value_ptr, format,\n ImageInfo->motorola_intel);\n }\n break;\n }\n }\n } else {\n if (section_index==SECTION_IFD0 || section_index==SECTION_EXIF)\n switch(tag) {\n case TAG_COPYRIGHT:\n /* check for \" NUL NUL\" */\n if (byte_count>1 && (length=php_strnlen(value_ptr, byte_count)) > 0) {\n if (lengthCopyrightPhotographer, value_ptr);\n PHP_STRNDUP(\n ImageInfo->CopyrightEditor,\n value_ptr + length + 1,\n byte_count - length - 1\n );\n if (ImageInfo->Copyright) IM_FREE(ImageInfo->Copyright);\n php_vspprintf(&ImageInfo->Copyright, 0, \"%s, %s\",\n value_ptr, ImageInfo->CopyrightEditor);\n /* format = TAG_FMT_UNDEFINED; this musn't be ASCII */\n /* but we are not supposed to change this */\n /* keep in mind that image_info does not store editor value */\n } else {\n PHP_STRNDUP(ImageInfo->Copyright, value_ptr, byte_count);\n }\n }\n break;\n\n case TAG_USERCOMMENT:\n ImageInfo->UserCommentLength =\n exif_process_user_comment(ImageInfo, &(ImageInfo->UserComment),\n &(ImageInfo->UserCommentEncoding),\n value_ptr, byte_count);\n break;\n\n case TAG_XP_TITLE:\n case TAG_XP_COMMENTS:\n case TAG_XP_AUTHOR:\n case TAG_XP_KEYWORDS:\n case TAG_XP_SUBJECT: {\n size_t realloc_size =\n (ImageInfo->xp_fields.count+1) * sizeof(xp_field_type);\n tmp_xp = (xp_field_type*)\n IM_REALLOC(ImageInfo->xp_fields.list, realloc_size);\n if (!tmp_xp) {\n if (outside) IM_FREE(outside);\n }\n 
CHECK_ALLOC_R(tmp_xp, realloc_size, 0);\n ImageInfo->sections_found |= FOUND_WINXP;\n ImageInfo->xp_fields.list = tmp_xp;\n ImageInfo->xp_fields.count++;\n exif_process_unicode(ImageInfo,\n &(ImageInfo->xp_fields.list[ImageInfo->xp_fields.count-1]),\n tag, value_ptr, byte_count);\n break;\n }\n case TAG_FNUMBER:\n /* Simplest way of expressing aperture, so I trust it the most.\n (overwrite previously computed value if there is one) */\n REQUIRE_NON_EMPTY();\n ImageInfo->ApertureFNumber =\n (float)exif_convert_any_format(value_ptr, format,\n ImageInfo->motorola_intel);\n break;\n\n case TAG_APERTURE:\n case TAG_MAX_APERTURE:\n /* More relevant info always comes earlier, so only use this\n field if we don't have appropriate aperture information yet. */\n if (ImageInfo->ApertureFNumber == 0) {\n REQUIRE_NON_EMPTY();\n ImageInfo->ApertureFNumber\n = (float)exp(exif_convert_any_format(value_ptr, format,\n ImageInfo->motorola_intel)*log(2)*0.5);\n }\n break;\n\n case TAG_SHUTTERSPEED:\n /* More complicated way of expressing exposure time, so only use\n this value if we don't already have it from somewhere else.\n SHUTTERSPEED comes after EXPOSURE TIME\n */\n if (ImageInfo->ExposureTime == 0) {\n REQUIRE_NON_EMPTY();\n ImageInfo->ExposureTime\n = (float)(1/exp(exif_convert_any_format(value_ptr, format,\n ImageInfo->motorola_intel)*log(2)));\n }\n break;\n case TAG_EXPOSURETIME:\n ImageInfo->ExposureTime = -1;\n break;\n\n case TAG_COMP_IMAGE_WIDTH:\n REQUIRE_NON_EMPTY();\n ImageInfo->ExifImageWidth =\n exif_convert_any_to_int(value_ptr, format,\n ImageInfo->motorola_intel);\n break;\n\n case TAG_FOCALPLANE_X_RES:\n REQUIRE_NON_EMPTY();\n ImageInfo->FocalplaneXRes =\n exif_convert_any_format(value_ptr, format,\n ImageInfo->motorola_intel);\n break;\n\n case TAG_SUBJECT_DISTANCE:\n /* Inidcates the distacne the autofocus camera is focused to.\n Tends to be less accurate as distance increases. 
*/\n REQUIRE_NON_EMPTY();\n ImageInfo->Distance =\n (float)exif_convert_any_format(value_ptr, format,\n ImageInfo->motorola_intel);\n break;\n\n case TAG_FOCALPLANE_RESOLUTION_UNIT:\n REQUIRE_NON_EMPTY();\n switch((int)exif_convert_any_format(value_ptr, format,\n ImageInfo->motorola_intel)) {\n case 1: ImageInfo->FocalplaneUnits = 25.4; break; /* inch */\n case 2:\n /* According to the information I was using, 2 measn meters.\n But looking at the Cannon powershot's files, inches is the only\n sensible value. */\n ImageInfo->FocalplaneUnits = 25.4;\n break;\n\n case 3: ImageInfo->FocalplaneUnits = 10; break; /* centimeter */\n case 4: ImageInfo->FocalplaneUnits = 1; break; /* milimeter */\n case 5: ImageInfo->FocalplaneUnits = .001; break; /* micrometer */\n }\n break;\n\n case TAG_SUB_IFD:\n if (format==TAG_FMT_IFD) {\n /* If this is called we are either in a TIFFs thumbnail or\n a JPEG where we cannot handle it */\n /* TIFF thumbnail: our data structure cannot store a thumbnail\n of a thumbnail */\n /* JPEG do we have the data area and what to do with it */\n raise_notice(\"Skip SUB IFD\");\n }\n break;\n\n case TAG_MAKE:\n PHP_STRNDUP(ImageInfo->make, value_ptr, byte_count);\n break;\n case TAG_MODEL:\n PHP_STRNDUP(ImageInfo->model, value_ptr, byte_count);\n break;\n\n case TAG_MAKER_NOTE:\n exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count,\n offset_base, IFDlength, displacement);\n break;\n\n case TAG_EXIF_IFD_POINTER:\n case TAG_GPS_IFD_POINTER:\n case TAG_INTEROP_IFD_POINTER:\n if (ReadNextIFD) {\n REQUIRE_NON_EMPTY();\n char *Subdir_start;\n int sub_section_index = 0;\n switch(tag) {\n case TAG_EXIF_IFD_POINTER:\n ImageInfo->sections_found |= FOUND_EXIF;\n sub_section_index = SECTION_EXIF;\n break;\n case TAG_GPS_IFD_POINTER:\n ImageInfo->sections_found |= FOUND_GPS;\n sub_section_index = SECTION_GPS;\n break;\n case TAG_INTEROP_IFD_POINTER:\n ImageInfo->sections_found |= FOUND_INTEROP;\n sub_section_index = SECTION_INTEROP;\n break;\n }\n 
CHECK_BUFFER_R(value_ptr, end, 4, 0);\n Subdir_start = offset_base +\n php_ifd_get32u(value_ptr, ImageInfo->motorola_intel);\n if (Subdir_start < offset_base ||\n Subdir_start > offset_base+IFDlength) {\n raise_warning(\"Illegal IFD Pointer\");\n return 0;\n }\n if (!exif_process_IFD_in_JPEG(ImageInfo, Subdir_start,\n offset_base, end, IFDlength,\n displacement, sub_section_index)) {\n return 0;\n }\n }\n }\n }\n exif_iif_add_tag(ImageInfo, section_index,\n exif_get_tagname(tag, tagname, sizeof(tagname), tag_table),\n tag, format, components, value_ptr);\n if (outside) IM_FREE(outside);\n return 1;\n}", "project": "hhvm", "hash": 29871541396534005852542757880077599048, "size": 380, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219775 }, { "func": "static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table)\n{\n\tsize_t length;\n\tunsigned int tag, format, components;\n\tchar *value_ptr, tagname[64], cbuf[32], *outside=NULL;\n\tsize_t byte_count, offset_val, fpos, fgot;\n\tint64_t byte_count_signed;\n\txp_field_type *tmp_xp;\n#ifdef EXIF_DEBUG\n\tchar *dump_data;\n\tint dump_free;\n#endif /* EXIF_DEBUG */\n\n\t/* Protect against corrupt headers */\n\tif (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {\n\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"corrupt EXIF header: maximum directory nesting level reached\");\n\t\treturn FALSE;\n\t}\n\tImageInfo->ifd_nesting_level++;\n\n\ttag = php_ifd_get16u(dir_entry, ImageInfo->motorola_intel);\n\tformat = php_ifd_get16u(dir_entry+2, ImageInfo->motorola_intel);\n\tcomponents = php_ifd_get32u(dir_entry+4, ImageInfo->motorola_intel);\n\n\tif (!format || format > NUM_FORMATS) {\n\t\t/* (-1) catches illegal zero 
case as unsigned underflows to positive large. */\n\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"Process tag(x%04X=%s): Illegal format code 0x%04X, suppose BYTE\", tag, exif_get_tagname(tag, tagname, -12, tag_table), format);\n\t\tformat = TAG_FMT_BYTE;\n\t\t/*return TRUE;*/\n\t}\n\n\tif (components <= 0) {\n\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"Process tag(x%04X=%s): Illegal components(%d)\", tag, exif_get_tagname(tag, tagname, -12, tag_table), components);\n\t\treturn FALSE;\n\t}\n\n\tbyte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];\n\n\tif (byte_count_signed < 0 || (byte_count_signed > INT32_MAX)) {\n\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"Process tag(x%04X=%s): Illegal byte_count\", tag, exif_get_tagname(tag, tagname, -12, tag_table));\n\t\treturn FALSE;\n\t}\n\n\tbyte_count = (size_t)byte_count_signed;\n\n\tif (byte_count > 4) {\n\t\toffset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);\n\t\t/* If its bigger than 4 bytes, the dir entry contains an offset. */\n\t\tvalue_ptr = offset_base+offset_val;\n /*\n dir_entry is ImageInfo->file.list[sn].data+2+i*12\n offset_base is ImageInfo->file.list[sn].data-dir_offset\n dir_entry - offset_base is dir_offset+2+i*12\n */\n\t\tif (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base) || dir_entry <= offset_base) {\n\t\t\t/* It is important to check for IMAGE_FILETYPE_TIFF\n\t\t\t * JPEG does not use absolute pointers instead its pointers are\n\t\t\t * relative to the start of the TIFF header in APP1 section. 
*/\n\t\t\tif (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {\n\t\t\t\tif (value_ptr < dir_entry) {\n\t\t\t\t\t/* we can read this if offset_val > 0 */\n\t\t\t\t\t/* some files have their values in other parts of the file */\n\t\t\t\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"Process tag(x%04X=%s): Illegal pointer offset(x%04X < x%04X)\", tag, exif_get_tagname(tag, tagname, -12, tag_table), offset_val, dir_entry);\n\t\t\t\t} else {\n\t\t\t\t\t/* this is for sure not allowed */\n\t\t\t\t\t/* exception are IFD pointers */\n\t\t\t\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"Process tag(x%04X=%s): Illegal pointer offset(x%04X + x%04X = x%04X > x%04X)\", tag, exif_get_tagname(tag, tagname, -12, tag_table), offset_val, byte_count, offset_val+byte_count, IFDlength);\n\t\t\t\t}\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t\tif (byte_count>sizeof(cbuf)) {\n\t\t\t\t/* mark as outside range and get buffer */\n\t\t\t\tvalue_ptr = safe_emalloc(byte_count, 1, 0);\n\t\t\t\toutside = value_ptr;\n\t\t\t} else {\n\t\t\t\t/* In most cases we only access a small range so\n\t\t\t\t * it is faster to use a static buffer there\n\t\t\t\t * BUT it offers also the possibility to have\n\t\t\t\t * pointers read without the need to free them\n\t\t\t\t * explicitley before returning. 
*/\n\t\t\t\tmemset(&cbuf, 0, sizeof(cbuf));\n\t\t\t\tvalue_ptr = cbuf;\n\t\t\t}\n\n\t\t\tfpos = php_stream_tell(ImageInfo->infile);\n\t\t\tphp_stream_seek(ImageInfo->infile, displacement+offset_val, SEEK_SET);\n\t\t\tfgot = php_stream_tell(ImageInfo->infile);\n\t\t\tif (fgot!=displacement+offset_val) {\n\t\t\t\tEFREE_IF(outside);\n\t\t\t\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, \"Wrong file pointer: 0x%08X != 0x%08X\", fgot, displacement+offset_val);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t\tfgot = php_stream_read(ImageInfo->infile, value_ptr, byte_count);\n\t\t\tphp_stream_seek(ImageInfo->infile, fpos, SEEK_SET);\n\t\t\tif (fgotsections_found |= FOUND_ANY_TAG;\n#ifdef EXIF_DEBUG\n\tdump_data = exif_dump_data(&dump_free, format, components, length, ImageInfo->motorola_intel, value_ptr);\n\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Process tag(x%04X=%s,@x%04X + x%04X(=%d)): %s%s %s\", tag, exif_get_tagname(tag, tagname, -12, tag_table), offset_val+displacement, byte_count, byte_count, (components>1)&&format!=TAG_FMT_UNDEFINED&&format!=TAG_FMT_STRING?\"ARRAY OF \":\"\", exif_get_tagformat(format), dump_data);\n\tif (dump_free) {\n\t\tefree(dump_data);\n\t}\n#endif\n\n\tif (section_index==SECTION_THUMBNAIL) {\n\t\tif (!ImageInfo->Thumbnail.data) {\n\t\t\tswitch(tag) {\n\t\t\t\tcase TAG_IMAGEWIDTH:\n\t\t\t\tcase TAG_COMP_IMAGE_WIDTH:\n\t\t\t\t\tImageInfo->Thumbnail.width = exif_convert_any_to_int(value_ptr, exif_rewrite_tag_format_to_unsigned(format), ImageInfo->motorola_intel);\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase TAG_IMAGEHEIGHT:\n\t\t\t\tcase TAG_COMP_IMAGE_HEIGHT:\n\t\t\t\t\tImageInfo->Thumbnail.height = exif_convert_any_to_int(value_ptr, exif_rewrite_tag_format_to_unsigned(format), ImageInfo->motorola_intel);\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase TAG_STRIP_OFFSETS:\n\t\t\t\tcase TAG_JPEG_INTERCHANGE_FORMAT:\n\t\t\t\t\t/* accept both formats */\n\t\t\t\t\tImageInfo->Thumbnail.offset = exif_convert_any_to_int(value_ptr, 
exif_rewrite_tag_format_to_unsigned(format), ImageInfo->motorola_intel);\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase TAG_STRIP_BYTE_COUNTS:\n\t\t\t\t\tif (ImageInfo->FileType == IMAGE_FILETYPE_TIFF_II || ImageInfo->FileType == IMAGE_FILETYPE_TIFF_MM) {\n\t\t\t\t\t\tImageInfo->Thumbnail.filetype = ImageInfo->FileType;\n\t\t\t\t\t} else {\n\t\t\t\t\t\t/* motorola is easier to read */\n\t\t\t\t\t\tImageInfo->Thumbnail.filetype = IMAGE_FILETYPE_TIFF_MM;\n\t\t\t\t\t}\n\t\t\t\t\tImageInfo->Thumbnail.size = exif_convert_any_to_int(value_ptr, exif_rewrite_tag_format_to_unsigned(format), ImageInfo->motorola_intel);\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase TAG_JPEG_INTERCHANGE_FORMAT_LEN:\n\t\t\t\t\tif (ImageInfo->Thumbnail.filetype == IMAGE_FILETYPE_UNKNOWN) {\n\t\t\t\t\t\tImageInfo->Thumbnail.filetype = IMAGE_FILETYPE_JPEG;\n\t\t\t\t\t\tImageInfo->Thumbnail.size = exif_convert_any_to_int(value_ptr, exif_rewrite_tag_format_to_unsigned(format), ImageInfo->motorola_intel);\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t} else {\n\t\tif (section_index==SECTION_IFD0 || section_index==SECTION_EXIF)\n\t\tswitch(tag) {\n\t\t\tcase TAG_COPYRIGHT:\n\t\t\t\t/* check for \" NUL NUL\" */\n\t\t\t\tif (byte_count>1 && (length=php_strnlen(value_ptr, byte_count)) > 0) {\n\t\t\t\t\tif (lengthCopyrightPhotographer = estrdup(value_ptr);\n\t\t\t\t\t\tImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1);\n\t\t\t\t\t\tspprintf(&ImageInfo->Copyright, 0, \"%s, %s\", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor);\n\t\t\t\t\t\t/* format = TAG_FMT_UNDEFINED; this musn't be ASCII */\n\t\t\t\t\t\t/* but we are not supposed to change this */\n\t\t\t\t\t\t/* keep in mind that image_info does not store editor value */\n\t\t\t\t\t} else {\n\t\t\t\t\t\tImageInfo->Copyright = estrndup(value_ptr, byte_count);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase TAG_USERCOMMENT:\n\t\t\t\tEFREE_IF(ImageInfo->UserComment);\n\t\t\t\tImageInfo->UserComment = 
NULL;\n\t\t\t\tEFREE_IF(ImageInfo->UserCommentEncoding);\n\t\t\t\tImageInfo->UserCommentEncoding = NULL;\n\t\t\t\tImageInfo->UserCommentLength = exif_process_user_comment(ImageInfo, &(ImageInfo->UserComment), &(ImageInfo->UserCommentEncoding), value_ptr, byte_count);\n\t\t\t\tbreak;\n\n\t\t\tcase TAG_XP_TITLE:\n\t\t\tcase TAG_XP_COMMENTS:\n\t\t\tcase TAG_XP_AUTHOR:\n\t\t\tcase TAG_XP_KEYWORDS:\n\t\t\tcase TAG_XP_SUBJECT:\n\t\t\t\ttmp_xp = (xp_field_type*)safe_erealloc(ImageInfo->xp_fields.list, (ImageInfo->xp_fields.count+1), sizeof(xp_field_type), 0);\n\t\t\t\tImageInfo->sections_found |= FOUND_WINXP;\n\t\t\t\tImageInfo->xp_fields.list = tmp_xp;\n\t\t\t\tImageInfo->xp_fields.count++;\n\t\t\t\texif_process_unicode(ImageInfo, &(ImageInfo->xp_fields.list[ImageInfo->xp_fields.count-1]), tag, value_ptr, byte_count);\n\t\t\t\tbreak;\n\n\t\t\tcase TAG_FNUMBER:\n\t\t\t\t/* Simplest way of expressing aperture, so I trust it the most.\n\t\t\t\t (overwrite previously computed value if there is one) */\n\t\t\t\tImageInfo->ApertureFNumber = (float)exif_convert_any_format(value_ptr, format, ImageInfo->motorola_intel);\n\t\t\t\tbreak;\n\n\t\t\tcase TAG_APERTURE:\n\t\t\tcase TAG_MAX_APERTURE:\n\t\t\t\t/* More relevant info always comes earlier, so only use this field if we don't\n\t\t\t\t have appropriate aperture information yet. 
*/\n\t\t\t\tif (ImageInfo->ApertureFNumber == 0) {\n\t\t\t\t\tImageInfo->ApertureFNumber\n\t\t\t\t\t\t= (float)exp(exif_convert_any_format(value_ptr, format, ImageInfo->motorola_intel)*log(2)*0.5);\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase TAG_SHUTTERSPEED:\n\t\t\t\t/* More complicated way of expressing exposure time, so only use\n\t\t\t\t this value if we don't already have it from somewhere else.\n\t\t\t\t SHUTTERSPEED comes after EXPOSURE TIME\n\t\t\t\t */\n\t\t\t\tif (ImageInfo->ExposureTime == 0) {\n\t\t\t\t\tImageInfo->ExposureTime\n\t\t\t\t\t\t= (float)(1/exp(exif_convert_any_format(value_ptr, format, ImageInfo->motorola_intel)*log(2)));\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase TAG_EXPOSURETIME:\n\t\t\t\tImageInfo->ExposureTime = -1;\n\t\t\t\tbreak;\n\n\t\t\tcase TAG_COMP_IMAGE_WIDTH:\n\t\t\t\tImageInfo->ExifImageWidth = exif_convert_any_to_int(value_ptr, exif_rewrite_tag_format_to_unsigned(format), ImageInfo->motorola_intel);\n\t\t\t\tbreak;\n\n\t\t\tcase TAG_FOCALPLANE_X_RES:\n\t\t\t\tImageInfo->FocalplaneXRes = exif_convert_any_format(value_ptr, format, ImageInfo->motorola_intel);\n\t\t\t\tbreak;\n\n\t\t\tcase TAG_SUBJECT_DISTANCE:\n\t\t\t\t/* Inidcates the distacne the autofocus camera is focused to.\n\t\t\t\t Tends to be less accurate as distance increases. */\n\t\t\t\tImageInfo->Distance = (float)exif_convert_any_format(value_ptr, format, ImageInfo->motorola_intel);\n\t\t\t\tbreak;\n\n\t\t\tcase TAG_FOCALPLANE_RESOLUTION_UNIT:\n\t\t\t\tswitch((int)exif_convert_any_format(value_ptr, format, ImageInfo->motorola_intel)) {\n\t\t\t\t\tcase 1: ImageInfo->FocalplaneUnits = 25.4; break; /* inch */\n\t\t\t\t\tcase 2:\n\t\t\t\t\t\t/* According to the information I was using, 2 measn meters.\n\t\t\t\t\t\t But looking at the Cannon powershot's files, inches is the only\n\t\t\t\t\t\t sensible value. 
*/\n\t\t\t\t\t\tImageInfo->FocalplaneUnits = 25.4;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase 3: ImageInfo->FocalplaneUnits = 10; break; /* centimeter */\n\t\t\t\t\tcase 4: ImageInfo->FocalplaneUnits = 1; break; /* milimeter */\n\t\t\t\t\tcase 5: ImageInfo->FocalplaneUnits = .001; break; /* micrometer */\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase TAG_SUB_IFD:\n\t\t\t\tif (format==TAG_FMT_IFD) {\n\t\t\t\t\t/* If this is called we are either in a TIFFs thumbnail or a JPEG where we cannot handle it */\n\t\t\t\t\t/* TIFF thumbnail: our data structure cannot store a thumbnail of a thumbnail */\n\t\t\t\t\t/* JPEG do we have the data area and what to do with it */\n\t\t\t\t\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Skip SUB IFD\");\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase TAG_MAKE:\n\t\t\t\tImageInfo->make = estrndup(value_ptr, byte_count);\n\t\t\t\tbreak;\n\t\t\tcase TAG_MODEL:\n\t\t\t\tImageInfo->model = estrndup(value_ptr, byte_count);\n\t\t\t\tbreak;\n\n\t\t\tcase TAG_MAKER_NOTE:\n\t\t\t\tif (!exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count, offset_base, IFDlength, displacement)) {\n\t\t\t\t\tEFREE_IF(outside);\n\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase TAG_EXIF_IFD_POINTER:\n\t\t\tcase TAG_GPS_IFD_POINTER:\n\t\t\tcase TAG_INTEROP_IFD_POINTER:\n\t\t\t\tif (ReadNextIFD) {\n\t\t\t\t\tchar *Subdir_start;\n\t\t\t\t\tint sub_section_index = 0;\n\t\t\t\t\tswitch(tag) {\n\t\t\t\t\t\tcase TAG_EXIF_IFD_POINTER:\n#ifdef EXIF_DEBUG\n\t\t\t\t\t\t\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Found EXIF\");\n#endif\n\t\t\t\t\t\t\tImageInfo->sections_found |= FOUND_EXIF;\n\t\t\t\t\t\t\tsub_section_index = SECTION_EXIF;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase TAG_GPS_IFD_POINTER:\n#ifdef EXIF_DEBUG\n\t\t\t\t\t\t\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Found GPS\");\n#endif\n\t\t\t\t\t\t\tImageInfo->sections_found |= FOUND_GPS;\n\t\t\t\t\t\t\tsub_section_index = 
SECTION_GPS;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase TAG_INTEROP_IFD_POINTER:\n#ifdef EXIF_DEBUG\n\t\t\t\t\t\t\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Found INTEROPERABILITY\");\n#endif\n\t\t\t\t\t\t\tImageInfo->sections_found |= FOUND_INTEROP;\n\t\t\t\t\t\t\tsub_section_index = SECTION_INTEROP;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\tSubdir_start = offset_base + php_ifd_get32u(value_ptr, ImageInfo->motorola_intel);\n\t\t\t\t\tif (Subdir_start < offset_base || Subdir_start > offset_base+IFDlength) {\n\t\t\t\t\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"Illegal IFD Pointer\");\n\t\t\t\t\t\treturn FALSE;\n\t\t\t\t\t}\n\t\t\t\t\tif (!exif_process_IFD_in_JPEG(ImageInfo, Subdir_start, offset_base, IFDlength, displacement, sub_section_index, tag)) {\n\t\t\t\t\t\treturn FALSE;\n\t\t\t\t\t}\n#ifdef EXIF_DEBUG\n\t\t\t\t\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Subsection %s done\", exif_get_sectionname(sub_section_index));\n#endif\n\t\t\t\t}\n\t\t}\n\t}\n\texif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr, byte_count);\n\tEFREE_IF(outside);\n\treturn TRUE;\n}", "project": "php-src", "hash": 256723383184977226832041302213467252819, "size": 322, "commit_id": "e648fa4699e8d072db6db34fcc09826e8127fab8", "message": "Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)\n\n(cherry picked from commit aeb6d13185a2ea4f1496ede2697469faed98ce05)", "target": 0, "dataset": "other", "idx": 335784 }, { "func": "static void dump_container_metadata(struct req_state *s,\n const RGWBucketEnt& bucket,\n const RGWQuotaInfo& quota,\n const RGWBucketWebsiteConf& ws_conf)\n{\n /* Adding X-Timestamp to keep align with Swift API */\n dump_header(s, \"X-Timestamp\", utime_t(s->bucket_info.creation_time));\n\n dump_header(s, \"X-Container-Object-Count\", bucket.count);\n dump_header(s, \"X-Container-Bytes-Used\", 
bucket.size);\n dump_header(s, \"X-Container-Bytes-Used-Actual\", bucket.size_rounded);\n\n if (s->object.empty()) {\n auto swift_policy = \\\n static_cast(s->bucket_acl.get());\n std::string read_acl, write_acl;\n swift_policy->to_str(read_acl, write_acl);\n\n if (read_acl.size()) {\n dump_header(s, \"X-Container-Read\", read_acl);\n }\n if (write_acl.size()) {\n dump_header(s, \"X-Container-Write\", write_acl);\n }\n if (!s->bucket_info.placement_rule.name.empty()) {\n dump_header(s, \"X-Storage-Policy\", s->bucket_info.placement_rule.name);\n }\n dump_header(s, \"X-Storage-Class\", s->bucket_info.placement_rule.get_storage_class());\n\n /* Dump user-defined metadata items and generic attrs. */\n const size_t PREFIX_LEN = sizeof(RGW_ATTR_META_PREFIX) - 1;\n map::iterator iter;\n for (iter = s->bucket_attrs.lower_bound(RGW_ATTR_PREFIX);\n iter != s->bucket_attrs.end();\n ++iter) {\n const char *name = iter->first.c_str();\n map::const_iterator geniter = rgw_to_http_attrs.find(name);\n\n if (geniter != rgw_to_http_attrs.end()) {\n dump_header(s, geniter->second, iter->second);\n } else if (strncmp(name, RGW_ATTR_META_PREFIX, PREFIX_LEN) == 0) {\n dump_header_prefixed(s, \"X-Container-Meta-\",\n camelcase_dash_http_attr(name + PREFIX_LEN),\n iter->second);\n }\n }\n }\n\n /* Dump container versioning info. */\n if (! s->bucket_info.swift_ver_location.empty()) {\n dump_header(s, \"X-Versions-Location\",\n url_encode(s->bucket_info.swift_ver_location));\n }\n\n /* Dump quota headers. */\n if (quota.enabled) {\n if (quota.max_size >= 0) {\n dump_header(s, \"X-Container-Meta-Quota-Bytes\", quota.max_size);\n }\n\n if (quota.max_objects >= 0) {\n dump_header(s, \"X-Container-Meta-Quota-Count\", quota.max_objects);\n }\n }\n\n /* Dump Static Website headers. */\n if (! ws_conf.index_doc_suffix.empty()) {\n dump_header(s, \"X-Container-Meta-Web-Index\", ws_conf.index_doc_suffix);\n }\n\n if (! 
ws_conf.error_doc.empty()) {\n dump_header(s, \"X-Container-Meta-Web-Error\", ws_conf.error_doc);\n }\n\n if (! ws_conf.subdir_marker.empty()) {\n dump_header(s, \"X-Container-Meta-Web-Directory-Type\",\n ws_conf.subdir_marker);\n }\n\n if (! ws_conf.listing_css_doc.empty()) {\n dump_header(s, \"X-Container-Meta-Web-Listings-CSS\",\n ws_conf.listing_css_doc);\n }\n\n if (ws_conf.listing_enabled) {\n dump_header(s, \"X-Container-Meta-Web-Listings\", \"true\");\n }\n\n /* Dump bucket's modification time. Compliance with the Swift API really\n * needs that. */\n dump_last_modified(s, s->bucket_mtime);\n}", "project": "ceph", "hash": 232494149384138936246166347167457492270, "size": 92, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448871 }, { "func": "void oidc_scrub_headers(request_rec *r) {\n\toidc_cfg *cfg = ap_get_module_config(r->server->module_config,\n\t\t\t&auth_openidc_module);\n\n\tconst char *prefix = oidc_cfg_claim_prefix(r);\n\tapr_hash_t *hdrs = apr_hash_make(r->pool);\n\n\tif (apr_strnatcmp(prefix, \"\") == 0) {\n\t\tif ((cfg->white_listed_claims != NULL)\n\t\t\t\t&& (apr_hash_count(cfg->white_listed_claims) > 0))\n\t\t\thdrs = apr_hash_overlay(r->pool, cfg->white_listed_claims, hdrs);\n\t\telse\n\t\t\toidc_warn(r,\n\t\t\t\t\t\"both \" OIDCClaimPrefix \" and \" OIDCWhiteListedClaims \" are empty: this renders an insecure setup!\");\n\t}\n\n\tchar *authn_hdr = oidc_cfg_dir_authn_header(r);\n\tif (authn_hdr != NULL)\n\t\tapr_hash_set(hdrs, authn_hdr, APR_HASH_KEY_STRING, authn_hdr);\n\n\t/*\n\t * scrub all headers starting with OIDC_ first\n\t */\n\toidc_scrub_request_headers(r, 
OIDC_DEFAULT_HEADER_PREFIX, hdrs);\n\n\t/*\n\t * then see if the claim headers need to be removed on top of that\n\t * (i.e. the prefix does not start with the default OIDC_)\n\t */\n\tif ((strstr(prefix, OIDC_DEFAULT_HEADER_PREFIX) != prefix)) {\n\t\toidc_scrub_request_headers(r, prefix, NULL);\n\t}\n}", "project": "mod_auth_openidc", "hash": 142496249550178039958805773705664253630, "size": 33, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381963 }, { "func": "static ssize_t sst_prepare_mysqldump (const char* addr_in,\n const char** addr_out)\n{\n ssize_t ret = strlen (addr_in);\n\n if (!strrchr(addr_in, ':'))\n {\n ssize_t s = ret + 7;\n char* tmp = (char*) malloc (s);\n\n if (tmp)\n {\n ret= snprintf (tmp, s, \"%s:%u\", addr_in, mysqld_port);\n\n if (ret > 0 && ret < s)\n {\n *addr_out= tmp;\n return ret;\n }\n if (ret > 0) /* buffer too short */ ret = -EMSGSIZE;\n free (tmp);\n }\n else {\n ret= -ENOMEM;\n }\n\n WSREP_ERROR (\"Could not prepare state transfer request: \"\n \"adding default port failed: %zd.\", ret);\n }\n else {\n *addr_out= addr_in;\n }\n\n return ret;\n}", "project": "mysql-wsrep", "hash": 290623053408154854727316001257584389874, "size": 35, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454808 }, { "func": "static int tracing_resize_saved_cmdlines(unsigned int val)\n{\n\tstruct saved_cmdlines_buffer *s, *savedcmd_temp;\n\n\ts = kmalloc(sizeof(*s), GFP_KERNEL);\n\tif (!s)\n\t\treturn -ENOMEM;\n\n\tif (allocate_cmdlines_buffer(val, s) < 0) {\n\t\tkfree(s);\n\t\treturn -ENOMEM;\n\t}\n\n\tarch_spin_lock(&trace_cmdline_lock);\n\tsavedcmd_temp = savedcmd;\n\tsavedcmd = 
s;\n\tarch_spin_unlock(&trace_cmdline_lock);\n\tfree_saved_cmdlines_buffer(savedcmd_temp);\n\n\treturn 0;\n}", "project": "linux", "hash": 99290414268899107489456106516829492913, "size": 21, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445687 }, { "func": "static int sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,\n\t\t\t struct sctp_association *assoc,\n\t\t\t enum sctp_socket_type type)\n{\n\tstruct sctp_sock *oldsp = sctp_sk(oldsk);\n\tstruct sctp_sock *newsp = sctp_sk(newsk);\n\tstruct sctp_bind_bucket *pp; /* hash list port iterator */\n\tstruct sctp_endpoint *newep = newsp->ep;\n\tstruct sk_buff *skb, *tmp;\n\tstruct sctp_ulpevent *event;\n\tstruct sctp_bind_hashbucket *head;\n\tint err;\n\n\t/* Migrate socket buffer sizes and all the socket level options to the\n\t * new socket.\n\t */\n\tnewsk->sk_sndbuf = oldsk->sk_sndbuf;\n\tnewsk->sk_rcvbuf = oldsk->sk_rcvbuf;\n\t/* Brute force copy old sctp opt. */\n\tsctp_copy_descendant(newsk, oldsk);\n\n\t/* Restore the ep value that was overwritten with the above structure\n\t * copy.\n\t */\n\tnewsp->ep = newep;\n\tnewsp->hmac = NULL;\n\n\t/* Hook this new socket in to the bind_hash list. 
*/\n\thead = &sctp_port_hashtable[sctp_phashfn(sock_net(oldsk),\n\t\t\t\t\t\t inet_sk(oldsk)->inet_num)];\n\tspin_lock_bh(&head->lock);\n\tpp = sctp_sk(oldsk)->bind_hash;\n\tsk_add_bind_node(newsk, &pp->owner);\n\tsctp_sk(newsk)->bind_hash = pp;\n\tinet_sk(newsk)->inet_num = inet_sk(oldsk)->inet_num;\n\tspin_unlock_bh(&head->lock);\n\n\t/* Copy the bind_addr list from the original endpoint to the new\n\t * endpoint so that we can handle restarts properly\n\t */\n\terr = sctp_bind_addr_dup(&newsp->ep->base.bind_addr,\n\t\t\t\t &oldsp->ep->base.bind_addr, GFP_KERNEL);\n\tif (err)\n\t\treturn err;\n\n\t/* New ep's auth_hmacs should be set if old ep's is set, in case\n\t * that net->sctp.auth_enable has been changed to 0 by users and\n\t * new ep's auth_hmacs couldn't be set in sctp_endpoint_init().\n\t */\n\tif (oldsp->ep->auth_hmacs) {\n\t\terr = sctp_auth_init_hmacs(newsp->ep, GFP_KERNEL);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\n\t/* Move any messages in the old socket's receive queue that are for the\n\t * peeled off association to the new socket's receive queue.\n\t */\n\tsctp_skb_for_each(skb, &oldsk->sk_receive_queue, tmp) {\n\t\tevent = sctp_skb2event(skb);\n\t\tif (event->asoc == assoc) {\n\t\t\t__skb_unlink(skb, &oldsk->sk_receive_queue);\n\t\t\t__skb_queue_tail(&newsk->sk_receive_queue, skb);\n\t\t\tsctp_skb_set_owner_r_frag(skb, newsk);\n\t\t}\n\t}\n\n\t/* Clean up any messages pending delivery due to partial\n\t * delivery. Three cases:\n\t * 1) No partial deliver; no work.\n\t * 2) Peeling off partial delivery; keep pd_lobby in new pd_lobby.\n\t * 3) Peeling off non-partial delivery; move pd_lobby to receive_queue.\n\t */\n\tatomic_set(&sctp_sk(newsk)->pd_mode, assoc->ulpq.pd_mode);\n\n\tif (atomic_read(&sctp_sk(oldsk)->pd_mode)) {\n\t\tstruct sk_buff_head *queue;\n\n\t\t/* Decide which queue to move pd_lobby skbs to. 
*/\n\t\tif (assoc->ulpq.pd_mode) {\n\t\t\tqueue = &newsp->pd_lobby;\n\t\t} else\n\t\t\tqueue = &newsk->sk_receive_queue;\n\n\t\t/* Walk through the pd_lobby, looking for skbs that\n\t\t * need moved to the new socket.\n\t\t */\n\t\tsctp_skb_for_each(skb, &oldsp->pd_lobby, tmp) {\n\t\t\tevent = sctp_skb2event(skb);\n\t\t\tif (event->asoc == assoc) {\n\t\t\t\t__skb_unlink(skb, &oldsp->pd_lobby);\n\t\t\t\t__skb_queue_tail(queue, skb);\n\t\t\t\tsctp_skb_set_owner_r_frag(skb, newsk);\n\t\t\t}\n\t\t}\n\n\t\t/* Clear up any skbs waiting for the partial\n\t\t * delivery to finish.\n\t\t */\n\t\tif (assoc->ulpq.pd_mode)\n\t\t\tsctp_clear_pd(oldsk, NULL);\n\n\t}\n\n\tsctp_for_each_rx_skb(assoc, newsk, sctp_skb_set_owner_r_frag);\n\n\t/* Set the type of socket to indicate that it is peeled off from the\n\t * original UDP-style socket or created with the accept() call on a\n\t * TCP-style socket..\n\t */\n\tnewsp->type = type;\n\n\t/* Mark the new socket \"in-use\" by the user so that any packets\n\t * that may arrive on the association after we've moved it are\n\t * queued to the backlog. 
This prevents a potential race between\n\t * backlog processing on the old socket and new-packet processing\n\t * on the new socket.\n\t *\n\t * The caller has just allocated newsk so we can guarantee that other\n\t * paths won't try to lock it and then oldsk.\n\t */\n\tlock_sock_nested(newsk, SINGLE_DEPTH_NESTING);\n\tsctp_for_each_tx_datachunk(assoc, true, sctp_clear_owner_w);\n\tsctp_assoc_migrate(assoc, newsk);\n\tsctp_for_each_tx_datachunk(assoc, false, sctp_set_owner_w);\n\n\t/* If the association on the newsk is already closed before accept()\n\t * is called, set RCV_SHUTDOWN flag.\n\t */\n\tif (sctp_state(assoc, CLOSED) && sctp_style(newsk, TCP)) {\n\t\tinet_sk_set_state(newsk, SCTP_SS_CLOSED);\n\t\tnewsk->sk_shutdown |= RCV_SHUTDOWN;\n\t} else {\n\t\tinet_sk_set_state(newsk, SCTP_SS_ESTABLISHED);\n\t}\n\n\trelease_sock(newsk);\n\n\treturn 0;\n}", "project": "linux", "hash": 115658049611796124374975558892157850243, "size": 140, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398164 }, { "func": "static int rar5_bid(struct archive_read* a, int best_bid) {\n\tint my_bid;\n\n\tif(best_bid > 30)\n\t\treturn -1;\n\n\tmy_bid = bid_standard(a);\n\tif(my_bid > -1) {\n\t\treturn my_bid;\n\t}\n\n\treturn -1;\n}", "project": "libarchive", "hash": 313385921906204502719105489584517909556, "size": 13, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244752 }, { "func": "static inline __u32 sctp_spp_sackdelay_disable(__u32 param_flags)\n{\n\treturn (param_flags & ~SPP_SACKDELAY) | SPP_SACKDELAY_DISABLE;\n}", "project": "linux", "hash": 103685872486300802030008614871193726244, "size": 4, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398169 }, { "func": "static void prb_setup_retire_blk_timer(struct packet_sock *po)\n{\n\tstruct tpacket_kbdq_core *pkc;\n\n\tpkc = GET_PBDQC_FROM_RB(&po->rx_ring);\n\ttimer_setup(&pkc->retire_blk_timer, prb_retire_rx_blk_timer_expired,\n\t\t 0);\n\tpkc->retire_blk_timer.expires = jiffies;\n}", "project": "linux", "hash": 63645835688754322542958399303873656025, "size": 9, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330364 }, { "func": "int __kill_pgrp_info(int sig, struct kernel_siginfo *info, struct pid *pgrp)\n{\n\tstruct task_struct *p = NULL;\n\tint retval, success;\n\n\tsuccess = 0;\n\tretval = -ESRCH;\n\tdo_each_pid_task(pgrp, PIDTYPE_PGID, p) {\n\t\tint err = group_send_sig_info(sig, info, p, PIDTYPE_PGID);\n\t\tsuccess |= !err;\n\t\tretval 
= err;\n\t} while_each_pid_task(pgrp, PIDTYPE_PGID, p);\n\treturn success ? 0 : retval;\n}", "project": "linux", "hash": 123039742833224375738504003325816947252, "size": 14, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375145 }, { "func": "static void sp_insert(struct shared_policy *sp, struct sp_node *new)\n{\n\tstruct rb_node **p = &sp->root.rb_node;\n\tstruct rb_node *parent = NULL;\n\tstruct sp_node *nd;\n\n\twhile (*p) {\n\t\tparent = *p;\n\t\tnd = rb_entry(parent, struct sp_node, nd);\n\t\tif (new->start < nd->start)\n\t\t\tp = &(*p)->rb_left;\n\t\telse if (new->end > nd->end)\n\t\t\tp = &(*p)->rb_right;\n\t\telse\n\t\t\tBUG();\n\t}\n\trb_link_node(&new->nd, parent, p);\n\trb_insert_color(&new->nd, &sp->root);\n\tpr_debug(\"inserting %lx-%lx: %d\\n\", new->start, new->end,\n\t\t new->policy ? new->policy->mode : 0);\n}", "project": "linux", "hash": 239767159726334593884662864796189789302, "size": 21, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366770 }, { "func": "static void thaw_limited_counters(struct cpu_hw_events *cpuhw,\n\t\t\t\t unsigned long pmc5, unsigned long pmc6)\n{\n\tstruct perf_event *event;\n\tu64 val, prev;\n\tint i;\n\n\tfor (i = 0; i < cpuhw->n_limited; ++i) {\n\t\tevent = cpuhw->limited_counter[i];\n\t\tevent->hw.idx = cpuhw->limited_hwidx[i];\n\t\tval = (event->hw.idx == 5) ? 
pmc5 : pmc6;\n\t\tprev = local64_read(&event->hw.prev_count);\n\t\tif (check_and_compute_delta(prev, val))\n\t\t\tlocal64_set(&event->hw.prev_count, val);\n\t\tperf_event_update_userpage(event);\n\t}\n}", "project": "linux", "hash": 107853306211031173031782435653335546911, "size": 17, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374710 }, { "func": "static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_role_change *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);\n\tif (conn) {\n\t\tif (!ev->status)\n\t\t\tconn->role = ev->role;\n\n\t\tclear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);\n\n\t\thci_role_switch_cfm(conn, ev->status, ev->role);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 310967950735144544065584850113931978056, "size": 21, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431952 }, { "func": " static v8::Local ToV8(v8::Isolate* isolate,\n const printing::PrinterBasicInfo& val) {\n gin_helper::Dictionary dict = gin::Dictionary::CreateEmpty(isolate);\n dict.Set(\"name\", val.printer_name);\n dict.Set(\"displayName\", val.display_name);\n dict.Set(\"description\", val.printer_description);\n dict.Set(\"status\", val.printer_status);\n dict.Set(\"isDefault\", val.is_default ? true : false);\n dict.Set(\"options\", val.options);\n return dict.GetHandle();\n }", "project": "electron", "hash": 147440164527828982785908037071682077745, "size": 11, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269729 }, { "func": " static v8::Local ToV8(v8::Isolate* isolate,\n electron::api::WebContents::Type val) {\n using Type = electron::api::WebContents::Type;\n std::string type;\n switch (val) {\n case Type::BACKGROUND_PAGE:\n type = \"backgroundPage\";\n break;\n case Type::BROWSER_WINDOW:\n type = \"window\";\n break;\n case Type::BROWSER_VIEW:\n type = \"browserView\";\n break;\n case Type::REMOTE:\n type = \"remote\";\n break;\n case Type::WEB_VIEW:\n type = \"webview\";\n break;\n case Type::OFF_SCREEN:\n type = \"offscreen\";\n break;\n default:\n break;\n }\n return 
gin::ConvertToV8(isolate, type);\n }", "project": "electron", "hash": 198287244686957396906114065395957157788, "size": 28, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269759 }, { "func": "int imap_mxcmp(const char *mx1, const char *mx2)\n{\n char *b1 = NULL;\n char *b2 = NULL;\n int rc;\n\n if (!mx1 || (*mx1 == '\\0'))\n mx1 = \"INBOX\";\n if (!mx2 || (*mx2 == '\\0'))\n mx2 = \"INBOX\";\n if (mutt_istr_equal(mx1, \"INBOX\") && mutt_istr_equal(mx2, \"INBOX\"))\n {\n return 0;\n }\n\n b1 = mutt_mem_malloc(strlen(mx1) + 1);\n b2 = mutt_mem_malloc(strlen(mx2) + 1);\n\n imap_fix_path('\\0', mx1, b1, strlen(mx1) + 1);\n imap_fix_path('\\0', mx2, b2, strlen(mx2) + 1);\n\n rc = mutt_str_cmp(b1, b2);\n FREE(&b1);\n FREE(&b2);\n\n return rc;\n}", "project": "neomutt", "hash": 152656555535181808835050406416756483890, "size": 27, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. 
In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399281 }, { "func": "static int ssh_buffer_pack_allocate_va(struct ssh_buffer_struct *buffer,\n const char *format,\n size_t argc,\n va_list ap)\n{\n const char *p = NULL;\n ssh_string string = NULL;\n char *cstring = NULL;\n size_t needed_size = 0;\n size_t len;\n size_t count;\n int rc = SSH_OK;\n\n for (p = format, count = 0; *p != '\\0'; p++, count++) {\n /* Invalid number of arguments passed */\n if (count > argc) {\n return SSH_ERROR;\n }\n\n switch(*p) {\n case 'b':\n va_arg(ap, unsigned int);\n needed_size += sizeof(uint8_t);\n break;\n case 'w':\n va_arg(ap, unsigned int);\n needed_size += sizeof(uint16_t);\n break;\n case 'd':\n va_arg(ap, uint32_t);\n needed_size += sizeof(uint32_t);\n break;\n case 'q':\n va_arg(ap, uint64_t);\n needed_size += sizeof(uint64_t);\n break;\n case 'S':\n string = va_arg(ap, ssh_string);\n needed_size += 4 + ssh_string_len(string);\n string = NULL;\n break;\n case 's':\n cstring = va_arg(ap, char *);\n needed_size += sizeof(uint32_t) + strlen(cstring);\n cstring = NULL;\n break;\n case 'P':\n len = va_arg(ap, size_t);\n needed_size += len;\n va_arg(ap, void *);\n count++; /* increase argument count */\n break;\n case 'B':\n va_arg(ap, bignum);\n /*\n * Use a fixed size for a bignum\n * (they should normaly be around 32)\n */\n needed_size += 64;\n break;\n case 't':\n cstring = va_arg(ap, char *);\n needed_size += strlen(cstring);\n cstring = NULL;\n break;\n default:\n SSH_LOG(SSH_LOG_WARN, \"Invalid buffer format %c\", *p);\n rc = SSH_ERROR;\n }\n if (rc != SSH_OK){\n break;\n }\n }\n\n if (argc != count) {\n return SSH_ERROR;\n }\n\n if (rc != SSH_ERROR){\n /*\n * Check if our canary is intact, if not, something really bad happened.\n */\n uint32_t canary = va_arg(ap, uint32_t);\n if (canary != 
SSH_BUFFER_PACK_END) {\n abort();\n }\n }\n\n rc = ssh_buffer_allocate_size(buffer, needed_size);\n if (rc != 0) {\n return SSH_ERROR;\n }\n\n return SSH_OK;\n}", "project": "libssh-mirror", "hash": 33781552796874571012475500914717371939, "size": 95, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345147 }, { "func": "void CSoundFile::ExtendedChannelEffect(ModChannel *pChn, uint32 param)\n{\n\t// S9x and X9x commands (S3M/XM/IT only)\n\tif(!m_SongFlags[SONG_FIRSTTICK]) return;\n\tswitch(param & 0x0F)\n\t{\n\t// S90: Surround Off\n\tcase 0x00:\tpChn->dwFlags.reset(CHN_SURROUND);\tbreak;\n\t// S91: Surround On\n\tcase 0x01:\tpChn->dwFlags.set(CHN_SURROUND); pChn->nPan = 128; break;\n\n\t////////////////////////////////////////////////////////////\n\t// ModPlug Extensions\n\t// S98: Reverb Off\n\tcase 0x08:\n\t\tpChn->dwFlags.reset(CHN_REVERB);\n\t\tpChn->dwFlags.set(CHN_NOREVERB);\n\t\tbreak;\n\t// S99: Reverb On\n\tcase 0x09:\n\t\tpChn->dwFlags.reset(CHN_NOREVERB);\n\t\tpChn->dwFlags.set(CHN_REVERB);\n\t\tbreak;\n\t// S9A: 2-Channels surround mode\n\tcase 0x0A:\n\t\tm_SongFlags.reset(SONG_SURROUNDPAN);\n\t\tbreak;\n\t// S9B: 4-Channels surround mode\n\tcase 0x0B:\n\t\tm_SongFlags.set(SONG_SURROUNDPAN);\n\t\tbreak;\n\t// S9C: IT Filter Mode\n\tcase 0x0C:\n\t\tm_SongFlags.reset(SONG_MPTFILTERMODE);\n\t\tbreak;\n\t// S9D: MPT Filter Mode\n\tcase 0x0D:\n\t\tm_SongFlags.set(SONG_MPTFILTERMODE);\n\t\tbreak;\n\t// S9E: Go forward\n\tcase 0x0E:\n\t\tpChn->dwFlags.reset(CHN_PINGPONGFLAG);\n\t\tbreak;\n\t// S9F: Go backward (and set playback position to the end if sample just started)\n\tcase 0x0F:\n\t\tif(pChn->position.IsZero() && pChn->nLength && (pChn->rowCommand.IsNote() || !pChn->dwFlags[CHN_LOOP]))\n\t\t{\n\t\t\tpChn->position.Set(pChn->nLength - 1, 
SamplePosition::fractMax);\n\t\t}\n\t\tpChn->dwFlags.set(CHN_PINGPONGFLAG);\n\t\tbreak;\n\t}\n}", "project": "openmpt", "hash": 206691539605833811125168023437856369529, "size": 53, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255228 }, { "func": "static int tty_release_checks(struct tty_struct *tty, int idx)\n{\n#ifdef TTY_PARANOIA_CHECK\n\tif (idx < 0 || idx >= tty->driver->num) {\n\t\ttty_debug(tty, \"bad idx %d\\n\", idx);\n\t\treturn -1;\n\t}\n\n\t/* not much to check for devpts */\n\tif (tty->driver->flags & TTY_DRIVER_DEVPTS_MEM)\n\t\treturn 0;\n\n\tif (tty != tty->driver->ttys[idx]) {\n\t\ttty_debug(tty, \"bad driver table[%d] = %p\\n\",\n\t\t\t idx, tty->driver->ttys[idx]);\n\t\treturn -1;\n\t}\n\tif (tty->driver->other) {\n\t\tstruct tty_struct *o_tty = tty->link;\n\n\t\tif (o_tty != tty->driver->other->ttys[idx]) {\n\t\t\ttty_debug(tty, \"bad other table[%d] = %p\\n\",\n\t\t\t\t idx, tty->driver->other->ttys[idx]);\n\t\t\treturn -1;\n\t\t}\n\t\tif (o_tty->link != tty) {\n\t\t\ttty_debug(tty, \"bad link = %p\\n\", o_tty->link);\n\t\t\treturn -1;\n\t\t}\n\t}\n#endif\n\treturn 0;\n}", "project": "linux", "hash": 126680244576142220927963295708644222884, "size": 33, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user 
can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326067 }, { "func": "Variant strtr_fast(const String& str, const Array& arr,\n int minlen, int maxlen) {\n using PatternMask = uint64_t[256];\n auto mask = req::calloc_raw_array(maxlen);\n SCOPE_EXIT { req::free(mask); };\n\n int pattern_id = 0;\n for (ArrayIter iter(arr); iter; ++iter, pattern_id++) {\n auto const search = iter.first().toString();\n auto slice = search.slice();\n\n for (auto i = 0; i < slice.size(); i++) {\n mask[i][(unsigned char)slice.data()[i]] |= (1LL << pattern_id);\n }\n }\n auto s = str.data();\n auto slen = str.size();\n StringBuffer result(slen);\n String key(maxlen, ReserveString);\n\n for (auto i = 0; i < slen;) {\n if ((i + maxlen) > slen) {\n maxlen = slen - i;\n }\n uint64_t match = ~0x0ULL;\n bool possible_match = false;\n\n for (auto pos = 0; pos < maxlen; pos++) {\n match &= 
mask[pos][(unsigned char)s[i + pos]];\n if (!match) break;\n if (pos >= minlen - 1) {\n possible_match = true;\n break;\n }\n }\n bool found = false;\n if (possible_match) {\n found = strtr_slow(arr, result, key, s, i, minlen, maxlen);\n }\n if (!found) {\n result.append(s[i++]);\n }\n }\n return result.detach();\n}", "project": "hhvm", "hash": 255884408571971656241212476098698805618, "size": 45, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219517 }, { "func": "static int fuse_statfs(struct dentry *dentry, struct kstatfs *buf)\n{\n\tstruct super_block *sb = dentry->d_sb;\n\tstruct fuse_mount *fm = get_fuse_mount_super(sb);\n\tFUSE_ARGS(args);\n\tstruct fuse_statfs_out outarg;\n\tint err;\n\n\tif (!fuse_allow_current_process(fm->fc)) {\n\t\tbuf->f_type = FUSE_SUPER_MAGIC;\n\t\treturn 0;\n\t}\n\n\tmemset(&outarg, 0, sizeof(outarg));\n\targs.in_numargs = 0;\n\targs.opcode = FUSE_STATFS;\n\targs.nodeid = get_node_id(d_inode(dentry));\n\targs.out_numargs = 1;\n\targs.out_args[0].size = sizeof(outarg);\n\targs.out_args[0].value = &outarg;\n\terr = fuse_simple_request(fm, &args);\n\tif (!err)\n\t\tconvert_fuse_statfs(buf, &outarg.st);\n\treturn err;\n}", "project": "linux", "hash": 10844920337230020702000741279647853764, "size": 25, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341995 }, { "func": " Item_string(THD *thd, const char *name_par, const char *str, uint length,\n CHARSET_INFO *cs, Derivation dv, uint repertoire):\n Item_basic_constant(thd)\n {\n str_value.set_or_copy_aligned(str, length, cs);\n fix_from_value(dv, Metadata(&str_value, repertoire));\n set_name(thd, name_par, 0, system_charset_info);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 76617826355763431280153842423314446880, "size": 8, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508970 }, { "func": " Item_string(THD *thd, const char *str, uint length,\n CHARSET_INFO *cs, Derivation dv= DERIVATION_COERCIBLE):\n Item_basic_constant(thd)\n {\n str_value.set_or_copy_aligned(str, length, cs);\n fix_and_set_name_from_value(thd, dv, Metadata(&str_value));\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 283879224591634361466853502488059464125, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509010 }, { "func": " Item_string(THD *thd, CHARSET_INFO *csi, const char *str_arg, uint length_arg):\n Item_basic_constant(thd)\n {\n collation.set(csi, DERIVATION_COERCIBLE);\n set_name(thd, NULL, 0, system_charset_info);\n decimals= NOT_FIXED_DEC;\n fixed= 1;\n str_value.copy(str_arg, length_arg, csi);\n max_length= str_value.numchars() * csi->mbmaxlen;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 191373478033148797583970658963460237269, "size": 10, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509195 }, { "func": " Item_null(THD *thd, char *name_par=0, CHARSET_INFO *cs= &my_charset_bin):\n Item_basic_constant(thd)\n {\n maybe_null= null_value= TRUE;\n max_length= 0;\n name= name_par ? 
name_par : (char*) \"NULL\";\n fixed= 1;\n collation.set(cs, DERIVATION_IGNORABLE, MY_REPERTOIRE_ASCII);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 33633069362885225397788440530353483865, "size": 9, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509265 }, { "func": " Item_temporal_literal(THD *thd, MYSQL_TIME *ltime, uint dec_arg):\n Item_basic_constant(thd)\n {\n collation.set(&my_charset_numeric, DERIVATION_NUMERIC, MY_REPERTOIRE_ASCII);\n decimals= dec_arg;\n cached_time= *ltime;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 131593961040658483613344493996083659957, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509278 }, { "func": " Item_string(THD *thd, const char *name_par, const char *str, uint length,\n CHARSET_INFO *cs, Derivation dv= DERIVATION_COERCIBLE):\n Item_basic_constant(thd)\n {\n str_value.set_or_copy_aligned(str, length, cs);\n fix_from_value(dv, Metadata(&str_value));\n set_name(thd, name_par, 0, system_charset_info);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 35002537558666367717809150473633131591, "size": 8, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509389 }, { "func": " Item_string(THD *thd, CHARSET_INFO *cs, Derivation dv= DERIVATION_COERCIBLE):\n Item_basic_constant(thd)\n {\n collation.set(cs, dv);\n max_length= 0;\n set_name(thd, NULL, 0, system_charset_info);\n decimals= NOT_FIXED_DEC;\n fixed= 1;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 112099213954144049241027563207880517719, "size": 9, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509419 }, { "func": " Item_hex_constant(THD *thd, const char *str, uint str_length):\n Item_basic_constant(thd)\n {\n hex_string_init(thd, str, str_length);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 227099543670227297023612022212795731390, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509452 }, { "func": "static int ca8210_get_platform_data(\n\tstruct spi_device *spi_device,\n\tstruct ca8210_platform_data *pdata\n)\n{\n\tint ret = 0;\n\n\tif (!spi_device->dev.of_node)\n\t\treturn -EINVAL;\n\n\tpdata->extclockenable = of_property_read_bool(\n\t\tspi_device->dev.of_node,\n\t\t\"extclock-enable\"\n\t);\n\tif (pdata->extclockenable) {\n\t\tret = of_property_read_u32(\n\t\t\tspi_device->dev.of_node,\n\t\t\t\"extclock-freq\",\n\t\t\t&pdata->extclockfreq\n\t\t);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\n\t\tret = of_property_read_u32(\n\t\t\tspi_device->dev.of_node,\n\t\t\t\"extclock-gpio\",\n\t\t\t&pdata->extclockgpio\n\t\t);\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 159237184251236689391577050399346077387, "size": 32, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408769 }, { "func": "static bool io_match_task(struct io_kiocb *head,\n\t\t\t struct task_struct *task,\n\t\t\t struct files_struct *files)\n{\n\tstruct io_kiocb *req;\n\n\tif (task && head->task != task)\n\t\treturn false;\n\tif (!files)\n\t\treturn true;\n\n\tio_for_each_link(req, head) {\n\t\tif (req->flags & REQ_F_INFLIGHT)\n\t\t\treturn true;\n\t}\n\treturn false;\n}", "project": "linux", "hash": 48601555804625382033410504015970878172, "size": 17, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger 
than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338666 }, { "func": "static inline void hid_hw_request(struct hid_device *hdev,\n\t\t\t\t struct hid_report *report, int reqtype)\n{\n\tif (hdev->ll_driver->request)\n\t\treturn hdev->ll_driver->request(hdev, report, reqtype);\n\n\t__hid_request(hdev, report, reqtype);\n}", "project": "linux", "hash": 58201383756359841380630639574242206291, "size": 8, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458405 }, { 
"func": "static void io_dismantle_req(struct io_kiocb *req)\n{\n\tunsigned int flags = req->flags;\n\n\tif (io_req_needs_clean(req))\n\t\tio_clean_op(req);\n\tif (!(flags & REQ_F_FIXED_FILE))\n\t\tio_put_file(req->file);\n\tif (req->fixed_rsrc_refs)\n\t\tpercpu_ref_put(req->fixed_rsrc_refs);\n\tif (req->async_data)\n\t\tkfree(req->async_data);\n\tif (req->work.creds) {\n\t\tput_cred(req->work.creds);\n\t\treq->work.creds = NULL;\n\t}\n}", "project": "linux", "hash": 129220617193476303160061960897894554831, "size": 17, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338718 }, { "func": "static bool io_dismantle_req(struct io_kiocb *req)\n{\n\tio_clean_op(req);\n\n\tif (req->io)\n\t\tkfree(req->io);\n\tif (req->file)\n\t\tio_put_file(req, req->file, (req->flags & REQ_F_FIXED_FILE));\n\n\tif (req->flags & REQ_F_INFLIGHT) {\n\t\tstruct io_ring_ctx *ctx = req->ctx;\n\t\tunsigned long flags;\n\n\t\tspin_lock_irqsave(&ctx->inflight_lock, flags);\n\t\tlist_del(&req->inflight_entry);\n\t\tif (waitqueue_active(&ctx->inflight_wait))\n\t\t\twake_up(&ctx->inflight_wait);\n\t\tspin_unlock_irqrestore(&ctx->inflight_lock, flags);\n\t}\n\n\treturn io_req_clean_work(req);\n}", "project": "linux", "hash": 
235651850225066278212586412488175475317, "size": 22, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456940 }, { "func": "static void free_rendition_list(HLSContext *c)\n{\n int i;\n for (i = 0; i < c->n_renditions; i++)\n av_freep(&c->renditions[i]);\n av_freep(&c->renditions);\n c->n_renditions = 0;\n}", "project": "FFmpeg", "hash": 157107821227274724800256383531386975180, "size": 8, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270449 }, { "func": "static int nfs4_proc_lookupp(struct inode *inode, struct nfs_fh *fhandle,\n\t\t\t struct nfs_fattr *fattr, struct nfs4_label *label)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\tdo {\n\t\terr = _nfs4_proc_lookupp(inode, fhandle, fattr, label);\n\t\ttrace_nfs4_lookupp(inode, err);\n\t\terr = nfs4_handle_exception(NFS_SERVER(inode), err,\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 125995754662276684282653321192100240449, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and 
memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431054 }, { "func": "DLLEXPORT int tjPlaneHeight(int componentID, int height, int subsamp)\n{\n\tint ph, nc, retval=0;\n\n\tif(height<1 || subsamp<0 || subsamp>=TJ_NUMSAMP)\n\t\t_throw(\"tjPlaneHeight(): Invalid argument\");\n\tnc=(subsamp==TJSAMP_GRAY? 1:3);\n\tif(componentID<0 || componentID>=nc)\n\t\t_throw(\"tjPlaneHeight(): Invalid argument\");\n\n\tph=PAD(height, tjMCUHeight[subsamp]/8);\n\tif(componentID==0)\n\t\tretval=ph;\n\telse\n\t\tretval=ph*8/tjMCUHeight[subsamp];\n\n\tbailout:\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 71724689303988175646472987920186291812, "size": 19, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... 
when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311131 }, { "func": "free_regexps (void)\n{\n pcre_free (re_fedora);\n pcre_free (re_rhel_old);\n pcre_free (re_rhel);\n pcre_free (re_rhel_no_minor);\n pcre_free (re_centos_old);\n pcre_free (re_centos);\n pcre_free (re_centos_no_minor);\n pcre_free (re_scientific_linux_old);\n pcre_free (re_scientific_linux);\n pcre_free (re_scientific_linux_no_minor);\n pcre_free (re_major_minor);\n pcre_free (re_xdev);\n pcre_free (re_cciss);\n pcre_free (re_mdN);\n pcre_free (re_freebsd);\n pcre_free (re_diskbyid);\n pcre_free (re_netbsd);\n pcre_free (re_opensuse);\n pcre_free (re_sles);\n pcre_free (re_nld);\n pcre_free (re_opensuse_version);\n pcre_free (re_sles_version);\n pcre_free (re_sles_patchlevel);\n}", "project": "libguestfs", "hash": 150436761020123213945771670123390690113, "size": 26, "commit_id": "ae8bb84ecd46d7b6ef557a87725923ac8d09dce0", "message": "inspection: Don't segfault if /etc/SuSE-release is an empty file.\n\nRelated to CVE-2013-2124.\n\nThanks: Olaf Hering.", "target": 0, "dataset": "other", "idx": 293576 }, { "func": "int mnt_optstr_fix_secontext(char **optstr,\n\t\t\t char *value,\n\t\t\t size_t valsz,\n\t\t\t char **next)\n{\n\tint rc = 0;\n\tchar *p, *val, *begin, *end, *raw = NULL;\n\tsize_t sz;\n\n\tif (!optstr || !*optstr || !value || !valsz)\n\t\treturn -EINVAL;\n\n\tDBG(CXT, ul_debug(\"fixing SELinux context\"));\n\n\tbegin = value;\n\tend = value + valsz;\n\n\t/* the selinux contexts are quoted */\n\tif (*value == '\"') {\n\t\tif (valsz <= 2 || *(value + valsz - 1) != '\"')\n\t\t\treturn -EINVAL;\t\t/* improperly quoted option string */\n\t\tvalue++;\n\t\tvalsz -= 2;\n\t}\n\n\tp = strndup(value, valsz);\n\tif (!p)\n\t\treturn -ENOMEM;\n\n\n\t/* translate the context */\n\trc = selinux_trans_to_raw_context(p, &raw);\n\n\tDBG(CXT, ul_debug(\"SELinux context '%s' translated to '%s'\",\n\t\t\tp, rc == -1 ? 
\"FAILED\" : (char *) raw));\n\n\tfree(p);\n\tif (rc == -1 ||\t!raw)\n\t\treturn -EINVAL;\n\n\n\t/* create a quoted string from the raw context */\n\tsz = strlen((char *) raw);\n\tif (!sz)\n\t\treturn -EINVAL;\n\n\tp = val = malloc(valsz + 3);\n\tif (!val)\n\t\treturn -ENOMEM;\n\n\t*p++ = '\"';\n\tmemcpy(p, raw, sz);\n\tp += sz;\n\t*p++ = '\"';\n\t*p = '\\0';\n\n\tfreecon(raw);\n\n\t/* set new context */\n\tmnt_optstr_remove_option_at(optstr, begin, end);\n\trc = insert_value(optstr, begin, val, next);\n\tfree(val);\n\n\treturn rc;\n}", "project": "util-linux", "hash": 20600465306056205266155692165477061433, "size": 65, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410387 }, { "func": "int mnt_optstr_fix_secontext(char **optstr __attribute__ ((__unused__)),\n\t\t\t char *value __attribute__ ((__unused__)),\n\t\t\t size_t valsz __attribute__ ((__unused__)),\n\t\t\t char **next __attribute__ ((__unused__)))\n{\n\treturn 0;\n}", "project": "util-linux", "hash": 180702313326749159791942445496093203787, "size": 7, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410434 }, { "func": "static void input_disconnect_device(struct input_dev *dev)\n{\n\tstruct input_handle *handle;\n\n\t/*\n\t * Mark device as going away. 
Note that we take dev->mutex here\n\t * not to protect access to dev->going_away but rather to ensure\n\t * that there are no threads in the middle of input_open_device()\n\t */\n\tmutex_lock(&dev->mutex);\n\tdev->going_away = true;\n\tmutex_unlock(&dev->mutex);\n\n\tspin_lock_irq(&dev->event_lock);\n\n\t/*\n\t * Simulate keyup events for all pressed keys so that handlers\n\t * are not left with \"stuck\" keys. The driver may continue\n\t * generate events even after we done here but they will not\n\t * reach any handlers.\n\t */\n\tinput_dev_release_keys(dev);\n\n\tlist_for_each_entry(handle, &dev->h_list, d_node)\n\t\thandle->open = 0;\n\n\tspin_unlock_irq(&dev->event_lock);\n}", "project": "linux", "hash": 103127396821684094499523421816918691299, "size": 28, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353351 }, { "func": "static vm_fault_t fuse_page_mkwrite(struct vm_fault *vmf)\n{\n\tstruct page *page = vmf->page;\n\tstruct inode *inode = file_inode(vmf->vma->vm_file);\n\n\tfile_update_time(vmf->vma->vm_file);\n\tlock_page(page);\n\tif (page->mapping != inode->i_mapping) {\n\t\tunlock_page(page);\n\t\treturn VM_FAULT_NOPAGE;\n\t}\n\n\tfuse_wait_on_page_writeback(inode, page->index);\n\treturn VM_FAULT_LOCKED;\n}", "project": "linux", "hash": 130079335290837270126509161286892256, "size": 15, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341905 }, { "func": "static void sync_regs_fmt2(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)\n{\n\tstruct runtime_instr_cb *riccb;\n\tstruct gs_cb *gscb;\n\n\triccb = (struct runtime_instr_cb *) &kvm_run->s.regs.riccb;\n\tgscb = (struct gs_cb *) &kvm_run->s.regs.gscb;\n\tvcpu->arch.sie_block->gpsw.mask = kvm_run->psw_mask;\n\tvcpu->arch.sie_block->gpsw.addr = kvm_run->psw_addr;\n\tif (kvm_run->kvm_dirty_regs & KVM_SYNC_ARCH0) {\n\t\tvcpu->arch.sie_block->todpr = kvm_run->s.regs.todpr;\n\t\tvcpu->arch.sie_block->pp = kvm_run->s.regs.pp;\n\t\tvcpu->arch.sie_block->gbea = kvm_run->s.regs.gbea;\n\t}\n\tif (kvm_run->kvm_dirty_regs & KVM_SYNC_PFAULT) {\n\t\tvcpu->arch.pfault_token = kvm_run->s.regs.pft;\n\t\tvcpu->arch.pfault_select = kvm_run->s.regs.pfs;\n\t\tvcpu->arch.pfault_compare = kvm_run->s.regs.pfc;\n\t\tif (vcpu->arch.pfault_token == KVM_S390_PFAULT_TOKEN_INVALID)\n\t\t\tkvm_clear_async_pf_completion_queue(vcpu);\n\t}\n\t/*\n\t * If userspace sets the riccb (e.g. after migration) to a valid state,\n\t * we should enable RI here instead of doing the lazy enablement.\n\t */\n\tif ((kvm_run->kvm_dirty_regs & KVM_SYNC_RICCB) &&\n\t test_kvm_facility(vcpu->kvm, 64) &&\n\t riccb->v &&\n\t !(vcpu->arch.sie_block->ecb3 & ECB3_RI)) {\n\t\tVCPU_EVENT(vcpu, 3, \"%s\", \"ENABLE: RI (sync_regs)\");\n\t\tvcpu->arch.sie_block->ecb3 |= ECB3_RI;\n\t}\n\t/*\n\t * If userspace sets the gscb (e.g. 
after migration) to non-zero,\n\t * we should enable GS here instead of doing the lazy enablement.\n\t */\n\tif ((kvm_run->kvm_dirty_regs & KVM_SYNC_GSCB) &&\n\t test_kvm_facility(vcpu->kvm, 133) &&\n\t gscb->gssm &&\n\t !vcpu->arch.gs_enabled) {\n\t\tVCPU_EVENT(vcpu, 3, \"%s\", \"ENABLE: GS (sync_regs)\");\n\t\tvcpu->arch.sie_block->ecb |= ECB_GS;\n\t\tvcpu->arch.sie_block->ecd |= ECD_HOSTREGMGMT;\n\t\tvcpu->arch.gs_enabled = 1;\n\t}\n\tif ((kvm_run->kvm_dirty_regs & KVM_SYNC_BPBC) &&\n\t test_kvm_facility(vcpu->kvm, 82)) {\n\t\tvcpu->arch.sie_block->fpf &= ~FPF_BPBC;\n\t\tvcpu->arch.sie_block->fpf |= kvm_run->s.regs.bpbc ? FPF_BPBC : 0;\n\t}\n\tif (MACHINE_HAS_GS) {\n\t\tpreempt_disable();\n\t\t__ctl_set_bit(2, 4);\n\t\tif (current->thread.gs_cb) {\n\t\t\tvcpu->arch.host_gscb = current->thread.gs_cb;\n\t\t\tsave_gs_cb(vcpu->arch.host_gscb);\n\t\t}\n\t\tif (vcpu->arch.gs_enabled) {\n\t\t\tcurrent->thread.gs_cb = (struct gs_cb *)\n\t\t\t\t\t\t&vcpu->run->s.regs.gscb;\n\t\t\trestore_gs_cb(current->thread.gs_cb);\n\t\t}\n\t\tpreempt_enable();\n\t}\n\t/* SIE will load etoken directly from SDNX and therefore kvm_run */\n}", "project": "linux", "hash": 81121971396793005240118862359739269167, "size": 66, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354682 }, { "func": "static int 
svm_get_nested_state(struct kvm_vcpu *vcpu,\n\t\t\t\tstruct kvm_nested_state __user *user_kvm_nested_state,\n\t\t\t\tu32 user_data_size)\n{\n\tstruct vcpu_svm *svm;\n\tstruct kvm_nested_state kvm_state = {\n\t\t.flags = 0,\n\t\t.format = KVM_STATE_NESTED_FORMAT_SVM,\n\t\t.size = sizeof(kvm_state),\n\t};\n\tstruct vmcb __user *user_vmcb = (struct vmcb __user *)\n\t\t&user_kvm_nested_state->data.svm[0];\n\n\tif (!vcpu)\n\t\treturn kvm_state.size + KVM_STATE_NESTED_SVM_VMCB_SIZE;\n\n\tsvm = to_svm(vcpu);\n\n\tif (user_data_size < kvm_state.size)\n\t\tgoto out;\n\n\t/* First fill in the header and copy it out. */\n\tif (is_guest_mode(vcpu)) {\n\t\tkvm_state.hdr.svm.vmcb_pa = svm->nested.vmcb12_gpa;\n\t\tkvm_state.size += KVM_STATE_NESTED_SVM_VMCB_SIZE;\n\t\tkvm_state.flags |= KVM_STATE_NESTED_GUEST_MODE;\n\n\t\tif (svm->nested.nested_run_pending)\n\t\t\tkvm_state.flags |= KVM_STATE_NESTED_RUN_PENDING;\n\t}\n\n\tif (gif_set(svm))\n\t\tkvm_state.flags |= KVM_STATE_NESTED_GIF_SET;\n\n\tif (copy_to_user(user_kvm_nested_state, &kvm_state, sizeof(kvm_state)))\n\t\treturn -EFAULT;\n\n\tif (!is_guest_mode(vcpu))\n\t\tgoto out;\n\n\t/*\n\t * Copy over the full size of the VMCB rather than just the size\n\t * of the structs.\n\t */\n\tif (clear_user(user_vmcb, KVM_STATE_NESTED_SVM_VMCB_SIZE))\n\t\treturn -EFAULT;\n\tif (copy_to_user(&user_vmcb->control, &svm->nested.ctl,\n\t\t\t sizeof(user_vmcb->control)))\n\t\treturn -EFAULT;\n\tif (copy_to_user(&user_vmcb->save, &svm->nested.hsave->save,\n\t\t\t sizeof(user_vmcb->save)))\n\t\treturn -EFAULT;\n\nout:\n\treturn kvm_state.size;\n}", "project": "linux", "hash": 258295812877421931771533780991313714129, "size": 56, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. 
This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376646 }, { "func": "void kvm_arch_vcpu_postcreate(struct kvm_vcpu *vcpu)\n{\n\tmutex_lock(&vcpu->kvm->lock);\n\tpreempt_disable();\n\tvcpu->arch.sie_block->epoch = vcpu->kvm->arch.epoch;\n\tvcpu->arch.sie_block->epdx = vcpu->kvm->arch.epdx;\n\tpreempt_enable();\n\tmutex_unlock(&vcpu->kvm->lock);\n\tif (!kvm_is_ucontrol(vcpu->kvm)) {\n\t\tvcpu->arch.gmap = vcpu->kvm->arch.gmap;\n\t\tsca_add_vcpu(vcpu);\n\t}\n\tif (test_kvm_facility(vcpu->kvm, 74) || vcpu->kvm->arch.user_instr0)\n\t\tvcpu->arch.sie_block->ictl |= ICTL_OPEREXC;\n\t/* make vcpu_load load the right gmap on the first trigger */\n\tvcpu->arch.enabled_gmap = vcpu->arch.gmap;\n}", "project": "linux", "hash": 101741433154572411890263148316285999734, "size": 17, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354669 }, { "func": 
"static int __init powercap_init(void)\n{\n\tint result;\n\n\tresult = seed_constraint_attributes();\n\tif (result)\n\t\treturn result;\n\n\treturn class_register(&powercap_class);\n}", "project": "linux", "hash": 38690907768415582674392376017102805532, "size": 10, "commit_id": "949dd0104c496fa7c14991a23c03c62e44637e71", "message": "powercap: restrict energy meter to root access\n\nRemove non-privileged user access to power data contained in\n/sys/class/powercap/intel-rapl*/*/energy_uj\n\nNon-privileged users currently have read access to power data and can\nuse this data to form a security attack. Some privileged\ndrivers/applications need read access to this data, but don't expose it\nto non-privileged users.\n\nFor example, thermald uses this data to ensure that power management\nworks correctly. Thus removing non-privileged access is preferred over\ncompletely disabling this power reporting capability with\nCONFIG_INTEL_RAPL=n.\n\nFixes: 95677a9a3847 (\"PowerCap: Fix mode for energy counter\")\n\nSigned-off-by: Len Brown \nCc: stable@vger.kernel.org", "target": 0, "dataset": "other", "idx": 310342 }, { "func": "int user_path_at_empty(int dfd, const char __user *name, unsigned flags,\n\t\t struct path *path, int *empty)\n{\n\treturn filename_lookup(dfd, getname_flags(name, flags, empty),\n\t\t\t flags, path, NULL);\n}", "project": "linux", "hash": 56294185438695878400292955363031515262, "size": 6, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295388 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::handleDirtyAudioSummingJunctions()\n{\n 
ASSERT(isGraphOwner());\n\n for (HashSet::iterator i = m_dirtySummingJunctions.begin(); i != m_dirtySummingJunctions.end(); ++i)\n (*i)->updateRenderingState();\n\n m_dirtySummingJunctions.clear();\n}\n", "cwe": "", "big_vul_idx": 139659, "idx": 124809, "hash": 70309886079262593614750815471514392494 }, { "func": "bool JOIN::setup_subquery_caches()\n{\n DBUG_ENTER(\"JOIN::setup_subquery_caches\");\n\n /*\n We have to check all this condition together because items created in\n one of this clauses can be moved to another one by optimizer\n */\n if (select_lex->expr_cache_may_be_used[IN_WHERE] ||\n select_lex->expr_cache_may_be_used[IN_HAVING] ||\n select_lex->expr_cache_may_be_used[IN_ON] ||\n select_lex->expr_cache_may_be_used[NO_MATTER])\n {\n JOIN_TAB *tab;\n if (conds &&\n !(conds= conds->transform(thd, &Item::expr_cache_insert_transformer,\n NULL)))\n DBUG_RETURN(TRUE);\n for (tab= first_linear_tab(this, WITH_BUSH_ROOTS, WITHOUT_CONST_TABLES);\n tab; tab= next_linear_tab(this, tab, WITH_BUSH_ROOTS))\n {\n if (tab->select_cond &&\n !(tab->select_cond=\n tab->select_cond->transform(thd,\n &Item::expr_cache_insert_transformer,\n NULL)))\n\tDBUG_RETURN(TRUE);\n if (tab->cache_select && tab->cache_select->cond)\n if (!(tab->cache_select->cond=\n tab->cache_select->\n cond->transform(thd, &Item::expr_cache_insert_transformer,\n NULL)))\n DBUG_RETURN(TRUE);\n }\n\n if (having &&\n !(having= having->transform(thd,\n &Item::expr_cache_insert_transformer,\n NULL)))\n DBUG_RETURN(TRUE);\n\n if (tmp_having)\n {\n DBUG_ASSERT(having == NULL);\n if (!(tmp_having=\n tmp_having->transform(thd,\n &Item::expr_cache_insert_transformer,\n NULL)))\n\tDBUG_RETURN(TRUE);\n }\n }\n if (select_lex->expr_cache_may_be_used[SELECT_LIST] ||\n select_lex->expr_cache_may_be_used[IN_GROUP_BY] ||\n select_lex->expr_cache_may_be_used[NO_MATTER])\n {\n List_iterator li(all_fields);\n Item *item;\n while ((item= li++))\n {\n Item *new_item;\n if (!(new_item=\n item->transform(thd, 
&Item::expr_cache_insert_transformer,\n NULL)))\n DBUG_RETURN(TRUE);\n if (new_item != item)\n {\n thd->change_item_tree(li.ref(), new_item);\n }\n }\n for (ORDER *tmp_group= group_list; tmp_group ; tmp_group= tmp_group->next)\n {\n if (!(*tmp_group->item=\n (*tmp_group->item)->transform(thd,\n &Item::expr_cache_insert_transformer,\n NULL)))\n DBUG_RETURN(TRUE);\n }\n }\n if (select_lex->expr_cache_may_be_used[NO_MATTER])\n {\n for (ORDER *ord= order; ord; ord= ord->next)\n {\n if (!(*ord->item=\n (*ord->item)->transform(thd,\n &Item::expr_cache_insert_transformer,\n NULL)))\n\tDBUG_RETURN(TRUE);\n }\n }\n DBUG_RETURN(FALSE);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 338691274093680825252973414889847891936, "size": 91, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508634 }, { "func": "static inline void init_freelist_randomization(void) { }", "project": "linux", "hash": 161416851726907431949805907403205639839, "size": 1, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280058 }, { "func": "static void __init init_freelist_randomization(void)\n{\n\tstruct kmem_cache *s;\n\n\tmutex_lock(&slab_mutex);\n\n\tlist_for_each_entry(s, &slab_caches, list)\n\t\tinit_cache_random_seq(s);\n\n\tmutex_unlock(&slab_mutex);\n}", "project": "linux", "hash": 322506689382810817769272591403827566190, "size": 11, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280081 }, { "func": "static Header headerCreate(void *blob, int32_t indexLen)\n{\n Header h = xcalloc(1, sizeof(*h));\n if (blob) {\n\th->blob = blob;\n\th->indexAlloced = indexLen + 1;\n\th->indexUsed = indexLen;\n } else {\n\th->indexAlloced = INDEX_MALLOC_SIZE;\n\th->indexUsed = 0;\n }\n h->instance = 0;\n h->sorted = 0;\n h->index = xcalloc(h->indexAlloced, sizeof(*h->index));\n\n h->nrefs = 0;\n return headerLink(h);\n}", "project": "rpm", "hash": 292508672864857619256646325294745427254, "size": 18, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318185 }, { "func": "static int geteol(FILE *sfd, char *tokbuf) {\n char *pt=tokbuf, *end = tokbuf+2000-2; int ch;\n\n while ( isspace(ch = nlgetc(sfd)) && ch!='\\r' && ch!='\\n' );\n while ( ch!='\\n' && ch!='\\r' && ch!=EOF ) {\n\tif ( ptfontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417749 }, { "func": "static int resize_buffer_duplicate_size(struct trace_buffer *trace_buf,\n\t\t\t\t\tstruct trace_buffer *size_buf, int cpu_id)\n{\n\tint cpu, ret = 0;\n\n\tif (cpu_id == RING_BUFFER_ALL_CPUS) {\n\t\tfor_each_tracing_cpu(cpu) {\n\t\t\tret = ring_buffer_resize(trace_buf->buffer,\n\t\t\t\t per_cpu_ptr(size_buf->data, cpu)->entries, cpu);\n\t\t\tif (ret < 
0)\n\t\t\t\tbreak;\n\t\t\tper_cpu_ptr(trace_buf->data, cpu)->entries =\n\t\t\t\tper_cpu_ptr(size_buf->data, cpu)->entries;\n\t\t}\n\t} else {\n\t\tret = ring_buffer_resize(trace_buf->buffer,\n\t\t\t\t per_cpu_ptr(size_buf->data, cpu_id)->entries, cpu_id);\n\t\tif (ret == 0)\n\t\t\tper_cpu_ptr(trace_buf->data, cpu_id)->entries =\n\t\t\t\tper_cpu_ptr(size_buf->data, cpu_id)->entries;\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 282774662180757348783956278438700283482, "size": 24, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445627 }, { "func": "static void autocomplete_mount_point (RLineCompletion *completion, RCore *core, const char *path) {\n\tRFSRoot *r;\n\tRListIter *iter;\n\tr_list_foreach (core->fs->roots, iter, r) {\n\t\tchar *base = strdup (r->path);\n\t\tchar *ls = (char *) r_str_lchr (base, '/');\n\t\tif (ls) {\n\t\t\tls++;\n\t\t\t*ls = 0;\n\t\t}\n\t\tif (!strcmp (path, base)) {\n\t\t\tr_line_completion_push (completion, r->path);\n\t\t}\n\t\tfree (base);\n\t}\n}", "project": "radare2", "hash": 291369370763180612300627096337600578099, "size": 16, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232158 }, { 
"func": "static inline u64 hash_name(const void *salt, const char *name)\n{\n\tunsigned long a = 0, b, x = 0, y = (unsigned long)salt;\n\tunsigned long adata, bdata, mask, len;\n\tconst struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;\n\n\tlen = 0;\n\tgoto inside;\n\n\tdo {\n\t\tHASH_MIX(x, y, a);\n\t\tlen += sizeof(unsigned long);\ninside:\n\t\ta = load_unaligned_zeropad(name+len);\n\t\tb = a ^ REPEAT_BYTE('/');\n\t} while (!(has_zero(a, &adata, &constants) | has_zero(b, &bdata, &constants)));\n\n\tadata = prep_zero_mask(a, adata, &constants);\n\tbdata = prep_zero_mask(b, bdata, &constants);\n\tmask = create_zero_mask(adata | bdata);\n\tx ^= a & zero_bytemask(mask);\n\n\treturn hashlen_create(fold_hash(x, y), len + find_zero(mask));\n}", "project": "linux", "hash": 259478729851855301045425209638899467250, "size": 24, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295399 }, { "func": "static inline u64 hash_name(const void *salt, const char *name)\n{\n\tunsigned long hash = init_name_hash(salt);\n\tunsigned long len = 0, c;\n\n\tc = (unsigned char)*name;\n\tdo {\n\t\tlen++;\n\t\thash = partial_name_hash(c, hash);\n\t\tc = (unsigned char)name[len];\n\t} while (c && c != '/');\n\treturn hashlen_create(end_name_hash(hash), len);\n}", "project": "linux", "hash": 158360160220167560618047491565052139227, "size": 13, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular 
files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295443 }, { "func": "set CClient::MatchChans(const CString& sPatterns) const {\n VCString vsPatterns;\n sPatterns.Replace_n(\",\", \" \")\n .Split(\" \", vsPatterns, false, \"\", \"\", true, true);\n\n set sChans;\n for (const CString& sPattern : vsPatterns) {\n vector vChans = m_pNetwork->FindChans(sPattern);\n sChans.insert(vChans.begin(), vChans.end());\n }\n return sChans;\n}", "project": "znc", "hash": 267917219290303061943192041541375507133, "size": 12, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231596 }, { "func": "void PCRECache::DestroyStatic(StaticCache* cache) {\n // We delete uncounted keys while iterating the cache, which is OK for\n // AtomicHashArray, but not OK for other containers, such as\n // std::unordered_map. If you change the cache type make sure that property\n // holds or fix this function.\n static_assert(std::is_same>::value,\n \"StaticCache must be an AtomicHashArray or this destructor is wrong.\");\n for (auto& it : *cache) {\n if (it.first->isUncounted()) {\n StringData::ReleaseUncounted(it.first);\n }\n delete it.second;\n }\n StaticCache::destroy(cache);\n}", "project": "hhvm", "hash": 65475141233780004773921279531709857250, "size": 17, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219789 }, { "func": "int RGWPostObj_ObjStore_S3::complete_get_params()\n{\n bool done;\n do {\n struct post_form_part part;\n int r = read_form_part_header(&part, done);\n if (r < 0) {\n return r;\n }\n\n ceph::bufferlist part_data;\n bool boundary;\n uint64_t chunk_size = s->cct->_conf->rgw_max_chunk_size;\n r = read_data(part.data, chunk_size, boundary, done);\n if (r < 0 || !boundary) {\n return -EINVAL;\n }\n\n /* Just reading the data 
but not storing any results of that. */\n } while (!done);\n\n return 0;\n}", "project": "ceph", "hash": 758374819401984302926742313237230594, "size": 23, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281349 }, { "func": "static void trace_flushroot(jit_State *J, GCtrace *T)\n{\n GCproto *pt = &gcref(T->startpt)->pt;\n lua_assert(T->root == 0 && pt != NULL);\n /* First unpatch any modified bytecode. */\n trace_unpatch(J, T);\n /* Unlink root trace from chain anchored in prototype. */\n if (pt->trace == T->traceno) { /* Trace is first in chain. Easy. */\n pt->trace = T->nextroot;\n } else if (pt->trace) { /* Otherwise search in chain of root traces. */\n GCtrace *T2 = traceref(J, pt->trace);\n if (T2) {\n for (; T2->nextroot; T2 = traceref(J, T2->nextroot))\n\tif (T2->nextroot == T->traceno) {\n\t T2->nextroot = T->nextroot; /* Unlink from chain. 
*/\n\t break;\n\t}\n }\n }\n}", "project": "LuaJIT", "hash": 144808102785577018879504784080023315922, "size": 20, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394631 }, { "func": "static int oidc_handle_unauthenticated_user(request_rec *r, oidc_cfg *c) {\n\n\t/* see if we've configured OIDCUnAuthAction for this path */\n\tswitch (oidc_dir_cfg_unauth_action(r)) {\n\tcase OIDC_UNAUTH_RETURN410:\n\t\treturn HTTP_GONE;\n\tcase OIDC_UNAUTH_RETURN407:\n\t\treturn HTTP_PROXY_AUTHENTICATION_REQUIRED;\n\tcase OIDC_UNAUTH_RETURN401:\n\t\treturn HTTP_UNAUTHORIZED;\n\tcase OIDC_UNAUTH_PASS:\n\t\tr->user = \"\";\n\n\t\t/*\n\t\t * we're not going to pass information about an authenticated user to the application,\n\t\t * but we do need to scrub the headers that mod_auth_openidc would set for security reasons\n\t\t */\n\t\toidc_scrub_headers(r);\n\n\t\treturn OK;\n\n\tcase OIDC_UNAUTH_AUTHENTICATE:\n\n\t\t/*\n\t\t * exception handling: if this looks like a XMLHttpRequest call we\n\t\t * won't redirect the user and thus avoid creating a state cookie\n\t\t * for a non-browser (= Javascript) call that will never return from the OP\n\t\t */\n\t\tif ((oidc_dir_cfg_unauth_expr_is_set(r) == FALSE)\n\t\t\t\t&& (oidc_is_xml_http_request(r) == TRUE))\n\t\t\treturn HTTP_UNAUTHORIZED;\n\t}\n\n\t/*\n\t * else: no session (regardless of whether it is main or sub-request),\n\t * and we need to authenticate the user\n\t */\n\treturn oidc_authenticate_user(r, c, NULL, oidc_get_current_url(r), NULL,\n\t\t\tNULL, NULL, oidc_dir_cfg_path_auth_request_params(r),\n\t\t\toidc_dir_cfg_path_scope(r));\n}", "project": "mod_auth_openidc", "hash": 18162468609399362753786312601337331580, "size": 41, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks 
@oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381957 }, { "func": "static int oidc_handle_unauthenticated_user(request_rec *r, oidc_cfg *c) {\n\n\t/* see if we've configured OIDCUnAuthAction for this path */\n\tswitch (oidc_dir_cfg_unauth_action(r)) {\n\tcase OIDC_UNAUTH_RETURN410:\n\t\treturn HTTP_GONE;\n\tcase OIDC_UNAUTH_RETURN401:\n\t\treturn HTTP_UNAUTHORIZED;\n\tcase OIDC_UNAUTH_PASS:\n\t\tr->user = \"\";\n\n\t\t/*\n\t\t * we're not going to pass information about an authenticated user to the application,\n\t\t * but we do need to scrub the headers that mod_auth_openidc would set for security reasons\n\t\t */\n\t\toidc_scrub_headers(r);\n\n\t\treturn OK;\n\n\tcase OIDC_UNAUTH_AUTHENTICATE:\n\n\t\t/*\n\t\t * exception handling: if this looks like a XMLHttpRequest call we\n\t\t * won't redirect the user and thus avoid creating a state cookie\n\t\t * for a non-browser (= Javascript) call that will never return from the OP\n\t\t */\n\t\tif (oidc_is_xml_http_request(r) == TRUE)\n\t\t\treturn HTTP_UNAUTHORIZED;\n\t}\n\n\t/*\n\t * else: no session (regardless of whether it is main or sub-request),\n\t * and we need to authenticate the user\n\t */\n\treturn oidc_authenticate_user(r, c, NULL, oidc_get_current_url(r), NULL,\n\t\t\tNULL, NULL, oidc_dir_cfg_path_auth_request_params(r),\n\t\t\toidc_dir_cfg_path_scope(r));\n}", "project": "mod_auth_openidc", "hash": 296266240228399625658447643249307268006, "size": 38, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447681 }, { "func": "static void trace_printk_start_stop_comm(int enabled)\n{\n\tif (!buffers_allocated)\n\t\treturn;\n\n\tif (enabled)\n\t\ttracing_start_cmdline_record();\n\telse\n\t\ttracing_stop_cmdline_record();\n}", "project": "linux", "hash": 74989684561399630102619609028918770378, "size": 10, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", 
"message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445761 }, { "func": "static inline int tcp_fin_time(const struct sock *sk)\n{\n\tint fin_timeout = tcp_sk(sk)->linger2 ? : sock_net(sk)->ipv4.sysctl_tcp_fin_timeout;\n\tconst int rto = inet_csk(sk)->icsk_rto;\n\n\tif (fin_timeout < (rto << 2) - (rto >> 1))\n\t\tfin_timeout = (rto << 2) - (rto >> 1);\n\n\treturn fin_timeout;\n}", "project": "linux", "hash": 74447594894468816747152105125751826078, "size": 10, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. 
For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410750 }, { "func": "static void nfs_state_set_delegation(struct nfs4_state *state,\n\t\tconst nfs4_stateid *deleg_stateid,\n\t\tfmode_t fmode)\n{\n\t/*\n\t * Protect the call to nfs4_state_set_mode_locked and\n\t * serialise the stateid update\n\t */\n\twrite_seqlock(&state->seqlock);\n\tnfs4_stateid_copy(&state->stateid, deleg_stateid);\n\tset_bit(NFS_DELEGATED_STATE, &state->flags);\n\twrite_sequnlock(&state->seqlock);\n}", "project": "linux", "hash": 165901412451342052220431936415242149747, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431309 }, { "func": "void JOIN::exec()\n{\n DBUG_EXECUTE_IF(\"show_explain_probe_join_exec_start\", \n if (dbug_user_var_equals_int(thd, \n \"show_explain_probe_select_id\", \n select_lex->select_number))\n dbug_serve_apcs(thd, 1);\n );\n ANALYZE_START_TRACKING(&explain->time_tracker);\n exec_inner();\n ANALYZE_STOP_TRACKING(&explain->time_tracker);\n\n 
DBUG_EXECUTE_IF(\"show_explain_probe_join_exec_end\", \n if (dbug_user_var_equals_int(thd, \n \"show_explain_probe_select_id\", \n select_lex->select_number))\n dbug_serve_apcs(thd, 1);\n );\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 59230385444162662382088488490378928658, "size": 19, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508641 }, { "func": "SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)\n{\n\treturn ksys_unshare(unshare_flags);\n}", "project": "linux", "hash": 37817809252192003675571064311224920415, "size": 4, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293674 }, { "func": "int ksys_unshare(unsigned long unshare_flags)\n{\n\tstruct fs_struct *fs, *new_fs = NULL;\n\tstruct files_struct *fd, *new_fd = NULL;\n\tstruct cred *new_cred = NULL;\n\tstruct nsproxy *new_nsproxy = NULL;\n\tint do_sysvsem = 0;\n\tint err;\n\n\t/*\n\t * If unsharing a user namespace must also unshare the thread group\n\t * and unshare the filesystem root and working directories.\n\t */\n\tif (unshare_flags & CLONE_NEWUSER)\n\t\tunshare_flags |= CLONE_THREAD | CLONE_FS;\n\t/*\n\t * If unsharing vm, must also unshare signal handlers.\n\t */\n\tif (unshare_flags & CLONE_VM)\n\t\tunshare_flags |= CLONE_SIGHAND;\n\t/*\n\t * If unsharing a signal handlers, must also unshare the signal queues.\n\t */\n\tif (unshare_flags & CLONE_SIGHAND)\n\t\tunshare_flags |= CLONE_THREAD;\n\t/*\n\t * If unsharing namespace, must also unshare filesystem information.\n\t */\n\tif (unshare_flags & CLONE_NEWNS)\n\t\tunshare_flags |= CLONE_FS;\n\n\terr = check_unshare_flags(unshare_flags);\n\tif (err)\n\t\tgoto bad_unshare_out;\n\t/*\n\t * CLONE_NEWIPC must also detach from the undolist: after switching\n\t * to a new ipc namespace, 
the semaphore arrays from the old\n\t * namespace are unreachable.\n\t */\n\tif (unshare_flags & (CLONE_NEWIPC|CLONE_SYSVSEM))\n\t\tdo_sysvsem = 1;\n\terr = unshare_fs(unshare_flags, &new_fs);\n\tif (err)\n\t\tgoto bad_unshare_out;\n\terr = unshare_fd(unshare_flags, NR_OPEN_MAX, &new_fd);\n\tif (err)\n\t\tgoto bad_unshare_cleanup_fs;\n\terr = unshare_userns(unshare_flags, &new_cred);\n\tif (err)\n\t\tgoto bad_unshare_cleanup_fd;\n\terr = unshare_nsproxy_namespaces(unshare_flags, &new_nsproxy,\n\t\t\t\t\t new_cred, new_fs);\n\tif (err)\n\t\tgoto bad_unshare_cleanup_cred;\n\n\tif (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {\n\t\tif (do_sysvsem) {\n\t\t\t/*\n\t\t\t * CLONE_SYSVSEM is equivalent to sys_exit().\n\t\t\t */\n\t\t\texit_sem(current);\n\t\t}\n\t\tif (unshare_flags & CLONE_NEWIPC) {\n\t\t\t/* Orphan segments in old ns (see sem above). */\n\t\t\texit_shm(current);\n\t\t\tshm_init_task(current);\n\t\t}\n\n\t\tif (new_nsproxy)\n\t\t\tswitch_task_namespaces(current, new_nsproxy);\n\n\t\ttask_lock(current);\n\n\t\tif (new_fs) {\n\t\t\tfs = current->fs;\n\t\t\tspin_lock(&fs->lock);\n\t\t\tcurrent->fs = new_fs;\n\t\t\tif (--fs->users)\n\t\t\t\tnew_fs = NULL;\n\t\t\telse\n\t\t\t\tnew_fs = fs;\n\t\t\tspin_unlock(&fs->lock);\n\t\t}\n\n\t\tif (new_fd) {\n\t\t\tfd = current->files;\n\t\t\tcurrent->files = new_fd;\n\t\t\tnew_fd = fd;\n\t\t}\n\n\t\ttask_unlock(current);\n\n\t\tif (new_cred) {\n\t\t\t/* Install the new user namespace */\n\t\t\tcommit_creds(new_cred);\n\t\t\tnew_cred = NULL;\n\t\t}\n\t}\n\n\tperf_event_namespaces(current);\n\nbad_unshare_cleanup_cred:\n\tif (new_cred)\n\t\tput_cred(new_cred);\nbad_unshare_cleanup_fd:\n\tif (new_fd)\n\t\tput_files_struct(new_fd);\n\nbad_unshare_cleanup_fs:\n\tif (new_fs)\n\t\tfree_fs_struct(new_fs);\n\nbad_unshare_out:\n\treturn err;\n}", "project": "linux", "hash": 14034063557080867071513620400730402019, "size": 115, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix 
copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293701 }, { "func": "int mnt_context_find_umount_fs(struct libmnt_context *cxt,\n\t\t\t const char *tgt,\n\t\t\t struct libmnt_fs **pfs)\n{\n\tif (pfs)\n\t\t*pfs = NULL;\n\n\tif (!cxt || !tgt || !pfs)\n\t\treturn -EINVAL;\n\n\tDBG(CXT, ul_debugobj(cxt, \"umount: lookup FS for '%s'\", tgt));\n\n\tif (!*tgt)\n\t\treturn 1; /* empty string is not an error */\n\n\t/* In future this function should be extended to support for example\n\t * fsinfo() (or another cheap way kernel will support), for now the\n\t * default is expensive mountinfo/mtab.\n\t */\n\treturn __mtab_find_umount_fs(cxt, tgt, pfs);\n}", "project": "util-linux", "hash": 317113861792808335048873629485651917095, "size": 21, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410431 }, { "func": "static int copyI18NEntry(Header h, indexEntry entry, rpmtd td, \n\t\t\t\t\t\theaderGetFlags flags)\n{\n const char *lang, *l, *le;\n indexEntry table;\n\n td->type = RPM_STRING_TYPE;\n td->count = 1;\n /* if no match, just return the first string */\n td->data = entry->data;\n\n /* XXX Drepper sez' this is the order. 
*/\n if ((lang = getenv(\"LANGUAGE\")) == NULL &&\n\t(lang = getenv(\"LC_ALL\")) == NULL &&\n\t(lang = getenv(\"LC_MESSAGES\")) == NULL &&\n\t(lang = getenv(\"LANG\")) == NULL)\n\t goto exit;\n \n if ((table = findEntry(h, RPMTAG_HEADERI18NTABLE, RPM_STRING_ARRAY_TYPE)) == NULL)\n\tgoto exit;\n\n for (l = lang; *l != '\\0'; l = le) {\n\tconst char *t;\n\tchar *ed, *ed_weak = NULL;\n\tint langNum;\n\n\twhile (*l && *l == ':')\t\t\t/* skip leading colons */\n\t l++;\n\tif (*l == '\\0')\n\t break;\n\tfor (le = l; *le && *le != ':'; le++)\t/* find end of this locale */\n\t {};\n\n\t/* For each entry in the header ... */\n\tfor (langNum = 0, t = table->data, ed = entry->data;\n\t langNum < entry->info.count;\n\t langNum++, t += strlen(t) + 1, ed += strlen(ed) + 1) {\n\n\t int match = headerMatchLocale(t, l, le);\n\t if (match == 1) {\n\t\ttd->data = ed;\n\t\tgoto exit;\n\t } else if (match == 2) { \n\t\ted_weak = ed;\n\t }\n\t}\n\tif (ed_weak) {\n\t td->data = ed_weak;\n\t goto exit;\n\t}\n }\n\nexit:\n if (flags & HEADERGET_ALLOC) {\n\ttd->data = xstrdup(td->data);\n\ttd->flags |= RPMTD_ALLOCED;\n }\n\n return 1;\n}", "project": "rpm", "hash": 97026684631474962197656566729045586270, "size": 60, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318155 }, { "func": "void CSoundFile::PortamentoUp(CHANNELINDEX nChn, ModCommand::PARAM param, const bool doFinePortamentoAsRegular)\n{\n\tModChannel *pChn = &m_PlayState.Chn[nChn];\n\n\tif(param)\n\t{\n\t\t// FT2 compatibility: Separate effect memory for all portamento commands\n\t\t// Test case: Porta-LinkMem.xm\n\t\tif(!m_playBehaviour[kFT2PortaUpDownMemory])\n\t\t\tpChn->nOldPortaDown = param;\n\t\tpChn->nOldPortaUp = param;\n\t} else\n\t{\n\t\tparam = pChn->nOldPortaUp;\n\t}\n\n\tconst bool doFineSlides = !doFinePortamentoAsRegular && 
!(GetType() & (MOD_TYPE_MOD | MOD_TYPE_XM | MOD_TYPE_MT2 | MOD_TYPE_MED | MOD_TYPE_AMF0 | MOD_TYPE_DIGI | MOD_TYPE_STP | MOD_TYPE_DTM));\n\n\t// Process MIDI pitch bend for instrument plugins\n\tMidiPortamento(nChn, param, doFineSlides);\n\n\tif(GetType() == MOD_TYPE_MPT && pChn->pModInstrument && pChn->pModInstrument->pTuning)\n\t{\n\t\t// Portamento for instruments with custom tuning\n\t\tif(param >= 0xF0 && !doFinePortamentoAsRegular)\n\t\t\tPortamentoFineMPT(pChn, param - 0xF0);\n\t\telse if(param >= 0xE0 && !doFinePortamentoAsRegular)\n\t\t\tPortamentoExtraFineMPT(pChn, param - 0xE0);\n\t\telse\n\t\t\tPortamentoMPT(pChn, param);\n\t\treturn;\n\t} else if(GetType() == MOD_TYPE_PLM)\n\t{\n\t\t// A normal portamento up or down makes a follow-up tone portamento go the same direction.\n\t\tpChn->nPortamentoDest = 1;\n\t}\n\n\tif (doFineSlides && param >= 0xE0)\n\t{\n\t\tif (param & 0x0F)\n\t\t{\n\t\t\tif ((param & 0xF0) == 0xF0)\n\t\t\t{\n\t\t\t\tFinePortamentoUp(pChn, param & 0x0F);\n\t\t\t\treturn;\n\t\t\t} else if ((param & 0xF0) == 0xE0 && GetType() != MOD_TYPE_DBM)\n\t\t\t{\n\t\t\t\tExtraFinePortamentoUp(pChn, param & 0x0F);\n\t\t\t\treturn;\n\t\t\t}\n\t\t}\n\t\tif(GetType() != MOD_TYPE_DBM)\n\t\t{\n\t\t\t// DBM only has fine slides, no extra-fine slides.\n\t\t\treturn;\n\t\t}\n\t}\n\t// Regular Slide\n\tif(!pChn->isFirstTick || (m_PlayState.m_nMusicSpeed == 1 && m_playBehaviour[kSlidesAtSpeed1]) || GetType() == MOD_TYPE_669)\n\t{\n\t\tDoFreqSlide(pChn, -int(param) * 4);\n\t}\n}", "project": "openmpt", "hash": 115472101345372300304122768238627219943, "size": 63, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 
255186 }, { "func": "static int nfs4_open_reclaim(struct nfs4_state_owner *sp, struct nfs4_state *state)\n{\n\tstruct nfs_open_context *ctx;\n\tint ret;\n\n\tctx = nfs4_state_find_open_context(state);\n\tif (IS_ERR(ctx))\n\t\treturn -EAGAIN;\n\tclear_bit(NFS_DELEGATED_STATE, &state->flags);\n\tnfs_state_clear_open_state_flags(state);\n\tret = nfs4_do_open_reclaim(ctx, state);\n\tput_nfs_open_context(ctx);\n\treturn ret;\n}", "project": "linux", "hash": 135446999264662210794663328258103768280, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431288 }, { "func": "void kvm_flush_remote_tlbs(struct kvm *kvm)\n{\n\t/*\n\t * Read tlbs_dirty before setting KVM_REQ_TLB_FLUSH in\n\t * kvm_make_all_cpus_request.\n\t */\n\tlong dirty_count = smp_load_acquire(&kvm->tlbs_dirty);\n\n\t/*\n\t * We want to publish modifications to the page tables before reading\n\t * mode. Pairs with a memory barrier in arch-specific code.\n\t * - x86: smp_mb__after_srcu_read_unlock in vcpu_enter_guest\n\t * and smp_mb in walk_shadow_page_lockless_begin/end.\n\t * - powerpc: smp_mb in kvmppc_prepare_to_enter.\n\t *\n\t * There is already an smp_mb__after_atomic() before\n\t * kvm_make_all_cpus_request() reads vcpu->mode. 
We reuse that\n\t * barrier here.\n\t */\n\tif (!kvm_arch_flush_remote_tlb(kvm)\n\t || kvm_make_all_cpus_request(kvm, KVM_REQ_TLB_FLUSH))\n\t\t++kvm->stat.remote_tlb_flush;\n\tcmpxchg(&kvm->tlbs_dirty, dirty_count, 0);\n}", "project": "linux", "hash": 264562613130814209031066247905120295543, "size": 24, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354480 }, { "func": "static int kvm_s390_set_tod_high(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tu8 gtod_high;\n\n\tif (copy_from_user(&gtod_high, (void __user *)attr->addr,\n\t\t\t\t\t sizeof(gtod_high)))\n\t\treturn -EFAULT;\n\n\tif (gtod_high != 0)\n\t\treturn -EINVAL;\n\tVM_EVENT(kvm, 3, \"SET: TOD extension: 0x%x\", gtod_high);\n\n\treturn 0;\n}", "project": "linux", "hash": 198613068508325623064426897698063873304, "size": 14, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu 
\nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354823 }, { "func": "VCString CWebSock::GetDirs(CModule* pModule, bool bIsTemplate) {\n CString sHomeSkinsDir(CZNC::Get().GetZNCPath() + \"/webskins/\");\n CString sSkinName(GetSkinName());\n VCString vsResult;\n\n // Module specific paths\n\n if (pModule) {\n const CString& sModName(pModule->GetModName());\n\n // 1. ~/.znc/webskins//mods//\n //\n if (!sSkinName.empty()) {\n vsResult.push_back(GetSkinPath(sSkinName) + \"/mods/\" + sModName +\n \"/\");\n }\n\n // 2. ~/.znc/webskins/_default_/mods//\n //\n vsResult.push_back(GetSkinPath(\"_default_\") + \"/mods/\" + sModName +\n \"/\");\n\n // 3. ./modules//tmpl/\n //\n vsResult.push_back(pModule->GetModDataDir() + \"/tmpl/\");\n\n // 4. ~/.znc/webskins//mods//\n //\n if (!sSkinName.empty()) {\n vsResult.push_back(GetSkinPath(sSkinName) + \"/mods/\" + sModName +\n \"/\");\n }\n\n // 5. ~/.znc/webskins/_default_/mods//\n //\n vsResult.push_back(GetSkinPath(\"_default_\") + \"/mods/\" + sModName +\n \"/\");\n }\n\n // 6. ~/.znc/webskins//\n //\n if (!sSkinName.empty()) {\n vsResult.push_back(GetSkinPath(sSkinName) +\n CString(bIsTemplate ? \"/tmpl/\" : \"/\"));\n }\n\n // 7. ~/.znc/webskins/_default_/\n //\n vsResult.push_back(GetSkinPath(\"_default_\") +\n CString(bIsTemplate ? 
\"/tmpl/\" : \"/\"));\n\n return vsResult;\n}", "project": "znc", "hash": 222012766692092478573633687477492761256, "size": 53, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265782 }, { "func": "\treturn err;\n}\n\nstatic int iscsi_del_flashnode(struct iscsi_transport *transport,\n\t\t\t struct iscsi_uevent *ev)\n{\n\tstruct Scsi_Host *shost;\n\tstruct iscsi_bus_flash_session *fnode_sess;\n\tuint32_t idx;\n\tint err = 0;\n\n\tif (!transport->del_flashnode) {\n\t\terr = -ENOSYS;\n\t\tgoto exit_del_fnode;\n\t}\n\n\tshost = scsi_host_lookup(ev->u.del_flashnode.host_no);\n\tif (!shost) {\n\t\tpr_err(\"%s could not find host no %u\\n\",\n\t\t __func__, ev->u.del_flashnode.host_no);\n\t\terr = -ENODEV;\n\t\tgoto put_host;\n\t}\n\n\tidx = ev->u.del_flashnode.flashnode_idx;\n\tfnode_sess = iscsi_get_flashnode_by_index(shost, idx);\n\tif (!fnode_sess) {\n\t\tpr_err(\"%s could not find flashnode %u for host no %u\\n\",\n\t\t __func__, idx, ev->u.del_flashnode.host_no);\n\t\terr = -ENODEV;\n\t\tgoto put_host;\n\t}\n\n\terr = transport->del_flashnode(fnode_sess);\n\tput_device(&fnode_sess->dev);\n\nput_host:\n\tscsi_host_put(shost);\n", "project": "linux", "hash": 117493778595905123654846281000258662938, "size": 39, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379933 }, { "func": "gin::Handle WebContents::From(v8::Isolate* isolate,\n content::WebContents* web_contents) {\n auto* existing = TrackableObject::FromWrappedClass(isolate, web_contents);\n if (existing)\n return gin::CreateHandle(isolate, static_cast(existing));\n else\n return gin::Handle();\n}", "project": "electron", "hash": 48116198513649562454110580447742825867, "size": 8, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269772 }, { "func": "void imap_get_parent(const char *mbox, char delim, char *buf, size_t buflen)\n{\n /* Make a copy of the mailbox name, but only if the pointers are different */\n if (mbox != buf)\n mutt_str_copy(buf, mbox, buflen);\n\n int n = mutt_str_len(buf);\n\n /* Let's go backwards until the next delimiter\n *\n * If buf[n] is a '/', the first n-- will allow us\n * to ignore it. If it isn't, then buf looks like\n * \"/aaaaa/bbbb\". There is at least one \"b\", so we can't skip\n * the \"/\" after the 'a's.\n *\n * If buf == '/', then n-- => n == 0, so the loop ends\n * immediately */\n for (n--; (n >= 0) && (buf[n] != delim); n--)\n ; // do nothing\n\n /* We stopped before the beginning. There is a trailing slash. */\n if (n > 0)\n {\n /* Strip the trailing delimiter. */\n buf[n] = '\\0';\n }\n else\n {\n buf[0] = (n == 0) ? 
delim : '\\0';\n }\n}", "project": "neomutt", "hash": 143020363752894995007010912368883203341, "size": 31, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399265 }, { "func": "void LanLinkProvider::configureSslSocket(QSslSocket* socket, const QString& deviceId, bool isDeviceTrusted)\n{\n // Setting supported ciphers manually, to match those on Android (FIXME: Test if this can be left unconfigured and still works for Android 4)\n QList socketCiphers;\n socketCiphers.append(QSslCipher(QStringLiteral(\"ECDHE-ECDSA-AES256-GCM-SHA384\")));\n socketCiphers.append(QSslCipher(QStringLiteral(\"ECDHE-ECDSA-AES128-GCM-SHA256\")));\n socketCiphers.append(QSslCipher(QStringLiteral(\"ECDHE-RSA-AES128-SHA\")));\n\n // Configure for ssl\n QSslConfiguration sslConfig;\n sslConfig.setCiphers(socketCiphers);\n sslConfig.setLocalCertificate(KdeConnectConfig::instance().certificate());\n\n QFile privateKeyFile(KdeConnectConfig::instance().privateKeyPath());\n QSslKey privateKey;\n if (privateKeyFile.open(QIODevice::ReadOnly)) {\n privateKey = QSslKey(privateKeyFile.readAll(), QSsl::Rsa);\n }\n privateKeyFile.close();\n sslConfig.setPrivateKey(privateKey);\n\n if (isDeviceTrusted) {\n QString certString = KdeConnectConfig::instance().getDeviceProperty(deviceId, QStringLiteral(\"certificate\"), QString());\n sslConfig.setCaCertificates({QSslCertificate(certString.toLatin1())});\n sslConfig.setPeerVerifyMode(QSslSocket::VerifyPeer);\n } else {\n sslConfig.setPeerVerifyMode(QSslSocket::QueryPeer);\n }\n socket->setSslConfiguration(sslConfig);\n socket->setPeerVerifyName(deviceId);\n\n\n //Usually SSL errors are 
only bad for trusted devices. Uncomment this section to log errors in any case, for debugging.\n //QObject::connect(socket, static_cast&)>(&QSslSocket::sslErrors), [](const QList& errors)\n //{\n // Q_FOREACH (const QSslError& error, errors) {\n // qCDebug(KDECONNECT_CORE) << \"SSL Error:\" << error.errorString();\n // }\n //});\n}", "project": "kdeconnect-kde", "hash": 278240168630685018233963162060301886604, "size": 40, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227369 }, { "func": "bool checkreturn pb_make_string_substream(pb_istream_t *stream, pb_istream_t *substream)\n{\n uint32_t size;\n if (!pb_decode_varint32(stream, &size))\n return false;\n \n *substream = *stream;\n if (substream->bytes_left < size)\n PB_RETURN_ERROR(stream, \"parent stream too short\");\n \n substream->bytes_left = size;\n stream->bytes_left -= size;\n return true;\n}", "project": "nanopb", "hash": 335270963344981364468173969062582596710, "size": 14, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252490 }, { "func": "static int ca8210_remove(struct spi_device *spi_device)\n{\n\tstruct ca8210_priv *priv;\n\tstruct ca8210_platform_data *pdata;\n\n\tdev_info(&spi_device->dev, \"Removing ca8210\\n\");\n\n\tpdata = spi_device->dev.platform_data;\n\tif (pdata) {\n\t\tif (pdata->extclockenable) {\n\t\t\tca8210_unregister_ext_clock(spi_device);\n\t\t\tca8210_config_extern_clk(pdata, spi_device, 0);\n\t\t}\n\t\tfree_irq(pdata->irq_id, spi_device->dev.driver_data);\n\t\tkfree(pdata);\n\t\tspi_device->dev.platform_data = NULL;\n\t}\n\t/* get spi_device private data */\n\tpriv = spi_get_drvdata(spi_device);\n\tif (priv) {\n\t\tdev_info(\n\t\t\t&spi_device->dev,\n\t\t\t\"sync_down = %d, sync_up = 
%d\\n\",\n\t\t\tpriv->sync_down,\n\t\t\tpriv->sync_up\n\t\t);\n\t\tca8210_dev_com_clear(spi_device->dev.driver_data);\n\t\tif (priv->hw) {\n\t\t\tif (priv->hw_registered)\n\t\t\t\tieee802154_unregister_hw(priv->hw);\n\t\t\tieee802154_free_hw(priv->hw);\n\t\t\tpriv->hw = NULL;\n\t\t\tdev_info(\n\t\t\t\t&spi_device->dev,\n\t\t\t\t\"Unregistered & freed ieee802154_hw.\\n\"\n\t\t\t);\n\t\t}\n\t\tif (IS_ENABLED(CONFIG_IEEE802154_CA8210_DEBUGFS))\n\t\t\tca8210_test_interface_clear(priv);\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 256060907182399267614391046177250384103, "size": 43, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408809 }, { "func": "static int lz4_wrap_compress(const char* input, size_t input_length,\n char* output, size_t maxout, int accel, void* hash_table) {\n BLOSC_UNUSED_PARAM(accel);\n int cbytes;\n#ifdef HAVE_IPP\n if (hash_table == NULL) {\n return -1; // the hash table should always be initialized\n }\n int outlen = (int)maxout;\n int inlen = (int)input_length;\n // I have not found any function that uses `accel` like in `LZ4_compress_fast`, but\n // the IPP LZ4Safe call does a pretty good job on compressing well, so let's use it\n IppStatus status = ippsEncodeLZ4Safe_8u((const Ipp8u*)input, &inlen,\n (Ipp8u*)output, &outlen, (Ipp8u*)hash_table);\n if (status == ippStsDstSizeLessExpected) {\n return 0; // we cannot compress in required outlen\n }\n else if (status != ippStsNoErr) {\n return -1; // an unexpected error happened\n }\n cbytes = outlen;\n#else\n 
BLOSC_UNUSED_PARAM(hash_table);\n accel = 1; // deactivate acceleration to match IPP behaviour\n cbytes = LZ4_compress_fast(input, output, (int)input_length, (int)maxout, accel);\n#endif\n return cbytes;\n}", "project": "c-blosc2", "hash": 334298733369643463082143835486594468923, "size": 28, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303122 }, { "func": "ExecutionStatus JSObject::addOwnPropertyImpl(\n Handle selfHandle,\n Runtime *runtime,\n SymbolID name,\n PropertyFlags propertyFlags,\n Handle<> valueOrAccessor) {\n assert(\n !selfHandle->flags_.proxyObject &&\n \"Internal properties cannot be added to Proxy objects\");\n // Add a new property to the class.\n // TODO: if we check for OOM here in the future, we must undo the slot\n // allocation.\n auto addResult = HiddenClass::addProperty(\n runtime->makeHandle(selfHandle->clazz_), runtime, name, propertyFlags);\n if (LLVM_UNLIKELY(addResult == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n selfHandle->clazz_.set(runtime, *addResult->first, &runtime->getHeap());\n\n allocateNewSlotStorage(\n selfHandle, runtime, addResult->second, valueOrAccessor);\n\n // If this is an index-like property, we need to clear the fast path flags.\n if (LLVM_UNLIKELY(\n selfHandle->clazz_.getNonNull(runtime)->getHasIndexLikeProperties()))\n selfHandle->flags_.fastIndexProperties = false;\n\n return ExecutionStatus::RETURNED;\n}", "project": "hermes", "hash": 250299587233530593368045787285341216882, "size": 29, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. 
This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230163 }, { "func": "int input_grab_device(struct input_handle *handle)\n{\n\tstruct input_dev *dev = handle->dev;\n\tint retval;\n\n\tretval = mutex_lock_interruptible(&dev->mutex);\n\tif (retval)\n\t\treturn retval;\n\n\tif (dev->grab) {\n\t\tretval = -EBUSY;\n\t\tgoto out;\n\t}\n\n\trcu_assign_pointer(dev->grab, handle);\n\n out:\n\tmutex_unlock(&dev->mutex);\n\treturn retval;\n}", "project": "linux", "hash": 17027344625442918855704397076940758273, "size": 20, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353319 }, { "func": "static int kvm_vcpu_check_block(struct kvm_vcpu *vcpu)\n{\n\tint ret = -EINTR;\n\tint idx = srcu_read_lock(&vcpu->kvm->srcu);\n\n\tif (kvm_arch_vcpu_runnable(vcpu)) {\n\t\tkvm_make_request(KVM_REQ_UNHALT, vcpu);\n\t\tgoto out;\n\t}\n\tif (kvm_cpu_has_pending_timer(vcpu))\n\t\tgoto out;\n\tif (signal_pending(current))\n\t\tgoto out;\n\n\tret = 0;\nout:\n\tsrcu_read_unlock(&vcpu->kvm->srcu, idx);\n\treturn ret;\n}", "project": "linux", "hash": 171010295854446751490896326694679402938, "size": 19, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354559 }, { "func": "static int kvm_vcpu_check_block(struct kvm_vcpu *vcpu)\n{\n\tint ret = -EINTR;\n\tint idx = srcu_read_lock(&vcpu->kvm->srcu);\n\n\tif (kvm_arch_vcpu_runnable(vcpu)) {\n\t\tkvm_make_request(KVM_REQ_UNHALT, vcpu);\n\t\tgoto out;\n\t}\n\tif (kvm_cpu_has_pending_timer(vcpu))\n\t\tgoto out;\n\tif (signal_pending(current))\n\t\tgoto out;\n\tif (kvm_check_request(KVM_REQ_UNBLOCK, vcpu))\n\t\tgoto 
out;\n\n\tret = 0;\nout:\n\tsrcu_read_unlock(&vcpu->kvm->srcu, idx);\n\treturn ret;\n}", "project": "linux", "hash": 17441098357319595220703565828939353471, "size": 21, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404085 }, { "func": "static void fuse_fill_attr_from_inode(struct fuse_attr *attr,\n\t\t\t\t const struct fuse_inode *fi)\n{\n\t*attr = (struct fuse_attr){\n\t\t.ino\t\t= fi->inode.i_ino,\n\t\t.size\t\t= fi->inode.i_size,\n\t\t.blocks\t\t= fi->inode.i_blocks,\n\t\t.atime\t\t= fi->inode.i_atime.tv_sec,\n\t\t.mtime\t\t= fi->inode.i_mtime.tv_sec,\n\t\t.ctime\t\t= fi->inode.i_ctime.tv_sec,\n\t\t.atimensec\t= fi->inode.i_atime.tv_nsec,\n\t\t.mtimensec\t= fi->inode.i_mtime.tv_nsec,\n\t\t.ctimensec\t= fi->inode.i_ctime.tv_nsec,\n\t\t.mode\t\t= fi->inode.i_mode,\n\t\t.nlink\t\t= fi->inode.i_nlink,\n\t\t.uid\t\t= fi->inode.i_uid.val,\n\t\t.gid\t\t= fi->inode.i_gid.val,\n\t\t.rdev\t\t= fi->inode.i_rdev,\n\t\t.blksize\t= 1u << fi->inode.i_blkbits,\n\t};\n}", "project": "linux", "hash": 151765369027298041903295140354779173331, "size": 21, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot 
report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342123 }, { "func": "void JOIN::join_free()\n{\n SELECT_LEX_UNIT *tmp_unit;\n SELECT_LEX *sl;\n /*\n Optimization: if not EXPLAIN and we are done with the JOIN,\n free all tables.\n */\n bool full= !(select_lex->uncacheable) && !(thd->lex->describe);\n bool can_unlock= full;\n DBUG_ENTER(\"JOIN::join_free\");\n\n cleanup(full);\n\n for (tmp_unit= select_lex->first_inner_unit();\n tmp_unit;\n tmp_unit= tmp_unit->next_unit())\n {\n if (tmp_unit->with_element && tmp_unit->with_element->is_recursive)\n continue;\n for (sl= tmp_unit->first_select(); sl; sl= sl->next_select())\n {\n Item_subselect *subselect= sl->master_unit()->item;\n bool full_local= full && (!subselect || subselect->is_evaluated());\n /*\n If this join is evaluated, we can fully clean it up and clean up all\n its underlying joins even if they are correlated -- they will not be\n used any more anyway.\n If this join is not yet evaluated, we still must clean it up to\n close its table cursors -- it may never get evaluated, as in case of\n ... 
HAVING FALSE OR a IN (SELECT ...))\n but all table cursors must be closed before the unlock.\n */\n sl->cleanup_all_joins(full_local);\n /* Can't unlock if at least one JOIN is still needed */\n can_unlock= can_unlock && full_local;\n }\n }\n /*\n We are not using tables anymore\n Unlock all tables. We may be in an INSERT .... SELECT statement.\n */\n if (can_unlock && lock && thd->lock && ! thd->locked_tables_mode &&\n !(select_options & SELECT_NO_UNLOCK) &&\n !select_lex->subquery_in_having &&\n (select_lex == (thd->lex->unit.fake_select_lex ?\n thd->lex->unit.fake_select_lex : &thd->lex->select_lex)))\n {\n /*\n TODO: unlock tables even if the join isn't top level select in the\n tree.\n */\n mysql_unlock_read_tables(thd, lock); // Don't free join->lock\n lock= 0;\n }\n\n DBUG_VOID_RETURN;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 125723374436828748651215290431080608350, "size": 58, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508584 }, { "func": "static String preg_do_repl_func(const Variant& function, const String& subject,\n int* offsets, const char* const* subpat_names,\n int count) {\n Array subpats = Array::CreateDArray();\n for (int i = 0; i < count; i++) {\n auto off1 = offsets[i<<1];\n auto off2 = offsets[(i<<1)+1];\n auto sub = subject.substr(off1, off2 - off1);\n\n if (subpat_names[i]) {\n subpats.set(String(subpat_names[i]), sub);\n }\n subpats.set(i, sub);\n }\n\n return vm_call_user_func(function, make_varray(subpats)).toString();\n}", "project": "hhvm", "hash": 2508056443587811526491341341628553347, "size": 17, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219573 }, { "func": "static void\nbfq_bfqq_resume_state(struct bfq_queue *bfqq, struct bfq_data *bfqd,\n\t\t struct bfq_io_cq *bic, bool bfq_already_existing)\n{\n\tunsigned int old_wr_coeff = bfqq->wr_coeff;\n\tbool busy = bfq_already_existing && bfq_bfqq_busy(bfqq);\n\n\tif (bic->saved_has_short_ttime)\n\t\tbfq_mark_bfqq_has_short_ttime(bfqq);\n\telse\n\t\tbfq_clear_bfqq_has_short_ttime(bfqq);\n\n\tif (bic->saved_IO_bound)\n\t\tbfq_mark_bfqq_IO_bound(bfqq);\n\telse\n\t\tbfq_clear_bfqq_IO_bound(bfqq);\n\n\tbfqq->entity.new_weight = bic->saved_weight;\n\tbfqq->ttime = bic->saved_ttime;\n\tbfqq->wr_coeff = bic->saved_wr_coeff;\n\tbfqq->wr_start_at_switch_to_srt = bic->saved_wr_start_at_switch_to_srt;\n\tbfqq->last_wr_start_finish = bic->saved_last_wr_start_finish;\n\tbfqq->wr_cur_max_time = bic->saved_wr_cur_max_time;\n\n\tif (bfqq->wr_coeff > 1 && (bfq_bfqq_in_large_burst(bfqq) ||\n\t time_is_before_jiffies(bfqq->last_wr_start_finish +\n\t\t\t\t bfqq->wr_cur_max_time))) 
{\n\t\tif (bfqq->wr_cur_max_time == bfqd->bfq_wr_rt_max_time &&\n\t\t !bfq_bfqq_in_large_burst(bfqq) &&\n\t\t time_is_after_eq_jiffies(bfqq->wr_start_at_switch_to_srt +\n\t\t\t\t\t bfq_wr_duration(bfqd))) {\n\t\t\tswitch_back_to_interactive_wr(bfqq, bfqd);\n\t\t} else {\n\t\t\tbfqq->wr_coeff = 1;\n\t\t\tbfq_log_bfqq(bfqq->bfqd, bfqq,\n\t\t\t\t \"resume state: switching off wr\");\n\t\t}\n\t}\n\n\t/* make sure weight will be updated, however we got here */\n\tbfqq->entity.prio_changed = 1;\n\n\tif (likely(!busy))\n\t\treturn;\n\n\tif (old_wr_coeff == 1 && bfqq->wr_coeff > 1)\n\t\tbfqd->wr_busy_queues++;\n\telse if (old_wr_coeff > 1 && bfqq->wr_coeff == 1)\n\t\tbfqd->wr_busy_queues--;", "project": "linux", "hash": 140231614687559224724110695623838480026, "size": 49, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453276 }, { "func": "void enc_untrusted_notify(int32_t *const queue, int32_t num_threads) {\n enc_untrusted_sys_futex_wake(queue, num_threads);\n}", "project": "asylo", "hash": 309903256537095044267420272158050464169, "size": 3, "commit_id": "a37fb6a0e7daf30134dbbf357c9a518a1026aa02", "message": "Check untrusted queue is in outside enclave\n\nPiperOrigin-RevId: 333370935\nChange-Id: Ic3f15d5db1302d95c7cb199b44172474fecb81ca", "target": 0, "dataset": "other", "idx": 231078 }, { "func": "static void kvm_sched_in(struct preempt_notifier *pn, int cpu)\n{\n\tstruct kvm_vcpu *vcpu = preempt_notifier_to_vcpu(pn);\n\n\tWRITE_ONCE(vcpu->preempted, false);\n\tWRITE_ONCE(vcpu->ready, false);\n\n\t__this_cpu_write(kvm_running_vcpu, vcpu);\n\tkvm_arch_sched_in(vcpu, cpu);\n\tkvm_arch_vcpu_load(vcpu, cpu);\n}", "project": "linux", "hash": 84627367686383723987496170309560862230, 
"size": 11, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354509 }, { "func": "static void encode_lockowner(struct xdr_stream *xdr, const struct nfs_lowner *lowner)\n{\n\t__be32 *p;\n\n\tp = reserve_space(xdr, 32);\n\tp = xdr_encode_hyper(p, lowner->clientid);\n\t*p++ = cpu_to_be32(20);\n\tp = xdr_encode_opaque_fixed(p, \"lock id:\", 8);\n\t*p++ = cpu_to_be32(lowner->s_dev);\n\txdr_encode_hyper(p, lowner->id);\n}", "project": "linux", "hash": 168236897889990705594540667464239461798, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431604 }, { "func": "static void create_tmp_field_from_item_finalize(THD *thd,\n Field *new_field,\n Item *item,\n Item ***copy_func,\n bool modify_item)\n{\n if (copy_func &&\n (item->is_result_field() ||\n (item->real_item()->is_result_field())))\n *((*copy_func)++) = item;\t\t\t// Save for copy_funcs\n if (modify_item)\n 
item->set_result_field(new_field);\n if (item->type() == Item::NULL_ITEM)\n new_field->is_created_from_null_item= TRUE;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 111199162229138509685688406920934734686, "size": 15, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508545 }, { "func": "static void popt_unalias(poptContext con, const char *opt)\n{\n\tstruct poptAlias unalias;\n\n\tunalias.longName = opt + 2; /* point past the leading \"--\" */\n\tunalias.shortName = '\\0';\n\tunalias.argc = 1;\n\tunalias.argv = new_array(const char*, 1);\n\tunalias.argv[0] = strdup(opt);\n\n\tpoptAddAlias(con, unalias, 0);\n}", "project": "rsync", "hash": 32946581138036417607528835270389784247, "size": 12, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. 
This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364665 }, { "func": "bool ForwardCompatibilityWindowPassed(const VersionDef& versions) {\n // TF_GRAPH_DEF_VERSION is incremented daily.\n // TF has a 3 week forward compatibility guarantee.\n return (versions.producer() - TF_GRAPH_DEF_VERSION) > 21;\n}", "project": "tensorflow", "hash": 127993018178595077702476674925813011615, "size": 5, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268300 }, { "func": "static int imap_tags_edit(struct Mailbox *m, const char *tags, char *buf, size_t buflen)\n{\n struct ImapMboxData *mdata = imap_mdata_get(m);\n if (!mdata)\n return -1;\n\n char *new_tag = NULL;\n char *checker = NULL;\n\n /* Check for \\* flags capability */\n if (!imap_has_flag(&mdata->flags, NULL))\n {\n mutt_error(_(\"IMAP server doesn't support custom flags\"));\n return -1;\n }\n\n *buf = '\\0';\n if (tags)\n mutt_str_copy(buf, tags, buflen);\n\n if (mutt_get_field(\"Tags: \", buf, buflen, MUTT_COMP_NO_FLAGS) != 0)\n return -1;\n\n /* each keyword must be atom defined by rfc822 as:\n *\n * atom = 1*\n * CHAR = ( 0.-127. )\n * specials = \"(\" / \")\" / \"<\" / \">\" / \"@\"\n * / \",\" / \";\" / \":\" / \"\\\" / <\">\n * / \".\" / \"[\" / \"]\"\n * SPACE = ( 32. 
)\n * CTLS = ( 0.-31., 127.)\n *\n * And must be separated by one space.\n */\n\n new_tag = buf;\n checker = buf;\n SKIPWS(checker);\n while (*checker != '\\0')\n {\n if ((*checker < 32) || (*checker >= 127) || // We allow space because it's the separator\n (*checker == 40) || // (\n (*checker == 41) || // )\n (*checker == 60) || // <\n (*checker == 62) || // >\n (*checker == 64) || // @\n (*checker == 44) || // ,\n (*checker == 59) || // ;\n (*checker == 58) || // :\n (*checker == 92) || // backslash\n (*checker == 34) || // \"\n (*checker == 46) || // .\n (*checker == 91) || // [\n (*checker == 93)) // ]\n {\n mutt_error(_(\"Invalid IMAP flags\"));\n return 0;\n }\n\n /* Skip duplicate space */\n while ((checker[0] == ' ') && (checker[1] == ' '))\n checker++;\n\n /* copy char to new_tag and go the next one */\n *new_tag++ = *checker++;\n }\n *new_tag = '\\0';\n new_tag = buf; /* rewind */\n mutt_str_remove_trailing_ws(new_tag);\n\n return !mutt_str_equal(tags, buf);\n}", "project": "neomutt", "hash": 147803239687872200940617888503609193794, "size": 73, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357015 }, { "func": "static BCLine debug_frameline(lua_State *L, GCfunc *fn, cTValue *nextframe)\n{\n BCPos pc = debug_framepc(L, fn, nextframe);\n if (pc != NO_BCPOS) {\n GCproto *pt = funcproto(fn);\n lua_assert(pc <= pt->sizebc);\n return lj_debug_line(pt, pc);\n }\n return -1;\n}", "project": "LuaJIT", "hash": 169345839042423902725037497783194215945, "size": 10, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394635 }, { "func": "static OPJ_BOOL opj_j2k_end_encoding(opj_j2k_t *p_j2k,\n struct opj_stream_private *p_stream,\n struct opj_event_mgr * 
p_manager)\n{\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n OPJ_UNUSED(p_stream);\n OPJ_UNUSED(p_manager);\n\n opj_tcd_destroy(p_j2k->m_tcd);\n p_j2k->m_tcd = 00;\n\n if (p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_buffer) {\n opj_free(p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_buffer);\n p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_buffer = 0;\n p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_current = 0;\n }\n\n if (p_j2k->m_specific_param.m_encoder.m_encoded_tile_data) {\n opj_free(p_j2k->m_specific_param.m_encoder.m_encoded_tile_data);\n p_j2k->m_specific_param.m_encoder.m_encoded_tile_data = 0;\n }\n\n p_j2k->m_specific_param.m_encoder.m_encoded_tile_size = 0;\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 205256764157768625930692692609983187206, "size": 30, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357297 }, { "func": "static void restore_default_state(struct intel_context *ce,\n\t\t\t\t struct intel_engine_cs *engine)\n{\n\tu32 *regs = ce->lrc_reg_state;\n\n\tif (engine->pinned_default_state)\n\t\tmemcpy(regs, /* skip restoring the vanilla PPHWSP */\n\t\t engine->pinned_default_state + LRC_STATE_PN * PAGE_SIZE,\n\t\t engine->context_size - PAGE_SIZE);\n\n\texeclists_init_reg_state(regs, ce, engine, ce->ring, false);\n}", "project": "linux", "hash": 80806339222028932470610215785224862249, "size": 12, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. 
This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281471 }, { "func": "void CSoundFile::ChannelVolSlide(ModChannel *pChn, ModCommand::PARAM param) const\n{\n\tint32 nChnSlide = 0;\n\tif (param) pChn->nOldChnVolSlide = param; else param = pChn->nOldChnVolSlide;\n\n\tif (((param & 0x0F) == 0x0F) && (param & 0xF0))\n\t{\n\t\tif(m_SongFlags[SONG_FIRSTTICK]) nChnSlide = param >> 4;\n\t} else if (((param & 0xF0) == 0xF0) && (param & 0x0F))\n\t{\n\t\tif(m_SongFlags[SONG_FIRSTTICK]) nChnSlide = - (int)(param & 0x0F);\n\t} else\n\t{\n\t\tif(!m_SongFlags[SONG_FIRSTTICK])\n\t\t{\n\t\t\tif (param & 0x0F)\n\t\t\t{\n\t\t\t\tif(!(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT | MOD_TYPE_J2B | MOD_TYPE_DBM)) || (param & 0xF0) == 0)\n\t\t\t\t\tnChnSlide = -(int)(param & 0x0F);\n\t\t\t} else\n\t\t\t{\n\t\t\t\tnChnSlide = (int)((param & 0xF0) >> 4);\n\t\t\t}\n\t\t}\n\t}\n\tif (nChnSlide)\n\t{\n\t\tnChnSlide += pChn->nGlobalVol;\n\t\tnChnSlide = Clamp(nChnSlide, 0, 64);\n\t\tpChn->nGlobalVol = nChnSlide;\n\t}\n}", "project": "openmpt", "hash": 228362526965483802804172733677850593000, "size": 32, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 
56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255224 }, { "func": "void CSoundFile::SampleOffset(ModChannel &chn, SmpLength param) const\n{\n\tchn.proTrackerOffset += param;\n\n\tif(param >= chn.nLoopEnd && GetType() == MOD_TYPE_MTM && chn.dwFlags[CHN_LOOP] && chn.nLoopEnd > 0)\n\t{\n\t\t// Offset wrap-around\n\t\tparam = (param - chn.nLoopStart) % (chn.nLoopEnd - chn.nLoopStart) + chn.nLoopStart;\n\t}\n\n\tif(GetType() == MOD_TYPE_MDL && chn.dwFlags[CHN_16BIT])\n\t{\n\t\t// Digitrakker really uses byte offsets, not sample offsets. WTF!\n\t\tparam /= 2u;\n\t}\n\n\tif(chn.rowCommand.IsNote())\n\t{\n\t\t// IT compatibility: If this note is not mapped to a sample, ignore it.\n\t\t// Test case: empty_sample_offset.it\n\t\tif(chn.pModInstrument != nullptr)\n\t\t{\n\t\t\tSAMPLEINDEX smp = chn.pModInstrument->Keyboard[chn.rowCommand.note - NOTE_MIN];\n\t\t\tif(smp == 0 || smp > GetNumSamples())\n\t\t\t\treturn;\n\t\t}\n\n\t\tif(m_SongFlags[SONG_PT_MODE])\n\t\t{\n\t\t\t// ProTracker compatbility: PT1/2-style funky 9xx offset command\n\t\t\t// Test case: ptoffset.mod\n\t\t\tchn.position.Set(chn.proTrackerOffset);\n\t\t\tchn.proTrackerOffset += param;\n\t\t} else\n\t\t{\n\t\t\tchn.position.Set(param);\n\t\t}\n\n\t\tif (chn.position.GetUInt() >= chn.nLength || (chn.dwFlags[CHN_LOOP] && chn.position.GetUInt() >= chn.nLoopEnd))\n\t\t{\n\t\t\t// Offset beyond sample size\n\t\t\tif (!(GetType() & (MOD_TYPE_XM | MOD_TYPE_MT2 | MOD_TYPE_MOD | MOD_TYPE_MTM)))\n\t\t\t{\n\t\t\t\t// IT Compatibility: Offset\n\t\t\t\tif(m_playBehaviour[kITOffset])\n\t\t\t\t{\n\t\t\t\t\tif(m_SongFlags[SONG_ITOLDEFFECTS])\n\t\t\t\t\t\tchn.position.Set(chn.nLength); // Old FX: Clip to end of sample\n\t\t\t\t\telse\n\t\t\t\t\t\tchn.position.Set(0); // Reset to beginning of sample\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\tchn.position.Set(chn.nLoopStart);\n\t\t\t\t\tif(m_SongFlags[SONG_ITOLDEFFECTS] && chn.nLength > 4)\n\t\t\t\t\t{\n\t\t\t\t\t\tchn.position.Set(chn.nLength - 
2);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t} else if(m_playBehaviour[kFT2OffsetOutOfRange] || GetType() == MOD_TYPE_MTM)\n\t\t\t{\n\t\t\t\t// FT2 Compatibility: Don't play note if offset is beyond sample length\n\t\t\t\t// Test case: 3xx-no-old-samp.xm\n\t\t\t\tchn.dwFlags.set(CHN_FASTVOLRAMP);\n\t\t\t\tchn.nPeriod = 0;\n\t\t\t} else if(GetType() == MOD_TYPE_MOD && chn.dwFlags[CHN_LOOP])\n\t\t\t{\n\t\t\t\tchn.position.Set(chn.nLoopStart);\n\t\t\t}\n\t\t}\n\t} else if ((param < chn.nLength) && (GetType() & (MOD_TYPE_MTM | MOD_TYPE_DMF | MOD_TYPE_MDL | MOD_TYPE_PLM)))\n\t{\n\t\t// Some trackers can also call offset effects without notes next to them...\n\t\tchn.position.Set(param);\n\t}\n}", "project": "openmpt", "hash": 179927350444786857027217002510630349034, "size": 75, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255221 }, { "func": "int fuse_allow_current_process(struct fuse_conn *fc)\n{\n\tconst struct cred *cred;\n\n\tif (fc->allow_other)\n\t\treturn current_in_userns(fc->user_ns);\n\n\tcred = current_cred();\n\tif (uid_eq(cred->euid, fc->user_id) &&\n\t uid_eq(cred->suid, fc->user_id) &&\n\t uid_eq(cred->uid, fc->user_id) &&\n\t gid_eq(cred->egid, fc->group_id) &&\n\t gid_eq(cred->sgid, fc->group_id) &&\n\t gid_eq(cred->gid, fc->group_id))\n\t\treturn 1;\n\n\treturn 0;\n}", "project": "linux", "hash": 221647422812304244191081516684229414037, "size": 18, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342017 }, { "func": "static void power_pmu_stop(struct perf_event *event, int ef_flags)\n{\n\tunsigned long flags;\n\n\tif (!event->hw.idx || !event->hw.sample_period)\n\t\treturn;\n\n\tif (event->hw.state & PERF_HES_STOPPED)\n\t\treturn;\n\n\tlocal_irq_save(flags);\n\tperf_pmu_disable(event->pmu);\n\n\tpower_pmu_read(event);\n\tevent->hw.state |= PERF_HES_STOPPED | PERF_HES_UPTODATE;\n\twrite_pmc(event->hw.idx, 0);\n\n\tperf_event_update_userpage(event);\n\tperf_pmu_enable(event->pmu);\n\tlocal_irq_restore(flags);\n}", "project": "linux", "hash": 253041845434251440473630112400995856934, "size": 21, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR 
perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374726 }, { "func": "static uint8_t _intsetValueEncoding(int64_t v) {\n if (v < INT32_MIN || v > INT32_MAX)\n return INTSET_ENC_INT64;\n else if (v < INT16_MIN || v > INT16_MAX)\n return INTSET_ENC_INT32;\n else\n return INTSET_ENC_INT16;\n}", "project": "redis", "hash": 207312839834423048517522713096356514956, "size": 8, "commit_id": "789f10156009b404950ad717642a9496ed887083", "message": "Fix integer overflow in intset (CVE-2021-29478)\n\nAn integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and\npotentially result with remote code execution.\n\nThe vulnerability involves changing the default set-max-intset-entries\nconfiguration value, creating a large set key that consists of integer values\nand using the COPY command to duplicate it.\n\nThe integer overflow bug exists in all versions of Redis starting with 2.6,\nwhere it could result with a corrupted RDB or DUMP payload, but not exploited\nthrough COPY (which did not exist before 
6.2).\n\n(cherry picked from commit 29900d4e6bccdf3691bedf0ea9a5d84863fa3592)", "target": 0, "dataset": "other", "idx": 290643 }, { "func": "static int sctp_setsockopt_rtoinfo(struct sock *sk,\n\t\t\t\t struct sctp_rtoinfo *rtoinfo,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_association *asoc;\n\tunsigned long rto_min, rto_max;\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\n\tif (optlen != sizeof (struct sctp_rtoinfo))\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, rtoinfo->srto_assoc_id);\n\n\t/* Set the values to the specific association */\n\tif (!asoc && rtoinfo->srto_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\trto_max = rtoinfo->srto_max;\n\trto_min = rtoinfo->srto_min;\n\n\tif (rto_max)\n\t\trto_max = asoc ? msecs_to_jiffies(rto_max) : rto_max;\n\telse\n\t\trto_max = asoc ? asoc->rto_max : sp->rtoinfo.srto_max;\n\n\tif (rto_min)\n\t\trto_min = asoc ? msecs_to_jiffies(rto_min) : rto_min;\n\telse\n\t\trto_min = asoc ? asoc->rto_min : sp->rtoinfo.srto_min;\n\n\tif (rto_min > rto_max)\n\t\treturn -EINVAL;\n\n\tif (asoc) {\n\t\tif (rtoinfo->srto_initial != 0)\n\t\t\tasoc->rto_initial =\n\t\t\t\tmsecs_to_jiffies(rtoinfo->srto_initial);\n\t\tasoc->rto_max = rto_max;\n\t\tasoc->rto_min = rto_min;\n\t} else {\n\t\t/* If there is no association or the association-id = 0\n\t\t * set the values to the endpoint.\n\t\t */\n\t\tif (rtoinfo->srto_initial != 0)\n\t\t\tsp->rtoinfo.srto_initial = rtoinfo->srto_initial;\n\t\tsp->rtoinfo.srto_max = rto_max;\n\t\tsp->rtoinfo.srto_min = rto_min;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 218229945103314601173792806443175458718, "size": 52, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the 
following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398188 }, { "func": "static bool check_row_equality(THD *thd, const Arg_comparator *comparators,\n Item *left_row, Item_row *right_row,\n COND_EQUAL *cond_equal, List* eq_list)\n{ \n uint n= left_row->cols();\n for (uint i= 0 ; i < n; i++)\n {\n bool is_converted;\n Item *left_item= left_row->element_index(i);\n Item *right_item= right_row->element_index(i);\n if (left_item->type() == Item::ROW_ITEM &&\n right_item->type() == Item::ROW_ITEM)\n {\n /*\n Item_splocal for ROW SP variables return Item::ROW_ITEM.\n Here we know that left_item and right_item are not Item_splocal,\n because ROW SP variables with nested ROWs are not supported yet.\n It's safe to cast left_item and right_item to Item_row.\n */\n DBUG_ASSERT(!left_item->get_item_splocal());\n DBUG_ASSERT(!right_item->get_item_splocal());\n is_converted= check_row_equality(thd,\n comparators[i].subcomparators(),\n (Item_row *) left_item,\n (Item_row *) right_item,\n\t\t\t cond_equal, eq_list);\n }\n else\n { \n const Arg_comparator *tmp= &comparators[i];\n is_converted= check_simple_equality(thd,\n Item::Context(Item::ANY_SUBST,\n tmp->compare_type_handler(),\n tmp->compare_collation()),\n left_item, right_item,\n cond_equal);\n } \n \n if (!is_converted)\n {\n Item_func_eq *eq_item;\n if (!(eq_item= new (thd->mem_root) Item_func_eq(thd, left_item, right_item)) ||\n eq_item->set_cmp_func())\n return 
FALSE;\n eq_item->quick_fix_field();\n eq_list->push_back(eq_item, thd->mem_root);\n }\n }\n return TRUE;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 205418749535743062124879468076197379261, "size": 50, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508513 }, { "func": "static void hci_req_clear_event_filter(struct hci_request *req)\n{\n\tstruct hci_cp_set_event_filter f;\n\n\tmemset(&f, 0, sizeof(f));\n\tf.flt_type = HCI_FLT_CLEAR_ALL;\n\thci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &f);\n\n\t/* Update page scan state (since we may have modified it when setting\n\t * the event filter).\n\t */\n\t__hci_req_update_scan(req);\n}", "project": "linux", "hash": 167100573408914909617610512541727508899, "size": 13, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402475 }, { "func": "int mnt_optstr_get_option(const char *optstr, const char *name,\n\t\t\t char **value, size_t *valsz)\n{\n\tstruct libmnt_optloc ol = MNT_INIT_OPTLOC;\n\tint rc;\n\n\tif (!optstr || !name)\n\t\treturn -EINVAL;\n\n\trc = mnt_optstr_locate_option((char *) optstr, name, &ol);\n\tif (!rc) {\n\t\tif (value)\n\t\t\t*value = ol.value;\n\t\tif (valsz)\n\t\t\t*valsz = ol.valsz;\n\t}\n\treturn rc;\n}", "project": "util-linux", "hash": 283358205537595746811907511206737713902, "size": 18, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410413 }, { "func": "static int nfs4_write_done_cb(struct rpc_task *task,\n\t\t\t struct nfs_pgio_header *hdr)\n{\n\tstruct inode *inode = hdr->inode;\n\n\ttrace_nfs4_write(hdr, task->tk_status);\n\tif (task->tk_status < 0) {\n\t\tstruct nfs4_exception exception = {\n\t\t\t.inode = hdr->inode,\n\t\t\t.state = hdr->args.context->state,\n\t\t\t.stateid = &hdr->args.stateid,\n\t\t};\n\t\ttask->tk_status = nfs4_async_handle_exception(task,\n\t\t\t\tNFS_SERVER(inode), task->tk_status,\n\t\t\t\t&exception);\n\t\tif (exception.retry) 
{\n\t\t\trpc_restart_call_prepare(task);\n\t\t\treturn -EAGAIN;\n\t\t}\n\t}\n\tif (task->tk_status >= 0) {\n\t\trenew_lease(NFS_SERVER(inode), hdr->timestamp);\n\t\tnfs_writeback_update_inode(hdr);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 61763895325467197040611704248790649494, "size": 26, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431287 }, { "func": "DLLEXPORT int DLLCALL tjCompressFromYUV(tjhandle handle,\n\tconst unsigned char *srcBuf, int width, int pad, int height, int subsamp,\n\tunsigned char **jpegBuf, unsigned long *jpegSize, int jpegQual, int flags)\n{\n\tconst unsigned char *srcPlanes[3];\n\tint pw0, ph0, strides[3], retval=-1;\n\n\tif(srcBuf==NULL || width<=0 || pad<1 || height<=0 || subsamp<0\n\t\t|| subsamp>=NUMSUBOPT)\n\t\t_throw(\"tjCompressFromYUV(): Invalid argument\");\n\n\tpw0=tjPlaneWidth(0, width, subsamp);\n\tph0=tjPlaneHeight(0, height, subsamp);\n\tsrcPlanes[0]=srcBuf;\n\tstrides[0]=PAD(pw0, pad);\n\tif(subsamp==TJSAMP_GRAY)\n\t{\n\t\tstrides[1]=strides[2]=0;\n\t\tsrcPlanes[1]=srcPlanes[2]=NULL;\n\t}\n\telse\n\t{\n\t\tint pw1=tjPlaneWidth(1, width, subsamp);\n\t\tint ph1=tjPlaneHeight(1, height, subsamp);\n\t\tstrides[1]=strides[2]=PAD(pw1, pad);\n\t\tsrcPlanes[1]=srcPlanes[0]+strides[0]*ph0;\n\t\tsrcPlanes[2]=srcPlanes[1]+strides[1]*ph1;\n\t}\n\n\treturn tjCompressFromYUVPlanes(handle, srcPlanes, width, strides, height,\n\t\tsubsamp, jpegBuf, jpegSize, jpegQual, flags);\n\n\tbailout:\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 329250274885044580664027806914638072748, "size": 35, 
"commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311127 }, { "func": "std::string getAuthFilterConfig(const std::string& config_str, bool use_local_jwks) {\n JwtAuthentication proto_config;\n TestUtility::loadFromYaml(config_str, proto_config);\n\n if (use_local_jwks) {\n auto& provider0 = (*proto_config.mutable_providers())[std::string(ProviderName)];\n provider0.clear_remote_jwks();\n auto local_jwks = provider0.mutable_local_jwks();\n local_jwks->set_inline_string(PublicKey);\n }\n\n HttpFilter filter;\n filter.set_name(\"envoy.filters.http.jwt_authn\");\n filter.mutable_typed_config()->PackFrom(proto_config);\n return MessageUtil::getJsonStringFromMessageOrDie(filter);\n}", "project": "envoy", "hash": 11902332489148128910305586789002900182, "size": 16, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246635 }, { "func": "static int power_pmu_event_init(struct perf_event *event)\n{\n\tu64 ev;\n\tunsigned long flags, irq_flags;\n\tstruct perf_event *ctrs[MAX_HWEVENTS];\n\tu64 events[MAX_HWEVENTS];\n\tunsigned int cflags[MAX_HWEVENTS];\n\tint n;\n\tint err;\n\tstruct cpu_hw_events *cpuhw;\n\n\tif (!ppmu)\n\t\treturn -ENOENT;\n\n\tif (has_branch_stack(event)) {\n\t /* PMU has BHRB enabled */\n\t\tif (!(ppmu->flags & PPMU_ARCH_207S))\n\t\t\treturn -EOPNOTSUPP;\n\t}\n\n\tswitch (event->attr.type) {\n\tcase PERF_TYPE_HARDWARE:\n\t\tev = event->attr.config;\n\t\tif (ev >= ppmu->n_generic || ppmu->generic_events[ev] == 0)\n\t\t\treturn -EOPNOTSUPP;\n\n\t\tif (ppmu->blacklist_ev && is_event_blacklisted(ev))\n\t\t\treturn -EINVAL;\n\t\tev = 
ppmu->generic_events[ev];\n\t\tbreak;\n\tcase PERF_TYPE_HW_CACHE:\n\t\terr = hw_perf_cache_event(event->attr.config, &ev);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tif (ppmu->blacklist_ev && is_event_blacklisted(ev))\n\t\t\treturn -EINVAL;\n\t\tbreak;\n\tcase PERF_TYPE_RAW:\n\t\tev = event->attr.config;\n\n\t\tif (ppmu->blacklist_ev && is_event_blacklisted(ev))\n\t\t\treturn -EINVAL;\n\t\tbreak;\n\tdefault:\n\t\treturn -ENOENT;\n\t}\n\n\t/*\n\t * PMU config registers have fields that are\n\t * reserved and some specific values for bit fields are reserved.\n\t * For ex., MMCRA[61:62] is Randome Sampling Mode (SM)\n\t * and value of 0b11 to this field is reserved.\n\t * Check for invalid values in attr.config.\n\t */\n\tif (ppmu->check_attr_config &&\n\t ppmu->check_attr_config(event))\n\t\treturn -EINVAL;\n\n\tevent->hw.config_base = ev;\n\tevent->hw.idx = 0;\n\n\t/*\n\t * If we are not running on a hypervisor, force the\n\t * exclude_hv bit to 0 so that we don't care what\n\t * the user set it to.\n\t */\n\tif (!firmware_has_feature(FW_FEATURE_LPAR))\n\t\tevent->attr.exclude_hv = 0;\n\n\t/*\n\t * If this is a per-task event, then we can use\n\t * PM_RUN_* events interchangeably with their non RUN_*\n\t * equivalents, e.g. 
PM_RUN_CYC instead of PM_CYC.\n\t * XXX we should check if the task is an idle task.\n\t */\n\tflags = 0;\n\tif (event->attach_state & PERF_ATTACH_TASK)\n\t\tflags |= PPMU_ONLY_COUNT_RUN;\n\n\t/*\n\t * If this machine has limited events, check whether this\n\t * event_id could go on a limited event.\n\t */\n\tif (ppmu->flags & PPMU_LIMITED_PMC5_6) {\n\t\tif (can_go_on_limited_pmc(event, ev, flags)) {\n\t\t\tflags |= PPMU_LIMITED_PMC_OK;\n\t\t} else if (ppmu->limited_pmc_event(ev)) {\n\t\t\t/*\n\t\t\t * The requested event_id is on a limited PMC,\n\t\t\t * but we can't use a limited PMC; see if any\n\t\t\t * alternative goes on a normal PMC.\n\t\t\t */\n\t\t\tev = normal_pmc_alternative(ev, flags);\n\t\t\tif (!ev)\n\t\t\t\treturn -EINVAL;\n\t\t}\n\t}\n\n\t/* Extra checks for EBB */\n\terr = ebb_event_check(event);\n\tif (err)\n\t\treturn err;\n\n\t/*\n\t * If this is in a group, check if it can go on with all the\n\t * other hardware events in the group. We assume the event\n\t * hasn't been linked into its leader's sibling list at this point.\n\t */\n\tn = 0;\n\tif (event->group_leader != event) {\n\t\tn = collect_events(event->group_leader, ppmu->n_counter - 1,\n\t\t\t\t ctrs, events, cflags);\n\t\tif (n < 0)\n\t\t\treturn -EINVAL;\n\t}\n\tevents[n] = ev;\n\tctrs[n] = event;\n\tcflags[n] = flags;\n\tif (check_excludes(ctrs, cflags, n, 1))\n\t\treturn -EINVAL;\n\n\tlocal_irq_save(irq_flags);\n\tcpuhw = this_cpu_ptr(&cpu_hw_events);\n\n\terr = power_check_constraints(cpuhw, events, cflags, n + 1, ctrs);\n\n\tif (has_branch_stack(event)) {\n\t\tu64 bhrb_filter = -1;\n\n\t\tif (ppmu->bhrb_filter_map)\n\t\t\tbhrb_filter = ppmu->bhrb_filter_map(\n\t\t\t\t\tevent->attr.branch_sample_type);\n\n\t\tif (bhrb_filter == -1) {\n\t\t\tlocal_irq_restore(irq_flags);\n\t\t\treturn -EOPNOTSUPP;\n\t\t}\n\t\tcpuhw->bhrb_filter = bhrb_filter;\n\t}\n\n\tlocal_irq_restore(irq_flags);\n\tif (err)\n\t\treturn -EINVAL;\n\n\tevent->hw.config = events[n];\n\tevent->hw.event_base = 
cflags[n];\n\tevent->hw.last_period = event->hw.sample_period;\n\tlocal64_set(&event->hw.period_left, event->hw.last_period);\n\n\t/*\n\t * For EBB events we just context switch the PMC value, we don't do any\n\t * of the sample_period logic. We use hw.prev_count for this.\n\t */\n\tif (is_ebb_event(event))\n\t\tlocal64_set(&event->hw.prev_count, 0);\n\n\t/*\n\t * See if we need to reserve the PMU.\n\t * If no events are currently in use, then we have to take a\n\t * mutex to ensure that we don't race with another task doing\n\t * reserve_pmc_hardware or release_pmc_hardware.\n\t */\n\terr = 0;\n\tif (!atomic_inc_not_zero(&num_events)) {\n\t\tmutex_lock(&pmc_reserve_mutex);\n\t\tif (atomic_read(&num_events) == 0 &&\n\t\t reserve_pmc_hardware(perf_event_interrupt))\n\t\t\terr = -EBUSY;\n\t\telse\n\t\t\tatomic_inc(&num_events);\n\t\tmutex_unlock(&pmc_reserve_mutex);\n\t}\n\tevent->destroy = hw_perf_event_destroy;\n\n\treturn err;\n}", "project": "linux", "hash": 102463839239755663662913056524261884187, "size": 177, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n 
timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374693 }, { "func": "static inline void mark_all_dirty(struct vmcb *vmcb)\n{\n\tvmcb->control.clean = 0;\n}", "project": "linux", "hash": 323672008394424049841747031218291877830, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432594 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::markAudioNodeOutputDirty(AudioNodeOutput* output)\n{\n ASSERT(isGraphOwner());\n ASSERT(isMainThread());\n m_dirtyAudioNodeOutputs.add(output);\n}\n", "cwe": "", "big_vul_idx": 139668, "idx": 124818, "hash": 185820242393535458300957480488804862352 }, { "func": "static ssize_t store_user_store(struct kmem_cache *s,\n\t\t\t\tconst char *buf, size_t length)\n{\n\tif (any_slab_objects(s))\n\t\treturn -EBUSY;\n\n\ts->flags &= ~SLAB_STORE_USER;\n\tif (buf[0] == '1') {\n\t\ts->flags &= ~__CMPXCHG_DOUBLE;\n\t\ts->flags |= SLAB_STORE_USER;\n\t}\n\tcalculate_sizes(s, -1);\n\treturn length;\n}", "project": "linux", "hash": 287211839027979008547800876199966231678, "size": 14, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280247 }, { "func": "static uint32_t read_filter_data(struct rar5* rar, uint32_t offset) {\n\tuint8_t linear_buf[4];\n\tcircular_memcpy(linear_buf, rar->cstate.window_buf,\n\t rar->cstate.window_mask, offset, offset + 4);\n\treturn archive_le32dec(linear_buf);\n}", "project": "libarchive", "hash": 110317872741313737335789438746813722761, "size": 6, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244696 }, { "func": "static inline void mark_all_clean(struct vmcb *vmcb)\n{\n\tvmcb->control.clean = ((1 << VMCB_DIRTY_MAX) - 1)\n\t\t\t & ~VMCB_ALWAYS_DIRTY_MASK;\n}", "project": "linux", "hash": 33568596912869682646120201617632438921, "size": 5, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432616 }, { "func": "static void cmd_parse_fetch (IMAP_DATA* idata, char* s)\n{\n unsigned int msn, uid;\n HEADER *h;\n int server_changes = 0;\n\n dprint (3, (debugfile, \"Handling FETCH\\n\"));\n\n if (mutt_atoui (s, &msn) < 0 ||\n msn < 1 || msn > idata->max_msn)\n {\n dprint (3, (debugfile, \"FETCH response ignored for this message\\n\"));\n return;\n }\n\n h = idata->msn_index[msn - 1];\n if (!h || !h->active)\n {\n dprint (3, (debugfile, \"FETCH response ignored for this message\\n\"));\n return;\n }\n\n dprint (2, (debugfile, \"Message UID %u updated\\n\", HEADER_DATA(h)->uid));\n /* skip FETCH */\n s = imap_next_word (s);\n s = imap_next_word (s);\n\n if (*s != '(')\n {\n dprint (1, (debugfile, \"Malformed FETCH response\"));\n return;\n }\n s++;\n\n while (*s)\n {\n SKIPWS (s);\n\n if (ascii_strncasecmp (\"FLAGS\", s, 5) == 0)\n {\n imap_set_flags (idata, h, s, &server_changes);\n if (server_changes)\n {\n /* If server flags could conflict with mutt's flags, reopen the mailbox. */\n if (h->changed)\n idata->reopen |= IMAP_EXPUNGE_PENDING;\n else\n idata->check_status = IMAP_FLAGS_PENDING;\n }\n return;\n }\n else if (ascii_strncasecmp (\"UID\", s, 3) == 0)\n {\n s += 3;\n SKIPWS (s);\n if (mutt_atoui (s, &uid) < 0)\n {\n dprint (2, (debugfile, \"Illegal UID. Skipping update.\\n\"));\n return;\n }\n if (uid != HEADER_DATA(h)->uid)\n {\n dprint (2, (debugfile, \"FETCH UID vs MSN mismatch. 
Skipping update.\\n\"));\n return;\n }\n s = imap_next_word (s);\n }\n else if (*s == ')')\n s++; /* end of request */\n else if (*s)\n {\n dprint (2, (debugfile, \"Only handle FLAGS updates\\n\"));\n return;\n }\n }\n}", "project": "mutt", "hash": 191614766047488130974730997099162946784, "size": 76, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338026 }, { "func": "static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,\n\t\t\t struct list_head *done)\n{\n\tstruct req_batch rb;\n\tstruct io_kiocb *req;\n\n\t/* order with ->result store in io_complete_rw_iopoll() */\n\tsmp_rmb();\n\n\tio_init_req_batch(&rb);\n\twhile (!list_empty(done)) {\n\t\tint cflags = 0;\n\n\t\treq = list_first_entry(done, struct io_kiocb, inflight_entry);\n\t\tlist_del(&req->inflight_entry);\n\n\t\tif (READ_ONCE(req->result) == -EAGAIN &&\n\t\t !(req->flags & REQ_F_DONT_REISSUE)) {\n\t\t\treq->iopoll_completed = 0;\n\t\t\treq_ref_get(req);\n\t\t\tio_queue_async_work(req);\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (req->flags & REQ_F_BUFFER_SELECTED)\n\t\t\tcflags = io_put_rw_kbuf(req);\n\n\t\t__io_cqring_fill_event(ctx, req->user_data, req->result, cflags);\n\t\t(*nr_events)++;\n\n\t\tif (req_ref_put_and_test(req))\n\t\t\tio_req_free_batch(&rb, req, &ctx->submit_state);\n\t}\n\n\tio_commit_cqring(ctx);\n\tio_cqring_ev_posted_iopoll(ctx);\n\tio_req_free_batch_finish(ctx, &rb);\n}", "project": "linux", "hash": 278837877477061489446174840558538195264, "size": 38, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338689 }, { "func": "static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,\n\t\t\t struct list_head *done)\n{\n\tstruct req_batch rb;\n\tstruct io_kiocb *req;\n\tLIST_HEAD(again);\n\n\t/* order with ->result store in io_complete_rw_iopoll() */\n\tsmp_rmb();\n\n\tio_init_req_batch(&rb);\n\twhile (!list_empty(done)) {\n\t\tint cflags = 0;\n\n\t\treq = list_first_entry(done, struct io_kiocb, inflight_entry);\n\t\tif (READ_ONCE(req->result) == -EAGAIN) {\n\t\t\treq->iopoll_completed = 0;\n\t\t\tlist_move_tail(&req->inflight_entry, &again);\n\t\t\tcontinue;\n\t\t}\n\t\tlist_del(&req->inflight_entry);\n\n\t\tif (req->flags & REQ_F_BUFFER_SELECTED)\n\t\t\tcflags = io_put_rw_kbuf(req);\n\n\t\t__io_cqring_fill_event(req, req->result, cflags);\n\t\t(*nr_events)++;\n\n\t\tif (refcount_dec_and_test(&req->refs))\n\t\t\tio_req_free_batch(&rb, req);\n\t}\n\n\tio_commit_cqring(ctx);\n\tif (ctx->flags & IORING_SETUP_SQPOLL)\n\t\tio_cqring_ev_posted(ctx);\n\tio_req_free_batch_finish(ctx, &rb);\n\n\tif (!list_empty(&again))\n\t\tio_iopoll_queue(&again);\n}", "project": "linux", "hash": 3865359336184848298532007371532592058, "size": 40, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure 
that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456948 }, { "func": "SYSCALL_DEFINE1(epoll_create, int, size)\n{\n\tif (size <= 0)\n\t\treturn -EINVAL;\n\n\treturn do_epoll_create(0);\n}", "project": "linux", "hash": 1143536726652428839936044884673264613, "size": 7, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336227 }, { "func": "SYSCALL_DEFINE1(epoll_create1, int, flags)\n{\n\treturn do_epoll_create(flags);\n}", "project": "linux", "hash": 95208952347659227265550854537773651900, "size": 4, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336229 }, { "func": "static int do_epoll_create(int flags)\n{\n\tint error, fd;\n\tstruct eventpoll *ep = NULL;\n\tstruct file *file;\n\n\t/* Check the EPOLL_* constant for consistency. */\n\tBUILD_BUG_ON(EPOLL_CLOEXEC != O_CLOEXEC);\n\n\tif (flags & ~EPOLL_CLOEXEC)\n\t\treturn -EINVAL;\n\t/*\n\t * Create the internal data structure (\"struct eventpoll\").\n\t */\n\terror = ep_alloc(&ep);\n\tif (error < 0)\n\t\treturn error;\n\t/*\n\t * Creates all the items needed to setup an eventpoll file. 
That is,\n\t * a file structure and a free file descriptor.\n\t */\n\tfd = get_unused_fd_flags(O_RDWR | (flags & O_CLOEXEC));\n\tif (fd < 0) {\n\t\terror = fd;\n\t\tgoto out_free_ep;\n\t}\n\tfile = anon_inode_getfile(\"[eventpoll]\", &eventpoll_fops, ep,\n\t\t\t\t O_RDWR | (flags & O_CLOEXEC));\n\tif (IS_ERR(file)) {\n\t\terror = PTR_ERR(file);\n\t\tgoto out_free_fd;\n\t}\n\tep->file = file;\n\tfd_install(fd, file);\n\treturn fd;\n\nout_free_fd:\n\tput_unused_fd(fd);\nout_free_ep:\n\tep_free(ep);\n\treturn error;\n}", "project": "linux", "hash": 10500765749719070689274795747828529753, "size": 42, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336285 }, { "func": "void LanLinkProvider::sendBroadcasts(\n QUdpSocket& socket, const NetworkPacket& np, const QList& addresses)\n{\n const QByteArray payload = np.serialize();\n\n for (auto& address : addresses) {\n socket.writeDatagram(payload, address, m_udpBroadcastPort);\n }\n}", "project": "kdeconnect-kde", "hash": 14145296914448729845302246143951064978, "size": 9, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227359 }, { "func": "kvm_pfn_t gfn_to_pfn(struct kvm *kvm, gfn_t gfn)\n{\n\treturn gfn_to_pfn_memslot(gfn_to_memslot(kvm, gfn), gfn);\n}", "project": "linux", "hash": 256361296041032935271429915481119867803, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 
36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354413 }, { "func": "DLLEXPORT int DLLCALL tjEncodeYUVPlanes(tjhandle handle,\n\tconst unsigned char *srcBuf, int width, int pitch, int height,\n\tint pixelFormat, unsigned char **dstPlanes, int *strides, int subsamp,\n\tint flags)\n{\n\tint i, retval=0; JSAMPROW *row_pointer=NULL;\n\tJSAMPLE *_tmpbuf[MAX_COMPONENTS], *_tmpbuf2[MAX_COMPONENTS];\n\tJSAMPROW *tmpbuf[MAX_COMPONENTS], *tmpbuf2[MAX_COMPONENTS];\n\tJSAMPROW *outbuf[MAX_COMPONENTS];\n\tint row, pw0, ph0, pw[MAX_COMPONENTS], ph[MAX_COMPONENTS];\n\tJSAMPLE *ptr;\n\tjpeg_component_info *compptr;\n\t#ifndef JCS_EXTENSIONS\n\tunsigned char *rgbBuf=NULL;\n\t#endif\n\n\tgetcinstance(handle);\n\n\tfor(i=0; iinit&COMPRESS)==0)\n\t\t_throw(\"tjEncodeYUVPlanes(): Instance has not been initialized for compression\");\n\n\tif(srcBuf==NULL || width<=0 || pitch<0 || height<=0 || pixelFormat<0\n\t\t|| pixelFormat>=TJ_NUMPF || !dstPlanes || !dstPlanes[0] || subsamp<0\n\t\t|| subsamp>=NUMSUBOPT)\n\t\t_throw(\"tjEncodeYUVPlanes(): Invalid argument\");\n\tif(subsamp!=TJSAMP_GRAY && (!dstPlanes[1] || !dstPlanes[2]))\n\t\t_throw(\"tjEncodeYUVPlanes(): Invalid argument\");\n\n\tif(pixelFormat==TJPF_CMYK)\n\t\t_throw(\"tjEncodeYUVPlanes(): Cannot generate YUV images from CMYK pixels\");\n\n\tif(pitch==0) pitch=width*tjPixelSize[pixelFormat];\n\n\t#ifndef JCS_EXTENSIONS\n\tif(pixelFormat!=TJPF_GRAY && pixelFormat!=TJPF_CMYK)\n\t{\n\t\trgbBuf=(unsigned char *)malloc(width*height*RGB_PIXELSIZE);\n\t\tif(!rgbBuf) _throw(\"tjEncodeYUVPlanes(): Memory allocation failure\");\n\t\tsrcBuf=toRGB(srcBuf, width, pitch, height, pixelFormat, 
rgbBuf);\n\t\tpitch=width*RGB_PIXELSIZE;\n\t}\n\t#endif\n\n\tif(setjmp(this->jerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. */\n\t\tretval=-1; goto bailout;\n\t}\n\n\tcinfo->image_width=width;\n\tcinfo->image_height=height;\n\n#ifndef NO_PUTENV\n\tif(flags&TJFLAG_FORCEMMX) putenv(\"JSIMD_FORCEMMX=1\");\n\telse if(flags&TJFLAG_FORCESSE) putenv(\"JSIMD_FORCESSE=1\");\n\telse if(flags&TJFLAG_FORCESSE2) putenv(\"JSIMD_FORCESSE2=1\");\n#endif\n\n\tif(setCompDefaults(cinfo, pixelFormat, subsamp, -1, flags)==-1) return -1;\n\n\t/* Execute only the parts of jpeg_start_compress() that we need. If we\n\t were to call the whole jpeg_start_compress() function, then it would try\n\t to write the file headers, which could overflow the output buffer if the\n\t YUV image were very small. */\n\tif(cinfo->global_state!=CSTATE_START)\n\t\t_throw(\"tjEncodeYUVPlanes(): libjpeg API is in the wrong state\");\n\t(*cinfo->err->reset_error_mgr)((j_common_ptr)cinfo);\n\tjinit_c_master_control(cinfo, FALSE);\n\tjinit_color_converter(cinfo);\n\tjinit_downsampler(cinfo);\n\t(*cinfo->cconvert->start_pass)(cinfo);\n\n\tpw0=PAD(width, cinfo->max_h_samp_factor);\n\tph0=PAD(height, cinfo->max_v_samp_factor);\n\n\tif((row_pointer=(JSAMPROW *)malloc(sizeof(JSAMPROW)*ph0))==NULL)\n\t\t_throw(\"tjEncodeYUVPlanes(): Memory allocation failure\");\n\tfor(i=0; inum_components; i++)\n\t{\n\t\tcompptr=&cinfo->comp_info[i];\n\t\t_tmpbuf[i]=(JSAMPLE *)malloc(\n\t\t\tPAD((compptr->width_in_blocks*cinfo->max_h_samp_factor*DCTSIZE)\n\t\t\t\t/compptr->h_samp_factor, 16) * cinfo->max_v_samp_factor + 16);\n\t\tif(!_tmpbuf[i]) _throw(\"tjEncodeYUVPlanes(): Memory allocation failure\");\n\t\ttmpbuf[i]=(JSAMPROW *)malloc(sizeof(JSAMPROW)*cinfo->max_v_samp_factor);\n\t\tif(!tmpbuf[i]) _throw(\"tjEncodeYUVPlanes(): Memory allocation failure\");\n\t\tfor(row=0; rowmax_v_samp_factor; row++)\n\t\t{\n\t\t\tunsigned char *_tmpbuf_aligned=\n\t\t\t\t(unsigned char 
*)PAD((size_t)_tmpbuf[i], 16);\n\t\t\ttmpbuf[i][row]=&_tmpbuf_aligned[\n\t\t\t\tPAD((compptr->width_in_blocks*cinfo->max_h_samp_factor*DCTSIZE)\n\t\t\t\t\t/compptr->h_samp_factor, 16) * row];\n\t\t}\n\t\t_tmpbuf2[i]=(JSAMPLE *)malloc(PAD(compptr->width_in_blocks*DCTSIZE, 16)\n\t\t\t* compptr->v_samp_factor + 16);\n\t\tif(!_tmpbuf2[i]) _throw(\"tjEncodeYUVPlanes(): Memory allocation failure\");\n\t\ttmpbuf2[i]=(JSAMPROW *)malloc(sizeof(JSAMPROW)*compptr->v_samp_factor);\n\t\tif(!tmpbuf2[i]) _throw(\"tjEncodeYUVPlanes(): Memory allocation failure\");\n\t\tfor(row=0; rowv_samp_factor; row++)\n\t\t{\n\t\t\tunsigned char *_tmpbuf2_aligned=\n\t\t\t\t(unsigned char *)PAD((size_t)_tmpbuf2[i], 16);\n\t\t\ttmpbuf2[i][row]=&_tmpbuf2_aligned[\n\t\t\t\tPAD(compptr->width_in_blocks*DCTSIZE, 16) * row];\n\t\t}\n\t\tpw[i]=pw0*compptr->h_samp_factor/cinfo->max_h_samp_factor;\n\t\tph[i]=ph0*compptr->v_samp_factor/cinfo->max_v_samp_factor;\n\t\toutbuf[i]=(JSAMPROW *)malloc(sizeof(JSAMPROW)*ph[i]);\n\t\tif(!outbuf[i]) _throw(\"tjEncodeYUVPlanes(): Memory allocation failure\");\n\t\tptr=dstPlanes[i];\n\t\tfor(row=0; rowjerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. 
*/\n\t\tretval=-1; goto bailout;\n\t}\n\n\tfor(row=0; rowmax_v_samp_factor)\n\t{\n\t\t(*cinfo->cconvert->color_convert)(cinfo, &row_pointer[row], tmpbuf, 0,\n\t\t\tcinfo->max_v_samp_factor);\n\t\t(cinfo->downsample->downsample)(cinfo, tmpbuf, 0, tmpbuf2, 0);\n\t\tfor(i=0, compptr=cinfo->comp_info; inum_components; i++, compptr++)\n\t\t\tjcopy_sample_rows(tmpbuf2[i], 0, outbuf[i],\n\t\t\t\trow*compptr->v_samp_factor/cinfo->max_v_samp_factor,\n\t\t\t\tcompptr->v_samp_factor, pw[i]);\n\t}\n\tcinfo->next_scanline+=height;\n\tjpeg_abort_compress(cinfo);\n\n\tbailout:\n\tif(cinfo->global_state>CSTATE_START) jpeg_abort_compress(cinfo);\n\t#ifndef JCS_EXTENSIONS\n\tif(rgbBuf) free(rgbBuf);\n\t#endif\n\tif(row_pointer) free(row_pointer);\n\tfor(i=0; ijerr.warning) retval=-1;\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 130111392574317342058811357497099005362, "size": 169, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311122 }, { "func": "mysql_read_query_result(MYSQL *mysql)\n{\n return test(mysql->methods->db_read_query_result(mysql)) ? 
1 : 0;\n}", "project": "mariadb-connector-c", "hash": 153269090603512986601868294382564464345, "size": 4, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429722 }, { "func": " enum_field_types field_type() const\n {\n return value_item->field_type();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 218373519417023218783995873277766759821, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509100 }, { "func": " enum_field_types field_type() const\n {\n return result_field->type();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 259655867173518109339641673240199224025, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509107 }, { "func": " enum_field_types field_type() const { return MYSQL_TYPE_DATE; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 15281832083766472403148486179242587281, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509142 }, { "func": " enum_field_types field_type() const { return this_item()->field_type(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 72334243155644679458540858644789371216, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509161 }, { "func": " enum_field_types field_type() const { return MYSQL_TYPE_TIME; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 199003567717387805947319107829896604250, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509182 }, { "func": " enum_field_types field_type() const { return orig_item->field_type(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 193509426350628672361385797833526337273, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509187 }, { "func": " enum_field_types field_type() const\n { return Type_handler_hybrid_field_type::field_type(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 1844243813635699632125047313236739872, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509214 }, { "func": " enum_field_types field_type() const\n { return Type_handler_hybrid_real_field_type::field_type(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 99857564481347334835225262102454190319, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509275 }, { "func": " enum_field_types field_type() const { return MYSQL_TYPE_DATETIME; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 47162524588573982725080214335413193348, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509351 }, { "func": "static void fuse_wait_on_page_writeback(struct inode *inode, pgoff_t index)\n{\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\n\twait_event(fi->page_waitq, !fuse_page_is_writeback(inode, index));\n}", "project": "linux", "hash": 185228279352422408949953456239562987228, "size": 6, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341982 }, { "func": "void kvm_s390_set_tod_clock(struct kvm *kvm,\n\t\t\t const struct kvm_s390_vm_tod_clock *gtod)\n{\n\tstruct kvm_vcpu *vcpu;\n\tstruct kvm_s390_tod_clock_ext htod;\n\tint i;\n\n\tmutex_lock(&kvm->lock);\n\tpreempt_disable();\n\n\tget_tod_clock_ext((char *)&htod);\n\n\tkvm->arch.epoch = gtod->tod - htod.tod;\n\tkvm->arch.epdx = 0;\n\tif (test_kvm_facility(kvm, 139)) {\n\t\tkvm->arch.epdx = gtod->epoch_idx - htod.epoch_idx;\n\t\tif (kvm->arch.epoch > gtod->tod)\n\t\t\tkvm->arch.epdx -= 1;\n\t}\n\n\tkvm_s390_vcpu_block_all(kvm);\n\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\tvcpu->arch.sie_block->epoch = kvm->arch.epoch;\n\t\tvcpu->arch.sie_block->epdx = kvm->arch.epdx;\n\t}\n\n\tkvm_s390_vcpu_unblock_all(kvm);\n\tpreempt_enable();\n\tmutex_unlock(&kvm->lock);\n}", "project": "linux", "hash": 67288156690891132752750571534993189057, "size": 30, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size 
memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354584 }, { "func": "static void setterm_command(struct vc_data *vc)\n{\n\tswitch (vc->vc_par[0]) {\n\tcase 1:\t/* set color for underline mode */\n\t\tif (vc->vc_can_do_color && vc->vc_par[1] < 16) {\n\t\t\tvc->vc_ulcolor = color_table[vc->vc_par[1]];\n\t\t\tif (vc->vc_underline)\n\t\t\t\tupdate_attr(vc);\n\t\t}\n\t\tbreak;\n\tcase 2:\t/* set color for half intensity mode */\n\t\tif (vc->vc_can_do_color && vc->vc_par[1] < 16) {\n\t\t\tvc->vc_halfcolor = color_table[vc->vc_par[1]];\n\t\t\tif (vc->vc_intensity == 0)\n\t\t\t\tupdate_attr(vc);\n\t\t}\n\t\tbreak;\n\tcase 8:\t/* store colors as defaults */\n\t\tvc->vc_def_color = vc->vc_attr;\n\t\tif (vc->vc_hi_font_mask == 0x100)\n\t\t\tvc->vc_def_color >>= 1;\n\t\tdefault_attr(vc);\n\t\tupdate_attr(vc);\n\t\tbreak;\n\tcase 9:\t/* set blanking interval */\n\t\tblankinterval = min(vc->vc_par[1], 60U) * 60;\n\t\tpoke_blanked_console();\n\t\tbreak;\n\tcase 10: /* set bell frequency in Hz */\n\t\tif (vc->vc_npar >= 1)\n\t\t\tvc->vc_bell_pitch = vc->vc_par[1];\n\t\telse\n\t\t\tvc->vc_bell_pitch = DEFAULT_BELL_PITCH;\n\t\tbreak;\n\tcase 11: /* set bell duration in msec */\n\t\tif (vc->vc_npar >= 1)\n\t\t\tvc->vc_bell_duration = (vc->vc_par[1] < 2000) ?\n\t\t\t\tmsecs_to_jiffies(vc->vc_par[1]) : 0;\n\t\telse\n\t\t\tvc->vc_bell_duration = DEFAULT_BELL_DURATION;\n\t\tbreak;\n\tcase 12: /* bring specified console to the front */\n\t\tif (vc->vc_par[1] >= 1 && vc_cons_allocated(vc->vc_par[1] - 1))\n\t\t\tset_console(vc->vc_par[1] - 1);\n\t\tbreak;\n\tcase 13: /* unblank the screen */\n\t\tpoke_blanked_console();\n\t\tbreak;\n\tcase 14: /* set vesa powerdown interval */\n\t\tvesa_off_interval = min(vc->vc_par[1], 60U) * 60 * 
HZ;\n\t\tbreak;\n\tcase 15: /* activate the previous console */\n\t\tset_console(last_console);\n\t\tbreak;\n\tcase 16: /* set cursor blink duration in msec */\n\t\tif (vc->vc_npar >= 1 && vc->vc_par[1] >= 50 &&\n\t\t\t\tvc->vc_par[1] <= USHRT_MAX)\n\t\t\tvc->vc_cur_blink_ms = vc->vc_par[1];\n\t\telse\n\t\t\tvc->vc_cur_blink_ms = DEFAULT_CURSOR_BLINK_MS;\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 12114567429869230923430233438323645058, "size": 63, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437041 }, { "func": "static int __init setup_numabalancing(char *str)\n{\n\tint ret = 0;\n\tif (!str)\n\t\tgoto out;\n\n\tif (!strcmp(str, \"enable\")) {\n\t\tnumabalancing_override = 1;\n\t\tret = 1;\n\t} else if (!strcmp(str, \"disable\")) {\n\t\tnumabalancing_override = -1;\n\t\tret = 1;\n\t}\nout:\n\tif (!ret)\n\t\tpr_warn(\"Unable to parse numa_balancing=\\n\");\n\n\treturn ret;\n}", "project": "linux", "hash": 137652432909719424110989274577504844332, "size": 19, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366715 }, { "func": "void CLua::save_persist()\n{\n string persist;\n // We load persist.lua immediately before calling c_save_persist so\n // that we know that it hasn't been overwritten by a player version.\n execfile(\"dlua/persist.lua\", true, true);\n callfn(\"c_save_persist\", \">s\", &persist);\n if (Options.no_save)\n return;\n\n FILE *f;\n const string persistfile = 
_get_persist_file();\n\n // Don't create the file if there's no need to do so.\n if (persist.empty() && !file_exists(persistfile))\n return;\n\n f = fopen_u(persistfile.c_str(), \"w\");\n if (!f)\n {\n mprf(MSGCH_ERROR, \"Couldn't open %s for writing!\", persistfile.c_str());\n return;\n }\n\n fprintf(f, \"-- %s %s persistent clua file\\n\"\n \"-- WARNING: This file is entirely auto-generated.\\n\"\n \"\\n\",\n OUTS(CRAWL), // ok, localizing the game name is not likely\n OUTS(Version::Long)); // nor the version string\n fprintf(f, \"%s\", persist.c_str());\n fclose(f);\n}", "project": "crawl", "hash": 241169108637635478475875230211972202869, "size": 32, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230501 }, { "func": "void CServer::ConchainModCommandUpdate(IConsole::IResult *pResult, void *pUserData, IConsole::FCommandCallback pfnCallback, void *pCallbackUserData)\n{\n\tif(pResult->NumArguments() == 2)\n\t{\n\t\tCServer *pThis = static_cast(pUserData);\n\t\tconst IConsole::CCommandInfo *pInfo = pThis->Console()->GetCommandInfo(pResult->GetString(0), CFGFLAG_SERVER, false);\n\t\tint OldAccessLevel = 0;\n\t\tif(pInfo)\n\t\t\tOldAccessLevel = pInfo->GetAccessLevel();\n\t\tpfnCallback(pResult, pCallbackUserData);\n\t\tif(pInfo && OldAccessLevel != pInfo->GetAccessLevel())\n\t\t{\n\t\t\tfor(int i = 0; i < MAX_CLIENTS; ++i)\n\t\t\t{\n\t\t\t\tif(pThis->m_aClients[i].m_State == CServer::CClient::STATE_EMPTY || pThis->m_aClients[i].m_Authed != CServer::AUTHED_MOD ||\n\t\t\t\t\t(pThis->m_aClients[i].m_pRconCmdToSend && str_comp(pResult->GetString(0), pThis->m_aClients[i].m_pRconCmdToSend->m_pName) >= 0))\n\t\t\t\t\tcontinue;\n\n\t\t\t\tif(OldAccessLevel == IConsole::ACCESS_LEVEL_ADMIN)\n\t\t\t\t\tpThis->SendRconCmdAdd(pInfo, i);\n\t\t\t\telse\n\t\t\t\t\tpThis->SendRconCmdRem(pInfo, i);\n\t\t\t}\n\t\t}\n\t}\n\telse\n\t\tpfnCallback(pResult, pCallbackUserData);\n}", "project": 
"teeworlds", "hash": 58815591601940539238239239887504471398, "size": 28, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 381988 }, { "func": "static void encode_free_stateid(struct xdr_stream *xdr,\n\t\t\t\tconst struct nfs41_free_stateid_args *args,\n\t\t\t\tstruct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_FREE_STATEID, decode_free_stateid_maxsz, hdr);\n\tencode_nfs4_stateid(xdr, &args->stateid);\n}", "project": "linux", "hash": 79143641581351827384395235911651323923, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431514 }, { "func": "static int lrc_setup_wa_ctx(struct intel_engine_cs *engine)\n{\n\tstruct drm_i915_gem_object *obj;\n\tstruct i915_vma *vma;\n\tint err;\n\n\tobj = i915_gem_object_create_shmem(engine->i915, CTX_WA_BB_OBJ_SIZE);\n\tif (IS_ERR(obj))\n\t\treturn PTR_ERR(obj);\n\n\tvma = i915_vma_instance(obj, &engine->gt->ggtt->vm, NULL);\n\tif (IS_ERR(vma)) {\n\t\terr = PTR_ERR(vma);\n\t\tgoto err;\n\t}\n\n\terr = i915_vma_pin(vma, 0, 0, PIN_GLOBAL | PIN_HIGH);\n\tif (err)\n\t\tgoto err;\n\n\tengine->wa_ctx.vma = vma;\n\treturn 0;\n\nerr:\n\ti915_gem_object_put(obj);\n\treturn err;\n}", "project": "linux", "hash": 217954593131887061101695540388310987915, "size": 27, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context 
switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281484 }, { "func": "static int __nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)\n{\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\tstruct page *pages[NFS4ACL_MAXPAGES];\n\tstruct nfs_setaclargs arg = {\n\t\t.fh\t\t= NFS_FH(inode),\n\t\t.acl_pages\t= pages,\n\t\t.acl_len\t= buflen,\n\t};\n\tstruct nfs_setaclres res;\n\tstruct rpc_message msg = {\n\t\t.rpc_proc\t= &nfs4_procedures[NFSPROC4_CLNT_SETACL],\n\t\t.rpc_argp\t= &arg,\n\t\t.rpc_resp\t= &res,\n\t};\n\tunsigned int npages = DIV_ROUND_UP(buflen, PAGE_SIZE);\n\tint ret, i;\n\n\tif (!nfs4_server_supports_acls(server))\n\t\treturn -EOPNOTSUPP;\n\tif (npages > ARRAY_SIZE(pages))\n\t\treturn -ERANGE;\n\ti = nfs4_buf_to_pages_noslab(buf, buflen, arg.acl_pages);\n\tif (i < 0)\n\t\treturn i;\n\tnfs4_inode_make_writeable(inode);\n\tret = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);\n\n\t/*\n\t * Free each page after tx, so the only ref left is\n\t * held by the network stack\n\t */\n\tfor (; i > 0; i--)\n\t\tput_page(pages[i-1]);\n\n\t/*\n\t * Acl update can result in inode attribute update.\n\t * so mark the attribute cache invalid.\n\t */\n\tspin_lock(&inode->i_lock);\n\tNFS_I(inode)->cache_validity |= NFS_INO_INVALID_CHANGE\n\t\t| NFS_INO_INVALID_CTIME\n\t\t| 
NFS_INO_REVAL_FORCED;\n\tspin_unlock(&inode->i_lock);\n\tnfs_access_zap_cache(inode);\n\tnfs_zap_acl_cache(inode);\n\treturn ret;\n}", "project": "linux", "hash": 206897019631571922274769431132819484339, "size": 48, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431250 }, { "func": "static inline struct timespec64 ep_set_mstimeout(long ms)\n{\n\tstruct timespec64 now, ts = {\n\t\t.tv_sec = ms / MSEC_PER_SEC,\n\t\t.tv_nsec = NSEC_PER_MSEC * (ms % MSEC_PER_SEC),\n\t};\n\n\tktime_get_ts64(&now);\n\treturn timespec64_add_safe(now, ts);\n}", "project": "linux", "hash": 234374853771187813038845617681557297830, "size": 10, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336282 }, { "func": "static int ctnetlink_dump_tuples(struct sk_buff *skb,\n\t\t\t\t const struct nf_conntrack_tuple *tuple)\n{\n\tconst struct nf_conntrack_l4proto *l4proto;\n\tint ret;\n\n\trcu_read_lock();\n\tret = ctnetlink_dump_tuples_ip(skb, tuple);\n\n\tif (ret >= 0) {\n\t\tl4proto = nf_ct_l4proto_find(tuple->dst.protonum);\n\t\tret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);\n\t}\n\trcu_read_unlock();\n\treturn ret;\n}", "project": "linux", "hash": 289639088611004979666279269055015871829, "size": 16, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. 
l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394173 }, { "func": "void RGWGetLC_ObjStore_S3::execute()\n{\n config.set_ctx(s->cct);\n\n map::iterator aiter = s->bucket_attrs.find(RGW_ATTR_LC);\n if (aiter == s->bucket_attrs.end()) {\n op_ret = -ENOENT;\n return;\n }\n\n bufferlist::iterator iter(&aiter->second);\n try {\n config.decode(iter);\n } catch (const buffer::error& e) {\n ldout(s->cct, 0) << __func__ << \"decode life cycle config failed\" << dendl;\n op_ret = -EIO;\n return;\n }\n}", "project": "ceph", "hash": 42618565340766521665456844156278562017, "size": 19, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: 
reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281342 }, { "func": "void RGWGetLC_ObjStore_S3::execute()\n{\n config.set_ctx(s->cct);\n\n map::iterator aiter = s->bucket_attrs.find(RGW_ATTR_LC);\n if (aiter == s->bucket_attrs.end()) {\n op_ret = -ENOENT;\n return;\n }\n\n bufferlist::const_iterator iter{&aiter->second};\n try {\n config.decode(iter);\n } catch (const buffer::error& e) {\n ldout(s->cct, 0) << __func__ << \"decode life cycle config failed\" << dendl;\n op_ret = -EIO;\n return;\n }\n}", "project": "ceph", "hash": 291326225764742250653401736816251809499, "size": 19, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333801 }, { "func": "int ExpressionRegex::execute(RegexExecutionState* regexState) const {\n invariant(regexState);\n invariant(!regexState->nullish());\n invariant(regexState->pcrePtr);\n\n int execResult = pcre_exec(regexState->pcrePtr.get(),\n nullptr,\n regexState->input->c_str(),\n regexState->input->size(),\n regexState->startBytePos,\n 0, // No need to overwrite the options set during pcre_compile.\n &(regexState->capturesBuffer.front()),\n regexState->capturesBuffer.size());\n // The 'execResult' will be -1 if there is no match, 0 < execResult <= (numCaptures + 1)\n // depending on how many capture groups match, negative (other than -1) if there is an error\n // during execution, and zero if capturesBuffer's capacity is not sufficient to hold all the\n // results. The latter scenario should never occur.\n uassert(51156,\n str::stream() << \"Error occurred while executing the regular expression in \" << _opName\n << \". 
Result code: \" << execResult,\n execResult == -1 || (execResult > 0 && execResult <= (regexState->numCaptures + 1)));\n return execResult;\n}", "project": "mongo", "hash": 83232296561002568145793714774944045200, "size": 23, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370083 }, { "func": "LineBufferTaskIIF::execute()\n{\n try\n {\n //\n // Uncompress the data, if necessary\n //\n \n if (_lineBuffer->uncompressedData == 0)\n {\n size_t uncompressedSize = 0;\n int maxY = min (_lineBuffer->maxY, _ifd->maxY);\n \n for (int i = _lineBuffer->minY - _ifd->minY;\n i <= maxY - _ifd->minY;\n ++i)\n {\n uncompressedSize += _ifd->bytesPerLine[i];\n }\n \n if (_lineBuffer->compressor &&\n static_cast(_lineBuffer->dataSize) < uncompressedSize)\n {\n _lineBuffer->format = _lineBuffer->compressor->format();\n \n _lineBuffer->dataSize =\n _lineBuffer->compressor->uncompress (_lineBuffer->buffer,\n _lineBuffer->dataSize,\n _lineBuffer->minY,\n _lineBuffer->uncompressedData);\n }\n else\n {\n //\n // If the line is uncompressed, it's in XDR format,\n // regardless of the compressor's output format.\n //\n \n _lineBuffer->format = Compressor::XDR;\n _lineBuffer->uncompressedData = _lineBuffer->buffer;\n }\n }\n \n int yStart, yStop, dy;\n \n if (_ifd->lineOrder == INCREASING_Y)\n {\n yStart = _scanLineMin;\n yStop = _scanLineMax + 1;\n dy = 1;\n }\n else\n {\n yStart = _scanLineMax;\n yStop = _scanLineMin - 1;\n dy = -1;\n }\n \n for (int y = yStart; y != yStop; y += dy)\n {\n if (modp (y, _optimizationMode._ySampling) != 0)\n continue;\n \n //\n // Convert one scan line's worth of pixel data back\n // from the machine-independent representation, and\n // store the result in the frame buffer.\n //\n \n // Set the readPtr to read at the start of uncompressedData\n // but with an offet based on calculated array.\n // _ifd->offsetInLineBuffer contains offsets based 
on which\n // line we are currently processing.\n // Stride will be taken into consideration later.\n \n \n const char* readPtr = _lineBuffer->uncompressedData +\n _ifd->offsetInLineBuffer[y - _ifd->minY];\n \n size_t pixelsToCopySSE = 0;\n size_t pixelsToCopyNormal = 0;\n \n unsigned short* writePtrLeft = 0;\n unsigned short* writePtrRight = 0;\n \n size_t channels = _ifd->optimizationData.size();\n \n if(channels>4)\n {\n getWritePointerStereo(y, writePtrRight, writePtrLeft, pixelsToCopySSE, pixelsToCopyNormal);\n }\n else \n {\n getWritePointer(y, writePtrRight, pixelsToCopySSE, pixelsToCopyNormal);\n }\n \n if (writePtrRight == 0 && pixelsToCopySSE == 0 && pixelsToCopyNormal == 0)\n {\n continue;\n }\n \n \n //\n // support reading up to eight channels\n //\n unsigned short* readPointers[8];\n \n for (size_t i = 0; i < channels ; ++i)\n {\n readPointers[i] = (unsigned short*)readPtr + (_ifd->optimizationData[i].offset * (pixelsToCopySSE * 8 + pixelsToCopyNormal));\n }\n \n //RGB only\n if(channels==3 || channels == 6 )\n {\n optimizedWriteToRGB(readPointers[0], readPointers[1], readPointers[2], writePtrRight, pixelsToCopySSE, pixelsToCopyNormal);\n \n //stereo RGB\n if( channels == 6)\n {\n optimizedWriteToRGB(readPointers[3], readPointers[4], readPointers[5], writePtrLeft, pixelsToCopySSE, pixelsToCopyNormal);\n } \n //RGBA\n }else if(channels==4 || channels==8)\n {\n \n if(_ifd->optimizationData[3].fill)\n {\n optimizedWriteToRGBAFillA(readPointers[0], readPointers[1], readPointers[2], _ifd->optimizationData[3].fillValue.bits() , writePtrRight, pixelsToCopySSE, pixelsToCopyNormal);\n }else{\n optimizedWriteToRGBA(readPointers[0], readPointers[1], readPointers[2], readPointers[3] , writePtrRight, pixelsToCopySSE, pixelsToCopyNormal);\n }\n \n //stereo RGBA\n if( channels == 8)\n {\n if(_ifd->optimizationData[7].fill)\n {\n optimizedWriteToRGBAFillA(readPointers[4], readPointers[5], readPointers[6], _ifd->optimizationData[7].fillValue.bits() , writePtrLeft, 
pixelsToCopySSE, pixelsToCopyNormal);\n }else{\n optimizedWriteToRGBA(readPointers[4], readPointers[5], readPointers[6], readPointers[7] , writePtrLeft, pixelsToCopySSE, pixelsToCopyNormal);\n }\n }\n }\n else {\n throw(IEX_NAMESPACE::LogicExc(\"IIF mode called with incorrect channel pattern\"));\n }\n \n // If we are in NO_OPTIMIZATION mode, this class will never\n // get instantiated, so no need to check for it and duplicate\n // the code.\n }\n }\n catch (std::exception &e)\n {\n if (!_lineBuffer->hasException)\n {\n _lineBuffer->exception = e.what();\n _lineBuffer->hasException = true;\n }\n }\n catch (...)\n {\n if (!_lineBuffer->hasException)\n {\n _lineBuffer->exception = \"unrecognized exception\";\n _lineBuffer->hasException = true;\n }\n }\n}", "project": "openexr", "hash": 202295555654345552743308497153174419494, "size": 170, "commit_id": "bc88cdb6c97fbf5bc5d11ad8ca55306da931283a", "message": "sanity check ScanlineInput bytesPerLine instead of lineOffset size (#863)\n\nSigned-off-by: Peter Hillman \r\n\r\nCo-authored-by: Cary Phillips ", "target": 0, "dataset": "other", "idx": 446286 }, { "func": "LineBufferTask::execute ()\n{\n try\n {\n //\n // Uncompress the data, if necessary\n //\n \n if (_lineBuffer->uncompressedData == 0)\n {\n size_t uncompressedSize = 0;\n int maxY = min (_lineBuffer->maxY, _ifd->maxY);\n \n for (int i = _lineBuffer->minY - _ifd->minY;\n i <= maxY - _ifd->minY;\n\t\t ++i)\n\t {\n uncompressedSize += _ifd->bytesPerLine[i];\n\t }\n \n if (_lineBuffer->compressor &&\n static_cast(_lineBuffer->dataSize) < uncompressedSize)\n {\n _lineBuffer->format = _lineBuffer->compressor->format();\n\n _lineBuffer->dataSize = _lineBuffer->compressor->uncompress\n (_lineBuffer->buffer,\n _lineBuffer->dataSize,\n\t\t _lineBuffer->minY,\n _lineBuffer->uncompressedData);\n }\n else\n {\n //\n // If the line is uncompressed, it's in XDR format,\n // regardless of the compressor's output format.\n //\n \n _lineBuffer->format = Compressor::XDR;\n 
_lineBuffer->uncompressedData = _lineBuffer->buffer;\n }\n }\n \n int yStart, yStop, dy;\n\n if (_ifd->lineOrder == INCREASING_Y)\n {\n yStart = _scanLineMin;\n yStop = _scanLineMax + 1;\n dy = 1;\n }\n else\n {\n yStart = _scanLineMax;\n yStop = _scanLineMin - 1;\n dy = -1;\n }\n \n for (int y = yStart; y != yStop; y += dy)\n {\n //\n // Convert one scan line's worth of pixel data back\n // from the machine-independent representation, and\n // store the result in the frame buffer.\n //\n \n const char *readPtr = _lineBuffer->uncompressedData +\n _ifd->offsetInLineBuffer[y - _ifd->minY];\n \n //\n // Iterate over all image channels.\n //\n \n for (unsigned int i = 0; i < _ifd->slices.size(); ++i)\n {\n //\n // Test if scan line y of this channel contains any data\n\t\t// (the scan line contains data only if y % ySampling == 0).\n //\n \n const InSliceInfo &slice = _ifd->slices[i];\n \n if (modp (y, slice.ySampling) != 0)\n continue;\n \n //\n // Find the x coordinates of the leftmost and rightmost\n // sampled pixels (i.e. 
pixels within the data window\n // for which x % xSampling == 0).\n //\n \n int dMinX = divp (_ifd->minX, slice.xSampling);\n int dMaxX = divp (_ifd->maxX, slice.xSampling);\n \n //\n\t\t// Fill the frame buffer with pixel data.\n //\n \n if (slice.skip)\n {\n //\n // The file contains data for this channel, but\n // the frame buffer contains no slice for this channel.\n //\n \n skipChannel (readPtr, slice.typeInFile, dMaxX - dMinX + 1);\n }\n else\n {\n //\n // The frame buffer contains a slice for this channel.\n //\n \n intptr_t base = reinterpret_cast(slice.base);\n\n intptr_t linePtr = base +\n intptr_t( divp (y, slice.ySampling) ) *\n intptr_t( slice.yStride );\n \n char *writePtr = reinterpret_cast (linePtr + intptr_t( dMinX ) * intptr_t( slice.xStride ));\n char *endPtr = reinterpret_cast (linePtr + intptr_t( dMaxX ) * intptr_t( slice.xStride ));\n \n copyIntoFrameBuffer (readPtr, writePtr, endPtr,\n slice.xStride, slice.fill,\n slice.fillValue, _lineBuffer->format,\n slice.typeInFrameBuffer,\n slice.typeInFile);\n }\n }\n }\n }\n catch (std::exception &e)\n {\n if (!_lineBuffer->hasException)\n {\n _lineBuffer->exception = e.what();\n _lineBuffer->hasException = true;\n }\n }\n catch (...)\n {\n if (!_lineBuffer->hasException)\n {\n _lineBuffer->exception = \"unrecognized exception\";\n _lineBuffer->hasException = true;\n }\n }\n}", "project": "openexr", "hash": 20220137591361416517186311683542758850, "size": 148, "commit_id": "bc88cdb6c97fbf5bc5d11ad8ca55306da931283a", "message": "sanity check ScanlineInput bytesPerLine instead of lineOffset size (#863)\n\nSigned-off-by: Peter Hillman \r\n\r\nCo-authored-by: Cary Phillips ", "target": 0, "dataset": "other", "idx": 446311 }, { "func": "void RGWStatAccount_ObjStore_SWIFT::execute()\n{\n RGWStatAccount_ObjStore::execute();\n op_ret = rgw_get_user_attrs_by_uid(store, s->user->user_id, attrs);\n}", "project": "ceph", "hash": 30313397272980929092372764211851002535, "size": 5, "commit_id": 
"f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448763 }, { "func": "void RGWInfo_ObjStore_SWIFT::execute()\n{\n bool is_admin_info_enabled = false;\n\n const string& swiftinfo_sig = s->info.args.get(\"swiftinfo_sig\");\n const string& swiftinfo_expires = s->info.args.get(\"swiftinfo_expires\");\n\n if (!swiftinfo_sig.empty() &&\n !swiftinfo_expires.empty() &&\n !is_expired(swiftinfo_expires, s->cct)) {\n is_admin_info_enabled = true;\n }\n\n s->formatter->open_object_section(\"info\");\n\n for (const auto& pair : swift_info) {\n if(!is_admin_info_enabled && pair.second.is_admin_info)\n continue;\n\n if (!pair.second.list_data) {\n s->formatter->open_object_section((pair.first).c_str());\n s->formatter->close_section();\n }\n else {\n pair.second.list_data(*(s->formatter), s->cct->_conf, *store);\n }\n }\n\n s->formatter->close_section();\n}", "project": "ceph", "hash": 255618319823841934247672967347878640902, "size": 30, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448831 }, { "func": "static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\tvoid *sent;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);\n\tif 
(!sent)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tif (status == 0)\n\t\tmemcpy(hdev->dev_class, sent, 3);\n\n\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tmgmt_set_class_of_dev_complete(hdev, sent, status);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 53873383462996774007574929196171745876, "size": 21, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431947 }, { "func": "static void nfs4_xdr_enc_open_noattr(struct rpc_rqst *req,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs_openargs *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_open(xdr, args, &hdr);\n\tif (args->access)\n\t\tencode_access(xdr, args->access, &hdr);\n\tencode_getfattr_open(xdr, args->bitmask, args->open_bitmap, &hdr);\n\tif (args->lg_args) {\n\t\tencode_layoutget(xdr, args->lg_args, &hdr);\n\t\trpc_prepare_reply_pages(req, args->lg_args->layout.pages, 0,\n\t\t\t\t\targs->lg_args->layout.pglen,\n\t\t\t\t\thdr.replen);\n\t}\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 306494311094075198389002447323609380576, "size": 24, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory 
overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431342 }, { "func": "static long fuse_file_compat_ioctl(struct file *file, unsigned int cmd,\n\t\t\t\t unsigned long arg)\n{\n\treturn fuse_ioctl_common(file, cmd, arg, FUSE_IOCTL_COMPAT);\n}", "project": "linux", "hash": 248231381643138426668334014223836442038, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341918 }, { "func": "static void svm_vcpu_run(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tsvm->vmcb->save.rax = vcpu->arch.regs[VCPU_REGS_RAX];\n\tsvm->vmcb->save.rsp = vcpu->arch.regs[VCPU_REGS_RSP];\n\tsvm->vmcb->save.rip = vcpu->arch.regs[VCPU_REGS_RIP];\n\n\t/*\n\t * A vmexit emulation is required before the vcpu can be executed\n\t * again.\n\t */\n\tif (unlikely(svm->nested.exit_required))\n\t\treturn;\n\n\t/*\n\t * Disable singlestep if we're injecting an interrupt/exception.\n\t * We don't want our modified rflags to be pushed on the stack where\n\t * we might not be able to easily reset them if we disabled NMI\n\t * singlestep later.\n\t */\n\tif (svm->nmi_singlestep && svm->vmcb->control.event_inj) {\n\t\t/*\n\t\t * Event injection happens before external interrupts cause a\n\t\t * vmexit and interrupts are disabled here, so smp_send_reschedule\n\t\t * is enough to force an immediate vmexit.\n\t\t */\n\t\tdisable_nmi_singlestep(svm);\n\t\tsmp_send_reschedule(vcpu->cpu);\n\t}\n\n\tpre_svm_run(svm);\n\n\tsync_lapic_to_cr8(vcpu);\n\n\tsvm->vmcb->save.cr2 = vcpu->arch.cr2;\n\n\tclgi();\n\tkvm_load_guest_xsave_state(vcpu);\n\n\tif (lapic_in_kernel(vcpu) &&\n\t\tvcpu->arch.apic->lapic_timer.timer_advance_ns)\n\t\tkvm_wait_lapic_expire(vcpu);\n\n\t/*\n\t * If this vCPU has touched SPEC_CTRL, restore the guest's value if\n\t * it's non-zero. 
Since vmentry is serialising on affected CPUs, there\n\t * is no need to worry about the conditional branch over the wrmsr\n\t * being speculatively taken.\n\t */\n\tx86_spec_ctrl_set_guest(svm->spec_ctrl, svm->virt_spec_ctrl);\n\n\tlocal_irq_enable();\n\n\tasm volatile (\n\t\t\"push %%\" _ASM_BP \"; \\n\\t\"\n\t\t\"mov %c[rbx](%[svm]), %%\" _ASM_BX \" \\n\\t\"\n\t\t\"mov %c[rcx](%[svm]), %%\" _ASM_CX \" \\n\\t\"\n\t\t\"mov %c[rdx](%[svm]), %%\" _ASM_DX \" \\n\\t\"\n\t\t\"mov %c[rsi](%[svm]), %%\" _ASM_SI \" \\n\\t\"\n\t\t\"mov %c[rdi](%[svm]), %%\" _ASM_DI \" \\n\\t\"\n\t\t\"mov %c[rbp](%[svm]), %%\" _ASM_BP \" \\n\\t\"\n#ifdef CONFIG_X86_64\n\t\t\"mov %c[r8](%[svm]), %%r8 \\n\\t\"\n\t\t\"mov %c[r9](%[svm]), %%r9 \\n\\t\"\n\t\t\"mov %c[r10](%[svm]), %%r10 \\n\\t\"\n\t\t\"mov %c[r11](%[svm]), %%r11 \\n\\t\"\n\t\t\"mov %c[r12](%[svm]), %%r12 \\n\\t\"\n\t\t\"mov %c[r13](%[svm]), %%r13 \\n\\t\"\n\t\t\"mov %c[r14](%[svm]), %%r14 \\n\\t\"\n\t\t\"mov %c[r15](%[svm]), %%r15 \\n\\t\"\n#endif\n\n\t\t/* Enter guest mode */\n\t\t\"push %%\" _ASM_AX \" \\n\\t\"\n\t\t\"mov %c[vmcb](%[svm]), %%\" _ASM_AX \" \\n\\t\"\n\t\t__ex(\"vmload %%\" _ASM_AX) \"\\n\\t\"\n\t\t__ex(\"vmrun %%\" _ASM_AX) \"\\n\\t\"\n\t\t__ex(\"vmsave %%\" _ASM_AX) \"\\n\\t\"\n\t\t\"pop %%\" _ASM_AX \" \\n\\t\"\n\n\t\t/* Save guest registers, load host registers */\n\t\t\"mov %%\" _ASM_BX \", %c[rbx](%[svm]) \\n\\t\"\n\t\t\"mov %%\" _ASM_CX \", %c[rcx](%[svm]) \\n\\t\"\n\t\t\"mov %%\" _ASM_DX \", %c[rdx](%[svm]) \\n\\t\"\n\t\t\"mov %%\" _ASM_SI \", %c[rsi](%[svm]) \\n\\t\"\n\t\t\"mov %%\" _ASM_DI \", %c[rdi](%[svm]) \\n\\t\"\n\t\t\"mov %%\" _ASM_BP \", %c[rbp](%[svm]) \\n\\t\"\n#ifdef CONFIG_X86_64\n\t\t\"mov %%r8, %c[r8](%[svm]) \\n\\t\"\n\t\t\"mov %%r9, %c[r9](%[svm]) \\n\\t\"\n\t\t\"mov %%r10, %c[r10](%[svm]) \\n\\t\"\n\t\t\"mov %%r11, %c[r11](%[svm]) \\n\\t\"\n\t\t\"mov %%r12, %c[r12](%[svm]) \\n\\t\"\n\t\t\"mov %%r13, %c[r13](%[svm]) \\n\\t\"\n\t\t\"mov %%r14, %c[r14](%[svm]) \\n\\t\"\n\t\t\"mov %%r15, 
%c[r15](%[svm]) \\n\\t\"\n\t\t/*\n\t\t* Clear host registers marked as clobbered to prevent\n\t\t* speculative use.\n\t\t*/\n\t\t\"xor %%r8d, %%r8d \\n\\t\"\n\t\t\"xor %%r9d, %%r9d \\n\\t\"\n\t\t\"xor %%r10d, %%r10d \\n\\t\"\n\t\t\"xor %%r11d, %%r11d \\n\\t\"\n\t\t\"xor %%r12d, %%r12d \\n\\t\"\n\t\t\"xor %%r13d, %%r13d \\n\\t\"\n\t\t\"xor %%r14d, %%r14d \\n\\t\"\n\t\t\"xor %%r15d, %%r15d \\n\\t\"\n#endif\n\t\t\"xor %%ebx, %%ebx \\n\\t\"\n\t\t\"xor %%ecx, %%ecx \\n\\t\"\n\t\t\"xor %%edx, %%edx \\n\\t\"\n\t\t\"xor %%esi, %%esi \\n\\t\"\n\t\t\"xor %%edi, %%edi \\n\\t\"\n\t\t\"pop %%\" _ASM_BP\n\t\t:\n\t\t: [svm]\"a\"(svm),\n\t\t [vmcb]\"i\"(offsetof(struct vcpu_svm, vmcb_pa)),\n\t\t [rbx]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_RBX])),\n\t\t [rcx]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_RCX])),\n\t\t [rdx]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_RDX])),\n\t\t [rsi]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_RSI])),\n\t\t [rdi]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_RDI])),\n\t\t [rbp]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_RBP]))\n#ifdef CONFIG_X86_64\n\t\t , [r8]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R8])),\n\t\t [r9]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R9])),\n\t\t [r10]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R10])),\n\t\t [r11]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R11])),\n\t\t [r12]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R12])),\n\t\t [r13]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R13])),\n\t\t [r14]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R14])),\n\t\t [r15]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R15]))\n#endif\n\t\t: \"cc\", \"memory\"\n#ifdef CONFIG_X86_64\n\t\t, \"rbx\", \"rcx\", \"rdx\", \"rsi\", \"rdi\"\n\t\t, \"r8\", \"r9\", \"r10\", \"r11\" , \"r12\", \"r13\", \"r14\", \"r15\"\n#else\n\t\t, \"ebx\", \"ecx\", \"edx\", \"esi\", 
\"edi\"\n#endif\n\t\t);\n\n\t/* Eliminate branch target predictions from guest mode */\n\tvmexit_fill_RSB();\n\n#ifdef CONFIG_X86_64\n\twrmsrl(MSR_GS_BASE, svm->host.gs_base);\n#else\n\tloadsegment(fs, svm->host.fs);\n#ifndef CONFIG_X86_32_LAZY_GS\n\tloadsegment(gs, svm->host.gs);\n#endif\n#endif\n\n\t/*\n\t * We do not use IBRS in the kernel. If this vCPU has used the\n\t * SPEC_CTRL MSR it may have left it on; save the value and\n\t * turn it off. This is much more efficient than blindly adding\n\t * it to the atomic save/restore list. Especially as the former\n\t * (Saving guest MSRs on vmexit) doesn't even exist in KVM.\n\t *\n\t * For non-nested case:\n\t * If the L01 MSR bitmap does not intercept the MSR, then we need to\n\t * save it.\n\t *\n\t * For nested case:\n\t * If the L02 MSR bitmap does not intercept the MSR, then we need to\n\t * save it.\n\t */\n\tif (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)))\n\t\tsvm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);\n\n\treload_tss(vcpu);\n\n\tlocal_irq_disable();\n\n\tx86_spec_ctrl_restore_host(svm->spec_ctrl, svm->virt_spec_ctrl);\n\n\tvcpu->arch.cr2 = svm->vmcb->save.cr2;\n\tvcpu->arch.regs[VCPU_REGS_RAX] = svm->vmcb->save.rax;\n\tvcpu->arch.regs[VCPU_REGS_RSP] = svm->vmcb->save.rsp;\n\tvcpu->arch.regs[VCPU_REGS_RIP] = svm->vmcb->save.rip;\n\n\tif (unlikely(svm->vmcb->control.exit_code == SVM_EXIT_NMI))\n\t\tkvm_before_interrupt(&svm->vcpu);\n\n\tkvm_load_host_xsave_state(vcpu);\n\tstgi();\n\n\t/* Any pending NMI will happen here */\n\n\tif (unlikely(svm->vmcb->control.exit_code == SVM_EXIT_NMI))\n\t\tkvm_after_interrupt(&svm->vcpu);\n\n\tsync_cr8_to_lapic(vcpu);\n\n\tsvm->next_rip = 0;\n\n\tsvm->vmcb->control.tlb_ctl = TLB_CONTROL_DO_NOTHING;\n\n\t/* if exit due to PF check for async PF */\n\tif (svm->vmcb->control.exit_code == SVM_EXIT_EXCP_BASE + PF_VECTOR)\n\t\tsvm->vcpu.arch.apf.host_apf_reason = kvm_read_and_reset_pf_reason();\n\n\tif (npt_enabled) {\n\t\tvcpu->arch.regs_avail &= ~(1 << 
VCPU_EXREG_PDPTR);\n\t\tvcpu->arch.regs_dirty &= ~(1 << VCPU_EXREG_PDPTR);\n\t}\n\n\t/*\n\t * We need to handle MC intercepts here before the vcpu has a chance to\n\t * change the physical cpu\n\t */\n\tif (unlikely(svm->vmcb->control.exit_code ==\n\t\t SVM_EXIT_EXCP_BASE + MC_VECTOR))\n\t\tsvm_handle_mce(svm);\n\n\tmark_all_clean(svm->vmcb);\n}", "project": "linux", "hash": 212682599904852590472424058891867253591, "size": 221, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432596 }, { "func": "static void svm_vcpu_run(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tsvm->vmcb->save.rax = vcpu->arch.regs[VCPU_REGS_RAX];\n\tsvm->vmcb->save.rsp = vcpu->arch.regs[VCPU_REGS_RSP];\n\tsvm->vmcb->save.rip = vcpu->arch.regs[VCPU_REGS_RIP];\n\n\t/*\n\t * A vmexit emulation is required before the vcpu can be executed\n\t * again.\n\t */\n\tif (unlikely(svm->nested.exit_required))\n\t\treturn;\n\n\tpre_svm_run(svm);\n\n\tsync_lapic_to_cr8(vcpu);\n\n\tsvm->vmcb->save.cr2 = vcpu->arch.cr2;\n\n\tclgi();\n\n\tlocal_irq_enable();\n\n\tasm volatile (\n\t\t\"push %%\" _ASM_BP \"; \\n\\t\"\n\t\t\"mov %c[rbx](%[svm]), %%\" _ASM_BX \" \\n\\t\"\n\t\t\"mov %c[rcx](%[svm]), %%\" _ASM_CX \" \\n\\t\"\n\t\t\"mov %c[rdx](%[svm]), %%\" _ASM_DX \" \\n\\t\"\n\t\t\"mov %c[rsi](%[svm]), %%\" _ASM_SI \" \\n\\t\"\n\t\t\"mov %c[rdi](%[svm]), %%\" _ASM_DI \" \\n\\t\"\n\t\t\"mov %c[rbp](%[svm]), %%\" _ASM_BP \" \\n\\t\"\n#ifdef CONFIG_X86_64\n\t\t\"mov %c[r8](%[svm]), %%r8 \\n\\t\"\n\t\t\"mov %c[r9](%[svm]), %%r9 \\n\\t\"\n\t\t\"mov %c[r10](%[svm]), %%r10 
\\n\\t\"\n\t\t\"mov %c[r11](%[svm]), %%r11 \\n\\t\"\n\t\t\"mov %c[r12](%[svm]), %%r12 \\n\\t\"\n\t\t\"mov %c[r13](%[svm]), %%r13 \\n\\t\"\n\t\t\"mov %c[r14](%[svm]), %%r14 \\n\\t\"\n\t\t\"mov %c[r15](%[svm]), %%r15 \\n\\t\"\n#endif\n\n\t\t/* Enter guest mode */\n\t\t\"push %%\" _ASM_AX \" \\n\\t\"\n\t\t\"mov %c[vmcb](%[svm]), %%\" _ASM_AX \" \\n\\t\"\n\t\t__ex(SVM_VMLOAD) \"\\n\\t\"\n\t\t__ex(SVM_VMRUN) \"\\n\\t\"\n\t\t__ex(SVM_VMSAVE) \"\\n\\t\"\n\t\t\"pop %%\" _ASM_AX \" \\n\\t\"\n\n\t\t/* Save guest registers, load host registers */\n\t\t\"mov %%\" _ASM_BX \", %c[rbx](%[svm]) \\n\\t\"\n\t\t\"mov %%\" _ASM_CX \", %c[rcx](%[svm]) \\n\\t\"\n\t\t\"mov %%\" _ASM_DX \", %c[rdx](%[svm]) \\n\\t\"\n\t\t\"mov %%\" _ASM_SI \", %c[rsi](%[svm]) \\n\\t\"\n\t\t\"mov %%\" _ASM_DI \", %c[rdi](%[svm]) \\n\\t\"\n\t\t\"mov %%\" _ASM_BP \", %c[rbp](%[svm]) \\n\\t\"\n#ifdef CONFIG_X86_64\n\t\t\"mov %%r8, %c[r8](%[svm]) \\n\\t\"\n\t\t\"mov %%r9, %c[r9](%[svm]) \\n\\t\"\n\t\t\"mov %%r10, %c[r10](%[svm]) \\n\\t\"\n\t\t\"mov %%r11, %c[r11](%[svm]) \\n\\t\"\n\t\t\"mov %%r12, %c[r12](%[svm]) \\n\\t\"\n\t\t\"mov %%r13, %c[r13](%[svm]) \\n\\t\"\n\t\t\"mov %%r14, %c[r14](%[svm]) \\n\\t\"\n\t\t\"mov %%r15, %c[r15](%[svm]) \\n\\t\"\n#endif\n\t\t\"pop %%\" _ASM_BP\n\t\t:\n\t\t: [svm]\"a\"(svm),\n\t\t [vmcb]\"i\"(offsetof(struct vcpu_svm, vmcb_pa)),\n\t\t [rbx]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_RBX])),\n\t\t [rcx]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_RCX])),\n\t\t [rdx]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_RDX])),\n\t\t [rsi]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_RSI])),\n\t\t [rdi]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_RDI])),\n\t\t [rbp]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_RBP]))\n#ifdef CONFIG_X86_64\n\t\t , [r8]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R8])),\n\t\t [r9]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R9])),\n\t\t [r10]\"i\"(offsetof(struct 
vcpu_svm, vcpu.arch.regs[VCPU_REGS_R10])),\n\t\t [r11]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R11])),\n\t\t [r12]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R12])),\n\t\t [r13]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R13])),\n\t\t [r14]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R14])),\n\t\t [r15]\"i\"(offsetof(struct vcpu_svm, vcpu.arch.regs[VCPU_REGS_R15]))\n#endif\n\t\t: \"cc\", \"memory\"\n#ifdef CONFIG_X86_64\n\t\t, \"rbx\", \"rcx\", \"rdx\", \"rsi\", \"rdi\"\n\t\t, \"r8\", \"r9\", \"r10\", \"r11\" , \"r12\", \"r13\", \"r14\", \"r15\"\n#else\n\t\t, \"ebx\", \"ecx\", \"edx\", \"esi\", \"edi\"\n#endif\n\t\t);\n\n#ifdef CONFIG_X86_64\n\twrmsrl(MSR_GS_BASE, svm->host.gs_base);\n#else\n\tloadsegment(fs, svm->host.fs);\n#ifndef CONFIG_X86_32_LAZY_GS\n\tloadsegment(gs, svm->host.gs);\n#endif\n#endif\n\n\treload_tss(vcpu);\n\n\tlocal_irq_disable();\n\n\tvcpu->arch.cr2 = svm->vmcb->save.cr2;\n\tvcpu->arch.regs[VCPU_REGS_RAX] = svm->vmcb->save.rax;\n\tvcpu->arch.regs[VCPU_REGS_RSP] = svm->vmcb->save.rsp;\n\tvcpu->arch.regs[VCPU_REGS_RIP] = svm->vmcb->save.rip;\n\n\ttrace_kvm_exit(svm->vmcb->control.exit_code, vcpu, KVM_ISA_SVM);\n\n\tif (unlikely(svm->vmcb->control.exit_code == SVM_EXIT_NMI))\n\t\tkvm_before_handle_nmi(&svm->vcpu);\n\n\tstgi();\n\n\t/* Any pending NMI will happen here */\n\n\tif (unlikely(svm->vmcb->control.exit_code == SVM_EXIT_NMI))\n\t\tkvm_after_handle_nmi(&svm->vcpu);\n\n\tsync_cr8_to_lapic(vcpu);\n\n\tsvm->next_rip = 0;\n\n\tsvm->vmcb->control.tlb_ctl = TLB_CONTROL_DO_NOTHING;\n\n\t/* if exit due to PF check for async PF */\n\tif (svm->vmcb->control.exit_code == SVM_EXIT_EXCP_BASE + PF_VECTOR)\n\t\tsvm->apf_reason = kvm_read_and_reset_pf_reason();\n\n\tif (npt_enabled) {\n\t\tvcpu->arch.regs_avail &= ~(1 << VCPU_EXREG_PDPTR);\n\t\tvcpu->arch.regs_dirty &= ~(1 << VCPU_EXREG_PDPTR);\n\t}\n\n\t/*\n\t * We need to handle MC intercepts here before the vcpu has a chance to\n\t * change the 
physical cpu\n\t */\n\tif (unlikely(svm->vmcb->control.exit_code ==\n\t\t SVM_EXIT_EXCP_BASE + MC_VECTOR))\n\t\tsvm_handle_mce(svm);\n\n\tmark_all_clean(svm->vmcb);\n}", "project": "kvm", "hash": 187662923434074754868518936086059733072, "size": 153, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437588 }, { "func": "static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,\n\t\t\t const struct xfrm_migrate *m, int num_bundles,\n\t\t\t const struct xfrm_kmaddress *k,\n\t\t\t const struct xfrm_encap_tmpl *encap)\n{\n\treturn -ENOPROTOOPT;\n}", "project": "linux", "hash": 3012220420515839625795292235950539187, "size": 7, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268045 }, { "func": "static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,\n\t\t\t const struct xfrm_migrate *m, int num_bundles,\n\t\t\t const struct xfrm_kmaddress *k,\n\t\t\t const struct xfrm_encap_tmpl *encap)\n{\n\tint i;\n\tint sasize_sel;\n\tint size = 0;\n\tint size_pol = 0;\n\tstruct sk_buff *skb;\n\tstruct sadb_msg *hdr;\n\tstruct sadb_x_policy *pol;\n\tconst struct xfrm_migrate *mp;\n\n\tif (type != XFRM_POLICY_TYPE_MAIN)\n\t\treturn 0;\n\n\tif (num_bundles <= 0 || num_bundles > XFRM_MAX_DEPTH)\n\t\treturn -EINVAL;\n\n\tif (k != NULL) {\n\t\t/* addresses for KM */\n\t\tsize += PFKEY_ALIGN8(sizeof(struct sadb_x_kmaddress) +\n\t\t\t\t pfkey_sockaddr_pair_size(k->family));\n\t}\n\n\t/* selector */\n\tsasize_sel = pfkey_sockaddr_size(sel->family);\n\tif (!sasize_sel)\n\t\treturn -EINVAL;\n\tsize += (sizeof(struct sadb_address) + sasize_sel) * 2;\n\n\t/* policy info */\n\tsize_pol += sizeof(struct sadb_x_policy);\n\n\t/* ipsecrequests */\n\tfor (i = 0, mp = m; i < num_bundles; i++, mp++) {\n\t\t/* old locator pair */\n\t\tsize_pol += sizeof(struct sadb_x_ipsecrequest) +\n\t\t\t pfkey_sockaddr_pair_size(mp->old_family);\n\t\t/* new locator pair */\n\t\tsize_pol += sizeof(struct sadb_x_ipsecrequest) +\n\t\t\t pfkey_sockaddr_pair_size(mp->new_family);\n\t}\n\n\tsize += sizeof(struct sadb_msg) + size_pol;\n\n\t/* alloc buffer */\n\tskb = alloc_skb(size, GFP_ATOMIC);\n\tif (skb == NULL)\n\t\treturn -ENOMEM;\n\n\thdr = skb_put(skb, sizeof(struct sadb_msg));\n\thdr->sadb_msg_version = PF_KEY_V2;\n\thdr->sadb_msg_type = SADB_X_MIGRATE;\n\thdr->sadb_msg_satype = pfkey_proto2satype(m->proto);\n\thdr->sadb_msg_len = size / 8;\n\thdr->sadb_msg_errno = 0;\n\thdr->sadb_msg_reserved = 
0;\n\thdr->sadb_msg_seq = 0;\n\thdr->sadb_msg_pid = 0;\n\n\t/* Addresses to be used by KM for negotiation, if ext is available */\n\tif (k != NULL && (set_sadb_kmaddress(skb, k) < 0))\n\t\tgoto err;\n\n\t/* selector src */\n\tset_sadb_address(skb, sasize_sel, SADB_EXT_ADDRESS_SRC, sel);\n\n\t/* selector dst */\n\tset_sadb_address(skb, sasize_sel, SADB_EXT_ADDRESS_DST, sel);\n\n\t/* policy information */\n\tpol = skb_put(skb, sizeof(struct sadb_x_policy));\n\tpol->sadb_x_policy_len = size_pol / 8;\n\tpol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;\n\tpol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;\n\tpol->sadb_x_policy_dir = dir + 1;\n\tpol->sadb_x_policy_reserved = 0;\n\tpol->sadb_x_policy_id = 0;\n\tpol->sadb_x_policy_priority = 0;\n\n\tfor (i = 0, mp = m; i < num_bundles; i++, mp++) {\n\t\t/* old ipsecrequest */\n\t\tint mode = pfkey_mode_from_xfrm(mp->mode);\n\t\tif (mode < 0)\n\t\t\tgoto err;\n\t\tif (set_ipsecrequest(skb, mp->proto, mode,\n\t\t\t\t (mp->reqid ? IPSEC_LEVEL_UNIQUE : IPSEC_LEVEL_REQUIRE),\n\t\t\t\t mp->reqid, mp->old_family,\n\t\t\t\t &mp->old_saddr, &mp->old_daddr) < 0)\n\t\t\tgoto err;\n\n\t\t/* new ipsecrequest */\n\t\tif (set_ipsecrequest(skb, mp->proto, mode,\n\t\t\t\t (mp->reqid ? 
IPSEC_LEVEL_UNIQUE : IPSEC_LEVEL_REQUIRE),\n\t\t\t\t mp->reqid, mp->new_family,\n\t\t\t\t &mp->new_saddr, &mp->new_daddr) < 0)\n\t\t\tgoto err;\n\t}\n\n\t/* broadcast migrate message to sockets */\n\tpfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, &init_net);\n\n\treturn 0;\n\nerr:\n\tkfree_skb(skb);\n\treturn -EINVAL;\n}", "project": "linux", "hash": 39023366845223618327697721790241485693, "size": 110, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268067 }, { "func": "static int* create_offset_array(const pcre_cache_entry* pce,\n int& size_offsets) {\n /* Allocate memory for the offsets array */\n size_offsets = pce->num_subpats * 3;\n return (int *)req::malloc_noptrs(size_offsets * sizeof(int));\n}", "project": "hhvm", "hash": 263246741525162302540746922291008785835, "size": 6, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219329 }, { "project": "Chrome", "commit_id": "a5333583f14284a411abac2fef7caed889a8bba3", "target": 0, "func": "void RunOnIOThread(const base::Closure& closure) {\n base::RunLoop run_loop;\n BrowserThread::PostTask(\n BrowserThread::IO, FROM_HERE,\n base::Bind(&RunAndQuit, closure, run_loop.QuitClosure(),\n base::MessageLoopProxy::current()));\n run_loop.Run();\n}\n", "cwe": "", "big_vul_idx": 121716, "idx": 109009, "hash": 75977218162920659801991377919857449616 }, { "func": "static void svm_vcpu_unblocking(struct kvm_vcpu *vcpu)\n{\n\tif (kvm_check_request(KVM_REQ_APICV_UPDATE, vcpu))\n\t\tkvm_vcpu_update_apicv(vcpu);\n\tavic_set_running(vcpu, true);\n}", "project": "linux", "hash": 124048636278078246217661820078727713896, "size": 6, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432429 }, { "func": "void AsioFrontend::accept(Listener& l, boost::system::error_code ec)\n{\n if (!l.acceptor.is_open()) {\n return;\n } else if (ec == boost::asio::error::operation_aborted) {\n return;\n } else if (ec) {\n ldout(ctx(), 1) << \"accept failed: \" << ec.message() << dendl;\n return;\n }\n auto socket = std::move(l.socket);\n tcp::no_delay options(l.use_nodelay);\n socket.set_option(options,ec);\n l.acceptor.async_accept(l.socket,\n [this, &l] (boost::system::error_code ec) {\n accept(l, ec);\n });\n\n // spawn a coroutine to handle the connection\n#ifdef WITH_RADOSGW_BEAST_OPENSSL\n if (l.use_ssl) {\n spawn::spawn(context,\n [this, s=std::move(socket)] (spawn::yield_context yield) mutable {\n Connection conn{s};\n auto c = connections.add(conn);\n // wrap the socket in an ssl stream\n ssl::stream stream{s, *ssl_context};\n auto buffer = std::make_unique();\n // do ssl handshake\n boost::system::error_code ec;\n auto bytes = stream.async_handshake(ssl::stream_base::server,\n buffer->data(), yield[ec]);\n if (ec) {\n ldout(ctx(), 1) << \"ssl handshake failed: \" << ec.message() << dendl;\n return;\n }\n buffer->consume(bytes);\n handle_connection(context, env, stream, *buffer, true, pause_mutex,\n scheduler.get(), ec, yield);\n if (!ec) {\n // ssl shutdown (ignoring errors)\n stream.async_shutdown(yield[ec]);\n }\n s.shutdown(tcp::socket::shutdown_both, ec);\n }, make_stack_allocator());\n } else {\n#else\n {\n#endif // WITH_RADOSGW_BEAST_OPENSSL\n spawn::spawn(context,\n [this, s=std::move(socket)] (spawn::yield_context yield) mutable {\n Connection conn{s};\n auto c = connections.add(conn);\n auto buffer = std::make_unique();\n boost::system::error_code ec;\n handle_connection(context, env, s, *buffer, false, 
pause_mutex,\n scheduler.get(), ec, yield);\n s.shutdown(tcp::socket::shutdown_both, ec);\n }, make_stack_allocator());\n }\n}\n\nint AsioFrontend::run()\n{\n auto cct = ctx();\n const int thread_count = cct->_conf->rgw_thread_pool_size;\n threads.reserve(thread_count);\n\n ldout(cct, 4) << \"frontend spawning \" << thread_count << \" threads\" << dendl;\n\n // the worker threads call io_context::run(), which will return when there's\n // no work left. hold a work guard to keep these threads going until join()\n work.emplace(boost::asio::make_work_guard(context));\n\n for (int i = 0; i < thread_count; i++) {\n threads.emplace_back([=] {\n // request warnings on synchronous librados calls in this thread\n is_asio_thread = true;\n boost::system::error_code ec;\n context.run(ec);\n });\n }\n return 0;\n}\n\nvoid AsioFrontend::stop()\n{\n ldout(ctx(), 4) << \"frontend initiating shutdown...\" << dendl;\n\n going_down = true;\n\n boost::system::error_code ec;\n // close all listeners\n for (auto& listener : listeners) {\n listener.acceptor.close(ec);\n }\n // close all connections\n connections.close(ec);\n pause_mutex.cancel();\n}\n\nvoid AsioFrontend::join()\n{\n if (!going_down) {\n stop();\n }\n work.reset();\n\n ldout(ctx(), 4) << \"frontend joining threads...\" << dendl;\n for (auto& thread : threads) {\n thread.join();\n }\n ldout(ctx(), 4) << \"frontend done\" << dendl;\n}\n\nvoid AsioFrontend::pause()\n{\n ldout(ctx(), 4) << \"frontend pausing connections...\" << dendl;\n\n // cancel pending calls to accept(), but don't close the sockets\n boost::system::error_code ec;\n for (auto& l : listeners) {\n l.acceptor.cancel(ec);\n }\n\n // pause and wait for outstanding requests to complete\n pause_mutex.lock(ec);\n\n if (ec) {\n ldout(ctx(), 1) << \"frontend failed to pause: \" << ec.message() << dendl;\n } else {\n ldout(ctx(), 4) << \"frontend paused\" << dendl;\n }\n}\n\nvoid AsioFrontend::unpause(rgw::sal::RGWRadosStore* const store,\n rgw_auth_registry_ptr_t 
auth_registry)\n{\n env.store = store;\n env.auth_registry = std::move(auth_registry);\n\n // unpause to unblock connections\n pause_mutex.unlock();\n\n // start accepting connections again\n for (auto& l : listeners) {\n l.acceptor.async_accept(l.socket,\n [this, &l] (boost::system::error_code ec) {\n accept(l, ec);\n });\n }\n\n ldout(ctx(), 4) << \"frontend unpaused\" << dendl;\n}\n\n} // anonymous namespace", "project": "ceph", "hash": 178207056862057802332148209046101801660, "size": 156, "commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves CVE-2020-1700 (moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384554 }, { "func": "R_API bool r_core_autocomplete_remove(RCoreAutocomplete *parent, const char* cmd) {\n\tif (!parent || !cmd) {\n\t\treturn false;\n\t}\n\tint i, j;\n\tfor (i = 0; i < parent->n_subcmds; i++) {\n\t\tRCoreAutocomplete *ac = parent->subcmds[i];\n\t\tif (ac->locked) {\n\t\t\tcontinue;\n\t\t}\n\t\t// if (!strncmp (parent->subcmds[i]->cmd, cmd, parent->subcmds[i]->length)) {\n\t\tif (r_str_glob (ac->cmd, cmd)) {\n\t\t\tfor (j = i + 1; j < parent->n_subcmds; j++) {\n\t\t\t\tparent->subcmds[j - 1] = parent->subcmds[j];\n\t\t\t\tparent->subcmds[j] = NULL;\n\t\t\t}\n\t\t\tr_core_autocomplete_free (ac);\n\t\t\tRCoreAutocomplete **updated = realloc (parent->subcmds, (parent->n_subcmds - 1) * sizeof (RCoreAutocomplete*));\n\t\t\tif (!updated && (parent->n_subcmds - 1) > 0) {\n\t\t\t\teprintf (\"Something really bad has happen.. 
this should never ever happen..\\n\");\n\t\t\t\treturn false;\n\t\t\t}\n\t\t\tparent->subcmds = updated;\n\t\t\tparent->n_subcmds--;\n\t\t\ti--;\n\t\t}\n\t}\n\treturn false;\n}", "project": "radare2", "hash": 229361105160160950186615643180419625250, "size": 29, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232195 }, { "func": "static int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)\n{\n\tstruct open_how __user *how;\n\tsize_t len;\n\tint ret;\n\n\tif (req->flags & REQ_F_NEED_CLEANUP)\n\t\treturn 0;\n\thow = u64_to_user_ptr(READ_ONCE(sqe->addr2));\n\tlen = READ_ONCE(sqe->len);\n\tif (len < OPEN_HOW_SIZE_VER0)\n\t\treturn -EINVAL;\n\n\tret = copy_struct_from_user(&req->open.how, sizeof(req->open.how), how,\n\t\t\t\t\tlen);\n\tif (ret)\n\t\treturn ret;\n\n\treturn __io_openat_prep(req, sqe);\n}", "project": "linux", "hash": 157689027379124859133571290059965586974, "size": 20, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456943 }, { "func": "static int send_break(struct tty_struct *tty, unsigned int duration)\n{\n\tint retval;\n\n\tif (tty->ops->break_ctl == NULL)\n\t\treturn 0;\n\n\tif (tty->driver->flags & TTY_DRIVER_HARDWARE_BREAK)\n\t\tretval = tty->ops->break_ctl(tty, duration);\n\telse {\n\t\t/* Do the work ourselves */\n\t\tif 
(tty_write_lock(tty, 0) < 0)\n\t\t\treturn -EINTR;\n\t\tretval = tty->ops->break_ctl(tty, -1);\n\t\tif (retval)\n\t\t\tgoto out;\n\t\tif (!signal_pending(current))\n\t\t\tmsleep_interruptible(duration);\n\t\tretval = tty->ops->break_ctl(tty, 0);\nout:\n\t\ttty_write_unlock(tty);\n\t\tif (signal_pending(current))\n\t\t\tretval = -EINTR;\n\t}\n\treturn retval;\n}", "project": "linux", "hash": 13763571077671214677903863689409629386, "size": 26, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326060 }, { "func": "authz_status oidc_authz_checker(request_rec *r, const char *require_args,\n\t\tconst void *parsed_require_args,\n\t\toidc_authz_match_claim_fn_type match_claim_fn) {\n\n\toidc_debug(r, \"enter: require_args=\\\"%s\\\"\", require_args);\n\n\t/* check for anonymous access and PASS mode */\n\tif (r->user != NULL && strlen(r->user) == 0) {\n\t\tr->user = NULL;\n\t\tif (oidc_dir_cfg_unauth_action(r) == OIDC_UNAUTH_PASS)\n\t\t\treturn AUTHZ_GRANTED;\n\t}\n\n\t/* get the set of claims from the request state (they've been set in the authentication part earlier */\n\tjson_t *claims = NULL, *id_token = NULL;\n\toidc_authz_get_claims_and_idtoken(r, &claims, &id_token);\n\n\t/* merge id_token claims (e.g. \"iss\") in to claims json object */\n\tif (claims)\n\t\toidc_util_json_merge(r, id_token, claims);\n\n\t/* dispatch to the >=2.4 specific authz routine */\n\tauthz_status rc = oidc_authz_worker24(r, claims ? 
claims : id_token,\n\t\t\trequire_args, parsed_require_args, match_claim_fn);\n\n\t/* cleanup */\n\tif (claims)\n\t\tjson_decref(claims);\n\tif (id_token)\n\t\tjson_decref(id_token);\n\n\tif ((rc == AUTHZ_DENIED) && ap_auth_type(r))\n\t\trc = oidc_handle_unauthorized_user24(r);\n\n\treturn rc;\n}", "project": "mod_auth_openidc", "hash": 326300764250021261601469738349032759243, "size": 36, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381958 }, { "func": "authz_status oidc_authz_checker(request_rec *r, const char *require_args,\n\t\tconst void *parsed_require_args,\n\t\toidc_authz_match_claim_fn_type match_claim_fn) {\n\n\toidc_debug(r, \"enter\");\n\n\t/* check for anonymous access and PASS mode */\n\tif (r->user != NULL && strlen(r->user) == 0) {\n\t\tr->user = NULL;\n\t\tif (oidc_dir_cfg_unauth_action(r) == OIDC_UNAUTH_PASS)\n\t\t\treturn AUTHZ_GRANTED;\n\t}\n\n\t/* get the set of claims from the request state (they've been set in the authentication part earlier */\n\tjson_t *claims = NULL, *id_token = NULL;\n\toidc_authz_get_claims_and_idtoken(r, &claims, &id_token);\n\n\t/* merge id_token claims (e.g. \"iss\") in to claims json object */\n\tif (claims)\n\t\toidc_util_json_merge(r, id_token, claims);\n\n\t/* dispatch to the >=2.4 specific authz routine */\n\tauthz_status rc = oidc_authz_worker24(r, claims ? 
claims : id_token,\n\t\t\trequire_args, match_claim_fn);\n\n\t/* cleanup */\n\tif (claims)\n\t\tjson_decref(claims);\n\tif (id_token)\n\t\tjson_decref(id_token);\n\n\tif ((rc == AUTHZ_DENIED) && ap_auth_type(r))\n\t\trc = oidc_handle_unauthorized_user24(r);\n\n\treturn rc;\n}", "project": "mod_auth_openidc", "hash": 290484643153437813698783524258733849702, "size": 36, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447705 }, { "func": "static int _nfs4_do_open(struct inode *dir,\n\t\t\tstruct nfs_open_context *ctx,\n\t\t\tint flags,\n\t\t\tconst struct nfs4_open_createattrs *c,\n\t\t\tint *opened)\n{\n\tstruct nfs4_state_owner *sp;\n\tstruct nfs4_state *state = NULL;\n\tstruct nfs_server *server = NFS_SERVER(dir);\n\tstruct nfs4_opendata *opendata;\n\tstruct dentry *dentry = ctx->dentry;\n\tconst struct cred *cred = ctx->cred;\n\tstruct nfs4_threshold **ctx_th = &ctx->mdsthreshold;\n\tfmode_t fmode = _nfs4_ctx_to_openmode(ctx);\n\tenum open_claim_type4 claim = NFS4_OPEN_CLAIM_NULL;\n\tstruct iattr *sattr = c->sattr;\n\tstruct nfs4_label *label = c->label;\n\tstruct nfs4_label *olabel = NULL;\n\tint status;\n\n\t/* Protect against reboot recovery conflicts */\n\tstatus = -ENOMEM;\n\tsp = nfs4_get_state_owner(server, cred, GFP_KERNEL);\n\tif (sp == NULL) {\n\t\tdprintk(\"nfs4_do_open: nfs4_get_state_owner failed!\\n\");\n\t\tgoto out_err;\n\t}\n\tstatus = nfs4_client_recover_expired_lease(server->nfs_client);\n\tif (status != 0)\n\t\tgoto err_put_state_owner;\n\tif (d_really_is_positive(dentry))\n\t\tnfs4_return_incompatible_delegation(d_inode(dentry), fmode);\n\tstatus = -ENOMEM;\n\tif (d_really_is_positive(dentry))\n\t\tclaim = NFS4_OPEN_CLAIM_FH;\n\topendata = nfs4_opendata_alloc(dentry, sp, fmode, flags,\n\t\t\tc, claim, GFP_KERNEL);\n\tif (opendata == NULL)\n\t\tgoto err_put_state_owner;\n\n\tif (label) {\n\t\tolabel = nfs4_label_alloc(server, 
GFP_KERNEL);\n\t\tif (IS_ERR(olabel)) {\n\t\t\tstatus = PTR_ERR(olabel);\n\t\t\tgoto err_opendata_put;\n\t\t}\n\t}\n\n\tif (server->attr_bitmask[2] & FATTR4_WORD2_MDSTHRESHOLD) {\n\t\tif (!opendata->f_attr.mdsthreshold) {\n\t\t\topendata->f_attr.mdsthreshold = pnfs_mdsthreshold_alloc();\n\t\t\tif (!opendata->f_attr.mdsthreshold)\n\t\t\t\tgoto err_free_label;\n\t\t}\n\t\topendata->o_arg.open_bitmap = &nfs4_pnfs_open_bitmap[0];\n\t}\n\tif (d_really_is_positive(dentry))\n\t\topendata->state = nfs4_get_open_state(d_inode(dentry), sp);\n\n\tstatus = _nfs4_open_and_get_state(opendata, flags, ctx);\n\tif (status != 0)\n\t\tgoto err_free_label;\n\tstate = ctx->state;\n\n\tif ((opendata->o_arg.open_flags & (O_CREAT|O_EXCL)) == (O_CREAT|O_EXCL) &&\n\t (opendata->o_arg.createmode != NFS4_CREATE_GUARDED)) {\n\t\tunsigned attrs = nfs4_exclusive_attrset(opendata, sattr, &label);\n\t\t/*\n\t\t * send create attributes which was not set by open\n\t\t * with an extra setattr.\n\t\t */\n\t\tif (attrs || label) {\n\t\t\tunsigned ia_old = sattr->ia_valid;\n\n\t\t\tsattr->ia_valid = attrs;\n\t\t\tnfs_fattr_init(opendata->o_res.f_attr);\n\t\t\tstatus = nfs4_do_setattr(state->inode, cred,\n\t\t\t\t\topendata->o_res.f_attr, sattr,\n\t\t\t\t\tctx, label, olabel);\n\t\t\tif (status == 0) {\n\t\t\t\tnfs_setattr_update_inode(state->inode, sattr,\n\t\t\t\t\t\topendata->o_res.f_attr);\n\t\t\t\tnfs_setsecurity(state->inode, opendata->o_res.f_attr, olabel);\n\t\t\t}\n\t\t\tsattr->ia_valid = ia_old;\n\t\t}\n\t}\n\tif (opened && opendata->file_created)\n\t\t*opened = 1;\n\n\tif (pnfs_use_threshold(ctx_th, opendata->f_attr.mdsthreshold, server)) {\n\t\t*ctx_th = opendata->f_attr.mdsthreshold;\n\t\topendata->f_attr.mdsthreshold = NULL;\n\t}\n\n\tnfs4_label_free(olabel);\n\n\tnfs4_opendata_put(opendata);\n\tnfs4_put_state_owner(sp);\n\treturn 
0;\nerr_free_label:\n\tnfs4_label_free(olabel);\nerr_opendata_put:\n\tnfs4_opendata_put(opendata);\nerr_put_state_owner:\n\tnfs4_put_state_owner(sp);\nout_err:\n\treturn status;\n}", "project": "linux", "hash": 61114720342187107703321582950264142846, "size": 109, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430948 }, { "func": "static void cmd_parse_lsub (IMAP_DATA* idata, char* s)\n{\n char buf[STRING];\n char errstr[STRING];\n BUFFER err, token;\n ciss_url_t url;\n IMAP_LIST list;\n\n if (idata->cmddata && idata->cmdtype == IMAP_CT_LIST)\n {\n /* caller will handle response itself */\n cmd_parse_list (idata, s);\n return;\n }\n\n if (!option (OPTIMAPCHECKSUBSCRIBED))\n return;\n\n idata->cmdtype = IMAP_CT_LIST;\n idata->cmddata = &list;\n cmd_parse_list (idata, s);\n idata->cmddata = NULL;\n /* noselect is for a gmail quirk (#3445) */\n if (!list.name || list.noselect)\n return;\n\n dprint (3, (debugfile, \"Subscribing to %s\\n\", list.name));\n\n strfcpy (buf, \"mailboxes \\\"\", sizeof (buf));\n mutt_account_tourl (&idata->conn->account, &url);\n /* escape \\ and \". Also escape ` because the resulting\n * string will be passed to mutt_parse_rc_line. 
*/\n imap_quote_string_and_backquotes (errstr, sizeof (errstr), list.name);\n url.path = errstr + 1;\n url.path[strlen(url.path) - 1] = '\\0';\n if (!mutt_strcmp (url.user, ImapUser))\n url.user = NULL;\n url_ciss_tostring (&url, buf + 11, sizeof (buf) - 11, 0);\n safe_strcat (buf, sizeof (buf), \"\\\"\");\n mutt_buffer_init (&token);\n mutt_buffer_init (&err);\n err.data = errstr;\n err.dsize = sizeof (errstr);\n if (mutt_parse_rc_line (buf, &token, &err))\n dprint (1, (debugfile, \"Error adding subscribed mailbox: %s\\n\", errstr));\n FREE (&token.data);\n}", "project": "mutt", "hash": 1339619535767134597740301204041394316, "size": 47, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338029 }, { "func": "static bool node_is_up(struct tipc_node *n)\n{\n\treturn n->active_links[0] != INVALID_BEARER_ID;\n}", "project": "linux", "hash": 324118090776836995565102580869790346399, "size": 4, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n 
tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n 
kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364945 }, { "func": "uint8_t* pipeline_c(struct thread_context* thread_context, const int32_t bsize,\n const uint8_t* src, const int32_t offset,\n uint8_t* dest, uint8_t* tmp, uint8_t* tmp2) {\n blosc2_context* context = thread_context->parent_context;\n uint8_t* _src = (uint8_t*)src + offset;\n uint8_t* _tmp = tmp;\n uint8_t* _dest = dest;\n int32_t typesize = context->typesize;\n uint8_t* filters = context->filters;\n uint8_t* filters_meta = context->filters_meta;\n bool memcpyed = context->header_flags & (uint8_t)BLOSC_MEMCPYED;\n\n /* Prefilter function */\n if (context->prefilter != NULL) {\n // Create new prefilter parameters for this block (must be private for each thread)\n blosc2_prefilter_params pparams;\n memcpy(&pparams, context->pparams, sizeof(pparams));\n pparams.out = _dest;\n pparams.out_size = (size_t)bsize;\n pparams.out_typesize = typesize;\n pparams.out_offset = offset;\n pparams.tid = thread_context->tid;\n pparams.ttmp = thread_context->tmp;\n pparams.ttmp_nbytes = thread_context->tmp_nbytes;\n pparams.ctx = context;\n\n if (context->prefilter(&pparams) != 0) {\n fprintf(stderr, \"Execution of prefilter function failed\\n\");\n return NULL;\n }\n\n if (memcpyed) {\n // No more filters are required\n return _dest;\n }\n // Cycle buffers\n _src = _dest;\n _dest = _tmp;\n _tmp = _src;\n }\n\n /* Process the filter pipeline */\n for (int i = 0; i < BLOSC2_MAX_FILTERS; i++) {\n switch (filters[i]) {\n case BLOSC_SHUFFLE:\n for (int j = 0; j <= filters_meta[i]; j++) {\n shuffle(typesize, bsize, _src, _dest);\n // Cycle filters when required\n if (j < filters_meta[i]) {\n _src = _dest;\n _dest = _tmp;\n _tmp = _src;\n }\n }\n break;\n case BLOSC_BITSHUFFLE:\n bitshuffle(typesize, bsize, _src, _dest, tmp2);\n break;\n case BLOSC_DELTA:\n delta_encoder(src, offset, bsize, typesize, _src, _dest);\n break;\n case BLOSC_TRUNC_PREC:\n truncate_precision(filters_meta[i], typesize, bsize, _src, _dest);\n 
break;\n default:\n if (filters[i] != BLOSC_NOFILTER) {\n fprintf(stderr, \"Filter %d not handled during compression\\n\", filters[i]);\n return NULL;\n }\n }\n // Cycle buffers when required\n if (filters[i] != BLOSC_NOFILTER) {\n _src = _dest;\n _dest = _tmp;\n _tmp = _src;\n }\n }\n return _src;\n}", "project": "c-blosc2", "hash": 334393004504089323668008984135420260907, "size": 79, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303071 }, { "func": "static inline void set_intercept(struct vcpu_svm *svm, int bit)\n{\n\tstruct vmcb *vmcb = get_host_vmcb(svm);\n\n\tvmcb->control.intercept |= (1ULL << bit);\n\n\trecalc_intercepts(svm);\n}", "project": "linux", "hash": 100802251932147906284168072003948411165, "size": 8, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432421 }, { "func": "static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_cp_le_add_to_resolv_list *sent;\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);\n\tif (!sent)\n\t\treturn;\n\n\thci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,\n\t\t\t\tsent->bdaddr_type, sent->peer_irk,\n\t\t\t\tsent->local_irk);\n}", "project": "linux", "hash": 198772705639231627309256545324402352839, "size": 19, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431926 }, { "func": " bool IsForward() const override { return Forward; }", "project": "tensorflow", "hash": 206097614571279828879277574587490117862, "size": 1, "commit_id": "31bd5026304677faa8a0b77602c6154171b9aec1", "message": "Prevent check fail in FFT\n\nPiperOrigin-RevId: 372031044\nChange-Id: I50994e3e8a5d1342d01bde80256f6bf2730ca299", "target": 0, "dataset": "other", "idx": 235716 }, { "func": "static void svm_set_efer(struct kvm_vcpu *vcpu, u64 efer)\n{\n\tvcpu->arch.efer = efer;\n\n\tif (!npt_enabled) {\n\t\t/* Shadow paging assumes NX to be available. */\n\t\tefer |= EFER_NX;\n\n\t\tif (!(efer & EFER_LMA))\n\t\t\tefer &= ~EFER_LME;\n\t}\n\n\tto_svm(vcpu)->vmcb->save.efer = efer | EFER_SVME;\n\tmark_dirty(to_svm(vcpu)->vmcb, VMCB_CR);\n}", "project": "linux", "hash": 74741783575843289221529657153088644512, "size": 15, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432534 }, { "func": "static void svm_set_efer(struct kvm_vcpu *vcpu, u64 efer)\n{\n\tvcpu->arch.efer = efer;\n\tif (!npt_enabled && !(efer & EFER_LMA))\n\t\tefer &= ~EFER_LME;\n\n\tto_svm(vcpu)->vmcb->save.efer = efer | EFER_SVME;\n\tmark_dirty(to_svm(vcpu)->vmcb, VMCB_CR);\n}", "project": "kvm", "hash": 124498625386778978307559806605176791748, "size": 9, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437659 }, { "func": "static int svm_interrupt_allowed(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tstruct vmcb *vmcb = svm->vmcb;\n\tint ret;\n\n\tif (!gif_set(svm) ||\n\t (vmcb->control.int_state & SVM_INTERRUPT_SHADOW_MASK))\n\t\treturn 0;\n\n\tret = !!(kvm_get_rflags(vcpu) & X86_EFLAGS_IF);\n\n\tif (is_guest_mode(vcpu))\n\t\treturn ret && !(svm->vcpu.arch.hflags & HF_VINTR_MASK);\n\n\treturn ret;\n}", "project": "linux", "hash": 260829476844709213947127725952124864459, "size": 17, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432562 }, { "func": "int __tty_check_change(struct tty_struct *tty, int sig)\n{\n\tunsigned long flags;\n\tstruct pid *pgrp, *tty_pgrp;\n\tint ret = 0;\n\n\tif (current->signal->tty != tty)\n\t\treturn 0;\n\n\trcu_read_lock();\n\tpgrp = task_pgrp(current);\n\n\tspin_lock_irqsave(&tty->ctrl_lock, flags);\n\ttty_pgrp = tty->pgrp;\n\tspin_unlock_irqrestore(&tty->ctrl_lock, flags);\n\n\tif (tty_pgrp && pgrp != tty_pgrp) {\n\t\tif (is_ignored(sig)) {\n\t\t\tif (sig == SIGTTIN)\n\t\t\t\tret = -EIO;\n\t\t} else if (is_current_pgrp_orphaned())\n\t\t\tret = -EIO;\n\t\telse {\n\t\t\tkill_pgrp(pgrp, sig, 1);\n\t\t\tset_thread_flag(TIF_SIGPENDING);\n\t\t\tret = -ERESTARTSYS;\n\t\t}\n\t}\n\trcu_read_unlock();\n\n\tif (!tty_pgrp)\n\t\ttty_warn(tty, \"sig=%d, tty->pgrp == NULL!\\n\", sig);\n\n\treturn ret;\n}", "project": "linux", "hash": 310751825414766340436087027991380671589, "size": 35, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326014 }, { "func": "ExecutionStatus JSObject::getComputedDescriptor(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n MutableHandle &propObj,\n ComputedPropertyDescriptor &desc) {\n auto converted = toPropertyKeyIfObject(runtime, nameValHandle);\n if (LLVM_UNLIKELY(converted == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n return getComputedPrimitiveDescriptor(\n selfHandle, runtime, *converted, propObj, desc);\n}", "project": "hermes", "hash": 44737016146784572484530708236548065841, "size": 13, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230162 }, { "func": "static void mt_process_mt_event(struct hid_device *hid,\n\t\t\t\tstruct mt_application *app,\n\t\t\t\tstruct hid_field *field,\n\t\t\t\tstruct hid_usage *usage,\n\t\t\t\t__s32 value,\n\t\t\t\tbool first_packet)\n{\n\t__s32 quirks = app->quirks;\n\tstruct input_dev *input = field->hidinput->input;\n\n\tif (!usage->type || !(hid->claimed & HID_CLAIMED_INPUT))\n\t\treturn;\n\n\tif (quirks & MT_QUIRK_WIN8_PTP_BUTTONS) {\n\n\t\t/*\n\t\t * For Win8 PTP touchpads we should only look at\n\t\t * non finger/touch events in the first_packet of a\n\t\t * (possible) multi-packet frame.\n\t\t */\n\t\tif (!first_packet)\n\t\t\treturn;\n\n\t\t/*\n\t\t * For Win8 PTP touchpads we map both the clickpad click\n\t\t * and any \"external\" left buttons to BTN_LEFT if a\n\t\t * device claims to have both we need to report 1 for\n\t\t * BTN_LEFT if either is pressed, so we or all values\n\t\t * together and report the result in mt_sync_frame().\n\t\t */\n\t\tif (usage->type == EV_KEY && usage->code == BTN_LEFT) {\n\t\t\tapp->left_button_state |= value;\n\t\t\treturn;\n\t\t}\n\t}\n\n\tinput_event(input, usage->type, usage->code, value);\n}", "project": "linux", "hash": 300907701725349387864045233478388205590, "size": 38, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it 
actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458370 }, { "func": "UnicodeStringTest::TestNullPointers() {\n assertTrue(\"empty from nullptr\", UnicodeString(nullptr).isEmpty());\n assertTrue(\"empty from nullptr+length\", UnicodeString(nullptr, 2).isEmpty());\n assertTrue(\"empty from read-only-alias nullptr\", UnicodeString(TRUE, nullptr, 3).isEmpty());\n\n UnicodeString alias(nullptr, 4, 4); // empty, no alias\n assertTrue(\"empty from writable alias\", alias.isEmpty());\n alias.append(u'a').append(u'b').append(u'c');\n UnicodeString expected(u\"abc\");\n assertEquals(\"abc from writable alias\", expected, alias);\n\n UErrorCode errorCode = U_ZERO_ERROR;\n UnicodeString(u\"def\").extract(nullptr, 0, errorCode);\n assertEquals(\"buffer overflow extracting to nullptr\", U_BUFFER_OVERFLOW_ERROR, errorCode);\n}", "project": "icu", "hash": 226358492160398219716091378409875519569, "size": 15, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430867 }, { "func": " bool conflictingContentLength() const { return conflictingContentLength_; }", "project": "squid", "hash": 270893090724152409422058507263426292975, "size": 1, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402346 }, { "func": "static int hci_outgoing_auth_needed(struct hci_dev *hdev,\n\t\t\t\t struct hci_conn *conn)\n{\n\tif (conn->state != BT_CONFIG || !conn->out)\n\t\treturn 0;\n\n\tif (conn->pending_sec_level == BT_SECURITY_SDP)\n\t\treturn 0;\n\n\t/* Only request authentication for SSP connections or non-SSP\n\t * devices with sec_level MEDIUM or HIGH or if MITM protection\n\t * is requested.\n\t */\n\tif (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&\n\t conn->pending_sec_level != BT_SECURITY_FIPS &&\n\t conn->pending_sec_level != BT_SECURITY_HIGH &&\n\t conn->pending_sec_level != BT_SECURITY_MEDIUM)\n\t\treturn 0;\n\n\treturn 1;\n}", "project": "linux", "hash": 274375456359511561210037519608889799625, "size": 21, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431881 }, { "func": "unsigned long kvm_host_page_size(struct kvm_vcpu *vcpu, gfn_t gfn)\n{\n\tstruct vm_area_struct *vma;\n\tunsigned long addr, size;\n\n\tsize = PAGE_SIZE;\n\n\taddr = kvm_vcpu_gfn_to_hva_prot(vcpu, gfn, NULL);\n\tif (kvm_is_error_hva(addr))\n\t\treturn PAGE_SIZE;\n\n\tdown_read(¤t->mm->mmap_sem);\n\tvma = find_vma(current->mm, addr);\n\tif (!vma)\n\t\tgoto out;\n\n\tsize = vma_kernel_pagesize(vma);\n\nout:\n\tup_read(¤t->mm->mmap_sem);\n\n\treturn size;\n}", "project": "linux", "hash": 154082477752549118391911813672941774769, "size": 23, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354828 }, { "func": "unsigned long kvm_host_page_size(struct kvm_vcpu *vcpu, gfn_t gfn)\n{\n\tstruct vm_area_struct *vma;\n\tunsigned long addr, size;\n\n\tsize = PAGE_SIZE;\n\n\taddr = kvm_vcpu_gfn_to_hva_prot(vcpu, gfn, NULL);\n\tif (kvm_is_error_hva(addr))\n\t\treturn PAGE_SIZE;\n\n\tmmap_read_lock(current->mm);\n\tvma = 
find_vma(current->mm, addr);\n\tif (!vma)\n\t\tgoto out;\n\n\tsize = vma_kernel_pagesize(vma);\n\nout:\n\tmmap_read_unlock(current->mm);\n\n\treturn size;\n}", "project": "linux", "hash": 123716133385332136043977067185489453755, "size": 23, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404097 }, { "func": "static ssize_t fuse_file_read_iter(struct kiocb *iocb, struct iov_iter *to)\n{\n\tstruct file *file = iocb->ki_filp;\n\tstruct fuse_file *ff = file->private_data;\n\tstruct inode *inode = file_inode(file);\n\n\tif (fuse_is_bad(inode))\n\t\treturn -EIO;\n\n\tif (FUSE_IS_DAX(inode))\n\t\treturn fuse_dax_read_iter(iocb, to);\n\n\tif (!(ff->open_flags & FOPEN_DIRECT_IO))\n\t\treturn fuse_cache_read_iter(iocb, to);\n\telse\n\t\treturn fuse_direct_read_iter(iocb, to);\n}", "project": "linux", "hash": 206775719786079208640984328152784338845, "size": 17, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342153 }, { "func": " table_map used_tables() const { return used_tables_cache; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 267492981726561188980444528840319453586, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509013 }, { "func": " table_map used_tables() const { return orig_item->used_tables(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 99911701012299583070309964722714873112, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509305 }, { "func": "static int __init input_init(void)\n{\n\tint err;\n\n\terr = class_register(&input_class);\n\tif (err) {\n\t\tpr_err(\"unable to register input_dev class\\n\");\n\t\treturn err;\n\t}\n\n\terr = input_proc_init();\n\tif (err)\n\t\tgoto fail1;\n\n\terr = register_chrdev_region(MKDEV(INPUT_MAJOR, 0),\n\t\t\t\t INPUT_MAX_CHAR_DEVICES, \"input\");\n\tif (err) {\n\t\tpr_err(\"unable to register char major %d\", INPUT_MAJOR);\n\t\tgoto fail2;\n\t}\n\n\treturn 0;\n\n fail2:\tinput_proc_exit();\n fail1:\tclass_unregister(&input_class);\n\treturn err;\n}", "project": "linux", "hash": 73261212139575787019358695032467682091, "size": 27, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353320 }, { "func": "bool kvm_hv_assist_page_enabled(struct kvm_vcpu *vcpu)\n{\n\tstruct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu);\n\n\tif (!hv_vcpu)\n\t\treturn false;\n\n\tif (!(hv_vcpu->hv_vapic & HV_X64_MSR_VP_ASSIST_PAGE_ENABLE))\n\t\treturn false;\n\treturn vcpu->arch.pv_eoi.msr_val & KVM_MSR_ENABLED;\n}", "project": "linux", "hash": 256931770463992413813516951305280102198, "size": 11, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343485 }, { "func": "static int nfs4_open_recover_helper(struct nfs4_opendata *opendata,\n\t\tfmode_t fmode)\n{\n\tstruct nfs4_state *newstate;\n\tint ret;\n\n\tif (!nfs4_mode_match_open_stateid(opendata->state, fmode))\n\t\treturn 0;\n\topendata->o_arg.open_flags = 0;\n\topendata->o_arg.fmode = fmode;\n\topendata->o_arg.share_access = nfs4_map_atomic_open_share(\n\t\t\tNFS_SB(opendata->dentry->d_sb),\n\t\t\tfmode, 0);\n\tmemset(&opendata->o_res, 0, sizeof(opendata->o_res));\n\tmemset(&opendata->c_res, 0, sizeof(opendata->c_res));\n\tnfs4_init_opendata_res(opendata);\n\tret = _nfs4_recover_proc_open(opendata);\n\tif (ret != 0)\n\t\treturn ret; \n\tnewstate = nfs4_opendata_to_nfs4_state(opendata);\n\tif (IS_ERR(newstate))\n\t\treturn PTR_ERR(newstate);\n\tif (newstate != opendata->state)\n\t\tret = -ESTALE;\n\tnfs4_close_state(newstate, fmode);\n\treturn ret;\n}", "project": "linux", "hash": 22673175085252661417119567041918778618, "size": 27, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431595 }, { "func": "static bool msr_write_intercepted(struct kvm_vcpu *vcpu, unsigned msr)\n{\n\tu8 bit_write;\n\tunsigned long 
tmp;\n\tu32 offset;\n\tu32 *msrpm;\n\n\tmsrpm = is_guest_mode(vcpu) ? to_svm(vcpu)->nested.msrpm:\n\t\t\t\t to_svm(vcpu)->msrpm;\n\n\toffset = svm_msrpm_offset(msr);\n\tbit_write = 2 * (msr & 0x0f) + 1;\n\ttmp = msrpm[offset];\n\n\tBUG_ON(offset == MSR_INVALID);\n\n\treturn !!test_bit(bit_write, &tmp);\n}", "project": "linux", "hash": 177169912779367107070582777613817067264, "size": 18, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432422 }, { "func": "static OPJ_BOOL opj_j2k_decode_tiles(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n OPJ_BOOL l_go_on = OPJ_TRUE;\n OPJ_UINT32 l_current_tile_no;\n OPJ_INT32 l_tile_x0, l_tile_y0, l_tile_x1, l_tile_y1;\n OPJ_UINT32 l_nb_comps;\n OPJ_UINT32 nr_tiles = 0;\n\n /* Particular case for whole single tile decoding */\n /* We can avoid allocating intermediate tile buffers */\n if (p_j2k->m_cp.tw == 1 && p_j2k->m_cp.th == 1 &&\n p_j2k->m_cp.tx0 == 0 && p_j2k->m_cp.ty0 == 0 &&\n p_j2k->m_output_image->x0 == 0 &&\n p_j2k->m_output_image->y0 == 0 &&\n p_j2k->m_output_image->x1 == p_j2k->m_cp.tdx &&\n p_j2k->m_output_image->y1 == p_j2k->m_cp.tdy) {\n OPJ_UINT32 i;\n if (! opj_j2k_read_tile_header(p_j2k,\n &l_current_tile_no,\n NULL,\n &l_tile_x0, &l_tile_y0,\n &l_tile_x1, &l_tile_y1,\n &l_nb_comps,\n &l_go_on,\n p_stream,\n p_manager)) {\n return OPJ_FALSE;\n }\n\n if (! 
opj_j2k_decode_tile(p_j2k, l_current_tile_no, NULL, 0,\n p_stream, p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Failed to decode tile 1/1\\n\");\n return OPJ_FALSE;\n }\n\n /* Transfer TCD data to output image data */\n for (i = 0; i < p_j2k->m_output_image->numcomps; i++) {\n opj_image_data_free(p_j2k->m_output_image->comps[i].data);\n p_j2k->m_output_image->comps[i].data =\n p_j2k->m_tcd->tcd_image->tiles->comps[i].data;\n p_j2k->m_output_image->comps[i].resno_decoded =\n p_j2k->m_tcd->image->comps[i].resno_decoded;\n p_j2k->m_tcd->tcd_image->tiles->comps[i].data = NULL;\n }\n\n return OPJ_TRUE;\n }\n\n for (;;) {\n if (p_j2k->m_cp.tw == 1 && p_j2k->m_cp.th == 1 &&\n p_j2k->m_cp.tcps[0].m_data != NULL) {\n l_current_tile_no = 0;\n p_j2k->m_current_tile_number = 0;\n p_j2k->m_specific_param.m_decoder.m_state |= J2K_STATE_DATA;\n } else {\n if (! opj_j2k_read_tile_header(p_j2k,\n &l_current_tile_no,\n NULL,\n &l_tile_x0, &l_tile_y0,\n &l_tile_x1, &l_tile_y1,\n &l_nb_comps,\n &l_go_on,\n p_stream,\n p_manager)) {\n return OPJ_FALSE;\n }\n\n if (! l_go_on) {\n break;\n }\n }\n\n if (! opj_j2k_decode_tile(p_j2k, l_current_tile_no, NULL, 0,\n p_stream, p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Failed to decode tile %d/%d\\n\",\n l_current_tile_no + 1, p_j2k->m_cp.th * p_j2k->m_cp.tw);\n return OPJ_FALSE;\n }\n\n opj_event_msg(p_manager, EVT_INFO, \"Tile %d/%d has been decoded.\\n\",\n l_current_tile_no + 1, p_j2k->m_cp.th * p_j2k->m_cp.tw);\n\n if (! 
opj_j2k_update_image_data(p_j2k->m_tcd,\n p_j2k->m_output_image)) {\n return OPJ_FALSE;\n }\n\n if (p_j2k->m_cp.tw == 1 && p_j2k->m_cp.th == 1 &&\n !(p_j2k->m_output_image->x0 == p_j2k->m_private_image->x0 &&\n p_j2k->m_output_image->y0 == p_j2k->m_private_image->y0 &&\n p_j2k->m_output_image->x1 == p_j2k->m_private_image->x1 &&\n p_j2k->m_output_image->y1 == p_j2k->m_private_image->y1)) {\n /* Keep current tcp data */\n } else {\n opj_j2k_tcp_data_destroy(&p_j2k->m_cp.tcps[l_current_tile_no]);\n }\n\n opj_event_msg(p_manager, EVT_INFO,\n \"Image data has been updated with tile %d.\\n\\n\", l_current_tile_no + 1);\n\n if (opj_stream_get_number_byte_left(p_stream) == 0\n && p_j2k->m_specific_param.m_decoder.m_state == J2K_STATE_NEOC) {\n break;\n }\n if (++nr_tiles == p_j2k->m_cp.th * p_j2k->m_cp.tw) {\n break;\n }\n }\n\n if (! opj_j2k_are_all_used_components_decoded(p_j2k, p_manager)) {\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 81405669977073763329437344408592027764, "size": 117, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357412 }, { "func": "static bool io_rw_should_reissue(struct io_kiocb *req)\n{\n\treturn false;\n}", "project": "linux", "hash": 73640164275981585632031691887309741871, "size": 4, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338598 }, { "func": "static bool io_rw_should_reissue(struct io_kiocb *req)\n{\n\tumode_t mode = file_inode(req->file)->i_mode;\n\tstruct io_ring_ctx *ctx = req->ctx;\n\n\tif (!S_ISBLK(mode) && !S_ISREG(mode))\n\t\treturn false;\n\tif ((req->flags & REQ_F_NOWAIT) || (io_wq_current_is_worker() &&\n\t !(ctx->flags & IORING_SETUP_IOPOLL)))\n\t\treturn false;\n\t/*\n\t * If ref is dying, we might be running poll reap from the exit work.\n\t * Don't attempt to reissue from that path, just let it fail with\n\t * -EAGAIN.\n\t */\n\tif (percpu_ref_is_dying(&ctx->refs))\n\t\treturn false;\n\treturn true;\n}", "project": "linux", "hash": 299301863990261817994506488153947949737, "size": 19, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338655 }, { "func": " explicit InputInfo(const string& node_name, Node* n, int i)\n : name(node_name), node(n), index(i) {}", "project": "tensorflow", "hash": 226131366125569830328588786973111316547, "size": 2, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268336 }, { "func": "\nstatic void io_fixed_file_set(struct io_fixed_file *file_slot, struct file *file)\n{\n\tunsigned long file_ptr = (unsigned long) file;\n\n\tif (__io_file_supports_async(file, READ))\n\t\tfile_ptr |= FFS_ASYNC_READ;\n\tif (__io_file_supports_async(file, WRITE))\n\t\tfile_ptr |= FFS_ASYNC_WRITE;\n\tif (S_ISREG(file_inode(file)->i_mode))\n\t\tfile_ptr |= FFS_ISREG;\n\tfile_slot->file_ptr = file_ptr;", "project": "linux", "hash": 206072824997059802816782459883048294082, "size": 12, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338546 }, { "func": "static int zstd_wrap_compress(struct thread_context* thread_context,\n const char* input, size_t input_length,\n char* output, size_t maxout, int clevel) {\n size_t code;\n blosc2_context* context = thread_context->parent_context;\n\n clevel = (clevel < 9) ? 
clevel * 2 - 1 : ZSTD_maxCLevel();\n /* Make the level 8 close enough to maxCLevel */\n if (clevel == 8) clevel = ZSTD_maxCLevel() - 2;\n\n if (thread_context->zstd_cctx == NULL) {\n thread_context->zstd_cctx = ZSTD_createCCtx();\n }\n\n if (context->use_dict) {\n assert(context->dict_cdict != NULL);\n code = ZSTD_compress_usingCDict(\n thread_context->zstd_cctx, (void*)output, maxout, (void*)input,\n input_length, context->dict_cdict);\n } else {\n code = ZSTD_compressCCtx(thread_context->zstd_cctx,\n (void*)output, maxout, (void*)input, input_length, clevel);\n }\n if (ZSTD_isError(code) != ZSTD_error_no_error) {\n // Do not print anything because blosc will just memcpy this buffer\n // fprintf(stderr, \"Error in ZSTD compression: '%s'. Giving up.\\n\",\n // ZDICT_getErrorName(code));\n return 0;\n }\n return (int)code;\n}", "project": "c-blosc2", "hash": 194567712919906708607660912564476587385, "size": 31, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303132 }, { "func": "void ethereum_signing_txack(EthereumTxAck *tx) {\n if (!ethereum_signing) {\n fsm_sendFailure(FailureType_Failure_UnexpectedMessage,\n _(\"Not in Ethereum signing mode\"));\n layoutHome();\n return;\n }\n\n if (tx->data_chunk.size > data_left) {\n fsm_sendFailure(FailureType_Failure_Other, _(\"Too much data\"));\n ethereum_signing_abort();\n return;\n }\n\n if (data_left > 0 && (!tx->has_data_chunk || tx->data_chunk.size == 0)) {\n fsm_sendFailure(FailureType_Failure_Other, _(\"Empty data chunk received\"));\n ethereum_signing_abort();\n return;\n }\n\n hash_data(tx->data_chunk.bytes, tx->data_chunk.size);\n\n data_left -= tx->data_chunk.size;\n\n if (data_left > 0) {\n send_request_chunk();\n } else {\n send_signature();\n }\n}", "project": "keepkey-firmware", "hash": 339840114160934349059703674487275452976, "size": 30, "commit_id": 
"e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220876 }, { "func": "static inline unsigned long tid_to_event(unsigned long tid)\n{\n\treturn tid / TID_STEP;\n}", "project": "linux", "hash": 103206473160745273281230208786989449940, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280031 }, { "func": "int tty_register_driver(struct tty_driver *driver)\n{\n\tint error;\n\tint i;\n\tdev_t dev;\n\tstruct device *d;\n\n\tif (!driver->major) {\n\t\terror = alloc_chrdev_region(&dev, driver->minor_start,\n\t\t\t\t\t\tdriver->num, driver->name);\n\t\tif (!error) {\n\t\t\tdriver->major = MAJOR(dev);\n\t\t\tdriver->minor_start = MINOR(dev);\n\t\t}\n\t} else {\n\t\tdev = MKDEV(driver->major, driver->minor_start);\n\t\terror = register_chrdev_region(dev, driver->num, driver->name);\n\t}\n\tif (error < 0)\n\t\tgoto err;\n\n\tif (driver->flags & TTY_DRIVER_DYNAMIC_ALLOC) {\n\t\terror = tty_cdev_add(driver, dev, 0, driver->num);\n\t\tif (error)\n\t\t\tgoto err_unreg_char;\n\t}\n\n\tmutex_lock(&tty_mutex);\n\tlist_add(&driver->tty_drivers, &tty_drivers);\n\tmutex_unlock(&tty_mutex);\n\n\tif (!(driver->flags & TTY_DRIVER_DYNAMIC_DEV)) {\n\t\tfor (i = 0; i < 
driver->num; i++) {\n\t\t\td = tty_register_device(driver, i, NULL);\n\t\t\tif (IS_ERR(d)) {\n\t\t\t\terror = PTR_ERR(d);\n\t\t\t\tgoto err_unreg_devs;\n\t\t\t}\n\t\t}\n\t}\n\tproc_tty_register_driver(driver);\n\tdriver->flags |= TTY_DRIVER_INSTALLED;\n\treturn 0;\n\nerr_unreg_devs:\n\tfor (i--; i >= 0; i--)\n\t\ttty_unregister_device(driver, i);\n\n\tmutex_lock(&tty_mutex);\n\tlist_del(&driver->tty_drivers);\n\tmutex_unlock(&tty_mutex);\n\nerr_unreg_char:\n\tunregister_chrdev_region(dev, driver->num);\nerr:\n\treturn error;\n}", "project": "linux", "hash": 50127357038825212465991212602064409313, "size": 57, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326011 }, { "func": "int fuse_fsync_common(struct file *file, loff_t start, loff_t end,\n\t\t int datasync, int opcode)\n{\n\tstruct inode *inode = file->f_mapping->host;\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tstruct fuse_file *ff = file->private_data;\n\tFUSE_ARGS(args);\n\tstruct fuse_fsync_in inarg;\n\n\tmemset(&inarg, 0, sizeof(inarg));\n\tinarg.fh = ff->fh;\n\tinarg.fsync_flags = datasync ? FUSE_FSYNC_FDATASYNC : 0;\n\targs.opcode = opcode;\n\targs.nodeid = get_node_id(inode);\n\targs.in_numargs = 1;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\treturn fuse_simple_request(fm, &args);\n}", "project": "linux", "hash": 289184455093127175502056430845026289458, "size": 19, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341964 }, { "func": "OPJ_BOOL opj_j2k_decode_tile(opj_j2k_t * p_j2k,\n OPJ_UINT32 p_tile_index,\n OPJ_BYTE * p_data,\n OPJ_UINT32 p_data_size,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n OPJ_UINT32 l_current_marker;\n OPJ_BYTE l_data [2];\n opj_tcp_t * l_tcp;\n opj_image_t* l_image_for_bounds;\n\n /* preconditions */\n assert(p_stream != 00);\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n if (!(p_j2k->m_specific_param.m_decoder.m_state & J2K_STATE_DATA)\n || (p_tile_index != p_j2k->m_current_tile_number)) {\n return OPJ_FALSE;\n }\n\n l_tcp = &(p_j2k->m_cp.tcps[p_tile_index]);\n if (! l_tcp->m_data) {\n opj_j2k_tcp_destroy(l_tcp);\n return OPJ_FALSE;\n }\n\n /* When using the opj_read_tile_header / opj_decode_tile_data API */\n /* such as in test_tile_decoder, m_output_image is NULL, so fall back */\n /* to the full image dimension. This is a bit surprising that */\n /* opj_set_decode_area() is only used to determinte intersecting tiles, */\n /* but full tile decoding is done */\n l_image_for_bounds = p_j2k->m_output_image ? p_j2k->m_output_image :\n p_j2k->m_private_image;\n if (! 
opj_tcd_decode_tile(p_j2k->m_tcd,\n l_image_for_bounds->x0,\n l_image_for_bounds->y0,\n l_image_for_bounds->x1,\n l_image_for_bounds->y1,\n p_j2k->m_specific_param.m_decoder.m_numcomps_to_decode,\n p_j2k->m_specific_param.m_decoder.m_comps_indices_to_decode,\n l_tcp->m_data,\n l_tcp->m_data_size,\n p_tile_index,\n p_j2k->cstr_index, p_manager)) {\n opj_j2k_tcp_destroy(l_tcp);\n p_j2k->m_specific_param.m_decoder.m_state |= J2K_STATE_ERR;\n opj_event_msg(p_manager, EVT_ERROR, \"Failed to decode.\\n\");\n return OPJ_FALSE;\n }\n\n /* p_data can be set to NULL when the call will take care of using */\n /* itself the TCD data. This is typically the case for whole single */\n /* tile decoding optimization. */\n if (p_data != NULL) {\n if (! opj_tcd_update_tile_data(p_j2k->m_tcd, p_data, p_data_size)) {\n return OPJ_FALSE;\n }\n\n /* To avoid to destroy the tcp which can be useful when we try to decode a tile decoded before (cf j2k_random_tile_access)\n * we destroy just the data which will be re-read in read_tile_header*/\n /*opj_j2k_tcp_destroy(l_tcp);\n p_j2k->m_tcd->tcp = 0;*/\n opj_j2k_tcp_data_destroy(l_tcp);\n }\n\n p_j2k->m_specific_param.m_decoder.m_can_decode = 0;\n p_j2k->m_specific_param.m_decoder.m_state &= (~(OPJ_UINT32)J2K_STATE_DATA);\n\n if (opj_stream_get_number_byte_left(p_stream) == 0\n && p_j2k->m_specific_param.m_decoder.m_state == J2K_STATE_NEOC) {\n return OPJ_TRUE;\n }\n\n if (p_j2k->m_specific_param.m_decoder.m_state != J2K_STATE_EOC) {\n if (opj_stream_read_data(p_stream, l_data, 2, p_manager) != 2) {\n opj_event_msg(p_manager, EVT_ERROR, \"Stream too short\\n\");\n return OPJ_FALSE;\n }\n\n opj_read_bytes(l_data, &l_current_marker, 2);\n\n if (l_current_marker == J2K_MS_EOC) {\n p_j2k->m_current_tile_number = 0;\n p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_EOC;\n } else if (l_current_marker != J2K_MS_SOT) {\n if (opj_stream_get_number_byte_left(p_stream) == 0) {\n p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_NEOC;\n 
opj_event_msg(p_manager, EVT_WARNING, \"Stream does not end with EOC\\n\");\n return OPJ_TRUE;\n }\n opj_event_msg(p_manager, EVT_ERROR, \"Stream too short, expected SOT\\n\");\n return OPJ_FALSE;\n }\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 69201294516936705319602736516904945742, "size": 99, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357324 }, { "func": "static void execlists_destroy(struct intel_engine_cs *engine)\n{\n\tintel_engine_cleanup_common(engine);\n\tlrc_destroy_wa_ctx(engine);\n\tkfree(engine);\n}", "project": "linux", "hash": 188019138777606829283562820763226804347, "size": 6, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281520 }, { "func": "static void attach_zval(json_parser *json,\n const String& key,\n int assoc,\n JSONContainerType container_type) {\n if (json->top < 1) {\n return;\n }\n\n auto& root = json->stack[json->top - 1].val;\n auto& child = json->stack[json->top].val;\n auto up_mode = json->stack[json->top - 1].mode;\n\n if (up_mode == Mode::ARRAY) {\n if (container_type == JSONContainerType::COLLECTIONS) {\n collections::append(root.getObjectData(), child.asTypedValue());\n } else {\n root.asArrRef().append(child);\n }\n } else if (up_mode == Mode::OBJECT) {\n object_set(json, root, key, child, assoc, container_type);\n }\n}", "project": "hhvm", "hash": 304067488708235592947005398823381485197, "size": 22, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227328 }, { "func": " Item_copy(THD *thd, Item *i): Item(thd)\n {\n item= i;\n null_value=maybe_null=item->maybe_null;\n Type_std_attributes::set(item);\n name=item->name;\n set_handler_by_field_type(item->field_type());\n fixed= item->fixed;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 271341915197729003153111840352127550149, "size": 9, "message": 
"MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508928 }, { "func": "static void stimer_mark_pending(struct kvm_vcpu_hv_stimer *stimer,\n\t\t\t\tbool vcpu_kick)\n{\n\tstruct kvm_vcpu *vcpu = hv_stimer_to_vcpu(stimer);\n\n\tset_bit(stimer->index,\n\t\tto_hv_vcpu(vcpu)->stimer_pending_bitmap);\n\tkvm_make_request(KVM_REQ_HV_STIMER, vcpu);\n\tif (vcpu_kick)\n\t\tkvm_vcpu_kick(vcpu);\n}", "project": "linux", "hash": 125861262679364139187441421885154143229, "size": 11, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 
arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343501 }, { "func": "static void print_page_info(struct page *page)\n{\n\tpr_err(\"INFO: Slab 0x%p objects=%u used=%u fp=0x%p flags=0x%04lx\\n\",\n\t page, page->objects, page->inuse, page->freelist, page->flags);\n\n}", "project": "linux", "hash": 253732536225010136664360933085736336697, "size": 6, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280169 }, { "func": "static void default_attr(struct vc_data *vc)\n{\n\tvc->vc_intensity = 1;\n\tvc->vc_italic = 0;\n\tvc->vc_underline = 0;\n\tvc->vc_reverse = 0;\n\tvc->vc_blink = 0;\n\tvc->vc_color = vc->vc_def_color;\n}", "project": "linux", "hash": 236923657292806600950665003378647311852, "size": 9, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437049 }, { "func": "static BOOL update_gdi_cache_glyph_v2(rdpContext* context, const CACHE_GLYPH_V2_ORDER* cacheGlyphV2)\n{\n\tUINT32 i;\n\trdpCache* cache;\n\n\tif (!context || !cacheGlyphV2 || !context->cache)\n\t\treturn FALSE;\n\n\tcache = context->cache;\n\n\tfor (i = 0; i < cacheGlyphV2->cGlyphs; i++)\n\t{\n\t\tconst GLYPH_DATA_V2* glyphData = &cacheGlyphV2->glyphData[i];\n\t\trdpGlyph* glyph;\n\n\t\tif (!glyphData)\n\t\t\treturn FALSE;\n\n\t\tglyph = Glyph_Alloc(context, glyphData->x, glyphData->y, glyphData->cx, glyphData->cy,\n\t\t glyphData->cb, glyphData->aj);\n\n\t\tif (!glyph)\n\t\t\treturn FALSE;\n\n\t\tif (!glyph_cache_put(cache->glyph, cacheGlyphV2->cacheId, glyphData->cacheIndex, glyph))\n\t\t{\n\t\t\tglyph->Free(context, glyph);\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 79982794427439063948353495387790985929, "size": 33, "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 0, "dataset": "other", "idx": 432861 }, { "func": "static void printsub(struct Curl_easy *data,\n int direction, /* '<' or '>' */\n unsigned char *pointer, /* where suboption data is */\n size_t length) /* length of suboption data */\n{\n if(data->set.verbose) {\n unsigned int i = 0;\n if(direction) {\n infof(data, \"%s IAC SB \", (direction == '<')? 
\"RCVD\":\"SENT\");\n if(length >= 3) {\n int j;\n\n i = pointer[length-2];\n j = pointer[length-1];\n\n if(i != CURL_IAC || j != CURL_SE) {\n infof(data, \"(terminated by \");\n if(CURL_TELOPT_OK(i))\n infof(data, \"%s \", CURL_TELOPT(i));\n else if(CURL_TELCMD_OK(i))\n infof(data, \"%s \", CURL_TELCMD(i));\n else\n infof(data, \"%u \", i);\n if(CURL_TELOPT_OK(j))\n infof(data, \"%s\", CURL_TELOPT(j));\n else if(CURL_TELCMD_OK(j))\n infof(data, \"%s\", CURL_TELCMD(j));\n else\n infof(data, \"%d\", j);\n infof(data, \", not IAC SE!) \");\n }\n }\n length -= 2;\n }\n if(length < 1) {\n infof(data, \"(Empty suboption?)\");\n return;\n }\n\n if(CURL_TELOPT_OK(pointer[0])) {\n switch(pointer[0]) {\n case CURL_TELOPT_TTYPE:\n case CURL_TELOPT_XDISPLOC:\n case CURL_TELOPT_NEW_ENVIRON:\n case CURL_TELOPT_NAWS:\n infof(data, \"%s\", CURL_TELOPT(pointer[0]));\n break;\n default:\n infof(data, \"%s (unsupported)\", CURL_TELOPT(pointer[0]));\n break;\n }\n }\n else\n infof(data, \"%d (unknown)\", pointer[i]);\n\n switch(pointer[0]) {\n case CURL_TELOPT_NAWS:\n if(length > 4)\n infof(data, \"Width: %d ; Height: %d\", (pointer[1]<<8) | pointer[2],\n (pointer[3]<<8) | pointer[4]);\n break;\n default:\n switch(pointer[1]) {\n case CURL_TELQUAL_IS:\n infof(data, \" IS\");\n break;\n case CURL_TELQUAL_SEND:\n infof(data, \" SEND\");\n break;\n case CURL_TELQUAL_INFO:\n infof(data, \" INFO/REPLY\");\n break;\n case CURL_TELQUAL_NAME:\n infof(data, \" NAME\");\n break;\n }\n\n switch(pointer[0]) {\n case CURL_TELOPT_TTYPE:\n case CURL_TELOPT_XDISPLOC:\n pointer[length] = 0;\n infof(data, \" \\\"%s\\\"\", &pointer[2]);\n break;\n case CURL_TELOPT_NEW_ENVIRON:\n if(pointer[1] == CURL_TELQUAL_IS) {\n infof(data, \" \");\n for(i = 3; i < length; i++) {\n switch(pointer[i]) {\n case CURL_NEW_ENV_VAR:\n infof(data, \", \");\n break;\n case CURL_NEW_ENV_VALUE:\n infof(data, \" = \");\n break;\n default:\n infof(data, \"%c\", pointer[i]);\n break;\n }\n }\n }\n break;\n default:\n for(i = 2; 
i < length; i++)\n infof(data, \" %.2x\", pointer[i]);\n break;\n }\n }\n if(direction)\n infof(data, \"\\n\");\n }\n}", "project": "curl", "hash": 107780003244945718171113965764278638402, "size": 111, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 0, "dataset": "other", "idx": 481503 }, { "func": "static int syndbg_get_msr(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata, bool host)\n{\n\tstruct kvm_hv_syndbg *syndbg = to_hv_syndbg(vcpu);\n\n\tif (!kvm_hv_is_syndbg_enabled(vcpu) && !host)\n\t\treturn 1;\n\n\tswitch (msr) {\n\tcase HV_X64_MSR_SYNDBG_CONTROL:\n\t\t*pdata = syndbg->control.control;\n\t\tbreak;\n\tcase HV_X64_MSR_SYNDBG_STATUS:\n\t\t*pdata = syndbg->control.status;\n\t\tbreak;\n\tcase HV_X64_MSR_SYNDBG_SEND_BUFFER:\n\t\t*pdata = syndbg->control.send_page;\n\t\tbreak;\n\tcase HV_X64_MSR_SYNDBG_RECV_BUFFER:\n\t\t*pdata = syndbg->control.recv_page;\n\t\tbreak;\n\tcase HV_X64_MSR_SYNDBG_PENDING_BUFFER:\n\t\t*pdata = syndbg->control.pending_page;\n\t\tbreak;\n\tcase HV_X64_MSR_SYNDBG_OPTIONS:\n\t\t*pdata = syndbg->options;\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\n\ttrace_kvm_hv_syndbg_get_msr(vcpu->vcpu_id, kvm_hv_get_vpindex(vcpu), msr, *pdata);\n\n\treturn 0;\n}", "project": "linux", "hash": 283467028841604152589645534821852061214, "size": 34, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 
arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343481 }, { "func": "void kvm_set_pfn_accessed(kvm_pfn_t pfn)\n{\n\tif (!kvm_is_reserved_pfn(pfn) && !kvm_is_zone_device_pfn(pfn))\n\t\tmark_page_accessed(pfn_to_page(pfn));\n}", "project": "linux", "hash": 53581553350523711389440718015542376047, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: 
Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354652 }, { "func": "inline strhash_t StringData::hash(const char* s, size_t len) {\n return hash_string_i(s, len);\n}", "project": "hhvm", "hash": 298228525041018506662110148030796015876, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219410 }, { "func": "inline strhash_t StringData::hash() const {\n strhash_t h = m_hash & STRHASH_MASK;\n return h ? h : hashHelper();\n}", "project": "hhvm", "hash": 159634190557457019022580914235165629190, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219609 }, { "func": "uint16_t inline PatAndRepl::hash(int start, int len) const {\n assertx(pat.size() >= start + len);\n return strtr_hash(pat.data() + start, len);\n};", "project": "hhvm", "hash": 260755094520322546806096582536130765394, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219810 }, { "func": "static int sctp_setsockopt_paddr_thresholds(struct sock *sk,\n\t\t\t\t\t struct sctp_paddrthlds_v2 *val,\n\t\t\t\t\t unsigned int optlen, bool v2)\n{\n\tstruct sctp_transport *trans;\n\tstruct sctp_association *asoc;\n\tint len;\n\n\tlen = v2 ? 
sizeof(*val) : sizeof(struct sctp_paddrthlds);\n\tif (optlen < len)\n\t\treturn -EINVAL;\n\n\tif (v2 && val->spt_pathpfthld > val->spt_pathcpthld)\n\t\treturn -EINVAL;\n\n\tif (!sctp_is_any(sk, (const union sctp_addr *)&val->spt_address)) {\n\t\ttrans = sctp_addr_id2transport(sk, &val->spt_address,\n\t\t\t\t\t val->spt_assoc_id);\n\t\tif (!trans)\n\t\t\treturn -ENOENT;\n\n\t\tif (val->spt_pathmaxrxt)\n\t\t\ttrans->pathmaxrxt = val->spt_pathmaxrxt;\n\t\tif (v2)\n\t\t\ttrans->ps_retrans = val->spt_pathcpthld;\n\t\ttrans->pf_retrans = val->spt_pathpfthld;\n\n\t\treturn 0;\n\t}\n\n\tasoc = sctp_id2assoc(sk, val->spt_assoc_id);\n\tif (!asoc && val->spt_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc) {\n\t\tlist_for_each_entry(trans, &asoc->peer.transport_addr_list,\n\t\t\t\t transports) {\n\t\t\tif (val->spt_pathmaxrxt)\n\t\t\t\ttrans->pathmaxrxt = val->spt_pathmaxrxt;\n\t\t\tif (v2)\n\t\t\t\ttrans->ps_retrans = val->spt_pathcpthld;\n\t\t\ttrans->pf_retrans = val->spt_pathpfthld;\n\t\t}\n\n\t\tif (val->spt_pathmaxrxt)\n\t\t\tasoc->pathmaxrxt = val->spt_pathmaxrxt;\n\t\tif (v2)\n\t\t\tasoc->ps_retrans = val->spt_pathcpthld;\n\t\tasoc->pf_retrans = val->spt_pathpfthld;\n\t} else {\n\t\tstruct sctp_sock *sp = sctp_sk(sk);\n\n\t\tif (val->spt_pathmaxrxt)\n\t\t\tsp->pathmaxrxt = val->spt_pathmaxrxt;\n\t\tif (v2)\n\t\t\tsp->ps_retrans = val->spt_pathcpthld;\n\t\tsp->pf_retrans = val->spt_pathpfthld;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 44843011217872304835369423151793048943, "size": 62, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398094 }, { "func": "static void tcp_update_cwnd_in_recovery(struct sock *sk, int newly_acked_sacked,\n\t\t\t\t\tint fast_rexmit, int flag)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tint sndcnt = 0;\n\tint delta = tp->snd_ssthresh - tcp_packets_in_flight(tp);\n\n\tif (tcp_packets_in_flight(tp) > tp->snd_ssthresh) {\n\t\tu64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered +\n\t\t\t tp->prior_cwnd - 1;\n\t\tsndcnt = div_u64(dividend, tp->prior_cwnd) - tp->prr_out;\n\t} else {\n\t\tsndcnt = min_t(int, delta,\n\t\t\t max_t(int, tp->prr_delivered - tp->prr_out,\n\t\t\t\t newly_acked_sacked) + 1);\n\t}\n\n\tsndcnt = max(sndcnt, (fast_rexmit ? 1 : 0));\n\ttp->snd_cwnd = tcp_packets_in_flight(tp) + sndcnt;\n}", "project": "net-next", "hash": 237519313681513794917112432897670928119, "size": 20, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409849 }, { "project": "Chrome", "commit_id": "de5aa214ea77b3d2c4ff8a0c58f446896c107ce0", "target": 1, "func": " bool TranslateManager::IsTranslatableURL(const GURL& url) {\n return !url.SchemeIs(\"chrome\") && !url.SchemeIs(\"ftp\");\n }\n", "cwe": "", "big_vul_idx": 184203, "idx": 5195, "hash": 20652547426391300348351414890207477713 }, { "project": "Chrome", "commit_id": "de5aa214ea77b3d2c4ff8a0c58f446896c107ce0", "target": 0, "func": " bool TranslateManager::IsTranslatableURL(const GURL& url) {\n // A URLs is translatable unless it is one of the following:\n // - an internal URL (chrome:// and others)\n // - the devtools (which is considered UI)\n // - an FTP page (as FTP pages tend to have long lists of filenames that may\n // confuse the CLD)\n return !url.SchemeIs(chrome::kChromeUIScheme) &&\n !url.SchemeIs(chrome::kChromeDevToolsScheme) &&\n !url.SchemeIs(chrome::kFtpScheme);\n }\n", "cwe": "", "big_vul_idx": 184203, "idx": 162323, "hash": 230694675158635713903341958826298115184 }, { "func": "void opj_tcd_destroy(opj_tcd_t *tcd)\n{\n if (tcd) {\n opj_tcd_free_tile(tcd);\n\n if (tcd->tcd_image) {\n opj_free(tcd->tcd_image);\n tcd->tcd_image = 00;\n }\n\n opj_free(tcd->used_component);\n\n opj_free(tcd);\n }\n}", "project": "openjpeg", "hash": 161484100919507457479380356788992036772, "size": 15, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359169 }, { "func": "encode_layoutget(struct xdr_stream *xdr,\n\t\t const struct nfs4_layoutget_args *args,\n\t\t struct compound_hdr *hdr)\n{\n\t__be32 *p;\n\n\tencode_op_hdr(xdr, OP_LAYOUTGET, decode_layoutget_maxsz, hdr);\n\tp = reserve_space(xdr, 36);\n\t*p++ = cpu_to_be32(0); /* Signal layout available */\n\t*p++ = cpu_to_be32(args->type);\n\t*p++ = cpu_to_be32(args->range.iomode);\n\tp = xdr_encode_hyper(p, 
args->range.offset);\n\tp = xdr_encode_hyper(p, args->range.length);\n\tp = xdr_encode_hyper(p, args->minlength);\n\tencode_nfs4_stateid(xdr, &args->stateid);\n\tencode_uint32(xdr, args->maxcount);\n\n\tdprintk(\"%s: 1st type:0x%x iomode:%d off:%lu len:%lu mc:%d\\n\",\n\t\t__func__,\n\t\targs->type,\n\t\targs->range.iomode,\n\t\t(unsigned long)args->range.offset,\n\t\t(unsigned long)args->range.length,\n\t\targs->maxcount);\n}", "project": "linux", "hash": 24278900911706545131541490525383214005, "size": 25, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430969 }, { "func": "static void encode_op_hdr(struct xdr_stream *xdr, enum nfs_opnum4 op,\n\t\tuint32_t replen,\n\t\tstruct compound_hdr *hdr)\n{\n\tencode_uint32(xdr, op);\n\thdr->nops++;\n\thdr->replen += replen;\n}", "project": "linux", "hash": 95805026175765475896194885018119760739, "size": 8, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431033 }, { "func": "encode_setacl(struct xdr_stream *xdr, const struct nfs_setaclargs *arg,\n\t\tstruct compound_hdr *hdr)\n{\n\t__be32 *p;\n\n\tencode_op_hdr(xdr, OP_SETATTR, decode_setacl_maxsz, 
hdr);\n\tencode_nfs4_stateid(xdr, &zero_stateid);\n\tp = reserve_space(xdr, 2*4);\n\t*p++ = cpu_to_be32(1);\n\t*p = cpu_to_be32(FATTR4_WORD0_ACL);\n\tp = reserve_space(xdr, 4);\n\t*p = cpu_to_be32(arg->acl_len);\n\txdr_write_pages(xdr, arg->acl_pages, 0, arg->acl_len);\n}", "project": "linux", "hash": 236417551809010947828108082745660739286, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431344 }, { "func": "encode_layoutreturn(struct xdr_stream *xdr,\n\t\t const struct nfs4_layoutreturn_args *args,\n\t\t struct compound_hdr *hdr)\n{\n\t__be32 *p;\n\n\tencode_op_hdr(xdr, OP_LAYOUTRETURN, decode_layoutreturn_maxsz, hdr);\n\tp = reserve_space(xdr, 16);\n\t*p++ = cpu_to_be32(0);\t\t/* reclaim. 
always 0 for now */\n\t*p++ = cpu_to_be32(args->layout_type);\n\t*p++ = cpu_to_be32(args->range.iomode);\n\t*p = cpu_to_be32(RETURN_FILE);\n\tp = reserve_space(xdr, 16);\n\tp = xdr_encode_hyper(p, args->range.offset);\n\tp = xdr_encode_hyper(p, args->range.length);\n\tspin_lock(&args->inode->i_lock);\n\tencode_nfs4_stateid(xdr, &args->stateid);\n\tspin_unlock(&args->inode->i_lock);\n\tif (args->ld_private->ops && args->ld_private->ops->encode)\n\t\targs->ld_private->ops->encode(xdr, args, args->ld_private);\n\telse\n\t\tencode_uint32(xdr, 0);\n}", "project": "linux", "hash": 86392191392610252855511264232352603989, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431358 }, { "func": "encode_getdeviceinfo(struct xdr_stream *xdr,\n\t\t const struct nfs4_getdeviceinfo_args *args,\n\t\t struct compound_hdr *hdr)\n{\n\t__be32 *p;\n\n\tencode_op_hdr(xdr, OP_GETDEVICEINFO, decode_getdeviceinfo_maxsz, hdr);\n\tp = reserve_space(xdr, NFS4_DEVICEID4_SIZE + 4 + 4);\n\tp = xdr_encode_opaque_fixed(p, args->pdev->dev_id.data,\n\t\t\t\t NFS4_DEVICEID4_SIZE);\n\t*p++ = cpu_to_be32(args->pdev->layout_type);\n\t*p++ = cpu_to_be32(args->pdev->maxcount);\t/* gdia_maxcount */\n\n\tp = reserve_space(xdr, 4 + 4);\n\t*p++ = cpu_to_be32(1);\t\t\t/* bitmap length */\n\t*p++ = cpu_to_be32(args->notify_types);\n}", "project": "linux", "hash": 135600904561097774442426930586810301198, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to 
decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431484 }, { "func": "static int de_thread(struct task_struct *tsk)\n{\n\tstruct signal_struct *sig = tsk->signal;\n\tstruct sighand_struct *oldsighand = tsk->sighand;\n\tspinlock_t *lock = &oldsighand->siglock;\n\n\tif (thread_group_empty(tsk))\n\t\tgoto no_thread_group;\n\n\t/*\n\t * Kill all other threads in the thread group.\n\t */\n\tspin_lock_irq(lock);\n\tif (signal_group_exit(sig)) {\n\t\t/*\n\t\t * Another group action in progress, just\n\t\t * return so that the signal is processed.\n\t\t */\n\t\tspin_unlock_irq(lock);\n\t\treturn -EAGAIN;\n\t}\n\n\tsig->group_exit_task = tsk;\n\tsig->notify_count = zap_other_threads(tsk);\n\tif (!thread_group_leader(tsk))\n\t\tsig->notify_count--;\n\n\twhile (sig->notify_count) {\n\t\t__set_current_state(TASK_KILLABLE);\n\t\tspin_unlock_irq(lock);\n\t\tschedule();\n\t\tif (__fatal_signal_pending(tsk))\n\t\t\tgoto killed;\n\t\tspin_lock_irq(lock);\n\t}\n\tspin_unlock_irq(lock);\n\n\t/*\n\t * At this point all other threads have exited, all we have to\n\t * do is to wait for the thread group leader to become inactive,\n\t * and to assume its PID:\n\t */\n\tif (!thread_group_leader(tsk)) {\n\t\tstruct task_struct *leader = tsk->group_leader;\n\n\t\tfor (;;) {\n\t\t\tcgroup_threadgroup_change_begin(tsk);\n\t\t\twrite_lock_irq(&tasklist_lock);\n\t\t\t/*\n\t\t\t * Do this under tasklist_lock to ensure that\n\t\t\t * exit_notify() can't miss ->group_exit_task\n\t\t\t */\n\t\t\tsig->notify_count = -1;\n\t\t\tif (likely(leader->exit_state))\n\t\t\t\tbreak;\n\t\t\t__set_current_state(TASK_KILLABLE);\n\t\t\twrite_unlock_irq(&tasklist_lock);\n\t\t\tcgroup_threadgroup_change_end(tsk);\n\t\t\tschedule();\n\t\t\tif 
(__fatal_signal_pending(tsk))\n\t\t\t\tgoto killed;\n\t\t}\n\n\t\t/*\n\t\t * The only record we have of the real-time age of a\n\t\t * process, regardless of execs it's done, is start_time.\n\t\t * All the past CPU time is accumulated in signal_struct\n\t\t * from sister threads now dead. But in this non-leader\n\t\t * exec, nothing survives from the original leader thread,\n\t\t * whose birth marks the true age of this process now.\n\t\t * When we take on its identity by switching to its PID, we\n\t\t * also take its birthdate (always earlier than our own).\n\t\t */\n\t\ttsk->start_time = leader->start_time;\n\t\ttsk->start_boottime = leader->start_boottime;\n\n\t\tBUG_ON(!same_thread_group(leader, tsk));\n\t\tBUG_ON(has_group_leader_pid(tsk));\n\t\t/*\n\t\t * An exec() starts a new thread group with the\n\t\t * TGID of the previous thread group. Rehash the\n\t\t * two threads with a switched PID, and release\n\t\t * the former thread group leader:\n\t\t */\n\n\t\t/* Become a process group leader with the old leader's pid.\n\t\t * The old leader becomes a thread of the this thread group.\n\t\t * Note: The old leader also uses this pid until release_task\n\t\t * is called. Odd but simple and correct.\n\t\t */\n\t\ttsk->pid = leader->pid;\n\t\tchange_pid(tsk, PIDTYPE_PID, task_pid(leader));\n\t\ttransfer_pid(leader, tsk, PIDTYPE_TGID);\n\t\ttransfer_pid(leader, tsk, PIDTYPE_PGID);\n\t\ttransfer_pid(leader, tsk, PIDTYPE_SID);\n\n\t\tlist_replace_rcu(&leader->tasks, &tsk->tasks);\n\t\tlist_replace_init(&leader->sibling, &tsk->sibling);\n\n\t\ttsk->group_leader = tsk;\n\t\tleader->group_leader = tsk;\n\n\t\ttsk->exit_signal = SIGCHLD;\n\t\tleader->exit_signal = -1;\n\n\t\tBUG_ON(leader->exit_state != EXIT_ZOMBIE);\n\t\tleader->exit_state = EXIT_DEAD;\n\n\t\t/*\n\t\t * We are going to release_task()->ptrace_unlink() silently,\n\t\t * the tracer can sleep in do_wait(). 
EXIT_DEAD guarantees\n\t\t * the tracer wont't block again waiting for this thread.\n\t\t */\n\t\tif (unlikely(leader->ptrace))\n\t\t\t__wake_up_parent(leader, leader->parent);\n\t\twrite_unlock_irq(&tasklist_lock);\n\t\tcgroup_threadgroup_change_end(tsk);\n\n\t\trelease_task(leader);\n\t}\n\n\tsig->group_exit_task = NULL;\n\tsig->notify_count = 0;\n\nno_thread_group:\n\t/* we have changed execution domain */\n\ttsk->exit_signal = SIGCHLD;\n\n\tBUG_ON(!thread_group_leader(tsk));\n\treturn 0;\n\nkilled:\n\t/* protects against exit_notify() and __exit_signal() */\n\tread_lock(&tasklist_lock);\n\tsig->group_exit_task = NULL;\n\tsig->notify_count = 0;\n\tread_unlock(&tasklist_lock);\n\treturn -EAGAIN;\n}", "project": "linux", "hash": 132812988047259965679161114602295927698, "size": 139, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375311 }, { "func": "JOIN::add_sorting_to_table(JOIN_TAB *tab, ORDER *order)\n{\n tab->filesort= \n new (thd->mem_root) Filesort(order, HA_POS_ERROR, tab->keep_current_rowid,\n tab->select);\n if (!tab->filesort)\n return true;\n /*\n Select was moved to filesort->select to force join_init_read_record to use\n sorted result instead of reading table through select.\n */\n if (tab->select)\n {\n tab->select= NULL;\n tab->set_select_cond(NULL, __LINE__);\n }\n tab->read_first_record= join_init_read_record;\n return false;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 146860103738806256443454543440074515957, "size": 19, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508569 }, { "func": "static int strncmp_skip_color_codes(const char *s1, const char *s2, int n) {\n\tint i = 0, j = 0;\n\tint count = 0;\n\tfor (i = 0, j = 0; s1[i] && s2[j] && count < n; i++, j++, count++) {\n\t\twhile (s1[i] == 0x1b) {\n\t\t\twhile (s1[i] && s1[i] != 'm') {\n\t\t\t\ti++;\n\t\t\t}\n\t\t\tif (s1[i]) {\n\t\t\t\ti++;\n\t\t\t}\n\t\t}\n\t\twhile (s2[j] == 0x1b) {\n\t\t\twhile (s2[j] && s2[j] != 'm') {\n\t\t\t\tj++;\n\t\t\t}\n\t\t\tif (s2[j]) {\n\t\t\t\tj++;\n\t\t\t}\n\t\t}\n\t\tif (s1[i] != s2[j]) {\n\t\t\treturn -1;\n\t\t}\n\t}\n\n\tif (count < n && s1[i] != s2[j]) {\n\t\treturn -1;\n\t}\n\n\treturn 0;\n}", "project": "radare2", "hash": 177766802417804302560829406067406260067, "size": 31, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268848 }, { "func": "int mnt_optstr_get_options(const char *optstr, char **subset,\n\t\t\t const struct libmnt_optmap *map, int ignore)\n{\n\tstruct libmnt_optmap const *maps[1];\n\tstruct ul_buffer buf = UL_INIT_BUFFER;\n\tchar *name, *val, *str = (char *) optstr;\n\tsize_t namesz, valsz;\n\tint rc = 0;\n\n\tif (!optstr || !subset)\n\t\treturn -EINVAL;\n\n\tmaps[0] = map;\n\n\tul_buffer_set_chunksize(&buf, strlen(optstr)/2);\n\n\twhile (!mnt_optstr_next_option(&str, &name, &namesz, &val, &valsz)) {\n\t\tconst struct libmnt_optmap *ent;\n\n\t\tmnt_optmap_get_entry(maps, 1, name, namesz, &ent);\n\n\t\tif (!ent || !ent->id)\n\t\t\tcontinue;\t/* ignore undefined options (comments) */\n\n\t\tif (ignore && (ent->mask & ignore))\n\t\t\tcontinue;\n\n\t\t/* ignore name= if options map expects only */\n\t\tif (valsz && mnt_optmap_entry_novalue(ent))\n\t\t\tcontinue;\n\n\t\trc = __buffer_append_option(&buf, name, namesz, val, valsz);\n\t\tif (rc)\n\t\t\tbreak;\n\t}\n\n\t*subset = rc ? 
NULL : ul_buffer_get_data(&buf, NULL, NULL);\n\tif (rc)\n\t\tul_buffer_free_data(&buf);\n\treturn rc;\n}", "project": "util-linux", "hash": 316190598492299065475635626781925087987, "size": 41, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410419 }, { "func": " Item_ref_null_helper(THD *thd, Name_resolution_context *context_arg,\n Item_in_subselect* master, Item **item,\n\t\t const char *table_name_arg, const char *field_name_arg):\n Item_ref(thd, context_arg, item, table_name_arg, field_name_arg),\n owner(master) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 218202456194176077410951304969892560548, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509074 }, { "func": "static int vmrun_interception(struct vcpu_svm *svm)\n{\n\tif (nested_svm_check_permissions(svm))\n\t\treturn 1;\n\n\treturn nested_svm_vmrun(svm);\n}", "project": "linux", "hash": 20834164584422987857352894399617333487, "size": 7, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432572 }, { "func": "static int vmrun_interception(struct vcpu_svm *svm)\n{\n\tif (nested_svm_check_permissions(svm))\n\t\treturn 1;\n\n\t/* Save rip after vmrun instruction */\n\tkvm_rip_write(&svm->vcpu, kvm_rip_read(&svm->vcpu) + 3);\n\n\tif (!nested_svm_vmrun(svm))\n\t\treturn 1;\n\n\tif (!nested_svm_vmrun_msrpm(svm))\n\t\tgoto failed;\n\n\treturn 1;\n\nfailed:\n\n\tsvm->vmcb->control.exit_code = SVM_EXIT_ERR;\n\tsvm->vmcb->control.exit_code_hi = 0;\n\tsvm->vmcb->control.exit_info_1 = 0;\n\tsvm->vmcb->control.exit_info_2 = 0;\n\n\tnested_svm_vmexit(svm);\n\n\treturn 1;\n}", "project": "kvm", "hash": 125043044785952637574167888758482764529, "size": 27, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). 
However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437580 }, { "func": "static u64 svm_get_dr6(struct kvm_vcpu *vcpu)\n{\n\treturn to_svm(vcpu)->vmcb->save.dr6;\n}", "project": "linux", "hash": 211775760865355677076978966317801142761, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432545 }, { "func": "static ssize_t fuse_fill_write_pages(struct fuse_args_pages *ap,\n\t\t\t\t struct address_space *mapping,\n\t\t\t\t struct iov_iter *ii, loff_t pos,\n\t\t\t\t unsigned int max_pages)\n{\n\tstruct fuse_conn *fc = get_fuse_conn(mapping->host);\n\tunsigned offset = pos & (PAGE_SIZE - 1);\n\tsize_t count = 0;\n\tint err;\n\n\tap->args.in_pages = true;\n\tap->descs[0].offset = offset;\n\n\tdo {\n\t\tsize_t tmp;\n\t\tstruct page *page;\n\t\tpgoff_t index = pos >> PAGE_SHIFT;\n\t\tsize_t bytes = min_t(size_t, PAGE_SIZE - offset,\n\t\t\t\t iov_iter_count(ii));\n\n\t\tbytes = min_t(size_t, bytes, fc->max_write - count);\n\n again:\n\t\terr = -EFAULT;\n\t\tif (iov_iter_fault_in_readable(ii, bytes))\n\t\t\tbreak;\n\n\t\terr = -ENOMEM;\n\t\tpage = grab_cache_page_write_begin(mapping, index, 0);\n\t\tif (!page)\n\t\t\tbreak;\n\n\t\tif (mapping_writably_mapped(mapping))\n\t\t\tflush_dcache_page(page);\n\n\t\ttmp = iov_iter_copy_from_user_atomic(page, ii, offset, bytes);\n\t\tflush_dcache_page(page);\n\n\t\tiov_iter_advance(ii, tmp);\n\t\tif (!tmp) {\n\t\t\tunlock_page(page);\n\t\t\tput_page(page);\n\t\t\tbytes = min(bytes, iov_iter_single_seg_count(ii));\n\t\t\tgoto again;\n\t\t}\n\n\t\terr = 0;\n\t\tap->pages[ap->num_pages] = page;\n\t\tap->descs[ap->num_pages].length = tmp;\n\t\tap->num_pages++;\n\n\t\tcount += tmp;\n\t\tpos += tmp;\n\t\toffset += tmp;\n\t\tif (offset == PAGE_SIZE)\n\t\t\toffset = 0;\n\n\t\tif (!fc->big_writes)\n\t\t\tbreak;\n\t} while (iov_iter_count(ii) && count < fc->max_write &&\n\t\t ap->num_pages < max_pages && offset == 0);\n\n\treturn count > 0 ? 
count : err;\n}", "project": "linux", "hash": 169681706267021600062878228651273018876, "size": 64, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342072 }, { "func": " */\nstatic enum hrtimer_restart bfq_idle_slice_timer(struct hrtimer *timer)\n{\n\tstruct bfq_data *bfqd = container_of(timer, struct bfq_data,\n\t\t\t\t\t idle_slice_timer);\n\tstruct bfq_queue *bfqq = bfqd->in_service_queue;\n\n\t/*\n\t * Theoretical race here: the in-service queue can be NULL or\n\t * different from the queue that was idling if a new request\n\t * arrives for the current queue and there is a full dispatch\n\t * cycle that changes the in-service queue. 
This can hardly\n\t * happen, but in the worst case we just expire a queue too\n\t * early.\n\t */\n\tif (bfqq)\n\t\tbfq_idle_slice_timer_body(bfqd, bfqq);\n\n\treturn HRTIMER_NORESTART;", "project": "linux", "hash": 204387811118651489911854366274432156880, "size": 19, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453358 }, { "func": "static int exif_file_sections_realloc(image_info_type *ImageInfo,\n int section_index, size_t size) {\n void *tmp;\n\n /* This is not a malloc/realloc check. 
It is a plausibility check for the\n * function parameters (requirements engineering).\n */\n if (section_index >= ImageInfo->file.count) {\n raise_warning(\"Illegal reallocating of undefined file section\");\n return -1;\n }\n tmp = IM_REALLOC(ImageInfo->file.list[section_index].data, size);\n CHECK_ALLOC_R(tmp, size, -1);\n ImageInfo->file.list[section_index].data = (unsigned char *)tmp;\n ImageInfo->file.list[section_index].size = size;\n return 0;\n}", "project": "hhvm", "hash": 193237926283750417076734830336086154810, "size": 17, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219112 }, { "func": "static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_read_num_supported_iac *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->num_iac = rp->num_iac;\n\n\tBT_DBG(\"%s num iac %d\", hdev->name, hdev->num_iac);\n}", "project": "linux", "hash": 30468560380433844259219565485235185611, "size": 14, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432028 }, { "func": "int kvm_s390_vcpu_setup_cmma(struct kvm_vcpu *vcpu)\n{\n\tvcpu->arch.sie_block->cbrlo = get_zeroed_page(GFP_KERNEL);\n\tif (!vcpu->arch.sie_block->cbrlo)\n\t\treturn -ENOMEM;\n\treturn 0;\n}", "project": "linux", "hash": 95977277150330693345486149645125411205, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354687 }, { "func": "static void init_std_data(struct entropy_store *r)\n{\n\tktime_t now;\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&r->lock, flags);\n\tr->entropy_count = 0;\n\tspin_unlock_irqrestore(&r->lock, flags);\n\n\tnow = ktime_get_real();\n\tmix_pool_bytes(r, &now, sizeof(now));\n\tmix_pool_bytes(r, utsname(), sizeof(*(utsname())));\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 256258926589397523579035303450359635071, "size": 13, "message": "random: make get_random_int() more random\n\nIt's a really 
simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. 
I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499902 }, { "func": "pop_args ()\n{\n#if defined (ARRAY_VARS) && defined (DEBUGGER)\n SHELL_VAR *bash_argv_v, *bash_argc_v;\n ARRAY *bash_argv_a, *bash_argc_a;\n ARRAY_ELEMENT *ce;\n intmax_t i;\n\n GET_ARRAY_FROM_VAR (\"BASH_ARGV\", bash_argv_v, bash_argv_a);\n GET_ARRAY_FROM_VAR (\"BASH_ARGC\", bash_argc_v, bash_argc_a);\n\n ce = array_shift (bash_argc_a, 1, 0);\n if (ce == 0 || legal_number (element_value (ce), &i) == 0)\n i = 0;\n\n for ( ; i > 0; i--)\n array_pop (bash_argv_a);\n array_dispose_element (ce);\n#endif /* ARRAY_VARS && DEBUGGER */\n}", "project": "bash", "hash": 94305724504912907394648987802521918355, "size": 20, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379425 }, { "func": "push_args (list)\n WORD_LIST *list;\n{\n#if defined (ARRAY_VARS) && defined (DEBUGGER)\n SHELL_VAR *bash_argv_v, *bash_argc_v;\n ARRAY *bash_argv_a, *bash_argc_a;\n WORD_LIST *l;\n arrayind_t i;\n char *t;\n\n GET_ARRAY_FROM_VAR (\"BASH_ARGV\", bash_argv_v, bash_argv_a);\n GET_ARRAY_FROM_VAR (\"BASH_ARGC\", bash_argc_v, bash_argc_a);\n\n for (l = list, i = 0; l; l = l->next, i++)\n array_push (bash_argv_a, l->word->word);\n\n t = itos (i);\n array_push (bash_argc_a, t);\n free (t);\n#endif /* ARRAY_VARS && DEBUGGER */\n}", "project": "bash", "hash": 192078609095343719280768913215288230663, "size": 21, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379554 }, { "func": "void extcap_interfaces() {\n printf(\"extcap {version=%s}\\n\", ndpi_revision());\n printf(\"interface {value=ndpi}{display=nDPI interface}\\n\");\n exit(0);\n}", 
"project": "nDPI", "hash": 36096365554513055093705310551336093304, "size": 5, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254856 }, { "func": "static void SFDParseChainContext(FILE *sfd,SplineFont *sf,FPST *fpst, char *tok, int old) {\n int ch, i, j, k, temp;\n SplineFont *sli_sf = sf->cidmaster ? sf->cidmaster : sf;\n\n fpst->type = strnmatch(tok,\"ContextPos\",10)==0 ? pst_contextpos :\n\t\tstrnmatch(tok,\"ContextSub\",10)==0 ? pst_contextsub :\n\t\tstrnmatch(tok,\"ChainPos\",8)==0 ? pst_chainpos :\n\t\tstrnmatch(tok,\"ChainSub\",8)==0 ? pst_chainsub : pst_reversesub;\n getname(sfd,tok);\n fpst->format = strmatch(tok,\"glyph\")==0 ? pst_glyphs :\n\t\t strmatch(tok,\"class\")==0 ? pst_class :\n\t\t strmatch(tok,\"coverage\")==0 ? pst_coverage : pst_reversecoverage;\n if ( old ) {\n\tfscanf(sfd, \"%hu %hu\", &((FPST1 *) fpst)->flags, &((FPST1 *) fpst)->script_lang_index );\n\tif ( ((FPST1 *) fpst)->script_lang_index>=((SplineFont1 *) sli_sf)->sli_cnt && ((FPST1 *) fpst)->script_lang_index!=SLI_NESTED ) {\n\t static int complained=false;\n\t if ( ((SplineFont1 *) sli_sf)->sli_cnt==0 )\n\t\tIError(\"'%c%c%c%c' has a script index out of bounds: %d\\nYou MUST fix this manually\",\n\t\t\t(((FPST1 *) fpst)->tag>>24), (((FPST1 *) fpst)->tag>>16)&0xff, (((FPST1 *) fpst)->tag>>8)&0xff, ((FPST1 *) fpst)->tag&0xff,\n\t\t\t((FPST1 *) fpst)->script_lang_index );\n\t else if ( !complained )\n\t\tIError(\"'%c%c%c%c' has a script index out of bounds: %d\",\n\t\t\t(((FPST1 *) fpst)->tag>>24), (((FPST1 *) fpst)->tag>>16)&0xff, (((FPST1 *) fpst)->tag>>8)&0xff, ((FPST1 *) fpst)->tag&0xff,\n\t\t\t((FPST1 *) fpst)->script_lang_index );\n\t else\n\t\tIError(\"'%c%c%c%c' has a script index out of bounds: %d\\n\",\n\t\t\t(((FPST1 *) fpst)->tag>>24), (((FPST1 *) 
fpst)->tag>>16)&0xff, (((FPST1 *) fpst)->tag>>8)&0xff, ((FPST1 *) fpst)->tag&0xff,\n\t\t\t((FPST1 *) fpst)->script_lang_index );\n\t if ( ((SplineFont1 *) sli_sf)->sli_cnt!=0 )\n\t\t((FPST1 *) fpst)->script_lang_index = ((SplineFont1 *) sli_sf)->sli_cnt-1;\n\t complained = true;\n\t}\n\twhile ( (ch=nlgetc(sfd))==' ' || ch=='\\t' );\n\tif ( ch=='\\'' ) {\n\t ungetc(ch,sfd);\n\t ((FPST1 *) fpst)->tag = gettag(sfd);\n\t} else\n\t ungetc(ch,sfd);\n } else {\n\tfpst->subtable = SFFindLookupSubtableAndFreeName(sf,SFDReadUTF7Str(sfd));\n if ( !fpst->subtable )\n LogError(_(\"Missing Subtable definition found in chained context\"));\n else\n\t fpst->subtable->fpst = fpst;\n }\n fscanf(sfd, \"%hu %hu %hu %hu\", &fpst->nccnt, &fpst->bccnt, &fpst->fccnt, &fpst->rule_cnt );\n if ( fpst->nccnt!=0 || fpst->bccnt!=0 || fpst->fccnt!=0 ) {\n\tfpst->nclass = malloc(fpst->nccnt*sizeof(char *));\n\tfpst->nclassnames = calloc(fpst->nccnt,sizeof(char *));\n\tif ( fpst->nccnt!=0 ) fpst->nclass[0] = NULL;\n\tif ( fpst->bccnt!=0 || fpst->fccnt!=0 ) {\n\t fpst->bclass = malloc(fpst->bccnt*sizeof(char *));\n\t fpst->bclassnames = calloc(fpst->bccnt,sizeof(char *));\n\t if (fpst->bccnt!=0 ) fpst->bclass[0] = NULL;\n\t fpst->fclass = malloc(fpst->fccnt*sizeof(char *));\n\t fpst->fclassnames = calloc(fpst->fccnt,sizeof(char *));\n\t if (fpst->fccnt!=0 ) fpst->fclass[0] = NULL;\n\t}\n }\n\n for ( j=0; j<3; ++j ) {\n\tfor ( i=1; i<(&fpst->nccnt)[j]; ++i ) {\n\t getname(sfd,tok);\n\t if ( i==1 && j==0 && strcmp(tok,\"Class0:\")==0 )\n\t\ti=0;\n\t getint(sfd,&temp);\n\t (&fpst->nclass)[j][i] = malloc(temp+1); (&fpst->nclass)[j][i][temp] = '\\0';\n\t nlgetc(sfd);\t/* skip space */\n\t fread((&fpst->nclass)[j][i],1,temp,sfd);\n\t}\n }\n\n fpst->rules = calloc(fpst->rule_cnt,sizeof(struct fpst_rule));\n for ( i=0; irule_cnt; ++i ) {\n\tswitch ( fpst->format ) {\n\t case pst_glyphs:\n\t for ( j=0; j<3; ++j ) {\n\t\tgetname(sfd,tok);\n\t\tgetint(sfd,&temp);\n\t\t(&fpst->rules[i].u.glyph.names)[j] = 
malloc(temp+1);\n\t\t(&fpst->rules[i].u.glyph.names)[j][temp] = '\\0';\n\t\tnlgetc(sfd);\t/* skip space */\n\t\tfread((&fpst->rules[i].u.glyph.names)[j],1,temp,sfd);\n\t }\n\t break;\n\t case pst_class:\n\t fscanf( sfd, \"%d %d %d\", &fpst->rules[i].u.class.ncnt, &fpst->rules[i].u.class.bcnt, &fpst->rules[i].u.class.fcnt );\n\t for ( j=0; j<3; ++j ) {\n\t\tgetname(sfd,tok);\n\t\t(&fpst->rules[i].u.class.nclasses)[j] = malloc((&fpst->rules[i].u.class.ncnt)[j]*sizeof(uint16));\n\t\tfor ( k=0; k<(&fpst->rules[i].u.class.ncnt)[j]; ++k ) {\n\t\t getusint(sfd,&(&fpst->rules[i].u.class.nclasses)[j][k]);\n\t\t}\n\t }\n\t break;\n\t case pst_coverage:\n\t case pst_reversecoverage:\n\t fscanf( sfd, \"%d %d %d\", &fpst->rules[i].u.coverage.ncnt, &fpst->rules[i].u.coverage.bcnt, &fpst->rules[i].u.coverage.fcnt );\n\t for ( j=0; j<3; ++j ) {\n\t\t(&fpst->rules[i].u.coverage.ncovers)[j] = malloc((&fpst->rules[i].u.coverage.ncnt)[j]*sizeof(char *));\n\t\tfor ( k=0; k<(&fpst->rules[i].u.coverage.ncnt)[j]; ++k ) {\n\t\t getname(sfd,tok);\n\t\t getint(sfd,&temp);\n\t\t (&fpst->rules[i].u.coverage.ncovers)[j][k] = malloc(temp+1);\n\t\t (&fpst->rules[i].u.coverage.ncovers)[j][k][temp] = '\\0';\n\t\t nlgetc(sfd);\t/* skip space */\n\t\t fread((&fpst->rules[i].u.coverage.ncovers)[j][k],1,temp,sfd);\n\t\t}\n\t }\n\t break;\n\t default:\n\t break;\n\t}\n\tswitch ( fpst->format ) {\n\t case pst_glyphs:\n\t case pst_class:\n\t case pst_coverage:\n\t getint(sfd,&fpst->rules[i].lookup_cnt);\n\t fpst->rules[i].lookups = malloc(fpst->rules[i].lookup_cnt*sizeof(struct seqlookup));\n\t for ( j=k=0; jrules[i].lookup_cnt; ++j ) {\n\t\tgetname(sfd,tok);\n\t\tgetint(sfd,&fpst->rules[i].lookups[j].seq);\n\t\tfpst->rules[i].lookups[k].lookup = SFD_ParseNestedLookup(sfd,sf,old);\n\t\tif ( fpst->rules[i].lookups[k].lookup!=NULL )\n\t\t ++k;\n\t }\n\t fpst->rules[i].lookup_cnt = k;\n\t break;\n\t case pst_reversecoverage:\n\t getname(sfd,tok);\n\t getint(sfd,&temp);\n\t 
fpst->rules[i].u.rcoverage.replacements = malloc(temp+1);\n\t fpst->rules[i].u.rcoverage.replacements[temp] = '\\0';\n\t nlgetc(sfd);\t/* skip space */\n\t fread(fpst->rules[i].u.rcoverage.replacements,1,temp,sfd);\n\t break;\n\t default:\n\t break;\n\t}\n }\n getname(sfd,tok);\t/* EndFPST, or one of the ClassName tokens (in newer sfds) */\n while ( strcmp(tok,\"ClassNames:\")==0 || strcmp(tok,\"BClassNames:\")==0 ||\n\t strcmp(tok,\"FClassNames:\")==0 ) {\n\tint which = strcmp(tok,\"ClassNames:\")==0 ? 0 :\n\t\t strcmp(tok,\"BClassNames:\")==0 ? 1 : 2;\n\tint cnt = (&fpst->nccnt)[which];\n\tchar **classnames = (&fpst->nclassnames)[which];\n\tint i;\n\n\tfor ( i=0; ifontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417929 }, { "func": "static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)\n{\n\tstruct hci_cp_reject_conn_req cp;\n\n\tbacpy(&cp.bdaddr, bdaddr);\n\tcp.reason = HCI_ERROR_REJ_BAD_ADDR;\n\thci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);\n}", "project": "linux", "hash": 122828184324405106866783137750872113811, "size": 8, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432015 }, { "func": "static int tioccons(struct file *file)\n{\n\tif (!capable(CAP_SYS_ADMIN))\n\t\treturn -EPERM;\n\tif (file->f_op->write == redirected_tty_write) {\n\t\tstruct file *f;\n\t\tspin_lock(&redirect_lock);\n\t\tf = redirect;\n\t\tredirect = NULL;\n\t\tspin_unlock(&redirect_lock);\n\t\tif (f)\n\t\t\tfput(f);\n\t\treturn 0;\n\t}\n\tspin_lock(&redirect_lock);\n\tif (redirect) {\n\t\tspin_unlock(&redirect_lock);\n\t\treturn -EBUSY;\n\t}\n\tredirect = get_file(file);\n\tspin_unlock(&redirect_lock);\n\treturn 0;\n}", "project": "linux", "hash": 184269875556615929518767181070388960736, "size": 23, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326026 }, { "func": "static void csi_L(struct vc_data *vc, unsigned int nr)\n{\n\tif (nr > vc->vc_rows - vc->vc_y)\n\t\tnr = vc->vc_rows - vc->vc_y;\n\telse if (!nr)\n\t\tnr = 1;\n\tcon_scroll(vc, vc->vc_y, vc->vc_bottom, SM_DOWN, nr);\n\tvc->vc_need_wrap = 0;\n}", "project": "linux", "hash": 110673649301748111815745838950848144812, "size": 9, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437067 }, { "func": "int __kmem_cache_shutdown(struct kmem_cache *s)\n{\n\tint node;\n\tstruct kmem_cache_node *n;\n\n\tflush_all(s);\n\t/* Attempt to free all objects */\n\tfor_each_kmem_cache_node(s, node, n) {\n\t\tfree_partial(s, n);\n\t\tif (n->nr_partial || slabs_node(s, node))\n\t\t\treturn 1;\n\t}\n\tsysfs_slab_remove(s);\n\treturn 0;\n}", "project": "linux", "hash": 114712347373742231386465375213565770909, "size": 15, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280256 }, { "func": "static u64 execlists_update_context(struct i915_request *rq)\n{\n\tstruct intel_context *ce = rq->hw_context;\n\tu64 desc = ce->lrc_desc;\n\tu32 tail;\n\n\t/*\n\t * WaIdleLiteRestore:bdw,skl\n\t *\n\t * We should never submit the context with the same RING_TAIL twice\n\t * just in case we submit an empty ring, which confuses the HW.\n\t *\n\t * We append a couple of NOOPs (gen8_emit_wa_tail) after the end of\n\t * the normal request to be able to always advance the RING_TAIL on\n\t * subsequent resubmissions (for lite restore). 
Should that fail us,\n\t * and we try and submit the same tail again, force the context\n\t * reload.\n\t */\n\ttail = intel_ring_set_tail(rq->ring, rq->tail);\n\tif (unlikely(ce->lrc_reg_state[CTX_RING_TAIL] == tail))\n\t\tdesc |= CTX_DESC_FORCE_RESTORE;\n\tce->lrc_reg_state[CTX_RING_TAIL] = tail;\n\trq->tail = rq->wa_tail;\n\n\t/*\n\t * Make sure the context image is complete before we submit it to HW.\n\t *\n\t * Ostensibly, writes (including the WCB) should be flushed prior to\n\t * an uncached write such as our mmio register access, the empirical\n\t * evidence (esp. on Braswell) suggests that the WC write into memory\n\t * may not be visible to the HW prior to the completion of the UC\n\t * register write and that we may begin execution from the context\n\t * before its image is complete leading to invalid PD chasing.\n\t *\n\t * Furthermore, Braswell, at least, wants a full mb to be sure that\n\t * the writes are coherent in memory (visible to the GPU) prior to\n\t * execution, and not just visible to other CPUs (as is the result of\n\t * wmb).\n\t */\n\tmb();\n\n\t/* Wa_1607138340:tgl */\n\tif (IS_TGL_REVID(rq->i915, TGL_REVID_A0, TGL_REVID_A0))\n\t\tdesc |= CTX_DESC_FORCE_RESTORE;\n\n\tce->lrc_desc &= ~CTX_DESC_FORCE_RESTORE;\n\treturn desc;\n}", "project": "linux", "hash": 20513311832205395543884347643507501266, "size": 48, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281543 }, { "func": "static inline int kvm_vcpu_exiting_guest_mode(struct kvm_vcpu *vcpu)\n{\n\t/*\n\t * The memory barrier ensures a previous write to vcpu->requests cannot\n\t * be reordered with the read of vcpu->mode. It pairs with the general\n\t * memory barrier following the write of vcpu->mode in VCPU RUN.\n\t */\n\tsmp_mb__before_atomic();\n\treturn cmpxchg(&vcpu->mode, IN_GUEST_MODE, EXITING_GUEST_MODE);\n}", "project": "linux", "hash": 101007319347563684383150508148896041199, "size": 10, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354776 }, { "func": "int safe_index_read(JOIN_TAB *tab)\n{\n int error;\n TABLE *table= tab->table;\n if (unlikely((error=\n table->file->ha_index_read_map(table->record[0],\n tab->ref.key_buff,\n make_prev_keypart_map(tab->ref.key_parts),\n HA_READ_KEY_EXACT))))\n return report_error(table, error);\n return 0;\n}", "target": 0, "cwe": [], 
"project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 273149675789931664480138171096477285313, "size": 12, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508543 }, { "func": "static int sctp_bindx_add(struct sock *sk, struct sockaddr *addrs, int addrcnt)\n{\n\tint cnt;\n\tint retval = 0;\n\tvoid *addr_buf;\n\tstruct sockaddr *sa_addr;\n\tstruct sctp_af *af;\n\n\tpr_debug(\"%s: sk:%p, addrs:%p, addrcnt:%d\\n\", __func__, sk,\n\t\t addrs, addrcnt);\n\n\taddr_buf = addrs;\n\tfor (cnt = 0; cnt < addrcnt; cnt++) {\n\t\t/* The list may contain either IPv4 or IPv6 address;\n\t\t * determine the address length for walking thru the list.\n\t\t */\n\t\tsa_addr = addr_buf;\n\t\taf = sctp_get_af_specific(sa_addr->sa_family);\n\t\tif (!af) {\n\t\t\tretval = -EINVAL;\n\t\t\tgoto err_bindx_add;\n\t\t}\n\n\t\tretval = sctp_do_bind(sk, (union sctp_addr *)sa_addr,\n\t\t\t\t af->sockaddr_len);\n\n\t\taddr_buf += af->sockaddr_len;\n\nerr_bindx_add:\n\t\tif (retval < 0) {\n\t\t\t/* Failed. 
Cleanup the ones that have been added */\n\t\t\tif (cnt > 0)\n\t\t\t\tsctp_bindx_rem(sk, addrs, cnt);\n\t\t\treturn retval;\n\t\t}\n\t}\n\n\treturn retval;\n}", "project": "linux", "hash": 191307524664997934019958848497411456741, "size": 39, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398218 }, { "func": "}\nEXPORT_SYMBOL_GPL(iscsi_is_session_dev);\n\nstatic int iscsi_iter_session_fn(struct device *dev, void *data)\n{\n\tvoid (* fn) (struct iscsi_cls_session *) = data;\n\n\tif (!iscsi_is_session_dev(dev))\n\t\treturn 0;", "project": "linux", "hash": 22581281980064084661613322659957143431, "size": 9, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 380017 }, { "func": "static int tcp_prune_ofo_queue(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tint res = 0;\n\n\tif (!skb_queue_empty(&tp->out_of_order_queue)) {\n\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_OFOPRUNED);\n\t\t__skb_queue_purge(&tp->out_of_order_queue);\n\n\t\t/* Reset SACK state. A conforming SACK implementation will\n\t\t * do the same at a timeout based retransmit. 
When a connection\n\t\t * is in a sad state like this, we care only about integrity\n\t\t * of the connection not performance.\n\t\t */\n\t\tif (tp->rx_opt.sack_ok)\n\t\t\ttcp_sack_reset(&tp->rx_opt);\n\t\tsk_mem_reclaim(sk);\n\t\tres = 1;\n\t}\n\treturn res;\n}", "project": "net-next", "hash": 93904245788278847562822050351161197255, "size": 21, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409912 }, { "func": "static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_encrypt_change *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));\n\tif (!conn)\n\t\tgoto unlock;\n\n\tif (!ev->status) {\n\t\tif (ev->encrypt) {\n\t\t\t/* Encryption implies authentication */\n\t\t\tset_bit(HCI_CONN_AUTH, &conn->flags);\n\t\t\tset_bit(HCI_CONN_ENCRYPT, &conn->flags);\n\t\t\tconn->sec_level = conn->pending_sec_level;\n\n\t\t\t/* P-256 authentication key implies FIPS */\n\t\t\tif (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)\n\t\t\t\tset_bit(HCI_CONN_FIPS, &conn->flags);\n\n\t\t\tif ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||\n\t\t\t conn->type == LE_LINK)\n\t\t\t\tset_bit(HCI_CONN_AES_CCM, &conn->flags);\n\t\t} else {\n\t\t\tclear_bit(HCI_CONN_ENCRYPT, &conn->flags);\n\t\t\tclear_bit(HCI_CONN_AES_CCM, &conn->flags);\n\t\t}\n\t}\n\n\t/* We should disregard the current RPA and generate a new one\n\t * whenever the encryption procedure fails.\n\t */\n\tif (ev->status && conn->type == LE_LINK) {\n\t\thci_dev_set_flag(hdev, 
HCI_RPA_EXPIRED);\n\t\thci_adv_instances_set_rpa_expired(hdev, true);\n\t}\n\n\tclear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);\n\n\t/* Check link security requirements are met */\n\tif (!hci_conn_check_link_mode(conn))\n\t\tev->status = HCI_ERROR_AUTH_FAILURE;\n\n\tif (ev->status && conn->state == BT_CONNECTED) {\n\t\tif (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)\n\t\t\tset_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);\n\n\t\t/* Notify upper layers so they can cleanup before\n\t\t * disconnecting.\n\t\t */\n\t\thci_encrypt_cfm(conn, ev->status);\n\t\thci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);\n\t\thci_conn_drop(conn);\n\t\tgoto unlock;\n\t}\n\n\t/* Try reading the encryption key size for encrypted ACL links */\n\tif (!ev->status && ev->encrypt && conn->type == ACL_LINK) {\n\t\tstruct hci_cp_read_enc_key_size cp;\n\t\tstruct hci_request req;\n\n\t\t/* Only send HCI_Read_Encryption_Key_Size if the\n\t\t * controller really supports it. If it doesn't, assume\n\t\t * the default size (16).\n\t\t */\n\t\tif (!(hdev->commands[20] & 0x10)) {\n\t\t\tconn->enc_key_size = HCI_LINK_KEY_SIZE;\n\t\t\tgoto notify;\n\t\t}\n\n\t\thci_req_init(&req, hdev);\n\n\t\tcp.handle = cpu_to_le16(conn->handle);\n\t\thci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);\n\n\t\tif (hci_req_run_skb(&req, read_enc_key_size_complete)) {\n\t\t\tbt_dev_err(hdev, \"sending read key size failed\");\n\t\t\tconn->enc_key_size = HCI_LINK_KEY_SIZE;\n\t\t\tgoto notify;\n\t\t}\n\n\t\tgoto unlock;\n\t}\n\n\t/* Set the default Authenticated Payload Timeout after\n\t * an LE Link is established. 
As per Core Spec v5.0, Vol 2, Part B\n\t * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be\n\t * sent when the link is active and Encryption is enabled, the conn\n\t * type can be either LE or ACL and controller must support LMP Ping.\n\t * Ensure for AES-CCM encryption as well.\n\t */\n\tif (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&\n\t test_bit(HCI_CONN_AES_CCM, &conn->flags) &&\n\t ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||\n\t (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {\n\t\tstruct hci_cp_write_auth_payload_to cp;\n\n\t\tcp.handle = cpu_to_le16(conn->handle);\n\t\tcp.timeout = cpu_to_le16(hdev->auth_payload_timeout);\n\t\thci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,\n\t\t\t sizeof(cp), &cp);\n\t}\n\nnotify:\n\thci_encrypt_cfm(conn, ev->status);\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 77940094903681460147091783292129481702, "size": 113, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431892 }, { "func": "int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,\n const char *format,\n size_t argc,\n va_list ap)\n{\n int rc = SSH_ERROR;\n const char *p;\n union {\n uint8_t byte;\n uint16_t word;\n uint32_t dword;\n uint64_t qword;\n ssh_string string;\n void *data;\n } o;\n char *cstring;\n bignum b;\n size_t len;\n size_t count;\n\n if (argc > 256) {\n return SSH_ERROR;\n }\n\n for (p = format, count = 0; *p != '\\0'; p++, count++) {\n /* Invalid number of arguments passed */\n if (count > argc) {\n return SSH_ERROR;\n }\n\n switch(*p) {\n case 'b':\n o.byte = (uint8_t)va_arg(ap, unsigned int);\n rc = ssh_buffer_add_u8(buffer, o.byte);\n break;\n case 'w':\n o.word = (uint16_t)va_arg(ap, unsigned int);\n o.word = htons(o.word);\n rc = ssh_buffer_add_u16(buffer, o.word);\n break;\n case 'd':\n o.dword = va_arg(ap, uint32_t);\n o.dword = htonl(o.dword);\n rc = ssh_buffer_add_u32(buffer, o.dword);\n break;\n case 'q':\n o.qword = va_arg(ap, uint64_t);\n o.qword = htonll(o.qword);\n rc = ssh_buffer_add_u64(buffer, o.qword);\n break;\n case 'S':\n o.string = va_arg(ap, ssh_string);\n rc = ssh_buffer_add_ssh_string(buffer, o.string);\n o.string = NULL;\n break;\n case 's':\n cstring = va_arg(ap, char *);\n len = strlen(cstring);\n rc = ssh_buffer_add_u32(buffer, htonl(len));\n if (rc == SSH_OK){\n rc = ssh_buffer_add_data(buffer, cstring, len);\n }\n cstring = NULL;\n break;\n case 'P':\n len = va_arg(ap, size_t);\n\n o.data = va_arg(ap, void *);\n count++; /* increase argument count */\n\n rc = ssh_buffer_add_data(buffer, o.data, len);\n o.data = NULL;\n break;\n case 'B':\n b = va_arg(ap, 
bignum);\n o.string = ssh_make_bignum_string(b);\n if(o.string == NULL){\n rc = SSH_ERROR;\n break;\n }\n rc = ssh_buffer_add_ssh_string(buffer, o.string);\n SAFE_FREE(o.string);\n break;\n case 't':\n cstring = va_arg(ap, char *);\n len = strlen(cstring);\n rc = ssh_buffer_add_data(buffer, cstring, len);\n cstring = NULL;\n break;\n default:\n SSH_LOG(SSH_LOG_WARN, \"Invalid buffer format %c\", *p);\n rc = SSH_ERROR;\n }\n if (rc != SSH_OK){\n break;\n }\n }\n\n if (argc != count) {\n return SSH_ERROR;\n }\n\n if (rc != SSH_ERROR){\n /* Check if our canary is intact, if not something really bad happened */\n uint32_t canary = va_arg(ap, uint32_t);\n if (canary != SSH_BUFFER_PACK_END) {\n abort();\n }\n }\n return rc;\n}", "project": "libssh-mirror", "hash": 138917105499122272303201949691376335719, "size": 111, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345160 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "bool BlobURLRequestJob::DispatchReadFile(const BlobData::Item& item) {\n if (stream_ != NULL)\n return ReadFile(item);\n\n base::FileUtilProxy::CreateOrOpen(\n file_thread_proxy_, item.file_path(), kFileOpenFlags,\n callback_factory_.NewCallback(&BlobURLRequestJob::DidOpen));\n SetStatus(net::URLRequestStatus(net::URLRequestStatus::IO_PENDING, 0));\n return false;\n}\n", "cwe": "", "big_vul_idx": 106413, "idx": 95565, "hash": 164895644887865292018152347030149184042 }, { "func": "void put_futex_key(int fshared, union futex_key *key)\n{\n\tdrop_futex_key_refs(key);\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 222136429201208286624387788825842551682, "size": 4, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key 
reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492313 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "void VideoRendererBase::Pause(const base::Closure& callback) {\n base::AutoLock auto_lock(lock_);\n DCHECK(state_ != kUninitialized || state_ == kError);\n state_ = kPaused;\n callback.Run();\n}\n", "cwe": "", "big_vul_idx": 113357, "idx": 101647, "hash": 181692942634158660506982515895908406594 }, { "func": "static void interleave_scan_work(struct work_struct *work)\n{\n\tstruct hci_dev *hdev = container_of(work, struct hci_dev,\n\t\t\t\t\t interleave_scan.work);\n\tu8 status;\n\tunsigned long timeout;\n\n\tif (hdev->interleave_scan_state == INTERLEAVE_SCAN_ALLOWLIST) 
{\n\t\ttimeout = msecs_to_jiffies(hdev->advmon_allowlist_duration);\n\t} else if (hdev->interleave_scan_state == INTERLEAVE_SCAN_NO_FILTER) {\n\t\ttimeout = msecs_to_jiffies(hdev->advmon_no_filter_duration);\n\t} else {\n\t\tbt_dev_err(hdev, \"unexpected error\");\n\t\treturn;\n\t}\n\n\thci_req_sync(hdev, hci_req_add_le_interleaved_scan, 0,\n\t\t HCI_CMD_TIMEOUT, &status);\n\n\t/* Don't continue interleaving if it was canceled */\n\tif (is_interleave_scanning(hdev))\n\t\tqueue_delayed_work(hdev->req_workqueue,\n\t\t\t\t &hdev->interleave_scan, timeout);\n}", "project": "linux", "hash": 189522478090631771049373663649289541037, "size": 24, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402583 }, { "func": "\nstatic int io_poll_update_prep(struct io_kiocb *req,\n\t\t\t const struct io_uring_sqe *sqe)\n{\n\tstruct io_poll_update *upd = &req->poll_update;\n\tu32 flags;\n\n\tif (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))\n\t\treturn -EINVAL;\n\tif (sqe->ioprio || sqe->buf_index)\n\t\treturn -EINVAL;\n\tflags = READ_ONCE(sqe->len);\n\tif (flags & ~(IORING_POLL_UPDATE_EVENTS | IORING_POLL_UPDATE_USER_DATA |\n\t\t IORING_POLL_ADD_MULTI))\n\t\treturn -EINVAL;\n\t/* meaningless without update */\n\tif (flags == IORING_POLL_ADD_MULTI)\n\t\treturn -EINVAL;\n\n\tupd->old_user_data = READ_ONCE(sqe->addr);\n\tupd->update_events = flags & IORING_POLL_UPDATE_EVENTS;\n\tupd->update_user_data = flags & IORING_POLL_UPDATE_USER_DATA;\n\n\tupd->new_user_data = READ_ONCE(sqe->off);\n\tif (!upd->update_user_data && upd->new_user_data)\n\t\treturn -EINVAL;\n\tif (upd->update_events)\n\t\tupd->events = io_poll_parse_events(sqe, flags);\n\telse if (sqe->poll32_events)\n\t\treturn -EINVAL;\n\n\treturn 0;", "project": "linux", "hash": 157025784588933024651902263729169770978, "size": 32, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338587 }, { "func": "static int ca8210_skb_tx(\n\tstruct sk_buff *skb,\n\tu8 msduhandle,\n\tstruct ca8210_priv *priv\n)\n{\n\tint status;\n\tstruct ieee802154_hdr header = { };\n\tstruct secspec secspec;\n\tunsigned int mac_len;\n\n\tdev_dbg(&priv->spi->dev, \"%s called\\n\", __func__);\n\n\t/* Get addressing info from skb - ieee802154 layer creates a full\n\t * packet\n\t */\n\tmac_len = ieee802154_hdr_peek_addrs(skb, &header);\n\n\tsecspec.security_level = header.sec.level;\n\tsecspec.key_id_mode = header.sec.key_id_mode;\n\tif (secspec.key_id_mode == 2)\n\t\tmemcpy(secspec.key_source, &header.sec.short_src, 4);\n\telse if (secspec.key_id_mode == 3)\n\t\tmemcpy(secspec.key_source, &header.sec.extended_src, 8);\n\tsecspec.key_index = header.sec.key_id;\n\n\t/* Pass to Cascoda API */\n\tstatus = mcps_data_request(\n\t\theader.source.mode,\n\t\theader.dest.mode,\n\t\theader.dest.pan_id,\n\t\t(union macaddr *)&header.dest.extended_addr,\n\t\tskb->len - mac_len,\n\t\t&skb->data[mac_len],\n\t\tmsduhandle,\n\t\theader.fc.ack_request,\n\t\t&secspec,\n\t\tpriv->spi\n\t);\n\treturn link_to_linux_err(status);\n}", "project": "linux", "hash": 294797307043920676886182665875556747479, "size": 41, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned 
to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408789 }, { "func": "static int kvm_clear_stat_per_vm(struct kvm *kvm, size_t offset)\n{\n\t*(ulong *)((void *)kvm + offset) = 0;\n\n\treturn 0;\n}", "project": "linux", "hash": 284316521044109956001158829123449178031, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354778 }, { "func": "int mnt_optstr_fix_gid(char **optstr, char *value, size_t valsz, char **next)\n{\n\tchar *end;\n\n\tif (!optstr || !*optstr || !value || !valsz)\n\t\treturn -EINVAL;\n\n\tDBG(CXT, ul_debug(\"fixing gid\"));\n\n\tend = value + valsz;\n\n\tif (valsz == 7 && !strncmp(value, \"usergid\", 7) &&\n\t (*(value + 7) == ',' || !*(value + 7)))\n\t\treturn set_uint_value(optstr, getgid(), value, end, next);\n\n\tif (!isdigit(*value)) {\n\t\tint rc;\n\t\tgid_t id;\n\t\tchar *p = strndup(value, valsz);\n\t\tif (!p)\n\t\t\treturn -ENOMEM;\n\t\trc = mnt_get_gid(p, &id);\n\t\tfree(p);\n\n\t\tif (!rc)\n\t\t\treturn set_uint_value(optstr, id, value, end, next);\n\n\t}\n\n\tif (next) 
{\n\t\t/* nothing */\n\t\t*next = value + valsz;\n\t\tif (**next == ',')\n\t\t\t(*next)++;\n\t}\n\treturn 0;\n}", "project": "util-linux", "hash": 331964951778050527754974724134365317193, "size": 37, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410399 }, { "func": "static struct receiver *cutBackTo(struct receiver **rcvrs, u_int32_t size, u_int32_t max) {\n struct receiver *r, *tmp;\n int i=0;\n int count;\n\n if(size < max) //return the original table\n return *rcvrs;\n\n count = size - max;\n\n HASH_ITER(hh, *rcvrs, r, tmp) {\n if(i++ == count)\n return r;\n HASH_DEL(*rcvrs, r);\n free(r);\n }\n\n return(NULL);\n\n}", "project": "nDPI", "hash": 248993185648948931686092144337147566394, "size": 20, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254821 }, { "func": "int bcf_update_id(const bcf_hdr_t *hdr, bcf1_t *line, const char *id)\n{\n if ( !(line->unpacked & BCF_UN_STR) ) bcf_unpack(line, BCF_UN_STR);\n kstring_t tmp;\n tmp.l = 0; tmp.s = line->d.id; tmp.m = line->d.m_id;\n if ( id )\n kputs(id, &tmp);\n else\n kputs(\".\", &tmp);\n line->d.id = tmp.s; line->d.m_id = tmp.m;\n line->d.shared_dirty |= BCF1_DIRTY_ID;\n return 0;\n}", "project": "htslib", "hash": 98641924142923845701166169895378039572, "size": 13, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402198 }, { "func": "static int test_prepend(struct libmnt_test *ts, int argc, char *argv[])\n{\n\tconst char *value = NULL, *name;\n\tchar *optstr;\n\tint rc;\n\n\tif (argc < 3)\n\t\treturn -EINVAL;\n\toptstr = xstrdup(argv[1]);\n\tname = argv[2];\n\n\tif (argc == 4)\n\t\tvalue = argv[3];\n\n\trc = mnt_optstr_prepend_option(&optstr, name, value);\n\tif (!rc)\n\t\tprintf(\"result: >%s<\\n\", optstr);\n\tfree(optstr);\n\treturn rc;\n}", "project": "util-linux", "hash": 192545921395394759694605157987811745643, "size": 20, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410396 }, { "func": "static zend_bool php_auto_globals_create_server(zend_string *name)\n{\n\tif (PG(variables_order) && (strchr(PG(variables_order),'S') || strchr(PG(variables_order),'s'))) {\n\t\tphp_register_server_variables();\n\n\t\tif (PG(register_argc_argv)) {\n\t\t\tif (SG(request_info).argc) {\n\t\t\t\tzval *argc, *argv;\n\n\t\t\t\tif ((argc = zend_hash_str_find_ind(&EG(symbol_table), \"argc\", sizeof(\"argc\")-1)) != NULL &&\n\t\t\t\t\t(argv = zend_hash_str_find_ind(&EG(symbol_table), \"argv\", sizeof(\"argv\")-1)) != NULL) {\n\t\t\t\t\tZ_ADDREF_P(argv);\n\t\t\t\t\tzend_hash_str_update(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]), \"argv\", sizeof(\"argv\")-1, argv);\n\t\t\t\t\tzend_hash_str_update(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]), \"argc\", sizeof(\"argc\")-1, argc);\n\t\t\t\t}\n\t\t\t} else 
{\n\t\t\t\tphp_build_argv(SG(request_info).query_string, &PG(http_globals)[TRACK_VARS_SERVER]);\n\t\t\t}\n\t\t}\n\n\t} else {\n\t\tzval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]);\n\t\tarray_init(&PG(http_globals)[TRACK_VARS_SERVER]);\n\t}\n\n\tcheck_http_proxy(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]));\n\tzend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_SERVER]);\n\tZ_ADDREF(PG(http_globals)[TRACK_VARS_SERVER]);\n\n\t/* TODO: TRACK_VARS_SERVER is modified in a number of places (e.g. phar) past this point,\n\t * where rc>1 due to the $_SERVER global. Ideally this shouldn't happen, but for now we\n\t * ignore this issue, as it would probably require larger changes. */\n\tHT_ALLOW_COW_VIOLATION(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]));\n\n\treturn 0; /* don't rearm */\n}", "project": "php-src", "hash": 299515390926668975526333184527572304703, "size": 36, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374969 }, { "func": "static int kvm_vm_ioctl_enable_cap_generic(struct kvm *kvm,\n\t\t\t\t\t struct kvm_enable_cap *cap)\n{\n\tswitch (cap->cap) {\n#ifdef CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT\n\tcase KVM_CAP_MANUAL_DIRTY_LOG_PROTECT2: {\n\t\tu64 allowed_options = KVM_DIRTY_LOG_MANUAL_PROTECT_ENABLE;\n\n\t\tif (cap->args[0] & KVM_DIRTY_LOG_MANUAL_PROTECT_ENABLE)\n\t\t\tallowed_options = KVM_DIRTY_LOG_MANUAL_CAPS;\n\n\t\tif (cap->flags || (cap->args[0] & ~allowed_options))\n\t\t\treturn -EINVAL;\n\t\tkvm->manual_dirty_log_protect = cap->args[0];\n\t\treturn 0;\n\t}\n#endif\n\tdefault:\n\t\treturn kvm_vm_ioctl_enable_cap(kvm, cap);\n\t}\n}", "project": "linux", "hash": 311621621879060391012914026856482554850, "size": 21, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free 
access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354613 }, { "func": "static int kvm_vm_ioctl_enable_cap_generic(struct kvm *kvm,\n\t\t\t\t\t struct kvm_enable_cap *cap)\n{\n\tswitch (cap->cap) {\n#ifdef CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT\n\tcase KVM_CAP_MANUAL_DIRTY_LOG_PROTECT2: {\n\t\tu64 allowed_options = KVM_DIRTY_LOG_MANUAL_PROTECT_ENABLE;\n\n\t\tif (cap->args[0] & KVM_DIRTY_LOG_MANUAL_PROTECT_ENABLE)\n\t\t\tallowed_options = KVM_DIRTY_LOG_MANUAL_CAPS;\n\n\t\tif (cap->flags || (cap->args[0] & ~allowed_options))\n\t\t\treturn -EINVAL;\n\t\tkvm->manual_dirty_log_protect = cap->args[0];\n\t\treturn 0;\n\t}\n#endif\n\tcase KVM_CAP_HALT_POLL: {\n\t\tif (cap->flags || cap->args[0] != (unsigned int)cap->args[0])\n\t\t\treturn -EINVAL;\n\n\t\tkvm->max_halt_poll_ns = cap->args[0];\n\t\treturn 0;\n\t}\n\tcase KVM_CAP_DIRTY_LOG_RING:\n\t\treturn kvm_vm_ioctl_enable_dirty_log_ring(kvm, cap->args[0]);\n\tdefault:\n\t\treturn kvm_vm_ioctl_enable_cap(kvm, cap);\n\t}\n}", "project": "linux", "hash": 270379403285373035441462730356426666678, "size": 30, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404060 }, { "func": "int nfs4_proc_exchange_id(struct nfs_client *clp, const struct cred *cred)\n{\n\trpc_authflavor_t authflavor = clp->cl_rpcclient->cl_auth->au_flavor;\n\tint status;\n\n\t/* try SP4_MACH_CRED if krb5i/p\t*/\n\tif (authflavor == RPC_AUTH_GSS_KRB5I ||\n\t authflavor == RPC_AUTH_GSS_KRB5P) {\n\t\tstatus = _nfs4_proc_exchange_id(clp, cred, SP4_MACH_CRED);\n\t\tif (!status)\n\t\t\treturn 0;\n\t}\n\n\t/* try SP4_NONE */\n\treturn _nfs4_proc_exchange_id(clp, cred, SP4_NONE);\n}", "project": "linux", "hash": 312387758785995487311705440944619208925, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430974 }, { "func": "static int check_capabilities(struct ImapAccountData *adata)\n{\n if (imap_exec(adata, \"CAPABILITY\", IMAP_CMD_NO_FLAGS) != IMAP_EXEC_SUCCESS)\n {\n imap_error(\"check_capabilities\", adata->buf);\n return -1;\n }\n\n if (!((adata->capabilities & IMAP_CAP_IMAP4) || (adata->capabilities & IMAP_CAP_IMAP4REV1)))\n {\n 
mutt_error(\n _(\"This IMAP server is ancient. NeoMutt does not work with it.\"));\n return -1;\n }\n\n return 0;\n}", "project": "neomutt", "hash": 309626119943470115227781960177514045852, "size": 17, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357027 }, { "func": "void CSoundFile::PortamentoDown(CHANNELINDEX nChn, ModCommand::PARAM param, const bool doFinePortamentoAsRegular)\n{\n\tModChannel *pChn = &m_PlayState.Chn[nChn];\n\n\tif(param)\n\t{\n\t\t// FT2 compatibility: Separate effect memory for all portamento commands\n\t\t// Test case: Porta-LinkMem.xm\n\t\tif(!m_playBehaviour[kFT2PortaUpDownMemory])\n\t\t\tpChn->nOldPortaUp = param;\n\t\tpChn->nOldPortaDown = param;\n\t} else\n\t{\n\t\tparam = pChn->nOldPortaDown;\n\t}\n\n\tconst bool doFineSlides = !doFinePortamentoAsRegular && !(GetType() & (MOD_TYPE_MOD | MOD_TYPE_XM | MOD_TYPE_MT2 | MOD_TYPE_MED | MOD_TYPE_AMF0 | MOD_TYPE_DIGI | MOD_TYPE_STP | MOD_TYPE_DTM));\n\n\t// Process MIDI pitch bend for instrument plugins\n\tMidiPortamento(nChn, -static_cast(param), doFineSlides);\n\n\tif(GetType() == MOD_TYPE_MPT && pChn->pModInstrument && pChn->pModInstrument->pTuning)\n\t{\n\t\t// Portamento for instruments with custom tuning\n\t\tif(param >= 0xF0 && !doFinePortamentoAsRegular)\n\t\t\tPortamentoFineMPT(pChn, -static_cast(param - 0xF0));\n\t\telse if(param >= 0xE0 && !doFinePortamentoAsRegular)\n\t\t\tPortamentoExtraFineMPT(pChn, -static_cast(param - 0xE0));\n\t\telse\n\t\t\tPortamentoMPT(pChn, -static_cast(param));\n\t\treturn;\n\t} else if(GetType() == MOD_TYPE_PLM)\n\t{\n\t\t// A normal portamento up or down makes a follow-up tone portamento go the same direction.\n\t\tpChn->nPortamentoDest = 65535;\n\t}\n\n\tif(doFineSlides && param >= 0xE0)\n\t{\n\t\tif (param & 0x0F)\n\t\t{\n\t\t\tif ((param & 0xF0) == 
0xF0)\n\t\t\t{\n\t\t\t\tFinePortamentoDown(pChn, param & 0x0F);\n\t\t\t\treturn;\n\t\t\t} else if ((param & 0xF0) == 0xE0 && GetType() != MOD_TYPE_DBM)\n\t\t\t{\n\t\t\t\tExtraFinePortamentoDown(pChn, param & 0x0F);\n\t\t\t\treturn;\n\t\t\t}\n\t\t}\n\t\tif(GetType() != MOD_TYPE_DBM)\n\t\t{\n\t\t\t// DBM only has fine slides, no extra-fine slides.\n\t\t\treturn;\n\t\t}\n\t}\n\n\tif(!pChn->isFirstTick || (m_PlayState.m_nMusicSpeed == 1 && m_playBehaviour[kSlidesAtSpeed1]) || GetType() == MOD_TYPE_669)\n\t{\n\t\tDoFreqSlide(pChn, int(param) * 4);\n\t}\n}", "project": "openmpt", "hash": 326226076140514904106916992213849542737, "size": 63, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255206 }, { "func": "static int invlpga_interception(struct vcpu_svm *svm)\n{\n\tstruct kvm_vcpu *vcpu = &svm->vcpu;\n\n\ttrace_kvm_invlpga(svm->vmcb->save.rip, kvm_rcx_read(&svm->vcpu),\n\t\t\t kvm_rax_read(&svm->vcpu));\n\n\t/* Let's treat INVLPGA the same as INVLPG (can be optimized!) */\n\tkvm_mmu_invlpg(vcpu, kvm_rax_read(&svm->vcpu));\n\n\treturn kvm_skip_emulated_instruction(&svm->vcpu);\n}", "project": "linux", "hash": 281378818839532455280237035664179351941, "size": 12, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432600 }, { "func": "static int invlpga_interception(struct vcpu_svm *svm)\n{\n\tstruct kvm_vcpu *vcpu = &svm->vcpu;\n\n\ttrace_kvm_invlpga(svm->vmcb->save.rip, vcpu->arch.regs[VCPU_REGS_RCX],\n\t\t\t vcpu->arch.regs[VCPU_REGS_RAX]);\n\n\t/* Let's treat INVLPGA the same as INVLPG (can be optimized!) */\n\tkvm_mmu_invlpg(vcpu, vcpu->arch.regs[VCPU_REGS_RAX]);\n\n\tsvm->next_rip = kvm_rip_read(&svm->vcpu) + 3;\n\tskip_emulated_instruction(&svm->vcpu);\n\treturn 1;\n}", "project": "kvm", "hash": 33277504675876966628455408378548785671, "size": 14, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437577 }, { "func": "void JOIN::cache_const_exprs()\n{\n bool cache_flag= FALSE;\n bool *analyzer_arg= &cache_flag;\n\n /* No need in cache if all tables are constant. 
*/\n if (const_tables == table_count)\n return;\n\n if (conds)\n conds->compile(thd, &Item::cache_const_expr_analyzer, (uchar **)&analyzer_arg,\n &Item::cache_const_expr_transformer, (uchar *)&cache_flag);\n cache_flag= FALSE;\n if (having)\n having->compile(thd, &Item::cache_const_expr_analyzer, (uchar **)&analyzer_arg,\n &Item::cache_const_expr_transformer, (uchar *)&cache_flag);\n\n for (JOIN_TAB *tab= first_depth_first_tab(this); tab;\n tab= next_depth_first_tab(this, tab))\n {\n if (*tab->on_expr_ref)\n {\n cache_flag= FALSE;\n (*tab->on_expr_ref)->compile(thd, &Item::cache_const_expr_analyzer,\n (uchar **)&analyzer_arg,\n &Item::cache_const_expr_transformer,\n (uchar *)&cache_flag);\n }\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 306661747668693064874961860148546768061, "size": 30, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508475 }, { "func": "static inline bool kvm_kick_many_cpus(const struct cpumask *cpus, bool wait)\n{\n\tif (unlikely(!cpus))\n\t\tcpus = cpu_online_mask;\n\n\tif (cpumask_empty(cpus))\n\t\treturn false;\n\n\tsmp_call_function_many(cpus, ack_flush, NULL, wait);\n\treturn true;\n}", "project": "linux", "hash": 115977780162903054781203652807054207861, "size": 11, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354573 }, { "func": "static int nfs4_xattr_get_nfs4_acl(const struct xattr_handler *handler,\n\t\t\t\t struct dentry *unused, struct inode *inode,\n\t\t\t\t const char *key, void *buf, size_t buflen)\n{\n\treturn nfs4_proc_get_acl(inode, buf, buflen);\n}", "project": "linux", "hash": 264011995754736511626862897215191881527, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell 
\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430963 }, { "func": "static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,\n\t\t\t\t\t const struct tcphdr *th, unsigned int len)\n{\n\tconst u8 *hash_location;\n\tstruct inet_connection_sock *icsk = inet_csk(sk);\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct tcp_cookie_values *cvp = tp->cookie_values;\n\tint saved_clamp = tp->rx_opt.mss_clamp;\n\n\ttcp_parse_options(skb, &tp->rx_opt, &hash_location, 0);\n\n\tif (th->ack) {\n\t\t/* rfc793:\n\t\t * \"If the state is SYN-SENT then\n\t\t * first check the ACK bit\n\t\t * If the ACK bit is set\n\t\t *\t If SEG.ACK =< ISS, or SEG.ACK > SND.NXT, send\n\t\t * a reset (unless the RST bit is set, if so drop\n\t\t * the segment and return)\"\n\t\t *\n\t\t * We do not send data with SYN, so that RFC-correct\n\t\t * test reduces to:\n\t\t */\n\t\tif (TCP_SKB_CB(skb)->ack_seq != tp->snd_nxt)\n\t\t\tgoto reset_and_undo;\n\n\t\tif (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr &&\n\t\t !between(tp->rx_opt.rcv_tsecr, tp->retrans_stamp,\n\t\t\t tcp_time_stamp)) {\n\t\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_PAWSACTIVEREJECTED);\n\t\t\tgoto reset_and_undo;\n\t\t}\n\n\t\t/* Now ACK is acceptable.\n\t\t *\n\t\t * \"If the RST bit is set\n\t\t * If the ACK was acceptable then signal the user \"error:\n\t\t * connection reset\", drop the segment, enter CLOSED state,\n\t\t * delete TCB, and return.\"\n\t\t */\n\n\t\tif (th->rst) {\n\t\t\ttcp_reset(sk);\n\t\t\tgoto discard;\n\t\t}\n\n\t\t/* rfc793:\n\t\t * \"fifth, if neither of the SYN or RST bits is set then\n\t\t * drop the segment and return.\"\n\t\t *\n\t\t * See note below!\n\t\t * --ANK(990513)\n\t\t */\n\t\tif (!th->syn)\n\t\t\tgoto discard_and_undo;\n\n\t\t/* rfc793:\n\t\t * \"If the SYN bit is on ...\n\t\t * are acceptable then ...\n\t\t * (our SYN has been ACKed), change the connection\n\t\t * state to 
ESTABLISHED...\"\n\t\t */\n\n\t\tTCP_ECN_rcv_synack(tp, th);\n\n\t\ttp->snd_wl1 = TCP_SKB_CB(skb)->seq;\n\t\ttcp_ack(sk, skb, FLAG_SLOWPATH);\n\n\t\t/* Ok.. it's good. Set up sequence numbers and\n\t\t * move to established.\n\t\t */\n\t\ttp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1;\n\t\ttp->rcv_wup = TCP_SKB_CB(skb)->seq + 1;\n\n\t\t/* RFC1323: The window in SYN & SYN/ACK segments is\n\t\t * never scaled.\n\t\t */\n\t\ttp->snd_wnd = ntohs(th->window);\n\t\ttcp_init_wl(tp, TCP_SKB_CB(skb)->seq);\n\n\t\tif (!tp->rx_opt.wscale_ok) {\n\t\t\ttp->rx_opt.snd_wscale = tp->rx_opt.rcv_wscale = 0;\n\t\t\ttp->window_clamp = min(tp->window_clamp, 65535U);\n\t\t}\n\n\t\tif (tp->rx_opt.saw_tstamp) {\n\t\t\ttp->rx_opt.tstamp_ok\t = 1;\n\t\t\ttp->tcp_header_len =\n\t\t\t\tsizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED;\n\t\t\ttp->advmss\t -= TCPOLEN_TSTAMP_ALIGNED;\n\t\t\ttcp_store_ts_recent(tp);\n\t\t} else {\n\t\t\ttp->tcp_header_len = sizeof(struct tcphdr);\n\t\t}\n\n\t\tif (tcp_is_sack(tp) && sysctl_tcp_fack)\n\t\t\ttcp_enable_fack(tp);\n\n\t\ttcp_mtup_init(sk);\n\t\ttcp_sync_mss(sk, icsk->icsk_pmtu_cookie);\n\t\ttcp_initialize_rcv_mss(sk);\n\n\t\t/* Remember, tcp_poll() does not lock socket!\n\t\t * Change state from SYN-SENT only after copied_seq\n\t\t * is initialized. */\n\t\ttp->copied_seq = tp->rcv_nxt;\n\n\t\tif (cvp != NULL &&\n\t\t cvp->cookie_pair_size > 0 &&\n\t\t tp->rx_opt.cookie_plus > 0) {\n\t\t\tint cookie_size = tp->rx_opt.cookie_plus\n\t\t\t\t\t- TCPOLEN_COOKIE_BASE;\n\t\t\tint cookie_pair_size = cookie_size\n\t\t\t\t\t + cvp->cookie_desired;\n\n\t\t\t/* A cookie extension option was sent and returned.\n\t\t\t * Note that each incoming SYNACK replaces the\n\t\t\t * Responder cookie. 
The initial exchange is most\n\t\t\t * fragile, as protection against spoofing relies\n\t\t\t * entirely upon the sequence and timestamp (above).\n\t\t\t * This replacement strategy allows the correct pair to\n\t\t\t * pass through, while any others will be filtered via\n\t\t\t * Responder verification later.\n\t\t\t */\n\t\t\tif (sizeof(cvp->cookie_pair) >= cookie_pair_size) {\n\t\t\t\tmemcpy(&cvp->cookie_pair[cvp->cookie_desired],\n\t\t\t\t hash_location, cookie_size);\n\t\t\t\tcvp->cookie_pair_size = cookie_pair_size;\n\t\t\t}\n\t\t}\n\n\t\tsmp_mb();\n\t\ttcp_set_state(sk, TCP_ESTABLISHED);\n\n\t\tsecurity_inet_conn_established(sk, skb);\n\n\t\t/* Make sure socket is routed, for correct metrics. */\n\t\ticsk->icsk_af_ops->rebuild_header(sk);\n\n\t\ttcp_init_metrics(sk);\n\n\t\ttcp_init_congestion_control(sk);\n\n\t\t/* Prevent spurious tcp_cwnd_restart() on first data\n\t\t * packet.\n\t\t */\n\t\ttp->lsndtime = tcp_time_stamp;\n\n\t\ttcp_init_buffer_space(sk);\n\n\t\tif (sock_flag(sk, SOCK_KEEPOPEN))\n\t\t\tinet_csk_reset_keepalive_timer(sk, keepalive_time_when(tp));\n\n\t\tif (!tp->rx_opt.snd_wscale)\n\t\t\t__tcp_fast_path_on(tp, tp->snd_wnd);\n\t\telse\n\t\t\ttp->pred_flags = 0;\n\n\t\tif (!sock_flag(sk, SOCK_DEAD)) {\n\t\t\tsk->sk_state_change(sk);\n\t\t\tsk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT);\n\t\t}\n\n\t\tif (sk->sk_write_pending ||\n\t\t icsk->icsk_accept_queue.rskq_defer_accept ||\n\t\t icsk->icsk_ack.pingpong) {\n\t\t\t/* Save one ACK. 
Data will be ready after\n\t\t\t * several ticks, if write_pending is set.\n\t\t\t *\n\t\t\t * It may be deleted, but with this feature tcpdumps\n\t\t\t * look so _wonderfully_ clever, that I was not able\n\t\t\t * to stand against the temptation 8) --ANK\n\t\t\t */\n\t\t\tinet_csk_schedule_ack(sk);\n\t\t\ticsk->icsk_ack.lrcvtime = tcp_time_stamp;\n\t\t\ticsk->icsk_ack.ato\t = TCP_ATO_MIN;\n\t\t\ttcp_incr_quickack(sk);\n\t\t\ttcp_enter_quickack_mode(sk);\n\t\t\tinet_csk_reset_xmit_timer(sk, ICSK_TIME_DACK,\n\t\t\t\t\t\t TCP_DELACK_MAX, TCP_RTO_MAX);\n\ndiscard:\n\t\t\t__kfree_skb(skb);\n\t\t\treturn 0;\n\t\t} else {\n\t\t\ttcp_send_ack(sk);\n\t\t}\n\t\treturn -1;\n\t}\n\n\t/* No ACK in the segment */\n\n\tif (th->rst) {\n\t\t/* rfc793:\n\t\t * \"If the RST bit is set\n\t\t *\n\t\t * Otherwise (no ACK) drop the segment and return.\"\n\t\t */\n\n\t\tgoto discard_and_undo;\n\t}\n\n\t/* PAWS check. */\n\tif (tp->rx_opt.ts_recent_stamp && tp->rx_opt.saw_tstamp &&\n\t tcp_paws_reject(&tp->rx_opt, 0))\n\t\tgoto discard_and_undo;\n\n\tif (th->syn) {\n\t\t/* We see SYN without ACK. 
It is attempt of\n\t\t * simultaneous connect with crossed SYNs.\n\t\t * Particularly, it can be connect to self.\n\t\t */\n\t\ttcp_set_state(sk, TCP_SYN_RECV);\n\n\t\tif (tp->rx_opt.saw_tstamp) {\n\t\t\ttp->rx_opt.tstamp_ok = 1;\n\t\t\ttcp_store_ts_recent(tp);\n\t\t\ttp->tcp_header_len =\n\t\t\t\tsizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED;\n\t\t} else {\n\t\t\ttp->tcp_header_len = sizeof(struct tcphdr);\n\t\t}\n\n\t\ttp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1;\n\t\ttp->rcv_wup = TCP_SKB_CB(skb)->seq + 1;\n\n\t\t/* RFC1323: The window in SYN & SYN/ACK segments is\n\t\t * never scaled.\n\t\t */\n\t\ttp->snd_wnd = ntohs(th->window);\n\t\ttp->snd_wl1 = TCP_SKB_CB(skb)->seq;\n\t\ttp->max_window = tp->snd_wnd;\n\n\t\tTCP_ECN_rcv_syn(tp, th);\n\n\t\ttcp_mtup_init(sk);\n\t\ttcp_sync_mss(sk, icsk->icsk_pmtu_cookie);\n\t\ttcp_initialize_rcv_mss(sk);\n\n\t\ttcp_send_synack(sk);\n#if 0\n\t\t/* Note, we could accept data and URG from this segment.\n\t\t * There are no obstacles to make this.\n\t\t *\n\t\t * However, if we ignore data in ACKless segments sometimes,\n\t\t * we have no reasons to accept it sometimes.\n\t\t * Also, seems the code doing it in step6 of tcp_rcv_state_process\n\t\t * is not flawless. 
So, discard packet for sanity.\n\t\t * Uncomment this return to process the data.\n\t\t */\n\t\treturn -1;\n#else\n\t\tgoto discard;\n#endif\n\t}\n\t/* \"fifth, if neither of the SYN or RST bits is set then\n\t * drop the segment and return.\"\n\t */\n\ndiscard_and_undo:\n\ttcp_clear_options(&tp->rx_opt);\n\ttp->rx_opt.mss_clamp = saved_clamp;\n\tgoto discard;\n\nreset_and_undo:\n\ttcp_clear_options(&tp->rx_opt);\n\ttp->rx_opt.mss_clamp = saved_clamp;\n\treturn 1;\n}", "project": "net-next", "hash": 68692650440303910679689611941413034250, "size": 269, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409929 }, { "func": "int kvm_s390_vcpu_store_status(struct kvm_vcpu *vcpu, unsigned long addr)\n{\n\t/*\n\t * The guest FPRS and ACRS are in the host FPRS/ACRS due to the lazy\n\t * switch in the run ioctl. 
Let's update our copies before we save\n\t * it into the save area\n\t */\n\tsave_fpu_regs();\n\tvcpu->run->s.regs.fpc = current->thread.fpu.fpc;\n\tsave_access_regs(vcpu->run->s.regs.acrs);\n\n\treturn kvm_s390_store_status_unloaded(vcpu, addr);\n}", "project": "linux", "hash": 286095294029576517299079193849745708552, "size": 13, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354419 }, { "func": "rfbScreenInfoPtr rfbScaledScreenAllocate(rfbClientPtr cl, int width, int height)\n{\n rfbScreenInfoPtr ptr;\n ptr = malloc(sizeof(rfbScreenInfo));\n if (ptr!=NULL)\n {\n int allocSize;\n\n /* copy *everything* (we don't use most of it, but just in case) */\n memcpy(ptr, cl->screen, sizeof(rfbScreenInfo));\n\n /* SECURITY: make sure that no integer overflow will occur afterwards.\n * Note: this is defensive coding, as the check should have already been\n * performed during initial, non-scaled screen setup.\n */\n allocSize = pad4(width * (ptr->bitsPerPixel/8)); /* per protocol, width<2**16 and bpp<256 */\n if (height == 0 || allocSize >= SIZE_MAX / height)\n {\n free(ptr);\n return NULL; /* malloc() will allocate an incorrect buffer size - early abort */\n }\n\n /* Resume copy everything */\n ptr->width = width;\n ptr->height = height;\n ptr->paddedWidthInBytes = (ptr->bitsPerPixel/8)*ptr->width;\n\n 
/* Need to by multiples of 4 for Sparc systems */\n ptr->paddedWidthInBytes = pad4(ptr->paddedWidthInBytes);\n\n /* Reset the reference count to 0! */\n ptr->scaledScreenRefCount = 0;\n\n ptr->sizeInBytes = ptr->paddedWidthInBytes * ptr->height;\n ptr->serverFormat = cl->screen->serverFormat;\n\n ptr->frameBuffer = malloc(ptr->sizeInBytes);\n if (ptr->frameBuffer!=NULL)\n {\n /* Reset to a known condition: scale the entire framebuffer */\n rfbScaledScreenUpdateRect(cl->screen, ptr, 0, 0, cl->screen->width, cl->screen->height);\n /* Now, insert into the chain */\n LOCK(cl->updateMutex);\n ptr->scaledScreenNext = cl->screen->scaledScreenNext;\n cl->screen->scaledScreenNext = ptr;\n UNLOCK(cl->updateMutex);\n }\n else\n {\n /* Failed to malloc the new frameBuffer, cleanup */\n free(ptr);\n ptr=NULL;\n }\n }\n return ptr;\n}", "project": "libvncserver", "hash": 237062820211397516671086165696231264434, "size": 56, "commit_id": "a6788d1da719ae006605b78d22f5a9f170b423af", "message": "libvncserver: scale: cast to 64 bit before shifting\n\nSince pixel_value is 64 bit the data type of the shift operand should\nbe 64 bit too to prevent integer overflows.", "target": 0, "dataset": "other", "idx": 296796 }, { "func": "void gdImageSetBrush (gdImagePtr im, gdImagePtr brush)\n{\n\tint i;\n\tim->brush = brush;\n\tif (!im->trueColor && !im->brush->trueColor) {\n\t\tfor (i = 0; i < gdImageColorsTotal(brush); i++) {\n\t\t\tint index;\n\t\t\tindex = gdImageColorResolveAlpha(im, gdImageRed(brush, i), gdImageGreen(brush, i), gdImageBlue(brush, i), gdImageAlpha(brush, i));\n\t\t\tim->brushColorMap[i] = index;\n\t\t}\n\t}\n}", "project": "php-src", "hash": 241662379545899262892676211965218033043, "size": 12, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295143 }, { "func": "static bool nested_vmcb_check_controls(struct 
vmcb_control_area *control)\n{\n\tif ((vmcb_is_intercept(control, INTERCEPT_VMRUN)) == 0)\n\t\treturn false;\n\n\tif (control->asid == 0)\n\t\treturn false;\n\n\tif ((control->nested_ctl & SVM_NESTED_CTL_NP_ENABLE) &&\n\t !npt_enabled)\n\t\treturn false;\n\n\treturn true;\n}", "project": "linux", "hash": 272986213928926303016380324399158128652, "size": 14, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376652 }, { "func": "int hci_req_run_skb(struct hci_request *req, hci_req_complete_skb_t complete)\n{\n\treturn req_run(req, NULL, complete);\n}", "project": "linux", "hash": 68241470291771928191831577933493053462, "size": 4, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402561 }, { "func": "int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,\n\t\t\t struct kvm_io_device *dev)\n{\n\tint i, j;\n\tstruct kvm_io_bus *new_bus, *bus;\n\n\tlockdep_assert_held(&kvm->slots_lock);\n\n\tbus = kvm_get_bus(kvm, bus_idx);\n\tif (!bus)\n\t\treturn 0;\n\n\tfor (i = 0; i < bus->dev_count; i++) {\n\t\tif (bus->range[i].dev == dev) {\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (i == bus->dev_count)\n\t\treturn 0;\n\n\tnew_bus = kmalloc(struct_size(bus, range, bus->dev_count - 1),\n\t\t\t GFP_KERNEL_ACCOUNT);\n\tif (new_bus) {\n\t\tmemcpy(new_bus, bus, struct_size(bus, range, i));\n\t\tnew_bus->dev_count--;\n\t\tmemcpy(new_bus->range + i, bus->range + i + 1,\n\t\t\t\tflex_array_size(new_bus, range, new_bus->dev_count - i));\n\t}\n\n\trcu_assign_pointer(kvm->buses[bus_idx], new_bus);\n\tsynchronize_srcu_expedited(&kvm->srcu);\n\n\t/* Destroy the old bus _after_ installing the (null) bus. */\n\tif (!new_bus) {\n\t\tpr_err(\"kvm: failed to shrink bus, removing it completely\\n\");\n\t\tfor (j = 0; j < bus->dev_count; j++) {\n\t\t\tif (j == i)\n\t\t\t\tcontinue;\n\t\t\tkvm_iodevice_destructor(bus->range[j].dev);\n\t\t}\n\t}\n\n\tkfree(bus);\n\treturn new_bus ? 0 : -ENOMEM;\n}", "project": "linux", "hash": 140555675791757177387261675342357616269, "size": 46, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404057 }, { "func": "static void SFRemoveDependencies(SplineFont *sf) {\n int i;\n struct splinecharlist *dlist, *dnext;\n KernPair *kp;\n\n for ( i=0; iglyphcnt; ++i ) if ( sf->glyphs[i]!=NULL ) {\n\tfor ( dlist = sf->glyphs[i]->dependents; dlist!=NULL; dlist = dnext ) {\n\t dnext = dlist->next;\n\t chunkfree(dlist,sizeof(*dlist));\n\t}\n\tsf->glyphs[i]->dependents = NULL;\n\tfor ( kp=sf->glyphs[i]->kerns; kp!=NULL; kp=kp->next ) {\n\t kp->sc = (SplineChar *) (intpt) (kp->sc->orig_pos);\n\t kp->kcid = true;\t\t/* flag */\n\t}\n\tfor ( kp=sf->glyphs[i]->vkerns; kp!=NULL; kp=kp->next ) {\n\t kp->sc = (SplineChar *) (intpt) (kp->sc->orig_pos);\n\t kp->kcid = true;\n\t}\n }\n}", "project": "fontforge", "hash": 118938045615326046950205225791717848637, "size": 21, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417904 }, { "func": " virtual inline void quick_fix_field() { fixed= 1; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": 
"2e7891080667c59ac80f788eef4d59d447595772", "hash": 21836185778125066073732884864249973442, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509197 }, { "func": "TEST_CASE(\"Invalid UTF-8 text test\", \"[general]\")\n{\n std::string s = \"a <- '\";\n s += static_cast(0xe8); // Make invalid utf8 text...\n\n parser parser(s.c_str());\n\n bool ret = parser;\n REQUIRE(ret == false);\n}", "project": "cpp-peglib", "hash": 66381458483230316359743314048551412590, "size": 10, "commit_id": "b3b29ce8f3acf3a32733d930105a17d7b0ba347e", "message": "Fix #122", "target": 0, "dataset": "other", "idx": 267829 }, { "func": "void JSObject::allocateNewSlotStorage(\n Handle selfHandle,\n Runtime *runtime,\n SlotIndex newSlotIndex,\n Handle<> valueHandle) {\n // If it is a direct property, just store the value and we are done.\n if (LLVM_LIKELY(newSlotIndex < DIRECT_PROPERTY_SLOTS)) {\n selfHandle->directProps()[newSlotIndex].set(\n *valueHandle, &runtime->getHeap());\n return;\n }\n\n // Make the slot index relative to the indirect storage.\n newSlotIndex -= DIRECT_PROPERTY_SLOTS;\n\n // 
Allocate a new property storage if not already allocated.\n if (LLVM_UNLIKELY(!selfHandle->propStorage_)) {\n // Allocate new storage.\n assert(newSlotIndex == 0 && \"allocated slot must be at end\");\n auto arrRes = runtime->ignoreAllocationFailure(\n PropStorage::create(runtime, DEFAULT_PROPERTY_CAPACITY));\n selfHandle->propStorage_.set(\n runtime, vmcast(arrRes), &runtime->getHeap());\n } else if (LLVM_UNLIKELY(\n newSlotIndex >=\n selfHandle->propStorage_.get(runtime)->capacity())) {\n // Reallocate the existing one.\n assert(\n newSlotIndex == selfHandle->propStorage_.get(runtime)->size() &&\n \"allocated slot must be at end\");\n auto hnd = runtime->makeMutableHandle(selfHandle->propStorage_);\n PropStorage::resize(hnd, runtime, newSlotIndex + 1);\n selfHandle->propStorage_.set(runtime, *hnd, &runtime->getHeap());\n }\n\n {\n NoAllocScope scope{runtime};\n auto *const propStorage = selfHandle->propStorage_.getNonNull(runtime);\n if (newSlotIndex >= propStorage->size()) {\n assert(\n newSlotIndex == propStorage->size() &&\n \"allocated slot must be at end\");\n PropStorage::resizeWithinCapacity(propStorage, runtime, newSlotIndex + 1);\n }\n // If we don't need to resize, just store it directly.\n propStorage->at(newSlotIndex).set(*valueHandle, &runtime->getHeap());\n }\n}", "project": "hermes", "hash": 209039212030881903778407715759051026613, "size": 48, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230253 }, { "func": "static inline void note_cmpxchg_failure(const char *n,\n\t\tconst struct kmem_cache *s, unsigned long tid)\n{\n#ifdef SLUB_DEBUG_CMPXCHG\n\tunsigned long actual_tid = __this_cpu_read(s->cpu_slab->tid);\n\n\tpr_info(\"%s %s: cmpxchg redo \", n, s->name);\n\n#ifdef CONFIG_PREEMPTION\n\tif (tid_to_cpu(tid) != tid_to_cpu(actual_tid))\n\t\tpr_warn(\"due to cpu change %d -> %d\\n\",\n\t\t\ttid_to_cpu(tid), tid_to_cpu(actual_tid));\n\telse\n#endif\n\tif (tid_to_event(tid) != tid_to_event(actual_tid))\n\t\tpr_warn(\"due to cpu running other code. Event %ld->%ld\\n\",\n\t\t\ttid_to_event(tid), tid_to_event(actual_tid));\n\telse\n\t\tpr_warn(\"for unknown reason: actual=%lx was=%lx target=%lx\\n\",\n\t\t\tactual_tid, tid, next_tid(tid));\n#endif\n\tstat(s, CMPXCHG_DOUBLE_CPU_FAIL);\n}", "project": "linux", "hash": 308324338449963803540247017181714862176, "size": 23, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280217 }, { "func": "int intsetTest(int argc, char **argv) {\n uint8_t success;\n int i;\n intset *is;\n srand(time(NULL));\n\n UNUSED(argc);\n UNUSED(argv);\n\n printf(\"Value encodings: \"); {\n assert(_intsetValueEncoding(-32768) == INTSET_ENC_INT16);\n assert(_intsetValueEncoding(+32767) == INTSET_ENC_INT16);\n assert(_intsetValueEncoding(-32769) == INTSET_ENC_INT32);\n assert(_intsetValueEncoding(+32768) == INTSET_ENC_INT32);\n assert(_intsetValueEncoding(-2147483648) == INTSET_ENC_INT32);\n assert(_intsetValueEncoding(+2147483647) == INTSET_ENC_INT32);\n assert(_intsetValueEncoding(-2147483649) == INTSET_ENC_INT64);\n assert(_intsetValueEncoding(+2147483648) == INTSET_ENC_INT64);\n assert(_intsetValueEncoding(-9223372036854775808ull) ==\n INTSET_ENC_INT64);\n assert(_intsetValueEncoding(+9223372036854775807ull) ==\n INTSET_ENC_INT64);\n ok();\n }\n\n printf(\"Basic adding: \"); {\n is = intsetNew();\n is = intsetAdd(is,5,&success); assert(success);\n is = intsetAdd(is,6,&success); assert(success);\n is = intsetAdd(is,4,&success); assert(success);\n is = intsetAdd(is,4,&success); assert(!success);\n ok();\n }\n\n printf(\"Large number of random adds: \"); {\n uint32_t inserts = 0;\n is = intsetNew();\n for (i = 0; i < 1024; i++) {\n is = intsetAdd(is,rand()%0x800,&success);\n if (success) inserts++;\n }\n assert(intrev32ifbe(is->length) == inserts);\n checkConsistency(is);\n ok();\n }\n\n printf(\"Upgrade from int16 to int32: \"); {\n is = intsetNew();\n is = intsetAdd(is,32,NULL);\n assert(intrev32ifbe(is->encoding) == INTSET_ENC_INT16);\n is = 
intsetAdd(is,65535,NULL);\n assert(intrev32ifbe(is->encoding) == INTSET_ENC_INT32);\n assert(intsetFind(is,32));\n assert(intsetFind(is,65535));\n checkConsistency(is);\n\n is = intsetNew();\n is = intsetAdd(is,32,NULL);\n assert(intrev32ifbe(is->encoding) == INTSET_ENC_INT16);\n is = intsetAdd(is,-65535,NULL);\n assert(intrev32ifbe(is->encoding) == INTSET_ENC_INT32);\n assert(intsetFind(is,32));\n assert(intsetFind(is,-65535));\n checkConsistency(is);\n ok();\n }\n\n printf(\"Upgrade from int16 to int64: \"); {\n is = intsetNew();\n is = intsetAdd(is,32,NULL);\n assert(intrev32ifbe(is->encoding) == INTSET_ENC_INT16);\n is = intsetAdd(is,4294967295,NULL);\n assert(intrev32ifbe(is->encoding) == INTSET_ENC_INT64);\n assert(intsetFind(is,32));\n assert(intsetFind(is,4294967295));\n checkConsistency(is);\n\n is = intsetNew();\n is = intsetAdd(is,32,NULL);\n assert(intrev32ifbe(is->encoding) == INTSET_ENC_INT16);\n is = intsetAdd(is,-4294967295,NULL);\n assert(intrev32ifbe(is->encoding) == INTSET_ENC_INT64);\n assert(intsetFind(is,32));\n assert(intsetFind(is,-4294967295));\n checkConsistency(is);\n ok();\n }\n\n printf(\"Upgrade from int32 to int64: \"); {\n is = intsetNew();\n is = intsetAdd(is,65535,NULL);\n assert(intrev32ifbe(is->encoding) == INTSET_ENC_INT32);\n is = intsetAdd(is,4294967295,NULL);\n assert(intrev32ifbe(is->encoding) == INTSET_ENC_INT64);\n assert(intsetFind(is,65535));\n assert(intsetFind(is,4294967295));\n checkConsistency(is);\n\n is = intsetNew();\n is = intsetAdd(is,65535,NULL);\n assert(intrev32ifbe(is->encoding) == INTSET_ENC_INT32);\n is = intsetAdd(is,-4294967295,NULL);\n assert(intrev32ifbe(is->encoding) == INTSET_ENC_INT64);\n assert(intsetFind(is,65535));\n assert(intsetFind(is,-4294967295));\n checkConsistency(is);\n ok();\n }\n\n printf(\"Stress lookups: \"); {\n long num = 100000, size = 10000;\n int i, bits = 20;\n long long start;\n is = createSet(bits,size);\n checkConsistency(is);\n\n start = usec();\n for (i = 0; i < num; i++) 
intsetSearch(is,rand() % ((1<vc_hi_font_mask)\n\t\tc |= 0x100;\n\treturn c;\n}", "project": "linux", "hash": 249049035581329479736598515438364844706, "size": 9, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 
drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437036 }, { "func": "void CServer::SendRconCmdRem(const IConsole::CCommandInfo *pCommandInfo, int ClientID)\n{\n\tCMsgPacker Msg(NETMSG_RCON_CMD_REM, true);\n\tMsg.AddString(pCommandInfo->m_pName, 256);\n\tSendMsg(&Msg, MSGFLAG_VITAL, ClientID);\n}", "project": "teeworlds", "hash": 110533173294253575785908293014148621636, "size": 6, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382012 }, { "func": "static void mt_release_pending_palms(struct mt_device *td,\n\t\t\t\t struct mt_application *app,\n\t\t\t\t struct input_dev *input)\n{\n\tint slotnum;\n\tbool need_sync = false;\n\n\tfor_each_set_bit(slotnum, app->pending_palm_slots, td->maxcontacts) {\n\t\tclear_bit(slotnum, app->pending_palm_slots);\n\n\t\tinput_mt_slot(input, slotnum);\n\t\tinput_mt_report_slot_inactive(input);\n\n\t\tneed_sync = true;\n\t}\n\n\tif (need_sync) {\n\t\tinput_mt_sync_frame(input);\n\t\tinput_sync(input);\n\t}\n}", "project": "linux", "hash": 297770006118394287489851675045185046228, 
"size": 21, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458397 }, { "func": "static void opj_j2k_tcp_data_destroy(opj_tcp_t *p_tcp)\n{\n if (p_tcp->m_data) {\n opj_free(p_tcp->m_data);\n p_tcp->m_data = NULL;\n p_tcp->m_data_size = 0;\n }\n}", "project": "openjpeg", "hash": 296829233707920111879597515665402978778, "size": 8, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357423 }, { "func": "int bcf_add_filter(const bcf_hdr_t *hdr, bcf1_t *line, int flt_id)\n{\n if ( !(line->unpacked & BCF_UN_FLT) ) bcf_unpack(line, BCF_UN_FLT);\n int i;\n for (i=0; id.n_flt; i++)\n if ( flt_id==line->d.flt[i] ) break;\n if ( id.n_flt ) return 0; // this filter is already set\n line->d.shared_dirty |= BCF1_DIRTY_FLT;\n if ( flt_id==0 ) // set to PASS\n line->d.n_flt = 1;\n else if ( line->d.n_flt==1 && line->d.flt[0]==0 )\n line->d.n_flt = 1;\n else\n line->d.n_flt++;\n hts_expand(int, line->d.n_flt, line->d.m_flt, line->d.flt);\n line->d.flt[line->d.n_flt-1] = flt_id;\n 
return 1;\n}", "project": "htslib", "hash": 165034162948992705309496631450233312803, "size": 18, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402151 }, { "func": "Sfdouble_t sh_strnum(Shell_t *shp, const char *str, char **ptr, int mode) {\n Sfdouble_t d;\n char *last;\n\n if (*str == 0) {\n if (ptr) *ptr = (char *)str;\n return 0;\n }\n errno = 0;\n d = number(str, &last, shp->inarith ? 0 : 10, NULL);\n if (*last) {\n if (*last != '.' || last[1] != '.') {\n d = strval(shp, str, &last, arith, mode);\n Varsubscript = true;\n }\n if (!ptr && *last && mode > 0) errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);\n } else if (!d && *str == '-') {\n d = -0.0;\n }\n if (ptr) *ptr = last;\n return d;\n}", "project": "ast", "hash": 309916825304971174344136967868648417012, "size": 22, "commit_id": "c7de8b641266bac7c77942239ac659edfee9ecd2", "message": "Harden env var imports", "target": 1, "dataset": "other", "idx": 201806 }, { "func": "Sfdouble_t sh_strnum(Shell_t *shp, const char *str, char **ptr, int mode) {\n Sfdouble_t d;\n char *last;\n\n if (*str == 0) {\n d = 0.0;\n last = (char *)str;\n } else {\n d = number(str, &last, shp->inarith ? 0 : 10, NULL);\n if (*last && !shp->inarith && sh_isstate(shp, SH_INIT)) {\n // This call is to handle \"base#value\" literals if we're importing untrusted env vars.\n d = number(str, &last, 0, NULL);\n }\n if (*last) {\n if (sh_isstate(shp, SH_INIT)) {\n // Initializing means importing untrusted env vars. 
Since the string does not appear\n // to be a recognized numeric literal give up. We can't safely call strval() since\n // that allows arbitrary expressions which would create a security vulnerability.\n d = 0.0;\n } else {\n if (*last != '.' || last[1] != '.') {\n d = strval(shp, str, &last, arith, mode);\n Varsubscript = true;\n }\n if (!ptr && *last && mode > 0) {\n errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);\n }\n }\n } else if (d == 0.0 && *str == '-') {\n d = -0.0;\n }\n }\n if (ptr) *ptr = last;\n return d;\n}", "project": "ast", "hash": 84029568395809826570711187865149217968, "size": 35, "commit_id": "c7de8b641266bac7c77942239ac659edfee9ecd2", "message": "Harden env var imports", "target": 0, "dataset": "other", "idx": 321871 }, { "func": " virtual UBool appendCodeUnit(UChar c) { str.append(c); return TRUE; }", "project": "icu", "hash": 9749103510373366770808280385126395801, "size": 1, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430751 }, { "func": "UnicodeStringAppendable::appendCodeUnit(UChar c) {\n return str.doAppend(&c, 0, 1).isWritable();\n}", "project": "icu", "hash": 128011282222181687180785719549105930281, "size": 3, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430761 }, { "func": "int kvm_s390_store_status_unloaded(struct kvm_vcpu *vcpu, unsigned long gpa)\n{\n\tunsigned char archmode = 1;\n\tfreg_t fprs[NUM_FPRS];\n\tunsigned int px;\n\tu64 clkcomp, cputm;\n\tint rc;\n\n\tpx = kvm_s390_get_prefix(vcpu);\n\tif (gpa == KVM_S390_STORE_STATUS_NOADDR) {\n\t\tif (write_guest_abs(vcpu, 163, &archmode, 1))\n\t\t\treturn -EFAULT;\n\t\tgpa = 0;\n\t} else if (gpa == KVM_S390_STORE_STATUS_PREFIXED) {\n\t\tif (write_guest_real(vcpu, 163, &archmode, 1))\n\t\t\treturn -EFAULT;\n\t\tgpa = px;\n\t} else\n\t\tgpa -= 
__LC_FPREGS_SAVE_AREA;\n\n\t/* manually convert vector registers if necessary */\n\tif (MACHINE_HAS_VX) {\n\t\tconvert_vx_to_fp(fprs, (__vector128 *) vcpu->run->s.regs.vrs);\n\t\trc = write_guest_abs(vcpu, gpa + __LC_FPREGS_SAVE_AREA,\n\t\t\t\t fprs, 128);\n\t} else {\n\t\trc = write_guest_abs(vcpu, gpa + __LC_FPREGS_SAVE_AREA,\n\t\t\t\t vcpu->run->s.regs.fprs, 128);\n\t}\n\trc |= write_guest_abs(vcpu, gpa + __LC_GPREGS_SAVE_AREA,\n\t\t\t vcpu->run->s.regs.gprs, 128);\n\trc |= write_guest_abs(vcpu, gpa + __LC_PSW_SAVE_AREA,\n\t\t\t &vcpu->arch.sie_block->gpsw, 16);\n\trc |= write_guest_abs(vcpu, gpa + __LC_PREFIX_SAVE_AREA,\n\t\t\t &px, 4);\n\trc |= write_guest_abs(vcpu, gpa + __LC_FP_CREG_SAVE_AREA,\n\t\t\t &vcpu->run->s.regs.fpc, 4);\n\trc |= write_guest_abs(vcpu, gpa + __LC_TOD_PROGREG_SAVE_AREA,\n\t\t\t &vcpu->arch.sie_block->todpr, 4);\n\tcputm = kvm_s390_get_cpu_timer(vcpu);\n\trc |= write_guest_abs(vcpu, gpa + __LC_CPU_TIMER_SAVE_AREA,\n\t\t\t &cputm, 8);\n\tclkcomp = vcpu->arch.sie_block->ckc >> 8;\n\trc |= write_guest_abs(vcpu, gpa + __LC_CLOCK_COMP_SAVE_AREA,\n\t\t\t &clkcomp, 8);\n\trc |= write_guest_abs(vcpu, gpa + __LC_AREGS_SAVE_AREA,\n\t\t\t &vcpu->run->s.regs.acrs, 64);\n\trc |= write_guest_abs(vcpu, gpa + __LC_CREGS_SAVE_AREA,\n\t\t\t &vcpu->arch.sie_block->gcr, 128);\n\treturn rc ? 
-EFAULT : 0;\n}", "project": "linux", "hash": 12885955888395057079212344459632693580, "size": 51, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354621 }, { "func": "static inline bool is_valid_warning(int severity)\n{\n /* Not a warning at all */\n if ((severity & ERR_MASK) != ERR_WARNING)\n return false;\n\n return WARN_IDX(severity) < ERR_WARN_ALL;\n}", "project": "nasm", "hash": 285735039324678270898077234910360892010, "size": 8, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257464 }, { "func": "apr_status_t h2_stream_send_frame(h2_stream *stream, int ftype, int flags, size_t frame_len)\n{\n apr_status_t status = APR_SUCCESS;\n int new_state, eos = 0;\n\n new_state = on_frame_send(stream->state, ftype);\n if (new_state < 0) {\n ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c, \n H2_STRM_MSG(stream, \"invalid frame %d send\"), ftype);\n AP_DEBUG_ASSERT(new_state > S_XXX);\n return transit(stream, new_state);\n }\n\n ++stream->out_frames;\n stream->out_frame_octets += frame_len;\n switch (ftype) {\n case 
NGHTTP2_DATA:\n eos = (flags & NGHTTP2_FLAG_END_STREAM);\n break;\n \n case NGHTTP2_HEADERS:\n eos = (flags & NGHTTP2_FLAG_END_STREAM);\n break;\n \n case NGHTTP2_PUSH_PROMISE:\n /* start pushed stream */\n ap_assert(stream->request == NULL);\n ap_assert(stream->rtmp != NULL);\n status = h2_stream_end_headers(stream, 1, 0);\n if (status != APR_SUCCESS) goto leave;\n break;\n \n default:\n break;\n }\n ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c, \n H2_STRM_MSG(stream, \"send frame %d, eos=%d\"), ftype, eos);\n status = transit(stream, new_state);\n if (status == APR_SUCCESS && eos) {\n status = transit(stream, on_event(stream, H2_SEV_CLOSED_L));\n }\nleave:\n return status;\n}", "project": "httpd", "hash": 41109174471567266012421277614396332374, "size": 44, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284255 }, { "func": "static u8 create_instance_scan_rsp_data(struct hci_dev *hdev, u8 instance,\n\t\t\t\t\tu8 *ptr)\n{\n\tstruct adv_info *adv_instance;\n\tu32 instance_flags;\n\tu8 scan_rsp_len = 0;\n\n\tadv_instance = hci_find_adv_instance(hdev, instance);\n\tif (!adv_instance)\n\t\treturn 0;\n\n\tinstance_flags = adv_instance->flags;\n\n\tif ((instance_flags & MGMT_ADV_FLAG_APPEARANCE) && hdev->appearance) {\n\t\tscan_rsp_len = append_appearance(hdev, ptr, scan_rsp_len);\n\t}\n\n\tmemcpy(&ptr[scan_rsp_len], adv_instance->scan_rsp_data,\n\t adv_instance->scan_rsp_len);\n\n\tscan_rsp_len += adv_instance->scan_rsp_len;\n\n\tif (instance_flags & MGMT_ADV_FLAG_LOCAL_NAME)\n\t\tscan_rsp_len = append_local_name(hdev, ptr, scan_rsp_len);\n\n\treturn scan_rsp_len;\n}", "project": "linux", "hash": 180971751114615872998900369214622662829, "size": 27, "commit_id": 
"e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402481 }, { "func": "zgetdevice(i_ctx_t *i_ctx_p)\n{\n os_ptr op = osp;\n const gx_device *dev;\n\n check_type(*op, t_integer);\n if (op->value.intval != (int)(op->value.intval))\n return_error(gs_error_rangecheck);\t/* won't fit in an int */\n dev = gs_getdevice((int)(op->value.intval));\n if (dev == 0)\t\t/* index out of range */\n return_error(gs_error_rangecheck);\n /* Device prototypes are read-only; */\n /* the cast is logically unnecessary. 
*/\n make_tav(op, t_device, avm_foreign | a_readonly, pdevice,\n (gx_device *) dev);\n return 0;\n}", "project": "ghostpdl", "hash": 38566537178530888857350237427621453184, "size": 17, "commit_id": "661e8d8fb8248c38d67958beda32f3a5876d0c3f", "message": "Bug 700176: check the *output* device for LockSafetyParams\n\nWhen calling .setdevice we were checking if LockSafetyParams was set, and if so\nthrowing an invalidaccess error.\n\nThe problem is, if another device, for example the pdf14 compositor is the 'top'\ndevice, that does not (and cannot) honour LockSafetyParams.\n\nTo solve this, we'll now use the (relatively new) gxdso_current_output_device\nspec_op to retrieve the *actual* output device, and check the LockSafetyParams\nflag in that.", "target": 0, "dataset": "other", "idx": 410246 }, { "func": "static void* exif_ifd_make_value(image_info_data *info_data,\n int motorola_intel) {\n size_t byte_count;\n char *value_ptr, *data_ptr;\n size_t i;\n\n image_info_value *info_value;\n\n byte_count =\n get_php_tiff_bytes_per_format(info_data->format) * info_data->length;\n size_t malloc_size = byte_count > 4 ? 
byte_count : 4;\n value_ptr = (char *)IM_MALLOC(malloc_size);\n CHECK_ALLOC_R(value_ptr, malloc_size, nullptr);\n memset(value_ptr, 0, 4);\n if (!info_data->length) {\n return value_ptr;\n }\n if (info_data->format == TAG_FMT_UNDEFINED ||\n info_data->format == TAG_FMT_STRING ||\n (byte_count>1 && (info_data->format == TAG_FMT_BYTE ||\n info_data->format == TAG_FMT_SBYTE))) {\n memmove(value_ptr, info_data->value.s, byte_count);\n return value_ptr;\n } else if (info_data->format == TAG_FMT_BYTE) {\n *value_ptr = info_data->value.u;\n return value_ptr;\n } else if (info_data->format == TAG_FMT_SBYTE) {\n *value_ptr = info_data->value.i;\n return value_ptr;\n } else {\n data_ptr = value_ptr;\n for(i=0; ilength; i++) {\n if (info_data->length==1) {\n info_value = &info_data->value;\n } else {\n info_value = &info_data->value.list[i];\n }\n switch(info_data->format) {\n case TAG_FMT_USHORT:\n php_ifd_set16u(data_ptr, info_value->u, motorola_intel);\n data_ptr += 2;\n break;\n case TAG_FMT_ULONG:\n php_ifd_set32u(data_ptr, info_value->u, motorola_intel);\n data_ptr += 4;\n break;\n case TAG_FMT_SSHORT:\n php_ifd_set16u(data_ptr, info_value->i, motorola_intel);\n data_ptr += 2;\n break;\n case TAG_FMT_SLONG:\n php_ifd_set32u(data_ptr, info_value->i, motorola_intel);\n data_ptr += 4;\n break;\n case TAG_FMT_URATIONAL:\n php_ifd_set32u(data_ptr, info_value->sr.num, motorola_intel);\n php_ifd_set32u(data_ptr+4, info_value->sr.den, motorola_intel);\n data_ptr += 8;\n break;\n case TAG_FMT_SRATIONAL:\n php_ifd_set32u(data_ptr, info_value->ur.num, motorola_intel);\n php_ifd_set32u(data_ptr+4, info_value->ur.den, motorola_intel);\n data_ptr += 8;\n break;\n case TAG_FMT_SINGLE:\n memmove(data_ptr, &info_value->f, 4);\n data_ptr += 4;\n break;\n case TAG_FMT_DOUBLE:\n memmove(data_ptr, &info_value->d, 8);\n data_ptr += 8;\n break;\n }\n }\n }\n return value_ptr;\n}", "project": "hhvm", "hash": 97712952996351415320721632598085769613, "size": 77, "commit_id": 
"08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219560 }, { "func": "static void kvm_free_vcpus(struct kvm *kvm)\n{\n\tunsigned int i;\n\tstruct kvm_vcpu *vcpu;\n\n\tkvm_for_each_vcpu(i, vcpu, kvm)\n\t\tkvm_vcpu_destroy(vcpu);\n\n\tmutex_lock(&kvm->lock);\n\tfor (i = 0; i < atomic_read(&kvm->online_vcpus); i++)\n\t\tkvm->vcpus[i] = NULL;\n\n\tatomic_set(&kvm->online_vcpus, 0);\n\tmutex_unlock(&kvm->lock);\n}", "project": "linux", "hash": 127819875380240112454872822210011018697, "size": 15, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354822 }, { "func": "inline int klinux_sigismember(const klinux_sigset_t *klinux_set,\n int klinux_sig) {\n uint64_t sig = klinux_sig - 1;\n return 1 & (klinux_set->klinux_val[0] >> sig);\n}", "project": "asylo", "hash": 141862359762970045230405572342148359931, "size": 5, "commit_id": "bda9772e7872b0d2b9bee32930cf7a4983837b39", "message": "Check input length in FromLinuxSockAddr\n\nPiperOrigin-RevId: 333785506\nChange-Id: I1d68fb8954665eebc1018d80ff995cbe9e7ed6a9", "target": 0, "dataset": "other", "idx": 263457 }, { "func": "static void io_uring_cancel_files(struct io_ring_ctx *ctx,\n\t\t\t\t struct files_struct *files)\n{\n\tif 
(list_empty_careful(&ctx->inflight_list))\n\t\treturn;\n\n\t/* cancel all at once, should be faster than doing it one by one*/\n\tio_wq_cancel_cb(ctx->io_wq, io_wq_files_match, files, true);\n\n\twhile (!list_empty_careful(&ctx->inflight_list)) {\n\t\tstruct io_kiocb *cancel_req = NULL, *req;\n\t\tDEFINE_WAIT(wait);\n\n\t\tspin_lock_irq(&ctx->inflight_lock);\n\t\tlist_for_each_entry(req, &ctx->inflight_list, inflight_entry) {\n\t\t\tif (req->work.files != files)\n\t\t\t\tcontinue;\n\t\t\t/* req is being completed, ignore */\n\t\t\tif (!refcount_inc_not_zero(&req->refs))\n\t\t\t\tcontinue;\n\t\t\tcancel_req = req;\n\t\t\tbreak;\n\t\t}\n\t\tif (cancel_req)\n\t\t\tprepare_to_wait(&ctx->inflight_wait, &wait,\n\t\t\t\t\t\tTASK_UNINTERRUPTIBLE);\n\t\tspin_unlock_irq(&ctx->inflight_lock);\n\n\t\t/* We need to keep going until we don't find a matching req */\n\t\tif (!cancel_req)\n\t\t\tbreak;\n\n\t\tif (cancel_req->flags & REQ_F_OVERFLOW) {\n\t\t\tspin_lock_irq(&ctx->completion_lock);\n\t\t\tlist_del(&cancel_req->compl.list);\n\t\t\tcancel_req->flags &= ~REQ_F_OVERFLOW;\n\n\t\t\tio_cqring_mark_overflow(ctx);\n\t\t\tWRITE_ONCE(ctx->rings->cq_overflow,\n\t\t\t\tatomic_inc_return(&ctx->cached_cq_overflow));\n\t\t\tio_commit_cqring(ctx);\n\t\t\tspin_unlock_irq(&ctx->completion_lock);\n\n\t\t\t/*\n\t\t\t * Put inflight ref and overflow ref. 
If that's\n\t\t\t * all we had, then we're done with this request.\n\t\t\t */\n\t\t\tif (refcount_sub_and_test(2, &cancel_req->refs)) {\n\t\t\t\tio_free_req(cancel_req);\n\t\t\t\tfinish_wait(&ctx->inflight_wait, &wait);\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t} else {\n\t\t\tio_wq_cancel_work(ctx->io_wq, &cancel_req->work);\n\t\t\tio_put_req(cancel_req);\n\t\t}\n\n\t\tschedule();\n\t\tfinish_wait(&ctx->inflight_wait, &wait);\n\t}\n}", "project": "linux", "hash": 121331718904647779571762509636068781511, "size": 61, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456953 }, { "func": "gdImagePtr gdImageCreateTrueColor (int sx, int sy)\n{\n\tint i;\n\tgdImagePtr im;\n\n\tif (overflow2(sx, sy)) {\n\t\treturn NULL;\n\t}\n\n\tif (overflow2(sizeof(unsigned char *), sy)) {\n\t\treturn NULL;\n\t}\n\n\tif (overflow2(sizeof(int), sx)) {\n\t\treturn NULL;\n\t}\n\n\tim = (gdImage *) gdMalloc(sizeof(gdImage));\n\tmemset(im, 0, sizeof(gdImage));\n\tim->tpixels = (int **) gdMalloc(sizeof(int *) * sy);\n\tim->AA_opacity = (unsigned char **) gdMalloc(sizeof(unsigned char *) * sy);\n\tim->polyInts = 0;\n\tim->polyAllocated = 0;\n\tim->brush = 0;\n\tim->tile = 0;\n\tim->style = 0;\n\tfor (i = 0; i < sy; i++) {\n\t\tim->tpixels[i] = (int *) gdCalloc(sx, sizeof(int));\n\t\tim->AA_opacity[i] = (unsigned char *) gdCalloc(sx, sizeof(unsigned char));\n\t}\n\tim->sx = sx;\n\tim->sy = sy;\n\tim->transparent = 
(-1);\n\tim->interlace = 0;\n\tim->trueColor = 1;\n\t/* 2.0.2: alpha blending is now on by default, and saving of alpha is\n\t * off by default. This allows font antialiasing to work as expected\n\t * on the first try in JPEGs -- quite important -- and also allows\n\t * for smaller PNGs when saving of alpha channel is not really\n\t * desired, which it usually isn't!\n\t */\n\tim->saveAlphaFlag = 0;\n\tim->alphaBlendingFlag = 1;\n\tim->thick = 1;\n\tim->AA = 0;\n\tim->AA_polygon = 0;\n\tim->cx1 = 0;\n\tim->cy1 = 0;\n\tim->cx2 = im->sx - 1;\n\tim->cy2 = im->sy - 1;\n\tim->interpolation = NULL;\n\tim->interpolation_id = GD_BILINEAR_FIXED;\n\treturn im;\n}", "project": "php-src", "hash": 204055890840392249307188644743967600353, "size": 54, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295126 }, { "func": " uint decimal_scale() const\n {\n return decimals < NOT_FIXED_DEC ? decimals :\n is_temporal_type_with_time(field_type()) ?\n TIME_SECOND_PART_DIGITS :\n MY_MIN(max_length, DECIMAL_MAX_SCALE);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 336060096048009587019696862837867602014, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509459 }, { "func": " VarDimArray order() const { return order_; }", "project": "tensorflow", "hash": 147308762391533567519057522463992555122, "size": 1, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277017 }, { "func": "static enum uni_interp SFDGetUniInterp(FILE *sfd, char *tok, SplineFont *sf) {\n int uniinterp = ui_none;\n int i;\n\n geteol(sfd,tok);\n for ( i=0; unicode_interp_names[i]!=NULL; ++i )\n\tif ( strcmp(tok,unicode_interp_names[i])==0 ) {\n\t uniinterp = i;\n break;\n\t}\n /* These values are now handled by namelists */\n if ( uniinterp == ui_adobe ) {\n\tsf->for_new_glyphs = NameListByName(\"AGL with PUA\");\n\tuniinterp = ui_none;\n } else if ( uniinterp == ui_greek ) {\n\tsf->for_new_glyphs = NameListByName(\"Greek small caps\");\n\tuniinterp = ui_none;\n } else if ( uniinterp == ui_ams ) {\n\tsf->for_new_glyphs = NameListByName(\"AMS Names\");\n\tuniinterp = ui_none;\n }\n\nreturn( uniinterp );\n}", "project": "fontforge", "hash": 232423068468597978273531354523836315750, "size": 24, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty 
sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417769 }, { "func": "static enum_func_status\nphp_mysqlnd_ok_read(void * _packet, MYSQLND_CONN_DATA * conn TSRMLS_DC)\n{\n\tzend_uchar local_buf[OK_BUFFER_SIZE];\n\tsize_t buf_len = conn->net->cmd_buffer.buffer? conn->net->cmd_buffer.length : OK_BUFFER_SIZE;\n\tzend_uchar *buf = conn->net->cmd_buffer.buffer? (zend_uchar *) conn->net->cmd_buffer.buffer : local_buf;\n\tzend_uchar *p = buf;\n\tzend_uchar *begin = buf;\n\tunsigned long i;\n\tregister MYSQLND_PACKET_OK *packet= (MYSQLND_PACKET_OK *) _packet;\n\n\tDBG_ENTER(\"php_mysqlnd_ok_read\");\n\n\tPACKET_READ_HEADER_AND_BODY(packet, conn, buf, buf_len, \"OK\", PROT_OK_PACKET);\n\tBAIL_IF_NO_MORE_DATA;\n\n\t/* Should be always 0x0 or ERROR_MARKER for error */\n\tpacket->field_count = uint1korr(p);\n\tp++;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tif (ERROR_MARKER == packet->field_count) {\n\t\tphp_mysqlnd_read_error_from_line(p, packet->header.size - 1,\n\t\t\t\t\t\t\t\t\t\t packet->error, sizeof(packet->error),\n\t\t\t\t\t\t\t\t\t\t &packet->error_no, packet->sqlstate\n\t\t\t\t\t\t\t\t\t\t TSRMLS_CC);\n\t\tDBG_INF_FMT(\"conn->server_status=%u\", conn->upsert_status->server_status);\n\t\tDBG_RETURN(PASS);\n\t}\n\t/* Everything was fine! 
*/\n\tpacket->affected_rows = php_mysqlnd_net_field_length_ll(&p);\n\tBAIL_IF_NO_MORE_DATA;\n\n\tpacket->last_insert_id = php_mysqlnd_net_field_length_ll(&p);\n\tBAIL_IF_NO_MORE_DATA;\n\n\tpacket->server_status = uint2korr(p);\n\tp+= 2;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tpacket->warning_count = uint2korr(p);\n\tp+= 2;\n\tBAIL_IF_NO_MORE_DATA;\n\n\t/* There is a message */\n\tif (packet->header.size > (size_t) (p - buf) && (i = php_mysqlnd_net_field_length(&p))) {\n\t\tpacket->message_len = MIN(i, buf_len - (p - begin));\n\t\tpacket->message = mnd_pestrndup((char *)p, packet->message_len, FALSE);\n\t} else {\n\t\tpacket->message = NULL;\n\t\tpacket->message_len = 0;\n\t}\n\n\tDBG_INF_FMT(\"OK packet: aff_rows=%lld last_ins_id=%ld server_status=%u warnings=%u\",\n\t\t\t\tpacket->affected_rows, packet->last_insert_id, packet->server_status,\n\t\t\t\tpacket->warning_count);\n\n\tBAIL_IF_NO_MORE_DATA;\n\n\tDBG_RETURN(PASS);\npremature_end:\n\tDBG_ERR_FMT(\"OK packet %d bytes shorter than expected\", p - begin - packet->header.size);\n\tphp_error_docref(NULL TSRMLS_CC, E_WARNING, \"OK packet \"MYSQLND_SZ_T_SPEC\" bytes shorter than expected\",\n\t\t\t\t\t p - begin - packet->header.size);\n\tDBG_RETURN(FAIL);", "project": "php-src", "hash": 108624543677672475673288086902662832206, "size": 65, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416684 }, { "func": "static int kvm_s390_set_cmma_bits(struct kvm *kvm,\n\t\t\t\t const struct kvm_s390_cmma_log *args)\n{\n\tunsigned long hva, mask, pgstev, i;\n\tuint8_t *bits;\n\tint srcu_idx, r = 0;\n\n\tmask = args->mask;\n\n\tif (!kvm->arch.use_cmma)\n\t\treturn -ENXIO;\n\t/* invalid/unsupported flags */\n\tif (args->flags != 0)\n\t\treturn -EINVAL;\n\t/* Enforce sane limit on memory allocation */\n\tif (args->count > KVM_S390_CMMA_SIZE_MAX)\n\t\treturn -EINVAL;\n\t/* Nothing to do */\n\tif (args->count == 
0)\n\t\treturn 0;\n\n\tbits = vmalloc(array_size(sizeof(*bits), args->count));\n\tif (!bits)\n\t\treturn -ENOMEM;\n\n\tr = copy_from_user(bits, (void __user *)args->values, args->count);\n\tif (r) {\n\t\tr = -EFAULT;\n\t\tgoto out;\n\t}\n\n\tdown_read(&kvm->mm->mmap_sem);\n\tsrcu_idx = srcu_read_lock(&kvm->srcu);\n\tfor (i = 0; i < args->count; i++) {\n\t\thva = gfn_to_hva(kvm, args->start_gfn + i);\n\t\tif (kvm_is_error_hva(hva)) {\n\t\t\tr = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\n\t\tpgstev = bits[i];\n\t\tpgstev = pgstev << 24;\n\t\tmask &= _PGSTE_GPS_USAGE_MASK | _PGSTE_GPS_NODAT;\n\t\tset_pgste_bits(kvm->mm, hva, mask, pgstev);\n\t}\n\tsrcu_read_unlock(&kvm->srcu, srcu_idx);\n\tup_read(&kvm->mm->mmap_sem);\n\n\tif (!kvm->mm->context.uses_cmm) {\n\t\tdown_write(&kvm->mm->mmap_sem);\n\t\tkvm->mm->context.uses_cmm = 1;\n\t\tup_write(&kvm->mm->mmap_sem);\n\t}\nout:\n\tvfree(bits);\n\treturn r;\n}", "project": "linux", "hash": 280265359180130729911031183250377968785, "size": 57, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354686 }, { "func": "static ssize_t io_import_iovec(int rw, struct io_kiocb *req,\n\t\t\t struct iovec **iovec, struct iov_iter *iter,\n\t\t\t bool needs_lock)\n{\n\tvoid __user *buf = u64_to_user_ptr(req->rw.addr);\n\tsize_t sqe_len = req->rw.len;\n\tssize_t ret;\n\tu8 
opcode;\n\n\topcode = req->opcode;\n\tif (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {\n\t\t*iovec = NULL;\n\t\treturn io_import_fixed(req, rw, iter);\n\t}\n\n\t/* buffer index only valid with fixed read/write, or buffer select */\n\tif (req->buf_index && !(req->flags & REQ_F_BUFFER_SELECT))\n\t\treturn -EINVAL;\n\n\tif (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {\n\t\tif (req->flags & REQ_F_BUFFER_SELECT) {\n\t\t\tbuf = io_rw_buffer_select(req, &sqe_len, needs_lock);\n\t\t\tif (IS_ERR(buf)) {\n\t\t\t\t*iovec = NULL;\n\t\t\t\treturn PTR_ERR(buf);\n\t\t\t}\n\t\t\treq->rw.len = sqe_len;\n\t\t}\n\n\t\tret = import_single_range(rw, buf, sqe_len, *iovec, iter);\n\t\t*iovec = NULL;\n\t\treturn ret < 0 ? ret : sqe_len;\n\t}\n\n\tif (req->io) {\n\t\tstruct io_async_rw *iorw = &req->io->rw;\n\n\t\tiov_iter_init(iter, rw, iorw->iov, iorw->nr_segs, iorw->size);\n\t\t*iovec = NULL;\n\t\treturn iorw->size;\n\t}\n\n\tif (req->flags & REQ_F_BUFFER_SELECT) {\n\t\tret = io_iov_buffer_select(req, *iovec, needs_lock);\n\t\tif (!ret) {\n\t\t\tret = (*iovec)->iov_len;\n\t\t\tiov_iter_init(iter, rw, *iovec, 1, ret);\n\t\t}\n\t\t*iovec = NULL;\n\t\treturn ret;\n\t}\n\n#ifdef CONFIG_COMPAT\n\tif (req->ctx->compat)\n\t\treturn compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,\n\t\t\t\t\t\tiovec, iter);\n#endif\n\n\treturn import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);\n}", "project": "linux", "hash": 107975642534168698639940628442059096448, "size": 60, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # 
v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456941 }, { "func": "TEST_F(ZNCTest, InvalidConfigInChan) {\n QFile conf(m_dir.path() + \"/configs/znc.conf\");\n ASSERT_TRUE(conf.open(QIODevice::Append | QIODevice::Text));\n QTextStream out(&conf);\n out << R\"(\n \n \n \n Invalid = Line\n \n \n \n )\";\n out.flush();\n auto znc = Run();\n znc->ShouldFinishItself(1);\n}", "project": "znc", "hash": 104503709948621957574469579547083434588, "size": 17, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231549 }, { "func": "TEST_F(ZNCTest, JoinKey) {\n QFile conf(m_dir.path() + \"/configs/znc.conf\");\n ASSERT_TRUE(conf.open(QIODevice::Append | QIODevice::Text));\n QTextStream(&conf) << \"ServerThrottle = 1\\n\";\n auto znc = Run();\n\n auto ircd = ConnectIRCd();\n auto client = LoginClient();\n ircd.Write(\":server 001 nick :Hello\");\n client.Write(\"JOIN #znc secret\");\n ircd.ReadUntil(\"JOIN #znc secret\");\n ircd.Write(\":nick JOIN :#znc\");\n client.ReadUntil(\"JOIN :#znc\");\n ircd.Close();\n\n ircd = ConnectIRCd();\n ircd.Write(\":server 001 nick :Hello\");\n ircd.ReadUntil(\"JOIN #znc secret\");\n}", "project": "znc", "hash": 162224489418738574947700002538769696851, "size": 19, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231558 }, { "func": "void free_underlaid_joins(THD *thd, SELECT_LEX *select)\n{\n for (SELECT_LEX_UNIT *unit= select->first_inner_unit();\n unit;\n unit= unit->next_unit())\n unit->cleanup();\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 273861763020787899535632151314684849545, "size": 7, "message": "MDEV-22464 Server crash on UPDATE with nested 
subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508701 }, { "func": "\tvoid InitCommand(unsigned int number)\n\t{\n\t\tsnprintf(numericstr, sizeof(numericstr), \"%03u\", number);\n\t\tSetCommand(numericstr);\n\t}", "project": "inspircd", "hash": 187349355340270507792574861178658340598, "size": 5, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273253 }, { "func": "\tNumeric(unsigned int num)\n\t\t: ClientProtocol::Message(NULL, ServerInstance->Config->GetServerName())\n\t{\n\t\tInitCommand(num);\n\t\tPushParam(\"*\");\n\t}", "project": "inspircd", "hash": 159610573069597941163290623798848324207, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273264 }, { "func": "void WebContents::AddNewContents(\n content::WebContents* source,\n std::unique_ptr new_contents,\n const GURL& target_url,\n WindowOpenDisposition disposition,\n const gfx::Rect& initial_rect,\n bool user_gesture,\n bool* was_blocked) {\n 
auto* tracker = ChildWebContentsTracker::FromWebContents(new_contents.get());\n DCHECK(tracker);\n\n v8::Locker locker(isolate());\n v8::HandleScope handle_scope(isolate());\n auto api_web_contents =\n CreateAndTake(isolate(), std::move(new_contents), Type::BROWSER_WINDOW);\n if (Emit(\"-add-new-contents\", api_web_contents, disposition, user_gesture,\n initial_rect.x(), initial_rect.y(), initial_rect.width(),\n initial_rect.height(), tracker->url, tracker->frame_name,\n tracker->referrer, tracker->raw_features, tracker->body)) {\n // TODO(zcbenz): Can we make this sync?\n api_web_contents->DestroyWebContents(true /* async */);\n }\n}", "project": "electron", "hash": 44605579430673646050364468184965905656, "size": 23, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269743 }, { "func": "static int hva_to_pfn_remapped(struct vm_area_struct *vma,\n\t\t\t unsigned long addr, bool *async,\n\t\t\t bool write_fault, bool *writable,\n\t\t\t kvm_pfn_t *p_pfn)\n{\n\tkvm_pfn_t pfn;\n\tpte_t *ptep;\n\tspinlock_t *ptl;\n\tint r;\n\n\tr = follow_pte(vma->vm_mm, addr, &ptep, &ptl);\n\tif (r) {\n\t\t/*\n\t\t * get_user_pages fails for VM_IO and VM_PFNMAP vmas and does\n\t\t * not call the fault handler, so do it here.\n\t\t */\n\t\tbool unlocked = false;\n\t\tr = fixup_user_fault(current->mm, addr,\n\t\t\t\t (write_fault ? 
FAULT_FLAG_WRITE : 0),\n\t\t\t\t &unlocked);\n\t\tif (unlocked)\n\t\t\treturn -EAGAIN;\n\t\tif (r)\n\t\t\treturn r;\n\n\t\tr = follow_pte(vma->vm_mm, addr, &ptep, &ptl);\n\t\tif (r)\n\t\t\treturn r;\n\t}\n\n\tif (write_fault && !pte_write(*ptep)) {\n\t\tpfn = KVM_PFN_ERR_RO_FAULT;\n\t\tgoto out;\n\t}\n\n\tif (writable)\n\t\t*writable = pte_write(*ptep);\n\tpfn = pte_pfn(*ptep);\n\n\t/*\n\t * Get a reference here because callers of *hva_to_pfn* and\n\t * *gfn_to_pfn* ultimately call kvm_release_pfn_clean on the\n\t * returned pfn. This is only needed if the VMA has VM_MIXEDMAP\n\t * set, but the kvm_get_pfn/kvm_release_pfn_clean pair will\n\t * simply do nothing for reserved pfns.\n\t *\n\t * Whoever called remap_pfn_range is also going to call e.g.\n\t * unmap_mapping_range before the underlying pages are freed,\n\t * causing a call to our MMU notifier.\n\t */ \n\tkvm_get_pfn(pfn);\n\nout:\n\tpte_unmap_unlock(ptep, ptl);\n\t*p_pfn = pfn;\n\treturn 0;\n}", "project": "linux", "hash": 260764785426289038088174052083851102831, "size": 57, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 1, "dataset": "other", "idx": 207984 }, { "func": "static int hva_to_pfn_remapped(struct vm_area_struct *vma,\n\t\t\t unsigned long addr, bool *async,\n\t\t\t bool write_fault, bool *writable,\n\t\t\t kvm_pfn_t *p_pfn)\n{\n\tunsigned long pfn;\n\tint r;\n\n\tr = follow_pfn(vma, addr, &pfn);\n\tif (r) {\n\t\t/*\n\t\t * get_user_pages fails for VM_IO and VM_PFNMAP vmas and does\n\t\t * not call the fault handler, so do it here.\n\t\t */\n\t\tbool unlocked = false;\n\t\tr = fixup_user_fault(current, current->mm, addr,\n\t\t\t\t (write_fault ? FAULT_FLAG_WRITE : 0),\n\t\t\t\t &unlocked);\n\t\tif (unlocked)\n\t\t\treturn -EAGAIN;\n\t\tif (r)\n\t\t\treturn r;\n\n\t\tr = follow_pfn(vma, addr, &pfn);\n\t\tif (r)\n\t\t\treturn r;\n\n\t}\n\n\tif (writable)\n\t\t*writable = true;\n\n\t/*\n\t * Get a reference here because callers of *hva_to_pfn* and\n\t * *gfn_to_pfn* ultimately call kvm_release_pfn_clean on the\n\t * returned pfn. 
This is only needed if the VMA has VM_MIXEDMAP\n\t * set, but the kvm_get_pfn/kvm_release_pfn_clean pair will\n\t * simply do nothing for reserved pfns.\n\t *\n\t * Whoever called remap_pfn_range is also going to call e.g.\n\t * unmap_mapping_range before the underlying pages are freed,\n\t * causing a call to our MMU notifier.\n\t */ \n\tkvm_get_pfn(pfn);\n\n\t*p_pfn = pfn;\n\treturn 0;\n}", "project": "linux", "hash": 165521394941430066219121110074385366168, "size": 48, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354807 }, { "func": "static int hva_to_pfn_remapped(struct vm_area_struct *vma,\n\t\t\t unsigned long addr, bool *async,\n\t\t\t bool write_fault, bool *writable,\n\t\t\t kvm_pfn_t *p_pfn)\n{\n\tkvm_pfn_t pfn;\n\tpte_t *ptep;\n\tspinlock_t *ptl;\n\tint r;\n\n\tr = follow_pte(vma->vm_mm, addr, &ptep, &ptl);\n\tif (r) {\n\t\t/*\n\t\t * get_user_pages fails for VM_IO and VM_PFNMAP vmas and does\n\t\t * not call the fault handler, so do it here.\n\t\t */\n\t\tbool unlocked = false;\n\t\tr = fixup_user_fault(current->mm, addr,\n\t\t\t\t (write_fault ? 
FAULT_FLAG_WRITE : 0),\n\t\t\t\t &unlocked);\n\t\tif (unlocked)\n\t\t\treturn -EAGAIN;\n\t\tif (r)\n\t\t\treturn r;\n\n\t\tr = follow_pte(vma->vm_mm, addr, &ptep, &ptl);\n\t\tif (r)\n\t\t\treturn r;\n\t}\n\n\tif (write_fault && !pte_write(*ptep)) {\n\t\tpfn = KVM_PFN_ERR_RO_FAULT;\n\t\tgoto out;\n\t}\n\n\tif (writable)\n\t\t*writable = pte_write(*ptep);\n\tpfn = pte_pfn(*ptep);\n\n\t/*\n\t * Get a reference here because callers of *hva_to_pfn* and\n\t * *gfn_to_pfn* ultimately call kvm_release_pfn_clean on the\n\t * returned pfn. This is only needed if the VMA has VM_MIXEDMAP\n\t * set, but the kvm_get_pfn/kvm_release_pfn_clean pair will\n\t * simply do nothing for reserved pfns.\n\t *\n\t * Whoever called remap_pfn_range is also going to call e.g.\n\t * unmap_mapping_range before the underlying pages are freed,\n\t * causing a call to our MMU notifier.\n\t *\n\t * Certain IO or PFNMAP mappings can be backed with valid\n\t * struct pages, but be allocated without refcounting e.g.,\n\t * tail pages of non-compound higher order allocations, which\n\t * would then underflow the refcount when the caller does the\n\t * required put_page. Don't allow those pages here.\n\t */ \n\tif (!kvm_try_get_pfn(pfn))\n\t\tr = -EFAULT;\n\nout:\n\tpte_unmap_unlock(ptep, ptl);\n\t*p_pfn = pfn;\n\n\treturn r;\n}", "project": "linux", "hash": 119627960290880640791677244710201346582, "size": 65, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404071 }, { "func": "static fmode_t _nfs4_ctx_to_openmode(const struct nfs_open_context *ctx)\n{\n\tfmode_t ret = ctx->mode & (FMODE_READ|FMODE_WRITE);\n\n\treturn (ctx->mode & FMODE_EXEC) ? FMODE_READ | ret : ret;\n}", "project": "linux", "hash": 251368460972945072390879560915632825448, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431102 }, { "func": "TfLiteStatus Subgraph::Invoke() {\n SubgraphGuard guard(&context_, &is_subgraph_in_use_);\n TF_LITE_ENSURE_OK(&context_, guard.status());\n\n if (!consistent_) {\n ReportError(\"Invoke called on model that is not consistent.\");\n return kTfLiteError;\n }\n\n TfLiteStatus status = kTfLiteOk;\n if (state_ == kStateUninvokable) {\n ReportError(\"Invoke called on model that is not ready.\");\n return kTfLiteError;\n } else if (memory_planner_ && !memory_planner_->HasNonPersistentMemory()) {\n ReportError(\"Non-persistent memory is not available.\");\n return kTfLiteError;\n }\n 
TFLITE_SCOPED_TAGGED_DEFAULT_PROFILE(profiler_.get(), \"Invoke\");\n\n // Invocations are always done in node order.\n // Note that calling Invoke repeatedly will cause the original memory plan to\n // be reused, unless either ResizeInputTensor() or AllocateTensors() has been\n // called.\n for (int execution_plan_index = 0;\n execution_plan_index < execution_plan_.size(); execution_plan_index++) {\n if (execution_plan_index == next_execution_plan_index_to_prepare_) {\n TF_LITE_ENSURE_STATUS(PrepareOpsAndTensors());\n TF_LITE_ENSURE(&context_, next_execution_plan_index_to_prepare_ >=\n execution_plan_index);\n }\n int node_index = execution_plan_[execution_plan_index];\n TfLiteNode& node = nodes_and_registration_[node_index].first;\n const TfLiteRegistration& registration =\n nodes_and_registration_[node_index].second;\n\n const char* op_name = nullptr;\n if (profiler_) op_name = GetTFLiteOpName(registration);\n TFLITE_SCOPED_TAGGED_OPERATOR_PROFILE(profiler_.get(), op_name, node_index);\n\n for (int i = 0; i < node.inputs->size; ++i) {\n int tensor_index = node.inputs->data[i];\n if (tensor_index == kTfLiteOptionalTensor) {\n continue;\n }\n TfLiteTensor* tensor = &tensors_[tensor_index];\n if (tensor->delegate && tensor->delegate != node.delegate &&\n tensor->data_is_stale) {\n TF_LITE_ENSURE_STATUS(EnsureTensorDataIsReadable(tensor_index));\n }\n if (tensor->data.raw == nullptr && tensor->bytes > 0) {\n if (registration.builtin_code == kTfLiteBuiltinReshape && i == 1 &&\n tensor->dims->size != 1) {\n // In general, having a tensor here with no buffer will be an error.\n // However, for the reshape operator, the second input tensor is\n // sometimes only used for the shape, not for the data. Thus, null\n // buffer is ok in this situation.\n // The situation where null buffer is not ok for reshape operator is\n // only when there are 2 inputs given to the node and the one\n // corresponding to the shape (i == 1) is a vector that contains all\n // dimensions. 
See `GetOutputShape()` function in\n // `tensorflow/lite/kernels/reshape.cc`\n continue;\n } else {\n // In all other cases, we need to return an error as otherwise we will\n // trigger a null pointer dereference (likely).\n ReportError(\"Input tensor %d lacks data\", tensor_index);\n return kTfLiteError;\n }\n }\n }\n\n if (check_cancelled_func_ != nullptr &&\n check_cancelled_func_(cancellation_data_)) {\n ReportError(\"Client requested cancel during Invoke()\");\n return kTfLiteError;\n }\n\n EnsureTensorsVectorCapacity();\n tensor_resized_since_op_invoke_ = false;\n if (OpInvoke(registration, &node) != kTfLiteOk) {\n return ReportOpError(&context_, node, registration, node_index,\n \"failed to invoke\");\n }\n\n // Force execution prep for downstream ops if the latest op triggered the\n // resize of a dynamic tensor.\n if (tensor_resized_since_op_invoke_ &&\n HasDynamicTensor(context_, node.outputs)) {\n next_execution_plan_index_to_prepare_ = execution_plan_index + 1;\n\n // This happens when an intermediate dynamic tensor is resized.\n // We don't have to prepare all the ops, but we need to recompute\n // the allocation plan.\n if (next_execution_plan_index_to_plan_allocation_ >\n next_execution_plan_index_to_prepare_) {\n next_execution_plan_index_to_plan_allocation_ =\n next_execution_plan_index_to_prepare_;\n if (memory_planner_) {\n TF_LITE_ENSURE_STATUS(memory_planner_->ResetAllocationsAfter(\n next_execution_plan_index_to_plan_allocation_ - 1));\n }\n }\n }\n }\n\n return status;\n}", "project": "tensorflow", "hash": 214418019246832139783576388598834115620, "size": 107, "commit_id": "c6173f5fe66cdbab74f4f869311fe6aae2ba35f4", "message": "TFLite: Error out when the graph has a recurion.\n\nRecursion is currently unsupported.\n\nPiperOrigin-RevId: 371708957\nChange-Id: I8dfad0d85cbfe08e39ae8ea7bad21254ddee5003", "target": 0, "dataset": "other", "idx": 269622 }, { "func": "static int sctp_getsockopt_enable_strreset(struct sock *sk, int len,\n\t\t\t\t\t 
char __user *optval,\n\t\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_assoc_value params;\n\tstruct sctp_association *asoc;\n\tint retval = -EFAULT;\n\n\tif (len < sizeof(params)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tlen = sizeof(params);\n\tif (copy_from_user(¶ms, optval, len))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params.assoc_id);\n\tif (!asoc && params.assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tparams.assoc_value = asoc ? asoc->strreset_enable\n\t\t\t\t : sctp_sk(sk)->ep->strreset_enable;\n\n\tif (put_user(len, optlen))\n\t\tgoto out;\n\n\tif (copy_to_user(optval, ¶ms, len))\n\t\tgoto out;\n\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 310857882155496481472338366808673051015, "size": 38, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398107 }, { "func": "static int x25_connect(struct socket *sock, struct sockaddr *uaddr,\n\t\t int addr_len, int flags)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct x25_sock *x25 = x25_sk(sk);\n\tstruct sockaddr_x25 *addr = (struct sockaddr_x25 *)uaddr;\n\tstruct x25_route *rt;\n\tint rc = 0;\n\n\tlock_sock(sk);\n\tif (sk->sk_state == TCP_ESTABLISHED && sock->state == SS_CONNECTING) {\n\t\tsock->state = SS_CONNECTED;\n\t\tgoto out; /* Connect completed during a ERESTARTSYS event */\n\t}\n\n\trc = -ECONNREFUSED;\n\tif (sk->sk_state == TCP_CLOSE && sock->state == SS_CONNECTING) {\n\t\tsock->state = SS_UNCONNECTED;\n\t\tgoto out;\n\t}\n\n\trc = -EISCONN;\t/* No reconnect on a seqpacket socket */\n\tif (sk->sk_state == TCP_ESTABLISHED)\n\t\tgoto out;\n\n\trc = -EALREADY;\t/* Do nothing if call is already in progress */\n\tif (sk->sk_state == TCP_SYN_SENT)\n\t\tgoto out;\n\n\tsk->sk_state = TCP_CLOSE;\n\tsock->state = SS_UNCONNECTED;\n\n\trc = -EINVAL;\n\tif (addr_len != sizeof(struct sockaddr_x25) ||\n\t addr->sx25_family != AF_X25 ||\n\t strnlen(addr->sx25_addr.x25_addr, X25_ADDR_LEN) == X25_ADDR_LEN)\n\t\tgoto out;\n\n\trc = -ENETUNREACH;\n\trt = x25_get_route(&addr->sx25_addr);\n\tif (!rt)\n\t\tgoto out;\n\n\tx25->neighbour = x25_get_neigh(rt->dev);\n\tif (!x25->neighbour)\n\t\tgoto out_put_route;\n\n\tx25_limit_facilities(&x25->facilities, x25->neighbour);\n\n\tx25->lci = x25_new_lci(x25->neighbour);\n\tif (!x25->lci)\n\t\tgoto out_put_neigh;\n\n\trc = -EINVAL;\n\tif (sock_flag(sk, SOCK_ZAPPED)) /* Must bind first - autobinding does not work */\n\t\tgoto out_put_neigh;\n\n\tif (!strcmp(x25->source_addr.x25_addr, null_x25_address.x25_addr))\n\t\tmemset(&x25->source_addr, '\\0', X25_ADDR_LEN);\n\n\tx25->dest_addr = addr->sx25_addr;\n\n\t/* Move to connecting socket, start sending Connect Requests */\n\tsock->state = SS_CONNECTING;\n\tsk->sk_state = TCP_SYN_SENT;\n\n\tx25->state = 
X25_STATE_1;\n\n\tx25_write_internal(sk, X25_CALL_REQUEST);\n\n\tx25_start_heartbeat(sk);\n\tx25_start_t21timer(sk);\n\n\t/* Now the loop */\n\trc = -EINPROGRESS;\n\tif (sk->sk_state != TCP_ESTABLISHED && (flags & O_NONBLOCK))\n\t\tgoto out;\n\n\trc = x25_wait_for_connection_establishment(sk);\n\tif (rc)\n\t\tgoto out_put_neigh;\n\n\tsock->state = SS_CONNECTED;\n\trc = 0;\nout_put_neigh:\n\tif (rc && x25->neighbour) {\n\t\tread_lock_bh(&x25_list_lock);\n\t\tx25_neigh_put(x25->neighbour);\n\t\tx25->neighbour = NULL;\n\t\tread_unlock_bh(&x25_list_lock);\n\t\tx25->state = X25_STATE_0;\n\t}\nout_put_route:\n\tx25_route_put(rt);\nout:\n\trelease_sock(sk);\n\treturn rc;\n}", "project": "net", "hash": 138209202926913207108585650655261822808, "size": 98, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 449166 }, { "func": "static int powered_update_hci(struct hci_request *req, unsigned long opt)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tu8 link_sec;\n\n\thci_dev_lock(hdev);\n\n\tif (hci_dev_test_flag(hdev, HCI_SSP_ENABLED) &&\n\t !lmp_host_ssp_capable(hdev)) {\n\t\tu8 mode = 0x01;\n\n\t\thci_req_add(req, HCI_OP_WRITE_SSP_MODE, sizeof(mode), &mode);\n\n\t\tif (bredr_sc_enabled(hdev) && !lmp_host_sc_capable(hdev)) {\n\t\t\tu8 support = 0x01;\n\n\t\t\thci_req_add(req, HCI_OP_WRITE_SC_SUPPORT,\n\t\t\t\t sizeof(support), &support);\n\t\t}\n\t}\n\n\tif (hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&\n\t lmp_bredr_capable(hdev)) {\n\t\tstruct hci_cp_write_le_host_supported cp;\n\n\t\tcp.le = 0x01;\n\t\tcp.simul = 0x00;\n\n\t\t/* Check first if we already have the right\n\t\t * host state (host features set)\n\t\t */\n\t\tif (cp.le != lmp_host_le_capable(hdev) ||\n\t\t cp.simul != lmp_host_le_br_capable(hdev))\n\t\t\thci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED,\n\t\t\t\t sizeof(cp), &cp);\n\t}\n\n\tif (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {\n\t\t/* Make sure the controller has a good default for\n\t\t * advertising data. 
This also applies to the case\n\t\t * where BR/EDR was toggled during the AUTO_OFF phase.\n\t\t */\n\t\tif (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||\n\t\t list_empty(&hdev->adv_instances)) {\n\t\t\tint err;\n\n\t\t\tif (ext_adv_capable(hdev)) {\n\t\t\t\terr = __hci_req_setup_ext_adv_instance(req,\n\t\t\t\t\t\t\t\t 0x00);\n\t\t\t\tif (!err)\n\t\t\t\t\t__hci_req_update_scan_rsp_data(req,\n\t\t\t\t\t\t\t\t 0x00);\n\t\t\t} else {\n\t\t\t\terr = 0;\n\t\t\t\t__hci_req_update_adv_data(req, 0x00);\n\t\t\t\t__hci_req_update_scan_rsp_data(req, 0x00);\n\t\t\t}\n\n\t\t\tif (hci_dev_test_flag(hdev, HCI_ADVERTISING)) {\n\t\t\t\tif (!ext_adv_capable(hdev))\n\t\t\t\t\t__hci_req_enable_advertising(req);\n\t\t\t\telse if (!err)\n\t\t\t\t\t__hci_req_enable_ext_advertising(req,\n\t\t\t\t\t\t\t\t\t 0x00);\n\t\t\t}\n\t\t} else if (!list_empty(&hdev->adv_instances)) {\n\t\t\tstruct adv_info *adv_instance;\n\n\t\t\tadv_instance = list_first_entry(&hdev->adv_instances,\n\t\t\t\t\t\t\tstruct adv_info, list);\n\t\t\t__hci_req_schedule_adv_instance(req,\n\t\t\t\t\t\t\tadv_instance->instance,\n\t\t\t\t\t\t\ttrue);\n\t\t}\n\t}\n\n\tlink_sec = hci_dev_test_flag(hdev, HCI_LINK_SECURITY);\n\tif (link_sec != test_bit(HCI_AUTH, &hdev->flags))\n\t\thci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE,\n\t\t\t sizeof(link_sec), &link_sec);\n\n\tif (lmp_bredr_capable(hdev)) {\n\t\tif (hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE))\n\t\t\t__hci_req_write_fast_connectable(req, true);\n\t\telse\n\t\t\t__hci_req_write_fast_connectable(req, false);\n\t\t__hci_req_update_scan(req);\n\t\t__hci_req_update_class(req);\n\t\t__hci_req_update_name(req);\n\t\t__hci_req_update_eir(req);\n\t}\n\n\thci_dev_unlock(hdev);\n\treturn 0;\n}", "project": "linux", "hash": 213130640370671730196682149588160213653, "size": 95, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between 
issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402537 }, { "func": "CtPtr ProtocolV1::client_ready() {\n ldout(cct, 20) << __func__ << dendl;\n\n // hooray!\n peer_global_seq = connect_reply.global_seq;\n connection->policy.lossy = connect_reply.flags & CEPH_MSG_CONNECT_LOSSY;\n\n once_ready = true;\n connect_seq += 1;\n ceph_assert(connect_seq == connect_reply.connect_seq);\n backoff = utime_t();\n connection->set_features((uint64_t)connect_reply.features &\n (uint64_t)connection->policy.features_supported);\n ldout(cct, 10) << __func__ << \" connect success \" << connect_seq\n << \", lossy = \" << connection->policy.lossy << \", features \"\n << connection->get_features() << dendl;\n\n // If we have an authorizer, get a new AuthSessionHandler to deal with\n // ongoing security of the connection. PLR\n if (auth_meta->authorizer) {\n ldout(cct, 10) << __func__ << \" setting up session_security with auth \"\n\t\t << auth_meta->authorizer.get() << dendl;\n session_security.reset(get_auth_session_handler(\n cct, auth_meta->authorizer->protocol,\n\tauth_meta->session_key,\n connection->get_features()));\n } else {\n // We have no authorizer, so we shouldn't be applying security to messages\n // in this AsyncConnection. 
PLR\n ldout(cct, 10) << __func__ << \" no authorizer, clearing session_security\"\n\t\t << dendl;\n session_security.reset();\n }\n\n if (connection->delay_state) {\n ceph_assert(connection->delay_state->ready());\n }\n connection->dispatch_queue->queue_connect(connection);\n messenger->ms_deliver_handle_fast_connect(connection);\n\n return ready();\n}", "project": "ceph", "hash": 50763611480618995943255619778966372729, "size": 42, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": "msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f (\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 0, "dataset": "other", "idx": 356888 }, { "func": "lua_text_pattern::lua_text_pattern(const string &_pattern)\n : translated(false), isvalid(true), pattern(_pattern),\n lua_fn_name(new_fn_name())\n{\n}", "project": "crawl", "hash": 229155740335488456095648684376034590328, "size": 5, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230492 }, { "func": "static int nfs41_lock_expired(struct nfs4_state *state, struct 
file_lock *request)\n{\n\tstruct nfs4_lock_state *lsp;\n\tint status;\n\n\tstatus = nfs4_set_lock_state(state, request);\n\tif (status != 0)\n\t\treturn status;\n\tlsp = request->fl_u.nfs4_fl.owner;\n\tif (test_bit(NFS_LOCK_INITIALIZED, &lsp->ls_flags) ||\n\t test_bit(NFS_LOCK_LOST, &lsp->ls_flags))\n\t\treturn 0;\n\treturn nfs4_lock_expired(state, request);\n}", "project": "linux", "hash": 214023070812042505946357128454877312381, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431304 }, { "func": "R_API bool r_core_init(RCore *core) {\n\tcore->blocksize = R_CORE_BLOCKSIZE;\n\tcore->block = (ut8 *)calloc (R_CORE_BLOCKSIZE + 1, 1);\n\tif (!core->block) {\n\t\teprintf (\"Cannot allocate %d byte(s)\\n\", R_CORE_BLOCKSIZE);\n\t\t/* XXX memory leak */\n\t\treturn false;\n\t}\n\tr_core_setenv (core);\n\tcore->ev = r_event_new (core);\n\tr_event_hook (core->ev, R_EVENT_ALL, cb_event_handler, NULL);\n\tcore->max_cmd_depth = R_CONS_CMD_DEPTH + 1;\n\tcore->sdb = sdb_new (NULL, \"r2kv.sdb\", 0); // XXX: path must be in home?\n\tcore->lastsearch = NULL;\n\tcore->cmdfilter = NULL;\n\tcore->switch_file_view = 0;\n\tcore->cmdremote = 0;\n\tcore->incomment = false;\n\tcore->config = NULL;\n\tcore->http_up = false;\n\tcore->use_tree_sitter_r2cmd = false;\n\tZERO_FILL (core->root_cmd_descriptor);\n\tcore->print = r_print_new ();\n\tcore->ropchain = r_list_newf ((RListFree)free);\n\tr_core_bind (core, &(core->print->coreb));\n\tcore->print->user = core;\n\tcore->print->num = core->num;\n\tcore->print->offname = 
r_core_print_offname;\n\tcore->print->offsize = r_core_print_offsize;\n\tcore->print->cb_printf = r_cons_printf;\n#if __WINDOWS__\n\tcore->print->cb_eprintf = win_eprintf;\n#endif\n\tcore->print->cb_color = r_cons_rainbow_get;\n\tcore->print->write = mywrite;\n\tcore->print->exists_var = exists_var;\n\tcore->print->disasm = __disasm;\n\tcore->print->colorfor = colorfor_cb;\n\tcore->print->hasrefs = hasrefs_cb;\n\tcore->print->get_comments = get_comments_cb;\n\tcore->print->get_section_name = get_section_name;\n\tcore->print->use_comments = false;\n\tcore->rtr_n = 0;\n\tcore->blocksize_max = R_CORE_BLOCKSIZE_MAX;\n\tr_core_task_scheduler_init (&core->tasks, core);\n\tcore->watchers = r_list_new ();\n\tcore->watchers->free = (RListFree)r_core_cmpwatch_free;\n\tcore->scriptstack = r_list_new ();\n\tcore->scriptstack->free = (RListFree)free;\n\tcore->log = r_core_log_new ();\n\tcore->times = R_NEW0 (RCoreTimes);\n\tcore->vmode = false;\n\tcore->printidx = 0;\n\tcore->lastcmd = NULL;\n\tcore->cmdlog = NULL;\n\tcore->stkcmd = NULL;\n\tcore->cmdqueue = NULL;\n\tcore->cmdrepeat = true;\n\tcore->yank_buf = r_buf_new ();\n\tcore->num = r_num_new (&num_callback, &str_callback, core);\n\tcore->egg = r_egg_new ();\n\tr_egg_setup (core->egg, R_SYS_ARCH, R_SYS_BITS, 0, R_SYS_OS);\n\n\tcore->undos = r_list_newf ((RListFree)r_core_undo_free);\n\tcore->fixedarch = false;\n\tcore->fixedbits = false;\n\n\t/* initialize libraries */\n\tcore->cons = r_cons_new ();\n\tif (core->cons->refcnt == 1) {\n\t\tcore->cons = r_cons_singleton ();\n\t\tif (core->cons->line) {\n\t\t\tcore->cons->line->user = core;\n\t\t\tcore->cons->line->cb_editor = \\\n\t\t\t\t(RLineEditorCb)&r_core_editor;\n\t\t\tcore->cons->line->cb_fkey = core->cons->cb_fkey;\n\t\t}\n#if __EMSCRIPTEN__\n\t\tcore->cons->user_fgets = NULL;\n#else\n\t\tcore->cons->user_fgets = (void *)r_core_fgets;\n#endif\n\t\t//r_line_singleton ()->user = (void *)core;\n\t\tr_line_hist_load (R2_HOME_HISTORY);\n\t}\n\tcore->print->cons = 
core->cons;\n\tr_cons_bind (&core->print->consbind);\n\n\t// We save the old num ad user, in order to restore it after free\n\tcore->lang = r_lang_new ();\n\tcore->lang->cmd_str = (char *(*)(void *, const char *))r_core_cmd_str;\n\tcore->lang->cmdf = (int (*)(void *, const char *, ...))r_core_cmdf;\n\tr_core_bind_cons (core);\n\tcore->lang->cb_printf = r_cons_printf;\n\tr_lang_define (core->lang, \"RCore\", \"core\", core);\n\tr_lang_set_user_ptr (core->lang, core);\n\tcore->assembler = r_asm_new ();\n\tcore->assembler->num = core->num;\n\tr_asm_set_user_ptr (core->assembler, core);\n\tcore->anal = r_anal_new ();\n\tcore->gadgets = r_list_newf ((RListFree)r_core_gadget_free);\n\tcore->anal->ev = core->ev;\n\tcore->anal->log = r_core_anal_log;\n\tcore->anal->read_at = r_core_anal_read_at;\n\tcore->anal->flag_get = r_core_flag_get_by_spaces;\n\tcore->anal->cb.on_fcn_new = on_fcn_new;\n\tcore->anal->cb.on_fcn_delete = on_fcn_delete;\n\tcore->anal->cb.on_fcn_rename = on_fcn_rename;\n\tcore->print->sdb_types = core->anal->sdb_types;\n\tcore->assembler->syscall = r_syscall_ref (core->anal->syscall); // BIND syscall anal/asm\n\tr_anal_set_user_ptr (core->anal, core);\n\tcore->anal->cb_printf = (void *) r_cons_printf;\n\tcore->parser = r_parse_new ();\n\tr_anal_bind (core->anal, &(core->parser->analb));\n\tcore->parser->varlist = r_anal_var_list;\n\t/// XXX shouhld be using coreb\n\tr_parse_set_user_ptr (core->parser, core);\n\tcore->bin = r_bin_new ();\n\tr_cons_bind (&core->bin->consb);\n\t// XXX we shuold use RConsBind instead of this hardcoded pointer\n\tcore->bin->cb_printf = (PrintfCallback) r_cons_printf;\n\tr_bin_set_user_ptr (core->bin, core);\n\tcore->io = r_io_new ();\n\tcore->io->ff = 1;\n\tcore->io->user = (void *)core;\n\tcore->io->cb_core_cmd = core_cmd_callback;\n\tcore->io->cb_core_cmdstr = core_cmdstr_callback;\n\tcore->io->cb_core_post_write = core_post_write_callback;\n\tcore->search = r_search_new (R_SEARCH_KEYWORD);\n\tr_io_undo_enable (core->io, 1, 
0); // TODO: configurable via eval\n\tcore->fs = r_fs_new ();\n\tcore->flags = r_flag_new ();\n\tcore->flags->cb_printf = r_cons_printf;\n\tcore->graph = r_agraph_new (r_cons_canvas_new (1, 1));\n\tcore->graph->need_reload_nodes = false;\n\tcore->asmqjmps_size = R_CORE_ASMQJMPS_NUM;\n\tif (sizeof (ut64) * core->asmqjmps_size < core->asmqjmps_size) {\n\t\tcore->asmqjmps_size = 0;\n\t\tcore->asmqjmps = NULL;\n\t} else {\n\t\tcore->asmqjmps = R_NEWS (ut64, core->asmqjmps_size);\n\t}\n\n\tr_bin_bind (core->bin, &(core->assembler->binb));\n\tr_bin_bind (core->bin, &(core->anal->binb));\n\tr_bin_bind (core->bin, &(core->anal->binb));\n\n\tr_io_bind (core->io, &(core->search->iob));\n\tr_io_bind (core->io, &(core->print->iob));\n\tr_io_bind (core->io, &(core->anal->iob));\n\tr_io_bind (core->io, &(core->fs->iob));\n\tr_cons_bind (&(core->fs->csb));\n\tr_core_bind (core, &(core->fs->cob));\n\tr_io_bind (core->io, &(core->bin->iob));\n\tr_flag_bind (core->flags, &(core->anal->flb));\n\tcore->anal->flg_class_set = core_flg_class_set;\n\tcore->anal->flg_class_get = core_flg_class_get;\n\tcore->anal->flg_fcn_set = core_flg_fcn_set;\n\tr_anal_bind (core->anal, &(core->parser->analb));\n\tcore->parser->flag_get = r_core_flag_get_by_spaces;\n\tcore->parser->label_get = r_anal_fcn_label_at;\n\n\tr_core_bind (core, &(core->anal->coreb));\n\n\tcore->file = NULL;\n\tcore->files = r_list_newf ((RListFree)r_core_file_free);\n\tcore->offset = 0LL;\n\tcore->prompt_offset = 0LL;\n\tr_core_cmd_init (core);\n\tcore->dbg = r_debug_new (true);\n\n\tr_io_bind (core->io, &(core->dbg->iob));\n\tr_io_bind (core->io, &(core->dbg->bp->iob));\n\tr_core_bind (core, &core->dbg->corebind);\n\tr_core_bind (core, &core->dbg->bp->corebind);\n\tcore->dbg->anal = core->anal; // XXX: dupped instance.. 
can cause lost pointerz\n\t//r_debug_use (core->dbg, \"native\");\n// XXX pushing uninitialized regstate results in trashed reg values\n//\tr_reg_arena_push (core->dbg->reg); // create a 2 level register state stack\n//\tcore->dbg->anal->reg = core->anal->reg; // XXX: dupped instance.. can cause lost pointerz\n\tcore->io->cb_printf = r_cons_printf;\n\tcore->dbg->cb_printf = r_cons_printf;\n\tcore->dbg->bp->cb_printf = r_cons_printf;\n\tcore->dbg->ev = core->ev;\n\t// initialize config before any corebind\n\tr_core_config_init (core);\n\n\tr_core_loadlibs_init (core);\n\t//r_core_loadlibs (core);\n\n\t// TODO: get arch from r_bin or from native arch\n\tr_asm_use (core->assembler, R_SYS_ARCH);\n\tr_anal_use (core->anal, R_SYS_ARCH);\n\tif (R_SYS_BITS & R_SYS_BITS_64) {\n\t\tr_config_set_i (core->config, \"asm.bits\", 64);\n\t} else {\n\t\tif (R_SYS_BITS & R_SYS_BITS_32) {\n\t\t\tr_config_set_i (core->config, \"asm.bits\", 32);\n\t\t}\n\t}\n\tr_config_set (core->config, \"asm.arch\", R_SYS_ARCH);\n\tr_bp_use (core->dbg->bp, R_SYS_ARCH, core->anal->bits);\n\tupdate_sdb (core);\n\t{\n\t\tchar *a = r_str_r2_prefix (R2_FLAGS);\n\t\tif (a) {\n\t\t\tchar *file = r_str_newf (\"%s/tags.r2\", a);\n\t\t\t(void)r_core_run_script (core, file);\n\t\t\tfree (file);\n\t\t\tfree (a);\n\t\t}\n\t}\n\tr_core_anal_type_init (core);\n\t__init_autocomplete (core);\n\treturn 0;\n}", "project": "radare2", "hash": 65264357371373169483954119837735415493, "size": 216, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232167 }, { "func": "int tipc_node_xmit_skb(struct net *net, struct sk_buff *skb, u32 dnode,\n\t\t u32 selector)\n{\n\tstruct sk_buff_head head;\n\n\t__skb_queue_head_init(&head);\n\t__skb_queue_tail(&head, skb);\n\ttipc_node_xmit(net, &head, dnode, selector);\n\treturn 0;\n}", "project": "linux", "hash": 182044953146707051827380928256603820271, "size": 10, "commit_id": 
"0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n 
__do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n 
do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364976 }, { "func": "void tracing_start(void)\n{\n\tstruct ring_buffer *buffer;\n\tunsigned long flags;\n\n\tif (tracing_disabled)\n\t\treturn;\n\n\traw_spin_lock_irqsave(&global_trace.start_lock, flags);\n\tif (--global_trace.stop_count) {\n\t\tif (global_trace.stop_count < 0) {\n\t\t\t/* Someone screwed up their debugging */\n\t\t\tWARN_ON_ONCE(1);\n\t\t\tglobal_trace.stop_count = 0;\n\t\t}\n\t\tgoto out;\n\t}\n\n\t/* Prevent the buffers from switching */\n\tarch_spin_lock(&global_trace.max_lock);\n\n\tbuffer = global_trace.trace_buffer.buffer;\n\tif (buffer)\n\t\tring_buffer_record_enable(buffer);\n\n#ifdef CONFIG_TRACER_MAX_TRACE\n\tbuffer = global_trace.max_buffer.buffer;\n\tif (buffer)\n\t\tring_buffer_record_enable(buffer);\n#endif\n\n\tarch_spin_unlock(&global_trace.max_lock);\n\n out:\n\traw_spin_unlock_irqrestore(&global_trace.start_lock, flags);\n}", "project": "linux", "hash": 86262480888928660765078302352718866159, "size": 36, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445612 }, { "func": "__be32 *xdr_encode_opaque(__be32 *p, const void *ptr, unsigned int nbytes)\n{\n\t*p++ = cpu_to_be32(nbytes);\n\treturn xdr_encode_opaque_fixed(p, ptr, nbytes);\n}", "project": "linux", "hash": 337265523703772103040358953908265313840, "size": 5, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481056 }, { "func": "static int parserange(char *str, uint32_t *uid, uint32_t *last,\n\t\t char **msgid, struct backend **ret)\n{\n const char *p = NULL;\n char *mboxname;\n int r = 0;\n\n *uid = 0;\n if (last) *last = 0;\n if (msgid) *msgid = NULL;\n if (ret) *ret = NULL;\n\n if (!str || !*str) {\n\t/* no argument, use current article */\n\tif (backend_current) {\n\t if (ret) *ret = backend_current;\n\t}\n\telse if (!group_state) goto noopengroup;\n\telse if (!nntp_current) goto nocurrent;\n\telse {\n\t *uid = index_getuid(group_state, nntp_current);\n\t if (last) *last = *uid;\n\t}\n }\n else if (*str == '<') {\n\t/* message-id, find server and/or mailbox */\n\tif (!msgid) goto badrange;\n\tif (!my_find_msgid(str, &mboxname, uid)) goto nomsgid;\n\n\t*msgid = str;\n\n\t/* open group if its different from our current one */\n\tif (!group_state || strcmp(mboxname, group_state->mailbox->name)) {\n\t if ((r = open_group(mboxname, 1, ret, NULL))) goto nomsgid;\n\t}\n }\n else if (backend_current)\n\t*ret = backend_current;\n else if (!group_state) goto noopengroup;\n else if (parseuint32(str, &p, uid) || uid == 0) goto badrange;\n else if (p && *p) {\n\t/* extra stuff, check for range */\n\tif (!last || (*p != '-')) goto badrange;\n\tif (*++p) {\n\t if (parseuint32(p, NULL, last))\n\t\t*last = 0;\n\t}\n\telse\n\t *last = UINT32_MAX; /* open range -> use highest possible UID */\n }\n\n if (last && !*last) *last = *uid;\n\n return 0;\n\n noopengroup:\n prot_printf(nntp_out, \"412 No newsgroup selected\\r\\n\");\n return -1;\n\n nocurrent:\n prot_printf(nntp_out, \"420 Current article number is invalid\\r\\n\");\n 
return -1;\n\n nomsgid:\n prot_printf(nntp_out, \"430 No article found with that message-id\");\n if (r) prot_printf(nntp_out, \" (%s)\", error_message(r));\n prot_printf(nntp_out, \"\\r\\n\");\n return -1;\n\n badrange:\n prot_printf(nntp_out, \"501 Bad message-id, message number, or range\\r\\n\");\n return -1;\n}", "project": "cyrus-imapd", "hash": 6167441135182755989944764184035836029, "size": 73, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451907 }, { "func": "static int kvm_hv_vcpu_init(struct kvm_vcpu *vcpu)\n{\n\tstruct kvm_vcpu_hv *hv_vcpu;\n\tint i;\n\n\thv_vcpu = kzalloc(sizeof(struct kvm_vcpu_hv), GFP_KERNEL_ACCOUNT);\n\tif (!hv_vcpu)\n\t\treturn -ENOMEM;\n\n\tvcpu->arch.hyperv = hv_vcpu;\n\thv_vcpu->vcpu = vcpu;\n\n\tsynic_init(&hv_vcpu->synic);\n\n\tbitmap_zero(hv_vcpu->stimer_pending_bitmap, HV_SYNIC_STIMER_COUNT);\n\tfor (i = 0; i < ARRAY_SIZE(hv_vcpu->stimer); i++)\n\t\tstimer_init(&hv_vcpu->stimer[i], i);\n\n\thv_vcpu->vp_index = kvm_vcpu_get_idx(vcpu);\n\n\treturn 0;\n}", "project": "linux", "hash": 220816799584764099533469309654717571552, "size": 22, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n 
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343526 }, { "func": "void tipc_node_unsubscribe(struct net *net, struct list_head *subscr, u32 addr)\n{\n\tstruct tipc_node *n;\n\n\tif (in_own_node(net, addr))\n\t\treturn;\n\n\tn = tipc_node_find(net, addr);\n\tif (!n) {\n\t\tpr_warn(\"Node unsubscribe rejected, unknown node 0x%x\\n\", addr);\n\t\treturn;\n\t}\n\ttipc_node_write_lock(n);\n\tlist_del_init(subscr);\n\ttipc_node_write_unlock_fast(n);\n\ttipc_node_put(n);\n}", "project": "linux", "hash": 74604193619775447840735602209124554814, "size": 17, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google 
Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 
0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364912 }, { "func": "static void cliprdr_write_lock_clipdata(wStream* s,\n const CLIPRDR_LOCK_CLIPBOARD_DATA* lockClipboardData)\n{\n\tcliprdr_write_lock_unlock_clipdata(s, lockClipboardData->clipDataId);\n}", "project": "FreeRDP", "hash": 101844335629430643268514042659151470580, "size": 5, "commit_id": "b73143cf7ee5fe4cdabcbf56908aa15d8a883821", "message": "Fixed oob read in cliprdr_read_format_list", "target": 0, "dataset": "other", "idx": 388308 }, { "func": "static int dist_cache_touch(struct rar5* rar, int idx) {\n\tint* q = rar->cstate.dist_cache;\n\tint i, dist = q[idx];\n\n\tfor(i = idx; i > 0; i--)\n\t\tq[i] = q[i - 1];\n\n\tq[0] = dist;\n\treturn dist;\n}", "project": "libarchive", "hash": 142992688766902161559830717454002408643, "size": 10, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244816 }, { "func": "\nstatic int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr)\n{\n\tint submitted = 0;\n\n\t/* make sure SQ entry isn't read before tail */\n\tnr = min3(nr, ctx->sq_entries, io_sqring_entries(ctx));\n\n\tif (!percpu_ref_tryget_many(&ctx->refs, nr))\n\t\treturn -EAGAIN;\n\n\tpercpu_counter_add(¤t->io_uring->inflight, nr);\n\trefcount_add(nr, ¤t->usage);\n\tio_submit_state_start(&ctx->submit_state, nr);\n\n\twhile (submitted < nr) {\n\t\tconst struct io_uring_sqe *sqe;\n\t\tstruct io_kiocb *req;\n\n\t\treq = io_alloc_req(ctx);\n\t\tif (unlikely(!req)) {\n\t\t\tif (!submitted)\n\t\t\t\tsubmitted = -EAGAIN;\n\t\t\tbreak;\n\t\t}\n\t\tsqe = io_get_sqe(ctx);\n\t\tif (unlikely(!sqe)) {\n\t\t\tkmem_cache_free(req_cachep, req);\n\t\t\tbreak;\n\t\t}\n\t\t/* will complete beyond this point, count as submitted */\n\t\tsubmitted++;\n\t\tif (io_submit_sqe(ctx, req, sqe))\n\t\t\tbreak;\n\t}\n\n\tif (unlikely(submitted != nr)) {\n\t\tint ref_used = (submitted == -EAGAIN) ? 
0 : submitted;\n\t\tstruct io_uring_task *tctx = current->io_uring;\n\t\tint unused = nr - ref_used;\n\n\t\tpercpu_ref_put_many(&ctx->refs, unused);\n\t\tpercpu_counter_sub(&tctx->inflight, unused);\n\t\tput_task_struct_many(current, unused);\n\t}\n\n\tio_submit_state_end(&ctx->submit_state, ctx);\n\t /* Commit SQ ring head once we've consumed and submitted all SQEs */\n\tio_commit_sqring(ctx);\n\n\treturn submitted;", "project": "linux", "hash": 284628122427103798484479023668606461660, "size": 51, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338638 }, { "func": "static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,\n\t\t\t struct file *ring_file, int ring_fd)\n{\n\tstruct io_submit_state state;\n\tstruct io_kiocb *link = NULL;\n\tint i, submitted = 0;\n\n\t/* if we have a backlog and couldn't flush it all, return BUSY */\n\tif (test_bit(0, &ctx->sq_check_overflow)) {\n\t\tif (!list_empty(&ctx->cq_overflow_list) &&\n\t\t !io_cqring_overflow_flush(ctx, false))\n\t\t\treturn -EBUSY;\n\t}\n\n\t/* make sure SQ entry isn't read before tail */\n\tnr = min3(nr, ctx->sq_entries, io_sqring_entries(ctx));\n\n\tif (!percpu_ref_tryget_many(&ctx->refs, nr))\n\t\treturn 
-EAGAIN;\n\n\tio_submit_state_start(&state, ctx, nr);\n\n\tctx->ring_fd = ring_fd;\n\tctx->ring_file = ring_file;\n\n\tfor (i = 0; i < nr; i++) {\n\t\tconst struct io_uring_sqe *sqe;\n\t\tstruct io_kiocb *req;\n\t\tint err;\n\n\t\tsqe = io_get_sqe(ctx);\n\t\tif (unlikely(!sqe)) {\n\t\t\tio_consume_sqe(ctx);\n\t\t\tbreak;\n\t\t}\n\t\treq = io_alloc_req(ctx, &state);\n\t\tif (unlikely(!req)) {\n\t\t\tif (!submitted)\n\t\t\t\tsubmitted = -EAGAIN;\n\t\t\tbreak;\n\t\t}\n\n\t\terr = io_init_req(ctx, req, sqe, &state);\n\t\tio_consume_sqe(ctx);\n\t\t/* will complete beyond this point, count as submitted */\n\t\tsubmitted++;\n\n\t\tif (unlikely(err)) {\nfail_req:\n\t\t\tio_put_req(req);\n\t\t\tio_req_complete(req, err);\n\t\t\tbreak;\n\t\t}\n\n\t\ttrace_io_uring_submit_sqe(ctx, req->opcode, req->user_data,\n\t\t\t\t\t\ttrue, io_async_submit(ctx));\n\t\terr = io_submit_sqe(req, sqe, &link, &state.comp);\n\t\tif (err)\n\t\t\tgoto fail_req;\n\t}\n\n\tif (unlikely(submitted != nr)) {\n\t\tint ref_used = (submitted == -EAGAIN) ? 
0 : submitted;\n\n\t\tpercpu_ref_put_many(&ctx->refs, nr - ref_used);\n\t}\n\tif (link)\n\t\tio_queue_link_head(link, &state.comp);\n\tio_submit_state_end(&state);\n\n\t /* Commit SQ ring head once we've consumed and submitted all SQEs */\n\tio_commit_sqring(ctx);\n\n\treturn submitted;\n}", "project": "linux", "hash": 242873395328275834106332849159636828766, "size": 75, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456924 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "bool WebGraphicsContext3DDefaultImpl::readBackFramebuffer(unsigned char* pixels, size_t bufferSize)\n{\n if (bufferSize != static_cast(4 * width() * height()))\n return false;\n\n makeContextCurrent();\n\n\n resolveMultisampledFramebuffer(0, 0, m_cachedWidth, m_cachedHeight);\n glBindFramebufferEXT(GL_FRAMEBUFFER_EXT, m_fbo);\n\n GLint packAlignment = 4;\n bool mustRestorePackAlignment = false;\n glGetIntegerv(GL_PACK_ALIGNMENT, &packAlignment);\n if (packAlignment > 4) {\n glPixelStorei(GL_PACK_ALIGNMENT, 4);\n mustRestorePackAlignment = true;\n }\n\n glReadPixels(0, 0, m_cachedWidth, m_cachedHeight, GL_BGRA, GL_UNSIGNED_BYTE, pixels);\n\n if (mustRestorePackAlignment)\n glPixelStorei(GL_PACK_ALIGNMENT, packAlignment);\n\n glBindFramebufferEXT(GL_FRAMEBUFFER_EXT, m_boundFBO);\n\n#ifdef FLIP_FRAMEBUFFER_VERTICALLY\n if (pixels)\n flipVertically(pixels, 
m_cachedWidth, m_cachedHeight);\n#endif\n\n return true;\n}\n", "cwe": "", "big_vul_idx": 99017, "idx": 89072, "hash": 301870838355393265185129945551505142253 }, { "func": "bool FromkLinuxSiginfo(const klinux_siginfo_t *input, siginfo_t *output) {\n if (!input || !output) {\n return false;\n }\n output->si_signo = FromkLinuxSignalNumber(input->si_signo);\n output->si_code = FromkLinuxSignalNumber(input->si_code);\n return true;\n}", "project": "asylo", "hash": 144874498809584382847691113440055511756, "size": 8, "commit_id": "bda9772e7872b0d2b9bee32930cf7a4983837b39", "message": "Check input length in FromLinuxSockAddr\n\nPiperOrigin-RevId: 333785506\nChange-Id: I1d68fb8954665eebc1018d80ff995cbe9e7ed6a9", "target": 0, "dataset": "other", "idx": 263473 }, { "func": "static bool hva_to_pfn_fast(unsigned long addr, bool write_fault,\n\t\t\t bool *writable, kvm_pfn_t *pfn)\n{\n\tstruct page *page[1];\n\tint npages;\n\n\t/*\n\t * Fast pin a writable pfn only if it is a write fault request\n\t * or the caller allows to map a writable pfn for a read fault\n\t * request.\n\t */\n\tif (!(write_fault || writable))\n\t\treturn false;\n\n\tnpages = __get_user_pages_fast(addr, 1, 1, page);\n\tif (npages == 1) {\n\t\t*pfn = page_to_pfn(page[0]);\n\n\t\tif (writable)\n\t\t\t*writable = true;\n\t\treturn true;\n\t}\n\n\treturn false;\n}", "project": "linux", "hash": 167073161450590742705788658564473033097, "size": 25, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: 
<20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354622 }, { "func": "static bool hva_to_pfn_fast(unsigned long addr, bool write_fault,\n\t\t\t bool *writable, kvm_pfn_t *pfn)\n{\n\tstruct page *page[1];\n\n\t/*\n\t * Fast pin a writable pfn only if it is a write fault request\n\t * or the caller allows to map a writable pfn for a read fault\n\t * request.\n\t */\n\tif (!(write_fault || writable))\n\t\treturn false;\n\n\tif (get_user_page_fast_only(addr, FOLL_WRITE, page)) {\n\t\t*pfn = page_to_pfn(page[0]);\n\n\t\tif (writable)\n\t\t\t*writable = true;\n\t\treturn true;\n\t}\n\n\treturn false;\n}", "project": "linux", "hash": 205917757214246327302310035338319189474, "size": 23, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404083 }, { "func": "static void nfs4_xdr_enc_rename(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\tconst void *data)\n{\n\tconst struct nfs_renameargs *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->old_dir, &hdr);\n\tencode_savefh(xdr, &hdr);\n\tencode_putfh(xdr, args->new_dir, &hdr);\n\tencode_rename(xdr, args->old_name, args->new_name, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 313073862523986301914883150858628935370, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431617 }, { "func": "static int trace_set_options(struct trace_array *tr, char *option)\n{\n\tchar *cmp;\n\tint neg = 0;\n\tint ret = -ENODEV;\n\tint i;\n\tsize_t orig_len = strlen(option);\n\n\tcmp = strstrip(option);\n\n\tif (strncmp(cmp, \"no\", 2) == 0) {\n\t\tneg = 
1;\n\t\tcmp += 2;\n\t}\n\n\tmutex_lock(&trace_types_lock);\n\n\tfor (i = 0; trace_options[i]; i++) {\n\t\tif (strcmp(cmp, trace_options[i]) == 0) {\n\t\t\tret = set_tracer_flag(tr, 1 << i, !neg);\n\t\t\tbreak;\n\t\t}\n\t}\n\n\t/* If no option could be set, test the specific tracer options */\n\tif (!trace_options[i])\n\t\tret = set_tracer_option(tr, cmp, neg);\n\n\tmutex_unlock(&trace_types_lock);\n\n\t/*\n\t * If the first trailing whitespace is replaced with '\\0' by strstrip,\n\t * turn it back into a space.\n\t */\n\tif (orig_len > strlen(option))\n\t\toption[strlen(option)] = ' ';\n\n\treturn ret;\n}", "project": "linux", "hash": 158664963126932102639151648681406642038, "size": 39, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445670 }, { "func": "static inline void tcp_rcv_rtt_measure(struct tcp_sock *tp)\n{\n\tif (tp->rcv_rtt_est.time == 0)\n\t\tgoto new_measure;\n\tif (before(tp->rcv_nxt, tp->rcv_rtt_est.seq))\n\t\treturn;\n\ttcp_rcv_rtt_update(tp, jiffies - tp->rcv_rtt_est.time, 1);\n\nnew_measure:\n\ttp->rcv_rtt_est.seq = tp->rcv_nxt + tp->rcv_wnd;\n\ttp->rcv_rtt_est.time = tcp_time_stamp;\n}", "project": "net-next", "hash": 252954956887700308005478912006655974867, "size": 12, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409851 }, { "func": "static int kvm_s390_get_tod_high(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tu8 gtod_high = 0;\n\n\tif (copy_to_user((void __user *)attr->addr, >od_high,\n\t\t\t\t\t sizeof(gtod_high)))\n\t\treturn -EFAULT;\n\tVM_EVENT(kvm, 3, \"QUERY: TOD extension: 0x%x\", gtod_high);\n\n\treturn 0;\n}", "project": "linux", "hash": 44076922097640757939142916434631424034, "size": 11, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354716 }, { "func": "gin::Handle WebContents::CreateAndTake(\n v8::Isolate* isolate,\n std::unique_ptr web_contents,\n Type type) {\n return gin::CreateHandle(\n isolate, new WebContents(isolate, std::move(web_contents), type));\n}", "project": "electron", "hash": 222134975986660895007898189444895627705, "size": 7, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269716 }, { "func": "static int 
detect_datev(\n\tsc_pkcs15_card_t *p15card\n){\n\tif(insert_cert(p15card,\"3000C500\", 0x45, 0, \"Signatur Zertifikat\")) return 1;\n\tset_string(&p15card->tokeninfo->manufacturer_id, \"DATEV\");\n\tset_string(&p15card->tokeninfo->label, \"DATEV Classic\");\n\n\tinsert_cert(p15card,\"DF02C200\", 0x46, 0, \"Verschluesselungs Zertifikat\");\n\tinsert_cert(p15card,\"DF02C500\", 0x47, 0, \"Authentifizierungs Zertifikat\");\n\n\tinsert_key(p15card,\"30005371\", 0x45, 0x82, 1024, 1, \"Signatur Schluessel\");\n\tinsert_key(p15card,\"DF0253B1\", 0x46, 0x81, 1024, 1, \"Verschluesselungs Schluessel\");\n\tinsert_key(p15card,\"DF025371\", 0x47, 0x82, 1024, 1, \"Authentifizierungs Schluessel\");\n\n\tinsert_pin(p15card,\"5001\", 1, 0, 0x01, 6, \"PIN\",\n\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | SC_PKCS15_PIN_FLAG_INITIALIZED\n\t);\n\n\treturn 0;\n}", "project": "OpenSC", "hash": 114699523237813016827649140040400777209, "size": 20, "commit_id": "5df913b7f57ad89b9832555d24c08d23a534311e", "message": "tcos: Check bounds in insert_pin()\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383", "target": 0, "dataset": "other", "idx": 243965 }, { "func": "void rfbScalingSetup(rfbClientPtr cl, int width, int height)\n{\n rfbScreenInfoPtr ptr;\n\n ptr = rfbScalingFind(cl,width,height);\n if (ptr==NULL)\n ptr = rfbScaledScreenAllocate(cl,width,height);\n /* Now, there is a new screen available (if ptr is not NULL) */\n if (ptr!=NULL)\n {\n /* Update it! 
*/\n if (ptr->scaledScreenRefCount<1)\n rfbScaledScreenUpdateRect(cl->screen, ptr, 0, 0, cl->screen->width, cl->screen->height);\n /*\n * rfbLog(\"Taking one from %dx%d-%d and adding it to %dx%d-%d\\n\",\n * cl->scaledScreen->width, cl->scaledScreen->height,\n * cl->scaledScreen->scaledScreenRefCount,\n * ptr->width, ptr->height, ptr->scaledScreenRefCount);\n */\n\n LOCK(cl->updateMutex);\n cl->scaledScreen->scaledScreenRefCount--;\n ptr->scaledScreenRefCount++;\n cl->scaledScreen=ptr;\n cl->newFBSizePending = TRUE;\n UNLOCK(cl->updateMutex);\n\n rfbLog(\"Scaling to %dx%d (refcount=%d)\\n\",width,height,ptr->scaledScreenRefCount);\n }\n else\n rfbLog(\"Scaling to %dx%d failed, leaving things alone\\n\",width,height);\n}", "project": "libvncserver", "hash": 292186202093243541733955764527821257144, "size": 32, "commit_id": "a6788d1da719ae006605b78d22f5a9f170b423af", "message": "libvncserver: scale: cast to 64 bit before shifting\n\nSince pixel_value is 64 bit the data type of the shift operand should\nbe 64 bit too to prevent integer overflows.", "target": 0, "dataset": "other", "idx": 296798 }, { "func": "HttpStateData::finishingBrokenPost()\n{\n#if USE_HTTP_VIOLATIONS\n if (!Config.accessList.brokenPosts) {\n debugs(11, 5, HERE << \"No brokenPosts list\");\n return false;\n }\n\n ACLFilledChecklist ch(Config.accessList.brokenPosts, originalRequest(), NULL);\n ch.al = fwd->al;\n ch.syncAle(originalRequest(), nullptr);\n if (!ch.fastCheck().allowed()) {\n debugs(11, 5, HERE << \"didn't match brokenPosts\");\n return false;\n }\n\n if (!Comm::IsConnOpen(serverConnection)) {\n debugs(11, 3, HERE << \"ignoring broken POST for closed \" << serverConnection);\n assert(closeHandler != NULL);\n return true; // prevent caller from proceeding as if nothing happened\n }\n\n debugs(11, 3, \"finishingBrokenPost: fixing broken POST\");\n typedef CommCbMemFunT Dialer;\n requestSender = JobCallback(11,5,\n Dialer, this, HttpStateData::wroteLast);\n Comm::Write(serverConnection, 
\"\\r\\n\", 2, requestSender, NULL);\n return true;\n#else\n return false;\n#endif /* USE_HTTP_VIOLATIONS */\n}", "project": "squid", "hash": 216016484772842462793172756961962305506, "size": 32, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402383 }, { "func": "int CLua::loadbuffer(const char *buf, size_t size, const char *context)\n{\n const int err = luaL_loadbuffer(state(), buf, size, context);\n set_error(err, state());\n return err;\n}", "project": "crawl", "hash": 149367917443424652101400754818033201907, "size": 6, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230513 }, { "func": "static __poll_t pidfd_poll(struct file *file, struct poll_table_struct *pts)\n{\n\tstruct pid *pid = file->private_data;\n\t__poll_t poll_flags = 0;\n\n\tpoll_wait(file, &pid->wait_pidfd, pts);\n\n\t/*\n\t * Inform pollers only when the whole thread group exits.\n\t * If the thread group leader exits before all other threads in the\n\t * group, then poll(2) should block, similar to the wait(2) family.\n\t */\n\tif (thread_group_exited(pid))\n\t\tpoll_flags = EPOLLIN | EPOLLRDNORM;\n\n\treturn poll_flags;\n}", "project": "linux", "hash": 176966392638968694079828335067918131657, "size": 17, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting 
->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293665 }, { "func": "void tracing_off(void)\n{\n\ttracer_tracing_off(&global_trace);\n}", "project": "linux", "hash": 324380580455878408365717676470770109916, "size": 4, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445624 }, { "func": "static int nfs4_write_done(struct rpc_task *task, struct nfs_pgio_header *hdr)\n{\n\tif (!nfs4_sequence_done(task, &hdr->res.seq_res))\n\t\treturn -EAGAIN;\n\tif (nfs4_write_stateid_changed(task, &hdr->args))\n\t\treturn -EAGAIN;\n\treturn hdr->pgio_done_cb ? 
hdr->pgio_done_cb(task, hdr) :\n\t\tnfs4_write_done_cb(task, hdr);\n}", "project": "linux", "hash": 68080591723826361213192728967557460587, "size": 9, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431157 }, { "func": "static void tcp_rtt_estimator(struct sock *sk, const __u32 mrtt)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tlong m = mrtt; /* RTT */\n\n\t/*\tThe following amusing code comes from Jacobson's\n\t *\tarticle in SIGCOMM '88. Note that rtt and mdev\n\t *\tare scaled versions of rtt and mean deviation.\n\t *\tThis is designed to be as fast as possible\n\t *\tm stands for \"measurement\".\n\t *\n\t *\tOn a 1990 paper the rto value is changed to:\n\t *\tRTO = rtt + 4 * mdev\n\t *\n\t * Funny. This algorithm seems to be very broken.\n\t * These formulae increase RTO, when it should be decreased, increase\n\t * too slowly, when it should be increased quickly, decrease too quickly\n\t * etc. I guess in BSD RTO takes ONE value, so that it is absolutely\n\t * does not matter how to _calculate_ it. Seems, it was trap\n\t * that VJ failed to avoid. 
8)\n\t */\n\tif (m == 0)\n\t\tm = 1;\n\tif (tp->srtt != 0) {\n\t\tm -= (tp->srtt >> 3);\t/* m is now error in rtt est */\n\t\ttp->srtt += m;\t\t/* rtt = 7/8 rtt + 1/8 new */\n\t\tif (m < 0) {\n\t\t\tm = -m;\t\t/* m is now abs(error) */\n\t\t\tm -= (tp->mdev >> 2); /* similar update on mdev */\n\t\t\t/* This is similar to one of Eifel findings.\n\t\t\t * Eifel blocks mdev updates when rtt decreases.\n\t\t\t * This solution is a bit different: we use finer gain\n\t\t\t * for mdev in this case (alpha*beta).\n\t\t\t * Like Eifel it also prevents growth of rto,\n\t\t\t * but also it limits too fast rto decreases,\n\t\t\t * happening in pure Eifel.\n\t\t\t */\n\t\t\tif (m > 0)\n\t\t\t\tm >>= 3;\n\t\t} else {\n\t\t\tm -= (tp->mdev >> 2); /* similar update on mdev */\n\t\t}\n\t\ttp->mdev += m;\t \t/* mdev = 3/4 mdev + 1/4 new */\n\t\tif (tp->mdev > tp->mdev_max) {\n\t\t\ttp->mdev_max = tp->mdev;\n\t\t\tif (tp->mdev_max > tp->rttvar)\n\t\t\t\ttp->rttvar = tp->mdev_max;\n\t\t}\n\t\tif (after(tp->snd_una, tp->rtt_seq)) {\n\t\t\tif (tp->mdev_max < tp->rttvar)\n\t\t\t\ttp->rttvar -= (tp->rttvar - tp->mdev_max) >> 2;\n\t\t\ttp->rtt_seq = tp->snd_nxt;\n\t\t\ttp->mdev_max = tcp_rto_min(sk);\n\t\t}\n\t} else {\n\t\t/* no previous measure. */\n\t\ttp->srtt = m << 3;\t/* take the measured time to be rtt */\n\t\ttp->mdev = m << 1;\t/* make sure rto = 3*rtt */\n\t\ttp->mdev_max = tp->rttvar = max(tp->mdev, tcp_rto_min(sk));\n\t\ttp->rtt_seq = tp->snd_nxt;\n\t}\n}", "project": "net-next", "hash": 253367187917757993234851751824946241227, "size": 62, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409837 }, { "func": "static int sst_donate_other (const char* method,\n const char* addr,\n const char* uuid,\n wsrep_seqno_t seqno,\n bool bypass,\n char** env) // carries auth info\n{\n int const cmd_len= 4096;\n wsp::string cmd_str(cmd_len);\n\n if (!cmd_str())\n {\n WSREP_ERROR(\"sst_donate_other(): \"\n \"could not allocate cmd buffer of %d bytes\", cmd_len);\n return -ENOMEM;\n }\n\n const char* binlog_opt= \"\";\n char* binlog_opt_val= NULL;\n\n int ret;\n if ((ret= generate_binlog_opt_val(&binlog_opt_val)))\n {\n WSREP_ERROR(\"sst_donate_other(): generate_binlog_opt_val() failed: %d\",ret);\n return ret;\n }\n if (strlen(binlog_opt_val)) binlog_opt= WSREP_SST_OPT_BINLOG;\n\n ret= snprintf (cmd_str(), cmd_len,\n \"wsrep_sst_%s \"\n WSREP_SST_OPT_ROLE\" 'donor' \"\n WSREP_SST_OPT_ADDR\" '%s' \"\n WSREP_SST_OPT_SOCKET\" '%s' \"\n WSREP_SST_OPT_DATA\" '%s' \"\n WSREP_SST_OPT_CONF\" '%s' \"\n WSREP_SST_OPT_CONF_SUFFIX\" '%s' \"\n \" %s '%s' \"\n WSREP_SST_OPT_GTID\" '%s:%lld'\"\n \"%s\",\n method, addr, mysqld_unix_port, mysql_real_data_home,\n wsrep_defaults_file, wsrep_defaults_group_suffix,\n binlog_opt, binlog_opt_val,\n uuid, (long long) seqno,\n bypass ? \" \" WSREP_SST_OPT_BYPASS : \"\");\n my_free(binlog_opt_val);\n\n if (ret < 0 || ret >= cmd_len)\n {\n WSREP_ERROR(\"sst_donate_other(): snprintf() failed: %d\", ret);\n return (ret < 0 ? 
ret : -EMSGSIZE);\n }\n\n if (!bypass && wsrep_sst_donor_rejects_queries) sst_reject_queries(FALSE);\n\n pthread_t tmp;\n sst_thread_arg arg(cmd_str(), env);\n mysql_mutex_lock (&arg.lock);\n ret = pthread_create (&tmp, NULL, sst_donor_thread, &arg);\n if (ret)\n {\n WSREP_ERROR(\"sst_donate_other(): pthread_create() failed: %d (%s)\",\n ret, strerror(ret));\n return ret;\n }\n mysql_cond_wait (&arg.cond, &arg.lock);\n\n WSREP_INFO(\"sst_donor_thread signaled with %d\", arg.err);\n return arg.err;\n}", "project": "mysql-wsrep", "hash": 244109464017124074418548869854291394313, "size": 69, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454789 }, { "func": "static void hci_phy_link_complete_evt(struct hci_dev *hdev,\n\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_phy_link_complete *ev = (void *) skb->data;\n\tstruct hci_conn *hcon, *bredr_hcon;\n\n\tBT_DBG(\"%s handle 0x%2.2x status 0x%2.2x\", hdev->name, ev->phy_handle,\n\t ev->status);\n\n\thci_dev_lock(hdev);\n\n\thcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);\n\tif (!hcon) {\n\t\thci_dev_unlock(hdev);\n\t\treturn;\n\t}\n\n\tif (ev->status) {\n\t\thci_conn_del(hcon);\n\t\thci_dev_unlock(hdev);\n\t\treturn;\n\t}\n\n\tbredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;\n\n\thcon->state = BT_CONNECTED;\n\tbacpy(&hcon->dst, &bredr_hcon->dst);\n\n\thci_conn_hold(hcon);\n\thcon->disc_timeout = HCI_DISCONN_TIMEOUT;\n\thci_conn_drop(hcon);\n\n\thci_debugfs_create_conn(hcon);\n\thci_conn_add_sysfs(hcon);\n\n\tamp_physical_cfm(bredr_hcon, hcon);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 154197136804379634324834287817988503215, "size": 39, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. 
A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431985 }, { "func": "void force_sig(int sig)\n{\n\tstruct kernel_siginfo info;\n\n\tclear_siginfo(&info);\n\tinfo.si_signo = sig;\n\tinfo.si_errno = 0;\n\tinfo.si_code = SI_KERNEL;\n\tinfo.si_pid = 0;\n\tinfo.si_uid = 0;\n\tforce_sig_info(&info);\n}", "project": "linux", "hash": 234795060700786913651397383932038912594, "size": 12, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375235 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "void VideoRendererBase::DoStopOrError_Locked() {\n DCHECK(!pending_paint_);\n DCHECK(!pending_paint_with_last_available_);\n lock_.AssertAcquired();\n current_frame_ = NULL;\n last_available_frame_ = NULL;\n ready_frames_.clear();\n}\n", "cwe": "", "big_vul_idx": 113350, "idx": 177165, "hash": 1300480097053425814894007598811684562 }, { "func": "struct vm_area_struct *vm_area_alloc(struct mm_struct *mm)\n{\n\tstruct vm_area_struct *vma;\n\n\tvma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);\n\tif (vma)\n\t\tvma_init(vma, mm);\n\treturn vma;\n}", "project": "linux", "hash": 235444343292487890093703098440409331528, "size": 9, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293670 }, { "func": "void gdImageStringUp16 (gdImagePtr im, gdFontPtr f, int x, int y, unsigned short *s, int color)\n{\n\tint i;\n\tint l;\n\tl = strlen16(s);\n\tfor (i = 0; i < l; i++) {\n\t\tgdImageCharUp(im, f, x, y, s[i], color);\n\t\ty -= f->w;\n\t}\n}", "project": "php-src", "hash": 
138691917778858231888483155906246880506, "size": 10, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295123 }, { "func": "static int kvm_s390_get_machine_feat(struct kvm *kvm,\n\t\t\t\t struct kvm_device_attr *attr)\n{\n\tstruct kvm_s390_vm_cpu_feat data;\n\n\tbitmap_copy((unsigned long *) data.feat,\n\t\t kvm_s390_available_cpu_feat,\n\t\t KVM_S390_VM_CPU_FEAT_NR_BITS);\n\tif (copy_to_user((void __user *)attr->addr, &data, sizeof(data)))\n\t\treturn -EFAULT;\n\tVM_EVENT(kvm, 3, \"GET: host feat: 0x%16.16llx.0x%16.16llx.0x%16.16llx\",\n\t\t\t data.feat[0],\n\t\t\t data.feat[1],\n\t\t\t data.feat[2]);\n\treturn 0;\n}", "project": "linux", "hash": 249002563414450209767495606546420877604, "size": 16, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354430 }, { "func": "static void hci_cc_read_page_scan_type(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_read_page_scan_type *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tif (test_bit(HCI_INIT, &hdev->flags))\n\t\thdev->page_scan_type = rp->type;\n}", "project": "linux", "hash": 
32729273388412427941095835340403179754, "size": 13, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431934 }, { "func": "static int io_sendmsg(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_async_msghdr iomsg, *kmsg;\n\tstruct socket *sock;\n\tunsigned flags;\n\tint min_ret = 0;\n\tint ret;\n\n\tsock = sock_from_file(req->file);\n\tif (unlikely(!sock))\n\t\treturn -ENOTSOCK;\n\n\tkmsg = req->async_data;\n\tif (!kmsg) {\n\t\tret = io_sendmsg_copy_hdr(req, &iomsg);\n\t\tif (ret)\n\t\t\treturn ret;\n\t\tkmsg = &iomsg;\n\t}\n\n\tflags = req->sr_msg.msg_flags;\n\tif (issue_flags & IO_URING_F_NONBLOCK)\n\t\tflags |= MSG_DONTWAIT;\n\tif (flags & MSG_WAITALL)\n\t\tmin_ret = iov_iter_count(&kmsg->msg.msg_iter);\n\n\tret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);\n\tif ((issue_flags & IO_URING_F_NONBLOCK) && ret == -EAGAIN)\n\t\treturn io_setup_async_msg(req, kmsg);\n\tif (ret == -ERESTARTSYS)\n\t\tret = -EINTR;\n\n\t/* fast path, check for non-NULL to avoid function call */\n\tif (kmsg->free_iov)\n\t\tkfree(kmsg->free_iov);\n\treq->flags &= ~REQ_F_NEED_CLEANUP;\n\tif (ret < min_ret)\n\t\treq_set_fail_links(req);\n\t__io_req_complete(req, issue_flags, ret, 0);\n\treturn 0;\n}", "project": "linux", "hash": 305949513044584659922029267589445349527, "size": 41, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate 
lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338570 }, { "func": "Expression::Parser makeConversionAlias(const StringData shortcutName, BSONType toType) {\n return [=](ExpressionContext* const expCtx,\n BSONElement elem,\n const VariablesParseState& vps) -> intrusive_ptr {\n // Use parseArguments to allow for a singleton array, or the unwrapped version.\n auto operands = ExpressionNary::parseArguments(expCtx, elem, vps);\n\n uassert(50723,\n str::stream() << shortcutName << \" requires a single argument, got \"\n << operands.size(),\n operands.size() == 1);\n return ExpressionConvert::create(expCtx, std::move(operands[0]), toType);\n };\n}", "project": "mongo", "hash": 147915273606136017268622217469488519004, "size": 14, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370038 }, { "func": "static int count_args(const char **argv)\n{\n\tint i = 0;\n\n\tif (argv) {\n\t\twhile (argv[i] != NULL)\n\t\t\ti++;\n\t}\n\n\treturn i;\n}", "project": "rsync", "hash": 36636948113202884808124224356775758302, "size": 11, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is 
encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364668 }, { "func": " longlong val_int_from_item(Item *item)\n {\n DBUG_ASSERT(fixed == 1);\n longlong value= item->val_int();\n null_value= item->null_value;\n return value;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 218828232502714336935793970381001877640, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509234 }, { "func": "void printPortStats(struct port_stats *stats) {\n struct port_stats *s, *tmp;\n char addr_name[48];\n int i = 0, j = 0;\n\n HASH_ITER(hh, stats, s, tmp) {\n i++;\n printf(\"\\t%2d\\tPort %5u\\t[%u IP address(es)/%u flows/%u pkts/%u bytes]\\n\\t\\tTop IP Stats:\\n\",\n\t i, s->port, s->num_addr, s->num_flows, s->num_pkts, s->num_bytes);\n\n qsort(&s->top_ip_addrs[0], MAX_NUM_IP_ADDRESS, sizeof(struct info_pair), info_pair_cmp);\n\n for(j=0; jtop_ip_addrs[j].count != 0) {\n if(s->top_ip_addrs[j].version == IPVERSION) {\n inet_ntop(AF_INET, &(s->top_ip_addrs[j].addr), addr_name, sizeof(addr_name));\n } else {\n inet_ntop(AF_INET6, &(s->top_ip_addrs[j].addr), addr_name, sizeof(addr_name));\n }\n\n\tprintf(\"\\t\\t%-36s ~ %.2f%%\\n\", addr_name,\n\t ((s->top_ip_addrs[j].count) * 100.0) / s->cumulative_addr);\n }\n }\n\n printf(\"\\n\");\n if(i >= 10) break;\n }\n}", "project": "nDPI", "hash": 111346743997709192055324807953000857097, "size": 29, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254837 }, { "func": "static inline int nd_alloc_stack(struct nameidata *nd)\n{\n\tif (likely(nd->depth != EMBEDDED_LEVELS))\n\t\treturn 0;\n\tif (likely(nd->stack != nd->internal))\n\t\treturn 0;\n\treturn __nd_alloc_stack(nd);\n}", "project": "linux", "hash": 320839394815688376365172952359691952267, "size": 8, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted 
O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295420 }, { "func": "void generate_random_uuid(unsigned char uuid_out[16])\n{\n\tget_random_bytes(uuid_out, 16);\n\t/* Set UUID version to 4 --- truely random generation */\n\tuuid_out[6] = (uuid_out[6] & 0x0F) | 0x40;\n\t/* Set the UUID variant to DCE */\n\tuuid_out[8] = (uuid_out[8] & 0x3F) | 0x80;\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 172493105324136470680196368093038454091, "size": 8, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. 
I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499884 }, { "func": "static void insert_char(struct vc_data *vc, unsigned int nr)\n{\n\tunsigned short *p = (unsigned short *) vc->vc_pos;\n\n\tvc_uniscr_insert(vc, nr);\n\tscr_memmovew(p + nr, p, (vc->vc_cols - vc->vc_x - nr) * 2);\n\tscr_memsetw(p, vc->vc_video_erase_char, nr * 2);\n\tvc->vc_need_wrap = 0;\n\tif (con_should_update(vc))\n\t\tdo_update_region(vc, (unsigned long) p,\n\t\t\tvc->vc_cols - vc->vc_x);\n}", "project": "linux", "hash": 26432510029923962518223248895436981912, "size": 12, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437040 }, { "func": "bool TrustedPrimitives::IsOutsideEnclave(const void *addr, size_t size) {\n return sgx_is_outside_enclave(addr, size) == 1;\n}", "project": "asylo", "hash": 214314555397115948523793920204810966647, "size": 3, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232063 }, { "func": "static void framebuffer_update_request(VncState *vs, int incremental,\n int x, int y, int w, int h)\n{\n vs->need_update = 1;\n\n if (incremental) {\n return;\n }\n\n vs->force_update = 1;\n vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);\n}", "project": "qemu", "hash": 46490559158844347239735067639001304241, "size": 12, "commit_id": "4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3", "message": "ui: vnc: avoid floating point exception\n\nWhile sending 'SetPixelFormat' messages to a VNC server,\nthe client could set the 'red-max', 'green-max' and 'blue-max'\nvalues to be zero. 
This leads to a floating point exception in\nwrite_png_palette while doing frame buffer updates.\n\nReported-by: Lian Yihan \nSigned-off-by: Prasad J Pandit \nReviewed-by: Gerd Hoffmann \nSigned-off-by: Peter Maydell ", "target": 0, "dataset": "other", "idx": 330494 }, { "func": "static void __exit input_exit(void)\n{\n\tinput_proc_exit();\n\tunregister_chrdev_region(MKDEV(INPUT_MAJOR, 0),\n\t\t\t\t INPUT_MAX_CHAR_DEVICES);\n\tclass_unregister(&input_class);\n}", "project": "linux", "hash": 102609768236596058322264534501685176328, "size": 7, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353367 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "int WebGraphicsContext3DDefaultImpl::width()\n{\n return m_cachedWidth;\n}\n", "cwe": "", "big_vul_idx": 99033, "idx": 89086, "hash": 257933336786433905348557284028129435830 }, { "func": "bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node)\n{\n\tstruct rb_node **p = &head->head.rb_node;\n\tstruct rb_node *parent = NULL;\n\tstruct timerqueue_node *ptr;\n\n\t/* Make sure we don't add nodes that are already added */\n\tWARN_ON_ONCE(!RB_EMPTY_NODE(&node->node));\n\n\twhile (*p) {\n\t\tparent = *p;\n\t\tptr = rb_entry(parent, struct timerqueue_node, node);\n\t\tif (node->expires < ptr->expires)\n\t\t\tp = 
&(*p)->rb_left;\n\t\telse\n\t\t\tp = &(*p)->rb_right;\n\t}\n\trb_link_node(&node->node, parent, p);\n\trb_insert_color(&node->node, &head->head);\n\n\tif (!head->next || node->expires < head->next->expires) {\n\t\thead->next = node;\n\t\treturn true;\n\t}\n\treturn false;\n}", "project": "tip", "hash": 295643821598703418675091892895767224857, "size": 26, "commit_id": "511885d7061eda3eb1faf3f57dcc936ff75863f1", "message": "lib/timerqueue: Rely on rbtree semantics for next timer\n\nSimplify the timerqueue code by using cached rbtrees and rely on the tree\nleftmost node semantics to get the timer with earliest expiration time.\nThis is a drop in conversion, and therefore semantics remain untouched.\n\nThe runtime overhead of cached rbtrees is be pretty much the same as the\ncurrent head->next method, noting that when removing the leftmost node,\na common operation for the timerqueue, the rb_next(leftmost) is O(1) as\nwell, so the next timer will either be the right node or its parent.\nTherefore no extra pointer chasing. 
Finally, the size of the struct\ntimerqueue_head remains the same.\n\nPasses several hours of rcutorture.\n\nSigned-off-by: Davidlohr Bueso \nSigned-off-by: Thomas Gleixner \nLink: https://lkml.kernel.org/r/20190724152323.bojciei3muvfxalm@linux-r8p5", "target": 1, "dataset": "other", "idx": 202574 }, { "func": "bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node)\n{\n\tstruct rb_node **p = &head->rb_root.rb_root.rb_node;\n\tstruct rb_node *parent = NULL;\n\tstruct timerqueue_node *ptr;\n\tbool leftmost = true;\n\n\t/* Make sure we don't add nodes that are already added */\n\tWARN_ON_ONCE(!RB_EMPTY_NODE(&node->node));\n\n\twhile (*p) {\n\t\tparent = *p;\n\t\tptr = rb_entry(parent, struct timerqueue_node, node);\n\t\tif (node->expires < ptr->expires) {\n\t\t\tp = &(*p)->rb_left;\n\t\t} else {\n\t\t\tp = &(*p)->rb_right;\n\t\t\tleftmost = false;\n\t\t}\n\t}\n\trb_link_node(&node->node, parent, p);\n\trb_insert_color_cached(&node->node, &head->rb_root, leftmost);\n\n\treturn leftmost;\n}", "project": "tip", "hash": 121492852338608162479188929864215178822, "size": 25, "commit_id": "511885d7061eda3eb1faf3f57dcc936ff75863f1", "message": "lib/timerqueue: Rely on rbtree semantics for next timer\n\nSimplify the timerqueue code by using cached rbtrees and rely on the tree\nleftmost node semantics to get the timer with earliest expiration time.\nThis is a drop in conversion, and therefore semantics remain untouched.\n\nThe runtime overhead of cached rbtrees is be pretty much the same as the\ncurrent head->next method, noting that when removing the leftmost node,\na common operation for the timerqueue, the rb_next(leftmost) is O(1) as\nwell, so the next timer will either be the right node or its parent.\nTherefore no extra pointer chasing. 
Finally, the size of the struct\ntimerqueue_head remains the same.\n\nPasses several hours of rcutorture.\n\nSigned-off-by: Davidlohr Bueso \nSigned-off-by: Thomas Gleixner \nLink: https://lkml.kernel.org/r/20190724152323.bojciei3muvfxalm@linux-r8p5", "target": 0, "dataset": "other", "idx": 335107 }, { "func": "static int pfkey_broadcast_one(struct sk_buff *skb, gfp_t allocation,\n\t\t\t struct sock *sk)\n{\n\tint err = -ENOBUFS;\n\n\tif (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)\n\t\treturn err;\n\n\tskb = skb_clone(skb, allocation);\n\n\tif (skb) {\n\t\tskb_set_owner_r(skb, sk);\n\t\tskb_queue_tail(&sk->sk_receive_queue, skb);\n\t\tsk->sk_data_ready(sk);\n\t\terr = 0;\n\t}\n\treturn err;\n}", "project": "linux", "hash": 205519060770763237334411340407810342495, "size": 18, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268017 }, { "func": "\nstatic int io_register_rsrc_update(struct io_ring_ctx *ctx, void __user *arg,\n\t\t\t\t unsigned size)\n{\n\tstruct io_uring_rsrc_update2 up;\n\n\tif (size != sizeof(up))\n\t\treturn -EINVAL;\n\tif (copy_from_user(&up, arg, sizeof(up)))\n\t\treturn -EFAULT;\n\tif (!up.nr)\n\t\treturn -EINVAL;\n\treturn __io_register_rsrc_update(ctx, up.type, &up, up.nr);", "project": "linux", "hash": 210992885425962423862851848843615800827, "size": 13, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338539 }, { "func": "\nstatic void bfq_completed_request(struct bfq_queue *bfqq, struct bfq_data *bfqd)\n{\n\tu64 now_ns;\n\tu32 delta_us;\n\n\tbfq_update_hw_tag(bfqd);\n\n\tbfqd->rq_in_driver--;\n\tbfqq->dispatched--;\n\n\tif (!bfqq->dispatched && !bfq_bfqq_busy(bfqq)) {\n\t\t/*\n\t\t * Set budget_timeout (which we overload to store the\n\t\t * time at which the queue remains with no backlog and\n\t\t * no outstanding request; used by the 
weight-raising\n\t\t * mechanism).\n\t\t */\n\t\tbfqq->budget_timeout = jiffies;\n\n\t\tbfq_weights_tree_remove(bfqd, bfqq);\n\t}\n\n\tnow_ns = ktime_get_ns();\n\n\tbfqq->ttime.last_end_request = now_ns;\n\n\t/*\n\t * Using us instead of ns, to get a reasonable precision in\n\t * computing rate in next check.\n\t */\n\tdelta_us = div_u64(now_ns - bfqd->last_completion, NSEC_PER_USEC);\n\n\t/*\n\t * If the request took rather long to complete, and, according\n\t * to the maximum request size recorded, this completion latency\n\t * implies that the request was certainly served at a very low\n\t * rate (less than 1M sectors/sec), then the whole observation\n\t * interval that lasts up to this time instant cannot be a\n\t * valid time interval for computing a new peak rate. Invoke\n\t * bfq_update_rate_reset to have the following three steps\n\t * taken:\n\t * - close the observation interval at the last (previous)\n\t * request dispatch or completion\n\t * - compute rate, if possible, for that observation interval\n\t * - reset to zero samples, which will trigger a proper\n\t * re-initialization of the observation interval on next\n\t * dispatch\n\t */\n\tif (delta_us > BFQ_MIN_TT/NSEC_PER_USEC &&\n\t (bfqd->last_rq_max_size<last_completion = now_ns;\n\tbfqd->last_completed_rq_bfqq = bfqq;\n\n\t/*\n\t * If we are waiting to discover whether the request pattern\n\t * of the task associated with the queue is actually\n\t * isochronous, and both requisites for this condition to hold\n\t * are now satisfied, then compute soft_rt_next_start (see the\n\t * comments on the function bfq_bfqq_softrt_next_start()). We\n\t * do not compute soft_rt_next_start if bfqq is in interactive\n\t * weight raising (see the comments in bfq_bfqq_expire() for\n\t * an explanation). 
We schedule this delayed update when bfqq\n\t * expires, if it still has in-flight requests.\n\t */\n\tif (bfq_bfqq_softrt_update(bfqq) && bfqq->dispatched == 0 &&\n\t RB_EMPTY_ROOT(&bfqq->sort_list) &&\n\t bfqq->wr_coeff != bfqd->bfq_wr_coeff)\n\t\tbfqq->soft_rt_next_start =\n\t\t\tbfq_bfqq_softrt_next_start(bfqd, bfqq);\n\n\t/*\n\t * If this is the in-service queue, check if it needs to be expired,\n\t * or if we want to idle in case it has no pending requests.\n\t */\n\tif (bfqd->in_service_queue == bfqq) {\n\t\tif (bfq_bfqq_must_idle(bfqq)) {\n\t\t\tif (bfqq->dispatched == 0)\n\t\t\t\tbfq_arm_slice_timer(bfqd);\n\t\t\t/*\n\t\t\t * If we get here, we do not expire bfqq, even\n\t\t\t * if bfqq was in budget timeout or had no\n\t\t\t * more requests (as controlled in the next\n\t\t\t * conditional instructions). The reason for\n\t\t\t * not expiring bfqq is as follows.\n\t\t\t *\n\t\t\t * Here bfqq->dispatched > 0 holds, but\n\t\t\t * bfq_bfqq_must_idle() returned true. This\n\t\t\t * implies that, even if no request arrives\n\t\t\t * for bfqq before bfqq->dispatched reaches 0,\n\t\t\t * bfqq will, however, not be expired on the\n\t\t\t * completion event that causes bfqq->dispatch\n\t\t\t * to reach zero. In contrast, on this event,\n\t\t\t * bfqq will start enjoying device idling\n\t\t\t * (I/O-dispatch plugging).\n\t\t\t *\n\t\t\t * But, if we expired bfqq here, bfqq would\n\t\t\t * not have the chance to enjoy device idling\n\t\t\t * when bfqq->dispatched finally reaches\n\t\t\t * zero. 
This would expose bfqq to violation\n\t\t\t * of its reserved service guarantees.\n\t\t\t */\n\t\t\treturn;\n\t\t} else if (bfq_may_expire_for_budg_timeout(bfqq))\n\t\t\tbfq_bfqq_expire(bfqd, bfqq, false,\n\t\t\t\t\tBFQQE_BUDGET_TIMEOUT);\n\t\telse if (RB_EMPTY_ROOT(&bfqq->sort_list) &&\n\t\t\t (bfqq->dispatched == 0 ||\n\t\t\t !bfq_better_to_idle(bfqq)))\n\t\t\tbfq_bfqq_expire(bfqd, bfqq, false,\n\t\t\t\t\tBFQQE_NO_MORE_REQUESTS);\n\t}\n\n\tif (!bfqd->rq_in_driver)\n\t\tbfq_schedule_dispatch(bfqd);", "project": "linux", "hash": 267188755233808688372657745442162997240, "size": 117, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453383 }, { "func": "static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_le_meta *le_ev = (void *) skb->data;\n\n\tskb_pull(skb, sizeof(*le_ev));\n\n\tswitch (le_ev->subevent) {\n\tcase HCI_EV_LE_CONN_COMPLETE:\n\t\thci_le_conn_complete_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_LE_CONN_UPDATE_COMPLETE:\n\t\thci_le_conn_update_complete_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_LE_ADVERTISING_REPORT:\n\t\thci_le_adv_report_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_LE_REMOTE_FEAT_COMPLETE:\n\t\thci_le_remote_feat_complete_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_LE_LTK_REQ:\n\t\thci_le_ltk_request_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_LE_REMOTE_CONN_PARAM_REQ:\n\t\thci_le_remote_conn_param_req_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_LE_DIRECT_ADV_REPORT:\n\t\thci_le_direct_adv_report_evt(hdev, 
skb);\n\t\tbreak;\n\n\tcase HCI_EV_LE_PHY_UPDATE_COMPLETE:\n\t\thci_le_phy_update_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_LE_EXT_ADV_REPORT:\n\t\thci_le_ext_adv_report_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_LE_ENHANCED_CONN_COMPLETE:\n\t\thci_le_enh_conn_complete_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_LE_EXT_ADV_SET_TERM:\n\t\thci_le_ext_adv_term_evt(hdev, skb);\n\t\tbreak;\n\n\tdefault:\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 20928650129390823543040262782058325762, "size": 55, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431908 }, { "func": "bool CClient::OnTextMessage(CTextMessage& Message) {\n CString sTargets = Message.GetTarget();\n\n VCString vTargets;\n sTargets.Split(\",\", vTargets, false);\n\n for (CString& sTarget : vTargets) {\n Message.SetTarget(sTarget);\n if (m_pNetwork) {\n // May be nullptr.\n Message.SetChan(m_pNetwork->FindChan(sTarget));\n }\n\n if (sTarget.TrimPrefix(m_pUser->GetStatusPrefix())) {\n if (sTarget.Equals(\"status\")) {\n CString sMsg = Message.GetText();\n UserCommand(sMsg);\n } else {\n CALLMOD(sTarget, this, m_pUser, m_pNetwork,\n OnModCommand(Message.GetText()));\n }\n continue;\n }\n\n bool bContinue = false;\n NETWORKMODULECALL(OnUserTextMessage(Message), m_pUser, m_pNetwork, this,\n &bContinue);\n if (bContinue) continue;\n\n if (!GetIRCSock()) {\n // Some lagmeters do a PRIVMSG to their 
own nick, ignore those.\n if (!sTarget.Equals(m_sNick))\n PutStatus(\n t_f(\"Your message to {1} got lost, you are not connected \"\n \"to IRC!\")(Message.GetTarget()));\n continue;\n }\n\n if (m_pNetwork) {\n AddBuffer(Message);\n EchoMessage(Message);\n PutIRC(Message.ToString(CMessage::ExcludePrefix |\n CMessage::ExcludeTags));\n }\n }\n\n return true;\n}", "project": "znc", "hash": 89511507100186789300014022416773480646, "size": 48, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 1, "dataset": "other", "idx": 195717 }, { "func": "bool CClient::OnTextMessage(CTextMessage& Message) {\n CString sTargets = Message.GetTarget();\n\n VCString vTargets;\n sTargets.Split(\",\", vTargets, false);\n\n for (CString& sTarget : vTargets) {\n Message.SetTarget(sTarget);\n if (m_pNetwork) {\n // May be nullptr.\n Message.SetChan(m_pNetwork->FindChan(sTarget));\n }\n\n if (sTarget.TrimPrefix(m_pUser->GetStatusPrefix())) {\n EchoMessage(Message);\n\n if (sTarget.Equals(\"status\")) {\n CString sMsg = Message.GetText();\n UserCommand(sMsg);\n } else {\n CALLMOD(sTarget, this, m_pUser, m_pNetwork,\n OnModCommand(Message.GetText()));\n }\n continue;\n }\n\n bool bContinue = false;\n NETWORKMODULECALL(OnUserTextMessage(Message), m_pUser, m_pNetwork, this,\n &bContinue);\n if (bContinue) continue;\n\n if (!GetIRCSock()) {\n // Some lagmeters do a PRIVMSG to their own nick, ignore those.\n if (!sTarget.Equals(m_sNick))\n PutStatus(\n t_f(\"Your message to {1} got lost, you are not connected \"\n \"to IRC!\")(Message.GetTarget()));\n continue;\n }\n\n if (m_pNetwork) {\n AddBuffer(Message);\n EchoMessage(Message);\n PutIRC(Message.ToString(CMessage::ExcludePrefix |\n CMessage::ExcludeTags));\n }\n }\n\n return true;\n}", "project": "znc", "hash": 224787576817106767054259735051627673489, "size": 50, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose 
#1705", "target": 0, "dataset": "other", "idx": 231582 }, { "func": "static const char* oidc_retrieve_claims_from_userinfo_endpoint(request_rec *r,\n\t\toidc_cfg *c, oidc_provider_t *provider, const char *access_token,\n\t\toidc_session_t *session, char *id_token_sub, char **userinfo_jwt) {\n\n\toidc_debug(r, \"enter\");\n\n\tchar *result = NULL;\n\tchar *refreshed_access_token = NULL;\n\n\t/* see if a userinfo endpoint is set, otherwise there's nothing to do for us */\n\tif (provider->userinfo_endpoint_url == NULL) {\n\t\toidc_debug(r,\n\t\t\t\t\"not retrieving userinfo claims because userinfo_endpoint is not set\");\n\t\treturn NULL;\n\t}\n\n\t/* see if there's an access token, otherwise we can't call the userinfo endpoint at all */\n\tif (access_token == NULL) {\n\t\toidc_debug(r,\n\t\t\t\t\"not retrieving userinfo claims because access_token is not provided\");\n\t\treturn NULL;\n\t}\n\n\tif ((id_token_sub == NULL) && (session != NULL)) {\n\n\t\t// when refreshing claims from the userinfo endpoint\n\t\tjson_t *id_token_claims = oidc_session_get_idtoken_claims_json(r,\n\t\t\t\tsession);\n\t\tif (id_token_claims == NULL) {\n\t\t\toidc_error(r, \"no id_token_claims found in session\");\n\t\t\treturn NULL;\n\t\t}\n\n\t\toidc_jose_get_string(r->pool, id_token_claims, OIDC_CLAIM_SUB, FALSE,\n\t\t\t\t&id_token_sub, NULL);\n\t}\n\n\t// TODO: return code should indicate whether the token expired or some other error occurred\n\t// TODO: long-term: session storage should be JSON (with explicit types and less conversion, using standard routines)\n\n\t/* try to get claims from the userinfo endpoint using the provided access token */\n\tif (oidc_proto_resolve_userinfo(r, c, provider, id_token_sub, access_token,\n\t\t\t&result, userinfo_jwt) == FALSE) {\n\n\t\t/* see if we have an existing session and we are refreshing the user info claims */\n\t\tif (session != NULL) {\n\n\t\t\t/* first call to user info endpoint failed, but the access token may have just expired, so refresh 
it */\n\t\t\tif (oidc_refresh_access_token(r, c, session, provider,\n\t\t\t\t\t&refreshed_access_token) == TRUE) {\n\n\t\t\t\t/* try again with the new access token */\n\t\t\t\tif (oidc_proto_resolve_userinfo(r, c, provider, id_token_sub,\n\t\t\t\t\t\trefreshed_access_token, &result, userinfo_jwt)\n\t\t\t\t\t\t== FALSE) {\n\n\t\t\t\t\toidc_error(r,\n\t\t\t\t\t\t\t\"resolving user info claims with the refreshed access token failed, nothing will be stored in the session\");\n\t\t\t\t\tresult = NULL;\n\n\t\t\t\t}\n\n\t\t\t} else {\n\n\t\t\t\toidc_warn(r,\n\t\t\t\t\t\t\"refreshing access token failed, claims will not be retrieved/refreshed from the userinfo endpoint\");\n\t\t\t\tresult = NULL;\n\n\t\t\t}\n\n\t\t} else {\n\n\t\t\toidc_error(r,\n\t\t\t\t\t\"resolving user info claims with the existing/provided access token failed, nothing will be stored in the session\");\n\t\t\tresult = NULL;\n\n\t\t}\n\t}\n\n\treturn result;\n}", "project": "mod_auth_openidc", "hash": 278527893881429992778738053506757428396, "size": 81, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381953 }, { "func": "\nstatic int io_rsrc_node_switch_start(struct io_ring_ctx *ctx)\n{\n\tif (ctx->rsrc_backup_node)\n\t\treturn 0;\n\tctx->rsrc_backup_node = io_rsrc_node_alloc(ctx);\n\treturn ctx->rsrc_backup_node ? 0 : -ENOMEM;", "project": "linux", "hash": 124476896966925295707262292782144024757, "size": 7, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338618 }, { "func": "static int ecryptfs_calculate_md5(char *dst,\n\t\t\t\t struct ecryptfs_crypt_stat *crypt_stat,\n\t\t\t\t char *src, int len)\n{\n\tstruct scatterlist sg;\n\tstruct hash_desc desc = {\n\t\t.tfm = crypt_stat->hash_tfm,\n\t\t.flags = CRYPTO_TFM_REQ_MAY_SLEEP\n\t};\n\tint rc = 0;\n\n\tmutex_lock(&crypt_stat->cs_hash_tfm_mutex);\n\tsg_init_one(&sg, (u8 *)src, len);\n\tif (!desc.tfm) {\n\t\tdesc.tfm = crypto_alloc_hash(ECRYPTFS_DEFAULT_HASH, 0,\n\t\t\t\t\t CRYPTO_ALG_ASYNC);\n\t\tif (IS_ERR(desc.tfm)) {\n\t\t\trc = PTR_ERR(desc.tfm);\n\t\t\tecryptfs_printk(KERN_ERR, \"Error attempting to \"\n\t\t\t\t\t\"allocate crypto context; rc = [%d]\\n\",\n\t\t\t\t\trc);\n\t\t\tgoto out;\n\t\t}\n\t\tcrypt_stat->hash_tfm = desc.tfm;\n\t}\n\trc = crypto_hash_init(&desc);\n\tif (rc) {\n\t\tprintk(KERN_ERR\n\t\t \"%s: Error initializing crypto hash; rc = [%d]\\n\",\n\t\t __func__, rc);\n\t\tgoto out;\n\t}\n\trc = crypto_hash_update(&desc, &sg, len);\n\tif (rc) {\n\t\tprintk(KERN_ERR\n\t\t \"%s: Error updating crypto hash; rc = [%d]\\n\",\n\t\t __func__, rc);\n\t\tgoto out;\n\t}\n\trc = crypto_hash_final(&desc, dst);\n\tif (rc) {\n\t\tprintk(KERN_ERR\n\t\t \"%s: Error finalizing crypto hash; rc = [%d]\\n\",\n\t\t __func__, rc);\n\t\tgoto out;\n\t}\nout:\n\tmutex_unlock(&crypt_stat->cs_hash_tfm_mutex);\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], 
"project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 191774055951855200143392096436885601671, "size": 50, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. 
Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490198 }, { "func": "static __always_inline void kfree_hook(void *x)\n{\n\tkmemleak_free(x);\n\tkasan_kfree_large(x, _RET_IP_);\n}", "project": "linux", "hash": 141241320416475448799719379220619301605, "size": 5, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280100 }, { "func": " bool check_null_ref()\n {\n DBUG_ASSERT(null_ref_table);\n if (null_ref_table != NO_NULL_TABLE && null_ref_table->null_row)\n {\n null_value= 1;\n return TRUE;\n }\n return FALSE;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 220567177138030233692682304664632611092, "size": 10, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509157 }, { "func": "static int tty_write_lock(struct tty_struct *tty, int ndelay)\n{\n\tif (!mutex_trylock(&tty->atomic_write_lock)) {\n\t\tif (ndelay)\n\t\t\treturn -EAGAIN;\n\t\tif (mutex_lock_interruptible(&tty->atomic_write_lock))\n\t\t\treturn -ERESTARTSYS;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 126671996112002610185662517472552766437, "size": 10, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325989 }, { "func": "static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages,\n\t\t\t enum io_mem_account acct)\n{\n\tint ret;\n\n\tif (ctx->limit_mem) {\n\t\tret = __io_account_mem(ctx->user, nr_pages);\n\t\tif (ret)\n\t\t\treturn ret;\n\t}\n\n\tif (ctx->sqo_mm) {\n\t\tif (acct == ACCT_LOCKED)\n\t\t\tctx->sqo_mm->locked_vm += nr_pages;\n\t\telse if (acct == ACCT_PINNED)\n\t\t\tatomic64_add(nr_pages, &ctx->sqo_mm->pinned_vm);\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 264920344800481593393384849471915985822, "size": 20, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456962 }, { 
"func": "lka_proc_config(struct processor_instance *pi)\n{\n\tio_printf(pi->io, \"config|smtpd-version|%s\\n\", SMTPD_VERSION);\n\tio_printf(pi->io, \"config|smtp-session-timeout|%d\\n\", SMTPD_SESSION_TIMEOUT);\n\tif (pi->subsystems & FILTER_SUBSYSTEM_SMTP_IN)\n\t\tio_printf(pi->io, \"config|subsystem|smtp-in\\n\");\n\tif (pi->subsystems & FILTER_SUBSYSTEM_SMTP_OUT)\n\t\tio_printf(pi->io, \"config|subsystem|smtp-out\\n\");\n\tio_printf(pi->io, \"config|admd|%s\\n\",\n\t env->sc_admd != NULL ? env->sc_admd : env->sc_hostname);\n\tio_printf(pi->io, \"config|ready\\n\");\n}", "project": "src", "hash": 160235518940686007747515146837053603241, "size": 12, "commit_id": "6c3220444ed06b5796dedfd53a0f4becd903c0d1", "message": "smtpd's filter state machine can prematurely release resources\nleading to a crash. From gilles@", "target": 0, "dataset": "other", "idx": 421525 }, { "func": "static inline int align_mem(kstring_t *s)\n{\n int e = 0;\n if (s->l&7) {\n uint64_t zero = 0;\n e = kputsn((char*)&zero, 8 - (s->l&7), s) < 0;\n }\n return e == 0 ? 0 : -1;\n}", "project": "htslib", "hash": 34272267415144319486893047095897443367, "size": 9, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402216 }, { "func": "static void add_not_null_conds(JOIN *join)\n{\n JOIN_TAB *tab;\n DBUG_ENTER(\"add_not_null_conds\");\n \n for (tab= first_linear_tab(join, WITH_BUSH_ROOTS, WITHOUT_CONST_TABLES);\n tab; \n tab= next_linear_tab(join, tab, WITH_BUSH_ROOTS))\n {\n if (tab->type == JT_REF || tab->type == JT_EQ_REF || \n tab->type == JT_REF_OR_NULL)\n {\n for (uint keypart= 0; keypart < tab->ref.key_parts; keypart++)\n {\n if (tab->ref.null_rejecting & ((key_part_map)1 << keypart))\n {\n Item *item= tab->ref.items[keypart];\n Item *notnull;\n Item *real= item->real_item();\n\t if (real->const_item() && real->type() != Item::FIELD_ITEM && \n !real->is_expensive())\n {\n /*\n It could be constant instead of field after constant\n propagation.\n */\n continue;\n }\n DBUG_ASSERT(real->type() == Item::FIELD_ITEM);\n Item_field *not_null_item= (Item_field*)real;\n JOIN_TAB *referred_tab= not_null_item->field->table->reginfo.join_tab;\n /*\n For UPDATE queries such as:\n UPDATE t1 SET t1.f2=(SELECT MAX(t2.f4) FROM t2 WHERE t2.f3=t1.f1);\n not_null_item is the t1.f1, but it's referred_tab is 0.\n */\n if (!(notnull= new (join->thd->mem_root)\n Item_func_isnotnull(join->thd, item)))\n DBUG_VOID_RETURN;\n /*\n We need to do full fix_fields() call here in order to have correct\n notnull->const_item(). This is needed e.g. 
by test_quick_select \n when it is called from make_join_select after this function is \n called.\n */\n if (notnull->fix_fields(join->thd, ¬null))\n DBUG_VOID_RETURN;\n\n DBUG_EXECUTE(\"where\",print_where(notnull,\n (referred_tab ?\n referred_tab->table->alias.c_ptr() :\n \"outer_ref_cond\"),\n QT_ORDINARY););\n if (!tab->first_inner)\n {\n COND *new_cond= (referred_tab && referred_tab->join == join) ?\n referred_tab->select_cond :\n join->outer_ref_cond;\n add_cond_and_fix(join->thd, &new_cond, notnull);\n if (referred_tab && referred_tab->join == join)\n referred_tab->set_select_cond(new_cond, __LINE__);\n else \n join->outer_ref_cond= new_cond;\n }\n else\n add_cond_and_fix(join->thd, tab->first_inner->on_expr_ref, notnull);\n }\n }\n }\n }\n DBUG_VOID_RETURN;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 150624850476927666306806381386456589052, "size": 72, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508424 }, { "func": "static int sd_start(struct gspca_dev *gspca_dev)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\t/* Default for most bridges, allow bridge_mode_init_regs to override */\n\tsd->sensor_width = sd->gspca_dev.pixfmt.width;\n\tsd->sensor_height = sd->gspca_dev.pixfmt.height;\n\n\tswitch (sd->bridge) {\n\tcase BRIDGE_OV511:\n\tcase BRIDGE_OV511PLUS:\n\t\tov511_mode_init_regs(sd);\n\t\tbreak;\n\tcase BRIDGE_OV518:\n\tcase BRIDGE_OV518PLUS:\n\t\tov518_mode_init_regs(sd);\n\t\tbreak;\n\tcase BRIDGE_OV519:\n\t\tov519_mode_init_regs(sd);\n\t\tbreak;\n\t/* case BRIDGE_OVFX2: nothing to do */\n\tcase BRIDGE_W9968CF:\n\t\tw9968cf_mode_init_regs(sd);\n\t\tbreak;\n\t}\n\n\tset_ov_sensor_window(sd);\n\n\t/* Force clear snapshot state in case the snapshot button was\n\t pressed while we weren't streaming */\n\tsd->snapshot_needs_reset = 1;\n\tsd_reset_snapshot(gspca_dev);\n\n\tsd->first_frame = 3;\n\n\tov51x_restart(sd);\n\tov51x_led_control(sd, 1);\n\treturn gspca_dev->usb_err;\n}", "project": "linux", "hash": 62274576289845408590854680109211484825, "size": 39, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold 
\nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306327 }, { "func": "static void set_origin(struct vc_data *vc)\n{\n\tWARN_CONSOLE_UNLOCKED();\n\n\tif (!con_is_visible(vc) ||\n\t !vc->vc_sw->con_set_origin ||\n\t !vc->vc_sw->con_set_origin(vc))\n\t\tvc->vc_origin = (unsigned long)vc->vc_screenbuf;\n\tvc->vc_visible_origin = vc->vc_origin;\n\tvc->vc_scr_end = vc->vc_origin + vc->vc_screenbuf_size;\n\tvc->vc_pos = vc->vc_origin + vc->vc_size_row * vc->vc_y + 2 * vc->vc_x;\n}", "project": "linux", "hash": 48791795075987142781329128348395085389, "size": 12, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437058 }, { "func": "static int nfs4_do_setattr(struct inode *inode, const struct cred *cred,\n\t\t\t struct nfs_fattr *fattr, struct iattr *sattr,\n\t\t\t struct nfs_open_context *ctx, struct nfs4_label *ilabel,\n\t\t\t struct nfs4_label *olabel)\n{\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\t__u32 bitmask[NFS4_BITMASK_SZ];\n\tstruct nfs4_state *state = ctx ? ctx->state : NULL;\n\tstruct nfs_setattrargs\targ = {\n\t\t.fh\t\t= NFS_FH(inode),\n\t\t.iap\t\t= sattr,\n\t\t.server\t\t= server,\n\t\t.bitmask = bitmask,\n\t\t.label\t\t= ilabel,\n\t};\n\tstruct nfs_setattrres res = {\n\t\t.fattr\t\t= fattr,\n\t\t.label\t\t= olabel,\n\t\t.server\t\t= server,\n\t};\n\tstruct nfs4_exception exception = {\n\t\t.state = state,\n\t\t.inode = inode,\n\t\t.stateid = &arg.stateid,\n\t};\n\tint err;\n\n\tdo {\n\t\tnfs4_bitmap_copy_adjust_setattr(bitmask,\n\t\t\t\tnfs4_bitmask(server, olabel),\n\t\t\t\tinode);\n\n\t\terr = _nfs4_do_setattr(inode, &arg, &res, cred, ctx);\n\t\tswitch (err) {\n\t\tcase -NFS4ERR_OPENMODE:\n\t\t\tif (!(sattr->ia_valid & ATTR_SIZE)) {\n\t\t\t\tpr_warn_once(\"NFSv4: server %s is incorrectly \"\n\t\t\t\t\t\t\"applying open mode checks to \"\n\t\t\t\t\t\t\"a SETATTR that is not \"\n\t\t\t\t\t\t\"changing file size.\\n\",\n\t\t\t\t\t\tserver->nfs_client->cl_hostname);\n\t\t\t}\n\t\t\tif (state && !(state->state & FMODE_WRITE)) {\n\t\t\t\terr = -EBADF;\n\t\t\t\tif (sattr->ia_valid & ATTR_OPEN)\n\t\t\t\t\terr = -EACCES;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t}\n\t\terr = nfs4_handle_exception(server, err, &exception);\n\t} while (exception.retry);\nout:\n\treturn err;\n}", "project": "linux", "hash": 250635117589070998505656622935439644630, "size": 54, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to 
decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431244 }, { "func": "static zend_bool php_auto_globals_create_env(zend_string *name)\n{\n\tzval_ptr_dtor(&PG(http_globals)[TRACK_VARS_ENV]);\n\tarray_init(&PG(http_globals)[TRACK_VARS_ENV]);\n\n\tif (PG(variables_order) && (strchr(PG(variables_order),'E') || strchr(PG(variables_order),'e'))) {\n\t\tphp_import_environment_variables(&PG(http_globals)[TRACK_VARS_ENV]);\n\t}\n\n\tcheck_http_proxy(Z_ARRVAL(PG(http_globals)[TRACK_VARS_ENV]));\n\tzend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_ENV]);\n\tZ_ADDREF(PG(http_globals)[TRACK_VARS_ENV]);\n\n\treturn 0; /* don't rearm */\n}", "project": "php-src", "hash": 155715304010678221726826779486502835709, "size": 15, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374959 }, { "func": "\nstatic void bfq_put_cooperator(struct bfq_queue *bfqq)\n{\n\tstruct bfq_queue *__bfqq, *next;\n\n\t/*\n\t * If this queue was scheduled to merge with another queue, be\n\t * sure to drop the reference taken on that queue (and others in\n\t * the merge chain). See bfq_setup_merge and bfq_merge_bfqqs.\n\t */\n\t__bfqq = bfqq->new_bfqq;\n\twhile (__bfqq) {\n\t\tif (__bfqq == bfqq)\n\t\t\tbreak;\n\t\tnext = __bfqq->new_bfqq;\n\t\tbfq_put_queue(__bfqq);\n\t\t__bfqq = next;\n\t}", "project": "linux", "hash": 329138637149612219987080569225165973267, "size": 18, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. 
The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] 
kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region 
[ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453368 }, { "func": "void CSoundFile::ExtraFinePortamentoUp(ModChannel *pChn, ModCommand::PARAM param) const\n{\n\tif(GetType() == MOD_TYPE_XM)\n\t{\n\t\t// FT2 compatibility: E1x / E2x / X1x / X2x memory is not linked\n\t\t// Test case: Porta-LinkMem.xm\n\t\tif(param) pChn->nOldExtraFinePortaUpDown = (pChn->nOldExtraFinePortaUpDown & 0x0F) | (param << 4); else param = 
(pChn->nOldExtraFinePortaUpDown >> 4);\n\t} else if(GetType() == MOD_TYPE_MT2)\n\t{\n\t\tif(param) pChn->nOldFinePortaUpDown = param; else param = pChn->nOldFinePortaUpDown;\n\t}\n\n\tif(pChn->isFirstTick)\n\t{\n\t\tif ((pChn->nPeriod) && (param))\n\t\t{\n\t\t\tif(m_SongFlags[SONG_LINEARSLIDES] && GetType() != MOD_TYPE_XM)\n\t\t\t{\n\t\t\t\tint oldPeriod = pChn->nPeriod;\n\t\t\t\tpChn->nPeriod = Util::muldivr(pChn->nPeriod, GetFineLinearSlideUpTable(this, param & 0x0F), 65536);\n\t\t\t\tif(oldPeriod == pChn->nPeriod) pChn->nPeriod++;\n\t\t\t} else\n\t\t\t{\n\t\t\t\tpChn->nPeriod -= (int)(param);\n\t\t\t\tif (pChn->nPeriod < 1)\n\t\t\t\t{\n\t\t\t\t\tpChn->nPeriod = 1;\n\t\t\t\t\tif(GetType() == MOD_TYPE_S3M)\n\t\t\t\t\t{\n\t\t\t\t\t\tpChn->nFadeOutVol = 0;\n\t\t\t\t\t\tpChn->dwFlags.set(CHN_NOTEFADE | CHN_FASTVOLRAMP);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}", "project": "openmpt", "hash": 153802790358502066505144676423125361627, "size": 37, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255199 }, { "func": "static int nested_svm_exit_handled(struct vcpu_svm *svm)\n{\n\tint vmexit;\n\n\tvmexit = nested_svm_intercept(svm);\n\n\tif (vmexit == NESTED_EXIT_DONE)\n\t\tnested_svm_vmexit(svm);\n\n\treturn vmexit;\n}", "project": "linux", "hash": 181522421398033432190407759813926273315, "size": 11, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432415 }, { "func": "static int fuse_open(struct inode *inode, struct file *file)\n{\n\treturn fuse_open_common(inode, file, false);\n}", "project": "linux", "hash": 115842783478986056881817805198399125202, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342076 }, { "func": "static int input_attach_handler(struct input_dev *dev, struct input_handler *handler)\n{\n\tconst struct input_device_id *id;\n\tint error;\n\n\tid = input_match_device(handler, dev);\n\tif (!id)\n\t\treturn -ENODEV;\n\n\terror = handler->connect(handler, dev, id);\n\tif (error && error != -ENODEV)\n\t\tpr_err(\"failed to attach handler %s to device %s, error: %d\\n\",\n\t\t handler->name, kobject_name(&dev->dev.kobj), error);\n\n\treturn error;\n}", "project": "linux", "hash": 67661564468065760448020383929587016438, "size": 16, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353308 }, { "func": "static apr_byte_t oidc_provider_static_config(request_rec *r, oidc_cfg *c,\n\t\toidc_provider_t **provider) {\n\n\tjson_t *j_provider = NULL;\n\tchar *s_json = NULL;\n\n\t/* see if we should configure a static provider based on external (cached) metadata */\n\tif ((c->metadata_dir != NULL) || (c->provider.metadata_url == NULL)) {\n\t\t*provider = &c->provider;\n\t\treturn TRUE;\n\t}\n\n\toidc_cache_get_provider(r, c->provider.metadata_url, &s_json);\n\n\tif (s_json == NULL) {\n\n\t\tif (oidc_metadata_provider_retrieve(r, c, NULL,\n\t\t\t\tc->provider.metadata_url, &j_provider, &s_json) == FALSE) {\n\t\t\toidc_error(r, \"could not retrieve metadata from url: %s\",\n\t\t\t\t\tc->provider.metadata_url);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\toidc_cache_set_provider(r, c->provider.metadata_url, s_json,\n\t\t\t\tapr_time_now() + (c->provider_metadata_refresh_interval <= 0 ? 
apr_time_from_sec( OIDC_CACHE_PROVIDER_METADATA_EXPIRY_DEFAULT) : c->provider_metadata_refresh_interval));\n\n\t} else {\n\n\t\toidc_util_decode_json_object(r, s_json, &j_provider);\n\n\t\t/* check to see if it is valid metadata */\n\t\tif (oidc_metadata_provider_is_valid(r, c, j_provider, NULL) == FALSE) {\n\t\t\toidc_error(r,\n\t\t\t\t\t\"cache corruption detected: invalid metadata from url: %s\",\n\t\t\t\t\tc->provider.metadata_url);\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\t*provider = apr_pcalloc(r->pool, sizeof(oidc_provider_t));\n\tmemcpy(*provider, &c->provider, sizeof(oidc_provider_t));\n\n\tif (oidc_metadata_provider_parse(r, c, j_provider, *provider) == FALSE) {\n\t\toidc_error(r, \"could not parse metadata from url: %s\",\n\t\t\t\tc->provider.metadata_url);\n\t\tif (j_provider)\n\t\t\tjson_decref(j_provider);\n\t\treturn FALSE;\n\t}\n\n\tjson_decref(j_provider);\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 140293185629259522321601029889314110500, "size": 54, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381952 }, { "func": "char * ap_php_conv_p2(register uint64_t num, register int nbits,\n char format, char *buf_end, register int *len)\n{\n register int mask = (1 << nbits) - 1;\n register char *p = buf_end;\n static char low_digits[] = \"0123456789abcdef\";\n static char upper_digits[] = \"0123456789ABCDEF\";\n register char *digits = (format == 'X') ? 
upper_digits : low_digits;\n\n do {\n *--p = digits[num & mask];\n num >>= nbits;\n }\n while (num);\n\n *len = buf_end - p;\n return (p);\n}", "project": "hhvm", "hash": 279103982584113680938316354499071852622, "size": 18, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219632 }, { "func": "void cdev_init(struct cdev *cdev, const struct file_operations *fops)\n{\n\tmemset(cdev, 0, sizeof *cdev);\n\tINIT_LIST_HEAD(&cdev->list);\n\tkobject_init(&cdev->kobj, &ktype_cdev_default);\n\tcdev->ops = fops;\n}", "project": "linux", "hash": 317269742937612548306997334009891455581, "size": 7, "commit_id": "68faa679b8be1a74e6663c21c3a9d25d32f1c079", "message": "chardev: Avoid potential use-after-free in 'chrdev_open()'\n\n'chrdev_open()' calls 'cdev_get()' to obtain a reference to the\n'struct cdev *' stashed in the 'i_cdev' field of the target inode\nstructure. If the pointer is NULL, then it is initialised lazily by\nlooking up the kobject in the 'cdev_map' and so the whole procedure is\nprotected by the 'cdev_lock' spinlock to serialise initialisation of\nthe shared pointer.\n\nUnfortunately, it is possible for the initialising thread to fail *after*\ninstalling the new pointer, for example if the subsequent '->open()' call\non the file fails. In this case, 'cdev_put()' is called, the reference\ncount on the kobject is dropped and, if nobody else has taken a reference,\nthe release function is called which finally clears 'inode->i_cdev' from\n'cdev_purge()' before potentially freeing the object. 
The problem here\nis that a racing thread can happily take the 'cdev_lock' and see the\nnon-NULL pointer in the inode, which can result in a refcount increment\nfrom zero and a warning:\n\n | ------------[ cut here ]------------\n | refcount_t: addition on 0; use-after-free.\n | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0\n | Modules linked in:\n | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\n | RIP: 0010:refcount_warn_saturate+0x6d/0xf0\n | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08\n | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282\n | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000\n | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798\n | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039\n | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700\n | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700\n | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0\n | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n | Call Trace:\n | kobject_get+0x5c/0x60\n | cdev_get+0x2b/0x60\n | chrdev_open+0x55/0x220\n | ? cdev_put.part.3+0x20/0x20\n | do_dentry_open+0x13a/0x390\n | path_openat+0x2c8/0x1470\n | do_filp_open+0x93/0x100\n | ? 
selinux_file_ioctl+0x17f/0x220\n | do_sys_open+0x186/0x220\n | do_syscall_64+0x48/0x150\n | entry_SYSCALL_64_after_hwframe+0x44/0xa9\n | RIP: 0033:0x7f3b87efcd0e\n | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4\n | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101\n | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e\n | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c\n | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000\n | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e\n | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000\n | ---[ end trace 24f53ca58db8180a ]---\n\nSince 'cdev_get()' can already fail to obtain a reference, simply move\nit over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',\nwhich will cause the racing thread to return -ENXIO if the initialising\nthread fails unexpectedly.\n\nCc: Hillf Danton \nCc: Andrew Morton \nCc: Al Viro \nReported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com\nSigned-off-by: Will Deacon \nCc: stable \nLink: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 446372 }, { "func": "static void encode_uint32(struct xdr_stream *xdr, u32 n)\n{\n\tWARN_ON_ONCE(xdr_stream_encode_u32(xdr, n) < 0);\n}", "project": "linux", "hash": 90534039030789395362889448852359515109, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 
431527 }, { "func": "static BOOL update_gdi_fast_index(rdpContext* context, const FAST_INDEX_ORDER* fastIndex)\n{\n\tINT32 x, y;\n\tINT32 opLeft, opTop;\n\tINT32 opRight, opBottom;\n\tINT32 opWidth = 0, opHeight = 0;\n\tINT32 bkWidth = 0, bkHeight = 0;\n\n\tif (!context || !fastIndex || !context->cache)\n\t\treturn FALSE;\n\n\topLeft = fastIndex->opLeft;\n\topTop = fastIndex->opTop;\n\topRight = fastIndex->opRight;\n\topBottom = fastIndex->opBottom;\n\tx = fastIndex->x;\n\ty = fastIndex->y;\n\n\tif (opBottom == -32768)\n\t{\n\t\tBYTE flags = (BYTE)(opTop & 0x0F);\n\n\t\tif (flags & 0x01)\n\t\t\topBottom = fastIndex->bkBottom;\n\n\t\tif (flags & 0x02)\n\t\t\topRight = fastIndex->bkRight;\n\n\t\tif (flags & 0x04)\n\t\t\topTop = fastIndex->bkTop;\n\n\t\tif (flags & 0x08)\n\t\t\topLeft = fastIndex->bkLeft;\n\t}\n\n\tif (opLeft == 0)\n\t\topLeft = fastIndex->bkLeft;\n\n\tif (opRight == 0)\n\t\topRight = fastIndex->bkRight;\n\n\t/* Server can send a massive number (32766) which appears to be\n\t * undocumented special behavior for \"Erase all the way right\".\n\t * X11 has nondeterministic results asking for a draw that wide. 
*/\n\tif (opRight > (INT64)context->instance->settings->DesktopWidth)\n\t\topRight = (int)context->instance->settings->DesktopWidth;\n\n\tif (x == -32768)\n\t\tx = fastIndex->bkLeft;\n\n\tif (y == -32768)\n\t\ty = fastIndex->bkTop;\n\n\tif (fastIndex->bkRight > fastIndex->bkLeft)\n\t\tbkWidth = fastIndex->bkRight - fastIndex->bkLeft + 1;\n\n\tif (fastIndex->bkBottom > fastIndex->bkTop)\n\t\tbkHeight = fastIndex->bkBottom - fastIndex->bkTop + 1;\n\n\tif (opRight > opLeft)\n\t\topWidth = opRight - opLeft + 1;\n\n\tif (opBottom > opTop)\n\t\topHeight = opBottom - opTop + 1;\n\n\treturn update_process_glyph_fragments(\n\t context, fastIndex->data, fastIndex->cbData, fastIndex->cacheId, fastIndex->ulCharInc,\n\t fastIndex->flAccel, fastIndex->backColor, fastIndex->foreColor, x, y, fastIndex->bkLeft,\n\t fastIndex->bkTop, bkWidth, bkHeight, opLeft, opTop, opWidth, opHeight, FALSE);\n}", "project": "FreeRDP", "hash": 226828057383695974956659717640335737721, "size": 70, "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 0, "dataset": "other", "idx": 432869 }, { "func": "static int kvm_vm_ioctl_set_memory_region(struct kvm *kvm,\n\t\t\t\t\t struct kvm_userspace_memory_region *mem)\n{\n\tif ((u16)mem->slot >= KVM_USER_MEM_SLOTS)\n\t\treturn -EINVAL;\n\n\treturn kvm_set_memory_region(kvm, mem);\n}", "project": "linux", "hash": 337511096356182299001504355481568635615, "size": 8, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used 
slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354576 }, { "func": "static rsRetVal qDestructDirect(qqueue_t __attribute__((unused)) *pThis)\n{\n\treturn RS_RET_OK;\n}", "project": "rsyslog", "hash": 309636193111718116918802417194384548649, "size": 4, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373786 }, { "func": "static Variant strtok(const String& str, const Variant& token) {\n String stoken;\n if (!token.isNull()) {\n s_tokenizer_data->str = str;\n s_tokenizer_data->pos = 0;\n stoken = token.toString();\n } else {\n stoken = str;\n }\n\n String sstr = s_tokenizer_data->str;\n int pos = s_tokenizer_data->pos;\n if (pos >= sstr.size()) {\n return false;\n }\n\n // set up mask\n int *mask = s_tokenizer_data->mask;\n for (int i = 0; i < stoken.size(); i++) {\n mask[(unsigned char)stoken.data()[i]] = 1;\n }\n\n // skip leading delimiters\n const char *s0 = sstr.data();\n int i = pos;\n for (; i < sstr.size(); i++) {\n if (!mask[(unsigned char)s0[i]]) {\n break;\n }\n }\n int pos0 = i;\n for (; i < sstr.size(); i++) {\n if (mask[(unsigned char)s0[i]]) {\n break;\n }\n }\n\n // reset mask\n for (int i2 = 0; i2 < stoken.size(); i2++) {\n mask[(unsigned char)stoken.data()[i2]] = 0;\n }\n\n if (pos0 == sstr.size()) {\n return false;\n }\n\n String ret(s0 + pos0, i - pos0, CopyString);\n s_tokenizer_data->pos = i + 1;\n\n return ret;\n}", "project": "hhvm", "hash": 124093927874955286487691458329200483478, "size": 51, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, 
"dataset": "other", "idx": 219747 }, { "func": "static void drop_rmap_locks(struct vm_area_struct *vma)\n{\n\tif (vma->anon_vma)\n\t\tanon_vma_unlock_write(vma->anon_vma);\n\tif (vma->vm_file)\n\t\ti_mmap_unlock_write(vma->vm_file->f_mapping);\n}", "project": "linux", "hash": 210220913787004529053591004131239622679, "size": 7, "commit_id": "5bfea2d9b17f1034a68147a8b03b9789af5700f9", "message": "mm: Fix mremap not considering huge pmd devmap\n\nThe original code in mm/mremap.c checks huge pmd by:\n\n\t\tif (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {\n\nHowever, a DAX mapped nvdimm is mapped as huge page (by default) but it\nis not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This commit\nchanges the condition to include the case.\n\nThis addresses CVE-2020-10757.\n\nFixes: 5c7fb56e5e3f (\"mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd\")\nCc: \nReported-by: Fan Yang \nSigned-off-by: Fan Yang \nTested-by: Fan Yang \nTested-by: Dan Williams \nReviewed-by: Dan Williams \nAcked-by: Kirill A. Shutemov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 321579 }, { "func": "void CClient::ReadLine(const CString& sData) {\n CLanguageScope user_lang(GetUser() ? 
GetUser()->GetLanguage() : \"\");\n CString sLine = sData;\n\n sLine.Replace(\"\\n\", \"\");\n sLine.Replace(\"\\r\", \"\");\n\n DEBUG(\"(\" << GetFullName() << \") CLI -> ZNC [\"\n << CDebug::Filter(sLine) << \"]\");\n\n bool bReturn = false;\n if (IsAttached()) {\n NETWORKMODULECALL(OnUserRaw(sLine), m_pUser, m_pNetwork, this,\n &bReturn);\n } else {\n GLOBALMODULECALL(OnUnknownUserRaw(this, sLine), &bReturn);\n }\n if (bReturn) return;\n\n CMessage Message(sLine);\n Message.SetClient(this);\n\n if (IsAttached()) {\n NETWORKMODULECALL(OnUserRawMessage(Message), m_pUser, m_pNetwork, this,\n &bReturn);\n } else {\n GLOBALMODULECALL(OnUnknownUserRawMessage(Message), &bReturn);\n }\n if (bReturn) return;\n\n CString sCommand = Message.GetCommand();\n\n if (!IsAttached()) {\n // The following commands happen before authentication with ZNC\n if (sCommand.Equals(\"PASS\")) {\n m_bGotPass = true;\n\n CString sAuthLine = Message.GetParam(0);\n ParsePass(sAuthLine);\n\n AuthUser();\n // Don't forward this msg. ZNC has already registered us.\n return;\n } else if (sCommand.Equals(\"NICK\")) {\n CString sNick = Message.GetParam(0);\n\n m_sNick = sNick;\n m_bGotNick = true;\n\n AuthUser();\n // Don't forward this msg. ZNC will handle nick changes until auth\n // is complete\n return;\n } else if (sCommand.Equals(\"USER\")) {\n CString sAuthLine = Message.GetParam(0);\n\n if (m_sUser.empty() && !sAuthLine.empty()) {\n ParseUser(sAuthLine);\n }\n\n m_bGotUser = true;\n if (m_bGotPass) {\n AuthUser();\n } else if (!m_bInCap) {\n SendRequiredPasswordNotice();\n }\n\n // Don't forward this msg. 
ZNC has already registered us.\n return;\n }\n }\n\n if (Message.GetType() == CMessage::Type::Capability) {\n HandleCap(Message);\n\n // Don't let the client talk to the server directly about CAP,\n // we don't want anything enabled that ZNC does not support.\n return;\n }\n\n if (!m_pUser) {\n // Only CAP, NICK, USER and PASS are allowed before login\n return;\n }\n\n switch (Message.GetType()) {\n case CMessage::Type::Action:\n bReturn = OnActionMessage(Message);\n break;\n case CMessage::Type::CTCP:\n bReturn = OnCTCPMessage(Message);\n break;\n case CMessage::Type::Join:\n bReturn = OnJoinMessage(Message);\n break;\n case CMessage::Type::Mode:\n bReturn = OnModeMessage(Message);\n break;\n case CMessage::Type::Notice:\n bReturn = OnNoticeMessage(Message);\n break;\n case CMessage::Type::Part:\n bReturn = OnPartMessage(Message);\n break;\n case CMessage::Type::Ping:\n bReturn = OnPingMessage(Message);\n break;\n case CMessage::Type::Pong:\n bReturn = OnPongMessage(Message);\n break;\n case CMessage::Type::Quit:\n bReturn = OnQuitMessage(Message);\n break;\n case CMessage::Type::Text:\n bReturn = OnTextMessage(Message);\n break;\n case CMessage::Type::Topic:\n bReturn = OnTopicMessage(Message);\n break;\n default:\n bReturn = OnOtherMessage(Message);\n break;\n }\n\n if (bReturn) return;\n\n PutIRC(Message.ToString(CMessage::ExcludePrefix | CMessage::ExcludeTags));\n}", "project": "znc", "hash": 276552662369059485952444734566278162769, "size": 128, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231555 }, { "func": "static int avic_ga_log_notifier(u32 ga_tag)\n{\n\tunsigned long flags;\n\tstruct kvm_svm *kvm_svm;\n\tstruct kvm_vcpu *vcpu = NULL;\n\tu32 vm_id = AVIC_GATAG_TO_VMID(ga_tag);\n\tu32 vcpu_id = AVIC_GATAG_TO_VCPUID(ga_tag);\n\n\tpr_debug(\"SVM: %s: vm_id=%#x, vcpu_id=%#x\\n\", __func__, vm_id, 
vcpu_id);\n\n\tspin_lock_irqsave(&svm_vm_data_hash_lock, flags);\n\thash_for_each_possible(svm_vm_data_hash, kvm_svm, hnode, vm_id) {\n\t\tif (kvm_svm->avic_vm_id != vm_id)\n\t\t\tcontinue;\n\t\tvcpu = kvm_get_vcpu_by_id(&kvm_svm->kvm, vcpu_id);\n\t\tbreak;\n\t}\n\tspin_unlock_irqrestore(&svm_vm_data_hash_lock, flags);\n\n\t/* Note:\n\t * At this point, the IOMMU should have already set the pending\n\t * bit in the vAPIC backing page. So, we just need to schedule\n\t * in the vcpu.\n\t */\n\tif (vcpu)\n\t\tkvm_vcpu_wake_up(vcpu);\n\n\treturn 0;\n}", "project": "linux", "hash": 106722110315549230223680947832599593932, "size": 29, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432623 }, { "func": "static void cancel_interleave_scan(struct hci_dev *hdev)\n{\n\tbt_dev_dbg(hdev, \"cancelling interleave scan\");\n\n\tcancel_delayed_work_sync(&hdev->interleave_scan);\n\n\thdev->interleave_scan_state = INTERLEAVE_SCAN_NONE;\n}", "project": "linux", "hash": 305229854460879791117747528173316298690, "size": 8, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... 
| test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402480 }, { "func": "bool CClient::OnModeMessage(CModeMessage& Message) {\n CString sTarget = Message.GetTarget();\n\n if (m_pNetwork && m_pNetwork->IsChan(sTarget) && !Message.HasModes()) {\n // If we are on that channel and already received a\n // /mode reply from the server, we can answer this\n // request ourself.\n\n CChan* pChan = m_pNetwork->FindChan(sTarget);\n if (pChan && pChan->IsOn() && !pChan->GetModeString().empty()) {\n PutClient(\":\" + m_pNetwork->GetIRCServer() + \" 324 \" + GetNick() +\n \" \" + sTarget + \" \" + pChan->GetModeString());\n if (pChan->GetCreationDate() > 0) {\n PutClient(\":\" + m_pNetwork->GetIRCServer() + \" 329 \" +\n GetNick() + \" \" + sTarget + \" \" +\n CString(pChan->GetCreationDate()));\n }\n return true;\n }\n }\n\n return false;\n}", "project": "znc", "hash": 287409066717257819824193582637598507881, "size": 23, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231554 }, { "func": "UnicodeStringTest::TestUTF8() {\n static const uint8_t utf8[] = {\n // Code points:\n // 0x41, 0xd900,\n // 0x61, 0xdc00,\n // 0x110000, 0x5a,\n // 0x50000, 0x7a,\n // 0x10000, 0x20000,\n // 0xe0000, 0x10ffff\n 0x41, 0xed, 0xa4, 0x80,\n 0x61, 0xed, 0xb0, 0x80,\n 0xf4, 0x90, 0x80, 0x80, 0x5a,\n 0xf1, 0x90, 0x80, 0x80, 0x7a,\n 0xf0, 0x90, 0x80, 0x80, 0xf0, 0xa0, 0x80, 0x80,\n 0xf3, 0xa0, 0x80, 0x80, 0xf4, 0x8f, 0xbf, 0xbf\n };\n static const UChar expected_utf16[] = {\n 0x41, 0xfffd, 0xfffd, 0xfffd,\n 0x61, 0xfffd, 0xfffd, 0xfffd,\n 0xfffd, 0xfffd, 0xfffd, 
0xfffd,0x5a,\n 0xd900, 0xdc00, 0x7a,\n 0xd800, 0xdc00, 0xd840, 0xdc00,\n 0xdb40, 0xdc00, 0xdbff, 0xdfff\n };\n UnicodeString from8 = UnicodeString::fromUTF8(StringPiece((const char *)utf8, (int32_t)sizeof(utf8)));\n UnicodeString expected(FALSE, expected_utf16, UPRV_LENGTHOF(expected_utf16));\n\n if(from8 != expected) {\n errln(\"UnicodeString::fromUTF8(StringPiece) did not create the expected string.\");\n }\n std::string utf8_string((const char *)utf8, sizeof(utf8));\n UnicodeString from8b = UnicodeString::fromUTF8(utf8_string);\n if(from8b != expected) {\n errln(\"UnicodeString::fromUTF8(std::string) did not create the expected string.\");\n }\n\n static const UChar utf16[] = {\n 0x41, 0xd900, 0x61, 0xdc00, 0x5a, 0xd900, 0xdc00, 0x7a, 0xd800, 0xdc00, 0xdbff, 0xdfff\n };\n static const uint8_t expected_utf8[] = {\n 0x41, 0xef, 0xbf, 0xbd, 0x61, 0xef, 0xbf, 0xbd, 0x5a, 0xf1, 0x90, 0x80, 0x80, 0x7a,\n 0xf0, 0x90, 0x80, 0x80, 0xf4, 0x8f, 0xbf, 0xbf\n };\n UnicodeString us(FALSE, utf16, UPRV_LENGTHOF(utf16));\n\n char buffer[64];\n TestCheckedArrayByteSink sink(buffer, (int32_t)sizeof(buffer));\n us.toUTF8(sink);\n if( sink.NumberOfBytesWritten() != (int32_t)sizeof(expected_utf8) ||\n 0 != uprv_memcmp(buffer, expected_utf8, sizeof(expected_utf8))\n ) {\n errln(\"UnicodeString::toUTF8() did not create the expected string.\");\n }\n if(!sink.calledFlush) {\n errln(\"UnicodeString::toUTF8(sink) did not sink.Flush().\");\n }\n // Initial contents for testing that toUTF8String() appends.\n std::string result8 = \"-->\";\n std::string expected8 = \"-->\" + std::string((const char *)expected_utf8, sizeof(expected_utf8));\n // Use the return value just for testing.\n std::string &result8r = us.toUTF8String(result8);\n if(result8r != expected8 || &result8r != &result8) {\n errln(\"UnicodeString::toUTF8String() did not create the expected string.\");\n }\n}", "project": "icu", "hash": 3112851489125874582312114163595940175, "size": 65, "commit_id": 
"b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430748 }, { "func": "void WebContents::AddWorkSpace(gin_helper::Arguments* args,\n const base::FilePath& path) {\n if (path.empty()) {\n args->ThrowError(\"path cannot be empty\");\n return;\n }\n DevToolsAddFileSystem(std::string(), path);\n}", "project": "electron", "hash": 219261692650382949354716935745034296692, "size": 8, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269717 }, { "func": "int tipc_nl_node_reset_link_stats(struct sk_buff *skb, struct genl_info *info)\n{\n\tint err;\n\tchar *link_name;\n\tunsigned int bearer_id;\n\tstruct tipc_link *link;\n\tstruct tipc_node *node;\n\tstruct nlattr *attrs[TIPC_NLA_LINK_MAX + 1];\n\tstruct net *net = sock_net(skb->sk);\n\tstruct tipc_net *tn = tipc_net(net);\n\tstruct tipc_link_entry *le;\n\n\tif (!info->attrs[TIPC_NLA_LINK])\n\t\treturn -EINVAL;\n\n\terr = nla_parse_nested_deprecated(attrs, TIPC_NLA_LINK_MAX,\n\t\t\t\t\t info->attrs[TIPC_NLA_LINK],\n\t\t\t\t\t tipc_nl_link_policy, info->extack);\n\tif (err)\n\t\treturn err;\n\n\tif (!attrs[TIPC_NLA_LINK_NAME])\n\t\treturn -EINVAL;\n\n\tlink_name = nla_data(attrs[TIPC_NLA_LINK_NAME]);\n\n\terr = -EINVAL;\n\tif (!strcmp(link_name, tipc_bclink_name)) {\n\t\terr = tipc_bclink_reset_stats(net, tipc_bc_sndlink(net));\n\t\tif (err)\n\t\t\treturn err;\n\t\treturn 0;\n\t} else if (strstr(link_name, tipc_bclink_name)) {\n\t\trcu_read_lock();\n\t\tlist_for_each_entry_rcu(node, &tn->node_list, list) 
{\n\t\t\ttipc_node_read_lock(node);\n\t\t\tlink = node->bc_entry.link;\n\t\t\tif (link && !strcmp(link_name, tipc_link_name(link))) {\n\t\t\t\terr = tipc_bclink_reset_stats(net, link);\n\t\t\t\ttipc_node_read_unlock(node);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\ttipc_node_read_unlock(node);\n\t\t}\n\t\trcu_read_unlock();\n\t\treturn err;\n\t}\n\n\tnode = tipc_node_find_by_name(net, link_name, &bearer_id);\n\tif (!node)\n\t\treturn -EINVAL;\n\n\tle = &node->links[bearer_id];\n\ttipc_node_read_lock(node);\n\tspin_lock_bh(&le->lock);\n\tlink = node->links[bearer_id].link;\n\tif (!link) {\n\t\tspin_unlock_bh(&le->lock);\n\t\ttipc_node_read_unlock(node);\n\t\treturn -EINVAL;\n\t}\n\ttipc_link_reset_stats(link);\n\tspin_unlock_bh(&le->lock);\n\ttipc_node_read_unlock(node);\n\treturn 0;\n}", "project": "linux", "hash": 129696194063365033804478008866621951405, "size": 66, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg 
net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n 
__kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364906 }, { "func": "int x25_addr_ntoa(unsigned char *p, struct x25_address *called_addr,\n\t\t struct x25_address *calling_addr)\n{\n\tunsigned int called_len, calling_len;\n\tchar *called, *calling;\n\tunsigned int i;\n\n\tcalled_len = (*p >> 0) & 0x0F;\n\tcalling_len = (*p >> 4) & 0x0F;\n\n\tcalled = called_addr->x25_addr;\n\tcalling = calling_addr->x25_addr;\n\tp++;\n\n\tfor (i = 0; i < (called_len + calling_len); i++) {\n\t\tif (i < called_len) {\n\t\t\tif (i % 2 != 0) {\n\t\t\t\t*called++ = ((*p >> 0) & 0x0F) + '0';\n\t\t\t\tp++;\n\t\t\t} else {\n\t\t\t\t*called++ = ((*p >> 4) & 0x0F) + '0';\n\t\t\t}\n\t\t} else {\n\t\t\tif (i % 2 != 0) {\n\t\t\t\t*calling++ = ((*p >> 0) & 0x0F) + '0';\n\t\t\t\tp++;\n\t\t\t} else {\n\t\t\t\t*calling++ = ((*p >> 4) & 0x0F) + '0';\n\t\t\t}\n\t\t}\n\t}\n\n\t*called = *calling = '\\0';\n\n\treturn 1 + (called_len + calling_len + 1) / 2;\n}", "project": "net", "hash": 33328550190335230436665594216855289254, "size": 36, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). 
What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449180 }, { "func": "CWebSession::~CWebSession() {\n // Find our entry in mIPSessions\n pair p =\n Sessions.m_mIPSessions.equal_range(m_sIP);\n mIPSessionsIterator it = p.first;\n mIPSessionsIterator end = p.second;\n\n while (it != end) {\n if (it->second == this) {\n Sessions.m_mIPSessions.erase(it++);\n } else {\n ++it;\n }\n }\n}", "project": "znc", "hash": 79413526171961190514028414261751574218, "size": 15, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265788 }, { "func": "static int check_memory_region_flags(const struct kvm_userspace_memory_region *mem)\n{\n\tu32 valid_flags = KVM_MEM_LOG_DIRTY_PAGES;\n\n#ifdef __KVM_HAVE_READONLY_MEM\n\tvalid_flags |= KVM_MEM_READONLY;\n#endif\n\n\tif (mem->flags & ~valid_flags)\n\t\treturn -EINVAL;\n\n\treturn 0;\n}", "project": "linux", "hash": 44988961156300470031206111071900692884, "size": 13, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: 
<20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354624 }, { "func": "Status NdarrayToTensor(TFE_Context* ctx, PyObject* ndarray,\n Safe_TF_TensorPtr* ret) {\n DCHECK(ret != nullptr);\n\n // Make sure we dereference this array object in case of error, etc.\n Safe_PyObjectPtr array_safe(make_safe(\n PyArray_FromAny(ndarray, nullptr, 0, 0, NPY_ARRAY_CARRAY_RO, nullptr)));\n if (!array_safe) return errors::InvalidArgument(\"Not a ndarray.\");\n PyArrayObject* array = reinterpret_cast(array_safe.get());\n\n // Convert numpy dtype to TensorFlow dtype.\n TF_DataType dtype = TF_FLOAT;\n TF_RETURN_IF_ERROR(PyArray_TYPE_to_TF_DataType(array, &dtype));\n\n tensorflow::int64 nelems = 1;\n gtl::InlinedVector dims;\n for (int i = 0; i < PyArray_NDIM(array); ++i) {\n dims.push_back(PyArray_SHAPE(array)[i]);\n nelems *= dims[i];\n }\n\n // Create a TF_Tensor based on the fed data. In the case of non-string data\n // type, this steals a reference to array, which will be relinquished when\n // the underlying buffer is deallocated. 
For string, a new temporary buffer\n // is allocated into which the strings are encoded.\n if (dtype == TF_RESOURCE) {\n size_t size = PyArray_NBYTES(array);\n array_safe.release();\n\n if (ctx) {\n *ret = make_safe(new TF_Tensor{tensorflow::unwrap(ctx)->CreateTensor(\n static_cast(dtype), {}, 0, PyArray_DATA(array),\n size, &DelayedNumpyDecref, array)});\n } else {\n *ret = make_safe(TF_NewTensor(dtype, {}, 0, PyArray_DATA(array), size,\n &DelayedNumpyDecref, array));\n }\n\n } else if (dtype != TF_STRING) {\n size_t size = PyArray_NBYTES(array);\n array_safe.release();\n if (ctx) {\n *ret = make_safe(new TF_Tensor{tensorflow::unwrap(ctx)->CreateTensor(\n static_cast(dtype), dims.data(), dims.size(),\n PyArray_DATA(array), size, &DelayedNumpyDecref, array)});\n } else {\n *ret = make_safe(TF_NewTensor(dtype, dims.data(), dims.size(),\n PyArray_DATA(array), size,\n &DelayedNumpyDecref, array));\n }\n\n } else {\n size_t size = 0;\n void* encoded = nullptr;\n TF_RETURN_IF_ERROR(EncodePyBytesArray(array, nelems, &size, &encoded));\n if (ctx) {\n *ret = make_safe(new TF_Tensor{tensorflow::unwrap(ctx)->CreateTensor(\n static_cast(dtype), dims.data(), dims.size(),\n encoded, size,\n [](void* data, size_t len, void* arg) {\n delete[] reinterpret_cast(data);\n },\n nullptr)});\n } else {\n *ret = make_safe(TF_NewTensor(\n dtype, dims.data(), dims.size(), encoded, size,\n [](void* data, size_t len, void* arg) {\n delete[] reinterpret_cast(data);\n },\n nullptr));\n }\n }\n\n return Status::OK();\n}", "project": "tensorflow", "hash": 185545514328281235616812629286784894189, "size": 75, "commit_id": "030af767d357d1b4088c4a25c72cb3906abac489", "message": "Fix `tf.raw_ops.ResourceCountUpTo` null pointer dereference.\n\nPiperOrigin-RevId: 368294347\nChange-Id: I2c16fbfc9b4966c402c3d8e311f0d665a9c852d8", "target": 0, "dataset": "other", "idx": 232656 }, { "func": "Status NdarrayToTensor(PyObject* obj, Tensor* ret) {\n Safe_TF_TensorPtr tf_tensor = 
make_safe(static_cast(nullptr));\n Status s = NdarrayToTensor(nullptr /*ctx*/, obj, &tf_tensor);\n if (!s.ok()) {\n return s;\n }\n return TF_TensorToTensor(tf_tensor.get(), ret);\n}", "project": "tensorflow", "hash": 115701244858147944634378314121383857324, "size": 8, "commit_id": "030af767d357d1b4088c4a25c72cb3906abac489", "message": "Fix `tf.raw_ops.ResourceCountUpTo` null pointer dereference.\n\nPiperOrigin-RevId: 368294347\nChange-Id: I2c16fbfc9b4966c402c3d8e311f0d665a9c852d8", "target": 0, "dataset": "other", "idx": 232660 }, { "func": "CLua &CLua::get_vm(lua_State *ls)\n{\n lua_stack_cleaner clean(ls);\n _getregistry(ls, \"__clua\");\n CLua *vm = clua_get_lightuserdata(ls, -1);\n if (!vm)\n luaL_error(ls, \"Could not find matching clua for lua state\");\n return *vm;\n}", "project": "crawl", "hash": 106227710601174189798472681613024734862, "size": 9, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230528 }, { "func": "HttpHeader::clean()\n{\n\n assert(owner > hoNone && owner < hoEnd);\n debugs(55, 7, \"cleaning hdr: \" << this << \" owner: \" << owner);\n\n PROF_start(HttpHeaderClean);\n\n if (owner <= hoReply) {\n /*\n * An unfortunate bug. The entries array is initialized\n * such that count is set to zero. httpHeaderClean() seems to\n * be called both when 'hdr' is created, and destroyed. Thus,\n * we accumulate a large number of zero counts for 'hdr' before\n * it is ever used. Can't think of a good way to fix it, except\n * adding a state variable that indicates whether or not 'hdr'\n * has been used. 
As a hack, just never count zero-sized header\n * arrays.\n */\n if (!entries.empty())\n HttpHeaderStats[owner].hdrUCountDistr.count(entries.size());\n\n ++ HttpHeaderStats[owner].destroyedCount;\n\n HttpHeaderStats[owner].busyDestroyedCount += entries.size() > 0;\n } // if (owner <= hoReply)\n\n for (HttpHeaderEntry *e : entries) {\n if (e == nullptr)\n continue;\n if (!Http::any_valid_header(e->id)) {\n debugs(55, DBG_CRITICAL, \"BUG: invalid entry (\" << e->id << \"). Ignored.\");\n } else {\n if (owner <= hoReply)\n HttpHeaderStats[owner].fieldTypeDistr.count(e->id);\n delete e;\n }\n }\n\n entries.clear();\n httpHeaderMaskInit(&mask, 0);\n len = 0;\n conflictingContentLength_ = false;\n teUnsupported_ = false;\n PROF_stop(HttpHeaderClean);\n}", "project": "squid", "hash": 261911105716158508247823090657923882159, "size": 46, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402388 }, { "func": "static void nested_svm_intr(struct vcpu_svm *svm)\n{\n\ttrace_kvm_nested_intr_vmexit(svm->vmcb->save.rip);\n\n\tsvm->vmcb->control.exit_code = SVM_EXIT_INTR;\n\tsvm->vmcb->control.exit_info_1 = 0;\n\tsvm->vmcb->control.exit_info_2 = 0;\n\n\tnested_svm_vmexit(svm);\n}", "project": "linux", "hash": 185757299346066043571161119689141000267, "size": 10, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. 
Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376653 }, { "func": "static inline bool nested_svm_intr(struct vcpu_svm *svm)\n{\n\tif (!is_guest_mode(&svm->vcpu))\n\t\treturn true;\n\n\tif (!(svm->vcpu.arch.hflags & HF_VINTR_MASK))\n\t\treturn true;\n\n\tif (!(svm->vcpu.arch.hflags & HF_HIF_MASK))\n\t\treturn false;\n\n\t/*\n\t * if vmexit was already requested (by intercepted exception\n\t * for instance) do not overwrite it with \"external interrupt\"\n\t * vmexit.\n\t */\n\tif (svm->nested.exit_required)\n\t\treturn false;\n\n\tsvm->vmcb->control.exit_code = SVM_EXIT_INTR;\n\tsvm->vmcb->control.exit_info_1 = 0;\n\tsvm->vmcb->control.exit_info_2 = 0;\n\n\tif (svm->nested.intercept & 1ULL) {\n\t\t/*\n\t\t * The #vmexit can't be emulated here directly because this\n\t\t * code path runs with irqs and preemption disabled. A\n\t\t * #vmexit emulation might sleep. Only signal request for\n\t\t * the #vmexit here.\n\t\t */\n\t\tsvm->nested.exit_required = true;\n\t\ttrace_kvm_nested_intr_vmexit(svm->vmcb->save.rip);\n\t\treturn false;\n\t}\n\n\treturn true;\n}", "project": "linux", "hash": 187391527966134190854799097001186563340, "size": 37, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432528 }, { "func": "void pb_close_string_substream(pb_istream_t *stream, pb_istream_t *substream)\n{\n stream->state = substream->state;\n\n#ifndef PB_NO_ERRMSG\n stream->errmsg = substream->errmsg;\n#endif\n}", "project": "nanopb", "hash": 330717017690195082167853743545264490064, "size": 8, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255347 }, { "func": "int mnt_optstr_get_flags(const char *optstr, unsigned long *flags,\n\t\tconst struct libmnt_optmap *map)\n{\n\tstruct libmnt_optmap const *maps[2];\n\tchar *name, *str = (char *) optstr;\n\tsize_t namesz = 0, valsz = 0;\n\tint nmaps = 0;\n\n\tif (!optstr || !flags || !map)\n\t\treturn -EINVAL;\n\n\tmaps[nmaps++] = map;\n\n\tif (map == mnt_get_builtin_optmap(MNT_LINUX_MAP))\n\t\t/*\n\t\t * Add userspace map -- the \"user\" is interpreted as\n\t\t * MS_NO{EXEC,SUID,DEV}.\n\t\t */\n\t\tmaps[nmaps++] = mnt_get_builtin_optmap(MNT_USERSPACE_MAP);\n\n\twhile(!mnt_optstr_next_option(&str, &name, &namesz, NULL, &valsz)) {\n\t\tconst struct libmnt_optmap *ent;\n\t\tconst struct libmnt_optmap *m;\n\n\t\tm = mnt_optmap_get_entry(maps, nmaps, name, namesz, &ent);\n\t\tif (!m || !ent || !ent->id)\n\t\t\tcontinue;\n\n\t\t/* ignore name= if options map expects only */\n\t\tif (valsz && mnt_optmap_entry_novalue(ent))\n\t\t\tcontinue;\n\n\t\tif (m == map) {\t\t\t\t/* requested map */\n\t\t\tif (ent->mask & MNT_INVERT)\n\t\t\t\t*flags &= ~ent->id;\n\t\t\telse\n\t\t\t\t*flags |= ent->id;\n\n\t\t} else if (nmaps == 2 && m == maps[1] && valsz == 0) {\n\t\t\t/*\n\t\t\t * Special case -- translate \"user\" (but no user=) to\n\t\t\t * MS_ options\n\t\t\t */\n\t\t\tif 
(ent->mask & MNT_INVERT)\n\t\t\t\tcontinue;\n\t\t\tif (ent->id & (MNT_MS_OWNER | MNT_MS_GROUP))\n\t\t\t\t*flags |= MS_OWNERSECURE;\n\t\t\telse if (ent->id & (MNT_MS_USER | MNT_MS_USERS))\n\t\t\t\t*flags |= MS_SECURE;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "util-linux", "hash": 175386917214118942898615350051788243948, "size": 54, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410428 }, { "func": "static int ca8210_set_cca_ed_level(struct ieee802154_hw *hw, s32 level)\n{\n\tu8 status;\n\tu8 ed_threshold = (level / 100) * 2 + 256;\n\tstruct ca8210_priv *priv = hw->priv;\n\n\tstatus = hwme_set_request_sync(\n\t\tHWME_EDTHRESHOLD,\n\t\t1,\n\t\t&ed_threshold,\n\t\tpriv->spi\n\t);\n\tif (status) {\n\t\tdev_err(\n\t\t\t&priv->spi->dev,\n\t\t\t\"error setting ed threshold, HWME-SET.confirm status = %d\",\n\t\t\tstatus\n\t\t);\n\t}\n\treturn link_to_linux_err(status);\n}", "project": "linux", "hash": 8267179837927204294064072691557985628, "size": 21, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408778 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "void VideoRendererBase::Flush(const base::Closure& callback) {\n base::AutoLock auto_lock(lock_);\n DCHECK_EQ(state_, kPaused);\n flush_cb_ = callback;\n state_ = 
kFlushingDecoder;\n\n base::AutoUnlock auto_unlock(lock_);\n decoder_->Reset(base::Bind(&VideoRendererBase::OnDecoderFlushDone, this));\n}\n", "cwe": "", "big_vul_idx": 113351, "idx": 101642, "hash": 65586851753357260077486521128588176055 }, { "func": " virtual void Flush() { calledFlush = TRUE; }", "project": "icu", "hash": 319195582301832746736920396769113854475, "size": 1, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430740 }, { "func": "SYSCALL_DEFINE1(set_tid_address, int __user *, tidptr)\n{\n\tcurrent->clear_child_tid = tidptr;\n\n\treturn task_pid_vnr(current);\n}", "project": "linux", "hash": 229501896955537319861723464784470964585, "size": 6, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293648 }, { "func": "bool IsDeviceNameValid(const base::string16& device_name) {\n#if defined(OS_MACOSX)\n base::ScopedCFTypeRef new_printer_id(\n base::SysUTF16ToCFStringRef(device_name));\n PMPrinter new_printer = PMPrinterCreateFromPrinterID(new_printer_id.get());\n bool printer_exists = new_printer != nullptr;\n PMRelease(new_printer);\n return printer_exists;\n#elif defined(OS_WIN)\n printing::ScopedPrinterHandle printer;\n return printer.OpenPrinterWithName(device_name.c_str());\n#endif\n return true;\n}", "project": "electron", "hash": 201038427492636891833861482148512888651, "size": 14, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire 
will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269754 }, { "func": "UnicodeStringTest::doTestAppendable(UnicodeString &dest, Appendable &app) {\n static const UChar cde[3]={ 0x63, 0x64, 0x65 };\n static const UChar fg[3]={ 0x66, 0x67, 0 };\n if(!app.reserveAppendCapacity(12)) {\n errln(\"Appendable.reserve(12) failed\");\n }\n app.appendCodeUnit(0x61);\n app.appendCodePoint(0x62);\n app.appendCodePoint(0x50000);\n app.appendString(cde, 3);\n app.appendString(fg, -1);\n UChar scratch[3];\n int32_t capacity=-1;\n UChar *buffer=app.getAppendBuffer(3, 3, scratch, 3, &capacity);\n if(capacity<3) {\n errln(\"Appendable.getAppendBuffer(min=3) returned capacity=%d<3\", (int)capacity);\n return;\n }\n static const UChar hij[3]={ 0x68, 0x69, 0x6a };\n u_memcpy(buffer, hij, 3);\n app.appendString(buffer, 3);\n if(dest!=UNICODE_STRING_SIMPLE(\"ab\\\\U00050000cdefghij\").unescape()) {\n errln(\"Appendable.append(...) failed\");\n }\n buffer=app.getAppendBuffer(0, 3, scratch, 3, &capacity);\n if(buffer!=NULL || capacity!=0) {\n errln(\"Appendable.getAppendBuffer(min=0) failed\");\n }\n capacity=1;\n buffer=app.getAppendBuffer(3, 3, scratch, 2, &capacity);\n if(buffer!=NULL || capacity!=0) {\n errln(\"Appendable.getAppendBuffer(scratch 256) {\n rc = SSH_ERROR;\n goto cleanup;\n }\n\n for (count = 0; *p != '\\0'; p++, count++) {\n /* Invalid number of arguments passed */\n if (count > argc) {\n rc = SSH_ERROR;\n goto cleanup;\n }\n\n rc = SSH_ERROR;\n switch (*p) {\n case 'b':\n o.byte = va_arg(ap, uint8_t *);\n rlen = ssh_buffer_get_u8(buffer, o.byte);\n rc = rlen==1 ? 
SSH_OK : SSH_ERROR;\n break;\n case 'w':\n o.word = va_arg(ap, uint16_t *);\n rlen = ssh_buffer_get_data(buffer, o.word, sizeof(uint16_t));\n if (rlen == 2) {\n *o.word = ntohs(*o.word);\n rc = SSH_OK;\n }\n break;\n case 'd':\n o.dword = va_arg(ap, uint32_t *);\n rlen = ssh_buffer_get_u32(buffer, o.dword);\n if (rlen == 4) {\n *o.dword = ntohl(*o.dword);\n rc = SSH_OK;\n }\n break;\n case 'q':\n o.qword = va_arg(ap, uint64_t*);\n rlen = ssh_buffer_get_u64(buffer, o.qword);\n if (rlen == 8) {\n *o.qword = ntohll(*o.qword);\n rc = SSH_OK;\n }\n break;\n case 'B':\n o.bignum = va_arg(ap, bignum *);\n *o.bignum = NULL;\n tmp_string = ssh_buffer_get_ssh_string(buffer);\n if (tmp_string == NULL) {\n break;\n }\n *o.bignum = ssh_make_string_bn(tmp_string);\n ssh_string_burn(tmp_string);\n SSH_STRING_FREE(tmp_string);\n rc = (*o.bignum != NULL) ? SSH_OK : SSH_ERROR;\n break;\n case 'S':\n o.string = va_arg(ap, ssh_string *);\n *o.string = ssh_buffer_get_ssh_string(buffer);\n rc = *o.string != NULL ? 
SSH_OK : SSH_ERROR;\n o.string = NULL;\n break;\n case 's': {\n uint32_t u32len = 0;\n\n o.cstring = va_arg(ap, char **);\n *o.cstring = NULL;\n rlen = ssh_buffer_get_u32(buffer, &u32len);\n if (rlen != 4){\n break;\n }\n len = ntohl(u32len);\n if (len > max_len - 1) {\n break;\n }\n\n rc = ssh_buffer_validate_length(buffer, len);\n if (rc != SSH_OK) {\n break;\n }\n\n *o.cstring = malloc(len + 1);\n if (*o.cstring == NULL){\n rc = SSH_ERROR;\n break;\n }\n rlen = ssh_buffer_get_data(buffer, *o.cstring, len);\n if (rlen != len){\n SAFE_FREE(*o.cstring);\n rc = SSH_ERROR;\n break;\n }\n (*o.cstring)[len] = '\\0';\n o.cstring = NULL;\n rc = SSH_OK;\n break;\n }\n case 'P':\n len = va_arg(ap, size_t);\n if (len > max_len - 1) {\n rc = SSH_ERROR;\n break;\n }\n\n rc = ssh_buffer_validate_length(buffer, len);\n if (rc != SSH_OK) {\n break;\n }\n\n o.data = va_arg(ap, void **);\n count++;\n\n *o.data = malloc(len);\n if(*o.data == NULL){\n rc = SSH_ERROR;\n break;\n }\n rlen = ssh_buffer_get_data(buffer, *o.data, len);\n if (rlen != len){\n SAFE_FREE(*o.data);\n rc = SSH_ERROR;\n break;\n }\n o.data = NULL;\n rc = SSH_OK;\n break;\n default:\n SSH_LOG(SSH_LOG_WARN, \"Invalid buffer format %c\", *p);\n }\n if (rc != SSH_OK) {\n break;\n }\n }\n\n if (argc != count) {\n rc = SSH_ERROR;\n }\n\ncleanup:\n if (rc != SSH_ERROR){\n /* Check if our canary is intact, if not something really bad happened */\n uint32_t canary = va_arg(ap, uint32_t);\n if (canary != SSH_BUFFER_PACK_END){\n abort();\n }\n }\n\n if (rc != SSH_OK){\n /* Reset the format string and erase everything that was allocated */\n last = p;\n for(p=format;psecure) {\n explicit_bzero(o.byte, sizeof(uint8_t));\n break;\n }\n break;\n case 'w':\n o.word = va_arg(ap_copy, uint16_t *);\n if (buffer->secure) {\n explicit_bzero(o.word, sizeof(uint16_t));\n break;\n }\n break;\n case 'd':\n o.dword = va_arg(ap_copy, uint32_t *);\n if (buffer->secure) {\n explicit_bzero(o.dword, sizeof(uint32_t));\n break;\n }\n break;\n 
case 'q':\n o.qword = va_arg(ap_copy, uint64_t *);\n if (buffer->secure) {\n explicit_bzero(o.qword, sizeof(uint64_t));\n break;\n }\n break;\n case 'B':\n o.bignum = va_arg(ap_copy, bignum *);\n bignum_safe_free(*o.bignum);\n break;\n case 'S':\n o.string = va_arg(ap_copy, ssh_string *);\n if (buffer->secure) {\n ssh_string_burn(*o.string);\n }\n SAFE_FREE(*o.string);\n break;\n case 's':\n o.cstring = va_arg(ap_copy, char **);\n if (buffer->secure) {\n explicit_bzero(*o.cstring, strlen(*o.cstring));\n }\n SAFE_FREE(*o.cstring);\n break;\n case 'P':\n len = va_arg(ap_copy, size_t);\n o.data = va_arg(ap_copy, void **);\n if (buffer->secure) {\n explicit_bzero(*o.data, len);\n }\n SAFE_FREE(*o.data);\n break;\n default:\n (void)va_arg(ap_copy, void *);\n break;\n }\n }\n }\n va_end(ap_copy);\n\n return rc;\n}", "project": "libssh-mirror", "hash": 326119674323509013972628163845730928945, "size": 242, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345151 }, { "func": "OPJ_BOOL opj_tcd_init_encode_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,\n opj_event_mgr_t* p_manager)\n{\n return opj_tcd_init_tile(p_tcd, p_tile_no, OPJ_TRUE,\n sizeof(opj_tcd_cblk_enc_t), p_manager);\n}", "project": "openjpeg", "hash": 230012113989698909899657936887144495239, "size": 6, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359175 }, { "func": "static inline void tcp_enable_fack(struct tcp_sock *tp)\n{\n\ttp->rx_opt.sack_ok |= TCP_FACK_ENABLED;\n}", "project": "linux", "hash": 318441773885014473006049725303039606597, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in 
tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410814 }, { "func": "bool WebContents::SendIPCMessage(bool internal,\n bool send_to_all,\n const std::string& channel,\n v8::Local args) {\n blink::CloneableMessage message;\n if (!gin::ConvertFromV8(isolate(), args, &message)) {\n isolate()->ThrowException(v8::Exception::Error(\n gin::StringToV8(isolate(), \"Failed to serialize arguments\")));\n return false;\n }\n return SendIPCMessageWithSender(internal, send_to_all, channel,\n std::move(message));\n}", "project": "electron", "hash": 126284063648054077878236102374110868811, "size": 13, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269720 }, { "func": "static void encode_getattr(struct xdr_stream *xdr,\n\t\tconst __u32 *bitmap, const __u32 *mask, size_t len,\n\t\tstruct compound_hdr *hdr)\n{\n\t__u32 masked_bitmap[nfs4_fattr_bitmap_maxsz];\n\n\tencode_op_hdr(xdr, OP_GETATTR, decode_getattr_maxsz, hdr);\n\tif (mask) {\n\t\tif (WARN_ON_ONCE(len > ARRAY_SIZE(masked_bitmap)))\n\t\t\tlen = ARRAY_SIZE(masked_bitmap);\n\t\tlen = mask_bitmap4(bitmap, mask, masked_bitmap, len);\n\t\tbitmap = masked_bitmap;\n\t}\n\txdr_encode_bitmap4(xdr, bitmap, len);\n}", "project": "linux", "hash": 139702078283096904355722286365272190111, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey 
Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430985 }, { "func": "static int oidc_authorization_request_set_cookie(request_rec *r, oidc_cfg *c,\n\t\tconst char *state, oidc_proto_state_t *proto_state) {\n\t/*\n\t * create a cookie consisting of 8 elements:\n\t * random value, original URL, original method, issuer, response_type, response_mod, prompt and timestamp\n\t * encoded as JSON, encrypting the resulting JSON value\n\t */\n\tchar *cookieValue = oidc_proto_state_to_cookie(r, c, proto_state);\n\tif (cookieValue == NULL)\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\n\t/*\n\t * clean expired state cookies to avoid pollution and optionally\n\t * try to avoid the number of state cookies exceeding a max\n\t */\n\tint number_of_cookies = oidc_clean_expired_state_cookies(r, c, NULL,\n\t\t\toidc_cfg_delete_oldest_state_cookies(c));\n\tint max_number_of_cookies = oidc_cfg_max_number_of_state_cookies(c);\n\tif ((max_number_of_cookies > 0)\n\t\t\t&& (number_of_cookies >= max_number_of_cookies)) {\n\n\t\toidc_warn(r,\n\t\t\t\t\"the number of existing, valid state cookies (%d) has exceeded the limit (%d), no additional authorization request + state cookie can be generated, aborting the request\",\n\t\t\t\tnumber_of_cookies, max_number_of_cookies);\n\t\t/*\n\t\t * TODO: the html_send code below caters for the case that there's a user behind a\n\t\t * browser generating this request, rather than a piece of XHR code; how would an\n\t\t * XHR client handle this?\n\t\t */\n\n\t\t/*\n\t\t * it appears that sending content with a 503 turns the HTTP status code\n\t\t * into a 200 so we'll avoid that for now: the user will see Apache specific\n\t\t * readable text anyway\n\t\t *\n\t\t return oidc_util_html_send_error(r, c->error_template,\n\t\t \"Too Many Outstanding Requests\",\n\t\t apr_psprintf(r->pool,\n\t\t \"No authentication request could be generated since there are too many outstanding 
authentication requests already; you may have to wait up to %d seconds to be able to create a new request\",\n\t\t c->state_timeout),\n\t\t HTTP_SERVICE_UNAVAILABLE);\n\t\t */\n\n\t\treturn HTTP_SERVICE_UNAVAILABLE;\n\t}\n\n\t/* assemble the cookie name for the state cookie */\n\tconst char *cookieName = oidc_get_state_cookie_name(r, state);\n\n\t/* set it as a cookie */\n\toidc_util_set_cookie(r, cookieName, cookieValue, -1,\n\t\t\tOIDC_COOKIE_SAMESITE_LAX(c, r));\n\n\treturn OK;\n}", "project": "mod_auth_openidc", "hash": 219782991475465060535090073946713710867, "size": 55, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381911 }, { "func": "static int oidc_authorization_request_set_cookie(request_rec *r, oidc_cfg *c,\n\t\tconst char *state, oidc_proto_state_t *proto_state) {\n\t/*\n\t * create a cookie consisting of 8 elements:\n\t * random value, original URL, original method, issuer, response_type, response_mod, prompt and timestamp\n\t * encoded as JSON, encrypting the resulting JSON value\n\t */\n\tchar *cookieValue = oidc_proto_state_to_cookie(r, c, proto_state);\n\tif (cookieValue == NULL)\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\n\t/*\n\t * clean expired state cookies to avoid pollution and optionally\n\t * try to avoid the number of state cookies exceeding a max\n\t */\n\tint number_of_cookies = oidc_clean_expired_state_cookies(r, c, NULL,\n\t\t\toidc_cfg_delete_oldest_state_cookies(c));\n\tint max_number_of_cookies = oidc_cfg_max_number_of_state_cookies(c);\n\tif ((max_number_of_cookies > 0)\n\t\t\t&& (number_of_cookies >= max_number_of_cookies)) {\n\n\t\toidc_warn(r,\n\t\t\t\t\"the number of existing, valid state cookies (%d) has exceeded the limit (%d), no additional authorization request + state cookie can be generated, aborting the 
request\",\n\t\t\t\tnumber_of_cookies, max_number_of_cookies);\n\t\t/*\n\t\t * TODO: the html_send code below caters for the case that there's a user behind a\n\t\t * browser generating this request, rather than a piece of XHR code; how would an\n\t\t * XHR client handle this?\n\t\t */\n\n\t\t/*\n\t\t * it appears that sending content with a 503 turns the HTTP status code\n\t\t * into a 200 so we'll avoid that for now: the user will see Apache specific\n\t\t * readable text anyway\n\t\t *\n\t\treturn oidc_util_html_send_error(r, c->error_template,\n\t\t\t\t\"Too Many Outstanding Requests\",\n\t\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\t\"No authentication request could be generated since there are too many outstanding authentication requests already; you may have to wait up to %d seconds to be able to create a new request\",\n\t\t\t\t\t\tc->state_timeout),\n\t\t\t\t\t\tHTTP_SERVICE_UNAVAILABLE);\n\t\t*/\n\n\t\treturn HTTP_SERVICE_UNAVAILABLE;\n\t}\n\n\t/* assemble the cookie name for the state cookie */\n\tconst char *cookieName = oidc_get_state_cookie_name(r, state);\n\n\t/* set it as a cookie */\n\toidc_util_set_cookie(r, cookieName, cookieValue, -1,\n\t\t\tc->cookie_same_site ? 
OIDC_COOKIE_EXT_SAME_SITE_LAX : NULL);\n\n\treturn HTTP_OK;\n}", "project": "mod_auth_openidc", "hash": 170079760762584103057408742329778149572, "size": 55, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447683 }, { "func": "static void fuse_write_args_fill(struct fuse_io_args *ia, struct fuse_file *ff,\n\t\t\t\t loff_t pos, size_t count)\n{\n\tstruct fuse_args *args = &ia->ap.args;\n\n\tia->write.in.fh = ff->fh;\n\tia->write.in.offset = pos;\n\tia->write.in.size = count;\n\targs->opcode = FUSE_WRITE;\n\targs->nodeid = ff->nodeid;\n\targs->in_numargs = 2;\n\tif (ff->fm->fc->minor < 9)\n\t\targs->in_args[0].size = FUSE_COMPAT_WRITE_IN_SIZE;\n\telse\n\t\targs->in_args[0].size = sizeof(ia->write.in);\n\targs->in_args[0].value = &ia->write.in;\n\targs->in_args[1].size = count;\n\targs->out_numargs = 1;\n\targs->out_args[0].size = sizeof(ia->write.out);\n\targs->out_args[0].value = &ia->write.out;\n}", "project": "linux", "hash": 168803808716496158944653564669654330181, "size": 21, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342139 }, { "func": "static OPJ_BOOL opj_tcd_code_block_enc_allocate(opj_tcd_cblk_enc_t *\n p_code_block)\n{\n if (! p_code_block->layers) {\n /* no memset since data */\n p_code_block->layers = (opj_tcd_layer_t*) opj_calloc(100,\n sizeof(opj_tcd_layer_t));\n if (! p_code_block->layers) {\n return OPJ_FALSE;\n }\n }\n if (! p_code_block->passes) {\n p_code_block->passes = (opj_tcd_pass_t*) opj_calloc(100,\n sizeof(opj_tcd_pass_t));\n if (! p_code_block->passes) {\n return OPJ_FALSE;\n }\n }\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 230856815831030897250332891515279083285, "size": 20, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359173 }, { "func": "static void gprinter_free_inst(struct usb_function_instance *f)\n{\n\tstruct f_printer_opts *opts;\n\n\topts = container_of(f, struct f_printer_opts, func_inst);\n\n\tmutex_lock(&printer_ida_lock);\n\n\tgprinter_put_minor(opts->minor);\n\tif (ida_is_empty(&printer_ida))\n\t\tgprinter_cleanup();\n\n\tmutex_unlock(&printer_ida_lock);\n\n\tif (opts->pnp_string_allocated)\n\t\tkfree(opts->pnp_string);\n\tkfree(opts);\n}", "project": "linux", "hash": 116122611746962652206741108019138126206, "size": 18, "commit_id": "e8d5f92b8d30bb4ade76494490c3c065e12411b1", "message": "usb: gadget: function: printer: fix use-after-free in __lock_acquire\n\nFix this by increase object reference count.\n\nBUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180\nkernel/locking/lockdep.c:3831\nRead of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377\n\nCPU: 1 PID: 3377 
Comm: syz-executor.0 Not tainted 5.6.11 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xce/0x128 lib/dump_stack.c:118\n print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374\n __kasan_report+0x131/0x1b0 mm/kasan/report.c:506\n kasan_report+0x12/0x20 mm/kasan/common.c:641\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135\n __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831\n lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0xfb/0x130 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x4531a9\nCode: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9\nRDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003\nRBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61\nR13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff\n\nAllocated by task 2393:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515\n kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529\n kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813\n kmalloc 
include/linux/slab.h:555 [inline]\n kzalloc include/linux/slab.h:669 [inline]\n gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416\n usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61\n config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444\n configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202\n vfs_symlink+0x33d/0x5b0 fs/namei.c:4201\n do_symlinkat+0x11b/0x1d0 fs/namei.c:4228\n __do_sys_symlinkat fs/namei.c:4242 [inline]\n __se_sys_symlinkat fs/namei.c:4239 [inline]\n __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nFreed by task 3368:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n kasan_set_free_info mm/kasan/common.c:337 [inline]\n __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476\n kasan_slab_free+0xe/0x10 mm/kasan/common.c:485\n slab_free_hook mm/slub.c:1444 [inline]\n slab_free_freelist_hook mm/slub.c:1477 [inline]\n slab_free mm/slub.c:3034 [inline]\n kfree+0xf7/0x410 mm/slub.c:3995\n gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353\n usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87\n config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485\n configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250\n vfs_unlink+0x287/0x570 fs/namei.c:4073\n do_unlinkat+0x4f9/0x620 fs/namei.c:4137\n __do_sys_unlink fs/namei.c:4184 [inline]\n __se_sys_unlink fs/namei.c:4182 [inline]\n __x64_sys_unlink+0x42/0x50 fs/namei.c:4182\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nThe buggy address belongs to the object at ffff8880683b0000\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 24 bytes inside of\n 1024-byte region [ffff8880683b0000, ffff8880683b0400)\nThe buggy address belongs to the page:\npage:ffffea0001a0ec00 refcount:1 mapcount:0 
mapping:ffff88806c00e300\nindex:0xffff8880683b1800 compound_mapcount: 0\nflags: 0x100000000010200(slab|head)\nraw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300\nraw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nSigned-off-by: Felipe Balbi ", "target": 0, "dataset": "other", "idx": 389356 }, { "func": "static void hci_cc_read_data_block_size(struct hci_dev *hdev,\n\t\t\t\t\tstruct sk_buff *skb)\n{\n\tstruct hci_rp_read_data_block_size *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->block_mtu = __le16_to_cpu(rp->max_acl_len);\n\thdev->block_len = __le16_to_cpu(rp->block_len);\n\thdev->num_blocks = __le16_to_cpu(rp->num_blocks);\n\n\thdev->block_cnt = hdev->num_blocks;\n\n\tBT_DBG(\"%s blk mtu %d cnt %d len %d\", hdev->name, hdev->block_mtu,\n\t hdev->block_cnt, hdev->block_len);\n}", "project": "linux", "hash": 4766836271438724171464705138642500398, "size": 19, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432014 }, { "func": "static void hci_cc_read_local_oob_data(struct hci_dev *hdev,\n\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_read_local_oob_data *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n}", "project": "linux", "hash": 201173338632578010076656390311247399643, "size": 7, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431962 }, { "func": "static int enable_smi_window(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (!gif_set(svm)) {\n\t\tif (vgif_enabled(svm))\n\t\t\tset_intercept(svm, INTERCEPT_STGI);\n\t\t/* STGI will cause a vm exit */\n\t\treturn 1;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 270342376980480331251210425268045823350, "size": 12, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432633 }, { "func": "void fuse_set_nowrite(struct inode *inode)\n{\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\n\tBUG_ON(!inode_is_locked(inode));\n\n\tspin_lock(&fi->lock);\n\tBUG_ON(fi->writectr < 0);\n\tfi->writectr += FUSE_NOWRITE;\n\tspin_unlock(&fi->lock);\n\twait_event(fi->page_waitq, fi->writectr == FUSE_NOWRITE);\n}", "project": "linux", "hash": 167114056200763956957312909657618322102, "size": 12, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342085 }, { "func": "inline static void gdImageSetAAPixelColor(gdImagePtr im, int x, int y, int color, int t)\n{\n\tint dr,dg,db,p,r,g,b;\n\tdr = gdTrueColorGetRed(color);\n\tdg = gdTrueColorGetGreen(color);\n\tdb = gdTrueColorGetBlue(color);\n\n\tp = gdImageGetPixel(im,x,y);\n\tr = gdTrueColorGetRed(p);\n\tg = gdTrueColorGetGreen(p);\n\tb = gdTrueColorGetBlue(p);\n\n\tBLEND_COLOR(t, dr, r, dr);\n\tBLEND_COLOR(t, dg, g, dg);\n\tBLEND_COLOR(t, db, b, db);\n\tim->tpixels[y][x]=gdTrueColorAlpha(dr, dg, db, gdAlphaOpaque);\n}", "project": "php-src", "hash": 211104644967794463259998400208450127634, "size": 17, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295127 }, { "func": "void kvm_sigset_activate(struct kvm_vcpu *vcpu)\n{\n\tif (!vcpu->sigset_active)\n\t\treturn;\n\n\t/*\n\t * This does a lockless modification of ->real_blocked, which is fine\n\t * because, only current can change ->real_blocked and all readers of\n\t * ->real_blocked don't care as long ->real_blocked is always a subset\n\t * of ->blocked.\n\t */\n\tsigprocmask(SIG_SETMASK, &vcpu->sigset, ¤t->real_blocked);\n}", "project": "linux", "hash": 286871643942236612892830672550562966941, "size": 13, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of 
s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354678 }, { "func": "static void kvm_s390_vcpu_setup_model(struct kvm_vcpu *vcpu)\n{\n\tstruct kvm_s390_cpu_model *model = &vcpu->kvm->arch.model;\n\n\tvcpu->arch.sie_block->ibc = model->ibc;\n\tif (test_kvm_facility(vcpu->kvm, 7))\n\t\tvcpu->arch.sie_block->fac = (u32)(u64) model->fac_list;\n}", "project": "linux", "hash": 287129500446428470921792714411873139916, "size": 8, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354679 }, { "func": "static inline __init int register_snapshot_cmd(void) { return 0; }", "project": "linux", "hash": 104709016675497330192130097756393942337, "size": 1, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths 
may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445541 }, { "func": "static __init int register_snapshot_cmd(void)\n{\n\treturn register_ftrace_command(&ftrace_snapshot_cmd);\n}", "project": "linux", "hash": 260126472777639130312920953525957614559, "size": 4, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445626 }, { "func": "R_API int r_str_replace_char_once(char *s, int a, int b) {\n\treturn r_str_replace_ch (s, a, b, false);\n}", "project": "radare2", "hash": 164467729443966549979307714180123567187, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268980 }, { "func": "static char* print_cipher(ndpi_cipher_weakness c) {\n switch(c) {\n case ndpi_cipher_insecure:\n return(\" (INSECURE)\");\n break;\n\n case ndpi_cipher_weak:\n return(\" (WEAK)\");\n break;\n\n default:\n return(\"\");\n }\n}", "project": "nDPI", "hash": 333054213513044045058711995458805817707, "size": 14, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254815 }, { "func": "static OPJ_BOOL opj_j2k_read_sod(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager\n )\n{\n OPJ_SIZE_T l_current_read_size;\n opj_codestream_index_t * l_cstr_index = 00;\n OPJ_BYTE ** l_current_data = 00;\n opj_tcp_t * l_tcp = 00;\n OPJ_UINT32 * l_tile_len = 00;\n OPJ_BOOL l_sot_length_pb_detected = OPJ_FALSE;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n l_tcp = &(p_j2k->m_cp.tcps[p_j2k->m_current_tile_number]);\n\n if (p_j2k->m_specific_param.m_decoder.m_last_tile_part) {\n /* opj_stream_get_number_byte_left returns OPJ_OFF_T\n // but we are in the last tile part,\n // so its result will fit on OPJ_UINT32 unless we find\n // a file with a single tile part of more than 4 GB...*/\n 
p_j2k->m_specific_param.m_decoder.m_sot_length = (OPJ_UINT32)(\n opj_stream_get_number_byte_left(p_stream) - 2);\n } else {\n /* Check to avoid pass the limit of OPJ_UINT32 */\n if (p_j2k->m_specific_param.m_decoder.m_sot_length >= 2) {\n p_j2k->m_specific_param.m_decoder.m_sot_length -= 2;\n } else {\n /* MSD: case commented to support empty SOT marker (PHR data) */\n }\n }\n\n l_current_data = &(l_tcp->m_data);\n l_tile_len = &l_tcp->m_data_size;\n\n /* Patch to support new PHR data */\n if (p_j2k->m_specific_param.m_decoder.m_sot_length) {\n /* If we are here, we'll try to read the data after allocation */\n /* Check enough bytes left in stream before allocation */\n if ((OPJ_OFF_T)p_j2k->m_specific_param.m_decoder.m_sot_length >\n opj_stream_get_number_byte_left(p_stream)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Tile part length size inconsistent with stream length\\n\");\n return OPJ_FALSE;\n }\n if (p_j2k->m_specific_param.m_decoder.m_sot_length >\n UINT_MAX - OPJ_COMMON_CBLK_DATA_EXTRA) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"p_j2k->m_specific_param.m_decoder.m_sot_length > \"\n \"UINT_MAX - OPJ_COMMON_CBLK_DATA_EXTRA\");\n return OPJ_FALSE;\n }\n /* Add a margin of OPJ_COMMON_CBLK_DATA_EXTRA to the allocation we */\n /* do so that opj_mqc_init_dec_common() can safely add a synthetic */\n /* 0xFFFF marker. */\n if (! *l_current_data) {\n /* LH: oddly enough, in this path, l_tile_len!=0.\n * TODO: If this was consistent, we could simplify the code to only use realloc(), as realloc(0,...) 
default to malloc(0,...).\n */\n *l_current_data = (OPJ_BYTE*) opj_malloc(\n p_j2k->m_specific_param.m_decoder.m_sot_length + OPJ_COMMON_CBLK_DATA_EXTRA);\n } else {\n OPJ_BYTE *l_new_current_data;\n if (*l_tile_len > UINT_MAX - OPJ_COMMON_CBLK_DATA_EXTRA -\n p_j2k->m_specific_param.m_decoder.m_sot_length) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"*l_tile_len > UINT_MAX - OPJ_COMMON_CBLK_DATA_EXTRA - \"\n \"p_j2k->m_specific_param.m_decoder.m_sot_length\");\n return OPJ_FALSE;\n }\n\n l_new_current_data = (OPJ_BYTE *) opj_realloc(*l_current_data,\n *l_tile_len + p_j2k->m_specific_param.m_decoder.m_sot_length +\n OPJ_COMMON_CBLK_DATA_EXTRA);\n if (! l_new_current_data) {\n opj_free(*l_current_data);\n /*nothing more is done as l_current_data will be set to null, and just\n afterward we enter in the error path\n and the actual tile_len is updated (committed) at the end of the\n function. */\n }\n *l_current_data = l_new_current_data;\n }\n\n if (*l_current_data == 00) {\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to decode tile\\n\");\n return OPJ_FALSE;\n }\n } else {\n l_sot_length_pb_detected = OPJ_TRUE;\n }\n\n /* Index */\n l_cstr_index = p_j2k->cstr_index;\n if (l_cstr_index) {\n OPJ_OFF_T l_current_pos = opj_stream_tell(p_stream) - 2;\n\n OPJ_UINT32 l_current_tile_part =\n l_cstr_index->tile_index[p_j2k->m_current_tile_number].current_tpsno;\n l_cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index[l_current_tile_part].end_header\n =\n l_current_pos;\n l_cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index[l_current_tile_part].end_pos\n =\n l_current_pos + p_j2k->m_specific_param.m_decoder.m_sot_length + 2;\n\n if (OPJ_FALSE == opj_j2k_add_tlmarker(p_j2k->m_current_tile_number,\n l_cstr_index,\n J2K_MS_SOD,\n l_current_pos,\n p_j2k->m_specific_param.m_decoder.m_sot_length + 2)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to add tl marker\\n\");\n return OPJ_FALSE;\n }\n\n /*l_cstr_index->packno = 0;*/\n }\n\n /* 
Patch to support new PHR data */\n if (!l_sot_length_pb_detected) {\n l_current_read_size = opj_stream_read_data(\n p_stream,\n *l_current_data + *l_tile_len,\n p_j2k->m_specific_param.m_decoder.m_sot_length,\n p_manager);\n } else {\n l_current_read_size = 0;\n }\n\n if (l_current_read_size != p_j2k->m_specific_param.m_decoder.m_sot_length) {\n p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_NEOC;\n } else {\n p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_TPHSOT;\n }\n\n *l_tile_len += (OPJ_UINT32)l_current_read_size;\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 103299010359441668930828819585717026601, "size": 142, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357425 }, { "func": "void mmput(struct mm_struct *mm)\n{\n\tmight_sleep();\n\n\tif (atomic_dec_and_test(&mm->mm_users))\n\t\t__mmput(mm);\n}", "project": "linux", "hash": 267348185149962034098753073434497058656, "size": 7, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293660 }, { "func": "static void autocomplete_process_path(RLineCompletion *completion, const char *str, const char *path) {\n\tchar *lpath = NULL, *dirname = NULL , *basename = NULL;\n\tchar *home = NULL, *filename = NULL, *p = NULL;\n\tint n = 0;\n\tRList *list;\n\tRListIter *iter;\n\n\tif (!path) {\n\t\tgoto out;\n\t}\n\n\tlpath = r_str_new (path);\n#if __WINDOWS__\n\tr_str_replace_ch (lpath, '/', '\\\\', true);\n#endif\n\tp = (char *)r_str_last (lpath, R_SYS_DIR);\n\tif (p) 
{\n\t\t*p = 0;\n\t\tif (p == lpath) { // /xxx\n#if __WINDOWS__\n\t\t\tdirname = strdup (\"\\\\.\\\\\");\n#else\n\t\t\tdirname = r_str_new (R_SYS_DIR);\n#endif\n\t\t} else if (lpath[0] == '~' && lpath[1]) { // ~/xxx/yyy\n\t\t\tdirname = r_str_home (lpath + 2);\n\t\t} else if (lpath[0] == '~') { // ~/xxx\n\t\t\tif (!(home = r_str_home (NULL))) {\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tdirname = r_str_newf (\"%s%s\", home, R_SYS_DIR);\n\t\t\tfree (home);\n\t\t} else if (lpath[0] == '.' || lpath[0] == R_SYS_DIR[0] ) { // ./xxx/yyy || /xxx/yyy\n\t\t\tdirname = r_str_newf (\"%s%s\", lpath, R_SYS_DIR);\n\t\t} else { // xxx/yyy\n\t\t\tchar *fmt = \".%s%s%s\";\n#if __WINDOWS__\n\t\t\tif (strchr (path, ':')) {\n\t\t\t\tfmt = \"%.0s%s%s\";\n\t\t\t}\n#endif\n\t\t\tdirname = r_str_newf (fmt, R_SYS_DIR, lpath, R_SYS_DIR);\n\t\t}\n\t\tbasename = r_str_new (p + 1);\n\t} else { // xxx\n\t\tdirname = r_str_newf (\".%s\", R_SYS_DIR);\n\t\tbasename = r_str_new (lpath);\n\t}\n\n\tif (!dirname || !basename) {\n\t\tgoto out;\n\t}\n\n\tlist= r_sys_dir (dirname);\n\tn = strlen (basename);\n\tbool chgdir = !strncmp (str, \"cd \", 3);\n\tif (list) {\n\t\tr_list_foreach (list, iter, filename) {\n\t\t\tif (*filename == '.') {\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (!basename[0] || !strncmp (filename, basename, n)) {\n\t\t\t\tchar *tmpstring = r_str_newf (\"%s%s\", dirname, filename);\n\t\t\t\tif (r_file_is_directory (tmpstring)) {\n\t\t\t\t\tchar *s = r_str_newf (\"%s%s\", tmpstring, R_SYS_DIR);\n\t\t\t\t\tr_line_completion_push (completion, s);\n\t\t\t\t\tfree (s);\n\t\t\t\t} else if (!chgdir) {\n\t\t\t\t\tr_line_completion_push (completion, tmpstring);\n\t\t\t\t}\n\t\t\t\tfree (tmpstring);\n\t\t\t}\n\t\t}\n\t\tr_list_free (list);\n\t}\nout:\n\tfree (lpath);\n\tfree (dirname);\n\tfree (basename);\n}", "project": "radare2", "hash": 323949318309512785256381740325492535478, "size": 80, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free 
(#16318)", "target": 0, "dataset": "other", "idx": 232121 }, { "func": "}\n\nstatic int\niscsi_tgt_dscvr(struct iscsi_transport *transport,\n\t\tstruct iscsi_uevent *ev)\n{\n\tstruct Scsi_Host *shost;\n\tstruct sockaddr *dst_addr;\n\tint err;\n\n\tif (!transport->tgt_dscvr)\n\t\treturn -EINVAL;\n\n\tshost = scsi_host_lookup(ev->u.tgt_dscvr.host_no);\n\tif (!shost) {\n\t\tprintk(KERN_ERR \"target discovery could not find host no %u\\n\",\n\t\t ev->u.tgt_dscvr.host_no);\n\t\treturn -ENODEV;\n\t}\n\n\n\tdst_addr = (struct sockaddr *)((char*)ev + sizeof(*ev));\n\terr = transport->tgt_dscvr(shost, ev->u.tgt_dscvr.type,\n\t\t\t\t ev->u.tgt_dscvr.enable, dst_addr);", "project": "linux", "hash": 117045133168963248683854419254088214976, "size": 24, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379920 }, { "func": "static void tipc_node_write_lock(struct tipc_node *n)\n{\n\twrite_lock_bh(&n->lock);\n}", "project": "linux", "hash": 329287218683220741852031912317732481138, "size": 4, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg 
net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 
[inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364968 }, { "func": "void tty_kclose(struct tty_struct *tty)\n{\n\t/*\n\t * Ask the line discipline code to release its structures\n\t */\n\ttty_ldisc_release(tty);\n\n\t/* Wait for pending work before tty destruction commmences */\n\ttty_flush_works(tty);\n\n\ttty_debug_hangup(tty, \"freeing structure\\n\");\n\t/*\n\t * The release_tty function takes care of the details of clearing\n\t * the slots and preserving the termios structure.\n\t */\n\tmutex_lock(&tty_mutex);\n\ttty_port_set_kopened(tty->port, 0);\n\trelease_tty(tty, tty->index);\n\tmutex_unlock(&tty_mutex);\n}", "project": "linux", "hash": 138692642064310672522730413453645177538, "size": 20, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. 
(Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326051 }, { "func": "void __start_tty(struct tty_struct *tty)\n{\n\tif (!tty->stopped || tty->flow_stopped)\n\t\treturn;\n\ttty->stopped = 0;\n\tif (tty->ops->start)\n\t\ttty->ops->start(tty);\n\ttty_wakeup(tty);\n}", "project": "linux", "hash": 4012949153144240087868122760687350997, "size": 9, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. 
(Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325952 }, { "func": "static void tcp_mtup_probe_success(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct inet_connection_sock *icsk = inet_csk(sk);\n\n\t/* FIXME: breaks with very large cwnd */\n\ttp->prior_ssthresh = tcp_current_ssthresh(sk);\n\ttp->snd_cwnd = tp->snd_cwnd *\n\t\t tcp_mss_to_mtu(sk, tp->mss_cache) /\n\t\t icsk->icsk_mtup.probe_size;\n\ttp->snd_cwnd_cnt = 0;\n\ttp->snd_cwnd_stamp = tcp_time_stamp;\n\ttp->snd_ssthresh = tcp_current_ssthresh(sk);\n\n\ticsk->icsk_mtup.search_low = icsk->icsk_mtup.probe_size;\n\ticsk->icsk_mtup.probe_size = 0;\n\ttcp_sync_mss(sk, icsk->icsk_pmtu_cookie);\n}", "project": "net-next", "hash": 218963676624803440659283646574256295516, "size": 18, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes 
SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409916 }, { "func": " Item_iterator_row(Item *base) : base_item(base), current(0) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 315064114395241385993514917804300423170, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509061 }, { "func": "static void nfs4_xdr_enc_renew(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t const void *data)\n\n{\n\tconst struct nfs_client *clp = data;\n\tstruct compound_hdr hdr = {\n\t\t.nops\t= 0,\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_renew(xdr, clp->cl_clientid, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 239939988679345867134210543159368206779, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431017 }, { "func": "\nstatic void bfq_insert_requests(struct blk_mq_hw_ctx *hctx,\n\t\t\t\tstruct list_head *list, bool at_head)\n{\n\twhile (!list_empty(list)) {\n\t\tstruct request *rq;\n\n\t\trq = list_first_entry(list, struct request, queuelist);\n\t\tlist_del_init(&rq->queuelist);\n\t\tbfq_insert_request(hctx, rq, at_head);\n\t}", "project": "linux", "hash": 48444941598194738257369394565680202524, "size": 11, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. 
So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] 
bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 
mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453329 }, { "func": "void CWebSock::GetAvailSkins(VCString& vRet) const {\n vRet.clear();\n\n CString sRoot(GetSkinPath(\"_default_\"));\n\n sRoot.TrimRight(\"/\");\n sRoot.TrimRight(\"_default_\");\n sRoot.TrimRight(\"/\");\n\n if (!sRoot.empty()) {\n sRoot += \"/\";\n }\n\n if (!sRoot.empty() && CFile::IsDir(sRoot)) {\n CDir Dir(sRoot);\n\n for (const CFile* pSubDir : Dir) {\n if (pSubDir->IsDir() && pSubDir->GetShortName() == \"_default_\") {\n vRet.push_back(pSubDir->GetShortName());\n break;\n }\n 
}\n\n for (const CFile* pSubDir : Dir) {\n if (pSubDir->IsDir() && pSubDir->GetShortName() != \"_default_\" &&\n pSubDir->GetShortName() != \".svn\") {\n vRet.push_back(pSubDir->GetShortName());\n }\n }\n }\n}", "project": "znc", "hash": 102792594992372709205934559139145801156, "size": 31, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265796 }, { "func": "static int sctp_setsockopt_fragment_interleave(struct sock *sk, int *val,\n\t\t\t\t\t unsigned int optlen)\n{\n\tif (optlen != sizeof(int))\n\t\treturn -EINVAL;\n\n\tsctp_sk(sk)->frag_interleave = !!*val;\n\n\tif (!sctp_sk(sk)->frag_interleave)\n\t\tsctp_sk(sk)->ep->intl_enable = 0;\n\n\treturn 0;\n}", "project": "linux", "hash": 23424929722019602493671103879995780998, "size": 13, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398170 }, { "func": "static void tipc_node_calculate_timer(struct tipc_node *n, struct tipc_link *l)\n{\n\tunsigned long tol = tipc_link_tolerance(l);\n\tunsigned long intv = ((tol / 4) > 500) ? 500 : tol / 4;\n\n\t/* Link with lowest tolerance determines timer interval */\n\tif (intv < n->keepalive_intv)\n\t\tn->keepalive_intv = intv;\n\n\t/* Ensure link's abort limit corresponds to current tolerance */\n\ttipc_link_set_abort_limit(l, tol / n->keepalive_intv);\n}", "project": "linux", "hash": 123914334988227007376994022046542434562, "size": 12, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n 
netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n 
netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364969 }, { "func": "static int _nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle,\n\t\tstruct nfs_fsinfo *fsinfo)\n{\n\tstruct nfs4_fsinfo_arg args = {\n\t\t.fh = fhandle,\n\t\t.bitmask = server->attr_bitmask,\n\t};\n\tstruct nfs4_fsinfo_res res = {\n\t\t.fsinfo = fsinfo,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_FSINFO],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t};\n\n\treturn nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);\n}", "project": "linux", "hash": 315886923901609517254941233367288833064, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell 
\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431217 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "void WebGraphicsContext3DDefaultImpl::flipVertically(unsigned char* framebuffer,\n unsigned int width,\n unsigned int height)\n{\n unsigned char* scanline = m_scanline;\n if (!scanline)\n return;\n unsigned int rowBytes = width * 4;\n unsigned int count = height / 2;\n for (unsigned int i = 0; i < count; i++) {\n unsigned char* rowA = framebuffer + i * rowBytes;\n unsigned char* rowB = framebuffer + (height - i - 1) * rowBytes;\n memcpy(scanline, rowB, rowBytes);\n memcpy(rowB, rowA, rowBytes);\n memcpy(rowA, scanline, rowBytes);\n }\n}\n", "cwe": "", "big_vul_idx": 98993, "idx": 89050, "hash": 140870444781241311745265638293863113959 }, { "func": "double table_cond_selectivity(JOIN *join, uint idx, JOIN_TAB *s,\n table_map rem_tables)\n{\n uint16 ref_keyuse_steps_buf[MAX_REF_PARTS];\n uint ref_keyuse_size= MAX_REF_PARTS;\n uint16 *ref_keyuse_steps= ref_keyuse_steps_buf;\n Field *field;\n TABLE *table= s->table;\n MY_BITMAP *read_set= table->read_set;\n double sel= s->table->cond_selectivity;\n POSITION *pos= &join->positions[idx];\n uint keyparts= 0;\n uint found_part_ref_or_null= 0;\n\n if (pos->key != 0)\n {\n /* \n A ref access or hash join is used for this table. ref access is created\n from\n\n tbl.keypart1=expr1 AND tbl.keypart2=expr2 AND ...\n \n and it will only return rows for which this condition is satisified.\n Suppose, certain expr{i} is a constant. Since ref access only returns\n rows that satisfy\n \n tbl.keypart{i}=const (*)\n\n then selectivity of this equality should not be counted in return value \n of this function. This function uses the value of \n \n table->cond_selectivity=selectivity(COND(tbl)) (**)\n \n as a starting point. This value includes selectivity of equality (*). 
We\n should somehow discount it. \n \n Looking at calculate_cond_selectivity_for_table(), one can see that that\n the value is not necessarily a direct multiplicand in \n table->cond_selectivity\n\n There are three possible ways to discount\n 1. There is a potential range access on t.keypart{i}=const. \n (an important special case: the used ref access has a const prefix for\n which a range estimate is available)\n \n 2. The field has a histogram. field[x]->cond_selectivity has the data.\n \n 3. Use index stats on this index:\n rec_per_key[key_part+1]/rec_per_key[key_part]\n\n (TODO: more details about the \"t.key=othertable.col\" case)\n */\n KEYUSE *keyuse= pos->key;\n KEYUSE *prev_ref_keyuse= keyuse;\n uint key= keyuse->key;\n bool used_range_selectivity= false;\n \n /*\n Check if we have a prefix of key=const that matches a quick select.\n */\n if (!is_hash_join_key_no(key) && table->quick_keys.is_set(key))\n {\n key_part_map quick_key_map= (key_part_map(1) << table->quick_key_parts[key]) - 1;\n if (table->quick_rows[key] && \n !(quick_key_map & ~table->const_key_parts[key]))\n {\n /* \n Ok, there is an equality for each of the key parts used by the\n quick select. This means, quick select's estimate can be reused to\n discount the selectivity of a prefix of a ref access.\n */\n for (; quick_key_map & 1 ; quick_key_map>>= 1)\n {\n while (keyuse->table == table && keyuse->key == key && \n keyuse->keypart == keyparts)\n {\n keyuse++;\n }\n keyparts++;\n }\n /*\n Here we discount selectivity of the constant range CR. To calculate\n this selectivity we use elements from the quick_rows[] array.\n If we have indexes i1,...,ik with the same prefix compatible\n with CR any of the estimate quick_rows[i1], ... quick_rows[ik] could\n be used for this calculation but here we don't know which one was\n actually used. 
So sel could be greater than 1 and we have to cap it.\n However if sel becomes greater than 2 then with high probability\n something went wrong.\n\t*/\n sel /= (double)table->quick_rows[key] / (double) table->stat_records();\n set_if_smaller(sel, 1.0);\n used_range_selectivity= true;\n }\n }\n \n /*\n Go through the \"keypart{N}=...\" equalities and find those that were\n already taken into account in table->cond_selectivity.\n */\n keyuse= pos->key;\n keyparts=0;\n while (keyuse->table == table && keyuse->key == key)\n {\n if (!(keyuse->used_tables & (rem_tables | table->map)))\n {\n if (are_tables_local(s, keyuse->val->used_tables()))\n\t{\n if (is_hash_join_key_no(key))\n\t {\n if (keyparts == keyuse->keypart)\n keyparts++;\n }\n else\n\t {\n if (keyparts == keyuse->keypart &&\n !((keyuse->val->used_tables()) & ~pos->ref_depend_map) &&\n !(found_part_ref_or_null & keyuse->optimize))\n\t {\n /* Found a KEYUSE object that will be used by ref access */\n keyparts++;\n found_part_ref_or_null|= keyuse->optimize & ~KEY_OPTIMIZE_EQ;\n }\n }\n\n if (keyparts > keyuse->keypart)\n\t {\n /* Ok this is the keyuse that will be used for ref access */\n if (!used_range_selectivity && keyuse->val->const_item())\n { \n uint fldno;\n if (is_hash_join_key_no(key))\n fldno= keyuse->keypart;\n else\n fldno= table->key_info[key].key_part[keyparts-1].fieldnr - 1;\n\n if (table->field[fldno]->cond_selectivity > 0)\n\t { \n sel /= table->field[fldno]->cond_selectivity;\n set_if_smaller(sel, 1.0);\n }\n /* \n TODO: we could do better here:\n 1. cond_selectivity might be =1 (the default) because quick \n select on some index prevented us from analyzing \n histogram for this column.\n 2. 
we could get an estimate through this?\n rec_per_key[key_part-1] / rec_per_key[key_part]\n */\n }\n if (keyparts > 1)\n\t {\n /*\n Prepare to set ref_keyuse_steps[keyparts-2]: resize the array\n if it is not large enough\n */\n if (keyparts - 2 >= ref_keyuse_size)\n {\n uint new_size= MY_MAX(ref_keyuse_size*2, keyparts);\n void *new_buf;\n if (!(new_buf= my_malloc(sizeof(*ref_keyuse_steps)*new_size,\n MYF(0))))\n {\n sel= 1.0; // As if no selectivity was computed\n goto exit;\n }\n memcpy(new_buf, ref_keyuse_steps,\n sizeof(*ref_keyuse_steps)*ref_keyuse_size);\n if (ref_keyuse_steps != ref_keyuse_steps_buf)\n my_free(ref_keyuse_steps);\n\n ref_keyuse_steps= (uint16*)new_buf;\n ref_keyuse_size= new_size;\n }\n\n ref_keyuse_steps[keyparts-2]= (uint16)(keyuse - prev_ref_keyuse);\n prev_ref_keyuse= keyuse;\n }\n }\n\t}\n }\n keyuse++;\n }\n }\n else\n {\n /*\n The table is accessed with full table scan, or quick select.\n Selectivity of COND(table) is already accounted for in \n matching_candidates_in_table().\n */\n sel= 1;\n }\n\n /* \n If the field f from the table is equal to a field from one the\n earlier joined tables then the selectivity of the range conditions\n over the field f must be discounted.\n\n We need to discount selectivity only if we're using ref-based \n access method (and have sel!=1).\n If we use ALL/range/index_merge, then sel==1, and no need to discount.\n */\n if (pos->key != NULL)\n {\n for (Field **f_ptr=table->field ; (field= *f_ptr) ; f_ptr++)\n {\n if (!bitmap_is_set(read_set, field->field_index) ||\n !field->next_equal_field)\n continue; \n for (Field *next_field= field->next_equal_field; \n next_field != field; \n next_field= next_field->next_equal_field)\n {\n if (!(next_field->table->map & rem_tables) && next_field->table != table)\n { \n if (field->cond_selectivity > 0)\n\t {\n sel/= field->cond_selectivity;\n set_if_smaller(sel, 1.0);\n }\n break;\n }\n }\n }\n }\n\n sel*= table_multi_eq_cond_selectivity(join, idx, s, rem_tables,\n 
keyparts, ref_keyuse_steps);\nexit:\n if (ref_keyuse_steps != ref_keyuse_steps_buf)\n my_free(ref_keyuse_steps);\n return sel;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 90313163573283483810532527187610437021, "size": 234, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508745 }, { "func": "static inline bool si_fromuser(const struct kernel_siginfo *info)\n{\n\treturn info == SEND_SIG_NOINFO ||\n\t\t(!is_si_special(info) && SI_FROMUSER(info));\n}", "project": "linux", "hash": 136449302543562573290440358363122978607, "size": 5, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375294 }, { "func": "UnicodeString::cloneArrayIfNeeded(int32_t newCapacity,\n int32_t growCapacity,\n UBool doCopyArray,\n int32_t **pBufferToDelete,\n UBool forceClone) {\n // default parameters need to be static, therefore\n // the defaults are -1 to have convenience defaults\n if(newCapacity == -1) {\n newCapacity = getCapacity();\n }\n\n // while a getBuffer(minCapacity) is \"open\",\n // prevent any modifications of the string by returning FALSE here\n // if the string is bogus, then only an assignment or similar can revive it\n if(!isWritable()) {\n return FALSE;\n }\n\n /*\n * We need to make a copy of the array if\n * the buffer is read-only, or\n * the buffer is refCounted (shared), and refCount>1, or\n * the buffer is too small.\n * Return FALSE if memory could not be allocated.\n */\n if(forceClone ||\n fUnion.fFields.fLengthAndFlags & kBufferIsReadonly ||\n (fUnion.fFields.fLengthAndFlags & kRefCounted && refCount() > 1) ||\n newCapacity > getCapacity()\n ) {\n // check growCapacity for default value and use of the stack buffer\n if(growCapacity < 0) {\n growCapacity = newCapacity;\n } else if(newCapacity <= US_STACKBUF_SIZE && growCapacity > US_STACKBUF_SIZE) {\n growCapacity = US_STACKBUF_SIZE;\n }\n\n // save old values\n UChar oldStackBuffer[US_STACKBUF_SIZE];\n UChar *oldArray;\n int32_t oldLength = length();\n int16_t flags = fUnion.fFields.fLengthAndFlags;\n\n if(flags&kUsingStackBuffer) {\n U_ASSERT(!(flags&kRefCounted)); /* kRefCounted and kUsingStackBuffer are mutally exclusive */\n if(doCopyArray && growCapacity > US_STACKBUF_SIZE) {\n // copy the stack buffer contents because it will be overwritten with\n // fUnion.fFields values\n us_arrayCopy(fUnion.fStackFields.fBuffer, 0, oldStackBuffer, 0, oldLength);\n oldArray = oldStackBuffer;\n } else {\n oldArray = NULL; // no need to copy from the stack buffer to itself\n }\n } else {\n oldArray = fUnion.fFields.fArray;\n 
U_ASSERT(oldArray!=NULL); /* when stack buffer is not used, oldArray must have a non-NULL reference */\n }\n\n // allocate a new array\n if(allocate(growCapacity) ||\n (newCapacity < growCapacity && allocate(newCapacity))\n ) {\n if(doCopyArray) {\n // copy the contents\n // do not copy more than what fits - it may be smaller than before\n int32_t minLength = oldLength;\n newCapacity = getCapacity();\n if(newCapacity < minLength) {\n minLength = newCapacity;\n }\n if(oldArray != NULL) {\n us_arrayCopy(oldArray, 0, getArrayStart(), 0, minLength);\n }\n setLength(minLength);\n } else {\n setZeroLength();\n }\n\n // release the old array\n if(flags & kRefCounted) {\n // the array is refCounted; decrement and release if 0\n u_atomic_int32_t *pRefCount = ((u_atomic_int32_t *)oldArray - 1);\n if(umtx_atomic_dec(pRefCount) == 0) {\n if(pBufferToDelete == 0) {\n // Note: cast to (void *) is needed with MSVC, where u_atomic_int32_t\n // is defined as volatile. (Volatile has useful non-standard behavior\n // with this compiler.)\n uprv_free((void *)pRefCount);\n } else {\n // the caller requested to delete it himself\n *pBufferToDelete = (int32_t *)pRefCount;\n }\n }\n }\n } else {\n // not enough memory for growCapacity and not even for the smaller newCapacity\n // reset the old values for setToBogus() to release the array\n if(!(flags&kUsingStackBuffer)) {\n fUnion.fFields.fArray = oldArray;\n }\n fUnion.fFields.fLengthAndFlags = flags;\n setToBogus();\n return FALSE;\n }\n }\n return TRUE;\n}", "project": "icu", "hash": 221729827372075864304116448596169442941, "size": 107, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430818 }, { "func": "static rsRetVal qAddDisk(qqueue_t *pThis, void* pUsr)\n{\n\tDEFiRet;\n\tnumber_t nWriteCount;\n\n\tASSERT(pThis != NULL);\n\n\tCHKiRet(strm.SetWCntr(pThis->tVars.disk.pWrite, 
&nWriteCount));\n\tCHKiRet((objSerialize(pUsr))(pUsr, pThis->tVars.disk.pWrite));\n\tCHKiRet(strm.Flush(pThis->tVars.disk.pWrite));\n\tCHKiRet(strm.SetWCntr(pThis->tVars.disk.pWrite, NULL)); /* no more counting for now... */\n\n\tpThis->tVars.disk.sizeOnDisk += nWriteCount;\n\n\t/* we have enqueued the user element to disk. So we now need to destruct\n\t * the in-memory representation. The instance will be re-created upon\n\t * dequeue. -- rgerhards, 2008-07-09\n\t */\n\tobjDestruct(pUsr);\n\n\tDBGOPRINT((obj_t*) pThis, \"write wrote %lld octets to disk, queue disk size now %lld octets, EnqOnly:%d\\n\",\n\t\t nWriteCount, pThis->tVars.disk.sizeOnDisk, pThis->bEnqOnly);\n\nfinalize_it:\n\tRETiRet;\n}", "project": "rsyslog", "hash": 284068089063286999538570066117405167218, "size": 26, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373768 }, { "func": "static int __mtab_find_umount_fs(struct libmnt_context *cxt,\n\t\t\t const char *tgt,\n\t\t\t struct libmnt_fs **pfs)\n{\n\tint rc;\n\tstruct libmnt_ns *ns_old;\n\tstruct libmnt_table *mtab = NULL;\n\tstruct libmnt_fs *fs;\n\tchar *loopdev = NULL;\n\n\tassert(cxt);\n\tassert(tgt);\n\tassert(pfs);\n\n\t*pfs = NULL;\n\tDBG(CXT, ul_debugobj(cxt, \" search %s in mountinfo\", tgt));\n\n\t/*\n\t * The mount table may be huge, and on systems with utab we have to\n\t * merge userspace mount options into /proc/self/mountinfo. This all is\n\t * expensive. The tab filter can be used to filter out entries, then a mount\n\t * table and utab are very tiny files.\n\t *\n\t * The filter uses mnt_fs_streq_{target,srcpath} function where all\n\t * paths should be absolute and canonicalized. This is done within\n\t * mnt_context_get_mtab_for_target() where LABEL, UUID or symlinks are\n\t * canonicalized. 
If --no-canonicalize is enabled than the target path\n\t * is expected already canonical.\n\t *\n\t * Anyway it's better to read huge mount table than canonicalize target\n\t * paths. It means we use the filter only if --no-canonicalize enabled.\n\t *\n\t * It also means that we have to read mount table from kernel\n\t * (non-writable mtab).\n\t */\n\tif (mnt_context_is_nocanonicalize(cxt) &&\n\t !mnt_context_mtab_writable(cxt) && *tgt == '/')\n\t\trc = mnt_context_get_mtab_for_target(cxt, &mtab, tgt);\n\telse\n\t\trc = mnt_context_get_mtab(cxt, &mtab);\n\n\tif (rc) {\n\t\tDBG(CXT, ul_debugobj(cxt, \"umount: failed to read mtab\"));\n\t\treturn rc;\n\t}\n\n\tif (mnt_table_get_nents(mtab) == 0) {\n\t\tDBG(CXT, ul_debugobj(cxt, \"umount: mtab empty\"));\n\t\treturn 1;\n\t}\n\n\tns_old = mnt_context_switch_target_ns(cxt);\n\tif (!ns_old)\n\t\treturn -MNT_ERR_NAMESPACE;\n\ntry_loopdev:\n\tfs = mnt_table_find_target(mtab, tgt, MNT_ITER_BACKWARD);\n\tif (!fs && mnt_context_is_swapmatch(cxt)) {\n\t\t/*\n\t\t * Maybe the option is source rather than target (sometimes\n\t\t * people use e.g. \"umount /dev/sda1\")\n\t\t */\n\t\tfs = mnt_table_find_source(mtab, tgt, MNT_ITER_BACKWARD);\n\n\t\tif (fs) {\n\t\t\tstruct libmnt_fs *fs1 = mnt_table_find_target(mtab,\n\t\t\t\t\t\t\tmnt_fs_get_target(fs),\n\t\t\t\t\t\t\tMNT_ITER_BACKWARD);\n\t\t\tif (!fs1) {\n\t\t\t\tDBG(CXT, ul_debugobj(cxt, \"mtab is broken?!?!\"));\n\t\t\t\trc = -EINVAL;\n\t\t\t\tgoto err;\n\t\t\t}\n\t\t\tif (fs != fs1) {\n\t\t\t\t/* Something was stacked over `file' on the\n\t\t\t\t * same mount point. 
*/\n\t\t\t\tDBG(CXT, ul_debugobj(cxt,\n\t\t\t\t\t\t\"umount: %s: %s is mounted \"\n\t\t\t\t\t\t\"over it on the same point\",\n\t\t\t\t\t\ttgt, mnt_fs_get_source(fs1)));\n\t\t\t\trc = -EINVAL;\n\t\t\t\tgoto err;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (!fs && !loopdev && mnt_context_is_swapmatch(cxt)) {\n\t\t/*\n\t\t * Maybe the option is /path/file.img, try to convert to /dev/loopN\n\t\t */\n\t\tstruct stat st;\n\n\t\tif (mnt_stat_mountpoint(tgt, &st) == 0 && S_ISREG(st.st_mode)) {\n\t\t\tint count;\n\t\t\tstruct libmnt_cache *cache = mnt_context_get_cache(cxt);\n\t\t\tconst char *bf = cache ? mnt_resolve_path(tgt, cache) : tgt;\n\n\t\t\tcount = loopdev_count_by_backing_file(bf, &loopdev);\n\t\t\tif (count == 1) {\n\t\t\t\tDBG(CXT, ul_debugobj(cxt,\n\t\t\t\t\t\"umount: %s --> %s (retry)\", tgt, loopdev));\n\t\t\t\ttgt = loopdev;\n\t\t\t\tgoto try_loopdev;\n\n\t\t\t} else if (count > 1)\n\t\t\t\tDBG(CXT, ul_debugobj(cxt,\n\t\t\t\t\t\"umount: warning: %s is associated \"\n\t\t\t\t\t\"with more than one loopdev\", tgt));\n\t\t}\n\t}\n\n\t*pfs = fs;\n\tfree(loopdev);\n\tif (!mnt_context_switch_ns(cxt, ns_old))\n\t\treturn -MNT_ERR_NAMESPACE;\n\n\tDBG(CXT, ul_debugobj(cxt, \"umount fs: %s\", fs ? mnt_fs_get_target(fs) :\n\t\t\t\t\t\t\t\"\"));\n\treturn fs ? 
0 : 1;\nerr:\n\tfree(loopdev);\n\tif (!mnt_context_switch_ns(cxt, ns_old))\n\t\treturn -MNT_ERR_NAMESPACE;\n\treturn rc;\n}", "project": "util-linux", "hash": 77984116704849658636548078659924635824, "size": 125, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410429 }, { "func": "ProtocolV1::ProtocolV1(AsyncConnection *connection)\n : Protocol(1, connection),\n temp_buffer(nullptr),\n can_write(WriteStatus::NOWRITE),\n keepalive(false),\n connect_seq(0),\n peer_global_seq(0),\n msg_left(0),\n cur_msg_size(0),\n replacing(false),\n is_reset_from_peer(false),\n once_ready(false),\n state(NONE),\n global_seq(0),\n wait_for_seq(false) {\n temp_buffer = new char[4096];\n}", "project": "ceph", "hash": 231347220570098308545363597220820120148, "size": 17, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": "msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f (\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked 
from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 0, "dataset": "other", "idx": 356884 }, { "func": "R_API bool r_sys_tts(const char *txt, bool bg) {\n\tint i;\n\tr_return_val_if_fail (txt, false);\n\tconst char *says[] = {\n\t\t\"say\", \"termux-tts-speak\", NULL\n\t};\n\tfor (i = 0; says[i]; i++) {\n\t\tchar *sayPath = r_file_path (says[i]);\n\t\tif (sayPath) {\n\t\t\tchar *line = r_str_replace (strdup (txt), \"'\", \"\\\"\", 1);\n\t\t\tr_sys_cmdf (\"\\\"%s\\\" '%s'%s\", sayPath, line, bg? \" &\": \"\");\n\t\t\tfree (line);\n\t\t\tfree (sayPath);\n\t\t\treturn true;\n\t\t}\n\t}\n\treturn false;\n}", "project": "radare2", "hash": 212809080512070005047144757998587224782, "size": 18, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268851 }, { "func": "static int packet_rcv(struct sk_buff *skb, struct net_device *dev,\n\t\t struct packet_type *pt, struct net_device *orig_dev)\n{\n\tstruct sock *sk;\n\tstruct sockaddr_ll *sll;\n\tstruct packet_sock *po;\n\tu8 *skb_head = skb->data;\n\tint skb_len = skb->len;\n\tunsigned int snaplen, res;\n\tbool is_drop_n_account = false;\n\n\tif (skb->pkt_type == PACKET_LOOPBACK)\n\t\tgoto drop;\n\n\tsk = pt->af_packet_priv;\n\tpo = pkt_sk(sk);\n\n\tif (!net_eq(dev_net(dev), sock_net(sk)))\n\t\tgoto drop;\n\n\tskb->dev = dev;\n\n\tif (dev->header_ops) {\n\t\t/* The device has an explicit notion of ll header,\n\t\t * exported to higher levels.\n\t\t *\n\t\t * Otherwise, the device hides details of its frame\n\t\t * structure, so that corresponding packet head is\n\t\t * never delivered to user.\n\t\t */\n\t\tif (sk->sk_type != SOCK_DGRAM)\n\t\t\tskb_push(skb, skb->data - skb_mac_header(skb));\n\t\telse if (skb->pkt_type == PACKET_OUTGOING) {\n\t\t\t/* Special case: outgoing packets have ll header at head */\n\t\t\tskb_pull(skb, skb_network_offset(skb));\n\t\t}\n\t}\n\n\tsnaplen = skb->len;\n\n\tres = run_filter(skb, sk, snaplen);\n\tif (!res)\n\t\tgoto drop_n_restore;\n\tif (snaplen > res)\n\t\tsnaplen = res;\n\n\tif (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)\n\t\tgoto drop_n_acct;\n\n\tif (skb_shared(skb)) {\n\t\tstruct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);\n\t\tif 
(nskb == NULL)\n\t\t\tgoto drop_n_acct;\n\n\t\tif (skb_head != skb->data) {\n\t\t\tskb->data = skb_head;\n\t\t\tskb->len = skb_len;\n\t\t}\n\t\tconsume_skb(skb);\n\t\tskb = nskb;\n\t}\n\n\tsock_skb_cb_check_size(sizeof(*PACKET_SKB_CB(skb)) + MAX_ADDR_LEN - 8);\n\n\tsll = &PACKET_SKB_CB(skb)->sa.ll;\n\tsll->sll_hatype = dev->type;\n\tsll->sll_pkttype = skb->pkt_type;\n\tif (unlikely(po->origdev))\n\t\tsll->sll_ifindex = orig_dev->ifindex;\n\telse\n\t\tsll->sll_ifindex = dev->ifindex;\n\n\tsll->sll_halen = dev_parse_header(skb, sll->sll_addr);\n\n\t/* sll->sll_family and sll->sll_protocol are set in packet_recvmsg().\n\t * Use their space for storing the original skb length.\n\t */\n\tPACKET_SKB_CB(skb)->sa.origlen = skb->len;\n\n\tif (pskb_trim(skb, snaplen))\n\t\tgoto drop_n_acct;\n\n\tskb_set_owner_r(skb, sk);\n\tskb->dev = NULL;\n\tskb_dst_drop(skb);\n\n\t/* drop conntrack reference */\n\tnf_reset_ct(skb);\n\n\tspin_lock(&sk->sk_receive_queue.lock);\n\tpo->stats.stats1.tp_packets++;\n\tsock_skb_set_dropcount(sk, skb);\n\t__skb_queue_tail(&sk->sk_receive_queue, skb);\n\tspin_unlock(&sk->sk_receive_queue.lock);\n\tsk->sk_data_ready(sk);\n\treturn 0;\n\ndrop_n_acct:\n\tis_drop_n_account = true;\n\tatomic_inc(&po->tp_drops);\n\tatomic_inc(&sk->sk_drops);\n\ndrop_n_restore:\n\tif (skb_head != skb->data && skb_shared(skb)) {\n\t\tskb->data = skb_head;\n\t\tskb->len = skb_len;\n\t}\ndrop:\n\tif (!is_drop_n_account)\n\t\tconsume_skb(skb);\n\telse\n\t\tkfree_skb(skb);\n\treturn 0;\n}", "project": "linux", "hash": 162871960946811885115915564576227897964, "size": 114, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling 
virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330410 }, { "func": "bool CPlayListASX::LoadAsxIniInfo(std::istream &stream)\n{\n CLog::Log(LOGINFO, \"Parsing INI style ASX\");\n\n std::string name, value;\n\n while( stream.good() )\n {\n // consume blank rows, and blanks\n while((stream.peek() == '\\r' || stream.peek() == '\\n' || stream.peek() == ' ') && stream.good())\n stream.get();\n\n if(stream.peek() == '[')\n {\n // this is an [section] part, just ignore it\n while(stream.good() && stream.peek() != '\\r' && stream.peek() != '\\n')\n stream.get();\n continue;\n }\n name = \"\";\n value = \"\";\n // consume name\n while(stream.peek() != '\\r' && stream.peek() != '\\n' && stream.peek() != '=' && stream.good())\n name += stream.get();\n\n // consume =\n if(stream.get() != '=')\n continue;\n\n // consume value\n while(stream.peek() != '\\r' && stream.peek() != '\\n' && stream.good())\n value += stream.get();\n\n CLog::Log(LOGINFO, \"Adding element {}={}\", name, value);\n CFileItemPtr newItem(new CFileItem(value));\n newItem->SetPath(value);\n if (newItem->IsVideo() && !newItem->HasVideoInfoTag()) // File is a video and needs a VideoInfoTag\n newItem->GetVideoInfoTag()->Reset(); // Force VideoInfoTag creation\n Add(newItem);\n }\n\n return true;\n}", "project": "xbmc", "hash": 94968456636627793010893966724900788334, "size": 43, "commit_id": "80c8138c09598e88b4ddb6dbb279fa193bbb3237", "message": "[Playlist] dont use istream directly to a tinyxml structure\n\nTurn istream into a std::string to handle large buffers (#20305)", "target": 0, "dataset": "other", "idx": 219937 }, { "func": "R_API void r_core_autocomplete(R_NULLABLE RCore *core, RLineCompletion *completion, 
RLineBuffer *buf, RLinePromptType prompt_type) {\n\tif (!core) {\n\t\tautocomplete_default (core, completion, buf);\n\t\treturn;\n\t}\n\tr_line_completion_clear (completion);\n\tchar *pipe = strchr (buf->data, '>');\n\tchar *ptr = strchr (buf->data, '@');\n\tif (pipe && strchr (pipe + 1, ' ') && buf->data + buf->index >= pipe) {\n\t\tautocompleteFilename (completion, buf, NULL, 1);\n\t} else if (ptr && strchr (ptr + 1, ' ') && buf->data + buf->index >= ptr) {\n\t\tint sdelta, n;\n\t\tptr = (char *)r_str_trim_head_ro (ptr + 1);\n\t\tn = strlen (ptr);//(buf->data+sdelta);\n\t\tsdelta = (int)(size_t)(ptr - buf->data);\n\t\tr_flag_foreach_prefix (core->flags, buf->data + sdelta, n, add_argv, completion);\n\t} else if (!strncmp (buf->data, \"#!pipe \", 7)) {\n\t\tif (strchr (buf->data + 7, ' ')) {\n\t\t\tautocompleteFilename (completion, buf, NULL, 2);\n\t\t} else {\n\t\t\tint chr = 7;\n\t\t\tADDARG (\"node\");\n\t\t\tADDARG (\"vala\");\n\t\t\tADDARG (\"ruby\");\n\t\t\tADDARG (\"newlisp\");\n\t\t\tADDARG (\"perl\");\n\t\t\tADDARG (\"python\");\n\t\t}\n\t} else if (!strncmp (buf->data, \"ec \", 3)) {\n\t\tif (strchr (buf->data + 3, ' ')) {\n\t\t\tautocompleteFilename (completion, buf, NULL, 2);\n\t\t} else {\n\t\t\tint chr = 
3;\n\t\t\tADDARG(\"comment\")\n\t\t\tADDARG(\"usrcmt\")\n\t\t\tADDARG(\"args\")\n\t\t\tADDARG(\"fname\")\n\t\t\tADDARG(\"floc\")\n\t\t\tADDARG(\"fline\")\n\t\t\tADDARG(\"flag\")\n\t\t\tADDARG(\"label\")\n\t\t\tADDARG(\"help\")\n\t\t\tADDARG(\"flow\")\n\t\t\tADDARG(\"prompt\")\n\t\t\tADDARG(\"offset\")\n\t\t\tADDARG(\"input\")\n\t\t\tADDARG(\"invalid\")\n\t\t\tADDARG(\"other\")\n\t\t\tADDARG(\"b0x00\")\n\t\t\tADDARG(\"b0x7f\")\n\t\t\tADDARG(\"b0xff\")\n\t\t\tADDARG(\"math\")\n\t\t\tADDARG(\"bin\")\n\t\t\tADDARG(\"btext\")\n\t\t\tADDARG(\"push\")\n\t\t\tADDARG(\"pop\")\n\t\t\tADDARG(\"crypto\")\n\t\t\tADDARG(\"jmp\")\n\t\t\tADDARG(\"cjmp\")\n\t\t\tADDARG(\"call\")\n\t\t\tADDARG(\"nop\")\n\t\t\tADDARG(\"ret\")\n\t\t\tADDARG(\"trap\")\n\t\t\tADDARG(\"swi\")\n\t\t\tADDARG(\"cmp\")\n\t\t\tADDARG(\"reg\")\n\t\t\tADDARG(\"creg\")\n\t\t\tADDARG(\"num\")\n\t\t\tADDARG(\"mov\")\n\t\t\tADDARG(\"func_var\")\n\t\t\tADDARG(\"func_var_type\")\n\t\t\tADDARG(\"func_var_addr\")\n\t\t\tADDARG(\"widget_bg\")\n\t\t\tADDARG(\"widget_sel\")\n\t\t\tADDARG(\"ai.read\")\n\t\t\tADDARG(\"ai.write\")\n\t\t\tADDARG(\"ai.exec\")\n\t\t\tADDARG(\"ai.seq\")\n\t\t\tADDARG(\"ai.ascii\")\n\t\t\tADDARG(\"ai.unmap\")\n\t\t\tADDARG(\"graph.box\")\n\t\t\tADDARG(\"graph.box2\")\n\t\t\tADDARG(\"graph.box3\")\n\t\t\tADDARG(\"graph.box4\")\n\t\t\tADDARG(\"graph.true\")\n\t\t\tADDARG(\"graph.false\")\n\t\t\tADDARG(\"graph.trufae\")\n\t\t\tADDARG(\"graph.current\")\n\t\t\tADDARG(\"graph.traced\")\n\t\t\tADDARG(\"gui.cflow\")\n\t\t\tADDARG(\"gui.dataoffset\")\n\t\t\tADDARG(\"gui.background\")\n\t\t\tADDARG(\"gui.alt_background\")\n\t\t\tADDARG(\"gui.border\")\n\t\t}\n\t} else if (!strncmp (buf->data, \"pf.\", 3)\n\t|| !strncmp (buf->data, \"pf*.\", 4)\n\t|| !strncmp (buf->data, \"pfd.\", 4)\n\t|| !strncmp (buf->data, \"pfv.\", 4)\n\t|| !strncmp (buf->data, \"pfj.\", 4)) {\n\t\tchar pfx[2];\n\t\tint chr = (buf->data[2]=='.')? 
3: 4;\n\t\tif (chr == 4) {\n\t\t\tpfx[0] = buf->data[2];\n\t\t\tpfx[1] = 0;\n\t\t} else {\n\t\t\t*pfx = 0;\n\t\t}\n\t\tSdbList *sls = sdb_foreach_list (core->print->formats, false);\n\t\tSdbListIter *iter;\n\t\tSdbKv *kv;\n\t\tint j = 0;\n\t\tls_foreach (sls, iter, kv) {\n\t\t\tint len = strlen (buf->data + chr);\n\t\t\tint minlen = R_MIN (len, strlen (sdbkv_key (kv)));\n\t\t\tif (!len || !strncmp (buf->data + chr, sdbkv_key (kv), minlen)) {\n\t\t\t\tchar *p = strchr (buf->data + chr, '.');\n\t\t\t\tif (p) {\n\t\t\t\t\tj += autocomplete_pfele (core, completion, sdbkv_key (kv), pfx, j, p + 1);\n\t\t\t\t\tbreak;\n\t\t\t\t} else {\n\t\t\t\t\tchar *s = r_str_newf (\"pf%s.%s\", pfx, sdbkv_key (kv));\n\t\t\t\t\tr_line_completion_push (completion, s);\n\t\t\t\t\tfree (s);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t} else if ((!strncmp (buf->data, \"afvn \", 5))\n\t|| (!strncmp (buf->data, \"afan \", 5))) {\n\t\tRAnalFunction *fcn = r_anal_get_fcn_in (core->anal, core->offset, 0);\n\t\tRList *vars;\n\t\tif (!strncmp (buf->data, \"afvn \", 5)) {\n\t\t\tvars = r_anal_var_list (core->anal, fcn, R_ANAL_VAR_KIND_BPV);\n\t\t} else {\n\t\t\tvars = r_anal_var_list (core->anal, fcn, R_ANAL_VAR_KIND_ARG);\n\t\t}\n\t\tconst char *f_ptr, *l_ptr;\n\t\tRAnalVar *var;\n\t\tint len = strlen (buf->data);\n\n\t\tf_ptr = r_sub_str_lchr (buf->data, 0, buf->index, ' ');\n\t\tf_ptr = f_ptr != NULL ? f_ptr + 1 : buf->data;\n\t\tl_ptr = r_sub_str_rchr (buf->data, buf->index, len, ' ');\n\t\tif (!l_ptr) {\n\t\t\tl_ptr = buf->data + len;\n\t\t}\n\t\tRListIter *iter;\n\t\tr_list_foreach (vars, iter, var) {\n\t\t\tif (!strncmp (f_ptr, var->name, l_ptr - f_ptr)) {\n\t\t\t\tr_line_completion_push (completion, var->name);\n\t\t\t}\n\t\t}\n\t\tr_list_free (vars);\n\t} else if (!strncmp (buf->data, \"t \", 2)\n\t|| !strncmp (buf->data, \"t- \", 3)) {\n\t\tSdbList *l = sdb_foreach_list (core->anal->sdb_types, true);\n\t\tSdbListIter *iter;\n\t\tSdbKv *kv;\n\t\tint chr = (buf->data[1] == ' ')? 
2: 3;\n\t\tls_foreach (l, iter, kv) {\n\t\t\tint len = strlen (buf->data + chr);\n\t\t\tif (!len || !strncmp (buf->data + chr, sdbkv_key (kv), len)) {\n\t\t\t\tif (!strcmp (sdbkv_value (kv), \"type\") || !strcmp (sdbkv_value (kv), \"enum\")\n\t\t\t\t|| !strcmp (sdbkv_value (kv), \"struct\")) {\n\t\t\t\t\tr_line_completion_push (completion, sdbkv_key (kv));\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tls_free (l);\n\t} else if ((!strncmp (buf->data, \"te \", 3))) {\n\t\tSdbList *l = sdb_foreach_list (core->anal->sdb_types, true);\n\t\tSdbListIter *iter;\n\t\tSdbKv *kv;\n\t\tint chr = 3;\n\t\tls_foreach (l, iter, kv) {\n\t\t\tint len = strlen (buf->data + chr);\n\t\t\tif (!len || !strncmp (buf->data + chr, sdbkv_key (kv), len)) {\n\t\t\t\tif (!strcmp (sdbkv_value (kv), \"enum\")) {\n\t\t\t\t\tr_line_completion_push (completion, sdbkv_key (kv));\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tls_free (l);\n\t} else if (!strncmp (buf->data, \"$\", 1)) {\n\t\tint i;\n\t\tfor (i = 0; i < core->rcmd->aliases.count; i++) {\n\t\t\tconst char *key = core->rcmd->aliases.keys[i];\n\t\t\tint len = strlen (buf->data);\n\t\t\tif (!len || !strncmp (buf->data, key, len)) {\n\t\t\t\tr_line_completion_push (completion, key);\n\t\t\t}\n\t\t}\n\t} else if (!strncmp (buf->data, \"ts \", 3)\n\t|| !strncmp (buf->data, \"ta \", 3)\n\t|| !strncmp (buf->data, \"tp \", 3)\n\t|| !strncmp (buf->data, \"tl \", 3)\n\t|| !strncmp (buf->data, \"tpx \", 4)\n\t|| !strncmp (buf->data, \"tss \", 4)\n\t|| !strncmp (buf->data, \"ts* \", 4)) {\n\t\tSdbList *l = sdb_foreach_list (core->anal->sdb_types, true);\n\t\tSdbListIter *iter;\n\t\tSdbKv *kv;\n\t\tint chr = (buf->data[2] == ' ')? 
3: 4;\n\t\tls_foreach (l, iter, kv) {\n\t\t\tint len = strlen (buf->data + chr);\n\t\t\tconst char *key = sdbkv_key (kv);\n\t\t\tif (!len || !strncmp (buf->data + chr, key, len)) {\n\t\t\t\tif (!strncmp (sdbkv_value (kv), \"struct\", strlen (\"struct\") + 1)) {\n\t\t\t\t\tr_line_completion_push (completion, key);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tls_free (l);\n\t} else if (!strncmp (buf->data, \"zo \", 3)\n\t|| !strncmp (buf->data, \"zoz \", 4)) {\n\t\tif (core->anal->zign_path && core->anal->zign_path[0]) {\n\t\t\tchar *zignpath = r_file_abspath (core->anal->zign_path);\n\t\t\tchar *paths[2] = { zignpath, NULL };\n\t\t\tautocompleteFilename (completion, buf, paths, 1);\n\t\t\tfree (zignpath);\n\t\t} else {\n\t\t\tautocompleteFilename (completion, buf, NULL, 1);\n\t\t}\n\t} else if (find_e_opts (core, completion, buf)) {\n\t\treturn;\n\t} else if (prompt_type == R_LINE_PROMPT_OFFSET) {\n\t\tautocomplete_flags (core, completion, buf->data);\n\t} else if (prompt_type == R_LINE_PROMPT_FILE) {\n\t\tautocomplete_file (completion, buf->data);\n\t} else if (!find_autocomplete (core, completion, buf)) {\n\t\tautocomplete_default (core, completion, buf);\n\t}\n}", "project": "radare2", "hash": 153902047665659613424858092089865771182, "size": 233, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232120 }, { "func": "static void __flush_itimer_signals(struct sigpending *pending)\n{\n\tsigset_t signal, retain;\n\tstruct sigqueue *q, *n;\n\n\tsignal = pending->signal;\n\tsigemptyset(&retain);\n\n\tlist_for_each_entry_safe(q, n, &pending->list, list) {\n\t\tint sig = q->info.si_signo;\n\n\t\tif (likely(q->info.si_code != SI_TIMER)) {\n\t\t\tsigaddset(&retain, sig);\n\t\t} else {\n\t\t\tsigdelset(&signal, sig);\n\t\t\tlist_del_init(&q->list);\n\t\t\t__sigqueue_free(q);\n\t\t}\n\t}\n\n\tsigorsets(&pending->signal, &signal, &retain);\n}", "project": "linux", "hash": 
287095271771864296382209696546935546064, "size": 22, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375220 }, { "func": "void SFD_GetFontMetaDataData_Init( SFD_GetFontMetaDataData* d )\n{\n memset( d, 0, sizeof(SFD_GetFontMetaDataData));\n}", "project": "fontforge", "hash": 304828189728311871476206170896626818594, "size": 4, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417867 }, { "func": "int fuse_valid_type(int m)\n{\n\treturn S_ISREG(m) || S_ISDIR(m) || S_ISLNK(m) || S_ISCHR(m) ||\n\t\tS_ISBLK(m) || S_ISFIFO(m) || S_ISSOCK(m);\n}", "project": "linux", "hash": 131317363103115628442667186495826140143, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342006 }, { "func": "static void load_xref_from_stream(FILE *fp, xref_t *xref)\n{\n long start;\n int is_stream;\n char *stream;\n size_t size;\n\n start = ftell(fp);\n fseek(fp, xref->start, SEEK_SET);\n\n stream = NULL;\n stream = get_object_from_here(fp, &size, &is_stream);\n fseek(fp, start, SEEK_SET);\n\n /* TODO: decode and analyize stream */\n free(stream);\n return;\n}", "project": "pdfresurrect", "hash": 282892102468595416727434263323075688639, "size": 18, "commit_id": "7e35d1806e111fd28610ccc86bb33f54792ac370", "message": "Fix possible infinite loop case when looking for a trailer.\n\nThanks to chibataiki for reporting and isolating this!", "target": 0, "dataset": "other", "idx": 355600 }, { "func": "rfbSendXvp(rfbClientPtr cl, uint8_t version, uint8_t code)\n{\n rfbXvpMsg xvp;\n\n xvp.type = rfbXvp;\n xvp.pad = 0;\n xvp.version = version;\n xvp.code = code;\n\n LOCK(cl->sendMutex);\n if (rfbWriteExact(cl, (char *)&xvp, sz_rfbXvpMsg) < 0) {\n rfbLogPerror(\"rfbSendXvp: write\");\n rfbCloseClient(cl);\n }\n UNLOCK(cl->sendMutex);\n\n rfbStatRecordMessageSent(cl, rfbXvp, sz_rfbXvpMsg, sz_rfbXvpMsg);\n\n return TRUE;\n}", "project": "libvncserver", "hash": 113355981407446235715846320900647376527, "size": 20, "commit_id": "673c07a75ed844d74676f3ccdcfdc706a7052dba", "message": "libvncserver/rfbserver: fix possible divide-by-zero\n\nCloses #409", "target": 0, "dataset": "other", "idx": 295853 }, { "func": "static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tu32 ecx = msr->index;\n\tu64 data = msr->data;\n\tswitch (ecx) {\n\tcase MSR_IA32_CR_PAT:\n\t\tif (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, 
data))\n\t\t\treturn 1;\n\t\tvcpu->arch.pat = data;\n\t\tsvm->vmcb->save.g_pat = data;\n\t\tmark_dirty(svm->vmcb, VMCB_NPT);\n\t\tbreak;\n\tcase MSR_IA32_SPEC_CTRL:\n\t\tif (!msr->host_initiated &&\n\t\t !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) &&\n\t\t !guest_cpuid_has(vcpu, X86_FEATURE_AMD_STIBP) &&\n\t\t !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBRS) &&\n\t\t !guest_cpuid_has(vcpu, X86_FEATURE_AMD_SSBD))\n\t\t\treturn 1;\n\n\t\tif (data & ~kvm_spec_ctrl_valid_bits(vcpu))\n\t\t\treturn 1;\n\n\t\tsvm->spec_ctrl = data;\n\t\tif (!data)\n\t\t\tbreak;\n\n\t\t/*\n\t\t * For non-nested:\n\t\t * When it's written (to non-zero) for the first time, pass\n\t\t * it through.\n\t\t *\n\t\t * For nested:\n\t\t * The handling of the MSR bitmap for L2 guests is done in\n\t\t * nested_svm_vmrun_msrpm.\n\t\t * We update the L1 MSR bit as well since it will end up\n\t\t * touching the MSR anyway now.\n\t\t */\n\t\tset_msr_interception(svm->msrpm, MSR_IA32_SPEC_CTRL, 1, 1);\n\t\tbreak;\n\tcase MSR_IA32_PRED_CMD:\n\t\tif (!msr->host_initiated &&\n\t\t !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBPB))\n\t\t\treturn 1;\n\n\t\tif (data & ~PRED_CMD_IBPB)\n\t\t\treturn 1;\n\t\tif (!boot_cpu_has(X86_FEATURE_AMD_IBPB))\n\t\t\treturn 1;\n\t\tif (!data)\n\t\t\tbreak;\n\n\t\twrmsrl(MSR_IA32_PRED_CMD, PRED_CMD_IBPB);\n\t\tset_msr_interception(svm->msrpm, MSR_IA32_PRED_CMD, 0, 1);\n\t\tbreak;\n\tcase MSR_AMD64_VIRT_SPEC_CTRL:\n\t\tif (!msr->host_initiated &&\n\t\t !guest_cpuid_has(vcpu, X86_FEATURE_VIRT_SSBD))\n\t\t\treturn 1;\n\n\t\tif (data & ~SPEC_CTRL_SSBD)\n\t\t\treturn 1;\n\n\t\tsvm->virt_spec_ctrl = data;\n\t\tbreak;\n\tcase MSR_STAR:\n\t\tsvm->vmcb->save.star = data;\n\t\tbreak;\n#ifdef CONFIG_X86_64\n\tcase MSR_LSTAR:\n\t\tsvm->vmcb->save.lstar = data;\n\t\tbreak;\n\tcase MSR_CSTAR:\n\t\tsvm->vmcb->save.cstar = data;\n\t\tbreak;\n\tcase MSR_KERNEL_GS_BASE:\n\t\tsvm->vmcb->save.kernel_gs_base = data;\n\t\tbreak;\n\tcase MSR_SYSCALL_MASK:\n\t\tsvm->vmcb->save.sfmask = 
data;\n\t\tbreak;\n#endif\n\tcase MSR_IA32_SYSENTER_CS:\n\t\tsvm->vmcb->save.sysenter_cs = data;\n\t\tbreak;\n\tcase MSR_IA32_SYSENTER_EIP:\n\t\tsvm->sysenter_eip = data;\n\t\tsvm->vmcb->save.sysenter_eip = data;\n\t\tbreak;\n\tcase MSR_IA32_SYSENTER_ESP:\n\t\tsvm->sysenter_esp = data;\n\t\tsvm->vmcb->save.sysenter_esp = data;\n\t\tbreak;\n\tcase MSR_TSC_AUX:\n\t\tif (!boot_cpu_has(X86_FEATURE_RDTSCP))\n\t\t\treturn 1;\n\n\t\t/*\n\t\t * This is rare, so we update the MSR here instead of using\n\t\t * direct_access_msrs. Doing that would require a rdmsr in\n\t\t * svm_vcpu_put.\n\t\t */\n\t\tsvm->tsc_aux = data;\n\t\twrmsrl(MSR_TSC_AUX, svm->tsc_aux);\n\t\tbreak;\n\tcase MSR_IA32_DEBUGCTLMSR:\n\t\tif (!boot_cpu_has(X86_FEATURE_LBRV)) {\n\t\t\tvcpu_unimpl(vcpu, \"%s: MSR_IA32_DEBUGCTL 0x%llx, nop\\n\",\n\t\t\t\t __func__, data);\n\t\t\tbreak;\n\t\t}\n\t\tif (data & DEBUGCTL_RESERVED_BITS)\n\t\t\treturn 1;\n\n\t\tsvm->vmcb->save.dbgctl = data;\n\t\tmark_dirty(svm->vmcb, VMCB_LBR);\n\t\tif (data & (1ULL<<0))\n\t\t\tsvm_enable_lbrv(svm);\n\t\telse\n\t\t\tsvm_disable_lbrv(svm);\n\t\tbreak;\n\tcase MSR_VM_HSAVE_PA:\n\t\tsvm->nested.hsave_msr = data;\n\t\tbreak;\n\tcase MSR_VM_CR:\n\t\treturn svm_set_vm_cr(vcpu, data);\n\tcase MSR_VM_IGNNE:\n\t\tvcpu_unimpl(vcpu, \"unimplemented wrmsr: 0x%x data 0x%llx\\n\", ecx, data);\n\t\tbreak;\n\tcase MSR_F10H_DECFG: {\n\t\tstruct kvm_msr_entry msr_entry;\n\n\t\tmsr_entry.index = msr->index;\n\t\tif (svm_get_msr_feature(&msr_entry))\n\t\t\treturn 1;\n\n\t\t/* Check the supported bits */\n\t\tif (data & ~msr_entry.data)\n\t\t\treturn 1;\n\n\t\t/* Don't allow the guest to change a bit, #GP */\n\t\tif (!msr->host_initiated && (data ^ msr_entry.data))\n\t\t\treturn 1;\n\n\t\tsvm->msr_decfg = data;\n\t\tbreak;\n\t}\n\tcase MSR_IA32_APICBASE:\n\t\tif (kvm_vcpu_apicv_active(vcpu))\n\t\t\tavic_update_vapic_bar(to_svm(vcpu), data);\n\t\t/* Fall through */\n\tdefault:\n\t\treturn kvm_set_msr_common(vcpu, msr);\n\t}\n\treturn 0;\n}", "project": 
"linux", "hash": 222418696866220443531119382103597394964, "size": 158, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432598 }, { "func": "static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tu32 ecx = msr->index;\n\tu64 data = msr->data;\n\tswitch (ecx) {\n\tcase MSR_IA32_TSC:\n\t\tkvm_write_tsc(vcpu, msr);\n\t\tbreak;\n\tcase MSR_STAR:\n\t\tsvm->vmcb->save.star = data;\n\t\tbreak;\n#ifdef CONFIG_X86_64\n\tcase MSR_LSTAR:\n\t\tsvm->vmcb->save.lstar = data;\n\t\tbreak;\n\tcase MSR_CSTAR:\n\t\tsvm->vmcb->save.cstar = data;\n\t\tbreak;\n\tcase MSR_KERNEL_GS_BASE:\n\t\tsvm->vmcb->save.kernel_gs_base = data;\n\t\tbreak;\n\tcase MSR_SYSCALL_MASK:\n\t\tsvm->vmcb->save.sfmask = data;\n\t\tbreak;\n#endif\n\tcase MSR_IA32_SYSENTER_CS:\n\t\tsvm->vmcb->save.sysenter_cs = data;\n\t\tbreak;\n\tcase MSR_IA32_SYSENTER_EIP:\n\t\tsvm->sysenter_eip = data;\n\t\tsvm->vmcb->save.sysenter_eip = data;\n\t\tbreak;\n\tcase MSR_IA32_SYSENTER_ESP:\n\t\tsvm->sysenter_esp = data;\n\t\tsvm->vmcb->save.sysenter_esp = data;\n\t\tbreak;\n\tcase MSR_IA32_DEBUGCTLMSR:\n\t\tif (!boot_cpu_has(X86_FEATURE_LBRV)) {\n\t\t\tvcpu_unimpl(vcpu, \"%s: MSR_IA32_DEBUGCTL 0x%llx, nop\\n\",\n\t\t\t\t __func__, data);\n\t\t\tbreak;\n\t\t}\n\t\tif (data & DEBUGCTL_RESERVED_BITS)\n\t\t\treturn 1;\n\n\t\tsvm->vmcb->save.dbgctl = data;\n\t\tmark_dirty(svm->vmcb, VMCB_LBR);\n\t\tif (data & (1ULL<<0))\n\t\t\tsvm_enable_lbrv(svm);\n\t\telse\n\t\t\tsvm_disable_lbrv(svm);\n\t\tbreak;\n\tcase MSR_VM_HSAVE_PA:\n\t\tsvm->nested.hsave_msr = 
data;\n\t\tbreak;\n\tcase MSR_VM_CR:\n\t\treturn svm_set_vm_cr(vcpu, data);\n\tcase MSR_VM_IGNNE:\n\t\tvcpu_unimpl(vcpu, \"unimplemented wrmsr: 0x%x data 0x%llx\\n\", ecx, data);\n\t\tbreak;\n\tdefault:\n\t\treturn kvm_set_msr_common(vcpu, msr);\n\t}\n\treturn 0;\n}", "project": "kvm", "hash": 3680184216697519334491668226884412676, "size": 67, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437605 }, { "func": "ff_layout_encode_ff_layoutupdate(struct xdr_stream *xdr,\n\t\t\t const struct nfs42_layoutstat_devinfo *devinfo,\n\t\t\t struct nfs4_ff_layout_mirror *mirror)\n{\n\tstruct nfs4_pnfs_ds_addr *da;\n\tstruct nfs4_pnfs_ds *ds = mirror->mirror_ds->ds;\n\tstruct nfs_fh *fh = &mirror->fh_versions[0];\n\t__be32 *p;\n\n\tda = list_first_entry(&ds->ds_addrs, struct nfs4_pnfs_ds_addr, da_node);\n\tdprintk(\"%s: DS %s: encoding address %s\\n\",\n\t\t__func__, ds->ds_remotestr, da->da_remotestr);\n\t/* netaddr4 */\n\tff_layout_encode_netaddr(xdr, da);\n\t/* nfs_fh4 */\n\tp = xdr_reserve_space(xdr, 4 + fh->size);\n\txdr_encode_opaque(p, fh->data, fh->size);\n\t/* ff_io_latency4 read */\n\tspin_lock(&mirror->lock);\n\tff_layout_encode_io_latency(xdr, &mirror->read_stat.io_stat);\n\t/* ff_io_latency4 write */\n\tff_layout_encode_io_latency(xdr, &mirror->write_stat.io_stat);\n\tspin_unlock(&mirror->lock);\n\t/* nfstime4 */\n\tff_layout_encode_nfstime(xdr, ktime_sub(ktime_get(), mirror->start_time));\n\t/* bool */\n\tp = xdr_reserve_space(xdr, 4);\n\t*p = cpu_to_be32(false);\n}", "project": "linux", "hash": 300891564676636988955802473786551109878, "size": 29, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the 
size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234471 }, { "func": "static int compat_tty_tiocsserial(struct tty_struct *tty,\n\t\tstruct serial_struct32 __user *ss)\n{\n\tstatic DEFINE_RATELIMIT_STATE(depr_flags,\n\t\t\tDEFAULT_RATELIMIT_INTERVAL,\n\t\t\tDEFAULT_RATELIMIT_BURST);\n\tchar comm[TASK_COMM_LEN];\n\tstruct serial_struct32 v32;\n\tstruct serial_struct v;\n\tint flags;\n\n\tif (copy_from_user(&v32, ss, sizeof(*ss)))\n\t\treturn -EFAULT;\n\n\tmemcpy(&v, &v32, offsetof(struct serial_struct32, iomem_base));\n\tv.iomem_base = compat_ptr(v32.iomem_base);\n\tv.iomem_reg_shift = v32.iomem_reg_shift;\n\tv.port_high = v32.port_high;\n\tv.iomap_base = 0;\n\n\tflags = v.flags & ASYNC_DEPRECATED;\n\n\tif (flags && __ratelimit(&depr_flags))\n\t\tpr_warn(\"%s: '%s' is using deprecated serial flags (with no effect): %.8x\\n\",\n\t\t\t__func__, get_task_comm(comm, current), flags);\n\tif (!tty->ops->set_serial)\n\t\treturn -ENOTTY;\n\treturn tty->ops->set_serial(tty, &v);\n}", "project": "linux", "hash": 173233801073207616180244739160705787020, "size": 29, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but 
__proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326027 }, { "func": "static inline unsigned long node_nr_objs(struct kmem_cache_node *n)\n{\n\treturn atomic_long_read(&n->total_objects);\n}", "project": "linux", "hash": 301282810971406631224795824250621287940, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280134 }, { "func": "static inline bool tcp_is_reno(const struct tcp_sock *tp)\n{\n\treturn !tcp_is_sack(tp);\n}", "project": "linux", "hash": 75216034292096367941405906994647262500, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410806 }, { "func": " Item_hex_string(THD *thd, const char *str, uint str_length):\n Item_hex_constant(thd, str, str_length) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 132503181396968856342796067552118538581, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508953 }, { "func": " Item_hex_constant(THD *thd): Item_basic_constant(thd)\n {\n hex_string_init(thd, \"\", 0);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 287751027259230620940524255479720467685, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509023 }, { "func": " Item_hex_hybrid(THD *thd, const char *str, uint str_length):\n Item_hex_constant(thd, str, str_length) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 279830441740895296284247229618598188441, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509407 }, { "func": "static uint8_t filters_to_flags(const uint8_t* filters) {\n uint8_t flags = 0;\n\n for (int i = 0; i < BLOSC2_MAX_FILTERS; i++) {\n switch (filters[i]) {\n case BLOSC_SHUFFLE:\n flags |= BLOSC_DOSHUFFLE;\n break;\n case BLOSC_BITSHUFFLE:\n flags |= BLOSC_DOBITSHUFFLE;\n break;\n case BLOSC_DELTA:\n flags |= BLOSC_DODELTA;\n break;\n default :\n break;\n }\n }\n return flags;\n}", "project": "c-blosc2", "hash": 333433885566087138836148227551627214650, "size": 20, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303076 }, { "func": "int force_sig_bnderr(void __user *addr, void __user *lower, void __user *upper)\n{\n\tstruct kernel_siginfo info;\n\n\tclear_siginfo(&info);\n\tinfo.si_signo = SIGSEGV;\n\tinfo.si_errno = 0;\n\tinfo.si_code = SEGV_BNDERR;\n\tinfo.si_addr = addr;\n\tinfo.si_lower = lower;\n\tinfo.si_upper = upper;\n\treturn force_sig_info(&info);\n}", "project": "linux", "hash": 248868642997850555242179186219215516684, "size": 13, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375142 }, { "func": "void mpol_rebind_mm(struct mm_struct *mm, nodemask_t *new)\n{\n\tstruct vm_area_struct *vma;\n\n\tdown_write(&mm->mmap_sem);\n\tfor (vma = mm->mmap; vma; vma = vma->vm_next)\n\t\tmpol_rebind_policy(vma->vm_policy, new);\n\tup_write(&mm->mmap_sem);\n}", "project": "linux", "hash": 192565344377833379861388505048085696949, "size": 9, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366794 }, { "func": "void optimize_wo_join_buffering(JOIN *join, uint first_tab, uint last_tab, \n table_map last_remaining_tables, \n bool first_alt, uint no_jbuf_before,\n double *outer_rec_count, double *reopt_cost)\n{\n double cost, rec_count;\n table_map reopt_remaining_tables= last_remaining_tables;\n uint i;\n\n if (first_tab > join->const_tables)\n {\n cost= join->positions[first_tab - 1].prefix_cost.total_cost();\n rec_count= join->positions[first_tab - 1].prefix_record_count;\n }\n else\n {\n cost= 0.0;\n rec_count= 1;\n }\n\n *outer_rec_count= rec_count;\n for (i= first_tab; i <= last_tab; i++)\n reopt_remaining_tables |= join->positions[i].table->table->map;\n \n /*\n best_access_path() optimization depends on the value of \n join->cur_sj_inner_tables. Our goal in this function is to do a\n re-optimization with disabled join buffering, but no other changes.\n In order to achieve this, cur_sj_inner_tables needs have the same \n value it had during the original invocations of best_access_path. 
\n\n We know that this function, optimize_wo_join_buffering() is called to\n re-optimize semi-join join order range, which allows to conclude that \n the \"original\" value of cur_sj_inner_tables was 0.\n */\n table_map save_cur_sj_inner_tables= join->cur_sj_inner_tables;\n join->cur_sj_inner_tables= 0;\n\n for (i= first_tab; i <= last_tab; i++)\n {\n JOIN_TAB *rs= join->positions[i].table;\n POSITION pos, loose_scan_pos;\n \n if ((i == first_tab && first_alt) || join->positions[i].use_join_buffer)\n {\n /* Find the best access method that would not use join buffering */\n best_access_path(join, rs, reopt_remaining_tables,\n join->positions, i,\n TRUE, rec_count,\n &pos, &loose_scan_pos);\n }\n else \n pos= join->positions[i];\n\n if ((i == first_tab && first_alt))\n pos= loose_scan_pos;\n\n reopt_remaining_tables &= ~rs->table->map;\n rec_count= COST_MULT(rec_count, pos.records_read);\n cost= COST_ADD(cost, pos.read_time);\n cost= COST_ADD(cost, rec_count / (double) TIME_FOR_COMPARE);\n //TODO: take into account join condition selectivity here\n double pushdown_cond_selectivity= 1.0;\n table_map real_table_bit= rs->table->map;\n if (join->thd->variables.optimizer_use_condition_selectivity > 1)\n {\n pushdown_cond_selectivity= table_cond_selectivity(join, i, rs,\n reopt_remaining_tables &\n ~real_table_bit);\n }\n (*outer_rec_count) *= pushdown_cond_selectivity;\n if (!rs->emb_sj_nest)\n *outer_rec_count= COST_MULT(*outer_rec_count, pos.records_read);\n\n }\n join->cur_sj_inner_tables= save_cur_sj_inner_tables;\n\n *reopt_cost= cost;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 186993162052931075175568555489051031035, "size": 79, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508661 }, { "func": "static void nfs4_xdr_enc_free_stateid(struct rpc_rqst *req,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs41_free_stateid_args *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_free_stateid(xdr, args, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 337211526697855369150711940055421580105, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431513 }, { "func": "CtPtr ProtocolV1::handle_connect_reply_auth(char *buffer, int r) {\n ldout(cct, 20) << __func__ << \" r=\" << r << dendl;\n\n if (r < 0) {\n ldout(cct, 1) << 
__func__ << \" read connect reply authorizer failed\"\n << dendl;\n return _fault();\n }\n\n bufferlist authorizer_reply;\n authorizer_reply.append(buffer, connect_reply.authorizer_len);\n\n if (connection->peer_type != CEPH_ENTITY_TYPE_MON ||\n messenger->get_myname().type() == CEPH_ENTITY_TYPE_MON) {\n auto am = auth_meta;\n bool more = (connect_reply.tag == CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER);\n bufferlist auth_retry_bl;\n int r;\n connection->lock.unlock();\n if (more) {\n r = messenger->auth_client->handle_auth_reply_more(\n\tconnection, am.get(), authorizer_reply, &auth_retry_bl);\n } else {\n // these aren't used for v1\n CryptoKey skey;\n string con_secret;\n r = messenger->auth_client->handle_auth_done(\n\tconnection, am.get(),\n\t0 /* global id */, 0 /* con mode */,\n\tauthorizer_reply,\n\t&skey, &con_secret);\n }\n connection->lock.lock();\n if (state != CONNECTING_SEND_CONNECT_MSG) {\n ldout(cct, 1) << __func__ << \" state changed\" << dendl;\n return _fault();\n }\n if (r < 0) {\n return _fault();\n }\n if (more && r == 0) {\n authorizer_more = auth_retry_bl;\n return CONTINUE(send_connect_message);\n }\n }\n\n return handle_connect_reply_2();\n}", "project": "ceph", "hash": 251209217199090615874511901709319256236, "size": 48, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": "msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f (\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer 
gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 0, "dataset": "other", "idx": 356900 }, { "func": "static int vhost_vdpa_probe(struct vdpa_device *vdpa)\n{\n\tconst struct vdpa_config_ops *ops = vdpa->config;\n\tstruct vhost_vdpa *v;\n\tint minor;\n\tint r;\n\n\t/* Currently, we only accept the network devices. */\n\tif (ops->get_device_id(vdpa) != VIRTIO_ID_NET)\n\t\treturn -ENOTSUPP;\n\n\tv = kzalloc(sizeof(*v), GFP_KERNEL | __GFP_RETRY_MAYFAIL);\n\tif (!v)\n\t\treturn -ENOMEM;\n\n\tminor = ida_simple_get(&vhost_vdpa_ida, 0,\n\t\t\t VHOST_VDPA_DEV_MAX, GFP_KERNEL);\n\tif (minor < 0) {\n\t\tkfree(v);\n\t\treturn minor;\n\t}\n\n\tatomic_set(&v->opened, 0);\n\tv->minor = minor;\n\tv->vdpa = vdpa;\n\tv->nvqs = vdpa->nvqs;\n\tv->virtio_id = ops->get_device_id(vdpa);\n\n\tdevice_initialize(&v->dev);\n\tv->dev.release = vhost_vdpa_release_dev;\n\tv->dev.parent = &vdpa->dev;\n\tv->dev.devt = MKDEV(MAJOR(vhost_vdpa_major), minor);\n\tv->vqs = kmalloc_array(v->nvqs, sizeof(struct vhost_virtqueue),\n\t\t\t GFP_KERNEL);\n\tif (!v->vqs) {\n\t\tr = -ENOMEM;\n\t\tgoto err;\n\t}\n\n\tr = dev_set_name(&v->dev, \"vhost-vdpa-%u\", minor);\n\tif (r)\n\t\tgoto err;\n\n\tcdev_init(&v->cdev, &vhost_vdpa_fops);\n\tv->cdev.owner = THIS_MODULE;\n\n\tr = cdev_device_add(&v->cdev, &v->dev);\n\tif (r)\n\t\tgoto err;\n\n\tinit_completion(&v->completion);\n\tvdpa_set_drvdata(vdpa, v);\n\n\treturn 0;\n\nerr:\n\tput_device(&v->dev);\n\treturn r;\n}", "project": "linux", "hash": 77334092659099883240405602304049988523, "size": 59, "commit_id": "f6bbf0010ba004f5e90c7aefdebc0ee4bd3283b9", "message": "vhost-vdpa: fix use-after-free of v->config_ctx\n\nWhen the 'v->config_ctx' eventfd_ctx reference is released we 
didn't\nset it to NULL. So if the same character device (e.g. /dev/vhost-vdpa-0)\nis re-opened, the 'v->config_ctx' is invalid and calling again\nvhost_vdpa_config_put() causes use-after-free issues like the\nfollowing refcount_t underflow:\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 2 PID: 872 at lib/refcount.c:28 refcount_warn_saturate+0xae/0xf0\n RIP: 0010:refcount_warn_saturate+0xae/0xf0\n Call Trace:\n eventfd_ctx_put+0x5b/0x70\n vhost_vdpa_release+0xcd/0x150 [vhost_vdpa]\n __fput+0x8e/0x240\n ____fput+0xe/0x10\n task_work_run+0x66/0xa0\n exit_to_user_mode_prepare+0x118/0x120\n syscall_exit_to_user_mode+0x21/0x50\n ? __x64_sys_close+0x12/0x40\n do_syscall_64+0x45/0x50\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFixes: 776f395004d8 (\"vhost_vdpa: Support config interrupt in vdpa\")\nCc: lingshan.zhu@intel.com\nCc: stable@vger.kernel.org\nSigned-off-by: Stefano Garzarella \nLink: https://lore.kernel.org/r/20210311135257.109460-2-sgarzare@redhat.com\nSigned-off-by: Michael S. 
Tsirkin \nReviewed-by: Zhu Lingshan \nAcked-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 478247 }, { "func": "bool CPlayListPLS::Load(const std::string &strFile)\n{\n //read it from the file\n std::string strFileName(strFile);\n m_strPlayListName = URIUtils::GetFileName(strFileName);\n\n Clear();\n\n bool bShoutCast = false;\n if( StringUtils::StartsWithNoCase(strFileName, \"shout://\") )\n {\n strFileName.replace(0, 8, \"http://\");\n m_strBasePath = \"\";\n bShoutCast = true;\n }\n else\n URIUtils::GetParentPath(strFileName, m_strBasePath);\n\n CFile file;\n if (!file.Open(strFileName) )\n {\n file.Close();\n return false;\n }\n\n if (file.GetLength() > 1024*1024)\n {\n CLog::Log(LOGWARNING, \"{} - File is larger than 1 MB, most likely not a playlist\",\n __FUNCTION__);\n return false;\n }\n\n char szLine[4096];\n std::string strLine;\n\n // run through looking for the [playlist] marker.\n // if we find another http stream, then load it.\n while (true)\n {\n if ( !file.ReadString(szLine, sizeof(szLine) ) )\n {\n file.Close();\n return size() > 0;\n }\n strLine = szLine;\n StringUtils::Trim(strLine);\n if(StringUtils::EqualsNoCase(strLine, START_PLAYLIST_MARKER))\n break;\n\n // if there is something else before playlist marker, this isn't a pls file\n if(!strLine.empty())\n return false;\n }\n\n bool bFailed = false;\n while (file.ReadString(szLine, sizeof(szLine) ) )\n {\n strLine = szLine;\n StringUtils::RemoveCRLF(strLine);\n size_t iPosEqual = strLine.find('=');\n if (iPosEqual != std::string::npos)\n {\n std::string strLeft = strLine.substr(0, iPosEqual);\n iPosEqual++;\n std::string strValue = strLine.substr(iPosEqual);\n StringUtils::ToLower(strLeft);\n StringUtils::TrimLeft(strLeft);\n\n if (strLeft == \"numberofentries\")\n {\n m_vecItems.reserve(atoi(strValue.c_str()));\n }\n else if (StringUtils::StartsWith(strLeft, \"file\"))\n {\n std::vector ::size_type idx = atoi(strLeft.c_str() + 4);\n if (!Resize(idx))\n {\n bFailed = true;\n 
break;\n }\n\n // Skip self - do not load playlist recursively\n if (StringUtils::EqualsNoCase(URIUtils::GetFileName(strValue),\n URIUtils::GetFileName(strFileName)))\n continue;\n\n if (m_vecItems[idx - 1]->GetLabel().empty())\n m_vecItems[idx - 1]->SetLabel(URIUtils::GetFileName(strValue));\n CFileItem item(strValue, false);\n if (bShoutCast && !item.IsAudio())\n strValue.replace(0, 7, \"shout://\");\n\n strValue = URIUtils::SubstitutePath(strValue);\n CUtil::GetQualifiedFilename(m_strBasePath, strValue);\n g_charsetConverter.unknownToUTF8(strValue);\n m_vecItems[idx - 1]->SetPath(strValue);\n }\n else if (StringUtils::StartsWith(strLeft, \"title\"))\n {\n std::vector ::size_type idx = atoi(strLeft.c_str() + 5);\n if (!Resize(idx))\n {\n bFailed = true;\n break;\n }\n g_charsetConverter.unknownToUTF8(strValue);\n m_vecItems[idx - 1]->SetLabel(strValue);\n }\n else if (StringUtils::StartsWith(strLeft, \"length\"))\n {\n std::vector ::size_type idx = atoi(strLeft.c_str() + 6);\n if (!Resize(idx))\n {\n bFailed = true;\n break;\n }\n m_vecItems[idx - 1]->GetMusicInfoTag()->SetDuration(atol(strValue.c_str()));\n }\n else if (strLeft == \"playlistname\")\n {\n m_strPlayListName = strValue;\n g_charsetConverter.unknownToUTF8(m_strPlayListName);\n }\n }\n }\n file.Close();\n\n if (bFailed)\n {\n CLog::Log(LOGERROR,\n \"File {} is not a valid PLS playlist. Location of first file,title or length is not \"\n \"permitted (eg. 
File0 should be File1)\",\n URIUtils::GetFileName(strFileName));\n return false;\n }\n\n // check for missing entries\n ivecItems p = m_vecItems.begin();\n while ( p != m_vecItems.end())\n {\n if ((*p)->GetPath().empty())\n {\n p = m_vecItems.erase(p);\n }\n else\n {\n ++p;\n }\n }\n\n return true;\n}", "project": "xbmc", "hash": 59906705951591163956656659105581448944, "size": 152, "commit_id": "80c8138c09598e88b4ddb6dbb279fa193bbb3237", "message": "[Playlist] dont use istream directly to a tinyxml structure\n\nTurn istream into a std::string to handle large buffers (#20305)", "target": 0, "dataset": "other", "idx": 219932 }, { "func": "static int mnt_optstr_locate_option(char *optstr, const char *name,\n\t\t\t\t\tstruct libmnt_optloc *ol)\n{\n\tchar *n;\n\tsize_t namesz, nsz;\n\tint rc;\n\n\tif (!optstr)\n\t\treturn 1;\n\n\tassert(name);\n\n\tnamesz = strlen(name);\n\n\tdo {\n\t\trc = mnt_optstr_parse_next(&optstr, &n, &nsz,\n\t\t\t\t\t&ol->value, &ol->valsz);\n\t\tif (rc)\n\t\t\tbreak;\n\n\t\tif (namesz == nsz && strncmp(n, name, nsz) == 0) {\n\t\t\tol->begin = n;\n\t\t\tol->end = *(optstr - 1) == ',' ? 
optstr - 1 : optstr;\n\t\t\tol->namesz = nsz;\n\t\t\treturn 0;\n\t\t}\n\t} while(1);\n\n\treturn rc;\n}", "project": "util-linux", "hash": 235280143139768200641354125365883357101, "size": 30, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410394 }, { "func": "static int ca8210_probe(struct spi_device *spi_device)\n{\n\tstruct ca8210_priv *priv;\n\tstruct ieee802154_hw *hw;\n\tstruct ca8210_platform_data *pdata;\n\tint ret;\n\n\tdev_info(&spi_device->dev, \"Inserting ca8210\\n\");\n\n\t/* allocate ieee802154_hw and private data */\n\thw = ieee802154_alloc_hw(sizeof(struct ca8210_priv), &ca8210_phy_ops);\n\tif (!hw) {\n\t\tdev_crit(&spi_device->dev, \"ieee802154_alloc_hw failed\\n\");\n\t\tret = -ENOMEM;\n\t\tgoto error;\n\t}\n\n\tpriv = hw->priv;\n\tpriv->hw = hw;\n\tpriv->spi = spi_device;\n\thw->parent = &spi_device->dev;\n\tspin_lock_init(&priv->lock);\n\tpriv->async_tx_pending = false;\n\tpriv->hw_registered = false;\n\tpriv->sync_up = 0;\n\tpriv->sync_down = 0;\n\tpriv->promiscuous = false;\n\tpriv->retries = 0;\n\tinit_completion(&priv->ca8210_is_awake);\n\tinit_completion(&priv->spi_transfer_complete);\n\tinit_completion(&priv->sync_exchange_complete);\n\tspi_set_drvdata(priv->spi, priv);\n\tif (IS_ENABLED(CONFIG_IEEE802154_CA8210_DEBUGFS)) {\n\t\tcascoda_api_upstream = ca8210_test_int_driver_write;\n\t\tca8210_test_interface_init(priv);\n\t} else {\n\t\tcascoda_api_upstream = NULL;\n\t}\n\tca8210_hw_setup(hw);\n\tieee802154_random_extended_addr(&hw->phy->perm_extended_addr);\n\n\tpdata = kmalloc(sizeof(*pdata), GFP_KERNEL);\n\tif (!pdata) {\n\t\tret = -ENOMEM;\n\t\tgoto error;\n\t}\n\n\tret = ca8210_get_platform_data(priv->spi, pdata);\n\tif (ret) {\n\t\tdev_crit(&spi_device->dev, \"ca8210_get_platform_data 
failed\\n\");\n\t\tgoto error;\n\t}\n\tpriv->spi->dev.platform_data = pdata;\n\n\tret = ca8210_dev_com_init(priv);\n\tif (ret) {\n\t\tdev_crit(&spi_device->dev, \"ca8210_dev_com_init failed\\n\");\n\t\tgoto error;\n\t}\n\tret = ca8210_reset_init(priv->spi);\n\tif (ret) {\n\t\tdev_crit(&spi_device->dev, \"ca8210_reset_init failed\\n\");\n\t\tgoto error;\n\t}\n\n\tret = ca8210_interrupt_init(priv->spi);\n\tif (ret) {\n\t\tdev_crit(&spi_device->dev, \"ca8210_interrupt_init failed\\n\");\n\t\tgoto error;\n\t}\n\n\tmsleep(100);\n\n\tca8210_reset_send(priv->spi, 1);\n\n\tret = tdme_chipinit(priv->spi);\n\tif (ret) {\n\t\tdev_crit(&spi_device->dev, \"tdme_chipinit failed\\n\");\n\t\tgoto error;\n\t}\n\n\tif (pdata->extclockenable) {\n\t\tret = ca8210_config_extern_clk(pdata, priv->spi, 1);\n\t\tif (ret) {\n\t\t\tdev_crit(\n\t\t\t\t&spi_device->dev,\n\t\t\t\t\"ca8210_config_extern_clk failed\\n\"\n\t\t\t);\n\t\t\tgoto error;\n\t\t}\n\t\tret = ca8210_register_ext_clock(priv->spi);\n\t\tif (ret) {\n\t\t\tdev_crit(\n\t\t\t\t&spi_device->dev,\n\t\t\t\t\"ca8210_register_ext_clock failed\\n\"\n\t\t\t);\n\t\t\tgoto error;\n\t\t}\n\t}\n\n\tret = ieee802154_register_hw(hw);\n\tif (ret) {\n\t\tdev_crit(&spi_device->dev, \"ieee802154_register_hw failed\\n\");\n\t\tgoto error;\n\t}\n\tpriv->hw_registered = true;\n\n\treturn 0;\nerror:\n\tmsleep(100); /* wait for pending spi transfers to complete */\n\tca8210_remove(spi_device);\n\treturn link_to_linux_err(ret);\n}", "project": "linux", "hash": 140536448521281187745613931545799203059, "size": 113, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: 
https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 1, "dataset": "other", "idx": 208360 }, { "func": "static int ca8210_probe(struct spi_device *spi_device)\n{\n\tstruct ca8210_priv *priv;\n\tstruct ieee802154_hw *hw;\n\tstruct ca8210_platform_data *pdata;\n\tint ret;\n\n\tdev_info(&spi_device->dev, \"Inserting ca8210\\n\");\n\n\t/* allocate ieee802154_hw and private data */\n\thw = ieee802154_alloc_hw(sizeof(struct ca8210_priv), &ca8210_phy_ops);\n\tif (!hw) {\n\t\tdev_crit(&spi_device->dev, \"ieee802154_alloc_hw failed\\n\");\n\t\tret = -ENOMEM;\n\t\tgoto error;\n\t}\n\n\tpriv = hw->priv;\n\tpriv->hw = hw;\n\tpriv->spi = spi_device;\n\thw->parent = &spi_device->dev;\n\tspin_lock_init(&priv->lock);\n\tpriv->async_tx_pending = false;\n\tpriv->hw_registered = false;\n\tpriv->sync_up = 0;\n\tpriv->sync_down = 0;\n\tpriv->promiscuous = false;\n\tpriv->retries = 0;\n\tinit_completion(&priv->ca8210_is_awake);\n\tinit_completion(&priv->spi_transfer_complete);\n\tinit_completion(&priv->sync_exchange_complete);\n\tspi_set_drvdata(priv->spi, priv);\n\tif (IS_ENABLED(CONFIG_IEEE802154_CA8210_DEBUGFS)) {\n\t\tcascoda_api_upstream = ca8210_test_int_driver_write;\n\t\tca8210_test_interface_init(priv);\n\t} else {\n\t\tcascoda_api_upstream = NULL;\n\t}\n\tca8210_hw_setup(hw);\n\tieee802154_random_extended_addr(&hw->phy->perm_extended_addr);\n\n\tpdata = kmalloc(sizeof(*pdata), GFP_KERNEL);\n\tif (!pdata) {\n\t\tret = -ENOMEM;\n\t\tgoto error;\n\t}\n\n\tpriv->spi->dev.platform_data = pdata;\n\tret = ca8210_get_platform_data(priv->spi, pdata);\n\tif (ret) {\n\t\tdev_crit(&spi_device->dev, \"ca8210_get_platform_data failed\\n\");\n\t\tgoto error;\n\t}\n\n\tret = ca8210_dev_com_init(priv);\n\tif (ret) {\n\t\tdev_crit(&spi_device->dev, \"ca8210_dev_com_init failed\\n\");\n\t\tgoto error;\n\t}\n\tret = ca8210_reset_init(priv->spi);\n\tif (ret) {\n\t\tdev_crit(&spi_device->dev, \"ca8210_reset_init 
failed\\n\");\n\t\tgoto error;\n\t}\n\n\tret = ca8210_interrupt_init(priv->spi);\n\tif (ret) {\n\t\tdev_crit(&spi_device->dev, \"ca8210_interrupt_init failed\\n\");\n\t\tgoto error;\n\t}\n\n\tmsleep(100);\n\n\tca8210_reset_send(priv->spi, 1);\n\n\tret = tdme_chipinit(priv->spi);\n\tif (ret) {\n\t\tdev_crit(&spi_device->dev, \"tdme_chipinit failed\\n\");\n\t\tgoto error;\n\t}\n\n\tif (pdata->extclockenable) {\n\t\tret = ca8210_config_extern_clk(pdata, priv->spi, 1);\n\t\tif (ret) {\n\t\t\tdev_crit(\n\t\t\t\t&spi_device->dev,\n\t\t\t\t\"ca8210_config_extern_clk failed\\n\"\n\t\t\t);\n\t\t\tgoto error;\n\t\t}\n\t\tret = ca8210_register_ext_clock(priv->spi);\n\t\tif (ret) {\n\t\t\tdev_crit(\n\t\t\t\t&spi_device->dev,\n\t\t\t\t\"ca8210_register_ext_clock failed\\n\"\n\t\t\t);\n\t\t\tgoto error;\n\t\t}\n\t}\n\n\tret = ieee802154_register_hw(hw);\n\tif (ret) {\n\t\tdev_crit(&spi_device->dev, \"ieee802154_register_hw failed\\n\");\n\t\tgoto error;\n\t}\n\tpriv->hw_registered = true;\n\n\treturn 0;\nerror:\n\tmsleep(100); /* wait for pending spi transfers to complete */\n\tca8210_remove(spi_device);\n\treturn link_to_linux_err(ret);\n}", "project": "linux", "hash": 188473089036627924087079919084020542406, "size": 113, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408790 }, { "func": "Status GraphConstructor::PopulateReturnTensors() {\n if (opts_.return_tensors.empty()) return Status::OK();\n for (const TensorId& id : opts_.return_tensors) {\n auto iter = opts_.input_map.find(id);\n if (iter == opts_.input_map.end()) {\n 
// Locate id in imported nodes\n auto iter = gdef_nodes_.find(id.first);\n if (iter == gdef_nodes_.end()) {\n return errors::InvalidArgument(\"Requested return tensor '\",\n id.ToString(),\n \"' not found in graph def\");\n }\n int num_outputs = iter->second.node->num_outputs();\n if ((id.second < 0 || id.second >= num_outputs) &&\n id.second != Graph::kControlSlot) {\n return errors::InvalidArgument(\"Invalid return output \", id.second,\n \" of node '\", id.first, \"', which has \",\n num_outputs, \" output(s)\");\n }\n return_tensors_->push_back({iter->second.node, id.second});\n } else {\n // id was remapped to existing node\n TensorId remapped_id = iter->second;\n DCHECK_GT(existing_nodes_.count(remapped_id.first), 0);\n Node* node = existing_nodes_[remapped_id.first];\n return_tensors_->push_back({node, remapped_id.second});\n }\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 77896923186187324083429288512768216463, "size": 30, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268344 }, { "func": "static int pfkey_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,\n\t\t\t int flags)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct pfkey_sock *pfk = pfkey_sk(sk);\n\tstruct sk_buff *skb;\n\tint copied, err;\n\n\terr = -EINVAL;\n\tif (flags & ~(MSG_PEEK|MSG_DONTWAIT|MSG_TRUNC|MSG_CMSG_COMPAT))\n\t\tgoto out;\n\n\tskb = skb_recv_datagram(sk, flags, flags & MSG_DONTWAIT, &err);\n\tif (skb == NULL)\n\t\tgoto out;\n\n\tcopied = skb->len;\n\tif (copied > len) {\n\t\tmsg->msg_flags |= MSG_TRUNC;\n\t\tcopied = len;\n\t}\n\n\tskb_reset_transport_header(skb);\n\terr = skb_copy_datagram_msg(skb, 0, msg, copied);\n\tif (err)\n\t\tgoto out_free;\n\n\tsock_recv_ts_and_drops(msg, sk, skb);\n\n\terr = (flags & MSG_TRUNC) ? skb->len : copied;\n\n\tif (pfk->dump.dump != NULL &&\n\t 3 * atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf)\n\t\tpfkey_do_dump(pfk);\n\nout_free:\n\tskb_free_datagram(sk, skb);\nout:\n\treturn err;\n}", "project": "linux", "hash": 83363326648198952151091803245994577661, "size": 40, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268057 }, { "func": "static inline bool vcpu_valid_wakeup(struct kvm_vcpu *vcpu)\n{\n\treturn vcpu->valid_wakeup;\n}", "project": "linux", "hash": 318984183417775891685792730048561543746, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354556 }, { "func": "static inline bool vcpu_valid_wakeup(struct kvm_vcpu *vcpu)\n{\n\treturn true;\n}", "project": "linux", "hash": 59212849075887637699440866448372692477, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: 
<20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354767 }, { "func": " bool const_item() const { return used_tables() == 0; }", "target": 1, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 176129634520084965565043652739444849021, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 216904 }, { "func": " bool const_item() const \n {\n return (*ref)->const_item();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 210446349285880403052421643057703286295, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509033 }, { "func": " bool const_item() const\n {\n return (*ref)->const_item() && (null_ref_table == NO_NULL_TABLE);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 202244787198670919560882068325395126598, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509263 }, { "func": " bool const_item() const { return orig_item->const_item(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 194433948025839653736822275770283453939, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509266 }, { "func": " bool const_item() const { return const_item_cache; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 316593702129497556343118970735018652114, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509308 }, { "func": " bool const_item() const { return true; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 159584463450720417609161999255773197240, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509429 }, { "func": "static void ep_poll_safewake(struct eventpoll *ep, struct epitem *epi)\n{\n\twake_up_poll(&ep->poll_wait, EPOLLIN);\n}", "project": "linux", "hash": 288615169621263003736398605718770264487, "size": 4, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336228 }, { "func": "static void ep_poll_safewake(struct eventpoll *ep, struct epitem *epi)\n{\n\tstruct eventpoll *ep_src;\n\tunsigned long flags;\n\tu8 nests = 0;\n\n\t/*\n\t * To set the subclass or nesting level for spin_lock_irqsave_nested()\n\t * it might be natural to create a per-cpu nest count. However, since\n\t * we can recurse on ep->poll_wait.lock, and a non-raw spinlock can\n\t * schedule() in the -rt kernel, the per-cpu variable are no longer\n\t * protected. Thus, we are introducing a per eventpoll nest field.\n\t * If we are not being call from ep_poll_callback(), epi is NULL and\n\t * we are at the first level of nesting, 0. Otherwise, we are being\n\t * called from ep_poll_callback() and if a previous wakeup source is\n\t * not an epoll file itself, we are at depth 1 since the wakeup source\n\t * is depth 0. If the wakeup source is a previous epoll file in the\n\t * wakeup chain then we use its nests value and record ours as\n\t * nests + 1. 
The previous epoll file nests value is stable since its\n\t * already holding its own poll_wait.lock.\n\t */\n\tif (epi) {\n\t\tif ((is_file_epoll(epi->ffd.file))) {\n\t\t\tep_src = epi->ffd.file->private_data;\n\t\t\tnests = ep_src->nests;\n\t\t} else {\n\t\t\tnests = 1;\n\t\t}\n\t}\n\tspin_lock_irqsave_nested(&ep->poll_wait.lock, flags, nests);\n\tep->nests = nests + 1;\n\twake_up_locked_poll(&ep->poll_wait, EPOLLIN);\n\tep->nests = 0;\n\tspin_unlock_irqrestore(&ep->poll_wait.lock, flags);\n}", "project": "linux", "hash": 146831545197742363312457846434512769846, "size": 35, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336276 }, { "func": "Status CompressElement(const std::vector& element,\n CompressedElement* out) {\n // Step 1: Determine the total uncompressed size. This requires serializing\n // non-memcopyable tensors, which we save to use again later.\n std::vector non_memcpy_components;\n int64 total_size = 0;\n for (auto& component : element) {\n if (DataTypeCanUseMemcpy(component.dtype())) {\n // Some datatypes can be memcopied, allowing us to save two copies\n // (AsProtoTensorContent and SerializeToArray).\n total_size += DMAHelper::buffer(&component)->size();\n } else {\n non_memcpy_components.emplace_back();\n component.AsProtoTensorContent(&non_memcpy_components.back());\n total_size += non_memcpy_components.back().ByteSizeLong();\n }\n }\n\n // Step 2: Write the tensor data to a buffer, and compress that buffer.\n // We use tstring for access to resize_uninitialized.\n tstring uncompressed;\n uncompressed.resize_uninitialized(total_size);\n // Position in `uncompressed` to write the next component.\n char* position = uncompressed.mdata();\n int non_memcpy_component_index = 0;\n for (auto& component : element) {\n CompressedComponentMetadata* metadata =\n out->mutable_component_metadata()->Add();\n 
metadata->set_dtype(component.dtype());\n component.shape().AsProto(metadata->mutable_tensor_shape());\n if (DataTypeCanUseMemcpy(component.dtype())) {\n const TensorBuffer* buffer = DMAHelper::buffer(&component);\n memcpy(position, buffer->data(), buffer->size());\n metadata->set_tensor_size_bytes(buffer->size());\n } else {\n TensorProto& proto = non_memcpy_components[non_memcpy_component_index++];\n proto.SerializeToArray(position, proto.ByteSizeLong());\n metadata->set_tensor_size_bytes(proto.ByteSizeLong());\n }\n position += metadata->tensor_size_bytes();\n }\n DCHECK_EQ(position, uncompressed.mdata() + total_size);\n\n if (!port::Snappy_Compress(uncompressed.mdata(), total_size,\n out->mutable_data())) {\n return errors::Internal(\"Failed to compress using snappy.\");\n }\n VLOG(3) << \"Compressed element from \" << total_size << \" bytes to \"\n << out->data().size() << \" bytes\";\n return Status::OK();\n}", "project": "tensorflow", "hash": 221515392574513944494740423419101303962, "size": 51, "commit_id": "5dc7f6981fdaf74c8c5be41f393df705841fb7c5", "message": "Fix accessing possible nullptr in tensorflow::data::CompressElement and UncompressElement which are used in tf.data.service.\n\nPiperOrigin-RevId: 373920841\nChange-Id: Ia88d78aee09fa19bb53a0f163fd19620d0c68743", "target": 1, "dataset": "other", "idx": 196856 }, { "func": "Status CompressElement(const std::vector& element,\n CompressedElement* out) {\n // Step 1: Determine the total uncompressed size. 
This requires serializing\n // non-memcopyable tensors, which we save to use again later.\n std::vector non_memcpy_components;\n int64 total_size = 0;\n for (auto& component : element) {\n if (DataTypeCanUseMemcpy(component.dtype())) {\n const TensorBuffer* buffer = DMAHelper::buffer(&component);\n if (buffer) {\n total_size += buffer->size();\n }\n } else {\n non_memcpy_components.emplace_back();\n component.AsProtoTensorContent(&non_memcpy_components.back());\n total_size += non_memcpy_components.back().ByteSizeLong();\n }\n }\n\n // Step 2: Write the tensor data to a buffer, and compress that buffer.\n // We use tstring for access to resize_uninitialized.\n tstring uncompressed;\n uncompressed.resize_uninitialized(total_size);\n // Position in `uncompressed` to write the next component.\n char* position = uncompressed.mdata();\n int non_memcpy_component_index = 0;\n for (auto& component : element) {\n CompressedComponentMetadata* metadata =\n out->mutable_component_metadata()->Add();\n metadata->set_dtype(component.dtype());\n component.shape().AsProto(metadata->mutable_tensor_shape());\n if (DataTypeCanUseMemcpy(component.dtype())) {\n const TensorBuffer* buffer = DMAHelper::buffer(&component);\n if (buffer) {\n memcpy(position, buffer->data(), buffer->size());\n metadata->set_tensor_size_bytes(buffer->size());\n }\n } else {\n TensorProto& proto = non_memcpy_components[non_memcpy_component_index++];\n proto.SerializeToArray(position, proto.ByteSizeLong());\n metadata->set_tensor_size_bytes(proto.ByteSizeLong());\n }\n position += metadata->tensor_size_bytes();\n }\n DCHECK_EQ(position, uncompressed.mdata() + total_size);\n\n if (!port::Snappy_Compress(uncompressed.mdata(), total_size,\n out->mutable_data())) {\n return errors::Internal(\"Failed to compress using snappy.\");\n }\n VLOG(3) << \"Compressed element from \" << total_size << \" bytes to \"\n << out->data().size() << \" bytes\";\n return Status::OK();\n}", "project": "tensorflow", "hash": 
20244254151554116869938450542850593726, "size": 54, "commit_id": "5dc7f6981fdaf74c8c5be41f393df705841fb7c5", "message": "Fix accessing possible nullptr in tensorflow::data::CompressElement and UncompressElement which are used in tf.data.service.\n\nPiperOrigin-RevId: 373920841\nChange-Id: Ia88d78aee09fa19bb53a0f163fd19620d0c68743", "target": 0, "dataset": "other", "idx": 246589 }, { "func": "static int on_fcn_new(RAnal *_anal, void* _user, RAnalFunction *fcn) {\n\tRCore *core = (RCore*)_user;\n\tconst char *cmd = r_config_get (core->config, \"cmd.fcn.new\");\n\tif (cmd && *cmd) {\n\t\tut64 oaddr = core->offset;\n\t\tut64 addr = fcn->addr;\n\t\tr_core_seek (core, addr, 1);\n\t\tr_core_cmd0 (core, cmd);\n\t\tr_core_seek (core, oaddr, 1);\n\t}\n\treturn 0;\n}", "project": "radare2", "hash": 310204318986827328535220437842751994678, "size": 12, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232094 }, { "func": "\nstatic s64 tctx_inflight(struct io_uring_task *tctx, bool tracked)\n{\n\tif (tracked)\n\t\treturn atomic_read(&tctx->inflight_tracked);\n\treturn percpu_counter_sum(&tctx->inflight);", "project": "linux", "hash": 228008637457185664735450136705737084977, "size": 6, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338614 }, { "func": "Variant f_hotprofiler_disable() {\n return s_profiler_factory->stop();\n}", "project": "hhvm", "hash": 48258536020267463882251806729339044753, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219778 }, { "func": "void hci_req_add_le_passive_scan(struct hci_request *req)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tu8 own_addr_type;\n\tu8 filter_policy;\n\tu16 window, interval;\n\t/* Background scanning should run with address resolution */\n\tbool addr_resolv = true;\n\n\tif (hdev->scanning_paused) {\n\t\tbt_dev_dbg(hdev, \"Scanning is paused for suspend\");\n\t\treturn;\n\t}\n\n\t/* Set require_privacy to false since no SCAN_REQ are send\n\t * during passive scanning. 
Not using an non-resolvable address\n\t * here is important so that peer devices using direct\n\t * advertising with our address will be correctly reported\n\t * by the controller.\n\t */\n\tif (hci_update_random_address(req, false, scan_use_rpa(hdev),\n\t\t\t\t &own_addr_type))\n\t\treturn;\n\n\tif (hdev->enable_advmon_interleave_scan &&\n\t __hci_update_interleaved_scan(hdev))\n\t\treturn;\n\n\tbt_dev_dbg(hdev, \"interleave state %d\", hdev->interleave_scan_state);\n\t/* Adding or removing entries from the white list must\n\t * happen before enabling scanning. The controller does\n\t * not allow white list modification while scanning.\n\t */\n\tfilter_policy = update_white_list(req);\n\n\t/* When the controller is using random resolvable addresses and\n\t * with that having LE privacy enabled, then controllers with\n\t * Extended Scanner Filter Policies support can now enable support\n\t * for handling directed advertising.\n\t *\n\t * So instead of using filter polices 0x00 (no whitelist)\n\t * and 0x01 (whitelist enabled) use the new filter policies\n\t * 0x02 (no whitelist) and 0x03 (whitelist enabled).\n\t */\n\tif (hci_dev_test_flag(hdev, HCI_PRIVACY) &&\n\t (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY))\n\t\tfilter_policy |= 0x02;\n\n\tif (hdev->suspended) {\n\t\twindow = hdev->le_scan_window_suspend;\n\t\tinterval = hdev->le_scan_int_suspend;\n\n\t\tset_bit(SUSPEND_SCAN_ENABLE, hdev->suspend_tasks);\n\t} else if (hci_is_le_conn_scanning(hdev)) {\n\t\twindow = hdev->le_scan_window_connect;\n\t\tinterval = hdev->le_scan_int_connect;\n\t} else if (hci_is_adv_monitoring(hdev)) {\n\t\twindow = hdev->le_scan_window_adv_monitor;\n\t\tinterval = hdev->le_scan_int_adv_monitor;\n\t} else {\n\t\twindow = hdev->le_scan_window;\n\t\tinterval = hdev->le_scan_interval;\n\t}\n\n\tbt_dev_dbg(hdev, \"LE passive scan with whitelist = %d\", filter_policy);\n\thci_req_start_scan(req, LE_SCAN_PASSIVE, interval, window,\n\t\t\t own_addr_type, filter_policy, addr_resolv);\n}", 
"project": "linux", "hash": 80396666018070555948361117591282673006, "size": 68, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402479 }, { "func": "static void print_lat_help_header(struct seq_file *m)\n{\n\tseq_puts(m, \"# _------=> CPU# \\n\"\n\t\t \"# / _-----=> irqs-off \\n\"\n\t\t \"# | / _----=> need-resched \\n\"\n\t\t \"# || / _---=> hardirq/softirq \\n\"\n\t\t \"# ||| / _--=> preempt-depth \\n\"\n\t\t \"# |||| / delay \\n\"\n\t\t \"# cmd pid ||||| time | caller \\n\"\n\t\t \"# \\\\ / ||||| \\\\ | / \\n\");\n}", "project": "linux", "hash": 192576545767718728068752091350658765214, "size": 11, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445777 }, { "func": "static OPJ_BOOL opj_j2k_need_nb_tile_parts_correction(opj_stream_private_t\n *p_stream, OPJ_UINT32 tile_no, OPJ_BOOL* p_correction_needed,\n opj_event_mgr_t * p_manager)\n{\n OPJ_BYTE l_header_data[10];\n OPJ_OFF_T l_stream_pos_backup;\n OPJ_UINT32 l_current_marker;\n OPJ_UINT32 l_marker_size;\n OPJ_UINT32 l_tile_no, l_tot_len, l_current_part, l_num_parts;\n\n /* initialize to no correction needed */\n *p_correction_needed = OPJ_FALSE;\n\n if (!opj_stream_has_seek(p_stream)) {\n /* We can't do much in this case, seek is needed */\n return OPJ_TRUE;\n }\n\n l_stream_pos_backup = opj_stream_tell(p_stream);\n if (l_stream_pos_backup == -1) {\n /* let's do nothing */\n return OPJ_TRUE;\n }\n\n for (;;) {\n /* Try to read 2 bytes (the next marker ID) from stream and copy them into the buffer */\n if (opj_stream_read_data(p_stream, l_header_data, 2, p_manager) != 2) {\n /* assume all is OK */\n if (! opj_stream_seek(p_stream, l_stream_pos_backup, p_manager)) {\n return OPJ_FALSE;\n }\n return OPJ_TRUE;\n }\n\n /* Read 2 bytes from buffer as the new marker ID */\n opj_read_bytes(l_header_data, &l_current_marker, 2);\n\n if (l_current_marker != J2K_MS_SOT) {\n /* assume all is OK */\n if (! 
opj_stream_seek(p_stream, l_stream_pos_backup, p_manager)) {\n return OPJ_FALSE;\n }\n return OPJ_TRUE;\n }\n\n /* Try to read 2 bytes (the marker size) from stream and copy them into the buffer */\n if (opj_stream_read_data(p_stream, l_header_data, 2, p_manager) != 2) {\n opj_event_msg(p_manager, EVT_ERROR, \"Stream too short\\n\");\n return OPJ_FALSE;\n }\n\n /* Read 2 bytes from the buffer as the marker size */\n opj_read_bytes(l_header_data, &l_marker_size, 2);\n\n /* Check marker size for SOT Marker */\n if (l_marker_size != 10) {\n opj_event_msg(p_manager, EVT_ERROR, \"Inconsistent marker size\\n\");\n return OPJ_FALSE;\n }\n l_marker_size -= 2;\n\n if (opj_stream_read_data(p_stream, l_header_data, l_marker_size,\n p_manager) != l_marker_size) {\n opj_event_msg(p_manager, EVT_ERROR, \"Stream too short\\n\");\n return OPJ_FALSE;\n }\n\n if (! opj_j2k_get_sot_values(l_header_data, l_marker_size, &l_tile_no,\n &l_tot_len, &l_current_part, &l_num_parts, p_manager)) {\n return OPJ_FALSE;\n }\n\n if (l_tile_no == tile_no) {\n /* we found what we were looking for */\n break;\n }\n\n if (l_tot_len < 14U) {\n /* last SOT until EOC or invalid Psot value */\n /* assume all is OK */\n if (! opj_stream_seek(p_stream, l_stream_pos_backup, p_manager)) {\n return OPJ_FALSE;\n }\n return OPJ_TRUE;\n }\n l_tot_len -= 12U;\n /* look for next SOT marker */\n if (opj_stream_skip(p_stream, (OPJ_OFF_T)(l_tot_len),\n p_manager) != (OPJ_OFF_T)(l_tot_len)) {\n /* assume all is OK */\n if (! opj_stream_seek(p_stream, l_stream_pos_backup, p_manager)) {\n return OPJ_FALSE;\n }\n return OPJ_TRUE;\n }\n }\n\n /* check for correction */\n if (l_current_part == l_num_parts) {\n *p_correction_needed = OPJ_TRUE;\n }\n\n if (! 
opj_stream_seek(p_stream, l_stream_pos_backup, p_manager)) {\n return OPJ_FALSE;\n }\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 15936519339916687913985518216745115854, "size": 107, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357361 }, { "func": "void luaV_execute (lua_State *L, CallInfo *ci) {\n LClosure *cl;\n TValue *k;\n StkId base;\n const Instruction *pc;\n int trap;\n#if LUA_USE_JUMPTABLE\n#include \"ljumptab.h\"\n#endif\n tailcall:\n trap = L->hookmask;\n cl = clLvalue(s2v(ci->func));\n k = cl->p->k;\n pc = ci->u.l.savedpc;\n if (trap) {\n if (cl->p->is_vararg)\n trap = 0; /* hooks will start after VARARGPREP instruction */\n else if (pc == cl->p->code) /* first instruction (not resuming)? */\n luaD_hookcall(L, ci);\n ci->u.l.trap = 1; /* there may be other hooks */\n }\n base = ci->func + 1;\n /* main loop of interpreter */\n for (;;) {\n Instruction i; /* instruction being executed */\n StkId ra; /* instruction's A register */\n vmfetch();\n lua_assert(base == ci->func + 1);\n lua_assert(base <= L->top && L->top < L->stack + L->stacksize);\n /* invalidate top for instructions not expecting it */\n lua_assert(isIT(i) || (cast_void(L->top = base), 1));\n vmdispatch (GET_OPCODE(i)) {\n vmcase(OP_MOVE) {\n setobjs2s(L, ra, RB(i));\n vmbreak;\n }\n vmcase(OP_LOADI) {\n lua_Integer b = GETARG_sBx(i);\n setivalue(s2v(ra), b);\n vmbreak;\n }\n vmcase(OP_LOADF) {\n int b = GETARG_sBx(i);\n setfltvalue(s2v(ra), cast_num(b));\n vmbreak;\n }\n vmcase(OP_LOADK) {\n TValue *rb = k + GETARG_Bx(i);\n setobj2s(L, ra, rb);\n vmbreak;\n }\n vmcase(OP_LOADKX) {\n TValue *rb;\n rb = k + GETARG_Ax(*pc); pc++;\n setobj2s(L, ra, rb);\n vmbreak;\n }\n vmcase(OP_LOADFALSE) {\n setbfvalue(s2v(ra));\n vmbreak;\n }\n vmcase(OP_LFALSESKIP) {\n setbfvalue(s2v(ra));\n pc++; /* skip next instruction */\n vmbreak;\n 
}\n vmcase(OP_LOADTRUE) {\n setbtvalue(s2v(ra));\n vmbreak;\n }\n vmcase(OP_LOADNIL) {\n int b = GETARG_B(i);\n do {\n setnilvalue(s2v(ra++));\n } while (b--);\n vmbreak;\n }\n vmcase(OP_GETUPVAL) {\n int b = GETARG_B(i);\n setobj2s(L, ra, cl->upvals[b]->v);\n vmbreak;\n }\n vmcase(OP_SETUPVAL) {\n UpVal *uv = cl->upvals[GETARG_B(i)];\n setobj(L, uv->v, s2v(ra));\n luaC_barrier(L, uv, s2v(ra));\n vmbreak;\n }\n vmcase(OP_GETTABUP) {\n const TValue *slot;\n TValue *upval = cl->upvals[GETARG_B(i)]->v;\n TValue *rc = KC(i);\n TString *key = tsvalue(rc); /* key must be a string */\n if (luaV_fastget(L, upval, key, slot, luaH_getshortstr)) {\n setobj2s(L, ra, slot);\n }\n else\n Protect(luaV_finishget(L, upval, rc, ra, slot));\n vmbreak;\n }\n vmcase(OP_GETTABLE) {\n const TValue *slot;\n TValue *rb = vRB(i);\n TValue *rc = vRC(i);\n lua_Unsigned n;\n if (ttisinteger(rc) /* fast track for integers? */\n ? (cast_void(n = ivalue(rc)), luaV_fastgeti(L, rb, n, slot))\n : luaV_fastget(L, rb, rc, slot, luaH_get)) {\n setobj2s(L, ra, slot);\n }\n else\n Protect(luaV_finishget(L, rb, rc, ra, slot));\n vmbreak;\n }\n vmcase(OP_GETI) {\n const TValue *slot;\n TValue *rb = vRB(i);\n int c = GETARG_C(i);\n if (luaV_fastgeti(L, rb, c, slot)) {\n setobj2s(L, ra, slot);\n }\n else {\n TValue key;\n setivalue(&key, c);\n Protect(luaV_finishget(L, rb, &key, ra, slot));\n }\n vmbreak;\n }\n vmcase(OP_GETFIELD) {\n const TValue *slot;\n TValue *rb = vRB(i);\n TValue *rc = KC(i);\n TString *key = tsvalue(rc); /* key must be a string */\n if (luaV_fastget(L, rb, key, slot, luaH_getshortstr)) {\n setobj2s(L, ra, slot);\n }\n else\n Protect(luaV_finishget(L, rb, rc, ra, slot));\n vmbreak;\n }\n vmcase(OP_SETTABUP) {\n const TValue *slot;\n TValue *upval = cl->upvals[GETARG_A(i)]->v;\n TValue *rb = KB(i);\n TValue *rc = RKC(i);\n TString *key = tsvalue(rb); /* key must be a string */\n if (luaV_fastget(L, upval, key, slot, luaH_getshortstr)) {\n luaV_finishfastset(L, upval, slot, rc);\n }\n 
else\n Protect(luaV_finishset(L, upval, rb, rc, slot));\n vmbreak;\n }\n vmcase(OP_SETTABLE) {\n const TValue *slot;\n TValue *rb = vRB(i); /* key (table is in 'ra') */\n TValue *rc = RKC(i); /* value */\n lua_Unsigned n;\n if (ttisinteger(rb) /* fast track for integers? */\n ? (cast_void(n = ivalue(rb)), luaV_fastgeti(L, s2v(ra), n, slot))\n : luaV_fastget(L, s2v(ra), rb, slot, luaH_get)) {\n luaV_finishfastset(L, s2v(ra), slot, rc);\n }\n else\n Protect(luaV_finishset(L, s2v(ra), rb, rc, slot));\n vmbreak;\n }\n vmcase(OP_SETI) {\n const TValue *slot;\n int c = GETARG_B(i);\n TValue *rc = RKC(i);\n if (luaV_fastgeti(L, s2v(ra), c, slot)) {\n luaV_finishfastset(L, s2v(ra), slot, rc);\n }\n else {\n TValue key;\n setivalue(&key, c);\n Protect(luaV_finishset(L, s2v(ra), &key, rc, slot));\n }\n vmbreak;\n }\n vmcase(OP_SETFIELD) {\n const TValue *slot;\n TValue *rb = KB(i);\n TValue *rc = RKC(i);\n TString *key = tsvalue(rb); /* key must be a string */\n if (luaV_fastget(L, s2v(ra), key, slot, luaH_getshortstr)) {\n luaV_finishfastset(L, s2v(ra), slot, rc);\n }\n else\n Protect(luaV_finishset(L, s2v(ra), rb, rc, slot));\n vmbreak;\n }\n vmcase(OP_NEWTABLE) {\n int b = GETARG_B(i); /* log2(hash size) + 1 */\n int c = GETARG_C(i); /* array size */\n Table *t;\n if (b > 0)\n b = 1 << (b - 1); /* size is 2^(b - 1) */\n lua_assert((!TESTARG_k(i)) == (GETARG_Ax(*pc) == 0));\n if (TESTARG_k(i)) /* non-zero extra argument? 
*/\n c += GETARG_Ax(*pc) * (MAXARG_C + 1); /* add it to size */\n pc++; /* skip extra argument */\n L->top = ra + 1; /* correct top in case of emergency GC */\n t = luaH_new(L); /* memory allocation */\n sethvalue2s(L, ra, t);\n if (b != 0 || c != 0)\n luaH_resize(L, t, c, b); /* idem */\n checkGC(L, ra + 1);\n vmbreak;\n }\n vmcase(OP_SELF) {\n const TValue *slot;\n TValue *rb = vRB(i);\n TValue *rc = RKC(i);\n TString *key = tsvalue(rc); /* key must be a string */\n setobj2s(L, ra + 1, rb);\n if (luaV_fastget(L, rb, key, slot, luaH_getstr)) {\n setobj2s(L, ra, slot);\n }\n else\n Protect(luaV_finishget(L, rb, rc, ra, slot));\n vmbreak;\n }\n vmcase(OP_ADDI) {\n op_arithI(L, l_addi, luai_numadd);\n vmbreak;\n }\n vmcase(OP_ADDK) {\n op_arithK(L, l_addi, luai_numadd);\n vmbreak;\n }\n vmcase(OP_SUBK) {\n op_arithK(L, l_subi, luai_numsub);\n vmbreak;\n }\n vmcase(OP_MULK) {\n op_arithK(L, l_muli, luai_nummul);\n vmbreak;\n }\n vmcase(OP_MODK) {\n op_arithK(L, luaV_mod, luaV_modf);\n vmbreak;\n }\n vmcase(OP_POWK) {\n op_arithfK(L, luai_numpow);\n vmbreak;\n }\n vmcase(OP_DIVK) {\n op_arithfK(L, luai_numdiv);\n vmbreak;\n }\n vmcase(OP_IDIVK) {\n op_arithK(L, luaV_idiv, luai_numidiv);\n vmbreak;\n }\n vmcase(OP_BANDK) {\n op_bitwiseK(L, l_band);\n vmbreak;\n }\n vmcase(OP_BORK) {\n op_bitwiseK(L, l_bor);\n vmbreak;\n }\n vmcase(OP_BXORK) {\n op_bitwiseK(L, l_bxor);\n vmbreak;\n }\n vmcase(OP_SHRI) {\n TValue *rb = vRB(i);\n int ic = GETARG_sC(i);\n lua_Integer ib;\n if (tointegerns(rb, &ib)) {\n pc++; setivalue(s2v(ra), luaV_shiftl(ib, -ic));\n }\n vmbreak;\n }\n vmcase(OP_SHLI) {\n TValue *rb = vRB(i);\n int ic = GETARG_sC(i);\n lua_Integer ib;\n if (tointegerns(rb, &ib)) {\n pc++; setivalue(s2v(ra), luaV_shiftl(ic, ib));\n }\n vmbreak;\n }\n vmcase(OP_ADD) {\n op_arith(L, l_addi, luai_numadd);\n vmbreak;\n }\n vmcase(OP_SUB) {\n op_arith(L, l_subi, luai_numsub);\n vmbreak;\n }\n vmcase(OP_MUL) {\n op_arith(L, l_muli, luai_nummul);\n vmbreak;\n }\n vmcase(OP_MOD) 
{\n op_arith(L, luaV_mod, luaV_modf);\n vmbreak;\n }\n vmcase(OP_POW) {\n op_arithf(L, luai_numpow);\n vmbreak;\n }\n vmcase(OP_DIV) { /* float division (always with floats) */\n op_arithf(L, luai_numdiv);\n vmbreak;\n }\n vmcase(OP_IDIV) { /* floor division */\n op_arith(L, luaV_idiv, luai_numidiv);\n vmbreak;\n }\n vmcase(OP_BAND) {\n op_bitwise(L, l_band);\n vmbreak;\n }\n vmcase(OP_BOR) {\n op_bitwise(L, l_bor);\n vmbreak;\n }\n vmcase(OP_BXOR) {\n op_bitwise(L, l_bxor);\n vmbreak;\n }\n vmcase(OP_SHR) {\n op_bitwise(L, luaV_shiftr);\n vmbreak;\n }\n vmcase(OP_SHL) {\n op_bitwise(L, luaV_shiftl);\n vmbreak;\n }\n vmcase(OP_MMBIN) {\n Instruction pi = *(pc - 2); /* original arith. expression */\n TValue *rb = vRB(i);\n TMS tm = (TMS)GETARG_C(i);\n StkId result = RA(pi);\n lua_assert(OP_ADD <= GET_OPCODE(pi) && GET_OPCODE(pi) <= OP_SHR);\n Protect(luaT_trybinTM(L, s2v(ra), rb, result, tm));\n vmbreak;\n }\n vmcase(OP_MMBINI) {\n Instruction pi = *(pc - 2); /* original arith. expression */\n int imm = GETARG_sB(i);\n TMS tm = (TMS)GETARG_C(i);\n int flip = GETARG_k(i);\n StkId result = RA(pi);\n Protect(luaT_trybiniTM(L, s2v(ra), imm, flip, result, tm));\n vmbreak;\n }\n vmcase(OP_MMBINK) {\n Instruction pi = *(pc - 2); /* original arith. 
expression */\n TValue *imm = KB(i);\n TMS tm = (TMS)GETARG_C(i);\n int flip = GETARG_k(i);\n StkId result = RA(pi);\n Protect(luaT_trybinassocTM(L, s2v(ra), imm, flip, result, tm));\n vmbreak;\n }\n vmcase(OP_UNM) {\n TValue *rb = vRB(i);\n lua_Number nb;\n if (ttisinteger(rb)) {\n lua_Integer ib = ivalue(rb);\n setivalue(s2v(ra), intop(-, 0, ib));\n }\n else if (tonumberns(rb, nb)) {\n setfltvalue(s2v(ra), luai_numunm(L, nb));\n }\n else\n Protect(luaT_trybinTM(L, rb, rb, ra, TM_UNM));\n vmbreak;\n }\n vmcase(OP_BNOT) {\n TValue *rb = vRB(i);\n lua_Integer ib;\n if (tointegerns(rb, &ib)) {\n setivalue(s2v(ra), intop(^, ~l_castS2U(0), ib));\n }\n else\n Protect(luaT_trybinTM(L, rb, rb, ra, TM_BNOT));\n vmbreak;\n }\n vmcase(OP_NOT) {\n TValue *rb = vRB(i);\n if (l_isfalse(rb))\n setbtvalue(s2v(ra));\n else\n setbfvalue(s2v(ra));\n vmbreak;\n }\n vmcase(OP_LEN) {\n Protect(luaV_objlen(L, ra, vRB(i)));\n vmbreak;\n }\n vmcase(OP_CONCAT) {\n int n = GETARG_B(i); /* number of elements to concatenate */\n L->top = ra + n; /* mark the end of concat operands */\n ProtectNT(luaV_concat(L, n));\n checkGC(L, L->top); /* 'luaV_concat' ensures correct top */\n vmbreak;\n }\n vmcase(OP_CLOSE) {\n Protect(luaF_close(L, ra, LUA_OK));\n vmbreak;\n }\n vmcase(OP_TBC) {\n /* create new to-be-closed upvalue */\n halfProtect(luaF_newtbcupval(L, ra));\n vmbreak;\n }\n vmcase(OP_JMP) {\n dojump(ci, i, 0);\n vmbreak;\n }\n vmcase(OP_EQ) {\n int cond;\n TValue *rb = vRB(i);\n Protect(cond = luaV_equalobj(L, s2v(ra), rb));\n docondjump();\n vmbreak;\n }\n vmcase(OP_LT) {\n op_order(L, l_lti, LTnum, lessthanothers);\n vmbreak;\n }\n vmcase(OP_LE) {\n op_order(L, l_lei, LEnum, lessequalothers);\n vmbreak;\n }\n vmcase(OP_EQK) {\n TValue *rb = KB(i);\n /* basic types do not use '__eq'; we can use raw equality */\n int cond = luaV_rawequalobj(s2v(ra), rb);\n docondjump();\n vmbreak;\n }\n vmcase(OP_EQI) {\n int cond;\n int im = GETARG_sB(i);\n if (ttisinteger(s2v(ra)))\n cond = 
(ivalue(s2v(ra)) == im);\n else if (ttisfloat(s2v(ra)))\n cond = luai_numeq(fltvalue(s2v(ra)), cast_num(im));\n else\n cond = 0; /* other types cannot be equal to a number */\n docondjump();\n vmbreak;\n }\n vmcase(OP_LTI) {\n op_orderI(L, l_lti, luai_numlt, 0, TM_LT);\n vmbreak;\n }\n vmcase(OP_LEI) {\n op_orderI(L, l_lei, luai_numle, 0, TM_LE);\n vmbreak;\n }\n vmcase(OP_GTI) {\n op_orderI(L, l_gti, luai_numgt, 1, TM_LT);\n vmbreak;\n }\n vmcase(OP_GEI) {\n op_orderI(L, l_gei, luai_numge, 1, TM_LE);\n vmbreak;\n }\n vmcase(OP_TEST) {\n int cond = !l_isfalse(s2v(ra));\n docondjump();\n vmbreak;\n }\n vmcase(OP_TESTSET) {\n TValue *rb = vRB(i);\n if (l_isfalse(rb) == GETARG_k(i))\n pc++;\n else {\n setobj2s(L, ra, rb);\n donextjump(ci);\n }\n vmbreak;\n }\n vmcase(OP_CALL) {\n int b = GETARG_B(i);\n int nresults = GETARG_C(i) - 1;\n if (b != 0) /* fixed number of arguments? */\n L->top = ra + b; /* top signals number of arguments */\n /* else previous instruction set top */\n ProtectNT(luaD_call(L, ra, nresults));\n vmbreak;\n }\n vmcase(OP_TAILCALL) {\n int b = GETARG_B(i); /* number of arguments + 1 (function) */\n int nparams1 = GETARG_C(i);\n /* delat is virtual 'func' - real 'func' (vararg functions) */\n int delta = (nparams1) ? ci->u.l.nextraargs + nparams1 : 0;\n if (b != 0)\n L->top = ra + b;\n else /* previous instruction set top */\n b = cast_int(L->top - ra);\n savepc(ci); /* some calls here can raise errors */\n if (TESTARG_k(i)) {\n /* close upvalues from current call; the compiler ensures\n that there are no to-be-closed variables here, so this\n call cannot change the stack */\n luaF_close(L, base, NOCLOSINGMETH);\n lua_assert(base == ci->func + 1);\n }\n while (!ttisfunction(s2v(ra))) { /* not a function? */\n luaD_tryfuncTM(L, ra); /* try '__call' metamethod */\n b++; /* there is now one extra argument */\n checkstackGCp(L, 1, ra);\n }\n if (!ttisLclosure(s2v(ra))) { /* C function? 
*/\n luaD_call(L, ra, LUA_MULTRET); /* call it */\n updatetrap(ci);\n updatestack(ci); /* stack may have been relocated */\n ci->func -= delta;\n luaD_poscall(L, ci, cast_int(L->top - ra));\n return;\n }\n ci->func -= delta;\n luaD_pretailcall(L, ci, ra, b); /* prepare call frame */\n goto tailcall;\n }\n vmcase(OP_RETURN) {\n int n = GETARG_B(i) - 1; /* number of results */\n int nparams1 = GETARG_C(i);\n if (n < 0) /* not fixed? */\n n = cast_int(L->top - ra); /* get what is available */\n savepc(ci);\n if (TESTARG_k(i)) { /* may there be open upvalues? */\n if (L->top < ci->top)\n L->top = ci->top;\n luaF_close(L, base, LUA_OK);\n updatetrap(ci);\n updatestack(ci);\n }\n if (nparams1) /* vararg function? */\n ci->func -= ci->u.l.nextraargs + nparams1;\n L->top = ra + n; /* set call for 'luaD_poscall' */\n luaD_poscall(L, ci, n);\n return;\n }\n vmcase(OP_RETURN0) {\n if (L->hookmask) {\n L->top = ra;\n halfProtectNT(luaD_poscall(L, ci, 0)); /* no hurry... */\n }\n else { /* do the 'poscall' here */\n int nres = ci->nresults;\n L->ci = ci->previous; /* back to caller */\n L->top = base - 1;\n while (nres-- > 0)\n setnilvalue(s2v(L->top++)); /* all results are nil */\n }\n return;\n }\n vmcase(OP_RETURN1) {\n if (L->hookmask) {\n L->top = ra + 1;\n halfProtectNT(luaD_poscall(L, ci, 1)); /* no hurry... */\n }\n else { /* do the 'poscall' here */\n int nres = ci->nresults;\n L->ci = ci->previous; /* back to caller */\n if (nres == 0)\n L->top = base - 1; /* asked for no results */\n else {\n setobjs2s(L, base - 1, ra); /* at least this result */\n L->top = base;\n while (--nres > 0) /* complete missing results */\n setnilvalue(s2v(L->top++));\n }\n }\n return;\n }\n vmcase(OP_FORLOOP) {\n if (ttisinteger(s2v(ra + 2))) { /* integer loop? */\n lua_Unsigned count = l_castS2U(ivalue(s2v(ra + 1)));\n if (count > 0) { /* still more iterations? 
*/\n lua_Integer step = ivalue(s2v(ra + 2));\n lua_Integer idx = ivalue(s2v(ra)); /* internal index */\n chgivalue(s2v(ra + 1), count - 1); /* update counter */\n idx = intop(+, idx, step); /* add step to index */\n chgivalue(s2v(ra), idx); /* update internal index */\n setivalue(s2v(ra + 3), idx); /* and control variable */\n pc -= GETARG_Bx(i); /* jump back */\n }\n }\n else if (floatforloop(ra)) /* float loop */\n pc -= GETARG_Bx(i); /* jump back */\n updatetrap(ci); /* allows a signal to break the loop */\n vmbreak;\n }\n vmcase(OP_FORPREP) {\n savestate(L, ci); /* in case of errors */\n if (forprep(L, ra))\n pc += GETARG_Bx(i) + 1; /* skip the loop */\n vmbreak;\n }\n vmcase(OP_TFORPREP) {\n /* create to-be-closed upvalue (if needed) */\n halfProtect(luaF_newtbcupval(L, ra + 3));\n pc += GETARG_Bx(i);\n i = *(pc++); /* go to next instruction */\n lua_assert(GET_OPCODE(i) == OP_TFORCALL && ra == RA(i));\n goto l_tforcall;\n }\n vmcase(OP_TFORCALL) {\n l_tforcall:\n /* 'ra' has the iterator function, 'ra + 1' has the state,\n 'ra + 2' has the control variable, and 'ra + 3' has the\n to-be-closed variable. The call will use the stack after\n these values (starting at 'ra + 4')\n */\n /* push function, state, and control variable */\n memcpy(ra + 4, ra, 3 * sizeof(*ra));\n L->top = ra + 4 + 3;\n ProtectNT(luaD_call(L, ra + 4, GETARG_C(i))); /* do the call */\n updatestack(ci); /* stack may have changed */\n i = *(pc++); /* go to next instruction */\n lua_assert(GET_OPCODE(i) == OP_TFORLOOP && ra == RA(i));\n goto l_tforloop;\n }\n vmcase(OP_TFORLOOP) {\n l_tforloop:\n if (!ttisnil(s2v(ra + 4))) { /* continue loop? 
*/\n setobjs2s(L, ra + 2, ra + 4); /* save control variable */\n pc -= GETARG_Bx(i); /* jump back */\n }\n vmbreak;\n }\n vmcase(OP_SETLIST) {\n int n = GETARG_B(i);\n unsigned int last = GETARG_C(i);\n Table *h = hvalue(s2v(ra));\n if (n == 0)\n n = cast_int(L->top - ra) - 1; /* get up to the top */\n else\n L->top = ci->top; /* correct top in case of emergency GC */\n last += n;\n if (TESTARG_k(i)) {\n last += GETARG_Ax(*pc) * (MAXARG_C + 1);\n pc++;\n }\n if (last > luaH_realasize(h)) /* needs more space? */\n luaH_resizearray(L, h, last); /* preallocate it at once */\n for (; n > 0; n--) {\n TValue *val = s2v(ra + n);\n setobj2t(L, &h->array[last - 1], val);\n last--;\n luaC_barrierback(L, obj2gco(h), val);\n }\n vmbreak;\n }\n vmcase(OP_CLOSURE) {\n Proto *p = cl->p->p[GETARG_Bx(i)];\n halfProtect(pushclosure(L, p, cl->upvals, base, ra));\n checkGC(L, ra + 1);\n vmbreak;\n }\n vmcase(OP_VARARG) {\n int n = GETARG_C(i) - 1; /* required results */\n Protect(luaT_getvarargs(L, ci, ra, n));\n vmbreak;\n }\n vmcase(OP_VARARGPREP) {\n ProtectNT(luaT_adjustvarargs(L, GETARG_A(i), ci, cl->p));\n if (trap) {\n luaD_hookcall(L, ci);\n L->oldpc = 1; /* next opcode will be seen as a \"new\" line */\n }\n updatebase(ci); /* function has new base after adjustment */\n vmbreak;\n }\n vmcase(OP_EXTRAARG) {\n lua_assert(0);\n vmbreak;\n }\n }\n }\n}", "project": "lua", "hash": 12654084729027551641639891061864169911, "size": 683, "commit_id": "a2195644d89812e5b157ce7bac35543e06db05e3", "message": "Fixed bug: invalid 'oldpc' when returning to a function\n\nThe field 'L->oldpc' is not always updated when control returns to a\nfunction; an invalid value can seg. fault when computing 'changedline'.\n(One example is an error in a finalizer; control can return to\n'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to\nfix all possible corner cases, it seems safer to be resilient to invalid\nvalues for 'oldpc'. 
Valid but wrong values at most cause an extra call\nto a line hook.", "target": 0, "dataset": "other", "idx": 462772 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "base::TimeDelta VideoRendererBase::CalculateSleepDuration(\n const scoped_refptr& next_frame,\n float playback_rate) {\n base::TimeDelta now = host()->GetTime();\n base::TimeDelta this_pts = current_frame_->GetTimestamp();\n base::TimeDelta next_pts;\n if (!next_frame->IsEndOfStream()) {\n next_pts = next_frame->GetTimestamp();\n } else {\n next_pts = this_pts + current_frame_->GetDuration();\n }\n\n base::TimeDelta sleep = next_pts - now;\n return base::TimeDelta::FromMicroseconds(\n static_cast(sleep.InMicroseconds() / playback_rate));\n}\n", "cwe": "", "big_vul_idx": 113349, "idx": 101641, "hash": 106933282356503288536718343274071895735 }, { "func": "int unshare_files(struct files_struct **displaced)\n{\n\tstruct task_struct *task = current;\n\tstruct files_struct *copy = NULL;\n\tint error;\n\n\terror = unshare_fd(CLONE_FILES, NR_OPEN_MAX, ©);\n\tif (error || !copy) {\n\t\t*displaced = NULL;\n\t\treturn error;\n\t}\n\t*displaced = task->files;\n\ttask_lock(task);\n\ttask->files = copy;\n\ttask_unlock(task);\n\treturn 0;\n}", "project": "linux", "hash": 132386605578915605621385381123631900701, "size": 17, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293649 }, { "func": "static void fuse_writepage_end(struct fuse_mount *fm, struct fuse_args *args,\n\t\t\t int error)\n{\n\tstruct fuse_writepage_args *wpa =\n\t\tcontainer_of(args, typeof(*wpa), 
ia.ap.args);\n\tstruct inode *inode = wpa->inode;\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\n\tmapping_set_error(inode->i_mapping, error);\n\tspin_lock(&fi->lock);\n\trb_erase(&wpa->writepages_entry, &fi->writepages);\n\twhile (wpa->next) {\n\t\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\t\tstruct fuse_write_in *inarg = &wpa->ia.write.in;\n\t\tstruct fuse_writepage_args *next = wpa->next;\n\n\t\twpa->next = next->next;\n\t\tnext->next = NULL;\n\t\tnext->ia.ff = fuse_file_get(wpa->ia.ff);\n\t\ttree_insert(&fi->writepages, next);\n\n\t\t/*\n\t\t * Skip fuse_flush_writepages() to make it easy to crop requests\n\t\t * based on primary request size.\n\t\t *\n\t\t * 1st case (trivial): there are no concurrent activities using\n\t\t * fuse_set/release_nowrite. Then we're on safe side because\n\t\t * fuse_flush_writepages() would call fuse_send_writepage()\n\t\t * anyway.\n\t\t *\n\t\t * 2nd case: someone called fuse_set_nowrite and it is waiting\n\t\t * now for completion of all in-flight requests. This happens\n\t\t * rarely and no more than once per page, so this should be\n\t\t * okay.\n\t\t *\n\t\t * 3rd case: someone (e.g. fuse_do_setattr()) is in the middle\n\t\t * of fuse_set_nowrite..fuse_release_nowrite section. The fact\n\t\t * that fuse_set_nowrite returned implies that all in-flight\n\t\t * requests were completed along with all of their secondary\n\t\t * requests. Further primary requests are blocked by negative\n\t\t * writectr. 
Hence there cannot be any in-flight requests and\n\t\t * no invocations of fuse_writepage_end() while we're in\n\t\t * fuse_set_nowrite..fuse_release_nowrite section.\n\t\t */\n\t\tfuse_send_writepage(fm, next, inarg->offset + inarg->size);\n\t}\n\tfi->writectr--;\n\tfuse_writepage_finish(fm, wpa);\n\tspin_unlock(&fi->lock);\n\tfuse_writepage_free(wpa);\n}", "project": "linux", "hash": 247104158633229230633115309336689436954, "size": 51, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342100 }, { "func": "size_t CWebSession::AddError(const CString& sMessage) {\n m_vsErrorMsgs.push_back(sMessage);\n return m_vsErrorMsgs.size();\n}", "project": "znc", "hash": 13329180945575269134453765244606112887, "size": 4, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265795 }, { "func": "static bool ethereum_signing_check(EthereumSignTx *msg) {\n if (!msg->has_gas_price || !msg->has_gas_limit) {\n return false;\n }\n\n if (msg->to.size != 20 && msg->to.size != 0) {\n /* Address has wrong length */\n return false;\n }\n\n // sending transaction to address 0 (contract creation) without a data field\n if (msg->to.size == 0 && (!msg->has_data_length || msg->data_length == 0)) {\n return false;\n }\n\n if (msg->gas_price.size + msg->gas_limit.size > 30) {\n // sanity check that fee doesn't overflow\n return false;\n }\n\n return true;\n}", "project": "keepkey-firmware", "hash": 256054471165700136793732784187082402665, "size": 22, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220871 }, { "func": "static inline void encode_claim_null(struct xdr_stream *xdr, const struct qstr *name)\n{\n\t__be32 *p;\n\n\tp = reserve_space(xdr, 4);\n\t*p = cpu_to_be32(NFS4_OPEN_CLAIM_NULL);\n\tencode_string(xdr, name->len, name->name);\n}", "project": "linux", "hash": 257908789464207471492046110722958674077, "size": 8, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr 
kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431319 }, { "func": "static void nfs_clear_open_stateid_locked(struct nfs4_state *state,\n\t\tnfs4_stateid *stateid, fmode_t fmode)\n{\n\tclear_bit(NFS_O_RDWR_STATE, &state->flags);\n\tswitch (fmode & (FMODE_READ|FMODE_WRITE)) {\n\tcase FMODE_WRITE:\n\t\tclear_bit(NFS_O_RDONLY_STATE, &state->flags);\n\t\tbreak;\n\tcase FMODE_READ:\n\t\tclear_bit(NFS_O_WRONLY_STATE, &state->flags);\n\t\tbreak;\n\tcase 0:\n\t\tclear_bit(NFS_O_RDONLY_STATE, &state->flags);\n\t\tclear_bit(NFS_O_WRONLY_STATE, &state->flags);\n\t\tclear_bit(NFS_OPEN_STATE, &state->flags);\n\t}\n\tif (stateid == NULL)\n\t\treturn;\n\t/* Handle OPEN+OPEN_DOWNGRADE races */\n\tif (nfs4_stateid_match_other(stateid, &state->open_stateid) &&\n\t !nfs4_stateid_is_newer(stateid, &state->open_stateid)) {\n\t\tnfs_resync_open_stateid_locked(state);\n\t\tgoto out;\n\t}\n\tif (test_bit(NFS_DELEGATED_STATE, &state->flags) == 0)\n\t\tnfs4_stateid_copy(&state->stateid, stateid);\n\tnfs4_stateid_copy(&state->open_stateid, stateid);\n\ttrace_nfs4_open_stateid_update(state->inode, stateid, 0);\nout:\n\tnfs_state_log_update_open_stateid(state);\n}", "project": "linux", "hash": 8515885471205015477585602104350887420, "size": 31, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 
0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431323 }, { "func": "static int oidc_handle_post_authorization_response(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session) {\n\n\toidc_debug(r, \"enter\");\n\n\t/* initialize local variables */\n\tchar *response_mode = NULL;\n\n\t/* read the parameters that are POST-ed to us */\n\tapr_table_t *params = apr_table_make(r->pool, 8);\n\tif (oidc_util_read_post_params(r, params, FALSE, NULL) == FALSE) {\n\t\toidc_error(r, \"something went wrong when reading the POST parameters\");\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\t/* see if we've got any POST-ed data at all */\n\tif ((apr_table_elts(params)->nelts < 1)\n\t\t\t|| ((apr_table_elts(params)->nelts == 1)\n\t\t\t\t\t&& apr_table_get(params, OIDC_PROTO_RESPONSE_MODE)\n\t\t\t\t\t&& (apr_strnatcmp(\n\t\t\t\t\t\t\tapr_table_get(params, OIDC_PROTO_RESPONSE_MODE),\n\t\t\t\t\t\t\tOIDC_PROTO_RESPONSE_MODE_FRAGMENT) == 0))) {\n\t\treturn oidc_util_html_send_error(r, c->error_template,\n\t\t\t\t\"Invalid Request\",\n\t\t\t\t\"You've hit an OpenID Connect Redirect URI with no parameters, this is an invalid request; you should not open this URL in your browser directly, or have the server administrator use a different \" OIDCRedirectURI \" setting.\",\n\t\t\t\tHTTP_INTERNAL_SERVER_ERROR);\n\t}\n\n\t/* get the parameters */\n\tresponse_mode = (char*) apr_table_get(params, OIDC_PROTO_RESPONSE_MODE);\n\n\t/* do the actual implicit work */\n\treturn oidc_handle_authorization_response(r, c, session, params,\n\t\t\tresponse_mode ? 
response_mode : OIDC_PROTO_RESPONSE_MODE_FORM_POST);\n}", "project": "mod_auth_openidc", "hash": 330090045397316331719427539111756370955, "size": 35, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381937 }, { "func": "static int oidc_handle_post_authorization_response(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session) {\n\n\toidc_debug(r, \"enter\");\n\n\t/* initialize local variables */\n\tchar *response_mode = NULL;\n\n\t/* read the parameters that are POST-ed to us */\n\tapr_table_t *params = apr_table_make(r->pool, 8);\n\tif (oidc_util_read_post_params(r, params, FALSE, NULL) == FALSE) {\n\t\toidc_error(r, \"something went wrong when reading the POST parameters\");\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\t/* see if we've got any POST-ed data at all */\n\tif ((apr_table_elts(params)->nelts < 1)\n\t\t\t|| ((apr_table_elts(params)->nelts == 1)\n\t\t\t\t\t&& apr_table_get(params, OIDC_PROTO_RESPONSE_MODE)\n\t\t\t\t\t&& (apr_strnatcmp(\n\t\t\t\t\t\t\tapr_table_get(params, OIDC_PROTO_RESPONSE_MODE),\n\t\t\t\t\t\t\tOIDC_PROTO_RESPONSE_MODE_FRAGMENT) == 0))) {\n\t\treturn oidc_util_html_send_error(r, c->error_template,\n\t\t\t\t\"Invalid Request\",\n\t\t\t\t\"You've hit an OpenID Connect Redirect URI with no parameters, this is an invalid request; you should not open this URL in your browser directly, or have the server administrator use a different \" OIDCRedirectURI \" setting.\",\n\t\t\t\tHTTP_INTERNAL_SERVER_ERROR);\n\t}\n\n\t/* get the parameters */\n\tresponse_mode = (char *) apr_table_get(params, OIDC_PROTO_RESPONSE_MODE);\n\n\t/* do the actual implicit work */\n\treturn oidc_handle_authorization_response(r, c, session, params,\n\t\t\tresponse_mode ? 
response_mode : OIDC_PROTO_RESPONSE_MODE_FORM_POST);\n}", "project": "mod_auth_openidc", "hash": 80369412890759453007363596020820632615, "size": 35, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447684 }, { "func": "static struct bfq_queue *\nbfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq,\n\t\t void *io_struct, bool request)\n{\n\tstruct bfq_queue *in_service_bfqq, *new_bfqq;\n\n\t/*\n\t * Do not perform queue merging if the device is non\n\t * rotational and performs internal queueing. In fact, such a\n\t * device reaches a high speed through internal parallelism\n\t * and pipelining. This means that, to reach a high\n\t * throughput, it must have many requests enqueued at the same\n\t * time. But, in this configuration, the internal scheduling\n\t * algorithm of the device does exactly the job of queue\n\t * merging: it reorders requests so as to obtain as much as\n\t * possible a sequential I/O pattern. As a consequence, with\n\t * the workload generated by processes doing interleaved I/O,\n\t * the throughput reached by the device is likely to be the\n\t * same, with and without queue merging.\n\t *\n\t * Disabling merging also provides a remarkable benefit in\n\t * terms of throughput. Merging tends to make many workloads\n\t * artificially more uneven, because of shared queues\n\t * remaining non empty for incomparably more time than\n\t * non-merged queues. This may accentuate workload\n\t * asymmetries. For example, if one of the queues in a set of\n\t * merged queues has a higher weight than a normal queue, then\n\t * the shared queue may inherit such a high weight and, by\n\t * staying almost always active, may force BFQ to perform I/O\n\t * plugging most of the time. 
This evidently makes it harder\n\t * for BFQ to let the device reach a high throughput.\n\t *\n\t * Finally, the likely() macro below is not used because one\n\t * of the two branches is more likely than the other, but to\n\t * have the code path after the following if() executed as\n\t * fast as possible for the case of a non rotational device\n\t * with queueing. We want it because this is the fastest kind\n\t * of device. On the opposite end, the likely() may lengthen\n\t * the execution time of BFQ for the case of slower devices\n\t * (rotational or at least without queueing). But in this case\n\t * the execution time of BFQ matters very little, if not at\n\t * all.\n\t */\n\tif (likely(bfqd->nonrot_with_queueing))\n\t\treturn NULL;\n\n\t/*\n\t * Prevent bfqq from being merged if it has been created too\n\t * long ago. The idea is that true cooperating processes, and\n\t * thus their associated bfq_queues, are supposed to be\n\t * created shortly after each other. This is the case, e.g.,\n\t * for KVM/QEMU and dump I/O threads. Basing on this\n\t * assumption, the following filtering greatly reduces the\n\t * probability that two non-cooperating processes, which just\n\t * happen to do close I/O for some short time interval, have\n\t * their queues merged by mistake.\n\t */\n\tif (bfq_too_late_for_merging(bfqq))\n\t\treturn NULL;\n\n\tif (bfqq->new_bfqq)\n\t\treturn bfqq->new_bfqq;\n\n\tif (!io_struct || unlikely(bfqq == &bfqd->oom_bfqq))\n\t\treturn NULL;\n\n\t/* If there is only one backlogged queue, don't search. 
*/\n\tif (bfq_tot_busy_queues(bfqd) == 1)\n\t\treturn NULL;\n\n\tin_service_bfqq = bfqd->in_service_queue;\n\n\tif (in_service_bfqq && in_service_bfqq != bfqq &&\n\t likely(in_service_bfqq != &bfqd->oom_bfqq) &&\n\t bfq_rq_close_to_sector(io_struct, request,\n\t\t\t\t bfqd->in_serv_last_pos) &&\n\t bfqq->entity.parent == in_service_bfqq->entity.parent &&\n\t bfq_may_be_close_cooperator(bfqq, in_service_bfqq)) {\n\t\tnew_bfqq = bfq_setup_merge(bfqq, in_service_bfqq);\n\t\tif (new_bfqq)\n\t\t\treturn new_bfqq;\n\t}\n\t/*\n\t * Check whether there is a cooperator among currently scheduled\n\t * queues. The only thing we need is that the bio/request is not\n\t * NULL, as we need it to establish whether a cooperator exists.\n\t */\n\tnew_bfqq = bfq_find_close_cooperator(bfqd, bfqq,\n\t\t\tbfq_io_struct_pos(io_struct, request));\n\n\tif (new_bfqq && likely(new_bfqq != &bfqd->oom_bfqq) &&\n\t bfq_may_be_close_cooperator(bfqq, new_bfqq))\n\t\treturn bfq_setup_merge(bfqq, new_bfqq);\n\n\treturn NULL;", "project": "linux", "hash": 161905058463487260307130057892143698245, "size": 95, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453303 }, { "func": "void UnionSparseIndicesAndValues(\n typename TTypes::ConstMatrix a_indices_mat,\n typename TTypes::ConstFlat a_values, int64 a_nnz,\n typename TTypes::ConstMatrix b_indices_mat,\n typename TTypes::ConstFlat b_values, int64 b_nnz, int num_dims,\n std::vector *a_augmented_values, std::vector *b_augmented_values,\n std::vector> *entries_to_copy) {\n entries_to_copy->reserve(a_nnz + b_nnz);\n a_augmented_values->reserve(a_nnz);\n b_augmented_values->reserve(b_nnz);\n\n int64 i = 0, j = 0;\n const T kZero = T(0);\n while (i < a_nnz && j < b_nnz) {\n switch (sparse::DimComparator::cmp(a_indices_mat, b_indices_mat, i, j,\n num_dims)) {\n case -1:\n entries_to_copy->emplace_back(true, i);\n a_augmented_values->push_back(a_values(i));\n b_augmented_values->push_back(kZero);\n ++i;\n break;\n case 0:\n entries_to_copy->emplace_back(true, i);\n 
a_augmented_values->push_back(a_values(i));\n b_augmented_values->push_back(b_values(j));\n ++i;\n ++j;\n break;\n case 1:\n entries_to_copy->emplace_back(false, j);\n a_augmented_values->push_back(kZero);\n b_augmented_values->push_back(b_values(j));\n ++j;\n break;\n }\n }\n // Handles leftovers; at most one loop runs.\n while (i < a_nnz) {\n entries_to_copy->emplace_back(/* is_a */ true, i);\n a_augmented_values->push_back(a_values(i++));\n b_augmented_values->push_back(kZero);\n }\n while (j < b_nnz) {\n entries_to_copy->emplace_back(/* is_a */ false, j);\n a_augmented_values->push_back(kZero);\n b_augmented_values->push_back(b_values(j++));\n }\n}", "project": "tensorflow", "hash": 49323204121851936125334884891274742669, "size": 49, "commit_id": "f6fde895ef9c77d848061c0517f19d0ec2682f3a", "message": "Validate that a and b are proper sparse tensors\n\nPiperOrigin-RevId: 373274848\nChange-Id: I3a665ac3a29dee9fb69bdf408a939330cb93ea75", "target": 0, "dataset": "other", "idx": 246591 }, { "func": "bool pb_decode_double_as_float(pb_istream_t *stream, float *dest)\n{\n uint_least8_t sign;\n int exponent;\n uint32_t mantissa;\n uint64_t value;\n union { float f; uint32_t i; } out;\n\n if (!pb_decode_fixed64(stream, &value))\n return false;\n\n /* Decompose input value */\n sign = (uint_least8_t)((value >> 63) & 1);\n exponent = (int)((value >> 52) & 0x7FF) - 1023;\n mantissa = (value >> 28) & 0xFFFFFF; /* Highest 24 bits */\n\n /* Figure if value is in range representable by floats. 
*/\n if (exponent == 1024)\n {\n /* Special value */\n exponent = 128;\n mantissa >>= 1;\n }\n else\n {\n if (exponent > 127)\n {\n /* Too large, convert to infinity */\n exponent = 128;\n mantissa = 0;\n }\n else if (exponent < -150)\n {\n /* Too small, convert to zero */\n exponent = -127;\n mantissa = 0;\n }\n else if (exponent < -126)\n {\n /* Denormalized */\n mantissa |= 0x1000000;\n mantissa >>= (-126 - exponent);\n exponent = -127;\n }\n\n /* Round off mantissa */\n mantissa = (mantissa + 1) >> 1;\n\n /* Check if mantissa went over 2.0 */\n if (mantissa & 0x800000)\n {\n exponent += 1;\n mantissa &= 0x7FFFFF;\n mantissa >>= 1;\n }\n }\n\n /* Combine fields */\n out.i = mantissa;\n out.i |= (uint32_t)(exponent + 127) << 23;\n out.i |= (uint32_t)sign << 31;\n\n *dest = out.f;\n return true;\n}", "project": "nanopb", "hash": 128618826092059821217500517905007335089, "size": 65, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. 
Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254692 }, { "func": "static OPJ_BOOL opj_j2k_move_data_from_codec_to_output_image(opj_j2k_t * p_j2k,\n opj_image_t * p_image)\n{\n OPJ_UINT32 compno;\n\n /* Move data and copy one information from codec to output image*/\n if (p_j2k->m_specific_param.m_decoder.m_numcomps_to_decode > 0) {\n opj_image_comp_t* newcomps =\n (opj_image_comp_t*) opj_malloc(\n p_j2k->m_specific_param.m_decoder.m_numcomps_to_decode *\n sizeof(opj_image_comp_t));\n if (newcomps == NULL) {\n opj_image_destroy(p_j2k->m_private_image);\n p_j2k->m_private_image = NULL;\n return OPJ_FALSE;\n }\n for (compno = 0; compno < p_image->numcomps; compno++) {\n opj_image_data_free(p_image->comps[compno].data);\n p_image->comps[compno].data = NULL;\n }\n for (compno = 0;\n compno < p_j2k->m_specific_param.m_decoder.m_numcomps_to_decode; compno++) {\n OPJ_UINT32 src_compno =\n p_j2k->m_specific_param.m_decoder.m_comps_indices_to_decode[compno];\n memcpy(&(newcomps[compno]),\n &(p_j2k->m_output_image->comps[src_compno]),\n sizeof(opj_image_comp_t));\n newcomps[compno].resno_decoded =\n p_j2k->m_output_image->comps[src_compno].resno_decoded;\n newcomps[compno].data = p_j2k->m_output_image->comps[src_compno].data;\n p_j2k->m_output_image->comps[src_compno].data = NULL;\n }\n for (compno = 0; compno < p_image->numcomps; compno++) {\n assert(p_j2k->m_output_image->comps[compno].data == NULL);\n opj_image_data_free(p_j2k->m_output_image->comps[compno].data);\n p_j2k->m_output_image->comps[compno].data = NULL;\n }\n p_image->numcomps = p_j2k->m_specific_param.m_decoder.m_numcomps_to_decode;\n opj_free(p_image->comps);\n p_image->comps = newcomps;\n } else {\n for (compno = 0; compno < p_image->numcomps; compno++) {\n p_image->comps[compno].resno_decoded =\n p_j2k->m_output_image->comps[compno].resno_decoded;\n opj_image_data_free(p_image->comps[compno].data);\n p_image->comps[compno].data = 
p_j2k->m_output_image->comps[compno].data;\n#if 0\n char fn[256];\n sprintf(fn, \"/tmp/%d.raw\", compno);\n FILE *debug = fopen(fn, \"wb\");\n fwrite(p_image->comps[compno].data, sizeof(OPJ_INT32),\n p_image->comps[compno].w * p_image->comps[compno].h, debug);\n fclose(debug);\n#endif\n p_j2k->m_output_image->comps[compno].data = NULL;\n }\n }\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 303725051485575346617780021480330291783, "size": 59, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357421 }, { "func": "int php_get_wbmp(const req::ptr& file,\n struct gfxinfo **result,\n int check) {\n int i, width = 0, height = 0;\n\n if (!file->rewind()) {\n return 0;\n }\n\n /* get type */\n if (file->getc() != 0) {\n return 0;\n }\n\n /* skip header */\n do {\n i = file->getc();\n if (i < 0) {\n return 0;\n }\n } while (i & 0x80);\n\n /* get width */\n do {\n i = file->getc();\n if (i < 0) {\n return 0;\n }\n width = (width << 7) | (i & 0x7f);\n } while (i & 0x80);\n\n /* get height */\n do {\n i = file->getc();\n if (i < 0) {\n return 0;\n }\n height = (height << 7) | (i & 0x7f);\n } while (i & 0x80);\n\n // maximum valid sizes for wbmp (although 127x127 may be a\n // more accurate one)\n if (!height || !width || height > 2048 || width > 2048) {\n return 0;\n }\n\n if (!check) {\n (*result)->width = width;\n (*result)->height = height;\n }\n\n return IMAGE_FILETYPE_WBMP;\n}", "project": "hhvm", "hash": 270077974021075898328019331829095185932, "size": 53, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219696 }, { "func": "int kvm_clear_guest_page(struct kvm *kvm, gfn_t gfn, int offset, int len)\n{\n\tconst void *zero_page = (const void *) 
__va(page_to_phys(ZERO_PAGE(0)));\n\n\treturn kvm_write_guest_page(kvm, gfn, zero_page, offset, len);\n}", "project": "linux", "hash": 337123867647836842166589209376226091493, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354542 }, { "func": "void kvm_s390_set_cpu_timer(struct kvm_vcpu *vcpu, __u64 cputm)\n{\n\tpreempt_disable(); /* protect from TOD sync and vcpu_load/put */\n\traw_write_seqcount_begin(&vcpu->arch.cputm_seqcount);\n\tif (vcpu->arch.cputm_enabled)\n\t\tvcpu->arch.cputm_start = get_tod_clock_fast();\n\tvcpu->arch.sie_block->cputm = cputm;\n\traw_write_seqcount_end(&vcpu->arch.cputm_seqcount);\n\tpreempt_enable();\n}", "project": "linux", "hash": 311513630486077569863120878060066728255, "size": 10, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: 
<20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354800 }, { "func": "int gdImageColorClosestAlpha (gdImagePtr im, int r, int g, int b, int a)\n{\n\tint i;\n\tlong rd, gd, bd, ad;\n\tint ct = (-1);\n\tint first = 1;\n\tlong mindist = 0;\n\n\tif (im->trueColor) {\n\t\treturn gdTrueColorAlpha(r, g, b, a);\n\t}\n\tfor (i = 0; i < im->colorsTotal; i++) {\n\t\tlong dist;\n\t\tif (im->open[i]) {\n\t\t\tcontinue;\n\t\t}\n\t\trd = im->red[i] - r;\n\t\tgd = im->green[i] - g;\n\t\tbd = im->blue[i] - b;\n\t\t/* gd 2.02: whoops, was - b (thanks to David Marwood) */\n\t\tad = im->alpha[i] - a;\n\t\tdist = rd * rd + gd * gd + bd * bd + ad * ad;\n\t\tif (first || (dist < mindist)) {\n\t\t\tmindist = dist;\n\t\t\tct = i;\n\t\t\tfirst = 0;\n\t\t}\n\t}\n\treturn ct;\n}", "project": "php-src", "hash": 324055378228120180850746730308796864416, "size": 30, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295150 }, { "func": "static int sctp_setsockopt_default_prinfo(struct sock *sk,\n\t\t\t\t\t struct sctp_default_prinfo *info,\n\t\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_association *asoc;\n\tint retval = -EINVAL;\n\n\tif (optlen != sizeof(*info))\n\t\tgoto out;\n\n\tif (info->pr_policy & ~SCTP_PR_SCTP_MASK)\n\t\tgoto out;\n\n\tif (info->pr_policy == SCTP_PR_SCTP_NONE)\n\t\tinfo->pr_value = 0;\n\n\tasoc = sctp_id2assoc(sk, info->pr_assoc_id);\n\tif (!asoc && info->pr_assoc_id > SCTP_ALL_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\tgoto out;\n\n\tretval = 0;\n\n\tif (asoc) {\n\t\tSCTP_PR_SET_POLICY(asoc->default_flags, info->pr_policy);\n\t\tasoc->default_timetolive = info->pr_value;\n\t\tgoto out;\n\t}\n\n\tif (sctp_style(sk, TCP))\n\t\tinfo->pr_assoc_id = 
SCTP_FUTURE_ASSOC;\n\n\tif (info->pr_assoc_id == SCTP_FUTURE_ASSOC ||\n\t info->pr_assoc_id == SCTP_ALL_ASSOC) {\n\t\tSCTP_PR_SET_POLICY(sp->default_flags, info->pr_policy);\n\t\tsp->default_timetolive = info->pr_value;\n\t}\n\n\tif (info->pr_assoc_id == SCTP_CURRENT_ASSOC ||\n\t info->pr_assoc_id == SCTP_ALL_ASSOC) {\n\t\tlist_for_each_entry(asoc, &sp->ep->asocs, asocs) {\n\t\t\tSCTP_PR_SET_POLICY(asoc->default_flags,\n\t\t\t\t\t info->pr_policy);\n\t\t\tasoc->default_timetolive = info->pr_value;\n\t\t}\n\t}\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 315926813239797917315707650922444623822, "size": 51, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398154 }, { "func": "static int _nfs4_proc_lookup(struct rpc_clnt *clnt, struct inode *dir,\n\t\tstruct dentry *dentry, struct nfs_fh *fhandle,\n\t\tstruct nfs_fattr *fattr, struct nfs4_label *label)\n{\n\tstruct nfs_server *server = NFS_SERVER(dir);\n\tint\t\t status;\n\tstruct nfs4_lookup_arg args = {\n\t\t.bitmask = server->attr_bitmask,\n\t\t.dir_fh = NFS_FH(dir),\n\t\t.name = &dentry->d_name,\n\t};\n\tstruct nfs4_lookup_res res = {\n\t\t.server = server,\n\t\t.fattr = fattr,\n\t\t.label = label,\n\t\t.fh = fhandle,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_LOOKUP],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t};\n\tunsigned short task_flags = 0;\n\n\t/* Is this is an attribute revalidation, subject to softreval? */\n\tif (nfs_lookup_is_soft_revalidate(dentry))\n\t\ttask_flags |= RPC_TASK_TIMEOUT;\n\n\targs.bitmask = nfs4_bitmask(server, label);\n\n\tnfs_fattr_init(fattr);\n\n\tdprintk(\"NFS call lookup %pd2\\n\", dentry);\n\tnfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 0);\n\tstatus = nfs4_do_call_sync(clnt, server, &msg,\n\t\t\t&args.seq_args, &res.seq_res, task_flags);\n\tdprintk(\"NFS reply lookup: %d\\n\", status);\n\treturn status;\n}", "project": "linux", "hash": 281597352484468669201015876169559503103, "size": 39, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431123 }, { "func": "static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_cp_read_tx_power *sent;\n\tstruct hci_rp_read_tx_power 
*rp = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);\n\tif (!sent)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));\n\tif (!conn)\n\t\tgoto unlock;\n\n\tswitch (sent->type) {\n\tcase 0x00:\n\t\tconn->tx_power = rp->tx_power;\n\t\tbreak;\n\tcase 0x01:\n\t\tconn->max_tx_power = rp->tx_power;\n\t\tbreak;\n\t}\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 251763639941745849344156587738421870324, "size": 33, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432013 }, { "func": "static void ep_unregister_pollwait(struct eventpoll *ep, struct epitem *epi)\n{\n\tstruct list_head *lsthead = &epi->pwqlist;\n\tstruct eppoll_entry *pwq;\n\n\twhile (!list_empty(lsthead)) {\n\t\tpwq = list_first_entry(lsthead, struct eppoll_entry, llink);\n\n\t\tlist_del(&pwq->llink);\n\t\tep_remove_wait_queue(pwq);\n\t\tkmem_cache_free(pwq_cache, pwq);\n\t}\n}", "project": "linux", "hash": 46358005133422525717578023626926255756, "size": 13, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336239 }, { "func": "static 
bool isAddLiquidityEthCall(const EthereumSignTx *msg) {\n if (memcmp(msg->data_initial_chunk.bytes, \"\\xf3\\x05\\xd7\\x19\", 4) == 0)\n return true;\n\n return false;\n}", "project": "keepkey-firmware", "hash": 300624395446829731452753806347475254866, "size": 6, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220899 }, { "func": "void CServer::ConchainSpecialInfoupdate(IConsole::IResult *pResult, void *pUserData, IConsole::FCommandCallback pfnCallback, void *pCallbackUserData)\n{\n\tpfnCallback(pResult, pCallbackUserData);\n\tCServer *pSelf = (CServer *)pUserData;\n\tif(pResult->NumArguments())\n\t{\n\t\tstr_clean_whitespaces(pSelf->Config()->m_SvName);\n\t\tpSelf->SendServerInfo(-1);\n\t}\n}", "project": "teeworlds", "hash": 266060629847273097848414328262274846858, "size": 10, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382034 }, { "func": "static size_t exif_convert_any_to_int(void *value, int format,\n int motorola_intel) {\n int s_den;\n unsigned u_den;\n\n switch(format) {\n case TAG_FMT_SBYTE:\n return *(signed char *)value;\n case TAG_FMT_BYTE:\n return *(unsigned char *)value;\n\n case TAG_FMT_USHORT:\n return php_ifd_get16u(value, motorola_intel);\n case TAG_FMT_ULONG:\n return php_ifd_get32u(value, motorola_intel);\n\n case TAG_FMT_URATIONAL:\n u_den = php_ifd_get32u(4+(char *)value, motorola_intel);\n if (u_den == 0) {\n return 0;\n } else {\n return php_ifd_get32u(value, motorola_intel) / u_den;\n }\n\n case TAG_FMT_SRATIONAL:\n s_den = php_ifd_get32s(4+(char *)value, motorola_intel);\n if (s_den == 0) {\n return 0;\n } else {\n return (size_t)((double)php_ifd_get32s(value, motorola_intel) / s_den);\n }\n\n case TAG_FMT_SSHORT:\n return php_ifd_get16u(value, motorola_intel);\n case TAG_FMT_SLONG:\n return php_ifd_get32s(value, motorola_intel);\n\n /* Not sure if this is correct (never seen float 
used in Exif format) */\n case TAG_FMT_SINGLE:\n return (size_t)*(float *)value;\n case TAG_FMT_DOUBLE:\n return (size_t)*(double *)value;\n }\n return 0;\n}", "project": "hhvm", "hash": 1216025315962177127927748879091701768, "size": 45, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219361 }, { "func": "void set_offset(void) {\n\tWindow w;\n\tif (! subwin) {\n\t\treturn;\n\t}\n\tX_LOCK;\n\txtranslate(window, rootwin, 0, 0, &off_x, &off_y, &w, 0);\n\tX_UNLOCK;\n}", "project": "x11vnc", "hash": 287800007472450452736940969321504964598, "size": 9, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360778 }, { "func": "static void mpol_rebind_preferred(struct mempolicy *pol,\n\t\t\t\t\t\tconst nodemask_t *nodes)\n{\n\tnodemask_t tmp;\n\n\tif (pol->flags & MPOL_F_STATIC_NODES) {\n\t\tint node = first_node(pol->w.user_nodemask);\n\n\t\tif (node_isset(node, *nodes)) {\n\t\t\tpol->v.preferred_node = node;\n\t\t\tpol->flags &= ~MPOL_F_LOCAL;\n\t\t} else\n\t\t\tpol->flags |= MPOL_F_LOCAL;\n\t} else if (pol->flags & MPOL_F_RELATIVE_NODES) {\n\t\tmpol_relative_nodemask(&tmp, &pol->w.user_nodemask, nodes);\n\t\tpol->v.preferred_node = first_node(tmp);\n\t} else if (!(pol->flags & MPOL_F_LOCAL)) {\n\t\tpol->v.preferred_node = node_remap(pol->v.preferred_node,\n\t\t\t\t\t\t pol->w.cpuset_mems_allowed,\n\t\t\t\t\t\t *nodes);\n\t\tpol->w.cpuset_mems_allowed = *nodes;\n\t}\n}", "project": "linux", "hash": 105085778844314681937167786159206375136, "size": 23, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string 
that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366772 }, { "func": "static void tcp_update_scoreboard(struct sock *sk, int fast_rexmit)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\tif (tcp_is_reno(tp)) {\n\t\ttcp_mark_head_lost(sk, 1, 1);\n\t} else if (tcp_is_fack(tp)) {\n\t\tint lost = tp->fackets_out - tp->reordering;\n\t\tif (lost <= 0)\n\t\t\tlost = 1;\n\t\ttcp_mark_head_lost(sk, lost, 0);\n\t} else {\n\t\tint sacked_upto = tp->sacked_out - tp->reordering;\n\t\tif (sacked_upto >= 0)\n\t\t\ttcp_mark_head_lost(sk, sacked_upto, 0);\n\t\telse if (fast_rexmit)\n\t\t\ttcp_mark_head_lost(sk, 1, 1);\n\t}\n\n\ttcp_timeout_skbs(sk);\n}", "project": "net-next", "hash": 45270581961595900117080875457291664531, "size": 21, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409942 }, { "func": "static void free_constraint_attributes(void)\n{\n\tint i;\n\n\tfor (i = 0; i < MAX_CONSTRAINTS_PER_ZONE; ++i) {\n\t\tkfree(constraint_attrs[i].power_limit_attr.attr.name);\n\t\tkfree(constraint_attrs[i].time_window_attr.attr.name);\n\t\tkfree(constraint_attrs[i].name_attr.attr.name);\n\t\tkfree(constraint_attrs[i].max_power_attr.attr.name);\n\t\tkfree(constraint_attrs[i].min_power_attr.attr.name);\n\t\tkfree(constraint_attrs[i].max_time_window_attr.attr.name);\n\t\tkfree(constraint_attrs[i].min_time_window_attr.attr.name);\n\t}\n}", "project": "linux", "hash": 92596723278694606115807547533921320562, "size": 14, "commit_id": "949dd0104c496fa7c14991a23c03c62e44637e71", "message": "powercap: restrict energy meter to root access\n\nRemove non-privileged user access to power data contained in\n/sys/class/powercap/intel-rapl*/*/energy_uj\n\nNon-privileged users currently have read access to power data and can\nuse this data to form a security attack. Some privileged\ndrivers/applications need read access to this data, but don't expose it\nto non-privileged users.\n\nFor example, thermald uses this data to ensure that power management\nworks correctly. 
Thus removing non-privileged access is preferred over\ncompletely disabling this power reporting capability with\nCONFIG_INTEL_RAPL=n.\n\nFixes: 95677a9a3847 (\"PowerCap: Fix mode for energy counter\")\n\nSigned-off-by: Len Brown \nCc: stable@vger.kernel.org", "target": 0, "dataset": "other", "idx": 310351 }, { "func": "ofpact_finish(struct ofpbuf *ofpacts, struct ofpact *ofpact)\n{\n ptrdiff_t len;\n\n ovs_assert(ofpact == ofpacts->header);\n len = (char *) ofpbuf_tail(ofpacts) - (char *) ofpact;\n ovs_assert(len > 0 && len <= UINT16_MAX);\n ofpact->len = len;\n ofpbuf_padto(ofpacts, OFPACT_ALIGN(ofpacts->size));\n\n return ofpacts->header;\n}", "project": "ovs", "hash": 179897345502609215492396615712613502496, "size": 12, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse 
utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280625 }, { "func": "put_reg_load(struct ofpbuf *openflow,\n const struct mf_subfield *dst, uint64_t value)\n{\n ovs_assert(dst->n_bits <= 64);\n\n struct nx_action_reg_load *narl = put_NXAST_REG_LOAD(openflow);\n narl->ofs_nbits = nxm_encode_ofs_nbits(dst->ofs, dst->n_bits);\n narl->dst = htonl(nxm_header_from_mff(dst->field));\n narl->value = htonll(value);\n}", "project": "ovs", "hash": 133823203891670223489898107288284590753, "size": 10, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. 
However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280853 }, { "func": "static int any_slab_objects(struct kmem_cache *s)\n{\n\tint node;\n\tstruct kmem_cache_node *n;\n\n\tfor_each_kmem_cache_node(s, node, n)\n\t\tif (atomic_long_read(&n->total_objects))\n\t\t\treturn 1;\n\n\treturn 0;\n}", "project": "linux", 
"hash": 292045607052649518081755618503441522297, "size": 11, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280053 }, { "func": "static void vhost_tx_batch(struct vhost_net *net,\n\t\t\t struct vhost_net_virtqueue *nvq,\n\t\t\t struct socket *sock,\n\t\t\t struct msghdr *msghdr)\n{\n\tstruct tun_msg_ctl ctl = {\n\t\t.type = TUN_MSG_PTR,\n\t\t.num = nvq->batched_xdp,\n\t\t.ptr = nvq->xdp,\n\t};\n\tint err;\n\n\tif (nvq->batched_xdp == 0)\n\t\tgoto signal_used;\n\n\tmsghdr->msg_control = &ctl;\n\terr = sock->ops->sendmsg(sock, msghdr, 0);\n\tif (unlikely(err < 0)) {\n\t\tvq_err(&nvq->vq, \"Fail to batch sending packets\\n\");\n\t\treturn;\n\t}\n\nsignal_used:\n\tvhost_net_signal_used(nvq);\n\tnvq->batched_xdp = 0;\n}", "project": "linux", "hash": 111316456496463102138882384158298621038, "size": 26, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 
bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 441970 }, { "func": "static void input_pass_values(struct input_dev *dev,\n\t\t\t struct input_value *vals, unsigned int count)\n{\n\tstruct input_handle *handle;\n\tstruct input_value *v;\n\n\tif (!count)\n\t\treturn;\n\n\trcu_read_lock();\n\n\thandle = rcu_dereference(dev->grab);\n\tif (handle) {\n\t\tcount = input_to_handler(handle, vals, count);\n\t} else {\n\t\tlist_for_each_entry_rcu(handle, &dev->h_list, d_node)\n\t\t\tif (handle->open) {\n\t\t\t\tcount = input_to_handler(handle, vals, count);\n\t\t\t\tif (!count)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t}\n\n\trcu_read_unlock();\n\n\t/* trigger auto repeat for key events */\n\tif (test_bit(EV_REP, dev->evbit) && test_bit(EV_KEY, dev->evbit)) {\n\t\tfor (v = vals; v != vals + count; v++) {\n\t\t\tif (v->type == EV_KEY && v->value != 2) {\n\t\t\t\tif (v->value)\n\t\t\t\t\tinput_start_autorepeat(dev, v->code);\n\t\t\t\telse\n\t\t\t\t\tinput_stop_autorepeat(dev);\n\t\t\t}\n\t\t}\n\t}\n}", "project": "linux", "hash": 49454291393528569881551733485997791485, "size": 37, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353365 }, { "func": "int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\tdo {\n\t\terr = nfs4_handle_exception(server,\n\t\t\t\t_nfs4_server_capabilities(server, fhandle),\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 320073146801118275768005726999394613630, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431223 }, { "func": "void umd_cleanup_helper(struct umd_info *info)\n{\n\tfput(info->pipe_to_umh);\n\tfput(info->pipe_from_umh);\n\tput_pid(info->tgid);\n\tinfo->tgid = NULL;\n}", "project": "linux", "hash": 94224630803158495459545766312811877039, "size": 7, "commit_id": "f60a85cad677c4f9bb4cadd764f1d106c38c7cf8", "message": "bpf: Fix umd memory leak in copy_process()\n\nThe syzbot reported a memleak as follows:\n\nBUG: memory leak\nunreferenced object 0xffff888101b41d00 (size 120):\n comm \"kworker/u4:0\", pid 8, jiffies 4294944270 (age 12.780s)\n backtrace:\n [] alloc_pid+0x66/0x560\n [] copy_process+0x1465/0x25e0\n [] kernel_clone+0xf3/0x670\n [] kernel_thread+0x61/0x80\n [] call_usermodehelper_exec_work\n [] 
call_usermodehelper_exec_work+0xc4/0x120\n [] process_one_work+0x2c9/0x600\n [] worker_thread+0x59/0x5d0\n [] kthread+0x178/0x1b0\n [] ret_from_fork+0x1f/0x30\n\nunreferenced object 0xffff888110ef5c00 (size 232):\n comm \"kworker/u4:0\", pid 8414, jiffies 4294944270 (age 12.780s)\n backtrace:\n [] kmem_cache_zalloc\n [] __alloc_file+0x1f/0xf0\n [] alloc_empty_file+0x69/0x120\n [] alloc_file+0x33/0x1b0\n [] alloc_file_pseudo+0xb2/0x140\n [] create_pipe_files+0x138/0x2e0\n [] umd_setup+0x33/0x220\n [] call_usermodehelper_exec_async+0xb4/0x1b0\n [] ret_from_fork+0x1f/0x30\n\nAfter the UMD process exits, the pipe_to_umh/pipe_from_umh and\ntgid need to be released.\n\nFixes: d71fa5c9763c (\"bpf: Add kernel module with user mode driver that populates bpffs.\")\nReported-by: syzbot+44908bb56d2bfe56b28e@syzkaller.appspotmail.com\nSigned-off-by: Zqiang \nSigned-off-by: Daniel Borkmann \nLink: https://lore.kernel.org/bpf/20210317030915.2865-1-qiang.zhang@windriver.com", "target": 0, "dataset": "other", "idx": 385302 }, { "func": "static void add_tracer_options(struct trace_array *tr, struct tracer *t)\n{\n\t/* Only enable if the directory has been created already. */\n\tif (!tr->dir)\n\t\treturn;\n\n\tcreate_trace_option_files(tr, t);\n}", "project": "linux", "hash": 301768794101988203262821277708731899727, "size": 8, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445664 }, { "func": "bool CWebSession::IsAdmin() const { return IsLoggedIn() && m_pUser->IsAdmin(); }", "project": "znc", "hash": 5239729587371486677418440059251952812, "size": 1, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265801 }, { "func": "static uint64_t htonll(uint64_t n)\n{\n#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__\n uint32_t *i = (uint32_t*)&n;\n uint32_t b = i[0];\n i[0] = htonl(i[1]);\n i[1] = htonl(b);\n#endif\n return n;\n}", "project": "rpm", "hash": 87034243933017261877002486146668910196, "size": 10, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318191 }, { "func": "static ssize_t tracing_splice_read_pipe(struct file *filp,\n\t\t\t\t\tloff_t *ppos,\n\t\t\t\t\tstruct pipe_inode_info *pipe,\n\t\t\t\t\tsize_t len,\n\t\t\t\t\tunsigned int flags)\n{\n\tstruct page *pages_def[PIPE_DEF_BUFFERS];\n\tstruct partial_page partial_def[PIPE_DEF_BUFFERS];\n\tstruct trace_iterator *iter = filp->private_data;\n\tstruct splice_pipe_desc spd = {\n\t\t.pages\t\t= pages_def,\n\t\t.partial\t= partial_def,\n\t\t.nr_pages\t= 0, /* This gets updated below. 
*/\n\t\t.nr_pages_max\t= PIPE_DEF_BUFFERS,\n\t\t.ops\t\t= &tracing_pipe_buf_ops,\n\t\t.spd_release\t= tracing_spd_release_pipe,\n\t};\n\tssize_t ret;\n\tsize_t rem;\n\tunsigned int i;\n\n\tif (splice_grow_spd(pipe, &spd))\n\t\treturn -ENOMEM;\n\n\tmutex_lock(&iter->mutex);\n\n\tif (iter->trace->splice_read) {\n\t\tret = iter->trace->splice_read(iter, filp,\n\t\t\t\t\t ppos, pipe, len, flags);\n\t\tif (ret)\n\t\t\tgoto out_err;\n\t}\n\n\tret = tracing_wait_pipe(filp);\n\tif (ret <= 0)\n\t\tgoto out_err;\n\n\tif (!iter->ent && !trace_find_next_entry_inc(iter)) {\n\t\tret = -EFAULT;\n\t\tgoto out_err;\n\t}\n\n\ttrace_event_read_lock();\n\ttrace_access_lock(iter->cpu_file);\n\n\t/* Fill as many pages as possible. */\n\tfor (i = 0, rem = len; i < spd.nr_pages_max && rem; i++) {\n\t\tspd.pages[i] = alloc_page(GFP_KERNEL);\n\t\tif (!spd.pages[i])\n\t\t\tbreak;\n\n\t\trem = tracing_fill_pipe_page(rem, iter);\n\n\t\t/* Copy the data into the page, so we can start over. */\n\t\tret = trace_seq_to_buffer(&iter->seq,\n\t\t\t\t\t page_address(spd.pages[i]),\n\t\t\t\t\t trace_seq_used(&iter->seq));\n\t\tif (ret < 0) {\n\t\t\t__free_page(spd.pages[i]);\n\t\t\tbreak;\n\t\t}\n\t\tspd.partial[i].offset = 0;\n\t\tspd.partial[i].len = trace_seq_used(&iter->seq);\n\n\t\ttrace_seq_init(&iter->seq);\n\t}\n\n\ttrace_access_unlock(iter->cpu_file);\n\ttrace_event_read_unlock();\n\tmutex_unlock(&iter->mutex);\n\n\tspd.nr_pages = i;\n\n\tif (i)\n\t\tret = splice_to_pipe(pipe, &spd);\n\telse\n\t\tret = 0;\nout:\n\tsplice_shrink_spd(&spd);\n\treturn ret;\n\nout_err:\n\tmutex_unlock(&iter->mutex);\n\tgoto out;\n}", "project": "linux", "hash": 3438063633939440035979747907346381536, "size": 85, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are 
not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445620 }, { "func": "static void opj_j2k_write_poc_in_memory(opj_j2k_t *p_j2k,\n OPJ_BYTE * p_data,\n OPJ_UINT32 * p_data_written,\n opj_event_mgr_t * p_manager\n )\n{\n OPJ_UINT32 i;\n OPJ_BYTE * l_current_data = 00;\n OPJ_UINT32 l_nb_comp;\n OPJ_UINT32 l_nb_poc;\n OPJ_UINT32 l_poc_size;\n opj_image_t *l_image = 00;\n opj_tcp_t *l_tcp = 00;\n opj_tccp_t *l_tccp = 00;\n opj_poc_t *l_current_poc = 00;\n OPJ_UINT32 l_poc_room;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n OPJ_UNUSED(p_manager);\n\n l_tcp = &p_j2k->m_cp.tcps[p_j2k->m_current_tile_number];\n l_tccp = &l_tcp->tccps[0];\n l_image = p_j2k->m_private_image;\n l_nb_comp = l_image->numcomps;\n l_nb_poc = 1 + l_tcp->numpocs;\n\n if (l_nb_comp <= 256) {\n l_poc_room = 1;\n } else {\n l_poc_room = 2;\n }\n\n l_poc_size = 4 + (5 + 2 * l_poc_room) * l_nb_poc;\n\n l_current_data = p_data;\n\n opj_write_bytes(l_current_data, J2K_MS_POC,\n 2); /* POC */\n l_current_data += 2;\n\n opj_write_bytes(l_current_data, l_poc_size - 2,\n 2); /* Lpoc */\n l_current_data += 2;\n\n l_current_poc = l_tcp->pocs;\n for (i = 0; i < l_nb_poc; ++i) {\n opj_write_bytes(l_current_data, l_current_poc->resno0,\n 1); /* RSpoc_i */\n ++l_current_data;\n\n opj_write_bytes(l_current_data, l_current_poc->compno0,\n l_poc_room); /* CSpoc_i */\n l_current_data += l_poc_room;\n\n opj_write_bytes(l_current_data, l_current_poc->layno1,\n 2); /* LYEpoc_i */\n l_current_data += 2;\n\n opj_write_bytes(l_current_data, 
l_current_poc->resno1,\n 1); /* REpoc_i */\n ++l_current_data;\n\n opj_write_bytes(l_current_data, l_current_poc->compno1,\n l_poc_room); /* CEpoc_i */\n l_current_data += l_poc_room;\n\n opj_write_bytes(l_current_data, (OPJ_UINT32)l_current_poc->prg,\n 1); /* Ppoc_i */\n ++l_current_data;\n\n /* change the value of the max layer according to the actual number of layers in the file, components and resolutions*/\n l_current_poc->layno1 = (OPJ_UINT32)opj_int_min((OPJ_INT32)\n l_current_poc->layno1, (OPJ_INT32)l_tcp->numlayers);\n l_current_poc->resno1 = (OPJ_UINT32)opj_int_min((OPJ_INT32)\n l_current_poc->resno1, (OPJ_INT32)l_tccp->numresolutions);\n l_current_poc->compno1 = (OPJ_UINT32)opj_int_min((OPJ_INT32)\n l_current_poc->compno1, (OPJ_INT32)l_nb_comp);\n\n ++l_current_poc;\n }\n\n *p_data_written = l_poc_size;\n}", "project": "openjpeg", "hash": 184153072910468452157733230005915590532, "size": 86, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357287 }, { "func": "static int tracing_open_pipe(struct inode *inode, struct file *filp)\n{\n\tstruct trace_array *tr = inode->i_private;\n\tstruct trace_iterator *iter;\n\tint ret = 0;\n\n\tif (tracing_disabled)\n\t\treturn -ENODEV;\n\n\tif (trace_array_get(tr) < 0)\n\t\treturn -ENODEV;\n\n\tmutex_lock(&trace_types_lock);\n\n\t/* create a buffer to store the information to pass to userspace */\n\titer = kzalloc(sizeof(*iter), GFP_KERNEL);\n\tif (!iter) {\n\t\tret = -ENOMEM;\n\t\t__trace_array_put(tr);\n\t\tgoto out;\n\t}\n\n\ttrace_seq_init(&iter->seq);\n\titer->trace = tr->current_trace;\n\n\tif (!alloc_cpumask_var(&iter->started, GFP_KERNEL)) {\n\t\tret = -ENOMEM;\n\t\tgoto fail;\n\t}\n\n\t/* trace pipe does not show start of buffer */\n\tcpumask_setall(iter->started);\n\n\tif (tr->trace_flags & TRACE_ITER_LATENCY_FMT)\n\t\titer->iter_flags |= 
TRACE_FILE_LAT_FMT;\n\n\t/* Output in nanoseconds only if we are using a clock in nanoseconds. */\n\tif (trace_clocks[tr->clock_id].in_ns)\n\t\titer->iter_flags |= TRACE_FILE_TIME_IN_NS;\n\n\titer->tr = tr;\n\titer->trace_buffer = &tr->trace_buffer;\n\titer->cpu_file = tracing_get_cpu(inode);\n\tmutex_init(&iter->mutex);\n\tfilp->private_data = iter;\n\n\tif (iter->trace->pipe_open)\n\t\titer->trace->pipe_open(iter);\n\n\tnonseekable_open(inode, filp);\n\n\ttr->current_trace->ref++;\nout:\n\tmutex_unlock(&trace_types_lock);\n\treturn ret;\n\nfail:\n\tkfree(iter->trace);\n\tkfree(iter);\n\t__trace_array_put(tr);\n\tmutex_unlock(&trace_types_lock);\n\treturn ret;\n}", "project": "linux", "hash": 234273526731274008527877028732063736713, "size": 63, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445745 }, { "func": "\nstatic void bfq_update_wr_data(struct bfq_data *bfqd, struct bfq_queue *bfqq)\n{\n\tstruct bfq_entity *entity = &bfqq->entity;\n\n\tif (bfqq->wr_coeff > 1) { /* queue is being weight-raised */\n\t\tbfq_log_bfqq(bfqd, bfqq,\n\t\t\t\"raising period dur %u/%u msec, old coeff %u, w %d(%d)\",\n\t\t\tjiffies_to_msecs(jiffies - bfqq->last_wr_start_finish),\n\t\t\tjiffies_to_msecs(bfqq->wr_cur_max_time),\n\t\t\tbfqq->wr_coeff,\n\t\t\tbfqq->entity.weight, bfqq->entity.orig_weight);\n\n\t\tif (entity->prio_changed)\n\t\t\tbfq_log_bfqq(bfqd, bfqq, \"WARN: pending prio change\");\n\n\t\t/*\n\t\t * If the queue was activated in a burst, or too much\n\t\t * time has elapsed from the beginning of this\n\t\t * weight-raising period, then end weight raising.\n\t\t */\n\t\tif (bfq_bfqq_in_large_burst(bfqq))\n\t\t\tbfq_bfqq_end_wr(bfqq);\n\t\telse if (time_is_before_jiffies(bfqq->last_wr_start_finish +\n\t\t\t\t\t\tbfqq->wr_cur_max_time)) {\n\t\t\tif (bfqq->wr_cur_max_time != bfqd->bfq_wr_rt_max_time ||\n\t\t\ttime_is_before_jiffies(bfqq->wr_start_at_switch_to_srt +\n\t\t\t\t\t bfq_wr_duration(bfqd)))\n\t\t\t\tbfq_bfqq_end_wr(bfqq);\n\t\t\telse {\n\t\t\t\tswitch_back_to_interactive_wr(bfqq, bfqd);\n\t\t\t\tbfqq->entity.prio_changed = 1;\n\t\t\t}\n\t\t}\n\t\tif (bfqq->wr_coeff > 1 &&\n\t\t bfqq->wr_cur_max_time != bfqd->bfq_wr_rt_max_time &&\n\t\t bfqq->service_from_wr > max_service_from_wr) {\n\t\t\t/* see comments on max_service_from_wr */\n\t\t\tbfq_bfqq_end_wr(bfqq);\n\t\t}\n\t}\n\t/*\n\t * To improve latency (for this or other queues), immediately\n\t * update 
weight both if it must be raised and if it must be\n\t * lowered. Since, entity may be on some active tree here, and\n\t * might have a pending change of its ioprio class, invoke\n\t * next function with the last parameter unset (see the\n\t * comments on the function).\n\t */\n\tif ((entity->weight > entity->orig_weight) != (bfqq->wr_coeff > 1))\n\t\t__bfq_entity_update_weight_prio(bfq_entity_service_tree(entity),\n\t\t\t\t\t\tentity, false);", "project": "linux", "hash": 103647025553299072634605087320223567978, "size": 52, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453404 }, { "func": "static int sctp_get_port(struct sock *sk, unsigned short snum)\n{\n\tunion sctp_addr addr;\n\tstruct sctp_af *af = sctp_sk(sk)->pf->af;\n\n\t/* Set up a dummy address struct from the sk. */\n\taf->from_sk(&addr, sk);\n\taddr.v4.sin_port = htons(snum);\n\n\t/* Note: sk->sk_num gets filled in if ephemeral port request. */\n\treturn sctp_get_port_local(sk, &addr);\n}", "project": "linux", "hash": 169282626039339151093492951259923841001, "size": 12, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. 
In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398099 }, { "func": "static size_t strnlen(const char *s, size_t maxlen) {\n char *r = (char *)memchr(s, '\\0', maxlen);\n return r ? r-s : maxlen;\n}", "project": "php-src", "hash": 6228187960077737528164619605847136269, "size": 4, "commit_id": "07c7df68bd68bbe706371fccc77c814ebb335d9e", "message": "Fixed bug #71488: Stack overflow when decompressing tar archives", "target": 0, "dataset": "other", "idx": 355576 }, { "func": "static int toggle_sync_simple(struct usbtest_dev *dev)\n{\n\tint\t\t\tep;\n\tint\t\t\tretval = 0;\n\tstruct urb\t\t*urb;\n\tstruct usb_device\t*udev = testdev_to_usbdev(dev);\n\tunsigned\t\tmaxp = get_maxpacket(udev, dev->out_pipe);\n\n\t/*\n\t * Create a URB that causes a transfer of uneven amount of data packets\n\t * This way the clear toggle has an impact on the data toggle sequence.\n\t * Use 2 maxpacket length packets and one zero packet.\n\t */\n\turb = simple_alloc_urb(udev, 0, 2 * maxp, 0);\n\tif (urb == NULL)\n\t\treturn -ENOMEM;\n\n\turb->transfer_flags |= URB_ZERO_PACKET;\n\n\tep = usb_pipeendpoint(dev->out_pipe);\n\turb->pipe = dev->out_pipe;\n\tretval = test_toggle_sync(dev, ep, urb);\n\n\tsimple_free_urb(urb);\n\treturn retval;\n}", "project": "linux", "hash": 122520746921348765469998614284492558023, "size": 26, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in 
usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: 
https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412239 }, { "func": "static bool pmc_overflow(unsigned long val)\n{\n\tif ((int)val < 0)\n\t\treturn true;\n\n\treturn false;\n}", "project": "linux", "hash": 102320273277261004415327230599737878508, "size": 7, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374699 }, { "func": "static int queue_prio(const struct intel_engine_execlists *execlists)\n{\n\tstruct i915_priolist *p;\n\tstruct rb_node *rb;\n\n\trb = rb_first_cached(&execlists->queue);\n\tif (!rb)\n\t\treturn INT_MIN;\n\n\t/*\n\t * As the priolist[] are inverted, with the highest priority in [0],\n\t * we have to flip the index value to become priority.\n\t */\n\tp = to_priolist(rb);\n\treturn ((p->priority + 1) << I915_USER_PRIORITY_SHIFT) - ffs(p->used);\n}", "project": "linux", "hash": 246861248937691279521389000381287235821, "size": 16, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281476 }, { "func": " explicit RandomUniformIntOp(OpKernelConstruction* ctx) : OpKernel(ctx) {\n OP_REQUIRES_OK(ctx, generator_.Init(ctx));\n }", "project": "tensorflow", "hash": 201012116430023574776998750883971987882, "size": 3, "commit_id": "27b417360cbd671ef55915e4bb6bb06af8b8a832", "message": "Prevent `int64` to `int` truncation in `Shard` API usage.\n\nThe function argument in `Shard` must be a function of two `int64` arguments. However, we are passing in a function with two `int` arguments. Thus, for large workloads, these arguments get truncated from positive `int64` values to negative `int` ones, resulting in a buffer out of bounds write.\n\nPiperOrigin-RevId: 332557334\nChange-Id: I236c9a2e7f53580e520571da8ba941a3aa9fa0b5", "target": 0, "dataset": "other", "idx": 262656 }, { "func": "static inline size_t fuse_get_frag_size(const struct iov_iter *ii,\n\t\t\t\t\tsize_t max_size)\n{\n\treturn min(iov_iter_single_seg_count(ii), max_size);\n}", "project": "linux", "hash": 36875066126281562643659000727133389297, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341899 }, { "func": "static OPJ_BOOL opj_tcd_dc_level_shift_decode(opj_tcd_t *p_tcd)\n{\n OPJ_UINT32 compno;\n opj_tcd_tilecomp_t * l_tile_comp = 00;\n opj_tccp_t * l_tccp = 00;\n opj_image_comp_t * l_img_comp = 00;\n opj_tcd_resolution_t* l_res = 00;\n opj_tcd_tile_t * l_tile;\n OPJ_UINT32 l_width, l_height, i, j;\n OPJ_INT32 * l_current_ptr;\n OPJ_INT32 l_min, l_max;\n OPJ_UINT32 l_stride;\n\n l_tile = p_tcd->tcd_image->tiles;\n l_tile_comp = l_tile->comps;\n l_tccp = p_tcd->tcp->tccps;\n l_img_comp = p_tcd->image->comps;\n\n for (compno = 0; compno < l_tile->numcomps;\n compno++, ++l_img_comp, ++l_tccp, ++l_tile_comp) {\n\n if (p_tcd->used_component != NULL && !p_tcd->used_component[compno]) {\n continue;\n }\n\n l_res = l_tile_comp->resolutions + l_img_comp->resno_decoded;\n\n if (!p_tcd->whole_tile_decoding) {\n l_width = l_res->win_x1 - l_res->win_x0;\n l_height = l_res->win_y1 - l_res->win_y0;\n l_stride = 0;\n l_current_ptr = l_tile_comp->data_win;\n } else {\n l_width = (OPJ_UINT32)(l_res->x1 - l_res->x0);\n l_height = (OPJ_UINT32)(l_res->y1 - l_res->y0);\n l_stride = (OPJ_UINT32)(\n l_tile_comp->resolutions[l_tile_comp->minimum_num_resolutions - 1].x1 -\n l_tile_comp->resolutions[l_tile_comp->minimum_num_resolutions - 1].x0)\n - l_width;\n l_current_ptr = 
l_tile_comp->data;\n\n assert(l_height == 0 ||\n l_width + l_stride <= l_tile_comp->data_size / l_height); /*MUPDF*/\n }\n\n if (l_img_comp->sgnd) {\n l_min = -(1 << (l_img_comp->prec - 1));\n l_max = (1 << (l_img_comp->prec - 1)) - 1;\n } else {\n l_min = 0;\n l_max = (OPJ_INT32)((1U << l_img_comp->prec) - 1);\n }\n\n\n if (l_tccp->qmfbid == 1) {\n for (j = 0; j < l_height; ++j) {\n for (i = 0; i < l_width; ++i) {\n /* TODO: do addition on int64 ? */\n *l_current_ptr = opj_int_clamp(*l_current_ptr + l_tccp->m_dc_level_shift, l_min,\n l_max);\n ++l_current_ptr;\n }\n l_current_ptr += l_stride;\n }\n } else {\n for (j = 0; j < l_height; ++j) {\n for (i = 0; i < l_width; ++i) {\n OPJ_FLOAT32 l_value = *((OPJ_FLOAT32 *) l_current_ptr);\n if (l_value > INT_MAX) {\n *l_current_ptr = l_max;\n } else if (l_value < INT_MIN) {\n *l_current_ptr = l_min;\n } else {\n /* Do addition on int64 to avoid overflows */\n OPJ_INT64 l_value_int = (OPJ_INT64)opj_lrintf(l_value);\n *l_current_ptr = (OPJ_INT32)opj_int64_clamp(\n l_value_int + l_tccp->m_dc_level_shift, l_min, l_max);\n }\n ++l_current_ptr;\n }\n l_current_ptr += l_stride;\n }\n }\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 20576461197631196313001035400556105689, "size": 87, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359155 }, { "func": "int ssh_buffer_prepend_data(struct ssh_buffer_struct *buffer, const void *data,\n uint32_t len) {\n buffer_verify(buffer);\n\n if(len <= buffer->pos){\n /* It's possible to insert data between begin and pos */\n memcpy(buffer->data + (buffer->pos - len), data, len);\n buffer->pos -= len;\n buffer_verify(buffer);\n return 0;\n }\n /* pos isn't high enough */\n if (buffer->used - buffer->pos + len < len) {\n return -1;\n }\n\n if (buffer->allocated < (buffer->used - buffer->pos + len)) {\n if (realloc_buffer(buffer, 
buffer->used - buffer->pos + len) < 0) {\n return -1;\n }\n }\n memmove(buffer->data + len, buffer->data + buffer->pos, buffer->used - buffer->pos);\n memcpy(buffer->data, data, len);\n buffer->used += len - buffer->pos;\n buffer->pos = 0;\n buffer_verify(buffer);\n return 0;\n}", "project": "libssh-mirror", "hash": 304615713793485052039706869132691569107, "size": 28, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345167 }, { "func": "static void io_get_req_task(struct io_kiocb *req)\n{\n\tif (req->flags & REQ_F_TASK_PINNED)\n\t\treturn;\n\tget_task_struct(req->task);\n\treq->flags |= REQ_F_TASK_PINNED;\n}", "project": "linux", "hash": 145123518348712426394918396125077054300, "size": 7, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456958 }, { "func": "static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)\n{\n\tstruct sk_buff *skb = NULL;\n\tstruct net_device *dev;\n\tstruct virtio_net_hdr *vnet_hdr = NULL;\n\tstruct sockcm_cookie sockc;\n\t__be16 proto;\n\tint err, reserve = 0;\n\tvoid *ph;\n\tDECLARE_SOCKADDR(struct sockaddr_ll *, saddr, msg->msg_name);\n\tbool need_wait = !(msg->msg_flags & MSG_DONTWAIT);\n\tunsigned char *addr = NULL;\n\tint tp_len, 
size_max;\n\tvoid *data;\n\tint len_sum = 0;\n\tint status = TP_STATUS_AVAILABLE;\n\tint hlen, tlen, copylen = 0;\n\tlong timeo = 0;\n\n\tmutex_lock(&po->pg_vec_lock);\n\n\t/* packet_sendmsg() check on tx_ring.pg_vec was lockless,\n\t * we need to confirm it under protection of pg_vec_lock.\n\t */\n\tif (unlikely(!po->tx_ring.pg_vec)) {\n\t\terr = -EBUSY;\n\t\tgoto out;\n\t}\n\tif (likely(saddr == NULL)) {\n\t\tdev\t= packet_cached_dev_get(po);\n\t\tproto\t= po->num;\n\t} else {\n\t\terr = -EINVAL;\n\t\tif (msg->msg_namelen < sizeof(struct sockaddr_ll))\n\t\t\tgoto out;\n\t\tif (msg->msg_namelen < (saddr->sll_halen\n\t\t\t\t\t+ offsetof(struct sockaddr_ll,\n\t\t\t\t\t\tsll_addr)))\n\t\t\tgoto out;\n\t\tproto\t= saddr->sll_protocol;\n\t\tdev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);\n\t\tif (po->sk.sk_socket->type == SOCK_DGRAM) {\n\t\t\tif (dev && msg->msg_namelen < dev->addr_len +\n\t\t\t\t offsetof(struct sockaddr_ll, sll_addr))\n\t\t\t\tgoto out_put;\n\t\t\taddr = saddr->sll_addr;\n\t\t}\n\t}\n\n\terr = -ENXIO;\n\tif (unlikely(dev == NULL))\n\t\tgoto out;\n\terr = -ENETDOWN;\n\tif (unlikely(!(dev->flags & IFF_UP)))\n\t\tgoto out_put;\n\n\tsockcm_init(&sockc, &po->sk);\n\tif (msg->msg_controllen) {\n\t\terr = sock_cmsg_send(&po->sk, msg, &sockc);\n\t\tif (unlikely(err))\n\t\t\tgoto out_put;\n\t}\n\n\tif (po->sk.sk_socket->type == SOCK_RAW)\n\t\treserve = dev->hard_header_len;\n\tsize_max = po->tx_ring.frame_size\n\t\t- (po->tp_hdrlen - sizeof(struct sockaddr_ll));\n\n\tif ((size_max > dev->mtu + reserve + VLAN_HLEN) && !po->has_vnet_hdr)\n\t\tsize_max = dev->mtu + reserve + VLAN_HLEN;\n\n\treinit_completion(&po->skb_completion);\n\n\tdo {\n\t\tph = packet_current_frame(po, &po->tx_ring,\n\t\t\t\t\t TP_STATUS_SEND_REQUEST);\n\t\tif (unlikely(ph == NULL)) {\n\t\t\tif (need_wait && skb) {\n\t\t\t\ttimeo = sock_sndtimeo(&po->sk, msg->msg_flags & MSG_DONTWAIT);\n\t\t\t\ttimeo = wait_for_completion_interruptible_timeout(&po->skb_completion, 
timeo);\n\t\t\t\tif (timeo <= 0) {\n\t\t\t\t\terr = !timeo ? -ETIMEDOUT : -ERESTARTSYS;\n\t\t\t\t\tgoto out_put;\n\t\t\t\t}\n\t\t\t}\n\t\t\t/* check for additional frames */\n\t\t\tcontinue;\n\t\t}\n\n\t\tskb = NULL;\n\t\ttp_len = tpacket_parse_header(po, ph, size_max, &data);\n\t\tif (tp_len < 0)\n\t\t\tgoto tpacket_error;\n\n\t\tstatus = TP_STATUS_SEND_REQUEST;\n\t\thlen = LL_RESERVED_SPACE(dev);\n\t\ttlen = dev->needed_tailroom;\n\t\tif (po->has_vnet_hdr) {\n\t\t\tvnet_hdr = data;\n\t\t\tdata += sizeof(*vnet_hdr);\n\t\t\ttp_len -= sizeof(*vnet_hdr);\n\t\t\tif (tp_len < 0 ||\n\t\t\t __packet_snd_vnet_parse(vnet_hdr, tp_len)) {\n\t\t\t\ttp_len = -EINVAL;\n\t\t\t\tgoto tpacket_error;\n\t\t\t}\n\t\t\tcopylen = __virtio16_to_cpu(vio_le(),\n\t\t\t\t\t\t vnet_hdr->hdr_len);\n\t\t}\n\t\tcopylen = max_t(int, copylen, dev->hard_header_len);\n\t\tskb = sock_alloc_send_skb(&po->sk,\n\t\t\t\thlen + tlen + sizeof(struct sockaddr_ll) +\n\t\t\t\t(copylen - dev->hard_header_len),\n\t\t\t\t!need_wait, &err);\n\n\t\tif (unlikely(skb == NULL)) {\n\t\t\t/* we assume the socket was initially writeable ... 
*/\n\t\t\tif (likely(len_sum > 0))\n\t\t\t\terr = len_sum;\n\t\t\tgoto out_status;\n\t\t}\n\t\ttp_len = tpacket_fill_skb(po, skb, ph, dev, data, tp_len, proto,\n\t\t\t\t\t addr, hlen, copylen, &sockc);\n\t\tif (likely(tp_len >= 0) &&\n\t\t tp_len > dev->mtu + reserve &&\n\t\t !po->has_vnet_hdr &&\n\t\t !packet_extra_vlan_len_allowed(dev, skb))\n\t\t\ttp_len = -EMSGSIZE;\n\n\t\tif (unlikely(tp_len < 0)) {\ntpacket_error:\n\t\t\tif (po->tp_loss) {\n\t\t\t\t__packet_set_status(po, ph,\n\t\t\t\t\t\tTP_STATUS_AVAILABLE);\n\t\t\t\tpacket_increment_head(&po->tx_ring);\n\t\t\t\tkfree_skb(skb);\n\t\t\t\tcontinue;\n\t\t\t} else {\n\t\t\t\tstatus = TP_STATUS_WRONG_FORMAT;\n\t\t\t\terr = tp_len;\n\t\t\t\tgoto out_status;\n\t\t\t}\n\t\t}\n\n\t\tif (po->has_vnet_hdr) {\n\t\t\tif (virtio_net_hdr_to_skb(skb, vnet_hdr, vio_le())) {\n\t\t\t\ttp_len = -EINVAL;\n\t\t\t\tgoto tpacket_error;\n\t\t\t}\n\t\t\tvirtio_net_hdr_set_proto(skb, vnet_hdr);\n\t\t}\n\n\t\tskb->destructor = tpacket_destruct_skb;\n\t\t__packet_set_status(po, ph, TP_STATUS_SENDING);\n\t\tpacket_inc_pending(&po->tx_ring);\n\n\t\tstatus = TP_STATUS_SEND_REQUEST;\n\t\terr = po->xmit(skb);\n\t\tif (unlikely(err > 0)) {\n\t\t\terr = net_xmit_errno(err);\n\t\t\tif (err && __packet_get_status(po, ph) ==\n\t\t\t\t TP_STATUS_AVAILABLE) {\n\t\t\t\t/* skb was destructed already */\n\t\t\t\tskb = NULL;\n\t\t\t\tgoto out_status;\n\t\t\t}\n\t\t\t/*\n\t\t\t * skb was dropped but not destructed yet;\n\t\t\t * let's treat it like congestion or err < 0\n\t\t\t */\n\t\t\terr = 0;\n\t\t}\n\t\tpacket_increment_head(&po->tx_ring);\n\t\tlen_sum += tp_len;\n\t} while (likely((ph != NULL) ||\n\t\t/* Note: packet_read_pending() might be slow if we have\n\t\t * to call it as it's per_cpu variable, but in fast-path\n\t\t * we already short-circuit the loop with the first\n\t\t * condition, and luckily don't have to go that path\n\t\t * anyway.\n\t\t */\n\t\t (need_wait && packet_read_pending(&po->tx_ring))));\n\n\terr = len_sum;\n\tgoto 
out_put;\n\nout_status:\n\t__packet_set_status(po, ph, status);\n\tkfree_skb(skb);\nout_put:\n\tdev_put(dev);\nout:\n\tmutex_unlock(&po->pg_vec_lock);\n\treturn err;\n}", "project": "linux", "hash": 214877709506968461625713048686460234746, "size": 195, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330407 }, { "func": "static int vmmcall_interception(struct vcpu_svm *svm)\n{\n\treturn kvm_emulate_hypercall(&svm->vcpu);\n}", "project": "linux", "hash": 103186546093749325616612162986442074007, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432543 }, { "func": "static int vmmcall_interception(struct vcpu_svm *svm)\n{\n\tsvm->next_rip = kvm_rip_read(&svm->vcpu) + 3;\n\tskip_emulated_instruction(&svm->vcpu);\n\tkvm_emulate_hypercall(&svm->vcpu);\n\treturn 1;\n}", "project": "kvm", "hash": 219377873161635330426355991576950207996, "size": 7, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437544 }, { "func": "void kernel_sigaction(int sig, __sighandler_t action)\n{\n\tspin_lock_irq(¤t->sighand->siglock);\n\tcurrent->sighand->action[sig - 1].sa.sa_handler = action;\n\tif (action == SIG_IGN) {\n\t\tsigset_t mask;\n\n\t\tsigemptyset(&mask);\n\t\tsigaddset(&mask, sig);\n\n\t\tflush_sigqueue_mask(&mask, ¤t->signal->shared_pending);\n\t\tflush_sigqueue_mask(&mask, ¤t->pending);\n\t\trecalc_sigpending();\n\t}\n\tspin_unlock_irq(¤t->sighand->siglock);\n}", "project": "linux", "hash": 323021497661370637618794708924581569205, "size": 16, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375200 }, { "func": " Item_return_date_time(THD *thd, const char *name_arg, uint length_arg,\n enum_field_types field_type_arg):\n Item_partition_func_safe_string(thd, name_arg, length_arg, &my_charset_bin),\n date_time_field_type(field_type_arg)\n { decimals= 0; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 293619307122790628889357235772177720664, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509081 }, { "func": "void unregister_chrdev_region(dev_t from, unsigned count)\n{\n\tdev_t to = from + count;\n\tdev_t n, next;\n\n\tfor (n = from; n < to; n = next) {\n\t\tnext = MKDEV(MAJOR(n)+1, 0);\n\t\tif (next > to)\n\t\t\tnext = to;\n\t\tkfree(__unregister_chrdev_region(MAJOR(n), MINOR(n), next - n));\n\t}\n}", "project": "linux", "hash": 243365016169521060104980853350799785603, "size": 12, "commit_id": "68faa679b8be1a74e6663c21c3a9d25d32f1c079", "message": "chardev: Avoid potential use-after-free in 'chrdev_open()'\n\n'chrdev_open()' calls 'cdev_get()' to obtain a reference to the\n'struct cdev *' stashed in the 'i_cdev' field of the target inode\nstructure. If the pointer is NULL, then it is initialised lazily by\nlooking up the kobject in the 'cdev_map' and so the whole procedure is\nprotected by the 'cdev_lock' spinlock to serialise initialisation of\nthe shared pointer.\n\nUnfortunately, it is possible for the initialising thread to fail *after*\ninstalling the new pointer, for example if the subsequent '->open()' call\non the file fails. In this case, 'cdev_put()' is called, the reference\ncount on the kobject is dropped and, if nobody else has taken a reference,\nthe release function is called which finally clears 'inode->i_cdev' from\n'cdev_purge()' before potentially freeing the object. 
The problem here\nis that a racing thread can happily take the 'cdev_lock' and see the\nnon-NULL pointer in the inode, which can result in a refcount increment\nfrom zero and a warning:\n\n | ------------[ cut here ]------------\n | refcount_t: addition on 0; use-after-free.\n | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0\n | Modules linked in:\n | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\n | RIP: 0010:refcount_warn_saturate+0x6d/0xf0\n | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08\n | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282\n | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000\n | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798\n | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039\n | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700\n | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700\n | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0\n | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n | Call Trace:\n | kobject_get+0x5c/0x60\n | cdev_get+0x2b/0x60\n | chrdev_open+0x55/0x220\n | ? cdev_put.part.3+0x20/0x20\n | do_dentry_open+0x13a/0x390\n | path_openat+0x2c8/0x1470\n | do_filp_open+0x93/0x100\n | ? 
selinux_file_ioctl+0x17f/0x220\n | do_sys_open+0x186/0x220\n | do_syscall_64+0x48/0x150\n | entry_SYSCALL_64_after_hwframe+0x44/0xa9\n | RIP: 0033:0x7f3b87efcd0e\n | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4\n | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101\n | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e\n | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c\n | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000\n | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e\n | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000\n | ---[ end trace 24f53ca58db8180a ]---\n\nSince 'cdev_get()' can already fail to obtain a reference, simply move\nit over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',\nwhich will cause the racing thread to return -ENXIO if the initialising\nthread fails unexpectedly.\n\nCc: Hillf Danton \nCc: Andrew Morton \nCc: Al Viro \nReported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com\nSigned-off-by: Will Deacon \nCc: stable \nLink: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 446399 }, { "func": "int send_sigqueue(struct sigqueue *q, struct pid *pid, enum pid_type type)\n{\n\tint sig = q->info.si_signo;\n\tstruct sigpending *pending;\n\tstruct task_struct *t;\n\tunsigned long flags;\n\tint ret, result;\n\n\tBUG_ON(!(q->flags & SIGQUEUE_PREALLOC));\n\n\tret = -1;\n\trcu_read_lock();\n\tt = pid_task(pid, type);\n\tif (!t || !likely(lock_task_sighand(t, &flags)))\n\t\tgoto ret;\n\n\tret = 1; /* the signal is ignored */\n\tresult = TRACE_SIGNAL_IGNORED;\n\tif (!prepare_signal(sig, t, false))\n\t\tgoto out;\n\n\tret = 0;\n\tif (unlikely(!list_empty(&q->list))) {\n\t\t/*\n\t\t * If an SI_TIMER entry is already queue just increment\n\t\t * the overrun count.\n\t\t 
*/\n\t\tBUG_ON(q->info.si_code != SI_TIMER);\n\t\tq->info.si_overrun++;\n\t\tresult = TRACE_SIGNAL_ALREADY_PENDING;\n\t\tgoto out;\n\t}\n\tq->info.si_overrun = 0;\n\n\tsignalfd_notify(t, sig);\n\tpending = (type != PIDTYPE_PID) ? &t->signal->shared_pending : &t->pending;\n\tlist_add_tail(&q->list, &pending->list);\n\tsigaddset(&pending->signal, sig);\n\tcomplete_signal(sig, t, type);\n\tresult = TRACE_SIGNAL_DELIVERED;\nout:\n\ttrace_signal_generate(sig, &q->info, t, type != PIDTYPE_PID, result);\n\tunlock_task_sighand(t, &flags);\nret:\n\trcu_read_unlock();\n\treturn ret;\n}", "project": "linux", "hash": 76471198231412244391797981619751411503, "size": 47, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375209 }, { "func": "static int kvm_set_memslot(struct kvm *kvm,\n\t\t\t const struct kvm_userspace_memory_region *mem,\n\t\t\t struct kvm_memory_slot *old,\n\t\t\t struct kvm_memory_slot *new, int as_id,\n\t\t\t enum kvm_mr_change change)\n{\n\tstruct kvm_memory_slot *slot;\n\tstruct kvm_memslots *slots;\n\tint r;\n\n\tslots = kvm_dup_memslots(__kvm_memslots(kvm, as_id), change);\n\tif (!slots)\n\t\treturn -ENOMEM;\n\n\tif (change == KVM_MR_DELETE || change == KVM_MR_MOVE) {\n\t\t/*\n\t\t * Note, the INVALID flag needs to be in the appropriate entry\n\t\t * in the freshly allocated memslots, not in @old or @new.\n\t\t */\n\t\tslot = id_to_memslot(slots, old->id);\n\t\tslot->flags |= KVM_MEMSLOT_INVALID;\n\n\t\t/*\n\t\t * We can re-use the old memslots, the only difference from the\n\t\t * newly installed memslots is the invalid flag, which will get\n\t\t * dropped by update_memslots anyway. 
We'll also revert to the\n\t\t * old memslots if preparing the new memory region fails.\n\t\t */\n\t\tslots = install_new_memslots(kvm, as_id, slots);\n\n\t\t/* From this point no new shadow pages pointing to a deleted,\n\t\t * or moved, memslot will be created.\n\t\t *\n\t\t * validation of sp->gfn happens in:\n\t\t *\t- gfn_to_hva (kvm_read_guest, gfn_to_pfn)\n\t\t *\t- kvm_is_visible_gfn (mmu_check_root)\n\t\t */\n\t\tkvm_arch_flush_shadow_memslot(kvm, slot);\n\t}\n\n\tr = kvm_arch_prepare_memory_region(kvm, new, mem, change);\n\tif (r)\n\t\tgoto out_slots;\n\n\tupdate_memslots(slots, new, change);\n\tslots = install_new_memslots(kvm, as_id, slots);\n\n\tkvm_arch_commit_memory_region(kvm, mem, old, new, change);\n\n\tkvfree(slots);\n\treturn 0;\n\nout_slots:\n\tif (change == KVM_MR_DELETE || change == KVM_MR_MOVE)\n\t\tslots = install_new_memslots(kvm, as_id, slots);\n\tkvfree(slots);\n\treturn r;\n}", "project": "linux", "hash": 234034777287464892974215550539250911274, "size": 58, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354810 }, { "func": "static unsigned char ov7670_abs_to_sm(unsigned char v)\n{\n\tif (v > 127)\n\t\treturn v & 0x7f;\n\treturn (128 - v) | 0x80;\n}", "project": "linux", "hash": 253752588324482998588680869076174260061, "size": 6, "commit_id": 
"998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306317 }, { "func": "static inline void ep_pm_stay_awake(struct epitem *epi)\n{\n\tstruct wakeup_source *ws = ep_wakeup_source(epi);\n\n\tif (ws)\n\t\t__pm_stay_awake(ws);\n}", "project": "linux", "hash": 321913693836211737826920560390901345432, "size": 7, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336261 }, { "func": "static int kvm_stat_data_clear(void *data, u64 val)\n{\n\tint r = -EFAULT;\n\tstruct kvm_stat_data *stat_data = (struct kvm_stat_data *)data;\n\n\tif (val)\n\t\treturn -EINVAL;\n\n\tswitch (stat_data->dbgfs_item->kind) {\n\tcase KVM_STAT_VM:\n\t\tr = kvm_clear_stat_per_vm(stat_data->kvm,\n\t\t\t\t\t stat_data->dbgfs_item->offset);\n\t\tbreak;\n\tcase KVM_STAT_VCPU:\n\t\tr = kvm_clear_stat_per_vcpu(stat_data->kvm,\n\t\t\t\t\t stat_data->dbgfs_item->offset);\n\t\tbreak;\n\t}\n\n\treturn r;\n}", "project": "linux", "hash": 250423443293090754343823780285856512161, "size": 21, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a 
memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354614 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "VideoRendererBase::VideoRendererBase(const base::Closure& paint_cb,\n const SetOpaqueCB& set_opaque_cb,\n bool drop_frames)\n : frame_available_(&lock_),\n state_(kUninitialized),\n thread_(base::kNullThreadHandle),\n pending_read_(false),\n pending_paint_(false),\n pending_paint_with_last_available_(false),\n drop_frames_(drop_frames),\n playback_rate_(0),\n paint_cb_(paint_cb),\n set_opaque_cb_(set_opaque_cb) {\n DCHECK(!paint_cb_.is_null());\n}\n", "cwe": "", "big_vul_idx": 113364, "idx": 101653, "hash": 59027949822532744512999527691870937921 }, { "func": "\nstatic void bfq_reset_inject_limit(struct bfq_data *bfqd,\n\t\t\t\t struct bfq_queue *bfqq)\n{\n\t/* invalidate baseline total service time */\n\tbfqq->last_serv_time_ns = 0;\n\n\t/*\n\t * Reset pointer in case we are waiting for\n\t * some request completion.\n\t */\n\tbfqd->waited_rq = NULL;\n\n\t/*\n\t * If bfqq has a short think time, then start by setting the\n\t * inject limit to 0 prudentially, because the service time of\n\t * an injected I/O request may be higher than the think time\n\t * of bfqq, and therefore, if one request was injected when\n\t * bfqq remains empty, this injected request might delay the\n\t * service of the next I/O request for bfqq significantly. 
In\n\t * case bfqq can actually tolerate some injection, then the\n\t * adaptive update will however raise the limit soon. This\n\t * lucky circumstance holds exactly because bfqq has a short\n\t * think time, and thus, after remaining empty, is likely to\n\t * get new I/O enqueued---and then completed---before being\n\t * expired. This is the very pattern that gives the\n\t * limit-update algorithm the chance to measure the effect of\n\t * injection on request service times, and then to update the\n\t * limit accordingly.\n\t *\n\t * However, in the following special case, the inject limit is\n\t * left to 1 even if the think time is short: bfqq's I/O is\n\t * synchronized with that of some other queue, i.e., bfqq may\n\t * receive new I/O only after the I/O of the other queue is\n\t * completed. Keeping the inject limit to 1 allows the\n\t * blocking I/O to be served while bfqq is in service. And\n\t * this is very convenient both for bfqq and for overall\n\t * throughput, as explained in detail in the comments in\n\t * bfq_update_has_short_ttime().\n\t *\n\t * On the opposite end, if bfqq has a long think time, then\n\t * start directly by 1, because:\n\t * a) on the bright side, keeping at most one request in\n\t * service in the drive is unlikely to cause any harm to the\n\t * latency of bfqq's requests, as the service time of a single\n\t * request is likely to be lower than the think time of bfqq;\n\t * b) on the downside, after becoming empty, bfqq is likely to\n\t * expire before getting its next request. With this request\n\t * arrival pattern, it is very hard to sample total service\n\t * times and update the inject limit accordingly (see comments\n\t * on bfq_update_inject_limit()). So the limit is likely to be\n\t * never, or at least seldom, updated. As a consequence, by\n\t * setting the limit to 1, we avoid that no injection ever\n\t * occurs with bfqq. 
On the downside, this proactive step\n\t * further reduces chances to actually compute the baseline\n\t * total service time. Thus it reduces chances to execute the\n\t * limit-update algorithm and possibly raise the limit to more\n\t * than 1.\n\t */\n\tif (bfq_bfqq_has_short_ttime(bfqq))\n\t\tbfqq->inject_limit = 0;\n\telse\n\t\tbfqq->inject_limit = 1;\n\n\tbfqq->decrease_time_jif = jiffies;", "project": "linux", "hash": 119510864597458451619590858510815986719, "size": 65, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453393 }, { "func": "static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *xp)\n{\n\tstruct sk_buff *skb;\n\tstruct sadb_msg *hdr;\n\tstruct sadb_address *addr;\n\tstruct sadb_x_policy *pol;\n\tint sockaddr_size;\n\tint size;\n\tstruct sadb_x_sec_ctx *sec_ctx;\n\tstruct xfrm_sec_ctx *xfrm_ctx;\n\tint ctx_size = 0;\n\n\tsockaddr_size = pfkey_sockaddr_size(x->props.family);\n\tif (!sockaddr_size)\n\t\treturn -EINVAL;\n\n\tsize = sizeof(struct sadb_msg) +\n\t\t(sizeof(struct sadb_address) * 2) +\n\t\t(sockaddr_size * 2) +\n\t\tsizeof(struct sadb_x_policy);\n\n\tif (x->id.proto == IPPROTO_AH)\n\t\tsize += count_ah_combs(t);\n\telse if (x->id.proto == IPPROTO_ESP)\n\t\tsize += count_esp_combs(t);\n\n\tif ((xfrm_ctx = x->security)) {\n\t\tctx_size = PFKEY_ALIGN8(xfrm_ctx->ctx_len);\n\t\tsize += sizeof(struct sadb_x_sec_ctx) + 
ctx_size;\n\t}\n\n\tskb = alloc_skb(size + 16, GFP_ATOMIC);\n\tif (skb == NULL)\n\t\treturn -ENOMEM;\n\n\thdr = skb_put(skb, sizeof(struct sadb_msg));\n\thdr->sadb_msg_version = PF_KEY_V2;\n\thdr->sadb_msg_type = SADB_ACQUIRE;\n\thdr->sadb_msg_satype = pfkey_proto2satype(x->id.proto);\n\thdr->sadb_msg_len = size / sizeof(uint64_t);\n\thdr->sadb_msg_errno = 0;\n\thdr->sadb_msg_reserved = 0;\n\thdr->sadb_msg_seq = x->km.seq = get_acqseq();\n\thdr->sadb_msg_pid = 0;\n\n\t/* src address */\n\taddr = skb_put(skb, sizeof(struct sadb_address) + sockaddr_size);\n\taddr->sadb_address_len =\n\t\t(sizeof(struct sadb_address)+sockaddr_size)/\n\t\t\tsizeof(uint64_t);\n\taddr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;\n\taddr->sadb_address_proto = 0;\n\taddr->sadb_address_reserved = 0;\n\taddr->sadb_address_prefixlen =\n\t\tpfkey_sockaddr_fill(&x->props.saddr, 0,\n\t\t\t\t (struct sockaddr *) (addr + 1),\n\t\t\t\t x->props.family);\n\tif (!addr->sadb_address_prefixlen)\n\t\tBUG();\n\n\t/* dst address */\n\taddr = skb_put(skb, sizeof(struct sadb_address) + sockaddr_size);\n\taddr->sadb_address_len =\n\t\t(sizeof(struct sadb_address)+sockaddr_size)/\n\t\t\tsizeof(uint64_t);\n\taddr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;\n\taddr->sadb_address_proto = 0;\n\taddr->sadb_address_reserved = 0;\n\taddr->sadb_address_prefixlen =\n\t\tpfkey_sockaddr_fill(&x->id.daddr, 0,\n\t\t\t\t (struct sockaddr *) (addr + 1),\n\t\t\t\t x->props.family);\n\tif (!addr->sadb_address_prefixlen)\n\t\tBUG();\n\n\tpol = skb_put(skb, sizeof(struct sadb_x_policy));\n\tpol->sadb_x_policy_len = sizeof(struct sadb_x_policy)/sizeof(uint64_t);\n\tpol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;\n\tpol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;\n\tpol->sadb_x_policy_dir = XFRM_POLICY_OUT + 1;\n\tpol->sadb_x_policy_reserved = 0;\n\tpol->sadb_x_policy_id = xp->index;\n\tpol->sadb_x_policy_priority = xp->priority;\n\n\t/* Set sadb_comb's. 
*/\n\tif (x->id.proto == IPPROTO_AH)\n\t\tdump_ah_combs(skb, t);\n\telse if (x->id.proto == IPPROTO_ESP)\n\t\tdump_esp_combs(skb, t);\n\n\t/* security context */\n\tif (xfrm_ctx) {\n\t\tsec_ctx = skb_put(skb,\n\t\t\t\t sizeof(struct sadb_x_sec_ctx) + ctx_size);\n\t\tsec_ctx->sadb_x_sec_len =\n\t\t (sizeof(struct sadb_x_sec_ctx) + ctx_size) / sizeof(uint64_t);\n\t\tsec_ctx->sadb_x_sec_exttype = SADB_X_EXT_SEC_CTX;\n\t\tsec_ctx->sadb_x_ctx_doi = xfrm_ctx->ctx_doi;\n\t\tsec_ctx->sadb_x_ctx_alg = xfrm_ctx->ctx_alg;\n\t\tsec_ctx->sadb_x_ctx_len = xfrm_ctx->ctx_len;\n\t\tmemcpy(sec_ctx + 1, xfrm_ctx->ctx_str,\n\t\t xfrm_ctx->ctx_len);\n\t}\n\n\treturn pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,\n\t\t\t xs_net(x));\n}", "project": "linux", "hash": 336367271229670270878453821952736777926, "size": 107, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268058 }, { "func": "static int php_openssl_parse_config(struct php_x509_request * req, zval * optional_args) /* {{{ */\n{\n\tchar * str;\n\tzval * item;\n\n\tSET_OPTIONAL_STRING_ARG(\"config\", req->config_filename, default_ssl_conf_filename);\n\tSET_OPTIONAL_STRING_ARG(\"config_section_name\", req->section_name, \"req\");\n\treq->global_config = CONF_load(NULL, default_ssl_conf_filename, NULL);\n\tif (req->global_config == NULL) {\n\t\tphp_openssl_store_errors();\n\t}\n\treq->req_config = CONF_load(NULL, req->config_filename, NULL);\n\tif (req->req_config == NULL) {\n\t\tphp_openssl_store_errors();\n\t\treturn FAILURE;\n\t}\n\n\t/* read in the oids */\n\tstr = CONF_get_string(req->req_config, NULL, \"oid_file\");\n\tif (str == NULL) {\n\t\tphp_openssl_store_errors();\n\t} else if (!php_openssl_open_base_dir_chk(str)) {\n\t\tBIO *oid_bio = BIO_new_file(str, PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));\n\t\tif (oid_bio) {\n\t\t\tOBJ_create_objects(oid_bio);\n\t\t\tBIO_free(oid_bio);\n\t\t\tphp_openssl_store_errors();\n\t\t}\n\t}\n\tif (php_openssl_add_oid_section(req) == FAILURE) {\n\t\treturn FAILURE;\n\t}\n\tSET_OPTIONAL_STRING_ARG(\"digest_alg\", req->digest_name,\n\t\tCONF_get_string(req->req_config, req->section_name, \"default_md\"));\n\tSET_OPTIONAL_STRING_ARG(\"x509_extensions\", req->extensions_section,\n\t\tCONF_get_string(req->req_config, req->section_name, \"x509_extensions\"));\n\tSET_OPTIONAL_STRING_ARG(\"req_extensions\", req->request_extensions_section,\n\t\tCONF_get_string(req->req_config, req->section_name, \"req_extensions\"));\n\tSET_OPTIONAL_LONG_ARG(\"private_key_bits\", req->priv_key_bits,\n\t\tCONF_get_number(req->req_config, req->section_name, 
\"default_bits\"));\n\n\tSET_OPTIONAL_LONG_ARG(\"private_key_type\", req->priv_key_type, OPENSSL_KEYTYPE_DEFAULT);\n\n\tif (optional_args && (item = zend_hash_str_find(Z_ARRVAL_P(optional_args), \"encrypt_key\", sizeof(\"encrypt_key\")-1)) != NULL) {\n\t\treq->priv_key_encrypt = Z_TYPE_P(item) == IS_TRUE ? 1 : 0;\n\t} else {\n\t\tstr = CONF_get_string(req->req_config, req->section_name, \"encrypt_rsa_key\");\n\t\tif (str == NULL) {\n\t\t\tstr = CONF_get_string(req->req_config, req->section_name, \"encrypt_key\");\n\t\t\t/* it is sure that there are some errrors as str was NULL for encrypt_rsa_key */\n\t\t\tphp_openssl_store_errors();\n\t\t}\n\t\tif (str != NULL && strcmp(str, \"no\") == 0) {\n\t\t\treq->priv_key_encrypt = 0;\n\t\t} else {\n\t\t\treq->priv_key_encrypt = 1;\n\t\t}\n\t}\n\n\tif (req->priv_key_encrypt &&\n\t\toptional_args &&\n\t\t(item = zend_hash_str_find(Z_ARRVAL_P(optional_args), \"encrypt_key_cipher\", sizeof(\"encrypt_key_cipher\")-1)) != NULL &&\n\t\tZ_TYPE_P(item) == IS_LONG\n\t) {\n\t\tzend_long cipher_algo = Z_LVAL_P(item);\n\t\tconst EVP_CIPHER* cipher = php_openssl_get_evp_cipher_from_algo(cipher_algo);\n\t\tif (cipher == NULL) {\n\t\t\tphp_error_docref(NULL, E_WARNING, \"Unknown cipher algorithm for private key.\");\n\t\t\treturn FAILURE;\n\t\t} else {\n\t\t\treq->priv_key_encrypt_cipher = cipher;\n\t\t}\n\t} else {\n\t\treq->priv_key_encrypt_cipher = NULL;\n\t}\n\n\t/* digest alg */\n\tif (req->digest_name == NULL) {\n\t\treq->digest_name = CONF_get_string(req->req_config, req->section_name, \"default_md\");\n\t}\n\tif (req->digest_name != NULL) {\n\t\treq->digest = req->md_alg = EVP_get_digestbyname(req->digest_name);\n\t} else {\n\t\tphp_openssl_store_errors();\n\t}\n\tif (req->md_alg == NULL) {\n\t\treq->md_alg = req->digest = EVP_sha1();\n\t\tphp_openssl_store_errors();\n\t}\n\n\tPHP_SSL_CONFIG_SYNTAX_CHECK(extensions_section);\n#ifdef HAVE_EVP_PKEY_EC\n\t/* set the ec group curve name */\n\treq->curve_name = NID_undef;\n\tif 
(optional_args && (item = zend_hash_str_find(Z_ARRVAL_P(optional_args), \"curve_name\", sizeof(\"curve_name\")-1)) != NULL\n\t\t&& Z_TYPE_P(item) == IS_STRING) {\n\t\treq->curve_name = OBJ_sn2nid(Z_STRVAL_P(item));\n\t\tif (req->curve_name == NID_undef) {\n\t\t\tphp_error_docref(NULL, E_WARNING, \"Unknown elliptic curve (short) name %s\", Z_STRVAL_P(item));\n\t\t\treturn FAILURE;\n\t\t}\n\t}\n#endif\n\n\t/* set the string mask */\n\tstr = CONF_get_string(req->req_config, req->section_name, \"string_mask\");\n\tif (str == NULL) {\n\t\tphp_openssl_store_errors();\n\t} else if (!ASN1_STRING_set_default_mask_asc(str)) {\n\t\tphp_error_docref(NULL, E_WARNING, \"Invalid global string mask setting %s\", str);\n\t\treturn FAILURE;\n\t}\n\n\tPHP_SSL_CONFIG_SYNTAX_CHECK(request_extensions_section);\n\n\treturn SUCCESS;\n}", "project": "php-src", "hash": 327457292021406050992263846018265855991, "size": 117, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291460 }, { "func": "create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right,\n\t re_token_type_t type)\n{\n re_token_t t;\n t.type = type;\n return create_token_tree (dfa, left, right, &t);\n}", "project": "gnulib", "hash": 294276744154875085719339973889409418672, "size": 7, "commit_id": "5513b40999149090987a0341c018d05d3eea1272", "message": "Diagnose ERE '()|\\1'\n\nProblem reported by Hanno Böck in: http://bugs.gnu.org/21513\n* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep\ntrack of the set of previously-completed subexpressions available\nbefore the first alternative, and restore this set just before\nparsing each subsequent alternative. 
This lets us diagnose the\ninvalid back-reference in the ERE '()|\\1'.", "target": 0, "dataset": "other", "idx": 285529 }, { "func": " */\nstatic bool bfq_better_to_idle(struct bfq_queue *bfqq)\n{\n\tstruct bfq_data *bfqd = bfqq->bfqd;\n\tbool idling_boosts_thr_with_no_issue, idling_needed_for_service_guar;\n\n\t/* No point in idling for bfqq if it won't get requests any longer */\n\tif (unlikely(!bfqq_process_refs(bfqq)))\n\t\treturn false;\n\n\tif (unlikely(bfqd->strict_guarantees))\n\t\treturn true;\n\n\t/*\n\t * Idling is performed only if slice_idle > 0. In addition, we\n\t * do not idle if\n\t * (a) bfqq is async\n\t * (b) bfqq is in the idle io prio class: in this case we do\n\t * not idle because we want to minimize the bandwidth that\n\t * queues in this class can steal to higher-priority queues\n\t */\n\tif (bfqd->bfq_slice_idle == 0 || !bfq_bfqq_sync(bfqq) ||\n\t bfq_class_idle(bfqq))\n\t\treturn false;\n\n\tidling_boosts_thr_with_no_issue =\n\t\tidling_boosts_thr_without_issues(bfqd, bfqq);\n\n\tidling_needed_for_service_guar =\n\t\tidling_needed_for_service_guarantees(bfqd, bfqq);\n\n\t/*\n\t * We have now the two components we need to compute the\n\t * return value of the function, which is true only if idling\n\t * either boosts the throughput (without issues), or is\n\t * necessary to preserve service guarantees.\n\t */\n\treturn idling_boosts_thr_with_no_issue ||\n\t\tidling_needed_for_service_guar;", "project": "linux", "hash": 48373277922037566788990063554095698720, "size": 39, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. 
So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] 
bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 
mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453373 }, { "func": "static bool sctp_writeable(struct sock *sk)\n{\n\treturn sk->sk_sndbuf > sk->sk_wmem_queued;\n}", "project": "linux", "hash": 9707974687925791856626427872108713617, "size": 4, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper 
locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398178 }, { "func": "static void hash_rlp_field(const uint8_t *buf, size_t size) {\n hash_rlp_length(size, buf[0]);\n hash_data(buf, size);\n}", "project": "keepkey-firmware", "hash": 248102671482566685532339028855093440563, "size": 4, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220892 }, { "func": "R_API void r_str_ncpy(char *dst, const char *src, size_t n) {\n\tint i;\n\n\t// do not do anything if n is 0\n\tif (n == 0) {\n\t\treturn;\n\t}\n\n\tn--;\n\tfor (i = 0; src[i] && n > 0; i++, n--) {\n\t\tdst[i] = src[i];\n\t}\n\tdst[i] = 0;\n}", "project": "radare2", "hash": 221503279956436238959291759103249833060, "size": 14, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269039 }, { "func": "static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,\n\t\t\t\t char __user *optval, int __user *optlen)\n{\n\tstruct sctp_association *asoc;\n\tint cnt = 0;\n\tstruct sctp_getaddrs getaddrs;\n\tstruct sctp_transport *from;\n\tvoid __user *to;\n\tunion sctp_addr temp;\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tint addrlen;\n\tsize_t space_left;\n\tint bytes_copied;\n\n\tif (len < sizeof(struct sctp_getaddrs))\n\t\treturn -EINVAL;\n\n\tif (copy_from_user(&getaddrs, optval, sizeof(struct sctp_getaddrs)))\n\t\treturn -EFAULT;\n\n\t/* For UDP-style sockets, id specifies the association to query. 
*/\n\tasoc = sctp_id2assoc(sk, getaddrs.assoc_id);\n\tif (!asoc)\n\t\treturn -EINVAL;\n\n\tto = optval + offsetof(struct sctp_getaddrs, addrs);\n\tspace_left = len - offsetof(struct sctp_getaddrs, addrs);\n\n\tlist_for_each_entry(from, &asoc->peer.transport_addr_list,\n\t\t\t\ttransports) {\n\t\tmemcpy(&temp, &from->ipaddr, sizeof(temp));\n\t\taddrlen = sctp_get_pf_specific(sk->sk_family)\n\t\t\t ->addr_to_user(sp, &temp);\n\t\tif (space_left < addrlen)\n\t\t\treturn -ENOMEM;\n\t\tif (copy_to_user(to, &temp, addrlen))\n\t\t\treturn -EFAULT;\n\t\tto += addrlen;\n\t\tcnt++;\n\t\tspace_left -= addrlen;\n\t}\n\n\tif (put_user(cnt, &((struct sctp_getaddrs __user *)optval)->addr_num))\n\t\treturn -EFAULT;\n\tbytes_copied = ((char __user *)to) - optval;\n\tif (put_user(bytes_copied, optlen))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 286153234572494955023026948389716536038, "size": 50, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398174 }, { "func": "static void encode_secinfo(struct xdr_stream *xdr, const struct qstr *name, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_SECINFO, decode_secinfo_maxsz, hdr);\n\tencode_string(xdr, name->len, name->name);\n}", "project": "linux", "hash": 324500992499564461888272312578238021408, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431521 }, { "func": "authz_status oidc_authz_checker_claim(request_rec *r, const char *require_args,\n\t\tconst void *parsed_require_args) {\n\treturn oidc_authz_checker(r, require_args, parsed_require_args,\n\t\t\toidc_authz_match_claim);\n}", "project": "mod_auth_openidc", "hash": 259400259575057387662303018578795586947, "size": 5, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381950 }, { "func": "void ip_flush_pending_frames(struct sock *sk)\n{\n\t__ip_flush_pending_frames(sk, &sk->sk_write_queue, &inet_sk(sk)->cork.base);\n}", "project": "net", "hash": 77764407360499456553498857884711566203, "size": 4, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. 
Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468980 }, { "func": "static long ca8210_test_int_ioctl(\n\tstruct file *filp,\n\tunsigned int ioctl_num,\n\tunsigned long ioctl_param\n)\n{\n\tstruct ca8210_priv *priv = filp->private_data;\n\n\tswitch (ioctl_num) {\n\tcase CA8210_IOCTL_HARD_RESET:\n\t\tca8210_reset_send(priv->spi, ioctl_param);\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 77285871272873937586357682055983716012, "size": 17, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408782 }, { "func": "void mpol_rebind_task(struct task_struct *tsk, const nodemask_t *new)\n{\n\tmpol_rebind_policy(tsk->mempolicy, new);\n}", "project": "linux", "hash": 228566525221679737360285786275383728799, "size": 4, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: 
\"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366729 }, { "func": "static int session_fixups(request_rec * r)\n{\n session_dir_conf *conf = ap_get_module_config(r->per_dir_config,\n &session_module);\n\n session_rec *z = NULL;\n\n /* if an error occurs or no session has been configured, we ignore\n * the broken session and allow it to be recreated from scratch on save\n * if necessary.\n */\n ap_session_load(r, &z);\n\n if (conf->env) {\n if (z) {\n session_identity_encode(r, z);\n if (z->encoded) {\n apr_table_set(r->subprocess_env, HTTP_SESSION, z->encoded);\n z->encoded = NULL;\n }\n }\n apr_table_unset(r->headers_in, \"Session\");\n }\n\n return OK;\n\n}", "project": "httpd", "hash": 154870701715334092979372112757642180459, "size": 27, "commit_id": "7e09dd714fc62c08c5b0319ed7b9702594faf49b", "message": "mod_session: account for the '&' in identity_concat().\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 389216 }, { "func": "static int process_head_service(struct archive_read* a, struct rar5* rar,\n struct archive_entry* entry, size_t block_flags)\n{\n\t/* Process this SERVICE block the same way as FILE blocks. 
*/\n\tint ret = process_head_file(a, rar, entry, block_flags);\n\tif(ret != ARCHIVE_OK)\n\t\treturn ret;\n\n\trar->file.service = 1;\n\n\t/* But skip the data part automatically. It's no use for the user\n\t * anyway. It contains only service data, not even needed to\n\t * properly unpack the file. */\n\tret = rar5_read_data_skip(a);\n\tif(ret != ARCHIVE_OK)\n\t\treturn ret;\n\n\t/* After skipping, try parsing another block automatically. */\n\treturn ARCHIVE_RETRY;\n}", "project": "libarchive", "hash": 332297479518962615974518067950662074718, "size": 20, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244739 }, { "func": "bool test_r_str_newf(void) {\n\tchar *a = r_str_newf (\"hello\");\n\tmu_assert_streq (a, \"hello\", \"oops\");\n\tfree (a);\n\n\ta = r_str_newf (\"%s/%s\", \"hello\", \"world\");\n\tmu_assert_streq (a, \"hello/world\", \"oops\");\n\tfree (a);\n\n\ta = r_str_newf (\"%s/%s\", \"hello\", \"world\");\n\ta = r_str_appendf (a, \"..%s/%s\", \"cow\", \"low\");\n\ta = r_str_appendf (a, \"PWN\");\n\tmu_assert_streq (a, \"hello/world..cow/lowPWN\", \"oops\");\n\tfree (a);\n\tmu_end;\n}", "project": "radare2", "hash": 107173779058833681571790595142546552023, "size": 16, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection 
on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268811 }, { "func": "static void fuse_add_dirent_to_cache(struct file *file,\n\t\t\t\t struct fuse_dirent *dirent, loff_t pos)\n{\n\tstruct fuse_inode *fi = get_fuse_inode(file_inode(file));\n\tsize_t reclen = FUSE_DIRENT_SIZE(dirent);\n\tpgoff_t index;\n\tstruct page *page;\n\tloff_t size;\n\tu64 version;\n\tunsigned int offset;\n\tvoid *addr;\n\n\tspin_lock(&fi->rdc.lock);\n\t/*\n\t * Is cache already completed? Or this entry does not go at the end of\n\t * cache?\n\t */\n\tif (fi->rdc.cached || pos != fi->rdc.pos) {\n\t\tspin_unlock(&fi->rdc.lock);\n\t\treturn;\n\t}\n\tversion = fi->rdc.version;\n\tsize = fi->rdc.size;\n\toffset = size & ~PAGE_MASK;\n\tindex = size >> PAGE_SHIFT;\n\t/* Dirent doesn't fit in current page? Jump to next page. 
*/\n\tif (offset + reclen > PAGE_SIZE) {\n\t\tindex++;\n\t\toffset = 0;\n\t}\n\tspin_unlock(&fi->rdc.lock);\n\n\tif (offset) {\n\t\tpage = find_lock_page(file->f_mapping, index);\n\t} else {\n\t\tpage = find_or_create_page(file->f_mapping, index,\n\t\t\t\t\t mapping_gfp_mask(file->f_mapping));\n\t}\n\tif (!page)\n\t\treturn;\n\n\tspin_lock(&fi->rdc.lock);\n\t/* Raced with another readdir */\n\tif (fi->rdc.version != version || fi->rdc.size != size ||\n\t WARN_ON(fi->rdc.pos != pos))\n\t\tgoto unlock;\n\n\taddr = kmap_atomic(page);\n\tif (!offset)\n\t\tclear_page(addr);\n\tmemcpy(addr + offset, dirent, reclen);\n\tkunmap_atomic(addr);\n\tfi->rdc.size = (index << PAGE_SHIFT) + offset + reclen;\n\tfi->rdc.pos = dirent->off;\nunlock:\n\tspin_unlock(&fi->rdc.lock);\n\tunlock_page(page);\n\tput_page(page);\n}", "project": "linux", "hash": 313745133373667905359662390862006468029, "size": 59, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341898 }, { "func": "static int core_create_req(request_rec *r)\n{\n /* Alloc the config struct and the array of request notes in\n * a single block for efficiency\n */\n core_request_config *req_cfg;\n\n req_cfg = apr_pcalloc(r->pool, sizeof(core_request_config) +\n sizeof(void *) * num_request_notes);\n req_cfg->notes = (void **)((char *)req_cfg + sizeof(core_request_config));\n\n /* ### temporarily enable script delivery as the default */\n req_cfg->deliver_script = 1;\n\n if (r->main) {\n core_request_config *main_req_cfg = (core_request_config *)\n ap_get_core_module_config(r->main->request_config);\n req_cfg->bb = main_req_cfg->bb;\n }\n else {\n req_cfg->bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);\n }\n\n ap_set_core_module_config(r->request_config, req_cfg);\n\n return OK;\n}", "project": "httpd", "hash": 41918127210313842555276670459469745843, "size": 27, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246334 }, { "func": "static OPJ_BOOL opj_tcd_t2_decode(opj_tcd_t *p_tcd,\n OPJ_BYTE * p_src_data,\n OPJ_UINT32 * p_data_read,\n OPJ_UINT32 p_max_src_size,\n opj_codestream_index_t *p_cstr_index,\n opj_event_mgr_t *p_manager\n )\n{\n opj_t2_t * l_t2;\n\n l_t2 = opj_t2_create(p_tcd->image, p_tcd->cp);\n if (l_t2 == 00) {\n 
return OPJ_FALSE;\n }\n\n if (! opj_t2_decode_packets(\n p_tcd,\n l_t2,\n p_tcd->tcd_tileno,\n p_tcd->tcd_image->tiles,\n p_src_data,\n p_data_read,\n p_max_src_size,\n p_cstr_index,\n p_manager)) {\n opj_t2_destroy(l_t2);\n return OPJ_FALSE;\n }\n\n opj_t2_destroy(l_t2);\n\n /*---------------CLEAN-------------------*/\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 189505213031551151049311564877255323333, "size": 34, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359177 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "bool SoftwareFrameManager::HasCurrentFrame() const {\n return current_frame_.get() ? true : false;\n}\n", "cwe": "", "big_vul_idx": 129971, "idx": 116283, "hash": 301791221099811178949901386040337354175 }, { "func": "static void free_filters(struct rar5* rar) {\n\tstruct cdeque* d = &rar->cstate.filters;\n\n\t/* Free any remaining filters. All filters should be naturally\n\t * consumed by the unpacking function, so remaining filters after\n\t * unpacking normally mean that unpacking wasn't successful.\n\t * But still of course we shouldn't leak memory in such case. */\n\n\t/* cdeque_size() is a fast operation, so we can use it as a loop\n\t * expression. */\n\twhile(cdeque_size(d) > 0) {\n\t\tstruct filter_info* f = NULL;\n\n\t\t/* Pop_front will also decrease the collection's size. */\n\t\tif (CDE_OK == cdeque_pop_front(d, cdeque_filter_p(&f)))\n\t\t\tfree(f);\n\t}\n\n\tcdeque_clear(d);\n\n\t/* Also clear out the variables needed for sanity checking. 
*/\n\trar->cstate.last_block_start = 0;\n\trar->cstate.last_block_length = 0;\n}", "project": "libarchive", "hash": 187394408543833351154295954867891611155, "size": 24, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244755 }, { "func": "void CWebSession::FillMessageLoops(CTemplate& Tmpl) {\n for (const CString& sMessage : m_vsErrorMsgs) {\n CTemplate& Row = Tmpl.AddRow(\"ErrorLoop\");\n Row[\"Message\"] = sMessage;\n }\n\n for (const CString& sMessage : m_vsSuccessMsgs) {\n CTemplate& Row = Tmpl.AddRow(\"SuccessLoop\");\n Row[\"Message\"] = sMessage;\n }\n}", "project": "znc", "hash": 307927834937208473767507298733482040927, "size": 11, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265804 }, { "func": "\treturn dev->release == iscsi_conn_release;\n}\n\nstatic int iscsi_iter_destroy_conn_fn(struct device *dev, void *data)\n{\n\tif (!iscsi_is_conn_dev(dev))", "project": "linux", "hash": 246421402826205888638550956690545867626, "size": 6, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough 
PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379912 }, { "func": "void __split_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,\n\t\tunsigned long address, bool freeze, struct page *page)\n{\n\tspinlock_t *ptl;\n\tstruct mmu_notifier_range range;\n\n\tmmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, vma->vm_mm,\n\t\t\t\taddress & HPAGE_PMD_MASK,\n\t\t\t\t(address & HPAGE_PMD_MASK) + HPAGE_PMD_SIZE);\n\tmmu_notifier_invalidate_range_start(&range);\n\tptl = pmd_lock(vma->vm_mm, pmd);\n\n\t/*\n\t * If caller asks to setup a migration entries, we need a page to check\n\t * pmd against. Otherwise we can end up replacing wrong page.\n\t */\n\tVM_BUG_ON(freeze && !page);\n\tif (page && page != pmd_page(*pmd))\n\t goto out;\n\n\tif (pmd_trans_huge(*pmd)) {\n\t\tpage = pmd_page(*pmd);\n\t\tif (PageMlocked(page))\n\t\t\tclear_page_mlock(page);\n\t} else if (!(pmd_devmap(*pmd) || is_pmd_migration_entry(*pmd)))\n\t\tgoto out;\n\t__split_huge_pmd_locked(vma, pmd, range.start, freeze);\nout:\n\tspin_unlock(ptl);\n\t/*\n\t * No need to double call mmu_notifier->invalidate_range() callback.\n\t * They are 3 cases to consider inside __split_huge_pmd_locked():\n\t * 1) pmdp_huge_clear_flush_notify() call invalidate_range() obvious\n\t * 2) __split_huge_zero_page_pmd() read only zero page and any write\n\t * fault will trigger a flush_notify before pointing to a new page\n\t * (it is fine if the secondary mmu keeps pointing to the old zero\n\t * page in the meantime)\n\t * 3) Split a huge pmd into pte pointing to the same page. 
No need\n\t * to invalidate secondary tlb entry they are all still valid.\n\t * any further changes to individual pte will notify. So no need\n\t * to call mmu_notifier->invalidate_range()\n\t */\n\tmmu_notifier_invalidate_range_only_end(&range);\n}", "project": "linux", "hash": 232560186172248161602253290668425073906, "size": 44, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. 
Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 1, "dataset": "other", "idx": 204725 }, { "func": "void __split_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,\n\t\tunsigned long address, bool freeze, struct page *page)\n{\n\tspinlock_t *ptl;\n\tstruct mmu_notifier_range range;\n\tbool was_locked = false;\n\tpmd_t _pmd;\n\n\tmmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, vma->vm_mm,\n\t\t\t\taddress & HPAGE_PMD_MASK,\n\t\t\t\t(address & HPAGE_PMD_MASK) + HPAGE_PMD_SIZE);\n\tmmu_notifier_invalidate_range_start(&range);\n\tptl = pmd_lock(vma->vm_mm, pmd);\n\n\t/*\n\t * If caller asks to setup a migration entries, we need a page to check\n\t * pmd against. Otherwise we can end up replacing wrong page.\n\t */\n\tVM_BUG_ON(freeze && !page);\n\tif (page) {\n\t\tVM_WARN_ON_ONCE(!PageLocked(page));\n\t\twas_locked = true;\n\t\tif (page != pmd_page(*pmd))\n\t\t\tgoto out;\n\t}\n\nrepeat:\n\tif (pmd_trans_huge(*pmd)) {\n\t\tif (!page) {\n\t\t\tpage = pmd_page(*pmd);\n\t\t\tif (unlikely(!trylock_page(page))) {\n\t\t\t\tget_page(page);\n\t\t\t\t_pmd = *pmd;\n\t\t\t\tspin_unlock(ptl);\n\t\t\t\tlock_page(page);\n\t\t\t\tspin_lock(ptl);\n\t\t\t\tif (unlikely(!pmd_same(*pmd, _pmd))) {\n\t\t\t\t\tunlock_page(page);\n\t\t\t\t\tput_page(page);\n\t\t\t\t\tpage = NULL;\n\t\t\t\t\tgoto repeat;\n\t\t\t\t}\n\t\t\t\tput_page(page);\n\t\t\t}\n\t\t}\n\t\tif (PageMlocked(page))\n\t\t\tclear_page_mlock(page);\n\t} else if (!(pmd_devmap(*pmd) || is_pmd_migration_entry(*pmd)))\n\t\tgoto out;\n\t__split_huge_pmd_locked(vma, pmd, range.start, freeze);\nout:\n\tspin_unlock(ptl);\n\tif (!was_locked && page)\n\t\tunlock_page(page);\n\t/*\n\t * No need to double call mmu_notifier->invalidate_range() callback.\n\t * They are 3 cases to consider inside __split_huge_pmd_locked():\n\t * 1) pmdp_huge_clear_flush_notify() call invalidate_range() obvious\n\t * 2) 
__split_huge_zero_page_pmd() read only zero page and any write\n\t * fault will trigger a flush_notify before pointing to a new page\n\t * (it is fine if the secondary mmu keeps pointing to the old zero\n\t * page in the meantime)\n\t * 3) Split a huge pmd into pte pointing to the same page. No need\n\t * to invalidate secondary tlb entry they are all still valid.\n\t * any further changes to individual pte will notify. So no need\n\t * to call mmu_notifier->invalidate_range()\n\t */\n\tmmu_notifier_invalidate_range_only_end(&range);\n}", "project": "linux", "hash": 305184181549084038258030671746596105420, "size": 69, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). 
Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364123 }, { "func": "\tvoid RenderChannel(CHANNELINDEX channel, uint32 tickDuration, uint32 portaStart = uint32_max)\n\t{\n\t\tModChannel &chn = state->Chn[channel];\n\t\tuint32 numTicks = chnSettings[channel].ticksToRender;\n\t\tif(numTicks == IGNORE_CHANNEL || numTicks == 0 || (!chn.IsSamplePlaying() && !chnSettings[channel].incChanged) || chn.pModSample == nullptr)\n\t\t{\n\t\t\treturn;\n\t\t}\n\n\t\tconst SmpLength sampleEnd = chn.dwFlags[CHN_LOOP] ? chn.nLoopEnd : chn.nLength;\n\t\tconst SmpLength loopLength = chn.nLoopEnd - chn.nLoopStart;\n\t\tconst bool itEnvMode = sndFile.m_playBehaviour[kITEnvelopePositionHandling];\n\t\tconst bool updatePitchEnv = (chn.PitchEnv.flags & (ENV_ENABLED | ENV_FILTER)) == ENV_ENABLED;\n\t\tbool stopNote = false;\n\n\t\tSamplePosition inc = chn.increment * tickDuration;\n\t\tif(chn.dwFlags[CHN_PINGPONGFLAG]) inc.Negate();\n\n\t\tfor(uint32 i = 0; i < numTicks; i++)\n\t\t{\n\t\t\tbool updateInc = (chn.PitchEnv.flags & (ENV_ENABLED | ENV_FILTER)) == ENV_ENABLED;\n\t\t\tif(i >= portaStart)\n\t\t\t{\n\t\t\t\tchn.isFirstTick = false;\n\t\t\t\tconst ModCommand &p = *sndFile.Patterns[state->m_nPattern].GetpModCommand(state->m_nRow, channel);\n\t\t\t\tif(p.command == CMD_TONEPORTAMENTO) sndFile.TonePortamento(&chn, p.param);\n\t\t\t\telse if(p.command == CMD_TONEPORTAVOL) sndFile.TonePortamento(&chn, 0);\n\t\t\t\tif(p.volcmd == VOLCMD_TONEPORTAMENTO)\n\t\t\t\t{\n\t\t\t\t\tuint32 param = 
p.vol;\n\t\t\t\t\tif(sndFile.GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT | MOD_TYPE_AMS | MOD_TYPE_AMS2 | MOD_TYPE_DMF | MOD_TYPE_DBM | MOD_TYPE_IMF | MOD_TYPE_PSM | MOD_TYPE_J2B | MOD_TYPE_ULT | MOD_TYPE_OKT | MOD_TYPE_MT2 | MOD_TYPE_MDL))\n\t\t\t\t\t{\n\t\t\t\t\t\tparam = ImpulseTrackerPortaVolCmd[param & 0x0F];\n\t\t\t\t\t} else\n\t\t\t\t\t{\n\t\t\t\t\t\t// Close enough. Do not bother with idiosyncratic FT2 behaviour here.\n\t\t\t\t\t\tparam <<= 4;\n\t\t\t\t\t}\n\t\t\t\t\tsndFile.TonePortamento(&chn, param);\n\t\t\t\t}\n\t\t\t\tupdateInc = true;\n\t\t\t}\n\n\t\t\tint period = chn.nPeriod;\n\t\t\tif(itEnvMode) sndFile.IncrementEnvelopePositions(&chn);\n\t\t\tif(updatePitchEnv)\n\t\t\t{\n\t\t\t\tsndFile.ProcessPitchFilterEnvelope(&chn, period);\n\t\t\t\tupdateInc = true;\n\t\t\t}\n\t\t\tif(!itEnvMode) sndFile.IncrementEnvelopePositions(&chn);\n\t\t\tint vol = 0;\n\t\t\tsndFile.ProcessInstrumentFade(&chn, vol);\n\n\t\t\tif(updateInc || chnSettings[channel].incChanged)\n\t\t\t{\n\t\t\t\tchn.increment = sndFile.GetChannelIncrement(&chn, period, 0);\n\t\t\t\tchnSettings[channel].incChanged = false;\n\t\t\t\tinc = chn.increment * tickDuration;\n\t\t\t\tif(chn.dwFlags[CHN_PINGPONGFLAG]) inc.Negate();\n\t\t\t}\n\n\t\t\tchn.position += inc;\n\n\t\t\tif(chn.position.GetUInt() >= sampleEnd)\n\t\t\t{\n\t\t\t\tif(chn.dwFlags[CHN_LOOP])\n\t\t\t\t{\n\t\t\t\t\t// We exceeded the sample loop, go back to loop start.\n\t\t\t\t\tif(chn.dwFlags[CHN_PINGPONGLOOP])\n\t\t\t\t\t{\n\t\t\t\t\t\tif(chn.position < SamplePosition(chn.nLoopStart, 0))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tchn.position = SamplePosition(chn.nLoopStart + chn.nLoopStart, 0) - chn.position;\n\t\t\t\t\t\t\tchn.dwFlags.flip(CHN_PINGPONGFLAG);\n\t\t\t\t\t\t\tinc.Negate();\n\t\t\t\t\t\t}\n\t\t\t\t\t\tSmpLength posInt = chn.position.GetUInt() - chn.nLoopStart;\n\t\t\t\t\t\tSmpLength pingpongLength = loopLength * 2;\n\t\t\t\t\t\tif(sndFile.m_playBehaviour[kITPingPongMode]) pingpongLength--;\n\t\t\t\t\t\tposInt %= 
pingpongLength;\n\t\t\t\t\t\tbool forward = (posInt < loopLength);\n\t\t\t\t\t\tif(forward)\n\t\t\t\t\t\t\tchn.position.SetInt(chn.nLoopStart + posInt);\n\t\t\t\t\t\telse\n\t\t\t\t\t\t\tchn.position.SetInt(chn.nLoopEnd - (posInt - loopLength));\n\t\t\t\t\t\tif(forward == chn.dwFlags[CHN_PINGPONGFLAG])\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tchn.dwFlags.flip(CHN_PINGPONGFLAG);\n\t\t\t\t\t\t\tinc.Negate();\n\t\t\t\t\t\t}\n\t\t\t\t\t} else\n\t\t\t\t\t{\n\t\t\t\t\t\tSmpLength posInt = chn.position.GetUInt();\n\t\t\t\t\t\tif(posInt >= chn.nLoopEnd + loopLength)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tconst SmpLength overshoot = posInt - chn.nLoopEnd;\n\t\t\t\t\t\t\tposInt -= (overshoot / loopLength) * loopLength;\n\t\t\t\t\t\t}\n\t\t\t\t\t\twhile(posInt >= chn.nLoopEnd)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tposInt -= loopLength;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tchn.position.SetInt(posInt);\n\t\t\t\t\t}\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\t// Past sample end.\n\t\t\t\t\tstopNote = true;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif(stopNote)\n\t\t{\n\t\t\tchn.Stop();\n\t\t\tchn.nPortamentoDest = 0;\n\t\t}\n\t\tchnSettings[channel].ticksToRender = 0;\n\t}", "project": "openmpt", "hash": 269797184167584269125064682700239232909, "size": 121, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255177 }, { "func": "bool pcre_literal_data::isLiteral() const {\n return literal_str.has_value();\n}", "project": "hhvm", "hash": 56876680887457594075591079830777829746, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 
219136 }, { "func": "static void SFDParseLookup(FILE *sfd,OTLookup *otl) {\n int ch;\n struct lookup_subtable *sub, *lastsub;\n FeatureScriptLangList *fl, *lastfl;\n struct scriptlanglist *sl, *lastsl;\n int i, lcnt, lmax=0;\n uint32 *langs=NULL;\n char *subname;\n\n while ( (ch=nlgetc(sfd))==' ' );\n if ( ch=='{' ) {\n\tlastsub = NULL;\n\twhile ( (subname = SFDReadUTF7Str(sfd))!=NULL ) {\n\t while ( (ch=nlgetc(sfd))==' ' );\n\t ungetc(ch,sfd);\n\t sub = chunkalloc(sizeof(struct lookup_subtable));\n\t sub->subtable_name = subname;\n\t sub->lookup = otl;\n\t switch ( otl->lookup_type ) {\n\t case gsub_single:\n\t\twhile ( (ch=nlgetc(sfd))==' ' );\n\t\tif ( ch=='(' ) {\n\t\t sub->suffix = SFDReadUTF7Str(sfd);\n\t\t while ( (ch=nlgetc(sfd))==' ' );\n\t\t\t/* slurp final paren */\n\t\t} else\n\t\t ungetc(ch,sfd);\n\t\tsub->per_glyph_pst_or_kern = true;\n\t break;\n\t case gsub_multiple: case gsub_alternate: case gsub_ligature:\n\t case gpos_single:\n\t\tsub->per_glyph_pst_or_kern = true;\n\t break;\n\t case gpos_pair:\n\t\tif ( (ch=nlgetc(sfd))=='(' ) {\n\t\t ch = nlgetc(sfd);\n\t\t sub->vertical_kerning = (ch=='1');\n\t\t nlgetc(sfd);\t/* slurp final paren */\n\t\t ch=nlgetc(sfd);\n\t\t}\n\t\tif ( ch=='[' ) {\n\t\t getsint(sfd,&sub->separation);\n\t\t nlgetc(sfd);\t/* slurp comma */\n\t\t getsint(sfd,&sub->minkern);\n\t\t nlgetc(sfd);\t/* slurp comma */\n\t\t ch = nlgetc(sfd);\n\t\t sub->kerning_by_touch = ((ch-'0')&1)?1:0;\n\t\t sub->onlyCloser = ((ch-'0')&2)?1:0;\n\t\t sub->dontautokern = ((ch-'0')&4)?1:0;\n\t\t nlgetc(sfd);\t/* slurp final bracket */\n\t\t} else {\n\t\t ungetc(ch,sfd);\n\t\t}\n\t\tsub->per_glyph_pst_or_kern = true;\n\t break;\n\t case gpos_cursive: case gpos_mark2base: case gpos_mark2ligature: case gpos_mark2mark:\n\t\tsub->anchor_classes = true;\n\t break;\n\t default:\n\t break;\n\t }\n\t if ( lastsub==NULL )\n\t\totl->subtables = sub;\n\t else\n\t\tlastsub->next = sub;\n\t lastsub = sub;\n\t}\n\twhile ( (ch=nlgetc(sfd))==' ' );\n\tif ( ch=='}' 
)\n\t ch = nlgetc(sfd);\n }\n while ( ch==' ' )\n\tch = nlgetc(sfd);\n if ( ch=='[' ) {\n\tlastfl = NULL;\n\tfor (;;) {\n\t while ( (ch=nlgetc(sfd))==' ' );\n\t if ( ch==']' )\n\tbreak;\n\t fl = chunkalloc(sizeof(FeatureScriptLangList));\n\t if ( lastfl==NULL )\n\t\totl->features = fl;\n\t else\n\t\tlastfl->next = fl;\n\t lastfl = fl;\n\t if ( ch=='<' ) {\n\t\tint ft=0,fs=0;\n\t\tfscanf(sfd,\"%d,%d>\", &ft, &fs );\n\t\tfl->ismac = true;\n\t\tfl->featuretag = (ft<<16) | fs;\n\t } else if ( ch=='\\'' ) {\n\t\tungetc(ch,sfd);\n\t\tfl->featuretag = gettag(sfd);\n\t }\n\t while ( (ch=nlgetc(sfd))==' ' );\n\t if ( ch=='(' ) {\n\t\tlastsl = NULL;\n\t\tfor (;;) {\n\t\t while ( (ch=nlgetc(sfd))==' ' );\n\t\t if ( ch==')' )\n\t\tbreak;\n\t\t sl = chunkalloc(sizeof(struct scriptlanglist));\n\t\t if ( lastsl==NULL )\n\t\t\tfl->scripts = sl;\n\t\t else\n\t\t\tlastsl->next = sl;\n\t\t lastsl = sl;\n\t\t if ( ch=='\\'' ) {\n\t\t\tungetc(ch,sfd);\n\t\t\tsl->script = gettag(sfd);\n\t\t }\n\t\t while ( (ch=nlgetc(sfd))==' ' );\n\t\t if ( ch=='<' ) {\n\t\t\tlcnt = 0;\n\t\t\tfor (;;) {\n\t\t\t while ( (ch=nlgetc(sfd))==' ' );\n\t\t\t if ( ch=='>' )\n\t\t\tbreak;\n\t\t\t if ( ch=='\\'' ) {\n\t\t\t\tungetc(ch,sfd);\n\t\t\t if ( lcnt>=lmax )\n\t\t\t\t langs = realloc(langs,(lmax+=10)*sizeof(uint32));\n\t\t\t\tlangs[lcnt++] = gettag(sfd);\n\t\t\t }\n\t\t\t}\n\t\t\tsl->lang_cnt = lcnt;\n\t\t\tif ( lcnt>MAX_LANG )\n\t\t\t sl->morelangs = malloc((lcnt-MAX_LANG)*sizeof(uint32));\n\t\t\tfor ( i=0; ilangs[i] = langs[i];\n\t\t\t else\n\t\t\t\tsl->morelangs[i-MAX_LANG] = langs[i];\n\t\t\t}\n\t\t }\n\t\t}\n\t }\n\t}\n }\n free(langs);\n}", "project": "fontforge", "hash": 167023123838304845357260884800226910936, "size": 141, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the 
SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417832 }, { "func": "static void nfs4_handle_setlk_error(struct nfs_server *server, struct nfs4_lock_state *lsp, int new_lock_owner, int error)\n{\n\tswitch (error) {\n\tcase -NFS4ERR_ADMIN_REVOKED:\n\tcase -NFS4ERR_EXPIRED:\n\tcase -NFS4ERR_BAD_STATEID:\n\t\tlsp->ls_seqid.flags &= ~NFS_SEQID_CONFIRMED;\n\t\tif (new_lock_owner != 0 ||\n\t\t test_bit(NFS_LOCK_INITIALIZED, &lsp->ls_flags) != 0)\n\t\t\tnfs4_schedule_stateid_recovery(server, lsp->ls_state);\n\t\tbreak;\n\tcase -NFS4ERR_STALE_STATEID:\n\t\tlsp->ls_seqid.flags &= ~NFS_SEQID_CONFIRMED;\n\t\tnfs4_schedule_lease_recovery(server->nfs_client);\n\t}\n}", "project": "linux", "hash": 176139346183606581552102684235709598820, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431095 }, { "func": "static void process_init_reply(struct fuse_mount *fm, struct fuse_args *args,\n\t\t\t int error)\n{\n\tstruct fuse_conn *fc = fm->fc;\n\tstruct fuse_init_args *ia = container_of(args, typeof(*ia), args);\n\tstruct fuse_init_out *arg = &ia->out;\n\tbool ok = true;\n\n\tif (error || arg->major != FUSE_KERNEL_VERSION)\n\t\tok = false;\n\telse {\n\t\tunsigned long ra_pages;\n\n\t\tprocess_init_limits(fc, arg);\n\n\t\tif (arg->minor >= 6) {\n\t\t\tra_pages = arg->max_readahead / PAGE_SIZE;\n\t\t\tif (arg->flags & FUSE_ASYNC_READ)\n\t\t\t\tfc->async_read = 1;\n\t\t\tif 
(!(arg->flags & FUSE_POSIX_LOCKS))\n\t\t\t\tfc->no_lock = 1;\n\t\t\tif (arg->minor >= 17) {\n\t\t\t\tif (!(arg->flags & FUSE_FLOCK_LOCKS))\n\t\t\t\t\tfc->no_flock = 1;\n\t\t\t} else {\n\t\t\t\tif (!(arg->flags & FUSE_POSIX_LOCKS))\n\t\t\t\t\tfc->no_flock = 1;\n\t\t\t}\n\t\t\tif (arg->flags & FUSE_ATOMIC_O_TRUNC)\n\t\t\t\tfc->atomic_o_trunc = 1;\n\t\t\tif (arg->minor >= 9) {\n\t\t\t\t/* LOOKUP has dependency on proto version */\n\t\t\t\tif (arg->flags & FUSE_EXPORT_SUPPORT)\n\t\t\t\t\tfc->export_support = 1;\n\t\t\t}\n\t\t\tif (arg->flags & FUSE_BIG_WRITES)\n\t\t\t\tfc->big_writes = 1;\n\t\t\tif (arg->flags & FUSE_DONT_MASK)\n\t\t\t\tfc->dont_mask = 1;\n\t\t\tif (arg->flags & FUSE_AUTO_INVAL_DATA)\n\t\t\t\tfc->auto_inval_data = 1;\n\t\t\telse if (arg->flags & FUSE_EXPLICIT_INVAL_DATA)\n\t\t\t\tfc->explicit_inval_data = 1;\n\t\t\tif (arg->flags & FUSE_DO_READDIRPLUS) {\n\t\t\t\tfc->do_readdirplus = 1;\n\t\t\t\tif (arg->flags & FUSE_READDIRPLUS_AUTO)\n\t\t\t\t\tfc->readdirplus_auto = 1;\n\t\t\t}\n\t\t\tif (arg->flags & FUSE_ASYNC_DIO)\n\t\t\t\tfc->async_dio = 1;\n\t\t\tif (arg->flags & FUSE_WRITEBACK_CACHE)\n\t\t\t\tfc->writeback_cache = 1;\n\t\t\tif (arg->flags & FUSE_PARALLEL_DIROPS)\n\t\t\t\tfc->parallel_dirops = 1;\n\t\t\tif (arg->flags & FUSE_HANDLE_KILLPRIV)\n\t\t\t\tfc->handle_killpriv = 1;\n\t\t\tif (arg->time_gran && arg->time_gran <= 1000000000)\n\t\t\t\tfm->sb->s_time_gran = arg->time_gran;\n\t\t\tif ((arg->flags & FUSE_POSIX_ACL)) {\n\t\t\t\tfc->default_permissions = 1;\n\t\t\t\tfc->posix_acl = 1;\n\t\t\t\tfm->sb->s_xattr = fuse_acl_xattr_handlers;\n\t\t\t}\n\t\t\tif (arg->flags & FUSE_CACHE_SYMLINKS)\n\t\t\t\tfc->cache_symlinks = 1;\n\t\t\tif (arg->flags & FUSE_ABORT_ERROR)\n\t\t\t\tfc->abort_err = 1;\n\t\t\tif (arg->flags & FUSE_MAX_PAGES) {\n\t\t\t\tfc->max_pages =\n\t\t\t\t\tmin_t(unsigned int, FUSE_MAX_MAX_PAGES,\n\t\t\t\t\tmax_t(unsigned int, arg->max_pages, 1));\n\t\t\t}\n\t\t\tif (IS_ENABLED(CONFIG_FUSE_DAX) &&\n\t\t\t arg->flags & 
FUSE_MAP_ALIGNMENT &&\n\t\t\t !fuse_dax_check_alignment(fc, arg->map_alignment)) {\n\t\t\t\tok = false;\n\t\t\t}\n\t\t\tif (arg->flags & FUSE_HANDLE_KILLPRIV_V2) {\n\t\t\t\tfc->handle_killpriv_v2 = 1;\n\t\t\t\tfm->sb->s_flags |= SB_NOSEC;\n\t\t\t}\n\t\t} else {\n\t\t\tra_pages = fc->max_read / PAGE_SIZE;\n\t\t\tfc->no_lock = 1;\n\t\t\tfc->no_flock = 1;\n\t\t}\n\n\t\tfm->sb->s_bdi->ra_pages =\n\t\t\t\tmin(fm->sb->s_bdi->ra_pages, ra_pages);\n\t\tfc->minor = arg->minor;\n\t\tfc->max_write = arg->minor < 5 ? 4096 : arg->max_write;\n\t\tfc->max_write = max_t(unsigned, 4096, fc->max_write);\n\t\tfc->conn_init = 1;\n\t}\n\tkfree(ia);\n\n\tif (!ok) {\n\t\tfc->conn_init = 0;\n\t\tfc->conn_error = 1;\n\t}\n\n\tfuse_set_initialized(fc);\n\twake_up_all(&fc->blocked_waitq);\n}", "project": "linux", "hash": 60052522880388477479416127411309252244, "size": 104, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341944 }, { "func": "static int regionSwab(indexEntry entry, int il, int dl,\n\t\tentryInfo pe,\n\t\tunsigned char * dataStart,\n\t\tconst unsigned char * dataEnd,\n\t\tint regionid, int fast)\n{\n if ((entry != NULL && regionid >= 0) || (entry == NULL && regionid != 0))\n\treturn -1;\n\n for (; il > 0; il--, pe++) {\n\tstruct indexEntry_s ie;\n\n\tei2h(pe, &ie.info);\n\n\tif (hdrchkType(ie.info.type))\n\t return -1;\n\tif (hdrchkData(ie.info.count))\n\t return -1;\n\tif (hdrchkData(ie.info.offset))\n\t return -1;\n\tif (hdrchkAlign(ie.info.type, ie.info.offset))\n\t return -1;\n\n\tie.data = dataStart + ie.info.offset;\n\tif (dataEnd && (unsigned char *)ie.data >= dataEnd)\n\t return -1;\n\n\t/* The offset optimization is only relevant for string types */\n\tif (fast && il > 1 && typeSizes[ie.info.type] == -1) {\n\t ie.length = ntohl(pe[1].offset) - ie.info.offset;\n\t} else {\n\t ie.length = dataLength(ie.info.type, ie.data, ie.info.count,\n\t\t\t\t 1, dataEnd);\n\t}\n\tif (ie.length < 0 || hdrchkData(ie.length))\n\t return -1;\n\n\tie.rdlen = 0;\n\n\tif (entry) {\n\t ie.info.offset = regionid;\n\t *entry = ie;\t/* structure assignment */\n\t entry++;\n\t}\n\n\t/* Alignment */\n\tdl += alignDiff(ie.info.type, dl);\n\n\t/* Perform endian conversions */\n\tswitch (ntohl(pe->type)) {\n\tcase RPM_INT64_TYPE:\n\t{ uint64_t * it = ie.data;\n\t for (; ie.info.count > 0; ie.info.count--, it += 1) {\n\t\tif (dataEnd && ((unsigned char *)it) >= dataEnd)\n\t\t return -1;\n\t\t*it = htonll(*it);\n\t }\n\t} break;\n\tcase RPM_INT32_TYPE:\n\t{ int32_t * it = ie.data;\n\t for (; ie.info.count > 0; ie.info.count--, it += 1) {\n\t\tif (dataEnd && ((unsigned char *)it) >= 
dataEnd)\n\t\t return -1;\n\t\t*it = htonl(*it);\n\t }\n\t} break;\n\tcase RPM_INT16_TYPE:\n\t{ int16_t * it = ie.data;\n\t for (; ie.info.count > 0; ie.info.count--, it += 1) {\n\t\tif (dataEnd && ((unsigned char *)it) >= dataEnd)\n\t\t return -1;\n\t\t*it = htons(*it);\n\t }\n\t} break;\n\t}\n\n\tdl += ie.length;\n }\n\n return dl;\n}", "project": "rpm", "hash": 277141718891988486414261734710225833280, "size": 81, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318197 }, { "func": "nfs4_state_find_open_context(struct nfs4_state *state)\n{\n\tstruct nfs_open_context *ctx;\n\n\tctx = nfs4_state_find_open_context_mode(state, FMODE_READ|FMODE_WRITE);\n\tif (!IS_ERR(ctx))\n\t\treturn ctx;\n\tctx = nfs4_state_find_open_context_mode(state, FMODE_WRITE);\n\tif (!IS_ERR(ctx))\n\t\treturn ctx;\n\treturn nfs4_state_find_open_context_mode(state, FMODE_READ);\n}", "project": "linux", "hash": 150820697937567262270392749879821024326, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431405 }, { "func": "static int set_ipsecrequest(struct sk_buff *skb,\n\t\t\t uint8_t proto, uint8_t mode, int level,\n\t\t\t uint32_t reqid, uint8_t family,\n\t\t\t const xfrm_address_t *src, const xfrm_address_t *dst)\n{\n\tstruct sadb_x_ipsecrequest *rq;\n\tu8 *sa;\n\tint socklen = pfkey_sockaddr_len(family);\n\tint size_req;\n\n\tsize_req = sizeof(struct sadb_x_ipsecrequest) 
+\n\t\t pfkey_sockaddr_pair_size(family);\n\n\trq = skb_put_zero(skb, size_req);\n\trq->sadb_x_ipsecrequest_len = size_req;\n\trq->sadb_x_ipsecrequest_proto = proto;\n\trq->sadb_x_ipsecrequest_mode = mode;\n\trq->sadb_x_ipsecrequest_level = level;\n\trq->sadb_x_ipsecrequest_reqid = reqid;\n\n\tsa = (u8 *) (rq + 1);\n\tif (!pfkey_sockaddr_fill(src, 0, (struct sockaddr *)sa, family) ||\n\t !pfkey_sockaddr_fill(dst, 0, (struct sockaddr *)(sa + socklen), family))\n\t\treturn -EINVAL;\n\n\treturn 0;\n}", "project": "linux", "hash": 144572432772891636449878048740657994740, "size": 27, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268014 }, { "func": "int CServerBan::BanRange(const CNetRange *pRange, int Seconds, const char *pReason)\n{\n\tif(pRange->IsValid())\n\t\treturn BanExt(&m_BanRangePool, pRange, Seconds, pReason);\n\n\tConsole()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"net_ban\", \"ban failed (invalid range)\");\n\treturn -1;\n}", "project": "teeworlds", "hash": 59517285142961778467709764921127604076, "size": 8, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382044 }, { "func": "void LanLinkProvider::incomingPairPacket(DeviceLink* deviceLink, const NetworkPacket& np)\n{\n LanPairingHandler* ph = createPairingHandler(deviceLink);\n ph->packetReceived(np);\n}", "project": "kdeconnect-kde", "hash": 79488239541714384815977303622264441102, "size": 5, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227371 }, { "func": "static int process_head_main(struct archive_read* a, struct rar5* rar,\n struct archive_entry* entry, size_t block_flags)\n{\n\tint ret;\n\tsize_t extra_data_size = 0;\n\tsize_t extra_field_size = 0;\n\tsize_t extra_field_id = 0;\n\tsize_t archive_flags = 0;\n\n\tenum MAIN_FLAGS {\n\t\tVOLUME = 0x0001, /* multi-volume archive */\n\t\tVOLUME_NUMBER = 0x0002, /* volume number, first vol doesn't\n\t\t\t\t\t * have it */\n\t\tSOLID = 0x0004, /* solid archive */\n\t\tPROTECT = 0x0008, /* contains Recovery info */\n\t\tLOCK = 0x0010, /* readonly flag, not used */\n\t};\n\n\tenum MAIN_EXTRA {\n\t\t// Just one attribute here.\n\t\tLOCATOR = 0x01,\n\t};\n\n\t(void) 
entry;\n\n\tif(block_flags & HFL_EXTRA_DATA) {\n\t\tif(!read_var_sized(a, &extra_data_size, NULL))\n\t\t\treturn ARCHIVE_EOF;\n\t} else {\n\t\textra_data_size = 0;\n\t}\n\n\tif(!read_var_sized(a, &archive_flags, NULL)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\trar->main.volume = (archive_flags & VOLUME) > 0;\n\trar->main.solid = (archive_flags & SOLID) > 0;\n\n\tif(archive_flags & VOLUME_NUMBER) {\n\t\tsize_t v = 0;\n\t\tif(!read_var_sized(a, &v, NULL)) {\n\t\t\treturn ARCHIVE_EOF;\n\t\t}\n\n\t\tif (v > UINT_MAX) {\n\t\t\tarchive_set_error(&a->archive,\n\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t \"Invalid volume number\");\n\t\t\treturn ARCHIVE_FATAL;\n\t\t}\n\n\t\trar->main.vol_no = (unsigned int) v;\n\t} else {\n\t\trar->main.vol_no = 0;\n\t}\n\n\tif(rar->vol.expected_vol_no > 0 &&\n\t\trar->main.vol_no != rar->vol.expected_vol_no)\n\t{\n\t\t/* Returning EOF instead of FATAL because of strange\n\t\t * libarchive behavior. When opening multiple files via\n\t\t * archive_read_open_filenames(), after reading up the whole\n\t\t * last file, the __archive_read_ahead function wraps up to\n\t\t * the first archive instead of returning EOF. */\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\tif(extra_data_size == 0) {\n\t\t/* Early return. */\n\t\treturn ARCHIVE_OK;\n\t}\n\n\tif(!read_var_sized(a, &extra_field_size, NULL)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\tif(!read_var_sized(a, &extra_field_id, NULL)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\tif(extra_field_size == 0) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Invalid extra field size\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tswitch(extra_field_id) {\n\t\tcase LOCATOR:\n\t\t\tret = process_main_locator_extra_block(a, rar);\n\t\t\tif(ret != ARCHIVE_OK) {\n\t\t\t\t/* Error while parsing main locator extra\n\t\t\t\t * block. 
*/\n\t\t\t\treturn ret;\n\t\t\t}\n\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tarchive_set_error(&a->archive,\n\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t \"Unsupported extra type (0x%x)\",\n\t\t\t (int) extra_field_id);\n\t\t\treturn ARCHIVE_FATAL;\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 193111891357018531929772239733858896202, "size": 107, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244721 }, { "func": "static bool get_run(const uint8_t* ip, const uint8_t* ip_bound) {\n uint8_t x = *ip;\n int64_t value, value2;\n /* Broadcast the value for every byte in a 64-bit register */\n memset(&value, x, 8);\n while (ip < (ip_bound - 8)) {\n#if defined(BLOSC_STRICT_ALIGN)\n memcpy(&value2, ref, 8);\n#else\n value2 = *(int64_t*)ip;\n#endif\n if (value != value2) {\n // Values differ. We don't have a run.\n return false;\n }\n else {\n ip += 8;\n }\n }\n /* Look into the remainder */\n while ((ip < ip_bound) && (*ip == x)) ip++;\n return ip == ip_bound ? 
true : false;\n}", "project": "c-blosc2", "hash": 134702566463293177997012908408268404941, "size": 23, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303057 }, { "func": "int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias, int alias_len, phar_archive_data** pphar, int is_data, php_uint32 compression, char **error TSRMLS_DC) /* {{{ */\n{\n\tchar buf[512], *actual_alias = NULL, *p;\n\tphar_entry_info entry = {0};\n\tsize_t pos = 0, read, totalsize;\n\ttar_header *hdr;\n\tphp_uint32 sum1, sum2, size, old;\n\tphar_archive_data *myphar, **actual;\n\tint last_was_longlink = 0;\n\n\tif (error) {\n\t\t*error = NULL;\n\t}\n\n\tphp_stream_seek(fp, 0, SEEK_END);\n\ttotalsize = php_stream_tell(fp);\n\tphp_stream_seek(fp, 0, SEEK_SET);\n\tread = php_stream_read(fp, buf, sizeof(buf));\n\n\tif (read != sizeof(buf)) {\n\t\tif (error) {\n\t\t\tspprintf(error, 4096, \"phar error: \\\"%s\\\" is not a tar file or is truncated\", fname);\n\t\t}\n\t\tphp_stream_close(fp);\n\t\treturn FAILURE;\n\t}\n\n\thdr = (tar_header*)buf;\n\told = (memcmp(hdr->magic, \"ustar\", sizeof(\"ustar\")-1) != 0);\n\n\tmyphar = (phar_archive_data *) pecalloc(1, sizeof(phar_archive_data), PHAR_G(persist));\n\tmyphar->is_persistent = PHAR_G(persist);\n\t/* estimate number of entries, can't be certain with tar files */\n\tzend_hash_init(&myphar->manifest, 2 + (totalsize >> 12),\n\t\tzend_get_hash_value, destroy_phar_manifest_entry, (zend_bool)myphar->is_persistent);\n\tzend_hash_init(&myphar->mounted_dirs, 5,\n\t\tzend_get_hash_value, NULL, (zend_bool)myphar->is_persistent);\n\tzend_hash_init(&myphar->virtual_dirs, 4 + (totalsize >> 11),\n\t\tzend_get_hash_value, NULL, (zend_bool)myphar->is_persistent);\n\tmyphar->is_tar = 1;\n\t/* remember whether this entire phar was compressed with gz/bzip2 */\n\tmyphar->flags = 
compression;\n\n\tentry.is_tar = 1;\n\tentry.is_crc_checked = 1;\n\tentry.phar = myphar;\n\tpos += sizeof(buf);\n\n\tdo {\n\t\tphar_entry_info *newentry;\n\n\t\tpos = php_stream_tell(fp);\n\t\thdr = (tar_header*) buf;\n\t\tsum1 = phar_tar_number(hdr->checksum, sizeof(hdr->checksum));\n\t\tif (sum1 == 0 && phar_tar_checksum(buf, sizeof(buf)) == 0) {\n\t\t\tbreak;\n\t\t}\n\t\tmemset(hdr->checksum, ' ', sizeof(hdr->checksum));\n\t\tsum2 = phar_tar_checksum(buf, old?sizeof(old_tar_header):sizeof(tar_header));\n\n\t\tsize = entry.uncompressed_filesize = entry.compressed_filesize =\n\t\t\tphar_tar_number(hdr->size, sizeof(hdr->size));\n\n\t\t/* skip global/file headers (pax) */\n\t\tif (!old && (hdr->typeflag == TAR_GLOBAL_HDR || hdr->typeflag == TAR_FILE_HDR)) {\n\t\t\tsize = (size+511)&~511;\n\t\t\tgoto next;\n\t\t}\n\n\t\tif (((!old && hdr->prefix[0] == 0) || old) && strlen(hdr->name) == sizeof(\".phar/signature.bin\")-1 && !strncmp(hdr->name, \".phar/signature.bin\", sizeof(\".phar/signature.bin\")-1)) {\n\t\t\toff_t curloc;\n\n\t\t\tif (size > 511) {\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 4096, \"phar error: tar-based phar \\\"%s\\\" has signature that is larger than 511 bytes, cannot process\", fname);\n\t\t\t\t}\nbail:\n\t\t\t\tphp_stream_close(fp);\n\t\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\t\t\tcurloc = php_stream_tell(fp);\n\t\t\tread = php_stream_read(fp, buf, size);\n\t\t\tif (read != size) {\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 4096, \"phar error: tar-based phar \\\"%s\\\" signature cannot be read\", fname);\n\t\t\t\t}\n\t\t\t\tgoto bail;\n\t\t\t}\n#ifdef WORDS_BIGENDIAN\n# define PHAR_GET_32(buffer) \\\n\t(((((unsigned char*)(buffer))[3]) << 24) \\\n\t\t| ((((unsigned char*)(buffer))[2]) << 16) \\\n\t\t| ((((unsigned char*)(buffer))[1]) << 8) \\\n\t\t| (((unsigned char*)(buffer))[0]))\n#else\n# define PHAR_GET_32(buffer) (php_uint32) *(buffer)\n#endif\n\t\t\tmyphar->sig_flags = 
PHAR_GET_32(buf);\n\t\t\tif (FAILURE == phar_verify_signature(fp, php_stream_tell(fp) - size - 512, myphar->sig_flags, buf + 8, size - 8, fname, &myphar->signature, &myphar->sig_len, error TSRMLS_CC)) {\n\t\t\t\tif (error) {\n\t\t\t\t\tchar *save = *error;\n\t\t\t\t\tspprintf(error, 4096, \"phar error: tar-based phar \\\"%s\\\" signature cannot be verified: %s\", fname, save);\n\t\t\t\t\tefree(save);\n\t\t\t\t}\n\t\t\t\tgoto bail;\n\t\t\t}\n\t\t\tphp_stream_seek(fp, curloc + 512, SEEK_SET);\n\t\t\t/* signature checked out, let's ensure this is the last file in the phar */\n\t\t\tif (((hdr->typeflag == '\\0') || (hdr->typeflag == TAR_FILE)) && size > 0) {\n\t\t\t\t/* this is not good enough - seek succeeds even on truncated tars */\n\t\t\t\tphp_stream_seek(fp, 512, SEEK_CUR);\n\t\t\t\tif ((uint)php_stream_tell(fp) > totalsize) {\n\t\t\t\t\tif (error) {\n\t\t\t\t\t\tspprintf(error, 4096, \"phar error: \\\"%s\\\" is a corrupted tar file (truncated)\", fname);\n\t\t\t\t\t}\n\t\t\t\t\tphp_stream_close(fp);\n\t\t\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\t\t\treturn FAILURE;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tread = php_stream_read(fp, buf, sizeof(buf));\n\n\t\t\tif (read != sizeof(buf)) {\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 4096, \"phar error: \\\"%s\\\" is a corrupted tar file (truncated)\", fname);\n\t\t\t\t}\n\t\t\t\tphp_stream_close(fp);\n\t\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\n\t\t\thdr = (tar_header*) buf;\n\t\t\tsum1 = phar_tar_number(hdr->checksum, sizeof(hdr->checksum));\n\n\t\t\tif (sum1 == 0 && phar_tar_checksum(buf, sizeof(buf)) == 0) {\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tif (error) {\n\t\t\t\tspprintf(error, 4096, \"phar error: \\\"%s\\\" has entries after signature, invalid phar\", fname);\n\t\t\t}\n\n\t\t\tgoto bail;\n\t\t}\n\n\t\tif (!last_was_longlink && hdr->typeflag == 'L') {\n\t\t\tlast_was_longlink = 1;\n\t\t\t/* support the ././@LongLink system for storing long filenames 
*/\n\t\t\tentry.filename_len = entry.uncompressed_filesize;\n\n\t\t\t/* Check for overflow - bug 61065 */\n\t\t\tif (entry.filename_len == UINT_MAX) {\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 4096, \"phar error: \\\"%s\\\" is a corrupted tar file (invalid entry size)\", fname);\n\t\t\t\t}\n\t\t\t\tphp_stream_close(fp);\n\t\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\t\t\tentry.filename = pemalloc(entry.filename_len+1, myphar->is_persistent);\n\n\t\t\tread = php_stream_read(fp, entry.filename, entry.filename_len);\n\t\t\tif (read != entry.filename_len) {\n\t\t\t\tefree(entry.filename);\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 4096, \"phar error: \\\"%s\\\" is a corrupted tar file (truncated)\", fname);\n\t\t\t\t}\n\t\t\t\tphp_stream_close(fp);\n\t\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\t\t\tentry.filename[entry.filename_len] = '\\0';\n\n\t\t\t/* skip blank stuff */\n\t\t\tsize = ((size+511)&~511) - size;\n\n\t\t\t/* this is not good enough - seek succeeds even on truncated tars */\n\t\t\tphp_stream_seek(fp, size, SEEK_CUR);\n\t\t\tif ((uint)php_stream_tell(fp) > totalsize) {\n\t\t\t\tefree(entry.filename);\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 4096, \"phar error: \\\"%s\\\" is a corrupted tar file (truncated)\", fname);\n\t\t\t\t}\n\t\t\t\tphp_stream_close(fp);\n\t\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\n\t\t\tread = php_stream_read(fp, buf, sizeof(buf));\n\n\t\t\tif (read != sizeof(buf)) {\n\t\t\t\tefree(entry.filename);\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 4096, \"phar error: \\\"%s\\\" is a corrupted tar file (truncated)\", fname);\n\t\t\t\t}\n\t\t\t\tphp_stream_close(fp);\n\t\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\t\t\tcontinue;\n\t\t} else if (!last_was_longlink && !old && hdr->prefix[0] != 0) {\n\t\t\tchar name[256];\n\t\t\tint i, j;\n\n\t\t\tfor (i = 0; 
i < 155; i++) {\n\t\t\t\tname[i] = hdr->prefix[i];\n\t\t\t\tif (name[i] == '\\0') {\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\tname[i++] = '/';\n\t\t\tfor (j = 0; j < 100; j++) {\n\t\t\t\tname[i+j] = hdr->name[j];\n\t\t\t\tif (name[i+j] == '\\0') {\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tentry.filename_len = i+j;\n\n\t\t\tif (name[entry.filename_len - 1] == '/') {\n\t\t\t\t/* some tar programs store directories with trailing slash */\n\t\t\t\tentry.filename_len--;\n\t\t\t}\n\t\t\tentry.filename = pestrndup(name, entry.filename_len, myphar->is_persistent);\n\t\t} else if (!last_was_longlink) {\n\t\t\tint i;\n\n\t\t\t/* calculate strlen, which can be no longer than 100 */\n\t\t\tfor (i = 0; i < 100; i++) {\n\t\t\t\tif (hdr->name[i] == '\\0') {\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\tentry.filename_len = i;\n\t\t\tentry.filename = pestrndup(hdr->name, i, myphar->is_persistent);\n\n\t\t\tif (i > 0 && entry.filename[entry.filename_len - 1] == '/') {\n\t\t\t\t/* some tar programs store directories with trailing slash */\n\t\t\t\tentry.filename[entry.filename_len - 1] = '\\0';\n\t\t\t\tentry.filename_len--;\n\t\t\t}\n\t\t}\n\t\tlast_was_longlink = 0;\n\n\t\tphar_add_virtual_dirs(myphar, entry.filename, entry.filename_len TSRMLS_CC);\n\n\t\tif (sum1 != sum2) {\n\t\t\tif (error) {\n\t\t\t\tspprintf(error, 4096, \"phar error: \\\"%s\\\" is a corrupted tar file (checksum mismatch of file \\\"%s\\\")\", fname, entry.filename);\n\t\t\t}\n\t\t\tpefree(entry.filename, myphar->is_persistent);\n\t\t\tphp_stream_close(fp);\n\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\treturn FAILURE;\n\t\t}\n\n\t\tentry.tar_type = ((old & (hdr->typeflag == '\\0')) ? 
TAR_FILE : hdr->typeflag);\n\t\tentry.offset = entry.offset_abs = pos; /* header_offset unused in tar */\n\t\tentry.fp_type = PHAR_FP;\n\t\tentry.flags = phar_tar_number(hdr->mode, sizeof(hdr->mode)) & PHAR_ENT_PERM_MASK;\n\t\tentry.timestamp = phar_tar_number(hdr->mtime, sizeof(hdr->mtime));\n\t\tentry.is_persistent = myphar->is_persistent;\n#ifndef S_ISDIR\n#define S_ISDIR(mode)\t(((mode)&S_IFMT) == S_IFDIR)\n#endif\n\t\tif (old && entry.tar_type == TAR_FILE && S_ISDIR(entry.flags)) {\n\t\t\tentry.tar_type = TAR_DIR;\n\t\t}\n\n\t\tif (entry.tar_type == TAR_DIR) {\n\t\t\tentry.is_dir = 1;\n\t\t} else {\n\t\t\tentry.is_dir = 0;\n\t\t}\n\n\t\tentry.link = NULL;\n\n\t\tif (entry.tar_type == TAR_LINK) {\n\t\t\tif (!zend_hash_exists(&myphar->manifest, hdr->linkname, strlen(hdr->linkname))) {\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 4096, \"phar error: \\\"%s\\\" is a corrupted tar file - hard link to non-existent file \\\"%s\\\"\", fname, hdr->linkname);\n\t\t\t\t}\n\t\t\t\tpefree(entry.filename, entry.is_persistent);\n\t\t\t\tphp_stream_close(fp);\n\t\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\t\t\tentry.link = estrdup(hdr->linkname);\n\t\t} else if (entry.tar_type == TAR_SYMLINK) {\n\t\t\tentry.link = estrdup(hdr->linkname);\n\t\t}\n\t\tphar_set_inode(&entry TSRMLS_CC);\n\t\tzend_hash_add(&myphar->manifest, entry.filename, entry.filename_len, (void*)&entry, sizeof(phar_entry_info), (void **) &newentry);\n\n\t\tif (entry.is_persistent) {\n\t\t\t++entry.manifest_pos;\n\t\t}\n\n\t\tif (entry.filename_len >= sizeof(\".phar/.metadata\")-1 && !memcmp(entry.filename, \".phar/.metadata\", sizeof(\".phar/.metadata\")-1)) {\n\t\t\tif (FAILURE == phar_tar_process_metadata(newentry, fp TSRMLS_CC)) {\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 4096, \"phar error: tar-based phar \\\"%s\\\" has invalid metadata in magic file \\\"%s\\\"\", fname, 
entry.filename);\n\t\t\t\t}\n\t\t\t\tphp_stream_close(fp);\n\t\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\t\t}\n\n\t\tif (!actual_alias && entry.filename_len == sizeof(\".phar/alias.txt\")-1 && !strncmp(entry.filename, \".phar/alias.txt\", sizeof(\".phar/alias.txt\")-1)) {\n\t\t\t/* found explicit alias */\n\t\t\tif (size > 511) {\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 4096, \"phar error: tar-based phar \\\"%s\\\" has alias that is larger than 511 bytes, cannot process\", fname);\n\t\t\t\t}\n\t\t\t\tphp_stream_close(fp);\n\t\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\n\t\t\tread = php_stream_read(fp, buf, size);\n\n\t\t\tif (read == size) {\n\t\t\t\tbuf[size] = '\\0';\n\t\t\t\tif (!phar_validate_alias(buf, size)) {\n\t\t\t\t\tif (size > 50) {\n\t\t\t\t\t\tbuf[50] = '.';\n\t\t\t\t\t\tbuf[51] = '.';\n\t\t\t\t\t\tbuf[52] = '.';\n\t\t\t\t\t\tbuf[53] = '\\0';\n\t\t\t\t\t}\n\n\t\t\t\t\tif (error) {\n\t\t\t\t\t\tspprintf(error, 4096, \"phar error: invalid alias \\\"%s\\\" in tar-based phar \\\"%s\\\"\", buf, fname);\n\t\t\t\t\t}\n\n\t\t\t\t\tphp_stream_close(fp);\n\t\t\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\t\t\treturn FAILURE;\n\t\t\t\t}\n\n\t\t\t\tactual_alias = pestrndup(buf, size, myphar->is_persistent);\n\t\t\t\tmyphar->alias = actual_alias;\n\t\t\t\tmyphar->alias_len = size;\n\t\t\t\tphp_stream_seek(fp, pos, SEEK_SET);\n\t\t\t} else {\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 4096, \"phar error: Unable to read alias from tar-based phar \\\"%s\\\"\", fname);\n\t\t\t\t}\n\n\t\t\t\tphp_stream_close(fp);\n\t\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\t\t}\n\n\t\tsize = (size+511)&~511;\n\n\t\tif (((hdr->typeflag == '\\0') || (hdr->typeflag == TAR_FILE)) && size > 0) {\nnext:\n\t\t\t/* this is not good enough - seek succeeds even on truncated tars */\n\t\t\tphp_stream_seek(fp, size, SEEK_CUR);\n\t\t\tif 
((uint)php_stream_tell(fp) > totalsize) {\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 4096, \"phar error: \\\"%s\\\" is a corrupted tar file (truncated)\", fname);\n\t\t\t\t}\n\t\t\t\tphp_stream_close(fp);\n\t\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\t\t}\n\n\t\tread = php_stream_read(fp, buf, sizeof(buf));\n\n\t\tif (read != sizeof(buf)) {\n\t\t\tif (error) {\n\t\t\t\tspprintf(error, 4096, \"phar error: \\\"%s\\\" is a corrupted tar file (truncated)\", fname);\n\t\t\t}\n\t\t\tphp_stream_close(fp);\n\t\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\t\treturn FAILURE;\n\t\t}\n\t} while (read != 0);\n\n\tif (zend_hash_exists(&(myphar->manifest), \".phar/stub.php\", sizeof(\".phar/stub.php\")-1)) {\n\t\tmyphar->is_data = 0;\n\t} else {\n\t\tmyphar->is_data = 1;\n\t}\n\n\t/* ensure signature set */\n\tif (!myphar->is_data && PHAR_G(require_hash) && !myphar->signature) {\n\t\tphp_stream_close(fp);\n\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\tif (error) {\n\t\t\tspprintf(error, 0, \"tar-based phar \\\"%s\\\" does not have a signature\", fname);\n\t\t}\n\t\treturn FAILURE;\n\t}\n\n\tmyphar->fname = pestrndup(fname, fname_len, myphar->is_persistent);\n#ifdef PHP_WIN32\n\tphar_unixify_path_separators(myphar->fname, fname_len);\n#endif\n\tmyphar->fname_len = fname_len;\n\tmyphar->fp = fp;\n\tp = strrchr(myphar->fname, '/');\n\n\tif (p) {\n\t\tmyphar->ext = memchr(p, '.', (myphar->fname + fname_len) - p);\n\t\tif (myphar->ext == p) {\n\t\t\tmyphar->ext = memchr(p + 1, '.', (myphar->fname + fname_len) - p - 1);\n\t\t}\n\t\tif (myphar->ext) {\n\t\t\tmyphar->ext_len = (myphar->fname + fname_len) - myphar->ext;\n\t\t}\n\t}\n\n\tphar_request_initialize(TSRMLS_C);\n\n\tif (SUCCESS != zend_hash_add(&(PHAR_GLOBALS->phar_fname_map), myphar->fname, fname_len, (void*)&myphar, sizeof(phar_archive_data*), (void **)&actual)) {\n\t\tif (error) {\n\t\t\tspprintf(error, 4096, \"phar error: Unable to add tar-based phar \\\"%s\\\" to phar 
registry\", fname);\n\t\t}\n\t\tphp_stream_close(fp);\n\t\tphar_destroy_phar_data(myphar TSRMLS_CC);\n\t\treturn FAILURE;\n\t}\n\n\tmyphar = *actual;\n\n\tif (actual_alias) {\n\t\tphar_archive_data **fd_ptr;\n\n\t\tmyphar->is_temporary_alias = 0;\n\n\t\tif (SUCCESS == zend_hash_find(&(PHAR_GLOBALS->phar_alias_map), actual_alias, myphar->alias_len, (void **)&fd_ptr)) {\n\t\t\tif (SUCCESS != phar_free_alias(*fd_ptr, actual_alias, myphar->alias_len TSRMLS_CC)) {\n\t\t\t\tif (error) {\n\t\t\t\t\tspprintf(error, 4096, \"phar error: Unable to add tar-based phar \\\"%s\\\", alias is already in use\", fname);\n\t\t\t\t}\n\t\t\t\tzend_hash_del(&(PHAR_GLOBALS->phar_fname_map), myphar->fname, fname_len);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\t\t}\n\n\t\tzend_hash_add(&(PHAR_GLOBALS->phar_alias_map), actual_alias, myphar->alias_len, (void*)&myphar, sizeof(phar_archive_data*), NULL);\n\t} else {\n\t\tphar_archive_data **fd_ptr;\n\n\t\tif (alias_len) {\n\t\t\tif (SUCCESS == zend_hash_find(&(PHAR_GLOBALS->phar_alias_map), alias, alias_len, (void **)&fd_ptr)) {\n\t\t\t\tif (SUCCESS != phar_free_alias(*fd_ptr, alias, alias_len TSRMLS_CC)) {\n\t\t\t\t\tif (error) {\n\t\t\t\t\t\tspprintf(error, 4096, \"phar error: Unable to add tar-based phar \\\"%s\\\", alias is already in use\", fname);\n\t\t\t\t\t}\n\t\t\t\t\tzend_hash_del(&(PHAR_GLOBALS->phar_fname_map), myphar->fname, fname_len);\n\t\t\t\t\treturn FAILURE;\n\t\t\t\t}\n\t\t\t}\n\t\t\tzend_hash_add(&(PHAR_GLOBALS->phar_alias_map), alias, alias_len, (void*)&myphar, sizeof(phar_archive_data*), NULL);\n\t\t\tmyphar->alias = pestrndup(alias, alias_len, myphar->is_persistent);\n\t\t\tmyphar->alias_len = alias_len;\n\t\t} else {\n\t\t\tmyphar->alias = pestrndup(myphar->fname, fname_len, myphar->is_persistent);\n\t\t\tmyphar->alias_len = fname_len;\n\t\t}\n\n\t\tmyphar->is_temporary_alias = 1;\n\t}\n\n\tif (pphar) {\n\t\t*pphar = myphar;\n\t}\n\n\treturn SUCCESS;\n}", "project": "php-src", "hash": 206237236085142250315781022529097188900, 
"size": 480, "commit_id": "07c7df68bd68bbe706371fccc77c814ebb335d9e", "message": "Fixed bug #71488: Stack overflow when decompressing tar archives", "target": 1, "dataset": "other", "idx": 204238 }, { "func": "static int vcpu_stat_clear(void *_offset, u64 val)\n{\n\tunsigned offset = (long)_offset;\n\tstruct kvm *kvm;\n\n\tif (val)\n\t\treturn -EINVAL;\n\n\tmutex_lock(&kvm_lock);\n\tlist_for_each_entry(kvm, &vm_list, vm_list) {\n\t\tkvm_clear_stat_per_vcpu(kvm, offset);\n\t}\n\tmutex_unlock(&kvm_lock);\n\n\treturn 0;\n}", "project": "linux", "hash": 308257994175781952695000762474970624899, "size": 16, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354605 }, { "func": "static void tipc_node_link_up(struct tipc_node *n, int bearer_id,\n\t\t\t struct sk_buff_head *xmitq)\n{\n\tstruct tipc_media_addr *maddr;\n\n\ttipc_node_write_lock(n);\n\t__tipc_node_link_up(n, bearer_id, xmitq);\n\tmaddr = &n->links[bearer_id].maddr;\n\ttipc_bearer_xmit(n->net, bearer_id, xmitq, maddr, n);\n\ttipc_node_write_unlock(n);\n}", "project": "linux", "hash": 169487623186715109479155747660100368089, "size": 11, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to 
dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n 
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d 
(\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364941 }, { "func": "static enum hrtimer_restart stimer_timer_callback(struct hrtimer *timer)\n{\n\tstruct kvm_vcpu_hv_stimer *stimer;\n\n\tstimer = container_of(timer, struct kvm_vcpu_hv_stimer, timer);\n\ttrace_kvm_hv_stimer_callback(hv_stimer_to_vcpu(stimer)->vcpu_id,\n\t\t\t\t stimer->index);\n\tstimer_mark_pending(stimer, true);\n\n\treturn HRTIMER_NORESTART;\n}", "project": "linux", "hash": 338157155022326899247665355084037087192, "size": 11, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343528 }, { "func": "static int input_dev_suspend(struct device *dev)\n{\n\tstruct input_dev *input_dev = to_input_dev(dev);\n\n\tspin_lock_irq(&input_dev->event_lock);\n\n\t/*\n\t * Keys that are pressed now are unlikely to be\n\t * still pressed when we resume.\n\t */\n\tinput_dev_release_keys(input_dev);\n\n\t/* Turn off LEDs and sounds, if any are active. */\n\tinput_dev_toggle(input_dev, false);\n\n\tspin_unlock_irq(&input_dev->event_lock);\n\n\treturn 0;\n}", "project": "linux", "hash": 296861858587310356887666937559832315286, "size": 19, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353363 }, { "project": "Chrome", "commit_id": "de5aa214ea77b3d2c4ff8a0c58f446896c107ce0", "target": 0, "func": "TranslateManager* TranslateManager::GetInstance() {\n return Singleton::get();\n}\n", "cwe": "", "big_vul_idx": 107998, "idx": 96964, "hash": 93339660722680839047355861739674144756 }, { "func": "static void restore_bytes(struct kmem_cache *s, char *message, u8 data,\n\t\t\t\t\t\tvoid *from, void *to)\n{\n\tslab_fix(s, \"Restoring 0x%p-0x%p=0x%x\\n\", from, to - 1, data);\n\tmemset(from, data, to - from);\n}", "project": "linux", "hash": 317620728025565780663103521449744071917, "size": 6, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280174 }, { "func": "static char* oidc_get_state_cookie_name(request_rec *r, const char *state) {\n\treturn apr_psprintf(r->pool, \"%s%s\", oidc_cfg_dir_state_cookie_prefix(r),\n\t\t\tstate);\n}", "project": "mod_auth_openidc", "hash": 146789673172317765232174197207492156135, "size": 4, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381974 }, { "func": "static inline int tcp_skb_pcount(const struct sk_buff *skb)\n{\n\treturn TCP_SKB_CB(skb)->tcp_gso_segs;\n}", "project": "linux", "hash": 278064766108863334653571575670023928719, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. 
For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410719 }, { "func": "static int rle(uint8_t *dst, const uint8_t *src,\n int compressed_size, int uncompressed_size)\n{\n uint8_t *d = dst;\n const int8_t *s = src;\n int ssize = compressed_size;\n int dsize = uncompressed_size;\n uint8_t *dend = d + dsize;\n int count;\n\n while (ssize > 0) {\n count = *s++;\n\n if (count < 0) {\n count = -count;\n\n if ((dsize -= count) < 0 ||\n (ssize -= count + 1) < 0)\n return AVERROR_INVALIDDATA;\n\n while (count--)\n *d++ = *s++;\n } else {\n count++;\n\n if ((dsize -= count) < 0 ||\n (ssize -= 2) < 0)\n return AVERROR_INVALIDDATA;\n\n while (count--)\n *d++ = *s;\n\n s++;\n }\n }\n\n if (dend != d)\n return AVERROR_INVALIDDATA;\n\n return 0;\n}", "project": "FFmpeg", "hash": 291378614160696408367786950172205776235, "size": 41, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262686 }, { "func": "static OPJ_BOOL opj_j2k_compare_SPCod_SPCoc(opj_j2k_t *p_j2k,\n OPJ_UINT32 p_tile_no, OPJ_UINT32 p_first_comp_no, OPJ_UINT32 p_second_comp_no)\n{\n OPJ_UINT32 i;\n opj_cp_t *l_cp = NULL;\n opj_tcp_t *l_tcp = NULL;\n opj_tccp_t *l_tccp0 = NULL;\n opj_tccp_t *l_tccp1 = NULL;\n\n /* 
preconditions */\n assert(p_j2k != 00);\n\n l_cp = &(p_j2k->m_cp);\n l_tcp = &l_cp->tcps[p_tile_no];\n l_tccp0 = &l_tcp->tccps[p_first_comp_no];\n l_tccp1 = &l_tcp->tccps[p_second_comp_no];\n\n if (l_tccp0->numresolutions != l_tccp1->numresolutions) {\n return OPJ_FALSE;\n }\n if (l_tccp0->cblkw != l_tccp1->cblkw) {\n return OPJ_FALSE;\n }\n if (l_tccp0->cblkh != l_tccp1->cblkh) {\n return OPJ_FALSE;\n }\n if (l_tccp0->cblksty != l_tccp1->cblksty) {\n return OPJ_FALSE;\n }\n if (l_tccp0->qmfbid != l_tccp1->qmfbid) {\n return OPJ_FALSE;\n }\n if ((l_tccp0->csty & J2K_CCP_CSTY_PRT) != (l_tccp1->csty & J2K_CCP_CSTY_PRT)) {\n return OPJ_FALSE;\n }\n\n for (i = 0U; i < l_tccp0->numresolutions; ++i) {\n if (l_tccp0->prcw[i] != l_tccp1->prcw[i]) {\n return OPJ_FALSE;\n }\n if (l_tccp0->prch[i] != l_tccp1->prch[i]) {\n return OPJ_FALSE;\n }\n }\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 92176004212881145834482651631468033347, "size": 46, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357345 }, { "func": "Header headerNew(void)\n{\n return headerCreate(NULL, 0);\n}", "project": "rpm", "hash": 193586421570709826534586487316708346071, "size": 4, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318174 }, { "func": "void tipc_node_subscribe(struct net *net, struct list_head *subscr, u32 addr)\n{\n\tstruct tipc_node *n;\n\n\tif (in_own_node(net, addr))\n\t\treturn;\n\n\tn = tipc_node_find(net, addr);\n\tif (!n) {\n\t\tpr_warn(\"Node subscribe rejected, unknown node 0x%x\\n\", addr);\n\t\treturn;\n\t}\n\ttipc_node_write_lock(n);\n\tlist_add_tail(subscr, &n->publ_list);\n\ttipc_node_write_unlock_fast(n);\n\ttipc_node_put(n);\n}", 
"project": "linux", "hash": 91408060447414656951256946738146626117, "size": 17, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n 
__ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n 
do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364949 }, { "func": "static inline void tcp_store_ts_recent(struct tcp_sock *tp)\n{\n\ttp->rx_opt.ts_recent = tp->rx_opt.rcv_tsval;\n\ttp->rx_opt.ts_recent_stamp = get_seconds();\n}", "project": "net-next", "hash": 285655333697682077962309348783122405259, "size": 5, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409852 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::registerLiveNode(AudioNode& node)\n{\n ASSERT(isMainThread());\n m_liveNodes.add(&node, adoptPtr(new AudioNodeDisposer(node)));\n}\n", "cwe": "", "big_vul_idx": 139676, "idx": 124825, "hash": 137888157213316998796157552327436237327 }, { "func": "static void kvm_send_ipi_to_many(struct kvm *kvm, u32 vector,\n\t\t\t\t unsigned long *vcpu_bitmap)\n{\n\tstruct kvm_lapic_irq irq = {\n\t\t.delivery_mode = APIC_DM_FIXED,\n\t\t.vector = vector\n\t};\n\tstruct kvm_vcpu *vcpu;\n\tint i;\n\n\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\tif (vcpu_bitmap && !test_bit(i, vcpu_bitmap))\n\t\t\tcontinue;\n\n\t\t/* We fail only when APIC is disabled */\n\t\tkvm_apic_set_irq(vcpu, &irq, NULL);\n\t}\n}", "project": "linux", "hash": 132114358618597068403581144568111663887, "size": 18, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. 
However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343508 }, { "func": "static void resolve_linearized_pdf(pdf_t *pdf)\n{\n int i;\n xref_t buf;\n\n if (pdf->n_xrefs < 2)\n return;\n\n if (!pdf->xrefs[0].is_linear)\n return;\n\n /* Swap Linear with Version 1 */\n buf = pdf->xrefs[0];\n pdf->xrefs[0] = pdf->xrefs[1];\n pdf->xrefs[1] = buf;\n\n /* Resolve is_linear flag and version */\n pdf->xrefs[0].is_linear = 1;\n pdf->xrefs[0].version = 1;\n pdf->xrefs[1].is_linear = 0;\n pdf->xrefs[1].version = 1;\n\n /* Adjust the other version values now */\n for (i=2; in_xrefs; ++i)\n --pdf->xrefs[i].version;\n}", "project": "pdfresurrect", "hash": 243335245018367511635403419630172192872, "size": 26, "commit_id": "7e35d1806e111fd28610ccc86bb33f54792ac370", "message": "Fix possible infinite loop case when looking for a trailer.\n\nThanks to chibataiki for reporting and isolating this!", "target": 0, "dataset": "other", "idx": 355584 }, { "func": "bool CSoundFile::ProcessEffects()\n{\n\tModChannel *pChn = m_PlayState.Chn;\n\tROWINDEX nBreakRow = ROWINDEX_INVALID;\t\t// Is changed if a break to row command is encountered\n\tROWINDEX nPatLoopRow = ROWINDEX_INVALID;\t// Is changed if a pattern loop jump-back is executed\n\tORDERINDEX nPosJump = ORDERINDEX_INVALID;\n\n\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); nChn++, pChn++)\n\t{\n\t\tconst uint32 tickCount = m_PlayState.m_nTickCount % (m_PlayState.m_nMusicSpeed + 
m_PlayState.m_nFrameDelay);\n\t\tuint32 instr = pChn->rowCommand.instr;\n\t\tModCommand::VOLCMD volcmd = pChn->rowCommand.volcmd;\n\t\tuint32 vol = pChn->rowCommand.vol;\n\t\tModCommand::COMMAND cmd = pChn->rowCommand.command;\n\t\tuint32 param = pChn->rowCommand.param;\n\t\tbool bPorta = pChn->rowCommand.IsPortamento();\n\n\t\tuint32 nStartTick = 0;\n\t\tpChn->isFirstTick = m_SongFlags[SONG_FIRSTTICK];\n\n\t\t// Process parameter control note.\n\t\tif(pChn->rowCommand.note == NOTE_PC)\n\t\t{\n#ifndef NO_PLUGINS\n\t\t\tconst PLUGINDEX plug = pChn->rowCommand.instr;\n\t\t\tconst PlugParamIndex plugparam = pChn->rowCommand.GetValueVolCol();\n\t\t\tconst PlugParamValue value = pChn->rowCommand.GetValueEffectCol() / PlugParamValue(ModCommand::maxColumnValue);\n\n\t\t\tif(plug > 0 && plug <= MAX_MIXPLUGINS && m_MixPlugins[plug - 1].pMixPlugin)\n\t\t\t\tm_MixPlugins[plug-1].pMixPlugin->SetParameter(plugparam, value);\n#endif // NO_PLUGINS\n\t\t}\n\n\t\t// Process continuous parameter control note.\n\t\t// Row data is cleared after first tick so on following\n\t\t// ticks using channels m_nPlugParamValueStep to identify\n\t\t// the need for parameter control. 
The condition cmd == 0\n\t\t// is to make sure that m_nPlugParamValueStep != 0 because\n\t\t// of NOTE_PCS, not because of macro.\n\t\tif(pChn->rowCommand.note == NOTE_PCS || (cmd == CMD_NONE && pChn->m_plugParamValueStep != 0))\n\t\t{\n#ifndef NO_PLUGINS\n\t\t\tconst bool isFirstTick = m_SongFlags[SONG_FIRSTTICK];\n\t\t\tif(isFirstTick)\n\t\t\t\tpChn->m_RowPlug = pChn->rowCommand.instr;\n\t\t\tconst PLUGINDEX nPlug = pChn->m_RowPlug;\n\t\t\tconst bool hasValidPlug = (nPlug > 0 && nPlug <= MAX_MIXPLUGINS && m_MixPlugins[nPlug-1].pMixPlugin);\n\t\t\tif(hasValidPlug)\n\t\t\t{\n\t\t\t\tif(isFirstTick)\n\t\t\t\t\tpChn->m_RowPlugParam = ModCommand::GetValueVolCol(pChn->rowCommand.volcmd, pChn->rowCommand.vol);\n\t\t\t\tconst PlugParamIndex plugparam = pChn->m_RowPlugParam;\n\t\t\t\tif(isFirstTick)\n\t\t\t\t{\n\t\t\t\t\tPlugParamValue targetvalue = ModCommand::GetValueEffectCol(pChn->rowCommand.command, pChn->rowCommand.param) / PlugParamValue(ModCommand::maxColumnValue);\n\t\t\t\t\tpChn->m_plugParamTargetValue = targetvalue;\n\t\t\t\t\tpChn->m_plugParamValueStep = (targetvalue - m_MixPlugins[nPlug-1].pMixPlugin->GetParameter(plugparam)) / float(GetNumTicksOnCurrentRow());\n\t\t\t\t}\n\t\t\t\tif(m_PlayState.m_nTickCount + 1 == GetNumTicksOnCurrentRow())\n\t\t\t\t{\t// On last tick, set parameter exactly to target value.\n\t\t\t\t\tm_MixPlugins[nPlug-1].pMixPlugin->SetParameter(plugparam, pChn->m_plugParamTargetValue);\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t\tm_MixPlugins[nPlug-1].pMixPlugin->ModifyParameter(plugparam, pChn->m_plugParamValueStep);\n\t\t\t}\n#endif // NO_PLUGINS\n\t\t}\n\n\t\t// Apart from changing parameters, parameter control notes are intended to be 'invisible'.\n\t\t// To achieve this, clearing the note data so that rest of the process sees the row as empty row.\n\t\tif(ModCommand::IsPcNote(pChn->rowCommand.note))\n\t\t{\n\t\t\tpChn->ClearRowCmd();\n\t\t\tinstr = 0;\n\t\t\tvolcmd = VOLCMD_NONE;\n\t\t\tvol = 0;\n\t\t\tcmd = CMD_NONE;\n\t\t\tparam = 
0;\n\t\t\tbPorta = false;\n\t\t}\n\n\t\t// Process Invert Loop (MOD Effect, called every row if it's active)\n\t\tif(!m_SongFlags[SONG_FIRSTTICK])\n\t\t{\n\t\t\tInvertLoop(&m_PlayState.Chn[nChn]);\n\t\t} else\n\t\t{\n\t\t\tif(instr) m_PlayState.Chn[nChn].nEFxOffset = 0;\n\t\t}\n\n\t\t// Process special effects (note delay, pattern delay, pattern loop)\n\t\tif (cmd == CMD_DELAYCUT)\n\t\t{\n\t\t\t//:xy --> note delay until tick x, note cut at tick x+y\n\t\t\tnStartTick = (param & 0xF0) >> 4;\n\t\t\tconst uint32 cutAtTick = nStartTick + (param & 0x0F);\n\t\t\tNoteCut(nChn, cutAtTick, m_playBehaviour[kITSCxStopsSample]);\n\t\t} else if ((cmd == CMD_MODCMDEX) || (cmd == CMD_S3MCMDEX))\n\t\t{\n\t\t\tif ((!param) && (GetType() & (MOD_TYPE_S3M|MOD_TYPE_IT|MOD_TYPE_MPT)))\n\t\t\t\tparam = pChn->nOldCmdEx;\n\t\t\telse\n\t\t\t\tpChn->nOldCmdEx = static_cast(param);\n\n\t\t\t// Note Delay ?\n\t\t\tif ((param & 0xF0) == 0xD0)\n\t\t\t{\n\t\t\t\tnStartTick = param & 0x0F;\n\t\t\t\tif(nStartTick == 0)\n\t\t\t\t{\n\t\t\t\t\t//IT compatibility 22. SD0 == SD1\n\t\t\t\t\tif(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT))\n\t\t\t\t\t\tnStartTick = 1;\n\t\t\t\t\t//ST3 ignores notes with SD0 completely\n\t\t\t\t\telse if(GetType() == MOD_TYPE_S3M)\n\t\t\t\t\t\tcontinue;\n\t\t\t\t} else if(nStartTick >= (m_PlayState.m_nMusicSpeed + m_PlayState.m_nFrameDelay) && m_playBehaviour[kITOutOfRangeDelay])\n\t\t\t\t{\n\t\t\t\t\t// IT compatibility 08. 
Handling of out-of-range delay command.\n\t\t\t\t\t// Additional test case: tickdelay.it\n\t\t\t\t\tif(instr)\n\t\t\t\t\t{\n\t\t\t\t\t\tpChn->nNewIns = static_cast(instr);\n\t\t\t\t\t}\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t} else if(m_SongFlags[SONG_FIRSTTICK])\n\t\t\t{\n\t\t\t\t// Pattern Loop ?\n\t\t\t\tif((((param & 0xF0) == 0x60 && cmd == CMD_MODCMDEX)\n\t\t\t\t\t|| ((param & 0xF0) == 0xB0 && cmd == CMD_S3MCMDEX))\n\t\t\t\t\t&& !(m_playBehaviour[kST3NoMutedChannels] && ChnSettings[nChn].dwFlags[CHN_MUTE]))\t// not even effects are processed on muted S3M channels\n\t\t\t\t{\n\t\t\t\t\tROWINDEX nloop = PatternLoop(pChn, param & 0x0F);\n\t\t\t\t\tif (nloop != ROWINDEX_INVALID)\n\t\t\t\t\t{\n\t\t\t\t\t\t// FT2 compatibility: E6x overwrites jump targets of Dxx effects that are located left of the E6x effect.\n\t\t\t\t\t\t// Test cases: PatLoop-Jumps.xm, PatLoop-Various.xm\n\t\t\t\t\t\tif(nBreakRow != ROWINDEX_INVALID && m_playBehaviour[kFT2PatternLoopWithJumps])\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tnBreakRow = nloop;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tnPatLoopRow = nloop;\n\t\t\t\t\t}\n\n\t\t\t\t\tif(GetType() == MOD_TYPE_S3M)\n\t\t\t\t\t{\n\t\t\t\t\t\t// ST3 doesn't have per-channel pattern loop memory, so spam all changes to other channels as well.\n\t\t\t\t\t\tfor (CHANNELINDEX i = 0; i < GetNumChannels(); i++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tm_PlayState.Chn[i].nPatternLoop = pChn->nPatternLoop;\n\t\t\t\t\t\t\tm_PlayState.Chn[i].nPatternLoopCount = pChn->nPatternLoopCount;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t} else if ((param & 0xF0) == 0xE0)\n\t\t\t\t{\n\t\t\t\t\t// Pattern Delay\n\t\t\t\t\t// In Scream Tracker 3 / Impulse Tracker, only the first delay command on this row is considered.\n\t\t\t\t\t// Test cases: PatternDelays.it, PatternDelays.s3m, PatternDelays.xm\n\t\t\t\t\t// XXX In Scream Tracker 3, the \"left\" channels are evaluated before the \"right\" channels, which is not emulated here!\n\t\t\t\t\tif(!(GetType() & (MOD_TYPE_S3M | MOD_TYPE_IT | MOD_TYPE_MPT)) || 
!m_PlayState.m_nPatternDelay)\n\t\t\t\t\t{\n\t\t\t\t\t\tif(!(GetType() & (MOD_TYPE_S3M)) || (param & 0x0F) != 0)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t// While Impulse Tracker *does* count S60 as a valid row delay (and thus ignores any other row delay commands on the right),\n\t\t\t\t\t\t\t// Scream Tracker 3 simply ignores such commands.\n\t\t\t\t\t\t\tm_PlayState.m_nPatternDelay = 1 + (param & 0x0F);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif(GetType() == MOD_TYPE_MTM && cmd == CMD_MODCMDEX && (param & 0xF0) == 0xD0)\n\t\t{\n\t\t\t// Apparently, retrigger and note delay have the same behaviour in MultiTracker:\n\t\t\t// They both restart the note at tick x, and if there is a note on the same row,\n\t\t\t// this note is started on the first tick.\n\t\t\tnStartTick = 0;\n\t\t\tparam = 0x90 | (param & 0x0F);\n\t\t}\n\n\t\tif(nStartTick != 0 && pChn->rowCommand.note == NOTE_KEYOFF && pChn->rowCommand.volcmd == VOLCMD_PANNING && m_playBehaviour[kFT2PanWithDelayedNoteOff])\n\t\t{\n\t\t\t// FT2 compatibility: If there's a delayed note off, panning commands are ignored. 
WTF!\n\t\t\t// Test case: PanOff.xm\n\t\t\tpChn->rowCommand.volcmd = VOLCMD_NONE;\n\t\t}\n\n\t\tbool triggerNote = (m_PlayState.m_nTickCount == nStartTick);\t// Can be delayed by a note delay effect\n\t\tif(m_playBehaviour[kFT2OutOfRangeDelay] && nStartTick >= m_PlayState.m_nMusicSpeed)\n\t\t{\n\t\t\t// FT2 compatibility: Note delays greater than the song speed should be ignored.\n\t\t\t// However, EEx pattern delay is *not* considered at all.\n\t\t\t// Test case: DelayCombination.xm, PortaDelay.xm\n\t\t\ttriggerNote = false;\n\t\t} else if(m_playBehaviour[kRowDelayWithNoteDelay] && nStartTick > 0 && tickCount == nStartTick)\n\t\t{\n\t\t\t// IT compatibility: Delayed notes (using SDx) that are on the same row as a Row Delay effect are retriggered.\n\t\t\t// ProTracker / Scream Tracker 3 / FastTracker 2 do the same.\n\t\t\t// Test case: PatternDelay-NoteDelay.it, PatternDelay-NoteDelay.xm, PatternDelaysRetrig.mod\n\t\t\ttriggerNote = true;\n\t\t}\n\n\t\t// IT compatibility: Tick-0 vs non-tick-0 effect distinction is always based on tick delay.\n\t\t// Test case: SlideDelay.it\n\t\tif(m_playBehaviour[kITFirstTickHandling])\n\t\t{\n\t\t\tpChn->isFirstTick = tickCount == nStartTick;\n\t\t}\n\n\t\t// FT2 compatibility: Note + portamento + note delay = no portamento\n\t\t// Test case: PortaDelay.xm\n\t\tif(m_playBehaviour[kFT2PortaDelay] && nStartTick != 0)\n\t\t{\n\t\t\tbPorta = false;\n\t\t}\n\n\t\tif(m_SongFlags[SONG_PT_MODE] && instr && !m_PlayState.m_nTickCount)\n\t\t{\n\t\t\t// Instrument number resets the stacked ProTracker offset.\n\t\t\t// Test case: ptoffset.mod\n\t\t\tpChn->proTrackerOffset = 0;\n\t\t\t// ProTracker compatibility: Sample properties are always loaded on the first tick, even when there is a note delay.\n\t\t\t// Test case: InstrDelay.mod\n\t\t\tif(!triggerNote && pChn->IsSamplePlaying())\n\t\t\t{\n\t\t\t\tpChn->nNewIns = static_cast(instr);\n\t\t\t\tif(instr <= GetNumSamples())\n\t\t\t\t{\n\t\t\t\t\tpChn->nVolume = 
Samples[instr].nVolume;\n\t\t\t\t\tpChn->nFineTune = Samples[instr].nFineTune;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t// Handles note/instrument/volume changes\n\t\tif(triggerNote)\n\t\t{\n\t\t\tModCommand::NOTE note = pChn->rowCommand.note;\n\t\t\tif(instr) pChn->nNewIns = static_cast(instr);\n\n\t\t\tif(ModCommand::IsNote(note) && m_playBehaviour[kFT2Transpose])\n\t\t\t{\n\t\t\t\t// Notes that exceed FT2's limit are completely ignored.\n\t\t\t\t// Test case: NoteLimit.xm\n\t\t\t\tint transpose = pChn->nTranspose;\n\t\t\t\tif(instr && !bPorta)\n\t\t\t\t{\n\t\t\t\t\t// Refresh transpose\n\t\t\t\t\t// Test case: NoteLimit2.xm\n\t\t\t\t\tSAMPLEINDEX sample = SAMPLEINDEX_INVALID;\n\t\t\t\t\tif(GetNumInstruments())\n\t\t\t\t\t{\n\t\t\t\t\t\t// Instrument mode\n\t\t\t\t\t\tif(instr <= GetNumInstruments() && Instruments[instr] != nullptr)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tsample = Instruments[instr]->Keyboard[note - NOTE_MIN];\n\t\t\t\t\t\t}\n\t\t\t\t\t} else\n\t\t\t\t\t{\n\t\t\t\t\t\t// Sample mode\n\t\t\t\t\t\tsample = static_cast(instr);\n\t\t\t\t\t}\n\t\t\t\t\tif(sample <= GetNumSamples())\n\t\t\t\t\t{\n\t\t\t\t\t\ttranspose = GetSample(sample).RelativeTone;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tconst int computedNote = note + transpose;\n\t\t\t\tif((computedNote < NOTE_MIN + 11 || computedNote > NOTE_MIN + 130))\n\t\t\t\t{\n\t\t\t\t\tnote = NOTE_NONE;\n\t\t\t\t}\n\t\t\t} else if((GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT)) && GetNumInstruments() != 0 && ModCommand::IsNoteOrEmpty(static_cast(note)))\n\t\t\t{\n\t\t\t\t// IT compatibility: Invalid instrument numbers do nothing, but they are remembered for upcoming notes and do not trigger a note in that case.\n\t\t\t\t// Test case: InstrumentNumberChange.it\n\t\t\t\tINSTRUMENTINDEX instrToCheck = static_cast((instr != 0) ? 
instr : pChn->nOldIns);\n\t\t\t\tif(instrToCheck != 0 && (instrToCheck > GetNumInstruments() || Instruments[instrToCheck] == nullptr))\n\t\t\t\t{\n\t\t\t\t\tnote = NOTE_NONE;\n\t\t\t\t\tinstr = 0;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// XM: FT2 ignores a note next to a K00 effect, and a fade-out seems to be done when no volume envelope is present (not exactly the Kxx behaviour)\n\t\t\tif(cmd == CMD_KEYOFF && param == 0 && m_playBehaviour[kFT2KeyOff])\n\t\t\t{\n\t\t\t\tnote = NOTE_NONE;\n\t\t\t\tinstr = 0;\n\t\t\t}\n\n\t\t\tbool retrigEnv = note == NOTE_NONE && instr != 0;\n\n\t\t\t// Apparently, any note number in a pattern causes instruments to recall their original volume settings - no matter if there's a Note Off next to it or whatever.\n\t\t\t// Test cases: keyoff+instr.xm, delay.xm\n\t\t\tbool reloadSampleSettings = (m_playBehaviour[kFT2ReloadSampleSettings] && instr != 0);\n\t\t\t// ProTracker Compatibility: If a sample was stopped before, lone instrument numbers can retrigger it\n\t\t\t// Test case: PTSwapEmpty.mod\n\t\t\tbool keepInstr = (GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT)) || (m_playBehaviour[kMODSampleSwap] && !pChn->IsSamplePlaying() && pChn->pModSample != nullptr && !pChn->pModSample->HasSampleData());\n\n\t\t\t// Now it's time for some FT2 crap...\n\t\t\tif (GetType() & (MOD_TYPE_XM | MOD_TYPE_MT2))\n\t\t\t{\n\n\t\t\t\t// XM: Key-Off + Sample == Note Cut (BUT: Only if no instr number or volume effect is present!)\n\t\t\t\t// Test case: NoteOffVolume.xm\n\t\t\t\tif(note == NOTE_KEYOFF\n\t\t\t\t\t&& ((!instr && volcmd != VOLCMD_VOLUME && cmd != CMD_VOLUME) || !m_playBehaviour[kFT2KeyOff])\n\t\t\t\t\t&& (pChn->pModInstrument == nullptr || !pChn->pModInstrument->VolEnv.dwFlags[ENV_ENABLED]))\n\t\t\t\t{\n\t\t\t\t\tpChn->dwFlags.set(CHN_FASTVOLRAMP);\n\t\t\t\t\tpChn->nVolume = 0;\n\t\t\t\t\tnote = NOTE_NONE;\n\t\t\t\t\tinstr = 0;\n\t\t\t\t\tretrigEnv = false;\n\t\t\t\t\t// FT2 Compatbility: Start fading the note for notes with no delay. 
Only relevant when a volume command is encountered after the note-off.\n\t\t\t\t\t// Test case: NoteOffFadeNoEnv.xm\n\t\t\t\t\tif(m_SongFlags[SONG_FIRSTTICK] && m_playBehaviour[kFT2NoteOffFlags])\n\t\t\t\t\t\tpChn->dwFlags.set(CHN_NOTEFADE);\n\t\t\t\t} else if(m_playBehaviour[kFT2RetrigWithNoteDelay] && !m_SongFlags[SONG_FIRSTTICK])\n\t\t\t\t{\n\t\t\t\t\t// FT2 Compatibility: Some special hacks for rogue note delays... (EDx with x > 0)\n\t\t\t\t\t// Apparently anything that is next to a note delay behaves totally unpredictable in FT2. Swedish tracker logic. :)\n\n\t\t\t\t\tretrigEnv = true;\n\n\t\t\t\t\t// Portamento + Note Delay = No Portamento\n\t\t\t\t\t// Test case: porta-delay.xm\n\t\t\t\t\tbPorta = false;\n\n\t\t\t\t\tif(note == NOTE_NONE)\n\t\t\t\t\t{\n\t\t\t\t\t\t// If there's a note delay but no real note, retrig the last note.\n\t\t\t\t\t\t// Test case: delay2.xm, delay3.xm\n\t\t\t\t\t\tnote = static_cast(pChn->nNote - pChn->nTranspose);\n\t\t\t\t\t} else if(note >= NOTE_MIN_SPECIAL)\n\t\t\t\t\t{\n\t\t\t\t\t\t// Gah! Even Note Off + Note Delay will cause envelopes to *retrigger*! How stupid is that?\n\t\t\t\t\t\t// ... Well, and that is actually all it does if there's an envelope. No fade out, no nothing. 
*sigh*\n\t\t\t\t\t\t// Test case: OffDelay.xm\n\t\t\t\t\t\tnote = NOTE_NONE;\n\t\t\t\t\t\tkeepInstr = false;\n\t\t\t\t\t\treloadSampleSettings = true;\n\t\t\t\t\t} else\n\t\t\t\t\t{\n\t\t\t\t\t\t// Normal note\n\t\t\t\t\t\tkeepInstr = true;\n\t\t\t\t\t\treloadSampleSettings = true;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif((retrigEnv && !m_playBehaviour[kFT2ReloadSampleSettings]) || reloadSampleSettings)\n\t\t\t{\n\t\t\t\tconst ModSample *oldSample = nullptr;\n\t\t\t\t// Reset default volume when retriggering envelopes\n\n\t\t\t\tif(GetNumInstruments())\n\t\t\t\t{\n\t\t\t\t\toldSample = pChn->pModSample;\n\t\t\t\t} else if (instr <= GetNumSamples())\n\t\t\t\t{\n\t\t\t\t\t// Case: Only samples are used; no instruments.\n\t\t\t\t\toldSample = &Samples[instr];\n\t\t\t\t}\n\n\t\t\t\tif(oldSample != nullptr)\n\t\t\t\t{\n\t\t\t\t\tif(!oldSample->uFlags[SMP_NODEFAULTVOLUME])\n\t\t\t\t\t\tpChn->nVolume = oldSample->nVolume;\n\t\t\t\t\tif(reloadSampleSettings)\n\t\t\t\t\t{\n\t\t\t\t\t\t// Also reload panning\n\t\t\t\t\t\tpChn->nPan = oldSample->nPan;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// FT2 compatibility: Instrument number disables tremor effect\n\t\t\t// Test case: TremorInstr.xm, TremoRecover.xm\n\t\t\tif(m_playBehaviour[kFT2Tremor] && instr != 0)\n\t\t\t{\n\t\t\t\tpChn->nTremorCount = 0x20;\n\t\t\t}\n\n\t\t\tif(retrigEnv) //Case: instrument with no note data.\n\t\t\t{\n\t\t\t\t//IT compatibility: Instrument with no note.\n\t\t\t\tif(m_playBehaviour[kITInstrWithoutNote] || GetType() == MOD_TYPE_PLM)\n\t\t\t\t{\n\t\t\t\t\t// IT compatibility: Completely retrigger note after sample end to also reset portamento.\n\t\t\t\t\t// Test case: PortaResetAfterRetrigger.it\n\t\t\t\t\tbool triggerAfterSmpEnd = m_playBehaviour[kITMultiSampleInstrumentNumber] && !pChn->IsSamplePlaying();\n\t\t\t\t\tif(GetNumInstruments())\n\t\t\t\t\t{\n\t\t\t\t\t\t// Instrument mode\n\t\t\t\t\t\tif(instr <= GetNumInstruments() && (pChn->pModInstrument != Instruments[instr] || 
triggerAfterSmpEnd))\n\t\t\t\t\t\t\tnote = pChn->nNote;\n\t\t\t\t\t} else\n\t\t\t\t\t{\n\t\t\t\t\t\t// Sample mode\n\t\t\t\t\t\tif(instr < MAX_SAMPLES && (pChn->pModSample != &Samples[instr] || triggerAfterSmpEnd))\n\t\t\t\t\t\t\tnote = pChn->nNote;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif (GetNumInstruments() && (GetType() & (MOD_TYPE_XM|MOD_TYPE_MT2)))\n\t\t\t\t{\n\t\t\t\t\tpChn->ResetEnvelopes();\n\t\t\t\t\tpChn->dwFlags.set(CHN_FASTVOLRAMP);\n\t\t\t\t\tpChn->dwFlags.reset(CHN_NOTEFADE);\n\t\t\t\t\tpChn->nAutoVibDepth = 0;\n\t\t\t\t\tpChn->nAutoVibPos = 0;\n\t\t\t\t\tpChn->nFadeOutVol = 65536;\n\t\t\t\t\t// FT2 Compatbility: Reset key-off status with instrument number\n\t\t\t\t\t// Test case: NoteOffInstrChange.xm\n\t\t\t\t\tif(m_playBehaviour[kFT2NoteOffFlags])\n\t\t\t\t\t\tpChn->dwFlags.reset(CHN_KEYOFF);\n\t\t\t\t}\n\t\t\t\tif (!keepInstr) instr = 0;\n\t\t\t}\n\n\t\t\t// Note Cut/Off/Fade => ignore instrument\n\t\t\tif (note >= NOTE_MIN_SPECIAL)\n\t\t\t{\n\t\t\t\t// IT compatibility: Default volume of sample is recalled if instrument number is next to a note-off.\n\t\t\t\t// Test case: NoteOffInstr.it, noteoff2.it\n\t\t\t\tif(m_playBehaviour[kITInstrWithNoteOff] && instr)\n\t\t\t\t{\n\t\t\t\t\tSAMPLEINDEX smp = static_cast(instr);\n\t\t\t\t\tif(GetNumInstruments())\n\t\t\t\t\t{\n\t\t\t\t\t\tsmp = 0;\n\t\t\t\t\t\tif(instr <= GetNumInstruments() && Instruments[instr] != nullptr && ModCommand::IsNote(pChn->nLastNote))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tsmp = Instruments[instr]->Keyboard[pChn->nLastNote - NOTE_MIN];\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tif(smp > 0 && smp <= GetNumSamples() && !Samples[smp].uFlags[SMP_NODEFAULTVOLUME])\n\t\t\t\t\t\tpChn->nVolume = Samples[smp].nVolume;\n\t\t\t\t}\n\t\t\t\tinstr = 0;\n\t\t\t}\n\n\t\t\tif(ModCommand::IsNote(note))\n\t\t\t{\n\t\t\t\tpChn->nNewNote = pChn->nLastNote = note;\n\n\t\t\t\t// New Note Action ?\n\t\t\t\tif(!bPorta)\n\t\t\t\t{\n\t\t\t\t\tCheckNNA(nChn, instr, note, 
false);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif(note)\n\t\t\t{\n\t\t\t\tif(pChn->nRestorePanOnNewNote > 0)\n\t\t\t\t{\n\t\t\t\t\tpChn->nPan = pChn->nRestorePanOnNewNote - 1;\n\t\t\t\t\tpChn->nRestorePanOnNewNote = 0;\n\t\t\t\t}\n\t\t\t\tif(pChn->nRestoreResonanceOnNewNote > 0)\n\t\t\t\t{\n\t\t\t\t\tpChn->nResonance = pChn->nRestoreResonanceOnNewNote - 1;\n\t\t\t\t\tpChn->nRestoreResonanceOnNewNote = 0;\n\t\t\t\t}\n\t\t\t\tif(pChn->nRestoreCutoffOnNewNote > 0)\n\t\t\t\t{\n\t\t\t\t\tpChn->nCutOff = pChn->nRestoreCutoffOnNewNote - 1;\n\t\t\t\t\tpChn->nRestoreCutoffOnNewNote = 0;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Instrument Change ?\n\t\t\tif(instr)\n\t\t\t{\n\t\t\t\tconst ModSample *oldSample = pChn->pModSample;\n\t\t\t\t//const ModInstrument *oldInstrument = pChn->pModInstrument;\n\n\t\t\t\tInstrumentChange(pChn, instr, bPorta, true);\n\t\t\t\t// IT compatibility: Keep new instrument number for next instrument-less note even if sample playback is stopped\n\t\t\t\t// Test case: StoppedInstrSwap.it\n\t\t\t\tif(GetType() == MOD_TYPE_MOD)\n\t\t\t\t{\n\t\t\t\t\t// Test case: PortaSwapPT.mod\n\t\t\t\t\tif(!bPorta || !m_playBehaviour[kMODSampleSwap]) pChn->nNewIns = 0;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\tif(!m_playBehaviour[kITInstrWithNoteOff] || ModCommand::IsNote(note)) pChn->nNewIns = 0;\n\t\t\t\t}\n\n\t\t\t\tif(m_playBehaviour[kITPortamentoSwapResetsPos])\n\t\t\t\t{\n\t\t\t\t\t// Test cases: PortaInsNum.it, PortaSample.it\n\t\t\t\t\tif(ModCommand::IsNote(note) && oldSample != pChn->pModSample)\n\t\t\t\t\t{\n\t\t\t\t\t\t//const bool newInstrument = oldInstrument != pChn->pModInstrument && pChn->pModInstrument->Keyboard[pChn->nNewNote - NOTE_MIN] != 0;\n\t\t\t\t\t\tpChn->position.Set(0);\n\t\t\t\t\t}\n\t\t\t\t} else if ((GetType() & (MOD_TYPE_S3M | MOD_TYPE_IT | MOD_TYPE_MPT) && oldSample != pChn->pModSample && ModCommand::IsNote(note)))\n\t\t\t\t{\n\t\t\t\t\t// Special IT case: portamento+note causes sample change -> ignore portamento\n\t\t\t\t\tbPorta = false;\n\t\t\t\t} else 
if(m_playBehaviour[kMODSampleSwap] && pChn->increment.IsZero())\n\t\t\t\t{\n\t\t\t\t\t// If channel was paused and is resurrected by a lone instrument number, reset the sample position.\n\t\t\t\t\t// Test case: PTSwapEmpty.mod\n\t\t\t\t\tpChn->position.Set(0);\n\t\t\t\t}\n\t\t\t}\n\t\t\t// New Note ?\n\t\t\tif (note)\n\t\t\t{\n\t\t\t\tif ((!instr) && (pChn->nNewIns) && (note < 0x80))\n\t\t\t\t{\n\t\t\t\t\tInstrumentChange(pChn, pChn->nNewIns, bPorta, pChn->pModSample == nullptr && pChn->pModInstrument == nullptr, !(GetType() & (MOD_TYPE_XM|MOD_TYPE_MT2)));\n\t\t\t\t\tpChn->nNewIns = 0;\n\t\t\t\t}\n\t\t\t\tNoteChange(pChn, note, bPorta, !(GetType() & (MOD_TYPE_XM|MOD_TYPE_MT2)));\n\t\t\t\tif ((bPorta) && (GetType() & (MOD_TYPE_XM|MOD_TYPE_MT2)) && (instr))\n\t\t\t\t{\n\t\t\t\t\tpChn->dwFlags.set(CHN_FASTVOLRAMP);\n\t\t\t\t\tpChn->ResetEnvelopes();\n\t\t\t\t\tpChn->nAutoVibDepth = 0;\n\t\t\t\t\tpChn->nAutoVibPos = 0;\n\t\t\t\t}\n\t\t\t}\n\t\t\t// Tick-0 only volume commands\n\t\t\tif (volcmd == VOLCMD_VOLUME)\n\t\t\t{\n\t\t\t\tif (vol > 64) vol = 64;\n\t\t\t\tpChn->nVolume = vol << 2;\n\t\t\t\tpChn->dwFlags.set(CHN_FASTVOLRAMP);\n\t\t\t} else\n\t\t\tif (volcmd == VOLCMD_PANNING)\n\t\t\t{\n\t\t\t\tPanning(pChn, vol, Pan6bit);\n\t\t\t}\n\n#ifndef NO_PLUGINS\n\t\t\tif (m_nInstruments) ProcessMidiOut(nChn);\n#endif // NO_PLUGINS\n\t\t}\n\n\t\tif(m_playBehaviour[kST3NoMutedChannels] && ChnSettings[nChn].dwFlags[CHN_MUTE])\t// not even effects are processed on muted S3M channels\n\t\t\tcontinue;\n\n\t\t// Volume Column Effect (except volume & panning)\n\t\t/*\tA few notes, paraphrased from ITTECH.TXT by Storlek (creator of schismtracker):\n\t\t\tEx/Fx/Gx are shared with Exx/Fxx/Gxx; Ex/Fx are 4x the 'normal' slide value\n\t\t\tGx is linked with Ex/Fx if Compat Gxx is off, just like Gxx is with Exx/Fxx\n\t\t\tGx values: 1, 4, 8, 16, 32, 64, 96, 128, 255\n\t\t\tAx/Bx/Cx/Dx values are used directly (i.e. 
D9 == D09), and are NOT shared with Dxx\n\t\t\t(value is stored into nOldVolParam and used by A0/B0/C0/D0)\n\t\t\tHx uses the same value as Hxx and Uxx, and affects the *depth*\n\t\t\tso... hxx = (hx | (oldhxx & 0xf0)) ???\n\t\t\tTODO is this done correctly?\n\t\t*/\n\t\tbool doVolumeColumn = m_PlayState.m_nTickCount >= nStartTick;\n\t\t// FT2 compatibility: If there's a note delay, volume column effects are NOT executed\n\t\t// on the first tick and, if there's an instrument number, on the delayed tick.\n\t\t// Test case: VolColDelay.xm, PortaDelay.xm\n\t\tif(m_playBehaviour[kFT2VolColDelay] && nStartTick != 0)\n\t\t{\n\t\t\tdoVolumeColumn = m_PlayState.m_nTickCount != 0 && (m_PlayState.m_nTickCount != nStartTick || (pChn->rowCommand.instr == 0 && volcmd != VOLCMD_TONEPORTAMENTO));\n\t\t}\n\t\tif(volcmd > VOLCMD_PANNING && doVolumeColumn)\n\t\t{\n\t\t\tif (volcmd == VOLCMD_TONEPORTAMENTO)\n\t\t\t{\n\t\t\t\tuint32 porta = 0;\n\t\t\t\tif(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT | MOD_TYPE_AMS | MOD_TYPE_AMS2 | MOD_TYPE_DMF | MOD_TYPE_DBM | MOD_TYPE_IMF | MOD_TYPE_PSM | MOD_TYPE_J2B | MOD_TYPE_ULT | MOD_TYPE_OKT | MOD_TYPE_MT2 | MOD_TYPE_MDL))\n\t\t\t\t{\n\t\t\t\t\tporta = ImpulseTrackerPortaVolCmd[vol & 0x0F];\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\tif(cmd == CMD_TONEPORTAMENTO && GetType() == MOD_TYPE_XM)\n\t\t\t\t\t{\n\t\t\t\t\t\t// Yes, FT2 is *that* weird. 
If there is a Mx command in the volume column\n\t\t\t\t\t\t// and a normal 3xx command, the 3xx command is ignored but the Mx command's\n\t\t\t\t\t\t// effectiveness is doubled.\n\t\t\t\t\t\t// Test case: TonePortamentoMemory.xm\n\t\t\t\t\t\tcmd = CMD_NONE;\n\t\t\t\t\t\tvol *= 2;\n\t\t\t\t\t}\n\t\t\t\t\tporta = vol << 4;\n\n\t\t\t\t\t// FT2 compatibility: If there's a portamento and a note delay, execute the portamento, but don't update the parameter\n\t\t\t\t\t// Test case: PortaDelay.xm\n\t\t\t\t\tif(m_playBehaviour[kFT2PortaDelay] && nStartTick != 0)\n\t\t\t\t\t{\n\t\t\t\t\t\tporta = 0;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tTonePortamento(pChn, porta);\n\t\t\t} else\n\t\t\t{\n\t\t\t\t// FT2 Compatibility: FT2 ignores some volume commands with parameter = 0.\n\t\t\t\tif(m_playBehaviour[kFT2VolColMemory] && vol == 0)\n\t\t\t\t{\n\t\t\t\t\tswitch(volcmd)\n\t\t\t\t\t{\n\t\t\t\t\tcase VOLCMD_VOLUME:\n\t\t\t\t\tcase VOLCMD_PANNING:\n\t\t\t\t\tcase VOLCMD_VIBRATODEPTH:\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tcase VOLCMD_PANSLIDELEFT:\n\t\t\t\t\t\t// FT2 Compatibility: Pan slide left with zero parameter causes panning to be set to full left on every non-row tick.\n\t\t\t\t\t\t// Test case: PanSlideZero.xm\n\t\t\t\t\t\tif(!m_SongFlags[SONG_FIRSTTICK])\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tpChn->nPan = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tMPT_FALLTHROUGH;\n\t\t\t\t\tdefault:\n\t\t\t\t\t\t// no memory here.\n\t\t\t\t\t\tvolcmd = VOLCMD_NONE;\n\t\t\t\t\t}\n\n\t\t\t\t} else if(!m_playBehaviour[kITVolColMemory])\n\t\t\t\t{\n\t\t\t\t\t// IT Compatibility: Effects in the volume column don't have an unified memory.\n\t\t\t\t\t// Test case: VolColMemory.it\n\t\t\t\t\tif(vol) pChn->nOldVolParam = static_cast(vol); else vol = pChn->nOldVolParam;\n\t\t\t\t}\n\n\t\t\t\tswitch(volcmd)\n\t\t\t\t{\n\t\t\t\tcase VOLCMD_VOLSLIDEUP:\n\t\t\t\tcase VOLCMD_VOLSLIDEDOWN:\n\t\t\t\t\t// IT Compatibility: Volume column volume slides have their own memory\n\t\t\t\t\t// Test case: VolColMemory.it\n\t\t\t\t\tif(vol == 0 && 
m_playBehaviour[kITVolColMemory])\n\t\t\t\t\t{\n\t\t\t\t\t\tvol = pChn->nOldVolParam;\n\t\t\t\t\t\tif(vol == 0)\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t} else\n\t\t\t\t\t{\n\t\t\t\t\t\tpChn->nOldVolParam = static_cast(vol);\n\t\t\t\t\t}\n\t\t\t\t\tVolumeSlide(pChn, static_cast(volcmd == VOLCMD_VOLSLIDEUP ? (vol << 4) : vol));\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase VOLCMD_FINEVOLUP:\n\t\t\t\t\t// IT Compatibility: Fine volume slides in the volume column are only executed on the first tick, not on multiples of the first tick in case of pattern delay\n\t\t\t\t\t// Test case: FineVolColSlide.it\n\t\t\t\t\tif(m_PlayState.m_nTickCount == nStartTick || !m_playBehaviour[kITVolColMemory])\n\t\t\t\t\t{\n\t\t\t\t\t\t// IT Compatibility: Volume column volume slides have their own memory\n\t\t\t\t\t\t// Test case: VolColMemory.it\n\t\t\t\t\t\tFineVolumeUp(pChn, static_cast(vol), m_playBehaviour[kITVolColMemory]);\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase VOLCMD_FINEVOLDOWN:\n\t\t\t\t\t// IT Compatibility: Fine volume slides in the volume column are only executed on the first tick, not on multiples of the first tick in case of pattern delay\n\t\t\t\t\t// Test case: FineVolColSlide.it\n\t\t\t\t\tif(m_PlayState.m_nTickCount == nStartTick || !m_playBehaviour[kITVolColMemory])\n\t\t\t\t\t{\n\t\t\t\t\t\t// IT Compatibility: Volume column volume slides have their own memory\n\t\t\t\t\t\t// Test case: VolColMemory.it\n\t\t\t\t\t\tFineVolumeDown(pChn, static_cast(vol), m_playBehaviour[kITVolColMemory]);\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase VOLCMD_VIBRATOSPEED:\n\t\t\t\t\t// FT2 does not automatically enable vibrato with the \"set vibrato speed\" command\n\t\t\t\t\tif(m_playBehaviour[kFT2VolColVibrato])\n\t\t\t\t\t\tpChn->nVibratoSpeed = vol & 0x0F;\n\t\t\t\t\telse\n\t\t\t\t\t\tVibrato(pChn, vol << 4);\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase VOLCMD_VIBRATODEPTH:\n\t\t\t\t\tVibrato(pChn, vol);\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase VOLCMD_PANSLIDELEFT:\n\t\t\t\t\tPanningSlide(pChn, 
static_cast(vol), !m_playBehaviour[kFT2VolColMemory]);\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase VOLCMD_PANSLIDERIGHT:\n\t\t\t\t\tPanningSlide(pChn, static_cast(vol << 4), !m_playBehaviour[kFT2VolColMemory]);\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase VOLCMD_PORTAUP:\n\t\t\t\t\t// IT compatibility (one of the first testcases - link effect memory)\n\t\t\t\t\tPortamentoUp(nChn, static_cast(vol << 2), m_playBehaviour[kITVolColFinePortamento]);\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase VOLCMD_PORTADOWN:\n\t\t\t\t\t// IT compatibility (one of the first testcases - link effect memory)\n\t\t\t\t\tPortamentoDown(nChn, static_cast(vol << 2), m_playBehaviour[kITVolColFinePortamento]);\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase VOLCMD_OFFSET:\n\t\t\t\t\tif (triggerNote && pChn->pModSample && vol <= CountOf(pChn->pModSample->cues))\n\t\t\t\t\t{\n\t\t\t\t\t\tSmpLength offset;\n\t\t\t\t\t\tif(vol == 0)\n\t\t\t\t\t\t\toffset = pChn->oldOffset;\n\t\t\t\t\t\telse\n\t\t\t\t\t\t\toffset = pChn->oldOffset = pChn->pModSample->cues[vol - 1];\n\t\t\t\t\t\tSampleOffset(*pChn, offset);\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t// Effects\n\t\tif(cmd != CMD_NONE) switch (cmd)\n\t\t{\n\t\t// Set Volume\n\t\tcase CMD_VOLUME:\n\t\t\tif(m_SongFlags[SONG_FIRSTTICK])\n\t\t\t{\n\t\t\t\tpChn->nVolume = (param < 64) ? 
param * 4 : 256;\n\t\t\t\tpChn->dwFlags.set(CHN_FASTVOLRAMP);\n\t\t\t}\n\t\t\tbreak;\n\n\t\t// Portamento Up\n\t\tcase CMD_PORTAMENTOUP:\n\t\t\tif ((!param) && (GetType() & MOD_TYPE_MOD)) break;\n\t\t\tPortamentoUp(nChn, static_cast(param));\n\t\t\tbreak;\n\n\t\t// Portamento Down\n\t\tcase CMD_PORTAMENTODOWN:\n\t\t\tif ((!param) && (GetType() & MOD_TYPE_MOD)) break;\n\t\t\tPortamentoDown(nChn, static_cast(param));\n\t\t\tbreak;\n\n\t\t// Volume Slide\n\t\tcase CMD_VOLUMESLIDE:\n\t\t\tif (param || (GetType() != MOD_TYPE_MOD)) VolumeSlide(pChn, static_cast(param));\n\t\t\tbreak;\n\n\t\t// Tone-Portamento\n\t\tcase CMD_TONEPORTAMENTO:\n\t\t\tTonePortamento(pChn, param);\n\t\t\tbreak;\n\n\t\t// Tone-Portamento + Volume Slide\n\t\tcase CMD_TONEPORTAVOL:\n\t\t\tif ((param) || (GetType() != MOD_TYPE_MOD)) VolumeSlide(pChn, static_cast(param));\n\t\t\tTonePortamento(pChn, 0);\n\t\t\tbreak;\n\n\t\t// Vibrato\n\t\tcase CMD_VIBRATO:\n\t\t\tVibrato(pChn, param);\n\t\t\tbreak;\n\n\t\t// Vibrato + Volume Slide\n\t\tcase CMD_VIBRATOVOL:\n\t\t\tif ((param) || (GetType() != MOD_TYPE_MOD)) VolumeSlide(pChn, static_cast(param));\n\t\t\tVibrato(pChn, 0);\n\t\t\tbreak;\n\n\t\t// Set Speed\n\t\tcase CMD_SPEED:\n\t\t\tif(m_SongFlags[SONG_FIRSTTICK])\n\t\t\t\tSetSpeed(m_PlayState, param);\n\t\t\tbreak;\n\n\t\t// Set Tempo\n\t\tcase CMD_TEMPO:\n\t\t\tif(m_playBehaviour[kMODVBlankTiming])\n\t\t\t{\n\t\t\t\t// ProTracker MODs with VBlank timing: All Fxx parameters set the tick count.\n\t\t\t\tif(m_SongFlags[SONG_FIRSTTICK] && param != 0) SetSpeed(m_PlayState, param);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\t{\n\t\t\t\tparam = CalculateXParam(m_PlayState.m_nPattern, m_PlayState.m_nRow, nChn);\n\t\t\t\tif (GetType() & (MOD_TYPE_S3M|MOD_TYPE_IT|MOD_TYPE_MPT))\n\t\t\t\t{\n\t\t\t\t\tif (param) pChn->nOldTempo = static_cast(param); else param = pChn->nOldTempo;\n\t\t\t\t}\n\t\t\t\tTEMPO t(param, 0);\n\t\t\t\tLimitMax(t, 
GetModSpecifications().GetTempoMax());\n\t\t\t\tSetTempo(t);\n\t\t\t}\n\t\t\tbreak;\n\n\t\t// Set Offset\n\t\tcase CMD_OFFSET:\n\t\t\tif (triggerNote)\n\t\t\t{\n\t\t\t\t// FT2 compatibility: Portamento + Offset = Ignore offset\n\t\t\t\t// Test case: porta-offset.xm\n\t\t\t\tif(bPorta && GetType() == MOD_TYPE_XM)\n\t\t\t\t{\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tbool isExtended = false;\n\t\t\t\tSmpLength offset = CalculateXParam(m_PlayState.m_nPattern, m_PlayState.m_nRow, nChn, &isExtended);\n\t\t\t\tif(!isExtended)\n\t\t\t\t{\n\t\t\t\t\t// No X-param (normal behaviour)\n\t\t\t\t\toffset <<= 8;\n\t\t\t\t\tif (offset) pChn->oldOffset = offset; else offset = pChn->oldOffset;\n\t\t\t\t\toffset += static_cast(pChn->nOldHiOffset) << 16;\n\t\t\t\t}\n\t\t\t\tSampleOffset(*pChn, offset);\n\t\t\t}\n\t\t\tbreak;\n\n\t\t// Disorder Tracker 2 percentage offset\n\t\tcase CMD_OFFSETPERCENTAGE:\n\t\t\tif(triggerNote)\n\t\t\t{\n\t\t\t\tSampleOffset(*pChn, Util::muldiv_unsigned(pChn->nLength, param, 255));\n\t\t\t}\n\t\t\tbreak;\n\n\t\t// Arpeggio\n\t\tcase CMD_ARPEGGIO:\n\t\t\t// IT compatibility 01. 
Don't ignore Arpeggio if no note is playing (also valid for ST3)\n\t\t\tif(m_PlayState.m_nTickCount) break;\n\t\t\tif((!pChn->nPeriod || !pChn->nNote)\n\t\t\t\t&& (pChn->pModInstrument == nullptr || !pChn->pModInstrument->HasValidMIDIChannel())\t// Plugin arpeggio\n\t\t\t\t&& !m_playBehaviour[kITArpeggio] && (GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT))) break;\n\t\t\tif (!param && (GetType() & (MOD_TYPE_XM | MOD_TYPE_MOD))) break;\t// Only important when editing MOD/XM files (000 effects are removed when loading files where this means \"no effect\")\n\t\t\tpChn->nCommand = CMD_ARPEGGIO;\n\t\t\tif (param) pChn->nArpeggio = static_cast(param);\n\t\t\tbreak;\n\n\t\t// Retrig\n\t\tcase CMD_RETRIG:\n\t\t\tif (GetType() & (MOD_TYPE_XM|MOD_TYPE_MT2))\n\t\t\t{\n\t\t\t\tif (!(param & 0xF0)) param |= pChn->nRetrigParam & 0xF0;\n\t\t\t\tif (!(param & 0x0F)) param |= pChn->nRetrigParam & 0x0F;\n\t\t\t\tparam |= 0x100; // increment retrig count on first row\n\t\t\t}\n\t\t\t// IT compatibility 15. Retrigger\n\t\t\tif(m_playBehaviour[kITRetrigger])\n\t\t\t{\n\t\t\t\tif (param) pChn->nRetrigParam = static_cast(param & 0xFF);\n\t\t\t\tRetrigNote(nChn, pChn->nRetrigParam, (volcmd == VOLCMD_OFFSET) ? vol + 1 : 0);\n\t\t\t} else\n\t\t\t{\n\t\t\t\t// XM Retrig\n\t\t\t\tif (param) pChn->nRetrigParam = static_cast(param & 0xFF); else param = pChn->nRetrigParam;\n\t\t\t\tRetrigNote(nChn, param, (volcmd == VOLCMD_OFFSET) ? vol + 1 : 0);\n\t\t\t}\n\t\t\tbreak;\n\n\t\t// Tremor\n\t\tcase CMD_TREMOR:\n\t\t\tif(!m_SongFlags[SONG_FIRSTTICK])\n\t\t\t{\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\t// IT compatibility 12. / 13. 
Tremor (using modified DUMB's Tremor logic here because of old effects - http://dumb.sf.net/)\n\t\t\tif(m_playBehaviour[kITTremor])\n\t\t\t{\n\t\t\t\tif(param && !m_SongFlags[SONG_ITOLDEFFECTS])\n\t\t\t\t{\n\t\t\t\t\t// Old effects have different length interpretation (+1 for both on and off)\n\t\t\t\t\tif(param & 0xF0) param -= 0x10;\n\t\t\t\t\tif(param & 0x0F) param -= 0x01;\n\t\t\t\t}\n\t\t\t\tpChn->nTremorCount |= 0x80; // set on/off flag\n\t\t\t} else if(m_playBehaviour[kFT2Tremor])\n\t\t\t{\n\t\t\t\t// XM Tremor. Logic is being processed in sndmix.cpp\n\t\t\t\tpChn->nTremorCount |= 0x80; // set on/off flag\n\t\t\t}\n\n\t\t\tpChn->nCommand = CMD_TREMOR;\n\t\t\tif (param) pChn->nTremorParam = static_cast(param);\n\n\t\t\tbreak;\n\n\t\t// Set Global Volume\n\t\tcase CMD_GLOBALVOLUME:\n\t\t\t// IT compatibility: Only apply global volume on first tick (and multiples)\n\t\t\t// Test case: GlobalVolFirstTick.it\n\t\t\tif(!m_SongFlags[SONG_FIRSTTICK])\n\t\t\t\tbreak;\n\t\t\t// ST3 applies global volume on tick 1 and does other weird things, but we won't emulate this for now.\n// \t\t\tif(((GetType() & MOD_TYPE_S3M) && m_nTickCount != 1)\n// \t\t\t\t|| (!(GetType() & MOD_TYPE_S3M) && !m_SongFlags[SONG_FIRSTTICK]))\n// \t\t\t{\n// \t\t\t\tbreak;\n// \t\t\t}\n\n\t\t\t// FT2 compatibility: On channels that are \"left\" of the global volume command, the new global volume is not applied\n\t\t\t// until the second tick of the row. Since we apply global volume on the mix buffer rather than note volumes, this\n\t\t\t// cannot be fixed for now.\n\t\t\t// Test case: GlobalVolume.xm\n// \t\t\tif(IsCompatibleMode(TRK_FASTTRACKER2) && m_SongFlags[SONG_FIRSTTICK] && m_nMusicSpeed > 1)\n// \t\t\t{\n// \t\t\t\tbreak;\n// \t\t\t}\n\n\t\t\tif (!(GetType() & GLOBALVOL_7BIT_FORMATS)) param *= 2;\n\n\t\t\t// IT compatibility 16. 
ST3 and IT ignore out-of-range values.\n\t\t\t// Test case: globalvol-invalid.it\n\t\t\tif(param <= 128)\n\t\t\t{\n\t\t\t\tm_PlayState.m_nGlobalVolume = param * 2;\n\t\t\t} else if(!(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT | MOD_TYPE_S3M)))\n\t\t\t{\n\t\t\t\tm_PlayState.m_nGlobalVolume = 256;\n\t\t\t}\n\t\t\tbreak;\n\n\t\t// Global Volume Slide\n\t\tcase CMD_GLOBALVOLSLIDE:\n\t\t\t//IT compatibility 16. Saving last global volume slide param per channel (FT2/IT)\n\t\t\tif(m_playBehaviour[kPerChannelGlobalVolSlide])\n\t\t\t\tGlobalVolSlide(static_cast(param), pChn->nOldGlobalVolSlide);\n\t\t\telse\n\t\t\t\tGlobalVolSlide(static_cast(param), m_PlayState.Chn[0].nOldGlobalVolSlide);\n\t\t\tbreak;\n\n\t\t// Set 8-bit Panning\n\t\tcase CMD_PANNING8:\n\t\t\tif(m_SongFlags[SONG_FIRSTTICK])\n\t\t\t{\n\t\t\t\tPanning(pChn, param, Pan8bit);\n\t\t\t}\n\t\t\tbreak;\n\n\t\t// Panning Slide\n\t\tcase CMD_PANNINGSLIDE:\n\t\t\tPanningSlide(pChn, static_cast(param));\n\t\t\tbreak;\n\n\t\t// Tremolo\n\t\tcase CMD_TREMOLO:\n\t\t\tTremolo(pChn, param);\n\t\t\tbreak;\n\n\t\t// Fine Vibrato\n\t\tcase CMD_FINEVIBRATO:\n\t\t\tFineVibrato(pChn, param);\n\t\t\tbreak;\n\n\t\t// MOD/XM Exx Extended Commands\n\t\tcase CMD_MODCMDEX:\n\t\t\tExtendedMODCommands(nChn, static_cast(param));\n\t\t\tbreak;\n\n\t\t// S3M/IT Sxx Extended Commands\n\t\tcase CMD_S3MCMDEX:\n\t\t\tif(m_playBehaviour[kST3EffectMemory] && param == 0)\n\t\t\t{\n\t\t\t\tparam = pChn->nArpeggio;\t// S00 uses the last non-zero effect parameter as memory, like other effects including Arpeggio, so we \"borrow\" our memory there.\n\t\t\t}\n\t\t\tExtendedS3MCommands(nChn, static_cast(param));\n\t\t\tbreak;\n\n\t\t// Key Off\n\t\tcase CMD_KEYOFF:\n\t\t\t// This is how Key Off is supposed to sound... 
(in FT2 at least)\n\t\t\tif(m_playBehaviour[kFT2KeyOff])\n\t\t\t{\n\t\t\t\tif (m_PlayState.m_nTickCount == param)\n\t\t\t\t{\n\t\t\t\t\t// XM: Key-Off + Sample == Note Cut\n\t\t\t\t\tif(pChn->pModInstrument == nullptr || !pChn->pModInstrument->VolEnv.dwFlags[ENV_ENABLED])\n\t\t\t\t\t{\n\t\t\t\t\t\tif(param == 0 && (pChn->rowCommand.instr || pChn->rowCommand.volcmd != VOLCMD_NONE)) // FT2 is weird....\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tpChn->dwFlags.set(CHN_NOTEFADE);\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tpChn->dwFlags.set(CHN_FASTVOLRAMP);\n\t\t\t\t\t\t\tpChn->nVolume = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tKeyOff(pChn);\n\t\t\t\t}\n\t\t\t}\n\t\t\t// This is how it's NOT supposed to sound...\n\t\t\telse\n\t\t\t{\n\t\t\t\tif(m_SongFlags[SONG_FIRSTTICK])\n\t\t\t\t\tKeyOff(pChn);\n\t\t\t}\n\t\t\tbreak;\n\n\t\t// Extra-fine porta up/down\n\t\tcase CMD_XFINEPORTAUPDOWN:\n\t\t\tswitch(param & 0xF0)\n\t\t\t{\n\t\t\tcase 0x10: ExtraFinePortamentoUp(pChn, param & 0x0F); break;\n\t\t\tcase 0x20: ExtraFinePortamentoDown(pChn, param & 0x0F); break;\n\t\t\t// ModPlug XM Extensions (ignore in compatible mode)\n\t\t\tcase 0x50:\n\t\t\tcase 0x60:\n\t\t\tcase 0x70:\n\t\t\tcase 0x90:\n\t\t\tcase 0xA0:\n\t\t\t\tif(!m_playBehaviour[kFT2RestrictXCommand]) ExtendedS3MCommands(nChn, static_cast(param));\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tbreak;\n\n\t\t// Set Channel Global Volume\n\t\tcase CMD_CHANNELVOLUME:\n\t\t\tif(!m_SongFlags[SONG_FIRSTTICK]) break;\n\t\t\tif (param <= 64)\n\t\t\t{\n\t\t\t\tpChn->nGlobalVol = param;\n\t\t\t\tpChn->dwFlags.set(CHN_FASTVOLRAMP);\n\t\t\t}\n\t\t\tbreak;\n\n\t\t// Channel volume slide\n\t\tcase CMD_CHANNELVOLSLIDE:\n\t\t\tChannelVolSlide(pChn, static_cast(param));\n\t\t\tbreak;\n\n\t\t// Panbrello (IT)\n\t\tcase CMD_PANBRELLO:\n\t\t\tPanbrello(pChn, param);\n\t\t\tbreak;\n\n\t\t// Set Envelope Position\n\t\tcase CMD_SETENVPOSITION:\n\t\t\tif(m_SongFlags[SONG_FIRSTTICK])\n\t\t\t{\n\t\t\t\tpChn->VolEnv.nEnvPosition = 
param;\n\n\t\t\t\t// FT2 compatibility: FT2 only sets the position of the panning envelope if the volume envelope's sustain flag is set\n\t\t\t\t// Test case: SetEnvPos.xm\n\t\t\t\tif(!m_playBehaviour[kFT2SetPanEnvPos] || pChn->VolEnv.flags[ENV_SUSTAIN])\n\t\t\t\t{\n\t\t\t\t\tpChn->PanEnv.nEnvPosition = param;\n\t\t\t\t\tpChn->PitchEnv.nEnvPosition = param;\n\t\t\t\t}\n\n\t\t\t}\n\t\t\tbreak;\n\n\t\t// Position Jump\n\t\tcase CMD_POSITIONJUMP:\n\t\t\tm_PlayState.m_nNextPatStartRow = 0; // FT2 E60 bug\n\t\t\tnPosJump = static_cast(CalculateXParam(m_PlayState.m_nPattern, m_PlayState.m_nRow, nChn));\n\n\t\t\t// see https://forum.openmpt.org/index.php?topic=2769.0 - FastTracker resets Dxx if Bxx is called _after_ Dxx\n\t\t\t// Test case: PatternJump.mod\n\t\t\tif((GetType() & (MOD_TYPE_MOD | MOD_TYPE_XM)) && nBreakRow != ROWINDEX_INVALID)\n\t\t\t{\n\t\t\t\tnBreakRow = 0;\n\t\t\t}\n\t\t\tbreak;\n\n\t\t// Pattern Break\n\t\tcase CMD_PATTERNBREAK:\n\t\t\t{\n\t\t\t\tROWINDEX row = PatternBreak(m_PlayState, nChn, static_cast(param));\n\t\t\t\tif(row != ROWINDEX_INVALID)\n\t\t\t\t{\n\t\t\t\t\tnBreakRow = row;\n\t\t\t\t\tif(m_SongFlags[SONG_PATTERNLOOP])\n\t\t\t\t\t{\n\t\t\t\t\t\t//If song is set to loop and a pattern break occurs we should stay on the same pattern.\n\t\t\t\t\t\t//Use nPosJump to force playback to \"jump to this pattern\" rather than move to next, as by default.\n\t\t\t\t\t\t//rewbs.to\n\t\t\t\t\t\tnPosJump = m_PlayState.m_nCurrentOrder;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\n\t\t// IMF / PTM Note Slides\n\t\tcase CMD_NOTESLIDEUP:\n\t\tcase CMD_NOTESLIDEDOWN:\n\t\tcase CMD_NOTESLIDEUPRETRIG:\n\t\tcase CMD_NOTESLIDEDOWNRETRIG:\n\t\t\t// Note that this command seems to be a bit buggy in Polytracker... Luckily, no tune seems to seriously use this\n\t\t\t// (Vic uses it e.g. 
in Spaceman or Perfect Reason to slide effect samples, noone will notice the difference :)\n\t\t\tNoteSlide(pChn, param, cmd == CMD_NOTESLIDEUP || cmd == CMD_NOTESLIDEUPRETRIG, cmd == CMD_NOTESLIDEUPRETRIG || cmd == CMD_NOTESLIDEDOWNRETRIG);\n\t\t\tbreak;\n\n\t\t// PTM Reverse sample + offset (executed on every tick)\n\t\tcase CMD_REVERSEOFFSET:\n\t\t\tReverseSampleOffset(*pChn, static_cast(param));\n\t\t\tbreak;\n\n#ifndef NO_PLUGINS\n\t\t// DBM: Toggle DSP Echo\n\t\tcase CMD_DBMECHO:\n\t\t\tif(m_PlayState.m_nTickCount == 0)\n\t\t\t{\n\t\t\t\tuint32 chns = (param >> 4), enable = (param & 0x0F);\n\t\t\t\tif(chns > 1 || enable > 2)\n\t\t\t\t{\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tCHANNELINDEX firstChn = nChn, lastChn = nChn;\n\t\t\t\tif(chns == 1)\n\t\t\t\t{\n\t\t\t\t\tfirstChn = 0;\n\t\t\t\t\tlastChn = m_nChannels - 1;\n\t\t\t\t}\n\t\t\t\tfor(CHANNELINDEX c = firstChn; c <= lastChn; c++)\n\t\t\t\t{\n\t\t\t\t\tChnSettings[c].dwFlags.set(CHN_NOFX, enable == 1);\n\t\t\t\t\tm_PlayState.Chn[c].dwFlags.set(CHN_NOFX, enable == 1);\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n#endif // NO_PLUGINS\n\t\t}\n\n\t\tif(m_playBehaviour[kST3EffectMemory] && param != 0)\n\t\t{\n\t\t\tUpdateS3MEffectMemory(pChn, static_cast(param));\n\t\t}\n\n\t\tif(pChn->rowCommand.instr)\n\t\t{\n\t\t\t// Not necessarily consistent with actually playing instrument for IT compatibility\n\t\t\tpChn->nOldIns = pChn->rowCommand.instr;\n\t\t}\n\n\t} // for(...) 
end\n\n\t// Navigation Effects\n\tif(m_SongFlags[SONG_FIRSTTICK])\n\t{\n\t\tconst bool doPatternLoop = (nPatLoopRow != ROWINDEX_INVALID);\n\t\tconst bool doBreakRow = (nBreakRow != ROWINDEX_INVALID);\n\t\tconst bool doPosJump = (nPosJump != ORDERINDEX_INVALID);\n\n\t\t// Pattern Loop\n\t\tif(doPatternLoop)\n\t\t{\n\t\t\tm_PlayState.m_nNextOrder = m_PlayState.m_nCurrentOrder;\n\t\t\tm_PlayState.m_nNextRow = nPatLoopRow;\n\t\t\tif(m_PlayState.m_nPatternDelay)\n\t\t\t{\n\t\t\t\tm_PlayState.m_nNextRow++;\n\t\t\t}\n\n\t\t\t// IT Compatibility: If the restart row is past the end of the current pattern\n\t\t\t// (e.g. when continued from a previous pattern without explicit SB0 effect), continue the next pattern.\n\t\t\t// Test case: LoopStartAfterPatternEnd.it\n\t\t\tif(nPatLoopRow >= Patterns[m_PlayState.m_nPattern].GetNumRows())\n\t\t\t{\n\t\t\t\tm_PlayState.m_nNextOrder++;\n\t\t\t\tm_PlayState.m_nNextRow = 0;\n\t\t\t}\n\n\t\t\t// As long as the pattern loop is running, mark the looped rows as not visited yet\n\t\t\tvisitedSongRows.ResetPatternLoop(m_PlayState.m_nCurrentOrder, nPatLoopRow);\n\t\t}\n\n\t\t// Pattern Break / Position Jump only if no loop running\n\t\t// Exception: FastTracker 2 in all cases, Impulse Tracker in case of position jump\n\t\t// Test case for FT2 exception: PatLoop-Jumps.xm, PatLoop-Various.xm\n\t\t// Test case for IT: exception: LoopBreak.it\n\t\tif((doBreakRow || doPosJump)\n\t\t\t&& (!doPatternLoop || m_playBehaviour[kFT2PatternLoopWithJumps] || (m_playBehaviour[kITPatternLoopWithJumps] && doPosJump)))\n\t\t{\n\t\t\tif(!doPosJump) nPosJump = m_PlayState.m_nCurrentOrder + 1;\n\t\t\tif(!doBreakRow) nBreakRow = 0;\n\t\t\tm_SongFlags.set(SONG_BREAKTOROW);\n\n\t\t\tif(nPosJump >= Order().size())\n\t\t\t{\n\t\t\t\tnPosJump = Order().GetRestartPos();\n\t\t\t}\n\n\t\t\t// IT / FT2 compatibility: don't reset loop count on pattern break.\n\t\t\t// Test case: gm-trippy01.it, PatLoop-Break.xm, PatLoop-Weird.xm, PatLoop-Break.mod\n\t\t\tif(nPosJump != 
m_PlayState.m_nCurrentOrder\n\t\t\t\t&& !m_playBehaviour[kITPatternLoopBreak] && !m_playBehaviour[kFT2PatternLoopWithJumps] && GetType() != MOD_TYPE_MOD)\n\t\t\t{\n\t\t\t\tfor(CHANNELINDEX i = 0; i < GetNumChannels(); i++)\n\t\t\t\t{\n\t\t\t\t\tm_PlayState.Chn[i].nPatternLoopCount = 0;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tm_PlayState.m_nNextRow = nBreakRow;\n\t\t\tif(!m_SongFlags[SONG_PATTERNLOOP])\n\t\t\t\tm_PlayState.m_nNextOrder = nPosJump;\n\t\t}\n\n\t}\n\treturn true;\n}", "project": "openmpt", "hash": 225699270393111401302627093268387107602, "size": 1201, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255182 }, { "func": "Variant f_phprof_disable() {\n return s_profiler_factory->stop();\n}", "project": "hhvm", "hash": 307353130312039694306213922578090535893, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219233 }, { "func": "static inline int may_lookup(struct nameidata *nd)\n{\n\tif (nd->flags & LOOKUP_RCU) {\n\t\tint err = inode_permission(nd->inode, MAY_EXEC|MAY_NOT_BLOCK);\n\t\tif (err != -ECHILD)\n\t\t\treturn err;\n\t\tif (unlazy_walk(nd))\n\t\t\treturn -ECHILD;\n\t}\n\treturn inode_permission(nd->inode, MAY_EXEC);\n}", "project": "linux", "hash": 65588077636815665025377804256961818790, "size": 11, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow 
restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295316 }, { "func": "static void opj_j2k_write_qcc_in_memory(opj_j2k_t *p_j2k,\n OPJ_UINT32 p_comp_no,\n OPJ_BYTE * p_data,\n OPJ_UINT32 * p_data_written,\n opj_event_mgr_t * p_manager\n )\n{\n OPJ_UINT32 l_qcc_size, l_remaining_size;\n OPJ_BYTE * l_current_data = 00;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n l_qcc_size = 6 + opj_j2k_get_SQcd_SQcc_size(p_j2k, p_j2k->m_current_tile_number,\n p_comp_no);\n l_remaining_size = l_qcc_size;\n\n l_current_data = p_data;\n\n opj_write_bytes(l_current_data, J2K_MS_QCC, 2); /* QCC */\n l_current_data += 2;\n\n if (p_j2k->m_private_image->numcomps <= 256) {\n --l_qcc_size;\n\n opj_write_bytes(l_current_data, l_qcc_size - 2, 2); /* L_QCC */\n l_current_data += 2;\n\n opj_write_bytes(l_current_data, p_comp_no, 1); /* Cqcc */\n ++l_current_data;\n\n /* in the case only one byte is sufficient the last byte allocated is useless -> still do -6 for available */\n l_remaining_size -= 6;\n } else {\n opj_write_bytes(l_current_data, l_qcc_size - 2, 2); /* L_QCC */\n l_current_data += 2;\n\n opj_write_bytes(l_current_data, p_comp_no, 2); /* Cqcc */\n l_current_data += 2;\n\n l_remaining_size -= 6;\n }\n\n opj_j2k_write_SQcd_SQcc(p_j2k, p_j2k->m_current_tile_number, p_comp_no,\n l_current_data, &l_remaining_size, p_manager);\n\n *p_data_written = l_qcc_size;\n}", "project": "openjpeg", "hash": 57564902188227627172065687006576056177, "size": 49, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357305 }, { "func": "int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)\n{\n\td->pub_key = pub_key;\n\td->priv_key = priv_key;\n\n\treturn 1;\n}", "project": "php-src", "hash": 20546049334752174514568688826392639820, "size": 7, 
"commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291447 }, { "func": "static int slab_mem_going_offline_callback(void *arg)\n{\n\tstruct kmem_cache *s;\n\n\tmutex_lock(&slab_mutex);\n\tlist_for_each_entry(s, &slab_caches, list)\n\t\t__kmem_cache_shrink(s);\n\tmutex_unlock(&slab_mutex);\n\n\treturn 0;\n}", "project": "linux", "hash": 204410220721364615382631000185818524286, "size": 11, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280045 }, { "func": "void tty_add_file(struct tty_struct *tty, struct file *file)\n{\n\tstruct tty_file_private *priv = file->private_data;\n\n\tpriv->tty = tty;\n\tpriv->file = file;\n\n\tspin_lock(&tty->files_lock);\n\tlist_add(&priv->list, &tty->tty_files);\n\tspin_unlock(&tty->files_lock);\n}", "project": "linux", "hash": 46391608071358356025780964702796299558, "size": 11, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() 
don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325983 }, { "func": "ALWAYS_INLINE String empty_string() {\n return String::attach(staticEmptyString());\n}", "project": "hhvm", "hash": 264208603128997653608608761964569960860, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219682 }, { "func": "int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)\n{\n\tstruct inet_sock *inet = inet_sk(sk);\n\tstruct udp_sock *up = udp_sk(sk);\n\tstruct flowi4 fl4_stack;\n\tstruct flowi4 *fl4;\n\tint ulen = len;\n\tstruct ipcm_cookie 
ipc;\n\tstruct rtable *rt = NULL;\n\tint free = 0;\n\tint connected = 0;\n\t__be32 daddr, faddr, saddr;\n\t__be16 dport;\n\tu8 tos;\n\tint err, is_udplite = IS_UDPLITE(sk);\n\tint corkreq = up->corkflag || msg->msg_flags&MSG_MORE;\n\tint (*getfrag)(void *, char *, int, int, int, struct sk_buff *);\n\tstruct sk_buff *skb;\n\tstruct ip_options_data opt_copy;\n\n\tif (len > 0xFFFF)\n\t\treturn -EMSGSIZE;\n\n\t/*\n\t *\tCheck the flags.\n\t */\n\n\tif (msg->msg_flags & MSG_OOB) /* Mirror BSD error message compatibility */\n\t\treturn -EOPNOTSUPP;\n\n\tipc.opt = NULL;\n\tipc.tx_flags = 0;\n\tipc.ttl = 0;\n\tipc.tos = -1;\n\n\tgetfrag = is_udplite ? udplite_getfrag : ip_generic_getfrag;\n\n\tfl4 = &inet->cork.fl.u.ip4;\n\tif (up->pending) {\n\t\t/*\n\t\t * There are pending frames.\n\t\t * The socket lock must be held while it's corked.\n\t\t */\n\t\tlock_sock(sk);\n\t\tif (likely(up->pending)) {\n\t\t\tif (unlikely(up->pending != AF_INET)) {\n\t\t\t\trelease_sock(sk);\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\tgoto do_append_data;\n\t\t}\n\t\trelease_sock(sk);\n\t}\n\tulen += sizeof(struct udphdr);\n\n\t/*\n\t *\tGet and verify the address.\n\t */\n\tif (msg->msg_name) {\n\t\tDECLARE_SOCKADDR(struct sockaddr_in *, usin, msg->msg_name);\n\t\tif (msg->msg_namelen < sizeof(*usin))\n\t\t\treturn -EINVAL;\n\t\tif (usin->sin_family != AF_INET) {\n\t\t\tif (usin->sin_family != AF_UNSPEC)\n\t\t\t\treturn -EAFNOSUPPORT;\n\t\t}\n\n\t\tdaddr = usin->sin_addr.s_addr;\n\t\tdport = usin->sin_port;\n\t\tif (dport == 0)\n\t\t\treturn -EINVAL;\n\t} else {\n\t\tif (sk->sk_state != TCP_ESTABLISHED)\n\t\t\treturn -EDESTADDRREQ;\n\t\tdaddr = inet->inet_daddr;\n\t\tdport = inet->inet_dport;\n\t\t/* Open fast path for connected socket.\n\t\t Route will not be used, if at least one option is set.\n\t\t */\n\t\tconnected = 1;\n\t}\n\n\tipc.sockc.tsflags = sk->sk_tsflags;\n\tipc.addr = inet->inet_saddr;\n\tipc.oif = sk->sk_bound_dev_if;\n\n\tif (msg->msg_controllen) {\n\t\terr = ip_cmsg_send(sk, 
msg, &ipc, sk->sk_family == AF_INET6);\n\t\tif (unlikely(err)) {\n\t\t\tkfree(ipc.opt);\n\t\t\treturn err;\n\t\t}\n\t\tif (ipc.opt)\n\t\t\tfree = 1;\n\t\tconnected = 0;\n\t}\n\tif (!ipc.opt) {\n\t\tstruct ip_options_rcu *inet_opt;\n\n\t\trcu_read_lock();\n\t\tinet_opt = rcu_dereference(inet->inet_opt);\n\t\tif (inet_opt) {\n\t\t\tmemcpy(&opt_copy, inet_opt,\n\t\t\t sizeof(*inet_opt) + inet_opt->opt.optlen);\n\t\t\tipc.opt = &opt_copy.opt;\n\t\t}\n\t\trcu_read_unlock();\n\t}\n\n\tsaddr = ipc.addr;\n\tipc.addr = faddr = daddr;\n\n\tsock_tx_timestamp(sk, ipc.sockc.tsflags, &ipc.tx_flags);\n\n\tif (ipc.opt && ipc.opt->opt.srr) {\n\t\tif (!daddr)\n\t\t\treturn -EINVAL;\n\t\tfaddr = ipc.opt->opt.faddr;\n\t\tconnected = 0;\n\t}\n\ttos = get_rttos(&ipc, inet);\n\tif (sock_flag(sk, SOCK_LOCALROUTE) ||\n\t (msg->msg_flags & MSG_DONTROUTE) ||\n\t (ipc.opt && ipc.opt->opt.is_strictroute)) {\n\t\ttos |= RTO_ONLINK;\n\t\tconnected = 0;\n\t}\n\n\tif (ipv4_is_multicast(daddr)) {\n\t\tif (!ipc.oif)\n\t\t\tipc.oif = inet->mc_index;\n\t\tif (!saddr)\n\t\t\tsaddr = inet->mc_addr;\n\t\tconnected = 0;\n\t} else if (!ipc.oif)\n\t\tipc.oif = inet->uc_index;\n\n\tif (connected)\n\t\trt = (struct rtable *)sk_dst_check(sk, 0);\n\n\tif (!rt) {\n\t\tstruct net *net = sock_net(sk);\n\t\t__u8 flow_flags = inet_sk_flowi_flags(sk);\n\n\t\tfl4 = &fl4_stack;\n\n\t\tflowi4_init_output(fl4, ipc.oif, sk->sk_mark, tos,\n\t\t\t\t RT_SCOPE_UNIVERSE, sk->sk_protocol,\n\t\t\t\t flow_flags,\n\t\t\t\t faddr, saddr, dport, inet->inet_sport,\n\t\t\t\t sk->sk_uid);\n\n\t\tsecurity_sk_classify_flow(sk, flowi4_to_flowi(fl4));\n\t\trt = ip_route_output_flow(net, fl4, sk);\n\t\tif (IS_ERR(rt)) {\n\t\t\terr = PTR_ERR(rt);\n\t\t\trt = NULL;\n\t\t\tif (err == -ENETUNREACH)\n\t\t\t\tIP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES);\n\t\t\tgoto out;\n\t\t}\n\n\t\terr = -EACCES;\n\t\tif ((rt->rt_flags & RTCF_BROADCAST) &&\n\t\t !sock_flag(sk, SOCK_BROADCAST))\n\t\t\tgoto out;\n\t\tif (connected)\n\t\t\tsk_dst_set(sk, 
dst_clone(&rt->dst));\n\t}\n\n\tif (msg->msg_flags&MSG_CONFIRM)\n\t\tgoto do_confirm;\nback_from_confirm:\n\n\tsaddr = fl4->saddr;\n\tif (!ipc.addr)\n\t\tdaddr = ipc.addr = fl4->daddr;\n\n\t/* Lockless fast path for the non-corking case. */\n\tif (!corkreq) {\n\t\tskb = ip_make_skb(sk, fl4, getfrag, msg, ulen,\n\t\t\t\t sizeof(struct udphdr), &ipc, &rt,\n\t\t\t\t msg->msg_flags);\n\t\terr = PTR_ERR(skb);\n\t\tif (!IS_ERR_OR_NULL(skb))\n\t\t\terr = udp_send_skb(skb, fl4);\n\t\tgoto out;\n\t}\n\n\tlock_sock(sk);\n\tif (unlikely(up->pending)) {\n\t\t/* The socket is already corked while preparing it. */\n\t\t/* ... which is an evident application bug. --ANK */\n\t\trelease_sock(sk);\n\n\t\tnet_dbg_ratelimited(\"cork app bug 2\\n\");\n\t\terr = -EINVAL;\n\t\tgoto out;\n\t}\n\t/*\n\t *\tNow cork the socket to pend data.\n\t */\n\tfl4 = &inet->cork.fl.u.ip4;\n\tfl4->daddr = daddr;\n\tfl4->saddr = saddr;\n\tfl4->fl4_dport = dport;\n\tfl4->fl4_sport = inet->inet_sport;\n\tup->pending = AF_INET;\n\ndo_append_data:\n\tup->len += ulen;\n\terr = ip_append_data(sk, fl4, getfrag, msg, ulen,\n\t\t\t sizeof(struct udphdr), &ipc, &rt,\n\t\t\t corkreq ? msg->msg_flags|MSG_MORE : msg->msg_flags);\n\tif (err)\n\t\tudp_flush_pending_frames(sk);\n\telse if (!corkreq)\n\t\terr = udp_push_pending_frames(sk);\n\telse if (unlikely(skb_queue_empty(&sk->sk_write_queue)))\n\t\tup->pending = 0;\n\trelease_sock(sk);\n\nout:\n\tip_rt_put(rt);\n\tif (free)\n\t\tkfree(ipc.opt);\n\tif (!err)\n\t\treturn len;\n\t/*\n\t * ENOBUFS = no kernel mem, SOCK_NOSPACE = no sndbuf space. Reporting\n\t * ENOBUFS might not be good (it's not tunable per se), but otherwise\n\t * we don't have a good statistic (IpOutDiscards but it can be too many\n\t * things). 
We could add another new stat but at least for now that\n\t * seems like overkill.\n\t */\n\tif (err == -ENOBUFS || test_bit(SOCK_NOSPACE, &sk->sk_socket->flags)) {\n\t\tUDP_INC_STATS(sock_net(sk),\n\t\t\t UDP_MIB_SNDBUFERRORS, is_udplite);\n\t}\n\treturn err;\n\ndo_confirm:\n\tif (msg->msg_flags & MSG_PROBE)\n\t\tdst_confirm_neigh(&rt->dst, &fl4->daddr);\n\tif (!(msg->msg_flags&MSG_PROBE) || len)\n\t\tgoto back_from_confirm;\n\terr = 0;\n\tgoto out;\n}", "project": "net", "hash": 311407155905079667589869002579372252624, "size": 249, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 468932 }, { "func": "void WebContents::InspectSharedWorkerById(const std::string& workerId) {\n if (type_ == Type::REMOTE)\n return;\n\n if (!enable_devtools_)\n return;\n\n for (const auto& agent_host : content::DevToolsAgentHost::GetOrCreateAll()) {\n if (agent_host->GetType() ==\n content::DevToolsAgentHost::kTypeSharedWorker) {\n if (agent_host->GetId() == workerId) {\n OpenDevTools(nullptr);\n managed_web_contents()->AttachTo(agent_host);\n break;\n }\n }\n }\n}", "project": "electron", "hash": 196608243718819754252036305876308370726, "size": 18, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269779 }, { "func": "static int scan_display(int ystart, int rescan) {\n\tchar *src, *dst;\n\tint pixelsize = bpp/8;\n\tint x, y, w, n;\n\tint tile_count = 0;\n\tint nodiffs = 0, diff_hint;\n\tint xd_check = 0, xd_freq = 1;\n\tstatic int xd_tck = 0;\n\n\ty = ystart;\n\n\tg_now = dnow();\n\n\tif (! 
main_fb) {\n\t\trfbLog(\"scan_display: no main_fb!\\n\");\n\t\treturn 0;\n\t}\n\n\tX_LOCK;\n\n\twhile (y < dpy_y) {\n\n\t\tif (use_xdamage) {\n\t\t\tXD_tot++;\n\t\t\txd_check = 0;\n\t\t\tif (xdamage_hint_skip(y)) {\n\t\t\t\tif (xd_do_check && dpy && use_xdamage == 1) {\n\t\t\t\t\txd_tck++;\n\t\t\t\t\txd_tck = xd_tck % xd_freq;\n\t\t\t\t\tif (xd_tck == 0) {\n\t\t\t\t\t\txd_check = 1;\n\t\t\t\t\t\txd_samples++;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif (!xd_check) {\n\t\t\t\t\tXD_skip++;\n\t\t\t\t\ty += NSCAN;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tif (xd_do_check && 0) {\n\t\t\t\t\tfprintf(stderr, \"ns y=%d\\n\", y);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t/* grab the horizontal scanline from the display: */\n\n#ifndef NO_NCACHE\n/* XXX Y test */\nif (ncache > 0) {\n\tint gotone = 0;\n\tif (macosx_console) {\n\t\tif (macosx_checkevent(NULL)) {\n\t\t\tgotone = 1;\n\t\t}\n\t} else {\n#if !NO_X11\n\t\tXEvent ev;\n\t\tif (raw_fb_str) {\n\t\t\t;\n\t\t} else if (XEventsQueued(dpy, QueuedAlready) == 0) {\n\t\t\t;\t/* XXX Y resp */\n\t\t} else if (XCheckTypedEvent(dpy, MapNotify, &ev)) {\n\t\t\tgotone = 1;\n\t\t} else if (XCheckTypedEvent(dpy, UnmapNotify, &ev)) {\n\t\t\tgotone = 2;\n\t\t} else if (XCheckTypedEvent(dpy, CreateNotify, &ev)) {\n\t\t\tgotone = 3;\n\t\t} else if (XCheckTypedEvent(dpy, ConfigureNotify, &ev)) {\n\t\t\tgotone = 4;\n\t\t} else if (XCheckTypedEvent(dpy, VisibilityNotify, &ev)) {\n\t\t\tgotone = 5;\n\t\t}\n\t\tif (gotone) {\n\t\t\tXPutBackEvent(dpy, &ev);\n\t\t}\n#endif\n\t}\n\tif (gotone) {\n\t\tstatic int nomsg = 1;\n\t\tif (nomsg) {\n\t\t\tif (dnowx() > 20) {\n\t\t\t\tnomsg = 0;\n\t\t\t}\n\t\t} else {\nif (ncdb) fprintf(stderr, \"\\n*** SCAN_DISPLAY CHECK_NCACHE/%d *** %d rescan=%d\\n\", gotone, y, rescan);\n\t\t}\n\t\tX_UNLOCK;\n\t\tcheck_ncache(0, 1);\n\t\tX_LOCK;\n\t}\n}\n#endif\n\n\t\tXRANDR_SET_TRAP_RET(-1, \"scan_display-set\");\n\t\tcopy_image(scanline, 0, y, 0, 0);\n\t\tXRANDR_CHK_TRAP_RET(-1, \"scan_display-chk\");\n\n\t\t/* for 
better memory i/o try the whole line at once */\n\t\tsrc = scanline->data;\n\t\tdst = main_fb + y * main_bytes_per_line;\n\n\t\tif (! memcmp(dst, src, main_bytes_per_line)) {\n\t\t\t/* no changes anywhere in scan line */\n\t\t\tnodiffs = 1;\n\t\t\tif (! rescan) {\n\t\t\t\ty += NSCAN;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t}\n\t\tif (xd_check) {\n\t\t\txd_misses++;\n\t\t}\n\n\t\tx = 0;\n\t\twhile (x < dpy_x) {\n\t\t\tn = (x/tile_x) + (y/tile_y) * ntiles_x;\n\t\t\tdiff_hint = 0;\n\n\t\t\tif (blackouts) {\n\t\t\t\tif (blackout_line_skip(n, x, y, rescan,\n\t\t\t\t &tile_count)) {\n\t\t\t\t\tx += NSCAN;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (rescan) {\n\t\t\t\tif (nodiffs || tile_has_diff[n]) {\n\t\t\t\t\ttile_count += tile_has_diff[n];\n\t\t\t\t\tx += NSCAN;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t} else if (xdamage_tile_count &&\n\t\t\t tile_has_xdamage_diff[n]) {\n\t\t\t\ttile_has_xdamage_diff[n] = 2;\n\t\t\t\tdiff_hint = 1;\n\t\t\t}\n\n\t\t\t/* set ptrs to correspond to the x offset: */\n\t\t\tsrc = scanline->data + x * pixelsize;\n\t\t\tdst = main_fb + y * main_bytes_per_line + x * pixelsize;\n\n\t\t\t/* compute the width of data to be compared: */\n\t\t\tif (x + NSCAN > dpy_x) {\n\t\t\t\tw = dpy_x - x;\n\t\t\t} else {\n\t\t\t\tw = NSCAN;\n\t\t\t}\n\n\t\t\tif (diff_hint || memcmp(dst, src, w * pixelsize)) {\n\t\t\t\t/* found a difference, record it: */\n\t\t\t\tif (! 
blackouts) {\n\t\t\t\t\ttile_has_diff[n] = 1;\n\t\t\t\t\ttile_count++;\t\t\n\t\t\t\t} else {\n\t\t\t\t\tif (blackout_line_cmpskip(n, x, y,\n\t\t\t\t\t dst, src, w, pixelsize)) {\n\t\t\t\t\t\ttile_has_diff[n] = 0;\n\t\t\t\t\t} else {\n\t\t\t\t\t\ttile_has_diff[n] = 1;\n\t\t\t\t\t\ttile_count++;\t\t\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tx += NSCAN;\n\t\t}\n\t\ty += NSCAN;\n\t}\n\n\tX_UNLOCK;\n\n\treturn tile_count;\n}", "project": "x11vnc", "hash": 116632398895859930494269459526803432730, "size": 175, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360757 }, { "func": "static void __init_autocomplete (RCore* core) {\n\tint i;\n\tcore->autocomplete = R_NEW0 (RCoreAutocomplete);\n\tif (core->autocomplete_type == AUTOCOMPLETE_DEFAULT) {\n\t\t__init_autocomplete_default (core);\n\t} else if (core->autocomplete_type == AUTOCOMPLETE_MS) {\n\t\tr_core_autocomplete_add (core->autocomplete, \"ls\", R_CORE_AUTOCMPLT_MS, true);\n\t\tr_core_autocomplete_add (core->autocomplete, \"cd\", R_CORE_AUTOCMPLT_MS, true);\n\t\tr_core_autocomplete_add (core->autocomplete, \"cat\", R_CORE_AUTOCMPLT_MS, true);\n\t\tr_core_autocomplete_add (core->autocomplete, \"get\", R_CORE_AUTOCMPLT_MS, true);\n\t\tr_core_autocomplete_add (core->autocomplete, \"mount\", R_CORE_AUTOCMPLT_MS, true);\n\t\tfor (i = 0; i < ms_argc && ms_argv[i]; i++) {\n\t\t\tif (!r_core_autocomplete_find (core->autocomplete, ms_argv[i], true)) {\n\t\t\t\tr_core_autocomplete_add (core->autocomplete, ms_argv[i], R_CORE_AUTOCMPLT_MS, true);\n\t\t\t}\n\t\t}\n\t}\n}", "project": "radare2", "hash": 201000460775977866448562906699477021624, "size": 18, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232116 }, { "func": "unsigned Utf8::Length(uchar c, int previous) {\n if (c <= kMaxOneByteChar) {\n 
return 1;\n } else if (c <= kMaxTwoByteChar) {\n return 2;\n } else if (c <= kMaxThreeByteChar) {\n if (Utf16::IsTrailSurrogate(c) &&\n Utf16::IsLeadSurrogate(previous)) {\n return kSizeOfUnmatchedSurrogate - kBytesSavedByCombiningSurrogates;\n }\n return 3;\n } else {\n return 4;\n }\n}", "project": "node", "hash": 234874114780861102309543146883909568175, "size": 15, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385633 }, { "func": "void LanLinkProvider::connectError(QAbstractSocket::SocketError socketError)\n{\n QSslSocket* socket = qobject_cast(sender());\n if (!socket) return;\n\n qCDebug(KDECONNECT_CORE) << \"Socket error\" << socketError;\n qCDebug(KDECONNECT_CORE) << \"Fallback (1), try reverse connection (send udp packet)\" << socket->errorString();\n NetworkPacket np(QLatin1String(\"\"));\n NetworkPacket::createIdentityPacket(&np);\n np.set(QStringLiteral(\"tcpPort\"), m_tcpPort);\n m_udpSocket.writeDatagram(np.serialize(), m_receivedIdentityPackets[socket].sender, m_udpBroadcastPort);\n\n //The socket we created didn't work, and we didn't manage\n //to create a LanDeviceLink from it, deleting everything.\n delete m_receivedIdentityPackets.take(socket).np;\n socket->deleteLater();\n}", "project": "kdeconnect-kde", "hash": 61111212422605397982289302108669650931, "size": 17, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227370 }, { "func": "static int savemsg(message_data_t *m, FILE *f)\n{\n struct stat sbuf;\n const char **body, **groups;\n int r, i;\n time_t now = time(NULL);\n static int post_count = 0;\n FILE *stagef = NULL;\n const char *skipheaders[] = {\n\t\"Path\",\t\t/* need to prepend our servername 
*/\n\t\"Xref\",\t\t/* need to remove (generated on the fly) */\n\t\"Reply-To\",\t/* need to add \"post\" email addresses */\n\tNULL\n };\n\n m->f = f;\n\n /* fill the cache */\n r = spool_fill_hdrcache(nntp_in, f, m->hdrcache, skipheaders);\n if (r) {\n\t/* got a bad header */\n\n\t/* flush the remaining output */\n\tspool_copy_msg(nntp_in, NULL);\n\treturn r;\n }\n\n /* now, using our header cache, fill in the data that we want */\n\n /* get path */\n if ((body = spool_getheader(m->hdrcache, \"path\")) != NULL) {\n\t/* prepend to the cached path */\n\tm->path = strconcat(config_servername, \"!\", body[0], (char *)NULL);\n\tspool_replace_header(xstrdup(\"Path\"), xstrdup(m->path), m->hdrcache);\n } else {\n\t/* no path, create one */\n\tm->path = strconcat(config_servername, \"!\",\n\t\t\t nntp_userid ? nntp_userid : \"anonymous\",\n\t\t\t (char *)NULL);\n\tspool_cache_header(xstrdup(\"Path\"), xstrdup(m->path), m->hdrcache);\n }\n fprintf(f, \"Path: %s\\r\\n\", m->path);\n\n /* get message-id */\n if ((body = spool_getheader(m->hdrcache, \"message-id\")) != NULL) {\n\tm->id = xstrdup(body[0]);\n } else {\n\t/* no message-id, create one */\n\tpid_t p = getpid();\n\n\tm->id = xmalloc(40 + strlen(config_servername));\n\tsprintf(m->id, \"\", p, (int) now, \n\t\tpost_count++, config_servername);\n\tfprintf(f, \"Message-ID: %s\\r\\n\", m->id);\n\tspool_cache_header(xstrdup(\"Message-ID\"), xstrdup(m->id), m->hdrcache);\n }\n\n /* get date */\n if ((body = spool_getheader(m->hdrcache, \"date\")) == NULL) {\n\t/* no date, create one */\n\tchar datestr[RFC822_DATETIME_MAX+1];\n\n\ttime_to_rfc822(now, datestr, sizeof(datestr));\n\tm->date = xstrdup(datestr);\n\tfprintf(f, \"Date: %s\\r\\n\", datestr);\n\tspool_cache_header(xstrdup(\"Date\"), xstrdup(datestr), m->hdrcache);\n }\n else {\n\tm->date = xstrdup(body[0]);\n }\n\n /* get control */\n if ((body = spool_getheader(m->hdrcache, \"control\")) != NULL) {\n\tsize_t len;\n\tchar *s;\n\n\tm->control = 
xstrdup(body[0]);\n\n\t/* create a recipient for the appropriate pseudo newsgroup */\n\tlen = strcspn(m->control, \" \\t\\r\\n\");\n\ts = xmalloc(strlen(newsprefix) + 8 + len + 1);\n\tsprintf(s, \"%scontrol.%.*s\", newsprefix, (int) len, m->control);\n\n\tstrarray_appendm(&m->rcpt, s);\n } else {\n\tm->control = NULL;\t/* no control */\n\n\t/* get newsgroups */\n\tif ((groups = spool_getheader(m->hdrcache, \"newsgroups\")) != NULL) {\n\t /* parse newsgroups and create recipients */\n\t parse_groups(groups[0], m);\n\t if (!m->rcpt.count) {\n\t\tr = IMAP_MAILBOX_NONEXISTENT; /* no newsgroups that we serve */\n\t }\n\t if (!r) {\n\t\tconst char *newspostuser = config_getstring(IMAPOPT_NEWSPOSTUSER);\n\t\t/* get reply-to */\n\t\tbody = spool_getheader(m->hdrcache, \"reply-to\");\n\n\t\t/* add Reply-To: header */\n\t\tif (body || newspostuser) {\n\t\t const char **postto, *p;\n\t\t int fold = 0;\n\t\t const char *sep = \"\";\n\t\t char *replyto;\n\t\t size_t n;\n\t\t struct buf buf = BUF_INITIALIZER;\n\n\t\t if (newspostuser) {\n\t\t\t/* add \"post\" email addresses based on newsgroup */\n\n\t\t\t/* determine which groups header to use */\n\t\t\tpostto = spool_getheader(m->hdrcache, \"followup-to\");\n\t\t\tif (!postto) postto = groups;\n\n\t\t\tif (body) {\n\t\t\t /* append to the cached header */\n\t\t\t buf_appendcstr(&buf, body[0]);\n\t\t\t fold = buf.len+1;\n\t\t\t sep = \", \";\n\t\t\t}\n\t\t\tfor (p = postto[0];; p += n) {\n\t\t\t /* skip whitespace */\n\t\t\t while (p && *p &&\n\t\t\t\t (Uisspace(*p) || *p == ',')) p++;\n\t\t\t if (!p || !*p) break;\n\n\t\t\t /* find end of group name */\n\t\t\t n = strcspn(p, \", \\t\");\n\n\t\t\t /* add the post address */\n\t\t\t buf_printf(&buf, \"%s%s+%.*s\",\n\t\t\t\t\t sep, newspostuser, (int) n, p);\n\n\t\t\t sep = \", \";\n\t\t\t}\n\t\t\treplyto = buf_release(&buf);\n\t\t\tif (body) {\n\t\t\t /* replace the existing header */\n\t\t\t spool_replace_header(xstrdup(\"Reply-To\"), replyto,\n\t\t\t\t\t m->hdrcache);\n\t\t\t} 
else {\n\t\t\t /* add the new header to the cache */\n\t\t\t spool_cache_header(xstrdup(\"Reply-To\"), replyto,\n\t\t\t\t\t m->hdrcache);\n\t\t\t}\n\t\t } else {\n\t\t\t/* no newspostuser, use original replyto */\n\t\t\treplyto = (char *) body[0];\n\t\t }\n\n\t\t /* add the header to the file */\n\t\t fprintf(f, \"Reply-To: \");\n\t\t if (fold)\n\t\t\tfprintf(f, \"%.*s\\r\\n\\t\", fold, replyto);\n\t\t fprintf(f, \"%s\\r\\n\", replyto+fold);\n\t\t}\n\t }\n\t} else {\n\t r = NNTP_NO_NEWSGROUPS;\t\t/* no newsgroups header */\n\t}\n\n\tif (r) {\n\t /* error getting newsgroups */\n\n\t /* flush the remaining output */\n\t spool_copy_msg(nntp_in, NULL);\n\t return r;\n\t}\n }\n\n fflush(f);\n if (ferror(f)) {\n\treturn IMAP_IOERROR;\n }\n\n if (fstat(fileno(f), &sbuf) == -1) {\n\treturn IMAP_IOERROR;\n }\n\n /* spool to the stage of one of the recipients */\n for (i = 0; !stagef && (i < m->rcpt.count); i++) {\n\tstagef = append_newstage(m->rcpt.data[i], now, 0, &stage);\n }\n\n if (stagef) {\n\tconst char *base = 0;\n\tunsigned long size = 0;\n\tint n;\n\n\t/* copy the header from our tmpfile to the stage */\n\tmap_refresh(fileno(f), 1, &base, &size, sbuf.st_size, \"tmp\", 0);\n\tn = retry_write(fileno(stagef), base, size);\n\tmap_free(&base, &size);\n\n\tif (n == -1) {\n\t /* close and remove the stage */\n\t fclose(stagef);\n\t append_removestage(stage);\n\t stage = NULL;\n\t return IMAP_IOERROR;\n\t}\n\telse {\n\t /* close the tmpfile and use the stage */\n\t fclose(f);\n\t m->f = f = stagef;\n\t}\n }\n /* else this is probably a remote group, so use the tmpfile */\n\n r = spool_copy_msg(nntp_in, f);\n\n if (r) return r;\n\n fflush(f);\n if (ferror(f)) {\n\treturn IMAP_IOERROR;\n }\n\n if (fstat(fileno(f), &sbuf) == -1) {\n\treturn IMAP_IOERROR;\n }\n m->size = sbuf.st_size;\n m->data = prot_new(fileno(f), 0);\n\n return 0;\n}", "project": "cyrus-imapd", "hash": 323289953061990986436742707218799072125, "size": 227, "commit_id": 
"0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451904 }, { "func": "R_API int r_core_seek_size(RCore *core, ut64 addr, int bsize) {\n\tut8 *bump;\n\tint ret = false;\n\tif (bsize < 0) {\n\t\treturn false;\n\t}\n\tif (bsize == core->blocksize) {\n\t\treturn true;\n\t}\n\tif (r_sandbox_enable (0)) {\n\t\t// TODO : restrict to filesize?\n\t\tif (bsize > 1024*32) {\n\t\t\teprintf (\"Sandbox mode restricts blocksize bigger than 32k\\n\");\n\t\t\treturn false;\n\t\t}\n\t}\n\tif (bsize > core->blocksize_max) {\n\t\teprintf (\"Block size %d is too big\\n\", bsize);\n\t\treturn false;\n\t}\n\tcore->offset = addr;\n\tif (bsize < 1) {\n\t\tbsize = 1;\n\t} else if (core->blocksize_max && bsize>core->blocksize_max) {\n\t\teprintf (\"bsize is bigger than `bm`. dimmed to 0x%x > 0x%x\\n\",\n\t\t\tbsize, core->blocksize_max);\n\t\tbsize = core->blocksize_max;\n\t}\n\tbump = realloc (core->block, bsize + 1);\n\tif (!bump) {\n\t\teprintf (\"Oops. 
cannot allocate that much (%u)\\n\", bsize);\n\t\tret = false;\n\t} else {\n\t\tret = true;\n\t\tcore->block = bump;\n\t\tcore->blocksize = bsize;\n\t\tmemset (core->block, 0xff, core->blocksize);\n\t\tr_core_block_read (core);\n\t}\n\treturn ret;\n}", "project": "radare2", "hash": 114196009407638829253752030234365835683, "size": 41, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232118 }, { "func": " void Jp2Image::readMetadata()\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cerr << \"Exiv2::Jp2Image::readMetadata: Reading JPEG-2000 file \" << io_->path() << std::endl;\n#endif\n if (io_->open() != 0)\n {\n throw Error(kerDataSourceOpenFailed, io_->path(), strError());\n }\n IoCloser closer(*io_);\n // Ensure that this is the correct image type\n if (!isJp2Type(*io_, true))\n {\n if (io_->error() || io_->eof()) throw Error(kerFailedToReadImageData);\n throw Error(kerNotAnImage, \"JPEG-2000\");\n }\n\n long position = 0;\n Jp2BoxHeader box = {0,0};\n Jp2BoxHeader subBox = {0,0};\n Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0};\n Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};\n size_t boxes = 0 ;\n size_t boxem = 1000 ; // boxes max\n\n while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))\n {\n boxes_check(boxes++,boxem );\n position = io_->tell();\n box.length = getLong((byte*)&box.length, bigEndian);\n box.type = getLong((byte*)&box.type, bigEndian);\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::readMetadata: \"\n << \"Position: \" << position\n << \" box type: \" << toAscii(box.type)\n << \" length: \" << box.length\n << std::endl;\n#endif\n\n if (box.length == 0) return ;\n\n if (box.length == 1)\n {\n // FIXME. Special case. 
the real box size is given in another place.\n }\n\n switch(box.type)\n {\n case kJp2BoxTypeJp2Header:\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::readMetadata: JP2Header box found\" << std::endl;\n#endif\n long restore = io_->tell();\n\n while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )\n {\n boxes_check(boxes++, boxem) ;\n subBox.length = getLong((byte*)&subBox.length, bigEndian);\n subBox.type = getLong((byte*)&subBox.type, bigEndian);\n if (subBox.length > io_->size() ) {\n throw Error(kerCorruptedMetadata);\n }\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::readMetadata: \"\n << \"subBox = \" << toAscii(subBox.type) << \" length = \" << subBox.length << std::endl;\n#endif\n if(subBox.type == kJp2BoxTypeColorHeader && subBox.length != 15)\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::readMetadata: \"\n << \"Color data found\" << std::endl;\n#endif\n\n const long pad = 3 ; // 3 padding bytes 2 0 0\n const size_t data_length = Safe::add(subBox.length, static_cast(8));\n // data_length makes no sense if it is larger than the rest of the file\n if (data_length > io_->size() - io_->tell()) {\n throw Error(kerCorruptedMetadata);\n }\n DataBuf data(static_cast(data_length));\n io_->read(data.pData_,data.size_);\n const long iccLength = getULong(data.pData_+pad, bigEndian);\n // subtracting pad from data.size_ is safe:\n // size_ is at least 8 and pad = 3\n if (iccLength > data.size_ - pad) {\n throw Error(kerCorruptedMetadata);\n }\n DataBuf icc(iccLength);\n ::memcpy(icc.pData_,data.pData_+pad,icc.size_);\n#ifdef EXIV2_DEBUG_MESSAGES\n const char* iccPath = \"/tmp/libexiv2_jp2.icc\";\n FILE* f = fopen(iccPath,\"wb\");\n if ( f ) {\n fwrite(icc.pData_,icc.size_,1,f);\n fclose(f);\n }\n std::cout << \"Exiv2::Jp2Image::readMetadata: wrote iccProfile \" << icc.size_<< \" bytes to \" << iccPath << std::endl ;\n#endif\n setIccProfile(icc);\n }\n\n if( subBox.type == 
kJp2BoxTypeImageHeader)\n {\n io_->read((byte*)&ihdr, sizeof(ihdr));\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::readMetadata: Ihdr data found\" << std::endl;\n#endif\n ihdr.imageHeight = getLong((byte*)&ihdr.imageHeight, bigEndian);\n ihdr.imageWidth = getLong((byte*)&ihdr.imageWidth, bigEndian);\n ihdr.componentCount = getShort((byte*)&ihdr.componentCount, bigEndian);\n ihdr.compressionTypeProfile = getShort((byte*)&ihdr.compressionTypeProfile, bigEndian);\n\n pixelWidth_ = ihdr.imageWidth;\n pixelHeight_ = ihdr.imageHeight;\n }\n\n io_->seek(restore,BasicIo::beg);\n if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {\n throw Error(kerCorruptedMetadata);\n }\n restore = io_->tell();\n }\n break;\n }\n\n case kJp2BoxTypeUuid:\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::readMetadata: UUID box found\" << std::endl;\n#endif\n\n if (io_->read((byte*)&uuid, sizeof(uuid)) == sizeof(uuid))\n {\n DataBuf rawData;\n long bufRead;\n bool bIsExif = memcmp(uuid.uuid, kJp2UuidExif, sizeof(uuid))==0;\n bool bIsIPTC = memcmp(uuid.uuid, kJp2UuidIptc, sizeof(uuid))==0;\n bool bIsXMP = memcmp(uuid.uuid, kJp2UuidXmp , sizeof(uuid))==0;\n\n if(bIsExif)\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::readMetadata: Exif data found\" << std::endl ;\n#endif\n rawData.alloc(box.length - (sizeof(box) + sizeof(uuid)));\n bufRead = io_->read(rawData.pData_, rawData.size_);\n if (io_->error()) throw Error(kerFailedToReadImageData);\n if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed);\n\n if (rawData.size_ > 8) // \"II*\\0long\"\n {\n // Find the position of Exif header in bytes array.\n long pos = ( (rawData.pData_[0] == rawData.pData_[1])\n && (rawData.pData_[0]=='I' || rawData.pData_[0]=='M')\n ) ? 
0 : -1;\n\n // #1242 Forgive having Exif\\0\\0 in rawData.pData_\n const byte exifHeader[] = { 0x45, 0x78, 0x69, 0x66, 0x00, 0x00 };\n for (long i=0 ; pos < 0 && i < rawData.size_-(long)sizeof(exifHeader) ; i++)\n {\n if (memcmp(exifHeader, &rawData.pData_[i], sizeof(exifHeader)) == 0)\n {\n pos = i+sizeof(exifHeader);\n#ifndef SUPPRESS_WARNINGS\n EXV_WARNING << \"Reading non-standard UUID-EXIF_bad box in \" << io_->path() << std::endl;\n#endif\n\n }\n }\n\n // If found it, store only these data at from this place.\n if (pos >= 0 )\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::readMetadata: Exif header found at position \" << pos << std::endl;\n#endif\n ByteOrder bo = TiffParser::decode(exifData(),\n iptcData(),\n xmpData(),\n rawData.pData_ + pos,\n rawData.size_ - pos);\n setByteOrder(bo);\n }\n }\n else\n {\n#ifndef SUPPRESS_WARNINGS\n EXV_WARNING << \"Failed to decode Exif metadata.\" << std::endl;\n#endif\n exifData_.clear();\n }\n }\n\n if(bIsIPTC)\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::readMetadata: Iptc data found\" << std::endl;\n#endif\n rawData.alloc(box.length - (sizeof(box) + sizeof(uuid)));\n bufRead = io_->read(rawData.pData_, rawData.size_);\n if (io_->error()) throw Error(kerFailedToReadImageData);\n if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed);\n\n if (IptcParser::decode(iptcData_, rawData.pData_, rawData.size_))\n {\n#ifndef SUPPRESS_WARNINGS\n EXV_WARNING << \"Failed to decode IPTC metadata.\" << std::endl;\n#endif\n iptcData_.clear();\n }\n }\n\n if(bIsXMP)\n {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::readMetadata: Xmp data found\" << std::endl;\n#endif\n rawData.alloc(box.length - (uint32_t)(sizeof(box) + sizeof(uuid)));\n bufRead = io_->read(rawData.pData_, rawData.size_);\n if (io_->error()) throw Error(kerFailedToReadImageData);\n if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed);\n xmpPacket_.assign(reinterpret_cast(rawData.pData_), 
rawData.size_);\n\n std::string::size_type idx = xmpPacket_.find_first_of('<');\n if (idx != std::string::npos && idx > 0)\n {\n#ifndef SUPPRESS_WARNINGS\n EXV_WARNING << \"Removing \" << static_cast(idx)\n << \" characters from the beginning of the XMP packet\" << std::endl;\n#endif\n xmpPacket_ = xmpPacket_.substr(idx);\n }\n\n if (xmpPacket_.size() > 0 && XmpParser::decode(xmpData_, xmpPacket_))\n {\n#ifndef SUPPRESS_WARNINGS\n EXV_WARNING << \"Failed to decode XMP metadata.\" << std::endl;\n#endif\n }\n }\n }\n break;\n }\n\n default:\n {\n break;\n }\n }\n\n // Move to the next box.\n io_->seek(static_cast(position - sizeof(box) + box.length), BasicIo::beg);\n if (io_->error()) throw Error(kerFailedToReadImageData);\n }\n\n } // Jp2Image::readMetadata", "project": "exiv2", "hash": 1096778139859557953851263812096044783, "size": 257, "commit_id": "f9308839198aca5e68a65194f151a1de92398f54", "message": "Better bounds checking in Jp2Image::encodeJp2Header()", "target": 0, "dataset": "other", "idx": 409140 }, { "func": "nfs4_ff_layout_stat_io_update_completed(struct nfs4_ff_layoutstat *layoutstat,\n\t\t__u64 requested,\n\t\t__u64 completed,\n\t\tktime_t time_completed,\n\t\tktime_t time_started)\n{\n\tstruct nfs4_ff_io_stat *iostat = &layoutstat->io_stat;\n\tktime_t completion_time = ktime_sub(time_completed, time_started);\n\tktime_t timer;\n\n\tiostat->ops_completed++;\n\tiostat->bytes_completed += completed;\n\tiostat->bytes_not_delivered += requested - completed;\n\n\ttimer = nfs4_ff_end_busy_timer(&layoutstat->busy_timer, time_completed);\n\tiostat->total_busy_time =\n\t\t\tktime_add(iostat->total_busy_time, timer);\n\tiostat->aggregate_completion_time =\n\t\t\tktime_add(iostat->aggregate_completion_time,\n\t\t\t\t\tcompletion_time);\n}", "project": "linux", "hash": 238804158353141773244351957054324246485, "size": 21, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam 
zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234451 }, { "func": "DLLEXPORT int DLLCALL tjEncodeYUV2(tjhandle handle, unsigned char *srcBuf,\n\tint width, int pitch, int height, int pixelFormat, unsigned char *dstBuf,\n\tint subsamp, int flags)\n{\n\treturn tjEncodeYUV3(handle, srcBuf, width, pitch, height, pixelFormat,\n\t\tdstBuf, 4, subsamp, flags);\n}", "project": "libjpeg-turbo", "hash": 259219344558726963773733721550646372362, "size": 7, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311132 }, { "func": "static int check_unshare_flags(unsigned long unshare_flags)\n{\n\tif (unshare_flags & ~(CLONE_THREAD|CLONE_FS|CLONE_NEWNS|CLONE_SIGHAND|\n\t\t\t\tCLONE_VM|CLONE_FILES|CLONE_SYSVSEM|\n\t\t\t\tCLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWNET|\n\t\t\t\tCLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWCGROUP|\n\t\t\t\tCLONE_NEWTIME))\n\t\treturn -EINVAL;\n\t/*\n\t * Not implemented, but pretend it works if there is nothing\n\t * to unshare. 
Note that unsharing the address space or the\n\t * signal handlers also need to unshare the signal queues (aka\n\t * CLONE_THREAD).\n\t */\n\tif (unshare_flags & (CLONE_THREAD | CLONE_SIGHAND | CLONE_VM)) {\n\t\tif (!thread_group_empty(current))\n\t\t\treturn -EINVAL;\n\t}\n\tif (unshare_flags & (CLONE_SIGHAND | CLONE_VM)) {\n\t\tif (refcount_read(¤t->sighand->count) > 1)\n\t\t\treturn -EINVAL;\n\t}\n\tif (unshare_flags & CLONE_VM) {\n\t\tif (!current_is_single_threaded())\n\t\t\treturn -EINVAL;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 103346445032320145945915242924689230952, "size": 29, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293656 }, { "func": "static int reverse_path_check(void)\n{\n\tint error = 0;\n\tstruct file *current_file;\n\n\t/* let's call this for all tfiles */\n\tlist_for_each_entry(current_file, &tfile_check_list, f_tfile_llink) {\n\t\tpath_count_init();\n\t\terror = ep_call_nested(&poll_loop_ncalls,\n\t\t\t\t\treverse_path_check_proc, current_file,\n\t\t\t\t\tcurrent_file, current);\n\t\tif (error)\n\t\t\tbreak;\n\t}\n\treturn error;\n}", "project": "linux", "hash": 149637603933704173097063886831779472206, "size": 16, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336262 }, { "func": "int STDCALL mysql_server_init(int argc __attribute__((unused)),\n char **argv __attribute__((unused)),\n char **groups __attribute__((unused)))\n{\n#ifdef _WIN32\n BOOL ret = InitOnceExecuteOnce(&init_once, win_init_once, NULL, 
NULL);\n return ret? 0: 1;\n#else\n return pthread_once(&init_once, mysql_once_init);\n#endif\n}", "project": "mariadb-connector-c", "hash": 264371040414450889585337960211772729693, "size": 11, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429732 }, { "func": "static int phar_tar_setupmetadata(void *pDest, void *argument TSRMLS_DC) /* {{{ */\n{\n\tint lookfor_len;\n\tstruct _phar_pass_tar_info *i = (struct _phar_pass_tar_info *)argument;\n\tchar *lookfor, **error = i->error;\n\tphar_entry_info *entry = (phar_entry_info *)pDest, *metadata, newentry = {0};\n\n\tif (entry->filename_len >= sizeof(\".phar/.metadata\") && !memcmp(entry->filename, \".phar/.metadata\", sizeof(\".phar/.metadata\")-1)) {\n\t\tif (entry->filename_len == sizeof(\".phar/.metadata.bin\")-1 && !memcmp(entry->filename, \".phar/.metadata.bin\", sizeof(\".phar/.metadata.bin\")-1)) {\n\t\t\tif (entry->phar->metadata == NULL) {\n\t\t\t\treturn ZEND_HASH_APPLY_REMOVE;\n\t\t\t}\n\t\t\treturn phar_tar_setmetadata(entry->phar->metadata, entry, error TSRMLS_CC);\n\t\t}\n\t\t/* search for the file this metadata entry references */\n\t\tif (entry->filename_len >= sizeof(\".phar/.metadata/\") + sizeof(\"/.metadata.bin\") - 1 && !zend_hash_exists(&(entry->phar->manifest), entry->filename + sizeof(\".phar/.metadata/\") - 1, entry->filename_len - (sizeof(\"/.metadata.bin\") - 1 + sizeof(\".phar/.metadata/\") - 1))) {\n\t\t\t/* this is orphaned metadata, erase it */\n\t\t\treturn ZEND_HASH_APPLY_REMOVE;\n\t\t}\n\t\t/* we can keep this entry, the file that refers to it exists */\n\t\treturn ZEND_HASH_APPLY_KEEP;\n\t}\n\n\tif (!entry->is_modified) {\n\t\treturn ZEND_HASH_APPLY_KEEP;\n\t}\n\n\t/* now we are dealing with regular files, so look for metadata */\n\tlookfor_len = spprintf(&lookfor, 0, \".phar/.metadata/%s/.metadata.bin\", 
entry->filename);\n\n\tif (!entry->metadata) {\n\t\tzend_hash_del(&(entry->phar->manifest), lookfor, lookfor_len);\n\t\tefree(lookfor);\n\t\treturn ZEND_HASH_APPLY_KEEP;\n\t}\n\n\tif (SUCCESS == zend_hash_find(&(entry->phar->manifest), lookfor, lookfor_len, (void **)&metadata)) {\n\t\tint ret;\n\t\tret = phar_tar_setmetadata(entry->metadata, metadata, error TSRMLS_CC);\n\t\tefree(lookfor);\n\t\treturn ret;\n\t}\n\n\tnewentry.filename = lookfor;\n\tnewentry.filename_len = lookfor_len;\n\tnewentry.phar = entry->phar;\n\tnewentry.tar_type = TAR_FILE;\n\tnewentry.is_tar = 1;\n\n\tif (SUCCESS != zend_hash_add(&(entry->phar->manifest), lookfor, lookfor_len, (void *)&newentry, sizeof(phar_entry_info), (void **)&metadata)) {\n\t\tefree(lookfor);\n\t\tspprintf(error, 0, \"phar tar error: unable to add magic metadata file to manifest for file \\\"%s\\\"\", entry->filename);\n\t\treturn ZEND_HASH_APPLY_STOP;\n\t}\n\n\treturn phar_tar_setmetadata(entry->metadata, metadata, error TSRMLS_CC);\n}", "project": "php-src", "hash": 153135198116639192409190982573066325212, "size": 57, "commit_id": "07c7df68bd68bbe706371fccc77c814ebb335d9e", "message": "Fixed bug #71488: Stack overflow when decompressing tar archives", "target": 0, "dataset": "other", "idx": 355579 }, { "func": "static bool check_simple_equality(THD *thd, const Item::Context &ctx,\n Item *left_item, Item *right_item,\n COND_EQUAL *cond_equal)\n{\n Item *orig_left_item= left_item;\n Item *orig_right_item= right_item;\n if (left_item->type() == Item::REF_ITEM &&\n ((Item_ref*)left_item)->ref_type() == Item_ref::VIEW_REF)\n {\n if (((Item_ref*)left_item)->get_depended_from())\n return FALSE;\n if (((Item_direct_view_ref*)left_item)->get_null_ref_table() !=\n NO_NULL_TABLE && !left_item->real_item()->used_tables())\n return FALSE;\n left_item= left_item->real_item();\n }\n if (right_item->type() == Item::REF_ITEM &&\n ((Item_ref*)right_item)->ref_type() == Item_ref::VIEW_REF)\n {\n if 
(((Item_ref*)right_item)->get_depended_from())\n return FALSE;\n if (((Item_direct_view_ref*)right_item)->get_null_ref_table() !=\n NO_NULL_TABLE && !right_item->real_item()->used_tables())\n return FALSE;\n right_item= right_item->real_item();\n }\n if (left_item->type() == Item::FIELD_ITEM &&\n right_item->type() == Item::FIELD_ITEM &&\n !((Item_field*)left_item)->get_depended_from() &&\n !((Item_field*)right_item)->get_depended_from())\n {\n /* The predicate the form field1=field2 is processed */\n\n Field *left_field= ((Item_field*) left_item)->field;\n Field *right_field= ((Item_field*) right_item)->field;\n\n if (!left_field->eq_def(right_field))\n return FALSE;\n\n /* Search for multiple equalities containing field1 and/or field2 */\n bool left_copyfl, right_copyfl;\n Item_equal *left_item_equal=\n find_item_equal(cond_equal, left_field, &left_copyfl);\n Item_equal *right_item_equal= \n find_item_equal(cond_equal, right_field, &right_copyfl);\n\n /* As (NULL=NULL) != TRUE we can't just remove the predicate f=f */\n if (left_field->eq(right_field)) /* f = f */\n return (!(left_field->maybe_null() && !left_item_equal)); \n\n if (left_item_equal && left_item_equal == right_item_equal)\n {\n /* \n The equality predicate is inference of one of the existing\n multiple equalities, i.e the condition is already covered\n by upper level equalities\n */\n return TRUE;\n }\n \n /* Copy the found multiple equalities at the current level if needed */\n if (left_copyfl)\n {\n /* left_item_equal of an upper level contains left_item */\n left_item_equal= new (thd->mem_root) Item_equal(thd, left_item_equal);\n left_item_equal->set_context_field(((Item_field*) left_item));\n cond_equal->current_level.push_back(left_item_equal, thd->mem_root);\n }\n if (right_copyfl)\n {\n /* right_item_equal of an upper level contains right_item */\n right_item_equal= new (thd->mem_root) Item_equal(thd, right_item_equal);\n right_item_equal->set_context_field(((Item_field*) right_item));\n 
cond_equal->current_level.push_back(right_item_equal, thd->mem_root);\n }\n\n if (left_item_equal)\n { \n /* left item was found in the current or one of the upper levels */\n if (! right_item_equal)\n left_item_equal->add(orig_right_item, thd->mem_root);\n else\n {\n /* Merge two multiple equalities forming a new one */\n left_item_equal->merge(thd, right_item_equal);\n /* Remove the merged multiple equality from the list */\n List_iterator li(cond_equal->current_level);\n while ((li++) != right_item_equal) ;\n li.remove();\n }\n }\n else\n { \n /* left item was not found neither the current nor in upper levels */\n if (right_item_equal)\n right_item_equal->add(orig_left_item, thd->mem_root);\n else \n {\n /* None of the fields was found in multiple equalities */\n Type_handler_hybrid_field_type\n tmp(orig_left_item->type_handler_for_comparison());\n if (tmp.aggregate_for_comparison(orig_right_item->\n type_handler_for_comparison()))\n return false;\n Item_equal *item_equal=\n new (thd->mem_root) Item_equal(thd, tmp.type_handler(),\n orig_left_item, orig_right_item,\n false);\n item_equal->set_context_field((Item_field*)left_item);\n cond_equal->current_level.push_back(item_equal, thd->mem_root);\n }\n }\n return TRUE;\n }\n\n {\n /* The predicate of the form field=const/const=field is processed */\n Item *const_item= 0;\n Item_field *field_item= 0;\n Item *orig_field_item= 0;\n if (left_item->type() == Item::FIELD_ITEM &&\n !((Item_field*)left_item)->get_depended_from() &&\n right_item->const_item() && !right_item->is_expensive())\n {\n orig_field_item= orig_left_item;\n field_item= (Item_field *) left_item;\n const_item= right_item;\n }\n else if (right_item->type() == Item::FIELD_ITEM &&\n !((Item_field*)right_item)->get_depended_from() &&\n left_item->const_item() && !left_item->is_expensive())\n {\n orig_field_item= orig_right_item;\n field_item= (Item_field *) right_item;\n const_item= left_item;\n }\n\n if (const_item &&\n 
field_item->field->test_if_equality_guarantees_uniqueness(const_item))\n {\n /*\n field_item and const_item are arguments of a scalar or a row\n comparison function:\n WHERE column=constant\n WHERE (column, ...) = (constant, ...)\n\n The owner comparison function has previously called fix_fields(),\n so field_item and const_item should be directly comparable items,\n field_item->cmp_context and const_item->cmp_context should be set.\n In case of string comparison, charsets and collations of\n field_item and const_item should have already be aggregated\n for comparison, all necessary character set converters installed\n and fixed.\n\n In case of string comparison, const_item can be either:\n - a weaker constant that does not need to be converted to field_item:\n WHERE latin1_field = 'latin1_const'\n WHERE varbinary_field = 'latin1_const'\n WHERE latin1_bin_field = 'latin1_general_ci_const'\n - a stronger constant that does not need to be converted to field_item:\n WHERE latin1_field = binary 0xDF\n WHERE latin1_field = 'a' COLLATE latin1_bin\n - a result of conversion (e.g. 
from the session character set)\n to the character set of field_item:\n WHERE latin1_field = 'utf8_string_with_latin1_repertoire'\n */\n bool copyfl;\n\n Item_equal *item_equal = find_item_equal(cond_equal,\n field_item->field, ©fl);\n if (copyfl)\n {\n item_equal= new (thd->mem_root) Item_equal(thd, item_equal);\n cond_equal->current_level.push_back(item_equal, thd->mem_root);\n item_equal->set_context_field(field_item);\n }\n Item *const_item2= field_item->field->get_equal_const_item(thd, ctx,\n const_item);\n if (!const_item2)\n return false;\n\n if (item_equal)\n {\n /* \n The flag cond_false will be set to 1 after this, if item_equal\n already contains a constant and its value is not equal to\n the value of const_item.\n */\n item_equal->add_const(thd, const_item2);\n }\n else\n {\n Type_handler_hybrid_field_type\n tmp(orig_left_item->type_handler_for_comparison());\n if (tmp.aggregate_for_comparison(orig_right_item->\n type_handler_for_comparison()))\n return false;\n item_equal= new (thd->mem_root) Item_equal(thd, tmp.type_handler(),\n const_item2,\n orig_field_item, true);\n item_equal->set_context_field(field_item);\n cond_equal->current_level.push_back(item_equal, thd->mem_root);\n }\n return TRUE;\n }\n }\n return FALSE;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 153494287750128385621824172442218759396, "size": 208, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508430 }, { "func": " void make_sort_key(uchar *to, Item *item, const SORT_FIELD_ATTR *sort_field,\n Sort_param *param) const\n {\n type_handler()->make_sort_key(to, item, sort_field, param);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 326605207482876328164382387625345044796, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509039 }, { "func": "UnicodeStringTest::TestStartsWithAndEndsWithNulTerminated() {\n UnicodeString test(\"abcde\");\n const UChar ab[] = { 0x61, 0x62, 0 };\n const UChar de[] = { 0x64, 0x65, 0 };\n assertTrue(\"abcde.startsWith(ab, -1)\", test.startsWith(ab, -1));\n assertTrue(\"abcde.startsWith(ab, 0, -1)\", test.startsWith(ab, 0, -1));\n assertTrue(\"abcde.endsWith(de, -1)\", test.endsWith(de, -1));\n assertTrue(\"abcde.endsWith(de, 0, -1)\", test.endsWith(de, 0, -1));\n}", "project": "icu", "hash": 325115717449807060244858716044847006724, "size": 9, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430785 }, { "func": "QList LanLinkProvider::getBroadcastAddresses()\n{\n const QStringList customDevices = KdeConnectConfig::instance().customDevices();\n\n QList destinations;\n destinations.reserve(customDevices.length() + 1);\n\n // Default broadcast address\n destinations.append(m_testMode ? 
QHostAddress::LocalHost : QHostAddress::Broadcast);\n\n // Custom device addresses\n for (auto& customDevice : customDevices) {\n QHostAddress address(customDevice);\n if (address.isNull()) {\n qCWarning(KDECONNECT_CORE) << \"Invalid custom device address\" << customDevice;\n } else {\n destinations.append(address);\n }\n }\n\n return destinations;\n}", "project": "kdeconnect-kde", "hash": 163977344334958127853855311306436508406, "size": 22, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227367 }, { "func": "JOIN::optimize_inner()\n{\n DBUG_ENTER(\"JOIN::optimize_inner\");\n subq_exit_fl= false;\n do_send_rows = (unit->select_limit_cnt) ? 1 : 0;\n\n DEBUG_SYNC(thd, \"before_join_optimize\");\n\n THD_STAGE_INFO(thd, stage_optimizing);\n\n set_allowed_join_cache_types();\n need_distinct= TRUE;\n\n /*\n Needed in case optimizer short-cuts,\n set properly in make_aggr_tables_info()\n */\n fields= &select_lex->item_list;\n\n if (select_lex->first_cond_optimization)\n {\n //Do it only for the first execution\n /* Merge all mergeable derived tables/views in this SELECT. 
*/\n if (select_lex->handle_derived(thd->lex, DT_MERGE))\n DBUG_RETURN(TRUE); \n table_count= select_lex->leaf_tables.elements;\n }\n\n if (select_lex->first_cond_optimization &&\n transform_in_predicates_into_in_subq(thd))\n DBUG_RETURN(1);\n\n // Update used tables after all handling derived table procedures\n select_lex->update_used_tables();\n\n /*\n In fact we transform underlying subqueries after their 'prepare' phase and\n before 'optimize' from upper query 'optimize' to allow semijoin\n conversion happened (which done in the same way.\n */\n if (select_lex->first_cond_optimization &&\n conds && conds->walk(&Item::exists2in_processor, 0, thd))\n DBUG_RETURN(1);\n /*\n TODO\n make view to decide if it is possible to write to WHERE directly or make Semi-Joins able to process ON condition if it is possible\n for (TABLE_LIST *tbl= tables_list; tbl; tbl= tbl->next_local)\n {\n if (tbl->on_expr &&\n tbl->on_expr->walk(&Item::exists2in_processor, 0, thd))\n DBUG_RETURN(1);\n }\n */\n\n if (transform_max_min_subquery())\n DBUG_RETURN(1); /* purecov: inspected */\n\n if (select_lex->first_cond_optimization)\n {\n /* dump_TABLE_LIST_graph(select_lex, select_lex->leaf_tables); */\n if (convert_join_subqueries_to_semijoins(this))\n DBUG_RETURN(1); /* purecov: inspected */\n /* dump_TABLE_LIST_graph(select_lex, select_lex->leaf_tables); */\n select_lex->update_used_tables();\n }\n \n eval_select_list_used_tables();\n\n table_count= select_lex->leaf_tables.elements;\n\n if (select_lex->options & OPTION_SCHEMA_TABLE &&\n optimize_schema_tables_memory_usage(select_lex->leaf_tables))\n DBUG_RETURN(1);\n\n if (setup_ftfuncs(select_lex)) /* should be after having->fix_fields */\n DBUG_RETURN(-1);\n\n row_limit= ((select_distinct || order || group_list) ? 
HA_POS_ERROR :\n\t unit->select_limit_cnt);\n /* select_limit is used to decide if we are likely to scan the whole table */\n select_limit= unit->select_limit_cnt;\n if (having || (select_options & OPTION_FOUND_ROWS))\n select_limit= HA_POS_ERROR;\n#ifdef HAVE_REF_TO_FIELDS\t\t\t// Not done yet\n /* Add HAVING to WHERE if possible */\n if (having && !group_list && !sum_func_count)\n {\n if (!conds)\n {\n conds= having;\n having= 0;\n }\n else if ((conds=new (thd->mem_root) Item_cond_and(conds,having)))\n {\n /*\n Item_cond_and can't be fixed after creation, so we do not check\n conds->fixed\n */\n conds->fix_fields(thd, &conds);\n conds->change_ref_to_fields(thd, tables_list);\n conds->top_level_item();\n having= 0;\n }\n }\n#endif\n\n SELECT_LEX *sel= select_lex;\n if (sel->first_cond_optimization)\n {\n /*\n The following code will allocate the new items in a permanent\n MEMROOT for prepared statements and stored procedures.\n\n But first we need to ensure that thd->lex->explain is allocated\n in the execution arena\n */\n create_explain_query_if_not_exists(thd->lex, thd->mem_root);\n\n Query_arena *arena, backup;\n arena= thd->activate_stmt_arena_if_needed(&backup);\n\n sel->first_cond_optimization= 0;\n\n /* Convert all outer joins to inner joins if possible */\n conds= simplify_joins(this, join_list, conds, TRUE, FALSE);\n if (thd->is_error() || select_lex->save_leaf_tables(thd))\n {\n if (arena)\n thd->restore_active_arena(arena, &backup);\n DBUG_RETURN(1);\n }\n build_bitmap_for_nested_joins(join_list, 0);\n\n sel->prep_where= conds ? 
conds->copy_andor_structure(thd) : 0;\n\n sel->where= conds;\n\n select_lex->update_used_tables();\n\n if (arena)\n thd->restore_active_arena(arena, &backup);\n }\n \n if (optimize_constant_subqueries())\n DBUG_RETURN(1);\n\n if (conds && conds->with_subquery())\n (void) conds->walk(&Item::cleanup_is_expensive_cache_processor,\n 0, (void *) 0);\n if (having && having->with_subquery())\n (void) having->walk(&Item::cleanup_is_expensive_cache_processor,\n\t\t\t0, (void *) 0);\n\n if (setup_jtbm_semi_joins(this, join_list, &conds))\n DBUG_RETURN(1);\n\n if (select_lex->cond_pushed_into_where)\n {\n conds= and_conds(thd, conds, select_lex->cond_pushed_into_where);\n if (conds && conds->fix_fields(thd, &conds))\n DBUG_RETURN(1);\n }\n if (select_lex->cond_pushed_into_having)\n {\n having= and_conds(thd, having, select_lex->cond_pushed_into_having);\n if (having)\n {\n select_lex->having_fix_field= 1;\n select_lex->having_fix_field_for_pushed_cond= 1;\n if (having->fix_fields(thd, &having))\n DBUG_RETURN(1);\n select_lex->having_fix_field= 0;\n select_lex->having_fix_field_for_pushed_cond= 0;\n }\n }\n \n bool ignore_on_expr= false;\n /*\n PS/SP note: on_expr of versioned table can not be reallocated\n (see build_equal_items() below) because it can be not rebuilt\n at second invocation.\n */\n if (!thd->stmt_arena->is_conventional() && thd->mem_root != thd->stmt_arena->mem_root)\n for (TABLE_LIST *tbl= tables_list; tbl; tbl= tbl->next_local)\n if (tbl->table && tbl->on_expr && tbl->table->versioned())\n {\n ignore_on_expr= true;\n break;\n }\n conds= optimize_cond(this, conds, join_list, ignore_on_expr,\n &cond_value, &cond_equal, OPT_LINK_EQUAL_FIELDS);\n \n if (thd->is_error())\n {\n error= 1;\n DBUG_PRINT(\"error\",(\"Error from optimize_cond\"));\n DBUG_RETURN(1);\n }\n\n if (optimizer_flag(thd, OPTIMIZER_SWITCH_COND_PUSHDOWN_FOR_DERIVED))\n {\n TABLE_LIST *tbl;\n List_iterator_fast li(select_lex->leaf_tables);\n while ((tbl= li++))\n {\n /* \n Do not push conditions 
from where into materialized inner tables\n of outer joins: this is not valid.\n */\n if (tbl->is_materialized_derived())\n {\n JOIN *join= tbl->get_unit()->first_select()->join;\n if (join &&\n join->optimization_state == JOIN::OPTIMIZATION_PHASE_1_DONE &&\n join->with_two_phase_optimization)\n continue;\n /*\n Do not push conditions from where into materialized inner tables\n of outer joins: this is not valid.\n */\n if (!tbl->is_inner_table_of_outer_join())\n\t{\n if (pushdown_cond_for_derived(thd, conds, tbl))\n\t DBUG_RETURN(1);\n }\n\tif (mysql_handle_single_derived(thd->lex, tbl, DT_OPTIMIZE))\n\t DBUG_RETURN(1);\n }\n }\n }\n else\n {\n /* Run optimize phase for all derived tables/views used in this SELECT. */\n if (select_lex->handle_derived(thd->lex, DT_OPTIMIZE))\n DBUG_RETURN(1);\n }\n\n {\n having= optimize_cond(this, having, join_list, TRUE,\n &having_value, &having_equal);\n\n if (unlikely(thd->is_error()))\n {\n error= 1;\n DBUG_PRINT(\"error\",(\"Error from optimize_cond\"));\n DBUG_RETURN(1);\n }\n if (select_lex->where)\n {\n select_lex->cond_value= cond_value;\n if (sel->where != conds && cond_value == Item::COND_OK)\n thd->change_item_tree(&sel->where, conds);\n } \n if (select_lex->having)\n {\n select_lex->having_value= having_value;\n if (sel->having != having && having_value == Item::COND_OK)\n thd->change_item_tree(&sel->having, having); \n }\n if (cond_value == Item::COND_FALSE || having_value == Item::COND_FALSE || \n (!unit->select_limit_cnt && !(select_options & OPTION_FOUND_ROWS)))\n {\t\t\t\t\t\t/* Impossible cond */\n if (unit->select_limit_cnt)\n {\n DBUG_PRINT(\"info\", (having_value == Item::COND_FALSE ?\n \"Impossible HAVING\" : \"Impossible WHERE\"));\n zero_result_cause= having_value == Item::COND_FALSE ?\n \"Impossible HAVING\" : \"Impossible WHERE\";\n }\n else\n {\n DBUG_PRINT(\"info\", (\"Zero limit\"));\n zero_result_cause= \"Zero limit\";\n }\n table_count= top_join_tab_count= 0;\n 
handle_implicit_grouping_with_window_funcs();\n error= 0;\n subq_exit_fl= true;\n goto setup_subq_exit;\n }\n }\n\n#ifdef WITH_PARTITION_STORAGE_ENGINE\n {\n TABLE_LIST *tbl;\n List_iterator_fast li(select_lex->leaf_tables);\n while ((tbl= li++))\n {\n Item **prune_cond= get_sargable_cond(this, tbl->table);\n tbl->table->all_partitions_pruned_away=\n prune_partitions(thd, tbl->table, *prune_cond);\n }\n }\n#endif\n\n /* \n Try to optimize count(*), MY_MIN() and MY_MAX() to const fields if\n there is implicit grouping (aggregate functions but no\n group_list). In this case, the result set shall only contain one\n row. \n */\n if (tables_list && implicit_grouping)\n {\n int res;\n /*\n opt_sum_query() returns HA_ERR_KEY_NOT_FOUND if no rows match\n to the WHERE conditions,\n or 1 if all items were resolved (optimized away),\n or 0, or an error number HA_ERR_...\n\n If all items were resolved by opt_sum_query, there is no need to\n open any tables.\n */\n if ((res=opt_sum_query(thd, select_lex->leaf_tables, all_fields, conds)))\n {\n DBUG_ASSERT(res >= 0);\n if (res == HA_ERR_KEY_NOT_FOUND)\n {\n DBUG_PRINT(\"info\",(\"No matching min/max row\"));\n\tzero_result_cause= \"No matching min/max row\";\n table_count= top_join_tab_count= 0;\n\terror=0;\n subq_exit_fl= true;\n handle_implicit_grouping_with_window_funcs();\n goto setup_subq_exit;\n }\n if (res > 1)\n {\n error= res;\n DBUG_PRINT(\"error\",(\"Error from opt_sum_query\"));\n DBUG_RETURN(1);\n }\n\n DBUG_PRINT(\"info\",(\"Select tables optimized away\"));\n if (!select_lex->have_window_funcs())\n zero_result_cause= \"Select tables optimized away\";\n tables_list= 0;\t\t\t\t// All tables resolved\n select_lex->min_max_opt_list.empty();\n const_tables= top_join_tab_count= table_count;\n handle_implicit_grouping_with_window_funcs();\n /*\n Extract all table-independent conditions and replace the WHERE\n clause with them. 
All other conditions were computed by opt_sum_query\n and the MIN/MAX/COUNT function(s) have been replaced by constants,\n so there is no need to compute the whole WHERE clause again.\n Notice that make_cond_for_table() will always succeed to remove all\n computed conditions, because opt_sum_query() is applicable only to\n conjunctions.\n Preserve conditions for EXPLAIN.\n */\n if (conds && !(thd->lex->describe & DESCRIBE_EXTENDED))\n {\n COND *table_independent_conds=\n make_cond_for_table(thd, conds, PSEUDO_TABLE_BITS, 0, -1,\n FALSE, FALSE);\n DBUG_EXECUTE(\"where\",\n print_where(table_independent_conds,\n \"where after opt_sum_query()\",\n QT_ORDINARY););\n conds= table_independent_conds;\n }\n }\n }\n if (!tables_list)\n {\n DBUG_PRINT(\"info\",(\"No tables\"));\n error= 0;\n subq_exit_fl= true;\n goto setup_subq_exit;\n }\n error= -1;\t\t\t\t\t// Error is sent to client\n /* get_sort_by_table() call used to be here: */\n MEM_UNDEFINED(&sort_by_table, sizeof(sort_by_table));\n\n /*\n We have to remove constants and duplicates from group_list before\n calling make_join_statistics() as this may call get_best_group_min_max()\n which needs a simplfied group_list.\n */\n if (group_list && table_count == 1)\n {\n group_list= remove_const(this, group_list, conds,\n rollup.state == ROLLUP::STATE_NONE,\n &simple_group);\n if (unlikely(thd->is_error()))\n {\n error= 1;\n DBUG_RETURN(1);\n }\n if (!group_list)\n {\n /* The output has only one row */\n order=0;\n simple_order=1;\n group_optimized_away= 1;\n select_distinct=0;\n }\n }\n \n /* Calculate how to do the join */\n THD_STAGE_INFO(thd, stage_statistics);\n result->prepare_to_read_rows();\n if (unlikely(make_join_statistics(this, select_lex->leaf_tables,\n &keyuse)) ||\n unlikely(thd->is_fatal_error))\n {\n DBUG_PRINT(\"error\",(\"Error: make_join_statistics() failed\"));\n DBUG_RETURN(1);\n }\n\n /*\n If a splittable materialized derived/view dt_i is embedded into\n into another splittable materialized 
derived/view dt_o then\n splitting plans for dt_i and dt_o are evaluated independently.\n First the optimizer looks for the best splitting plan sp_i for dt_i.\n It happens when non-splitting plans for dt_o are evaluated.\n The cost of sp_i is considered as the cost of materialization of dt_i\n when evaluating any splitting plan for dt_o.\n */\n if (fix_all_splittings_in_plan())\n DBUG_RETURN(1);\n\nsetup_subq_exit:\n with_two_phase_optimization= check_two_phase_optimization(thd);\n if (with_two_phase_optimization)\n optimization_state= JOIN::OPTIMIZATION_PHASE_1_DONE;\n else\n {\n if (optimize_stage2())\n DBUG_RETURN(1);\n }\n DBUG_RETURN(0);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 115172256208858184880640637977680335900, "size": 433, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508743 }, { "func": "HttpStateData::closeServer()\n{\n debugs(11,5, HERE << \"closing HTTP server \" << serverConnection << \" this \" << this);\n\n if (Comm::IsConnOpen(serverConnection)) {\n fwd->unregister(serverConnection);\n comm_remove_close_handler(serverConnection->fd, closeHandler);\n closeHandler = NULL;\n serverConnection->close();\n }\n}", "project": "squid", "hash": 45561339651173854019651682695696258863, "size": 11, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402328 }, { "func": "DLLEXPORT int DLLCALL tjCompressFromYUVPlanes(tjhandle handle,\n\tconst unsigned char **srcPlanes, int width, const int *strides, int height,\n\tint subsamp, unsigned char **jpegBuf, unsigned long *jpegSize, int jpegQual,\n\tint flags)\n{\n\tint i, row, retval=0, alloc=1; JSAMPROW *inbuf[MAX_COMPONENTS];\n\tint pw[MAX_COMPONENTS], ph[MAX_COMPONENTS], iw[MAX_COMPONENTS],\n\t\ttmpbufsize=0, usetmpbuf=0, th[MAX_COMPONENTS];\n\tJSAMPLE *_tmpbuf=NULL, *ptr; JSAMPROW *tmpbuf[MAX_COMPONENTS];\n\n\tgetcinstance(handle)\n\n\tfor(i=0; iinit&COMPRESS)==0)\n\t\t_throw(\"tjCompressFromYUVPlanes(): Instance has not been initialized for compression\");\n\n\tif(!srcPlanes || !srcPlanes[0] || width<=0 || 
height<=0 || subsamp<0\n\t\t|| subsamp>=NUMSUBOPT || jpegBuf==NULL || jpegSize==NULL || jpegQual<0\n\t\t|| jpegQual>100)\n\t\t_throw(\"tjCompressFromYUVPlanes(): Invalid argument\");\n\tif(subsamp!=TJSAMP_GRAY && (!srcPlanes[1] || !srcPlanes[2]))\n\t\t_throw(\"tjCompressFromYUVPlanes(): Invalid argument\");\n\n\tif(setjmp(this->jerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. */\n\t\tretval=-1; goto bailout;\n\t}\n\n\tcinfo->image_width=width;\n\tcinfo->image_height=height;\n\n#ifndef NO_PUTENV\n\tif(flags&TJFLAG_FORCEMMX) putenv(\"JSIMD_FORCEMMX=1\");\n\telse if(flags&TJFLAG_FORCESSE) putenv(\"JSIMD_FORCESSE=1\");\n\telse if(flags&TJFLAG_FORCESSE2) putenv(\"JSIMD_FORCESSE2=1\");\n#endif\n\n\tif(flags&TJFLAG_NOREALLOC)\n\t{\n\t\talloc=0; *jpegSize=tjBufSize(width, height, subsamp);\n\t}\n\tjpeg_mem_dest_tj(cinfo, jpegBuf, jpegSize, alloc);\n\tif(setCompDefaults(cinfo, TJPF_RGB, subsamp, jpegQual, flags)==-1)\n\t\treturn -1;\n\tcinfo->raw_data_in=TRUE;\n\n\tjpeg_start_compress(cinfo, TRUE);\n\tfor(i=0; inum_components; i++)\n\t{\n\t\tjpeg_component_info *compptr=&cinfo->comp_info[i];\n\t\tint ih;\n\t\tiw[i]=compptr->width_in_blocks*DCTSIZE;\n\t\tih=compptr->height_in_blocks*DCTSIZE;\n\t\tpw[i]=PAD(cinfo->image_width, cinfo->max_h_samp_factor)\n\t\t\t*compptr->h_samp_factor/cinfo->max_h_samp_factor;\n\t\tph[i]=PAD(cinfo->image_height, cinfo->max_v_samp_factor)\n\t\t\t*compptr->v_samp_factor/cinfo->max_v_samp_factor;\n\t\tif(iw[i]!=pw[i] || ih!=ph[i]) usetmpbuf=1;\n\t\tth[i]=compptr->v_samp_factor*DCTSIZE;\n\t\ttmpbufsize+=iw[i]*th[i];\n\t\tif((inbuf[i]=(JSAMPROW *)malloc(sizeof(JSAMPROW)*ph[i]))==NULL)\n\t\t\t_throw(\"tjCompressFromYUVPlanes(): Memory allocation failure\");\n\t\tptr=(JSAMPLE *)srcPlanes[i];\n\t\tfor(row=0; rownum_components; i++)\n\t\t{\n\t\t\tif((tmpbuf[i]=(JSAMPROW *)malloc(sizeof(JSAMPROW)*th[i]))==NULL)\n\t\t\t\t_throw(\"tjCompressFromYUVPlanes(): Memory allocation failure\");\n\t\t\tfor(row=0; 
rowjerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. */\n\t\tretval=-1; goto bailout;\n\t}\n\n\tfor(row=0; row<(int)cinfo->image_height;\n\t\trow+=cinfo->max_v_samp_factor*DCTSIZE)\n\t{\n\t\tJSAMPARRAY yuvptr[MAX_COMPONENTS];\n\t\tint crow[MAX_COMPONENTS];\n\t\tfor(i=0; inum_components; i++)\n\t\t{\n\t\t\tjpeg_component_info *compptr=&cinfo->comp_info[i];\n\t\t\tcrow[i]=row*compptr->v_samp_factor/cinfo->max_v_samp_factor;\n\t\t\tif(usetmpbuf)\n\t\t\t{\n\t\t\t\tint j, k;\n\t\t\t\tfor(j=0; jmax_v_samp_factor*DCTSIZE);\n\t}\n\tjpeg_finish_compress(cinfo);\n\n\tbailout:\n\tif(cinfo->global_state>CSTATE_START) jpeg_abort_compress(cinfo);\n\tfor(i=0; ijerr.warning) retval=-1;\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 39071198681370066869549936521465455753, "size": 138, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311109 }, { "func": "static void devm_input_device_unregister(struct device *dev, void *res)\n{\n\tstruct input_devres *devres = res;\n\tstruct input_dev *input = devres->input;\n\n\tdev_dbg(dev, \"%s: unregistering device %s\\n\",\n\t\t__func__, dev_name(&input->dev));\n\t__input_unregister_device(input);\n}", "project": "linux", "hash": 325115997830938561028127413754270920096, "size": 9, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353359 }, { "func": "static int tiocgwinsz(struct tty_struct *tty, struct winsize __user *arg)\n{\n\tint err;\n\n\tmutex_lock(&tty->winsize_mutex);\n\terr = copy_to_user(arg, &tty->winsize, sizeof(*arg));\n\tmutex_unlock(&tty->winsize_mutex);\n\n\treturn err ? -EFAULT: 0;\n}", "project": "linux", "hash": 205935320521264944322285757067627086386, "size": 10, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326015 }, { "func": "int hci_get_random_address(struct hci_dev *hdev, bool require_privacy,\n\t\t\t bool use_rpa, struct adv_info *adv_instance,\n\t\t\t u8 *own_addr_type, bdaddr_t *rand_addr)\n{\n\tint err;\n\n\tbacpy(rand_addr, BDADDR_ANY);\n\n\t/* If privacy is enabled use a resolvable private address. 
If\n\t * current RPA has expired then generate a new one.\n\t */\n\tif (use_rpa) {\n\t\tint to;\n\n\t\t/* If Controller supports LL Privacy use own address type is\n\t\t * 0x03\n\t\t */\n\t\tif (use_ll_privacy(hdev))\n\t\t\t*own_addr_type = ADDR_LE_DEV_RANDOM_RESOLVED;\n\t\telse\n\t\t\t*own_addr_type = ADDR_LE_DEV_RANDOM;\n\n\t\tif (adv_instance) {\n\t\t\tif (!adv_instance->rpa_expired &&\n\t\t\t !bacmp(&adv_instance->random_addr, &hdev->rpa))\n\t\t\t\treturn 0;\n\n\t\t\tadv_instance->rpa_expired = false;\n\t\t} else {\n\t\t\tif (!hci_dev_test_and_clear_flag(hdev, HCI_RPA_EXPIRED) &&\n\t\t\t !bacmp(&hdev->random_addr, &hdev->rpa))\n\t\t\t\treturn 0;\n\t\t}\n\n\t\terr = smp_generate_rpa(hdev, hdev->irk, &hdev->rpa);\n\t\tif (err < 0) {\n\t\t\tbt_dev_err(hdev, \"failed to generate new RPA\");\n\t\t\treturn err;\n\t\t}\n\n\t\tbacpy(rand_addr, &hdev->rpa);\n\n\t\tto = msecs_to_jiffies(hdev->rpa_timeout * 1000);\n\t\tif (adv_instance)\n\t\t\tqueue_delayed_work(hdev->workqueue,\n\t\t\t\t\t &adv_instance->rpa_expired_cb, to);\n\t\telse\n\t\t\tqueue_delayed_work(hdev->workqueue,\n\t\t\t\t\t &hdev->rpa_expired, to);\n\n\t\treturn 0;\n\t}\n\n\t/* In case of required privacy without resolvable private address,\n\t * use an non-resolvable private address. This is useful for\n\t * non-connectable advertising.\n\t */\n\tif (require_privacy) {\n\t\tbdaddr_t nrpa;\n\n\t\twhile (true) {\n\t\t\t/* The non-resolvable private address is generated\n\t\t\t * from random six bytes with the two most significant\n\t\t\t * bits cleared.\n\t\t\t */\n\t\t\tget_random_bytes(&nrpa, 6);\n\t\t\tnrpa.b[5] &= 0x3f;\n\n\t\t\t/* The non-resolvable private address shall not be\n\t\t\t * equal to the public address.\n\t\t\t */\n\t\t\tif (bacmp(&hdev->bdaddr, &nrpa))\n\t\t\t\tbreak;\n\t\t}\n\n\t\t*own_addr_type = ADDR_LE_DEV_RANDOM;\n\t\tbacpy(rand_addr, &nrpa);\n\n\t\treturn 0;\n\t}\n\n\t/* No privacy so use a public address. 
*/\n\t*own_addr_type = ADDR_LE_DEV_PUBLIC;\n\n\treturn 0;\n}", "project": "linux", "hash": 97141383337398042544402889815913202610, "size": 86, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402571 }, { "func": "CServer::CServer() : m_DemoRecorder(&m_SnapshotDelta)\n{\n\tm_TickSpeed = SERVER_TICK_SPEED;\n\n\tm_pGameServer = 0;\n\n\tm_CurrentGameTick = 0;\n\tm_RunServer = 1;\n\n\tm_pCurrentMapData = 0;\n\tm_CurrentMapSize = 0;\n\n\tm_NumMapEntries = 0;\n\tm_pFirstMapEntry = 0;\n\tm_pLastMapEntry = 0;\n\tm_pMapListHeap = 0;\n\n\tm_MapReload = 0;\n\n\tm_RconClientID = IServer::RCON_CID_SERV;\n\tm_RconAuthLevel = AUTHED_ADMIN;\n\n\tm_RconPasswordSet = 0;\n\tm_GeneratedRconPassword = 0;\n\n\tInit();\n}", "project": "teeworlds", "hash": 144778052180885982412250613658105757860, "size": 27, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382023 }, { "func": "static void fuse_prepare_release(struct fuse_inode *fi, struct fuse_file *ff,\n\t\t\t\t int flags, int opcode)\n{\n\tstruct fuse_conn *fc = ff->fm->fc;\n\tstruct fuse_release_args *ra = ff->release_args;\n\n\t/* Inode is NULL on 
error path of fuse_create_open() */\n\tif (likely(fi)) {\n\t\tspin_lock(&fi->lock);\n\t\tlist_del(&ff->write_entry);\n\t\tspin_unlock(&fi->lock);\n\t}\n\tspin_lock(&fc->lock);\n\tif (!RB_EMPTY_NODE(&ff->polled_node))\n\t\trb_erase(&ff->polled_node, &fc->polled_files);\n\tspin_unlock(&fc->lock);\n\n\twake_up_interruptible_all(&ff->poll_wait);\n\n\tra->inarg.fh = ff->fh;\n\tra->inarg.flags = flags;\n\tra->args.in_numargs = 1;\n\tra->args.in_args[0].size = sizeof(struct fuse_release_in);\n\tra->args.in_args[0].value = &ra->inarg;\n\tra->args.opcode = opcode;\n\tra->args.nodeid = ff->nodeid;\n\tra->args.force = true;\n\tra->args.nocreds = true;\n}", "project": "linux", "hash": 190953665715234826874392045829645098430, "size": 29, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342083 }, { "func": "static inline int hid_hw_raw_request(struct hid_device *hdev,\n\t\t\t\t unsigned char reportnum, __u8 *buf,\n\t\t\t\t size_t len, unsigned char rtype, int reqtype)\n{\n\tif (len < 1 || len > HID_MAX_BUFFER_SIZE || !buf)\n\t\treturn -EINVAL;\n\n\treturn hdev->ll_driver->raw_request(hdev, reportnum, buf, len,\n\t\t\t\t\t\t rtype, reqtype);\n}", "project": "linux", "hash": 240164872132410291410154083601531969646, "size": 10, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458332 }, { "project": "phosphor-host-ipmid", "commit_id": "b265455a2518ece7c004b43c144199ec980fc620", "target": 0, "func": "PasswdMgr::PasswdMgr()\n{\n initPasswordMap();\n}", "idx": 519586, "cwe": "CWE-276", "hash": 260518766949662350085991708776853648039, "dataset": "other" }, { "func": "static void 
ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat)\n{\n\tget_random_bytes(crypt_stat->key, crypt_stat->key_size);\n\tcrypt_stat->flags |= ECRYPTFS_KEY_VALID;\n\tecryptfs_compute_root_iv(crypt_stat);\n\tif (unlikely(ecryptfs_verbosity > 0)) {\n\t\tecryptfs_printk(KERN_DEBUG, \"Generated new session key:\\n\");\n\t\tecryptfs_dump_hex(crypt_stat->key,\n\t\t\t\t crypt_stat->key_size);\n\t}\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 85180783205936356261730278110206089280, "size": 11, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. 
Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490204 }, { "func": "static ut64 bbBegin(RAnalFunction *fcn, ut64 addr) {\n\tRListIter *iter;\n\tRAnalBlock *bb;\n\tr_list_foreach (fcn->bbs, iter, bb) {\n\t\tif (R_BETWEEN (bb->addr, addr, bb->addr + bb->size - 1)) {\n\t\t\treturn bb->addr;\n\t\t}\n\t}\n\treturn UT64_MAX;\n}", "project": "radare2", "hash": 278693676005512659238856180143867002892, "size": 10, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232096 }, { "func": "uint8_t intsetFind(intset *is, int64_t value) {\n uint8_t valenc = _intsetValueEncoding(value);\n return valenc <= intrev32ifbe(is->encoding) && intsetSearch(is,value,NULL);\n}", "project": "redis", "hash": 250046900483006003232253624465477258311, "size": 4, "commit_id": "789f10156009b404950ad717642a9496ed887083", "message": "Fix integer overflow in intset (CVE-2021-29478)\n\nAn integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and\npotentially result with remote code execution.\n\nThe vulnerability involves changing the default set-max-intset-entries\nconfiguration value, creating a large set key that consists of integer values\nand using the COPY command to duplicate it.\n\nThe integer overflow bug exists in all versions of Redis starting with 2.6,\nwhere it could result with a corrupted RDB or DUMP payload, but not exploited\nthrough COPY (which did not exist before 6.2).\n\n(cherry picked from commit 29900d4e6bccdf3691bedf0ea9a5d84863fa3592)", "target": 0, "dataset": "other", "idx": 290640 }, { "func": "static int exif_file_sections_add(image_info_type *ImageInfo, int type,\n size_t size, unsigned char 
*data) {\n file_section *tmp;\n int count = ImageInfo->file.count;\n size_t realloc_size = (count+1) * sizeof(file_section);\n tmp = (file_section *)IM_REALLOC(ImageInfo->file.list, realloc_size);\n CHECK_ALLOC_R(tmp, realloc_size, -1);\n ImageInfo->file.list = tmp;\n ImageInfo->file.list[count].type = 0xFFFF;\n ImageInfo->file.list[count].data = nullptr;\n ImageInfo->file.list[count].size = 0;\n ImageInfo->file.count = count+1;\n if (!size) {\n data = nullptr;\n } else if (data == nullptr) {\n data = (unsigned char *)IM_MALLOC(size);\n if (data == nullptr) IM_FREE(tmp);\n CHECK_ALLOC_R(data, size, -1);\n }\n ImageInfo->file.list[count].type = type;\n ImageInfo->file.list[count].data = data;\n ImageInfo->file.list[count].size = size;\n return count;\n}", "project": "hhvm", "hash": 174201721798010025006860836984010373145, "size": 24, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219653 }, { "func": "static int fuse_getattr(const struct path *path, struct kstat *stat,\n\t\t\tu32 request_mask, unsigned int flags)\n{\n\tstruct inode *inode = d_inode(path->dentry);\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\n\tif (fuse_is_bad(inode))\n\t\treturn -EIO;\n\n\tif (!fuse_allow_current_process(fc)) {\n\t\tif (!request_mask) {\n\t\t\t/*\n\t\t\t * If user explicitly requested *nothing* then don't\n\t\t\t * error out, but return st_dev only.\n\t\t\t */\n\t\t\tstat->result_mask = 0;\n\t\t\tstat->dev = inode->i_sb->s_dev;\n\t\t\treturn 0;\n\t\t}\n\t\treturn -EACCES;\n\t}\n\n\treturn fuse_update_get_attr(inode, NULL, stat, request_mask, flags);\n}", "project": "linux", "hash": 217175065209009935601062239343747698124, "size": 24, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then 
attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341954 }, { "func": "static int queue_pages_pmd(pmd_t *pmd, spinlock_t *ptl, unsigned long addr,\n\t\t\t\tunsigned long end, struct mm_walk *walk)\n{\n\tint ret = 0;\n\tstruct page *page;\n\tstruct queue_pages *qp = walk->private;\n\tunsigned long flags;\n\n\tif (unlikely(is_pmd_migration_entry(*pmd))) {\n\t\tret = -EIO;\n\t\tgoto unlock;\n\t}\n\tpage = pmd_page(*pmd);\n\tif (is_huge_zero_page(page)) {\n\t\tspin_unlock(ptl);\n\t\t__split_huge_pmd(walk->vma, pmd, addr, false, NULL);\n\t\tret = 2;\n\t\tgoto out;\n\t}\n\tif (!queue_pages_required(page, qp))\n\t\tgoto unlock;\n\n\tflags = qp->flags;\n\t/* go to thp migration */\n\tif (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)) {\n\t\tif (!vma_migratable(walk->vma) ||\n\t\t migrate_page_add(page, qp->pagelist, flags)) {\n\t\t\tret = 1;\n\t\t\tgoto unlock;\n\t\t}\n\t} else\n\t\tret = -EIO;\nunlock:\n\tspin_unlock(ptl);\nout:\n\treturn ret;\n}", "project": "linux", "hash": 265211601252348552132872566324871536702, "size": 37, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option 
string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366762 }, { "func": "int svm_allocate_nested(struct vcpu_svm *svm)\n{\n\tstruct page *hsave_page;\n\n\tif (svm->nested.initialized)\n\t\treturn 0;\n\n\thsave_page = alloc_page(GFP_KERNEL_ACCOUNT | __GFP_ZERO);\n\tif (!hsave_page)\n\t\treturn -ENOMEM;\n\tsvm->nested.hsave = page_address(hsave_page);\n\n\tsvm->nested.msrpm = svm_vcpu_alloc_msrpm();\n\tif (!svm->nested.msrpm)\n\t\tgoto err_free_hsave;\n\tsvm_vcpu_init_msrpm(&svm->vcpu, svm->nested.msrpm);\n\n\tsvm->nested.initialized = true;\n\treturn 0;\n\nerr_free_hsave:\n\t__free_page(hsave_page);\n\treturn -ENOMEM;\n}", "project": "linux", "hash": 13158309708895124681581054669807590540, "size": 24, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. 
Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376649 }, { "func": "int blosc2_compress_ctx(blosc2_context* context, const void* src, int32_t srcsize,\n void* dest, int32_t destsize) {\n int error, cbytes;\n\n if (context->do_compress != 1) {\n fprintf(stderr, \"Context is not meant for compression. Giving up.\\n\");\n return -10;\n }\n\n error = initialize_context_compression(\n context, src, srcsize, dest, destsize,\n context->clevel, context->filters, context->filters_meta,\n context->typesize, context->compcode, context->blocksize,\n context->new_nthreads, context->nthreads, context->schunk);\n if (error <= 0) {\n return error;\n }\n\n /* Write the extended header */\n error = write_compression_header(context, true);\n if (error < 0) {\n return error;\n }\n\n cbytes = blosc_compress_context(context);\n if (cbytes < 0) {\n return cbytes;\n }\n\n if (context->use_dict && context->dict_cdict == NULL) {\n\n if (context->compcode != BLOSC_ZSTD) {\n const char* compname;\n compname = clibcode_to_clibname(context->compcode);\n fprintf(stderr, \"Codec %s does not support dicts. 
Giving up.\\n\",\n compname);\n return -20;\n }\n\n#ifdef HAVE_ZSTD\n // Build the dictionary out of the filters outcome and compress with it\n int32_t dict_maxsize = BLOSC2_MAXDICTSIZE;\n // Do not make the dict more than 5% larger than uncompressed buffer\n if (dict_maxsize > srcsize / 20) {\n dict_maxsize = srcsize / 20;\n }\n void* samples_buffer = context->dest + BLOSC_EXTENDED_HEADER_LENGTH;\n unsigned nblocks = 8; // the minimum that accepts zstd as of 1.4.0\n unsigned sample_fraction = 1; // 1 allows to use most of the chunk for training\n size_t sample_size = context->sourcesize / nblocks / sample_fraction;\n\n // Populate the samples sizes for training the dictionary\n size_t* samples_sizes = malloc(nblocks * sizeof(void*));\n for (size_t i = 0; i < nblocks; i++) {\n samples_sizes[i] = sample_size;\n }\n\n // Train from samples\n void* dict_buffer = malloc(dict_maxsize);\n size_t dict_actual_size = ZDICT_trainFromBuffer(dict_buffer, dict_maxsize, samples_buffer, samples_sizes, nblocks);\n\n // TODO: experiment with parameters of low-level fast cover algorithm\n // Note that this API is still unstable. 
See: https://github.com/facebook/zstd/issues/1599\n // ZDICT_fastCover_params_t fast_cover_params;\n // memset(&fast_cover_params, 0, sizeof(fast_cover_params));\n // fast_cover_params.d = nblocks;\n // fast_cover_params.steps = 4;\n // fast_cover_params.zParams.compressionLevel = context->clevel;\n //size_t dict_actual_size = ZDICT_optimizeTrainFromBuffer_fastCover(dict_buffer, dict_maxsize, samples_buffer, samples_sizes, nblocks, &fast_cover_params);\n\n if (ZDICT_isError(dict_actual_size) != ZSTD_error_no_error) {\n fprintf(stderr, \"Error in ZDICT_trainFromBuffer(): '%s'.\"\n \" Giving up.\\n\", ZDICT_getErrorName(dict_actual_size));\n return -20;\n }\n assert(dict_actual_size > 0);\n free(samples_sizes);\n\n // Update bytes counter and pointers to bstarts for the new compressed buffer\n context->bstarts = (int32_t*)(context->dest + BLOSC_EXTENDED_HEADER_LENGTH);\n context->output_bytes = BLOSC_EXTENDED_HEADER_LENGTH +\n sizeof(int32_t) * context->nblocks;\n /* Write the size of trained dict at the end of bstarts */\n _sw32(context->dest + context->output_bytes, (int32_t)dict_actual_size);\n context->output_bytes += sizeof(int32_t);\n /* Write the trained dict afterwards */\n context->dict_buffer = context->dest + context->output_bytes;\n memcpy(context->dict_buffer, dict_buffer, (unsigned int)dict_actual_size);\n context->dict_cdict = ZSTD_createCDict(dict_buffer, dict_actual_size, 1); // TODO: use get_accel()\n free(dict_buffer); // the dictionary is copied in the header now\n context->output_bytes += (int32_t)dict_actual_size;\n context->dict_size = dict_actual_size;\n\n /* Compress with dict */\n cbytes = blosc_compress_context(context);\n\n // Invalidate the dictionary for compressing other chunks using the same context\n context->dict_buffer = NULL;\n ZSTD_freeCDict(context->dict_cdict);\n context->dict_cdict = NULL;\n#endif // HAVE_ZSTD\n }\n\n return cbytes;\n}", "project": "c-blosc2", "hash": 335533780045120971316140042230184357818, "size": 105, 
"commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303081 }, { "func": "static bool notify_marshall_changes(int num_changes,\n\t\t\t\tuint32_t max_offset,\n\t\t\t\tstruct notify_change_event *changes,\n\t\t\t\tDATA_BLOB *final_blob)\n{\n\tint i;\n\n\tif (num_changes == -1) {\n\t\treturn false;\n\t}\n\n\t/*\n\t * Sort the notifies by timestamp when the event happened to avoid\n\t * coalescing and thus dropping events.\n\t */\n\n\tqsort(changes, num_changes,\n\t sizeof(*changes), compare_notify_change_events);\n\n\tfor (i=0; iname;\n\t\tm.FileNameLength = strlen_m(c->name)*2;\n\t\tm.Action = c->action;\n\n\t\tm._pad = data_blob_null;\n\n\t\t/*\n\t\t * Offset to next entry, only if there is one\n\t\t */\n\n\t\tif (i == (num_changes-1)) {\n\t\t\tm.NextEntryOffset = 0;\n\t\t} else {\n\t\t\tif ((m.FileNameLength % 4) == 2) {\n\t\t\t\tm._pad = data_blob_const(&pad, 2);\n\t\t\t}\n\t\t\tm.NextEntryOffset =\n\t\t\t\tndr_size_FILE_NOTIFY_INFORMATION(&m, 0);\n\t\t}\n\n\t\tndr_err = ndr_push_struct_blob(&blob, talloc_tos(), &m,\n\t\t\t(ndr_push_flags_fn_t)ndr_push_FILE_NOTIFY_INFORMATION);\n\t\tif (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {\n\t\t\treturn false;\n\t\t}\n\n\t\tif (DEBUGLEVEL >= 10) {\n\t\t\tNDR_PRINT_DEBUG(FILE_NOTIFY_INFORMATION, &m);\n\t\t}\n\n\t\tif (!data_blob_append(talloc_tos(), final_blob,\n\t\t\t\t blob.data, blob.length)) {\n\t\t\tdata_blob_free(&blob);\n\t\t\treturn false;\n\t\t}\n\n\t\tdata_blob_free(&blob);\n\n\t\tif (final_blob->length > max_offset) {\n\t\t\t/* Too much data for client. 
*/\n\t\t\tDEBUG(10, (\"Client only wanted %d bytes, trying to \"\n\t\t\t\t \"marshall %d bytes\\n\", (int)max_offset,\n\t\t\t\t (int)final_blob->length));\n\t\t\treturn False;\n\t\t}\n\t}\n\n\treturn True;\n}", "project": "samba", "hash": 161763711552429455744653336975349940955, "size": 84, "commit_id": "c300a85848350635e7ddd8129b31c4d439dc0f8a", "message": "s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.\n\nRemove knownfail entry.\n\nCVE-2020-14318\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14434\n\nSigned-off-by: Jeremy Allison ", "target": 0, "dataset": "other", "idx": 279688 }, { "func": "exif_process_unicode(image_info_type* /*ImageInfo*/, xp_field_type* xp_field,\n int tag, char* szValuePtr, int ByteCount) {\n xp_field->tag = tag;\n xp_field->value = nullptr;\n\n /* Copy the comment */\n xp_field->size =\n exif_process_string_raw(&xp_field->value, szValuePtr, ByteCount);\n return xp_field->size;\n}", "project": "hhvm", "hash": 156528621085726906062879468668910025552, "size": 10, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219277 }, { "func": "static int exif_process_string_raw(char **result, char *value,\n size_t byte_count) {\n /* we cannot use strlcpy - here the problem is that we have to copy NUL\n * chars up to byte_count, we also have to add a single NUL character to\n * force end of string.\n */\n *result = 0;\n if (byte_count) {\n (*result) = (char*)IM_MALLOC(byte_count + 1);\n CHECK_ALLOC_R((*result), byte_count + 1, 0);\n memcpy(*result, value, byte_count);\n (*result)[byte_count] = '\\0';\n return byte_count+1;\n }\n return 0;\n}", "project": "hhvm", "hash": 76304707216232047211309237580046950804, "size": 16, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", 
"target": 0, "dataset": "other", "idx": 219641 }, { "func": "static bool checkreturn pb_field_find(pb_field_iterator_t *iter, uint32_t tag)\n{\n unsigned start = iter->field_index;\n \n do {\n if (iter->pos->tag == tag &&\n PB_LTYPE(iter->pos->type) != PB_LTYPE_EXTENSION)\n {\n return true;\n }\n (void)pb_field_next(iter);\n } while (iter->field_index != start);\n \n return false;\n}", "project": "nanopb", "hash": 49773237196998985239789850384941011649, "size": 15, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255351 }, { "func": "static inline void flush_slab(struct kmem_cache *s, struct kmem_cache_cpu *c)\n{\n\tstat(s, CPUSLAB_FLUSH);\n\tdeactivate_slab(s, c->page, c->freelist, c);\n\n\tc->tid = next_tid(c->tid);\n}", "project": "linux", "hash": 296321973908472270006020954600156809103, "size": 7, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280021 }, { "func": "static void extend_tile_hint(int x, int y, int tw, int th, hint_t *hint) {\n\tint w = dpy_x - x;\n\tint h = dpy_y - y;\n\n\tif (w > tw) {\n\t\tw = tw;\n\t}\n\tif (h > th) {\n\t\th = th;\n\t}\n\n\tif (hint->x > x) {\t\t\t/* extend to the left */\n\t\thint->w += hint->x - x;\n\t\thint->x = x;\n\t}\n\tif (hint->y > y) {\t\t\t/* extend upward */\n\t\thint->h += hint->y - y;\n\t\thint->y = y;\n\t}\n\n\tif (hint->x + hint->w < x + w) {\t/* extend to the right */\n\t\thint->w = x + w - hint->x;\n\t}\n\tif (hint->y + hint->h < y + h) {\t/* extend downward */\n\t\thint->h = y + h - hint->y;\n\t}\n}", "project": "x11vnc", "hash": 119673652027394651759251736149352879800, "size": 27, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360751 }, { "func": "int udp_v4_get_port(struct sock *sk, unsigned short snum)\n{\n\tunsigned int hash2_nulladdr =\n\t\tudp4_portaddr_hash(sock_net(sk), htonl(INADDR_ANY), snum);\n\tunsigned int hash2_partial =\n\t\tudp4_portaddr_hash(sock_net(sk), inet_sk(sk)->inet_rcv_saddr, 0);\n\n\t/* precompute partial secondary hash */\n\tudp_sk(sk)->udp_portaddr_hash = hash2_partial;\n\treturn udp_lib_get_port(sk, snum, hash2_nulladdr);\n}", "project": "net", "hash": 151400986298755169961359550276902544678, "size": 11, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram 
exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468942 }, { "func": "static int can_open_cached(struct nfs4_state *state, fmode_t mode,\n\t\tint open_mode, enum open_claim_type4 claim)\n{\n\tint ret = 0;\n\n\tif (open_mode & (O_EXCL|O_TRUNC))\n\t\tgoto out;\n\tswitch (claim) {\n\tcase NFS4_OPEN_CLAIM_NULL:\n\tcase NFS4_OPEN_CLAIM_FH:\n\t\tgoto out;\n\tdefault:\n\t\tbreak;\n\t}\n\tswitch (mode & (FMODE_READ|FMODE_WRITE)) {\n\t\tcase FMODE_READ:\n\t\t\tret |= test_bit(NFS_O_RDONLY_STATE, &state->flags) != 0\n\t\t\t\t&& state->n_rdonly != 0;\n\t\t\tbreak;\n\t\tcase FMODE_WRITE:\n\t\t\tret |= test_bit(NFS_O_WRONLY_STATE, &state->flags) != 0\n\t\t\t\t&& state->n_wronly != 0;\n\t\t\tbreak;\n\t\tcase FMODE_READ|FMODE_WRITE:\n\t\t\tret |= test_bit(NFS_O_RDWR_STATE, &state->flags) != 0\n\t\t\t\t&& state->n_rdwr != 0;\n\t}\nout:\n\treturn ret;\n}", "project": "linux", "hash": 246990328818459499604221018106405313555, "size": 30, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431148 
}, { "func": "int imap_parse_path(const char *path, struct ConnAccount *cac, char *mailbox, size_t mailboxlen)\n{\n static unsigned short ImapPort = 0;\n static unsigned short ImapsPort = 0;\n\n if (ImapPort == 0)\n {\n struct servent *service = getservbyname(\"imap\", \"tcp\");\n if (service)\n ImapPort = ntohs(service->s_port);\n else\n ImapPort = IMAP_PORT;\n mutt_debug(LL_DEBUG3, \"Using default IMAP port %d\\n\", ImapPort);\n }\n\n if (ImapsPort == 0)\n {\n struct servent *service = getservbyname(\"imaps\", \"tcp\");\n if (service)\n ImapsPort = ntohs(service->s_port);\n else\n ImapsPort = IMAP_SSL_PORT;\n mutt_debug(LL_DEBUG3, \"Using default IMAPS port %d\\n\", ImapsPort);\n }\n\n /* Defaults */\n cac->port = ImapPort;\n cac->type = MUTT_ACCT_TYPE_IMAP;\n cac->service = \"imap\";\n cac->get_field = imap_get_field;\n\n struct Url *url = url_parse(path);\n if (!url)\n return -1;\n\n if ((url->scheme != U_IMAP) && (url->scheme != U_IMAPS))\n {\n url_free(&url);\n return -1;\n }\n\n if ((mutt_account_fromurl(cac, url) < 0) || (cac->host[0] == '\\0'))\n {\n url_free(&url);\n return -1;\n }\n\n if (url->scheme == U_IMAPS)\n cac->flags |= MUTT_ACCT_SSL;\n\n mutt_str_copy(mailbox, url->path, mailboxlen);\n\n url_free(&url);\n\n if ((cac->flags & MUTT_ACCT_SSL) && !(cac->flags & MUTT_ACCT_PORT))\n cac->port = ImapsPort;\n\n return 0;\n}", "project": "neomutt", "hash": 245962638811503431483220554072113482273, "size": 59, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. 
In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399273 }, { "func": "CallResult JSObject::addOwnProperty(\n Handle selfHandle,\n Runtime *runtime,\n SymbolID name,\n DefinePropertyFlags dpFlags,\n Handle<> valueOrAccessor,\n PropOpFlags opFlags) {\n /// Can we add more properties?\n if (!selfHandle->isExtensible() && !opFlags.getInternalForce()) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n TwineChar16(\"Cannot add new property '\") +\n runtime->getIdentifierTable().getStringViewForDev(runtime, name) +\n \"'\");\n }\n return false;\n }\n\n PropertyFlags flags{};\n\n // Accessors don't set writeable.\n if (dpFlags.isAccessor()) {\n dpFlags.setWritable = 0;\n flags.accessor = 1;\n }\n\n // Override the default flags if specified.\n if (dpFlags.setEnumerable)\n flags.enumerable = dpFlags.enumerable;\n if (dpFlags.setWritable)\n flags.writable = dpFlags.writable;\n if (dpFlags.setConfigurable)\n flags.configurable = dpFlags.configurable;\n flags.internalSetter = dpFlags.enableInternalSetter;\n\n if (LLVM_UNLIKELY(\n addOwnPropertyImpl(\n selfHandle, runtime, name, flags, valueOrAccessor) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n\n return true;\n}", "project": "hermes", "hash": 319024032739484883296904164376119433974, "size": 44, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230191 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " void Stop() {\n EXPECT_CALL(*vc_impl_, StopCapture(capture_client()))\n .Times(1)\n .WillOnce(CaptureStopped(capture_client(), vc_impl_.get()));\n EXPECT_CALL(*vc_manager_, RemoveDevice(_, _))\n .WillOnce(Return());\n decoder_->Stop(media::NewExpectedClosure());\n message_loop_->RunAllPending();\n }\n", "cwe": "", "big_vul_idx": 113326, "idx": 101619, "hash": 325217385028523296404348103827126279365 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " void Stop() {\n decoder_->Stop(NewExpectedClosure());\n message_loop_.RunAllPending();\n }\n", "cwe": "", "big_vul_idx": 113345, "idx": 101637, "hash": 303212272361948453679631719685754801194 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "void VideoRendererBase::Stop(const base::Closure& callback) {\n if (state_ == kStopped) {\n callback.Run();\n return;\n }\n\n base::PlatformThreadHandle thread_to_join = base::kNullThreadHandle;\n {\n base::AutoLock auto_lock(lock_);\n state_ = kStopped;\n\n statistics_cb_.Reset();\n time_cb_.Reset();\n if (!pending_paint_ && !pending_paint_with_last_available_)\n DoStopOrError_Locked();\n\n if (thread_ != base::kNullThreadHandle) {\n frame_available_.Signal();\n thread_to_join = thread_;\n thread_ = base::kNullThreadHandle;\n }\n }\n if (thread_to_join != base::kNullThreadHandle)\n base::PlatformThread::Join(thread_to_join);\n\n decoder_->Stop(callback);\n}\n", "cwe": "", "big_vul_idx": 113362, "idx": 101651, "hash": 335686209415329829059489509246752806981 }, { "func": "otError 
Commissioner::Stop(void)\n{\n otError error = OT_ERROR_NONE;\n\n VerifyOrExit(mState != OT_COMMISSIONER_STATE_DISABLED, error = OT_ERROR_INVALID_STATE);\n\n Get().Stop();\n\n Get().RemoveUnicastAddress(mCommissionerAloc);\n RemoveCoapResources();\n ClearJoiners();\n mTransmitAttempts = 0;\n\n mTimer.Stop();\n Get().Stop();\n\n SetState(OT_COMMISSIONER_STATE_DISABLED);\n\n SendKeepAlive();\n\nexit:\n return error;\n}", "project": "openthread", "hash": 312813283350293124571581633106983911491, "size": 23, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269870 }, { "func": "Status GraphConstructor::PopulateMissingUnusedInputMapKeys() {\n if (missing_unused_input_map_keys_ == nullptr) return Status::OK();\n for (const auto& input_map_pair : opts_.input_map) {\n TensorId key = input_map_pair.first;\n if (used_input_map_keys_.count(key) > 0) continue;\n\n auto pair = gdef_nodes_.find(key.first);\n if (pair == gdef_nodes_.end()) {\n // key's node doesn't exist in GraphDef\n missing_unused_input_map_keys_->push_back(key);\n continue;\n }\n\n // Check that key's index is in bounds. 
Get the number of outputs from the\n // NodeDef, rather than the imported Node, since the Node may not exist if\n // opts_.skip_mapped_nodes is true.\n const NodeDef& node_def = get_node_def(pair->second.gdef_index);\n const OpDef* op_def;\n TF_RETURN_IF_ERROR(g_->op_registry()->LookUpOpDef(node_def.op(), &op_def));\n int num_outputs;\n TF_RETURN_IF_ERROR(NumOutputsForNode(node_def, *op_def, &num_outputs));\n if (key.second >= num_outputs) {\n // key's index out of bounds\n missing_unused_input_map_keys_->push_back(key);\n }\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 309408765839045300351367252658650037148, "size": 28, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268339 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "PeriodicWave* AudioContext::createPeriodicWave(DOMFloat32Array* real, DOMFloat32Array* imag, ExceptionState& exceptionState)\n{\n ASSERT(isMainThread());\n\n if (!real) {\n exceptionState.throwDOMException(\n SyntaxError,\n \"invalid real array\");\n return 0;\n }\n\n if (!imag) {\n exceptionState.throwDOMException(\n SyntaxError,\n \"invalid imaginary array\");\n return 0;\n }\n\n if (real->length() != imag->length()) {\n exceptionState.throwDOMException(\n IndexSizeError,\n \"length of real array (\" + String::number(real->length())\n + \") and length of imaginary array (\" + String::number(imag->length())\n + \") must match.\");\n return 0;\n }\n\n if (real->length() > 4096) {\n exceptionState.throwDOMException(\n IndexSizeError,\n \"length of real array (\" + String::number(real->length())\n + \") exceeds allowed maximum of 4096\");\n return 0;\n }\n\n if (imag->length() > 4096) {\n exceptionState.throwDOMException(\n IndexSizeError,\n \"length of imaginary array (\" + String::number(imag->length())\n + \") exceeds allowed maximum of 4096\");\n return 0;\n }\n\n return PeriodicWave::create(sampleRate(), real, imag);\n}\n", "cwe": "", "big_vul_idx": 139643, "idx": 124795, "hash": 23939873744456838826056161749781307979 }, { "func": "TfLiteIntArray* TfLiteIntArrayCreate(int size) {\n TfLiteIntArray* ret =\n (TfLiteIntArray*)malloc(TfLiteIntArrayGetSizeInBytes(size));\n ret->size = size;\n return ret;\n}", "project": "tensorflow", "hash": 242700938325897026893971319335076679091, "size": 6, "commit_id": "7c8cc4ec69cd348e44ad6a2699057ca88faad3e5", 
"message": "Fix a dangerous integer overflow and a malloc of negative size.\n\nPiperOrigin-RevId: 371254154\nChange-Id: I250a98a3df26328770167025670235a963a72da0", "target": 1, "dataset": "other", "idx": 197460 }, { "func": "int RGWAsioFrontend::run()\n{\n return impl->run();\n}", "project": "ceph", "hash": 206486544576486704850558305361744323330, "size": 4, "commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves CVE-2020-1700 (moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384558 }, { "func": "\nstatic void io_poll_task_func(struct callback_head *cb)\n{\n\tstruct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tstruct io_kiocb *nxt;\n\n\tif (io_poll_rewait(req, &req->poll)) {\n\t\tspin_unlock_irq(&ctx->completion_lock);\n\t} else {\n\t\tbool done;\n\n\t\tdone = io_poll_complete(req, req->result);\n\t\tif (done) {\n\t\t\thash_del(&req->hash_node);\n\t\t} else {\n\t\t\treq->result = 0;\n\t\t\tadd_wait_queue(req->poll.head, &req->poll.wait);\n\t\t}\n\t\tspin_unlock_irq(&ctx->completion_lock);\n\t\tio_cqring_ev_posted(ctx);\n\n\t\tif (done) {\n\t\t\tnxt = io_put_req_find_next(req);\n\t\t\tif (nxt)\n\t\t\t\t__io_req_task_submit(nxt);\n\t\t}\n\t}", "project": "linux", "hash": 120312759474319220733032376543110164805, "size": 28, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338521 }, { "func": "static int SFAddScriptLangIndex(SplineFont *_sf,uint32 script,uint32 lang) {\n int i;\n SplineFont1 *sf;\n\n if ( _sf->cidmaster ) _sf = _sf->cidmaster;\n else if ( _sf->mm!=NULL ) _sf=_sf->mm->normal;\n\n if ( _sf->sfd_version>=2 )\n\tIError( \"SFFindBiggestScriptLangIndex called with bad version number.\\n\" );\n\n sf = (SplineFont1 *) _sf;\n\n if ( script==0 ) script=DEFAULT_SCRIPT;\n if ( lang==0 ) lang=DEFAULT_LANG;\n if ( sf->script_lang==NULL )\n\tsf->script_lang = calloc(2,sizeof(struct script_record *));\n for ( i=0; sf->script_lang[i]!=NULL; ++i ) {\n\tif ( sf->script_lang[i][0].script==script && sf->script_lang[i][1].script==0 &&\n\t\tsf->script_lang[i][0].langs[0]==lang &&\n\t\tsf->script_lang[i][0].langs[1]==0 )\nreturn( i );\n }\n sf->script_lang = realloc(sf->script_lang,(i+2)*sizeof(struct script_record *));\n sf->script_lang[i] = calloc(2,sizeof(struct script_record));\n sf->script_lang[i][0].script = script;\n sf->script_lang[i][0].langs = malloc(2*sizeof(uint32));\n sf->script_lang[i][0].langs[0] = lang;\n sf->script_lang[i][0].langs[1] = 0;\n sf->script_lang[i+1] = NULL;\n sf->sli_cnt = i+1;\nreturn( i );\n}", "project": "fontforge", "hash": 166702086412753282811876453520766656000, "size": 32, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the 
SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417884 }, { "func": "static void svm_vcpu_blocking(struct kvm_vcpu *vcpu)\n{\n\tavic_set_running(vcpu, false);\n}", "project": "linux", "hash": 52055008557035900484304289013766047093, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432571 }, { "func": "int trace_array_get(struct trace_array *this_tr)\n{\n\tstruct trace_array *tr;\n\tint ret = -ENODEV;\n\n\tmutex_lock(&trace_types_lock);\n\tlist_for_each_entry(tr, &ftrace_trace_arrays, list) {\n\t\tif (tr == this_tr) {\n\t\t\ttr->ref++;\n\t\t\tret = 0;\n\t\t\tbreak;\n\t\t}\n\t}\n\tmutex_unlock(&trace_types_lock);\n\n\treturn ret;\n}", "project": "linux", "hash": 247718955106092341004363291298389335309, "size": 17, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445738 }, { "func": "\nstatic void io_buffer_unmap(struct io_ring_ctx *ctx, struct io_mapped_ubuf **slot)\n{\n\tstruct io_mapped_ubuf *imu = *slot;\n\tunsigned int i;\n\n\tif (imu != ctx->dummy_ubuf) {\n\t\tfor (i = 0; i < imu->nr_bvecs; i++)\n\t\t\tunpin_user_page(imu->bvec[i].bv_page);\n\t\tif (imu->acct_pages)\n\t\t\tio_unaccount_mem(ctx, imu->acct_pages);\n\t\tkvfree(imu);\n\t}\n\t*slot = NULL;", "project": "linux", "hash": 56896847070655834204215779136105213397, "size": 14, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338557 }, { "func": "void hci_req_add_le_scan_disable(struct hci_request *req, bool rpa_le_conn)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\n\tif (hdev->scanning_paused) {\n\t\tbt_dev_dbg(hdev, \"Scanning is paused for suspend\");\n\t\treturn;\n\t}\n\n\tif (hdev->suspended)\n\t\tset_bit(SUSPEND_SCAN_DISABLE, hdev->suspend_tasks);\n\n\tif (use_ext_scan(hdev)) {\n\t\tstruct hci_cp_le_set_ext_scan_enable cp;\n\n\t\tmemset(&cp, 0, sizeof(cp));\n\t\tcp.enable = LE_SCAN_DISABLE;\n\t\thci_req_add(req, HCI_OP_LE_SET_EXT_SCAN_ENABLE, sizeof(cp),\n\t\t\t &cp);\n\t} else {\n\t\tstruct hci_cp_le_set_scan_enable cp;\n\n\t\tmemset(&cp, 0, sizeof(cp));\n\t\tcp.enable = LE_SCAN_DISABLE;\n\t\thci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);\n\t}\n\n\t/* Disable address resolution */\n\tif (use_ll_privacy(hdev) &&\n\t hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY) &&\n\t hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION) && !rpa_le_conn) {\n\t\t__u8 enable = 0x00;\n\n\t\thci_req_add(req, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE, 1, &enable);\n\t}\n}", "project": "linux", "hash": 132528992851937876131691667040504181029, "size": 36, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and 
removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402477 }, { "func": "inline bool IsNextIteration(const NodeDef& node_def) {\n return node_def.op() == \"NextIteration\" ||\n node_def.op() == \"RefNextIteration\";\n}", "project": "tensorflow", "hash": 318340772513347026692897265181855011840, "size": 4, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268313 }, { "func": "unsigned long gfn_to_hva_memslot(struct kvm_memory_slot *slot,\n\t\t\t\t\tgfn_t gfn)\n{\n\treturn gfn_to_hva_many(slot, gfn, NULL);\n}", "project": "linux", "hash": 224996587356748189616262771439577807396, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354629 }, { "func": "static void set_abs(struct input_dev *input, unsigned int code,\n\t\tstruct hid_field *field, int snratio)\n{\n\tint fmin = field->logical_minimum;\n\tint fmax = field->logical_maximum;\n\tint fuzz = snratio ? 
(fmax - fmin) / snratio : 0;\n\tinput_set_abs_params(input, code, fmin, fmax, fuzz, 0);\n\tinput_abs_set_res(input, code, hidinput_calc_abs_res(field, code));\n}", "project": "linux", "hash": 74814423871987154391093115452586584043, "size": 9, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458364 }, { "func": "static void pipe_start_flow_control(struct sock *sk)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\n\tif (!pn_flow_safe(pn->tx_fc)) {\n\t\tatomic_set(&pn->tx_credits, 1);\n\t\tsk->sk_write_space(sk);\n\t}\n\tpipe_grant_credits(sk, GFP_ATOMIC);\n}", "project": "linux", "hash": 50452768351061172199719876857278256809, "size": 10, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224813 }, { "func": "static int remove_dup_with_compare(THD *thd, 
TABLE *table, Field **first_field,\n\t\t\t\t Item *having)\n{\n handler *file=table->file;\n uchar *record=table->record[0];\n int error;\n DBUG_ENTER(\"remove_dup_with_compare\");\n\n if (unlikely(file->ha_rnd_init_with_error(1)))\n DBUG_RETURN(1);\n\n error= file->ha_rnd_next(record);\n for (;;)\n {\n if (unlikely(thd->check_killed()))\n {\n error=0;\n goto err;\n }\n if (unlikely(error))\n {\n if (error == HA_ERR_END_OF_FILE)\n\tbreak;\n goto err;\n }\n if (having && !having->val_int())\n {\n if (unlikely((error= file->ha_delete_row(record))))\n\tgoto err;\n error= file->ha_rnd_next(record);\n continue;\n }\n if (unlikely(copy_blobs(first_field)))\n {\n my_message(ER_OUTOFMEMORY, ER_THD(thd,ER_OUTOFMEMORY),\n MYF(ME_FATALERROR));\n error=0;\n goto err;\n }\n store_record(table,record[1]);\n\n /* Read through rest of file and mark duplicated rows deleted */\n bool found=0;\n for (;;)\n {\n if (unlikely((error= file->ha_rnd_next(record))))\n {\n\tif (error == HA_ERR_END_OF_FILE)\n\t break;\n\tgoto err;\n }\n if (compare_record(table, first_field) == 0)\n {\n\tif (unlikely((error= file->ha_delete_row(record))))\n\t goto err;\n }\n else if (!found)\n {\n\tfound=1;\n if (unlikely((error= file->remember_rnd_pos())))\n goto err;\n }\n }\n if (!found)\n break;\t\t\t\t\t// End of file\n /* Restart search on saved row */\n if (unlikely((error= file->restart_rnd_next(record))))\n goto err;\n }\n\n file->extra(HA_EXTRA_NO_CACHE);\n (void) file->ha_rnd_end();\n DBUG_RETURN(0);\nerr:\n file->extra(HA_EXTRA_NO_CACHE);\n (void) file->ha_rnd_end();\n if (error)\n file->print_error(error,MYF(0));\n DBUG_RETURN(1);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 193635984437641111260949664020834387153, "size": 80, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508571 }, { "func": "static inline int tcp_is_sack(const struct tcp_sock *tp)\n{\n\treturn tp->rx_opt.sack_ok;\n}", "project": "linux", "hash": 263032445218131986773740755536480388883, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. 
For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410718 }, { "func": "static int __init setup_transparent_hugepage(char *str)\n{\n\tint ret = 0;\n\tif (!str)\n\t\tgoto out;\n\tif (!strcmp(str, \"always\")) {\n\t\tset_bit(TRANSPARENT_HUGEPAGE_FLAG,\n\t\t\t&transparent_hugepage_flags);\n\t\tclear_bit(TRANSPARENT_HUGEPAGE_REQ_MADV_FLAG,\n\t\t\t &transparent_hugepage_flags);\n\t\tret = 1;\n\t} else if (!strcmp(str, \"madvise\")) {\n\t\tclear_bit(TRANSPARENT_HUGEPAGE_FLAG,\n\t\t\t &transparent_hugepage_flags);\n\t\tset_bit(TRANSPARENT_HUGEPAGE_REQ_MADV_FLAG,\n\t\t\t&transparent_hugepage_flags);\n\t\tret = 1;\n\t} else if (!strcmp(str, \"never\")) {\n\t\tclear_bit(TRANSPARENT_HUGEPAGE_FLAG,\n\t\t\t &transparent_hugepage_flags);\n\t\tclear_bit(TRANSPARENT_HUGEPAGE_REQ_MADV_FLAG,\n\t\t\t &transparent_hugepage_flags);\n\t\tret = 1;\n\t}\nout:\n\tif (!ret)\n\t\tpr_warn(\"transparent_hugepage= cannot parse, ignored\\n\");\n\treturn ret;\n}", "project": "linux", "hash": 17651940938395678189154367406651721132, "size": 29, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. 
This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. 
Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364187 }, { "func": "static void simple_free_urb(struct urb *urb)\n{\n\tunsigned long offset = buffer_offset(urb->transfer_buffer);\n\n\tif (urb->transfer_flags & URB_NO_TRANSFER_DMA_MAP)\n\t\tusb_free_coherent(\n\t\t\turb->dev,\n\t\t\turb->transfer_buffer_length + offset,\n\t\t\turb->transfer_buffer - offset,\n\t\t\turb->transfer_dma - offset);\n\telse\n\t\tkfree(urb->transfer_buffer - offset);\n\tusb_free_urb(urb);\n}", "project": "linux", "hash": 34674359728043525646230379660946005336, "size": 14, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] 
bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412247 }, { "func": "void CClientAuth::RefusedLogin(const CString& sReason) {\n if (m_pClient) {\n m_pClient->RefuseLogin(sReason);\n }\n}", "project": "znc", "hash": 80577779010813245348343298044611536169, "size": 5, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231608 }, { "func": "void CWebAuth::RefusedLogin(const CString& sReason) {\n if (m_pWebSock) {\n std::shared_ptr spSession = m_pWebSock->GetSession();\n\n spSession->AddError(\"Invalid login!\");\n spSession->SetUser(nullptr);\n\n m_pWebSock->SetLoggedIn(false);\n m_pWebSock->UnPauseRead();\n if (m_bBasic) {\n m_pWebSock->AddHeader(\"WWW-Authenticate\", \"Basic realm=\\\"ZNC\\\"\");\n m_pWebSock->CHTTPSock::PrintErrorPage(\n 401, \"Unauthorized\",\n \"HTTP Basic authentication attempted with invalid credentials\");\n // Why CWebSock makes this function protected?..\n } else {\n m_pWebSock->Redirect(\"/?cookie_check=true\");\n }\n\n 
DEBUG(\"UNSUCCESSFUL login attempt ==> REASON [\" + sReason +\n \"] ==> SESSION [\" + spSession->GetId() + \"]\");\n }\n}", "project": "znc", "hash": 209106969697203855570651078926777139162, "size": 23, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265783 }, { "func": "void hci_req_prepare_suspend(struct hci_dev *hdev, enum suspended_state next)\n{\n\tint old_state;\n\tstruct hci_conn *conn;\n\tstruct hci_request req;\n\tu8 page_scan;\n\tint disconnect_counter;\n\n\tif (next == hdev->suspend_state) {\n\t\tbt_dev_dbg(hdev, \"Same state before and after: %d\", next);\n\t\tgoto done;\n\t}\n\n\thdev->suspend_state = next;\n\thci_req_init(&req, hdev);\n\n\tif (next == BT_SUSPEND_DISCONNECT) {\n\t\t/* Mark device as suspended */\n\t\thdev->suspended = true;\n\n\t\t/* Pause discovery if not already stopped */\n\t\told_state = hdev->discovery.state;\n\t\tif (old_state != DISCOVERY_STOPPED) {\n\t\t\tset_bit(SUSPEND_PAUSE_DISCOVERY, hdev->suspend_tasks);\n\t\t\thci_discovery_set_state(hdev, DISCOVERY_STOPPING);\n\t\t\tqueue_work(hdev->req_workqueue, &hdev->discov_update);\n\t\t}\n\n\t\thdev->discovery_paused = true;\n\t\thdev->discovery_old_state = old_state;\n\n\t\t/* Stop directed advertising */\n\t\told_state = hci_dev_test_flag(hdev, HCI_ADVERTISING);\n\t\tif (old_state) {\n\t\t\tset_bit(SUSPEND_PAUSE_ADVERTISING, hdev->suspend_tasks);\n\t\t\tcancel_delayed_work(&hdev->discov_off);\n\t\t\tqueue_delayed_work(hdev->req_workqueue,\n\t\t\t\t\t &hdev->discov_off, 0);\n\t\t}\n\n\t\t/* Pause other advertisements */\n\t\tif (hdev->adv_instance_cnt)\n\t\t\t__hci_req_pause_adv_instances(&req);\n\n\t\thdev->advertising_paused = true;\n\t\thdev->advertising_old_state = old_state;\n\t\t/* Disable page scan */\n\t\tpage_scan = SCAN_DISABLED;\n\t\thci_req_add(&req, 
HCI_OP_WRITE_SCAN_ENABLE, 1, &page_scan);\n\n\t\t/* Disable LE passive scan if enabled */\n\t\tif (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {\n\t\t\tcancel_interleave_scan(hdev);\n\t\t\thci_req_add_le_scan_disable(&req, false);\n\t\t}\n\n\t\t/* Disable advertisement filters */\n\t\thci_req_add_set_adv_filter_enable(&req, false);\n\n\t\t/* Mark task needing completion */\n\t\tset_bit(SUSPEND_SCAN_DISABLE, hdev->suspend_tasks);\n\n\t\t/* Prevent disconnects from causing scanning to be re-enabled */\n\t\thdev->scanning_paused = true;\n\n\t\t/* Run commands before disconnecting */\n\t\thci_req_run(&req, suspend_req_complete);\n\n\t\tdisconnect_counter = 0;\n\t\t/* Soft disconnect everything (power off) */\n\t\tlist_for_each_entry(conn, &hdev->conn_hash.list, list) {\n\t\t\thci_disconnect(conn, HCI_ERROR_REMOTE_POWER_OFF);\n\t\t\tdisconnect_counter++;\n\t\t}\n\n\t\tif (disconnect_counter > 0) {\n\t\t\tbt_dev_dbg(hdev,\n\t\t\t\t \"Had %d disconnects. Will wait on them\",\n\t\t\t\t disconnect_counter);\n\t\t\tset_bit(SUSPEND_DISCONNECTING, hdev->suspend_tasks);\n\t\t}\n\t} else if (next == BT_SUSPEND_CONFIGURE_WAKE) {\n\t\t/* Unpause to take care of updating scanning params */\n\t\thdev->scanning_paused = false;\n\t\t/* Enable event filter for paired devices */\n\t\thci_req_set_event_filter(&req);\n\t\t/* Enable passive scan at lower duty cycle */\n\t\t__hci_update_background_scan(&req);\n\t\t/* Pause scan changes again. 
*/\n\t\thdev->scanning_paused = true;\n\t\thci_req_run(&req, suspend_req_complete);\n\t} else {\n\t\thdev->suspended = false;\n\t\thdev->scanning_paused = false;\n\n\t\thci_req_clear_event_filter(&req);\n\t\t/* Reset passive/background scanning to normal */\n\t\t__hci_update_background_scan(&req);\n\t\t/* Enable all of the advertisement filters */\n\t\thci_req_add_set_adv_filter_enable(&req, true);\n\n\t\t/* Unpause directed advertising */\n\t\thdev->advertising_paused = false;\n\t\tif (hdev->advertising_old_state) {\n\t\t\tset_bit(SUSPEND_UNPAUSE_ADVERTISING,\n\t\t\t\thdev->suspend_tasks);\n\t\t\thci_dev_set_flag(hdev, HCI_ADVERTISING);\n\t\t\tqueue_work(hdev->req_workqueue,\n\t\t\t\t &hdev->discoverable_update);\n\t\t\thdev->advertising_old_state = 0;\n\t\t}\n\n\t\t/* Resume other advertisements */\n\t\tif (hdev->adv_instance_cnt)\n\t\t\t__hci_req_resume_adv_instances(&req);\n\n\t\t/* Unpause discovery */\n\t\thdev->discovery_paused = false;\n\t\tif (hdev->discovery_old_state != DISCOVERY_STOPPED &&\n\t\t hdev->discovery_old_state != DISCOVERY_STOPPING) {\n\t\t\tset_bit(SUSPEND_UNPAUSE_DISCOVERY, hdev->suspend_tasks);\n\t\t\thci_discovery_set_state(hdev, DISCOVERY_STARTING);\n\t\t\tqueue_work(hdev->req_workqueue, &hdev->discov_update);\n\t\t}\n\n\t\thci_req_run(&req, suspend_req_complete);\n\t}\n\n\thdev->suspend_state = next;\n\ndone:\n\tclear_bit(SUSPEND_PREPARE_NOTIFIER, hdev->suspend_tasks);\n\twake_up(&hdev->suspend_wait_q);\n}", "project": "linux", "hash": 271821916206173398346512721317914093941, "size": 134, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402529 }, { "func": "bool JOIN::add_fields_for_current_rowid(JOIN_TAB *cur, List *table_fields)\n{\n /*\n this will not walk into semi-join materialization nests but this is ok\n because we will never need to save current rowids for those.\n */\n for (JOIN_TAB *tab=join_tab; tab < cur; tab++)\n {\n if (!tab->keep_current_rowid)\n continue;\n Item *item= new (thd->mem_root) Item_temptable_rowid(tab->table);\n item->fix_fields(thd, 0);\n table_fields->push_back(item, thd->mem_root);\n cur->tmp_table_param->func_count++;\n }\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 65748224402329164775922020085821852239, "size": 17, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508614 }, { "func": "static khint_t fix_chromosome(const bcf_hdr_t *h, vdict_t *d, const char *p) {\n // Simple error recovery for chromosomes not defined in the header. It will not help when VCF header has\n // been already printed, but will enable tools like vcfcheck to proceed.\n\n kstring_t tmp = {0,0,0};\n khint_t k;\n int l;\n ksprintf(&tmp, \"##contig=\", p);\n bcf_hrec_t *hrec = bcf_hdr_parse_line(h,tmp.s,&l);\n free(tmp.s);\n int res = hrec ? bcf_hdr_add_hrec((bcf_hdr_t*)h, hrec) : -1;\n if (res < 0) bcf_hrec_destroy(hrec);\n if (res > 0) res = bcf_hdr_sync((bcf_hdr_t*)h);\n k = kh_get(vdict, d, p);\n\n return k;\n}", "project": "htslib", "hash": 270032419084524625262375041736684923345, "size": 17, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402149 }, { "func": " Classifier (std::string suffix,\n CompressorScheme scheme,\n PixelType type,\n int cscIdx,\n bool caseInsensitive):\n _suffix(suffix),\n _scheme(scheme),\n _type(type),\n _cscIdx(cscIdx),\n _caseInsensitive(caseInsensitive)\n {\n if (caseInsensitive) \n std::transform(_suffix.begin(), _suffix.end(), _suffix.begin(), tolower);\n }", "project": "openexr", "hash": 167846588410947779796946682955920190673, "size": 14, "commit_id": "3eda5d70aba127bae9bd6bae9956fcf024b64031", "message": "fixes for DWA uncompress: sanity check unknown data reading, off-by-one error on max suffix string length\n\nSigned-off-by: Peter Hillman ", "target": 0, "dataset": "other", "idx": 440089 }, { "func": " int64_t toInt64 () const { return m_str ? 
m_str->toInt64 () : 0;}", "project": "hhvm", "hash": 268674079868272949799746521340486594860, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219483 }, { "func": "static int sctp_ioctl(struct sock *sk, int cmd, unsigned long arg)\n{\n\tint rc = -ENOTCONN;\n\n\tlock_sock(sk);\n\n\t/*\n\t * SEQPACKET-style sockets in LISTENING state are valid, for\n\t * SCTP, so only discard TCP-style sockets in LISTENING state.\n\t */\n\tif (sctp_style(sk, TCP) && sctp_sstate(sk, LISTENING))\n\t\tgoto out;\n\n\tswitch (cmd) {\n\tcase SIOCINQ: {\n\t\tstruct sk_buff *skb;\n\t\tunsigned int amount = 0;\n\n\t\tskb = skb_peek(&sk->sk_receive_queue);\n\t\tif (skb != NULL) {\n\t\t\t/*\n\t\t\t * We will only return the amount of this packet since\n\t\t\t * that is all that will be read.\n\t\t\t */\n\t\t\tamount = skb->len;\n\t\t}\n\t\trc = put_user(amount, (int __user *)arg);\n\t\tbreak;\n\t}\n\tdefault:\n\t\trc = -ENOIOCTLCMD;\n\t\tbreak;\n\t}\nout:\n\trelease_sock(sk);\n\treturn rc;\n}", "project": "linux", "hash": 118855160948946086377551937455641965305, "size": 37, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398200 }, { "func": "static void gdImageBrushApply (gdImagePtr im, int x, int y)\n{\n\tint lx, ly;\n\tint hy, hx;\n\tint x1, y1, x2, y2;\n\tint srcx, srcy;\n\n\tif (!im->brush) {\n\t\treturn;\n\t}\n\n\thy = gdImageSY(im->brush) / 2;\n\ty1 = y - hy;\n\ty2 = y1 + gdImageSY(im->brush);\n\thx = gdImageSX(im->brush) / 2;\n\tx1 = x - hx;\n\tx2 = x1 + gdImageSX(im->brush);\n\tsrcy = 0;\n\n\tif (im->trueColor) {\n\t\tif (im->brush->trueColor) {\n\t\t\tfor (ly = y1; ly < y2; ly++) {\n\t\t\t\tsrcx = 0;\n\t\t\t\tfor (lx = x1; (lx < x2); lx++) {\n\t\t\t\t\tint p;\n\t\t\t\t\tp = gdImageGetTrueColorPixel(im->brush, srcx, srcy);\n\t\t\t\t\t/* 2.0.9, Thomas Winzig: apply simple full transparency */\n\t\t\t\t\tif (p != gdImageGetTransparent(im->brush)) {\n\t\t\t\t\t\tgdImageSetPixel(im, lx, ly, p);\n\t\t\t\t\t}\n\t\t\t\t\tsrcx++;\n\t\t\t\t}\n\t\t\t\tsrcy++;\n\t\t\t}\n\t\t} else {\n\t\t\t/* 2.0.12: Brush palette, image truecolor (thanks to Thorben Kundinger for pointing out the issue) */\n\t\t\tfor (ly = y1; ly < y2; ly++) {\n\t\t\t\tsrcx = 0;\n\t\t\t\tfor (lx = x1; lx < x2; lx++) {\n\t\t\t\t\tint p, tc;\n\t\t\t\t\tp = gdImageGetPixel(im->brush, srcx, srcy);\n\t\t\t\t\ttc = gdImageGetTrueColorPixel(im->brush, srcx, srcy);\n\t\t\t\t\t/* 2.0.9, Thomas Winzig: apply simple full transparency */\n\t\t\t\t\tif (p != gdImageGetTransparent(im->brush)) {\n\t\t\t\t\t\tgdImageSetPixel(im, lx, ly, 
tc);\n\t\t\t\t\t}\n\t\t\t\t\tsrcx++;\n\t\t\t\t}\n\t\t\t\tsrcy++;\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfor (ly = y1; ly < y2; ly++) {\n\t\t\tsrcx = 0;\n\t\t\tfor (lx = x1; lx < x2; lx++) {\n\t\t\t\tint p;\n\t\t\t\tp = gdImageGetPixel(im->brush, srcx, srcy);\n\t\t\t\t/* Allow for non-square brushes! */\n\t\t\t\tif (p != gdImageGetTransparent(im->brush)) {\n\t\t\t\t\t/* Truecolor brush. Very slow on a palette destination. */\n\t\t\t\t\tif (im->brush->trueColor) {\n\t\t\t\t\t\tgdImageSetPixel(im, lx, ly, gdImageColorResolveAlpha(im, gdTrueColorGetRed(p),\n\t\t\t\t\t\t\t\t\t\t\t\t\t gdTrueColorGetGreen(p),\n\t\t\t\t\t\t\t\t\t\t\t\t\t gdTrueColorGetBlue(p),\n\t\t\t\t\t\t\t\t\t\t\t\t\t gdTrueColorGetAlpha(p)));\n\t\t\t\t\t} else {\n\t\t\t\t\t\tgdImageSetPixel(im, lx, ly, im->brushColorMap[p]);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tsrcx++;\n\t\t\t}\n\t\t\tsrcy++;\n\t\t}\n\t}\n}", "project": "php-src", "hash": 52264409027038231846492907426929392979, "size": 75, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295174 }, { "func": "int vspprintf(char** pbuf, size_t /*max_len*/, const char* format, ...) 
{\n int len;\n va_list ap;\n va_start(ap, format);\n len = xbuf_format_converter(pbuf, format, ap);\n va_end(ap);\n return len;\n}", "project": "hhvm", "hash": 33521820157835536953736758635287380188, "size": 8, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219854 }, { "func": " */\nvoid bfq_weights_tree_remove(struct bfq_data *bfqd,\n\t\t\t struct bfq_queue *bfqq)\n{\n\tstruct bfq_entity *entity = bfqq->entity.parent;\n\n\tfor_each_entity(entity) {\n\t\tstruct bfq_sched_data *sd = entity->my_sched_data;\n\n\t\tif (sd->next_in_service || sd->in_service_entity) {\n\t\t\t/*\n\t\t\t * entity is still active, because either\n\t\t\t * next_in_service or in_service_entity is not\n\t\t\t * NULL (see the comments on the definition of\n\t\t\t * next_in_service for details on why\n\t\t\t * in_service_entity must be checked too).\n\t\t\t *\n\t\t\t * As a consequence, its parent entities are\n\t\t\t * active as well, and thus this loop must\n\t\t\t * stop here.\n\t\t\t */\n\t\t\tbreak;\n\t\t}\n\n\t\t/*\n\t\t * The decrement of num_groups_with_pending_reqs is\n\t\t * not performed immediately upon the deactivation of\n\t\t * entity, but it is delayed to when it also happens\n\t\t * that the first leaf descendant bfqq of entity gets\n\t\t * all its pending requests completed. The following\n\t\t * instructions perform this delayed decrement, if\n\t\t * needed. See the comments on\n\t\t * num_groups_with_pending_reqs for details.\n\t\t */\n\t\tif (entity->in_groups_with_pending_reqs) {\n\t\t\tentity->in_groups_with_pending_reqs = false;\n\t\t\tbfqd->num_groups_with_pending_reqs--;\n\t\t}\n\t}\n\n\t/*\n\t * Next function is invoked last, because it causes bfqq to be\n\t * freed if the following holds: bfqq is not in service and\n\t * has no dispatched request. 
DO NOT use bfqq after the next\n\t * function invocation.\n\t */\n\t__bfq_weights_tree_remove(bfqd, bfqq,\n\t\t\t\t &bfqd->queue_weights_tree);", "project": "linux", "hash": 309796853132914962723073568361892193190, "size": 48, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] 
__handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] 
exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang 
\nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453292 }, { "func": "static void ff_layout_read_call_done(struct rpc_task *task, void *data)\n{\n\tstruct nfs_pgio_header *hdr = data;\n\n\tdprintk(\"--> %s task->tk_status %d\\n\", __func__, task->tk_status);\n\n\tif (test_bit(NFS_IOHDR_REDO, &hdr->flags) &&\n\t task->tk_status == 0) {\n\t\tnfs4_sequence_done(task, &hdr->res.seq_res);\n\t\treturn;\n\t}\n\n\t/* Note this may cause RPC to be resent */\n\thdr->mds_ops->rpc_call_done(task, hdr);\n}", "project": "linux", "hash": 210893773682039054872787941630025338074, "size": 15, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234420 }, { "func": "static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tu8 status = *((u8 *) skb->data);\n\tu8 *mode;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tmode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);\n\tif (mode)\n\t\thdev->ssp_debug_mode = *mode;\n}", "project": "linux", "hash": 240632812485826458194823812292377344951, "size": 14, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431891 }, { "func": "int CServer::SnapNewID()\n{\n\treturn m_IDPool.NewID();\n}", "project": "teeworlds", "hash": 65543981672584843333362412281017486589, "size": 4, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382007 }, { "func": "static void set_random_addr(struct hci_request *req, bdaddr_t *rpa)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\n\t/* If we're advertising or initiating an LE connection we can't\n\t * go ahead and change the random address at this time. 
This is\n\t * because the eventual initiator address used for the\n\t * subsequently created connection will be undefined (some\n\t * controllers use the new address and others the one we had\n\t * when the operation started).\n\t *\n\t * In this kind of scenario skip the update and let the random\n\t * address be updated at the next cycle.\n\t */\n\tif (hci_dev_test_flag(hdev, HCI_LE_ADV) ||\n\t hci_lookup_le_connect(hdev)) {\n\t\tbt_dev_dbg(hdev, \"Deferring random address update\");\n\t\thci_dev_set_flag(hdev, HCI_RPA_EXPIRED);\n\t\treturn;\n\t}\n\n\thci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6, rpa);\n}", "project": "linux", "hash": 322385710463600764511984703181509676945, "size": 23, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402565 }, { "func": "static int usb_host_read_file(char *line, size_t line_size, const char *device_file, const char *device_name)\n{\n Monitor *mon = cur_mon;\n FILE *f;\n int ret = 0;\n char filename[PATH_MAX];\n\n snprintf(filename, PATH_MAX, USBSYSBUS_PATH \"/devices/%s/%s\", device_name,\n device_file);\n f = fopen(filename, \"r\");\n if (f) {\n fgets(line, line_size, f);\n fclose(f);\n ret = 1;\n } else {\n monitor_printf(mon, \"husb: could not open %s\\n\", filename);\n }\n\n return ret;\n}", "project": "qemu", "hash": 24759623693199212359178560389285174549, "size": 20, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346316 }, { "func": "static int nfs4_sp4_select_mode(struct nfs_client *clp,\n\t\t\t\t struct nfs41_state_protection *sp)\n{\n\tstatic const u32 supported_enforce[NFS4_OP_MAP_NUM_WORDS] = {\n\t\t[1] = 1 << (OP_BIND_CONN_TO_SESSION - 32) |\n\t\t 1 << (OP_EXCHANGE_ID - 32) |\n\t\t 1 << (OP_CREATE_SESSION - 32) |\n\t\t 1 << (OP_DESTROY_SESSION - 32) |\n\t\t 1 << (OP_DESTROY_CLIENTID - 32)\n\t};\n\tunsigned long flags = 0;\n\tunsigned int i;\n\tint ret = 0;\n\n\tif (sp->how == SP4_MACH_CRED) {\n\t\t/* Print state protect result */\n\t\tdfprintk(MOUNT, \"Server SP4_MACH_CRED support:\\n\");\n\t\tfor (i = 0; i <= LAST_NFS4_OP; i++) {\n\t\t\tif (test_bit(i, sp->enforce.u.longs))\n\t\t\t\tdfprintk(MOUNT, \" enforce op %d\\n\", i);\n\t\t\tif (test_bit(i, sp->allow.u.longs))\n\t\t\t\tdfprintk(MOUNT, \" allow op %d\\n\", i);\n\t\t}\n\n\t\t/* make sure nothing is on enforce list that isn't supported */\n\t\tfor (i = 0; i < NFS4_OP_MAP_NUM_WORDS; i++) {\n\t\t\tif (sp->enforce.u.words[i] & ~supported_enforce[i]) {\n\t\t\t\tdfprintk(MOUNT, \"sp4_mach_cred: disabled\\n\");\n\t\t\t\tret = -EINVAL;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t}\n\n\t\t/*\n\t\t * Minimal mode - state operations are allowed to use machine\n\t\t * credential. 
Note this already happens by default, so the\n\t\t * client doesn't have to do anything more than the negotiation.\n\t\t *\n\t\t * NOTE: we don't care if EXCHANGE_ID is in the list -\n\t\t * we're already using the machine cred for exchange_id\n\t\t * and will never use a different cred.\n\t\t */\n\t\tif (test_bit(OP_BIND_CONN_TO_SESSION, sp->enforce.u.longs) &&\n\t\t test_bit(OP_CREATE_SESSION, sp->enforce.u.longs) &&\n\t\t test_bit(OP_DESTROY_SESSION, sp->enforce.u.longs) &&\n\t\t test_bit(OP_DESTROY_CLIENTID, sp->enforce.u.longs)) {\n\t\t\tdfprintk(MOUNT, \"sp4_mach_cred:\\n\");\n\t\t\tdfprintk(MOUNT, \" minimal mode enabled\\n\");\n\t\t\t__set_bit(NFS_SP4_MACH_CRED_MINIMAL, &flags);\n\t\t} else {\n\t\t\tdfprintk(MOUNT, \"sp4_mach_cred: disabled\\n\");\n\t\t\tret = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\n\t\tif (test_bit(OP_CLOSE, sp->allow.u.longs) &&\n\t\t test_bit(OP_OPEN_DOWNGRADE, sp->allow.u.longs) &&\n\t\t test_bit(OP_DELEGRETURN, sp->allow.u.longs) &&\n\t\t test_bit(OP_LOCKU, sp->allow.u.longs)) {\n\t\t\tdfprintk(MOUNT, \" cleanup mode enabled\\n\");\n\t\t\t__set_bit(NFS_SP4_MACH_CRED_CLEANUP, &flags);\n\t\t}\n\n\t\tif (test_bit(OP_LAYOUTRETURN, sp->allow.u.longs)) {\n\t\t\tdfprintk(MOUNT, \" pnfs cleanup mode enabled\\n\");\n\t\t\t__set_bit(NFS_SP4_MACH_CRED_PNFS_CLEANUP, &flags);\n\t\t}\n\n\t\tif (test_bit(OP_SECINFO, sp->allow.u.longs) &&\n\t\t test_bit(OP_SECINFO_NO_NAME, sp->allow.u.longs)) {\n\t\t\tdfprintk(MOUNT, \" secinfo mode enabled\\n\");\n\t\t\t__set_bit(NFS_SP4_MACH_CRED_SECINFO, &flags);\n\t\t}\n\n\t\tif (test_bit(OP_TEST_STATEID, sp->allow.u.longs) &&\n\t\t test_bit(OP_FREE_STATEID, sp->allow.u.longs)) {\n\t\t\tdfprintk(MOUNT, \" stateid mode enabled\\n\");\n\t\t\t__set_bit(NFS_SP4_MACH_CRED_STATEID, &flags);\n\t\t}\n\n\t\tif (test_bit(OP_WRITE, sp->allow.u.longs)) {\n\t\t\tdfprintk(MOUNT, \" write mode enabled\\n\");\n\t\t\t__set_bit(NFS_SP4_MACH_CRED_WRITE, &flags);\n\t\t}\n\n\t\tif (test_bit(OP_COMMIT, sp->allow.u.longs)) 
{\n\t\t\tdfprintk(MOUNT, \" commit mode enabled\\n\");\n\t\t\t__set_bit(NFS_SP4_MACH_CRED_COMMIT, &flags);\n\t\t}\n\t}\nout:\n\tclp->cl_sp4_flags = flags;\n\treturn ret;\n}", "project": "linux", "hash": 209814122989191880700378542015205863343, "size": 94, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431249 }, { "func": "static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,\n\t\t\t\t\tstruct sk_buff *skb)\n{\n\tstruct hci_cp_le_add_to_white_list *sent;\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);\n\tif (!sent)\n\t\treturn;\n\n\thci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,\n\t\t\t sent->bdaddr_type);\n}", "project": "linux", "hash": 237046576589925426827805768044733657786, "size": 18, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431979 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "void SoftwareFrameManager::SetVisibility(bool visible) {\n if (HasCurrentFrame()) {\n if (visible) {\n RendererFrameManager::GetInstance()->LockFrame(this);\n } else {\n RendererFrameManager::GetInstance()->UnlockFrame(this);\n }\n }\n}\n", "cwe": "", "big_vul_idx": 129973, "idx": 116285, "hash": 165797642922075720116097615630900513197 }, { "func": "static void nfs4_slot_sequence_record_sent(struct nfs4_slot *slot,\n\t\tu32 seqnr)\n{\n\tif ((s32)(seqnr - slot->seq_nr_highest_sent) > 0)\n\t\tslot->seq_nr_highest_sent = seqnr;\n}", "project": "linux", "hash": 31382308682611383575161386886561812134, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431134 }, { "func": "static bool task_participate_group_stop(struct task_struct *task)\n{\n\tstruct signal_struct *sig = task->signal;\n\tbool consume = task->jobctl & JOBCTL_STOP_CONSUME;\n\n\tWARN_ON_ONCE(!(task->jobctl & JOBCTL_STOP_PENDING));\n\n\ttask_clear_jobctl_pending(task, JOBCTL_STOP_PENDING);\n\n\tif (!consume)\n\t\treturn false;\n\n\tif (!WARN_ON_ONCE(sig->group_stop_count == 
0))\n\t\tsig->group_stop_count--;\n\n\t/*\n\t * Tell the caller to notify completion iff we are entering into a\n\t * fresh group stop. Read comment in do_signal_stop() for details.\n\t */\n\tif (!sig->group_stop_count && !(sig->flags & SIGNAL_STOP_STOPPED)) {\n\t\tsignal_set_stop_flags(sig, SIGNAL_STOP_STOPPED);\n\t\treturn true;\n\t}\n\treturn false;\n}", "project": "linux", "hash": 126766194375795132702813903443745384022, "size": 25, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375210 }, { "func": "static void trace_module_remove_evals(struct module *mod)\n{\n\tunion trace_eval_map_item *map;\n\tunion trace_eval_map_item **last = &trace_eval_maps;\n\n\tif (!mod->num_trace_evals)\n\t\treturn;\n\n\tmutex_lock(&trace_eval_mutex);\n\n\tmap = trace_eval_maps;\n\n\twhile (map) {\n\t\tif (map->head.mod == mod)\n\t\t\tbreak;\n\t\tmap = trace_eval_jmp_to_tail(map);\n\t\tlast = &map->tail.next;\n\t\tmap = map->tail.next;\n\t}\n\tif (!map)\n\t\tgoto out;\n\n\t*last = trace_eval_jmp_to_tail(map)->tail.next;\n\tkfree(map);\n out:\n\tmutex_unlock(&trace_eval_mutex);\n}", "project": "linux", "hash": 17233870238106204345595580401486728465, "size": 27, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445589 }, { "func": "static inline void trace_module_remove_evals(struct module *mod) { }", "project": "linux", "hash": 101977662359306080908312043894233621111, "size": 1, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445812 }, { "func": " Item_ignore_value(THD *thd, Name_resolution_context *context_arg)\n :Item_default_value(thd, context_arg)\n {};", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 166808476692760641120739909565620075505, "size": 3, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), 
SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508949 }, { "func": "static enum_func_status\nphp_mysqlnd_eof_read(void * _packet, MYSQLND_CONN_DATA * conn TSRMLS_DC)\n{\n\t/*\n\t EOF packet is since 4.1 five bytes long,\n\t but we can get also an error, make it bigger.\n\n\t Error : error_code + '#' + sqlstate + MYSQLND_ERRMSG_SIZE\n\t*/\n\tMYSQLND_PACKET_EOF *packet= (MYSQLND_PACKET_EOF *) _packet;\n\tsize_t buf_len = conn->net->cmd_buffer.length;\n\tzend_uchar *buf = (zend_uchar *) conn->net->cmd_buffer.buffer;\n\tzend_uchar *p = buf;\n\tzend_uchar *begin = buf;\n\n\tDBG_ENTER(\"php_mysqlnd_eof_read\");\n\n\tPACKET_READ_HEADER_AND_BODY(packet, conn, buf, buf_len, \"EOF\", PROT_EOF_PACKET);\n\tBAIL_IF_NO_MORE_DATA;\n\n\t/* Should be always EODATA_MARKER */\n\tpacket->field_count = uint1korr(p);\n\tp++;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tif (ERROR_MARKER == packet->field_count) {\n\t\tphp_mysqlnd_read_error_from_line(p, packet->header.size - 1,\n\t\t\t\t\t\t\t\t\t\t packet->error, sizeof(packet->error),\n\t\t\t\t\t\t\t\t\t\t &packet->error_no, packet->sqlstate\n\t\t\t\t\t\t\t\t\t\t TSRMLS_CC);\n\t\tDBG_RETURN(PASS);\n\t}\n\n\t/*\n\t\t4.1 sends 1 byte EOF packet after metadata of\n\t\tPREPARE/EXECUTE but 5 bytes after the result. 
This is not\n\t\taccording to the Docs@Forge!!!\n\t*/\n\tif (packet->header.size > 1) {\n\t\tpacket->warning_count = uint2korr(p);\n\t\tp+= 2;\n\t\tBAIL_IF_NO_MORE_DATA;\n\n\t\tpacket->server_status = uint2korr(p);\n\t\tp+= 2;\n\t\tBAIL_IF_NO_MORE_DATA;\n\t} else {\n\t\tpacket->warning_count = 0;\n\t\tpacket->server_status = 0;\n\t}\n\n\tBAIL_IF_NO_MORE_DATA;\n\n\tDBG_INF_FMT(\"EOF packet: fields=%u status=%u warnings=%u\",\n\t\t\t\tpacket->field_count, packet->server_status, packet->warning_count);\n\n\tDBG_RETURN(PASS);\npremature_end:\n\tDBG_ERR_FMT(\"EOF packet %d bytes shorter than expected\", p - begin - packet->header.size);\n\tphp_error_docref(NULL TSRMLS_CC, E_WARNING, \"EOF packet \"MYSQLND_SZ_T_SPEC\" bytes shorter than expected\",\n\t\t\t\t\t p - begin - packet->header.size);\n\tDBG_RETURN(FAIL);", "project": "php-src", "hash": 310786437830920581906731042189764857117, "size": 62, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416692 }, { "func": "ff_layout_free_layout_hdr(struct pnfs_layout_hdr *lo)\n{\n\tstruct nfs4_flexfile_layout *ffl = FF_LAYOUT_FROM_HDR(lo);\n\tstruct nfs4_ff_layout_ds_err *err, *n;\n\n\tlist_for_each_entry_safe(err, n, &ffl->error_list, list) {\n\t\tlist_del(&err->list);\n\t\tkfree(err);\n\t}\n\tkfree_rcu(ffl, generic_hdr.plh_rcu);\n}", "project": "linux", "hash": 92842182919553593185954289321931090862, "size": 11, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from 
data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234396 }, { "func": "static void *get_partial_node(struct kmem_cache *s, struct kmem_cache_node *n,\n\t\t\t\tstruct kmem_cache_cpu *c, gfp_t flags)\n{\n\tstruct page *page, *page2;\n\tvoid *object = NULL;\n\tunsigned int available = 0;\n\tint objects;\n\n\t/*\n\t * Racy check. If we mistakenly see no partial slabs then we\n\t * just allocate an empty slab. If we mistakenly try to get a\n\t * partial slab and there is none available then get_partials()\n\t * will return NULL.\n\t */\n\tif (!n || !n->nr_partial)\n\t\treturn NULL;\n\n\tspin_lock(&n->list_lock);\n\tlist_for_each_entry_safe(page, page2, &n->partial, slab_list) {\n\t\tvoid *t;\n\n\t\tif (!pfmemalloc_match(page, flags))\n\t\t\tcontinue;\n\n\t\tt = acquire_slab(s, n, page, object == NULL, &objects);\n\t\tif (!t)\n\t\t\tbreak;\n\n\t\tavailable += objects;\n\t\tif (!object) {\n\t\t\tc->page = page;\n\t\t\tstat(s, ALLOC_FROM_PARTIAL);\n\t\t\tobject = t;\n\t\t} else {\n\t\t\tput_cpu_partial(s, page, 0);\n\t\t\tstat(s, CPU_PARTIAL_NODE);\n\t\t}\n\t\tif (!kmem_cache_has_cpu_partial(s)\n\t\t\t|| available > slub_cpu_partial(s) / 2)\n\t\t\tbreak;\n\n\t}\n\tspin_unlock(&n->list_lock);\n\treturn object;\n}", "project": "linux", "hash": 208428004798866696234029786067548851553, "size": 45, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate 
the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280074 }, { "func": "static int sctp_getsockopt(struct sock *sk, int level, int optname,\n\t\t\t char __user *optval, int __user *optlen)\n{\n\tint retval = 0;\n\tint len;\n\n\tpr_debug(\"%s: sk:%p, optname:%d\\n\", __func__, sk, optname);\n\n\t/* I can hardly begin to describe how wrong this is. This is\n\t * so broken as to be worse than useless. The API draft\n\t * REALLY is NOT helpful here... I am not convinced that the\n\t * semantics of getsockopt() with a level OTHER THAN SOL_SCTP\n\t * are at all well-founded.\n\t */\n\tif (level != SOL_SCTP) {\n\t\tstruct sctp_af *af = sctp_sk(sk)->pf->af;\n\n\t\tretval = af->getsockopt(sk, level, optname, optval, optlen);\n\t\treturn retval;\n\t}\n\n\tif (get_user(len, optlen))\n\t\treturn -EFAULT;\n\n\tif (len < 0)\n\t\treturn -EINVAL;\n\n\tlock_sock(sk);\n\n\tswitch (optname) {\n\tcase SCTP_STATUS:\n\t\tretval = sctp_getsockopt_sctp_status(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_DISABLE_FRAGMENTS:\n\t\tretval = sctp_getsockopt_disable_fragments(sk, len, optval,\n\t\t\t\t\t\t\t optlen);\n\t\tbreak;\n\tcase SCTP_EVENTS:\n\t\tretval = sctp_getsockopt_events(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_AUTOCLOSE:\n\t\tretval = sctp_getsockopt_autoclose(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_SOCKOPT_PEELOFF:\n\t\tretval = sctp_getsockopt_peeloff(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_SOCKOPT_PEELOFF_FLAGS:\n\t\tretval = sctp_getsockopt_peeloff_flags(sk, len, optval, optlen);\n\t\tbreak;\n\tcase 
SCTP_PEER_ADDR_PARAMS:\n\t\tretval = sctp_getsockopt_peer_addr_params(sk, len, optval,\n\t\t\t\t\t\t\t optlen);\n\t\tbreak;\n\tcase SCTP_DELAYED_SACK:\n\t\tretval = sctp_getsockopt_delayed_ack(sk, len, optval,\n\t\t\t\t\t\t\t optlen);\n\t\tbreak;\n\tcase SCTP_INITMSG:\n\t\tretval = sctp_getsockopt_initmsg(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_GET_PEER_ADDRS:\n\t\tretval = sctp_getsockopt_peer_addrs(sk, len, optval,\n\t\t\t\t\t\t optlen);\n\t\tbreak;\n\tcase SCTP_GET_LOCAL_ADDRS:\n\t\tretval = sctp_getsockopt_local_addrs(sk, len, optval,\n\t\t\t\t\t\t optlen);\n\t\tbreak;\n\tcase SCTP_SOCKOPT_CONNECTX3:\n\t\tretval = sctp_getsockopt_connectx3(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_DEFAULT_SEND_PARAM:\n\t\tretval = sctp_getsockopt_default_send_param(sk, len,\n\t\t\t\t\t\t\t optval, optlen);\n\t\tbreak;\n\tcase SCTP_DEFAULT_SNDINFO:\n\t\tretval = sctp_getsockopt_default_sndinfo(sk, len,\n\t\t\t\t\t\t\t optval, optlen);\n\t\tbreak;\n\tcase SCTP_PRIMARY_ADDR:\n\t\tretval = sctp_getsockopt_primary_addr(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_NODELAY:\n\t\tretval = sctp_getsockopt_nodelay(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_RTOINFO:\n\t\tretval = sctp_getsockopt_rtoinfo(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_ASSOCINFO:\n\t\tretval = sctp_getsockopt_associnfo(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_I_WANT_MAPPED_V4_ADDR:\n\t\tretval = sctp_getsockopt_mappedv4(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_MAXSEG:\n\t\tretval = sctp_getsockopt_maxseg(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_GET_PEER_ADDR_INFO:\n\t\tretval = sctp_getsockopt_peer_addr_info(sk, len, optval,\n\t\t\t\t\t\t\toptlen);\n\t\tbreak;\n\tcase SCTP_ADAPTATION_LAYER:\n\t\tretval = sctp_getsockopt_adaptation_layer(sk, len, optval,\n\t\t\t\t\t\t\toptlen);\n\t\tbreak;\n\tcase SCTP_CONTEXT:\n\t\tretval = sctp_getsockopt_context(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_FRAGMENT_INTERLEAVE:\n\t\tretval = 
sctp_getsockopt_fragment_interleave(sk, len, optval,\n\t\t\t\t\t\t\t optlen);\n\t\tbreak;\n\tcase SCTP_PARTIAL_DELIVERY_POINT:\n\t\tretval = sctp_getsockopt_partial_delivery_point(sk, len, optval,\n\t\t\t\t\t\t\t\toptlen);\n\t\tbreak;\n\tcase SCTP_MAX_BURST:\n\t\tretval = sctp_getsockopt_maxburst(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_AUTH_KEY:\n\tcase SCTP_AUTH_CHUNK:\n\tcase SCTP_AUTH_DELETE_KEY:\n\tcase SCTP_AUTH_DEACTIVATE_KEY:\n\t\tretval = -EOPNOTSUPP;\n\t\tbreak;\n\tcase SCTP_HMAC_IDENT:\n\t\tretval = sctp_getsockopt_hmac_ident(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_AUTH_ACTIVE_KEY:\n\t\tretval = sctp_getsockopt_active_key(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_PEER_AUTH_CHUNKS:\n\t\tretval = sctp_getsockopt_peer_auth_chunks(sk, len, optval,\n\t\t\t\t\t\t\toptlen);\n\t\tbreak;\n\tcase SCTP_LOCAL_AUTH_CHUNKS:\n\t\tretval = sctp_getsockopt_local_auth_chunks(sk, len, optval,\n\t\t\t\t\t\t\toptlen);\n\t\tbreak;\n\tcase SCTP_GET_ASSOC_NUMBER:\n\t\tretval = sctp_getsockopt_assoc_number(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_GET_ASSOC_ID_LIST:\n\t\tretval = sctp_getsockopt_assoc_ids(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_AUTO_ASCONF:\n\t\tretval = sctp_getsockopt_auto_asconf(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_PEER_ADDR_THLDS:\n\t\tretval = sctp_getsockopt_paddr_thresholds(sk, optval, len,\n\t\t\t\t\t\t\t optlen, false);\n\t\tbreak;\n\tcase SCTP_PEER_ADDR_THLDS_V2:\n\t\tretval = sctp_getsockopt_paddr_thresholds(sk, optval, len,\n\t\t\t\t\t\t\t optlen, true);\n\t\tbreak;\n\tcase SCTP_GET_ASSOC_STATS:\n\t\tretval = sctp_getsockopt_assoc_stats(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_RECVRCVINFO:\n\t\tretval = sctp_getsockopt_recvrcvinfo(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_RECVNXTINFO:\n\t\tretval = sctp_getsockopt_recvnxtinfo(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_PR_SUPPORTED:\n\t\tretval = sctp_getsockopt_pr_supported(sk, len, optval, 
optlen);\n\t\tbreak;\n\tcase SCTP_DEFAULT_PRINFO:\n\t\tretval = sctp_getsockopt_default_prinfo(sk, len, optval,\n\t\t\t\t\t\t\toptlen);\n\t\tbreak;\n\tcase SCTP_PR_ASSOC_STATUS:\n\t\tretval = sctp_getsockopt_pr_assocstatus(sk, len, optval,\n\t\t\t\t\t\t\toptlen);\n\t\tbreak;\n\tcase SCTP_PR_STREAM_STATUS:\n\t\tretval = sctp_getsockopt_pr_streamstatus(sk, len, optval,\n\t\t\t\t\t\t\t optlen);\n\t\tbreak;\n\tcase SCTP_RECONFIG_SUPPORTED:\n\t\tretval = sctp_getsockopt_reconfig_supported(sk, len, optval,\n\t\t\t\t\t\t\t optlen);\n\t\tbreak;\n\tcase SCTP_ENABLE_STREAM_RESET:\n\t\tretval = sctp_getsockopt_enable_strreset(sk, len, optval,\n\t\t\t\t\t\t\t optlen);\n\t\tbreak;\n\tcase SCTP_STREAM_SCHEDULER:\n\t\tretval = sctp_getsockopt_scheduler(sk, len, optval,\n\t\t\t\t\t\t optlen);\n\t\tbreak;\n\tcase SCTP_STREAM_SCHEDULER_VALUE:\n\t\tretval = sctp_getsockopt_scheduler_value(sk, len, optval,\n\t\t\t\t\t\t\t optlen);\n\t\tbreak;\n\tcase SCTP_INTERLEAVING_SUPPORTED:\n\t\tretval = sctp_getsockopt_interleaving_supported(sk, len, optval,\n\t\t\t\t\t\t\t\toptlen);\n\t\tbreak;\n\tcase SCTP_REUSE_PORT:\n\t\tretval = sctp_getsockopt_reuse_port(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_EVENT:\n\t\tretval = sctp_getsockopt_event(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_ASCONF_SUPPORTED:\n\t\tretval = sctp_getsockopt_asconf_supported(sk, len, optval,\n\t\t\t\t\t\t\t optlen);\n\t\tbreak;\n\tcase SCTP_AUTH_SUPPORTED:\n\t\tretval = sctp_getsockopt_auth_supported(sk, len, optval,\n\t\t\t\t\t\t\toptlen);\n\t\tbreak;\n\tcase SCTP_ECN_SUPPORTED:\n\t\tretval = sctp_getsockopt_ecn_supported(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_EXPOSE_POTENTIALLY_FAILED_STATE:\n\t\tretval = sctp_getsockopt_pf_expose(sk, len, optval, optlen);\n\t\tbreak;\n\tcase SCTP_REMOTE_UDP_ENCAPS_PORT:\n\t\tretval = sctp_getsockopt_encap_port(sk, len, optval, optlen);\n\t\tbreak;\n\tdefault:\n\t\tretval = -ENOPROTOOPT;\n\t\tbreak;\n\t}\n\n\trelease_sock(sk);\n\treturn retval;\n}", 
"project": "linux", "hash": 221440345326573276916366989374942498477, "size": 231, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398045 }, { "func": "static inline void kvm_inject_gp(struct kvm_vcpu *vcpu, u32 error_code)\n{\n\tkvm_queue_exception_e(vcpu, GP_VECTOR, error_code);\n}", "project": "kvm", "hash": 42187599441019336456105384493358543834, "size": 4, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437542 }, { "func": "static inline ssize_t nfs4_read_cached_acl(struct inode *inode, char *buf, size_t buflen)\n{\n\tstruct nfs_inode *nfsi = NFS_I(inode);\n\tstruct nfs4_cached_acl *acl;\n\tint ret = -ENOENT;\n\n\tspin_lock(&inode->i_lock);\n\tacl = nfsi->nfs4_acl;\n\tif (acl == NULL)\n\t\tgoto out;\n\tif (buf == NULL) /* user is just asking for length */\n\t\tgoto out_len;\n\tif (acl->cached == 0)\n\t\tgoto out;\n\tret = -ERANGE; /* see getxattr(2) man page */\n\tif (acl->len > buflen)\n\t\tgoto out;\n\tmemcpy(buf, acl->data, acl->len);\nout_len:\n\tret = acl->len;\nout:\n\tspin_unlock(&inode->i_lock);\n\treturn ret;\n}", "project": "linux", "hash": 61456284889151924672134557735325877063, "size": 24, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", 
"message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431491 }, { "func": "static int php_openssl_is_private_key(EVP_PKEY* pkey)\n{\n\tassert(pkey != NULL);\n\n\tswitch (EVP_PKEY_id(pkey)) {\n\t\tcase EVP_PKEY_RSA:\n\t\tcase EVP_PKEY_RSA2:\n\t\t\t{\n\t\t\t\tRSA *rsa = EVP_PKEY_get0_RSA(pkey);\n\t\t\t\tif (rsa != NULL) {\n\t\t\t\t\tconst BIGNUM *p, *q;\n\n\t\t\t\t\tRSA_get0_factors(rsa, &p, &q);\n\t\t\t\t\t if (p == NULL || q == NULL) {\n\t\t\t\t\t\treturn 0;\n\t\t\t\t\t }\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\t\tcase EVP_PKEY_DSA:\n\t\tcase EVP_PKEY_DSA1:\n\t\tcase EVP_PKEY_DSA2:\n\t\tcase EVP_PKEY_DSA3:\n\t\tcase EVP_PKEY_DSA4:\n\t\t\t{\n\t\t\t\tDSA *dsa = EVP_PKEY_get0_DSA(pkey);\n\t\t\t\tif (dsa != NULL) {\n\t\t\t\t\tconst BIGNUM *p, *q, *g, *pub_key, *priv_key;\n\n\t\t\t\t\tDSA_get0_pqg(dsa, &p, &q, &g);\n\t\t\t\t\tif (p == NULL || q == NULL) {\n\t\t\t\t\t\treturn 0;\n\t\t\t\t\t}\n\n\t\t\t\t\tDSA_get0_key(dsa, &pub_key, &priv_key);\n\t\t\t\t\tif (priv_key == NULL) {\n\t\t\t\t\t\treturn 0;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\t\tcase EVP_PKEY_DH:\n\t\t\t{\n\t\t\t\tDH *dh = EVP_PKEY_get0_DH(pkey);\n\t\t\t\tif (dh != NULL) {\n\t\t\t\t\tconst BIGNUM *p, *q, *g, *pub_key, *priv_key;\n\n\t\t\t\t\tDH_get0_pqg(dh, &p, &q, &g);\n\t\t\t\t\tif (p == NULL) {\n\t\t\t\t\t\treturn 0;\n\t\t\t\t\t}\n\n\t\t\t\t\tDH_get0_key(dh, &pub_key, &priv_key);\n\t\t\t\t\tif (priv_key == NULL) {\n\t\t\t\t\t\treturn 0;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n#ifdef HAVE_EVP_PKEY_EC\n\t\tcase EVP_PKEY_EC:\n\t\t\t{\n\t\t\t\tEC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);\n\t\t\t\tif (ec != NULL && NULL == 
EC_KEY_get0_private_key(ec)) {\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n#endif\n\t\tdefault:\n\t\t\tphp_error_docref(NULL, E_WARNING, \"key type not supported in this PHP build!\");\n\t\t\tbreak;\n\t}\n\treturn 1;\n}", "project": "php-src", "hash": 29728573708779547741301520345112619608, "size": 75, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291381 }, { "func": " Status GetFirstDimensionSize(OpKernelContext* context, INDEX_TYPE* result) {\n const Tensor first_partition_tensor =\n context->input(kFirstPartitionInputIndex);\n const RowPartitionType first_partition_type = row_partition_types_[0];\n switch (first_partition_type) {\n case RowPartitionType::FIRST_DIM_SIZE:\n *result = first_partition_tensor.scalar()();\n return Status::OK();\n case RowPartitionType::VALUE_ROWIDS:\n return errors::InvalidArgument(\n \"Cannot handle VALUE_ROWIDS in first dimension.\");\n case RowPartitionType::ROW_SPLITS:\n *result = first_partition_tensor.shape().dim_size(0) - 1;\n return Status::OK();\n default:\n return errors::InvalidArgument(\n \"Cannot handle type \",\n RowPartitionTypeToString(first_partition_type));\n }\n }", "project": "tensorflow", "hash": 8875073086629769890154937833779819001, "size": 20, "commit_id": "301ae88b331d37a2a16159b65b255f4f9eb39314", "message": "Fix null ptr deref in tf.raw_ops.RaggedTensorToTensor\n\nPiperOrigin-RevId: 384257511\nChange-Id: I0484ad285039d132d6c41b284a7fcdd2b774a38e", "target": 1, "dataset": "other", "idx": 198407 }, { "func": " Status GetFirstDimensionSize(OpKernelContext* context, INDEX_TYPE* result) {\n const Tensor first_partition_tensor =\n context->input(kFirstPartitionInputIndex);\n if (row_partition_types_.empty()) {\n return errors::InvalidArgument(\"No row_partition_types given.\");\n }\n const RowPartitionType first_partition_type = row_partition_types_[0];\n switch 
(first_partition_type) {\n case RowPartitionType::FIRST_DIM_SIZE:\n *result = first_partition_tensor.scalar()();\n return Status::OK();\n case RowPartitionType::VALUE_ROWIDS:\n return errors::InvalidArgument(\n \"Cannot handle VALUE_ROWIDS in first dimension.\");\n case RowPartitionType::ROW_SPLITS:\n *result = first_partition_tensor.shape().dim_size(0) - 1;\n return Status::OK();\n default:\n return errors::InvalidArgument(\n \"Cannot handle type \",\n RowPartitionTypeToString(first_partition_type));\n }\n }", "project": "tensorflow", "hash": 111412195870420450026567644267237811330, "size": 23, "commit_id": "301ae88b331d37a2a16159b65b255f4f9eb39314", "message": "Fix null ptr deref in tf.raw_ops.RaggedTensorToTensor\n\nPiperOrigin-RevId: 384257511\nChange-Id: I0484ad285039d132d6c41b284a7fcdd2b774a38e", "target": 0, "dataset": "other", "idx": 274041 }, { "func": "HttpHeader::chunked() const\n{\n return has(Http::HdrType::TRANSFER_ENCODING) &&\n hasListMember(Http::HdrType::TRANSFER_ENCODING, \"chunked\", ',');\n}", "project": "squid", "hash": 190287884813011176772557767261091701787, "size": 5, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 1, "dataset": "other", "idx": 207839 }, { "func": "static int lz4_wrap_decompress(const char* input, size_t compressed_length,\n char* output, size_t maxout) {\n int nbytes;\n#ifdef HAVE_IPP\n int outlen = (int)maxout;\n int inlen = (int)compressed_length;\n IppStatus status;\n status = ippsDecodeLZ4_8u((const Ipp8u*)input, inlen, (Ipp8u*)output, &outlen);\n //status = ippsDecodeLZ4Dict_8u((const Ipp8u*)input, &inlen, (Ipp8u*)output, 0, &outlen, NULL, 1 << 16);\n nbytes = (status == ippStsNoErr) ? outlen : -outlen;\n#else\n nbytes = LZ4_decompress_safe(input, output, (int)compressed_length, (int)maxout);\n#endif\n if (nbytes != (int)maxout) {\n return 0;\n }\n return (int)maxout;\n}", "project": "c-blosc2", "hash": 55769411746115452592497548452590645591, "size": 18, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303063 }, { "func": " strtr_compare_hash_suffix(size_t m, int B)\n : m(m), B(B) { }", "project": "hhvm", "hash": 16016341187817559494517567592097762884, "size": 2, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219865 }, { "func": "LUA_API lua_State *lua_newthread (lua_State *L) {\n global_State *g;\n lua_State *L1;\n lua_lock(L);\n g = G(L);\n luaC_checkGC(L);\n /* create new thread */\n L1 = &cast(LX *, luaM_newobject(L, LUA_TTHREAD, sizeof(LX)))->l;\n L1->marked = luaC_white(g);\n L1->tt = 
LUA_VTHREAD;\n /* link it on list 'allgc' */\n L1->next = g->allgc;\n g->allgc = obj2gco(L1);\n /* anchor it on L stack */\n setthvalue2s(L, L->top, L1);\n api_incr_top(L);\n preinit_thread(L1, g);\n L1->nCcalls = getCcalls(L);\n L1->hookmask = L->hookmask;\n L1->basehookcount = L->basehookcount;\n L1->hook = L->hook;\n resethookcount(L1);\n /* initialize L1 extra space */\n memcpy(lua_getextraspace(L1), lua_getextraspace(g->mainthread),\n LUA_EXTRASPACE);\n luai_userstatethread(L, L1);\n stack_init(L1, L); /* init stack */\n lua_unlock(L);\n return L1;\n}", "project": "lua", "hash": 251547119834980494947153754078325368585, "size": 30, "commit_id": "a2195644d89812e5b157ce7bac35543e06db05e3", "message": "Fixed bug: invalid 'oldpc' when returning to a function\n\nThe field 'L->oldpc' is not always updated when control returns to a\nfunction; an invalid value can seg. fault when computing 'changedline'.\n(One example is an error in a finalizer; control can return to\n'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to\nfix all possible corner cases, it seems safer to be resilient to invalid\nvalues for 'oldpc'. 
Valid but wrong values at most cause an extra call\nto a line hook.", "target": 0, "dataset": "other", "idx": 462768 }, { "func": "static void fuse_register_polled_file(struct fuse_conn *fc,\n\t\t\t\t struct fuse_file *ff)\n{\n\tspin_lock(&fc->lock);\n\tif (RB_EMPTY_NODE(&ff->polled_node)) {\n\t\tstruct rb_node **link, *parent;\n\n\t\tlink = fuse_find_polled_node(fc, ff->kh, &parent);\n\t\tBUG_ON(*link);\n\t\trb_link_node(&ff->polled_node, parent, link);\n\t\trb_insert_color(&ff->polled_node, &fc->polled_files);\n\t}\n\tspin_unlock(&fc->lock);\n}", "project": "linux", "hash": 278973909003164057983908197972059792498, "size": 14, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342098 }, { "func": "int force_sig_ptrace_errno_trap(int errno, void __user *addr)\n{\n\tstruct kernel_siginfo info;\n\n\tclear_siginfo(&info);\n\tinfo.si_signo = SIGTRAP;\n\tinfo.si_errno = errno;\n\tinfo.si_code = TRAP_HWBKPT;\n\tinfo.si_addr = addr;\n\treturn force_sig_info(&info);\n}", "project": "linux", "hash": 191162551744836703179196605879414544454, "size": 11, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375287 }, { "func": "static inline int pfkey_mode_to_xfrm(int mode)\n{\n\tswitch(mode) {\n\tcase IPSEC_MODE_ANY:\t/*XXX*/\n\tcase IPSEC_MODE_TRANSPORT:\n\t\treturn XFRM_MODE_TRANSPORT;\n\tcase IPSEC_MODE_TUNNEL:\n\t\treturn XFRM_MODE_TUNNEL;\n\tcase IPSEC_MODE_BEET:\n\t\treturn XFRM_MODE_BEET;\n\tdefault:\n\t\treturn -1;\n\t}\n}", "project": "linux", "hash": 35499077166509077328451782863088208674, "size": 14, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268080 }, { "func": "static inline int register_fuseblk(void)\n{\n\treturn register_filesystem(&fuseblk_fs_type);\n}", "project": "linux", "hash": 285518910498352612959769674313780912830, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341935 }, { "func": "static inline int register_fuseblk(void)\n{\n\treturn 0;\n}", "project": "linux", "hash": 187183779507279932300952433337611482298, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341955 }, { "func": "static int is_associated_fs(const char *devname, struct libmnt_fs *fs)\n{\n\tuintmax_t offset = 0;\n\tconst char *src, *optstr;\n\tchar *val;\n\tsize_t valsz;\n\tint flags = 0;\n\n\t/* check if it begins with /dev/loop */\n\tif (strncmp(devname, _PATH_DEV_LOOP, sizeof(_PATH_DEV_LOOP) - 1) != 0)\n\t\treturn 0;\n\n\tsrc = mnt_fs_get_srcpath(fs);\n\tif (!src)\n\t\treturn 0;\n\n\t/* check for the offset option in @fs */\n\toptstr = mnt_fs_get_user_options(fs);\n\n\tif (optstr &&\n\t mnt_optstr_get_option(optstr, \"offset\", &val, &valsz) == 0) {\n\t\tflags |= LOOPDEV_FL_OFFSET;\n\n\t\tif (mnt_parse_offset(val, valsz, &offset) != 0)\n\t\t\treturn 0;\n\t}\n\n\treturn loopdev_is_used(devname, src, offset, 0, flags);\n}", "project": "util-linux", "hash": 34300514404785229101398594186136516812, "size": 29, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410416 }, { "func": "\nstatic void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)\n{\n\tunsigned long index;\n\tstruct creds 
*creds;\n\n\tmutex_lock(&ctx->uring_lock);\n\tpercpu_ref_kill(&ctx->refs);\n\tif (ctx->rings)\n\t\t__io_cqring_overflow_flush(ctx, true);\n\txa_for_each(&ctx->personalities, index, creds)\n\t\tio_unregister_personality(ctx, index);\n\tmutex_unlock(&ctx->uring_lock);\n\n\tio_kill_timeouts(ctx, NULL, NULL);\n\tio_poll_remove_all(ctx, NULL, NULL);\n\n\t/* if we failed setting up the ctx, we might not have any rings */\n\tio_iopoll_try_reap_events(ctx);\n\n\tINIT_WORK(&ctx->exit_work, io_ring_exit_work);\n\t/*\n\t * Use system_unbound_wq to avoid spawning tons of event kworkers\n\t * if we're exiting a ton of rings at the same time. It just adds\n\t * noise and overhead, there's no discernable change in runtime\n\t * over using system_wq.\n\t */\n\tqueue_work(system_unbound_wq, &ctx->exit_work);", "project": "linux", "hash": 311889089453567490243843618308059564265, "size": 28, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338555 }, { "func": "static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)\n{\n\tmutex_lock(&ctx->uring_lock);\n\tpercpu_ref_kill(&ctx->refs);\n\tmutex_unlock(&ctx->uring_lock);\n\n\tio_kill_timeouts(ctx);\n\tio_poll_remove_all(ctx);\n\n\tif (ctx->io_wq)\n\t\tio_wq_cancel_all(ctx->io_wq);\n\n\t/* if we failed setting up the ctx, we might not have any rings */\n\tif (ctx->rings)\n\t\tio_cqring_overflow_flush(ctx, true);\n\tio_iopoll_try_reap_events(ctx);\n\tidr_for_each(&ctx->personality_idr, io_remove_personalities, ctx);\n\n\t/*\n\t * Do this upfront, so we won't have a grace period where the ring\n\t * is closed but resources aren't reaped yet. 
This can cause\n\t * spurious failure in setting up a new ring.\n\t */\n\tio_unaccount_mem(ctx, ring_pages(ctx->sq_entries, ctx->cq_entries),\n\t\t\t ACCT_LOCKED);\n\n\tINIT_WORK(&ctx->exit_work, io_ring_exit_work);\n\tqueue_work(system_wq, &ctx->exit_work);\n}", "project": "linux", "hash": 175259261121314362179176338646683270418, "size": 29, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456965 }, { "func": "static bool checkreturn pb_decode_varint32_eof(pb_istream_t *stream, uint32_t *dest, bool *eof)\n{\n pb_byte_t byte;\n uint32_t result;\n \n if (!pb_readbyte(stream, &byte))\n {\n if (stream->bytes_left == 0)\n {\n if (eof)\n {\n *eof = true;\n }\n }\n\n return false;\n }\n \n if ((byte & 0x80) == 0)\n {\n /* Quick case, 1 byte value */\n result = byte;\n }\n else\n {\n /* Multibyte case */\n uint_fast8_t bitpos = 7;\n result = byte & 0x7F;\n \n do\n {\n if (!pb_readbyte(stream, &byte))\n return false;\n \n if (bitpos >= 32)\n {\n /* Note: The varint could have trailing 0x80 bytes, or 0xFF for negative. */\n uint8_t sign_extension = (bitpos < 63) ? 
0xFF : 0x01;\n \n if ((byte & 0x7F) != 0x00 && ((result >> 31) == 0 || byte != sign_extension))\n {\n PB_RETURN_ERROR(stream, \"varint overflow\");\n }\n }\n else\n {\n result |= (uint32_t)(byte & 0x7F) << bitpos;\n }\n bitpos = (uint_fast8_t)(bitpos + 7);\n } while (byte & 0x80);\n \n if (bitpos == 35 && (byte & 0x70) != 0)\n {\n /* The last byte was at bitpos=28, so only bottom 4 bits fit. */\n PB_RETURN_ERROR(stream, \"varint overflow\");\n }\n }\n \n *dest = result;\n return true;\n}", "project": "nanopb", "hash": 264331870239068439406400609716284954676, "size": 61, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252504 }, { "func": "static bool checkreturn pb_decode_varint32_eof(pb_istream_t *stream, uint32_t *dest, bool *eof)\n{\n pb_byte_t byte;\n uint32_t result;\n \n if (!pb_readbyte(stream, &byte))\n {\n if (stream->bytes_left == 0)\n {\n if (eof)\n {\n *eof = true;\n }\n }\n\n return false;\n }\n \n if ((byte & 0x80) == 0)\n {\n /* Quick case, 1 byte value */\n result = byte;\n }\n else\n {\n /* Multibyte case */\n uint_fast8_t bitpos = 7;\n result = byte & 0x7F;\n \n do\n {\n if (!pb_readbyte(stream, &byte))\n return false;\n \n if (bitpos >= 32)\n {\n /* Note: The varint could have trailing 0x80 bytes, or 0xFF for negative. */\n pb_byte_t sign_extension = (bitpos < 63) ? 0xFF : 0x01;\n bool valid_extension = ((byte & 0x7F) == 0x00 ||\n ((result >> 31) != 0 && byte == sign_extension));\n\n if (bitpos >= 64 || !valid_extension)\n {\n PB_RETURN_ERROR(stream, \"varint overflow\");\n }\n }\n else\n {\n result |= (uint32_t)(byte & 0x7F) << bitpos;\n }\n bitpos = (uint_fast8_t)(bitpos + 7);\n } while (byte & 0x80);\n \n if (bitpos == 35 && (byte & 0x70) != 0)\n {\n /* The last byte was at bitpos=28, so only bottom 4 bits fit. 
*/\n PB_RETURN_ERROR(stream, \"varint overflow\");\n }\n }\n \n *dest = result;\n return true;\n}", "project": "nanopb", "hash": 160165573434474459432946097714925408655, "size": 63, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254698 }, { "func": "static void early_kmem_cache_node_alloc(int node)\n{\n\tstruct page *page;\n\tstruct kmem_cache_node *n;\n\n\tBUG_ON(kmem_cache_node->size < sizeof(struct kmem_cache_node));\n\n\tpage = new_slab(kmem_cache_node, GFP_NOWAIT, node);\n\n\tBUG_ON(!page);\n\tif (page_to_nid(page) != node) {\n\t\tpr_err(\"SLUB: Unable to allocate memory from node %d\\n\", node);\n\t\tpr_err(\"SLUB: Allocating a useless per node structure in order to be able to continue\\n\");\n\t}\n\n\tn = page->freelist;\n\tBUG_ON(!n);\n#ifdef CONFIG_SLUB_DEBUG\n\tinit_object(kmem_cache_node, n, SLUB_RED_ACTIVE);\n\tinit_tracking(kmem_cache_node, n);\n#endif\n\tn = kasan_kmalloc(kmem_cache_node, n, sizeof(struct kmem_cache_node),\n\t\t GFP_KERNEL);\n\tpage->freelist = get_freepointer(kmem_cache_node, n);\n\tpage->inuse = 1;\n\tpage->frozen = 0;\n\tkmem_cache_node->node[node] = n;\n\tinit_kmem_cache_node(n);\n\tinc_slabs_node(kmem_cache_node, node, page->objects);\n\n\t/*\n\t * 
No locks need to be taken here as it has just been\n\t * initialized and there is no concurrent access.\n\t */\n\t__add_partial(n, page, DEACTIVATE_TO_HEAD);\n}", "project": "linux", "hash": 163817408308631027954208798200113150313, "size": 36, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280171 }, { "func": "int mpol_set_shared_policy(struct shared_policy *info,\n\t\t\tstruct vm_area_struct *vma, struct mempolicy *npol)\n{\n\tint err;\n\tstruct sp_node *new = NULL;\n\tunsigned long sz = vma_pages(vma);\n\n\tpr_debug(\"set_shared_policy %lx sz %lu %d %d %lx\\n\",\n\t\t vma->vm_pgoff,\n\t\t sz, npol ? npol->mode : -1,\n\t\t npol ? npol->flags : -1,\n\t\t npol ? 
nodes_addr(npol->v.nodes)[0] : NUMA_NO_NODE);\n\n\tif (npol) {\n\t\tnew = sp_alloc(vma->vm_pgoff, vma->vm_pgoff + sz, npol);\n\t\tif (!new)\n\t\t\treturn -ENOMEM;\n\t}\n\terr = shared_policy_replace(info, vma->vm_pgoff, vma->vm_pgoff+sz, new);\n\tif (err && new)\n\t\tsp_free(new);\n\treturn err;\n}", "project": "linux", "hash": 271305577902970358720162588610768398874, "size": 23, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366739 }, { "func": "static bool tipc_node_cleanup(struct tipc_node *peer)\n{\n\tstruct tipc_node *temp_node;\n\tstruct tipc_net *tn = tipc_net(peer->net);\n\tbool deleted = false;\n\n\t/* If lock held by tipc_node_stop() the node will be deleted anyway */\n\tif (!spin_trylock_bh(&tn->node_list_lock))\n\t\treturn false;\n\n\ttipc_node_write_lock(peer);\n\n\tif (!node_is_up(peer) && time_after(jiffies, peer->delete_at)) {\n\t\ttipc_node_clear_links(peer);\n\t\ttipc_node_delete_from_list(peer);\n\t\tdeleted = true;\n\t}\n\ttipc_node_write_unlock(peer);\n\n\tif (!deleted) 
{\n\t\tspin_unlock_bh(&tn->node_list_lock);\n\t\treturn deleted;\n\t}\n\n\t/* Calculate cluster capabilities */\n\ttn->capabilities = TIPC_NODE_CAPABILITIES;\n\tlist_for_each_entry_rcu(temp_node, &tn->node_list, list) {\n\t\ttn->capabilities &= temp_node->capabilities;\n\t}\n\ttipc_bcast_toggle_rcast(peer->net,\n\t\t\t\t(tn->capabilities & TIPC_BCAST_RCAST));\n\tspin_unlock_bh(&tn->node_list_lock);\n\treturn deleted;\n}", "project": "linux", "hash": 309619894697797695432322239368854163674, "size": 34, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 
net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 
[inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364942 }, { "func": "ConnStateData::parseProxyProtocolHeader()\n{\n // http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt\n\n // detect and parse PROXY/2.0 protocol header\n if (inBuf.startsWith(Proxy2p0magic))\n return parseProxy2p0();\n\n // detect and parse PROXY/1.0 protocol header\n if (inBuf.startsWith(Proxy1p0magic))\n return parseProxy1p0();\n\n // detect and terminate other protocols\n if (inBuf.length() >= Proxy2p0magic.length()) {\n // PROXY/1.0 magic is shorter, so we know that\n // the input does not start with any PROXY magic\n return proxyProtocolError(\"PROXY protocol error: invalid header\");\n }\n\n // TODO: detect short non-magic prefixes earlier to avoid\n // waiting for more data which may never come\n\n // not enough bytes to parse yet.\n return false;\n}", "project": "squid", "hash": 332970134384283605818823167325042065980, "size": 25, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding 
other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402330 }, { "func": "void kvm_vcpu_destroy(struct kvm_vcpu *vcpu)\n{\n\tkvm_arch_vcpu_destroy(vcpu);\n\n\t/*\n\t * No need for rcu_read_lock as VCPU_RUN is the only place that changes\n\t * the vcpu->pid pointer, and at destruction time all file descriptors\n\t * are already gone.\n\t */\n\tput_pid(rcu_dereference_protected(vcpu->pid, 1));\n\n\tfree_page((unsigned long)vcpu->run);\n\tkmem_cache_free(kvm_vcpu_cache, vcpu);\n}", "project": "linux", "hash": 324051281817927168665393444359081214549, "size": 14, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354465 }, { "func": "void kvm_vcpu_destroy(struct kvm_vcpu *vcpu)\n{\n\tkvm_dirty_ring_free(&vcpu->dirty_ring);\n\tkvm_arch_vcpu_destroy(vcpu);\n\n\t/*\n\t * No need for rcu_read_lock as VCPU_RUN is the only place that changes\n\t * the vcpu->pid pointer, and at destruction time all file descriptors\n\t * are 
already gone.\n\t */\n\tput_pid(rcu_dereference_protected(vcpu->pid, 1));\n\n\tfree_page((unsigned long)vcpu->run);\n\tkmem_cache_free(kvm_vcpu_cache, vcpu);\n}", "project": "linux", "hash": 135388410145058524881455568804730444186, "size": 15, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404096 }, { "func": "static void nfs4_opendata_put(struct nfs4_opendata *p)\n{\n\tif (p != NULL)\n\t\tkref_put(&p->kref, nfs4_opendata_free);\n}", "project": "linux", "hash": 137553838050097058236894598528917738287, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431336 }, { "func": "static void prb_open_block(struct tpacket_kbdq_core *pkc1,\n\tstruct tpacket_block_desc *pbd1)\n{\n\tstruct timespec64 ts;\n\tstruct tpacket_hdr_v1 *h1 = 
&pbd1->hdr.bh1;\n\n\tsmp_rmb();\n\n\t/* We could have just memset this but we will lose the\n\t * flexibility of making the priv area sticky\n\t */\n\n\tBLOCK_SNUM(pbd1) = pkc1->knxt_seq_num++;\n\tBLOCK_NUM_PKTS(pbd1) = 0;\n\tBLOCK_LEN(pbd1) = BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);\n\n\tktime_get_real_ts64(&ts);\n\n\th1->ts_first_pkt.ts_sec = ts.tv_sec;\n\th1->ts_first_pkt.ts_nsec = ts.tv_nsec;\n\n\tpkc1->pkblk_start = (char *)pbd1;\n\tpkc1->nxt_offset = pkc1->pkblk_start + BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);\n\n\tBLOCK_O2FP(pbd1) = (__u32)BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);\n\tBLOCK_O2PRIV(pbd1) = BLK_HDR_LEN;\n\n\tpbd1->version = pkc1->version;\n\tpkc1->prev = pkc1->nxt_offset;\n\tpkc1->pkblk_end = pkc1->pkblk_start + pkc1->kblk_size;\n\n\tprb_thaw_queue(pkc1);\n\t_prb_refresh_rx_retire_blk_timer(pkc1);\n\n\tsmp_wmb();\n}", "project": "linux", "hash": 85321625979004474393897370185390787314, "size": 36, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330404 }, { "func": "static int pep_connresp_rcv(struct sock *sk, struct sk_buff *skb)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tstruct pnpipehdr *hdr;\n\tu8 n_sb;\n\n\tif (!pskb_pull(skb, sizeof(*hdr) + 4))\n\t\treturn -EINVAL;\n\n\thdr = pnp_hdr(skb);\n\tif (hdr->error_code != PN_PIPE_NO_ERROR)\n\t\treturn -ECONNREFUSED;\n\n\t/* 
Parse sub-blocks */\n\tn_sb = hdr->data[3];\n\twhile (n_sb > 0) {\n\t\tu8 type, buf[6], len = sizeof(buf);\n\t\tconst u8 *data = pep_get_sb(skb, &type, &len, buf);\n\n\t\tif (data == NULL)\n\t\t\treturn -EINVAL;\n\n\t\tswitch (type) {\n\t\tcase PN_PIPE_SB_REQUIRED_FC_TX:\n\t\t\tif (len < 2 || len < data[0])\n\t\t\t\tbreak;\n\t\t\tpn->tx_fc = pipe_negotiate_fc(data + 2, len - 2);\n\t\t\tbreak;\n\n\t\tcase PN_PIPE_SB_PREFERRED_FC_RX:\n\t\t\tif (len < 2 || len < data[0])\n\t\t\t\tbreak;\n\t\t\tpn->rx_fc = pipe_negotiate_fc(data + 2, len - 2);\n\t\t\tbreak;\n\n\t\t}\n\t\tn_sb--;\n\t}\n\n\treturn pipe_handler_send_created_ind(sk);\n}", "project": "linux", "hash": 159944784612097202887984213187741286495, "size": 41, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224815 }, { "func": "CtPtr ProtocolV1::handle_connect_message_2() {\n ldout(cct, 20) << __func__ << dendl;\n\n ldout(cct, 20) << __func__ << \" accept got peer connect_seq \"\n << connect_msg.connect_seq << \" global_seq \"\n << connect_msg.global_seq << dendl;\n\n connection->set_peer_type(connect_msg.host_type);\n connection->policy = messenger->get_policy(connect_msg.host_type);\n\n ldout(cct, 10) << __func__ << \" accept of host_type \" << connect_msg.host_type\n << \", policy.lossy=\" << connection->policy.lossy\n << \" policy.server=\" << connection->policy.server\n << \" policy.standby=\" << connection->policy.standby\n << \" policy.resetcheck=\" << connection->policy.resetcheck\n\t\t << \" features 0x\" << std::hex << (uint64_t)connect_msg.features\n\t\t << std::dec\n << dendl;\n\n ceph_msg_connect_reply reply;\n bufferlist 
authorizer_reply;\n\n // FIPS zeroization audit 20191115: this memset is not security related.\n memset(&reply, 0, sizeof(reply));\n reply.protocol_version =\n messenger->get_proto_version(connection->peer_type, false);\n\n // mismatch?\n ldout(cct, 10) << __func__ << \" accept my proto \" << reply.protocol_version\n << \", their proto \" << connect_msg.protocol_version << dendl;\n\n if (connect_msg.protocol_version != reply.protocol_version) {\n return send_connect_message_reply(CEPH_MSGR_TAG_BADPROTOVER, reply,\n authorizer_reply);\n }\n\n // require signatures for cephx?\n if (connect_msg.authorizer_protocol == CEPH_AUTH_CEPHX) {\n if (connection->peer_type == CEPH_ENTITY_TYPE_OSD ||\n connection->peer_type == CEPH_ENTITY_TYPE_MDS ||\n connection->peer_type == CEPH_ENTITY_TYPE_MGR) {\n if (cct->_conf->cephx_require_signatures ||\n cct->_conf->cephx_cluster_require_signatures) {\n ldout(cct, 10)\n << __func__\n << \" using cephx, requiring MSG_AUTH feature bit for cluster\"\n << dendl;\n connection->policy.features_required |= CEPH_FEATURE_MSG_AUTH;\n }\n } else {\n if (cct->_conf->cephx_require_signatures ||\n cct->_conf->cephx_service_require_signatures) {\n ldout(cct, 10)\n << __func__\n << \" using cephx, requiring MSG_AUTH feature bit for service\"\n << dendl;\n connection->policy.features_required |= CEPH_FEATURE_MSG_AUTH;\n }\n }\n }\n\n uint64_t feat_missing =\n connection->policy.features_required & ~(uint64_t)connect_msg.features;\n if (feat_missing) {\n ldout(cct, 1) << __func__ << \" peer missing required features \" << std::hex\n << feat_missing << std::dec << dendl;\n return send_connect_message_reply(CEPH_MSGR_TAG_FEATURES, reply,\n authorizer_reply);\n }\n\n bufferlist auth_bl_copy = authorizer_buf;\n auto am = auth_meta;\n am->auth_method = connect_msg.authorizer_protocol;\n connection->lock.unlock();\n ldout(cct,10) << __func__ << \" authorizor_protocol \"\n\t\t<< connect_msg.authorizer_protocol\n\t\t<< \" len \" << auth_bl_copy.length()\n\t\t<< 
dendl;\n bool more = (bool)auth_meta->authorizer_challenge;\n int r = messenger->auth_server->handle_auth_request(\n connection,\n am.get(),\n more,\n am->auth_method,\n auth_bl_copy,\n &authorizer_reply);\n if (r < 0) {\n connection->lock.lock();\n if (state != ACCEPTING_WAIT_CONNECT_MSG_AUTH) {\n ldout(cct, 1) << __func__ << \" state changed\" << dendl;\n return _fault();\n }\n ldout(cct, 0) << __func__ << \": got bad authorizer, auth_reply_len=\"\n\t\t << authorizer_reply.length() << dendl;\n session_security.reset();\n return send_connect_message_reply(CEPH_MSGR_TAG_BADAUTHORIZER, reply,\n\t\t\t\t authorizer_reply);\n }\n if (r == 0) {\n connection->lock.lock();\n if (state != ACCEPTING_WAIT_CONNECT_MSG_AUTH) {\n ldout(cct, 1) << __func__ << \" state changed\" << dendl;\n return _fault();\n }\n ldout(cct, 10) << __func__ << \": challenging authorizer\" << dendl;\n ceph_assert(authorizer_reply.length());\n return send_connect_message_reply(CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER,\n\t\t\t\t reply, authorizer_reply);\n }\n\n // We've verified the authorizer for this AsyncConnection, so set up the\n // session security structure. 
PLR\n ldout(cct, 10) << __func__ << \" accept setting up session_security.\" << dendl;\n\n if (connection->policy.server &&\n connection->policy.lossy &&\n !connection->policy.register_lossy_clients) {\n // incoming lossy client, no need to register this connection\n // new session\n ldout(cct, 10) << __func__ << \" accept new session\" << dendl;\n connection->lock.lock();\n return open(reply, authorizer_reply);\n }\n\n AsyncConnectionRef existing = messenger->lookup_conn(*connection->peer_addrs);\n\n connection->inject_delay();\n\n connection->lock.lock();\n if (state != ACCEPTING_WAIT_CONNECT_MSG_AUTH) {\n ldout(cct, 1) << __func__ << \" state changed\" << dendl;\n return _fault();\n }\n\n if (existing == connection) {\n existing = nullptr;\n }\n if (existing && existing->protocol->proto_type != 1) {\n ldout(cct,1) << __func__ << \" existing \" << existing << \" proto \"\n\t\t << existing->protocol.get() << \" version is \"\n\t\t << existing->protocol->proto_type << \", marking down\" << dendl;\n existing->mark_down();\n existing = nullptr;\n }\n\n if (existing) {\n // There is no possible that existing connection will acquire this\n // connection's lock\n existing->lock.lock(); // skip lockdep check (we are locking a second\n // AsyncConnection here)\n\n ldout(cct,10) << __func__ << \" existing=\" << existing << \" exproto=\"\n\t\t << existing->protocol.get() << dendl;\n ProtocolV1 *exproto = dynamic_cast(existing->protocol.get());\n ceph_assert(exproto);\n ceph_assert(exproto->proto_type == 1);\n\n if (exproto->state == CLOSED) {\n ldout(cct, 1) << __func__ << \" existing \" << existing\n\t\t << \" already closed.\" << dendl;\n existing->lock.unlock();\n existing = nullptr;\n\n return open(reply, authorizer_reply);\n }\n\n if (exproto->replacing) {\n ldout(cct, 1) << __func__\n << \" existing racing replace happened while replacing.\"\n << \" existing_state=\"\n << connection->get_state_name(existing->state) << dendl;\n reply.global_seq = 
exproto->peer_global_seq;\n existing->lock.unlock();\n return send_connect_message_reply(CEPH_MSGR_TAG_RETRY_GLOBAL, reply,\n authorizer_reply);\n }\n\n if (connect_msg.global_seq < exproto->peer_global_seq) {\n ldout(cct, 10) << __func__ << \" accept existing \" << existing << \".gseq \"\n << exproto->peer_global_seq << \" > \"\n << connect_msg.global_seq << \", RETRY_GLOBAL\" << dendl;\n reply.global_seq = exproto->peer_global_seq; // so we can send it below..\n existing->lock.unlock();\n return send_connect_message_reply(CEPH_MSGR_TAG_RETRY_GLOBAL, reply,\n authorizer_reply);\n } else {\n ldout(cct, 10) << __func__ << \" accept existing \" << existing << \".gseq \"\n << exproto->peer_global_seq\n << \" <= \" << connect_msg.global_seq << \", looks ok\"\n << dendl;\n }\n\n if (existing->policy.lossy) {\n ldout(cct, 0)\n << __func__\n << \" accept replacing existing (lossy) channel (new one lossy=\"\n << connection->policy.lossy << \")\" << dendl;\n exproto->session_reset();\n return replace(existing, reply, authorizer_reply);\n }\n\n ldout(cct, 1) << __func__ << \" accept connect_seq \"\n << connect_msg.connect_seq\n << \" vs existing csq=\" << exproto->connect_seq\n << \" existing_state=\"\n << connection->get_state_name(existing->state) << dendl;\n\n if (connect_msg.connect_seq == 0 && exproto->connect_seq > 0) {\n ldout(cct, 0)\n << __func__\n << \" accept peer reset, then tried to connect to us, replacing\"\n << dendl;\n // this is a hard reset from peer\n is_reset_from_peer = true;\n if (connection->policy.resetcheck) {\n exproto->session_reset(); // this resets out_queue, msg_ and\n // connect_seq #'s\n }\n return replace(existing, reply, authorizer_reply);\n }\n\n if (connect_msg.connect_seq < exproto->connect_seq) {\n // old attempt, or we sent READY but they didn't get it.\n ldout(cct, 10) << __func__ << \" accept existing \" << existing << \".cseq \"\n << exproto->connect_seq << \" > \" << connect_msg.connect_seq\n << \", RETRY_SESSION\" << dendl;\n 
reply.connect_seq = exproto->connect_seq + 1;\n existing->lock.unlock();\n return send_connect_message_reply(CEPH_MSGR_TAG_RETRY_SESSION, reply,\n authorizer_reply);\n }\n\n if (connect_msg.connect_seq == exproto->connect_seq) {\n // if the existing connection successfully opened, and/or\n // subsequently went to standby, then the peer should bump\n // their connect_seq and retry: this is not a connection race\n // we need to resolve here.\n if (exproto->state == OPENED || exproto->state == STANDBY) {\n ldout(cct, 10) << __func__ << \" accept connection race, existing \"\n << existing << \".cseq \" << exproto->connect_seq\n << \" == \" << connect_msg.connect_seq\n << \", OPEN|STANDBY, RETRY_SESSION \" << dendl;\n // if connect_seq both zero, dont stuck into dead lock. it's ok to\n // replace\n if (connection->policy.resetcheck && exproto->connect_seq == 0) {\n return replace(existing, reply, authorizer_reply);\n }\n\n reply.connect_seq = exproto->connect_seq + 1;\n existing->lock.unlock();\n return send_connect_message_reply(CEPH_MSGR_TAG_RETRY_SESSION, reply,\n authorizer_reply);\n }\n\n // connection race?\n if (connection->peer_addrs->legacy_addr() < messenger->get_myaddr_legacy() ||\n existing->policy.server) {\n // incoming wins\n ldout(cct, 10) << __func__ << \" accept connection race, existing \"\n << existing << \".cseq \" << exproto->connect_seq\n << \" == \" << connect_msg.connect_seq\n << \", or we are server, replacing my attempt\" << dendl;\n return replace(existing, reply, authorizer_reply);\n } else {\n // our existing outgoing wins\n ldout(messenger->cct, 10)\n << __func__ << \" accept connection race, existing \" << existing\n << \".cseq \" << exproto->connect_seq\n << \" == \" << connect_msg.connect_seq << \", sending WAIT\" << dendl;\n ceph_assert(connection->peer_addrs->legacy_addr() >\n messenger->get_myaddr_legacy());\n existing->lock.unlock();\n\t// make sure we follow through with opening the existing\n\t// connection (if it isn't yet open) 
since we know the peer\n\t// has something to send to us.\n\texisting->send_keepalive();\n return send_connect_message_reply(CEPH_MSGR_TAG_WAIT, reply,\n authorizer_reply);\n }\n }\n\n ceph_assert(connect_msg.connect_seq > exproto->connect_seq);\n ceph_assert(connect_msg.global_seq >= exproto->peer_global_seq);\n if (connection->policy.resetcheck && // RESETSESSION only used by servers;\n // peers do not reset each other\n exproto->connect_seq == 0) {\n ldout(cct, 0) << __func__ << \" accept we reset (peer sent cseq \"\n << connect_msg.connect_seq << \", \" << existing\n << \".cseq = \" << exproto->connect_seq\n << \"), sending RESETSESSION \" << dendl;\n existing->lock.unlock();\n return send_connect_message_reply(CEPH_MSGR_TAG_RESETSESSION, reply,\n authorizer_reply);\n }\n\n // reconnect\n ldout(cct, 10) << __func__ << \" accept peer sent cseq \"\n << connect_msg.connect_seq << \" > \" << exproto->connect_seq\n << dendl;\n return replace(existing, reply, authorizer_reply);\n } // existing\n else if (!replacing && connect_msg.connect_seq > 0) {\n // we reset, and they are opening a new session\n ldout(cct, 0) << __func__ << \" accept we reset (peer sent cseq \"\n << connect_msg.connect_seq << \"), sending RESETSESSION\"\n << dendl;\n return send_connect_message_reply(CEPH_MSGR_TAG_RESETSESSION, reply,\n authorizer_reply);\n } else {\n // new session\n ldout(cct, 10) << __func__ << \" accept new session\" << dendl;\n existing = nullptr;\n return open(reply, authorizer_reply);\n }\n}", "project": "ceph", "hash": 281879160932946016021869248674182261089, "size": 315, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": "msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f (\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce 
cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 1, "dataset": "other", "idx": 204335 }, { "func": "static inline bool queue_pages_required(struct page *page,\n\t\t\t\t\tstruct queue_pages *qp)\n{\n\tint nid = page_to_nid(page);\n\tunsigned long flags = qp->flags;\n\n\treturn node_isset(nid, *qp->nmask) == !(flags & MPOL_MF_INVERT);\n}", "project": "linux", "hash": 172724325209856003767636425255095263079, "size": 8, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366786 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::rejectPendingResolvers()\n{\n ASSERT(isMainThread());\n\n\n for (auto& resolver : m_suspendResolvers) {\n resolver->reject(DOMException::create(InvalidStateError, \"Audio context is going away\"));\n }\n m_suspendResolvers.clear();\n\n for (auto& resolver : m_resumeResolvers) {\n resolver->reject(DOMException::create(InvalidStateError, \"Audio context is going away\"));\n }\n m_resumeResolvers.clear();\n m_isResolvingResumePromises = false;\n}\n", "cwe": "", "big_vul_idx": 139677, "idx": 124826, "hash": 292968128272207145185109851924224103279 }, { "func": "static int futex_wait_setup(u32 __user *uaddr, u32 val, int fshared,\n\t\t\t struct futex_q *q, struct futex_hash_bucket **hb)\n{\n\tu32 uval;\n\tint ret;\n\n\t/*\n\t * Access the page AFTER the hash-bucket is locked.\n\t * Order is important:\n\t *\n\t * Userspace waiter: val = var; if (cond(val)) futex_wait(&var, val);\n\t * Userspace waker: if (cond(var)) { var = new; futex_wake(&var); }\n\t *\n\t * The basic logical guarantee of a futex is that it blocks ONLY\n\t * if cond(var) is known to be true at the time of blocking, for\n\t * any cond. 
If we queued after testing *uaddr, that would open\n\t * a race condition where we could block indefinitely with\n\t * cond(var) false, which would violate the guarantee.\n\t *\n\t * A consequence is that futex_wait() can return zero and absorb\n\t * a wakeup when *uaddr != val on entry to the syscall. This is\n\t * rare, but normal.\n\t */\nretry:\n\tq->key = FUTEX_KEY_INIT;\n\tret = get_futex_key(uaddr, fshared, &q->key);\n\tif (unlikely(ret != 0))\n\t\treturn ret;\n\nretry_private:\n\t*hb = queue_lock(q);\n\n\tret = get_futex_value_locked(&uval, uaddr);\n\n\tif (ret) {\n\t\tqueue_unlock(q, *hb);\n\n\t\tret = get_user(uval, uaddr);\n\t\tif (ret)\n\t\t\tgoto out;\n\n\t\tif (!fshared)\n\t\t\tgoto retry_private;\n\n\t\tput_futex_key(fshared, &q->key);\n\t\tgoto retry;\n\t}\n\n\tif (uval != val) {\n\t\tqueue_unlock(q, *hb);\n\t\tret = -EWOULDBLOCK;\n\t}\n\nout:\n\tif (ret)\n\t\tput_futex_key(fshared, &q->key);\n\treturn ret;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 178821694557156370934758293646810446892, "size": 58, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492319 }, { "func": "static bool virtual_matches(const struct virtual_engine *ve,\n\t\t\t const struct i915_request *rq,\n\t\t\t const struct intel_engine_cs *engine)\n{\n\tconst struct intel_engine_cs *inflight;\n\n\tif (!(rq->execution_mask & engine->mask)) /* We peeked too soon! */\n\t\treturn false;\n\n\t/*\n\t * We track when the HW has completed saving the context image\n\t * (i.e. when we have seen the final CS event switching out of\n\t * the context) and must not overwrite the context image before\n\t * then. This restricts us to only using the active engine\n\t * while the previous virtualized request is inflight (so\n\t * we reuse the register offsets). This is a very small\n\t * hystersis on the greedy seelction algorithm.\n\t */\n\tinflight = intel_context_inflight(&ve->context);\n\tif (inflight && inflight != engine)\n\t\treturn false;\n\n\treturn true;\n}", "project": "linux", "hash": 231681877618335955419083880303700989338, "size": 24, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. 
This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281481 }, { "func": "static void hint_updates(void) {\n\thint_t hint;\n\tint x, y, i, n, ty, th, tx, tw;\n\tint hint_count = 0, in_run = 0;\n\n\thint.x = hint.y = hint.w = hint.h = 0;\n\n\tfor (y=0; y < ntiles_y; y++) {\n\t\tfor (x=0; x < ntiles_x; x++) {\n\t\t\tn = x + y * ntiles_x;\n\n\t\t\tif (tile_has_diff[n]) {\n\t\t\t\tty = tile_region[n].first_line;\n\t\t\t\tth = tile_region[n].last_line - ty + 1;\n\n\t\t\t\ttx = tile_region[n].first_x;\n\t\t\t\ttw = tile_region[n].last_x - tx + 1;\n\t\t\t\tif (tx < 0) {\n\t\t\t\t\ttx = 0;\n\t\t\t\t\ttw = tile_x;\n\t\t\t\t}\n\n\t\t\t\tif (! 
in_run) {\n\t\t\t\t\tcreate_tile_hint( x * tile_x + tx,\n\t\t\t\t\t y * tile_y + ty, tw, th, &hint);\n\t\t\t\t\tin_run = 1;\n\t\t\t\t} else {\n\t\t\t\t\textend_tile_hint( x * tile_x + tx,\n\t\t\t\t\t y * tile_y + ty, tw, th, &hint);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tif (in_run) {\n\t\t\t\t\t/* end of a row run of altered tiles: */\n\t\t\t\t\tsave_hint(hint, hint_count++);\n\t\t\t\t\tin_run = 0;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (in_run) {\t/* save the last row run */\n\t\t\tsave_hint(hint, hint_count++);\n\t\t\tin_run = 0;\n\t\t}\n\t}\n\n\tfor (i=0; i < hint_count; i++) {\n\t\t/* pass update info to vnc: */\n\t\tmark_hint(hint_list[i]);\n\t}\n}", "project": "x11vnc", "hash": 304113419012718854291339757405588307925, "size": 49, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360783 }, { "func": "R_API int r_socket_gets(RSocket *s, char *buf,\tint size) {\n\treturn -1;\n}", "project": "radare2", "hash": 73024833121680936088191098661878332118, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268990 }, { "func": "R_API int r_socket_gets(RSocket *s, char *buf,\tint size) {\n\tint i = 0;\n\tint ret = 0;\n\n\tif (s->fd == R_INVALID_SOCKET) {\n\t\treturn -1;\n\t}\n\twhile (i < size) {\n\t\tret = r_socket_read (s, (ut8 *)buf + i, 1);\n\t\tif (ret == 0) {\n\t\t\tif (i > 0) {\n\t\t\t\treturn i;\n\t\t\t}\n\t\t\treturn -1;\n\t\t}\n\t\tif (ret < 0) {\n\t\t\tr_socket_close (s);\n\t\t\treturn i == 0? -1: i;\n\t\t}\n\t\tif (buf[i] == '\\r' || buf[i] == '\\n') {\n\t\t\tbuf[i] = 0;\n\t\t\tbreak;\n\t\t}\n\t\ti += ret;\n\t}\n\tbuf[i] = '\\0';\n\treturn i;\n}", "project": "radare2", "hash": 149772519831778494217294574684192862316, "size": 28, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268998 }, { "func": "static inline void power_pmu_bhrb_enable(struct perf_event *event) {}", "project": "linux", "hash": 279183476939295281639683921881997587285, "size": 1, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. 
If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374679 }, { "func": "static void power_pmu_bhrb_enable(struct perf_event *event)\n{\n\tstruct cpu_hw_events *cpuhw = this_cpu_ptr(&cpu_hw_events);\n\n\tif (!ppmu->bhrb_nr)\n\t\treturn;\n\n\t/* Clear BHRB if we changed task context to avoid data leaks */\n\tif (event->ctx->task && cpuhw->bhrb_context != event->ctx) {\n\t\tpower_pmu_bhrb_reset();\n\t\tcpuhw->bhrb_context = event->ctx;\n\t}\n\tcpuhw->bhrb_users++;\n\tperf_sched_cb_inc(event->ctx->pmu);\n}", "project": "linux", "hash": 106207826992468386607751256803822980812, "size": 15, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n 
__hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374689 }, { "func": "static int nfs4_sequence_process(struct rpc_task *task, struct nfs4_sequence_res *res)\n{\n\tif (res->sr_slot == NULL)\n\t\treturn 1;\n\tif (res->sr_slot->table->session != NULL)\n\t\treturn nfs41_sequence_process(task, res);\n\treturn nfs40_sequence_done(task, res);\n}", "project": "linux", "hash": 303315749496954235314402865481609407191, "size": 8, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431466 }, { "func": "static int nfs4_sequence_process(struct rpc_task *task, struct nfs4_sequence_res *res)\n{\n\treturn nfs40_sequence_done(task, res);\n}", "project": "linux", "hash": 747721872082356660582517063584845391, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr 
kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431611 }, { "func": "static void io_submit_flush_completions(struct io_comp_state *cs,\n\t\t\t\t\tstruct io_ring_ctx *ctx)\n{\n\tint i, nr = cs->nr;\n\tstruct io_kiocb *req;\n\tstruct req_batch rb;\n\n\tio_init_req_batch(&rb);\n\tspin_lock_irq(&ctx->completion_lock);\n\tfor (i = 0; i < nr; i++) {\n\t\treq = cs->reqs[i];\n\t\t__io_cqring_fill_event(ctx, req->user_data, req->result,\n\t\t\t\t\treq->compl.cflags);\n\t}\n\tio_commit_cqring(ctx);\n\tspin_unlock_irq(&ctx->completion_lock);\n\n\tio_cqring_ev_posted(ctx);\n\tfor (i = 0; i < nr; i++) {\n\t\treq = cs->reqs[i];\n\n\t\t/* submission and completion refs */\n\t\tif (req_ref_sub_and_test(req, 2))\n\t\t\tio_req_free_batch(&rb, req, &ctx->submit_state);\n\t}\n\n\tio_req_free_batch_finish(ctx, &rb);\n\tcs->nr = 0;\n}", "project": "linux", "hash": 179903425568614218975589722028609490659, "size": 29, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338717 }, { "func": "enum_func_status\nphp_mysqlnd_rowp_read_text_protocol_c(MYSQLND_MEMORY_POOL_CHUNK * row_buffer, zval ** fields,\n\t\t\t\t\t\t\t\t\tunsigned int field_count, const MYSQLND_FIELD * fields_metadata,\n\t\t\t\t\t\t\t\t\tzend_bool as_int_or_float, MYSQLND_STATS * stats TSRMLS_DC)\n{\n\tenum_func_status ret;\n\tDBG_ENTER(\"php_mysqlnd_rowp_read_text_protocol_c\");\n\tret = php_mysqlnd_rowp_read_text_protocol_aux(row_buffer, fields, field_count, fields_metadata, as_int_or_float, TRUE, stats TSRMLS_CC);\n\tDBG_RETURN(ret);", "project": "php-src", "hash": 136455825172868541182027683110420544945, "size": 9, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416687 }, { "func": "TEST_F(ZNCTest, FixFixOfCVE20149403) {\n auto znc = Run();\n auto ircd = ConnectIRCd();\n ircd.Write(\":server 001 nick :Hello\");\n ircd.Write(\":nick JOIN @#znc\");\n ircd.ReadUntil(\"MODE @#znc\");\n ircd.Write(\":server 005 nick STATUSMSG=@ :supports\");\n ircd.Write(\":server PING :12345\");\n ircd.ReadUntil(\"PONG 12345\");\n\n QNetworkRequest request;\n request.setRawHeader(\"Authorization\",\n \"Basic \" + QByteArray(\"user:hunter2\").toBase64());\n request.setUrl(QUrl(\"http://127.0.0.1:12345/mods/global/webadmin/addchan\"));\n auto reply = 
HttpPost(request, {\n {\"user\", \"user\"},\n {\"network\", \"test\"},\n {\"submitted\", \"1\"},\n {\"name\", \"@#znc\"},\n {\"enabled\", \"1\"},\n });\n EXPECT_THAT(reply->readAll().toStdString(),\n HasSubstr(\"Could not add channel [@#znc]\"));\n}", "project": "znc", "hash": 268479727348875273505070528117472688692, "size": 24, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231572 }, { "func": "TEST_F(ZNCTest, HTTP) {\n auto znc = Run();\n auto ircd = ConnectIRCd();\n auto reply = HttpGet(QNetworkRequest(QUrl(\"http://127.0.0.1:12345/\")));\n EXPECT_THAT(reply->rawHeader(\"Server\").toStdString(), HasSubstr(\"ZNC\"));\n}", "project": "znc", "hash": 296847994479810063910422201928422378394, "size": 6, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231607 }, { "func": "static uint64_t time_win_to_unix(uint64_t win_time) {\n\tconst size_t ns_in_sec = 10000000;\n\tconst uint64_t sec_to_unix = 11644473600LL;\n\treturn win_time / ns_in_sec - sec_to_unix;\n}", "project": "libarchive", "hash": 10939990234374130233071064081811959869, "size": 5, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244749 }, { "func": "static void bg_scan_update(struct work_struct *work)\n{\n\tstruct hci_dev *hdev = container_of(work, struct hci_dev,\n\t\t\t\t\t bg_scan_update);\n\tstruct hci_conn *conn;\n\tu8 status;\n\tint err;\n\n\terr = hci_req_sync(hdev, update_bg_scan, 0, HCI_CMD_TIMEOUT, &status);\n\tif (!err)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);\n\tif (conn)\n\t\thci_le_conn_failed(conn, status);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 155287654605712240893978250990662577878, "size": 20, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402513 }, { "func": "static void tcp_fin(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\tinet_csk_schedule_ack(sk);\n\n\tsk->sk_shutdown |= RCV_SHUTDOWN;\n\tsock_set_flag(sk, SOCK_DONE);\n\n\tswitch (sk->sk_state) {\n\tcase TCP_SYN_RECV:\n\tcase TCP_ESTABLISHED:\n\t\t/* Move to CLOSE_WAIT */\n\t\ttcp_set_state(sk, TCP_CLOSE_WAIT);\n\t\tinet_csk(sk)->icsk_ack.pingpong = 1;\n\t\tbreak;\n\n\tcase TCP_CLOSE_WAIT:\n\tcase TCP_CLOSING:\n\t\t/* Received a retransmission of the FIN, do\n\t\t * nothing.\n\t\t */\n\t\tbreak;\n\tcase TCP_LAST_ACK:\n\t\t/* RFC793: Remain in the LAST-ACK state. */\n\t\tbreak;\n\n\tcase TCP_FIN_WAIT1:\n\t\t/* This case occurs when a simultaneous close\n\t\t * happens, we must ack the received FIN and\n\t\t * enter the CLOSING state.\n\t\t */\n\t\ttcp_send_ack(sk);\n\t\ttcp_set_state(sk, TCP_CLOSING);\n\t\tbreak;\n\tcase TCP_FIN_WAIT2:\n\t\t/* Received a FIN -- send ACK and enter TIME_WAIT. */\n\t\ttcp_send_ack(sk);\n\t\ttcp_time_wait(sk, TCP_TIME_WAIT, 0);\n\t\tbreak;\n\tdefault:\n\t\t/* Only TCP_LISTEN and TCP_CLOSE are left, in these\n\t\t * cases we should never reach this piece of code.\n\t\t */\n\t\tprintk(KERN_ERR \"%s: Impossible, sk->sk_state=%d\\n\",\n\t\t __func__, sk->sk_state);\n\t\tbreak;\n\t}\n\n\t/* It _is_ possible, that we have something out-of-order _after_ FIN.\n\t * Probably, we should reset in this case. For now drop them.\n\t */\n\t__skb_queue_purge(&tp->out_of_order_queue);\n\tif (tcp_is_sack(tp))\n\t\ttcp_sack_reset(&tp->rx_opt);\n\tsk_mem_reclaim(sk);\n\n\tif (!sock_flag(sk, SOCK_DEAD)) {\n\t\tsk->sk_state_change(sk);\n\n\t\t/* Do not send POLL_HUP for half duplex close. 
*/\n\t\tif (sk->sk_shutdown == SHUTDOWN_MASK ||\n\t\t sk->sk_state == TCP_CLOSE)\n\t\t\tsk_wake_async(sk, SOCK_WAKE_WAITD, POLL_HUP);\n\t\telse\n\t\t\tsk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN);\n\t}\n}", "project": "net-next", "hash": 136239503348812572575262683145880741437, "size": 68, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409944 }, { "func": "static int read_var_sized(struct archive_read* a, size_t* pvalue,\n size_t* pvalue_len)\n{\n\tuint64_t v;\n\tuint64_t v_size = 0;\n\n\tconst int ret = pvalue_len ? read_var(a, &v, &v_size)\n\t\t\t\t : read_var(a, &v, NULL);\n\n\tif(ret == 1 && pvalue) {\n\t\t*pvalue = (size_t) v;\n\t}\n\n\tif(pvalue_len) {\n\t\t/* Possible data truncation should be safe. */\n\t\t*pvalue_len = (size_t) v_size;\n\t}\n\n\treturn ret;\n}", "project": "libarchive", "hash": 255927794208227034147815349210301720260, "size": 20, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244814 }, { "func": "static int __sctp_connect(struct sock *sk, struct sockaddr *kaddrs,\n\t\t\t int addrs_size, int flags, sctp_assoc_t *assoc_id)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_endpoint *ep = sp->ep;\n\tstruct sctp_transport *transport;\n\tstruct sctp_association *asoc;\n\tvoid *addr_buf = kaddrs;\n\tunion sctp_addr *daddr;\n\tstruct sctp_af *af;\n\tint walk_size, err;\n\tlong timeo;\n\n\tif (sctp_sstate(sk, ESTABLISHED) || sctp_sstate(sk, CLOSING) ||\n\t (sctp_style(sk, TCP) && sctp_sstate(sk, LISTENING)))\n\t\treturn -EISCONN;\n\n\tdaddr = addr_buf;\n\taf = sctp_get_af_specific(daddr->sa.sa_family);\n\tif (!af || af->sockaddr_len > addrs_size)\n\t\treturn -EINVAL;\n\n\terr = sctp_verify_addr(sk, daddr, af->sockaddr_len);\n\tif (err)\n\t\treturn err;\n\n\tasoc = sctp_endpoint_lookup_assoc(ep, daddr, &transport);\n\tif (asoc)\n\t\treturn asoc->state >= SCTP_STATE_ESTABLISHED ? 
-EISCONN\n\t\t\t\t\t\t\t : -EALREADY;\n\n\terr = sctp_connect_new_asoc(ep, daddr, NULL, &transport);\n\tif (err)\n\t\treturn err;\n\tasoc = transport->asoc;\n\n\taddr_buf += af->sockaddr_len;\n\twalk_size = af->sockaddr_len;\n\twhile (walk_size < addrs_size) {\n\t\terr = -EINVAL;\n\t\tif (walk_size + sizeof(sa_family_t) > addrs_size)\n\t\t\tgoto out_free;\n\n\t\tdaddr = addr_buf;\n\t\taf = sctp_get_af_specific(daddr->sa.sa_family);\n\t\tif (!af || af->sockaddr_len + walk_size > addrs_size)\n\t\t\tgoto out_free;\n\n\t\tif (asoc->peer.port != ntohs(daddr->v4.sin_port))\n\t\t\tgoto out_free;\n\n\t\terr = sctp_connect_add_peer(asoc, daddr, af->sockaddr_len);\n\t\tif (err)\n\t\t\tgoto out_free;\n\n\t\taddr_buf += af->sockaddr_len;\n\t\twalk_size += af->sockaddr_len;\n\t}\n\n\t/* In case the user of sctp_connectx() wants an association\n\t * id back, assign one now.\n\t */\n\tif (assoc_id) {\n\t\terr = sctp_assoc_set_id(asoc, GFP_KERNEL);\n\t\tif (err < 0)\n\t\t\tgoto out_free;\n\t}\n\n\terr = sctp_primitive_ASSOCIATE(sock_net(sk), asoc, NULL);\n\tif (err < 0)\n\t\tgoto out_free;\n\n\t/* Initialize sk's dport and daddr for getpeername() */\n\tinet_sk(sk)->inet_dport = htons(asoc->peer.port);\n\tsp->pf->to_sk_daddr(daddr, sk);\n\tsk->sk_err = 0;\n\n\tif (assoc_id)\n\t\t*assoc_id = asoc->assoc_id;\n\n\ttimeo = sock_sndtimeo(sk, flags & O_NONBLOCK);\n\treturn sctp_wait_for_connect(asoc, &timeo);\n\nout_free:\n\tpr_debug(\"%s: took out_free path with asoc:%p kaddrs:%p err:%d\\n\",\n\t\t __func__, asoc, kaddrs, err);\n\tsctp_association_free(asoc);\n\treturn err;\n}", "project": "linux", "hash": 240288751249244100726377863079417322368, "size": 89, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen 
in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398050 }, { "func": " void flushSb() {\n if (tl_buffer.raw) {\n json_free(tl_buffer.raw);\n tl_buffer.raw = nullptr;\n }\n sb_cap = 0;\n sb_buf.setBuf(nullptr, 0);\n sb_key.setBuf(nullptr, 0);\n }", "project": "hhvm", "hash": 307815282949874171771664506906152569955, "size": 9, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227323 }, { "func": "static void cdev_unmap(dev_t dev, unsigned count)\n{\n\tkobj_unmap(cdev_map, dev, count);\n}", "project": "linux", "hash": 297823363043523303214694493342245784151, "size": 4, "commit_id": "68faa679b8be1a74e6663c21c3a9d25d32f1c079", "message": "chardev: Avoid potential use-after-free in 'chrdev_open()'\n\n'chrdev_open()' calls 'cdev_get()' to obtain a reference to the\n'struct cdev *' stashed in the 'i_cdev' field of the target inode\nstructure. 
If the pointer is NULL, then it is initialised lazily by\nlooking up the kobject in the 'cdev_map' and so the whole procedure is\nprotected by the 'cdev_lock' spinlock to serialise initialisation of\nthe shared pointer.\n\nUnfortunately, it is possible for the initialising thread to fail *after*\ninstalling the new pointer, for example if the subsequent '->open()' call\non the file fails. In this case, 'cdev_put()' is called, the reference\ncount on the kobject is dropped and, if nobody else has taken a reference,\nthe release function is called which finally clears 'inode->i_cdev' from\n'cdev_purge()' before potentially freeing the object. The problem here\nis that a racing thread can happily take the 'cdev_lock' and see the\nnon-NULL pointer in the inode, which can result in a refcount increment\nfrom zero and a warning:\n\n | ------------[ cut here ]------------\n | refcount_t: addition on 0; use-after-free.\n | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0\n | Modules linked in:\n | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\n | RIP: 0010:refcount_warn_saturate+0x6d/0xf0\n | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08\n | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282\n | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000\n | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798\n | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039\n | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700\n | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700\n | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0\n | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000\n | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n | Call Trace:\n | kobject_get+0x5c/0x60\n | cdev_get+0x2b/0x60\n | chrdev_open+0x55/0x220\n | ? cdev_put.part.3+0x20/0x20\n | do_dentry_open+0x13a/0x390\n | path_openat+0x2c8/0x1470\n | do_filp_open+0x93/0x100\n | ? selinux_file_ioctl+0x17f/0x220\n | do_sys_open+0x186/0x220\n | do_syscall_64+0x48/0x150\n | entry_SYSCALL_64_after_hwframe+0x44/0xa9\n | RIP: 0033:0x7f3b87efcd0e\n | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4\n | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101\n | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e\n | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c\n | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000\n | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e\n | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000\n | ---[ end trace 24f53ca58db8180a ]---\n\nSince 'cdev_get()' can already fail to obtain a reference, simply move\nit over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',\nwhich will cause the racing thread to return -ENXIO if the initialising\nthread fails unexpectedly.\n\nCc: Hillf Danton \nCc: Andrew Morton \nCc: Al Viro \nReported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com\nSigned-off-by: Will Deacon \nCc: stable \nLink: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 446384 }, { "func": "R_API int r_core_bind(RCore *core, RCoreBind *bnd) {\n\tbnd->core = core;\n\tbnd->bphit = (RCoreDebugBpHit)r_core_debug_breakpoint_hit;\n\tbnd->syshit = (RCoreDebugSyscallHit)r_core_debug_syscall_hit;\n\tbnd->cmd = (RCoreCmd)r_core_cmd0;\n\tbnd->cmdf = (RCoreCmdF)r_core_cmdf;\n\tbnd->cmdstr = (RCoreCmdStr)r_core_cmd_str;\n\tbnd->cmdstrf = 
(RCoreCmdStrF)r_core_cmd_strf;\n\tbnd->puts = (RCorePuts)r_cons_strcat;\n\tbnd->setab = (RCoreSetArchBits)setab;\n\tbnd->getName = (RCoreGetName)getName;\n\tbnd->getNameDelta = (RCoreGetNameDelta)getNameDelta;\n\tbnd->archbits = (RCoreSeekArchBits)archbits;\n\tbnd->cfggeti = (RCoreConfigGetI)cfggeti;\n\tbnd->cfgGet = (RCoreConfigGet)cfgget;\n\tbnd->numGet = (RCoreNumGet)numget;\n\tbnd->isMapped = (RCoreIsMapped)__isMapped;\n\tbnd->syncDebugMaps = (RCoreDebugMapsSync)__syncDebugMaps;\n\treturn true;\n}", "project": "radare2", "hash": 187750417394202826981964467605047970140, "size": 20, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232114 }, { "func": "static inline gpa_t gfn_to_gpa(gfn_t gfn)\n{\n\treturn (gpa_t)gfn << PAGE_SHIFT;\n}", "project": "linux", "hash": 217301651256545908059505558584058794929, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354748 }, { "func": "static int oidc_handle_request_uri(request_rec *r, oidc_cfg *c) {\n\n\tchar *request_ref = NULL;\n\toidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_REQUEST_URI,\n\t\t\t&request_ref);\n\tif (request_ref == NULL) {\n\t\toidc_error(r, \"no \\\"%s\\\" parameter 
found\",\n\t\t\t\tOIDC_REDIRECT_URI_REQUEST_REQUEST_URI);\n\t\treturn HTTP_BAD_REQUEST;\n\t}\n\n\tchar *jwt = NULL;\n\toidc_cache_get_request_uri(r, request_ref, &jwt);\n\tif (jwt == NULL) {\n\t\toidc_error(r, \"no cached JWT found for %s reference: %s\",\n\t\t\t\tOIDC_REDIRECT_URI_REQUEST_REQUEST_URI, request_ref);\n\t\treturn HTTP_NOT_FOUND;\n\t}\n\n\toidc_cache_set_request_uri(r, request_ref, NULL, 0);\n\n\treturn oidc_util_http_send(r, jwt, strlen(jwt), OIDC_CONTENT_TYPE_JWT, OK);\n}", "project": "mod_auth_openidc", "hash": 158027356998551666945336565752843007416, "size": 23, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381905 }, { "func": "static apr_byte_t oidc_check_cookie_domain(request_rec *r, oidc_cfg *cfg,\n\t\toidc_session_t *session) {\n\tconst char *c_cookie_domain =\n\t\t\tcfg->cookie_domain ?\n\t\t\t\t\tcfg->cookie_domain : oidc_get_current_url_host(r);\n\tconst char *s_cookie_domain = oidc_session_get_cookie_domain(r, session);\n\tif ((s_cookie_domain == NULL)\n\t\t\t|| (apr_strnatcmp(c_cookie_domain, s_cookie_domain) != 0)) {\n\t\toidc_warn(r,\n\t\t\t\t\"aborting: detected attempt to play cookie against a different domain/host than issued for! 
(issued=%s, current=%s)\",\n\t\t\t\ts_cookie_domain, c_cookie_domain);\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 273090957371675510952639710339332451087, "size": 16, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381964 }, { "func": "static __always_inline int __kvm_handle_hva_range(struct kvm *kvm,\n\t\t\t\t\t\t const struct kvm_hva_range *range)\n{\n\tbool ret = false, locked = false;\n\tstruct kvm_gfn_range gfn_range;\n\tstruct kvm_memory_slot *slot;\n\tstruct kvm_memslots *slots;\n\tint i, idx;\n\n\t/* A null handler is allowed if and only if on_lock() is provided. */\n\tif (WARN_ON_ONCE(IS_KVM_NULL_FN(range->on_lock) &&\n\t\t\t IS_KVM_NULL_FN(range->handler)))\n\t\treturn 0;\n\n\tidx = srcu_read_lock(&kvm->srcu);\n\n\t/* The on_lock() path does not yet support lock elision. 
*/\n\tif (!IS_KVM_NULL_FN(range->on_lock)) {\n\t\tlocked = true;\n\t\tKVM_MMU_LOCK(kvm);\n\n\t\trange->on_lock(kvm, range->start, range->end);\n\n\t\tif (IS_KVM_NULL_FN(range->handler))\n\t\t\tgoto out_unlock;\n\t}\n\n\tfor (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++) {\n\t\tslots = __kvm_memslots(kvm, i);\n\t\tkvm_for_each_memslot(slot, slots) {\n\t\t\tunsigned long hva_start, hva_end;\n\n\t\t\thva_start = max(range->start, slot->userspace_addr);\n\t\t\thva_end = min(range->end, slot->userspace_addr +\n\t\t\t\t\t\t (slot->npages << PAGE_SHIFT));\n\t\t\tif (hva_start >= hva_end)\n\t\t\t\tcontinue;\n\n\t\t\t/*\n\t\t\t * To optimize for the likely case where the address\n\t\t\t * range is covered by zero or one memslots, don't\n\t\t\t * bother making these conditional (to avoid writes on\n\t\t\t * the second or later invocation of the handler).\n\t\t\t */\n\t\t\tgfn_range.pte = range->pte;\n\t\t\tgfn_range.may_block = range->may_block;\n\n\t\t\t/*\n\t\t\t * {gfn(page) | page intersects with [hva_start, hva_end)} =\n\t\t\t * {gfn_start, gfn_start+1, ..., gfn_end-1}.\n\t\t\t */\n\t\t\tgfn_range.start = hva_to_gfn_memslot(hva_start, slot);\n\t\t\tgfn_range.end = hva_to_gfn_memslot(hva_end + PAGE_SIZE - 1, slot);\n\t\t\tgfn_range.slot = slot;\n\n\t\t\tif (!locked) {\n\t\t\t\tlocked = true;\n\t\t\t\tKVM_MMU_LOCK(kvm);\n\t\t\t}\n\t\t\tret |= range->handler(kvm, &gfn_range);\n\t\t}\n\t}\n\n\tif (range->flush_on_ret && (ret || kvm->tlbs_dirty))\n\t\tkvm_flush_remote_tlbs(kvm);\n\nout_unlock:\n\tif (locked)\n\t\tKVM_MMU_UNLOCK(kvm);\n\n\tsrcu_read_unlock(&kvm->srcu, idx);\n\n\t/* The notifiers are averse to booleans. 
:-( */\n\treturn (int)ret;\n}", "project": "linux", "hash": 261184879056555592874345366882663031264, "size": 75, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404063 }, { "func": "Pl_ASCIIHexDecoder::flush()\n{\n if (this->pos == 0)\n {\n\tQTC::TC(\"libtests\", \"Pl_ASCIIHexDecoder no-op flush\");\n\treturn;\n }\n int b[2];\n for (int i = 0; i < 2; ++i)\n {\n\tif (this->inbuf[i] >= 'A')\n\t{\n\t b[i] = this->inbuf[i] - 'A' + 10;\n\t}\n\telse\n\t{\n\t b[i] = this->inbuf[i] - '0';\n\t}\n }\n unsigned char ch = static_cast((b[0] << 4) + b[1]);\n\n QTC::TC(\"libtests\", \"Pl_ASCIIHexDecoder partial flush\",\n\t (this->pos == 2) ? 
0 : 1);\n getNext()->write(&ch, 1);\n\n this->pos = 0;\n this->inbuf[0] = '0';\n this->inbuf[1] = '0';\n this->inbuf[2] = '\\0';\n}", "project": "qpdf", "hash": 203118129371621348619685394824494279281, "size": 30, "commit_id": "dc92574c10f3e2516ec6445b88c5d584f40df4e5", "message": "Fix some pipelines to be safe if downstream write fails (fuzz issue 28262)", "target": 1, "dataset": "other", "idx": 212373 }, { "func": "Pl_AES_PDF::flush(bool strip_padding)\n{\n assert(this->offset == this->buf_size);\n\n if (first)\n {\n\tfirst = false;\n bool return_after_init = false;\n\tif (this->cbc_mode)\n\t{\n\t if (encrypt)\n\t {\n\t\t// Set cbc_block to the initialization vector, and if\n\t\t// not zero, write it to the output stream.\n\t\tinitializeVector();\n if (! (this->use_zero_iv || this->use_specified_iv))\n {\n getNext()->write(this->cbc_block, this->buf_size);\n }\n\t }\n\t else if (this->use_zero_iv || this->use_specified_iv)\n {\n // Initialize vector with zeroes; zero vector was not\n // written to the beginning of the input file.\n initializeVector();\n }\n else\n\t {\n\t\t// Take the first block of input as the initialization\n\t\t// vector. 
There's nothing to write at this time.\n\t\tmemcpy(this->cbc_block, this->inbuf, this->buf_size);\n\t\tthis->offset = 0;\n return_after_init = true;\n\t }\n\t}\n this->crypto->rijndael_init(\n encrypt, this->key.get(), key_bytes,\n this->cbc_mode, this->cbc_block);\n if (return_after_init)\n {\n return;\n }\n }\n\n if (this->encrypt)\n {\n\tthis->crypto->rijndael_process(this->inbuf, this->outbuf);\n }\n else\n {\n\tthis->crypto->rijndael_process(this->inbuf, this->outbuf);\n }\n unsigned int bytes = this->buf_size;\n if (strip_padding)\n {\n\tunsigned char last = this->outbuf[this->buf_size - 1];\n\tif (last <= this->buf_size)\n\t{\n\t bool strip = true;\n\t for (unsigned int i = 1; i <= last; ++i)\n\t {\n\t\tif (this->outbuf[this->buf_size - i] != last)\n\t\t{\n\t\t strip = false;\n\t\t break;\n\t\t}\n\t }\n\t if (strip)\n\t {\n\t\tbytes -= last;\n\t }\n\t}\n }\n getNext()->write(this->outbuf, bytes);\n this->offset = 0;\n}", "project": "qpdf", "hash": 210723206961795046431763152490099955651, "size": 76, "commit_id": "dc92574c10f3e2516ec6445b88c5d584f40df4e5", "message": "Fix some pipelines to be safe if downstream write fails (fuzz issue 28262)", "target": 1, "dataset": "other", "idx": 212374 }, { "func": "Pl_ASCII85Decoder::flush()\n{\n if (this->pos == 0)\n {\n\tQTC::TC(\"libtests\", \"Pl_ASCII85Decoder no-op flush\");\n\treturn;\n }\n unsigned long lval = 0;\n for (int i = 0; i < 5; ++i)\n {\n\tlval *= 85;\n\tlval += (this->inbuf[i] - 33U);\n }\n\n unsigned char outbuf[4];\n memset(outbuf, 0, 4);\n for (int i = 3; i >= 0; --i)\n {\n\toutbuf[i] = lval & 0xff;\n\tlval >>= 8;\n }\n\n QTC::TC(\"libtests\", \"Pl_ASCII85Decoder partial flush\",\n\t (this->pos == 5) ? 
0 : 1);\n getNext()->write(outbuf, this->pos - 1);\n\n this->pos = 0;\n memset(this->inbuf, 117, 5);\n}", "project": "qpdf", "hash": 85528360671820919508396699545533821192, "size": 29, "commit_id": "dc92574c10f3e2516ec6445b88c5d584f40df4e5", "message": "Fix some pipelines to be safe if downstream write fails (fuzz issue 28262)", "target": 1, "dataset": "other", "idx": 212375 }, { "func": "bool MemFile::flush() {\n raise_fatal_error((std::string(\"cannot flush a mem stream: \") +\n getName()).c_str());\n}", "project": "hhvm", "hash": 1279207098280164003087635136501055863, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219123 }, { "func": "Pl_ASCIIHexDecoder::flush()\n{\n if (this->pos == 0)\n {\n\tQTC::TC(\"libtests\", \"Pl_ASCIIHexDecoder no-op flush\");\n\treturn;\n }\n int b[2];\n for (int i = 0; i < 2; ++i)\n {\n\tif (this->inbuf[i] >= 'A')\n\t{\n\t b[i] = this->inbuf[i] - 'A' + 10;\n\t}\n\telse\n\t{\n\t b[i] = this->inbuf[i] - '0';\n\t}\n }\n unsigned char ch = static_cast((b[0] << 4) + b[1]);\n\n QTC::TC(\"libtests\", \"Pl_ASCIIHexDecoder partial flush\",\n\t (this->pos == 2) ? 
0 : 1);\n // Reset before calling getNext()->write in case that throws an\n // exception.\n this->pos = 0;\n this->inbuf[0] = '0';\n this->inbuf[1] = '0';\n this->inbuf[2] = '\\0';\n\n getNext()->write(&ch, 1);\n}", "project": "qpdf", "hash": 210240176858994773313725168075493405218, "size": 32, "commit_id": "dc92574c10f3e2516ec6445b88c5d584f40df4e5", "message": "Fix some pipelines to be safe if downstream write fails (fuzz issue 28262)", "target": 0, "dataset": "other", "idx": 458316 }, { "func": "Pl_ASCII85Decoder::flush()\n{\n if (this->pos == 0)\n {\n\tQTC::TC(\"libtests\", \"Pl_ASCII85Decoder no-op flush\");\n\treturn;\n }\n unsigned long lval = 0;\n for (int i = 0; i < 5; ++i)\n {\n\tlval *= 85;\n\tlval += (this->inbuf[i] - 33U);\n }\n\n unsigned char outbuf[4];\n memset(outbuf, 0, 4);\n for (int i = 3; i >= 0; --i)\n {\n\toutbuf[i] = lval & 0xff;\n\tlval >>= 8;\n }\n\n QTC::TC(\"libtests\", \"Pl_ASCII85Decoder partial flush\",\n\t (this->pos == 5) ? 0 : 1);\n // Reset before calling getNext()->write in case that throws an\n // exception.\n auto t = this->pos - 1;\n this->pos = 0;\n memset(this->inbuf, 117, 5);\n\n getNext()->write(outbuf, t);\n}", "project": "qpdf", "hash": 295062865177124626965605267616423090069, "size": 32, "commit_id": "dc92574c10f3e2516ec6445b88c5d584f40df4e5", "message": "Fix some pipelines to be safe if downstream write fails (fuzz issue 28262)", "target": 0, "dataset": "other", "idx": 458318 }, { "func": "Pl_AES_PDF::flush(bool strip_padding)\n{\n assert(this->offset == this->buf_size);\n\n if (first)\n {\n\tfirst = false;\n bool return_after_init = false;\n\tif (this->cbc_mode)\n\t{\n\t if (encrypt)\n\t {\n\t\t// Set cbc_block to the initialization vector, and if\n\t\t// not zero, write it to the output stream.\n\t\tinitializeVector();\n if (! 
(this->use_zero_iv || this->use_specified_iv))\n {\n getNext()->write(this->cbc_block, this->buf_size);\n }\n\t }\n\t else if (this->use_zero_iv || this->use_specified_iv)\n {\n // Initialize vector with zeroes; zero vector was not\n // written to the beginning of the input file.\n initializeVector();\n }\n else\n\t {\n\t\t// Take the first block of input as the initialization\n\t\t// vector. There's nothing to write at this time.\n\t\tmemcpy(this->cbc_block, this->inbuf, this->buf_size);\n\t\tthis->offset = 0;\n return_after_init = true;\n\t }\n\t}\n this->crypto->rijndael_init(\n encrypt, this->key.get(), key_bytes,\n this->cbc_mode, this->cbc_block);\n if (return_after_init)\n {\n return;\n }\n }\n\n if (this->encrypt)\n {\n\tthis->crypto->rijndael_process(this->inbuf, this->outbuf);\n }\n else\n {\n\tthis->crypto->rijndael_process(this->inbuf, this->outbuf);\n }\n unsigned int bytes = this->buf_size;\n if (strip_padding)\n {\n\tunsigned char last = this->outbuf[this->buf_size - 1];\n\tif (last <= this->buf_size)\n\t{\n\t bool strip = true;\n\t for (unsigned int i = 1; i <= last; ++i)\n\t {\n\t\tif (this->outbuf[this->buf_size - i] != last)\n\t\t{\n\t\t strip = false;\n\t\t break;\n\t\t}\n\t }\n\t if (strip)\n\t {\n\t\tbytes -= last;\n\t }\n\t}\n }\n this->offset = 0;\n getNext()->write(this->outbuf, bytes);\n}", "project": "qpdf", "hash": 322713675875595696904824155170504505595, "size": 76, "commit_id": "dc92574c10f3e2516ec6445b88c5d584f40df4e5", "message": "Fix some pipelines to be safe if downstream write fails (fuzz issue 28262)", "target": 0, "dataset": "other", "idx": 458323 }, { "func": "int ssh_buffer_get_u64(struct ssh_buffer_struct *buffer, uint64_t *data){\n return ssh_buffer_get_data(buffer,data,sizeof(uint64_t));\n}", "project": "libssh-mirror", "hash": 233590576894178507564129557988451717520, "size": 3, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider 
\nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345166 }, { "func": "void kvm_hv_setup_tsc_page(struct kvm *kvm,\n\t\t\t struct pvclock_vcpu_time_info *hv_clock)\n{\n\tstruct kvm_hv *hv = to_kvm_hv(kvm);\n\tu32 tsc_seq;\n\tu64 gfn;\n\n\tBUILD_BUG_ON(sizeof(tsc_seq) != sizeof(hv->tsc_ref.tsc_sequence));\n\tBUILD_BUG_ON(offsetof(struct ms_hyperv_tsc_page, tsc_sequence) != 0);\n\n\tif (!(hv->hv_tsc_page & HV_X64_MSR_TSC_REFERENCE_ENABLE))\n\t\treturn;\n\n\tmutex_lock(&hv->hv_lock);\n\tif (!(hv->hv_tsc_page & HV_X64_MSR_TSC_REFERENCE_ENABLE))\n\t\tgoto out_unlock;\n\n\tgfn = hv->hv_tsc_page >> HV_X64_MSR_TSC_REFERENCE_ADDRESS_SHIFT;\n\t/*\n\t * Because the TSC parameters only vary when there is a\n\t * change in the master clock, do not bother with caching.\n\t */\n\tif (unlikely(kvm_read_guest(kvm, gfn_to_gpa(gfn),\n\t\t\t\t &tsc_seq, sizeof(tsc_seq))))\n\t\tgoto out_unlock;\n\n\t/*\n\t * While we're computing and writing the parameters, force the\n\t * guest to use the time reference count MSR.\n\t */\n\thv->tsc_ref.tsc_sequence = 0;\n\tif (kvm_write_guest(kvm, gfn_to_gpa(gfn),\n\t\t\t &hv->tsc_ref, sizeof(hv->tsc_ref.tsc_sequence)))\n\t\tgoto out_unlock;\n\n\tif (!compute_tsc_page_parameters(hv_clock, &hv->tsc_ref))\n\t\tgoto out_unlock;\n\n\t/* Ensure sequence is zero before writing the rest of the struct. */\n\tsmp_wmb();\n\tif (kvm_write_guest(kvm, gfn_to_gpa(gfn), &hv->tsc_ref, sizeof(hv->tsc_ref)))\n\t\tgoto out_unlock;\n\n\t/*\n\t * Now switch to the TSC page mechanism by writing the sequence.\n\t */\n\ttsc_seq++;\n\tif (tsc_seq == 0xFFFFFFFF || tsc_seq == 0)\n\t\ttsc_seq = 1;\n\n\t/* Write the struct entirely before the non-zero sequence. 
*/\n\tsmp_wmb();\n\n\thv->tsc_ref.tsc_sequence = tsc_seq;\n\tkvm_write_guest(kvm, gfn_to_gpa(gfn),\n\t\t\t&hv->tsc_ref, sizeof(hv->tsc_ref.tsc_sequence));\nout_unlock:\n\tmutex_unlock(&hv->hv_lock);\n}", "project": "linux", "hash": 147899953547684807565423801287828241903, "size": 59, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343487 }, { "func": "inline void Item_sp_variable::make_field(THD *thd, Send_field *field)\n{\n Item *it= this_item();\n\n if (name)\n it->set_name(thd, name, (uint) strlen(name), system_charset_info);\n else\n it->set_name(thd, m_name.str, (uint) m_name.length, system_charset_info);\n it->make_field(thd, field);\n}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 114607322402296037849422017977619141433, "size": 10, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509087 }, { "func": " void make_field(THD *thd, Send_field *field) { item->make_field(thd, field); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 198986890435943598206093847597294990059, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509103 }, { "func": " void make_field(THD *thd, Send_field *)\n {\n illegal_method_call((const char*)\"make_field\");\n };", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 205939033868220750091698159443829204709, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509304 }, { "func": " virtual void make_field(THD *thd, Send_field *field)\n { orig_item->make_field(thd, field); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 301896862625880747092944836989650610749, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509377 }, { "func": "static int ecryptfs_decrypt_extent(struct page *page,\n\t\t\t\t struct ecryptfs_crypt_stat *crypt_stat,\n\t\t\t\t struct page *enc_extent_page,\n\t\t\t\t unsigned long extent_offset)\n{\n\tloff_t extent_base;\n\tchar extent_iv[ECRYPTFS_MAX_IV_BYTES];\n\tint rc;\n\n\textent_base = (((loff_t)page->index)\n\t\t * (PAGE_CACHE_SIZE / crypt_stat->extent_size));\n\trc = ecryptfs_derive_iv(extent_iv, crypt_stat,\n\t\t\t\t(extent_base + extent_offset));\n\tif (rc) {\n\t\tecryptfs_printk(KERN_ERR, \"Error attempting to \"\n\t\t\t\t\"derive IV for extent [0x%.16x]; \"\n\t\t\t\t\"rc = [%d]\\n\", (extent_base + extent_offset),\n\t\t\t\trc);\n\t\tgoto out;\n\t}\n\tif (unlikely(ecryptfs_verbosity > 0)) {\n\t\tecryptfs_printk(KERN_DEBUG, \"Decrypting extent \"\n\t\t\t\t\"with iv:\\n\");\n\t\tecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes);\n\t\tecryptfs_printk(KERN_DEBUG, \"First 8 bytes before \"\n\t\t\t\t\"decryption:\\n\");\n\t\tecryptfs_dump_hex((char *)\n\t\t\t\t (page_address(enc_extent_page)\n\t\t\t\t + (extent_offset * crypt_stat->extent_size)),\n\t\t\t\t 8);\n\t}\n\trc = ecryptfs_decrypt_page_offset(crypt_stat, page,\n\t\t\t\t\t (extent_offset\n\t\t\t\t\t * crypt_stat->extent_size),\n\t\t\t\t\t enc_extent_page, 0,\n\t\t\t\t\t crypt_stat->extent_size, extent_iv);\n\tif (rc < 0) {\n\t\tprintk(KERN_ERR \"%s: Error attempting to decrypt to page with \"\n\t\t \"page->index = [%ld], extent_offset = [%ld]; \"\n\t\t \"rc = [%d]\\n\", __func__, page->index, extent_offset,\n\t\t rc);\n\t\tgoto out;\n\t}\n\trc = 0;\n\tif (unlikely(ecryptfs_verbosity > 0)) {\n\t\tecryptfs_printk(KERN_DEBUG, \"Decrypt extent [0x%.16x]; \"\n\t\t\t\t\"rc = [%d]\\n\", (extent_base + extent_offset),\n\t\t\t\trc);\n\t\tecryptfs_printk(KERN_DEBUG, \"First 8 bytes after 
\"\n\t\t\t\t\"decryption:\\n\");\n\t\tecryptfs_dump_hex((char *)(page_address(page)\n\t\t\t\t\t + (extent_offset\n\t\t\t\t\t * crypt_stat->extent_size)), 8);\n\t}\nout:\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 277507154161495951053926748122234541093, "size": 57, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. 
Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490156 }, { "func": "int parse_arguments(int *argc_p, const char ***argv_p)\n{\n\tstatic poptContext pc;\n\tchar *ref = lp_refuse_options(module_id);\n\tconst char *arg, **argv = *argv_p;\n\tint argc = *argc_p;\n\tint opt;\n\n\tif (ref && *ref)\n\t\tset_refuse_options(ref);\n\tif (am_daemon) {\n\t\tset_refuse_options(\"log-file*\");\n#ifdef ICONV_OPTION\n\t\tif (!*lp_charset(module_id))\n\t\t\tset_refuse_options(\"iconv\");\n#endif\n\t}\n\n#ifdef ICONV_OPTION\n\tif (!am_daemon && protect_args <= 0 && (arg = getenv(\"RSYNC_ICONV\")) != NULL && *arg)\n\t\ticonv_opt = strdup(arg);\n#endif\n\n\t/* TODO: Call poptReadDefaultConfig; handle errors. */\n\n\t/* The context leaks in case of an error, but if there's a\n\t * problem we always exit anyhow. */\n\tif (pc)\n\t\tpoptFreeContext(pc);\n\tpc = poptGetContext(RSYNC_NAME, argc, argv, long_options, 0);\n\tif (!am_server) {\n\t\tpoptReadDefaultConfig(pc, 0);\n\t\tpopt_unalias(pc, \"--daemon\");\n\t\tpopt_unalias(pc, \"--server\");\n\t}\n\n\twhile ((opt = poptGetNextOpt(pc)) != -1) {\n\t\t/* most options are handled automatically by popt;\n\t\t * only special cases are returned and listed here. */\n\n\t\tswitch (opt) {\n\t\tcase OPT_VERSION:\n\t\t\tprint_rsync_version(FINFO);\n\t\t\texit_cleanup(0);\n\n\t\tcase OPT_SERVER:\n\t\t\tif (!am_server) {\n\t\t\t\t/* Disable popt aliases on the server side and\n\t\t\t\t * then start parsing the options again. 
*/\n\t\t\t\tpoptFreeContext(pc);\n\t\t\t\tpc = poptGetContext(RSYNC_NAME, argc, argv,\n\t\t\t\t\t\t long_options, 0);\n\t\t\t\tam_server = 1;\n\t\t\t}\n#ifdef ICONV_OPTION\n\t\t\ticonv_opt = NULL;\n#endif\n\t\t\tbreak;\n\n\t\tcase OPT_SENDER:\n\t\t\tif (!am_server) {\n\t\t\t\tusage(FERROR);\n\t\t\t\texit_cleanup(RERR_SYNTAX);\n\t\t\t}\n\t\t\tam_sender = 1;\n\t\t\tbreak;\n\n\t\tcase OPT_DAEMON:\n\t\t\tif (am_daemon) {\n\t\t\t\tstrlcpy(err_buf,\n\t\t\t\t\t\"Attempt to hack rsync thwarted!\\n\",\n\t\t\t\t\tsizeof err_buf);\n\t\t\t\treturn 0;\n\t\t\t}\n#ifdef ICONV_OPTION\n\t\t\ticonv_opt = NULL;\n#endif\n\t\t\tprotect_args = 0;\n\t\t\tpoptFreeContext(pc);\n\t\t\tpc = poptGetContext(RSYNC_NAME, argc, argv,\n\t\t\t\t\t long_daemon_options, 0);\n\t\t\twhile ((opt = poptGetNextOpt(pc)) != -1) {\n\t\t\t\tchar **cpp;\n\t\t\t\tswitch (opt) {\n\t\t\t\tcase 'h':\n\t\t\t\t\tdaemon_usage(FINFO);\n\t\t\t\t\texit_cleanup(0);\n\n\t\t\t\tcase 'M':\n\t\t\t\t\targ = poptGetOptArg(pc);\n\t\t\t\t\tif (!strchr(arg, '=')) {\n\t\t\t\t\t\trprintf(FERROR,\n\t\t\t\t\t\t \"--dparam value is missing an '=': %s\\n\",\n\t\t\t\t\t\t arg);\n\t\t\t\t\t\tgoto daemon_error;\n\t\t\t\t\t}\n\t\t\t\t\tcpp = EXPAND_ITEM_LIST(&dparam_list, char *, 4);\n\t\t\t\t\t*cpp = strdup(arg);\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase 'v':\n\t\t\t\t\tverbose++;\n\t\t\t\t\tbreak;\n\n\t\t\t\tdefault:\n\t\t\t\t\trprintf(FERROR,\n\t\t\t\t\t \"rsync: %s: %s (in daemon mode)\\n\",\n\t\t\t\t\t poptBadOption(pc, POPT_BADOPTION_NOALIAS),\n\t\t\t\t\t poptStrerror(opt));\n\t\t\t\t\tgoto daemon_error;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (dparam_list.count && !set_dparams(1))\n\t\t\t\texit_cleanup(RERR_SYNTAX);\n\n\t\t\tif (tmpdir && strlen(tmpdir) >= MAXPATHLEN - 10) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t \"the --temp-dir path is WAY too long.\\n\");\n\t\t\t\treturn 0;\n\t\t\t}\n\n\t\t\tif (!daemon_opt) {\n\t\t\t\trprintf(FERROR, \"Daemon option(s) used without --daemon.\\n\");\n\t\t\t 
daemon_error:\n\t\t\t\trprintf(FERROR,\n\t\t\t\t \"(Type \\\"rsync --daemon --help\\\" for assistance with daemon mode.)\\n\");\n\t\t\t\texit_cleanup(RERR_SYNTAX);\n\t\t\t}\n\n\t\t\t*argv_p = argv = poptGetArgs(pc);\n\t\t\t*argc_p = argc = count_args(argv);\n\t\t\tam_starting_up = 0;\n\t\t\tdaemon_opt = 0;\n\t\t\tam_daemon = 1;\n\t\t\treturn 1;\n\n\t\tcase OPT_MODIFY_WINDOW:\n\t\t\t/* The value has already been set by popt, but\n\t\t\t * we need to remember that we're using a\n\t\t\t * non-default setting. */\n\t\t\tmodify_window_set = 1;\n\t\t\tbreak;\n\n\t\tcase OPT_FILTER:\n\t\t\tparse_filter_str(&filter_list, poptGetOptArg(pc),\n\t\t\t\t\trule_template(0), 0);\n\t\t\tbreak;\n\n\t\tcase OPT_EXCLUDE:\n\t\t\tparse_filter_str(&filter_list, poptGetOptArg(pc),\n\t\t\t\t\trule_template(0), XFLG_OLD_PREFIXES);\n\t\t\tbreak;\n\n\t\tcase OPT_INCLUDE:\n\t\t\tparse_filter_str(&filter_list, poptGetOptArg(pc),\n\t\t\t\t\trule_template(FILTRULE_INCLUDE), XFLG_OLD_PREFIXES);\n\t\t\tbreak;\n\n\t\tcase OPT_EXCLUDE_FROM:\n\t\tcase OPT_INCLUDE_FROM:\n\t\t\targ = poptGetOptArg(pc);\n\t\t\tif (sanitize_paths)\n\t\t\t\targ = sanitize_path(NULL, arg, NULL, 0, SP_DEFAULT);\n\t\t\tif (daemon_filter_list.head) {\n\t\t\t\tint rej;\n\t\t\t\tchar *cp = strdup(arg);\n\t\t\t\tif (!cp)\n\t\t\t\t\tout_of_memory(\"parse_arguments\");\n\t\t\t\tif (!*cp)\n\t\t\t\t\trej = 1;\n\t\t\t\telse {\n\t\t\t\t\tchar *dir = cp + (*cp == '/' ? module_dirlen : 0);\n\t\t\t\t\tclean_fname(dir, CFN_COLLAPSE_DOT_DOT_DIRS);\n\t\t\t\t\trej = check_filter(&daemon_filter_list, FLOG, dir, 0) < 0;\n\t\t\t\t}\n\t\t\t\tfree(cp);\n\t\t\t\tif (rej)\n\t\t\t\t\tgoto options_rejected;\n\t\t\t}\n\t\t\tparse_filter_file(&filter_list, arg,\n\t\t\t\trule_template(opt == OPT_INCLUDE_FROM ? 
FILTRULE_INCLUDE : 0),\n\t\t\t\tXFLG_FATAL_ERRORS | XFLG_OLD_PREFIXES);\n\t\t\tbreak;\n\n\t\tcase 'a':\n\t\t\tif (refused_archive_part) {\n\t\t\t\tcreate_refuse_error(refused_archive_part);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tif (!recurse) /* preserve recurse == 2 */\n\t\t\t\trecurse = 1;\n#ifdef SUPPORT_LINKS\n\t\t\tpreserve_links = 1;\n#endif\n\t\t\tpreserve_perms = 1;\n\t\t\tpreserve_times = 1;\n\t\t\tpreserve_gid = 1;\n\t\t\tpreserve_uid = 1;\n\t\t\tpreserve_devices = 1;\n\t\t\tpreserve_specials = 1;\n\t\t\tbreak;\n\n\t\tcase 'D':\n\t\t\tpreserve_devices = preserve_specials = 1;\n\t\t\tbreak;\n\n\t\tcase OPT_NO_D:\n\t\t\tpreserve_devices = preserve_specials = 0;\n\t\t\tbreak;\n\n\t\tcase 'h':\n\t\t\thuman_readable++;\n\t\t\tbreak;\n\n\t\tcase 'H':\n\t\t\tpreserve_hard_links++;\n\t\t\tbreak;\n\n\t\tcase 'i':\n\t\t\titemize_changes++;\n\t\t\tbreak;\n\n\t\tcase 'v':\n\t\t\tverbose++;\n\t\t\tbreak;\n\n\t\tcase 'y':\n\t\t\tfuzzy_basis++;\n\t\t\tbreak;\n\n\t\tcase 'q':\n\t\t\tquiet++;\n\t\t\tbreak;\n\n\t\tcase 'x':\n\t\t\tone_file_system++;\n\t\t\tbreak;\n\n\t\tcase 'F':\n\t\t\tswitch (++F_option_cnt) {\n\t\t\tcase 1:\n\t\t\t\tparse_filter_str(&filter_list,\": /.rsync-filter\",rule_template(0),0);\n\t\t\t\tbreak;\n\t\t\tcase 2:\n\t\t\t\tparse_filter_str(&filter_list,\"- .rsync-filter\",rule_template(0),0);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase 'P':\n\t\t\tif (refused_partial || refused_progress) {\n\t\t\t\tcreate_refuse_error(refused_partial\n\t\t\t\t ? 
refused_partial : refused_progress);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tdo_progress = 1;\n\t\t\tkeep_partial = 1;\n\t\t\tbreak;\n\n\t\tcase 'z':\n\t\t\tdo_compression++;\n\t\t\tbreak;\n\n\t\tcase 'M':\n\t\t\targ = poptGetOptArg(pc);\n\t\t\tif (*arg != '-') {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\"Remote option must start with a dash: %s\\n\", arg);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tif (remote_option_cnt+2 >= remote_option_alloc) {\n\t\t\t\tremote_option_alloc += 16;\n\t\t\t\tremote_options = realloc_array(remote_options,\n\t\t\t\t\t\t\tconst char *, remote_option_alloc);\n\t\t\t\tif (!remote_options)\n\t\t\t\t\tout_of_memory(\"parse_arguments\");\n\t\t\t\tif (!remote_option_cnt)\n\t\t\t\t\tremote_options[0] = \"ARG0\";\n\t\t\t}\n\t\t\tremote_options[++remote_option_cnt] = arg;\n\t\t\tremote_options[remote_option_cnt+1] = NULL;\n\t\t\tbreak;\n\n\t\tcase OPT_WRITE_BATCH:\n\t\t\t/* batch_name is already set */\n\t\t\twrite_batch = 1;\n\t\t\tbreak;\n\n\t\tcase OPT_ONLY_WRITE_BATCH:\n\t\t\t/* batch_name is already set */\n\t\t\twrite_batch = -1;\n\t\t\tbreak;\n\n\t\tcase OPT_READ_BATCH:\n\t\t\t/* batch_name is already set */\n\t\t\tread_batch = 1;\n\t\t\tbreak;\n\n\t\tcase OPT_NO_ICONV:\n#ifdef ICONV_OPTION\n\t\t\ticonv_opt = NULL;\n#endif\n\t\t\tbreak;\n\n\t\tcase OPT_MAX_SIZE:\n\t\t\tif ((max_size = parse_size_arg(&max_size_arg, 'b')) < 0) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\"--max-size value is invalid: %s\\n\",\n\t\t\t\t\tmax_size_arg);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase OPT_MIN_SIZE:\n\t\t\tif ((min_size = parse_size_arg(&min_size_arg, 'b')) < 0) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\"--min-size value is invalid: %s\\n\",\n\t\t\t\t\tmin_size_arg);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase OPT_BWLIMIT:\n\t\t\t{\n\t\t\t\tOFF_T limit = parse_size_arg(&bwlimit_arg, 'K');\n\t\t\t\tif (limit < 0) {\n\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\t\"--bwlimit value is 
invalid: %s\\n\", bwlimit_arg);\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t\tbwlimit = (limit + 512) / 1024;\n\t\t\t\tif (limit && !bwlimit) {\n\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\t\"--bwlimit value is too small: %s\\n\", bwlimit_arg);\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase OPT_APPEND:\n\t\t\tif (am_server)\n\t\t\t\tappend_mode++;\n\t\t\telse\n\t\t\t\tappend_mode = 1;\n\t\t\tbreak;\n\n\t\tcase OPT_LINK_DEST:\n#ifdef SUPPORT_HARD_LINKS\n\t\t\tlink_dest = 1;\n\t\t\tdest_option = \"--link-dest\";\n\t\t\tgoto set_dest_dir;\n#else\n\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t \"hard links are not supported on this %s\\n\",\n\t\t\t\t am_server ? \"server\" : \"client\");\n\t\t\treturn 0;\n#endif\n\n\t\tcase OPT_COPY_DEST:\n\t\t\tcopy_dest = 1;\n\t\t\tdest_option = \"--copy-dest\";\n\t\t\tgoto set_dest_dir;\n\n\t\tcase OPT_COMPARE_DEST:\n\t\t\tcompare_dest = 1;\n\t\t\tdest_option = \"--compare-dest\";\n\t\tset_dest_dir:\n\t\t\tif (basis_dir_cnt >= MAX_BASIS_DIRS) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\"ERROR: at most %d %s args may be specified\\n\",\n\t\t\t\t\tMAX_BASIS_DIRS, dest_option);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\t/* We defer sanitizing this arg until we know what\n\t\t\t * our destination directory is going to be. 
*/\n\t\t\tbasis_dir[basis_dir_cnt++] = (char *)poptGetOptArg(pc);\n\t\t\tbreak;\n\n\t\tcase OPT_CHMOD:\n\t\t\targ = poptGetOptArg(pc);\n\t\t\tif (!parse_chmod(arg, &chmod_modes)) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t \"Invalid argument passed to --chmod (%s)\\n\",\n\t\t\t\t arg);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase OPT_INFO:\n\t\t\targ = poptGetOptArg(pc);\n\t\t\tparse_output_words(info_words, info_levels, arg, USER_PRIORITY);\n\t\t\tbreak;\n\n\t\tcase OPT_DEBUG:\n\t\t\targ = poptGetOptArg(pc);\n\t\t\tparse_output_words(debug_words, debug_levels, arg, USER_PRIORITY);\n\t\t\tbreak;\n\n\t\tcase OPT_USERMAP:\n\t\t\tif (usermap) {\n\t\t\t\tif (usermap_via_chown) {\n\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t \"--usermap conflicts with prior --chown.\\n\");\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t \"You can only specify --usermap once.\\n\");\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tusermap = (char *)poptGetOptArg(pc);\n\t\t\tusermap_via_chown = False;\n\t\t\tbreak;\n\n\t\tcase OPT_GROUPMAP:\n\t\t\tif (groupmap) {\n\t\t\t\tif (groupmap_via_chown) {\n\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t \"--groupmap conflicts with prior --chown.\\n\");\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t \"You can only specify --groupmap once.\\n\");\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tgroupmap = (char *)poptGetOptArg(pc);\n\t\t\tgroupmap_via_chown = False;\n\t\t\tbreak;\n\n\t\tcase OPT_CHOWN: {\n\t\t\tconst char *chown = poptGetOptArg(pc);\n\t\t\tint len;\n\t\t\tif ((arg = strchr(chown, ':')) != NULL)\n\t\t\t\tlen = arg++ - chown;\n\t\t\telse\n\t\t\t\tlen = strlen(chown);\n\t\t\tif (len) {\n\t\t\t\tif (usermap) {\n\t\t\t\t\tif (!usermap_via_chown) {\n\t\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\t \"--chown conflicts with prior --usermap.\\n\");\n\t\t\t\t\t\treturn 0;\n\t\t\t\t\t}\n\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t \"You 
can only specify a user-affecting --chown once.\\n\");\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t\tif (asprintf(&usermap, \"*:%.*s\", len, chown) < 0)\n\t\t\t\t\tout_of_memory(\"parse_arguments\");\n\t\t\t\tusermap_via_chown = True;\n\t\t\t}\n\t\t\tif (arg && *arg) {\n\t\t\t\tif (groupmap) {\n\t\t\t\t\tif (!groupmap_via_chown) {\n\t\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\t \"--chown conflicts with prior --groupmap.\\n\");\n\t\t\t\t\t\treturn 0;\n\t\t\t\t\t}\n\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t \"You can only specify a group-affecting --chown once.\\n\");\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t\tif (asprintf(&groupmap, \"*:%s\", arg) < 0)\n\t\t\t\t\tout_of_memory(\"parse_arguments\");\n\t\t\t\tgroupmap_via_chown = True;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\n\t\tcase OPT_HELP:\n\t\t\tusage(FINFO);\n\t\t\texit_cleanup(0);\n\n\t\tcase 'A':\n#ifdef SUPPORT_ACLS\n\t\t\tpreserve_acls = 1;\n\t\t\tpreserve_perms = 1;\n\t\t\tbreak;\n#else\n\t\t\t/* FIXME: this should probably be ignored with a\n\t\t\t * warning and then countermeasures taken to\n\t\t\t * restrict group and other access in the presence\n\t\t\t * of any more restrictive ACLs, but this is safe\n\t\t\t * for now */\n\t\t\tsnprintf(err_buf,sizeof(err_buf),\n \"ACLs are not supported on this %s\\n\",\n\t\t\t\t am_server ? \"server\" : \"client\");\n\t\t\treturn 0;\n#endif\n\n\t\tcase 'X':\n#ifdef SUPPORT_XATTRS\n\t\t\tpreserve_xattrs++;\n\t\t\tbreak;\n#else\n\t\t\tsnprintf(err_buf,sizeof(err_buf),\n\t\t\t\t \"extended attributes are not supported on this %s\\n\",\n\t\t\t\t am_server ? \"server\" : \"client\");\n\t\t\treturn 0;\n#endif\n\n\t\tdefault:\n\t\t\t/* A large opt value means that set_refuse_options()\n\t\t\t * turned this option off. */\n\t\t\tif (opt >= OPT_REFUSED_BASE) {\n\t\t\t\tcreate_refuse_error(opt);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tsnprintf(err_buf, sizeof err_buf, \"%s%s: %s\\n\",\n\t\t\t\t am_server ? 
\"on remote machine: \" : \"\",\n\t\t\t\t poptBadOption(pc, POPT_BADOPTION_NOALIAS),\n\t\t\t\t poptStrerror(opt));\n\t\t\treturn 0;\n\t\t}\n\t}\n\n\tif (protect_args < 0) {\n\t\tif (am_server)\n\t\t\tprotect_args = 0;\n\t\telse if ((arg = getenv(\"RSYNC_PROTECT_ARGS\")) != NULL && *arg)\n\t\t\tprotect_args = atoi(arg) ? 1 : 0;\n\t\telse {\n#ifdef RSYNC_USE_PROTECTED_ARGS\n\t\t\tprotect_args = 1;\n#else\n\t\t\tprotect_args = 0;\n#endif\n\t\t}\n\t}\n\n\tif (checksum_choice && strcmp(checksum_choice, \"auto\") != 0 && strcmp(checksum_choice, \"auto,auto\") != 0) {\n\t\t/* Call this early to verify the args and figure out if we need to force\n\t\t * --whole-file. Note that the parse function will get called again later,\n\t\t * just in case an \"auto\" choice needs to know the protocol_version. */\n\t\tif (parse_checksum_choice())\n\t\t\twhole_file = 1;\n\t} else\n\t\tchecksum_choice = NULL;\n\n\tif (human_readable > 1 && argc == 2 && !am_server) {\n\t\t/* Allow the old meaning of 'h' (--help) on its own. */\n\t\tusage(FINFO);\n\t\texit_cleanup(0);\n\t}\n\n\tif (do_compression || def_compress_level != NOT_SPECIFIED) {\n\t\tif (def_compress_level == NOT_SPECIFIED)\n\t\t\tdef_compress_level = Z_DEFAULT_COMPRESSION;\n\t\telse if (def_compress_level < Z_DEFAULT_COMPRESSION || def_compress_level > Z_BEST_COMPRESSION) {\n\t\t\tsnprintf(err_buf, sizeof err_buf, \"--compress-level value is invalid: %d\\n\",\n\t\t\t\t def_compress_level);\n\t\t\treturn 0;\n\t\t} else if (def_compress_level == Z_NO_COMPRESSION)\n\t\t\tdo_compression = 0;\n\t\telse if (!do_compression)\n\t\t\tdo_compression = 1;\n\t\tif (do_compression && refused_compress) {\n\t\t\tcreate_refuse_error(refused_compress);\n\t\t\treturn 0;\n\t\t}\n#ifdef EXTERNAL_ZLIB\n\t\tif (do_compression == 1) {\n\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\"This rsync lacks old-style --compress due to its external zlib. 
Try -zz.\\n\");\n\t\t\tif (am_server)\n\t\t\t\treturn 0;\n\t\t\tfprintf(stderr, \"%s\" \"Continuing without compression.\\n\\n\", err_buf);\n\t\t\tdo_compression = 0;\n\t\t}\n#endif\n\t}\n\n#ifdef HAVE_SETVBUF\n\tif (outbuf_mode && !am_server) {\n\t\tint mode = *(uchar *)outbuf_mode;\n\t\tif (islower(mode))\n\t\t\tmode = toupper(mode);\n\t\tfflush(stdout); /* Just in case... */\n\t\tswitch (mode) {\n\t\tcase 'N': /* None */\n\t\tcase 'U': /* Unbuffered */\n\t\t\tmode = _IONBF;\n\t\t\tbreak;\n\t\tcase 'L': /* Line */\n\t\t\tmode = _IOLBF;\n\t\t\tbreak;\n\t\tcase 'B': /* Block */\n\t\tcase 'F': /* Full */\n\t\t\tmode = _IOFBF;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\"Invalid --outbuf setting -- specify N, L, or B.\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tsetvbuf(stdout, (char *)NULL, mode, 0);\n\t}\n\n\tif (msgs2stderr) {\n\t\t/* Make stderr line buffered for better sharing of the stream. */\n\t\tfflush(stderr); /* Just in case... */\n\t\tsetvbuf(stderr, (char *)NULL, _IOLBF, 0);\n\t}\n#endif\n\n\tset_output_verbosity(verbose, DEFAULT_PRIORITY);\n\n\tif (do_stats) {\n\t\tparse_output_words(info_words, info_levels,\n\t\t\tverbose > 1 ? \"stats3\" : \"stats2\", DEFAULT_PRIORITY);\n\t}\n\n#ifdef ICONV_OPTION\n\tif (iconv_opt && protect_args != 2) {\n\t\tif (!am_server && strcmp(iconv_opt, \"-\") == 0)\n\t\t\ticonv_opt = NULL;\n\t\telse\n\t\t\tneed_unsorted_flist = 1;\n\t}\n\tif (refused_no_iconv && !iconv_opt) {\n\t\tcreate_refuse_error(refused_no_iconv);\n\t\treturn 0;\n\t}\n#endif\n\n\tif (fuzzy_basis > 1)\n\t\tfuzzy_basis = basis_dir_cnt + 1;\n\n\tif (protect_args == 1 && am_server)\n\t\treturn 1;\n\n\t*argv_p = argv = poptGetArgs(pc);\n\t*argc_p = argc = count_args(argv);\n\n#ifndef SUPPORT_LINKS\n\tif (preserve_links && !am_sender) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t \"symlinks are not supported on this %s\\n\",\n\t\t\t am_server ? 
\"server\" : \"client\");\n\t\treturn 0;\n\t}\n#endif\n\n#ifndef SUPPORT_HARD_LINKS\n\tif (preserve_hard_links) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t \"hard links are not supported on this %s\\n\",\n\t\t\t am_server ? \"server\" : \"client\");\n\t\treturn 0;\n\t}\n#endif\n\n#ifdef SUPPORT_XATTRS\n\tif (am_root < 0 && preserve_xattrs > 1) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t \"--fake-super conflicts with -XX\\n\");\n\t\treturn 0;\n\t}\n#else\n\tif (am_root < 0) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t \"--fake-super requires an rsync with extended attributes enabled\\n\");\n\t\treturn 0;\n\t}\n#endif\n\n\tif (block_size > MAX_BLOCK_SIZE) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t \"--block-size=%lu is too large (max: %u)\\n\", block_size, MAX_BLOCK_SIZE);\n\t\treturn 0;\n\t}\n\n\tif (write_batch && read_batch) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"--write-batch and --read-batch can not be used together\\n\");\n\t\treturn 0;\n\t}\n\tif (write_batch > 0 || read_batch) {\n\t\tif (am_server) {\n\t\t\trprintf(FINFO,\n\t\t\t\t\"ignoring --%s-batch option sent to server\\n\",\n\t\t\t\twrite_batch ? \"write\" : \"read\");\n\t\t\t/* We don't actually exit_cleanup(), so that we can\n\t\t\t * still service older version clients that still send\n\t\t\t * batch args to server. */\n\t\t\tread_batch = write_batch = 0;\n\t\t\tbatch_name = NULL;\n\t\t} else if (dry_run)\n\t\t\twrite_batch = 0;\n\t} else if (write_batch < 0 && dry_run)\n\t\twrite_batch = 0;\n\tif (read_batch && files_from) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"--read-batch cannot be used with --files-from\\n\");\n\t\treturn 0;\n\t}\n\tif (read_batch && remove_source_files) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"--read-batch cannot be used with --remove-%s-files\\n\",\n\t\t\tremove_source_files == 1 ? 
\"source\" : \"sent\");\n\t\treturn 0;\n\t}\n\tif (batch_name && strlen(batch_name) > MAX_BATCH_NAME_LEN) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"the batch-file name must be %d characters or less.\\n\",\n\t\t\tMAX_BATCH_NAME_LEN);\n\t\treturn 0;\n\t}\n\n\tif (tmpdir && strlen(tmpdir) >= MAXPATHLEN - 10) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t \"the --temp-dir path is WAY too long.\\n\");\n\t\treturn 0;\n\t}\n\n\tif (max_delete < 0 && max_delete != INT_MIN) {\n\t\t/* Negative numbers are treated as \"no deletions\". */\n\t\tmax_delete = 0;\n\t}\n\n\tif (compare_dest + copy_dest + link_dest > 1) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"You may not mix --compare-dest, --copy-dest, and --link-dest.\\n\");\n\t\treturn 0;\n\t}\n\n\tif (files_from) {\n\t\tif (recurse == 1) /* preserve recurse == 2 */\n\t\t\trecurse = 0;\n\t\tif (xfer_dirs < 0)\n\t\t\txfer_dirs = 1;\n\t}\n\n\tif (argc < 2 && !read_batch && !am_server)\n\t\tlist_only |= 1;\n\n\tif (xfer_dirs >= 4) {\n\t\tparse_filter_str(&filter_list, \"- /*/*\", rule_template(0), 0);\n\t\trecurse = xfer_dirs = 1;\n\t} else if (recurse)\n\t\txfer_dirs = 1;\n\telse if (xfer_dirs < 0)\n\t\txfer_dirs = list_only ? 1 : 0;\n\n\tif (relative_paths < 0)\n\t\trelative_paths = files_from? 1 : 0;\n\tif (!relative_paths)\n\t\timplied_dirs = 0;\n\n\tif (delete_before + !!delete_during + delete_after > 1) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"You may not combine multiple --delete-WHEN options.\\n\");\n\t\treturn 0;\n\t}\n\tif (delete_before || delete_during || delete_after)\n\t\tdelete_mode = 1;\n\telse if (delete_mode || delete_excluded) {\n\t\t/* Only choose now between before & during if one is refused. 
*/\n\t\tif (refused_delete_before) {\n\t\t\tif (!refused_delete_during)\n\t\t\t\tdelete_during = 1;\n\t\t\telse {\n\t\t\t\tcreate_refuse_error(refused_delete_before);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t} else if (refused_delete_during)\n\t\t\tdelete_before = 1;\n\t\tdelete_mode = 1;\n\t}\n\tif (!xfer_dirs && delete_mode) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"--delete does not work without --recursive (-r) or --dirs (-d).\\n\");\n\t\treturn 0;\n\t}\n\n\tif (missing_args == 3) /* simplify if both options were specified */\n\t\tmissing_args = 2;\n\tif (refused_delete && (delete_mode || missing_args == 2)) {\n\t\tcreate_refuse_error(refused_delete);\n\t\treturn 0;\n\t}\n\n\tif (remove_source_files) {\n\t\t/* We only want to infer this refusal of --remove-source-files\n\t\t * via the refusal of \"delete\", not any of the \"delete-FOO\"\n\t\t * options. */\n\t\tif (refused_delete && am_sender) {\n\t\t\tcreate_refuse_error(refused_delete);\n\t\t\treturn 0;\n\t\t}\n\t\tneed_messages_from_generator = 1;\n\t}\n\n\tif (munge_symlinks && !am_daemon) {\n\t\tSTRUCT_STAT st;\n\t\tchar prefix[SYMLINK_PREFIX_LEN]; /* NOT +1 ! */\n\t\tstrlcpy(prefix, SYMLINK_PREFIX, sizeof prefix); /* trim the trailing slash */\n\t\tif (do_stat(prefix, &st) == 0 && S_ISDIR(st.st_mode)) {\n\t\t\trprintf(FERROR, \"Symlink munging is unsafe when a %s directory exists.\\n\",\n\t\t\t\tprefix);\n\t\t\texit_cleanup(RERR_UNSUPPORTED);\n\t\t}\n\t}\n\n\tif (sanitize_paths) {\n\t\tint i;\n\t\tfor (i = argc; i-- > 0; )\n\t\t\targv[i] = sanitize_path(NULL, argv[i], \"\", 0, SP_KEEP_DOT_DIRS);\n\t\tif (tmpdir)\n\t\t\ttmpdir = sanitize_path(NULL, tmpdir, NULL, 0, SP_DEFAULT);\n\t\tif (backup_dir)\n\t\t\tbackup_dir = sanitize_path(NULL, backup_dir, NULL, 0, SP_DEFAULT);\n\t}\n\tif (daemon_filter_list.head && !am_sender) {\n\t\tfilter_rule_list *elp = &daemon_filter_list;\n\t\tif (tmpdir) {\n\t\t\tchar *dir;\n\t\t\tif (!*tmpdir)\n\t\t\t\tgoto options_rejected;\n\t\t\tdir = tmpdir + (*tmpdir == '/' ? 
module_dirlen : 0);\n\t\t\tclean_fname(dir, CFN_COLLAPSE_DOT_DOT_DIRS);\n\t\t\tif (check_filter(elp, FLOG, dir, 1) < 0)\n\t\t\t\tgoto options_rejected;\n\t\t}\n\t\tif (backup_dir) {\n\t\t\tchar *dir;\n\t\t\tif (!*backup_dir)\n\t\t\t\tgoto options_rejected;\n\t\t\tdir = backup_dir + (*backup_dir == '/' ? module_dirlen : 0);\n\t\t\tclean_fname(dir, CFN_COLLAPSE_DOT_DOT_DIRS);\n\t\t\tif (check_filter(elp, FLOG, dir, 1) < 0)\n\t\t\t\tgoto options_rejected;\n\t\t}\n\t}\n\n\tif (!backup_suffix)\n\t\tbackup_suffix = backup_dir ? \"\" : BACKUP_SUFFIX;\n\tbackup_suffix_len = strlen(backup_suffix);\n\tif (strchr(backup_suffix, '/') != NULL) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"--suffix cannot contain slashes: %s\\n\",\n\t\t\tbackup_suffix);\n\t\treturn 0;\n\t}\n\tif (backup_dir) {\n\t\tsize_t len;\n\t\twhile (*backup_dir == '.' && backup_dir[1] == '/')\n\t\t\tbackup_dir += 2;\n\t\tif (*backup_dir == '.' && backup_dir[1] == '\\0')\n\t\t\tbackup_dir++;\n\t\tlen = strlcpy(backup_dir_buf, backup_dir, sizeof backup_dir_buf);\n\t\tif (len > sizeof backup_dir_buf - 128) {\n\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\"the --backup-dir path is WAY too long.\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tbackup_dir_len = (int)len;\n\t\tif (!backup_dir_len) {\n\t\t\tbackup_dir_len = -1;\n\t\t\tbackup_dir = NULL;\n\t\t} else if (backup_dir_buf[backup_dir_len - 1] != '/') {\n\t\t\tbackup_dir_buf[backup_dir_len++] = '/';\n\t\t\tbackup_dir_buf[backup_dir_len] = '\\0';\n\t\t}\n\t\tbackup_dir_remainder = sizeof backup_dir_buf - backup_dir_len;\n\t}\n\tif (backup_dir) {\n\t\t/* No need for a suffix or a protect rule. */\n\t} else if (!backup_suffix_len && (!am_server || !am_sender)) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"--suffix cannot be empty %s\\n\", backup_dir_len < 0\n\t\t\t? 
\"when --backup-dir is the same as the dest dir\"\n\t\t\t: \"without a --backup-dir\");\n\t\treturn 0;\n\t} else if (make_backups && delete_mode && !delete_excluded && !am_server) {\n\t\tsnprintf(backup_dir_buf, sizeof backup_dir_buf,\n\t\t\t\"P *%s\", backup_suffix);\n\t\tparse_filter_str(&filter_list, backup_dir_buf, rule_template(0), 0);\n\t}\n\n\tif (preserve_times) {\n\t\tpreserve_times = PRESERVE_FILE_TIMES;\n\t\tif (!omit_dir_times)\n\t\t\tpreserve_times |= PRESERVE_DIR_TIMES;\n#ifdef CAN_SET_SYMLINK_TIMES\n\t\tif (!omit_link_times)\n\t\t\tpreserve_times |= PRESERVE_LINK_TIMES;\n#endif\n\t}\n\n\tif (make_backups && !backup_dir) {\n\t\tomit_dir_times = 0; /* Implied, so avoid -O to sender. */\n\t\tpreserve_times &= ~PRESERVE_DIR_TIMES;\n\t}\n\n\tif (stdout_format) {\n\t\tif (am_server && log_format_has(stdout_format, 'I'))\n\t\t\tstdout_format_has_i = 2;\n\t\telse if (log_format_has(stdout_format, 'i'))\n\t\t\tstdout_format_has_i = itemize_changes | 1;\n\t\tif (!log_format_has(stdout_format, 'b')\n\t\t && !log_format_has(stdout_format, 'c')\n\t\t && !log_format_has(stdout_format, 'C'))\n\t\t\tlog_before_transfer = !am_server;\n\t} else if (itemize_changes) {\n\t\tstdout_format = \"%i %n%L\";\n\t\tstdout_format_has_i = itemize_changes;\n\t\tlog_before_transfer = !am_server;\n\t}\n\n\tif (do_progress && !am_server) {\n\t\tif (!log_before_transfer && INFO_EQ(NAME, 0))\n\t\t\tparse_output_words(info_words, info_levels, \"name\", DEFAULT_PRIORITY);\n\t\tparse_output_words(info_words, info_levels, \"flist2,progress\", DEFAULT_PRIORITY);\n\t}\n\n\tif (dry_run)\n\t\tdo_xfers = 0;\n\n\tset_io_timeout(io_timeout);\n\n\tif (INFO_GTE(NAME, 1) && !stdout_format) {\n\t\tstdout_format = \"%n%L\";\n\t\tlog_before_transfer = !am_server;\n\t}\n\tif (stdout_format_has_i || log_format_has(stdout_format, 'o'))\n\t\tstdout_format_has_o_or_i = 1;\n\n\tif (logfile_name && !am_daemon) {\n\t\tif (!logfile_format) {\n\t\t\tlogfile_format = \"%i %n%L\";\n\t\t\tlogfile_format_has_i = 
logfile_format_has_o_or_i = 1;\n\t\t} else {\n\t\t\tif (log_format_has(logfile_format, 'i'))\n\t\t\t\tlogfile_format_has_i = 1;\n\t\t\tif (logfile_format_has_i || log_format_has(logfile_format, 'o'))\n\t\t\t\tlogfile_format_has_o_or_i = 1;\n\t\t}\n\t\tlog_init(0);\n\t} else if (!am_daemon)\n\t\tlogfile_format = NULL;\n\n\tif (daemon_bwlimit && (!bwlimit || bwlimit > daemon_bwlimit))\n\t\tbwlimit = daemon_bwlimit;\n\tif (bwlimit) {\n\t\tbwlimit_writemax = (size_t)bwlimit * 128;\n\t\tif (bwlimit_writemax < 512)\n\t\t\tbwlimit_writemax = 512;\n\t}\n\n\tif (append_mode) {\n\t\tif (whole_file > 0) {\n\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t \"--append cannot be used with --whole-file\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tif (refused_inplace) {\n\t\t\tcreate_refuse_error(refused_inplace);\n\t\t\treturn 0;\n\t\t}\n\t\tinplace = 1;\n\t}\n\n\tif (delay_updates && !partial_dir)\n\t\tpartial_dir = tmp_partialdir;\n\n\tif (inplace) {\n#ifdef HAVE_FTRUNCATE\n\t\tif (partial_dir) {\n\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t \"--%s cannot be used with --%s\\n\",\n\t\t\t\t append_mode ? \"append\" : \"inplace\",\n\t\t\t\t delay_updates ? \"delay-updates\" : \"partial-dir\");\n\t\t\treturn 0;\n\t\t}\n\t\t/* --inplace implies --partial for refusal purposes, but we\n\t\t * clear the keep_partial flag for internal logic purposes. */\n\t\tif (refused_partial) {\n\t\t\tcreate_refuse_error(refused_partial);\n\t\t\treturn 0;\n\t\t}\n\t\tkeep_partial = 0;\n#else\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t \"--%s is not supported on this %s\\n\",\n\t\t\t append_mode ? \"append\" : \"inplace\",\n\t\t\t am_server ? 
\"server\" : \"client\");\n\t\treturn 0;\n#endif\n\t} else {\n\t\tif (keep_partial && !partial_dir && !am_server) {\n\t\t\tif ((arg = getenv(\"RSYNC_PARTIAL_DIR\")) != NULL && *arg)\n\t\t\t\tpartial_dir = strdup(arg);\n\t\t}\n\t\tif (partial_dir) {\n\t\t\tif (*partial_dir)\n\t\t\t\tclean_fname(partial_dir, CFN_COLLAPSE_DOT_DOT_DIRS);\n\t\t\tif (!*partial_dir || strcmp(partial_dir, \".\") == 0)\n\t\t\t\tpartial_dir = NULL;\n\t\t\tif (!partial_dir && refused_partial) {\n\t\t\t\tcreate_refuse_error(refused_partial);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tkeep_partial = 1;\n\t\t}\n\t}\n\n\tif (files_from) {\n\t\tchar *h, *p;\n\t\tint q;\n\t\tif (argc > 2 || (!am_daemon && !am_server && argc == 1)) {\n\t\t\tusage(FERROR);\n\t\t\texit_cleanup(RERR_SYNTAX);\n\t\t}\n\t\tif (strcmp(files_from, \"-\") == 0) {\n\t\t\tfilesfrom_fd = 0;\n\t\t\tif (am_server)\n\t\t\t\tfilesfrom_host = \"\"; /* reading from socket */\n\t\t} else if ((p = check_for_hostspec(files_from, &h, &q)) != 0) {\n\t\t\tif (am_server) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\"The --files-from sent to the server cannot specify a host.\\n\");\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tfiles_from = p;\n\t\t\tfilesfrom_host = h;\n\t\t\tif (strcmp(files_from, \"-\") == 0) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\"Invalid --files-from remote filename\\n\");\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t} else {\n\t\t\tif (sanitize_paths)\n\t\t\t\tfiles_from = sanitize_path(NULL, files_from, NULL, 0, SP_DEFAULT);\n\t\t\tif (daemon_filter_list.head) {\n\t\t\t\tchar *dir;\n\t\t\t\tif (!*files_from)\n\t\t\t\t\tgoto options_rejected;\n\t\t\t\tdir = files_from + (*files_from == '/' ? 
module_dirlen : 0);\n\t\t\t\tclean_fname(dir, CFN_COLLAPSE_DOT_DOT_DIRS);\n\t\t\t\tif (check_filter(&daemon_filter_list, FLOG, dir, 0) < 0)\n\t\t\t\t\tgoto options_rejected;\n\t\t\t}\n\t\t\tfilesfrom_fd = open(files_from, O_RDONLY|O_BINARY);\n\t\t\tif (filesfrom_fd < 0) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\"failed to open files-from file %s: %s\\n\",\n\t\t\t\t\tfiles_from, strerror(errno));\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t}\n\t}\n\n\tam_starting_up = 0;\n\n\treturn 1;\n\n options_rejected:\n\tsnprintf(err_buf, sizeof err_buf,\n\t\t\"Your options have been rejected by the server.\\n\");\n\treturn 0;\n}", "project": "rsync", "hash": 282111307716565365896500155152540425903, "size": 1062, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 1, "dataset": "other", "idx": 204749 }, { "func": "int parse_arguments(int *argc_p, const char ***argv_p)\n{\n\tstatic poptContext pc;\n\tchar *ref = lp_refuse_options(module_id);\n\tconst char *arg, **argv = *argv_p;\n\tint argc = *argc_p;\n\tint opt;\n\tint orig_protect_args = protect_args;\n\n\tif (ref && *ref)\n\t\tset_refuse_options(ref);\n\tif (am_daemon) {\n\t\tset_refuse_options(\"log-file*\");\n#ifdef ICONV_OPTION\n\t\tif (!*lp_charset(module_id))\n\t\t\tset_refuse_options(\"iconv\");\n#endif\n\t}\n\n#ifdef ICONV_OPTION\n\tif (!am_daemon && protect_args <= 0 && (arg = getenv(\"RSYNC_ICONV\")) != NULL && *arg)\n\t\ticonv_opt = strdup(arg);\n#endif\n\n\t/* TODO: Call poptReadDefaultConfig; handle errors. 
*/\n\n\t/* The context leaks in case of an error, but if there's a\n\t * problem we always exit anyhow. */\n\tif (pc)\n\t\tpoptFreeContext(pc);\n\tpc = poptGetContext(RSYNC_NAME, argc, argv, long_options, 0);\n\tif (!am_server) {\n\t\tpoptReadDefaultConfig(pc, 0);\n\t\tpopt_unalias(pc, \"--daemon\");\n\t\tpopt_unalias(pc, \"--server\");\n\t}\n\n\twhile ((opt = poptGetNextOpt(pc)) != -1) {\n\t\t/* most options are handled automatically by popt;\n\t\t * only special cases are returned and listed here. */\n\n\t\tswitch (opt) {\n\t\tcase OPT_VERSION:\n\t\t\tprint_rsync_version(FINFO);\n\t\t\texit_cleanup(0);\n\n\t\tcase OPT_SERVER:\n\t\t\tif (!am_server) {\n\t\t\t\t/* Disable popt aliases on the server side and\n\t\t\t\t * then start parsing the options again. */\n\t\t\t\tpoptFreeContext(pc);\n\t\t\t\tpc = poptGetContext(RSYNC_NAME, argc, argv,\n\t\t\t\t\t\t long_options, 0);\n\t\t\t\tam_server = 1;\n\t\t\t}\n#ifdef ICONV_OPTION\n\t\t\ticonv_opt = NULL;\n#endif\n\t\t\tbreak;\n\n\t\tcase OPT_SENDER:\n\t\t\tif (!am_server) {\n\t\t\t\tusage(FERROR);\n\t\t\t\texit_cleanup(RERR_SYNTAX);\n\t\t\t}\n\t\t\tam_sender = 1;\n\t\t\tbreak;\n\n\t\tcase OPT_DAEMON:\n\t\t\tif (am_daemon) {\n\t\t\t\tstrlcpy(err_buf,\n\t\t\t\t\t\"Attempt to hack rsync thwarted!\\n\",\n\t\t\t\t\tsizeof err_buf);\n\t\t\t\treturn 0;\n\t\t\t}\n#ifdef ICONV_OPTION\n\t\t\ticonv_opt = NULL;\n#endif\n\t\t\tprotect_args = 0;\n\t\t\tpoptFreeContext(pc);\n\t\t\tpc = poptGetContext(RSYNC_NAME, argc, argv,\n\t\t\t\t\t long_daemon_options, 0);\n\t\t\twhile ((opt = poptGetNextOpt(pc)) != -1) {\n\t\t\t\tchar **cpp;\n\t\t\t\tswitch (opt) {\n\t\t\t\tcase 'h':\n\t\t\t\t\tdaemon_usage(FINFO);\n\t\t\t\t\texit_cleanup(0);\n\n\t\t\t\tcase 'M':\n\t\t\t\t\targ = poptGetOptArg(pc);\n\t\t\t\t\tif (!strchr(arg, '=')) {\n\t\t\t\t\t\trprintf(FERROR,\n\t\t\t\t\t\t \"--dparam value is missing an '=': %s\\n\",\n\t\t\t\t\t\t arg);\n\t\t\t\t\t\tgoto daemon_error;\n\t\t\t\t\t}\n\t\t\t\t\tcpp = EXPAND_ITEM_LIST(&dparam_list, char *, 
4);\n\t\t\t\t\t*cpp = strdup(arg);\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase 'v':\n\t\t\t\t\tverbose++;\n\t\t\t\t\tbreak;\n\n\t\t\t\tdefault:\n\t\t\t\t\trprintf(FERROR,\n\t\t\t\t\t \"rsync: %s: %s (in daemon mode)\\n\",\n\t\t\t\t\t poptBadOption(pc, POPT_BADOPTION_NOALIAS),\n\t\t\t\t\t poptStrerror(opt));\n\t\t\t\t\tgoto daemon_error;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (dparam_list.count && !set_dparams(1))\n\t\t\t\texit_cleanup(RERR_SYNTAX);\n\n\t\t\tif (tmpdir && strlen(tmpdir) >= MAXPATHLEN - 10) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t \"the --temp-dir path is WAY too long.\\n\");\n\t\t\t\treturn 0;\n\t\t\t}\n\n\t\t\tif (!daemon_opt) {\n\t\t\t\trprintf(FERROR, \"Daemon option(s) used without --daemon.\\n\");\n\t\t\t daemon_error:\n\t\t\t\trprintf(FERROR,\n\t\t\t\t \"(Type \\\"rsync --daemon --help\\\" for assistance with daemon mode.)\\n\");\n\t\t\t\texit_cleanup(RERR_SYNTAX);\n\t\t\t}\n\n\t\t\t*argv_p = argv = poptGetArgs(pc);\n\t\t\t*argc_p = argc = count_args(argv);\n\t\t\tam_starting_up = 0;\n\t\t\tdaemon_opt = 0;\n\t\t\tam_daemon = 1;\n\t\t\treturn 1;\n\n\t\tcase OPT_MODIFY_WINDOW:\n\t\t\t/* The value has already been set by popt, but\n\t\t\t * we need to remember that we're using a\n\t\t\t * non-default setting. 
*/\n\t\t\tmodify_window_set = 1;\n\t\t\tbreak;\n\n\t\tcase OPT_FILTER:\n\t\t\tparse_filter_str(&filter_list, poptGetOptArg(pc),\n\t\t\t\t\trule_template(0), 0);\n\t\t\tbreak;\n\n\t\tcase OPT_EXCLUDE:\n\t\t\tparse_filter_str(&filter_list, poptGetOptArg(pc),\n\t\t\t\t\trule_template(0), XFLG_OLD_PREFIXES);\n\t\t\tbreak;\n\n\t\tcase OPT_INCLUDE:\n\t\t\tparse_filter_str(&filter_list, poptGetOptArg(pc),\n\t\t\t\t\trule_template(FILTRULE_INCLUDE), XFLG_OLD_PREFIXES);\n\t\t\tbreak;\n\n\t\tcase OPT_EXCLUDE_FROM:\n\t\tcase OPT_INCLUDE_FROM:\n\t\t\targ = poptGetOptArg(pc);\n\t\t\tif (sanitize_paths)\n\t\t\t\targ = sanitize_path(NULL, arg, NULL, 0, SP_DEFAULT);\n\t\t\tif (daemon_filter_list.head) {\n\t\t\t\tint rej;\n\t\t\t\tchar *cp = strdup(arg);\n\t\t\t\tif (!cp)\n\t\t\t\t\tout_of_memory(\"parse_arguments\");\n\t\t\t\tif (!*cp)\n\t\t\t\t\trej = 1;\n\t\t\t\telse {\n\t\t\t\t\tchar *dir = cp + (*cp == '/' ? module_dirlen : 0);\n\t\t\t\t\tclean_fname(dir, CFN_COLLAPSE_DOT_DOT_DIRS);\n\t\t\t\t\trej = check_filter(&daemon_filter_list, FLOG, dir, 0) < 0;\n\t\t\t\t}\n\t\t\t\tfree(cp);\n\t\t\t\tif (rej)\n\t\t\t\t\tgoto options_rejected;\n\t\t\t}\n\t\t\tparse_filter_file(&filter_list, arg,\n\t\t\t\trule_template(opt == OPT_INCLUDE_FROM ? 
FILTRULE_INCLUDE : 0),\n\t\t\t\tXFLG_FATAL_ERRORS | XFLG_OLD_PREFIXES);\n\t\t\tbreak;\n\n\t\tcase 'a':\n\t\t\tif (refused_archive_part) {\n\t\t\t\tcreate_refuse_error(refused_archive_part);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tif (!recurse) /* preserve recurse == 2 */\n\t\t\t\trecurse = 1;\n#ifdef SUPPORT_LINKS\n\t\t\tpreserve_links = 1;\n#endif\n\t\t\tpreserve_perms = 1;\n\t\t\tpreserve_times = 1;\n\t\t\tpreserve_gid = 1;\n\t\t\tpreserve_uid = 1;\n\t\t\tpreserve_devices = 1;\n\t\t\tpreserve_specials = 1;\n\t\t\tbreak;\n\n\t\tcase 'D':\n\t\t\tpreserve_devices = preserve_specials = 1;\n\t\t\tbreak;\n\n\t\tcase OPT_NO_D:\n\t\t\tpreserve_devices = preserve_specials = 0;\n\t\t\tbreak;\n\n\t\tcase 'h':\n\t\t\thuman_readable++;\n\t\t\tbreak;\n\n\t\tcase 'H':\n\t\t\tpreserve_hard_links++;\n\t\t\tbreak;\n\n\t\tcase 'i':\n\t\t\titemize_changes++;\n\t\t\tbreak;\n\n\t\tcase 'v':\n\t\t\tverbose++;\n\t\t\tbreak;\n\n\t\tcase 'y':\n\t\t\tfuzzy_basis++;\n\t\t\tbreak;\n\n\t\tcase 'q':\n\t\t\tquiet++;\n\t\t\tbreak;\n\n\t\tcase 'x':\n\t\t\tone_file_system++;\n\t\t\tbreak;\n\n\t\tcase 'F':\n\t\t\tswitch (++F_option_cnt) {\n\t\t\tcase 1:\n\t\t\t\tparse_filter_str(&filter_list,\": /.rsync-filter\",rule_template(0),0);\n\t\t\t\tbreak;\n\t\t\tcase 2:\n\t\t\t\tparse_filter_str(&filter_list,\"- .rsync-filter\",rule_template(0),0);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase 'P':\n\t\t\tif (refused_partial || refused_progress) {\n\t\t\t\tcreate_refuse_error(refused_partial\n\t\t\t\t ? 
refused_partial : refused_progress);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tdo_progress = 1;\n\t\t\tkeep_partial = 1;\n\t\t\tbreak;\n\n\t\tcase 'z':\n\t\t\tdo_compression++;\n\t\t\tbreak;\n\n\t\tcase 'M':\n\t\t\targ = poptGetOptArg(pc);\n\t\t\tif (*arg != '-') {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\"Remote option must start with a dash: %s\\n\", arg);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tif (remote_option_cnt+2 >= remote_option_alloc) {\n\t\t\t\tremote_option_alloc += 16;\n\t\t\t\tremote_options = realloc_array(remote_options,\n\t\t\t\t\t\t\tconst char *, remote_option_alloc);\n\t\t\t\tif (!remote_options)\n\t\t\t\t\tout_of_memory(\"parse_arguments\");\n\t\t\t\tif (!remote_option_cnt)\n\t\t\t\t\tremote_options[0] = \"ARG0\";\n\t\t\t}\n\t\t\tremote_options[++remote_option_cnt] = arg;\n\t\t\tremote_options[remote_option_cnt+1] = NULL;\n\t\t\tbreak;\n\n\t\tcase OPT_WRITE_BATCH:\n\t\t\t/* batch_name is already set */\n\t\t\twrite_batch = 1;\n\t\t\tbreak;\n\n\t\tcase OPT_ONLY_WRITE_BATCH:\n\t\t\t/* batch_name is already set */\n\t\t\twrite_batch = -1;\n\t\t\tbreak;\n\n\t\tcase OPT_READ_BATCH:\n\t\t\t/* batch_name is already set */\n\t\t\tread_batch = 1;\n\t\t\tbreak;\n\n\t\tcase OPT_NO_ICONV:\n#ifdef ICONV_OPTION\n\t\t\ticonv_opt = NULL;\n#endif\n\t\t\tbreak;\n\n\t\tcase OPT_MAX_SIZE:\n\t\t\tif ((max_size = parse_size_arg(&max_size_arg, 'b')) < 0) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\"--max-size value is invalid: %s\\n\",\n\t\t\t\t\tmax_size_arg);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase OPT_MIN_SIZE:\n\t\t\tif ((min_size = parse_size_arg(&min_size_arg, 'b')) < 0) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\"--min-size value is invalid: %s\\n\",\n\t\t\t\t\tmin_size_arg);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase OPT_BWLIMIT:\n\t\t\t{\n\t\t\t\tOFF_T limit = parse_size_arg(&bwlimit_arg, 'K');\n\t\t\t\tif (limit < 0) {\n\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\t\"--bwlimit value is 
invalid: %s\\n\", bwlimit_arg);\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t\tbwlimit = (limit + 512) / 1024;\n\t\t\t\tif (limit && !bwlimit) {\n\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\t\"--bwlimit value is too small: %s\\n\", bwlimit_arg);\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase OPT_APPEND:\n\t\t\tif (am_server)\n\t\t\t\tappend_mode++;\n\t\t\telse\n\t\t\t\tappend_mode = 1;\n\t\t\tbreak;\n\n\t\tcase OPT_LINK_DEST:\n#ifdef SUPPORT_HARD_LINKS\n\t\t\tlink_dest = 1;\n\t\t\tdest_option = \"--link-dest\";\n\t\t\tgoto set_dest_dir;\n#else\n\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t \"hard links are not supported on this %s\\n\",\n\t\t\t\t am_server ? \"server\" : \"client\");\n\t\t\treturn 0;\n#endif\n\n\t\tcase OPT_COPY_DEST:\n\t\t\tcopy_dest = 1;\n\t\t\tdest_option = \"--copy-dest\";\n\t\t\tgoto set_dest_dir;\n\n\t\tcase OPT_COMPARE_DEST:\n\t\t\tcompare_dest = 1;\n\t\t\tdest_option = \"--compare-dest\";\n\t\tset_dest_dir:\n\t\t\tif (basis_dir_cnt >= MAX_BASIS_DIRS) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\"ERROR: at most %d %s args may be specified\\n\",\n\t\t\t\t\tMAX_BASIS_DIRS, dest_option);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\t/* We defer sanitizing this arg until we know what\n\t\t\t * our destination directory is going to be. 
*/\n\t\t\tbasis_dir[basis_dir_cnt++] = (char *)poptGetOptArg(pc);\n\t\t\tbreak;\n\n\t\tcase OPT_CHMOD:\n\t\t\targ = poptGetOptArg(pc);\n\t\t\tif (!parse_chmod(arg, &chmod_modes)) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t \"Invalid argument passed to --chmod (%s)\\n\",\n\t\t\t\t arg);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase OPT_INFO:\n\t\t\targ = poptGetOptArg(pc);\n\t\t\tparse_output_words(info_words, info_levels, arg, USER_PRIORITY);\n\t\t\tbreak;\n\n\t\tcase OPT_DEBUG:\n\t\t\targ = poptGetOptArg(pc);\n\t\t\tparse_output_words(debug_words, debug_levels, arg, USER_PRIORITY);\n\t\t\tbreak;\n\n\t\tcase OPT_USERMAP:\n\t\t\tif (usermap) {\n\t\t\t\tif (usermap_via_chown) {\n\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t \"--usermap conflicts with prior --chown.\\n\");\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t \"You can only specify --usermap once.\\n\");\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tusermap = (char *)poptGetOptArg(pc);\n\t\t\tusermap_via_chown = False;\n\t\t\tbreak;\n\n\t\tcase OPT_GROUPMAP:\n\t\t\tif (groupmap) {\n\t\t\t\tif (groupmap_via_chown) {\n\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t \"--groupmap conflicts with prior --chown.\\n\");\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t \"You can only specify --groupmap once.\\n\");\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tgroupmap = (char *)poptGetOptArg(pc);\n\t\t\tgroupmap_via_chown = False;\n\t\t\tbreak;\n\n\t\tcase OPT_CHOWN: {\n\t\t\tconst char *chown = poptGetOptArg(pc);\n\t\t\tint len;\n\t\t\tif ((arg = strchr(chown, ':')) != NULL)\n\t\t\t\tlen = arg++ - chown;\n\t\t\telse\n\t\t\t\tlen = strlen(chown);\n\t\t\tif (len) {\n\t\t\t\tif (usermap) {\n\t\t\t\t\tif (!usermap_via_chown) {\n\t\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\t \"--chown conflicts with prior --usermap.\\n\");\n\t\t\t\t\t\treturn 0;\n\t\t\t\t\t}\n\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t \"You 
can only specify a user-affecting --chown once.\\n\");\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t\tif (asprintf(&usermap, \"*:%.*s\", len, chown) < 0)\n\t\t\t\t\tout_of_memory(\"parse_arguments\");\n\t\t\t\tusermap_via_chown = True;\n\t\t\t}\n\t\t\tif (arg && *arg) {\n\t\t\t\tif (groupmap) {\n\t\t\t\t\tif (!groupmap_via_chown) {\n\t\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\t \"--chown conflicts with prior --groupmap.\\n\");\n\t\t\t\t\t\treturn 0;\n\t\t\t\t\t}\n\t\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t \"You can only specify a group-affecting --chown once.\\n\");\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t\tif (asprintf(&groupmap, \"*:%s\", arg) < 0)\n\t\t\t\t\tout_of_memory(\"parse_arguments\");\n\t\t\t\tgroupmap_via_chown = True;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\n\t\tcase OPT_HELP:\n\t\t\tusage(FINFO);\n\t\t\texit_cleanup(0);\n\n\t\tcase 'A':\n#ifdef SUPPORT_ACLS\n\t\t\tpreserve_acls = 1;\n\t\t\tpreserve_perms = 1;\n\t\t\tbreak;\n#else\n\t\t\t/* FIXME: this should probably be ignored with a\n\t\t\t * warning and then countermeasures taken to\n\t\t\t * restrict group and other access in the presence\n\t\t\t * of any more restrictive ACLs, but this is safe\n\t\t\t * for now */\n\t\t\tsnprintf(err_buf,sizeof(err_buf),\n \"ACLs are not supported on this %s\\n\",\n\t\t\t\t am_server ? \"server\" : \"client\");\n\t\t\treturn 0;\n#endif\n\n\t\tcase 'X':\n#ifdef SUPPORT_XATTRS\n\t\t\tpreserve_xattrs++;\n\t\t\tbreak;\n#else\n\t\t\tsnprintf(err_buf,sizeof(err_buf),\n\t\t\t\t \"extended attributes are not supported on this %s\\n\",\n\t\t\t\t am_server ? \"server\" : \"client\");\n\t\t\treturn 0;\n#endif\n\n\t\tdefault:\n\t\t\t/* A large opt value means that set_refuse_options()\n\t\t\t * turned this option off. */\n\t\t\tif (opt >= OPT_REFUSED_BASE) {\n\t\t\t\tcreate_refuse_error(opt);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tsnprintf(err_buf, sizeof err_buf, \"%s%s: %s\\n\",\n\t\t\t\t am_server ? 
\"on remote machine: \" : \"\",\n\t\t\t\t poptBadOption(pc, POPT_BADOPTION_NOALIAS),\n\t\t\t\t poptStrerror(opt));\n\t\t\treturn 0;\n\t\t}\n\t}\n\n\tif (protect_args < 0) {\n\t\tif (am_server)\n\t\t\tprotect_args = 0;\n\t\telse if ((arg = getenv(\"RSYNC_PROTECT_ARGS\")) != NULL && *arg)\n\t\t\tprotect_args = atoi(arg) ? 1 : 0;\n\t\telse {\n#ifdef RSYNC_USE_PROTECTED_ARGS\n\t\t\tprotect_args = 1;\n#else\n\t\t\tprotect_args = 0;\n#endif\n\t\t}\n\t}\n\n\tif (checksum_choice && strcmp(checksum_choice, \"auto\") != 0 && strcmp(checksum_choice, \"auto,auto\") != 0) {\n\t\t/* Call this early to verify the args and figure out if we need to force\n\t\t * --whole-file. Note that the parse function will get called again later,\n\t\t * just in case an \"auto\" choice needs to know the protocol_version. */\n\t\tif (parse_checksum_choice())\n\t\t\twhole_file = 1;\n\t} else\n\t\tchecksum_choice = NULL;\n\n\tif (human_readable > 1 && argc == 2 && !am_server) {\n\t\t/* Allow the old meaning of 'h' (--help) on its own. */\n\t\tusage(FINFO);\n\t\texit_cleanup(0);\n\t}\n\n\tif (do_compression || def_compress_level != NOT_SPECIFIED) {\n\t\tif (def_compress_level == NOT_SPECIFIED)\n\t\t\tdef_compress_level = Z_DEFAULT_COMPRESSION;\n\t\telse if (def_compress_level < Z_DEFAULT_COMPRESSION || def_compress_level > Z_BEST_COMPRESSION) {\n\t\t\tsnprintf(err_buf, sizeof err_buf, \"--compress-level value is invalid: %d\\n\",\n\t\t\t\t def_compress_level);\n\t\t\treturn 0;\n\t\t} else if (def_compress_level == Z_NO_COMPRESSION)\n\t\t\tdo_compression = 0;\n\t\telse if (!do_compression)\n\t\t\tdo_compression = 1;\n\t\tif (do_compression && refused_compress) {\n\t\t\tcreate_refuse_error(refused_compress);\n\t\t\treturn 0;\n\t\t}\n#ifdef EXTERNAL_ZLIB\n\t\tif (do_compression == 1) {\n\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\"This rsync lacks old-style --compress due to its external zlib. 
Try -zz.\\n\");\n\t\t\tif (am_server)\n\t\t\t\treturn 0;\n\t\t\tfprintf(stderr, \"%s\" \"Continuing without compression.\\n\\n\", err_buf);\n\t\t\tdo_compression = 0;\n\t\t}\n#endif\n\t}\n\n#ifdef HAVE_SETVBUF\n\tif (outbuf_mode && !am_server) {\n\t\tint mode = *(uchar *)outbuf_mode;\n\t\tif (islower(mode))\n\t\t\tmode = toupper(mode);\n\t\tfflush(stdout); /* Just in case... */\n\t\tswitch (mode) {\n\t\tcase 'N': /* None */\n\t\tcase 'U': /* Unbuffered */\n\t\t\tmode = _IONBF;\n\t\t\tbreak;\n\t\tcase 'L': /* Line */\n\t\t\tmode = _IOLBF;\n\t\t\tbreak;\n\t\tcase 'B': /* Block */\n\t\tcase 'F': /* Full */\n\t\t\tmode = _IOFBF;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\"Invalid --outbuf setting -- specify N, L, or B.\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tsetvbuf(stdout, (char *)NULL, mode, 0);\n\t}\n\n\tif (msgs2stderr) {\n\t\t/* Make stderr line buffered for better sharing of the stream. */\n\t\tfflush(stderr); /* Just in case... */\n\t\tsetvbuf(stderr, (char *)NULL, _IOLBF, 0);\n\t}\n#endif\n\n\tset_output_verbosity(verbose, DEFAULT_PRIORITY);\n\n\tif (do_stats) {\n\t\tparse_output_words(info_words, info_levels,\n\t\t\tverbose > 1 ? 
\"stats3\" : \"stats2\", DEFAULT_PRIORITY);\n\t}\n\n#ifdef ICONV_OPTION\n\tif (iconv_opt && protect_args != 2) {\n\t\tif (!am_server && strcmp(iconv_opt, \"-\") == 0)\n\t\t\ticonv_opt = NULL;\n\t\telse\n\t\t\tneed_unsorted_flist = 1;\n\t}\n\tif (refused_no_iconv && !iconv_opt) {\n\t\tcreate_refuse_error(refused_no_iconv);\n\t\treturn 0;\n\t}\n#endif\n\n\tif (fuzzy_basis > 1)\n\t\tfuzzy_basis = basis_dir_cnt + 1;\n\n\t/* Don't let the client reset protect_args if it was already processed */\n\tif (orig_protect_args == 2 && am_server)\n\t\tprotect_args = orig_protect_args;\n\n\tif (protect_args == 1 && am_server)\n\t\treturn 1;\n\n\t*argv_p = argv = poptGetArgs(pc);\n\t*argc_p = argc = count_args(argv);\n\n#ifndef SUPPORT_LINKS\n\tif (preserve_links && !am_sender) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t \"symlinks are not supported on this %s\\n\",\n\t\t\t am_server ? \"server\" : \"client\");\n\t\treturn 0;\n\t}\n#endif\n\n#ifndef SUPPORT_HARD_LINKS\n\tif (preserve_hard_links) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t \"hard links are not supported on this %s\\n\",\n\t\t\t am_server ? 
\"server\" : \"client\");\n\t\treturn 0;\n\t}\n#endif\n\n#ifdef SUPPORT_XATTRS\n\tif (am_root < 0 && preserve_xattrs > 1) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t \"--fake-super conflicts with -XX\\n\");\n\t\treturn 0;\n\t}\n#else\n\tif (am_root < 0) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t \"--fake-super requires an rsync with extended attributes enabled\\n\");\n\t\treturn 0;\n\t}\n#endif\n\n\tif (block_size > MAX_BLOCK_SIZE) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t \"--block-size=%lu is too large (max: %u)\\n\", block_size, MAX_BLOCK_SIZE);\n\t\treturn 0;\n\t}\n\n\tif (write_batch && read_batch) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"--write-batch and --read-batch can not be used together\\n\");\n\t\treturn 0;\n\t}\n\tif (write_batch > 0 || read_batch) {\n\t\tif (am_server) {\n\t\t\trprintf(FINFO,\n\t\t\t\t\"ignoring --%s-batch option sent to server\\n\",\n\t\t\t\twrite_batch ? \"write\" : \"read\");\n\t\t\t/* We don't actually exit_cleanup(), so that we can\n\t\t\t * still service older version clients that still send\n\t\t\t * batch args to server. */\n\t\t\tread_batch = write_batch = 0;\n\t\t\tbatch_name = NULL;\n\t\t} else if (dry_run)\n\t\t\twrite_batch = 0;\n\t} else if (write_batch < 0 && dry_run)\n\t\twrite_batch = 0;\n\tif (read_batch && files_from) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"--read-batch cannot be used with --files-from\\n\");\n\t\treturn 0;\n\t}\n\tif (read_batch && remove_source_files) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"--read-batch cannot be used with --remove-%s-files\\n\",\n\t\t\tremove_source_files == 1 ? 
\"source\" : \"sent\");\n\t\treturn 0;\n\t}\n\tif (batch_name && strlen(batch_name) > MAX_BATCH_NAME_LEN) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"the batch-file name must be %d characters or less.\\n\",\n\t\t\tMAX_BATCH_NAME_LEN);\n\t\treturn 0;\n\t}\n\n\tif (tmpdir && strlen(tmpdir) >= MAXPATHLEN - 10) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t \"the --temp-dir path is WAY too long.\\n\");\n\t\treturn 0;\n\t}\n\n\tif (max_delete < 0 && max_delete != INT_MIN) {\n\t\t/* Negative numbers are treated as \"no deletions\". */\n\t\tmax_delete = 0;\n\t}\n\n\tif (compare_dest + copy_dest + link_dest > 1) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"You may not mix --compare-dest, --copy-dest, and --link-dest.\\n\");\n\t\treturn 0;\n\t}\n\n\tif (files_from) {\n\t\tif (recurse == 1) /* preserve recurse == 2 */\n\t\t\trecurse = 0;\n\t\tif (xfer_dirs < 0)\n\t\t\txfer_dirs = 1;\n\t}\n\n\tif (argc < 2 && !read_batch && !am_server)\n\t\tlist_only |= 1;\n\n\tif (xfer_dirs >= 4) {\n\t\tparse_filter_str(&filter_list, \"- /*/*\", rule_template(0), 0);\n\t\trecurse = xfer_dirs = 1;\n\t} else if (recurse)\n\t\txfer_dirs = 1;\n\telse if (xfer_dirs < 0)\n\t\txfer_dirs = list_only ? 1 : 0;\n\n\tif (relative_paths < 0)\n\t\trelative_paths = files_from? 1 : 0;\n\tif (!relative_paths)\n\t\timplied_dirs = 0;\n\n\tif (delete_before + !!delete_during + delete_after > 1) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"You may not combine multiple --delete-WHEN options.\\n\");\n\t\treturn 0;\n\t}\n\tif (delete_before || delete_during || delete_after)\n\t\tdelete_mode = 1;\n\telse if (delete_mode || delete_excluded) {\n\t\t/* Only choose now between before & during if one is refused. 
*/\n\t\tif (refused_delete_before) {\n\t\t\tif (!refused_delete_during)\n\t\t\t\tdelete_during = 1;\n\t\t\telse {\n\t\t\t\tcreate_refuse_error(refused_delete_before);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t} else if (refused_delete_during)\n\t\t\tdelete_before = 1;\n\t\tdelete_mode = 1;\n\t}\n\tif (!xfer_dirs && delete_mode) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"--delete does not work without --recursive (-r) or --dirs (-d).\\n\");\n\t\treturn 0;\n\t}\n\n\tif (missing_args == 3) /* simplify if both options were specified */\n\t\tmissing_args = 2;\n\tif (refused_delete && (delete_mode || missing_args == 2)) {\n\t\tcreate_refuse_error(refused_delete);\n\t\treturn 0;\n\t}\n\n\tif (remove_source_files) {\n\t\t/* We only want to infer this refusal of --remove-source-files\n\t\t * via the refusal of \"delete\", not any of the \"delete-FOO\"\n\t\t * options. */\n\t\tif (refused_delete && am_sender) {\n\t\t\tcreate_refuse_error(refused_delete);\n\t\t\treturn 0;\n\t\t}\n\t\tneed_messages_from_generator = 1;\n\t}\n\n\tif (munge_symlinks && !am_daemon) {\n\t\tSTRUCT_STAT st;\n\t\tchar prefix[SYMLINK_PREFIX_LEN]; /* NOT +1 ! */\n\t\tstrlcpy(prefix, SYMLINK_PREFIX, sizeof prefix); /* trim the trailing slash */\n\t\tif (do_stat(prefix, &st) == 0 && S_ISDIR(st.st_mode)) {\n\t\t\trprintf(FERROR, \"Symlink munging is unsafe when a %s directory exists.\\n\",\n\t\t\t\tprefix);\n\t\t\texit_cleanup(RERR_UNSUPPORTED);\n\t\t}\n\t}\n\n\tif (sanitize_paths) {\n\t\tint i;\n\t\tfor (i = argc; i-- > 0; )\n\t\t\targv[i] = sanitize_path(NULL, argv[i], \"\", 0, SP_KEEP_DOT_DIRS);\n\t\tif (tmpdir)\n\t\t\ttmpdir = sanitize_path(NULL, tmpdir, NULL, 0, SP_DEFAULT);\n\t\tif (backup_dir)\n\t\t\tbackup_dir = sanitize_path(NULL, backup_dir, NULL, 0, SP_DEFAULT);\n\t}\n\tif (daemon_filter_list.head && !am_sender) {\n\t\tfilter_rule_list *elp = &daemon_filter_list;\n\t\tif (tmpdir) {\n\t\t\tchar *dir;\n\t\t\tif (!*tmpdir)\n\t\t\t\tgoto options_rejected;\n\t\t\tdir = tmpdir + (*tmpdir == '/' ? 
module_dirlen : 0);\n\t\t\tclean_fname(dir, CFN_COLLAPSE_DOT_DOT_DIRS);\n\t\t\tif (check_filter(elp, FLOG, dir, 1) < 0)\n\t\t\t\tgoto options_rejected;\n\t\t}\n\t\tif (backup_dir) {\n\t\t\tchar *dir;\n\t\t\tif (!*backup_dir)\n\t\t\t\tgoto options_rejected;\n\t\t\tdir = backup_dir + (*backup_dir == '/' ? module_dirlen : 0);\n\t\t\tclean_fname(dir, CFN_COLLAPSE_DOT_DOT_DIRS);\n\t\t\tif (check_filter(elp, FLOG, dir, 1) < 0)\n\t\t\t\tgoto options_rejected;\n\t\t}\n\t}\n\n\tif (!backup_suffix)\n\t\tbackup_suffix = backup_dir ? \"\" : BACKUP_SUFFIX;\n\tbackup_suffix_len = strlen(backup_suffix);\n\tif (strchr(backup_suffix, '/') != NULL) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"--suffix cannot contain slashes: %s\\n\",\n\t\t\tbackup_suffix);\n\t\treturn 0;\n\t}\n\tif (backup_dir) {\n\t\tsize_t len;\n\t\twhile (*backup_dir == '.' && backup_dir[1] == '/')\n\t\t\tbackup_dir += 2;\n\t\tif (*backup_dir == '.' && backup_dir[1] == '\\0')\n\t\t\tbackup_dir++;\n\t\tlen = strlcpy(backup_dir_buf, backup_dir, sizeof backup_dir_buf);\n\t\tif (len > sizeof backup_dir_buf - 128) {\n\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\"the --backup-dir path is WAY too long.\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tbackup_dir_len = (int)len;\n\t\tif (!backup_dir_len) {\n\t\t\tbackup_dir_len = -1;\n\t\t\tbackup_dir = NULL;\n\t\t} else if (backup_dir_buf[backup_dir_len - 1] != '/') {\n\t\t\tbackup_dir_buf[backup_dir_len++] = '/';\n\t\t\tbackup_dir_buf[backup_dir_len] = '\\0';\n\t\t}\n\t\tbackup_dir_remainder = sizeof backup_dir_buf - backup_dir_len;\n\t}\n\tif (backup_dir) {\n\t\t/* No need for a suffix or a protect rule. */\n\t} else if (!backup_suffix_len && (!am_server || !am_sender)) {\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\"--suffix cannot be empty %s\\n\", backup_dir_len < 0\n\t\t\t? 
\"when --backup-dir is the same as the dest dir\"\n\t\t\t: \"without a --backup-dir\");\n\t\treturn 0;\n\t} else if (make_backups && delete_mode && !delete_excluded && !am_server) {\n\t\tsnprintf(backup_dir_buf, sizeof backup_dir_buf,\n\t\t\t\"P *%s\", backup_suffix);\n\t\tparse_filter_str(&filter_list, backup_dir_buf, rule_template(0), 0);\n\t}\n\n\tif (preserve_times) {\n\t\tpreserve_times = PRESERVE_FILE_TIMES;\n\t\tif (!omit_dir_times)\n\t\t\tpreserve_times |= PRESERVE_DIR_TIMES;\n#ifdef CAN_SET_SYMLINK_TIMES\n\t\tif (!omit_link_times)\n\t\t\tpreserve_times |= PRESERVE_LINK_TIMES;\n#endif\n\t}\n\n\tif (make_backups && !backup_dir) {\n\t\tomit_dir_times = 0; /* Implied, so avoid -O to sender. */\n\t\tpreserve_times &= ~PRESERVE_DIR_TIMES;\n\t}\n\n\tif (stdout_format) {\n\t\tif (am_server && log_format_has(stdout_format, 'I'))\n\t\t\tstdout_format_has_i = 2;\n\t\telse if (log_format_has(stdout_format, 'i'))\n\t\t\tstdout_format_has_i = itemize_changes | 1;\n\t\tif (!log_format_has(stdout_format, 'b')\n\t\t && !log_format_has(stdout_format, 'c')\n\t\t && !log_format_has(stdout_format, 'C'))\n\t\t\tlog_before_transfer = !am_server;\n\t} else if (itemize_changes) {\n\t\tstdout_format = \"%i %n%L\";\n\t\tstdout_format_has_i = itemize_changes;\n\t\tlog_before_transfer = !am_server;\n\t}\n\n\tif (do_progress && !am_server) {\n\t\tif (!log_before_transfer && INFO_EQ(NAME, 0))\n\t\t\tparse_output_words(info_words, info_levels, \"name\", DEFAULT_PRIORITY);\n\t\tparse_output_words(info_words, info_levels, \"flist2,progress\", DEFAULT_PRIORITY);\n\t}\n\n\tif (dry_run)\n\t\tdo_xfers = 0;\n\n\tset_io_timeout(io_timeout);\n\n\tif (INFO_GTE(NAME, 1) && !stdout_format) {\n\t\tstdout_format = \"%n%L\";\n\t\tlog_before_transfer = !am_server;\n\t}\n\tif (stdout_format_has_i || log_format_has(stdout_format, 'o'))\n\t\tstdout_format_has_o_or_i = 1;\n\n\tif (logfile_name && !am_daemon) {\n\t\tif (!logfile_format) {\n\t\t\tlogfile_format = \"%i %n%L\";\n\t\t\tlogfile_format_has_i = 
logfile_format_has_o_or_i = 1;\n\t\t} else {\n\t\t\tif (log_format_has(logfile_format, 'i'))\n\t\t\t\tlogfile_format_has_i = 1;\n\t\t\tif (logfile_format_has_i || log_format_has(logfile_format, 'o'))\n\t\t\t\tlogfile_format_has_o_or_i = 1;\n\t\t}\n\t\tlog_init(0);\n\t} else if (!am_daemon)\n\t\tlogfile_format = NULL;\n\n\tif (daemon_bwlimit && (!bwlimit || bwlimit > daemon_bwlimit))\n\t\tbwlimit = daemon_bwlimit;\n\tif (bwlimit) {\n\t\tbwlimit_writemax = (size_t)bwlimit * 128;\n\t\tif (bwlimit_writemax < 512)\n\t\t\tbwlimit_writemax = 512;\n\t}\n\n\tif (append_mode) {\n\t\tif (whole_file > 0) {\n\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t \"--append cannot be used with --whole-file\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tif (refused_inplace) {\n\t\t\tcreate_refuse_error(refused_inplace);\n\t\t\treturn 0;\n\t\t}\n\t\tinplace = 1;\n\t}\n\n\tif (delay_updates && !partial_dir)\n\t\tpartial_dir = tmp_partialdir;\n\n\tif (inplace) {\n#ifdef HAVE_FTRUNCATE\n\t\tif (partial_dir) {\n\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t \"--%s cannot be used with --%s\\n\",\n\t\t\t\t append_mode ? \"append\" : \"inplace\",\n\t\t\t\t delay_updates ? \"delay-updates\" : \"partial-dir\");\n\t\t\treturn 0;\n\t\t}\n\t\t/* --inplace implies --partial for refusal purposes, but we\n\t\t * clear the keep_partial flag for internal logic purposes. */\n\t\tif (refused_partial) {\n\t\t\tcreate_refuse_error(refused_partial);\n\t\t\treturn 0;\n\t\t}\n\t\tkeep_partial = 0;\n#else\n\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t \"--%s is not supported on this %s\\n\",\n\t\t\t append_mode ? \"append\" : \"inplace\",\n\t\t\t am_server ? 
\"server\" : \"client\");\n\t\treturn 0;\n#endif\n\t} else {\n\t\tif (keep_partial && !partial_dir && !am_server) {\n\t\t\tif ((arg = getenv(\"RSYNC_PARTIAL_DIR\")) != NULL && *arg)\n\t\t\t\tpartial_dir = strdup(arg);\n\t\t}\n\t\tif (partial_dir) {\n\t\t\tif (*partial_dir)\n\t\t\t\tclean_fname(partial_dir, CFN_COLLAPSE_DOT_DOT_DIRS);\n\t\t\tif (!*partial_dir || strcmp(partial_dir, \".\") == 0)\n\t\t\t\tpartial_dir = NULL;\n\t\t\tif (!partial_dir && refused_partial) {\n\t\t\t\tcreate_refuse_error(refused_partial);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tkeep_partial = 1;\n\t\t}\n\t}\n\n\tif (files_from) {\n\t\tchar *h, *p;\n\t\tint q;\n\t\tif (argc > 2 || (!am_daemon && !am_server && argc == 1)) {\n\t\t\tusage(FERROR);\n\t\t\texit_cleanup(RERR_SYNTAX);\n\t\t}\n\t\tif (strcmp(files_from, \"-\") == 0) {\n\t\t\tfilesfrom_fd = 0;\n\t\t\tif (am_server)\n\t\t\t\tfilesfrom_host = \"\"; /* reading from socket */\n\t\t} else if ((p = check_for_hostspec(files_from, &h, &q)) != 0) {\n\t\t\tif (am_server) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\"The --files-from sent to the server cannot specify a host.\\n\");\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tfiles_from = p;\n\t\t\tfilesfrom_host = h;\n\t\t\tif (strcmp(files_from, \"-\") == 0) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\"Invalid --files-from remote filename\\n\");\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t} else {\n\t\t\tif (sanitize_paths)\n\t\t\t\tfiles_from = sanitize_path(NULL, files_from, NULL, 0, SP_DEFAULT);\n\t\t\tif (daemon_filter_list.head) {\n\t\t\t\tchar *dir;\n\t\t\t\tif (!*files_from)\n\t\t\t\t\tgoto options_rejected;\n\t\t\t\tdir = files_from + (*files_from == '/' ? 
module_dirlen : 0);\n\t\t\t\tclean_fname(dir, CFN_COLLAPSE_DOT_DOT_DIRS);\n\t\t\t\tif (check_filter(&daemon_filter_list, FLOG, dir, 0) < 0)\n\t\t\t\t\tgoto options_rejected;\n\t\t\t}\n\t\t\tfilesfrom_fd = open(files_from, O_RDONLY|O_BINARY);\n\t\t\tif (filesfrom_fd < 0) {\n\t\t\t\tsnprintf(err_buf, sizeof err_buf,\n\t\t\t\t\t\"failed to open files-from file %s: %s\\n\",\n\t\t\t\t\tfiles_from, strerror(errno));\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t}\n\t}\n\n\tam_starting_up = 0;\n\n\treturn 1;\n\n options_rejected:\n\tsnprintf(err_buf, sizeof err_buf,\n\t\t\"Your options have been rejected by the server.\\n\");\n\treturn 0;\n}", "project": "rsync", "hash": 212765220547978151069862672879986367926, "size": 1067, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364670 }, { "func": "static inline void dec_slabs_node(struct kmem_cache *s, int node,\n\t\t\t\t\t\t\tint objects) {}", "project": "linux", "hash": 55216416415689568328483976602894782124, "size": 2, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280047 }, { "func": "static inline void dec_slabs_node(struct kmem_cache *s, int node, int objects)\n{\n\tstruct kmem_cache_node *n = get_node(s, node);\n\n\tatomic_long_dec(&n->nr_slabs);\n\tatomic_long_sub(objects, &n->total_objects);\n}", "project": "linux", "hash": 231844384924920601858829534051980264532, "size": 7, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280163 }, { "func": "int vfs_rmdir(struct inode *dir, struct dentry *dentry)\n{\n\tint error = may_delete(dir, dentry, 1);\n\n\tif (error)\n\t\treturn error;\n\n\tif (!dir->i_op->rmdir)\n\t\treturn -EPERM;\n\n\tdget(dentry);\n\tinode_lock(dentry->d_inode);\n\n\terror = -EBUSY;\n\tif (is_local_mountpoint(dentry))\n\t\tgoto out;\n\n\terror = security_inode_rmdir(dir, dentry);\n\tif (error)\n\t\tgoto out;\n\n\terror = dir->i_op->rmdir(dir, dentry);\n\tif (error)\n\t\tgoto out;\n\n\tshrink_dcache_parent(dentry);\n\tdentry->d_inode->i_flags |= S_DEAD;\n\tdont_mount(dentry);\n\tdetach_mounts(dentry);\n\tfsnotify_rmdir(dir, dentry);\n\nout:\n\tinode_unlock(dentry->d_inode);\n\tdput(dentry);\n\tif (!error)\n\t\td_delete(dentry);\n\treturn error;\n}", "project": "linux", "hash": 200489598155986536081419360570441471240, "size": 38, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295334 }, { "func": "TfLiteStatus ResizeAndTransposeWeights(TfLiteContext* context,\n const TfLiteTensor* weights,\n TfLiteTensor* transposed_weights) {\n TfLiteIntArray* transposed_weights_shape_array = TfLiteIntArrayCreate(4);\n const RuntimeShape& input_shape = GetTensorShape(weights);\n transposed_weights_shape_array->data[0] = input_shape.Dims(1);\n 
transposed_weights_shape_array->data[1] = input_shape.Dims(2);\n transposed_weights_shape_array->data[2] = input_shape.Dims(0);\n transposed_weights_shape_array->data[3] = input_shape.Dims(3);\n\n transposed_weights->type = weights->type;\n transposed_weights->allocation_type = kTfLiteDynamic;\n TF_LITE_ENSURE_STATUS(context->ResizeTensor(context, transposed_weights,\n transposed_weights_shape_array));\n\n // Transpose the weights from OHWI order to HWOI order.\n TransposeParams transpose_params;\n transpose_params.perm_count = 4;\n transpose_params.perm[0] = 1;\n transpose_params.perm[1] = 2;\n transpose_params.perm[2] = 0;\n transpose_params.perm[3] = 3;\n\n if (weights->type == kTfLiteFloat32) {\n optimized_ops::Transpose(transpose_params, input_shape,\n GetTensorData(weights),\n GetTensorShape(transposed_weights),\n GetTensorData(transposed_weights));\n } else if (weights->type == kTfLiteUInt8) {\n optimized_ops::Transpose(transpose_params, input_shape,\n GetTensorData(weights),\n GetTensorShape(transposed_weights),\n GetTensorData(transposed_weights));\n } else if (weights->type == kTfLiteInt8) {\n // int16 transpose_conv also with int8 weights\n optimized_ops::Transpose(transpose_params, input_shape,\n GetTensorData(weights),\n GetTensorShape(transposed_weights),\n GetTensorData(transposed_weights));\n } else {\n TF_LITE_KERNEL_LOG(\n context,\n \"Only float32, uint8, int8, int16 is supported currently, got %s.\",\n TfLiteTypeGetName(weights->type));\n return kTfLiteError;\n }\n\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 322272648503409007651090501985566092975, "size": 49, "commit_id": "801c1c6be5324219689c98e1bd3e0ca365ee834d", "message": "Fix another division by 0 in TFLite\n\nPiperOrigin-RevId: 370800181\nChange-Id: I924809166a6131f5075e6d45c455106538d755f9", "target": 0, "dataset": "other", "idx": 265427 }, { "func": "ExecutionStatus Interpreter::caseIteratorNext(\n Runtime *runtime,\n PinnedHermesValue *frameRegs,\n const inst::Inst *ip) 
{\n if (LLVM_LIKELY(O2REG(IteratorNext).isNumber())) {\n JSArray::size_type i =\n O2REG(IteratorNext).getNumberAs();\n if (i >= JSArray::getLength(vmcast(O3REG(IteratorNext)))) {\n // Finished iterating the array, stop.\n O2REG(IteratorNext) = HermesValue::encodeUndefinedValue();\n O1REG(IteratorNext) = HermesValue::encodeUndefinedValue();\n return ExecutionStatus::RETURNED;\n }\n Handle arr = Handle::vmcast(&O3REG(IteratorNext));\n {\n // Fast path: look up the property in indexed storage.\n // Runs when there is no hole and a regular non-accessor property exists\n // at the current index, because those are the only properties stored\n // in indexed storage.\n // If there is another kind of property we have to call getComputed_RJS.\n // No need to check the fastIndexProperties flag because the indexed\n // storage would be deleted and at() would return empty in that case.\n NoAllocScope noAlloc{runtime};\n HermesValue value = arr->at(runtime, i);\n if (LLVM_LIKELY(!value.isEmpty())) {\n O1REG(IteratorNext) = value;\n O2REG(IteratorNext) = HermesValue::encodeNumberValue(i + 1);\n return ExecutionStatus::RETURNED;\n }\n }\n // Slow path, just run the full getComputedPropertyValue_RJS path.\n GCScopeMarkerRAII marker{runtime};\n Handle<> idxHandle{&O2REG(IteratorNext)};\n CallResult> valueRes =\n JSObject::getComputed_RJS(arr, runtime, idxHandle);\n if (LLVM_UNLIKELY(valueRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n O1REG(IteratorNext) = valueRes->get();\n O2REG(IteratorNext) = HermesValue::encodeNumberValue(i + 1);\n return ExecutionStatus::RETURNED;\n }\n if (LLVM_UNLIKELY(O2REG(IteratorNext).isUndefined())) {\n // In all current use cases of IteratorNext, we check and branch away\n // from IteratorNext in the case that iterStorage was set to undefined\n // (which indicates completion of iteration).\n // If we introduce a use case which allows calling IteratorNext,\n // then this assert can be removed. 
For now, this branch just returned\n // undefined in NDEBUG mode.\n assert(false && \"IteratorNext called on completed iterator\");\n O1REG(IteratorNext) = HermesValue::encodeUndefinedValue();\n return ExecutionStatus::RETURNED;\n }\n\n GCScopeMarkerRAII marker{runtime};\n\n IteratorRecord iterRecord{Handle::vmcast(&O2REG(IteratorNext)),\n Handle::vmcast(&O3REG(IteratorNext))};\n\n CallResult> resultObjRes =\n iteratorNext(runtime, iterRecord, llvh::None);\n if (LLVM_UNLIKELY(resultObjRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n Handle resultObj = runtime->makeHandle(std::move(*resultObjRes));\n CallResult> doneRes = JSObject::getNamed_RJS(\n resultObj, runtime, Predefined::getSymbolID(Predefined::done));\n if (LLVM_UNLIKELY(doneRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n if (toBoolean(doneRes->get())) {\n // Done with iteration. Clear the iterator so that subsequent\n // instructions do not call next() or return().\n O2REG(IteratorNext) = HermesValue::encodeUndefinedValue();\n O1REG(IteratorNext) = HermesValue::encodeUndefinedValue();\n } else {\n // Not done iterating, so get the `value` property and store it\n // as the result.\n CallResult> propRes = JSObject::getNamed_RJS(\n resultObj, runtime, Predefined::getSymbolID(Predefined::value));\n if (LLVM_UNLIKELY(propRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n O1REG(IteratorNext) = propRes->get();\n propRes->invalidate();\n }\n return ExecutionStatus::RETURNED;\n}", "project": "hermes", "hash": 289055434363663091237873428140858721694, "size": 88, "commit_id": "b2021df620824627f5a8c96615edbd1eb7fdddfc", "message": "Fix CVE-2020-1914 by using NEXTINST for SaveGeneratorLong\n\nSummary:\nIf `SaveGeneratorLong` was emitted, it would accidentally jump to the\nwrong next instruction, based on how long SaveGenerator was.\n\nMake a callout function to handle the common case, and handle the dispatch\nwithin each case 
of the interpreter loop.\n\nFixes CVE-2020-1914\n\nReviewed By: neildhar\n\nDifferential Revision: D24024242\n\nfbshipit-source-id: 3bcb88daa740f0d50e91771a49eb212551ce8bd8", "target": 0, "dataset": "other", "idx": 295510 }, { "func": "static void tty_update_time(struct timespec64 *time)\n{\n\ttime64_t sec = ktime_get_real_seconds();\n\n\t/*\n\t * We only care if the two values differ in anything other than the\n\t * lower three bits (i.e every 8 seconds). If so, then we can update\n\t * the time of the tty device, otherwise it could be construded as a\n\t * security leak to let userspace know the exact timing of the tty.\n\t */\n\tif ((sec ^ time->tv_sec) & ~7)\n\t\ttime->tv_sec = sec;\n}", "project": "linux", "hash": 11283664237658105440588870395422109694, "size": 13, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326050 }, { "func": "static void encode_write(struct xdr_stream *xdr, const struct nfs_pgio_args *args,\n\t\t\t struct compound_hdr *hdr)\n{\n\t__be32 *p;\n\n\tencode_op_hdr(xdr, OP_WRITE, decode_write_maxsz, hdr);\n\tencode_nfs4_stateid(xdr, &args->stateid);\n\n\tp = reserve_space(xdr, 16);\n\tp = xdr_encode_hyper(p, args->offset);\n\t*p++ = cpu_to_be32(args->stable);\n\t*p = cpu_to_be32(args->count);\n\n\txdr_write_pages(xdr, args->pages, args->pgbase, args->count);\n}", "project": "linux", "hash": 97608840943031834292940540500430581146, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431540 }, { "func": "static OPJ_BOOL opj_j2k_write_all_qcc(\n opj_j2k_t *p_j2k,\n struct opj_stream_private *p_stream,\n struct opj_event_mgr * p_manager)\n{\n 
OPJ_UINT32 compno;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n for (compno = 1; compno < p_j2k->m_private_image->numcomps; ++compno) {\n /* qcd is first component of first tile */\n if (! opj_j2k_compare_qcc(p_j2k, 0, compno)) {\n if (! opj_j2k_write_qcc(p_j2k, compno, p_stream, p_manager)) {\n return OPJ_FALSE;\n }\n }\n }\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 11138743903389430226884945401820905676, "size": 22, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357364 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::uninitialize()\n{\n ASSERT(isMainThread());\n\n if (!isInitialized())\n return;\n\n m_isInitialized = false;\n\n m_destinationNode->uninitialize();\n\n if (!isOfflineContext()) {\n ASSERT(s_hardwareContextCount);\n --s_hardwareContextCount;\n }\n\n derefUnfinishedSourceNodes();\n\n rejectPendingResolvers();\n\n ASSERT(m_listener);\n m_listener->waitForHRTFDatabaseLoaderThreadCompletion();\n\n clear();\n}\n", "cwe": "", "big_vul_idx": 139695, "idx": 124843, "hash": 271268341929546695057140591602040378720 }, { "func": "static int sctp_send_asconf_del_ip(struct sock\t\t*sk,\n\t\t\t\t struct sockaddr\t*addrs,\n\t\t\t\t int\t\t\taddrcnt)\n{\n\tstruct sctp_sock\t*sp;\n\tstruct sctp_endpoint\t*ep;\n\tstruct sctp_association\t*asoc;\n\tstruct sctp_transport\t*transport;\n\tstruct sctp_bind_addr\t*bp;\n\tstruct sctp_chunk\t*chunk;\n\tunion sctp_addr\t\t*laddr;\n\tvoid\t\t\t*addr_buf;\n\tstruct sctp_af\t\t*af;\n\tstruct sctp_sockaddr_entry *saddr;\n\tint \t\t\ti;\n\tint \t\t\tretval = 0;\n\tint\t\t\tstored = 0;\n\n\tchunk = NULL;\n\tsp = sctp_sk(sk);\n\tep = sp->ep;\n\n\tif (!ep->asconf_enable)\n\t\treturn retval;\n\n\tpr_debug(\"%s: sk:%p, addrs:%p, 
addrcnt:%d\\n\",\n\t\t __func__, sk, addrs, addrcnt);\n\n\tlist_for_each_entry(asoc, &ep->asocs, asocs) {\n\n\t\tif (!asoc->peer.asconf_capable)\n\t\t\tcontinue;\n\n\t\tif (asoc->peer.addip_disabled_mask & SCTP_PARAM_DEL_IP)\n\t\t\tcontinue;\n\n\t\tif (!sctp_state(asoc, ESTABLISHED))\n\t\t\tcontinue;\n\n\t\t/* Check if any address in the packed array of addresses is\n\t\t * not present in the bind address list of the association.\n\t\t * If so, do not send the asconf chunk to its peer, but\n\t\t * continue with other associations.\n\t\t */\n\t\taddr_buf = addrs;\n\t\tfor (i = 0; i < addrcnt; i++) {\n\t\t\tladdr = addr_buf;\n\t\t\taf = sctp_get_af_specific(laddr->v4.sin_family);\n\t\t\tif (!af) {\n\t\t\t\tretval = -EINVAL;\n\t\t\t\tgoto out;\n\t\t\t}\n\n\t\t\tif (!sctp_assoc_lookup_laddr(asoc, laddr))\n\t\t\t\tbreak;\n\n\t\t\taddr_buf += af->sockaddr_len;\n\t\t}\n\t\tif (i < addrcnt)\n\t\t\tcontinue;\n\n\t\t/* Find one address in the association's bind address list\n\t\t * that is not in the packed array of addresses. 
This is to\n\t\t * make sure that we do not delete all the addresses in the\n\t\t * association.\n\t\t */\n\t\tbp = &asoc->base.bind_addr;\n\t\tladdr = sctp_find_unmatch_addr(bp, (union sctp_addr *)addrs,\n\t\t\t\t\t addrcnt, sp);\n\t\tif ((laddr == NULL) && (addrcnt == 1)) {\n\t\t\tif (asoc->asconf_addr_del_pending)\n\t\t\t\tcontinue;\n\t\t\tasoc->asconf_addr_del_pending =\n\t\t\t kzalloc(sizeof(union sctp_addr), GFP_ATOMIC);\n\t\t\tif (asoc->asconf_addr_del_pending == NULL) {\n\t\t\t\tretval = -ENOMEM;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tasoc->asconf_addr_del_pending->sa.sa_family =\n\t\t\t\t addrs->sa_family;\n\t\t\tasoc->asconf_addr_del_pending->v4.sin_port =\n\t\t\t\t htons(bp->port);\n\t\t\tif (addrs->sa_family == AF_INET) {\n\t\t\t\tstruct sockaddr_in *sin;\n\n\t\t\t\tsin = (struct sockaddr_in *)addrs;\n\t\t\t\tasoc->asconf_addr_del_pending->v4.sin_addr.s_addr = sin->sin_addr.s_addr;\n\t\t\t} else if (addrs->sa_family == AF_INET6) {\n\t\t\t\tstruct sockaddr_in6 *sin6;\n\n\t\t\t\tsin6 = (struct sockaddr_in6 *)addrs;\n\t\t\t\tasoc->asconf_addr_del_pending->v6.sin6_addr = sin6->sin6_addr;\n\t\t\t}\n\n\t\t\tpr_debug(\"%s: keep the last address asoc:%p %pISc at %p\\n\",\n\t\t\t\t __func__, asoc, &asoc->asconf_addr_del_pending->sa,\n\t\t\t\t asoc->asconf_addr_del_pending);\n\n\t\t\tasoc->src_out_of_asoc_ok = 1;\n\t\t\tstored = 1;\n\t\t\tgoto skip_mkasconf;\n\t\t}\n\n\t\tif (laddr == NULL)\n\t\t\treturn -EINVAL;\n\n\t\t/* We do not need RCU protection throughout this loop\n\t\t * because this is done under a socket lock from the\n\t\t * setsockopt call.\n\t\t */\n\t\tchunk = sctp_make_asconf_update_ip(asoc, laddr, addrs, addrcnt,\n\t\t\t\t\t\t SCTP_PARAM_DEL_IP);\n\t\tif (!chunk) {\n\t\t\tretval = -ENOMEM;\n\t\t\tgoto out;\n\t\t}\n\nskip_mkasconf:\n\t\t/* Reset use_as_src flag for the addresses in the bind address\n\t\t * list that are to be deleted.\n\t\t */\n\t\taddr_buf = addrs;\n\t\tfor (i = 0; i < addrcnt; i++) {\n\t\t\tladdr = addr_buf;\n\t\t\taf = 
sctp_get_af_specific(laddr->v4.sin_family);\n\t\t\tlist_for_each_entry(saddr, &bp->address_list, list) {\n\t\t\t\tif (sctp_cmp_addr_exact(&saddr->a, laddr))\n\t\t\t\t\tsaddr->state = SCTP_ADDR_DEL;\n\t\t\t}\n\t\t\taddr_buf += af->sockaddr_len;\n\t\t}\n\n\t\t/* Update the route and saddr entries for all the transports\n\t\t * as some of the addresses in the bind address list are\n\t\t * about to be deleted and cannot be used as source addresses.\n\t\t */\n\t\tlist_for_each_entry(transport, &asoc->peer.transport_addr_list,\n\t\t\t\t\ttransports) {\n\t\t\tsctp_transport_route(transport, NULL,\n\t\t\t\t\t sctp_sk(asoc->base.sk));\n\t\t}\n\n\t\tif (stored)\n\t\t\t/* We don't need to transmit ASCONF */\n\t\t\tcontinue;\n\t\tretval = sctp_send_asconf(asoc, chunk);\n\t}\nout:\n\treturn retval;\n}", "project": "linux", "hash": 162760695835245950677763846547657430657, "size": 150, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398053 }, { "func": "static int count_esp_combs(const struct xfrm_tmpl *t)\n{\n\tint i, k, sz = 0;\n\n\tfor (i = 0; ; i++) {\n\t\tconst struct xfrm_algo_desc *ealg = xfrm_ealg_get_byidx(i);\n\t\tif (!ealg)\n\t\t\tbreak;\n\n\t\tif (!ealg->pfkey_supported)\n\t\t\tcontinue;\n\n\t\tif (!(ealg_tmpl_set(t, ealg)))\n\t\t\tcontinue;\n\n\t\tfor (k = 1; ; k++) {\n\t\t\tconst struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(k);\n\t\t\tif (!aalg)\n\t\t\t\tbreak;\n\n\t\t\tif (!aalg->pfkey_supported)\n\t\t\t\tcontinue;\n\n\t\t\tif (aalg_tmpl_set(t, aalg))\n\t\t\t\tsz += sizeof(struct sadb_comb);\n\t\t}\n\t}\n\treturn sz + sizeof(struct sadb_prop);\n}", "project": "linux", "hash": 291523021779374770553567005377166819910, "size": 29, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268037 }, { "func": "int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,\n\t\t struct file *file)\n{\n\tstruct inode *inode = d_inode(dentry);\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tstruct fuse_conn *fc = fm->fc;\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\tFUSE_ARGS(args);\n\tstruct fuse_setattr_in inarg;\n\tstruct fuse_attr_out outarg;\n\tbool is_truncate = false;\n\tbool is_wb = fc->writeback_cache;\n\tloff_t oldsize;\n\tint err;\n\tbool trust_local_cmtime = is_wb && S_ISREG(inode->i_mode);\n\tbool fault_blocked = false;\n\n\tif (!fc->default_permissions)\n\t\tattr->ia_valid |= ATTR_FORCE;\n\n\terr = setattr_prepare(dentry, attr);\n\tif (err)\n\t\treturn err;\n\n\tif (attr->ia_valid & ATTR_SIZE) {\n\t\tif (WARN_ON(!S_ISREG(inode->i_mode)))\n\t\t\treturn -EIO;\n\t\tis_truncate = true;\n\t}\n\n\tif (FUSE_IS_DAX(inode) && is_truncate) {\n\t\tdown_write(&fi->i_mmap_sem);\n\t\tfault_blocked = true;\n\t\terr = fuse_dax_break_layouts(inode, 0, 0);\n\t\tif (err) {\n\t\t\tup_write(&fi->i_mmap_sem);\n\t\t\treturn err;\n\t\t}\n\t}\n\n\tif (attr->ia_valid & ATTR_OPEN) {\n\t\t/* This is coming from open(..., ... | O_TRUNC); */\n\t\tWARN_ON(!(attr->ia_valid & ATTR_SIZE));\n\t\tWARN_ON(attr->ia_size != 0);\n\t\tif (fc->atomic_o_trunc) {\n\t\t\t/*\n\t\t\t * No need to send request to userspace, since actual\n\t\t\t * truncation has already been done by OPEN. 
But still\n\t\t\t * need to truncate page cache.\n\t\t\t */\n\t\t\ti_size_write(inode, 0);\n\t\t\ttruncate_pagecache(inode, 0);\n\t\t\tgoto out;\n\t\t}\n\t\tfile = NULL;\n\t}\n\n\t/* Flush dirty data/metadata before non-truncate SETATTR */\n\tif (is_wb && S_ISREG(inode->i_mode) &&\n\t attr->ia_valid &\n\t\t\t(ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_MTIME_SET |\n\t\t\t ATTR_TIMES_SET)) {\n\t\terr = write_inode_now(inode, true);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tfuse_set_nowrite(inode);\n\t\tfuse_release_nowrite(inode);\n\t}\n\n\tif (is_truncate) {\n\t\tfuse_set_nowrite(inode);\n\t\tset_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);\n\t\tif (trust_local_cmtime && attr->ia_size != inode->i_size)\n\t\t\tattr->ia_valid |= ATTR_MTIME | ATTR_CTIME;\n\t}\n\n\tmemset(&inarg, 0, sizeof(inarg));\n\tmemset(&outarg, 0, sizeof(outarg));\n\tiattr_to_fattr(fc, attr, &inarg, trust_local_cmtime);\n\tif (file) {\n\t\tstruct fuse_file *ff = file->private_data;\n\t\tinarg.valid |= FATTR_FH;\n\t\tinarg.fh = ff->fh;\n\t}\n\n\t/* Kill suid/sgid for non-directory chown unconditionally */\n\tif (fc->handle_killpriv_v2 && !S_ISDIR(inode->i_mode) &&\n\t attr->ia_valid & (ATTR_UID | ATTR_GID))\n\t\tinarg.valid |= FATTR_KILL_SUIDGID;\n\n\tif (attr->ia_valid & ATTR_SIZE) {\n\t\t/* For mandatory locking in truncate */\n\t\tinarg.valid |= FATTR_LOCKOWNER;\n\t\tinarg.lock_owner = fuse_lock_owner_id(fc, current->files);\n\n\t\t/* Kill suid/sgid for truncate only if no CAP_FSETID */\n\t\tif (fc->handle_killpriv_v2 && !capable(CAP_FSETID))\n\t\t\tinarg.valid |= FATTR_KILL_SUIDGID;\n\t}\n\tfuse_setattr_fill(fc, &args, inode, &inarg, &outarg);\n\terr = fuse_simple_request(fm, &args);\n\tif (err) {\n\t\tif (err == -EINTR)\n\t\t\tfuse_invalidate_attr(inode);\n\t\tgoto error;\n\t}\n\n\tif (fuse_invalid_attr(&outarg.attr) ||\n\t (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {\n\t\tfuse_make_bad(inode);\n\t\terr = -EIO;\n\t\tgoto error;\n\t}\n\n\tspin_lock(&fi->lock);\n\t/* the kernel maintains i_mtime locally 
*/\n\tif (trust_local_cmtime) {\n\t\tif (attr->ia_valid & ATTR_MTIME)\n\t\t\tinode->i_mtime = attr->ia_mtime;\n\t\tif (attr->ia_valid & ATTR_CTIME)\n\t\t\tinode->i_ctime = attr->ia_ctime;\n\t\t/* FIXME: clear I_DIRTY_SYNC? */\n\t}\n\n\tfuse_change_attributes_common(inode, &outarg.attr,\n\t\t\t\t attr_timeout(&outarg));\n\toldsize = inode->i_size;\n\t/* see the comment in fuse_change_attributes() */\n\tif (!is_wb || is_truncate || !S_ISREG(inode->i_mode))\n\t\ti_size_write(inode, outarg.attr.size);\n\n\tif (is_truncate) {\n\t\t/* NOTE: this may release/reacquire fi->lock */\n\t\t__fuse_release_nowrite(inode);\n\t}\n\tspin_unlock(&fi->lock);\n\n\t/*\n\t * Only call invalidate_inode_pages2() after removing\n\t * FUSE_NOWRITE, otherwise fuse_launder_page() would deadlock.\n\t */\n\tif ((is_truncate || !is_wb) &&\n\t S_ISREG(inode->i_mode) && oldsize != outarg.attr.size) {\n\t\ttruncate_pagecache(inode, outarg.attr.size);\n\t\tinvalidate_inode_pages2(inode->i_mapping);\n\t}\n\n\tclear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);\nout:\n\tif (fault_blocked)\n\t\tup_write(&fi->i_mmap_sem);\n\n\treturn 0;\n\nerror:\n\tif (is_truncate)\n\t\tfuse_release_nowrite(inode);\n\n\tclear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);\n\n\tif (fault_blocked)\n\t\tup_write(&fi->i_mmap_sem);\n\treturn err;\n}", "project": "linux", "hash": 127410323683804207443692467844866400424, "size": 165, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342051 }, { "func": "static int _nfs4_proc_lookupp(struct inode *inode,\n\t\tstruct nfs_fh *fhandle, struct nfs_fattr *fattr,\n\t\tstruct nfs4_label *label)\n{\n\tstruct rpc_clnt *clnt = NFS_CLIENT(inode);\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\tint\t\t status;\n\tstruct nfs4_lookupp_arg args = {\n\t\t.bitmask = server->attr_bitmask,\n\t\t.fh = NFS_FH(inode),\n\t};\n\tstruct nfs4_lookupp_res res = {\n\t\t.server = server,\n\t\t.fattr = fattr,\n\t\t.label = label,\n\t\t.fh = fhandle,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_LOOKUPP],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t};\n\n\targs.bitmask = nfs4_bitmask(server, label);\n\n\tnfs_fattr_init(fattr);\n\n\tdprintk(\"NFS call lookupp ino=0x%lx\\n\", inode->i_ino);\n\tstatus = nfs4_call_sync(clnt, server, &msg, &args.seq_args,\n\t\t\t\t&res.seq_res, 0);\n\tdprintk(\"NFS reply lookupp: %d\\n\", status);\n\treturn status;\n}", "project": "linux", "hash": 130167164816472719721060640328766649550, "size": 33, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c 
(\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431153 }, { "func": "void * headerUnload(Header h)\n{\n return headerExport(h, NULL);\n}", "project": "rpm", "hash": 20889473924266927087670404667576694129, "size": 4, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318192 }, { "func": "static void deletePortsStats(struct port_stats *stats) {\n struct port_stats *current_port, *tmp;\n\n HASH_ITER(hh, stats, current_port, tmp) {\n HASH_DEL(stats, current_port);\n freeIpTree(current_port->addr_tree);\n free(current_port);\n }\n}", "project": "nDPI", "hash": 228445259944305335932107476332732164584, "size": 9, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254806 }, { "func": "static int kvm_get_dirty_log_protect(struct kvm *kvm, struct kvm_dirty_log *log)\n{\n\tstruct kvm_memslots *slots;\n\tstruct kvm_memory_slot *memslot;\n\tint i, as_id, id;\n\tunsigned long n;\n\tunsigned long *dirty_bitmap;\n\tunsigned long *dirty_bitmap_buffer;\n\tbool flush;\n\n\tas_id = log->slot >> 16;\n\tid = (u16)log->slot;\n\tif (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_USER_MEM_SLOTS)\n\t\treturn -EINVAL;\n\n\tslots = __kvm_memslots(kvm, as_id);\n\tmemslot = id_to_memslot(slots, id);\n\tif (!memslot || !memslot->dirty_bitmap)\n\t\treturn -ENOENT;\n\n\tdirty_bitmap = memslot->dirty_bitmap;\n\n\tkvm_arch_sync_dirty_log(kvm, memslot);\n\n\tn = kvm_dirty_bitmap_bytes(memslot);\n\tflush = false;\n\tif (kvm->manual_dirty_log_protect) 
{\n\t\t/*\n\t\t * Unlike kvm_get_dirty_log, we always return false in *flush,\n\t\t * because no flush is needed until KVM_CLEAR_DIRTY_LOG. There\n\t\t * is some code duplication between this function and\n\t\t * kvm_get_dirty_log, but hopefully all architecture\n\t\t * transition to kvm_get_dirty_log_protect and kvm_get_dirty_log\n\t\t * can be eliminated.\n\t\t */\n\t\tdirty_bitmap_buffer = dirty_bitmap;\n\t} else {\n\t\tdirty_bitmap_buffer = kvm_second_dirty_bitmap(memslot);\n\t\tmemset(dirty_bitmap_buffer, 0, n);\n\n\t\tspin_lock(&kvm->mmu_lock);\n\t\tfor (i = 0; i < n / sizeof(long); i++) {\n\t\t\tunsigned long mask;\n\t\t\tgfn_t offset;\n\n\t\t\tif (!dirty_bitmap[i])\n\t\t\t\tcontinue;\n\n\t\t\tflush = true;\n\t\t\tmask = xchg(&dirty_bitmap[i], 0);\n\t\t\tdirty_bitmap_buffer[i] = mask;\n\n\t\t\toffset = i * BITS_PER_LONG;\n\t\t\tkvm_arch_mmu_enable_log_dirty_pt_masked(kvm, memslot,\n\t\t\t\t\t\t\t\toffset, mask);\n\t\t}\n\t\tspin_unlock(&kvm->mmu_lock);\n\t}\n\n\tif (flush)\n\t\tkvm_arch_flush_remote_tlbs_memslot(kvm, memslot);\n\n\tif (copy_to_user(log->dirty_bitmap, dirty_bitmap_buffer, n))\n\t\treturn -EFAULT;\n\treturn 0;\n}", "project": "linux", "hash": 178028653010984610563069372067588517865, "size": 66, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354528 }, { "func": "static int 
kvm_get_dirty_log_protect(struct kvm *kvm, struct kvm_dirty_log *log)\n{\n\tstruct kvm_memslots *slots;\n\tstruct kvm_memory_slot *memslot;\n\tint i, as_id, id;\n\tunsigned long n;\n\tunsigned long *dirty_bitmap;\n\tunsigned long *dirty_bitmap_buffer;\n\tbool flush;\n\n\t/* Dirty ring tracking is exclusive to dirty log tracking */\n\tif (kvm->dirty_ring_size)\n\t\treturn -ENXIO;\n\n\tas_id = log->slot >> 16;\n\tid = (u16)log->slot;\n\tif (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_USER_MEM_SLOTS)\n\t\treturn -EINVAL;\n\n\tslots = __kvm_memslots(kvm, as_id);\n\tmemslot = id_to_memslot(slots, id);\n\tif (!memslot || !memslot->dirty_bitmap)\n\t\treturn -ENOENT;\n\n\tdirty_bitmap = memslot->dirty_bitmap;\n\n\tkvm_arch_sync_dirty_log(kvm, memslot);\n\n\tn = kvm_dirty_bitmap_bytes(memslot);\n\tflush = false;\n\tif (kvm->manual_dirty_log_protect) {\n\t\t/*\n\t\t * Unlike kvm_get_dirty_log, we always return false in *flush,\n\t\t * because no flush is needed until KVM_CLEAR_DIRTY_LOG. There\n\t\t * is some code duplication between this function and\n\t\t * kvm_get_dirty_log, but hopefully all architecture\n\t\t * transition to kvm_get_dirty_log_protect and kvm_get_dirty_log\n\t\t * can be eliminated.\n\t\t */\n\t\tdirty_bitmap_buffer = dirty_bitmap;\n\t} else {\n\t\tdirty_bitmap_buffer = kvm_second_dirty_bitmap(memslot);\n\t\tmemset(dirty_bitmap_buffer, 0, n);\n\n\t\tKVM_MMU_LOCK(kvm);\n\t\tfor (i = 0; i < n / sizeof(long); i++) {\n\t\t\tunsigned long mask;\n\t\t\tgfn_t offset;\n\n\t\t\tif (!dirty_bitmap[i])\n\t\t\t\tcontinue;\n\n\t\t\tflush = true;\n\t\t\tmask = xchg(&dirty_bitmap[i], 0);\n\t\t\tdirty_bitmap_buffer[i] = mask;\n\n\t\t\toffset = i * BITS_PER_LONG;\n\t\t\tkvm_arch_mmu_enable_log_dirty_pt_masked(kvm, memslot,\n\t\t\t\t\t\t\t\toffset, mask);\n\t\t}\n\t\tKVM_MMU_UNLOCK(kvm);\n\t}\n\n\tif (flush)\n\t\tkvm_arch_flush_remote_tlbs_memslot(kvm, memslot);\n\n\tif (copy_to_user(log->dirty_bitmap, dirty_bitmap_buffer, n))\n\t\treturn -EFAULT;\n\treturn 0;\n}", 
"project": "linux", "hash": 235011337988802138985781245396919352861, "size": 70, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404103 }, { "func": " Item* element_index(uint i)\n { return result_type() == ROW_RESULT ? orig_item->element_index(i) : this; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 53242175942955069635666241069768541593, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. 
This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509053 }, { "func": "static OPJ_BOOL opj_j2k_get_sot_values(OPJ_BYTE * p_header_data,\n OPJ_UINT32 p_header_size,\n OPJ_UINT32* p_tile_no,\n OPJ_UINT32* p_tot_len,\n OPJ_UINT32* p_current_part,\n OPJ_UINT32* p_num_parts,\n opj_event_mgr_t * p_manager)\n{\n /* preconditions */\n assert(p_header_data != 00);\n assert(p_manager != 00);\n\n /* Size of this marker is fixed = 12 (we have already read marker and its size)*/\n if (p_header_size != 8) {\n opj_event_msg(p_manager, EVT_ERROR, \"Error reading SOT marker\\n\");\n return OPJ_FALSE;\n }\n\n opj_read_bytes(p_header_data, p_tile_no, 2); /* Isot */\n p_header_data += 2;\n opj_read_bytes(p_header_data, p_tot_len, 4); /* Psot */\n p_header_data += 4;\n opj_read_bytes(p_header_data, p_current_part, 1); /* TPsot */\n ++p_header_data;\n opj_read_bytes(p_header_data, p_num_parts, 1); /* TNsot */\n ++p_header_data;\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 291813121225244682704519615746928653099, "size": 28, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357314 }, { "func": "bool checkreturn pb_skip_varint(pb_istream_t *stream)\n{\n uint8_t byte;\n do\n {\n if (!pb_read(stream, &byte, 1))\n return false;\n } while (byte & 0x80);\n return true;\n}", "project": "nanopb", "hash": 89952592128958310229457478061360346284, "size": 10, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255316 }, { "func": "static void nfs_clear_open_stateid(struct nfs4_state *state,\n\tnfs4_stateid 
*arg_stateid,\n\tnfs4_stateid *stateid, fmode_t fmode)\n{\n\twrite_seqlock(&state->seqlock);\n\t/* Ignore, if the CLOSE argment doesn't match the current stateid */\n\tif (nfs4_state_match_open_stateid_other(state, arg_stateid))\n\t\tnfs_clear_open_stateid_locked(state, stateid, fmode);\n\twrite_sequnlock(&state->seqlock);\n\tif (test_bit(NFS_STATE_RECLAIM_NOGRACE, &state->flags))\n\t\tnfs4_schedule_state_manager(state->owner->so_server->nfs_client);\n}", "project": "linux", "hash": 219032893567505923811359946945187692583, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431485 }, { "func": "SYSCALL_DEFINE2(mkdir, const char __user *, pathname, umode_t, mode)\n{\n\treturn do_mkdirat(AT_FDCWD, pathname, mode);\n}", "project": "linux", "hash": 266576935000064129633916474918207701301, "size": 4, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295324 }, { "func": "SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode)\n{\n\treturn do_mkdirat(dfd, pathname, mode);\n}", "project": "linux", "hash": 272889456814233848165305873085835624029, "size": 4, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too 
late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295410 }, { "func": "long do_mkdirat(int dfd, const char __user *pathname, umode_t mode)\n{\n\tstruct dentry *dentry;\n\tstruct path path;\n\tint error;\n\tunsigned int lookup_flags = LOOKUP_DIRECTORY;\n\nretry:\n\tdentry = user_path_create(dfd, pathname, &path, lookup_flags);\n\tif (IS_ERR(dentry))\n\t\treturn PTR_ERR(dentry);\n\n\tif (!IS_POSIXACL(path.dentry->d_inode))\n\t\tmode &= ~current_umask();\n\terror = security_path_mkdir(&path, dentry, mode);\n\tif (!error)\n\t\terror = vfs_mkdir(path.dentry->d_inode, dentry, mode);\n\tdone_path_create(&path, dentry);\n\tif (retry_estale(error, lookup_flags)) {\n\t\tlookup_flags |= LOOKUP_REVAL;\n\t\tgoto retry;\n\t}\n\treturn error;\n}", "project": "linux", "hash": 322459053089432077456685643358798666393, "size": 24, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295425 }, { "func": "static int sctp_setsockopt_reconfig_supported(struct sock *sk,\n\t\t\t\t\t struct sctp_assoc_value *params,\n\t\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_association *asoc;\n\tint retval = -EINVAL;\n\n\tif (optlen != sizeof(*params))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params->assoc_id);\n\tif (!asoc && params->assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\tgoto out;\n\n\tsctp_sk(sk)->ep->reconf_enable = !!params->assoc_value;\n\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 
80782305163870857860998008025587276088, "size": 22, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398211 }, { "func": "int RGWHandler_REST_SWIFT::validate_bucket_name(const string& bucket)\n{\n const size_t len = bucket.size();\n\n if (len > MAX_BUCKET_NAME_LEN) {\n /* Bucket Name too long. Generate custom error message and bind it\n * to an R-value reference. 
*/\n const auto msg = boost::str(\n boost::format(\"Container name length of %lld longer than %lld\")\n % len % int(MAX_BUCKET_NAME_LEN));\n set_req_state_err(s, ERR_INVALID_BUCKET_NAME, msg);\n return -ERR_INVALID_BUCKET_NAME;\n }\n\n const auto ret = RGWHandler_REST::validate_bucket_name(bucket);\n if (ret < 0) {\n return ret;\n }\n\n if (len == 0)\n return 0;\n\n if (bucket[0] == '.')\n return -ERR_INVALID_BUCKET_NAME;\n\n if (check_utf8(bucket.c_str(), len))\n return -ERR_INVALID_UTF8;\n\n const char *s = bucket.c_str();\n\n for (size_t i = 0; i < len; ++i, ++s) {\n if (*(unsigned char *)s == 0xff)\n return -ERR_INVALID_BUCKET_NAME;\n if (*(unsigned char *)s == '/')\n return -ERR_INVALID_BUCKET_NAME;\n }\n\n return 0;\n}", "project": "ceph", "hash": 84294069258641450216967837012203393522, "size": 39, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448870 }, { "func": "static int kvm_clock_sync(struct notifier_block *notifier, unsigned long val,\n\t\t\t void *v)\n{\n\tstruct kvm *kvm;\n\tstruct kvm_vcpu *vcpu;\n\tint i;\n\tunsigned long long *delta = v;\n\n\tlist_for_each_entry(kvm, &vm_list, vm_list) {\n\t\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\t\tkvm_clock_sync_scb(vcpu->arch.sie_block, *delta);\n\t\t\tif (i == 0) {\n\t\t\t\tkvm->arch.epoch = vcpu->arch.sie_block->epoch;\n\t\t\t\tkvm->arch.epdx = vcpu->arch.sie_block->epdx;\n\t\t\t}\n\t\t\tif (vcpu->arch.cputm_enabled)\n\t\t\t\tvcpu->arch.cputm_start += *delta;\n\t\t\tif (vcpu->arch.vsie_block)\n\t\t\t\tkvm_clock_sync_scb(vcpu->arch.vsie_block,\n\t\t\t\t\t\t *delta);\n\t\t}\n\t}\n\treturn NOTIFY_OK;\n}", "project": "linux", "hash": 
123303332989745420939895939742800506733, "size": 24, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354803 }, { "func": "static void encode_sequence(struct xdr_stream *xdr,\n\t\t\t const struct nfs4_sequence_args *args,\n\t\t\t struct compound_hdr *hdr)\n{\n#if defined(CONFIG_NFS_V4_1)\n\tstruct nfs4_session *session;\n\tstruct nfs4_slot_table *tp;\n\tstruct nfs4_slot *slot = args->sa_slot;\n\t__be32 *p;\n\n\ttp = slot->table;\n\tsession = tp->session;\n\tif (!session)\n\t\treturn;\n\n\tencode_op_hdr(xdr, OP_SEQUENCE, decode_sequence_maxsz, hdr);\n\n\t/*\n\t * Sessionid + seqid + slotid + max slotid + cache_this\n\t */\n\tdprintk(\"%s: sessionid=%u:%u:%u:%u seqid=%d slotid=%d \"\n\t\t\"max_slotid=%d cache_this=%d\\n\",\n\t\t__func__,\n\t\t((u32 *)session->sess_id.data)[0],\n\t\t((u32 *)session->sess_id.data)[1],\n\t\t((u32 *)session->sess_id.data)[2],\n\t\t((u32 *)session->sess_id.data)[3],\n\t\tslot->seq_nr, slot->slot_nr,\n\t\ttp->highest_used_slotid, args->sa_cache_this);\n\tp = reserve_space(xdr, NFS4_MAX_SESSIONID_LEN + 16);\n\tp = xdr_encode_opaque_fixed(p, session->sess_id.data, NFS4_MAX_SESSIONID_LEN);\n\t*p++ = cpu_to_be32(slot->seq_nr);\n\t*p++ = cpu_to_be32(slot->slot_nr);\n\t*p++ = cpu_to_be32(tp->highest_used_slotid);\n\t*p = cpu_to_be32(args->sa_cache_this);\n#endif /* 
CONFIG_NFS_V4_1 */\n}", "project": "linux", "hash": 99477101649928454125598047709076180107, "size": 37, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431601 }, { "func": "extern \"C\" bool enc_is_syscall_dispatcher_set() {\n return global_syscall_callback != nullptr;\n}", "project": "asylo", "hash": 40652320356517970613174531630060859252, "size": 3, "commit_id": "90d7619e9dd99bcdb6cd28c7649d741d254d9a1a", "message": "Add sysno check in MessageReader\n\nThe sysno in MessageReader is interpreted from the Message header passed\nfrom the host. A malicious Message header may provide a modified sysno\nto bypass the validation, and overwrites enclave memory. 
This change\nadds a check for sysno to make sure it matches the expected value.\n\nThis issue was reported by Qinkun Bao, Zhaofeng Chen, Mingshen Sun, and\nKang Li from Baidu Security.\n\nPiperOrigin-RevId: 377328054\nChange-Id: I3ff6f60694d3390f66da89d139cf7cc7b49abaea", "target": 0, "dataset": "other", "idx": 248774 }, { "func": "static int ebb_event_check(struct perf_event *event) { return 0; }", "project": "linux", "hash": 182200211524533865439733358063656016783, "size": 1, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374686 }, { "func": "static int ebb_event_check(struct perf_event *event)\n{\n\tstruct perf_event *leader = event->group_leader;\n\n\t/* Event and group leader must agree on EBB */\n\tif (is_ebb_event(leader) != is_ebb_event(event))\n\t\treturn -EINVAL;\n\n\tif (is_ebb_event(event)) {\n\t\tif (!(event->attach_state & PERF_ATTACH_TASK))\n\t\t\treturn -EINVAL;\n\n\t\tif (!leader->attr.pinned || !leader->attr.exclusive)\n\t\t\treturn -EINVAL;\n\n\t\tif (event->attr.freq ||\n\t\t event->attr.inherit ||\n\t\t event->attr.sample_type ||\n\t\t event->attr.sample_period ||\n\t\t event->attr.enable_on_exec)\n\t\t\treturn -EINVAL;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 309837845454261082558499514294245606091, "size": 25, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n 
__perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374711 }, { "func": "static bool checkreturn buf_read(pb_istream_t *stream, uint8_t *buf, size_t count)\n{\n uint8_t *source = (uint8_t*)stream->state;\n stream->state = source + count;\n \n if (buf != NULL)\n {\n while (count--)\n *buf++ = *source++;\n }\n \n return true;\n}", "project": "nanopb", "hash": 146751680354705427967953778468815311157, "size": 13, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255332 }, { "func": "static int session_included(request_rec * r, session_dir_conf * conf)\n{\n\n const char **includes = (const char **) conf->includes->elts;\n const char **excludes = (const char **) conf->excludes->elts;\n int included = 1; /* defaults to included */\n int i;\n\n if (conf->includes->nelts) {\n included = 0;\n for (i = 0; !included && i < conf->includes->nelts; i++) {\n const char *include = includes[i];\n if (strncmp(r->uri, include, strlen(include)) == 0) {\n included = 1;\n }\n }\n }\n\n if (conf->excludes->nelts) {\n for (i = 0; included && i < 
conf->excludes->nelts; i++) {\n const char *exclude = excludes[i];\n if (strncmp(r->uri, exclude, strlen(exclude)) == 0) {\n included = 0;\n }\n }\n }\n\n return included;\n}", "project": "httpd", "hash": 36995064402257701222229107761603379732, "size": 29, "commit_id": "7e09dd714fc62c08c5b0319ed7b9702594faf49b", "message": "mod_session: account for the '&' in identity_concat().\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 389224 }, { "func": "static int mnt_optstr_parse_next(char **optstr,\t char **name, size_t *namesz,\n\t\t\t\t\tchar **value, size_t *valsz)\n{\n\tint open_quote = 0;\n\tchar *start = NULL, *stop = NULL, *p, *sep = NULL;\n\tchar *optstr0;\n\n\tassert(optstr);\n\tassert(*optstr);\n\n\toptstr0 = *optstr;\n\n\tif (name)\n\t\t*name = NULL;\n\tif (namesz)\n\t\t*namesz = 0;\n\tif (value)\n\t\t*value = NULL;\n\tif (valsz)\n\t\t*valsz = 0;\n\n\t/* trim leading commas as to not invalidate option\n\t * strings with multiple consecutive commas */\n\twhile (optstr0 && *optstr0 == ',')\n\t\toptstr0++;\n\n\tfor (p = optstr0; p && *p; p++) {\n\t\tif (!start)\n\t\t\tstart = p;\t\t/* beginning of the option item */\n\t\tif (*p == '\"')\n\t\t\topen_quote ^= 1;\t/* reverse the status */\n\t\tif (open_quote)\n\t\t\tcontinue;\t\t/* still in quoted block */\n\t\tif (!sep && p > start && *p == '=')\n\t\t\tsep = p;\t\t/* name and value separator */\n\t\tif (*p == ',')\n\t\t\tstop = p;\t\t/* terminate the option item */\n\t\telse if (*(p + 1) == '\\0')\n\t\t\tstop = p + 1;\t\t/* end of optstr */\n\t\tif (!start || !stop)\n\t\t\tcontinue;\n\t\tif (stop <= start)\n\t\t\tgoto error;\n\n\t\tif (name)\n\t\t\t*name = start;\n\t\tif (namesz)\n\t\t\t*namesz = sep ? sep - start : stop - start;\n\t\t*optstr = *stop ? 
stop + 1 : stop;\n\n\t\tif (sep) {\n\t\t\tif (value)\n\t\t\t\t*value = sep + 1;\n\t\t\tif (valsz)\n\t\t\t\t*valsz = stop - sep - 1;\n\t\t}\n\t\treturn 0;\n\t}\n\n\treturn 1;\t\t\t\t/* end of optstr */\n\nerror:\n\tDBG(OPTIONS, ul_debug(\"parse error: \\\"%s\\\"\", optstr0));\n\treturn -EINVAL;\n}", "project": "util-linux", "hash": 336447126756884764376602832640236223741, "size": 65, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410417 }, { "func": "int lj_debug_getinfo(lua_State *L, const char *what, lj_Debug *ar, int ext)\n{\n int opt_f = 0, opt_L = 0;\n TValue *frame = NULL;\n TValue *nextframe = NULL;\n GCfunc *fn;\n if (*what == '>') {\n TValue *func = L->top - 1;\n if (!tvisfunc(func)) return 0;\n fn = funcV(func);\n L->top--;\n what++;\n } else {\n uint32_t offset = (uint32_t)ar->i_ci & 0xffff;\n uint32_t size = (uint32_t)ar->i_ci >> 16;\n lua_assert(offset != 0);\n frame = tvref(L->stack) + offset;\n if (size) nextframe = frame + size;\n lua_assert(frame <= tvref(L->maxstack) &&\n\t (!nextframe || nextframe <= tvref(L->maxstack)));\n fn = frame_func(frame);\n lua_assert(fn->c.gct == ~LJ_TFUNC);\n }\n for (; *what; what++) {\n if (*what == 'S') {\n if (isluafunc(fn)) {\n\tGCproto *pt = funcproto(fn);\n\tBCLine firstline = pt->firstline;\n\tGCstr *name = proto_chunkname(pt);\n\tar->source = strdata(name);\n\tlj_debug_shortname(ar->short_src, name);\n\tar->linedefined = (int)firstline;\n\tar->lastlinedefined = (int)(firstline + pt->numline);\n\tar->what = (firstline || !pt->numline) ? 
\"Lua\" : \"main\";\n } else {\n\tar->source = \"=[C]\";\n\tar->short_src[0] = '[';\n\tar->short_src[1] = 'C';\n\tar->short_src[2] = ']';\n\tar->short_src[3] = '\\0';\n\tar->linedefined = -1;\n\tar->lastlinedefined = -1;\n\tar->what = \"C\";\n }\n } else if (*what == 'l') {\n ar->currentline = frame ? debug_frameline(L, fn, nextframe) : -1;\n } else if (*what == 'u') {\n ar->nups = fn->c.nupvalues;\n if (ext) {\n\tif (isluafunc(fn)) {\n\t GCproto *pt = funcproto(fn);\n\t ar->nparams = pt->numparams;\n\t ar->isvararg = !!(pt->flags & PROTO_VARARG);\n\t} else {\n\t ar->nparams = 0;\n\t ar->isvararg = 1;\n\t}\n }\n } else if (*what == 'n') {\n ar->namewhat = frame ? lj_debug_funcname(L, frame, &ar->name) : NULL;\n if (ar->namewhat == NULL) {\n\tar->namewhat = \"\";\n\tar->name = NULL;\n }\n } else if (*what == 'f') {\n opt_f = 1;\n } else if (*what == 'L') {\n opt_L = 1;\n } else {\n return 0; /* Bad option. */\n }\n }\n if (opt_f) {\n setfuncV(L, L->top, fn);\n incr_top(L);\n }\n if (opt_L) {\n if (isluafunc(fn)) {\n GCtab *t = lj_tab_new(L, 0, 0);\n GCproto *pt = funcproto(fn);\n const void *lineinfo = proto_lineinfo(pt);\n if (lineinfo) {\n\tBCLine first = pt->firstline;\n\tint sz = pt->numline < 256 ? 1 : pt->numline < 65536 ? 2 : 4;\n\tMSize i, szl = pt->sizebc-1;\n\tfor (i = 0; i < szl; i++) {\n\t BCLine line = first +\n\t (sz == 1 ? (BCLine)((const uint8_t *)lineinfo)[i] :\n\t sz == 2 ? (BCLine)((const uint16_t *)lineinfo)[i] :\n\t (BCLine)((const uint32_t *)lineinfo)[i]);\n\t setboolV(lj_tab_setint(L, t, line), 1);\n\t}\n }\n settabV(L, L->top, t);\n } else {\n setnilV(L->top);\n }\n incr_top(L);\n }\n return 1; /* Ok. 
*/\n}", "project": "LuaJIT", "hash": 176881090139235664865504075508536219160, "size": 101, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394633 }, { "func": "static ut64 num_callback(RNum *userptr, const char *str, int *ok) {\n\tRCore *core = (RCore *)userptr; // XXX ?\n\tRAnalFunction *fcn;\n\tchar *ptr, *bptr, *out = NULL;\n\tRFlagItem *flag;\n\tRBinSection *s;\n\tRAnalOp op;\n\tut64 ret = 0;\n\n\tif (ok) {\n\t\t*ok = false;\n\t}\n\tswitch (*str) {\n\tcase '.':\n\t\tif (str[1] == '.') {\n\t\t\tif (ok) {\n\t\t\t\t*ok = true;\n\t\t\t}\n\t\t\treturn r_num_tail (core->num, core->offset, str + 2);\n\t\t}\n\t\tif (core->num->nc.curr_tok == '+') {\n\t\t\tut64 off = core->num->nc.number_value.n;\n\t\t\tif (!off) {\n\t\t\t\toff = core->offset;\n\t\t\t}\n\t\t\tRAnalFunction *fcn = r_anal_get_function_at (core->anal, off);\n\t\t\tif (fcn) {\n\t\t\t\tif (ok) {\n\t\t\t\t\t*ok = true;\n\t\t\t\t}\n\t\t\t\tut64 dst = r_anal_fcn_label_get (core->anal, fcn, str + 1);\n\t\t\t\tif (dst == UT64_MAX) {\n\t\t\t\t\tdst = fcn->addr;\n\t\t\t\t}\n\t\t\t\tst64 delta = dst - off;\n\t\t\t\tif (delta < 0) {\n\t\t\t\t\tcore->num->nc.curr_tok = '-';\n\t\t\t\t\tdelta = off - dst;\n\t\t\t\t}\n\t\t\t\treturn delta;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\tcase '[':\n{\n\t\tut64 n = 0LL;\n\t\tint refsz = core->assembler->bits / 8;\n\t\tconst char *p = NULL;\n\t\tif (strlen (str) > 5) {\n\t\t\tp = strchr (str + 5, ':');\n\t\t}\n\t\tif (p) {\n\t\t\trefsz = atoi (str + 1);\n\t\t\tstr = p;\n\t\t}\n\t\t// push state\n\t\tif (str[0] && str[1]) {\n\t\t\tconst char *q;\n\t\t\tchar *o = strdup (str + 1);\n\t\t\tif (o) {\n\t\t\t\tq = r_num_calc_index (core->num, NULL);\n\t\t\t\tif (q) {\n\t\t\t\t\tif (r_str_replace_char (o, ']', 0)>0) {\n\t\t\t\t\t\tn = r_num_math (core->num, o);\n\t\t\t\t\t\tif (core->num->nc.errors) {\n\t\t\t\t\t\t\treturn 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tr_num_calc_index (core->num, 
q);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tfree (o);\n\t\t\t}\n\t\t} else {\n\t\t\treturn 0;\n\t\t}\n\t\t// pop state\n\t\tif (ok) {\n\t\t\t*ok = 1;\n\t\t}\n\t\tut8 buf[sizeof (ut64)] = R_EMPTY;\n\t\t(void)r_io_read_at (core->io, n, buf, R_MIN (sizeof (buf), refsz));\n\t\tswitch (refsz) {\n\t\tcase 8:\n\t\t\treturn r_read_ble64 (buf, core->print->big_endian);\n\t\tcase 4:\n\t\t\treturn r_read_ble32 (buf, core->print->big_endian);\n\t\tcase 2:\n\t\t\treturn r_read_ble16 (buf, core->print->big_endian);\n\t\tcase 1:\n\t\t\treturn r_read_ble8 (buf);\n\t\tdefault:\n\t\t\teprintf (\"Invalid reference size: %d (%s)\\n\", refsz, str);\n\t\t\treturn 0LL;\n\t\t}\n}\n\t\tbreak;\n\tcase '$':\n\t\tif (ok) {\n\t\t\t*ok = 1;\n\t\t}\n\t\t// TODO: group analop-dependant vars after a char, so i can filter\n\t\tr_anal_op (core->anal, &op, core->offset, core->block, core->blocksize, R_ANAL_OP_MASK_BASIC);\n\t\tr_anal_op_fini (&op); // we don't need strings or pointers, just values, which are not nullified in fini\n\t\tswitch (str[1]) {\n\t\tcase '.': // can use pc, sp, a0, a1, ...\n\t\t\treturn r_debug_reg_get (core->dbg, str + 2);\n\t\tcase 'k': // $k{kv}\n\t\t\tif (str[2] != '{') {\n\t\t\t\teprintf (\"Expected '{' after 'k'.\\n\");\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tbptr = strdup (str + 3);\n\t\t\tptr = strchr (bptr, '}');\n\t\t\tif (!ptr) {\n\t\t\t\t// invalid json\n\t\t\t\tfree (bptr);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\t*ptr = '\\0';\n\t\t\tret = 0LL;\n\t\t\tout = sdb_querys (core->sdb, NULL, 0, bptr);\n\t\t\tif (out && *out) {\n\t\t\t\tif (strstr (out, \"$k{\")) {\n\t\t\t\t\teprintf (\"Recursivity is not permitted here\\n\");\n\t\t\t\t} else {\n\t\t\t\t\tret = r_num_math (core->num, out);\n\t\t\t\t}\n\t\t\t}\n\t\t\tfree (bptr);\n\t\t\tfree (out);\n\t\t\treturn ret;\n\t\t\tbreak;\n\t\tcase '{': // ${ev} eval var\n\t\t\tbptr = strdup (str + 2);\n\t\t\tptr = strchr (bptr, '}');\n\t\t\tif (ptr) {\n\t\t\t\tptr[0] = '\\0';\n\t\t\t\tut64 ret = r_config_get_i (core->config, bptr);\n\t\t\t\tfree 
(bptr);\n\t\t\t\treturn ret;\n\t\t\t}\n\t\t\t// take flag here\n\t\t\tfree (bptr);\n\t\t\tbreak;\n\t\tcase 'c': // $c console width\n\t\t\treturn r_cons_get_size (NULL);\n\t\tcase 'r': // $r\n\t\t\tif (str[2] == '{') {\n\t\t\t\tbptr = strdup (str + 3);\n\t\t\t\tptr = strchr (bptr, '}');\n\t\t\t\tif (!ptr) {\n\t\t\t\t\tfree (bptr);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\t*ptr = 0;\n\t\t\t\tif (r_config_get_i (core->config, \"cfg.debug\")) {\n\t\t\t\t\tif (r_debug_reg_sync (core->dbg, R_REG_TYPE_GPR, false)) {\n\t\t\t\t\t\tRRegItem *r = r_reg_get (core->dbg->reg, bptr, -1);\n\t\t\t\t\t\tif (r) {\n\t\t\t\t\t\t\tfree (bptr);\n\t\t\t\t\t\t\treturn r_reg_get_value (core->dbg->reg, r);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tRRegItem *r = r_reg_get (core->anal->reg, bptr, -1);\n\t\t\t\t\tif (r) {\n\t\t\t\t\t\tfree (bptr);\n\t\t\t\t\t\treturn r_reg_get_value (core->anal->reg, r);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tfree (bptr);\n\t\t\t\treturn 0; // UT64_MAX;\n\t\t\t} else {\n\t\t\t\tint rows;\n\t\t\t\t(void)r_cons_get_size (&rows);\n\t\t\t\treturn rows;\n\t\t\t}\n\t\t\tbreak;\n\t\tcase 'e': // $e\n\t\t\tif (str[2] == '{') { // $e{flag} flag off + size\n\t\t\t\tchar *flagName = strdup (str + 3);\n\t\t\t\tint flagLength = strlen (flagName);\n\t\t\t\tif (flagLength > 0) {\n\t\t\t\t\tflagName[flagLength - 1] = 0;\n\t\t\t\t}\n\t\t\t\tRFlagItem *flag = r_flag_get (core->flags, flagName);\n\t\t\t\tfree (flagName);\n\t\t\t\tif (flag) {\n\t\t\t\t\treturn flag->offset + flag->size;\n\t\t\t\t}\n\t\t\t\treturn UT64_MAX;\n\t\t\t}\n\t\t\treturn r_anal_op_is_eob (&op);\n\t\tcase 'j': // $j jump address\n\t\t\treturn op.jump;\n\t\tcase 'p': // $p\n\t\t\treturn r_sys_getpid ();\n\t\tcase 'P': // $P\n\t\t\treturn core->dbg->pid > 0 ? 
core->dbg->pid : 0;\n\t\tcase 'f': // $f jump fail address\n\t\t\tif (str[2] == 'l') { // $fl flag length\n\t\t\t\tRFlagItem *fi = r_flag_get_i (core->flags, core->offset);\n\t\t\t\tif (fi) {\n\t\t\t\t\treturn fi->size;\n\t\t\t\t}\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\treturn op.fail;\n\t\tcase 'm': // $m memref\n\t\t\treturn op.ptr;\n\t\tcase 'B': // $B base address\n\t\tcase 'M': { // $M map address\n\t\t\t\tut64 lower = UT64_MAX;\n\t\t\t\tut64 size = 0LL;\n\t\t\t\tRIOMap *map = r_io_map_get (core->io, core->offset);\n\t\t\t\tif (map) {\n\t\t\t\t\tlower = r_itv_begin (map->itv);\n\t\t\t\t\tsize = r_itv_size (map->itv);\n\t\t\t\t}\n\n\t\t\t\tif (str[1] == 'B') {\n\t\t\t\t\t/* clear lower bits of the lowest map address to define the base address */\n\t\t\t\t\tconst int clear_bits = 16;\n\t\t\t\t\tlower >>= clear_bits;\n\t\t\t\t\tlower <<= clear_bits;\n\t\t\t\t}\n\t\t\t\tif (str[2] == 'M') {\n\t\t\t\t\treturn size;\n\t\t\t\t}\n\t\t\t\treturn (lower == UT64_MAX)? 0LL: lower;\n\t\t\t}\n\t\t\tbreak;\n\t\tcase 'v': // $v immediate value\n\t\t\treturn op.val;\n\t\tcase 'l': // $l opcode length\n\t\t\treturn op.size;\n\t\tcase 'b': // $b\n\t\t\treturn core->blocksize;\n\t\tcase 's': // $s file size\n\t\t\tif (str[2] == '{') { // $s{flag} flag size\n\t\t\t\tbptr = strdup (str + 3);\n\t\t\t\tptr = strchr (bptr, '}');\n\t\t\t\tif (!ptr) {\n\t\t\t\t\t// invalid json\n\t\t\t\t\tfree (bptr);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\t*ptr = '\\0';\n\t\t\t\tRFlagItem *flag = r_flag_get (core->flags, bptr);\n\t\t\t\tret = flag? 
flag->size: 0LL; // flag\n\t\t\t\tfree (bptr);\n\t\t\t\tfree (out);\n\t\t\t\treturn ret;\n\t\t\t} else if (core->file) {\n\t\t\t\treturn r_io_fd_size (core->io, core->file->fd);\n\t\t\t}\n\t\t\treturn 0LL;\n\t\tcase 'w': // $w word size\n\t\t\treturn r_config_get_i (core->config, \"asm.bits\") / 8;\n\t\tcase 'S': // $S section offset\n\t\t\t{\n\t\t\t\tRBinObject *bo = r_bin_cur_object (core->bin);\n\t\t\t\tif (bo && (s = r_bin_get_section_at (bo, core->offset, true))) {\n\t\t\t\t\treturn (str[2] == 'S'? s->size: s->vaddr);\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn 0LL;\n\t\tcase 'D': // $D\n\t\t\tif (str[2] == 'B') { // $DD\n\t\t\t\treturn r_debug_get_baddr (core->dbg, NULL);\n\t\t\t} else if (IS_DIGIT (str[2])) {\n\t\t\t\treturn getref (core, atoi (str + 2), 'r', R_ANAL_REF_TYPE_DATA);\n\t\t\t} else {\n\t\t\t\tRDebugMap *map;\n\t\t\t\tRListIter *iter;\n\t\t\t\tr_list_foreach (core->dbg->maps, iter, map) {\n\t\t\t\t\tif (core->offset >= map->addr && core->offset < map->addr_end) {\n\t\t\t\t\t\treturn (str[2] == 'D')? map->size: map->addr;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn 0LL; // maybe // return UT64_MAX;\n\t\tcase '?': // $?\n\t\t\treturn core->num->value; // rc;\n\t\tcase '$': // $$ offset\n\t\t\treturn str[2] == '$' ? core->prompt_offset : core->offset;\n\t\tcase 'o': { // $o\n\t\t\tRBinSection *s = r_bin_get_section_at (r_bin_cur_object (core->bin), core->offset, true);\n\t\t\treturn s ? 
core->offset - s->vaddr + s->paddr : core->offset;\n\t\t\tbreak;\n\t\t}\n\t\tcase 'O': // $O\n\t\t\t if (core->print->cur_enabled) {\n\t\t\t\t return core->offset + core->print->cur;\n\t\t\t }\n\t\t\t return core->offset;\n\t\tcase 'C': // $C nth call\n\t\t\treturn getref (core, atoi (str + 2), 'r', R_ANAL_REF_TYPE_CALL);\n\t\tcase 'J': // $J nth jump\n\t\t\treturn getref (core, atoi (str + 2), 'r', R_ANAL_REF_TYPE_CODE);\n\t\tcase 'X': // $X nth xref\n\t\t\treturn getref (core, atoi (str + 2), 'x', R_ANAL_REF_TYPE_CALL);\n\t\tcase 'F': // $F function size\n\t\t\tfcn = r_anal_get_fcn_in (core->anal, core->offset, 0);\n\t\t\tif (fcn) {\n\t\t\t\tswitch (str[2]) {\n\t\t\t\t/* function bounds (uppercase) */\n\t\t\t\tcase 'B': return fcn->addr; // begin\n\t\t\t\tcase 'E': return r_anal_function_max_addr (fcn); // end\n\t\t\t\tcase 'S': return (str[3]=='S') ? r_anal_function_realsize (fcn) : r_anal_function_linear_size (fcn);\n\t\t\t\tcase 'I': return fcn->ninstr;\n\t\t\t\t/* basic blocks (lowercase) */\n\t\t\t\tcase 'b': return bbBegin (fcn, core->offset);\n\t\t\t\tcase 'e': return bbBegin (fcn, core->offset) + bbSize (fcn, core->offset);\n\t\t\t\tcase 'i': return bbInstructions (fcn, core->offset);\n\t\t\t\tcase 's': return bbSize (fcn, core->offset);\n\t\t\t\tcase 'j': return bbJump (fcn, core->offset); // jump\n\t\t\t\tcase 'f': return bbFail (fcn, core->offset); // fail\n\t\t\t\t}\n\t\t\t\treturn fcn->addr;\n\t\t\t}\n\t\t\treturn 0;\n\t\t}\n\t\tbreak;\n\tdefault:\n\t\tif (*str >= 'A') {\n\t\t\t// NOTE: functions override flags\n\t\t\tRAnalFunction *fcn = r_anal_get_function_byname (core->anal, str);\n\t\t\tif (fcn) {\n\t\t\t\tif (ok) {\n\t\t\t\t\t*ok = true;\n\t\t\t\t}\n\t\t\t\treturn fcn->addr;\n\t\t\t}\n#if 0\n\t\t\tut64 addr = r_anal_fcn_label_get (core->anal, core->offset, str);\n\t\t\tif (addr != 0) {\n\t\t\t\tret = addr;\n\t\t\t} else {\n\t\t\t\t...\n\t\t\t}\n#endif\n\t\t\tif ((flag = r_flag_get (core->flags, str))) {\n\t\t\t\tret = flag->offset;\n\t\t\t\tif 
(ok) {\n\t\t\t\t\t*ok = true;\n\t\t\t\t}\n\t\t\t\treturn ret;\n\t\t\t}\n\n\t\t\t// check for reg alias\n\t\t\tstruct r_reg_item_t *r = r_reg_get (core->dbg->reg, str, -1);\n\t\t\tif (!r) {\n\t\t\t\tint role = r_reg_get_name_idx (str);\n\t\t\t\tif (role != -1) {\n\t\t\t\t\tconst char *alias = r_reg_get_name (core->dbg->reg, role);\n\t\t\t\t\tif (alias) {\n\t\t\t\t\t\tr = r_reg_get (core->dbg->reg, alias, -1);\n\t\t\t\t\t\tif (r) {\n\t\t\t\t\t\t\tif (ok) {\n\t\t\t\t\t\t\t\t*ok = true;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tret = r_reg_get_value (core->dbg->reg, r);\n\t\t\t\t\t\t\treturn ret;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tif (ok) {\n\t\t\t\t\t*ok = true;\n\t\t\t\t}\n\t\t\t\tret = r_reg_get_value (core->dbg->reg, r);\n\t\t\t\treturn ret;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\t}\n\n\treturn ret;\n}", "project": "radare2", "hash": 309543645109018447947978518899619702428, "size": 380, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232115 }, { "func": "static int nfs41_reclaim_complete_handle_errors(struct rpc_task *task, struct nfs_client *clp)\n{\n\tswitch(task->tk_status) {\n\tcase 0:\n\t\twake_up_all(&clp->cl_lock_waitq);\n\t\t/* Fallthrough */\n\tcase -NFS4ERR_COMPLETE_ALREADY:\n\tcase -NFS4ERR_WRONG_CRED: /* What to do here? 
*/\n\t\tbreak;\n\tcase -NFS4ERR_DELAY:\n\t\trpc_delay(task, NFS4_POLL_RETRY_MAX);\n\t\t/* fall through */\n\tcase -NFS4ERR_RETRY_UNCACHED_REP:\n\t\treturn -EAGAIN;\n\tcase -NFS4ERR_BADSESSION:\n\tcase -NFS4ERR_DEADSESSION:\n\tcase -NFS4ERR_CONN_NOT_BOUND_TO_SESSION:\n\t\tbreak;\n\tdefault:\n\t\tnfs4_schedule_lease_recovery(clp);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 25967178641984564667766268966035410527, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431065 }, { "func": "static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_pin_code_req *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);\n\tif (!conn)\n\t\tgoto unlock;\n\n\tif (conn->state == BT_CONNECTED) {\n\t\thci_conn_hold(conn);\n\t\tconn->disc_timeout = HCI_PAIRING_TIMEOUT;\n\t\thci_conn_drop(conn);\n\t}\n\n\tif (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&\n\t !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {\n\t\thci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,\n\t\t\t sizeof(ev->bdaddr), &ev->bdaddr);\n\t} else if (hci_dev_test_flag(hdev, HCI_MGMT)) {\n\t\tu8 secure;\n\n\t\tif (conn->pending_sec_level == BT_SECURITY_HIGH)\n\t\t\tsecure = 1;\n\t\telse\n\t\t\tsecure = 0;\n\n\t\tmgmt_pin_code_request(hdev, &ev->bdaddr, secure);\n\t}\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 123624287142562308062221403340080196085, "size": 37, "commit_id": 
"51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431875 }, { "func": "int scan_for_updates(int count_only) {\n\tint i, tile_count, tile_diffs;\n\tint old_copy_tile;\n\tdouble frac1 = 0.1; /* tweak parameter to try a 2nd scan_display() */\n\tdouble frac2 = 0.35; /* or 3rd */\n\tdouble frac3 = 0.02; /* do scan_display() again after copy_tiles() */\n\tstatic double last_poll = 0.0;\n\n\tif (unixpw_in_progress) return 0;\n \n\tif (slow_fb > 0.0) {\n\t\tdouble now = dnow();\n\t\tif (now < last_poll + slow_fb) {\n\t\t\treturn 0;\n\t\t}\n\t\tlast_poll = now;\n\t}\n\n\tfor (i=0; i < ntiles; i++) {\n\t\ttile_has_diff[i] = 0;\n\t\ttile_has_xdamage_diff[i] = 0;\n\t\ttile_tried[i] = 0;\n\t\ttile_copied[i] = 0;\n\t}\n\tfor (i=0; i < ntiles_y; i++) {\n\t\t/* could be useful, currently not used */\n\t\ttile_row_has_xdamage_diff[i] = 0;\n\t}\n\txdamage_tile_count = 0;\n\n\t/*\n\t * n.b. 
this program has only been tested so far with\n\t * tile_x = tile_y = NSCAN = 32!\n\t */\n\n\tif (!count_only) {\n\t\tscan_count++;\n\t\tscan_count %= NSCAN;\n\n\t\t/* some periodic maintenance */\n\t\tif (subwin && scan_count % 4 == 0) {\n\t\t\tset_offset();\t/* follow the subwindow */\n\t\t}\n\t\tif (indexed_color && scan_count % 4 == 0) {\n\t\t\t/* check for changed colormap */\n\t\t\tset_colormap(0);\n\t\t}\n\t\tif (cmap8to24 && scan_count % 1 == 0) {\n\t\t\tcheck_for_multivis();\n\t\t}\n#ifdef MACOSX\n\t\tif (macosx_console) {\n\t\t\tmacosx_event_loop();\n\t\t}\n#endif\n\t\tif (use_xdamage) {\n\t\t\t/* first pass collecting DAMAGE events: */\n#ifdef MACOSX\n\t\t\tif (macosx_console) {\n\t\t\t\tcollect_non_X_xdamage(-1, -1, -1, -1, 0);\n\t\t\t} else \n#endif\n\t\t\t{\n\t\t\t\tif (rawfb_vnc_reflect) {\n\t\t\t\t\tcollect_non_X_xdamage(-1, -1, -1, -1, 0);\n\t\t\t\t} else {\n\t\t\t\t\tcollect_xdamage(scan_count, 0);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n#define SCAN_FATAL(x) \\\n\tif (x < 0) { \\\n\t\tscan_in_progress = 0; \\\n\t\tfb_copy_in_progress = 0; \\\n\t\treturn 0; \\\n\t}\n\n\t/* scan with the initial y to the jitter value from scanlines: */\n\tscan_in_progress = 1;\n\ttile_count = scan_display(scanlines[scan_count], 0);\n\tSCAN_FATAL(tile_count);\n\n\t/*\n\t * we do the XDAMAGE here too since after scan_display()\n\t * there is a better chance we have received the events from\n\t * the X server (otherwise the DAMAGE events will be processed\n\t * in the *next* call, usually too late and wasteful since\n\t * the unchanged tiles are read in again).\n\t */\n\tif (use_xdamage) {\n#ifdef MACOSX\n\t\tif (macosx_console) {\n\t\t\t;\n\t\t} else \n#endif\n\t\t{\n\t\t\tif (rawfb_vnc_reflect) {\n\t\t\t\t;\n\t\t\t} else {\n\t\t\t\tcollect_xdamage(scan_count, 1);\n\t\t\t}\n\t\t}\n\t}\n\tif (count_only) {\n\t\tscan_in_progress = 0;\n\t\tfb_copy_in_progress = 0;\n\t\treturn tile_count;\n\t}\n\n\tif (xdamage_tile_count) {\n\t\t/* pick up \"known\" damaged tiles we missed in 
scan_display() */\n\t\tfor (i=0; i < ntiles; i++) {\n\t\t\tif (tile_has_diff[i]) {\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (tile_has_xdamage_diff[i]) {\n\t\t\t\ttile_has_diff[i] = 1;\n\t\t\t\tif (tile_has_xdamage_diff[i] == 1) {\n\t\t\t\t\ttile_has_xdamage_diff[i] = 2;\n\t\t\t\t\ttile_count++;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\tif (dpy && use_xdamage == 1) {\n\t\tstatic time_t last_xd_check = 0;\n\t\tif (time(NULL) > last_xd_check + 2) {\n\t\t\tint cp = (scan_count + 3) % NSCAN;\n\t\t\txd_do_check = 1;\n\t\t\ttile_count = scan_display(scanlines[cp], 0);\n\t\t\txd_do_check = 0;\n\t\t\tSCAN_FATAL(tile_count);\n\t\t\tlast_xd_check = time(NULL);\n\t\t\tif (xd_samples > 200) {\n\t\t\t\tstatic int bad = 0;\n\t\t\t\tif (xd_misses > (20 * xd_samples) / 100) {\n\t\t\t\t\trfbLog(\"XDAMAGE is not working well... misses: %d/%d\\n\", xd_misses, xd_samples);\n\t\t\t\t\trfbLog(\"Maybe an OpenGL app like Beryl or Compiz is the problem?\\n\");\n\t\t\t\t\trfbLog(\"Use x11vnc -noxdamage or disable the Beryl/Compiz app.\\n\");\n\t\t\t\t\trfbLog(\"To disable this check and warning specify -xdamage twice.\\n\");\n\t\t\t\t\tif (++bad >= 10) {\n\t\t\t\t\t\trfbLog(\"XDAMAGE appears broken (OpenGL app?), turning it off.\\n\");\n\t\t\t\t\t\tuse_xdamage = 0;\n\t\t\t\t\t\tinitialize_xdamage();\n\t\t\t\t\t\tdestroy_xdamage_if_needed();\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\txd_samples = 0;\n\t\t\t\txd_misses = 0;\n\t\t\t}\n\t\t}\n\t}\n\n\tnap_set(tile_count);\n\n\tif (fs_factor && frac1 >= fs_frac) {\n\t\t/* make frac1 < fs_frac if fullscreen updates are enabled */\n\t\tfrac1 = fs_frac/2.0;\n\t}\n\n\tif (tile_count > frac1 * ntiles) {\n\t\t/*\n\t\t * many tiles have changed, so try a rescan (since it should\n\t\t * be short compared to the many upcoming copy_tiles() calls)\n\t\t */\n\n\t\t/* this check is done to skip the extra scan_display() call */\n\t\tif (! 
fs_factor || tile_count <= fs_frac * ntiles) {\n\t\t\tint cp, tile_count_old = tile_count;\n\t\t\t\n\t\t\t/* choose a different y shift for the 2nd scan: */\n\t\t\tcp = (NSCAN - scan_count) % NSCAN;\n\n\t\t\ttile_count = scan_display(scanlines[cp], 1);\n\t\t\tSCAN_FATAL(tile_count);\n\n\t\t\tif (tile_count >= (1 + frac2) * tile_count_old) {\n\t\t\t\t/* on a roll... do a 3rd scan */\n\t\t\t\tcp = (NSCAN - scan_count + 7) % NSCAN;\n\t\t\t\ttile_count = scan_display(scanlines[cp], 1);\n\t\t\t\tSCAN_FATAL(tile_count);\n\t\t\t}\n\t\t}\n\t\tscan_in_progress = 0;\n\n\t\t/*\n\t\t * At some number of changed tiles it is better to just\n\t\t * copy the full screen at once. I.e. time = c1 + m * r1\n\t\t * where m is number of tiles, r1 is the copy_tiles()\n\t\t * time, and c1 is the scan_display() time: for some m\n\t\t * it crosses the full screen update time.\n\t\t *\n\t\t * We try to predict that crossover with the fs_frac\n\t\t * fudge factor... seems to be about 1/2 the total number\n\t\t * of tiles. n.b. this ignores network bandwidth,\n\t\t * compression time etc...\n\t\t *\n\t\t * Use -fs 1.0 to disable on slow links.\n\t\t */\n\t\tif (fs_factor && tile_count > fs_frac * ntiles) {\n\t\t\tint cs;\n\t\t\tfb_copy_in_progress = 1;\n\t\t\tcs = copy_screen();\n\t\t\tfb_copy_in_progress = 0;\n\t\t\tSCAN_FATAL(cs);\n\t\t\tif (use_threads && pointer_mode != 1) {\n\t\t\t\tpointer_event(-1, 0, 0, NULL);\n\t\t\t}\n\t\t\tnap_check(tile_count);\n\t\t\treturn tile_count;\n\t\t}\n\t}\n\tscan_in_progress = 0;\n\n\t/* copy all tiles with differences from display to rfb framebuffer: */\n\tfb_copy_in_progress = 1;\n\n\tif (single_copytile || tile_shm_count < ntiles_x) {\n\t\t/*\n\t\t * Old way, copy I/O one tile at a time.\n\t\t */\n\t\told_copy_tile = 1;\n\t} else {\n\t\t/* \n\t\t * New way, does runs of horizontal tiles at once.\n\t\t * Note that below, for simplicity, the extra tile finding\n\t\t * (e.g. 
copy_tiles_backward_pass) is done the old way.\n\t\t */\n\t\told_copy_tile = 0;\n\t}\n\n\tif (unixpw_in_progress) return 0;\n\n\tif (old_copy_tile) {\n\t\ttile_diffs = copy_all_tiles();\n\t} else {\n\t\ttile_diffs = copy_all_tile_runs();\n\t}\n\tSCAN_FATAL(tile_diffs);\n\n\t/*\n\t * This backward pass for upward and left tiles complements what\n\t * was done in copy_all_tiles() for downward and right tiles.\n\t */\n\ttile_diffs = copy_tiles_backward_pass();\n\tSCAN_FATAL(tile_diffs);\n\n\tif (tile_diffs > frac3 * ntiles) {\n\t\t/*\n\t\t * we spent a lot of time in those copy_tiles, run\n\t\t * another scan, maybe more of the screen changed.\n\t\t */\n\t\tint cp = (NSCAN - scan_count + 13) % NSCAN;\n\n\t\tscan_in_progress = 1;\n\t\ttile_count = scan_display(scanlines[cp], 1);\n\t\tSCAN_FATAL(tile_count);\n\t\tscan_in_progress = 0;\n\n\t\ttile_diffs = copy_tiles_additional_pass();\n\t\tSCAN_FATAL(tile_diffs);\n\t}\n\n\t/* Given enough tile diffs, try the islands: */\n\tif (grow_fill && tile_diffs > 4) {\n\t\ttile_diffs = grow_islands();\n\t}\n\tSCAN_FATAL(tile_diffs);\n\n\t/* Given enough tile diffs, try the gaps: */\n\tif (gaps_fill && tile_diffs > 4) {\n\t\ttile_diffs = fill_tile_gaps();\n\t}\n\tSCAN_FATAL(tile_diffs);\n\n\tfb_copy_in_progress = 0;\n\tif (use_threads && pointer_mode != 1) {\n\t\t/*\n\t\t * tell the pointer handler it can process any queued\n\t\t * pointer events:\n\t\t */\n\t\tpointer_event(-1, 0, 0, NULL);\n\t}\n\n\tif (blackouts) {\n\t\t/* ignore any diffs in completely covered tiles */\n\t\tint x, y, n;\n\t\tfor (y=0; y < ntiles_y; y++) {\n\t\t\tfor (x=0; x < ntiles_x; x++) {\n\t\t\t\tn = x + y * ntiles_x;\n\t\t\t\tif (tile_blackout[n].cover == 2) {\n\t\t\t\t\ttile_has_diff[n] = 0;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\thint_updates();\t/* use x0rfbserver hints algorithm */\n\n\t/* Work around threaded rfbProcessClientMessage() calls timeouts */\n\tif (use_threads) {\n\t\tping_clients(tile_diffs);\n\t} else if (saw_ultra_chat || saw_ultra_file) 
{\n\t\tping_clients(-1);\n\t} else if (use_openssl && !tile_diffs) {\n\t\tping_clients(0);\n\t}\n\t/* -ping option: */\n\tif (ping_interval) {\n\t\tint td = ping_interval > 0 ? ping_interval : -ping_interval;\n\t\tping_clients(-td);\n\t}\n\n\n\tnap_check(tile_diffs);\n\treturn tile_diffs;\n}", "project": "x11vnc", "hash": 286699392458492283200716111106368723056, "size": 319, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360752 }, { "func": "static inline int invalid_nodeid(u64 nodeid)\n{\n\treturn !nodeid || nodeid == FUSE_ROOT_ID;\n}", "project": "linux", "hash": 16384320037638038847631762969943725986, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341951 }, { "func": "const CIRCSock* CClient::GetIRCSock() const {\n if (m_pNetwork) {\n return m_pNetwork->GetIRCSock();\n }\n\n return nullptr;\n}", "project": "znc", "hash": 168099292909357434263178176415724784315, "size": 7, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231559 }, { "func": "CIRCSock* CClient::GetIRCSock() {\n if (m_pNetwork) {\n return m_pNetwork->GetIRCSock();\n }\n\n return nullptr;\n}", "project": "znc", "hash": 126581930959551278071568625147908193970, "size": 7, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231561 }, { "func": "UnicodeString UnicodeString::fromUTF8(StringPiece utf8) {\n UnicodeString result;\n result.setToUTF8(utf8);\n return result;\n}", "project": "icu", "hash": 30977530590608878594525451940775672751, "size": 5, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430810 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "int cmp(const uint8_t *value1, const uint8_t *value2, uint32_t len) {\n for (uint32_t i = 0; i < len; i++) {\n if (*(value1+i) != *(value2+i)) {\n return -1;\n }\n }\n return 0;\n}", "idx": 519098, "cwe": "CWE-787", "hash": 331268147683117824523990425300918636500, "dataset": "other" }, { "func": "static int kvm_get_stat_per_vm(struct kvm *kvm, size_t offset, u64 *val)\n{\n\t*val = *(ulong *)((void *)kvm + offset);\n\n\treturn 
0;\n}", "project": "linux", "hash": 185799293728752882191504385996660931858, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354631 }, { "func": "static void encode_setclientid_confirm(struct xdr_stream *xdr, const struct nfs4_setclientid_res *arg, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_SETCLIENTID_CONFIRM,\n\t\t\tdecode_setclientid_confirm_maxsz, hdr);\n\tencode_uint64(xdr, arg->clientid);\n\tencode_nfs4_verifier(xdr, &arg->confirm);\n}", "project": "linux", "hash": 171175466937637520712330179328683044976, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431122 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "int initialize_enclave(void)\n{\n char token_path[MAX_PATH] = {'\\0'};\n sgx_launch_token_t token = {0};\n sgx_status_t ret = SGX_ERROR_UNEXPECTED;\n int updated = 0;\n\n /* 
Step 1: retrive the launch token saved by last transaction */\n#ifdef _MSC_VER\n /* try to get the token saved in CSIDL_LOCAL_APPDATA */\n if (S_OK != SHGetFolderPathA(NULL, CSIDL_LOCAL_APPDATA, NULL, 0, token_path)) {\n strncpy_s(token_path, _countof(token_path), TOKEN_FILENAME, sizeof(TOKEN_FILENAME));\n } else {\n strncat_s(token_path, _countof(token_path), \"\\\\\" TOKEN_FILENAME, sizeof(TOKEN_FILENAME)+2);\n }\n\n /* open the token file */\n HANDLE token_handler = CreateFileA(token_path, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_ALWAYS, NULL, NULL);\n if (token_handler == INVALID_HANDLE_VALUE) {\n printf(\"Warning: Failed to create/open the launch token file \\\"%s\\\".\\n\", token_path);\n } else {\n /* read the token from saved file */\n DWORD read_num = 0;\n ReadFile(token_handler, token, sizeof(sgx_launch_token_t), &read_num, NULL);\n if (read_num != 0 && read_num != sizeof(sgx_launch_token_t)) {\n /* if token is invalid, clear the buffer */\n memset(&token, 0x0, sizeof(sgx_launch_token_t));\n printf(\"Warning: Invalid launch token read from \\\"%s\\\".\\n\", token_path);\n }\n }\n#else /* __GNUC__ */\n /* try to get the token saved in $HOME */\n const char *home_dir = getpwuid(getuid())->pw_dir;\n\n if (home_dir != NULL &&\n (strlen(home_dir)+strlen(\"/\")+sizeof(TOKEN_FILENAME)+1) <= MAX_PATH) {\n /* compose the token path */\n strncpy(token_path, home_dir, strlen(home_dir));\n strncat(token_path, \"/\", strlen(\"/\"));\n strncat(token_path, TOKEN_FILENAME, sizeof(TOKEN_FILENAME)+1);\n } else {\n /* if token path is too long or $HOME is NULL */\n strncpy(token_path, TOKEN_FILENAME, sizeof(TOKEN_FILENAME));\n }\n\n FILE *fp = fopen(token_path, \"rb\");\n if (fp == NULL && (fp = fopen(token_path, \"wb\")) == NULL) {\n printf(\"Warning: Failed to create/open the launch token file \\\"%s\\\".\\n\", token_path);\n }\n\n if (fp != NULL) {\n /* read the token from saved file */\n size_t read_num = fread(token, 1, sizeof(sgx_launch_token_t), fp);\n 
if (read_num != 0 && read_num != sizeof(sgx_launch_token_t)) {\n /* if token is invalid, clear the buffer */\n memset(&token, 0x0, sizeof(sgx_launch_token_t));\n printf(\"Warning: Invalid launch token read from \\\"%s\\\".\\n\", token_path);\n }\n }\n#endif\n /* Step 2: call sgx_create_enclave to initialize an enclave instance */\n /* Debug Support: set 2nd parameter to 1 */\n ret = sgx_create_enclave(ENCLAVE_FILENAME, SGX_DEBUG_FLAG, &token, &updated, &global_eid, NULL);\n if (ret != SGX_SUCCESS) {\n print_error_message(ret);\n#ifdef _MSC_VER\n if (token_handler != INVALID_HANDLE_VALUE)\n CloseHandle(token_handler);\n#else\n if (fp != NULL) fclose(fp);\n#endif\n return -1;\n }\n\n /* Step 3: save the launch token if it is updated */\n#ifdef _MSC_VER\n if (updated == FALSE || token_handler == INVALID_HANDLE_VALUE) {\n /* if the token is not updated, or file handler is invalid, do not perform saving */\n if (token_handler != INVALID_HANDLE_VALUE)\n CloseHandle(token_handler);\n return 0;\n }\n\n /* flush the file cache */\n FlushFileBuffers(token_handler);\n /* set access offset to the begin of the file */\n SetFilePointer(token_handler, 0, NULL, FILE_BEGIN);\n\n /* write back the token */\n DWORD write_num = 0;\n WriteFile(token_handler, token, sizeof(sgx_launch_token_t), &write_num, NULL);\n if (write_num != sizeof(sgx_launch_token_t))\n printf(\"Warning: Failed to save launch token to \\\"%s\\\".\\n\", token_path);\n CloseHandle(token_handler);\n#else /* __GNUC__ */\n if (updated == FALSE || fp == NULL) {\n /* if the token is not updated, or file handler is invalid, do not perform saving */\n if (fp != NULL) fclose(fp);\n return 0;\n }\n\n /* reopen the file with write capablity */\n fp = freopen(token_path, \"wb\", fp);\n if (fp == NULL) return 0;\n size_t write_num = fwrite(token, 1, sizeof(sgx_launch_token_t), fp);\n if (write_num != sizeof(sgx_launch_token_t))\n printf(\"Warning: Failed to save launch token to \\\"%s\\\".\\n\", token_path);\n 
fclose(fp);\n#endif\n return 0;\n}", "idx": 519070, "cwe": "CWE-787", "hash": 86962835254162312236921480734264125243, "dataset": "other" }, { "func": "static inline int mpol_store_user_nodemask(const struct mempolicy *pol)\n{\n\treturn pol->flags & MPOL_MODE_FLAGS;\n}", "project": "linux", "hash": 231281660454355698173455415263161660790, "size": 4, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366717 }, { "func": "\tif(pThis->bIsDA && getPhysicalQueueSize(pThis) > 0 && pThis->bSaveOnShutdown) {\n\t\tCHKiRet(DoSaveOnShutdown(pThis));\n\t}", "project": "rsyslog", "hash": 335788306607338286994738631388764441302, "size": 3, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373751 }, { "func": "void exit_mm_release(struct task_struct *tsk, struct mm_struct *mm)\n{\n\tfutex_exit_release(tsk);\n\tmm_release(tsk, mm);\n}", "project": "linux", "hash": 
60075964915725165953768840416145299666, "size": 5, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293732 }, { "func": "void blosc_init(void) {\n /* Return if Blosc is already initialized */\n if (g_initlib) return;\n\n pthread_mutex_init(&global_comp_mutex, NULL);\n /* Create a global context */\n g_global_context = (blosc2_context*)my_malloc(sizeof(blosc2_context));\n memset(g_global_context, 0, sizeof(blosc2_context));\n g_global_context->nthreads = g_nthreads;\n g_global_context->new_nthreads = g_nthreads;\n g_initlib = 1;\n}", "project": "c-blosc2", "hash": 246882575883981292009553302606137715792, "size": 12, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303059 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "void WebGraphicsContext3DDefaultImpl::copyTexSubImage2D(unsigned long target, long level, long xoffset, long yoffset,\n long x, long y, unsigned long width, unsigned long height)\n{\n makeContextCurrent();\n\n bool needsResolve = (m_attributes.antialias && m_boundFBO == m_multisampleFBO);\n if (needsResolve) {\n resolveMultisampledFramebuffer(x, y, width, height);\n glBindFramebufferEXT(GL_FRAMEBUFFER_EXT, m_fbo);\n }\n\n glCopyTexSubImage2D(target, level, xoffset, yoffset, x, y, width, height);\n\n if (needsResolve)\n glBindFramebufferEXT(GL_FRAMEBUFFER_EXT, m_boundFBO);\n}\n", "cwe": "", "big_vul_idx": 98975, "idx": 89034, "hash": 135699178864100809893839884793645604513 
}, { "func": "void CLua::getregistry(const char *name)\n{\n _getregistry(state(), name);\n}", "project": "crawl", "hash": 23518653801860216664537607175635240287, "size": 4, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230497 }, { "func": "ElectronNavigationThrottle::WillStartRequest() {\n auto* handle = navigation_handle();\n auto* contents = handle->GetWebContents();\n if (!contents) {\n NOTREACHED();\n return PROCEED;\n }\n\n v8::Isolate* isolate = v8::Isolate::GetCurrent();\n v8::HandleScope scope(isolate);\n auto api_contents = electron::api::WebContents::From(isolate, contents);\n if (api_contents.IsEmpty()) {\n // No need to emit any event if the WebContents is not available in JS.\n return PROCEED;\n }\n\n if (handle->IsRendererInitiated() && handle->IsInMainFrame() &&\n api_contents->EmitNavigationEvent(\"will-navigate\", handle)) {\n return CANCEL;\n }\n return PROCEED;\n}", "project": "electron", "hash": 338503281170197587312866594350074682456, "size": 22, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269730 }, { "func": "int imap_rename_mailbox(struct ImapAccountData *adata, char *oldname, const char *newname)\n{\n char oldmbox[1024];\n char newmbox[1024];\n int rc = 0;\n\n imap_munge_mbox_name(adata->unicode, oldmbox, sizeof(oldmbox), oldname);\n imap_munge_mbox_name(adata->unicode, newmbox, sizeof(newmbox), newname);\n\n struct Buffer *buf = mutt_buffer_pool_get();\n mutt_buffer_printf(buf, \"RENAME %s %s\", oldmbox, newmbox);\n\n if (imap_exec(adata, 
mutt_b2s(buf), IMAP_CMD_NO_FLAGS) != IMAP_EXEC_SUCCESS)\n rc = -1;\n\n mutt_buffer_pool_release(&buf);\n\n return rc;\n}", "project": "neomutt", "hash": 292340857354836019802400163305065565747, "size": 19, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357004 }, { "func": "static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {\n NDPI_PROTOCOL_BITMASK all;\n struct ndpi_workflow_prefs prefs;\n\n memset(&prefs, 0, sizeof(prefs));\n prefs.decode_tunnels = decode_tunnels;\n prefs.num_roots = NUM_ROOTS;\n prefs.max_ndpi_flows = MAX_NDPI_FLOWS;\n prefs.quiet_mode = quiet_mode;\n\n memset(&ndpi_thread_info[thread_id], 0, sizeof(ndpi_thread_info[thread_id]));\n ndpi_thread_info[thread_id].workflow = ndpi_workflow_init(&prefs, pcap_handle);\n\n /* Preferences */\n ndpi_workflow_set_flow_detected_callback(ndpi_thread_info[thread_id].workflow,\n\t\t\t\t\t on_protocol_discovered,\n\t\t\t\t\t (void *)(uintptr_t)thread_id);\n\n // enable all protocols\n NDPI_BITMASK_SET_ALL(all);\n ndpi_set_protocol_detection_bitmask2(ndpi_thread_info[thread_id].workflow->ndpi_struct, &all);\n\n // clear memory for results\n memset(ndpi_thread_info[thread_id].workflow->stats.protocol_counter, 0,\n\t sizeof(ndpi_thread_info[thread_id].workflow->stats.protocol_counter));\n memset(ndpi_thread_info[thread_id].workflow->stats.protocol_counter_bytes, 0,\n\t sizeof(ndpi_thread_info[thread_id].workflow->stats.protocol_counter_bytes));\n memset(ndpi_thread_info[thread_id].workflow->stats.protocol_flows, 0,\n\t sizeof(ndpi_thread_info[thread_id].workflow->stats.protocol_flows));\n\n if(_protoFilePath != NULL)\n ndpi_load_protocols_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _protoFilePath);\n\n if(_customCategoryFilePath)\n 
ndpi_load_categories_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _customCategoryFilePath);\n\n ndpi_finalize_initalization(ndpi_thread_info[thread_id].workflow->ndpi_struct);\n}", "project": "nDPI", "hash": 195363558281782833363616680957060790333, "size": 38, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254850 }, { "func": "CtPtr ProtocolV1::send_connect_message()\n{\n state = CONNECTING_SEND_CONNECT_MSG;\n\n ldout(cct, 20) << __func__ << dendl;\n ceph_assert(messenger->auth_client);\n\n bufferlist auth_bl;\n vector preferred_modes;\n\n if (connection->peer_type != CEPH_ENTITY_TYPE_MON ||\n messenger->get_myname().type() == CEPH_ENTITY_TYPE_MON) {\n if (authorizer_more.length()) {\n ldout(cct,10) << __func__ << \" using augmented (challenge) auth payload\"\n\t\t << dendl;\n auth_bl = authorizer_more;\n } else {\n auto am = auth_meta;\n authorizer_more.clear();\n connection->lock.unlock();\n int r = messenger->auth_client->get_auth_request(\n\tconnection, am.get(),\n\t&am->auth_method, &preferred_modes, &auth_bl);\n connection->lock.lock();\n if (r < 0) {\n\treturn _fault();\n }\n if (state != CONNECTING_SEND_CONNECT_MSG) {\n\tldout(cct, 1) << __func__ << \" state changed!\" << dendl;\n\treturn _fault();\n }\n }\n }\n\n ceph_msg_connect connect;\n connect.features = connection->policy.features_supported;\n connect.host_type = messenger->get_myname().type();\n connect.global_seq = global_seq;\n connect.connect_seq = connect_seq;\n connect.protocol_version =\n messenger->get_proto_version(connection->peer_type, true);\n if (auth_bl.length()) {\n ldout(cct, 10) << __func__\n << \" connect_msg.authorizer_len=\" << auth_bl.length()\n << \" protocol=\" << auth_meta->auth_method << dendl;\n connect.authorizer_protocol = auth_meta->auth_method;\n 
connect.authorizer_len = auth_bl.length();\n } else {\n connect.authorizer_protocol = 0;\n connect.authorizer_len = 0;\n }\n\n connect.flags = 0;\n if (connection->policy.lossy) {\n connect.flags |=\n CEPH_MSG_CONNECT_LOSSY; // this is fyi, actually, server decides!\n }\n\n bufferlist bl;\n bl.append((char *)&connect, sizeof(connect));\n if (auth_bl.length()) {\n bl.append(auth_bl.c_str(), auth_bl.length());\n }\n\n ldout(cct, 10) << __func__ << \" connect sending gseq=\" << global_seq\n << \" cseq=\" << connect_seq\n << \" proto=\" << connect.protocol_version << dendl;\n\n return WRITE(bl, handle_connect_message_write);\n}", "project": "ceph", "hash": 296054472214011929325217889026457188241, "size": 70, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": "msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f (\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 0, "dataset": "other", "idx": 356894 }, { "func": "static void record_and_restart(struct perf_event *event, unsigned long val,\n\t\t\t struct pt_regs *regs)\n{\n\tu64 period = event->hw.sample_period;\n\ts64 prev, delta, left;\n\tint 
record = 0;\n\n\tif (event->hw.state & PERF_HES_STOPPED) {\n\t\twrite_pmc(event->hw.idx, 0);\n\t\treturn;\n\t}\n\n\t/* we don't have to worry about interrupts here */\n\tprev = local64_read(&event->hw.prev_count);\n\tdelta = check_and_compute_delta(prev, val);\n\tlocal64_add(delta, &event->count);\n\n\t/*\n\t * See if the total period for this event has expired,\n\t * and update for the next period.\n\t */\n\tval = 0;\n\tleft = local64_read(&event->hw.period_left) - delta;\n\tif (delta == 0)\n\t\tleft++;\n\tif (period) {\n\t\tif (left <= 0) {\n\t\t\tleft += period;\n\t\t\tif (left <= 0)\n\t\t\t\tleft = period;\n\n\t\t\t/*\n\t\t\t * If address is not requested in the sample via\n\t\t\t * PERF_SAMPLE_IP, just record that sample irrespective\n\t\t\t * of SIAR valid check.\n\t\t\t */\n\t\t\tif (event->attr.sample_type & PERF_SAMPLE_IP)\n\t\t\t\trecord = siar_valid(regs);\n\t\t\telse\n\t\t\t\trecord = 1;\n\n\t\t\tevent->hw.last_period = event->hw.sample_period;\n\t\t}\n\t\tif (left < 0x80000000LL)\n\t\t\tval = 0x80000000LL - left;\n\t}\n\n\twrite_pmc(event->hw.idx, val);\n\tlocal64_set(&event->hw.prev_count, val);\n\tlocal64_set(&event->hw.period_left, left);\n\tperf_event_update_userpage(event);\n\n\t/*\n\t * Due to hardware limitation, sometimes SIAR could sample a kernel\n\t * address even when freeze on supervisor state (kernel) is set in\n\t * MMCR2. 
Check attr.exclude_kernel and address to drop the sample in\n\t * these cases.\n\t */\n\tif (event->attr.exclude_kernel &&\n\t (event->attr.sample_type & PERF_SAMPLE_IP) &&\n\t is_kernel_addr(mfspr(SPRN_SIAR)))\n\t\trecord = 0;\n\n\t/*\n\t * Finally record data if requested.\n\t */\n\tif (record) {\n\t\tstruct perf_sample_data data;\n\n\t\tperf_sample_data_init(&data, ~0ULL, event->hw.last_period);\n\n\t\tif (event->attr.sample_type & PERF_SAMPLE_ADDR_TYPE)\n\t\t\tperf_get_data_addr(event, regs, &data.addr);\n\n\t\tif (event->attr.sample_type & PERF_SAMPLE_BRANCH_STACK) {\n\t\t\tstruct cpu_hw_events *cpuhw;\n\t\t\tcpuhw = this_cpu_ptr(&cpu_hw_events);\n\t\t\tpower_pmu_bhrb_read(event, cpuhw);\n\t\t\tdata.br_stack = &cpuhw->bhrb_stack;\n\t\t}\n\n\t\tif (event->attr.sample_type & PERF_SAMPLE_DATA_SRC &&\n\t\t\t\t\t\tppmu->get_mem_data_src)\n\t\t\tppmu->get_mem_data_src(&data.data_src, ppmu->flags, regs);\n\n\t\tif (event->attr.sample_type & PERF_SAMPLE_WEIGHT_TYPE &&\n\t\t\t\t\t\tppmu->get_mem_weight)\n\t\t\tppmu->get_mem_weight(&data.weight.full, event->attr.sample_type);\n\n\t\tif (perf_event_overflow(event, &data, regs))\n\t\t\tpower_pmu_stop(event, 0);\n\t} else if (period) {\n\t\t/* Account for interrupt in case of invalid SIAR */\n\t\tif (perf_event_account_interrupt(event))\n\t\t\tpower_pmu_stop(event, 0);\n\t}\n}", "project": "linux", "hash": 260607011012048408514924232299234329313, "size": 97, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 
5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374692 }, { "func": "static void parse_output_words(struct output_struct *words, short *levels,\n\t\t\t const char *str, uchar priority)\n{\n\tconst char *s;\n\tint j, len, lev;\n\n\tfor ( ; str; str = s) {\n\t\tif ((s = strchr(str, ',')) != NULL)\n\t\t\tlen = s++ - str;\n\t\telse\n\t\t\tlen = strlen(str);\n\t\tif (!len)\n\t\t\tcontinue;\n\t\tif (!isDigit(str)) {\n\t\t\twhile (len && isDigit(str+len-1))\n\t\t\t\tlen--;\n\t\t}\n\t\tlev = isDigit(str+len) ? 
atoi(str+len) : 1;\n\t\tif (lev > MAX_OUT_LEVEL)\n\t\t\tlev = MAX_OUT_LEVEL;\n\t\tif (len == 4 && strncasecmp(str, \"help\", 4) == 0) {\n\t\t\toutput_item_help(words);\n\t\t\texit_cleanup(0);\n\t\t}\n\t\tif (len == 4 && strncasecmp(str, \"none\", 4) == 0)\n\t\t\tlen = lev = 0;\n\t\telse if (len == 3 && strncasecmp(str, \"all\", 3) == 0)\n\t\t\tlen = 0;\n\t\tfor (j = 0; words[j].name; j++) {\n\t\t\tif (!len\n\t\t\t || (len == words[j].namelen && strncasecmp(str, words[j].name, len) == 0)) {\n\t\t\t\tif (priority >= words[j].priority) {\n\t\t\t\t\twords[j].priority = priority;\n\t\t\t\t\tlevels[j] = lev;\n\t\t\t\t}\n\t\t\t\tif (len)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (len && !words[j].name) {\n\t\t\trprintf(FERROR, \"Unknown %s item: \\\"%.*s\\\"\\n\",\n\t\t\t\twords[j].help, len, str);\n\t\t\texit_cleanup(RERR_SYNTAX);\n\t\t}\n\t}\n}", "project": "rsync", "hash": 1441503571744244796432259235177624334, "size": 46, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. 
This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364672 }, { "func": "static int pause_interception(struct vcpu_svm *svm)\n{\n\tstruct kvm_vcpu *vcpu = &svm->vcpu;\n\tbool in_kernel = (svm_get_cpl(vcpu) == 0);\n\n\tif (pause_filter_thresh)\n\t\tgrow_ple_window(vcpu);\n\n\tkvm_vcpu_on_spin(vcpu, in_kernel);\n\treturn 1;\n}", "project": "linux", "hash": 316599720748309985020109784340444898293, "size": 11, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432479 }, { "func": "static int pause_interception(struct vcpu_svm *svm)\n{\n\tkvm_vcpu_on_spin(&(svm->vcpu));\n\treturn 1;\n}", "project": "kvm", "hash": 4836304354143588578137524015986315123, "size": 5, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437608 }, { "func": "static int create_vcpu_fd(struct kvm_vcpu *vcpu)\n{\n\tchar name[8 + 1 + ITOA_MAX_LEN + 1];\n\n\tsnprintf(name, sizeof(name), \"kvm-vcpu:%d\", vcpu->vcpu_id);\n\treturn anon_inode_getfd(name, &kvm_vcpu_fops, vcpu, O_RDWR | O_CLOEXEC);\n}", "project": "linux", "hash": 144543109846018646800022135061542584279, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size 
memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354670 }, { "func": "static void hci_cc_read_stored_link_key(struct hci_dev *hdev,\n\t\t\t\t\tstruct sk_buff *skb)\n{\n\tstruct hci_rp_read_stored_link_key *rp = (void *)skb->data;\n\tstruct hci_cp_read_stored_link_key *sent;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);\n\tif (!sent)\n\t\treturn;\n\n\tif (!rp->status && sent->read_all == 0x01) {\n\t\thdev->stored_max_keys = rp->max_keys;\n\t\thdev->stored_num_keys = rp->num_keys;\n\t}\n}", "project": "linux", "hash": 35070561272593441870775266119950090861, "size": 17, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432004 }, { "func": "void Commissioner::RemoveCoapResources(void)\n{\n Get().RemoveResource(mRelayReceive);\n Get().RemoveResource(mDatasetChanged);\n Get().RemoveResource(mJoinerFinalize);\n}", "project": "openthread", "hash": 316792671758286214126869586569011391885, "size": 6, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269883 }, { "func": "tracing_readme_read(struct file *filp, char __user *ubuf,\n\t\t size_t cnt, loff_t *ppos)\n{\n\treturn simple_read_from_buffer(ubuf, cnt, ppos,\n\t\t\t\t\treadme_msg, strlen(readme_msg));\n}", "project": "linux", "hash": 108732412802579667837683563876259486684, "size": 6, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445657 }, { "func": "rb_simple_read(struct file *filp, char __user *ubuf,\n\t size_t cnt, loff_t *ppos)\n{\n\tstruct trace_array *tr = filp->private_data;\n\tchar buf[64];\n\tint r;\n\n\tr = tracer_tracing_is_on(tr);\n\tr = sprintf(buf, \"%d\\n\", r);\n\n\treturn simple_read_from_buffer(ubuf, cnt, ppos, buf, r);\n}", "project": "linux", "hash": 159342224440471907441459377498341150000, "size": 12, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445714 }, { "func": "tracing_nsecs_read(unsigned long *ptr, char __user *ubuf,\n\t\t size_t cnt, loff_t *ppos)\n{\n\tchar buf[64];\n\tint r;\n\n\tr = snprintf(buf, sizeof(buf), \"%ld\\n\",\n\t\t *ptr == (unsigned long)-1 ? 
-1 : nsecs_to_usecs(*ptr));\n\tif (r > sizeof(buf))\n\t\tr = sizeof(buf);\n\treturn simple_read_from_buffer(ubuf, cnt, ppos, buf, r);\n}", "project": "linux", "hash": 267205487276320687463122356683814373927, "size": 12, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445791 }, { "func": "tracing_read_dyn_info(struct file *filp, char __user *ubuf,\n\t\t size_t cnt, loff_t *ppos)\n{\n\tunsigned long *p = filp->private_data;\n\tchar buf[64]; /* Not too big for a shallow stack */\n\tint r;\n\n\tr = scnprintf(buf, 63, \"%ld\", *p);\n\tbuf[r++] = '\\n';\n\n\treturn simple_read_from_buffer(ubuf, cnt, ppos, buf, r);\n}", "project": "linux", "hash": 60560301845060036934230190166723409164, "size": 12, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445807 }, { "func": "static int nfs4_opendata_access(const struct cred *cred,\n\t\t\t\tstruct nfs4_opendata *opendata,\n\t\t\t\tstruct nfs4_state *state, fmode_t fmode,\n\t\t\t\tint openflags)\n{\n\tstruct nfs_access_entry cache;\n\tu32 mask, flags;\n\n\t/* access call failed or for some reason the server doesn't\n\t * support any access modes -- defer access call until later */\n\tif (opendata->o_res.access_supported == 0)\n\t\treturn 0;\n\n\tmask = 0;\n\t/*\n\t * Use openflags to check for exec, because fmode won't\n\t * always have FMODE_EXEC set when file open for exec.\n\t */\n\tif (openflags & __FMODE_EXEC) {\n\t\t/* ONLY check for exec rights */\n\t\tif (S_ISDIR(state->inode->i_mode))\n\t\t\tmask = NFS4_ACCESS_LOOKUP;\n\t\telse\n\t\t\tmask = NFS4_ACCESS_EXECUTE;\n\t} else if ((fmode & FMODE_READ) && !opendata->file_created)\n\t\tmask = NFS4_ACCESS_READ;\n\n\tcache.cred = cred;\n\tnfs_access_set_mask(&cache, opendata->o_res.access_result);\n\tnfs_access_add_cache(state->inode, &cache);\n\n\tflags = NFS4_ACCESS_READ | NFS4_ACCESS_EXECUTE | NFS4_ACCESS_LOOKUP;\n\tif ((mask & ~cache.mask & flags) == 0)\n\t\treturn 0;\n\n\treturn -EACCES;\n}", "project": "linux", "hash": 259915748948362144338086347468355615943, "size": 37, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell 
\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430943 }, { "func": "int imap_cmd_idle (IMAP_DATA* idata)\n{\n int rc;\n\n if (cmd_start (idata, \"IDLE\", IMAP_CMD_POLL) < 0)\n {\n cmd_handle_fatal (idata);\n return -1;\n }\n\n if ((ImapPollTimeout > 0) &&\n (mutt_socket_poll (idata->conn, ImapPollTimeout)) == 0)\n {\n mutt_error (_(\"Connection to %s timed out\"), idata->conn->account.host);\n mutt_sleep (2);\n cmd_handle_fatal (idata);\n return -1;\n }\n\n do\n rc = imap_cmd_step (idata);\n while (rc == IMAP_CMD_CONTINUE);\n\n if (rc == IMAP_CMD_RESPOND)\n {\n /* successfully entered IDLE state */\n idata->state = IMAP_IDLE;\n /* queue automatic exit when next command is issued */\n mutt_buffer_printf (idata->cmdbuf, \"DONE\\r\\n\");\n rc = IMAP_CMD_OK;\n }\n if (rc != IMAP_CMD_OK)\n {\n dprint (1, (debugfile, \"imap_cmd_idle: error starting IDLE\\n\"));\n return -1;\n }\n \n return 0;\n}", "project": "mutt", "hash": 111267377123479699147943422467222033774, "size": 39, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338012 }, { "func": "\nstatic ssize_t slab_attr_store(struct kobject *kobj,\n\t\t\t\tstruct attribute *attr,\n\t\t\t\tconst char *buf, size_t len)\n{\n\tstruct slab_attribute *attribute;\n\tstruct kmem_cache *s;\n\tint err;\n\n\tattribute = to_slab_attr(attr);\n\ts = to_slab(kobj);\n\n\tif (!attribute->store)\n\t\treturn -EIO;\n\n\terr = attribute->store(s, buf, len);\n#ifdef CONFIG_MEMCG\n\tif (slab_state >= FULL && err >= 0 && is_root_cache(s)) {\n\t\tstruct kmem_cache *c;\n\n\t\tmutex_lock(&slab_mutex);\n\t\tif (s->max_attr_size < len)\n\t\t\ts->max_attr_size = len;\n\n\t\t/*\n\t\t * This is a best effort propagation, so this function's return\n\t\t * value will be determined by the parent cache only. 
This is\n\t\t * basically because not all attributes will have a well\n\t\t * defined semantics for rollbacks - most of the actions will\n\t\t * have permanent effects.\n\t\t *\n\t\t * Returning the error value of any of the children that fail\n\t\t * is not 100 % defined, in the sense that users seeing the\n\t\t * error code won't be able to know anything about the state of\n\t\t * the cache.\n\t\t *\n\t\t * Only returning the error code for the parent cache at least\n\t\t * has well defined semantics. The cache being written to\n\t\t * directly either failed or succeeded, in which case we loop\n\t\t * through the descendants with best-effort propagation.\n\t\t */\n\t\tfor_each_memcg_cache(c, s)\n\t\t\tattribute->store(c, buf, len);\n\t\tmutex_unlock(&slab_mutex);\n\t}\n#endif\n\treturn err;", "project": "linux", "hash": 182097463964311781805732253471647156096, "size": 47, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280253 }, { "func": "static void autocomplete_project(RCore *core, RLineCompletion *completion, const char* str) {\n\tr_return_if_fail (str);\n\tchar *foo, *projects_path = r_file_abspath (r_config_get (core->config, \"dir.projects\"));\n\tRList *list = r_sys_dir (projects_path);\n\tRListIter *iter;\n\tint n = strlen (str);\n\tif (projects_path) {\n\t\tr_list_foreach (list, iter, foo) {\n\t\t\tif (r_core_is_project (core, foo)) {\n\t\t\t\tif (!strncmp (foo, str, n)) {\n\t\t\t\t\tr_line_completion_push (completion, foo);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tfree (projects_path);\n\t\tr_list_free (list);\n\t}\n}", "project": "radare2", "hash": 267666282645730551220697357959879128582, "size": 18, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232169 }, { "func": "HttpStateData::sendComplete()\n{\n /*\n * Set the read timeout here because it hasn't been set yet.\n * We only set the read timeout after the request has been\n * fully written to the peer. 
If we start the timeout\n * after connection establishment, then we are likely to hit\n * the timeout for POST/PUT requests that have very large\n * request bodies.\n */\n typedef CommCbMemFunT TimeoutDialer;\n AsyncCall::Pointer timeoutCall = JobCallback(11, 5,\n TimeoutDialer, this, HttpStateData::httpTimeout);\n\n commSetConnTimeout(serverConnection, Config.Timeout.read, timeoutCall);\n flags.request_sent = true;\n}", "project": "squid", "hash": 3462597277919416525189732049005032577, "size": 17, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402322 }, { "func": "void tty_kref_put(struct tty_struct *tty)\n{\n\tif (tty)\n\t\tkref_put(&tty->kref, queue_release_one_tty);\n}", "project": "linux", "hash": 19709934058932980069937317806069716347, "size": 5, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. 
(Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326073 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "JNIEXPORT jbyteArray JNICALL Java_edu_berkeley_cs_rise_opaque_execution_SGXEnclave_RemoteAttestation1(\n JNIEnv *env, jobject obj,\n jlong eid) {\n\n (void)env;\n (void)obj;\n (void)eid;\n\n // Remote attestation will be initiated when the ISV server challenges the ISV\n // app or if the ISV app detects it doesn't have the credentials\n // (shared secret) from a previous attestation required for secure\n // communication with the server.\n\n int ret = 0;\n int enclave_lost_retry_time = 2;\n sgx_status_t status;\n\n // Ideally, this check would be around the full attestation flow.\n do {\n ret = ecall_enclave_init_ra(eid,\n &status,\n false,\n &context);\n } while (SGX_ERROR_ENCLAVE_LOST == ret && enclave_lost_retry_time--);\n\n if (status != SGX_SUCCESS) {\n printf(\"[RemoteAttestation1] enclave_init_ra's status is %u\\n\", (uint32_t) status);\n 
std::exit(1);\n }\n\n uint8_t *msg1 = (uint8_t *) malloc(sizeof(sgx_ra_msg1_t));\n\n#ifdef DEBUG\n printf(\"[RemoteAttestation1] context is %u, eid: %u\\n\", (uint32_t) context, (uint32_t) eid);\n#endif\n\n ret = sgx_ra_get_msg1(context, eid, sgx_ra_get_ga, (sgx_ra_msg1_t*) msg1);\n\n if(SGX_SUCCESS != ret) {\n ret = -1;\n fprintf(stdout, \"\\nError, call sgx_ra_get_msg1 fail [%s].\", __FUNCTION__);\n jbyteArray array_ret = env->NewByteArray(0);\n return array_ret;\n } else {\n#ifdef DEBUG\n fprintf(stdout, \"\\nCall sgx_ra_get_msg1 success.\\n\");\n fprintf(stdout, \"\\nMSG1 body generated -\\n\");\n PRINT_BYTE_ARRAY(stdout, msg1, sizeof(sgx_ra_msg1_t));\n#endif\n }\n\n // The ISV application sends msg1 to the SP to get msg2,\n // msg2 needs to be freed when no longer needed.\n // The ISV decides whether to use linkable or unlinkable signatures.\n#ifdef DEBUG\n fprintf(stdout, \"\\nSending msg1 to remote attestation service provider.\"\n \"Expecting msg2 back.\\n\");\n#endif\n\n jbyteArray array_ret = env->NewByteArray(sizeof(sgx_ra_msg1_t));\n env->SetByteArrayRegion(array_ret, 0, sizeof(sgx_ra_msg1_t), (jbyte *) msg1);\n\n free(msg1);\n\n return array_ret;\n}", "idx": 519065, "cwe": "CWE-787", "hash": 216481138777014473252411762047350988583, "dataset": "other" }, { "func": "int bcf_has_filter(const bcf_hdr_t *hdr, bcf1_t *line, char *filter)\n{\n if ( filter[0]=='.' 
&& !filter[1] ) filter = \"PASS\";\n int id = bcf_hdr_id2int(hdr, BCF_DT_ID, filter);\n if ( !bcf_hdr_idinfo_exists(hdr,BCF_HL_FLT,id) ) return -1; // not defined in the header\n\n if ( !(line->unpacked & BCF_UN_FLT) ) bcf_unpack(line, BCF_UN_FLT);\n if ( id==0 && !line->d.n_flt) return 1; // PASS\n\n int i;\n for (i=0; id.n_flt; i++)\n if ( line->d.flt[i]==id ) return 1;\n return 0;\n}", "project": "htslib", "hash": 193820774462553225217956010442829623923, "size": 14, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402241 }, { "func": "static void load_creator_from_xml(xref_t *xref, const char *buf)\n{\n /* TODO */\n}", "project": "pdfresurrect", "hash": 290053157073903000317036059844593603968, "size": 4, "commit_id": "7e35d1806e111fd28610ccc86bb33f54792ac370", "message": "Fix possible infinite loop case when looking for a trailer.\n\nThanks to chibataiki for reporting and isolating this!", "target": 0, "dataset": "other", "idx": 355602 }, { "func": "void LibRaw::process_Sony_0x2010(uchar *buf, ushort len)\n{\n if (!imSony.group2010)\n return;\n\n if ((imSony.real_iso_offset != 0xffff) &&\n (len >= (imSony.real_iso_offset + 2)) && (imCommon.real_ISO < 0.1f))\n {\n uchar s[2];\n s[0] = SonySubstitution[buf[imSony.real_iso_offset]];\n s[1] = SonySubstitution[buf[imSony.real_iso_offset + 1]];\n imCommon.real_ISO =\n 100.0f * libraw_powf64l(2.0f, (16 - ((float)sget2(s)) / 256.0f));\n }\n\n if (len >= (imSony.MeteringMode_offset + 2))\n {\n imgdata.shootinginfo.MeteringMode =\n SonySubstitution[buf[imSony.MeteringMode_offset]];\n 
imgdata.shootinginfo.ExposureProgram =\n SonySubstitution[buf[imSony.ExposureProgram_offset]];\n }\n\n if (len >= (imSony.ReleaseMode2_offset + 2))\n {\n imgdata.shootinginfo.DriveMode =\n SonySubstitution[buf[imSony.ReleaseMode2_offset]];\n }\n}", "project": "LibRaw", "hash": 234059956926598168232692640058736893528, "size": 29, "commit_id": "c243f4539233053466c1309bde606815351bee81", "message": "additional checks in parseSonySRF\n\nparseSonySR2: buffer size check", "target": 0, "dataset": "other", "idx": 394106 }, { "func": "static void ca8210_hw_setup(struct ieee802154_hw *ca8210_hw)\n{\n\t/* Support channels 11-26 */\n\tca8210_hw->phy->supported.channels[0] = CA8210_VALID_CHANNELS;\n\tca8210_hw->phy->supported.tx_powers_size = CA8210_MAX_TX_POWERS;\n\tca8210_hw->phy->supported.tx_powers = ca8210_tx_powers;\n\tca8210_hw->phy->supported.cca_ed_levels_size = CA8210_MAX_ED_LEVELS;\n\tca8210_hw->phy->supported.cca_ed_levels = ca8210_ed_levels;\n\tca8210_hw->phy->current_channel = 18;\n\tca8210_hw->phy->current_page = 0;\n\tca8210_hw->phy->transmit_power = 800;\n\tca8210_hw->phy->cca.mode = NL802154_CCA_ENERGY_CARRIER;\n\tca8210_hw->phy->cca.opt = NL802154_CCA_OPT_ENERGY_CARRIER_AND;\n\tca8210_hw->phy->cca_ed_level = -9800;\n\tca8210_hw->phy->symbol_duration = 16;\n\tca8210_hw->phy->lifs_period = 40;\n\tca8210_hw->phy->sifs_period = 12;\n\tca8210_hw->flags =\n\t\tIEEE802154_HW_AFILT |\n\t\tIEEE802154_HW_OMIT_CKSUM |\n\t\tIEEE802154_HW_FRAME_RETRIES |\n\t\tIEEE802154_HW_PROMISCUOUS |\n\t\tIEEE802154_HW_CSMA_PARAMS;\n\tca8210_hw->phy->flags =\n\t\tWPAN_PHY_FLAG_TXPOWER |\n\t\tWPAN_PHY_FLAG_CCA_ED_LEVEL |\n\t\tWPAN_PHY_FLAG_CCA_MODE;\n}", "project": "linux", "hash": 29094173101841737167484250122664658318, "size": 28, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when 
ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408819 }, { "func": "rpmRC hdrblobInit(const void *uh, size_t uc,\n\t\trpmTagVal regionTag, int exact_size,\n\t\tstruct hdrblob_s *blob, char **emsg)\n{\n rpmRC rc = RPMRC_FAIL;\n\n memset(blob, 0, sizeof(*blob));\n blob->ei = (int32_t *) uh; /* discards const */\n blob->il = ntohl(blob->ei[0]);\n blob->dl = ntohl(blob->ei[1]);\n blob->pe = (entryInfo) &(blob->ei[2]);\n blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) +\n\t\t (blob->il * sizeof(*blob->pe)) + blob->dl;\n blob->dataStart = (uint8_t *) (blob->pe + blob->il);\n blob->dataEnd = blob->dataStart + blob->dl;\n\n /* Is the blob the right size? */\n if (blob->pvlen >= headerMaxbytes || (uc && blob->pvlen != uc)) {\n\trasprintf(emsg, _(\"blob size(%d): BAD, 8 + 16 * il(%d) + dl(%d)\"),\n\t\t\tblob->pvlen, blob->il, blob->dl);\n\tgoto exit;\n }\n\n if (hdrblobVerifyRegion(regionTag, exact_size, blob, emsg) == RPMRC_FAIL)\n\tgoto exit;\n\n /* Sanity check the rest of the header structure. 
*/\n if (hdrblobVerifyInfo(blob, emsg))\n\tgoto exit;\n\n rc = RPMRC_OK;\n\nexit:\n return rc;\n}", "project": "rpm", "hash": 221870817089961992144312998012828797980, "size": 35, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 1, "dataset": "other", "idx": 201363 }, { "func": "rpmRC hdrblobInit(const void *uh, size_t uc,\n\t\trpmTagVal regionTag, int exact_size,\n\t\tstruct hdrblob_s *blob, char **emsg)\n{\n rpmRC rc = RPMRC_FAIL;\n memset(blob, 0, sizeof(*blob));\n if (uc && uc < 8) {\n\trasprintf(emsg, _(\"hdr length: BAD\"));\n\tgoto exit;\n }\n\n blob->ei = (int32_t *) uh; /* discards const */\n blob->il = ntohl((uint32_t)(blob->ei[0]));\n blob->dl = ntohl((uint32_t)(blob->ei[1]));\n if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != RPMRC_OK)\n\tgoto exit;\n\n blob->pe = (entryInfo) &(blob->ei[2]);\n blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) +\n\t\t (blob->il * sizeof(*blob->pe)) + blob->dl;\n blob->dataStart = (uint8_t *) (blob->pe + blob->il);\n blob->dataEnd = blob->dataStart + blob->dl;\n\n /* Is the blob the right size? */\n if (blob->pvlen >= headerMaxbytes || (uc && blob->pvlen != uc)) {\n\trasprintf(emsg, _(\"blob size(%d): BAD, 8 + 16 * il(%d) + dl(%d)\"),\n\t\t\tblob->pvlen, blob->il, blob->dl);\n\tgoto exit;\n }\n\n if (hdrblobVerifyRegion(regionTag, exact_size, blob, emsg) == RPMRC_FAIL)\n\tgoto exit;\n\n /* Sanity check the rest of the header structure. 
*/\n if (hdrblobVerifyInfo(blob, emsg))\n\tgoto exit;\n\n rc = RPMRC_OK;\n\nexit:\n return rc;\n}", "project": "rpm", "hash": 315069287843193856684881977313831062424, "size": 42, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318167 }, { "func": "static int packet_create(struct net *net, struct socket *sock, int protocol,\n\t\t\t int kern)\n{\n\tstruct sock *sk;\n\tstruct packet_sock *po;\n\t__be16 proto = (__force __be16)protocol; /* weird, but documented */\n\tint err;\n\n\tif (!ns_capable(net->user_ns, CAP_NET_RAW))\n\t\treturn -EPERM;\n\tif (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW &&\n\t sock->type != SOCK_PACKET)\n\t\treturn -ESOCKTNOSUPPORT;\n\n\tsock->state = SS_UNCONNECTED;\n\n\terr = -ENOBUFS;\n\tsk = sk_alloc(net, PF_PACKET, GFP_KERNEL, &packet_proto, kern);\n\tif (sk == NULL)\n\t\tgoto out;\n\n\tsock->ops = &packet_ops;\n\tif (sock->type == SOCK_PACKET)\n\t\tsock->ops = &packet_ops_spkt;\n\n\tsock_init_data(sock, sk);\n\n\tpo = pkt_sk(sk);\n\tinit_completion(&po->skb_completion);\n\tsk->sk_family = PF_PACKET;\n\tpo->num = proto;\n\tpo->xmit = dev_queue_xmit;\n\n\terr = packet_alloc_pending(po);\n\tif (err)\n\t\tgoto out2;\n\n\tpacket_cached_dev_reset(po);\n\n\tsk->sk_destruct = packet_sock_destruct;\n\tsk_refcnt_debug_inc(sk);\n\n\t/*\n\t *\tAttach a protocol block\n\t */\n\n\tspin_lock_init(&po->bind_lock);\n\tmutex_init(&po->pg_vec_lock);\n\tpo->rollover = NULL;\n\tpo->prot_hook.func = packet_rcv;\n\n\tif (sock->type == SOCK_PACKET)\n\t\tpo->prot_hook.func = packet_rcv_spkt;\n\n\tpo->prot_hook.af_packet_priv = sk;\n\n\tif (proto) {\n\t\tpo->prot_hook.type = proto;\n\t\t__register_prot_hook(sk);\n\t}\n\n\tmutex_lock(&net->packet.sklist_lock);\n\tsk_add_node_tail_rcu(sk, 
&net->packet.sklist);\n\tmutex_unlock(&net->packet.sklist_lock);\n\n\tpreempt_disable();\n\tsock_prot_inuse_add(net, &packet_proto, 1);\n\tpreempt_enable();\n\n\treturn 0;\nout2:\n\tsk_free(sk);\nout:\n\treturn err;\n}", "project": "linux", "hash": 278929484364430574901688373284650005907, "size": 75, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330412 }, { "func": "static noinline int free_debug_processing(\n\tstruct kmem_cache *s, struct page *page,\n\tvoid *head, void *tail, int bulk_cnt,\n\tunsigned long addr)\n{\n\tstruct kmem_cache_node *n = get_node(s, page_to_nid(page));\n\tvoid *object = head;\n\tint cnt = 0;\n\tunsigned long uninitialized_var(flags);\n\tint ret = 0;\n\n\tspin_lock_irqsave(&n->list_lock, flags);\n\tslab_lock(page);\n\n\tif (s->flags & SLAB_CONSISTENCY_CHECKS) {\n\t\tif (!check_slab(s, page))\n\t\t\tgoto out;\n\t}\n\nnext_object:\n\tcnt++;\n\n\tif (s->flags & SLAB_CONSISTENCY_CHECKS) {\n\t\tif (!free_consistency_checks(s, page, object, addr))\n\t\t\tgoto out;\n\t}\n\n\tif (s->flags & SLAB_STORE_USER)\n\t\tset_track(s, object, TRACK_FREE, addr);\n\ttrace(s, page, object, 0);\n\t/* Freepointer not overwritten by init_object(), SLAB_POISON moved it */\n\tinit_object(s, object, SLUB_RED_INACTIVE);\n\n\t/* Reached end of constructed freelist yet? 
*/\n\tif (object != tail) {\n\t\tobject = get_freepointer(s, object);\n\t\tgoto next_object;\n\t}\n\tret = 1;\n\nout:\n\tif (cnt != bulk_cnt)\n\t\tslab_err(s, page, \"Bulk freelist count(%d) invalid(%d)\\n\",\n\t\t\t bulk_cnt, cnt);\n\n\tslab_unlock(page);\n\tspin_unlock_irqrestore(&n->list_lock, flags);\n\tif (!ret)\n\t\tslab_fix(s, \"Object at 0x%p not freed\", object);\n\treturn ret;\n}", "project": "linux", "hash": 150522492727481440436966850258723359436, "size": 51, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280104 }, { "func": "static inline int free_debug_processing(\n\tstruct kmem_cache *s, struct page *page,\n\tvoid *head, void *tail, int bulk_cnt,\n\tunsigned long addr) { return 0; }", "project": "linux", "hash": 111783773221512642831424439043371917072, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280181 }, { "func": " void DoRealBackwardFFT(OpKernelContext* ctx, uint64* fft_shape,\n const Tensor& in, Tensor* out) {\n auto device = ctx->eigen_device();\n // Reconstruct the full FFT and take the inverse.\n auto input = Tensor(in).flat_inner_dims();\n auto output = out->flat_inner_dims();\n const auto input_dims = input.dimensions();\n\n // Calculate the shape of the temporary tensor for the full FFT and the\n // region we will slice from input given fft_shape. We slice input to\n // fft_shape on its inner-most dimensions, except the last (which we\n // slice to fft_shape[-1] / 2 + 1).\n Eigen::DSizes input_slice_sizes;\n input_slice_sizes[0] = input_dims[0];\n TensorShape full_fft_shape;\n full_fft_shape.AddDim(input_dims[0]);\n for (auto i = 1; i <= FFTRank; i++) {\n input_slice_sizes[i] =\n i == FFTRank ? 
fft_shape[i - 1] / 2 + 1 : fft_shape[i - 1];\n full_fft_shape.AddDim(fft_shape[i - 1]);\n }\n\n Tensor temp;\n OP_REQUIRES_OK(ctx, ctx->allocate_temp(DataTypeToEnum::v(),\n full_fft_shape, &temp));\n auto full_fft = temp.flat_inner_dims();\n\n // Calculate the starting point and range of the source of\n // negative frequency part.\n auto neg_sizes = input_slice_sizes;\n neg_sizes[FFTRank] = fft_shape[FFTRank - 1] - input_slice_sizes[FFTRank];\n Eigen::DSizes neg_target_indices;\n neg_target_indices[FFTRank] = input_slice_sizes[FFTRank];\n\n const Eigen::DSizes start_indices;\n Eigen::DSizes neg_start_indices;\n neg_start_indices[FFTRank] = 1;\n\n full_fft.slice(start_indices, input_slice_sizes).device(device) =\n input.slice(start_indices, input_slice_sizes);\n\n // First, conduct IFFTs on outer dimensions. We save computation (and\n // avoid touching uninitialized memory) by slicing full_fft to the\n // subregion we wrote input to.\n if (FFTRank > 1) {\n const auto outer_axes =\n Eigen::ArrayXi::LinSpaced(FFTRank - 1, 1, FFTRank - 1);\n full_fft.slice(start_indices, input_slice_sizes).device(device) =\n full_fft.slice(start_indices, input_slice_sizes)\n .template fft(outer_axes);\n }\n\n // Reconstruct the full FFT by appending reversed and conjugated\n // spectrum as the negative frequency part.\n Eigen::array reverse_last_axis;\n for (auto i = 0; i <= FFTRank; i++) {\n reverse_last_axis[i] = i == FFTRank;\n }\n\n if (neg_sizes[FFTRank] != 0) {\n full_fft.slice(neg_target_indices, neg_sizes).device(device) =\n full_fft.slice(neg_start_indices, neg_sizes)\n .reverse(reverse_last_axis)\n .conjugate();\n }\n\n auto inner_axis = Eigen::array{FFTRank};\n output.device(device) =\n full_fft.template fft(inner_axis);\n }", "project": "tensorflow", "hash": 56902686635502283680756537340956645942, "size": 70, "commit_id": "1c56f53be0b722ca657cbc7df461ed676c8642a2", "message": "Fix a check fail in Fast Fourier implementation\n\nPiperOrigin-RevId: 372026629\nChange-Id: 
Id05c3362aa575271bc3e06b16316c9037085fc11", "target": 1, "dataset": "other", "idx": 196614 }, { "func": " void DoRealBackwardFFT(OpKernelContext* ctx, uint64* fft_shape,\n const Tensor& in, Tensor* out) {\n auto device = ctx->eigen_device();\n // Reconstruct the full FFT and take the inverse.\n auto input = Tensor(in).flat_inner_dims();\n auto output = out->flat_inner_dims();\n const auto input_dims = input.dimensions();\n\n // Calculate the shape of the temporary tensor for the full FFT and the\n // region we will slice from input given fft_shape. We slice input to\n // fft_shape on its inner-most dimensions, except the last (which we\n // slice to fft_shape[-1] / 2 + 1).\n Eigen::DSizes input_slice_sizes;\n input_slice_sizes[0] = input_dims[0];\n TensorShape full_fft_shape;\n full_fft_shape.AddDim(input_dims[0]);\n for (auto i = 1; i <= FFTRank; i++) {\n input_slice_sizes[i] =\n i == FFTRank ? fft_shape[i - 1] / 2 + 1 : fft_shape[i - 1];\n full_fft_shape.AddDim(fft_shape[i - 1]);\n }\n OP_REQUIRES(ctx, full_fft_shape.num_elements() > 0,\n errors::InvalidArgument(\"Obtained a FFT shape of 0 elements: \",\n full_fft_shape.DebugString()));\n\n Tensor temp;\n OP_REQUIRES_OK(ctx, ctx->allocate_temp(DataTypeToEnum::v(),\n full_fft_shape, &temp));\n auto full_fft = temp.flat_inner_dims();\n\n // Calculate the starting point and range of the source of\n // negative frequency part.\n auto neg_sizes = input_slice_sizes;\n neg_sizes[FFTRank] = fft_shape[FFTRank - 1] - input_slice_sizes[FFTRank];\n Eigen::DSizes neg_target_indices;\n neg_target_indices[FFTRank] = input_slice_sizes[FFTRank];\n\n const Eigen::DSizes start_indices;\n Eigen::DSizes neg_start_indices;\n neg_start_indices[FFTRank] = 1;\n\n full_fft.slice(start_indices, input_slice_sizes).device(device) =\n input.slice(start_indices, input_slice_sizes);\n\n // First, conduct IFFTs on outer dimensions. 
We save computation (and\n // avoid touching uninitialized memory) by slicing full_fft to the\n // subregion we wrote input to.\n if (FFTRank > 1) {\n const auto outer_axes =\n Eigen::ArrayXi::LinSpaced(FFTRank - 1, 1, FFTRank - 1);\n full_fft.slice(start_indices, input_slice_sizes).device(device) =\n full_fft.slice(start_indices, input_slice_sizes)\n .template fft(outer_axes);\n }\n\n // Reconstruct the full FFT by appending reversed and conjugated\n // spectrum as the negative frequency part.\n Eigen::array reverse_last_axis;\n for (auto i = 0; i <= FFTRank; i++) {\n reverse_last_axis[i] = i == FFTRank;\n }\n\n if (neg_sizes[FFTRank] != 0) {\n full_fft.slice(neg_target_indices, neg_sizes).device(device) =\n full_fft.slice(neg_start_indices, neg_sizes)\n .reverse(reverse_last_axis)\n .conjugate();\n }\n\n auto inner_axis = Eigen::array{FFTRank};\n output.device(device) =\n full_fft.template fft(inner_axis);\n }", "project": "tensorflow", "hash": 97199204025657134104101875831269345760, "size": 73, "commit_id": "31bd5026304677faa8a0b77602c6154171b9aec1", "message": "Prevent check fail in FFT\n\nPiperOrigin-RevId: 372031044\nChange-Id: I50994e3e8a5d1342d01bde80256f6bf2730ca299", "target": 0, "dataset": "other", "idx": 235722 }, { "func": "static void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages,\n\t\t\t enum io_mem_account acct)\n{\n\tif (ctx->limit_mem)\n\t\t__io_unaccount_mem(ctx->user, nr_pages);\n\n\tif (ctx->sqo_mm) {\n\t\tif (acct == ACCT_LOCKED)\n\t\t\tctx->sqo_mm->locked_vm -= nr_pages;\n\t\telse if (acct == ACCT_PINNED)\n\t\t\tatomic64_sub(nr_pages, &ctx->sqo_mm->pinned_vm);\n\t}\n}", "project": "linux", "hash": 10367691499231861705183591160250817620, "size": 13, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the 
ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456915 }, { "func": "static UnicodeString wrapUChars(const UChar *uchars) {\n return UnicodeString(TRUE, uchars, -1);\n}", "project": "icu", "hash": 10519845349186272586768309791823647944, "size": 3, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430731 }, { "func": "CHANNELINDEX CSoundFile::CheckNNA(CHANNELINDEX nChn, uint32 instr, int note, bool forceCut)\n{\n\tCHANNELINDEX nnaChn = CHANNELINDEX_INVALID;\n\tModChannel &srcChn = m_PlayState.Chn[nChn];\n\tconst ModInstrument *pIns = nullptr;\n\tif(!ModCommand::IsNote(static_cast(note)))\n\t{\n\t\treturn nnaChn;\n\t}\n\t// Always NNA cut - using\n\tif((!(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT | MOD_TYPE_MT2)) || !m_nInstruments || forceCut) && !srcChn.HasMIDIOutput())\n\t{\n\t\tif(!srcChn.nLength || srcChn.dwFlags[CHN_MUTE] || !(srcChn.rightVol | srcChn.leftVol))\n\t\t{\n\t\t\treturn CHANNELINDEX_INVALID;\n\t\t}\n\n\t\tnnaChn = GetNNAChannel(nChn);\n\t\tif(!nnaChn) return CHANNELINDEX_INVALID;\n\t\tModChannel &chn = m_PlayState.Chn[nnaChn];\n\t\t// Copy Channel\n\t\tchn = srcChn;\n\t\tchn.dwFlags.reset(CHN_VIBRATO | CHN_TREMOLO | CHN_MUTE | CHN_PORTAMENTO);\n\t\tchn.nPanbrelloOffset = 0;\n\t\tchn.nMasterChn = nChn + 1;\n\t\tchn.nCommand = CMD_NONE;\n\t\tchn.rowCommand.Clear();\n\t\t// Cut the note\n\t\tchn.nFadeOutVol = 0;\n\t\tchn.dwFlags.set(CHN_NOTEFADE | CHN_FASTVOLRAMP);\n\t\t// Stop this channel\n\t\tsrcChn.nLength = 0;\n\t\tsrcChn.position.Set(0);\n\t\tsrcChn.nROfs = srcChn.nLOfs = 0;\n\t\tsrcChn.rightVol = srcChn.leftVol = 0;\n\t\treturn 
nnaChn;\n\t}\n\tif(instr > GetNumInstruments()) instr = 0;\n\tconst ModSample *pSample = srcChn.pModSample;\n\t// If no instrument is given, assume previous instrument to still be valid.\n\t// Test case: DNA-NoInstr.it\n\tpIns = instr > 0 ? Instruments[instr] : srcChn.pModInstrument;\n\tif(pIns != nullptr)\n\t{\n\t\tuint32 n = pIns->Keyboard[note - NOTE_MIN];\n\t\tnote = pIns->NoteMap[note - NOTE_MIN];\n\t\tif ((n) && (n < MAX_SAMPLES))\n\t\t{\n\t\t\tpSample = &Samples[n];\n\t\t} else if(m_playBehaviour[kITEmptyNoteMapSlot] && !pIns->HasValidMIDIChannel())\n\t\t{\n\t\t\t// Impulse Tracker ignores empty slots.\n\t\t\t// We won't ignore them if a plugin is assigned to this slot, so that VSTis still work as intended.\n\t\t\t// Test case: emptyslot.it, PortaInsNum.it, gxsmp.it, gxsmp2.it\n\t\t\treturn CHANNELINDEX_INVALID;\n\t\t}\n\t}\n\tif (srcChn.dwFlags[CHN_MUTE])\n\t\treturn CHANNELINDEX_INVALID;\n\n\tfor(CHANNELINDEX i = nChn; i < MAX_CHANNELS; i++)\n\tif(i >= m_nChannels || i == nChn)\n\t{\n\t\tModChannel &chn = m_PlayState.Chn[i];\n\t\tbool applyDNAtoPlug = false;\n\t\tif((chn.nMasterChn == nChn + 1 || i == nChn) && chn.pModInstrument != nullptr)\n\t\t{\n\t\t\tbool bOk = false;\n\t\t\t// Duplicate Check Type\n\t\t\tswitch(chn.pModInstrument->nDCT)\n\t\t\t{\n\t\t\t// Note\n\t\t\tcase DCT_NOTE:\n\t\t\t\tif(note && chn.nNote == note && pIns == chn.pModInstrument) bOk = true;\n\t\t\t\tif(pIns && pIns->nMixPlug) applyDNAtoPlug = true;\n\t\t\t\tbreak;\n\t\t\t// Sample\n\t\t\tcase DCT_SAMPLE:\n\t\t\t\tif(pSample != nullptr && pSample == chn.pModSample) bOk = true;\n\t\t\t\tbreak;\n\t\t\t// Instrument\n\t\t\tcase DCT_INSTRUMENT:\n\t\t\t\tif(pIns == chn.pModInstrument) bOk = true;\n\t\t\t\tif(pIns && pIns->nMixPlug) applyDNAtoPlug = true;\n\t\t\t\tbreak;\n\t\t\t// Plugin\n\t\t\tcase DCT_PLUGIN:\n\t\t\t\tif(pIns && (pIns->nMixPlug) && (pIns->nMixPlug == chn.pModInstrument->nMixPlug))\n\t\t\t\t{\n\t\t\t\t\tapplyDNAtoPlug = true;\n\t\t\t\t\tbOk = 
true;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\t}\n\t\t\t// Duplicate Note Action\n\t\t\tif (bOk)\n\t\t\t{\n#ifndef NO_PLUGINS\n\t\t\t\tif (applyDNAtoPlug && chn.nNote != NOTE_NONE)\n\t\t\t\t{\n\t\t\t\t\tswitch(chn.pModInstrument->nDNA)\n\t\t\t\t\t{\n\t\t\t\t\tcase DNA_NOTECUT:\n\t\t\t\t\tcase DNA_NOTEOFF:\n\t\t\t\t\tcase DNA_NOTEFADE:\n\t\t\t\t\t\t// Switch off duplicated note played on this plugin\n\t\t\t\t\t\tSendMIDINote(i, chn.GetPluginNote(m_playBehaviour[kITRealNoteMapping]) + NOTE_MAX_SPECIAL, 0);\n\t\t\t\t\t\tchn.nArpeggioLastNote = NOTE_NONE;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n#endif // NO_PLUGINS\n\n\t\t\t\tswitch(chn.pModInstrument->nDNA)\n\t\t\t\t{\n\t\t\t\t// Cut\n\t\t\t\tcase DNA_NOTECUT:\n\t\t\t\t\tKeyOff(&chn);\n\t\t\t\t\tchn.nVolume = 0;\n\t\t\t\t\tbreak;\n\t\t\t\t// Note Off\n\t\t\t\tcase DNA_NOTEOFF:\n\t\t\t\t\tKeyOff(&chn);\n\t\t\t\t\tbreak;\n\t\t\t\t// Note Fade\n\t\t\t\tcase DNA_NOTEFADE:\n\t\t\t\t\tchn.dwFlags.set(CHN_NOTEFADE);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tif(!chn.nVolume)\n\t\t\t\t{\n\t\t\t\t\tchn.nFadeOutVol = 0;\n\t\t\t\t\tchn.dwFlags.set(CHN_NOTEFADE | CHN_FASTVOLRAMP);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t// Do we need to apply New/Duplicate Note Action to a VSTi?\n\tbool applyNNAtoPlug = false;\n#ifndef NO_PLUGINS\n\tIMixPlugin *pPlugin = nullptr;\n\tif(srcChn.HasMIDIOutput() && ModCommand::IsNote(srcChn.nNote)) // instro sends to a midi chan\n\t{\n\t\tPLUGINDEX nPlugin = GetBestPlugin(nChn, PrioritiseInstrument, RespectMutes);\n\n\t\tif(nPlugin > 0 && nPlugin <= MAX_MIXPLUGINS)\n\t\t{\n\t\t\tpPlugin = m_MixPlugins[nPlugin-1].pMixPlugin;\n\t\t\tif(pPlugin)\n\t\t\t{\n\t\t\t\t// apply NNA to this plugin iff it is currently playing a note on this tracker channel\n\t\t\t\t// (and if it is playing a note, we know that would be the last note played on this chan).\n\t\t\t\tapplyNNAtoPlug = pPlugin->IsNotePlaying(srcChn.GetPluginNote(m_playBehaviour[kITRealNoteMapping]), GetBestMidiChannel(nChn), 
nChn);\n\t\t\t}\n\t\t}\n\t}\n#endif // NO_PLUGINS\n\n\t// New Note Action\n\tif((srcChn.nRealVolume > 0 && srcChn.nLength > 0) || applyNNAtoPlug)\n\t{\n\t\tnnaChn = GetNNAChannel(nChn);\n\t\tif(nnaChn != 0)\n\t\t{\n\t\t\tModChannel &chn = m_PlayState.Chn[nnaChn];\n\t\t\t// Copy Channel\n\t\t\tchn = srcChn;\n\t\t\tchn.dwFlags.reset(CHN_VIBRATO | CHN_TREMOLO | CHN_PORTAMENTO);\n\t\t\tchn.nPanbrelloOffset = 0;\n\n\t\t\tchn.nMasterChn = nChn < GetNumChannels() ? nChn + 1 : 0;\n\t\t\tchn.nCommand = CMD_NONE;\n#ifndef NO_PLUGINS\n\t\t\tif(applyNNAtoPlug && pPlugin)\n\t\t\t{\n\t\t\t\t//Move note to the NNA channel (odd, but makes sense with DNA stuff).\n\t\t\t\t//Actually a bad idea since it then become very hard to kill some notes.\n\t\t\t\t//pPlugin->MoveNote(pChn.nNote, pChn.pModInstrument->nMidiChannel, nChn, n);\n\t\t\t\tswitch(srcChn.nNNA)\n\t\t\t\t{\n\t\t\t\tcase NNA_NOTEOFF:\n\t\t\t\tcase NNA_NOTECUT:\n\t\t\t\tcase NNA_NOTEFADE:\n\t\t\t\t\t//switch off note played on this plugin, on this tracker channel and midi channel\n\t\t\t\t\t//pPlugin->MidiCommand(pChn.pModInstrument->nMidiChannel, pChn.pModInstrument->nMidiProgram, pChn.nNote + NOTE_MAX_SPECIAL, 0, n);\n\t\t\t\t\tSendMIDINote(nChn, NOTE_KEYOFF, 0);\n\t\t\t\t\tsrcChn.nArpeggioLastNote = NOTE_NONE;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n#endif // NO_PLUGINS\n\n\t\t\t// Key Off the note\n\t\t\tswitch(srcChn.nNNA)\n\t\t\t{\n\t\t\tcase NNA_NOTEOFF:\n\t\t\t\tKeyOff(&chn);\n\t\t\t\tbreak;\n\t\t\tcase NNA_NOTECUT:\n\t\t\t\tchn.nFadeOutVol = 0;\n\t\t\t\tchn.dwFlags.set(CHN_NOTEFADE);\n\t\t\t\tbreak;\n\t\t\tcase NNA_NOTEFADE:\n\t\t\t\tchn.dwFlags.set(CHN_NOTEFADE);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tif(!chn.nVolume)\n\t\t\t{\n\t\t\t\tchn.nFadeOutVol = 0;\n\t\t\t\tchn.dwFlags.set(CHN_NOTEFADE | CHN_FASTVOLRAMP);\n\t\t\t}\n\t\t\t// Stop this channel\n\t\t\tsrcChn.nLength = 0;\n\t\t\tsrcChn.position.Set(0);\n\t\t\tsrcChn.nROfs = srcChn.nLOfs = 0;\n\t\t}\n\t}\n\treturn nnaChn;\n}", "project": "openmpt", "hash": 
187120198697866997126285673064569908559, "size": 221, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255236 }, { "func": "static void disable_cpu_timer_accounting(struct kvm_vcpu *vcpu)\n{\n\tpreempt_disable(); /* protect from TOD sync and vcpu_load/put */\n\t__disable_cpu_timer_accounting(vcpu);\n\tpreempt_enable();\n}", "project": "linux", "hash": 289516563499138044588654755008667322870, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354600 }, { "func": "static void php_enchant_list_dicts_fn( const char * const lang_tag,\n\t \tconst char * const provider_name, const char * const provider_desc,\n\t\tconst char * const provider_file, void * ud) /* {{{ */\n{\n\tzval *zdesc = (zval *) ud;\n\tzval *tmp_array;\n\n\tMAKE_STD_ZVAL(tmp_array);\n\tarray_init(tmp_array);\n\tadd_assoc_string(tmp_array, \"lang_tag\", (char *)lang_tag, 1);\n\tadd_assoc_string(tmp_array, \"provider_name\", (char *)provider_name, 
1);\n\tadd_assoc_string(tmp_array, \"provider_desc\", (char *)provider_desc, 1);\n\tadd_assoc_string(tmp_array, \"provider_file\", (char *)provider_file, 1);\n\n\tif (Z_TYPE_P(zdesc) != IS_ARRAY) {\n\t\tarray_init(zdesc);\n\t}\n\tadd_next_index_zval(zdesc, tmp_array);\n\n}", "project": "php-src", "hash": 62548704475188188557070941392843247894, "size": 20, "commit_id": "bdfe457a2c1b47209e32783b3a6447e81baf179a", "message": "Port for for bug #68552", "target": 0, "dataset": "other", "idx": 429194 }, { "func": "string SummarizeAttrValue(const AttrValue& attr_value) {\n switch (attr_value.value_case()) {\n case AttrValue::kS:\n return SummarizeString(attr_value.s());\n case AttrValue::kI:\n return strings::StrCat(attr_value.i());\n case AttrValue::kF:\n return strings::StrCat(attr_value.f());\n case AttrValue::kB:\n return attr_value.b() ? \"true\" : \"false\";\n case AttrValue::kType:\n return EnumName_DataType(attr_value.type());\n case AttrValue::kShape:\n return PartialTensorShape::DebugString(attr_value.shape());\n case AttrValue::kTensor:\n return SummarizeTensor(attr_value.tensor());\n case AttrValue::kList: {\n std::vector pieces;\n if (attr_value.list().s_size() > 0) {\n for (int i = 0; i < attr_value.list().s_size(); ++i) {\n pieces.push_back(SummarizeString(attr_value.list().s(i)));\n }\n } else if (attr_value.list().i_size() > 0) {\n for (int i = 0; i < attr_value.list().i_size(); ++i) {\n pieces.push_back(strings::StrCat(attr_value.list().i(i)));\n }\n } else if (attr_value.list().f_size() > 0) {\n for (int i = 0; i < attr_value.list().f_size(); ++i) {\n pieces.push_back(strings::StrCat(attr_value.list().f(i)));\n }\n } else if (attr_value.list().b_size() > 0) {\n for (int i = 0; i < attr_value.list().b_size(); ++i) {\n pieces.push_back(attr_value.list().b(i) ? 
\"true\" : \"false\");\n }\n } else if (attr_value.list().type_size() > 0) {\n for (int i = 0; i < attr_value.list().type_size(); ++i) {\n pieces.push_back(EnumName_DataType(attr_value.list().type(i)));\n }\n } else if (attr_value.list().shape_size() > 0) {\n for (int i = 0; i < attr_value.list().shape_size(); ++i) {\n pieces.push_back(\n TensorShape::DebugString(attr_value.list().shape(i)));\n }\n } else if (attr_value.list().tensor_size() > 0) {\n for (int i = 0; i < attr_value.list().tensor_size(); ++i) {\n pieces.push_back(SummarizeTensor(attr_value.list().tensor(i)));\n }\n } else if (attr_value.list().func_size() > 0) {\n for (int i = 0; i < attr_value.list().func_size(); ++i) {\n pieces.push_back(SummarizeFunc(attr_value.list().func(i)));\n }\n }\n constexpr int kMaxListSummarySize = 50;\n if (pieces.size() >= kMaxListSummarySize) {\n pieces.erase(pieces.begin() + 5, pieces.begin() + (pieces.size() - 6));\n pieces[5] = \"...\";\n }\n return strings::StrCat(\"[\", absl::StrJoin(pieces, \", \"), \"]\");\n }\n case AttrValue::kFunc: {\n return SummarizeFunc(attr_value.func());\n }\n case AttrValue::kPlaceholder:\n return strings::StrCat(\"$\", attr_value.placeholder());\n case AttrValue::VALUE_NOT_SET:\n return \"\";\n }\n return \"\"; // Prevent missing return warning\n}", "project": "tensorflow", "hash": 152591158449101155223320307723962913218, "size": 69, "commit_id": "c2426bba00a01de6913738df8fa78e0215fcce02", "message": "Use `PartialTensorShape` instead of `TensorShape`.\n\n`TensorShape` constructor throws a CHECK-fail if shape is partial/overflows which the other doesn't. 
We are only determining the number of elements in the shape and partial shape should be used as it returns negative number when needed.\n\nPiperOrigin-RevId: 409205384\nChange-Id: Ia56542ff9ec758f2c9ffc7e4dcc9fa7eecd86e7b", "target": 0, "dataset": "other", "idx": 223170 }, { "func": "static int skip_base_block(struct archive_read* a) {\n\tint ret;\n\tstruct rar5* rar = get_context(a);\n\n\t/* Create a new local archive_entry structure that will be operated on\n\t * by header reader; operations on this archive_entry will be discarded.\n\t */\n\tstruct archive_entry* entry = archive_entry_new();\n\tret = process_base_block(a, entry);\n\n\t/* Discard operations on this archive_entry structure. */\n\tarchive_entry_free(entry);\n\tif(ret == ARCHIVE_FATAL)\n\t\treturn ret;\n\n\tif(rar->generic.last_header_id == 2 && rar->generic.split_before > 0)\n\t\treturn ARCHIVE_OK;\n\n\tif(ret == ARCHIVE_OK)\n\t\treturn ARCHIVE_RETRY;\n\telse\n\t\treturn ret;\n}", "project": "libarchive", "hash": 25234826381267643844515056332550802100, "size": 23, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244690 }, { "func": "static void input_stop_autorepeat(struct input_dev *dev)\n{\n\tdel_timer(&dev->timer);\n}", "project": "linux", "hash": 259091145001438943376214428846351060741, "size": 4, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353346 }, { "func": "static void prb_retire_current_block(struct tpacket_kbdq_core *pkc,\n\t\tstruct packet_sock *po, unsigned int status)\n{\n\tstruct tpacket_block_desc *pbd = GET_CURR_PBLOCK_DESC_FROM_CORE(pkc);\n\n\t/* retire/close the current block */\n\tif (likely(TP_STATUS_KERNEL == BLOCK_STATUS(pbd))) {\n\t\t/*\n\t\t * Plug the case where copy_bits() is in progress on\n\t\t * cpu-0 and tpacket_rcv() got invoked on cpu-1, didn't\n\t\t * have space to copy the pkt in the current block and\n\t\t * called prb_retire_current_block()\n\t\t *\n\t\t * We don't need to worry about the TMO case because\n\t\t * the timer-handler already handled this case.\n\t\t */\n\t\tif (!(status & TP_STATUS_BLK_TMO)) {\n\t\t\t/* Waiting for skb_copy_bits to finish... 
*/\n\t\t\twrite_lock(&pkc->blk_fill_in_prog_lock);\n\t\t\twrite_unlock(&pkc->blk_fill_in_prog_lock);\n\t\t}\n\t\tprb_close_block(pkc, pbd, po, status);\n\t\treturn;\n\t}\n}", "project": "linux", "hash": 1804550757770743513190386598354556979, "size": 25, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330363 }, { "func": " bool parseRue() {\n if (*p++ != 'r') return false;\n if (*p++ != 'u') return false;\n if (*p++ != 'e') return false;\n auto const tv = top++;\n tv->m_type = KindOfBoolean;\n tv->m_data.num = true;\n return true;\n }", "project": "hhvm", "hash": 254365569719432830513295935461829087309, "size": 9, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227329 }, { "func": "static int process_base_block(struct archive_read* a,\n struct archive_entry* entry)\n{\n\tstruct rar5* rar = get_context(a);\n\tuint32_t hdr_crc, computed_crc;\n\tsize_t raw_hdr_size = 0, hdr_size_len, hdr_size;\n\tsize_t header_id 
= 0;\n\tsize_t header_flags = 0;\n\tconst uint8_t* p;\n\tint ret;\n\n\tenum HEADER_TYPE {\n\t\tHEAD_MARK = 0x00, HEAD_MAIN = 0x01, HEAD_FILE = 0x02,\n\t\tHEAD_SERVICE = 0x03, HEAD_CRYPT = 0x04, HEAD_ENDARC = 0x05,\n\t\tHEAD_UNKNOWN = 0xff,\n\t};\n\n\t/* Skip any unprocessed data for this file. */\n\tret = skip_unprocessed_bytes(a);\n\tif(ret != ARCHIVE_OK)\n\t\treturn ret;\n\n\t/* Read the expected CRC32 checksum. */\n\tif(!read_u32(a, &hdr_crc)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\t/* Read header size. */\n\tif(!read_var_sized(a, &raw_hdr_size, &hdr_size_len)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\t/* Sanity check, maximum header size for RAR5 is 2MB. */\n\tif(raw_hdr_size > (2 * 1024 * 1024)) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Base block header is too large\");\n\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\thdr_size = raw_hdr_size + hdr_size_len;\n\n\t/* Read the whole header data into memory, maximum memory use here is\n\t * 2MB. */\n\tif(!read_ahead(a, hdr_size, &p)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\t/* Verify the CRC32 of the header data. */\n\tcomputed_crc = (uint32_t) crc32(0, p, (int) hdr_size);\n\tif(computed_crc != hdr_crc) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Header CRC error\");\n\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\t/* If the checksum is OK, we proceed with parsing. */\n\tif(ARCHIVE_OK != consume(a, hdr_size_len)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\tif(!read_var_sized(a, &header_id, NULL))\n\t\treturn ARCHIVE_EOF;\n\n\tif(!read_var_sized(a, &header_flags, NULL))\n\t\treturn ARCHIVE_EOF;\n\n\trar->generic.split_after = (header_flags & HFL_SPLIT_AFTER) > 0;\n\trar->generic.split_before = (header_flags & HFL_SPLIT_BEFORE) > 0;\n\trar->generic.size = (int)hdr_size;\n\trar->generic.last_header_id = (int)header_id;\n\trar->main.endarc = 0;\n\n\t/* Those are possible header ids in RARv5. 
*/\n\tswitch(header_id) {\n\t\tcase HEAD_MAIN:\n\t\t\tret = process_head_main(a, rar, entry, header_flags);\n\n\t\t\t/* Main header doesn't have any files in it, so it's\n\t\t\t * pointless to return to the caller. Retry to next\n\t\t\t * header, which should be HEAD_FILE/HEAD_SERVICE. */\n\t\t\tif(ret == ARCHIVE_OK)\n\t\t\t\treturn ARCHIVE_RETRY;\n\n\t\t\treturn ret;\n\t\tcase HEAD_SERVICE:\n\t\t\tret = process_head_service(a, rar, entry, header_flags);\n\t\t\treturn ret;\n\t\tcase HEAD_FILE:\n\t\t\tret = process_head_file(a, rar, entry, header_flags);\n\t\t\treturn ret;\n\t\tcase HEAD_CRYPT:\n\t\t\tarchive_set_error(&a->archive,\n\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t \"Encryption is not supported\");\n\t\t\treturn ARCHIVE_FATAL;\n\t\tcase HEAD_ENDARC:\n\t\t\trar->main.endarc = 1;\n\n\t\t\t/* After encountering an end of file marker, we need\n\t\t\t * to take into consideration if this archive is\n\t\t\t * continued in another file (i.e. is it part01.rar:\n\t\t\t * is there a part02.rar?) */\n\t\t\tif(rar->main.volume) {\n\t\t\t\t/* In case there is part02.rar, position the\n\t\t\t\t * read pointer in a proper place, so we can\n\t\t\t\t * resume parsing. 
*/\n\t\t\t\tret = scan_for_signature(a);\n\t\t\t\tif(ret == ARCHIVE_FATAL) {\n\t\t\t\t\treturn ARCHIVE_EOF;\n\t\t\t\t} else {\n\t\t\t\t\tif(rar->vol.expected_vol_no ==\n\t\t\t\t\t UINT_MAX) {\n\t\t\t\t\t\tarchive_set_error(&a->archive,\n\t\t\t\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t\t\t\t \"Header error\");\n\t\t\t\t\t\t\treturn ARCHIVE_FATAL;\n\t\t\t\t\t}\n\n\t\t\t\t\trar->vol.expected_vol_no =\n\t\t\t\t\t rar->main.vol_no + 1;\n\t\t\t\t\treturn ARCHIVE_OK;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\treturn ARCHIVE_EOF;\n\t\t\t}\n\t\tcase HEAD_MARK:\n\t\t\treturn ARCHIVE_EOF;\n\t\tdefault:\n\t\t\tif((header_flags & HFL_SKIP_IF_UNKNOWN) == 0) {\n\t\t\t\tarchive_set_error(&a->archive,\n\t\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t\t \"Header type error\");\n\t\t\t\treturn ARCHIVE_FATAL;\n\t\t\t} else {\n\t\t\t\t/* If the block is marked as 'skip if unknown',\n\t\t\t\t * do as the flag says: skip the block\n\t\t\t\t * instead on failing on it. */\n\t\t\t\treturn ARCHIVE_RETRY;\n\t\t\t}\n\t}\n\n#if !defined WIN32\n\t// Not reached.\n\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,\n\t \"Internal unpacker error\");\n\treturn ARCHIVE_FATAL;\n#endif\n}", "project": "libarchive", "hash": 100291370177792498743783572399624603579, "size": 150, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 1, "dataset": "other", "idx": 196781 }, { "func": "static int process_base_block(struct archive_read* a,\n struct archive_entry* entry)\n{\n\tconst size_t SMALLEST_RAR5_BLOCK_SIZE = 3;\n\n\tstruct rar5* rar = get_context(a);\n\tuint32_t hdr_crc, computed_crc;\n\tsize_t raw_hdr_size = 0, hdr_size_len, hdr_size;\n\tsize_t header_id = 0;\n\tsize_t header_flags = 0;\n\tconst uint8_t* p;\n\tint ret;\n\n\tenum HEADER_TYPE {\n\t\tHEAD_MARK = 0x00, HEAD_MAIN = 0x01, HEAD_FILE = 0x02,\n\t\tHEAD_SERVICE = 0x03, HEAD_CRYPT = 0x04, HEAD_ENDARC = 0x05,\n\t\tHEAD_UNKNOWN = 0xff,\n\t};\n\n\t/* Skip any unprocessed data for this file. */\n\tret = skip_unprocessed_bytes(a);\n\tif(ret != ARCHIVE_OK)\n\t\treturn ret;\n\n\t/* Read the expected CRC32 checksum. */\n\tif(!read_u32(a, &hdr_crc)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\t/* Read header size. */\n\tif(!read_var_sized(a, &raw_hdr_size, &hdr_size_len)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\thdr_size = raw_hdr_size + hdr_size_len;\n\n\t/* Sanity check, maximum header size for RAR5 is 2MB. */\n\tif(hdr_size > (2 * 1024 * 1024)) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Base block header is too large\");\n\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\t/* Additional sanity checks to weed out invalid files. 
*/\n\tif(raw_hdr_size == 0 || hdr_size_len == 0 ||\n\t\thdr_size < SMALLEST_RAR5_BLOCK_SIZE)\n\t{\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Too small block encountered (%ld bytes)\",\n\t\t raw_hdr_size);\n\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\t/* Read the whole header data into memory, maximum memory use here is\n\t * 2MB. */\n\tif(!read_ahead(a, hdr_size, &p)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\t/* Verify the CRC32 of the header data. */\n\tcomputed_crc = (uint32_t) crc32(0, p, (int) hdr_size);\n\tif(computed_crc != hdr_crc) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Header CRC error\");\n\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\t/* If the checksum is OK, we proceed with parsing. */\n\tif(ARCHIVE_OK != consume(a, hdr_size_len)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\tif(!read_var_sized(a, &header_id, NULL))\n\t\treturn ARCHIVE_EOF;\n\n\tif(!read_var_sized(a, &header_flags, NULL))\n\t\treturn ARCHIVE_EOF;\n\n\trar->generic.split_after = (header_flags & HFL_SPLIT_AFTER) > 0;\n\trar->generic.split_before = (header_flags & HFL_SPLIT_BEFORE) > 0;\n\trar->generic.size = (int)hdr_size;\n\trar->generic.last_header_id = (int)header_id;\n\trar->main.endarc = 0;\n\n\t/* Those are possible header ids in RARv5. */\n\tswitch(header_id) {\n\t\tcase HEAD_MAIN:\n\t\t\tret = process_head_main(a, rar, entry, header_flags);\n\n\t\t\t/* Main header doesn't have any files in it, so it's\n\t\t\t * pointless to return to the caller. Retry to next\n\t\t\t * header, which should be HEAD_FILE/HEAD_SERVICE. 
*/\n\t\t\tif(ret == ARCHIVE_OK)\n\t\t\t\treturn ARCHIVE_RETRY;\n\n\t\t\treturn ret;\n\t\tcase HEAD_SERVICE:\n\t\t\tret = process_head_service(a, rar, entry, header_flags);\n\t\t\treturn ret;\n\t\tcase HEAD_FILE:\n\t\t\tret = process_head_file(a, rar, entry, header_flags);\n\t\t\treturn ret;\n\t\tcase HEAD_CRYPT:\n\t\t\tarchive_set_error(&a->archive,\n\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t \"Encryption is not supported\");\n\t\t\treturn ARCHIVE_FATAL;\n\t\tcase HEAD_ENDARC:\n\t\t\trar->main.endarc = 1;\n\n\t\t\t/* After encountering an end of file marker, we need\n\t\t\t * to take into consideration if this archive is\n\t\t\t * continued in another file (i.e. is it part01.rar:\n\t\t\t * is there a part02.rar?) */\n\t\t\tif(rar->main.volume) {\n\t\t\t\t/* In case there is part02.rar, position the\n\t\t\t\t * read pointer in a proper place, so we can\n\t\t\t\t * resume parsing. */\n\t\t\t\tret = scan_for_signature(a);\n\t\t\t\tif(ret == ARCHIVE_FATAL) {\n\t\t\t\t\treturn ARCHIVE_EOF;\n\t\t\t\t} else {\n\t\t\t\t\tif(rar->vol.expected_vol_no ==\n\t\t\t\t\t UINT_MAX) {\n\t\t\t\t\t\tarchive_set_error(&a->archive,\n\t\t\t\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t\t\t\t \"Header error\");\n\t\t\t\t\t\t\treturn ARCHIVE_FATAL;\n\t\t\t\t\t}\n\n\t\t\t\t\trar->vol.expected_vol_no =\n\t\t\t\t\t rar->main.vol_no + 1;\n\t\t\t\t\treturn ARCHIVE_OK;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\treturn ARCHIVE_EOF;\n\t\t\t}\n\t\tcase HEAD_MARK:\n\t\t\treturn ARCHIVE_EOF;\n\t\tdefault:\n\t\t\tif((header_flags & HFL_SKIP_IF_UNKNOWN) == 0) {\n\t\t\t\tarchive_set_error(&a->archive,\n\t\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t\t \"Header type error\");\n\t\t\t\treturn ARCHIVE_FATAL;\n\t\t\t} else {\n\t\t\t\t/* If the block is marked as 'skip if unknown',\n\t\t\t\t * do as the flag says: skip the block\n\t\t\t\t * instead on failing on it. 
*/\n\t\t\t\treturn ARCHIVE_RETRY;\n\t\t\t}\n\t}\n\n#if !defined WIN32\n\t// Not reached.\n\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,\n\t \"Internal unpacker error\");\n\treturn ARCHIVE_FATAL;\n#endif\n}", "project": "libarchive", "hash": 7503224727997862368510784011625765002, "size": 163, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244730 }, { "func": "static int __init con_init(void)\n{\n\tconst char *display_desc = NULL;\n\tstruct vc_data *vc;\n\tunsigned int currcons = 0, i;\n\n\tconsole_lock();\n\n\tif (!conswitchp)\n\t\tconswitchp = &dummy_con;\n\tdisplay_desc = conswitchp->con_startup();\n\tif (!display_desc) {\n\t\tfg_console = 0;\n\t\tconsole_unlock();\n\t\treturn 0;\n\t}\n\n\tfor (i = 0; i < MAX_NR_CON_DRIVER; i++) {\n\t\tstruct con_driver *con_driver = ®istered_con_driver[i];\n\n\t\tif (con_driver->con == NULL) {\n\t\t\tcon_driver->con = conswitchp;\n\t\t\tcon_driver->desc = display_desc;\n\t\t\tcon_driver->flag = CON_DRIVER_FLAG_INIT;\n\t\t\tcon_driver->first = 0;\n\t\t\tcon_driver->last = MAX_NR_CONSOLES - 1;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tfor (i = 0; i < MAX_NR_CONSOLES; i++)\n\t\tcon_driver_map[i] = conswitchp;\n\n\tif (blankinterval) {\n\t\tblank_state = blank_normal_wait;\n\t\tmod_timer(&console_timer, jiffies + (blankinterval * 
HZ));\n\t}\n\n\tfor (currcons = 0; currcons < MIN_NR_CONSOLES; currcons++) {\n\t\tvc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data), GFP_NOWAIT);\n\t\tINIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK);\n\t\ttty_port_init(&vc->port);\n\t\tvisual_init(vc, currcons, 1);\n\t\tvc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_NOWAIT);\n\t\tvc_init(vc, vc->vc_rows, vc->vc_cols,\n\t\t\tcurrcons || !vc->vc_sw->con_save_screen);\n\t}\n\tcurrcons = fg_console = 0;\n\tmaster_display_fg = vc = vc_cons[currcons].d;\n\tset_origin(vc);\n\tsave_screen(vc);\n\tgotoxy(vc, vc->vc_x, vc->vc_y);\n\tcsi_J(vc, 0);\n\tupdate_screen(vc);\n\tpr_info(\"Console: %s %s %dx%d\\n\",\n\t\tvc->vc_can_do_color ? \"colour\" : \"mono\",\n\t\tdisplay_desc, vc->vc_cols, vc->vc_rows);\n\tprintable = 1;\n\n\tconsole_unlock();\n\n#ifdef CONFIG_VT_CONSOLE\n\tregister_console(&vt_console_driver);\n#endif\n\treturn 0;\n}", "project": "linux", "hash": 267804870115161621605875759912333436713, "size": 66, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437092 }, { "func": "static int mt_compute_slot(struct mt_device *td, struct mt_application *app,\n\t\t\t struct mt_usages *slot,\n\t\t\t struct input_dev *input)\n{\n\t__s32 quirks = app->quirks;\n\n\tif (quirks & MT_QUIRK_SLOT_IS_CONTACTID)\n\t\treturn *slot->contactid;\n\n\tif (quirks & MT_QUIRK_CYPRESS)\n\t\treturn cypress_compute_slot(app, slot);\n\n\tif (quirks & MT_QUIRK_SLOT_IS_CONTACTNUMBER)\n\t\treturn app->num_received;\n\n\tif (quirks & MT_QUIRK_SLOT_IS_CONTACTID_MINUS_ONE)\n\t\treturn *slot->contactid - 1;\n\n\treturn input_mt_get_slot_by_key(input, *slot->contactid);\n}", "project": "linux", "hash": 91400742996033193003445238245238742232, "size": 20, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458387 }, { "func": "int vcf_hdr_write(htsFile *fp, const bcf_hdr_t *h)\n{\n kstring_t htxt = {0,0,0};\n bcf_hdr_format(h, 0, &htxt);\n while (htxt.l && htxt.s[htxt.l-1] == '\\0') --htxt.l; // kill trailing zeros\n int ret;\n if ( 
fp->format.compression!=no_compression )\n ret = bgzf_write(fp->fp.bgzf, htxt.s, htxt.l);\n else\n ret = hwrite(fp->fp.hfile, htxt.s, htxt.l);\n free(htxt.s);\n return ret<0 ? -1 : 0;\n}", "project": "htslib", "hash": 158263705728329578996114704399850104913, "size": 13, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402181 }, { "func": "static inline void input_proc_exit(void) { }", "project": "linux", "hash": 201289832116399073971572183068478610717, "size": 1, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353332 }, { "func": "static void input_proc_exit(void)\n{\n\tremove_proc_entry(\"devices\", proc_bus_input_dir);\n\tremove_proc_entry(\"handlers\", proc_bus_input_dir);\n\tremove_proc_entry(\"bus/input\", NULL);\n}", "project": "linux", "hash": 85321509683132682424742374408732408287, "size": 6, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353388 }, { "func": " double val_real()\n { \n DBUG_ASSERT(fixed == 1); \n return (double) (ulonglong) Item_hex_hybrid::val_int();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 99884600452648748846012043558652774863, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508992 }, { "func": " double val_real() { return (double)val_int(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 169307693031914250953500777807025644253, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509065 }, { "func": " double val_real()\n { \n DBUG_ASSERT(fixed == 1);\n return double_from_string_with_check(&str_value);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 204523815568120142286418666636764860529, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509151 }, { "func": " double val_real()\n { return val_real_from_date(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 16361786034412806965290949636216771596, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509323 }, { "func": " double val_real()\n {\n if (check_null_ref())\n return 0;\n else\n return Item_direct_ref::val_real();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 214181939153200401911938407962544930007, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509438 }, { "func": "static OPJ_BOOL opj_j2k_merge_ppm(opj_cp_t *p_cp, opj_event_mgr_t * p_manager)\n{\n OPJ_UINT32 i, l_ppm_data_size, l_N_ppm_remaining;\n\n /* preconditions */\n assert(p_cp != 00);\n assert(p_manager != 00);\n assert(p_cp->ppm_buffer == NULL);\n\n if (p_cp->ppm == 0U) {\n return OPJ_TRUE;\n }\n\n l_ppm_data_size = 0U;\n l_N_ppm_remaining = 0U;\n for (i = 0U; i < p_cp->ppm_markers_count; ++i) {\n if (p_cp->ppm_markers[i].m_data !=\n NULL) { /* standard doesn't seem to require contiguous Zppm */\n OPJ_UINT32 l_N_ppm;\n OPJ_UINT32 l_data_size = p_cp->ppm_markers[i].m_data_size;\n const OPJ_BYTE* l_data = p_cp->ppm_markers[i].m_data;\n\n if (l_N_ppm_remaining >= l_data_size) {\n l_N_ppm_remaining -= l_data_size;\n l_data_size = 0U;\n } else {\n l_data += l_N_ppm_remaining;\n l_data_size -= l_N_ppm_remaining;\n l_N_ppm_remaining = 0U;\n }\n\n if (l_data_size > 0U) {\n do {\n /* read Nppm */\n if (l_data_size < 4U) {\n /* clean up to be done on l_cp destruction */\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough bytes to read Nppm\\n\");\n return OPJ_FALSE;\n }\n opj_read_bytes(l_data, &l_N_ppm, 4);\n l_data += 4;\n l_data_size -= 4;\n l_ppm_data_size +=\n l_N_ppm; /* can't overflow, max 256 markers of max 65536 bytes, that is when PPM markers are not corrupted which is checked elsewhere */\n\n if (l_data_size >= l_N_ppm) {\n l_data_size -= l_N_ppm;\n l_data += l_N_ppm;\n } else {\n l_N_ppm_remaining = l_N_ppm - l_data_size;\n l_data_size = 0U;\n }\n } while (l_data_size > 0U);\n }\n }\n }\n\n if (l_N_ppm_remaining != 0U) {\n /* clean up to be done on l_cp destruction */\n opj_event_msg(p_manager, EVT_ERROR, \"Corrupted PPM markers\\n\");\n return OPJ_FALSE;\n }\n\n p_cp->ppm_buffer = (OPJ_BYTE *) opj_malloc(l_ppm_data_size);\n if (p_cp->ppm_buffer == 00) {\n 
opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to read PPM marker\\n\");\n return OPJ_FALSE;\n }\n p_cp->ppm_len = l_ppm_data_size;\n l_ppm_data_size = 0U;\n l_N_ppm_remaining = 0U;\n for (i = 0U; i < p_cp->ppm_markers_count; ++i) {\n if (p_cp->ppm_markers[i].m_data !=\n NULL) { /* standard doesn't seem to require contiguous Zppm */\n OPJ_UINT32 l_N_ppm;\n OPJ_UINT32 l_data_size = p_cp->ppm_markers[i].m_data_size;\n const OPJ_BYTE* l_data = p_cp->ppm_markers[i].m_data;\n\n if (l_N_ppm_remaining >= l_data_size) {\n memcpy(p_cp->ppm_buffer + l_ppm_data_size, l_data, l_data_size);\n l_ppm_data_size += l_data_size;\n l_N_ppm_remaining -= l_data_size;\n l_data_size = 0U;\n } else {\n memcpy(p_cp->ppm_buffer + l_ppm_data_size, l_data, l_N_ppm_remaining);\n l_ppm_data_size += l_N_ppm_remaining;\n l_data += l_N_ppm_remaining;\n l_data_size -= l_N_ppm_remaining;\n l_N_ppm_remaining = 0U;\n }\n\n if (l_data_size > 0U) {\n do {\n /* read Nppm */\n if (l_data_size < 4U) {\n /* clean up to be done on l_cp destruction */\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough bytes to read Nppm\\n\");\n return OPJ_FALSE;\n }\n opj_read_bytes(l_data, &l_N_ppm, 4);\n l_data += 4;\n l_data_size -= 4;\n\n if (l_data_size >= l_N_ppm) {\n memcpy(p_cp->ppm_buffer + l_ppm_data_size, l_data, l_N_ppm);\n l_ppm_data_size += l_N_ppm;\n l_data_size -= l_N_ppm;\n l_data += l_N_ppm;\n } else {\n memcpy(p_cp->ppm_buffer + l_ppm_data_size, l_data, l_data_size);\n l_ppm_data_size += l_data_size;\n l_N_ppm_remaining = l_N_ppm - l_data_size;\n l_data_size = 0U;\n }\n } while (l_data_size > 0U);\n }\n opj_free(p_cp->ppm_markers[i].m_data);\n p_cp->ppm_markers[i].m_data = NULL;\n p_cp->ppm_markers[i].m_data_size = 0U;\n }\n }\n\n p_cp->ppm_data = p_cp->ppm_buffer;\n p_cp->ppm_data_size = p_cp->ppm_len;\n\n p_cp->ppm_markers_count = 0U;\n opj_free(p_cp->ppm_markers);\n p_cp->ppm_markers = NULL;\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 260896162865383717443173033004289077926, 
"size": 131, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357285 }, { "func": "static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\t/* Check #1 */\n\tif (tp->rcv_ssthresh < tp->window_clamp &&\n\t (int)tp->rcv_ssthresh < tcp_space(sk) &&\n\t !tcp_memory_pressure) {\n\t\tint incr;\n\n\t\t/* Check #2. Increase window, if skb with such overhead\n\t\t * will fit to rcvbuf in future.\n\t\t */\n\t\tif (tcp_win_from_space(skb->truesize) <= skb->len)\n\t\t\tincr = 2 * tp->advmss;\n\t\telse\n\t\t\tincr = __tcp_grow_window(sk, skb);\n\n\t\tif (incr) {\n\t\t\ttp->rcv_ssthresh = min(tp->rcv_ssthresh + incr,\n\t\t\t\t\t tp->window_clamp);\n\t\t\tinet_csk(sk)->icsk_ack.quick |= 1;\n\t\t}\n\t}\n}", "project": "net-next", "hash": 194508840887780149728353482608238359216, "size": 25, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409946 }, { "func": "static int vcpu_post_run_fault_in_sie(struct kvm_vcpu *vcpu)\n{\n\tstruct kvm_s390_pgm_info pgm_info = {\n\t\t.code = PGM_ADDRESSING,\n\t};\n\tu8 opcode, ilen;\n\tint rc;\n\n\tVCPU_EVENT(vcpu, 3, \"%s\", \"fault in sie instruction\");\n\ttrace_kvm_s390_sie_fault(vcpu);\n\n\t/*\n\t * We want to inject an addressing exception, which is defined as a\n\t * suppressing or terminating exception. However, since we came here\n\t * by a DAT access exception, the PSW still points to the faulting\n\t * instruction since DAT exceptions are nullifying. 
So we've got\n\t * to look up the current opcode to get the length of the instruction\n\t * to be able to forward the PSW.\n\t */\n\trc = read_guest_instr(vcpu, vcpu->arch.sie_block->gpsw.addr, &opcode, 1);\n\tilen = insn_length(opcode);\n\tif (rc < 0) {\n\t\treturn rc;\n\t} else if (rc) {\n\t\t/* Instruction-Fetching Exceptions - we can't detect the ilen.\n\t\t * Forward by arbitrary ilc, injection will take care of\n\t\t * nullification if necessary.\n\t\t */\n\t\tpgm_info = vcpu->arch.pgm;\n\t\tilen = 4;\n\t}\n\tpgm_info.flags = ilen | KVM_S390_PGM_FLAGS_ILC_VALID;\n\tkvm_s390_forward_psw(vcpu, ilen);\n\treturn kvm_s390_inject_prog_irq(vcpu, &pgm_info);\n}", "project": "linux", "hash": 276002080422877458837356982623683309750, "size": 35, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354602 }, { "func": "static int detect_signtrust(\n\tsc_pkcs15_card_t *p15card\n){\n\tif(insert_cert(p15card,\"8000DF01C000\", 0x45, 1, \"Signatur Zertifikat\")) return 1;\n\tset_string(&p15card->tokeninfo->manufacturer_id, \"Deutsche Post\");\n\tset_string(&p15card->tokeninfo->label, \"SignTrust Card\");\n\n\tinsert_cert(p15card,\"800082008220\", 0x46, 1, \"Verschluesselungs Zertifikat\");\n\tinsert_cert(p15card,\"800083008320\", 0x47, 1, \"Authentifizierungs 
Zertifikat\");\n\n\tinsert_key(p15card,\"8000DF015331\", 0x45, 0x80, 1024, 1, \"Signatur Schluessel\");\n\tinsert_key(p15card,\"800082008210\", 0x46, 0x80, 1024, 2, \"Verschluesselungs Schluessel\");\n\tinsert_key(p15card,\"800083008310\", 0x47, 0x80, 1024, 3, \"Authentifizierungs Schluessel\");\n\n\tinsert_pin(p15card,\"8000DF010000\", 1, 0, 0x81, 6, \"Signatur PIN\",\n\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | SC_PKCS15_PIN_FLAG_LOCAL |\n\t\tSC_PKCS15_PIN_FLAG_INITIALIZED\n\t);\n\tinsert_pin(p15card,\"800082000040\", 2, 0, 0x81, 6, \"Verschluesselungs PIN\",\n\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | SC_PKCS15_PIN_FLAG_LOCAL |\n\t\tSC_PKCS15_PIN_FLAG_INITIALIZED\n\t);\n\tinsert_pin(p15card,\"800083000040\", 3, 0, 0x81, 6, \"Authentifizierungs PIN\",\n\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | SC_PKCS15_PIN_FLAG_LOCAL |\n\t\tSC_PKCS15_PIN_FLAG_INITIALIZED\n\t);\n\n\treturn 0;\n}", "project": "OpenSC", "hash": 280325702267617719830340731979930783856, "size": 29, "commit_id": "5df913b7f57ad89b9832555d24c08d23a534311e", "message": "tcos: Check bounds in insert_pin()\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383", "target": 0, "dataset": "other", "idx": 243961 }, { "func": "static int ipv4_tuple_to_nlattr(struct sk_buff *skb,\n\t\t\t\tconst struct nf_conntrack_tuple *tuple)\n{\n\tif (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) ||\n\t nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))\n\t\treturn -EMSGSIZE;\n\treturn 0;\n}", "project": "linux", "hash": 76691506078010999448016566369634894484, "size": 8, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. 
Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394247 }, { "func": "static inline void TCP_ECN_check_ce(struct tcp_sock *tp, const struct sk_buff *skb)\n{\n\tif (!(tp->ecn_flags & TCP_ECN_OK))\n\t\treturn;\n\n\tswitch (TCP_SKB_CB(skb)->ip_dsfield & INET_ECN_MASK) {\n\tcase INET_ECN_NOT_ECT:\n\t\t/* Funny extension: if ECT is not set on a segment,\n\t\t * and we already seen ECT on a previous segment,\n\t\t * it is probably a retransmit.\n\t\t */\n\t\tif (tp->ecn_flags & TCP_ECN_SEEN)\n\t\t\ttcp_enter_quickack_mode((struct sock *)tp);\n\t\tbreak;\n\tcase INET_ECN_CE:\n\t\ttp->ecn_flags |= TCP_ECN_DEMAND_CWR;\n\t\t/* fallinto */\n\tdefault:\n\t\ttp->ecn_flags |= TCP_ECN_SEEN;\n\t}\n}", "project": "net-next", "hash": 
5228556253099108715641630733145985400, "size": 21, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409899 }, { "func": "int nested_svm_exit_special(struct vcpu_svm *svm)\n{\n\tu32 exit_code = svm->vmcb->control.exit_code;\n\n\tswitch (exit_code) {\n\tcase SVM_EXIT_INTR:\n\tcase SVM_EXIT_NMI:\n\tcase SVM_EXIT_NPF:\n\t\treturn NESTED_EXIT_HOST;\n\tcase SVM_EXIT_EXCP_BASE ... SVM_EXIT_EXCP_BASE + 0x1f: {\n\t\tu32 excp_bits = 1 << (exit_code - SVM_EXIT_EXCP_BASE);\n\n\t\tif (get_host_vmcb(svm)->control.intercepts[INTERCEPT_EXCEPTION] &\n\t\t\t\texcp_bits)\n\t\t\treturn NESTED_EXIT_HOST;\n\t\telse if (exit_code == SVM_EXIT_EXCP_BASE + PF_VECTOR &&\n\t\t\t svm->vcpu.arch.apf.host_apf_flags)\n\t\t\t/* Trap async PF even if not shadowing */\n\t\t\treturn NESTED_EXIT_HOST;\n\t\tbreak;\n\t}\n\tdefault:\n\t\tbreak;\n\t}\n\n\treturn NESTED_EXIT_CONTINUE;\n}", "project": "linux", "hash": 222638158865409523087616693431064319766, "size": 27, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. 
Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376644 }, { "func": "static int nested_svm_exit_special(struct vcpu_svm *svm)\n{\n\tu32 exit_code = svm->vmcb->control.exit_code;\n\n\tswitch (exit_code) {\n\tcase SVM_EXIT_INTR:\n\tcase SVM_EXIT_NMI:\n\tcase SVM_EXIT_EXCP_BASE + MC_VECTOR:\n\t\treturn NESTED_EXIT_HOST;\n\tcase SVM_EXIT_NPF:\n\t\t/* For now we are always handling NPFs when using them */\n\t\tif (npt_enabled)\n\t\t\treturn NESTED_EXIT_HOST;\n\t\tbreak;\n\tcase SVM_EXIT_EXCP_BASE + PF_VECTOR:\n\t\t/* When we're shadowing, trap PFs, but not async PF */\n\t\tif (!npt_enabled && svm->vcpu.arch.apf.host_apf_reason == 0)\n\t\t\treturn NESTED_EXIT_HOST;\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\n\treturn NESTED_EXIT_CONTINUE;\n}", "project": "linux", "hash": 131245312112904951862677414777270378497, "size": 25, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432607 }, { "func": "static int nested_svm_exit_special(struct vcpu_svm *svm)\n{\n\tu32 exit_code = svm->vmcb->control.exit_code;\n\n\tswitch (exit_code) {\n\tcase SVM_EXIT_INTR:\n\tcase SVM_EXIT_NMI:\n\tcase SVM_EXIT_EXCP_BASE + MC_VECTOR:\n\t\treturn NESTED_EXIT_HOST;\n\tcase SVM_EXIT_NPF:\n\t\t/* For now we are always handling NPFs when using them */\n\t\tif (npt_enabled)\n\t\t\treturn NESTED_EXIT_HOST;\n\t\tbreak;\n\tcase SVM_EXIT_EXCP_BASE + PF_VECTOR:\n\t\t/* When we're shadowing, trap PFs, but not async PF */\n\t\tif (!npt_enabled && svm->apf_reason == 0)\n\t\t\treturn NESTED_EXIT_HOST;\n\t\tbreak;\n\tcase SVM_EXIT_EXCP_BASE + NM_VECTOR:\n\t\tnm_interception(svm);\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\n\treturn NESTED_EXIT_CONTINUE;\n}", "project": "kvm", "hash": 284197339860766219536938798716693520904, "size": 28, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437611 }, { "func": "static void mt_expired_timeout(struct timer_list *t)\n{\n\tstruct mt_device *td = from_timer(td, t, release_timer);\n\tstruct hid_device *hdev = td->hdev;\n\n\t/*\n\t * An input report came in just before we release the sticky fingers,\n\t * it will take care of the sticky fingers.\n\t */\n\tif (test_and_set_bit(MT_IO_FLAGS_RUNNING, &td->mt_io_flags))\n\t\treturn;\n\tif (test_bit(MT_IO_FLAGS_PENDING_SLOTS, &td->mt_io_flags))\n\t\tmt_release_contacts(hdev);\n\tclear_bit(MT_IO_FLAGS_RUNNING, &td->mt_io_flags);\n}", "project": "linux", "hash": 306807109055956517749088836826024320116, "size": 15, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into 
hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458371 }, { "func": "static void write_iac(struct hci_request *req)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tstruct hci_cp_write_current_iac_lap cp;\n\n\tif (!hci_dev_test_flag(hdev, HCI_DISCOVERABLE))\n\t\treturn;\n\n\tif (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE)) {\n\t\t/* Limited discoverable mode */\n\t\tcp.num_iac = min_t(u8, hdev->num_iac, 2);\n\t\tcp.iac_lap[0] = 0x00;\t/* LIAC */\n\t\tcp.iac_lap[1] = 0x8b;\n\t\tcp.iac_lap[2] = 0x9e;\n\t\tcp.iac_lap[3] = 0x33;\t/* GIAC */\n\t\tcp.iac_lap[4] = 0x8b;\n\t\tcp.iac_lap[5] = 0x9e;\n\t} else {\n\t\t/* General discoverable mode */\n\t\tcp.num_iac = 1;\n\t\tcp.iac_lap[0] = 0x33;\t/* GIAC */\n\t\tcp.iac_lap[1] = 0x8b;\n\t\tcp.iac_lap[2] = 0x9e;\n\t}\n\n\thci_req_add(req, HCI_OP_WRITE_CURRENT_IAC_LAP,\n\t\t (cp.num_iac * 3) + 1, &cp);\n}", "project": "linux", "hash": 135716833493117374996421914872702441567, "size": 28, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402535 }, { "func": "static inline gfn_t gpa_to_gfn(gpa_t gpa)\n{\n\treturn (gfn_t)(gpa >> PAGE_SHIFT);\n}", "project": "linux", "hash": 250566919600484052622947270449886205327, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354521 }, { "func": "static int serial_blosc(struct thread_context* thread_context) {\n blosc2_context* context = thread_context->parent_context;\n int32_t j, bsize, leftoverblock;\n int32_t cbytes;\n int32_t ntbytes = (int32_t)context->output_bytes;\n int32_t* bstarts = context->bstarts;\n uint8_t* tmp = thread_context->tmp;\n uint8_t* tmp2 = thread_context->tmp2;\n int dict_training = context->use_dict && (context->dict_cdict == NULL);\n bool memcpyed = 
context->header_flags & (uint8_t)BLOSC_MEMCPYED;\n\n for (j = 0; j < context->nblocks; j++) {\n if (context->do_compress && !memcpyed && !dict_training) {\n _sw32(bstarts + j, ntbytes);\n }\n bsize = context->blocksize;\n leftoverblock = 0;\n if ((j == context->nblocks - 1) && (context->leftover > 0)) {\n bsize = context->leftover;\n leftoverblock = 1;\n }\n if (context->do_compress) {\n if (memcpyed && !context->prefilter) {\n /* We want to memcpy only */\n memcpy(context->dest + BLOSC_MAX_OVERHEAD + j * context->blocksize,\n context->src + j * context->blocksize,\n (unsigned int)bsize);\n cbytes = (int32_t)bsize;\n }\n else {\n /* Regular compression */\n cbytes = blosc_c(thread_context, bsize, leftoverblock, ntbytes,\n context->destsize, context->src, j * context->blocksize,\n context->dest + ntbytes, tmp, tmp2);\n if (cbytes == 0) {\n ntbytes = 0; /* uncompressible data */\n break;\n }\n }\n }\n else {\n if (memcpyed) {\n // Check that sizes in header are compatible, otherwise there is a header corruption\n int32_t csize = sw32_(context->src + 12); /* compressed buffer size */\n if (context->sourcesize + BLOSC_MAX_OVERHEAD != csize) {\n return -1;\n }\n if (context->srcsize < BLOSC_MAX_OVERHEAD + (j * context->blocksize) + bsize) {\n /* Not enough input to copy block */\n return -1;\n }\n memcpy(context->dest + j * context->blocksize,\n context->src + BLOSC_MAX_OVERHEAD + j * context->blocksize,\n (unsigned int)bsize);\n cbytes = (int32_t)bsize;\n }\n else {\n /* Regular decompression */\n cbytes = blosc_d(thread_context, bsize, leftoverblock,\n context->src, context->srcsize, sw32_(bstarts + j),\n context->dest, j * context->blocksize, tmp, tmp2);\n }\n }\n\n if (cbytes < 0) {\n ntbytes = cbytes; /* error in blosc_c or blosc_d */\n break;\n }\n ntbytes += cbytes;\n }\n\n return ntbytes;\n}", "project": "c-blosc2", "hash": 63453032904659299808897537753081473727, "size": 73, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap 
buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303129 }, { "func": "static void init_local_extra(pcre_extra* local, pcre_extra* shared) {\n if (shared) {\n memcpy(local, shared, sizeof(pcre_extra));\n } else {\n memset(local, 0, sizeof(pcre_extra));\n local->flags = PCRE_EXTRA_MATCH_LIMIT | PCRE_EXTRA_MATCH_LIMIT_RECURSION;\n }\n local->match_limit = tl_pcre_globals->preg_backtrace_limit;\n local->match_limit_recursion = tl_pcre_globals->preg_recursion_limit;\n}", "project": "hhvm", "hash": 296954339970864498519051366052341380363, "size": 10, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219477 }, { "func": "void done_path_create(struct path *path, struct dentry *dentry)\n{\n\tdput(dentry);\n\tinode_unlock(path->dentry->d_inode);\n\tmnt_drop_write(path->mnt);\n\tpath_put(path);\n}", "project": "linux", "hash": 143664763987477379963363811829095881551, "size": 7, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295396 }, { "func": "ConnStateData::splice()\n{\n // normally we can splice here, because we just got client hello message\n\n if (fd_table[clientConnection->fd].ssl.get()) {\n // Restore default read methods\n fd_table[clientConnection->fd].read_method = &default_read_method;\n fd_table[clientConnection->fd].write_method = &default_write_method;\n }\n\n // XXX: assuming that there was an HTTP/1.1 CONNECT to begin with...\n // reset the current protocol to HTTP/1.1 (was \"HTTPS\" for the bumping process)\n transferProtocol = 
Http::ProtocolVersion();\n assert(!pipeline.empty());\n Http::StreamPointer context = pipeline.front();\n Must(context);\n Must(context->http);\n ClientHttpRequest *http = context->http;\n HttpRequest::Pointer request = http->request;\n context->finished();\n if (transparent()) {\n // For transparent connections, make a new fake CONNECT request, now\n // with SNI as target. doCallout() checks, adaptations may need that.\n return fakeAConnectRequest(\"splice\", preservedClientData);\n } else {\n // For non transparent connections make a new tunneled CONNECT, which\n // also sets the HttpRequest::flags::forceTunnel flag to avoid\n // respond with \"Connection Established\" to the client.\n // This fake CONNECT request required to allow use of SNI in\n // doCallout() checks and adaptations.\n return initiateTunneledRequest(request, Http::METHOD_CONNECT, \"splice\", preservedClientData);\n }\n}", "project": "squid", "hash": 103250712777917896172127152251872735941, "size": 33, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402331 }, { "func": "__poll_t fuse_file_poll(struct file *file, poll_table *wait)\n{\n\tstruct fuse_file *ff = file->private_data;\n\tstruct fuse_mount *fm = ff->fm;\n\tstruct fuse_poll_in inarg = { .fh = ff->fh, .kh = ff->kh };\n\tstruct fuse_poll_out outarg;\n\tFUSE_ARGS(args);\n\tint err;\n\n\tif (fm->fc->no_poll)\n\t\treturn DEFAULT_POLLMASK;\n\n\tpoll_wait(file, &ff->poll_wait, wait);\n\tinarg.events = mangle_poll(poll_requested_events(wait));\n\n\t/*\n\t * Ask for notification iff there's someone waiting for it.\n\t * The client may ignore the flag and always notify.\n\t */\n\tif (waitqueue_active(&ff->poll_wait)) {\n\t\tinarg.flags |= FUSE_POLL_SCHEDULE_NOTIFY;\n\t\tfuse_register_polled_file(fm->fc, ff);\n\t}\n\n\targs.opcode = FUSE_POLL;\n\targs.nodeid = ff->nodeid;\n\targs.in_numargs = 1;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\targs.out_numargs = 1;\n\targs.out_args[0].size = sizeof(outarg);\n\targs.out_args[0].value = &outarg;\n\terr = fuse_simple_request(fm, &args);\n\n\tif (!err)\n\t\treturn demangle_poll(outarg.revents);\n\tif (err == -ENOSYS) {\n\t\tfm->fc->no_poll = 1;\n\t\treturn DEFAULT_POLLMASK;\n\t}\n\treturn EPOLLERR;\n}", "project": "linux", "hash": 76775227534804374681879248581522665143, "size": 42, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342059 }, { "func": "void CSoundFile::FinePortamentoDown(ModChannel *pChn, ModCommand::PARAM param) const\n{\n\tif(GetType() == MOD_TYPE_XM)\n\t{\n\t\t// FT2 compatibility: E1x / E2x / X1x / X2x memory is not linked\n\t\t// Test case: Porta-LinkMem.xm\n\t\tif(param) pChn->nOldFinePortaUpDown = (pChn->nOldFinePortaUpDown & 0xF0) | (param & 0x0F); else param = (pChn->nOldFinePortaUpDown & 0x0F);\n\t} else if(GetType() == MOD_TYPE_MT2)\n\t{\n\t\tif(param) pChn->nOldFinePortaUpDown = param; else param = pChn->nOldFinePortaUpDown;\n\t}\n\n\tif(pChn->isFirstTick)\n\t{\n\t\tif ((pChn->nPeriod) && (param))\n\t\t{\n\t\t\tif (m_SongFlags[SONG_LINEARSLIDES] && GetType() != MOD_TYPE_XM)\n\t\t\t{\n\t\t\t\tconst auto oldPeriod = pChn->nPeriod;\n\t\t\t\tpChn->nPeriod = Util::muldivr(pChn->nPeriod, GetLinearSlideDownTable(this, param & 0x0F), 65536);\n\t\t\t\tif(oldPeriod == pChn->nPeriod)\n\t\t\t\t{\n\t\t\t\t\tif(!m_playBehaviour[kHertzInLinearMode] && pChn->nPeriod < Util::MaxValueOfType(pChn->nPeriod))\n\t\t\t\t\t\tpChn->nPeriod++;\n\t\t\t\t\telse if(m_playBehaviour[kHertzInLinearMode] && pChn->nPeriod > 1)\n\t\t\t\t\t\tpChn->nPeriod--;\n\t\t\t\t}\n\t\t\t} else\n\t\t\t{\n\t\t\t\tpChn->nPeriod += (int)(param * 4);\n\t\t\t\tif (pChn->nPeriod > 0xFFFF) pChn->nPeriod = 
0xFFFF;\n\t\t\t}\n\t\t}\n\t}\n}", "project": "openmpt", "hash": 83544520552806300873644724332053214666, "size": 35, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255235 }, { "func": "int RGWHandler_REST_S3Website::serve_errordoc(int http_ret, const string& errordoc_key) {\n int ret = 0;\n s->formatter->reset(); /* Try to throw it all away */\n\n std::shared_ptr getop( static_cast(op_get()));\n if (getop.get() == NULL) {\n return -1; // Trigger double error handler\n }\n getop->init(store, s, this);\n getop->range_str = NULL;\n getop->if_mod = NULL;\n getop->if_unmod = NULL;\n getop->if_match = NULL;\n getop->if_nomatch = NULL;\n s->object = errordoc_key;\n\n ret = init_permissions(getop.get());\n if (ret < 0) {\n ldout(s->cct, 20) << \"serve_errordoc failed, init_permissions ret=\" << ret << dendl;\n return -1; // Trigger double error handler\n }\n\n ret = read_permissions(getop.get());\n if (ret < 0) {\n ldout(s->cct, 20) << \"serve_errordoc failed, read_permissions ret=\" << ret << dendl;\n return -1; // Trigger double error handler\n }\n\n if (http_ret) {\n getop->set_custom_http_response(http_ret);\n }\n\n ret = getop->init_processing();\n if (ret < 0) {\n ldout(s->cct, 20) << \"serve_errordoc failed, init_processing ret=\" << ret << dendl;\n return -1; // Trigger double error handler\n }\n\n ret = getop->verify_op_mask();\n if (ret < 0) {\n ldout(s->cct, 20) << \"serve_errordoc failed, verify_op_mask ret=\" << ret << dendl;\n return -1; // Trigger double error handler\n }\n\n ret = getop->verify_permission();\n if (ret < 0) {\n ldout(s->cct, 20) << \"serve_errordoc failed, verify_permission ret=\" << ret << 
dendl;\n return -1; // Trigger double error handler\n }\n\n ret = getop->verify_params();\n if (ret < 0) {\n ldout(s->cct, 20) << \"serve_errordoc failed, verify_params ret=\" << ret << dendl;\n return -1; // Trigger double error handler\n }\n\n // No going back now\n getop->pre_exec();\n /*\n * FIXME Missing headers:\n * With a working errordoc, the s3 error fields are rendered as HTTP headers,\n * x-amz-error-code: NoSuchKey\n * x-amz-error-message: The specified key does not exist.\n * x-amz-error-detail-Key: foo\n */\n getop->execute();\n getop->complete();\n return 0;\n\n}", "project": "ceph", "hash": 193580288371992795255766502435834436823, "size": 70, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281294 }, { "func": "int RGWSwiftWebsiteHandler::serve_errordoc(const int http_ret,\n const std::string error_doc)\n{\n /* Try to throw it all away. */\n s->formatter->reset();\n\n class RGWGetErrorPage : public RGWGetObj_ObjStore_SWIFT {\n public:\n RGWGetErrorPage(RGWRados* const store,\n RGWHandler_REST* const handler,\n req_state* const s,\n const int http_ret) {\n /* Calling a virtual from the base class is safe as the subobject should\n * be properly initialized and we haven't overridden the init method. */\n init(store, s, handler);\n set_get_data(true);\n set_custom_http_response(http_ret);\n }\n\n int error_handler(const int err_no,\n std::string* const error_content) override {\n /* Enforce that any error generated while getting the error page will\n * not be send to a client. This allows us to recover from the double\n * fault situation by sending the original message. 
*/\n return 0;\n }\n } get_errpage_op(store, handler, s, http_ret);\n\n s->object = std::to_string(http_ret) + error_doc;\n\n RGWOp* newop = &get_errpage_op;\n RGWRequest req(0);\n return rgw_process_authenticated(handler, newop, &req, s, true);\n}", "project": "ceph", "hash": 323838343985408639385145162434177353288, "size": 34, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448840 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": " void BlobURLRequestJob::NotifySuccess() {\n int status_code = 0;\n std::string status_text;\n if (byte_range_set_ && byte_range_.IsValid()) {\n status_code = kHTTPPartialContent;\n status_text += kHTTPPartialContentText;\n } else {\n status_code = kHTTPOk;\n status_text = kHTTPOKText;\n }\n HeadersCompleted(status_code, status_text);\n}\n", "cwe": "", "big_vul_idx": 106419, "idx": 95570, "hash": 57864503079130512894147233015866422978 }, { "func": "static void __io_complete_rw(struct io_kiocb *req, long res, long res2,\n\t\t\t unsigned int issue_flags)\n{\n\tint cflags = 0;\n\n\tif (req->rw.kiocb.ki_flags & IOCB_WRITE)\n\t\tkiocb_end_write(req);\n\tif (res != req->result) {\n\t\tif ((res == -EAGAIN || res == -EOPNOTSUPP) &&\n\t\t io_rw_should_reissue(req)) {\n\t\t\treq->flags |= REQ_F_REISSUE;\n\t\t\treturn;\n\t\t}\n\t\treq_set_fail_links(req);\n\t}\n\tif (req->flags & REQ_F_BUFFER_SELECTED)\n\t\tcflags = io_put_rw_kbuf(req);\n\t__io_req_complete(req, issue_flags, res, cflags);\n}", "project": "linux", "hash": 321149954700047014251269186680483614803, "size": 19, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": 
"io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338631 }, { "func": "static void SFDGetSubrs(FILE *sfd) {\n /* Obselete, parse it in case there are any old sfds */\n int i, cnt, tot, len;\n struct enc85 dec;\n\n getint(sfd,&cnt);\n tot = 0;\n for ( i=0; ifontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417941 }, { "func": "static ssize_t tracing_resize_ring_buffer(struct trace_array *tr,\n\t\t\t\t\t unsigned long size, int cpu_id)\n{\n\tint ret = size;\n\n\tmutex_lock(&trace_types_lock);\n\n\tif (cpu_id != RING_BUFFER_ALL_CPUS) {\n\t\t/* make sure, this cpu is enabled in the mask */\n\t\tif (!cpumask_test_cpu(cpu_id, tracing_buffer_mask)) {\n\t\t\tret = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\t}\n\n\tret = __tracing_resize_ring_buffer(tr, size, cpu_id);\n\tif (ret < 0)\n\t\tret = -ENOMEM;\n\nout:\n\tmutex_unlock(&trace_types_lock);\n\n\treturn ret;\n}", "project": "linux", "hash": 267641099604951986685046865762762696220, "size": 24, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of 
the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445780 }, { "func": "uint32_t ssh_buffer_pass_bytes_end(struct ssh_buffer_struct *buffer, uint32_t len){\n buffer_verify(buffer);\n\n if (buffer->used < len) {\n return 0;\n }\n\n buffer->used-=len;\n buffer_verify(buffer);\n return len;\n}", "project": "libssh-mirror", "hash": 240483711688388515881986528165998442351, "size": 11, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345157 }, { "func": " Item_iterator_ref_list(List_iterator &arg_list):\n list(arg_list) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 312343823626021113524266891734275300979, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509076 }, { "func": " Item_iterator_list(List_iterator &arg_list):\n list(arg_list) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 39623616242592142835895506469115886169, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509394 }, { "func": "static inline bool tcp_in_cwnd_reduction(const struct sock *sk)\n{\n\treturn (TCPF_CA_CWR | TCPF_CA_Recovery) &\n\t (1 << inet_csk(sk)->icsk_ca_state);\n}", "project": "linux", "hash": 326753200267912903991956225918717245558, "size": 5, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410802 }, { "func": "static void nfs41_free_stateid_done(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs_free_stateid_data *data = calldata;\n\n\tnfs41_sequence_done(task, &data->res.seq_res);\n\n\tswitch (task->tk_status) {\n\tcase -NFS4ERR_DELAY:\n\t\tif (nfs4_async_handle_error(task, data->server, NULL, NULL) == -EAGAIN)\n\t\t\trpc_restart_call_prepare(task);\n\t}\n}", "project": "linux", "hash": 66095335111571135257973700314957766503, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430980 }, { "func": "static u8 tdme_settxpower(u8 txp, void *device_ref)\n{\n\tu8 status;\n\ts8 txp_val;\n\tu8 txp_ext;\n\tunion pa_cfg_sfr pa_cfg_val;\n\n\t/* extend from 6 to 8 bit */\n\ttxp_ext = 0x3F & txp;\n\tif (txp_ext & 0x20)\n\t\ttxp_ext += 0xC0;\n\ttxp_val = (s8)txp_ext;\n\n\tif (CA8210_MAC_MPW) {\n\t\tif (txp_val > 0) {\n\t\t\t/* 8 dBm: ptrim = 5, itrim = +3 => +4 dBm */\n\t\t\tpa_cfg_val.bias_current_trim = 3;\n\t\t\tpa_cfg_val.buffer_capacitor_trim = 5;\n\t\t\tpa_cfg_val.boost = 1;\n\t\t} else {\n\t\t\t/* 0 dBm: ptrim = 7, itrim = +3 => -6 dBm */\n\t\t\tpa_cfg_val.bias_current_trim = 3;\n\t\t\tpa_cfg_val.buffer_capacitor_trim = 7;\n\t\t\tpa_cfg_val.boost = 0;\n\t\t}\n\t\t/* write PACFG */\n\t\tstatus = tdme_setsfr_request_sync(\n\t\t\t0,\n\t\t\tCA8210_SFR_PACFG,\n\t\t\tpa_cfg_val.paib,\n\t\t\tdevice_ref\n\t\t);\n\t} else {\n\t\t/* Look-Up Table for Setting Current and Frequency Trim values\n\t\t * for desired Output Power\n\t\t */\n\t\tif (txp_val > 8) {\n\t\t\tpa_cfg_val.paib 
= 0x3F;\n\t\t} else if (txp_val == 8) {\n\t\t\tpa_cfg_val.paib = 0x32;\n\t\t} else if (txp_val == 7) {\n\t\t\tpa_cfg_val.paib = 0x22;\n\t\t} else if (txp_val == 6) {\n\t\t\tpa_cfg_val.paib = 0x18;\n\t\t} else if (txp_val == 5) {\n\t\t\tpa_cfg_val.paib = 0x10;\n\t\t} else if (txp_val == 4) {\n\t\t\tpa_cfg_val.paib = 0x0C;\n\t\t} else if (txp_val == 3) {\n\t\t\tpa_cfg_val.paib = 0x08;\n\t\t} else if (txp_val == 2) {\n\t\t\tpa_cfg_val.paib = 0x05;\n\t\t} else if (txp_val == 1) {\n\t\t\tpa_cfg_val.paib = 0x03;\n\t\t} else if (txp_val == 0) {\n\t\t\tpa_cfg_val.paib = 0x01;\n\t\t} else { /* < 0 */\n\t\t\tpa_cfg_val.paib = 0x00;\n\t\t}\n\t\t/* write PACFGIB */\n\t\tstatus = tdme_setsfr_request_sync(\n\t\t\t0,\n\t\t\tCA8210_SFR_PACFGIB,\n\t\t\tpa_cfg_val.paib,\n\t\t\tdevice_ref\n\t\t);\n\t}\n\n\treturn status;\n}", "project": "linux", "hash": 221334507579929350881751741756221854045, "size": 70, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408793 }, { "func": "static int check_guard_bytes(struct usbtest_dev *tdev, struct urb *urb)\n{\n\tu8 *buf = urb->transfer_buffer;\n\tu8 *guard = buf - buffer_offset(buf);\n\tunsigned i;\n\n\tfor (i = 0; guard < buf; i++, guard++) {\n\t\tif (*guard != GUARD_BYTE) {\n\t\t\tERROR(tdev, \"guard byte[%d] %d (not %d)\\n\",\n\t\t\t\ti, *guard, GUARD_BYTE);\n\t\t\treturn -EINVAL;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 132657468018554619970539593368660346670, "size": 15, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing 
kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: 
Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412253 }, { "func": "static void __update_tracer_options(struct trace_array *tr)\n{\n\tstruct tracer *t;\n\n\tfor (t = trace_types; t; t = t->next)\n\t\tadd_tracer_options(tr, t);\n}", "project": "linux", "hash": 9516900681912565750337636465188043487, "size": 7, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445585 }, { "func": "get_total_entries(struct trace_buffer *buf,\n\t\t unsigned long *total, unsigned long *entries)\n{\n\tunsigned long count;\n\tint cpu;\n\n\t*total = 0;\n\t*entries = 0;\n\n\tfor_each_tracing_cpu(cpu) {\n\t\tcount = ring_buffer_entries_cpu(buf->buffer, cpu);\n\t\t/*\n\t\t * If this buffer has skipped entries, then we hold all\n\t\t * entries for the trace and we need to ignore the\n\t\t * ones before the time stamp.\n\t\t */\n\t\tif (per_cpu_ptr(buf->data, cpu)->skipped_entries) {\n\t\t\tcount -= per_cpu_ptr(buf->data, cpu)->skipped_entries;\n\t\t\t/* total is the same as the entries */\n\t\t\t*total += count;\n\t\t} else\n\t\t\t*total += count +\n\t\t\t\tring_buffer_overrun_cpu(buf->buffer, cpu);\n\t\t*entries += count;\n\t}\n}", "project": "linux", 
"hash": 83040125887395224339369930721513318266, "size": 26, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445565 }, { "func": "tracing_cpumask_write(struct file *filp, const char __user *ubuf,\n\t\t size_t count, loff_t *ppos)\n{\n\tstruct trace_array *tr = file_inode(filp)->i_private;\n\tcpumask_var_t tracing_cpumask_new;\n\tint err, cpu;\n\n\tif (!alloc_cpumask_var(&tracing_cpumask_new, GFP_KERNEL))\n\t\treturn -ENOMEM;\n\n\terr = cpumask_parse_user(ubuf, count, tracing_cpumask_new);\n\tif (err)\n\t\tgoto err_unlock;\n\n\tlocal_irq_disable();\n\tarch_spin_lock(&tr->max_lock);\n\tfor_each_tracing_cpu(cpu) {\n\t\t/*\n\t\t * Increase/decrease the disabled counter if we are\n\t\t * about to flip a bit in the cpumask:\n\t\t */\n\t\tif (cpumask_test_cpu(cpu, tr->tracing_cpumask) &&\n\t\t\t\t!cpumask_test_cpu(cpu, tracing_cpumask_new)) {\n\t\t\tatomic_inc(&per_cpu_ptr(tr->trace_buffer.data, cpu)->disabled);\n\t\t\tring_buffer_record_disable_cpu(tr->trace_buffer.buffer, cpu);\n\t\t}\n\t\tif (!cpumask_test_cpu(cpu, tr->tracing_cpumask) &&\n\t\t\t\tcpumask_test_cpu(cpu, tracing_cpumask_new)) {\n\t\t\tatomic_dec(&per_cpu_ptr(tr->trace_buffer.data, cpu)->disabled);\n\t\t\tring_buffer_record_enable_cpu(tr->trace_buffer.buffer, 
cpu);\n\t\t}\n\t}\n\tarch_spin_unlock(&tr->max_lock);\n\tlocal_irq_enable();\n\n\tcpumask_copy(tr->tracing_cpumask, tracing_cpumask_new);\n\tfree_cpumask_var(tracing_cpumask_new);\n\n\treturn count;\n\nerr_unlock:\n\tfree_cpumask_var(tracing_cpumask_new);\n\n\treturn err;\n}", "project": "linux", "hash": 213239612103653632575872048172755014164, "size": 45, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445570 }, { "func": "tracing_total_entries_read(struct file *filp, char __user *ubuf,\n\t\t\t\tsize_t cnt, loff_t *ppos)\n{\n\tstruct trace_array *tr = filp->private_data;\n\tchar buf[64];\n\tint r, cpu;\n\tunsigned long size = 0, expanded_size = 0;\n\n\tmutex_lock(&trace_types_lock);\n\tfor_each_tracing_cpu(cpu) {\n\t\tsize += per_cpu_ptr(tr->trace_buffer.data, cpu)->entries >> 10;\n\t\tif (!ring_buffer_expanded)\n\t\t\texpanded_size += trace_buf_size >> 10;\n\t}\n\tif (ring_buffer_expanded)\n\t\tr = sprintf(buf, \"%lu\\n\", size);\n\telse\n\t\tr = sprintf(buf, \"%lu (expanded: %lu)\\n\", size, expanded_size);\n\tmutex_unlock(&trace_types_lock);\n\n\treturn simple_read_from_buffer(ubuf, cnt, ppos, buf, r);\n}", "project": "linux", "hash": 156411280319480623017210587603474209693, "size": 22, "commit_id": 
"4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445772 }, { "func": "static void update_cr0_intercept(struct vcpu_svm *svm)\n{\n\tulong gcr0 = svm->vcpu.arch.cr0;\n\tu64 *hcr0 = &svm->vmcb->save.cr0;\n\n\t*hcr0 = (*hcr0 & ~SVM_CR0_SELECTIVE_MASK)\n\t\t| (gcr0 & SVM_CR0_SELECTIVE_MASK);\n\n\tmark_dirty(svm->vmcb, VMCB_CR);\n\n\tif (gcr0 == *hcr0) {\n\t\tclr_cr_intercept(svm, INTERCEPT_CR0_READ);\n\t\tclr_cr_intercept(svm, INTERCEPT_CR0_WRITE);\n\t} else {\n\t\tset_cr_intercept(svm, INTERCEPT_CR0_READ);\n\t\tset_cr_intercept(svm, INTERCEPT_CR0_WRITE);\n\t}\n}", "project": "linux", "hash": 218862033627208569008265073111074016507, "size": 18, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432399 }, { "func": "static void update_cr0_intercept(struct vcpu_svm *svm)\n{\n\tulong gcr0 = svm->vcpu.arch.cr0;\n\tu64 *hcr0 = &svm->vmcb->save.cr0;\n\n\tif (!svm->vcpu.fpu_active)\n\t\t*hcr0 |= SVM_CR0_SELECTIVE_MASK;\n\telse\n\t\t*hcr0 = (*hcr0 & ~SVM_CR0_SELECTIVE_MASK)\n\t\t\t| (gcr0 & SVM_CR0_SELECTIVE_MASK);\n\n\tmark_dirty(svm->vmcb, VMCB_CR);\n\n\tif (gcr0 == *hcr0 && svm->vcpu.fpu_active) {\n\t\tclr_cr_intercept(svm, INTERCEPT_CR0_READ);\n\t\tclr_cr_intercept(svm, INTERCEPT_CR0_WRITE);\n\t} else {\n\t\tset_cr_intercept(svm, INTERCEPT_CR0_READ);\n\t\tset_cr_intercept(svm, INTERCEPT_CR0_WRITE);\n\t}\n}", "project": "kvm", "hash": 206598025375646293357017732005362631813, "size": 21, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437637 }, { "func": "int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)\n{\n\tint ret = 0;\n\n\tvcpu_load(vcpu);\n\n\tif (test_fp_ctl(fpu->fpc)) {\n\t\tret = -EINVAL;\n\t\tgoto out;\n\t}\n\tvcpu->run->s.regs.fpc = fpu->fpc;\n\tif (MACHINE_HAS_VX)\n\t\tconvert_fp_to_vx((__vector128 *) vcpu->run->s.regs.vrs,\n\t\t\t\t (freg_t *) fpu->fprs);\n\telse\n\t\tmemcpy(vcpu->run->s.regs.fprs, &fpu->fprs, sizeof(fpu->fprs));\n\nout:\n\tvcpu_put(vcpu);\n\treturn ret;\n}", "project": "linux", "hash": 181925986915982522266319974027651869487, "size": 21, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan 
out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354714 }, { "func": "static int stimer_start(struct kvm_vcpu_hv_stimer *stimer)\n{\n\tu64 time_now;\n\tktime_t ktime_now;\n\n\ttime_now = get_time_ref_counter(hv_stimer_to_vcpu(stimer)->kvm);\n\tktime_now = ktime_get();\n\n\tif (stimer->config.periodic) {\n\t\tif (stimer->exp_time) {\n\t\t\tif (time_now >= stimer->exp_time) {\n\t\t\t\tu64 remainder;\n\n\t\t\t\tdiv64_u64_rem(time_now - stimer->exp_time,\n\t\t\t\t\t stimer->count, &remainder);\n\t\t\t\tstimer->exp_time =\n\t\t\t\t\ttime_now + (stimer->count - remainder);\n\t\t\t}\n\t\t} else\n\t\t\tstimer->exp_time = time_now + stimer->count;\n\n\t\ttrace_kvm_hv_stimer_start_periodic(\n\t\t\t\t\thv_stimer_to_vcpu(stimer)->vcpu_id,\n\t\t\t\t\tstimer->index,\n\t\t\t\t\ttime_now, stimer->exp_time);\n\n\t\thrtimer_start(&stimer->timer,\n\t\t\t ktime_add_ns(ktime_now,\n\t\t\t\t\t 100 * (stimer->exp_time - time_now)),\n\t\t\t HRTIMER_MODE_ABS);\n\t\treturn 0;\n\t}\n\tstimer->exp_time = stimer->count;\n\tif (time_now >= stimer->count) {\n\t\t/*\n\t\t * Expire timer according to Hypervisor Top-Level Functional\n\t\t * specification v4(15.3.1):\n\t\t * \"If a one shot is enabled and the specified count is in\n\t\t * the past, it will expire immediately.\"\n\t\t */\n\t\tstimer_mark_pending(stimer, false);\n\t\treturn 0;\n\t}\n\n\ttrace_kvm_hv_stimer_start_one_shot(hv_stimer_to_vcpu(stimer)->vcpu_id,\n\t\t\t\t\t stimer->index,\n\t\t\t\t\t time_now, 
stimer->count);\n\n\thrtimer_start(&stimer->timer,\n\t\t ktime_add_ns(ktime_now, 100 * (stimer->count - time_now)),\n\t\t HRTIMER_MODE_ABS);\n\treturn 0;\n}", "project": "linux", "hash": 223531289791246230715147067525437700335, "size": 53, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343483 }, { "func": "int input_register_device(struct input_dev *dev)\n{\n\tstruct input_devres *devres = NULL;\n\tstruct input_handler *handler;\n\tunsigned int packet_size;\n\tconst char *path;\n\tint error;\n\n\tif (test_bit(EV_ABS, dev->evbit) && !dev->absinfo) {\n\t\tdev_err(&dev->dev,\n\t\t\t\"Absolute device without dev->absinfo, refusing to register\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (dev->devres_managed) {\n\t\tdevres = devres_alloc(devm_input_device_unregister,\n\t\t\t\t sizeof(*devres), GFP_KERNEL);\n\t\tif (!devres)\n\t\t\treturn -ENOMEM;\n\n\t\tdevres->input = dev;\n\t}\n\n\t/* Every input device generates EV_SYN/SYN_REPORT events. */\n\t__set_bit(EV_SYN, dev->evbit);\n\n\t/* KEY_RESERVED is not supposed to be transmitted to userspace. */\n\t__clear_bit(KEY_RESERVED, dev->keybit);\n\n\t/* Make sure that bitmasks not mentioned in dev->evbit are clean. 
*/\n\tinput_cleanse_bitmasks(dev);\n\n\tpacket_size = input_estimate_events_per_packet(dev);\n\tif (dev->hint_events_per_packet < packet_size)\n\t\tdev->hint_events_per_packet = packet_size;\n\n\tdev->max_vals = dev->hint_events_per_packet + 2;\n\tdev->vals = kcalloc(dev->max_vals, sizeof(*dev->vals), GFP_KERNEL);\n\tif (!dev->vals) {\n\t\terror = -ENOMEM;\n\t\tgoto err_devres_free;\n\t}\n\n\t/*\n\t * If delay and period are pre-set by the driver, then autorepeating\n\t * is handled by the driver itself and we don't do it in input.c.\n\t */\n\tif (!dev->rep[REP_DELAY] && !dev->rep[REP_PERIOD])\n\t\tinput_enable_softrepeat(dev, 250, 33);\n\n\tif (!dev->getkeycode)\n\t\tdev->getkeycode = input_default_getkeycode;\n\n\tif (!dev->setkeycode)\n\t\tdev->setkeycode = input_default_setkeycode;\n\n\tif (dev->poller)\n\t\tinput_dev_poller_finalize(dev->poller);\n\n\terror = device_add(&dev->dev);\n\tif (error)\n\t\tgoto err_free_vals;\n\n\tpath = kobject_get_path(&dev->dev.kobj, GFP_KERNEL);\n\tpr_info(\"%s as %s\\n\",\n\t\tdev->name ? dev->name : \"Unspecified device\",\n\t\tpath ? 
path : \"N/A\");\n\tkfree(path);\n\n\terror = mutex_lock_interruptible(&input_mutex);\n\tif (error)\n\t\tgoto err_device_del;\n\n\tlist_add_tail(&dev->node, &input_dev_list);\n\n\tlist_for_each_entry(handler, &input_handler_list, node)\n\t\tinput_attach_handler(dev, handler);\n\n\tinput_wakeup_procfs_readers();\n\n\tmutex_unlock(&input_mutex);\n\n\tif (dev->devres_managed) {\n\t\tdev_dbg(dev->dev.parent, \"%s: registering %s with devres.\\n\",\n\t\t\t__func__, dev_name(&dev->dev));\n\t\tdevres_add(dev->dev.parent, devres);\n\t}\n\treturn 0;\n\nerr_device_del:\n\tdevice_del(&dev->dev);\nerr_free_vals:\n\tkfree(dev->vals);\n\tdev->vals = NULL;\nerr_devres_free:\n\tdevres_free(devres);\n\treturn error;\n}", "project": "linux", "hash": 153218311254519772041112146866943955819, "size": 98, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353307 }, { "func": "static int nfs41_check_delegation_stateid(struct nfs4_state *state)\n{\n\tstruct nfs_server *server = NFS_SERVER(state->inode);\n\tnfs4_stateid stateid;\n\tstruct nfs_delegation *delegation;\n\tconst struct cred *cred = NULL;\n\tint status, ret = NFS_OK;\n\n\t/* Get the delegation credential for use by test/free_stateid */\n\trcu_read_lock();\n\tdelegation = rcu_dereference(NFS_I(state->inode)->delegation);\n\tif (delegation == NULL) {\n\t\trcu_read_unlock();\n\t\tnfs_state_clear_delegation(state);\n\t\treturn NFS_OK;\n\t}\n\n\tspin_lock(&delegation->lock);\n\tnfs4_stateid_copy(&stateid, &delegation->stateid);\n\n\tif (!test_and_clear_bit(NFS_DELEGATION_TEST_EXPIRED,\n\t\t\t\t&delegation->flags)) {\n\t\tspin_unlock(&delegation->lock);\n\t\trcu_read_unlock();\n\t\treturn NFS_OK;\n\t}\n\n\tif (delegation->cred)\n\t\tcred = get_cred(delegation->cred);\n\tspin_unlock(&delegation->lock);\n\trcu_read_unlock();\n\tstatus = nfs41_test_and_free_expired_stateid(server, &stateid, cred);\n\ttrace_nfs4_test_delegation_stateid(state, NULL, status);\n\tif (status == -NFS4ERR_EXPIRED || status == -NFS4ERR_BAD_STATEID)\n\t\tnfs_finish_clear_delegation_stateid(state, &stateid);\n\telse\n\t\tret = status;\n\n\tput_cred(cred);\n\treturn ret;\n}", "project": "linux", "hash": 6100058212336450220623076015465930572, "size": 41, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of 
Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431286 }, { "func": "static int printer_func_bind(struct usb_configuration *c,\n\t\tstruct usb_function *f)\n{\n\tstruct usb_gadget *gadget = c->cdev->gadget;\n\tstruct printer_dev *dev = func_to_printer(f);\n\tstruct device *pdev;\n\tstruct usb_composite_dev *cdev = c->cdev;\n\tstruct usb_ep *in_ep;\n\tstruct usb_ep *out_ep = NULL;\n\tstruct usb_request *req;\n\tdev_t devt;\n\tint id;\n\tint ret;\n\tu32 i;\n\n\tid = usb_interface_id(c, f);\n\tif (id < 0)\n\t\treturn id;\n\tintf_desc.bInterfaceNumber = id;\n\n\t/* finish hookup to lower layer ... */\n\tdev->gadget = gadget;\n\n\t/* all we really need is bulk IN/OUT */\n\tin_ep = usb_ep_autoconfig(cdev->gadget, &fs_ep_in_desc);\n\tif (!in_ep) {\nautoconf_fail:\n\t\tdev_err(&cdev->gadget->dev, \"can't autoconfigure on %s\\n\",\n\t\t\tcdev->gadget->name);\n\t\treturn -ENODEV;\n\t}\n\n\tout_ep = usb_ep_autoconfig(cdev->gadget, &fs_ep_out_desc);\n\tif (!out_ep)\n\t\tgoto autoconf_fail;\n\n\t/* assumes that all endpoints are dual-speed */\n\ths_ep_in_desc.bEndpointAddress = fs_ep_in_desc.bEndpointAddress;\n\ths_ep_out_desc.bEndpointAddress = fs_ep_out_desc.bEndpointAddress;\n\tss_ep_in_desc.bEndpointAddress = fs_ep_in_desc.bEndpointAddress;\n\tss_ep_out_desc.bEndpointAddress = fs_ep_out_desc.bEndpointAddress;\n\n\tret = usb_assign_descriptors(f, fs_printer_function,\n\t\t\ths_printer_function, ss_printer_function, NULL);\n\tif (ret)\n\t\treturn ret;\n\n\tdev->in_ep = in_ep;\n\tdev->out_ep = out_ep;\n\n\tret = -ENOMEM;\n\tfor (i = 0; i < dev->q_len; i++) {\n\t\treq = printer_req_alloc(dev->in_ep, USB_BUFSIZE, GFP_KERNEL);\n\t\tif (!req)\n\t\t\tgoto fail_tx_reqs;\n\t\tlist_add(&req->list, &dev->tx_reqs);\n\t}\n\n\tfor (i = 0; i < dev->q_len; i++) {\n\t\treq = printer_req_alloc(dev->out_ep, USB_BUFSIZE, GFP_KERNEL);\n\t\tif (!req)\n\t\t\tgoto 
fail_rx_reqs;\n\t\tlist_add(&req->list, &dev->rx_reqs);\n\t}\n\n\t/* Setup the sysfs files for the printer gadget. */\n\tdevt = MKDEV(major, dev->minor);\n\tpdev = device_create(usb_gadget_class, NULL, devt,\n\t\t\t\t NULL, \"g_printer%d\", dev->minor);\n\tif (IS_ERR(pdev)) {\n\t\tERROR(dev, \"Failed to create device: g_printer\\n\");\n\t\tret = PTR_ERR(pdev);\n\t\tgoto fail_rx_reqs;\n\t}\n\n\t/*\n\t * Register a character device as an interface to a user mode\n\t * program that handles the printer specific functionality.\n\t */\n\tcdev_init(&dev->printer_cdev, &printer_io_operations);\n\tdev->printer_cdev.owner = THIS_MODULE;\n\tret = cdev_add(&dev->printer_cdev, devt, 1);\n\tif (ret) {\n\t\tERROR(dev, \"Failed to open char device\\n\");\n\t\tgoto fail_cdev_add;\n\t}\n\n\treturn 0;\n\nfail_cdev_add:\n\tdevice_destroy(usb_gadget_class, devt);\n\nfail_rx_reqs:\n\twhile (!list_empty(&dev->rx_reqs)) {\n\t\treq = container_of(dev->rx_reqs.next, struct usb_request, list);\n\t\tlist_del(&req->list);\n\t\tprinter_req_free(dev->out_ep, req);\n\t}\n\nfail_tx_reqs:\n\twhile (!list_empty(&dev->tx_reqs)) {\n\t\treq = container_of(dev->tx_reqs.next, struct usb_request, list);\n\t\tlist_del(&req->list);\n\t\tprinter_req_free(dev->in_ep, req);\n\t}\n\n\treturn ret;\n\n}", "project": "linux", "hash": 102649557459662091865802259519889139409, "size": 109, "commit_id": "e8d5f92b8d30bb4ade76494490c3c065e12411b1", "message": "usb: gadget: function: printer: fix use-after-free in __lock_acquire\n\nFix this by increase object reference count.\n\nBUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180\nkernel/locking/lockdep.c:3831\nRead of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377\n\nCPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xce/0x128 lib/dump_stack.c:118\n 
print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374\n __kasan_report+0x131/0x1b0 mm/kasan/report.c:506\n kasan_report+0x12/0x20 mm/kasan/common.c:641\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135\n __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831\n lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0xfb/0x130 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x4531a9\nCode: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9\nRDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003\nRBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61\nR13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff\n\nAllocated by task 2393:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515\n kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529\n kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813\n kmalloc include/linux/slab.h:555 [inline]\n kzalloc include/linux/slab.h:669 [inline]\n gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416\n usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61\n 
config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444\n configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202\n vfs_symlink+0x33d/0x5b0 fs/namei.c:4201\n do_symlinkat+0x11b/0x1d0 fs/namei.c:4228\n __do_sys_symlinkat fs/namei.c:4242 [inline]\n __se_sys_symlinkat fs/namei.c:4239 [inline]\n __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nFreed by task 3368:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n kasan_set_free_info mm/kasan/common.c:337 [inline]\n __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476\n kasan_slab_free+0xe/0x10 mm/kasan/common.c:485\n slab_free_hook mm/slub.c:1444 [inline]\n slab_free_freelist_hook mm/slub.c:1477 [inline]\n slab_free mm/slub.c:3034 [inline]\n kfree+0xf7/0x410 mm/slub.c:3995\n gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353\n usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87\n config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485\n configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250\n vfs_unlink+0x287/0x570 fs/namei.c:4073\n do_unlinkat+0x4f9/0x620 fs/namei.c:4137\n __do_sys_unlink fs/namei.c:4184 [inline]\n __se_sys_unlink fs/namei.c:4182 [inline]\n __x64_sys_unlink+0x42/0x50 fs/namei.c:4182\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nThe buggy address belongs to the object at ffff8880683b0000\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 24 bytes inside of\n 1024-byte region [ffff8880683b0000, ffff8880683b0400)\nThe buggy address belongs to the page:\npage:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300\nindex:0xffff8880683b1800 compound_mapcount: 0\nflags: 0x100000000010200(slab|head)\nraw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300\nraw: ffff8880683b1800 000000008010000a 00000001ffffffff 
0000000000000000\npage dumped because: kasan: bad access detected\n\nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nSigned-off-by: Felipe Balbi ", "target": 0, "dataset": "other", "idx": 389346 }, { "func": "static const char *oidc_original_request_method(request_rec *r, oidc_cfg *cfg,\n\t\tapr_byte_t handle_discovery_response) {\n\tconst char *method = OIDC_METHOD_GET;\n\n\tchar *m = NULL;\n\tif ((handle_discovery_response == TRUE)\n\t\t\t&& (oidc_util_request_matches_url(r, oidc_get_redirect_uri(r, cfg)))\n\t\t\t&& (oidc_is_discovery_response(r, cfg))) {\n\t\toidc_util_get_request_parameter(r, OIDC_DISC_RM_PARAM, &m);\n\t\tif (m != NULL)\n\t\t\tmethod = apr_pstrdup(r->pool, m);\n\t} else {\n\n\t\t/*\n\t\t * if POST preserve is not enabled for this location, there's no point in preserving\n\t\t * the method either which would result in POSTing empty data on return;\n\t\t * so we revert to legacy behavior\n\t\t */\n\t\tif (oidc_cfg_dir_preserve_post(r) == 0)\n\t\t\treturn OIDC_METHOD_GET;\n\n\t\tconst char *content_type = oidc_util_hdr_in_content_type_get(r);\n\t\tif ((r->method_number == M_POST) && (apr_strnatcmp(content_type,\n\t\t\t\tOIDC_CONTENT_TYPE_FORM_ENCODED) == 0))\n\t\t\tmethod = OIDC_METHOD_FORM_POST;\n\t}\n\n\toidc_debug(r, \"return: %s\", method);\n\n\treturn method;\n}", "project": "mod_auth_openidc", "hash": 76306710588117027634448999298383394036, "size": 31, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447701 }, { "func": "Variant getImageSize(const req::ptr& stream, Array& imageinfo) {\n int itype = 0;\n struct gfxinfo *result = nullptr;\n\n imageinfo = Array::CreateDArray();\n itype = php_getimagetype(stream);\n switch( itype) {\n case IMAGE_FILETYPE_GIF:\n result = php_handle_gif(stream);\n break;\n case IMAGE_FILETYPE_JPEG:\n result = php_handle_jpeg(stream, imageinfo);\n break;\n case IMAGE_FILETYPE_PNG:\n result = 
php_handle_png(stream);\n break;\n case IMAGE_FILETYPE_SWF:\n result = php_handle_swf(stream);\n break;\n case IMAGE_FILETYPE_SWC:\n result = php_handle_swc(stream);\n break;\n case IMAGE_FILETYPE_PSD:\n result = php_handle_psd(stream);\n break;\n case IMAGE_FILETYPE_BMP:\n result = php_handle_bmp(stream);\n break;\n case IMAGE_FILETYPE_TIFF_II:\n result = php_handle_tiff(stream, 0);\n break;\n case IMAGE_FILETYPE_TIFF_MM:\n result = php_handle_tiff(stream, 1);\n break;\n case IMAGE_FILETYPE_JPC:\n result = php_handle_jpc(stream);\n break;\n case IMAGE_FILETYPE_JP2:\n result = php_handle_jp2(stream);\n break;\n case IMAGE_FILETYPE_IFF:\n result = php_handle_iff(stream);\n break;\n case IMAGE_FILETYPE_WBMP:\n result = php_handle_wbmp(stream);\n break;\n case IMAGE_FILETYPE_XBM:\n result = php_handle_xbm(stream);\n break;\n case IMAGE_FILETYPE_ICO:\n result = php_handle_ico(stream);\n break;\n default:\n case IMAGE_FILETYPE_UNKNOWN:\n break;\n }\n\n if (result) {\n DArrayInit ret(7);\n ret.set(0, (int64_t)result->width);\n ret.set(1, (int64_t)result->height);\n ret.set(2, itype);\n char *temp;\n php_vspprintf(&temp, 0, \"width=\\\"%d\\\" height=\\\"%d\\\"\",\n result->width, result->height);\n ret.set(3, String(temp, CopyString));\n if (temp) IM_FREE(temp);\n if (result->bits != 0) {\n ret.set(s_bits, (int64_t)result->bits);\n }\n if (result->channels != 0) {\n ret.set(s_channels, (int64_t)result->channels);\n }\n ret.set(s_mime, (char*)php_image_type_to_mime_type(itype));\n IM_FREE(result);\n return ret.toVariant();\n } else {\n return false;\n }\n}", "project": "hhvm", "hash": 158337651470326225897397625419407479471, "size": 80, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219763 }, { "func": "static void opj_tcd_free_tile(opj_tcd_t *p_tcd)\n{\n OPJ_UINT32 compno, resno, bandno, precno;\n opj_tcd_tile_t *l_tile = 00;\n 
opj_tcd_tilecomp_t *l_tile_comp = 00;\n opj_tcd_resolution_t *l_res = 00;\n opj_tcd_band_t *l_band = 00;\n opj_tcd_precinct_t *l_precinct = 00;\n OPJ_UINT32 l_nb_resolutions, l_nb_precincts;\n void (* l_tcd_code_block_deallocate)(opj_tcd_precinct_t *) = 00;\n\n if (! p_tcd) {\n return;\n }\n\n if (! p_tcd->tcd_image) {\n return;\n }\n\n if (p_tcd->m_is_decoder) {\n l_tcd_code_block_deallocate = opj_tcd_code_block_dec_deallocate;\n } else {\n l_tcd_code_block_deallocate = opj_tcd_code_block_enc_deallocate;\n }\n\n l_tile = p_tcd->tcd_image->tiles;\n if (! l_tile) {\n return;\n }\n\n l_tile_comp = l_tile->comps;\n\n for (compno = 0; compno < l_tile->numcomps; ++compno) {\n l_res = l_tile_comp->resolutions;\n if (l_res) {\n\n l_nb_resolutions = l_tile_comp->resolutions_size / (OPJ_UINT32)sizeof(\n opj_tcd_resolution_t);\n for (resno = 0; resno < l_nb_resolutions; ++resno) {\n l_band = l_res->bands;\n for (bandno = 0; bandno < 3; ++bandno) {\n l_precinct = l_band->precincts;\n if (l_precinct) {\n\n l_nb_precincts = l_band->precincts_data_size / (OPJ_UINT32)sizeof(\n opj_tcd_precinct_t);\n for (precno = 0; precno < l_nb_precincts; ++precno) {\n opj_tgt_destroy(l_precinct->incltree);\n l_precinct->incltree = 00;\n opj_tgt_destroy(l_precinct->imsbtree);\n l_precinct->imsbtree = 00;\n (*l_tcd_code_block_deallocate)(l_precinct);\n ++l_precinct;\n }\n\n opj_free(l_band->precincts);\n l_band->precincts = 00;\n }\n ++l_band;\n } /* for (resno */\n ++l_res;\n }\n\n opj_free(l_tile_comp->resolutions);\n l_tile_comp->resolutions = 00;\n }\n\n if (l_tile_comp->ownsData && l_tile_comp->data) {\n opj_image_data_free(l_tile_comp->data);\n l_tile_comp->data = 00;\n l_tile_comp->ownsData = 0;\n l_tile_comp->data_size = 0;\n l_tile_comp->data_size_needed = 0;\n }\n\n opj_image_data_free(l_tile_comp->data_win);\n\n ++l_tile_comp;\n }\n\n opj_free(l_tile->comps);\n l_tile->comps = 00;\n opj_free(p_tcd->tcd_image->tiles);\n p_tcd->tcd_image->tiles = 00;\n}", "project": "openjpeg", "hash": 
159494888461153894537207826955784208379, "size": 85, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359164 }, { "func": "ConnStateData::parseTlsHandshake()\n{\n Must(parsingTlsHandshake);\n\n assert(!inBuf.isEmpty());\n receivedFirstByte();\n fd_note(clientConnection->fd, \"Parsing TLS handshake\");\n\n bool unsupportedProtocol = false;\n try {\n if (!tlsParser.parseHello(inBuf)) {\n // need more data to finish parsing\n readSomeData();\n return;\n }\n }\n catch (const std::exception &ex) {\n debugs(83, 2, \"error on FD \" << clientConnection->fd << \": \" << ex.what());\n unsupportedProtocol = true;\n }\n\n parsingTlsHandshake = false;\n\n // client data may be needed for splicing and for\n // tunneling unsupportedProtocol after an error\n preservedClientData = inBuf;\n\n // Even if the parser failed, each TLS detail should either be set\n // correctly or still be \"unknown\"; copying unknown detail is a no-op.\n Security::TlsDetails::Pointer const &details = tlsParser.details;\n clientConnection->tlsNegotiations()->retrieveParsedInfo(details);\n if (details && !details->serverName.isEmpty()) {\n resetSslCommonName(details->serverName.c_str());\n tlsClientSni_ = details->serverName;\n }\n\n // We should disable read/write handlers\n Comm::ResetSelect(clientConnection->fd);\n\n if (unsupportedProtocol) {\n Http::StreamPointer context = pipeline.front();\n Must(context && context->http);\n HttpRequest::Pointer request = context->http->request;\n debugs(83, 5, \"Got something other than TLS Client Hello. 
Cannot SslBump.\");\n sslBumpMode = Ssl::bumpSplice;\n context->http->al->ssl.bumpMode = Ssl::bumpSplice;\n if (!clientTunnelOnError(this, context, request, HttpRequestMethod(), ERR_PROTOCOL_UNKNOWN))\n clientConnection->close();\n return;\n }\n\n if (!sslServerBump || sslServerBump->act.step1 == Ssl::bumpClientFirst) { // Either means client-first.\n getSslContextStart();\n return;\n } else if (sslServerBump->act.step1 == Ssl::bumpServerFirst) {\n // will call httpsPeeked() with certificate and connection, eventually\n FwdState::fwdStart(clientConnection, sslServerBump->entry, sslServerBump->request.getRaw());\n } else {\n Must(sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare);\n startPeekAndSplice();\n }\n}", "project": "squid", "hash": 247848640249550499065609847240814189269, "size": 62, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402347 }, { "func": " Item_copy_string(THD *thd, Item *item_arg): Item_copy(thd, item_arg) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 41097146298324999853866449486643397425, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509319 }, { "func": "static void fuse_rdc_reset(struct inode *inode)\n{\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\n\tfi->rdc.cached = false;\n\tfi->rdc.version++;\n\tfi->rdc.size = 0;\n\tfi->rdc.pos = 0;\n}", "project": "linux", "hash": 207690245884433167717951383986635521357, "size": 9, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342040 }, { "func": "static int mpol_set_nodemask(struct mempolicy *pol,\n\t\t const nodemask_t *nodes, struct nodemask_scratch *nsc)\n{\n\tint ret;\n\n\t/* if mode is MPOL_DEFAULT, pol is NULL. This is right. 
*/\n\tif (pol == NULL)\n\t\treturn 0;\n\t/* Check N_MEMORY */\n\tnodes_and(nsc->mask1,\n\t\t cpuset_current_mems_allowed, node_states[N_MEMORY]);\n\n\tVM_BUG_ON(!nodes);\n\tif (pol->mode == MPOL_PREFERRED && nodes_empty(*nodes))\n\t\tnodes = NULL;\t/* explicit local allocation */\n\telse {\n\t\tif (pol->flags & MPOL_F_RELATIVE_NODES)\n\t\t\tmpol_relative_nodemask(&nsc->mask2, nodes, &nsc->mask1);\n\t\telse\n\t\t\tnodes_and(nsc->mask2, *nodes, nsc->mask1);\n\n\t\tif (mpol_store_user_nodemask(pol))\n\t\t\tpol->w.user_nodemask = *nodes;\n\t\telse\n\t\t\tpol->w.cpuset_mems_allowed =\n\t\t\t\t\t\tcpuset_current_mems_allowed;\n\t}\n\n\tif (nodes)\n\t\tret = mpol_ops[pol->mode].create(pol, &nsc->mask2);\n\telse\n\t\tret = mpol_ops[pol->mode].create(pol, NULL);\n\treturn ret;\n}", "project": "linux", "hash": 77286990929877457451499968640196070586, "size": 34, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366726 }, { "func": "static bool checkreturn find_extension_field(pb_field_iter_t *iter)\n{\n const pb_field_t *start = iter->pos;\n \n do {\n if (PB_LTYPE(iter->pos->type) == PB_LTYPE_EXTENSION)\n return true;\n (void)pb_field_iter_next(iter);\n } while (iter->pos != start);\n \n return false;\n}", "project": "nanopb", "hash": 331626759094987132214723940381092340250, "size": 12, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252513 }, { "func": "static bool checkreturn find_extension_field(pb_field_iterator_t *iter)\n{\n unsigned start = iter->field_index;\n \n do {\n if (PB_LTYPE(iter->pos->type) == PB_LTYPE_EXTENSION)\n return true;\n (void)pb_field_next(iter);\n } while (iter->field_index != start);\n \n return false;\n}", "project": "nanopb", "hash": 22561736283133598459439550075677144438, "size": 12, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255317 }, { "func": "static int _nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,\n\t\tstruct iattr *sattr, struct nfs4_label *label, dev_t rdev)\n{\n\tstruct nfs4_createdata *data;\n\tint 
mode = sattr->ia_mode;\n\tint status = -ENOMEM;\n\n\tdata = nfs4_alloc_createdata(dir, &dentry->d_name, sattr, NF4SOCK);\n\tif (data == NULL)\n\t\tgoto out;\n\n\tif (S_ISFIFO(mode))\n\t\tdata->arg.ftype = NF4FIFO;\n\telse if (S_ISBLK(mode)) {\n\t\tdata->arg.ftype = NF4BLK;\n\t\tdata->arg.u.device.specdata1 = MAJOR(rdev);\n\t\tdata->arg.u.device.specdata2 = MINOR(rdev);\n\t}\n\telse if (S_ISCHR(mode)) {\n\t\tdata->arg.ftype = NF4CHR;\n\t\tdata->arg.u.device.specdata1 = MAJOR(rdev);\n\t\tdata->arg.u.device.specdata2 = MINOR(rdev);\n\t} else if (!S_ISSOCK(mode)) {\n\t\tstatus = -EINVAL;\n\t\tgoto out_free;\n\t}\n\n\tdata->arg.label = label;\n\tstatus = nfs4_do_create(dir, dentry, data);\nout_free:\n\tnfs4_free_createdata(data);\nout:\n\treturn status;\n}", "project": "linux", "hash": 80722660698174807555542860395758637434, "size": 34, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431458 }, { "func": " virtual void save_result(Field *to) { save_val(to); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 207231018735039729898791931948296437180, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508941 }, { "func": "static void *nested_svm_map(struct vcpu_svm *svm, u64 gpa, struct page **_page)\n{\n\tstruct page *page;\n\n\tmight_sleep();\n\n\tpage = gfn_to_page(svm->vcpu.kvm, gpa >> PAGE_SHIFT);\n\tif (is_error_page(page))\n\t\tgoto error;\n\n\t*_page = page;\n\n\treturn kmap(page);\n\nerror:\n\tkvm_inject_gp(&svm->vcpu, 0);\n\n\treturn NULL;\n}", "project": "kvm", "hash": 299688567587379506413220255765555492427, "size": 19, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437667 }, { "func": "R_API void r_core_autocomplete_free(RCoreAutocomplete *obj) {\n\tif (!obj) {\n\t\treturn;\n\t}\n\tint i;\n\tfor (i = 0; i < obj->n_subcmds; i++) {\n\t\tr_core_autocomplete_free (obj->subcmds[i]);\n\t\tobj->subcmds[i] = NULL;\n\t}\n\tfree (obj->subcmds);\n\tfree ((char*) obj->cmd);\n\tfree (obj);\n}", "project": "radare2", "hash": 230394539506603686376927772945627749294, "size": 13, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232117 }, { "func": "static int imap_path_pretty(char *buf, size_t buflen, const char *folder)\n{\n if (!folder)\n return -1;\n\n imap_pretty_mailbox(buf, buflen, folder);\n return 0;\n}", "project": 
"neomutt", "hash": 210689742720602305264983510585537396651, "size": 8, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357038 }, { "func": "int alloc_chrdev_region(dev_t *dev, unsigned baseminor, unsigned count,\n\t\t\tconst char *name)\n{\n\tstruct char_device_struct *cd;\n\tcd = __register_chrdev_region(0, baseminor, count, name);\n\tif (IS_ERR(cd))\n\t\treturn PTR_ERR(cd);\n\t*dev = MKDEV(cd->major, cd->baseminor);\n\treturn 0;\n}", "project": "linux", "hash": 95981677015406246796933232958848546420, "size": 10, "commit_id": "68faa679b8be1a74e6663c21c3a9d25d32f1c079", "message": "chardev: Avoid potential use-after-free in 'chrdev_open()'\n\n'chrdev_open()' calls 'cdev_get()' to obtain a reference to the\n'struct cdev *' stashed in the 'i_cdev' field of the target inode\nstructure. If the pointer is NULL, then it is initialised lazily by\nlooking up the kobject in the 'cdev_map' and so the whole procedure is\nprotected by the 'cdev_lock' spinlock to serialise initialisation of\nthe shared pointer.\n\nUnfortunately, it is possible for the initialising thread to fail *after*\ninstalling the new pointer, for example if the subsequent '->open()' call\non the file fails. In this case, 'cdev_put()' is called, the reference\ncount on the kobject is dropped and, if nobody else has taken a reference,\nthe release function is called which finally clears 'inode->i_cdev' from\n'cdev_purge()' before potentially freeing the object. 
The problem here\nis that a racing thread can happily take the 'cdev_lock' and see the\nnon-NULL pointer in the inode, which can result in a refcount increment\nfrom zero and a warning:\n\n | ------------[ cut here ]------------\n | refcount_t: addition on 0; use-after-free.\n | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0\n | Modules linked in:\n | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\n | RIP: 0010:refcount_warn_saturate+0x6d/0xf0\n | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08\n | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282\n | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000\n | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798\n | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039\n | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700\n | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700\n | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0\n | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n | Call Trace:\n | kobject_get+0x5c/0x60\n | cdev_get+0x2b/0x60\n | chrdev_open+0x55/0x220\n | ? cdev_put.part.3+0x20/0x20\n | do_dentry_open+0x13a/0x390\n | path_openat+0x2c8/0x1470\n | do_filp_open+0x93/0x100\n | ? 
selinux_file_ioctl+0x17f/0x220\n | do_sys_open+0x186/0x220\n | do_syscall_64+0x48/0x150\n | entry_SYSCALL_64_after_hwframe+0x44/0xa9\n | RIP: 0033:0x7f3b87efcd0e\n | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4\n | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101\n | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e\n | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c\n | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000\n | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e\n | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000\n | ---[ end trace 24f53ca58db8180a ]---\n\nSince 'cdev_get()' can already fail to obtain a reference, simply move\nit over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',\nwhich will cause the racing thread to return -ENXIO if the initialising\nthread fails unexpectedly.\n\nCc: Hillf Danton \nCc: Andrew Morton \nCc: Al Viro \nReported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com\nSigned-off-by: Will Deacon \nCc: stable \nLink: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 446390 }, { "func": "Item_bool_func2::remove_eq_conds(THD *thd, Item::cond_result *cond_value,\n bool top_level_arg)\n{\n if (const_item() && !is_expensive())\n {\n *cond_value= eval_const_cond() ? 
Item::COND_TRUE : Item::COND_FALSE;\n return (COND*) 0;\n }\n if ((*cond_value= eq_cmp_result()) != Item::COND_OK)\n {\n if (args[0]->eq(args[1], true))\n {\n if (!args[0]->maybe_null || functype() == Item_func::EQUAL_FUNC)\n return (COND*) 0; // Compare of identical items\n }\n }\n *cond_value= Item::COND_OK;\n return this; // Point at next and level\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 94045310244332531539241217672032323624, "size": 19, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508462 }, { "func": "Item_cond::remove_eq_conds(THD *thd, Item::cond_result *cond_value,\n bool top_level_arg)\n{\n bool and_level= functype() == Item_func::COND_AND_FUNC;\n List *cond_arg_list= argument_list();\n\n if (and_level)\n {\n /*\n Remove multiple equalities that became always true (e.g. 
after\n constant row substitution).\n They would be removed later in the function anyway, but the list of\n them cond_equal.current_level also must be adjusted correspondingly.\n So it's easier to do it at one pass through the list of the equalities.\n */\n List *cond_equalities=\n &((Item_cond_and *) this)->m_cond_equal.current_level;\n cond_arg_list->disjoin((List *) cond_equalities);\n List_iterator it(*cond_equalities);\n Item_equal *eq_item;\n while ((eq_item= it++))\n {\n if (eq_item->const_item() && eq_item->val_int())\n it.remove();\n }\n cond_arg_list->append((List *) cond_equalities);\n }\n\n List new_equalities;\n List_iterator li(*cond_arg_list);\n bool should_fix_fields= 0;\n Item::cond_result tmp_cond_value;\n Item *item;\n\n /*\n If the list cond_arg_list became empty then it consisted only\n of always true multiple equalities.\n */\n *cond_value= cond_arg_list->elements ? Item::COND_UNDEF : Item::COND_TRUE;\n\n while ((item=li++))\n {\n Item *new_item= item->remove_eq_conds(thd, &tmp_cond_value, false);\n if (!new_item)\n {\n /* This can happen only when item is converted to TRUE or FALSE */\n li.remove();\n }\n else if (item != new_item)\n {\n /*\n This can happen when:\n - item was an OR formula converted to one disjunct\n - item was an AND formula converted to one conjunct\n In these cases the disjunct/conjunct must be merged into the\n argument list of cond.\n */\n if (new_item->type() == Item::COND_ITEM &&\n item->type() == Item::COND_ITEM)\n {\n DBUG_ASSERT(functype() == ((Item_cond *) new_item)->functype());\n List *new_item_arg_list=\n ((Item_cond *) new_item)->argument_list();\n if (and_level)\n {\n /*\n If new_item is an AND formula then multiple equalities\n of new_item_arg_list must merged into multiple equalities\n of cond_arg_list.\n */\n List *new_item_equalities=\n &((Item_cond_and *) new_item)->m_cond_equal.current_level;\n if (!new_item_equalities->is_empty())\n {\n /*\n Cut the multiple equalities from the new_item_arg_list and\n 
append them on the list new_equalities. Later the equalities\n from this list will be merged into the multiple equalities\n of cond_arg_list all together.\n */\n new_item_arg_list->disjoin((List *) new_item_equalities);\n new_equalities.append(new_item_equalities);\n }\n }\n if (new_item_arg_list->is_empty())\n li.remove();\n else\n {\n uint cnt= new_item_arg_list->elements;\n li.replace(*new_item_arg_list);\n /* Make iterator li ignore new items */\n for (cnt--; cnt; cnt--)\n li++;\n should_fix_fields= 1;\n }\n }\n else if (and_level &&\n new_item->type() == Item::FUNC_ITEM &&\n ((Item_cond*) new_item)->functype() ==\n Item_func::MULT_EQUAL_FUNC)\n {\n li.remove();\n new_equalities.push_back((Item_equal *) new_item, thd->mem_root);\n }\n else\n {\n if (new_item->type() == Item::COND_ITEM &&\n ((Item_cond*) new_item)->functype() == functype())\n {\n List *new_item_arg_list=\n ((Item_cond *) new_item)->argument_list();\n uint cnt= new_item_arg_list->elements;\n li.replace(*new_item_arg_list);\n /* Make iterator li ignore new items */\n for (cnt--; cnt; cnt--)\n li++;\n }\n else\n li.replace(new_item);\n should_fix_fields= 1;\n }\n }\n if (*cond_value == Item::COND_UNDEF)\n *cond_value= tmp_cond_value;\n switch (tmp_cond_value) {\n case Item::COND_OK: // Not TRUE or FALSE\n if (and_level || *cond_value == Item::COND_FALSE)\n *cond_value=tmp_cond_value;\n break;\n case Item::COND_FALSE:\n if (and_level)\n {\n *cond_value= tmp_cond_value;\n return (COND*) 0; // Always false\n }\n break;\n case Item::COND_TRUE:\n if (!and_level)\n {\n *cond_value= tmp_cond_value;\n return (COND*) 0; // Always true\n }\n break;\n case Item::COND_UNDEF: // Impossible\n break; /* purecov: deadcode */\n }\n }\n COND *cond= this;\n if (!new_equalities.is_empty())\n {\n DBUG_ASSERT(and_level);\n /*\n Merge multiple equalities that were cut from the results of\n simplification of OR formulas converted into AND formulas.\n These multiple equalities are to be merged into the\n multiple 
equalities of cond_arg_list.\n */\n COND_EQUAL *cond_equal= &((Item_cond_and *) this)->m_cond_equal;\n List *cond_equalities= &cond_equal->current_level;\n cond_arg_list->disjoin((List *) cond_equalities);\n Item_equal *equality;\n List_iterator_fast it(new_equalities);\n while ((equality= it++))\n {\n equality->upper_levels= cond_equal->upper_levels;\n equality->merge_into_list(thd, cond_equalities, false, false);\n List_iterator_fast ei(*cond_equalities);\n while ((equality= ei++))\n {\n if (equality->const_item() && !equality->val_int())\n {\n *cond_value= Item::COND_FALSE;\n return (COND*) 0;\n }\n }\n }\n cond_arg_list->append((List *) cond_equalities);\n /*\n Propagate the newly formed multiple equalities to\n the all AND/OR levels of cond\n */\n bool is_simplifiable_cond= false;\n propagate_new_equalities(thd, this, cond_equalities,\n cond_equal->upper_levels,\n &is_simplifiable_cond);\n /*\n If the above propagation of multiple equalities brings us\n to multiple equalities that are always FALSE then try to\n simplify the condition with remove_eq_cond() again.\n */\n if (is_simplifiable_cond)\n {\n if (!(cond= cond->remove_eq_conds(thd, cond_value, false)))\n return cond;\n }\n should_fix_fields= 1;\n }\n if (should_fix_fields)\n cond->update_used_tables();\n\n if (!((Item_cond*) cond)->argument_list()->elements ||\n *cond_value != Item::COND_OK)\n return (COND*) 0;\n if (((Item_cond*) cond)->argument_list()->elements == 1)\n { // Remove list\n item= ((Item_cond*) cond)->argument_list()->head();\n ((Item_cond*) cond)->argument_list()->empty();\n return item;\n }\n *cond_value= Item::COND_OK;\n return cond;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 72799667554583941822172655755361552119, "size": 212, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508667 }, { "func": "Item::remove_eq_conds(THD *thd, Item::cond_result *cond_value, bool top_level_arg)\n{\n if (const_item() && !is_expensive())\n {\n *cond_value= eval_const_cond() ? Item::COND_TRUE : Item::COND_FALSE;\n return (COND*) 0;\n }\n *cond_value= Item::COND_OK;\n return this; // Point at next and level\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 100337637715066996478800084310879907570, "size": 10, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508693 }, { "func": "Item_func_isnull::remove_eq_conds(THD *thd, Item::cond_result *cond_value,\n bool top_level_arg)\n{\n Item *real_item= args[0]->real_item();\n if (real_item->type() == Item::FIELD_ITEM)\n {\n Field *field= ((Item_field*) real_item)->field;\n\n if (((field->type() == MYSQL_TYPE_DATE) ||\n (field->type() == MYSQL_TYPE_DATETIME)) &&\n (field->flags & NOT_NULL_FLAG))\n {\n /* fix to replace 'NULL' dates with '0' (shreeve@uci.edu) */\n /*\n See BUG#12594011\n Documentation says that\n SELECT datetime_notnull d FROM t1 WHERE d IS NULL\n shall return rows where d=='0000-00-00'\n\n Thus, for DATE and DATETIME columns defined as NOT NULL,\n \"date_notnull IS NULL\" has to be modified to\n \"date_notnull IS NULL OR date_notnull == 0\" (if outer join)\n \"date_notnull == 0\" (otherwise)\n\n */\n\n Item *item0= new(thd->mem_root) Item_int(thd, (longlong) 0, 1);\n Item *eq_cond= new(thd->mem_root) Item_func_eq(thd, args[0], item0);\n if (!eq_cond)\n return this;\n\n COND *cond= this;\n if (field->table->pos_in_table_list->is_inner_table_of_outer_join())\n {\n // outer join: transform \"col IS NULL\" to \"col IS NULL or col=0\"\n Item *or_cond= new(thd->mem_root) Item_cond_or(thd, eq_cond, this);\n if (!or_cond)\n return this;\n cond= or_cond;\n }\n else\n {\n // not outer join: transform \"col IS NULL\" to \"col=0\"\n cond= eq_cond;\n }\n\n cond->fix_fields(thd, &cond);\n /*\n Note: although args[0] is a field, cond can still be a constant\n (in 
case field is a part of a dependent subquery).\n\n Note: we call cond->Item::remove_eq_conds() non-virtually (statically)\n for performance purpose.\n A non-qualified call, i.e. just cond->remove_eq_conds(),\n would call Item_bool_func2::remove_eq_conds() instead, which would\n try to do some extra job to detect if args[0] and args[1] are\n equivalent items. We know they are not (we have field=0 here).\n */\n return cond->Item::remove_eq_conds(thd, cond_value, false);\n }\n\n /*\n Handles this special case for some ODBC applications:\n The are requesting the row that was just updated with a auto_increment\n value with this construct:\n\n SELECT * from table_name where auto_increment_column IS NULL\n This will be changed to:\n SELECT * from table_name where auto_increment_column = LAST_INSERT_ID\n\n Note, this substitution is done if the NULL test is the only condition!\n If the NULL test is a part of a more complex condition, it is not\n substituted and is treated normally:\n WHERE auto_increment IS NULL AND something_else\n */\n\n if (top_level_arg) // \"auto_increment_column IS NULL\" is the only condition\n {\n if (field->flags & AUTO_INCREMENT_FLAG && !field->table->maybe_null &&\n (thd->variables.option_bits & OPTION_AUTO_IS_NULL) &&\n (thd->first_successful_insert_id_in_prev_stmt > 0 &&\n thd->substitute_null_with_insert_id))\n {\n #ifdef HAVE_QUERY_CACHE\n query_cache_abort(thd, &thd->query_cache_tls);\n #endif\n COND *new_cond, *cond= this;\n /* If this fails, we will catch it later before executing query */\n if ((new_cond= new (thd->mem_root) Item_func_eq(thd, args[0],\n new (thd->mem_root) Item_int(thd, \"last_insert_id()\",\n thd->read_first_successful_insert_id_in_prev_stmt(),\n MY_INT64_NUM_DECIMAL_DIGITS))))\n {\n cond= new_cond;\n /*\n Item_func_eq can't be fixed after creation so we do not check\n cond->fixed, also it do not need tables so we use 0 as second\n argument.\n */\n cond->fix_fields(thd, &cond);\n }\n /*\n IS NULL should be mapped to 
LAST_INSERT_ID only for first row, so\n clear for next row\n */\n thd->substitute_null_with_insert_id= FALSE;\n\n *cond_value= Item::COND_OK;\n return cond;\n }\n }\n }\n return Item::remove_eq_conds(thd, cond_value, top_level_arg);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 61330233679754498269942482759847428898, "size": 114, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508706 }, { "func": "void CClient::PutModNotice(const CString& sModule, const CString& sLine) {\n if (!m_pUser) {\n return;\n }\n\n DEBUG(\"(\" << GetFullName()\n << \") ZNC -> CLI [:\" + m_pUser->GetStatusPrefix() +\n ((sModule.empty()) ? \"status\" : sModule) +\n \"!znc@znc.in NOTICE \" << GetNick() << \" :\" << sLine\n << \"]\");\n Write(\":\" + m_pUser->GetStatusPrefix() +\n ((sModule.empty()) ? 
\"status\" : sModule) + \"!znc@znc.in NOTICE \" +\n GetNick() + \" :\" + sLine + \"\\r\\n\");\n}", "project": "znc", "hash": 215483483237697692941846098812288090455, "size": 14, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231542 }, { "func": "void cdev_device_del(struct cdev *cdev, struct device *dev)\n{\n\tdevice_del(dev);\n\tif (dev->devt)\n\t\tcdev_del(cdev);\n}", "project": "linux", "hash": 208552843442205595405510800041800634578, "size": 6, "commit_id": "68faa679b8be1a74e6663c21c3a9d25d32f1c079", "message": "chardev: Avoid potential use-after-free in 'chrdev_open()'\n\n'chrdev_open()' calls 'cdev_get()' to obtain a reference to the\n'struct cdev *' stashed in the 'i_cdev' field of the target inode\nstructure. If the pointer is NULL, then it is initialised lazily by\nlooking up the kobject in the 'cdev_map' and so the whole procedure is\nprotected by the 'cdev_lock' spinlock to serialise initialisation of\nthe shared pointer.\n\nUnfortunately, it is possible for the initialising thread to fail *after*\ninstalling the new pointer, for example if the subsequent '->open()' call\non the file fails. In this case, 'cdev_put()' is called, the reference\ncount on the kobject is dropped and, if nobody else has taken a reference,\nthe release function is called which finally clears 'inode->i_cdev' from\n'cdev_purge()' before potentially freeing the object. 
The problem here\nis that a racing thread can happily take the 'cdev_lock' and see the\nnon-NULL pointer in the inode, which can result in a refcount increment\nfrom zero and a warning:\n\n | ------------[ cut here ]------------\n | refcount_t: addition on 0; use-after-free.\n | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0\n | Modules linked in:\n | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\n | RIP: 0010:refcount_warn_saturate+0x6d/0xf0\n | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08\n | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282\n | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000\n | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798\n | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039\n | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700\n | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700\n | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0\n | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n | Call Trace:\n | kobject_get+0x5c/0x60\n | cdev_get+0x2b/0x60\n | chrdev_open+0x55/0x220\n | ? cdev_put.part.3+0x20/0x20\n | do_dentry_open+0x13a/0x390\n | path_openat+0x2c8/0x1470\n | do_filp_open+0x93/0x100\n | ? 
selinux_file_ioctl+0x17f/0x220\n | do_sys_open+0x186/0x220\n | do_syscall_64+0x48/0x150\n | entry_SYSCALL_64_after_hwframe+0x44/0xa9\n | RIP: 0033:0x7f3b87efcd0e\n | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4\n | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101\n | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e\n | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c\n | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000\n | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e\n | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000\n | ---[ end trace 24f53ca58db8180a ]---\n\nSince 'cdev_get()' can already fail to obtain a reference, simply move\nit over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',\nwhich will cause the racing thread to return -ENXIO if the initialising\nthread fails unexpectedly.\n\nCc: Hillf Danton \nCc: Andrew Morton \nCc: Al Viro \nReported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com\nSigned-off-by: Will Deacon \nCc: stable \nLink: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 446371 }, { "func": "int SELECT_LEX::vers_setup_conds(THD *thd, TABLE_LIST *tables)\n{\n DBUG_ENTER(\"SELECT_LEX::vers_setup_cond\");\n#define newx new (thd->mem_root)\n\n const bool update_conds= !skip_setup_conds(thd);\n TABLE_LIST *table;\n\n if (!versioned_tables)\n {\n for (table= tables; table; table= table->next_local)\n {\n if (table->table && table->table->versioned())\n versioned_tables++;\n else if (table->vers_conditions.is_set() &&\n (table->is_non_derived() || !table->vers_conditions.used))\n {\n my_error(ER_VERS_NOT_VERSIONED, MYF(0), table->alias.str);\n DBUG_RETURN(-1);\n }\n }\n }\n\n if (versioned_tables == 0)\n DBUG_RETURN(0);\n\n /* For prepared statements we create items 
on statement arena,\n because they must outlive execution phase for multiple executions. */\n Query_arena_stmt on_stmt_arena(thd);\n\n // find outer system_time\n SELECT_LEX *outer_slex= outer_select();\n TABLE_LIST* outer_table= NULL;\n\n if (outer_slex)\n {\n TABLE_LIST* derived= master_unit()->derived;\n // inner SELECT may not be a derived table (derived == NULL)\n while (derived && outer_slex && !derived->vers_conditions.is_set())\n {\n derived= outer_slex->master_unit()->derived;\n outer_slex= outer_slex->outer_select();\n }\n if (derived && outer_slex)\n {\n DBUG_ASSERT(derived->vers_conditions.is_set());\n outer_table= derived;\n }\n }\n\n bool is_select= false;\n bool use_sysvar= false;\n switch (thd->lex->sql_command)\n {\n case SQLCOM_SELECT:\n use_sysvar= true;\n /* fall through */\n case SQLCOM_CREATE_TABLE:\n case SQLCOM_INSERT_SELECT:\n case SQLCOM_REPLACE_SELECT:\n case SQLCOM_DELETE_MULTI:\n case SQLCOM_UPDATE_MULTI:\n is_select= true;\n default:\n break;\n }\n\n for (table= tables; table; table= table->next_local)\n {\n if (!table->table || table->is_view() || !table->table->versioned())\n continue;\n\n vers_select_conds_t &vers_conditions= table->vers_conditions;\n\n#ifdef WITH_PARTITION_STORAGE_ENGINE\n /*\n if the history is stored in partitions, then partitions\n themselves are not versioned\n */\n if (table->partition_names && table->table->part_info->vers_info)\n {\n /* If the history is stored in partitions, then partitions\n themselves are not versioned. 
*/\n if (vers_conditions.was_set())\n {\n my_error(ER_VERS_QUERY_IN_PARTITION, MYF(0), table->alias.str);\n DBUG_RETURN(-1);\n }\n else if (!vers_conditions.is_set())\n vers_conditions.type= SYSTEM_TIME_ALL;\n }\n#endif\n\n if (outer_table && !vers_conditions.is_set())\n {\n // propagate system_time from nearest outer SELECT_LEX\n vers_conditions= outer_table->vers_conditions;\n outer_table->vers_conditions.used= true;\n }\n\n // propagate system_time from sysvar\n if (!vers_conditions.is_set() && use_sysvar)\n {\n if (vers_conditions.init_from_sysvar(thd))\n DBUG_RETURN(-1);\n }\n\n if (vers_conditions.is_set())\n {\n if (vers_conditions.was_set() &&\n table->lock_type > TL_READ_NO_INSERT &&\n !vers_conditions.delete_history)\n {\n my_error(ER_TABLE_NOT_LOCKED_FOR_WRITE, MYF(0), table->alias.str);\n DBUG_RETURN(-1);\n }\n\n if (vers_conditions.type == SYSTEM_TIME_ALL)\n continue;\n }\n\n const LEX_CSTRING *fstart=\n thd->make_clex_string(table->table->vers_start_field()->field_name);\n const LEX_CSTRING *fend=\n thd->make_clex_string(table->table->vers_end_field()->field_name);\n\n Item *row_start=\n newx Item_field(thd, &this->context, table->db.str, table->alias.str, fstart);\n Item *row_end=\n newx Item_field(thd, &this->context, table->db.str, table->alias.str, fend);\n\n bool timestamps_only= table->table->versioned(VERS_TIMESTAMP);\n\n if (vers_conditions.is_set() && vers_conditions.type != SYSTEM_TIME_HISTORY)\n {\n thd->where= \"FOR SYSTEM_TIME\";\n /* TODO: do resolve fix_length_and_dec(), fix_fields(). This requires\n storing vers_conditions as Item and make some magic related to\n vers_system_time_t/VERS_TRX_ID at stage of fix_fields()\n (this is large refactoring). 
*/\n if (vers_conditions.resolve_units(thd))\n DBUG_RETURN(-1);\n if (timestamps_only && (vers_conditions.start.unit == VERS_TRX_ID ||\n vers_conditions.end.unit == VERS_TRX_ID))\n {\n my_error(ER_VERS_ENGINE_UNSUPPORTED, MYF(0), table->table_name.str);\n DBUG_RETURN(-1);\n }\n }\n\n if (!update_conds)\n continue;\n\n Item *cond1= NULL, *cond2= NULL, *cond3= NULL, *curr= NULL;\n Item *point_in_time1= vers_conditions.start.item;\n Item *point_in_time2= vers_conditions.end.item;\n TABLE *t= table->table;\n if (t->versioned(VERS_TIMESTAMP))\n {\n MYSQL_TIME max_time;\n switch (vers_conditions.type)\n {\n case SYSTEM_TIME_UNSPECIFIED:\n case SYSTEM_TIME_HISTORY:\n thd->variables.time_zone->gmt_sec_to_TIME(&max_time, TIMESTAMP_MAX_VALUE);\n max_time.second_part= TIME_MAX_SECOND_PART;\n curr= newx Item_datetime_literal(thd, &max_time, TIME_SECOND_PART_DIGITS);\n if (vers_conditions.type == SYSTEM_TIME_UNSPECIFIED)\n cond1= newx Item_func_eq(thd, row_end, curr);\n else\n cond1= newx Item_func_lt(thd, row_end, curr);\n break;\n case SYSTEM_TIME_AS_OF:\n cond1= newx Item_func_le(thd, row_start, point_in_time1);\n cond2= newx Item_func_gt(thd, row_end, point_in_time1);\n break;\n case SYSTEM_TIME_FROM_TO:\n cond1= newx Item_func_lt(thd, row_start, point_in_time2);\n cond2= newx Item_func_gt(thd, row_end, point_in_time1);\n cond3= newx Item_func_lt(thd, point_in_time1, point_in_time2);\n break;\n case SYSTEM_TIME_BETWEEN:\n cond1= newx Item_func_le(thd, row_start, point_in_time2);\n cond2= newx Item_func_gt(thd, row_end, point_in_time1);\n cond3= newx Item_func_le(thd, point_in_time1, point_in_time2);\n break;\n case SYSTEM_TIME_BEFORE:\n cond1= newx Item_func_history(thd, row_end);\n cond2= newx Item_func_lt(thd, row_end, point_in_time1);\n break;\n default:\n DBUG_ASSERT(0);\n }\n }\n else\n {\n DBUG_ASSERT(table->table->s && table->table->s->db_plugin);\n\n Item *trx_id0, *trx_id1;\n\n switch (vers_conditions.type)\n {\n case SYSTEM_TIME_UNSPECIFIED:\n case 
SYSTEM_TIME_HISTORY:\n curr= newx Item_int(thd, ULONGLONG_MAX);\n if (vers_conditions.type == SYSTEM_TIME_UNSPECIFIED)\n cond1= newx Item_func_eq(thd, row_end, curr);\n else\n cond1= newx Item_func_lt(thd, row_end, curr);\n break;\n case SYSTEM_TIME_AS_OF:\n trx_id0= vers_conditions.start.unit == VERS_TIMESTAMP\n ? newx Item_func_trt_id(thd, point_in_time1, TR_table::FLD_TRX_ID)\n : point_in_time1;\n cond1= newx Item_func_trt_trx_sees_eq(thd, trx_id0, row_start);\n cond2= newx Item_func_trt_trx_sees(thd, row_end, trx_id0);\n break;\n case SYSTEM_TIME_FROM_TO:\n\tcond3= newx Item_func_lt(thd, point_in_time1, point_in_time2);\n /* fall through */\n case SYSTEM_TIME_BETWEEN:\n trx_id0= vers_conditions.start.unit == VERS_TIMESTAMP\n ? newx Item_func_trt_id(thd, point_in_time1, TR_table::FLD_TRX_ID, true)\n : point_in_time1;\n trx_id1= vers_conditions.end.unit == VERS_TIMESTAMP\n ? newx Item_func_trt_id(thd, point_in_time2, TR_table::FLD_TRX_ID, false)\n : point_in_time2;\n cond1= vers_conditions.type == SYSTEM_TIME_FROM_TO\n ? newx Item_func_trt_trx_sees(thd, trx_id1, row_start)\n : newx Item_func_trt_trx_sees_eq(thd, trx_id1, row_start);\n cond2= newx Item_func_trt_trx_sees_eq(thd, row_end, trx_id0);\n\tif (!cond3)\n\t cond3= newx Item_func_le(thd, point_in_time1, point_in_time2);\n break;\n case SYSTEM_TIME_BEFORE:\n trx_id0= vers_conditions.start.unit == VERS_TIMESTAMP\n ? 
newx Item_func_trt_id(thd, point_in_time1, TR_table::FLD_TRX_ID, true)\n : point_in_time1;\n cond1= newx Item_func_history(thd, row_end);\n cond2= newx Item_func_trt_trx_sees(thd, trx_id0, row_end);\n break;\n default:\n DBUG_ASSERT(0);\n }\n }\n\n if (cond1)\n {\n cond1= and_items(thd, cond2, cond1);\n cond1= and_items(thd, cond3, cond1);\n if (is_select)\n table->on_expr= and_items(thd, table->on_expr, cond1);\n else\n {\n if (join)\n {\n where= and_items(thd, join->conds, cond1);\n join->conds= where;\n }\n else\n where= and_items(thd, where, cond1);\n table->where= and_items(thd, table->where, cond1);\n }\n }\n\n table->vers_conditions.type= SYSTEM_TIME_ALL;\n } // for (table= tables; ...)\n\n DBUG_RETURN(0);\n#undef newx\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 158234172210914316640319026999436959935, "size": 271, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508595 }, { "func": "static int get_nodes(nodemask_t *nodes, const unsigned long __user *nmask,\n\t\t unsigned long maxnode)\n{\n\tunsigned long k;\n\tunsigned long t;\n\tunsigned long nlongs;\n\tunsigned long endmask;\n\n\t--maxnode;\n\tnodes_clear(*nodes);\n\tif (maxnode == 0 || !nmask)\n\t\treturn 0;\n\tif (maxnode > PAGE_SIZE*BITS_PER_BYTE)\n\t\treturn -EINVAL;\n\n\tnlongs = BITS_TO_LONGS(maxnode);\n\tif ((maxnode % BITS_PER_LONG) == 0)\n\t\tendmask = ~0UL;\n\telse\n\t\tendmask = (1UL << (maxnode % BITS_PER_LONG)) - 1;\n\n\t/*\n\t * When the user specified more nodes than supported just check\n\t * if the non supported part is all zero.\n\t *\n\t * If maxnode have more longs than MAX_NUMNODES, check\n\t * the bits in that area first. And then go through to\n\t * check the rest bits which equal or bigger than MAX_NUMNODES.\n\t * Otherwise, just check bits [MAX_NUMNODES, maxnode).\n\t */\n\tif (nlongs > BITS_TO_LONGS(MAX_NUMNODES)) {\n\t\tfor (k = BITS_TO_LONGS(MAX_NUMNODES); k < nlongs; k++) {\n\t\t\tif (get_user(t, nmask + k))\n\t\t\t\treturn -EFAULT;\n\t\t\tif (k == nlongs - 1) {\n\t\t\t\tif (t & endmask)\n\t\t\t\t\treturn -EINVAL;\n\t\t\t} else if (t)\n\t\t\t\treturn -EINVAL;\n\t\t}\n\t\tnlongs = BITS_TO_LONGS(MAX_NUMNODES);\n\t\tendmask = ~0UL;\n\t}\n\n\tif (maxnode > MAX_NUMNODES && MAX_NUMNODES % BITS_PER_LONG != 0) {\n\t\tunsigned long valid_mask = endmask;\n\n\t\tvalid_mask &= ~((1UL << (MAX_NUMNODES % BITS_PER_LONG)) - 1);\n\t\tif (get_user(t, nmask + nlongs - 1))\n\t\t\treturn -EFAULT;\n\t\tif (t & valid_mask)\n\t\t\treturn -EINVAL;\n\t}\n\n\tif (copy_from_user(nodes_addr(*nodes), nmask, nlongs*sizeof(unsigned long)))\n\t\treturn -EFAULT;\n\tnodes_addr(*nodes)[nlongs-1] &= endmask;\n\treturn 0;\n}", "project": "linux", "hash": 
258936114439956555017753745501713394693, "size": 59, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366752 }, { "func": "static void nfs4_get_lease_time_done(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs4_get_lease_time_data *data =\n\t\t\t(struct nfs4_get_lease_time_data *)calldata;\n\n\tdprintk(\"--> %s\\n\", __func__);\n\tif (!nfs4_sequence_done(task, &data->res->lr_seq_res))\n\t\treturn;\n\tswitch (task->tk_status) {\n\tcase -NFS4ERR_DELAY:\n\tcase -NFS4ERR_GRACE:\n\t\tdprintk(\"%s Retry: tk_status %d\\n\", __func__, task->tk_status);\n\t\trpc_delay(task, NFS4_POLL_RETRY_MIN);\n\t\ttask->tk_status = 0;\n\t\t/* fall through */\n\tcase -NFS4ERR_RETRY_UNCACHED_REP:\n\t\trpc_restart_call_prepare(task);\n\t\treturn;\n\t}\n\tdprintk(\"<-- %s\\n\", __func__);\n}", "project": "linux", "hash": 15943595764554180083031957742388424974, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before 
memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431322 }, { "func": "static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,\n\t\t struct packet_type *pt, struct net_device *orig_dev)\n{\n\tstruct sock *sk;\n\tstruct packet_sock *po;\n\tstruct sockaddr_ll *sll;\n\tunion tpacket_uhdr h;\n\tu8 *skb_head = skb->data;\n\tint skb_len = skb->len;\n\tunsigned int snaplen, res;\n\tunsigned long status = TP_STATUS_USER;\n\tunsigned short macoff, netoff, hdrlen;\n\tstruct sk_buff *copy_skb = NULL;\n\tstruct timespec64 ts;\n\t__u32 ts_status;\n\tbool is_drop_n_account = false;\n\tunsigned int slot_id = 0;\n\tbool do_vnet = false;\n\n\t/* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT.\n\t * We may add members to them until current aligned size without forcing\n\t * userspace to call getsockopt(..., PACKET_HDRLEN, ...).\n\t */\n\tBUILD_BUG_ON(TPACKET_ALIGN(sizeof(*h.h2)) != 32);\n\tBUILD_BUG_ON(TPACKET_ALIGN(sizeof(*h.h3)) != 48);\n\n\tif (skb->pkt_type == PACKET_LOOPBACK)\n\t\tgoto drop;\n\n\tsk = pt->af_packet_priv;\n\tpo = pkt_sk(sk);\n\n\tif (!net_eq(dev_net(dev), sock_net(sk)))\n\t\tgoto drop;\n\n\tif (dev->header_ops) {\n\t\tif (sk->sk_type != SOCK_DGRAM)\n\t\t\tskb_push(skb, skb->data - skb_mac_header(skb));\n\t\telse if (skb->pkt_type == PACKET_OUTGOING) {\n\t\t\t/* Special case: outgoing packets have ll header at head */\n\t\t\tskb_pull(skb, skb_network_offset(skb));\n\t\t}\n\t}\n\n\tsnaplen = skb->len;\n\n\tres = run_filter(skb, sk, snaplen);\n\tif (!res)\n\t\tgoto drop_n_restore;\n\n\t/* If we are flooded, just give up */\n\tif (__packet_rcv_has_room(po, skb) == ROOM_NONE) {\n\t\tatomic_inc(&po->tp_drops);\n\t\tgoto drop_n_restore;\n\t}\n\n\tif (skb->ip_summed == CHECKSUM_PARTIAL)\n\t\tstatus 
|= TP_STATUS_CSUMNOTREADY;\n\telse if (skb->pkt_type != PACKET_OUTGOING &&\n\t\t (skb->ip_summed == CHECKSUM_COMPLETE ||\n\t\t skb_csum_unnecessary(skb)))\n\t\tstatus |= TP_STATUS_CSUM_VALID;\n\n\tif (snaplen > res)\n\t\tsnaplen = res;\n\n\tif (sk->sk_type == SOCK_DGRAM) {\n\t\tmacoff = netoff = TPACKET_ALIGN(po->tp_hdrlen) + 16 +\n\t\t\t\t po->tp_reserve;\n\t} else {\n\t\tunsigned int maclen = skb_network_offset(skb);\n\t\tnetoff = TPACKET_ALIGN(po->tp_hdrlen +\n\t\t\t\t (maclen < 16 ? 16 : maclen)) +\n\t\t\t\t po->tp_reserve;\n\t\tif (po->has_vnet_hdr) {\n\t\t\tnetoff += sizeof(struct virtio_net_hdr);\n\t\t\tdo_vnet = true;\n\t\t}\n\t\tmacoff = netoff - maclen;\n\t}\n\tif (po->tp_version <= TPACKET_V2) {\n\t\tif (macoff + snaplen > po->rx_ring.frame_size) {\n\t\t\tif (po->copy_thresh &&\n\t\t\t atomic_read(&sk->sk_rmem_alloc) < sk->sk_rcvbuf) {\n\t\t\t\tif (skb_shared(skb)) {\n\t\t\t\t\tcopy_skb = skb_clone(skb, GFP_ATOMIC);\n\t\t\t\t} else {\n\t\t\t\t\tcopy_skb = skb_get(skb);\n\t\t\t\t\tskb_head = skb->data;\n\t\t\t\t}\n\t\t\t\tif (copy_skb)\n\t\t\t\t\tskb_set_owner_r(copy_skb, sk);\n\t\t\t}\n\t\t\tsnaplen = po->rx_ring.frame_size - macoff;\n\t\t\tif ((int)snaplen < 0) {\n\t\t\t\tsnaplen = 0;\n\t\t\t\tdo_vnet = false;\n\t\t\t}\n\t\t}\n\t} else if (unlikely(macoff + snaplen >\n\t\t\t GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {\n\t\tu32 nval;\n\n\t\tnval = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len - macoff;\n\t\tpr_err_once(\"tpacket_rcv: packet too big, clamped from %u to %u. 
macoff=%u\\n\",\n\t\t\t snaplen, nval, macoff);\n\t\tsnaplen = nval;\n\t\tif (unlikely((int)snaplen < 0)) {\n\t\t\tsnaplen = 0;\n\t\t\tmacoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;\n\t\t\tdo_vnet = false;\n\t\t}\n\t}\n\tspin_lock(&sk->sk_receive_queue.lock);\n\th.raw = packet_current_rx_frame(po, skb,\n\t\t\t\t\tTP_STATUS_KERNEL, (macoff+snaplen));\n\tif (!h.raw)\n\t\tgoto drop_n_account;\n\n\tif (po->tp_version <= TPACKET_V2) {\n\t\tslot_id = po->rx_ring.head;\n\t\tif (test_bit(slot_id, po->rx_ring.rx_owner_map))\n\t\t\tgoto drop_n_account;\n\t\t__set_bit(slot_id, po->rx_ring.rx_owner_map);\n\t}\n\n\tif (do_vnet &&\n\t virtio_net_hdr_from_skb(skb, h.raw + macoff -\n\t\t\t\t sizeof(struct virtio_net_hdr),\n\t\t\t\t vio_le(), true, 0)) {\n\t\tif (po->tp_version == TPACKET_V3)\n\t\t\tprb_clear_blk_fill_status(&po->rx_ring);\n\t\tgoto drop_n_account;\n\t}\n\n\tif (po->tp_version <= TPACKET_V2) {\n\t\tpacket_increment_rx_head(po, &po->rx_ring);\n\t/*\n\t * LOSING will be reported till you read the stats,\n\t * because it's COR - Clear On Read.\n\t * Anyways, moving it for V1/V2 only as V3 doesn't need this\n\t * at packet level.\n\t */\n\t\tif (atomic_read(&po->tp_drops))\n\t\t\tstatus |= TP_STATUS_LOSING;\n\t}\n\n\tpo->stats.stats1.tp_packets++;\n\tif (copy_skb) {\n\t\tstatus |= TP_STATUS_COPY;\n\t\t__skb_queue_tail(&sk->sk_receive_queue, copy_skb);\n\t}\n\tspin_unlock(&sk->sk_receive_queue.lock);\n\n\tskb_copy_bits(skb, 0, h.raw + macoff, snaplen);\n\n\tif (!(ts_status = tpacket_get_timestamp(skb, &ts, po->tp_tstamp)))\n\t\tktime_get_real_ts64(&ts);\n\n\tstatus |= ts_status;\n\n\tswitch (po->tp_version) {\n\tcase TPACKET_V1:\n\t\th.h1->tp_len = skb->len;\n\t\th.h1->tp_snaplen = snaplen;\n\t\th.h1->tp_mac = macoff;\n\t\th.h1->tp_net = netoff;\n\t\th.h1->tp_sec = ts.tv_sec;\n\t\th.h1->tp_usec = ts.tv_nsec / NSEC_PER_USEC;\n\t\thdrlen = sizeof(*h.h1);\n\t\tbreak;\n\tcase TPACKET_V2:\n\t\th.h2->tp_len = skb->len;\n\t\th.h2->tp_snaplen = 
snaplen;\n\t\th.h2->tp_mac = macoff;\n\t\th.h2->tp_net = netoff;\n\t\th.h2->tp_sec = ts.tv_sec;\n\t\th.h2->tp_nsec = ts.tv_nsec;\n\t\tif (skb_vlan_tag_present(skb)) {\n\t\t\th.h2->tp_vlan_tci = skb_vlan_tag_get(skb);\n\t\t\th.h2->tp_vlan_tpid = ntohs(skb->vlan_proto);\n\t\t\tstatus |= TP_STATUS_VLAN_VALID | TP_STATUS_VLAN_TPID_VALID;\n\t\t} else {\n\t\t\th.h2->tp_vlan_tci = 0;\n\t\t\th.h2->tp_vlan_tpid = 0;\n\t\t}\n\t\tmemset(h.h2->tp_padding, 0, sizeof(h.h2->tp_padding));\n\t\thdrlen = sizeof(*h.h2);\n\t\tbreak;\n\tcase TPACKET_V3:\n\t\t/* tp_nxt_offset,vlan are already populated above.\n\t\t * So DONT clear those fields here\n\t\t */\n\t\th.h3->tp_status |= status;\n\t\th.h3->tp_len = skb->len;\n\t\th.h3->tp_snaplen = snaplen;\n\t\th.h3->tp_mac = macoff;\n\t\th.h3->tp_net = netoff;\n\t\th.h3->tp_sec = ts.tv_sec;\n\t\th.h3->tp_nsec = ts.tv_nsec;\n\t\tmemset(h.h3->tp_padding, 0, sizeof(h.h3->tp_padding));\n\t\thdrlen = sizeof(*h.h3);\n\t\tbreak;\n\tdefault:\n\t\tBUG();\n\t}\n\n\tsll = h.raw + TPACKET_ALIGN(hdrlen);\n\tsll->sll_halen = dev_parse_header(skb, sll->sll_addr);\n\tsll->sll_family = AF_PACKET;\n\tsll->sll_hatype = dev->type;\n\tsll->sll_protocol = skb->protocol;\n\tsll->sll_pkttype = skb->pkt_type;\n\tif (unlikely(po->origdev))\n\t\tsll->sll_ifindex = orig_dev->ifindex;\n\telse\n\t\tsll->sll_ifindex = dev->ifindex;\n\n\tsmp_mb();\n\n#if ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE == 1\n\tif (po->tp_version <= TPACKET_V2) {\n\t\tu8 *start, *end;\n\n\t\tend = (u8 *) PAGE_ALIGN((unsigned long) h.raw +\n\t\t\t\t\tmacoff + snaplen);\n\n\t\tfor (start = h.raw; start < end; start += PAGE_SIZE)\n\t\t\tflush_dcache_page(pgv_to_page(start));\n\t}\n\tsmp_wmb();\n#endif\n\n\tif (po->tp_version <= TPACKET_V2) {\n\t\tspin_lock(&sk->sk_receive_queue.lock);\n\t\t__packet_set_status(po, h.raw, status);\n\t\t__clear_bit(slot_id, po->rx_ring.rx_owner_map);\n\t\tspin_unlock(&sk->sk_receive_queue.lock);\n\t\tsk->sk_data_ready(sk);\n\t} else if (po->tp_version == TPACKET_V3) 
{\n\t\tprb_clear_blk_fill_status(&po->rx_ring);\n\t}\n\ndrop_n_restore:\n\tif (skb_head != skb->data && skb_shared(skb)) {\n\t\tskb->data = skb_head;\n\t\tskb->len = skb_len;\n\t}\ndrop:\n\tif (!is_drop_n_account)\n\t\tconsume_skb(skb);\n\telse\n\t\tkfree_skb(skb);\n\treturn 0;\n\ndrop_n_account:\n\tspin_unlock(&sk->sk_receive_queue.lock);\n\tatomic_inc(&po->tp_drops);\n\tis_drop_n_account = true;\n\n\tsk->sk_data_ready(sk);\n\tkfree_skb(copy_skb);\n\tgoto drop_n_restore;\n}", "project": "linux", "hash": 247138033746397759600375764218281666520, "size": 264, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 1, "dataset": "other", "idx": 202143 }, { "func": "static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,\n\t\t struct packet_type *pt, struct net_device *orig_dev)\n{\n\tstruct sock *sk;\n\tstruct packet_sock *po;\n\tstruct sockaddr_ll *sll;\n\tunion tpacket_uhdr h;\n\tu8 *skb_head = skb->data;\n\tint skb_len = skb->len;\n\tunsigned int snaplen, res;\n\tunsigned long status = TP_STATUS_USER;\n\tunsigned short macoff, hdrlen;\n\tunsigned int netoff;\n\tstruct sk_buff *copy_skb = NULL;\n\tstruct timespec64 ts;\n\t__u32 ts_status;\n\tbool is_drop_n_account = false;\n\tunsigned int slot_id = 0;\n\tbool do_vnet = false;\n\n\t/* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT.\n\t * We 
may add members to them until current aligned size without forcing\n\t * userspace to call getsockopt(..., PACKET_HDRLEN, ...).\n\t */\n\tBUILD_BUG_ON(TPACKET_ALIGN(sizeof(*h.h2)) != 32);\n\tBUILD_BUG_ON(TPACKET_ALIGN(sizeof(*h.h3)) != 48);\n\n\tif (skb->pkt_type == PACKET_LOOPBACK)\n\t\tgoto drop;\n\n\tsk = pt->af_packet_priv;\n\tpo = pkt_sk(sk);\n\n\tif (!net_eq(dev_net(dev), sock_net(sk)))\n\t\tgoto drop;\n\n\tif (dev->header_ops) {\n\t\tif (sk->sk_type != SOCK_DGRAM)\n\t\t\tskb_push(skb, skb->data - skb_mac_header(skb));\n\t\telse if (skb->pkt_type == PACKET_OUTGOING) {\n\t\t\t/* Special case: outgoing packets have ll header at head */\n\t\t\tskb_pull(skb, skb_network_offset(skb));\n\t\t}\n\t}\n\n\tsnaplen = skb->len;\n\n\tres = run_filter(skb, sk, snaplen);\n\tif (!res)\n\t\tgoto drop_n_restore;\n\n\t/* If we are flooded, just give up */\n\tif (__packet_rcv_has_room(po, skb) == ROOM_NONE) {\n\t\tatomic_inc(&po->tp_drops);\n\t\tgoto drop_n_restore;\n\t}\n\n\tif (skb->ip_summed == CHECKSUM_PARTIAL)\n\t\tstatus |= TP_STATUS_CSUMNOTREADY;\n\telse if (skb->pkt_type != PACKET_OUTGOING &&\n\t\t (skb->ip_summed == CHECKSUM_COMPLETE ||\n\t\t skb_csum_unnecessary(skb)))\n\t\tstatus |= TP_STATUS_CSUM_VALID;\n\n\tif (snaplen > res)\n\t\tsnaplen = res;\n\n\tif (sk->sk_type == SOCK_DGRAM) {\n\t\tmacoff = netoff = TPACKET_ALIGN(po->tp_hdrlen) + 16 +\n\t\t\t\t po->tp_reserve;\n\t} else {\n\t\tunsigned int maclen = skb_network_offset(skb);\n\t\tnetoff = TPACKET_ALIGN(po->tp_hdrlen +\n\t\t\t\t (maclen < 16 ? 
16 : maclen)) +\n\t\t\t\t po->tp_reserve;\n\t\tif (po->has_vnet_hdr) {\n\t\t\tnetoff += sizeof(struct virtio_net_hdr);\n\t\t\tdo_vnet = true;\n\t\t}\n\t\tmacoff = netoff - maclen;\n\t}\n\tif (netoff > USHRT_MAX) {\n\t\tatomic_inc(&po->tp_drops);\n\t\tgoto drop_n_restore;\n\t}\n\tif (po->tp_version <= TPACKET_V2) {\n\t\tif (macoff + snaplen > po->rx_ring.frame_size) {\n\t\t\tif (po->copy_thresh &&\n\t\t\t atomic_read(&sk->sk_rmem_alloc) < sk->sk_rcvbuf) {\n\t\t\t\tif (skb_shared(skb)) {\n\t\t\t\t\tcopy_skb = skb_clone(skb, GFP_ATOMIC);\n\t\t\t\t} else {\n\t\t\t\t\tcopy_skb = skb_get(skb);\n\t\t\t\t\tskb_head = skb->data;\n\t\t\t\t}\n\t\t\t\tif (copy_skb)\n\t\t\t\t\tskb_set_owner_r(copy_skb, sk);\n\t\t\t}\n\t\t\tsnaplen = po->rx_ring.frame_size - macoff;\n\t\t\tif ((int)snaplen < 0) {\n\t\t\t\tsnaplen = 0;\n\t\t\t\tdo_vnet = false;\n\t\t\t}\n\t\t}\n\t} else if (unlikely(macoff + snaplen >\n\t\t\t GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {\n\t\tu32 nval;\n\n\t\tnval = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len - macoff;\n\t\tpr_err_once(\"tpacket_rcv: packet too big, clamped from %u to %u. 
macoff=%u\\n\",\n\t\t\t snaplen, nval, macoff);\n\t\tsnaplen = nval;\n\t\tif (unlikely((int)snaplen < 0)) {\n\t\t\tsnaplen = 0;\n\t\t\tmacoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;\n\t\t\tdo_vnet = false;\n\t\t}\n\t}\n\tspin_lock(&sk->sk_receive_queue.lock);\n\th.raw = packet_current_rx_frame(po, skb,\n\t\t\t\t\tTP_STATUS_KERNEL, (macoff+snaplen));\n\tif (!h.raw)\n\t\tgoto drop_n_account;\n\n\tif (po->tp_version <= TPACKET_V2) {\n\t\tslot_id = po->rx_ring.head;\n\t\tif (test_bit(slot_id, po->rx_ring.rx_owner_map))\n\t\t\tgoto drop_n_account;\n\t\t__set_bit(slot_id, po->rx_ring.rx_owner_map);\n\t}\n\n\tif (do_vnet &&\n\t virtio_net_hdr_from_skb(skb, h.raw + macoff -\n\t\t\t\t sizeof(struct virtio_net_hdr),\n\t\t\t\t vio_le(), true, 0)) {\n\t\tif (po->tp_version == TPACKET_V3)\n\t\t\tprb_clear_blk_fill_status(&po->rx_ring);\n\t\tgoto drop_n_account;\n\t}\n\n\tif (po->tp_version <= TPACKET_V2) {\n\t\tpacket_increment_rx_head(po, &po->rx_ring);\n\t/*\n\t * LOSING will be reported till you read the stats,\n\t * because it's COR - Clear On Read.\n\t * Anyways, moving it for V1/V2 only as V3 doesn't need this\n\t * at packet level.\n\t */\n\t\tif (atomic_read(&po->tp_drops))\n\t\t\tstatus |= TP_STATUS_LOSING;\n\t}\n\n\tpo->stats.stats1.tp_packets++;\n\tif (copy_skb) {\n\t\tstatus |= TP_STATUS_COPY;\n\t\t__skb_queue_tail(&sk->sk_receive_queue, copy_skb);\n\t}\n\tspin_unlock(&sk->sk_receive_queue.lock);\n\n\tskb_copy_bits(skb, 0, h.raw + macoff, snaplen);\n\n\tif (!(ts_status = tpacket_get_timestamp(skb, &ts, po->tp_tstamp)))\n\t\tktime_get_real_ts64(&ts);\n\n\tstatus |= ts_status;\n\n\tswitch (po->tp_version) {\n\tcase TPACKET_V1:\n\t\th.h1->tp_len = skb->len;\n\t\th.h1->tp_snaplen = snaplen;\n\t\th.h1->tp_mac = macoff;\n\t\th.h1->tp_net = netoff;\n\t\th.h1->tp_sec = ts.tv_sec;\n\t\th.h1->tp_usec = ts.tv_nsec / NSEC_PER_USEC;\n\t\thdrlen = sizeof(*h.h1);\n\t\tbreak;\n\tcase TPACKET_V2:\n\t\th.h2->tp_len = skb->len;\n\t\th.h2->tp_snaplen = 
snaplen;\n\t\th.h2->tp_mac = macoff;\n\t\th.h2->tp_net = netoff;\n\t\th.h2->tp_sec = ts.tv_sec;\n\t\th.h2->tp_nsec = ts.tv_nsec;\n\t\tif (skb_vlan_tag_present(skb)) {\n\t\t\th.h2->tp_vlan_tci = skb_vlan_tag_get(skb);\n\t\t\th.h2->tp_vlan_tpid = ntohs(skb->vlan_proto);\n\t\t\tstatus |= TP_STATUS_VLAN_VALID | TP_STATUS_VLAN_TPID_VALID;\n\t\t} else {\n\t\t\th.h2->tp_vlan_tci = 0;\n\t\t\th.h2->tp_vlan_tpid = 0;\n\t\t}\n\t\tmemset(h.h2->tp_padding, 0, sizeof(h.h2->tp_padding));\n\t\thdrlen = sizeof(*h.h2);\n\t\tbreak;\n\tcase TPACKET_V3:\n\t\t/* tp_nxt_offset,vlan are already populated above.\n\t\t * So DONT clear those fields here\n\t\t */\n\t\th.h3->tp_status |= status;\n\t\th.h3->tp_len = skb->len;\n\t\th.h3->tp_snaplen = snaplen;\n\t\th.h3->tp_mac = macoff;\n\t\th.h3->tp_net = netoff;\n\t\th.h3->tp_sec = ts.tv_sec;\n\t\th.h3->tp_nsec = ts.tv_nsec;\n\t\tmemset(h.h3->tp_padding, 0, sizeof(h.h3->tp_padding));\n\t\thdrlen = sizeof(*h.h3);\n\t\tbreak;\n\tdefault:\n\t\tBUG();\n\t}\n\n\tsll = h.raw + TPACKET_ALIGN(hdrlen);\n\tsll->sll_halen = dev_parse_header(skb, sll->sll_addr);\n\tsll->sll_family = AF_PACKET;\n\tsll->sll_hatype = dev->type;\n\tsll->sll_protocol = skb->protocol;\n\tsll->sll_pkttype = skb->pkt_type;\n\tif (unlikely(po->origdev))\n\t\tsll->sll_ifindex = orig_dev->ifindex;\n\telse\n\t\tsll->sll_ifindex = dev->ifindex;\n\n\tsmp_mb();\n\n#if ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE == 1\n\tif (po->tp_version <= TPACKET_V2) {\n\t\tu8 *start, *end;\n\n\t\tend = (u8 *) PAGE_ALIGN((unsigned long) h.raw +\n\t\t\t\t\tmacoff + snaplen);\n\n\t\tfor (start = h.raw; start < end; start += PAGE_SIZE)\n\t\t\tflush_dcache_page(pgv_to_page(start));\n\t}\n\tsmp_wmb();\n#endif\n\n\tif (po->tp_version <= TPACKET_V2) {\n\t\tspin_lock(&sk->sk_receive_queue.lock);\n\t\t__packet_set_status(po, h.raw, status);\n\t\t__clear_bit(slot_id, po->rx_ring.rx_owner_map);\n\t\tspin_unlock(&sk->sk_receive_queue.lock);\n\t\tsk->sk_data_ready(sk);\n\t} else if (po->tp_version == TPACKET_V3) 
{\n\t\tprb_clear_blk_fill_status(&po->rx_ring);\n\t}\n\ndrop_n_restore:\n\tif (skb_head != skb->data && skb_shared(skb)) {\n\t\tskb->data = skb_head;\n\t\tskb->len = skb_len;\n\t}\ndrop:\n\tif (!is_drop_n_account)\n\t\tconsume_skb(skb);\n\telse\n\t\tkfree_skb(skb);\n\treturn 0;\n\ndrop_n_account:\n\tspin_unlock(&sk->sk_receive_queue.lock);\n\tatomic_inc(&po->tp_drops);\n\tis_drop_n_account = true;\n\n\tsk->sk_data_ready(sk);\n\tkfree_skb(copy_skb);\n\tgoto drop_n_restore;\n}", "project": "linux", "hash": 321520857233827511931030116735694876634, "size": 269, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330393 }, { "func": "static void print_rsync_version(enum logcode f)\n{\n\tchar *subprotocol = \"\";\n\tchar const *got_socketpair = \"no \";\n\tchar const *have_inplace = \"no \";\n\tchar const *hardlinks = \"no \";\n\tchar const *prealloc = \"no \";\n\tchar const *symtimes = \"no \";\n\tchar const *acls = \"no \";\n\tchar const *xattrs = \"no \";\n\tchar const *links = \"no \";\n\tchar const *iconv = \"no \";\n\tchar const *ipv6 = \"no \";\n\tSTRUCT_STAT *dumstat;\n\n#if SUBPROTOCOL_VERSION != 0\n\tif (asprintf(&subprotocol, \".PR%d\", SUBPROTOCOL_VERSION) < 0)\n\t\tout_of_memory(\"print_rsync_version\");\n#endif\n#ifdef HAVE_SOCKETPAIR\n\tgot_socketpair = \"\";\n#endif\n#ifdef 
HAVE_FTRUNCATE\n\thave_inplace = \"\";\n#endif\n#ifdef SUPPORT_HARD_LINKS\n\thardlinks = \"\";\n#endif\n#ifdef SUPPORT_PREALLOCATION\n\tprealloc = \"\";\n#endif\n#ifdef SUPPORT_ACLS\n\tacls = \"\";\n#endif\n#ifdef SUPPORT_XATTRS\n\txattrs = \"\";\n#endif\n#ifdef SUPPORT_LINKS\n\tlinks = \"\";\n#endif\n#ifdef INET6\n\tipv6 = \"\";\n#endif\n#ifdef ICONV_OPTION\n\ticonv = \"\";\n#endif\n#ifdef CAN_SET_SYMLINK_TIMES\n\tsymtimes = \"\";\n#endif\n\n\trprintf(f, \"%s version %s protocol version %d%s\\n\",\n\t\tRSYNC_NAME, RSYNC_VERSION, PROTOCOL_VERSION, subprotocol);\n\trprintf(f, \"Copyright (C) 1996-2015 by Andrew Tridgell, Wayne Davison, and others.\\n\");\n\trprintf(f, \"Web site: http://rsync.samba.org/\\n\");\n\trprintf(f, \"Capabilities:\\n\");\n\trprintf(f, \" %d-bit files, %d-bit inums, %d-bit timestamps, %d-bit long ints,\\n\",\n\t\t(int)(sizeof (OFF_T) * 8),\n\t\t(int)(sizeof dumstat->st_ino * 8), /* Don't check ino_t! */\n\t\t(int)(sizeof (time_t) * 8),\n\t\t(int)(sizeof (int64) * 8));\n\trprintf(f, \" %ssocketpairs, %shardlinks, %ssymlinks, %sIPv6, batchfiles, %sinplace,\\n\",\n\t\tgot_socketpair, hardlinks, links, ipv6, have_inplace);\n\trprintf(f, \" %sappend, %sACLs, %sxattrs, %siconv, %ssymtimes, %sprealloc\\n\",\n\t\thave_inplace, acls, xattrs, iconv, symtimes, prealloc);\n\n#ifdef MAINTAINER_MODE\n\trprintf(f, \"Panic Action: \\\"%s\\\"\\n\", get_panic_action());\n#endif\n\n#if SIZEOF_INT64 < 8\n\trprintf(f, \"WARNING: no 64-bit integers on this platform!\\n\");\n#endif\n\tif (sizeof (int64) != SIZEOF_INT64) {\n\t\trprintf(f,\n\t\t\t\"WARNING: size mismatch in SIZEOF_INT64 define (%d != %d)\\n\",\n\t\t\t(int) SIZEOF_INT64, (int) sizeof (int64));\n\t}\n\n\trprintf(f,\"\\n\");\n\trprintf(f,\"rsync comes with ABSOLUTELY NO WARRANTY. This is free software, and you\\n\");\n\trprintf(f,\"are welcome to redistribute it under certain conditions. 
See the GNU\\n\");\n\trprintf(f,\"General Public Licence for details.\\n\");\n}", "project": "rsync", "hash": 238558148947488603281243690945134266934, "size": 83, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364667 }, { "func": "static bool __tpacket_has_room(const struct packet_sock *po, int pow_off)\n{\n\tint idx, len;\n\n\tlen = READ_ONCE(po->rx_ring.frame_max) + 1;\n\tidx = READ_ONCE(po->rx_ring.head);\n\tif (pow_off)\n\t\tidx += len >> pow_off;\n\tif (idx >= len)\n\t\tidx -= len;\n\treturn packet_lookup_frame(po, &po->rx_ring, idx, TP_STATUS_KERNEL);\n}", "project": "linux", "hash": 97556592194860565199760044279616613820, "size": 12, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330396 }, { "func": "static int ca8210_test_interface_init(struct ca8210_priv 
*priv)\n{\n\tstruct ca8210_test *test = &priv->test;\n\tchar node_name[32];\n\n\tsnprintf(\n\t\tnode_name,\n\t\tsizeof(node_name),\n\t\t\"ca8210@%d_%d\",\n\t\tpriv->spi->master->bus_num,\n\t\tpriv->spi->chip_select\n\t);\n\n\ttest->ca8210_dfs_spi_int = debugfs_create_file(\n\t\tnode_name,\n\t\t0600, /* S_IRUSR | S_IWUSR */\n\t\tNULL,\n\t\tpriv,\n\t\t&test_int_fops\n\t);\n\tif (IS_ERR(test->ca8210_dfs_spi_int)) {\n\t\tdev_err(\n\t\t\t&priv->spi->dev,\n\t\t\t\"Error %ld when creating debugfs node\\n\",\n\t\t\tPTR_ERR(test->ca8210_dfs_spi_int)\n\t\t);\n\t\treturn PTR_ERR(test->ca8210_dfs_spi_int);\n\t}\n\tdebugfs_create_symlink(\"ca8210\", NULL, node_name);\n\tinit_waitqueue_head(&test->readq);\n\treturn kfifo_alloc(\n\t\t&test->up_fifo,\n\t\tCA8210_TEST_INT_FIFO_SIZE,\n\t\tGFP_KERNEL\n\t);\n}", "project": "linux", "hash": 70032340231500114449683534120512057300, "size": 36, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408814 }, { "func": "CallResult appendAllPropertyNames(\n Handle obj,\n Runtime *runtime,\n MutableHandle &arr,\n uint32_t beginIndex) {\n uint32_t size = beginIndex;\n // We know that duplicate property names can only exist between objects in\n // the prototype chain. 
Hence there should not be duplicated properties\n // before we start to look at any prototype.\n bool needDedup = false;\n MutableHandle<> prop(runtime);\n MutableHandle head(runtime, obj.get());\n MutableHandle tmpVal{runtime};\n while (head.get()) {\n GCScope gcScope(runtime);\n\n // enumerableProps will contain all enumerable own properties from obj.\n // Impl note: this is the only place where getOwnPropertyKeys will be\n // called without IncludeNonEnumerable on a Proxy. Everywhere else,\n // trap ordering is specified but ES9 13.7.5.15 says \"The mechanics and\n // order of enumerating the properties is not specified\", which is\n // unusual.\n auto cr =\n JSObject::getOwnPropertyNames(head, runtime, true /* onlyEnumerable */);\n if (LLVM_UNLIKELY(cr == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n auto enumerableProps = *cr;\n auto marker = gcScope.createMarker();\n for (unsigned i = 0, e = enumerableProps->getEndIndex(); i < e; ++i) {\n gcScope.flushToMarker(marker);\n prop = enumerableProps->at(runtime, i);\n if (!needDedup) {\n // If no dedup is needed, add it directly.\n if (LLVM_UNLIKELY(\n BigStorage::push_back(arr, runtime, prop) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n ++size;\n continue;\n }\n // Otherwise loop through all existing properties and check if we\n // have seen it before.\n bool dupFound = false;\n if (prop->isNumber()) {\n for (uint32_t j = beginIndex; j < size && !dupFound; ++j) {\n HermesValue val = arr->at(j);\n if (val.isNumber()) {\n dupFound = val.getNumber() == prop->getNumber();\n } else {\n // val is string, prop is number.\n tmpVal = val.getString();\n auto valNum = toArrayIndex(\n StringPrimitive::createStringView(runtime, tmpVal));\n dupFound = valNum && valNum.getValue() == prop->getNumber();\n }\n }\n } else {\n for (uint32_t j = beginIndex; j < size && !dupFound; ++j) {\n HermesValue val = arr->at(j);\n if (val.isNumber()) {\n // val is number, prop is 
string.\n auto propNum = toArrayIndex(StringPrimitive::createStringView(\n runtime, Handle::vmcast(prop)));\n dupFound = propNum && (propNum.getValue() == val.getNumber());\n } else {\n dupFound = val.getString()->equals(prop->getString());\n }\n }\n }\n if (LLVM_LIKELY(!dupFound)) {\n if (LLVM_UNLIKELY(\n BigStorage::push_back(arr, runtime, prop) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n ++size;\n }\n }\n // Continue to follow the prototype chain.\n CallResult> parentRes =\n JSObject::getPrototypeOf(head, runtime);\n if (LLVM_UNLIKELY(parentRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n head = parentRes->get();\n needDedup = true;\n }\n return size;\n}", "project": "hermes", "hash": 190864482475036811956844771086705997499, "size": 91, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230254 }, { "project": "Chrome", "commit_id": "a5333583f14284a411abac2fef7caed889a8bba3", "target": 0, "func": "EmbeddedWorkerContextClient::EmbeddedWorkerContextClient(\n int embedded_worker_id,\n int64 service_worker_version_id,\n const GURL& script_url)\n : embedded_worker_id_(embedded_worker_id),\n service_worker_version_id_(service_worker_version_id),\n script_url_(script_url),\n sender_(ChildThread::current()->thread_safe_sender()),\n main_thread_proxy_(base::MessageLoopProxy::current()),\n weak_factory_(this) {\n g_worker_client_tls.Pointer()->Set(this);\n}\n", "cwe": "", "big_vul_idx": 121729, "idx": 109020, "hash": 25780000373713799142789231206250327364 }, { "func": "static ssize_t fuse_send_write(struct fuse_io_args *ia, loff_t pos,\n\t\t\t size_t count, fl_owner_t owner)\n{\n\tstruct kiocb *iocb = ia->io->iocb;\n\tstruct file *file = iocb->ki_filp;\n\tstruct fuse_file *ff = file->private_data;\n\tstruct fuse_mount *fm = ff->fm;\n\tstruct fuse_write_in *inarg = &ia->write.in;\n\tssize_t err;\n\n\tfuse_write_args_fill(ia, ff, pos, count);\n\tinarg->flags = fuse_write_flags(iocb);\n\tif (owner != NULL) {\n\t\tinarg->write_flags |= FUSE_WRITE_LOCKOWNER;\n\t\tinarg->lock_owner = fuse_lock_owner_id(fm->fc, owner);\n\t}\n\n\tif (ia->io->async)\n\t\treturn fuse_async_req_send(fm, ia, count);\n\n\terr = fuse_simple_request(fm, &ia->ap.args);\n\tif (!err && ia->write.out.size > count)\n\t\terr = -EIO;\n\n\treturn err ?: ia->write.out.size;\n}", "project": "linux", "hash": 240620729620134417830851427983337943510, "size": 26, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer 
opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342031 }, { "func": "DLLEXPORT int DLLCALL tjDecompressToYUV(tjhandle handle,\n\tunsigned char *jpegBuf, unsigned long jpegSize, unsigned char *dstBuf,\n\tint flags)\n{\n\treturn tjDecompressToYUV2(handle, jpegBuf, jpegSize, dstBuf, 0, 4, 0, flags);\n}", "project": "libjpeg-turbo", "hash": 218054652149076822611811132243282035426, "size": 6, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311115 }, { "func": "int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi)\n{\n\tu32 uval, nval, mval;\n\nretry:\n\tif (get_user(uval, uaddr))\n\t\treturn -1;\n\n\tif ((uval & FUTEX_TID_MASK) == task_pid_vnr(curr)) {\n\t\t/*\n\t\t * Ok, this dying thread is truly holding a futex\n\t\t * of interest. Set the OWNER_DIED bit atomically\n\t\t * via cmpxchg, and if the value had FUTEX_WAITERS\n\t\t * set, wake up a waiter (if any). 
(We have to do a\n\t\t * futex_wake() even if OWNER_DIED is already set -\n\t\t * to handle the rare but possible case of recursive\n\t\t * thread-death.) The rest of the cleanup is done in\n\t\t * userspace.\n\t\t */\n\t\tmval = (uval & FUTEX_WAITERS) | FUTEX_OWNER_DIED;\n\t\tnval = futex_atomic_cmpxchg_inatomic(uaddr, uval, mval);\n\n\t\tif (nval == -EFAULT)\n\t\t\treturn -1;\n\n\t\tif (nval != uval)\n\t\t\tgoto retry;\n\n\t\t/*\n\t\t * Wake robust non-PI futexes here. The wakeup of\n\t\t * PI futexes happens in exit_pi_state():\n\t\t */\n\t\tif (!pi && (uval & FUTEX_WAITERS))\n\t\t\tfutex_wake(uaddr, 1, 1, FUTEX_BITSET_MATCH_ANY);\n\t}\n\treturn 0;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 56089368519133278848652456608078623057, "size": 37, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492317 }, { "func": "bool pb_decode_nullterminated(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)\n{\n /* This behaviour will be separated in nanopb-0.4.0, see issue #278. */\n return pb_decode(stream, fields, dest_struct);\n}", "project": "nanopb", "hash": 263673914085382885167073031661048147056, "size": 5, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252516 }, { "func": "static int fuse_create(struct inode *dir, struct dentry *entry, umode_t mode,\n\t\t bool excl)\n{\n\treturn fuse_mknod(dir, entry, mode, 0);\n}", "project": "linux", "hash": 86105050177165429112801327801349109567, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342126 }, { "func": "static ssize_t fuse_perform_write(struct kiocb *iocb,\n\t\t\t\t struct address_space *mapping,\n\t\t\t\t struct iov_iter *ii, loff_t pos)\n{\n\tstruct inode *inode = mapping->host;\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\tint err = 0;\n\tssize_t res = 0;\n\n\tif (inode->i_size < pos + iov_iter_count(ii))\n\t\tset_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);\n\n\tdo {\n\t\tssize_t count;\n\t\tstruct fuse_io_args ia = {};\n\t\tstruct fuse_args_pages *ap = &ia.ap;\n\t\tunsigned int nr_pages = fuse_wr_pages(pos, iov_iter_count(ii),\n\t\t\t\t\t\t fc->max_pages);\n\n\t\tap->pages = fuse_pages_alloc(nr_pages, GFP_KERNEL, &ap->descs);\n\t\tif (!ap->pages) {\n\t\t\terr = -ENOMEM;\n\t\t\tbreak;\n\t\t}\n\n\t\tcount = fuse_fill_write_pages(ap, mapping, ii, pos, nr_pages);\n\t\tif (count <= 0) {\n\t\t\terr = count;\n\t\t} else {\n\t\t\terr = fuse_send_write_pages(&ia, iocb, inode,\n\t\t\t\t\t\t pos, count);\n\t\t\tif (!err) {\n\t\t\t\tsize_t num_written = ia.write.out.size;\n\n\t\t\t\tres += num_written;\n\t\t\t\tpos += num_written;\n\n\t\t\t\t/* break out of the loop on short write */\n\t\t\t\tif (num_written != count)\n\t\t\t\t\terr = -EIO;\n\t\t\t}\n\t\t}\n\t\tkfree(ap->pages);\n\t} while (!err && 
iov_iter_count(ii));\n\n\tif (res > 0)\n\t\tfuse_write_update_size(inode, pos);\n\n\tclear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);\n\tfuse_invalidate_attr(inode);\n\n\treturn res > 0 ? res : err;\n}", "project": "linux", "hash": 85605990413088777568793943457605605211, "size": 54, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341974 }, { "func": "int fuse_reverse_inval_inode(struct fuse_conn *fc, u64 nodeid,\n\t\t\t loff_t offset, loff_t len)\n{\n\tstruct fuse_inode *fi;\n\tstruct inode *inode;\n\tpgoff_t pg_start;\n\tpgoff_t pg_end;\n\n\tinode = fuse_ilookup(fc, nodeid, NULL);\n\tif (!inode)\n\t\treturn -ENOENT;\n\n\tfi = get_fuse_inode(inode);\n\tspin_lock(&fi->lock);\n\tfi->attr_version = atomic64_inc_return(&fc->attr_version);\n\tspin_unlock(&fi->lock);\n\n\tfuse_invalidate_attr(inode);\n\tforget_all_cached_acls(inode);\n\tif (offset >= 0) {\n\t\tpg_start = offset >> PAGE_SHIFT;\n\t\tif (len <= 0)\n\t\t\tpg_end = -1;\n\t\telse\n\t\t\tpg_end = (offset + len - 1) >> PAGE_SHIFT;\n\t\tinvalidate_inode_pages2_range(inode->i_mapping,\n\t\t\t\t\t pg_start, 
pg_end);\n\t}\n\tiput(inode);\n\treturn 0;\n}", "project": "linux", "hash": 312157274997349224713723790852604844461, "size": 31, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341908 }, { "func": "int __kmem_cache_create(struct kmem_cache *s, slab_flags_t flags)\n{\n\tint err;\n\n\terr = kmem_cache_open(s, flags);\n\tif (err)\n\t\treturn err;\n\n\t/* Mutex is not taken during early boot */\n\tif (slab_state <= UP)\n\t\treturn 0;\n\n\tmemcg_propagate_slab_attrs(s);\n\terr = sysfs_slab_add(s);\n\tif (err)\n\t\t__kmem_cache_release(s);\n\n\treturn err;\n}", "project": "linux", "hash": 25259879176562596249883219377087156330, "size": 19, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280085 }, { "func": "UnicodeStringAppendable::reserveAppendCapacity(int32_t appendCapacity) {\n return str.cloneArrayIfNeeded(str.length() + appendCapacity);\n}", "project": "icu", "hash": 80029007181233459529478594246508716187, "size": 3, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430819 }, { "func": "static int kvm_vm_ioctl_reset_dirty_pages(struct kvm *kvm)\n{\n\tint i;\n\tstruct kvm_vcpu *vcpu;\n\tint cleared = 0;\n\n\tif (!kvm->dirty_ring_size)\n\t\treturn -EINVAL;\n\n\tmutex_lock(&kvm->slots_lock);\n\n\tkvm_for_each_vcpu(i, vcpu, kvm)\n\t\tcleared += kvm_dirty_ring_reset(vcpu->kvm, &vcpu->dirty_ring);\n\n\tmutex_unlock(&kvm->slots_lock);\n\n\tif (cleared)\n\t\tkvm_flush_remote_tlbs(kvm);\n\n\treturn cleared;\n}", "project": "linux", "hash": 149723187045232902639694781585815190392, "size": 21, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404072 }, { "func": "void init_openvpn_dissector(struct ndpi_detection_module_struct *ndpi_struct,\n\t\t\t u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {\n ndpi_set_bitmask_protocol_detection(\"OpenVPN\", ndpi_struct, detection_bitmask, *id,\n\t\t\t\t NDPI_PROTOCOL_OPENVPN,\n\t\t\t\t ndpi_search_openvpn,\n\t\t\t\t NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD,\n\t\t\t\t SAVE_DETECTION_BITMASK_AS_UNKNOWN,\n\t\t\t\t ADD_TO_DETECTION_BITMASK);\n\n *id += 1;\n}", "project": "nDPI", "hash": 186981501670670036103371620191385989922, "size": 11, "commit_id": "8e7b1ea7a136cc4e4aa9880072ec2d69900a825e", "message": "Fix for potential heap-buffer-overflow in ndpi_search_openvpn", "target": 0, "dataset": "other", "idx": 241324 }, { "func": "static void nested_svm_uninit_mmu_context(struct kvm_vcpu *vcpu)\n{\n\tvcpu->arch.walk_mmu = &vcpu->arch.mmu;\n}", "project": "kvm", "hash": 157181479437509704339147088529407331305, "size": 4, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). 
However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437583 }, { "func": "static int read_ahead(struct archive_read* a, size_t how_many,\n const uint8_t** ptr)\n{\n\tssize_t avail = -1;\n\tif(!ptr)\n\t\treturn 0;\n\n\t*ptr = __archive_read_ahead(a, how_many, &avail);\n\tif(*ptr == NULL) {\n\t\treturn 0;\n\t}\n\n\treturn 1;\n}", "project": "libarchive", "hash": 142951958097206788901237405011859164153, "size": 14, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's 
base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244743 }, { "func": "void __hci_req_write_fast_connectable(struct hci_request *req, bool enable)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tstruct hci_cp_write_page_scan_activity acp;\n\tu8 type;\n\n\tif (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))\n\t\treturn;\n\n\tif (hdev->hci_ver < BLUETOOTH_VER_1_2)\n\t\treturn;\n\n\tif (enable) {\n\t\ttype = PAGE_SCAN_TYPE_INTERLACED;\n\n\t\t/* 160 msec page scan interval */\n\t\tacp.interval = cpu_to_le16(0x0100);\n\t} else {\n\t\ttype = hdev->def_page_scan_type;\n\t\tacp.interval = cpu_to_le16(hdev->def_page_scan_int);\n\t}\n\n\tacp.window = cpu_to_le16(hdev->def_page_scan_window);\n\n\tif (__cpu_to_le16(hdev->page_scan_interval) != acp.interval ||\n\t __cpu_to_le16(hdev->page_scan_window) != acp.window)\n\t\thci_req_add(req, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,\n\t\t\t sizeof(acp), &acp);\n\n\tif (hdev->page_scan_type != type)\n\t\thci_req_add(req, HCI_OP_WRITE_PAGE_SCAN_TYPE, 1, &type);\n}", "project": "linux", "hash": 148011768332726521429167556703386513517, "size": 32, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402539 }, { "func": "static int ff_layout_encode_ioerr(struct xdr_stream *xdr,\n\t\t\t\t const struct nfs4_layoutreturn_args *args,\n\t\t\t\t const struct nfs4_flexfile_layoutreturn_args *ff_args)\n{\n\t__be32 *start;\n\n\tstart = xdr_reserve_space(xdr, 4);\n\tif (unlikely(!start))\n\t\treturn -E2BIG;\n\n\t*start = cpu_to_be32(ff_args->num_errors);\n\t/* This assume we always return _ALL_ layouts */\n\treturn ff_layout_encode_ds_ioerr(xdr, &ff_args->errors);\n}", "project": "linux", "hash": 106957426044153255677524333918171262250, "size": 14, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234455 }, { "func": "TEST(TestAddDelegateOwnership, AddDelegateDoesNotTakeOwnership) {\n class TestDelegate : public TfLiteDelegate {\n public:\n TestDelegate(bool* destroyed, bool* prepared)\n : TfLiteDelegate(TfLiteDelegateCreate()),\n destroyed_(destroyed),\n prepared_(prepared) {\n flags = kTfLiteDelegateFlagsNone;\n Prepare = [](TfLiteContext*, TfLiteDelegate* delegate) -> TfLiteStatus {\n *(static_cast(delegate)->prepared_) = true;\n return kTfLiteOk;\n };\n }\n ~TestDelegate() { *destroyed_ = true; }\n\n private:\n bool* destroyed_;\n bool* prepared_;\n };\n\n // Construct a delegate with flags for indicating preparation/destruction.\n bool destroyed = false;\n bool prepared = false;\n {\n std::unique_ptr delegate(\n new TestDelegate(&destroyed, &prepared));\n {\n // Load a model.\n auto model = FlatBufferModel::BuildFromFile(\n \"tensorflow/lite/testdata/empty_model.bin\");\n ASSERT_TRUE(model);\n // Now try to build it into an interpreter.\n std::unique_ptr interpreter;\n InterpreterBuilder builder(*model, TrivialResolver());\n builder.AddDelegate(delegate.get()); // Does not transfer ownership.\n // Loop to check we can construct multiple interpreters from one builder.\n for (int i = 0; i < 3; i++) {\n prepared = false;\n ASSERT_EQ(builder(&interpreter), kTfLiteOk);\n ASSERT_NE(interpreter, nullptr);\n\n // The delegate should be prepared as normal, and should be preserved.\n EXPECT_TRUE(prepared);\n EXPECT_FALSE(destroyed);\n\n // Interpreter interaction should not impact the delegate's validity.\n interpreter->AllocateTensors();\n interpreter->Invoke();\n EXPECT_FALSE(destroyed);\n }\n }\n EXPECT_NE(delegate, nullptr);\n 
EXPECT_FALSE(destroyed);\n }\n // Only after the delegate itself goes out of scope should the delegate be\n // destroyed.\n EXPECT_TRUE(destroyed);\n}", "project": "tensorflow", "hash": 146030081513645817304804222397472377564, "size": 58, "commit_id": "c6173f5fe66cdbab74f4f869311fe6aae2ba35f4", "message": "TFLite: Error out when the graph has a recurion.\n\nRecursion is currently unsupported.\n\nPiperOrigin-RevId: 371708957\nChange-Id: I8dfad0d85cbfe08e39ae8ea7bad21254ddee5003", "target": 0, "dataset": "other", "idx": 269617 }, { "func": "void GraphConstructor::Undo() {\n for (const auto& iter : gdef_nodes_) {\n if (iter.second.node != nullptr) {\n g_->RemoveNode(iter.second.node);\n }\n }\n g_->set_versions(original_versions_);\n}", "project": "tensorflow", "hash": 20398654260933712426715451380027772832, "size": 8, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268331 }, { "func": "static void io_req_track_inflight(struct io_kiocb *req)\n{\n\tif (!(req->flags & REQ_F_INFLIGHT)) {\n\t\treq->flags |= REQ_F_INFLIGHT;\n\t\tatomic_inc(¤t->io_uring->inflight_tracked);\n\t}\n}", "project": "linux", "hash": 15477215038700636505520089229450143101, "size": 7, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338576 }, { "func": "PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array)\n{\n\tchar *p = NULL;\n\tchar *ip = NULL;\t\t/* index pointer */\n\tchar *index;\n\tchar *var, *var_orig;\n\tsize_t var_len, index_len;\n\tzval gpc_element, *gpc_element_p;\n\tzend_bool is_array = 0;\n\tHashTable *symtable1 = NULL;\n\tALLOCA_FLAG(use_heap)\n\n\tassert(var_name != NULL);\n\n\tif (track_vars_array && Z_TYPE_P(track_vars_array) == IS_ARRAY) {\n\t\tsymtable1 = Z_ARRVAL_P(track_vars_array);\n\t}\n\n\tif (!symtable1) {\n\t\t/* Nothing to do 
*/\n\t\tzval_dtor(val);\n\t\treturn;\n\t}\n\n\n\t/* ignore leading spaces in the variable name */\n\twhile (*var_name==' ') {\n\t\tvar_name++;\n\t}\n\n\t/*\n\t * Prepare variable name\n\t */\n\tvar_len = strlen(var_name);\n\tvar = var_orig = do_alloca(var_len + 1, use_heap);\n\tmemcpy(var_orig, var_name, var_len + 1);\n\n\t/* ensure that we don't have spaces or dots in the variable name (not binary safe) */\n\tfor (p = var; *p; p++) {\n\t\tif (*p == ' ' || *p == '.') {\n\t\t\t*p='_';\n\t\t} else if (*p == '[') {\n\t\t\tis_array = 1;\n\t\t\tip = p;\n\t\t\t*p = 0;\n\t\t\tbreak;\n\t\t}\n\t}\n\tvar_len = p - var;\n\n\tif (var_len==0) { /* empty variable name, or variable name with a space in it */\n\t\tzval_dtor(val);\n\t\tfree_alloca(var_orig, use_heap);\n\t\treturn;\n\t}\n\n\tif (var_len == sizeof(\"this\")-1 && EG(current_execute_data)) {\n\t\tzend_execute_data *ex = EG(current_execute_data);\n\n\t\twhile (ex) {\n\t\t\tif (ex->func && ZEND_USER_CODE(ex->func->common.type)) {\n\t\t\t\tif ((ZEND_CALL_INFO(ex) & ZEND_CALL_HAS_SYMBOL_TABLE)\n\t\t\t\t\t\t&& ex->symbol_table == symtable1) {\n\t\t\t\t\tif (memcmp(var, \"this\", sizeof(\"this\")-1) == 0) {\n\t\t\t\t\t\tzend_throw_error(NULL, \"Cannot re-assign $this\");\n\t\t\t\t\t\tzval_dtor(val);\n\t\t\t\t\t\tfree_alloca(var_orig, use_heap);\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tex = ex->prev_execute_data;\n\t\t}\n\t}\n\n\t/* GLOBALS hijack attempt, reject parameter */\n\tif (symtable1 == &EG(symbol_table) &&\n\t\tvar_len == sizeof(\"GLOBALS\")-1 &&\n\t\t!memcmp(var, \"GLOBALS\", sizeof(\"GLOBALS\")-1)) {\n\t\tzval_dtor(val);\n\t\tfree_alloca(var_orig, use_heap);\n\t\treturn;\n\t}\n\n\tindex = var;\n\tindex_len = var_len;\n\n\tif (is_array) {\n\t\tint nest_level = 0;\n\t\twhile (1) {\n\t\t\tchar *index_s;\n\t\t\tsize_t new_idx_len = 0;\n\n\t\t\tif(++nest_level > PG(max_input_nesting_level)) {\n\t\t\t\tHashTable *ht;\n\t\t\t\t/* too many levels of nesting */\n\n\t\t\t\tif 
(track_vars_array) {\n\t\t\t\t\tht = Z_ARRVAL_P(track_vars_array);\n\t\t\t\t\tzend_symtable_str_del(ht, var, var_len);\n\t\t\t\t}\n\n\t\t\t\tzval_dtor(val);\n\n\t\t\t\t/* do not output the error message to the screen,\n\t\t\t\t this helps us to to avoid \"information disclosure\" */\n\t\t\t\tif (!PG(display_errors)) {\n\t\t\t\t\tphp_error_docref(NULL, E_WARNING, \"Input variable nesting level exceeded \" ZEND_LONG_FMT \". To increase the limit change max_input_nesting_level in php.ini.\", PG(max_input_nesting_level));\n\t\t\t\t}\n\t\t\t\tfree_alloca(var_orig, use_heap);\n\t\t\t\treturn;\n\t\t\t}\n\n\t\t\tip++;\n\t\t\tindex_s = ip;\n\t\t\tif (isspace(*ip)) {\n\t\t\t\tip++;\n\t\t\t}\n\t\t\tif (*ip==']') {\n\t\t\t\tindex_s = NULL;\n\t\t\t} else {\n\t\t\t\tip = strchr(ip, ']');\n\t\t\t\tif (!ip) {\n\t\t\t\t\t/* PHP variables cannot contain '[' in their names, so we replace the character with a '_' */\n\t\t\t\t\t*(index_s - 1) = '_';\n\n\t\t\t\t\tindex_len = 0;\n\t\t\t\t\tif (index) {\n\t\t\t\t\t\tindex_len = strlen(index);\n\t\t\t\t\t}\n\t\t\t\t\tgoto plain_var;\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\t*ip = 0;\n\t\t\t\tnew_idx_len = strlen(index_s);\n\t\t\t}\n\n\t\t\tif (!index) {\n\t\t\t\tarray_init(&gpc_element);\n\t\t\t\tif ((gpc_element_p = zend_hash_next_index_insert(symtable1, &gpc_element)) == NULL) {\n\t\t\t\t\tzval_ptr_dtor(&gpc_element);\n\t\t\t\t\tzval_dtor(val);\n\t\t\t\t\tfree_alloca(var_orig, use_heap);\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tgpc_element_p = zend_symtable_str_find(symtable1, index, index_len);\n\t\t\t\tif (!gpc_element_p) {\n\t\t\t\t\tzval tmp;\n\t\t\t\t\tarray_init(&tmp);\n\t\t\t\t\tgpc_element_p = zend_symtable_str_update_ind(symtable1, index, index_len, &tmp);\n\t\t\t\t} else {\n\t\t\t\t\tif (Z_TYPE_P(gpc_element_p) == IS_INDIRECT) {\n\t\t\t\t\t\tgpc_element_p = Z_INDIRECT_P(gpc_element_p);\n\t\t\t\t\t}\n\t\t\t\t\tif (Z_TYPE_P(gpc_element_p) != IS_ARRAY) 
{\n\t\t\t\t\t\tzval_ptr_dtor(gpc_element_p);\n\t\t\t\t\t\tarray_init(gpc_element_p);\n\t\t\t\t\t} else {\n\t\t\t\t\t\tSEPARATE_ARRAY(gpc_element_p);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tsymtable1 = Z_ARRVAL_P(gpc_element_p);\n\t\t\t/* ip pointed to the '[' character, now obtain the key */\n\t\t\tindex = index_s;\n\t\t\tindex_len = new_idx_len;\n\n\t\t\tip++;\n\t\t\tif (*ip == '[') {\n\t\t\t\tis_array = 1;\n\t\t\t\t*ip = 0;\n\t\t\t} else {\n\t\t\t\tgoto plain_var;\n\t\t\t}\n\t\t}\n\t} else {\nplain_var:\n\t\tZVAL_COPY_VALUE(&gpc_element, val);\n\t\tif (!index) {\n\t\t\tif ((gpc_element_p = zend_hash_next_index_insert(symtable1, &gpc_element)) == NULL) {\n\t\t\t\tzval_ptr_dtor(&gpc_element);\n\t\t\t}\n\t\t} else {\n\t\t\t/*\n\t\t\t * According to rfc2965, more specific paths are listed above the less specific ones.\n\t\t\t * If we encounter a duplicate cookie name, we should skip it, since it is not possible\n\t\t\t * to have the same (plain text) cookie name for the same path and we should not overwrite\n\t\t\t * more specific cookies with the less specific ones.\n\t\t\t */\n\t\t\tif (Z_TYPE(PG(http_globals)[TRACK_VARS_COOKIE]) != IS_UNDEF &&\n\t\t\t\tsymtable1 == Z_ARRVAL(PG(http_globals)[TRACK_VARS_COOKIE]) &&\n\t\t\t\tzend_symtable_str_exists(symtable1, index, index_len)) {\n\t\t\t\tzval_ptr_dtor(&gpc_element);\n\t\t\t} else {\n\t\t\t\tgpc_element_p = zend_symtable_str_update_ind(symtable1, index, index_len, &gpc_element);\n\t\t\t}\n\t\t}\n\t}\n\tfree_alloca(var_orig, use_heap);\n}", "project": "php-src", "hash": 17879675236624250983246777626655020669, "size": 202, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374962 }, { "func": "int bcf_get_variant_type(bcf1_t *rec, int ith_allele)\n{\n if ( rec->d.var_type==-1 ) bcf_set_variant_types(rec);\n return rec->d.var[ith_allele].type;\n}", "project": "htslib", "hash": 167035303226109464930073940179153216037, "size": 
5, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402222 }, { "func": "static int nested_svm_intercept(struct vcpu_svm *svm)\n{\n\tu32 exit_code = svm->vmcb->control.exit_code;\n\tint vmexit = NESTED_EXIT_HOST;\n\n\tswitch (exit_code) {\n\tcase SVM_EXIT_MSR:\n\t\tvmexit = nested_svm_exit_handled_msr(svm);\n\t\tbreak;\n\tcase SVM_EXIT_IOIO:\n\t\tvmexit = nested_svm_intercept_ioio(svm);\n\t\tbreak;\n\tcase SVM_EXIT_READ_CR0 ... SVM_EXIT_WRITE_CR8: {\n\t\tu32 bit = 1U << (exit_code - SVM_EXIT_READ_CR0);\n\t\tif (svm->nested.intercept_cr & bit)\n\t\t\tvmexit = NESTED_EXIT_DONE;\n\t\tbreak;\n\t}\n\tcase SVM_EXIT_READ_DR0 ... SVM_EXIT_WRITE_DR7: {\n\t\tu32 bit = 1U << (exit_code - SVM_EXIT_READ_DR0);\n\t\tif (svm->nested.intercept_dr & bit)\n\t\t\tvmexit = NESTED_EXIT_DONE;\n\t\tbreak;\n\t}\n\tcase SVM_EXIT_EXCP_BASE ... 
SVM_EXIT_EXCP_BASE + 0x1f: {\n\t\tu32 excp_bits = 1 << (exit_code - SVM_EXIT_EXCP_BASE);\n\t\tif (svm->nested.intercept_exceptions & excp_bits) {\n\t\t\tif (exit_code == SVM_EXIT_EXCP_BASE + DB_VECTOR)\n\t\t\t\tvmexit = nested_svm_intercept_db(svm);\n\t\t\telse\n\t\t\t\tvmexit = NESTED_EXIT_DONE;\n\t\t}\n\t\t/* async page fault always cause vmexit */\n\t\telse if ((exit_code == SVM_EXIT_EXCP_BASE + PF_VECTOR) &&\n\t\t\t svm->vcpu.arch.exception.nested_apf != 0)\n\t\t\tvmexit = NESTED_EXIT_DONE;\n\t\tbreak;\n\t}\n\tcase SVM_EXIT_ERR: {\n\t\tvmexit = NESTED_EXIT_DONE;\n\t\tbreak;\n\t}\n\tdefault: {\n\t\tu64 exit_bits = 1ULL << (exit_code - SVM_EXIT_INTR);\n\t\tif (svm->nested.intercept & exit_bits)\n\t\t\tvmexit = NESTED_EXIT_DONE;\n\t}\n\t}\n\n\treturn vmexit;\n}", "project": "linux", "hash": 102428947262169668730962664525859535908, "size": 51, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432418 }, { "func": "static int nested_svm_intercept(struct vcpu_svm *svm)\n{\n\tu32 exit_code = svm->vmcb->control.exit_code;\n\tint vmexit = NESTED_EXIT_HOST;\n\n\tswitch (exit_code) {\n\tcase SVM_EXIT_MSR:\n\t\tvmexit = nested_svm_exit_handled_msr(svm);\n\t\tbreak;\n\tcase SVM_EXIT_IOIO:\n\t\tvmexit = nested_svm_intercept_ioio(svm);\n\t\tbreak;\n\tcase SVM_EXIT_READ_CR0 ... SVM_EXIT_WRITE_CR8: {\n\t\tu32 bit = 1U << (exit_code - SVM_EXIT_READ_CR0);\n\t\tif (svm->nested.intercept_cr & bit)\n\t\t\tvmexit = NESTED_EXIT_DONE;\n\t\tbreak;\n\t}\n\tcase SVM_EXIT_READ_DR0 ... 
SVM_EXIT_WRITE_DR7: {\n\t\tu32 bit = 1U << (exit_code - SVM_EXIT_READ_DR0);\n\t\tif (svm->nested.intercept_dr & bit)\n\t\t\tvmexit = NESTED_EXIT_DONE;\n\t\tbreak;\n\t}\n\tcase SVM_EXIT_EXCP_BASE ... SVM_EXIT_EXCP_BASE + 0x1f: {\n\t\tu32 excp_bits = 1 << (exit_code - SVM_EXIT_EXCP_BASE);\n\t\tif (svm->nested.intercept_exceptions & excp_bits)\n\t\t\tvmexit = NESTED_EXIT_DONE;\n\t\t/* async page fault always cause vmexit */\n\t\telse if ((exit_code == SVM_EXIT_EXCP_BASE + PF_VECTOR) &&\n\t\t\t svm->apf_reason != 0)\n\t\t\tvmexit = NESTED_EXIT_DONE;\n\t\tbreak;\n\t}\n\tcase SVM_EXIT_ERR: {\n\t\tvmexit = NESTED_EXIT_DONE;\n\t\tbreak;\n\t}\n\tdefault: {\n\t\tu64 exit_bits = 1ULL << (exit_code - SVM_EXIT_INTR);\n\t\tif (svm->nested.intercept & exit_bits)\n\t\t\tvmexit = NESTED_EXIT_DONE;\n\t}\n\t}\n\n\treturn vmexit;\n}", "project": "kvm", "hash": 152329118641346166780713598687821087592, "size": 47, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437599 }, { "func": "bool AreTensorProtosEqual(const TensorProto& lhs, const TensorProto& rhs,\n bool allow_false_negatives) {\n // A small TensorProto can expand into a giant Tensor. 
So we avoid\n // conversion to an actual Tensor if we can quickly rule out equality\n // by comparing the Tensor size since different sized Tensors are definitely\n // different.\n const int64_t lhs_tensor_bytes = TensorByteSize(lhs);\n const int64_t rhs_tensor_bytes = TensorByteSize(rhs);\n if (lhs_tensor_bytes != rhs_tensor_bytes) {\n return false;\n }\n\n // If the TensorProto representation expands into a much bigger Tensor,\n // we have a fast-path that first compares the protos.\n const int64_t lhs_proto_bytes = lhs.ByteSizeLong();\n const bool large_expansion =\n (lhs_proto_bytes < 512 && lhs_tensor_bytes > 4096);\n\n // If the tensor is very large, we'll only compare the proto representation if\n // false negatives are allowed. This may miss some equivalent tensors whose\n // actual tensor values are the same but which are described by different\n // TensorProtos. This avoids construction of large protos in memory.\n const bool only_compare_proto =\n (allow_false_negatives && lhs_tensor_bytes > kMaxAttrValueTensorByteSize);\n if (large_expansion || only_compare_proto) {\n if (AreSerializedProtosEqual(lhs, rhs))\n return true;\n else if (only_compare_proto)\n return false;\n }\n\n // Finally, compare them by constructing Tensors and serializing them back.\n // There are multiple equivalent representations of attr values containing\n // TensorProtos. Comparing Tensor objects is pretty tricky. 
This is unsafe\n // operation, because large tensors can be represented as TensorProto, but\n // can't be serialized to tensor content.\n Tensor lhs_t(lhs.dtype());\n bool success = lhs_t.FromProto(lhs);\n if (!success) {\n return false;\n }\n\n Tensor rhs_t(rhs.dtype());\n success = rhs_t.FromProto(rhs);\n if (!success) {\n return false;\n }\n\n TensorProto lhs_tp;\n lhs_t.AsProtoTensorContent(&lhs_tp);\n\n TensorProto rhs_tp;\n rhs_t.AsProtoTensorContent(&rhs_tp);\n\n return AreSerializedProtosEqual(lhs_tp, rhs_tp);\n}", "project": "tensorflow", "hash": 319552736742553679841503083796833259081, "size": 56, "commit_id": "c2426bba00a01de6913738df8fa78e0215fcce02", "message": "Use `PartialTensorShape` instead of `TensorShape`.\n\n`TensorShape` constructor throws a CHECK-fail if shape is partial/overflows which the other doesn't. We are only determining the number of elements in the shape and partial shape should be used as it returns negative number when needed.\n\nPiperOrigin-RevId: 409205384\nChange-Id: Ia56542ff9ec758f2c9ffc7e4dcc9fa7eecd86e7b", "target": 0, "dataset": "other", "idx": 223147 }, { "func": "\nstatic int __io_uring_add_task_file(struct io_ring_ctx *ctx)\n{\n\tstruct io_uring_task *tctx = current->io_uring;\n\tstruct io_tctx_node *node;\n\tint ret;\n\n\tif (unlikely(!tctx)) {\n\t\tret = io_uring_alloc_task_context(current, ctx);\n\t\tif (unlikely(ret))\n\t\t\treturn ret;\n\t\ttctx = current->io_uring;\n\t}\n\tif (!xa_load(&tctx->xa, (unsigned long)ctx)) {\n\t\tnode = kmalloc(sizeof(*node), GFP_KERNEL);\n\t\tif (!node)\n\t\t\treturn -ENOMEM;\n\t\tnode->ctx = ctx;\n\t\tnode->task = current;\n\n\t\tret = xa_err(xa_store(&tctx->xa, (unsigned long)ctx,\n\t\t\t\t\tnode, GFP_KERNEL));\n\t\tif (ret) {\n\t\t\tkfree(node);\n\t\t\treturn ret;\n\t\t}\n\n\t\tmutex_lock(&ctx->uring_lock);\n\t\tlist_add(&node->ctx_node, &ctx->tctx_list);\n\t\tmutex_unlock(&ctx->uring_lock);\n\t}\n\ttctx->last = ctx;\n\treturn 0;", "project": "linux", "hash": 
205858604055988379963738958278246166839, "size": 33, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338646 }, { "func": "static int zlib_wrap_compress(const char* input, size_t input_length,\n char* output, size_t maxout, int clevel) {\n int status;\n uLongf cl = (uLongf)maxout;\n status = compress2(\n (Bytef*)output, &cl, (Bytef*)input, (uLong)input_length, clevel);\n if (status != Z_OK) {\n return 0;\n }\n return (int)cl;\n}", "project": "c-blosc2", "hash": 97175600465744460461017367290805834772, "size": 11, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303082 }, { "func": "static int getusint(FILE *sfd, uint16 *val) {\n int val2;\n int ret = getint(sfd,&val2);\n *val = val2;\nreturn( ret );\n}", "project": "fontforge", "hash": 151939730511230875686357670874663809725, "size": 6, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() 
function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417891 }, { "func": "static void hci_simple_pair_complete_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_simple_pair_complete *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);\n\tif (!conn)\n\t\tgoto unlock;\n\n\t/* Reset the authentication requirement to unknown */\n\tconn->remote_auth = 0xff;\n\n\t/* To avoid duplicate auth_failed events to user space we check\n\t * the HCI_CONN_AUTH_PEND flag which will be set if we\n\t * initiated the authentication. A traditional auth_complete\n\t * event gets always produced as initiator and is also mapped to\n\t * the mgmt_auth_failed event */\n\tif (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)\n\t\tmgmt_auth_failed(conn, ev->status);\n\n\thci_conn_drop(conn);\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 255419357348887769468237320316798778075, "size": 30, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431958 }, { "func": "void mpol_to_str(char *buffer, int maxlen, struct mempolicy *pol)\n{\n\tchar *p = buffer;\n\tnodemask_t nodes = NODE_MASK_NONE;\n\tunsigned short mode = MPOL_DEFAULT;\n\tunsigned short flags = 0;\n\n\tif (pol && pol != &default_policy && !(pol->flags & MPOL_F_MORON)) {\n\t\tmode = pol->mode;\n\t\tflags = pol->flags;\n\t}\n\n\tswitch (mode) {\n\tcase MPOL_DEFAULT:\n\t\tbreak;\n\tcase MPOL_PREFERRED:\n\t\tif (flags & MPOL_F_LOCAL)\n\t\t\tmode = MPOL_LOCAL;\n\t\telse\n\t\t\tnode_set(pol->v.preferred_node, nodes);\n\t\tbreak;\n\tcase MPOL_BIND:\n\tcase MPOL_INTERLEAVE:\n\t\tnodes = pol->v.nodes;\n\t\tbreak;\n\tdefault:\n\t\tWARN_ON_ONCE(1);\n\t\tsnprintf(p, maxlen, \"unknown\");\n\t\treturn;\n\t}\n\n\tp += snprintf(p, maxlen, \"%s\", policy_modes[mode]);\n\n\tif (flags & MPOL_MODE_FLAGS) {\n\t\tp += snprintf(p, buffer + maxlen - p, \"=\");\n\n\t\t/*\n\t\t * Currently, the only defined flags are mutually exclusive\n\t\t */\n\t\tif (flags & MPOL_F_STATIC_NODES)\n\t\t\tp += snprintf(p, buffer + maxlen - p, \"static\");\n\t\telse if (flags & MPOL_F_RELATIVE_NODES)\n\t\t\tp += snprintf(p, buffer + maxlen - p, \"relative\");\n\t}\n\n\tif (!nodes_empty(nodes))\n\t\tp += scnprintf(p, buffer + maxlen - p, \":%*pbl\",\n\t\t\t nodemask_pr_args(&nodes));\n}", "project": "linux", "hash": 253313253680300793558747285381472222260, "size": 49, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe 
option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366774 }, { "func": "bool MemFile::eof() {\n assertx(m_len != -1);\n int64_t avail = bufferedLen();\n if (avail > 0) {\n return false;\n }\n return m_cursor == m_len;\n}", "project": "hhvm", "hash": 269784353061411217051657751375698090667, "size": 8, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219327 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "MediaElementAudioSourceNode::~MediaElementAudioSourceNode()\n{\n ASSERT(!isInitialized());\n}\n", "cwe": "", "big_vul_idx": 139708, "idx": 180122, "hash": 77107679529415780053259826558655907999 }, { "project": "Chrome", "commit_id": "87190165c55bcf3eecd8824dd8d083f5e3236552", "target": 0, "func": "AudioOutputStream* AudioManagerBase::MakeAudioOutputStream(\n const AudioParameters& params) {\n if (!params.IsValid()) {\n DLOG(ERROR) << \"Audio parameters are invalid\";\n return NULL;\n }\n\n if (num_output_streams_ >= max_num_output_streams_) {\n DLOG(ERROR) << \"Number of opened output audio streams \"\n << num_output_streams_\n << \" exceed the max allowed number \"\n << max_num_output_streams_;\n return NULL;\n 
}\n\n AudioOutputStream* stream = NULL;\n if (params.format() == AudioParameters::AUDIO_MOCK) {\n stream = FakeAudioOutputStream::MakeFakeStream(this, params);\n } else if (params.format() == AudioParameters::AUDIO_PCM_LINEAR) {\n stream = MakeLinearOutputStream(params);\n } else if (params.format() == AudioParameters::AUDIO_PCM_LOW_LATENCY) {\n stream = MakeLowLatencyOutputStream(params);\n }\n\n if (stream)\n ++num_output_streams_;\n\n return stream;\n}\n", "cwe": "", "big_vul_idx": 113846, "idx": 102047, "hash": 216879897641170794439811057556613553318 }, { "func": "int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid)\n{\n\tchar *value = NULL;\n\tsize_t valsz = 0;\n\tchar buf[sizeof(stringify_value(UINT64_MAX))];\n\tint rc;\n\tuint64_t num;\n\n\tassert(optstr);\n\tassert(name);\n\tassert(uid);\n\n\trc = mnt_optstr_get_option(optstr, name, &value, &valsz);\n\tif (rc != 0)\n\t\tgoto fail;\n\n\tif (valsz > sizeof(buf) - 1) {\n\t\trc = -ERANGE;\n\t\tgoto fail;\n\t}\n\tmem2strcpy(buf, value, valsz, sizeof(buf));\n\n\trc = ul_strtou64(buf, &num, 10);\n\tif (rc != 0)\n\t\tgoto fail;\n\tif (num > ULONG_MAX || (uid_t) num != num) {\n\t\trc = -ERANGE;\n\t\tgoto fail;\n\t}\n\t*uid = (uid_t) num;\n\n\treturn 0;\nfail:\n\tDBG(UTILS, ul_debug(\"failed to convert '%s'= to number [rc=%d]\", name, rc));\n\treturn rc;\n}", "project": "util-linux", "hash": 77763318000857745901575305158316664514, "size": 36, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410435 }, { "func": "void oidc_request_state_set(request_rec *r, const char *key, const char *value) {\n\n\t/* get a handle to the global state, which is a table */\n\tapr_table_t *state = oidc_request_state(r);\n\n\t/* put the name/value pair in that table 
*/\n\tapr_table_set(state, key, value);\n}", "project": "mod_auth_openidc", "hash": 713154630669004544109677831116646106, "size": 8, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381951 }, { "func": "static void print_event_info(struct trace_buffer *buf, struct seq_file *m)\n{\n\tunsigned long total;\n\tunsigned long entries;\n\n\tget_total_entries(buf, &total, &entries);\n\tseq_printf(m, \"# entries-in-buffer/entries-written: %lu/%lu #P:%d\\n\",\n\t\t entries, total, num_online_cpus());\n\tseq_puts(m, \"#\\n\");\n}", "project": "linux", "hash": 137589062975487046171249026741458886934, "size": 10, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445579 }, { "func": "static void hci_cc_read_def_err_data_reporting(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_read_def_err_data_reporting *rp = (void *)skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->err_data_reporting = rp->err_data_reporting;\n}", "project": "linux", "hash": 169398618988573348849349791507407104759, "size": 12, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431914 }, { "func": "static void hidinput_change_resolution_multipliers(struct hid_device *hid)\n{\n\tstruct hid_report_enum *rep_enum;\n\tstruct hid_report *rep;\n\tint ret;\n\n\trep_enum = &hid->report_enum[HID_FEATURE_REPORT];\n\tlist_for_each_entry(rep, &rep_enum->report_list, list) {\n\t\tbool update_needed = __hidinput_change_resolution_multipliers(hid,\n\t\t\t\t\t\t\t\t rep, true);\n\n\t\tif (update_needed) {\n\t\t\tret = __hid_request(hid, rep, HID_REQ_SET_REPORT);\n\t\t\tif (ret) {\n\t\t\t\t__hidinput_change_resolution_multipliers(hid,\n\t\t\t\t\t\t\t\t rep, false);\n\t\t\t\treturn;\n\t\t\t}\n\t\t}\n\t}\n\n\t/* refresh our structs */\n\thid_setup_resolution_multiplier(hid);\n}", "project": "linux", "hash": 222675337445177003608924296040589770076, "size": 24, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: 
Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458352 }, { "func": "static void vhost_net_signal_used(struct vhost_net_virtqueue *nvq)\n{\n\tstruct vhost_virtqueue *vq = &nvq->vq;\n\tstruct vhost_dev *dev = vq->dev;\n\n\tif (!nvq->done_idx)\n\t\treturn;\n\n\tvhost_add_used_and_signal_n(dev, vq, vq->heads, nvq->done_idx);\n\tnvq->done_idx = 0;\n}", "project": "linux", "hash": 175858322129440882625643354884671079662, "size": 11, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 441964 }, { "func": "static void __ip_flush_pending_frames(struct sock *sk,\n\t\t\t\t struct sk_buff_head *queue,\n\t\t\t\t struct inet_cork *cork)\n{\n\tstruct sk_buff *skb;\n\n\twhile ((skb = __skb_dequeue_tail(queue)) != NULL)\n\t\tkfree_skb(skb);\n\n\tip_cork_release(cork);\n}", "project": "net", "hash": 257001611550399943438083919183765701647, "size": 11, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. 
Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468992 }, { "func": "static inline void prepare_kill_siginfo(int sig, struct kernel_siginfo *info)\n{\n\tclear_siginfo(info);\n\tinfo->si_signo = sig;\n\tinfo->si_errno = 0;\n\tinfo->si_code = SI_USER;\n\tinfo->si_pid = task_tgid_vnr(current);\n\tinfo->si_uid = from_kuid_munged(current_user_ns(), current_uid());\n}", "project": "linux", "hash": 128443454172325778608087819428350925643, "size": 9, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. 
Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375135 }, { "func": "SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)\n{\n\tstruct kernel_siginfo info;\n\n\tprepare_kill_siginfo(sig, &info);\n\n\treturn kill_something_info(sig, &info, pid);\n}", "project": "linux", "hash": 216373212490786735025432747443679287724, "size": 8, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. 
Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375172 }, { "func": "static int oidc_delete_oldest_state_cookies(request_rec *r,\n\t\tint number_of_valid_state_cookies, int max_number_of_state_cookies,\n\t\toidc_state_cookies_t *first) {\n\toidc_state_cookies_t *cur = NULL, *prev = NULL, *prev_oldest = NULL,\n\t\t\t*oldest = NULL;\n\twhile (number_of_valid_state_cookies >= max_number_of_state_cookies) {\n\t\toldest = first;\n\t\tprev_oldest = NULL;\n\t\tprev = first;\n\t\tcur = first->next;\n\t\twhile (cur) {\n\t\t\tif ((cur->timestamp < oldest->timestamp)) {\n\t\t\t\toldest = cur;\n\t\t\t\tprev_oldest = prev;\n\t\t\t}\n\t\t\tprev = cur;\n\t\t\tcur = cur->next;\n\t\t}\n\t\toidc_warn(r,\n\t\t\t\t\"deleting oldest state cookie: %s (time until expiry %\" APR_TIME_T_FMT \" seconds)\",\n\t\t\t\toldest->name, apr_time_sec(oldest->timestamp - apr_time_now()));\n\t\toidc_util_set_cookie(r, oldest->name, \"\", 0,\n\t\t\t\tOIDC_COOKIE_EXT_SAME_SITE_NONE(r));\n\t\tif (prev_oldest)\n\t\t\tprev_oldest->next = oldest->next;\n\t\telse\n\t\t\tfirst = first->next;\n\t\tnumber_of_valid_state_cookies--;\n\t}\n\treturn number_of_valid_state_cookies;\n}", "project": "mod_auth_openidc", "hash": 131248792847394174292439856421319458453, "size": 31, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks 
@oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381956 }, { "func": "static int oidc_delete_oldest_state_cookies(request_rec *r,\n\t\tint number_of_valid_state_cookies, int max_number_of_state_cookies,\n\t\toidc_state_cookies_t *first) {\n\toidc_state_cookies_t *cur = NULL, *prev = NULL, *prev_oldest = NULL,\n\t\t\t*oldest = NULL;\n\twhile (number_of_valid_state_cookies >= max_number_of_state_cookies) {\n\t\toldest = first;\n\t\tprev_oldest = NULL;\n\t\tprev = first;\n\t\tcur = first->next;\n\t\twhile (cur) {\n\t\t\tif ((cur->timestamp < oldest->timestamp)) {\n\t\t\t\toldest = cur;\n\t\t\t\tprev_oldest = prev;\n\t\t\t}\n\t\t\tprev = cur;\n\t\t\tcur = cur->next;\n\t\t}\n\t\toidc_warn(r,\n\t\t\t\t\"deleting oldest state cookie: %s (time until expiry %\" APR_TIME_T_FMT \" seconds)\",\n\t\t\t\toldest->name, apr_time_sec(oldest->timestamp - apr_time_now()));\n\t\toidc_util_set_cookie(r, oldest->name, \"\", 0, NULL);\n\t\tif (prev_oldest)\n\t\t\tprev_oldest->next = oldest->next;\n\t\telse\n\t\t\tfirst = first->next;\n\t\tnumber_of_valid_state_cookies--;\n\t}\n\treturn number_of_valid_state_cookies;\n}", "project": "mod_auth_openidc", "hash": 11866401658276661688152064732322256271, "size": 30, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447673 }, { "func": "void sctp_transport_walk_stop(struct rhashtable_iter *iter) __releases(RCU)\n{\n\trhashtable_walk_stop(iter);\n\trhashtable_walk_exit(iter);\n}", "project": "linux", "hash": 160520787491180547367519444514031559194, "size": 5, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following 
functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398066 }, { "func": "static bool nfs_open_stateid_recover_openmode(struct nfs4_state *state)\n{\n\tif (state->n_rdonly && !test_bit(NFS_O_RDONLY_STATE, &state->flags))\n\t\treturn true;\n\tif (state->n_wronly && !test_bit(NFS_O_WRONLY_STATE, &state->flags))\n\t\treturn true;\n\tif (state->n_rdwr && !test_bit(NFS_O_RDWR_STATE, &state->flags))\n\t\treturn true;\n\treturn false;\n}", "project": "linux", "hash": 67785673805231640008705150546283050523, "size": 10, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431116 }, { "func": "static int tcp_shifted_skb(struct sock *sk, struct sk_buff *skb,\n\t\t\t struct tcp_sacktag_state *state,\n\t\t\t unsigned int pcount, int shifted, int mss,\n\t\t\t int dup_sack)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct sk_buff *prev = tcp_write_queue_prev(sk, skb);\n\n\tBUG_ON(!pcount);\n\n\tif (skb == tp->lost_skb_hint)\n\t\ttp->lost_cnt_hint += pcount;\n\n\tTCP_SKB_CB(prev)->end_seq += 
shifted;\n\tTCP_SKB_CB(skb)->seq += shifted;\n\n\tskb_shinfo(prev)->gso_segs += pcount;\n\tBUG_ON(skb_shinfo(skb)->gso_segs < pcount);\n\tskb_shinfo(skb)->gso_segs -= pcount;\n\n\t/* When we're adding to gso_segs == 1, gso_size will be zero,\n\t * in theory this shouldn't be necessary but as long as DSACK\n\t * code can come after this skb later on it's better to keep\n\t * setting gso_size to something.\n\t */\n\tif (!skb_shinfo(prev)->gso_size) {\n\t\tskb_shinfo(prev)->gso_size = mss;\n\t\tskb_shinfo(prev)->gso_type = sk->sk_gso_type;\n\t}\n\n\t/* CHECKME: To clear or not to clear? Mimics normal skb currently */\n\tif (skb_shinfo(skb)->gso_segs <= 1) {\n\t\tskb_shinfo(skb)->gso_size = 0;\n\t\tskb_shinfo(skb)->gso_type = 0;\n\t}\n\n\t/* We discard results */\n\ttcp_sacktag_one(skb, sk, state, dup_sack, pcount);\n\n\t/* Difference in this won't matter, both ACKed by the same cumul. ACK */\n\tTCP_SKB_CB(prev)->sacked |= (TCP_SKB_CB(skb)->sacked & TCPCB_EVER_RETRANS);\n\n\tif (skb->len > 0) {\n\t\tBUG_ON(!tcp_skb_pcount(skb));\n\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SACKSHIFTED);\n\t\treturn 0;\n\t}\n\n\t/* Whole SKB was eaten :-) */\n\n\tif (skb == tp->retransmit_skb_hint)\n\t\ttp->retransmit_skb_hint = prev;\n\tif (skb == tp->scoreboard_skb_hint)\n\t\ttp->scoreboard_skb_hint = prev;\n\tif (skb == tp->lost_skb_hint) {\n\t\ttp->lost_skb_hint = prev;\n\t\ttp->lost_cnt_hint -= tcp_skb_pcount(prev);\n\t}\n\n\tTCP_SKB_CB(skb)->tcp_flags |= TCP_SKB_CB(prev)->tcp_flags;\n\tif (skb == tcp_highest_sack(sk))\n\t\ttcp_advance_highest_sack(sk, skb);\n\n\ttcp_unlink_write_queue(skb, sk);\n\tsk_wmem_free_skb(sk, skb);\n\n\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SACKMERGED);\n\n\treturn 1;\n}", "project": "net-next", "hash": 36058713676470510491255768446753331855, "size": 70, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their 
limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409888 }, { "func": "static apr_status_t session_output_filter(ap_filter_t * f,\n apr_bucket_brigade * in)\n{\n\n /* save all the sessions in all the requests */\n request_rec *r = f->r->main;\n if (!r) {\n r = f->r;\n }\n while (r) {\n session_rec *z = NULL;\n session_dir_conf *conf = ap_get_module_config(r->per_dir_config,\n &session_module);\n\n /* load the session, or create one if necessary */\n /* when unset or on error, z will be NULL */\n ap_session_load(r, &z);\n if (!z || z->written) {\n r = r->next;\n continue;\n }\n\n /* if a header was specified, insert the new values from the header */\n if (conf->header_set) {\n const char *override = apr_table_get(r->err_headers_out, conf->header);\n if (!override) {\n override = apr_table_get(r->headers_out, conf->header);\n }\n if (override) {\n apr_table_unset(r->err_headers_out, conf->header);\n apr_table_unset(r->headers_out, conf->header);\n z->encoded = override;\n z->dirty = 1;\n session_identity_decode(r, z);\n }\n }\n\n /* save away the session, and we're done */\n /* when unset or on error, we've complained to the log */\n ap_session_save(r, z);\n\n r = r->next;\n }\n\n /* remove ourselves from the filter chain */\n ap_remove_output_filter(f);\n\n /* send the data up the stack */\n return ap_pass_brigade(f->next, in);\n\n}", "project": "httpd", "hash": 270442828625212471649075357167940265651, "size": 51, "commit_id": "7e09dd714fc62c08c5b0319ed7b9702594faf49b", "message": "mod_session: account for the '&' in identity_concat().\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 389229 }, { "func": "static zend_bool add_post_var(zval *arr, post_var_data_t *var, zend_bool eof)\n{\n\tchar *start, 
*ksep, *vsep, *val;\n\tsize_t klen, vlen;\n\tsize_t new_vlen;\n\n\tif (var->ptr >= var->end) {\n\t\treturn 0;\n\t}\n\n\tstart = var->ptr + var->already_scanned;\n\tvsep = memchr(start, '&', var->end - start);\n\tif (!vsep) {\n\t\tif (!eof) {\n\t\t\tvar->already_scanned = var->end - var->ptr;\n\t\t\treturn 0;\n\t\t} else {\n\t\t\tvsep = var->end;\n\t\t}\n\t}\n\n\tksep = memchr(var->ptr, '=', vsep - var->ptr);\n\tif (ksep) {\n\t\t*ksep = '\\0';\n\t\t/* \"foo=bar&\" or \"foo=&\" */\n\t\tklen = ksep - var->ptr;\n\t\tvlen = vsep - ++ksep;\n\t} else {\n\t\tksep = \"\";\n\t\t/* \"foo&\" */\n\t\tklen = vsep - var->ptr;\n\t\tvlen = 0;\n\t}\n\n\tphp_url_decode(var->ptr, klen);\n\n\tval = estrndup(ksep, vlen);\n\tif (vlen) {\n\t\tvlen = php_url_decode(val, vlen);\n\t}\n\n\tif (sapi_module.input_filter(PARSE_POST, var->ptr, &val, vlen, &new_vlen)) {\n\t\tphp_register_variable_safe(var->ptr, val, new_vlen, arr);\n\t}\n\tefree(val);\n\n\tvar->ptr = vsep + (vsep != var->end);\n\tvar->already_scanned = 0;\n\treturn 1;\n}", "project": "php-src", "hash": 245941235090141010846456076994223624996, "size": 50, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374975 }, { "func": "#else\nstatic inline void bfq_update_insert_stats(struct request_queue *q,\n\t\t\t\t\t struct bfq_queue *bfqq,\n\t\t\t\t\t bool idle_timer_disabled,", "project": "linux", "hash": 223177272632325187104763749176446054955, "size": 4, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. 
So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] 
bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 
mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453378 }, { "func": "#ifdef CONFIG_BFQ_CGROUP_DEBUG\nstatic void bfq_update_insert_stats(struct request_queue *q,\n\t\t\t\t struct bfq_queue *bfqq,\n\t\t\t\t bool idle_timer_disabled,\n\t\t\t\t unsigned int cmd_flags)\n{\n\tif (!bfqq)\n\t\treturn;\n\n\t/*\n\t * bfqq still exists, because it can disappear only after\n\t * either it is merged with another queue, or the process it\n\t * is associated with exits. 
But both actions must be taken by\n\t * the same process currently executing this flow of\n\t * instructions.\n\t *\n\t * In addition, the following queue lock guarantees that\n\t * bfqq_group(bfqq) exists as well.\n\t */\n\tspin_lock_irq(&q->queue_lock);\n\tbfqg_stats_update_io_add(bfqq_group(bfqq), bfqq, cmd_flags);\n\tif (idle_timer_disabled)\n\t\tbfqg_stats_update_idle_time(bfqq_group(bfqq));\n\tspin_unlock_irq(&q->queue_lock);", "project": "linux", "hash": 309589577484337625164905935929889165288, "size": 24, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453401 }, { "func": "static int cmd_queue (IMAP_DATA* idata, const char* cmdstr, int flags)\n{\n IMAP_COMMAND* cmd;\n int rc;\n\n if (cmd_queue_full (idata))\n {\n dprint (3, (debugfile, \"Draining IMAP command pipeline\\n\"));\n\n rc = imap_exec (idata, NULL, IMAP_CMD_FAIL_OK | (flags & IMAP_CMD_POLL));\n\n if (rc < 0 && rc != -2)\n return rc;\n }\n\n if (!(cmd = cmd_new (idata)))\n return IMAP_CMD_BAD;\n\n if (mutt_buffer_printf (idata->cmdbuf, \"%s %s\\r\\n\", cmd->seq, cmdstr) < 0)\n return IMAP_CMD_BAD;\n\n return 0;\n}", "project": "mutt", "hash": 151737785128927598856736977593951992991, "size": 23, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338009 }, { "func": "static int fuse_writeback_range(struct inode *inode, loff_t start, loff_t end)\n{\n\tint 
err = filemap_write_and_wait_range(inode->i_mapping, start, end);\n\n\tif (!err)\n\t\tfuse_sync_writes(inode);\n\n\treturn err;\n}", "project": "linux", "hash": 247363838470771893508664369243846983564, "size": 9, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341926 }, { "func": " bool convert_if_needed(THD *thd, String *str)\n {\n /*\n Check is so simple because all charsets were set up properly\n in setup_one_conversion_function, where typecode of\n placeholder was also taken into account: the variables are different\n here only if conversion is really necessary.\n */\n if (needs_conversion())\n return convert(thd, str);\n str->set_charset(final_character_set_of_str_value);\n return false;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 90720546439847034086319458094837030564, "size": 13, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping 
view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509058 }, { "func": "int vfs_unlink(struct inode *dir, struct dentry *dentry, struct inode **delegated_inode)\n{\n\tstruct inode *target = dentry->d_inode;\n\tint error = may_delete(dir, dentry, 0);\n\n\tif (error)\n\t\treturn error;\n\n\tif (!dir->i_op->unlink)\n\t\treturn -EPERM;\n\n\tinode_lock(target);\n\tif (is_local_mountpoint(dentry))\n\t\terror = -EBUSY;\n\telse {\n\t\terror = security_inode_unlink(dir, dentry);\n\t\tif (!error) {\n\t\t\terror = try_break_deleg(target, delegated_inode);\n\t\t\tif (error)\n\t\t\t\tgoto out;\n\t\t\terror = dir->i_op->unlink(dir, dentry);\n\t\t\tif (!error) {\n\t\t\t\tdont_mount(dentry);\n\t\t\t\tdetach_mounts(dentry);\n\t\t\t\tfsnotify_unlink(dir, dentry);\n\t\t\t}\n\t\t}\n\t}\nout:\n\tinode_unlock(target);\n\n\t/* We don't d_delete() NFS sillyrenamed files--they still exist. 
*/\n\tif (!error && !(dentry->d_flags & DCACHE_NFSFS_RENAMED)) {\n\t\tfsnotify_link_count(target);\n\t\td_delete(dentry);\n\t}\n\n\treturn error;\n}", "project": "linux", "hash": 101720141655072811838056895174327793171, "size": 39, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295413 }, { "func": "int update_open_stateid(struct nfs4_state *state,\n\t\tconst nfs4_stateid *open_stateid,\n\t\tconst nfs4_stateid *delegation,\n\t\tfmode_t fmode)\n{\n\tstruct nfs_server *server = NFS_SERVER(state->inode);\n\tstruct nfs_client *clp = server->nfs_client;\n\tstruct nfs_inode *nfsi = NFS_I(state->inode);\n\tstruct nfs_delegation *deleg_cur;\n\tnfs4_stateid freeme = { };\n\tint ret = 0;\n\n\tfmode &= (FMODE_READ|FMODE_WRITE);\n\n\trcu_read_lock();\n\tspin_lock(&state->owner->so_lock);\n\tif (open_stateid != NULL) {\n\t\tnfs_state_set_open_stateid(state, open_stateid, fmode, &freeme);\n\t\tret = 1;\n\t}\n\n\tdeleg_cur = nfs4_get_valid_delegation(state->inode);\n\tif (deleg_cur == NULL)\n\t\tgoto no_delegation;\n\n\tspin_lock(&deleg_cur->lock);\n\tif (rcu_dereference(nfsi->delegation) != deleg_cur ||\n\t test_bit(NFS_DELEGATION_RETURNING, &deleg_cur->flags) ||\n\t (deleg_cur->type & fmode) != fmode)\n\t\tgoto no_delegation_unlock;\n\n\tif (delegation == NULL)\n\t\tdelegation = &deleg_cur->stateid;\n\telse if (!nfs4_stateid_match_other(&deleg_cur->stateid, delegation))\n\t\tgoto no_delegation_unlock;\n\n\tnfs_mark_delegation_referenced(deleg_cur);\n\tnfs_state_set_delegation(state, &deleg_cur->stateid, fmode);\n\tret = 1;\nno_delegation_unlock:\n\tspin_unlock(&deleg_cur->lock);\nno_delegation:\n\tif (ret)\n\t\tupdate_open_stateflags(state, 
fmode);\n\tspin_unlock(&state->owner->so_lock);\n\trcu_read_unlock();\n\n\tif (test_bit(NFS_STATE_RECLAIM_NOGRACE, &state->flags))\n\t\tnfs4_schedule_state_manager(clp);\n\tif (freeme.type != 0)\n\t\tnfs4_test_and_free_stateid(server, &freeme,\n\t\t\t\tstate->owner->so_cred);\n\n\treturn ret;\n}", "project": "linux", "hash": 36567112444585188970390840174480089875, "size": 55, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431269 }, { "func": "void kvm_s390_vcpu_crypto_reset_all(struct kvm *kvm)\n{\n\tstruct kvm_vcpu *vcpu;\n\tint i;\n\n\tkvm_s390_vcpu_block_all(kvm);\n\n\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\tkvm_s390_vcpu_crypto_setup(vcpu);\n\t\t/* recreate the shadow crycb by leaving the VSIE handler */\n\t\tkvm_s390_sync_request(KVM_REQ_VSIE_RESTART, vcpu);\n\t}\n\n\tkvm_s390_vcpu_unblock_all(kvm);\n}", "project": "linux", "hash": 321408260628535262172202616627653469403, "size": 15, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger 
\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354671 }, { "func": "static bool nfs4_refresh_lock_old_stateid(nfs4_stateid *dst,\n\t\tstruct nfs4_lock_state *lsp)\n{\n\tstruct nfs4_state *state = lsp->ls_state;\n\tbool ret = false;\n\n\tspin_lock(&state->state_lock);\n\tif (!nfs4_stateid_match_other(dst, &lsp->ls_stateid))\n\t\tgoto out;\n\tif (!nfs4_stateid_is_newer(&lsp->ls_stateid, dst))\n\t\tnfs4_stateid_seqid_inc(dst);\n\telse\n\t\tdst->seqid = lsp->ls_stateid.seqid;\n\tret = true;\nout:\n\tspin_unlock(&state->state_lock);\n\treturn ret;\n}", "project": "linux", "hash": 68284816892745171836156646522655975986, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431329 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "JNIEXPORT void JNICALL Java_edu_berkeley_cs_rise_opaque_execution_SGXEnclave_StopEnclave(\n JNIEnv *env, jobject obj, jlong eid) {\n (void)env;\n (void)obj;\n\n sgx_check(\"StopEnclave\", sgx_destroy_enclave(eid));\n}", "idx": 519081, "cwe": "CWE-787", "hash": 198245721760971782298206161798062894367, "dataset": "other" }, { "func": "static void ca8210_unregister_ext_clock(struct spi_device *spi)\n{\n\tstruct ca8210_priv *priv = spi_get_drvdata(spi);\n\n\tif (!priv->clk)\n\t\treturn\n\n\tof_clk_del_provider(spi->dev.of_node);\n\tclk_unregister(priv->clk);\n\tdev_info(&spi->dev, \"External clock unregistered\\n\");\n}", "project": "linux", "hash": 82276743583545059747058876652943100913, "size": 11, "commit_id": 
"6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408807 }, { "func": "static int kvm_s390_set_tod(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tint ret;\n\n\tif (attr->flags)\n\t\treturn -EINVAL;\n\n\tswitch (attr->attr) {\n\tcase KVM_S390_VM_TOD_EXT:\n\t\tret = kvm_s390_set_tod_ext(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_TOD_HIGH:\n\t\tret = kvm_s390_set_tod_high(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_TOD_LOW:\n\t\tret = kvm_s390_set_tod_low(kvm, attr);\n\t\tbreak;\n\tdefault:\n\t\tret = -ENXIO;\n\t\tbreak;\n\t}\n\treturn ret;\n}", "project": "linux", "hash": 193152511031083373206985173506185138366, "size": 23, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354512 }, { "func": "String preg_quote(const String& str,\n const String& delimiter /* = null_string */) {\n const char* in_str = str.data();\n const char* in_str_end = in_str + 
str.size();\n\n /* Nothing to do if we got an empty string */\n if (in_str == in_str_end) {\n return str;\n }\n\n char delim_char = 0; /* Delimiter character to be quoted */\n bool quote_delim = false; /* Whether to quote additional delim char */\n if (!delimiter.empty()) {\n delim_char = delimiter.charAt(0);\n quote_delim = true;\n }\n\n /* Allocate enough memory so that even if each character\n is quoted, we won't run out of room */\n String ret(4 * str.size() + 1, ReserveString);\n char* out_str = ret.mutableData();\n\n /* Go through the string and quote necessary characters */\n const char* p;\n char* q;\n for (p = in_str, q = out_str; p != in_str_end; p++) {\n char c = *p;\n switch (c) {\n case '.': case '\\\\': case '+': case '*': case '?':\n case '[': case '^': case ']': case '$': case '(':\n case ')': case '{': case '}': case '=': case '!':\n case '>': case '<': case '|': case ':': case '-':\n case '#':\n *q++ = '\\\\';\n *q++ = c;\n break;\n\n case '\\0':\n *q++ = '\\\\';\n *q++ = '0';\n *q++ = '0';\n *q++ = '0';\n break;\n\n default:\n if (quote_delim && c == delim_char)\n *q++ = '\\\\';\n *q++ = c;\n break;\n }\n }\n *q = '\\0';\n\n return ret.setSize(q - out_str);\n}", "project": "hhvm", "hash": 189278878836233230295539538309071035452, "size": 55, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 1, "dataset": "other", "idx": 194999 }, { "func": "String preg_quote(const String& str,\n const String& delimiter /* = null_string */) {\n const char* in_str = str.data();\n const char* in_str_end = in_str + str.size();\n\n /* Nothing to do if we got an empty string */\n if (in_str == in_str_end) {\n return str;\n }\n\n char delim_char = 0; /* Delimiter character to be quoted */\n bool quote_delim = false; /* Whether to quote additional delim char */\n if (!delimiter.empty()) {\n delim_char = delimiter.charAt(0);\n quote_delim = true;\n }\n\n /* Allocate 
enough memory so that even if each character\n is quoted, we won't run out of room */\n static_assert(\n (StringData::MaxSize * 4 + 1) < std::numeric_limits::max()\n );\n String ret(4 * str.size() + 1, ReserveString);\n char* out_str = ret.mutableData();\n\n /* Go through the string and quote necessary characters */\n const char* p;\n char* q;\n for (p = in_str, q = out_str; p != in_str_end; p++) {\n char c = *p;\n switch (c) {\n case '.': case '\\\\': case '+': case '*': case '?':\n case '[': case '^': case ']': case '$': case '(':\n case ')': case '{': case '}': case '=': case '!':\n case '>': case '<': case '|': case ':': case '-':\n case '#':\n *q++ = '\\\\';\n *q++ = c;\n break;\n\n case '\\0':\n *q++ = '\\\\';\n *q++ = '0';\n *q++ = '0';\n *q++ = '0';\n break;\n\n default:\n if (quote_delim && c == delim_char)\n *q++ = '\\\\';\n *q++ = c;\n break;\n }\n }\n *q = '\\0';\n\n return ret.setSize(q - out_str);\n}", "project": "hhvm", "hash": 220981898952866903098305403168592775003, "size": 58, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219542 }, { "func": "static int __buffer_append_option(struct ul_buffer *buf,\n\t\t\tconst char *name, size_t namesz,\n\t\t\tconst char *val, size_t valsz)\n{\n\tint rc = 0;\n\n\tif (!ul_buffer_is_empty(buf))\n\t\trc = ul_buffer_append_data(buf, \",\", 1);\n\tif (!rc)\n\t\trc = ul_buffer_append_data(buf, name, namesz);\n\tif (val && !rc) {\n\t\t/* we need to append '=' is value is empty string, see\n\t\t * 727c689908c5e68c92aa1dd65e0d3bdb6d91c1e5 */\n\t\trc = ul_buffer_append_data(buf, \"=\", 1);\n\t\tif (!rc && valsz)\n\t\t\trc = ul_buffer_append_data(buf, val, valsz);\n\t}\n\treturn rc;\n}", "project": "util-linux", "hash": 113894118632121595217564194480377184518, "size": 19, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount 
[CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410388 }, { "func": "int bcf_add_id(const bcf_hdr_t *hdr, bcf1_t *line, const char *id)\n{\n if ( !id ) return 0;\n if ( !(line->unpacked & BCF_UN_STR) ) bcf_unpack(line, BCF_UN_STR);\n\n kstring_t tmp;\n tmp.l = 0; tmp.s = line->d.id; tmp.m = line->d.m_id;\n\n int len = strlen(id);\n char *dst = line->d.id;\n while ( *dst && (dst=strstr(dst,id)) )\n {\n if ( dst[len]!=0 && dst[len]!=';' ) dst++; // a prefix, not a match\n else if ( dst==line->d.id || dst[-1]==';' ) return 0; // already present\n dst++; // a suffix, not a match\n }\n if ( line->d.id && (line->d.id[0]!='.' || line->d.id[1]) )\n {\n tmp.l = strlen(line->d.id);\n kputc(';',&tmp);\n }\n kputs(id,&tmp);\n\n line->d.id = tmp.s; line->d.m_id = tmp.m;\n line->d.shared_dirty |= BCF1_DIRTY_ID;\n return 0;\n\n}", "project": "htslib", "hash": 296055771817309835230777096657079448599, "size": 28, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402185 }, { "func": "int FromkLinuxSignalNumber(int input) {\n#if defined(SIGRTMIN) && defined(SIGRTMAX)\n if (input >= kLinux_SIGRTMIN && input <= kLinux_SIGRTMAX) {\n return SIGRTMIN + input - kLinux_SIGRTMIN;\n }\n#endif\n return FromkLinuxBaseSignalNumber(input);\n}", "project": "asylo", "hash": 333232942093516844062432004062218583428, "size": 8, "commit_id": "bda9772e7872b0d2b9bee32930cf7a4983837b39", "message": "Check input length in FromLinuxSockAddr\n\nPiperOrigin-RevId: 333785506\nChange-Id: I1d68fb8954665eebc1018d80ff995cbe9e7ed6a9", "target": 0, "dataset": "other", "idx": 263458 }, { "func": "FastHufDecoder::enabled()\n{\n #if defined(__INTEL_COMPILER) || defined(__GNUC__) \n\n //\n // Enabled for ICC, GCC:\n // __i386__ -> x86\n // __x86_64__ -> 64-bit x86\n //\n\n #if defined (__i386__) || defined(__x86_64__)\n return true;\n #else\n return false;\n #endif\n\n #elif defined (_MSC_VER)\n\n //\n // Enabled for Visual Studio:\n // _M_IX86 -> x86\n // _M_X64 -> 64bit x86\n\n #if defined (_M_IX86) || defined(_M_X64)\n return true;\n #else\n return false;\n #endif\n\n #else\n\n //\n // Unknown compiler - Be safe and disable.\n //\n return false;\n #endif\n}", "project": "openexr", "hash": 296996557632876965036075299921250326897, "size": 37, "commit_id": "c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f", "message": "compute Huf codelengths using 64 bit to prevent shift overflow\n\nSigned-off-by: Peter Hillman ", "target": 0, "dataset": "other", "idx": 413446 }, { "func": "static void io_req_complete_post(struct io_kiocb *req, long res,\n\t\t\t\t unsigned int cflags)\n{\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tunsigned long 
flags;\n\n\tspin_lock_irqsave(&ctx->completion_lock, flags);\n\t__io_cqring_fill_event(ctx, req->user_data, res, cflags);\n\t/*\n\t * If we're the last reference to this request, add to our locked\n\t * free_list cache.\n\t */\n\tif (req_ref_put_and_test(req)) {\n\t\tstruct io_comp_state *cs = &ctx->submit_state.comp;\n\n\t\tif (req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) {\n\t\t\tif (req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_FAIL_LINK))\n\t\t\t\tio_disarm_next(req);\n\t\t\tif (req->link) {\n\t\t\t\tio_req_task_queue(req->link);\n\t\t\t\treq->link = NULL;\n\t\t\t}\n\t\t}\n\t\tio_dismantle_req(req);\n\t\tio_put_task(req->task, 1);\n\t\tlist_add(&req->compl.list, &cs->locked_free_list);\n\t\tcs->locked_free_nr++;\n\t} else {\n\t\tif (!percpu_ref_tryget(&ctx->refs))\n\t\t\treq = NULL;\n\t}\n\tio_commit_cqring(ctx);\n\tspin_unlock_irqrestore(&ctx->completion_lock, flags);\n\n\tif (req) {\n\t\tio_cqring_ev_posted(ctx);\n\t\tpercpu_ref_put(&ctx->refs);\n\t}\n}", "project": "linux", "hash": 2161067325526817655722273190407281843, "size": 39, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338643 }, { "func": " bool parseString() {\n int len;\n if (!parseRawString(&len)) return false;\n auto const start = reinterpret_cast(top);\n pushStringData(StringData::Make(start, len, CopyString));\n return true;\n }", "project": "hhvm", "hash": 95412429841170142088171047404730244604, "size": 7, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227321 }, { "func": "static u64 __scale_tsc(u64 ratio, u64 tsc)\n{\n\tu64 mult, frac, _tsc;\n\n\tmult = ratio >> 32;\n\tfrac = ratio & ((1ULL << 32) - 1);\n\n\t_tsc = tsc;\n\t_tsc *= mult;\n\t_tsc += (tsc >> 32) * frac;\n\t_tsc += ((tsc & ((1ULL << 32) - 1)) * frac) >> 32;\n\n\treturn _tsc;\n}", "project": "kvm", "hash": 184318253104524199824004935304502620620, "size": 14, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. 
The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437568 }, { "func": "static bool __tpacket_v3_has_room(const struct packet_sock *po, int pow_off)\n{\n\tint idx, len;\n\n\tlen = READ_ONCE(po->rx_ring.prb_bdqc.knum_blocks);\n\tidx = READ_ONCE(po->rx_ring.prb_bdqc.kactive_blk_num);\n\tif (pow_off)\n\t\tidx += len >> pow_off;\n\tif (idx >= len)\n\t\tidx -= len;\n\treturn prb_lookup_block(po, &po->rx_ring, idx, TP_STATUS_KERNEL);\n}", "project": "linux", "hash": 121783371596997515217838741216279370320, "size": 12, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330394 }, { "func": " */\nstatic void bfq_update_peak_rate(struct bfq_data *bfqd, struct request *rq)\n{\n\tu64 now_ns = ktime_get_ns();\n\n\tif (bfqd->peak_rate_samples == 0) { /* first dispatch */\n\t\tbfq_log(bfqd, \"update_peak_rate: goto reset, samples 
%d\",\n\t\t\tbfqd->peak_rate_samples);\n\t\tbfq_reset_rate_computation(bfqd, rq);\n\t\tgoto update_last_values; /* will add one sample */\n\t}\n\n\t/*\n\t * Device idle for very long: the observation interval lasting\n\t * up to this dispatch cannot be a valid observation interval\n\t * for computing a new peak rate (similarly to the late-\n\t * completion event in bfq_completed_request()). Go to\n\t * update_rate_and_reset to have the following three steps\n\t * taken:\n\t * - close the observation interval at the last (previous)\n\t * request dispatch or completion\n\t * - compute rate, if possible, for that observation interval\n\t * - start a new observation interval with this dispatch\n\t */\n\tif (now_ns - bfqd->last_dispatch > 100*NSEC_PER_MSEC &&\n\t bfqd->rq_in_driver == 0)\n\t\tgoto update_rate_and_reset;\n\n\t/* Update sampling information */\n\tbfqd->peak_rate_samples++;\n\n\tif ((bfqd->rq_in_driver > 0 ||\n\t\tnow_ns - bfqd->last_completion < BFQ_MIN_TT)\n\t && !BFQ_RQ_SEEKY(bfqd, bfqd->last_position, rq))\n\t\tbfqd->sequential_samples++;\n\n\tbfqd->tot_sectors_dispatched += blk_rq_sectors(rq);\n\n\t/* Reset max observed rq size every 32 dispatches */\n\tif (likely(bfqd->peak_rate_samples % 32))\n\t\tbfqd->last_rq_max_size =\n\t\t\tmax_t(u32, blk_rq_sectors(rq), bfqd->last_rq_max_size);\n\telse\n\t\tbfqd->last_rq_max_size = blk_rq_sectors(rq);\n\n\tbfqd->delta_from_first = now_ns - bfqd->first_dispatch;\n\n\t/* Target observation interval not yet reached, go on sampling */\n\tif (bfqd->delta_from_first < BFQ_RATE_REF_INTERVAL)\n\t\tgoto update_last_values;\n\nupdate_rate_and_reset:\n\tbfq_update_rate_reset(bfqd, rq);\nupdate_last_values:\n\tbfqd->last_position = blk_rq_pos(rq) + blk_rq_sectors(rq);\n\tif (RQ_BFQQ(rq) == bfqd->in_service_queue)\n\t\tbfqd->in_serv_last_pos = bfqd->last_position;\n\tbfqd->last_dispatch = now_ns;", "project": "linux", "hash": 122003878869552587115426627048058954047, "size": 58, "commit_id": 
"2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] 
do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] 
el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453357 }, { "func": "sftp_client_message sftp_get_client_message(sftp_session sftp) {\n ssh_session session = 
sftp->session;\n sftp_packet packet;\n sftp_client_message msg;\n ssh_buffer payload;\n int rc;\n\n msg = malloc(sizeof (struct sftp_client_message_struct));\n if (msg == NULL) {\n ssh_set_error_oom(session);\n return NULL;\n }\n ZERO_STRUCTP(msg);\n\n packet = sftp_packet_read(sftp);\n if (packet == NULL) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n\n payload = packet->payload;\n msg->type = packet->type;\n msg->sftp = sftp;\n\n /* take a copy of the whole packet */\n msg->complete_message = ssh_buffer_new();\n if (msg->complete_message == NULL) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n\n ssh_buffer_add_data(msg->complete_message,\n ssh_buffer_get(payload),\n ssh_buffer_get_len(payload));\n\n ssh_buffer_get_u32(payload, &msg->id);\n\n switch(msg->type) {\n case SSH_FXP_CLOSE:\n case SSH_FXP_READDIR:\n msg->handle = ssh_buffer_get_ssh_string(payload);\n if (msg->handle == NULL) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_READ:\n rc = ssh_buffer_unpack(payload,\n \"Sqd\",\n &msg->handle,\n &msg->offset,\n &msg->len);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_WRITE:\n rc = ssh_buffer_unpack(payload,\n \"SqS\",\n &msg->handle,\n &msg->offset,\n &msg->data);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_REMOVE:\n case SSH_FXP_RMDIR:\n case SSH_FXP_OPENDIR:\n case SSH_FXP_READLINK:\n case SSH_FXP_REALPATH:\n rc = ssh_buffer_unpack(payload,\n \"s\",\n &msg->filename);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_RENAME:\n case SSH_FXP_SYMLINK:\n rc = ssh_buffer_unpack(payload,\n \"sS\",\n &msg->filename,\n &msg->data);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n 
sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_MKDIR:\n case SSH_FXP_SETSTAT:\n rc = ssh_buffer_unpack(payload,\n \"s\",\n &msg->filename);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n msg->attr = sftp_parse_attr(sftp, payload, 0);\n if (msg->attr == NULL) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_FSETSTAT:\n msg->handle = ssh_buffer_get_ssh_string(payload);\n if (msg->handle == NULL) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n msg->attr = sftp_parse_attr(sftp, payload, 0);\n if (msg->attr == NULL) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_LSTAT:\n case SSH_FXP_STAT:\n rc = ssh_buffer_unpack(payload,\n \"s\",\n &msg->filename);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n if(sftp->version > 3) {\n ssh_buffer_unpack(payload, \"d\", &msg->flags);\n }\n break;\n case SSH_FXP_OPEN:\n rc = ssh_buffer_unpack(payload,\n \"sd\",\n &msg->filename,\n &msg->flags);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n msg->attr = sftp_parse_attr(sftp, payload, 0);\n if (msg->attr == NULL) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_FSTAT:\n rc = ssh_buffer_unpack(payload,\n \"S\",\n &msg->handle);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_EXTENDED:\n rc = ssh_buffer_unpack(payload,\n \"s\",\n &msg->submessage);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n\n if (strcmp(msg->submessage, \"hardlink@openssh.com\") == 0 ||\n strcmp(msg->submessage, \"posix-rename@openssh.com\") == 0) {\n rc = 
ssh_buffer_unpack(payload,\n \"sS\",\n &msg->filename,\n &msg->data);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n }\n break;\n default:\n ssh_set_error(sftp->session, SSH_FATAL,\n \"Received unhandled sftp message %d\", msg->type);\n sftp_client_message_free(msg);\n return NULL;\n }\n\n return msg;\n}", "project": "libssh-mirror", "hash": 104812262391619336608412301470901113139, "size": 203, "commit_id": "2782cb0495b7450bd8fe43ce4af886b66fea6c40", "message": "sftpserver: Add missing return check for ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 1, "dataset": "other", "idx": 209954 }, { "func": "sftp_client_message sftp_get_client_message(sftp_session sftp) {\n ssh_session session = sftp->session;\n sftp_packet packet;\n sftp_client_message msg;\n ssh_buffer payload;\n int rc;\n\n msg = malloc(sizeof (struct sftp_client_message_struct));\n if (msg == NULL) {\n ssh_set_error_oom(session);\n return NULL;\n }\n ZERO_STRUCTP(msg);\n\n packet = sftp_packet_read(sftp);\n if (packet == NULL) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n\n payload = packet->payload;\n msg->type = packet->type;\n msg->sftp = sftp;\n\n /* take a copy of the whole packet */\n msg->complete_message = ssh_buffer_new();\n if (msg->complete_message == NULL) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n\n rc = ssh_buffer_add_data(msg->complete_message,\n ssh_buffer_get(payload),\n ssh_buffer_get_len(payload));\n if (rc < 0) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n\n ssh_buffer_get_u32(payload, &msg->id);\n\n switch(msg->type) {\n case SSH_FXP_CLOSE:\n case SSH_FXP_READDIR:\n msg->handle = ssh_buffer_get_ssh_string(payload);\n if (msg->handle == NULL) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return 
NULL;\n }\n break;\n case SSH_FXP_READ:\n rc = ssh_buffer_unpack(payload,\n \"Sqd\",\n &msg->handle,\n &msg->offset,\n &msg->len);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_WRITE:\n rc = ssh_buffer_unpack(payload,\n \"SqS\",\n &msg->handle,\n &msg->offset,\n &msg->data);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_REMOVE:\n case SSH_FXP_RMDIR:\n case SSH_FXP_OPENDIR:\n case SSH_FXP_READLINK:\n case SSH_FXP_REALPATH:\n rc = ssh_buffer_unpack(payload,\n \"s\",\n &msg->filename);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_RENAME:\n case SSH_FXP_SYMLINK:\n rc = ssh_buffer_unpack(payload,\n \"sS\",\n &msg->filename,\n &msg->data);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_MKDIR:\n case SSH_FXP_SETSTAT:\n rc = ssh_buffer_unpack(payload,\n \"s\",\n &msg->filename);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n msg->attr = sftp_parse_attr(sftp, payload, 0);\n if (msg->attr == NULL) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_FSETSTAT:\n msg->handle = ssh_buffer_get_ssh_string(payload);\n if (msg->handle == NULL) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n msg->attr = sftp_parse_attr(sftp, payload, 0);\n if (msg->attr == NULL) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_LSTAT:\n case SSH_FXP_STAT:\n rc = ssh_buffer_unpack(payload,\n \"s\",\n &msg->filename);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n if(sftp->version > 3) {\n ssh_buffer_unpack(payload, 
\"d\", &msg->flags);\n }\n break;\n case SSH_FXP_OPEN:\n rc = ssh_buffer_unpack(payload,\n \"sd\",\n &msg->filename,\n &msg->flags);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n msg->attr = sftp_parse_attr(sftp, payload, 0);\n if (msg->attr == NULL) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_FSTAT:\n rc = ssh_buffer_unpack(payload,\n \"S\",\n &msg->handle);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n break;\n case SSH_FXP_EXTENDED:\n rc = ssh_buffer_unpack(payload,\n \"s\",\n &msg->submessage);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n\n if (strcmp(msg->submessage, \"hardlink@openssh.com\") == 0 ||\n strcmp(msg->submessage, \"posix-rename@openssh.com\") == 0) {\n rc = ssh_buffer_unpack(payload,\n \"sS\",\n &msg->filename,\n &msg->data);\n if (rc != SSH_OK) {\n ssh_set_error_oom(session);\n sftp_client_message_free(msg);\n return NULL;\n }\n }\n break;\n default:\n ssh_set_error(sftp->session, SSH_FATAL,\n \"Received unhandled sftp message %d\", msg->type);\n sftp_client_message_free(msg);\n return NULL;\n }\n\n return msg;\n}", "project": "libssh-mirror", "hash": 111915200315433769761170865971793335091, "size": 208, "commit_id": "2782cb0495b7450bd8fe43ce4af886b66fea6c40", "message": "sftpserver: Add missing return check for ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 424886 }, { "func": "static int php_ifd_get16u(void *Short, int motorola_intel) {\n if (motorola_intel) {\n return (((unsigned char *)Short)[0] << 8) | ((unsigned char *)Short)[1];\n } else {\n return (((unsigned char *)Short)[1] << 8) | ((unsigned char *)Short)[0];\n }\n}", "project": "hhvm", "hash": 
58491834127135501221895718102844033861, "size": 7, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219345 }, { "func": "static int irda_sendmsg_ultra(struct kiocb *iocb, struct socket *sock,\n\t\t\t struct msghdr *msg, size_t len)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct irda_sock *self;\n\t__u8 pid = 0;\n\tint bound = 0;\n\tstruct sk_buff *skb;\n\tint err;\n\n\tIRDA_DEBUG(4, \"%s(), len=%zd\\n\", __func__, len);\n\n\tif (msg->msg_flags & ~(MSG_DONTWAIT|MSG_CMSG_COMPAT))\n\t\treturn -EINVAL;\n\n\tif (sk->sk_shutdown & SEND_SHUTDOWN) {\n\t\tsend_sig(SIGPIPE, current, 0);\n\t\treturn -EPIPE;\n\t}\n\n\tself = irda_sk(sk);\n\n\t/* Check if an address was specified with sendto. Jean II */\n\tif (msg->msg_name) {\n\t\tstruct sockaddr_irda *addr = (struct sockaddr_irda *) msg->msg_name;\n\t\t/* Check address, extract pid. Jean II */\n\t\tif (msg->msg_namelen < sizeof(*addr))\n\t\t\treturn -EINVAL;\n\t\tif (addr->sir_family != AF_IRDA)\n\t\t\treturn -EINVAL;\n\n\t\tpid = addr->sir_lsap_sel;\n\t\tif (pid & 0x80) {\n\t\t\tIRDA_DEBUG(0, \"%s(), extension in PID not supp!\\n\", __func__);\n\t\t\treturn -EOPNOTSUPP;\n\t\t}\n\t} else {\n\t\t/* Check that the socket is properly bound to an Ultra\n\t\t * port. Jean II */\n\t\tif ((self->lsap == NULL) ||\n\t\t (sk->sk_state != TCP_ESTABLISHED)) {\n\t\t\tIRDA_DEBUG(0, \"%s(), socket not bound to Ultra PID.\\n\",\n\t\t\t\t __func__);\n\t\t\treturn -ENOTCONN;\n\t\t}\n\t\t/* Use PID from socket */\n\t\tbound = 1;\n\t}\n\n\t/*\n\t * Check that we don't send out too big frames. This is an unreliable\n\t * service, so we have no fragmentation and no coalescence\n\t */\n\tif (len > self->max_data_size) {\n\t\tIRDA_DEBUG(0, \"%s(), Warning to much data! 
\"\n\t\t\t \"Chopping frame from %zd to %d bytes!\\n\",\n\t\t\t __func__, len, self->max_data_size);\n\t\tlen = self->max_data_size;\n\t}\n\n\tskb = sock_alloc_send_skb(sk, len + self->max_header_size,\n\t\t\t\t msg->msg_flags & MSG_DONTWAIT, &err);\n\tif (!skb)\n\t\treturn -ENOBUFS;\n\n\tskb_reserve(skb, self->max_header_size);\n\tskb_reset_transport_header(skb);\n\n\tIRDA_DEBUG(4, \"%s(), appending user data\\n\", __func__);\n\tskb_put(skb, len);\n\terr = memcpy_fromiovec(skb_transport_header(skb), msg->msg_iov, len);\n\tif (err) {\n\t\tkfree_skb(skb);\n\t\treturn err;\n\t}\n\n\terr = irlmp_connless_data_request((bound ? self->lsap : NULL),\n\t\t\t\t\t skb, pid);\n\tif (err) {\n\t\tIRDA_DEBUG(0, \"%s(), err=%d\\n\", __func__, err);\n\t\treturn err;\n\t}\n\treturn len;\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c", "hash": 123924755742853793927952711674744073382, "size": 84, "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "dataset": "other", "idx": 490857 }, { "func": "apr_status_t h2_stream_add_header(h2_stream *stream,\n const char *name, size_t nlen,\n const char *value, size_t vlen)\n{\n h2_session *session = stream->session;\n int error = 0, was_added = 0;\n apr_status_t status = APR_SUCCESS;\n \n if (stream->has_response) {\n return APR_EINVAL; \n }\n\n if (name[0] == ':') {\n if ((vlen) > session->s->limit_req_line) {\n /* pseudo header: approximation of request line size check */\n if (!h2_stream_is_ready(stream)) {\n ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, session->c,\n H2_STRM_LOG(APLOGNO(10178), stream,\n \"Request pseudo header exceeds \"\n \"LimitRequestFieldSize: %s\"), name);\n }\n error = HTTP_REQUEST_URI_TOO_LARGE;\n goto cleanup;\n }\n }\n \n if (session->s->limit_req_fields > 0 \n && stream->request_headers_added > session->s->limit_req_fields) {\n /* already over limit, count this attempt, but do not take it in */\n ++stream->request_headers_added;\n }\n else if (H2_SS_IDLE == stream->state) {\n if (!stream->rtmp) {\n stream->rtmp = h2_req_create(stream->id, stream->pool, \n NULL, NULL, NULL, NULL, NULL, 0);\n }\n status = h2_request_add_header(stream->rtmp, stream->pool,\n name, nlen, value, vlen,\n session->s->limit_req_fieldsize, &was_added);\n if (was_added) ++stream->request_headers_added;\n }\n else if (H2_SS_OPEN == stream->state) {\n status = add_trailer(stream, name, nlen, value, vlen,\n session->s->limit_req_fieldsize, &was_added);\n if (was_added) ++stream->request_headers_added;\n }\n else {\n status = APR_EINVAL;\n goto cleanup;\n }\n \n if (APR_EINVAL == status) {\n /* header too long */\n if (!h2_stream_is_ready(stream)) {\n ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, session->c,\n H2_STRM_LOG(APLOGNO(10180), stream,\"Request header exceeds \"\n \"LimitRequestFieldSize: %.*s\"),\n (int)H2MIN(nlen, 80), name);\n }\n error = HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE;\n goto cleanup;\n }\n \n if (session->s->limit_req_fields > 0 \n && 
stream->request_headers_added > session->s->limit_req_fields) {\n /* too many header lines */\n if (stream->request_headers_added > session->s->limit_req_fields + 100) {\n /* yeah, right, this request is way over the limit, say goodbye */\n h2_stream_rst(stream, H2_ERR_ENHANCE_YOUR_CALM);\n return APR_ECONNRESET;\n }\n if (!h2_stream_is_ready(stream)) {\n ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, session->c,\n H2_STRM_LOG(APLOGNO(10181), stream, \"Number of request headers \"\n \"exceeds LimitRequestFields\"));\n }\n error = HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE;\n goto cleanup;\n }\n \ncleanup:\n if (error) {\n set_error_response(stream, error);\n return APR_EINVAL; \n }\n else if (status != APR_SUCCESS) {\n ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c,\n H2_STRM_MSG(stream, \"header %s not accepted\"), name);\n h2_stream_dispatch(stream, H2_SEV_CANCELLED);\n }\n return status;\n}", "project": "httpd", "hash": 80355731275729217540539969923669999195, "size": 92, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284229 }, { "func": "static int ecryptfs_read_headers_virt(char *page_virt,\n\t\t\t\t struct ecryptfs_crypt_stat *crypt_stat,\n\t\t\t\t struct dentry *ecryptfs_dentry,\n\t\t\t\t int validate_header_size)\n{\n\tint rc = 0;\n\tint offset;\n\tint bytes_read;\n\n\tecryptfs_set_default_sizes(crypt_stat);\n\tcrypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private(\n\t\tecryptfs_dentry->d_sb)->mount_crypt_stat;\n\toffset = ECRYPTFS_FILE_SIZE_BYTES;\n\trc = contains_ecryptfs_marker(page_virt + offset);\n\tif (rc == 0) {\n\t\trc = -EINVAL;\n\t\tgoto out;\n\t}\n\toffset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;\n\trc = ecryptfs_process_flags(crypt_stat, (page_virt + offset),\n\t\t\t\t &bytes_read);\n\tif 
(rc) {\n\t\tecryptfs_printk(KERN_WARNING, \"Error processing flags\\n\");\n\t\tgoto out;\n\t}\n\tif (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) {\n\t\tecryptfs_printk(KERN_WARNING, \"File version is [%d]; only \"\n\t\t\t\t\"file version [%d] is supported by this \"\n\t\t\t\t\"version of eCryptfs\\n\",\n\t\t\t\tcrypt_stat->file_version,\n\t\t\t\tECRYPTFS_SUPPORTED_FILE_VERSION);\n\t\trc = -EINVAL;\n\t\tgoto out;\n\t}\n\toffset += bytes_read;\n\tif (crypt_stat->file_version >= 1) {\n\t\trc = parse_header_metadata(crypt_stat, (page_virt + offset),\n\t\t\t\t\t &bytes_read, validate_header_size);\n\t\tif (rc) {\n\t\t\tecryptfs_printk(KERN_WARNING, \"Error reading header \"\n\t\t\t\t\t\"metadata; rc = [%d]\\n\", rc);\n\t\t}\n\t\toffset += bytes_read;\n\t} else\n\t\tset_default_header_data(crypt_stat);\n\trc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset),\n\t\t\t\t ecryptfs_dentry);\nout:\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 94352889297738886537565816820315029505, "size": 50, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. 
This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490161 }, { "func": "static bool legitimize_root(struct nameidata *nd)\n{\n\tif (!nd->root.mnt || (nd->flags & LOOKUP_ROOT))\n\t\treturn true;\n\tnd->flags |= LOOKUP_ROOT_GRABBED;\n\treturn legitimize_path(nd, &nd->root, nd->root_seq);\n}", "project": "linux", "hash": 57575119600888432382917656637068637605, "size": 7, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295415 }, { "func": "static void complete_signal(int sig, struct task_struct *p, enum pid_type type)\n{\n\tstruct signal_struct *signal = p->signal;\n\tstruct task_struct *t;\n\n\t/*\n\t * Now find a thread we can wake up to take the signal off the queue.\n\t *\n\t * If the main thread wants the signal, it gets first crack.\n\t * Probably the least surprising to the average bear.\n\t */\n\tif (wants_signal(sig, p))\n\t\tt = p;\n\telse if ((type == PIDTYPE_PID) || 
thread_group_empty(p))\n\t\t/*\n\t\t * There is just one thread and it does not need to be woken.\n\t\t * It will dequeue unblocked signals before it runs again.\n\t\t */\n\t\treturn;\n\telse {\n\t\t/*\n\t\t * Otherwise try to find a suitable thread.\n\t\t */\n\t\tt = signal->curr_target;\n\t\twhile (!wants_signal(sig, t)) {\n\t\t\tt = next_thread(t);\n\t\t\tif (t == signal->curr_target)\n\t\t\t\t/*\n\t\t\t\t * No thread needs to be woken.\n\t\t\t\t * Any eligible threads will see\n\t\t\t\t * the signal in the queue soon.\n\t\t\t\t */\n\t\t\t\treturn;\n\t\t}\n\t\tsignal->curr_target = t;\n\t}\n\n\t/*\n\t * Found a killable thread. If the signal will be fatal,\n\t * then start taking the whole group down immediately.\n\t */\n\tif (sig_fatal(p, sig) &&\n\t !(signal->flags & SIGNAL_GROUP_EXIT) &&\n\t !sigismember(&t->real_blocked, sig) &&\n\t (sig == SIGKILL || !p->ptrace)) {\n\t\t/*\n\t\t * This signal will be fatal to the whole group.\n\t\t */\n\t\tif (!sig_kernel_coredump(sig)) {\n\t\t\t/*\n\t\t\t * Start a group exit and wake everybody up.\n\t\t\t * This way we don't have other threads\n\t\t\t * running and doing things after a slower\n\t\t\t * thread has the fatal signal pending.\n\t\t\t */\n\t\t\tsignal->flags = SIGNAL_GROUP_EXIT;\n\t\t\tsignal->group_exit_code = sig;\n\t\t\tsignal->group_stop_count = 0;\n\t\t\tt = p;\n\t\t\tdo {\n\t\t\t\ttask_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);\n\t\t\t\tsigaddset(&t->pending.signal, SIGKILL);\n\t\t\t\tsignal_wake_up(t, 1);\n\t\t\t} while_each_thread(p, t);\n\t\t\treturn;\n\t\t}\n\t}\n\n\t/*\n\t * The signal is already in the shared-pending queue.\n\t * Tell the chosen thread to wake up and dequeue it.\n\t */\n\tsignal_wake_up(t, sig == SIGKILL);\n\treturn;\n}", "project": "linux", "hash": 66765339221127510368531599886648576388, "size": 75, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto 
wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375138 }, { "func": " */\nstatic void bfq_rq_enqueued(struct bfq_data *bfqd, struct bfq_queue *bfqq,\n\t\t\t struct request *rq)\n{\n\tif (rq->cmd_flags & REQ_META)\n\t\tbfqq->meta_pending++;\n\n\tbfqq->last_request_pos = blk_rq_pos(rq) + blk_rq_sectors(rq);\n\n\tif (bfqq == bfqd->in_service_queue && bfq_bfqq_wait_request(bfqq)) {\n\t\tbool small_req = bfqq->queued[rq_is_sync(rq)] == 1 &&\n\t\t\t\t blk_rq_sectors(rq) < 32;\n\t\tbool budget_timeout = bfq_bfqq_budget_timeout(bfqq);\n\n\t\t/*\n\t\t * There is just this request queued: if\n\t\t * - the request is small, and\n\t\t * - we are idling to boost throughput, and\n\t\t * - the queue is not to be expired,\n\t\t * then just exit.\n\t\t *\n\t\t * In this way, if the device is being idled to wait\n\t\t * for a new request from the in-service queue, we\n\t\t * avoid unplugging the device and committing the\n\t\t * device to serve just a small request. In contrast\n\t\t * we wait for the block layer to decide when to\n\t\t * unplug the device: hopefully, new requests will be\n\t\t * merged to this one quickly, then the device will be\n\t\t * unplugged and larger requests will be dispatched.\n\t\t */\n\t\tif (small_req && idling_boosts_thr_without_issues(bfqd, bfqq) &&\n\t\t !budget_timeout)\n\t\t\treturn;\n\n\t\t/*\n\t\t * A large enough request arrived, or idling is being\n\t\t * performed to preserve service guarantees, or\n\t\t * finally the queue is to be expired: in all these\n\t\t * cases disk idling is to be stopped, so clear\n\t\t * wait_request flag and reset timer.\n\t\t */\n\t\tbfq_clear_bfqq_wait_request(bfqq);\n\t\thrtimer_try_to_cancel(&bfqd->idle_slice_timer);\n\n\t\t/*\n\t\t * The queue is not empty, because a new request just\n\t\t * arrived. 
Hence we can safely expire the queue, in\n\t\t * case of budget timeout, without risking that the\n\t\t * timestamps of the queue are not updated correctly.\n\t\t * See [1] for more details.\n\t\t */\n\t\tif (budget_timeout)\n\t\t\tbfq_bfqq_expire(bfqd, bfqq, false,\n\t\t\t\t\tBFQQE_BUDGET_TIMEOUT);\n\t}", "project": "linux", "hash": 235973313070897085405846425099333408789, "size": 55, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453300 }, { "func": "static apr_byte_t oidc_restore_proto_state(request_rec *r, oidc_cfg *c,\n\t\tconst char *state, oidc_proto_state_t **proto_state) {\n\n\toidc_debug(r, \"enter\");\n\n\tconst char *cookieName = oidc_get_state_cookie_name(r, state);\n\n\t/* clean expired state cookies to avoid pollution */\n\toidc_clean_expired_state_cookies(r, c, cookieName, FALSE);\n\n\t/* get the state cookie value first */\n\tchar *cookieValue = oidc_util_get_cookie(r, cookieName);\n\tif (cookieValue == NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"no \\\"%s\\\" state cookie found: check domain and samesite cookie settings\",\n\t\t\t\tcookieName);\n\t\treturn FALSE;\n\t}\n\n\t/* clear state cookie because we don't need it anymore */\n\toidc_util_set_cookie(r, cookieName, \"\", 0,\n\t\t\tOIDC_COOKIE_EXT_SAME_SITE_NONE(r));\n\n\t*proto_state = oidc_proto_state_from_cookie(r, c, 
cookieValue);\n\tif (*proto_state == NULL)\n\t\treturn FALSE;\n\n\tconst char *nonce = oidc_proto_state_get_nonce(*proto_state);\n\n\t/* calculate the hash of the browser fingerprint concatenated with the nonce */\n\tchar *calc = oidc_get_browser_state_hash(r, c, nonce);\n\t/* compare the calculated hash with the value provided in the authorization response */\n\tif (apr_strnatcmp(calc, state) != 0) {\n\t\toidc_error(r,\n\t\t\t\t\"calculated state from cookie does not match state parameter passed back in URL: \\\"%s\\\" != \\\"%s\\\"\",\n\t\t\t\tstate, calc);\n\t\toidc_proto_state_destroy(*proto_state);\n\t\treturn FALSE;\n\t}\n\n\tapr_time_t ts = oidc_proto_state_get_timestamp(*proto_state);\n\n\t/* check that the timestamp is not beyond the valid interval */\n\tif (apr_time_now() > ts + apr_time_from_sec(c->state_timeout)) {\n\t\toidc_error(r, \"state has expired\");\n\t\tif ((c->default_sso_url == NULL)\n\t\t\t\t|| (apr_table_get(r->subprocess_env, \"OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT\") != NULL)) {\n\t\t\toidc_util_html_send_error(r, c->error_template, \"Invalid Authentication Response\", apr_psprintf(r->pool, \"This is due to a timeout; please restart your authentication session by re-entering the URL/bookmark you originally wanted to access: %s\", oidc_proto_state_get_original_url(*proto_state)),\n\t\t\t\t\t\t\t\t\t OK);\n\t\t\t/*\n\t\t\t * a hack for Apache 2.4 to prevent it from writing its own 500/400/302 HTML document\n\t\t\t * text by making ap_send_error_response in http_protocol.c return early...\n\t\t\t */\n\t\t\tr->header_only = 1;\n\t\t}\n\t\toidc_proto_state_destroy(*proto_state);\n\t\treturn FALSE;\n\t}\n\n\t/* add the state */\n\toidc_proto_state_set_state(*proto_state, state);\n\n\t/* log the restored state object */\n\toidc_debug(r, \"restored state: %s\",\n\t\t\toidc_proto_state_to_string(r, *proto_state));\n\n\t/* we've made it */\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 265663203337708966367463341989818655024, "size": 
69, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381954 }, { "func": "static apr_byte_t oidc_restore_proto_state(request_rec *r, oidc_cfg *c,\n\t\tconst char *state, oidc_proto_state_t **proto_state) {\n\n\toidc_debug(r, \"enter\");\n\n\tconst char *cookieName = oidc_get_state_cookie_name(r, state);\n\n\t/* clean expired state cookies to avoid pollution */\n\toidc_clean_expired_state_cookies(r, c, cookieName, FALSE);\n\n\t/* get the state cookie value first */\n\tchar *cookieValue = oidc_util_get_cookie(r, cookieName);\n\tif (cookieValue == NULL) {\n\t\toidc_error(r, \"no \\\"%s\\\" state cookie found\", cookieName);\n\t\treturn oidc_unsolicited_proto_state(r, c, state, proto_state);\n\t}\n\n\t/* clear state cookie because we don't need it anymore */\n\toidc_util_set_cookie(r, cookieName, \"\", 0, NULL);\n\n\t*proto_state = oidc_proto_state_from_cookie(r, c, cookieValue);\n\tif (*proto_state == NULL)\n\t\treturn FALSE;\n\n\tconst char *nonce = oidc_proto_state_get_nonce(*proto_state);\n\n\t/* calculate the hash of the browser fingerprint concatenated with the nonce */\n\tchar *calc = oidc_get_browser_state_hash(r, nonce);\n\t/* compare the calculated hash with the value provided in the authorization response */\n\tif (apr_strnatcmp(calc, state) != 0) {\n\t\toidc_error(r,\n\t\t\t\t\"calculated state from cookie does not match state parameter passed back in URL: \\\"%s\\\" != \\\"%s\\\"\",\n\t\t\t\tstate, calc);\n\t\toidc_proto_state_destroy(*proto_state);\n\t\treturn FALSE;\n\t}\n\n\tapr_time_t ts = oidc_proto_state_get_timestamp(*proto_state);\n\n\t/* check that the timestamp is not beyond the valid interval */\n\tif (apr_time_now() > ts + apr_time_from_sec(c->state_timeout)) {\n\t\toidc_error(r, \"state has expired\");\n\t\t/*\n\t\t * note that 
this overrides redirection to the OIDCDefaultURL as done later...\n\t\t * see: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/mod_auth_openidc/L4JFBw-XCNU/BWi2Fmk2AwAJ\n\t\t */\n\t\toidc_util_html_send_error(r, c->error_template,\n\t\t\t\t\"Invalid Authentication Response\",\n\t\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\t\"This is due to a timeout; please restart your authentication session by re-entering the URL/bookmark you originally wanted to access: %s\",\n\t\t\t\t\t\toidc_proto_state_get_original_url(*proto_state)),\n\t\t\t\t\t\tOK);\n\t\toidc_proto_state_destroy(*proto_state);\n\t\treturn FALSE;\n\t}\n\n\t/* add the state */\n\toidc_proto_state_set_state(*proto_state, state);\n\n\t/* log the restored state object */\n\toidc_debug(r, \"restored state: %s\",\n\t\t\toidc_proto_state_to_string(r, *proto_state));\n\n\t/* we've made it */\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 255467386584813288181215554891852924177, "size": 66, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447714 }, { "func": "static int scan_for_signature(struct archive_read* a) {\n\tconst uint8_t* p;\n\tconst int chunk_size = 512;\n\tssize_t i;\n\n\t/* If we're here, it means we're on an 'unknown territory' data.\n\t * There's no indication what kind of data we're reading here.\n\t * It could be some text comment, any kind of binary data,\n\t * digital sign, dragons, etc.\n\t *\n\t * We want to find a valid RARv5 magic header inside this unknown\n\t * data. */\n\n\t/* Is it possible in libarchive to just skip everything until the\n\t * end of the file? If so, it would be a better approach than the\n\t * current implementation of this function. 
*/\n\n\twhile(1) {\n\t\tif(!read_ahead(a, chunk_size, &p))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\tfor(i = 0; i < chunk_size - rar5_signature_size; i++) {\n\t\t\tif(memcmp(&p[i], rar5_signature,\n\t\t\t rar5_signature_size) == 0) {\n\t\t\t\t/* Consume the number of bytes we've used to\n\t\t\t\t * search for the signature, as well as the\n\t\t\t\t * number of bytes used by the signature\n\t\t\t\t * itself. After this we should be standing\n\t\t\t\t * on a valid base block header. */\n\t\t\t\t(void) consume(a, i + rar5_signature_size);\n\t\t\t\treturn ARCHIVE_OK;\n\t\t\t}\n\t\t}\n\n\t\tconsume(a, chunk_size);\n\t}\n\n\treturn ARCHIVE_FATAL;\n}", "project": "libarchive", "hash": 270346685690127523994876136482080848629, "size": 39, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244747 }, { "func": "static apr_table_t* oidc_request_state(request_rec *rr) {\n\n\t/* our state is always stored in the main request */\n\trequest_rec *r = (rr->main != NULL) ? 
rr->main : rr;\n\n\t/* our state is a table, get it */\n\tapr_table_t *state = NULL;\n\tapr_pool_userdata_get((void**) &state, OIDC_USERDATA_KEY, r->pool);\n\n\t/* if it does not exist, we'll create a new table */\n\tif (state == NULL) {\n\t\tstate = apr_table_make(r->pool, 5);\n\t\tapr_pool_userdata_set(state, OIDC_USERDATA_KEY, NULL, r->pool);\n\t}\n\n\t/* return the resulting table, always non-null now */\n\treturn state;\n}", "project": "mod_auth_openidc", "hash": 18231092597549314161177842377723809063, "size": 18, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381936 }, { "func": "static int stgi_interception(struct vcpu_svm *svm)\n{\n\tint ret;\n\n\tif (nested_svm_check_permissions(svm))\n\t\treturn 1;\n\n\t/*\n\t * If VGIF is enabled, the STGI intercept is only added to\n\t * detect the opening of the SMI/NMI window; remove it now.\n\t */\n\tif (vgif_enabled(svm))\n\t\tclr_intercept(svm, INTERCEPT_STGI);\n\n\tret = kvm_skip_emulated_instruction(&svm->vcpu);\n\tkvm_make_request(KVM_REQ_EVENT, &svm->vcpu);\n\n\tenable_gif(svm);\n\n\treturn ret;\n}", "project": "linux", "hash": 169659888286032379050918017720940129854, "size": 21, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432488 }, { "func": "static int stgi_interception(struct vcpu_svm *svm)\n{\n\tif (nested_svm_check_permissions(svm))\n\t\treturn 1;\n\n\tsvm->next_rip = kvm_rip_read(&svm->vcpu) + 3;\n\tskip_emulated_instruction(&svm->vcpu);\n\tkvm_make_request(KVM_REQ_EVENT, &svm->vcpu);\n\n\tenable_gif(svm);\n\n\treturn 1;\n}", "project": "kvm", "hash": 217001727991052682506827222480417790772, "size": 13, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437582 }, { "func": "void mouse_report(struct tty_struct *tty, int butt, int mrx, int mry)\n{\n\tchar buf[8];\n\n\tsprintf(buf, \"\\033[M%c%c%c\", (char)(' ' + butt), (char)('!' + mrx),\n\t\t(char)('!' + mry));\n\trespond_string(buf, tty->port);\n}", "project": "linux", "hash": 186598793206513382385587447530059484642, "size": 8, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437039 }, { "func": "static int oidc_authorization_response_error(request_rec *r, oidc_cfg *c,\n\t\toidc_proto_state_t *proto_state, const char *error,\n\t\tconst char *error_description) {\n\tconst char *prompt = oidc_proto_state_get_prompt(proto_state);\n\tif (prompt != NULL)\n\t\tprompt = apr_pstrdup(r->pool, prompt);\n\toidc_proto_state_destroy(proto_state);\n\tif ((prompt != NULL)\n\t\t\t&& (apr_strnatcmp(prompt, OIDC_PROTO_PROMPT_NONE) == 0)) {\n\t\treturn oidc_session_redirect_parent_window_to_logout(r, c);\n\t}\n\treturn oidc_util_html_send_error(r, c->error_template,\n\t\t\tapr_psprintf(r->pool, \"OpenID Connect Provider error: %s\", error),\n\t\t\terror_description, OK);\n}", "project": "mod_auth_openidc", "hash": 254991178855608384824179974986646877708, "size": 15, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381904 }, { "func": "void lj_debug_shortname(char *out, GCstr *str)\n{\n const char *src = strdata(str);\n if (*src == '=') {\n strncpy(out, src+1, LUA_IDSIZE); /* Remove first char. */\n out[LUA_IDSIZE-1] = '\\0'; /* Ensures null termination. */\n } else if (*src == '@') { /* Output \"source\", or \"...source\". */\n size_t len = str->len-1;\n src++; /* Skip the `@' */\n if (len >= LUA_IDSIZE) {\n src += len-(LUA_IDSIZE-4); /* Get last part of file name. */\n *out++ = '.'; *out++ = '.'; *out++ = '.';\n }\n strcpy(out, src);\n } else { /* Output [string \"string\"]. */\n size_t len; /* Length, up to first control char. 
*/\n for (len = 0; len < LUA_IDSIZE-12; len++)\n if (((const unsigned char *)src)[len] < ' ') break;\n strcpy(out, \"[string \\\"\"); out += 9;\n if (src[len] != '\\0') { /* Must truncate? */\n if (len > LUA_IDSIZE-15) len = LUA_IDSIZE-15;\n strncpy(out, src, len); out += len;\n strcpy(out, \"...\"); out += 3;\n } else {\n strcpy(out, src); out += len;\n }\n strcpy(out, \"\\\"]\");\n }\n}", "project": "LuaJIT", "hash": 115096193067808233244613490388176537364, "size": 29, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394634 }, { "func": "static int tty_tiocsserial(struct tty_struct *tty, struct serial_struct __user *ss)\n{\n\tstatic DEFINE_RATELIMIT_STATE(depr_flags,\n\t\t\tDEFAULT_RATELIMIT_INTERVAL,\n\t\t\tDEFAULT_RATELIMIT_BURST);\n\tchar comm[TASK_COMM_LEN];\n\tstruct serial_struct v;\n\tint flags;\n\n\tif (copy_from_user(&v, ss, sizeof(*ss)))\n\t\treturn -EFAULT;\n\n\tflags = v.flags & ASYNC_DEPRECATED;\n\n\tif (flags && __ratelimit(&depr_flags))\n\t\tpr_warn(\"%s: '%s' is using deprecated serial flags (with no effect): %.8x\\n\",\n\t\t\t__func__, get_task_comm(comm, current), flags);\n\tif (!tty->ops->set_serial)\n\t\treturn -ENOTTY;\n\treturn tty->ops->set_serial(tty, &v);\n}", "project": "linux", "hash": 214814857748421118946692304437690642775, "size": 21, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. 
(Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326058 }, { "func": "static inline int ealg_tmpl_set(const struct xfrm_tmpl *t,\n\t\t\t\tconst struct xfrm_algo_desc *d)\n{\n\tunsigned int id = d->desc.sadb_alg_id;\n\n\tif (id >= sizeof(t->ealgos) * 8)\n\t\treturn 0;\n\n\treturn (t->ealgos >> id) & 1;\n}", "project": "linux", "hash": 183685097613742130846759622959122065561, "size": 10, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268013 }, { "func": "static int tcp_any_retrans_done(const struct sock *sk)\n{\n\tconst struct tcp_sock *tp = tcp_sk(sk);\n\tstruct sk_buff *skb;\n\n\tif (tp->retrans_out)\n\t\treturn 1;\n\n\tskb = tcp_write_queue_head(sk);\n\tif (unlikely(skb && TCP_SKB_CB(skb)->sacked & TCPCB_EVER_RETRANS))\n\t\treturn 1;\n\n\treturn 0;\n}", "project": "net-next", "hash": 195418189229791648034085855096660421724, "size": 14, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409897 }, { "func": " bool is_null() { return !has_value(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 45352129457236239730404806117480142250, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508971 }, { "func": " bool is_null()\n {\n if (check_null_ref())\n return 1;\n else\n return Item_direct_ref::is_null();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 289760834432555823495097257563525480427, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509246 }, { "func": " bool is_null()\n { return is_null_from_temporal(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 186845362865703921934592239222597208913, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509397 }, { "func": "static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req)\n{\n\tchar * randfile = NULL;\n\tint egdsocket, seeded;\n\tEVP_PKEY * return_val = NULL;\n\n\tif (req->priv_key_bits < MIN_KEY_LENGTH) {\n\t\tphp_error_docref(NULL, E_WARNING, \"private key length is too short; it needs to be at least %d bits, not %d\",\n\t\t\t\tMIN_KEY_LENGTH, req->priv_key_bits);\n\t\treturn NULL;\n\t}\n\n\trandfile = CONF_get_string(req->req_config, req->section_name, \"RANDFILE\");\n\tif (randfile == NULL) {\n\t\tphp_openssl_store_errors();\n\t}\n\tphp_openssl_load_rand_file(randfile, &egdsocket, &seeded);\n\n\tif ((req->priv_key = EVP_PKEY_new()) != NULL) {\n\t\tswitch(req->priv_key_type) {\n\t\t\tcase OPENSSL_KEYTYPE_RSA:\n\t\t\t\t{\n\t\t\t\t\tRSA* rsaparam;\n#if OPENSSL_VERSION_NUMBER < 0x10002000L\n\t\t\t\t\t/* OpenSSL 1.0.2 deprecates RSA_generate_key */\n\t\t\t\t\tPHP_OPENSSL_RAND_ADD_TIME();\n\t\t\t\t\trsaparam = (RSA*)RSA_generate_key(req->priv_key_bits, RSA_F4, NULL, NULL);\n#else\n\t\t\t\t\t{\n\t\t\t\t\t\tBIGNUM *bne = (BIGNUM *)BN_new();\n\t\t\t\t\t\tif (BN_set_word(bne, RSA_F4) != 1) {\n\t\t\t\t\t\t\tBN_free(bne);\n\t\t\t\t\t\t\tphp_error_docref(NULL, E_WARNING, \"failed setting exponent\");\n\t\t\t\t\t\t\treturn NULL;\n\t\t\t\t\t\t}\n\t\t\t\t\t\trsaparam = RSA_new();\n\t\t\t\t\t\tPHP_OPENSSL_RAND_ADD_TIME();\n\t\t\t\t\t\tif (rsaparam == NULL || !RSA_generate_key_ex(rsaparam, req->priv_key_bits, bne, NULL)) {\n\t\t\t\t\t\t\tphp_openssl_store_errors();\n\t\t\t\t\t\t}\n\t\t\t\t\t\tBN_free(bne);\n\t\t\t\t\t}\n#endif\n\t\t\t\t\tif (rsaparam && EVP_PKEY_assign_RSA(req->priv_key, rsaparam)) {\n\t\t\t\t\t\treturn_val = req->priv_key;\n\t\t\t\t\t} else {\n\t\t\t\t\t\tphp_openssl_store_errors();\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n#if !defined(NO_DSA)\n\t\t\tcase 
OPENSSL_KEYTYPE_DSA:\n\t\t\t\tPHP_OPENSSL_RAND_ADD_TIME();\n\t\t\t\t{\n\t\t\t\t\tDSA *dsaparam = DSA_new();\n\t\t\t\t\tif (dsaparam && DSA_generate_parameters_ex(dsaparam, req->priv_key_bits, NULL, 0, NULL, NULL, NULL)) {\n\t\t\t\t\t\tDSA_set_method(dsaparam, DSA_get_default_method());\n\t\t\t\t\t\tif (DSA_generate_key(dsaparam)) {\n\t\t\t\t\t\t\tif (EVP_PKEY_assign_DSA(req->priv_key, dsaparam)) {\n\t\t\t\t\t\t\t\treturn_val = req->priv_key;\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tphp_openssl_store_errors();\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tphp_openssl_store_errors();\n\t\t\t\t\t\t\tDSA_free(dsaparam);\n\t\t\t\t\t\t}\n\t\t\t\t\t} else {\n\t\t\t\t\t\tphp_openssl_store_errors();\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n#endif\n#if !defined(NO_DH)\n\t\t\tcase OPENSSL_KEYTYPE_DH:\n\t\t\t\tPHP_OPENSSL_RAND_ADD_TIME();\n\t\t\t\t{\n\t\t\t\t\tint codes = 0;\n\t\t\t\t\tDH *dhparam = DH_new();\n\t\t\t\t\tif (dhparam && DH_generate_parameters_ex(dhparam, req->priv_key_bits, 2, NULL)) {\n\t\t\t\t\t\tDH_set_method(dhparam, DH_get_default_method());\n\t\t\t\t\t\tif (DH_check(dhparam, &codes) && codes == 0 && DH_generate_key(dhparam)) {\n\t\t\t\t\t\t\tif (EVP_PKEY_assign_DH(req->priv_key, dhparam)) {\n\t\t\t\t\t\t\t\treturn_val = req->priv_key;\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tphp_openssl_store_errors();\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tphp_openssl_store_errors();\n\t\t\t\t\t\t\tDH_free(dhparam);\n\t\t\t\t\t\t}\n\t\t\t\t\t} else {\n\t\t\t\t\t\tphp_openssl_store_errors();\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n#endif\n#ifdef HAVE_EVP_PKEY_EC\n\t\t\tcase OPENSSL_KEYTYPE_EC:\n\t\t\t\t{\n\t\t\t\t\tEC_KEY *eckey;\n\t\t\t\t\tif (req->curve_name == NID_undef) {\n\t\t\t\t\t\tphp_error_docref(NULL, E_WARNING, \"Missing configuration value: 'curve_name' not set\");\n\t\t\t\t\t\treturn NULL;\n\t\t\t\t\t}\n\t\t\t\t\teckey = EC_KEY_new_by_curve_name(req->curve_name);\n\t\t\t\t\tif (eckey) {\n\t\t\t\t\t\tEC_KEY_set_asn1_flag(eckey, 
OPENSSL_EC_NAMED_CURVE);\n\t\t\t\t\t\tif (EC_KEY_generate_key(eckey) &&\n\t\t\t\t\t\t\tEVP_PKEY_assign_EC_KEY(req->priv_key, eckey)) {\n\t\t\t\t\t\t\treturn_val = req->priv_key;\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tEC_KEY_free(eckey);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n#endif\n\t\t\tdefault:\n\t\t\t\tphp_error_docref(NULL, E_WARNING, \"Unsupported private key type\");\n\t\t}\n\t} else {\n\t\tphp_openssl_store_errors();\n\t}\n\n\tphp_openssl_write_rand_file(randfile, egdsocket, seeded);\n\n\tif (return_val == NULL) {\n\t\tEVP_PKEY_free(req->priv_key);\n\t\treq->priv_key = NULL;\n\t\treturn NULL;\n\t}\n\n\treturn return_val;\n}", "project": "php-src", "hash": 265322319349174462525852417601685335334, "size": 135, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291445 }, { "func": "static inline void req_ref_put(struct io_kiocb *req)\n{\n\tWARN_ON_ONCE(req_ref_put_and_test(req));\n}", "project": "linux", "hash": 89332275964751398515259243638552709810, "size": 4, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338556 }, { "func": "void rec_do(struct Curl_easy *data, int option)\n{\n struct TELNET *tn = data->req.p.telnet;\n switch(tn->us[option]) {\n case CURL_NO:\n if(tn->us_preferred[option] == CURL_YES) {\n tn->us[option] = CURL_YES;\n send_negotiation(data, CURL_WILL, option);\n if(tn->subnegotiation[option] == CURL_YES)\n /* transmission of data option */\n sendsuboption(data, option);\n }\n else if(tn->subnegotiation[option] == CURL_YES) {\n /* send information to achieve this option*/\n tn->us[option] = CURL_YES;\n send_negotiation(data, CURL_WILL, option);\n sendsuboption(data, option);\n }\n else\n send_negotiation(data, CURL_WONT, option);\n break;\n\n case CURL_YES:\n /* Already enabled */\n break;\n\n case CURL_WANTNO:\n switch(tn->usq[option]) {\n case CURL_EMPTY:\n /* Error: DONT answered by WILL */\n tn->us[option] = CURL_NO;\n break;\n case CURL_OPPOSITE:\n /* Error: DONT answered by WILL */\n tn->us[option] = CURL_YES;\n tn->usq[option] = CURL_EMPTY;\n break;\n }\n break;\n\n case CURL_WANTYES:\n switch(tn->usq[option]) {\n case CURL_EMPTY:\n tn->us[option] = CURL_YES;\n if(tn->subnegotiation[option] == CURL_YES) {\n /* transmission of data option */\n sendsuboption(data, option);\n }\n break;\n case CURL_OPPOSITE:\n tn->us[option] = CURL_WANTNO;\n tn->himq[option] = CURL_EMPTY;\n send_negotiation(data, CURL_WONT, option);\n break;\n }\n 
break;\n }\n}", "project": "curl", "hash": 44974819137424666812350424320645111513, "size": 58, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 0, "dataset": "other", "idx": 481502 }, { "func": "static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tu8 status = *((u8 *) skb->data);\n\tstruct hci_cp_write_page_scan_activity *sent;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);\n\tif (!sent)\n\t\treturn;\n\n\thdev->page_scan_interval = __le16_to_cpu(sent->interval);\n\thdev->page_scan_window = __le16_to_cpu(sent->window);\n}", "project": "linux", "hash": 283116893238049520626768597303670714246, "size": 18, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431989 }, { "func": "static void intercept_id3(struct playlist *pls, uint8_t *buf,\n int buf_size, int *len)\n{\n /* intercept id3 tags, we do not want to pass them to the raw\n * demuxer on all segment switches */\n int bytes;\n int id3_buf_pos = 0;\n int fill_buf = 0;\n struct segment *seg = current_segment(pls);\n\n /* gather all the id3 tags */\n while (1) {\n /* see if we can retrieve enough data for ID3 header */\n if (*len < ID3v2_HEADER_SIZE && buf_size >= ID3v2_HEADER_SIZE) {\n bytes = read_from_url(pls, seg, buf + *len, ID3v2_HEADER_SIZE - *len, READ_COMPLETE);\n if (bytes > 0) {\n\n if (bytes == ID3v2_HEADER_SIZE - *len)\n /* no EOF yet, so fill the caller buffer again after\n * we have stripped the ID3 tags */\n fill_buf = 1;\n\n *len += bytes;\n\n } else if (*len <= 0) {\n /* error/EOF */\n *len = bytes;\n fill_buf = 0;\n }\n }\n\n if (*len < ID3v2_HEADER_SIZE)\n break;\n\n if (ff_id3v2_match(buf, ID3v2_DEFAULT_MAGIC)) {\n int64_t maxsize = seg->size >= 0 ? 
seg->size : 1024*1024;\n int taglen = ff_id3v2_tag_len(buf);\n int tag_got_bytes = FFMIN(taglen, *len);\n int remaining = taglen - tag_got_bytes;\n\n if (taglen > maxsize) {\n av_log(pls->ctx, AV_LOG_ERROR, \"Too large HLS ID3 tag (%d > %\"PRId64\" bytes)\\n\",\n taglen, maxsize);\n break;\n }\n\n /*\n * Copy the id3 tag to our temporary id3 buffer.\n * We could read a small id3 tag directly without memcpy, but\n * we would still need to copy the large tags, and handling\n * both of those cases together with the possibility for multiple\n * tags would make the handling a bit complex.\n */\n pls->id3_buf = av_fast_realloc(pls->id3_buf, &pls->id3_buf_size, id3_buf_pos + taglen);\n if (!pls->id3_buf)\n break;\n memcpy(pls->id3_buf + id3_buf_pos, buf, tag_got_bytes);\n id3_buf_pos += tag_got_bytes;\n\n /* strip the intercepted bytes */\n *len -= tag_got_bytes;\n memmove(buf, buf + tag_got_bytes, *len);\n av_log(pls->ctx, AV_LOG_DEBUG, \"Stripped %d HLS ID3 bytes\\n\", tag_got_bytes);\n\n if (remaining > 0) {\n /* read the rest of the tag in */\n if (read_from_url(pls, seg, pls->id3_buf + id3_buf_pos, remaining, READ_COMPLETE) != remaining)\n break;\n id3_buf_pos += remaining;\n av_log(pls->ctx, AV_LOG_DEBUG, \"Stripped additional %d HLS ID3 bytes\\n\", remaining);\n }\n\n } else {\n /* no more ID3 tags */\n break;\n }\n }\n\n /* re-fill buffer for the caller unless EOF */\n if (*len >= 0 && (fill_buf || *len == 0)) {\n bytes = read_from_url(pls, seg, buf + *len, buf_size - *len, READ_NORMAL);\n\n /* ignore error if we already had some data */\n if (bytes >= 0)\n *len += bytes;\n else if (*len == 0)\n *len = bytes;\n }\n\n if (pls->id3_buf) {\n /* Now parse all the ID3 tags */\n AVIOContext id3ioctx;\n ffio_init_context(&id3ioctx, pls->id3_buf, id3_buf_pos, 0, NULL, NULL, NULL, NULL);\n handle_id3(&id3ioctx, pls);\n }\n\n if (pls->is_id3_timestamped == -1)\n pls->is_id3_timestamped = (pls->id3_mpegts_timestamp != AV_NOPTS_VALUE);\n}", "project": "FFmpeg", "hash": 
193447188470146136548993299212232044125, "size": 99, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270461 }, { "func": " * This can be called from a LLD or iscsi_transport.\n */\nstruct iscsi_cls_session *\niscsi_create_session(struct Scsi_Host *shost, struct iscsi_transport *transport,\n\t\t int dd_size, unsigned int target_id)\n{\n\tstruct iscsi_cls_session *session;\n\n\tsession = iscsi_alloc_session(shost, transport, dd_size);\n\tif (!session)\n\t\treturn NULL;\n\n\tif (iscsi_add_session(session, target_id)) {\n\t\tiscsi_free_session(session);\n\t\treturn NULL;", "project": "linux", "hash": 81374295067688653320379281528540325463, "size": 15, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379969 }, { "func": "bool VariableUnserializer::matchString(folly::StringPiece str) {\n const char* p = m_buf;\n assertx(p <= m_end);\n int total = 0;\n if (*p == 'S') {\n total = 2 + 8 + 1;\n if (p + total > m_end) return false;\n p++;\n if (*p++ != ':') return false;\n auto const sd = *reinterpret_cast(p);\n assertx(sd->isStatic());\n if (str.compare(sd->slice()) != 0) return false;\n p += size_t(8);\n } else {\n const auto ss = str.size();\n if (ss >= 100) return false;\n int digits = ss >= 10 ? 2 : 1;\n total = 2 + digits + 2 + ss + 2;\n if (p + total > m_end) return false;\n if (*p++ != 's') return false;\n if (*p++ != ':') return false;\n if (digits == 2) {\n if (*p++ != '0' + ss/10) return false;\n if (*p++ != '0' + ss%10) return false;\n } else {\n if (*p++ != '0' + ss) return false;\n }\n if (*p++ != ':') return false;\n if (*p++ != '\\\"') return false;\n if (memcmp(p, str.data(), ss)) return false;\n p += ss;\n if (*p++ != '\\\"') return false;\n }\n if (*p++ != ';') return false;\n assertx(m_buf + total == p);\n m_buf = p;\n return true;\n}", "project": "hhvm", "hash": 18482593263502058733305746330590066804, "size": 38, "commit_id": "1107228a5128d3ca1c4add8ac1635d933cbbe2e9", "message": "CVE-2020-1899\n\nVariableUnserializer should only recognize type 'S' in APCSerialization mode", "target": 1, "dataset": "other", "idx": 195270 }, { "func": "static __always_inline void *slab_alloc(struct kmem_cache *s,\n\t\tgfp_t gfpflags, unsigned long addr)\n{\n\treturn slab_alloc_node(s, gfpflags, NUMA_NO_NODE, addr);\n}", "project": "linux", "hash": 293131120889911812069552886005952060649, "size": 5, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call 
___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280063 }, { "func": "static int parse_filter_data(struct rar5* rar, const uint8_t* p,\n uint32_t* filter_data)\n{\n\tint i, bytes;\n\tuint32_t data = 0;\n\n\tif(ARCHIVE_OK != read_consume_bits(rar, p, 2, &bytes))\n\t\treturn ARCHIVE_EOF;\n\n\tbytes++;\n\n\tfor(i = 0; i < bytes; i++) {\n\t\tuint16_t byte;\n\n\t\tif(ARCHIVE_OK != read_bits_16(rar, p, &byte)) {\n\t\t\treturn ARCHIVE_EOF;\n\t\t}\n\n\t\t/* Cast to uint32_t will ensure the shift operation will not\n\t\t * produce undefined result. */\n\t\tdata += ((uint32_t) byte >> 8) << (i * 8);\n\t\tskip_bits(rar, 8);\n\t}\n\n\t*filter_data = data;\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 183082654846615714797292303990656038577, "size": 27, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244760 }, { "func": "static inline void enable_gif(struct vcpu_svm *svm)\n{\n\tif (vgif_enabled(svm))\n\t\tsvm->vmcb->control.int_ctl |= V_GIF_MASK;\n\telse\n\t\tsvm->vcpu.arch.hflags |= HF_GIF_MASK;\n}", "project": "linux", "hash": 161974289249821290534631738577700707690, "size": 7, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432643 }, { "func": "static inline void enable_gif(struct vcpu_svm *svm)\n{\n\tsvm->vcpu.arch.hflags |= HF_GIF_MASK;\n}", "project": "kvm", "hash": 291519245352742858233031554350929509944, "size": 4, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). 
However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437576 }, { "func": "static void sca_del_vcpu(struct kvm_vcpu *vcpu)\n{\n\tif (!kvm_s390_use_sca_entries())\n\t\treturn;\n\tread_lock(&vcpu->kvm->arch.sca_lock);\n\tif (vcpu->kvm->arch.use_esca) {\n\t\tstruct esca_block *sca = vcpu->kvm->arch.sca;\n\n\t\tclear_bit_inv(vcpu->vcpu_id, (unsigned long *) sca->mcn);\n\t\tsca->cpu[vcpu->vcpu_id].sda = 0;\n\t} else {\n\t\tstruct bsca_block *sca = vcpu->kvm->arch.sca;\n\n\t\tclear_bit_inv(vcpu->vcpu_id, (unsigned long *) &sca->mcn);\n\t\tsca->cpu[vcpu->vcpu_id].sda = 
0;\n\t}\n\tread_unlock(&vcpu->kvm->arch.sca_lock);\n}", "project": "linux", "hash": 150003164932120798886274632485438889685, "size": 18, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354447 }, { "func": "static inline bool avic_vcpu_is_running(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tu64 *entry = svm->avic_physical_id_cache;\n\n\tif (!entry)\n\t\treturn false;\n\n\treturn (READ_ONCE(*entry) & AVIC_PHYSICAL_ID_ENTRY_IS_RUNNING_MASK);\n}", "project": "linux", "hash": 180718785648433374340444404122922651300, "size": 10, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432402 }, { "func": "static void svm_handle_mce(struct vcpu_svm *svm)\n{\n\tif (is_erratum_383()) {\n\t\t/*\n\t\t * Erratum 383 triggered. 
Guest state is corrupt so kill the\n\t\t * guest.\n\t\t */\n\t\tpr_err(\"KVM: Guest triggered AMD Erratum 383\\n\");\n\n\t\tkvm_make_request(KVM_REQ_TRIPLE_FAULT, &svm->vcpu);\n\n\t\treturn;\n\t}\n\n\t/*\n\t * On an #MC intercept the MCE handler is not called automatically in\n\t * the host. So do it by hand here.\n\t */\n\tasm volatile (\n\t\t\"int $0x12\\n\");\n\t/* not sure if we ever come back to this point */\n\n\treturn;\n}", "project": "linux", "hash": 61362813363014654871030533010275884565, "size": 24, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432412 }, { "func": "bool CLua::callfn(const char *fn, const char *params, ...)\n{\n error.clear();\n lua_State *ls = state();\n if (!ls)\n return false;\n\n pushglobal(fn);\n if (!lua_isfunction(ls, -1))\n {\n lua_pop(ls, 1);\n return false;\n }\n\n va_list args;\n va_list fnret;\n va_start(args, params);\n bool ret = calltopfn(ls, params, args, -1, &fnret);\n if (ret)\n {\n // If we have a > in format, gather return params now.\n if (proc_returns(params))\n vfnreturns(params, fnret);\n }\n va_end(args);\n va_end(fnret);\n return ret;\n}", "project": "crawl", "hash": 98618206300929099991915666637428350331, "size": 28, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230464 }, { "func": "bool CLua::callfn(const char *fn, int nargs, int nret)\n{\n error.clear();\n lua_State *ls = state();\n if (!ls)\n return false;\n\n // If a function is not provided on the stack, get the named function.\n if (fn)\n {\n 
pushglobal(fn);\n if (!lua_isfunction(ls, -1))\n {\n lua_settop(ls, -nargs - 2);\n return false;\n }\n\n // Slide the function in front of its args and call it.\n if (nargs)\n lua_insert(ls, -nargs - 1);\n }\n\n lua_call_throttle strangler(this);\n int err = lua_pcall(ls, nargs, nret, 0);\n set_error(err, ls);\n return !err;\n}", "project": "crawl", "hash": 158141806482956144555803444510736070335, "size": 27, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230531 }, { "func": "int rfbSendNewScaleSize(rfbClientPtr cl)\n{\n /* if the client supports newFBsize Encoding, use it */\n if (cl->useNewFBSize && cl->newFBSizePending)\n\treturn FALSE;\n\n LOCK(cl->updateMutex);\n cl->newFBSizePending = FALSE;\n UNLOCK(cl->updateMutex);\n\n if (cl->PalmVNC==TRUE)\n {\n rfbPalmVNCReSizeFrameBufferMsg pmsg;\n pmsg.type = rfbPalmVNCReSizeFrameBuffer;\n pmsg.pad1 = 0;\n pmsg.desktop_w = Swap16IfLE(cl->screen->width);\n pmsg.desktop_h = Swap16IfLE(cl->screen->height);\n pmsg.buffer_w = Swap16IfLE(cl->scaledScreen->width);\n pmsg.buffer_h = Swap16IfLE(cl->scaledScreen->height);\n pmsg.pad2 = 0;\n\n rfbLog(\"Sending a response to a PalmVNC style frameuffer resize event (%dx%d)\\n\", cl->scaledScreen->width, cl->scaledScreen->height);\n if (rfbWriteExact(cl, (char *)&pmsg, sz_rfbPalmVNCReSizeFrameBufferMsg) < 0) {\n rfbLogPerror(\"rfbNewClient: write\");\n rfbCloseClient(cl);\n return FALSE;\n }\n }\n else\n {\n rfbResizeFrameBufferMsg rmsg;\n rmsg.type = rfbResizeFrameBuffer;\n rmsg.pad1=0;\n rmsg.framebufferWidth = Swap16IfLE(cl->scaledScreen->width);\n rmsg.framebufferHeigth = Swap16IfLE(cl->scaledScreen->height);\n rfbLog(\"Sending a response to a UltraVNC style frameuffer resize event (%dx%d)\\n\", cl->scaledScreen->width, cl->scaledScreen->height);\n if (rfbWriteExact(cl, (char *)&rmsg, sz_rfbResizeFrameBufferMsg) < 0) {\n rfbLogPerror(\"rfbNewClient: write\");\n rfbCloseClient(cl);\n 
return FALSE;\n }\n }\n return TRUE;\n}", "project": "libvncserver", "hash": 309026005079056882903298344906182205878, "size": 44, "commit_id": "a6788d1da719ae006605b78d22f5a9f170b423af", "message": "libvncserver: scale: cast to 64 bit before shifting\n\nSince pixel_value is 64 bit the data type of the shift operand should\nbe 64 bit too to prevent integer overflows.", "target": 0, "dataset": "other", "idx": 296801 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "uint32 SoftwareFrameManager::GetCurrentFrameOutputSurfaceId() const {\n DCHECK(HasCurrentFrame());\n return current_frame_->output_surface_id_;\n}\n", "cwe": "", "big_vul_idx": 129967, "idx": 179014, "hash": 86723691186133072904340592052386045781 }, { "func": "static void penalty_pc(jit_State *J, GCproto *pt, BCIns *pc, TraceError e)\n{\n uint32_t i, val = PENALTY_MIN;\n for (i = 0; i < PENALTY_SLOTS; i++)\n if (mref(J->penalty[i].pc, const BCIns) == pc) { /* Cache slot found? */\n /* First try to bump its hotcount several times. */\n val = ((uint32_t)J->penalty[i].val << 1) +\n\t LJ_PRNG_BITS(J, PENALTY_RNDBITS);\n if (val > PENALTY_MAX) {\n\tblacklist_pc(pt, pc); /* Blacklist it, if that didn't help. */\n\treturn;\n }\n goto setpenalty;\n }\n /* Assign a new penalty cache slot. 
*/\n i = J->penaltyslot;\n J->penaltyslot = (J->penaltyslot + 1) & (PENALTY_SLOTS-1);\n setmref(J->penalty[i].pc, pc);\nsetpenalty:\n J->penalty[i].val = (uint16_t)val;\n J->penalty[i].reason = e;\n hotcount_set(J2GG(J), pc+1, val);\n}", "project": "LuaJIT", "hash": 304595508913237748470326384168271105814, "size": 23, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394657 }, { "func": "static int x25_wait_for_data(struct sock *sk, long timeout)\n{\n\tDECLARE_WAITQUEUE(wait, current);\n\tint rc = 0;\n\n\tadd_wait_queue_exclusive(sk_sleep(sk), &wait);\n\tfor (;;) {\n\t\t__set_current_state(TASK_INTERRUPTIBLE);\n\t\tif (sk->sk_shutdown & RCV_SHUTDOWN)\n\t\t\tbreak;\n\t\trc = -ERESTARTSYS;\n\t\tif (signal_pending(current))\n\t\t\tbreak;\n\t\trc = -EAGAIN;\n\t\tif (!timeout)\n\t\t\tbreak;\n\t\trc = 0;\n\t\tif (skb_queue_empty(&sk->sk_receive_queue)) {\n\t\t\trelease_sock(sk);\n\t\t\ttimeout = schedule_timeout(timeout);\n\t\t\tlock_sock(sk);\n\t\t} else\n\t\t\tbreak;\n\t}\n\t__set_current_state(TASK_RUNNING);\n\tremove_wait_queue(sk_sleep(sk), &wait);\n\treturn rc;\n}", "project": "net", "hash": 214190402191886245105959338173692448405, "size": 28, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... 
| x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449162 }, { "func": "static void help(u_int long_help) {\n printf(\"Welcome to nDPI %s\\n\\n\", ndpi_revision());\n\n printf(\"ndpiReader \"\n#ifndef USE_DPDK\n\t \"-i \"\n#endif\n\t \"[-f ][-s ][-m ]\\n\"\n\t \" [-p ][-l [-q][-d][-J][-h][-e ][-t][-v ]\\n\"\n\t \" [-n ][-w ][-c ][-C ][-j ][-x ]\\n\"\n\t \" [-T ][-U ]\\n\\n\"\n\t \"Usage:\\n\"\n\t \" -i | Specify a pcap file/playlist to read packets from or a\\n\"\n\t \" | device for live capture (comma-separated list)\\n\"\n\t \" -f | Specify a BPF filter for filtering selected traffic\\n\"\n\t \" -s | Maximum capture duration in seconds (live traffic capture only)\\n\"\n\t \" -m | Split analysis duration in max seconds\\n\"\n\t \" -p .protos | Specify a protocol file (eg. protos.txt)\\n\"\n\t \" -l | Number of detection loops (test only)\\n\"\n\t \" -n | Number of threads. Default: number of interfaces in -i.\\n\"\n\t \" | Ignored with pcap files.\\n\"\n#ifdef linux\n \" -g | Thread affinity mask (one core id per thread)\\n\"\n#endif\n\t \" -d | Disable protocol guess and use only DPI\\n\"\n\t \" -e | Min human readeable string match len. Default %u\\n\"\n\t \" -q | Quiet mode\\n\"\n\t \" -J | Display flow SPLT (sequence of packet length and time)\\n\"\n\t \" | and BD (byte distribution). 
See https://github.com/cisco/joy\\n\"\n\t \" -t | Dissect GTP/TZSP tunnels\\n\"\n\t \" -P :::: | Enable payload analysis:\\n\"\n\t \" | = min pattern len to search\\n\"\n\t \" | = max pattern len to search\\n\"\n\t \" | = max num packets per flow\\n\"\n\t \" | = max packet payload dissection\\n\"\n\t \" | = max num reported payloads\\n\"\n\t \" | Default: %u:%u:%u:%u:%u\\n\"\n\t \" -r | Print nDPI version and git revision\\n\"\n\t \" -c | Load custom categories from the specified file\\n\"\n\t \" -C | Write output in CSV format on the specified file\\n\"\n\t \" -w | Write test output on the specified file. This is useful for\\n\"\n\t \" | testing purposes in order to compare results across runs\\n\"\n\t \" -h | This help\\n\"\n\t \" -v <1|2|3> | Verbose 'unknown protocol' packet print.\\n\"\n\t \" | 1 = verbose\\n\"\n\t \" | 2 = very verbose\\n\"\n\t \" | 3 = port stats\\n\"\n\t \" -V <1-4> | nDPI logging level\\n\"\n\t \" | 1 - trace, 2 - debug, 3 - full debug\\n\"\n\t \" | >3 - full debug + dbg_proto = all\\n\"\n\t \" -T | Max number of TCP processed packets before giving up [default: %u]\\n\"\n\t \" -U | Max number of UDP processed packets before giving up [default: %u]\\n\"\n\t ,\n\t human_readeable_string_len,\n\t min_pattern_len, max_pattern_len, max_num_packets_per_flow, max_packet_payload_dissection,\n\t max_num_reported_top_payloads, max_num_tcp_dissected_pkts, max_num_udp_dissected_pkts);\n\n#ifndef WIN32\n printf(\"\\nExcap (wireshark) options:\\n\"\n\t \" --extcap-interfaces\\n\"\n\t \" --extcap-version\\n\"\n\t \" --extcap-dlts\\n\"\n\t \" --extcap-interface \\n\"\n\t \" --extcap-config\\n\"\n\t \" --capture\\n\"\n\t \" --extcap-capture-filter\\n\"\n\t \" --fifo \\n\"\n\t \" --debug\\n\"\n\t \" --dbg-proto proto|num[,...]\\n\"\n );\n#endif\n\n if(long_help) {\n NDPI_PROTOCOL_BITMASK all;\n\n printf(\"\\n\\nnDPI supported protocols:\\n\");\n printf(\"%3s %-22s %-8s %-12s %s\\n\", \"Id\", \"Protocol\", \"Layer_4\", \"Breed\", \"Category\");\n num_threads 
= 1;\n\n NDPI_BITMASK_SET_ALL(all);\n ndpi_set_protocol_detection_bitmask2(ndpi_info_mod, &all);\n\n ndpi_dump_protocols(ndpi_info_mod);\n }\n exit(!long_help);\n}", "project": "nDPI", "hash": 129666219989421746701764663882434571823, "size": 86, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254805 }, { "func": "static void help(const char xopt)\n{\n int i;\n\n printf\n (\"usage: nasm [-@ response file] [-o outfile] [-f format] \"\n \"[-l listfile]\\n\"\n \" [options...] [--] filename\\n\"\n \" or nasm -v (or --v) for version info\\n\\n\"\n \"\\n\"\n \"Response files should contain command line parameters,\\n\"\n \"one per line.\\n\"\n \"\\n\"\n \" -t assemble in SciTech TASM compatible mode\\n\");\n printf\n (\" -E (or -e) preprocess only (writes output to stdout by default)\\n\"\n \" -a don't preprocess (assemble only)\\n\"\n \" -M generate Makefile dependencies on stdout\\n\"\n \" -MG d:o, missing files assumed generated\\n\"\n \" -MF file set Makefile dependency file\\n\"\n \" -MD file assemble and generate dependencies\\n\"\n \" -MT file dependency target name\\n\"\n \" -MQ file dependency target name (quoted)\\n\"\n \" -MP emit phony target\\n\\n\"\n \" -Zfile redirect error messages to file\\n\"\n \" -s redirect error messages to stdout\\n\\n\"\n \" -g generate debugging information\\n\\n\"\n \" -F format select a debugging format\\n\\n\"\n \" -gformat same as -g -F format\\n\\n\"\n \" -o outfile write output to an outfile\\n\\n\"\n \" -f format select an output format\\n\\n\"\n \" -l listfile write listing to a listfile\\n\\n\"\n \" -Ipath add a pathname to the include file path\\n\");\n printf\n (\" -Olevel optimize opcodes, immediates and branch offsets\\n\"\n \" -O0 no optimization\\n\"\n \" -O1 minimal optimization\\n\"\n \" -Ox multipass 
optimization (default)\\n\"\n \" -Pfile pre-include a file (also --include)\\n\"\n \" -Dmacro[=str] pre-define a macro\\n\"\n \" -Umacro undefine a macro\\n\"\n \" -Xformat specifiy error reporting format (gnu or vc)\\n\"\n \" -w+foo enable warning foo (equiv. -Wfoo)\\n\"\n \" -w-foo disable warning foo (equiv. -Wno-foo)\\n\"\n \" -w[+-]error[=foo]\\n\"\n \" promote [specific] warnings to errors\\n\"\n \" -h show invocation summary and exit (also --help)\\n\\n\"\n \" --pragma str pre-executes a specific %%pragma\\n\"\n \" --before str add line (usually a preprocessor statement) before the input\\n\"\n \" --prefix str prepend the given string to all the given string\\n\"\n \" to all extern, common and global symbols (also --gprefix)\\n\"\n \" --postfix str append the given string to all the given string\\n\"\n \" to all extern, common and global symbols (also --gpostfix)\\n\"\n \" --lprefix str prepend the given string to all other symbols\\n\"\n \" --lpostfix str append the given string to all other symbols\\n\"\n \" --keep-all output files will not be removed even if an error happens\\n\"\n \" --limit-X val set execution limit X\\n\");\n\n for (i = 0; i <= LIMIT_MAX; i++) {\n printf(\" %-15s %s (default \",\n limit_info[i].name, limit_info[i].help);\n if (nasm_limit[i] < LIMIT_MAX_VAL) {\n printf(\"%\"PRId64\")\\n\", nasm_limit[i]);\n } else {\n printf(\"unlimited)\\n\");\n }\n }\n\n printf(\"\\nWarnings for the -W/-w options:\\n\");\n\n for (i = 0; i <= ERR_WARN_ALL; i++)\n printf(\" %-23s %s%s\\n\",\n warnings[i].name, warnings[i].help,\n i == ERR_WARN_ALL ? \"\\n\" :\n warnings[i].enabled ? 
\" (default on)\" :\n \" (default off)\");\n\n if (xopt == 'f') {\n printf(\"valid output formats for -f are\"\n \" (`*' denotes default):\\n\");\n ofmt_list(ofmt, stdout);\n } else {\n printf(\"For a list of valid output formats, use -hf.\\n\");\n printf(\"For a list of debug formats, use -f -y.\\n\");\n }\n}", "project": "nasm", "hash": 76853013763404784083541147384828138601, "size": 86, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257492 }, { "func": "void help(void)\n{\n\tprintf(_(\"%s %s -- get file access control lists\\n\"),\n\t progname, VERSION);\n\tprintf(_(\"Usage: %s [-%s] file ...\\n\"),\n\t progname, cmd_line_options);\n#if !POSIXLY_CORRECT\n\tif (posixly_correct) {\n#endif\n\t\tprintf(_(\n\" -d, --default display the default access control list\\n\"));\n#if !POSIXLY_CORRECT\n\t} else {\n\t\tprintf(_(\n\" -a, --access display the file access control list only\\n\"\n\" -d, --default display the default access control list only\\n\"\n\" -c, --omit-header do not display the comment header\\n\"\n\" -e, --all-effective print all effective rights\\n\"\n\" -E, --no-effective print no effective rights\\n\"\n\" -s, --skip-base skip files that only have the base entries\\n\"\n\" -R, --recursive recurse into subdirectories\\n\"\n\" -L, --logical logical walk, follow symbolic links\\n\"\n\" -P, --physical physical walk, do not follow symbolic links\\n\"\n\" -t, --tabular use tabular output format\\n\"\n\" -n, --numeric print numeric user/group identifiers\\n\"\n\" -p, --absolute-names don't strip leading '/' in pathnames\\n\"));\n\t}\n#endif\n\tprintf(_(\n\" -v, --version print version and exit\\n\"\n\" -h, --help this help text\\n\"));\n}", "target": 0, "cwe": [], "project": "acl", "commit_id": 
"63451a06b7484d220750ed8574d3ee84e156daf5", "hash": 99342204445819023313767470533292007474, "size": 32, "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".", "dataset": "other", "idx": 491967 }, { "func": "void CAuthBase::RefuseLogin(const CString& sReason) {\n if (!m_pSock) return;\n\n CUser* pUser = CZNC::Get().FindUser(GetUsername());\n\n // If the username is valid, notify that user that someone tried to\n // login. Use sReason because there are other reasons than \"wrong\n // password\" for a login to be rejected (e.g. fail2ban).\n if (pUser) {\n pUser->PutStatusNotice(t_f(\n \"A client from {1} attempted to login as you, but was rejected: \"\n \"{2}\")(GetRemoteIP(), sReason));\n }\n\n GLOBALMODULECALL(OnFailedLogin(GetUsername(), GetRemoteIP()), NOTHING);\n RefusedLogin(sReason);\n Invalidate();\n}", "project": "znc", "hash": 81251966659234390256424390324449731738, "size": 18, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231581 }, { "func": "void CClient::RefuseLogin(const CString& sReason) {\n PutStatus(\"Bad username and/or password.\");\n PutClient(\":irc.znc.in 464 \" + GetNick() + \" :\" + sReason);\n Close(Csock::CLT_AFTERWRITE);\n}", "project": "znc", "hash": 158382185643561745713979373701010646515, "size": 5, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231603 }, { "func": "static int parse(uint32_t *sizemax)\n{\n long apos = 0;\n long aposmax = ftell(g_fin) + *sizemax;\n uint32_t size;\n\n if (g_atom->opcode != ATOM_NAME)\n {\n fprintf(stderr, \"parse error: root is not a 'name' opcode\\n\");\n return ERR_FAIL;\n }\n //fprintf(stderr, \"looking for '%s'\\n\", (char *)g_atom->data);\n\n // 
search for atom in the file\n while (1)\n {\n char name[4];\n uint32_t tmp;\n\n apos = ftell(g_fin);\n if (apos >= (aposmax - 8))\n {\n fprintf(stderr, \"parse error: atom '%s' not found\\n\", (char *)g_atom->data);\n return ERR_FAIL;\n }\n if ((tmp = u32in()) < 8)\n {\n fprintf(stderr, \"invalid atom size %x @%lx\\n\", tmp, ftell(g_fin));\n return ERR_FAIL;\n }\n\n size = tmp;\n if (datain(name, 4) != 4)\n {\n // EOF\n fprintf(stderr, \"can't read atom name @%lx\\n\", ftell(g_fin));\n return ERR_FAIL;\n }\n\n //fprintf(stderr, \"atom: '%c%c%c%c'(%x)\", name[0],name[1],name[2],name[3], size);\n\n if (!memcmp(name, g_atom->data, 4))\n {\n //fprintf(stderr, \"OK\\n\");\n break;\n }\n //fprintf(stderr, \"\\n\");\n\n fseek(g_fin, apos + size, SEEK_SET);\n }\n *sizemax = size;\n g_atom++;\n if (g_atom->opcode == ATOM_DATA)\n {\n int err = ((int (*)(int)) g_atom->data)(size - 8);\n if (err < ERR_OK)\n {\n fseek(g_fin, apos + size, SEEK_SET);\n return err;\n }\n g_atom++;\n }\n if (g_atom->opcode == ATOM_DESCENT)\n {\n long apos = ftell(g_fin);;\n\n //fprintf(stderr, \"descent\\n\");\n g_atom++;\n while (g_atom->opcode != ATOM_STOP)\n {\n uint32_t subsize = size - 8;\n int ret;\n if (g_atom->opcode == ATOM_ASCENT)\n {\n g_atom++;\n break;\n }\n fseek(g_fin, apos, SEEK_SET);\n if ((ret = parse(&subsize)) < 0)\n return ret;\n }\n //fprintf(stderr, \"ascent\\n\");\n }\n\n fseek(g_fin, apos + size, SEEK_SET);\n\n return ERR_OK;\n}", "project": "faad2", "hash": 47540715471888071776971488346610154691, "size": 88, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. 
The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221448 }, { "func": "boost::intrusive_ptr ExpressionRegexFindAll::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vpsIn) {\n auto opName = \"$regexFindAll\"_sd;\n auto [input, regex, options] = CommonRegexParse(expCtx, expr, vpsIn, opName);\n return new ExpressionRegexFindAll(\n expCtx, std::move(input), std::move(regex), std::move(options), opName);\n}", "project": "mongo", "hash": 265963046707655581324603177645234304699, "size": 8, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370013 }, { "func": "intrusive_ptr ExpressionDateToString::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vps) {\n verify(expr.fieldNameStringData() == \"$dateToString\");\n\n uassert(18629,\n \"$dateToString only supports an object as its argument\",\n expr.type() == BSONType::Object);\n\n BSONElement formatElem, dateElem, timeZoneElem, onNullElem;\n for (auto&& arg : expr.embeddedObject()) {\n auto field = arg.fieldNameStringData();\n\n if (field == \"format\"_sd) {\n formatElem = arg;\n } else if (field == \"date\"_sd) {\n dateElem = arg;\n } else if (field == \"timezone\"_sd) {\n timeZoneElem = arg;\n } else if (field == \"onNull\"_sd) {\n onNullElem = arg;\n } else {\n uasserted(18534,\n str::stream()\n << \"Unrecognized argument to $dateToString: \" << arg.fieldName());\n }\n }\n\n uassert(18628, \"Missing 'date' parameter to $dateToString\", !dateElem.eoo());\n\n return new ExpressionDateToString(expCtx,\n parseOperand(expCtx, dateElem, vps),\n formatElem ? parseOperand(expCtx, formatElem, vps) : nullptr,\n timeZoneElem ? parseOperand(expCtx, timeZoneElem, vps)\n : nullptr,\n onNullElem ? 
parseOperand(expCtx, onNullElem, vps) : nullptr);\n}", "project": "mongo", "hash": 336623500992453843958038085691207090123, "size": 37, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370014 }, { "func": "intrusive_ptr ExpressionLet::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vpsIn) {\n verify(expr.fieldNameStringData() == \"$let\");\n\n uassert(16874, \"$let only supports an object as its argument\", expr.type() == Object);\n const BSONObj args = expr.embeddedObject();\n\n // varsElem must be parsed before inElem regardless of BSON order.\n BSONElement varsElem;\n BSONElement inElem;\n for (auto&& arg : args) {\n if (arg.fieldNameStringData() == \"vars\") {\n varsElem = arg;\n } else if (arg.fieldNameStringData() == \"in\") {\n inElem = arg;\n } else {\n uasserted(16875,\n str::stream() << \"Unrecognized parameter to $let: \" << arg.fieldName());\n }\n }\n\n uassert(16876, \"Missing 'vars' parameter to $let\", !varsElem.eoo());\n uassert(16877, \"Missing 'in' parameter to $let\", !inElem.eoo());\n\n // parse \"vars\"\n VariablesParseState vpsSub(vpsIn); // vpsSub gets our vars, vpsIn doesn't.\n VariableMap vars;\n std::vector> children;\n auto&& varsObj = varsElem.embeddedObjectUserCheck();\n for (auto&& varElem : varsObj)\n children.push_back(parseOperand(expCtx, varElem, vpsIn));\n\n // Make a place in the vector for \"in\".\n auto& inPtr = children.emplace_back(nullptr);\n\n std::vector>::size_type index = 0;\n std::vector orderedVariableIds;\n for (auto&& varElem : varsObj) {\n const string varName = varElem.fieldName();\n Variables::validateNameForUserWrite(varName);\n Variables::Id id = vpsSub.defineVariable(varName);\n\n orderedVariableIds.push_back(id);\n\n vars.emplace(id, NameAndExpression{varName, children[index]}); // only has outer vars\n ++index;\n }\n\n // parse \"in\"\n inPtr = 
parseOperand(expCtx, inElem, vpsSub); // has our vars\n\n return new ExpressionLet(\n expCtx, std::move(vars), std::move(children), std::move(orderedVariableIds));\n}", "project": "mongo", "hash": 303158973571594665080444539976344843171, "size": 55, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370015 }, { "func": "intrusive_ptr ExpressionMeta::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vpsIn) {\n uassert(17307, \"$meta only supports string arguments\", expr.type() == String);\n\n const auto iter = kMetaNameToMetaType.find(expr.valueStringData());\n if (iter != kMetaNameToMetaType.end()) {\n return new ExpressionMeta(expCtx, iter->second);\n } else {\n uasserted(17308, \"Unsupported argument to $meta: \" + expr.String());\n }\n}", "project": "mongo", "hash": 312508868737039871205861219182349745366, "size": 12, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370020 }, { "func": "intrusive_ptr ExpressionRandom::parse(ExpressionContext* const expCtx,\n BSONElement exprElement,\n const VariablesParseState& vps) {\n uassert(3040500,\n \"$rand not allowed inside collection validators\",\n !expCtx->isParsingCollectionValidator);\n\n uassert(3040501, \"$rand does not currently accept arguments\", exprElement.Obj().isEmpty());\n\n return new ExpressionRandom(expCtx);\n}", "project": "mongo", "hash": 214325366652914035307137370298371826876, "size": 11, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370024 }, { "func": "intrusive_ptr ExpressionDateFromString::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vps) {\n\n uassert(40540,\n 
str::stream() << \"$dateFromString only supports an object as an argument, found: \"\n << typeName(expr.type()),\n expr.type() == BSONType::Object);\n\n BSONElement dateStringElem, timeZoneElem, formatElem, onNullElem, onErrorElem;\n\n const BSONObj args = expr.embeddedObject();\n for (auto&& arg : args) {\n auto field = arg.fieldNameStringData();\n\n if (field == \"format\"_sd) {\n formatElem = arg;\n } else if (field == \"dateString\"_sd) {\n dateStringElem = arg;\n } else if (field == \"timezone\"_sd) {\n timeZoneElem = arg;\n } else if (field == \"onNull\"_sd) {\n onNullElem = arg;\n } else if (field == \"onError\"_sd) {\n onErrorElem = arg;\n } else {\n uasserted(40541,\n str::stream()\n << \"Unrecognized argument to $dateFromString: \" << arg.fieldName());\n }\n }\n\n uassert(40542, \"Missing 'dateString' parameter to $dateFromString\", dateStringElem);\n\n return new ExpressionDateFromString(\n expCtx,\n parseOperand(expCtx, dateStringElem, vps),\n timeZoneElem ? parseOperand(expCtx, timeZoneElem, vps) : nullptr,\n formatElem ? parseOperand(expCtx, formatElem, vps) : nullptr,\n onNullElem ? parseOperand(expCtx, onNullElem, vps) : nullptr,\n onErrorElem ? 
parseOperand(expCtx, onErrorElem, vps) : nullptr);\n}", "project": "mongo", "hash": 282072458605951317950918643794346746823, "size": 42, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370028 }, { "func": "intrusive_ptr ExpressionMap::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vpsIn) {\n verify(expr.fieldNameStringData() == \"$map\");\n\n uassert(16878, \"$map only supports an object as its argument\", expr.type() == Object);\n\n // \"in\" must be parsed after \"as\" regardless of BSON order\n BSONElement inputElem;\n BSONElement asElem;\n BSONElement inElem;\n const BSONObj args = expr.embeddedObject();\n BSONForEach(arg, args) {\n if (arg.fieldNameStringData() == \"input\") {\n inputElem = arg;\n } else if (arg.fieldNameStringData() == \"as\") {\n asElem = arg;\n } else if (arg.fieldNameStringData() == \"in\") {\n inElem = arg;\n } else {\n uasserted(16879,\n str::stream() << \"Unrecognized parameter to $map: \" << arg.fieldName());\n }\n }\n\n uassert(16880, \"Missing 'input' parameter to $map\", !inputElem.eoo());\n uassert(16882, \"Missing 'in' parameter to $map\", !inElem.eoo());\n\n // parse \"input\"\n intrusive_ptr input =\n parseOperand(expCtx, inputElem, vpsIn); // only has outer vars\n\n // parse \"as\"\n VariablesParseState vpsSub(vpsIn); // vpsSub gets our vars, vpsIn doesn't.\n\n // If \"as\" is not specified, then use \"this\" by default.\n auto varName = asElem.eoo() ? 
\"this\" : asElem.str();\n\n Variables::validateNameForUserWrite(varName);\n Variables::Id varId = vpsSub.defineVariable(varName);\n\n // parse \"in\"\n intrusive_ptr in =\n parseOperand(expCtx, inElem, vpsSub); // has access to map variable\n\n return new ExpressionMap(expCtx, varName, varId, input, in);\n}", "project": "mongo", "hash": 291776300724939008664426500857372044387, "size": 47, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370030 }, { "func": "intrusive_ptr ExpressionCompare::parse(ExpressionContext* const expCtx,\n BSONElement bsonExpr,\n const VariablesParseState& vps,\n CmpOp op) {\n intrusive_ptr expr = new ExpressionCompare(expCtx, op);\n ExpressionVector args = parseArguments(expCtx, bsonExpr, vps);\n expr->validateArguments(args);\n expr->_children = args;\n return expr;\n}", "project": "mongo", "hash": 162909720851883706224157648561250284201, "size": 10, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370041 }, { "func": "intrusive_ptr ExpressionFieldPath::parse(ExpressionContext* const expCtx,\n const string& raw,\n const VariablesParseState& vps) {\n uassert(16873,\n str::stream() << \"FieldPath '\" << raw << \"' doesn't start with $\",\n raw.c_str()[0] == '$'); // c_str()[0] is always a valid reference.\n\n uassert(16872,\n str::stream() << \"'$' by itself is not a valid FieldPath\",\n raw.size() >= 2); // need at least \"$\" and either \"$\" or a field name\n\n if (raw[1] == '$') {\n const StringData rawSD = raw;\n const StringData fieldPath = rawSD.substr(2); // strip off $$\n const StringData varName = fieldPath.substr(0, fieldPath.find('.'));\n Variables::validateNameForUserRead(varName);\n auto varId = vps.getVariable(varName);\n return new ExpressionFieldPath(expCtx, fieldPath.toString(), varId);\n 
} else {\n return new ExpressionFieldPath(expCtx,\n \"CURRENT.\" + raw.substr(1), // strip the \"$\" prefix\n vps.getVariable(\"CURRENT\"));\n }\n}", "project": "mongo", "hash": 104656403635654918143392066903675097039, "size": 24, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370044 }, { "func": "intrusive_ptr ExpressionTrunc::parse(ExpressionContext* const expCtx,\n BSONElement elem,\n const VariablesParseState& vps) {\n return ExpressionRangedArity::parse(expCtx, elem, vps);\n}", "project": "mongo", "hash": 68294673386654299038716551849989596711, "size": 5, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370048 }, { "func": "boost::intrusive_ptr ExpressionRegexFind::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vpsIn) {\n auto opName = \"$regexFind\"_sd;\n auto [input, regex, options] = CommonRegexParse(expCtx, expr, vpsIn, opName);\n return new ExpressionRegexFind(\n expCtx, std::move(input), std::move(regex), std::move(options), opName);\n}", "project": "mongo", "hash": 59886930669959971386928534518118685577, "size": 8, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370053 }, { "func": "intrusive_ptr ExpressionReduce::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vps) {\n uassert(40075,\n str::stream() << \"$reduce requires an object as an argument, found: \"\n << typeName(expr.type()),\n expr.type() == Object);\n\n\n // vpsSub is used only to parse 'in', which must have access to $$this and $$value.\n VariablesParseState vpsSub(vps);\n auto thisVar = vpsSub.defineVariable(\"this\");\n auto valueVar = 
vpsSub.defineVariable(\"value\");\n\n boost::intrusive_ptr input;\n boost::intrusive_ptr initial;\n boost::intrusive_ptr in;\n for (auto&& elem : expr.Obj()) {\n auto field = elem.fieldNameStringData();\n\n if (field == \"input\") {\n input = parseOperand(expCtx, elem, vps);\n } else if (field == \"initialValue\") {\n initial = parseOperand(expCtx, elem, vps);\n } else if (field == \"in\") {\n in = parseOperand(expCtx, elem, vpsSub);\n } else {\n uasserted(40076, str::stream() << \"$reduce found an unknown argument: \" << field);\n }\n }\n\n uassert(40077, \"$reduce requires 'input' to be specified\", input);\n uassert(40078, \"$reduce requires 'initialValue' to be specified\", initial);\n uassert(40079, \"$reduce requires 'in' to be specified\", in);\n\n return new ExpressionReduce(\n expCtx, std::move(input), std::move(initial), std::move(in), thisVar, valueVar);\n}", "project": "mongo", "hash": 242074284314020654697020736272430590694, "size": 38, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370059 }, { "func": "intrusive_ptr ExpressionDateToParts::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vps) {\n\n uassert(40524,\n \"$dateToParts only supports an object as its argument\",\n expr.type() == BSONType::Object);\n\n BSONElement dateElem;\n BSONElement timeZoneElem;\n BSONElement isoDateElem;\n\n const BSONObj args = expr.embeddedObject();\n for (auto&& arg : args) {\n auto field = arg.fieldNameStringData();\n\n if (field == \"date\"_sd) {\n dateElem = arg;\n } else if (field == \"timezone\"_sd) {\n timeZoneElem = arg;\n } else if (field == \"iso8601\"_sd) {\n isoDateElem = arg;\n } else {\n uasserted(40520,\n str::stream()\n << \"Unrecognized argument to $dateToParts: \" << arg.fieldName());\n }\n }\n\n uassert(40522, \"Missing 'date' parameter to $dateToParts\", dateElem);\n\n return new 
ExpressionDateToParts(\n expCtx,\n parseOperand(expCtx, dateElem, vps),\n timeZoneElem ? parseOperand(expCtx, timeZoneElem, vps) : nullptr,\n isoDateElem ? parseOperand(expCtx, isoDateElem, vps) : nullptr);\n}", "project": "mongo", "hash": 256152090663338572789142294384478446693, "size": 37, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370069 }, { "func": "boost::intrusive_ptr ExpressionRegexMatch::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vpsIn) {\n auto opName = \"$regexMatch\"_sd;\n auto [input, regex, options] = CommonRegexParse(expCtx, expr, vpsIn, opName);\n return new ExpressionRegexMatch(\n expCtx, std::move(input), std::move(regex), std::move(options), opName);\n}", "project": "mongo", "hash": 270750736510516003925459147438131928724, "size": 8, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370072 }, { "func": "boost::intrusive_ptr ExpressionSwitch::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vps) {\n uassert(40060,\n str::stream() << \"$switch requires an object as an argument, found: \"\n << typeName(expr.type()),\n expr.type() == Object);\n\n boost::intrusive_ptr expDefault;\n std::vector> children;\n for (auto&& elem : expr.Obj()) {\n auto field = elem.fieldNameStringData();\n\n if (field == \"branches\") {\n // Parse each branch separately.\n uassert(40061,\n str::stream() << \"$switch expected an array for 'branches', found: \"\n << typeName(elem.type()),\n elem.type() == Array);\n\n for (auto&& branch : elem.Array()) {\n uassert(40062,\n str::stream() << \"$switch expected each branch to be an object, found: \"\n << typeName(branch.type()),\n branch.type() == Object);\n\n boost::intrusive_ptr switchCase, switchThen;\n\n 
for (auto&& branchElement : branch.Obj()) {\n auto branchField = branchElement.fieldNameStringData();\n\n if (branchField == \"case\") {\n switchCase = parseOperand(expCtx, branchElement, vps);\n } else if (branchField == \"then\") {\n switchThen = parseOperand(expCtx, branchElement, vps);\n } else {\n uasserted(40063,\n str::stream() << \"$switch found an unknown argument to a branch: \"\n << branchField);\n }\n }\n\n uassert(40064, \"$switch requires each branch have a 'case' expression\", switchCase);\n uassert(\n 40065, \"$switch requires each branch have a 'then' expression.\", switchThen);\n\n children.push_back(std::move(switchCase));\n children.push_back(std::move(switchThen));\n }\n } else if (field == \"default\") {\n // Optional, arbitrary expression.\n expDefault = parseOperand(expCtx, elem, vps);\n } else {\n uasserted(40067, str::stream() << \"$switch found an unknown argument: \" << field);\n }\n }\n children.push_back(std::move(expDefault));\n // Obtain references to the case and branch expressions two-by-two from the children vector,\n // ignore the last.\n std::vector branches;\n boost::optional&> first;\n for (auto&& child : children) {\n if (first) {\n branches.emplace_back(*first, child);\n first = boost::none;\n } else {\n first = child;\n }\n }\n\n uassert(40068, \"$switch requires at least one branch.\", !branches.empty());\n\n return new ExpressionSwitch(expCtx, std::move(children), std::move(branches));\n}", "project": "mongo", "hash": 312672304435358304372526223276503180393, "size": 74, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370078 }, { "func": "intrusive_ptr ExpressionConvert::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vps) {\n uassert(ErrorCodes::FailedToParse,\n str::stream() << \"$convert expects an object of named arguments but found: \"\n << 
typeName(expr.type()),\n expr.type() == BSONType::Object);\n\n boost::intrusive_ptr input;\n boost::intrusive_ptr to;\n boost::intrusive_ptr onError;\n boost::intrusive_ptr onNull;\n for (auto&& elem : expr.embeddedObject()) {\n const auto field = elem.fieldNameStringData();\n if (field == \"input\"_sd) {\n input = parseOperand(expCtx, elem, vps);\n } else if (field == \"to\"_sd) {\n to = parseOperand(expCtx, elem, vps);\n } else if (field == \"onError\"_sd) {\n onError = parseOperand(expCtx, elem, vps);\n } else if (field == \"onNull\"_sd) {\n onNull = parseOperand(expCtx, elem, vps);\n } else {\n uasserted(ErrorCodes::FailedToParse,\n str::stream()\n << \"$convert found an unknown argument: \" << elem.fieldNameStringData());\n }\n }\n\n uassert(ErrorCodes::FailedToParse, \"Missing 'input' parameter to $convert\", input);\n uassert(ErrorCodes::FailedToParse, \"Missing 'to' parameter to $convert\", to);\n\n return new ExpressionConvert(\n expCtx, std::move(input), std::move(to), std::move(onError), std::move(onNull));\n}", "project": "mongo", "hash": 277046102981041197431705510094714097581, "size": 35, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370081 }, { "func": "intrusive_ptr ExpressionZip::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vps) {\n uassert(34460,\n str::stream() << \"$zip only supports an object as an argument, found \"\n << typeName(expr.type()),\n expr.type() == Object);\n\n auto useLongestLength = false;\n std::vector> children;\n // We need to ensure defaults appear after inputs so we build them seperately and then\n // concatenate them.\n std::vector> tempDefaultChildren;\n\n for (auto&& elem : expr.Obj()) {\n const auto field = elem.fieldNameStringData();\n if (field == \"inputs\") {\n uassert(34461,\n str::stream() << \"inputs must be an array of expressions, found \"\n << 
typeName(elem.type()),\n elem.type() == Array);\n for (auto&& subExpr : elem.Array()) {\n children.push_back(parseOperand(expCtx, subExpr, vps));\n }\n } else if (field == \"defaults\") {\n uassert(34462,\n str::stream() << \"defaults must be an array of expressions, found \"\n << typeName(elem.type()),\n elem.type() == Array);\n for (auto&& subExpr : elem.Array()) {\n tempDefaultChildren.push_back(parseOperand(expCtx, subExpr, vps));\n }\n } else if (field == \"useLongestLength\") {\n uassert(34463,\n str::stream() << \"useLongestLength must be a bool, found \"\n << typeName(expr.type()),\n elem.type() == Bool);\n useLongestLength = elem.Bool();\n } else {\n uasserted(34464,\n str::stream() << \"$zip found an unknown argument: \" << elem.fieldName());\n }\n }\n\n auto numInputs = children.size();\n std::move(tempDefaultChildren.begin(), tempDefaultChildren.end(), std::back_inserter(children));\n\n std::vector>> inputs;\n std::vector>> defaults;\n for (auto&& child : children) {\n if (numInputs == 0) {\n defaults.push_back(child);\n } else {\n inputs.push_back(child);\n numInputs--;\n }\n }\n\n uassert(34465, \"$zip requires at least one input array\", !inputs.empty());\n uassert(34466,\n \"cannot specify defaults unless useLongestLength is true\",\n (useLongestLength || defaults.empty()));\n uassert(34467,\n \"defaults and inputs must have the same length\",\n (defaults.empty() || defaults.size() == inputs.size()));\n\n return new ExpressionZip(\n expCtx, useLongestLength, std::move(children), std::move(inputs), std::move(defaults));\n}", "project": "mongo", "hash": 209453974370259879176641546346132045810, "size": 69, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370086 }, { "func": "intrusive_ptr ExpressionObject::parse(ExpressionContext* const expCtx,\n BSONObj obj,\n const VariablesParseState& vps) {\n // Make sure we don't have any 
duplicate field names.\n stdx::unordered_set specifiedFields;\n\n std::vector> children;\n vector&>> expressions;\n for (auto&& elem : obj) {\n // Make sure this element has a valid field name. Use StringData here so that we can detect\n // if the field name contains a null byte.\n FieldPath::uassertValidFieldName(elem.fieldNameStringData());\n\n auto fieldName = elem.fieldName();\n uassert(16406,\n str::stream() << \"duplicate field name specified in object literal: \"\n << obj.toString(),\n specifiedFields.find(fieldName) == specifiedFields.end());\n specifiedFields.insert(fieldName);\n children.push_back(parseOperand(expCtx, elem, vps));\n }\n\n std::vector>::size_type index = 0;\n for (auto&& elem : obj) {\n expressions.emplace_back(elem.fieldName(), children[index]);\n ++index;\n }\n\n return new ExpressionObject{expCtx, std::move(children), std::move(expressions)};\n}", "project": "mongo", "hash": 125881482029795640112748107830076727562, "size": 30, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370087 }, { "func": "intrusive_ptr ExpressionReplaceAll::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vps) {\n auto [input, find, replacement] = parseExpressionReplaceBase(opName, expCtx, expr, vps);\n return make_intrusive(\n expCtx, std::move(input), std::move(find), std::move(replacement));\n}", "project": "mongo", "hash": 133434317841076783726351188619981731703, "size": 7, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370090 }, { "func": "intrusive_ptr ExpressionDateFromParts::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vps) {\n\n uassert(40519,\n \"$dateFromParts only supports an object as its argument\",\n expr.type() == 
BSONType::Object);\n\n BSONElement yearElem;\n BSONElement monthElem;\n BSONElement dayElem;\n BSONElement hourElem;\n BSONElement minuteElem;\n BSONElement secondElem;\n BSONElement millisecondElem;\n BSONElement isoWeekYearElem;\n BSONElement isoWeekElem;\n BSONElement isoDayOfWeekElem;\n BSONElement timeZoneElem;\n\n const BSONObj args = expr.embeddedObject();\n for (auto&& arg : args) {\n auto field = arg.fieldNameStringData();\n\n if (field == \"year\"_sd) {\n yearElem = arg;\n } else if (field == \"month\"_sd) {\n monthElem = arg;\n } else if (field == \"day\"_sd) {\n dayElem = arg;\n } else if (field == \"hour\"_sd) {\n hourElem = arg;\n } else if (field == \"minute\"_sd) {\n minuteElem = arg;\n } else if (field == \"second\"_sd) {\n secondElem = arg;\n } else if (field == \"millisecond\"_sd) {\n millisecondElem = arg;\n } else if (field == \"isoWeekYear\"_sd) {\n isoWeekYearElem = arg;\n } else if (field == \"isoWeek\"_sd) {\n isoWeekElem = arg;\n } else if (field == \"isoDayOfWeek\"_sd) {\n isoDayOfWeekElem = arg;\n } else if (field == \"timezone\"_sd) {\n timeZoneElem = arg;\n } else {\n uasserted(40518,\n str::stream()\n << \"Unrecognized argument to $dateFromParts: \" << arg.fieldName());\n }\n }\n\n if (!yearElem && !isoWeekYearElem) {\n uasserted(40516, \"$dateFromParts requires either 'year' or 'isoWeekYear' to be present\");\n }\n\n if (yearElem && (isoWeekYearElem || isoWeekElem || isoDayOfWeekElem)) {\n uasserted(40489, \"$dateFromParts does not allow mixing natural dates with ISO dates\");\n }\n\n if (isoWeekYearElem && (yearElem || monthElem || dayElem)) {\n uasserted(40525, \"$dateFromParts does not allow mixing ISO dates with natural dates\");\n }\n\n return new ExpressionDateFromParts(\n expCtx,\n yearElem ? parseOperand(expCtx, yearElem, vps) : nullptr,\n monthElem ? parseOperand(expCtx, monthElem, vps) : nullptr,\n dayElem ? parseOperand(expCtx, dayElem, vps) : nullptr,\n hourElem ? 
parseOperand(expCtx, hourElem, vps) : nullptr,\n minuteElem ? parseOperand(expCtx, minuteElem, vps) : nullptr,\n secondElem ? parseOperand(expCtx, secondElem, vps) : nullptr,\n millisecondElem ? parseOperand(expCtx, millisecondElem, vps) : nullptr,\n isoWeekYearElem ? parseOperand(expCtx, isoWeekYearElem, vps) : nullptr,\n isoWeekElem ? parseOperand(expCtx, isoWeekElem, vps) : nullptr,\n isoDayOfWeekElem ? parseOperand(expCtx, isoDayOfWeekElem, vps) : nullptr,\n timeZoneElem ? parseOperand(expCtx, timeZoneElem, vps) : nullptr);\n}", "project": "mongo", "hash": 57178853766448300214134836369889620932, "size": 79, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370093 }, { "func": "intrusive_ptr ExpressionConstant::parse(ExpressionContext* const expCtx,\n BSONElement exprElement,\n const VariablesParseState& vps) {\n return new ExpressionConstant(expCtx, Value(exprElement));\n}", "project": "mongo", "hash": 195998562199788443586897349704074819062, "size": 5, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370094 }, { "func": "intrusive_ptr ExpressionFilter::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vpsIn) {\n verify(expr.fieldNameStringData() == \"$filter\");\n\n uassert(28646, \"$filter only supports an object as its argument\", expr.type() == Object);\n\n // \"cond\" must be parsed after \"as\" regardless of BSON order.\n BSONElement inputElem;\n BSONElement asElem;\n BSONElement condElem;\n for (auto elem : expr.Obj()) {\n if (elem.fieldNameStringData() == \"input\") {\n inputElem = elem;\n } else if (elem.fieldNameStringData() == \"as\") {\n asElem = elem;\n } else if (elem.fieldNameStringData() == \"cond\") {\n condElem = elem;\n } else {\n uasserted(28647,\n str::stream() << 
\"Unrecognized parameter to $filter: \" << elem.fieldName());\n }\n }\n\n uassert(28648, \"Missing 'input' parameter to $filter\", !inputElem.eoo());\n uassert(28650, \"Missing 'cond' parameter to $filter\", !condElem.eoo());\n\n // Parse \"input\", only has outer variables.\n intrusive_ptr input = parseOperand(expCtx, inputElem, vpsIn);\n\n // Parse \"as\".\n VariablesParseState vpsSub(vpsIn); // vpsSub gets our variable, vpsIn doesn't.\n\n // If \"as\" is not specified, then use \"this\" by default.\n auto varName = asElem.eoo() ? \"this\" : asElem.str();\n\n Variables::validateNameForUserWrite(varName);\n Variables::Id varId = vpsSub.defineVariable(varName);\n\n // Parse \"cond\", has access to \"as\" variable.\n intrusive_ptr cond = parseOperand(expCtx, condElem, vpsSub);\n\n return new ExpressionFilter(\n expCtx, std::move(varName), varId, std::move(input), std::move(cond));\n}", "project": "mongo", "hash": 47302761922568187189542003215099202256, "size": 45, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370095 }, { "func": "intrusive_ptr ExpressionCond::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vps) {\n if (expr.type() != Object) {\n return Base::parse(expCtx, expr, vps);\n }\n verify(expr.fieldNameStringData() == \"$cond\");\n\n intrusive_ptr ret = new ExpressionCond(expCtx);\n ret->_children.resize(3);\n\n const BSONObj args = expr.embeddedObject();\n BSONForEach(arg, args) {\n if (arg.fieldNameStringData() == \"if\") {\n ret->_children[0] = parseOperand(expCtx, arg, vps);\n } else if (arg.fieldNameStringData() == \"then\") {\n ret->_children[1] = parseOperand(expCtx, arg, vps);\n } else if (arg.fieldNameStringData() == \"else\") {\n ret->_children[2] = parseOperand(expCtx, arg, vps);\n } else {\n uasserted(17083,\n str::stream() << \"Unrecognized parameter to $cond: \" << arg.fieldName());\n 
}\n }\n\n uassert(17080, \"Missing 'if' parameter to $cond\", ret->_children[0]);\n uassert(17081, \"Missing 'then' parameter to $cond\", ret->_children[1]);\n uassert(17082, \"Missing 'else' parameter to $cond\", ret->_children[2]);\n\n return ret;\n}", "project": "mongo", "hash": 209732621551481942173411055635998773133, "size": 31, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370096 }, { "func": "intrusive_ptr ExpressionReplaceOne::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vps) {\n auto [input, find, replacement] = parseExpressionReplaceBase(opName, expCtx, expr, vps);\n return make_intrusive(\n expCtx, std::move(input), std::move(find), std::move(replacement));\n}", "project": "mongo", "hash": 309898713362840197587804298678052902545, "size": 7, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370099 }, { "func": "intrusive_ptr ExpressionTrim::parse(ExpressionContext* const expCtx,\n BSONElement expr,\n const VariablesParseState& vps) {\n const auto name = expr.fieldNameStringData();\n TrimType trimType = TrimType::kBoth;\n if (name == \"$ltrim\"_sd) {\n trimType = TrimType::kLeft;\n } else if (name == \"$rtrim\"_sd) {\n trimType = TrimType::kRight;\n } else {\n invariant(name == \"$trim\"_sd);\n }\n uassert(50696,\n str::stream() << name << \" only supports an object as an argument, found \"\n << typeName(expr.type()),\n expr.type() == Object);\n\n boost::intrusive_ptr input;\n boost::intrusive_ptr characters;\n for (auto&& elem : expr.Obj()) {\n const auto field = elem.fieldNameStringData();\n if (field == \"input\"_sd) {\n input = parseOperand(expCtx, elem, vps);\n } else if (field == \"chars\"_sd) {\n characters = parseOperand(expCtx, elem, vps);\n } else {\n 
uasserted(50694,\n str::stream() << name << \" found an unknown argument: \" << elem.fieldName());\n }\n }\n uassert(50695, str::stream() << name << \" requires an 'input' field\", input);\n\n return new ExpressionTrim(expCtx, trimType, name, input, characters);\n}", "project": "mongo", "hash": 37092315136601370989048823394301990909, "size": 34, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370101 }, { "func": "HttpHeader::parse(const char *header_start, size_t hdrLen)\n{\n const char *field_ptr = header_start;\n const char *header_end = header_start + hdrLen; // XXX: remove\n int warnOnError = (Config.onoff.relaxed_header_parser <= 0 ? DBG_IMPORTANT : 2);\n\n PROF_start(HttpHeaderParse);\n\n assert(header_start && header_end);\n debugs(55, 7, \"parsing hdr: (\" << this << \")\" << std::endl << getStringPrefix(header_start, hdrLen));\n ++ HttpHeaderStats[owner].parsedCount;\n\n char *nulpos;\n if ((nulpos = (char*)memchr(header_start, '\\0', hdrLen))) {\n debugs(55, DBG_IMPORTANT, \"WARNING: HTTP header contains NULL characters {\" <<\n getStringPrefix(header_start, nulpos-header_start) << \"}\\nNULL\\n{\" << getStringPrefix(nulpos+1, hdrLen-(nulpos-header_start)-1));\n PROF_stop(HttpHeaderParse);\n clean();\n return 0;\n }\n\n Http::ContentLengthInterpreter clen(warnOnError);\n /* common format headers are \":[ws]\" lines delimited by .\n * continuation lines start with a (single) space or tab */\n while (field_ptr < header_end) {\n const char *field_start = field_ptr;\n const char *field_end;\n\n const char *hasBareCr = nullptr;\n size_t lines = 0;\n do {\n const char *this_line = field_ptr;\n field_ptr = (const char *)memchr(field_ptr, '\\n', header_end - field_ptr);\n ++lines;\n\n if (!field_ptr) {\n // missing \n PROF_stop(HttpHeaderParse);\n clean();\n return 0;\n }\n\n field_end = field_ptr;\n\n ++field_ptr; /* Move to next line */\n\n if 
(field_end > this_line && field_end[-1] == '\\r') {\n --field_end; /* Ignore CR LF */\n\n if (owner == hoRequest && field_end > this_line) {\n bool cr_only = true;\n for (const char *p = this_line; p < field_end && cr_only; ++p) {\n if (*p != '\\r')\n cr_only = false;\n }\n if (cr_only) {\n debugs(55, DBG_IMPORTANT, \"SECURITY WARNING: Rejecting HTTP request with a CR+ \"\n \"header field to prevent request smuggling attacks: {\" <<\n getStringPrefix(header_start, hdrLen) << \"}\");\n PROF_stop(HttpHeaderParse);\n clean();\n return 0;\n }\n }\n }\n\n /* Barf on stray CR characters */\n if (memchr(this_line, '\\r', field_end - this_line)) {\n hasBareCr = \"bare CR\";\n debugs(55, warnOnError, \"WARNING: suspicious CR characters in HTTP header {\" <<\n getStringPrefix(field_start, field_end-field_start) << \"}\");\n\n if (Config.onoff.relaxed_header_parser) {\n char *p = (char *) this_line; /* XXX Warning! This destroys original header content and violates specifications somewhat */\n\n while ((p = (char *)memchr(p, '\\r', field_end - p)) != NULL) {\n *p = ' ';\n ++p;\n }\n } else {\n PROF_stop(HttpHeaderParse);\n clean();\n return 0;\n }\n }\n\n if (this_line + 1 == field_end && this_line > field_start) {\n debugs(55, warnOnError, \"WARNING: Blank continuation line in HTTP header {\" <<\n getStringPrefix(header_start, hdrLen) << \"}\");\n PROF_stop(HttpHeaderParse);\n clean();\n return 0;\n }\n } while (field_ptr < header_end && (*field_ptr == ' ' || *field_ptr == '\\t'));\n\n if (field_start == field_end) {\n if (field_ptr < header_end) {\n debugs(55, warnOnError, \"WARNING: unparseable HTTP header field near {\" <<\n getStringPrefix(field_start, hdrLen-(field_start-header_start)) << \"}\");\n PROF_stop(HttpHeaderParse);\n clean();\n return 0;\n }\n\n break; /* terminating blank line */\n }\n\n const auto e = HttpHeaderEntry::parse(field_start, field_end, owner);\n if (!e) {\n debugs(55, warnOnError, \"WARNING: unparseable HTTP header field {\" <<\n 
getStringPrefix(field_start, field_end-field_start) << \"}\");\n debugs(55, warnOnError, \" in {\" << getStringPrefix(header_start, hdrLen) << \"}\");\n\n PROF_stop(HttpHeaderParse);\n clean();\n return 0;\n }\n\n if (lines > 1 || hasBareCr) {\n const auto framingHeader = (e->id == Http::HdrType::CONTENT_LENGTH || e->id == Http::HdrType::TRANSFER_ENCODING);\n if (framingHeader) {\n if (!hasBareCr) // already warned about bare CRs\n debugs(55, warnOnError, \"WARNING: obs-fold in framing-sensitive \" << e->name << \": \" << e->value);\n delete e;\n PROF_stop(HttpHeaderParse);\n clean();\n return 0;\n }\n }\n\n if (e->id == Http::HdrType::CONTENT_LENGTH && !clen.checkField(e->value)) {\n delete e;\n\n if (Config.onoff.relaxed_header_parser)\n continue; // clen has printed any necessary warnings\n\n PROF_stop(HttpHeaderParse);\n clean();\n return 0;\n }\n\n addEntry(e);\n }\n\n if (clen.headerWideProblem) {\n debugs(55, warnOnError, \"WARNING: \" << clen.headerWideProblem <<\n \" Content-Length field values in\" <<\n Raw(\"header\", header_start, hdrLen));\n }\n\n String rawTe;\n if (getByIdIfPresent(Http::HdrType::TRANSFER_ENCODING, &rawTe)) {\n // RFC 2616 section 4.4: ignore Content-Length with Transfer-Encoding\n // RFC 7230 section 3.3.3 #3: Transfer-Encoding overwrites Content-Length\n delById(Http::HdrType::CONTENT_LENGTH);\n // and clen state becomes irrelevant\n\n if (rawTe == \"chunked\") {\n ; // leave header present for chunked() method\n } else if (rawTe == \"identity\") { // deprecated. 
no coding\n delById(Http::HdrType::TRANSFER_ENCODING);\n } else {\n // This also rejects multiple encodings until we support them properly.\n debugs(55, warnOnError, \"WARNING: unsupported Transfer-Encoding used by client: \" << rawTe);\n teUnsupported_ = true;\n }\n\n } else if (clen.sawBad) {\n // ensure our callers do not accidentally see bad Content-Length values\n delById(Http::HdrType::CONTENT_LENGTH);\n conflictingContentLength_ = true; // TODO: Rename to badContentLength_.\n } else if (clen.needsSanitizing) {\n // RFC 7230 section 3.3.2: MUST either reject or ... [sanitize];\n // ensure our callers see a clean Content-Length value or none at all\n delById(Http::HdrType::CONTENT_LENGTH);\n if (clen.sawGood) {\n putInt64(Http::HdrType::CONTENT_LENGTH, clen.value);\n debugs(55, 5, \"sanitized Content-Length to be \" << clen.value);\n }\n }\n\n PROF_stop(HttpHeaderParse);\n return 1; /* even if no fields where found, it is a valid header */\n}", "project": "squid", "hash": 338452355585599762249645595552008783706, "size": 184, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402392 }, { "func": "static u8 hci_to_mgmt_reason(u8 err)\n{\n\tswitch (err) {\n\tcase HCI_ERROR_CONNECTION_TIMEOUT:\n\t\treturn MGMT_DEV_DISCONN_TIMEOUT;\n\tcase HCI_ERROR_REMOTE_USER_TERM:\n\tcase HCI_ERROR_REMOTE_LOW_RESOURCES:\n\tcase HCI_ERROR_REMOTE_POWER_OFF:\n\t\treturn MGMT_DEV_DISCONN_REMOTE;\n\tcase HCI_ERROR_LOCAL_HOST_TERM:\n\t\treturn MGMT_DEV_DISCONN_LOCAL_HOST;\n\tdefault:\n\t\treturn MGMT_DEV_DISCONN_UNKNOWN;\n\t}\n}", "project": "linux", "hash": 78702992163333498559807963790216687918, "size": 15, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431994 }, { "func": "remove_card(struct pci_dev *dev)\n{\n\tstruct pcilynx *lynx = pci_get_drvdata(dev);\n\tstruct client *client;\n\n\tmutex_lock(&card_mutex);\n\tlist_del_init(&lynx->link);\n\tmisc_deregister(&lynx->misc);\n\tmutex_unlock(&card_mutex);\n\n\treg_write(lynx, PCI_INT_ENABLE, 0);\n\tfree_irq(lynx->pci_device->irq, lynx);\n\n\tspin_lock_irq(&lynx->client_list_lock);\n\tlist_for_each_entry(client, &lynx->client_list, link)\n\t\twake_up_interruptible(&client->buffer.wait);\n\tspin_unlock_irq(&lynx->client_list_lock);\n\n\tpci_free_consistent(lynx->pci_device, sizeof(struct pcl),\n\t\t\t lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus);\n\tpci_free_consistent(lynx->pci_device, sizeof(struct pcl),\n\t\t\t lynx->rcv_pcl, lynx->rcv_pcl_bus);\n\tpci_free_consistent(lynx->pci_device, PAGE_SIZE,\n\t\t\t lynx->rcv_buffer, lynx->rcv_buffer_bus);\n\n\tiounmap(lynx->registers);\n\tpci_disable_device(dev);\n\tlynx_put(lynx);\n}", "project": "linux", "hash": 301965745171390143334549442209056389824, "size": 29, "commit_id": "829933ef05a951c8ff140e814656d73e74915faf", "message": "firewire: nosy: Fix a use-after-free bug in nosy_ioctl()\n\nFor each device, the nosy driver allocates a pcilynx structure.\nA use-after-free might happen in the following scenario:\n\n 1. Open nosy device for the first time and call ioctl with command\n NOSY_IOC_START, then a new client A will be malloced and added to\n doubly linked list.\n 2. Open nosy device for the second time and call ioctl with command\n NOSY_IOC_START, then a new client B will be malloced and added to\n doubly linked list.\n 3. 
Call ioctl with command NOSY_IOC_START for client A, then client A\n will be readded to the doubly linked list. Now the doubly linked\n list is messed up.\n 4. Close the first nosy device and nosy_release will be called. In\n nosy_release, client A will be unlinked and freed.\n 5. Close the second nosy device, and client A will be referenced,\n resulting in UAF.\n\nThe root cause of this bug is that the element in the doubly linked list\nis reentered into the list.\n\nFix this bug by adding a check before inserting a client. If a client\nis already in the linked list, don't insert it.\n\nThe following KASAN report reveals it:\n\n BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210\n Write of size 8 at addr ffff888102ad7360 by task poc\n CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n Call Trace:\n nosy_release+0x1ea/0x210\n __fput+0x1e2/0x840\n task_work_run+0xe8/0x180\n exit_to_user_mode_prepare+0x114/0x120\n syscall_exit_to_user_mode+0x1d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Allocated by task 337:\n nosy_open+0x154/0x4d0\n misc_open+0x2ec/0x410\n chrdev_open+0x20d/0x5a0\n do_dentry_open+0x40f/0xe80\n path_openat+0x1cf9/0x37b0\n do_filp_open+0x16d/0x390\n do_sys_openat2+0x11d/0x360\n __x64_sys_open+0xfd/0x1a0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Freed by task 337:\n kfree+0x8f/0x210\n nosy_release+0x158/0x210\n __fput+0x1e2/0x840\n task_work_run+0xe8/0x180\n exit_to_user_mode_prepare+0x114/0x120\n syscall_exit_to_user_mode+0x1d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128\n The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380)\n\n[ Modified to use 'list_empty()' inside proper lock - Linus ]\n\nLink: 
https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/\nReported-and-tested-by: 马哲宇 (Zheyu Ma) \nSigned-off-by: Zheyu Ma \nCc: Greg Kroah-Hartman \nCc: Stefan Richter \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 279639 }, { "func": "static void *t_start(struct seq_file *m, loff_t *pos)\n{\n\tstruct trace_array *tr = m->private;\n\tstruct tracer *t;\n\tloff_t l = 0;\n\n\tmutex_lock(&trace_types_lock);\n\n\tt = get_tracer_for_array(tr, trace_types);\n\tfor (; t && l < *pos; t = t_next(m, t, &l))\n\t\t\t;\n\n\treturn t;\n}", "project": "linux", "hash": 228079956495267157775334737590542418063, "size": 14, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445588 }, { "func": "tracing_set_trace_read(struct file *filp, char __user *ubuf,\n\t\t size_t cnt, loff_t *ppos)\n{\n\tstruct trace_array *tr = filp->private_data;\n\tchar buf[MAX_TRACER_SIZE+2];\n\tint r;\n\n\tmutex_lock(&trace_types_lock);\n\tr = sprintf(buf, \"%s\\n\", tr->current_trace->name);\n\tmutex_unlock(&trace_types_lock);\n\n\treturn simple_read_from_buffer(ubuf, cnt, ppos, buf, r);\n}", "project": "linux", "hash": 230408723867890896690825238518848816169, "size": 13, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445763 }, { "func": "static int prepare_arg_pages(struct linux_binprm *bprm,\n\t\t\tstruct user_arg_ptr argv, struct user_arg_ptr envp)\n{\n\tunsigned long limit, ptr_size;\n\n\tbprm->argc = count(argv, MAX_ARG_STRINGS);\n\tif (bprm->argc < 0)\n\t\treturn bprm->argc;\n\n\tbprm->envc = count(envp, MAX_ARG_STRINGS);\n\tif (bprm->envc < 0)\n\t\treturn bprm->envc;\n\n\t/*\n\t * Limit to 1/4 of the max stack size or 3/4 of _STK_LIM\n\t * (whichever is smaller) for the argv+env strings.\n\t * This ensures that:\n\t * - the remaining binfmt code will not run out of stack space,\n\t * - the program will have a reasonable amount of stack left\n\t * to work from.\n\t */\n\tlimit = _STK_LIM / 4 * 3;\n\tlimit = min(limit, bprm->rlim_stack.rlim_cur / 4);\n\t/*\n\t * We've historically supported up to 32 pages (ARG_MAX)\n\t * of argument strings even with small stacks\n\t */\n\tlimit = max_t(unsigned long, limit, ARG_MAX);\n\t/*\n\t * We must account for the size of all the argv and envp pointers to\n\t * the argv and envp strings, since they will also take up space in\n\t * the stack. 
They aren't stored until much later when we can't\n\t * signal to the parent that the child has run out of stack space.\n\t * Instead, calculate it here so it's possible to fail gracefully.\n\t */\n\tptr_size = (bprm->argc + bprm->envc) * sizeof(void *);\n\tif (limit <= ptr_size)\n\t\treturn -E2BIG;\n\tlimit -= ptr_size;\n\n\tbprm->argmin = bprm->p - limit;\n\treturn 0;\n}", "project": "linux", "hash": 330253023904157788050730644361155851667, "size": 43, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375161 }, { "func": "spinlock_t *__pmd_trans_huge_lock(pmd_t *pmd, struct vm_area_struct *vma)\n{\n\tspinlock_t *ptl;\n\tptl = pmd_lock(vma->vm_mm, pmd);\n\tif (likely(is_swap_pmd(*pmd) || pmd_trans_huge(*pmd) ||\n\t\t\tpmd_devmap(*pmd)))\n\t\treturn ptl;\n\tspin_unlock(ptl);\n\treturn NULL;\n}", "project": "linux", "hash": 73967402604277614224056097527754487536, "size": 10, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). 
Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364148 }, { "func": "static ssize_t fuse_direct_read_iter(struct kiocb *iocb, struct iov_iter *to)\n{\n\tssize_t res;\n\n\tif (!is_sync_kiocb(iocb) && iocb->ki_flags & IOCB_DIRECT) {\n\t\tres = fuse_direct_IO(iocb, to);\n\t} else {\n\t\tstruct fuse_io_priv io = FUSE_IO_PRIV_SYNC(iocb);\n\n\t\tres = __fuse_direct_read(&io, to, &iocb->ki_pos);\n\t}\n\n\treturn res;\n}", "project": "linux", "hash": 89299898263301794171600643680355250819, "size": 14, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341976 }, { "func": "void LibRaw::parseSonyMakernotes(\n int base, unsigned tag, unsigned type, unsigned len, unsigned dng_writer,\n uchar *&table_buf_0x0116, ushort &table_buf_0x0116_len,\n uchar *&table_buf_0x2010, ushort &table_buf_0x2010_len,\n uchar *&table_buf_0x9050, ushort &table_buf_0x9050_len,\n uchar *&table_buf_0x9400, ushort &table_buf_0x9400_len,\n uchar *&table_buf_0x9402, ushort &table_buf_0x9402_len,\n uchar *&table_buf_0x9403, ushort &table_buf_0x9403_len,\n uchar *&table_buf_0x9406, ushort &table_buf_0x9406_len,\n uchar *&table_buf_0x940c, ushort &table_buf_0x940c_len,\n uchar *&table_buf_0x940e, ushort &table_buf_0x940e_len)\n{\n\n ushort lid, a, b, c, d;\n uchar *table_buf;\n uchar uc;\n uchar s[2];\n int LensDataValid = 0;\n unsigned uitemp;\n\n if (tag == 0xb001)\n { // Sony ModelID\n unique_id = get2();\n setSonyBodyFeatures(unique_id);\n\n if (table_buf_0x0116_len)\n {\n process_Sony_0x0116(table_buf_0x0116, table_buf_0x0116_len, unique_id);\n free(table_buf_0x0116);\n table_buf_0x0116_len = 0;\n }\n\n if (table_buf_0x2010_len)\n {\n process_Sony_0x2010(table_buf_0x2010, table_buf_0x2010_len);\n free(table_buf_0x2010);\n table_buf_0x2010_len = 0;\n }\n\n if (table_buf_0x9050_len)\n {\n process_Sony_0x9050(table_buf_0x9050, table_buf_0x9050_len, unique_id);\n free(table_buf_0x9050);\n table_buf_0x9050_len = 0;\n }\n\n if (table_buf_0x9400_len)\n {\n process_Sony_0x9400(table_buf_0x9400, table_buf_0x9400_len, unique_id);\n free(table_buf_0x9400);\n table_buf_0x9400_len = 0;\n }\n\n if (table_buf_0x9402_len)\n {\n process_Sony_0x9402(table_buf_0x9402, table_buf_0x9402_len);\n free(table_buf_0x9402);\n table_buf_0x9402_len = 0;\n }\n\n if 
(table_buf_0x9403_len)\n {\n process_Sony_0x9403(table_buf_0x9403, table_buf_0x9403_len);\n free(table_buf_0x9403);\n table_buf_0x9403_len = 0;\n }\n\n if (table_buf_0x9406_len)\n {\n process_Sony_0x9406(table_buf_0x9406, table_buf_0x9406_len);\n free(table_buf_0x9406);\n table_buf_0x9406_len = 0;\n }\n\n if (table_buf_0x940c_len)\n {\n process_Sony_0x940c(table_buf_0x940c, table_buf_0x940c_len);\n free(table_buf_0x940c);\n table_buf_0x940c_len = 0;\n }\n\n if (table_buf_0x940e_len)\n {\n process_Sony_0x940e(table_buf_0x940e, table_buf_0x940e_len, unique_id);\n free(table_buf_0x940e);\n table_buf_0x940e_len = 0;\n }\n }\n else if (tag == 0xb000)\n {\n FORC4 imSony.FileFormat = imSony.FileFormat * 10 + fgetc(ifp);\n }\n else if (tag == 0xb026)\n {\n uitemp = get4();\n if (uitemp != 0xffffffff)\n imgdata.shootinginfo.ImageStabilization = uitemp;\n }\n else if (((tag == 0x0001) || // Minolta CameraSettings, big endian\n (tag == 0x0003)) &&\n (len >= 196))\n {\n table_buf = (uchar *)malloc(len);\n fread(table_buf, len, 1, ifp);\n\n lid = 0x01 << 2;\n imgdata.shootinginfo.ExposureMode =\n (unsigned)table_buf[lid] << 24 | (unsigned)table_buf[lid + 1] << 16 |\n (unsigned)table_buf[lid + 2] << 8 | (unsigned)table_buf[lid + 3];\n\n lid = 0x06 << 2;\n imgdata.shootinginfo.DriveMode =\n (unsigned)table_buf[lid] << 24 | (unsigned)table_buf[lid + 1] << 16 |\n (unsigned)table_buf[lid + 2] << 8 | (unsigned)table_buf[lid + 3];\n\n lid = 0x07 << 2;\n imgdata.shootinginfo.MeteringMode =\n (unsigned)table_buf[lid] << 24 | (unsigned)table_buf[lid + 1] << 16 |\n (unsigned)table_buf[lid + 2] << 8 | (unsigned)table_buf[lid + 3];\n\n lid = 0x25 << 2;\n imSony.MinoltaCamID =\n (unsigned)table_buf[lid] << 24 | (unsigned)table_buf[lid + 1] << 16 |\n (unsigned)table_buf[lid + 2] << 8 | (unsigned)table_buf[lid + 3];\n if (imSony.MinoltaCamID != -1)\n ilm.CamID = imSony.MinoltaCamID;\n\n lid = 0x30 << 2;\n imgdata.shootinginfo.FocusMode =\n (unsigned)table_buf[lid] << 24 | 
(unsigned)table_buf[lid + 1] << 16 |\n (unsigned)table_buf[lid + 2] << 8 | (unsigned)table_buf[lid + 3];\n\n free(table_buf);\n }\n else if ((tag == 0x0004) && // Minolta CameraSettings7D, big endian\n (len >= 227))\n {\n table_buf = (uchar *)malloc(len);\n fread(table_buf, len, 1, ifp);\n\n lid = 0x0;\n imgdata.shootinginfo.ExposureMode =\n (ushort)table_buf[lid] << 8 | (ushort)table_buf[lid + 1];\n\n lid = 0x0e << 1;\n imgdata.shootinginfo.FocusMode =\n (ushort)table_buf[lid] << 8 | (ushort)table_buf[lid + 1];\n\n lid = 0x10 << 1;\n imgdata.shootinginfo.AFPoint =\n (ushort)table_buf[lid] << 8 | (ushort)table_buf[lid + 1];\n\n lid = 0x25 << 1;\n switch ((ushort)table_buf[lid] << 8 | (ushort)table_buf[lid + 1]) {\n case 0:\n case 1:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_sRGB;\n break;\n case 4:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_AdobeRGB;\n break;\n default:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_Unknown;\n break;\n }\n\n lid = 0x71 << 1;\n imgdata.shootinginfo.ImageStabilization =\n (ushort)table_buf[lid] << 8 | (ushort)table_buf[lid + 1];\n\n free(table_buf);\n }\n else if ((tag == 0x0010) && // CameraInfo\n strncasecmp(model, \"DSLR-A100\", 9) &&\n !strncasecmp(make, \"SONY\", 4) &&\n ((len == 368) || // a700 : CameraInfo\n (len == 5478) || // a850, a900 : CameraInfo\n (len == 5506) || // a200, a300, a350 : CameraInfo2\n (len == 6118) || // a230, a290, a330, a380, a390 : CameraInfo2\n (len == 15360)) // a450, a500, a550, a560, a580 : CameraInfo3\n // a33, a35, a55\n // NEX-3, NEX-5, NEX-5C, NEX-C3, NEX-VG10E\n\n )\n {\n table_buf = (uchar *)malloc(len);\n fread(table_buf, len, 1, ifp);\n if (memcmp(table_buf, \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\", 8) &&\n memcmp(table_buf, \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\", 8))\n {\n LensDataValid = 1;\n }\n switch (len)\n {\n case 368: // a700: CameraInfo\n case 5478: // a850, a900: CameraInfo\n if ((!dng_writer) ||\n (saneSonyCameraInfo(table_buf[0], table_buf[3], table_buf[2],\n table_buf[5], 
table_buf[4], table_buf[7])))\n {\n if (LensDataValid)\n {\n if (table_buf[0] | table_buf[3])\n ilm.MinFocal = bcd2dec(table_buf[0]) * 100 + bcd2dec(table_buf[3]);\n if (table_buf[2] | table_buf[5])\n ilm.MaxFocal = bcd2dec(table_buf[2]) * 100 + bcd2dec(table_buf[5]);\n if (table_buf[4])\n ilm.MaxAp4MinFocal = bcd2dec(table_buf[4]) / 10.0f;\n if (table_buf[4])\n ilm.MaxAp4MaxFocal = bcd2dec(table_buf[7]) / 10.0f;\n parseSonyLensFeatures(table_buf[1], table_buf[6]);\n }\n\n imSony.AFPointSelected = table_buf[21];\n imgdata.shootinginfo.AFPoint = (ushort)table_buf[25];\n\n if (len == 5478)\n {\n imSony.AFMicroAdjValue = table_buf[304] - 20;\n imSony.AFMicroAdjOn = (((table_buf[305] & 0x80) == 0x80) ? 1 : 0);\n imSony.AFMicroAdjRegisteredLenses = table_buf[305] & 0x7f;\n }\n }\n break;\n default:\n // CameraInfo2 & 3\n if ((!dng_writer) ||\n (saneSonyCameraInfo(table_buf[1], table_buf[2], table_buf[3],\n table_buf[4], table_buf[5], table_buf[6])))\n {\n if ((LensDataValid) && strncasecmp(model, \"NEX-5C\", 6))\n {\n if (table_buf[1] | table_buf[2])\n ilm.MinFocal = bcd2dec(table_buf[1]) * 100 + bcd2dec(table_buf[2]);\n if (table_buf[3] | table_buf[4])\n ilm.MaxFocal = bcd2dec(table_buf[3]) * 100 + bcd2dec(table_buf[4]);\n if (table_buf[5])\n ilm.MaxAp4MinFocal = bcd2dec(table_buf[5]) / 10.0f;\n if (table_buf[6])\n ilm.MaxAp4MaxFocal = bcd2dec(table_buf[6]) / 10.0f;\n parseSonyLensFeatures(table_buf[0], table_buf[7]);\n }\n\n if (!strncasecmp(model, \"DSLR-A450\", 9) ||\n !strncasecmp(model, \"DSLR-A500\", 9) ||\n !strncasecmp(model, \"DSLR-A550\", 9))\n {\n imSony.AFPointSelected = table_buf[0x14];\n imgdata.shootinginfo.FocusMode = table_buf[0x15];\n imgdata.shootinginfo.AFPoint = (ushort)table_buf[0x18];\n }\n else if (!strncasecmp(model, \"SLT-\", 4) ||\n !strncasecmp(model, \"DSLR-A560\", 9) ||\n !strncasecmp(model, \"DSLR-A580\", 9))\n {\n imSony.AFPointSelected = table_buf[0x1c];\n imgdata.shootinginfo.FocusMode = table_buf[0x1d];\n imgdata.shootinginfo.AFPoint 
= (ushort)table_buf[0x20];\n }\n }\n }\n free(table_buf);\n }\n else if ((!dng_writer) && ((tag == 0x0020) || (tag == 0xb0280020)))\n {\n if (!strncasecmp(model, \"DSLR-A100\", 9))\n { // WBInfoA100\n fseek(ifp, 0x49dc, SEEK_CUR);\n stmread(imgdata.shootinginfo.InternalBodySerial, 13, ifp);\n }\n else if ((len ==\n 19154) || // a200 a230 a290 a300 a330 a350 a380 a390 : FocusInfo\n (len == 19148))\n { // a700 a850 a900 : FocusInfo\n table_buf = (uchar *)malloc(128);\n fread(table_buf, 128, 1, ifp);\n imgdata.shootinginfo.DriveMode = table_buf[14];\n imgdata.shootinginfo.ExposureProgram = table_buf[63];\n free(table_buf);\n }\n else if (len == 20480) // a450 a500 a550 a560 a580 a33 a35 a55 : MoreInfo\n // NEX-3 NEX-5 NEX-C3 NEX-VG10E : MoreInfo\n {\n a = get2();\n b = get2();\n c = get2();\n d = get2();\n if ((a) && (c == 1))\n {\n fseek(ifp, d - 8, SEEK_CUR);\n table_buf = (uchar *)malloc(256);\n fread(table_buf, 256, 1, ifp);\n imgdata.shootinginfo.DriveMode = table_buf[1];\n imgdata.shootinginfo.ExposureProgram = table_buf[2];\n imgdata.shootinginfo.MeteringMode = table_buf[3];\n switch (table_buf[6]) {\n case 1:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_sRGB;\n break;\n case 2:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_AdobeRGB;\n break;\n default:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_Unknown;\n break;\n }\n if (strncasecmp(model, \"DSLR-A450\", 9) &&\n strncasecmp(model, \"DSLR-A500\", 9) &&\n strncasecmp(model, \"DSLR-A550\", 9))\n imgdata.shootinginfo.FocusMode = table_buf[0x13];\n else\n imgdata.shootinginfo.FocusMode = table_buf[0x2c];\n free(table_buf);\n }\n }\n }\n else if (tag == 0x0102)\n {\n imSony.Quality = get4();\n }\n else if (tag == 0x0104)\n {\n imCommon.FlashEC = getreal(type);\n }\n else if (tag == 0x0105)\n { // Teleconverter\n ilm.TeleconverterID = get4();\n }\n else if (tag == 0x0107)\n {\n uitemp = get4();\n if (uitemp == 1)\n imgdata.shootinginfo.ImageStabilization = 0;\n else if (uitemp == 5)\n imgdata.shootinginfo.ImageStabilization 
= 1;\n else\n imgdata.shootinginfo.ImageStabilization = uitemp;\n }\n else if ((tag == 0xb0280088) && (dng_writer == nonDNG))\n {\n thumb_offset = get4() + base;\n }\n else if ((tag == 0xb0280089) && (dng_writer == nonDNG))\n {\n thumb_length = get4();\n }\n else if (((tag == 0x0114) || // CameraSettings\n (tag == 0xb0280114)) &&\n (len < 256000))\n {\n table_buf = (uchar *)malloc(len);\n fread(table_buf, len, 1, ifp);\n switch (len)\n {\n case 260: // Sony a100, big endian\n imgdata.shootinginfo.ExposureMode =\n ((ushort)table_buf[0]) << 8 | ((ushort)table_buf[1]);\n lid = 0x0a << 1;\n imgdata.shootinginfo.DriveMode =\n ((ushort)table_buf[lid]) << 8 | ((ushort)table_buf[lid + 1]);\n lid = 0x0c << 1;\n imgdata.shootinginfo.FocusMode =\n ((ushort)table_buf[lid]) << 8 | ((ushort)table_buf[lid + 1]);\n lid = 0x0d << 1;\n imSony.AFPointSelected = table_buf[lid + 1];\n lid = 0x0e << 1;\n imSony.AFAreaModeSetting = table_buf[lid + 1];\n lid = 0x12 << 1;\n imgdata.shootinginfo.MeteringMode =\n ((ushort)table_buf[lid]) << 8 | ((ushort)table_buf[lid + 1]);\n\n lid = 0x17 << 1;\n switch ((ushort)table_buf[lid] << 8 | (ushort)table_buf[lid + 1]) {\n case 0:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_sRGB;\n break;\n case 2:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_MonochromeGamma;\n break;\n case 5:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_AdobeRGB;\n break;\n default:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_Unknown;\n break;\n }\n\n break;\n case 448: // Minolta \"DYNAX 5D\" and its aliases, big endian\n lid = 0x0a << 1;\n imgdata.shootinginfo.ExposureMode =\n ((ushort)table_buf[lid]) << 8 | ((ushort)table_buf[lid + 1]);\n lid = 0x25 << 1;\n imgdata.shootinginfo.MeteringMode =\n ((ushort)table_buf[lid]) << 8 | ((ushort)table_buf[lid + 1]);\n\n lid = 0x2f << 1;\n switch ((ushort)table_buf[lid] << 8 | (ushort)table_buf[lid + 1]) {\n case 0:\n case 1:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_sRGB;\n break;\n case 2:\n imCommon.ColorSpace = 
LIBRAW_COLORSPACE_MonochromeGamma;\n break;\n case 4:\n case 5:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_AdobeRGB;\n break;\n default:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_Unknown;\n break;\n }\n\n lid = 0xbd << 1;\n imgdata.shootinginfo.ImageStabilization =\n ((ushort)table_buf[lid]) << 8 | ((ushort)table_buf[lid + 1]);\n break;\n case 280: // a200 a300 a350 a700\n case 364: // a850 a900\n // CameraSettings and CameraSettings2 are big endian\n if (table_buf[2] | table_buf[3])\n {\n lid = (((ushort)table_buf[2]) << 8) | ((ushort)table_buf[3]);\n ilm.CurAp = libraw_powf64l(2.0f, ((float)lid / 8.0f - 1.0f) / 2.0f);\n }\n lid = 0x04 << 1;\n imgdata.shootinginfo.DriveMode = table_buf[lid + 1];\n lid = 0x1b << 1;\n switch (((ushort)table_buf[lid]) << 8 | ((ushort)table_buf[lid + 1])) {\n case 0:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_sRGB;\n break;\n case 1:\n case 5:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_AdobeRGB;\n break;\n default:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_Unknown;\n break;\n }\n lid = 0x4d << 1;\n imgdata.shootinginfo.FocusMode =\n ((ushort)table_buf[lid]) << 8 | ((ushort)table_buf[lid + 1]);\n if (!imCommon.ColorSpace ||\n (imCommon.ColorSpace == LIBRAW_COLORSPACE_Unknown)) {\n lid = 0x83 << 1;\n switch (((ushort)table_buf[lid]) << 8 | ((ushort)table_buf[lid + 1])) {\n case 6:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_sRGB;\n break;\n case 5:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_AdobeRGB;\n break;\n default:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_Unknown;\n break;\n }\n }\n break;\n case 332: // a230 a290 a330 a380 a390\n // CameraSettings and CameraSettings2 are big endian\n if (table_buf[2] | table_buf[3])\n {\n lid = (((ushort)table_buf[2]) << 8) | ((ushort)table_buf[3]);\n ilm.CurAp = libraw_powf64l(2.0f, ((float)lid / 8.0f - 1.0f) / 2.0f);\n }\n lid = 0x4d << 1;\n imgdata.shootinginfo.FocusMode =\n ((ushort)table_buf[lid]) << 8 | ((ushort)table_buf[lid + 1]);\n lid = 0x7e << 1;\n imgdata.shootinginfo.DriveMode = 
table_buf[lid + 1];\n break;\n case 1536: // a560 a580 a33 a35 a55 NEX-3 NEX-5 NEX-5C NEX-C3 NEX-VG10E\n case 2048: // a450 a500 a550\n // CameraSettings3 are little endian\n switch (table_buf[0x0e]) {\n case 1:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_sRGB;\n break;\n case 2:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_AdobeRGB;\n break;\n default:\n imCommon.ColorSpace = LIBRAW_COLORSPACE_Unknown;\n break;\n }\n imgdata.shootinginfo.DriveMode = table_buf[0x34];\n parseSonyLensType2(table_buf[1016], table_buf[1015]);\n if (ilm.LensMount != LIBRAW_MOUNT_Canon_EF)\n {\n switch (table_buf[153])\n {\n case 16:\n ilm.LensMount = LIBRAW_MOUNT_Minolta_A;\n break;\n case 17:\n ilm.LensMount = LIBRAW_MOUNT_Sony_E;\n break;\n }\n }\n break;\n }\n free(table_buf);\n }\n else if ((tag == 0x3000) && (len < 256000))\n {\n table_buf = (uchar *)malloc(len);\n fread(table_buf, len, 1, ifp);\n for (int i = 0; i < 20; i++)\n imSony.SonyDateTime[i] = table_buf[6 + i];\n free(table_buf);\n }\n else if (tag == 0x0116 && len < 256000)\n {\n table_buf_0x0116 = (uchar *)malloc(len);\n table_buf_0x0116_len = len;\n fread(table_buf_0x0116, len, 1, ifp);\n if (ilm.CamID)\n {\n process_Sony_0x0116(table_buf_0x0116, table_buf_0x0116_len, ilm.CamID);\n free(table_buf_0x0116);\n table_buf_0x0116_len = 0;\n }\n }\n else if (tag == 0x2008)\n {\n imSony.LongExposureNoiseReduction = get4();\n }\n else if (tag == 0x2009)\n {\n imSony.HighISONoiseReduction = get2();\n }\n else if (tag == 0x200a)\n {\n imSony.HDR[0] = get2();\n imSony.HDR[1] = get2();\n }\n else if (tag == 0x2010 && len < 256000)\n {\n table_buf_0x2010 = (uchar *)malloc(len);\n table_buf_0x2010_len = len;\n fread(table_buf_0x2010, len, 1, ifp);\n if (ilm.CamID)\n {\n process_Sony_0x2010(table_buf_0x2010, table_buf_0x2010_len);\n free(table_buf_0x2010);\n table_buf_0x2010_len = 0;\n }\n }\n else if (tag == 0x201a)\n {\n imSony.ElectronicFrontCurtainShutter = get4();\n }\n else if (tag == 0x201b)\n {\n if ((imSony.CameraType != 
LIBRAW_SONY_DSC) ||\n (ilm.CamID == SonyID_DSC_RX10M4) ||\n (ilm.CamID == SonyID_DSC_RX100M6) ||\n (ilm.CamID == SonyID_DSC_RX100M5A) ||\n (ilm.CamID == SonyID_DSC_RX0M2) ||\n (ilm.CamID == SonyID_DSC_RX100M7))\n {\n fread(&uc, 1, 1, ifp);\n imgdata.shootinginfo.FocusMode = (short)uc;\n }\n }\n else if (tag == 0x201c)\n {\n if ((imSony.CameraType != LIBRAW_SONY_DSC) ||\n (ilm.CamID == SonyID_DSC_RX10M4) ||\n (ilm.CamID == SonyID_DSC_RX100M6) ||\n (ilm.CamID == SonyID_DSC_RX100M5A) ||\n (ilm.CamID == SonyID_DSC_RX0M2) ||\n (ilm.CamID == SonyID_DSC_RX100M7))\n {\n imSony.AFAreaModeSetting = fgetc(ifp);\n }\n }\n else if (tag == 0x201d)\n {\n if (((imSony.AFAreaModeSetting == 3) &&\n ((imSony.CameraType == LIBRAW_SONY_ILCE) ||\n (imSony.CameraType == LIBRAW_SONY_NEX) ||\n (ilm.CamID == SonyID_DSC_RX10M4) ||\n (ilm.CamID == SonyID_DSC_RX100M6) ||\n (ilm.CamID == SonyID_DSC_RX100M5A) ||\n (ilm.CamID == SonyID_DSC_RX0M2) ||\n (ilm.CamID == SonyID_DSC_RX100M7))) ||\n ((imSony.AFAreaModeSetting == 4) &&\n (imSony.CameraType == LIBRAW_SONY_ILCA)))\n {\n imSony.FlexibleSpotPosition[0] = get2();\n imSony.FlexibleSpotPosition[1] = get2();\n }\n }\n else if (tag == 0x201e)\n {\n if (imSony.CameraType != LIBRAW_SONY_DSC)\n {\n imSony.AFPointSelected = fgetc(ifp);\n }\n }\n else if (tag == 0x2020)\n {\n if (imSony.CameraType != LIBRAW_SONY_DSC)\n {\n fread(imSony.AFPointsUsed, 1, 10, ifp);\n }\n }\n else if (tag == 0x2021)\n {\n if ((imSony.CameraType != LIBRAW_SONY_DSC) ||\n (ilm.CamID == SonyID_DSC_RX10M4) ||\n (ilm.CamID == SonyID_DSC_RX100M6) ||\n (ilm.CamID == SonyID_DSC_RX100M5A) ||\n (ilm.CamID == SonyID_DSC_RX0M2) ||\n (ilm.CamID == SonyID_DSC_RX100M7))\n {\n imSony.AFTracking = fgetc(ifp);\n }\n }\n else if (tag == 0x2027)\n {\n FORC4 imSony.FocusLocation[c] = get2();\n }\n else if (tag == 0x2028)\n {\n if (get2())\n {\n imSony.VariableLowPassFilter = get2();\n }\n }\n else if (tag == 0x2029)\n {\n imSony.RAWFileType = get2();\n }\n else if (tag == 0x202c)\n {\n 
imSony.MeteringMode2 = get2();\n }\n else if (tag == 0x202f)\n {\n imSony.PixelShiftGroupID = get4();\n imSony.PixelShiftGroupPrefix = imSony.PixelShiftGroupID >> 22;\n imSony.PixelShiftGroupID =\n ((imSony.PixelShiftGroupID >> 17) & (unsigned)0x1f) *\n (unsigned)1000000 +\n ((imSony.PixelShiftGroupID >> 12) & (unsigned)0x1f) * (unsigned)10000 +\n ((imSony.PixelShiftGroupID >> 6) & (unsigned)0x3f) * (unsigned)100 +\n (imSony.PixelShiftGroupID & (unsigned)0x3f);\n\n imSony.numInPixelShiftGroup = fgetc(ifp);\n imSony.nShotsInPixelShiftGroup = fgetc(ifp);\n }\n else if (tag == 0x9050 && len < 256000)\n { // little endian\n table_buf_0x9050 = (uchar *)malloc(len);\n table_buf_0x9050_len = len;\n fread(table_buf_0x9050, len, 1, ifp);\n\n if (ilm.CamID)\n {\n process_Sony_0x9050(table_buf_0x9050, table_buf_0x9050_len, ilm.CamID);\n free(table_buf_0x9050);\n table_buf_0x9050_len = 0;\n }\n }\n else if (tag == 0x9400 && len < 256000)\n {\n table_buf_0x9400 = (uchar *)malloc(len);\n table_buf_0x9400_len = len;\n fread(table_buf_0x9400, len, 1, ifp);\n if (ilm.CamID)\n {\n process_Sony_0x9400(table_buf_0x9400, table_buf_0x9400_len, unique_id);\n free(table_buf_0x9400);\n table_buf_0x9400_len = 0;\n }\n }\n else if (tag == 0x9402 && len < 256000)\n {\n table_buf_0x9402 = (uchar *)malloc(len);\n table_buf_0x9402_len = len;\n fread(table_buf_0x9402, len, 1, ifp);\n if (ilm.CamID)\n {\n process_Sony_0x9402(table_buf_0x9402, table_buf_0x9402_len);\n free(table_buf_0x9402);\n table_buf_0x9402_len = 0;\n }\n }\n else if (tag == 0x9403 && len < 256000)\n {\n table_buf_0x9403 = (uchar *)malloc(len);\n table_buf_0x9403_len = len;\n fread(table_buf_0x9403, len, 1, ifp);\n if (ilm.CamID)\n {\n process_Sony_0x9403(table_buf_0x9403, table_buf_0x9403_len);\n free(table_buf_0x9403);\n table_buf_0x9403_len = 0;\n }\n }\n else if ((tag == 0x9405) && (len < 256000) && (len > 0x64))\n {\n table_buf = (uchar *)malloc(len);\n fread(table_buf, len, 1, ifp);\n uc = table_buf[0x0];\n if 
(imCommon.real_ISO < 0.1f)\n {\n if ((uc == 0x25) || (uc == 0x3a) || (uc == 0x76) || (uc == 0x7e) ||\n (uc == 0x8b) || (uc == 0x9a) || (uc == 0xb3) || (uc == 0xe1))\n {\n s[0] = SonySubstitution[table_buf[0x04]];\n s[1] = SonySubstitution[table_buf[0x05]];\n imCommon.real_ISO =\n 100.0f * libraw_powf64l(2.0f, (16 - ((float)sget2(s)) / 256.0f));\n }\n }\n free(table_buf);\n }\n else if (tag == 0x9406 && len < 256000)\n {\n table_buf_0x9406 = (uchar *)malloc(len);\n table_buf_0x9406_len = len;\n fread(table_buf_0x9406, len, 1, ifp);\n if (ilm.CamID)\n {\n process_Sony_0x9406(table_buf_0x9406, table_buf_0x9406_len);\n free(table_buf_0x9406);\n table_buf_0x9406_len = 0;\n }\n }\n else if (tag == 0x940c && len < 256000)\n {\n table_buf_0x940c = (uchar *)malloc(len);\n table_buf_0x940c_len = len;\n fread(table_buf_0x940c, len, 1, ifp);\n if (ilm.CamID)\n {\n process_Sony_0x940c(table_buf_0x940c, table_buf_0x940c_len);\n free(table_buf_0x940c);\n table_buf_0x940c_len = 0;\n }\n }\n else if (tag == 0x940e && len < 256000)\n {\n table_buf_0x940e = (uchar *)malloc(len);\n table_buf_0x940e_len = len;\n fread(table_buf_0x940e, len, 1, ifp);\n if (ilm.CamID)\n {\n process_Sony_0x940e(table_buf_0x940e, table_buf_0x940e_len, ilm.CamID);\n free(table_buf_0x940e);\n table_buf_0x940e_len = 0;\n }\n }\n else if (((tag == 0xb027) || (tag == 0x010c)) && (ilm.LensID == -1))\n {\n ilm.LensID = get4();\n// printf (\"==>> 1: ilm.LensID %lld\\n\", ilm.LensID);\n if ((ilm.LensID > 0x4900) && (ilm.LensID <= 0x5900))\n {\n ilm.AdapterID = 0x4900;\n ilm.LensID -= ilm.AdapterID;\n ilm.LensMount = LIBRAW_MOUNT_Sigma_X3F;\n strcpy(ilm.Adapter, \"MC-11\");\n }\n\n else if ((ilm.LensID > 0xef00) && (ilm.LensID < 0xffff) &&\n (ilm.LensID != 0xff00))\n {\n ilm.AdapterID = 0xef00;\n ilm.LensID -= ilm.AdapterID;\n ilm.LensMount = LIBRAW_MOUNT_Canon_EF;\n }\n\n else if (((ilm.LensID != -1) && (ilm.LensID < 0xef00)) ||\n (ilm.LensID == 0xff00))\n ilm.LensMount = LIBRAW_MOUNT_Minolta_A;\n /*\n if (tag == 
0x010c)\n ilm.CameraMount = LIBRAW_MOUNT_Minolta_A;\n */\n }\n else if (tag == 0xb02a && len < 256000)\n { // Sony LensSpec\n table_buf = (uchar *)malloc(len);\n fread(table_buf, len, 1, ifp);\n if ((!dng_writer) ||\n (saneSonyCameraInfo(table_buf[1], table_buf[2], table_buf[3],\n table_buf[4], table_buf[5], table_buf[6])))\n {\n if (table_buf[1] | table_buf[2])\n ilm.MinFocal = bcd2dec(table_buf[1]) * 100 + bcd2dec(table_buf[2]);\n if (table_buf[3] | table_buf[4])\n ilm.MaxFocal = bcd2dec(table_buf[3]) * 100 + bcd2dec(table_buf[4]);\n if (table_buf[5])\n ilm.MaxAp4MinFocal = bcd2dec(table_buf[5]) / 10.0f;\n if (table_buf[6])\n ilm.MaxAp4MaxFocal = bcd2dec(table_buf[6]) / 10.0f;\n parseSonyLensFeatures(table_buf[0], table_buf[7]);\n }\n free(table_buf);\n }\n else if ((tag == 0xb02b) && !imgdata.sizes.raw_inset_crop.cwidth &&\n (len == 2))\n {\n imgdata.sizes.raw_inset_crop.cheight = get4();\n imgdata.sizes.raw_inset_crop.cwidth = get4();\n }\n else if (tag == 0xb041)\n {\n imgdata.shootinginfo.ExposureMode = get2();\n }\n\n // MetaVersion: (unique_id >= 286)\n}", "project": "LibRaw", "hash": 54451953429109223616327222263443076587, "size": 819, "commit_id": "c243f4539233053466c1309bde606815351bee81", "message": "additional checks in parseSonySRF\n\nparseSonySR2: buffer size check", "target": 0, "dataset": "other", "idx": 394105 }, { "func": "static int gap_try(int x, int y, int *run, int *saw, int along_x) {\n\tint n, m, i, xt, yt, ct;\n\n\tn = x + y * ntiles_x;\n\n\tif (! tile_has_diff[n]) {\n\t\tif (*saw) {\n\t\t\t(*run)++;\t/* extend the gap run. */\n\t\t}\n\t\treturn 0;\n\t}\n\tif (! *saw || *run == 0 || *run > gaps_fill) {\n\t\t*run = 0;\t\t/* unacceptable run. */\n\t\t*saw = 1;\n\t\treturn 0;\n\t}\n\n\tfor (i=1; i <= *run; i++) {\t/* iterate thru the run. 
*/\n\t\tif (along_x) {\n\t\t\txt = x - i;\n\t\t\tyt = y;\n\t\t} else {\n\t\t\txt = x;\n\t\t\tyt = y - i;\n\t\t}\n\n\t\tm = xt + yt * ntiles_x;\n\t\tif (tile_tried[m]) {\t/* do not repeat tiles */\n\t\t\tcontinue;\n\t\t}\n\n\t\tct = copy_tiles(xt, yt, 1);\n\t\tif (ct < 0) return ct;\t/* fatal */\n\t}\n\t*run = 0;\n\t*saw = 1;\n\treturn 1;\n}", "project": "x11vnc", "hash": 162057009801367517866035772692724057199, "size": 38, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360760 }, { "func": "bool pb_decode_delimited(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)\n{\n pb_istream_t substream;\n bool status;\n \n if (!pb_make_string_substream(stream, &substream))\n return false;\n \n status = pb_decode(&substream, fields, dest_struct);\n\n if (!pb_close_string_substream(stream, &substream))\n return false;\n return status;\n}", "project": "nanopb", "hash": 203318096790203625102847260882185086120, "size": 14, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252498 }, { "func": "bool pb_decode_delimited(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)\n{\n pb_istream_t substream;\n bool status;\n \n if (!pb_make_string_substream(stream, &substream))\n return false;\n \n status = pb_decode(&substream, fields, dest_struct);\n pb_close_string_substream(stream, &substream);\n return status;\n}", "project": "nanopb", "hash": 29548138857341153839350569521320983988, "size": 12, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255338 }, { "func": "void luaD_callnoyield (lua_State *L, StkId func, int nResults) {\n incXCcalls(L);\n if (getCcalls(L) <= CSTACKERR) /* 
possible stack overflow? */\n luaE_freeCI(L);\n luaD_call(L, func, nResults);\n decXCcalls(L);\n}", "project": "lua", "hash": 156964113476265802309004545976693990252, "size": 7, "commit_id": "34affe7a63fc5d842580a9f23616d057e17dfe27", "message": "Fixed bug: 'luaD_callnoyield' called twice in a row\n\nIn luaD_callnoyield, when there is a possible stack overflow, it\nzeros the number of CallInfos to force a check when calling the\nfunction. However, if the \"function\" is not a function, the code will\nraise an error before checking the stack. Then, the error handling calls\nluaD_callnoyield again and nCcalls is decremented again, crossing the\nstack redzone without raising an error. (This loop can only happens\nonce, because the error handler must be a function. But once is enough\nto cross the redzone.)", "target": 1, "dataset": "other", "idx": 211977 }, { "func": "void luaD_callnoyield (lua_State *L, StkId func, int nResults) {\n incXCcalls(L);\n if (getCcalls(L) <= CSTACKERR) { /* possible C stack overflow? */\n luaE_exitCcall(L); /* to compensate decrement in next call */\n luaE_enterCcall(L); /* check properly */\n }\n luaD_call(L, func, nResults);\n decXCcalls(L);\n}", "project": "lua", "hash": 284813496960113122553300230525776419698, "size": 9, "commit_id": "34affe7a63fc5d842580a9f23616d057e17dfe27", "message": "Fixed bug: 'luaD_callnoyield' called twice in a row\n\nIn luaD_callnoyield, when there is a possible stack overflow, it\nzeros the number of CallInfos to force a check when calling the\nfunction. However, if the \"function\" is not a function, the code will\nraise an error before checking the stack. Then, the error handling calls\nluaD_callnoyield again and nCcalls is decremented again, crossing the\nstack redzone without raising an error. (This loop can only happens\nonce, because the error handler must be a function. 
But once is enough\nto cross the redzone.)", "target": 0, "dataset": "other", "idx": 454326 }, { "func": "DLLEXPORT int DLLCALL tjTransform(tjhandle handle,\n\tconst unsigned char *jpegBuf, unsigned long jpegSize, int n,\n\tunsigned char **dstBufs, unsigned long *dstSizes, tjtransform *t, int flags)\n{\n\tjpeg_transform_info *xinfo=NULL;\n\tjvirt_barray_ptr *srccoefs, *dstcoefs;\n\tint retval=0, i, jpegSubsamp;\n\n\tgetinstance(handle);\n\tif((this->init&COMPRESS)==0 || (this->init&DECOMPRESS)==0)\n\t\t_throw(\"tjTransform(): Instance has not been initialized for transformation\");\n\n\tif(jpegBuf==NULL || jpegSize<=0 || n<1 || dstBufs==NULL || dstSizes==NULL\n\t\t|| t==NULL || flags<0)\n\t\t_throw(\"tjTransform(): Invalid argument\");\n\n#ifndef NO_PUTENV\n\tif(flags&TJFLAG_FORCEMMX) putenv(\"JSIMD_FORCEMMX=1\");\n\telse if(flags&TJFLAG_FORCESSE) putenv(\"JSIMD_FORCESSE=1\");\n\telse if(flags&TJFLAG_FORCESSE2) putenv(\"JSIMD_FORCESSE2=1\");\n#endif\n\n\tif((xinfo=(jpeg_transform_info *)malloc(sizeof(jpeg_transform_info)*n))\n\t\t==NULL)\n\t\t_throw(\"tjTransform(): Memory allocation failure\");\n\tMEMZERO(xinfo, sizeof(jpeg_transform_info)*n);\n\n\tif(setjmp(this->jerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. 
*/\n\t\tretval=-1; goto bailout;\n\t}\n\n\tjpeg_mem_src_tj(dinfo, jpegBuf, jpegSize);\n\n\tfor(i=0; iimage_width; h=dinfo->image_height;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tw=xinfo[i].crop_width; h=xinfo[i].crop_height;\n\t\t}\n\t\tif(flags&TJFLAG_NOREALLOC)\n\t\t{\n\t\t\talloc=0; dstSizes[i]=tjBufSize(w, h, jpegSubsamp);\n\t\t}\n\t\tif(!(t[i].options&TJXOPT_NOOUTPUT))\n\t\t\tjpeg_mem_dest_tj(cinfo, &dstBufs[i], &dstSizes[i], alloc);\n\t\tjpeg_copy_critical_parameters(dinfo, cinfo);\n\t\tdstcoefs=jtransform_adjust_parameters(dinfo, cinfo, srccoefs,\n\t\t\t&xinfo[i]);\n\t\tif(!(t[i].options&TJXOPT_NOOUTPUT))\n\t\t{\n\t\t\tjpeg_write_coefficients(cinfo, dstcoefs);\n\t\t\tjcopy_markers_execute(dinfo, cinfo, JCOPYOPT_ALL);\n\t\t}\n\t\telse jinit_c_master_control(cinfo, TRUE);\n\t\tjtransform_execute_transformation(dinfo, cinfo, srccoefs,\n\t\t\t&xinfo[i]);\n\t\tif(t[i].customFilter)\n\t\t{\n\t\t\tint ci, y; JDIMENSION by;\n\t\t\tfor(ci=0; cinum_components; ci++)\n\t\t\t{\n\t\t\t\tjpeg_component_info *compptr=&cinfo->comp_info[ci];\n\t\t\t\ttjregion arrayRegion={0, 0, compptr->width_in_blocks*DCTSIZE,\n\t\t\t\t\tDCTSIZE};\n\t\t\t\ttjregion planeRegion={0, 0, compptr->width_in_blocks*DCTSIZE,\n\t\t\t\t\tcompptr->height_in_blocks*DCTSIZE};\n\t\t\t\tfor(by=0; byheight_in_blocks; by+=compptr->v_samp_factor)\n\t\t\t\t{\n\t\t\t\t\tJBLOCKARRAY barray=(dinfo->mem->access_virt_barray)\n\t\t\t\t\t\t((j_common_ptr)dinfo, dstcoefs[ci], by, compptr->v_samp_factor,\n\t\t\t\t\t\tTRUE);\n\t\t\t\t\tfor(y=0; yv_samp_factor; y++)\n\t\t\t\t\t{\n\t\t\t\t\t\tif(t[i].customFilter(barray[y][0], arrayRegion, planeRegion,\n\t\t\t\t\t\t\tci, i, &t[i])==-1)\n\t\t\t\t\t\t\t_throw(\"tjTransform(): Error in custom filter\");\n\t\t\t\t\t\tarrayRegion.y+=DCTSIZE;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif(!(t[i].options&TJXOPT_NOOUTPUT)) jpeg_finish_compress(cinfo);\n\t}\n\n\tjpeg_finish_decompress(dinfo);\n\n\tbailout:\n\tif(cinfo->global_state>CSTATE_START) 
jpeg_abort_compress(cinfo);\n\tif(dinfo->global_state>DSTATE_START) jpeg_abort_decompress(dinfo);\n\tif(xinfo) free(xinfo);\n\tif(this->jerr.warning) retval=-1;\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 66701937992471775913032121670361598702, "size": 154, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311097 }, { "func": "int ecryptfs_encrypt_page(struct page *page)\n{\n\tstruct inode *ecryptfs_inode;\n\tstruct ecryptfs_crypt_stat *crypt_stat;\n\tchar *enc_extent_virt;\n\tstruct page *enc_extent_page = NULL;\n\tloff_t extent_offset;\n\tint rc = 0;\n\n\tecryptfs_inode = page->mapping->host;\n\tcrypt_stat =\n\t\t&(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);\n\tif (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) {\n\t\trc = ecryptfs_write_lower_page_segment(ecryptfs_inode, page,\n\t\t\t\t\t\t 0, PAGE_CACHE_SIZE);\n\t\tif (rc)\n\t\t\tprintk(KERN_ERR \"%s: Error attempting to copy \"\n\t\t\t \"page at index [%ld]\\n\", __func__,\n\t\t\t page->index);\n\t\tgoto out;\n\t}\n\tenc_extent_page = alloc_page(GFP_USER);\n\tif (!enc_extent_page) {\n\t\trc = -ENOMEM;\n\t\tecryptfs_printk(KERN_ERR, \"Error allocating memory for \"\n\t\t\t\t\"encrypted extent\\n\");\n\t\tgoto out;\n\t}\n\tenc_extent_virt = kmap(enc_extent_page);\n\tfor (extent_offset = 0;\n\t extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size);\n\t extent_offset++) {\n\t\tloff_t offset;\n\n\t\trc = ecryptfs_encrypt_extent(enc_extent_page, crypt_stat, page,\n\t\t\t\t\t extent_offset);\n\t\tif (rc) {\n\t\t\tprintk(KERN_ERR \"%s: Error encrypting extent; \"\n\t\t\t \"rc = [%d]\\n\", __func__, rc);\n\t\t\tgoto out;\n\t\t}\n\t\tecryptfs_lower_offset_for_extent(\n\t\t\t&offset, ((((loff_t)page->index)\n\t\t\t\t * (PAGE_CACHE_SIZE\n\t\t\t\t / crypt_stat->extent_size))\n\t\t\t\t + 
extent_offset), crypt_stat);\n\t\trc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt,\n\t\t\t\t\t offset, crypt_stat->extent_size);\n\t\tif (rc) {\n\t\t\tecryptfs_printk(KERN_ERR, \"Error attempting \"\n\t\t\t\t\t\"to write lower page; rc = [%d]\"\n\t\t\t\t\t\"\\n\", rc);\n\t\t\tgoto out;\n\t\t}\n\t}\nout:\n\tif (enc_extent_page) {\n\t\tkunmap(enc_extent_page);\n\t\t__free_page(enc_extent_page);\n\t}\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 130360366827493636825596341250589579669, "size": 62, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. 
Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490208 }, { "func": "static int parse_playlist(HLSContext *c, const char *url,\n struct playlist *pls, AVIOContext *in)\n{\n int ret = 0, is_segment = 0, is_variant = 0;\n int64_t duration = 0;\n enum KeyType key_type = KEY_NONE;\n uint8_t iv[16] = \"\";\n int has_iv = 0;\n char key[MAX_URL_SIZE] = \"\";\n char line[MAX_URL_SIZE];\n const char *ptr;\n int close_in = 0;\n int64_t seg_offset = 0;\n int64_t seg_size = -1;\n uint8_t *new_url = NULL;\n struct variant_info variant_info;\n char tmp_str[MAX_URL_SIZE];\n struct segment *cur_init_section = NULL;\n\n if (!in) {\n#if 1\n AVDictionary *opts = NULL;\n close_in = 1;\n /* Some HLS servers don't like being sent the range header */\n av_dict_set(&opts, \"seekable\", \"0\", 0);\n\n // broker prior HTTP options that should be consistent across requests\n av_dict_set(&opts, \"user-agent\", c->user_agent, 0);\n av_dict_set(&opts, \"cookies\", c->cookies, 0);\n av_dict_set(&opts, \"headers\", c->headers, 0);\n\n ret = avio_open2(&in, url, AVIO_FLAG_READ,\n c->interrupt_callback, &opts);\n av_dict_free(&opts);\n if (ret < 0)\n return ret;\n#else\n ret = open_in(c, &in, url);\n if (ret < 0)\n return ret;\n close_in = 1;\n#endif\n }\n\n if (av_opt_get(in, \"location\", AV_OPT_SEARCH_CHILDREN, &new_url) >= 0)\n url = new_url;\n\n read_chomp_line(in, line, sizeof(line));\n if (strcmp(line, \"#EXTM3U\")) {\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n\n if (pls) {\n free_segment_list(pls);\n pls->finished = 0;\n pls->type = PLS_TYPE_UNSPECIFIED;\n }\n while (!avio_feof(in)) {\n read_chomp_line(in, line, sizeof(line));\n if (av_strstart(line, \"#EXT-X-STREAM-INF:\", &ptr)) {\n is_variant = 1;\n memset(&variant_info, 0, 
sizeof(variant_info));\n ff_parse_key_value(ptr, (ff_parse_key_val_cb) handle_variant_args,\n &variant_info);\n } else if (av_strstart(line, \"#EXT-X-KEY:\", &ptr)) {\n struct key_info info = {{0}};\n ff_parse_key_value(ptr, (ff_parse_key_val_cb) handle_key_args,\n &info);\n key_type = KEY_NONE;\n has_iv = 0;\n if (!strcmp(info.method, \"AES-128\"))\n key_type = KEY_AES_128;\n if (!strcmp(info.method, \"SAMPLE-AES\"))\n key_type = KEY_SAMPLE_AES;\n if (!strncmp(info.iv, \"0x\", 2) || !strncmp(info.iv, \"0X\", 2)) {\n ff_hex_to_data(iv, info.iv + 2);\n has_iv = 1;\n }\n av_strlcpy(key, info.uri, sizeof(key));\n } else if (av_strstart(line, \"#EXT-X-MEDIA:\", &ptr)) {\n struct rendition_info info = {{0}};\n ff_parse_key_value(ptr, (ff_parse_key_val_cb) handle_rendition_args,\n &info);\n new_rendition(c, &info, url);\n } else if (av_strstart(line, \"#EXT-X-TARGETDURATION:\", &ptr)) {\n ret = ensure_playlist(c, &pls, url);\n if (ret < 0)\n goto fail;\n pls->target_duration = atoi(ptr) * AV_TIME_BASE;\n } else if (av_strstart(line, \"#EXT-X-MEDIA-SEQUENCE:\", &ptr)) {\n ret = ensure_playlist(c, &pls, url);\n if (ret < 0)\n goto fail;\n pls->start_seq_no = atoi(ptr);\n } else if (av_strstart(line, \"#EXT-X-PLAYLIST-TYPE:\", &ptr)) {\n ret = ensure_playlist(c, &pls, url);\n if (ret < 0)\n goto fail;\n if (!strcmp(ptr, \"EVENT\"))\n pls->type = PLS_TYPE_EVENT;\n else if (!strcmp(ptr, \"VOD\"))\n pls->type = PLS_TYPE_VOD;\n } else if (av_strstart(line, \"#EXT-X-MAP:\", &ptr)) {\n struct init_section_info info = {{0}};\n ret = ensure_playlist(c, &pls, url);\n if (ret < 0)\n goto fail;\n ff_parse_key_value(ptr, (ff_parse_key_val_cb) handle_init_section_args,\n &info);\n cur_init_section = new_init_section(pls, &info, url);\n } else if (av_strstart(line, \"#EXT-X-ENDLIST\", &ptr)) {\n if (pls)\n pls->finished = 1;\n } else if (av_strstart(line, \"#EXTINF:\", &ptr)) {\n is_segment = 1;\n duration = atof(ptr) * AV_TIME_BASE;\n } else if (av_strstart(line, \"#EXT-X-BYTERANGE:\", 
&ptr)) {\n seg_size = atoi(ptr);\n ptr = strchr(ptr, '@');\n if (ptr)\n seg_offset = atoi(ptr+1);\n } else if (av_strstart(line, \"#\", NULL)) {\n continue;\n } else if (line[0]) {\n if (is_variant) {\n if (!new_variant(c, &variant_info, line, url)) {\n ret = AVERROR(ENOMEM);\n goto fail;\n }\n is_variant = 0;\n }\n if (is_segment) {\n struct segment *seg;\n if (!pls) {\n if (!new_variant(c, 0, url, NULL)) {\n ret = AVERROR(ENOMEM);\n goto fail;\n }\n pls = c->playlists[c->n_playlists - 1];\n }\n seg = av_malloc(sizeof(struct segment));\n if (!seg) {\n ret = AVERROR(ENOMEM);\n goto fail;\n }\n seg->duration = duration;\n seg->key_type = key_type;\n if (has_iv) {\n memcpy(seg->iv, iv, sizeof(iv));\n } else {\n int seq = pls->start_seq_no + pls->n_segments;\n memset(seg->iv, 0, sizeof(seg->iv));\n AV_WB32(seg->iv + 12, seq);\n }\n\n if (key_type != KEY_NONE) {\n ff_make_absolute_url(tmp_str, sizeof(tmp_str), url, key);\n seg->key = av_strdup(tmp_str);\n if (!seg->key) {\n av_free(seg);\n ret = AVERROR(ENOMEM);\n goto fail;\n }\n } else {\n seg->key = NULL;\n }\n\n ff_make_absolute_url(tmp_str, sizeof(tmp_str), url, line);\n seg->url = av_strdup(tmp_str);\n if (!seg->url) {\n av_free(seg->key);\n av_free(seg);\n ret = AVERROR(ENOMEM);\n goto fail;\n }\n\n dynarray_add(&pls->segments, &pls->n_segments, seg);\n is_segment = 0;\n\n seg->size = seg_size;\n if (seg_size >= 0) {\n seg->url_offset = seg_offset;\n seg_offset += seg_size;\n seg_size = -1;\n } else {\n seg->url_offset = 0;\n seg_offset = 0;\n }\n\n seg->init_section = cur_init_section;\n }\n }\n }\n if (pls)\n pls->last_load_time = av_gettime_relative();\n\nfail:\n av_free(new_url);\n if (close_in)\n avio_close(in);\n return ret;\n}", "project": "FFmpeg", "hash": 322685302452455197251925283777640246074, "size": 203, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is 
smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 1, "dataset": "other", "idx": 198208 }, { "func": "static int parse_playlist(HLSContext *c, const char *url,\n struct playlist *pls, AVIOContext *in)\n{\n int ret = 0, is_segment = 0, is_variant = 0;\n int64_t duration = 0;\n enum KeyType key_type = KEY_NONE;\n uint8_t iv[16] = \"\";\n int has_iv = 0;\n char key[MAX_URL_SIZE] = \"\";\n char line[MAX_URL_SIZE];\n const char *ptr;\n int close_in = 0;\n int64_t seg_offset = 0;\n int64_t seg_size = -1;\n uint8_t *new_url = NULL;\n struct variant_info variant_info;\n char tmp_str[MAX_URL_SIZE];\n struct segment *cur_init_section = NULL;\n\n if (!in) {\n#if 1\n AVDictionary *opts = NULL;\n close_in = 1;\n /* Some HLS servers don't like being sent the range header */\n av_dict_set(&opts, \"seekable\", \"0\", 0);\n\n // broker prior HTTP options that should be consistent across requests\n av_dict_set(&opts, \"user-agent\", c->user_agent, 0);\n av_dict_set(&opts, \"cookies\", c->cookies, 0);\n av_dict_set(&opts, \"headers\", c->headers, 0);\n\n ret = avio_open2(&in, url, AVIO_FLAG_READ,\n c->interrupt_callback, &opts);\n av_dict_free(&opts);\n if (ret < 0)\n return ret;\n#else\n ret = open_in(c, &in, url);\n if (ret < 0)\n return ret;\n close_in = 1;\n#endif\n }\n\n if (av_opt_get(in, \"location\", AV_OPT_SEARCH_CHILDREN, &new_url) >= 0)\n url = new_url;\n\n read_chomp_line(in, line, sizeof(line));\n if (strcmp(line, \"#EXTM3U\")) {\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n\n if (pls) {\n free_segment_list(pls);\n pls->finished = 0;\n pls->type = PLS_TYPE_UNSPECIFIED;\n }\n while (!avio_feof(in)) {\n read_chomp_line(in, line, sizeof(line));\n if (av_strstart(line, \"#EXT-X-STREAM-INF:\", &ptr)) {\n is_variant = 1;\n memset(&variant_info, 0, sizeof(variant_info));\n ff_parse_key_value(ptr, (ff_parse_key_val_cb) handle_variant_args,\n &variant_info);\n } else if (av_strstart(line, 
\"#EXT-X-KEY:\", &ptr)) {\n struct key_info info = {{0}};\n ff_parse_key_value(ptr, (ff_parse_key_val_cb) handle_key_args,\n &info);\n key_type = KEY_NONE;\n has_iv = 0;\n if (!strcmp(info.method, \"AES-128\"))\n key_type = KEY_AES_128;\n if (!strcmp(info.method, \"SAMPLE-AES\"))\n key_type = KEY_SAMPLE_AES;\n if (!strncmp(info.iv, \"0x\", 2) || !strncmp(info.iv, \"0X\", 2)) {\n ff_hex_to_data(iv, info.iv + 2);\n has_iv = 1;\n }\n av_strlcpy(key, info.uri, sizeof(key));\n } else if (av_strstart(line, \"#EXT-X-MEDIA:\", &ptr)) {\n struct rendition_info info = {{0}};\n ff_parse_key_value(ptr, (ff_parse_key_val_cb) handle_rendition_args,\n &info);\n new_rendition(c, &info, url);\n } else if (av_strstart(line, \"#EXT-X-TARGETDURATION:\", &ptr)) {\n ret = ensure_playlist(c, &pls, url);\n if (ret < 0)\n goto fail;\n pls->target_duration = atoi(ptr) * AV_TIME_BASE;\n } else if (av_strstart(line, \"#EXT-X-MEDIA-SEQUENCE:\", &ptr)) {\n ret = ensure_playlist(c, &pls, url);\n if (ret < 0)\n goto fail;\n pls->start_seq_no = atoi(ptr);\n } else if (av_strstart(line, \"#EXT-X-PLAYLIST-TYPE:\", &ptr)) {\n ret = ensure_playlist(c, &pls, url);\n if (ret < 0)\n goto fail;\n if (!strcmp(ptr, \"EVENT\"))\n pls->type = PLS_TYPE_EVENT;\n else if (!strcmp(ptr, \"VOD\"))\n pls->type = PLS_TYPE_VOD;\n } else if (av_strstart(line, \"#EXT-X-MAP:\", &ptr)) {\n struct init_section_info info = {{0}};\n ret = ensure_playlist(c, &pls, url);\n if (ret < 0)\n goto fail;\n ff_parse_key_value(ptr, (ff_parse_key_val_cb) handle_init_section_args,\n &info);\n cur_init_section = new_init_section(pls, &info, url);\n } else if (av_strstart(line, \"#EXT-X-ENDLIST\", &ptr)) {\n if (pls)\n pls->finished = 1;\n } else if (av_strstart(line, \"#EXTINF:\", &ptr)) {\n is_segment = 1;\n duration = atof(ptr) * AV_TIME_BASE;\n } else if (av_strstart(line, \"#EXT-X-BYTERANGE:\", &ptr)) {\n seg_size = atoi(ptr);\n ptr = strchr(ptr, '@');\n if (ptr)\n seg_offset = atoi(ptr+1);\n } else if (av_strstart(line, \"#\", 
NULL)) {\n continue;\n } else if (line[0]) {\n if (is_variant) {\n if (!new_variant(c, &variant_info, line, url)) {\n ret = AVERROR(ENOMEM);\n goto fail;\n }\n is_variant = 0;\n }\n if (is_segment) {\n struct segment *seg;\n if (!pls) {\n if (!new_variant(c, 0, url, NULL)) {\n ret = AVERROR(ENOMEM);\n goto fail;\n }\n pls = c->playlists[c->n_playlists - 1];\n }\n seg = av_malloc(sizeof(struct segment));\n if (!seg) {\n ret = AVERROR(ENOMEM);\n goto fail;\n }\n if (has_iv) {\n memcpy(seg->iv, iv, sizeof(iv));\n } else {\n int seq = pls->start_seq_no + pls->n_segments;\n memset(seg->iv, 0, sizeof(seg->iv));\n AV_WB32(seg->iv + 12, seq);\n }\n\n if (key_type != KEY_NONE) {\n ff_make_absolute_url(tmp_str, sizeof(tmp_str), url, key);\n seg->key = av_strdup(tmp_str);\n if (!seg->key) {\n av_free(seg);\n ret = AVERROR(ENOMEM);\n goto fail;\n }\n } else {\n seg->key = NULL;\n }\n\n ff_make_absolute_url(tmp_str, sizeof(tmp_str), url, line);\n seg->url = av_strdup(tmp_str);\n if (!seg->url) {\n av_free(seg->key);\n av_free(seg);\n ret = AVERROR(ENOMEM);\n goto fail;\n }\n\n if (duration < 0.001 * AV_TIME_BASE) {\n duration = 0.001 * AV_TIME_BASE;\n }\n seg->duration = duration;\n seg->key_type = key_type;\n dynarray_add(&pls->segments, &pls->n_segments, seg);\n is_segment = 0;\n\n seg->size = seg_size;\n if (seg_size >= 0) {\n seg->url_offset = seg_offset;\n seg_offset += seg_size;\n seg_size = -1;\n } else {\n seg->url_offset = 0;\n seg_offset = 0;\n }\n\n seg->init_section = cur_init_section;\n }\n }\n }\n if (pls)\n pls->last_load_time = av_gettime_relative();\n\nfail:\n av_free(new_url);\n if (close_in)\n avio_close(in);\n return ret;\n}", "project": "FFmpeg", "hash": 143241207040584752751126445822656075184, "size": 206, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry 
picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270450 }, { "func": "static void nfs_state_clear_delegation(struct nfs4_state *state)\n{\n\twrite_seqlock(&state->seqlock);\n\tnfs4_stateid_copy(&state->stateid, &state->open_stateid);\n\tclear_bit(NFS_DELEGATED_STATE, &state->flags);\n\twrite_sequnlock(&state->seqlock);\n}", "project": "linux", "hash": 100205493113827948702279550946173691860, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431407 }, { "func": "UnicodeString::getChar32At(int32_t offset) const {\n return char32At(offset);\n}", "project": "icu", "hash": 321776233954840420089909562135184560377, "size": 3, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430845 }, { "func": "static int fill_tile_gaps(void) {\n\tint x, y, run, saw;\n\tint n, diffs = 0, ct;\n\n\t/* horizontal: */\n\tfor (y=0; y < ntiles_y; y++) {\n\t\trun = 0;\n\t\tsaw = 0;\n\t\tfor (x=0; x < ntiles_x; x++) {\n\t\t\tct = gap_try(x, y, &run, &saw, 1);\n\t\t\tif (ct < 0) return ct;\t/* fatal */\n\t\t}\n\t}\n\n\t/* vertical: */\n\tfor (x=0; x < ntiles_x; x++) {\n\t\trun = 0;\n\t\tsaw = 0;\n\t\tfor (y=0; y < ntiles_y; y++) {\n\t\t\tct = gap_try(x, y, &run, &saw, 0);\n\t\t\tif (ct < 0) return ct;\t/* fatal */\n\t\t}\n\t}\n\n\tfor (n=0; n < ntiles; n++) {\n\t\tif (tile_has_diff[n]) {\n\t\t\tdiffs++;\n\t\t}\n\t}\n\treturn diffs;\n}", "project": "x11vnc", "hash": 
108544214661372034925281516476089720872, "size": 31, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360755 }, { "func": " virtual Item* propagate_equal_fields(THD*, const Context &, COND_EQUAL *)\n {\n return this;\n };", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 157046394567136902321782925489311270432, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509227 }, { "func": "static int ecryptfs_encrypt_extent(struct page *enc_extent_page,\n\t\t\t\t struct ecryptfs_crypt_stat *crypt_stat,\n\t\t\t\t struct page *page,\n\t\t\t\t unsigned long extent_offset)\n{\n\tloff_t extent_base;\n\tchar extent_iv[ECRYPTFS_MAX_IV_BYTES];\n\tint rc;\n\n\textent_base = (((loff_t)page->index)\n\t\t * (PAGE_CACHE_SIZE / crypt_stat->extent_size));\n\trc = ecryptfs_derive_iv(extent_iv, crypt_stat,\n\t\t\t\t(extent_base + extent_offset));\n\tif (rc) {\n\t\tecryptfs_printk(KERN_ERR, \"Error attempting to \"\n\t\t\t\t\"derive IV for extent [0x%.16x]; \"\n\t\t\t\t\"rc = [%d]\\n\", (extent_base + extent_offset),\n\t\t\t\trc);\n\t\tgoto out;\n\t}\n\tif (unlikely(ecryptfs_verbosity > 0)) {\n\t\tecryptfs_printk(KERN_DEBUG, \"Encrypting extent \"\n\t\t\t\t\"with iv:\\n\");\n\t\tecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes);\n\t\tecryptfs_printk(KERN_DEBUG, \"First 8 bytes before \"\n\t\t\t\t\"encryption:\\n\");\n\t\tecryptfs_dump_hex((char *)\n\t\t\t\t (page_address(page)\n\t\t\t\t + (extent_offset * crypt_stat->extent_size)),\n\t\t\t\t 8);\n\t}\n\trc = ecryptfs_encrypt_page_offset(crypt_stat, enc_extent_page, 0,\n\t\t\t\t\t page, (extent_offset\n\t\t\t\t\t\t * crypt_stat->extent_size),\n\t\t\t\t\t crypt_stat->extent_size, extent_iv);\n\tif (rc < 0) {\n\t\tprintk(KERN_ERR \"%s: Error attempting to encrypt page with \"\n\t\t \"page->index = [%ld], extent_offset = [%ld]; \"\n\t\t \"rc = [%d]\\n\", __func__, page->index, extent_offset,\n\t\t rc);\n\t\tgoto out;\n\t}\n\trc = 0;\n\tif (unlikely(ecryptfs_verbosity > 0)) {\n\t\tecryptfs_printk(KERN_DEBUG, \"Encrypt extent [0x%.16x]; \"\n\t\t\t\t\"rc = [%d]\\n\", (extent_base + extent_offset),\n\t\t\t\trc);\n\t\tecryptfs_printk(KERN_DEBUG, \"First 8 bytes after \"\n\t\t\t\t\"encryption:\\n\");\n\t\tecryptfs_dump_hex((char 
*)(page_address(enc_extent_page)), 8);\n\t}\nout:\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 209994696376684665117491388544121694016, "size": 54, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. 
Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490201 }, { "func": "static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)\n{\n int i;\n uint16_t limit;\n VncDisplay *vd = vs->vd;\n\n if (data[0] > 3) {\n update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);\n }\n\n switch (data[0]) {\n case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:\n if (len == 1)\n return 20;\n\n set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5),\n read_u8(data, 6), read_u8(data, 7),\n read_u16(data, 8), read_u16(data, 10),\n read_u16(data, 12), read_u8(data, 14),\n read_u8(data, 15), read_u8(data, 16));\n break;\n case VNC_MSG_CLIENT_SET_ENCODINGS:\n if (len == 1)\n return 4;\n\n if (len == 4) {\n limit = read_u16(data, 2);\n if (limit > 0)\n return 4 + (limit * 4);\n } else\n limit = read_u16(data, 2);\n\n for (i = 0; i < limit; i++) {\n int32_t val = read_s32(data, 4 + (i * 4));\n memcpy(data + 4 + (i * 4), &val, sizeof(val));\n }\n\n set_encodings(vs, (int32_t *)(data + 4), limit);\n break;\n case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:\n if (len == 1)\n return 10;\n\n framebuffer_update_request(vs,\n read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),\n read_u16(data, 6), read_u16(data, 8));\n break;\n case VNC_MSG_CLIENT_KEY_EVENT:\n if (len == 1)\n return 8;\n\n key_event(vs, read_u8(data, 1), read_u32(data, 4));\n break;\n case VNC_MSG_CLIENT_POINTER_EVENT:\n if (len == 1)\n return 6;\n\n pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));\n break;\n case VNC_MSG_CLIENT_CUT_TEXT:\n if (len == 1) {\n return 8;\n }\n if (len == 8) {\n uint32_t dlen = read_u32(data, 4);\n if (dlen > (1 << 20)) {\n error_report(\"vnc: client_cut_text msg payload has %u bytes\"\n \" which exceeds our limit of 1MB.\", dlen);\n vnc_client_error(vs);\n break;\n }\n if (dlen > 0) {\n return 8 + dlen;\n }\n }\n\n client_cut_text(vs, read_u32(data, 4), data + 8);\n break;\n case 
VNC_MSG_CLIENT_QEMU:\n if (len == 1)\n return 2;\n\n switch (read_u8(data, 1)) {\n case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:\n if (len == 2)\n return 12;\n\n ext_key_event(vs, read_u16(data, 2),\n read_u32(data, 4), read_u32(data, 8));\n break;\n case VNC_MSG_CLIENT_QEMU_AUDIO:\n if (len == 2)\n return 4;\n\n switch (read_u16 (data, 2)) {\n case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:\n audio_add(vs);\n break;\n case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:\n audio_del(vs);\n break;\n case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:\n if (len == 4)\n return 10;\n switch (read_u8(data, 4)) {\n case 0: vs->as.fmt = AUD_FMT_U8; break;\n case 1: vs->as.fmt = AUD_FMT_S8; break;\n case 2: vs->as.fmt = AUD_FMT_U16; break;\n case 3: vs->as.fmt = AUD_FMT_S16; break;\n case 4: vs->as.fmt = AUD_FMT_U32; break;\n case 5: vs->as.fmt = AUD_FMT_S32; break;\n default:\n VNC_DEBUG(\"Invalid audio format %d\\n\", read_u8(data, 4));\n vnc_client_error(vs);\n break;\n }\n vs->as.nchannels = read_u8(data, 5);\n if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {\n VNC_DEBUG(\"Invalid audio channel coount %d\\n\",\n read_u8(data, 5));\n vnc_client_error(vs);\n break;\n }\n vs->as.freq = read_u32(data, 6);\n break;\n default:\n VNC_DEBUG(\"Invalid audio message %d\\n\", read_u8(data, 4));\n vnc_client_error(vs);\n break;\n }\n break;\n\n default:\n VNC_DEBUG(\"Msg: %d\\n\", read_u16(data, 0));\n vnc_client_error(vs);\n break;\n }\n break;\n default:\n VNC_DEBUG(\"Msg: %d\\n\", data[0]);\n vnc_client_error(vs);\n break;\n }\n\n vnc_read_when(vs, protocol_client_msg, 1);\n return 0;\n}", "project": "qemu", "hash": 436182452489722437108942421275282144, "size": 147, "commit_id": "4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3", "message": "ui: vnc: avoid floating point exception\n\nWhile sending 'SetPixelFormat' messages to a VNC server,\nthe client could set the 'red-max', 'green-max' and 'blue-max'\nvalues to be zero. 
This leads to a floating point exception in\nwrite_png_palette while doing frame buffer updates.\n\nReported-by: Lian Yihan \nSigned-off-by: Prasad J Pandit \nReviewed-by: Gerd Hoffmann \nSigned-off-by: Peter Maydell ", "target": 0, "dataset": "other", "idx": 330511 }, { "func": "int imap_create_mailbox(struct ImapAccountData *adata, char *mailbox)\n{\n char buf[2048], mbox[1024];\n\n imap_munge_mbox_name(adata->unicode, mbox, sizeof(mbox), mailbox);\n snprintf(buf, sizeof(buf), \"CREATE %s\", mbox);\n\n if (imap_exec(adata, buf, IMAP_CMD_NO_FLAGS) != IMAP_EXEC_SUCCESS)\n {\n mutt_error(_(\"CREATE failed: %s\"), imap_cmd_trailer(adata));\n return -1;\n }\n\n return 0;\n}", "project": "neomutt", "hash": 37004114894340162183626971965956653969, "size": 15, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357036 }, { "func": "static void tracing_stop_tr(struct trace_array *tr)\n{\n\tstruct ring_buffer *buffer;\n\tunsigned long flags;\n\n\t/* If global, we need to also stop the max tracer */\n\tif (tr->flags & TRACE_ARRAY_FL_GLOBAL)\n\t\treturn tracing_stop();\n\n\traw_spin_lock_irqsave(&tr->start_lock, flags);\n\tif (tr->stop_count++)\n\t\tgoto out;\n\n\tbuffer = tr->trace_buffer.buffer;\n\tif (buffer)\n\t\tring_buffer_record_disable(buffer);\n\n out:\n\traw_spin_unlock_irqrestore(&tr->start_lock, flags);\n}", "project": "linux", "hash": 160696089077889925225515563649640514977, "size": 20, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445725 }, { "func": "static int sd_s_ctrl(struct v4l2_ctrl *ctrl)\n{\n\tstruct gspca_dev *gspca_dev =\n\t\tcontainer_of(ctrl->handler, struct gspca_dev, ctrl_handler);\n\tstruct sd *sd = (struct sd *)gspca_dev;\n\n\tgspca_dev->usb_err = 0;\n\n\tif (!gspca_dev->streaming)\n\t\treturn 0;\n\n\tswitch (ctrl->id) {\n\tcase V4L2_CID_BRIGHTNESS:\n\t\tsetbrightness(gspca_dev, ctrl->val);\n\t\tbreak;\n\tcase V4L2_CID_CONTRAST:\n\t\tsetcontrast(gspca_dev, ctrl->val);\n\t\tbreak;\n\tcase V4L2_CID_POWER_LINE_FREQUENCY:\n\t\tsetfreq(gspca_dev, ctrl->val);\n\t\tbreak;\n\tcase V4L2_CID_AUTOBRIGHTNESS:\n\t\tif (ctrl->is_new)\n\t\t\tsetautobright(gspca_dev, ctrl->val);\n\t\tif (!ctrl->val && sd->brightness->is_new)\n\t\t\tsetbrightness(gspca_dev, sd->brightness->val);\n\t\tbreak;\n\tcase V4L2_CID_SATURATION:\n\t\tsetcolors(gspca_dev, ctrl->val);\n\t\tbreak;\n\tcase V4L2_CID_HFLIP:\n\t\tsethvflip(gspca_dev, ctrl->val, sd->vflip->val);\n\t\tbreak;\n\tcase V4L2_CID_AUTOGAIN:\n\t\tif (ctrl->is_new)\n\t\t\tsetautogain(gspca_dev, ctrl->val);\n\t\tif (!ctrl->val && gspca_dev->exposure->is_new)\n\t\t\tsetexposure(gspca_dev, gspca_dev->exposure->val);\n\t\tbreak;\n\tcase V4L2_CID_JPEG_COMPRESSION_QUALITY:\n\t\treturn -EBUSY; /* Should never happen, as we grab the ctrl */\n\t}\n\treturn gspca_dev->usb_err;\n}", "project": "linux", "hash": 132151085368881913380010899592419002800, "size": 44, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint 
array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306308 }, { "func": "static int sctp_getsockopt_pr_assocstatus(struct sock *sk, int len,\n\t\t\t\t\t char __user *optval,\n\t\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_prstatus params;\n\tstruct sctp_association *asoc;\n\tint policy;\n\tint retval = -EINVAL;\n\n\tif (len < sizeof(params))\n\t\tgoto out;\n\n\tlen = sizeof(params);\n\tif (copy_from_user(¶ms, optval, len)) {\n\t\tretval = -EFAULT;\n\t\tgoto out;\n\t}\n\n\tpolicy = params.sprstat_policy;\n\tif (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) ||\n\t ((policy & SCTP_PR_SCTP_ALL) && (policy & SCTP_PR_SCTP_MASK)))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params.sprstat_assoc_id);\n\tif (!asoc)\n\t\tgoto out;\n\n\tif (policy == SCTP_PR_SCTP_ALL) {\n\t\tparams.sprstat_abandoned_unsent = 0;\n\t\tparams.sprstat_abandoned_sent = 0;\n\t\tfor (policy = 0; policy <= SCTP_PR_INDEX(MAX); policy++) {\n\t\t\tparams.sprstat_abandoned_unsent +=\n\t\t\t\tasoc->abandoned_unsent[policy];\n\t\t\tparams.sprstat_abandoned_sent +=\n\t\t\t\tasoc->abandoned_sent[policy];\n\t\t}\n\t} else {\n\t\tparams.sprstat_abandoned_unsent =\n\t\t\tasoc->abandoned_unsent[__SCTP_PR_INDEX(policy)];\n\t\tparams.sprstat_abandoned_sent =\n\t\t\tasoc->abandoned_sent[__SCTP_PR_INDEX(policy)];\n\t}\n\n\tif (put_user(len, optlen)) {\n\t\tretval = -EFAULT;\n\t\tgoto out;\n\t}\n\n\tif (copy_to_user(optval, ¶ms, len)) {\n\t\tretval = -EFAULT;\n\t\tgoto 
out;\n\t}\n\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 101247771318546036131133103643264018758, "size": 58, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398093 }, { "func": "static int hdrchkTagType(rpm_tag_t tag, rpm_tagtype_t type)\n{\n rpmTagType t = rpmTagGetTagType(tag);\n if (t == type)\n\treturn 0;\n\n /* Permit unknown tags for forward compatibility */\n if (t == RPM_NULL_TYPE)\n\treturn 0;\n\n /* Some string tags harmlessly disagree on the exact type */\n if (rpmTagGetClass(tag) == RPM_STRING_CLASS &&\n\t (rpmTagTypeGetClass(type) == RPM_STRING_CLASS))\n\treturn 0;\n\n /* Known tag with mismatching type, bad bad bad. 
*/\n return 1;\n}", "project": "rpm", "hash": 267498769410118458166068014949465801819, "size": 18, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318193 }, { "func": "static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)\n{\n\tstruct task_struct *new_owner;\n\tstruct futex_pi_state *pi_state = this->pi_state;\n\tu32 curval, newval;\n\n\tif (!pi_state)\n\t\treturn -EINVAL;\n\n\traw_spin_lock(&pi_state->pi_mutex.wait_lock);\n\tnew_owner = rt_mutex_next_owner(&pi_state->pi_mutex);\n\n\t/*\n\t * This happens when we have stolen the lock and the original\n\t * pending owner did not enqueue itself back on the rt_mutex.\n\t * Thats not a tragedy. We know that way, that a lock waiter\n\t * is on the fly. We make the futex_q waiter the pending owner.\n\t */\n\tif (!new_owner)\n\t\tnew_owner = this->task;\n\n\t/*\n\t * We pass it to the next owner. (The WAITERS bit is always\n\t * kept enabled while there is PI state around. 
We must also\n\t * preserve the owner died bit.)\n\t */\n\tif (!(uval & FUTEX_OWNER_DIED)) {\n\t\tint ret = 0;\n\n\t\tnewval = FUTEX_WAITERS | task_pid_vnr(new_owner);\n\n\t\tcurval = cmpxchg_futex_value_locked(uaddr, uval, newval);\n\n\t\tif (curval == -EFAULT)\n\t\t\tret = -EFAULT;\n\t\telse if (curval != uval)\n\t\t\tret = -EINVAL;\n\t\tif (ret) {\n\t\t\traw_spin_unlock(&pi_state->pi_mutex.wait_lock);\n\t\t\treturn ret;\n\t\t}\n\t}\n\n\traw_spin_lock_irq(&pi_state->owner->pi_lock);\n\tWARN_ON(list_empty(&pi_state->list));\n\tlist_del_init(&pi_state->list);\n\traw_spin_unlock_irq(&pi_state->owner->pi_lock);\n\n\traw_spin_lock_irq(&new_owner->pi_lock);\n\tWARN_ON(!list_empty(&pi_state->list));\n\tlist_add(&pi_state->list, &new_owner->pi_state_list);\n\tpi_state->owner = new_owner;\n\traw_spin_unlock_irq(&new_owner->pi_lock);\n\n\traw_spin_unlock(&pi_state->pi_mutex.wait_lock);\n\trt_mutex_unlock(&pi_state->pi_mutex);\n\n\treturn 0;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 262554574307903616393945506826936555219, "size": 59, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492310 }, { "func": "static int sst_run_shell (const char* cmd_str, char** env, int max_tries)\n{\n int ret = 0;\n\n for (int tries=1; tries <= max_tries; tries++)\n {\n wsp::process proc (cmd_str, \"r\", env);\n\n if (NULL != proc.pipe())\n {\n proc.wait();\n }\n\n if ((ret = proc.error()))\n {\n WSREP_ERROR(\"Try %d/%d: '%s' failed: %d (%s)\",\n tries, max_tries, proc.cmd(), ret, strerror(ret));\n sleep (1);\n }\n else\n {\n WSREP_DEBUG(\"SST script successfully completed.\");\n break;\n }\n }\n\n return -ret;\n}", "project": "mysql-wsrep", "hash": 147259944811515466750700223845652363125, "size": 28, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454796 }, { "func": "static void updatePortStats(struct port_stats **stats, u_int32_t port,\n\t\t\t u_int32_t addr, u_int8_t version,\n u_int32_t num_pkts, u_int32_t num_bytes,\n const char *proto) {\n\n struct port_stats *s = NULL;\n int count = 0;\n\n HASH_FIND_INT(*stats, &port, s);\n if(s == NULL) {\n s = (struct port_stats*)calloc(1, sizeof(struct port_stats));\n if(!s) return;\n\n s->port = port, s->num_pkts = num_pkts, s->num_bytes = num_bytes;\n s->num_addr = 1, s->cumulative_addr = 1; s->num_flows = 1;\n\n 
updateTopIpAddress(addr, version, proto, 1, s->top_ip_addrs, MAX_NUM_IP_ADDRESS);\n\n s->addr_tree = (addr_node *) malloc(sizeof(addr_node));\n if(!s->addr_tree) {\n free(s);\n return;\n }\n\n s->addr_tree->addr = addr;\n s->addr_tree->version = version;\n strncpy(s->addr_tree->proto, proto, sizeof(s->addr_tree->proto));\n s->addr_tree->count = 1;\n s->addr_tree->left = NULL;\n s->addr_tree->right = NULL;\n\n HASH_ADD_INT(*stats, port, s);\n }\n else{\n count = updateIpTree(addr, version, &(*s).addr_tree, proto);\n\n if(count == UPDATED_TREE) s->num_addr++;\n\n if(count) {\n s->cumulative_addr++;\n updateTopIpAddress(addr, version, proto, count, s->top_ip_addrs, MAX_NUM_IP_ADDRESS);\n }\n\n s->num_pkts += num_pkts, s->num_bytes += num_bytes, s->num_flows++;\n }\n}", "project": "nDPI", "hash": 271454222132033788878361282578905413306, "size": 46, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254824 }, { "func": "static int le_scan_disable(struct hci_request *req, unsigned long opt)\n{\n\thci_req_add_le_scan_disable(req, false);\n\treturn 0;\n}", "project": "linux", "hash": 339201147637457319091406043587248899498, "size": 5, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402551 }, { "func": "static inline void encode_delegation_type(struct xdr_stream *xdr, fmode_t delegation_type)\n{\n\t__be32 *p;\n\n\tp = reserve_space(xdr, 4);\n\tswitch (delegation_type) {\n\tcase 0:\n\t\t*p = cpu_to_be32(NFS4_OPEN_DELEGATE_NONE);\n\t\tbreak;\n\tcase FMODE_READ:\n\t\t*p = cpu_to_be32(NFS4_OPEN_DELEGATE_READ);\n\t\tbreak;\n\tcase FMODE_WRITE|FMODE_READ:\n\t\t*p = cpu_to_be32(NFS4_OPEN_DELEGATE_WRITE);\n\t\tbreak;\n\tdefault:\n\t\tBUG();\n\t}\n}", "project": "linux", "hash": 61643186415752446458824788171757658315, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431562 }, { "func": "static int kvm_try_get_pfn(kvm_pfn_t pfn)\n{\n\tif (kvm_is_reserved_pfn(pfn))\n\t\treturn 1;\n\treturn get_page_unless_zero(pfn_to_page(pfn));\n}", "project": "linux", "hash": 111920807071563746721758808213666934677, "size": 6, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404064 }, { "func": "static void nested_svm_inject_npf_exit(struct kvm_vcpu *vcpu,\n\t\t\t\t struct x86_exception *fault)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (svm->vmcb->control.exit_code != SVM_EXIT_NPF) {\n\t\t/*\n\t\t * TODO: track the cause of the nested page fault, and\n\t\t * correctly fill in the high bits of exit_info_1.\n\t\t */\n\t\tsvm->vmcb->control.exit_code = SVM_EXIT_NPF;\n\t\tsvm->vmcb->control.exit_code_hi = 0;\n\t\tsvm->vmcb->control.exit_info_1 = (1ULL << 32);\n\t\tsvm->vmcb->control.exit_info_2 = fault->address;\n\t}\n\n\tsvm->vmcb->control.exit_info_1 &= ~0xffffffffULL;\n\tsvm->vmcb->control.exit_info_1 |= fault->error_code;\n\n\t/*\n\t * The present bit is always zero for page structure faults on real\n\t * hardware.\n\t */\n\tif (svm->vmcb->control.exit_info_1 & (2ULL << 32))\n\t\tsvm->vmcb->control.exit_info_1 &= ~1;\n\n\tnested_svm_vmexit(svm);\n}", "project": "linux", "hash": 257914322291223351142395648592144979557, "size": 28, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432566 }, { "func": "static int create_constraint_attribute(int id, const char *name,\n\t\t\t\tint mode,\n\t\t\t\tstruct device_attribute *dev_attr,\n\t\t\t\tssize_t (*show)(struct device *,\n\t\t\t\t\tstruct device_attribute *, char *),\n\t\t\t\tssize_t (*store)(struct device *,\n\t\t\t\t\tstruct device_attribute *,\n\t\t\t\tconst char *, size_t)\n\t\t\t\t)\n{\n\n\tdev_attr->attr.name = kasprintf(GFP_KERNEL, \"constraint_%d_%s\",\n\t\t\t\t\t\t\t\tid, name);\n\tif (!dev_attr->attr.name)\n\t\treturn -ENOMEM;\n\tdev_attr->attr.mode = mode;\n\tdev_attr->show = show;\n\tdev_attr->store = store;\n\n\treturn 0;\n}", "project": "linux", "hash": 332219962375691976058011485175842075251, "size": 21, "commit_id": "949dd0104c496fa7c14991a23c03c62e44637e71", "message": "powercap: restrict energy meter to root access\n\nRemove non-privileged user access to power data contained in\n/sys/class/powercap/intel-rapl*/*/energy_uj\n\nNon-privileged users currently have read access to power data and can\nuse this data to form a security attack. Some privileged\ndrivers/applications need read access to this data, but don't expose it\nto non-privileged users.\n\nFor example, thermald uses this data to ensure that power management\nworks correctly. 
Thus removing non-privileged access is preferred over\ncompletely disabling this power reporting capability with\nCONFIG_INTEL_RAPL=n.\n\nFixes: 95677a9a3847 (\"PowerCap: Fix mode for energy counter\")\n\nSigned-off-by: Len Brown \nCc: stable@vger.kernel.org", "target": 0, "dataset": "other", "idx": 310347 }, { "func": "UnicodeString::fastCopyFrom(const UnicodeString &src) {\n return copyFrom(src, TRUE);\n}", "project": "icu", "hash": 199993717486110267390765518187401875426, "size": 3, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430788 }, { "func": "static void avic_set_running(struct kvm_vcpu *vcpu, bool is_run)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tsvm->avic_is_running = is_run;\n\tif (is_run)\n\t\tavic_vcpu_load(vcpu, vcpu->cpu);\n\telse\n\t\tavic_vcpu_put(vcpu);\n}", "project": "linux", "hash": 189726624734313157854897237279207597549, "size": 10, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432435 }, { "func": "static OPJ_BOOL opj_j2k_read_header_procedure(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n OPJ_UINT32 l_current_marker;\n OPJ_UINT32 l_marker_size;\n const opj_dec_memory_marker_handler_t * l_marker_handler = 00;\n OPJ_BOOL l_has_siz = 0;\n OPJ_BOOL l_has_cod = 0;\n OPJ_BOOL l_has_qcd = 0;\n\n /* preconditions */\n assert(p_stream != 00);\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n /* We enter in the main header */\n p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_MHSOC;\n\n /* Try to read the SOC marker, the codestream must begin with SOC marker */\n if (! opj_j2k_read_soc(p_j2k, p_stream, p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Expected a SOC marker \\n\");\n return OPJ_FALSE;\n }\n\n /* Try to read 2 bytes (the next marker ID) from stream and copy them into the buffer */\n if (opj_stream_read_data(p_stream,\n p_j2k->m_specific_param.m_decoder.m_header_data, 2, p_manager) != 2) {\n opj_event_msg(p_manager, EVT_ERROR, \"Stream too short\\n\");\n return OPJ_FALSE;\n }\n\n /* Read 2 bytes as the new marker ID */\n opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data,\n &l_current_marker, 2);\n\n /* Try to read until the SOT is detected */\n while (l_current_marker != J2K_MS_SOT) {\n\n /* Check if the current marker ID is valid */\n if (l_current_marker < 0xff00) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"A marker ID was expected (0xff--) instead of %.8x\\n\", l_current_marker);\n return OPJ_FALSE;\n }\n\n /* Get the marker handler from the marker ID */\n l_marker_handler = opj_j2k_get_marker_handler(l_current_marker);\n\n /* Manage case where marker is unknown */\n if (l_marker_handler->id == J2K_MS_UNK) {\n if (! 
opj_j2k_read_unk(p_j2k, p_stream, &l_current_marker, p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Unknow marker have been detected and generated error.\\n\");\n return OPJ_FALSE;\n }\n\n if (l_current_marker == J2K_MS_SOT) {\n break; /* SOT marker is detected main header is completely read */\n } else { /* Get the marker handler from the marker ID */\n l_marker_handler = opj_j2k_get_marker_handler(l_current_marker);\n }\n }\n\n if (l_marker_handler->id == J2K_MS_SIZ) {\n /* Mark required SIZ marker as found */\n l_has_siz = 1;\n }\n if (l_marker_handler->id == J2K_MS_COD) {\n /* Mark required COD marker as found */\n l_has_cod = 1;\n }\n if (l_marker_handler->id == J2K_MS_QCD) {\n /* Mark required QCD marker as found */\n l_has_qcd = 1;\n }\n\n /* Check if the marker is known and if it is the right place to find it */\n if (!(p_j2k->m_specific_param.m_decoder.m_state & l_marker_handler->states)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Marker is not compliant with its position\\n\");\n return OPJ_FALSE;\n }\n\n /* Try to read 2 bytes (the marker size) from stream and copy them into the buffer */\n if (opj_stream_read_data(p_stream,\n p_j2k->m_specific_param.m_decoder.m_header_data, 2, p_manager) != 2) {\n opj_event_msg(p_manager, EVT_ERROR, \"Stream too short\\n\");\n return OPJ_FALSE;\n }\n\n /* read 2 bytes as the marker size */\n opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data, &l_marker_size,\n 2);\n if (l_marker_size < 2) {\n opj_event_msg(p_manager, EVT_ERROR, \"Invalid marker size\\n\");\n return OPJ_FALSE;\n }\n l_marker_size -= 2; /* Subtract the size of the marker ID already read */\n\n /* Check if the marker size is compatible with the header data size */\n if (l_marker_size > p_j2k->m_specific_param.m_decoder.m_header_data_size) {\n OPJ_BYTE *new_header_data = (OPJ_BYTE *) opj_realloc(\n p_j2k->m_specific_param.m_decoder.m_header_data, l_marker_size);\n if (! 
new_header_data) {\n opj_free(p_j2k->m_specific_param.m_decoder.m_header_data);\n p_j2k->m_specific_param.m_decoder.m_header_data = NULL;\n p_j2k->m_specific_param.m_decoder.m_header_data_size = 0;\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to read header\\n\");\n return OPJ_FALSE;\n }\n p_j2k->m_specific_param.m_decoder.m_header_data = new_header_data;\n p_j2k->m_specific_param.m_decoder.m_header_data_size = l_marker_size;\n }\n\n /* Try to read the rest of the marker segment from stream and copy them into the buffer */\n if (opj_stream_read_data(p_stream,\n p_j2k->m_specific_param.m_decoder.m_header_data, l_marker_size,\n p_manager) != l_marker_size) {\n opj_event_msg(p_manager, EVT_ERROR, \"Stream too short\\n\");\n return OPJ_FALSE;\n }\n\n /* Read the marker segment with the correct marker handler */\n if (!(*(l_marker_handler->handler))(p_j2k,\n p_j2k->m_specific_param.m_decoder.m_header_data, l_marker_size, p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Marker handler function failed to read the marker segment\\n\");\n return OPJ_FALSE;\n }\n\n /* Add the marker to the codestream index*/\n if (OPJ_FALSE == opj_j2k_add_mhmarker(\n p_j2k->cstr_index,\n l_marker_handler->id,\n (OPJ_UINT32) opj_stream_tell(p_stream) - l_marker_size - 4,\n l_marker_size + 4)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to add mh marker\\n\");\n return OPJ_FALSE;\n }\n\n /* Try to read 2 bytes (the next marker ID) from stream and copy them into the buffer */\n if (opj_stream_read_data(p_stream,\n p_j2k->m_specific_param.m_decoder.m_header_data, 2, p_manager) != 2) {\n opj_event_msg(p_manager, EVT_ERROR, \"Stream too short\\n\");\n return OPJ_FALSE;\n }\n\n /* read 2 bytes as the new marker ID */\n opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data,\n &l_current_marker, 2);\n }\n\n if (l_has_siz == 0) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"required SIZ marker not found in main header\\n\");\n return OPJ_FALSE;\n }\n if 
(l_has_cod == 0) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"required COD marker not found in main header\\n\");\n return OPJ_FALSE;\n }\n if (l_has_qcd == 0) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"required QCD marker not found in main header\\n\");\n return OPJ_FALSE;\n }\n\n if (! opj_j2k_merge_ppm(&(p_j2k->m_cp), p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Failed to merge PPM data\\n\");\n return OPJ_FALSE;\n }\n\n opj_event_msg(p_manager, EVT_INFO, \"Main header has been correctly decoded.\\n\");\n\n /* Position of the last element if the main header */\n p_j2k->cstr_index->main_head_end = (OPJ_UINT32) opj_stream_tell(p_stream) - 2;\n\n /* Next step: read a tile-part header */\n p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_TPHSOT;\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 13431940927694665176904314088895280731, "size": 184, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357387 }, { "func": "static int clgi_interception(struct vcpu_svm *svm)\n{\n\tint ret;\n\n\tif (nested_svm_check_permissions(svm))\n\t\treturn 1;\n\n\tret = kvm_skip_emulated_instruction(&svm->vcpu);\n\n\tdisable_gif(svm);\n\n\t/* After a CLGI no interrupts should come */\n\tif (!kvm_vcpu_apicv_active(&svm->vcpu)) {\n\t\tsvm_clear_vintr(svm);\n\t\tsvm->vmcb->control.int_ctl &= ~V_IRQ_MASK;\n\t\tmark_dirty(svm->vmcb, VMCB_INTR);\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 225352005361803799678808601640805473920, "size": 20, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432403 }, { "func": "static int clgi_interception(struct vcpu_svm *svm)\n{\n\tif (nested_svm_check_permissions(svm))\n\t\treturn 1;\n\n\tsvm->next_rip = kvm_rip_read(&svm->vcpu) + 3;\n\tskip_emulated_instruction(&svm->vcpu);\n\n\tdisable_gif(svm);\n\n\t/* After a CLGI no interrupts should come */\n\tsvm_clear_vintr(svm);\n\tsvm->vmcb->control.int_ctl &= ~V_IRQ_MASK;\n\n\tmark_dirty(svm->vmcb, VMCB_INTR);\n\n\treturn 1;\n}", "project": "kvm", "hash": 196617358693240552795403042835490765498, "size": 18, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437543 }, { "func": "static void opj_j2k_cp_destroy(opj_cp_t *p_cp)\n{\n OPJ_UINT32 l_nb_tiles;\n opj_tcp_t * l_current_tile = 00;\n\n if (p_cp == 00) {\n return;\n }\n if (p_cp->tcps != 00) {\n OPJ_UINT32 i;\n l_current_tile = p_cp->tcps;\n l_nb_tiles = p_cp->th * p_cp->tw;\n\n for (i = 0U; i < l_nb_tiles; ++i) {\n opj_j2k_tcp_destroy(l_current_tile);\n ++l_current_tile;\n }\n opj_free(p_cp->tcps);\n p_cp->tcps = 00;\n }\n if (p_cp->ppm_markers != 00) {\n OPJ_UINT32 i;\n for (i = 0U; i < p_cp->ppm_markers_count; ++i) {\n if (p_cp->ppm_markers[i].m_data != NULL) {\n opj_free(p_cp->ppm_markers[i].m_data);\n }\n }\n p_cp->ppm_markers_count = 0U;\n opj_free(p_cp->ppm_markers);\n p_cp->ppm_markers = NULL;\n }\n opj_free(p_cp->ppm_buffer);\n p_cp->ppm_buffer = 00;\n 
p_cp->ppm_data =\n NULL; /* ppm_data belongs to the allocated buffer pointed by ppm_buffer */\n opj_free(p_cp->comment);\n p_cp->comment = 00;\n if (! p_cp->m_is_decoder) {\n opj_free(p_cp->m_specific_param.m_enc.m_matrice);\n p_cp->m_specific_param.m_enc.m_matrice = 00;\n }\n}", "project": "openjpeg", "hash": 79313362821995625594980391331270392267, "size": 42, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357405 }, { "func": "static __always_inline void slab_lock(struct page *page)\n{\n\tVM_BUG_ON_PAGE(PageTail(page), page);\n\tbit_spin_lock(PG_locked, &page->flags);\n}", "project": "linux", "hash": 191972329085622393338087514880757115829, "size": 5, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280082 }, { "func": "static int nfs40_open_expired(struct nfs4_state_owner *sp, struct nfs4_state *state)\n{\n\t/* NFSv4.0 doesn't allow for delegation recovery on open expire */\n\tnfs40_clear_delegation_stateid(state);\n\tnfs_state_clear_open_state_flags(state);\n\treturn nfs4_open_expired(sp, state);\n}", "project": "linux", "hash": 132054415420357008632654261987492762711, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431029 }, { "func": "R_API int r_sys_cmd(const char *str) {\n\tif (r_sandbox_enable (0)) {\n\t\treturn false;\n\t}\n\treturn r_sandbox_system (str, 1);\n}", "project": "radare2", "hash": 281732387261461605579493220815801774904, "size": 6, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* 
Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268934 }, { "func": "static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct inquiry_data data;\n\tint num_rsp = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s num_rsp %d\", hdev->name, num_rsp);\n\n\tif (!num_rsp)\n\t\treturn;\n\n\tif (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tif ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {\n\t\tstruct inquiry_info_with_rssi_and_pscan_mode *info;\n\t\tinfo = (void *) (skb->data + 1);\n\n\t\tfor (; num_rsp; num_rsp--, info++) {\n\t\t\tu32 flags;\n\n\t\t\tbacpy(&data.bdaddr, &info->bdaddr);\n\t\t\tdata.pscan_rep_mode\t= info->pscan_rep_mode;\n\t\t\tdata.pscan_period_mode\t= info->pscan_period_mode;\n\t\t\tdata.pscan_mode\t\t= info->pscan_mode;\n\t\t\tmemcpy(data.dev_class, info->dev_class, 3);\n\t\t\tdata.clock_offset\t= info->clock_offset;\n\t\t\tdata.rssi\t\t= info->rssi;\n\t\t\tdata.ssp_mode\t\t= 0x00;\n\n\t\t\tflags = hci_inquiry_cache_update(hdev, &data, false);\n\n\t\t\tmgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,\n\t\t\t\t\t info->dev_class, info->rssi,\n\t\t\t\t\t flags, NULL, 0, NULL, 0);\n\t\t}\n\t} else {\n\t\tstruct inquiry_info_with_rssi *info = (void *) (skb->data + 
1);\n\n\t\tfor (; num_rsp; num_rsp--, info++) {\n\t\t\tu32 flags;\n\n\t\t\tbacpy(&data.bdaddr, &info->bdaddr);\n\t\t\tdata.pscan_rep_mode\t= info->pscan_rep_mode;\n\t\t\tdata.pscan_period_mode\t= info->pscan_period_mode;\n\t\t\tdata.pscan_mode\t\t= 0x00;\n\t\t\tmemcpy(data.dev_class, info->dev_class, 3);\n\t\t\tdata.clock_offset\t= info->clock_offset;\n\t\t\tdata.rssi\t\t= info->rssi;\n\t\t\tdata.ssp_mode\t\t= 0x00;\n\n\t\t\tflags = hci_inquiry_cache_update(hdev, &data, false);\n\n\t\t\tmgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,\n\t\t\t\t\t info->dev_class, info->rssi,\n\t\t\t\t\t flags, NULL, 0, NULL, 0);\n\t\t}\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 279763188441669222762878613183420349705, "size": 63, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431960 }, { "func": "static void ov511_configure(struct gspca_dev *gspca_dev)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\t/* For 511 and 511+ */\n\tstatic const struct ov_regvals init_511[] = {\n\t\t{ R51x_SYS_RESET,\t0x7f },\n\t\t{ R51x_SYS_INIT,\t0x01 },\n\t\t{ R51x_SYS_RESET,\t0x7f },\n\t\t{ R51x_SYS_INIT,\t0x01 },\n\t\t{ R51x_SYS_RESET,\t0x3f },\n\t\t{ R51x_SYS_INIT,\t0x01 },\n\t\t{ R51x_SYS_RESET,\t0x3d },\n\t};\n\n\tstatic const struct ov_regvals norm_511[] = {\n\t\t{ R511_DRAM_FLOW_CTL,\t0x01 },\n\t\t{ R51x_SYS_SNAP,\t0x00 },\n\t\t{ R51x_SYS_SNAP,\t0x02 },\n\t\t{ R51x_SYS_SNAP,\t0x00 },\n\t\t{ R511_FIFO_OPTS,\t0x1f },\n\t\t{ R511_COMP_EN,\t\t0x00 },\n\t\t{ R511_COMP_LUT_EN,\t0x03 },\n\t};\n\n\tstatic const struct ov_regvals norm_511_p[] = {\n\t\t{ R511_DRAM_FLOW_CTL,\t0xff },\n\t\t{ R51x_SYS_SNAP,\t0x00 },\n\t\t{ R51x_SYS_SNAP,\t0x02 },\n\t\t{ R51x_SYS_SNAP,\t0x00 },\n\t\t{ R511_FIFO_OPTS,\t0xff },\n\t\t{ R511_COMP_EN,\t\t0x00 },\n\t\t{ R511_COMP_LUT_EN,\t0x03 },\n\t};\n\n\tstatic const struct ov_regvals compress_511[] = {\n\t\t{ 0x70, 0x1f },\n\t\t{ 0x71, 0x05 },\n\t\t{ 0x72, 0x06 },\n\t\t{ 0x73, 0x06 },\n\t\t{ 0x74, 0x14 },\n\t\t{ 0x75, 0x03 },\n\t\t{ 0x76, 0x04 },\n\t\t{ 0x77, 0x04 },\n\t};\n\n\tgspca_dbg(gspca_dev, D_PROBE, \"Device custom id %x\\n\",\n\t\t reg_r(sd, R51x_SYS_CUST_ID));\n\n\twrite_regvals(sd, init_511, ARRAY_SIZE(init_511));\n\n\tswitch (sd->bridge) {\n\tcase BRIDGE_OV511:\n\t\twrite_regvals(sd, norm_511, ARRAY_SIZE(norm_511));\n\t\tbreak;\n\tcase BRIDGE_OV511PLUS:\n\t\twrite_regvals(sd, norm_511_p, ARRAY_SIZE(norm_511_p));\n\t\tbreak;\n\t}\n\n\t/* Init compression 
*/\n\twrite_regvals(sd, compress_511, ARRAY_SIZE(compress_511));\n\n\tov51x_upload_quan_tables(sd);\n}", "project": "linux", "hash": 228244230264988617139110808936961788166, "size": 65, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306344 }, { "func": "static void sethvflip(struct gspca_dev *gspca_dev, s32 hflip, s32 vflip)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\tif (sd->gspca_dev.streaming)\n\t\treg_w(sd, OV519_R51_RESET1, 0x0f);\t/* block stream */\n\ti2c_w_mask(sd, OV7670_R1E_MVFP,\n\t\tOV7670_MVFP_MIRROR * hflip | OV7670_MVFP_VFLIP * vflip,\n\t\tOV7670_MVFP_MIRROR | OV7670_MVFP_VFLIP);\n\tif (sd->gspca_dev.streaming)\n\t\treg_w(sd, OV519_R51_RESET1, 0x00);\t/* restart stream */\n}", "project": "linux", "hash": 24767069287701603412384176343549190780, "size": 12, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): 
gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306294 }, { "func": "bool fuse_lock_inode(struct inode *inode)\n{\n\tbool locked = false;\n\n\tif (!get_fuse_conn(inode)->parallel_dirops) {\n\t\tmutex_lock(&get_fuse_inode(inode)->mutex);\n\t\tlocked = true;\n\t}\n\n\treturn locked;\n}", "project": "linux", "hash": 317549553009742009518916758662671721887, "size": 11, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342129 }, { "func": "bool CClient::SendMotd() {\n const VCString& vsMotd = CZNC::Get().GetMotd();\n\n if (!vsMotd.size()) {\n return false;\n }\n\n for (const CString& sLine : vsMotd) {\n if (m_pNetwork) {\n PutStatusNotice(m_pNetwork->ExpandString(sLine));\n } else {\n PutStatusNotice(m_pUser->ExpandString(sLine));\n }\n }\n\n return true;\n}", "project": "znc", "hash": 4602730293178777405720644953530286142, "size": 17, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231579 }, { "func": "static void ov8xx0_configure(struct sd *sd)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint rc;\n\n\tgspca_dbg(gspca_dev, D_PROBE, \"starting ov8xx0 configuration\\n\");\n\n\t/* Detect sensor (sub)type */\n\trc = i2c_r(sd, OV7610_REG_COM_I);\n\tif (rc < 0) {\n\t\tgspca_err(gspca_dev, \"Error detecting sensor type\\n\");\n\t\treturn;\n\t}\n\tif ((rc & 3) == 1)\n\t\tsd->sensor = SEN_OV8610;\n\telse\n\t\tgspca_err(gspca_dev, \"Unknown image sensor version: %d\\n\",\n\t\t\t rc & 3);\n}", "project": "linux", "hash": 108981778148144302222213046226756048006, "size": 19, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 
bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306319 }, { "func": "static int skip_unprocessed_bytes(struct archive_read* a) {\n\tstruct rar5* rar = get_context(a);\n\tint ret;\n\n\tif(rar->file.bytes_remaining) {\n\t\t/* Use different skipping method in block merging mode than in\n\t\t * normal mode. If merge mode is active, rar5_read_data_skip\n\t\t * can't be used, because it could allow recursive use of\n\t\t * merge_block() * function, and this function doesn't support\n\t\t * recursive use. */\n\t\tif(rar->merge_mode) {\n\t\t\t/* Discard whole merged block. This is valid in solid\n\t\t\t * mode as well, because the code will discard blocks\n\t\t\t * only if those blocks are safe to discard (i.e.\n\t\t\t * they're not FILE blocks). */\n\t\t\tret = consume(a, rar->file.bytes_remaining);\n\t\t\tif(ret != ARCHIVE_OK) {\n\t\t\t\treturn ret;\n\t\t\t}\n\t\t\trar->file.bytes_remaining = 0;\n\t\t} else {\n\t\t\t/* If we're not in merge mode, use safe skipping code.\n\t\t\t * This will ensure we'll handle solid archives\n\t\t\t * properly. */\n\t\t\tret = rar5_read_data_skip(a);\n\t\t\tif(ret != ARCHIVE_OK) {\n\t\t\t\treturn ret;\n\t\t\t}\n\t\t}\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 234137890501450660745364957702821465051, "size": 33, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244797 }, { "func": "JOIN::destroy()\n{\n DBUG_ENTER(\"JOIN::destroy\");\n select_lex->join= 0;\n\n cond_equal= 0;\n having_equal= 0;\n\n cleanup(1);\n\n if (join_tab)\n {\n for (JOIN_TAB *tab= first_linear_tab(this, WITH_BUSH_ROOTS,\n WITH_CONST_TABLES);\n tab; tab= next_linear_tab(this, tab, WITH_BUSH_ROOTS))\n {\n if (tab->aggr)\n {\n free_tmp_table(thd, tab->table);\n delete tab->tmp_table_param;\n tab->tmp_table_param= NULL;\n tab->aggr= NULL;\n }\n tab->table= NULL;\n }\n }\n\n /* Cleanup items referencing temporary table columns */\n cleanup_item_list(tmp_all_fields1);\n cleanup_item_list(tmp_all_fields3);\n destroy_sj_tmp_tables(this);\n delete_dynamic(&keyuse);\n if (save_qep)\n delete(save_qep);\n if (ext_keyuses_for_splitting)\n delete(ext_keyuses_for_splitting);\n delete procedure;\n DBUG_RETURN(error);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 304662252453400914955135746551730265407, "size": 39, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508712 }, { "func": "static int64_t read_integer(const Array& args, const String& key, int64_t def) {\n if (args.exists(key)) {\n return args[key].toInt64();\n }\n return def;\n}", "project": "hhvm", "hash": 17903400214545544510873754006555387933, "size": 6, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219765 }, { "func": "static int compare_fields_by_table_order(Item *field1,\n Item *field2,\n void *table_join_idx)\n{\n int cmp= 0;\n bool outer_ref= 0;\n Item *field1_real= field1->real_item();\n Item *field2_real= field2->real_item();\n\n if (field1->const_item() || field1_real->const_item())\n return -1;\n if (field2->const_item() || field2_real->const_item())\n return 1;\n Item_field *f1= (Item_field *) field1_real;\n Item_field *f2= (Item_field *) field2_real;\n if (f1->used_tables() & OUTER_REF_TABLE_BIT)\n {\n outer_ref= 1;\n cmp= -1;\n }\n if (f2->used_tables() & OUTER_REF_TABLE_BIT)\n { \n outer_ref= 1;\n cmp++;\n }\n if (outer_ref)\n return cmp;\n JOIN_TAB **idx= (JOIN_TAB **) table_join_idx;\n \n JOIN_TAB *tab1= idx[f1->field->table->tablenr];\n JOIN_TAB *tab2= idx[f2->field->table->tablenr];\n \n /* \n if one of the table is inside a merged SJM nest and another one isn't,\n compare SJM bush roots of the tables.\n */\n if (tab1->bush_root_tab != tab2->bush_root_tab)\n {\n if (tab1->bush_root_tab)\n tab1= 
tab1->bush_root_tab;\n\n if (tab2->bush_root_tab)\n tab2= tab2->bush_root_tab;\n }\n \n cmp= (int)(tab1 - tab2);\n\n if (!cmp)\n {\n /* Fields f1, f2 belong to the same table */\n\n JOIN_TAB *tab= idx[f1->field->table->tablenr];\n uint keyno= MAX_KEY;\n if (tab->ref.key_parts)\n keyno= tab->ref.key;\n else if (tab->select && tab->select->quick)\n keyno = tab->select->quick->index;\n if (keyno != MAX_KEY)\n {\n if (f1->field->part_of_key.is_set(keyno))\n cmp= -1;\n if (f2->field->part_of_key.is_set(keyno))\n cmp++;\n /*\n Here:\n if both f1, f2 are components of the key tab->ref.key then cmp==0,\n if only f1 is a component of the key then cmp==-1 (f1 is better),\n if only f2 is a component of the key then cmp==1, (f2 is better),\n if none of f1,f1 is component of the key cmp==0.\n */ \n if (!cmp)\n {\n KEY *key_info= tab->table->key_info + keyno;\n for (uint i= 0; i < key_info->user_defined_key_parts; i++)\n\t{\n Field *fld= key_info->key_part[i].field;\n if (fld->eq(f1->field))\n\t {\n\t cmp= -1; // f1 is better\n break;\n }\n if (fld->eq(f2->field))\n\t {\n\t cmp= 1; // f2 is better\n break;\n }\n }\n } \n } \n if (!cmp) \n cmp= f1->field->field_index-f2->field->field_index;\n }\n return cmp < 0 ? -1 : (cmp ? 1 : 0);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 128711453874035814740935781777027933202, "size": 94, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508703 }, { "func": "static BOOL update_process_glyph(rdpContext* context, const BYTE* data, UINT32 cacheIndex, INT32* x,\n INT32* y, UINT32 cacheId, UINT32 flAccel, BOOL fOpRedundant,\n const RDP_RECT* bound)\n{\n\tINT32 sx = 0, sy = 0;\n\tINT32 dx, dy;\n\trdpGlyph* glyph;\n\trdpGlyphCache* glyph_cache;\n\n\tif (!context || !data || !x || !y || !context->graphics || !context->cache ||\n\t !context->cache->glyph)\n\t\treturn FALSE;\n\n\tglyph_cache = context->cache->glyph;\n\tglyph = glyph_cache_get(glyph_cache, cacheId, cacheIndex);\n\n\tif (!glyph)\n\t\treturn FALSE;\n\n\tdx = glyph->x + *x;\n\tdy = glyph->y + *y;\n\n\tif (dx < bound->x)\n\t{\n\t\tsx = bound->x - dx;\n\t\tdx = bound->x;\n\t}\n\n\tif (dy < bound->y)\n\t{\n\t\tsy = bound->y - dy;\n\t\tdy = bound->y;\n\t}\n\n\tif ((dx <= (bound->x + bound->width)) && (dy <= (bound->y + bound->height)))\n\t{\n\t\tINT32 dw = glyph->cx - sx;\n\t\tINT32 dh = glyph->cy - sy;\n\n\t\tif ((dw + dx) > (bound->x + bound->width))\n\t\t\tdw = (bound->x + bound->width) - (dw + dx);\n\n\t\tif ((dh + dy) > (bound->y + bound->height))\n\t\t\tdh = (bound->y + bound->height) - (dh + dy);\n\n\t\tif ((dh > 0) && (dw > 0))\n\t\t{\n\t\t\tif (!glyph->Draw(context, glyph, dx, dy, dw, dh, sx, sy, fOpRedundant))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\tif (flAccel & SO_CHAR_INC_EQUAL_BM_BASE)\n\t\t*x += glyph->cx;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 252789567983824172221791607717299929351, "size": 57, "commit_id": 
"c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 0, "dataset": "other", "idx": 432867 }, { "func": "static enum_func_status\nphp_mysqlnd_chg_user_read(void * _packet, MYSQLND_CONN_DATA * conn TSRMLS_DC)\n{\n\t/* There could be an error message */\n\tsize_t buf_len = conn->net->cmd_buffer.length;\n\tzend_uchar *buf = (zend_uchar *) conn->net->cmd_buffer.buffer;\n\tzend_uchar *p = buf;\n\tzend_uchar *begin = buf;\n\tMYSQLND_PACKET_CHG_USER_RESPONSE *packet= (MYSQLND_PACKET_CHG_USER_RESPONSE *) _packet;\n\n\tDBG_ENTER(\"php_mysqlnd_chg_user_read\");\n\n\tPACKET_READ_HEADER_AND_BODY(packet, conn, buf, buf_len, \"change user response\", PROT_CHG_USER_RESP_PACKET);\n\tBAIL_IF_NO_MORE_DATA;\n\n\t/*\n\t Don't increment. First byte is ERROR_MARKER on error, but otherwise is starting byte\n\t of encoded sequence for length.\n\t*/\n\n\t/* Should be always 0x0 or ERROR_MARKER for error */\n\tpacket->response_code = uint1korr(p);\n\tp++;\n\n\tif (packet->header.size == 1 && buf[0] == EODATA_MARKER && packet->server_capabilities & CLIENT_SECURE_CONNECTION) {\n\t\t/* We don't handle 3.23 authentication */\n\t\tpacket->server_asked_323_auth = TRUE;\n\t\tDBG_RETURN(FAIL);\n\t}\n\n\tif (ERROR_MARKER == packet->response_code) {\n\t\tphp_mysqlnd_read_error_from_line(p, packet->header.size - 1,\n\t\t\t\t\t\t\t\t\t\t packet->error_info.error,\n\t\t\t\t\t\t\t\t\t\t sizeof(packet->error_info.error),\n\t\t\t\t\t\t\t\t\t\t &packet->error_info.error_no,\n\t\t\t\t\t\t\t\t\t\t packet->error_info.sqlstate\n\t\t\t\t\t\t\t\t\t\t TSRMLS_CC);\n\t}\n\tBAIL_IF_NO_MORE_DATA;\n\tif (packet->response_code == 0xFE && packet->header.size > (size_t) (p - buf)) {\n\t\tpacket->new_auth_protocol = mnd_pestrdup((char *)p, FALSE);\n\t\tpacket->new_auth_protocol_len = strlen(packet->new_auth_protocol);\n\t\tp+= packet->new_auth_protocol_len + 1; /* +1 for the \\0 
*/\n\t\tpacket->new_auth_protocol_data_len = packet->header.size - (size_t) (p - buf);\n\t\tif (packet->new_auth_protocol_data_len) {\n\t\t\tpacket->new_auth_protocol_data = mnd_emalloc(packet->new_auth_protocol_data_len);\n\t\t\tmemcpy(packet->new_auth_protocol_data, p, packet->new_auth_protocol_data_len);\n\t\t}\n\t\tDBG_INF_FMT(\"The server requested switching auth plugin to : %s\", packet->new_auth_protocol);\n\t\tDBG_INF_FMT(\"Server salt : [%*s]\", packet->new_auth_protocol_data_len, packet->new_auth_protocol_data);\n\t}\n\n\tDBG_RETURN(PASS);\npremature_end:\n\tDBG_ERR_FMT(\"CHANGE_USER packet %d bytes shorter than expected\", p - begin - packet->header.size);\n\tphp_error_docref(NULL TSRMLS_CC, E_WARNING, \"CHANGE_USER packet \"MYSQLND_SZ_T_SPEC\" bytes shorter than expected\",\n\t\t\t\t\t\t p - begin - packet->header.size);\n\tDBG_RETURN(FAIL);", "project": "php-src", "hash": 236504724185603753222038495022724149942, "size": 58, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416691 }, { "func": "static u64 svm_read_l1_tsc(struct kvm_vcpu *vcpu, u64 host_tsc)\n{\n\tstruct vmcb *vmcb = get_host_vmcb(to_svm(vcpu));\n\treturn vmcb->control.tsc_offset +\n\t\tsvm_scale_tsc(vcpu, host_tsc);\n}", "project": "kvm", "hash": 32425671635116676675194837466919631240, "size": 6, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). 
However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437630 }, { "func": "static void free_kmem_cache_nodes(struct kmem_cache *s)\n{\n\tint node;\n\tstruct kmem_cache_node *n;\n\n\tfor_each_kmem_cache_node(s, node, n) {\n\t\ts->node[node] = NULL;\n\t\tkmem_cache_free(kmem_cache_node, n);\n\t}\n}", "project": "linux", "hash": 204152787817917486893107065202117904365, "size": 10, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from 
a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280226 }, { "func": "static void nfs_fixup_referral_attributes(struct nfs_fattr *fattr)\n{\n\tif (!(((fattr->valid & NFS_ATTR_FATTR_MOUNTED_ON_FILEID) ||\n\t (fattr->valid & NFS_ATTR_FATTR_FILEID)) &&\n\t (fattr->valid & NFS_ATTR_FATTR_FSID) &&\n\t (fattr->valid & NFS_ATTR_FATTR_V4_LOCATIONS)))\n\t\treturn;\n\n\tfattr->valid |= NFS_ATTR_FATTR_TYPE | NFS_ATTR_FATTR_MODE |\n\t\tNFS_ATTR_FATTR_NLINK | NFS_ATTR_FATTR_V4_REFERRAL;\n\tfattr->mode = S_IFDIR | S_IRUGO | S_IXUGO;\n\tfattr->nlink = 2;\n}", "project": "linux", "hash": 329138192066898203728990047321386858903, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431382 }, { "func": "R_API int r_str_replace_char(char *s, int a, int b) {\n\treturn r_str_replace_ch (s, a, b, true);\n}", "project": "radare2", "hash": 263632803559149745584759779304532622517, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download 
(#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269007 }, { "func": "int pep_write(struct sock *sk, struct sk_buff *skb)\n{\n\tstruct sk_buff *rskb, *fs;\n\tint flen = 0;\n\n\tif (pep_sk(sk)->aligned)\n\t\treturn pipe_skb_send(sk, skb);\n\n\trskb = alloc_skb(MAX_PNPIPE_HEADER, GFP_ATOMIC);\n\tif (!rskb) {\n\t\tkfree_skb(skb);\n\t\treturn -ENOMEM;\n\t}\n\tskb_shinfo(rskb)->frag_list = skb;\n\trskb->len += skb->len;\n\trskb->data_len += rskb->len;\n\trskb->truesize += rskb->len;\n\n\t/* Avoid nested fragments */\n\tskb_walk_frags(skb, fs)\n\t\tflen += fs->len;\n\tskb->next = skb_shinfo(skb)->frag_list;\n\tskb_frag_list_init(skb);\n\tskb->len -= flen;\n\tskb->data_len -= flen;\n\tskb->truesize -= flen;\n\n\tskb_reserve(rskb, MAX_PHONET_HEADER + 3);\n\treturn pipe_skb_send(sk, rskb);\n}", "project": "linux", "hash": 111559511717979359744026563927087226682, "size": 30, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": 
"phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224825 }, { "func": "static int verify_checksums(struct archive_read* a) {\n\tint verify_crc;\n\tstruct rar5* rar = get_context(a);\n\n\t/* Check checksums only when actually unpacking the data. There's no\n\t * need to calculate checksum when we're skipping data in solid archives\n\t * (skipping in solid archives is the same thing as unpacking compressed\n\t * data and discarding the result). */\n\n\tif(!rar->skip_mode) {\n\t\t/* Always check checksums if we're not in skip mode */\n\t\tverify_crc = 1;\n\t} else {\n\t\t/* We can override the logic above with a compile-time option\n\t\t * NO_CRC_ON_SOLID_SKIP. This option is used during debugging,\n\t\t * and it will check checksums of unpacked data even when\n\t\t * we're skipping it. */\n\n#if defined CHECK_CRC_ON_SOLID_SKIP\n\t\t/* Debug case */\n\t\tverify_crc = 1;\n#else\n\t\t/* Normal case */\n\t\tverify_crc = 0;\n#endif\n\t}\n\n\tif(verify_crc) {\n\t\t/* During unpacking, on each unpacked block we're calling the\n\t\t * update_crc() function. Since we are here, the unpacking\n\t\t * process is already over and we can check if calculated\n\t\t * checksum (CRC32 or BLAKE2sp) is the same as what is stored\n\t\t * in the archive. */\n\t\tif(rar->file.stored_crc32 > 0) {\n\t\t\t/* Check CRC32 only when the file contains a CRC32\n\t\t\t * value for this file. */\n\n\t\t\tif(rar->file.calculated_crc32 !=\n\t\t\t rar->file.stored_crc32) {\n\t\t\t\t/* Checksums do not match; the unpacked file\n\t\t\t\t * is corrupted. 
*/\n\n\t\t\t\tDEBUG_CODE {\n\t\t\t\t\tprintf(\"Checksum error: CRC32 \"\n\t\t\t\t\t \"(was: %08x, expected: %08x)\\n\",\n\t\t\t\t\t rar->file.calculated_crc32,\n\t\t\t\t\t rar->file.stored_crc32);\n\t\t\t\t}\n\n#ifndef DONT_FAIL_ON_CRC_ERROR\n\t\t\t\tarchive_set_error(&a->archive,\n\t\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t\t \"Checksum error: CRC32\");\n\t\t\t\treturn ARCHIVE_FATAL;\n#endif\n\t\t\t} else {\n\t\t\t\tDEBUG_CODE {\n\t\t\t\t\tprintf(\"Checksum OK: CRC32 \"\n\t\t\t\t\t \"(%08x/%08x)\\n\",\n\t\t\t\t\t rar->file.stored_crc32,\n\t\t\t\t\t rar->file.calculated_crc32);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif(rar->file.has_blake2 > 0) {\n\t\t\t/* BLAKE2sp is an optional checksum algorithm that is\n\t\t\t * added to RARv5 archives when using the `-htb` switch\n\t\t\t * during creation of archive.\n\t\t\t *\n\t\t\t * We now finalize the hash calculation by calling the\n\t\t\t * `final` function. This will generate the final hash\n\t\t\t * value we can use to compare it with the BLAKE2sp\n\t\t\t * checksum that is stored in the archive.\n\t\t\t *\n\t\t\t * The return value of this `final` function is not\n\t\t\t * very helpful, as it guards only against improper use.\n \t\t\t * This is why we're explicitly ignoring it. */\n\n\t\t\tuint8_t b2_buf[32];\n\t\t\t(void) blake2sp_final(&rar->file.b2state, b2_buf, 32);\n\n\t\t\tif(memcmp(&rar->file.blake2sp, b2_buf, 32) != 0) {\n#ifndef DONT_FAIL_ON_CRC_ERROR\n\t\t\t\tarchive_set_error(&a->archive,\n\t\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t\t \"Checksum error: BLAKE2\");\n\n\t\t\t\treturn ARCHIVE_FATAL;\n#endif\n\t\t\t}\n\t\t}\n\t}\n\n\t/* Finalization for this file has been successfully completed. */\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 115184108419055193809027375858336249774, "size": 97, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. 
Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244697 }, { "func": "static void sanitize_global_limit(unsigned *limit)\n{\n\t/*\n\t * The default maximum number of async requests is calculated to consume\n\t * 1/2^13 of the total memory, assuming 392 bytes per request.\n\t */\n\tif (*limit == 0)\n\t\t*limit = ((totalram_pages() << PAGE_SHIFT) >> 13) / 392;\n\n\tif (*limit >= 1 << 16)\n\t\t*limit = (1 << 16) - 1;\n}", "project": "linux", "hash": 50676690571394696044532464818460814694, "size": 12, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342064 }, { "func": "static int lizard_wrap_compress(const char* input, size_t input_length,\n char* output, size_t maxout, int clevel) {\n int cbytes;\n cbytes = Lizard_compress(input, output, (int)input_length, (int)maxout,\n clevel);\n return cbytes;\n}", "project": "c-blosc2", "hash": 246090814407038628326382952439745693291, "size": 7, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303092 }, { "func": "uint check_join_cache_usage(JOIN_TAB *tab,\n ulonglong options,\n uint no_jbuf_after,\n uint table_index,\n JOIN_TAB *prev_tab)\n{\n Cost_estimate cost;\n uint flags= 0;\n ha_rows rows= 0;\n uint bufsz= 4096;\n JOIN_CACHE *prev_cache=0;\n JOIN *join= tab->join;\n MEM_ROOT *root= join->thd->mem_root;\n uint cache_level= tab->used_join_cache_level;\n bool force_unlinked_cache=\n !(join->allowed_join_cache_types & JOIN_CACHE_INCREMENTAL_BIT);\n bool no_hashed_cache=\n !(join->allowed_join_cache_types & JOIN_CACHE_HASHED_BIT);\n bool no_bka_cache= \n !(join->allowed_join_cache_types & JOIN_CACHE_BKA_BIT);\n\n join->return_tab= 0;\n\n /*\n Don't use join cache if @@join_cache_level==0 or this table is the first\n one join suborder (either at top level or inside a bush)\n */\n if (cache_level == 0 || !prev_tab)\n return 0;\n\n if (force_unlinked_cache && (cache_level%2 == 0))\n cache_level--;\n\n if (options & SELECT_NO_JOIN_CACHE)\n goto no_join_cache;\n\n if (tab->use_quick == 2)\n goto no_join_cache;\n\n if (tab->table->map & join->complex_firstmatch_tables)\n goto no_join_cache;\n \n /*\n Don't use join cache if we're 
inside a join tab range covered by LooseScan\n strategy (TODO: LooseScan is very similar to FirstMatch so theoretically it \n should be possible to use join buffering in the same way we're using it for\n multi-table firstmatch ranges).\n */\n if (tab->inside_loosescan_range)\n goto no_join_cache;\n\n if (tab->is_inner_table_of_semijoin() &&\n !join->allowed_semijoin_with_cache)\n goto no_join_cache;\n if (tab->is_inner_table_of_outer_join() &&\n !join->allowed_outer_join_with_cache)\n goto no_join_cache;\n\n /*\n Non-linked join buffers can't guarantee one match\n */\n if (tab->is_nested_inner())\n {\n if (force_unlinked_cache || cache_level == 1)\n goto no_join_cache;\n if (cache_level & 1)\n cache_level--;\n }\n \n /*\n Don't use BKA for materialized tables. We could actually have a\n meaningful use of BKA when linked join buffers are used.\n\n The problem is, the temp.table is not filled (actually not even opened\n properly) yet, and this doesn't let us call\n handler->multi_range_read_info(). It is possible to come up with\n estimates, etc. 
without acessing the table, but it seems not to worth the\n effort now.\n */\n if (tab->table->pos_in_table_list->is_materialized_derived())\n {\n no_bka_cache= true;\n /*\n Don't use hash join algorithm if the temporary table for the rows\n of the derived table will be created with an equi-join key.\n */\n if (tab->table->s->keys)\n no_hashed_cache= true;\n }\n\n /*\n Don't use join buffering if we're dictated not to by no_jbuf_after\n (This is not meaningfully used currently)\n */\n if (table_index > no_jbuf_after)\n goto no_join_cache;\n \n /*\n TODO: BNL join buffer should be perfectly ok with tab->bush_children.\n */\n if (tab->loosescan_match_tab || tab->bush_children)\n goto no_join_cache;\n\n for (JOIN_TAB *first_inner= tab->first_inner; first_inner;\n first_inner= first_inner->first_upper)\n {\n if (first_inner != tab && \n (!first_inner->use_join_cache || !(tab-1)->use_join_cache))\n goto no_join_cache;\n }\n if (tab->first_sj_inner_tab && tab->first_sj_inner_tab != tab &&\n (!tab->first_sj_inner_tab->use_join_cache || !(tab-1)->use_join_cache))\n goto no_join_cache;\n if (!prev_tab->use_join_cache)\n {\n /* \n Check whether table tab and the previous one belong to the same nest of\n inner tables and if so do not use join buffer when joining table tab. 
\n */\n if (tab->first_inner && tab != tab->first_inner)\n {\n for (JOIN_TAB *first_inner= tab[-1].first_inner;\n first_inner;\n first_inner= first_inner->first_upper)\n {\n if (first_inner == tab->first_inner)\n goto no_join_cache;\n }\n }\n else if (tab->first_sj_inner_tab && tab != tab->first_sj_inner_tab &&\n tab->first_sj_inner_tab == tab[-1].first_sj_inner_tab)\n goto no_join_cache; \n } \n\n prev_cache= prev_tab->cache;\n\n switch (tab->type) {\n case JT_ALL:\n if (cache_level == 1)\n prev_cache= 0;\n if ((tab->cache= new (root) JOIN_CACHE_BNL(join, tab, prev_cache)))\n {\n tab->icp_other_tables_ok= FALSE;\n /* If make_join_select() hasn't called make_scan_filter(), do it now */\n if (!tab->cache_select && tab->make_scan_filter())\n goto no_join_cache;\n return (2 - MY_TEST(!prev_cache));\n }\n goto no_join_cache;\n case JT_SYSTEM:\n case JT_CONST:\n case JT_REF:\n case JT_EQ_REF:\n if (cache_level <=2 || (no_hashed_cache && no_bka_cache))\n goto no_join_cache;\n if (tab->ref.is_access_triggered())\n goto no_join_cache;\n\n if (!tab->is_ref_for_hash_join() && !no_bka_cache)\n {\n flags= HA_MRR_NO_NULL_ENDPOINTS | HA_MRR_SINGLE_POINT;\n if (tab->table->covering_keys.is_set(tab->ref.key))\n flags|= HA_MRR_INDEX_ONLY;\n rows= tab->table->file->multi_range_read_info(tab->ref.key, 10, 20,\n tab->ref.key_parts,\n &bufsz, &flags, &cost);\n }\n\n if ((cache_level <=4 && !no_hashed_cache) || no_bka_cache ||\n tab->is_ref_for_hash_join() ||\n\t((flags & HA_MRR_NO_ASSOCIATION) && cache_level <=6))\n {\n if (!tab->hash_join_is_possible() ||\n tab->make_scan_filter())\n goto no_join_cache;\n if (cache_level == 3)\n prev_cache= 0;\n if ((tab->cache= new (root) JOIN_CACHE_BNLH(join, tab, prev_cache)))\n {\n tab->icp_other_tables_ok= FALSE; \n return (4 - MY_TEST(!prev_cache));\n }\n goto no_join_cache;\n }\n if (cache_level > 4 && no_bka_cache)\n goto no_join_cache;\n \n if ((flags & HA_MRR_NO_ASSOCIATION) &&\n\t(cache_level <= 6 || no_hashed_cache))\n goto 
no_join_cache;\n\n if ((rows != HA_POS_ERROR) && !(flags & HA_MRR_USE_DEFAULT_IMPL))\n {\n if (cache_level <= 6 || no_hashed_cache)\n {\n if (cache_level == 5)\n prev_cache= 0;\n if ((tab->cache= new (root) JOIN_CACHE_BKA(join, tab, flags, prev_cache)))\n return (6 - MY_TEST(!prev_cache));\n goto no_join_cache;\n }\n else\n {\n if (cache_level == 7)\n prev_cache= 0;\n if ((tab->cache= new (root) JOIN_CACHE_BKAH(join, tab, flags, prev_cache)))\n\t{\n tab->idx_cond_fact_out= FALSE;\n return (8 - MY_TEST(!prev_cache));\n }\n goto no_join_cache;\n }\n }\n goto no_join_cache;\n default : ;\n }\n\nno_join_cache:\n if (tab->type != JT_ALL && tab->is_ref_for_hash_join())\n {\n tab->type= JT_ALL;\n tab->ref.key_parts= 0;\n }\n revise_cache_usage(tab); \n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 29466455415898355143930817223686493492, "size": 226, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508520 }, { "func": " static Item_cache* get_cache(THD *thd, const Item* item,\n const Item_result type)\n {\n return get_cache(thd, item, type, item->field_type());\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 231423820832676583118452028415746891866, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509062 }, { "func": " static Item_cache* get_cache(THD *thd, const Item *item)\n {\n return get_cache(thd, item, item->cmp_type());\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 193968543518614701582202838336954182549, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509350 }, { "func": "static void exif_process_APP12(image_info_type *ImageInfo,\n char *buffer, size_t length) {\n size_t l1, l2=0;\n if ((l1 = php_strnlen(buffer+2, length-2)) > 0) {\n exif_iif_add_tag(ImageInfo, SECTION_APP12, \"Company\",\n TAG_NONE, TAG_FMT_STRING, l1, buffer+2);\n if (length > 2+l1+1) {\n l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);\n exif_iif_add_tag(ImageInfo, SECTION_APP12, \"Info\",\n TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1);\n }\n }\n}", "project": "hhvm", "hash": 10589713427808692308365245863221209685, "size": 13, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219679 }, { "func": "void CServerBan::InitServerBan(IConsole *pConsole, IStorage *pStorage, CServer* pServer)\n{\n\tCNetBan::Init(pConsole, pStorage);\n\n\tm_pServer = pServer;\n\n\t// overwrites base command, todo: improve this\n\tConsole()->Register(\"ban\", \"s[id|ip|range] ?i[minutes] r[reason]\", CFGFLAG_SERVER|CFGFLAG_STORE, ConBanExt, this, \"Ban player with IP/IP range/client id for x minutes for any reason\");\n}", "project": "teeworlds", "hash": 189630398119913327894186223337313390579, "size": 9, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382053 }, { "func": "static u8 create_instance_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr)\n{\n\tstruct adv_info *adv_instance = NULL;\n\tu8 ad_len = 0, flags = 0;\n\tu32 instance_flags;\n\n\t/* Return 0 when the current instance identifier is invalid. 
*/\n\tif (instance) {\n\t\tadv_instance = hci_find_adv_instance(hdev, instance);\n\t\tif (!adv_instance)\n\t\t\treturn 0;\n\t}\n\n\tinstance_flags = get_adv_instance_flags(hdev, instance);\n\n\t/* If instance already has the flags set skip adding it once\n\t * again.\n\t */\n\tif (adv_instance && eir_get_data(adv_instance->adv_data,\n\t\t\t\t\t adv_instance->adv_data_len, EIR_FLAGS,\n\t\t\t\t\t NULL))\n\t\tgoto skip_flags;\n\n\t/* The Add Advertising command allows userspace to set both the general\n\t * and limited discoverable flags.\n\t */\n\tif (instance_flags & MGMT_ADV_FLAG_DISCOV)\n\t\tflags |= LE_AD_GENERAL;\n\n\tif (instance_flags & MGMT_ADV_FLAG_LIMITED_DISCOV)\n\t\tflags |= LE_AD_LIMITED;\n\n\tif (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))\n\t\tflags |= LE_AD_NO_BREDR;\n\n\tif (flags || (instance_flags & MGMT_ADV_FLAG_MANAGED_FLAGS)) {\n\t\t/* If a discovery flag wasn't provided, simply use the global\n\t\t * settings.\n\t\t */\n\t\tif (!flags)\n\t\t\tflags |= mgmt_get_adv_discov_flags(hdev);\n\n\t\t/* If flags would still be empty, then there is no need to\n\t\t * include the \"Flags\" AD field\".\n\t\t */\n\t\tif (flags) {\n\t\t\tptr[0] = 0x02;\n\t\t\tptr[1] = EIR_FLAGS;\n\t\t\tptr[2] = flags;\n\n\t\t\tad_len += 3;\n\t\t\tptr += 3;\n\t\t}\n\t}\n\nskip_flags:\n\tif (adv_instance) {\n\t\tmemcpy(ptr, adv_instance->adv_data,\n\t\t adv_instance->adv_data_len);\n\t\tad_len += adv_instance->adv_data_len;\n\t\tptr += adv_instance->adv_data_len;\n\t}\n\n\tif (instance_flags & MGMT_ADV_FLAG_TX_POWER) {\n\t\ts8 adv_tx_power;\n\n\t\tif (ext_adv_capable(hdev)) {\n\t\t\tif (adv_instance)\n\t\t\t\tadv_tx_power = adv_instance->tx_power;\n\t\t\telse\n\t\t\t\tadv_tx_power = hdev->adv_tx_power;\n\t\t} else {\n\t\t\tadv_tx_power = hdev->adv_tx_power;\n\t\t}\n\n\t\t/* Provide Tx Power only if we can provide a valid value for it */\n\t\tif (adv_tx_power != HCI_TX_POWER_INVALID) {\n\t\t\tptr[0] = 0x02;\n\t\t\tptr[1] = EIR_TX_POWER;\n\t\t\tptr[2] = 
(u8)adv_tx_power;\n\n\t\t\tad_len += 3;\n\t\t\tptr += 3;\n\t\t}\n\t}\n\n\treturn ad_len;\n}", "project": "linux", "hash": 187042804827397600480139150407794973498, "size": 88, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402573 }, { "func": "static void tipc_node_delete(struct tipc_node *node)\n{\n\ttrace_tipc_node_delete(node, true, \" \");\n\ttipc_node_delete_from_list(node);\n\n\tdel_timer_sync(&node->timer);\n\ttipc_node_put(node);\n}", "project": "linux", "hash": 45912596991173175334127210104406932711, "size": 8, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google 
Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 
0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364916 }, { "func": "int imap_mailbox_status(struct Mailbox *m, bool queue)\n{\n struct ImapAccountData *adata = imap_adata_get(m);\n struct ImapMboxData *mdata = imap_mdata_get(m);\n if (!adata || !mdata)\n return -1;\n return imap_status(adata, mdata, queue);\n}", "project": "neomutt", "hash": 280273820675254518348690223643399235530, "size": 8, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357002 }, { "func": "static int copy_tiles_backward_pass(void) {\n\tint x, y, n, m;\n\tint diffs = 0, ct;\n\n\tif (unixpw_in_progress) return 0;\n\n\tfor (y = ntiles_y - 1; y >= 0; y--) {\n\t for (x = ntiles_x - 1; x >= 0; x--) {\n\t\tn = x + y * ntiles_x;\t\t/* number of this tile */\n\n\t\tif (! tile_has_diff[n]) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tm = x + (y-1) * ntiles_x;\t/* neighboring tile upward */\n\n\t\tif (y >= 1 && ! tile_has_diff[m] && tile_region[n].top_diff) {\n\t\t\tif (! tile_tried[m]) {\n\t\t\t\ttile_has_diff[m] = 2;\n\t\t\t\tct = copy_tiles(x, y-1, 1);\n\t\t\t\tif (ct < 0) return ct;\t/* fatal */\n\t\t\t}\n\t\t}\n\n\t\tm = (x-1) + y * ntiles_x;\t/* neighboring tile to left */\n\n\t\tif (x >= 1 && ! tile_has_diff[m] && tile_region[n].left_diff) {\n\t\t\tif (! 
tile_tried[m]) {\n\t\t\t\ttile_has_diff[m] = 2;\n\t\t\t\tct = copy_tiles(x-1, y, 1);\n\t\t\t\tif (ct < 0) return ct;\t/* fatal */\n\t\t\t}\n\t\t}\n\t }\n\t}\n\tfor (n=0; n < ntiles; n++) {\n\t\tif (tile_has_diff[n]) {\n\t\t\tdiffs++;\n\t\t}\n\t}\n\treturn diffs;\n}", "project": "x11vnc", "hash": 227103239452127571653015307764363098483, "size": 42, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360793 }, { "func": " bool parseValue(bool array_elem = false) {\n auto const ch = *p++;\n if (ch == '{') return parseMixed();\n else if (ch == '[') return parsePacked();\n else if (ch == '\\\"') return parseString();\n else if ((ch >= '0' && ch <= '9') ||\n ch == '-') return parseNumber(ch, array_elem);\n else if (ch == 't') return parseRue();\n else if (ch == 'f') return parseAlse();\n else if (ch == 'n') return parseUll();\n else if (isSpace(ch)) {\n skipSpace();\n return parseValue(array_elem);\n }\n else return false;\n }", "project": "hhvm", "hash": 433694658593148248155752093953786375, "size": 16, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227283 }, { "func": "static int vcf_parse_format(kstring_t *s, const bcf_hdr_t *h, bcf1_t *v, char *p, char *q)\n{\n if ( !bcf_hdr_nsamples(h) ) return 0;\n\n static int extreme_val_warned = 0;\n char *r, *t;\n int j, l, m, g, overflow = 0;\n khint_t k;\n ks_tokaux_t aux1;\n vdict_t *d = (vdict_t*)h->dict[BCF_DT_ID];\n kstring_t *mem = (kstring_t*)&h->mem;\n fmt_aux_t fmt[MAX_N_FMT];\n mem->l = 0;\n\n char *end = s->s + s->l;\n 
if ( q>=end )\n {\n hts_log_error(\"FORMAT column with no sample columns starting at %s:%\"PRIhts_pos\"\", bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_NCOLS;\n return -1;\n }\n\n v->n_fmt = 0;\n if ( p[0]=='.' && p[1]==0 ) // FORMAT field is empty \".\"\n {\n v->n_sample = bcf_hdr_nsamples(h);\n return 0;\n }\n\n // get format information from the dictionary\n for (j = 0, t = kstrtok(p, \":\", &aux1); t; t = kstrtok(0, 0, &aux1), ++j) {\n if (j >= MAX_N_FMT) {\n v->errcode |= BCF_ERR_LIMITS;\n hts_log_error(\"FORMAT column at %s:%\"PRIhts_pos\" lists more identifiers than htslib can handle\",\n bcf_seqname_safe(h,v), v->pos+1);\n return -1;\n }\n\n *(char*)aux1.p = 0;\n k = kh_get(vdict, d, t);\n if (k == kh_end(d) || kh_val(d, k).info[BCF_HL_FMT] == 15) {\n if ( t[0]=='.' && t[1]==0 )\n {\n hts_log_error(\"Invalid FORMAT tag name '.' at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_TAG_INVALID;\n return -1;\n }\n hts_log_warning(\"FORMAT '%s' at %s:%\"PRIhts_pos\" is not defined in the header, assuming Type=String\", t, bcf_seqname_safe(h,v), v->pos+1);\n kstring_t tmp = {0,0,0};\n int l;\n ksprintf(&tmp, \"##FORMAT=\", t);\n bcf_hrec_t *hrec = bcf_hdr_parse_line(h,tmp.s,&l);\n free(tmp.s);\n int res = hrec ? 
bcf_hdr_add_hrec((bcf_hdr_t*)h, hrec) : -1;\n if (res < 0) bcf_hrec_destroy(hrec);\n if (res > 0) res = bcf_hdr_sync((bcf_hdr_t*)h);\n\n k = kh_get(vdict, d, t);\n v->errcode = BCF_ERR_TAG_UNDEF;\n if (res || k == kh_end(d)) {\n hts_log_error(\"Could not add dummy header for FORMAT '%s' at %s:%\"PRIhts_pos, t, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_TAG_INVALID;\n return -1;\n }\n }\n fmt[j].max_l = fmt[j].max_m = fmt[j].max_g = 0;\n fmt[j].key = kh_val(d, k).id;\n fmt[j].is_gt = !strcmp(t, \"GT\");\n fmt[j].y = h->id[0][fmt[j].key].val->info[BCF_HL_FMT];\n v->n_fmt++;\n }\n // compute max\n int n_sample_ori = -1;\n r = q + 1; // r: position in the format string\n l = 0, m = g = 1, v->n_sample = 0; // m: max vector size, l: max field len, g: max number of alleles\n while ( rkeep_samples )\n {\n n_sample_ori++;\n if ( !bit_array_test(h->keep_samples,n_sample_ori) )\n {\n while ( *r!='\\t' && ris_gt) g++;\n break;\n\n case '\\t':\n *r = 0; // fall through\n\n case '\\0':\n case ':':\n if (f->max_m < m) f->max_m = m;\n if (f->max_l < l) f->max_l = l;\n if (f->is_gt && f->max_g < g) f->max_g = g;\n l = 0, m = g = 1;\n if ( *r==':' ) {\n j++; f++;\n if ( j>=v->n_fmt ) {\n hts_log_error(\"Incorrect number of FORMAT fields at %s:%\"PRIhts_pos\"\",\n h->id[BCF_DT_CTG][v->rid].key, v->pos+1);\n v->errcode |= BCF_ERR_NCOLS;\n return -1;\n }\n } else goto end_for;\n break;\n }\n if ( r>=end ) break;\n r++; l++;\n }\n end_for:\n v->n_sample++;\n if ( v->n_sample == bcf_hdr_nsamples(h) ) break;\n r++;\n }\n\n // allocate memory for arrays\n for (j = 0; j < v->n_fmt; ++j) {\n fmt_aux_t *f = &fmt[j];\n if ( !f->max_m ) f->max_m = 1; // omitted trailing format field\n if ((f->y>>4&0xf) == BCF_HT_STR) {\n f->size = f->is_gt? 
f->max_g << 2 : f->max_l;\n } else if ((f->y>>4&0xf) == BCF_HT_REAL || (f->y>>4&0xf) == BCF_HT_INT) {\n f->size = f->max_m << 2;\n } else\n {\n hts_log_error(\"The format type %d at %s:%\"PRIhts_pos\" is currently not supported\", f->y>>4&0xf, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_TAG_INVALID;\n return -1;\n }\n if (align_mem(mem) < 0) {\n hts_log_error(\"Memory allocation failure at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_LIMITS;\n return -1;\n }\n f->offset = mem->l;\n\n // Limit the total memory to ~2Gb per VCF row. This should mean\n // malformed VCF data is less likely to take excessive memory and/or\n // time.\n if (v->n_sample * (uint64_t)f->size > INT_MAX) {\n hts_log_error(\"Excessive memory required by FORMAT fields at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_LIMITS;\n return -1;\n }\n if (ks_resize(mem, mem->l + v->n_sample * (size_t)f->size) < 0) {\n hts_log_error(\"Memory allocation failure at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_LIMITS;\n return -1;\n }\n mem->l += v->n_sample * f->size;\n }\n for (j = 0; j < v->n_fmt; ++j)\n fmt[j].buf = (uint8_t*)mem->s + fmt[j].offset;\n // fill the sample fields; at beginning of the loop, t points to the first char of a format\n n_sample_ori = -1;\n t = q + 1; m = 0; // m: sample id\n while ( tkeep_samples )\n {\n n_sample_ori++;\n if ( !bit_array_test(h->keep_samples,n_sample_ori) )\n {\n while ( *t && tbuf) {\n hts_log_error(\"Memory allocation failure for FORMAT field type %d at %s:%\"PRIhts_pos,\n z->y>>4&0xf, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_LIMITS;\n return -1;\n }\n if ((z->y>>4&0xf) == BCF_HT_STR) {\n if (z->is_gt) { // genotypes\n int32_t is_phased = 0;\n uint32_t *x = (uint32_t*)(z->buf + z->size * (size_t)m);\n uint32_t unreadable = 0;\n uint32_t max = 0;\n overflow = 0;\n for (l = 0;; ++t) {\n if (*t == '.') {\n ++t, x[l++] = is_phased;\n } else {\n 
char *tt = t;\n uint32_t val = hts_str2uint(t, &t, sizeof(val) * CHAR_MAX - 2, &overflow);\n unreadable |= tt == t;\n if (max < val) max = val;\n x[l++] = (val + 1) << 1 | is_phased;\n }\n is_phased = (*t == '|');\n if (*t != '|' && *t != '/') break;\n }\n // Possibly check max against v->n_allele instead?\n if (overflow || max > (INT32_MAX >> 1) - 1) {\n hts_log_error(\"Couldn't read GT data: value too large at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n return -1;\n }\n if (unreadable) {\n hts_log_error(\"Couldn't read GT data: value not a number or '.' at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n return -1;\n }\n if ( !l ) x[l++] = 0; // An empty field, insert missing value\n for (; l < z->size>>2; ++l) x[l] = bcf_int32_vector_end;\n } else {\n char *x = (char*)z->buf + z->size * (size_t)m;\n for (r = t, l = 0; *t != ':' && *t; ++t) x[l++] = *t;\n for (; l < z->size; ++l) x[l] = 0;\n }\n } else if ((z->y>>4&0xf) == BCF_HT_INT) {\n int32_t *x = (int32_t*)(z->buf + z->size * (size_t)m);\n for (l = 0;; ++t) {\n if (*t == '.') {\n x[l++] = bcf_int32_missing, ++t; // ++t to skip \".\"\n } else {\n overflow = 0;\n char *te;\n long int tmp_val = hts_str2int(t, &te, sizeof(tmp_val)*CHAR_BIT, &overflow);\n if ( te==t || overflow || tmp_valBCF_MAX_BT_INT32 )\n {\n if ( !extreme_val_warned )\n {\n hts_log_warning(\"Extreme FORMAT/%s value encountered and set to missing at %s:%\"PRIhts_pos, h->id[BCF_DT_ID][fmt[j-1].key].key, bcf_seqname_safe(h,v), v->pos+1);\n extreme_val_warned = 1;\n }\n tmp_val = bcf_int32_missing;\n }\n x[l++] = tmp_val;\n t = te;\n }\n if (*t != ',') break;\n }\n if ( !l ) x[l++] = bcf_int32_missing;\n for (; l < z->size>>2; ++l) x[l] = bcf_int32_vector_end;\n } else if ((z->y>>4&0xf) == BCF_HT_REAL) {\n float *x = (float*)(z->buf + z->size * (size_t)m);\n for (l = 0;; ++t) {\n if (*t == '.' 
&& !isdigit_c(t[1])) {\n bcf_float_set_missing(x[l++]), ++t; // ++t to skip \".\"\n } else {\n overflow = 0;\n char *te;\n float tmp_val = hts_str2dbl(t, &te, &overflow);\n if ( (te==t || overflow) && !extreme_val_warned )\n {\n hts_log_warning(\"Extreme FORMAT/%s value encountered at %s:%\"PRIhts_pos, h->id[BCF_DT_ID][fmt[j-1].key].key, bcf_seqname(h,v), v->pos+1);\n extreme_val_warned = 1;\n }\n x[l++] = tmp_val;\n t = te;\n }\n if (*t != ',') break;\n }\n if ( !l ) bcf_float_set_missing(x[l++]); // An empty field, insert missing value\n for (; l < z->size>>2; ++l) bcf_float_set_vector_end(x[l]);\n } else {\n hts_log_error(\"Unknown FORMAT field type %d at %s:%\"PRIhts_pos, z->y>>4&0xf, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_TAG_INVALID;\n return -1;\n }\n\n if (*t == '\\0') {\n break;\n }\n else if (*t == ':') {\n t++;\n }\n else {\n char buffer[8];\n hts_log_error(\"Invalid character %s in '%s' FORMAT field at %s:%\"PRIhts_pos\"\",\n hts_strprint(buffer, sizeof buffer, '\\'', t, 1),\n h->id[BCF_DT_ID][z->key].key, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_CHAR;\n return -1;\n }\n }\n\n for (; j < v->n_fmt; ++j) { // fill end-of-vector values\n fmt_aux_t *z = &fmt[j];\n if ((z->y>>4&0xf) == BCF_HT_STR) {\n if (z->is_gt) {\n int32_t *x = (int32_t*)(z->buf + z->size * (size_t)m);\n if (z->size) x[0] = bcf_int32_missing;\n for (l = 1; l < z->size>>2; ++l) x[l] = bcf_int32_vector_end;\n } else {\n char *x = (char*)z->buf + z->size * (size_t)m;\n if ( z->size ) x[0] = '.';\n for (l = 1; l < z->size; ++l) x[l] = 0;\n }\n } else if ((z->y>>4&0xf) == BCF_HT_INT) {\n int32_t *x = (int32_t*)(z->buf + z->size * (size_t)m);\n x[0] = bcf_int32_missing;\n for (l = 1; l < z->size>>2; ++l) x[l] = bcf_int32_vector_end;\n } else if ((z->y>>4&0xf) == BCF_HT_REAL) {\n float *x = (float*)(z->buf + z->size * (size_t)m);\n bcf_float_set_missing(x[0]);\n for (l = 1; l < z->size>>2; ++l) bcf_float_set_vector_end(x[l]);\n }\n }\n\n m++; t++;\n }\n\n // 
write individual genotype information\n kstring_t *str = &v->indiv;\n int i;\n if (v->n_sample > 0) {\n for (i = 0; i < v->n_fmt; ++i) {\n fmt_aux_t *z = &fmt[i];\n bcf_enc_int1(str, z->key);\n if ((z->y>>4&0xf) == BCF_HT_STR && !z->is_gt) {\n bcf_enc_size(str, z->size, BCF_BT_CHAR);\n kputsn((char*)z->buf, z->size * (size_t)v->n_sample, str);\n } else if ((z->y>>4&0xf) == BCF_HT_INT || z->is_gt) {\n bcf_enc_vint(str, (z->size>>2) * v->n_sample, (int32_t*)z->buf, z->size>>2);\n } else {\n bcf_enc_size(str, z->size>>2, BCF_BT_FLOAT);\n if (serialize_float_array(str, (z->size>>2) * (size_t)v->n_sample,\n (float *) z->buf) != 0) {\n v->errcode |= BCF_ERR_LIMITS;\n hts_log_error(\"Out of memory at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n return -1;\n }\n }\n }\n }\n\n if ( v->n_sample!=bcf_hdr_nsamples(h) )\n {\n hts_log_error(\"Number of columns at %s:%\"PRIhts_pos\" does not match the number of samples (%d vs %d)\",\n bcf_seqname_safe(h,v), v->pos+1, v->n_sample, bcf_hdr_nsamples(h));\n v->errcode |= BCF_ERR_NCOLS;\n return -1;\n }\n if ( v->indiv.l > 0xffffffff )\n {\n hts_log_error(\"The FORMAT at %s:%\"PRIhts_pos\" is too long\", bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_LIMITS;\n\n // Error recovery: return -1 if this is a critical error or 0 if we want to ignore the FORMAT and proceed\n v->n_fmt = 0;\n return -1;\n }\n\n return 0;\n}", "project": "htslib", "hash": 315712016709704795623581796512547762288, "size": 371, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 1, "dataset": "other", "idx": 207837 }, { "func": "static int vcf_parse_format(kstring_t *s, const bcf_hdr_t *h, bcf1_t *v, char *p, char *q)\n{\n if ( !bcf_hdr_nsamples(h) ) return 0;\n\n static int extreme_val_warned = 0;\n char *r, *t;\n int j, l, m, g, overflow = 0;\n khint_t k;\n ks_tokaux_t aux1;\n vdict_t *d = (vdict_t*)h->dict[BCF_DT_ID];\n kstring_t *mem = (kstring_t*)&h->mem;\n fmt_aux_t fmt[MAX_N_FMT];\n mem->l = 0;\n\n char *end = s->s + s->l;\n if ( q>=end )\n {\n hts_log_error(\"FORMAT column with no sample columns starting at %s:%\"PRIhts_pos\"\", bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_NCOLS;\n return -1;\n }\n\n v->n_fmt = 0;\n if ( p[0]=='.' && p[1]==0 ) // FORMAT field is empty \".\"\n {\n v->n_sample = bcf_hdr_nsamples(h);\n return 0;\n }\n\n // get format information from the dictionary\n for (j = 0, t = kstrtok(p, \":\", &aux1); t; t = kstrtok(0, 0, &aux1), ++j) {\n if (j >= MAX_N_FMT) {\n v->errcode |= BCF_ERR_LIMITS;\n hts_log_error(\"FORMAT column at %s:%\"PRIhts_pos\" lists more identifiers than htslib can handle\",\n bcf_seqname_safe(h,v), v->pos+1);\n return -1;\n }\n\n *(char*)aux1.p = 0;\n k = kh_get(vdict, d, t);\n if (k == kh_end(d) || kh_val(d, k).info[BCF_HL_FMT] == 15) {\n if ( t[0]=='.' && t[1]==0 )\n {\n hts_log_error(\"Invalid FORMAT tag name '.' 
at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_TAG_INVALID;\n return -1;\n }\n hts_log_warning(\"FORMAT '%s' at %s:%\"PRIhts_pos\" is not defined in the header, assuming Type=String\", t, bcf_seqname_safe(h,v), v->pos+1);\n kstring_t tmp = {0,0,0};\n int l;\n ksprintf(&tmp, \"##FORMAT=\", t);\n bcf_hrec_t *hrec = bcf_hdr_parse_line(h,tmp.s,&l);\n free(tmp.s);\n int res = hrec ? bcf_hdr_add_hrec((bcf_hdr_t*)h, hrec) : -1;\n if (res < 0) bcf_hrec_destroy(hrec);\n if (res > 0) res = bcf_hdr_sync((bcf_hdr_t*)h);\n\n k = kh_get(vdict, d, t);\n v->errcode = BCF_ERR_TAG_UNDEF;\n if (res || k == kh_end(d)) {\n hts_log_error(\"Could not add dummy header for FORMAT '%s' at %s:%\"PRIhts_pos, t, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_TAG_INVALID;\n return -1;\n }\n }\n fmt[j].max_l = fmt[j].max_m = fmt[j].max_g = 0;\n fmt[j].key = kh_val(d, k).id;\n fmt[j].is_gt = !strcmp(t, \"GT\");\n fmt[j].y = h->id[0][fmt[j].key].val->info[BCF_HL_FMT];\n v->n_fmt++;\n }\n // compute max\n int n_sample_ori = -1;\n r = q + 1; // r: position in the format string\n l = 0, m = g = 1, v->n_sample = 0; // m: max vector size, l: max field len, g: max number of alleles\n while ( rkeep_samples )\n {\n n_sample_ori++;\n if ( !bit_array_test(h->keep_samples,n_sample_ori) )\n {\n while ( *r!='\\t' && ris_gt) g++;\n break;\n\n case '\\t':\n *r = 0; // fall through\n\n case '\\0':\n case ':':\n if (f->max_m < m) f->max_m = m;\n if (f->max_l < l) f->max_l = l;\n if (f->is_gt && f->max_g < g) f->max_g = g;\n l = 0, m = g = 1;\n if ( *r==':' ) {\n j++; f++;\n if ( j>=v->n_fmt ) {\n hts_log_error(\"Incorrect number of FORMAT fields at %s:%\"PRIhts_pos\"\",\n h->id[BCF_DT_CTG][v->rid].key, v->pos+1);\n v->errcode |= BCF_ERR_NCOLS;\n return -1;\n }\n } else goto end_for;\n break;\n }\n if ( r>=end ) break;\n r++; l++;\n }\n end_for:\n v->n_sample++;\n if ( v->n_sample == bcf_hdr_nsamples(h) ) break;\n r++;\n }\n\n // allocate memory for arrays\n for (j = 0; j 
< v->n_fmt; ++j) {\n fmt_aux_t *f = &fmt[j];\n if ( !f->max_m ) f->max_m = 1; // omitted trailing format field\n if ((f->y>>4&0xf) == BCF_HT_STR) {\n f->size = f->is_gt? f->max_g << 2 : f->max_l;\n } else if ((f->y>>4&0xf) == BCF_HT_REAL || (f->y>>4&0xf) == BCF_HT_INT) {\n f->size = f->max_m << 2;\n } else\n {\n hts_log_error(\"The format type %d at %s:%\"PRIhts_pos\" is currently not supported\", f->y>>4&0xf, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_TAG_INVALID;\n return -1;\n }\n if (align_mem(mem) < 0) {\n hts_log_error(\"Memory allocation failure at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_LIMITS;\n return -1;\n }\n\n // Limit the total memory to ~2Gb per VCF row. This should mean\n // malformed VCF data is less likely to take excessive memory and/or\n // time.\n if ((uint64_t) mem->l + v->n_sample * (uint64_t)f->size > INT_MAX) {\n hts_log_error(\"Excessive memory required by FORMAT fields at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_LIMITS;\n return -1;\n }\n\n f->offset = mem->l;\n if (ks_resize(mem, mem->l + v->n_sample * (size_t)f->size) < 0) {\n hts_log_error(\"Memory allocation failure at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_LIMITS;\n return -1;\n }\n mem->l += v->n_sample * f->size;\n }\n for (j = 0; j < v->n_fmt; ++j)\n fmt[j].buf = (uint8_t*)mem->s + fmt[j].offset;\n // fill the sample fields; at beginning of the loop, t points to the first char of a format\n n_sample_ori = -1;\n t = q + 1; m = 0; // m: sample id\n while ( tkeep_samples )\n {\n n_sample_ori++;\n if ( !bit_array_test(h->keep_samples,n_sample_ori) )\n {\n while ( *t && tbuf) {\n hts_log_error(\"Memory allocation failure for FORMAT field type %d at %s:%\"PRIhts_pos,\n z->y>>4&0xf, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_LIMITS;\n return -1;\n }\n if ((z->y>>4&0xf) == BCF_HT_STR) {\n if (z->is_gt) { // genotypes\n int32_t is_phased = 0;\n uint32_t 
*x = (uint32_t*)(z->buf + z->size * (size_t)m);\n uint32_t unreadable = 0;\n uint32_t max = 0;\n overflow = 0;\n for (l = 0;; ++t) {\n if (*t == '.') {\n ++t, x[l++] = is_phased;\n } else {\n char *tt = t;\n uint32_t val = hts_str2uint(t, &t, sizeof(val) * CHAR_MAX - 2, &overflow);\n unreadable |= tt == t;\n if (max < val) max = val;\n x[l++] = (val + 1) << 1 | is_phased;\n }\n is_phased = (*t == '|');\n if (*t != '|' && *t != '/') break;\n }\n // Possibly check max against v->n_allele instead?\n if (overflow || max > (INT32_MAX >> 1) - 1) {\n hts_log_error(\"Couldn't read GT data: value too large at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n return -1;\n }\n if (unreadable) {\n hts_log_error(\"Couldn't read GT data: value not a number or '.' at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n return -1;\n }\n if ( !l ) x[l++] = 0; // An empty field, insert missing value\n for (; l < z->size>>2; ++l) x[l] = bcf_int32_vector_end;\n } else {\n char *x = (char*)z->buf + z->size * (size_t)m;\n for (r = t, l = 0; *t != ':' && *t; ++t) x[l++] = *t;\n for (; l < z->size; ++l) x[l] = 0;\n }\n } else if ((z->y>>4&0xf) == BCF_HT_INT) {\n int32_t *x = (int32_t*)(z->buf + z->size * (size_t)m);\n for (l = 0;; ++t) {\n if (*t == '.') {\n x[l++] = bcf_int32_missing, ++t; // ++t to skip \".\"\n } else {\n overflow = 0;\n char *te;\n long int tmp_val = hts_str2int(t, &te, sizeof(tmp_val)*CHAR_BIT, &overflow);\n if ( te==t || overflow || tmp_valBCF_MAX_BT_INT32 )\n {\n if ( !extreme_val_warned )\n {\n hts_log_warning(\"Extreme FORMAT/%s value encountered and set to missing at %s:%\"PRIhts_pos, h->id[BCF_DT_ID][fmt[j-1].key].key, bcf_seqname_safe(h,v), v->pos+1);\n extreme_val_warned = 1;\n }\n tmp_val = bcf_int32_missing;\n }\n x[l++] = tmp_val;\n t = te;\n }\n if (*t != ',') break;\n }\n if ( !l ) x[l++] = bcf_int32_missing;\n for (; l < z->size>>2; ++l) x[l] = bcf_int32_vector_end;\n } else if ((z->y>>4&0xf) == BCF_HT_REAL) {\n float *x = (float*)(z->buf + z->size 
* (size_t)m);\n for (l = 0;; ++t) {\n if (*t == '.' && !isdigit_c(t[1])) {\n bcf_float_set_missing(x[l++]), ++t; // ++t to skip \".\"\n } else {\n overflow = 0;\n char *te;\n float tmp_val = hts_str2dbl(t, &te, &overflow);\n if ( (te==t || overflow) && !extreme_val_warned )\n {\n hts_log_warning(\"Extreme FORMAT/%s value encountered at %s:%\"PRIhts_pos, h->id[BCF_DT_ID][fmt[j-1].key].key, bcf_seqname(h,v), v->pos+1);\n extreme_val_warned = 1;\n }\n x[l++] = tmp_val;\n t = te;\n }\n if (*t != ',') break;\n }\n if ( !l ) bcf_float_set_missing(x[l++]); // An empty field, insert missing value\n for (; l < z->size>>2; ++l) bcf_float_set_vector_end(x[l]);\n } else {\n hts_log_error(\"Unknown FORMAT field type %d at %s:%\"PRIhts_pos, z->y>>4&0xf, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_TAG_INVALID;\n return -1;\n }\n\n if (*t == '\\0') {\n break;\n }\n else if (*t == ':') {\n t++;\n }\n else {\n char buffer[8];\n hts_log_error(\"Invalid character %s in '%s' FORMAT field at %s:%\"PRIhts_pos\"\",\n hts_strprint(buffer, sizeof buffer, '\\'', t, 1),\n h->id[BCF_DT_ID][z->key].key, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_CHAR;\n return -1;\n }\n }\n\n for (; j < v->n_fmt; ++j) { // fill end-of-vector values\n fmt_aux_t *z = &fmt[j];\n if ((z->y>>4&0xf) == BCF_HT_STR) {\n if (z->is_gt) {\n int32_t *x = (int32_t*)(z->buf + z->size * (size_t)m);\n if (z->size) x[0] = bcf_int32_missing;\n for (l = 1; l < z->size>>2; ++l) x[l] = bcf_int32_vector_end;\n } else {\n char *x = (char*)z->buf + z->size * (size_t)m;\n if ( z->size ) x[0] = '.';\n for (l = 1; l < z->size; ++l) x[l] = 0;\n }\n } else if ((z->y>>4&0xf) == BCF_HT_INT) {\n int32_t *x = (int32_t*)(z->buf + z->size * (size_t)m);\n x[0] = bcf_int32_missing;\n for (l = 1; l < z->size>>2; ++l) x[l] = bcf_int32_vector_end;\n } else if ((z->y>>4&0xf) == BCF_HT_REAL) {\n float *x = (float*)(z->buf + z->size * (size_t)m);\n bcf_float_set_missing(x[0]);\n for (l = 1; l < z->size>>2; ++l) 
bcf_float_set_vector_end(x[l]);\n }\n }\n\n m++; t++;\n }\n\n // write individual genotype information\n kstring_t *str = &v->indiv;\n int i;\n if (v->n_sample > 0) {\n for (i = 0; i < v->n_fmt; ++i) {\n fmt_aux_t *z = &fmt[i];\n bcf_enc_int1(str, z->key);\n if ((z->y>>4&0xf) == BCF_HT_STR && !z->is_gt) {\n bcf_enc_size(str, z->size, BCF_BT_CHAR);\n kputsn((char*)z->buf, z->size * (size_t)v->n_sample, str);\n } else if ((z->y>>4&0xf) == BCF_HT_INT || z->is_gt) {\n bcf_enc_vint(str, (z->size>>2) * v->n_sample, (int32_t*)z->buf, z->size>>2);\n } else {\n bcf_enc_size(str, z->size>>2, BCF_BT_FLOAT);\n if (serialize_float_array(str, (z->size>>2) * (size_t)v->n_sample,\n (float *) z->buf) != 0) {\n v->errcode |= BCF_ERR_LIMITS;\n hts_log_error(\"Out of memory at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n return -1;\n }\n }\n }\n }\n\n if ( v->n_sample!=bcf_hdr_nsamples(h) )\n {\n hts_log_error(\"Number of columns at %s:%\"PRIhts_pos\" does not match the number of samples (%d vs %d)\",\n bcf_seqname_safe(h,v), v->pos+1, v->n_sample, bcf_hdr_nsamples(h));\n v->errcode |= BCF_ERR_NCOLS;\n return -1;\n }\n if ( v->indiv.l > 0xffffffff )\n {\n hts_log_error(\"The FORMAT at %s:%\"PRIhts_pos\" is too long\", bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_LIMITS;\n\n // Error recovery: return -1 if this is a critical error or 0 if we want to ignore the FORMAT and proceed\n v->n_fmt = 0;\n return -1;\n }\n\n return 0;\n}", "project": "htslib", "hash": 92847516526430128297643351147009305704, "size": 372, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402146 }, { "func": "static void nfs4_open_confirm_done(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs4_opendata *data = calldata;\n\n\tnfs40_sequence_done(task, &data->c_res.seq_res);\n\n\tdata->rpc_status = task->tk_status;\n\tif (data->rpc_status == 0) {\n\t\tnfs4_stateid_copy(&data->o_res.stateid, &data->c_res.stateid);\n\t\tnfs_confirm_seqid(&data->owner->so_seqid, 0);\n\t\trenew_lease(data->o_res.server, data->timestamp);\n\t\tdata->rpc_done = true;\n\t}\n}", "project": "linux", "hash": 272642477844692197282372117363900529005, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431542 }, { "func": "static int io_send(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_sr_msg *sr = &req->sr_msg;\n\tstruct msghdr msg;\n\tstruct iovec iov;\n\tstruct socket *sock;\n\tunsigned flags;\n\tint min_ret = 0;\n\tint ret;\n\n\tsock = sock_from_file(req->file);\n\tif (unlikely(!sock))\n\t\treturn -ENOTSOCK;\n\n\tret = import_single_range(WRITE, sr->buf, sr->len, &iov, &msg.msg_iter);\n\tif (unlikely(ret))\n\t\treturn ret;\n\n\tmsg.msg_name = NULL;\n\tmsg.msg_control = NULL;\n\tmsg.msg_controllen = 0;\n\tmsg.msg_namelen = 0;\n\n\tflags = req->sr_msg.msg_flags;\n\tif (issue_flags & IO_URING_F_NONBLOCK)\n\t\tflags |= 
MSG_DONTWAIT;\n\tif (flags & MSG_WAITALL)\n\t\tmin_ret = iov_iter_count(&msg.msg_iter);\n\n\tmsg.msg_flags = flags;\n\tret = sock_sendmsg(sock, &msg);\n\tif ((issue_flags & IO_URING_F_NONBLOCK) && ret == -EAGAIN)\n\t\treturn -EAGAIN;\n\tif (ret == -ERESTARTSYS)\n\t\tret = -EINTR;\n\n\tif (ret < min_ret)\n\t\treq_set_fail_links(req);\n\t__io_req_complete(req, issue_flags, ret, 0);\n\treturn 0;\n}", "project": "linux", "hash": 121779031800315763040338437695835663083, "size": 41, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338658 }, { "func": "static void prb_retire_rx_blk_timer_expired(struct timer_list *t)\n{\n\tstruct packet_sock *po =\n\t\tfrom_timer(po, t, rx_ring.prb_bdqc.retire_blk_timer);\n\tstruct tpacket_kbdq_core *pkc = GET_PBDQC_FROM_RB(&po->rx_ring);\n\tunsigned int frozen;\n\tstruct tpacket_block_desc *pbd;\n\n\tspin_lock(&po->sk.sk_receive_queue.lock);\n\n\tfrozen = prb_queue_frozen(pkc);\n\tpbd = GET_CURR_PBLOCK_DESC_FROM_CORE(pkc);\n\n\tif (unlikely(pkc->delete_blk_timer))\n\t\tgoto out;\n\n\t/* We only need to plug the race when the block is partially filled.\n\t * tpacket_rcv:\n\t *\t\tlock(); increment BLOCK_NUM_PKTS; unlock()\n\t *\t\tcopy_bits() is in progress ...\n\t *\t\ttimer fires 
on other cpu:\n\t *\t\twe can't retire the current block because copy_bits\n\t *\t\tis in progress.\n\t *\n\t */\n\tif (BLOCK_NUM_PKTS(pbd)) {\n\t\t/* Waiting for skb_copy_bits to finish... */\n\t\twrite_lock(&pkc->blk_fill_in_prog_lock);\n\t\twrite_unlock(&pkc->blk_fill_in_prog_lock);\n\t}\n\n\tif (pkc->last_kactive_blk_num == pkc->kactive_blk_num) {\n\t\tif (!frozen) {\n\t\t\tif (!BLOCK_NUM_PKTS(pbd)) {\n\t\t\t\t/* An empty block. Just refresh the timer. */\n\t\t\t\tgoto refresh_timer;\n\t\t\t}\n\t\t\tprb_retire_current_block(pkc, po, TP_STATUS_BLK_TMO);\n\t\t\tif (!prb_dispatch_next_block(pkc, po))\n\t\t\t\tgoto refresh_timer;\n\t\t\telse\n\t\t\t\tgoto out;\n\t\t} else {\n\t\t\t/* Case 1. Queue was frozen because user-space was\n\t\t\t *\t lagging behind.\n\t\t\t */\n\t\t\tif (prb_curr_blk_in_use(pbd)) {\n\t\t\t\t/*\n\t\t\t\t * Ok, user-space is still behind.\n\t\t\t\t * So just refresh the timer.\n\t\t\t\t */\n\t\t\t\tgoto refresh_timer;\n\t\t\t} else {\n\t\t\t /* Case 2. queue was frozen,user-space caught up,\n\t\t\t\t* now the link went idle && the timer fired.\n\t\t\t\t* We don't have a block to close.So we open this\n\t\t\t\t* block and restart the timer.\n\t\t\t\t* opening a block thaws the queue,restarts timer\n\t\t\t\t* Thawing/timer-refresh is a side effect.\n\t\t\t\t*/\n\t\t\t\tprb_open_block(pkc, pbd);\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t}\n\t}\n\nrefresh_timer:\n\t_prb_refresh_rx_retire_blk_timer(pkc);\n\nout:\n\tspin_unlock(&po->sk.sk_receive_queue.lock);\n}", "project": "linux", "hash": 199821763374531667672606030660649146094, "size": 72, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling 
virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330388 }, { "func": "static ssize_t nfs4_proc_get_acl(struct inode *inode, void *buf, size_t buflen)\n{\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\tint ret;\n\n\tif (!nfs4_server_supports_acls(server))\n\t\treturn -EOPNOTSUPP;\n\tret = nfs_revalidate_inode(server, inode);\n\tif (ret < 0)\n\t\treturn ret;\n\tif (NFS_I(inode)->cache_validity & NFS_INO_INVALID_ACL)\n\t\tnfs_zap_acl_cache(inode);\n\tret = nfs4_read_cached_acl(inode, buf, buflen);\n\tif (ret != -ENOENT)\n\t\t/* -ENOENT is returned if there is no ACL or if there is an ACL\n\t\t * but no cached acl data, just the acl length */\n\t\treturn ret;\n\treturn nfs4_get_acl_uncached(inode, buf, buflen);\n}", "project": "linux", "hash": 293348945750843087843356564727157977694, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431391 }, { "func": "static int futex_requeue(u32 __user *uaddr1, int fshared, u32 __user *uaddr2,\n\t\t\t int nr_wake, int nr_requeue, u32 *cmpval,\n\t\t\t int requeue_pi)\n{\n\tunion futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;\n\tint drop_count = 0, task_count = 0, ret;\n\tstruct futex_pi_state *pi_state = NULL;\n\tstruct futex_hash_bucket *hb1, *hb2;\n\tstruct plist_head *head1;\n\tstruct 
futex_q *this, *next;\n\tu32 curval2;\n\n\tif (requeue_pi) {\n\t\t/*\n\t\t * requeue_pi requires a pi_state, try to allocate it now\n\t\t * without any locks in case it fails.\n\t\t */\n\t\tif (refill_pi_state_cache())\n\t\t\treturn -ENOMEM;\n\t\t/*\n\t\t * requeue_pi must wake as many tasks as it can, up to nr_wake\n\t\t * + nr_requeue, since it acquires the rt_mutex prior to\n\t\t * returning to userspace, so as to not leave the rt_mutex with\n\t\t * waiters and no owner. However, second and third wake-ups\n\t\t * cannot be predicted as they involve race conditions with the\n\t\t * first wake and a fault while looking up the pi_state. Both\n\t\t * pthread_cond_signal() and pthread_cond_broadcast() should\n\t\t * use nr_wake=1.\n\t\t */\n\t\tif (nr_wake != 1)\n\t\t\treturn -EINVAL;\n\t}\n\nretry:\n\tif (pi_state != NULL) {\n\t\t/*\n\t\t * We will have to lookup the pi_state again, so free this one\n\t\t * to keep the accounting correct.\n\t\t */\n\t\tfree_pi_state(pi_state);\n\t\tpi_state = NULL;\n\t}\n\n\tret = get_futex_key(uaddr1, fshared, &key1);\n\tif (unlikely(ret != 0))\n\t\tgoto out;\n\tret = get_futex_key(uaddr2, fshared, &key2);\n\tif (unlikely(ret != 0))\n\t\tgoto out_put_key1;\n\n\thb1 = hash_futex(&key1);\n\thb2 = hash_futex(&key2);\n\nretry_private:\n\tdouble_lock_hb(hb1, hb2);\n\n\tif (likely(cmpval != NULL)) {\n\t\tu32 curval;\n\n\t\tret = get_futex_value_locked(&curval, uaddr1);\n\n\t\tif (unlikely(ret)) {\n\t\t\tdouble_unlock_hb(hb1, hb2);\n\n\t\t\tret = get_user(curval, uaddr1);\n\t\t\tif (ret)\n\t\t\t\tgoto out_put_keys;\n\n\t\t\tif (!fshared)\n\t\t\t\tgoto retry_private;\n\n\t\t\tput_futex_key(fshared, &key2);\n\t\t\tput_futex_key(fshared, &key1);\n\t\t\tgoto retry;\n\t\t}\n\t\tif (curval != *cmpval) {\n\t\t\tret = -EAGAIN;\n\t\t\tgoto out_unlock;\n\t\t}\n\t}\n\n\tif (requeue_pi && (task_count - nr_wake < nr_requeue)) {\n\t\t/*\n\t\t * Attempt to acquire uaddr2 and wake the top waiter. 
If we\n\t\t * intend to requeue waiters, force setting the FUTEX_WAITERS\n\t\t * bit. We force this here where we are able to easily handle\n\t\t * faults rather in the requeue loop below.\n\t\t */\n\t\tret = futex_proxy_trylock_atomic(uaddr2, hb1, hb2, &key1,\n\t\t\t\t\t\t &key2, &pi_state, nr_requeue);\n\n\t\t/*\n\t\t * At this point the top_waiter has either taken uaddr2 or is\n\t\t * waiting on it. If the former, then the pi_state will not\n\t\t * exist yet, look it up one more time to ensure we have a\n\t\t * reference to it.\n\t\t */\n\t\tif (ret == 1) {\n\t\t\tWARN_ON(pi_state);\n\t\t\tdrop_count++;\n\t\t\ttask_count++;\n\t\t\tret = get_futex_value_locked(&curval2, uaddr2);\n\t\t\tif (!ret)\n\t\t\t\tret = lookup_pi_state(curval2, hb2, &key2,\n\t\t\t\t\t\t &pi_state);\n\t\t}\n\n\t\tswitch (ret) {\n\t\tcase 0:\n\t\t\tbreak;\n\t\tcase -EFAULT:\n\t\t\tdouble_unlock_hb(hb1, hb2);\n\t\t\tput_futex_key(fshared, &key2);\n\t\t\tput_futex_key(fshared, &key1);\n\t\t\tret = fault_in_user_writeable(uaddr2);\n\t\t\tif (!ret)\n\t\t\t\tgoto retry;\n\t\t\tgoto out;\n\t\tcase -EAGAIN:\n\t\t\t/* The owner was exiting, try again. */\n\t\t\tdouble_unlock_hb(hb1, hb2);\n\t\t\tput_futex_key(fshared, &key2);\n\t\t\tput_futex_key(fshared, &key1);\n\t\t\tcond_resched();\n\t\t\tgoto retry;\n\t\tdefault:\n\t\t\tgoto out_unlock;\n\t\t}\n\t}\n\n\thead1 = &hb1->chain;\n\tplist_for_each_entry_safe(this, next, head1, list) {\n\t\tif (task_count - nr_wake >= nr_requeue)\n\t\t\tbreak;\n\n\t\tif (!match_futex(&this->key, &key1))\n\t\t\tcontinue;\n\n\t\t/*\n\t\t * FUTEX_WAIT_REQEUE_PI and FUTEX_CMP_REQUEUE_PI should always\n\t\t * be paired with each other and no other futex ops.\n\t\t */\n\t\tif ((requeue_pi && !this->rt_waiter) ||\n\t\t (!requeue_pi && this->rt_waiter)) {\n\t\t\tret = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\n\t\t/*\n\t\t * Wake nr_wake waiters. For requeue_pi, if we acquired the\n\t\t * lock, we already woke the top_waiter. 
If not, it will be\n\t\t * woken by futex_unlock_pi().\n\t\t */\n\t\tif (++task_count <= nr_wake && !requeue_pi) {\n\t\t\twake_futex(this);\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* Ensure we requeue to the expected futex for requeue_pi. */\n\t\tif (requeue_pi && !match_futex(this->requeue_pi_key, &key2)) {\n\t\t\tret = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\n\t\t/*\n\t\t * Requeue nr_requeue waiters and possibly one more in the case\n\t\t * of requeue_pi if we couldn't acquire the lock atomically.\n\t\t */\n\t\tif (requeue_pi) {\n\t\t\t/* Prepare the waiter to take the rt_mutex. */\n\t\t\tatomic_inc(&pi_state->refcount);\n\t\t\tthis->pi_state = pi_state;\n\t\t\tret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,\n\t\t\t\t\t\t\tthis->rt_waiter,\n\t\t\t\t\t\t\tthis->task, 1);\n\t\t\tif (ret == 1) {\n\t\t\t\t/* We got the lock. */\n\t\t\t\trequeue_pi_wake_futex(this, &key2, hb2);\n\t\t\t\tdrop_count++;\n\t\t\t\tcontinue;\n\t\t\t} else if (ret) {\n\t\t\t\t/* -EDEADLK */\n\t\t\t\tthis->pi_state = NULL;\n\t\t\t\tfree_pi_state(pi_state);\n\t\t\t\tgoto out_unlock;\n\t\t\t}\n\t\t}\n\t\trequeue_futex(this, hb1, hb2, &key2);\n\t\tdrop_count++;\n\t}\n\nout_unlock:\n\tdouble_unlock_hb(hb1, hb2);\n\n\t/*\n\t * drop_futex_key_refs() must be called outside the spinlocks. During\n\t * the requeue we moved futex_q's from the hash bucket at key1 to the\n\t * one at key2 and updated their key pointer. We no longer need to\n\t * hold the references to key1.\n\t */\n\twhile (--drop_count >= 0)\n\t\tdrop_futex_key_refs(&key1);\n\nout_put_keys:\n\tput_futex_key(fshared, &key2);\nout_put_key1:\n\tput_futex_key(fshared, &key1);\nout:\n\tif (pi_state != NULL)\n\t\tfree_pi_state(pi_state);\n\treturn ret ? 
ret : task_count;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 221654500441647009730252035490028584856, "size": 212, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492291 }, { "func": "void rfbScaledScreenUpdateRect(rfbScreenInfoPtr screen, rfbScreenInfoPtr ptr, int x0, int y0, int w0, int h0)\n{\n int x,y,w,v,z;\n int x1, y1, w1, h1;\n int bitsPerPixel, bytesPerPixel, bytesPerLine, areaX, areaY, area2;\n unsigned char *srcptr, *dstptr;\n\n /* Nothing to do!!! 
*/\n if (screen==ptr) return;\n\n x1 = x0;\n y1 = y0;\n w1 = w0;\n h1 = h0;\n\n rfbScaledCorrection(screen, ptr, &x1, &y1, &w1, &h1, \"rfbScaledScreenUpdateRect\");\n x0 = ScaleX(ptr, screen, x1);\n y0 = ScaleY(ptr, screen, y1);\n w0 = ScaleX(ptr, screen, w1);\n h0 = ScaleY(ptr, screen, h1);\n\n bitsPerPixel = screen->bitsPerPixel;\n bytesPerPixel = bitsPerPixel / 8;\n bytesPerLine = w1 * bytesPerPixel;\n srcptr = (unsigned char *)(screen->frameBuffer +\n (y0 * screen->paddedWidthInBytes + x0 * bytesPerPixel));\n dstptr = (unsigned char *)(ptr->frameBuffer +\n ( y1 * ptr->paddedWidthInBytes + x1 * bytesPerPixel));\n /* The area of the source framebuffer for each destination pixel */\n areaX = ScaleX(ptr,screen,1);\n areaY = ScaleY(ptr,screen,1);\n area2 = areaX*areaY;\n\n\n /* Ensure that we do not go out of bounds */\n if ((x1+w1) > (ptr->width))\n {\n if (x1==0) w1=ptr->width; else x1 = ptr->width - w1;\n }\n if ((y1+h1) > (ptr->height))\n {\n if (y1==0) h1=ptr->height; else y1 = ptr->height - h1;\n }\n /*\n * rfbLog(\"rfbScaledScreenUpdateRect(%dXx%dY-%dWx%dH -> %dXx%dY-%dWx%dH <%dx%d>) {%dWx%dH -> %dWx%dH} 0x%p\\n\",\n * x0, y0, w0, h0, x1, y1, w1, h1, areaX, areaY,\n * screen->width, screen->height, ptr->width, ptr->height, ptr->frameBuffer);\n */\n\n if (screen->serverFormat.trueColour) { /* Blend neighbouring pixels together */\n unsigned char *srcptr2;\n unsigned long pixel_value, red, green, blue;\n unsigned int redShift = screen->serverFormat.redShift;\n unsigned int greenShift = screen->serverFormat.greenShift;\n unsigned int blueShift = screen->serverFormat.blueShift;\n unsigned long redMax = screen->serverFormat.redMax;\n unsigned long greenMax = screen->serverFormat.greenMax;\n unsigned long blueMax = screen->serverFormat.blueMax;\n\n /* for each *destination* pixel... */\n for (y = 0; y < h1; y++) {\n for (x = 0; x < w1; x++) {\n red = green = blue = 0;\n /* Get the totals for rgb from the source grid... 
*/\n for (w = 0; w < areaX; w++) {\n for (v = 0; v < areaY; v++) {\n srcptr2 = &srcptr[(((x * areaX) + w) * bytesPerPixel) +\n (v * screen->paddedWidthInBytes)];\n pixel_value = 0;\n\n\n switch (bytesPerPixel) {\n case 4: pixel_value = *((unsigned int *)srcptr2); break;\n case 2: pixel_value = *((unsigned short *)srcptr2); break;\n case 1: pixel_value = *((unsigned char *)srcptr2); break;\n default:\n /* fixme: endianness problem? */\n for (z = 0; z < bytesPerPixel; z++)\n pixel_value += (srcptr2[z] << (8 * z));\n break;\n }\n /*\n srcptr2 += bytesPerPixel;\n */\n\n red += ((pixel_value >> redShift) & redMax);\n green += ((pixel_value >> greenShift) & greenMax);\n blue += ((pixel_value >> blueShift) & blueMax);\n\n }\n }\n /* We now have a total for all of the colors, find the average! */\n red /= area2;\n green /= area2;\n blue /= area2;\n /* Stuff the new value back into memory */\n pixel_value = ((red & redMax) << redShift) | ((green & greenMax) << greenShift) | ((blue & blueMax) << blueShift);\n\n switch (bytesPerPixel) {\n case 4: *((unsigned int *)dstptr) = (unsigned int) pixel_value; break;\n case 2: *((unsigned short *)dstptr) = (unsigned short) pixel_value; break;\n case 1: *((unsigned char *)dstptr) = (unsigned char) pixel_value; break;\n default:\n /* fixme: endianness problem? */\n for (z = 0; z < bytesPerPixel; z++)\n dstptr[z]=(pixel_value >> (8 * z)) & 0xff;\n break;\n }\n dstptr += bytesPerPixel;\n }\n srcptr += (screen->paddedWidthInBytes * areaY);\n dstptr += (ptr->paddedWidthInBytes - bytesPerLine);\n }\n } else\n { /* Not truecolour, so we can't blend. 
Just use the top-left pixel instead */\n for (y = y1; y < (y1+h1); y++) {\n for (x = x1; x < (x1+w1); x++)\n memcpy (&ptr->frameBuffer[(y *ptr->paddedWidthInBytes) + (x * bytesPerPixel)],\n &screen->frameBuffer[(y * areaY * screen->paddedWidthInBytes) + (x *areaX * bytesPerPixel)], bytesPerPixel);\n }\n }\n}", "project": "libvncserver", "hash": 295503009586478475692075987935889055828, "size": 122, "commit_id": "a6788d1da719ae006605b78d22f5a9f170b423af", "message": "libvncserver: scale: cast to 64 bit before shifting\n\nSince pixel_value is 64 bit the data type of the shift operand should\nbe 64 bit too to prevent integer overflows.", "target": 1, "dataset": "other", "idx": 199993 }, { "func": "void rfbScaledScreenUpdateRect(rfbScreenInfoPtr screen, rfbScreenInfoPtr ptr, int x0, int y0, int w0, int h0)\n{\n int x,y,w,v,z;\n int x1, y1, w1, h1;\n int bitsPerPixel, bytesPerPixel, bytesPerLine, areaX, areaY, area2;\n unsigned char *srcptr, *dstptr;\n\n /* Nothing to do!!! */\n if (screen==ptr) return;\n\n x1 = x0;\n y1 = y0;\n w1 = w0;\n h1 = h0;\n\n rfbScaledCorrection(screen, ptr, &x1, &y1, &w1, &h1, \"rfbScaledScreenUpdateRect\");\n x0 = ScaleX(ptr, screen, x1);\n y0 = ScaleY(ptr, screen, y1);\n w0 = ScaleX(ptr, screen, w1);\n h0 = ScaleY(ptr, screen, h1);\n\n bitsPerPixel = screen->bitsPerPixel;\n bytesPerPixel = bitsPerPixel / 8;\n bytesPerLine = w1 * bytesPerPixel;\n srcptr = (unsigned char *)(screen->frameBuffer +\n (y0 * screen->paddedWidthInBytes + x0 * bytesPerPixel));\n dstptr = (unsigned char *)(ptr->frameBuffer +\n ( y1 * ptr->paddedWidthInBytes + x1 * bytesPerPixel));\n /* The area of the source framebuffer for each destination pixel */\n areaX = ScaleX(ptr,screen,1);\n areaY = ScaleY(ptr,screen,1);\n area2 = areaX*areaY;\n\n\n /* Ensure that we do not go out of bounds */\n if ((x1+w1) > (ptr->width))\n {\n if (x1==0) w1=ptr->width; else x1 = ptr->width - w1;\n }\n if ((y1+h1) > (ptr->height))\n {\n if (y1==0) h1=ptr->height; else y1 = ptr->height - h1;\n 
}\n /*\n * rfbLog(\"rfbScaledScreenUpdateRect(%dXx%dY-%dWx%dH -> %dXx%dY-%dWx%dH <%dx%d>) {%dWx%dH -> %dWx%dH} 0x%p\\n\",\n * x0, y0, w0, h0, x1, y1, w1, h1, areaX, areaY,\n * screen->width, screen->height, ptr->width, ptr->height, ptr->frameBuffer);\n */\n\n if (screen->serverFormat.trueColour) { /* Blend neighbouring pixels together */\n unsigned char *srcptr2;\n unsigned long pixel_value, red, green, blue;\n unsigned int redShift = screen->serverFormat.redShift;\n unsigned int greenShift = screen->serverFormat.greenShift;\n unsigned int blueShift = screen->serverFormat.blueShift;\n unsigned long redMax = screen->serverFormat.redMax;\n unsigned long greenMax = screen->serverFormat.greenMax;\n unsigned long blueMax = screen->serverFormat.blueMax;\n\n /* for each *destination* pixel... */\n for (y = 0; y < h1; y++) {\n for (x = 0; x < w1; x++) {\n red = green = blue = 0;\n /* Get the totals for rgb from the source grid... */\n for (w = 0; w < areaX; w++) {\n for (v = 0; v < areaY; v++) {\n srcptr2 = &srcptr[(((x * areaX) + w) * bytesPerPixel) +\n (v * screen->paddedWidthInBytes)];\n pixel_value = 0;\n\n\n switch (bytesPerPixel) {\n case 4: pixel_value = *((unsigned int *)srcptr2); break;\n case 2: pixel_value = *((unsigned short *)srcptr2); break;\n case 1: pixel_value = *((unsigned char *)srcptr2); break;\n default:\n /* fixme: endianness problem? */\n for (z = 0; z < bytesPerPixel; z++)\n pixel_value += ((unsigned long)srcptr2[z] << (8 * z));\n break;\n }\n /*\n srcptr2 += bytesPerPixel;\n */\n\n red += ((pixel_value >> redShift) & redMax);\n green += ((pixel_value >> greenShift) & greenMax);\n blue += ((pixel_value >> blueShift) & blueMax);\n\n }\n }\n /* We now have a total for all of the colors, find the average! 
*/\n red /= area2;\n green /= area2;\n blue /= area2;\n /* Stuff the new value back into memory */\n pixel_value = ((red & redMax) << redShift) | ((green & greenMax) << greenShift) | ((blue & blueMax) << blueShift);\n\n switch (bytesPerPixel) {\n case 4: *((unsigned int *)dstptr) = (unsigned int) pixel_value; break;\n case 2: *((unsigned short *)dstptr) = (unsigned short) pixel_value; break;\n case 1: *((unsigned char *)dstptr) = (unsigned char) pixel_value; break;\n default:\n /* fixme: endianness problem? */\n for (z = 0; z < bytesPerPixel; z++)\n dstptr[z]=(pixel_value >> (8 * z)) & 0xff;\n break;\n }\n dstptr += bytesPerPixel;\n }\n srcptr += (screen->paddedWidthInBytes * areaY);\n dstptr += (ptr->paddedWidthInBytes - bytesPerLine);\n }\n } else\n { /* Not truecolour, so we can't blend. Just use the top-left pixel instead */\n for (y = y1; y < (y1+h1); y++) {\n for (x = x1; x < (x1+w1); x++)\n memcpy (&ptr->frameBuffer[(y *ptr->paddedWidthInBytes) + (x * bytesPerPixel)],\n &screen->frameBuffer[(y * areaY * screen->paddedWidthInBytes) + (x *areaX * bytesPerPixel)], bytesPerPixel);\n }\n }\n}", "project": "libvncserver", "hash": 85794347889118649475691237939536661528, "size": 122, "commit_id": "a6788d1da719ae006605b78d22f5a9f170b423af", "message": "libvncserver: scale: cast to 64 bit before shifting\n\nSince pixel_value is 64 bit the data type of the shift operand should\nbe 64 bit too to prevent integer overflows.", "target": 0, "dataset": "other", "idx": 296799 }, { "func": "static struct sk_buff * pfkey_xfrm_policy2msg_prep(const struct xfrm_policy *xp)\n{\n\tstruct sk_buff *skb;\n\tint size;\n\n\tsize = pfkey_xfrm_policy2msg_size(xp);\n\n\tskb = alloc_skb(size + 16, GFP_ATOMIC);\n\tif (skb == NULL)\n\t\treturn ERR_PTR(-ENOBUFS);\n\n\treturn skb;\n}", "project": "linux", "hash": 198749077392719479710681714788031092585, "size": 13, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in 
function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268064 }, { "func": "void php_ifd_set16u(char *data, unsigned int value, int motorola_intel) {\n if (motorola_intel) {\n data[0] = (value & 0xFF00) >> 8;\n data[1] = (value & 0x00FF);\n } else {\n data[1] = (value & 0xFF00) >> 8;\n data[0] = (value & 0x00FF);\n }\n}", "project": "hhvm", "hash": 332698923943069079857432565360735614889, "size": 9, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219818 }, { "func": "static void nft_obj_commit_update(struct nft_trans *trans)\n{\n\tstruct nft_object *newobj;\n\tstruct nft_object *obj;\n\n\tobj = nft_trans_obj(trans);\n\tnewobj = nft_trans_obj_newobj(trans);\n\n\tif (obj->ops->update)\n\t\tobj->ops->update(obj, newobj);\n\n\tkfree(newobj);\n}", "project": "linux", "hash": 88353146612376850804240346104233357232, "size": 13, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. 
Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328388 }, { "func": "static __poll_t tty_poll(struct file *filp, poll_table *wait)\n{\n\tstruct tty_struct *tty = file_tty(filp);\n\tstruct tty_ldisc *ld;\n\t__poll_t ret = 0;\n\n\tif (tty_paranoia_check(tty, file_inode(filp), \"tty_poll\"))\n\t\treturn 0;\n\n\tld = tty_ldisc_ref_wait(tty);\n\tif (!ld)\n\t\treturn hung_up_tty_poll(filp, wait);\n\tif (ld->ops->poll)\n\t\tret = ld->ops->poll(tty, filp, wait);\n\ttty_ldisc_deref(ld);\n\treturn ret;\n}", "project": "linux", "hash": 48886686632748362844836751573685846867, "size": 17, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but 
__proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326030 }, { "func": "void *kmem_cache_alloc_node_trace(struct kmem_cache *s,\n\t\t\t\t gfp_t gfpflags,\n\t\t\t\t int node, size_t size)\n{\n\tvoid *ret = slab_alloc_node(s, gfpflags, node, _RET_IP_);\n\n\ttrace_kmalloc_node(_RET_IP_, ret,\n\t\t\t size, s->size, gfpflags, node);\n\n\tret = kasan_kmalloc(s, ret, size, gfpflags);\n\treturn ret;\n}", "project": "linux", "hash": 42346785374485324532679450741192541304, "size": 12, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, 
then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280038 }, { "func": "int vcf_format(const bcf_hdr_t *h, const bcf1_t *v, kstring_t *s)\n{\n int i;\n int32_t max_dt_id = h->n[BCF_DT_ID];\n const char *chrom = bcf_seqname(h, v);\n if (!chrom) {\n hts_log_error(\"Invalid BCF, CONTIG id=%d not present in the header\",\n v->rid);\n errno = EINVAL;\n return -1;\n }\n bcf_unpack((bcf1_t*)v, BCF_UN_ALL);\n kputs(chrom, s); // CHROM\n kputc('\\t', s); kputll(v->pos + 1, s); // POS\n kputc('\\t', s); kputs(v->d.id ? v->d.id : \".\", s); // ID\n kputc('\\t', s); // REF\n if (v->n_allele > 0) kputs(v->d.allele[0], s);\n else kputc('.', s);\n kputc('\\t', s); // ALT\n if (v->n_allele > 1) {\n for (i = 1; i < v->n_allele; ++i) {\n if (i > 1) kputc(',', s);\n kputs(v->d.allele[i], s);\n }\n } else kputc('.', s);\n kputc('\\t', s); // QUAL\n if ( bcf_float_is_missing(v->qual) ) kputc('.', s); // QUAL\n else kputd(v->qual, s);\n kputc('\\t', s); // FILTER\n if (v->d.n_flt) {\n for (i = 0; i < v->d.n_flt; ++i) {\n int32_t idx = v->d.flt[i];\n if (idx < 0 || idx >= max_dt_id\n || h->id[BCF_DT_ID][idx].key == NULL) {\n hts_log_error(\"Invalid BCF, the FILTER tag id=%d at %s:%\"PRIhts_pos\" not present in the header\",\n idx, bcf_seqname_safe(h, v), v->pos + 1);\n errno = EINVAL;\n return -1;\n }\n if (i) kputc(';', s);\n kputs(h->id[BCF_DT_ID][idx].key, s);\n }\n } else kputc('.', s);\n kputc('\\t', s); // INFO\n if (v->n_info) {\n int first = 1;\n for (i = 0; i < v->n_info; ++i) {\n bcf_info_t *z = &v->d.info[i];\n if ( !z->vptr ) 
continue;\n if ( !first ) kputc(';', s);\n first = 0;\n if (z->key < 0 || z->key >= max_dt_id\n || h->id[BCF_DT_ID][z->key].key == NULL) {\n hts_log_error(\"Invalid BCF, the INFO tag id=%d is %s at %s:%\"PRIhts_pos,\n z->key,\n z->key < 0 ? \"negative\"\n : (z->key >= max_dt_id ? \"too large\" : \"not present in the header\"),\n bcf_seqname_safe(h, v), v->pos+1);\n errno = EINVAL;\n return -1;\n }\n kputs(h->id[BCF_DT_ID][z->key].key, s);\n if (z->len <= 0) continue;\n kputc('=', s);\n if (z->len == 1)\n {\n switch (z->type)\n {\n case BCF_BT_INT8: if ( z->v1.i==bcf_int8_missing ) kputc('.', s); else kputw(z->v1.i, s); break;\n case BCF_BT_INT16: if ( z->v1.i==bcf_int16_missing ) kputc('.', s); else kputw(z->v1.i, s); break;\n case BCF_BT_INT32: if ( z->v1.i==bcf_int32_missing ) kputc('.', s); else kputw(z->v1.i, s); break;\n case BCF_BT_INT64: if ( z->v1.i==bcf_int64_missing ) kputc('.', s); else kputll(z->v1.i, s); break;\n case BCF_BT_FLOAT: if ( bcf_float_is_missing(z->v1.f) ) kputc('.', s); else kputd(z->v1.f, s); break;\n case BCF_BT_CHAR: kputc(z->v1.i, s); break;\n default:\n hts_log_error(\"Unexpected type %d at %s:%\"PRIhts_pos, z->type, bcf_seqname_safe(h, v), v->pos+1);\n errno = EINVAL;\n return -1;\n }\n }\n else bcf_fmt_array(s, z->len, z->type, z->vptr);\n }\n if ( first ) kputc('.', s);\n } else kputc('.', s);\n // FORMAT and individual information\n if (v->n_sample)\n {\n int i,j;\n if ( v->n_fmt)\n {\n int gt_i = -1;\n bcf_fmt_t *fmt = v->d.fmt;\n int first = 1;\n for (i = 0; i < (int)v->n_fmt; ++i) {\n if ( !fmt[i].p ) continue;\n kputc(!first ? 
':' : '\\t', s); first = 0;\n if (fmt[i].id < 0 || fmt[i].id >= max_dt_id\n || h->id[BCF_DT_ID][fmt[i].id].key == NULL) //!bcf_hdr_idinfo_exists(h,BCF_HL_FMT,fmt[i].id) )\n {\n hts_log_error(\"Invalid BCF, the FORMAT tag id=%d at %s:%\"PRIhts_pos\" not present in the header\", fmt[i].id, bcf_seqname_safe(h, v), v->pos+1);\n errno = EINVAL;\n return -1;\n }\n kputs(h->id[BCF_DT_ID][fmt[i].id].key, s);\n if (strcmp(h->id[BCF_DT_ID][fmt[i].id].key, \"GT\") == 0) gt_i = i;\n }\n if ( first ) kputs(\"\\t.\", s);\n for (j = 0; j < v->n_sample; ++j) {\n kputc('\\t', s);\n first = 1;\n for (i = 0; i < (int)v->n_fmt; ++i) {\n bcf_fmt_t *f = &fmt[i];\n if ( !f->p ) continue;\n if (!first) kputc(':', s);\n first = 0;\n if (gt_i == i)\n bcf_format_gt(f,j,s);\n else\n bcf_fmt_array(s, f->n, f->type, f->p + j * (size_t)f->size);\n }\n if ( first ) kputc('.', s);\n }\n }\n else\n for (j=0; j<=v->n_sample; j++)\n kputs(\"\\t.\", s);\n }\n kputc('\\n', s);\n return 0;\n}", "project": "htslib", "hash": 201823675635530354170292814774371916205, "size": 130, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402237 }, { "func": "static void nfs4_xdr_enc_locku(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t const void *data)\n{\n\tconst struct nfs_locku_args *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_locku(xdr, args, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 226088716060206085031105655227638882076, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430988 }, { "func": "HttpStateData::writeReplyBody()\n{\n truncateVirginBody(); // if needed\n const char *data = inBuf.rawContent();\n int len = inBuf.length();\n addVirginReplyBody(data, len);\n inBuf.consume(len);\n}", "project": "squid", "hash": 288599145585245982333282122881457281077, "size": 8, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402333 }, { "func": "CLua::CLua(bool managed)\n : error(), managed_vm(managed), shutting_down(false),\n throttle_unit_lines(50000),\n throttle_sleep_ms(0), throttle_sleep_start(2),\n throttle_sleep_end(800), n_throttle_sleeps(0), mixed_call_depth(0),\n lua_call_depth(0), max_mixed_call_depth(8),\n max_lua_call_depth(100), memory_used(0),\n _state(nullptr), sourced_files(), uniqindex(0)\n{\n}", "project": "crawl", "hash": 19366559314873167867009034145516178294, "size": 10, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230477 }, { "func": "static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\n\tdo {\n\t\terr = _nfs4_proc_getlk(state, cmd, request);\n\t\ttrace_nfs4_get_lock(request, state, cmd, err);\n\t\terr = nfs4_handle_exception(NFS_SERVER(state->inode), err,\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 318320416641793145449060433590054132108, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", 
"target": 0, "dataset": "other", "idx": 431502 }, { "func": "void JOIN::drop_unused_derived_keys()\n{\n JOIN_TAB *tab;\n for (tab= first_linear_tab(this, WITH_BUSH_ROOTS, WITHOUT_CONST_TABLES);\n tab; \n tab= next_linear_tab(this, tab, WITH_BUSH_ROOTS))\n {\n \n TABLE *tmp_tbl= tab->table;\n if (!tmp_tbl)\n continue;\n if (!tmp_tbl->pos_in_table_list->is_materialized_derived())\n continue;\n if (tmp_tbl->max_keys > 1 && !tab->is_ref_for_hash_join())\n tmp_tbl->use_index(tab->ref.key);\n if (tmp_tbl->s->keys)\n {\n if (tab->ref.key >= 0 && tab->ref.key < MAX_KEY)\n tab->ref.key= 0;\n else\n tmp_tbl->s->keys= 0;\n }\n tab->keys= (key_map) (tmp_tbl->s->keys ? 1 : 0);\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 176830284426984570495631184804229262926, "size": 25, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508696 }, { "func": "apr_status_t h2_stream_end_headers(h2_stream *stream, int eos, size_t raw_bytes)\n{\n apr_status_t status;\n val_len_check_ctx ctx;\n \n status = h2_request_end_headers(stream->rtmp, stream->pool, eos, raw_bytes);\n if (APR_SUCCESS == status) {\n set_policy_for(stream, stream->rtmp);\n stream->request = stream->rtmp;\n stream->rtmp = NULL;\n \n ctx.maxlen = stream->session->s->limit_req_fieldsize;\n ctx.failed_key = NULL;\n apr_table_do(table_check_val_len, &ctx, stream->request->headers, NULL);\n if (ctx.failed_key) {\n if (!h2_stream_is_ready(stream)) {\n ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, stream->session->c,\n H2_STRM_LOG(APLOGNO(10230), stream,\"Request header exceeds \"\n \"LimitRequestFieldSize: %.*s\"),\n (int)H2MIN(strlen(ctx.failed_key), 80), ctx.failed_key);\n }\n set_error_response(stream, HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE);\n /* keep on returning APR_SUCCESS, so that we send a HTTP response and\n * do not RST the stream. 
*/\n }\n }\n return status;\n}", "project": "httpd", "hash": 174705790082746543014987035351464049193, "size": 28, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284245 }, { "func": "static struct kobject *base_probe(dev_t dev, int *part, void *data)\n{\n\tif (request_module(\"char-major-%d-%d\", MAJOR(dev), MINOR(dev)) > 0)\n\t\t/* Make old-style 2.4 aliases work */\n\t\trequest_module(\"char-major-%d\", MAJOR(dev));\n\treturn NULL;\n}", "project": "linux", "hash": 236942066648151614573330095232157625369, "size": 7, "commit_id": "68faa679b8be1a74e6663c21c3a9d25d32f1c079", "message": "chardev: Avoid potential use-after-free in 'chrdev_open()'\n\n'chrdev_open()' calls 'cdev_get()' to obtain a reference to the\n'struct cdev *' stashed in the 'i_cdev' field of the target inode\nstructure. If the pointer is NULL, then it is initialised lazily by\nlooking up the kobject in the 'cdev_map' and so the whole procedure is\nprotected by the 'cdev_lock' spinlock to serialise initialisation of\nthe shared pointer.\n\nUnfortunately, it is possible for the initialising thread to fail *after*\ninstalling the new pointer, for example if the subsequent '->open()' call\non the file fails. In this case, 'cdev_put()' is called, the reference\ncount on the kobject is dropped and, if nobody else has taken a reference,\nthe release function is called which finally clears 'inode->i_cdev' from\n'cdev_purge()' before potentially freeing the object. 
The problem here\nis that a racing thread can happily take the 'cdev_lock' and see the\nnon-NULL pointer in the inode, which can result in a refcount increment\nfrom zero and a warning:\n\n | ------------[ cut here ]------------\n | refcount_t: addition on 0; use-after-free.\n | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0\n | Modules linked in:\n | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\n | RIP: 0010:refcount_warn_saturate+0x6d/0xf0\n | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08\n | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282\n | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000\n | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798\n | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039\n | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700\n | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700\n | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0\n | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n | Call Trace:\n | kobject_get+0x5c/0x60\n | cdev_get+0x2b/0x60\n | chrdev_open+0x55/0x220\n | ? cdev_put.part.3+0x20/0x20\n | do_dentry_open+0x13a/0x390\n | path_openat+0x2c8/0x1470\n | do_filp_open+0x93/0x100\n | ? 
selinux_file_ioctl+0x17f/0x220\n | do_sys_open+0x186/0x220\n | do_syscall_64+0x48/0x150\n | entry_SYSCALL_64_after_hwframe+0x44/0xa9\n | RIP: 0033:0x7f3b87efcd0e\n | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4\n | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101\n | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e\n | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c\n | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000\n | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e\n | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000\n | ---[ end trace 24f53ca58db8180a ]---\n\nSince 'cdev_get()' can already fail to obtain a reference, simply move\nit over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',\nwhich will cause the racing thread to return -ENXIO if the initialising\nthread fails unexpectedly.\n\nCc: Hillf Danton \nCc: Andrew Morton \nCc: Al Viro \nReported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com\nSigned-off-by: Will Deacon \nCc: stable \nLink: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 446379 }, { "func": "void extcap_dlts() {\n u_int dlts_number = DLT_EN10MB;\n printf(\"dlt {number=%u}{name=%s}{display=%s}\\n\", dlts_number, \"ndpi\", \"nDPI Interface\");\n exit(0);\n}", "project": "nDPI", "hash": 306024440350973387217836010358259430670, "size": 5, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254811 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": 
"WebGraphicsContext3DDefaultImpl::VertexAttribPointerState::VertexAttribPointerState()\n : enabled(false)\n , buffer(0)\n , indx(0)\n , size(0)\n , type(0)\n , normalized(false)\n , stride(0)\n , offset(0)\n{\n}\n", "cwe": "", "big_vul_idx": 98964, "idx": 89023, "hash": 60313001127613146047391394354558934317 }, { "func": "static inline bool kvm_test_request(int req, struct kvm_vcpu *vcpu)\n{\n\treturn test_bit(req & KVM_REQUEST_MASK, (void *)&vcpu->requests);\n}", "project": "linux", "hash": 210154999305421411155940759201523139315, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354735 }, { "func": "static int fuse_readpage(struct file *file, struct page *page)\n{\n\tstruct inode *inode = page->mapping->host;\n\tint err;\n\n\terr = -EIO;\n\tif (fuse_is_bad(inode))\n\t\tgoto out;\n\n\terr = fuse_do_readpage(file, page);\n\tfuse_invalidate_atime(inode);\n out:\n\tunlock_page(page);\n\treturn err;\n}", "project": "linux", "hash": 220955644026084188561117370804487154093, "size": 15, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342045 }, { "func": "static int vhost_net_build_xdp(struct vhost_net_virtqueue *nvq,\n\t\t\t struct iov_iter *from)\n{\n\tstruct vhost_virtqueue *vq = &nvq->vq;\n\tstruct vhost_net *net = container_of(vq->dev, struct vhost_net,\n\t\t\t\t\t dev);\n\tstruct socket *sock = vq->private_data;\n\tstruct page_frag *alloc_frag = &net->page_frag;\n\tstruct virtio_net_hdr *gso;\n\tstruct xdp_buff *xdp = &nvq->xdp[nvq->batched_xdp];\n\tstruct tun_xdp_hdr *hdr;\n\tsize_t len = iov_iter_count(from);\n\tint headroom = vhost_sock_xdp(sock) ? 
XDP_PACKET_HEADROOM : 0;\n\tint buflen = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));\n\tint pad = SKB_DATA_ALIGN(VHOST_NET_RX_PAD + headroom + nvq->sock_hlen);\n\tint sock_hlen = nvq->sock_hlen;\n\tvoid *buf;\n\tint copied;\n\n\tif (unlikely(len < nvq->sock_hlen))\n\t\treturn -EFAULT;\n\n\tif (SKB_DATA_ALIGN(len + pad) +\n\t SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) > PAGE_SIZE)\n\t\treturn -ENOSPC;\n\n\tbuflen += SKB_DATA_ALIGN(len + pad);\n\talloc_frag->offset = ALIGN((u64)alloc_frag->offset, SMP_CACHE_BYTES);\n\tif (unlikely(!vhost_net_page_frag_refill(net, buflen,\n\t\t\t\t\t\t alloc_frag, GFP_KERNEL)))\n\t\treturn -ENOMEM;\n\n\tbuf = (char *)page_address(alloc_frag->page) + alloc_frag->offset;\n\tcopied = copy_page_from_iter(alloc_frag->page,\n\t\t\t\t alloc_frag->offset +\n\t\t\t\t offsetof(struct tun_xdp_hdr, gso),\n\t\t\t\t sock_hlen, from);\n\tif (copied != sock_hlen)\n\t\treturn -EFAULT;\n\n\thdr = buf;\n\tgso = &hdr->gso;\n\n\tif ((gso->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) &&\n\t vhost16_to_cpu(vq, gso->csum_start) +\n\t vhost16_to_cpu(vq, gso->csum_offset) + 2 >\n\t vhost16_to_cpu(vq, gso->hdr_len)) {\n\t\tgso->hdr_len = cpu_to_vhost16(vq,\n\t\t\t vhost16_to_cpu(vq, gso->csum_start) +\n\t\t\t vhost16_to_cpu(vq, gso->csum_offset) + 2);\n\n\t\tif (vhost16_to_cpu(vq, gso->hdr_len) > len)\n\t\t\treturn -EINVAL;\n\t}\n\n\tlen -= sock_hlen;\n\tcopied = copy_page_from_iter(alloc_frag->page,\n\t\t\t\t alloc_frag->offset + pad,\n\t\t\t\t len, from);\n\tif (copied != len)\n\t\treturn -EFAULT;\n\n\txdp->data_hard_start = buf;\n\txdp->data = buf + pad;\n\txdp->data_end = xdp->data + len;\n\thdr->buflen = buflen;\n\n\t--net->refcnt_bias;\n\talloc_frag->offset += buflen;\n\n\t++nvq->batched_xdp;\n\n\treturn 0;\n}", "project": "linux", "hash": 168327859349429467185878210028724124181, "size": 74, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data 
we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 441979 }, { "func": "int CServer::NewClientCallback(int ClientID, void *pUser)\n{\n\tCServer *pThis = (CServer *)pUser;\n\n\t// Remove non human player on same slot\n\tif(pThis->GameServer()->IsClientBot(ClientID))\n\t{\n\t\tpThis->GameServer()->OnClientDrop(ClientID, \"removing dummy\");\n\t}\n\n\tpThis->m_aClients[ClientID].m_State = CClient::STATE_AUTH;\n\tpThis->m_aClients[ClientID].m_aName[0] = 0;\n\tpThis->m_aClients[ClientID].m_aClan[0] = 0;\n\tpThis->m_aClients[ClientID].m_Country = -1;\n\tpThis->m_aClients[ClientID].m_Authed = AUTHED_NO;\n\tpThis->m_aClients[ClientID].m_AuthTries = 0;\n\tpThis->m_aClients[ClientID].m_pRconCmdToSend = 0;\n\tpThis->m_aClients[ClientID].m_pMapListEntryToSend = 0;\n\tpThis->m_aClients[ClientID].m_NoRconNote = false;\n\tpThis->m_aClients[ClientID].m_Quitting = false;\n\tpThis->m_aClients[ClientID].Reset();\n\n\treturn 0;\n}", "project": "teeworlds", "hash": 97483112300789577308538887105687333685, "size": 24, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382027 }, { "func": "void LanLinkProvider::userRequestsUnpair(const QString& deviceId)\n{\n LanPairingHandler* ph = createPairingHandler(m_links.value(deviceId));\n ph->unpair();\n}", "project": "kdeconnect-kde", "hash": 2031948026427825848402135917205376841, "size": 5, 
"commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227363 }, { "func": "static void hci_cc_le_clear_white_list(struct hci_dev *hdev,\n\t\t\t\t struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\thci_bdaddr_list_clear(&hdev->le_white_list);\n}", "project": "linux", "hash": 84275774872610272067484781677085636396, "size": 12, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431897 }, { "func": "int tipc_node_add_conn(struct net *net, u32 dnode, u32 port, u32 peer_port)\n{\n\tstruct tipc_node *node;\n\tstruct tipc_sock_conn *conn;\n\tint err = 0;\n\n\tif (in_own_node(net, dnode))\n\t\treturn 0;\n\n\tnode = tipc_node_find(net, dnode);\n\tif (!node) {\n\t\tpr_warn(\"Connecting sock to node 0x%x failed\\n\", dnode);\n\t\treturn -EHOSTUNREACH;\n\t}\n\tconn = kmalloc(sizeof(*conn), GFP_ATOMIC);\n\tif (!conn) {\n\t\terr = -EHOSTUNREACH;\n\t\tgoto exit;\n\t}\n\tconn->peer_node = dnode;\n\tconn->port = port;\n\tconn->peer_port = peer_port;\n\n\ttipc_node_write_lock(node);\n\tlist_add_tail(&conn->list, &node->conn_sks);\n\ttipc_node_write_unlock(node);\nexit:\n\ttipc_node_put(node);\n\treturn err;\n}", 
"project": "linux", "hash": 32675816595088642820001522532603327222, "size": 30, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n 
__ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n 
do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364971 }, { "func": "TEST_P(JSITest, InstanceOfTest) {\n auto ctor = function(\"function Rick() { this.say = 'wubalubadubdub'; }\");\n auto newObj = function(\"function (ctor) { return new ctor(); }\");\n auto instance = newObj.call(rt, ctor).getObject(rt);\n EXPECT_TRUE(instance.instanceOf(rt, ctor));\n EXPECT_EQ(\n instance.getProperty(rt, \"say\").getString(rt).utf8(rt), \"wubalubadubdub\");\n EXPECT_FALSE(Object(rt).instanceOf(rt, ctor));\n EXPECT_TRUE(ctor.callAsConstructor(rt, nullptr, 0)\n .getObject(rt)\n .instanceOf(rt, ctor));\n}", "project": "hermes", "hash": 142837079136620103119537996072348177553, "size": 12, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230199 }, { "func": "static int svm_create_vcpu(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm;\n\tstruct page *page;\n\tstruct page *msrpm_pages;\n\tstruct page *hsave_page;\n\tstruct page *nested_msrpm_pages;\n\tint err;\n\n\tBUILD_BUG_ON(offsetof(struct vcpu_svm, vcpu) != 0);\n\tsvm = to_svm(vcpu);\n\n\terr = -ENOMEM;\n\tpage = alloc_page(GFP_KERNEL_ACCOUNT);\n\tif (!page)\n\t\tgoto out;\n\n\tmsrpm_pages = alloc_pages(GFP_KERNEL_ACCOUNT, MSRPM_ALLOC_ORDER);\n\tif (!msrpm_pages)\n\t\tgoto free_page1;\n\n\tnested_msrpm_pages = alloc_pages(GFP_KERNEL_ACCOUNT, MSRPM_ALLOC_ORDER);\n\tif (!nested_msrpm_pages)\n\t\tgoto free_page2;\n\n\thsave_page = alloc_page(GFP_KERNEL_ACCOUNT);\n\tif (!hsave_page)\n\t\tgoto free_page3;\n\n\terr = avic_init_vcpu(svm);\n\tif (err)\n\t\tgoto free_page4;\n\n\t/* We initialize this flag to true to make sure that the is_running\n\t * bit would be set the first time the vcpu is loaded.\n\t */\n\tif (irqchip_in_kernel(vcpu->kvm) && kvm_apicv_activated(vcpu->kvm))\n\t\tsvm->avic_is_running = true;\n\n\tsvm->nested.hsave = page_address(hsave_page);\n\n\tsvm->msrpm = page_address(msrpm_pages);\n\tsvm_vcpu_init_msrpm(svm->msrpm);\n\n\tsvm->nested.msrpm = page_address(nested_msrpm_pages);\n\tsvm_vcpu_init_msrpm(svm->nested.msrpm);\n\n\tsvm->vmcb = page_address(page);\n\tclear_page(svm->vmcb);\n\tsvm->vmcb_pa = __sme_set(page_to_pfn(page) << PAGE_SHIFT);\n\tsvm->asid_generation = 0;\n\tinit_vmcb(svm);\n\n\tsvm_init_osvw(vcpu);\n\tvcpu->arch.microcode_version = 0x01000065;\n\n\treturn 0;\n\nfree_page4:\n\t__free_page(hsave_page);\nfree_page3:\n\t__free_pages(nested_msrpm_pages, MSRPM_ALLOC_ORDER);\nfree_page2:\n\t__free_pages(msrpm_pages, 
MSRPM_ALLOC_ORDER);\nfree_page1:\n\t__free_page(page);\nout:\n\treturn err;\n}", "project": "linux", "hash": 187993193902060305729130908873493017614, "size": 69, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432398 }, { "func": "void fuse_invalidate_entry_cache(struct dentry *entry)\n{\n\tfuse_dentry_settime(entry, 0);\n}", "project": "linux", "hash": 144236875201054416365190382473713254166, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341925 }, { "func": "static int sctp_getsockopt_recvrcvinfo(struct sock *sk,\tint len,\n\t\t\t\t char __user *optval,\n\t\t\t\t int __user *optlen)\n{\n\tint val = 0;\n\n\tif (len < sizeof(int))\n\t\treturn -EINVAL;\n\n\tlen = sizeof(int);\n\tif (sctp_sk(sk)->recvrcvinfo)\n\t\tval = 1;\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\tif (copy_to_user(optval, &val, len))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 109108553963009610184390052703209669107, "size": 19, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398206 }, { "func": "static bool path_connected(const struct path *path)\n{\n\tstruct vfsmount *mnt = path->mnt;\n\tstruct super_block *sb = mnt->mnt_sb;\n\n\t/* Bind mounts and multi-root filesystems can have disconnected paths */\n\tif (!(sb->s_iflags & SB_I_MULTIROOT) && (mnt->mnt_root == sb->s_root))\n\t\treturn true;\n\n\treturn is_subdir(path->dentry, mnt->mnt_root);\n}", "project": "linux", "hash": 287932944339411120272062379275628803542, "size": 11, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295376 }, { "func": "static inline void unregister_fuseblk(void)\n{\n\tunregister_filesystem(&fuseblk_fs_type);\n}", "project": "linux", "hash": 320019470666770701693909071495452310959, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341896 }, { "func": "static inline void unregister_fuseblk(void)\n{\n}", "project": "linux", "hash": 192961053110841247663648472655378023778, "size": 3, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342150 }, { "func": "static void encode_remove(struct xdr_stream *xdr, const struct qstr *name, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_REMOVE, decode_remove_maxsz, hdr);\n\tencode_string(xdr, name->len, name->name);\n}", "project": "linux", "hash": 112890738627472272030847484246980649802, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431393 }, { "func": "static int fuse_flush(struct file *file, fl_owner_t id)\n{\n\tstruct inode *inode = file_inode(file);\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tstruct fuse_file *ff = file->private_data;\n\tstruct fuse_flush_in inarg;\n\tFUSE_ARGS(args);\n\tint err;\n\n\tif (fuse_is_bad(inode))\n\t\treturn -EIO;\n\n\terr = write_inode_now(inode, 1);\n\tif (err)\n\t\treturn err;\n\n\tinode_lock(inode);\n\tfuse_sync_writes(inode);\n\tinode_unlock(inode);\n\n\terr = filemap_check_errors(file->f_mapping);\n\tif (err)\n\t\treturn err;\n\n\terr = 0;\n\tif (fm->fc->no_flush)\n\t\tgoto inval_attr_out;\n\n\tmemset(&inarg, 0, sizeof(inarg));\n\tinarg.fh = ff->fh;\n\tinarg.lock_owner = fuse_lock_owner_id(fm->fc, id);\n\targs.opcode = FUSE_FLUSH;\n\targs.nodeid = get_node_id(inode);\n\targs.in_numargs = 1;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = 
&inarg;\n\targs.force = true;\n\n\terr = fuse_simple_request(fm, &args);\n\tif (err == -ENOSYS) {\n\t\tfm->fc->no_flush = 1;\n\t\terr = 0;\n\t}\n\ninval_attr_out:\n\t/*\n\t * In memory i_blocks is not maintained by fuse, if writeback cache is\n\t * enabled, i_blocks from cached attr may not be accurate.\n\t */\n\tif (!err && fm->fc->writeback_cache)\n\t\tfuse_invalidate_attr(inode);\n\treturn err;\n}", "project": "linux", "hash": 313897344183834944068658007256256923444, "size": 53, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341966 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "bool WebGraphicsContext3DDefaultImpl::getActiveAttrib(WebGLId program, unsigned long index, ActiveInfo& info)\n{\n makeContextCurrent();\n if (!program) {\n synthesizeGLError(GL_INVALID_VALUE);\n return false;\n }\n GLint maxNameLength = -1;\n glGetProgramiv(program, GL_ACTIVE_ATTRIBUTE_MAX_LENGTH, &maxNameLength);\n if (maxNameLength < 0)\n return false;\n GLchar* name = 0;\n if (!tryFastMalloc(maxNameLength * sizeof(GLchar)).getValue(name)) {\n synthesizeGLError(GL_OUT_OF_MEMORY);\n return false;\n }\n GLsizei length = 0;\n GLint size = -1;\n GLenum type = 0;\n glGetActiveAttrib(program, index, maxNameLength,\n &length, &size, &type, name);\n if (size < 0) {\n fastFree(name);\n return false;\n }\n info.name = WebString::fromUTF8(name, length);\n info.type = type;\n info.size = size;\n fastFree(name);\n return true;\n}\n", "cwe": "", "big_vul_idx": 98996, "idx": 89053, "hash": 226380885689225415170569271063510446674 }, { "func": "\nstatic enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)\n{\n\tstruct io_timeout_data *data = container_of(timer,\n\t\t\t\t\t\tstruct io_timeout_data, timer);\n\tstruct io_kiocb *prev, *req = data->req;\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&ctx->completion_lock, flags);\n\tprev = req->timeout.head;\n\treq->timeout.head = NULL;\n\n\t/*\n\t * We don't expect the list to be empty, that will only happen if we\n\t * race with the completion of the linked work.\n\t */\n\tif (prev && req_ref_inc_not_zero(prev))\n\t\tio_remove_next_linked(prev);\n\telse\n\t\tprev = 
NULL;\n\tspin_unlock_irqrestore(&ctx->completion_lock, flags);\n\n\tif (prev) {\n\t\tio_async_find_and_cancel(ctx, req, prev->user_data, -ETIME);\n\t\tio_put_req_deferred(prev, 1);\n\t} else {\n\t\tio_req_complete_post(req, -ETIME, 0);\n\t}\n\tio_put_req_deferred(req, 1);\n\treturn HRTIMER_NORESTART;", "project": "linux", "hash": 101334739038324376104036436553347249490, "size": 31, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338571 }, { "func": "static inline void clr_cr_intercept(struct vcpu_svm *svm, int bit)\n{\n\tstruct vmcb *vmcb = get_host_vmcb(svm);\n\n\tvmcb->control.intercept_cr &= ~(1U << bit);\n\n\trecalc_intercepts(svm);\n}", "project": "linux", "hash": 243174637867823673538057861105985635075, "size": 8, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432626 }, { "func": "static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (svm_nested_virtualize_tpr(vcpu))\n\t\treturn;\n\n\tclr_cr_intercept(svm, INTERCEPT_CR8_WRITE);\n\n\tif (irr == -1)\n\t\treturn;\n\n\tif (tpr >= irr)\n\t\tset_cr_intercept(svm, INTERCEPT_CR8_WRITE);\n}", "project": "linux", "hash": 30888959191367528391933347209278064252, "size": 15, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432523 }, { "func": "static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (is_guest_mode(vcpu) && (vcpu->arch.hflags & HF_VINTR_MASK))\n\t\treturn;\n\n\tclr_cr_intercept(svm, INTERCEPT_CR8_WRITE);\n\n\tif (irr == -1)\n\t\treturn;\n\n\tif (tpr >= irr)\n\t\tset_cr_intercept(svm, INTERCEPT_CR8_WRITE);\n}", "project": "kvm", "hash": 101937654637056124286472170738423948556, "size": 15, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). 
However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437631 }, { "func": "kern_path_mountpoint(int dfd, const char *name, struct path *path,\n\t\t\tunsigned int flags)\n{\n\treturn filename_mountpoint(dfd, getname_kernel(name), path, flags);\n}", "project": "linux", "hash": 16863158062614897781117630878861322535, "size": 5, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 
30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295349 }, { "func": "user_path_mountpoint_at(int dfd, const char __user *name, unsigned int flags,\n\t\t\tstruct path *path)\n{\n\treturn filename_mountpoint(dfd, getname(name), path, flags);\n}", "project": "linux", "hash": 240571615702594370444104409174202867096, "size": 5, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295360 }, { "func": " const String& setSize(int64_t len) {\n assertx(m_str);\n m_str->setSize(len);\n return *this;\n }", "project": "hhvm", "hash": 203901183816821851556350922359774929875, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219102 }, { "func": "inline void StringData::setSize(int64_t len) {\n assertx(!isImmutable() && !hasMultipleRefs());\n assertx(len >= 0 && len <= capacity());\n mutableData()[len] = 0;\n m_lenAndHash = len;\n assertx(m_hash == 0);\n assertx(checkSane());\n}", "project": "hhvm", "hash": 49780885152957699857887618811559316022, "size": 8, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219861 }, { "func": "void ethereum_signing_init(EthereumSignTx *msg, const HDNode *node,\n bool needs_confirm) {\n ethereum_signing = true;\n sha3_256_Init(&keccak_ctx);\n\n memset(&msg_tx_request, 0, sizeof(EthereumTxRequest));\n /* set fields to 0, to avoid conditions later */\n if 
(!msg->has_value) msg->value.size = 0;\n if (!msg->has_data_initial_chunk) msg->data_initial_chunk.size = 0;\n if (!msg->has_to) msg->to.size = 0;\n if (!msg->has_nonce) msg->nonce.size = 0;\n\n /* eip-155 chain id */\n if (msg->has_chain_id) {\n if (msg->chain_id < 1) {\n fsm_sendFailure(FailureType_Failure_SyntaxError,\n _(\"Chain Id out of bounds\"));\n ethereum_signing_abort();\n return;\n }\n chain_id = msg->chain_id;\n } else {\n chain_id = 0;\n }\n\n /* Wanchain txtype */\n if (msg->has_tx_type) {\n if (msg->tx_type == 1 || msg->tx_type == 6) {\n tx_type = msg->tx_type;\n } else {\n fsm_sendFailure(FailureType_Failure_SyntaxError,\n _(\"Txtype out of bounds\"));\n ethereum_signing_abort();\n return;\n }\n } else {\n tx_type = 0;\n }\n\n if (msg->has_data_length && msg->data_length > 0) {\n if (!msg->has_data_initial_chunk || msg->data_initial_chunk.size == 0) {\n fsm_sendFailure(FailureType_Failure_Other,\n _(\"Data length provided, but no initial chunk\"));\n ethereum_signing_abort();\n return;\n }\n /* Our encoding only supports transactions up to 2^24 bytes. 
To\n * prevent exceeding the limit we use a stricter limit on data length.\n */\n if (msg->data_length > 16000000) {\n fsm_sendFailure(FailureType_Failure_SyntaxError,\n _(\"Data length exceeds limit\"));\n ethereum_signing_abort();\n return;\n }\n data_total = msg->data_length;\n } else {\n data_total = 0;\n }\n if (msg->data_initial_chunk.size > data_total) {\n fsm_sendFailure(FailureType_Failure_Other,\n _(\"Invalid size of initial chunk\"));\n ethereum_signing_abort();\n return;\n }\n\n const TokenType *token = NULL;\n\n // safety checks\n if (!ethereum_signing_check(msg)) {\n fsm_sendFailure(FailureType_Failure_SyntaxError, _(\"Safety check failed\"));\n ethereum_signing_abort();\n return;\n }\n\n bool data_needs_confirm = true;\n if (ethereum_contractHandled(data_total, msg, node)) {\n if (!ethereum_contractConfirmed(data_total, msg, node)) {\n fsm_sendFailure(FailureType_Failure_ActionCancelled,\n \"Signing cancelled by user\");\n ethereum_signing_abort();\n return;\n }\n needs_confirm = false;\n data_needs_confirm = false;\n }\n\n // Detect THORChain transaction data in memo\n if (ethereum_isThorchainTx(msg)) {\n if (token == NULL && data_total > 0 && data_needs_confirm) {\n char swap_data[256] = {'\\0'};\n uint8_t swap_data_len = ethereum_extractThorchainData(msg, swap_data);\n if (!thorchain_parseConfirmMemo(swap_data, swap_data_len)) {\n fsm_sendFailure(FailureType_Failure_Other, _(\"Malformed THORChain swap data\"));\n ethereum_signing_abort();\n return;\n }\n needs_confirm = false;\n data_needs_confirm = false;\n }\n }\n\n // detect ERC-20 token\n if (data_total == 68 && ethereum_isStandardERC20Transfer(msg)) {\n token = tokenByChainAddress(chain_id, msg->to.bytes);\n }\n\n bool is_approve = false;\n if (data_total == 68 && ethereum_isStandardERC20Approve(msg)) {\n token = tokenByChainAddress(chain_id, msg->to.bytes);\n is_approve = true;\n }\n\n char confirm_body_message[BODY_CHAR_MAX];\n if (needs_confirm) {\n memset(confirm_body_message, 0, 
sizeof(confirm_body_message));\n if (token != NULL) {\n layoutEthereumConfirmTx(\n msg->data_initial_chunk.bytes + 16, 20,\n msg->data_initial_chunk.bytes + 36, 32, token, confirm_body_message,\n sizeof(confirm_body_message), /*approve=*/is_approve);\n } else {\n layoutEthereumConfirmTx(msg->to.bytes, msg->to.size, msg->value.bytes,\n msg->value.size, NULL, confirm_body_message,\n sizeof(confirm_body_message), /*approve=*/false);\n }\n bool is_transfer = msg->address_type == OutputAddressType_TRANSFER;\n const char *title;\n ButtonRequestType BRT;\n if (is_approve) {\n title = \"Approve\";\n BRT = ButtonRequestType_ButtonRequest_ConfirmOutput;\n } else if (is_transfer) {\n title = \"Transfer\";\n BRT = ButtonRequestType_ButtonRequest_ConfirmTransferToAccount;\n } else {\n title = \"Send\";\n BRT = ButtonRequestType_ButtonRequest_ConfirmOutput;\n }\n if (!confirm(BRT, title, \"%s\", confirm_body_message)) {\n fsm_sendFailure(FailureType_Failure_ActionCancelled,\n \"Signing cancelled by user\");\n ethereum_signing_abort();\n return;\n }\n }\n\n memset(confirm_body_message, 0, sizeof(confirm_body_message));\n if (token == NULL && data_total > 0 && data_needs_confirm) {\n // KeepKey custom: warn the user that they're trying to do something\n // that is potentially dangerous. People (generally) aren't great at\n // parsing raw transaction data, and we can't effectively show them\n // what they're about to do in the general case.\n if (!storage_isPolicyEnabled(\"AdvancedMode\")) {\n (void)review(\n ButtonRequestType_ButtonRequest_Other, \"Warning\",\n \"Signing of arbitrary ETH contract data is recommended only for \"\n \"experienced users. 
Enable 'AdvancedMode' policy to dismiss.\");\n }\n\n layoutEthereumData(msg->data_initial_chunk.bytes,\n msg->data_initial_chunk.size, data_total,\n confirm_body_message, sizeof(confirm_body_message));\n if (!confirm(ButtonRequestType_ButtonRequest_ConfirmOutput,\n \"Confirm Ethereum Data\", \"%s\", confirm_body_message)) {\n fsm_sendFailure(FailureType_Failure_ActionCancelled, NULL);\n ethereum_signing_abort();\n return;\n }\n }\n\n if (is_approve) {\n token = NULL;\n }\n\n memset(confirm_body_message, 0, sizeof(confirm_body_message));\n layoutEthereumFee(msg->value.bytes, msg->value.size, msg->gas_price.bytes,\n msg->gas_price.size, msg->gas_limit.bytes,\n msg->gas_limit.size, token != NULL, confirm_body_message,\n sizeof(confirm_body_message));\n if (!confirm(ButtonRequestType_ButtonRequest_SignTx, \"Transaction\", \"%s\",\n confirm_body_message)) {\n fsm_sendFailure(FailureType_Failure_ActionCancelled,\n \"Signing cancelled by user\");\n ethereum_signing_abort();\n return;\n }\n\n /* Stage 1: Calculate total RLP length */\n uint32_t rlp_length = 0;\n layoutProgress(_(\"Signing\"), 0);\n\n rlp_length += rlp_calculate_length(msg->nonce.size, msg->nonce.bytes[0]);\n rlp_length +=\n rlp_calculate_length(msg->gas_price.size, msg->gas_price.bytes[0]);\n rlp_length +=\n rlp_calculate_length(msg->gas_limit.size, msg->gas_limit.bytes[0]);\n rlp_length += rlp_calculate_length(msg->to.size, msg->to.bytes[0]);\n rlp_length += rlp_calculate_length(msg->value.size, msg->value.bytes[0]);\n rlp_length +=\n rlp_calculate_length(data_total, msg->data_initial_chunk.bytes[0]);\n if (tx_type) {\n rlp_length += rlp_calculate_number_length(tx_type);\n }\n if (chain_id) {\n rlp_length += rlp_calculate_number_length(chain_id);\n rlp_length += rlp_calculate_length(0, 0);\n rlp_length += rlp_calculate_length(0, 0);\n }\n\n /* Stage 2: Store header fields */\n hash_rlp_list_length(rlp_length);\n layoutProgress(_(\"Signing\"), 100);\n\n if (tx_type) {\n hash_rlp_number(tx_type);\n }\n 
hash_rlp_field(msg->nonce.bytes, msg->nonce.size);\n hash_rlp_field(msg->gas_price.bytes, msg->gas_price.size);\n hash_rlp_field(msg->gas_limit.bytes, msg->gas_limit.size);\n hash_rlp_field(msg->to.bytes, msg->to.size);\n hash_rlp_field(msg->value.bytes, msg->value.size);\n hash_rlp_length(data_total, msg->data_initial_chunk.bytes[0]);\n hash_data(msg->data_initial_chunk.bytes, msg->data_initial_chunk.size);\n data_left = data_total - msg->data_initial_chunk.size;\n\n memcpy(privkey, node->private_key, 32);\n\n if (data_left > 0) {\n send_request_chunk();\n } else {\n send_signature();\n }\n}", "project": "keepkey-firmware", "hash": 41626652124789053097491254548529987279, "size": 234, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220865 }, { "func": " table_map view_used_tables(TABLE_LIST *view)\n {\n view->view_used_tables= 0;\n walk(&Item::view_used_tables_processor, 0, view);\n return view->view_used_tables;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 275370090484374748060271494363490036836, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509229 }, { "func": "static int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)\n{\n\tdh->pub_key = pub_key;\n\tdh->priv_key = priv_key;\n\n\treturn 1;\n}", "project": "php-src", "hash": 283633814298067720459495558983386245783, "size": 7, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291371 }, { "func": "static int kvm_get_stat_per_vcpu(struct kvm *kvm, size_t offset, u64 *val)\n{\n\tint i;\n\tstruct kvm_vcpu *vcpu;\n\n\t*val = 0;\n\n\tkvm_for_each_vcpu(i, vcpu, kvm)\n\t\t*val += *(u64 *)((void *)vcpu + offset);\n\n\treturn 0;\n}", "project": "linux", "hash": 159546676386916928966523318557082529313, "size": 12, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354839 }, { "func": "static int sctp_getsockopt_encap_port(struct sock *sk, int len,\n\t\t\t\t char __user *optval, int __user *optlen)\n{\n\tstruct sctp_association *asoc;\n\tstruct sctp_udpencaps encap;\n\tstruct sctp_transport *t;\n\t__be16 encap_port;\n\n\tif (len < sizeof(encap))\n\t\treturn -EINVAL;\n\n\tlen = 
sizeof(encap);\n\tif (copy_from_user(&encap, optval, len))\n\t\treturn -EFAULT;\n\n\t/* If an address other than INADDR_ANY is specified, and\n\t * no transport is found, then the request is invalid.\n\t */\n\tif (!sctp_is_any(sk, (union sctp_addr *)&encap.sue_address)) {\n\t\tt = sctp_addr_id2transport(sk, &encap.sue_address,\n\t\t\t\t\t encap.sue_assoc_id);\n\t\tif (!t) {\n\t\t\tpr_debug(\"%s: failed no transport\\n\", __func__);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tencap_port = t->encap_port;\n\t\tgoto out;\n\t}\n\n\t/* Get association, if assoc_id != SCTP_FUTURE_ASSOC and the\n\t * socket is a one to many style socket, and an association\n\t * was not found, then the id was invalid.\n\t */\n\tasoc = sctp_id2assoc(sk, encap.sue_assoc_id);\n\tif (!asoc && encap.sue_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP)) {\n\t\tpr_debug(\"%s: failed no association\\n\", __func__);\n\t\treturn -EINVAL;\n\t}\n\n\tif (asoc) {\n\t\tencap_port = asoc->encap_port;\n\t\tgoto out;\n\t}\n\n\tencap_port = sctp_sk(sk)->encap_port;\n\nout:\n\tencap.sue_port = (__force uint16_t)encap_port;\n\tif (copy_to_user(optval, &encap, len))\n\t\treturn -EFAULT;\n\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 101889246496206468980218130833380592694, "size": 58, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398058 }, { "func": "static int finish(void)\n{\n\tint magic = BPF_PRELOAD_END;\n\tstruct pid *tgid;\n\tloff_t pos = 0;\n\tssize_t n;\n\n\t/* send the last magic to UMD. It will do a normal exit. */\n\tn = kernel_write(umd_ops.info.pipe_to_umh,\n\t\t\t &magic, sizeof(magic), &pos);\n\tif (n != sizeof(magic))\n\t\treturn -EPIPE;\n\n\ttgid = umd_ops.info.tgid;\n\tif (tgid) {\n\t\twait_event(tgid->wait_pidfd, thread_group_exited(tgid));\n\t\tumd_cleanup_helper(&umd_ops.info);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 98165059016791660800423553012988267396, "size": 20, "commit_id": "f60a85cad677c4f9bb4cadd764f1d106c38c7cf8", "message": "bpf: Fix umd memory leak in copy_process()\n\nThe syzbot reported a memleak as follows:\n\nBUG: memory leak\nunreferenced object 0xffff888101b41d00 (size 120):\n comm \"kworker/u4:0\", pid 8, jiffies 4294944270 (age 12.780s)\n backtrace:\n [] alloc_pid+0x66/0x560\n [] copy_process+0x1465/0x25e0\n [] kernel_clone+0xf3/0x670\n [] kernel_thread+0x61/0x80\n [] call_usermodehelper_exec_work\n [] call_usermodehelper_exec_work+0xc4/0x120\n [] process_one_work+0x2c9/0x600\n [] worker_thread+0x59/0x5d0\n [] kthread+0x178/0x1b0\n [] ret_from_fork+0x1f/0x30\n\nunreferenced object 0xffff888110ef5c00 (size 232):\n comm \"kworker/u4:0\", pid 8414, jiffies 4294944270 (age 12.780s)\n backtrace:\n [] kmem_cache_zalloc\n [] __alloc_file+0x1f/0xf0\n [] alloc_empty_file+0x69/0x120\n [] alloc_file+0x33/0x1b0\n [] 
alloc_file_pseudo+0xb2/0x140\n [] create_pipe_files+0x138/0x2e0\n [] umd_setup+0x33/0x220\n [] call_usermodehelper_exec_async+0xb4/0x1b0\n [] ret_from_fork+0x1f/0x30\n\nAfter the UMD process exits, the pipe_to_umh/pipe_from_umh and\ntgid need to be released.\n\nFixes: d71fa5c9763c (\"bpf: Add kernel module with user mode driver that populates bpffs.\")\nReported-by: syzbot+44908bb56d2bfe56b28e@syzkaller.appspotmail.com\nSigned-off-by: Zqiang \nSigned-off-by: Daniel Borkmann \nLink: https://lore.kernel.org/bpf/20210317030915.2865-1-qiang.zhang@windriver.com", "target": 0, "dataset": "other", "idx": 385300 }, { "func": "Pl_AES_PDF::finish()\n{\n if (this->encrypt)\n {\n\tif (this->offset == this->buf_size)\n\t{\n\t flush(false);\n\t}\n if (! this->disable_padding)\n {\n // Pad as described in section 3.5.1 of version 1.7 of the PDF\n // specification, including providing an entire block of padding\n // if the input was a multiple of 16 bytes.\n unsigned char pad =\n QIntC::to_uchar(this->buf_size - this->offset);\n memset(this->inbuf + this->offset, pad, pad);\n this->offset = this->buf_size;\n flush(false);\n }\n }\n else\n {\n\tif (this->offset != this->buf_size)\n\t{\n\t // This is never supposed to happen as the output is\n\t // always supposed to be padded. However, we have\n\t // encountered files for which the output is not a\n\t // multiple of the block size. In this case, pad with\n\t // zeroes and hope for the best.\n\t assert(this->buf_size > this->offset);\n\t std::memset(this->inbuf + this->offset, 0,\n\t\t\tthis->buf_size - this->offset);\n\t this->offset = this->buf_size;\n\t}\n\tflush(! 
this->disable_padding);\n }\n this->crypto->rijndael_finalize();\n getNext()->finish();\n}", "project": "qpdf", "hash": 51243257645404500461191904756632181088, "size": 39, "commit_id": "dc92574c10f3e2516ec6445b88c5d584f40df4e5", "message": "Fix some pipelines to be safe if downstream write fails (fuzz issue 28262)", "target": 0, "dataset": "other", "idx": 458326 }, { "func": "int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode,\n\t\tbool want_excl)\n{\n\tint error = may_create(dir, dentry);\n\tif (error)\n\t\treturn error;\n\n\tif (!dir->i_op->create)\n\t\treturn -EACCES;\t/* shouldn't it be ENOSYS? */\n\tmode &= S_IALLUGO;\n\tmode |= S_IFREG;\n\terror = security_inode_create(dir, dentry, mode);\n\tif (error)\n\t\treturn error;\n\terror = dir->i_op->create(dir, dentry, mode, want_excl);\n\tif (!error)\n\t\tfsnotify_create(dir, dentry);\n\treturn error;\n}", "project": "linux", "hash": 110013640154319074439021059781392764549, "size": 19, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295386 }, { "func": "static void nfs_state_set_open_stateid(struct nfs4_state *state,\n\t\tconst nfs4_stateid *open_stateid,\n\t\tfmode_t fmode,\n\t\tnfs4_stateid *freeme)\n{\n\t/*\n\t * Protect the call to nfs4_state_set_mode_locked and\n\t * serialise the stateid update\n\t */\n\twrite_seqlock(&state->seqlock);\n\tnfs_set_open_stateid_locked(state, open_stateid, freeme);\n\tswitch (fmode) {\n\tcase FMODE_READ:\n\t\tset_bit(NFS_O_RDONLY_STATE, &state->flags);\n\t\tbreak;\n\tcase FMODE_WRITE:\n\t\tset_bit(NFS_O_WRONLY_STATE, &state->flags);\n\t\tbreak;\n\tcase FMODE_READ|FMODE_WRITE:\n\t\tset_bit(NFS_O_RDWR_STATE, 
&state->flags);\n\t}\n\tset_bit(NFS_OPEN_STATE, &state->flags);\n\twrite_sequnlock(&state->seqlock);\n}", "project": "linux", "hash": 212498859352455154368103598856343335293, "size": 24, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431261 }, { "func": "static void tracing_snapshot_instance(struct trace_array *tr)\n{\n\tstruct tracer *tracer = tr->current_trace;\n\tunsigned long flags;\n\n\tif (in_nmi()) {\n\t\tinternal_trace_puts(\"*** SNAPSHOT CALLED FROM NMI CONTEXT ***\\n\");\n\t\tinternal_trace_puts(\"*** snapshot is being ignored ***\\n\");\n\t\treturn;\n\t}\n\n\tif (!tr->allocated_snapshot) {\n\t\tinternal_trace_puts(\"*** SNAPSHOT NOT ALLOCATED ***\\n\");\n\t\tinternal_trace_puts(\"*** stopping trace here! 
***\\n\");\n\t\ttracing_off();\n\t\treturn;\n\t}\n\n\t/* Note, snapshot can not be used when the tracer uses it */\n\tif (tracer->use_max_tr) {\n\t\tinternal_trace_puts(\"*** LATENCY TRACER ACTIVE ***\\n\");\n\t\tinternal_trace_puts(\"*** Can not use snapshot (sorry) ***\\n\");\n\t\treturn;\n\t}\n\n\tlocal_irq_save(flags);\n\tupdate_max_tr(tr, current, smp_processor_id());\n\tlocal_irq_restore(flags);\n}", "project": "linux", "hash": 23952061043614793566798370711744161150, "size": 29, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445757 }, { "func": "void CSoundFile::RetrigNote(CHANNELINDEX nChn, int param, int offset)\n{\n\t// Retrig: bit 8 is set if it's the new XM retrig\n\tModChannel &chn = m_PlayState.Chn[nChn];\n\tint retrigSpeed = param & 0x0F;\n\tint16 retrigCount = chn.nRetrigCount;\n\tbool doRetrig = false;\n\n\t// IT compatibility 15. 
Retrigger\n\tif(m_playBehaviour[kITRetrigger])\n\t{\n\t\tif(m_PlayState.m_nTickCount == 0 && chn.rowCommand.note)\n\t\t{\n\t\t\tchn.nRetrigCount = param & 0xf;\n\t\t} else if(!chn.nRetrigCount || !--chn.nRetrigCount)\n\t\t{\n\t\t\tchn.nRetrigCount = param & 0xf;\n\t\t\tdoRetrig = true;\n\t\t}\n\t} else if(m_playBehaviour[kFT2Retrigger] && (param & 0x100))\n\t{\n\t\t// Buggy-like-hell FT2 Rxy retrig!\n\t\t// Test case: retrig.xm\n\t\tif(m_SongFlags[SONG_FIRSTTICK])\n\t\t{\n\t\t\t// Here are some really stupid things FT2 does on the first tick.\n\t\t\t// Test case: RetrigTick0.xm\n\t\t\tif(chn.rowCommand.instr > 0 && chn.rowCommand.IsNoteOrEmpty()) retrigCount = 1;\n\t\t\tif(chn.rowCommand.volcmd == VOLCMD_VOLUME && chn.rowCommand.vol != 0)\n\t\t\t{\n\t\t\t\t// I guess this condition simply checked if the volume byte was != 0 in FT2.\n\t\t\t\tchn.nRetrigCount = retrigCount;\n\t\t\t\treturn;\n\t\t\t}\n\t\t}\n\t\tif(retrigCount >= retrigSpeed)\n\t\t{\n\t\t\tif(!m_SongFlags[SONG_FIRSTTICK] || !chn.rowCommand.IsNote())\n\t\t\t{\n\t\t\t\tdoRetrig = true;\n\t\t\t\tretrigCount = 0;\n\t\t\t}\n\t\t}\n\t} else\n\t{\n\t\t// old routines\n\t\tif (GetType() & (MOD_TYPE_S3M|MOD_TYPE_IT|MOD_TYPE_MPT))\n\t\t{\n\t\t\tif (!retrigSpeed) retrigSpeed = 1;\n\t\t\tif ((retrigCount) && (!(retrigCount % retrigSpeed))) doRetrig = true;\n\t\t\tretrigCount++;\n\t\t} else if(GetType() == MOD_TYPE_MTM)\n\t\t{\n\t\t\t// In MultiTracker, E9x retriggers the last note at exactly the x-th tick of the row\n\t\t\tdoRetrig = m_PlayState.m_nTickCount == static_cast(param & 0x0F) && retrigSpeed != 0;\n\t\t} else\n\t\t{\n\t\t\tint realspeed = retrigSpeed;\n\t\t\t// FT2 bug: if a retrig (Rxy) occurs together with a volume command, the first retrig interval is increased by one tick\n\t\t\tif ((param & 0x100) && (chn.rowCommand.volcmd == VOLCMD_VOLUME) && (chn.rowCommand.param & 0xF0)) realspeed++;\n\t\t\tif(!m_SongFlags[SONG_FIRSTTICK] || (param & 0x100))\n\t\t\t{\n\t\t\t\tif (!realspeed) realspeed = 
1;\n\t\t\t\tif ((!(param & 0x100)) && (m_PlayState.m_nMusicSpeed) && (!(m_PlayState.m_nTickCount % realspeed))) doRetrig = true;\n\t\t\t\tretrigCount++;\n\t\t\t} else if (GetType() & (MOD_TYPE_XM|MOD_TYPE_MT2)) retrigCount = 0;\n\t\t\tif (retrigCount >= realspeed)\n\t\t\t{\n\t\t\t\tif ((m_PlayState.m_nTickCount) || ((param & 0x100) && (!chn.rowCommand.note))) doRetrig = true;\n\t\t\t}\n\t\t\tif(m_playBehaviour[kFT2Retrigger] && param == 0)\n\t\t\t{\n\t\t\t\t// E90 = Retrig instantly, and only once\n\t\t\t\tdoRetrig = (m_PlayState.m_nTickCount == 0);\n\t\t\t}\n\t\t}\n\t}\n\n\t// IT compatibility: If a sample is shorter than the retrig time (i.e. it stops before the retrig counter hits zero), it is not retriggered.\n\t// Test case: retrig-short.it\n\tif(chn.nLength == 0 && m_playBehaviour[kITShortSampleRetrig] && !chn.HasMIDIOutput())\n\t{\n\t\treturn;\n\t}\n\n\tif(doRetrig)\n\t{\n\t\tuint32 dv = (param >> 4) & 0x0F;\n\t\tint vol = chn.nVolume;\n\t\tif (dv)\n\t\t{\n\n\t\t\t// FT2 compatibility: Retrig + volume will not change volume of retrigged notes\n\t\t\tif(!m_playBehaviour[kFT2Retrigger] || !(chn.rowCommand.volcmd == VOLCMD_VOLUME))\n\t\t\t{\n\t\t\t\tif (retrigTable1[dv])\n\t\t\t\t\tvol = (vol * retrigTable1[dv]) >> 4;\n\t\t\t\telse\n\t\t\t\t\tvol += ((int)retrigTable2[dv]) << 2;\n\t\t\t}\n\t\t\tLimit(vol, 0, 256);\n\n\t\t\tchn.dwFlags.set(CHN_FASTVOLRAMP);\n\t\t}\n\t\tuint32 note = chn.nNewNote;\n\t\tint32 oldPeriod = chn.nPeriod;\n\t\tif (note >= NOTE_MIN && note <= NOTE_MAX && chn.nLength)\n\t\t\tCheckNNA(nChn, 0, note, true);\n\t\tbool resetEnv = false;\n\t\tif(GetType() & (MOD_TYPE_XM | MOD_TYPE_MT2))\n\t\t{\n\t\t\tif((chn.rowCommand.instr) && (param < 0x100))\n\t\t\t{\n\t\t\t\tInstrumentChange(&chn, chn.rowCommand.instr, false, false);\n\t\t\t\tresetEnv = true;\n\t\t\t}\n\t\t\tif (param < 0x100) resetEnv = true;\n\t\t}\n\t\tbool fading = chn.dwFlags[CHN_NOTEFADE];\n\t\t// IT compatibility: Really weird combination of envelopes and retrigger (see Storlek's 
q.it testcase)\n\t\t// Test case: retrig.it\n\t\tNoteChange(&chn, note, m_playBehaviour[kITRetrigger], resetEnv);\n\t\t// XM compatibility: Prevent NoteChange from resetting the fade flag in case an instrument number + note-off is present.\n\t\t// Test case: RetrigFade.xm\n\t\tif(fading && GetType() == MOD_TYPE_XM)\n\t\t\tchn.dwFlags.set(CHN_NOTEFADE);\n\t\tchn.nVolume = vol;\n\t\tif(m_nInstruments)\n\t\t{\n\t\t\tchn.rowCommand.note = static_cast(note);\t// No retrig without note...\n#ifndef NO_PLUGINS\n\t\t\tProcessMidiOut(nChn);\t//Send retrig to Midi\n#endif // NO_PLUGINS\n\t\t}\n\t\tif ((GetType() & (MOD_TYPE_IT|MOD_TYPE_MPT)) && (!chn.rowCommand.note) && (oldPeriod)) chn.nPeriod = oldPeriod;\n\t\tif (!(GetType() & (MOD_TYPE_S3M|MOD_TYPE_IT|MOD_TYPE_MPT))) retrigCount = 0;\n\t\t// IT compatibility: see previous IT compatibility comment =)\n\t\tif(m_playBehaviour[kITRetrigger]) chn.position.Set(0);\n\n\t\toffset--;\n\t\tif(offset >= 0 && offset <= static_cast(CountOf(chn.pModSample->cues)) && chn.pModSample != nullptr)\n\t\t{\n\t\t\tif(offset == 0) offset = chn.oldOffset;\n\t\t\telse offset = chn.oldOffset = chn.pModSample->cues[offset - 1];\n\t\t\tSampleOffset(chn, offset);\n\t\t}\n\t}\n\n\t// buggy-like-hell FT2 Rxy retrig!\n\tif(m_playBehaviour[kFT2Retrigger] && (param & 0x100)) retrigCount++;\n\n\t// Now we can also store the retrig value for IT...\n\tif(!m_playBehaviour[kITRetrigger])\n\t\tchn.nRetrigCount = retrigCount;\n}", "project": "openmpt", "hash": 157442320854166930195469601862011370311, "size": 155, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255227 }, { "func": "ALWAYS_INLINE Variant 
preg_return_no_error(Variant&& return_value) {\n *rl_last_error_code = PHP_PCRE_NO_ERROR;\n return std::move(return_value);\n}", "project": "hhvm", "hash": 92714978960616582549598901135926555499, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219072 }, { "func": " bool eval_const_cond()\n {\n DBUG_ASSERT(const_item());\n DBUG_ASSERT(!is_expensive());\n return val_bool();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 140204644497092024492426363731351147605, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509213 }, { "func": "static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct inquiry_data data;\n\tstruct extended_inquiry_info *info = (void *) (skb->data + 1);\n\tint num_rsp = *((__u8 *) skb->data);\n\tsize_t eir_len;\n\n\tBT_DBG(\"%s num_rsp %d\", hdev->name, num_rsp);\n\n\tif (!num_rsp)\n\t\treturn;\n\n\tif (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tfor (; num_rsp; num_rsp--, info++) {\n\t\tu32 flags;\n\t\tbool name_known;\n\n\t\tbacpy(&data.bdaddr, &info->bdaddr);\n\t\tdata.pscan_rep_mode\t= info->pscan_rep_mode;\n\t\tdata.pscan_period_mode\t= info->pscan_period_mode;\n\t\tdata.pscan_mode\t\t= 0x00;\n\t\tmemcpy(data.dev_class, info->dev_class, 3);\n\t\tdata.clock_offset\t= info->clock_offset;\n\t\tdata.rssi\t\t= info->rssi;\n\t\tdata.ssp_mode\t\t= 0x01;\n\n\t\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\t\tname_known = eir_get_data(info->data,\n\t\t\t\t\t\t sizeof(info->data),\n\t\t\t\t\t\t EIR_NAME_COMPLETE, NULL);\n\t\telse\n\t\t\tname_known = true;\n\n\t\tflags = hci_inquiry_cache_update(hdev, &data, name_known);\n\n\t\teir_len = eir_get_length(info->data, sizeof(info->data));\n\n\t\tmgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,\n\t\t\t\t info->dev_class, info->rssi,\n\t\t\t\t flags, info->data, eir_len, NULL, 0);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 246597494627569744149252198466981823503, "size": 49, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 1, "dataset": "other", "idx": 210268 }, { "func": "static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct inquiry_data data;\n\tstruct extended_inquiry_info *info = (void *) (skb->data + 1);\n\tint num_rsp = *((__u8 *) skb->data);\n\tsize_t eir_len;\n\n\tBT_DBG(\"%s num_rsp %d\", hdev->name, num_rsp);\n\n\tif (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)\n\t\treturn;\n\n\tif (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tfor (; num_rsp; num_rsp--, info++) {\n\t\tu32 flags;\n\t\tbool name_known;\n\n\t\tbacpy(&data.bdaddr, &info->bdaddr);\n\t\tdata.pscan_rep_mode\t= info->pscan_rep_mode;\n\t\tdata.pscan_period_mode\t= info->pscan_period_mode;\n\t\tdata.pscan_mode\t\t= 0x00;\n\t\tmemcpy(data.dev_class, info->dev_class, 3);\n\t\tdata.clock_offset\t= info->clock_offset;\n\t\tdata.rssi\t\t= info->rssi;\n\t\tdata.ssp_mode\t\t= 0x01;\n\n\t\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\t\tname_known = eir_get_data(info->data,\n\t\t\t\t\t\t sizeof(info->data),\n\t\t\t\t\t\t EIR_NAME_COMPLETE, NULL);\n\t\telse\n\t\t\tname_known = true;\n\n\t\tflags = hci_inquiry_cache_update(hdev, &data, name_known);\n\n\t\teir_len = eir_get_length(info->data, sizeof(info->data));\n\n\t\tmgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,\n\t\t\t\t info->dev_class, info->rssi,\n\t\t\t\t flags, info->data, eir_len, NULL, 0);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 330631060070038770247000748836217689829, "size": 49, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in 
hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431954 }, { "func": "static int route4_change(struct net *net, struct sk_buff *in_skb,\n\t\t\t struct tcf_proto *tp, unsigned long base, u32 handle,\n\t\t\t struct nlattr **tca, void **arg, bool ovr,\n\t\t\t bool rtnl_held, struct netlink_ext_ack *extack)\n{\n\tstruct route4_head *head = rtnl_dereference(tp->root);\n\tstruct route4_filter __rcu **fp;\n\tstruct route4_filter *fold, *f1, *pfp, *f = NULL;\n\tstruct route4_bucket *b;\n\tstruct nlattr *opt = tca[TCA_OPTIONS];\n\tstruct nlattr *tb[TCA_ROUTE4_MAX + 1];\n\tunsigned int h, th;\n\tint err;\n\tbool new = true;\n\n\tif (opt == NULL)\n\t\treturn handle ? 
-EINVAL : 0;\n\n\terr = nla_parse_nested_deprecated(tb, TCA_ROUTE4_MAX, opt,\n\t\t\t\t\t route4_policy, NULL);\n\tif (err < 0)\n\t\treturn err;\n\n\tfold = *arg;\n\tif (fold && handle && fold->handle != handle)\n\t\t\treturn -EINVAL;\n\n\terr = -ENOBUFS;\n\tf = kzalloc(sizeof(struct route4_filter), GFP_KERNEL);\n\tif (!f)\n\t\tgoto errout;\n\n\terr = tcf_exts_init(&f->exts, net, TCA_ROUTE4_ACT, TCA_ROUTE4_POLICE);\n\tif (err < 0)\n\t\tgoto errout;\n\n\tif (fold) {\n\t\tf->id = fold->id;\n\t\tf->iif = fold->iif;\n\t\tf->res = fold->res;\n\t\tf->handle = fold->handle;\n\n\t\tf->tp = fold->tp;\n\t\tf->bkt = fold->bkt;\n\t\tnew = false;\n\t}\n\n\terr = route4_set_parms(net, tp, base, f, handle, head, tb,\n\t\t\t tca[TCA_RATE], new, ovr, extack);\n\tif (err < 0)\n\t\tgoto errout;\n\n\th = from_hash(f->handle >> 16);\n\tfp = &f->bkt->ht[h];\n\tfor (pfp = rtnl_dereference(*fp);\n\t (f1 = rtnl_dereference(*fp)) != NULL;\n\t fp = &f1->next)\n\t\tif (f->handle < f1->handle)\n\t\t\tbreak;\n\n\ttcf_block_netif_keep_dst(tp->chain->block);\n\trcu_assign_pointer(f->next, f1);\n\trcu_assign_pointer(*fp, f);\n\n\tif (fold && fold->handle && f->handle != fold->handle) {\n\t\tth = to_hash(fold->handle);\n\t\th = from_hash(fold->handle >> 16);\n\t\tb = rtnl_dereference(head->table[th]);\n\t\tif (b) {\n\t\t\tfp = &b->ht[h];\n\t\t\tfor (pfp = rtnl_dereference(*fp); pfp;\n\t\t\t fp = &pfp->next, pfp = rtnl_dereference(*fp)) {\n\t\t\t\tif (pfp == f) {\n\t\t\t\t\t*fp = f->next;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\troute4_reset_fastmap(head);\n\t*arg = f;\n\tif (fold) {\n\t\ttcf_unbind_filter(tp, &fold->res);\n\t\ttcf_exts_get_net(&fold->exts);\n\t\ttcf_queue_work(&fold->rwork, route4_delete_filter_work);\n\t}\n\treturn 0;\n\nerrout:\n\tif (f)\n\t\ttcf_exts_destroy(&f->exts);\n\tkfree(f);\n\treturn err;\n}", "project": "linux", "hash": 231199128984425325302576009574271570955, "size": 95, "commit_id": "ef299cc3fa1a9e1288665a9fdc8bff55629fd359", "message": "net_sched: 
cls_route: remove the right filter from hashtable\n\nroute4_change() allocates a new filter and copies values from\nthe old one. After the new filter is inserted into the hash\ntable, the old filter should be removed and freed, as the final\nstep of the update.\n\nHowever, the current code mistakenly removes the new one. This\nlooks apparently wrong to me, and it causes double \"free\" and\nuse-after-free too, as reported by syzbot.\n\nReported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com\nReported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com\nReported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com\nFixes: 1109c00547fc (\"net: sched: RCU cls_route\")\nCc: Jamal Hadi Salim \nCc: Jiri Pirko \nCc: John Fastabend \nSigned-off-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 1, "dataset": "other", "idx": 206718 }, { "func": "static int route4_change(struct net *net, struct sk_buff *in_skb,\n\t\t\t struct tcf_proto *tp, unsigned long base, u32 handle,\n\t\t\t struct nlattr **tca, void **arg, bool ovr,\n\t\t\t bool rtnl_held, struct netlink_ext_ack *extack)\n{\n\tstruct route4_head *head = rtnl_dereference(tp->root);\n\tstruct route4_filter __rcu **fp;\n\tstruct route4_filter *fold, *f1, *pfp, *f = NULL;\n\tstruct route4_bucket *b;\n\tstruct nlattr *opt = tca[TCA_OPTIONS];\n\tstruct nlattr *tb[TCA_ROUTE4_MAX + 1];\n\tunsigned int h, th;\n\tint err;\n\tbool new = true;\n\n\tif (opt == NULL)\n\t\treturn handle ? 
-EINVAL : 0;\n\n\terr = nla_parse_nested_deprecated(tb, TCA_ROUTE4_MAX, opt,\n\t\t\t\t\t route4_policy, NULL);\n\tif (err < 0)\n\t\treturn err;\n\n\tfold = *arg;\n\tif (fold && handle && fold->handle != handle)\n\t\t\treturn -EINVAL;\n\n\terr = -ENOBUFS;\n\tf = kzalloc(sizeof(struct route4_filter), GFP_KERNEL);\n\tif (!f)\n\t\tgoto errout;\n\n\terr = tcf_exts_init(&f->exts, net, TCA_ROUTE4_ACT, TCA_ROUTE4_POLICE);\n\tif (err < 0)\n\t\tgoto errout;\n\n\tif (fold) {\n\t\tf->id = fold->id;\n\t\tf->iif = fold->iif;\n\t\tf->res = fold->res;\n\t\tf->handle = fold->handle;\n\n\t\tf->tp = fold->tp;\n\t\tf->bkt = fold->bkt;\n\t\tnew = false;\n\t}\n\n\terr = route4_set_parms(net, tp, base, f, handle, head, tb,\n\t\t\t tca[TCA_RATE], new, ovr, extack);\n\tif (err < 0)\n\t\tgoto errout;\n\n\th = from_hash(f->handle >> 16);\n\tfp = &f->bkt->ht[h];\n\tfor (pfp = rtnl_dereference(*fp);\n\t (f1 = rtnl_dereference(*fp)) != NULL;\n\t fp = &f1->next)\n\t\tif (f->handle < f1->handle)\n\t\t\tbreak;\n\n\ttcf_block_netif_keep_dst(tp->chain->block);\n\trcu_assign_pointer(f->next, f1);\n\trcu_assign_pointer(*fp, f);\n\n\tif (fold && fold->handle && f->handle != fold->handle) {\n\t\tth = to_hash(fold->handle);\n\t\th = from_hash(fold->handle >> 16);\n\t\tb = rtnl_dereference(head->table[th]);\n\t\tif (b) {\n\t\t\tfp = &b->ht[h];\n\t\t\tfor (pfp = rtnl_dereference(*fp); pfp;\n\t\t\t fp = &pfp->next, pfp = rtnl_dereference(*fp)) {\n\t\t\t\tif (pfp == fold) {\n\t\t\t\t\trcu_assign_pointer(*fp, fold->next);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\troute4_reset_fastmap(head);\n\t*arg = f;\n\tif (fold) {\n\t\ttcf_unbind_filter(tp, &fold->res);\n\t\ttcf_exts_get_net(&fold->exts);\n\t\ttcf_queue_work(&fold->rwork, route4_delete_filter_work);\n\t}\n\treturn 0;\n\nerrout:\n\tif (f)\n\t\ttcf_exts_destroy(&f->exts);\n\tkfree(f);\n\treturn err;\n}", "project": "linux", "hash": 37265442732800560811121149832465762697, "size": 95, "commit_id": "ef299cc3fa1a9e1288665a9fdc8bff55629fd359", 
"message": "net_sched: cls_route: remove the right filter from hashtable\n\nroute4_change() allocates a new filter and copies values from\nthe old one. After the new filter is inserted into the hash\ntable, the old filter should be removed and freed, as the final\nstep of the update.\n\nHowever, the current code mistakenly removes the new one. This\nlooks apparently wrong to me, and it causes double \"free\" and\nuse-after-free too, as reported by syzbot.\n\nReported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com\nReported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com\nReported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com\nFixes: 1109c00547fc (\"net: sched: RCU cls_route\")\nCc: Jamal Hadi Salim \nCc: Jiri Pirko \nCc: John Fastabend \nSigned-off-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 385783 }, { "func": "void Commissioner::ClearJoiners(void)\n{\n for (Joiner *joiner = &mJoiners[0]; joiner < OT_ARRAY_END(mJoiners); joiner++)\n {\n joiner->mValid = false;\n }\n\n SendCommissionerSet();\n}", "project": "openthread", "hash": 225951875256517915474381172411498889294, "size": 9, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269872 }, { "func": "static int msr_interception(struct vcpu_svm *svm)\n{\n\tif (svm->vmcb->control.exit_info_1)\n\t\treturn wrmsr_interception(svm);\n\telse\n\t\treturn rdmsr_interception(svm);\n}", "project": "linux", "hash": 20624596151318414727820058392432141017, "size": 7, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432483 }, { "func": "void kvm_reload_remote_mmus(struct kvm *kvm)\n{\n\tkvm_make_all_cpus_request(kvm, KVM_REQ_MMU_RELOAD);\n}", "project": "linux", "hash": 95066267641130259978035157612339595795, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354543 }, { "func": "static int complete_hosts(char *buf, size_t buflen)\n{\n // struct Connection *conn = NULL;\n int rc = -1;\n size_t matchlen;\n\n matchlen = mutt_str_len(buf);\n struct MailboxList ml = STAILQ_HEAD_INITIALIZER(ml);\n neomutt_mailboxlist_get_all(&ml, NeoMutt, MUTT_MAILBOX_ANY);\n struct MailboxNode *np = NULL;\n STAILQ_FOREACH(np, &ml, entries)\n {\n if (!mutt_str_startswith(mailbox_path(np->mailbox), buf))\n continue;\n\n if (rc)\n {\n mutt_str_copy(buf, mailbox_path(np->mailbox), buflen);\n rc = 0;\n }\n else\n longest_common_prefix(buf, mailbox_path(np->mailbox), matchlen, buflen);\n }\n neomutt_mailboxlist_clear(&ml);\n\n#if 0\n TAILQ_FOREACH(conn, mutt_socket_head(), entries)\n {\n struct Url url = { 0 };\n char urlstr[1024];\n\n if (conn->account.type != MUTT_ACCT_TYPE_IMAP)\n 
continue;\n\n mutt_account_tourl(&conn->account, &url);\n /* FIXME: how to handle multiple users on the same host? */\n url.user = NULL;\n url.path = NULL;\n url_tostring(&url, urlstr, sizeof(urlstr), 0);\n if (mutt_strn_equal(buf, urlstr, matchlen))\n {\n if (rc)\n {\n mutt_str_copy(buf, urlstr, buflen);\n rc = 0;\n }\n else\n longest_common_prefix(buf, urlstr, matchlen, buflen);\n }\n }\n#endif\n\n return rc;\n}", "project": "neomutt", "hash": 23663179981143896358796953108441387008, "size": 54, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357034 }, { "func": "static inline void php_register_server_variables(void)\n{\n\tzval request_time_float, request_time_long;\n\n\tzval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]);\n\tarray_init(&PG(http_globals)[TRACK_VARS_SERVER]);\n\n\t/* Server variables */\n\tif (sapi_module.register_server_variables) {\n\t\tsapi_module.register_server_variables(&PG(http_globals)[TRACK_VARS_SERVER]);\n\t}\n\n\t/* PHP Authentication support */\n\tif (SG(request_info).auth_user) {\n\t\tphp_register_variable(\"PHP_AUTH_USER\", SG(request_info).auth_user, &PG(http_globals)[TRACK_VARS_SERVER]);\n\t}\n\tif (SG(request_info).auth_password) {\n\t\tphp_register_variable(\"PHP_AUTH_PW\", SG(request_info).auth_password, &PG(http_globals)[TRACK_VARS_SERVER]);\n\t}\n\tif (SG(request_info).auth_digest) {\n\t\tphp_register_variable(\"PHP_AUTH_DIGEST\", SG(request_info).auth_digest, &PG(http_globals)[TRACK_VARS_SERVER]);\n\t}\n\n\t/* store request init time */\n\tZVAL_DOUBLE(&request_time_float, sapi_get_request_time());\n\tphp_register_variable_ex(\"REQUEST_TIME_FLOAT\", &request_time_float, &PG(http_globals)[TRACK_VARS_SERVER]);\n\tZVAL_LONG(&request_time_long, zend_dval_to_lval(Z_DVAL(request_time_float)));\n\tphp_register_variable_ex(\"REQUEST_TIME\", 
&request_time_long, &PG(http_globals)[TRACK_VARS_SERVER]);\n}", "project": "php-src", "hash": 20846285429165500397776783277650657049, "size": 29, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374958 }, { "func": "JOIN_TAB::remove_duplicates()\n\n{\n bool error;\n ulong keylength= 0;\n uint field_count;\n List *fields= (this-1)->fields;\n THD *thd= join->thd;\n\n DBUG_ENTER(\"remove_duplicates\");\n\n DBUG_ASSERT(join->aggr_tables > 0 && table->s->tmp_table != NO_TMP_TABLE);\n THD_STAGE_INFO(join->thd, stage_removing_duplicates);\n\n //join->explain->ops_tracker.report_duplicate_removal();\n\n table->reginfo.lock_type=TL_WRITE;\n\n /* Calculate how many saved fields there is in list */\n field_count=0;\n List_iterator it(*fields);\n Item *item;\n while ((item=it++))\n {\n if (item->get_tmp_table_field() && ! item->const_item())\n field_count++;\n }\n\n if (!field_count && !(join->select_options & OPTION_FOUND_ROWS) && !having) \n { // only const items with no OPTION_FOUND_ROWS\n join->unit->select_limit_cnt= 1;\t\t// Only send first row\n DBUG_RETURN(false);\n }\n\n Field **first_field=table->field+table->s->fields - field_count;\n for (Field **ptr=first_field; *ptr; ptr++)\n keylength+= (*ptr)->sort_length() + (*ptr)->maybe_null();\n\n /*\n Disable LIMIT ROWS EXAMINED in order to avoid interrupting prematurely\n duplicate removal, and produce a possibly incomplete query result.\n */\n thd->lex->limit_rows_examined_cnt= ULONGLONG_MAX;\n if (thd->killed == ABORT_QUERY)\n thd->reset_killed();\n\n table->file->info(HA_STATUS_VARIABLE);\n if (table->s->db_type() == heap_hton ||\n (!table->s->blob_fields &&\n ((ALIGN_SIZE(keylength) + HASH_OVERHEAD) * table->file->stats.records <\n\tthd->variables.sortbuff_size)))\n error=remove_dup_with_hash_index(join->thd, table, field_count, first_field,\n\t\t\t\t keylength, having);\n else\n error=remove_dup_with_compare(join->thd, 
table, first_field, having);\n\n if (join->select_lex != join->select_lex->master_unit()->fake_select_lex)\n thd->lex->set_limit_rows_examined();\n free_blobs(first_field);\n DBUG_RETURN(error);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 208498784274514021218338131589778582793, "size": 61, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508455 }, { "func": "void CSoundFile::Panbrello(ModChannel *p, uint32 param) const\n{\n\tif (param & 0x0F) p->nPanbrelloDepth = param & 0x0F;\n\tif (param & 0xF0) p->nPanbrelloSpeed = (param >> 4) & 0x0F;\n}", "project": "openmpt", "hash": 244965321623341083657614838697683708552, "size": 5, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255238 }, { "func": "void gdImageString (gdImagePtr im, gdFontPtr f, int x, int y, unsigned char *s, int color)\n{\n\tint i;\n\tint l;\n\tl = strlen ((char *) s);\n\tfor (i = 0; (i < l); i++) {\n\t\tgdImageChar(im, f, x, y, s[i], color);\n\t\tx += f->w;\n\t}\n}", "project": "php-src", "hash": 297735146437720174662500116434782877520, "size": 10, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295130 }, { "func": "static void encode_delegreturn(struct xdr_stream *xdr, const nfs4_stateid *stateid, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_DELEGRETURN, decode_delegreturn_maxsz, hdr);\n\tencode_nfs4_stateid(xdr, stateid);\n}", "project": "linux", "hash": 11939901990368900725892857512896286114, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly 
call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431602 }, { "func": "static void __exit fuse_exit(void)\n{\n\tpr_debug(\"exit\\n\");\n\n\tfuse_ctl_cleanup();\n\tfuse_sysfs_cleanup();\n\tfuse_fs_cleanup();\n\tfuse_dev_cleanup();\n}", "project": "linux", "hash": 99780738052325690886315020563515657112, "size": 9, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341882 }, { "func": "static int bcf_set_variant_types(bcf1_t *b)\n{\n if ( !(b->unpacked & BCF_UN_STR) ) bcf_unpack(b, BCF_UN_STR);\n bcf_dec_t *d = &b->d;\n if ( d->n_var < b->n_allele )\n {\n d->var = (variant_t *) realloc(d->var, sizeof(variant_t)*b->n_allele);\n d->n_var = b->n_allele;\n }\n int i;\n b->d.var_type = 0;\n d->var[0].type = VCF_REF;\n d->var[0].n = 0;\n for (i=1; in_allele; i++)\n {\n bcf_set_variant_type(d->allele[0],d->allele[i], &d->var[i]);\n b->d.var_type |= d->var[i].type;\n //fprintf(stderr,\"[set_variant_type] %d %s %s -> %d %d .. %d\\n\", b->pos+1,d->allele[0],d->allele[i],d->var[i].type,d->var[i].n, b->d.var_type);\n }\n return 0;\n}", "project": "htslib", "hash": 61124219128025313435092184772033965107, "size": 21, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402211 }, { "func": "static inline int check_user_page_hwpoison(unsigned long addr)\n{\n\tint rc, flags = FOLL_HWPOISON | FOLL_WRITE;\n\n\trc = get_user_pages(addr, 1, flags, NULL, NULL);\n\treturn rc == -EHWPOISON;\n}", "project": "linux", "hash": 44135884913333558810201331151059002753, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354442 }, { "func": "R_API int r_sys_fork() {\n#if HAVE_FORK\n#if __WINDOWS__\n\treturn -1;\n#else\n\treturn fork ();\n#endif\n#else\n\treturn -1;\n#endif\n}", "project": "radare2", "hash": 291522801540861321742457361640347788809, "size": 11, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a 
protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269043 }, { "func": "int CServerBan::BanAddr(const NETADDR *pAddr, int Seconds, const char *pReason)\n{\n\treturn BanExt(&m_BanAddrPool, pAddr, Seconds, pReason);\n}", "project": "teeworlds", "hash": 86261538184927272361273671740765575416, "size": 4, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382002 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void ecall_partition_for_sort(uint8_t *sort_order, size_t sort_order_length,\n uint32_t num_partitions,\n uint8_t *input_rows, size_t input_rows_length,\n uint8_t *boundary_rows, size_t boundary_rows_length,\n uint8_t **output_partitions, size_t *output_partition_lengths) {\n // Guard against operating on arbitrary enclave memory\n assert(sgx_is_outside_enclave(input_rows, input_rows_length) == 1);\n assert(sgx_is_outside_enclave(boundary_rows, boundary_rows_length) == 1);\n sgx_lfence();\n\n try {\n partition_for_sort(sort_order, sort_order_length,\n num_partitions,\n input_rows, input_rows_length,\n boundary_rows, boundary_rows_length,\n output_partitions, output_partition_lengths);\n } catch (const 
std::runtime_error &e) {\n ocall_throw(e.what());\n }\n}", "idx": 519080, "cwe": "CWE-787", "hash": 202492174910647429609894873326931016360, "dataset": "other" }, { "func": "void CServer::ConStatus(IConsole::IResult *pResult, void *pUser)\n{\n\tchar aBuf[1024];\n\tchar aAddrStr[NETADDR_MAXSTRSIZE];\n\tCServer* pThis = static_cast(pUser);\n\n\tfor(int i = 0; i < MAX_CLIENTS; i++)\n\t{\n\t\tif(pThis->m_aClients[i].m_State != CClient::STATE_EMPTY)\n\t\t{\n\t\t\tnet_addr_str(pThis->m_NetServer.ClientAddr(i), aAddrStr, sizeof(aAddrStr), true);\n\t\t\tif(pThis->m_aClients[i].m_State == CClient::STATE_INGAME)\n\t\t\t{\n\t\t\t\tconst char *pAuthStr = pThis->m_aClients[i].m_Authed == CServer::AUTHED_ADMIN ? \"(Admin)\" :\n\t\t\t\t\t\t\t\t\t\tpThis->m_aClients[i].m_Authed == CServer::AUTHED_MOD ? \"(Mod)\" : \"\";\n\t\t\t\tstr_format(aBuf, sizeof(aBuf), \"id=%d addr=%s client=%x name='%s' score=%d %s\", i, aAddrStr,\n\t\t\t\t\tpThis->m_aClients[i].m_Version, pThis->m_aClients[i].m_aName, pThis->m_aClients[i].m_Score, pAuthStr);\n\t\t\t}\n\t\t\telse\n\t\t\t\tstr_format(aBuf, sizeof(aBuf), \"id=%d addr=%s connecting\", i, aAddrStr);\n\t\t\tpThis->Console()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"server\", aBuf);\n\t\t}\n\t}\n}", "project": "teeworlds", "hash": 163629336651462839442152208894100036174, "size": 24, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382010 }, { "func": "ConnStateData::getSslContextStart()\n{\n // If we are called, then CONNECT has succeeded. Finalize it.\n if (auto xact = pipeline.front()) {\n if (xact->http && xact->http->request && xact->http->request->method == Http::METHOD_CONNECT)\n xact->finished();\n // cannot proceed with encryption if requests wait for plain responses\n Must(pipeline.empty());\n }\n /* careful: finished() above frees request, host, etc. 
*/\n\n if (port->secure.generateHostCertificates) {\n Ssl::CertificateProperties certProperties;\n buildSslCertGenerationParams(certProperties);\n\n // Disable caching for bumpPeekAndSplice mode\n if (!(sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare))) {\n sslBumpCertKey.clear();\n Ssl::InRamCertificateDbKey(certProperties, sslBumpCertKey);\n assert(!sslBumpCertKey.isEmpty());\n\n Security::ContextPointer ctx(getTlsContextFromCache(sslBumpCertKey, certProperties));\n if (ctx) {\n getSslContextDone(ctx);\n return;\n }\n }\n\n#if USE_SSL_CRTD\n try {\n debugs(33, 5, HERE << \"Generating SSL certificate for \" << certProperties.commonName << \" using ssl_crtd.\");\n Ssl::CrtdMessage request_message(Ssl::CrtdMessage::REQUEST);\n request_message.setCode(Ssl::CrtdMessage::code_new_certificate);\n request_message.composeRequest(certProperties);\n debugs(33, 5, HERE << \"SSL crtd request: \" << request_message.compose().c_str());\n Ssl::Helper::Submit(request_message, sslCrtdHandleReplyWrapper, this);\n return;\n } catch (const std::exception &e) {\n debugs(33, DBG_IMPORTANT, \"ERROR: Failed to compose ssl_crtd \" <<\n \"request for \" << certProperties.commonName <<\n \" certificate: \" << e.what() << \"; will now block to \" <<\n \"generate that certificate.\");\n // fall through to do blocking in-process generation.\n }\n#endif // USE_SSL_CRTD\n\n debugs(33, 5, HERE << \"Generating SSL certificate for \" << certProperties.commonName);\n if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)) {\n doPeekAndSpliceStep();\n auto ssl = fd_table[clientConnection->fd].ssl.get();\n if (!Ssl::configureSSL(ssl, certProperties, *port))\n debugs(33, 5, \"Failed to set certificates to ssl object for PeekAndSplice mode\");\n\n Security::ContextPointer ctx(Security::GetFrom(fd_table[clientConnection->fd].ssl));\n Ssl::configureUnconfiguredSslContext(ctx, 
certProperties.signAlgorithm, *port);\n } else {\n Security::ContextPointer dynCtx(Ssl::GenerateSslContext(certProperties, port->secure, (signAlgorithm == Ssl::algSignTrusted)));\n if (dynCtx && !sslBumpCertKey.isEmpty())\n storeTlsContextToCache(sslBumpCertKey, dynCtx);\n getSslContextDone(dynCtx);\n }\n return;\n }\n\n Security::ContextPointer nil;\n getSslContextDone(nil);\n}", "project": "squid", "hash": 206983071251279967062838431918579512207, "size": 67, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402365 }, { "func": "static void syndbg_exit(struct kvm_vcpu *vcpu, u32 msr)\n{\n\tstruct kvm_hv_syndbg *syndbg = to_hv_syndbg(vcpu);\n\tstruct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu);\n\n\thv_vcpu->exit.type = KVM_EXIT_HYPERV_SYNDBG;\n\thv_vcpu->exit.u.syndbg.msr = msr;\n\thv_vcpu->exit.u.syndbg.control = syndbg->control.control;\n\thv_vcpu->exit.u.syndbg.send_page = syndbg->control.send_page;\n\thv_vcpu->exit.u.syndbg.recv_page = syndbg->control.recv_page;\n\thv_vcpu->exit.u.syndbg.pending_page = syndbg->control.pending_page;\n\tvcpu->arch.complete_userspace_io =\n\t\t\tkvm_hv_syndbg_complete_userspace;\n\n\tkvm_make_request(KVM_REQ_HV_EXIT, vcpu);\n}", "project": "linux", "hash": 162613429716599264504283486205409290866, "size": 16, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: 
null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343472 }, { "func": "static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c)\n{\n\t/*\n\t * Control characters can be used in the _middle_\n\t * of an escape sequence.\n\t */\n\tif (vc->vc_state == ESosc && c>=8 && c<=13) /* ... 
except for OSC */\n\t\treturn;\n\tswitch (c) {\n\tcase 0:\n\t\treturn;\n\tcase 7:\n\t\tif (vc->vc_state == ESosc)\n\t\t\tvc->vc_state = ESnormal;\n\t\telse if (vc->vc_bell_duration)\n\t\t\tkd_mksound(vc->vc_bell_pitch, vc->vc_bell_duration);\n\t\treturn;\n\tcase 8:\n\t\tbs(vc);\n\t\treturn;\n\tcase 9:\n\t\tvc->vc_pos -= (vc->vc_x << 1);\n\t\twhile (vc->vc_x < vc->vc_cols - 1) {\n\t\t\tvc->vc_x++;\n\t\t\tif (vc->vc_tab_stop[7 & (vc->vc_x >> 5)] & (1 << (vc->vc_x & 31)))\n\t\t\t\tbreak;\n\t\t}\n\t\tvc->vc_pos += (vc->vc_x << 1);\n\t\tnotify_write(vc, '\\t');\n\t\treturn;\n\tcase 10: case 11: case 12:\n\t\tlf(vc);\n\t\tif (!is_kbd(vc, lnm))\n\t\t\treturn;\n\t\t/* fall through */\n\tcase 13:\n\t\tcr(vc);\n\t\treturn;\n\tcase 14:\n\t\tvc->vc_charset = 1;\n\t\tvc->vc_translate = set_translate(vc->vc_G1_charset, vc);\n\t\tvc->vc_disp_ctrl = 1;\n\t\treturn;\n\tcase 15:\n\t\tvc->vc_charset = 0;\n\t\tvc->vc_translate = set_translate(vc->vc_G0_charset, vc);\n\t\tvc->vc_disp_ctrl = 0;\n\t\treturn;\n\tcase 24: case 26:\n\t\tvc->vc_state = ESnormal;\n\t\treturn;\n\tcase 27:\n\t\tvc->vc_state = ESesc;\n\t\treturn;\n\tcase 127:\n\t\tdel(vc);\n\t\treturn;\n\tcase 128+27:\n\t\tvc->vc_state = ESsquare;\n\t\treturn;\n\t}\n\tswitch(vc->vc_state) {\n\tcase ESesc:\n\t\tvc->vc_state = ESnormal;\n\t\tswitch (c) {\n\t\tcase '[':\n\t\t\tvc->vc_state = ESsquare;\n\t\t\treturn;\n\t\tcase ']':\n\t\t\tvc->vc_state = ESnonstd;\n\t\t\treturn;\n\t\tcase '%':\n\t\t\tvc->vc_state = ESpercent;\n\t\t\treturn;\n\t\tcase 'E':\n\t\t\tcr(vc);\n\t\t\tlf(vc);\n\t\t\treturn;\n\t\tcase 'M':\n\t\t\tri(vc);\n\t\t\treturn;\n\t\tcase 'D':\n\t\t\tlf(vc);\n\t\t\treturn;\n\t\tcase 'H':\n\t\t\tvc->vc_tab_stop[7 & (vc->vc_x >> 5)] |= (1 << (vc->vc_x & 31));\n\t\t\treturn;\n\t\tcase 'Z':\n\t\t\trespond_ID(tty);\n\t\t\treturn;\n\t\tcase '7':\n\t\t\tsave_cur(vc);\n\t\t\treturn;\n\t\tcase '8':\n\t\t\trestore_cur(vc);\n\t\t\treturn;\n\t\tcase '(':\n\t\t\tvc->vc_state = ESsetG0;\n\t\t\treturn;\n\t\tcase 
')':\n\t\t\tvc->vc_state = ESsetG1;\n\t\t\treturn;\n\t\tcase '#':\n\t\t\tvc->vc_state = EShash;\n\t\t\treturn;\n\t\tcase 'c':\n\t\t\treset_terminal(vc, 1);\n\t\t\treturn;\n\t\tcase '>': /* Numeric keypad */\n\t\t\tclr_kbd(vc, kbdapplic);\n\t\t\treturn;\n\t\tcase '=': /* Appl. keypad */\n\t\t\tset_kbd(vc, kbdapplic);\n\t\t\treturn;\n\t\t}\n\t\treturn;\n\tcase ESnonstd:\n\t\tif (c=='P') { /* palette escape sequence */\n\t\t\tfor (vc->vc_npar = 0; vc->vc_npar < NPAR; vc->vc_npar++)\n\t\t\t\tvc->vc_par[vc->vc_npar] = 0;\n\t\t\tvc->vc_npar = 0;\n\t\t\tvc->vc_state = ESpalette;\n\t\t\treturn;\n\t\t} else if (c=='R') { /* reset palette */\n\t\t\treset_palette(vc);\n\t\t\tvc->vc_state = ESnormal;\n\t\t} else if (c>='0' && c<='9')\n\t\t\tvc->vc_state = ESosc;\n\t\telse\n\t\t\tvc->vc_state = ESnormal;\n\t\treturn;\n\tcase ESpalette:\n\t\tif (isxdigit(c)) {\n\t\t\tvc->vc_par[vc->vc_npar++] = hex_to_bin(c);\n\t\t\tif (vc->vc_npar == 7) {\n\t\t\t\tint i = vc->vc_par[0] * 3, j = 1;\n\t\t\t\tvc->vc_palette[i] = 16 * vc->vc_par[j++];\n\t\t\t\tvc->vc_palette[i++] += vc->vc_par[j++];\n\t\t\t\tvc->vc_palette[i] = 16 * vc->vc_par[j++];\n\t\t\t\tvc->vc_palette[i++] += vc->vc_par[j++];\n\t\t\t\tvc->vc_palette[i] = 16 * vc->vc_par[j++];\n\t\t\t\tvc->vc_palette[i] += vc->vc_par[j];\n\t\t\t\tset_palette(vc);\n\t\t\t\tvc->vc_state = ESnormal;\n\t\t\t}\n\t\t} else\n\t\t\tvc->vc_state = ESnormal;\n\t\treturn;\n\tcase ESsquare:\n\t\tfor (vc->vc_npar = 0; vc->vc_npar < NPAR; vc->vc_npar++)\n\t\t\tvc->vc_par[vc->vc_npar] = 0;\n\t\tvc->vc_npar = 0;\n\t\tvc->vc_state = ESgetpars;\n\t\tif (c == '[') { /* Function key */\n\t\t\tvc->vc_state=ESfunckey;\n\t\t\treturn;\n\t\t}\n\t\tswitch (c) {\n\t\tcase '?':\n\t\t\tvc->vc_priv = EPdec;\n\t\t\treturn;\n\t\tcase '>':\n\t\t\tvc->vc_priv = EPgt;\n\t\t\treturn;\n\t\tcase '=':\n\t\t\tvc->vc_priv = EPeq;\n\t\t\treturn;\n\t\tcase '<':\n\t\t\tvc->vc_priv = EPlt;\n\t\t\treturn;\n\t\t}\n\t\tvc->vc_priv = EPecma;\n\t\t/* fall through */\n\tcase ESgetpars:\n\t\tif 
(c == ';' && vc->vc_npar < NPAR - 1) {\n\t\t\tvc->vc_npar++;\n\t\t\treturn;\n\t\t} else if (c>='0' && c<='9') {\n\t\t\tvc->vc_par[vc->vc_npar] *= 10;\n\t\t\tvc->vc_par[vc->vc_npar] += c - '0';\n\t\t\treturn;\n\t\t}\n\t\tif (c >= 0x20 && c <= 0x3f) { /* 0x2x, 0x3a and 0x3c - 0x3f */\n\t\t\tvc->vc_state = EScsiignore;\n\t\t\treturn;\n\t\t}\n\t\tvc->vc_state = ESnormal;\n\t\tswitch(c) {\n\t\tcase 'h':\n\t\t\tif (vc->vc_priv <= EPdec)\n\t\t\t\tset_mode(vc, 1);\n\t\t\treturn;\n\t\tcase 'l':\n\t\t\tif (vc->vc_priv <= EPdec)\n\t\t\t\tset_mode(vc, 0);\n\t\t\treturn;\n\t\tcase 'c':\n\t\t\tif (vc->vc_priv == EPdec) {\n\t\t\t\tif (vc->vc_par[0])\n\t\t\t\t\tvc->vc_cursor_type = vc->vc_par[0] | (vc->vc_par[1] << 8) | (vc->vc_par[2] << 16);\n\t\t\t\telse\n\t\t\t\t\tvc->vc_cursor_type = cur_default;\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tbreak;\n\t\tcase 'm':\n\t\t\tif (vc->vc_priv == EPdec) {\n\t\t\t\tclear_selection();\n\t\t\t\tif (vc->vc_par[0])\n\t\t\t\t\tvc->vc_complement_mask = vc->vc_par[0] << 8 | vc->vc_par[1];\n\t\t\t\telse\n\t\t\t\t\tvc->vc_complement_mask = vc->vc_s_complement_mask;\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tbreak;\n\t\tcase 'n':\n\t\t\tif (vc->vc_priv == EPecma) {\n\t\t\t\tif (vc->vc_par[0] == 5)\n\t\t\t\t\tstatus_report(tty);\n\t\t\t\telse if (vc->vc_par[0] == 6)\n\t\t\t\t\tcursor_report(vc, tty);\n\t\t\t}\n\t\t\treturn;\n\t\t}\n\t\tif (vc->vc_priv != EPecma) {\n\t\t\tvc->vc_priv = EPecma;\n\t\t\treturn;\n\t\t}\n\t\tswitch(c) {\n\t\tcase 'G': case '`':\n\t\t\tif (vc->vc_par[0])\n\t\t\t\tvc->vc_par[0]--;\n\t\t\tgotoxy(vc, vc->vc_par[0], vc->vc_y);\n\t\t\treturn;\n\t\tcase 'A':\n\t\t\tif (!vc->vc_par[0])\n\t\t\t\tvc->vc_par[0]++;\n\t\t\tgotoxy(vc, vc->vc_x, vc->vc_y - vc->vc_par[0]);\n\t\t\treturn;\n\t\tcase 'B': case 'e':\n\t\t\tif (!vc->vc_par[0])\n\t\t\t\tvc->vc_par[0]++;\n\t\t\tgotoxy(vc, vc->vc_x, vc->vc_y + vc->vc_par[0]);\n\t\t\treturn;\n\t\tcase 'C': case 'a':\n\t\t\tif (!vc->vc_par[0])\n\t\t\t\tvc->vc_par[0]++;\n\t\t\tgotoxy(vc, vc->vc_x + vc->vc_par[0], 
vc->vc_y);\n\t\t\treturn;\n\t\tcase 'D':\n\t\t\tif (!vc->vc_par[0])\n\t\t\t\tvc->vc_par[0]++;\n\t\t\tgotoxy(vc, vc->vc_x - vc->vc_par[0], vc->vc_y);\n\t\t\treturn;\n\t\tcase 'E':\n\t\t\tif (!vc->vc_par[0])\n\t\t\t\tvc->vc_par[0]++;\n\t\t\tgotoxy(vc, 0, vc->vc_y + vc->vc_par[0]);\n\t\t\treturn;\n\t\tcase 'F':\n\t\t\tif (!vc->vc_par[0])\n\t\t\t\tvc->vc_par[0]++;\n\t\t\tgotoxy(vc, 0, vc->vc_y - vc->vc_par[0]);\n\t\t\treturn;\n\t\tcase 'd':\n\t\t\tif (vc->vc_par[0])\n\t\t\t\tvc->vc_par[0]--;\n\t\t\tgotoxay(vc, vc->vc_x ,vc->vc_par[0]);\n\t\t\treturn;\n\t\tcase 'H': case 'f':\n\t\t\tif (vc->vc_par[0])\n\t\t\t\tvc->vc_par[0]--;\n\t\t\tif (vc->vc_par[1])\n\t\t\t\tvc->vc_par[1]--;\n\t\t\tgotoxay(vc, vc->vc_par[1], vc->vc_par[0]);\n\t\t\treturn;\n\t\tcase 'J':\n\t\t\tcsi_J(vc, vc->vc_par[0]);\n\t\t\treturn;\n\t\tcase 'K':\n\t\t\tcsi_K(vc, vc->vc_par[0]);\n\t\t\treturn;\n\t\tcase 'L':\n\t\t\tcsi_L(vc, vc->vc_par[0]);\n\t\t\treturn;\n\t\tcase 'M':\n\t\t\tcsi_M(vc, vc->vc_par[0]);\n\t\t\treturn;\n\t\tcase 'P':\n\t\t\tcsi_P(vc, vc->vc_par[0]);\n\t\t\treturn;\n\t\tcase 'c':\n\t\t\tif (!vc->vc_par[0])\n\t\t\t\trespond_ID(tty);\n\t\t\treturn;\n\t\tcase 'g':\n\t\t\tif (!vc->vc_par[0])\n\t\t\t\tvc->vc_tab_stop[7 & (vc->vc_x >> 5)] &= ~(1 << (vc->vc_x & 31));\n\t\t\telse if (vc->vc_par[0] == 3) {\n\t\t\t\tvc->vc_tab_stop[0] =\n\t\t\t\t\tvc->vc_tab_stop[1] =\n\t\t\t\t\tvc->vc_tab_stop[2] =\n\t\t\t\t\tvc->vc_tab_stop[3] =\n\t\t\t\t\tvc->vc_tab_stop[4] =\n\t\t\t\t\tvc->vc_tab_stop[5] =\n\t\t\t\t\tvc->vc_tab_stop[6] =\n\t\t\t\t\tvc->vc_tab_stop[7] = 0;\n\t\t\t}\n\t\t\treturn;\n\t\tcase 'm':\n\t\t\tcsi_m(vc);\n\t\t\treturn;\n\t\tcase 'q': /* DECLL - but only 3 leds */\n\t\t\t/* map 0,1,2,3 to 0,1,2,4 */\n\t\t\tif (vc->vc_par[0] < 4)\n\t\t\t\tvt_set_led_state(vc->vc_num,\n\t\t\t\t\t (vc->vc_par[0] < 3) ? 
vc->vc_par[0] : 4);\n\t\t\treturn;\n\t\tcase 'r':\n\t\t\tif (!vc->vc_par[0])\n\t\t\t\tvc->vc_par[0]++;\n\t\t\tif (!vc->vc_par[1])\n\t\t\t\tvc->vc_par[1] = vc->vc_rows;\n\t\t\t/* Minimum allowed region is 2 lines */\n\t\t\tif (vc->vc_par[0] < vc->vc_par[1] &&\n\t\t\t vc->vc_par[1] <= vc->vc_rows) {\n\t\t\t\tvc->vc_top = vc->vc_par[0] - 1;\n\t\t\t\tvc->vc_bottom = vc->vc_par[1];\n\t\t\t\tgotoxay(vc, 0, 0);\n\t\t\t}\n\t\t\treturn;\n\t\tcase 's':\n\t\t\tsave_cur(vc);\n\t\t\treturn;\n\t\tcase 'u':\n\t\t\trestore_cur(vc);\n\t\t\treturn;\n\t\tcase 'X':\n\t\t\tcsi_X(vc, vc->vc_par[0]);\n\t\t\treturn;\n\t\tcase '@':\n\t\t\tcsi_at(vc, vc->vc_par[0]);\n\t\t\treturn;\n\t\tcase ']': /* setterm functions */\n\t\t\tsetterm_command(vc);\n\t\t\treturn;\n\t\t}\n\t\treturn;\n\tcase EScsiignore:\n\t\tif (c >= 20 && c <= 0x3f)\n\t\t\treturn;\n\t\tvc->vc_state = ESnormal;\n\t\treturn;\n\tcase ESpercent:\n\t\tvc->vc_state = ESnormal;\n\t\tswitch (c) {\n\t\tcase '@': /* defined in ISO 2022 */\n\t\t\tvc->vc_utf = 0;\n\t\t\treturn;\n\t\tcase 'G': /* prelim official escape code */\n\t\tcase '8': /* retained for compatibility */\n\t\t\tvc->vc_utf = 1;\n\t\t\treturn;\n\t\t}\n\t\treturn;\n\tcase ESfunckey:\n\t\tvc->vc_state = ESnormal;\n\t\treturn;\n\tcase EShash:\n\t\tvc->vc_state = ESnormal;\n\t\tif (c == '8') {\n\t\t\t/* DEC screen alignment test. 
kludge :-) */\n\t\t\tvc->vc_video_erase_char =\n\t\t\t\t(vc->vc_video_erase_char & 0xff00) | 'E';\n\t\t\tcsi_J(vc, 2);\n\t\t\tvc->vc_video_erase_char =\n\t\t\t\t(vc->vc_video_erase_char & 0xff00) | ' ';\n\t\t\tdo_update_region(vc, vc->vc_origin, vc->vc_screenbuf_size / 2);\n\t\t}\n\t\treturn;\n\tcase ESsetG0:\n\t\tif (c == '0')\n\t\t\tvc->vc_G0_charset = GRAF_MAP;\n\t\telse if (c == 'B')\n\t\t\tvc->vc_G0_charset = LAT1_MAP;\n\t\telse if (c == 'U')\n\t\t\tvc->vc_G0_charset = IBMPC_MAP;\n\t\telse if (c == 'K')\n\t\t\tvc->vc_G0_charset = USER_MAP;\n\t\tif (vc->vc_charset == 0)\n\t\t\tvc->vc_translate = set_translate(vc->vc_G0_charset, vc);\n\t\tvc->vc_state = ESnormal;\n\t\treturn;\n\tcase ESsetG1:\n\t\tif (c == '0')\n\t\t\tvc->vc_G1_charset = GRAF_MAP;\n\t\telse if (c == 'B')\n\t\t\tvc->vc_G1_charset = LAT1_MAP;\n\t\telse if (c == 'U')\n\t\t\tvc->vc_G1_charset = IBMPC_MAP;\n\t\telse if (c == 'K')\n\t\t\tvc->vc_G1_charset = USER_MAP;\n\t\tif (vc->vc_charset == 1)\n\t\t\tvc->vc_translate = set_translate(vc->vc_G1_charset, vc);\n\t\tvc->vc_state = ESnormal;\n\t\treturn;\n\tcase ESosc:\n\t\treturn;\n\tdefault:\n\t\tvc->vc_state = ESnormal;\n\t}\n}", "project": "linux", "hash": 122057880091488767843192732740938174847, "size": 412, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437050 }, { "func": "static int hva_to_pfn_slow(unsigned long addr, bool *async, bool write_fault,\n\t\t\t bool *writable, kvm_pfn_t *pfn)\n{\n\tunsigned int flags = FOLL_HWPOISON;\n\tstruct page *page;\n\tint npages = 0;\n\n\tmight_sleep();\n\n\tif (writable)\n\t\t*writable = write_fault;\n\n\tif (write_fault)\n\t\tflags |= FOLL_WRITE;\n\tif (async)\n\t\tflags |= FOLL_NOWAIT;\n\n\tnpages = get_user_pages_unlocked(addr, 1, &page, flags);\n\tif (npages != 1)\n\t\treturn npages;\n\n\t/* map read fault as writable if possible */\n\tif (unlikely(!write_fault) && writable) {\n\t\tstruct page *wpage;\n\n\t\tif (__get_user_pages_fast(addr, 1, 1, &wpage) == 1) {\n\t\t\t*writable = true;\n\t\t\tput_page(page);\n\t\t\tpage = wpage;\n\t\t}\n\t}\n\t*pfn = page_to_pfn(page);\n\treturn npages;\n}", "project": "linux", "hash": 336911280478872735608711917694301210847, "size": 34, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354768 }, { "func": "static int hva_to_pfn_slow(unsigned long addr, bool *async, bool write_fault,\n\t\t\t bool *writable, kvm_pfn_t *pfn)\n{\n\tunsigned int flags = FOLL_HWPOISON;\n\tstruct page *page;\n\tint npages = 
0;\n\n\tmight_sleep();\n\n\tif (writable)\n\t\t*writable = write_fault;\n\n\tif (write_fault)\n\t\tflags |= FOLL_WRITE;\n\tif (async)\n\t\tflags |= FOLL_NOWAIT;\n\n\tnpages = get_user_pages_unlocked(addr, 1, &page, flags);\n\tif (npages != 1)\n\t\treturn npages;\n\n\t/* map read fault as writable if possible */\n\tif (unlikely(!write_fault) && writable) {\n\t\tstruct page *wpage;\n\n\t\tif (get_user_page_fast_only(addr, FOLL_WRITE, &wpage)) {\n\t\t\t*writable = true;\n\t\t\tput_page(page);\n\t\t\tpage = wpage;\n\t\t}\n\t}\n\t*pfn = page_to_pfn(page);\n\treturn npages;\n}", "project": "linux", "hash": 92355525948804858558615365545772683673, "size": 34, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404079 }, { "func": "static int ov511_i2c_r(struct sd *sd, u8 reg)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint rc, value, retries;\n\n\t/* Two byte write cycle */\n\tfor (retries = 6; ; ) {\n\t\t/* Select camera register */\n\t\treg_w(sd, R51x_I2C_SADDR_2, reg);\n\n\t\t/* Initiate 2-byte write cycle */\n\t\treg_w(sd, R511_I2C_CTL, 0x03);\n\n\t\tdo {\n\t\t\trc = reg_r(sd, R511_I2C_CTL);\n\t\t} while (rc > 0 && ((rc & 1) == 0)); /* Retry until idle 
*/\n\n\t\tif (rc < 0)\n\t\t\treturn rc;\n\n\t\tif ((rc & 2) == 0) /* Ack? */\n\t\t\tbreak;\n\n\t\t/* I2C abort */\n\t\treg_w(sd, R511_I2C_CTL, 0x10);\n\n\t\tif (--retries < 0) {\n\t\t\tgspca_dbg(gspca_dev, D_USBI, \"i2c write retries exhausted\\n\");\n\t\t\treturn -1;\n\t\t}\n\t}\n\n\t/* Two byte read cycle */\n\tfor (retries = 6; ; ) {\n\t\t/* Initiate 2-byte read cycle */\n\t\treg_w(sd, R511_I2C_CTL, 0x05);\n\n\t\tdo {\n\t\t\trc = reg_r(sd, R511_I2C_CTL);\n\t\t} while (rc > 0 && ((rc & 1) == 0)); /* Retry until idle */\n\n\t\tif (rc < 0)\n\t\t\treturn rc;\n\n\t\tif ((rc & 2) == 0) /* Ack? */\n\t\t\tbreak;\n\n\t\t/* I2C abort */\n\t\treg_w(sd, R511_I2C_CTL, 0x10);\n\n\t\tif (--retries < 0) {\n\t\t\tgspca_dbg(gspca_dev, D_USBI, \"i2c read retries exhausted\\n\");\n\t\t\treturn -1;\n\t\t}\n\t}\n\n\tvalue = reg_r(sd, R51x_I2C_DATA);\n\n\tgspca_dbg(gspca_dev, D_USBI, \"ov511_i2c_r %02x %02x\\n\", reg, value);\n\n\t/* This is needed to make i2c_w() work */\n\treg_w(sd, R511_I2C_CTL, 0x05);\n\n\treturn value;\n}", "project": "linux", "hash": 243015550844043839718129918898689701652, "size": 65, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306316 }, { "func": "inline StringData* StringData::modifyChar(int offset, char c) {\n 
assertx(offset >= 0 && offset < size());\n assertx(!hasMultipleRefs());\n\n auto const sd = isProxy() ? escalate(size()) : this;\n sd->mutableData()[offset] = c;\n sd->m_hash = 0;\n return sd;\n}", "project": "hhvm", "hash": 97966571767874196807555263885010171984, "size": 9, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219558 }, { "func": "int mnt_optstr_next_option(char **optstr, char **name, size_t *namesz,\n\t\t\t\t\tchar **value, size_t *valuesz)\n{\n\tif (!optstr || !*optstr)\n\t\treturn -EINVAL;\n\treturn mnt_optstr_parse_next(optstr, name, namesz, value, valuesz);\n}", "project": "util-linux", "hash": 314314861050562713714617743047537735772, "size": 7, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410389 }, { "func": "static void nfs_state_clear_open_state_flags(struct nfs4_state *state)\n{\n\tclear_bit(NFS_O_RDWR_STATE, &state->flags);\n\tclear_bit(NFS_O_WRONLY_STATE, &state->flags);\n\tclear_bit(NFS_O_RDONLY_STATE, &state->flags);\n\tclear_bit(NFS_OPEN_STATE, &state->flags);\n}", "project": "linux", "hash": 334574499472139505357531406284440438593, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431472 }, { "func": "static int 
alloc_percpu_trace_buffer(void)\n{\n\tstruct trace_buffer_struct *buffers;\n\n\tbuffers = alloc_percpu(struct trace_buffer_struct);\n\tif (WARN(!buffers, \"Could not allocate percpu trace_printk buffer\"))\n\t\treturn -ENOMEM;\n\n\ttrace_percpu_buffer = buffers;\n\treturn 0;\n}", "project": "linux", "hash": 194232493604764999522686830612597316932, "size": 11, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445722 }, { "func": "static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) {\n\n\t/* variables to hold the values returned in the response */\n\tchar *issuer = NULL, *target_link_uri = NULL, *login_hint = NULL,\n\t\t\t*auth_request_params = NULL, *csrf_cookie, *csrf_query = NULL,\n\t\t\t*user = NULL, *path_scopes;\n\toidc_provider_t *provider = NULL;\n\n\toidc_util_get_request_parameter(r, OIDC_DISC_OP_PARAM, &issuer);\n\toidc_util_get_request_parameter(r, OIDC_DISC_USER_PARAM, &user);\n\toidc_util_get_request_parameter(r, OIDC_DISC_RT_PARAM, &target_link_uri);\n\toidc_util_get_request_parameter(r, OIDC_DISC_LH_PARAM, &login_hint);\n\toidc_util_get_request_parameter(r, OIDC_DISC_SC_PARAM, &path_scopes);\n\toidc_util_get_request_parameter(r, 
OIDC_DISC_AR_PARAM,\n\t\t\t&auth_request_params);\n\toidc_util_get_request_parameter(r, OIDC_CSRF_NAME, &csrf_query);\n\tcsrf_cookie = oidc_util_get_cookie(r, OIDC_CSRF_NAME);\n\n\t/* do CSRF protection if not 3rd party initiated SSO */\n\tif (csrf_cookie) {\n\n\t\t/* clean CSRF cookie */\n\t\toidc_util_set_cookie(r, OIDC_CSRF_NAME, \"\", 0, NULL);\n\n\t\t/* compare CSRF cookie value with query parameter value */\n\t\tif ((csrf_query == NULL)\n\t\t\t\t|| apr_strnatcmp(csrf_query, csrf_cookie) != 0) {\n\t\t\toidc_warn(r,\n\t\t\t\t\t\"CSRF protection failed, no Discovery and dynamic client registration will be allowed\");\n\t\t\tcsrf_cookie = NULL;\n\t\t}\n\t}\n\n\t// TODO: trim issuer/accountname/domain input and do more input validation\n\n\toidc_debug(r,\n\t\t\t\"issuer=\\\"%s\\\", target_link_uri=\\\"%s\\\", login_hint=\\\"%s\\\", user=\\\"%s\\\"\",\n\t\t\tissuer, target_link_uri, login_hint, user);\n\n\tif (target_link_uri == NULL) {\n\t\tif (c->default_sso_url == NULL) {\n\t\t\treturn oidc_util_html_send_error(r, c->error_template,\n\t\t\t\t\t\"Invalid Request\",\n\t\t\t\t\t\"SSO to this module without specifying a \\\"target_link_uri\\\" parameter is not possible because \" OIDCDefaultURL \" is not set.\",\n\t\t\t\t\tHTTP_INTERNAL_SERVER_ERROR);\n\t\t}\n\t\ttarget_link_uri = c->default_sso_url;\n\t}\n\n\t/* do open redirect prevention */\n\tif (oidc_target_link_uri_matches_configuration(r, c,\n\t\t\ttarget_link_uri) == FALSE) {\n\t\treturn oidc_util_html_send_error(r, c->error_template,\n\t\t\t\t\"Invalid Request\",\n\t\t\t\t\"\\\"target_link_uri\\\" parameter does not match configuration settings, aborting to prevent an open redirect.\",\n\t\t\t\tHTTP_UNAUTHORIZED);\n\t}\n\n\t/* see if this is a static setup */\n\tif (c->metadata_dir == NULL) {\n\t\tif ((oidc_provider_static_config(r, c, &provider) == TRUE)\n\t\t\t\t&& (issuer != NULL)) {\n\t\t\tif (apr_strnatcmp(provider->issuer, issuer) != 0) {\n\t\t\t\treturn oidc_util_html_send_error(r, 
c->error_template,\n\t\t\t\t\t\t\"Invalid Request\",\n\t\t\t\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\t\t\t\"The \\\"iss\\\" value must match the configured providers' one (%s != %s).\",\n\t\t\t\t\t\t\t\tissuer, c->provider.issuer),\n\t\t\t\t\t\t\t\tHTTP_INTERNAL_SERVER_ERROR);\n\t\t\t}\n\t\t}\n\t\treturn oidc_authenticate_user(r, c, NULL, target_link_uri, login_hint,\n\t\t\t\tNULL, NULL, auth_request_params, path_scopes);\n\t}\n\n\t/* find out if the user entered an account name or selected an OP manually */\n\tif (user != NULL) {\n\n\t\tif (login_hint == NULL)\n\t\t\tlogin_hint = apr_pstrdup(r->pool, user);\n\n\t\t/* normalize the user identifier */\n\t\tif (strstr(user, \"https://\") != user)\n\t\t\tuser = apr_psprintf(r->pool, \"https://%s\", user);\n\n\t\t/* got an user identifier as input, perform OP discovery with that */\n\t\tif (oidc_proto_url_based_discovery(r, c, user, &issuer) == FALSE) {\n\n\t\t\t/* something did not work out, show a user facing error */\n\t\t\treturn oidc_util_html_send_error(r, c->error_template,\n\t\t\t\t\t\"Invalid Request\",\n\t\t\t\t\t\"Could not resolve the provided user identifier to an OpenID Connect provider; check your syntax.\",\n\t\t\t\t\tHTTP_NOT_FOUND);\n\t\t}\n\n\t\t/* issuer is set now, so let's continue as planned */\n\n\t} else if (strstr(issuer, OIDC_STR_AT) != NULL) {\n\n\t\tif (login_hint == NULL) {\n\t\t\tlogin_hint = apr_pstrdup(r->pool, issuer);\n\t\t\t//char *p = strstr(issuer, OIDC_STR_AT);\n\t\t\t//*p = '\\0';\n\t\t}\n\n\t\t/* got an account name as input, perform OP discovery with that */\n\t\tif (oidc_proto_account_based_discovery(r, c, issuer, &issuer) == FALSE) {\n\n\t\t\t/* something did not work out, show a user facing error */\n\t\t\treturn oidc_util_html_send_error(r, c->error_template,\n\t\t\t\t\t\"Invalid Request\",\n\t\t\t\t\t\"Could not resolve the provided account name to an OpenID Connect provider; check your syntax.\",\n\t\t\t\t\tHTTP_NOT_FOUND);\n\t\t}\n\n\t\t/* issuer is set now, so let's 
continue as planned */\n\n\t}\n\n\t/* strip trailing '/' */\n\tint n = strlen(issuer);\n\tif (issuer[n - 1] == OIDC_CHAR_FORWARD_SLASH)\n\t\tissuer[n - 1] = '\\0';\n\n\t/* try and get metadata from the metadata directories for the selected OP */\n\tif ((oidc_metadata_get(r, c, issuer, &provider, csrf_cookie != NULL) == TRUE)\n\t\t\t&& (provider != NULL)) {\n\n\t\t/* now we've got a selected OP, send the user there to authenticate */\n\t\treturn oidc_authenticate_user(r, c, provider, target_link_uri,\n\t\t\t\tlogin_hint, NULL, NULL, auth_request_params, path_scopes);\n\t}\n\n\t/* something went wrong */\n\treturn oidc_util_html_send_error(r, c->error_template, \"Invalid Request\",\n\t\t\t\"Could not find valid provider metadata for the selected OpenID Connect provider; contact the administrator\",\n\t\t\tHTTP_NOT_FOUND);\n}", "project": "mod_auth_openidc", "hash": 94183515310356175950120128606056344360, "size": 138, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447676 }, { "func": "static int pep_reply(struct sock *sk, struct sk_buff *oskb, u8 code,\n\t\t\tconst void *data, int len, gfp_t priority)\n{\n\tconst struct pnpipehdr *oph = pnp_hdr(oskb);\n\tstruct pnpipehdr *ph;\n\tstruct sk_buff *skb;\n\tstruct sockaddr_pn peer;\n\n\tskb = pep_alloc_skb(sk, data, len, priority);\n\tif (!skb)\n\t\treturn -ENOMEM;\n\n\tph = pnp_hdr(skb);\n\tph->utid = oph->utid;\n\tph->message_id = oph->message_id + 1; /* REQ -> RESP */\n\tph->pipe_handle = oph->pipe_handle;\n\tph->error_code = code;\n\n\tpn_skb_get_src_sockaddr(oskb, &peer);\n\treturn pn_skb_send(sk, skb, &peer);\n}", "project": "linux", "hash": 81648084509221509731937906529626878212, "size": 21, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure 
branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224790 }, { "func": "static int ipsecrequests_to_migrate(struct sadb_x_ipsecrequest *rq1, int len,\n\t\t\t\t struct xfrm_migrate *m)\n{\n\tint err;\n\tstruct sadb_x_ipsecrequest *rq2;\n\tint mode;\n\n\tif (len < sizeof(*rq1) ||\n\t len < rq1->sadb_x_ipsecrequest_len ||\n\t rq1->sadb_x_ipsecrequest_len < sizeof(*rq1))\n\t\treturn -EINVAL;\n\n\t/* old endoints */\n\terr = parse_sockaddr_pair((struct sockaddr *)(rq1 + 1),\n\t\t\t\t rq1->sadb_x_ipsecrequest_len - sizeof(*rq1),\n\t\t\t\t &m->old_saddr, &m->old_daddr,\n\t\t\t\t &m->old_family);\n\tif (err)\n\t\treturn err;\n\n\trq2 = (struct sadb_x_ipsecrequest *)((u8 *)rq1 + rq1->sadb_x_ipsecrequest_len);\n\tlen -= rq1->sadb_x_ipsecrequest_len;\n\n\tif (len <= sizeof(*rq2) ||\n\t len < rq2->sadb_x_ipsecrequest_len ||\n\t rq2->sadb_x_ipsecrequest_len < sizeof(*rq2))\n\t\treturn -EINVAL;\n\n\t/* new endpoints */\n\terr = parse_sockaddr_pair((struct sockaddr *)(rq2 + 1),\n\t\t\t\t rq2->sadb_x_ipsecrequest_len - sizeof(*rq2),\n\t\t\t\t &m->new_saddr, &m->new_daddr,\n\t\t\t\t &m->new_family);\n\tif (err)\n\t\treturn err;\n\n\tif (rq1->sadb_x_ipsecrequest_proto != rq2->sadb_x_ipsecrequest_proto ||\n\t rq1->sadb_x_ipsecrequest_mode != rq2->sadb_x_ipsecrequest_mode ||\n\t rq1->sadb_x_ipsecrequest_reqid != rq2->sadb_x_ipsecrequest_reqid)\n\t\treturn -EINVAL;\n\n\tm->proto = rq1->sadb_x_ipsecrequest_proto;\n\tif ((mode = pfkey_mode_to_xfrm(rq1->sadb_x_ipsecrequest_mode)) < 0)\n\t\treturn -EINVAL;\n\tm->mode = mode;\n\tm->reqid = rq1->sadb_x_ipsecrequest_reqid;\n\n\treturn ((int)(rq1->sadb_x_ipsecrequest_len +\n\t\t rq2->sadb_x_ipsecrequest_len));\n}", "project": "linux", "hash": 232338011128824984548441177942985303389, "size": 50, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO 
flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268081 }, { "func": "static char * exif_get_tagname(int tag_num, char *ret, int len,\n tag_table_type tag_table) {\n int i, t;\n char tmp[32];\n\n for (i = 0; (t = tag_table[i].Tag) != TAG_END_OF_LIST; i++) {\n if (t == tag_num) {\n if (ret && len) {\n string_copy(ret, tag_table[i].Desc, abs(len));\n if (len < 0) {\n memset(ret + strlen(ret), ' ', -len - strlen(ret) - 1);\n ret[-len - 1] = '\\0';\n }\n return ret;\n }\n return tag_table[i].Desc;\n }\n }\n\n if (ret && len) {\n snprintf(tmp, sizeof(tmp), \"UndefinedTag:0x%04X\", tag_num);\n string_copy(ret, tmp, abs(len));\n if (len < 0) {\n memset(ret + strlen(ret), ' ', -len - strlen(ret) - 1);\n ret[-len - 1] = '\\0';\n }\n return ret;\n }\n return \"\";\n}", "project": "hhvm", "hash": 66974638673654489246943050954833373667, "size": 30, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219692 }, { "func": "void CSoundFile::NoteChange(ModChannel *pChn, int note, bool bPorta, bool bResetEnv, bool bManual) const\n{\n\tif (note < NOTE_MIN) return;\n\tconst ModSample *pSmp = pChn->pModSample;\n\tconst ModInstrument *pIns = 
pChn->pModInstrument;\n\n\tconst bool newTuning = (GetType() == MOD_TYPE_MPT && pIns != nullptr && pIns->pTuning);\n\t// save the note that's actually used, as it's necessary to properly calculate PPS and stuff\n\tconst int realnote = note;\n\n\tif((pIns) && (note - NOTE_MIN < (int)CountOf(pIns->Keyboard)))\n\t{\n\t\tuint32 n = pIns->Keyboard[note - NOTE_MIN];\n\t\tif((n) && (n < MAX_SAMPLES))\n\t\t{\n\t\t\tpSmp = &Samples[n];\n\t\t} else if(m_playBehaviour[kITEmptyNoteMapSlot] && !pChn->HasMIDIOutput())\n\t\t{\n\t\t\t// Impulse Tracker ignores empty slots.\n\t\t\t// We won't ignore them if a plugin is assigned to this slot, so that VSTis still work as intended.\n\t\t\t// Test case: emptyslot.it, PortaInsNum.it, gxsmp.it, gxsmp2.it\n\t\t\treturn;\n\t\t}\n\t\tnote = pIns->NoteMap[note - NOTE_MIN];\n\t}\n\t// Key Off\n\tif(note > NOTE_MAX)\n\t{\n\t\t// Key Off (+ Invalid Note for XM - TODO is this correct?)\n\t\tif(note == NOTE_KEYOFF || !(GetType() & (MOD_TYPE_IT|MOD_TYPE_MPT)))\n\t\t{\n\t\t\tKeyOff(pChn);\n\t\t} else // Invalid Note -> Note Fade\n\t\t{\n\t\t\tif(/*note == NOTE_FADE && */ GetNumInstruments())\n\t\t\t\tpChn->dwFlags.set(CHN_NOTEFADE);\n\t\t}\n\n\t\t// Note Cut\n\t\tif (note == NOTE_NOTECUT)\n\t\t{\n\t\t\tpChn->dwFlags.set(CHN_NOTEFADE | CHN_FASTVOLRAMP);\n\t\t\t// IT compatibility: Stopping sample playback by setting sample increment to 0 rather than volume\n\t\t\t// Test case: NoteOffInstr.it\n\t\t\tif ((!(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT))) || (m_nInstruments != 0 && !m_playBehaviour[kITInstrWithNoteOff])) pChn->nVolume = 0;\n\t\t\tif(m_playBehaviour[kITInstrWithNoteOff]) pChn->increment.Set(0);\n\t\t\tpChn->nFadeOutVol = 0;\n\t\t}\n\n\t\t// IT compatibility tentative fix: Clear channel note memory.\n\t\tif(m_playBehaviour[kITClearOldNoteAfterCut])\n\t\t{\n\t\t\tpChn->nNote = pChn->nNewNote = NOTE_NONE;\n\t\t}\n\t\treturn;\n\t}\n\n\tif(newTuning)\n\t{\n\t\tif(!bPorta || pChn->nNote == NOTE_NONE)\n\t\t\tpChn->nPortamentoDest = 
0;\n\t\telse\n\t\t{\n\t\t\tpChn->nPortamentoDest = pIns->pTuning->GetStepDistance(pChn->nNote, pChn->m_PortamentoFineSteps, static_cast(note), 0);\n\t\t\t//Here pChn->nPortamentoDest means 'steps to slide'.\n\t\t\tpChn->m_PortamentoFineSteps = -pChn->nPortamentoDest;\n\t\t}\n\t}\n\n\tif(!bPorta && (GetType() & (MOD_TYPE_XM | MOD_TYPE_MED | MOD_TYPE_MT2)))\n\t{\n\t\tif(pSmp)\n\t\t{\n\t\t\tpChn->nTranspose = pSmp->RelativeTone;\n\t\t\tpChn->nFineTune = pSmp->nFineTune;\n\t\t}\n\t}\n\t// IT Compatibility: Update multisample instruments frequency even if instrument is not specified (fixes the guitars in spx-shuttledeparture.it)\n\t// Test case: freqreset-noins.it\n\tif(!bPorta && pSmp && m_playBehaviour[kITMultiSampleBehaviour])\n\t\tpChn->nC5Speed = pSmp->nC5Speed;\n\n\tif(bPorta && !pChn->IsSamplePlaying())\n\t{\n\t\tif(m_playBehaviour[kFT2PortaNoNote])\n\t\t{\n\t\t\t// FT2 Compatibility: Ignore notes with portamento if there was no note playing.\n\t\t\t// Test case: 3xx-no-old-samp.xm\n\t\t\tpChn->nPeriod = 0;\n\t\t\treturn;\n\t\t} else if(m_playBehaviour[kITPortaNoNote])\n\t\t{\n\t\t\t// IT Compatibility: Ignore portamento command if no note was playing (e.g. if a previous note has faded out).\n\t\t\t// Test case: Fade-Porta.it\n\t\t\tbPorta = false;\n\t\t}\n\t}\n\n\tif(GetType() & (MOD_TYPE_XM|MOD_TYPE_MT2|MOD_TYPE_MED|MOD_TYPE_MOD))\n\t{\n\t\tnote += pChn->nTranspose;\n\t\t// RealNote = PatternNote + RelativeTone; (0..118, 0 = C-0, 118 = A#9)\n\t\tLimit(note, NOTE_MIN + 11, NOTE_MIN + 130);\t// 119 possible notes\n\t} else\n\t{\n\t\tLimit(note, NOTE_MIN, NOTE_MAX);\n\t}\n\tif(m_playBehaviour[kITRealNoteMapping])\n\t{\n\t\t// need to memorize the original note for various effects (e.g. 
PPS)\n\t\tpChn->nNote = static_cast(Clamp(realnote, NOTE_MIN, NOTE_MAX));\n\t} else\n\t{\n\t\tpChn->nNote = static_cast(note);\n\t}\n\tpChn->m_CalculateFreq = true;\n\n\tif ((!bPorta) || (GetType() & (MOD_TYPE_S3M|MOD_TYPE_IT|MOD_TYPE_MPT)))\n\t\tpChn->nNewIns = 0;\n\n\tuint32 period = GetPeriodFromNote(note, pChn->nFineTune, pChn->nC5Speed);\n\tpChn->nPanbrelloOffset = 0;\n\n\t// IT compatibility: Sample and instrument panning is only applied on note change, not instrument change\n\t// Test case: PanReset.it\n\tif(m_playBehaviour[kITPanningReset]) ApplyInstrumentPanning(pChn, pIns, pSmp);\n\n\tif(bResetEnv && !bPorta)\n\t{\n\t\tpChn->nVolSwing = pChn->nPanSwing = 0;\n\t\tpChn->nResSwing = pChn->nCutSwing = 0;\n\t\tif(pIns)\n\t\t{\n\t\t\t// IT Compatiblity: NNA is reset on every note change, not every instrument change (fixes spx-farspacedance.it).\n\t\t\tif(m_playBehaviour[kITNNAReset]) pChn->nNNA = pIns->nNNA;\n\n\t\t\tif(!pIns->VolEnv.dwFlags[ENV_CARRY]) pChn->VolEnv.Reset();\n\t\t\tif(!pIns->PanEnv.dwFlags[ENV_CARRY]) pChn->PanEnv.Reset();\n\t\t\tif(!pIns->PitchEnv.dwFlags[ENV_CARRY]) pChn->PitchEnv.Reset();\n\n\t\t\t// Volume Swing\n\t\t\tif(pIns->nVolSwing)\n\t\t\t{\n\t\t\t\tpChn->nVolSwing = static_cast(((mpt::random(AccessPRNG()) * pIns->nVolSwing) / 64 + 1) * (m_playBehaviour[kITSwingBehaviour] ? 
pChn->nInsVol : ((pChn->nVolume + 1) / 2)) / 199);\n\t\t\t}\n\t\t\t// Pan Swing\n\t\t\tif(pIns->nPanSwing)\n\t\t\t{\n\t\t\t\tpChn->nPanSwing = static_cast(((mpt::random(AccessPRNG()) * pIns->nPanSwing * 4) / 128));\n\t\t\t\tif(!m_playBehaviour[kITSwingBehaviour])\n\t\t\t\t{\n\t\t\t\t\tpChn->nRestorePanOnNewNote = static_cast(pChn->nPan + 1);\n\t\t\t\t}\n\t\t\t}\n\t\t\t// Cutoff Swing\n\t\t\tif(pIns->nCutSwing)\n\t\t\t{\n\t\t\t\tint32 d = ((int32)pIns->nCutSwing * (int32)(static_cast(mpt::random(AccessPRNG())) + 1)) / 128;\n\t\t\t\tpChn->nCutSwing = static_cast((d * pChn->nCutOff + 1) / 128);\n\t\t\t\tpChn->nRestoreCutoffOnNewNote = pChn->nCutOff + 1;\n\t\t\t}\n\t\t\t// Resonance Swing\n\t\t\tif(pIns->nResSwing)\n\t\t\t{\n\t\t\t\tint32 d = ((int32)pIns->nResSwing * (int32)(static_cast(mpt::random(AccessPRNG())) + 1)) / 128;\n\t\t\t\tpChn->nResSwing = static_cast((d * pChn->nResonance + 1) / 128);\n\t\t\t\tpChn->nRestoreResonanceOnNewNote = pChn->nResonance + 1;\n\t\t\t}\n\t\t}\n\t}\n\n\tif(!pSmp) return;\n\tif(period)\n\t{\n\t\tif((!bPorta) || (!pChn->nPeriod)) pChn->nPeriod = period;\n\t\tif(!newTuning)\n\t\t{\n\t\t\t// FT2 compatibility: Don't reset portamento target with new notes.\n\t\t\t// Test case: Porta-Pickup.xm\n\t\t\t// ProTracker does the same.\n\t\t\t// Test case: PortaTarget.mod\n\t\t\t// IT compatibility: Portamento target is completely cleared with new notes.\n\t\t\t// Test case: PortaReset.it\n\t\t\tif(bPorta || !(m_playBehaviour[kFT2PortaTargetNoReset] || m_playBehaviour[kITClearPortaTarget] || GetType() == MOD_TYPE_MOD))\n\t\t\t{\n\t\t\t\tpChn->nPortamentoDest = period;\n\t\t\t}\n\t\t}\n\n\t\tif(!bPorta || (!pChn->nLength && !(GetType() & MOD_TYPE_S3M)))\n\t\t{\n\t\t\tpChn->pModSample = pSmp;\n\t\t\tpChn->nLength = pSmp->nLength;\n\t\t\tpChn->nLoopEnd = pSmp->nLength;\n\t\t\tpChn->nLoopStart = 0;\n\t\t\tpChn->position.Set(0);\n\t\t\tif(m_SongFlags[SONG_PT_MODE] && 
!pChn->rowCommand.instr)\n\t\t\t{\n\t\t\t\tpChn->position.SetInt(std::min(pChn->proTrackerOffset, pChn->nLength - 1));\n\t\t\t} else\n\t\t\t{\n\t\t\t\tpChn->proTrackerOffset = 0;\n\t\t\t}\n\t\t\tpChn->dwFlags = (pChn->dwFlags & CHN_CHANNELFLAGS) | (pSmp->uFlags & (CHN_SAMPLEFLAGS | CHN_SURROUND));\n\t\t\tpChn->dwFlags.reset(CHN_PORTAMENTO);\n\t\t\tif(pChn->dwFlags[CHN_SUSTAINLOOP])\n\t\t\t{\n\t\t\t\tpChn->nLoopStart = pSmp->nSustainStart;\n\t\t\t\tpChn->nLoopEnd = pSmp->nSustainEnd;\n\t\t\t\tpChn->dwFlags.set(CHN_PINGPONGLOOP, pChn->dwFlags[CHN_PINGPONGSUSTAIN]);\n\t\t\t\tpChn->dwFlags.set(CHN_LOOP);\n\t\t\t\tif (pChn->nLength > pChn->nLoopEnd) pChn->nLength = pChn->nLoopEnd;\n\t\t\t} else if(pChn->dwFlags[CHN_LOOP])\n\t\t\t{\n\t\t\t\tpChn->nLoopStart = pSmp->nLoopStart;\n\t\t\t\tpChn->nLoopEnd = pSmp->nLoopEnd;\n\t\t\t\tif (pChn->nLength > pChn->nLoopEnd) pChn->nLength = pChn->nLoopEnd;\n\t\t\t}\n\t\t\t// ProTracker \"oneshot\" loops (if loop start is 0, play the whole sample once and then repeat until loop end)\n\t\t\tif(m_playBehaviour[kMODOneShotLoops] && pChn->nLoopStart == 0) pChn->nLoopEnd = pChn->nLength = pSmp->nLength;\n\n\t\t\tif(pChn->dwFlags[CHN_REVERSE])\n\t\t\t{\n\t\t\t\tpChn->dwFlags.set(CHN_PINGPONGFLAG);\n\t\t\t\tpChn->position.SetInt(pChn->nLength - 1);\n\t\t\t}\n\n\t\t\t// Handle \"retrigger\" waveform type\n\t\t\tif(pChn->nVibratoType < 4)\n\t\t\t{\n\t\t\t\t// IT Compatibilty: Slightly different waveform offsets (why does MPT have two different offsets here with IT old effects enabled and disabled?)\n\t\t\t\tif(!m_playBehaviour[kITVibratoTremoloPanbrello] && (GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT)) && !m_SongFlags[SONG_ITOLDEFFECTS])\n\t\t\t\t\tpChn->nVibratoPos = 0x10;\n\t\t\t\telse if(GetType() == MOD_TYPE_MTM)\n\t\t\t\t\tpChn->nVibratoPos = 0x20;\n\t\t\t\telse if(!(GetType() & (MOD_TYPE_DIGI | MOD_TYPE_DBM)))\n\t\t\t\t\tpChn->nVibratoPos = 0;\n\t\t\t}\n\t\t\t// IT Compatibility: No \"retrigger\" waveform 
here\n\t\t\tif(!m_playBehaviour[kITVibratoTremoloPanbrello] && pChn->nTremoloType < 4)\n\t\t\t{\n\t\t\t\tpChn->nTremoloPos = 0;\n\t\t\t}\n\t\t}\n\t\tif(pChn->position.GetUInt() >= pChn->nLength) pChn->position.SetInt(pChn->nLoopStart);\n\t} else\n\t{\n\t\tbPorta = false;\n\t}\n\n\tif (!bPorta\n\t\t|| (!(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT | MOD_TYPE_DBM)))\n\t\t|| (pChn->dwFlags[CHN_NOTEFADE] && !pChn->nFadeOutVol)\n\t\t|| (m_SongFlags[SONG_ITCOMPATGXX] && pChn->rowCommand.instr != 0))\n\t{\n\t\tif((GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT | MOD_TYPE_DBM)) && pChn->dwFlags[CHN_NOTEFADE] && !pChn->nFadeOutVol)\n\t\t{\n\t\t\tpChn->ResetEnvelopes();\n\t\t\t// IT Compatibility: Autovibrato reset\n\t\t\tif(!m_playBehaviour[kITVibratoTremoloPanbrello])\n\t\t\t{\n\t\t\t\tpChn->nAutoVibDepth = 0;\n\t\t\t\tpChn->nAutoVibPos = 0;\n\t\t\t}\n\t\t\tpChn->dwFlags.reset(CHN_NOTEFADE);\n\t\t\tpChn->nFadeOutVol = 65536;\n\t\t}\n\t\tif ((!bPorta) || (!m_SongFlags[SONG_ITCOMPATGXX]) || (pChn->rowCommand.instr))\n\t\t{\n\t\t\tif ((!(GetType() & (MOD_TYPE_XM|MOD_TYPE_MT2))) || (pChn->rowCommand.instr))\n\t\t\t{\n\t\t\t\tpChn->dwFlags.reset(CHN_NOTEFADE);\n\t\t\t\tpChn->nFadeOutVol = 65536;\n\t\t\t}\n\t\t}\n\t}\n\n\t// IT compatibility: Don't reset key-off flag on porta notes unless Compat Gxx is enabled\n\t// Test case: Off-Porta.it, Off-Porta-CompatGxx.it\n\tif(m_playBehaviour[kITDontResetNoteOffOnPorta] && bPorta && (!m_SongFlags[SONG_ITCOMPATGXX] || pChn->rowCommand.instr == 0))\n\t\tpChn->dwFlags.reset(CHN_EXTRALOUD);\n\telse\n\t\tpChn->dwFlags.reset(CHN_EXTRALOUD | CHN_KEYOFF);\n\n\t// Enable Ramping\n\tif(!bPorta)\n\t{\n\t\tpChn->nLeftVU = pChn->nRightVU = 0xFF;\n\t\tpChn->dwFlags.reset(CHN_FILTER);\n\t\tpChn->dwFlags.set(CHN_FASTVOLRAMP);\n\n\t\t// IT compatibility 15. 
Retrigger is reset in RetrigNote (Tremor doesn't store anything here, so we just don't reset this as well)\n\t\tif(!m_playBehaviour[kITRetrigger] && !m_playBehaviour[kITTremor])\n\t\t{\n\t\t\t// FT2 compatibility: Retrigger is reset in RetrigNote, tremor in ProcessEffects\n\t\t\tif(!m_playBehaviour[kFT2Retrigger] && !m_playBehaviour[kFT2Tremor])\n\t\t\t{\n\t\t\t\tpChn->nRetrigCount = 0;\n\t\t\t\tpChn->nTremorCount = 0;\n\t\t\t}\n\t\t}\n\n\t\tif(bResetEnv)\n\t\t{\n\t\t\tpChn->nAutoVibDepth = 0;\n\t\t\tpChn->nAutoVibPos = 0;\n\t\t}\n\t\tpChn->rightVol = pChn->leftVol = 0;\n\t\tbool useFilter = !m_SongFlags[SONG_MPTFILTERMODE];\n\t\t// Setup Initial Filter for this note\n\t\tif(pIns)\n\t\t{\n\t\t\tif(pIns->IsResonanceEnabled())\n\t\t\t{\n\t\t\t\tpChn->nResonance = pIns->GetResonance();\n\t\t\t\tuseFilter = true;\n\t\t\t}\n\t\t\tif(pIns->IsCutoffEnabled())\n\t\t\t{\n\t\t\t\tpChn->nCutOff = pIns->GetCutoff();\n\t\t\t\tuseFilter = true;\n\t\t\t}\n\t\t\tif(useFilter && (pIns->nFilterMode != FLTMODE_UNCHANGED))\n\t\t\t{\n\t\t\t\tpChn->nFilterMode = pIns->nFilterMode;\n\t\t\t}\n\t\t} else\n\t\t{\n\t\t\tpChn->nVolSwing = pChn->nPanSwing = 0;\n\t\t\tpChn->nCutSwing = pChn->nResSwing = 0;\n\t\t}\n\t\tif((pChn->nCutOff < 0x7F || m_playBehaviour[kITFilterBehaviour]) && useFilter)\n\t\t{\n\t\t\tSetupChannelFilter(pChn, true);\n\t\t}\n\t}\n\t// Special case for MPT\n\tif (bManual) pChn->dwFlags.reset(CHN_MUTE);\n\tif((pChn->dwFlags[CHN_MUTE] && (m_MixerSettings.MixerFlags & SNDMIX_MUTECHNMODE))\n\t\t|| (pChn->pModSample != nullptr && pChn->pModSample->uFlags[CHN_MUTE] && !bManual)\n\t\t|| (pChn->pModInstrument != nullptr && pChn->pModInstrument->dwFlags[INS_MUTE] && !bManual))\n\t{\n\t\tif (!bManual) pChn->nPeriod = 0;\n\t}\n\n\t// Reset the Amiga resampler for this channel\n\tif(!bPorta)\n\t{\n\t\tpChn->paulaState.Reset();\n\t}\n}", "project": "openmpt", "hash": 152805828109301899039558464269069538743, "size": 351, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", 
"message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255200 }, { "func": "static int autocomplete(RLineCompletion *completion, RLineBuffer *buf, RLinePromptType prompt_type, void *user) {\n\tRCore *core = user;\n\tr_core_autocomplete (core, completion, buf, prompt_type);\n\treturn true;\n}", "project": "radare2", "hash": 90130375778342831131638369662423872761, "size": 5, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232166 }, { "func": "static int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)\n{\n\tr->p = p;\n\tr->q = q;\n\n\treturn 1;\n}", "project": "php-src", "hash": 287715647193101276149413694646458940640, "size": 7, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291426 }, { "func": "static void nested_svm_smi(struct vcpu_svm *svm)\n{\n\tsvm->vmcb->control.exit_code = SVM_EXIT_SMI;\n\tsvm->vmcb->control.exit_info_1 = 0;\n\tsvm->vmcb->control.exit_info_2 = 0;\n\n\tnested_svm_vmexit(svm);\n}", "project": "linux", "hash": 135382805337762067400985843142935701440, "size": 8, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. 
Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376663 }, { "func": "void gdImageFill(gdImagePtr im, int x, int y, int nc)\n{\n\tint l, x1, x2, dy;\n\tint oc; /* old pixel value */\n\tint wx2,wy2;\n\n\tint alphablending_bak;\n\n\t/* stack of filled segments */\n\t/* struct seg stack[FILL_MAX],*sp = stack;; */\n\tstruct seg *stack = NULL;\n\tstruct seg *sp;\n\n\tif (!im->trueColor && nc > (im->colorsTotal -1)) {\n\t\treturn;\n\t}\n\n\talphablending_bak = im->alphaBlendingFlag;\n\tim->alphaBlendingFlag = 0;\n\n\tif (nc==gdTiled){\n\t\t_gdImageFillTiled(im,x,y,nc);\n\t\tim->alphaBlendingFlag = alphablending_bak;\n\t\treturn;\n\t}\n\n\twx2=im->sx;wy2=im->sy;\n\toc = gdImageGetPixel(im, x, y);\n\tif (oc==nc || x<0 || x>wx2 || y<0 || y>wy2) {\n\t\tim->alphaBlendingFlag = alphablending_bak;\n\t\treturn;\n\t}\n\n\t/* Do not use the 4 neighbors implementation with\n\t * small images\n\t */\n\tif (im->sx < 4) {\n\t\tint ix = x, iy = y, c;\n\t\tdo {\n\t\t\tdo {\n\t\t\t\tc = gdImageGetPixel(im, ix, iy);\n\t\t\t\tif (c != oc) {\n\t\t\t\t\tgoto done;\n\t\t\t\t}\n\t\t\t\tgdImageSetPixel(im, ix, iy, nc);\n\t\t\t} while(ix++ < (im->sx -1));\n\t\t\tix = x;\n\t\t} while(iy++ < (im->sy -1));\n\t\tgoto done;\n\t}\n\n\tstack = (struct seg *)safe_emalloc(sizeof(struct seg), ((int)(im->sy*im->sx)/4), 1);\n\tsp = stack;\n\n\t/* required! */\n\tFILL_PUSH(y,x,x,1);\n\t/* seed segment (popped 1st) */\n \tFILL_PUSH(y+1, x, x, -1);\n\twhile (sp>stack) {\n\t\tFILL_POP(y, x1, x2, dy);\n\n\t\tfor (x=x1; x>=0 && gdImageGetPixel(im,x, y)==oc; x--) {\n\t\t\tgdImageSetPixel(im,x, y, nc);\n\t\t}\n\t\tif (x>=x1) {\n\t\t\tgoto skip;\n\t\t}\n\t\tl = x+1;\n\n /* leak on left? 
*/\n\t\tif (lx2+1) {\n\t\t\t\tFILL_PUSH(y, x2+1, x-1, -dy);\n\t\t\t}\nskip:\t\t\tfor (x++; x<=x2 && (gdImageGetPixel(im, x, y)!=oc); x++);\n\n\t\t\tl = x;\n\t\t} while (x<=x2);\n\t}\n\n\tefree(stack);\n\ndone:\n\tim->alphaBlendingFlag = alphablending_bak;\n}", "project": "php-src", "hash": 31247908747070422431665336694939635477, "size": 94, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295178 }, { "func": "static void dec2str(int val, char *str, size_t size)\n{\n if (val == -1)\n snprintf(str, size, \"*\");\n else\n snprintf(str, size, \"%d\", val); \n}", "project": "qemu", "hash": 210684172187248459328056297163522803256, "size": 7, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346289 }, { "func": "static rsRetVal qqueuePersist(qqueue_t *pThis, int bIsCheckpoint)\n{\n\tDEFiRet;\n\tstrm_t *psQIF = NULL; /* Queue Info File */\n\tuchar pszQIFNam[MAXFNAME];\n\tsize_t lenQIFNam;\n\n\tASSERT(pThis != NULL);\n\n\tif(pThis->qType != QUEUETYPE_DISK) {\n\t\tif(getPhysicalQueueSize(pThis) > 0) {\n\t\t\t/* This error code is OK, but we 
will probably not implement this any time\n \t\t\t * The reason is that persistence happens via DA queues. But I would like to\n\t\t\t * leave the code as is, as we so have a hook in case we need one.\n\t\t\t * -- rgerhards, 2008-01-28\n\t\t\t */\n\t\t\tABORT_FINALIZE(RS_RET_NOT_IMPLEMENTED);\n\t\t} else\n\t\t\tFINALIZE; /* if the queue is empty, we are happy and done... */\n\t}\n\n\tDBGOPRINT((obj_t*) pThis, \"persisting queue to disk, %d entries...\\n\", getPhysicalQueueSize(pThis));\n\n\t/* Construct file name */\n\tlenQIFNam = snprintf((char*)pszQIFNam, sizeof(pszQIFNam) / sizeof(uchar), \"%s/%s.qi\",\n\t\t\t (char*) glbl.GetWorkDir(), (char*)pThis->pszFilePrefix);\n\n\tif((bIsCheckpoint != QUEUE_CHECKPOINT) && (getPhysicalQueueSize(pThis) == 0)) {\n\t\tif(pThis->bNeedDelQIF) {\n\t\t\tunlink((char*)pszQIFNam);\n\t\t\tpThis->bNeedDelQIF = 0;\n\t\t}\n\t\t/* indicate spool file needs to be deleted */\n\t\tif(pThis->tVars.disk.pReadDel != NULL) /* may be NULL if we had a startup failure! */\n\t\t\tCHKiRet(strm.SetbDeleteOnClose(pThis->tVars.disk.pReadDel, 1));\n\t\tFINALIZE; /* nothing left to do, so be happy */\n\t}\n\n\tCHKiRet(strm.Construct(&psQIF));\n\tCHKiRet(strm.SettOperationsMode(psQIF, STREAMMODE_WRITE_TRUNC));\n\tCHKiRet(strm.SetbSync(psQIF, pThis->bSyncQueueFiles));\n\tCHKiRet(strm.SetsType(psQIF, STREAMTYPE_FILE_SINGLE));\n\tCHKiRet(strm.SetFName(psQIF, pszQIFNam, lenQIFNam));\n\tCHKiRet(strm.ConstructFinalize(psQIF));\n\n\t/* first, write the property bag for ourselfs\n\t * And, surprisingly enough, we currently need to persist only the size of the\n\t * queue. All the rest is re-created with then-current config parameters when the\n\t * queue is re-created. Well, we'll also save the current queue type, just so that\n\t * we know when somebody has changed the queue type... 
-- rgerhards, 2008-01-11\n\t */\n\tCHKiRet(obj.BeginSerializePropBag(psQIF, (obj_t*) pThis));\n\tobjSerializeSCALAR(psQIF, iQueueSize, INT);\n\tobjSerializeSCALAR(psQIF, tVars.disk.sizeOnDisk, INT64);\n\tobjSerializeSCALAR(psQIF, tVars.disk.bytesRead, INT64);\n\tCHKiRet(obj.EndSerialize(psQIF));\n\n\t/* now persist the stream info */\n\tCHKiRet(strm.Serialize(pThis->tVars.disk.pWrite, psQIF));\n\tCHKiRet(strm.Serialize(pThis->tVars.disk.pReadDel, psQIF));\n\t\n\t/* tell the input file object that it must not delete the file on close if the queue\n\t * is non-empty - but only if we are not during a simple checkpoint\n\t */\n\tif(bIsCheckpoint != QUEUE_CHECKPOINT) {\n\t\tCHKiRet(strm.SetbDeleteOnClose(pThis->tVars.disk.pReadDel, 0));\n\t}\n\n\t/* we have persisted the queue object. So whenever it comes to an empty queue,\n\t * we need to delete the QIF. Thus, we indicte that need.\n\t */\n\tpThis->bNeedDelQIF = 1;\n\nfinalize_it:\n\tif(psQIF != NULL)\n\t\tstrm.Destruct(&psQIF);\n\n\tRETiRet;\n}", "project": "rsyslog", "hash": 287159238889073490878315586302135631899, "size": 79, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373778 }, { "func": "static void trace_save(jit_State *J, GCtrace *T)\n{\n size_t sztr = ((sizeof(GCtrace)+7)&~7);\n size_t szins = (J->cur.nins-J->cur.nk)*sizeof(IRIns);\n char *p = (char *)T + sztr;\n memcpy(T, &J->cur, sizeof(GCtrace));\n setgcrefr(T->nextgc, J2G(J)->gc.root);\n setgcrefp(J2G(J)->gc.root, T);\n newwhite(J2G(J), T);\n T->gct = ~LJ_TTRACE;\n T->ir = (IRIns *)p - J->cur.nk;\n memcpy(p, J->cur.ir+J->cur.nk, szins);\n p += szins;\n TRACE_APPENDVEC(snap, nsnap, SnapShot)\n TRACE_APPENDVEC(snapmap, nsnapmap, SnapEntry)\n J->cur.traceno = 0;\n setgcrefp(J->trace[T->traceno], T);\n lj_gc_barriertrace(J2G(J), T->traceno);\n lj_gdbjit_addtrace(J, 
T);\n#ifdef LUAJIT_USE_PERFTOOLS\n perftools_addtrace(T);\n#endif\n}", "project": "LuaJIT", "hash": 231057149391656388574283864822453348701, "size": 23, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394646 }, { "func": "static int mt_process_slot(struct mt_device *td, struct input_dev *input,\n\t\t\t struct mt_application *app,\n\t\t\t struct mt_usages *slot)\n{\n\tstruct input_mt *mt = input->mt;\n\t__s32 quirks = app->quirks;\n\tbool valid = true;\n\tbool confidence_state = true;\n\tbool inrange_state = false;\n\tint active;\n\tint slotnum;\n\tint tool = MT_TOOL_FINGER;\n\n\tif (!slot)\n\t\treturn -EINVAL;\n\n\tif ((quirks & MT_QUIRK_CONTACT_CNT_ACCURATE) &&\n\t app->num_received >= app->num_expected)\n\t\treturn -EAGAIN;\n\n\tif (!(quirks & MT_QUIRK_ALWAYS_VALID)) {\n\t\tif (quirks & MT_QUIRK_VALID_IS_INRANGE)\n\t\t\tvalid = *slot->inrange_state;\n\t\tif (quirks & MT_QUIRK_NOT_SEEN_MEANS_UP)\n\t\t\tvalid = *slot->tip_state;\n\t\tif (quirks & MT_QUIRK_VALID_IS_CONFIDENCE)\n\t\t\tvalid = *slot->confidence_state;\n\n\t\tif (!valid)\n\t\t\treturn 0;\n\t}\n\n\tslotnum = mt_compute_slot(td, app, slot, input);\n\tif (slotnum < 0 || slotnum >= td->maxcontacts)\n\t\treturn 0;\n\n\tif ((quirks & MT_QUIRK_IGNORE_DUPLICATES) && mt) {\n\t\tstruct input_mt_slot *i_slot = &mt->slots[slotnum];\n\n\t\tif (input_mt_is_active(i_slot) &&\n\t\t input_mt_is_used(mt, i_slot))\n\t\t\treturn -EAGAIN;\n\t}\n\n\tif (quirks & MT_QUIRK_CONFIDENCE)\n\t\tconfidence_state = *slot->confidence_state;\n\n\tif (quirks & MT_QUIRK_HOVERING)\n\t\tinrange_state = *slot->inrange_state;\n\n\tactive = *slot->tip_state || inrange_state;\n\n\tif (app->application == HID_GD_SYSTEM_MULTIAXIS)\n\t\ttool = MT_TOOL_DIAL;\n\telse if (unlikely(!confidence_state)) {\n\t\ttool = MT_TOOL_PALM;\n\t\tif (!active && mt &&\n\t\t input_mt_is_active(&mt->slots[slotnum])) {\n\t\t\t/*\n\t\t\t * The 
non-confidence was reported for\n\t\t\t * previously valid contact that is also no\n\t\t\t * longer valid. We can't simply report\n\t\t\t * lift-off as userspace will not be aware\n\t\t\t * of non-confidence, so we need to split\n\t\t\t * it into 2 events: active MT_TOOL_PALM\n\t\t\t * and a separate liftoff.\n\t\t\t */\n\t\t\tactive = true;\n\t\t\tset_bit(slotnum, app->pending_palm_slots);\n\t\t}\n\t}\n\n\tinput_mt_slot(input, slotnum);\n\tinput_mt_report_slot_state(input, tool, active);\n\tif (active) {\n\t\t/* this finger is in proximity of the sensor */\n\t\tint wide = (*slot->w > *slot->h);\n\t\tint major = max(*slot->w, *slot->h);\n\t\tint minor = min(*slot->w, *slot->h);\n\t\tint orientation = wide;\n\t\tint max_azimuth;\n\t\tint azimuth;\n\n\t\tif (slot->a != DEFAULT_ZERO) {\n\t\t\t/*\n\t\t\t * Azimuth is counter-clockwise and ranges from [0, MAX)\n\t\t\t * (a full revolution). Convert it to clockwise ranging\n\t\t\t * [-MAX/2, MAX/2].\n\t\t\t *\n\t\t\t * Note that ABS_MT_ORIENTATION require us to report\n\t\t\t * the limit of [-MAX/4, MAX/4], but the value can go\n\t\t\t * out of range to [-MAX/2, MAX/2] to report an upside\n\t\t\t * down ellipsis.\n\t\t\t */\n\t\t\tazimuth = *slot->a;\n\t\t\tmax_azimuth = input_abs_get_max(input,\n\t\t\t\t\t\t\tABS_MT_ORIENTATION);\n\t\t\tif (azimuth > max_azimuth * 2)\n\t\t\t\tazimuth -= max_azimuth * 4;\n\t\t\torientation = -azimuth;\n\t\t}\n\n\t\tif (quirks & MT_QUIRK_TOUCH_SIZE_SCALING) {\n\t\t\t/*\n\t\t\t * divided by two to match visual scale of touch\n\t\t\t * for devices with this quirk\n\t\t\t */\n\t\t\tmajor = major >> 1;\n\t\t\tminor = minor >> 1;\n\t\t}\n\n\t\tinput_event(input, EV_ABS, ABS_MT_POSITION_X, *slot->x);\n\t\tinput_event(input, EV_ABS, ABS_MT_POSITION_Y, *slot->y);\n\t\tinput_event(input, EV_ABS, ABS_MT_TOOL_X, *slot->cx);\n\t\tinput_event(input, EV_ABS, ABS_MT_TOOL_Y, *slot->cy);\n\t\tinput_event(input, EV_ABS, ABS_MT_DISTANCE, !*slot->tip_state);\n\t\tinput_event(input, EV_ABS, 
ABS_MT_ORIENTATION, orientation);\n\t\tinput_event(input, EV_ABS, ABS_MT_PRESSURE, *slot->p);\n\t\tinput_event(input, EV_ABS, ABS_MT_TOUCH_MAJOR, major);\n\t\tinput_event(input, EV_ABS, ABS_MT_TOUCH_MINOR, minor);\n\n\t\tset_bit(MT_IO_FLAGS_ACTIVE_SLOTS, &td->mt_io_flags);\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 231544629290509857287796449615021300567, "size": 126, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458333 }, { "func": "void perf_event_print_debug(void)\n{\n\tunsigned long sdar, sier, flags;\n\tu32 pmcs[MAX_HWEVENTS];\n\tint i;\n\n\tif (!ppmu) {\n\t\tpr_info(\"Performance monitor hardware not registered.\\n\");\n\t\treturn;\n\t}\n\n\tif (!ppmu->n_counter)\n\t\treturn;\n\n\tlocal_irq_save(flags);\n\n\tpr_info(\"CPU: %d PMU registers, ppmu = %s n_counters = %d\",\n\t\t smp_processor_id(), ppmu->name, ppmu->n_counter);\n\n\tfor (i = 0; i < ppmu->n_counter; i++)\n\t\tpmcs[i] = read_pmc(i + 1);\n\n\tfor (; i < MAX_HWEVENTS; i++)\n\t\tpmcs[i] = 0xdeadbeef;\n\n\tpr_info(\"PMC1: %08x PMC2: %08x PMC3: %08x PMC4: %08x\\n\",\n\t\t pmcs[0], pmcs[1], pmcs[2], pmcs[3]);\n\n\tif (ppmu->n_counter > 
4)\n\t\tpr_info(\"PMC5: %08x PMC6: %08x PMC7: %08x PMC8: %08x\\n\",\n\t\t\t pmcs[4], pmcs[5], pmcs[6], pmcs[7]);\n\n\tpr_info(\"MMCR0: %016lx MMCR1: %016lx MMCRA: %016lx\\n\",\n\t\tmfspr(SPRN_MMCR0), mfspr(SPRN_MMCR1), mfspr(SPRN_MMCRA));\n\n\tsdar = sier = 0;\n#ifdef CONFIG_PPC64\n\tsdar = mfspr(SPRN_SDAR);\n\n\tif (ppmu->flags & PPMU_HAS_SIER)\n\t\tsier = mfspr(SPRN_SIER);\n\n\tif (ppmu->flags & PPMU_ARCH_207S) {\n\t\tpr_info(\"MMCR2: %016lx EBBHR: %016lx\\n\",\n\t\t\tmfspr(SPRN_MMCR2), mfspr(SPRN_EBBHR));\n\t\tpr_info(\"EBBRR: %016lx BESCR: %016lx\\n\",\n\t\t\tmfspr(SPRN_EBBRR), mfspr(SPRN_BESCR));\n\t}\n\n\tif (ppmu->flags & PPMU_ARCH_31) {\n\t\tpr_info(\"MMCR3: %016lx SIER2: %016lx SIER3: %016lx\\n\",\n\t\t\tmfspr(SPRN_MMCR3), mfspr(SPRN_SIER2), mfspr(SPRN_SIER3));\n\t}\n#endif\n\tpr_info(\"SIAR: %016lx SDAR: %016lx SIER: %016lx\\n\",\n\t\tmfspr(SPRN_SIAR), sdar, sier);\n\n\tlocal_irq_restore(flags);\n}", "project": "linux", "hash": 329754338224903833934037715406428285470, "size": 59, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n 
Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374738 }, { "func": "static void hash_rlp_length(uint32_t length, uint8_t firstbyte) {\n uint8_t buf[4];\n if (length == 1 && firstbyte <= 0x7f) {\n /* empty length header */\n } else if (length <= 55) {\n buf[0] = 0x80 + length;\n hash_data(buf, 1);\n } else if (length <= 0xff) {\n buf[0] = 0xb7 + 1;\n buf[1] = length;\n hash_data(buf, 2);\n } else if (length <= 0xffff) {\n buf[0] = 0xb7 + 2;\n buf[1] = length >> 8;\n buf[2] = length & 0xff;\n hash_data(buf, 3);\n } else {\n buf[0] = 0xb7 + 3;\n buf[1] = length >> 16;\n buf[2] = length >> 8;\n buf[3] = length & 0xff;\n hash_data(buf, 4);\n }\n}", "project": "keepkey-firmware", "hash": 328921545702066719181287074065136815570, "size": 24, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220879 }, { "func": "static int do_umount(struct libmnt_context *cxt)\n{\n\tint rc = 0, flags = 0;\n\tconst char *src, *target;\n\tchar *tgtbuf = NULL;\n\n\tassert(cxt);\n\tassert(cxt->fs);\n\tassert((cxt->flags & MNT_FL_MOUNTFLAGS_MERGED));\n\tassert(cxt->syscall_status == 1);\n\n\tif (cxt->helper)\n\t\treturn exec_helper(cxt);\n\n\tsrc = mnt_fs_get_srcpath(cxt->fs);\n\ttarget = mnt_fs_get_target(cxt->fs);\n\n\tif (!target)\n\t\treturn -EINVAL;\n\n\tDBG(CXT, 
ul_debugobj(cxt, \"do umount\"));\n\n\tif (mnt_context_is_restricted(cxt) && !mnt_context_is_fake(cxt)) {\n\t\t/*\n\t\t * extra paranoia for non-root users\n\t\t * -- chdir to the parent of the mountpoint and use NOFOLLOW\n\t\t * flag to avoid races and symlink attacks.\n\t\t */\n\t\tif (umount_nofollow_support())\n\t\t\tflags |= UMOUNT_NOFOLLOW;\n\n\t\trc = mnt_chdir_to_parent(target, &tgtbuf);\n\t\tif (rc)\n\t\t\treturn rc;\n\t\ttarget = tgtbuf;\n\t}\n\n\tif (mnt_context_is_lazy(cxt))\n\t\tflags |= MNT_DETACH;\n\n\tif (mnt_context_is_force(cxt))\n\t\tflags |= MNT_FORCE;\n\n\tDBG(CXT, ul_debugobj(cxt, \"umount(2) [target='%s', flags=0x%08x]%s\",\n\t\t\t\ttarget, flags,\n\t\t\t\tmnt_context_is_fake(cxt) ? \" (FAKE)\" : \"\"));\n\n\tif (mnt_context_is_fake(cxt))\n\t\trc = 0;\n\telse {\n\t\trc = flags ? umount2(target, flags) : umount(target);\n\t\tif (rc < 0)\n\t\t\tcxt->syscall_status = -errno;\n\t\tfree(tgtbuf);\n\t}\n\n\t/*\n\t * try remount read-only\n\t */\n\tif (rc < 0\n\t && cxt->syscall_status == -EBUSY\n\t && mnt_context_is_rdonly_umount(cxt)\n\t && src) {\n\n\t\tmnt_context_set_mflags(cxt, (cxt->mountflags |\n\t\t\t\t\t MS_REMOUNT | MS_RDONLY));\n\t\tmnt_context_enable_loopdel(cxt, FALSE);\n\n\t\tDBG(CXT, ul_debugobj(cxt,\n\t\t\t\"umount(2) failed [errno=%d] -- trying to remount read-only\",\n\t\t\t-cxt->syscall_status));\n\n\t\trc = mount(src, mnt_fs_get_target(cxt->fs), NULL,\n\t\t\t MS_REMOUNT | MS_RDONLY, NULL);\n\t\tif (rc < 0) {\n\t\t\tcxt->syscall_status = -errno;\n\t\t\tDBG(CXT, ul_debugobj(cxt,\n\t\t\t\t\"read-only re-mount(2) failed [errno=%d]\",\n\t\t\t\t-cxt->syscall_status));\n\n\t\t\treturn -cxt->syscall_status;\n\t\t}\n\t\tcxt->syscall_status = 0;\n\t\tDBG(CXT, ul_debugobj(cxt, \"read-only re-mount(2) success\"));\n\t\treturn 0;\n\t}\n\n\tif (rc < 0) {\n\t\tDBG(CXT, ul_debugobj(cxt, \"umount(2) failed [errno=%d]\",\n\t\t\t-cxt->syscall_status));\n\t\treturn -cxt->syscall_status;\n\t}\n\n\tcxt->syscall_status = 0;\n\tDBG(CXT, ul_debugobj(cxt, 
\"umount(2) success\"));\n\treturn 0;\n}", "project": "util-linux", "hash": 315549445730776925595009784741061001602, "size": 97, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410402 }, { "func": "static void sp_delete(struct shared_policy *sp, struct sp_node *n)\n{\n\tpr_debug(\"deleting %lx-l%lx\\n\", n->start, n->end);\n\trb_erase(&n->nd, &sp->root);\n\tsp_free(n);\n}", "project": "linux", "hash": 98409569903030258975220574851081166667, "size": 6, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366738 }, { "func": "ma_set_connect_attrs(MYSQL *mysql, const char *host)\n{\n char buffer[255];\n int rc= 0;\n\n rc= mysql_options(mysql, MYSQL_OPT_CONNECT_ATTR_DELETE, \"_client_name\") +\n mysql_options(mysql, MYSQL_OPT_CONNECT_ATTR_DELETE, \"_client_version\") +\n mysql_options(mysql, MYSQL_OPT_CONNECT_ATTR_DELETE, \"_os\") +\n mysql_options(mysql, MYSQL_OPT_CONNECT_ATTR_DELETE, \"_server_host\") +\n#ifdef _WIN32\n mysql_options(mysql, MYSQL_OPT_CONNECT_ATTR_DELETE, \"_thread\") +\n#endif\n mysql_options(mysql, MYSQL_OPT_CONNECT_ATTR_DELETE, \"_pid\") +\n mysql_options(mysql, MYSQL_OPT_CONNECT_ATTR_DELETE, \"_platform\");\n\n rc+= mysql_optionsv(mysql, MYSQL_OPT_CONNECT_ATTR_ADD, \"_client_name\", \"libmariadb\")\n + mysql_optionsv(mysql, MYSQL_OPT_CONNECT_ATTR_ADD, \"_client_version\", MARIADB_PACKAGE_VERSION)\n + mysql_optionsv(mysql, MYSQL_OPT_CONNECT_ATTR_ADD, \"_os\", MARIADB_SYSTEM_TYPE);\n\n if (host && *host)\n rc+= mysql_optionsv(mysql, MYSQL_OPT_CONNECT_ATTR_ADD, \"_server_host\", host);\n\n#ifdef _WIN32\n snprintf(buffer, 255, \"%lu\", (ulong) GetCurrentThreadId());\n rc+= mysql_optionsv(mysql, MYSQL_OPT_CONNECT_ATTR_ADD, \"_thread\", buffer);\n snprintf(buffer, 255, \"%lu\", (ulong) GetCurrentProcessId());\n#else\n snprintf(buffer, 255, \"%lu\", (ulong) getpid());\n#endif\n rc+= 
mysql_optionsv(mysql, MYSQL_OPT_CONNECT_ATTR_ADD, \"_pid\", buffer);\n\n rc+= mysql_optionsv(mysql, MYSQL_OPT_CONNECT_ATTR_ADD, \"_platform\", MARIADB_MACHINE_TYPE);\n return(test(rc>0));\n}", "project": "mariadb-connector-c", "hash": 146844304949301481854533240656489965211, "size": 34, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429709 }, { "func": "static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd)\n{\n\tif (sd->next_asid > sd->max_asid) {\n\t\t++sd->asid_generation;\n\t\tsd->next_asid = sd->min_asid;\n\t\tsvm->vmcb->control.tlb_ctl = TLB_CONTROL_FLUSH_ALL_ASID;\n\t}\n\n\tsvm->asid_generation = sd->asid_generation;\n\tsvm->vmcb->control.asid = sd->next_asid++;\n\n\tmark_dirty(svm->vmcb, VMCB_ASID);\n}", "project": "linux", "hash": 12735409678943381897829396634978866829, "size": 13, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432525 }, { "func": "static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd)\n{\n\tif (sd->next_asid > sd->max_asid) {\n\t\t++sd->asid_generation;\n\t\tsd->next_asid = 1;\n\t\tsvm->vmcb->control.tlb_ctl = TLB_CONTROL_FLUSH_ALL_ASID;\n\t}\n\n\tsvm->asid_generation = sd->asid_generation;\n\tsvm->vmcb->control.asid = sd->next_asid++;\n\n\tmark_dirty(svm->vmcb, VMCB_ASID);\n}", "project": "kvm", "hash": 148805209906205768431819413124442507328, "size": 13, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437558 }, { "func": "int rtnl_wilddump_req_filter(struct rtnl_handle *rth, int family, int type,\n\t\t\t __u32 filt_mask)\n{\n\tstruct {\n\t\tstruct nlmsghdr nlh;\n\t\tstruct ifinfomsg ifm;\n\t\t/* attribute has to be NLMSG aligned */\n\t\tstruct rtattr ext_req __attribute__ ((aligned(NLMSG_ALIGNTO)));\n\t\t__u32 ext_filter_mask;\n\t} req = {\n\t\t.nlh.nlmsg_len = sizeof(req),\n\t\t.nlh.nlmsg_type = type,\n\t\t.nlh.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST,\n\t\t.nlh.nlmsg_seq = rth->dump = ++rth->seq,\n\t\t.ifm.ifi_family = family,\n\t\t.ext_req.rta_type = IFLA_EXT_MASK,\n\t\t.ext_req.rta_len = RTA_LENGTH(sizeof(__u32)),\n\t\t.ext_filter_mask = filt_mask,\n\t};\n\n\treturn send(rth->fd, &req, sizeof(req), 0);\n}", "project": "iproute2", "hash": 
313056258914854310301595229015625516837, "size": 22, "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f", "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern \nSigned-off-by: Stephen Hemminger ", "target": 0, "dataset": "other", "idx": 318245 }, { "func": "static int io_statx(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_statx *ctx = &req->statx;\n\tint ret;\n\n\tif (issue_flags & IO_URING_F_NONBLOCK)\n\t\treturn -EAGAIN;\n\n\tret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,\n\t\t ctx->buffer);\n\n\tif (ret < 0)\n\t\treq_set_fail_links(req);\n\tio_req_complete(req, ret);\n\treturn 0;\n}", "project": "linux", "hash": 271372512246064468518304577360133541974, "size": 16, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338610 }, { "func": "\nstatic void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,\n\t\t\t struct wait_queue_head *head,\n\t\t\t struct io_poll_iocb **poll_ptr)\n{\n\tstruct io_kiocb *req = pt->req;\n\n\t/*\n\t * If poll->head is already set, it's because the file being polled\n\t * uses multiple waitqueues for poll handling (eg one for read, one\n\t * for write). 
Setup a separate io_poll_iocb if this happens.\n\t */\n\tif (unlikely(poll->head)) {\n\t\tstruct io_poll_iocb *poll_one = poll;\n\n\t\t/* already have a 2nd entry, fail a third attempt */\n\t\tif (*poll_ptr) {\n\t\t\tpt->error = -EINVAL;\n\t\t\treturn;\n\t\t}\n\t\t/*\n\t\t * Can't handle multishot for double wait for now, turn it\n\t\t * into one-shot mode.\n\t\t */\n\t\tif (!(req->poll.events & EPOLLONESHOT))\n\t\t\treq->poll.events |= EPOLLONESHOT;\n\t\t/* double add on the same waitqueue head, ignore */\n\t\tif (poll->head == head)\n\t\t\treturn;\n\t\tpoll = kmalloc(sizeof(*poll), GFP_ATOMIC);\n\t\tif (!poll) {\n\t\t\tpt->error = -ENOMEM;\n\t\t\treturn;\n\t\t}\n\t\tio_init_poll_iocb(poll, poll_one->events, io_poll_double_wake);\n\t\treq_ref_get(req);\n\t\tpoll->wait.private = req;\n\t\t*poll_ptr = poll;\n\t}\n\n\tpt->error = 0;\n\tpoll->head = head;\n\n\tif (poll->events & EPOLLEXCLUSIVE)\n\t\tadd_wait_queue_exclusive(head, &poll->wait);\n\telse\n\t\tadd_wait_queue(head, &poll->wait);", "project": "linux", "hash": 76877508140312586337805507568066638966, "size": 47, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338690 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::resolvePromisesForSuspend()\n{\n ASSERT(isAudioThread());\n ASSERT(isGraphOwner());\n\n if (m_suspendResolvers.size() > 0)\n callOnMainThread(bind(&AudioContext::resolvePromisesForSuspendOnMainThread, this));\n\n}\n", "cwe": "", "big_vul_idx": 139684, "idx": 124832, "hash": 192353405282113966210903293607174877988 }, { "func": "DLLEXPORT int DLLCALL tjDecompressHeader(tjhandle handle,\n\tunsigned char *jpegBuf, unsigned long jpegSize, int *width, int *height)\n{\n\tint jpegSubsamp;\n\treturn tjDecompressHeader2(handle, jpegBuf, jpegSize, width, height,\n\t\t&jpegSubsamp);\n}", "project": "libjpeg-turbo", "hash": 75360896301267377059935556053543885908, "size": 7, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... 
when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311100 }, { "func": "TfLiteStatus PrepareImpl(TfLiteContext* context, TfLiteNode* node) {\n auto* params =\n reinterpret_cast(node->builtin_data);\n OpData* data = reinterpret_cast(node->user_data);\n // Check we have all the inputs and outputs we need.\n TF_LITE_ENSURE(context, node->inputs->size == 2 || node->inputs->size == 3);\n // Shuffled formats need a workspace to store the shuffled input activations.\n const int expected_outputs_count =\n params->weights_format == kTfLiteFullyConnectedWeightsFormatDefault ? 1\n : 2;\n TF_LITE_ENSURE_EQ(context, node->outputs->size, expected_outputs_count);\n\n const TfLiteTensor* input;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, kInputTensor, &input));\n const TfLiteTensor* filter;\n TF_LITE_ENSURE_OK(context,\n GetInputSafe(context, node, kWeightsTensor, &filter));\n const TfLiteTensor* bias =\n (node->inputs->size == 3)\n ? GetOptionalInputTensor(context, node, kBiasTensor)\n : nullptr;\n TfLiteTensor* output;\n TF_LITE_ENSURE_OK(context,\n GetOutputSafe(context, node, kOutputTensor, &output));\n\n // Check proper datatype match among all Input Tensors\n TF_LITE_ENSURE_STATUS(\n CheckTypes(context, input, filter, bias, output, params));\n\n // Check all the parameters of tensor match within themselves and match the\n // input configuration.\n int input_size = 1;\n for (int i = 0; i < input->dims->size; i++) {\n input_size *= input->dims->data[i];\n }\n\n TF_LITE_ENSURE_EQ(context, NumDimensions(filter), 2);\n TF_LITE_ENSURE(context, filter->dims->data[1] != 0);\n const int batch_size = input_size / filter->dims->data[1];\n const int num_units = filter->dims->data[0];\n\n if (bias) {\n TF_LITE_ENSURE_EQ(context, NumElements(bias), SizeOfDimension(filter, 0));\n }\n\n // Note that quantized inference requires that all tensors have their\n // parameters set. 
This is usually done during quantized training.\n if (input->type == kTfLiteUInt8 || input->type == kTfLiteInt8 ||\n input->type == kTfLiteInt16) {\n double real_multiplier = 0.0;\n TF_LITE_ENSURE_STATUS(GetQuantizedConvolutionMultipler(\n context, input, filter, bias, output, &real_multiplier));\n int exponent;\n QuantizeMultiplier(real_multiplier, &data->output_multiplier, &exponent);\n data->output_shift = exponent;\n TF_LITE_ENSURE_STATUS(CalculateActivationRangeQuantized(\n context, params->activation, output, &data->output_activation_min,\n &data->output_activation_max));\n }\n\n if (input->type == kTfLiteInt16 && output->type == kTfLiteInt16) {\n TF_LITE_ENSURE_EQ(context, input->params.zero_point, 0);\n TF_LITE_ENSURE_EQ(context, output->params.zero_point, 0);\n }\n\n // If we have to perform on-the-fly quantization (with quantized weights and\n // float inputs) first we need to quantize the inputs. Allocate a temporary\n // buffer to store the intermediate quantized values.\n // Additionally, we allocate a temporary buffer to store the accumulated\n // quantized values prior to multiplication by the scaling factor.\n const bool is_hybrid =\n (input->type == kTfLiteFloat32 &&\n (filter->type == kTfLiteUInt8 || filter->type == kTfLiteInt8));\n const bool is_sparse = filter->sparsity != nullptr;\n if (is_hybrid) {\n TfLiteIntArrayFree(node->temporaries);\n data->compute_row_sums = true;\n if (is_sparse) {\n node->temporaries = TfLiteIntArrayCreate(6);\n } else {\n node->temporaries = TfLiteIntArrayCreate(5);\n }\n node->temporaries->data[0] = data->scratch_tensor_index;\n\n TfLiteTensor* input_quantized;\n TF_LITE_ENSURE_OK(context, GetTemporarySafe(context, node, /*index=*/0,\n &input_quantized));\n input_quantized->type = filter->type;\n input_quantized->allocation_type = kTfLiteArenaRw;\n\n TfLiteIntArray* input_quantized_size = TfLiteIntArrayCopy(input->dims);\n TF_LITE_ENSURE_OK(context, context->ResizeTensor(context, input_quantized,\n 
input_quantized_size));\n\n node->temporaries->data[1] = data->scratch_tensor_index + 1;\n TfLiteTensor* scaling_factors;\n TF_LITE_ENSURE_OK(context, GetTemporarySafe(context, node, /*index=*/1,\n &scaling_factors));\n scaling_factors->type = kTfLiteFloat32;\n scaling_factors->allocation_type = kTfLiteArenaRw;\n\n int scaling_dims[1] = {batch_size};\n if (!TfLiteIntArrayEqualsArray(scaling_factors->dims, 1, scaling_dims)) {\n TfLiteIntArray* scaling_factors_size = TfLiteIntArrayCreate(1);\n scaling_factors_size->data[0] = batch_size;\n TF_LITE_ENSURE_OK(context, context->ResizeTensor(context, scaling_factors,\n scaling_factors_size));\n }\n\n node->temporaries->data[2] = data->scratch_tensor_index + 2;\n TfLiteTensor* accum_scratch;\n TF_LITE_ENSURE_OK(\n context, GetTemporarySafe(context, node, /*index=*/2, &accum_scratch));\n accum_scratch->type = kTfLiteInt32;\n accum_scratch->allocation_type = kTfLiteArenaRw;\n int accum_scratch_dims[2] = {num_units, batch_size};\n if (!TfLiteIntArrayEqualsArray(accum_scratch->dims, 2,\n accum_scratch_dims)) {\n TfLiteIntArray* accum_size = TfLiteIntArrayCreate(2);\n accum_size->data[0] = num_units;\n accum_size->data[1] = batch_size;\n TF_LITE_ENSURE_OK(\n context, context->ResizeTensor(context, accum_scratch, accum_size));\n }\n\n node->temporaries->data[3] = data->scratch_tensor_index + 3;\n TfLiteTensor* input_offsets;\n TF_LITE_ENSURE_OK(\n context, GetTemporarySafe(context, node, /*index=*/3, &input_offsets));\n input_offsets->type = kTfLiteInt32;\n input_offsets->allocation_type = kTfLiteArenaRw;\n if (!TfLiteIntArrayEqualsArray(input_offsets->dims, 1, scaling_dims)) {\n TfLiteIntArray* input_offsets_size = TfLiteIntArrayCreate(1);\n input_offsets_size->data[0] = batch_size;\n TF_LITE_ENSURE_OK(context, context->ResizeTensor(context, input_offsets,\n input_offsets_size));\n }\n node->temporaries->data[4] = data->scratch_tensor_index + 4;\n TfLiteTensor* row_sums;\n TF_LITE_ENSURE_OK(context,\n GetTemporarySafe(context, 
node, /*index=*/4, &row_sums));\n row_sums->type = kTfLiteInt32;\n row_sums->allocation_type = kTfLiteArenaRwPersistent;\n int row_sums_dims[1] = {num_units};\n if (!TfLiteIntArrayEqualsArray(row_sums->dims, 1, row_sums_dims)) {\n TfLiteIntArray* row_sums_size = TfLiteIntArrayCreate(1);\n row_sums_size->data[0] = row_sums_dims[0];\n TF_LITE_ENSURE_OK(\n context, context->ResizeTensor(context, row_sums, row_sums_size));\n }\n\n if (is_sparse) {\n data->ledger_initialized = false;\n node->temporaries->data[5] = data->scratch_tensor_index + 5;\n TfLiteTensor* filter_ledger =\n &context->tensors[node->temporaries->data[5]];\n auto status =\n CreateLedgerTensor(filter->sparsity, context, filter_ledger);\n if (status != kTfLiteOk) return status;\n }\n }\n\n // Resize output.\n TfLiteIntArray* output_size_array = nullptr;\n if (params->keep_num_dims) {\n // When number of dimensions are kept the filter operates along the last\n // dimensions. In other words, for an input tensor with shape\n // [batch_size, ..., n_inputs] and a filter of shape [n_inputs, n_units]\n // this Op produces an output of shape [batch_size, ..., n_units].\n TF_LITE_ENSURE_EQ(context, input->dims->data[input->dims->size - 1],\n SizeOfDimension(filter, 1));\n output_size_array = TfLiteIntArrayCopy(input->dims);\n output_size_array->data[output_size_array->size - 1] = num_units;\n } else {\n // Otherwise, the output is (potentially flattened to) a 2-D matrix.\n output_size_array = TfLiteIntArrayCreate(2);\n output_size_array->data[0] = batch_size;\n output_size_array->data[1] = num_units;\n }\n TF_LITE_ENSURE_OK(context,\n context->ResizeTensor(context, output, output_size_array));\n\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 220174330879913368563686256728938222252, "size": 184, "commit_id": "6c0b2b70eeee588591680f5b7d5d38175fd7cdf6", "message": "[lite] add validation check for sparse fully connected\n\nPiperOrigin-RevId: 417629354\nChange-Id: 
If96171c4bd4f5fdb01d6368d6deab19d1c9beca7", "target": 0, "dataset": "other", "idx": 220480 }, { "func": "void LibRaw::parseSonySRF(unsigned len)\n{\n\n if ((len > 0xfffff) || (len == 0))\n return;\n\n INT64 save = ftell(ifp);\n INT64 offset =\n 0x0310c0 - save; /* for non-DNG this value normally is 0x8ddc */\n if (len < offset || offset < 0)\n return;\n INT64 decrypt_len = offset >> 2; /* master key offset value is the next\n un-encrypted metadata field after SRF0 */\n\n unsigned i, nWB;\n unsigned MasterKey, SRF2Key, RawDataKey;\n INT64 srf_offset, tag_offset, tag_data, tag_dataoffset;\n int tag_dataunitlen;\n uchar *srf_buf;\n short entries;\n unsigned tag_id, tag_type, tag_datalen;\n\n srf_buf = (uchar *)malloc(len);\n fread(srf_buf, len, 1, ifp);\n\n offset += srf_buf[offset] << 2;\n\n#define CHECKBUFFER_SGET4(offset) \\\n do \\\n { \\\n if ((((offset) + 4) > len) || ((offset) < 0)) \\\n goto restore_after_parseSonySRF; \\\n } while (0)\n\n#define CHECKBUFFER_SGET2(offset) \\\n do \\\n { \\\n if ( ((offset + 2) > len) || ((offset) < 0)) \\\n goto restore_after_parseSonySRF; \\\n } while (0)\n\n CHECKBUFFER_SGET4(offset);\n\n /* master key is stored in big endian */\n MasterKey = ((unsigned)srf_buf[offset] << 24) |\n ((unsigned)srf_buf[offset + 1] << 16) |\n ((unsigned)srf_buf[offset + 2] << 8) |\n (unsigned)srf_buf[offset + 3];\n\n /* skip SRF0 */\n srf_offset = 0;\n CHECKBUFFER_SGET2(srf_offset);\n entries = sget2(srf_buf + srf_offset);\n if (entries > 1000)\n goto restore_after_parseSonySRF;\n offset = srf_offset + 2;\n CHECKBUFFER_SGET4(offset);\n CHECKBUFFER_SGET4(offset + 12 * entries);\n srf_offset = sget4(srf_buf + offset + 12 * entries) -\n save; /* SRF0 ends with SRF1 abs. 
position */\n\n /* get SRF1, it has fixed 40 bytes length and contains keys to decode metadata\n * and raw data */\n if (srf_offset < 0 || decrypt_len < srf_offset / 4)\n goto restore_after_parseSonySRF;\n sony_decrypt((unsigned *)(srf_buf + srf_offset), decrypt_len - srf_offset / 4,\n 1, MasterKey);\n CHECKBUFFER_SGET2(srf_offset);\n entries = sget2(srf_buf + srf_offset);\n if (entries > 1000)\n goto restore_after_parseSonySRF;\n offset = srf_offset + 2;\n tag_offset = offset;\n\n while (entries--) {\n if (tiff_sget (save, srf_buf, len,\n &tag_offset, &tag_id, &tag_type, &tag_dataoffset,\n &tag_datalen, &tag_dataunitlen) == 0) {\n if (tag_id == 0x0000) {\n SRF2Key = sget4(srf_buf + tag_dataoffset);\n } else if (tag_id == 0x0001) {\n RawDataKey = sget4(srf_buf + tag_dataoffset);\n }\n } else goto restore_after_parseSonySRF;\n }\n offset = tag_offset;\n\n /* get SRF2 */\n CHECKBUFFER_SGET4(offset);\n srf_offset =\n sget4(srf_buf + offset) - save; /* SRFn ends with SRFn+1 position */\n if (srf_offset < 0 || decrypt_len < srf_offset / 4)\n goto restore_after_parseSonySRF;\n sony_decrypt((unsigned *)(srf_buf + srf_offset), decrypt_len - srf_offset / 4,\n 1, SRF2Key);\n CHECKBUFFER_SGET2(srf_offset);\n entries = sget2(srf_buf + srf_offset);\n if (entries > 1000)\n goto restore_after_parseSonySRF;\n offset = srf_offset + 2;\n tag_offset = offset;\n\n while (entries--) {\n if (tiff_sget (save, srf_buf, len,\n &tag_offset, &tag_id, &tag_type, &tag_dataoffset,\n &tag_datalen, &tag_dataunitlen) == 0) {\n if ((tag_id >= 0x00c0) && (tag_id <= 0x00ce)) {\n i = (tag_id - 0x00c0) % 3;\n nWB = (tag_id - 0x00c0) / 3;\n icWBC[Sony_SRF_wb_list[nWB]][i] = sget4(srf_buf + tag_dataoffset);\n if (i == 1) {\n icWBC[Sony_SRF_wb_list[nWB]][3] =\n icWBC[Sony_SRF_wb_list[nWB]][i];\n }\n } else if ((tag_id >= 0x00d0) && (tag_id <= 0x00d2)) {\n i = (tag_id - 0x00d0) % 3;\n cam_mul[i] = sget4(srf_buf + tag_dataoffset);\n if (i == 1) {\n cam_mul[3] = cam_mul[i];\n }\n } else switch (tag_id) {\n 
/*\n 0x0002 SRF6Offset\n 0x0003 SRFDataOffset (?)\n 0x0004 RawDataOffset\n 0x0005 RawDataLength\n */\n case 0x0043:\n ilm.MaxAp4MaxFocal = sgetreal(tag_type, srf_buf + tag_dataoffset);\n break;\n case 0x0044:\n ilm.MaxAp4MinFocal = sgetreal(tag_type, srf_buf + tag_dataoffset);\n break;\n case 0x0045:\n ilm.MinFocal = sgetreal(tag_type, srf_buf + tag_dataoffset);\n break;\n case 0x0046:\n ilm.MaxFocal = sgetreal(tag_type, srf_buf + tag_dataoffset);\n break;\n }\n } else goto restore_after_parseSonySRF;\n }\n offset = tag_offset;\n\nrestore_after_parseSonySRF:\n free(srf_buf);\n fseek(ifp, save, SEEK_SET);\n#undef CHECKBUFFER_SGET4\n#undef CHECKBUFFER_SGET2\n}", "project": "LibRaw", "hash": 133935611544622211790149768901407187953, "size": 150, "commit_id": "c243f4539233053466c1309bde606815351bee81", "message": "additional checks in parseSonySRF\n\nparseSonySR2: buffer size check", "target": 1, "dataset": "other", "idx": 207218 }, { "func": "void LibRaw::parseSonySRF(unsigned len)\n{\n\n if ((len > 0xfffff) || (len == 0))\n return;\n\n INT64 save = ftell(ifp);\n INT64 offset =\n 0x0310c0 - save; /* for non-DNG this value normally is 0x8ddc */\n if (len < offset || offset < 0)\n return;\n INT64 decrypt_len = offset >> 2; /* master key offset value is the next\n un-encrypted metadata field after SRF0 */\n\n unsigned i, nWB;\n unsigned MasterKey, SRF2Key, RawDataKey;\n INT64 srf_offset, tag_offset, tag_data, tag_dataoffset;\n int tag_dataunitlen;\n uchar *srf_buf;\n ushort entries;\n unsigned tag_id, tag_type, tag_datalen;\n\n srf_buf = (uchar *)malloc(len+64);\n fread(srf_buf, len, 1, ifp);\n\n offset += srf_buf[offset] << 2;\n\n#define CHECKBUFFER_SGET4(offset) \\\n do \\\n { \\\n if ((((offset) + 4) > len) || ((offset) < 0)) \\\n goto restore_after_parseSonySRF; \\\n } while (0)\n\n#define CHECKBUFFER_SGET2(offset) \\\n do \\\n { \\\n if ( ((offset + 2) > len) || ((offset) < 0)) \\\n goto restore_after_parseSonySRF; \\\n } while (0)\n\n CHECKBUFFER_SGET4(offset);\n\n 
/* master key is stored in big endian */\n MasterKey = ((unsigned)srf_buf[offset] << 24) |\n ((unsigned)srf_buf[offset + 1] << 16) |\n ((unsigned)srf_buf[offset + 2] << 8) |\n (unsigned)srf_buf[offset + 3];\n\n /* skip SRF0 */\n srf_offset = 0;\n CHECKBUFFER_SGET2(srf_offset);\n entries = sget2(srf_buf + srf_offset);\n if (entries > 1000)\n goto restore_after_parseSonySRF;\n offset = srf_offset + 2;\n CHECKBUFFER_SGET4(offset);\n CHECKBUFFER_SGET4(offset + 12 * entries);\n srf_offset = sget4(srf_buf + offset + 12 * entries) -\n save; /* SRF0 ends with SRF1 abs. position */\n\n /* get SRF1, it has fixed 40 bytes length and contains keys to decode metadata\n * and raw data */\n if (srf_offset < 0 || decrypt_len < srf_offset / 4)\n goto restore_after_parseSonySRF;\n sony_decrypt((unsigned *)(srf_buf + srf_offset), decrypt_len - srf_offset / 4,\n 1, MasterKey);\n CHECKBUFFER_SGET2(srf_offset);\n entries = sget2(srf_buf + srf_offset);\n if (entries > 1000)\n goto restore_after_parseSonySRF;\n offset = srf_offset + 2;\n tag_offset = offset;\n\n while (entries--) {\n if (tiff_sget (save, srf_buf, len,\n &tag_offset, &tag_id, &tag_type, &tag_dataoffset,\n &tag_datalen, &tag_dataunitlen) == 0) {\n if (tag_id == 0x0000) {\n\t\t CHECKBUFFER_SGET4(tag_dataoffset);\n\t\t SRF2Key = sget4(srf_buf + tag_dataoffset);\n } else if (tag_id == 0x0001) {\n\t\t CHECKBUFFER_SGET4(tag_dataoffset);\n\t\t RawDataKey = sget4(srf_buf + tag_dataoffset);\n }\n } else goto restore_after_parseSonySRF;\n }\n offset = tag_offset;\n\n /* get SRF2 */\n CHECKBUFFER_SGET4(offset);\n srf_offset =\n sget4(srf_buf + offset) - save; /* SRFn ends with SRFn+1 position */\n if (srf_offset < 0 || decrypt_len < srf_offset / 4)\n goto restore_after_parseSonySRF;\n sony_decrypt((unsigned *)(srf_buf + srf_offset), decrypt_len - srf_offset / 4,\n 1, SRF2Key);\n CHECKBUFFER_SGET2(srf_offset);\n entries = sget2(srf_buf + srf_offset);\n if (entries > 1000)\n goto restore_after_parseSonySRF;\n offset = srf_offset + 2;\n 
tag_offset = offset;\n\n while (entries--) {\n\t if (tiff_sget(save, srf_buf, len,\n &tag_offset, &tag_id, &tag_type, &tag_dataoffset,\n &tag_datalen, &tag_dataunitlen) == 0) {\n if ((tag_id >= 0x00c0) && (tag_id <= 0x00ce)) {\n i = (tag_id - 0x00c0) % 3;\n nWB = (tag_id - 0x00c0) / 3;\n\t\tCHECKBUFFER_SGET4(tag_dataoffset);\n\t\ticWBC[Sony_SRF_wb_list[nWB]][i] = sget4(srf_buf + tag_dataoffset);\n if (i == 1) {\n icWBC[Sony_SRF_wb_list[nWB]][3] =\n icWBC[Sony_SRF_wb_list[nWB]][i];\n }\n } else if ((tag_id >= 0x00d0) && (tag_id <= 0x00d2)) {\n i = (tag_id - 0x00d0) % 3;\n\t\tCHECKBUFFER_SGET4(tag_dataoffset);\n\t\tcam_mul[i] = sget4(srf_buf + tag_dataoffset);\n if (i == 1) {\n cam_mul[3] = cam_mul[i];\n }\n } else switch (tag_id) {\n /*\n 0x0002 SRF6Offset\n 0x0003 SRFDataOffset (?)\n 0x0004 RawDataOffset\n 0x0005 RawDataLength\n */\n case 0x0043:\n\t\t CHECKBUFFER_SGET4(tag_dataoffset); // need to add extra space\n\t\t ilm.MaxAp4MaxFocal = sgetreal(tag_type, srf_buf + tag_dataoffset);\n break;\n case 0x0044:\n\t\t CHECKBUFFER_SGET4(tag_dataoffset);\n\t\t ilm.MaxAp4MinFocal = sgetreal(tag_type, srf_buf + tag_dataoffset);\n break;\n case 0x0045:\n\t\t CHECKBUFFER_SGET4(tag_dataoffset);\n\t\t ilm.MinFocal = sgetreal(tag_type, srf_buf + tag_dataoffset);\n break;\n case 0x0046:\n\t\t CHECKBUFFER_SGET4(tag_dataoffset);\n\t\t ilm.MaxFocal = sgetreal(tag_type, srf_buf + tag_dataoffset);\n break;\n }\n } else goto restore_after_parseSonySRF;\n }\n offset = tag_offset;\n\nrestore_after_parseSonySRF:\n free(srf_buf);\n fseek(ifp, save, SEEK_SET);\n#undef CHECKBUFFER_SGET4\n#undef CHECKBUFFER_SGET2\n}", "project": "LibRaw", "hash": 211422748523486439603542502209147525104, "size": 158, "commit_id": "c243f4539233053466c1309bde606815351bee81", "message": "additional checks in parseSonySRF\n\nparseSonySR2: buffer size check", "target": 0, "dataset": "other", "idx": 394100 }, { "func": "static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff 
*skb)\n{\n\tstruct hci_cp_le_del_from_resolv_list *sent;\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);\n\tif (!sent)\n\t\treturn;\n\n\thci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,\n\t\t\t sent->bdaddr_type);\n}", "project": "linux", "hash": 173057593788699249273363582439920270303, "size": 18, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431965 }, { "func": "static int is_ignored(int sig)\n{\n\treturn (sigismember(¤t->blocked, sig) ||\n\t\tcurrent->sighand->action[sig-1].sa.sa_handler == SIG_IGN);\n}", "project": "linux", "hash": 163575955373091572927746822802863820538, "size": 5, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. 
(Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326002 }, { "func": "static ssize_t fuse_get_res_by_io(struct fuse_io_priv *io)\n{\n\tif (io->err)\n\t\treturn io->err;\n\n\tif (io->bytes >= 0 && io->write)\n\t\treturn -EIO;\n\n\treturn io->bytes < 0 ? io->size : io->bytes;\n}", "project": "linux", "hash": 93487996664391895879476557942269056215, "size": 10, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341897 }, { "func": "bool fuse_mount_remove(struct fuse_mount *fm)\n{\n\tstruct fuse_conn *fc = fm->fc;\n\tbool last = false;\n\n\tdown_write(&fc->killsb);\n\tlist_del_init(&fm->fc_entry);\n\tif (list_empty(&fc->mounts))\n\t\tlast = true;\n\tup_write(&fc->killsb);\n\n\treturn last;\n}", "project": "linux", "hash": 318522964171239089711435412457595562302, "size": 13, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342067 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "void BlobURLRequestJob::DidResolve(base::PlatformFileError rv,\n const base::PlatformFileInfo& file_info) {\n if (rv == base::PLATFORM_FILE_ERROR_NOT_FOUND) {\n NotifyFailure(net::ERR_FILE_NOT_FOUND);\n return;\n } else if (rv != base::PLATFORM_FILE_OK) {\n NotifyFailure(net::ERR_FAILED);\n return;\n }\n\n const BlobData::Item& item = blob_data_->items().at(item_index_);\n DCHECK(item.type() == BlobData::TYPE_FILE);\n\n if (!item.expected_modification_time().is_null() &&\n item.expected_modification_time().ToTimeT() !=\n file_info.last_modified.ToTimeT()) {\n NotifyFailure(net::ERR_FILE_NOT_FOUND);\n return;\n }\n\n int64 item_length = static_cast(item.length());\n if (item_length == -1)\n item_length = file_info.size;\n\n item_length_list_.push_back(item_length);\n total_size_ += item_length;\n\n item_index_++;\n CountSize();\n}\n", "cwe": "", "big_vul_idx": 106411, "idx": 95564, "hash": 180185318819131842397252829792916573095 }, { "func": "static inline int kvm_vcpu_get_idx(struct kvm_vcpu *vcpu)\n{\n\treturn vcpu->vcpu_idx;\n}", "project": "linux", "hash": 147184092856353505274614946405442243457, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on 
number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354688 }, { "func": "static void io_req_free_batch(struct req_batch *rb, struct io_kiocb *req,\n\t\t\t struct io_submit_state *state)\n{\n\tio_queue_next(req);\n\tio_dismantle_req(req);\n\n\tif (req->task != rb->task) {\n\t\tif (rb->task)\n\t\t\tio_put_task(rb->task, rb->task_refs);\n\t\trb->task = req->task;\n\t\trb->task_refs = 0;\n\t}\n\trb->task_refs++;\n\trb->ctx_refs++;\n\n\tif (state->free_reqs != ARRAY_SIZE(state->reqs))\n\t\tstate->reqs[state->free_reqs++] = req;\n\telse\n\t\tlist_add(&req->compl.list, &state->comp.free_list);\n}", "project": "linux", "hash": 64286407194944194946739761220028656715, "size": 20, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338692 }, { "func": "static void io_req_free_batch(struct req_batch *rb, struct io_kiocb *req)\n{\n\tif (unlikely(io_is_fallback_req(req))) {\n\t\tio_free_req(req);\n\t\treturn;\n\t}\n\tif (req->flags & REQ_F_LINK_HEAD)\n\t\tio_queue_next(req);\n\n\tif (req->flags & REQ_F_TASK_PINNED) {\n\t\tif (req->task != rb->task) {\n\t\t\tif (rb->task)\n\t\t\t\tput_task_struct_many(rb->task, rb->task_refs);\n\t\t\trb->task = req->task;\n\t\t\trb->task_refs = 0;\n\t\t}\n\t\trb->task_refs++;\n\t\treq->flags &= ~REQ_F_TASK_PINNED;\n\t}\n\n\tWARN_ON_ONCE(io_dismantle_req(req));\n\trb->reqs[rb->to_free++] = req;\n\tif (unlikely(rb->to_free == ARRAY_SIZE(rb->reqs)))\n\t\t__io_req_free_batch_flush(req->ctx, rb);\n}", "project": "linux", "hash": 339698134047117574702345454362745568379, "size": 25, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: 
Jens Axboe ", "target": 0, "dataset": "other", "idx": 456911 }, { "func": "inline void add_cond_and_fix(THD *thd, Item **e1, Item *e2)\n{\n if (*e1)\n {\n if (!e2)\n return;\n Item *res;\n if ((res= new (thd->mem_root) Item_cond_and(thd, *e1, e2)))\n {\n res->fix_fields(thd, 0);\n res->update_used_tables();\n *e1= res;\n }\n }\n else\n *e1= e2;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 102075324630185401422924231408269597853, "size": 17, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508446 }, { "func": "static void nfs_finish_clear_delegation_stateid(struct nfs4_state *state,\n\t\tconst nfs4_stateid *stateid)\n{\n\tnfs_remove_bad_delegation(state->inode, stateid);\n\tnfs_state_clear_delegation(state);\n}", "project": "linux", "hash": 328870895642623989286704756042704360926, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431519 }, { "func": "static void fuse_release_user_pages(struct fuse_args_pages *ap,\n\t\t\t\t bool should_dirty)\n{\n\tunsigned int i;\n\n\tfor (i = 0; i < ap->num_pages; i++) {\n\t\tif (should_dirty)\n\t\t\tset_page_dirty_lock(ap->pages[i]);\n\t\tput_page(ap->pages[i]);\n\t}\n}", "project": "linux", "hash": 281666193062059634623667557971440783374, "size": 11, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341936 }, { "func": "static inline void add_partial(struct kmem_cache_node *n,\n\t\t\t\tstruct page *page, int tail)\n{\n\tlockdep_assert_held(&n->list_lock);\n\t__add_partial(n, page, tail);\n}", "project": "linux", "hash": 307276117351072809391997206746384946115, "size": 6, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280274 }, { "func": "static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)\n{\n\tstruct nft_rule **g0, **g1;\n\tbool next_genbit;\n\n\tnext_genbit = nft_gencursor_next(net);\n\n\tg0 = rcu_dereference_protected(chain->rules_gen_0,\n\t\t\t\t lockdep_commit_lock_is_held(net));\n\tg1 = rcu_dereference_protected(chain->rules_gen_1,\n\t\t\t\t lockdep_commit_lock_is_held(net));\n\n\t/* No changes to this chain? */\n\tif (chain->rules_next == NULL) {\n\t\t/* chain had no change in last or next generation */\n\t\tif (g0 == g1)\n\t\t\treturn;\n\t\t/*\n\t\t * chain had no change in this generation; make sure next\n\t\t * one uses same rules as current generation.\n\t\t */\n\t\tif (next_genbit) {\n\t\t\trcu_assign_pointer(chain->rules_gen_1, g0);\n\t\t\tnf_tables_commit_chain_free_rules_old(g1);\n\t\t} else {\n\t\t\trcu_assign_pointer(chain->rules_gen_0, g1);\n\t\t\tnf_tables_commit_chain_free_rules_old(g0);\n\t\t}\n\n\t\treturn;\n\t}\n\n\tif (next_genbit)\n\t\trcu_assign_pointer(chain->rules_gen_1, chain->rules_next);\n\telse\n\t\trcu_assign_pointer(chain->rules_gen_0, chain->rules_next);\n\n\tchain->rules_next = NULL;\n\n\tif (g0 == g1)\n\t\treturn;\n\n\tif (next_genbit)\n\t\tnf_tables_commit_chain_free_rules_old(g1);\n\telse\n\t\tnf_tables_commit_chain_free_rules_old(g0);\n}", "project": "linux", "hash": 103861694468918305290908684656804757527, "size": 47, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if 
expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328359 }, { "func": "string lua_text_pattern::new_fn_name()\n{\n return make_stringf(\"__ch_stash_search_%u\", lfndx++);\n}", "project": "crawl", "hash": 260024200574307093467083385398123596579, "size": 4, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230521 }, { "func": "static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)\n{\n\tstruct nftables_pernet *nft_net;\n\tstruct sk_buff *skb;\n\tint err;\n\n\tif (!ctx->report &&\n\t !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))\n\t\treturn;\n\n\tskb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);\n\tif (skb == NULL)\n\t\tgoto err;\n\n\terr = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,\n\t\t\t\t\tevent, 0, ctx->family, ctx->table);\n\tif (err < 0) {\n\t\tkfree_skb(skb);\n\t\tgoto 
err;\n\t}\n\n\tnft_net = nft_pernet(ctx->net);\n\tnft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);\n\treturn;\nerr:\n\tnfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);\n}", "project": "linux", "hash": 19346566094892831133654892540768306090, "size": 27, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? 
nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328373 }, { "func": "static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_read_local_name *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tif (hci_dev_test_flag(hdev, HCI_SETUP) ||\n\t hci_dev_test_flag(hdev, HCI_CONFIG))\n\t\tmemcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);\n}", "project": "linux", "hash": 228581910177609503287224264944609093624, "size": 13, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432041 }, { "func": "static int rar5_init(struct rar5* rar) {\n\tssize_t i;\n\n\tmemset(rar, 0, sizeof(struct rar5));\n\n\t/* Decrypt the magic signature pattern. Check the comment near the\n\t * `rar5_signature` symbol to read the rationale behind this. 
*/\n\n\tif(rar5_signature[0] == 243) {\n\t\tfor(i = 0; i < rar5_signature_size; i++) {\n\t\t\trar5_signature[i] ^= 0xA1;\n\t\t}\n\t}\n\n\tif(CDE_OK != cdeque_init(&rar->cstate.filters, 8192))\n\t\treturn ARCHIVE_FATAL;\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 150166944391286469548723239482365902852, "size": 19, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244708 }, { "func": "uint32 CSoundFile::CalculateXParam(PATTERNINDEX pat, ROWINDEX row, CHANNELINDEX chn, bool *isExtended) const\n{\n\tif(isExtended != nullptr) *isExtended = false;\n\tROWINDEX maxCommands = 4;\n\tconst ModCommand *m = Patterns[pat].GetpModCommand(row, chn);\n\tuint32 val = m->param;\n\n\tswitch(m->command)\n\t{\n\tcase CMD_OFFSET:\n\t\t// 24 bit command\n\t\tmaxCommands = 2;\n\t\tbreak;\n\tcase CMD_TEMPO:\n\tcase CMD_PATTERNBREAK:\n\tcase CMD_POSITIONJUMP:\n\t\t// 16 bit command\n\t\tmaxCommands = 1;\n\t\tbreak;\n\tdefault:\n\t\treturn val;\n\t}\n\n\tconst bool xmTempoFix = m->command == CMD_TEMPO && GetType() == MOD_TYPE_XM;\n\tROWINDEX numRows = std::min(Patterns[pat].GetNumRows() - row - 1, maxCommands);\n\twhile(numRows > 0)\n\t{\n\t\tm += Patterns[pat].GetNumChannels();\n\t\tif(m->command != CMD_XPARAM)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\t\tif(xmTempoFix && val < 
256)\n\t\t{\n\t\t\t// With XM, 0x20 is the lowest tempo. Anything below changes ticks per row.\n\t\t\tval -= 0x20;\n\t\t}\n\t\tval = (val << 8) | m->param;\n\t\tnumRows--;\n\t\tif(isExtended != nullptr) *isExtended = true;\n\t}\n\treturn val;\n}", "project": "openmpt", "hash": 214321747941434421739969401949684448995, "size": 43, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255194 }, { "func": "static void destroy_thread_context(struct thread_context* thread_context) {\n my_free(thread_context->tmp);\n#if defined(HAVE_ZSTD)\n if (thread_context->zstd_cctx != NULL) {\n ZSTD_freeCCtx(thread_context->zstd_cctx);\n }\n if (thread_context->zstd_dctx != NULL) {\n ZSTD_freeDCtx(thread_context->zstd_dctx);\n }\n#endif\n#ifdef HAVE_IPP\n if (thread_context->lz4_hash_table != NULL) {\n ippsFree(thread_context->lz4_hash_table);\n }\n#endif\n}", "project": "c-blosc2", "hash": 286114106544486824654045196655081155527, "size": 16, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303115 }, { "func": "}\nEXPORT_SYMBOL_GPL(iscsi_remove_session);\n\nvoid iscsi_free_session(struct iscsi_cls_session *session)\n{\n\tISCSI_DBG_TRANS_SESSION(session, \"Freeing session\\n\");", "project": "linux", "hash": 277598389844674614289956919489089553534, "size": 6, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and 
data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379950 }, { "func": "static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size,\n int uncompressed_size, EXRThreadData *td)\n{\n int64_t version, lo_usize, lo_size;\n int64_t ac_size, dc_size, rle_usize, rle_csize, rle_raw_size;\n int64_t ac_count, dc_count, ac_compression;\n const int dc_w = td->xsize >> 3;\n const int dc_h = td->ysize >> 3;\n GetByteContext gb, agb;\n int skip, ret;\n\n if (compressed_size <= 88)\n return AVERROR_INVALIDDATA;\n\n version = AV_RL64(src + 0);\n if (version != 2)\n return AVERROR_INVALIDDATA;\n\n lo_usize = AV_RL64(src + 8);\n lo_size = AV_RL64(src + 16);\n ac_size = AV_RL64(src + 24);\n dc_size = AV_RL64(src + 32);\n rle_csize = AV_RL64(src + 40);\n rle_usize = AV_RL64(src + 48);\n rle_raw_size = AV_RL64(src + 56);\n ac_count = AV_RL64(src + 64);\n dc_count = AV_RL64(src + 72);\n ac_compression = AV_RL64(src + 80);\n\n if (compressed_size < 88LL + lo_size + ac_size + dc_size + rle_csize)\n return AVERROR_INVALIDDATA;\n\n bytestream2_init(&gb, src + 88, compressed_size - 88);\n skip = bytestream2_get_le16(&gb);\n if (skip < 2)\n return AVERROR_INVALIDDATA;\n\n bytestream2_skip(&gb, skip - 2);\n\n if (lo_size > 0) {\n if (lo_usize > uncompressed_size)\n return AVERROR_INVALIDDATA;\n bytestream2_skip(&gb, lo_size);\n }\n\n if (ac_size > 0) {\n unsigned long dest_len = ac_count * 2LL;\n GetByteContext agb = gb;\n\n if (ac_count > 3LL * td->xsize * s->scan_lines_per_block)\n return AVERROR_INVALIDDATA;\n\n av_fast_padded_malloc(&td->ac_data, &td->ac_size, dest_len);\n if (!td->ac_data)\n return AVERROR(ENOMEM);\n\n switch (ac_compression) {\n case 0:\n ret = huf_uncompress(s, td, &agb, (int16_t *)td->ac_data, 
ac_count);\n if (ret < 0)\n return ret;\n break;\n case 1:\n if (uncompress(td->ac_data, &dest_len, agb.buffer, ac_size) != Z_OK ||\n dest_len != ac_count * 2LL)\n return AVERROR_INVALIDDATA;\n break;\n default:\n return AVERROR_INVALIDDATA;\n }\n\n bytestream2_skip(&gb, ac_size);\n }\n\n if (dc_size > 0) {\n unsigned long dest_len = dc_count * 2LL;\n GetByteContext agb = gb;\n\n if (dc_count > (6LL * td->xsize * td->ysize + 63) / 64)\n return AVERROR_INVALIDDATA;\n\n av_fast_padded_malloc(&td->dc_data, &td->dc_size, FFALIGN(dest_len, 64) * 2);\n if (!td->dc_data)\n return AVERROR(ENOMEM);\n\n if (uncompress(td->dc_data + FFALIGN(dest_len, 64), &dest_len, agb.buffer, dc_size) != Z_OK ||\n (dest_len != dc_count * 2LL))\n return AVERROR_INVALIDDATA;\n\n s->dsp.predictor(td->dc_data + FFALIGN(dest_len, 64), dest_len);\n s->dsp.reorder_pixels(td->dc_data, td->dc_data + FFALIGN(dest_len, 64), dest_len);\n\n bytestream2_skip(&gb, dc_size);\n }\n\n if (rle_raw_size > 0 && rle_csize > 0 && rle_usize > 0) {\n unsigned long dest_len = rle_usize;\n\n av_fast_padded_malloc(&td->rle_data, &td->rle_size, rle_usize);\n if (!td->rle_data)\n return AVERROR(ENOMEM);\n\n av_fast_padded_malloc(&td->rle_raw_data, &td->rle_raw_size, rle_raw_size);\n if (!td->rle_raw_data)\n return AVERROR(ENOMEM);\n\n if (uncompress(td->rle_data, &dest_len, gb.buffer, rle_csize) != Z_OK ||\n (dest_len != rle_usize))\n return AVERROR_INVALIDDATA;\n\n ret = rle(td->rle_raw_data, td->rle_data, rle_usize, rle_raw_size);\n if (ret < 0)\n return ret;\n bytestream2_skip(&gb, rle_csize);\n }\n\n bytestream2_init(&agb, td->ac_data, ac_count * 2);\n\n for (int y = 0; y < td->ysize; y += 8) {\n for (int x = 0; x < td->xsize; x += 8) {\n memset(td->block, 0, sizeof(td->block));\n\n for (int j = 0; j < 3; j++) {\n float *block = td->block[j];\n const int idx = (x >> 3) + (y >> 3) * dc_w + dc_w * dc_h * j;\n uint16_t *dc = (uint16_t *)td->dc_data;\n union av_intfloat32 dc_val;\n\n dc_val.i = half2float(dc[idx], 
s->mantissatable,\n s->exponenttable, s->offsettable);\n\n block[0] = dc_val.f;\n ac_uncompress(s, &agb, block);\n dct_inverse(block);\n }\n\n {\n const float scale = s->pixel_type == EXR_FLOAT ? 2.f : 1.f;\n const int o = s->nb_channels == 4;\n float *bo = ((float *)td->uncompressed_data) +\n y * td->xsize * s->nb_channels + td->xsize * (o + 0) + x;\n float *go = ((float *)td->uncompressed_data) +\n y * td->xsize * s->nb_channels + td->xsize * (o + 1) + x;\n float *ro = ((float *)td->uncompressed_data) +\n y * td->xsize * s->nb_channels + td->xsize * (o + 2) + x;\n float *yb = td->block[0];\n float *ub = td->block[1];\n float *vb = td->block[2];\n\n for (int yy = 0; yy < 8; yy++) {\n for (int xx = 0; xx < 8; xx++) {\n const int idx = xx + yy * 8;\n\n convert(yb[idx], ub[idx], vb[idx], &bo[xx], &go[xx], &ro[xx]);\n\n bo[xx] = to_linear(bo[xx], scale);\n go[xx] = to_linear(go[xx], scale);\n ro[xx] = to_linear(ro[xx], scale);\n }\n\n bo += td->xsize * s->nb_channels;\n go += td->xsize * s->nb_channels;\n ro += td->xsize * s->nb_channels;\n }\n }\n }\n }\n\n if (s->nb_channels < 4)\n return 0;\n\n for (int y = 0; y < td->ysize && td->rle_raw_data; y++) {\n uint32_t *ao = ((uint32_t *)td->uncompressed_data) + y * td->xsize * s->nb_channels;\n uint8_t *ai0 = td->rle_raw_data + y * td->xsize;\n uint8_t *ai1 = td->rle_raw_data + y * td->xsize + rle_raw_size / 2;\n\n for (int x = 0; x < td->xsize; x++) {\n uint16_t ha = ai0[x] | (ai1[x] << 8);\n\n ao[x] = half2float(ha, s->mantissatable, s->exponenttable, s->offsettable);\n }\n }\n\n return 0;\n}", "project": "FFmpeg", "hash": 164964024217881679158454133523303710683, "size": 185, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 1, "dataset": "other", "idx": 197652 }, { "func": "static int dwa_uncompress(EXRContext *s, const uint8_t *src, 
int compressed_size,\n int uncompressed_size, EXRThreadData *td)\n{\n int64_t version, lo_usize, lo_size;\n int64_t ac_size, dc_size, rle_usize, rle_csize, rle_raw_size;\n int64_t ac_count, dc_count, ac_compression;\n const int dc_w = td->xsize >> 3;\n const int dc_h = td->ysize >> 3;\n GetByteContext gb, agb;\n int skip, ret;\n\n if (compressed_size <= 88)\n return AVERROR_INVALIDDATA;\n\n version = AV_RL64(src + 0);\n if (version != 2)\n return AVERROR_INVALIDDATA;\n\n lo_usize = AV_RL64(src + 8);\n lo_size = AV_RL64(src + 16);\n ac_size = AV_RL64(src + 24);\n dc_size = AV_RL64(src + 32);\n rle_csize = AV_RL64(src + 40);\n rle_usize = AV_RL64(src + 48);\n rle_raw_size = AV_RL64(src + 56);\n ac_count = AV_RL64(src + 64);\n dc_count = AV_RL64(src + 72);\n ac_compression = AV_RL64(src + 80);\n\n if (compressed_size < 88LL + lo_size + ac_size + dc_size + rle_csize)\n return AVERROR_INVALIDDATA;\n\n bytestream2_init(&gb, src + 88, compressed_size - 88);\n skip = bytestream2_get_le16(&gb);\n if (skip < 2)\n return AVERROR_INVALIDDATA;\n\n bytestream2_skip(&gb, skip - 2);\n\n if (lo_size > 0) {\n if (lo_usize > uncompressed_size)\n return AVERROR_INVALIDDATA;\n bytestream2_skip(&gb, lo_size);\n }\n\n if (ac_size > 0) {\n unsigned long dest_len = ac_count * 2LL;\n GetByteContext agb = gb;\n\n if (ac_count > 3LL * td->xsize * s->scan_lines_per_block)\n return AVERROR_INVALIDDATA;\n\n av_fast_padded_malloc(&td->ac_data, &td->ac_size, dest_len);\n if (!td->ac_data)\n return AVERROR(ENOMEM);\n\n switch (ac_compression) {\n case 0:\n ret = huf_uncompress(s, td, &agb, (int16_t *)td->ac_data, ac_count);\n if (ret < 0)\n return ret;\n break;\n case 1:\n if (uncompress(td->ac_data, &dest_len, agb.buffer, ac_size) != Z_OK ||\n dest_len != ac_count * 2LL)\n return AVERROR_INVALIDDATA;\n break;\n default:\n return AVERROR_INVALIDDATA;\n }\n\n bytestream2_skip(&gb, ac_size);\n }\n\n {\n unsigned long dest_len = dc_count * 2LL;\n GetByteContext agb = gb;\n\n if (dc_count != dc_w * 
dc_h * 3)\n return AVERROR_INVALIDDATA;\n\n av_fast_padded_malloc(&td->dc_data, &td->dc_size, FFALIGN(dest_len, 64) * 2);\n if (!td->dc_data)\n return AVERROR(ENOMEM);\n\n if (uncompress(td->dc_data + FFALIGN(dest_len, 64), &dest_len, agb.buffer, dc_size) != Z_OK ||\n (dest_len != dc_count * 2LL))\n return AVERROR_INVALIDDATA;\n\n s->dsp.predictor(td->dc_data + FFALIGN(dest_len, 64), dest_len);\n s->dsp.reorder_pixels(td->dc_data, td->dc_data + FFALIGN(dest_len, 64), dest_len);\n\n bytestream2_skip(&gb, dc_size);\n }\n\n if (rle_raw_size > 0 && rle_csize > 0 && rle_usize > 0) {\n unsigned long dest_len = rle_usize;\n\n av_fast_padded_malloc(&td->rle_data, &td->rle_size, rle_usize);\n if (!td->rle_data)\n return AVERROR(ENOMEM);\n\n av_fast_padded_malloc(&td->rle_raw_data, &td->rle_raw_size, rle_raw_size);\n if (!td->rle_raw_data)\n return AVERROR(ENOMEM);\n\n if (uncompress(td->rle_data, &dest_len, gb.buffer, rle_csize) != Z_OK ||\n (dest_len != rle_usize))\n return AVERROR_INVALIDDATA;\n\n ret = rle(td->rle_raw_data, td->rle_data, rle_usize, rle_raw_size);\n if (ret < 0)\n return ret;\n bytestream2_skip(&gb, rle_csize);\n }\n\n bytestream2_init(&agb, td->ac_data, ac_count * 2);\n\n for (int y = 0; y < td->ysize; y += 8) {\n for (int x = 0; x < td->xsize; x += 8) {\n memset(td->block, 0, sizeof(td->block));\n\n for (int j = 0; j < 3; j++) {\n float *block = td->block[j];\n const int idx = (x >> 3) + (y >> 3) * dc_w + dc_w * dc_h * j;\n uint16_t *dc = (uint16_t *)td->dc_data;\n union av_intfloat32 dc_val;\n\n dc_val.i = half2float(dc[idx], s->mantissatable,\n s->exponenttable, s->offsettable);\n\n block[0] = dc_val.f;\n ac_uncompress(s, &agb, block);\n dct_inverse(block);\n }\n\n {\n const float scale = s->pixel_type == EXR_FLOAT ? 
2.f : 1.f;\n const int o = s->nb_channels == 4;\n float *bo = ((float *)td->uncompressed_data) +\n y * td->xsize * s->nb_channels + td->xsize * (o + 0) + x;\n float *go = ((float *)td->uncompressed_data) +\n y * td->xsize * s->nb_channels + td->xsize * (o + 1) + x;\n float *ro = ((float *)td->uncompressed_data) +\n y * td->xsize * s->nb_channels + td->xsize * (o + 2) + x;\n float *yb = td->block[0];\n float *ub = td->block[1];\n float *vb = td->block[2];\n\n for (int yy = 0; yy < 8; yy++) {\n for (int xx = 0; xx < 8; xx++) {\n const int idx = xx + yy * 8;\n\n convert(yb[idx], ub[idx], vb[idx], &bo[xx], &go[xx], &ro[xx]);\n\n bo[xx] = to_linear(bo[xx], scale);\n go[xx] = to_linear(go[xx], scale);\n ro[xx] = to_linear(ro[xx], scale);\n }\n\n bo += td->xsize * s->nb_channels;\n go += td->xsize * s->nb_channels;\n ro += td->xsize * s->nb_channels;\n }\n }\n }\n }\n\n if (s->nb_channels < 4)\n return 0;\n\n for (int y = 0; y < td->ysize && td->rle_raw_data; y++) {\n uint32_t *ao = ((uint32_t *)td->uncompressed_data) + y * td->xsize * s->nb_channels;\n uint8_t *ai0 = td->rle_raw_data + y * td->xsize;\n uint8_t *ai1 = td->rle_raw_data + y * td->xsize + rle_raw_size / 2;\n\n for (int x = 0; x < td->xsize; x++) {\n uint16_t ha = ai0[x] | (ai1[x] << 8);\n\n ao[x] = half2float(ha, s->mantissatable, s->exponenttable, s->offsettable);\n }\n }\n\n return 0;\n}", "project": "FFmpeg", "hash": 64835961090131636283596112080756004472, "size": 185, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262684 }, { "func": "static bool checkreturn pb_decode_varint32(pb_istream_t *stream, uint32_t *dest)\n{\n uint8_t byte;\n uint32_t result;\n \n if (!pb_readbyte(stream, &byte))\n return false;\n \n if ((byte & 0x80) == 0)\n {\n /* Quick case, 1 byte value */\n result = byte;\n 
}\n else\n {\n /* Multibyte case */\n uint8_t bitpos = 7;\n result = byte & 0x7F;\n \n do\n {\n if (bitpos >= 32)\n PB_RETURN_ERROR(stream, \"varint overflow\");\n \n if (!pb_readbyte(stream, &byte))\n return false;\n \n result |= (uint32_t)(byte & 0x7F) << bitpos;\n bitpos = (uint8_t)(bitpos + 7);\n } while (byte & 0x80);\n }\n \n *dest = result;\n return true;\n}", "project": "nanopb", "hash": 211009274905238337316614953549120249618, "size": 35, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255321 }, { "func": " void pushDouble(double data) {\n auto const tv = top++;\n tv->m_type = KindOfDouble;\n tv->m_data.dbl = data;\n }", "project": "hhvm", "hash": 124543228750922033836958492939718777813, "size": 5, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227287 }, { "func": "int updateIpTree(u_int32_t key, u_int8_t version,\n\t\t addr_node **vrootp, const char *proto) {\n addr_node *q;\n addr_node **rootp = vrootp;\n\n if(rootp == (addr_node **)0)\n return 0;\n\n while(*rootp != (addr_node *)0) {\n /* Knuth's T1: */\n if((version == (*rootp)->version) && (key == (*rootp)->addr)) {\n /* T2: */\n return ++((*rootp)->count);\n }\n\n rootp = (key < (*rootp)->addr) ?\n &(*rootp)->left :\t\t/* T3: follow left branch */\n &(*rootp)->right;\t\t/* T4: follow right branch */\n }\n\n q = (addr_node *) malloc(sizeof(addr_node));\t/* T5: key not found */\n if(q != (addr_node *)0) {\t /* make new node */\n *rootp = q;\t\t\t /* link new node to old */\n\n q->addr = key;\n 
q->version = version;\n strncpy(q->proto, proto, sizeof(q->proto));\n q->count = UPDATED_TREE;\n q->left = q->right = (addr_node *)0;\n\n return q->count;\n }\n\n return(0);\n}", "project": "nDPI", "hash": 135137597312835803599554222551730281702, "size": 35, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254864 }, { "func": "static void ca8210_rx_done(struct cas_control *cas_ctl)\n{\n\tu8 *buf;\n\tunsigned int len;\n\tstruct work_priv_container *mlme_reset_wpc;\n\tstruct ca8210_priv *priv = cas_ctl->priv;\n\n\tbuf = cas_ctl->tx_in_buf;\n\tlen = buf[1] + 2;\n\tif (len > CA8210_SPI_BUF_SIZE) {\n\t\tdev_crit(\n\t\t\t&priv->spi->dev,\n\t\t\t\"Received packet len (%u) erroneously long\\n\",\n\t\t\tlen\n\t\t);\n\t\tgoto finish;\n\t}\n\n\tif (buf[0] & SPI_SYN) {\n\t\tif (priv->sync_command_response) {\n\t\t\tmemcpy(priv->sync_command_response, buf, len);\n\t\t\tcomplete(&priv->sync_exchange_complete);\n\t\t} else {\n\t\t\tif (cascoda_api_upstream)\n\t\t\t\tcascoda_api_upstream(buf, len, priv->spi);\n\t\t\tpriv->sync_up++;\n\t\t}\n\t} else {\n\t\tif (cascoda_api_upstream)\n\t\t\tcascoda_api_upstream(buf, len, priv->spi);\n\t}\n\n\tca8210_net_rx(priv->hw, buf, len);\n\tif (buf[0] == SPI_MCPS_DATA_CONFIRM) {\n\t\tif (buf[3] == MAC_TRANSACTION_OVERFLOW) {\n\t\t\tdev_info(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"Waiting for transaction overflow to stabilise...\\n\");\n\t\t\tmsleep(2000);\n\t\t\tdev_info(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"Resetting MAC...\\n\");\n\n\t\t\tmlme_reset_wpc = kmalloc(sizeof(*mlme_reset_wpc),\n\t\t\t\t\t\t GFP_KERNEL);\n\t\t\tif (!mlme_reset_wpc)\n\t\t\t\tgoto finish;\n\t\t\tINIT_WORK(\n\t\t\t\t&mlme_reset_wpc->work,\n\t\t\t\tca8210_mlme_reset_worker\n\t\t\t);\n\t\t\tmlme_reset_wpc->priv = priv;\n\t\t\tqueue_work(priv->mlme_workqueue, 
&mlme_reset_wpc->work);\n\t\t}\n\t} else if (buf[0] == SPI_HWME_WAKEUP_INDICATION) {\n\t\tdev_notice(\n\t\t\t&priv->spi->dev,\n\t\t\t\"Wakeup indication received, reason:\\n\"\n\t\t);\n\t\tswitch (buf[2]) {\n\t\tcase 0:\n\t\t\tdev_notice(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"Transceiver woken up from Power Up / System Reset\\n\"\n\t\t\t);\n\t\t\tbreak;\n\t\tcase 1:\n\t\t\tdev_notice(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"Watchdog Timer Time-Out\\n\"\n\t\t\t);\n\t\t\tbreak;\n\t\tcase 2:\n\t\t\tdev_notice(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"Transceiver woken up from Power-Off by Sleep Timer Time-Out\\n\");\n\t\t\tbreak;\n\t\tcase 3:\n\t\t\tdev_notice(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"Transceiver woken up from Power-Off by GPIO Activity\\n\"\n\t\t\t);\n\t\t\tbreak;\n\t\tcase 4:\n\t\t\tdev_notice(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"Transceiver woken up from Standby by Sleep Timer Time-Out\\n\"\n\t\t\t);\n\t\t\tbreak;\n\t\tcase 5:\n\t\t\tdev_notice(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"Transceiver woken up from Standby by GPIO Activity\\n\"\n\t\t\t);\n\t\t\tbreak;\n\t\tcase 6:\n\t\t\tdev_notice(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"Sleep-Timer Time-Out in Active Mode\\n\"\n\t\t\t);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tdev_warn(&priv->spi->dev, \"Wakeup reason unknown\\n\");\n\t\t\tbreak;\n\t\t}\n\t\tcomplete(&priv->ca8210_is_awake);\n\t}\n\nfinish:;\n}", "project": "linux", "hash": 277603219964557678399317295224485337391, "size": 110, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408784 }, { "func": "R_API int 
r_sys_run_rop(const ut8 *buf, int len) {\n#if USE_FORK\n\tint st;\n#endif\n\t// TODO: define R_SYS_ALIGN_FORWARD in r_util.h\n\tut8 *bufptr = malloc (len);\n\tif (!bufptr) {\n\t\teprintf (\"r_sys_run_rop: Cannot allocate buffer\\n\");\n\t\treturn false;\n\t}\n\n\tif (!buf) {\n\t\teprintf (\"r_sys_run_rop: Cannot execute empty rop chain\\n\");\n\t\tfree (bufptr);\n\t\treturn false;\n\t}\n\tmemcpy (bufptr, buf, len);\n#if USE_FORK\n#if __UNIX__\n\tpid_t pid = r_sys_fork ();\n#else\n\tpid = -1;\n#endif\n\tif (pid < 0) {\n\t\tR_SYS_ASM_START_ROP ();\n\t} else {\n\t\tR_SYS_ASM_START_ROP ();\n\t\texit (0);\n return 0;\n\t}\n\tst = 0;\n\tif (waitpid (pid, &st, 0) == -1) {\n eprintf (\"r_sys_run_rop: waitpid failed\\n\");\n free (bufptr);\n return -1;\n }\n\tif (WIFSIGNALED (st)) {\n\t\tint num = WTERMSIG (st);\n\t\teprintf (\"Got signal %d\\n\", num);\n\t\tret = num;\n\t} else {\n\t\tret = WEXITSTATUS (st);\n\t}\n#else\n\tR_SYS_ASM_START_ROP ();\n#endif\n\tfree (bufptr);\n\treturn 0;\n}", "project": "radare2", "hash": 140876238369297078931671421612418821871, "size": 49, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268906 }, { "func": "otError Commissioner::RemoveJoiner(const Mac::ExtAddress *aEui64, uint32_t aDelay)\n{\n otError error = OT_ERROR_NOT_FOUND;\n\n VerifyOrExit(mState == OT_COMMISSIONER_STATE_ACTIVE, error = OT_ERROR_INVALID_STATE);\n\n for (Joiner *joiner = &mJoiners[0]; joiner < OT_ARRAY_END(mJoiners); joiner++)\n {\n if (!joiner->mValid)\n {\n continue;\n }\n\n if (aEui64 != NULL)\n {\n if (joiner->mEui64 != *aEui64)\n {\n continue;\n }\n }\n else if (!joiner->mAny)\n {\n continue;\n }\n\n if (aDelay > 0)\n {\n TimeMilli now = TimerMilli::GetNow();\n\n if ((joiner->mExpirationTime > now) && (joiner->mExpirationTime - now > Time::SecToMsec(aDelay)))\n {\n joiner->mExpirationTime = now + Time::SecToMsec(aDelay);\n UpdateJoinerExpirationTimer();\n }\n }\n else\n {\n Mac::ExtAddress joinerId;\n\n joiner->mValid = false;\n UpdateJoinerExpirationTimer();\n SendCommissionerSet();\n\n otLogInfoMeshCoP(\"Removed Joiner (%s)\", (aEui64 != NULL) ? 
aEui64->ToString().AsCString() : \"*\");\n\n ComputeJoinerId(joiner->mEui64, joinerId);\n SignalJoinerEvent(OT_COMMISSIONER_JOINER_REMOVED, joinerId);\n }\n\n ExitNow(error = OT_ERROR_NONE);\n }\n\nexit:\n return error;\n}", "project": "openthread", "hash": 122289868811975741814307101252833319362, "size": 55, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269869 }, { "func": "static int prompt_flag (RCore *r, char *s, size_t maxlen) {\n\tconst char DOTS[] = \"...\";\n\tconst RFlagItem *f = r_flag_get_at (r->flags, r->offset, false);\n\tif (!f) {\n\t\treturn false;\n\t}\n\tif (f->offset < r->offset) {\n\t\tsnprintf (s, maxlen, \"%s + %\" PFMT64u, f->name, r->offset - f->offset);\n\t} else {\n\t\tsnprintf (s, maxlen, \"%s\", f->name);\n\t}\n\tif (strlen (s) > maxlen - sizeof (DOTS)) {\n\t\ts[maxlen - sizeof (DOTS) - 1] = '\\0';\n\t\tstrcat (s, DOTS);\n\t}\n\treturn true;\n}", "project": "radare2", "hash": 27790306826956533801307044902949566750, "size": 17, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232181 }, { "func": "static inline void kvm_arch_free_vm(struct kvm *kvm)\n{\n\tkfree(kvm);\n}", "project": "linux", "hash": 199637661788392814022907671970849283607, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: 
<20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354502 }, { "func": "static void t_blosc_do_job(void *ctxt)\n{\n struct thread_context* thcontext = (struct thread_context*)ctxt;\n blosc2_context* context = thcontext->parent_context;\n int32_t cbytes;\n int32_t ntdest;\n int32_t tblocks; /* number of blocks per thread */\n int32_t tblock; /* limit block on a thread */\n int32_t nblock_; /* private copy of nblock */\n int32_t bsize;\n int32_t leftoverblock;\n /* Parameters for threads */\n int32_t blocksize;\n int32_t ebsize;\n int32_t srcsize;\n bool compress = context->do_compress != 0;\n int32_t maxbytes;\n int32_t nblocks;\n int32_t leftover;\n int32_t leftover2;\n int32_t* bstarts;\n const uint8_t* src;\n uint8_t* dest;\n uint8_t* tmp;\n uint8_t* tmp2;\n uint8_t* tmp3;\n\n /* Get parameters for this thread before entering the main loop */\n blocksize = context->blocksize;\n ebsize = blocksize + context->typesize * sizeof(int32_t);\n maxbytes = context->destsize;\n nblocks = context->nblocks;\n leftover = context->leftover;\n bstarts = context->bstarts;\n src = context->src;\n srcsize = context->srcsize;\n dest = context->dest;\n\n /* Resize the temporaries if needed */\n if (blocksize != thcontext->tmp_blocksize) {\n my_free(thcontext->tmp);\n thcontext->tmp_nbytes = (size_t)3 * context->blocksize + ebsize;\n thcontext->tmp = my_malloc(thcontext->tmp_nbytes);\n thcontext->tmp2 = thcontext->tmp + blocksize;\n thcontext->tmp3 = thcontext->tmp + blocksize + ebsize;\n thcontext->tmp4 = thcontext->tmp + 2 * blocksize + ebsize;\n thcontext->tmp_blocksize = blocksize;\n }\n\n tmp = thcontext->tmp;\n tmp2 = thcontext->tmp2;\n tmp3 = thcontext->tmp3;\n\n // Determine whether we can do a static distribution of workload among different threads\n bool memcpyed = context->header_flags & (uint8_t)BLOSC_MEMCPYED;\n bool static_schedule = (!compress || memcpyed) && 
context->block_maskout == NULL;\n if (static_schedule) {\n /* Blocks per thread */\n tblocks = nblocks / context->nthreads;\n leftover2 = nblocks % context->nthreads;\n tblocks = (leftover2 > 0) ? tblocks + 1 : tblocks;\n nblock_ = thcontext->tid * tblocks;\n tblock = nblock_ + tblocks;\n if (tblock > nblocks) {\n tblock = nblocks;\n }\n }\n else {\n // Use dynamic schedule via a queue. Get the next block.\n pthread_mutex_lock(&context->count_mutex);\n context->thread_nblock++;\n nblock_ = context->thread_nblock;\n pthread_mutex_unlock(&context->count_mutex);\n tblock = nblocks;\n }\n\n /* Loop over blocks */\n leftoverblock = 0;\n while ((nblock_ < tblock) && (context->thread_giveup_code > 0)) {\n bsize = blocksize;\n if (nblock_ == (nblocks - 1) && (leftover > 0)) {\n bsize = leftover;\n leftoverblock = 1;\n }\n if (compress) {\n if (memcpyed) {\n if (!context->prefilter) {\n /* We want to memcpy only */\n memcpy(dest + BLOSC_MAX_OVERHEAD + nblock_ * blocksize,\n src + nblock_ * blocksize, (unsigned int) bsize);\n cbytes = (int32_t) bsize;\n }\n else {\n /* Only the prefilter has to be executed, and this is done in blosc_c().\n * However, no further actions are needed, so we can put the result\n * directly in dest. 
*/\n cbytes = blosc_c(thcontext, bsize, leftoverblock, 0,\n ebsize, src, nblock_ * blocksize,\n dest + BLOSC_MAX_OVERHEAD + nblock_ * blocksize,\n tmp, tmp3);\n }\n }\n else {\n /* Regular compression */\n cbytes = blosc_c(thcontext, bsize, leftoverblock, 0,\n ebsize, src, nblock_ * blocksize, tmp2, tmp, tmp3);\n }\n }\n else {\n if (memcpyed) {\n /* We want to memcpy only */\n if (srcsize < BLOSC_MAX_OVERHEAD + (nblock_ * blocksize) + bsize) {\n /* Not enough input to copy data */\n\n cbytes = -1;\n } else {\n memcpy(dest + nblock_ * blocksize,\n src + BLOSC_MAX_OVERHEAD + nblock_ * blocksize, (unsigned int)bsize);\n cbytes = (int32_t)bsize;\n }\n }\n else {\n if (srcsize < (int32_t)(BLOSC_MAX_OVERHEAD + (sizeof(int32_t) * nblocks))) {\n /* Not enough input to read all `bstarts` */\n cbytes = -1;\n } else {\n cbytes = blosc_d(thcontext, bsize, leftoverblock,\n src, srcsize, sw32_(bstarts + nblock_),\n dest, nblock_ * blocksize, tmp, tmp2);\n }\n }\n }\n\n /* Check whether current thread has to giveup */\n if (context->thread_giveup_code <= 0) {\n break;\n }\n\n /* Check results for the compressed/decompressed block */\n if (cbytes < 0) { /* compr/decompr failure */\n /* Set giveup_code error */\n pthread_mutex_lock(&context->count_mutex);\n context->thread_giveup_code = cbytes;\n pthread_mutex_unlock(&context->count_mutex);\n break;\n }\n\n if (compress && !memcpyed) {\n /* Start critical section */\n pthread_mutex_lock(&context->count_mutex);\n ntdest = context->output_bytes;\n // Note: do not use a typical local dict_training variable here\n // because it is probably cached from previous calls if the number of\n // threads does not change (the usual thing).\n if (!(context->use_dict && context->dict_cdict == NULL)) {\n _sw32(bstarts + nblock_, (int32_t) ntdest);\n }\n\n if ((cbytes == 0) || (ntdest + cbytes > maxbytes)) {\n context->thread_giveup_code = 0; /* uncompressible buf */\n pthread_mutex_unlock(&context->count_mutex);\n break;\n }\n 
context->thread_nblock++;\n nblock_ = context->thread_nblock;\n context->output_bytes += cbytes;\n pthread_mutex_unlock(&context->count_mutex);\n /* End of critical section */\n\n /* Copy the compressed buffer to destination */\n memcpy(dest + ntdest, tmp2, (unsigned int) cbytes);\n }\n else if (static_schedule) {\n nblock_++;\n }\n else {\n pthread_mutex_lock(&context->count_mutex);\n context->thread_nblock++;\n nblock_ = context->thread_nblock;\n context->output_bytes += cbytes;\n pthread_mutex_unlock(&context->count_mutex);\n }\n\n } /* closes while (nblock_) */\n\n if (static_schedule) {\n context->output_bytes = context->sourcesize;\n if (compress) {\n context->output_bytes += BLOSC_MAX_OVERHEAD;\n }\n }\n\n}", "project": "c-blosc2", "hash": 80393219724171170535857779005666960543, "size": 193, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303077 }, { "func": "static void __register_prot_hook(struct sock *sk)\n{\n\tstruct packet_sock *po = pkt_sk(sk);\n\n\tif (!po->running) {\n\t\tif (po->fanout)\n\t\t\t__fanout_link(sk, po);\n\t\telse\n\t\t\tdev_add_pack(&po->prot_hook);\n\n\t\tsock_hold(sk);\n\t\tpo->running = 1;\n\t}\n}", "project": "linux", "hash": 80381719010736893162068925622812664592, "size": 14, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE 
sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330365 }, { "func": "static int nfs41_check_open_stateid(struct nfs4_state *state)\n{\n\tstruct nfs_server *server = NFS_SERVER(state->inode);\n\tnfs4_stateid *stateid = &state->open_stateid;\n\tconst struct cred *cred = state->owner->so_cred;\n\tint status;\n\n\tif (test_bit(NFS_OPEN_STATE, &state->flags) == 0)\n\t\treturn -NFS4ERR_BAD_STATEID;\n\tstatus = nfs41_test_and_free_expired_stateid(server, stateid, cred);\n\ttrace_nfs4_test_open_stateid(state, NULL, status);\n\tif (status == -NFS4ERR_EXPIRED || status == -NFS4ERR_BAD_STATEID) {\n\t\tnfs_state_clear_open_state_flags(state);\n\t\tstateid->type = NFS4_INVALID_STATEID_TYPE;\n\t\treturn status;\n\t}\n\tif (nfs_open_stateid_recover_openmode(state))\n\t\treturn -NFS4ERR_OPENMODE;\n\treturn NFS_OK;\n}", "project": "linux", "hash": 26799241678966244421417597125554688237, "size": 20, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431549 }, { "func": "static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)\n{\n\tstruct net *net = sock_net(sk);\n\tint err;\n\tstruct sadb_address *sa;\n\tstruct sadb_x_policy *pol;\n\tstruct xfrm_policy *xp;\n\tstruct xfrm_selector sel;\n\tstruct km_event c;\n\tstruct sadb_x_sec_ctx *sec_ctx;\n\tstruct xfrm_sec_ctx *pol_ctx = NULL;\n\n\tif (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],\n\t\t\t\t ext_hdrs[SADB_EXT_ADDRESS_DST-1]) ||\n\t 
!ext_hdrs[SADB_X_EXT_POLICY-1])\n\t\treturn -EINVAL;\n\n\tpol = ext_hdrs[SADB_X_EXT_POLICY-1];\n\tif (!pol->sadb_x_policy_dir || pol->sadb_x_policy_dir >= IPSEC_DIR_MAX)\n\t\treturn -EINVAL;\n\n\tmemset(&sel, 0, sizeof(sel));\n\n\tsa = ext_hdrs[SADB_EXT_ADDRESS_SRC-1];\n\tsel.family = pfkey_sadb_addr2xfrm_addr(sa, &sel.saddr);\n\tsel.prefixlen_s = sa->sadb_address_prefixlen;\n\tsel.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);\n\tsel.sport = ((struct sockaddr_in *)(sa+1))->sin_port;\n\tif (sel.sport)\n\t\tsel.sport_mask = htons(0xffff);\n\n\tsa = ext_hdrs[SADB_EXT_ADDRESS_DST-1];\n\tpfkey_sadb_addr2xfrm_addr(sa, &sel.daddr);\n\tsel.prefixlen_d = sa->sadb_address_prefixlen;\n\tsel.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);\n\tsel.dport = ((struct sockaddr_in *)(sa+1))->sin_port;\n\tif (sel.dport)\n\t\tsel.dport_mask = htons(0xffff);\n\n\tsec_ctx = ext_hdrs[SADB_X_EXT_SEC_CTX - 1];\n\tif (sec_ctx != NULL) {\n\t\tstruct xfrm_user_sec_ctx *uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx, GFP_KERNEL);\n\n\t\tif (!uctx)\n\t\t\treturn -ENOMEM;\n\n\t\terr = security_xfrm_policy_alloc(&pol_ctx, uctx, GFP_KERNEL);\n\t\tkfree(uctx);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\n\txp = xfrm_policy_bysel_ctx(net, &dummy_mark, 0, XFRM_POLICY_TYPE_MAIN,\n\t\t\t\t pol->sadb_x_policy_dir - 1, &sel, pol_ctx,\n\t\t\t\t 1, &err);\n\tsecurity_xfrm_policy_free(pol_ctx);\n\tif (xp == NULL)\n\t\treturn -ENOENT;\n\n\txfrm_audit_policy_delete(xp, err ? 
0 : 1, true);\n\n\tif (err)\n\t\tgoto out;\n\n\tc.seq = hdr->sadb_msg_seq;\n\tc.portid = hdr->sadb_msg_pid;\n\tc.data.byid = 0;\n\tc.event = XFRM_MSG_DELPOLICY;\n\tkm_policy_notify(xp, pol->sadb_x_policy_dir-1, &c);\n\nout:\n\txfrm_pol_put(xp);\n\treturn err;\n}", "project": "linux", "hash": 95232288858962186782599497703435415671, "size": 74, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268024 }, { "func": "void extcap_config() {\n int i, argidx = 0;\n struct ndpi_proto_sorter *protos;\n u_int ndpi_num_supported_protocols = ndpi_get_ndpi_num_supported_protocols(ndpi_info_mod);\n ndpi_proto_defaults_t *proto_defaults = ndpi_get_proto_defaults(ndpi_info_mod);\n\n /* -i */\n printf(\"arg {number=%d}{call=-i}{display=Capture Interface}{type=string}\"\n\t \"{tooltip=The interface name}\\n\", argidx++);\n printf(\"arg {number=%d}{call=-i}{display=Pcap File to Analyze}{type=fileselect}\"\n\t \"{tooltip=The pcap file to analyze (if the interface is unspecified)}\\n\", argidx++);\n\n protos = (struct ndpi_proto_sorter*)malloc(sizeof(struct ndpi_proto_sorter) * ndpi_num_supported_protocols);\n if(!protos) exit(0);\n\n for(i=0; i<(int) ndpi_num_supported_protocols; i++) {\n 
protos[i].id = i;\n snprintf(protos[i].name, sizeof(protos[i].name), \"%s\", proto_defaults[i].protoName);\n }\n\n qsort(protos, ndpi_num_supported_protocols, sizeof(struct ndpi_proto_sorter), cmpProto);\n\n printf(\"arg {number=%d}{call=-9}{display=nDPI Protocol Filter}{type=selector}\"\n\t \"{tooltip=nDPI Protocol to be filtered}\\n\", argidx);\n\n printf(\"value {arg=%d}{value=%d}{display=%s}\\n\", argidx, -1, \"All Protocols (no nDPI filtering)\");\n\n for(i=0; i<(int)ndpi_num_supported_protocols; i++)\n printf(\"value {arg=%d}{value=%d}{display=%s (%d)}\\n\", argidx, protos[i].id,\n\t protos[i].name, protos[i].id);\n\n free(protos);\n\n exit(0);\n}", "project": "nDPI", "hash": 293791895166943076497824782077048201749, "size": 35, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254857 }, { "func": "static void path_count_init(void)\n{\n\tint i;\n\n\tfor (i = 0; i < PATH_ARR_SIZE; i++)\n\t\tpath_count[i] = 0;\n}", "project": "linux", "hash": 274651373575747844352715745083684387849, "size": 7, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336246 }, { "func": "static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)\n{\n\tstruct hci_cp_create_conn *cp;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);\n\n\tBT_DBG(\"%s bdaddr %pMR hcon %p\", hdev->name, &cp->bdaddr, conn);\n\n\tif (status) {\n\t\tif (conn && conn->state == BT_CONNECT) {\n\t\t\tif (status != 0x0c || conn->attempt > 2) {\n\t\t\t\tconn->state = 
BT_CLOSED;\n\t\t\t\thci_connect_cfm(conn, status);\n\t\t\t\thci_conn_del(conn);\n\t\t\t} else\n\t\t\t\tconn->state = BT_CONNECT2;\n\t\t}\n\t} else {\n\t\tif (!conn) {\n\t\t\tconn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,\n\t\t\t\t\t HCI_ROLE_MASTER);\n\t\t\tif (!conn)\n\t\t\t\tbt_dev_err(hdev, \"no memory for new connection\");\n\t\t}\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 136912986182878645302777948881200866028, "size": 37, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431970 }, { "func": "void kvm_arch_vcpu_load(struct kvm_vcpu *vcpu, int cpu)\n{\n\n\tgmap_enable(vcpu->arch.enabled_gmap);\n\tkvm_s390_set_cpuflags(vcpu, CPUSTAT_RUNNING);\n\tif (vcpu->arch.cputm_enabled && !is_vcpu_idle(vcpu))\n\t\t__start_cpu_timer_accounting(vcpu);\n\tvcpu->cpu = cpu;\n}", "project": "linux", "hash": 231555185885771255920732475848423794242, "size": 9, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian 
Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354567 }, { "func": "static inline void tcp_advance_highest_sack(struct sock *sk, struct sk_buff *skb)\n{\n\ttcp_sk(sk)->highest_sack = tcp_skb_is_last(sk, skb) ? NULL :\n\t\t\t\t\t\ttcp_write_queue_next(sk, skb);\n}", "project": "linux", "hash": 246129762974249899533870634758211007257, "size": 5, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410811 }, { "func": "static int pfkey_getspi(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)\n{\n\tstruct net *net = sock_net(sk);\n\tstruct sk_buff *resp_skb;\n\tstruct sadb_x_sa2 *sa2;\n\tstruct sadb_address *saddr, *daddr;\n\tstruct sadb_msg *out_hdr;\n\tstruct sadb_spirange *range;\n\tstruct xfrm_state *x = NULL;\n\tint mode;\n\tint err;\n\tu32 min_spi, max_spi;\n\tu32 reqid;\n\tu8 proto;\n\tunsigned short family;\n\txfrm_address_t *xsaddr = NULL, *xdaddr = NULL;\n\n\tif (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],\n\t\t\t\t ext_hdrs[SADB_EXT_ADDRESS_DST-1]))\n\t\treturn -EINVAL;\n\n\tproto = pfkey_satype2proto(hdr->sadb_msg_satype);\n\tif (proto == 0)\n\t\treturn -EINVAL;\n\n\tif ((sa2 = ext_hdrs[SADB_X_EXT_SA2-1]) != NULL) {\n\t\tmode = pfkey_mode_to_xfrm(sa2->sadb_x_sa2_mode);\n\t\tif (mode < 0)\n\t\t\treturn -EINVAL;\n\t\treqid = sa2->sadb_x_sa2_reqid;\n\t} else {\n\t\tmode = 0;\n\t\treqid = 0;\n\t}\n\n\tsaddr = ext_hdrs[SADB_EXT_ADDRESS_SRC-1];\n\tdaddr = ext_hdrs[SADB_EXT_ADDRESS_DST-1];\n\n\tfamily = ((struct sockaddr *)(saddr + 1))->sa_family;\n\tswitch (family) {\n\tcase AF_INET:\n\t\txdaddr = (xfrm_address_t *)&((struct sockaddr_in *)(daddr + 1))->sin_addr.s_addr;\n\t\txsaddr = (xfrm_address_t *)&((struct sockaddr_in *)(saddr + 1))->sin_addr.s_addr;\n\t\tbreak;\n#if IS_ENABLED(CONFIG_IPV6)\n\tcase AF_INET6:\n\t\txdaddr = (xfrm_address_t *)&((struct sockaddr_in6 *)(daddr + 1))->sin6_addr;\n\t\txsaddr = (xfrm_address_t *)&((struct sockaddr_in6 *)(saddr + 1))->sin6_addr;\n\t\tbreak;\n#endif\n\t}\n\n\tif (hdr->sadb_msg_seq) {\n\t\tx = xfrm_find_acq_byseq(net, DUMMY_MARK, hdr->sadb_msg_seq);\n\t\tif (x && !xfrm_addr_equal(&x->id.daddr, xdaddr, family)) {\n\t\t\txfrm_state_put(x);\n\t\t\tx = NULL;\n\t\t}\n\t}\n\n\tif (!x)\n\t\tx = xfrm_find_acq(net, &dummy_mark, mode, reqid, 0, proto, xdaddr, xsaddr, 1, family);\n\n\tif (x == NULL)\n\t\treturn 
-ENOENT;\n\n\tmin_spi = 0x100;\n\tmax_spi = 0x0fffffff;\n\n\trange = ext_hdrs[SADB_EXT_SPIRANGE-1];\n\tif (range) {\n\t\tmin_spi = range->sadb_spirange_min;\n\t\tmax_spi = range->sadb_spirange_max;\n\t}\n\n\terr = verify_spi_info(x->id.proto, min_spi, max_spi);\n\tif (err) {\n\t\txfrm_state_put(x);\n\t\treturn err;\n\t}\n\n\terr = xfrm_alloc_spi(x, min_spi, max_spi);\n\tresp_skb = err ? ERR_PTR(err) : pfkey_xfrm_state2msg(x);\n\n\tif (IS_ERR(resp_skb)) {\n\t\txfrm_state_put(x);\n\t\treturn PTR_ERR(resp_skb);\n\t}\n\n\tout_hdr = (struct sadb_msg *) resp_skb->data;\n\tout_hdr->sadb_msg_version = hdr->sadb_msg_version;\n\tout_hdr->sadb_msg_type = SADB_GETSPI;\n\tout_hdr->sadb_msg_satype = pfkey_proto2satype(proto);\n\tout_hdr->sadb_msg_errno = 0;\n\tout_hdr->sadb_msg_reserved = 0;\n\tout_hdr->sadb_msg_seq = hdr->sadb_msg_seq;\n\tout_hdr->sadb_msg_pid = hdr->sadb_msg_pid;\n\n\txfrm_state_put(x);\n\n\tpfkey_broadcast(resp_skb, GFP_KERNEL, BROADCAST_ONE, sk, net);\n\n\treturn 0;\n}", "project": "linux", "hash": 47982540976459159208290409929009091242, "size": 104, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 267991 }, { "func": "void gdImageDestroy (gdImagePtr im)\n{\n\tint i;\n\tif (im->pixels) {\n\t\tfor (i = 0; i < im->sy; i++) {\n\t\t\tgdFree(im->pixels[i]);\n\t\t}\n\t\tgdFree(im->pixels);\n\t}\n\tif (im->tpixels) {\n\t\tfor (i = 0; i < im->sy; i++) {\n\t\t\tgdFree(im->tpixels[i]);\n\t\t}\n\t\tgdFree(im->tpixels);\n\t}\n\tif (im->AA_opacity) {\n\t\tfor (i = 0; i < im->sy; i++) {\n\t\t\tgdFree(im->AA_opacity[i]);\n\t\t}\n\t\tgdFree(im->AA_opacity);\n\t}\n\tif (im->polyInts) {\n\t\tgdFree(im->polyInts);\n\t}\n\tif (im->style) {\n\t\tgdFree(im->style);\n\t}\n\tgdFree(im);\n}", "project": "php-src", "hash": 86074423689893185022743928723707005889, "size": 29, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295185 }, { "func": "static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,\n\t\tstruct nfs_pathconf *pathconf)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\n\tdo {\n\t\terr = nfs4_handle_exception(server,\n\t\t\t\t_nfs4_proc_pathconf(server, fhandle, pathconf),\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 154879474197394385526468367767748862447, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate 
test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430940 }, { "func": "static void nfs4_xdr_enc_lookup(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\tconst void *data)\n{\n\tconst struct nfs4_lookup_arg *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->dir_fh, &hdr);\n\tencode_lookup(xdr, args->name, &hdr);\n\tencode_getfh(xdr, &hdr);\n\tencode_getfattr(xdr, args->bitmask, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 290799205728242883379760651856403887841, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431478 }, { "func": "}\n\nstatic int\niscsi_get_host_stats(struct iscsi_transport *transport, struct nlmsghdr *nlh)\n{\n\tstruct iscsi_uevent *ev = nlmsg_data(nlh);\n\tstruct Scsi_Host *shost = NULL;\n\tstruct iscsi_internal *priv;\n\tstruct sk_buff *skbhost_stats;\n\tstruct nlmsghdr *nlhhost_stats;\n\tstruct iscsi_uevent *evhost_stats;\n\tint host_stats_size = 0;\n\tint len, err = 0;\n\tchar *buf;\n\n\tif (!transport->get_host_stats)\n\t\treturn -ENOSYS;\n\n\tpriv = iscsi_if_transport_lookup(transport);\n\tif (!priv)\n\t\treturn -EINVAL;\n\n\thost_stats_size = sizeof(struct iscsi_offload_host_stats);\n\tlen = nlmsg_total_size(sizeof(*ev) + host_stats_size);\n\n\tshost = scsi_host_lookup(ev->u.get_host_stats.host_no);\n\tif (!shost) {\n\t\tpr_err(\"%s: failed. 
Could not find host no %u\\n\",\n\t\t __func__, ev->u.get_host_stats.host_no);\n\t\treturn -ENODEV;\n\t}\n\n\tdo {\n\t\tint actual_size;\n\n\t\tskbhost_stats = alloc_skb(len, GFP_KERNEL);\n\t\tif (!skbhost_stats) {\n\t\t\tpr_err(\"cannot deliver host stats: OOM\\n\");\n\t\t\terr = -ENOMEM;\n\t\t\tgoto exit_host_stats;\n\t\t}\n\n\t\tnlhhost_stats = __nlmsg_put(skbhost_stats, 0, 0, 0,\n\t\t\t\t (len - sizeof(*nlhhost_stats)), 0);\n\t\tevhost_stats = nlmsg_data(nlhhost_stats);\n\t\tmemset(evhost_stats, 0, sizeof(*evhost_stats));\n\t\tevhost_stats->transport_handle = iscsi_handle(transport);\n\t\tevhost_stats->type = nlh->nlmsg_type;\n\t\tevhost_stats->u.get_host_stats.host_no =\n\t\t\t\t\tev->u.get_host_stats.host_no;\n\t\tbuf = (char *)evhost_stats + sizeof(*evhost_stats);\n\t\tmemset(buf, 0, host_stats_size);\n\n\t\terr = transport->get_host_stats(shost, buf, host_stats_size);\n\t\tif (err) {\n\t\t\tkfree_skb(skbhost_stats);\n\t\t\tgoto exit_host_stats;\n\t\t}\n\n\t\tactual_size = nlmsg_total_size(sizeof(*ev) + host_stats_size);\n\t\tskb_trim(skbhost_stats, NLMSG_ALIGN(actual_size));\n\t\tnlhhost_stats->nlmsg_len = actual_size;\n\n\t\terr = iscsi_multicast_skb(skbhost_stats, ISCSI_NL_GRP_ISCSID,\n\t\t\t\t\t GFP_KERNEL);\n\t} while (err < 0 && err != -ECONNREFUSED);\n\nexit_host_stats:", "project": "linux", "hash": 241606322455459624370633457942169317114, "size": 68, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 380015 }, { "func": " */\nstatic bool bfq_bfqq_higher_class_or_weight(struct bfq_queue *bfqq,\n\t\t\t\t\t struct bfq_queue *in_serv_bfqq)\n{\n\tint bfqq_weight, in_serv_weight;\n\n\tif (bfqq->ioprio_class < in_serv_bfqq->ioprio_class)\n\t\treturn true;\n\n\tif (in_serv_bfqq->entity.parent == bfqq->entity.parent) {\n\t\tbfqq_weight = bfqq->entity.weight;\n\t\tin_serv_weight = in_serv_bfqq->entity.weight;\n\t} else {\n\t\tif (bfqq->entity.parent)\n\t\t\tbfqq_weight = bfqq->entity.parent->weight;\n\t\telse\n\t\t\tbfqq_weight = bfqq->entity.weight;\n\t\tif (in_serv_bfqq->entity.parent)\n\t\t\tin_serv_weight = in_serv_bfqq->entity.parent->weight;\n\t\telse\n\t\t\tin_serv_weight = in_serv_bfqq->entity.weight;\n\t}\n\n\treturn bfqq_weight > in_serv_weight;", "project": "linux", "hash": 230958291306457022341638734503257220769, "size": 24, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453370 }, { "func": "inline bool StringData::isProxy() const { return m_data != payload(); }", "project": "hhvm", "hash": 110791788413079619469919171452192989579, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219189 }, { "func": "void revise_cache_usage(JOIN_TAB *join_tab)\n{\n JOIN_TAB *tab;\n JOIN_TAB *first_inner;\n\n if (join_tab->first_inner)\n {\n JOIN_TAB *end_tab= join_tab;\n for (first_inner= join_tab->first_inner; \n first_inner;\n first_inner= first_inner->first_upper) \n {\n for (tab= end_tab; tab >= first_inner; tab--)\n set_join_cache_denial(tab);\n end_tab= first_inner;\n }\n }\n else if (join_tab->first_sj_inner_tab)\n {\n first_inner= join_tab->first_sj_inner_tab;\n for (tab= join_tab; tab >= 
first_inner; tab--)\n {\n set_join_cache_denial(tab);\n }\n }\n else set_join_cache_denial(join_tab);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 317883150562983057879292657542449587277, "size": 27, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508685 }, { "func": "static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)\n{\n\tstruct hci_cp_auth_requested *cp;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (!status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));\n\tif (conn) {\n\t\tif (conn->state == BT_CONFIG) {\n\t\t\thci_connect_cfm(conn, status);\n\t\t\thci_conn_drop(conn);\n\t\t}\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 240699750720040230168333128615703608988, "size": 26, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431877 }, { "func": "static ssize_t fuse_send_read(struct fuse_io_args *ia, loff_t pos, size_t count,\n\t\t\t fl_owner_t owner)\n{\n\tstruct file *file = ia->io->iocb->ki_filp;\n\tstruct fuse_file *ff = file->private_data;\n\tstruct fuse_mount *fm = ff->fm;\n\n\tfuse_read_args_fill(ia, file, pos, count, FUSE_READ);\n\tif (owner != NULL) {\n\t\tia->read.in.read_flags |= FUSE_READ_LOCKOWNER;\n\t\tia->read.in.lock_owner = fuse_lock_owner_id(fm->fc, owner);\n\t}\n\n\tif (ia->io->async)\n\t\treturn fuse_async_req_send(fm, ia, count);\n\n\treturn fuse_simple_request(fm, &ia->ap.args);\n}", "project": "linux", "hash": 142906794494202973541743112006978903551, "size": 18, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341884 }, { "func": "int tcp_rcv_established(struct sock *sk, struct sk_buff *skb,\n\t\t\tconst struct tcphdr *th, unsigned int len)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tint res;\n\n\t/*\n\t *\tHeader prediction.\n\t *\tThe code loosely follows the one in the famous\n\t *\t\"30 instruction TCP receive\" Van Jacobson mail.\n\t *\n\t *\tVan's trick is to deposit buffers into socket queue\n\t *\ton a device interrupt, to call tcp_recv function\n\t *\ton the receive process context and checksum and copy\n\t *\tthe buffer to user space. smart...\n\t *\n\t *\tOur current scheme is not silly either but we take the\n\t *\textra cost of the net_bh soft interrupt processing...\n\t *\tWe do checksum and copy also but from device to kernel.\n\t */\n\n\ttp->rx_opt.saw_tstamp = 0;\n\n\t/*\tpred_flags is 0xS?10 << 16 + snd_wnd\n\t *\tif header_prediction is to be made\n\t *\t'S' will always be tp->tcp_header_len >> 2\n\t *\t'?' will be 0 for the fast path, otherwise pred_flags is 0 to\n\t * turn it off\t(when there are holes in the receive\n\t *\t space for instance)\n\t *\tPSH flag is ignored.\n\t */\n\n\tif ((tcp_flag_word(th) & TCP_HP_BITS) == tp->pred_flags &&\n\t TCP_SKB_CB(skb)->seq == tp->rcv_nxt &&\n\t !after(TCP_SKB_CB(skb)->ack_seq, tp->snd_nxt)) {\n\t\tint tcp_header_len = tp->tcp_header_len;\n\n\t\t/* Timestamp header prediction: tcp_header_len\n\t\t * is automatically equal to th->doff*4 due to pred_flags\n\t\t * match.\n\t\t */\n\n\t\t/* Check timestamp */\n\t\tif (tcp_header_len == sizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED) {\n\t\t\t/* No? Slow path! 
*/\n\t\t\tif (!tcp_parse_aligned_timestamp(tp, th))\n\t\t\t\tgoto slow_path;\n\n\t\t\t/* If PAWS failed, check it more carefully in slow path */\n\t\t\tif ((s32)(tp->rx_opt.rcv_tsval - tp->rx_opt.ts_recent) < 0)\n\t\t\t\tgoto slow_path;\n\n\t\t\t/* DO NOT update ts_recent here, if checksum fails\n\t\t\t * and timestamp was corrupted part, it will result\n\t\t\t * in a hung connection since we will drop all\n\t\t\t * future packets due to the PAWS test.\n\t\t\t */\n\t\t}\n\n\t\tif (len <= tcp_header_len) {\n\t\t\t/* Bulk data transfer: sender */\n\t\t\tif (len == tcp_header_len) {\n\t\t\t\t/* Predicted packet is in window by definition.\n\t\t\t\t * seq == rcv_nxt and rcv_wup <= rcv_nxt.\n\t\t\t\t * Hence, check seq<=rcv_wup reduces to:\n\t\t\t\t */\n\t\t\t\tif (tcp_header_len ==\n\t\t\t\t (sizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED) &&\n\t\t\t\t tp->rcv_nxt == tp->rcv_wup)\n\t\t\t\t\ttcp_store_ts_recent(tp);\n\n\t\t\t\t/* We know that such packets are checksummed\n\t\t\t\t * on entry.\n\t\t\t\t */\n\t\t\t\ttcp_ack(sk, skb, 0);\n\t\t\t\t__kfree_skb(skb);\n\t\t\t\ttcp_data_snd_check(sk);\n\t\t\t\treturn 0;\n\t\t\t} else { /* Header too small */\n\t\t\t\tTCP_INC_STATS_BH(sock_net(sk), TCP_MIB_INERRS);\n\t\t\t\tgoto discard;\n\t\t\t}\n\t\t} else {\n\t\t\tint eaten = 0;\n\t\t\tint copied_early = 0;\n\n\t\t\tif (tp->copied_seq == tp->rcv_nxt &&\n\t\t\t len - tcp_header_len <= tp->ucopy.len) {\n#ifdef CONFIG_NET_DMA\n\t\t\t\tif (tcp_dma_try_early_copy(sk, skb, tcp_header_len)) {\n\t\t\t\t\tcopied_early = 1;\n\t\t\t\t\teaten = 1;\n\t\t\t\t}\n#endif\n\t\t\t\tif (tp->ucopy.task == current &&\n\t\t\t\t sock_owned_by_user(sk) && !copied_early) {\n\t\t\t\t\t__set_current_state(TASK_RUNNING);\n\n\t\t\t\t\tif (!tcp_copy_to_iovec(sk, skb, tcp_header_len))\n\t\t\t\t\t\teaten = 1;\n\t\t\t\t}\n\t\t\t\tif (eaten) {\n\t\t\t\t\t/* Predicted packet is in window by definition.\n\t\t\t\t\t * seq == rcv_nxt and rcv_wup <= rcv_nxt.\n\t\t\t\t\t * Hence, check seq<=rcv_wup reduces 
to:\n\t\t\t\t\t */\n\t\t\t\t\tif (tcp_header_len ==\n\t\t\t\t\t (sizeof(struct tcphdr) +\n\t\t\t\t\t TCPOLEN_TSTAMP_ALIGNED) &&\n\t\t\t\t\t tp->rcv_nxt == tp->rcv_wup)\n\t\t\t\t\t\ttcp_store_ts_recent(tp);\n\n\t\t\t\t\ttcp_rcv_rtt_measure_ts(sk, skb);\n\n\t\t\t\t\t__skb_pull(skb, tcp_header_len);\n\t\t\t\t\ttp->rcv_nxt = TCP_SKB_CB(skb)->end_seq;\n\t\t\t\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPHPHITSTOUSER);\n\t\t\t\t}\n\t\t\t\tif (copied_early)\n\t\t\t\t\ttcp_cleanup_rbuf(sk, skb->len);\n\t\t\t}\n\t\t\tif (!eaten) {\n\t\t\t\tif (tcp_checksum_complete_user(sk, skb))\n\t\t\t\t\tgoto csum_error;\n\n\t\t\t\t/* Predicted packet is in window by definition.\n\t\t\t\t * seq == rcv_nxt and rcv_wup <= rcv_nxt.\n\t\t\t\t * Hence, check seq<=rcv_wup reduces to:\n\t\t\t\t */\n\t\t\t\tif (tcp_header_len ==\n\t\t\t\t (sizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED) &&\n\t\t\t\t tp->rcv_nxt == tp->rcv_wup)\n\t\t\t\t\ttcp_store_ts_recent(tp);\n\n\t\t\t\ttcp_rcv_rtt_measure_ts(sk, skb);\n\n\t\t\t\tif ((int)skb->truesize > sk->sk_forward_alloc)\n\t\t\t\t\tgoto step5;\n\n\t\t\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPHPHITS);\n\n\t\t\t\t/* Bulk data transfer: receiver */\n\t\t\t\t__skb_pull(skb, tcp_header_len);\n\t\t\t\t__skb_queue_tail(&sk->sk_receive_queue, skb);\n\t\t\t\tskb_set_owner_r(skb, sk);\n\t\t\t\ttp->rcv_nxt = TCP_SKB_CB(skb)->end_seq;\n\t\t\t}\n\n\t\t\ttcp_event_data_recv(sk, skb);\n\n\t\t\tif (TCP_SKB_CB(skb)->ack_seq != tp->snd_una) {\n\t\t\t\t/* Well, only one small jumplet in fast path... 
*/\n\t\t\t\ttcp_ack(sk, skb, FLAG_DATA);\n\t\t\t\ttcp_data_snd_check(sk);\n\t\t\t\tif (!inet_csk_ack_scheduled(sk))\n\t\t\t\t\tgoto no_ack;\n\t\t\t}\n\n\t\t\tif (!copied_early || tp->rcv_nxt != tp->rcv_wup)\n\t\t\t\t__tcp_ack_snd_check(sk, 0);\nno_ack:\n#ifdef CONFIG_NET_DMA\n\t\t\tif (copied_early)\n\t\t\t\t__skb_queue_tail(&sk->sk_async_wait_queue, skb);\n\t\t\telse\n#endif\n\t\t\tif (eaten)\n\t\t\t\t__kfree_skb(skb);\n\t\t\telse\n\t\t\t\tsk->sk_data_ready(sk, 0);\n\t\t\treturn 0;\n\t\t}\n\t}\n\nslow_path:\n\tif (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb))\n\t\tgoto csum_error;\n\n\t/*\n\t *\tStandard slow path.\n\t */\n\n\tres = tcp_validate_incoming(sk, skb, th, 1);\n\tif (res <= 0)\n\t\treturn -res;\n\nstep5:\n\tif (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)\n\t\tgoto discard;\n\n\ttcp_rcv_rtt_measure_ts(sk, skb);\n\n\t/* Process urgent data. */\n\ttcp_urg(sk, skb, th);\n\n\t/* step 7: process the segment text */\n\ttcp_data_queue(sk, skb);\n\n\ttcp_data_snd_check(sk);\n\ttcp_ack_snd_check(sk);\n\treturn 0;\n\ncsum_error:\n\tTCP_INC_STATS_BH(sock_net(sk), TCP_MIB_INERRS);\n\ndiscard:\n\t__kfree_skb(skb);\n\treturn 0;\n}", "project": "net-next", "hash": 142589934222583992372823010217654382401, "size": 209, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409954 }, { "func": "\nstatic int io_queue_rsrc_removal(struct io_rsrc_data *data, unsigned idx,\n\t\t\t\t struct io_rsrc_node *node, void *rsrc)\n{\n\tstruct io_rsrc_put *prsrc;\n\n\tprsrc = kzalloc(sizeof(*prsrc), GFP_KERNEL);\n\tif (!prsrc)\n\t\treturn -ENOMEM;\n\n\tprsrc->tag = data->tags[idx];\n\tprsrc->rsrc = rsrc;\n\tlist_add(&prsrc->list, &node->rsrc_list);\n\treturn 0;", "project": "linux", "hash": 239887341359925076984223725484690691159, "size": 14, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338696 }, { "func": "static int fuse_access(struct inode *inode, int mask)\n{\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tFUSE_ARGS(args);\n\tstruct fuse_access_in inarg;\n\tint err;\n\n\tBUG_ON(mask & MAY_NOT_BLOCK);\n\n\tif (fm->fc->no_access)\n\t\treturn 0;\n\n\tmemset(&inarg, 0, sizeof(inarg));\n\tinarg.mask = mask & (MAY_READ | MAY_WRITE | MAY_EXEC);\n\targs.opcode = FUSE_ACCESS;\n\targs.nodeid = get_node_id(inode);\n\targs.in_numargs = 1;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\terr = fuse_simple_request(fm, &args);\n\tif (err == -ENOSYS) {\n\t\tfm->fc->no_access = 1;\n\t\terr = 0;\n\t}\n\treturn 
err;\n}", "project": "linux", "hash": 260361078115316354476746786227400958234, "size": 26, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341917 }, { "func": "void JOIN::exec_inner()\n{\n List *columns_list= &fields_list;\n DBUG_ENTER(\"JOIN::exec_inner\");\n DBUG_ASSERT(optimization_state == JOIN::OPTIMIZATION_DONE);\n\n THD_STAGE_INFO(thd, stage_executing);\n\n /*\n Enable LIMIT ROWS EXAMINED during query execution if:\n (1) This JOIN is the outermost query (not a subquery or derived table)\n This ensures that the limit is enabled when actual execution begins, and\n not if a subquery is evaluated during optimization of the outer query.\n (2) This JOIN is not the result of a UNION. 
In this case do not apply the\n limit in order to produce the partial query result stored in the\n UNION temp table.\n */\n if (!select_lex->outer_select() && // (1)\n select_lex != select_lex->master_unit()->fake_select_lex) // (2)\n thd->lex->set_limit_rows_examined();\n\n if (procedure)\n {\n procedure_fields_list= fields_list;\n if (procedure->change_columns(thd, procedure_fields_list) ||\n\tresult->prepare(procedure_fields_list, unit))\n {\n thd->set_examined_row_count(0);\n thd->limit_found_rows= 0;\n DBUG_VOID_RETURN;\n }\n columns_list= &procedure_fields_list;\n }\n if (result->prepare2(this))\n DBUG_VOID_RETURN;\n\n if (!tables_list && (table_count || !select_lex->with_sum_func) &&\n !select_lex->have_window_funcs())\n { // Only test of functions\n if (select_options & SELECT_DESCRIBE)\n select_describe(this, FALSE, FALSE, FALSE,\n\t\t (zero_result_cause?zero_result_cause:\"No tables used\"));\n\n else\n {\n if (result->send_result_set_metadata(*columns_list,\n Protocol::SEND_NUM_ROWS |\n Protocol::SEND_EOF))\n {\n DBUG_VOID_RETURN;\n }\n\n /*\n We have to test for 'conds' here as the WHERE may not be constant\n even if we don't have any tables for prepared statements or if\n conds uses something like 'rand()'.\n If the HAVING clause is either impossible or always true, then\n JOIN::having is set to NULL by optimize_cond.\n In this case JOIN::exec must check for JOIN::having_value, in the\n same way it checks for JOIN::cond_value.\n */\n DBUG_ASSERT(error == 0);\n if (cond_value != Item::COND_FALSE &&\n having_value != Item::COND_FALSE &&\n (!conds || conds->val_int()) &&\n (!having || having->val_int()))\n {\n\tif (do_send_rows &&\n (procedure ? (procedure->send_row(procedure_fields_list) ||\n procedure->end_of_records()) : result->send_data(fields_list)> 0))\n\t error= 1;\n\telse\n\t send_records= ((select_options & OPTION_FOUND_ROWS) ? 
1 :\n thd->get_sent_row_count());\n }\n else\n send_records= 0;\n if (likely(!error))\n {\n join_free(); // Unlock all cursors\n error= (int) result->send_eof();\n }\n }\n /* Single select (without union) always returns 0 or 1 row */\n thd->limit_found_rows= send_records;\n thd->set_examined_row_count(0);\n DBUG_VOID_RETURN;\n }\n\n /*\n Evaluate expensive constant conditions that were not evaluated during\n optimization. Do not evaluate them for EXPLAIN statements as these\n condtions may be arbitrarily costly, and because the optimize phase\n might not have produced a complete executable plan for EXPLAINs.\n */\n if (!zero_result_cause &&\n exec_const_cond && !(select_options & SELECT_DESCRIBE) &&\n !exec_const_cond->val_int())\n zero_result_cause= \"Impossible WHERE noticed after reading const tables\";\n\n /* \n We've called exec_const_cond->val_int(). This may have caused an error.\n */\n if (unlikely(thd->is_error()))\n {\n error= thd->is_error();\n DBUG_VOID_RETURN;\n }\n\n if (zero_result_cause)\n {\n if (select_lex->have_window_funcs() && send_row_on_empty_set())\n {\n /*\n The query produces just one row but it has window functions.\n\n The only way to compute the value of window function(s) is to\n run the entire window function computation step (there is no shortcut).\n */\n const_tables= table_count;\n first_select= sub_select_postjoin_aggr;\n }\n else\n {\n (void) return_zero_rows(this, result, select_lex->leaf_tables,\n *columns_list,\n\t\t\t send_row_on_empty_set(),\n\t\t\t select_options,\n\t\t\t zero_result_cause,\n\t\t\t having ? having : tmp_having, all_fields);\n DBUG_VOID_RETURN;\n }\n }\n \n /*\n Evaluate all constant expressions with subqueries in the\n ORDER/GROUP clauses to make sure that all subqueries return a\n single row. 
The evaluation itself will trigger an error if that is\n not the case.\n */\n if (exec_const_order_group_cond.elements &&\n !(select_options & SELECT_DESCRIBE))\n {\n List_iterator_fast const_item_it(exec_const_order_group_cond);\n Item *cur_const_item;\n while ((cur_const_item= const_item_it++))\n {\n cur_const_item->val_str(); // This caches val_str() to Item::str_value\n if (unlikely(thd->is_error()))\n {\n error= thd->is_error();\n DBUG_VOID_RETURN;\n }\n }\n }\n\n if ((this->select_lex->options & OPTION_SCHEMA_TABLE) &&\n get_schema_tables_result(this, PROCESSED_BY_JOIN_EXEC))\n DBUG_VOID_RETURN;\n\n if (select_options & SELECT_DESCRIBE)\n {\n select_describe(this, need_tmp,\n\t\t order != 0 && !skip_sort_order,\n\t\t select_distinct,\n !table_count ? \"No tables used\" : NullS);\n DBUG_VOID_RETURN;\n }\n else\n {\n /* it's a const select, materialize it. */\n select_lex->mark_const_derived(zero_result_cause);\n }\n\n /*\n Initialize examined rows here because the values from all join parts\n must be accumulated in examined_row_count. Hence every join\n iteration must count from zero.\n */\n join_examined_rows= 0;\n\n /* XXX: When can we have here thd->is_error() not zero? */\n if (unlikely(thd->is_error()))\n {\n error= thd->is_error();\n DBUG_VOID_RETURN;\n }\n\n THD_STAGE_INFO(thd, stage_sending_data);\n DBUG_PRINT(\"info\", (\"%s\", thd->proc_info));\n result->send_result_set_metadata(\n procedure ? procedure_fields_list : *fields,\n Protocol::SEND_NUM_ROWS | Protocol::SEND_EOF);\n\n error= result->view_structure_only() ? false : do_select(this, procedure);\n /* Accumulate the counts from all join iterations of all join parts. 
*/\n thd->inc_examined_row_count(join_examined_rows);\n DBUG_PRINT(\"counts\", (\"thd->examined_row_count: %lu\",\n (ulong) thd->get_examined_row_count()));\n\n DBUG_VOID_RETURN;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 136441511460169992479885767778818811587, "size": 202, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508490 }, { "func": "static void nfs4_xdr_enc_readdir(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs4_readdir_arg *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_readdir(xdr, args, req, &hdr);\n\n\trpc_prepare_reply_pages(req, args->pages, args->pgbase,\n\t\t\t\targs->count, hdr.replen);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 146239345636901971221514548221214768532, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431121 }, { "func": "static int sync_helper(struct Mailbox *m, AclFlags right, int flag, const char *name)\n{\n int count = 0;\n int rc;\n char buf[1024];\n\n if (!m)\n return -1;\n\n if ((m->rights & right) == 0)\n return 0;\n\n if ((right == MUTT_ACL_WRITE) && !imap_has_flag(&imap_mdata_get(m)->flags, name))\n return 0;\n\n snprintf(buf, sizeof(buf), \"+FLAGS.SILENT (%s)\", name);\n rc = imap_exec_msgset(m, \"UID STORE\", buf, flag, true, false);\n if (rc < 0)\n return rc;\n count += rc;\n\n buf[0] = '-';\n rc = imap_exec_msgset(m, \"UID STORE\", buf, flag, true, true);\n if (rc < 0)\n return rc;\n count += rc;\n\n return count;\n}", 
"project": "neomutt", "hash": 181112530512689252622850077420457057277, "size": 29, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357046 }, { "func": "static void oidc_log_session_expires(request_rec *r, const char *msg,\n\t\tapr_time_t session_expires) {\n\tchar buf[APR_RFC822_DATE_LEN + 1];\n\tapr_rfc822_date(buf, session_expires);\n\toidc_debug(r, \"%s: %s (in %\" APR_TIME_T_FMT \" secs from now)\", msg, buf,\n\t\t\tapr_time_sec(session_expires - apr_time_now()));\n}", "project": "mod_auth_openidc", "hash": 77842914393772693105188693697851498029, "size": 7, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381940 }, { "func": "static int mt_probe(struct hid_device *hdev, const struct hid_device_id *id)\n{\n\tint ret, i;\n\tstruct mt_device *td;\n\tconst struct mt_class *mtclass = mt_classes; /* MT_CLS_DEFAULT */\n\n\tfor (i = 0; mt_classes[i].name ; i++) {\n\t\tif (id->driver_data == mt_classes[i].name) {\n\t\t\tmtclass = &(mt_classes[i]);\n\t\t\tbreak;\n\t\t}\n\t}\n\n\ttd = devm_kzalloc(&hdev->dev, sizeof(struct mt_device), GFP_KERNEL);\n\tif (!td) {\n\t\tdev_err(&hdev->dev, \"cannot allocate multitouch data\\n\");\n\t\treturn -ENOMEM;\n\t}\n\ttd->hdev = hdev;\n\ttd->mtclass = *mtclass;\n\ttd->inputmode_value = MT_INPUTMODE_TOUCHSCREEN;\n\thid_set_drvdata(hdev, td);\n\n\tINIT_LIST_HEAD(&td->applications);\n\tINIT_LIST_HEAD(&td->reports);\n\n\tif (id->vendor == HID_ANY_ID && id->product == HID_ANY_ID)\n\t\ttd->serial_maybe = true;\n\n\t/* This allows the driver to correctly support devices\n\t * that emit events over several HID messages.\n\t 
*/\n\thdev->quirks |= HID_QUIRK_NO_INPUT_SYNC;\n\n\t/*\n\t * This allows the driver to handle different input sensors\n\t * that emits events through different applications on the same HID\n\t * device.\n\t */\n\thdev->quirks |= HID_QUIRK_INPUT_PER_APP;\n\n\tif (id->group != HID_GROUP_MULTITOUCH_WIN_8)\n\t\thdev->quirks |= HID_QUIRK_MULTI_INPUT;\n\n\tif (mtclass->quirks & MT_QUIRK_FORCE_MULTI_INPUT) {\n\t\thdev->quirks &= ~HID_QUIRK_INPUT_PER_APP;\n\t\thdev->quirks |= HID_QUIRK_MULTI_INPUT;\n\t}\n\n\ttimer_setup(&td->release_timer, mt_expired_timeout, 0);\n\n\tret = hid_parse(hdev);\n\tif (ret != 0)\n\t\treturn ret;\n\n\tif (mtclass->quirks & MT_QUIRK_FIX_CONST_CONTACT_ID)\n\t\tmt_fix_const_fields(hdev, HID_DG_CONTACTID);\n\n\tret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);\n\tif (ret)\n\t\treturn ret;\n\n\tret = sysfs_create_group(&hdev->dev.kobj, &mt_attribute_group);\n\tif (ret)\n\t\tdev_warn(&hdev->dev, \"Cannot allocate sysfs group for %s\\n\",\n\t\t\t\thdev->name);\n\n\tmt_set_modes(hdev, HID_LATENCY_NORMAL, true, true);\n\n\treturn 0;\n}", "project": "linux", "hash": 55993742902618320606244931536680992228, "size": 71, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: 
Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458401 }, { "func": "static int sctp_getsockopt_sctp_status(struct sock *sk, int len,\n\t\t\t\t char __user *optval,\n\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_status status;\n\tstruct sctp_association *asoc = NULL;\n\tstruct sctp_transport *transport;\n\tsctp_assoc_t associd;\n\tint retval = 0;\n\n\tif (len < sizeof(status)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tlen = sizeof(status);\n\tif (copy_from_user(&status, optval, len)) {\n\t\tretval = -EFAULT;\n\t\tgoto out;\n\t}\n\n\tassocid = status.sstat_assoc_id;\n\tasoc = sctp_id2assoc(sk, associd);\n\tif (!asoc) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\ttransport = asoc->peer.primary_path;\n\n\tstatus.sstat_assoc_id = sctp_assoc2id(asoc);\n\tstatus.sstat_state = sctp_assoc_to_state(asoc);\n\tstatus.sstat_rwnd = asoc->peer.rwnd;\n\tstatus.sstat_unackdata = asoc->unack_data;\n\n\tstatus.sstat_penddata = sctp_tsnmap_pending(&asoc->peer.tsn_map);\n\tstatus.sstat_instrms = asoc->stream.incnt;\n\tstatus.sstat_outstrms = asoc->stream.outcnt;\n\tstatus.sstat_fragmentation_point = asoc->frag_point;\n\tstatus.sstat_primary.spinfo_assoc_id = sctp_assoc2id(transport->asoc);\n\tmemcpy(&status.sstat_primary.spinfo_address, &transport->ipaddr,\n\t\t\ttransport->af_specific->sockaddr_len);\n\t/* Map ipv4 address into v4-mapped-on-v6 address. 
*/\n\tsctp_get_pf_specific(sk->sk_family)->addr_to_user(sctp_sk(sk),\n\t\t(union sctp_addr *)&status.sstat_primary.spinfo_address);\n\tstatus.sstat_primary.spinfo_state = transport->state;\n\tstatus.sstat_primary.spinfo_cwnd = transport->cwnd;\n\tstatus.sstat_primary.spinfo_srtt = transport->srtt;\n\tstatus.sstat_primary.spinfo_rto = jiffies_to_msecs(transport->rto);\n\tstatus.sstat_primary.spinfo_mtu = transport->pathmtu;\n\n\tif (status.sstat_primary.spinfo_state == SCTP_UNKNOWN)\n\t\tstatus.sstat_primary.spinfo_state = SCTP_ACTIVE;\n\n\tif (put_user(len, optlen)) {\n\t\tretval = -EFAULT;\n\t\tgoto out;\n\t}\n\n\tpr_debug(\"%s: len:%d, state:%d, rwnd:%d, assoc_id:%d\\n\",\n\t\t __func__, len, status.sstat_state, status.sstat_rwnd,\n\t\t status.sstat_assoc_id);\n\n\tif (copy_to_user(optval, &status, len)) {\n\t\tretval = -EFAULT;\n\t\tgoto out;\n\t}\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 57032238994145932960399203865492084029, "size": 71, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398148 }, { "func": "static void create_trace_options_dir(struct trace_array *tr)\n{\n\tstruct dentry *t_options;\n\tbool top_level = tr == &global_trace;\n\tint i;\n\n\tt_options = trace_options_init_dentry(tr);\n\tif (!t_options)\n\t\treturn;\n\n\tfor (i = 0; trace_options[i]; i++) {\n\t\tif (top_level ||\n\t\t !((1 << i) & TOP_LEVEL_TRACE_FLAGS))\n\t\t\tcreate_trace_option_core_file(tr, trace_options[i], i);\n\t}\n}", "project": "linux", "hash": 28944944250191829122827325833270245673, "size": 16, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445649 }, { "func": "int LJ_FASTCALL lj_trace_exit(jit_State *J, void *exptr)\n{\n ERRNO_SAVE\n lua_State *L = J->L;\n ExitState *ex = (ExitState *)exptr;\n ExitDataCP exd;\n int errcode;\n const BCIns *pc;\n void *cf;\n GCtrace *T;\n#ifdef EXITSTATE_PCREG\n J->parent = trace_exit_find(J, (MCode *)(intptr_t)ex->gpr[EXITSTATE_PCREG]);\n#endif\n T = traceref(J, J->parent); UNUSED(T);\n#ifdef EXITSTATE_CHECKEXIT\n if (J->exitno == T->nsnap) { /* Treat stack check like a parent exit. 
*/\n lua_assert(T->root != 0);\n J->exitno = T->ir[REF_BASE].op2;\n J->parent = T->ir[REF_BASE].op1;\n T = traceref(J, J->parent);\n }\n#endif\n lua_assert(T != NULL && J->exitno < T->nsnap);\n exd.J = J;\n exd.exptr = exptr;\n errcode = lj_vm_cpcall(L, NULL, &exd, trace_exit_cp);\n if (errcode)\n return -errcode; /* Return negated error code. */\n\n lj_vmevent_send(L, TEXIT,\n lj_state_checkstack(L, 4+RID_NUM_GPR+RID_NUM_FPR+LUA_MINSTACK);\n setintV(L->top++, J->parent);\n setintV(L->top++, J->exitno);\n trace_exit_regs(L, ex);\n );\n\n pc = exd.pc;\n cf = cframe_raw(L->cframe);\n setcframe_pc(cf, pc);\n if (G(L)->gc.state == GCSatomic || G(L)->gc.state == GCSfinalize) {\n if (!(G(L)->hookmask & HOOK_GC))\n lj_gc_step(L); /* Exited because of GC: drive GC forward. */\n } else {\n trace_hotside(J, pc);\n }\n if (bc_op(*pc) == BC_JLOOP) {\n BCIns *retpc = &traceref(J, bc_d(*pc))->startins;\n if (bc_isret(bc_op(*retpc))) {\n if (J->state == LJ_TRACE_RECORD) {\n\tJ->patchins = *pc;\n\tJ->patchpc = (BCIns *)pc;\n\t*J->patchpc = *retpc;\n\tJ->bcskip = 1;\n } else {\n\tpc = retpc;\n\tsetcframe_pc(cf, pc);\n }\n }\n }\n /* Return MULTRES or 0. 
*/\n ERRNO_RESTORE\n switch (bc_op(*pc)) {\n case BC_CALLM: case BC_CALLMT:\n return (int)((BCReg)(L->top - L->base) - bc_a(*pc) - bc_c(*pc));\n case BC_RETM:\n return (int)((BCReg)(L->top - L->base) + 1 - bc_a(*pc) - bc_d(*pc));\n case BC_TSETM:\n return (int)((BCReg)(L->top - L->base) + 1 - bc_a(*pc));\n default:\n if (bc_op(*pc) >= BC_FUNCF)\n return (int)((BCReg)(L->top - L->base) + 1);\n return 0;\n }\n}", "project": "LuaJIT", "hash": 229324233505718420467228062644621991536, "size": 74, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394625 }, { "func": "static void svm_complete_interrupts(struct vcpu_svm *svm)\n{\n\tu8 vector;\n\tint type;\n\tu32 exitintinfo = svm->vmcb->control.exit_int_info;\n\tunsigned int3_injected = svm->int3_injected;\n\n\tsvm->int3_injected = 0;\n\n\t/*\n\t * If we've made progress since setting HF_IRET_MASK, we've\n\t * executed an IRET and can allow NMI injection.\n\t */\n\tif ((svm->vcpu.arch.hflags & HF_IRET_MASK)\n\t && kvm_rip_read(&svm->vcpu) != svm->nmi_iret_rip) {\n\t\tsvm->vcpu.arch.hflags &= ~(HF_NMI_MASK | HF_IRET_MASK);\n\t\tkvm_make_request(KVM_REQ_EVENT, &svm->vcpu);\n\t}\n\n\tsvm->vcpu.arch.nmi_injected = false;\n\tkvm_clear_exception_queue(&svm->vcpu);\n\tkvm_clear_interrupt_queue(&svm->vcpu);\n\n\tif (!(exitintinfo & SVM_EXITINTINFO_VALID))\n\t\treturn;\n\n\tkvm_make_request(KVM_REQ_EVENT, &svm->vcpu);\n\n\tvector = exitintinfo & SVM_EXITINTINFO_VEC_MASK;\n\ttype = exitintinfo & SVM_EXITINTINFO_TYPE_MASK;\n\n\tswitch (type) {\n\tcase SVM_EXITINTINFO_TYPE_NMI:\n\t\tsvm->vcpu.arch.nmi_injected = true;\n\t\tbreak;\n\tcase SVM_EXITINTINFO_TYPE_EXEPT:\n\t\t/*\n\t\t * In case of software exceptions, do not reinject the vector,\n\t\t * but re-execute the instruction instead. 
Rewind RIP first\n\t\t * if we emulated INT3 before.\n\t\t */\n\t\tif (kvm_exception_is_soft(vector)) {\n\t\t\tif (vector == BP_VECTOR && int3_injected &&\n\t\t\t kvm_is_linear_rip(&svm->vcpu, svm->int3_rip))\n\t\t\t\tkvm_rip_write(&svm->vcpu,\n\t\t\t\t\t kvm_rip_read(&svm->vcpu) -\n\t\t\t\t\t int3_injected);\n\t\t\tbreak;\n\t\t}\n\t\tif (exitintinfo & SVM_EXITINTINFO_VALID_ERR) {\n\t\t\tu32 err = svm->vmcb->control.exit_int_info_err;\n\t\t\tkvm_requeue_exception_e(&svm->vcpu, vector, err);\n\n\t\t} else\n\t\t\tkvm_requeue_exception(&svm->vcpu, vector);\n\t\tbreak;\n\tcase SVM_EXITINTINFO_TYPE_INTR:\n\t\tkvm_queue_interrupt(&svm->vcpu, vector, false);\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 267707422419778564060701069937941913309, "size": 63, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432634 }, { "func": "static opj_codestream_index_t* opj_j2k_create_cstr_index(void)\n{\n opj_codestream_index_t* cstr_index = (opj_codestream_index_t*)\n opj_calloc(1, sizeof(opj_codestream_index_t));\n if (!cstr_index) {\n return NULL;\n }\n\n cstr_index->maxmarknum = 100;\n cstr_index->marknum = 0;\n cstr_index->marker = (opj_marker_info_t*)\n opj_calloc(cstr_index->maxmarknum, sizeof(opj_marker_info_t));\n if (!cstr_index-> marker) {\n opj_free(cstr_index);\n return NULL;\n }\n\n cstr_index->tile_index = NULL;\n\n return cstr_index;\n}", "project": "openjpeg", "hash": 67769028449097776948662436783333754094, "size": 21, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357328 }, { "func": "static int kvm_s390_vm_start_migration(struct kvm *kvm)\n{\n\tstruct kvm_memory_slot *ms;\n\tstruct kvm_memslots *slots;\n\tunsigned long ram_pages = 0;\n\tint slotnr;\n\n\t/* migration mode already enabled */\n\tif (kvm->arch.migration_mode)\n\t\treturn 0;\n\tslots = kvm_memslots(kvm);\n\tif (!slots || !slots->used_slots)\n\t\treturn -EINVAL;\n\n\tif (!kvm->arch.use_cmma) {\n\t\tkvm->arch.migration_mode = 1;\n\t\treturn 0;\n\t}\n\t/* mark all the pages in active slots as dirty */\n\tfor (slotnr = 0; slotnr < slots->used_slots; slotnr++) {\n\t\tms = slots->memslots + slotnr;\n\t\tif (!ms->dirty_bitmap)\n\t\t\treturn -EINVAL;\n\t\t/*\n\t\t * The second half of the bitmap is only used on x86,\n\t\t * and would be wasted otherwise, so we put it to good\n\t\t * use here to keep track of the state of the storage\n\t\t * attributes.\n\t\t */\n\t\tmemset(kvm_second_dirty_bitmap(ms), 0xff, 
kvm_dirty_bitmap_bytes(ms));\n\t\tram_pages += ms->npages;\n\t}\n\tatomic64_set(&kvm->arch.cmma_dirty_pages, ram_pages);\n\tkvm->arch.migration_mode = 1;\n\tkvm_s390_sync_request_broadcast(kvm, KVM_REQ_START_MIGRATION);\n\treturn 0;\n}", "project": "linux", "hash": 45583637608575300514812651526870059396, "size": 37, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354453 }, { "func": "static int make_msg_set(struct Mailbox *m, struct Buffer *buf, int flag,\n bool changed, bool invert, int *pos)\n{\n int count = 0; /* number of messages in message set */\n unsigned int setstart = 0; /* start of current message range */\n int n;\n bool started = false;\n\n struct ImapAccountData *adata = imap_adata_get(m);\n if (!adata || (adata->mailbox != m))\n return -1;\n\n for (n = *pos; (n < m->msg_count) && (mutt_buffer_len(buf) < IMAP_MAX_CMDLEN); n++)\n {\n struct Email *e = m->emails[n];\n if (!e)\n break;\n bool match = false; /* whether current message matches flag condition */\n /* don't include pending expunged messages.\n *\n * TODO: can we unset active in cmd_parse_expunge() and\n * cmd_parse_vanished() instead of checking for index != INT_MAX. 
*/\n if (e->active && (e->index != INT_MAX))\n {\n switch (flag)\n {\n case MUTT_DELETED:\n if (e->deleted != imap_edata_get(e)->deleted)\n match = invert ^ e->deleted;\n break;\n case MUTT_FLAG:\n if (e->flagged != imap_edata_get(e)->flagged)\n match = invert ^ e->flagged;\n break;\n case MUTT_OLD:\n if (e->old != imap_edata_get(e)->old)\n match = invert ^ e->old;\n break;\n case MUTT_READ:\n if (e->read != imap_edata_get(e)->read)\n match = invert ^ e->read;\n break;\n case MUTT_REPLIED:\n if (e->replied != imap_edata_get(e)->replied)\n match = invert ^ e->replied;\n break;\n case MUTT_TAG:\n if (e->tagged)\n match = true;\n break;\n case MUTT_TRASH:\n if (e->deleted && !e->purge)\n match = true;\n break;\n }\n }\n\n if (match && (!changed || e->changed))\n {\n count++;\n if (setstart == 0)\n {\n setstart = imap_edata_get(e)->uid;\n if (started)\n {\n mutt_buffer_add_printf(buf, \",%u\", imap_edata_get(e)->uid);\n }\n else\n {\n mutt_buffer_add_printf(buf, \"%u\", imap_edata_get(e)->uid);\n started = true;\n }\n }\n /* tie up if the last message also matches */\n else if (n == (m->msg_count - 1))\n mutt_buffer_add_printf(buf, \":%u\", imap_edata_get(e)->uid);\n }\n /* End current set if message doesn't match or we've reached the end\n * of the mailbox via inactive messages following the last match. 
*/\n else if (setstart && (e->active || (n == adata->mailbox->msg_count - 1)))\n {\n if (imap_edata_get(m->emails[n - 1])->uid > setstart)\n mutt_buffer_add_printf(buf, \":%u\", imap_edata_get(m->emails[n - 1])->uid);\n setstart = 0;\n }\n }\n\n *pos = n;\n\n return count;\n}", "project": "neomutt", "hash": 153705064994298955884066659100031253253, "size": 91, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357051 }, { "func": "static void ASMReplaceTagsWithLookups(ASM *sm,SplineFont1 *sf) {\n int i;\n\n if ( sm->type != asm_context )\nreturn;\n for ( i=0; iclass_cnt*sm->state_cnt; ++i ) {\n\tif ( sm->state[i].u.context.mark_lookup!=NULL )\n\t sm->state[i].u.context.mark_lookup = FindNestedLookupByTag(sf,(uint32) (intpt) (sm->state[i].u.context.mark_lookup) );\n\tif ( sm->state[i].u.context.cur_lookup!=NULL )\n\t sm->state[i].u.context.cur_lookup = FindNestedLookupByTag(sf,(uint32) (intpt) (sm->state[i].u.context.cur_lookup) );\n }\n}", "project": "fontforge", "hash": 251505688100226145375684272463804077035, "size": 12, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417864 }, { "func": "static int sctp_getsockopt_peeloff(struct sock *sk, int len, char __user *optval, int __user *optlen)\n{\n\tsctp_peeloff_arg_t peeloff;\n\tstruct file *newfile = NULL;\n\tint retval = 0;\n\n\tif (len < sizeof(sctp_peeloff_arg_t))\n\t\treturn -EINVAL;\n\tlen = 
sizeof(sctp_peeloff_arg_t);\n\tif (copy_from_user(&peeloff, optval, len))\n\t\treturn -EFAULT;\n\n\tretval = sctp_getsockopt_peeloff_common(sk, &peeloff, &newfile, 0);\n\tif (retval < 0)\n\t\tgoto out;\n\n\t/* Return the fd mapped to the new socket. */\n\tif (put_user(len, optlen)) {\n\t\tfput(newfile);\n\t\tput_unused_fd(retval);\n\t\treturn -EFAULT;\n\t}\n\n\tif (copy_to_user(optval, &peeloff, len)) {\n\t\tfput(newfile);\n\t\tput_unused_fd(retval);\n\t\treturn -EFAULT;\n\t}\n\tfd_install(retval, newfile);\nout:\n\treturn retval;\n}", "project": "linux", "hash": 329700485788336601976062962355261315965, "size": 32, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398157 }, { "func": "static void update_memslots(struct kvm_memslots *slots,\n\t\t\t struct kvm_memory_slot *memslot,\n\t\t\t enum kvm_mr_change change)\n{\n\tint i;\n\n\tif (change == KVM_MR_DELETE) {\n\t\tkvm_memslot_delete(slots, memslot);\n\t} else {\n\t\tif (change == KVM_MR_CREATE)\n\t\t\ti = kvm_memslot_insert_back(slots);\n\t\telse\n\t\t\ti = kvm_memslot_move_backward(slots, memslot);\n\t\ti = kvm_memslot_move_forward(slots, memslot, i);\n\n\t\t/*\n\t\t * Copy the memslot to its new position in memslots and update\n\t\t * its index accordingly.\n\t\t */\n\t\tslots->memslots[i] = *memslot;\n\t\tslots->id_to_index[memslot->id] = i;\n\t}\n}", "project": "linux", "hash": 191806273895072742116255059645475617798, "size": 23, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354571 }, { "func": "void imap_mdata_cache_reset(struct ImapMboxData *mdata)\n{\n mutt_hash_free(&mdata->uid_hash);\n imap_msn_free(&mdata->msn);\n mutt_bcache_close(&mdata->bcache);\n}", "project": "neomutt", "hash": 236557647544556853629859511129211520139, "size": 6, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. 
In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399268 }, { "func": "static int input_dev_poweroff(struct device *dev)\n{\n\tstruct input_dev *input_dev = to_input_dev(dev);\n\n\tspin_lock_irq(&input_dev->event_lock);\n\n\t/* Turn off LEDs and sounds, if any are active. */\n\tinput_dev_toggle(input_dev, false);\n\n\tspin_unlock_irq(&input_dev->event_lock);\n\n\treturn 0;\n}", "project": "linux", "hash": 316534322939993753614957312957636475545, "size": 13, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353347 }, { "func": "static inline bool tcp_stream_is_thin(struct tcp_sock *tp)\n{\n\treturn tp->packets_out < 4 && !tcp_in_initial_slowstart(tp);\n}", "project": "linux", "hash": 283347768659214685111498711328619621143, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe 
can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410745 }, { "func": "void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu)\n{\n\tu16 rc, rrc;\n\n\tVCPU_EVENT(vcpu, 3, \"%s\", \"free cpu\");\n\ttrace_kvm_s390_destroy_vcpu(vcpu->vcpu_id);\n\tkvm_s390_clear_local_irqs(vcpu);\n\tkvm_clear_async_pf_completion_queue(vcpu);\n\tif (!kvm_is_ucontrol(vcpu->kvm))\n\t\tsca_del_vcpu(vcpu);\n\n\tif (kvm_is_ucontrol(vcpu->kvm))\n\t\tgmap_remove(vcpu->arch.gmap);\n\n\tif (vcpu->kvm->arch.use_cmma)\n\t\tkvm_s390_vcpu_unsetup_cmma(vcpu);\n\t/* We can not hold the vcpu mutex here, we are already dying */\n\tif (kvm_s390_pv_cpu_get_handle(vcpu))\n\t\tkvm_s390_pv_destroy_cpu(vcpu, &rc, &rrc);\n\tfree_page((unsigned long)(vcpu->arch.sie_block));\n}", "project": "linux", "hash": 3166597931753354339719550290640258604, "size": 21, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array 
based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354811 }, { "func": "static void ov51x_set_slave_ids(struct sd *sd,\n\t\t\t\tu8 slave)\n{\n\tswitch (sd->bridge) {\n\tcase BRIDGE_OVFX2:\n\t\treg_w(sd, OVFX2_I2C_ADDR, slave);\n\t\treturn;\n\tcase BRIDGE_W9968CF:\n\t\tsd->sensor_addr = slave;\n\t\treturn;\n\t}\n\n\treg_w(sd, R51x_I2C_W_SID, slave);\n\treg_w(sd, R51x_I2C_R_SID, slave + 1);\n}", "project": "linux", "hash": 98279326179701966680551412305807647962, "size": 15, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306333 }, { "func": "static void dump_vmcb(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tstruct vmcb_control_area *control = &svm->vmcb->control;\n\tstruct vmcb_save_area *save = &svm->vmcb->save;\n\n\tif (!dump_invalid_vmcb) {\n\t\tpr_warn_ratelimited(\"set kvm_amd.dump_invalid_vmcb=1 to dump internal KVM state.\\n\");\n\t\treturn;\n\t}\n\n\tpr_err(\"VMCB Control Area:\\n\");\n\tpr_err(\"%-20s%04x\\n\", \"cr_read:\", control->intercept_cr & 
0xffff);\n\tpr_err(\"%-20s%04x\\n\", \"cr_write:\", control->intercept_cr >> 16);\n\tpr_err(\"%-20s%04x\\n\", \"dr_read:\", control->intercept_dr & 0xffff);\n\tpr_err(\"%-20s%04x\\n\", \"dr_write:\", control->intercept_dr >> 16);\n\tpr_err(\"%-20s%08x\\n\", \"exceptions:\", control->intercept_exceptions);\n\tpr_err(\"%-20s%016llx\\n\", \"intercepts:\", control->intercept);\n\tpr_err(\"%-20s%d\\n\", \"pause filter count:\", control->pause_filter_count);\n\tpr_err(\"%-20s%d\\n\", \"pause filter threshold:\",\n\t control->pause_filter_thresh);\n\tpr_err(\"%-20s%016llx\\n\", \"iopm_base_pa:\", control->iopm_base_pa);\n\tpr_err(\"%-20s%016llx\\n\", \"msrpm_base_pa:\", control->msrpm_base_pa);\n\tpr_err(\"%-20s%016llx\\n\", \"tsc_offset:\", control->tsc_offset);\n\tpr_err(\"%-20s%d\\n\", \"asid:\", control->asid);\n\tpr_err(\"%-20s%d\\n\", \"tlb_ctl:\", control->tlb_ctl);\n\tpr_err(\"%-20s%08x\\n\", \"int_ctl:\", control->int_ctl);\n\tpr_err(\"%-20s%08x\\n\", \"int_vector:\", control->int_vector);\n\tpr_err(\"%-20s%08x\\n\", \"int_state:\", control->int_state);\n\tpr_err(\"%-20s%08x\\n\", \"exit_code:\", control->exit_code);\n\tpr_err(\"%-20s%016llx\\n\", \"exit_info1:\", control->exit_info_1);\n\tpr_err(\"%-20s%016llx\\n\", \"exit_info2:\", control->exit_info_2);\n\tpr_err(\"%-20s%08x\\n\", \"exit_int_info:\", control->exit_int_info);\n\tpr_err(\"%-20s%08x\\n\", \"exit_int_info_err:\", control->exit_int_info_err);\n\tpr_err(\"%-20s%lld\\n\", \"nested_ctl:\", control->nested_ctl);\n\tpr_err(\"%-20s%016llx\\n\", \"nested_cr3:\", control->nested_cr3);\n\tpr_err(\"%-20s%016llx\\n\", \"avic_vapic_bar:\", control->avic_vapic_bar);\n\tpr_err(\"%-20s%08x\\n\", \"event_inj:\", control->event_inj);\n\tpr_err(\"%-20s%08x\\n\", \"event_inj_err:\", control->event_inj_err);\n\tpr_err(\"%-20s%lld\\n\", \"virt_ext:\", control->virt_ext);\n\tpr_err(\"%-20s%016llx\\n\", \"next_rip:\", control->next_rip);\n\tpr_err(\"%-20s%016llx\\n\", \"avic_backing_page:\", 
control->avic_backing_page);\n\tpr_err(\"%-20s%016llx\\n\", \"avic_logical_id:\", control->avic_logical_id);\n\tpr_err(\"%-20s%016llx\\n\", \"avic_physical_id:\", control->avic_physical_id);\n\tpr_err(\"VMCB State Save Area:\\n\");\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"es:\",\n\t save->es.selector, save->es.attrib,\n\t save->es.limit, save->es.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"cs:\",\n\t save->cs.selector, save->cs.attrib,\n\t save->cs.limit, save->cs.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"ss:\",\n\t save->ss.selector, save->ss.attrib,\n\t save->ss.limit, save->ss.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"ds:\",\n\t save->ds.selector, save->ds.attrib,\n\t save->ds.limit, save->ds.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"fs:\",\n\t save->fs.selector, save->fs.attrib,\n\t save->fs.limit, save->fs.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"gs:\",\n\t save->gs.selector, save->gs.attrib,\n\t save->gs.limit, save->gs.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"gdtr:\",\n\t save->gdtr.selector, save->gdtr.attrib,\n\t save->gdtr.limit, save->gdtr.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"ldtr:\",\n\t save->ldtr.selector, save->ldtr.attrib,\n\t save->ldtr.limit, save->ldtr.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"idtr:\",\n\t save->idtr.selector, save->idtr.attrib,\n\t save->idtr.limit, save->idtr.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"tr:\",\n\t save->tr.selector, save->tr.attrib,\n\t save->tr.limit, save->tr.base);\n\tpr_err(\"cpl: %d efer: %016llx\\n\",\n\t\tsave->cpl, save->efer);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"cr0:\", save->cr0, \"cr2:\", save->cr2);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"cr3:\", save->cr3, \"cr4:\", 
save->cr4);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"dr6:\", save->dr6, \"dr7:\", save->dr7);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"rip:\", save->rip, \"rflags:\", save->rflags);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"rsp:\", save->rsp, \"rax:\", save->rax);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"star:\", save->star, \"lstar:\", save->lstar);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"cstar:\", save->cstar, \"sfmask:\", save->sfmask);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"kernel_gs_base:\", save->kernel_gs_base,\n\t \"sysenter_cs:\", save->sysenter_cs);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"sysenter_esp:\", save->sysenter_esp,\n\t \"sysenter_eip:\", save->sysenter_eip);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"gpat:\", save->g_pat, \"dbgctl:\", save->dbgctl);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"br_from:\", save->br_from, \"br_to:\", save->br_to);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"excp_from:\", save->last_excp_from,\n\t \"excp_to:\", save->last_excp_to);\n}", "project": "linux", "hash": 7765017000181124808605055589230643709, "size": 115, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432557 }, { "func": "static void dump_vmcb(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tstruct vmcb_control_area *control = &svm->vmcb->control;\n\tstruct vmcb_save_area *save = &svm->vmcb->save;\n\n\tpr_err(\"VMCB Control Area:\\n\");\n\tpr_err(\"%-20s%04x\\n\", \"cr_read:\", control->intercept_cr & 0xffff);\n\tpr_err(\"%-20s%04x\\n\", \"cr_write:\", control->intercept_cr >> 16);\n\tpr_err(\"%-20s%04x\\n\", \"dr_read:\", control->intercept_dr & 0xffff);\n\tpr_err(\"%-20s%04x\\n\", \"dr_write:\", control->intercept_dr >> 16);\n\tpr_err(\"%-20s%08x\\n\", \"exceptions:\", control->intercept_exceptions);\n\tpr_err(\"%-20s%016llx\\n\", \"intercepts:\", control->intercept);\n\tpr_err(\"%-20s%d\\n\", \"pause filter count:\", control->pause_filter_count);\n\tpr_err(\"%-20s%016llx\\n\", \"iopm_base_pa:\", control->iopm_base_pa);\n\tpr_err(\"%-20s%016llx\\n\", \"msrpm_base_pa:\", control->msrpm_base_pa);\n\tpr_err(\"%-20s%016llx\\n\", \"tsc_offset:\", control->tsc_offset);\n\tpr_err(\"%-20s%d\\n\", \"asid:\", control->asid);\n\tpr_err(\"%-20s%d\\n\", \"tlb_ctl:\", control->tlb_ctl);\n\tpr_err(\"%-20s%08x\\n\", \"int_ctl:\", control->int_ctl);\n\tpr_err(\"%-20s%08x\\n\", \"int_vector:\", control->int_vector);\n\tpr_err(\"%-20s%08x\\n\", \"int_state:\", control->int_state);\n\tpr_err(\"%-20s%08x\\n\", \"exit_code:\", control->exit_code);\n\tpr_err(\"%-20s%016llx\\n\", \"exit_info1:\", control->exit_info_1);\n\tpr_err(\"%-20s%016llx\\n\", \"exit_info2:\", control->exit_info_2);\n\tpr_err(\"%-20s%08x\\n\", \"exit_int_info:\", control->exit_int_info);\n\tpr_err(\"%-20s%08x\\n\", \"exit_int_info_err:\", control->exit_int_info_err);\n\tpr_err(\"%-20s%lld\\n\", \"nested_ctl:\", 
control->nested_ctl);\n\tpr_err(\"%-20s%016llx\\n\", \"nested_cr3:\", control->nested_cr3);\n\tpr_err(\"%-20s%08x\\n\", \"event_inj:\", control->event_inj);\n\tpr_err(\"%-20s%08x\\n\", \"event_inj_err:\", control->event_inj_err);\n\tpr_err(\"%-20s%lld\\n\", \"lbr_ctl:\", control->lbr_ctl);\n\tpr_err(\"%-20s%016llx\\n\", \"next_rip:\", control->next_rip);\n\tpr_err(\"VMCB State Save Area:\\n\");\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"es:\",\n\t save->es.selector, save->es.attrib,\n\t save->es.limit, save->es.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"cs:\",\n\t save->cs.selector, save->cs.attrib,\n\t save->cs.limit, save->cs.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"ss:\",\n\t save->ss.selector, save->ss.attrib,\n\t save->ss.limit, save->ss.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"ds:\",\n\t save->ds.selector, save->ds.attrib,\n\t save->ds.limit, save->ds.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"fs:\",\n\t save->fs.selector, save->fs.attrib,\n\t save->fs.limit, save->fs.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"gs:\",\n\t save->gs.selector, save->gs.attrib,\n\t save->gs.limit, save->gs.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"gdtr:\",\n\t save->gdtr.selector, save->gdtr.attrib,\n\t save->gdtr.limit, save->gdtr.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"ldtr:\",\n\t save->ldtr.selector, save->ldtr.attrib,\n\t save->ldtr.limit, save->ldtr.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"idtr:\",\n\t save->idtr.selector, save->idtr.attrib,\n\t save->idtr.limit, save->idtr.base);\n\tpr_err(\"%-5s s: %04x a: %04x l: %08x b: %016llx\\n\",\n\t \"tr:\",\n\t save->tr.selector, save->tr.attrib,\n\t save->tr.limit, save->tr.base);\n\tpr_err(\"cpl: %d efer: %016llx\\n\",\n\t\tsave->cpl, save->efer);\n\tpr_err(\"%-15s %016llx %-13s 
%016llx\\n\",\n\t \"cr0:\", save->cr0, \"cr2:\", save->cr2);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"cr3:\", save->cr3, \"cr4:\", save->cr4);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"dr6:\", save->dr6, \"dr7:\", save->dr7);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"rip:\", save->rip, \"rflags:\", save->rflags);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"rsp:\", save->rsp, \"rax:\", save->rax);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"star:\", save->star, \"lstar:\", save->lstar);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"cstar:\", save->cstar, \"sfmask:\", save->sfmask);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"kernel_gs_base:\", save->kernel_gs_base,\n\t \"sysenter_cs:\", save->sysenter_cs);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"sysenter_esp:\", save->sysenter_esp,\n\t \"sysenter_eip:\", save->sysenter_eip);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"gpat:\", save->g_pat, \"dbgctl:\", save->dbgctl);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"br_from:\", save->br_from, \"br_to:\", save->br_to);\n\tpr_err(\"%-15s %016llx %-13s %016llx\\n\",\n\t \"excp_from:\", save->last_excp_from,\n\t \"excp_to:\", save->last_excp_to);\n}", "project": "kvm", "hash": 30241985038715619077265388558920332348, "size": 104, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437555 }, { "func": "static void oidc_store_userinfo_claims(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session, oidc_provider_t *provider, const char *claims,\n\t\tconst char *userinfo_jwt) {\n\n\toidc_debug(r, \"enter\");\n\n\t/* see if we've resolved any claims */\n\tif (claims != NULL) {\n\t\t/*\n\t\t * Successfully decoded a set claims from the response so we can store them\n\t\t * (well actually the stringified representation in the response)\n\t\t * in the session context safely now\n\t\t */\n\t\toidc_session_set_userinfo_claims(r, session, claims);\n\n\t\tif (c->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) {\n\t\t\t/* this will also clear the entry if a JWT was not returned at this point */\n\t\t\toidc_session_set_userinfo_jwt(r, session, 
userinfo_jwt);\n\t\t}\n\n\t} else {\n\t\t/*\n\t\t * clear the existing claims because we could not refresh them\n\t\t */\n\t\toidc_session_set_userinfo_claims(r, session, NULL);\n\n\t\toidc_session_set_userinfo_jwt(r, session, NULL);\n\t}\n\n\t/* store the last refresh time if we've configured a userinfo refresh interval */\n\tif (provider->userinfo_refresh_interval > 0)\n\t\toidc_session_reset_userinfo_last_refresh(r, session);\n}", "project": "mod_auth_openidc", "hash": 294198396980947556662167722627691997420, "size": 33, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381922 }, { "func": "static ssize_t red_zone_store(struct kmem_cache *s,\n\t\t\t\tconst char *buf, size_t length)\n{\n\tif (any_slab_objects(s))\n\t\treturn -EBUSY;\n\n\ts->flags &= ~SLAB_RED_ZONE;\n\tif (buf[0] == '1') {\n\t\ts->flags |= SLAB_RED_ZONE;\n\t}\n\tcalculate_sizes(s, -1);\n\treturn length;\n}", "project": "linux", "hash": 130252878883418762009481046558605850144, "size": 13, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280269 }, { "func": "static int sctp_setsockopt_autoclose(struct sock *sk, u32 *optval,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct net *net = sock_net(sk);\n\n\t/* Applicable to UDP-style socket only */\n\tif (sctp_style(sk, TCP))\n\t\treturn -EOPNOTSUPP;\n\tif (optlen != sizeof(int))\n\t\treturn -EINVAL;\n\n\tsp->autoclose = *optval;\n\tif (sp->autoclose > net->sctp.max_autoclose)\n\t\tsp->autoclose = net->sctp.max_autoclose;\n\n\treturn 0;\n}", "project": "linux", "hash": 262597473605372118724854672232758978273, "size": 18, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398126 }, { "func": "static inline int pmd_move_must_withdraw(spinlock_t *new_pmd_ptl,\n\t\t\t\t\t spinlock_t *old_pmd_ptl,\n\t\t\t\t\t struct vm_area_struct *vma)\n{\n\t/*\n\t * With split pmd lock we also need to move preallocated\n\t * PTE page table if new_pmd is on different PMD page table.\n\t *\n\t * We also don't deposit and withdraw tables for file pages.\n\t */\n\treturn (new_pmd_ptl != old_pmd_ptl) && vma_is_anonymous(vma);\n}", "project": "linux", "hash": 37964731913799436995397845742542981279, "size": 12, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). 
Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364202 }, { "func": "static void SFDCleanupAnchorClasses(SplineFont *sf) {\n AnchorClass *ac;\n AnchorPoint *ap;\n int i, j, scnt;\n#define S_MAX\t100\n uint32 scripts[S_MAX];\n int merge=0;\n\n for ( ac = sf->anchor; ac!=NULL; ac=ac->next ) {\n\tif ( ((AnchorClass1 *) ac)->script_lang_index==0xffff ) {\n\t scnt = 0;\n\t for ( i=0; iglyphcnt; ++i ) if ( sf->glyphs[i]!=NULL ) {\n\t\tfor ( ap = sf->glyphs[i]->anchor; ap!=NULL && ap->anchor!=ac; ap=ap->next );\n\t\tif ( ap!=NULL && scntglyphs[i]);\n\t\t if ( script==0 )\n\t continue;\n\t\t for ( j=0; jscript_lang_index = SFAddScriptIndex((SplineFont1 *) sf,scripts,scnt);\n\t}\n\tif ( ((AnchorClass1 *) ac)->merge_with == 0xffff )\n\t ((AnchorClass1 *) ac)->merge_with = ++merge;\n }\n#undef S_MAX\n}", "project": "fontforge", "hash": 152066704023923172474985672395986152132, "size": 31, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417943 }, { "func": "static int _nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)\n{\n\tu32 bitmask[3] = {}, 
minorversion = server->nfs_client->cl_minorversion;\n\tstruct nfs4_server_caps_arg args = {\n\t\t.fhandle = fhandle,\n\t\t.bitmask = bitmask,\n\t};\n\tstruct nfs4_server_caps_res res = {};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_SERVER_CAPS],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t};\n\tint status;\n\tint i;\n\n\tbitmask[0] = FATTR4_WORD0_SUPPORTED_ATTRS |\n\t\t FATTR4_WORD0_FH_EXPIRE_TYPE |\n\t\t FATTR4_WORD0_LINK_SUPPORT |\n\t\t FATTR4_WORD0_SYMLINK_SUPPORT |\n\t\t FATTR4_WORD0_ACLSUPPORT;\n\tif (minorversion)\n\t\tbitmask[2] = FATTR4_WORD2_SUPPATTR_EXCLCREAT;\n\n\tstatus = nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);\n\tif (status == 0) {\n\t\t/* Sanity check the server answers */\n\t\tswitch (minorversion) {\n\t\tcase 0:\n\t\t\tres.attr_bitmask[1] &= FATTR4_WORD1_NFS40_MASK;\n\t\t\tres.attr_bitmask[2] = 0;\n\t\t\tbreak;\n\t\tcase 1:\n\t\t\tres.attr_bitmask[2] &= FATTR4_WORD2_NFS41_MASK;\n\t\t\tbreak;\n\t\tcase 2:\n\t\t\tres.attr_bitmask[2] &= FATTR4_WORD2_NFS42_MASK;\n\t\t}\n\t\tmemcpy(server->attr_bitmask, res.attr_bitmask, sizeof(server->attr_bitmask));\n\t\tserver->caps &= ~(NFS_CAP_ACLS|NFS_CAP_HARDLINKS|\n\t\t\t\tNFS_CAP_SYMLINKS|NFS_CAP_FILEID|\n\t\t\t\tNFS_CAP_MODE|NFS_CAP_NLINK|NFS_CAP_OWNER|\n\t\t\t\tNFS_CAP_OWNER_GROUP|NFS_CAP_ATIME|\n\t\t\t\tNFS_CAP_CTIME|NFS_CAP_MTIME|\n\t\t\t\tNFS_CAP_SECURITY_LABEL);\n\t\tif (res.attr_bitmask[0] & FATTR4_WORD0_ACL &&\n\t\t\t\tres.acl_bitmask & ACL4_SUPPORT_ALLOW_ACL)\n\t\t\tserver->caps |= NFS_CAP_ACLS;\n\t\tif (res.has_links != 0)\n\t\t\tserver->caps |= NFS_CAP_HARDLINKS;\n\t\tif (res.has_symlinks != 0)\n\t\t\tserver->caps |= NFS_CAP_SYMLINKS;\n\t\tif (res.attr_bitmask[0] & FATTR4_WORD0_FILEID)\n\t\t\tserver->caps |= NFS_CAP_FILEID;\n\t\tif (res.attr_bitmask[1] & FATTR4_WORD1_MODE)\n\t\t\tserver->caps |= NFS_CAP_MODE;\n\t\tif (res.attr_bitmask[1] & FATTR4_WORD1_NUMLINKS)\n\t\t\tserver->caps |= NFS_CAP_NLINK;\n\t\tif 
(res.attr_bitmask[1] & FATTR4_WORD1_OWNER)\n\t\t\tserver->caps |= NFS_CAP_OWNER;\n\t\tif (res.attr_bitmask[1] & FATTR4_WORD1_OWNER_GROUP)\n\t\t\tserver->caps |= NFS_CAP_OWNER_GROUP;\n\t\tif (res.attr_bitmask[1] & FATTR4_WORD1_TIME_ACCESS)\n\t\t\tserver->caps |= NFS_CAP_ATIME;\n\t\tif (res.attr_bitmask[1] & FATTR4_WORD1_TIME_METADATA)\n\t\t\tserver->caps |= NFS_CAP_CTIME;\n\t\tif (res.attr_bitmask[1] & FATTR4_WORD1_TIME_MODIFY)\n\t\t\tserver->caps |= NFS_CAP_MTIME;\n#ifdef CONFIG_NFS_V4_SECURITY_LABEL\n\t\tif (res.attr_bitmask[2] & FATTR4_WORD2_SECURITY_LABEL)\n\t\t\tserver->caps |= NFS_CAP_SECURITY_LABEL;\n#endif\n\t\tmemcpy(server->attr_bitmask_nl, res.attr_bitmask,\n\t\t\t\tsizeof(server->attr_bitmask));\n\t\tserver->attr_bitmask_nl[2] &= ~FATTR4_WORD2_SECURITY_LABEL;\n\n\t\tmemcpy(server->cache_consistency_bitmask, res.attr_bitmask, sizeof(server->cache_consistency_bitmask));\n\t\tserver->cache_consistency_bitmask[0] &= FATTR4_WORD0_CHANGE|FATTR4_WORD0_SIZE;\n\t\tserver->cache_consistency_bitmask[1] &= FATTR4_WORD1_TIME_METADATA|FATTR4_WORD1_TIME_MODIFY;\n\t\tserver->cache_consistency_bitmask[2] = 0;\n\n\t\t/* Avoid a regression due to buggy server */\n\t\tfor (i = 0; i < ARRAY_SIZE(res.exclcreat_bitmask); i++)\n\t\t\tres.exclcreat_bitmask[i] &= res.attr_bitmask[i];\n\t\tmemcpy(server->exclcreat_bitmask, res.exclcreat_bitmask,\n\t\t\tsizeof(server->exclcreat_bitmask));\n\n\t\tserver->acl_bitmask = res.acl_bitmask;\n\t\tserver->fh_expire_type = res.fh_expire_type;\n\t}\n\n\treturn status;\n}", "project": "linux", "hash": 239020047313511955164193611890193083866, "size": 93, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of 
label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431583 }, { "func": "int kvm_vcpu_read_guest_page(struct kvm_vcpu *vcpu, gfn_t gfn, void *data,\n\t\t\t int offset, int len)\n{\n\tstruct kvm_memory_slot *slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);\n\n\treturn __kvm_read_guest_page(slot, gfn, data, offset, len);\n}", "project": "linux", "hash": 48681750286836417645967831858899338426, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354658 }, { "func": "static char* is_unsafe_cipher(ndpi_cipher_weakness c) {\n switch(c) {\n case ndpi_cipher_insecure:\n return(\"INSECURE\");\n break;\n\n case ndpi_cipher_weak:\n return(\"WEAK\");\n break;\n\n default:\n return(\"OK\");\n }\n}", "project": "nDPI", "hash": 174693171689126527874649493639599233989, "size": 14, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254849 }, { "func": "int kvm_vcpu_write_guest_page(struct kvm_vcpu *vcpu, gfn_t gfn,\n\t\t\t const void *data, int offset, int len)\n{\n\tstruct kvm_memory_slot *slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);\n\n\treturn 
__kvm_write_guest_page(slot, gfn, data, offset, len);\n}", "project": "linux", "hash": 152525504325663666014616718231423195483, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354415 }, { "func": "int kvm_vcpu_write_guest_page(struct kvm_vcpu *vcpu, gfn_t gfn,\n\t\t\t const void *data, int offset, int len)\n{\n\tstruct kvm_memory_slot *slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);\n\n\treturn __kvm_write_guest_page(vcpu->kvm, slot, gfn, data, offset, len);\n}", "project": "linux", "hash": 276416143107251032034872438290390076386, "size": 7, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404106 }, { "func": "static int tracing_buffers_open(struct inode *inode, struct file *filp)\n{\n\tstruct trace_array *tr = inode->i_private;\n\tstruct ftrace_buffer_info *info;\n\tint ret;\n\n\tif (tracing_disabled)\n\t\treturn -ENODEV;\n\n\tif (trace_array_get(tr) < 0)\n\t\treturn -ENODEV;\n\n\tinfo = kzalloc(sizeof(*info), GFP_KERNEL);\n\tif (!info) {\n\t\ttrace_array_put(tr);\n\t\treturn -ENOMEM;\n\t}\n\n\tmutex_lock(&trace_types_lock);\n\n\tinfo->iter.tr\t\t= tr;\n\tinfo->iter.cpu_file\t= tracing_get_cpu(inode);\n\tinfo->iter.trace\t= tr->current_trace;\n\tinfo->iter.trace_buffer = &tr->trace_buffer;\n\tinfo->spare\t\t= NULL;\n\t/* Force reading ring buffer for first read */\n\tinfo->read\t\t= (unsigned int)-1;\n\n\tfilp->private_data = info;\n\n\ttr->current_trace->ref++;\n\n\tmutex_unlock(&trace_types_lock);\n\n\tret = nonseekable_open(inode, filp);\n\tif (ret < 0)\n\t\ttrace_array_put(tr);\n\n\treturn ret;\n}", "project": "linux", "hash": 267969443803188466161223484147532817058, "size": 40, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445801 }, { "func": "static int nested_svm_intercept_ioio(struct vcpu_svm *svm)\n{\n\tunsigned port, size, iopm_len;\n\tu16 val, mask;\n\tu8 start_bit;\n\tu64 gpa;\n\n\tif (!(svm->nested.intercept & (1ULL << INTERCEPT_IOIO_PROT)))\n\t\treturn NESTED_EXIT_HOST;\n\n\tport = svm->vmcb->control.exit_info_1 >> 16;\n\tsize = (svm->vmcb->control.exit_info_1 & SVM_IOIO_SIZE_MASK) >>\n\t\tSVM_IOIO_SIZE_SHIFT;\n\tgpa = svm->nested.vmcb_iopm + (port / 8);\n\tstart_bit = port % 8;\n\tiopm_len = (start_bit + size > 8) ? 2 : 1;\n\tmask = (0xf >> (4 - size)) << start_bit;\n\tval = 0;\n\n\tif (kvm_vcpu_read_guest(&svm->vcpu, gpa, &val, iopm_len))\n\t\treturn NESTED_EXIT_DONE;\n\n\treturn (val & mask) ? NESTED_EXIT_DONE : NESTED_EXIT_HOST;\n}", "project": "linux", "hash": 299653931354877644859621765965197758427, "size": 24, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432546 }, { "func": "static int nested_svm_intercept_ioio(struct vcpu_svm *svm)\n{\n\tunsigned port, size, iopm_len;\n\tu16 val, mask;\n\tu8 start_bit;\n\tu64 gpa;\n\n\tif (!(svm->nested.intercept & (1ULL << INTERCEPT_IOIO_PROT)))\n\t\treturn NESTED_EXIT_HOST;\n\n\tport = svm->vmcb->control.exit_info_1 >> 16;\n\tsize = (svm->vmcb->control.exit_info_1 & SVM_IOIO_SIZE_MASK) >>\n\t\tSVM_IOIO_SIZE_SHIFT;\n\tgpa = svm->nested.vmcb_iopm + (port / 8);\n\tstart_bit = port % 8;\n\tiopm_len = (start_bit + size > 8) ? 2 : 1;\n\tmask = (0xf >> (4 - size)) << start_bit;\n\tval = 0;\n\n\tif (kvm_read_guest(svm->vcpu.kvm, gpa, &val, iopm_len))\n\t\treturn NESTED_EXIT_DONE;\n\n\treturn (val & mask) ? NESTED_EXIT_DONE : NESTED_EXIT_HOST;\n}", "project": "kvm", "hash": 135685562829126542102546197093135105667, "size": 24, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437612 }, { "func": "static inline void hid_map_usage_clear(struct hid_input *hidinput,\n\t\tstruct hid_usage *usage, unsigned long **bit, int *max,\n\t\t__u8 type, __u16 c)\n{\n\thid_map_usage(hidinput, usage, bit, max, type, c);\n\tif (*bit)\n\t\tclear_bit(usage->code, *bit);\n}", "project": "linux", "hash": 186770812742352092888133970575677009504, "size": 8, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more 
\"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458416 }, { "func": "CallResult JSObject::getOwnComputedDescriptor(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n ComputedPropertyDescriptor &desc,\n MutableHandle<> &valueOrAccessor) {\n auto converted = toPropertyKeyIfObject(runtime, nameValHandle);\n if (LLVM_UNLIKELY(converted == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n // The proxy is ignored here so we can avoid calling\n // JSProxy::getOwnProperty twice on proxies, since\n // getOwnComputedPrimitiveDescriptor doesn't pass back the\n // valueOrAccessor.\n CallResult res = JSObject::getOwnComputedPrimitiveDescriptor(\n selfHandle, runtime, *converted, IgnoreProxy::Yes, desc);\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n if (*res) {\n valueOrAccessor = getComputedSlotValue(selfHandle.get(), runtime, desc);\n return true;\n }\n if (LLVM_UNLIKELY(selfHandle->isProxyObject())) {\n return JSProxy::getOwnProperty(\n selfHandle, runtime, nameValHandle, desc, &valueOrAccessor);\n }\n return false;\n}", "project": "hermes", "hash": 279418699571086074569296403875941081649, "size": 29, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. 
This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230252 }, { "func": "CallResult JSObject::getOwnComputedDescriptor(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n ComputedPropertyDescriptor &desc) {\n auto converted = toPropertyKeyIfObject(runtime, nameValHandle);\n if (LLVM_UNLIKELY(converted == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n return JSObject::getOwnComputedPrimitiveDescriptor(\n selfHandle, runtime, *converted, IgnoreProxy::No, desc);\n}", "project": "hermes", "hash": 318661896243185953498479236271460355853, "size": 12, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230258 }, { "func": "static int tcp_try_undo_loss(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\tif (tcp_may_undo(tp)) {\n\t\tstruct sk_buff *skb;\n\t\ttcp_for_write_queue(skb, sk) {\n\t\t\tif (skb == tcp_send_head(sk))\n\t\t\t\tbreak;\n\t\t\tTCP_SKB_CB(skb)->sacked &= ~TCPCB_LOST;\n\t\t}\n\n\t\ttcp_clear_all_retrans_hints(tp);\n\n\t\tDBGUNDO(sk, \"partial loss\");\n\t\ttp->lost_out = 0;\n\t\ttcp_undo_cwr(sk, true);\n\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPLOSSUNDO);\n\t\tinet_csk(sk)->icsk_retransmits = 0;\n\t\ttp->undo_marker = 0;\n\t\tif (tcp_is_sack(tp))\n\t\t\ttcp_set_ca_state(sk, TCP_CA_Open);\n\t\treturn 1;\n\t}\n\treturn 0;\n}", "project": "net-next", "hash": 128138774519561093726424403365171038443, "size": 26, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409915 }, { "func": "static inline int pfkey_mode_from_xfrm(int mode)\n{\n\tswitch(mode) {\n\tcase XFRM_MODE_TRANSPORT:\n\t\treturn IPSEC_MODE_TRANSPORT;\n\tcase XFRM_MODE_TUNNEL:\n\t\treturn IPSEC_MODE_TUNNEL;\n\tcase XFRM_MODE_BEET:\n\t\treturn IPSEC_MODE_BEET;\n\tdefault:\n\t\treturn -1;\n\t}\n}", "project": "linux", "hash": 177876692407933143900762369643862907929, "size": 13, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268022 }, { "func": "void CLua::pushglobal(const string &name)\n{\n vector pieces = split_string(\".\", name);\n lua_State *ls(state());\n\n if (pieces.empty())\n lua_pushnil(ls);\n\n for (unsigned i = 0, size = pieces.size(); i < size; ++i)\n {\n if (!i)\n lua_getglobal(ls, pieces[i].c_str());\n else\n {\n if (lua_istable(ls, -1))\n {\n lua_pushstring(ls, pieces[i].c_str());\n lua_gettable(ls, -2);\n // Swap the value we just found with the table itself.\n lua_insert(ls, -2);\n // And remove the table.\n lua_pop(ls, 1);\n }\n else\n {\n // We expected a table here, but got something else. 
Fail.\n lua_pop(ls, 1);\n lua_pushnil(ls);\n break;\n }\n }\n }\n}", "project": "crawl", "hash": 192769494547303480403359393307117140217, "size": 33, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230535 }, { "func": "int nfs4_buf_to_pages_noslab(const void *buf, size_t buflen,\n\t\tstruct page **pages)\n{\n\tstruct page *newpage, **spages;\n\tint rc = 0;\n\tsize_t len;\n\tspages = pages;\n\n\tdo {\n\t\tlen = min_t(size_t, PAGE_SIZE, buflen);\n\t\tnewpage = alloc_page(GFP_KERNEL);\n\n\t\tif (newpage == NULL)\n\t\t\tgoto unwind;\n\t\tmemcpy(page_address(newpage), buf, len);\n\t\tbuf += len;\n\t\tbuflen -= len;\n\t\t*pages++ = newpage;\n\t\trc++;\n\t} while (buflen != 0);\n\n\treturn rc;\n\nunwind:\n\tfor(; rc > 0; rc--)\n\t\t__free_page(spages[rc-1]);\n\treturn -ENOMEM;\n}", "project": "linux", "hash": 93216853958730658747409530590441351221, "size": 28, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431124 }, { "project": "Chrome", "commit_id": "a5333583f14284a411abac2fef7caed889a8bba3", "target": 0, "func": "void RunAndQuit(const base::Closure& closure,\n const base::Closure& quit,\n base::MessageLoopProxy* original_message_loop) {\n closure.Run();\n original_message_loop->PostTask(FROM_HERE, quit);\n}\n", "cwe": "", "big_vul_idx": 121715, "idx": 109008, "hash": 77367781235029200639560044543450245556 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "void BlobURLRequestJob::CountSize() {\n for 
(; item_index_ < blob_data_->items().size(); ++item_index_) {\n const BlobData::Item& item = blob_data_->items().at(item_index_);\n int64 item_length = static_cast(item.length());\n\n if (item.type() == BlobData::TYPE_FILE) {\n ResolveFile(item.file_path());\n return;\n }\n\n item_length_list_.push_back(item_length);\n total_size_ += item_length;\n }\n\n item_index_ = 0;\n\n if (!byte_range_.ComputeBounds(total_size_)) {\n NotifyFailure(net::ERR_REQUEST_RANGE_NOT_SATISFIABLE);\n return;\n }\n\n remaining_bytes_ = byte_range_.last_byte_position() -\n byte_range_.first_byte_position() + 1;\n DCHECK_GE(remaining_bytes_, 0);\n\n if (byte_range_.first_byte_position())\n Seek(byte_range_.first_byte_position());\n\n NotifySuccess();\n}\n", "cwe": "", "big_vul_idx": 106408, "idx": 95561, "hash": 155507342550319975764892220674972413673 }, { "func": "void LanLinkProvider::tcpSocketConnected()\n{\n QSslSocket* socket = qobject_cast(sender());\n\n if (!socket) return;\n // TODO Delete me?\n#if QT_VERSION < QT_VERSION_CHECK(5,15,0)\n disconnect(socket, QOverload::of(&QAbstractSocket::error), this, &LanLinkProvider::connectError);\n#else\n disconnect(socket, &QAbstractSocket::errorOccurred, this, &LanLinkProvider::connectError);\n#endif\n\n configureSocket(socket);\n\n // If socket disconnects due to any reason after connection, link on ssl failure\n connect(socket, &QAbstractSocket::disconnected, socket, &QObject::deleteLater);\n\n NetworkPacket* receivedPacket = m_receivedIdentityPackets[socket].np;\n const QString& deviceId = receivedPacket->get(QStringLiteral(\"deviceId\"));\n //qCDebug(KDECONNECT_CORE) << \"tcpSocketConnected\" << socket->isWritable();\n\n // If network is on ssl, do not believe when they are connected, believe when handshake is completed\n NetworkPacket np2(QLatin1String(\"\"));\n NetworkPacket::createIdentityPacket(&np2);\n socket->write(np2.serialize());\n bool success = socket->waitForBytesWritten();\n\n if (success) {\n\n qCDebug(KDECONNECT_CORE) << 
\"TCP connection done (i'm the existing device)\";\n\n // if ssl supported\n if (receivedPacket->get(QStringLiteral(\"protocolVersion\")) >= MIN_VERSION_WITH_SSL_SUPPORT) {\n\n bool isDeviceTrusted = KdeConnectConfig::instance().trustedDevices().contains(deviceId);\n configureSslSocket(socket, deviceId, isDeviceTrusted);\n\n qCDebug(KDECONNECT_CORE) << \"Starting server ssl (I'm the client TCP socket)\";\n\n connect(socket, &QSslSocket::encrypted, this, &LanLinkProvider::encrypted);\n\n connect(socket, QOverload &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors);\n\n socket->startServerEncryption();\n\n return; // Return statement prevents from deleting received packet, needed in slot \"encrypted\"\n } else {\n qWarning() << receivedPacket->get(QStringLiteral(\"deviceName\")) << \"uses an old protocol version, this won't work\";\n //addLink(deviceId, socket, receivedPacket, LanDeviceLink::Remotely);\n }\n\n } else {\n //I think this will never happen, but if it happens the deviceLink\n //(or the socket that is now inside it) might not be valid. 
Delete them.\n qCDebug(KDECONNECT_CORE) << \"Fallback (2), try reverse connection (send udp packet)\";\n m_udpSocket.writeDatagram(np2.serialize(), m_receivedIdentityPackets[socket].sender, m_udpBroadcastPort);\n }\n\n delete m_receivedIdentityPackets.take(socket).np;\n //We don't delete the socket because now it's owned by the LanDeviceLink\n}", "project": "kdeconnect-kde", "hash": 328501247133160571917312816043328907676, "size": 61, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227366 }, { "func": "int RGWPostObj_ObjStore_S3::get_policy()\n{\n if (part_bl(parts, \"policy\", &s->auth.s3_postobj_creds.encoded_policy)) {\n bool aws4_auth = false;\n\n /* x-amz-algorithm handling */\n using rgw::auth::s3::AWS4_HMAC_SHA256_STR;\n if ((part_str(parts, \"x-amz-algorithm\", &s->auth.s3_postobj_creds.x_amz_algorithm)) &&\n (s->auth.s3_postobj_creds.x_amz_algorithm == AWS4_HMAC_SHA256_STR)) {\n ldout(s->cct, 0) << \"Signature verification algorithm AWS v4 (AWS4-HMAC-SHA256)\" << dendl;\n aws4_auth = true;\n } else {\n ldout(s->cct, 0) << \"Signature verification algorithm AWS v2\" << dendl;\n }\n\n // check that the signature matches the encoded policy\n if (aws4_auth) {\n /* AWS4 */\n\n /* x-amz-credential handling */\n if (!part_str(parts, \"x-amz-credential\",\n &s->auth.s3_postobj_creds.x_amz_credential)) {\n ldout(s->cct, 0) << \"No S3 aws4 credential found!\" << dendl;\n err_msg = \"Missing aws4 credential\";\n return -EINVAL;\n }\n\n /* x-amz-signature handling */\n if (!part_str(parts, \"x-amz-signature\",\n &s->auth.s3_postobj_creds.signature)) {\n ldout(s->cct, 0) << \"No aws4 signature found!\" << dendl;\n err_msg = \"Missing aws4 signature\";\n return -EINVAL;\n }\n\n /* x-amz-date handling */\n std::string received_date_str;\n if (!part_str(parts, \"x-amz-date\", &received_date_str)) {\n 
ldout(s->cct, 0) << \"No aws4 date found!\" << dendl;\n err_msg = \"Missing aws4 date\";\n return -EINVAL;\n }\n } else {\n /* AWS2 */\n\n // check that the signature matches the encoded policy\n if (!part_str(parts, \"AWSAccessKeyId\",\n &s->auth.s3_postobj_creds.access_key)) {\n ldout(s->cct, 0) << \"No S3 aws2 access key found!\" << dendl;\n err_msg = \"Missing aws2 access key\";\n return -EINVAL;\n }\n\n if (!part_str(parts, \"signature\", &s->auth.s3_postobj_creds.signature)) {\n ldout(s->cct, 0) << \"No aws2 signature found!\" << dendl;\n err_msg = \"Missing aws2 signature\";\n return -EINVAL;\n }\n }\n\n /* FIXME: this is a makeshift solution. The browser upload authentication will be\n * handled by an instance of rgw::auth::Completer spawned in Handler's authorize()\n * method. */\n const int ret = rgw::auth::Strategy::apply(auth_registry_ptr->get_s3_post(), s);\n if (ret != 0) {\n return -EACCES;\n } else {\n /* Populate the owner info. */\n s->owner.set_id(s->user->user_id);\n s->owner.set_name(s->user->display_name);\n ldout(s->cct, 20) << \"Successful Signature Verification!\" << dendl;\n }\n\n ceph::bufferlist decoded_policy;\n try {\n decoded_policy.decode_base64(s->auth.s3_postobj_creds.encoded_policy);\n } catch (buffer::error& err) {\n ldout(s->cct, 0) << \"failed to decode_base64 policy\" << dendl;\n err_msg = \"Could not decode policy\";\n return -EINVAL;\n }\n\n decoded_policy.append('\\0'); // NULL terminate\n ldout(s->cct, 20) << \"POST policy: \" << decoded_policy.c_str() << dendl;\n\n\n int r = post_policy.from_json(decoded_policy, err_msg);\n if (r < 0) {\n if (err_msg.empty()) {\n\terr_msg = \"Failed to parse policy\";\n }\n ldout(s->cct, 0) << \"failed to parse policy\" << dendl;\n return -EINVAL;\n }\n\n if (aws4_auth) {\n /* AWS4 */\n post_policy.set_var_checked(\"x-amz-signature\");\n } else {\n /* AWS2 */\n post_policy.set_var_checked(\"AWSAccessKeyId\");\n post_policy.set_var_checked(\"signature\");\n }\n 
post_policy.set_var_checked(\"policy\");\n\n r = post_policy.check(&env, err_msg);\n if (r < 0) {\n if (err_msg.empty()) {\n\terr_msg = \"Policy check failed\";\n }\n ldout(s->cct, 0) << \"policy check failed\" << dendl;\n return r;\n }\n\n } else {\n ldout(s->cct, 0) << \"No attached policy found!\" << dendl;\n }\n\n string canned_acl;\n part_str(parts, \"acl\", &canned_acl);\n\n RGWAccessControlPolicy_S3 s3policy(s->cct);\n ldout(s->cct, 20) << \"canned_acl=\" << canned_acl << dendl;\n if (s3policy.create_canned(s->owner, s->bucket_owner, canned_acl) < 0) {\n err_msg = \"Bad canned ACLs\";\n return -EINVAL;\n }\n\n policy = s3policy;\n\n return 0;\n}", "project": "ceph", "hash": 298405481472656266376464474657545298617, "size": 132, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281355 }, { "func": "int RGWPostObj_ObjStore_S3::get_policy()\n{\n if (part_bl(parts, \"policy\", &s->auth.s3_postobj_creds.encoded_policy)) {\n bool aws4_auth = false;\n\n /* x-amz-algorithm handling */\n using rgw::auth::s3::AWS4_HMAC_SHA256_STR;\n if ((part_str(parts, \"x-amz-algorithm\", &s->auth.s3_postobj_creds.x_amz_algorithm)) &&\n (s->auth.s3_postobj_creds.x_amz_algorithm == AWS4_HMAC_SHA256_STR)) {\n ldout(s->cct, 0) << \"Signature verification algorithm AWS v4 (AWS4-HMAC-SHA256)\" << dendl;\n aws4_auth = true;\n } else {\n ldout(s->cct, 0) << \"Signature verification algorithm AWS v2\" << dendl;\n }\n\n // check that the signature matches the encoded policy\n if (aws4_auth) {\n /* AWS4 */\n\n /* x-amz-credential handling */\n if (!part_str(parts, \"x-amz-credential\",\n &s->auth.s3_postobj_creds.x_amz_credential)) {\n ldout(s->cct, 0) << \"No S3 aws4 credential found!\" << dendl;\n err_msg = \"Missing aws4 credential\";\n return 
-EINVAL;\n }\n\n /* x-amz-signature handling */\n if (!part_str(parts, \"x-amz-signature\",\n &s->auth.s3_postobj_creds.signature)) {\n ldout(s->cct, 0) << \"No aws4 signature found!\" << dendl;\n err_msg = \"Missing aws4 signature\";\n return -EINVAL;\n }\n\n /* x-amz-date handling */\n std::string received_date_str;\n if (!part_str(parts, \"x-amz-date\", &received_date_str)) {\n ldout(s->cct, 0) << \"No aws4 date found!\" << dendl;\n err_msg = \"Missing aws4 date\";\n return -EINVAL;\n }\n } else {\n /* AWS2 */\n\n // check that the signature matches the encoded policy\n if (!part_str(parts, \"AWSAccessKeyId\",\n &s->auth.s3_postobj_creds.access_key)) {\n ldout(s->cct, 0) << \"No S3 aws2 access key found!\" << dendl;\n err_msg = \"Missing aws2 access key\";\n return -EINVAL;\n }\n\n if (!part_str(parts, \"signature\", &s->auth.s3_postobj_creds.signature)) {\n ldout(s->cct, 0) << \"No aws2 signature found!\" << dendl;\n err_msg = \"Missing aws2 signature\";\n return -EINVAL;\n }\n }\n\n part_str(parts, \"x-amz-security-token\", &s->auth.s3_postobj_creds.x_amz_security_token);\n\n /* FIXME: this is a makeshift solution. The browser upload authentication will be\n * handled by an instance of rgw::auth::Completer spawned in Handler's authorize()\n * method. */\n const int ret = rgw::auth::Strategy::apply(this, auth_registry_ptr->get_s3_post(), s);\n if (ret != 0) {\n return -EACCES;\n } else {\n /* Populate the owner info. 
*/\n s->owner.set_id(s->user->user_id);\n s->owner.set_name(s->user->display_name);\n ldout(s->cct, 20) << \"Successful Signature Verification!\" << dendl;\n }\n\n ceph::bufferlist decoded_policy;\n try {\n decoded_policy.decode_base64(s->auth.s3_postobj_creds.encoded_policy);\n } catch (buffer::error& err) {\n ldout(s->cct, 0) << \"failed to decode_base64 policy\" << dendl;\n err_msg = \"Could not decode policy\";\n return -EINVAL;\n }\n\n decoded_policy.append('\\0'); // NULL terminate\n ldout(s->cct, 20) << \"POST policy: \" << decoded_policy.c_str() << dendl;\n\n\n int r = post_policy.from_json(decoded_policy, err_msg);\n if (r < 0) {\n if (err_msg.empty()) {\n\terr_msg = \"Failed to parse policy\";\n }\n ldout(s->cct, 0) << \"failed to parse policy\" << dendl;\n return -EINVAL;\n }\n\n if (aws4_auth) {\n /* AWS4 */\n post_policy.set_var_checked(\"x-amz-signature\");\n } else {\n /* AWS2 */\n post_policy.set_var_checked(\"AWSAccessKeyId\");\n post_policy.set_var_checked(\"signature\");\n }\n post_policy.set_var_checked(\"policy\");\n\n r = post_policy.check(&env, err_msg);\n if (r < 0) {\n if (err_msg.empty()) {\n\terr_msg = \"Policy check failed\";\n }\n ldout(s->cct, 0) << \"policy check failed\" << dendl;\n return r;\n }\n\n } else {\n ldout(s->cct, 0) << \"No attached policy found!\" << dendl;\n }\n\n string canned_acl;\n part_str(parts, \"acl\", &canned_acl);\n\n RGWAccessControlPolicy_S3 s3policy(s->cct);\n ldout(s->cct, 20) << \"canned_acl=\" << canned_acl << dendl;\n if (s3policy.create_canned(s->owner, s->bucket_owner, canned_acl) < 0) {\n err_msg = \"Bad canned ACLs\";\n return -EINVAL;\n }\n\n policy = s3policy;\n\n return 0;\n}", "project": "ceph", "hash": 281312140957065191146734042354184388169, "size": 134, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit 
d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333795 }, { "func": "static int nfs41_proc_reclaim_complete(struct nfs_client *clp,\n\t\tconst struct cred *cred)\n{\n\tstruct nfs4_reclaim_complete_data *calldata;\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_RECLAIM_COMPLETE],\n\t\t.rpc_cred = cred,\n\t};\n\tstruct rpc_task_setup task_setup_data = {\n\t\t.rpc_client = clp->cl_rpcclient,\n\t\t.rpc_message = &msg,\n\t\t.callback_ops = &nfs4_reclaim_complete_call_ops,\n\t\t.flags = RPC_TASK_NO_ROUND_ROBIN,\n\t};\n\tint status = -ENOMEM;\n\n\tdprintk(\"--> %s\\n\", __func__);\n\tcalldata = kzalloc(sizeof(*calldata), GFP_NOFS);\n\tif (calldata == NULL)\n\t\tgoto out;\n\tcalldata->clp = clp;\n\tcalldata->arg.one_fs = 0;\n\n\tnfs4_init_sequence(&calldata->arg.seq_args, &calldata->res.seq_res, 0, 1);\n\tmsg.rpc_argp = &calldata->arg;\n\tmsg.rpc_resp = &calldata->res;\n\ttask_setup_data.callback_data = calldata;\n\tstatus = nfs4_call_sync_custom(&task_setup_data);\nout:\n\tdprintk(\"<-- %s status=%d\\n\", __func__, status);\n\treturn status;\n}", "project": "linux", "hash": 18338986663084212893628887304989527947, "size": 32, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431568 }, { "func": "static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,\n\t\tunsigned long haddr, bool freeze)\n{\n\tstruct mm_struct *mm = vma->vm_mm;\n\tstruct page *page;\n\tpgtable_t pgtable;\n\tpmd_t old_pmd, _pmd;\n\tbool young, write, soft_dirty, pmd_migration = false, uffd_wp = 
false;\n\tunsigned long addr;\n\tint i;\n\n\tVM_BUG_ON(haddr & ~HPAGE_PMD_MASK);\n\tVM_BUG_ON_VMA(vma->vm_start > haddr, vma);\n\tVM_BUG_ON_VMA(vma->vm_end < haddr + HPAGE_PMD_SIZE, vma);\n\tVM_BUG_ON(!is_pmd_migration_entry(*pmd) && !pmd_trans_huge(*pmd)\n\t\t\t\t&& !pmd_devmap(*pmd));\n\n\tcount_vm_event(THP_SPLIT_PMD);\n\n\tif (!vma_is_anonymous(vma)) {\n\t\t_pmd = pmdp_huge_clear_flush_notify(vma, haddr, pmd);\n\t\t/*\n\t\t * We are going to unmap this huge page. So\n\t\t * just go ahead and zap it\n\t\t */\n\t\tif (arch_needs_pgtable_deposit())\n\t\t\tzap_deposited_table(mm, pmd);\n\t\tif (vma_is_special_huge(vma))\n\t\t\treturn;\n\t\tpage = pmd_page(_pmd);\n\t\tif (!PageDirty(page) && pmd_dirty(_pmd))\n\t\t\tset_page_dirty(page);\n\t\tif (!PageReferenced(page) && pmd_young(_pmd))\n\t\t\tSetPageReferenced(page);\n\t\tpage_remove_rmap(page, true);\n\t\tput_page(page);\n\t\tadd_mm_counter(mm, mm_counter_file(page), -HPAGE_PMD_NR);\n\t\treturn;\n\t} else if (is_huge_zero_pmd(*pmd)) {\n\t\t/*\n\t\t * FIXME: Do we want to invalidate secondary mmu by calling\n\t\t * mmu_notifier_invalidate_range() see comments below inside\n\t\t * __split_huge_pmd() ?\n\t\t *\n\t\t * We are going from a zero huge page write protected to zero\n\t\t * small page also write protected so it does not seems useful\n\t\t * to invalidate secondary mmu at this time.\n\t\t */\n\t\treturn __split_huge_zero_page_pmd(vma, haddr, pmd);\n\t}\n\n\t/*\n\t * Up to this point the pmd is present and huge and userland has the\n\t * whole access to the hugepage during the split (which happens in\n\t * place). If we overwrite the pmd with the not-huge version pointing\n\t * to the pte here (which of course we could if all CPUs were bug\n\t * free), userland could trigger a small page size TLB miss on the\n\t * small sized TLB while the hugepage TLB entry is still established in\n\t * the huge TLB. 
Some CPU doesn't like that.\n\t * See http://support.amd.com/us/Processor_TechDocs/41322.pdf, Erratum\n\t * 383 on page 93. Intel should be safe but is also warns that it's\n\t * only safe if the permission and cache attributes of the two entries\n\t * loaded in the two TLB is identical (which should be the case here).\n\t * But it is generally safer to never allow small and huge TLB entries\n\t * for the same virtual address to be loaded simultaneously. So instead\n\t * of doing \"pmd_populate(); flush_pmd_tlb_range();\" we first mark the\n\t * current pmd notpresent (atomically because here the pmd_trans_huge\n\t * must remain set at all times on the pmd until the split is complete\n\t * for this pmd), then we flush the SMP TLB and finally we write the\n\t * non-huge version of the pmd entry with pmd_populate.\n\t */\n\told_pmd = pmdp_invalidate(vma, haddr, pmd);\n\n\tpmd_migration = is_pmd_migration_entry(old_pmd);\n\tif (unlikely(pmd_migration)) {\n\t\tswp_entry_t entry;\n\n\t\tentry = pmd_to_swp_entry(old_pmd);\n\t\tpage = pfn_to_page(swp_offset(entry));\n\t\twrite = is_write_migration_entry(entry);\n\t\tyoung = false;\n\t\tsoft_dirty = pmd_swp_soft_dirty(old_pmd);\n\t\tuffd_wp = pmd_swp_uffd_wp(old_pmd);\n\t} else {\n\t\tpage = pmd_page(old_pmd);\n\t\tif (pmd_dirty(old_pmd))\n\t\t\tSetPageDirty(page);\n\t\twrite = pmd_write(old_pmd);\n\t\tyoung = pmd_young(old_pmd);\n\t\tsoft_dirty = pmd_soft_dirty(old_pmd);\n\t\tuffd_wp = pmd_uffd_wp(old_pmd);\n\t}\n\tVM_BUG_ON_PAGE(!page_count(page), page);\n\tpage_ref_add(page, HPAGE_PMD_NR - 1);\n\n\t/*\n\t * Withdraw the table only after we mark the pmd entry invalid.\n\t * This's critical for some architectures (Power).\n\t */\n\tpgtable = pgtable_trans_huge_withdraw(mm, pmd);\n\tpmd_populate(mm, &_pmd, pgtable);\n\n\tfor (i = 0, addr = haddr; i < HPAGE_PMD_NR; i++, addr += PAGE_SIZE) {\n\t\tpte_t entry, *pte;\n\t\t/*\n\t\t * Note that NUMA hinting access restrictions are not\n\t\t * transferred to avoid any possibility 
of altering\n\t\t * permissions across VMAs.\n\t\t */\n\t\tif (freeze || pmd_migration) {\n\t\t\tswp_entry_t swp_entry;\n\t\t\tswp_entry = make_migration_entry(page + i, write);\n\t\t\tentry = swp_entry_to_pte(swp_entry);\n\t\t\tif (soft_dirty)\n\t\t\t\tentry = pte_swp_mksoft_dirty(entry);\n\t\t\tif (uffd_wp)\n\t\t\t\tentry = pte_swp_mkuffd_wp(entry);\n\t\t} else {\n\t\t\tentry = mk_pte(page + i, READ_ONCE(vma->vm_page_prot));\n\t\t\tentry = maybe_mkwrite(entry, vma);\n\t\t\tif (!write)\n\t\t\t\tentry = pte_wrprotect(entry);\n\t\t\tif (!young)\n\t\t\t\tentry = pte_mkold(entry);\n\t\t\tif (soft_dirty)\n\t\t\t\tentry = pte_mksoft_dirty(entry);\n\t\t\tif (uffd_wp)\n\t\t\t\tentry = pte_mkuffd_wp(entry);\n\t\t}\n\t\tpte = pte_offset_map(&_pmd, addr);\n\t\tBUG_ON(!pte_none(*pte));\n\t\tset_pte_at(mm, addr, pte, entry);\n\t\tatomic_inc(&page[i]._mapcount);\n\t\tpte_unmap(pte);\n\t}\n\n\t/*\n\t * Set PG_double_map before dropping compound_mapcount to avoid\n\t * false-negative page_mapped().\n\t */\n\tif (compound_mapcount(page) > 1 && !TestSetPageDoubleMap(page)) {\n\t\tfor (i = 0; i < HPAGE_PMD_NR; i++)\n\t\t\tatomic_inc(&page[i]._mapcount);\n\t}\n\n\tif (atomic_add_negative(-1, compound_mapcount_ptr(page))) {\n\t\t/* Last compound_mapcount is gone. 
*/\n\t\t__dec_node_page_state(page, NR_ANON_THPS);\n\t\tif (TestClearPageDoubleMap(page)) {\n\t\t\t/* No need in mapcount reference anymore */\n\t\t\tfor (i = 0; i < HPAGE_PMD_NR; i++)\n\t\t\t\tatomic_dec(&page[i]._mapcount);\n\t\t}\n\t}\n\n\tsmp_wmb(); /* make pte visible before pmd */\n\tpmd_populate(mm, pmd, pgtable);\n\n\tif (freeze) {\n\t\tfor (i = 0; i < HPAGE_PMD_NR; i++) {\n\t\t\tpage_remove_rmap(page + i, false);\n\t\t\tput_page(page + i);\n\t\t}\n\t}\n}", "project": "linux", "hash": 301423751840180454163085798618905798655, "size": 165, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). 
Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364137 }, { "func": "CallResult JSObject::defineOwnComputed(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n DefinePropertyFlags dpFlags,\n Handle<> valueOrAccessor,\n PropOpFlags opFlags) {\n auto converted = toPropertyKeyIfObject(runtime, nameValHandle);\n if (LLVM_UNLIKELY(converted == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n return defineOwnComputedPrimitive(\n selfHandle, runtime, *converted, dpFlags, valueOrAccessor, opFlags);\n}", "project": "hermes", "hash": 67925641949368354630434891577254305516, "size": 13, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230192 }, { "func": "static long fuse_file_fallocate(struct file *file, int mode, loff_t offset,\n\t\t\t\tloff_t length)\n{\n\tstruct fuse_file *ff = file->private_data;\n\tstruct inode *inode = file_inode(file);\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\tstruct fuse_mount *fm = ff->fm;\n\tFUSE_ARGS(args);\n\tstruct fuse_fallocate_in inarg = {\n\t\t.fh = ff->fh,\n\t\t.offset = offset,\n\t\t.length = length,\n\t\t.mode = mode\n\t};\n\tint err;\n\tbool lock_inode = !(mode & FALLOC_FL_KEEP_SIZE) ||\n\t\t\t (mode & FALLOC_FL_PUNCH_HOLE);\n\n\tbool block_faults = FUSE_IS_DAX(inode) && lock_inode;\n\n\tif (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))\n\t\treturn -EOPNOTSUPP;\n\n\tif (fm->fc->no_fallocate)\n\t\treturn -EOPNOTSUPP;\n\n\tif (lock_inode) {\n\t\tinode_lock(inode);\n\t\tif (block_faults) {\n\t\t\tdown_write(&fi->i_mmap_sem);\n\t\t\terr = fuse_dax_break_layouts(inode, 0, 0);\n\t\t\tif (err)\n\t\t\t\tgoto out;\n\t\t}\n\n\t\tif (mode & FALLOC_FL_PUNCH_HOLE) {\n\t\t\tloff_t endbyte = offset + length - 1;\n\n\t\t\terr = fuse_writeback_range(inode, offset, endbyte);\n\t\t\tif (err)\n\t\t\t\tgoto out;\n\t\t}\n\t}\n\n\tif (!(mode & FALLOC_FL_KEEP_SIZE) &&\n\t offset + length > i_size_read(inode)) {\n\t\terr = inode_newsize_ok(inode, offset + length);\n\t\tif (err)\n\t\t\tgoto out;\n\t}\n\n\tif (!(mode & FALLOC_FL_KEEP_SIZE))\n\t\tset_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);\n\n\targs.opcode = FUSE_FALLOCATE;\n\targs.nodeid = ff->nodeid;\n\targs.in_numargs = 1;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\terr = fuse_simple_request(fm, &args);\n\tif (err == -ENOSYS) {\n\t\tfm->fc->no_fallocate = 1;\n\t\terr = -EOPNOTSUPP;\n\t}\n\tif 
(err)\n\t\tgoto out;\n\n\t/* we could have extended the file */\n\tif (!(mode & FALLOC_FL_KEEP_SIZE)) {\n\t\tbool changed = fuse_write_update_size(inode, offset + length);\n\n\t\tif (changed && fm->fc->writeback_cache)\n\t\t\tfile_update_time(file);\n\t}\n\n\tif (mode & FALLOC_FL_PUNCH_HOLE)\n\t\ttruncate_pagecache_range(inode, offset, offset + length - 1);\n\n\tfuse_invalidate_attr(inode);\n\nout:\n\tif (!(mode & FALLOC_FL_KEEP_SIZE))\n\t\tclear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);\n\n\tif (block_faults)\n\t\tup_write(&fi->i_mmap_sem);\n\n\tif (lock_inode)\n\t\tinode_unlock(inode);\n\n\treturn err;\n}", "project": "linux", "hash": 216591883095832120566121437124809366270, "size": 92, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341968 }, { "func": "int kvm_write_guest_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,\n\t\t\t void *data, unsigned long len)\n{\n\treturn kvm_write_guest_offset_cached(kvm, ghc, data, 0, len);\n}", "project": "linux", "hash": 255900095516715494709430640897335927391, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354485 }, { "func": "static int pep_accept_conn(struct sock *sk, struct sk_buff *skb)\n{\n\tstatic const u8 data[20] = {\n\t\tPAD, PAD, PAD, 2 /* sub-blocks */,\n\t\tPN_PIPE_SB_REQUIRED_FC_TX, pep_sb_size(5), 3, PAD,\n\t\t\tPN_MULTI_CREDIT_FLOW_CONTROL,\n\t\t\tPN_ONE_CREDIT_FLOW_CONTROL,\n\t\t\tPN_LEGACY_FLOW_CONTROL,\n\t\t\tPAD,\n\t\tPN_PIPE_SB_PREFERRED_FC_RX, pep_sb_size(5), 3, PAD,\n\t\t\tPN_MULTI_CREDIT_FLOW_CONTROL,\n\t\t\tPN_ONE_CREDIT_FLOW_CONTROL,\n\t\t\tPN_LEGACY_FLOW_CONTROL,\n\t\t\tPAD,\n\t};\n\n\tmight_sleep();\n\treturn pep_reply(sk, skb, PN_PIPE_NO_ERROR, data, sizeof(data),\n\t\t\t\tGFP_KERNEL);\n}", "project": "linux", "hash": 
18550538592136087557075442103657216454, "size": 20, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224816 }, { "func": "static int fuse_getlk(struct file *file, struct file_lock *fl)\n{\n\tstruct inode *inode = file_inode(file);\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tFUSE_ARGS(args);\n\tstruct fuse_lk_in inarg;\n\tstruct fuse_lk_out outarg;\n\tint err;\n\n\tfuse_lk_fill(&args, file, fl, FUSE_GETLK, 0, 0, &inarg);\n\targs.out_numargs = 1;\n\targs.out_args[0].size = sizeof(outarg);\n\targs.out_args[0].value = &outarg;\n\terr = fuse_simple_request(fm, &args);\n\tif (!err)\n\t\terr = convert_fuse_file_lock(fm->fc, &outarg.lk, fl);\n\n\treturn err;\n}", "project": "linux", "hash": 73518546811689409219925967327334445464, "size": 19, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341885 }, { "func": "static int vma_replace_policy(struct vm_area_struct *vma,\n\t\t\t\t\t\tstruct mempolicy *pol)\n{\n\tint err;\n\tstruct mempolicy *old;\n\tstruct mempolicy *new;\n\n\tpr_debug(\"vma %lx-%lx/%lx vm_ops %p vm_file %p set_policy %p\\n\",\n\t\t vma->vm_start, vma->vm_end, vma->vm_pgoff,\n\t\t vma->vm_ops, vma->vm_file,\n\t\t vma->vm_ops ? vma->vm_ops->set_policy : NULL);\n\n\tnew = mpol_dup(pol);\n\tif (IS_ERR(new))\n\t\treturn PTR_ERR(new);\n\n\tif (vma->vm_ops && vma->vm_ops->set_policy) {\n\t\terr = vma->vm_ops->set_policy(vma, new);\n\t\tif (err)\n\t\t\tgoto err_out;\n\t}\n\n\told = vma->vm_policy;\n\tvma->vm_policy = new; /* protected by mmap_sem */\n\tmpol_put(old);\n\n\treturn 0;\n err_out:\n\tmpol_put(new);\n\treturn err;\n}", "project": "linux", "hash": 315927988656548385365839181546632057830, "size": 31, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366730 }, { "func": "static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;\n\tstruct hci_conn *hcon;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\tif (ev->status)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\thcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);\n\tif (hcon) {\n\t\thcon->state = BT_CLOSED;\n\t\thci_conn_del(hcon);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 116613181870041186572187697097184684094, "size": 21, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431929 }, { "func": "static int ca8210_interrupt_init(struct spi_device *spi)\n{\n\tint ret;\n\tstruct ca8210_platform_data *pdata = spi->dev.platform_data;\n\n\tpdata->gpio_irq = of_get_named_gpio(\n\t\tspi->dev.of_node,\n\t\t\"irq-gpio\",\n\t\t0\n\t);\n\n\tpdata->irq_id = gpio_to_irq(pdata->gpio_irq);\n\tif (pdata->irq_id < 0) {\n\t\tdev_crit(\n\t\t\t&spi->dev,\n\t\t\t\"Could not get irq for gpio pin %d\\n\",\n\t\t\tpdata->gpio_irq\n\t\t);\n\t\tgpio_free(pdata->gpio_irq);\n\t\treturn pdata->irq_id;\n\t}\n\n\tret = request_irq(\n\t\tpdata->irq_id,\n\t\tca8210_interrupt_handler,\n\t\tIRQF_TRIGGER_FALLING,\n\t\t\"ca8210-irq\",\n\t\tspi_get_drvdata(spi)\n\t);\n\tif (ret) {\n\t\tdev_crit(&spi->dev, \"request_irq %d failed\\n\", pdata->irq_id);\n\t\tgpio_unexport(pdata->gpio_irq);\n\t\tgpio_free(pdata->gpio_irq);\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 151538684627854817471880992384795466880, "size": 37, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408773 }, { "func": "static apr_byte_t oidc_unsolicited_proto_state(request_rec *r, oidc_cfg *c,\n\t\tconst char *state, oidc_proto_state_t **proto_state) {\n\n\tchar *alg = NULL;\n\toidc_debug(r, 
\"enter: state header=%s\",\n\t\t\toidc_proto_peek_jwt_header(r, state, &alg));\n\n\toidc_jose_error_t err;\n\toidc_jwk_t *jwk = NULL;\n\tif (oidc_util_create_symmetric_key(r, c->provider.client_secret,\n\t\t\toidc_alg2keysize(alg), OIDC_JOSE_ALG_SHA256,\n\t\t\tTRUE, &jwk) == FALSE)\n\t\treturn FALSE;\n\n\toidc_jwt_t *jwt = NULL;\n\tif (oidc_jwt_parse(r->pool, state, &jwt,\n\t\t\toidc_util_merge_symmetric_key(r->pool, c->private_keys, jwk),\n\t\t\t&err) == FALSE) {\n\t\toidc_error(r,\n\t\t\t\t\"could not parse JWT from state: invalid unsolicited response: %s\",\n\t\t\t\toidc_jose_e2s(r->pool, err));\n\t\treturn FALSE;\n\t}\n\n\toidc_jwk_destroy(jwk);\n\toidc_debug(r, \"successfully parsed JWT from state\");\n\n\tif (jwt->payload.iss == NULL) {\n\t\toidc_error(r, \"no \\\"%s\\\" could be retrieved from JWT state, aborting\",\n\t\t\t\tOIDC_CLAIM_ISS);\n\t\toidc_jwt_destroy(jwt);\n\t\treturn FALSE;\n\t}\n\n\toidc_provider_t *provider = oidc_get_provider_for_issuer(r, c,\n\t\t\tjwt->payload.iss, FALSE);\n\tif (provider == NULL) {\n\t\toidc_jwt_destroy(jwt);\n\t\treturn FALSE;\n\t}\n\n\t/* validate the state JWT, validating optional exp + iat */\n\tif (oidc_proto_validate_jwt(r, jwt, provider->issuer, FALSE, FALSE,\n\t\t\tprovider->idtoken_iat_slack,\n\t\t\tOIDC_TOKEN_BINDING_POLICY_DISABLED) == FALSE) {\n\t\toidc_jwt_destroy(jwt);\n\t\treturn FALSE;\n\t}\n\n\tchar *rfp = NULL;\n\tif (oidc_jose_get_string(r->pool, jwt->payload.value.json, OIDC_CLAIM_RFP,\n\t\t\tTRUE, &rfp, &err) == FALSE) {\n\t\toidc_error(r,\n\t\t\t\t\"no \\\"%s\\\" claim could be retrieved from JWT state, aborting: %s\",\n\t\t\t\tOIDC_CLAIM_RFP, oidc_jose_e2s(r->pool, err));\n\t\toidc_jwt_destroy(jwt);\n\t\treturn FALSE;\n\t}\n\n\tif (apr_strnatcmp(rfp, OIDC_PROTO_ISS) != 0) {\n\t\toidc_error(r, \"\\\"%s\\\" (%s) does not match \\\"%s\\\", aborting\",\n\t\t\t\tOIDC_CLAIM_RFP, rfp, OIDC_PROTO_ISS);\n\t\toidc_jwt_destroy(jwt);\n\t\treturn FALSE;\n\t}\n\n\tchar *target_link_uri = 
NULL;\n\toidc_jose_get_string(r->pool, jwt->payload.value.json,\n\t\t\tOIDC_CLAIM_TARGET_LINK_URI,\n\t\t\tFALSE, &target_link_uri, NULL);\n\tif (target_link_uri == NULL) {\n\t\tif (c->default_sso_url == NULL) {\n\t\t\toidc_error(r,\n\t\t\t\t\t\"no \\\"%s\\\" claim could be retrieved from JWT state and no \" OIDCDefaultURL \" is set, aborting\",\n\t\t\t\t\tOIDC_CLAIM_TARGET_LINK_URI);\n\t\t\toidc_jwt_destroy(jwt);\n\t\t\treturn FALSE;\n\t\t}\n\t\ttarget_link_uri = c->default_sso_url;\n\t}\n\n\tif (c->metadata_dir != NULL) {\n\t\tif ((oidc_metadata_get(r, c, jwt->payload.iss, &provider, FALSE)\n\t\t\t\t== FALSE) || (provider == NULL)) {\n\t\t\toidc_error(r, \"no provider metadata found for provider \\\"%s\\\"\",\n\t\t\t\t\tjwt->payload.iss);\n\t\t\toidc_jwt_destroy(jwt);\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\tchar *jti = NULL;\n\toidc_jose_get_string(r->pool, jwt->payload.value.json, OIDC_CLAIM_JTI,\n\t\t\tFALSE, &jti,\n\t\t\tNULL);\n\tif (jti == NULL) {\n\t\tchar *cser = oidc_jwt_serialize(r->pool, jwt, &err);\n\t\tif (cser == NULL)\n\t\t\treturn FALSE;\n\t\tif (oidc_util_hash_string_and_base64url_encode(r, OIDC_JOSE_ALG_SHA256,\n\t\t\t\tcser, &jti) == FALSE) {\n\t\t\toidc_error(r,\n\t\t\t\t\t\"oidc_util_hash_string_and_base64url_encode returned an error\");\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\tchar *replay = NULL;\n\toidc_cache_get_jti(r, jti, &replay);\n\tif (replay != NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"the \\\"%s\\\" value (%s) passed in the browser state was found in the cache already; possible replay attack!?\",\n\t\t\t\tOIDC_CLAIM_JTI, jti);\n\t\toidc_jwt_destroy(jwt);\n\t\treturn FALSE;\n\t}\n\n\t/* jti cache duration is the configured replay prevention window for token issuance plus 10 seconds for safety */\n\tapr_time_t jti_cache_duration = apr_time_from_sec(\n\t\t\tprovider->idtoken_iat_slack * 2 + 10);\n\n\t/* store it in the cache for the calculated duration */\n\toidc_cache_set_jti(r, jti, jti, apr_time_now() + 
jti_cache_duration);\n\n\toidc_debug(r,\n\t\t\t\"jti \\\"%s\\\" validated successfully and is now cached for %\" APR_TIME_T_FMT \" seconds\",\n\t\t\tjti, apr_time_sec(jti_cache_duration));\n\n\tjwk = NULL;\n\tif (oidc_util_create_symmetric_key(r, c->provider.client_secret, 0,\n\t\t\tNULL, TRUE, &jwk) == FALSE)\n\t\treturn FALSE;\n\n\toidc_jwks_uri_t jwks_uri = { provider->jwks_uri,\n\t\t\tprovider->jwks_refresh_interval, provider->ssl_validate_server };\n\tif (oidc_proto_jwt_verify(r, c, jwt, &jwks_uri,\n\t\t\toidc_util_merge_symmetric_key(r->pool, NULL, jwk)) == FALSE) {\n\t\toidc_error(r, \"state JWT could not be validated, aborting\");\n\t\toidc_jwt_destroy(jwt);\n\t\treturn FALSE;\n\t}\n\n\toidc_jwk_destroy(jwk);\n\toidc_debug(r, \"successfully verified state JWT\");\n\n\t*proto_state = oidc_proto_state_new();\n\toidc_proto_state_set_issuer(*proto_state, jwt->payload.iss);\n\toidc_proto_state_set_original_url(*proto_state, target_link_uri);\n\toidc_proto_state_set_original_method(*proto_state, OIDC_METHOD_GET);\n\toidc_proto_state_set_response_mode(*proto_state, provider->response_mode);\n\toidc_proto_state_set_response_type(*proto_state, provider->response_type);\n\toidc_proto_state_set_timestamp_now(*proto_state);\n\n\toidc_jwt_destroy(jwt);\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 201767461697590416116818889197276903449, "size": 157, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447710 }, { "func": "\nstatic void bfq_update_io_thinktime(struct bfq_data *bfqd,\n\t\t\t\t struct bfq_queue *bfqq)\n{\n\tstruct bfq_ttime *ttime = &bfqq->ttime;\n\tu64 elapsed = ktime_get_ns() - bfqq->ttime.last_end_request;\n\n\telapsed = min_t(u64, elapsed, 2ULL * bfqd->bfq_slice_idle);\n\n\tttime->ttime_samples = (7*bfqq->ttime.ttime_samples + 256) / 8;\n\tttime->ttime_total = div_u64(7*ttime->ttime_total + 256*elapsed, 8);\n\tttime->ttime_mean = 
div64_ul(ttime->ttime_total + 128,\n\t\t\t\t ttime->ttime_samples);", "project": "linux", "hash": 135758283964365009119665758057778146903, "size": 13, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] 
el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] 
__wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 
453323 }, { "func": "static void pb_release_single_field(const pb_field_iter_t *iter)\n{\n pb_type_t type;\n type = iter->pos->type;\n\n if (PB_HTYPE(type) == PB_HTYPE_ONEOF)\n {\n if (*(pb_size_t*)iter->pSize != iter->pos->tag)\n return; /* This is not the current field in the union */\n }\n\n /* Release anything contained inside an extension or submsg.\n * This has to be done even if the submsg itself is statically\n * allocated. */\n if (PB_LTYPE(type) == PB_LTYPE_EXTENSION)\n {\n /* Release fields from all extensions in the linked list */\n pb_extension_t *ext = *(pb_extension_t**)iter->pData;\n while (ext != NULL)\n {\n pb_field_iter_t ext_iter;\n iter_from_extension(&ext_iter, ext);\n pb_release_single_field(&ext_iter);\n ext = ext->next;\n }\n }\n else if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE && PB_ATYPE(type) != PB_ATYPE_CALLBACK)\n {\n /* Release fields in submessage or submsg array */\n void *pItem = iter->pData;\n pb_size_t count = 1;\n \n if (PB_ATYPE(type) == PB_ATYPE_POINTER)\n {\n pItem = *(void**)iter->pData;\n }\n \n if (PB_HTYPE(type) == PB_HTYPE_REPEATED)\n {\n if (PB_ATYPE(type) == PB_ATYPE_STATIC && iter->pSize == iter->pData) {\n /* No _count field so use size of the array */\n count = iter->pos->array_size;\n } else {\n count = *(pb_size_t*)iter->pSize;\n }\n\n if (PB_ATYPE(type) == PB_ATYPE_STATIC && count > iter->pos->array_size)\n {\n /* Protect against corrupted _count fields */\n count = iter->pos->array_size;\n }\n }\n \n if (pItem)\n {\n while (count--)\n {\n pb_release((const pb_field_t*)iter->pos->ptr, pItem);\n pItem = (char*)pItem + iter->pos->data_size;\n }\n }\n }\n \n if (PB_ATYPE(type) == PB_ATYPE_POINTER)\n {\n if (PB_HTYPE(type) == PB_HTYPE_REPEATED &&\n (PB_LTYPE(type) == PB_LTYPE_STRING ||\n PB_LTYPE(type) == PB_LTYPE_BYTES))\n {\n /* Release entries in repeated string or bytes array */\n void **pItem = *(void***)iter->pData;\n pb_size_t count = *(pb_size_t*)iter->pSize;\n while (count--)\n {\n pb_free(*pItem);\n *pItem++ 
= NULL;\n }\n }\n \n if (PB_HTYPE(type) == PB_HTYPE_REPEATED)\n {\n /* We are going to release the array, so set the size to 0 */\n *(pb_size_t*)iter->pSize = 0;\n }\n \n /* Release main item */\n pb_free(*(void**)iter->pData);\n *(void**)iter->pData = NULL;\n }\n}", "project": "nanopb", "hash": 189444846113522661826579189329184692779, "size": 90, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252497 }, { "func": "static void pb_release_single_field(pb_field_iter_t *field)\n{\n pb_type_t type;\n type = field->type;\n\n if (PB_HTYPE(type) == PB_HTYPE_ONEOF)\n {\n if (*(pb_size_t*)field->pSize != field->tag)\n return; /* This is not the current field in the union */\n }\n\n /* Release anything contained inside an extension or submsg.\n * This has to be done even if the submsg itself is statically\n * allocated. */\n if (PB_LTYPE(type) == PB_LTYPE_EXTENSION)\n {\n /* Release fields from all extensions in the linked list */\n pb_extension_t *ext = *(pb_extension_t**)field->pData;\n while (ext != NULL)\n {\n pb_field_iter_t ext_iter;\n if (pb_field_iter_begin_extension(&ext_iter, ext))\n {\n pb_release_single_field(&ext_iter);\n }\n ext = ext->next;\n }\n }\n else if (PB_LTYPE_IS_SUBMSG(type) && PB_ATYPE(type) != PB_ATYPE_CALLBACK)\n {\n /* Release fields in submessage or submsg array */\n pb_size_t count = 1;\n \n if (PB_ATYPE(type) == PB_ATYPE_POINTER)\n {\n field->pData = *(void**)field->pField;\n }\n else\n {\n field->pData = field->pField;\n }\n \n if (PB_HTYPE(type) == PB_HTYPE_REPEATED)\n {\n count = *(pb_size_t*)field->pSize;\n\n if (PB_ATYPE(type) == PB_ATYPE_STATIC && count > field->array_size)\n {\n /* Protect against corrupted _count fields */\n count = field->array_size;\n }\n }\n \n if (field->pData)\n {\n for (; count > 0; count--)\n {\n pb_release(field->submsg_desc, field->pData);\n field->pData = (char*)field->pData + 
field->data_size;\n }\n }\n }\n \n if (PB_ATYPE(type) == PB_ATYPE_POINTER)\n {\n if (PB_HTYPE(type) == PB_HTYPE_REPEATED &&\n (PB_LTYPE(type) == PB_LTYPE_STRING ||\n PB_LTYPE(type) == PB_LTYPE_BYTES))\n {\n /* Release entries in repeated string or bytes array */\n void **pItem = *(void***)field->pField;\n pb_size_t count = *(pb_size_t*)field->pSize;\n for (; count > 0; count--)\n {\n pb_free(*pItem);\n *pItem++ = NULL;\n }\n }\n \n if (PB_HTYPE(type) == PB_HTYPE_REPEATED)\n {\n /* We are going to release the array, so set the size to 0 */\n *(pb_size_t*)field->pSize = 0;\n }\n \n /* Release main pointer */\n pb_free(*(void**)field->pField);\n *(void**)field->pField = NULL;\n }\n}", "project": "nanopb", "hash": 31674340861981854261289979826765843932, "size": 90, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254697 }, { "func": "static void pb_release_single_field(const pb_field_iterator_t *iter)\n{\n pb_type_t type;\n type = iter->pos->type;\n\n /* Release anything contained inside an extension or submsg.\n * This has to be done even if the submsg itself is statically\n * allocated. 
*/\n if (PB_LTYPE(type) == PB_LTYPE_EXTENSION)\n {\n /* Release fields from all extensions in the linked list */\n pb_extension_t *ext = *(pb_extension_t**)iter->pData;\n while (ext != NULL)\n {\n pb_field_iterator_t ext_iter;\n iter_from_extension(&ext_iter, ext);\n pb_release_single_field(&ext_iter);\n ext = ext->next;\n }\n }\n else if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE)\n {\n /* Release fields in submessage or submsg array */\n void *pItem = iter->pData;\n pb_size_t count = 1;\n \n if (PB_ATYPE(type) == PB_ATYPE_POINTER)\n {\n pItem = *(void**)iter->pData;\n }\n \n if (PB_HTYPE(type) == PB_HTYPE_REPEATED)\n {\n count = *(pb_size_t*)iter->pSize;\n\n if (PB_ATYPE(type) == PB_ATYPE_STATIC && count > iter->pos->array_size)\n {\n /* Protect against corrupted _count fields */\n count = iter->pos->array_size;\n }\n }\n \n if (pItem)\n {\n while (count--)\n {\n pb_release((const pb_field_t*)iter->pos->ptr, pItem);\n pItem = (uint8_t*)pItem + iter->pos->data_size;\n }\n }\n }\n \n if (PB_ATYPE(type) == PB_ATYPE_POINTER)\n {\n if (PB_HTYPE(type) == PB_HTYPE_REPEATED &&\n (PB_LTYPE(type) == PB_LTYPE_STRING ||\n PB_LTYPE(type) == PB_LTYPE_BYTES))\n {\n /* Release entries in repeated string or bytes array */\n void **pItem = *(void***)iter->pData;\n pb_size_t count = *(pb_size_t*)iter->pSize;\n while (count--)\n {\n pb_free(*pItem);\n *pItem++ = NULL;\n }\n }\n \n if (PB_HTYPE(type) == PB_HTYPE_REPEATED)\n {\n /* We are going to release the array, so set the size to 0 */\n *(pb_size_t*)iter->pSize = 0;\n }\n \n /* Release main item */\n pb_free(*(void**)iter->pData);\n *(void**)iter->pData = NULL;\n }\n}", "project": "nanopb", "hash": 274468000088909233057375923500092894586, "size": 79, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255339 }, { "func": "void fuse_finish_open(struct inode *inode, struct file *file)\n{\n\tstruct fuse_file *ff = 
file->private_data;\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\n\tif (!(ff->open_flags & FOPEN_KEEP_CACHE))\n\t\tinvalidate_inode_pages2(inode->i_mapping);\n\tif (ff->open_flags & FOPEN_STREAM)\n\t\tstream_open(inode, file);\n\telse if (ff->open_flags & FOPEN_NONSEEKABLE)\n\t\tnonseekable_open(inode, file);\n\tif (fc->atomic_o_trunc && (file->f_flags & O_TRUNC)) {\n\t\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\n\t\tspin_lock(&fi->lock);\n\t\tfi->attr_version = atomic64_inc_return(&fc->attr_version);\n\t\ti_size_write(inode, 0);\n\t\tspin_unlock(&fi->lock);\n\t\tfuse_invalidate_attr(inode);\n\t\tif (fc->writeback_cache)\n\t\t\tfile_update_time(file);\n\t}\n\tif ((file->f_mode & FMODE_WRITE) && fc->writeback_cache)\n\t\tfuse_link_write_file(file);\n}", "project": "linux", "hash": 120185883019994467377323567265683457342, "size": 25, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341903 }, { "func": "static apr_status_t ap_session_set(request_rec * r, session_rec * z,\n const char *key, const char *value)\n{\n if (!z) {\n apr_status_t rv;\n rv = ap_session_load(r, &z);\n if (APR_SUCCESS != rv) {\n return rv;\n }\n }\n if (z) {\n if (value) {\n apr_table_set(z->entries, key, value);\n }\n else {\n apr_table_unset(z->entries, key);\n }\n z->dirty = 1;\n }\n return APR_SUCCESS;\n}", "project": "httpd", "hash": 70572836848518574281097783214728123236, "size": 21, "commit_id": "7e09dd714fc62c08c5b0319ed7b9702594faf49b", "message": "mod_session: account for the '&' in identity_concat().\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 389210 }, { "func": "\nstatic void bfq_arm_slice_timer(struct bfq_data *bfqd)\n{\n\tstruct bfq_queue *bfqq = bfqd->in_service_queue;\n\tu32 sl;\n\n\tbfq_mark_bfqq_wait_request(bfqq);\n\n\t/*\n\t * We don't want to idle for seeks, but we do want to allow\n\t * fair distribution of slice time for a process doing back-to-back\n\t * seeks. So allow a little bit of time for him to submit a new rq.\n\t */\n\tsl = bfqd->bfq_slice_idle;\n\t/*\n\t * Unless the queue is being weight-raised or the scenario is\n\t * asymmetric, grant only minimum idle time if the queue\n\t * is seeky. 
A long idling is preserved for a weight-raised\n\t * queue, or, more in general, in an asymmetric scenario,\n\t * because a long idling is needed for guaranteeing to a queue\n\t * its reserved share of the throughput (in particular, it is\n\t * needed if the queue has a higher weight than some other\n\t * queue).\n\t */\n\tif (BFQQ_SEEKY(bfqq) && bfqq->wr_coeff == 1 &&\n\t !bfq_asymmetric_scenario(bfqd, bfqq))\n\t\tsl = min_t(u64, sl, BFQ_MIN_TT);\n\telse if (bfqq->wr_coeff > 1)\n\t\tsl = max_t(u32, sl, 20ULL * NSEC_PER_MSEC);\n\n\tbfqd->last_idling_start = ktime_get();\n\tbfqd->last_idling_start_jiffies = jiffies;\n\n\thrtimer_start(&bfqd->idle_slice_timer, ns_to_ktime(sl),\n\t\t HRTIMER_MODE_REL);\n\tbfqg_stats_set_start_idle_time(bfqq_group(bfqq));", "project": "linux", "hash": 33186109418350065959658990311920254309, "size": 36, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453385 }, { "func": "static void pmao_restore_workaround(bool ebb) { }", "project": "linux", "hash": 35673406322658216747044201358954287027, "size": 1, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call 
Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374677 }, { "func": "static void pmao_restore_workaround(bool ebb)\n{\n\tunsigned pmcs[6];\n\n\tif (!cpu_has_feature(CPU_FTR_PMAO_BUG))\n\t\treturn;\n\n\t/*\n\t * On POWER8E there is a hardware defect which affects the PMU context\n\t * switch logic, ie. power_pmu_disable/enable().\n\t *\n\t * When a counter overflows PMXE is cleared and FC/PMAO is set in MMCR0\n\t * by the hardware. Sometime later the actual PMU exception is\n\t * delivered.\n\t *\n\t * If we context switch, or simply disable/enable, the PMU prior to the\n\t * exception arriving, the exception will be lost when we clear PMAO.\n\t *\n\t * When we reenable the PMU, we will write the saved MMCR0 with PMAO\n\t * set, and this _should_ generate an exception. 
However because of the\n\t * defect no exception is generated when we write PMAO, and we get\n\t * stuck with no counters counting but no exception delivered.\n\t *\n\t * The workaround is to detect this case and tweak the hardware to\n\t * create another pending PMU exception.\n\t *\n\t * We do that by setting up PMC6 (cycles) for an imminent overflow and\n\t * enabling the PMU. That causes a new exception to be generated in the\n\t * chip, but we don't take it yet because we have interrupts hard\n\t * disabled. We then write back the PMU state as we want it to be seen\n\t * by the exception handler. When we reenable interrupts the exception\n\t * handler will be called and see the correct state.\n\t *\n\t * The logic is the same for EBB, except that the exception is gated by\n\t * us having interrupts hard disabled as well as the fact that we are\n\t * not in userspace. The exception is finally delivered when we return\n\t * to userspace.\n\t */\n\n\t/* Only if PMAO is set and PMAO_SYNC is clear */\n\tif ((current->thread.mmcr0 & (MMCR0_PMAO | MMCR0_PMAO_SYNC)) != MMCR0_PMAO)\n\t\treturn;\n\n\t/* If we're doing EBB, only if BESCR[GE] is set */\n\tif (ebb && !(current->thread.bescr & BESCR_GE))\n\t\treturn;\n\n\t/*\n\t * We are already soft-disabled in power_pmu_enable(). 
We need to hard\n\t * disable to actually prevent the PMU exception from firing.\n\t */\n\thard_irq_disable();\n\n\t/*\n\t * This is a bit gross, but we know we're on POWER8E and have 6 PMCs.\n\t * Using read/write_pmc() in a for loop adds 12 function calls and\n\t * almost doubles our code size.\n\t */\n\tpmcs[0] = mfspr(SPRN_PMC1);\n\tpmcs[1] = mfspr(SPRN_PMC2);\n\tpmcs[2] = mfspr(SPRN_PMC3);\n\tpmcs[3] = mfspr(SPRN_PMC4);\n\tpmcs[4] = mfspr(SPRN_PMC5);\n\tpmcs[5] = mfspr(SPRN_PMC6);\n\n\t/* Ensure all freeze bits are unset */\n\tmtspr(SPRN_MMCR2, 0);\n\n\t/* Set up PMC6 to overflow in one cycle */\n\tmtspr(SPRN_PMC6, 0x7FFFFFFE);\n\n\t/* Enable exceptions and unfreeze PMC6 */\n\tmtspr(SPRN_MMCR0, MMCR0_PMXE | MMCR0_PMCjCE | MMCR0_PMAO);\n\n\t/* Now we need to refreeze and restore the PMCs */\n\tmtspr(SPRN_MMCR0, MMCR0_FC | MMCR0_PMAO);\n\n\tmtspr(SPRN_PMC1, pmcs[0]);\n\tmtspr(SPRN_PMC2, pmcs[1]);\n\tmtspr(SPRN_PMC3, pmcs[2]);\n\tmtspr(SPRN_PMC4, pmcs[3]);\n\tmtspr(SPRN_PMC5, pmcs[4]);\n\tmtspr(SPRN_PMC6, pmcs[5]);\n}", "project": "linux", "hash": 169609939629655518358516551807200107360, "size": 84, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n 
perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374748 }, { "func": "static inline int handle_dots(struct nameidata *nd, int type)\n{\n\tif (type == LAST_DOTDOT) {\n\t\tif (!nd->root.mnt)\n\t\t\tset_root(nd);\n\t\tif (nd->flags & LOOKUP_RCU) {\n\t\t\treturn follow_dotdot_rcu(nd);\n\t\t} else\n\t\t\treturn follow_dotdot(nd);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 252492638720056659751430358951998075645, "size": 12, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295442 }, { "func": "static OPJ_BOOL opj_j2k_setup_decoding(opj_j2k_t *p_j2k,\n opj_event_mgr_t * p_manager)\n{\n /* preconditions*/\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n if (! 
opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_decode_tiles, p_manager)) {\n return OPJ_FALSE;\n }\n /* DEVELOPER CORNER, add your custom procedures */\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 50567324052048973117522015997725350598, "size": 15, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357316 }, { "func": "static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char *dest, int dest_len, char **error TSRMLS_DC) /* {{{ */\n{\n\tphp_stream_statbuf ssb;\n\tint len;\n\tphp_stream *fp;\n\tchar *fullpath;\n\tconst char *slash;\n\tmode_t mode;\n\n\tif (entry->is_mounted) {\n\t\t/* silently ignore mounted entries */\n\t\treturn SUCCESS;\n\t}\n\n\tif (entry->filename_len >= sizeof(\".phar\")-1 && !memcmp(entry->filename, \".phar\", sizeof(\".phar\")-1)) {\n\t\treturn SUCCESS;\n\t}\n\n\tlen = spprintf(&fullpath, 0, \"%s/%s\", dest, entry->filename);\n\n\tif (len >= MAXPATHLEN) {\n\t\tchar *tmp;\n\t\t/* truncate for error message */\n\t\tfullpath[50] = '\\0';\n\t\tif (entry->filename_len > 50) {\n\t\t\ttmp = estrndup(entry->filename, 50);\n\t\t\tspprintf(error, 4096, \"Cannot extract \\\"%s...\\\" to \\\"%s...\\\", extracted filename is too long for filesystem\", tmp, fullpath);\n\t\t\tefree(tmp);\n\t\t} else {\n\t\t\tspprintf(error, 4096, \"Cannot extract \\\"%s\\\" to \\\"%s...\\\", extracted filename is too long for filesystem\", entry->filename, fullpath);\n\t\t}\n\t\tefree(fullpath);\n\t\treturn FAILURE;\n\t}\n\n\tif (!len) {\n\t\tspprintf(error, 4096, \"Cannot extract \\\"%s\\\", internal error\", entry->filename);\n\t\tefree(fullpath);\n\t\treturn FAILURE;\n\t}\n\n\tif (PHAR_OPENBASEDIR_CHECKPATH(fullpath)) {\n\t\tspprintf(error, 4096, \"Cannot extract \\\"%s\\\" to \\\"%s\\\", openbasedir/safe mode restrictions in effect\", 
entry->filename, fullpath);\n\t\tefree(fullpath);\n\t\treturn FAILURE;\n\t}\n\n\t/* let see if the path already exists */\n\tif (!overwrite && SUCCESS == php_stream_stat_path(fullpath, &ssb)) {\n\t\tspprintf(error, 4096, \"Cannot extract \\\"%s\\\" to \\\"%s\\\", path already exists\", entry->filename, fullpath);\n\t\tefree(fullpath);\n\t\treturn FAILURE;\n\t}\n\n\t/* perform dirname */\n\tslash = zend_memrchr(entry->filename, '/', entry->filename_len);\n\n\tif (slash) {\n\t\tfullpath[dest_len + (slash - entry->filename) + 1] = '\\0';\n\t} else {\n\t\tfullpath[dest_len] = '\\0';\n\t}\n\n\tif (FAILURE == php_stream_stat_path(fullpath, &ssb)) {\n\t\tif (entry->is_dir) {\n\t\t\tif (!php_stream_mkdir(fullpath, entry->flags & PHAR_ENT_PERM_MASK, PHP_STREAM_MKDIR_RECURSIVE, NULL)) {\n\t\t\t\tspprintf(error, 4096, \"Cannot extract \\\"%s\\\", could not create directory \\\"%s\\\"\", entry->filename, fullpath);\n\t\t\t\tefree(fullpath);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\t\t} else {\n\t\t\tif (!php_stream_mkdir(fullpath, 0777, PHP_STREAM_MKDIR_RECURSIVE, NULL)) {\n\t\t\t\tspprintf(error, 4096, \"Cannot extract \\\"%s\\\", could not create directory \\\"%s\\\"\", entry->filename, fullpath);\n\t\t\t\tefree(fullpath);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (slash) {\n\t\tfullpath[dest_len + (slash - entry->filename) + 1] = '/';\n\t} else {\n\t\tfullpath[dest_len] = '/';\n\t}\n\n\t/* it is a standalone directory, job done */\n\tif (entry->is_dir) {\n\t\tefree(fullpath);\n\t\treturn SUCCESS;\n\t}\n\n#if PHP_API_VERSION < 20100412\n\tfp = php_stream_open_wrapper(fullpath, \"w+b\", REPORT_ERRORS|ENFORCE_SAFE_MODE, NULL);\n#else\n\tfp = php_stream_open_wrapper(fullpath, \"w+b\", REPORT_ERRORS, NULL);\n#endif\n\n\tif (!fp) {\n\t\tspprintf(error, 4096, \"Cannot extract \\\"%s\\\", could not open for writing \\\"%s\\\"\", entry->filename, fullpath);\n\t\tefree(fullpath);\n\t\treturn FAILURE;\n\t}\n\n\tif (!phar_get_efp(entry, 0 TSRMLS_CC)) {\n\t\tif (FAILURE == 
phar_open_entry_fp(entry, error, 1 TSRMLS_CC)) {\n\t\t\tif (error) {\n\t\t\t\tspprintf(error, 4096, \"Cannot extract \\\"%s\\\" to \\\"%s\\\", unable to open internal file pointer: %s\", entry->filename, fullpath, *error);\n\t\t\t} else {\n\t\t\t\tspprintf(error, 4096, \"Cannot extract \\\"%s\\\" to \\\"%s\\\", unable to open internal file pointer\", entry->filename, fullpath);\n\t\t\t}\n\t\t\tefree(fullpath);\n\t\t\tphp_stream_close(fp);\n\t\t\treturn FAILURE;\n\t\t}\n\t}\n\n\tif (FAILURE == phar_seek_efp(entry, 0, SEEK_SET, 0, 0 TSRMLS_CC)) {\n\t\tspprintf(error, 4096, \"Cannot extract \\\"%s\\\" to \\\"%s\\\", unable to seek internal file pointer\", entry->filename, fullpath);\n\t\tefree(fullpath);\n\t\tphp_stream_close(fp);\n\t\treturn FAILURE;\n\t}\n\n\tif (SUCCESS != phar_stream_copy_to_stream(phar_get_efp(entry, 0 TSRMLS_CC), fp, entry->uncompressed_filesize, NULL)) {\n\t\tspprintf(error, 4096, \"Cannot extract \\\"%s\\\" to \\\"%s\\\", copying contents failed\", entry->filename, fullpath);\n\t\tefree(fullpath);\n\t\tphp_stream_close(fp);\n\t\treturn FAILURE;\n\t}\n\n\tphp_stream_close(fp);\n\tmode = (mode_t) entry->flags & PHAR_ENT_PERM_MASK;\n\n\tif (FAILURE == VCWD_CHMOD(fullpath, mode)) {\n\t\tspprintf(error, 4096, \"Cannot extract \\\"%s\\\" to \\\"%s\\\", setting file permissions failed\", entry->filename, fullpath);\n\t\tefree(fullpath);\n\t\treturn FAILURE;\n\t}\n\n\tefree(fullpath);\n\treturn SUCCESS;\n}", "project": "php-src", "hash": 37688762116686819876950467450247800655, "size": 142, "commit_id": "b2cf3f064b8f5efef89bb084521b61318c71781b", "message": "Fixed bug #68901 (use after free)", "target": 0, "dataset": "other", "idx": 413467 }, { "func": "static inline void req_ref_get(struct io_kiocb *req)\n{\n\tWARN_ON_ONCE(req_ref_zero_or_close_to_overflow(req));\n\tatomic_inc(&req->refs);\n}", "project": "linux", "hash": 171615662686923637026179148055805070695, "size": 5, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: 
truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338611 }, { "func": "static int __bprm_mm_init(struct linux_binprm *bprm)\n{\n\tint err;\n\tstruct vm_area_struct *vma = NULL;\n\tstruct mm_struct *mm = bprm->mm;\n\n\tbprm->vma = vma = vm_area_alloc(mm);\n\tif (!vma)\n\t\treturn -ENOMEM;\n\tvma_set_anonymous(vma);\n\n\tif (down_write_killable(&mm->mmap_sem)) {\n\t\terr = -EINTR;\n\t\tgoto err_free;\n\t}\n\n\t/*\n\t * Place the stack at the largest stack address the architecture\n\t * supports. Later, we'll move this to an appropriate place. 
We don't\n\t * use STACK_TOP because that can depend on attributes which aren't\n\t * configured yet.\n\t */\n\tBUILD_BUG_ON(VM_STACK_FLAGS & VM_STACK_INCOMPLETE_SETUP);\n\tvma->vm_end = STACK_TOP_MAX;\n\tvma->vm_start = vma->vm_end - PAGE_SIZE;\n\tvma->vm_flags = VM_SOFTDIRTY | VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;\n\tvma->vm_page_prot = vm_get_page_prot(vma->vm_flags);\n\n\terr = insert_vm_struct(mm, vma);\n\tif (err)\n\t\tgoto err;\n\n\tmm->stack_vm = mm->total_vm = 1;\n\tup_write(&mm->mmap_sem);\n\tbprm->p = vma->vm_end - sizeof(void *);\n\treturn 0;\nerr:\n\tup_write(&mm->mmap_sem);\nerr_free:\n\tbprm->vma = NULL;\n\tvm_area_free(vma);\n\treturn err;\n}", "project": "linux", "hash": 65151142055683825549522725182920174367, "size": 43, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375144 }, { "func": "static void cdeque_free(struct cdeque* d) {\n\tif(!d)\n\t\treturn;\n\n\tif(!d->arr)\n\t\treturn;\n\n\tfree(d->arr);\n\n\td->arr = NULL;\n\td->beg_pos = -1;\n\td->end_pos = -1;\n\td->cap_mask = 0;\n}", "project": "libarchive", "hash": 326496892233416464565385742600108003986, "size": 14, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244750 }, { "func": " static req::ptr GetHelper(const Variant& var, bool public_key,\n const char *passphrase) {\n req::ptr ocert;\n EVP_PKEY *key = nullptr;\n\n if (var.isResource()) {\n auto cert = dyn_cast_or_null(var);\n auto key = dyn_cast_or_null(var);\n if (!cert && !key) return nullptr;\n if (key) {\n bool is_priv = key->isPrivate();\n if (!public_key && !is_priv) {\n raise_warning(\"supplied key param is a public key\");\n return nullptr;\n }\n if (public_key && is_priv) {\n raise_warning(\"Don't know how to get public key from \"\n \"this private key\");\n return nullptr;\n }\n return key;\n }\n ocert = cert;\n } else {\n /* it's an X509 file/cert of some kind, and we need to extract\n the data from that */\n if (public_key) {\n ocert = Certificate::Get(var);\n if (!ocert) {\n /* not a X509 certificate, try to retrieve public key */\n BIO *in = Certificate::ReadData(var);\n if (in == nullptr) return nullptr;\n key = PEM_read_bio_PUBKEY(in, nullptr,nullptr, nullptr);\n BIO_free(in);\n }\n } else {\n /* we want the private key */\n BIO *in = Certificate::ReadData(var);\n if (in == nullptr) return nullptr;\n key = PEM_read_bio_PrivateKey(in, nullptr,nullptr, (void*)passphrase);\n BIO_free(in);\n }\n }\n\n if (public_key && ocert && key == nullptr) {\n /* extract public key from X509 cert */\n key = (EVP_PKEY *)X509_get_pubkey(ocert->get());\n }\n\n if (key) {\n return req::make(key);\n }\n\n return nullptr;\n }", "project": "hhvm", "hash": 146497273215932450765416336318021298367, "size": 55, 
"commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219733 }, { "func": "\nstatic int bfq_bfqq_budget_left(struct bfq_queue *bfqq)\n{\n\tstruct bfq_entity *entity = &bfqq->entity;\n\n\treturn entity->budget - entity->service;", "project": "linux", "hash": 273117927898256663976595513518961910709, "size": 6, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453286 }, { "func": "void input_enable_softrepeat(struct input_dev *dev, int delay, int period)\n{\n\tdev->timer.function = input_repeat_key;\n\tdev->rep[REP_DELAY] = delay;\n\tdev->rep[REP_PERIOD] = period;\n}", "project": "linux", "hash": 279971587647881077306944771301289609294, "size": 6, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353306 }, { "func": "CURLcode init_telnet(struct Curl_easy *data)\n{\n struct TELNET *tn;\n\n tn = calloc(1, sizeof(struct TELNET));\n if(!tn)\n return CURLE_OUT_OF_MEMORY;\n\n data->req.p.telnet = tn; /* make us known */\n\n tn->telrcv_state = CURL_TS_DATA;\n\n /* Init suboptions */\n CURL_SB_CLEAR(tn);\n\n /* Set the options we want by default */\n tn->us_preferred[CURL_TELOPT_SGA] = CURL_YES;\n tn->him_preferred[CURL_TELOPT_SGA] = CURL_YES;\n\n /* To be compliant with previous releases of libcurl\n we enable this option by default. This behavior\n can be changed thanks to the \"BINARY\" option in\n CURLOPT_TELNETOPTIONS\n */\n tn->us_preferred[CURL_TELOPT_BINARY] = CURL_YES;\n tn->him_preferred[CURL_TELOPT_BINARY] = CURL_YES;\n\n /* We must allow the server to echo what we sent\n but it is not necessary to request the server\n to do so (it might forces the server to close\n the connection). Hence, we ignore ECHO in the\n negotiate function\n */\n tn->him_preferred[CURL_TELOPT_ECHO] = CURL_YES;\n\n /* Set the subnegotiation fields to send information\n just after negotiation passed (do/will)\n\n Default values are (0,0) initialized by calloc.\n According to the RFC1013 it is valid:\n A value equal to zero is acceptable for the width (or height),\n and means that no character width (or height) is being sent.\n In this case, the width (or height) that will be assumed by the\n Telnet server is operating system specific (it will probably be\n based upon the terminal type information that may have been sent\n using the TERMINAL TYPE Telnet option). 
*/\n tn->subnegotiation[CURL_TELOPT_NAWS] = CURL_YES;\n return CURLE_OK;\n}", "project": "curl", "hash": 253944610609750378722716235163249684563, "size": 49, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 0, "dataset": "other", "idx": 481501 }, { "func": "DLLEXPORT int DLLCALL tjDecodeYUV(tjhandle handle, const unsigned char *srcBuf,\n\tint pad, int subsamp, unsigned char *dstBuf, int width, int pitch,\n\tint height, int pixelFormat, int flags)\n{\n\tconst unsigned char *srcPlanes[3];\n\tint pw0, ph0, strides[3], retval=-1;\n\n\tif(srcBuf==NULL || pad<0 || !isPow2(pad) || subsamp<0 || subsamp>=NUMSUBOPT\n\t\t|| width<=0 || height<=0)\n\t\t_throw(\"tjDecodeYUV(): Invalid argument\");\n\n\tpw0=tjPlaneWidth(0, width, subsamp);\n\tph0=tjPlaneHeight(0, height, subsamp);\n\tsrcPlanes[0]=srcBuf;\n\tstrides[0]=PAD(pw0, pad);\n\tif(subsamp==TJSAMP_GRAY)\n\t{\n\t\tstrides[1]=strides[2]=0;\n\t\tsrcPlanes[1]=srcPlanes[2]=NULL;\n\t}\n\telse\n\t{\n\t\tint pw1=tjPlaneWidth(1, width, subsamp);\n\t\tint ph1=tjPlaneHeight(1, height, subsamp);\n\t\tstrides[1]=strides[2]=PAD(pw1, pad);\n\t\tsrcPlanes[1]=srcPlanes[0]+strides[0]*ph0;\n\t\tsrcPlanes[2]=srcPlanes[1]+strides[1]*ph1;\n\t}\n\n\treturn tjDecodeYUVPlanes(handle, srcPlanes, strides, subsamp, dstBuf, width,\n\t\tpitch, height, pixelFormat, flags);\n\n\tbailout:\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 61111450252397078426525304308493623428, "size": 35, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... 
when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311094 }, { "func": "static void kvm_arch_vcpu_ioctl_clear_reset(struct kvm_vcpu *vcpu)\n{\n\tstruct kvm_sync_regs *regs = &vcpu->run->s.regs;\n\n\t/* Clear reset is a superset of the initial reset */\n\tkvm_arch_vcpu_ioctl_initial_reset(vcpu);\n\n\tmemset(®s->gprs, 0, sizeof(regs->gprs));\n\tmemset(®s->vrs, 0, sizeof(regs->vrs));\n\tmemset(®s->acrs, 0, sizeof(regs->acrs));\n\tmemset(®s->gscb, 0, sizeof(regs->gscb));\n\n\tregs->etoken = 0;\n\tregs->etoken_extension = 0;\n}", "project": "linux", "hash": 286025818559548158932904353881383081948, "size": 15, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354546 }, { "func": "parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token,\n\t\t reg_syntax_t syntax, reg_errcode_t *err)\n{\n#ifdef _LIBC\n const unsigned char *collseqmb;\n const char *collseqwc;\n uint32_t nrules;\n int32_t table_size;\n const int32_t *symb_table;\n const unsigned char *extra;\n\n /* Local function for parse_bracket_exp used in _LIBC environment.\n Seek the collating symbol entry corresponding to NAME.\n Return the index of the symbol in the SYMB_TABLE,\n or -1 if not found. 
*/\n\n auto inline int32_t\n __attribute__ ((always_inline))\n seek_collating_symbol_entry (const unsigned char *name, size_t name_len)\n {\n int32_t elem;\n\n for (elem = 0; elem < table_size; elem++)\n\tif (symb_table[2 * elem] != 0)\n\t {\n\t int32_t idx = symb_table[2 * elem + 1];\n\t /* Skip the name of collating element name. */\n\t idx += 1 + extra[idx];\n\t if (/* Compare the length of the name. */\n\t\tname_len == extra[idx]\n\t\t/* Compare the name. */\n\t\t&& memcmp (name, &extra[idx + 1], name_len) == 0)\n\t /* Yep, this is the entry. */\n\t return elem;\n\t }\n return -1;\n }\n\n /* Local function for parse_bracket_exp used in _LIBC environment.\n Look up the collation sequence value of BR_ELEM.\n Return the value if succeeded, UINT_MAX otherwise. */\n\n auto inline unsigned int\n __attribute__ ((always_inline))\n lookup_collation_sequence_value (bracket_elem_t *br_elem)\n {\n if (br_elem->type == SB_CHAR)\n\t{\n\t /*\n\t if (MB_CUR_MAX == 1)\n\t */\n\t if (nrules == 0)\n\t return collseqmb[br_elem->opr.ch];\n\t else\n\t {\n\t wint_t wc = __btowc (br_elem->opr.ch);\n\t return __collseq_table_lookup (collseqwc, wc);\n\t }\n\t}\n else if (br_elem->type == MB_CHAR)\n\t{\n\t if (nrules != 0)\n\t return __collseq_table_lookup (collseqwc, br_elem->opr.wch);\n\t}\n else if (br_elem->type == COLL_SYM)\n\t{\n\t size_t sym_name_len = strlen ((char *) br_elem->opr.name);\n\t if (nrules != 0)\n\t {\n\t int32_t elem, idx;\n\t elem = seek_collating_symbol_entry (br_elem->opr.name,\n\t\t\t\t\t\t sym_name_len);\n\t if (elem != -1)\n\t\t{\n\t\t /* We found the entry. */\n\t\t idx = symb_table[2 * elem + 1];\n\t\t /* Skip the name of collating element name. */\n\t\t idx += 1 + extra[idx];\n\t\t /* Skip the byte sequence of the collating element. */\n\t\t idx += 1 + extra[idx];\n\t\t /* Adjust for the alignment. */\n\t\t idx = (idx + 3) & ~3;\n\t\t /* Skip the multibyte collation sequence value. 
*/\n\t\t idx += sizeof (unsigned int);\n\t\t /* Skip the wide char sequence of the collating element. */\n\t\t idx += sizeof (unsigned int) *\n\t\t (1 + *(unsigned int *) (extra + idx));\n\t\t /* Return the collation sequence value. */\n\t\t return *(unsigned int *) (extra + idx);\n\t\t}\n\t else if (sym_name_len == 1)\n\t\t{\n\t\t /* No valid character. Match it as a single byte\n\t\t character. */\n\t\t return collseqmb[br_elem->opr.name[0]];\n\t\t}\n\t }\n\t else if (sym_name_len == 1)\n\t return collseqmb[br_elem->opr.name[0]];\n\t}\n return UINT_MAX;\n }\n\n /* Local function for parse_bracket_exp used in _LIBC environment.\n Build the range expression which starts from START_ELEM, and ends\n at END_ELEM. The result are written to MBCSET and SBCSET.\n RANGE_ALLOC is the allocated size of mbcset->range_starts, and\n mbcset->range_ends, is a pointer argument since we may\n update it. */\n\n auto inline reg_errcode_t\n __attribute__ ((always_inline))\n build_range_exp (bitset_t sbcset, re_charset_t *mbcset, int *range_alloc,\n\t\t bracket_elem_t *start_elem, bracket_elem_t *end_elem)\n {\n unsigned int ch;\n uint32_t start_collseq;\n uint32_t end_collseq;\n\n /* Equivalence Classes and Character Classes can't be a range\n\t start/end. */\n if (BE (start_elem->type == EQUIV_CLASS || start_elem->type == CHAR_CLASS\n\t || end_elem->type == EQUIV_CLASS || end_elem->type == CHAR_CLASS,\n\t 0))\n\treturn REG_ERANGE;\n\n /* FIXME: Implement rational ranges here, too. */\n start_collseq = lookup_collation_sequence_value (start_elem);\n end_collseq = lookup_collation_sequence_value (end_elem);\n /* Check start/end collation sequence values. 
*/\n if (BE (start_collseq == UINT_MAX || end_collseq == UINT_MAX, 0))\n\treturn REG_ECOLLATE;\n if (BE ((syntax & RE_NO_EMPTY_RANGES) && start_collseq > end_collseq, 0))\n\treturn REG_ERANGE;\n\n /* Got valid collation sequence values, add them as a new entry.\n\t However, if we have no collation elements, and the character set\n\t is single byte, the single byte character set that we\n\t build below suffices. */\n if (nrules > 0 || dfa->mb_cur_max > 1)\n\t{\n\t /* Check the space of the arrays. */\n\t if (BE (*range_alloc == mbcset->nranges, 0))\n\t {\n\t /* There is not enough space, need realloc. */\n\t uint32_t *new_array_start;\n\t uint32_t *new_array_end;\n\t Idx new_nranges;\n\n\t /* +1 in case of mbcset->nranges is 0. */\n\t new_nranges = 2 * mbcset->nranges + 1;\n\t new_array_start = re_realloc (mbcset->range_starts, uint32_t,\n\t\t\t\t\t new_nranges);\n\t new_array_end = re_realloc (mbcset->range_ends, uint32_t,\n\t\t\t\t\t new_nranges);\n\n\t if (BE (new_array_start == NULL || new_array_end == NULL, 0))\n\t\treturn REG_ESPACE;\n\n\t mbcset->range_starts = new_array_start;\n\t mbcset->range_ends = new_array_end;\n\t *range_alloc = new_nranges;\n\t }\n\n\t mbcset->range_starts[mbcset->nranges] = start_collseq;\n\t mbcset->range_ends[mbcset->nranges++] = end_collseq;\n\t}\n\n /* Build the table for single byte characters. 
*/\n for (ch = 0; ch < SBC_MAX; ch++)\n\t{\n\t uint32_t ch_collseq;\n\t /*\n\t if (MB_CUR_MAX == 1)\n\t */\n\t if (nrules == 0)\n\t ch_collseq = collseqmb[ch];\n\t else\n\t ch_collseq = __collseq_table_lookup (collseqwc, __btowc (ch));\n\t if (start_collseq <= ch_collseq && ch_collseq <= end_collseq)\n\t bitset_set (sbcset, ch);\n\t}\n return REG_NOERROR;\n }\n\n /* Local function for parse_bracket_exp used in _LIBC environment.\n Build the collating element which is represented by NAME.\n The result are written to MBCSET and SBCSET.\n COLL_SYM_ALLOC is the allocated size of mbcset->coll_sym, is a\n pointer argument since we may update it. */\n\n auto inline reg_errcode_t\n __attribute__ ((always_inline))\n build_collating_symbol (bitset_t sbcset, re_charset_t *mbcset,\n\t\t\t Idx *coll_sym_alloc, const unsigned char *name)\n {\n int32_t elem, idx;\n size_t name_len = strlen ((const char *) name);\n if (nrules != 0)\n\t{\n\t elem = seek_collating_symbol_entry (name, name_len);\n\t if (elem != -1)\n\t {\n\t /* We found the entry. */\n\t idx = symb_table[2 * elem + 1];\n\t /* Skip the name of collating element name. */\n\t idx += 1 + extra[idx];\n\t }\n\t else if (name_len == 1)\n\t {\n\t /* No valid character, treat it as a normal\n\t\t character. */\n\t bitset_set (sbcset, name[0]);\n\t return REG_NOERROR;\n\t }\n\t else\n\t return REG_ECOLLATE;\n\n\t /* Got valid collation sequence, add it as a new entry. */\n\t /* Check the space of the arrays. */\n\t if (BE (*coll_sym_alloc == mbcset->ncoll_syms, 0))\n\t {\n\t /* Not enough, realloc it. */\n\t /* +1 in case of mbcset->ncoll_syms is 0. */\n\t Idx new_coll_sym_alloc = 2 * mbcset->ncoll_syms + 1;\n\t /* Use realloc since mbcset->coll_syms is NULL\n\t\t if *alloc == 0. 
*/\n\t int32_t *new_coll_syms = re_realloc (mbcset->coll_syms, int32_t,\n\t\t\t\t\t\t new_coll_sym_alloc);\n\t if (BE (new_coll_syms == NULL, 0))\n\t\treturn REG_ESPACE;\n\t mbcset->coll_syms = new_coll_syms;\n\t *coll_sym_alloc = new_coll_sym_alloc;\n\t }\n\t mbcset->coll_syms[mbcset->ncoll_syms++] = idx;\n\t return REG_NOERROR;\n\t}\n else\n\t{\n\t if (BE (name_len != 1, 0))\n\t return REG_ECOLLATE;\n\t else\n\t {\n\t bitset_set (sbcset, name[0]);\n\t return REG_NOERROR;\n\t }\n\t}\n }\n#endif\n\n re_token_t br_token;\n re_bitset_ptr_t sbcset;\n#ifdef RE_ENABLE_I18N\n re_charset_t *mbcset;\n Idx coll_sym_alloc = 0, range_alloc = 0, mbchar_alloc = 0;\n Idx equiv_class_alloc = 0, char_class_alloc = 0;\n#endif /* not RE_ENABLE_I18N */\n bool non_match = false;\n bin_tree_t *work_tree;\n int token_len;\n bool first_round = true;\n#ifdef _LIBC\n collseqmb = (const unsigned char *)\n _NL_CURRENT (LC_COLLATE, _NL_COLLATE_COLLSEQMB);\n nrules = _NL_CURRENT_WORD (LC_COLLATE, _NL_COLLATE_NRULES);\n if (nrules)\n {\n /*\n if (MB_CUR_MAX > 1)\n */\n collseqwc = _NL_CURRENT (LC_COLLATE, _NL_COLLATE_COLLSEQWC);\n table_size = _NL_CURRENT_WORD (LC_COLLATE, _NL_COLLATE_SYMB_HASH_SIZEMB);\n symb_table = (const int32_t *) _NL_CURRENT (LC_COLLATE,\n\t\t\t\t\t\t _NL_COLLATE_SYMB_TABLEMB);\n extra = (const unsigned char *) _NL_CURRENT (LC_COLLATE,\n\t\t\t\t\t\t _NL_COLLATE_SYMB_EXTRAMB);\n }\n#endif\n sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1);\n#ifdef RE_ENABLE_I18N\n mbcset = (re_charset_t *) calloc (sizeof (re_charset_t), 1);\n#endif /* RE_ENABLE_I18N */\n#ifdef RE_ENABLE_I18N\n if (BE (sbcset == NULL || mbcset == NULL, 0))\n#else\n if (BE (sbcset == NULL, 0))\n#endif /* RE_ENABLE_I18N */\n {\n re_free (sbcset);\n#ifdef RE_ENABLE_I18N\n re_free (mbcset);\n#endif\n *err = REG_ESPACE;\n return NULL;\n }\n\n token_len = peek_token_bracket (token, regexp, syntax);\n if (BE (token->type == END_OF_RE, 0))\n {\n *err = REG_BADPAT;\n goto parse_bracket_exp_free_return;\n }\n 
if (token->type == OP_NON_MATCH_LIST)\n {\n#ifdef RE_ENABLE_I18N\n mbcset->non_match = 1;\n#endif /* not RE_ENABLE_I18N */\n non_match = true;\n if (syntax & RE_HAT_LISTS_NOT_NEWLINE)\n\tbitset_set (sbcset, '\\n');\n re_string_skip_bytes (regexp, token_len); /* Skip a token. */\n token_len = peek_token_bracket (token, regexp, syntax);\n if (BE (token->type == END_OF_RE, 0))\n\t{\n\t *err = REG_BADPAT;\n\t goto parse_bracket_exp_free_return;\n\t}\n }\n\n /* We treat the first ']' as a normal character. */\n if (token->type == OP_CLOSE_BRACKET)\n token->type = CHARACTER;\n\n while (1)\n {\n bracket_elem_t start_elem, end_elem;\n unsigned char start_name_buf[BRACKET_NAME_BUF_SIZE];\n unsigned char end_name_buf[BRACKET_NAME_BUF_SIZE];\n reg_errcode_t ret;\n int token_len2 = 0;\n bool is_range_exp = false;\n re_token_t token2;\n\n start_elem.opr.name = start_name_buf;\n start_elem.type = COLL_SYM;\n ret = parse_bracket_element (&start_elem, regexp, token, token_len, dfa,\n\t\t\t\t syntax, first_round);\n if (BE (ret != REG_NOERROR, 0))\n\t{\n\t *err = ret;\n\t goto parse_bracket_exp_free_return;\n\t}\n first_round = false;\n\n /* Get information about the next token. We need it in any case. */\n token_len = peek_token_bracket (token, regexp, syntax);\n\n /* Do not check for ranges if we know they are not allowed. */\n if (start_elem.type != CHAR_CLASS && start_elem.type != EQUIV_CLASS)\n\t{\n\t if (BE (token->type == END_OF_RE, 0))\n\t {\n\t *err = REG_EBRACK;\n\t goto parse_bracket_exp_free_return;\n\t }\n\t if (token->type == OP_CHARSET_RANGE)\n\t {\n\t re_string_skip_bytes (regexp, token_len); /* Skip '-'. */\n\t token_len2 = peek_token_bracket (&token2, regexp, syntax);\n\t if (BE (token2.type == END_OF_RE, 0))\n\t\t{\n\t\t *err = REG_EBRACK;\n\t\t goto parse_bracket_exp_free_return;\n\t\t}\n\t if (token2.type == OP_CLOSE_BRACKET)\n\t\t{\n\t\t /* We treat the last '-' as a normal character. 
*/\n\t\t re_string_skip_bytes (regexp, -token_len);\n\t\t token->type = CHARACTER;\n\t\t}\n\t else\n\t\tis_range_exp = true;\n\t }\n\t}\n\n if (is_range_exp == true)\n\t{\n\t end_elem.opr.name = end_name_buf;\n\t end_elem.type = COLL_SYM;\n\t ret = parse_bracket_element (&end_elem, regexp, &token2, token_len2,\n\t\t\t\t dfa, syntax, true);\n\t if (BE (ret != REG_NOERROR, 0))\n\t {\n\t *err = ret;\n\t goto parse_bracket_exp_free_return;\n\t }\n\n\t token_len = peek_token_bracket (token, regexp, syntax);\n\n#ifdef _LIBC\n\t *err = build_range_exp (sbcset, mbcset, &range_alloc,\n\t\t\t\t &start_elem, &end_elem);\n#else\n# ifdef RE_ENABLE_I18N\n\t *err = build_range_exp (syntax, sbcset,\n\t\t\t\t dfa->mb_cur_max > 1 ? mbcset : NULL,\n\t\t\t\t &range_alloc, &start_elem, &end_elem);\n# else\n\t *err = build_range_exp (syntax, sbcset, &start_elem, &end_elem);\n# endif\n#endif /* RE_ENABLE_I18N */\n\t if (BE (*err != REG_NOERROR, 0))\n\t goto parse_bracket_exp_free_return;\n\t}\n else\n\t{\n\t switch (start_elem.type)\n\t {\n\t case SB_CHAR:\n\t bitset_set (sbcset, start_elem.opr.ch);\n\t break;\n#ifdef RE_ENABLE_I18N\n\t case MB_CHAR:\n\t /* Check whether the array has enough space. */\n\t if (BE (mbchar_alloc == mbcset->nmbchars, 0))\n\t\t{\n\t\t wchar_t *new_mbchars;\n\t\t /* Not enough, realloc it. */\n\t\t /* +1 in case of mbcset->nmbchars is 0. */\n\t\t mbchar_alloc = 2 * mbcset->nmbchars + 1;\n\t\t /* Use realloc since array is NULL if *alloc == 0. 
*/\n\t\t new_mbchars = re_realloc (mbcset->mbchars, wchar_t,\n\t\t\t\t\t mbchar_alloc);\n\t\t if (BE (new_mbchars == NULL, 0))\n\t\t goto parse_bracket_exp_espace;\n\t\t mbcset->mbchars = new_mbchars;\n\t\t}\n\t mbcset->mbchars[mbcset->nmbchars++] = start_elem.opr.wch;\n\t break;\n#endif /* RE_ENABLE_I18N */\n\t case EQUIV_CLASS:\n\t *err = build_equiv_class (sbcset,\n#ifdef RE_ENABLE_I18N\n\t\t\t\t\tmbcset, &equiv_class_alloc,\n#endif /* RE_ENABLE_I18N */\n\t\t\t\t\tstart_elem.opr.name);\n\t if (BE (*err != REG_NOERROR, 0))\n\t\tgoto parse_bracket_exp_free_return;\n\t break;\n\t case COLL_SYM:\n\t *err = build_collating_symbol (sbcset,\n#ifdef RE_ENABLE_I18N\n\t\t\t\t\t mbcset, &coll_sym_alloc,\n#endif /* RE_ENABLE_I18N */\n\t\t\t\t\t start_elem.opr.name);\n\t if (BE (*err != REG_NOERROR, 0))\n\t\tgoto parse_bracket_exp_free_return;\n\t break;\n\t case CHAR_CLASS:\n\t *err = build_charclass (regexp->trans, sbcset,\n#ifdef RE_ENABLE_I18N\n\t\t\t\t mbcset, &char_class_alloc,\n#endif /* RE_ENABLE_I18N */\n\t\t\t\t (const char *) start_elem.opr.name,\n\t\t\t\t syntax);\n\t if (BE (*err != REG_NOERROR, 0))\n\t goto parse_bracket_exp_free_return;\n\t break;\n\t default:\n\t assert (0);\n\t break;\n\t }\n\t}\n if (BE (token->type == END_OF_RE, 0))\n\t{\n\t *err = REG_EBRACK;\n\t goto parse_bracket_exp_free_return;\n\t}\n if (token->type == OP_CLOSE_BRACKET)\n\tbreak;\n }\n\n re_string_skip_bytes (regexp, token_len); /* Skip a token. */\n\n /* If it is non-matching list. */\n if (non_match)\n bitset_not (sbcset);\n\n#ifdef RE_ENABLE_I18N\n /* Ensure only single byte characters are set. */\n if (dfa->mb_cur_max > 1)\n bitset_mask (sbcset, dfa->sb_char);\n\n if (mbcset->nmbchars || mbcset->ncoll_syms || mbcset->nequiv_classes\n || mbcset->nranges || (dfa->mb_cur_max > 1 && (mbcset->nchar_classes\n\t\t\t\t\t\t || mbcset->non_match)))\n {\n bin_tree_t *mbc_tree;\n int sbc_idx;\n /* Build a tree for complex bracket. 
*/\n dfa->has_mb_node = 1;\n br_token.type = COMPLEX_BRACKET;\n br_token.opr.mbcset = mbcset;\n mbc_tree = create_token_tree (dfa, NULL, NULL, &br_token);\n if (BE (mbc_tree == NULL, 0))\n\tgoto parse_bracket_exp_espace;\n for (sbc_idx = 0; sbc_idx < BITSET_WORDS; ++sbc_idx)\n\tif (sbcset[sbc_idx])\n\t break;\n /* If there are no bits set in sbcset, there is no point\n\t of having both SIMPLE_BRACKET and COMPLEX_BRACKET. */\n if (sbc_idx < BITSET_WORDS)\n\t{\n\t /* Build a tree for simple bracket. */\n\t br_token.type = SIMPLE_BRACKET;\n\t br_token.opr.sbcset = sbcset;\n\t work_tree = create_token_tree (dfa, NULL, NULL, &br_token);\n\t if (BE (work_tree == NULL, 0))\n\t goto parse_bracket_exp_espace;\n\n\t /* Then join them by ALT node. */\n\t work_tree = create_tree (dfa, work_tree, mbc_tree, OP_ALT);\n\t if (BE (work_tree == NULL, 0))\n\t goto parse_bracket_exp_espace;\n\t}\n else\n\t{\n\t re_free (sbcset);\n\t work_tree = mbc_tree;\n\t}\n }\n else\n#endif /* not RE_ENABLE_I18N */\n {\n#ifdef RE_ENABLE_I18N\n free_charset (mbcset);\n#endif\n /* Build a tree for simple bracket. */\n br_token.type = SIMPLE_BRACKET;\n br_token.opr.sbcset = sbcset;\n work_tree = create_token_tree (dfa, NULL, NULL, &br_token);\n if (BE (work_tree == NULL, 0))\n\tgoto parse_bracket_exp_espace;\n }\n return work_tree;\n\n parse_bracket_exp_espace:\n *err = REG_ESPACE;\n parse_bracket_exp_free_return:\n re_free (sbcset);\n#ifdef RE_ENABLE_I18N\n free_charset (mbcset);\n#endif /* RE_ENABLE_I18N */\n return NULL;\n}", "project": "gnulib", "hash": 232709841888054958779621778612335456169, "size": 545, "commit_id": "5513b40999149090987a0341c018d05d3eea1272", "message": "Diagnose ERE '()|\\1'\n\nProblem reported by Hanno Böck in: http://bugs.gnu.org/21513\n* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep\ntrack of the set of previously-completed subexpressions available\nbefore the first alternative, and restore this set just before\nparsing each subsequent alternative. 
This lets us diagnose the\ninvalid back-reference in the ERE '()|\\1'.", "target": 0, "dataset": "other", "idx": 285553 }, { "func": "static unsigned long move_vma(struct vm_area_struct *vma,\n\t\tunsigned long old_addr, unsigned long old_len,\n\t\tunsigned long new_len, unsigned long new_addr,\n\t\tbool *locked, unsigned long flags,\n\t\tstruct vm_userfaultfd_ctx *uf, struct list_head *uf_unmap)\n{\n\tstruct mm_struct *mm = vma->vm_mm;\n\tstruct vm_area_struct *new_vma;\n\tunsigned long vm_flags = vma->vm_flags;\n\tunsigned long new_pgoff;\n\tunsigned long moved_len;\n\tunsigned long excess = 0;\n\tunsigned long hiwater_vm;\n\tint split = 0;\n\tint err;\n\tbool need_rmap_locks;\n\n\t/*\n\t * We'd prefer to avoid failure later on in do_munmap:\n\t * which may split one vma into three before unmapping.\n\t */\n\tif (mm->map_count >= sysctl_max_map_count - 3)\n\t\treturn -ENOMEM;\n\n\t/*\n\t * Advise KSM to break any KSM pages in the area to be moved:\n\t * it would be confusing if they were to turn up at the new\n\t * location, where they happen to coincide with different KSM\n\t * pages recently unmapped. 
But leave vma->vm_flags as it was,\n\t * so KSM can come around to merge on vma and new_vma afterwards.\n\t */\n\terr = ksm_madvise(vma, old_addr, old_addr + old_len,\n\t\t\t\t\t\tMADV_UNMERGEABLE, &vm_flags);\n\tif (err)\n\t\treturn err;\n\n\tnew_pgoff = vma->vm_pgoff + ((old_addr - vma->vm_start) >> PAGE_SHIFT);\n\tnew_vma = copy_vma(&vma, new_addr, new_len, new_pgoff,\n\t\t\t &need_rmap_locks);\n\tif (!new_vma)\n\t\treturn -ENOMEM;\n\n\tmoved_len = move_page_tables(vma, old_addr, new_vma, new_addr, old_len,\n\t\t\t\t need_rmap_locks);\n\tif (moved_len < old_len) {\n\t\terr = -ENOMEM;\n\t} else if (vma->vm_ops && vma->vm_ops->mremap) {\n\t\terr = vma->vm_ops->mremap(new_vma);\n\t}\n\n\tif (unlikely(err)) {\n\t\t/*\n\t\t * On error, move entries back from new area to old,\n\t\t * which will succeed since page tables still there,\n\t\t * and then proceed to unmap new area instead of old.\n\t\t */\n\t\tmove_page_tables(new_vma, new_addr, vma, old_addr, moved_len,\n\t\t\t\t true);\n\t\tvma = new_vma;\n\t\told_len = new_len;\n\t\told_addr = new_addr;\n\t\tnew_addr = err;\n\t} else {\n\t\tmremap_userfaultfd_prep(new_vma, uf);\n\t\tarch_remap(mm, old_addr, old_addr + old_len,\n\t\t\t new_addr, new_addr + new_len);\n\t}\n\n\t/* Conceal VM_ACCOUNT so old reservation is not undone */\n\tif (vm_flags & VM_ACCOUNT) {\n\t\tvma->vm_flags &= ~VM_ACCOUNT;\n\t\texcess = vma->vm_end - vma->vm_start - old_len;\n\t\tif (old_addr > vma->vm_start &&\n\t\t old_addr + old_len < vma->vm_end)\n\t\t\tsplit = 1;\n\t}\n\n\t/*\n\t * If we failed to move page tables we still do total_vm increment\n\t * since do_munmap() will decrement it by old_len == new_len.\n\t *\n\t * Since total_vm is about to be raised artificially high for a\n\t * moment, we need to restore high watermark afterwards: if stats\n\t * are taken meanwhile, total_vm and hiwater_vm appear too high.\n\t * If this were a serious issue, we'd add a flag to do_munmap().\n\t */\n\thiwater_vm = mm->hiwater_vm;\n\tvm_stat_account(mm, 
vma->vm_flags, new_len >> PAGE_SHIFT);\n\n\t/* Tell pfnmap has moved from this vma */\n\tif (unlikely(vma->vm_flags & VM_PFNMAP))\n\t\tuntrack_pfn_moved(vma);\n\n\tif (unlikely(!err && (flags & MREMAP_DONTUNMAP))) {\n\t\tif (vm_flags & VM_ACCOUNT) {\n\t\t\t/* Always put back VM_ACCOUNT since we won't unmap */\n\t\t\tvma->vm_flags |= VM_ACCOUNT;\n\n\t\t\tvm_acct_memory(new_len >> PAGE_SHIFT);\n\t\t}\n\n\t\t/*\n\t\t * VMAs can actually be merged back together in copy_vma\n\t\t * calling merge_vma. This can happen with anonymous vmas\n\t\t * which have not yet been faulted, so if we were to consider\n\t\t * this VMA split we'll end up adding VM_ACCOUNT on the\n\t\t * next VMA, which is completely unrelated if this VMA\n\t\t * was re-merged.\n\t\t */\n\t\tif (split && new_vma == vma)\n\t\t\tsplit = 0;\n\n\t\t/* We always clear VM_LOCKED[ONFAULT] on the old vma */\n\t\tvma->vm_flags &= VM_LOCKED_CLEAR_MASK;\n\n\t\t/* Because we won't unmap we don't need to touch locked_vm */\n\t\tgoto out;\n\t}\n\n\tif (do_munmap(mm, old_addr, old_len, uf_unmap) < 0) {\n\t\t/* OOM: unable to split vma, just get accounts right */\n\t\tvm_unacct_memory(excess >> PAGE_SHIFT);\n\t\texcess = 0;\n\t}\n\n\tif (vm_flags & VM_LOCKED) {\n\t\tmm->locked_vm += new_len >> PAGE_SHIFT;\n\t\t*locked = true;\n\t}\nout:\n\tmm->hiwater_vm = hiwater_vm;\n\n\t/* Restore VM_ACCOUNT if one or two pieces of vma left */\n\tif (excess) {\n\t\tvma->vm_flags |= VM_ACCOUNT;\n\t\tif (split)\n\t\t\tvma->vm_next->vm_flags |= VM_ACCOUNT;\n\t}\n\n\treturn new_addr;\n}", "project": "linux", "hash": 49687775947434392544613137023795087957, "size": 141, "commit_id": "5bfea2d9b17f1034a68147a8b03b9789af5700f9", "message": "mm: Fix mremap not considering huge pmd devmap\n\nThe original code in mm/mremap.c checks huge pmd by:\n\n\t\tif (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {\n\nHowever, a DAX mapped nvdimm is mapped as huge page (by default) but it\nis not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). 
This commit\nchanges the condition to include the case.\n\nThis addresses CVE-2020-10757.\n\nFixes: 5c7fb56e5e3f (\"mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd\")\nCc: \nReported-by: Fan Yang \nSigned-off-by: Fan Yang \nTested-by: Fan Yang \nTested-by: Dan Williams \nReviewed-by: Dan Williams \nAcked-by: Kirill A. Shutemov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 321572 }, { "func": "int gdImageColorClosest (gdImagePtr im, int r, int g, int b)\n{\n\treturn gdImageColorClosestAlpha (im, r, g, b, gdAlphaOpaque);\n}", "project": "php-src", "hash": 74963017944176013247821597912193970375, "size": 4, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295171 }, { "func": "CLua *lua_call_throttle::find_clua(lua_State *ls)\n{\n return lookup(lua_map, ls, nullptr);\n}", "project": "crawl", "hash": 125552571811215562066263409230267044017, "size": 4, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230532 }, { "func": "int mnt_context_prepare_umount(struct libmnt_context *cxt)\n{\n\tint rc;\n\tstruct libmnt_ns *ns_old;\n\n\tif (!cxt || !cxt->fs || mnt_fs_is_swaparea(cxt->fs))\n\t\treturn -EINVAL;\n\tif (!mnt_context_get_source(cxt) && !mnt_context_get_target(cxt))\n\t\treturn -EINVAL;\n\tif (cxt->flags & MNT_FL_PREPARED)\n\t\treturn 0;\n\n\tassert(cxt->helper_exec_status == 1);\n\tassert(cxt->syscall_status == 1);\n\n\tfree(cxt->helper);\t/* be paranoid */\n\tcxt->helper = NULL;\n\tcxt->action = MNT_ACT_UMOUNT;\n\n\tns_old = mnt_context_switch_target_ns(cxt);\n\tif (!ns_old)\n\t\treturn -MNT_ERR_NAMESPACE;\n\n\trc = lookup_umount_fs(cxt);\n\tif (!rc)\n\t\trc = mnt_context_merge_mflags(cxt);\n\tif (!rc)\n\t\trc = evaluate_permissions(cxt);\n\n\tif (!rc && !cxt->helper) {\n\n\t\tif (cxt->user_mountflags 
& MNT_MS_HELPER)\n\t\t\t/* on helper= mount option based helper */\n\t\t\trc = prepare_helper_from_options(cxt, \"helper\");\n\n\t\tif (!rc && !cxt->helper)\n\t\t\t/* on fstype based helper */\n\t\t\trc = mnt_context_prepare_helper(cxt, \"umount\", NULL);\n\t}\n\n\tif (!rc && (cxt->user_mountflags & MNT_MS_LOOP))\n\t\t/* loop option explicitly specified in mtab, detach this loop */\n\t\tmnt_context_enable_loopdel(cxt, TRUE);\n\n\tif (!rc && mnt_context_is_loopdel(cxt) && cxt->fs) {\n\t\tconst char *src = mnt_fs_get_srcpath(cxt->fs);\n\n\t\tif (src && (!is_loopdev(src) || loopdev_is_autoclear(src)))\n\t\t\tmnt_context_enable_loopdel(cxt, FALSE);\n\t}\n\n\tif (rc) {\n\t\tDBG(CXT, ul_debugobj(cxt, \"umount: preparing failed\"));\n\t\treturn rc;\n\t}\n\tcxt->flags |= MNT_FL_PREPARED;\n\n\tif (!mnt_context_switch_ns(cxt, ns_old))\n\t\treturn -MNT_ERR_NAMESPACE;\n\n\treturn rc;\n}", "project": "util-linux", "hash": 69521287186122037772579766481724463934, "size": 62, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410407 }, { "func": "static int __class_reset_perm_values(__attribute__((unused)) hashtab_key_t k, hashtab_datum_t d, void *args)\n{\n\tstruct cil_perm *perm = (struct cil_perm *)d;\n\n\tperm->value -= *((int *)args);\n\n\treturn SEPOL_OK;\n}", "project": "selinux", "hash": 261808016953225716136035349737105832970, "size": 8, "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8", "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to 
NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter ", "target": 0, "dataset": "other", "idx": 416767 }, { "func": "static void ep_free(struct eventpoll *ep)\n{\n\tstruct rb_node *rbp;\n\tstruct epitem *epi;\n\n\t/* We need to release all tasks waiting for these file */\n\tif (waitqueue_active(&ep->poll_wait))\n\t\tep_poll_safewake(ep, NULL);\n\n\t/*\n\t * We need to lock this because we could be hit by\n\t * eventpoll_release_file() while we're freeing the \"struct eventpoll\".\n\t * We do not need to hold \"ep->mtx\" here because the epoll file\n\t * is on the way to be removed and no one has references to it\n\t * anymore. The only hit might come from eventpoll_release_file() but\n\t * holding \"epmutex\" is sufficient here.\n\t */\n\tmutex_lock(&epmutex);\n\n\t/*\n\t * Walks through the whole tree by unregistering poll callbacks.\n\t */\n\tfor (rbp = rb_first_cached(&ep->rbr); rbp; rbp = rb_next(rbp)) {\n\t\tepi = rb_entry(rbp, struct epitem, rbn);\n\n\t\tep_unregister_pollwait(ep, epi);\n\t\tcond_resched();\n\t}\n\n\t/*\n\t * Walks through the whole tree by freeing each \"struct epitem\". At this\n\t * point we are sure no poll callbacks will be lingering around, and also by\n\t * holding \"epmutex\" we can be sure that no file cleanup code will hit\n\t * us during this operation. 
So we can avoid the lock on \"ep->lock\".\n\t * We do not need to lock ep->mtx, either, we only do it to prevent\n\t * a lockdep warning.\n\t */\n\tmutex_lock(&ep->mtx);\n\twhile ((rbp = rb_first_cached(&ep->rbr)) != NULL) {\n\t\tepi = rb_entry(rbp, struct epitem, rbn);\n\t\tep_remove(ep, epi);\n\t\tcond_resched();\n\t}\n\tmutex_unlock(&ep->mtx);\n\n\tmutex_unlock(&epmutex);\n\tmutex_destroy(&ep->mtx);\n\tfree_uid(ep->user);\n\twakeup_source_unregister(ep->ws);\n\tkfree(ep);\n}", "project": "linux", "hash": 196333493303246648902319214898567378727, "size": 51, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336252 }, { "func": "int tipc_nl_peer_rm(struct sk_buff *skb, struct genl_info *info)\n{\n\tstruct net *net = sock_net(skb->sk);\n\tstruct tipc_net *tn = net_generic(net, tipc_net_id);\n\tstruct nlattr *attrs[TIPC_NLA_NET_MAX + 1];\n\tstruct tipc_node *peer, *temp_node;\n\tu8 node_id[NODE_ID_LEN];\n\tu64 *w0 = (u64 *)&node_id[0];\n\tu64 *w1 = (u64 *)&node_id[8];\n\tu32 addr;\n\tint err;\n\n\t/* We identify the peer by its net */\n\tif (!info->attrs[TIPC_NLA_NET])\n\t\treturn -EINVAL;\n\n\terr = nla_parse_nested_deprecated(attrs, TIPC_NLA_NET_MAX,\n\t\t\t\t\t info->attrs[TIPC_NLA_NET],\n\t\t\t\t\t tipc_nl_net_policy, info->extack);\n\tif (err)\n\t\treturn err;\n\n\t/* attrs[TIPC_NLA_NET_NODEID] and attrs[TIPC_NLA_NET_ADDR] are\n\t * mutually exclusive cases\n\t */\n\tif (attrs[TIPC_NLA_NET_ADDR]) {\n\t\taddr = nla_get_u32(attrs[TIPC_NLA_NET_ADDR]);\n\t\tif (!addr)\n\t\t\treturn -EINVAL;\n\t}\n\n\tif (attrs[TIPC_NLA_NET_NODEID]) {\n\t\tif (!attrs[TIPC_NLA_NET_NODEID_W1])\n\t\t\treturn -EINVAL;\n\t\t*w0 = nla_get_u64(attrs[TIPC_NLA_NET_NODEID]);\n\t\t*w1 = nla_get_u64(attrs[TIPC_NLA_NET_NODEID_W1]);\n\t\taddr = hash128to32(node_id);\n\t}\n\n\tif (in_own_node(net, addr))\n\t\treturn 
-ENOTSUPP;\n\n\tspin_lock_bh(&tn->node_list_lock);\n\tpeer = tipc_node_find(net, addr);\n\tif (!peer) {\n\t\tspin_unlock_bh(&tn->node_list_lock);\n\t\treturn -ENXIO;\n\t}\n\n\ttipc_node_write_lock(peer);\n\tif (peer->state != SELF_DOWN_PEER_DOWN &&\n\t peer->state != SELF_DOWN_PEER_LEAVING) {\n\t\ttipc_node_write_unlock(peer);\n\t\terr = -EBUSY;\n\t\tgoto err_out;\n\t}\n\n\ttipc_node_clear_links(peer);\n\ttipc_node_write_unlock(peer);\n\ttipc_node_delete(peer);\n\n\t/* Calculate cluster capabilities */\n\ttn->capabilities = TIPC_NODE_CAPABILITIES;\n\tlist_for_each_entry_rcu(temp_node, &tn->node_list, list) {\n\t\ttn->capabilities &= temp_node->capabilities;\n\t}\n\ttipc_bcast_toggle_rcast(net, (tn->capabilities & TIPC_BCAST_RCAST));\n\terr = 0;\nerr_out:\n\ttipc_node_put(peer);\n\tspin_unlock_bh(&tn->node_list_lock);\n\n\treturn err;\n}", "project": "linux", "hash": 338778271147709169880258409395448467749, "size": 74, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit 
net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 
mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364904 }, { "func": "static int mt_reset_resume(struct hid_device *hdev)\n{\n\tmt_release_contacts(hdev);\n\tmt_set_modes(hdev, HID_LATENCY_NORMAL, true, true);\n\treturn 0;\n}", "project": "linux", "hash": 238691802419665626267202015434874157763, "size": 6, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458361 }, { "func": "static void pointer_event(VncState *vs, int button_mask, int x, int y)\n{\n static uint32_t bmap[INPUT_BUTTON_MAX] = {\n [INPUT_BUTTON_LEFT] = 0x01,\n [INPUT_BUTTON_MIDDLE] = 0x02,\n [INPUT_BUTTON_RIGHT] = 0x04,\n [INPUT_BUTTON_WHEEL_UP] = 0x08,\n [INPUT_BUTTON_WHEEL_DOWN] = 0x10,\n };\n QemuConsole *con = vs->vd->dcl.con;\n int width = pixman_image_get_width(vs->vd->server);\n int height = pixman_image_get_height(vs->vd->server);\n\n if (vs->last_bmask != button_mask) {\n qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);\n vs->last_bmask = button_mask;\n }\n\n if (vs->absolute) {\n qemu_input_queue_abs(con, INPUT_AXIS_X, x, width);\n qemu_input_queue_abs(con, INPUT_AXIS_Y, y, height);\n } else if (vnc_has_feature(vs, 
VNC_FEATURE_POINTER_TYPE_CHANGE)) {\n qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);\n qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);\n } else {\n if (vs->last_x != -1) {\n qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);\n qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);\n }\n vs->last_x = x;\n vs->last_y = y;\n }\n qemu_input_event_sync();\n}", "project": "qemu", "hash": 271626691180306131805962796214773390909, "size": 34, "commit_id": "4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3", "message": "ui: vnc: avoid floating point exception\n\nWhile sending 'SetPixelFormat' messages to a VNC server,\nthe client could set the 'red-max', 'green-max' and 'blue-max'\nvalues to be zero. This leads to a floating point exception in\nwrite_png_palette while doing frame buffer updates.\n\nReported-by: Lian Yihan \nSigned-off-by: Prasad J Pandit \nReviewed-by: Gerd Hoffmann \nSigned-off-by: Peter Maydell ", "target": 0, "dataset": "other", "idx": 330486 }, { "func": "static int parse_filter(struct archive_read* ar, const uint8_t* p) {\n\tuint32_t block_start, block_length;\n\tuint16_t filter_type;\n\tstruct filter_info* filt = NULL;\n\tstruct rar5* rar = get_context(ar);\n\n\t/* Read the parameters from the input stream. */\n\tif(ARCHIVE_OK != parse_filter_data(rar, p, &block_start))\n\t\treturn ARCHIVE_EOF;\n\n\tif(ARCHIVE_OK != parse_filter_data(rar, p, &block_length))\n\t\treturn ARCHIVE_EOF;\n\n\tif(ARCHIVE_OK != read_bits_16(rar, p, &filter_type))\n\t\treturn ARCHIVE_EOF;\n\n\tfilter_type >>= 13;\n\tskip_bits(rar, 3);\n\n\t/* Perform some sanity checks on this filter parameters. Note that we\n\t * allow only DELTA, E8/E9 and ARM filters here, because rest of\n\t * filters are not used in RARv5. 
*/\n\n\tif(block_length < 4 ||\n\t block_length > 0x400000 ||\n\t filter_type > FILTER_ARM ||\n\t !is_valid_filter_block_start(rar, block_start))\n\t{\n\t\tarchive_set_error(&ar->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Invalid filter encountered\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\t/* Allocate a new filter. */\n\tfilt = add_new_filter(rar);\n\tif(filt == NULL) {\n\t\tarchive_set_error(&ar->archive, ENOMEM,\n\t\t \"Can't allocate memory for a filter descriptor.\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tfilt->type = filter_type;\n\tfilt->block_start = rar->cstate.write_ptr + block_start;\n\tfilt->block_length = block_length;\n\n\trar->cstate.last_block_start = filt->block_start;\n\trar->cstate.last_block_length = filt->block_length;\n\n\t/* Read some more data in case this is a DELTA filter. Other filter\n\t * types don't require any additional data over what was already\n\t * read. */\n\tif(filter_type == FILTER_DELTA) {\n\t\tint channels;\n\n\t\tif(ARCHIVE_OK != read_consume_bits(rar, p, 5, &channels))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\tfilt->channels = channels + 1;\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 4164371290029335057584565812652023908, "size": 62, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244742 }, { "func": "static int parse_filter(const char *spec, struct USBAutoFilter *f)\n{\n enum { BUS, DEV, VID, PID, DONE };\n const char *p = spec;\n int i;\n\n f->bus_num = -1;\n f->addr = -1;\n f->vendor_id = -1;\n f->product_id = -1;\n\n for (i = BUS; i < DONE; i++) {\n \tp = strpbrk(p, \":.\");\n \tif (!p) break;\n p++;\n \n \tif (*p == '*')\n continue;\n\n switch(i) {\n case BUS: f->bus_num = strtol(p, NULL, 10); break;\n case DEV: f->addr = strtol(p, NULL, 10); break;\n case VID: f->vendor_id = strtol(p, NULL, 16); break;\n case PID: f->product_id = strtol(p, NULL, 16); break;\n }\n }\n\n if (i < DEV) {\n fprintf(stderr, \"husb: invalid auto filter spec %s\\n\", spec);\n return -1;\n }\n\n return 0;\n}", "project": "qemu", "hash": 193266224385206357158962055348077095472, "size": 34, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346290 }, { "func": "void ap_core_reorder_directories(apr_pool_t *p, server_rec *s)\n{\n core_server_config *sconf;\n apr_array_header_t *sec_dir;\n struct reorder_sort_rec *sortbin;\n int nelts;\n ap_conf_vector_t **elts;\n int i;\n apr_pool_t *tmp;\n\n sconf = ap_get_core_module_config(s->module_config);\n sec_dir = sconf->sec_dir;\n nelts = sec_dir->nelts;\n elts = (ap_conf_vector_t **)sec_dir->elts;\n\n if (!nelts) {\n /* simple case of already being sorted... */\n /* We're not checking this condition to be fast... 
we're checking\n * it to avoid trying to palloc zero bytes, which can trigger some\n * memory debuggers to barf\n */\n return;\n }\n\n /* we have to allocate tmp space to do a stable sort */\n apr_pool_create(&tmp, p);\n sortbin = apr_palloc(tmp, sec_dir->nelts * sizeof(*sortbin));\n for (i = 0; i < nelts; ++i) {\n sortbin[i].orig_index = i;\n sortbin[i].elt = elts[i];\n }\n\n qsort(sortbin, nelts, sizeof(*sortbin), reorder_sorter);\n\n /* and now copy back to the original array */\n for (i = 0; i < nelts; ++i) {\n elts[i] = sortbin[i].elt;\n }\n\n apr_pool_destroy(tmp);\n}", "project": "httpd", "hash": 287976147966505783161863161024781606684, "size": 41, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246246 }, { "func": "void __init kmem_cache_init(void)\n{\n\tstatic __initdata struct kmem_cache boot_kmem_cache,\n\t\tboot_kmem_cache_node;\n\n\tif (debug_guardpage_minorder())\n\t\tslub_max_order = 0;\n\n\tkmem_cache_node = &boot_kmem_cache_node;\n\tkmem_cache = &boot_kmem_cache;\n\n\tcreate_boot_cache(kmem_cache_node, \"kmem_cache_node\",\n\t\tsizeof(struct kmem_cache_node), SLAB_HWCACHE_ALIGN, 0, 0);\n\n\tregister_hotmemory_notifier(&slab_memory_callback_nb);\n\n\t/* Able to allocate the per node structures */\n\tslab_state = PARTIAL;\n\n\tcreate_boot_cache(kmem_cache, \"kmem_cache\",\n\t\t\toffsetof(struct kmem_cache, node) +\n\t\t\t\tnr_node_ids * sizeof(struct kmem_cache_node *),\n\t\t SLAB_HWCACHE_ALIGN, 0, 0);\n\n\tkmem_cache = bootstrap(&boot_kmem_cache);\n\tkmem_cache_node = bootstrap(&boot_kmem_cache_node);\n\n\t/* Now we can use the 
kmem_cache to allocate kmalloc slabs */\n\tsetup_kmalloc_cache_index_table();\n\tcreate_kmalloc_caches(0);\n\n\t/* Setup random freelists for each cache */\n\tinit_freelist_randomization();\n\n\tcpuhp_setup_state_nocalls(CPUHP_SLUB_DEAD, \"slub:dead\", NULL,\n\t\t\t\t slub_cpu_dead);\n\n\tpr_info(\"SLUB: HWalign=%d, Order=%u-%u, MinObjects=%u, CPUs=%u, Nodes=%u\\n\",\n\t\tcache_line_size(),\n\t\tslub_min_order, slub_max_order, slub_min_objects,\n\t\tnr_cpu_ids, nr_node_ids);\n}", "project": "linux", "hash": 294206897054908014476579601455253607516, "size": 42, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280048 }, { "func": "static int fuse_update_get_attr(struct inode *inode, struct file *file,\n\t\t\t\tstruct kstat *stat, u32 request_mask,\n\t\t\t\tunsigned int flags)\n{\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\tint err = 0;\n\tbool sync;\n\n\tif (flags & AT_STATX_FORCE_SYNC)\n\t\tsync = true;\n\telse if (flags & AT_STATX_DONT_SYNC)\n\t\tsync = false;\n\telse if (request_mask & READ_ONCE(fi->inval_mask))\n\t\tsync = true;\n\telse\n\t\tsync = time_before64(fi->i_time, get_jiffies_64());\n\n\tif (sync) {\n\t\tforget_all_cached_acls(inode);\n\t\terr = fuse_do_getattr(inode, stat, file);\n\t} else if 
(stat) {\n\t\tgeneric_fillattr(inode, stat);\n\t\tstat->mode = fi->orig_i_mode;\n\t\tstat->ino = fi->orig_ino;\n\t}\n\n\treturn err;\n}", "project": "linux", "hash": 219990268890587466572981253823501236494, "size": 28, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341880 }, { "func": "static void discoverable_update_work(struct work_struct *work)\n{\n\tstruct hci_dev *hdev = container_of(work, struct hci_dev,\n\t\t\t\t\t discoverable_update);\n\tu8 status;\n\n\thci_req_sync(hdev, discoverable_update, 0, HCI_CMD_TIMEOUT, &status);\n\tmgmt_set_discoverable_complete(hdev, status);\n}", "project": "linux", "hash": 112992923737532705909449316252762244738, "size": 9, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402528 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " void DecodeSingleFrame(const scoped_refptr& buffer,\n VideoDecoder::DecoderStatus* status,\n scoped_refptr* video_frame) {\n EXPECT_CALL(*demuxer_, Read(_))\n .WillOnce(ReturnBuffer(buffer))\n .WillRepeatedly(ReturnBuffer(end_of_stream_buffer_));\n\n EXPECT_CALL(statistics_cb_, OnStatistics(_));\n\n Read(status, video_frame);\n }\n", "cwe": "", "big_vul_idx": 113337, "idx": 101629, "hash": 149268303906827778164256697993669431137 }, { "func": "static void svm_set_vintr(struct vcpu_svm *svm)\n{\n\tset_intercept(svm, INTERCEPT_VINTR);\n}", "project": "linux", "hash": 225583001781914137183164369784071109125, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432592 }, { "func": "static void execlists_reset(struct intel_engine_cs *engine, bool stalled)\n{\n\tunsigned long flags;\n\n\tGEM_TRACE(\"%s\\n\", engine->name);\n\n\tspin_lock_irqsave(&engine->active.lock, flags);\n\n\t__execlists_reset(engine, stalled);\n\n\tspin_unlock_irqrestore(&engine->active.lock, flags);\n}", "project": "linux", "hash": 42899689275388062428323751256331060606, "size": 12, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281450 }, { "func": "static STACK_OF(X509) * php_array_to_X509_sk(zval * zcerts) /* {{{ */\n{\n\tzval * zcertval;\n\tSTACK_OF(X509) * sk = NULL;\n\tX509 * cert;\n\tzend_resource *certresource;\n\n\tsk = sk_X509_new_null();\n\n\t/* get certs */\n\tif (Z_TYPE_P(zcerts) == IS_ARRAY) {\n\t\tZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(zcerts), zcertval) {\n\t\t\tcert = php_openssl_x509_from_zval(zcertval, 0, &certresource);\n\t\t\tif (cert == NULL) {\n\t\t\t\tgoto clean_exit;\n\t\t\t}\n\n\t\t\tif (certresource != NULL) {\n\t\t\t\tcert = X509_dup(cert);\n\n\t\t\t\tif (cert == NULL) {\n\t\t\t\t\tphp_openssl_store_errors();\n\t\t\t\t\tgoto clean_exit;\n\t\t\t\t}\n\n\t\t\t}\n\t\t\tsk_X509_push(sk, cert);\n\t\t} ZEND_HASH_FOREACH_END();\n\t} else {\n\t\t/* a single certificate */\n\t\tcert = php_openssl_x509_from_zval(zcerts, 0, &certresource);\n\n\t\tif (cert == NULL) {\n\t\t\tgoto clean_exit;\n\t\t}\n\n\t\tif (certresource != NULL) {\n\t\t\tcert = X509_dup(cert);\n\t\t\tif (cert == NULL) {\n\t\t\t\tphp_openssl_store_errors();\n\t\t\t\tgoto clean_exit;\n\t\t\t}\n\t\t}\n\t\tsk_X509_push(sk, cert);\n\t}\n\nclean_exit:\n\treturn sk;\n}", "project": "php-src", "hash": 301948459110204553960034237733768158892, "size": 49, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291370 }, { "func": "can_change_cond_ref_to_const(Item_bool_func2 *target,\n Item *target_expr, Item *target_value,\n Item_bool_func2 *source,\n Item *source_expr, Item 
*source_const)\n{\n return target_expr->eq(source_expr,0) &&\n target_value != source_const &&\n target->compare_type_handler()->\n can_change_cond_ref_to_const(target, target_expr, target_value,\n source, source_expr, source_const);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 251847242973212951435434884128458012647, "size": 11, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508548 }, { "func": "static void list_slab_objects(struct kmem_cache *s, struct page *page,\n\t\t\t\t\t\t\tconst char *text)\n{\n#ifdef CONFIG_SLUB_DEBUG\n\tvoid *addr = page_address(page);\n\tvoid *p;\n\tunsigned long *map;\n\n\tslab_err(s, page, text, s->name);\n\tslab_lock(page);\n\n\tmap = get_map(s, page);\n\tfor_each_object(p, s, addr, page->objects) {\n\n\t\tif (!test_bit(slab_index(p, s, addr), map)) {\n\t\t\tpr_err(\"INFO: Object 0x%p @offset=%tu\\n\", p, p - addr);\n\t\t\tprint_tracking(s, p);\n\t\t}\n\t}\n\tput_map(map);\n\n\tslab_unlock(page);\n#endif\n}", "project": "linux", "hash": 98894920109244962148849249083824572971, "size": 24, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280162 }, { "func": "static enum_func_status\nphp_mysqlnd_read_error_from_line(zend_uchar *buf, size_t buf_len,\n\t\t\t\t\t\t\t\tchar *error, int error_buf_len,\n\t\t\t\t\t\t\t\tunsigned int *error_no, char *sqlstate TSRMLS_DC)\n{\n\tzend_uchar *p = buf;\n\tint error_msg_len= 0;\n\n\tDBG_ENTER(\"php_mysqlnd_read_error_from_line\");\n\n\t*error_no = CR_UNKNOWN_ERROR;\n\tmemcpy(sqlstate, unknown_sqlstate, MYSQLND_SQLSTATE_LENGTH);\n\n\tif (buf_len > 2) {\n\t\t*error_no = uint2korr(p);\n\t\tp+= 2;\n\t\t/*\n\t\t sqlstate is following. No need to check for buf_left_len as we checked > 2 above,\n\t\t if it was >=2 then we would need a check\n\t\t*/\n\t\tif (*p == '#') {\n\t\t\t++p;\n\t\t\tif ((buf_len - (p - buf)) >= MYSQLND_SQLSTATE_LENGTH) {\n\t\t\t\tmemcpy(sqlstate, p, MYSQLND_SQLSTATE_LENGTH);\n\t\t\t\tp+= MYSQLND_SQLSTATE_LENGTH;\n\t\t\t} else {\n\t\t\t\tgoto end;\n\t\t\t}\n\t\t}\n\t\tif ((buf_len - (p - buf)) > 0) {\n\t\t\terror_msg_len = MIN((int)((buf_len - (p - buf))), (int) (error_buf_len - 1));\n\t\t\tmemcpy(error, p, error_msg_len);\n\t\t}\n\t}\nend:\n\tsqlstate[MYSQLND_SQLSTATE_LENGTH] = '\\0';\n\terror[error_msg_len]= '\\0';\n\n\tDBG_RETURN(FAIL);", "project": "php-src", "hash": 59705050806846886960213004822524746216, "size": 39, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416663 }, { "func": "static void encode_locku(struct xdr_stream *xdr, const struct nfs_locku_args *args, struct compound_hdr *hdr)\n{\n\t__be32 
*p;\n\n\tencode_op_hdr(xdr, OP_LOCKU, decode_locku_maxsz, hdr);\n\tencode_uint32(xdr, nfs4_lock_type(args->fl, 0));\n\tencode_nfs4_seqid(xdr, args->seqid);\n\tencode_nfs4_stateid(xdr, &args->stateid);\n\tp = reserve_space(xdr, 16);\n\tp = xdr_encode_hyper(p, args->fl->fl_start);\n\txdr_encode_hyper(p, nfs4_lock_length(args->fl));\n}", "project": "linux", "hash": 247511985813849994835257218841923044926, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431394 }, { "func": "static void setfreq(struct gspca_dev *gspca_dev, s32 val)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\tsetfreq_i(sd, val);\n\n\t/* Ugly but necessary */\n\tif (sd->bridge == BRIDGE_W9968CF)\n\t\tw9968cf_set_crop_window(sd);\n}", "project": "linux", "hash": 299377689267918695121981730254104588863, "size": 10, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 
0, "dataset": "other", "idx": 306318 }, { "func": "DLLEXPORT int DLLCALL tjCompress(tjhandle handle, unsigned char *srcBuf,\n\tint width, int pitch, int height, int pixelSize, unsigned char *jpegBuf,\n\tunsigned long *jpegSize, int jpegSubsamp, int jpegQual, int flags)\n{\n\tint retval=0; unsigned long size;\n\tif(flags&TJ_YUV)\n\t{\n\t\tsize=tjBufSizeYUV(width, height, jpegSubsamp);\n\t\tretval=tjEncodeYUV2(handle, srcBuf, width, pitch, height,\n\t\t\tgetPixelFormat(pixelSize, flags), jpegBuf, jpegSubsamp, flags);\n\t}\n\telse\n\t{\n\t\tretval=tjCompress2(handle, srcBuf, width, pitch, height,\n\t\t\tgetPixelFormat(pixelSize, flags), &jpegBuf, &size, jpegSubsamp, jpegQual,\n\t\t\tflags|TJFLAG_NOREALLOC);\n\t}\n\t*jpegSize=size;\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 261647440793956428215117382330564132951, "size": 20, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311099 }, { "func": "}\n\nstatic int\niscsi_get_chap(struct iscsi_transport *transport, struct nlmsghdr *nlh)\n{\n\tstruct iscsi_uevent *ev = nlmsg_data(nlh);\n\tstruct Scsi_Host *shost = NULL;\n\tstruct iscsi_chap_rec *chap_rec;\n\tstruct iscsi_internal *priv;\n\tstruct sk_buff *skbchap;\n\tstruct nlmsghdr *nlhchap;\n\tstruct iscsi_uevent *evchap;\n\tuint32_t chap_buf_size;\n\tint len, err = 0;\n\tchar *buf;\n\n\tif (!transport->get_chap)\n\t\treturn -EINVAL;\n\n\tpriv = iscsi_if_transport_lookup(transport);\n\tif (!priv)\n\t\treturn -EINVAL;\n\n\tchap_buf_size = (ev->u.get_chap.num_entries * sizeof(*chap_rec));\n\tlen = nlmsg_total_size(sizeof(*ev) + chap_buf_size);\n\n\tshost = scsi_host_lookup(ev->u.get_chap.host_no);\n\tif (!shost) {\n\t\tprintk(KERN_ERR \"%s: failed. 
Could not find host no %u\\n\",\n\t\t __func__, ev->u.get_chap.host_no);\n\t\treturn -ENODEV;\n\t}\n\n\tdo {\n\t\tint actual_size;\n\n\t\tskbchap = alloc_skb(len, GFP_KERNEL);\n\t\tif (!skbchap) {\n\t\t\tprintk(KERN_ERR \"can not deliver chap: OOM\\n\");\n\t\t\terr = -ENOMEM;\n\t\t\tgoto exit_get_chap;\n\t\t}\n\n\t\tnlhchap = __nlmsg_put(skbchap, 0, 0, 0,\n\t\t\t\t (len - sizeof(*nlhchap)), 0);\n\t\tevchap = nlmsg_data(nlhchap);\n\t\tmemset(evchap, 0, sizeof(*evchap));\n\t\tevchap->transport_handle = iscsi_handle(transport);\n\t\tevchap->type = nlh->nlmsg_type;\n\t\tevchap->u.get_chap.host_no = ev->u.get_chap.host_no;\n\t\tevchap->u.get_chap.chap_tbl_idx = ev->u.get_chap.chap_tbl_idx;\n\t\tevchap->u.get_chap.num_entries = ev->u.get_chap.num_entries;\n\t\tbuf = (char *)evchap + sizeof(*evchap);\n\t\tmemset(buf, 0, chap_buf_size);\n\n\t\terr = transport->get_chap(shost, ev->u.get_chap.chap_tbl_idx,\n\t\t\t\t &evchap->u.get_chap.num_entries, buf);\n\n\t\tactual_size = nlmsg_total_size(sizeof(*ev) + chap_buf_size);\n\t\tskb_trim(skbchap, NLMSG_ALIGN(actual_size));\n\t\tnlhchap->nlmsg_len = actual_size;\n\n\t\terr = iscsi_multicast_skb(skbchap, ISCSI_NL_GRP_ISCSID,\n\t\t\t\t\t GFP_KERNEL);\n\t} while (err < 0 && err != -ECONNREFUSED);\n\nexit_get_chap:", "project": "linux", "hash": 49857154522248434637308755242968044115, "size": 67, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 380005 }, { "func": "static void gotoxy(struct vc_data *vc, int new_x, int new_y)\n{\n\tint min_y, max_y;\n\n\tif (new_x < 0)\n\t\tvc->vc_x = 0;\n\telse {\n\t\tif (new_x >= vc->vc_cols)\n\t\t\tvc->vc_x = vc->vc_cols - 1;\n\t\telse\n\t\t\tvc->vc_x = new_x;\n\t}\n\n \tif (vc->vc_decom) {\n\t\tmin_y = vc->vc_top;\n\t\tmax_y = vc->vc_bottom;\n\t} else {\n\t\tmin_y = 0;\n\t\tmax_y = vc->vc_rows;\n\t}\n\tif (new_y < min_y)\n\t\tvc->vc_y = min_y;\n\telse if (new_y >= max_y)\n\t\tvc->vc_y = max_y - 1;\n\telse\n\t\tvc->vc_y = new_y;\n\tvc->vc_pos = vc->vc_origin + vc->vc_y * vc->vc_size_row + (vc->vc_x<<1);\n\tvc->vc_need_wrap = 0;\n}", "project": "linux", "hash": 4300339855641816589307541455671346987, "size": 29, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437062 }, { "func": "void RegisterInternalHandlers() {\n // Register the enclave donate thread entry handler.\n if (!TrustedPrimitives::RegisterEntryHandler(kSelectorAsyloDonateThread,\n EntryHandler{DonateThread})\n .ok()) {\n TrustedPrimitives::BestEffortAbort(\n \"Could not register entry handler: DonateThread.\");\n }\n\n // Register the enclave finalization entry handler.\n if (!TrustedPrimitives::RegisterEntryHandler(kSelectorAsyloFini,\n EntryHandler{FinalizeEnclave})\n .ok()) {\n TrustedPrimitives::BestEffortAbort(\n \"Could not register entry handler: FinalizeEnclave\");\n }\n}", "project": "asylo", "hash": 289661354771002552915006573831339727205, "size": 17, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232058 }, { "func": "static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr)\n{\n\tstruct pfkey_sock *pfk = ptr;\n\tstruct sk_buff *out_skb;\n\tstruct sadb_msg *out_hdr;\n\tint err;\n\n\tif (!pfkey_can_dump(&pfk->sk))\n\t\treturn -ENOBUFS;\n\n\tout_skb = pfkey_xfrm_policy2msg_prep(xp);\n\tif (IS_ERR(out_skb))\n\t\treturn PTR_ERR(out_skb);\n\n\terr = pfkey_xfrm_policy2msg(out_skb, xp, dir);\n\tif (err < 0) {\n\t\tkfree_skb(out_skb);\n\t\treturn err;\n\t}\n\n\tout_hdr = (struct sadb_msg *) out_skb->data;\n\tout_hdr->sadb_msg_version = pfk->dump.msg_version;\n\tout_hdr->sadb_msg_type = SADB_X_SPDDUMP;\n\tout_hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;\n\tout_hdr->sadb_msg_errno = 0;\n\tout_hdr->sadb_msg_seq = count + 1;\n\tout_hdr->sadb_msg_pid = pfk->dump.msg_portid;\n\n\tif 
(pfk->dump.skb)\n\t\tpfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,\n\t\t\t\t&pfk->sk, sock_net(&pfk->sk));\n\tpfk->dump.skb = out_skb;\n\n\treturn 0;\n}", "project": "linux", "hash": 170115228892953369787699265085754231972, "size": 35, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268102 }, { "func": "static bool adv_instance_is_scannable(struct hci_dev *hdev, u8 instance)\n{\n\tstruct adv_info *adv_instance;\n\n\t/* Instance 0x00 always set local name */\n\tif (instance == 0x00)\n\t\treturn true;\n\n\tadv_instance = hci_find_adv_instance(hdev, instance);\n\tif (!adv_instance)\n\t\treturn false;\n\n\tif (adv_instance->flags & MGMT_ADV_FLAG_APPEARANCE ||\n\t adv_instance->flags & MGMT_ADV_FLAG_LOCAL_NAME)\n\t\treturn true;\n\n\treturn adv_instance->scan_rsp_len ? true : false;\n}", "project": "linux", "hash": 283910369269622785239517694187710243312, "size": 18, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402549 }, { "func": "static int hidinput_scale_battery_capacity(struct hid_device *dev,\n\t\t\t\t\t int value)\n{\n\tif (dev->battery_min < dev->battery_max &&\n\t value >= dev->battery_min && value <= dev->battery_max)\n\t\tvalue = ((value - dev->battery_min) * 100) /\n\t\t\t(dev->battery_max - dev->battery_min);\n\n\treturn value;\n}", "project": "linux", "hash": 190071065416543527013853491898313334059, "size": 10, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458337 }, { "func": "static int 
nop_interception(struct vcpu_svm *svm)\n{\n\treturn kvm_skip_emulated_instruction(&(svm->vcpu));\n}", "project": "linux", "hash": 200085524394225907263762200934516983784, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432511 }, { "func": "static int nop_interception(struct vcpu_svm *svm)\n{\n\tskip_emulated_instruction(&(svm->vcpu));\n\treturn 1;\n}", "project": "kvm", "hash": 220392936238112736753037517029889230226, "size": 5, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437617 }, { "func": "bool test_if_ref(Item *root_cond, Item_field *left_item,Item *right_item)\n{\n Field *field=left_item->field;\n JOIN_TAB *join_tab= field->table->reginfo.join_tab;\n // No need to change const test\n if (!field->table->const_table && join_tab &&\n !join_tab->is_ref_for_hash_join() &&\n (!join_tab->first_inner ||\n *join_tab->first_inner->on_expr_ref == root_cond))\n {\n /*\n If ref access uses \"Full scan on NULL key\" (i.e. 
it actually alternates\n between ref access and full table scan), then no equality can be\n guaranteed to be true.\n */\n if (join_tab->ref.is_access_triggered())\n return FALSE;\n\n Item *ref_item=part_of_refkey(field->table,field);\n if (ref_item && (ref_item->eq(right_item,1) || \n\t\t ref_item->real_item()->eq(right_item,1)))\n {\n right_item= right_item->real_item();\n if (right_item->type() == Item::FIELD_ITEM)\n\treturn (field->eq_def(((Item_field *) right_item)->field));\n /* remove equalities injected by IN->EXISTS transformation */\n else if (right_item->type() == Item::CACHE_ITEM)\n return ((Item_cache *)right_item)->eq_def (field);\n if (right_item->const_item() && !(right_item->is_null()))\n {\n\t/*\n\t We can remove binary fields and numerical fields except float,\n\t as float comparison isn't 100 % safe\n\t We have to keep normal strings to be able to check for end spaces\n\t*/\n\tif (field->binary() &&\n\t field->real_type() != MYSQL_TYPE_STRING &&\n\t field->real_type() != MYSQL_TYPE_VARCHAR &&\n\t (field->type() != MYSQL_TYPE_FLOAT || field->decimals() == 0))\n\t{\n\t return !right_item->save_in_field_no_warnings(field, 1);\n\t}\n }\n }\n }\n return 0;\t\t\t\t\t// keep test\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 90518155628908369751561096473736332217, "size": 47, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508733 }, { "func": "static void kvm_io_bus_destroy(struct kvm_io_bus *bus)\n{\n\tint i;\n\n\tfor (i = 0; i < bus->dev_count; i++) {\n\t\tstruct kvm_io_device *pos = bus->range[i].dev;\n\n\t\tkvm_iodevice_destructor(pos);\n\t}\n\tkfree(bus);\n}", "project": "linux", "hash": 280855278881178265438425922707632653488, "size": 11, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354639 }, { "func": "void ProtocolV1::prepare_send_message(uint64_t features, Message *m,\n bufferlist &bl) {\n ldout(cct, 20) << __func__ << \" m \" << *m << dendl;\n\n // associate message with Connection (for benefit of encode_payload)\n ldout(cct, 20) << __func__ << (m->empty_payload() ? 
\" encoding features \" : \" half-reencoding features \")\n\t\t << features << \" \" << m << \" \" << *m << dendl;\n\n // encode and copy out of *m\n // in write_message we update header.seq and need recalc crc\n // so skip calc header in encode function.\n m->encode(features, messenger->crcflags, true);\n\n bl.append(m->get_payload());\n bl.append(m->get_middle());\n bl.append(m->get_data());\n}", "project": "ceph", "hash": 314741742913546081568656879703163579602, "size": 17, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": "msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f (\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 0, "dataset": "other", "idx": 356892 }, { "func": "string SummarizeTensor(const TensorProto& tensor_proto) {\n Tensor t;\n if (!t.FromProto(tensor_proto)) {\n return strings::StrCat(\n \"\");\n }\n return t.DebugString();\n}", "project": "tensorflow", "hash": 324513730486821108954307202431587474372, "size": 8, "commit_id": "c2426bba00a01de6913738df8fa78e0215fcce02", "message": "Use `PartialTensorShape` instead of `TensorShape`.\n\n`TensorShape` constructor throws 
a CHECK-fail if shape is partial/overflows which the other doesn't. We are only determining the number of elements in the shape and partial shape should be used as it returns negative number when needed.\n\nPiperOrigin-RevId: 409205384\nChange-Id: Ia56542ff9ec758f2c9ffc7e4dcc9fa7eecd86e7b", "target": 0, "dataset": "other", "idx": 223139 }, { "func": "OPJ_BOOL opj_j2k_start_compress(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n opj_image_t * p_image,\n opj_event_mgr_t * p_manager)\n{\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_stream != 00);\n assert(p_manager != 00);\n\n p_j2k->m_private_image = opj_image_create0();\n if (! p_j2k->m_private_image) {\n opj_event_msg(p_manager, EVT_ERROR, \"Failed to allocate image header.\");\n return OPJ_FALSE;\n }\n opj_copy_image_header(p_image, p_j2k->m_private_image);\n\n /* TODO_MSD: Find a better way */\n if (p_image->comps) {\n OPJ_UINT32 it_comp;\n for (it_comp = 0 ; it_comp < p_image->numcomps; it_comp++) {\n if (p_image->comps[it_comp].data) {\n p_j2k->m_private_image->comps[it_comp].data = p_image->comps[it_comp].data;\n p_image->comps[it_comp].data = NULL;\n\n }\n }\n }\n\n /* customization of the validation */\n if (! opj_j2k_setup_encoding_validation(p_j2k, p_manager)) {\n return OPJ_FALSE;\n }\n\n /* validation of the parameters codec */\n if (! opj_j2k_exec(p_j2k, p_j2k->m_validation_list, p_stream, p_manager)) {\n return OPJ_FALSE;\n }\n\n /* customization of the encoding */\n if (! opj_j2k_setup_header_writing(p_j2k, p_manager)) {\n return OPJ_FALSE;\n }\n\n /* write header */\n if (! 
opj_j2k_exec(p_j2k, p_j2k->m_procedure_list, p_stream, p_manager)) {\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 276824793920990929960936894985291751665, "size": 51, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357363 }, { "func": "static int sctp_msghdr_parse(const struct msghdr *msg, struct sctp_cmsgs *cmsgs)\n{\n\tstruct msghdr *my_msg = (struct msghdr *)msg;\n\tstruct cmsghdr *cmsg;\n\n\tfor_each_cmsghdr(cmsg, my_msg) {\n\t\tif (!CMSG_OK(my_msg, cmsg))\n\t\t\treturn -EINVAL;\n\n\t\t/* Should we parse this header or ignore? */\n\t\tif (cmsg->cmsg_level != IPPROTO_SCTP)\n\t\t\tcontinue;\n\n\t\t/* Strictly check lengths following example in SCM code. */\n\t\tswitch (cmsg->cmsg_type) {\n\t\tcase SCTP_INIT:\n\t\t\t/* SCTP Socket API Extension\n\t\t\t * 5.3.1 SCTP Initiation Structure (SCTP_INIT)\n\t\t\t *\n\t\t\t * This cmsghdr structure provides information for\n\t\t\t * initializing new SCTP associations with sendmsg().\n\t\t\t * The SCTP_INITMSG socket option uses this same data\n\t\t\t * structure. 
This structure is not used for\n\t\t\t * recvmsg().\n\t\t\t *\n\t\t\t * cmsg_level cmsg_type cmsg_data[]\n\t\t\t * ------------ ------------ ----------------------\n\t\t\t * IPPROTO_SCTP SCTP_INIT struct sctp_initmsg\n\t\t\t */\n\t\t\tif (cmsg->cmsg_len != CMSG_LEN(sizeof(struct sctp_initmsg)))\n\t\t\t\treturn -EINVAL;\n\n\t\t\tcmsgs->init = CMSG_DATA(cmsg);\n\t\t\tbreak;\n\n\t\tcase SCTP_SNDRCV:\n\t\t\t/* SCTP Socket API Extension\n\t\t\t * 5.3.2 SCTP Header Information Structure(SCTP_SNDRCV)\n\t\t\t *\n\t\t\t * This cmsghdr structure specifies SCTP options for\n\t\t\t * sendmsg() and describes SCTP header information\n\t\t\t * about a received message through recvmsg().\n\t\t\t *\n\t\t\t * cmsg_level cmsg_type cmsg_data[]\n\t\t\t * ------------ ------------ ----------------------\n\t\t\t * IPPROTO_SCTP SCTP_SNDRCV struct sctp_sndrcvinfo\n\t\t\t */\n\t\t\tif (cmsg->cmsg_len != CMSG_LEN(sizeof(struct sctp_sndrcvinfo)))\n\t\t\t\treturn -EINVAL;\n\n\t\t\tcmsgs->srinfo = CMSG_DATA(cmsg);\n\n\t\t\tif (cmsgs->srinfo->sinfo_flags &\n\t\t\t ~(SCTP_UNORDERED | SCTP_ADDR_OVER |\n\t\t\t SCTP_SACK_IMMEDIATELY | SCTP_SENDALL |\n\t\t\t SCTP_PR_SCTP_MASK | SCTP_ABORT | SCTP_EOF))\n\t\t\t\treturn -EINVAL;\n\t\t\tbreak;\n\n\t\tcase SCTP_SNDINFO:\n\t\t\t/* SCTP Socket API Extension\n\t\t\t * 5.3.4 SCTP Send Information Structure (SCTP_SNDINFO)\n\t\t\t *\n\t\t\t * This cmsghdr structure specifies SCTP options for\n\t\t\t * sendmsg(). 
This structure and SCTP_RCVINFO replaces\n\t\t\t * SCTP_SNDRCV which has been deprecated.\n\t\t\t *\n\t\t\t * cmsg_level cmsg_type cmsg_data[]\n\t\t\t * ------------ ------------ ---------------------\n\t\t\t * IPPROTO_SCTP SCTP_SNDINFO struct sctp_sndinfo\n\t\t\t */\n\t\t\tif (cmsg->cmsg_len != CMSG_LEN(sizeof(struct sctp_sndinfo)))\n\t\t\t\treturn -EINVAL;\n\n\t\t\tcmsgs->sinfo = CMSG_DATA(cmsg);\n\n\t\t\tif (cmsgs->sinfo->snd_flags &\n\t\t\t ~(SCTP_UNORDERED | SCTP_ADDR_OVER |\n\t\t\t SCTP_SACK_IMMEDIATELY | SCTP_SENDALL |\n\t\t\t SCTP_PR_SCTP_MASK | SCTP_ABORT | SCTP_EOF))\n\t\t\t\treturn -EINVAL;\n\t\t\tbreak;\n\t\tcase SCTP_PRINFO:\n\t\t\t/* SCTP Socket API Extension\n\t\t\t * 5.3.7 SCTP PR-SCTP Information Structure (SCTP_PRINFO)\n\t\t\t *\n\t\t\t * This cmsghdr structure specifies SCTP options for sendmsg().\n\t\t\t *\n\t\t\t * cmsg_level cmsg_type cmsg_data[]\n\t\t\t * ------------ ------------ ---------------------\n\t\t\t * IPPROTO_SCTP SCTP_PRINFO struct sctp_prinfo\n\t\t\t */\n\t\t\tif (cmsg->cmsg_len != CMSG_LEN(sizeof(struct sctp_prinfo)))\n\t\t\t\treturn -EINVAL;\n\n\t\t\tcmsgs->prinfo = CMSG_DATA(cmsg);\n\t\t\tif (cmsgs->prinfo->pr_policy & ~SCTP_PR_SCTP_MASK)\n\t\t\t\treturn -EINVAL;\n\n\t\t\tif (cmsgs->prinfo->pr_policy == SCTP_PR_SCTP_NONE)\n\t\t\t\tcmsgs->prinfo->pr_value = 0;\n\t\t\tbreak;\n\t\tcase SCTP_AUTHINFO:\n\t\t\t/* SCTP Socket API Extension\n\t\t\t * 5.3.8 SCTP AUTH Information Structure (SCTP_AUTHINFO)\n\t\t\t *\n\t\t\t * This cmsghdr structure specifies SCTP options for sendmsg().\n\t\t\t *\n\t\t\t * cmsg_level cmsg_type cmsg_data[]\n\t\t\t * ------------ ------------ ---------------------\n\t\t\t * IPPROTO_SCTP SCTP_AUTHINFO struct sctp_authinfo\n\t\t\t */\n\t\t\tif (cmsg->cmsg_len != CMSG_LEN(sizeof(struct sctp_authinfo)))\n\t\t\t\treturn -EINVAL;\n\n\t\t\tcmsgs->authinfo = CMSG_DATA(cmsg);\n\t\t\tbreak;\n\t\tcase SCTP_DSTADDRV4:\n\t\tcase SCTP_DSTADDRV6:\n\t\t\t/* SCTP Socket API Extension\n\t\t\t * 5.3.9/10 SCTP Destination 
IPv4/6 Address Structure (SCTP_DSTADDRV4/6)\n\t\t\t *\n\t\t\t * This cmsghdr structure specifies SCTP options for sendmsg().\n\t\t\t *\n\t\t\t * cmsg_level cmsg_type cmsg_data[]\n\t\t\t * ------------ ------------ ---------------------\n\t\t\t * IPPROTO_SCTP SCTP_DSTADDRV4 struct in_addr\n\t\t\t * ------------ ------------ ---------------------\n\t\t\t * IPPROTO_SCTP SCTP_DSTADDRV6 struct in6_addr\n\t\t\t */\n\t\t\tcmsgs->addrs_msg = my_msg;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn -EINVAL;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 24479143041546227885144398490512561200, "size": 139, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398131 }, { "project": "Chrome", "commit_id": "3454ed7b88318dcd4539c6e1a50d27b0ca535686", "target": 0, "func": "void SearchEngineTabHelper::DidNavigateMainFrame(\n const content::LoadCommittedDetails& /*details*/,\n const content::FrameNavigateParams& params) {\n GenerateKeywordIfNecessary(params);\n}\n", "cwe": "", "big_vul_idx": 130380, "idx": 116648, "hash": 95954431299924947716702689274838460561 }, { "func": "static int packet_notifier(struct notifier_block *this,\n\t\t\t unsigned long msg, void *ptr)\n{\n\tstruct sock *sk;\n\tstruct net_device *dev = netdev_notifier_info_to_dev(ptr);\n\tstruct net *net = dev_net(dev);\n\n\trcu_read_lock();\n\tsk_for_each_rcu(sk, &net->packet.sklist) {\n\t\tstruct packet_sock *po = pkt_sk(sk);\n\n\t\tswitch (msg) {\n\t\tcase NETDEV_UNREGISTER:\n\t\t\tif (po->mclist)\n\t\t\t\tpacket_dev_mclist_delete(dev, &po->mclist);\n\t\t\tfallthrough;\n\n\t\tcase NETDEV_DOWN:\n\t\t\tif (dev->ifindex == po->ifindex) {\n\t\t\t\tspin_lock(&po->bind_lock);\n\t\t\t\tif (po->running) {\n\t\t\t\t\t__unregister_prot_hook(sk, false);\n\t\t\t\t\tsk->sk_err = ENETDOWN;\n\t\t\t\t\tif (!sock_flag(sk, SOCK_DEAD))\n\t\t\t\t\t\tsk->sk_error_report(sk);\n\t\t\t\t}\n\t\t\t\tif (msg == NETDEV_UNREGISTER) {\n\t\t\t\t\tpacket_cached_dev_reset(po);\n\t\t\t\t\tpo->ifindex = -1;\n\t\t\t\t\tif (po->prot_hook.dev)\n\t\t\t\t\t\tdev_put(po->prot_hook.dev);\n\t\t\t\t\tpo->prot_hook.dev = NULL;\n\t\t\t\t}\n\t\t\t\tspin_unlock(&po->bind_lock);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase NETDEV_UP:\n\t\t\tif (dev->ifindex == po->ifindex) {\n\t\t\t\tspin_lock(&po->bind_lock);\n\t\t\t\tif (po->num)\n\t\t\t\t\tregister_prot_hook(sk);\n\t\t\t\tspin_unlock(&po->bind_lock);\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t}\n\trcu_read_unlock();\n\treturn NOTIFY_DONE;\n}", "project": "linux", "hash": 63478354422236233638931044201941870962, "size": 49, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in 
tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330389 }, { "func": "base::Optional GetCursorBlinkInterval() {\n#if defined(OS_MACOSX)\n base::TimeDelta interval;\n if (ui::TextInsertionCaretBlinkPeriod(&interval))\n return interval;\n#elif defined(OS_LINUX)\n if (auto* linux_ui = views::LinuxUI::instance())\n return linux_ui->GetCursorBlinkInterval();\n#elif defined(OS_WIN)\n const auto system_msec = ::GetCaretBlinkTime();\n if (system_msec != 0) {\n return (system_msec == INFINITE)\n ? 
base::TimeDelta()\n : base::TimeDelta::FromMilliseconds(system_msec);\n }\n#endif\n return base::nullopt;\n}", "project": "electron", "hash": 7318234986567945315740066477254107253, "size": 18, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269788 }, { "func": "void CServer::ConKick(IConsole::IResult *pResult, void *pUser)\n{\n\tif(pResult->NumArguments() > 1)\n\t{\n\t\tchar aBuf[128];\n\t\tstr_format(aBuf, sizeof(aBuf), \"Kicked (%s)\", pResult->GetString(1));\n\t\t((CServer *)pUser)->Kick(pResult->GetInteger(0), aBuf);\n\t}\n\telse\n\t\t((CServer *)pUser)->Kick(pResult->GetInteger(0), \"Kicked by console\");\n}", "project": "teeworlds", "hash": 21078625896383016179685356563747907372, "size": 11, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382032 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "JNIEXPORT jbyteArray JNICALL Java_edu_berkeley_cs_rise_opaque_execution_SGXEnclave_FindRangeBounds(\n JNIEnv *env, jobject obj, jlong eid, jbyteArray sort_order, jint num_partitions,\n jbyteArray input_rows) {\n (void)obj;\n\n jboolean if_copy;\n\n size_t sort_order_length = static_cast(env->GetArrayLength(sort_order));\n uint8_t *sort_order_ptr = reinterpret_cast(\n env->GetByteArrayElements(sort_order, &if_copy));\n\n size_t input_rows_length = static_cast(env->GetArrayLength(input_rows));\n uint8_t *input_rows_ptr = reinterpret_cast(\n env->GetByteArrayElements(input_rows, &if_copy));\n\n uint8_t *output_rows;\n size_t 
output_rows_length;\n\n sgx_check(\"Find Range Bounds\",\n ecall_find_range_bounds(\n eid,\n sort_order_ptr, sort_order_length,\n num_partitions,\n input_rows_ptr, input_rows_length,\n &output_rows, &output_rows_length));\n\n jbyteArray ret = env->NewByteArray(output_rows_length);\n env->SetByteArrayRegion(ret, 0, output_rows_length, reinterpret_cast(output_rows));\n free(output_rows);\n\n env->ReleaseByteArrayElements(sort_order, reinterpret_cast(sort_order_ptr), 0);\n env->ReleaseByteArrayElements(input_rows, reinterpret_cast(input_rows_ptr), 0);\n\n return ret;\n}", "idx": 519097, "cwe": "CWE-787", "hash": 314841488278723470394307358944490688202, "dataset": "other" }, { "func": "\nstatic void bfq_idle_slice_timer_body(struct bfq_queue *bfqq)\n{\n\tstruct bfq_data *bfqd = bfqq->bfqd;\n\tenum bfqq_expiration reason;\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&bfqd->lock, flags);\n\tbfq_clear_bfqq_wait_request(bfqq);\n\n\tif (bfqq != bfqd->in_service_queue) {\n\t\tspin_unlock_irqrestore(&bfqd->lock, flags);\n\t\treturn;\n\t}\n\n\tif (bfq_bfqq_budget_timeout(bfqq))\n\t\t/*\n\t\t * Also here the queue can be safely expired\n\t\t * for budget timeout without wasting\n\t\t * guarantees\n\t\t */\n\t\treason = BFQQE_BUDGET_TIMEOUT;\n\telse if (bfqq->queued[0] == 0 && bfqq->queued[1] == 0)\n\t\t/*\n\t\t * The queue may not be empty upon timer expiration,\n\t\t * because we may not disable the timer when the\n\t\t * first request of the in-service queue arrives\n\t\t * during disk idling.\n\t\t */\n\t\treason = BFQQE_TOO_IDLE;\n\telse\n\t\tgoto schedule_dispatch;\n\n\tbfq_bfqq_expire(bfqd, bfqq, true, reason);\n\nschedule_dispatch:\n\tspin_unlock_irqrestore(&bfqd->lock, flags);\n\tbfq_schedule_dispatch(bfqd);", "project": "linux", "hash": 128858888171698182771172635480199449190, "size": 38, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = 
bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] 
kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 
bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 1, "dataset": "other", "idx": 211918 }, { "func": "static void\nbfq_idle_slice_timer_body(struct bfq_data *bfqd, struct bfq_queue *bfqq)\n{\n\tenum bfqq_expiration reason;\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&bfqd->lock, flags);\n\n\t/*\n\t * Considering that bfqq may be in race, we should firstly check\n\t * whether bfqq is in service before doing 
something on it. If\n\t * the bfqq in race is not in service, it has already been expired\n\t * through __bfq_bfqq_expire func and its wait_request flags has\n\t * been cleared in __bfq_bfqd_reset_in_service func.\n\t */\n\tif (bfqq != bfqd->in_service_queue) {\n\t\tspin_unlock_irqrestore(&bfqd->lock, flags);\n\t\treturn;\n\t}\n\n\tbfq_clear_bfqq_wait_request(bfqq);\n\n\tif (bfq_bfqq_budget_timeout(bfqq))\n\t\t/*\n\t\t * Also here the queue can be safely expired\n\t\t * for budget timeout without wasting\n\t\t * guarantees\n\t\t */\n\t\treason = BFQQE_BUDGET_TIMEOUT;\n\telse if (bfqq->queued[0] == 0 && bfqq->queued[1] == 0)\n\t\t/*\n\t\t * The queue may not be empty upon timer expiration,\n\t\t * because we may not disable the timer when the\n\t\t * first request of the in-service queue arrives\n\t\t * during disk idling.\n\t\t */\n\t\treason = BFQQE_TOO_IDLE;\n\telse\n\t\tgoto schedule_dispatch;\n\n\tbfq_bfqq_expire(bfqd, bfqq, true, reason);\n\nschedule_dispatch:\n\tspin_unlock_irqrestore(&bfqd->lock, flags);\n\tbfq_schedule_dispatch(bfqd);", "project": "linux", "hash": 316977131305739620723653491038112566062, "size": 45, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453337 }, { "func": "EXPORT_SYMBOL_GPL(iscsi_session_event);\n\nstatic int\niscsi_if_create_session(struct iscsi_internal *priv, struct iscsi_endpoint *ep,\n\t\t\tstruct iscsi_uevent *ev, pid_t pid,\n\t\t\tuint32_t initial_cmdsn,\tuint16_t cmds_max,\n\t\t\tuint16_t queue_depth)\n{\n\tstruct iscsi_transport *transport = priv->iscsi_transport;\n\tstruct iscsi_cls_session *session;\n\tstruct Scsi_Host *shost;\n\n\tsession = transport->create_session(ep, cmds_max, queue_depth,\n\t\t\t\t\t initial_cmdsn);\n\tif (!session)\n\t\treturn -ENOMEM;\n\n\tsession->creator = pid;\n\tshost = iscsi_session_to_shost(session);\n\tev->r.c_session_ret.host_no = shost->host_no;\n\tev->r.c_session_ret.sid = session->sid;\n\tISCSI_DBG_TRANS_SESSION(session,", "project": "linux", "hash": 308008959912997454412809570691243508867, "size": 22, "commit_id": 
"f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379955 }, { "func": "static void pep_sock_close(struct sock *sk, long timeout)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tint ifindex = 0;\n\n\tsock_hold(sk); /* keep a reference after sk_common_release() */\n\tsk_common_release(sk);\n\n\tlock_sock(sk);\n\tif ((1 << sk->sk_state) & (TCPF_SYN_RECV|TCPF_ESTABLISHED)) {\n\t\tif (sk->sk_backlog_rcv == pipe_do_rcv)\n\t\t\t/* Forcefully remove dangling Phonet pipe */\n\t\t\tpipe_do_remove(sk);\n\t\telse\n\t\t\tpipe_handler_request(sk, PNS_PEP_DISCONNECT_REQ, PAD,\n\t\t\t\t\t\tNULL, 0);\n\t}\n\tsk->sk_state = TCP_CLOSE;\n\n\tifindex = pn->ifindex;\n\tpn->ifindex = 0;\n\trelease_sock(sk);\n\n\tif (ifindex)\n\t\tgprs_detach(sk);\n\tsock_put(sk);\n}", "project": "linux", "hash": 98484444711339771164111488438076760567, "size": 27, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224817 }, { "func": "static int load_script(struct linux_binprm *bprm)\n{\n\tconst char *i_arg, *i_name;\n\tchar *cp;\n\tstruct file *file;\n\tchar interp[BINPRM_BUF_SIZE];\n\tint retval;\n\n\tif ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||\n\t 
(bprm->recursion_depth > BINPRM_MAX_RECURSION))\n\t\treturn -ENOEXEC;\n\t/*\n\t * This section does the #! interpretation.\n\t * Sorta complicated, but hopefully it will work. -TYT\n\t */\n\n\tbprm->recursion_depth++;\n\tallow_write_access(bprm->file);\n\tfput(bprm->file);\n\tbprm->file = NULL;\n\n\tbprm->buf[BINPRM_BUF_SIZE - 1] = '\\0';\n\tif ((cp = strchr(bprm->buf, '\\n')) == NULL)\n\t\tcp = bprm->buf+BINPRM_BUF_SIZE-1;\n\t*cp = '\\0';\n\twhile (cp > bprm->buf) {\n\t\tcp--;\n\t\tif ((*cp == ' ') || (*cp == '\\t'))\n\t\t\t*cp = '\\0';\n\t\telse\n\t\t\tbreak;\n\t}\n\tfor (cp = bprm->buf+2; (*cp == ' ') || (*cp == '\\t'); cp++);\n\tif (*cp == '\\0') \n\t\treturn -ENOEXEC; /* No interpreter name found */\n\ti_name = cp;\n\ti_arg = NULL;\n\tfor ( ; *cp && (*cp != ' ') && (*cp != '\\t'); cp++)\n\t\t/* nothing */ ;\n\twhile ((*cp == ' ') || (*cp == '\\t'))\n\t\t*cp++ = '\\0';\n\tif (*cp)\n\t\ti_arg = cp;\n\tstrcpy (interp, i_name);\n\t/*\n\t * OK, we've parsed out the interpreter name and\n\t * (optional) argument.\n\t * Splice in (1) the interpreter's name for argv[0]\n\t * (2) (optional) argument to interpreter\n\t * (3) filename of shell script (replace argv[0])\n\t *\n\t * This is done in reverse order, because of how the\n\t * user environment and arguments are stored.\n\t */\n\tretval = remove_arg_zero(bprm);\n\tif (retval)\n\t\treturn retval;\n\tretval = copy_strings_kernel(1, &bprm->interp, bprm);\n\tif (retval < 0) return retval; \n\tbprm->argc++;\n\tif (i_arg) {\n\t\tretval = copy_strings_kernel(1, &i_arg, bprm);\n\t\tif (retval < 0) return retval; \n\t\tbprm->argc++;\n\t}\n\tretval = copy_strings_kernel(1, &i_name, bprm);\n\tif (retval) return retval; \n\tbprm->argc++;\n\tbprm->interp = interp;\n\n\t/*\n\t * OK, now restart the process with the interpreter's dentry.\n\t */\n\tfile = open_exec(interp);\n\tif (IS_ERR(file))\n\t\treturn PTR_ERR(file);\n\n\tbprm->file = file;\n\tretval = prepare_binprm(bprm);\n\tif (retval < 0)\n\t\treturn retval;\n\treturn 
search_binary_handler(bprm);\n}", "target": 1, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "d740269867021faf4ce38a449353d2b986c34a67", "hash": 225298922249985030158445231880652319052, "size": 83, "message": "exec: use -ELOOP for max recursion depth\n\nTo avoid an explosion of request_module calls on a chain of abusive\nscripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon\nas maximum recursion depth is hit, the error will fail all the way back\nup the chain, aborting immediately.\n\nThis also has the side-effect of stopping the user's shell from attempting\nto reexecute the top-level file as a shell script. As seen in the\ndash source:\n\n if (cmd != path_bshell && errno == ENOEXEC) {\n *argv-- = cmd;\n *argv = cmd = path_bshell;\n goto repeat;\n }\n\nThe above logic was designed for running scripts automatically that lacked\nthe \"#!\" header, not to re-try failed recursion. On a legitimate -ENOEXEC,\nthings continue to behave as the shell expects.\n\nAdditionally, when tracking recursion, the binfmt handlers should not be\ninvolved. 
The recursion being tracked is the depth of calls through\nsearch_binary_handler(), so that function should be exclusively responsible\nfor tracking the depth.\n\nSigned-off-by: Kees Cook \nCc: halfdog \nCc: P J P \nCc: Alexander Viro \nSigned-off-by: Andrew Morton \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 215780 }, { "func": "static inline bool pcre_need_log_error(int pcre_code) {\n return RuntimeOption::EnablePregErrorLog &&\n (pcre_code == PCRE_ERROR_MATCHLIMIT ||\n pcre_code == PCRE_ERROR_RECURSIONLIMIT);\n}", "project": "hhvm", "hash": 337767628302760240886729220595960591744, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219709 }, { "func": "static bool v4l2_is_known_ioctl(unsigned int cmd)\n{\n\tif (_IOC_NR(cmd) >= V4L2_IOCTLS)\n\t\treturn false;\n\treturn v4l2_ioctls[_IOC_NR(cmd)].ioctl == cmd;\n}", "project": "linux", "hash": 110330012375393295562119852850756726055, "size": 6, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381488 }, { "func": "url_full_path (const struct url *url)\n{\n int length = full_path_length (url);\n char *full_path = xmalloc (length + 1);\n\n full_path_write (url, full_path);\n full_path[length] = '\\0';\n\n return full_path;\n}", "target": 0, "cwe": [], "project": "wget", "commit_id": "59b920874daa565a1323ffa1e756e80493190686", "hash": 185143917378043004685796927203342450139, "size": 10, "message": "Support non-ASCII URLs\n\n* src/url.c [HAVE_ICONV]: Include iconv.h and langinfo.h.\n(convert_fname): New function.\n[HAVE_ICONV]: Convert file name from remote encoding to local\nencoding.\n(url_file_name): Call convert_fname.\n(filechr_table): Don't consider bytes in 128..159 as control\ncharacters.\n\n* tests/Test-ftp-iri.px: Fix the expected file name to match the\nnew file-name recoding. 
State the remote encoding explicitly on\nthe Wget command line.\n\n* NEWS: Mention the URI recoding when built with libiconv.", "dataset": "other", "idx": 498305 }, { "func": "R_API void r_sys_backtrace(void) {\n#ifdef HAVE_BACKTRACE\n\tvoid *array[10];\n\tsize_t size = backtrace (array, 10);\n\teprintf (\"Backtrace %zd stack frames.\\n\", size);\n\tbacktrace_symbols_fd (array, size, 2);\n#elif __APPLE__\n\tvoid **fp = (void **) __builtin_frame_address (0);\n\tvoid *saved_pc = __builtin_return_address (0);\n\tvoid *saved_fp = __builtin_frame_address (1);\n\tint depth = 0;\n\n\tprintf (\"[%d] pc == %p fp == %p\\n\", depth++, saved_pc, saved_fp);\n\tfp = saved_fp;\n\twhile (fp) {\n\t\tsaved_fp = *fp;\n\t\tfp = saved_fp;\n\t\tif (!*fp) {\n\t\t\tbreak;\n\t\t}\n\t\tsaved_pc = *(fp + 2);\n\t\tprintf (\"[%d] pc == %p fp == %p\\n\", depth++, saved_pc, saved_fp);\n\t}\n#else\n#ifdef _MSC_VER\n#pragma message (\"TODO: r_sys_bt : unimplemented\")\n#else\n#warning TODO: r_sys_bt : unimplemented\n#endif\n#endif\n}", "project": "radare2", "hash": 104111252100339319461287361460958376092, "size": 31, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268926 }, { "func": "void tipc_node_stop(struct net *net)\n{\n\tstruct tipc_net *tn = tipc_net(net);\n\tstruct tipc_node *node, *t_node;\n\n\tspin_lock_bh(&tn->node_list_lock);\n\tlist_for_each_entry_safe(node, t_node, &tn->node_list, list)\n\t\ttipc_node_delete(node);\n\tspin_unlock_bh(&tn->node_list_lock);\n}", "project": "linux", "hash": 216590539434450837097034126497574054466, "size": 10, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 
net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n 
kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364933 }, { "func": "R_API int r_str_word_set0(char *str) {\n\tint i, quote = 0;\n\tchar *p;\n\tif (!str || !*str) {\n\t\treturn 0;\n\t}\n\tfor (i = 0; str[i] && str[i + 1]; i++) {\n\t\tif (i > 0 && str[i-1] == ' ' && str[i] == ' ') {\n\t\t\tint len = strlen (str + i);\n\t\t\tmemmove (str + i, str + i + 1, len);\n\t\t\ti--;\n\t\t}\n\t}\n\tif (str[i] == ' ') {\n\t\tstr[i] = 0;\n\t}\n\tfor (i = 1, p = str; *p; p++) {\n\t\tif (*p == '\\\"') {\n\t\t\tif (quote) {\n\t\t\t\tquote = 0;\n\t\t\t\t*p = '\\0';\n\t\t\t\t// FIX: i++;\n\t\t\t\tcontinue;\n\t\t\t} else {\n\t\t\t\tquote = 1;\n\t\t\t\tmemmove (p, p + 1, strlen (p + 1) + 1);\n\t\t\t}\n\t\t}\n\t\tif (quote) {\n\t\t\tcontinue;\n\t\t}\n\t\tif (*p == ' ') {\n\t\t\tchar *q = p - 1;\n\t\t\tif (p > str && (*q == '\\\\' || !*q)) {\n\t\t\t\tmemmove (p, p + 1, strlen (p + 1) + 1);\n\t\t\t\tif (*q == '\\\\') {\n\t\t\t\t\t*q = ' ';\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t\tp--;\n\t\t\t}\n\t\t\ti++;\n\t\t\t*p = '\\0';\n\t\t} // s/ /\\0/g\n\t}\n\treturn i;\n}", "project": "radare2", "hash": 326075110565904194739810330852436864502, "size": 47, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269045 }, { "func": "static void simple_fill_buf(struct urb *urb)\n{\n\tunsigned\ti;\n\tu8\t\t*buf = urb->transfer_buffer;\n\tunsigned\tlen = urb->transfer_buffer_length;\n\tunsigned\tmaxpacket;\n\n\tswitch (pattern) {\n\tdefault:\n\t\t/* FALLTHROUGH */\n\tcase 0:\n\t\tmemset(buf, 0, len);\n\t\tbreak;\n\tcase 1:\t\t\t/* mod63 */\n\t\tmaxpacket = get_maxpacket(urb->dev, urb->pipe);\n\t\tfor (i = 0; i < len; i++)\n\t\t\t*buf++ = (u8) ((i % maxpacket) % 63);\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 162801687273279988963198547461719464398, "size": 20, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc 
include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412244 }, { "func": "bool create_internal_tmp_table(TABLE *table, KEY *keyinfo, \n TMP_ENGINE_COLUMNDEF *start_recinfo,\n TMP_ENGINE_COLUMNDEF **recinfo, \n ulonglong options)\n{\n int error;\n MARIA_KEYDEF keydef;\n MARIA_UNIQUEDEF uniquedef;\n TABLE_SHARE *share= table->s;\n MARIA_CREATE_INFO create_info;\n DBUG_ENTER(\"create_internal_tmp_table\");\n\n if (share->keys)\n {\t\t\t\t\t\t// Get keys for ni_create\n bool using_unique_constraint=0;\n HA_KEYSEG *seg= (HA_KEYSEG*) alloc_root(&table->mem_root,\n sizeof(*seg) * keyinfo->user_defined_key_parts);\n 
if (!seg)\n goto err;\n\n bzero(seg, sizeof(*seg) * keyinfo->user_defined_key_parts);\n /*\n Note that a similar check is performed during\n subquery_types_allow_materialization. See MDEV-7122 for more details as\n to why. Whenever this changes, it must be updated there as well, for\n all tmp_table engines.\n */\n if (keyinfo->key_length > table->file->max_key_length() ||\n\tkeyinfo->user_defined_key_parts > table->file->max_key_parts() ||\n\tshare->uniques)\n {\n if (!share->uniques && !(keyinfo->flags & HA_NOSAME))\n {\n my_error(ER_INTERNAL_ERROR, MYF(0),\n \"Using too big key for internal temp tables\");\n DBUG_RETURN(1);\n }\n\n /* Can't create a key; Make a unique constraint instead of a key */\n share->keys= 0;\n share->uniques= 1;\n using_unique_constraint=1;\n bzero((char*) &uniquedef,sizeof(uniquedef));\n uniquedef.keysegs=keyinfo->user_defined_key_parts;\n uniquedef.seg=seg;\n uniquedef.null_are_equal=1;\n\n /* Create extra column for hash value */\n bzero((uchar*) *recinfo,sizeof(**recinfo));\n (*recinfo)->type= FIELD_CHECK;\n (*recinfo)->length= MARIA_UNIQUE_HASH_LENGTH;\n (*recinfo)++;\n\n /* Avoid warnings from valgrind */\n bzero(table->record[0]+ share->reclength, MARIA_UNIQUE_HASH_LENGTH);\n bzero(share->default_values+ share->reclength, MARIA_UNIQUE_HASH_LENGTH);\n share->reclength+= MARIA_UNIQUE_HASH_LENGTH;\n }\n else\n {\n /* Create a key */\n bzero((char*) &keydef,sizeof(keydef));\n keydef.flag= keyinfo->flags & HA_NOSAME;\n keydef.keysegs= keyinfo->user_defined_key_parts;\n keydef.seg= seg;\n }\n for (uint i=0; i < keyinfo->user_defined_key_parts ; i++,seg++)\n {\n Field *field=keyinfo->key_part[i].field;\n seg->flag= 0;\n seg->language= field->charset()->number;\n seg->length= keyinfo->key_part[i].length;\n seg->start= keyinfo->key_part[i].offset;\n if (field->flags & BLOB_FLAG)\n {\n\tseg->type=\n\t((keyinfo->key_part[i].key_type & FIELDFLAG_BINARY) ?\n\t HA_KEYTYPE_VARBINARY2 : HA_KEYTYPE_VARTEXT2);\n\tseg->bit_start= 
(uint8)(field->pack_length() -\n portable_sizeof_char_ptr);\n\tseg->flag= HA_BLOB_PART;\n\tseg->length=0;\t\t\t// Whole blob in unique constraint\n }\n else\n {\n\tseg->type= keyinfo->key_part[i].type;\n /* Tell handler if it can do suffic space compression */\n\tif (field->real_type() == MYSQL_TYPE_STRING &&\n\t keyinfo->key_part[i].length > 32)\n\t seg->flag|= HA_SPACE_PACK;\n }\n if (!(field->flags & NOT_NULL_FLAG))\n {\n\tseg->null_bit= field->null_bit;\n\tseg->null_pos= (uint) (field->null_ptr - (uchar*) table->record[0]);\n\t/*\n\t We are using a GROUP BY on something that contains NULL\n\t In this case we have to tell Aria that two NULL should\n\t on INSERT be regarded at the same value\n\t*/\n\tif (!using_unique_constraint)\n\t keydef.flag|= HA_NULL_ARE_EQUAL;\n }\n }\n }\n bzero((char*) &create_info,sizeof(create_info));\n create_info.data_file_length= table->in_use->variables.tmp_disk_table_size;\n\n /*\n The logic for choosing the record format:\n The STATIC_RECORD format is the fastest one, because it's so simple,\n so we use this by default for short rows.\n BLOCK_RECORD caches both row and data, so this is generally faster than\n DYNAMIC_RECORD. The one exception is when we write to tmp table and\n want to use keys for duplicate elimination as with BLOCK RECORD\n we first write the row, then check for key conflicts and then we have to\n delete the row. The cases when this can happen is when there is\n a group by and no sum functions or if distinct is used.\n */\n {\n enum data_file_type file_type= table->no_rows ? NO_RECORD :\n (share->reclength < 64 && !share->blob_fields ? STATIC_RECORD :\n table->used_for_duplicate_elimination ? DYNAMIC_RECORD : BLOCK_RECORD);\n uint create_flags= HA_CREATE_TMP_TABLE | HA_CREATE_INTERNAL_TABLE |\n (table->keep_row_order ? 
HA_PRESERVE_INSERT_ORDER : 0);\n\n if (file_type != NO_RECORD && encrypt_tmp_disk_tables)\n {\n /* encryption is only supported for BLOCK_RECORD */\n file_type= BLOCK_RECORD;\n if (table->used_for_duplicate_elimination)\n {\n /*\n sql-layer expect the last column to be stored/restored also\n when it's null.\n\n This is probably a bug (that sql-layer doesn't annotate\n the column as not-null) but both heap, aria-static, aria-dynamic and\n myisam has this property. aria-block_record does not since it\n does not store null-columns at all.\n Emulate behaviour by making column not-nullable when creating the\n table.\n */\n uint cols= (uint)(*recinfo-start_recinfo);\n start_recinfo[cols-1].null_bit= 0;\n }\n }\n\n if (unlikely((error= maria_create(share->path.str, file_type, share->keys,\n &keydef, (uint) (*recinfo-start_recinfo),\n start_recinfo, share->uniques, &uniquedef,\n &create_info, create_flags))))\n {\n table->file->print_error(error,MYF(0));\t/* purecov: inspected */\n table->db_stat=0;\n goto err;\n }\n }\n\n table->in_use->inc_status_created_tmp_disk_tables();\n table->in_use->inc_status_created_tmp_tables();\n share->db_record_offset= 1;\n table->set_created();\n DBUG_RETURN(0);\n err:\n DBUG_RETURN(1);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 253671325463355441299193296949045095371, "size": 167, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508533 }, { "func": "bool create_internal_tmp_table(TABLE *table, KEY *keyinfo, \n TMP_ENGINE_COLUMNDEF *start_recinfo,\n TMP_ENGINE_COLUMNDEF **recinfo,\n ulonglong options)\n{\n int error;\n MI_KEYDEF keydef;\n MI_UNIQUEDEF uniquedef;\n TABLE_SHARE *share= table->s;\n DBUG_ENTER(\"create_internal_tmp_table\");\n\n if (share->keys)\n {\t\t\t\t\t\t// Get keys for ni_create\n bool using_unique_constraint=0;\n HA_KEYSEG *seg= (HA_KEYSEG*) alloc_root(&table->mem_root,\n sizeof(*seg) * keyinfo->user_defined_key_parts);\n if (!seg)\n goto err;\n\n bzero(seg, sizeof(*seg) * keyinfo->user_defined_key_parts);\n /*\n Note that a similar check is performed during\n subquery_types_allow_materialization. See MDEV-7122 for more details as\n to why. 
Whenever this changes, it must be updated there as well, for\n all tmp_table engines.\n */\n if (keyinfo->key_length > table->file->max_key_length() ||\n\tkeyinfo->user_defined_key_parts > table->file->max_key_parts() ||\n\tshare->uniques)\n {\n /* Can't create a key; Make a unique constraint instead of a key */\n share->keys= 0;\n share->uniques= 1;\n using_unique_constraint=1;\n bzero((char*) &uniquedef,sizeof(uniquedef));\n uniquedef.keysegs=keyinfo->user_defined_key_parts;\n uniquedef.seg=seg;\n uniquedef.null_are_equal=1;\n\n /* Create extra column for hash value */\n bzero((uchar*) *recinfo,sizeof(**recinfo));\n (*recinfo)->type= FIELD_CHECK;\n (*recinfo)->length=MI_UNIQUE_HASH_LENGTH;\n (*recinfo)++;\n /* Avoid warnings from valgrind */\n bzero(table->record[0]+ share->reclength, MI_UNIQUE_HASH_LENGTH);\n bzero(share->default_values+ share->reclength, MI_UNIQUE_HASH_LENGTH);\n share->reclength+= MI_UNIQUE_HASH_LENGTH;\n }\n else\n {\n /* Create an unique key */\n bzero((char*) &keydef,sizeof(keydef));\n keydef.flag= ((keyinfo->flags & HA_NOSAME) | HA_BINARY_PACK_KEY |\n HA_PACK_KEY);\n keydef.keysegs= keyinfo->user_defined_key_parts;\n keydef.seg= seg;\n }\n for (uint i=0; i < keyinfo->user_defined_key_parts ; i++,seg++)\n {\n Field *field=keyinfo->key_part[i].field;\n seg->flag= 0;\n seg->language= field->charset()->number;\n seg->length= keyinfo->key_part[i].length;\n seg->start= keyinfo->key_part[i].offset;\n if (field->flags & BLOB_FLAG)\n {\n\tseg->type=\n\t((keyinfo->key_part[i].key_type & FIELDFLAG_BINARY) ?\n\t HA_KEYTYPE_VARBINARY2 : HA_KEYTYPE_VARTEXT2);\n\tseg->bit_start= (uint8)(field->pack_length() - portable_sizeof_char_ptr);\n\tseg->flag= HA_BLOB_PART;\n\tseg->length=0;\t\t\t// Whole blob in unique constraint\n }\n else\n {\n\tseg->type= keyinfo->key_part[i].type;\n /* Tell handler if it can do suffic space compression */\n\tif (field->real_type() == MYSQL_TYPE_STRING &&\n\t keyinfo->key_part[i].length > 4)\n\t seg->flag|= HA_SPACE_PACK;\n }\n 
if (!(field->flags & NOT_NULL_FLAG))\n {\n\tseg->null_bit= field->null_bit;\n\tseg->null_pos= (uint) (field->null_ptr - (uchar*) table->record[0]);\n\t/*\n\t We are using a GROUP BY on something that contains NULL\n\t In this case we have to tell MyISAM that two NULL should\n\t on INSERT be regarded at the same value\n\t*/\n\tif (!using_unique_constraint)\n\t keydef.flag|= HA_NULL_ARE_EQUAL;\n }\n }\n }\n MI_CREATE_INFO create_info;\n bzero((char*) &create_info,sizeof(create_info));\n create_info.data_file_length= table->in_use->variables.tmp_disk_table_size;\n\n if (unlikely((error= mi_create(share->path.str, share->keys, &keydef,\n\t\t (uint) (*recinfo-start_recinfo),\n start_recinfo,\n\t\t share->uniques, &uniquedef,\n &create_info,\n\t\t HA_CREATE_TMP_TABLE |\n HA_CREATE_INTERNAL_TABLE |\n ((share->db_create_options &\n HA_OPTION_PACK_RECORD) ?\n HA_PACK_RECORD : 0)\n ))))\n {\n table->file->print_error(error,MYF(0));\t/* purecov: inspected */\n table->db_stat=0;\n goto err;\n }\n table->in_use->inc_status_created_tmp_disk_tables();\n table->in_use->inc_status_created_tmp_tables();\n share->db_record_offset= 1;\n table->set_created();\n DBUG_RETURN(0);\n err:\n DBUG_RETURN(1);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 72198620813585495357750908144338800267, "size": 124, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508720 }, { "func": "static ssize_t order_show(struct kmem_cache *s, char *buf)\n{\n\treturn sprintf(buf, \"%u\\n\", oo_order(s->oo));\n}", "project": "linux", "hash": 175256269019806230003404597678416197503, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280198 }, { "func": "static void nfs4_lock_done(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs4_lockdata *data = calldata;\n\tstruct nfs4_lock_state *lsp = data->lsp;\n\n\tdprintk(\"%s: begin!\\n\", __func__);\n\n\tif (!nfs4_sequence_done(task, &data->res.seq_res))\n\t\treturn;\n\n\tdata->rpc_status = task->tk_status;\n\tswitch (task->tk_status) {\n\tcase 0:\n\t\trenew_lease(NFS_SERVER(d_inode(data->ctx->dentry)),\n\t\t\t\tdata->timestamp);\n\t\tif (data->arg.new_lock && !data->cancelled) {\n\t\t\tdata->fl.fl_flags &= ~(FL_SLEEP | FL_ACCESS);\n\t\t\tif (locks_lock_inode_wait(lsp->ls_state->inode, &data->fl) < 0)\n\t\t\t\tgoto out_restart;\n\t\t}\n\t\tif (data->arg.new_lock_owner != 0) {\n\t\t\tnfs_confirm_seqid(&lsp->ls_seqid, 0);\n\t\t\tnfs4_stateid_copy(&lsp->ls_stateid, &data->res.stateid);\n\t\t\tset_bit(NFS_LOCK_INITIALIZED, &lsp->ls_flags);\n\t\t} else if (!nfs4_update_lock_stateid(lsp, &data->res.stateid))\n\t\t\tgoto out_restart;\n\t\tbreak;\n\tcase -NFS4ERR_BAD_STATEID:\n\tcase -NFS4ERR_OLD_STATEID:\n\tcase -NFS4ERR_STALE_STATEID:\n\tcase -NFS4ERR_EXPIRED:\n\t\tif (data->arg.new_lock_owner != 0) {\n\t\t\tif (!nfs4_stateid_match(&data->arg.open_stateid,\n\t\t\t\t\t\t&lsp->ls_state->open_stateid))\n\t\t\t\tgoto out_restart;\n\t\t} else if (!nfs4_stateid_match(&data->arg.lock_stateid,\n\t\t\t\t\t\t&lsp->ls_stateid))\n\t\t\t\tgoto out_restart;\n\t}\nout_done:\n\tdprintk(\"%s: done, ret = %d!\\n\", __func__, data->rpc_status);\n\treturn;\nout_restart:\n\tif (!data->cancelled)\n\t\trpc_restart_call_prepare(task);\n\tgoto out_done;\n}", 
"project": "linux", "hash": 94125795039866493222658658500512575875, "size": 47, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431068 }, { "func": "static void nfs_state_log_out_of_order_open_stateid(struct nfs4_state *state,\n\t\tconst nfs4_stateid *stateid)\n{\n\tu32 state_seqid = be32_to_cpu(state->open_stateid.seqid);\n\tu32 stateid_seqid = be32_to_cpu(stateid->seqid);\n\n\tif (stateid_seqid == state_seqid + 1U ||\n\t (stateid_seqid == 1U && state_seqid == 0xffffffffU))\n\t\tnfs_state_log_update_open_stateid(state);\n\telse\n\t\tset_bit(NFS_STATE_CHANGE_WAIT, &state->flags);\n}", "project": "linux", "hash": 18303894825223650816622452008695006113, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431487 }, { "func": "rdpGlyphCache* glyph_cache_new(rdpSettings* settings)\n{\n\tint i;\n\trdpGlyphCache* glyphCache;\n\tglyphCache = (rdpGlyphCache*)calloc(1, sizeof(rdpGlyphCache));\n\n\tif (!glyphCache)\n\t\treturn NULL;\n\n\tglyphCache->log = WLog_Get(\"com.freerdp.cache.glyph\");\n\tglyphCache->settings = settings;\n\tglyphCache->context = ((freerdp*)settings->instance)->update->context;\n\n\tfor (i = 0; 
i < 10; i++)\n\t{\n\t\tglyphCache->glyphCache[i].number = settings->GlyphCache[i].cacheEntries;\n\t\tglyphCache->glyphCache[i].maxCellSize = settings->GlyphCache[i].cacheMaximumCellSize;\n\t\tglyphCache->glyphCache[i].entries =\n\t\t (rdpGlyph**)calloc(glyphCache->glyphCache[i].number, sizeof(rdpGlyph*));\n\n\t\tif (!glyphCache->glyphCache[i].entries)\n\t\t\tgoto fail;\n\t}\n\n\tglyphCache->fragCache.entries = calloc(256, sizeof(FRAGMENT_CACHE_ENTRY));\n\n\tif (!glyphCache->fragCache.entries)\n\t\tgoto fail;\n\n\treturn glyphCache;\nfail:\n\tglyph_cache_free(glyphCache);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 333096604094527307773079204845739458284, "size": 34, "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 0, "dataset": "other", "idx": 432863 }, { "func": "static int irda_sendmsg(struct kiocb *iocb, struct socket *sock,\n\t\t\tstruct msghdr *msg, size_t len)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct irda_sock *self;\n\tstruct sk_buff *skb;\n\tint err = -EPIPE;\n\n\tIRDA_DEBUG(4, \"%s(), len=%zd\\n\", __func__, len);\n\n\t/* Note : socket.c set MSG_EOR on SEQPACKET sockets */\n\tif (msg->msg_flags & ~(MSG_DONTWAIT | MSG_EOR | MSG_CMSG_COMPAT |\n\t\t\t MSG_NOSIGNAL))\n\t\treturn -EINVAL;\n\n\tif (sk->sk_shutdown & SEND_SHUTDOWN)\n\t\tgoto out_err;\n\n\tif (sk->sk_state != TCP_ESTABLISHED)\n\t\treturn -ENOTCONN;\n\n\tself = irda_sk(sk);\n\n\t/* Check if IrTTP is wants us to slow down */\n\n\tif (wait_event_interruptible(*(sk->sk_sleep),\n\t (self->tx_flow != FLOW_STOP || sk->sk_state != TCP_ESTABLISHED)))\n\t\treturn -ERESTARTSYS;\n\n\t/* Check if we are still connected */\n\tif (sk->sk_state != TCP_ESTABLISHED)\n\t\treturn -ENOTCONN;\n\n\t/* Check that we don't send out too big frames */\n\tif (len > self->max_data_size) {\n\t\tIRDA_DEBUG(2, \"%s(), Chopping frame from %zd to %d bytes!\\n\",\n\t\t\t __func__, len, 
self->max_data_size);\n\t\tlen = self->max_data_size;\n\t}\n\n\tskb = sock_alloc_send_skb(sk, len + self->max_header_size + 16,\n\t\t\t\t msg->msg_flags & MSG_DONTWAIT, &err);\n\tif (!skb)\n\t\tgoto out_err;\n\n\tskb_reserve(skb, self->max_header_size + 16);\n\tskb_reset_transport_header(skb);\n\tskb_put(skb, len);\n\terr = memcpy_fromiovec(skb_transport_header(skb), msg->msg_iov, len);\n\tif (err) {\n\t\tkfree_skb(skb);\n\t\tgoto out_err;\n\t}\n\n\t/*\n\t * Just send the message to TinyTP, and let it deal with possible\n\t * errors. No need to duplicate all that here\n\t */\n\terr = irttp_data_request(self->tsap, skb);\n\tif (err) {\n\t\tIRDA_DEBUG(0, \"%s(), err=%d\\n\", __func__, err);\n\t\tgoto out_err;\n\t}\n\t/* Tell client how much data we actually sent */\n\treturn len;\n\n out_err:\n\treturn sk_stream_error(sk, msg->msg_flags, err);\n\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c", "hash": 95702337301095265031752413096299461968, "size": 70, "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "dataset": "other", "idx": 490848 }, { "func": "CString CClient::GetNickMask() const {\n if (GetIRCSock() && GetIRCSock()->IsAuthed()) {\n return GetIRCSock()->GetNickMask();\n }\n\n CString sHost =\n m_pNetwork ? m_pNetwork->GetBindHost() : m_pUser->GetBindHost();\n if (sHost.empty()) {\n sHost = \"irc.znc.in\";\n }\n\n return GetNick() + \"!\" +\n (m_pNetwork ? 
m_pNetwork->GetIdent() : m_pUser->GetIdent()) + \"@\" +\n sHost;\n}", "project": "znc", "hash": 99075580050349447917859701272998810248, "size": 15, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231564 }, { "func": "static void ri(struct vc_data *vc)\n{\n \t/* don't scroll if below top of scrolling region, or\n\t * if above scrolling region\n\t */\n\tif (vc->vc_y == vc->vc_top)\n\t\tcon_scroll(vc, vc->vc_top, vc->vc_bottom, SM_DOWN, 1);\n\telse if (vc->vc_y > 0) {\n\t\tvc->vc_y--;\n\t\tvc->vc_pos -= vc->vc_size_row;\n\t}\n\tvc->vc_need_wrap = 0;\n}", "project": "linux", "hash": 298894185741861381520566771639360740296, "size": 13, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437063 }, { "func": "SYSCALL_DEFINE0(pause)\n{\n\twhile (!signal_pending(current)) {\n\t\t__set_current_state(TASK_INTERRUPTIBLE);\n\t\tschedule();\n\t}\n\treturn -ERESTARTNOHAND;\n}", "project": "linux", "hash": 70715527806795011110352797573614738823, "size": 8, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375244 }, { "func": "static void free_blobs(Field **ptr)\n{\n for (; *ptr ; ptr++)\n {\n if ((*ptr)->flags & BLOB_FLAG)\n ((Field_blob *) (*ptr))->free();\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 154393992451180865470693839248553621497, "size": 8, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508531 }, { "func": "void enc_untrusted_thread_wait(int32_t *const queue,\n uint64_t timeout_microsec) {\n enc_untrusted_thread_wait_value(queue, kWaitQueueEnabled, timeout_microsec);\n}", "project": "asylo", "hash": 153701455169178554625262879313814577194, "size": 4, "commit_id": "a37fb6a0e7daf30134dbbf357c9a518a1026aa02", "message": "Check untrusted queue is in outside enclave\n\nPiperOrigin-RevId: 333370935\nChange-Id: Ic3f15d5db1302d95c7cb199b44172474fecb81ca", "target": 0, "dataset": "other", "idx": 231079 }, { "func": "int sh_mathstd(const char *name) { return sh_mathstdfun(name, strlen(name), NULL) != 0; }", "project": "ast", "hash": 77553971371707196202847059899070053285, "size": 1, "commit_id": "c7de8b641266bac7c77942239ac659edfee9ecd2", "message": "Harden env var imports", "target": 0, "dataset": "other", "idx": 321872 }, { "func": "static void encode_getfattr(struct xdr_stream *xdr, const u32* bitmask, struct compound_hdr *hdr)\n{\n\tencode_getattr(xdr, nfs4_fattr_bitmap, bitmask,\n\t\t\tARRAY_SIZE(nfs4_fattr_bitmap), hdr);\n}", "project": "linux", "hash": 329104622253858215348474611910401941674, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431082 }, { "func": "static int svm_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tswitch 
(msr_info->index) {\n\tcase MSR_STAR:\n\t\tmsr_info->data = svm->vmcb->save.star;\n\t\tbreak;\n#ifdef CONFIG_X86_64\n\tcase MSR_LSTAR:\n\t\tmsr_info->data = svm->vmcb->save.lstar;\n\t\tbreak;\n\tcase MSR_CSTAR:\n\t\tmsr_info->data = svm->vmcb->save.cstar;\n\t\tbreak;\n\tcase MSR_KERNEL_GS_BASE:\n\t\tmsr_info->data = svm->vmcb->save.kernel_gs_base;\n\t\tbreak;\n\tcase MSR_SYSCALL_MASK:\n\t\tmsr_info->data = svm->vmcb->save.sfmask;\n\t\tbreak;\n#endif\n\tcase MSR_IA32_SYSENTER_CS:\n\t\tmsr_info->data = svm->vmcb->save.sysenter_cs;\n\t\tbreak;\n\tcase MSR_IA32_SYSENTER_EIP:\n\t\tmsr_info->data = svm->sysenter_eip;\n\t\tbreak;\n\tcase MSR_IA32_SYSENTER_ESP:\n\t\tmsr_info->data = svm->sysenter_esp;\n\t\tbreak;\n\tcase MSR_TSC_AUX:\n\t\tif (!boot_cpu_has(X86_FEATURE_RDTSCP))\n\t\t\treturn 1;\n\t\tmsr_info->data = svm->tsc_aux;\n\t\tbreak;\n\t/*\n\t * Nobody will change the following 5 values in the VMCB so we can\n\t * safely return them on rdmsr. They will always be 0 until LBRV is\n\t * implemented.\n\t */\n\tcase MSR_IA32_DEBUGCTLMSR:\n\t\tmsr_info->data = svm->vmcb->save.dbgctl;\n\t\tbreak;\n\tcase MSR_IA32_LASTBRANCHFROMIP:\n\t\tmsr_info->data = svm->vmcb->save.br_from;\n\t\tbreak;\n\tcase MSR_IA32_LASTBRANCHTOIP:\n\t\tmsr_info->data = svm->vmcb->save.br_to;\n\t\tbreak;\n\tcase MSR_IA32_LASTINTFROMIP:\n\t\tmsr_info->data = svm->vmcb->save.last_excp_from;\n\t\tbreak;\n\tcase MSR_IA32_LASTINTTOIP:\n\t\tmsr_info->data = svm->vmcb->save.last_excp_to;\n\t\tbreak;\n\tcase MSR_VM_HSAVE_PA:\n\t\tmsr_info->data = svm->nested.hsave_msr;\n\t\tbreak;\n\tcase MSR_VM_CR:\n\t\tmsr_info->data = svm->nested.vm_cr_msr;\n\t\tbreak;\n\tcase MSR_IA32_SPEC_CTRL:\n\t\tif (!msr_info->host_initiated &&\n\t\t !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) &&\n\t\t !guest_cpuid_has(vcpu, X86_FEATURE_AMD_STIBP) &&\n\t\t !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBRS) &&\n\t\t !guest_cpuid_has(vcpu, X86_FEATURE_AMD_SSBD))\n\t\t\treturn 1;\n\n\t\tmsr_info->data = svm->spec_ctrl;\n\t\tbreak;\n\tcase 
MSR_AMD64_VIRT_SPEC_CTRL:\n\t\tif (!msr_info->host_initiated &&\n\t\t !guest_cpuid_has(vcpu, X86_FEATURE_VIRT_SSBD))\n\t\t\treturn 1;\n\n\t\tmsr_info->data = svm->virt_spec_ctrl;\n\t\tbreak;\n\tcase MSR_F15H_IC_CFG: {\n\n\t\tint family, model;\n\n\t\tfamily = guest_cpuid_family(vcpu);\n\t\tmodel = guest_cpuid_model(vcpu);\n\n\t\tif (family < 0 || model < 0)\n\t\t\treturn kvm_get_msr_common(vcpu, msr_info);\n\n\t\tmsr_info->data = 0;\n\n\t\tif (family == 0x15 &&\n\t\t (model >= 0x2 && model < 0x20))\n\t\t\tmsr_info->data = 0x1E;\n\t\t}\n\t\tbreak;\n\tcase MSR_F10H_DECFG:\n\t\tmsr_info->data = svm->msr_decfg;\n\t\tbreak;\n\tdefault:\n\t\treturn kvm_get_msr_common(vcpu, msr_info);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 330822881685753904177010991323763909991, "size": 104, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432457 }, { "func": "static int svm_get_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 *data)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tswitch (ecx) {\n\tcase MSR_IA32_TSC: {\n\t\t*data = svm->vmcb->control.tsc_offset +\n\t\t\tsvm_scale_tsc(vcpu, native_read_tsc());\n\n\t\tbreak;\n\t}\n\tcase MSR_STAR:\n\t\t*data = svm->vmcb->save.star;\n\t\tbreak;\n#ifdef CONFIG_X86_64\n\tcase MSR_LSTAR:\n\t\t*data = svm->vmcb->save.lstar;\n\t\tbreak;\n\tcase MSR_CSTAR:\n\t\t*data = svm->vmcb->save.cstar;\n\t\tbreak;\n\tcase MSR_KERNEL_GS_BASE:\n\t\t*data = svm->vmcb->save.kernel_gs_base;\n\t\tbreak;\n\tcase MSR_SYSCALL_MASK:\n\t\t*data = svm->vmcb->save.sfmask;\n\t\tbreak;\n#endif\n\tcase MSR_IA32_SYSENTER_CS:\n\t\t*data = svm->vmcb->save.sysenter_cs;\n\t\tbreak;\n\tcase MSR_IA32_SYSENTER_EIP:\n\t\t*data = svm->sysenter_eip;\n\t\tbreak;\n\tcase MSR_IA32_SYSENTER_ESP:\n\t\t*data = svm->sysenter_esp;\n\t\tbreak;\n\t/*\n\t * Nobody will change the following 5 values in the VMCB so we can\n\t * safely return them on rdmsr. 
They will always be 0 until LBRV is\n\t * implemented.\n\t */\n\tcase MSR_IA32_DEBUGCTLMSR:\n\t\t*data = svm->vmcb->save.dbgctl;\n\t\tbreak;\n\tcase MSR_IA32_LASTBRANCHFROMIP:\n\t\t*data = svm->vmcb->save.br_from;\n\t\tbreak;\n\tcase MSR_IA32_LASTBRANCHTOIP:\n\t\t*data = svm->vmcb->save.br_to;\n\t\tbreak;\n\tcase MSR_IA32_LASTINTFROMIP:\n\t\t*data = svm->vmcb->save.last_excp_from;\n\t\tbreak;\n\tcase MSR_IA32_LASTINTTOIP:\n\t\t*data = svm->vmcb->save.last_excp_to;\n\t\tbreak;\n\tcase MSR_VM_HSAVE_PA:\n\t\t*data = svm->nested.hsave_msr;\n\t\tbreak;\n\tcase MSR_VM_CR:\n\t\t*data = svm->nested.vm_cr_msr;\n\t\tbreak;\n\tcase MSR_IA32_UCODE_REV:\n\t\t*data = 0x01000065;\n\t\tbreak;\n\tdefault:\n\t\treturn kvm_get_msr_common(vcpu, ecx, data);\n\t}\n\treturn 0;\n}", "project": "kvm", "hash": 190540740939711148699403848421538981023, "size": 71, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437579 }, { "func": "void set_current_blocked(sigset_t *newset)\n{\n\tsigdelsetmask(newset, sigmask(SIGKILL) | sigmask(SIGSTOP));\n\t__set_current_blocked(newset);\n}", "project": "linux", "hash": 198115962967470896040610613167504934427, "size": 5, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375272 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void ecall_find_range_bounds(uint8_t *sort_order, size_t sort_order_length,\n uint32_t num_partitions,\n uint8_t *input_rows, size_t input_rows_length,\n uint8_t **output_rows, size_t *output_rows_length) {\n // Guard against operating on arbitrary enclave memory\n assert(sgx_is_outside_enclave(input_rows, input_rows_length) == 1);\n sgx_lfence();\n\n try {\n find_range_bounds(sort_order, sort_order_length,\n num_partitions,\n input_rows, input_rows_length,\n output_rows, output_rows_length);\n } catch (const std::runtime_error &e) {\n ocall_throw(e.what());\n }\n}", "idx": 519072, "cwe": "CWE-787", "hash": 83574658543583843597275104621835543166, "dataset": "other" }, { "func": "static int hci_req_add_le_interleaved_scan(struct hci_request *req,\n\t\t\t\t\t unsigned long opt)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tint ret = 0;\n\n\thci_dev_lock(hdev);\n\n\tif (hci_dev_test_flag(hdev, HCI_LE_SCAN))\n\t\thci_req_add_le_scan_disable(req, false);\n\thci_req_add_le_passive_scan(req);\n\n\tswitch (hdev->interleave_scan_state) {\n\tcase INTERLEAVE_SCAN_ALLOWLIST:\n\t\tbt_dev_dbg(hdev, \"next state: allowlist\");\n\t\thdev->interleave_scan_state = INTERLEAVE_SCAN_NO_FILTER;\n\t\tbreak;\n\tcase INTERLEAVE_SCAN_NO_FILTER:\n\t\tbt_dev_dbg(hdev, \"next state: no filter\");\n\t\thdev->interleave_scan_state = INTERLEAVE_SCAN_ALLOWLIST;\n\t\tbreak;\n\tcase INTERLEAVE_SCAN_NONE:\n\t\tBT_ERR(\"unexpected error\");\n\t\tret = -1;\n\t}\n\n\thci_dev_unlock(hdev);\n\n\treturn ret;\n}", "project": "linux", "hash": 118057993764912051385545309994540781609, "size": 30, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402555 }, { "func": "static int kvm_vm_ioctl_clear_dirty_log(struct kvm *kvm,\n\t\t\t\t\tstruct kvm_clear_dirty_log *log)\n{\n\tint r;\n\n\tmutex_lock(&kvm->slots_lock);\n\n\tr = kvm_clear_dirty_log_protect(kvm, log);\n\n\tmutex_unlock(&kvm->slots_lock);\n\treturn r;\n}", "project": "linux", "hash": 149460330046640761565946033152894730032, "size": 12, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354608 }, { "func": "static inline int verify_sec_ctx_len(const void *p)\n{\n\tconst struct sadb_x_sec_ctx *sec_ctx = p;\n\tint len = sec_ctx->sadb_x_ctx_len;\n\n\tif (len > PAGE_SIZE)\n\t\treturn -EINVAL;\n\n\tlen = pfkey_sec_ctx_len(sec_ctx);\n\n\tif (sec_ctx->sadb_x_sec_len != len)\n\t\treturn 
-EINVAL;\n\n\treturn 0;\n}", "project": "linux", "hash": 18008611479456209191003092439312725450, "size": 15, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268093 }, { "func": "static int on_frame_recv(h2_stream_state_t state, int frame_type)\n{\n return on_frame(state, frame_type, trans_on_recv, H2_ALEN(trans_on_recv));\n}", "project": "httpd", "hash": 188237070704609310041778763996864961490, "size": 4, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284228 }, { "func": "static int io_splice(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_splice *sp = &req->splice;\n\tstruct file *in = sp->file_in;\n\tstruct file *out = sp->file_out;\n\tunsigned int flags = sp->flags & ~SPLICE_F_FD_IN_FIXED;\n\tloff_t *poff_in, *poff_out;\n\tlong ret = 0;\n\n\tif (issue_flags & IO_URING_F_NONBLOCK)\n\t\treturn -EAGAIN;\n\n\tpoff_in = (sp->off_in == -1) ? NULL : &sp->off_in;\n\tpoff_out = (sp->off_out == -1) ? 
NULL : &sp->off_out;\n\n\tif (sp->len)\n\t\tret = do_splice(in, poff_in, out, poff_out, sp->len, flags);\n\n\tif (!(sp->flags & SPLICE_F_FD_IN_FIXED))\n\t\tio_put_file(in);\n\treq->flags &= ~REQ_F_NEED_CLEANUP;\n\n\tif (ret != sp->len)\n\t\treq_set_fail_links(req);\n\tio_req_complete(req, ret);\n\treturn 0;\n}", "project": "linux", "hash": 281013886753331657223143828804019278564, "size": 27, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338645 }, { "func": "static indexEntry nextIndex(HeaderIterator hi)\n{\n Header h = hi->h;\n int slot;\n indexEntry entry = NULL;\n\n for (slot = hi->next_index; slot < h->indexUsed; slot++) {\n\tentry = h->index + slot;\n\tif (!ENTRY_IS_REGION(entry))\n\t break;\n }\n hi->next_index = slot;\n if (entry == NULL || slot >= h->indexUsed)\n\treturn NULL;\n\n hi->next_index++;\n return entry;\n}", "project": "rpm", "hash": 3749380125496439772885777895847045978, "size": 18, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318178 }, { "func": "static gdFontPtr php_find_gd_font(int size) {\n 
gdFontPtr font;\n\n switch (size) {\n case 1:\n font = gdFontTiny;\n break;\n case 2:\n font = gdFontSmall;\n break;\n case 3:\n font = gdFontMediumBold;\n break;\n case 4:\n font = gdFontLarge;\n break;\n case 5:\n font = gdFontGiant;\n break;\n default:\n raise_warning(\"Unsupported font: %d\", size);\n // font = zend_list_find(size - 5, &ind_type);\n // if (!font || ind_type != le_gd_font) {\n if (size < 1) {\n font = gdFontTiny;\n } else {\n font = gdFontGiant;\n }\n break;\n }\n return font;\n}", "project": "hhvm", "hash": 225807237607540851321088539287831178718, "size": 32, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219769 }, { "func": "char* formatBytes(u_int32_t howMuch, char *buf, u_int buf_len) {\n char unit = 'B';\n\n if(howMuch < 1024) {\n snprintf(buf, buf_len, \"%lu %c\", (unsigned long)howMuch, unit);\n } else if(howMuch < (1024*1024)) {\n snprintf(buf, buf_len, \"%.2f K%c\", (float)(howMuch)/1024, unit);\n } else {\n float tmpGB = ((float)howMuch)/(1024*1024);\n\n if(tmpGB < 1024) {\n snprintf(buf, buf_len, \"%.2f M%c\", tmpGB, unit);\n } else {\n tmpGB /= 1024;\n\n snprintf(buf, buf_len, \"%.2f G%c\", tmpGB, unit);\n }\n }\n\n return(buf);\n}", "project": "nDPI", "hash": 66364306620455481221738295340727387523, "size": 21, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254845 }, { "func": "CallResult Interpreter::interpretFunction(\n Runtime *runtime,\n InterpreterState &state) {\n // The interepter is re-entrant and also saves/restores its IP via the runtime\n // whenever a call out is made (see the CAPTURE_IP_* macros). 
As such, failure\n // to preserve the IP across calls to interpeterFunction() disrupt interpreter\n // calls further up the C++ callstack. The RAII utility class below makes sure\n // we always do this correctly.\n //\n // TODO: The IPs stored in the C++ callstack via this holder will generally be\n // the same as in the JS stack frames via the Saved IP field. We can probably\n // get rid of one of these redundant stores. Doing this isn't completely\n // trivial as there are currently cases where we re-enter the interpreter\n // without calling Runtime::saveCallerIPInStackFrame(), and there are features\n // (I think mostly the debugger + stack traces) which implicitly rely on\n // this behavior. At least their tests break if this behavior is not\n // preserved.\n struct IPSaver {\n IPSaver(Runtime *runtime)\n : ip_(runtime->getCurrentIP()), runtime_(runtime) {}\n\n ~IPSaver() {\n runtime_->setCurrentIP(ip_);\n }\n\n private:\n const Inst *ip_;\n Runtime *runtime_;\n };\n IPSaver ipSaver(runtime);\n\n#ifndef HERMES_ENABLE_DEBUGGER\n static_assert(!SingleStep, \"can't use single-step mode without the debugger\");\n#endif\n // Make sure that the cache can use an optimization by avoiding a branch to\n // access the property storage.\n static_assert(\n HiddenClass::kDictionaryThreshold <=\n SegmentedArray::kValueToSegmentThreshold,\n \"Cannot avoid branches in cache check if the dictionary \"\n \"crossover point is larger than the inline storage\");\n\n CodeBlock *curCodeBlock = state.codeBlock;\n const Inst *ip = nullptr;\n // Holds runtime->currentFrame_.ptr()-1 which is the first local\n // register. This eliminates the indirect load from Runtime and the -1 offset.\n PinnedHermesValue *frameRegs;\n // Strictness of current function.\n bool strictMode;\n // Default flags when accessing properties.\n PropOpFlags defaultPropOpFlags;\n\n// These CAPTURE_IP* macros should wrap around any major calls out of the\n// interpeter loop. 
They stash and retrieve the IP via the current Runtime\n// allowing the IP to be externally observed and even altered to change the flow\n// of execution. Explicitly saving AND restoring the IP from the Runtime in this\n// way means the C++ compiler will keep IP in a register within the rest of the\n// interpeter loop.\n//\n// When assertions are enabled we take the extra step of \"invalidating\" the IP\n// between captures so we can detect if it's erroneously accessed.\n//\n// In some cases we explicitly don't want to invalidate the IP and instead want\n// it to stay set. For this we use the *NO_INVALIDATE variants. This comes up\n// when we're performing a call operation which may re-enter the interpeter\n// loop, and so need the IP available for the saveCallerIPInStackFrame() call\n// when we next enter.\n#define CAPTURE_IP_ASSIGN_NO_INVALIDATE(dst, expr) \\\n runtime->setCurrentIP(ip); \\\n dst = expr; \\\n ip = runtime->getCurrentIP();\n\n#ifdef NDEBUG\n\n#define CAPTURE_IP(expr) \\\n runtime->setCurrentIP(ip); \\\n (void)expr; \\\n ip = runtime->getCurrentIP();\n\n#define CAPTURE_IP_ASSIGN(dst, expr) CAPTURE_IP_ASSIGN_NO_INVALIDATE(dst, expr)\n\n#else // !NDEBUG\n\n#define CAPTURE_IP(expr) \\\n runtime->setCurrentIP(ip); \\\n (void)expr; \\\n ip = runtime->getCurrentIP(); \\\n runtime->invalidateCurrentIP();\n\n#define CAPTURE_IP_ASSIGN(dst, expr) \\\n runtime->setCurrentIP(ip); \\\n dst = expr; \\\n ip = runtime->getCurrentIP(); \\\n runtime->invalidateCurrentIP();\n\n#endif // NDEBUG\n\n LLVM_DEBUG(dbgs() << \"interpretFunction() called\\n\");\n\n ScopedNativeDepthTracker depthTracker{runtime};\n if (LLVM_UNLIKELY(depthTracker.overflowed())) {\n return runtime->raiseStackOverflow(Runtime::StackOverflowKind::NativeStack);\n }\n\n if (!SingleStep) {\n if (auto jitPtr = runtime->jitContext_.compile(runtime, curCodeBlock)) {\n return (*jitPtr)(runtime);\n }\n }\n\n GCScope gcScope(runtime);\n // Avoid allocating a handle dynamically by reusing this one.\n 
MutableHandle<> tmpHandle(runtime);\n CallResult res{ExecutionStatus::EXCEPTION};\n CallResult> resPH{ExecutionStatus::EXCEPTION};\n CallResult> resArgs{ExecutionStatus::EXCEPTION};\n CallResult boolRes{ExecutionStatus::EXCEPTION};\n\n // Mark the gcScope so we can clear all allocated handles.\n // Remember how many handles the scope has so we can clear them in the loop.\n static constexpr unsigned KEEP_HANDLES = 1;\n assert(\n gcScope.getHandleCountDbg() == KEEP_HANDLES &&\n \"scope has unexpected number of handles\");\n\n INIT_OPCODE_PROFILER;\n\n#if !defined(HERMESVM_PROFILER_EXTERN)\ntailCall:\n#endif\n PROFILER_ENTER_FUNCTION(curCodeBlock);\n\n#ifdef HERMES_ENABLE_DEBUGGER\n runtime->getDebugger().willEnterCodeBlock(curCodeBlock);\n#endif\n\n runtime->getCodeCoverageProfiler().markExecuted(runtime, curCodeBlock);\n\n // Update function executionCount_ count\n curCodeBlock->incrementExecutionCount();\n\n if (!SingleStep) {\n auto newFrame = runtime->setCurrentFrameToTopOfStack();\n runtime->saveCallerIPInStackFrame();\n#ifndef NDEBUG\n runtime->invalidateCurrentIP();\n#endif\n\n // Point frameRegs to the first register in the new frame. 
Note that at this\n // moment technically it points above the top of the stack, but we are never\n // going to access it.\n frameRegs = &newFrame.getFirstLocalRef();\n\n#ifndef NDEBUG\n LLVM_DEBUG(\n dbgs() << \"function entry: stackLevel=\" << runtime->getStackLevel()\n << \", argCount=\" << runtime->getCurrentFrame().getArgCount()\n << \", frameSize=\" << curCodeBlock->getFrameSize() << \"\\n\");\n\n LLVM_DEBUG(\n dbgs() << \" callee \"\n << DumpHermesValue(\n runtime->getCurrentFrame().getCalleeClosureOrCBRef())\n << \"\\n\");\n LLVM_DEBUG(\n dbgs() << \" this \"\n << DumpHermesValue(runtime->getCurrentFrame().getThisArgRef())\n << \"\\n\");\n for (uint32_t i = 0; i != runtime->getCurrentFrame()->getArgCount(); ++i) {\n LLVM_DEBUG(\n dbgs() << \" \" << llvh::format_decimal(i, 4) << \" \"\n << DumpHermesValue(runtime->getCurrentFrame().getArgRef(i))\n << \"\\n\");\n }\n#endif\n\n // Allocate the registers for the new frame.\n if (LLVM_UNLIKELY(!runtime->checkAndAllocStack(\n curCodeBlock->getFrameSize() +\n StackFrameLayout::CalleeExtraRegistersAtStart,\n HermesValue::encodeUndefinedValue())))\n goto stackOverflow;\n\n ip = (Inst const *)curCodeBlock->begin();\n\n // Check for invalid invocation.\n if (LLVM_UNLIKELY(curCodeBlock->getHeaderFlags().isCallProhibited(\n newFrame.isConstructorCall()))) {\n if (!newFrame.isConstructorCall()) {\n CAPTURE_IP(\n runtime->raiseTypeError(\"Class constructor invoked without new\"));\n } else {\n CAPTURE_IP(runtime->raiseTypeError(\"Function is not a constructor\"));\n }\n goto handleExceptionInParent;\n }\n } else {\n // Point frameRegs to the first register in the frame.\n frameRegs = &runtime->getCurrentFrame().getFirstLocalRef();\n ip = (Inst const *)(curCodeBlock->begin() + state.offset);\n }\n\n assert((const uint8_t *)ip < curCodeBlock->end() && \"CodeBlock is empty\");\n\n INIT_STATE_FOR_CODEBLOCK(curCodeBlock);\n\n#define BEFORE_OP_CODE \\\n { \\\n UPDATE_OPCODE_TIME_SPENT; \\\n HERMES_SLOW_ASSERT( \\\n 
curCodeBlock->contains(ip) && \"curCodeBlock must contain ip\"); \\\n HERMES_SLOW_ASSERT((printDebugInfo(curCodeBlock, frameRegs, ip), true)); \\\n HERMES_SLOW_ASSERT( \\\n gcScope.getHandleCountDbg() == KEEP_HANDLES && \\\n \"unaccounted handles were created\"); \\\n HERMES_SLOW_ASSERT(tmpHandle->isUndefined() && \"tmpHandle not cleared\"); \\\n RECORD_OPCODE_START_TIME; \\\n INC_OPCODE_COUNT; \\\n }\n\n#ifdef HERMESVM_INDIRECT_THREADING\n static void *opcodeDispatch[] = {\n#define DEFINE_OPCODE(name) &&case_##name,\n#include \"hermes/BCGen/HBC/BytecodeList.def\"\n &&case__last};\n\n#define CASE(name) case_##name:\n#define DISPATCH \\\n BEFORE_OP_CODE; \\\n if (SingleStep) { \\\n state.codeBlock = curCodeBlock; \\\n state.offset = CUROFFSET; \\\n return HermesValue::encodeUndefinedValue(); \\\n } \\\n goto *opcodeDispatch[(unsigned)ip->opCode]\n\n#else // HERMESVM_INDIRECT_THREADING\n\n#define CASE(name) case OpCode::name:\n#define DISPATCH \\\n if (SingleStep) { \\\n state.codeBlock = curCodeBlock; \\\n state.offset = CUROFFSET; \\\n return HermesValue::encodeUndefinedValue(); \\\n } \\\n continue\n\n#endif // HERMESVM_INDIRECT_THREADING\n\n#define RUN_DEBUGGER_ASYNC_BREAK(flags) \\\n do { \\\n CAPTURE_IP_ASSIGN( \\\n auto dRes, \\\n runDebuggerUpdatingState( \\\n (uint8_t)(flags) & \\\n (uint8_t)Runtime::AsyncBreakReasonBits::DebuggerExplicit \\\n ? Debugger::RunReason::AsyncBreakExplicit \\\n : Debugger::RunReason::AsyncBreakImplicit, \\\n runtime, \\\n curCodeBlock, \\\n ip, \\\n frameRegs)); \\\n if (dRes == ExecutionStatus::EXCEPTION) \\\n goto exception; \\\n } while (0)\n\n for (;;) {\n BEFORE_OP_CODE;\n\n#ifdef HERMESVM_INDIRECT_THREADING\n goto *opcodeDispatch[(unsigned)ip->opCode];\n#else\n switch (ip->opCode)\n#endif\n {\n const Inst *nextIP;\n uint32_t idVal;\n bool tryProp;\n uint32_t callArgCount;\n // This is HermesValue::getRaw(), since HermesValue cannot be assigned\n // to. 
It is meant to be used only for very short durations, in the\n // dispatch of call instructions, when there is definitely no possibility\n // of a GC.\n HermesValue::RawType callNewTarget;\n\n/// Handle an opcode \\p name with an out-of-line implementation in a function\n/// ExecutionStatus caseName(\n/// Runtime *,\n/// PinnedHermesValue *frameRegs,\n/// Inst *ip)\n#define CASE_OUTOFLINE(name) \\\n CASE(name) { \\\n CAPTURE_IP_ASSIGN(auto res, case##name(runtime, frameRegs, ip)); \\\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) { \\\n goto exception; \\\n } \\\n gcScope.flushToSmallCount(KEEP_HANDLES); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n }\n\n/// Implement a binary arithmetic instruction with a fast path where both\n/// operands are numbers.\n/// \\param name the name of the instruction. The fast path case will have a\n/// \"n\" appended to the name.\n/// \\param oper the C++ operator to use to actually perform the arithmetic\n/// operation.\n#define BINOP(name, oper) \\\n CASE(name) { \\\n if (LLVM_LIKELY(O2REG(name).isNumber() && O3REG(name).isNumber())) { \\\n /* Fast-path. 
*/ \\\n CASE(name##N) { \\\n O1REG(name) = HermesValue::encodeDoubleValue( \\\n oper(O2REG(name).getNumber(), O3REG(name).getNumber())); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n } \\\n } \\\n CAPTURE_IP_ASSIGN(res, toNumber_RJS(runtime, Handle<>(&O2REG(name)))); \\\n if (res == ExecutionStatus::EXCEPTION) \\\n goto exception; \\\n double left = res->getDouble(); \\\n CAPTURE_IP_ASSIGN(res, toNumber_RJS(runtime, Handle<>(&O3REG(name)))); \\\n if (res == ExecutionStatus::EXCEPTION) \\\n goto exception; \\\n O1REG(name) = \\\n HermesValue::encodeDoubleValue(oper(left, res->getDouble())); \\\n gcScope.flushToSmallCount(KEEP_HANDLES); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n }\n\n/// Implement a shift instruction with a fast path where both\n/// operands are numbers.\n/// \\param name the name of the instruction.\n/// \\param oper the C++ operator to use to actually perform the shift\n/// operation.\n/// \\param lConv the conversion function for the LHS of the expression.\n/// \\param lType the type of the LHS operand.\n/// \\param returnType the type of the return value.\n#define SHIFTOP(name, oper, lConv, lType, returnType) \\\n CASE(name) { \\\n if (LLVM_LIKELY( \\\n O2REG(name).isNumber() && \\\n O3REG(name).isNumber())) { /* Fast-path. 
*/ \\\n auto lnum = static_cast( \\\n hermes::truncateToInt32(O2REG(name).getNumber())); \\\n auto rnum = static_cast( \\\n hermes::truncateToInt32(O3REG(name).getNumber())) & \\\n 0x1f; \\\n O1REG(name) = HermesValue::encodeDoubleValue( \\\n static_cast(lnum oper rnum)); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n } \\\n CAPTURE_IP_ASSIGN(res, lConv(runtime, Handle<>(&O2REG(name)))); \\\n if (res == ExecutionStatus::EXCEPTION) { \\\n goto exception; \\\n } \\\n auto lnum = static_cast(res->getNumber()); \\\n CAPTURE_IP_ASSIGN(res, toUInt32_RJS(runtime, Handle<>(&O3REG(name)))); \\\n if (res == ExecutionStatus::EXCEPTION) { \\\n goto exception; \\\n } \\\n auto rnum = static_cast(res->getNumber()) & 0x1f; \\\n gcScope.flushToSmallCount(KEEP_HANDLES); \\\n O1REG(name) = HermesValue::encodeDoubleValue( \\\n static_cast(lnum oper rnum)); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n }\n\n/// Implement a binary bitwise instruction with a fast path where both\n/// operands are numbers.\n/// \\param name the name of the instruction.\n/// \\param oper the C++ operator to use to actually perform the bitwise\n/// operation.\n#define BITWISEBINOP(name, oper) \\\n CASE(name) { \\\n if (LLVM_LIKELY(O2REG(name).isNumber() && O3REG(name).isNumber())) { \\\n /* Fast-path. 
*/ \\\n O1REG(name) = HermesValue::encodeDoubleValue( \\\n hermes::truncateToInt32(O2REG(name).getNumber()) \\\n oper hermes::truncateToInt32(O3REG(name).getNumber())); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n } \\\n CAPTURE_IP_ASSIGN(res, toInt32_RJS(runtime, Handle<>(&O2REG(name)))); \\\n if (res == ExecutionStatus::EXCEPTION) { \\\n goto exception; \\\n } \\\n int32_t left = res->getNumberAs(); \\\n CAPTURE_IP_ASSIGN(res, toInt32_RJS(runtime, Handle<>(&O3REG(name)))); \\\n if (res == ExecutionStatus::EXCEPTION) { \\\n goto exception; \\\n } \\\n O1REG(name) = \\\n HermesValue::encodeNumberValue(left oper res->getNumberAs()); \\\n gcScope.flushToSmallCount(KEEP_HANDLES); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n }\n\n/// Implement a comparison instruction.\n/// \\param name the name of the instruction.\n/// \\param oper the C++ operator to use to actually perform the fast arithmetic\n/// comparison.\n/// \\param operFuncName function to call for the slow-path comparison.\n#define CONDOP(name, oper, operFuncName) \\\n CASE(name) { \\\n if (LLVM_LIKELY(O2REG(name).isNumber() && O3REG(name).isNumber())) { \\\n /* Fast-path. */ \\\n O1REG(name) = HermesValue::encodeBoolValue( \\\n O2REG(name).getNumber() oper O3REG(name).getNumber()); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n } \\\n CAPTURE_IP_ASSIGN( \\\n boolRes, \\\n operFuncName( \\\n runtime, Handle<>(&O2REG(name)), Handle<>(&O3REG(name)))); \\\n if (boolRes == ExecutionStatus::EXCEPTION) \\\n goto exception; \\\n gcScope.flushToSmallCount(KEEP_HANDLES); \\\n O1REG(name) = HermesValue::encodeBoolValue(boolRes.getValue()); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n }\n\n/// Implement a comparison conditional jump with a fast path where both\n/// operands are numbers.\n/// \\param name the name of the instruction. The fast path case will have a\n/// \"N\" appended to the name.\n/// \\param suffix Optional suffix to be added to the end (e.g. 
Long)\n/// \\param oper the C++ operator to use to actually perform the fast arithmetic\n/// comparison.\n/// \\param operFuncName function to call for the slow-path comparison.\n/// \\param trueDest ip value if the conditional evaluates to true\n/// \\param falseDest ip value if the conditional evaluates to false\n#define JCOND_IMPL(name, suffix, oper, operFuncName, trueDest, falseDest) \\\n CASE(name##suffix) { \\\n if (LLVM_LIKELY( \\\n O2REG(name##suffix).isNumber() && \\\n O3REG(name##suffix).isNumber())) { \\\n /* Fast-path. */ \\\n CASE(name##N##suffix) { \\\n if (O2REG(name##N##suffix) \\\n .getNumber() oper O3REG(name##N##suffix) \\\n .getNumber()) { \\\n ip = trueDest; \\\n DISPATCH; \\\n } \\\n ip = falseDest; \\\n DISPATCH; \\\n } \\\n } \\\n CAPTURE_IP_ASSIGN( \\\n boolRes, \\\n operFuncName( \\\n runtime, \\\n Handle<>(&O2REG(name##suffix)), \\\n Handle<>(&O3REG(name##suffix)))); \\\n if (boolRes == ExecutionStatus::EXCEPTION) \\\n goto exception; \\\n gcScope.flushToSmallCount(KEEP_HANDLES); \\\n if (boolRes.getValue()) { \\\n ip = trueDest; \\\n DISPATCH; \\\n } \\\n ip = falseDest; \\\n DISPATCH; \\\n }\n\n/// Implement a strict equality conditional jump\n/// \\param name the name of the instruction.\n/// \\param suffix Optional suffix to be added to the end (e.g. Long)\n/// \\param trueDest ip value if the conditional evaluates to true\n/// \\param falseDest ip value if the conditional evaluates to false\n#define JCOND_STRICT_EQ_IMPL(name, suffix, trueDest, falseDest) \\\n CASE(name##suffix) { \\\n if (strictEqualityTest(O2REG(name##suffix), O3REG(name##suffix))) { \\\n ip = trueDest; \\\n DISPATCH; \\\n } \\\n ip = falseDest; \\\n DISPATCH; \\\n }\n\n/// Implement an equality conditional jump\n/// \\param name the name of the instruction.\n/// \\param suffix Optional suffix to be added to the end (e.g. 
Long)\n/// \\param trueDest ip value if the conditional evaluates to true\n/// \\param falseDest ip value if the conditional evaluates to false\n#define JCOND_EQ_IMPL(name, suffix, trueDest, falseDest) \\\n CASE(name##suffix) { \\\n CAPTURE_IP_ASSIGN( \\\n res, \\\n abstractEqualityTest_RJS( \\\n runtime, \\\n Handle<>(&O2REG(name##suffix)), \\\n Handle<>(&O3REG(name##suffix)))); \\\n if (res == ExecutionStatus::EXCEPTION) { \\\n goto exception; \\\n } \\\n gcScope.flushToSmallCount(KEEP_HANDLES); \\\n if (res->getBool()) { \\\n ip = trueDest; \\\n DISPATCH; \\\n } \\\n ip = falseDest; \\\n DISPATCH; \\\n }\n\n/// Implement the long and short forms of a conditional jump, and its negation.\n#define JCOND(name, oper, operFuncName) \\\n JCOND_IMPL( \\\n J##name, \\\n , \\\n oper, \\\n operFuncName, \\\n IPADD(ip->iJ##name.op1), \\\n NEXTINST(J##name)); \\\n JCOND_IMPL( \\\n J##name, \\\n Long, \\\n oper, \\\n operFuncName, \\\n IPADD(ip->iJ##name##Long.op1), \\\n NEXTINST(J##name##Long)); \\\n JCOND_IMPL( \\\n JNot##name, \\\n , \\\n oper, \\\n operFuncName, \\\n NEXTINST(JNot##name), \\\n IPADD(ip->iJNot##name.op1)); \\\n JCOND_IMPL( \\\n JNot##name, \\\n Long, \\\n oper, \\\n operFuncName, \\\n NEXTINST(JNot##name##Long), \\\n IPADD(ip->iJNot##name##Long.op1));\n\n/// Load a constant.\n/// \\param value is the value to store in the output register.\n#define LOAD_CONST(name, value) \\\n CASE(name) { \\\n O1REG(name) = value; \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n }\n\n#define LOAD_CONST_CAPTURE_IP(name, value) \\\n CASE(name) { \\\n CAPTURE_IP_ASSIGN(O1REG(name), value); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n }\n\n CASE(Mov) {\n O1REG(Mov) = O2REG(Mov);\n ip = NEXTINST(Mov);\n DISPATCH;\n }\n\n CASE(MovLong) {\n O1REG(MovLong) = O2REG(MovLong);\n ip = NEXTINST(MovLong);\n DISPATCH;\n }\n\n CASE(LoadParam) {\n if (LLVM_LIKELY(ip->iLoadParam.op2 <= FRAME.getArgCount())) {\n // index 0 must load 'this'. 
Index 1 the first argument, etc.\n O1REG(LoadParam) = FRAME.getArgRef((int32_t)ip->iLoadParam.op2 - 1);\n ip = NEXTINST(LoadParam);\n DISPATCH;\n }\n O1REG(LoadParam) = HermesValue::encodeUndefinedValue();\n ip = NEXTINST(LoadParam);\n DISPATCH;\n }\n\n CASE(LoadParamLong) {\n if (LLVM_LIKELY(ip->iLoadParamLong.op2 <= FRAME.getArgCount())) {\n // index 0 must load 'this'. Index 1 the first argument, etc.\n O1REG(LoadParamLong) =\n FRAME.getArgRef((int32_t)ip->iLoadParamLong.op2 - 1);\n ip = NEXTINST(LoadParamLong);\n DISPATCH;\n }\n O1REG(LoadParamLong) = HermesValue::encodeUndefinedValue();\n ip = NEXTINST(LoadParamLong);\n DISPATCH;\n }\n\n CASE(CoerceThisNS) {\n if (LLVM_LIKELY(O2REG(CoerceThisNS).isObject())) {\n O1REG(CoerceThisNS) = O2REG(CoerceThisNS);\n } else if (\n O2REG(CoerceThisNS).isNull() || O2REG(CoerceThisNS).isUndefined()) {\n O1REG(CoerceThisNS) = runtime->global_;\n } else {\n tmpHandle = O2REG(CoerceThisNS);\n nextIP = NEXTINST(CoerceThisNS);\n goto coerceThisSlowPath;\n }\n ip = NEXTINST(CoerceThisNS);\n DISPATCH;\n }\n CASE(LoadThisNS) {\n if (LLVM_LIKELY(FRAME.getThisArgRef().isObject())) {\n O1REG(LoadThisNS) = FRAME.getThisArgRef();\n } else if (\n FRAME.getThisArgRef().isNull() ||\n FRAME.getThisArgRef().isUndefined()) {\n O1REG(LoadThisNS) = runtime->global_;\n } else {\n tmpHandle = FRAME.getThisArgRef();\n nextIP = NEXTINST(LoadThisNS);\n goto coerceThisSlowPath;\n }\n ip = NEXTINST(LoadThisNS);\n DISPATCH;\n }\n coerceThisSlowPath : {\n CAPTURE_IP_ASSIGN(res, toObject(runtime, tmpHandle));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(CoerceThisNS) = res.getValue();\n tmpHandle.clear();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(ConstructLong) {\n callArgCount = (uint32_t)ip->iConstructLong.op3;\n nextIP = NEXTINST(ConstructLong);\n callNewTarget = O2REG(ConstructLong).getRaw();\n goto doCall;\n }\n CASE(CallLong) {\n callArgCount = 
(uint32_t)ip->iCallLong.op3;\n nextIP = NEXTINST(CallLong);\n callNewTarget = HermesValue::encodeUndefinedValue().getRaw();\n goto doCall;\n }\n\n // Note in Call1 through Call4, the first argument is 'this' which has\n // argument index -1.\n // Also note that we are writing to callNewTarget last, to avoid the\n // possibility of it being aliased by the arg writes.\n CASE(Call1) {\n callArgCount = 1;\n nextIP = NEXTINST(Call1);\n StackFramePtr fr{runtime->stackPointer_};\n fr.getArgRefUnsafe(-1) = O3REG(Call1);\n callNewTarget = HermesValue::encodeUndefinedValue().getRaw();\n goto doCall;\n }\n\n CASE(Call2) {\n callArgCount = 2;\n nextIP = NEXTINST(Call2);\n StackFramePtr fr{runtime->stackPointer_};\n fr.getArgRefUnsafe(-1) = O3REG(Call2);\n fr.getArgRefUnsafe(0) = O4REG(Call2);\n callNewTarget = HermesValue::encodeUndefinedValue().getRaw();\n goto doCall;\n }\n\n CASE(Call3) {\n callArgCount = 3;\n nextIP = NEXTINST(Call3);\n StackFramePtr fr{runtime->stackPointer_};\n fr.getArgRefUnsafe(-1) = O3REG(Call3);\n fr.getArgRefUnsafe(0) = O4REG(Call3);\n fr.getArgRefUnsafe(1) = O5REG(Call3);\n callNewTarget = HermesValue::encodeUndefinedValue().getRaw();\n goto doCall;\n }\n\n CASE(Call4) {\n callArgCount = 4;\n nextIP = NEXTINST(Call4);\n StackFramePtr fr{runtime->stackPointer_};\n fr.getArgRefUnsafe(-1) = O3REG(Call4);\n fr.getArgRefUnsafe(0) = O4REG(Call4);\n fr.getArgRefUnsafe(1) = O5REG(Call4);\n fr.getArgRefUnsafe(2) = O6REG(Call4);\n callNewTarget = HermesValue::encodeUndefinedValue().getRaw();\n goto doCall;\n }\n\n CASE(Construct) {\n callArgCount = (uint32_t)ip->iConstruct.op3;\n nextIP = NEXTINST(Construct);\n callNewTarget = O2REG(Construct).getRaw();\n goto doCall;\n }\n CASE(Call) {\n callArgCount = (uint32_t)ip->iCall.op3;\n nextIP = NEXTINST(Call);\n callNewTarget = HermesValue::encodeUndefinedValue().getRaw();\n // Fall through.\n }\n\n doCall : {\n#ifdef HERMES_ENABLE_DEBUGGER\n // Check for an async debugger request.\n if (uint8_t asyncFlags =\n 
runtime->testAndClearDebuggerAsyncBreakRequest()) {\n RUN_DEBUGGER_ASYNC_BREAK(asyncFlags);\n gcScope.flushToSmallCount(KEEP_HANDLES);\n DISPATCH;\n }\n#endif\n\n // Subtract 1 from callArgCount as 'this' is considered an argument in the\n // instruction, but not in the frame.\n CAPTURE_IP_ASSIGN_NO_INVALIDATE(\n auto newFrame,\n StackFramePtr::initFrame(\n runtime->stackPointer_,\n FRAME,\n ip,\n curCodeBlock,\n callArgCount - 1,\n O2REG(Call),\n HermesValue::fromRaw(callNewTarget)));\n (void)newFrame;\n\n SLOW_DEBUG(dumpCallArguments(dbgs(), runtime, newFrame));\n\n if (auto *func = dyn_vmcast(O2REG(Call))) {\n assert(!SingleStep && \"can't single-step a call\");\n\n#ifdef HERMES_ENABLE_ALLOCATION_LOCATION_TRACES\n runtime->pushCallStack(curCodeBlock, ip);\n#endif\n\n CodeBlock *calleeBlock = func->getCodeBlock();\n calleeBlock->lazyCompile(runtime);\n#if defined(HERMESVM_PROFILER_EXTERN)\n CAPTURE_IP_ASSIGN_NO_INVALIDATE(\n res, runtime->interpretFunction(calleeBlock));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(Call) = *res;\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n#else\n if (auto jitPtr = runtime->jitContext_.compile(runtime, calleeBlock)) {\n res = (*jitPtr)(runtime);\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION))\n goto exception;\n O1REG(Call) = *res;\n SLOW_DEBUG(\n dbgs() << \"JIT return value r\" << (unsigned)ip->iCall.op1 << \"=\"\n << DumpHermesValue(O1REG(Call)) << \"\\n\");\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n curCodeBlock = calleeBlock;\n goto tailCall;\n#endif\n }\n CAPTURE_IP_ASSIGN_NO_INVALIDATE(\n resPH, Interpreter::handleCallSlowPath(runtime, &O2REG(Call)));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(Call) = std::move(resPH->get());\n SLOW_DEBUG(\n dbgs() << \"native return value r\" << (unsigned)ip->iCall.op1 << \"=\"\n << DumpHermesValue(O1REG(Call)) << \"\\n\");\n 
gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(CallDirect)\n CASE(CallDirectLongIndex) {\n#ifdef HERMES_ENABLE_DEBUGGER\n // Check for an async debugger request.\n if (uint8_t asyncFlags =\n runtime->testAndClearDebuggerAsyncBreakRequest()) {\n RUN_DEBUGGER_ASYNC_BREAK(asyncFlags);\n gcScope.flushToSmallCount(KEEP_HANDLES);\n DISPATCH;\n }\n#endif\n\n CAPTURE_IP_ASSIGN(\n CodeBlock * calleeBlock,\n ip->opCode == OpCode::CallDirect\n ? curCodeBlock->getRuntimeModule()->getCodeBlockMayAllocate(\n ip->iCallDirect.op3)\n : curCodeBlock->getRuntimeModule()->getCodeBlockMayAllocate(\n ip->iCallDirectLongIndex.op3));\n\n CAPTURE_IP_ASSIGN_NO_INVALIDATE(\n auto newFrame,\n StackFramePtr::initFrame(\n runtime->stackPointer_,\n FRAME,\n ip,\n curCodeBlock,\n (uint32_t)ip->iCallDirect.op2 - 1,\n HermesValue::encodeNativePointer(calleeBlock),\n HermesValue::encodeUndefinedValue()));\n (void)newFrame;\n\n LLVM_DEBUG(dumpCallArguments(dbgs(), runtime, newFrame));\n\n assert(!SingleStep && \"can't single-step a call\");\n\n calleeBlock->lazyCompile(runtime);\n#if defined(HERMESVM_PROFILER_EXTERN)\n CAPTURE_IP_ASSIGN_NO_INVALIDATE(\n res, runtime->interpretFunction(calleeBlock));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(CallDirect) = *res;\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = ip->opCode == OpCode::CallDirect ? NEXTINST(CallDirect)\n : NEXTINST(CallDirectLongIndex);\n DISPATCH;\n#else\n if (auto jitPtr = runtime->jitContext_.compile(runtime, calleeBlock)) {\n res = (*jitPtr)(runtime);\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION))\n goto exception;\n O1REG(CallDirect) = *res;\n LLVM_DEBUG(\n dbgs() << \"JIT return value r\" << (unsigned)ip->iCallDirect.op1\n << \"=\" << DumpHermesValue(O1REG(Call)) << \"\\n\");\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = ip->opCode == OpCode::CallDirect ? 
NEXTINST(CallDirect)\n : NEXTINST(CallDirectLongIndex);\n DISPATCH;\n }\n curCodeBlock = calleeBlock;\n goto tailCall;\n#endif\n }\n\n CASE(CallBuiltin) {\n NativeFunction *nf =\n runtime->getBuiltinNativeFunction(ip->iCallBuiltin.op2);\n\n CAPTURE_IP_ASSIGN(\n auto newFrame,\n StackFramePtr::initFrame(\n runtime->stackPointer_,\n FRAME,\n ip,\n curCodeBlock,\n (uint32_t)ip->iCallBuiltin.op3 - 1,\n nf,\n false));\n // \"thisArg\" is implicitly assumed to \"undefined\".\n newFrame.getThisArgRef() = HermesValue::encodeUndefinedValue();\n\n SLOW_DEBUG(dumpCallArguments(dbgs(), runtime, newFrame));\n\n CAPTURE_IP_ASSIGN(resPH, NativeFunction::_nativeCall(nf, runtime));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION))\n goto exception;\n O1REG(CallBuiltin) = std::move(resPH->get());\n SLOW_DEBUG(\n dbgs() << \"native return value r\" << (unsigned)ip->iCallBuiltin.op1\n << \"=\" << DumpHermesValue(O1REG(CallBuiltin)) << \"\\n\");\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(CallBuiltin);\n DISPATCH;\n }\n\n CASE(CompleteGenerator) {\n auto *innerFn = vmcast(\n runtime->getCurrentFrame().getCalleeClosure());\n innerFn->setState(GeneratorInnerFunction::State::Completed);\n ip = NEXTINST(CompleteGenerator);\n DISPATCH;\n }\n\n CASE(SaveGenerator) {\n nextIP = IPADD(ip->iSaveGenerator.op1);\n goto doSaveGen;\n }\n CASE(SaveGeneratorLong) {\n nextIP = IPADD(ip->iSaveGeneratorLong.op1);\n goto doSaveGen;\n }\n\n doSaveGen : {\n auto *innerFn = vmcast(\n runtime->getCurrentFrame().getCalleeClosure());\n\n innerFn->saveStack(runtime);\n innerFn->setNextIP(nextIP);\n innerFn->setState(GeneratorInnerFunction::State::SuspendedYield);\n ip = NEXTINST(SaveGenerator);\n DISPATCH;\n }\n\n CASE(StartGenerator) {\n auto *innerFn = vmcast(\n runtime->getCurrentFrame().getCalleeClosure());\n if (innerFn->getState() ==\n GeneratorInnerFunction::State::SuspendedStart) {\n nextIP = NEXTINST(StartGenerator);\n } else {\n nextIP = innerFn->getNextIP();\n 
innerFn->restoreStack(runtime);\n }\n innerFn->setState(GeneratorInnerFunction::State::Executing);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(ResumeGenerator) {\n auto *innerFn = vmcast(\n runtime->getCurrentFrame().getCalleeClosure());\n O1REG(ResumeGenerator) = innerFn->getResult();\n O2REG(ResumeGenerator) = HermesValue::encodeBoolValue(\n innerFn->getAction() == GeneratorInnerFunction::Action::Return);\n innerFn->clearResult(runtime);\n if (innerFn->getAction() == GeneratorInnerFunction::Action::Throw) {\n runtime->setThrownValue(O1REG(ResumeGenerator));\n goto exception;\n }\n ip = NEXTINST(ResumeGenerator);\n DISPATCH;\n }\n\n CASE(Ret) {\n#ifdef HERMES_ENABLE_DEBUGGER\n // Check for an async debugger request.\n if (uint8_t asyncFlags =\n runtime->testAndClearDebuggerAsyncBreakRequest()) {\n RUN_DEBUGGER_ASYNC_BREAK(asyncFlags);\n gcScope.flushToSmallCount(KEEP_HANDLES);\n DISPATCH;\n }\n#endif\n\n PROFILER_EXIT_FUNCTION(curCodeBlock);\n\n#ifdef HERMES_ENABLE_ALLOCATION_LOCATION_TRACES\n runtime->popCallStack();\n#endif\n\n // Store the return value.\n res = O1REG(Ret);\n\n ip = FRAME.getSavedIP();\n curCodeBlock = FRAME.getSavedCodeBlock();\n\n frameRegs =\n &runtime->restoreStackAndPreviousFrame(FRAME).getFirstLocalRef();\n\n SLOW_DEBUG(\n dbgs() << \"function exit: restored stackLevel=\"\n << runtime->getStackLevel() << \"\\n\");\n\n // Are we returning to native code?\n if (!curCodeBlock) {\n SLOW_DEBUG(dbgs() << \"function exit: returning to native code\\n\");\n return res;\n }\n\n// Return because of recursive calling structure\n#if defined(HERMESVM_PROFILER_EXTERN)\n return res;\n#endif\n\n INIT_STATE_FOR_CODEBLOCK(curCodeBlock);\n O1REG(Call) = res.getValue();\n ip = nextInstCall(ip);\n DISPATCH;\n }\n\n CASE(Catch) {\n assert(!runtime->thrownValue_.isEmpty() && \"Invalid thrown value\");\n assert(\n !isUncatchableError(runtime->thrownValue_) &&\n \"Uncatchable thrown value was caught\");\n O1REG(Catch) = runtime->thrownValue_;\n 
runtime->clearThrownValue();\n#ifdef HERMES_ENABLE_DEBUGGER\n // Signal to the debugger that we're done unwinding an exception,\n // and we can resume normal debugging flow.\n runtime->debugger_.finishedUnwindingException();\n#endif\n ip = NEXTINST(Catch);\n DISPATCH;\n }\n\n CASE(Throw) {\n runtime->thrownValue_ = O1REG(Throw);\n SLOW_DEBUG(\n dbgs() << \"Exception thrown: \"\n << DumpHermesValue(runtime->thrownValue_) << \"\\n\");\n goto exception;\n }\n\n CASE(ThrowIfUndefinedInst) {\n if (LLVM_UNLIKELY(O1REG(ThrowIfUndefinedInst).isUndefined())) {\n SLOW_DEBUG(\n dbgs() << \"Throwing ReferenceError for undefined variable\");\n CAPTURE_IP(runtime->raiseReferenceError(\n \"accessing an uninitialized variable\"));\n goto exception;\n }\n ip = NEXTINST(ThrowIfUndefinedInst);\n DISPATCH;\n }\n\n CASE(Debugger) {\n SLOW_DEBUG(dbgs() << \"debugger statement executed\\n\");\n#ifdef HERMES_ENABLE_DEBUGGER\n {\n if (!runtime->debugger_.isDebugging()) {\n // Only run the debugger if we're not already debugging.\n // Don't want to call it again and mess with its state.\n CAPTURE_IP_ASSIGN(\n auto res,\n runDebuggerUpdatingState(\n Debugger::RunReason::Opcode,\n runtime,\n curCodeBlock,\n ip,\n frameRegs));\n if (res == ExecutionStatus::EXCEPTION) {\n // If one of the internal steps threw,\n // then handle that here by jumping to where we're supposed to go.\n // If we're in mid-step, the breakpoint at the catch point\n // will have been set by the debugger.\n // We don't want to execute this instruction because it's already\n // thrown.\n goto exception;\n }\n }\n auto breakpointOpt = runtime->debugger_.getBreakpointLocation(ip);\n if (breakpointOpt.hasValue()) {\n // We're on a breakpoint but we're supposed to continue.\n curCodeBlock->uninstallBreakpointAtOffset(\n CUROFFSET, breakpointOpt->opCode);\n if (ip->opCode == OpCode::Debugger) {\n // Breakpointed a debugger instruction, so move past it\n // since we've already called the debugger on this instruction.\n ip = 
NEXTINST(Debugger);\n } else {\n InterpreterState newState{curCodeBlock, (uint32_t)CUROFFSET};\n CAPTURE_IP_ASSIGN(\n ExecutionStatus status, runtime->stepFunction(newState));\n curCodeBlock->installBreakpointAtOffset(CUROFFSET);\n if (status == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n curCodeBlock = newState.codeBlock;\n ip = newState.codeBlock->getOffsetPtr(newState.offset);\n INIT_STATE_FOR_CODEBLOCK(curCodeBlock);\n // Single-stepping should handle call stack management for us.\n frameRegs = &runtime->getCurrentFrame().getFirstLocalRef();\n }\n } else if (ip->opCode == OpCode::Debugger) {\n // No breakpoint here and we've already run the debugger,\n // just continue on.\n // If the current instruction is no longer a debugger instruction,\n // we're just going to keep executing from the current IP.\n ip = NEXTINST(Debugger);\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n }\n DISPATCH;\n#else\n ip = NEXTINST(Debugger);\n DISPATCH;\n#endif\n }\n\n CASE(AsyncBreakCheck) {\n if (LLVM_UNLIKELY(runtime->hasAsyncBreak())) {\n#ifdef HERMES_ENABLE_DEBUGGER\n if (uint8_t asyncFlags =\n runtime->testAndClearDebuggerAsyncBreakRequest()) {\n RUN_DEBUGGER_ASYNC_BREAK(asyncFlags);\n }\n#endif\n if (runtime->testAndClearTimeoutAsyncBreakRequest()) {\n CAPTURE_IP_ASSIGN(auto nRes, runtime->notifyTimeout());\n if (nRes == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n }\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n\n ip = NEXTINST(AsyncBreakCheck);\n DISPATCH;\n }\n\n CASE(ProfilePoint) {\n#ifdef HERMESVM_PROFILER_BB\n auto pointIndex = ip->iProfilePoint.op1;\n SLOW_DEBUG(llvh::dbgs() << \"ProfilePoint: \" << pointIndex << \"\\n\");\n CAPTURE_IP(runtime->getBasicBlockExecutionInfo().executeBlock(\n curCodeBlock, pointIndex));\n#endif\n ip = NEXTINST(ProfilePoint);\n DISPATCH;\n }\n\n CASE(Unreachable) {\n llvm_unreachable(\"Hermes bug: unreachable instruction\");\n }\n\n CASE(CreateClosure) {\n idVal = ip->iCreateClosure.op3;\n nextIP = 
NEXTINST(CreateClosure);\n goto createClosure;\n }\n CASE(CreateClosureLongIndex) {\n idVal = ip->iCreateClosureLongIndex.op3;\n nextIP = NEXTINST(CreateClosureLongIndex);\n goto createClosure;\n }\n createClosure : {\n auto *runtimeModule = curCodeBlock->getRuntimeModule();\n CAPTURE_IP_ASSIGN(\n O1REG(CreateClosure),\n JSFunction::create(\n runtime,\n runtimeModule->getDomain(runtime),\n Handle::vmcast(&runtime->functionPrototype),\n Handle::vmcast(&O2REG(CreateClosure)),\n runtimeModule->getCodeBlockMayAllocate(idVal))\n .getHermesValue());\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(CreateGeneratorClosure) {\n CAPTURE_IP_ASSIGN(\n auto res,\n createGeneratorClosure(\n runtime,\n curCodeBlock->getRuntimeModule(),\n ip->iCreateClosure.op3,\n Handle::vmcast(&O2REG(CreateGeneratorClosure))));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(CreateGeneratorClosure) = res->getHermesValue();\n res->invalidate();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(CreateGeneratorClosure);\n DISPATCH;\n }\n CASE(CreateGeneratorClosureLongIndex) {\n CAPTURE_IP_ASSIGN(\n auto res,\n createGeneratorClosure(\n runtime,\n curCodeBlock->getRuntimeModule(),\n ip->iCreateClosureLongIndex.op3,\n Handle::vmcast(\n &O2REG(CreateGeneratorClosureLongIndex))));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(CreateGeneratorClosureLongIndex) = res->getHermesValue();\n res->invalidate();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(CreateGeneratorClosureLongIndex);\n DISPATCH;\n }\n\n CASE(CreateGenerator) {\n CAPTURE_IP_ASSIGN(\n auto res,\n createGenerator_RJS(\n runtime,\n curCodeBlock->getRuntimeModule(),\n ip->iCreateGenerator.op3,\n Handle::vmcast(&O2REG(CreateGenerator)),\n FRAME.getNativeArgs()));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(CreateGenerator) = res->getHermesValue();\n 
res->invalidate();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(CreateGenerator);\n DISPATCH;\n }\n CASE(CreateGeneratorLongIndex) {\n CAPTURE_IP_ASSIGN(\n auto res,\n createGenerator_RJS(\n runtime,\n curCodeBlock->getRuntimeModule(),\n ip->iCreateGeneratorLongIndex.op3,\n Handle::vmcast(&O2REG(CreateGeneratorLongIndex)),\n FRAME.getNativeArgs()));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(CreateGeneratorLongIndex) = res->getHermesValue();\n res->invalidate();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(CreateGeneratorLongIndex);\n DISPATCH;\n }\n\n CASE(GetEnvironment) {\n // The currently executing function must exist, so get the environment.\n Environment *curEnv =\n FRAME.getCalleeClosureUnsafe()->getEnvironment(runtime);\n for (unsigned level = ip->iGetEnvironment.op2; level; --level) {\n assert(curEnv && \"invalid environment relative level\");\n curEnv = curEnv->getParentEnvironment(runtime);\n }\n O1REG(GetEnvironment) = HermesValue::encodeObjectValue(curEnv);\n ip = NEXTINST(GetEnvironment);\n DISPATCH;\n }\n\n CASE(CreateEnvironment) {\n tmpHandle = HermesValue::encodeObjectValue(\n FRAME.getCalleeClosureUnsafe()->getEnvironment(runtime));\n\n CAPTURE_IP_ASSIGN(\n res,\n Environment::create(\n runtime,\n tmpHandle->getPointer() ? 
Handle::vmcast(tmpHandle)\n : Handle::vmcast_or_null(\n &runtime->nullPointer_),\n curCodeBlock->getEnvironmentSize()));\n if (res == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n O1REG(CreateEnvironment) = *res;\n#ifdef HERMES_ENABLE_DEBUGGER\n FRAME.getDebugEnvironmentRef() = *res;\n#endif\n tmpHandle = HermesValue::encodeUndefinedValue();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(CreateEnvironment);\n DISPATCH;\n }\n\n CASE(StoreToEnvironment) {\n vmcast(O1REG(StoreToEnvironment))\n ->slot(ip->iStoreToEnvironment.op2)\n .set(O3REG(StoreToEnvironment), &runtime->getHeap());\n ip = NEXTINST(StoreToEnvironment);\n DISPATCH;\n }\n CASE(StoreToEnvironmentL) {\n vmcast(O1REG(StoreToEnvironmentL))\n ->slot(ip->iStoreToEnvironmentL.op2)\n .set(O3REG(StoreToEnvironmentL), &runtime->getHeap());\n ip = NEXTINST(StoreToEnvironmentL);\n DISPATCH;\n }\n\n CASE(StoreNPToEnvironment) {\n vmcast(O1REG(StoreNPToEnvironment))\n ->slot(ip->iStoreNPToEnvironment.op2)\n .setNonPtr(O3REG(StoreNPToEnvironment), &runtime->getHeap());\n ip = NEXTINST(StoreNPToEnvironment);\n DISPATCH;\n }\n CASE(StoreNPToEnvironmentL) {\n vmcast(O1REG(StoreNPToEnvironmentL))\n ->slot(ip->iStoreNPToEnvironmentL.op2)\n .setNonPtr(O3REG(StoreNPToEnvironmentL), &runtime->getHeap());\n ip = NEXTINST(StoreNPToEnvironmentL);\n DISPATCH;\n }\n\n CASE(LoadFromEnvironment) {\n O1REG(LoadFromEnvironment) =\n vmcast(O2REG(LoadFromEnvironment))\n ->slot(ip->iLoadFromEnvironment.op3);\n ip = NEXTINST(LoadFromEnvironment);\n DISPATCH;\n }\n\n CASE(LoadFromEnvironmentL) {\n O1REG(LoadFromEnvironmentL) =\n vmcast(O2REG(LoadFromEnvironmentL))\n ->slot(ip->iLoadFromEnvironmentL.op3);\n ip = NEXTINST(LoadFromEnvironmentL);\n DISPATCH;\n }\n\n CASE(GetGlobalObject) {\n O1REG(GetGlobalObject) = runtime->global_;\n ip = NEXTINST(GetGlobalObject);\n DISPATCH;\n }\n\n CASE(GetNewTarget) {\n O1REG(GetNewTarget) = FRAME.getNewTargetRef();\n ip = NEXTINST(GetNewTarget);\n DISPATCH;\n }\n\n 
CASE(DeclareGlobalVar) {\n DefinePropertyFlags dpf =\n DefinePropertyFlags::getDefaultNewPropertyFlags();\n dpf.configurable = 0;\n // Do not overwrite existing globals with undefined.\n dpf.setValue = 0;\n\n CAPTURE_IP_ASSIGN(\n auto res,\n JSObject::defineOwnProperty(\n runtime->getGlobal(),\n runtime,\n ID(ip->iDeclareGlobalVar.op1),\n dpf,\n Runtime::getUndefinedValue(),\n PropOpFlags().plusThrowOnError()));\n if (res == ExecutionStatus::EXCEPTION) {\n assert(\n !runtime->getGlobal()->isProxyObject() &&\n \"global can't be a proxy object\");\n // If the property already exists, this should be a noop.\n // Instead of incurring the cost to check every time, do it\n // only if an exception is thrown, and swallow the exception\n // if it exists, since we didn't want to make the call,\n // anyway. This most likely means the property is\n // non-configurable.\n NamedPropertyDescriptor desc;\n CAPTURE_IP_ASSIGN(\n auto res,\n JSObject::getOwnNamedDescriptor(\n runtime->getGlobal(),\n runtime,\n ID(ip->iDeclareGlobalVar.op1),\n desc));\n if (!res) {\n goto exception;\n } else {\n runtime->clearThrownValue();\n }\n // fall through\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(DeclareGlobalVar);\n DISPATCH;\n }\n\n CASE(TryGetByIdLong) {\n tryProp = true;\n idVal = ip->iTryGetByIdLong.op4;\n nextIP = NEXTINST(TryGetByIdLong);\n goto getById;\n }\n CASE(GetByIdLong) {\n tryProp = false;\n idVal = ip->iGetByIdLong.op4;\n nextIP = NEXTINST(GetByIdLong);\n goto getById;\n }\n CASE(GetByIdShort) {\n tryProp = false;\n idVal = ip->iGetByIdShort.op4;\n nextIP = NEXTINST(GetByIdShort);\n goto getById;\n }\n CASE(TryGetById) {\n tryProp = true;\n idVal = ip->iTryGetById.op4;\n nextIP = NEXTINST(TryGetById);\n goto getById;\n }\n CASE(GetById) {\n tryProp = false;\n idVal = ip->iGetById.op4;\n nextIP = NEXTINST(GetById);\n }\n getById : {\n ++NumGetById;\n // NOTE: it is safe to use OnREG(GetById) here because all instructions\n // have the same layout: opcode, 
registers, non-register operands, i.e.\n // they only differ in the width of the last \"identifier\" field.\n CallResult propRes{ExecutionStatus::EXCEPTION};\n if (LLVM_LIKELY(O2REG(GetById).isObject())) {\n auto *obj = vmcast(O2REG(GetById));\n auto cacheIdx = ip->iGetById.op3;\n auto *cacheEntry = curCodeBlock->getReadCacheEntry(cacheIdx);\n\n#ifdef HERMESVM_PROFILER_BB\n {\n HERMES_SLOW_ASSERT(\n gcScope.getHandleCountDbg() == KEEP_HANDLES &&\n \"unaccounted handles were created\");\n auto objHandle = runtime->makeHandle(obj);\n auto cacheHCPtr = vmcast_or_null(static_cast(\n cacheEntry->clazz.get(runtime, &runtime->getHeap())));\n CAPTURE_IP(runtime->recordHiddenClass(\n curCodeBlock, ip, ID(idVal), obj->getClass(runtime), cacheHCPtr));\n // obj may be moved by GC due to recordHiddenClass\n obj = objHandle.get();\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n#endif\n auto clazzGCPtr = obj->getClassGCPtr();\n#ifndef NDEBUG\n if (clazzGCPtr.get(runtime)->isDictionary())\n ++NumGetByIdDict;\n#else\n (void)NumGetByIdDict;\n#endif\n\n // If we have a cache hit, reuse the cached offset and immediately\n // return the property.\n if (LLVM_LIKELY(cacheEntry->clazz == clazzGCPtr.getStorageType())) {\n ++NumGetByIdCacheHits;\n CAPTURE_IP_ASSIGN(\n O1REG(GetById),\n JSObject::getNamedSlotValue(\n obj, runtime, cacheEntry->slot));\n ip = nextIP;\n DISPATCH;\n }\n auto id = ID(idVal);\n NamedPropertyDescriptor desc;\n CAPTURE_IP_ASSIGN(\n OptValue fastPathResult,\n JSObject::tryGetOwnNamedDescriptorFast(obj, runtime, id, desc));\n if (LLVM_LIKELY(\n fastPathResult.hasValue() && fastPathResult.getValue()) &&\n !desc.flags.accessor) {\n ++NumGetByIdFastPaths;\n\n // cacheIdx == 0 indicates no caching so don't update the cache in\n // those cases.\n auto *clazz = clazzGCPtr.getNonNull(runtime);\n if (LLVM_LIKELY(!clazz->isDictionaryNoCache()) &&\n LLVM_LIKELY(cacheIdx != hbc::PROPERTY_CACHING_DISABLED)) {\n#ifdef HERMES_SLOW_DEBUG\n if (cacheEntry->clazz &&\n 
cacheEntry->clazz != clazzGCPtr.getStorageType())\n ++NumGetByIdCacheEvicts;\n#else\n (void)NumGetByIdCacheEvicts;\n#endif\n // Cache the class, id and property slot.\n cacheEntry->clazz = clazzGCPtr.getStorageType();\n cacheEntry->slot = desc.slot;\n }\n\n CAPTURE_IP_ASSIGN(\n O1REG(GetById), JSObject::getNamedSlotValue(obj, runtime, desc));\n ip = nextIP;\n DISPATCH;\n }\n\n // The cache may also be populated via the prototype of the object.\n // This value is only reliable if the fast path was a definite\n // not-found.\n if (fastPathResult.hasValue() && !fastPathResult.getValue() &&\n !obj->isProxyObject()) {\n CAPTURE_IP_ASSIGN(JSObject * parent, obj->getParent(runtime));\n // TODO: This isLazy check is because a lazy object is reported as\n // having no properties and therefore cannot contain the property.\n // This check does not belong here, it should be merged into\n // tryGetOwnNamedDescriptorFast().\n if (parent &&\n cacheEntry->clazz == parent->getClassGCPtr().getStorageType() &&\n LLVM_LIKELY(!obj->isLazy())) {\n ++NumGetByIdProtoHits;\n CAPTURE_IP_ASSIGN(\n O1REG(GetById),\n JSObject::getNamedSlotValue(parent, runtime, cacheEntry->slot));\n ip = nextIP;\n DISPATCH;\n }\n }\n\n#ifdef HERMES_SLOW_DEBUG\n CAPTURE_IP_ASSIGN(\n JSObject * propObj,\n JSObject::getNamedDescriptor(\n Handle::vmcast(&O2REG(GetById)), runtime, id, desc));\n if (propObj) {\n if (desc.flags.accessor)\n ++NumGetByIdAccessor;\n else if (propObj != vmcast(O2REG(GetById)))\n ++NumGetByIdProto;\n } else {\n ++NumGetByIdNotFound;\n }\n#else\n (void)NumGetByIdAccessor;\n (void)NumGetByIdProto;\n (void)NumGetByIdNotFound;\n#endif\n#ifdef HERMES_SLOW_DEBUG\n auto *savedClass = cacheIdx != hbc::PROPERTY_CACHING_DISABLED\n ? cacheEntry->clazz.get(runtime, &runtime->getHeap())\n : nullptr;\n#endif\n ++NumGetByIdSlow;\n CAPTURE_IP_ASSIGN(\n resPH,\n JSObject::getNamed_RJS(\n Handle::vmcast(&O2REG(GetById)),\n runtime,\n id,\n !tryProp ? 
defaultPropOpFlags\n : defaultPropOpFlags.plusMustExist(),\n cacheIdx != hbc::PROPERTY_CACHING_DISABLED ? cacheEntry\n : nullptr));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n#ifdef HERMES_SLOW_DEBUG\n if (cacheIdx != hbc::PROPERTY_CACHING_DISABLED && savedClass &&\n cacheEntry->clazz.get(runtime, &runtime->getHeap()) != savedClass) {\n ++NumGetByIdCacheEvicts;\n }\n#endif\n } else {\n ++NumGetByIdTransient;\n assert(!tryProp && \"TryGetById can only be used on the global object\");\n /* Slow path. */\n CAPTURE_IP_ASSIGN(\n resPH,\n Interpreter::getByIdTransient_RJS(\n runtime, Handle<>(&O2REG(GetById)), ID(idVal)));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n }\n O1REG(GetById) = resPH->get();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(TryPutByIdLong) {\n tryProp = true;\n idVal = ip->iTryPutByIdLong.op4;\n nextIP = NEXTINST(TryPutByIdLong);\n goto putById;\n }\n CASE(PutByIdLong) {\n tryProp = false;\n idVal = ip->iPutByIdLong.op4;\n nextIP = NEXTINST(PutByIdLong);\n goto putById;\n }\n CASE(TryPutById) {\n tryProp = true;\n idVal = ip->iTryPutById.op4;\n nextIP = NEXTINST(TryPutById);\n goto putById;\n }\n CASE(PutById) {\n tryProp = false;\n idVal = ip->iPutById.op4;\n nextIP = NEXTINST(PutById);\n }\n putById : {\n ++NumPutById;\n if (LLVM_LIKELY(O1REG(PutById).isObject())) {\n auto *obj = vmcast(O1REG(PutById));\n auto cacheIdx = ip->iPutById.op3;\n auto *cacheEntry = curCodeBlock->getWriteCacheEntry(cacheIdx);\n\n#ifdef HERMESVM_PROFILER_BB\n {\n HERMES_SLOW_ASSERT(\n gcScope.getHandleCountDbg() == KEEP_HANDLES &&\n \"unaccounted handles were created\");\n auto objHandle = runtime->makeHandle(obj);\n auto cacheHCPtr = vmcast_or_null(static_cast(\n cacheEntry->clazz.get(runtime, &runtime->getHeap())));\n CAPTURE_IP(runtime->recordHiddenClass(\n curCodeBlock, ip, ID(idVal), obj->getClass(runtime), cacheHCPtr));\n // obj may be moved by GC due 
to recordHiddenClass\n obj = objHandle.get();\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n#endif\n auto clazzGCPtr = obj->getClassGCPtr();\n // If we have a cache hit, reuse the cached offset and immediately\n // return the property.\n if (LLVM_LIKELY(cacheEntry->clazz == clazzGCPtr.getStorageType())) {\n ++NumPutByIdCacheHits;\n CAPTURE_IP(JSObject::setNamedSlotValue(\n obj, runtime, cacheEntry->slot, O2REG(PutById)));\n ip = nextIP;\n DISPATCH;\n }\n auto id = ID(idVal);\n NamedPropertyDescriptor desc;\n CAPTURE_IP_ASSIGN(\n OptValue hasOwnProp,\n JSObject::tryGetOwnNamedDescriptorFast(obj, runtime, id, desc));\n if (LLVM_LIKELY(hasOwnProp.hasValue() && hasOwnProp.getValue()) &&\n !desc.flags.accessor && desc.flags.writable &&\n !desc.flags.internalSetter) {\n ++NumPutByIdFastPaths;\n\n // cacheIdx == 0 indicates no caching so don't update the cache in\n // those cases.\n auto *clazz = clazzGCPtr.getNonNull(runtime);\n if (LLVM_LIKELY(!clazz->isDictionary()) &&\n LLVM_LIKELY(cacheIdx != hbc::PROPERTY_CACHING_DISABLED)) {\n#ifdef HERMES_SLOW_DEBUG\n if (cacheEntry->clazz &&\n cacheEntry->clazz != clazzGCPtr.getStorageType())\n ++NumPutByIdCacheEvicts;\n#else\n (void)NumPutByIdCacheEvicts;\n#endif\n // Cache the class and property slot.\n cacheEntry->clazz = clazzGCPtr.getStorageType();\n cacheEntry->slot = desc.slot;\n }\n\n CAPTURE_IP(JSObject::setNamedSlotValue(\n obj, runtime, desc.slot, O2REG(PutById)));\n ip = nextIP;\n DISPATCH;\n }\n\n CAPTURE_IP_ASSIGN(\n auto putRes,\n JSObject::putNamed_RJS(\n Handle::vmcast(&O1REG(PutById)),\n runtime,\n id,\n Handle<>(&O2REG(PutById)),\n !tryProp ? 
defaultPropOpFlags\n : defaultPropOpFlags.plusMustExist()));\n if (LLVM_UNLIKELY(putRes == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n } else {\n ++NumPutByIdTransient;\n assert(!tryProp && \"TryPutById can only be used on the global object\");\n CAPTURE_IP_ASSIGN(\n auto retStatus,\n Interpreter::putByIdTransient_RJS(\n runtime,\n Handle<>(&O1REG(PutById)),\n ID(idVal),\n Handle<>(&O2REG(PutById)),\n strictMode));\n if (retStatus == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(GetByVal) {\n CallResult propRes{ExecutionStatus::EXCEPTION};\n if (LLVM_LIKELY(O2REG(GetByVal).isObject())) {\n CAPTURE_IP_ASSIGN(\n resPH,\n JSObject::getComputed_RJS(\n Handle::vmcast(&O2REG(GetByVal)),\n runtime,\n Handle<>(&O3REG(GetByVal))));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n } else {\n // This is the \"slow path\".\n CAPTURE_IP_ASSIGN(\n resPH,\n Interpreter::getByValTransient_RJS(\n runtime,\n Handle<>(&O2REG(GetByVal)),\n Handle<>(&O3REG(GetByVal))));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(GetByVal) = resPH->get();\n ip = NEXTINST(GetByVal);\n DISPATCH;\n }\n\n CASE(PutByVal) {\n if (LLVM_LIKELY(O1REG(PutByVal).isObject())) {\n CAPTURE_IP_ASSIGN(\n auto putRes,\n JSObject::putComputed_RJS(\n Handle::vmcast(&O1REG(PutByVal)),\n runtime,\n Handle<>(&O2REG(PutByVal)),\n Handle<>(&O3REG(PutByVal)),\n defaultPropOpFlags));\n if (LLVM_UNLIKELY(putRes == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n } else {\n // This is the \"slow path\".\n CAPTURE_IP_ASSIGN(\n auto retStatus,\n Interpreter::putByValTransient_RJS(\n runtime,\n Handle<>(&O1REG(PutByVal)),\n Handle<>(&O2REG(PutByVal)),\n Handle<>(&O3REG(PutByVal)),\n strictMode));\n if (LLVM_UNLIKELY(retStatus == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n }\n 
gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(PutByVal);\n DISPATCH;\n }\n\n CASE(PutOwnByIndexL) {\n nextIP = NEXTINST(PutOwnByIndexL);\n idVal = ip->iPutOwnByIndexL.op3;\n goto putOwnByIndex;\n }\n CASE(PutOwnByIndex) {\n nextIP = NEXTINST(PutOwnByIndex);\n idVal = ip->iPutOwnByIndex.op3;\n }\n putOwnByIndex : {\n tmpHandle = HermesValue::encodeDoubleValue(idVal);\n CAPTURE_IP(JSObject::defineOwnComputedPrimitive(\n Handle::vmcast(&O1REG(PutOwnByIndex)),\n runtime,\n tmpHandle,\n DefinePropertyFlags::getDefaultNewPropertyFlags(),\n Handle<>(&O2REG(PutOwnByIndex))));\n gcScope.flushToSmallCount(KEEP_HANDLES);\n tmpHandle.clear();\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(GetPNameList) {\n CAPTURE_IP_ASSIGN(\n auto pRes, handleGetPNameList(runtime, frameRegs, ip));\n if (LLVM_UNLIKELY(pRes == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(GetPNameList);\n DISPATCH;\n }\n\n CASE(GetNextPName) {\n {\n assert(\n vmisa(O2REG(GetNextPName)) &&\n \"GetNextPName's second op must be BigStorage\");\n auto obj = Handle::vmcast(&O3REG(GetNextPName));\n auto arr = Handle::vmcast(&O2REG(GetNextPName));\n uint32_t idx = O4REG(GetNextPName).getNumber();\n uint32_t size = O5REG(GetNextPName).getNumber();\n MutableHandle propObj{runtime};\n // Loop until we find a property which is present.\n while (idx < size) {\n tmpHandle = arr->at(idx);\n ComputedPropertyDescriptor desc;\n CAPTURE_IP(JSObject::getComputedPrimitiveDescriptor(\n obj, runtime, tmpHandle, propObj, desc));\n if (LLVM_LIKELY(propObj))\n break;\n ++idx;\n }\n if (idx < size) {\n // We must return the property as a string\n if (tmpHandle->isNumber()) {\n CAPTURE_IP_ASSIGN(auto status, toString_RJS(runtime, tmpHandle));\n assert(\n status == ExecutionStatus::RETURNED &&\n \"toString on number cannot fail\");\n tmpHandle = status->getHermesValue();\n }\n O1REG(GetNextPName) = tmpHandle.get();\n O4REG(GetNextPName) = 
HermesValue::encodeNumberValue(idx + 1);\n } else {\n O1REG(GetNextPName) = HermesValue::encodeUndefinedValue();\n }\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n tmpHandle.clear();\n ip = NEXTINST(GetNextPName);\n DISPATCH;\n }\n\n CASE(ToNumber) {\n if (LLVM_LIKELY(O2REG(ToNumber).isNumber())) {\n O1REG(ToNumber) = O2REG(ToNumber);\n ip = NEXTINST(ToNumber);\n } else {\n CAPTURE_IP_ASSIGN(\n res, toNumber_RJS(runtime, Handle<>(&O2REG(ToNumber))));\n if (res == ExecutionStatus::EXCEPTION)\n goto exception;\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(ToNumber) = res.getValue();\n ip = NEXTINST(ToNumber);\n }\n DISPATCH;\n }\n\n CASE(ToInt32) {\n CAPTURE_IP_ASSIGN(res, toInt32_RJS(runtime, Handle<>(&O2REG(ToInt32))));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION))\n goto exception;\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(ToInt32) = res.getValue();\n ip = NEXTINST(ToInt32);\n DISPATCH;\n }\n\n CASE(AddEmptyString) {\n if (LLVM_LIKELY(O2REG(AddEmptyString).isString())) {\n O1REG(AddEmptyString) = O2REG(AddEmptyString);\n ip = NEXTINST(AddEmptyString);\n } else {\n CAPTURE_IP_ASSIGN(\n res,\n toPrimitive_RJS(\n runtime,\n Handle<>(&O2REG(AddEmptyString)),\n PreferredType::NONE));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION))\n goto exception;\n tmpHandle = res.getValue();\n CAPTURE_IP_ASSIGN(auto strRes, toString_RJS(runtime, tmpHandle));\n if (LLVM_UNLIKELY(strRes == ExecutionStatus::EXCEPTION))\n goto exception;\n tmpHandle.clear();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(AddEmptyString) = strRes->getHermesValue();\n ip = NEXTINST(AddEmptyString);\n }\n DISPATCH;\n }\n\n CASE(Jmp) {\n ip = IPADD(ip->iJmp.op1);\n DISPATCH;\n }\n CASE(JmpLong) {\n ip = IPADD(ip->iJmpLong.op1);\n DISPATCH;\n }\n CASE(JmpTrue) {\n if (toBoolean(O2REG(JmpTrue)))\n ip = IPADD(ip->iJmpTrue.op1);\n else\n ip = NEXTINST(JmpTrue);\n DISPATCH;\n }\n CASE(JmpTrueLong) {\n if (toBoolean(O2REG(JmpTrueLong)))\n ip = IPADD(ip->iJmpTrueLong.op1);\n 
else\n ip = NEXTINST(JmpTrueLong);\n DISPATCH;\n }\n CASE(JmpFalse) {\n if (!toBoolean(O2REG(JmpFalse)))\n ip = IPADD(ip->iJmpFalse.op1);\n else\n ip = NEXTINST(JmpFalse);\n DISPATCH;\n }\n CASE(JmpFalseLong) {\n if (!toBoolean(O2REG(JmpFalseLong)))\n ip = IPADD(ip->iJmpFalseLong.op1);\n else\n ip = NEXTINST(JmpFalseLong);\n DISPATCH;\n }\n CASE(JmpUndefined) {\n if (O2REG(JmpUndefined).isUndefined())\n ip = IPADD(ip->iJmpUndefined.op1);\n else\n ip = NEXTINST(JmpUndefined);\n DISPATCH;\n }\n CASE(JmpUndefinedLong) {\n if (O2REG(JmpUndefinedLong).isUndefined())\n ip = IPADD(ip->iJmpUndefinedLong.op1);\n else\n ip = NEXTINST(JmpUndefinedLong);\n DISPATCH;\n }\n CASE(Add) {\n if (LLVM_LIKELY(\n O2REG(Add).isNumber() &&\n O3REG(Add).isNumber())) { /* Fast-path. */\n CASE(AddN) {\n O1REG(Add) = HermesValue::encodeDoubleValue(\n O2REG(Add).getNumber() + O3REG(Add).getNumber());\n ip = NEXTINST(Add);\n DISPATCH;\n }\n }\n CAPTURE_IP_ASSIGN(\n res,\n addOp_RJS(runtime, Handle<>(&O2REG(Add)), Handle<>(&O3REG(Add))));\n if (res == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(Add) = res.getValue();\n ip = NEXTINST(Add);\n DISPATCH;\n }\n\n CASE(BitNot) {\n if (LLVM_LIKELY(O2REG(BitNot).isNumber())) { /* Fast-path. 
*/\n O1REG(BitNot) = HermesValue::encodeDoubleValue(\n ~hermes::truncateToInt32(O2REG(BitNot).getNumber()));\n ip = NEXTINST(BitNot);\n DISPATCH;\n }\n CAPTURE_IP_ASSIGN(res, toInt32_RJS(runtime, Handle<>(&O2REG(BitNot))));\n if (res == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(BitNot) = HermesValue::encodeDoubleValue(\n ~static_cast(res->getNumber()));\n ip = NEXTINST(BitNot);\n DISPATCH;\n }\n\n CASE(GetArgumentsLength) {\n // If the arguments object hasn't been created yet.\n if (O2REG(GetArgumentsLength).isUndefined()) {\n O1REG(GetArgumentsLength) =\n HermesValue::encodeNumberValue(FRAME.getArgCount());\n ip = NEXTINST(GetArgumentsLength);\n DISPATCH;\n }\n // The arguments object has been created, so this is a regular property\n // get.\n assert(\n O2REG(GetArgumentsLength).isObject() &&\n \"arguments lazy register is not an object\");\n CAPTURE_IP_ASSIGN(\n resPH,\n JSObject::getNamed_RJS(\n Handle::vmcast(&O2REG(GetArgumentsLength)),\n runtime,\n Predefined::getSymbolID(Predefined::length)));\n if (resPH == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(GetArgumentsLength) = resPH->get();\n ip = NEXTINST(GetArgumentsLength);\n DISPATCH;\n }\n\n CASE(GetArgumentsPropByVal) {\n // If the arguments object hasn't been created yet and we have a\n // valid integer index, we use the fast path.\n if (O3REG(GetArgumentsPropByVal).isUndefined()) {\n // If this is an integer index.\n if (auto index = toArrayIndexFastPath(O2REG(GetArgumentsPropByVal))) {\n // Is this an existing argument?\n if (*index < FRAME.getArgCount()) {\n O1REG(GetArgumentsPropByVal) = FRAME.getArgRef(*index);\n ip = NEXTINST(GetArgumentsPropByVal);\n DISPATCH;\n }\n }\n }\n // Slow path.\n CAPTURE_IP_ASSIGN(\n auto res,\n getArgumentsPropByValSlowPath_RJS(\n runtime,\n &O3REG(GetArgumentsPropByVal),\n &O2REG(GetArgumentsPropByVal),\n FRAME.getCalleeClosureHandleUnsafe(),\n 
strictMode));\n if (res == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(GetArgumentsPropByVal) = res->getHermesValue();\n ip = NEXTINST(GetArgumentsPropByVal);\n DISPATCH;\n }\n\n CASE(ReifyArguments) {\n // If the arguments object was already created, do nothing.\n if (!O1REG(ReifyArguments).isUndefined()) {\n assert(\n O1REG(ReifyArguments).isObject() &&\n \"arguments lazy register is not an object\");\n ip = NEXTINST(ReifyArguments);\n DISPATCH;\n }\n CAPTURE_IP_ASSIGN(\n resArgs,\n reifyArgumentsSlowPath(\n runtime, FRAME.getCalleeClosureHandleUnsafe(), strictMode));\n if (LLVM_UNLIKELY(resArgs == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(ReifyArguments) = resArgs->getHermesValue();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(ReifyArguments);\n DISPATCH;\n }\n\n CASE(NewObject) {\n // Create a new object using the built-in constructor. Note that the\n // built-in constructor is empty, so we don't actually need to call\n // it.\n CAPTURE_IP_ASSIGN(\n O1REG(NewObject), JSObject::create(runtime).getHermesValue());\n assert(\n gcScope.getHandleCountDbg() == KEEP_HANDLES &&\n \"Should not create handles.\");\n ip = NEXTINST(NewObject);\n DISPATCH;\n }\n CASE(NewObjectWithParent) {\n CAPTURE_IP_ASSIGN(\n O1REG(NewObjectWithParent),\n JSObject::create(\n runtime,\n O2REG(NewObjectWithParent).isObject()\n ? Handle::vmcast(&O2REG(NewObjectWithParent))\n : O2REG(NewObjectWithParent).isNull()\n ? 
Runtime::makeNullHandle()\n : Handle::vmcast(&runtime->objectPrototype))\n .getHermesValue());\n assert(\n gcScope.getHandleCountDbg() == KEEP_HANDLES &&\n \"Should not create handles.\");\n ip = NEXTINST(NewObjectWithParent);\n DISPATCH;\n }\n\n CASE(NewObjectWithBuffer) {\n CAPTURE_IP_ASSIGN(\n resPH,\n Interpreter::createObjectFromBuffer(\n runtime,\n curCodeBlock,\n ip->iNewObjectWithBuffer.op3,\n ip->iNewObjectWithBuffer.op4,\n ip->iNewObjectWithBuffer.op5));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(NewObjectWithBuffer) = resPH->get();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(NewObjectWithBuffer);\n DISPATCH;\n }\n\n CASE(NewObjectWithBufferLong) {\n CAPTURE_IP_ASSIGN(\n resPH,\n Interpreter::createObjectFromBuffer(\n runtime,\n curCodeBlock,\n ip->iNewObjectWithBufferLong.op3,\n ip->iNewObjectWithBufferLong.op4,\n ip->iNewObjectWithBufferLong.op5));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(NewObjectWithBufferLong) = resPH->get();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(NewObjectWithBufferLong);\n DISPATCH;\n }\n\n CASE(NewArray) {\n // Create a new array using the built-in constructor. 
Note that the\n // built-in constructor is empty, so we don't actually need to call\n // it.\n CAPTURE_IP_ASSIGN(\n auto createRes,\n JSArray::create(runtime, ip->iNewArray.op2, ip->iNewArray.op2));\n if (createRes == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n O1REG(NewArray) = createRes->getHermesValue();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(NewArray);\n DISPATCH;\n }\n\n CASE(NewArrayWithBuffer) {\n CAPTURE_IP_ASSIGN(\n resPH,\n Interpreter::createArrayFromBuffer(\n runtime,\n curCodeBlock,\n ip->iNewArrayWithBuffer.op2,\n ip->iNewArrayWithBuffer.op3,\n ip->iNewArrayWithBuffer.op4));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(NewArrayWithBuffer) = resPH->get();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n tmpHandle.clear();\n ip = NEXTINST(NewArrayWithBuffer);\n DISPATCH;\n }\n\n CASE(NewArrayWithBufferLong) {\n CAPTURE_IP_ASSIGN(\n resPH,\n Interpreter::createArrayFromBuffer(\n runtime,\n curCodeBlock,\n ip->iNewArrayWithBufferLong.op2,\n ip->iNewArrayWithBufferLong.op3,\n ip->iNewArrayWithBufferLong.op4));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(NewArrayWithBufferLong) = resPH->get();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n tmpHandle.clear();\n ip = NEXTINST(NewArrayWithBufferLong);\n DISPATCH;\n }\n\n CASE(CreateThis) {\n // Registers: output, prototype, closure.\n if (LLVM_UNLIKELY(!vmisa(O3REG(CreateThis)))) {\n CAPTURE_IP(runtime->raiseTypeError(\"constructor is not callable\"));\n goto exception;\n }\n CAPTURE_IP_ASSIGN(\n auto res,\n Callable::newObject(\n Handle::vmcast(&O3REG(CreateThis)),\n runtime,\n Handle::vmcast(\n O2REG(CreateThis).isObject() ? 
&O2REG(CreateThis)\n : &runtime->objectPrototype)));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(CreateThis) = res->getHermesValue();\n ip = NEXTINST(CreateThis);\n DISPATCH;\n }\n\n CASE(SelectObject) {\n // Registers: output, thisObject, constructorReturnValue.\n O1REG(SelectObject) = O3REG(SelectObject).isObject()\n ? O3REG(SelectObject)\n : O2REG(SelectObject);\n ip = NEXTINST(SelectObject);\n DISPATCH;\n }\n\n CASE(Eq)\n CASE(Neq) {\n CAPTURE_IP_ASSIGN(\n res,\n abstractEqualityTest_RJS(\n runtime, Handle<>(&O2REG(Eq)), Handle<>(&O3REG(Eq))));\n if (res == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(Eq) = ip->opCode == OpCode::Eq\n ? res.getValue()\n : HermesValue::encodeBoolValue(!res->getBool());\n ip = NEXTINST(Eq);\n DISPATCH;\n }\n CASE(StrictEq) {\n O1REG(StrictEq) = HermesValue::encodeBoolValue(\n strictEqualityTest(O2REG(StrictEq), O3REG(StrictEq)));\n ip = NEXTINST(StrictEq);\n DISPATCH;\n }\n CASE(StrictNeq) {\n O1REG(StrictNeq) = HermesValue::encodeBoolValue(\n !strictEqualityTest(O2REG(StrictNeq), O3REG(StrictNeq)));\n ip = NEXTINST(StrictNeq);\n DISPATCH;\n }\n CASE(Not) {\n O1REG(Not) = HermesValue::encodeBoolValue(!toBoolean(O2REG(Not)));\n ip = NEXTINST(Not);\n DISPATCH;\n }\n CASE(Negate) {\n if (LLVM_LIKELY(O2REG(Negate).isNumber())) {\n O1REG(Negate) =\n HermesValue::encodeDoubleValue(-O2REG(Negate).getNumber());\n } else {\n CAPTURE_IP_ASSIGN(\n res, toNumber_RJS(runtime, Handle<>(&O2REG(Negate))));\n if (res == ExecutionStatus::EXCEPTION)\n goto exception;\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(Negate) = HermesValue::encodeDoubleValue(-res->getNumber());\n }\n ip = NEXTINST(Negate);\n DISPATCH;\n }\n CASE(TypeOf) {\n CAPTURE_IP_ASSIGN(\n O1REG(TypeOf), typeOf(runtime, Handle<>(&O2REG(TypeOf))));\n ip = NEXTINST(TypeOf);\n DISPATCH;\n }\n CASE(Mod) {\n // We use fmod here for 
simplicity. Theoretically fmod behaves slightly\n // differently than the ECMAScript Spec. fmod applies round-towards-zero\n // for the remainder when it's not representable by a double; while the\n // spec requires round-to-nearest. As an example, 5 % 0.7 will give\n // 0.10000000000000031 using fmod, but using the rounding style\n // described\n // by the spec, the output should really be 0.10000000000000053.\n // Such difference can be ignored in practice.\n if (LLVM_LIKELY(O2REG(Mod).isNumber() && O3REG(Mod).isNumber())) {\n /* Fast-path. */\n O1REG(Mod) = HermesValue::encodeDoubleValue(\n std::fmod(O2REG(Mod).getNumber(), O3REG(Mod).getNumber()));\n ip = NEXTINST(Mod);\n DISPATCH;\n }\n CAPTURE_IP_ASSIGN(res, toNumber_RJS(runtime, Handle<>(&O2REG(Mod))));\n if (res == ExecutionStatus::EXCEPTION)\n goto exception;\n double left = res->getDouble();\n CAPTURE_IP_ASSIGN(res, toNumber_RJS(runtime, Handle<>(&O3REG(Mod))));\n if (res == ExecutionStatus::EXCEPTION)\n goto exception;\n O1REG(Mod) =\n HermesValue::encodeDoubleValue(std::fmod(left, res->getDouble()));\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(Mod);\n DISPATCH;\n }\n CASE(InstanceOf) {\n CAPTURE_IP_ASSIGN(\n auto result,\n instanceOfOperator_RJS(\n runtime,\n Handle<>(&O2REG(InstanceOf)),\n Handle<>(&O3REG(InstanceOf))));\n if (LLVM_UNLIKELY(result == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(InstanceOf) = HermesValue::encodeBoolValue(*result);\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(InstanceOf);\n DISPATCH;\n }\n CASE(IsIn) {\n {\n if (LLVM_UNLIKELY(!O3REG(IsIn).isObject())) {\n CAPTURE_IP(runtime->raiseTypeError(\n \"right operand of 'in' is not an object\"));\n goto exception;\n }\n CAPTURE_IP_ASSIGN(\n auto cr,\n JSObject::hasComputed(\n Handle::vmcast(&O3REG(IsIn)),\n runtime,\n Handle<>(&O2REG(IsIn))));\n if (cr == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n O1REG(IsIn) = HermesValue::encodeBoolValue(*cr);\n }\n 
gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(IsIn);\n DISPATCH;\n }\n\n CASE(PutNewOwnByIdShort) {\n nextIP = NEXTINST(PutNewOwnByIdShort);\n idVal = ip->iPutNewOwnByIdShort.op3;\n goto putOwnById;\n }\n CASE(PutNewOwnNEByIdLong)\n CASE(PutNewOwnByIdLong) {\n nextIP = NEXTINST(PutNewOwnByIdLong);\n idVal = ip->iPutNewOwnByIdLong.op3;\n goto putOwnById;\n }\n CASE(PutNewOwnNEById)\n CASE(PutNewOwnById) {\n nextIP = NEXTINST(PutNewOwnById);\n idVal = ip->iPutNewOwnById.op3;\n }\n putOwnById : {\n assert(\n O1REG(PutNewOwnById).isObject() &&\n \"Object argument of PutNewOwnById must be an object\");\n CAPTURE_IP_ASSIGN(\n auto res,\n JSObject::defineNewOwnProperty(\n Handle::vmcast(&O1REG(PutNewOwnById)),\n runtime,\n ID(idVal),\n ip->opCode <= OpCode::PutNewOwnByIdLong\n ? PropertyFlags::defaultNewNamedPropertyFlags()\n : PropertyFlags::nonEnumerablePropertyFlags(),\n Handle<>(&O2REG(PutNewOwnById))));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(DelByIdLong) {\n idVal = ip->iDelByIdLong.op3;\n nextIP = NEXTINST(DelByIdLong);\n goto DelById;\n }\n\n CASE(DelById) {\n idVal = ip->iDelById.op3;\n nextIP = NEXTINST(DelById);\n }\n DelById : {\n if (LLVM_LIKELY(O2REG(DelById).isObject())) {\n CAPTURE_IP_ASSIGN(\n auto status,\n JSObject::deleteNamed(\n Handle::vmcast(&O2REG(DelById)),\n runtime,\n ID(idVal),\n defaultPropOpFlags));\n if (LLVM_UNLIKELY(status == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(DelById) = HermesValue::encodeBoolValue(status.getValue());\n } else {\n // This is the \"slow path\".\n CAPTURE_IP_ASSIGN(res, toObject(runtime, Handle<>(&O2REG(DelById))));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n // If an exception is thrown, likely we are trying to convert\n // undefined/null to an object. 
Passing over the name of the property\n // so that we could emit more meaningful error messages.\n CAPTURE_IP(amendPropAccessErrorMsgWithPropName(\n runtime, Handle<>(&O2REG(DelById)), \"delete\", ID(idVal)));\n goto exception;\n }\n tmpHandle = res.getValue();\n CAPTURE_IP_ASSIGN(\n auto status,\n JSObject::deleteNamed(\n Handle::vmcast(tmpHandle),\n runtime,\n ID(idVal),\n defaultPropOpFlags));\n if (LLVM_UNLIKELY(status == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(DelById) = HermesValue::encodeBoolValue(status.getValue());\n tmpHandle.clear();\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(DelByVal) {\n if (LLVM_LIKELY(O2REG(DelByVal).isObject())) {\n CAPTURE_IP_ASSIGN(\n auto status,\n JSObject::deleteComputed(\n Handle::vmcast(&O2REG(DelByVal)),\n runtime,\n Handle<>(&O3REG(DelByVal)),\n defaultPropOpFlags));\n if (LLVM_UNLIKELY(status == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(DelByVal) = HermesValue::encodeBoolValue(status.getValue());\n } else {\n // This is the \"slow path\".\n CAPTURE_IP_ASSIGN(res, toObject(runtime, Handle<>(&O2REG(DelByVal))));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n tmpHandle = res.getValue();\n CAPTURE_IP_ASSIGN(\n auto status,\n JSObject::deleteComputed(\n Handle::vmcast(tmpHandle),\n runtime,\n Handle<>(&O3REG(DelByVal)),\n defaultPropOpFlags));\n if (LLVM_UNLIKELY(status == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(DelByVal) = HermesValue::encodeBoolValue(status.getValue());\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n tmpHandle.clear();\n ip = NEXTINST(DelByVal);\n DISPATCH;\n }\n CASE(CreateRegExp) {\n {\n // Create the RegExp object.\n CAPTURE_IP_ASSIGN(auto re, JSRegExp::create(runtime));\n // Initialize the regexp.\n CAPTURE_IP_ASSIGN(\n auto pattern,\n runtime->makeHandle(curCodeBlock->getRuntimeModule()\n ->getStringPrimFromStringIDMayAllocate(\n ip->iCreateRegExp.op2)));\n 
CAPTURE_IP_ASSIGN(\n auto flags,\n runtime->makeHandle(curCodeBlock->getRuntimeModule()\n ->getStringPrimFromStringIDMayAllocate(\n ip->iCreateRegExp.op3)));\n CAPTURE_IP_ASSIGN(\n auto bytecode,\n curCodeBlock->getRuntimeModule()->getRegExpBytecodeFromRegExpID(\n ip->iCreateRegExp.op4));\n CAPTURE_IP_ASSIGN(\n auto initRes,\n JSRegExp::initialize(re, runtime, pattern, flags, bytecode));\n if (LLVM_UNLIKELY(initRes == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n // Done, return the new object.\n O1REG(CreateRegExp) = re.getHermesValue();\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(CreateRegExp);\n DISPATCH;\n }\n\n CASE(SwitchImm) {\n if (LLVM_LIKELY(O1REG(SwitchImm).isNumber())) {\n double numVal = O1REG(SwitchImm).getNumber();\n uint32_t uintVal = (uint32_t)numVal;\n if (LLVM_LIKELY(numVal == uintVal) && // Only integers.\n LLVM_LIKELY(uintVal >= ip->iSwitchImm.op4) && // Bounds checking.\n LLVM_LIKELY(uintVal <= ip->iSwitchImm.op5)) // Bounds checking.\n {\n // Calculate the offset into the bytecode where the jump table for\n // this SwitchImm starts.\n const uint8_t *tablestart = (const uint8_t *)llvh::alignAddr(\n (const uint8_t *)ip + ip->iSwitchImm.op2, sizeof(uint32_t));\n\n // Read the offset from the table.\n // Must be signed to account for backwards branching.\n const int32_t *loc =\n (const int32_t *)tablestart + uintVal - ip->iSwitchImm.op4;\n\n ip = IPADD(*loc);\n DISPATCH;\n }\n }\n // Wrong type or out of range, jump to default.\n ip = IPADD(ip->iSwitchImm.op3);\n DISPATCH;\n }\n LOAD_CONST(\n LoadConstUInt8,\n HermesValue::encodeDoubleValue(ip->iLoadConstUInt8.op2));\n LOAD_CONST(\n LoadConstInt, HermesValue::encodeDoubleValue(ip->iLoadConstInt.op2));\n LOAD_CONST(\n LoadConstDouble,\n HermesValue::encodeDoubleValue(ip->iLoadConstDouble.op2));\n LOAD_CONST_CAPTURE_IP(\n LoadConstString,\n HermesValue::encodeStringValue(\n curCodeBlock->getRuntimeModule()\n ->getStringPrimFromStringIDMayAllocate(\n 
ip->iLoadConstString.op2)));\n LOAD_CONST_CAPTURE_IP(\n LoadConstStringLongIndex,\n HermesValue::encodeStringValue(\n curCodeBlock->getRuntimeModule()\n ->getStringPrimFromStringIDMayAllocate(\n ip->iLoadConstStringLongIndex.op2)));\n LOAD_CONST(LoadConstUndefined, HermesValue::encodeUndefinedValue());\n LOAD_CONST(LoadConstNull, HermesValue::encodeNullValue());\n LOAD_CONST(LoadConstTrue, HermesValue::encodeBoolValue(true));\n LOAD_CONST(LoadConstFalse, HermesValue::encodeBoolValue(false));\n LOAD_CONST(LoadConstZero, HermesValue::encodeDoubleValue(0));\n BINOP(Sub, doSub);\n BINOP(Mul, doMult);\n BINOP(Div, doDiv);\n BITWISEBINOP(BitAnd, &);\n BITWISEBINOP(BitOr, |);\n BITWISEBINOP(BitXor, ^);\n // For LShift, we need to use toUInt32 first because lshift on negative\n // numbers is undefined behavior in theory.\n SHIFTOP(LShift, <<, toUInt32_RJS, uint32_t, int32_t);\n SHIFTOP(RShift, >>, toInt32_RJS, int32_t, int32_t);\n SHIFTOP(URshift, >>, toUInt32_RJS, uint32_t, uint32_t);\n CONDOP(Less, <, lessOp_RJS);\n CONDOP(LessEq, <=, lessEqualOp_RJS);\n CONDOP(Greater, >, greaterOp_RJS);\n CONDOP(GreaterEq, >=, greaterEqualOp_RJS);\n JCOND(Less, <, lessOp_RJS);\n JCOND(LessEqual, <=, lessEqualOp_RJS);\n JCOND(Greater, >, greaterOp_RJS);\n JCOND(GreaterEqual, >=, greaterEqualOp_RJS);\n\n JCOND_STRICT_EQ_IMPL(\n JStrictEqual, , IPADD(ip->iJStrictEqual.op1), NEXTINST(JStrictEqual));\n JCOND_STRICT_EQ_IMPL(\n JStrictEqual,\n Long,\n IPADD(ip->iJStrictEqualLong.op1),\n NEXTINST(JStrictEqualLong));\n JCOND_STRICT_EQ_IMPL(\n JStrictNotEqual,\n ,\n NEXTINST(JStrictNotEqual),\n IPADD(ip->iJStrictNotEqual.op1));\n JCOND_STRICT_EQ_IMPL(\n JStrictNotEqual,\n Long,\n NEXTINST(JStrictNotEqualLong),\n IPADD(ip->iJStrictNotEqualLong.op1));\n\n JCOND_EQ_IMPL(JEqual, , IPADD(ip->iJEqual.op1), NEXTINST(JEqual));\n JCOND_EQ_IMPL(\n JEqual, Long, IPADD(ip->iJEqualLong.op1), NEXTINST(JEqualLong));\n JCOND_EQ_IMPL(\n JNotEqual, , NEXTINST(JNotEqual), IPADD(ip->iJNotEqual.op1));\n 
JCOND_EQ_IMPL(\n JNotEqual,\n Long,\n NEXTINST(JNotEqualLong),\n IPADD(ip->iJNotEqualLong.op1));\n\n CASE_OUTOFLINE(PutOwnByVal);\n CASE_OUTOFLINE(PutOwnGetterSetterByVal);\n CASE_OUTOFLINE(DirectEval);\n\n CASE_OUTOFLINE(IteratorBegin);\n CASE_OUTOFLINE(IteratorNext);\n CASE(IteratorClose) {\n if (LLVM_UNLIKELY(O1REG(IteratorClose).isObject())) {\n // The iterator must be closed if it's still an object.\n // That means it was never an index and is not done iterating (a state\n // which is indicated by `undefined`).\n CAPTURE_IP_ASSIGN(\n auto res,\n iteratorClose(\n runtime,\n Handle::vmcast(&O1REG(IteratorClose)),\n Runtime::getEmptyValue()));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n if (ip->iIteratorClose.op2 &&\n !isUncatchableError(runtime->thrownValue_)) {\n // Ignore inner exception.\n runtime->clearThrownValue();\n } else {\n goto exception;\n }\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n }\n ip = NEXTINST(IteratorClose);\n DISPATCH;\n }\n\n CASE(_last) {\n llvm_unreachable(\"Invalid opcode _last\");\n }\n }\n\n llvm_unreachable(\"unreachable\");\n\n // We arrive here if we couldn't allocate the registers for the current frame.\n stackOverflow:\n CAPTURE_IP(runtime->raiseStackOverflow(\n Runtime::StackOverflowKind::JSRegisterStack));\n\n // We arrive here when we raised an exception in a callee, but we don't want\n // the callee to be able to handle it.\n handleExceptionInParent:\n // Restore the caller code block and IP.\n curCodeBlock = FRAME.getSavedCodeBlock();\n ip = FRAME.getSavedIP();\n\n // Pop to the previous frame where technically the error happened.\n frameRegs =\n &runtime->restoreStackAndPreviousFrame(FRAME).getFirstLocalRef();\n\n // If we are coming from native code, return.\n if (!curCodeBlock)\n return ExecutionStatus::EXCEPTION;\n\n// Return because of recursive calling structure\n#ifdef HERMESVM_PROFILER_EXTERN\n return ExecutionStatus::EXCEPTION;\n#endif\n // Handle the exception.\n exception:\n 
UPDATE_OPCODE_TIME_SPENT;\n assert(\n !runtime->thrownValue_.isEmpty() &&\n \"thrownValue unavailable at exception\");\n\n bool catchable = true;\n // If this is an Error object that was thrown internally, it didn't have\n // access to the current codeblock and IP, so collect the stack trace here.\n if (auto *jsError = dyn_vmcast(runtime->thrownValue_)) {\n catchable = jsError->catchable();\n if (!jsError->getStackTrace()) {\n // Temporarily clear the thrown value for following operations.\n CAPTURE_IP_ASSIGN(\n auto errorHandle,\n runtime->makeHandle(vmcast(runtime->thrownValue_)));\n runtime->clearThrownValue();\n\n CAPTURE_IP(JSError::recordStackTrace(\n errorHandle, runtime, false, curCodeBlock, ip));\n\n // Restore the thrown value.\n runtime->setThrownValue(errorHandle.getHermesValue());\n }\n }\n\n gcScope.flushToSmallCount(KEEP_HANDLES);\n tmpHandle.clear();\n\n#ifdef HERMES_ENABLE_DEBUGGER\n if (SingleStep) {\n // If we're single stepping, don't bother with any more checks,\n // and simply signal that we should continue execution with an exception.\n state.codeBlock = curCodeBlock;\n state.offset = CUROFFSET;\n return ExecutionStatus::EXCEPTION;\n }\n\n using PauseOnThrowMode = facebook::hermes::debugger::PauseOnThrowMode;\n auto mode = runtime->debugger_.getPauseOnThrowMode();\n if (mode != PauseOnThrowMode::None) {\n if (!runtime->debugger_.isDebugging()) {\n // Determine whether the PauseOnThrowMode requires us to stop here.\n bool caught =\n runtime->debugger_\n .findCatchTarget(InterpreterState(curCodeBlock, CUROFFSET))\n .hasValue();\n bool shouldStop = mode == PauseOnThrowMode::All ||\n (mode == PauseOnThrowMode::Uncaught && !caught);\n if (shouldStop) {\n // When runDebugger is invoked after an exception,\n // stepping should never happen internally.\n // Any step is a step to an exception handler, which we do\n // directly here in the interpreter.\n // Thus, the result state should be the same as the input state.\n InterpreterState 
tmpState{curCodeBlock, (uint32_t)CUROFFSET};\n CAPTURE_IP_ASSIGN(\n ExecutionStatus resultStatus,\n runtime->debugger_.runDebugger(\n Debugger::RunReason::Exception, tmpState));\n (void)resultStatus;\n assert(\n tmpState == InterpreterState(curCodeBlock, CUROFFSET) &&\n \"not allowed to step internally in a pauseOnThrow\");\n gcScope.flushToSmallCount(KEEP_HANDLES);\n }\n }\n }\n#endif\n\n int32_t handlerOffset = 0;\n\n // If the exception is not catchable, skip found catch blocks.\n while (((handlerOffset = curCodeBlock->findCatchTargetOffset(CUROFFSET)) ==\n -1) ||\n !catchable) {\n PROFILER_EXIT_FUNCTION(curCodeBlock);\n\n#ifdef HERMES_ENABLE_ALLOCATION_LOCATION_TRACES\n runtime->popCallStack();\n#endif\n\n // Restore the code block and IP.\n curCodeBlock = FRAME.getSavedCodeBlock();\n ip = FRAME.getSavedIP();\n\n // Pop a stack frame.\n frameRegs =\n &runtime->restoreStackAndPreviousFrame(FRAME).getFirstLocalRef();\n\n SLOW_DEBUG(\n dbgs() << \"function exit with exception: restored stackLevel=\"\n << runtime->getStackLevel() << \"\\n\");\n\n // Are we returning to native code?\n if (!curCodeBlock) {\n SLOW_DEBUG(\n dbgs()\n << \"function exit with exception: returning to native code\\n\");\n return ExecutionStatus::EXCEPTION;\n }\n\n assert(\n isCallType(ip->opCode) &&\n \"return address is not Call-type instruction\");\n\n// Return because of recursive calling structure\n#ifdef HERMESVM_PROFILER_EXTERN\n return ExecutionStatus::EXCEPTION;\n#endif\n }\n\n INIT_STATE_FOR_CODEBLOCK(curCodeBlock);\n\n ip = IPADD(handlerOffset - CUROFFSET);\n }\n}", "project": "hermes", "hash": 239731606711042238751809560389055742004, "size": 2753, "commit_id": "b2021df620824627f5a8c96615edbd1eb7fdddfc", "message": "Fix CVE-2020-1914 by using NEXTINST for SaveGeneratorLong\n\nSummary:\nIf `SaveGeneratorLong` was emitted, it would accidentally jump to the\nwrong next instruction, based on how long SaveGenerator was.\n\nMake a callout function to handle the common case, and handle 
the dispatch\nwithin each case of the interpreter loop.\n\nFixes CVE-2020-1914\n\nReviewed By: neildhar\n\nDifferential Revision: D24024242\n\nfbshipit-source-id: 3bcb88daa740f0d50e91771a49eb212551ce8bd8", "target": 1, "dataset": "other", "idx": 199924 }, { "func": "CallResult Interpreter::interpretFunction(\n Runtime *runtime,\n InterpreterState &state) {\n // The interepter is re-entrant and also saves/restores its IP via the runtime\n // whenever a call out is made (see the CAPTURE_IP_* macros). As such, failure\n // to preserve the IP across calls to interpeterFunction() disrupt interpreter\n // calls further up the C++ callstack. The RAII utility class below makes sure\n // we always do this correctly.\n //\n // TODO: The IPs stored in the C++ callstack via this holder will generally be\n // the same as in the JS stack frames via the Saved IP field. We can probably\n // get rid of one of these redundant stores. Doing this isn't completely\n // trivial as there are currently cases where we re-enter the interpreter\n // without calling Runtime::saveCallerIPInStackFrame(), and there are features\n // (I think mostly the debugger + stack traces) which implicitly rely on\n // this behavior. 
At least their tests break if this behavior is not\n // preserved.\n struct IPSaver {\n IPSaver(Runtime *runtime)\n : ip_(runtime->getCurrentIP()), runtime_(runtime) {}\n\n ~IPSaver() {\n runtime_->setCurrentIP(ip_);\n }\n\n private:\n const Inst *ip_;\n Runtime *runtime_;\n };\n IPSaver ipSaver(runtime);\n\n#ifndef HERMES_ENABLE_DEBUGGER\n static_assert(!SingleStep, \"can't use single-step mode without the debugger\");\n#endif\n // Make sure that the cache can use an optimization by avoiding a branch to\n // access the property storage.\n static_assert(\n HiddenClass::kDictionaryThreshold <=\n SegmentedArray::kValueToSegmentThreshold,\n \"Cannot avoid branches in cache check if the dictionary \"\n \"crossover point is larger than the inline storage\");\n\n CodeBlock *curCodeBlock = state.codeBlock;\n const Inst *ip = nullptr;\n // Holds runtime->currentFrame_.ptr()-1 which is the first local\n // register. This eliminates the indirect load from Runtime and the -1 offset.\n PinnedHermesValue *frameRegs;\n // Strictness of current function.\n bool strictMode;\n // Default flags when accessing properties.\n PropOpFlags defaultPropOpFlags;\n\n// These CAPTURE_IP* macros should wrap around any major calls out of the\n// interpeter loop. They stash and retrieve the IP via the current Runtime\n// allowing the IP to be externally observed and even altered to change the flow\n// of execution. Explicitly saving AND restoring the IP from the Runtime in this\n// way means the C++ compiler will keep IP in a register within the rest of the\n// interpeter loop.\n//\n// When assertions are enabled we take the extra step of \"invalidating\" the IP\n// between captures so we can detect if it's erroneously accessed.\n//\n// In some cases we explicitly don't want to invalidate the IP and instead want\n// it to stay set. For this we use the *NO_INVALIDATE variants. 
This comes up\n// when we're performing a call operation which may re-enter the interpeter\n// loop, and so need the IP available for the saveCallerIPInStackFrame() call\n// when we next enter.\n#define CAPTURE_IP_ASSIGN_NO_INVALIDATE(dst, expr) \\\n runtime->setCurrentIP(ip); \\\n dst = expr; \\\n ip = runtime->getCurrentIP();\n\n#ifdef NDEBUG\n\n#define CAPTURE_IP(expr) \\\n runtime->setCurrentIP(ip); \\\n (void)expr; \\\n ip = runtime->getCurrentIP();\n\n#define CAPTURE_IP_ASSIGN(dst, expr) CAPTURE_IP_ASSIGN_NO_INVALIDATE(dst, expr)\n\n#else // !NDEBUG\n\n#define CAPTURE_IP(expr) \\\n runtime->setCurrentIP(ip); \\\n (void)expr; \\\n ip = runtime->getCurrentIP(); \\\n runtime->invalidateCurrentIP();\n\n#define CAPTURE_IP_ASSIGN(dst, expr) \\\n runtime->setCurrentIP(ip); \\\n dst = expr; \\\n ip = runtime->getCurrentIP(); \\\n runtime->invalidateCurrentIP();\n\n#endif // NDEBUG\n\n/// \\def DONT_CAPTURE_IP(expr)\n/// \\param expr A call expression to a function external to the interpreter. 
The\n/// expression should not make any allocations and the IP should be set\n/// immediately following this macro.\n#define DONT_CAPTURE_IP(expr) \\\n do { \\\n NoAllocScope noAlloc(runtime); \\\n (void)expr; \\\n } while (false)\n\n LLVM_DEBUG(dbgs() << \"interpretFunction() called\\n\");\n\n ScopedNativeDepthTracker depthTracker{runtime};\n if (LLVM_UNLIKELY(depthTracker.overflowed())) {\n return runtime->raiseStackOverflow(Runtime::StackOverflowKind::NativeStack);\n }\n\n if (!SingleStep) {\n if (auto jitPtr = runtime->jitContext_.compile(runtime, curCodeBlock)) {\n return (*jitPtr)(runtime);\n }\n }\n\n GCScope gcScope(runtime);\n // Avoid allocating a handle dynamically by reusing this one.\n MutableHandle<> tmpHandle(runtime);\n CallResult res{ExecutionStatus::EXCEPTION};\n CallResult> resPH{ExecutionStatus::EXCEPTION};\n CallResult> resArgs{ExecutionStatus::EXCEPTION};\n CallResult boolRes{ExecutionStatus::EXCEPTION};\n\n // Mark the gcScope so we can clear all allocated handles.\n // Remember how many handles the scope has so we can clear them in the loop.\n static constexpr unsigned KEEP_HANDLES = 1;\n assert(\n gcScope.getHandleCountDbg() == KEEP_HANDLES &&\n \"scope has unexpected number of handles\");\n\n INIT_OPCODE_PROFILER;\n\n#if !defined(HERMESVM_PROFILER_EXTERN)\ntailCall:\n#endif\n PROFILER_ENTER_FUNCTION(curCodeBlock);\n\n#ifdef HERMES_ENABLE_DEBUGGER\n runtime->getDebugger().willEnterCodeBlock(curCodeBlock);\n#endif\n\n runtime->getCodeCoverageProfiler().markExecuted(runtime, curCodeBlock);\n\n // Update function executionCount_ count\n curCodeBlock->incrementExecutionCount();\n\n if (!SingleStep) {\n auto newFrame = runtime->setCurrentFrameToTopOfStack();\n runtime->saveCallerIPInStackFrame();\n#ifndef NDEBUG\n runtime->invalidateCurrentIP();\n#endif\n\n // Point frameRegs to the first register in the new frame. 
Note that at this\n // moment technically it points above the top of the stack, but we are never\n // going to access it.\n frameRegs = &newFrame.getFirstLocalRef();\n\n#ifndef NDEBUG\n LLVM_DEBUG(\n dbgs() << \"function entry: stackLevel=\" << runtime->getStackLevel()\n << \", argCount=\" << runtime->getCurrentFrame().getArgCount()\n << \", frameSize=\" << curCodeBlock->getFrameSize() << \"\\n\");\n\n LLVM_DEBUG(\n dbgs() << \" callee \"\n << DumpHermesValue(\n runtime->getCurrentFrame().getCalleeClosureOrCBRef())\n << \"\\n\");\n LLVM_DEBUG(\n dbgs() << \" this \"\n << DumpHermesValue(runtime->getCurrentFrame().getThisArgRef())\n << \"\\n\");\n for (uint32_t i = 0; i != runtime->getCurrentFrame()->getArgCount(); ++i) {\n LLVM_DEBUG(\n dbgs() << \" \" << llvh::format_decimal(i, 4) << \" \"\n << DumpHermesValue(runtime->getCurrentFrame().getArgRef(i))\n << \"\\n\");\n }\n#endif\n\n // Allocate the registers for the new frame.\n if (LLVM_UNLIKELY(!runtime->checkAndAllocStack(\n curCodeBlock->getFrameSize() +\n StackFrameLayout::CalleeExtraRegistersAtStart,\n HermesValue::encodeUndefinedValue())))\n goto stackOverflow;\n\n ip = (Inst const *)curCodeBlock->begin();\n\n // Check for invalid invocation.\n if (LLVM_UNLIKELY(curCodeBlock->getHeaderFlags().isCallProhibited(\n newFrame.isConstructorCall()))) {\n if (!newFrame.isConstructorCall()) {\n CAPTURE_IP(\n runtime->raiseTypeError(\"Class constructor invoked without new\"));\n } else {\n CAPTURE_IP(runtime->raiseTypeError(\"Function is not a constructor\"));\n }\n goto handleExceptionInParent;\n }\n } else {\n // Point frameRegs to the first register in the frame.\n frameRegs = &runtime->getCurrentFrame().getFirstLocalRef();\n ip = (Inst const *)(curCodeBlock->begin() + state.offset);\n }\n\n assert((const uint8_t *)ip < curCodeBlock->end() && \"CodeBlock is empty\");\n\n INIT_STATE_FOR_CODEBLOCK(curCodeBlock);\n\n#define BEFORE_OP_CODE \\\n { \\\n UPDATE_OPCODE_TIME_SPENT; \\\n HERMES_SLOW_ASSERT( \\\n 
curCodeBlock->contains(ip) && \"curCodeBlock must contain ip\"); \\\n HERMES_SLOW_ASSERT((printDebugInfo(curCodeBlock, frameRegs, ip), true)); \\\n HERMES_SLOW_ASSERT( \\\n gcScope.getHandleCountDbg() == KEEP_HANDLES && \\\n \"unaccounted handles were created\"); \\\n HERMES_SLOW_ASSERT(tmpHandle->isUndefined() && \"tmpHandle not cleared\"); \\\n RECORD_OPCODE_START_TIME; \\\n INC_OPCODE_COUNT; \\\n }\n\n#ifdef HERMESVM_INDIRECT_THREADING\n static void *opcodeDispatch[] = {\n#define DEFINE_OPCODE(name) &&case_##name,\n#include \"hermes/BCGen/HBC/BytecodeList.def\"\n &&case__last};\n\n#define CASE(name) case_##name:\n#define DISPATCH \\\n BEFORE_OP_CODE; \\\n if (SingleStep) { \\\n state.codeBlock = curCodeBlock; \\\n state.offset = CUROFFSET; \\\n return HermesValue::encodeUndefinedValue(); \\\n } \\\n goto *opcodeDispatch[(unsigned)ip->opCode]\n\n#else // HERMESVM_INDIRECT_THREADING\n\n#define CASE(name) case OpCode::name:\n#define DISPATCH \\\n if (SingleStep) { \\\n state.codeBlock = curCodeBlock; \\\n state.offset = CUROFFSET; \\\n return HermesValue::encodeUndefinedValue(); \\\n } \\\n continue\n\n#endif // HERMESVM_INDIRECT_THREADING\n\n#define RUN_DEBUGGER_ASYNC_BREAK(flags) \\\n do { \\\n CAPTURE_IP_ASSIGN( \\\n auto dRes, \\\n runDebuggerUpdatingState( \\\n (uint8_t)(flags) & \\\n (uint8_t)Runtime::AsyncBreakReasonBits::DebuggerExplicit \\\n ? Debugger::RunReason::AsyncBreakExplicit \\\n : Debugger::RunReason::AsyncBreakImplicit, \\\n runtime, \\\n curCodeBlock, \\\n ip, \\\n frameRegs)); \\\n if (dRes == ExecutionStatus::EXCEPTION) \\\n goto exception; \\\n } while (0)\n\n for (;;) {\n BEFORE_OP_CODE;\n\n#ifdef HERMESVM_INDIRECT_THREADING\n goto *opcodeDispatch[(unsigned)ip->opCode];\n#else\n switch (ip->opCode)\n#endif\n {\n const Inst *nextIP;\n uint32_t idVal;\n bool tryProp;\n uint32_t callArgCount;\n // This is HermesValue::getRaw(), since HermesValue cannot be assigned\n // to. 
It is meant to be used only for very short durations, in the\n // dispatch of call instructions, when there is definitely no possibility\n // of a GC.\n HermesValue::RawType callNewTarget;\n\n/// Handle an opcode \\p name with an out-of-line implementation in a function\n/// ExecutionStatus caseName(\n/// Runtime *,\n/// PinnedHermesValue *frameRegs,\n/// Inst *ip)\n#define CASE_OUTOFLINE(name) \\\n CASE(name) { \\\n CAPTURE_IP_ASSIGN(auto res, case##name(runtime, frameRegs, ip)); \\\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) { \\\n goto exception; \\\n } \\\n gcScope.flushToSmallCount(KEEP_HANDLES); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n }\n\n/// Implement a binary arithmetic instruction with a fast path where both\n/// operands are numbers.\n/// \\param name the name of the instruction. The fast path case will have a\n/// \"n\" appended to the name.\n/// \\param oper the C++ operator to use to actually perform the arithmetic\n/// operation.\n#define BINOP(name, oper) \\\n CASE(name) { \\\n if (LLVM_LIKELY(O2REG(name).isNumber() && O3REG(name).isNumber())) { \\\n /* Fast-path. 
*/ \\\n CASE(name##N) { \\\n O1REG(name) = HermesValue::encodeDoubleValue( \\\n oper(O2REG(name).getNumber(), O3REG(name).getNumber())); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n } \\\n } \\\n CAPTURE_IP_ASSIGN(res, toNumber_RJS(runtime, Handle<>(&O2REG(name)))); \\\n if (res == ExecutionStatus::EXCEPTION) \\\n goto exception; \\\n double left = res->getDouble(); \\\n CAPTURE_IP_ASSIGN(res, toNumber_RJS(runtime, Handle<>(&O3REG(name)))); \\\n if (res == ExecutionStatus::EXCEPTION) \\\n goto exception; \\\n O1REG(name) = \\\n HermesValue::encodeDoubleValue(oper(left, res->getDouble())); \\\n gcScope.flushToSmallCount(KEEP_HANDLES); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n }\n\n/// Implement a shift instruction with a fast path where both\n/// operands are numbers.\n/// \\param name the name of the instruction.\n/// \\param oper the C++ operator to use to actually perform the shift\n/// operation.\n/// \\param lConv the conversion function for the LHS of the expression.\n/// \\param lType the type of the LHS operand.\n/// \\param returnType the type of the return value.\n#define SHIFTOP(name, oper, lConv, lType, returnType) \\\n CASE(name) { \\\n if (LLVM_LIKELY( \\\n O2REG(name).isNumber() && \\\n O3REG(name).isNumber())) { /* Fast-path. 
*/ \\\n auto lnum = static_cast( \\\n hermes::truncateToInt32(O2REG(name).getNumber())); \\\n auto rnum = static_cast( \\\n hermes::truncateToInt32(O3REG(name).getNumber())) & \\\n 0x1f; \\\n O1REG(name) = HermesValue::encodeDoubleValue( \\\n static_cast(lnum oper rnum)); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n } \\\n CAPTURE_IP_ASSIGN(res, lConv(runtime, Handle<>(&O2REG(name)))); \\\n if (res == ExecutionStatus::EXCEPTION) { \\\n goto exception; \\\n } \\\n auto lnum = static_cast(res->getNumber()); \\\n CAPTURE_IP_ASSIGN(res, toUInt32_RJS(runtime, Handle<>(&O3REG(name)))); \\\n if (res == ExecutionStatus::EXCEPTION) { \\\n goto exception; \\\n } \\\n auto rnum = static_cast(res->getNumber()) & 0x1f; \\\n gcScope.flushToSmallCount(KEEP_HANDLES); \\\n O1REG(name) = HermesValue::encodeDoubleValue( \\\n static_cast(lnum oper rnum)); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n }\n\n/// Implement a binary bitwise instruction with a fast path where both\n/// operands are numbers.\n/// \\param name the name of the instruction.\n/// \\param oper the C++ operator to use to actually perform the bitwise\n/// operation.\n#define BITWISEBINOP(name, oper) \\\n CASE(name) { \\\n if (LLVM_LIKELY(O2REG(name).isNumber() && O3REG(name).isNumber())) { \\\n /* Fast-path. 
*/ \\\n O1REG(name) = HermesValue::encodeDoubleValue( \\\n hermes::truncateToInt32(O2REG(name).getNumber()) \\\n oper hermes::truncateToInt32(O3REG(name).getNumber())); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n } \\\n CAPTURE_IP_ASSIGN(res, toInt32_RJS(runtime, Handle<>(&O2REG(name)))); \\\n if (res == ExecutionStatus::EXCEPTION) { \\\n goto exception; \\\n } \\\n int32_t left = res->getNumberAs(); \\\n CAPTURE_IP_ASSIGN(res, toInt32_RJS(runtime, Handle<>(&O3REG(name)))); \\\n if (res == ExecutionStatus::EXCEPTION) { \\\n goto exception; \\\n } \\\n O1REG(name) = \\\n HermesValue::encodeNumberValue(left oper res->getNumberAs()); \\\n gcScope.flushToSmallCount(KEEP_HANDLES); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n }\n\n/// Implement a comparison instruction.\n/// \\param name the name of the instruction.\n/// \\param oper the C++ operator to use to actually perform the fast arithmetic\n/// comparison.\n/// \\param operFuncName function to call for the slow-path comparison.\n#define CONDOP(name, oper, operFuncName) \\\n CASE(name) { \\\n if (LLVM_LIKELY(O2REG(name).isNumber() && O3REG(name).isNumber())) { \\\n /* Fast-path. */ \\\n O1REG(name) = HermesValue::encodeBoolValue( \\\n O2REG(name).getNumber() oper O3REG(name).getNumber()); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n } \\\n CAPTURE_IP_ASSIGN( \\\n boolRes, \\\n operFuncName( \\\n runtime, Handle<>(&O2REG(name)), Handle<>(&O3REG(name)))); \\\n if (boolRes == ExecutionStatus::EXCEPTION) \\\n goto exception; \\\n gcScope.flushToSmallCount(KEEP_HANDLES); \\\n O1REG(name) = HermesValue::encodeBoolValue(boolRes.getValue()); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n }\n\n/// Implement a comparison conditional jump with a fast path where both\n/// operands are numbers.\n/// \\param name the name of the instruction. The fast path case will have a\n/// \"N\" appended to the name.\n/// \\param suffix Optional suffix to be added to the end (e.g. 
Long)\n/// \\param oper the C++ operator to use to actually perform the fast arithmetic\n/// comparison.\n/// \\param operFuncName function to call for the slow-path comparison.\n/// \\param trueDest ip value if the conditional evaluates to true\n/// \\param falseDest ip value if the conditional evaluates to false\n#define JCOND_IMPL(name, suffix, oper, operFuncName, trueDest, falseDest) \\\n CASE(name##suffix) { \\\n if (LLVM_LIKELY( \\\n O2REG(name##suffix).isNumber() && \\\n O3REG(name##suffix).isNumber())) { \\\n /* Fast-path. */ \\\n CASE(name##N##suffix) { \\\n if (O2REG(name##N##suffix) \\\n .getNumber() oper O3REG(name##N##suffix) \\\n .getNumber()) { \\\n ip = trueDest; \\\n DISPATCH; \\\n } \\\n ip = falseDest; \\\n DISPATCH; \\\n } \\\n } \\\n CAPTURE_IP_ASSIGN( \\\n boolRes, \\\n operFuncName( \\\n runtime, \\\n Handle<>(&O2REG(name##suffix)), \\\n Handle<>(&O3REG(name##suffix)))); \\\n if (boolRes == ExecutionStatus::EXCEPTION) \\\n goto exception; \\\n gcScope.flushToSmallCount(KEEP_HANDLES); \\\n if (boolRes.getValue()) { \\\n ip = trueDest; \\\n DISPATCH; \\\n } \\\n ip = falseDest; \\\n DISPATCH; \\\n }\n\n/// Implement a strict equality conditional jump\n/// \\param name the name of the instruction.\n/// \\param suffix Optional suffix to be added to the end (e.g. Long)\n/// \\param trueDest ip value if the conditional evaluates to true\n/// \\param falseDest ip value if the conditional evaluates to false\n#define JCOND_STRICT_EQ_IMPL(name, suffix, trueDest, falseDest) \\\n CASE(name##suffix) { \\\n if (strictEqualityTest(O2REG(name##suffix), O3REG(name##suffix))) { \\\n ip = trueDest; \\\n DISPATCH; \\\n } \\\n ip = falseDest; \\\n DISPATCH; \\\n }\n\n/// Implement an equality conditional jump\n/// \\param name the name of the instruction.\n/// \\param suffix Optional suffix to be added to the end (e.g. 
Long)\n/// \\param trueDest ip value if the conditional evaluates to true\n/// \\param falseDest ip value if the conditional evaluates to false\n#define JCOND_EQ_IMPL(name, suffix, trueDest, falseDest) \\\n CASE(name##suffix) { \\\n CAPTURE_IP_ASSIGN( \\\n res, \\\n abstractEqualityTest_RJS( \\\n runtime, \\\n Handle<>(&O2REG(name##suffix)), \\\n Handle<>(&O3REG(name##suffix)))); \\\n if (res == ExecutionStatus::EXCEPTION) { \\\n goto exception; \\\n } \\\n gcScope.flushToSmallCount(KEEP_HANDLES); \\\n if (res->getBool()) { \\\n ip = trueDest; \\\n DISPATCH; \\\n } \\\n ip = falseDest; \\\n DISPATCH; \\\n }\n\n/// Implement the long and short forms of a conditional jump, and its negation.\n#define JCOND(name, oper, operFuncName) \\\n JCOND_IMPL( \\\n J##name, \\\n , \\\n oper, \\\n operFuncName, \\\n IPADD(ip->iJ##name.op1), \\\n NEXTINST(J##name)); \\\n JCOND_IMPL( \\\n J##name, \\\n Long, \\\n oper, \\\n operFuncName, \\\n IPADD(ip->iJ##name##Long.op1), \\\n NEXTINST(J##name##Long)); \\\n JCOND_IMPL( \\\n JNot##name, \\\n , \\\n oper, \\\n operFuncName, \\\n NEXTINST(JNot##name), \\\n IPADD(ip->iJNot##name.op1)); \\\n JCOND_IMPL( \\\n JNot##name, \\\n Long, \\\n oper, \\\n operFuncName, \\\n NEXTINST(JNot##name##Long), \\\n IPADD(ip->iJNot##name##Long.op1));\n\n/// Load a constant.\n/// \\param value is the value to store in the output register.\n#define LOAD_CONST(name, value) \\\n CASE(name) { \\\n O1REG(name) = value; \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n }\n\n#define LOAD_CONST_CAPTURE_IP(name, value) \\\n CASE(name) { \\\n CAPTURE_IP_ASSIGN(O1REG(name), value); \\\n ip = NEXTINST(name); \\\n DISPATCH; \\\n }\n\n CASE(Mov) {\n O1REG(Mov) = O2REG(Mov);\n ip = NEXTINST(Mov);\n DISPATCH;\n }\n\n CASE(MovLong) {\n O1REG(MovLong) = O2REG(MovLong);\n ip = NEXTINST(MovLong);\n DISPATCH;\n }\n\n CASE(LoadParam) {\n if (LLVM_LIKELY(ip->iLoadParam.op2 <= FRAME.getArgCount())) {\n // index 0 must load 'this'. 
Index 1 the first argument, etc.\n O1REG(LoadParam) = FRAME.getArgRef((int32_t)ip->iLoadParam.op2 - 1);\n ip = NEXTINST(LoadParam);\n DISPATCH;\n }\n O1REG(LoadParam) = HermesValue::encodeUndefinedValue();\n ip = NEXTINST(LoadParam);\n DISPATCH;\n }\n\n CASE(LoadParamLong) {\n if (LLVM_LIKELY(ip->iLoadParamLong.op2 <= FRAME.getArgCount())) {\n // index 0 must load 'this'. Index 1 the first argument, etc.\n O1REG(LoadParamLong) =\n FRAME.getArgRef((int32_t)ip->iLoadParamLong.op2 - 1);\n ip = NEXTINST(LoadParamLong);\n DISPATCH;\n }\n O1REG(LoadParamLong) = HermesValue::encodeUndefinedValue();\n ip = NEXTINST(LoadParamLong);\n DISPATCH;\n }\n\n CASE(CoerceThisNS) {\n if (LLVM_LIKELY(O2REG(CoerceThisNS).isObject())) {\n O1REG(CoerceThisNS) = O2REG(CoerceThisNS);\n } else if (\n O2REG(CoerceThisNS).isNull() || O2REG(CoerceThisNS).isUndefined()) {\n O1REG(CoerceThisNS) = runtime->global_;\n } else {\n tmpHandle = O2REG(CoerceThisNS);\n nextIP = NEXTINST(CoerceThisNS);\n goto coerceThisSlowPath;\n }\n ip = NEXTINST(CoerceThisNS);\n DISPATCH;\n }\n CASE(LoadThisNS) {\n if (LLVM_LIKELY(FRAME.getThisArgRef().isObject())) {\n O1REG(LoadThisNS) = FRAME.getThisArgRef();\n } else if (\n FRAME.getThisArgRef().isNull() ||\n FRAME.getThisArgRef().isUndefined()) {\n O1REG(LoadThisNS) = runtime->global_;\n } else {\n tmpHandle = FRAME.getThisArgRef();\n nextIP = NEXTINST(LoadThisNS);\n goto coerceThisSlowPath;\n }\n ip = NEXTINST(LoadThisNS);\n DISPATCH;\n }\n coerceThisSlowPath : {\n CAPTURE_IP_ASSIGN(res, toObject(runtime, tmpHandle));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(CoerceThisNS) = res.getValue();\n tmpHandle.clear();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(ConstructLong) {\n callArgCount = (uint32_t)ip->iConstructLong.op3;\n nextIP = NEXTINST(ConstructLong);\n callNewTarget = O2REG(ConstructLong).getRaw();\n goto doCall;\n }\n CASE(CallLong) {\n callArgCount = 
(uint32_t)ip->iCallLong.op3;\n nextIP = NEXTINST(CallLong);\n callNewTarget = HermesValue::encodeUndefinedValue().getRaw();\n goto doCall;\n }\n\n // Note in Call1 through Call4, the first argument is 'this' which has\n // argument index -1.\n // Also note that we are writing to callNewTarget last, to avoid the\n // possibility of it being aliased by the arg writes.\n CASE(Call1) {\n callArgCount = 1;\n nextIP = NEXTINST(Call1);\n StackFramePtr fr{runtime->stackPointer_};\n fr.getArgRefUnsafe(-1) = O3REG(Call1);\n callNewTarget = HermesValue::encodeUndefinedValue().getRaw();\n goto doCall;\n }\n\n CASE(Call2) {\n callArgCount = 2;\n nextIP = NEXTINST(Call2);\n StackFramePtr fr{runtime->stackPointer_};\n fr.getArgRefUnsafe(-1) = O3REG(Call2);\n fr.getArgRefUnsafe(0) = O4REG(Call2);\n callNewTarget = HermesValue::encodeUndefinedValue().getRaw();\n goto doCall;\n }\n\n CASE(Call3) {\n callArgCount = 3;\n nextIP = NEXTINST(Call3);\n StackFramePtr fr{runtime->stackPointer_};\n fr.getArgRefUnsafe(-1) = O3REG(Call3);\n fr.getArgRefUnsafe(0) = O4REG(Call3);\n fr.getArgRefUnsafe(1) = O5REG(Call3);\n callNewTarget = HermesValue::encodeUndefinedValue().getRaw();\n goto doCall;\n }\n\n CASE(Call4) {\n callArgCount = 4;\n nextIP = NEXTINST(Call4);\n StackFramePtr fr{runtime->stackPointer_};\n fr.getArgRefUnsafe(-1) = O3REG(Call4);\n fr.getArgRefUnsafe(0) = O4REG(Call4);\n fr.getArgRefUnsafe(1) = O5REG(Call4);\n fr.getArgRefUnsafe(2) = O6REG(Call4);\n callNewTarget = HermesValue::encodeUndefinedValue().getRaw();\n goto doCall;\n }\n\n CASE(Construct) {\n callArgCount = (uint32_t)ip->iConstruct.op3;\n nextIP = NEXTINST(Construct);\n callNewTarget = O2REG(Construct).getRaw();\n goto doCall;\n }\n CASE(Call) {\n callArgCount = (uint32_t)ip->iCall.op3;\n nextIP = NEXTINST(Call);\n callNewTarget = HermesValue::encodeUndefinedValue().getRaw();\n // Fall through.\n }\n\n doCall : {\n#ifdef HERMES_ENABLE_DEBUGGER\n // Check for an async debugger request.\n if (uint8_t asyncFlags =\n 
runtime->testAndClearDebuggerAsyncBreakRequest()) {\n RUN_DEBUGGER_ASYNC_BREAK(asyncFlags);\n gcScope.flushToSmallCount(KEEP_HANDLES);\n DISPATCH;\n }\n#endif\n\n // Subtract 1 from callArgCount as 'this' is considered an argument in the\n // instruction, but not in the frame.\n CAPTURE_IP_ASSIGN_NO_INVALIDATE(\n auto newFrame,\n StackFramePtr::initFrame(\n runtime->stackPointer_,\n FRAME,\n ip,\n curCodeBlock,\n callArgCount - 1,\n O2REG(Call),\n HermesValue::fromRaw(callNewTarget)));\n (void)newFrame;\n\n SLOW_DEBUG(dumpCallArguments(dbgs(), runtime, newFrame));\n\n if (auto *func = dyn_vmcast(O2REG(Call))) {\n assert(!SingleStep && \"can't single-step a call\");\n\n#ifdef HERMES_ENABLE_ALLOCATION_LOCATION_TRACES\n runtime->pushCallStack(curCodeBlock, ip);\n#endif\n\n CodeBlock *calleeBlock = func->getCodeBlock();\n calleeBlock->lazyCompile(runtime);\n#if defined(HERMESVM_PROFILER_EXTERN)\n CAPTURE_IP_ASSIGN_NO_INVALIDATE(\n res, runtime->interpretFunction(calleeBlock));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(Call) = *res;\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n#else\n if (auto jitPtr = runtime->jitContext_.compile(runtime, calleeBlock)) {\n res = (*jitPtr)(runtime);\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION))\n goto exception;\n O1REG(Call) = *res;\n SLOW_DEBUG(\n dbgs() << \"JIT return value r\" << (unsigned)ip->iCall.op1 << \"=\"\n << DumpHermesValue(O1REG(Call)) << \"\\n\");\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n curCodeBlock = calleeBlock;\n goto tailCall;\n#endif\n }\n CAPTURE_IP_ASSIGN_NO_INVALIDATE(\n resPH, Interpreter::handleCallSlowPath(runtime, &O2REG(Call)));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(Call) = std::move(resPH->get());\n SLOW_DEBUG(\n dbgs() << \"native return value r\" << (unsigned)ip->iCall.op1 << \"=\"\n << DumpHermesValue(O1REG(Call)) << \"\\n\");\n 
gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(CallDirect)\n CASE(CallDirectLongIndex) {\n#ifdef HERMES_ENABLE_DEBUGGER\n // Check for an async debugger request.\n if (uint8_t asyncFlags =\n runtime->testAndClearDebuggerAsyncBreakRequest()) {\n RUN_DEBUGGER_ASYNC_BREAK(asyncFlags);\n gcScope.flushToSmallCount(KEEP_HANDLES);\n DISPATCH;\n }\n#endif\n\n CAPTURE_IP_ASSIGN(\n CodeBlock * calleeBlock,\n ip->opCode == OpCode::CallDirect\n ? curCodeBlock->getRuntimeModule()->getCodeBlockMayAllocate(\n ip->iCallDirect.op3)\n : curCodeBlock->getRuntimeModule()->getCodeBlockMayAllocate(\n ip->iCallDirectLongIndex.op3));\n\n CAPTURE_IP_ASSIGN_NO_INVALIDATE(\n auto newFrame,\n StackFramePtr::initFrame(\n runtime->stackPointer_,\n FRAME,\n ip,\n curCodeBlock,\n (uint32_t)ip->iCallDirect.op2 - 1,\n HermesValue::encodeNativePointer(calleeBlock),\n HermesValue::encodeUndefinedValue()));\n (void)newFrame;\n\n LLVM_DEBUG(dumpCallArguments(dbgs(), runtime, newFrame));\n\n assert(!SingleStep && \"can't single-step a call\");\n\n calleeBlock->lazyCompile(runtime);\n#if defined(HERMESVM_PROFILER_EXTERN)\n CAPTURE_IP_ASSIGN_NO_INVALIDATE(\n res, runtime->interpretFunction(calleeBlock));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(CallDirect) = *res;\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = ip->opCode == OpCode::CallDirect ? NEXTINST(CallDirect)\n : NEXTINST(CallDirectLongIndex);\n DISPATCH;\n#else\n if (auto jitPtr = runtime->jitContext_.compile(runtime, calleeBlock)) {\n res = (*jitPtr)(runtime);\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION))\n goto exception;\n O1REG(CallDirect) = *res;\n LLVM_DEBUG(\n dbgs() << \"JIT return value r\" << (unsigned)ip->iCallDirect.op1\n << \"=\" << DumpHermesValue(O1REG(Call)) << \"\\n\");\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = ip->opCode == OpCode::CallDirect ? 
NEXTINST(CallDirect)\n : NEXTINST(CallDirectLongIndex);\n DISPATCH;\n }\n curCodeBlock = calleeBlock;\n goto tailCall;\n#endif\n }\n\n CASE(CallBuiltin) {\n NativeFunction *nf =\n runtime->getBuiltinNativeFunction(ip->iCallBuiltin.op2);\n\n CAPTURE_IP_ASSIGN(\n auto newFrame,\n StackFramePtr::initFrame(\n runtime->stackPointer_,\n FRAME,\n ip,\n curCodeBlock,\n (uint32_t)ip->iCallBuiltin.op3 - 1,\n nf,\n false));\n // \"thisArg\" is implicitly assumed to \"undefined\".\n newFrame.getThisArgRef() = HermesValue::encodeUndefinedValue();\n\n SLOW_DEBUG(dumpCallArguments(dbgs(), runtime, newFrame));\n\n CAPTURE_IP_ASSIGN(resPH, NativeFunction::_nativeCall(nf, runtime));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION))\n goto exception;\n O1REG(CallBuiltin) = std::move(resPH->get());\n SLOW_DEBUG(\n dbgs() << \"native return value r\" << (unsigned)ip->iCallBuiltin.op1\n << \"=\" << DumpHermesValue(O1REG(CallBuiltin)) << \"\\n\");\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(CallBuiltin);\n DISPATCH;\n }\n\n CASE(CompleteGenerator) {\n auto *innerFn = vmcast(\n runtime->getCurrentFrame().getCalleeClosure());\n innerFn->setState(GeneratorInnerFunction::State::Completed);\n ip = NEXTINST(CompleteGenerator);\n DISPATCH;\n }\n\n CASE(SaveGenerator) {\n DONT_CAPTURE_IP(\n saveGenerator(runtime, frameRegs, IPADD(ip->iSaveGenerator.op1)));\n ip = NEXTINST(SaveGenerator);\n DISPATCH;\n }\n CASE(SaveGeneratorLong) {\n DONT_CAPTURE_IP(saveGenerator(\n runtime, frameRegs, IPADD(ip->iSaveGeneratorLong.op1)));\n ip = NEXTINST(SaveGeneratorLong);\n DISPATCH;\n }\n\n CASE(StartGenerator) {\n auto *innerFn = vmcast(\n runtime->getCurrentFrame().getCalleeClosure());\n if (innerFn->getState() ==\n GeneratorInnerFunction::State::SuspendedStart) {\n nextIP = NEXTINST(StartGenerator);\n } else {\n nextIP = innerFn->getNextIP();\n innerFn->restoreStack(runtime);\n }\n innerFn->setState(GeneratorInnerFunction::State::Executing);\n ip = nextIP;\n DISPATCH;\n }\n\n 
CASE(ResumeGenerator) {\n auto *innerFn = vmcast(\n runtime->getCurrentFrame().getCalleeClosure());\n O1REG(ResumeGenerator) = innerFn->getResult();\n O2REG(ResumeGenerator) = HermesValue::encodeBoolValue(\n innerFn->getAction() == GeneratorInnerFunction::Action::Return);\n innerFn->clearResult(runtime);\n if (innerFn->getAction() == GeneratorInnerFunction::Action::Throw) {\n runtime->setThrownValue(O1REG(ResumeGenerator));\n goto exception;\n }\n ip = NEXTINST(ResumeGenerator);\n DISPATCH;\n }\n\n CASE(Ret) {\n#ifdef HERMES_ENABLE_DEBUGGER\n // Check for an async debugger request.\n if (uint8_t asyncFlags =\n runtime->testAndClearDebuggerAsyncBreakRequest()) {\n RUN_DEBUGGER_ASYNC_BREAK(asyncFlags);\n gcScope.flushToSmallCount(KEEP_HANDLES);\n DISPATCH;\n }\n#endif\n\n PROFILER_EXIT_FUNCTION(curCodeBlock);\n\n#ifdef HERMES_ENABLE_ALLOCATION_LOCATION_TRACES\n runtime->popCallStack();\n#endif\n\n // Store the return value.\n res = O1REG(Ret);\n\n ip = FRAME.getSavedIP();\n curCodeBlock = FRAME.getSavedCodeBlock();\n\n frameRegs =\n &runtime->restoreStackAndPreviousFrame(FRAME).getFirstLocalRef();\n\n SLOW_DEBUG(\n dbgs() << \"function exit: restored stackLevel=\"\n << runtime->getStackLevel() << \"\\n\");\n\n // Are we returning to native code?\n if (!curCodeBlock) {\n SLOW_DEBUG(dbgs() << \"function exit: returning to native code\\n\");\n return res;\n }\n\n// Return because of recursive calling structure\n#if defined(HERMESVM_PROFILER_EXTERN)\n return res;\n#endif\n\n INIT_STATE_FOR_CODEBLOCK(curCodeBlock);\n O1REG(Call) = res.getValue();\n ip = nextInstCall(ip);\n DISPATCH;\n }\n\n CASE(Catch) {\n assert(!runtime->thrownValue_.isEmpty() && \"Invalid thrown value\");\n assert(\n !isUncatchableError(runtime->thrownValue_) &&\n \"Uncatchable thrown value was caught\");\n O1REG(Catch) = runtime->thrownValue_;\n runtime->clearThrownValue();\n#ifdef HERMES_ENABLE_DEBUGGER\n // Signal to the debugger that we're done unwinding an exception,\n // and we can resume normal 
debugging flow.\n runtime->debugger_.finishedUnwindingException();\n#endif\n ip = NEXTINST(Catch);\n DISPATCH;\n }\n\n CASE(Throw) {\n runtime->thrownValue_ = O1REG(Throw);\n SLOW_DEBUG(\n dbgs() << \"Exception thrown: \"\n << DumpHermesValue(runtime->thrownValue_) << \"\\n\");\n goto exception;\n }\n\n CASE(ThrowIfUndefinedInst) {\n if (LLVM_UNLIKELY(O1REG(ThrowIfUndefinedInst).isUndefined())) {\n SLOW_DEBUG(\n dbgs() << \"Throwing ReferenceError for undefined variable\");\n CAPTURE_IP(runtime->raiseReferenceError(\n \"accessing an uninitialized variable\"));\n goto exception;\n }\n ip = NEXTINST(ThrowIfUndefinedInst);\n DISPATCH;\n }\n\n CASE(Debugger) {\n SLOW_DEBUG(dbgs() << \"debugger statement executed\\n\");\n#ifdef HERMES_ENABLE_DEBUGGER\n {\n if (!runtime->debugger_.isDebugging()) {\n // Only run the debugger if we're not already debugging.\n // Don't want to call it again and mess with its state.\n CAPTURE_IP_ASSIGN(\n auto res,\n runDebuggerUpdatingState(\n Debugger::RunReason::Opcode,\n runtime,\n curCodeBlock,\n ip,\n frameRegs));\n if (res == ExecutionStatus::EXCEPTION) {\n // If one of the internal steps threw,\n // then handle that here by jumping to where we're supposed to go.\n // If we're in mid-step, the breakpoint at the catch point\n // will have been set by the debugger.\n // We don't want to execute this instruction because it's already\n // thrown.\n goto exception;\n }\n }\n auto breakpointOpt = runtime->debugger_.getBreakpointLocation(ip);\n if (breakpointOpt.hasValue()) {\n // We're on a breakpoint but we're supposed to continue.\n curCodeBlock->uninstallBreakpointAtOffset(\n CUROFFSET, breakpointOpt->opCode);\n if (ip->opCode == OpCode::Debugger) {\n // Breakpointed a debugger instruction, so move past it\n // since we've already called the debugger on this instruction.\n ip = NEXTINST(Debugger);\n } else {\n InterpreterState newState{curCodeBlock, (uint32_t)CUROFFSET};\n CAPTURE_IP_ASSIGN(\n ExecutionStatus status, 
runtime->stepFunction(newState));\n curCodeBlock->installBreakpointAtOffset(CUROFFSET);\n if (status == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n curCodeBlock = newState.codeBlock;\n ip = newState.codeBlock->getOffsetPtr(newState.offset);\n INIT_STATE_FOR_CODEBLOCK(curCodeBlock);\n // Single-stepping should handle call stack management for us.\n frameRegs = &runtime->getCurrentFrame().getFirstLocalRef();\n }\n } else if (ip->opCode == OpCode::Debugger) {\n // No breakpoint here and we've already run the debugger,\n // just continue on.\n // If the current instruction is no longer a debugger instruction,\n // we're just going to keep executing from the current IP.\n ip = NEXTINST(Debugger);\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n }\n DISPATCH;\n#else\n ip = NEXTINST(Debugger);\n DISPATCH;\n#endif\n }\n\n CASE(AsyncBreakCheck) {\n if (LLVM_UNLIKELY(runtime->hasAsyncBreak())) {\n#ifdef HERMES_ENABLE_DEBUGGER\n if (uint8_t asyncFlags =\n runtime->testAndClearDebuggerAsyncBreakRequest()) {\n RUN_DEBUGGER_ASYNC_BREAK(asyncFlags);\n }\n#endif\n if (runtime->testAndClearTimeoutAsyncBreakRequest()) {\n CAPTURE_IP_ASSIGN(auto nRes, runtime->notifyTimeout());\n if (nRes == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n }\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n\n ip = NEXTINST(AsyncBreakCheck);\n DISPATCH;\n }\n\n CASE(ProfilePoint) {\n#ifdef HERMESVM_PROFILER_BB\n auto pointIndex = ip->iProfilePoint.op1;\n SLOW_DEBUG(llvh::dbgs() << \"ProfilePoint: \" << pointIndex << \"\\n\");\n CAPTURE_IP(runtime->getBasicBlockExecutionInfo().executeBlock(\n curCodeBlock, pointIndex));\n#endif\n ip = NEXTINST(ProfilePoint);\n DISPATCH;\n }\n\n CASE(Unreachable) {\n llvm_unreachable(\"Hermes bug: unreachable instruction\");\n }\n\n CASE(CreateClosure) {\n idVal = ip->iCreateClosure.op3;\n nextIP = NEXTINST(CreateClosure);\n goto createClosure;\n }\n CASE(CreateClosureLongIndex) {\n idVal = ip->iCreateClosureLongIndex.op3;\n nextIP = 
NEXTINST(CreateClosureLongIndex);\n goto createClosure;\n }\n createClosure : {\n auto *runtimeModule = curCodeBlock->getRuntimeModule();\n CAPTURE_IP_ASSIGN(\n O1REG(CreateClosure),\n JSFunction::create(\n runtime,\n runtimeModule->getDomain(runtime),\n Handle::vmcast(&runtime->functionPrototype),\n Handle::vmcast(&O2REG(CreateClosure)),\n runtimeModule->getCodeBlockMayAllocate(idVal))\n .getHermesValue());\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(CreateGeneratorClosure) {\n CAPTURE_IP_ASSIGN(\n auto res,\n createGeneratorClosure(\n runtime,\n curCodeBlock->getRuntimeModule(),\n ip->iCreateClosure.op3,\n Handle::vmcast(&O2REG(CreateGeneratorClosure))));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(CreateGeneratorClosure) = res->getHermesValue();\n res->invalidate();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(CreateGeneratorClosure);\n DISPATCH;\n }\n CASE(CreateGeneratorClosureLongIndex) {\n CAPTURE_IP_ASSIGN(\n auto res,\n createGeneratorClosure(\n runtime,\n curCodeBlock->getRuntimeModule(),\n ip->iCreateClosureLongIndex.op3,\n Handle::vmcast(\n &O2REG(CreateGeneratorClosureLongIndex))));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(CreateGeneratorClosureLongIndex) = res->getHermesValue();\n res->invalidate();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(CreateGeneratorClosureLongIndex);\n DISPATCH;\n }\n\n CASE(CreateGenerator) {\n CAPTURE_IP_ASSIGN(\n auto res,\n createGenerator_RJS(\n runtime,\n curCodeBlock->getRuntimeModule(),\n ip->iCreateGenerator.op3,\n Handle::vmcast(&O2REG(CreateGenerator)),\n FRAME.getNativeArgs()));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(CreateGenerator) = res->getHermesValue();\n res->invalidate();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(CreateGenerator);\n DISPATCH;\n }\n CASE(CreateGeneratorLongIndex) {\n 
CAPTURE_IP_ASSIGN(\n auto res,\n createGenerator_RJS(\n runtime,\n curCodeBlock->getRuntimeModule(),\n ip->iCreateGeneratorLongIndex.op3,\n Handle::vmcast(&O2REG(CreateGeneratorLongIndex)),\n FRAME.getNativeArgs()));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(CreateGeneratorLongIndex) = res->getHermesValue();\n res->invalidate();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(CreateGeneratorLongIndex);\n DISPATCH;\n }\n\n CASE(GetEnvironment) {\n // The currently executing function must exist, so get the environment.\n Environment *curEnv =\n FRAME.getCalleeClosureUnsafe()->getEnvironment(runtime);\n for (unsigned level = ip->iGetEnvironment.op2; level; --level) {\n assert(curEnv && \"invalid environment relative level\");\n curEnv = curEnv->getParentEnvironment(runtime);\n }\n O1REG(GetEnvironment) = HermesValue::encodeObjectValue(curEnv);\n ip = NEXTINST(GetEnvironment);\n DISPATCH;\n }\n\n CASE(CreateEnvironment) {\n tmpHandle = HermesValue::encodeObjectValue(\n FRAME.getCalleeClosureUnsafe()->getEnvironment(runtime));\n\n CAPTURE_IP_ASSIGN(\n res,\n Environment::create(\n runtime,\n tmpHandle->getPointer() ? 
Handle::vmcast(tmpHandle)\n : Handle::vmcast_or_null(\n &runtime->nullPointer_),\n curCodeBlock->getEnvironmentSize()));\n if (res == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n O1REG(CreateEnvironment) = *res;\n#ifdef HERMES_ENABLE_DEBUGGER\n FRAME.getDebugEnvironmentRef() = *res;\n#endif\n tmpHandle = HermesValue::encodeUndefinedValue();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(CreateEnvironment);\n DISPATCH;\n }\n\n CASE(StoreToEnvironment) {\n vmcast(O1REG(StoreToEnvironment))\n ->slot(ip->iStoreToEnvironment.op2)\n .set(O3REG(StoreToEnvironment), &runtime->getHeap());\n ip = NEXTINST(StoreToEnvironment);\n DISPATCH;\n }\n CASE(StoreToEnvironmentL) {\n vmcast(O1REG(StoreToEnvironmentL))\n ->slot(ip->iStoreToEnvironmentL.op2)\n .set(O3REG(StoreToEnvironmentL), &runtime->getHeap());\n ip = NEXTINST(StoreToEnvironmentL);\n DISPATCH;\n }\n\n CASE(StoreNPToEnvironment) {\n vmcast(O1REG(StoreNPToEnvironment))\n ->slot(ip->iStoreNPToEnvironment.op2)\n .setNonPtr(O3REG(StoreNPToEnvironment), &runtime->getHeap());\n ip = NEXTINST(StoreNPToEnvironment);\n DISPATCH;\n }\n CASE(StoreNPToEnvironmentL) {\n vmcast(O1REG(StoreNPToEnvironmentL))\n ->slot(ip->iStoreNPToEnvironmentL.op2)\n .setNonPtr(O3REG(StoreNPToEnvironmentL), &runtime->getHeap());\n ip = NEXTINST(StoreNPToEnvironmentL);\n DISPATCH;\n }\n\n CASE(LoadFromEnvironment) {\n O1REG(LoadFromEnvironment) =\n vmcast(O2REG(LoadFromEnvironment))\n ->slot(ip->iLoadFromEnvironment.op3);\n ip = NEXTINST(LoadFromEnvironment);\n DISPATCH;\n }\n\n CASE(LoadFromEnvironmentL) {\n O1REG(LoadFromEnvironmentL) =\n vmcast(O2REG(LoadFromEnvironmentL))\n ->slot(ip->iLoadFromEnvironmentL.op3);\n ip = NEXTINST(LoadFromEnvironmentL);\n DISPATCH;\n }\n\n CASE(GetGlobalObject) {\n O1REG(GetGlobalObject) = runtime->global_;\n ip = NEXTINST(GetGlobalObject);\n DISPATCH;\n }\n\n CASE(GetNewTarget) {\n O1REG(GetNewTarget) = FRAME.getNewTargetRef();\n ip = NEXTINST(GetNewTarget);\n DISPATCH;\n }\n\n 
CASE(DeclareGlobalVar) {\n DefinePropertyFlags dpf =\n DefinePropertyFlags::getDefaultNewPropertyFlags();\n dpf.configurable = 0;\n // Do not overwrite existing globals with undefined.\n dpf.setValue = 0;\n\n CAPTURE_IP_ASSIGN(\n auto res,\n JSObject::defineOwnProperty(\n runtime->getGlobal(),\n runtime,\n ID(ip->iDeclareGlobalVar.op1),\n dpf,\n Runtime::getUndefinedValue(),\n PropOpFlags().plusThrowOnError()));\n if (res == ExecutionStatus::EXCEPTION) {\n assert(\n !runtime->getGlobal()->isProxyObject() &&\n \"global can't be a proxy object\");\n // If the property already exists, this should be a noop.\n // Instead of incurring the cost to check every time, do it\n // only if an exception is thrown, and swallow the exception\n // if it exists, since we didn't want to make the call,\n // anyway. This most likely means the property is\n // non-configurable.\n NamedPropertyDescriptor desc;\n CAPTURE_IP_ASSIGN(\n auto res,\n JSObject::getOwnNamedDescriptor(\n runtime->getGlobal(),\n runtime,\n ID(ip->iDeclareGlobalVar.op1),\n desc));\n if (!res) {\n goto exception;\n } else {\n runtime->clearThrownValue();\n }\n // fall through\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(DeclareGlobalVar);\n DISPATCH;\n }\n\n CASE(TryGetByIdLong) {\n tryProp = true;\n idVal = ip->iTryGetByIdLong.op4;\n nextIP = NEXTINST(TryGetByIdLong);\n goto getById;\n }\n CASE(GetByIdLong) {\n tryProp = false;\n idVal = ip->iGetByIdLong.op4;\n nextIP = NEXTINST(GetByIdLong);\n goto getById;\n }\n CASE(GetByIdShort) {\n tryProp = false;\n idVal = ip->iGetByIdShort.op4;\n nextIP = NEXTINST(GetByIdShort);\n goto getById;\n }\n CASE(TryGetById) {\n tryProp = true;\n idVal = ip->iTryGetById.op4;\n nextIP = NEXTINST(TryGetById);\n goto getById;\n }\n CASE(GetById) {\n tryProp = false;\n idVal = ip->iGetById.op4;\n nextIP = NEXTINST(GetById);\n }\n getById : {\n ++NumGetById;\n // NOTE: it is safe to use OnREG(GetById) here because all instructions\n // have the same layout: opcode, 
registers, non-register operands, i.e.\n // they only differ in the width of the last \"identifier\" field.\n CallResult propRes{ExecutionStatus::EXCEPTION};\n if (LLVM_LIKELY(O2REG(GetById).isObject())) {\n auto *obj = vmcast(O2REG(GetById));\n auto cacheIdx = ip->iGetById.op3;\n auto *cacheEntry = curCodeBlock->getReadCacheEntry(cacheIdx);\n\n#ifdef HERMESVM_PROFILER_BB\n {\n HERMES_SLOW_ASSERT(\n gcScope.getHandleCountDbg() == KEEP_HANDLES &&\n \"unaccounted handles were created\");\n auto objHandle = runtime->makeHandle(obj);\n auto cacheHCPtr = vmcast_or_null(static_cast(\n cacheEntry->clazz.get(runtime, &runtime->getHeap())));\n CAPTURE_IP(runtime->recordHiddenClass(\n curCodeBlock, ip, ID(idVal), obj->getClass(runtime), cacheHCPtr));\n // obj may be moved by GC due to recordHiddenClass\n obj = objHandle.get();\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n#endif\n auto clazzGCPtr = obj->getClassGCPtr();\n#ifndef NDEBUG\n if (clazzGCPtr.get(runtime)->isDictionary())\n ++NumGetByIdDict;\n#else\n (void)NumGetByIdDict;\n#endif\n\n // If we have a cache hit, reuse the cached offset and immediately\n // return the property.\n if (LLVM_LIKELY(cacheEntry->clazz == clazzGCPtr.getStorageType())) {\n ++NumGetByIdCacheHits;\n CAPTURE_IP_ASSIGN(\n O1REG(GetById),\n JSObject::getNamedSlotValue(\n obj, runtime, cacheEntry->slot));\n ip = nextIP;\n DISPATCH;\n }\n auto id = ID(idVal);\n NamedPropertyDescriptor desc;\n CAPTURE_IP_ASSIGN(\n OptValue fastPathResult,\n JSObject::tryGetOwnNamedDescriptorFast(obj, runtime, id, desc));\n if (LLVM_LIKELY(\n fastPathResult.hasValue() && fastPathResult.getValue()) &&\n !desc.flags.accessor) {\n ++NumGetByIdFastPaths;\n\n // cacheIdx == 0 indicates no caching so don't update the cache in\n // those cases.\n auto *clazz = clazzGCPtr.getNonNull(runtime);\n if (LLVM_LIKELY(!clazz->isDictionaryNoCache()) &&\n LLVM_LIKELY(cacheIdx != hbc::PROPERTY_CACHING_DISABLED)) {\n#ifdef HERMES_SLOW_DEBUG\n if (cacheEntry->clazz &&\n 
cacheEntry->clazz != clazzGCPtr.getStorageType())\n ++NumGetByIdCacheEvicts;\n#else\n (void)NumGetByIdCacheEvicts;\n#endif\n // Cache the class, id and property slot.\n cacheEntry->clazz = clazzGCPtr.getStorageType();\n cacheEntry->slot = desc.slot;\n }\n\n CAPTURE_IP_ASSIGN(\n O1REG(GetById), JSObject::getNamedSlotValue(obj, runtime, desc));\n ip = nextIP;\n DISPATCH;\n }\n\n // The cache may also be populated via the prototype of the object.\n // This value is only reliable if the fast path was a definite\n // not-found.\n if (fastPathResult.hasValue() && !fastPathResult.getValue() &&\n !obj->isProxyObject()) {\n CAPTURE_IP_ASSIGN(JSObject * parent, obj->getParent(runtime));\n // TODO: This isLazy check is because a lazy object is reported as\n // having no properties and therefore cannot contain the property.\n // This check does not belong here, it should be merged into\n // tryGetOwnNamedDescriptorFast().\n if (parent &&\n cacheEntry->clazz == parent->getClassGCPtr().getStorageType() &&\n LLVM_LIKELY(!obj->isLazy())) {\n ++NumGetByIdProtoHits;\n CAPTURE_IP_ASSIGN(\n O1REG(GetById),\n JSObject::getNamedSlotValue(parent, runtime, cacheEntry->slot));\n ip = nextIP;\n DISPATCH;\n }\n }\n\n#ifdef HERMES_SLOW_DEBUG\n CAPTURE_IP_ASSIGN(\n JSObject * propObj,\n JSObject::getNamedDescriptor(\n Handle::vmcast(&O2REG(GetById)), runtime, id, desc));\n if (propObj) {\n if (desc.flags.accessor)\n ++NumGetByIdAccessor;\n else if (propObj != vmcast(O2REG(GetById)))\n ++NumGetByIdProto;\n } else {\n ++NumGetByIdNotFound;\n }\n#else\n (void)NumGetByIdAccessor;\n (void)NumGetByIdProto;\n (void)NumGetByIdNotFound;\n#endif\n#ifdef HERMES_SLOW_DEBUG\n auto *savedClass = cacheIdx != hbc::PROPERTY_CACHING_DISABLED\n ? cacheEntry->clazz.get(runtime, &runtime->getHeap())\n : nullptr;\n#endif\n ++NumGetByIdSlow;\n CAPTURE_IP_ASSIGN(\n resPH,\n JSObject::getNamed_RJS(\n Handle::vmcast(&O2REG(GetById)),\n runtime,\n id,\n !tryProp ? 
defaultPropOpFlags\n : defaultPropOpFlags.plusMustExist(),\n cacheIdx != hbc::PROPERTY_CACHING_DISABLED ? cacheEntry\n : nullptr));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n#ifdef HERMES_SLOW_DEBUG\n if (cacheIdx != hbc::PROPERTY_CACHING_DISABLED && savedClass &&\n cacheEntry->clazz.get(runtime, &runtime->getHeap()) != savedClass) {\n ++NumGetByIdCacheEvicts;\n }\n#endif\n } else {\n ++NumGetByIdTransient;\n assert(!tryProp && \"TryGetById can only be used on the global object\");\n /* Slow path. */\n CAPTURE_IP_ASSIGN(\n resPH,\n Interpreter::getByIdTransient_RJS(\n runtime, Handle<>(&O2REG(GetById)), ID(idVal)));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n }\n O1REG(GetById) = resPH->get();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(TryPutByIdLong) {\n tryProp = true;\n idVal = ip->iTryPutByIdLong.op4;\n nextIP = NEXTINST(TryPutByIdLong);\n goto putById;\n }\n CASE(PutByIdLong) {\n tryProp = false;\n idVal = ip->iPutByIdLong.op4;\n nextIP = NEXTINST(PutByIdLong);\n goto putById;\n }\n CASE(TryPutById) {\n tryProp = true;\n idVal = ip->iTryPutById.op4;\n nextIP = NEXTINST(TryPutById);\n goto putById;\n }\n CASE(PutById) {\n tryProp = false;\n idVal = ip->iPutById.op4;\n nextIP = NEXTINST(PutById);\n }\n putById : {\n ++NumPutById;\n if (LLVM_LIKELY(O1REG(PutById).isObject())) {\n auto *obj = vmcast(O1REG(PutById));\n auto cacheIdx = ip->iPutById.op3;\n auto *cacheEntry = curCodeBlock->getWriteCacheEntry(cacheIdx);\n\n#ifdef HERMESVM_PROFILER_BB\n {\n HERMES_SLOW_ASSERT(\n gcScope.getHandleCountDbg() == KEEP_HANDLES &&\n \"unaccounted handles were created\");\n auto objHandle = runtime->makeHandle(obj);\n auto cacheHCPtr = vmcast_or_null(static_cast(\n cacheEntry->clazz.get(runtime, &runtime->getHeap())));\n CAPTURE_IP(runtime->recordHiddenClass(\n curCodeBlock, ip, ID(idVal), obj->getClass(runtime), cacheHCPtr));\n // obj may be moved by GC due 
to recordHiddenClass\n obj = objHandle.get();\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n#endif\n auto clazzGCPtr = obj->getClassGCPtr();\n // If we have a cache hit, reuse the cached offset and immediately\n // return the property.\n if (LLVM_LIKELY(cacheEntry->clazz == clazzGCPtr.getStorageType())) {\n ++NumPutByIdCacheHits;\n CAPTURE_IP(JSObject::setNamedSlotValue(\n obj, runtime, cacheEntry->slot, O2REG(PutById)));\n ip = nextIP;\n DISPATCH;\n }\n auto id = ID(idVal);\n NamedPropertyDescriptor desc;\n CAPTURE_IP_ASSIGN(\n OptValue hasOwnProp,\n JSObject::tryGetOwnNamedDescriptorFast(obj, runtime, id, desc));\n if (LLVM_LIKELY(hasOwnProp.hasValue() && hasOwnProp.getValue()) &&\n !desc.flags.accessor && desc.flags.writable &&\n !desc.flags.internalSetter) {\n ++NumPutByIdFastPaths;\n\n // cacheIdx == 0 indicates no caching so don't update the cache in\n // those cases.\n auto *clazz = clazzGCPtr.getNonNull(runtime);\n if (LLVM_LIKELY(!clazz->isDictionary()) &&\n LLVM_LIKELY(cacheIdx != hbc::PROPERTY_CACHING_DISABLED)) {\n#ifdef HERMES_SLOW_DEBUG\n if (cacheEntry->clazz &&\n cacheEntry->clazz != clazzGCPtr.getStorageType())\n ++NumPutByIdCacheEvicts;\n#else\n (void)NumPutByIdCacheEvicts;\n#endif\n // Cache the class and property slot.\n cacheEntry->clazz = clazzGCPtr.getStorageType();\n cacheEntry->slot = desc.slot;\n }\n\n CAPTURE_IP(JSObject::setNamedSlotValue(\n obj, runtime, desc.slot, O2REG(PutById)));\n ip = nextIP;\n DISPATCH;\n }\n\n CAPTURE_IP_ASSIGN(\n auto putRes,\n JSObject::putNamed_RJS(\n Handle::vmcast(&O1REG(PutById)),\n runtime,\n id,\n Handle<>(&O2REG(PutById)),\n !tryProp ? 
defaultPropOpFlags\n : defaultPropOpFlags.plusMustExist()));\n if (LLVM_UNLIKELY(putRes == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n } else {\n ++NumPutByIdTransient;\n assert(!tryProp && \"TryPutById can only be used on the global object\");\n CAPTURE_IP_ASSIGN(\n auto retStatus,\n Interpreter::putByIdTransient_RJS(\n runtime,\n Handle<>(&O1REG(PutById)),\n ID(idVal),\n Handle<>(&O2REG(PutById)),\n strictMode));\n if (retStatus == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(GetByVal) {\n CallResult propRes{ExecutionStatus::EXCEPTION};\n if (LLVM_LIKELY(O2REG(GetByVal).isObject())) {\n CAPTURE_IP_ASSIGN(\n resPH,\n JSObject::getComputed_RJS(\n Handle::vmcast(&O2REG(GetByVal)),\n runtime,\n Handle<>(&O3REG(GetByVal))));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n } else {\n // This is the \"slow path\".\n CAPTURE_IP_ASSIGN(\n resPH,\n Interpreter::getByValTransient_RJS(\n runtime,\n Handle<>(&O2REG(GetByVal)),\n Handle<>(&O3REG(GetByVal))));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(GetByVal) = resPH->get();\n ip = NEXTINST(GetByVal);\n DISPATCH;\n }\n\n CASE(PutByVal) {\n if (LLVM_LIKELY(O1REG(PutByVal).isObject())) {\n CAPTURE_IP_ASSIGN(\n auto putRes,\n JSObject::putComputed_RJS(\n Handle::vmcast(&O1REG(PutByVal)),\n runtime,\n Handle<>(&O2REG(PutByVal)),\n Handle<>(&O3REG(PutByVal)),\n defaultPropOpFlags));\n if (LLVM_UNLIKELY(putRes == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n } else {\n // This is the \"slow path\".\n CAPTURE_IP_ASSIGN(\n auto retStatus,\n Interpreter::putByValTransient_RJS(\n runtime,\n Handle<>(&O1REG(PutByVal)),\n Handle<>(&O2REG(PutByVal)),\n Handle<>(&O3REG(PutByVal)),\n strictMode));\n if (LLVM_UNLIKELY(retStatus == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n }\n 
gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(PutByVal);\n DISPATCH;\n }\n\n CASE(PutOwnByIndexL) {\n nextIP = NEXTINST(PutOwnByIndexL);\n idVal = ip->iPutOwnByIndexL.op3;\n goto putOwnByIndex;\n }\n CASE(PutOwnByIndex) {\n nextIP = NEXTINST(PutOwnByIndex);\n idVal = ip->iPutOwnByIndex.op3;\n }\n putOwnByIndex : {\n tmpHandle = HermesValue::encodeDoubleValue(idVal);\n CAPTURE_IP(JSObject::defineOwnComputedPrimitive(\n Handle::vmcast(&O1REG(PutOwnByIndex)),\n runtime,\n tmpHandle,\n DefinePropertyFlags::getDefaultNewPropertyFlags(),\n Handle<>(&O2REG(PutOwnByIndex))));\n gcScope.flushToSmallCount(KEEP_HANDLES);\n tmpHandle.clear();\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(GetPNameList) {\n CAPTURE_IP_ASSIGN(\n auto pRes, handleGetPNameList(runtime, frameRegs, ip));\n if (LLVM_UNLIKELY(pRes == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(GetPNameList);\n DISPATCH;\n }\n\n CASE(GetNextPName) {\n {\n assert(\n vmisa(O2REG(GetNextPName)) &&\n \"GetNextPName's second op must be BigStorage\");\n auto obj = Handle::vmcast(&O3REG(GetNextPName));\n auto arr = Handle::vmcast(&O2REG(GetNextPName));\n uint32_t idx = O4REG(GetNextPName).getNumber();\n uint32_t size = O5REG(GetNextPName).getNumber();\n MutableHandle propObj{runtime};\n // Loop until we find a property which is present.\n while (idx < size) {\n tmpHandle = arr->at(idx);\n ComputedPropertyDescriptor desc;\n CAPTURE_IP(JSObject::getComputedPrimitiveDescriptor(\n obj, runtime, tmpHandle, propObj, desc));\n if (LLVM_LIKELY(propObj))\n break;\n ++idx;\n }\n if (idx < size) {\n // We must return the property as a string\n if (tmpHandle->isNumber()) {\n CAPTURE_IP_ASSIGN(auto status, toString_RJS(runtime, tmpHandle));\n assert(\n status == ExecutionStatus::RETURNED &&\n \"toString on number cannot fail\");\n tmpHandle = status->getHermesValue();\n }\n O1REG(GetNextPName) = tmpHandle.get();\n O4REG(GetNextPName) = 
HermesValue::encodeNumberValue(idx + 1);\n } else {\n O1REG(GetNextPName) = HermesValue::encodeUndefinedValue();\n }\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n tmpHandle.clear();\n ip = NEXTINST(GetNextPName);\n DISPATCH;\n }\n\n CASE(ToNumber) {\n if (LLVM_LIKELY(O2REG(ToNumber).isNumber())) {\n O1REG(ToNumber) = O2REG(ToNumber);\n ip = NEXTINST(ToNumber);\n } else {\n CAPTURE_IP_ASSIGN(\n res, toNumber_RJS(runtime, Handle<>(&O2REG(ToNumber))));\n if (res == ExecutionStatus::EXCEPTION)\n goto exception;\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(ToNumber) = res.getValue();\n ip = NEXTINST(ToNumber);\n }\n DISPATCH;\n }\n\n CASE(ToInt32) {\n CAPTURE_IP_ASSIGN(res, toInt32_RJS(runtime, Handle<>(&O2REG(ToInt32))));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION))\n goto exception;\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(ToInt32) = res.getValue();\n ip = NEXTINST(ToInt32);\n DISPATCH;\n }\n\n CASE(AddEmptyString) {\n if (LLVM_LIKELY(O2REG(AddEmptyString).isString())) {\n O1REG(AddEmptyString) = O2REG(AddEmptyString);\n ip = NEXTINST(AddEmptyString);\n } else {\n CAPTURE_IP_ASSIGN(\n res,\n toPrimitive_RJS(\n runtime,\n Handle<>(&O2REG(AddEmptyString)),\n PreferredType::NONE));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION))\n goto exception;\n tmpHandle = res.getValue();\n CAPTURE_IP_ASSIGN(auto strRes, toString_RJS(runtime, tmpHandle));\n if (LLVM_UNLIKELY(strRes == ExecutionStatus::EXCEPTION))\n goto exception;\n tmpHandle.clear();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(AddEmptyString) = strRes->getHermesValue();\n ip = NEXTINST(AddEmptyString);\n }\n DISPATCH;\n }\n\n CASE(Jmp) {\n ip = IPADD(ip->iJmp.op1);\n DISPATCH;\n }\n CASE(JmpLong) {\n ip = IPADD(ip->iJmpLong.op1);\n DISPATCH;\n }\n CASE(JmpTrue) {\n if (toBoolean(O2REG(JmpTrue)))\n ip = IPADD(ip->iJmpTrue.op1);\n else\n ip = NEXTINST(JmpTrue);\n DISPATCH;\n }\n CASE(JmpTrueLong) {\n if (toBoolean(O2REG(JmpTrueLong)))\n ip = IPADD(ip->iJmpTrueLong.op1);\n 
else\n ip = NEXTINST(JmpTrueLong);\n DISPATCH;\n }\n CASE(JmpFalse) {\n if (!toBoolean(O2REG(JmpFalse)))\n ip = IPADD(ip->iJmpFalse.op1);\n else\n ip = NEXTINST(JmpFalse);\n DISPATCH;\n }\n CASE(JmpFalseLong) {\n if (!toBoolean(O2REG(JmpFalseLong)))\n ip = IPADD(ip->iJmpFalseLong.op1);\n else\n ip = NEXTINST(JmpFalseLong);\n DISPATCH;\n }\n CASE(JmpUndefined) {\n if (O2REG(JmpUndefined).isUndefined())\n ip = IPADD(ip->iJmpUndefined.op1);\n else\n ip = NEXTINST(JmpUndefined);\n DISPATCH;\n }\n CASE(JmpUndefinedLong) {\n if (O2REG(JmpUndefinedLong).isUndefined())\n ip = IPADD(ip->iJmpUndefinedLong.op1);\n else\n ip = NEXTINST(JmpUndefinedLong);\n DISPATCH;\n }\n CASE(Add) {\n if (LLVM_LIKELY(\n O2REG(Add).isNumber() &&\n O3REG(Add).isNumber())) { /* Fast-path. */\n CASE(AddN) {\n O1REG(Add) = HermesValue::encodeDoubleValue(\n O2REG(Add).getNumber() + O3REG(Add).getNumber());\n ip = NEXTINST(Add);\n DISPATCH;\n }\n }\n CAPTURE_IP_ASSIGN(\n res,\n addOp_RJS(runtime, Handle<>(&O2REG(Add)), Handle<>(&O3REG(Add))));\n if (res == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(Add) = res.getValue();\n ip = NEXTINST(Add);\n DISPATCH;\n }\n\n CASE(BitNot) {\n if (LLVM_LIKELY(O2REG(BitNot).isNumber())) { /* Fast-path. 
*/\n O1REG(BitNot) = HermesValue::encodeDoubleValue(\n ~hermes::truncateToInt32(O2REG(BitNot).getNumber()));\n ip = NEXTINST(BitNot);\n DISPATCH;\n }\n CAPTURE_IP_ASSIGN(res, toInt32_RJS(runtime, Handle<>(&O2REG(BitNot))));\n if (res == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(BitNot) = HermesValue::encodeDoubleValue(\n ~static_cast(res->getNumber()));\n ip = NEXTINST(BitNot);\n DISPATCH;\n }\n\n CASE(GetArgumentsLength) {\n // If the arguments object hasn't been created yet.\n if (O2REG(GetArgumentsLength).isUndefined()) {\n O1REG(GetArgumentsLength) =\n HermesValue::encodeNumberValue(FRAME.getArgCount());\n ip = NEXTINST(GetArgumentsLength);\n DISPATCH;\n }\n // The arguments object has been created, so this is a regular property\n // get.\n assert(\n O2REG(GetArgumentsLength).isObject() &&\n \"arguments lazy register is not an object\");\n CAPTURE_IP_ASSIGN(\n resPH,\n JSObject::getNamed_RJS(\n Handle::vmcast(&O2REG(GetArgumentsLength)),\n runtime,\n Predefined::getSymbolID(Predefined::length)));\n if (resPH == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(GetArgumentsLength) = resPH->get();\n ip = NEXTINST(GetArgumentsLength);\n DISPATCH;\n }\n\n CASE(GetArgumentsPropByVal) {\n // If the arguments object hasn't been created yet and we have a\n // valid integer index, we use the fast path.\n if (O3REG(GetArgumentsPropByVal).isUndefined()) {\n // If this is an integer index.\n if (auto index = toArrayIndexFastPath(O2REG(GetArgumentsPropByVal))) {\n // Is this an existing argument?\n if (*index < FRAME.getArgCount()) {\n O1REG(GetArgumentsPropByVal) = FRAME.getArgRef(*index);\n ip = NEXTINST(GetArgumentsPropByVal);\n DISPATCH;\n }\n }\n }\n // Slow path.\n CAPTURE_IP_ASSIGN(\n auto res,\n getArgumentsPropByValSlowPath_RJS(\n runtime,\n &O3REG(GetArgumentsPropByVal),\n &O2REG(GetArgumentsPropByVal),\n FRAME.getCalleeClosureHandleUnsafe(),\n 
strictMode));\n if (res == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(GetArgumentsPropByVal) = res->getHermesValue();\n ip = NEXTINST(GetArgumentsPropByVal);\n DISPATCH;\n }\n\n CASE(ReifyArguments) {\n // If the arguments object was already created, do nothing.\n if (!O1REG(ReifyArguments).isUndefined()) {\n assert(\n O1REG(ReifyArguments).isObject() &&\n \"arguments lazy register is not an object\");\n ip = NEXTINST(ReifyArguments);\n DISPATCH;\n }\n CAPTURE_IP_ASSIGN(\n resArgs,\n reifyArgumentsSlowPath(\n runtime, FRAME.getCalleeClosureHandleUnsafe(), strictMode));\n if (LLVM_UNLIKELY(resArgs == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(ReifyArguments) = resArgs->getHermesValue();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(ReifyArguments);\n DISPATCH;\n }\n\n CASE(NewObject) {\n // Create a new object using the built-in constructor. Note that the\n // built-in constructor is empty, so we don't actually need to call\n // it.\n CAPTURE_IP_ASSIGN(\n O1REG(NewObject), JSObject::create(runtime).getHermesValue());\n assert(\n gcScope.getHandleCountDbg() == KEEP_HANDLES &&\n \"Should not create handles.\");\n ip = NEXTINST(NewObject);\n DISPATCH;\n }\n CASE(NewObjectWithParent) {\n CAPTURE_IP_ASSIGN(\n O1REG(NewObjectWithParent),\n JSObject::create(\n runtime,\n O2REG(NewObjectWithParent).isObject()\n ? Handle::vmcast(&O2REG(NewObjectWithParent))\n : O2REG(NewObjectWithParent).isNull()\n ? 
Runtime::makeNullHandle()\n : Handle::vmcast(&runtime->objectPrototype))\n .getHermesValue());\n assert(\n gcScope.getHandleCountDbg() == KEEP_HANDLES &&\n \"Should not create handles.\");\n ip = NEXTINST(NewObjectWithParent);\n DISPATCH;\n }\n\n CASE(NewObjectWithBuffer) {\n CAPTURE_IP_ASSIGN(\n resPH,\n Interpreter::createObjectFromBuffer(\n runtime,\n curCodeBlock,\n ip->iNewObjectWithBuffer.op3,\n ip->iNewObjectWithBuffer.op4,\n ip->iNewObjectWithBuffer.op5));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(NewObjectWithBuffer) = resPH->get();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(NewObjectWithBuffer);\n DISPATCH;\n }\n\n CASE(NewObjectWithBufferLong) {\n CAPTURE_IP_ASSIGN(\n resPH,\n Interpreter::createObjectFromBuffer(\n runtime,\n curCodeBlock,\n ip->iNewObjectWithBufferLong.op3,\n ip->iNewObjectWithBufferLong.op4,\n ip->iNewObjectWithBufferLong.op5));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(NewObjectWithBufferLong) = resPH->get();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(NewObjectWithBufferLong);\n DISPATCH;\n }\n\n CASE(NewArray) {\n // Create a new array using the built-in constructor. 
Note that the\n // built-in constructor is empty, so we don't actually need to call\n // it.\n CAPTURE_IP_ASSIGN(\n auto createRes,\n JSArray::create(runtime, ip->iNewArray.op2, ip->iNewArray.op2));\n if (createRes == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n O1REG(NewArray) = createRes->getHermesValue();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(NewArray);\n DISPATCH;\n }\n\n CASE(NewArrayWithBuffer) {\n CAPTURE_IP_ASSIGN(\n resPH,\n Interpreter::createArrayFromBuffer(\n runtime,\n curCodeBlock,\n ip->iNewArrayWithBuffer.op2,\n ip->iNewArrayWithBuffer.op3,\n ip->iNewArrayWithBuffer.op4));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(NewArrayWithBuffer) = resPH->get();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n tmpHandle.clear();\n ip = NEXTINST(NewArrayWithBuffer);\n DISPATCH;\n }\n\n CASE(NewArrayWithBufferLong) {\n CAPTURE_IP_ASSIGN(\n resPH,\n Interpreter::createArrayFromBuffer(\n runtime,\n curCodeBlock,\n ip->iNewArrayWithBufferLong.op2,\n ip->iNewArrayWithBufferLong.op3,\n ip->iNewArrayWithBufferLong.op4));\n if (LLVM_UNLIKELY(resPH == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(NewArrayWithBufferLong) = resPH->get();\n gcScope.flushToSmallCount(KEEP_HANDLES);\n tmpHandle.clear();\n ip = NEXTINST(NewArrayWithBufferLong);\n DISPATCH;\n }\n\n CASE(CreateThis) {\n // Registers: output, prototype, closure.\n if (LLVM_UNLIKELY(!vmisa(O3REG(CreateThis)))) {\n CAPTURE_IP(runtime->raiseTypeError(\"constructor is not callable\"));\n goto exception;\n }\n CAPTURE_IP_ASSIGN(\n auto res,\n Callable::newObject(\n Handle::vmcast(&O3REG(CreateThis)),\n runtime,\n Handle::vmcast(\n O2REG(CreateThis).isObject() ? 
&O2REG(CreateThis)\n : &runtime->objectPrototype)));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(CreateThis) = res->getHermesValue();\n ip = NEXTINST(CreateThis);\n DISPATCH;\n }\n\n CASE(SelectObject) {\n // Registers: output, thisObject, constructorReturnValue.\n O1REG(SelectObject) = O3REG(SelectObject).isObject()\n ? O3REG(SelectObject)\n : O2REG(SelectObject);\n ip = NEXTINST(SelectObject);\n DISPATCH;\n }\n\n CASE(Eq)\n CASE(Neq) {\n CAPTURE_IP_ASSIGN(\n res,\n abstractEqualityTest_RJS(\n runtime, Handle<>(&O2REG(Eq)), Handle<>(&O3REG(Eq))));\n if (res == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(Eq) = ip->opCode == OpCode::Eq\n ? res.getValue()\n : HermesValue::encodeBoolValue(!res->getBool());\n ip = NEXTINST(Eq);\n DISPATCH;\n }\n CASE(StrictEq) {\n O1REG(StrictEq) = HermesValue::encodeBoolValue(\n strictEqualityTest(O2REG(StrictEq), O3REG(StrictEq)));\n ip = NEXTINST(StrictEq);\n DISPATCH;\n }\n CASE(StrictNeq) {\n O1REG(StrictNeq) = HermesValue::encodeBoolValue(\n !strictEqualityTest(O2REG(StrictNeq), O3REG(StrictNeq)));\n ip = NEXTINST(StrictNeq);\n DISPATCH;\n }\n CASE(Not) {\n O1REG(Not) = HermesValue::encodeBoolValue(!toBoolean(O2REG(Not)));\n ip = NEXTINST(Not);\n DISPATCH;\n }\n CASE(Negate) {\n if (LLVM_LIKELY(O2REG(Negate).isNumber())) {\n O1REG(Negate) =\n HermesValue::encodeDoubleValue(-O2REG(Negate).getNumber());\n } else {\n CAPTURE_IP_ASSIGN(\n res, toNumber_RJS(runtime, Handle<>(&O2REG(Negate))));\n if (res == ExecutionStatus::EXCEPTION)\n goto exception;\n gcScope.flushToSmallCount(KEEP_HANDLES);\n O1REG(Negate) = HermesValue::encodeDoubleValue(-res->getNumber());\n }\n ip = NEXTINST(Negate);\n DISPATCH;\n }\n CASE(TypeOf) {\n CAPTURE_IP_ASSIGN(\n O1REG(TypeOf), typeOf(runtime, Handle<>(&O2REG(TypeOf))));\n ip = NEXTINST(TypeOf);\n DISPATCH;\n }\n CASE(Mod) {\n // We use fmod here for 
simplicity. Theoretically fmod behaves slightly\n // differently than the ECMAScript Spec. fmod applies round-towards-zero\n // for the remainder when it's not representable by a double; while the\n // spec requires round-to-nearest. As an example, 5 % 0.7 will give\n // 0.10000000000000031 using fmod, but using the rounding style\n // described\n // by the spec, the output should really be 0.10000000000000053.\n // Such difference can be ignored in practice.\n if (LLVM_LIKELY(O2REG(Mod).isNumber() && O3REG(Mod).isNumber())) {\n /* Fast-path. */\n O1REG(Mod) = HermesValue::encodeDoubleValue(\n std::fmod(O2REG(Mod).getNumber(), O3REG(Mod).getNumber()));\n ip = NEXTINST(Mod);\n DISPATCH;\n }\n CAPTURE_IP_ASSIGN(res, toNumber_RJS(runtime, Handle<>(&O2REG(Mod))));\n if (res == ExecutionStatus::EXCEPTION)\n goto exception;\n double left = res->getDouble();\n CAPTURE_IP_ASSIGN(res, toNumber_RJS(runtime, Handle<>(&O3REG(Mod))));\n if (res == ExecutionStatus::EXCEPTION)\n goto exception;\n O1REG(Mod) =\n HermesValue::encodeDoubleValue(std::fmod(left, res->getDouble()));\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(Mod);\n DISPATCH;\n }\n CASE(InstanceOf) {\n CAPTURE_IP_ASSIGN(\n auto result,\n instanceOfOperator_RJS(\n runtime,\n Handle<>(&O2REG(InstanceOf)),\n Handle<>(&O3REG(InstanceOf))));\n if (LLVM_UNLIKELY(result == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(InstanceOf) = HermesValue::encodeBoolValue(*result);\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(InstanceOf);\n DISPATCH;\n }\n CASE(IsIn) {\n {\n if (LLVM_UNLIKELY(!O3REG(IsIn).isObject())) {\n CAPTURE_IP(runtime->raiseTypeError(\n \"right operand of 'in' is not an object\"));\n goto exception;\n }\n CAPTURE_IP_ASSIGN(\n auto cr,\n JSObject::hasComputed(\n Handle::vmcast(&O3REG(IsIn)),\n runtime,\n Handle<>(&O2REG(IsIn))));\n if (cr == ExecutionStatus::EXCEPTION) {\n goto exception;\n }\n O1REG(IsIn) = HermesValue::encodeBoolValue(*cr);\n }\n 
gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(IsIn);\n DISPATCH;\n }\n\n CASE(PutNewOwnByIdShort) {\n nextIP = NEXTINST(PutNewOwnByIdShort);\n idVal = ip->iPutNewOwnByIdShort.op3;\n goto putOwnById;\n }\n CASE(PutNewOwnNEByIdLong)\n CASE(PutNewOwnByIdLong) {\n nextIP = NEXTINST(PutNewOwnByIdLong);\n idVal = ip->iPutNewOwnByIdLong.op3;\n goto putOwnById;\n }\n CASE(PutNewOwnNEById)\n CASE(PutNewOwnById) {\n nextIP = NEXTINST(PutNewOwnById);\n idVal = ip->iPutNewOwnById.op3;\n }\n putOwnById : {\n assert(\n O1REG(PutNewOwnById).isObject() &&\n \"Object argument of PutNewOwnById must be an object\");\n CAPTURE_IP_ASSIGN(\n auto res,\n JSObject::defineNewOwnProperty(\n Handle::vmcast(&O1REG(PutNewOwnById)),\n runtime,\n ID(idVal),\n ip->opCode <= OpCode::PutNewOwnByIdLong\n ? PropertyFlags::defaultNewNamedPropertyFlags()\n : PropertyFlags::nonEnumerablePropertyFlags(),\n Handle<>(&O2REG(PutNewOwnById))));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(DelByIdLong) {\n idVal = ip->iDelByIdLong.op3;\n nextIP = NEXTINST(DelByIdLong);\n goto DelById;\n }\n\n CASE(DelById) {\n idVal = ip->iDelById.op3;\n nextIP = NEXTINST(DelById);\n }\n DelById : {\n if (LLVM_LIKELY(O2REG(DelById).isObject())) {\n CAPTURE_IP_ASSIGN(\n auto status,\n JSObject::deleteNamed(\n Handle::vmcast(&O2REG(DelById)),\n runtime,\n ID(idVal),\n defaultPropOpFlags));\n if (LLVM_UNLIKELY(status == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(DelById) = HermesValue::encodeBoolValue(status.getValue());\n } else {\n // This is the \"slow path\".\n CAPTURE_IP_ASSIGN(res, toObject(runtime, Handle<>(&O2REG(DelById))));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n // If an exception is thrown, likely we are trying to convert\n // undefined/null to an object. 
Passing over the name of the property\n // so that we could emit more meaningful error messages.\n CAPTURE_IP(amendPropAccessErrorMsgWithPropName(\n runtime, Handle<>(&O2REG(DelById)), \"delete\", ID(idVal)));\n goto exception;\n }\n tmpHandle = res.getValue();\n CAPTURE_IP_ASSIGN(\n auto status,\n JSObject::deleteNamed(\n Handle::vmcast(tmpHandle),\n runtime,\n ID(idVal),\n defaultPropOpFlags));\n if (LLVM_UNLIKELY(status == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(DelById) = HermesValue::encodeBoolValue(status.getValue());\n tmpHandle.clear();\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = nextIP;\n DISPATCH;\n }\n\n CASE(DelByVal) {\n if (LLVM_LIKELY(O2REG(DelByVal).isObject())) {\n CAPTURE_IP_ASSIGN(\n auto status,\n JSObject::deleteComputed(\n Handle::vmcast(&O2REG(DelByVal)),\n runtime,\n Handle<>(&O3REG(DelByVal)),\n defaultPropOpFlags));\n if (LLVM_UNLIKELY(status == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(DelByVal) = HermesValue::encodeBoolValue(status.getValue());\n } else {\n // This is the \"slow path\".\n CAPTURE_IP_ASSIGN(res, toObject(runtime, Handle<>(&O2REG(DelByVal))));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n tmpHandle = res.getValue();\n CAPTURE_IP_ASSIGN(\n auto status,\n JSObject::deleteComputed(\n Handle::vmcast(tmpHandle),\n runtime,\n Handle<>(&O3REG(DelByVal)),\n defaultPropOpFlags));\n if (LLVM_UNLIKELY(status == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n O1REG(DelByVal) = HermesValue::encodeBoolValue(status.getValue());\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n tmpHandle.clear();\n ip = NEXTINST(DelByVal);\n DISPATCH;\n }\n CASE(CreateRegExp) {\n {\n // Create the RegExp object.\n CAPTURE_IP_ASSIGN(auto re, JSRegExp::create(runtime));\n // Initialize the regexp.\n CAPTURE_IP_ASSIGN(\n auto pattern,\n runtime->makeHandle(curCodeBlock->getRuntimeModule()\n ->getStringPrimFromStringIDMayAllocate(\n ip->iCreateRegExp.op2)));\n 
CAPTURE_IP_ASSIGN(\n auto flags,\n runtime->makeHandle(curCodeBlock->getRuntimeModule()\n ->getStringPrimFromStringIDMayAllocate(\n ip->iCreateRegExp.op3)));\n CAPTURE_IP_ASSIGN(\n auto bytecode,\n curCodeBlock->getRuntimeModule()->getRegExpBytecodeFromRegExpID(\n ip->iCreateRegExp.op4));\n CAPTURE_IP_ASSIGN(\n auto initRes,\n JSRegExp::initialize(re, runtime, pattern, flags, bytecode));\n if (LLVM_UNLIKELY(initRes == ExecutionStatus::EXCEPTION)) {\n goto exception;\n }\n // Done, return the new object.\n O1REG(CreateRegExp) = re.getHermesValue();\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n ip = NEXTINST(CreateRegExp);\n DISPATCH;\n }\n\n CASE(SwitchImm) {\n if (LLVM_LIKELY(O1REG(SwitchImm).isNumber())) {\n double numVal = O1REG(SwitchImm).getNumber();\n uint32_t uintVal = (uint32_t)numVal;\n if (LLVM_LIKELY(numVal == uintVal) && // Only integers.\n LLVM_LIKELY(uintVal >= ip->iSwitchImm.op4) && // Bounds checking.\n LLVM_LIKELY(uintVal <= ip->iSwitchImm.op5)) // Bounds checking.\n {\n // Calculate the offset into the bytecode where the jump table for\n // this SwitchImm starts.\n const uint8_t *tablestart = (const uint8_t *)llvh::alignAddr(\n (const uint8_t *)ip + ip->iSwitchImm.op2, sizeof(uint32_t));\n\n // Read the offset from the table.\n // Must be signed to account for backwards branching.\n const int32_t *loc =\n (const int32_t *)tablestart + uintVal - ip->iSwitchImm.op4;\n\n ip = IPADD(*loc);\n DISPATCH;\n }\n }\n // Wrong type or out of range, jump to default.\n ip = IPADD(ip->iSwitchImm.op3);\n DISPATCH;\n }\n LOAD_CONST(\n LoadConstUInt8,\n HermesValue::encodeDoubleValue(ip->iLoadConstUInt8.op2));\n LOAD_CONST(\n LoadConstInt, HermesValue::encodeDoubleValue(ip->iLoadConstInt.op2));\n LOAD_CONST(\n LoadConstDouble,\n HermesValue::encodeDoubleValue(ip->iLoadConstDouble.op2));\n LOAD_CONST_CAPTURE_IP(\n LoadConstString,\n HermesValue::encodeStringValue(\n curCodeBlock->getRuntimeModule()\n ->getStringPrimFromStringIDMayAllocate(\n 
ip->iLoadConstString.op2)));\n LOAD_CONST_CAPTURE_IP(\n LoadConstStringLongIndex,\n HermesValue::encodeStringValue(\n curCodeBlock->getRuntimeModule()\n ->getStringPrimFromStringIDMayAllocate(\n ip->iLoadConstStringLongIndex.op2)));\n LOAD_CONST(LoadConstUndefined, HermesValue::encodeUndefinedValue());\n LOAD_CONST(LoadConstNull, HermesValue::encodeNullValue());\n LOAD_CONST(LoadConstTrue, HermesValue::encodeBoolValue(true));\n LOAD_CONST(LoadConstFalse, HermesValue::encodeBoolValue(false));\n LOAD_CONST(LoadConstZero, HermesValue::encodeDoubleValue(0));\n BINOP(Sub, doSub);\n BINOP(Mul, doMult);\n BINOP(Div, doDiv);\n BITWISEBINOP(BitAnd, &);\n BITWISEBINOP(BitOr, |);\n BITWISEBINOP(BitXor, ^);\n // For LShift, we need to use toUInt32 first because lshift on negative\n // numbers is undefined behavior in theory.\n SHIFTOP(LShift, <<, toUInt32_RJS, uint32_t, int32_t);\n SHIFTOP(RShift, >>, toInt32_RJS, int32_t, int32_t);\n SHIFTOP(URshift, >>, toUInt32_RJS, uint32_t, uint32_t);\n CONDOP(Less, <, lessOp_RJS);\n CONDOP(LessEq, <=, lessEqualOp_RJS);\n CONDOP(Greater, >, greaterOp_RJS);\n CONDOP(GreaterEq, >=, greaterEqualOp_RJS);\n JCOND(Less, <, lessOp_RJS);\n JCOND(LessEqual, <=, lessEqualOp_RJS);\n JCOND(Greater, >, greaterOp_RJS);\n JCOND(GreaterEqual, >=, greaterEqualOp_RJS);\n\n JCOND_STRICT_EQ_IMPL(\n JStrictEqual, , IPADD(ip->iJStrictEqual.op1), NEXTINST(JStrictEqual));\n JCOND_STRICT_EQ_IMPL(\n JStrictEqual,\n Long,\n IPADD(ip->iJStrictEqualLong.op1),\n NEXTINST(JStrictEqualLong));\n JCOND_STRICT_EQ_IMPL(\n JStrictNotEqual,\n ,\n NEXTINST(JStrictNotEqual),\n IPADD(ip->iJStrictNotEqual.op1));\n JCOND_STRICT_EQ_IMPL(\n JStrictNotEqual,\n Long,\n NEXTINST(JStrictNotEqualLong),\n IPADD(ip->iJStrictNotEqualLong.op1));\n\n JCOND_EQ_IMPL(JEqual, , IPADD(ip->iJEqual.op1), NEXTINST(JEqual));\n JCOND_EQ_IMPL(\n JEqual, Long, IPADD(ip->iJEqualLong.op1), NEXTINST(JEqualLong));\n JCOND_EQ_IMPL(\n JNotEqual, , NEXTINST(JNotEqual), IPADD(ip->iJNotEqual.op1));\n 
JCOND_EQ_IMPL(\n JNotEqual,\n Long,\n NEXTINST(JNotEqualLong),\n IPADD(ip->iJNotEqualLong.op1));\n\n CASE_OUTOFLINE(PutOwnByVal);\n CASE_OUTOFLINE(PutOwnGetterSetterByVal);\n CASE_OUTOFLINE(DirectEval);\n\n CASE_OUTOFLINE(IteratorBegin);\n CASE_OUTOFLINE(IteratorNext);\n CASE(IteratorClose) {\n if (LLVM_UNLIKELY(O1REG(IteratorClose).isObject())) {\n // The iterator must be closed if it's still an object.\n // That means it was never an index and is not done iterating (a state\n // which is indicated by `undefined`).\n CAPTURE_IP_ASSIGN(\n auto res,\n iteratorClose(\n runtime,\n Handle::vmcast(&O1REG(IteratorClose)),\n Runtime::getEmptyValue()));\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n if (ip->iIteratorClose.op2 &&\n !isUncatchableError(runtime->thrownValue_)) {\n // Ignore inner exception.\n runtime->clearThrownValue();\n } else {\n goto exception;\n }\n }\n gcScope.flushToSmallCount(KEEP_HANDLES);\n }\n ip = NEXTINST(IteratorClose);\n DISPATCH;\n }\n\n CASE(_last) {\n llvm_unreachable(\"Invalid opcode _last\");\n }\n }\n\n llvm_unreachable(\"unreachable\");\n\n // We arrive here if we couldn't allocate the registers for the current frame.\n stackOverflow:\n CAPTURE_IP(runtime->raiseStackOverflow(\n Runtime::StackOverflowKind::JSRegisterStack));\n\n // We arrive here when we raised an exception in a callee, but we don't want\n // the callee to be able to handle it.\n handleExceptionInParent:\n // Restore the caller code block and IP.\n curCodeBlock = FRAME.getSavedCodeBlock();\n ip = FRAME.getSavedIP();\n\n // Pop to the previous frame where technically the error happened.\n frameRegs =\n &runtime->restoreStackAndPreviousFrame(FRAME).getFirstLocalRef();\n\n // If we are coming from native code, return.\n if (!curCodeBlock)\n return ExecutionStatus::EXCEPTION;\n\n// Return because of recursive calling structure\n#ifdef HERMESVM_PROFILER_EXTERN\n return ExecutionStatus::EXCEPTION;\n#endif\n // Handle the exception.\n exception:\n 
UPDATE_OPCODE_TIME_SPENT;\n assert(\n !runtime->thrownValue_.isEmpty() &&\n \"thrownValue unavailable at exception\");\n\n bool catchable = true;\n // If this is an Error object that was thrown internally, it didn't have\n // access to the current codeblock and IP, so collect the stack trace here.\n if (auto *jsError = dyn_vmcast(runtime->thrownValue_)) {\n catchable = jsError->catchable();\n if (!jsError->getStackTrace()) {\n // Temporarily clear the thrown value for following operations.\n CAPTURE_IP_ASSIGN(\n auto errorHandle,\n runtime->makeHandle(vmcast(runtime->thrownValue_)));\n runtime->clearThrownValue();\n\n CAPTURE_IP(JSError::recordStackTrace(\n errorHandle, runtime, false, curCodeBlock, ip));\n\n // Restore the thrown value.\n runtime->setThrownValue(errorHandle.getHermesValue());\n }\n }\n\n gcScope.flushToSmallCount(KEEP_HANDLES);\n tmpHandle.clear();\n\n#ifdef HERMES_ENABLE_DEBUGGER\n if (SingleStep) {\n // If we're single stepping, don't bother with any more checks,\n // and simply signal that we should continue execution with an exception.\n state.codeBlock = curCodeBlock;\n state.offset = CUROFFSET;\n return ExecutionStatus::EXCEPTION;\n }\n\n using PauseOnThrowMode = facebook::hermes::debugger::PauseOnThrowMode;\n auto mode = runtime->debugger_.getPauseOnThrowMode();\n if (mode != PauseOnThrowMode::None) {\n if (!runtime->debugger_.isDebugging()) {\n // Determine whether the PauseOnThrowMode requires us to stop here.\n bool caught =\n runtime->debugger_\n .findCatchTarget(InterpreterState(curCodeBlock, CUROFFSET))\n .hasValue();\n bool shouldStop = mode == PauseOnThrowMode::All ||\n (mode == PauseOnThrowMode::Uncaught && !caught);\n if (shouldStop) {\n // When runDebugger is invoked after an exception,\n // stepping should never happen internally.\n // Any step is a step to an exception handler, which we do\n // directly here in the interpreter.\n // Thus, the result state should be the same as the input state.\n InterpreterState 
tmpState{curCodeBlock, (uint32_t)CUROFFSET};\n CAPTURE_IP_ASSIGN(\n ExecutionStatus resultStatus,\n runtime->debugger_.runDebugger(\n Debugger::RunReason::Exception, tmpState));\n (void)resultStatus;\n assert(\n tmpState == InterpreterState(curCodeBlock, CUROFFSET) &&\n \"not allowed to step internally in a pauseOnThrow\");\n gcScope.flushToSmallCount(KEEP_HANDLES);\n }\n }\n }\n#endif\n\n int32_t handlerOffset = 0;\n\n // If the exception is not catchable, skip found catch blocks.\n while (((handlerOffset = curCodeBlock->findCatchTargetOffset(CUROFFSET)) ==\n -1) ||\n !catchable) {\n PROFILER_EXIT_FUNCTION(curCodeBlock);\n\n#ifdef HERMES_ENABLE_ALLOCATION_LOCATION_TRACES\n runtime->popCallStack();\n#endif\n\n // Restore the code block and IP.\n curCodeBlock = FRAME.getSavedCodeBlock();\n ip = FRAME.getSavedIP();\n\n // Pop a stack frame.\n frameRegs =\n &runtime->restoreStackAndPreviousFrame(FRAME).getFirstLocalRef();\n\n SLOW_DEBUG(\n dbgs() << \"function exit with exception: restored stackLevel=\"\n << runtime->getStackLevel() << \"\\n\");\n\n // Are we returning to native code?\n if (!curCodeBlock) {\n SLOW_DEBUG(\n dbgs()\n << \"function exit with exception: returning to native code\\n\");\n return ExecutionStatus::EXCEPTION;\n }\n\n assert(\n isCallType(ip->opCode) &&\n \"return address is not Call-type instruction\");\n\n// Return because of recursive calling structure\n#ifdef HERMESVM_PROFILER_EXTERN\n return ExecutionStatus::EXCEPTION;\n#endif\n }\n\n INIT_STATE_FOR_CODEBLOCK(curCodeBlock);\n\n ip = IPADD(handlerOffset - CUROFFSET);\n }\n}", "project": "hermes", "hash": 289242997866177378156795426889881895518, "size": 2756, "commit_id": "b2021df620824627f5a8c96615edbd1eb7fdddfc", "message": "Fix CVE-2020-1914 by using NEXTINST for SaveGeneratorLong\n\nSummary:\nIf `SaveGeneratorLong` was emitted, it would accidentally jump to the\nwrong next instruction, based on how long SaveGenerator was.\n\nMake a callout function to handle the common case, and handle 
the dispatch\nwithin each case of the interpreter loop.\n\nFixes CVE-2020-1914\n\nReviewed By: neildhar\n\nDifferential Revision: D24024242\n\nfbshipit-source-id: 3bcb88daa740f0d50e91771a49eb212551ce8bd8", "target": 0, "dataset": "other", "idx": 295511 }, { "func": "static void cmdloop(void)\n{\n int c, r = 0, mode;\n static struct buf cmd, arg1, arg2, arg3, arg4;\n char *p, *result, buf[1024];\n const char *err;\n uint32_t uid, last;\n struct backend *be;\n char curgroup[MAX_MAILBOX_BUFFER] = \"\";\n\n allowanonymous = config_getswitch(IMAPOPT_ALLOWANONYMOUSLOGIN);\n\n for (;;) {\n\t/* Flush any buffered output */\n\tprot_flush(nntp_out);\n\tif (backend_current) prot_flush(backend_current->out);\n\n\t/* Check for shutdown file */\n\tif (shutdown_file(buf, sizeof(buf)) ||\n\t (nntp_userid &&\n\t userdeny(nntp_userid, config_ident, buf, sizeof(buf)))) {\n\t prot_printf(nntp_out, \"400 %s\\r\\n\", buf);\n\t shut_down(0);\n\t}\n\n\tsignals_poll();\n\n\tif (!proxy_check_input(protin, nntp_in, nntp_out,\n\t\t\t backend_current ? 
backend_current->in : NULL,\n\t\t\t NULL, 0)) {\n\t /* No input from client */\n\t continue;\n\t}\n\n\tif (group_state &&\n\t config_getswitch(IMAPOPT_DISCONNECT_ON_VANISHED_MAILBOX)) {\n\t if (group_state->mailbox->i.options & OPT_MAILBOX_DELETED) {\n\t\t/* Mailbox has been (re)moved */\n\t\tsyslog(LOG_WARNING,\n\t\t \"Newsgroup %s has been (re)moved out from under client\",\n\t\t group_state->mailbox->name);\n\t\tprot_printf(nntp_out,\n\t\t\t \"400 Newsgroup has been (re)moved\\r\\n\");\n\t\tshut_down(0);\n\t }\n\t}\n\n\t/* Parse command name */\n\tc = getword(nntp_in, &cmd);\n\tif (c == EOF) {\n\t if ((err = prot_error(nntp_in)) != NULL\n\t\t && strcmp(err, PROT_EOF_STRING)) {\n\t\tsyslog(LOG_WARNING, \"%s, closing connection\", err);\n\t\tprot_printf(nntp_out, \"400 %s\\r\\n\", err);\n\t }\n\t return;\n\t}\n\tif (!cmd.s[0]) {\n\t prot_printf(nntp_out, \"501 Empty command\\r\\n\");\n\t eatline(nntp_in, c);\n\t continue;\n\t}\n\tif (Uislower(cmd.s[0])) \n\t cmd.s[0] = toupper((unsigned char) cmd.s[0]);\n\tfor (p = &cmd.s[1]; *p; p++) {\n\t if (Uisupper(*p)) *p = tolower((unsigned char) *p);\n\t}\n\n\t/* Ihave/Takethis only allowed for feeders */\n\tif (!(nntp_capa & MODE_FEED) &&\n\t strchr(\"IT\", cmd.s[0])) goto noperm;\n \n\t/* Body/Date/Group/Newgroups/Newnews/Next/Over/Post/Xhdr/Xover/Xpat\n\t only allowed for readers */\n\tif (!(nntp_capa & MODE_READ) &&\n\t strchr(\"BDGNOPX\", cmd.s[0])) goto noperm;\n \n\t/* Only Authinfo/Capabilities/Check/Head/Help/Ihave/List Active/\n\t Mode/Quit/Starttls/Stat/Takethis allowed when not logged in */\n\tif (!nntp_userid && !allowanonymous &&\n\t !strchr(\"ACHILMQST\", cmd.s[0])) goto nologin;\n\n\t/* In case a [LIST]GROUP fails or\n\t a retrieval by msgid makes us switch groups */\n\tstrcpy(curgroup, group_state ? 
group_state->mailbox->name : \"\");\n\n\tswitch (cmd.s[0]) {\n\tcase 'A':\n\t if (!strcmp(cmd.s, \"Authinfo\")) {\n\t\tif (c != ' ') goto missingargs;\n\t\tc = getword(nntp_in, &arg1); /* subcommand */\n\t\tif (c == EOF) goto missingargs;\n\n\t\tlcase(arg1.s);\n\n\t\tif (!strcmp(arg1.s, \"user\") || !strcmp(arg1.s, \"pass\")) {\n\t\t if (c != ' ') goto missingargs;\n\t\t c = getuserpass(nntp_in, &arg2); /* user/pass */\n\t\t if (c == EOF) goto missingargs;\n\n\t\t if (c == '\\r') c = prot_getc(nntp_in);\n\t\t if (c != '\\n') goto extraargs;\n\n\t\t if (arg1.s[0] == 'u')\n\t\t\tcmd_authinfo_user(arg2.s);\n\t\t else\n\t\t\tcmd_authinfo_pass(arg2.s);\n\t\t}\n\t\telse if (!strcmp(arg1.s, \"sasl\") || !strcmp(arg1.s, \"generic\")) {\n\t\t arg2.len = arg3.len = 0;\n\n\t\t /* mech name required for SASL but not GENERIC */\n\t\t if ((arg1.s[0] == 's') && (c != ' ')) goto missingargs;\n\n\t\t if (c == ' ') {\n\t\t\tc = getword(nntp_in, &arg2); /* mech name */\n\t\t\tif (c == EOF) goto missingargs;\n\n\t\t\tif (c == ' ') {\n\t\t\t c = getword(nntp_in, &arg3); /* init response */\n\t\t\t if (c == EOF) goto missingargs;\n\t\t\t}\n\t\t }\n\n\t\t if (c == '\\r') c = prot_getc(nntp_in);\n\t\t if (c != '\\n') goto extraargs;\n\n\t\t cmd_authinfo_sasl(arg1.s, arg2.len ? arg2.s : NULL,\n\t\t\t\t arg3.len ? 
arg3.s : NULL);\n\t\t}\n\t\telse\n\t\t prot_printf(nntp_out,\n\t\t\t\t\"501 Unrecognized AUTHINFO command\\r\\n\");\n\t }\n\t else if (!(nntp_capa & MODE_READ)) goto noperm;\n\t else if (!nntp_userid && !allowanonymous) goto nologin;\n\t else if (!strcmp(cmd.s, \"Article\")) {\n\t\tchar *msgid;\n\n\t\tmode = ARTICLE_ALL;\n\n\t article:\n\t\tif (arg1.s) *arg1.s = 0;\n\n\t\tif (c == ' ') {\n\t\t c = getword(nntp_in, &arg1); /* number/msgid (optional) */\n\t\t if (c == EOF) goto missingargs;\n\t\t}\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tif (parserange(arg1.s, &uid, NULL, &msgid, &be) != -1) {\n\t\t if (be) {\n\t\t\tif (arg1.s && *arg1.s)\n\t\t\t prot_printf(be->out, \"%s %s\\r\\n\", cmd.s, arg1.s);\n\t\t\telse\n\t\t\t prot_printf(be->out, \"%s\\r\\n\", cmd.s);\n\n\t\t\tif (be != backend_current) {\n\t\t\t r = read_response(be, 0, &result);\n\t\t\t if (r) goto noopengroup;\n\n\t\t\t prot_printf(nntp_out, \"%s\", result);\n\t\t\t if (!strncmp(result, \"22\", 2) &&\n\t\t\t\tmode != ARTICLE_STAT) {\n\t\t\t\tpipe_to_end_of_response(be, 0);\n\t\t\t }\n\t\t\t}\n\t\t }\n\t\t else\n\t\t\tcmd_article(mode, msgid, uid);\n\t\t}\n\n\t\tif (msgid) goto prevgroup;\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'B':\n\t if (!strcmp(cmd.s, \"Body\")) {\n\t\tmode = ARTICLE_BODY;\n\t\tgoto article;\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'C':\n\t if (!strcmp(cmd.s, \"Capabilities\")) {\n\t\targ1.len = 0;\n\n\t\tif (c == ' ') {\n\t\t c = getword(nntp_in, &arg1); /* keyword (optional) */\n\t\t if (c == EOF) goto missingargs;\n\t\t}\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tcmd_capabilities(arg1.s);\n\t }\n\t else if (!(nntp_capa & MODE_FEED)) goto noperm;\n\t else if (!strcmp(cmd.s, \"Check\")) {\n\t\tmode = POST_CHECK;\n\t\tgoto ihave;\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'D':\n\t if (!strcmp(cmd.s, \"Date\")) {\n\t\ttime_t now = time(NULL);\n\t\tstruct tm *my_tm = 
gmtime(&now);\n\t\tchar buf[15];\n\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tstrftime(buf, sizeof(buf), \"%Y%m%d%H%M%S\", my_tm);\n\t\tprot_printf(nntp_out, \"111 %s\\r\\n\", buf);\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'G':\n\t if (!strcmp(cmd.s, \"Group\")) {\n\t\targ2.len = 0; /* GROUP command (no range) */\n\n\t group:\n#define LISTGROUP (arg2.len)\n\n\t\tif (!LISTGROUP && c != ' ') goto missingargs;\n\t\tif (c == ' ') {\n\t\t c = getword(nntp_in, &arg1); /* group */\n\t\t if (c == EOF) goto missingargs;\n\t\t}\n\t\tif (LISTGROUP && c == ' ') {\n\t\t c = getword(nntp_in, &arg2); /* range (optional) */\n\t\t if (c == EOF) goto missingargs;\n\t\t}\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tbe = backend_current;\n\t\tif (arg1.len &&\n\t\t (!is_newsgroup(arg1.s) ||\n\t\t (r = open_group(arg1.s, 0, &be, NULL)))) goto nogroup;\n\t\telse if (be) {\n\t\t prot_printf(be->out, \"%s\", cmd.s);\n\t\t if (arg1.len) {\n\t\t\tprot_printf(be->out, \" %s\", arg1.s);\n\t\t\t if (LISTGROUP) prot_printf(be->out, \" %s\", arg2.s);\n\t\t }\n\t\t prot_printf(be->out, \"\\r\\n\");\n\n\t\t r = read_response(be, 0, &result);\n\t\t if (r) goto nogroup;\n\n\t\t prot_printf(nntp_out, \"%s\", result);\n\n\t\t if (!strncmp(result, \"211\", 3)) {\n\t\t\tif (LISTGROUP) pipe_to_end_of_response(be, 0);\n\n\t\t\tif (backend_current && backend_current != be) {\n\t\t\t /* remove backend_current from the protgroup */\n\t\t\t protgroup_delete(protin, backend_current->in);\n\t\t\t}\n\t\t\tbackend_current = be;\n\n\t\t\t/* add backend_current to the protgroup */\n\t\t\tprotgroup_insert(protin, backend_current->in);\n\t\t }\n\t\t}\n\t\telse if (!group_state) goto noopengroup;\n\t\telse if (LISTGROUP &&\n\t\t\t parserange(arg2.s, &uid, &last, NULL, NULL) != 0) {\n\t\t /* parserange() will handle error code -- do nothing */\n\t\t}\n\t\telse {\n\t\t if (backend_current) {\n\t\t\t/* remove backend_current 
from the protgroup */\n\t\t\tprotgroup_delete(protin, backend_current->in);\n\t\t }\n\t\t backend_current = NULL;\n\n\t\t nntp_exists = group_state->exists;\n\t\t nntp_current = nntp_exists > 0;\n\n\t\t prot_printf(nntp_out, \"211 %u %lu %lu %s\\r\\n\",\n\t\t\t\tnntp_exists,\n\t\t\t\tnntp_exists ? index_getuid(group_state, 1) :\n\t\t\t\tgroup_state->last_uid+1,\n\t\t\t\tnntp_exists ? index_getuid(group_state, nntp_exists) :\n\t\t\t\tgroup_state->last_uid,\n\t\t\t\tgroup_state->mailbox->name + strlen(newsprefix));\n\n\t\t if (LISTGROUP) {\n\t\t\tint msgno, last_msgno;\n\n\t\t\tmsgno = index_finduid(group_state, uid);\n\t\t\tif (!msgno || index_getuid(group_state, msgno) != uid) {\n\t\t\t msgno++;\n\t\t\t}\n\t\t\tlast_msgno = index_finduid(group_state, last);\n\n\t\t\tfor (; msgno <= last_msgno; msgno++) {\n\t\t\t prot_printf(nntp_out, \"%u\\r\\n\",\n\t\t\t\t\tindex_getuid(group_state, msgno));\n\t\t\t}\n\t\t\tprot_printf(nntp_out, \".\\r\\n\");\n\t\t }\n\t\t}\n#undef LISTGROUP\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'H':\n\t if (!strcmp(cmd.s, \"Head\")) {\n\t\tmode = ARTICLE_HEAD;\n\t\tgoto article;\n\t }\n\t else if (!strcmp(cmd.s, \"Help\")) {\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tcmd_help();\n\t }\n\t else if (!(nntp_capa & MODE_READ)) goto noperm;\n\t else if (!nntp_userid && !allowanonymous) goto nologin;\n\t else if (!strcmp(cmd.s, \"Hdr\")) {\n\t\tchar *msgid;\n\n\t hdr:\n\t\tif (arg2.s) *arg2.s = 0;\n\n\t\tif (c != ' ') goto missingargs;\n\t\tc = getword(nntp_in, &arg1); /* header */\n\t\tif (c == EOF) goto missingargs;\n\t\tif (c == ' ') {\n\t\t c = getword(nntp_in, &arg2); /* range (optional) */\n\t\t if (c == EOF) goto missingargs;\n\t\t}\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tif (parserange(arg2.s, &uid, &last, &msgid, &be) != -1) {\n\t\t if (be) {\n\t\t\tif (arg2.s && *arg2.s)\n\t\t\t prot_printf(be->out, \"%s %s %s\\r\\n\",\n\t\t\t\t\tcmd.s, 
arg1.s, arg2.s);\n\t\t\telse\n\t\t\t prot_printf(be->out, \"%s %s\\r\\n\", cmd.s, arg1.s);\n\n\t\t\tif (be != backend_current) {\n\t\t\t r = read_response(be, 0, &result);\n\t\t\t if (r) goto noopengroup;\n\n\t\t\t prot_printf(nntp_out, \"%s\", result);\n\t\t\t if (!strncmp(result, \"22\", 2)) { /* 221 or 225 */\n\t\t\t\tpipe_to_end_of_response(be, 0);\n\t\t\t }\n\t\t\t}\n\t\t }\n\t\t else\n\t\t\tcmd_hdr(cmd.s, arg1.s, NULL, msgid, uid, last);\n\t\t}\n\n\t\tif (msgid) goto prevgroup;\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'I':\n\t if (!strcmp(cmd.s, \"Ihave\")) {\n\t\tmode = POST_IHAVE;\n\n\t ihave:\n\t\tif (c != ' ') goto missingargs;\n\t\tc = getword(nntp_in, &arg1); /* msgid */\n\t\tif (c == EOF) goto missingargs;\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tcmd_post(arg1.s, mode);\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'L':\n\t if (!strcmp(cmd.s, \"List\")) {\n\t\targ1.len = arg2.len = 0;\n\t\tif (c == ' ') {\n\t\t c = getword(nntp_in, &arg1); /* subcommand (optional) */\n\t\t if (c == EOF) goto missingargs;\n\t\t if (c == ' ') {\n\t\t\tc = getword(nntp_in, &arg2); /* argument (optional) */\n\t\t\tif (c == EOF) goto missingargs;\n\t\t }\n\t\t}\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tcmd_list(arg1.len ? arg1.s : NULL, arg2.len ? 
arg2.s : NULL);\n\n\t\tgoto prevgroup; /* In case we did LIST [ACTIVE] */\n\t }\n\t else if (!(nntp_capa & MODE_READ)) goto noperm;\n\t else if (!nntp_userid && !allowanonymous) goto nologin;\n\t else if (!strcmp(cmd.s, \"Last\")) {\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tif (backend_current) {\n\t\t prot_printf(backend_current->out, \"LAST\\r\\n\");\n\t\t}\n\t\telse if (!group_state) goto noopengroup;\n\t\telse if (!nntp_current) goto nocurrent;\n\t\telse if (nntp_current == 1) {\n\t\t prot_printf(nntp_out,\n\t\t\t\t\"422 No previous article in this group\\r\\n\");\n\t\t}\n\t\telse {\n\t\t char *msgid = index_get_msgid(group_state, --nntp_current);\n\n\t\t prot_printf(nntp_out, \"223 %u %s\\r\\n\",\n\t\t\t\tindex_getuid(group_state, nntp_current),\n\t\t\t\tmsgid ? msgid : \"<0>\");\n\n\t\t if (msgid) free(msgid);\n\t\t}\n\t }\n\t else if (!strcmp(cmd.s, \"Listgroup\")) {\n\t\targ1.len = 0; \t /* group is optional */\n\t\tbuf_setcstr(&arg2, \"1-\"); /* default range is all */\n\t\tbuf_cstring(&arg2);\t /* appends a '\\0' */\n\t\tgoto group;\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'M':\n\t if (!strcmp(cmd.s, \"Mode\")) {\n\t\tif (c != ' ') goto missingargs;\n\t\tc = getword(nntp_in, &arg1); /* mode */\n\t\tif (c == EOF) goto missingargs;\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tcmd_mode(arg1.s);\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'N':\n\t if (!strcmp(cmd.s, \"Newgroups\")) {\n\t\ttime_t tstamp;\n\n\t\targ3.len = 0;\n\t\tif (c != ' ') goto missingargs;\n\t\tc = getword(nntp_in, &arg1); /* date */\n\t\tif (c != ' ') goto missingargs;\n\t\tc = getword(nntp_in, &arg2); /* time */\n\t\tif (c == EOF) goto missingargs;\n\t\tif (c == ' ') {\n\t\t c = getword(nntp_in, &arg3); /* \"GMT\" (optional) */\n\t\t if (c == EOF) goto missingargs;\n\t\t}\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tif ((tstamp = 
parse_datetime(arg1.s, arg2.s,\n\t\t\t\t\t arg3.len ? arg3.s : NULL)) < 0)\n\t\t goto baddatetime;\n\n\t\tcmd_newgroups(tstamp);\n\t }\n\t else if (!strcmp(cmd.s, \"Newnews\")) {\n\t\ttime_t tstamp;\n\n\t\tif (!config_getswitch(IMAPOPT_ALLOWNEWNEWS))\n\t\t goto cmddisabled;\n\n\t\targ4.len = 0;\n\t\tif (c != ' ') goto missingargs;\n\t\tc = getword(nntp_in, &arg1); /* wildmat */\n\t\tif (c != ' ') goto missingargs;\n\t\tc = getword(nntp_in, &arg2); /* date */\n\t\tif (c != ' ') goto missingargs;\n\t\tc = getword(nntp_in, &arg3); /* time */\n\t\tif (c == EOF) goto missingargs;\n\t\tif (c == ' ') {\n\t\t c = getword(nntp_in, &arg4); /* \"GMT\" (optional) */\n\t\t if (c == EOF) goto missingargs;\n\t\t}\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tif ((tstamp = parse_datetime(arg2.s, arg3.s,\n\t\t\t\t\t arg4.len ? arg4.s : NULL)) < 0)\n\t\t goto baddatetime;\n\n\t\tcmd_newnews(arg1.s, tstamp);\n\t }\n\t else if (!strcmp(cmd.s, \"Next\")) {\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tif (backend_current) {\n\t\t prot_printf(backend_current->out, \"NEXT\\r\\n\");\n\t\t}\n\t\telse if (!group_state) goto noopengroup;\n\t\telse if (!nntp_current) goto nocurrent;\n\t\telse if (nntp_current == nntp_exists) {\n\t\t prot_printf(nntp_out,\n\t\t\t\t\"421 No next article in this group\\r\\n\");\n\t\t}\n\t\telse {\n\t\t char *msgid = index_get_msgid(group_state, ++nntp_current);\n\n\t\t prot_printf(nntp_out, \"223 %u %s\\r\\n\",\n\t\t\t\tindex_getuid(group_state, nntp_current),\n\t\t\t\tmsgid ? 
msgid : \"<0>\");\n\n\t\t if (msgid) free(msgid);\n\t\t}\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'O':\n\t if (!strcmp(cmd.s, \"Over\")) {\n\t\tchar *msgid;\n\n\t over:\n\t\tif (arg1.s) *arg1.s = 0;\n\n\t\tif (c == ' ') {\n\t\t c = getword(nntp_in, &arg1); /* range/msgid (optional) */\n\t\t if (c == EOF) goto missingargs;\n\t\t}\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tmsgid = NULL;\n\t\tif (parserange(arg1.s, &uid, &last,\n\t\t\t /* XOVER doesn't accept message-id */\n\t\t\t (cmd.s[0] == 'X' ? NULL : &msgid), &be) != -1) {\n\t\t if (be) {\n\t\t\tif (arg1.s && *arg1.s)\n\t\t\t prot_printf(be->out, \"%s %s\\r\\n\", cmd.s, arg1.s);\n\t\t\telse\n\t\t\t prot_printf(be->out, \"%s\\r\\n\", cmd.s);\n\n\t\t\tif (be != backend_current) {\n\t\t\t r = read_response(be, 0, &result);\n\t\t\t if (r) goto noopengroup;\n\n\t\t\t prot_printf(nntp_out, \"%s\", result);\n\t\t\t if (!strncmp(result, \"224\", 3)) {\n\t\t\t\tpipe_to_end_of_response(be, 0);\n\t\t\t }\n\t\t\t}\n\t\t }\n\t\t else\n\t\t\tcmd_over(msgid, uid, last);\n\t\t}\n\n\t\tif (msgid) goto prevgroup;\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'P':\n\t if (!strcmp(cmd.s, \"Post\")) {\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tcmd_post(NULL, POST_POST);\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'Q':\n\t if (!strcmp(cmd.s, \"Quit\")) {\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tprot_printf(nntp_out, \"205 Connection closing\\r\\n\");\n\t\treturn;\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'S':\n\t if (!strcmp(cmd.s, \"Starttls\") && tls_enabled()) {\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\t/* XXX discard any input pipelined after STARTTLS */\n\t\tprot_flush(nntp_in);\n\n\t\tcmd_starttls(0);\n\t }\n\t else if (!strcmp(cmd.s, \"Stat\")) {\n\t\tmode = ARTICLE_STAT;\n\t\tgoto article;\n\t }\n\t else if 
(!nntp_userid && !allowanonymous) goto nologin;\n\t else if (!strcmp(cmd.s, \"Slave\")) {\t\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tprot_printf(nntp_out, \"202 Slave status noted\\r\\n\");\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'T':\n\t if (!strcmp(cmd.s, \"Takethis\")) {\n\t\tmode = POST_TAKETHIS;\n\t\tgoto ihave;\n\t }\n\t else goto badcmd;\n\t break;\n\n\tcase 'X':\n\t if (!strcmp(cmd.s, \"Xhdr\")) {\n\t\tgoto hdr;\n\t }\n\t else if (!strcmp(cmd.s, \"Xover\")) {\n\t\tgoto over;\n\t }\n\t else if (!strcmp(cmd.s, \"Xpat\")) {\n\t\tchar *msgid;\n\n\t\tif (c != ' ') goto missingargs;\n\t\tc = getword(nntp_in, &arg1); /* header */\n\t\tif (c != ' ') goto missingargs;\n\n\t\t/* gobble extra whitespace (hack for Mozilla) */\n\t\twhile ((c = prot_getc(nntp_in)) == ' ');\n\t\tprot_ungetc(c, nntp_in);\n\n\t\tc = getword(nntp_in, &arg2); /* range */\n\t\tif (c != ' ') goto missingargs;\n\t\tc = getword(nntp_in, &arg3); /* wildmat */\n\t\tif (c == EOF) goto missingargs;\n\n\t\t/* XXX per RFC 2980, we can have multiple patterns */\n\n\t\tif (c == '\\r') c = prot_getc(nntp_in);\n\t\tif (c != '\\n') goto extraargs;\n\n\t\tif (parserange(arg2.s, &uid, &last, &msgid, &be) != -1) {\n\t\t if (be) {\n\t\t\tprot_printf(be->out, \"%s %s %s %s\\r\\n\",\n\t\t\t\t cmd.s, arg1.s, arg2.s, arg3.s);\n\n\t\t\tif (be != backend_current) {\n\t\t\t r = read_response(be, 0, &result);\n\t\t\t if (r) goto noopengroup;\n\n\t\t\t prot_printf(nntp_out, \"%s\", result);\n\t\t\t if (!strncmp(result, \"221\", 3)) {\n\t\t\t\tpipe_to_end_of_response(be, 0);\n\t\t\t }\n\t\t\t}\n\t\t }\n\t\t else\n\t\t\tcmd_hdr(cmd.s, arg1.s, arg3.s, msgid, uid, last);\n\t\t}\n\n\t\tif (msgid) goto prevgroup;\n\t }\n\t else goto badcmd;\n\t break;\n\n\tdefault:\n\t badcmd:\n\t prot_printf(nntp_out, \"500 Unrecognized command\\r\\n\");\n\t eatline(nntp_in, c);\n\t}\n\n\tcontinue;\n\n noperm:\n\tprot_printf(nntp_out, \"502 Permission 
denied\\r\\n\");\n\teatline(nntp_in, c);\n\tcontinue;\n\n nologin:\n\tprot_printf(nntp_out, \"480 Authentication required\\r\\n\");\n\teatline(nntp_in, c);\n\tcontinue;\n\n cmddisabled:\n\tprot_printf(nntp_out, \"503 \\\"%s\\\" disabled\\r\\n\", cmd.s);\n\teatline(nntp_in, c);\n\tcontinue;\n\n extraargs:\n\tprot_printf(nntp_out, \"501 Unexpected extra argument\\r\\n\");\n\teatline(nntp_in, c);\n\tcontinue;\n\n missingargs:\n\tprot_printf(nntp_out, \"501 Missing argument\\r\\n\");\n\teatline(nntp_in, c);\n\tcontinue;\n\n baddatetime:\n\tprot_printf(nntp_out, \"501 Bad date/time\\r\\n\");\n\tcontinue;\n\n nogroup:\n\tprot_printf(nntp_out, \"411 No such newsgroup (%s)\\r\\n\",\n\t\t error_message(r));\n\n prevgroup:\n\t/* Return to previously selected group */\n\tif (*curgroup &&\n\t (!group_state || strcmp(curgroup, group_state->mailbox->name))) {\n\t open_group(curgroup, 1, NULL, NULL);\n\t}\n\n\tcontinue;\n\n noopengroup:\n\tprot_printf(nntp_out, \"412 No newsgroup selected\\r\\n\");\n\tcontinue;\n\n nocurrent:\n\tprot_printf(nntp_out, \"420 Current article number is invalid\\r\\n\");\n\tcontinue;\n }\n}", "project": "cyrus-imapd", "hash": 98586449225423569576643436771240715853, "size": 735, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451895 }, { "func": "static void mix_pool_bytes_extract(struct entropy_store *r, const void *in,\n\t\t\t\t int nbytes, __u8 out[64])\n{\n\tstatic __u32 const twist_table[8] = {\n\t\t0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,\n\t\t0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };\n\tunsigned long i, j, tap1, tap2, tap3, tap4, tap5;\n\tint input_rotate;\n\tint wordmask = r->poolinfo->poolwords - 1;\n\tconst char *bytes = in;\n\t__u32 w;\n\tunsigned long flags;\n\n\t/* Taps are constant, so we can load them without holding r->lock. 
*/\n\ttap1 = r->poolinfo->tap1;\n\ttap2 = r->poolinfo->tap2;\n\ttap3 = r->poolinfo->tap3;\n\ttap4 = r->poolinfo->tap4;\n\ttap5 = r->poolinfo->tap5;\n\n\tspin_lock_irqsave(&r->lock, flags);\n\tinput_rotate = r->input_rotate;\n\ti = r->add_ptr;\n\n\t/* mix one byte at a time to simplify size handling and churn faster */\n\twhile (nbytes--) {\n\t\tw = rol32(*bytes++, input_rotate & 31);\n\t\ti = (i - 1) & wordmask;\n\n\t\t/* XOR in the various taps */\n\t\tw ^= r->pool[i];\n\t\tw ^= r->pool[(i + tap1) & wordmask];\n\t\tw ^= r->pool[(i + tap2) & wordmask];\n\t\tw ^= r->pool[(i + tap3) & wordmask];\n\t\tw ^= r->pool[(i + tap4) & wordmask];\n\t\tw ^= r->pool[(i + tap5) & wordmask];\n\n\t\t/* Mix the result back in with a twist */\n\t\tr->pool[i] = (w >> 3) ^ twist_table[w & 7];\n\n\t\t/*\n\t\t * Normally, we add 7 bits of rotation to the pool.\n\t\t * At the beginning of the pool, add an extra 7 bits\n\t\t * rotation, so that successive passes spread the\n\t\t * input bits across the pool evenly.\n\t\t */\n\t\tinput_rotate += i ? 
7 : 14;\n\t}\n\n\tr->input_rotate = input_rotate;\n\tr->add_ptr = i;\n\n\tif (out)\n\t\tfor (j = 0; j < 16; j++)\n\t\t\t((__u32 *)out)[j] = r->pool[(i - j) & wordmask];\n\n\tspin_unlock_irqrestore(&r->lock, flags);\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 179421806364394549551230862945314829634, "size": 58, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. 
I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499907 }, { "func": "int oidc_check_user_id(request_rec *r) {\n\n\toidc_cfg *c = ap_get_module_config(r->server->module_config,\n\t\t\t&auth_openidc_module);\n\n\t/* log some stuff about the incoming HTTP request */\n\toidc_debug(r, \"incoming request: \\\"%s?%s\\\", ap_is_initial_req(r)=%d\",\n\t\t\tr->parsed_uri.path, r->args, ap_is_initial_req(r));\n\n\t/* see if any authentication has been defined at all */\n\tconst char *current_auth = ap_auth_type(r);\n\tif (current_auth == NULL)\n\t\treturn DECLINED;\n\n\t/* see if we've configured OpenID Connect user authentication for this request */\n\tif (strcasecmp(current_auth, OIDC_AUTH_TYPE_OPENID_CONNECT) == 0) {\n\n\t\tr->ap_auth_type = (char*) current_auth;\n\t\treturn oidc_check_userid_openidc(r, c);\n\t}\n\n\t/* see if we've configured OAuth 2.0 access control for this request */\n\tif (strcasecmp(current_auth, OIDC_AUTH_TYPE_OPENID_OAUTH20) == 0) {\n\n\t\tr->ap_auth_type = (char*) current_auth;\n\t\treturn oidc_oauth_check_userid(r, c, NULL);\n\t}\n\n\t/* see if we've configured \"mixed mode\" for this request */\n\tif (strcasecmp(current_auth, OIDC_AUTH_TYPE_OPENID_BOTH) == 0)\n\t\treturn oidc_check_mixed_userid_oauth(r, c);\n\n\t/* this is not for us but for some other handler */\n\treturn DECLINED;\n}", "project": "mod_auth_openidc", "hash": 120973360770506678736653720705977696909, "size": 35, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381916 }, { "func": "int oidc_check_user_id(request_rec *r) {\n\n\toidc_cfg *c = 
ap_get_module_config(r->server->module_config,\n\t\t\t&auth_openidc_module);\n\n\t/* log some stuff about the incoming HTTP request */\n\toidc_debug(r, \"incoming request: \\\"%s?%s\\\", ap_is_initial_req(r)=%d\",\n\t\t\tr->parsed_uri.path, r->args, ap_is_initial_req(r));\n\n\t/* see if any authentication has been defined at all */\n\tif (ap_auth_type(r) == NULL)\n\t\treturn DECLINED;\n\n\t/* see if we've configured OpenID Connect user authentication for this request */\n\tif (apr_strnatcasecmp((const char *) ap_auth_type(r),\n\t\t\tOIDC_AUTH_TYPE_OPENID_CONNECT) == 0)\n\t\treturn oidc_check_userid_openidc(r, c);\n\n\t/* see if we've configured OAuth 2.0 access control for this request */\n\tif (apr_strnatcasecmp((const char *) ap_auth_type(r),\n\t\t\tOIDC_AUTH_TYPE_OPENID_OAUTH20) == 0)\n\t\treturn oidc_oauth_check_userid(r, c, NULL);\n\n\t/* see if we've configured \"mixed mode\" for this request */\n\tif (apr_strnatcasecmp((const char *) ap_auth_type(r),\n\t\t\tOIDC_AUTH_TYPE_OPENID_BOTH) == 0)\n\t\treturn oidc_check_mixed_userid_oauth(r, c);\n\n\t/* this is not for us but for some other handler */\n\treturn DECLINED;\n}", "project": "mod_auth_openidc", "hash": 337231173099956180310603258864809360148, "size": 31, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447706 }, { "func": "void LanLinkProvider::deviceLinkDestroyed(QObject* destroyedDeviceLink)\n{\n const QString id = destroyedDeviceLink->property(\"deviceId\").toString();\n //qCDebug(KDECONNECT_CORE) << \"deviceLinkDestroyed\" << id;\n QMap< QString, LanDeviceLink* >::iterator linkIterator = m_links.find(id);\n Q_ASSERT(linkIterator != m_links.end());\n if (linkIterator != m_links.end()) {\n Q_ASSERT(linkIterator.value() == destroyedDeviceLink);\n m_links.erase(linkIterator);\n auto pairingHandler = m_pairingHandlers.take(id);\n if (pairingHandler) {\n pairingHandler->deleteLater();\n }\n }\n\n}", 
"project": "kdeconnect-kde", "hash": 272898698727272069220018086545337233663, "size": 16, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227368 }, { "func": " * @session: iscsi class session\n * @event: type of event\n */\nint iscsi_session_event(struct iscsi_cls_session *session,\n\t\t\tenum iscsi_uevent_e event)\n{\n\tstruct iscsi_internal *priv;\n\tstruct Scsi_Host *shost;\n\tstruct iscsi_uevent *ev;\n\tstruct sk_buff *skb;\n\tstruct nlmsghdr *nlh;\n\tint rc, len = nlmsg_total_size(sizeof(*ev));\n\n\tpriv = iscsi_if_transport_lookup(session->transport);\n\tif (!priv)\n\t\treturn -EINVAL;\n\tshost = iscsi_session_to_shost(session);\n\n\tskb = alloc_skb(len, GFP_KERNEL);\n\tif (!skb) {\n\t\tiscsi_cls_session_printk(KERN_ERR, session,\n\t\t\t\t\t \"Cannot notify userspace of session \"\n\t\t\t\t\t \"event %u\\n\", event);\n\t\treturn -ENOMEM;\n\t}\n\n\tnlh = __nlmsg_put(skb, 0, 0, 0, (len - sizeof(*nlh)), 0);\n\tev = nlmsg_data(nlh);\n\tev->transport_handle = iscsi_handle(session->transport);\n\n\tev->type = event;\n\tswitch (event) {\n\tcase ISCSI_KEVENT_DESTROY_SESSION:\n\t\tev->r.d_session.host_no = shost->host_no;\n\t\tev->r.d_session.sid = session->sid;\n\t\tbreak;\n\tcase ISCSI_KEVENT_CREATE_SESSION:\n\t\tev->r.c_session_ret.host_no = shost->host_no;\n\t\tev->r.c_session_ret.sid = session->sid;\n\t\tbreak;\n\tcase ISCSI_KEVENT_UNBIND_SESSION:\n\t\tev->r.unbind_session.host_no = shost->host_no;\n\t\tev->r.unbind_session.sid = session->sid;\n\t\tbreak;\n\tdefault:\n\t\tiscsi_cls_session_printk(KERN_ERR, session, \"Invalid event \"\n\t\t\t\t\t \"%u.\\n\", event);\n\t\tkfree_skb(skb);\n\t\treturn -EINVAL;\n\t}\n\n\t/*\n\t * this will occur if the daemon is not up, so we just warn\n\t * the user and when the daemon is restarted it will handle it\n\t */\n\trc = iscsi_multicast_skb(skb, 
ISCSI_NL_GRP_ISCSID, GFP_KERNEL);\n\tif (rc == -ESRCH)\n\t\tiscsi_cls_session_printk(KERN_ERR, session,\n\t\t\t\t\t \"Cannot notify userspace of session \"\n\t\t\t\t\t \"event %u. Check iscsi daemon\\n\",\n\t\t\t\t\t event);\n\n\tISCSI_DBG_TRANS_SESSION(session, \"Completed handling event %d rc %d\\n\",", "project": "linux", "hash": 118686251061533945783492107677069768413, "size": 63, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379906 }, { "func": "void sigqueue_free(struct sigqueue *q)\n{\n\tunsigned long flags;\n\tspinlock_t *lock = ¤t->sighand->siglock;\n\n\tBUG_ON(!(q->flags & SIGQUEUE_PREALLOC));\n\t/*\n\t * We must hold ->siglock while testing q->list\n\t * to serialize with collect_signal() or with\n\t * __exit_signal()->flush_sigqueue().\n\t */\n\tspin_lock_irqsave(lock, flags);\n\tq->flags &= ~SIGQUEUE_PREALLOC;\n\t/*\n\t * If it is queued it will be freed when dequeued,\n\t * like the \"regular\" sigqueue.\n\t */\n\tif (!list_empty(&q->list))\n\t\tq = NULL;\n\tspin_unlock_irqrestore(lock, flags);\n\n\tif (q)\n\t\t__sigqueue_free(q);\n}", "project": "linux", "hash": 67513882548833142917491667984439758678, "size": 24, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375171 }, { "func": "R_API void r_core_prompt_loop(RCore *r) {\n\tint ret;\n\tdo {\n\t\tint err = r_core_prompt (r, false);\n\t\tif (err < 1) {\n\t\t\t// handle ^D\n\t\t\tr->num->value = 0; // r.num->value will be read by r_main_radare2() after calling this fcn\n\t\t\tbreak;\n\t\t}\n\t\t/* -1 means invalid command, -2 means quit prompt loop */\n\t\tif ((ret = r_core_prompt_exec (r)) == -2) {\n\t\t\tbreak;\n\t\t}\n\t} while (ret != R_CORE_CMD_EXIT);\n}", "project": "radare2", "hash": 202407502412479426253984296145433492757, "size": 15, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232098 }, { "func": "static int __io_import_fixed(struct io_kiocb *req, int rw, struct iov_iter *iter,\n\t\t\t struct io_mapped_ubuf *imu)\n{\n\tsize_t len = req->rw.len;\n\tu64 buf_end, buf_addr = req->rw.addr;\n\tsize_t offset;\n\n\tif (unlikely(check_add_overflow(buf_addr, (u64)len, &buf_end)))\n\t\treturn -EFAULT;\n\t/* not inside the mapped region */\n\tif (unlikely(buf_addr < imu->ubuf || buf_end > imu->ubuf_end))\n\t\treturn -EFAULT;\n\n\t/*\n\t * May not be a start of buffer, set size appropriately\n\t * and advance us to the beginning.\n\t */\n\toffset = buf_addr - imu->ubuf;\n\tiov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);\n\n\tif (offset) {\n\t\t/*\n\t\t * Don't use iov_iter_advance() here, as it's really slow for\n\t\t * using the latter parts of a big fixed buffer - it iterates\n\t\t * over each segment manually. We can cheat a bit here, because\n\t\t * we know that:\n\t\t *\n\t\t * 1) it's a BVEC iter, we set it up\n\t\t * 2) all bvecs are PAGE_SIZE in size, except potentially the\n\t\t * first and last bvec\n\t\t *\n\t\t * So just find our index, and adjust the iterator afterwards.\n\t\t * If the offset is within the first bvec (or the whole first\n\t\t * bvec, just use iov_iter_advance(). 
This makes it easier\n\t\t * since we can just skip the first segment, which may not\n\t\t * be PAGE_SIZE aligned.\n\t\t */\n\t\tconst struct bio_vec *bvec = imu->bvec;\n\n\t\tif (offset <= bvec->bv_len) {\n\t\t\tiov_iter_advance(iter, offset);\n\t\t} else {\n\t\t\tunsigned long seg_skip;\n\n\t\t\t/* skip first vec */\n\t\t\toffset -= bvec->bv_len;\n\t\t\tseg_skip = 1 + (offset >> PAGE_SHIFT);\n\n\t\t\titer->bvec = bvec + seg_skip;\n\t\t\titer->nr_segs -= seg_skip;\n\t\t\titer->count -= bvec->bv_len + offset;\n\t\t\titer->iov_offset = offset & ~PAGE_MASK;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 288288860731068917781531202269134562520, "size": 57, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338667 }, { "func": " virtual void update_null_value ()\n {\n switch (cmp_type()) {\n case INT_RESULT:\n (void) val_int();\n break;\n case REAL_RESULT:\n (void) val_real();\n break;\n case DECIMAL_RESULT:\n {\n my_decimal tmp;\n (void) val_decimal(&tmp);\n }\n break;\n case TIME_RESULT:\n {\n MYSQL_TIME ltime;\n (void) get_temporal_with_sql_mode(<ime);\n }\n break;\n case STRING_RESULT:\n {\n StringBuffer tmp;\n (void) val_str(&tmp);\n }\n break;\n case ROW_RESULT:\n DBUG_ASSERT(0);\n null_value= 
true;\n }\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 34360438519569084477609442208671149522, "size": 32, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509420 }, { "func": "static int evaluate_permissions(struct libmnt_context *cxt)\n{\n\tstruct libmnt_table *fstab;\n\tunsigned long u_flags = 0;\n\tconst char *tgt, *src, *optstr;\n\tint rc = 0, ok = 0;\n\tstruct libmnt_fs *fs;\n\n\tassert(cxt);\n\tassert(cxt->fs);\n\tassert((cxt->flags & MNT_FL_MOUNTFLAGS_MERGED));\n\n\tif (!mnt_context_is_restricted(cxt))\n\t\t return 0;\t\t/* superuser mount */\n\n\tDBG(CXT, ul_debugobj(cxt, \"umount: evaluating permissions\"));\n\n\tif (!mnt_context_tab_applied(cxt)) {\n\t\tDBG(CXT, ul_debugobj(cxt,\n\t\t\t\t\"cannot find %s in mtab and you are not root\",\n\t\t\t\tmnt_fs_get_target(cxt->fs)));\n\t\tgoto eperm;\n\t}\n\n\tif (cxt->user_mountflags & MNT_MS_UHELPER) {\n\t\t/* on uhelper= mount option based helper */\n\t\trc = prepare_helper_from_options(cxt, \"uhelper\");\n\t\tif (rc)\n\t\t\treturn 
rc;\n\t\tif (cxt->helper)\n\t\t\treturn 0;\t/* we'll call /sbin/umount. */\n\t}\n\n\t/*\n\t * Check if this is a fuse mount for the current user,\n\t * if so then unmounting is allowed\n\t */\n\tif (is_fuse_usermount(cxt, &rc)) {\n\t\tDBG(CXT, ul_debugobj(cxt, \"fuse user mount, umount is allowed\"));\n\t\treturn 0;\n\t}\n\tif (rc)\n\t\treturn rc;\n\n\t/*\n\t * User mounts have to be in /etc/fstab\n\t */\n\trc = mnt_context_get_fstab(cxt, &fstab);\n\tif (rc)\n\t\treturn rc;\n\n\ttgt = mnt_fs_get_target(cxt->fs);\n\tsrc = mnt_fs_get_source(cxt->fs);\n\n\tif (mnt_fs_get_bindsrc(cxt->fs)) {\n\t\tsrc = mnt_fs_get_bindsrc(cxt->fs);\n\t\tDBG(CXT, ul_debugobj(cxt,\n\t\t\t\t\"umount: using bind source: %s\", src));\n\t}\n\n\t/* If fstab contains the two lines\n\t *\t/dev/sda1 /mnt/zip auto user,noauto 0 0\n\t *\t/dev/sda4 /mnt/zip auto user,noauto 0 0\n\t * then \"mount /dev/sda4\" followed by \"umount /mnt/zip\" used to fail.\n\t * So, we must not look for the file, but for the pair (dev,file) in fstab.\n\t */\n\tfs = mnt_table_find_pair(fstab, src, tgt, MNT_ITER_FORWARD);\n\tif (!fs) {\n\t\t/*\n\t\t * It's possible that there is /path/file.img in fstab and\n\t\t * /dev/loop0 in mtab -- then we have to check the relation\n\t\t * between loopdev and the file.\n\t\t */\n\t\tfs = mnt_table_find_target(fstab, tgt, MNT_ITER_FORWARD);\n\t\tif (fs) {\n\t\t\tstruct libmnt_cache *cache = mnt_context_get_cache(cxt);\n\t\t\tconst char *sp = mnt_fs_get_srcpath(cxt->fs);\t\t/* devname from mtab */\n\t\t\tconst char *dev = sp && cache ? 
mnt_resolve_path(sp, cache) : sp;\n\n\t\t\tif (!dev || !is_associated_fs(dev, fs))\n\t\t\t\tfs = NULL;\n\t\t}\n\t\tif (!fs) {\n\t\t\tDBG(CXT, ul_debugobj(cxt,\n\t\t\t\t\t\"umount %s: mtab disagrees with fstab\",\n\t\t\t\t\ttgt));\n\t\t\tgoto eperm;\n\t\t}\n\t}\n\n\t/*\n\t * User mounting and unmounting is allowed only if fstab contains one\n\t * of the options `user', `users' or `owner' or `group'.\n\t *\n\t * The option `users' allows arbitrary users to mount and unmount -\n\t * this may be a security risk.\n\t *\n\t * The options `user', `owner' and `group' only allow unmounting by the\n\t * user that mounted (visible in mtab).\n\t */\n\toptstr = mnt_fs_get_user_options(fs);\t/* FSTAB mount options! */\n\tif (!optstr)\n\t\tgoto eperm;\n\n\tif (mnt_optstr_get_flags(optstr, &u_flags,\n\t\t\t\tmnt_get_builtin_optmap(MNT_USERSPACE_MAP)))\n\t\tgoto eperm;\n\n\tif (u_flags & MNT_MS_USERS) {\n\t\tDBG(CXT, ul_debugobj(cxt,\n\t\t\t\"umount: promiscuous setting ('users') in fstab\"));\n\t\treturn 0;\n\t}\n\t/*\n\t * Check user= setting from mtab if there is a user, owner or\n\t * group option in /etc/fstab\n\t */\n\tif (u_flags & (MNT_MS_USER | MNT_MS_OWNER | MNT_MS_GROUP)) {\n\n\t\tchar *curr_user;\n\t\tchar *mtab_user = NULL;\n\t\tsize_t sz;\n\t\tstruct libmnt_ns *ns_old;\n\n\t\tDBG(CXT, ul_debugobj(cxt,\n\t\t\t\t\"umount: checking user= from mtab\"));\n\n\t\tns_old = mnt_context_switch_origin_ns(cxt);\n\t\tif (!ns_old)\n\t\t\treturn -MNT_ERR_NAMESPACE;\n\n\t\tcurr_user = mnt_get_username(getuid());\n\n\t\tif (!mnt_context_switch_ns(cxt, ns_old)) {\n\t\t\tfree(curr_user);\n\t\t\treturn -MNT_ERR_NAMESPACE;\n\t\t}\n\t\tif (!curr_user) {\n\t\t\tDBG(CXT, ul_debugobj(cxt, \"umount %s: cannot \"\n\t\t\t\t\"convert %d to username\", tgt, getuid()));\n\t\t\tgoto eperm;\n\t\t}\n\n\t\t/* get options from mtab */\n\t\toptstr = mnt_fs_get_user_options(cxt->fs);\n\t\tif (optstr && !mnt_optstr_get_option(optstr,\n\t\t\t\t\t\"user\", &mtab_user, &sz) && sz)\n\t\t\tok = 
!strncmp(curr_user, mtab_user, sz);\n\n\t\tfree(curr_user);\n\t}\n\n\tif (ok) {\n\t\tDBG(CXT, ul_debugobj(cxt, \"umount %s is allowed\", tgt));\n\t\treturn 0;\n\t}\neperm:\n\tDBG(CXT, ul_debugobj(cxt, \"umount is not allowed for you\"));\n\treturn -EPERM;\n}", "project": "util-linux", "hash": 210022744998435071583607310401472244328, "size": 160, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410400 }, { "func": "static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr)\n{\n\tvoid *ext_hdrs[SADB_EXT_MAX];\n\tint err;\n\n\tpfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL,\n\t\t\tBROADCAST_PROMISC_ONLY, NULL, sock_net(sk));\n\n\tmemset(ext_hdrs, 0, sizeof(ext_hdrs));\n\terr = parse_exthdrs(skb, hdr, ext_hdrs);\n\tif (!err) {\n\t\terr = -EOPNOTSUPP;\n\t\tif (pfkey_funcs[hdr->sadb_msg_type])\n\t\t\terr = pfkey_funcs[hdr->sadb_msg_type](sk, skb, hdr, ext_hdrs);\n\t}\n\treturn err;\n}", "project": "linux", "hash": 146080299045727256525881713890044297667, "size": 17, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268071 }, { "func": "static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_user_confirm_reply *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\thci_dev_lock(hdev);\n\n\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tmgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,\n\t\t\t\t\t\t ACL_LINK, 0, rp->status);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 162125025298250329215075611785346453982, "size": 15, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431993 }, { "func": "void opj_tcd_makelayer(opj_tcd_t *tcd,\n OPJ_UINT32 layno,\n OPJ_FLOAT64 thresh,\n OPJ_UINT32 final)\n{\n OPJ_UINT32 compno, resno, bandno, precno, cblkno;\n OPJ_UINT32 passno;\n\n opj_tcd_tile_t *tcd_tile = tcd->tcd_image->tiles;\n\n tcd_tile->distolayer[layno] = 0; /* fixed_quality */\n\n for (compno = 0; compno < tcd_tile->numcomps; compno++) {\n opj_tcd_tilecomp_t *tilec = &tcd_tile->comps[compno];\n\n for (resno = 0; resno < tilec->numresolutions; resno++) {\n opj_tcd_resolution_t *res = &tilec->resolutions[resno];\n\n for (bandno = 0; bandno < res->numbands; bandno++) {\n opj_tcd_band_t *band = &res->bands[bandno];\n\n /* Skip empty bands */\n if (opj_tcd_is_band_empty(band)) {\n continue;\n }\n\n for (precno = 0; precno < res->pw * res->ph; precno++) {\n opj_tcd_precinct_t *prc = &band->precincts[precno];\n\n for (cblkno = 0; cblkno < prc->cw * prc->ch; cblkno++) {\n opj_tcd_cblk_enc_t *cblk = &prc->cblks.enc[cblkno];\n opj_tcd_layer_t *layer = &cblk->layers[layno];\n OPJ_UINT32 n;\n\n if (layno == 0) {\n cblk->numpassesinlayers = 0;\n }\n\n n = cblk->numpassesinlayers;\n\n if (thresh < 0) {\n /* Special value to indicate to use all passes */\n n = cblk->totalpasses;\n } else {\n for (passno = cblk->numpassesinlayers; passno < cblk->totalpasses; passno++) {\n OPJ_UINT32 dr;\n OPJ_FLOAT64 dd;\n opj_tcd_pass_t *pass = &cblk->passes[passno];\n\n if (n == 0) {\n dr = pass->rate;\n dd = pass->distortiondec;\n } else {\n dr = pass->rate - cblk->passes[n - 1].rate;\n dd = pass->distortiondec - cblk->passes[n - 1].distortiondec;\n }\n\n if (!dr) {\n if (dd != 0) {\n n = passno + 1;\n 
}\n continue;\n }\n if (thresh - (dd / dr) <\n DBL_EPSILON) { /* do not rely on float equality, check with DBL_EPSILON margin */\n n = passno + 1;\n }\n }\n }\n\n layer->numpasses = n - cblk->numpassesinlayers;\n\n if (!layer->numpasses) {\n layer->disto = 0;\n continue;\n }\n\n if (cblk->numpassesinlayers == 0) {\n layer->len = cblk->passes[n - 1].rate;\n layer->data = cblk->data;\n layer->disto = cblk->passes[n - 1].distortiondec;\n } else {\n layer->len = cblk->passes[n - 1].rate - cblk->passes[cblk->numpassesinlayers -\n 1].rate;\n layer->data = cblk->data + cblk->passes[cblk->numpassesinlayers - 1].rate;\n layer->disto = cblk->passes[n - 1].distortiondec -\n cblk->passes[cblk->numpassesinlayers - 1].distortiondec;\n }\n\n tcd_tile->distolayer[layno] += layer->disto; /* fixed_quality */\n\n if (final) {\n cblk->numpassesinlayers = n;\n }\n }\n }\n }\n }\n }\n}", "project": "openjpeg", "hash": 29894575418606518226450588428439039400, "size": 100, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359163 }, { "func": "static u64 attr_timeout(struct fuse_attr_out *o)\n{\n\treturn time_to_jiffies(o->attr_valid, o->attr_valid_nsec);\n}", "project": "linux", "hash": 128417898128043603196934518790792229519, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342160 }, { "func": "static Variant php_replace_in_subject(const Variant& regex, const Variant& replace,\n String subject, int limit, bool callable,\n int* replace_count) {\n if (!regex.isArray()) {\n return php_pcre_replace(regex.toString(), subject, replace, callable,\n limit, replace_count);\n }\n\n if (callable || !replace.isArray()) {\n Array arr = regex.toDArray();\n for (ArrayIter iterRegex(arr); iterRegex; ++iterRegex) {\n String regex_entry = iterRegex.second().toString();\n auto ret = php_pcre_replace(regex_entry, subject, replace, callable,\n limit, replace_count);\n if (!ret.isString()) {\n assertx(ret.isNull());\n return ret; // php_pcre_replace already set error\n }\n subject = ret.asStrRef();\n assertx(!subject.isNull());\n }\n return preg_return_no_error(std::move(subject));\n }\n\n Array arrReplace = replace.toDArray();\n Array arrRegex = regex.toDArray();\n ArrayIter iterReplace(arrReplace);\n for (ArrayIter iterRegex(arrRegex); iterRegex; ++iterRegex) {\n String regex_entry = iterRegex.second().toString();\n Variant replace_value;\n if (iterReplace) {\n replace_value = iterReplace.second();\n ++iterReplace;\n }\n\n auto ret = php_pcre_replace(regex_entry, subject, replace_value, callable,\n limit, replace_count);\n if (!ret.isString()) {\n 
assertx(ret.isNull());\n return ret; // php_pcre_replace already set error\n }\n subject = ret.asStrRef();\n assertx(!subject.isNull());\n }\n return preg_return_no_error(std::move(subject));\n}", "project": "hhvm", "hash": 292299265441362015451921435132788012668, "size": 46, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219181 }, { "func": "static inline int tcp_skb_mss(const struct sk_buff *skb)\n{\n\treturn TCP_SKB_CB(skb)->tcp_gso_size;\n}", "project": "linux", "hash": 206621031498250716508004390375776766968, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410720 }, { "func": "static void do_jobctl_trap(void)\n{\n\tstruct signal_struct *signal = current->signal;\n\tint signr = current->jobctl & JOBCTL_STOP_SIGMASK;\n\n\tif (current->ptrace & PT_SEIZED) {\n\t\tif (!signal->group_stop_count &&\n\t\t !(signal->flags & SIGNAL_STOP_STOPPED))\n\t\t\tsignr = SIGTRAP;\n\t\tWARN_ON_ONCE(!signr);\n\t\tptrace_do_notify(signr, signr | (PTRACE_EVENT_STOP << 8),\n\t\t\t\t CLD_STOPPED);\n\t} else {\n\t\tWARN_ON_ONCE(!signr);\n\t\tptrace_stop(signr, CLD_STOPPED, 0, NULL);\n\t\tcurrent->exit_code = 0;\n\t}\n}", "project": "linux", "hash": 230009838443454565513466819768856797753, "size": 18, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375322 }, { "func": "static int grep_tree(struct grep_opt *opt, const char **paths,\n\t\t struct tree_desc *tree,\n\t\t const char *tree_name, const char *base)\n{\n\tint len;\n\tint hit = 0;\n\tstruct name_entry entry;\n\tchar *down;\n\tint tn_len = strlen(tree_name);\n\tchar *path_buf = xmalloc(PATH_MAX + tn_len + 100);\n\n\tif (tn_len) {\n\t\ttn_len = sprintf(path_buf, \"%s:\", tree_name);\n\t\tdown = path_buf + tn_len;\n\t\tstrcat(down, base);\n\t}\n\telse {\n\t\tdown = path_buf;\n\t\tstrcpy(down, base);\n\t}\n\tlen = strlen(path_buf);\n\n\twhile (tree_entry(tree, &entry)) {\n\t\tstrcpy(path_buf + len, entry.path);\n\n\t\tif (S_ISDIR(entry.mode))\n\t\t\t/* Match \"abc/\" against pathspec to\n\t\t\t * decide if we want to descend into \"abc\"\n\t\t\t * directory.\n\t\t\t */\n\t\t\tstrcpy(path_buf + len + tree_entry_len(entry.path, entry.sha1), \"/\");\n\n\t\tif (!pathspec_matches(paths, down))\n\t\t\t;\n\t\telse if (S_ISREG(entry.mode))\n\t\t\thit |= grep_sha1(opt, entry.sha1, path_buf, tn_len);\n\t\telse if (S_ISDIR(entry.mode)) {\n\t\t\tenum object_type type;\n\t\t\tstruct tree_desc sub;\n\t\t\tvoid *data;\n\t\t\tunsigned long size;\n\n\t\t\tdata = read_sha1_file(entry.sha1, &type, &size);\n\t\t\tif (!data)\n\t\t\t\tdie(\"unable to read tree (%s)\",\n\t\t\t\t sha1_to_hex(entry.sha1));\n\t\t\tinit_tree_desc(&sub, data, size);\n\t\t\thit |= grep_tree(opt, paths, &sub, tree_name, down);\n\t\t\tfree(data);\n\t\t}\n\t}\n\treturn hit;\n}", "project": "git", "hash": 
77154386793728243633685029216704517884, "size": 53, "commit_id": "620e2bb93785ed8eb60846d94fd4753d4817c8ec", "message": "Fix buffer overflow in git-grep\n\nIf PATH_MAX on your system is smaller than any path stored in the git\nrepository, that can cause memory corruption inside of the grep_tree\nfunction used by git-grep.\n\nSigned-off-by: Dmitry Potapov \nSigned-off-by: Junio C Hamano ", "target": 1, "dataset": "other", "idx": 211109 }, { "func": "static int grep_tree(struct grep_opt *opt, const char **paths,\n\t\t struct tree_desc *tree,\n\t\t const char *tree_name, const char *base)\n{\n\tint len;\n\tint hit = 0;\n\tstruct name_entry entry;\n\tchar *down;\n\tint tn_len = strlen(tree_name);\n\tstruct strbuf pathbuf;\n\n\tstrbuf_init(&pathbuf, PATH_MAX + tn_len);\n\n\tif (tn_len) {\n\t\tstrbuf_add(&pathbuf, tree_name, tn_len);\n\t\tstrbuf_addch(&pathbuf, ':');\n\t\ttn_len = pathbuf.len;\n\t}\n\tstrbuf_addstr(&pathbuf, base);\n\tlen = pathbuf.len;\n\n\twhile (tree_entry(tree, &entry)) {\n\t\tint te_len = tree_entry_len(entry.path, entry.sha1);\n\t\tpathbuf.len = len;\n\t\tstrbuf_add(&pathbuf, entry.path, te_len);\n\n\t\tif (S_ISDIR(entry.mode))\n\t\t\t/* Match \"abc/\" against pathspec to\n\t\t\t * decide if we want to descend into \"abc\"\n\t\t\t * directory.\n\t\t\t */\n\t\t\tstrbuf_addch(&pathbuf, '/');\n\n\t\tdown = pathbuf.buf + tn_len;\n\t\tif (!pathspec_matches(paths, down))\n\t\t\t;\n\t\telse if (S_ISREG(entry.mode))\n\t\t\thit |= grep_sha1(opt, entry.sha1, pathbuf.buf, tn_len);\n\t\telse if (S_ISDIR(entry.mode)) {\n\t\t\tenum object_type type;\n\t\t\tstruct tree_desc sub;\n\t\t\tvoid *data;\n\t\t\tunsigned long size;\n\n\t\t\tdata = read_sha1_file(entry.sha1, &type, &size);\n\t\t\tif (!data)\n\t\t\t\tdie(\"unable to read tree (%s)\",\n\t\t\t\t sha1_to_hex(entry.sha1));\n\t\t\tinit_tree_desc(&sub, data, size);\n\t\t\thit |= grep_tree(opt, paths, &sub, tree_name, down);\n\t\t\tfree(data);\n\t\t}\n\t}\n\tstrbuf_release(&pathbuf);\n\treturn hit;\n}", 
"project": "git", "hash": 315062688524784334062144621049330398394, "size": 56, "commit_id": "620e2bb93785ed8eb60846d94fd4753d4817c8ec", "message": "Fix buffer overflow in git-grep\n\nIf PATH_MAX on your system is smaller than any path stored in the git\nrepository, that can cause memory corruption inside of the grep_tree\nfunction used by git-grep.\n\nSigned-off-by: Dmitry Potapov \nSigned-off-by: Junio C Hamano ", "target": 0, "dataset": "other", "idx": 446048 }, { "func": "\nstatic void bfq_exit_bfqq(struct bfq_data *bfqd, struct bfq_queue *bfqq)\n{\n\tif (bfqq == bfqd->in_service_queue) {\n\t\t__bfq_bfqq_expire(bfqd, bfqq, BFQQE_BUDGET_TIMEOUT);\n\t\tbfq_schedule_dispatch(bfqd);\n\t}\n\n\tbfq_log_bfqq(bfqd, bfqq, \"exit_bfqq: %p, %d\", bfqq, bfqq->ref);\n\n\tbfq_put_cooperator(bfqq);\n\n\tbfq_release_process_ref(bfqd, bfqq);", "project": "linux", "hash": 148933369364446164750179348058422841238, "size": 13, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453334 }, { "func": "unsigned int CClient::DetachChans(const std::set& sChans) {\n unsigned int uDetached = 0;\n for (CChan* pChan : sChans) {\n if (pChan->IsDetached()) continue;\n uDetached++;\n pChan->DetachUser();\n }\n return uDetached;\n}", "project": "znc", "hash": 212131118239899787844198523173356701762, "size": 9, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231590 }, { "func": "static int imap_mbox_open_append(struct Mailbox *m, OpenMailboxFlags flags)\n{\n if (!m->account)\n return -1;\n\n /* in APPEND mode, we appear to hijack an existing IMAP connection -\n * ctx is brand new and mostly empty */\n struct ImapAccountData *adata = imap_adata_get(m);\n struct ImapMboxData *mdata = imap_mdata_get(m);\n\n int rc = imap_mailbox_status(m, false);\n if 
(rc >= 0)\n return 0;\n if (rc == -1)\n return -1;\n\n char buf[PATH_MAX + 64];\n snprintf(buf, sizeof(buf), _(\"Create %s?\"), mdata->name);\n if (C_Confirmcreate && (mutt_yesorno(buf, MUTT_YES) != MUTT_YES))\n return -1;\n\n if (imap_create_mailbox(adata, mdata->name) < 0)\n return -1;\n\n return 0;\n}", "project": "neomutt", "hash": 52279861343345234087830821711770661287, "size": 26, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357050 }, { "func": "static bool regs_use_siar(struct pt_regs *regs)\n{\n\t/*\n\t * When we take a performance monitor exception the regs are setup\n\t * using perf_read_regs() which overloads some fields, in particular\n\t * regs->result to tell us whether to use SIAR.\n\t *\n\t * However if the regs are from another exception, eg. a syscall, then\n\t * they have not been setup using perf_read_regs() and so regs->result\n\t * is something random.\n\t */\n\treturn ((TRAP(regs) == INTERRUPT_PERFMON) && regs->result);\n}", "project": "linux", "hash": 314245157343814757945617380960086001665, "size": 13, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n 
perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374682 }, { "func": "static int path_parentat(struct nameidata *nd, unsigned flags,\n\t\t\t\tstruct path *parent)\n{\n\tconst char *s = path_init(nd, flags);\n\tint err = link_path_walk(s, nd);\n\tif (!err)\n\t\terr = complete_walk(nd);\n\tif (!err) {\n\t\t*parent = nd->path;\n\t\tnd->path.mnt = NULL;\n\t\tnd->path.dentry = NULL;\n\t}\n\tterminate_walk(nd);\n\treturn err;\n}", "project": "linux", "hash": 85063775780821233362644949965562119654, "size": 15, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295329 }, { "func": "int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)\n{\n\td->p = p;\n\td->q = q;\n\td->g = g;\n\n\treturn 1;\n}", "project": "php-src", "hash": 
75267819969248180468144595652580108984, "size": 8, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291434 }, { "func": "int inode_permission(struct inode *inode, int mask)\n{\n\tint retval;\n\n\tretval = sb_permission(inode->i_sb, inode, mask);\n\tif (retval)\n\t\treturn retval;\n\n\tif (unlikely(mask & MAY_WRITE)) {\n\t\t/*\n\t\t * Nobody gets write access to an immutable file.\n\t\t */\n\t\tif (IS_IMMUTABLE(inode))\n\t\t\treturn -EPERM;\n\n\t\t/*\n\t\t * Updating mtime will likely cause i_uid and i_gid to be\n\t\t * written back improperly if their true value is unknown\n\t\t * to the vfs.\n\t\t */\n\t\tif (HAS_UNMAPPED_ID(inode))\n\t\t\treturn -EACCES;\n\t}\n\n\tretval = do_inode_permission(inode, mask);\n\tif (retval)\n\t\treturn retval;\n\n\tretval = devcgroup_inode_permission(inode, mask);\n\tif (retval)\n\t\treturn retval;\n\n\treturn security_inode_permission(inode, mask);\n}", "project": "linux", "hash": 35137916744025673694401073500533157988, "size": 34, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295393 }, { "func": "static inline void encode_claim_fh(struct xdr_stream *xdr)\n{\n\t__be32 *p;\n\n\tp = reserve_space(xdr, 4);\n\t*p = cpu_to_be32(NFS4_OPEN_CLAIM_FH);\n}", "project": "linux", "hash": 133060975123629647746888051089496166489, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large 
enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431062 }, { "func": "CallResult JSObject::defineOwnComputedPrimitive(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n DefinePropertyFlags dpFlags,\n Handle<> valueOrAccessor,\n PropOpFlags opFlags) {\n assert(\n !nameValHandle->isObject() &&\n \"nameValHandle passed to \"\n \"defineOwnComputedPrimitive() cannot be \"\n \"an object\");\n assert(\n !opFlags.getMustExist() && \"cannot use mustExist with defineOwnProperty\");\n assert(\n !(dpFlags.setValue && dpFlags.isAccessor()) &&\n \"Cannot set both value and accessor\");\n assert(\n (dpFlags.setValue || dpFlags.isAccessor() ||\n valueOrAccessor.get().isUndefined()) &&\n \"value must be undefined when all of setValue/setSetter/setGetter are \"\n \"false\");\n assert(\n !dpFlags.enableInternalSetter &&\n \"Cannot set internalSetter on a computed property\");\n#ifndef NDEBUG\n if (dpFlags.isAccessor()) {\n assert(valueOrAccessor.get().isPointer() && \"accessor must be non-empty\");\n assert(\n !dpFlags.setWritable && !dpFlags.writable &&\n \"writable must not be set with accessors\");\n }\n#endif\n\n // If the name is a valid integer array index, store it here.\n OptValue arrayIndex;\n\n // If we have indexed storage, we must attempt to convert the name to array\n // index, even if the conversion is expensive.\n if (selfHandle->flags_.indexedStorage) {\n MutableHandle strPrim{runtime};\n TO_ARRAY_INDEX(runtime, nameValHandle, strPrim, arrayIndex);\n }\n\n SymbolID id{};\n\n // If not storing a property with an array index name, or if we don't have\n // indexed storage, just pass to the named routine.\n if (!arrayIndex) {\n LAZY_TO_IDENTIFIER(runtime, nameValHandle, id);\n return defineOwnProperty(\n selfHandle, runtime, id, dpFlags, valueOrAccessor, opFlags);\n 
}\n\n // At this point we know that we have indexed storage and that the property\n // has an index-like name.\n\n // First check if a named property with the same name exists.\n if (selfHandle->clazz_.get(runtime)->getHasIndexLikeProperties()) {\n LAZY_TO_IDENTIFIER(runtime, nameValHandle, id);\n\n NamedPropertyDescriptor desc;\n auto pos = findProperty(selfHandle, runtime, id, desc);\n // If we found a named property, update it.\n if (pos) {\n return updateOwnProperty(\n selfHandle,\n runtime,\n id,\n *pos,\n desc,\n dpFlags,\n valueOrAccessor,\n opFlags);\n }\n }\n\n // Does an indexed property with that index exist?\n auto indexedPropPresent =\n getOwnIndexedPropertyFlags(selfHandle.get(), runtime, *arrayIndex);\n if (indexedPropPresent) {\n // The current value of the property.\n HermesValue curValueOrAccessor =\n getOwnIndexed(selfHandle.get(), runtime, *arrayIndex);\n\n auto updateStatus = checkPropertyUpdate(\n runtime,\n *indexedPropPresent,\n dpFlags,\n curValueOrAccessor,\n valueOrAccessor,\n opFlags);\n if (updateStatus == ExecutionStatus::EXCEPTION)\n return ExecutionStatus::EXCEPTION;\n if (updateStatus->first == PropertyUpdateStatus::failed)\n return false;\n\n // The property update is valid, but can the property remain an \"indexed\"\n // property, or do we need to convert it to a named property?\n // If the property flags didn't change, the property remains indexed.\n if (updateStatus->second == *indexedPropPresent) {\n // If the value doesn't change, we are done.\n if (updateStatus->first == PropertyUpdateStatus::done)\n return true;\n\n // If we successfully updated the value, we are done.\n auto result =\n setOwnIndexed(selfHandle, runtime, *arrayIndex, valueOrAccessor);\n if (LLVM_UNLIKELY(result == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n if (*result)\n return true;\n\n if (opFlags.getThrowOnError()) {\n // TODO: better error message.\n return runtime->raiseTypeError(\n \"cannot change read-only property value\");\n 
}\n\n return false;\n }\n\n // OK, we need to convert an indexed property to a named one.\n\n // Check whether to use the supplied value, or to reuse the old one, as we\n // are simply reconfiguring it.\n MutableHandle<> value{runtime};\n if (dpFlags.setValue || dpFlags.isAccessor()) {\n value = valueOrAccessor.get();\n } else {\n value = curValueOrAccessor;\n }\n\n // Update dpFlags to match the existing property flags.\n dpFlags.setEnumerable = 1;\n dpFlags.setWritable = 1;\n dpFlags.setConfigurable = 1;\n dpFlags.enumerable = updateStatus->second.enumerable;\n dpFlags.writable = updateStatus->second.writable;\n dpFlags.configurable = updateStatus->second.configurable;\n\n // Delete the existing indexed property.\n if (!deleteOwnIndexed(selfHandle, runtime, *arrayIndex)) {\n if (opFlags.getThrowOnError()) {\n // TODO: better error message.\n return runtime->raiseTypeError(\"Cannot define property\");\n }\n return false;\n }\n\n // Add the new named property.\n LAZY_TO_IDENTIFIER(runtime, nameValHandle, id);\n return addOwnProperty(selfHandle, runtime, id, dpFlags, value, opFlags);\n }\n\n /// Can we add new properties?\n if (!selfHandle->isExtensible()) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n \"cannot add a new property\"); // TODO: better message.\n }\n return false;\n }\n\n // This is a new property with an index-like name.\n // Check whether we need to update array's \".length\" property.\n bool updateLength = false;\n if (auto arrayHandle = Handle::dyn_vmcast(selfHandle)) {\n if (LLVM_UNLIKELY(*arrayIndex >= JSArray::getLength(*arrayHandle))) {\n NamedPropertyDescriptor lengthDesc;\n bool lengthPresent = getOwnNamedDescriptor(\n arrayHandle,\n runtime,\n Predefined::getSymbolID(Predefined::length),\n lengthDesc);\n (void)lengthPresent;\n assert(lengthPresent && \".length must be present in JSArray\");\n\n if (!lengthDesc.flags.writable) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n \"Cannot assign to 
read-only 'length' property of array\");\n }\n return false;\n }\n\n updateLength = true;\n }\n }\n\n bool newIsIndexed = canNewPropertyBeIndexed(dpFlags);\n if (newIsIndexed) {\n auto result = setOwnIndexed(\n selfHandle,\n runtime,\n *arrayIndex,\n dpFlags.setValue ? valueOrAccessor : Runtime::getUndefinedValue());\n if (LLVM_UNLIKELY(result == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n if (!*result) {\n if (opFlags.getThrowOnError()) {\n // TODO: better error message.\n return runtime->raiseTypeError(\"Cannot define property\");\n }\n return false;\n }\n }\n\n // If this is an array and we need to update \".length\", do so.\n if (updateLength) {\n // This should always succeed since we are simply enlarging the length.\n auto res = JSArray::setLength(\n Handle::vmcast(selfHandle), runtime, *arrayIndex + 1, opFlags);\n (void)res;\n assert(\n res != ExecutionStatus::EXCEPTION && *res &&\n \"JSArray::setLength() failed unexpectedly\");\n }\n\n if (newIsIndexed)\n return true;\n\n // We are adding a new property with an index-like name.\n LAZY_TO_IDENTIFIER(runtime, nameValHandle, id);\n return addOwnProperty(\n selfHandle, runtime, id, dpFlags, valueOrAccessor, opFlags);\n}", "project": "hermes", "hash": 294845817089252839146404685009771314171, "size": 227, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230156 }, { "func": "CallResult JSObject::defineOwnComputedPrimitive(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n DefinePropertyFlags dpFlags,\n Handle<> valueOrAccessor,\n PropOpFlags opFlags) {\n assert(\n !nameValHandle->isObject() &&\n \"nameValHandle passed to \"\n \"defineOwnComputedPrimitive() cannot be \"\n \"an object\");\n assert(\n !opFlags.getMustExist() && \"cannot use mustExist with defineOwnProperty\");\n assert(\n !(dpFlags.setValue && dpFlags.isAccessor()) &&\n \"Cannot set both value and accessor\");\n assert(\n (dpFlags.setValue || dpFlags.isAccessor() ||\n valueOrAccessor.get().isUndefined()) &&\n \"value must be undefined when all of setValue/setSetter/setGetter are \"\n \"false\");\n assert(\n !dpFlags.enableInternalSetter &&\n \"Cannot set internalSetter on a computed property\");\n#ifndef NDEBUG\n if (dpFlags.isAccessor()) {\n assert(valueOrAccessor.get().isPointer() && \"accessor must be non-empty\");\n assert(\n !dpFlags.setWritable && !dpFlags.writable &&\n \"writable must not be set with accessors\");\n }\n#endif\n\n // If the name is a valid integer array index, store it here.\n OptValue arrayIndex;\n\n // If we have indexed storage, we must attempt to convert the name to array\n // index, even if the conversion is expensive.\n if (selfHandle->flags_.indexedStorage) {\n MutableHandle strPrim{runtime};\n TO_ARRAY_INDEX(runtime, nameValHandle, strPrim, arrayIndex);\n }\n\n SymbolID id{};\n\n // If not storing a property with an array index name, or if we don't have\n // indexed storage, just pass to the named routine.\n if (!arrayIndex) {\n LAZY_TO_IDENTIFIER(runtime, nameValHandle, id);\n return defineOwnPropertyInternal(\n 
selfHandle, runtime, id, dpFlags, valueOrAccessor, opFlags);\n }\n\n // At this point we know that we have indexed storage and that the property\n // has an index-like name.\n\n // First check if a named property with the same name exists.\n if (selfHandle->clazz_.get(runtime)->getHasIndexLikeProperties()) {\n LAZY_TO_IDENTIFIER(runtime, nameValHandle, id);\n\n NamedPropertyDescriptor desc;\n auto pos = findProperty(selfHandle, runtime, id, desc);\n // If we found a named property, update it.\n if (pos) {\n return updateOwnProperty(\n selfHandle,\n runtime,\n id,\n *pos,\n desc,\n dpFlags,\n valueOrAccessor,\n opFlags);\n }\n }\n\n // Does an indexed property with that index exist?\n auto indexedPropPresent =\n getOwnIndexedPropertyFlags(selfHandle.get(), runtime, *arrayIndex);\n if (indexedPropPresent) {\n // The current value of the property.\n HermesValue curValueOrAccessor =\n getOwnIndexed(selfHandle.get(), runtime, *arrayIndex);\n\n auto updateStatus = checkPropertyUpdate(\n runtime,\n *indexedPropPresent,\n dpFlags,\n curValueOrAccessor,\n valueOrAccessor,\n opFlags);\n if (updateStatus == ExecutionStatus::EXCEPTION)\n return ExecutionStatus::EXCEPTION;\n if (updateStatus->first == PropertyUpdateStatus::failed)\n return false;\n\n // The property update is valid, but can the property remain an \"indexed\"\n // property, or do we need to convert it to a named property?\n // If the property flags didn't change, the property remains indexed.\n if (updateStatus->second == *indexedPropPresent) {\n // If the value doesn't change, we are done.\n if (updateStatus->first == PropertyUpdateStatus::done)\n return true;\n\n // If we successfully updated the value, we are done.\n auto result =\n setOwnIndexed(selfHandle, runtime, *arrayIndex, valueOrAccessor);\n if (LLVM_UNLIKELY(result == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n if (*result)\n return true;\n\n if (opFlags.getThrowOnError()) {\n // TODO: better error message.\n return 
runtime->raiseTypeError(\n \"cannot change read-only property value\");\n }\n\n return false;\n }\n\n // OK, we need to convert an indexed property to a named one.\n\n // Check whether to use the supplied value, or to reuse the old one, as we\n // are simply reconfiguring it.\n MutableHandle<> value{runtime};\n if (dpFlags.setValue || dpFlags.isAccessor()) {\n value = valueOrAccessor.get();\n } else {\n value = curValueOrAccessor;\n }\n\n // Update dpFlags to match the existing property flags.\n dpFlags.setEnumerable = 1;\n dpFlags.setWritable = 1;\n dpFlags.setConfigurable = 1;\n dpFlags.enumerable = updateStatus->second.enumerable;\n dpFlags.writable = updateStatus->second.writable;\n dpFlags.configurable = updateStatus->second.configurable;\n\n // Delete the existing indexed property.\n if (!deleteOwnIndexed(selfHandle, runtime, *arrayIndex)) {\n if (opFlags.getThrowOnError()) {\n // TODO: better error message.\n return runtime->raiseTypeError(\"Cannot define property\");\n }\n return false;\n }\n\n // Add the new named property.\n LAZY_TO_IDENTIFIER(runtime, nameValHandle, id);\n return addOwnProperty(selfHandle, runtime, id, dpFlags, value, opFlags);\n }\n\n /// Can we add new properties?\n if (!selfHandle->isExtensible()) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n \"cannot add a new property\"); // TODO: better message.\n }\n return false;\n }\n\n // This is a new property with an index-like name.\n // Check whether we need to update array's \".length\" property.\n bool updateLength = false;\n if (auto arrayHandle = Handle::dyn_vmcast(selfHandle)) {\n if (LLVM_UNLIKELY(*arrayIndex >= JSArray::getLength(*arrayHandle))) {\n NamedPropertyDescriptor lengthDesc;\n bool lengthPresent = getOwnNamedDescriptor(\n arrayHandle,\n runtime,\n Predefined::getSymbolID(Predefined::length),\n lengthDesc);\n (void)lengthPresent;\n assert(lengthPresent && \".length must be present in JSArray\");\n\n if (!lengthDesc.flags.writable) {\n if 
(opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n \"Cannot assign to read-only 'length' property of array\");\n }\n return false;\n }\n\n updateLength = true;\n }\n }\n\n bool newIsIndexed = canNewPropertyBeIndexed(dpFlags);\n if (newIsIndexed) {\n auto result = setOwnIndexed(\n selfHandle,\n runtime,\n *arrayIndex,\n dpFlags.setValue ? valueOrAccessor : Runtime::getUndefinedValue());\n if (LLVM_UNLIKELY(result == ExecutionStatus::EXCEPTION))\n return ExecutionStatus::EXCEPTION;\n if (!*result) {\n if (opFlags.getThrowOnError()) {\n // TODO: better error message.\n return runtime->raiseTypeError(\"Cannot define property\");\n }\n return false;\n }\n }\n\n // If this is an array and we need to update \".length\", do so.\n if (updateLength) {\n // This should always succeed since we are simply enlarging the length.\n auto res = JSArray::setLength(\n Handle::vmcast(selfHandle), runtime, *arrayIndex + 1, opFlags);\n (void)res;\n assert(\n res != ExecutionStatus::EXCEPTION && *res &&\n \"JSArray::setLength() failed unexpectedly\");\n }\n\n if (newIsIndexed)\n return true;\n\n // We are adding a new property with an index-like name.\n LAZY_TO_IDENTIFIER(runtime, nameValHandle, id);\n return addOwnProperty(\n selfHandle, runtime, id, dpFlags, valueOrAccessor, opFlags);\n}", "project": "hermes", "hash": 303947678751396416524916891656840087000, "size": 227, "commit_id": "8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0", "message": "Handle set where internalSetter and Proxy are both true\n\nSummary:\nIf putComputed is called on a proxy whose target's prototype\nis an array with a propname of 'length', then internalSetter will be\ntrue, and the receiver will be a proxy. 
In that case, proxy needs to\nwin; the behavior may assert or be UB otherwise.\n\nReviewed By: tmikov\n\nDifferential Revision: D23916279\n\nfbshipit-source-id: c760356d48a02ece565fb4bc1acdafd7ccad7c68", "target": 0, "dataset": "other", "idx": 259371 }, { "func": "static int fuse_atomic_open(struct inode *dir, struct dentry *entry,\n\t\t\t struct file *file, unsigned flags,\n\t\t\t umode_t mode)\n{\n\tint err;\n\tstruct fuse_conn *fc = get_fuse_conn(dir);\n\tstruct dentry *res = NULL;\n\n\tif (fuse_is_bad(dir))\n\t\treturn -EIO;\n\n\tif (d_in_lookup(entry)) {\n\t\tres = fuse_lookup(dir, entry, 0);\n\t\tif (IS_ERR(res))\n\t\t\treturn PTR_ERR(res);\n\n\t\tif (res)\n\t\t\tentry = res;\n\t}\n\n\tif (!(flags & O_CREAT) || d_really_is_positive(entry))\n\t\tgoto no_open;\n\n\t/* Only creates */\n\tfile->f_mode |= FMODE_CREATED;\n\n\tif (fc->no_create)\n\t\tgoto mknod;\n\n\terr = fuse_create_open(dir, entry, file, flags, mode);\n\tif (err == -ENOSYS) {\n\t\tfc->no_create = 1;\n\t\tgoto mknod;\n\t}\nout_dput:\n\tdput(res);\n\treturn err;\n\nmknod:\n\terr = fuse_mknod(dir, entry, mode, 0);\n\tif (err)\n\t\tgoto out_dput;\nno_open:\n\treturn finish_no_open(file, res);\n}", "project": "linux", "hash": 122852299121347153267260595650215002185, "size": 45, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341939 }, { "func": "void mpol_shared_policy_init(struct shared_policy *sp, struct mempolicy *mpol)\n{\n\tint ret;\n\n\tsp->root = RB_ROOT;\t\t/* empty tree == default mempolicy */\n\trwlock_init(&sp->lock);\n\n\tif (mpol) {\n\t\tstruct vm_area_struct pvma;\n\t\tstruct mempolicy *new;\n\t\tNODEMASK_SCRATCH(scratch);\n\n\t\tif (!scratch)\n\t\t\tgoto put_mpol;\n\t\t/* contextualize the tmpfs mount point mempolicy */\n\t\tnew = mpol_new(mpol->mode, mpol->flags, &mpol->w.user_nodemask);\n\t\tif (IS_ERR(new))\n\t\t\tgoto free_scratch; /* no valid nodemask intersection */\n\n\t\ttask_lock(current);\n\t\tret = mpol_set_nodemask(new, &mpol->w.user_nodemask, scratch);\n\t\ttask_unlock(current);\n\t\tif (ret)\n\t\t\tgoto put_new;\n\n\t\t/* Create pseudo-vma that contains just the policy */\n\t\tvma_init(&pvma, NULL);\n\t\tpvma.vm_end = TASK_SIZE;\t/* policy covers entire file */\n\t\tmpol_set_shared_policy(sp, &pvma, new); /* adds ref */\n\nput_new:\n\t\tmpol_put(new);\t\t\t/* drop initial ref */\nfree_scratch:\n\t\tNODEMASK_SCRATCH_FREE(scratch);\nput_mpol:\n\t\tmpol_put(mpol);\t/* drop our incoming ref on sb mpol */\n\t}\n}", "project": "linux", "hash": 116690031274726444333803864691181145192, "size": 38, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366789 }, { "func": "void remove_redundant_subquery_clauses(st_select_lex *subq_select_lex)\n{\n DBUG_ENTER(\"remove_redundant_subquery_clauses\");\n Item_subselect *subq_predicate= subq_select_lex->master_unit()->item;\n /*\n The removal should happen for IN, ALL, ANY and EXISTS subqueries,\n which means all but single row subqueries. Example single row\n subqueries: \n a) SELECT * FROM t1 WHERE t1.a = () \n b) SELECT a, (substype() == Item_subselect::SINGLEROW_SUBS)\n DBUG_VOID_RETURN;\n\n /* A subquery that is not single row should be one of IN/ALL/ANY/EXISTS. */\n DBUG_ASSERT (subq_predicate->substype() == Item_subselect::EXISTS_SUBS ||\n subq_predicate->is_in_predicate());\n\n if (subq_select_lex->options & SELECT_DISTINCT)\n {\n subq_select_lex->join->select_distinct= false;\n subq_select_lex->options&= ~SELECT_DISTINCT;\n DBUG_PRINT(\"info\", (\"DISTINCT removed\"));\n }\n\n /*\n Remove GROUP BY if there are no aggregate functions and no HAVING\n clause\n */\n if (subq_select_lex->group_list.elements &&\n !subq_select_lex->with_sum_func && !subq_select_lex->join->having)\n {\n for (ORDER *ord= subq_select_lex->group_list.first; ord; ord= ord->next)\n {\n /*\n Do not remove the item if it is used in select list and then referred\n from GROUP BY clause by its name or number. 
Example:\n\n select (select ... ) as SUBQ ... group by SUBQ\n\n Here SUBQ cannot be removed.\n */\n if (!ord->in_field_list)\n (*ord->item)->walk(&Item::eliminate_subselect_processor, FALSE, NULL);\n }\n subq_select_lex->join->group_list= NULL;\n subq_select_lex->group_list.empty();\n DBUG_PRINT(\"info\", (\"GROUP BY removed\"));\n }\n\n /*\n TODO: This would prevent processing quries with ORDER BY ... LIMIT\n therefore we disable this optimization for now.\n Remove GROUP BY if there are no aggregate functions and no HAVING\n clause\n if (subq_select_lex->group_list.elements &&\n !subq_select_lex->with_sum_func && !subq_select_lex->join->having)\n {\n subq_select_lex->join->group_list= NULL;\n subq_select_lex->group_list.empty();\n }\n */\n DBUG_VOID_RETURN;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 330033904394029682988457827752035377159, "size": 64, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508503 }, { "func": "int phar_tar_setmetadata(zval *metadata, phar_entry_info *entry, char **error TSRMLS_DC) /* {{{ */\n{\n\tphp_serialize_data_t metadata_hash;\n\n\tif (entry->metadata_str.c) {\n\t\tsmart_str_free(&entry->metadata_str);\n\t}\n\n\tentry->metadata_str.c = 0;\n\tentry->metadata_str.len = 0;\n\tPHP_VAR_SERIALIZE_INIT(metadata_hash);\n\tphp_var_serialize(&entry->metadata_str, &metadata, &metadata_hash TSRMLS_CC);\n\tPHP_VAR_SERIALIZE_DESTROY(metadata_hash);\n\tentry->uncompressed_filesize = entry->compressed_filesize = entry->metadata_str.len;\n\n\tif (entry->fp && entry->fp_type == PHAR_MOD) {\n\t\tphp_stream_close(entry->fp);\n\t}\n\n\tentry->fp_type = PHAR_MOD;\n\tentry->is_modified = 1;\n\tentry->fp = php_stream_fopen_tmpfile();\n\tentry->offset = entry->offset_abs = 0;\n\tif (entry->fp == NULL) {\n\t\tspprintf(error, 0, \"phar error: unable to create temporary file\");\n\t\treturn -1;\n\t}\n\tif (entry->metadata_str.len != php_stream_write(entry->fp, entry->metadata_str.c, entry->metadata_str.len)) {\n\t\tspprintf(error, 0, \"phar tar error: unable to write metadata to magic metadata file \\\"%s\\\"\", entry->filename);\n\t\tzend_hash_del(&(entry->phar->manifest), entry->filename, entry->filename_len);\n\t\treturn ZEND_HASH_APPLY_STOP;\n\t}\n\n\treturn ZEND_HASH_APPLY_KEEP;\n}", "project": "php-src", "hash": 30344724956816126561330089106648351643, "size": 35, "commit_id": "07c7df68bd68bbe706371fccc77c814ebb335d9e", "message": "Fixed bug #71488: Stack overflow when decompressing tar archives", "target": 0, "dataset": "other", "idx": 355578 }, { "func": "void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {\n IcuTestErrorCode status(*this, \"TestUnicodeStringAppendToSelf\");\n\n // Test append operation\n UnicodeString 
str(u\"foo \");\n str.append(str);\n str.append(str);\n str.append(str);\n assertEquals(\"\", u\"foo foo foo foo foo foo foo foo \", str);\n\n // Test append operation with readonly alias to start\n str = UnicodeString(TRUE, u\"foo \", 4);\n str.append(str);\n str.append(str);\n str.append(str);\n assertEquals(\"\", u\"foo foo foo foo foo foo foo foo \", str);\n\n // Test append operation with aliased substring\n str = u\"abcde\";\n UnicodeString sub = str.tempSubString(1, 2);\n str.append(sub);\n assertEquals(\"\", u\"abcdebc\", str);\n\n // Test append operation with double-aliased substring\n str = UnicodeString(TRUE, u\"abcde\", 5);\n sub = str.tempSubString(1, 2);\n str.append(sub);\n assertEquals(\"\", u\"abcdebc\", str);\n\n // Test insert operation\n str = u\"a-*b\";\n str.insert(2, str);\n str.insert(4, str);\n str.insert(8, str);\n assertEquals(\"\", u\"a-a-a-a-a-a-a-a-*b*b*b*b*b*b*b*b\", str);\n\n // Test insert operation with readonly alias to start\n str = UnicodeString(TRUE, u\"a-*b\", 4);\n str.insert(2, str);\n str.insert(4, str);\n str.insert(8, str);\n assertEquals(\"\", u\"a-a-a-a-a-a-a-a-*b*b*b*b*b*b*b*b\", str);\n\n // Test insert operation with aliased substring\n str = u\"abcde\";\n sub = str.tempSubString(1, 3);\n str.insert(2, sub);\n assertEquals(\"\", u\"abbcdcde\", str);\n\n // Test insert operation with double-aliased substring\n str = UnicodeString(TRUE, u\"abcde\", 5);\n sub = str.tempSubString(1, 3);\n str.insert(2, sub);\n assertEquals(\"\", u\"abbcdcde\", str);\n}", "project": "icu", "hash": 249220405328505341378331510590096122576, "size": 55, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430784 }, { "func": "Variant WuManberReplacement::translate(String source) const {\n size_t pos = 0,\n nextwpos = 0,\n lastpos = source.size() - m;\n\n if (!valid) {\n return false;\n }\n\n // all patterns are longer than the 
source\n if (m > source.size()) {\n return source;\n }\n\n StringBuffer result(source.size());\n while (pos <= lastpos) {\n uint16_t h = strtr_hash(source.data() + pos + m - B, B) & SHIFT_TAB_MASK;\n size_t shift_pos = shift[h];\n\n if (shift_pos > 0) {\n pos += shift_pos;\n } else {\n uint16_t h2 = h & HASH_TAB_MASK,\n prefix_h = strtr_hash(source.data() + pos, Bp);\n int offset_start = hash[h2],\n offset_end = hash[h2 + 1], // exclusive\n i = 0;\n\n for (i = offset_start; i < offset_end; i++) {\n if (prefix[i] != prefix_h) {\n continue;\n }\n\n const PatAndRepl *pnr = &patterns[i];\n if (pnr->getPat().size() > source.size() - pos ||\n memcmp(pnr->getPat().data(), source.data() + pos,\n pnr->getPat().size()) != 0) {\n continue;\n }\n\n result.append(source.data() + nextwpos, pos - nextwpos);\n result.append(pnr->getRepl());\n pos += pnr->getPat().size();\n nextwpos = pos;\n goto end_outer_loop;\n }\n\n pos++;\nend_outer_loop: ;\n }\n }\n\n result.append(source.data() + nextwpos, source.size() - nextwpos );\n\n return result.detach();\n}", "project": "hhvm", "hash": 275767561138494409375836289573071585204, "size": 56, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219683 }, { "func": "bool lua_text_pattern::translate() const\n{\n if (translated || !isvalid)\n return false;\n\n if (pattern.find(\"]]\") != string::npos || pattern.find(\"[[\") != string::npos)\n return false;\n\n string textp;\n string luafn;\n const lua_pat_op *currop = nullptr;\n for (string::size_type i = 0; i < pattern.length(); ++i)\n {\n bool match = false;\n for (unsigned p = 0; p < ARRAYSZ(pat_ops); ++p)\n {\n const lua_pat_op &lop = pat_ops[p];\n if (pattern.find(lop.token, i) == i)\n {\n match = true;\n if (lop.pretext && (!currop || currop->posttext))\n {\n if (currop)\n textp.erase(0, textp.find_first_not_of(\" \\r\\n\\t\"));\n pre_pattern(textp, luafn);\n 
}\n\n currop = &lop;\n luafn += lop.luatok;\n\n i += strlen(lop.token) - 1;\n\n break;\n }\n }\n\n if (match)\n continue;\n\n textp += pattern[i];\n }\n\n if (currop && currop->posttext)\n post_pattern(textp, luafn);\n\n luafn = \"function \" + lua_fn_name + \"(text) return \" + luafn + \" end\";\n\n const_cast(this)->translated = true;\n\n int err = clua.execstring(luafn.c_str(), \"stash-search\");\n if (err)\n {\n lua_text_pattern *self = const_cast(this);\n self->isvalid = self->translated = false;\n }\n\n return translated;\n}", "project": "crawl", "hash": 66064399844253455586965118611572459272, "size": 58, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230496 }, { "func": "CWebSock::EPageReqResult CWebSock::OnPageRequestInternal(const CString& sURI,\n CString& sPageRet) {\n // Check that their session really belongs to their IP address. IP-based\n // authentication is bad, but here it's just an extra layer that makes\n // stealing cookies harder to pull off.\n //\n // When their IP is wrong, we give them an invalid cookie. This makes\n // sure that they will get a new cookie on their next request.\n if (CZNC::Get().GetProtectWebSessions() &&\n GetSession()->GetIP() != GetRemoteIP()) {\n DEBUG(\"Expected IP: \" << GetSession()->GetIP());\n DEBUG(\"Remote IP: \" << GetRemoteIP());\n SendCookie(\"SessionId\", \"WRONG_IP_FOR_SESSION\");\n PrintErrorPage(403, \"Access denied\",\n \"This session does not belong to your IP.\");\n return PAGE_DONE;\n }\n\n // For pages *not provided* by modules, a CSRF check is performed which involves:\n // Ensure that they really POSTed from one our forms by checking if they\n // know the \"secret\" CSRF check value. 
Don't do this for login since\n // CSRF against the login form makes no sense and the login form does a\n // cookies-enabled check which would break otherwise.\n // Don't do this, if user authenticated using http-basic auth, because:\n // 1. they obviously know the password,\n // 2. it's easier to automate some tasks e.g. user creation, without need to\n // care about cookies and CSRF\n if (IsPost() && !m_bBasicAuth && !sURI.StartsWith(\"/mods/\") &&\n !ValidateCSRFCheck(sURI)) {\n DEBUG(\"Expected _CSRF_Check: \" << GetCSRFCheck());\n DEBUG(\"Actual _CSRF_Check: \" << GetParam(\"_CSRF_Check\"));\n PrintErrorPage(\n 403, \"Access denied\",\n \"POST requests need to send \"\n \"a secret token to prevent cross-site request forgery attacks.\");\n return PAGE_DONE;\n }\n\n SendCookie(\"SessionId\", GetSession()->GetId());\n\n if (GetSession()->IsLoggedIn()) {\n m_sUser = GetSession()->GetUser()->GetUserName();\n m_bLoggedIn = true;\n }\n CLanguageScope user_language(\n m_bLoggedIn ? GetSession()->GetUser()->GetLanguage() : \"\");\n\n // Handle the static pages that don't require a login\n if (sURI == \"/\") {\n if (!m_bLoggedIn && GetParam(\"cookie_check\", false).ToBool() &&\n GetRequestCookie(\"SessionId\").empty()) {\n GetSession()->AddError(\n \"Your browser does not have cookies enabled for this site!\");\n }\n return PrintTemplate(\"index\", sPageRet);\n } else if (sURI == \"/favicon.ico\") {\n return PrintStaticFile(\"/pub/favicon.ico\", sPageRet);\n } else if (sURI == \"/robots.txt\") {\n return PrintStaticFile(\"/pub/robots.txt\", sPageRet);\n } else if (sURI == \"/logout\") {\n GetSession()->SetUser(nullptr);\n SetLoggedIn(false);\n Redirect(\"/\");\n\n // We already sent a reply\n return PAGE_DONE;\n } else if (sURI == \"/login\") {\n if (GetParam(\"submitted\").ToBool()) {\n m_sUser = GetParam(\"user\");\n m_sPass = GetParam(\"pass\");\n m_bLoggedIn = OnLogin(m_sUser, m_sPass, false);\n\n // AcceptedLogin()/RefusedLogin() will call Redirect()\n return 
PAGE_DEFERRED;\n }\n\n Redirect(\"/\"); // the login form is here\n return PAGE_DONE;\n } else if (sURI.StartsWith(\"/pub/\")) {\n return PrintStaticFile(sURI, sPageRet);\n } else if (sURI.StartsWith(\"/skinfiles/\")) {\n CString sSkinName = sURI.substr(11);\n CString::size_type uPathStart = sSkinName.find(\"/\");\n if (uPathStart != CString::npos) {\n CString sFilePath = sSkinName.substr(uPathStart + 1);\n sSkinName.erase(uPathStart);\n\n m_Template.ClearPaths();\n m_Template.AppendPath(GetSkinPath(sSkinName) + \"pub\");\n\n if (PrintFile(m_Template.ExpandFile(sFilePath))) {\n return PAGE_DONE;\n } else {\n return PAGE_NOTFOUND;\n }\n }\n return PAGE_NOTFOUND;\n } else if (sURI.StartsWith(\"/mods/\") || sURI.StartsWith(\"/modfiles/\")) {\n // Make sure modules are treated as directories\n if (!sURI.EndsWith(\"/\") && !sURI.Contains(\".\") &&\n !sURI.TrimLeft_n(\"/mods/\").TrimLeft_n(\"/\").Contains(\"/\")) {\n Redirect(sURI + \"/\");\n return PAGE_DONE;\n }\n\n // The URI looks like:\n // /mods/[type]/([network]/)?[module][/page][?arg1=val1&arg2=val2...]\n\n m_sPath = GetPath().TrimLeft_n(\"/\");\n\n m_sPath.TrimPrefix(\"mods/\");\n m_sPath.TrimPrefix(\"modfiles/\");\n\n CString sType = m_sPath.Token(0, false, \"/\");\n m_sPath = m_sPath.Token(1, true, \"/\");\n\n CModInfo::EModuleType eModType;\n if (sType.Equals(\"global\")) {\n eModType = CModInfo::GlobalModule;\n } else if (sType.Equals(\"user\")) {\n eModType = CModInfo::UserModule;\n } else if (sType.Equals(\"network\")) {\n eModType = CModInfo::NetworkModule;\n } else {\n PrintErrorPage(403, \"Forbidden\",\n \"Unknown module type [\" + sType + \"]\");\n return PAGE_DONE;\n }\n\n if ((eModType != CModInfo::GlobalModule) && !ForceLogin()) {\n // Make sure we have a valid user\n return PAGE_DONE;\n }\n\n CIRCNetwork* pNetwork = nullptr;\n if (eModType == CModInfo::NetworkModule) {\n CString sNetwork = m_sPath.Token(0, false, \"/\");\n m_sPath = m_sPath.Token(1, true, \"/\");\n\n pNetwork = 
GetSession()->GetUser()->FindNetwork(sNetwork);\n\n if (!pNetwork) {\n PrintErrorPage(404, \"Not Found\",\n \"Network [\" + sNetwork + \"] not found.\");\n return PAGE_DONE;\n }\n }\n\n m_sModName = m_sPath.Token(0, false, \"/\");\n m_sPage = m_sPath.Token(1, true, \"/\");\n\n if (m_sPage.empty()) {\n m_sPage = \"index\";\n }\n\n DEBUG(\"Path [\" + m_sPath + \"], Module [\" + m_sModName + \"], Page [\" +\n m_sPage + \"]\");\n\n CModule* pModule = nullptr;\n\n switch (eModType) {\n case CModInfo::GlobalModule:\n pModule = CZNC::Get().GetModules().FindModule(m_sModName);\n break;\n case CModInfo::UserModule:\n pModule = GetSession()->GetUser()->GetModules().FindModule(\n m_sModName);\n break;\n case CModInfo::NetworkModule:\n pModule = pNetwork->GetModules().FindModule(m_sModName);\n break;\n }\n\n if (!pModule) return PAGE_NOTFOUND;\n\n // Pass CSRF check to module.\n // Note that the normal CSRF checks are not applied to /mods/ URLs.\n if (IsPost() && !m_bBasicAuth &&\n !pModule->ValidateWebRequestCSRFCheck(*this, m_sPage)) {\n DEBUG(\"Expected _CSRF_Check: \" << GetCSRFCheck());\n DEBUG(\"Actual _CSRF_Check: \" << GetParam(\"_CSRF_Check\"));\n PrintErrorPage(\n 403, \"Access denied\",\n \"POST requests need to send \"\n \"a secret token to prevent cross-site request forgery attacks.\");\n return PAGE_DONE;\n }\n\n m_Template[\"ModPath\"] = pModule->GetWebPath();\n m_Template[\"ModFilesPath\"] = pModule->GetWebFilesPath();\n\n if (pModule->WebRequiresLogin() && !ForceLogin()) {\n return PAGE_PRINT;\n } else if (pModule->WebRequiresAdmin() && !GetSession()->IsAdmin()) {\n PrintErrorPage(403, \"Forbidden\",\n \"You need to be an admin to access this module\");\n return PAGE_DONE;\n } else if (pModule->GetType() != CModInfo::GlobalModule &&\n pModule->GetUser() != GetSession()->GetUser()) {\n PrintErrorPage(403, \"Forbidden\",\n \"You must login as \" +\n pModule->GetUser()->GetUserName() +\n \" in order to view this page\");\n return PAGE_DONE;\n } else if 
(pModule->OnWebPreRequest(*this, m_sPage)) {\n return PAGE_DEFERRED;\n }\n\n VWebSubPages& vSubPages = pModule->GetSubPages();\n\n for (TWebSubPage& SubPage : vSubPages) {\n bool bActive = (m_sModName == pModule->GetModName() &&\n m_sPage == SubPage->GetName());\n\n if (bActive && SubPage->RequiresAdmin() &&\n !GetSession()->IsAdmin()) {\n PrintErrorPage(403, \"Forbidden\",\n \"You need to be an admin to access this page\");\n return PAGE_DONE;\n }\n }\n\n if (pModule && pModule->GetType() != CModInfo::GlobalModule &&\n (!IsLoggedIn() || pModule->GetUser() != GetSession()->GetUser())) {\n AddModLoop(\"UserModLoop\", *pModule);\n }\n\n if (sURI.StartsWith(\"/modfiles/\")) {\n m_Template.AppendPath(GetSkinPath(GetSkinName()) + \"/mods/\" +\n m_sModName + \"/files/\");\n m_Template.AppendPath(pModule->GetModDataDir() + \"/files/\");\n\n if (PrintFile(m_Template.ExpandFile(m_sPage.TrimLeft_n(\"/\")))) {\n return PAGE_PRINT;\n } else {\n return PAGE_NOTFOUND;\n }\n } else {\n SetPaths(pModule, true);\n\n CTemplate& breadModule = m_Template.AddRow(\"BreadCrumbs\");\n breadModule[\"Text\"] = pModule->GetModName();\n breadModule[\"URL\"] = pModule->GetWebPath();\n\n /* if a module returns false from OnWebRequest, it does not\n want the template to be printed, usually because it did a\n redirect. 
*/\n if (pModule->OnWebRequest(*this, m_sPage, m_Template)) {\n // If they already sent a reply, let's assume\n // they did what they wanted to do.\n if (SentHeader()) {\n return PAGE_DONE;\n }\n return PrintTemplate(m_sPage, sPageRet, pModule);\n }\n\n if (!SentHeader()) {\n PrintErrorPage(\n 404, \"Not Implemented\",\n \"The requested module does not acknowledge web requests\");\n }\n return PAGE_DONE;\n }\n } else {\n CString sPage(sURI.Trim_n(\"/\"));\n if (sPage.length() < 32) {\n for (unsigned int a = 0; a < sPage.length(); a++) {\n unsigned char c = sPage[a];\n\n if ((c < '0' || c > '9') && (c < 'a' || c > 'z') &&\n (c < 'A' || c > 'Z') && c != '_') {\n return PAGE_NOTFOUND;\n }\n }\n\n return PrintTemplate(sPage, sPageRet);\n }\n }\n\n return PAGE_NOTFOUND;\n}", "project": "znc", "hash": 128626659906160206024176104765325481327, "size": 281, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265766 }, { "func": "static int io_provide_buffers_prep(struct io_kiocb *req,\n\t\t\t\t const struct io_uring_sqe *sqe)\n{\n\tunsigned long size, tmp_check;\n\tstruct io_provide_buf *p = &req->pbuf;\n\tu64 tmp;\n\n\tif (sqe->ioprio || sqe->rw_flags)\n\t\treturn -EINVAL;\n\n\ttmp = READ_ONCE(sqe->fd);\n\tif (!tmp || tmp > USHRT_MAX)\n\t\treturn -E2BIG;\n\tp->nbufs = tmp;\n\tp->addr = READ_ONCE(sqe->addr);\n\tp->len = READ_ONCE(sqe->len);\n\n\tif (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs,\n\t\t\t\t&size))\n\t\treturn -EOVERFLOW;\n\tif (check_add_overflow((unsigned long)p->addr, size, &tmp_check))\n\t\treturn -EOVERFLOW;\n\n\tsize = (unsigned long)p->len * p->nbufs;\n\tif (!access_ok(u64_to_user_ptr(p->addr), size))\n\t\treturn -EFAULT;\n\n\tp->bgid = READ_ONCE(sqe->buf_group);\n\ttmp = READ_ONCE(sqe->off);\n\tif (tmp > USHRT_MAX)\n\t\treturn 
-E2BIG;\n\tp->bid = tmp;\n\treturn 0;\n}", "project": "linux", "hash": 67439643223506342546098809404314955238, "size": 34, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338681 }, { "func": "static inline bool vgif_enabled(struct vcpu_svm *svm)\n{\n\treturn !!(svm->vmcb->control.int_ctl & V_GIF_ENABLE_MASK);\n}", "project": "linux", "hash": 233655131848931574966873700125412240984, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432466 }, { "func": "void nft_obj_notify(struct net *net, const struct nft_table *table,\n\t\t struct nft_object *obj, u32 portid, u32 seq, int event,\n\t\t int family, int report, gfp_t gfp)\n{\n\tstruct nftables_pernet *nft_net = nft_pernet(net);\n\tstruct sk_buff *skb;\n\tint err;\n\tchar *buf = kasprintf(gfp, \"%s:%u\",\n\t\t\t table->name, nft_net->base_seq);\n\n\taudit_log_nfcfg(buf,\n\t\t\tfamily,\n\t\t\tobj->handle,\n\t\t\tevent == NFT_MSG_NEWOBJ ?\n\t\t\t\t AUDIT_NFT_OP_OBJ_REGISTER :\n\t\t\t\t AUDIT_NFT_OP_OBJ_UNREGISTER,\n\t\t\tgfp);\n\tkfree(buf);\n\n\tif (!report &&\n\t !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))\n\t\treturn;\n\n\tskb = nlmsg_new(NLMSG_GOODSIZE, gfp);\n\tif (skb == NULL)\n\t\tgoto err;\n\n\terr = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,\n\t\t\t\t table, obj, false);\n\tif (err < 0) {\n\t\tkfree_skb(skb);\n\t\tgoto err;\n\t}\n\n\tnft_notify_enqueue(skb, report, &nft_net->notify_list);\n\treturn;\nerr:\n\tnfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);\n}", "project": "linux", "hash": 310432505066968951246462365864637928064, "size": 39, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. 
Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328344 }, { "func": "static int ep_insert(struct eventpoll *ep, const struct epoll_event *event,\n\t\t struct file *tfile, int fd, int full_check)\n{\n\tint error, pwake = 0;\n\t__poll_t revents;\n\tlong user_watches;\n\tstruct epitem *epi;\n\tstruct ep_pqueue epq;\n\n\tlockdep_assert_irqs_enabled();\n\n\tuser_watches = atomic_long_read(&ep->user->epoll_watches);\n\tif (unlikely(user_watches >= max_user_watches))\n\t\treturn -ENOSPC;\n\tif (!(epi = kmem_cache_alloc(epi_cache, GFP_KERNEL)))\n\t\treturn -ENOMEM;\n\n\t/* Item initialization follow here ... 
*/\n\tINIT_LIST_HEAD(&epi->rdllink);\n\tINIT_LIST_HEAD(&epi->fllink);\n\tINIT_LIST_HEAD(&epi->pwqlist);\n\tepi->ep = ep;\n\tep_set_ffd(&epi->ffd, tfile, fd);\n\tepi->event = *event;\n\tepi->nwait = 0;\n\tepi->next = EP_UNACTIVE_PTR;\n\tif (epi->event.events & EPOLLWAKEUP) {\n\t\terror = ep_create_wakeup_source(epi);\n\t\tif (error)\n\t\t\tgoto error_create_wakeup_source;\n\t} else {\n\t\tRCU_INIT_POINTER(epi->ws, NULL);\n\t}\n\n\t/* Initialize the poll table using the queue callback */\n\tepq.epi = epi;\n\tinit_poll_funcptr(&epq.pt, ep_ptable_queue_proc);\n\n\t/*\n\t * Attach the item to the poll hooks and get current event bits.\n\t * We can safely use the file* here because its usage count has\n\t * been increased by the caller of this function. Note that after\n\t * this operation completes, the poll callback can start hitting\n\t * the new item.\n\t */\n\trevents = ep_item_poll(epi, &epq.pt, 1);\n\n\t/*\n\t * We have to check if something went wrong during the poll wait queue\n\t * install process. Namely an allocation for a wait queue failed due\n\t * high memory pressure.\n\t */\n\terror = -ENOMEM;\n\tif (epi->nwait < 0)\n\t\tgoto error_unregister;\n\n\t/* Add the current item to the list of active epoll hook for this file */\n\tspin_lock(&tfile->f_lock);\n\tlist_add_tail_rcu(&epi->fllink, &tfile->f_ep_links);\n\tspin_unlock(&tfile->f_lock);\n\n\t/*\n\t * Add the current item to the RB tree. 
All RB tree operations are\n\t * protected by \"mtx\", and ep_insert() is called with \"mtx\" held.\n\t */\n\tep_rbtree_insert(ep, epi);\n\n\t/* now check if we've created too many backpaths */\n\terror = -EINVAL;\n\tif (full_check && reverse_path_check())\n\t\tgoto error_remove_epi;\n\n\t/* We have to drop the new item inside our item list to keep track of it */\n\twrite_lock_irq(&ep->lock);\n\n\t/* record NAPI ID of new item if present */\n\tep_set_busy_poll_napi_id(epi);\n\n\t/* If the file is already \"ready\" we drop it inside the ready list */\n\tif (revents && !ep_is_linked(epi)) {\n\t\tlist_add_tail(&epi->rdllink, &ep->rdllist);\n\t\tep_pm_stay_awake(epi);\n\n\t\t/* Notify waiting tasks that events are available */\n\t\tif (waitqueue_active(&ep->wq))\n\t\t\twake_up(&ep->wq);\n\t\tif (waitqueue_active(&ep->poll_wait))\n\t\t\tpwake++;\n\t}\n\n\twrite_unlock_irq(&ep->lock);\n\n\tatomic_long_inc(&ep->user->epoll_watches);\n\n\t/* We have to call this outside the lock */\n\tif (pwake)\n\t\tep_poll_safewake(ep, NULL);\n\n\treturn 0;\n\nerror_remove_epi:\n\tspin_lock(&tfile->f_lock);\n\tlist_del_rcu(&epi->fllink);\n\tspin_unlock(&tfile->f_lock);\n\n\trb_erase_cached(&epi->rbn, &ep->rbr);\n\nerror_unregister:\n\tep_unregister_pollwait(ep, epi);\n\n\t/*\n\t * We need to do this because an event could have been arrived on some\n\t * allocated wait queue. 
Note that we don't care about the ep->ovflist\n\t * list, since that is used/cleaned only inside a section bound by \"mtx\".\n\t * And ep_insert() is called with \"mtx\" held.\n\t */\n\twrite_lock_irq(&ep->lock);\n\tif (ep_is_linked(epi))\n\t\tlist_del_init(&epi->rdllink);\n\twrite_unlock_irq(&ep->lock);\n\n\twakeup_source_unregister(ep_wakeup_source(epi));\n\nerror_create_wakeup_source:\n\tkmem_cache_free(epi_cache, epi);\n\n\treturn error;\n}", "project": "linux", "hash": 247739373381166119686982200751831246730, "size": 128, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336232 }, { "func": "inline int MatchingElementsSize(const RuntimeShape& shape,\n const RuntimeShape& check_shape_0,\n const RuntimeShape& check_shape_1) {\n const int size_1 = shape.FlatSize();\n const int size_2 = check_shape_0.FlatSize();\n const int size_3 = check_shape_1.FlatSize();\n TFLITE_CHECK_EQ(size_1, size_2);\n TFLITE_CHECK_EQ(size_2, size_3);\n return size_1;\n}", "project": "tensorflow", "hash": 185772753939293257533192209492074153717, "size": 10, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269133 }, { "func": "inline int MatchingElementsSize(const RuntimeShape& shape,\n const RuntimeShape& check_shape_0) {\n const int size_1 = shape.FlatSize();\n const int size_2 = check_shape_0.FlatSize();\n TFLITE_CHECK_EQ(size_1, size_2);\n return size_1;\n}", "project": "tensorflow", "hash": 261286778320997521637055809842007118277, "size": 7, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269161 }, { "func": "static void fuse_readpages_end(struct fuse_mount *fm, struct fuse_args *args,\n\t\t\t int err)\n{\n\tint i;\n\tstruct fuse_io_args *ia = container_of(args, typeof(*ia), ap.args);\n\tstruct fuse_args_pages *ap = &ia->ap;\n\tsize_t count = ia->read.in.size;\n\tsize_t num_read = args->out_args[0].size;\n\tstruct address_space *mapping = NULL;\n\n\tfor (i = 0; mapping == NULL && i < ap->num_pages; i++)\n\t\tmapping = ap->pages[i]->mapping;\n\n\tif (mapping) {\n\t\tstruct inode *inode = mapping->host;\n\n\t\t/*\n\t\t * Short read means EOF. 
If file size is larger, truncate it\n\t\t */\n\t\tif (!err && num_read < count)\n\t\t\tfuse_short_read(inode, ia->read.attr_ver, num_read, ap);\n\n\t\tfuse_invalidate_atime(inode);\n\t}\n\n\tfor (i = 0; i < ap->num_pages; i++) {\n\t\tstruct page *page = ap->pages[i];\n\n\t\tif (!err)\n\t\t\tSetPageUptodate(page);\n\t\telse\n\t\t\tSetPageError(page);\n\t\tunlock_page(page);\n\t\tput_page(page);\n\t}\n\tif (ia->ff)\n\t\tfuse_file_put(ia->ff, false, false);\n\n\tfuse_io_free(ia);\n}", "project": "linux", "hash": 117201947098606180880407388278521629346, "size": 40, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341922 }, { "func": "void complement_pos(struct vc_data *vc, int offset)\n{\n\tstatic int old_offset = -1;\n\tstatic unsigned short old;\n\tstatic unsigned short oldx, oldy;\n\n\tWARN_CONSOLE_UNLOCKED();\n\n\tif (old_offset != -1 && old_offset >= 0 &&\n\t old_offset < vc->vc_screenbuf_size) {\n\t\tscr_writew(old, screenpos(vc, old_offset, 1));\n\t\tif (con_should_update(vc))\n\t\t\tvc->vc_sw->con_putc(vc, old, oldy, oldx);\n\t\tnotify_update(vc);\n\t}\n\n\told_offset = offset;\n\n\tif (offset != -1 && offset >= 0 &&\n\t offset < vc->vc_screenbuf_size) {\n\t\tunsigned short new;\n\t\tunsigned short *p;\n\t\tp = screenpos(vc, offset, 1);\n\t\told = scr_readw(p);\n\t\tnew = old ^ vc->vc_complement_mask;\n\t\tscr_writew(new, p);\n\t\tif (con_should_update(vc)) {\n\t\t\toldx = (offset >> 1) % vc->vc_cols;\n\t\t\toldy = (offset >> 1) / vc->vc_cols;\n\t\t\tvc->vc_sw->con_putc(vc, new, oldy, oldx);\n\t\t}\n\t\tnotify_update(vc);\n\t}\n}", "project": "linux", "hash": 222502150141364183133060995970855711284, "size": 34, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437086 }, { "func": "void CLua::fnreturns(const char *format, ...)\n{\n lua_State *ls = _state;\n\n if (!format || !ls)\n return;\n\n va_list args;\n va_start(args, format);\n vfnreturns(format, args);\n va_end(args);\n}", "project": "crawl", "hash": 21244069442622127045688179398707082539, "size": 12, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230515 }, { "func": "void dbug_serve_apcs(THD *thd, int n_calls)\n{\n const char *save_proc_info= thd->proc_info;\n \n /* Busy-wait for n_calls APC requests to arrive and be processed */\n int n_apcs= thd->apc_target.n_calls_processed + n_calls;\n while (thd->apc_target.n_calls_processed < n_apcs)\n {\n /* This is so that mysqltest knows we're ready to serve requests: */\n thd_proc_info(thd, \"show_explain_trap\");\n my_sleep(30000);\n thd_proc_info(thd, save_proc_info);\n if (unlikely(thd->check_killed(1)))\n break;\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 318299152539622885595249704331864892015, "size": 16, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508615 }, { "func": "static void virtual_engine_initial_hint(struct virtual_engine *ve)\n{\n\tint swp;\n\n\t/*\n\t * Pick a random sibling on starting to help spread the load around.\n\t *\n\t * New contexts are typically created with exactly the same order\n\t * of siblings, and often started in batches. Due to the way we iterate\n\t * the array of sibling when submitting requests, sibling[0] is\n\t * prioritised for dequeuing. If we make sure that sibling[0] is fairly\n\t * randomised across the system, we also help spread the load by the\n\t * first engine we inspect being different each time.\n\t *\n\t * NB This does not force us to execute on this engine, it will just\n\t * typically be the first we inspect for submission.\n\t */\n\tswp = prandom_u32_max(ve->num_siblings);\n\tif (!swp)\n\t\treturn;\n\n\tswap(ve->siblings[swp], ve->siblings[0]);\n\tif (!intel_engine_has_relative_mmio(ve->siblings[0]))\n\t\tvirtual_update_register_offsets(ve->context.lrc_reg_state,\n\t\t\t\t\t\tve->siblings[0]);\n}", "project": "linux", "hash": 314895575201263988455140653245505913528, "size": 26, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. 
This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281472 }, { "func": "static int io_import_fixed(struct io_kiocb *req, int rw, struct iov_iter *iter)\n{\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tstruct io_mapped_ubuf *imu = req->imu;\n\tu16 index, buf_index = req->buf_index;\n\n\tif (likely(!imu)) {\n\t\tif (unlikely(buf_index >= ctx->nr_user_bufs))\n\t\t\treturn -EFAULT;\n\t\tindex = array_index_nospec(buf_index, ctx->nr_user_bufs);\n\t\timu = READ_ONCE(ctx->user_bufs[index]);\n\t\treq->imu = imu;\n\t}\n\treturn __io_import_fixed(req, rw, iter, imu);\n}", "project": "linux", "hash": 327880547706546005027492489996937604813, "size": 15, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338622 }, { "func": "static char* oidc_get_browser_state_hash(request_rec *r, oidc_cfg *c,\n\t\tconst char *nonce) {\n\n\toidc_debug(r, \"enter\");\n\n\t/* helper to hold to header values */\n\tconst char *value = NULL;\n\t/* the hash context */\n\tapr_sha1_ctx_t sha1;\n\n\t/* Initialize the hash context */\n\tapr_sha1_init(&sha1);\n\n\tif (c->state_input_headers & OIDC_STATE_INPUT_HEADERS_X_FORWARDED_FOR) {\n\t\t/* get the X-FORWARDED-FOR header value */\n\t\tvalue = oidc_util_hdr_in_x_forwarded_for_get(r);\n\t\t/* if we have a value for this header, concat it to the hash input */\n\t\tif (value != NULL)\n\t\t\tapr_sha1_update(&sha1, value, strlen(value));\n\t}\n\n\tif (c->state_input_headers & OIDC_STATE_INPUT_HEADERS_USER_AGENT) {\n\t\t/* get the USER-AGENT header value */\n\t\tvalue = oidc_util_hdr_in_user_agent_get(r);\n\t\t/* if we have a value for this header, concat it to the hash input */\n\t\tif (value != NULL)\n\t\t\tapr_sha1_update(&sha1, value, strlen(value));\n\t}\n\n\t/* get the remote client IP address or host name */\n\t/*\n\t int remotehost_is_ip;\n\t value = ap_get_remote_host(r->connection, r->per_dir_config,\n\t REMOTE_NOLOOKUP, &remotehost_is_ip);\n\t apr_sha1_update(&sha1, value, strlen(value));\n\t */\n\n\t/* concat the nonce parameter to the hash input */\n\tapr_sha1_update(&sha1, nonce, strlen(nonce));\n\n\t/* concat the token 
binding ID if present */\n\tvalue = oidc_util_get_provided_token_binding_id(r);\n\tif (value != NULL) {\n\t\toidc_debug(r,\n\t\t\t\t\"Provided Token Binding ID environment variable found; adding its value to the state\");\n\t\tapr_sha1_update(&sha1, value, strlen(value));\n\t}\n\n\t/* finalize the hash input and calculate the resulting hash output */\n\tunsigned char hash[OIDC_SHA1_LEN];\n\tapr_sha1_final(hash, &sha1);\n\n\t/* base64url-encode the resulting hash and return it */\n\tchar *result = NULL;\n\toidc_base64url_encode(r, &result, (const char*) hash, OIDC_SHA1_LEN, TRUE);\n\treturn result;\n}", "project": "mod_auth_openidc", "hash": 195786476180189920502853059560255485380, "size": 57, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381919 }, { "func": "static int sctp_setsockopt_del_key(struct sock *sk,\n\t\t\t\t struct sctp_authkeyid *val,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_endpoint *ep = sctp_sk(sk)->ep;\n\tstruct sctp_association *asoc;\n\tint ret = 0;\n\n\tif (optlen != sizeof(struct sctp_authkeyid))\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, val->scact_assoc_id);\n\tif (!asoc && val->scact_assoc_id > SCTP_ALL_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc)\n\t\treturn sctp_auth_del_key_id(ep, asoc, val->scact_keynumber);\n\n\tif (sctp_style(sk, TCP))\n\t\tval->scact_assoc_id = SCTP_FUTURE_ASSOC;\n\n\tif (val->scact_assoc_id == SCTP_FUTURE_ASSOC ||\n\t val->scact_assoc_id == SCTP_ALL_ASSOC) {\n\t\tret = sctp_auth_del_key_id(ep, asoc, val->scact_keynumber);\n\t\tif (ret)\n\t\t\treturn ret;\n\t}\n\n\tif (val->scact_assoc_id == SCTP_CURRENT_ASSOC ||\n\t val->scact_assoc_id == SCTP_ALL_ASSOC) {\n\t\tlist_for_each_entry(asoc, &ep->asocs, asocs) {\n\t\t\tint res = sctp_auth_del_key_id(ep, 
asoc,\n\t\t\t\t\t\t val->scact_keynumber);\n\n\t\t\tif (res && !ret)\n\t\t\t\tret = res;\n\t\t}\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 19580773935479739227488246931234461031, "size": 42, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398112 }, { "func": "void CSoundFile::GlobalVolSlide(ModCommand::PARAM param, uint8 &nOldGlobalVolSlide)\n{\n\tint32 nGlbSlide = 0;\n\tif (param) nOldGlobalVolSlide = param; else param = nOldGlobalVolSlide;\n\n\tif((GetType() & (MOD_TYPE_XM | MOD_TYPE_MT2)))\n\t{\n\t\t// XM nibble priority\n\t\tif((param & 0xF0) != 0)\n\t\t{\n\t\t\tparam &= 0xF0;\n\t\t} else\n\t\t{\n\t\t\tparam &= 0x0F;\n\t\t}\n\t}\n\n\tif (((param & 0x0F) == 0x0F) && (param & 0xF0))\n\t{\n\t\tif(m_SongFlags[SONG_FIRSTTICK]) nGlbSlide = (param >> 4) * 2;\n\t} else\n\tif (((param & 0xF0) == 0xF0) && (param & 0x0F))\n\t{\n\t\tif(m_SongFlags[SONG_FIRSTTICK]) nGlbSlide = - (int)((param & 0x0F) * 2);\n\t} else\n\t{\n\t\tif(!m_SongFlags[SONG_FIRSTTICK])\n\t\t{\n\t\t\tif (param & 0xF0)\n\t\t\t{\n\t\t\t\t// IT compatibility: Ignore slide commands with both nibbles set.\n\t\t\t\tif(!(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT | MOD_TYPE_IMF | MOD_TYPE_J2B | MOD_TYPE_MID | MOD_TYPE_AMS | MOD_TYPE_AMS2 | MOD_TYPE_DBM)) || (param & 0x0F) == 0)\n\t\t\t\t\tnGlbSlide = (int)((param & 0xF0) >> 4) * 2;\n\t\t\t} else\n\t\t\t{\n\t\t\t\tnGlbSlide = -(int)((param & 0x0F) * 2);\n\t\t\t}\n\t\t}\n\t}\n\tif (nGlbSlide)\n\t{\n\t\tif(!(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT | MOD_TYPE_IMF | MOD_TYPE_J2B | MOD_TYPE_MID | MOD_TYPE_AMS | MOD_TYPE_AMS2 | MOD_TYPE_DBM))) nGlbSlide *= 2;\n\t\tnGlbSlide += m_PlayState.m_nGlobalVolume;\n\t\tLimit(nGlbSlide, 0, 256);\n\t\tm_PlayState.m_nGlobalVolume = nGlbSlide;\n\t}\n}", "project": "openmpt", "hash": 297457874013589813053739653835093971822, "size": 47, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": 
"other", "idx": 255196 }, { "func": "static void discov_off(struct work_struct *work)\n{\n\tstruct hci_dev *hdev = container_of(work, struct hci_dev,\n\t\t\t\t\t discov_off.work);\n\n\tbt_dev_dbg(hdev, \"\");\n\n\thci_dev_lock(hdev);\n\n\t/* When discoverable timeout triggers, then just make sure\n\t * the limited discoverable flag is cleared. Even in the case\n\t * of a timeout triggered from general discoverable, it is\n\t * safe to unconditionally clear the flag.\n\t */\n\thci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);\n\thci_dev_clear_flag(hdev, HCI_DISCOVERABLE);\n\thdev->discov_timeout = 0;\n\n\thci_dev_unlock(hdev);\n\n\thci_req_sync(hdev, discoverable_update, 0, HCI_CMD_TIMEOUT, NULL);\n\tmgmt_new_settings(hdev);\n}", "project": "linux", "hash": 78357797461438496568600945882964916189, "size": 23, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402517 }, { "func": "static void x25_insert_socket(struct sock *sk)\n{\n\twrite_lock_bh(&x25_list_lock);\n\tsk_add_node(sk, &x25_list);\n\twrite_unlock_bh(&x25_list_lock);\n}", "project": "net", "hash": 33823208010184164262419585501690877093, "size": 6, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 449188 }, { "func": "static void output_printk(struct trace_event_buffer *fbuffer)\n{\n\tstruct trace_event_call *event_call;\n\tstruct trace_event *event;\n\tunsigned long flags;\n\tstruct trace_iterator *iter = tracepoint_print_iter;\n\n\t/* We should never get here if iter is NULL */\n\tif (WARN_ON_ONCE(!iter))\n\t\treturn;\n\n\tevent_call = fbuffer->trace_file->event_call;\n\tif (!event_call || !event_call->event.funcs ||\n\t !event_call->event.funcs->trace)\n\t\treturn;\n\n\tevent = &fbuffer->trace_file->event_call->event;\n\n\tspin_lock_irqsave(&tracepoint_iter_lock, flags);\n\ttrace_seq_init(&iter->seq);\n\titer->ent = fbuffer->entry;\n\tevent_call->event.funcs->trace(iter, 0, event);\n\ttrace_seq_putc(&iter->seq, 0);\n\tprintk(\"%s\", iter->seq.buffer);\n\n\tspin_unlock_irqrestore(&tracepoint_iter_lock, flags);\n}", "project": "linux", "hash": 200330998747193227434046574164768854798, "size": 27, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445685 }, { "func": "R_API int r_str_word_set0_stack(char *str) {\n\tint i;\n\tchar *p, *q;\n\tRStack *s;\n\tvoid *pop;\n\tif (!str || !*str) {\n\t\treturn 0;\n\t}\n\tfor (i = 0; str[i] && str[i+1]; i++) {\n\t\tif (i > 0 && str[i - 1] == ' ' && str[i] == ' ') {\n\t\t\tmemmove (str + i, str + i + 1, strlen (str + i));\n\t\t\ti--;\n\t\t}\n\t\tif (i == 0 && str[i] == ' ') {\n\t\t\tmemmove (str + i, str + i + 1, strlen (str + i));\n\t\t}\n\t}\n\tif (str[i] == ' ') {\n\t\tstr[i] = 0;\n\t}\n\ts = r_stack_new (5); //Some random number\n\tfor (i = 1, p = str; *p; p++) {\n\t\tq = p - 1;\n\t\tif (p > str && (*q == '\\\\')) {\n\t\t\tmemmove (q, p, strlen (p) + 1);\n\t\t\tp--;\n\t\t\tcontinue;\n\t\t}\n\t\tswitch (*p) {\n\t\tcase '(':\n\t\tcase '{':\n\t\tcase '[':\n\t\t\tr_stack_push (s, (void *)p);\n\t\t\tcontinue;\n\t\tcase '\\'':\n\t\tcase '\"':\n\t\t\tpop = r_stack_pop (s);\n\t\t\tif (pop && *(char *)pop != *p) {\n\t\t\t\tr_stack_push (s, pop);\n\t\t\t\tr_stack_push (s, (void *)p);\n\t\t\t} else if (!pop) {\n\t\t\t\tr_stack_push (s, (void *)p);\n\t\t\t}\n\t\t\tcontinue;\n\t\tcase ')':\n\t\tcase '}':\n\t\tcase ']':\n\t\t\tpop = r_stack_pop (s);\n\t\t\tif (pop) {\n\t\t\t\tif ((*(char *)pop == '(' && *p == ')') ||\n\t\t\t\t\t(*(char *)pop == '{' && *p == '}') ||\n\t\t\t\t\t(*(char *)pop == '[' && *p == ']')) {\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\t\tcase ' ':\n\t\t\tif (p > str && !*q) {\n\t\t\t\tmemmove (p, p+1, strlen (p + 1) + 1);\n\t\t\t\tif (*q == '\\\\') {\n\t\t\t\t\t*q = ' ';\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t\tp--;\n\t\t\t}\n\t\t\tif 
(r_stack_is_empty (s)) {\n\t\t\t\ti++;\n\t\t\t\t*p = '\\0';\n\t\t\t}\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\t}\n\tr_stack_free (s);\n\treturn i;\n}", "project": "radare2", "hash": 124795445084072312197600138499629845844, "size": 76, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268824 }, { "func": "OPJ_BOOL opj_tcd_encode_tile(opj_tcd_t *p_tcd,\n OPJ_UINT32 p_tile_no,\n OPJ_BYTE *p_dest,\n OPJ_UINT32 * p_data_written,\n OPJ_UINT32 p_max_length,\n opj_codestream_info_t *p_cstr_info,\n opj_tcd_marker_info_t* p_marker_info,\n opj_event_mgr_t *p_manager)\n{\n\n if (p_tcd->cur_tp_num == 0) {\n\n p_tcd->tcd_tileno = p_tile_no;\n p_tcd->tcp = &p_tcd->cp->tcps[p_tile_no];\n\n /* INDEX >> \"Precinct_nb_X et Precinct_nb_Y\" */\n if (p_cstr_info) {\n OPJ_UINT32 l_num_packs = 0;\n OPJ_UINT32 i;\n opj_tcd_tilecomp_t *l_tilec_idx =\n 
&p_tcd->tcd_image->tiles->comps[0]; /* based on component 0 */\n opj_tccp_t *l_tccp = p_tcd->tcp->tccps; /* based on component 0 */\n\n for (i = 0; i < l_tilec_idx->numresolutions; i++) {\n opj_tcd_resolution_t *l_res_idx = &l_tilec_idx->resolutions[i];\n\n p_cstr_info->tile[p_tile_no].pw[i] = (int)l_res_idx->pw;\n p_cstr_info->tile[p_tile_no].ph[i] = (int)l_res_idx->ph;\n\n l_num_packs += l_res_idx->pw * l_res_idx->ph;\n p_cstr_info->tile[p_tile_no].pdx[i] = (int)l_tccp->prcw[i];\n p_cstr_info->tile[p_tile_no].pdy[i] = (int)l_tccp->prch[i];\n }\n p_cstr_info->tile[p_tile_no].packet = (opj_packet_info_t*) opj_calloc((\n OPJ_SIZE_T)p_cstr_info->numcomps * (OPJ_SIZE_T)p_cstr_info->numlayers *\n l_num_packs,\n sizeof(opj_packet_info_t));\n if (!p_cstr_info->tile[p_tile_no].packet) {\n /* FIXME event manager error callback */\n return OPJ_FALSE;\n }\n }\n /* << INDEX */\n\n /* FIXME _ProfStart(PGROUP_DC_SHIFT); */\n /*---------------TILE-------------------*/\n if (! opj_tcd_dc_level_shift_encode(p_tcd)) {\n return OPJ_FALSE;\n }\n /* FIXME _ProfStop(PGROUP_DC_SHIFT); */\n\n /* FIXME _ProfStart(PGROUP_MCT); */\n if (! opj_tcd_mct_encode(p_tcd)) {\n return OPJ_FALSE;\n }\n /* FIXME _ProfStop(PGROUP_MCT); */\n\n /* FIXME _ProfStart(PGROUP_DWT); */\n if (! opj_tcd_dwt_encode(p_tcd)) {\n return OPJ_FALSE;\n }\n /* FIXME _ProfStop(PGROUP_DWT); */\n\n /* FIXME _ProfStart(PGROUP_T1); */\n if (! opj_tcd_t1_encode(p_tcd)) {\n return OPJ_FALSE;\n }\n /* FIXME _ProfStop(PGROUP_T1); */\n\n /* FIXME _ProfStart(PGROUP_RATE); */\n if (! opj_tcd_rate_allocate_encode(p_tcd, p_dest, p_max_length,\n p_cstr_info, p_manager)) {\n return OPJ_FALSE;\n }\n /* FIXME _ProfStop(PGROUP_RATE); */\n\n }\n /*--------------TIER2------------------*/\n\n /* INDEX */\n if (p_cstr_info) {\n p_cstr_info->index_write = 1;\n }\n /* FIXME _ProfStart(PGROUP_T2); */\n\n if (! 
opj_tcd_t2_encode(p_tcd, p_dest, p_data_written, p_max_length,\n p_cstr_info, p_marker_info, p_manager)) {\n return OPJ_FALSE;\n }\n /* FIXME _ProfStop(PGROUP_T2); */\n\n /*---------------CLEAN-------------------*/\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 65302118175769167633602423254932226742, "size": 95, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359160 }, { "func": "static int follow_dotdot(struct nameidata *nd)\n{\n\twhile(1) {\n\t\tif (path_equal(&nd->path, &nd->root))\n\t\t\tbreak;\n\t\tif (nd->path.dentry != nd->path.mnt->mnt_root) {\n\t\t\tint ret = path_parent_directory(&nd->path);\n\t\t\tif (ret)\n\t\t\t\treturn ret;\n\t\t\tbreak;\n\t\t}\n\t\tif (!follow_up(&nd->path))\n\t\t\tbreak;\n\t}\n\tfollow_mount(&nd->path);\n\tnd->inode = nd->path.dentry->d_inode;\n\treturn 0;\n}", "project": "linux", "hash": 103743366129787881276084168602235764095, "size": 18, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295326 }, { "func": "bool CPlayListPLS::Resize(std::vector ::size_type newSize)\n{\n if (newSize == 0)\n return false;\n\n while (m_vecItems.size() < newSize)\n {\n CFileItemPtr fileItem(new CFileItem());\n m_vecItems.push_back(fileItem);\n }\n return true;\n}", "project": "xbmc", "hash": 304012215008440518838106649839903079365, "size": 12, "commit_id": "80c8138c09598e88b4ddb6dbb279fa193bbb3237", "message": "[Playlist] dont use istream directly to a tinyxml structure\n\nTurn istream into a std::string to handle large buffers (#20305)", "target": 0, "dataset": 
"other", "idx": 219936 }, { "func": " inline void Resize(int dimensions_count) {\n if (size_ > kMaxSmallSize) {\n#ifdef TF_LITE_STATIC_MEMORY\n TFLITE_CHECK(false && \"No shape resizing supported on this platform\");\n#else // TF_LITE_STATIC_MEMORY\n delete[] dims_pointer_;\n#endif // TF_LITE_STATIC_MEMORY\n }\n size_ = dimensions_count;\n if (dimensions_count > kMaxSmallSize) {\n#ifdef TF_LITE_STATIC_MEMORY\n TFLITE_CHECK(false && \"No shape resizing supported on this platform\");\n#else // TF_LITE_STATIC_MEMORY\n dims_pointer_ = new int32_t[dimensions_count];\n#endif // TF_LITE_STATIC_MEMORY\n }\n }", "project": "tensorflow", "hash": 36618682480899939582540024648172847189, "size": 17, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269176 }, { "func": "static void __tipc_node_link_up(struct tipc_node *n, int bearer_id,\n\t\t\t\tstruct sk_buff_head *xmitq)\n{\n\tint *slot0 = &n->active_links[0];\n\tint *slot1 = &n->active_links[1];\n\tstruct tipc_link *ol = node_active_link(n, 0);\n\tstruct tipc_link *nl = n->links[bearer_id].link;\n\n\tif (!nl || tipc_link_is_up(nl))\n\t\treturn;\n\n\ttipc_link_fsm_evt(nl, LINK_ESTABLISH_EVT);\n\tif (!tipc_link_is_up(nl))\n\t\treturn;\n\n\tn->working_links++;\n\tn->action_flags |= TIPC_NOTIFY_LINK_UP;\n\tn->link_id = tipc_link_id(nl);\n\n\t/* Leave room for tunnel header when returning 'mtu' to users: */\n\tn->links[bearer_id].mtu = tipc_link_mss(nl);\n\n\ttipc_bearer_add_dest(n->net, bearer_id, n->addr);\n\ttipc_bcast_inc_bearer_dst_cnt(n->net, bearer_id);\n\n\tpr_debug(\"Established link <%s> on network plane %c\\n\",\n\t\t tipc_link_name(nl), tipc_link_plane(nl));\n\ttrace_tipc_node_link_up(n, true, \" \");\n\n\t/* Ensure that a STATE message goes first */\n\ttipc_link_build_state_msg(nl, xmitq);\n\n\t/* First link? 
=> give it both slots */\n\tif (!ol) {\n\t\t*slot0 = bearer_id;\n\t\t*slot1 = bearer_id;\n\t\ttipc_node_fsm_evt(n, SELF_ESTABL_CONTACT_EVT);\n\t\tn->action_flags |= TIPC_NOTIFY_NODE_UP;\n\t\ttipc_link_set_active(nl, true);\n\t\ttipc_bcast_add_peer(n->net, nl, xmitq);\n\t\treturn;\n\t}\n\n\t/* Second link => redistribute slots */\n\tif (tipc_link_prio(nl) > tipc_link_prio(ol)) {\n\t\tpr_debug(\"Old link <%s> becomes standby\\n\", tipc_link_name(ol));\n\t\t*slot0 = bearer_id;\n\t\t*slot1 = bearer_id;\n\t\ttipc_link_set_active(nl, true);\n\t\ttipc_link_set_active(ol, false);\n\t} else if (tipc_link_prio(nl) == tipc_link_prio(ol)) {\n\t\ttipc_link_set_active(nl, true);\n\t\t*slot1 = bearer_id;\n\t} else {\n\t\tpr_debug(\"New link <%s> is standby\\n\", tipc_link_name(nl));\n\t}\n\n\t/* Prepare synchronization with first link */\n\ttipc_link_tnl_prepare(ol, nl, SYNCH_MSG, xmitq);\n}", "project": "linux", "hash": 319080340730130374917822693678554207049, "size": 60, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n 
genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n 
kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364959 }, { "func": "enumerate_providers_fn (const char * const name,\n const char * const desc,\n const char * const file,\n void * ud) /* {{{ */\n{\n\tzval *zdesc = (zval *) ud;\n\tzval *tmp_array;\n\n\tMAKE_STD_ZVAL(tmp_array);\n\tarray_init(tmp_array);\n\n\tadd_assoc_string(tmp_array, \"name\", (char *)name, 1);\n\tadd_assoc_string(tmp_array, \"desc\", (char *)desc, 1);\n\tadd_assoc_string(tmp_array, \"file\", (char *)file, 1);\n\n\tif (Z_TYPE_P(zdesc)!=IS_ARRAY) {\n\t\tarray_init(zdesc);\n\t}\n\n\tadd_next_index_zval(zdesc, tmp_array);\n}", "project": "php-src", "hash": 320621141410246867904541190595587861688, "size": 21, "commit_id": "bdfe457a2c1b47209e32783b3a6447e81baf179a", "message": "Port for for bug #68552", "target": 0, "dataset": "other", "idx": 429195 }, { "func": "static int save_avio_options(AVFormatContext *s)\n{\n HLSContext *c = s->priv_data;\n const char *opts[] = { \"headers\", \"user_agent\", \"user-agent\", \"cookies\", NULL }, **opt = opts;\n uint8_t *buf;\n int ret = 0;\n\n while (*opt) {\n if (av_opt_get(s->pb, *opt, AV_OPT_SEARCH_CHILDREN, &buf) >= 0) {\n ret = av_dict_set(&c->avio_opts, *opt, buf,\n AV_DICT_DONT_STRDUP_VAL);\n if (ret < 0)\n return ret;\n }\n opt++;\n }\n\n return ret;\n}", "project": "FFmpeg", "hash": 181555837689814527763424901213155416489, "size": 19, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270443 }, { "func": " * iscsi interface functions\n */\nstatic struct iscsi_internal *\niscsi_if_transport_lookup(struct iscsi_transport *tt)\n{\n\tstruct iscsi_internal *priv;\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&iscsi_transport_lock, 
flags);\n\tlist_for_each_entry(priv, &iscsi_transports, list) {\n\t\tif (tt == priv->iscsi_transport) {\n\t\t\tspin_unlock_irqrestore(&iscsi_transport_lock, flags);\n\t\t\treturn priv;\n\t\t}\n\t}", "project": "linux", "hash": 37256994103183618815182202673651779663, "size": 15, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379958 }, { "func": "void WebContents::Print(gin_helper::Arguments* args) {\n gin_helper::Dictionary options =\n gin::Dictionary::CreateEmpty(args->isolate());\n base::Value settings(base::Value::Type::DICTIONARY);\n\n if (args->Length() >= 1 && !args->GetNext(&options)) {\n args->ThrowError(\"webContents.print(): Invalid print settings specified.\");\n return;\n }\n\n printing::CompletionCallback callback;\n if (args->Length() == 2 && !args->GetNext(&callback)) {\n args->ThrowError(\n \"webContents.print(): Invalid optional callback provided.\");\n return;\n }\n\n // Set optional silent printing\n bool silent = false;\n options.Get(\"silent\", &silent);\n\n bool print_background = false;\n options.Get(\"printBackground\", &print_background);\n settings.SetBoolKey(printing::kSettingShouldPrintBackgrounds,\n print_background);\n\n // Set custom margin settings\n gin_helper::Dictionary margins =\n gin::Dictionary::CreateEmpty(args->isolate());\n if (options.Get(\"margins\", &margins)) {\n printing::MarginType margin_type = printing::DEFAULT_MARGINS;\n margins.Get(\"marginType\", &margin_type);\n settings.SetIntKey(printing::kSettingMarginsType, 
margin_type);\n\n if (margin_type == printing::CUSTOM_MARGINS) {\n base::Value custom_margins(base::Value::Type::DICTIONARY);\n int top = 0;\n margins.Get(\"top\", &top);\n custom_margins.SetIntKey(printing::kSettingMarginTop, top);\n int bottom = 0;\n margins.Get(\"bottom\", &bottom);\n custom_margins.SetIntKey(printing::kSettingMarginBottom, bottom);\n int left = 0;\n margins.Get(\"left\", &left);\n custom_margins.SetIntKey(printing::kSettingMarginLeft, left);\n int right = 0;\n margins.Get(\"right\", &right);\n custom_margins.SetIntKey(printing::kSettingMarginRight, right);\n settings.SetPath(printing::kSettingMarginsCustom,\n std::move(custom_margins));\n }\n } else {\n settings.SetIntKey(printing::kSettingMarginsType,\n printing::DEFAULT_MARGINS);\n }\n\n // Set whether to print color or greyscale\n bool print_color = true;\n options.Get(\"color\", &print_color);\n int color_setting = print_color ? printing::COLOR : printing::GRAY;\n settings.SetIntKey(printing::kSettingColor, color_setting);\n\n // Is the orientation landscape or portrait.\n bool landscape = false;\n options.Get(\"landscape\", &landscape);\n settings.SetBoolKey(printing::kSettingLandscape, landscape);\n\n // We set the default to the system's default printer and only update\n // if at the Chromium level if the user overrides.\n // Printer device name as opened by the OS.\n base::string16 device_name;\n options.Get(\"deviceName\", &device_name);\n if (!device_name.empty() && !IsDeviceNameValid(device_name)) {\n args->ThrowError(\"webContents.print(): Invalid deviceName provided.\");\n return;\n }\n\n int scale_factor = 100;\n options.Get(\"scaleFactor\", &scale_factor);\n settings.SetIntKey(printing::kSettingScaleFactor, scale_factor);\n\n int pages_per_sheet = 1;\n options.Get(\"pagesPerSheet\", &pages_per_sheet);\n settings.SetIntKey(printing::kSettingPagesPerSheet, pages_per_sheet);\n\n // True if the user wants to print with collate.\n bool collate = true;\n options.Get(\"collate\", 
&collate);\n settings.SetBoolKey(printing::kSettingCollate, collate);\n\n // The number of individual copies to print\n int copies = 1;\n options.Get(\"copies\", &copies);\n settings.SetIntKey(printing::kSettingCopies, copies);\n\n // Strings to be printed as headers and footers if requested by the user.\n std::string header;\n options.Get(\"header\", &header);\n std::string footer;\n options.Get(\"footer\", &footer);\n\n if (!(header.empty() && footer.empty())) {\n settings.SetBoolKey(printing::kSettingHeaderFooterEnabled, true);\n\n settings.SetStringKey(printing::kSettingHeaderFooterTitle, header);\n settings.SetStringKey(printing::kSettingHeaderFooterURL, footer);\n } else {\n settings.SetBoolKey(printing::kSettingHeaderFooterEnabled, false);\n }\n\n // We don't want to allow the user to enable these settings\n // but we need to set them or a CHECK is hit.\n settings.SetIntKey(printing::kSettingPrinterType,\n static_cast(printing::PrinterType::kLocal));\n settings.SetBoolKey(printing::kSettingShouldPrintSelectionOnly, false);\n settings.SetBoolKey(printing::kSettingRasterizePdf, false);\n\n // Set custom page ranges to print\n std::vector page_ranges;\n if (options.Get(\"pageRanges\", &page_ranges)) {\n base::Value page_range_list(base::Value::Type::LIST);\n for (auto& range : page_ranges) {\n int from, to;\n if (range.Get(\"from\", &from) && range.Get(\"to\", &to)) {\n base::Value range(base::Value::Type::DICTIONARY);\n range.SetIntKey(printing::kSettingPageRangeFrom, from);\n range.SetIntKey(printing::kSettingPageRangeTo, to);\n page_range_list.Append(std::move(range));\n } else {\n continue;\n }\n }\n if (page_range_list.GetList().size() > 0)\n settings.SetPath(printing::kSettingPageRange, std::move(page_range_list));\n }\n\n // Duplex type user wants to use.\n printing::mojom::DuplexMode duplex_mode =\n printing::mojom::DuplexMode::kSimplex;\n options.Get(\"duplexMode\", &duplex_mode);\n settings.SetIntKey(printing::kSettingDuplexMode,\n 
static_cast(duplex_mode));\n\n // We've already done necessary parameter sanitization at the\n // JS level, so we can simply pass this through.\n base::Value media_size(base::Value::Type::DICTIONARY);\n if (options.Get(\"mediaSize\", &media_size))\n settings.SetKey(printing::kSettingMediaSize, std::move(media_size));\n\n // Set custom dots per inch (dpi)\n gin_helper::Dictionary dpi_settings;\n int dpi = 72;\n if (options.Get(\"dpi\", &dpi_settings)) {\n int horizontal = 72;\n dpi_settings.Get(\"horizontal\", &horizontal);\n settings.SetIntKey(printing::kSettingDpiHorizontal, horizontal);\n int vertical = 72;\n dpi_settings.Get(\"vertical\", &vertical);\n settings.SetIntKey(printing::kSettingDpiVertical, vertical);\n } else {\n settings.SetIntKey(printing::kSettingDpiHorizontal, dpi);\n settings.SetIntKey(printing::kSettingDpiVertical, dpi);\n }\n\n base::ThreadPool::PostTaskAndReplyWithResult(\n FROM_HERE, {base::MayBlock(), base::TaskPriority::USER_BLOCKING},\n base::BindOnce(&GetDefaultPrinterAsync),\n base::BindOnce(&WebContents::OnGetDefaultPrinter,\n weak_factory_.GetWeakPtr(), std::move(settings),\n std::move(callback), device_name, silent));\n}", "project": "electron", "hash": 142516265582482880990854705852892268115, "size": 171, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269742 }, { "func": " const String& shrink(size_t len) {\n assertx(m_str && !m_str->isImmutable());\n if (m_str->capacity() - len > kMinShrinkThreshold) {\n m_str = req::ptr::attach(m_str->shrinkImpl(len));\n } else {\n assertx(len < StringData::MaxSize);\n m_str->setSize(len);\n }\n 
return *this;\n }", "project": "hhvm", "hash": 12657666255464479322152592091778188640, "size": 10, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219681 }, { "func": "static void nfs4_locku_prepare(struct rpc_task *task, void *data)\n{\n\tstruct nfs4_unlockdata *calldata = data;\n\n\tif (test_bit(NFS_CONTEXT_UNLOCK, &calldata->l_ctx->open_context->flags) &&\n\t\tnfs_async_iocounter_wait(task, calldata->l_ctx))\n\t\treturn;\n\n\tif (nfs_wait_on_sequence(calldata->arg.seqid, task) != 0)\n\t\tgoto out_wait;\n\tif (test_bit(NFS_LOCK_INITIALIZED, &calldata->lsp->ls_flags) == 0) {\n\t\t/* Note: exit _without_ running nfs4_locku_done */\n\t\tgoto out_no_action;\n\t}\n\tcalldata->timestamp = jiffies;\n\tif (nfs4_setup_sequence(calldata->server->nfs_client,\n\t\t\t\t&calldata->arg.seq_args,\n\t\t\t\t&calldata->res.seq_res,\n\t\t\t\ttask) != 0)\n\t\tnfs_release_seqid(calldata->arg.seqid);\n\treturn;\nout_no_action:\n\ttask->tk_action = NULL;\nout_wait:\n\tnfs4_sequence_done(task, &calldata->res.seq_res);\n}", "project": "linux", "hash": 186438362868338995842708701111436440778, "size": 26, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431274 }, { "func": "static bool equal(Item *i1, Item *i2, Field *f2)\n{\n DBUG_ASSERT((i2 == NULL) ^ (f2 == NULL));\n\n if (i2 != NULL)\n return i1->eq(i2, 1);\n else if (i1->type() == Item::FIELD_ITEM)\n return f2->eq(((Item_field *) i1)->field);\n else\n return FALSE;\n}", "target": 
0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 157156796562320890117916357348872147052, "size": 11, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508598 }, { "func": "static void write_i2c_regvals(struct sd *sd,\n\t\t\tconst struct ov_i2c_regvals *regvals,\n\t\t\tint n)\n{\n\twhile (--n >= 0) {\n\t\ti2c_w(sd, regvals->reg, regvals->val);\n\t\tregvals++;\n\t}\n}", "project": "linux", "hash": 105399482908786575669706276247924273073, "size": 9, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust 
spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306340 }, { "func": "static int route4_set_parms(struct net *net, struct tcf_proto *tp,\n\t\t\t unsigned long base, struct route4_filter *f,\n\t\t\t u32 handle, struct route4_head *head,\n\t\t\t struct nlattr **tb, struct nlattr *est, int new,\n\t\t\t bool ovr, struct netlink_ext_ack *extack)\n{\n\tu32 id = 0, to = 0, nhandle = 0x8000;\n\tstruct route4_filter *fp;\n\tunsigned int h1;\n\tstruct route4_bucket *b;\n\tint err;\n\n\terr = tcf_exts_validate(net, tp, tb, est, &f->exts, ovr, true, extack);\n\tif (err < 0)\n\t\treturn err;\n\n\tif (tb[TCA_ROUTE4_TO]) {\n\t\tif (new && handle & 0x8000)\n\t\t\treturn -EINVAL;\n\t\tto = nla_get_u32(tb[TCA_ROUTE4_TO]);\n\t\tif (to > 0xFF)\n\t\t\treturn -EINVAL;\n\t\tnhandle = to;\n\t}\n\n\tif (tb[TCA_ROUTE4_FROM]) {\n\t\tif (tb[TCA_ROUTE4_IIF])\n\t\t\treturn -EINVAL;\n\t\tid = nla_get_u32(tb[TCA_ROUTE4_FROM]);\n\t\tif (id > 0xFF)\n\t\t\treturn -EINVAL;\n\t\tnhandle |= id << 16;\n\t} else if (tb[TCA_ROUTE4_IIF]) {\n\t\tid = nla_get_u32(tb[TCA_ROUTE4_IIF]);\n\t\tif (id > 0x7FFF)\n\t\t\treturn -EINVAL;\n\t\tnhandle |= (id | 0x8000) << 16;\n\t} else\n\t\tnhandle |= 0xFFFF << 16;\n\n\tif (handle && new) {\n\t\tnhandle |= handle & 0x7F00;\n\t\tif (nhandle != handle)\n\t\t\treturn -EINVAL;\n\t}\n\n\th1 = to_hash(nhandle);\n\tb = rtnl_dereference(head->table[h1]);\n\tif (!b) {\n\t\tb = kzalloc(sizeof(struct route4_bucket), GFP_KERNEL);\n\t\tif (b == NULL)\n\t\t\treturn -ENOBUFS;\n\n\t\trcu_assign_pointer(head->table[h1], b);\n\t} else {\n\t\tunsigned int h2 = from_hash(nhandle >> 16);\n\n\t\tfor (fp = rtnl_dereference(b->ht[h2]);\n\t\t fp;\n\t\t fp = rtnl_dereference(fp->next))\n\t\t\tif (fp->handle == f->handle)\n\t\t\t\treturn -EEXIST;\n\t}\n\n\tif (tb[TCA_ROUTE4_TO])\n\t\tf->id = to;\n\n\tif (tb[TCA_ROUTE4_FROM])\n\t\tf->id = to | 
id<<16;\n\telse if (tb[TCA_ROUTE4_IIF])\n\t\tf->iif = id;\n\n\tf->handle = nhandle;\n\tf->bkt = b;\n\tf->tp = tp;\n\n\tif (tb[TCA_ROUTE4_CLASSID]) {\n\t\tf->res.classid = nla_get_u32(tb[TCA_ROUTE4_CLASSID]);\n\t\ttcf_bind_filter(tp, &f->res, base);\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 120108660748805797118337573911236983428, "size": 83, "commit_id": "ef299cc3fa1a9e1288665a9fdc8bff55629fd359", "message": "net_sched: cls_route: remove the right filter from hashtable\n\nroute4_change() allocates a new filter and copies values from\nthe old one. After the new filter is inserted into the hash\ntable, the old filter should be removed and freed, as the final\nstep of the update.\n\nHowever, the current code mistakenly removes the new one. This\nlooks apparently wrong to me, and it causes double \"free\" and\nuse-after-free too, as reported by syzbot.\n\nReported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com\nReported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com\nReported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com\nFixes: 1109c00547fc (\"net: sched: RCU cls_route\")\nCc: Jamal Hadi Salim \nCc: Jiri Pirko \nCc: John Fastabend \nSigned-off-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 385784 }, { "func": "bool CClient::OnNoticeMessage(CNoticeMessage& Message) {\n CString sTargets = Message.GetTarget();\n\n VCString vTargets;\n sTargets.Split(\",\", vTargets, false);\n\n for (CString& sTarget : vTargets) {\n Message.SetTarget(sTarget);\n if (m_pNetwork) {\n // May be nullptr.\n Message.SetChan(m_pNetwork->FindChan(sTarget));\n }\n\n if (sTarget.TrimPrefix(m_pUser->GetStatusPrefix())) {\n if (!sTarget.Equals(\"status\")) {\n CALLMOD(sTarget, this, m_pUser, m_pNetwork,\n OnModNotice(Message.GetText()));\n }\n continue;\n }\n\n bool bContinue = false;\n NETWORKMODULECALL(OnUserNoticeMessage(Message), m_pUser, m_pNetwork,\n this, &bContinue);\n if (bContinue) continue;\n\n if (!GetIRCSock()) {\n // Some lagmeters do a NOTICE to their own nick, ignore those.\n if (!sTarget.Equals(m_sNick))\n PutStatus(\n t_f(\"Your notice to {1} got lost, you are not connected to \"\n \"IRC!\")(Message.GetTarget()));\n continue;\n }\n\n if (m_pNetwork) {\n AddBuffer(Message);\n EchoMessage(Message);\n PutIRC(Message.ToString(CMessage::ExcludePrefix |\n CMessage::ExcludeTags));\n }\n }\n\n return true;\n}", "project": "znc", "hash": 228189226271359134809735022571528389126, "size": 45, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231540 }, { "func": "int register_chrdev_region(dev_t from, unsigned count, const char *name)\n{\n\tstruct char_device_struct *cd;\n\tdev_t to = from + count;\n\tdev_t n, next;\n\n\tfor (n = from; n < to; n = next) {\n\t\tnext = MKDEV(MAJOR(n)+1, 0);\n\t\tif (next > to)\n\t\t\tnext = to;\n\t\tcd = __register_chrdev_region(MAJOR(n), MINOR(n),\n\t\t\t next - n, name);\n\t\tif (IS_ERR(cd))\n\t\t\tgoto fail;\n\t}\n\treturn 0;\nfail:\n\tto = n;\n\tfor (n = from; n < to; n = next) {\n\t\tnext = MKDEV(MAJOR(n)+1, 0);\n\t\tkfree(__unregister_chrdev_region(MAJOR(n), MINOR(n), next - 
n));\n\t}\n\treturn PTR_ERR(cd);\n}", "project": "linux", "hash": 153989198717990451147097113783762871967, "size": 24, "commit_id": "68faa679b8be1a74e6663c21c3a9d25d32f1c079", "message": "chardev: Avoid potential use-after-free in 'chrdev_open()'\n\n'chrdev_open()' calls 'cdev_get()' to obtain a reference to the\n'struct cdev *' stashed in the 'i_cdev' field of the target inode\nstructure. If the pointer is NULL, then it is initialised lazily by\nlooking up the kobject in the 'cdev_map' and so the whole procedure is\nprotected by the 'cdev_lock' spinlock to serialise initialisation of\nthe shared pointer.\n\nUnfortunately, it is possible for the initialising thread to fail *after*\ninstalling the new pointer, for example if the subsequent '->open()' call\non the file fails. In this case, 'cdev_put()' is called, the reference\ncount on the kobject is dropped and, if nobody else has taken a reference,\nthe release function is called which finally clears 'inode->i_cdev' from\n'cdev_purge()' before potentially freeing the object. 
The problem here\nis that a racing thread can happily take the 'cdev_lock' and see the\nnon-NULL pointer in the inode, which can result in a refcount increment\nfrom zero and a warning:\n\n | ------------[ cut here ]------------\n | refcount_t: addition on 0; use-after-free.\n | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0\n | Modules linked in:\n | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\n | RIP: 0010:refcount_warn_saturate+0x6d/0xf0\n | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08\n | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282\n | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000\n | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798\n | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039\n | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700\n | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700\n | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0\n | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n | Call Trace:\n | kobject_get+0x5c/0x60\n | cdev_get+0x2b/0x60\n | chrdev_open+0x55/0x220\n | ? cdev_put.part.3+0x20/0x20\n | do_dentry_open+0x13a/0x390\n | path_openat+0x2c8/0x1470\n | do_filp_open+0x93/0x100\n | ? 
selinux_file_ioctl+0x17f/0x220\n | do_sys_open+0x186/0x220\n | do_syscall_64+0x48/0x150\n | entry_SYSCALL_64_after_hwframe+0x44/0xa9\n | RIP: 0033:0x7f3b87efcd0e\n | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4\n | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101\n | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e\n | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c\n | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000\n | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e\n | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000\n | ---[ end trace 24f53ca58db8180a ]---\n\nSince 'cdev_get()' can already fail to obtain a reference, simply move\nit over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',\nwhich will cause the racing thread to return -ENXIO if the initialising\nthread fails unexpectedly.\n\nCc: Hillf Danton \nCc: Andrew Morton \nCc: Al Viro \nReported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com\nSigned-off-by: Will Deacon \nCc: stable \nLink: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 446389 }, { "func": "int print_explain_message_line(select_result_sink *result, \n uint8 options, bool is_analyze,\n uint select_number,\n const char *select_type,\n ha_rows *rows,\n const char *message)\n{\n THD *thd= result->thd;\n MEM_ROOT *mem_root= thd->mem_root;\n Item *item_null= new (mem_root) Item_null(thd);\n List item_list;\n\n item_list.push_back(new (mem_root) Item_int(thd, (int32) select_number),\n mem_root);\n item_list.push_back(new (mem_root) Item_string_sys(thd, select_type),\n mem_root);\n /* `table` */\n item_list.push_back(item_null, mem_root);\n \n /* `partitions` */\n if (options & DESCRIBE_PARTITIONS)\n item_list.push_back(item_null, mem_root);\n \n /* type, 
possible_keys, key, key_len, ref */\n for (uint i=0 ; i < 5; i++)\n item_list.push_back(item_null, mem_root);\n\n /* `rows` */\n if (rows)\n {\n item_list.push_back(new (mem_root) Item_int(thd, *rows,\n MY_INT64_NUM_DECIMAL_DIGITS),\n mem_root);\n }\n else\n item_list.push_back(item_null, mem_root);\n\n /* `r_rows` */\n if (is_analyze)\n item_list.push_back(item_null, mem_root);\n\n /* `filtered` */\n if (is_analyze || options & DESCRIBE_EXTENDED)\n item_list.push_back(item_null, mem_root);\n \n /* `r_filtered` */\n if (is_analyze)\n item_list.push_back(item_null, mem_root);\n\n /* `Extra` */\n if (message)\n item_list.push_back(new (mem_root) Item_string_sys(thd, message),\n mem_root);\n else\n item_list.push_back(item_null, mem_root);\n\n if (unlikely(thd->is_fatal_error) || unlikely(result->send_data(item_list)))\n return 1;\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 324949781555560370139901482652487413693, "size": 60, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508524 }, { "func": "static void nfc_sock_link(struct nfc_sock_list *l, struct sock *sk)\n{\n\twrite_lock(&l->lock);\n\tsk_add_node(sk, &l->head);\n\twrite_unlock(&l->lock);\n}", "project": "linux", "hash": 31428420676961774938017215616030183667, "size": 6, "commit_id": "26896f01467a28651f7a536143fe5ac8449d4041", "message": "net/nfc/rawsock.c: add CAP_NET_RAW check.\n\nWhen creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.\n\nSigned-off-by: Qingyu Li \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 319217 }, { "func": "static void validate_slab(struct kmem_cache *s, struct page *page)\n{\n\tvoid *p;\n\tvoid *addr = page_address(page);\n\tunsigned long *map;\n\n\tslab_lock(page);\n\n\tif (!check_slab(s, page) || !on_freelist(s, page, NULL))\n\t\tgoto unlock;\n\n\t/* Now we know that a valid freelist exists */\n\tmap = get_map(s, page);\n\tfor_each_object(p, s, addr, page->objects) {\n\t\tu8 val = test_bit(slab_index(p, s, addr), map) ?\n\t\t\t SLUB_RED_INACTIVE : SLUB_RED_ACTIVE;\n\n\t\tif (!check_object(s, page, p, val))\n\t\t\tbreak;\n\t}\n\tput_map(map);\nunlock:\n\tslab_unlock(page);\n}", "project": "linux", "hash": 146265514028111034493530304980107447976, "size": 24, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280143 }, { "func": "static void SFDFixupRef(SplineChar *sc,RefChar *ref,int layer) {\n RefChar *rf;\n int ly;\n\n if ( sc->parent->multilayer ) {\n\tfor ( ly=ly_fore; lysc->layer_cnt; ++ly ) {\n\t for ( rf = ref->sc->layers[ly].refs; rf!=NULL; rf=rf->next ) {\n\t\tif ( rf->sc==sc ) {\t/* Huh? */\n\t\t ref->sc->layers[ly].refs = NULL;\n\t break;\n\t\t}\n\t\tif ( rf->layers[0].splines==NULL )\n\t\t SFDFixupRef(ref->sc,rf,layer);\n\t }\n\t}\n } else {\n\tfor ( rf = ref->sc->layers[layer].refs; rf!=NULL; rf=rf->next ) {\n\t if ( rf->sc==sc ) {\t/* Huh? */\n\t\tref->sc->layers[layer].refs = NULL;\n\tbreak;\n\t }\n\t if ( rf->layers[0].splines==NULL )\n\t\tSFDFixupRef(ref->sc,rf,layer);\n\t}\n }\n SCReinstanciateRefChar(sc,ref,layer);\n SCMakeDependent(sc,ref->sc);\n}", "project": "fontforge", "hash": 243047126626038872296527433251603015836, "size": 28, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417861 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 1, "func": " void VideoRendererBase::FrameReady(VideoDecoder::DecoderStatus status,\n scoped_refptr frame) {\n base::AutoLock 
auto_lock(lock_);\n DCHECK_NE(state_, kUninitialized);\n \n CHECK(pending_read_);\n pending_read_ = false;\n\n if (status != VideoDecoder::kOk) {\n DCHECK(!frame);\n PipelineStatus error = PIPELINE_ERROR_DECODE;\n if (status == VideoDecoder::kDecryptError)\n error = PIPELINE_ERROR_DECRYPT;\n\n if (!seek_cb_.is_null()) {\n base::ResetAndReturn(&seek_cb_).Run(error);\n return;\n }\n\n host()->SetError(error);\n return;\n }\n\n if (state_ == kStopped || state_ == kError || state_ == kFlushed ||\n state_ == kFlushingDecoder)\n return;\n\n if (state_ == kFlushing) {\n AttemptFlush_Locked();\n return;\n }\n\n if (!frame) {\n if (state_ != kSeeking)\n return;\n\n state_ = kPrerolled;\n base::ResetAndReturn(&seek_cb_).Run(PIPELINE_OK);\n return;\n }\n\n if (state_ == kSeeking && !frame->IsEndOfStream() &&\n (frame->GetTimestamp() + frame->GetDuration()) <= seek_timestamp_) {\n AttemptRead_Locked();\n return;\n }\n\n if (!frame->IsEndOfStream()) {\n if (frame->GetTimestamp() > host()->GetDuration())\n frame->SetTimestamp(host()->GetDuration());\n if ((frame->GetTimestamp() + frame->GetDuration()) > host()->GetDuration())\n frame->SetDuration(host()->GetDuration() - frame->GetTimestamp());\n }\n\n ready_frames_.push_back(frame);\n DCHECK_LE(NumFrames_Locked(), limits::kMaxVideoFrames);\n if (!frame->IsEndOfStream())\n time_cb_.Run(frame->GetTimestamp() + frame->GetDuration());\n frame_available_.Signal();\n\n PipelineStatistics statistics;\n statistics.video_frames_decoded = 1;\n statistics_cb_.Run(statistics);\n\n if (NumFrames_Locked() < limits::kMaxVideoFrames && !frame->IsEndOfStream()) {\n AttemptRead_Locked();\n return;\n }\n\n if (state_ == kSeeking) {\n DCHECK(!current_frame_);\n state_ = kPrerolled;\n\n if (!ready_frames_.front()->IsEndOfStream()) {\n current_frame_ = ready_frames_.front();\n ready_frames_.pop_front();\n }\n\n DCHECK(!seek_cb_.is_null());\n base::ResetAndReturn(&seek_cb_).Run(PIPELINE_OK);\n\n base::AutoUnlock ul(lock_);\n paint_cb_.Run();\n 
}\n}\n", "cwe": "", "big_vul_idx": 184481, "idx": 5439, "hash": 58467890702351424416835303863183847864 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " void VideoRendererBase::FrameReady(VideoDecoder::DecoderStatus status,\n const scoped_refptr& frame) {\n base::AutoLock auto_lock(lock_);\n DCHECK_NE(state_, kUninitialized);\n \n CHECK(pending_read_);\n pending_read_ = false;\n\n if (status != VideoDecoder::kOk) {\n DCHECK(!frame);\n PipelineStatus error = PIPELINE_ERROR_DECODE;\n if (status == VideoDecoder::kDecryptError)\n error = PIPELINE_ERROR_DECRYPT;\n\n if (!seek_cb_.is_null()) {\n base::ResetAndReturn(&seek_cb_).Run(error);\n return;\n }\n\n host()->SetError(error);\n return;\n }\n\n if (state_ == kStopped || state_ == kError || state_ == kFlushed ||\n state_ == kFlushingDecoder)\n return;\n\n if (state_ == kFlushing) {\n AttemptFlush_Locked();\n return;\n }\n\n if (!frame) {\n if (state_ != kSeeking)\n return;\n\n state_ = kPrerolled;\n base::ResetAndReturn(&seek_cb_).Run(PIPELINE_OK);\n return;\n }\n\n if (state_ == kSeeking && !frame->IsEndOfStream() &&\n (frame->GetTimestamp() + frame->GetDuration()) <= seek_timestamp_) {\n AttemptRead_Locked();\n return;\n }\n\n if (!frame->IsEndOfStream()) {\n if (frame->GetTimestamp() > host()->GetDuration())\n frame->SetTimestamp(host()->GetDuration());\n if ((frame->GetTimestamp() + frame->GetDuration()) > host()->GetDuration())\n frame->SetDuration(host()->GetDuration() - frame->GetTimestamp());\n }\n\n ready_frames_.push_back(frame);\n DCHECK_LE(NumFrames_Locked(), limits::kMaxVideoFrames);\n if (!frame->IsEndOfStream())\n time_cb_.Run(frame->GetTimestamp() + frame->GetDuration());\n frame_available_.Signal();\n\n PipelineStatistics statistics;\n statistics.video_frames_decoded = 1;\n statistics_cb_.Run(statistics);\n\n if (NumFrames_Locked() < limits::kMaxVideoFrames && !frame->IsEndOfStream()) {\n AttemptRead_Locked();\n return;\n }\n\n if (state_ == 
kSeeking) {\n DCHECK(!current_frame_);\n state_ = kPrerolled;\n\n if (!ready_frames_.front()->IsEndOfStream()) {\n current_frame_ = ready_frames_.front();\n ready_frames_.pop_front();\n }\n\n DCHECK(!seek_cb_.is_null());\n base::ResetAndReturn(&seek_cb_).Run(PIPELINE_OK);\n\n base::AutoUnlock ul(lock_);\n paint_cb_.Run();\n }\n}\n", "cwe": "", "big_vul_idx": 184481, "idx": 162555, "hash": 27375883205547855814872471618190506441 }, { "func": "static inline struct i915_priolist *to_priolist(struct rb_node *rb)\n{\n\treturn rb_entry(rb, struct i915_priolist, node);\n}", "project": "linux", "hash": 159521327316952273956080367014311979250, "size": 4, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281488 }, { "func": "struct timerqueue_node *timerqueue_getnext(struct timerqueue_head *head)\n{\n\tstruct rb_node *leftmost = rb_first_cached(&head->rb_root);\n\n\treturn rb_entry(leftmost, struct timerqueue_node, node);\n}", "project": "tip", "hash": 49950772332248946073503965255413565484, "size": 6, "commit_id": "511885d7061eda3eb1faf3f57dcc936ff75863f1", "message": "lib/timerqueue: Rely on rbtree semantics for next timer\n\nSimplify the timerqueue code by using cached rbtrees and rely on the tree\nleftmost node semantics to get the timer with earliest expiration time.\nThis is a drop in conversion, and therefore semantics remain untouched.\n\nThe runtime overhead of cached rbtrees is be pretty much the same as the\ncurrent head->next method, noting that when removing the leftmost node,\na common operation for the timerqueue, the rb_next(leftmost) is O(1) as\nwell, so the next timer will either be the right node or its parent.\nTherefore no extra pointer chasing. 
Finally, the size of the struct\ntimerqueue_head remains the same.\n\nPasses several hours of rcutorture.\n\nSigned-off-by: Davidlohr Bueso \nSigned-off-by: Thomas Gleixner \nLink: https://lkml.kernel.org/r/20190724152323.bojciei3muvfxalm@linux-r8p5", "target": 0, "dataset": "other", "idx": 335106 }, { "func": "Status TensorToNdarray(const Tensor& t, PyObject** ret) {\n Status status;\n Safe_TF_TensorPtr tf_tensor = make_safe(TF_TensorFromTensor(t, &status));\n if (!status.ok()) {\n return status;\n }\n return TF_TensorToPyArray(std::move(tf_tensor), ret);\n}", "project": "tensorflow", "hash": 269074879990336498479542635913630439328, "size": 8, "commit_id": "030af767d357d1b4088c4a25c72cb3906abac489", "message": "Fix `tf.raw_ops.ResourceCountUpTo` null pointer dereference.\n\nPiperOrigin-RevId: 368294347\nChange-Id: I2c16fbfc9b4966c402c3d8e311f0d665a9c852d8", "target": 0, "dataset": "other", "idx": 232668 }, { "func": "void CClient::ParseUser(const CString& sAuthLine) {\n // user[@identifier][/network]\n\n const size_t uSlash = sAuthLine.rfind(\"/\");\n if (uSlash != CString::npos) {\n m_sNetwork = sAuthLine.substr(uSlash + 1);\n\n ParseIdentifier(sAuthLine.substr(0, uSlash));\n } else {\n ParseIdentifier(sAuthLine);\n }\n}", "project": "znc", "hash": 206505243541803038398818874831575829069, "size": 12, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231544 }, { "func": "static void stimer_init(struct kvm_vcpu_hv_stimer *stimer, int timer_index)\n{\n\tmemset(stimer, 0, sizeof(*stimer));\n\tstimer->index = timer_index;\n\thrtimer_init(&stimer->timer, CLOCK_MONOTONIC, HRTIMER_MODE_ABS);\n\tstimer->timer.function = stimer_timer_callback;\n\tstimer_prepare_msg(stimer);\n}", "project": "linux", "hash": 335633622444205813815128156777146132465, "size": 8, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context 
null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343522 }, { "func": " bool handleBackslash(signed char& out) {\n char ch = *p++;\n switch (ch) {\n case 0: return false;\n case '\"': out = ch; return true;\n case '\\\\': out = ch; return true;\n case '/': out = ch; return true;\n case 'b': out = '\\b'; return true;\n case 'f': out = '\\f'; return true;\n case 'n': out = '\\n'; return true;\n case 'r': out = '\\r'; return true;\n case 't': out = '\\t'; return true;\n case 'u': {\n if (UNLIKELY(is_tsimplejson)) {\n auto const ch1 = *p++;\n auto const ch2 = *p++;\n auto const dch3 = dehexchar(*p++);\n auto const dch4 = dehexchar(*p++);\n if (UNLIKELY(ch1 != '0' || ch2 != '0' || dch3 < 0 || dch4 < 0)) {\n return false;\n }\n out = (dch3 << 4) | dch4;\n return true;\n } else {\n uint16_t u16cp = 0;\n for (int i = 0; i < 4; i++) {\n auto const hexv = dehexchar(*p++);\n if (hexv < 0) return false; // includes check for end of string\n u16cp <<= 4;\n u16cp |= hexv;\n }\n if (u16cp > 0x7f) {\n return false;\n } else {\n out = u16cp;\n return true;\n }\n }\n }\n default: return false;\n }\n }", "project": "hhvm", "hash": 222661936735492214340109696360679833540, "size": 42, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 1, "dataset": "other", "idx": 
195486 }, { "func": " bool handleBackslash(signed char& out) {\n char ch = *p++;\n switch (ch) {\n case 0: return false;\n case '\"': out = ch; return true;\n case '\\\\': out = ch; return true;\n case '/': out = ch; return true;\n case 'b': out = '\\b'; return true;\n case 'f': out = '\\f'; return true;\n case 'n': out = '\\n'; return true;\n case 'r': out = '\\r'; return true;\n case 't': out = '\\t'; return true;\n case 'u': {\n if (UNLIKELY(is_tsimplejson)) {\n auto const ch1 = *p++;\n if (UNLIKELY(ch1 != '0')) return false;\n auto const ch2 = *p++;\n if (UNLIKELY(ch2 != '0')) return false;\n auto const dch3 = dehexchar(*p++);\n if (UNLIKELY(dch3 < 0)) return false;\n auto const dch4 = dehexchar(*p++);\n if (UNLIKELY(dch4 < 0)) return false;\n out = (dch3 << 4) | dch4;\n return true;\n } else {\n uint16_t u16cp = 0;\n for (int i = 0; i < 4; i++) {\n auto const hexv = dehexchar(*p++);\n if (hexv < 0) return false; // includes check for end of string\n u16cp <<= 4;\n u16cp |= hexv;\n }\n if (u16cp > 0x7f) {\n return false;\n } else {\n out = u16cp;\n return true;\n }\n }\n }\n default: return false;\n }\n }", "project": "hhvm", "hash": 144019738520182441880919167101542852402, "size": 43, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227282 }, { "func": "static int pep_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tstruct sk_buff *skb;\n\tlong timeo;\n\tint flags = msg->msg_flags;\n\tint err, done;\n\n\tif (len > USHRT_MAX)\n\t\treturn -EMSGSIZE;\n\n\tif ((msg->msg_flags & 
~(MSG_DONTWAIT|MSG_EOR|MSG_NOSIGNAL|\n\t\t\t\tMSG_CMSG_COMPAT)) ||\n\t\t\t!(msg->msg_flags & MSG_EOR))\n\t\treturn -EOPNOTSUPP;\n\n\tskb = sock_alloc_send_skb(sk, MAX_PNPIPE_HEADER + len,\n\t\t\t\t\tflags & MSG_DONTWAIT, &err);\n\tif (!skb)\n\t\treturn err;\n\n\tskb_reserve(skb, MAX_PHONET_HEADER + 3 + pn->aligned);\n\terr = memcpy_from_msg(skb_put(skb, len), msg, len);\n\tif (err < 0)\n\t\tgoto outfree;\n\n\tlock_sock(sk);\n\ttimeo = sock_sndtimeo(sk, flags & MSG_DONTWAIT);\n\tif ((1 << sk->sk_state) & (TCPF_LISTEN|TCPF_CLOSE)) {\n\t\terr = -ENOTCONN;\n\t\tgoto out;\n\t}\n\tif (sk->sk_state != TCP_ESTABLISHED) {\n\t\t/* Wait until the pipe gets to enabled state */\ndisabled:\n\t\terr = sk_stream_wait_connect(sk, &timeo);\n\t\tif (err)\n\t\t\tgoto out;\n\n\t\tif (sk->sk_state == TCP_CLOSE_WAIT) {\n\t\t\terr = -ECONNRESET;\n\t\t\tgoto out;\n\t\t}\n\t}\n\tBUG_ON(sk->sk_state != TCP_ESTABLISHED);\n\n\t/* Wait until flow control allows TX */\n\tdone = atomic_read(&pn->tx_credits);\n\twhile (!done) {\n\t\tDEFINE_WAIT_FUNC(wait, woken_wake_function);\n\n\t\tif (!timeo) {\n\t\t\terr = -EAGAIN;\n\t\t\tgoto out;\n\t\t}\n\t\tif (signal_pending(current)) {\n\t\t\terr = sock_intr_errno(timeo);\n\t\t\tgoto out;\n\t\t}\n\n\t\tadd_wait_queue(sk_sleep(sk), &wait);\n\t\tdone = sk_wait_event(sk, &timeo, atomic_read(&pn->tx_credits), &wait);\n\t\tremove_wait_queue(sk_sleep(sk), &wait);\n\n\t\tif (sk->sk_state != TCP_ESTABLISHED)\n\t\t\tgoto disabled;\n\t}\n\n\terr = pipe_skb_send(sk, skb);\n\tif (err >= 0)\n\t\terr = len; /* success! 
*/\n\tskb = NULL;\nout:\n\trelease_sock(sk);\noutfree:\n\tkfree_skb(skb);\n\treturn err;\n}", "project": "linux", "hash": 175712656716763304415858066843911430532, "size": 78, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224804 }, { "func": "int HTS_RESULT_USED bcf_hdr_parse_sample_line(bcf_hdr_t *h, const char *str)\n{\n int ret = 0;\n int i = 0;\n const char *p, *q;\n // add samples\n for (p = q = str;; ++q) {\n if (*q > '\\n') continue;\n if (++i > 9) {\n if ( bcf_hdr_add_sample_len(h, p, q - p) < 0 ) ret = -1;\n }\n if (*q == 0 || *q == '\\n' || ret < 0) break;\n p = q + 1;\n }\n\n return ret;\n}", "project": "htslib", "hash": 337287603929283773437245371817425595219, "size": 17, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402148 }, { "func": "static int io_setup_async_rw(struct io_kiocb *req, const struct iovec *iovec,\n\t\t\t const struct iovec *fast_iov,\n\t\t\t struct iov_iter *iter, bool force)\n{\n\tif (!force && !io_op_defs[req->opcode].needs_async_setup)\n\t\treturn 0;\n\tif (!req->async_data) {\n\t\tif (io_alloc_async_data(req)) {\n\t\t\tkfree(iovec);\n\t\t\treturn -ENOMEM;\n\t\t}\n\n\t\tio_req_map_rw(req, iovec, fast_iov, iter);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 88821476459954561305672623780112821624, "size": 16, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338530 }, { "func": "static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,\n\t\t\t struct iovec *iovec, struct iovec *fast_iov,\n\t\t\t struct iov_iter *iter)\n{\n\tif (!io_op_defs[req->opcode].async_ctx)\n\t\treturn 0;\n\tif (!req->io) {\n\t\tif (__io_alloc_async_ctx(req))\n\t\t\treturn -ENOMEM;\n\n\t\tio_req_map_rw(req, io_size, iovec, fast_iov, iter);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 291165522290097767307861839353923047126, "size": 14, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456930 }, { "func": "String serialize_keep_dvarrays(const Variant& value) {\n SerializeOptions opts;\n opts.keepDVArrays = true;\n return serialize_impl(value, opts);\n}", "project": "hhvm", "hash": 58170439397876812404525059785687317851, "size": 5, "commit_id": 
"08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219326 }, { "func": "static void i2c_w_mask(struct sd *sd,\n\t\t\tu8 reg,\n\t\t\tu8 value,\n\t\t\tu8 mask)\n{\n\tint rc;\n\tu8 oldval;\n\n\tvalue &= mask;\t\t\t/* Enforce mask on value */\n\trc = i2c_r(sd, reg);\n\tif (rc < 0)\n\t\treturn;\n\toldval = rc & ~mask;\t\t/* Clear the masked bits */\n\tvalue |= oldval;\t\t/* Set the desired bits */\n\ti2c_w(sd, reg, value);\n}", "project": "linux", "hash": 201035238427018409055979841671652368493, "size": 16, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306287 }, { "func": "void kfree(const void *x)\n{\n\tstruct page *page;\n\tvoid *object = (void *)x;\n\n\ttrace_kfree(_RET_IP_, x);\n\n\tif (unlikely(ZERO_OR_NULL_PTR(x)))\n\t\treturn;\n\n\tpage = virt_to_head_page(x);\n\tif (unlikely(!PageSlab(page))) {\n\t\tunsigned int order = compound_order(page);\n\n\t\tBUG_ON(!PageCompound(page));\n\t\tkfree_hook(object);\n\t\tmod_node_page_state(page_pgdat(page), NR_SLAB_UNRECLAIMABLE,\n\t\t\t\t -(1 << order));\n\t\t__free_pages(page, order);\n\t\treturn;\n\t}\n\tslab_free(page->slab_cache, page, object, NULL, 1, _RET_IP_);\n}", 
"project": "linux", "hash": 796059536269028142189641481136596052, "size": 23, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280149 }, { "func": "static struct vfsmount *fuse_dentry_automount(struct path *path)\n{\n\tstruct fs_context *fsc;\n\tstruct fuse_mount *parent_fm = get_fuse_mount_super(path->mnt->mnt_sb);\n\tstruct fuse_conn *fc = parent_fm->fc;\n\tstruct fuse_mount *fm;\n\tstruct vfsmount *mnt;\n\tstruct fuse_inode *mp_fi = get_fuse_inode(d_inode(path->dentry));\n\tstruct super_block *sb;\n\tint err;\n\n\tfsc = fs_context_for_submount(path->mnt->mnt_sb->s_type, path->dentry);\n\tif (IS_ERR(fsc)) {\n\t\terr = PTR_ERR(fsc);\n\t\tgoto out;\n\t}\n\n\terr = -ENOMEM;\n\tfm = kzalloc(sizeof(struct fuse_mount), GFP_KERNEL);\n\tif (!fm)\n\t\tgoto out_put_fsc;\n\n\tfsc->s_fs_info = fm;\n\tsb = sget_fc(fsc, NULL, set_anon_super_fc);\n\tif (IS_ERR(sb)) {\n\t\terr = PTR_ERR(sb);\n\t\tkfree(fm);\n\t\tgoto out_put_fsc;\n\t}\n\tfm->fc = fuse_conn_get(fc);\n\n\t/* Initialize superblock, making @mp_fi its root */\n\terr = fuse_fill_super_submount(sb, mp_fi);\n\tif (err)\n\t\tgoto out_put_sb;\n\n\tsb->s_flags |= SB_ACTIVE;\n\tfsc->root = dget(sb->s_root);\n\t/* We are done configuring the superblock, so unlock it 
*/\n\tup_write(&sb->s_umount);\n\n\tdown_write(&fc->killsb);\n\tlist_add_tail(&fm->fc_entry, &fc->mounts);\n\tup_write(&fc->killsb);\n\n\t/* Create the submount */\n\tmnt = vfs_create_mount(fsc);\n\tif (IS_ERR(mnt)) {\n\t\terr = PTR_ERR(mnt);\n\t\tgoto out_put_fsc;\n\t}\n\tmntget(mnt);\n\tput_fs_context(fsc);\n\treturn mnt;\n\nout_put_sb:\n\t/*\n\t * Only jump here when fsc->root is NULL and sb is still locked\n\t * (otherwise put_fs_context() will put the superblock)\n\t */\n\tdeactivate_locked_super(sb);\nout_put_fsc:\n\tput_fs_context(fsc);\nout:\n\treturn ERR_PTR(err);\n}", "project": "linux", "hash": 37680600372420148939090719136884021896, "size": 66, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342082 }, { "func": "static void object_set(const json_parser* json,\n Variant &var,\n const String& key,\n const Variant& value,\n int assoc,\n JSONContainerType container_type) {\n if (!assoc) {\n // We know it is stdClass, and everything is public (and dynamic).\n if (key.empty()) {\n var.getObjectData()->setProp(nullptr, s__empty_.get(), *value.asTypedValue());\n } else {\n var.getObjectData()->o_set(key, value);\n }\n } else {\n if (container_type == JSONContainerType::COLLECTIONS) {\n auto keyTV = make_tv(key.get());\n collections::set(var.getObjectData(), &keyTV, value.asTypedValue());\n } else if (container_type == JSONContainerType::HACK_ARRAYS ||\n container_type == JSONContainerType::LEGACY_HACK_ARRAYS) {\n forceToDict(var).set(key, value);\n } else {\n int64_t i;\n if (key.get()->isStrictlyInteger(i)) {\n forceToDArray(var).set(i, value);\n } else {\n forceToDArray(var).set(key, value);\n }\n }\n if (var.isArray()) {\n DEBUG_ONLY auto const data = var.getArrayData();\n assertx(IMPLIES(arrprov::arrayWantsTag(data), arrprov::getTag(data)));\n }\n }\n}", "project": "hhvm", "hash": 109655546704040923047262666151281956156, "size": 34, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227307 }, { "func": "const char* imap_cmd_trailer (IMAP_DATA* idata)\n{\n static const char* notrailer 
= \"\";\n const char* s = idata->buf;\n\n if (!s)\n {\n dprint (2, (debugfile, \"imap_cmd_trailer: not a tagged response\"));\n return notrailer;\n }\n\n s = imap_next_word ((char *)s);\n if (!s || (ascii_strncasecmp (s, \"OK\", 2) &&\n\t ascii_strncasecmp (s, \"NO\", 2) &&\n\t ascii_strncasecmp (s, \"BAD\", 3)))\n {\n dprint (2, (debugfile, \"imap_cmd_trailer: not a command completion: %s\",\n\t\tidata->buf));\n return notrailer;\n }\n\n s = imap_next_word ((char *)s);\n if (!s)\n return notrailer;\n\n return s;\n}", "project": "mutt", "hash": 268671276459495556730611377621064091004, "size": 27, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338022 }, { "func": "\nstatic bool __bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq,\n\t\t\t enum bfqq_expiration reason)\n{\n\t/*\n\t * If this bfqq is shared between multiple processes, check\n\t * to make sure that those processes are still issuing I/Os\n\t * within the mean seek distance. If not, it may be time to\n\t * break the queues apart again.\n\t */\n\tif (bfq_bfqq_coop(bfqq) && BFQQ_SEEKY(bfqq))\n\t\tbfq_mark_bfqq_split_coop(bfqq);\n\n\t/*\n\t * Consider queues with a higher finish virtual time than\n\t * bfqq. If idling_needed_for_service_guarantees(bfqq) returns\n\t * true, then bfqq's bandwidth would be violated if an\n\t * uncontrolled amount of I/O from these queues were\n\t * dispatched while bfqq is waiting for its new I/O to\n\t * arrive. This is exactly what may happen if this is a forced\n\t * expiration caused by a preemption attempt, and if bfqq is\n\t * not re-scheduled. To prevent this from happening, re-queue\n\t * bfqq if it needs I/O-dispatch plugging, even if it is\n\t * empty. 
By doing so, bfqq is granted to be served before the\n\t * above queues (provided that bfqq is of course eligible).\n\t */\n\tif (RB_EMPTY_ROOT(&bfqq->sort_list) &&\n\t !(reason == BFQQE_PREEMPTED &&\n\t idling_needed_for_service_guarantees(bfqd, bfqq))) {\n\t\tif (bfqq->dispatched == 0)\n\t\t\t/*\n\t\t\t * Overloading budget_timeout field to store\n\t\t\t * the time at which the queue remains with no\n\t\t\t * backlog and no outstanding request; used by\n\t\t\t * the weight-raising mechanism.\n\t\t\t */\n\t\t\tbfqq->budget_timeout = jiffies;\n\n\t\tbfq_del_bfqq_busy(bfqd, bfqq, true);\n\t} else {\n\t\tbfq_requeue_bfqq(bfqd, bfqq, true);\n\t\t/*\n\t\t * Resort priority tree of potential close cooperators.\n\t\t * See comments on bfq_pos_tree_add_move() for the unlikely().\n\t\t */\n\t\tif (unlikely(!bfqd->nonrot_with_queueing &&\n\t\t\t !RB_EMPTY_ROOT(&bfqq->sort_list)))\n\t\t\tbfq_pos_tree_add_move(bfqd, bfqq);\n\t}\n\n\t/*\n\t * All in-service entities must have been properly deactivated\n\t * or requeued before executing the next function, which\n\t * resets all in-service entities as no more in service. This\n\t * may cause bfqq to be freed. If this happens, the next\n\t * function returns true.\n\t */\n\treturn __bfq_bfqd_reset_in_service(bfqd);", "project": "linux", "hash": 310786886648520155262922365160557770768, "size": 58, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. 
If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] 
blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 
ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453372 }, { "func": "static enum fuse_parse_result fuse_parse_cache(struct fuse_file *ff,\n\t\t\t\t\t void *addr, unsigned int size,\n\t\t\t\t\t struct dir_context *ctx)\n{\n\tunsigned int offset = ff->readdir.cache_off & ~PAGE_MASK;\n\tenum fuse_parse_result res = FOUND_NONE;\n\n\tWARN_ON(offset >= size);\n\n\tfor (;;) {\n\t\tstruct fuse_dirent *dirent = addr + offset;\n\t\tunsigned int nbytes = size - offset;\n\t\tsize_t reclen;\n\n\t\tif (nbytes < FUSE_NAME_OFFSET || !dirent->namelen)\n\t\t\tbreak;\n\n\t\treclen = FUSE_DIRENT_SIZE(dirent); /* derefs ->namelen */\n\n\t\tif (WARN_ON(dirent->namelen > FUSE_NAME_MAX))\n\t\t\treturn FOUND_ERR;\n\t\tif (WARN_ON(reclen > nbytes))\n\t\t\treturn 
FOUND_ERR;\n\t\tif (WARN_ON(memchr(dirent->name, '/', dirent->namelen) != NULL))\n\t\t\treturn FOUND_ERR;\n\n\t\tif (ff->readdir.pos == ctx->pos) {\n\t\t\tres = FOUND_SOME;\n\t\t\tif (!dir_emit(ctx, dirent->name, dirent->namelen,\n\t\t\t\t dirent->ino, dirent->type))\n\t\t\t\treturn FOUND_ALL;\n\t\t\tctx->pos = dirent->off;\n\t\t}\n\t\tff->readdir.pos = dirent->off;\n\t\tff->readdir.cache_off += reclen;\n\n\t\toffset += reclen;\n\t}\n\n\treturn res;\n}", "project": "linux", "hash": 41811473605234212810110899574201037745, "size": 41, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342158 }, { "func": "void kvm_arch_commit_memory_region(struct kvm *kvm,\n\t\t\t\tconst struct kvm_userspace_memory_region *mem,\n\t\t\t\tstruct kvm_memory_slot *old,\n\t\t\t\tconst struct kvm_memory_slot *new,\n\t\t\t\tenum kvm_mr_change change)\n{\n\tint rc = 0;\n\n\tswitch (change) {\n\tcase KVM_MR_DELETE:\n\t\trc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE,\n\t\t\t\t\told->npages * PAGE_SIZE);\n\t\tbreak;\n\tcase KVM_MR_MOVE:\n\t\trc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE,\n\t\t\t\t\told->npages * PAGE_SIZE);\n\t\tif (rc)\n\t\t\tbreak;\n\t\t/* FALLTHROUGH */\n\tcase KVM_MR_CREATE:\n\t\trc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr,\n\t\t\t\t mem->guest_phys_addr, mem->memory_size);\n\t\tbreak;\n\tcase KVM_MR_FLAGS_ONLY:\n\t\tbreak;\n\tdefault:\n\t\tWARN(1, \"Unknown KVM MR CHANGE: %d\\n\", change);\n\t}\n\tif (rc)\n\t\tpr_warn(\"failed to commit memory region\\n\");\n\treturn;\n}", "project": "linux", "hash": 264139230900949438294202420389531205760, "size": 32, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger 
\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354695 }, { "func": "PCRECache::StaticCache* PCRECache::CreateStatic() {\n StaticCache::Config config;\n config.maxLoadFactor = 0.5;\n return StaticCache::create(\n RuntimeOption::EvalPCRETableSize, config).release();\n}", "project": "hhvm", "hash": 269605201524771793114621724616761673167, "size": 6, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219752 }, { "func": "static int may_o_create(const struct path *dir, struct dentry *dentry, umode_t mode)\n{\n\tstruct user_namespace *s_user_ns;\n\tint error = security_path_mknod(dir, dentry, mode, 0);\n\tif (error)\n\t\treturn error;\n\n\ts_user_ns = dir->dentry->d_sb->s_user_ns;\n\tif (!kuid_has_mapping(s_user_ns, current_fsuid()) ||\n\t !kgid_has_mapping(s_user_ns, current_fsgid()))\n\t\treturn -EOVERFLOW;\n\n\terror = inode_permission(dir->dentry->d_inode, MAY_WRITE | MAY_EXEC);\n\tif (error)\n\t\treturn error;\n\n\treturn security_inode_create(dir->dentry->d_inode, dentry, mode);\n}", "project": "linux", "hash": 20075368116260851079376570247757677123, "size": 18, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295433 }, { "func": "void start_tty(struct tty_struct *tty)\n{\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&tty->flow_lock, flags);\n\t__start_tty(tty);\n\tspin_unlock_irqrestore(&tty->flow_lock, flags);\n}", "project": "linux", "hash": 194944603749319546793536910765052332865, "size": 8, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session 
locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326042 }, { "func": "static ssize_t fuse_copy_file_range(struct file *src_file, loff_t src_off,\n\t\t\t\t struct file *dst_file, loff_t dst_off,\n\t\t\t\t size_t len, unsigned int flags)\n{\n\tssize_t ret;\n\n\tret = __fuse_copy_file_range(src_file, src_off, dst_file, dst_off,\n\t\t\t\t len, flags);\n\n\tif (ret == -EOPNOTSUPP || ret == -EXDEV)\n\t\tret = generic_copy_file_range(src_file, src_off, dst_file,\n\t\t\t\t\t dst_off, len, flags);\n\treturn 
ret;\n}", "project": "linux", "hash": 193905794635619799117086600811204774972, "size": 14, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341930 }, { "func": "static void oidc_scrub_request_headers(request_rec *r, const char *claim_prefix,\n\t\tapr_hash_t *scrub) {\n\n\tconst int prefix_len = claim_prefix ? strlen(claim_prefix) : 0;\n\n\t/* get an array representation of the incoming HTTP headers */\n\tconst apr_array_header_t *const h = apr_table_elts(r->headers_in);\n\n\t/* table to keep the non-suspicious headers */\n\tapr_table_t *clean_headers = apr_table_make(r->pool, h->nelts);\n\n\t/* loop over the incoming HTTP headers */\n\tconst apr_table_entry_t *const e = (const apr_table_entry_t*) h->elts;\n\tint i;\n\tfor (i = 0; i < h->nelts; i++) {\n\t\tconst char *const k = e[i].key;\n\n\t\t/* is this header's name equivalent to a header that needs scrubbing? 
*/\n\t\tconst char *hdr =\n\t\t\t\t(k != NULL) && (scrub != NULL) ?\n\t\t\t\t\t\tapr_hash_get(scrub, k, APR_HASH_KEY_STRING) : NULL;\n\t\tconst int header_matches = (hdr != NULL)\n\t\t\t\t\t\t&& (oidc_strnenvcmp(k, hdr, -1) == 0);\n\n\t\t/*\n\t\t * would this header be interpreted as a mod_auth_openidc attribute? Note\n\t\t * that prefix_len will be zero if no attr_prefix is defined,\n\t\t * so this will always be false. Also note that we do not\n\t\t * scrub headers if the prefix is empty because every header\n\t\t * would match.\n\t\t */\n\t\tconst int prefix_matches = (k != NULL) && prefix_len\n\t\t\t\t&& (oidc_strnenvcmp(k, claim_prefix, prefix_len) == 0);\n\n\t\t/* add to the clean_headers if non-suspicious, skip and report otherwise */\n\t\tif (!prefix_matches && !header_matches) {\n\t\t\tapr_table_addn(clean_headers, k, e[i].val);\n\t\t} else {\n\t\t\toidc_warn(r, \"scrubbed suspicious request header (%s: %.32s)\", k,\n\t\t\t\t\te[i].val);\n\t\t}\n\t}\n\n\t/* overwrite the incoming headers with the cleaned result */\n\tr->headers_in = clean_headers;\n}", "project": "mod_auth_openidc", "hash": 64937596542399538925297721345776733531, "size": 46, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381942 }, { "func": "static void oidc_scrub_request_headers(request_rec *r, const char *claim_prefix,\n\t\tapr_hash_t *scrub) {\n\n\tconst int prefix_len = claim_prefix ? 
strlen(claim_prefix) : 0;\n\n\t/* get an array representation of the incoming HTTP headers */\n\tconst apr_array_header_t * const h = apr_table_elts(r->headers_in);\n\n\t/* table to keep the non-suspicious headers */\n\tapr_table_t *clean_headers = apr_table_make(r->pool, h->nelts);\n\n\t/* loop over the incoming HTTP headers */\n\tconst apr_table_entry_t * const e = (const apr_table_entry_t *) h->elts;\n\tint i;\n\tfor (i = 0; i < h->nelts; i++) {\n\t\tconst char * const k = e[i].key;\n\n\t\t/* is this header's name equivalent to a header that needs scrubbing? */\n\t\tconst char *hdr =\n\t\t\t\t(k != NULL) && (scrub != NULL) ?\n\t\t\t\t\t\tapr_hash_get(scrub, k, APR_HASH_KEY_STRING) : NULL;\n\t\tconst int header_matches = (hdr != NULL)\n\t\t\t\t\t\t&& (oidc_strnenvcmp(k, hdr, -1) == 0);\n\n\t\t/*\n\t\t * would this header be interpreted as a mod_auth_openidc attribute? Note\n\t\t * that prefix_len will be zero if no attr_prefix is defined,\n\t\t * so this will always be false. Also note that we do not\n\t\t * scrub headers if the prefix is empty because every header\n\t\t * would match.\n\t\t */\n\t\tconst int prefix_matches = (k != NULL) && prefix_len\n\t\t\t\t&& (oidc_strnenvcmp(k, claim_prefix, prefix_len) == 0);\n\n\t\t/* add to the clean_headers if non-suspicious, skip and report otherwise */\n\t\tif (!prefix_matches && !header_matches) {\n\t\t\tapr_table_addn(clean_headers, k, e[i].val);\n\t\t} else {\n\t\t\toidc_warn(r, \"scrubbed suspicious request header (%s: %.32s)\", k,\n\t\t\t\t\te[i].val);\n\t\t}\n\t}\n\n\t/* overwrite the incoming headers with the cleaned result */\n\tr->headers_in = clean_headers;\n}", "project": "mod_auth_openidc", "hash": 279609859933538701312762712043983321941, "size": 46, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447674 }, { "func": "OPJ_BOOL opj_j2k_read_tile_header(opj_j2k_t * p_j2k,\n OPJ_UINT32 * p_tile_index,\n 
OPJ_UINT32 * p_data_size,\n OPJ_INT32 * p_tile_x0, OPJ_INT32 * p_tile_y0,\n OPJ_INT32 * p_tile_x1, OPJ_INT32 * p_tile_y1,\n OPJ_UINT32 * p_nb_comps,\n OPJ_BOOL * p_go_on,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n OPJ_UINT32 l_current_marker = J2K_MS_SOT;\n OPJ_UINT32 l_marker_size;\n const opj_dec_memory_marker_handler_t * l_marker_handler = 00;\n opj_tcp_t * l_tcp = NULL;\n const OPJ_UINT32 l_nb_tiles = p_j2k->m_cp.tw * p_j2k->m_cp.th;\n\n /* preconditions */\n assert(p_stream != 00);\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n /* Reach the End Of Codestream ?*/\n if (p_j2k->m_specific_param.m_decoder.m_state == J2K_STATE_EOC) {\n l_current_marker = J2K_MS_EOC;\n }\n /* We need to encounter a SOT marker (a new tile-part header) */\n else if (p_j2k->m_specific_param.m_decoder.m_state != J2K_STATE_TPHSOT) {\n return OPJ_FALSE;\n }\n\n /* Read into the codestream until reach the EOC or ! can_decode ??? FIXME */\n while ((!p_j2k->m_specific_param.m_decoder.m_can_decode) &&\n (l_current_marker != J2K_MS_EOC)) {\n\n /* Try to read until the Start Of Data is detected */\n while (l_current_marker != J2K_MS_SOD) {\n\n if (opj_stream_get_number_byte_left(p_stream) == 0) {\n p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_NEOC;\n break;\n }\n\n /* Try to read 2 bytes (the marker size) from stream and copy them into the buffer */\n if (opj_stream_read_data(p_stream,\n p_j2k->m_specific_param.m_decoder.m_header_data, 2, p_manager) != 2) {\n opj_event_msg(p_manager, EVT_ERROR, \"Stream too short\\n\");\n return OPJ_FALSE;\n }\n\n /* Read 2 bytes from the buffer as the marker size */\n opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data, &l_marker_size,\n 2);\n\n /* Check marker size (does not include marker ID but includes marker size) */\n if (l_marker_size < 2) {\n opj_event_msg(p_manager, EVT_ERROR, \"Inconsistent marker size\\n\");\n return OPJ_FALSE;\n }\n\n /* cf. 
https://code.google.com/p/openjpeg/issues/detail?id=226 */\n if (l_current_marker == 0x8080 &&\n opj_stream_get_number_byte_left(p_stream) == 0) {\n p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_NEOC;\n break;\n }\n\n /* Why this condition? FIXME */\n if (p_j2k->m_specific_param.m_decoder.m_state & J2K_STATE_TPH) {\n p_j2k->m_specific_param.m_decoder.m_sot_length -= (l_marker_size + 2);\n }\n l_marker_size -= 2; /* Subtract the size of the marker ID already read */\n\n /* Get the marker handler from the marker ID */\n l_marker_handler = opj_j2k_get_marker_handler(l_current_marker);\n\n /* Check if the marker is known and if it is the right place to find it */\n if (!(p_j2k->m_specific_param.m_decoder.m_state & l_marker_handler->states)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Marker is not compliant with its position\\n\");\n return OPJ_FALSE;\n }\n /* FIXME manage case of unknown marker as in the main header ? */\n\n /* Check if the marker size is compatible with the header data size */\n if (l_marker_size > p_j2k->m_specific_param.m_decoder.m_header_data_size) {\n OPJ_BYTE *new_header_data = NULL;\n /* If we are here, this means we consider this marker as known & we will read it */\n /* Check enough bytes left in stream before allocation */\n if ((OPJ_OFF_T)l_marker_size > opj_stream_get_number_byte_left(p_stream)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Marker size inconsistent with stream length\\n\");\n return OPJ_FALSE;\n }\n new_header_data = (OPJ_BYTE *) opj_realloc(\n p_j2k->m_specific_param.m_decoder.m_header_data, l_marker_size);\n if (! 
new_header_data) {\n opj_free(p_j2k->m_specific_param.m_decoder.m_header_data);\n p_j2k->m_specific_param.m_decoder.m_header_data = NULL;\n p_j2k->m_specific_param.m_decoder.m_header_data_size = 0;\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to read header\\n\");\n return OPJ_FALSE;\n }\n p_j2k->m_specific_param.m_decoder.m_header_data = new_header_data;\n p_j2k->m_specific_param.m_decoder.m_header_data_size = l_marker_size;\n }\n\n /* Try to read the rest of the marker segment from stream and copy them into the buffer */\n if (opj_stream_read_data(p_stream,\n p_j2k->m_specific_param.m_decoder.m_header_data, l_marker_size,\n p_manager) != l_marker_size) {\n opj_event_msg(p_manager, EVT_ERROR, \"Stream too short\\n\");\n return OPJ_FALSE;\n }\n\n if (!l_marker_handler->handler) {\n /* See issue #175 */\n opj_event_msg(p_manager, EVT_ERROR, \"Not sure how that happened.\\n\");\n return OPJ_FALSE;\n }\n /* Read the marker segment with the correct marker handler */\n if (!(*(l_marker_handler->handler))(p_j2k,\n p_j2k->m_specific_param.m_decoder.m_header_data, l_marker_size, p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Fail to read the current marker segment (%#x)\\n\", l_current_marker);\n return OPJ_FALSE;\n }\n\n /* Add the marker to the codestream index*/\n if (OPJ_FALSE == opj_j2k_add_tlmarker(p_j2k->m_current_tile_number,\n p_j2k->cstr_index,\n l_marker_handler->id,\n (OPJ_UINT32) opj_stream_tell(p_stream) - l_marker_size - 4,\n l_marker_size + 4)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to add tl marker\\n\");\n return OPJ_FALSE;\n }\n\n /* Keep the position of the last SOT marker read */\n if (l_marker_handler->id == J2K_MS_SOT) {\n OPJ_UINT32 sot_pos = (OPJ_UINT32) opj_stream_tell(p_stream) - l_marker_size - 4\n ;\n if (sot_pos > p_j2k->m_specific_param.m_decoder.m_last_sot_read_pos) {\n p_j2k->m_specific_param.m_decoder.m_last_sot_read_pos = sot_pos;\n }\n }\n\n if (p_j2k->m_specific_param.m_decoder.m_skip_data) {\n 
/* Skip the rest of the tile part header*/\n if (opj_stream_skip(p_stream, p_j2k->m_specific_param.m_decoder.m_sot_length,\n p_manager) != p_j2k->m_specific_param.m_decoder.m_sot_length) {\n opj_event_msg(p_manager, EVT_ERROR, \"Stream too short\\n\");\n return OPJ_FALSE;\n }\n l_current_marker = J2K_MS_SOD; /* Normally we reached a SOD */\n } else {\n /* Try to read 2 bytes (the next marker ID) from stream and copy them into the buffer*/\n if (opj_stream_read_data(p_stream,\n p_j2k->m_specific_param.m_decoder.m_header_data, 2, p_manager) != 2) {\n opj_event_msg(p_manager, EVT_ERROR, \"Stream too short\\n\");\n return OPJ_FALSE;\n }\n /* Read 2 bytes from the buffer as the new marker ID */\n opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data,\n &l_current_marker, 2);\n }\n }\n if (opj_stream_get_number_byte_left(p_stream) == 0\n && p_j2k->m_specific_param.m_decoder.m_state == J2K_STATE_NEOC) {\n break;\n }\n\n /* If we didn't skip data before, we need to read the SOD marker*/\n if (! p_j2k->m_specific_param.m_decoder.m_skip_data) {\n /* Try to read the SOD marker and skip data ? FIXME */\n if (! 
opj_j2k_read_sod(p_j2k, p_stream, p_manager)) {\n return OPJ_FALSE;\n }\n if (p_j2k->m_specific_param.m_decoder.m_can_decode &&\n !p_j2k->m_specific_param.m_decoder.m_nb_tile_parts_correction_checked) {\n /* Issue 254 */\n OPJ_BOOL l_correction_needed;\n\n p_j2k->m_specific_param.m_decoder.m_nb_tile_parts_correction_checked = 1;\n if (!opj_j2k_need_nb_tile_parts_correction(p_stream,\n p_j2k->m_current_tile_number, &l_correction_needed, p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"opj_j2k_apply_nb_tile_parts_correction error\\n\");\n return OPJ_FALSE;\n }\n if (l_correction_needed) {\n OPJ_UINT32 l_tile_no;\n\n p_j2k->m_specific_param.m_decoder.m_can_decode = 0;\n p_j2k->m_specific_param.m_decoder.m_nb_tile_parts_correction = 1;\n /* correct tiles */\n for (l_tile_no = 0U; l_tile_no < l_nb_tiles; ++l_tile_no) {\n if (p_j2k->m_cp.tcps[l_tile_no].m_nb_tile_parts != 0U) {\n p_j2k->m_cp.tcps[l_tile_no].m_nb_tile_parts += 1;\n }\n }\n opj_event_msg(p_manager, EVT_WARNING,\n \"Non conformant codestream TPsot==TNsot.\\n\");\n }\n }\n } else {\n /* Indicate we will try to read a new tile-part header*/\n p_j2k->m_specific_param.m_decoder.m_skip_data = 0;\n p_j2k->m_specific_param.m_decoder.m_can_decode = 0;\n p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_TPHSOT;\n }\n\n if (! p_j2k->m_specific_param.m_decoder.m_can_decode) {\n /* Try to read 2 bytes (the next marker ID) from stream and copy them into the buffer */\n if (opj_stream_read_data(p_stream,\n p_j2k->m_specific_param.m_decoder.m_header_data, 2, p_manager) != 2) {\n\n /* Deal with likely non conformant SPOT6 files, where the last */\n /* row of tiles have TPsot == 0 and TNsot == 0, and missing EOC, */\n /* but no other tile-parts were found. 
*/\n if (p_j2k->m_current_tile_number + 1 == l_nb_tiles) {\n OPJ_UINT32 l_tile_no;\n for (l_tile_no = 0U; l_tile_no < l_nb_tiles; ++l_tile_no) {\n if (p_j2k->m_cp.tcps[l_tile_no].m_current_tile_part_number == 0 &&\n p_j2k->m_cp.tcps[l_tile_no].m_nb_tile_parts == 0) {\n break;\n }\n }\n if (l_tile_no < l_nb_tiles) {\n opj_event_msg(p_manager, EVT_INFO,\n \"Tile %u has TPsot == 0 and TNsot == 0, \"\n \"but no other tile-parts were found. \"\n \"EOC is also missing.\\n\",\n l_tile_no);\n p_j2k->m_current_tile_number = l_tile_no;\n l_current_marker = J2K_MS_EOC;\n p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_EOC;\n break;\n }\n }\n\n opj_event_msg(p_manager, EVT_ERROR, \"Stream too short\\n\");\n return OPJ_FALSE;\n }\n\n /* Read 2 bytes from buffer as the new marker ID */\n opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data,\n &l_current_marker, 2);\n }\n }\n\n /* Current marker is the EOC marker ?*/\n if (l_current_marker == J2K_MS_EOC) {\n if (p_j2k->m_specific_param.m_decoder.m_state != J2K_STATE_EOC) {\n p_j2k->m_current_tile_number = 0;\n p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_EOC;\n }\n }\n\n /* Deal with tiles that have a single tile-part with TPsot == 0 and TNsot == 0 */\n if (! p_j2k->m_specific_param.m_decoder.m_can_decode) {\n l_tcp = p_j2k->m_cp.tcps + p_j2k->m_current_tile_number;\n\n while ((p_j2k->m_current_tile_number < l_nb_tiles) && (l_tcp->m_data == 00)) {\n ++p_j2k->m_current_tile_number;\n ++l_tcp;\n }\n\n if (p_j2k->m_current_tile_number == l_nb_tiles) {\n *p_go_on = OPJ_FALSE;\n return OPJ_TRUE;\n }\n }\n\n if (! opj_j2k_merge_ppt(p_j2k->m_cp.tcps + p_j2k->m_current_tile_number,\n p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Failed to merge PPT data\\n\");\n return OPJ_FALSE;\n }\n /*FIXME ???*/\n if (! 
opj_tcd_init_decode_tile(p_j2k->m_tcd, p_j2k->m_current_tile_number,\n p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Cannot decode tile, memory error\\n\");\n return OPJ_FALSE;\n }\n\n opj_event_msg(p_manager, EVT_INFO, \"Header of tile %d / %d has been read.\\n\",\n p_j2k->m_current_tile_number + 1, (p_j2k->m_cp.th * p_j2k->m_cp.tw));\n\n *p_tile_index = p_j2k->m_current_tile_number;\n *p_go_on = OPJ_TRUE;\n if (p_data_size) {\n /* For internal use in j2k.c, we don't need this */\n /* This is just needed for folks using the opj_read_tile_header() / opj_decode_tile_data() combo */\n *p_data_size = opj_tcd_get_decoded_tile_size(p_j2k->m_tcd, OPJ_FALSE);\n if (*p_data_size == UINT_MAX) {\n return OPJ_FALSE;\n }\n }\n *p_tile_x0 = p_j2k->m_tcd->tcd_image->tiles->x0;\n *p_tile_y0 = p_j2k->m_tcd->tcd_image->tiles->y0;\n *p_tile_x1 = p_j2k->m_tcd->tcd_image->tiles->x1;\n *p_tile_y1 = p_j2k->m_tcd->tcd_image->tiles->y1;\n *p_nb_comps = p_j2k->m_tcd->tcd_image->tiles->numcomps;\n\n p_j2k->m_specific_param.m_decoder.m_state |= J2K_STATE_DATA;\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 255448096046183850221035238905036125717, "size": 308, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357414 }, { "func": "\treturn err;\n}\n\nstatic int iscsi_if_ep_connect(struct iscsi_transport *transport,\n\t\t\t struct iscsi_uevent *ev, int msg_type)\n{\n\tstruct iscsi_endpoint *ep;\n\tstruct sockaddr *dst_addr;\n\tstruct Scsi_Host *shost = NULL;\n\tint non_blocking, err = 0;\n\n\tif (!transport->ep_connect)\n\t\treturn -EINVAL;\n\n\tif (msg_type == ISCSI_UEVENT_TRANSPORT_EP_CONNECT_THROUGH_HOST) {\n\t\tshost = scsi_host_lookup(ev->u.ep_connect_through_host.host_no);\n\t\tif (!shost) {\n\t\t\tprintk(KERN_ERR \"ep connect failed. 
Could not find \"\n\t\t\t \"host no %u\\n\",\n\t\t\t ev->u.ep_connect_through_host.host_no);\n\t\t\treturn -ENODEV;\n\t\t}\n\t\tnon_blocking = ev->u.ep_connect_through_host.non_blocking;\n\t} else\n\t\tnon_blocking = ev->u.ep_connect.non_blocking;\n\n\tdst_addr = (struct sockaddr *)((char*)ev + sizeof(*ev));\n\tep = transport->ep_connect(shost, dst_addr, non_blocking);\n\tif (IS_ERR(ep)) {\n\t\terr = PTR_ERR(ep);\n\t\tgoto release_host;\n\t}\n\n\tev->r.ep_connect_ret.handle = ep->id;\nrelease_host:\n\tif (shost)", "project": "linux", "hash": 216001460016196821932442897832397939740, "size": 36, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379960 }, { "func": "rfbScreenInfoPtr rfbScalingFind(rfbClientPtr cl, int width, int height)\n{\n rfbScreenInfoPtr ptr;\n /* include the original in the search (ie: fine 1:1 scaled version of the frameBuffer) */\n for (ptr=cl->screen; ptr!=NULL; ptr=ptr->scaledScreenNext)\n {\n if ((ptr->width==width) && (ptr->height==height))\n return ptr;\n }\n return NULL;\n}", "project": "libvncserver", "hash": 250628621059394980916580992129234733241, "size": 11, "commit_id": "a6788d1da719ae006605b78d22f5a9f170b423af", "message": "libvncserver: scale: cast to 64 bit before shifting\n\nSince pixel_value is 64 bit the data type of the shift operand should\nbe 64 bit too to prevent integer overflows.", "target": 0, "dataset": "other", "idx": 296793 }, { "func": "GC_API GC_descr GC_CALL GC_make_descriptor(const GC_word * bm, size_t len)\n{\n signed_word last_set_bit = len - 1;\n GC_descr result;\n signed_word i;\n# define HIGH_BIT (((word)1) << (WORDSZ - 1))\n DCL_LOCK_STATE;\n\n# if defined(THREADS) && defined(AO_HAVE_load_acquire)\n if (!EXPECT(AO_load_acquire(\n (volatile AO_t *)&GC_explicit_typing_initialized),\n TRUE))\n# endif\n {\n LOCK();\n# if defined(THREADS) && defined(AO_HAVE_load_acquire)\n if (!GC_explicit_typing_initialized)\n# else\n if (!EXPECT(GC_explicit_typing_initialized, TRUE))\n# endif\n {\n GC_init_explicit_typing();\n GC_explicit_typing_initialized = TRUE;\n }\n UNLOCK();\n }\n\n while (last_set_bit >= 0 && !GC_get_bit(bm, last_set_bit))\n last_set_bit--;\n if (last_set_bit < 0) return(0 /* no pointers */);\n# if ALIGNMENT == CPP_WORDSZ/8\n {\n for (i = 0; i < last_set_bit; i++) {\n if (!GC_get_bit(bm, i)) {\n break;\n }\n }\n if (i == last_set_bit) {\n /* An initial section contains all pointers. Use length descriptor. */\n return (WORDS_TO_BYTES(last_set_bit+1) | GC_DS_LENGTH);\n }\n }\n# endif\n if ((word)last_set_bit < BITMAP_BITS) {\n /* Hopefully the common case. 
*/\n /* Build bitmap descriptor (with bits reversed) */\n result = HIGH_BIT;\n for (i = last_set_bit - 1; i >= 0; i--) {\n result >>= 1;\n if (GC_get_bit(bm, i)) result |= HIGH_BIT;\n }\n result |= GC_DS_BITMAP;\n } else {\n signed_word index = GC_add_ext_descriptor(bm, (word)last_set_bit + 1);\n if (index == -1) return(WORDS_TO_BYTES(last_set_bit+1) | GC_DS_LENGTH);\n /* Out of memory: use conservative */\n /* approximation. */\n result = GC_MAKE_PROC(GC_typed_mark_proc_index, (word)index);\n }\n return result;\n}", "project": "bdwgc", "hash": 275714746816776214351352041196879685670, "size": 61, "commit_id": "4e1a6f9d8f2a49403bbd00b8c8e5324048fb84d4", "message": "Fix calloc_explicitly_typed in case of lb*n overflow\n\n* typd_mlc.c: Include limits.h (for SIZE_MAX).\n* typd_mlc.c (GC_SIZE_MAX, GC_SQRT_SIZE_MAX): New macro (same as in\nmalloc.c).\n* typd_mlc.c (GC_calloc_explicitly_typed): Return NULL if lb * n\noverflows (same algorithm as in calloc defined in malloc.c); eliminate\nlb *= n code duplication.", "target": 0, "dataset": "other", "idx": 374058 }, { "func": "bool Virtual_tmp_table::sp_set_all_fields_from_item(THD *thd, Item *value)\n{\n DBUG_ASSERT(value->fixed);\n DBUG_ASSERT(value->cols() == s->fields);\n for (uint i= 0; i < value->cols(); i++)\n {\n if (field[i]->sp_prepare_and_store_item(thd, value->addr(i)))\n return true;\n }\n return false;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 232963102306809260260248268602353376091, "size": 11, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508648 }, { "func": "Next_select_func setup_end_select_func(JOIN *join, JOIN_TAB *tab)\n{\n TMP_TABLE_PARAM *tmp_tbl= tab ? tab->tmp_table_param : &join->tmp_table_param;\n\n /* \n Choose method for presenting result to user. Use end_send_group\n if the query requires grouping (has a GROUP BY clause and/or one or\n more aggregate functions). Use end_send if the query should not\n be grouped.\n */\n if (join->sort_and_group && !tmp_tbl->precomputed_group_by)\n {\n DBUG_PRINT(\"info\",(\"Using end_send_group\"));\n return end_send_group;\n }\n DBUG_PRINT(\"info\",(\"Using end_send\"));\n return end_send;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 75060888505972078447331481512534833046, "size": 18, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508718 }, { "func": "int kvm_arch_vcpu_ioctl_get_regs(struct kvm_vcpu *vcpu, struct kvm_regs *regs)\n{\n\tvcpu_load(vcpu);\n\tmemcpy(®s->gprs, &vcpu->run->s.regs.gprs, sizeof(regs->gprs));\n\tvcpu_put(vcpu);\n\treturn 0;\n}", "project": "linux", "hash": 189066542134484357028738948772865735146, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354815 }, { "func": " Copy_query_with_rewrite(THD *t, const char *s, size_t l, String *d)\n :thd(t), src(s), src_len(l), from(0), dst(d) { }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 233158614287143135695962731498351477653, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after 
pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509128 }, { "func": "static int php_openssl_cipher_init(const EVP_CIPHER *cipher_type,\n\t\tEVP_CIPHER_CTX *cipher_ctx, struct php_openssl_cipher_mode *mode,\n\t\tchar **ppassword, size_t *ppassword_len, zend_bool *free_password,\n\t\tchar **piv, size_t *piv_len, zend_bool *free_iv,\n\t\tchar *tag, int tag_len, zend_long options, int enc) /* {{{ */\n{\n\tunsigned char *key;\n\tint key_len, password_len;\n\tsize_t max_iv_len;\n\n\t*free_password = 0;\n\n\tmax_iv_len = EVP_CIPHER_iv_length(cipher_type);\n\tif (enc && *piv_len == 0 && max_iv_len > 0 && !mode->is_aead) {\n\t\tphp_error_docref(NULL, E_WARNING,\n\t\t\t\t\"Using an empty Initialization Vector (iv) is potentially insecure and not recommended\");\n\t}\n\n\tif (!EVP_CipherInit_ex(cipher_ctx, cipher_type, NULL, NULL, NULL, enc)) {\n\t\tphp_openssl_store_errors();\n\t\treturn FAILURE;\n\t}\n\tif (php_openssl_validate_iv(piv, piv_len, max_iv_len, free_iv, cipher_ctx, mode) == FAILURE) {\n\t\treturn FAILURE;\n\t}\n\tif (mode->is_single_run_aead && enc) {\n\t\tif (!EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_set_tag_flag, tag_len, NULL)) {\n\t\t\tphp_error_docref(NULL, E_WARNING, \"Setting tag length 
for AEAD cipher failed\");\n\t\t\treturn FAILURE;\n\t\t}\n\t} else if (!enc && tag && tag_len > 0) {\n\t\tif (!mode->is_aead) {\n\t\t\tphp_error_docref(NULL, E_WARNING, \"The tag cannot be used because the cipher method does not support AEAD\");\n\t\t} else if (!EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_set_tag_flag, tag_len, (unsigned char *) tag)) {\n\t\t\tphp_error_docref(NULL, E_WARNING, \"Setting tag for AEAD cipher decryption failed\");\n\t\t\treturn FAILURE;\n\t\t}\n\t}\n\t/* check and set key */\n\tpassword_len = (int) *ppassword_len;\n\tkey_len = EVP_CIPHER_key_length(cipher_type);\n\tif (key_len > password_len) {\n\t\tif ((OPENSSL_DONT_ZERO_PAD_KEY & options) && !EVP_CIPHER_CTX_set_key_length(cipher_ctx, password_len)) {\n\t\t\tphp_openssl_store_errors();\n\t\t\tphp_error_docref(NULL, E_WARNING, \"Key length cannot be set for the cipher method\");\n\t\t\treturn FAILURE;\n\t\t}\n\t\tkey = emalloc(key_len);\n\t\tmemset(key, 0, key_len);\n\t\tmemcpy(key, *ppassword, password_len);\n\t\t*ppassword = (char *) key;\n\t\t*ppassword_len = key_len;\n\t\t*free_password = 1;\n\t} else {\n\t\tif (password_len > key_len && !EVP_CIPHER_CTX_set_key_length(cipher_ctx, password_len)) {\n\t\t\tphp_openssl_store_errors();\n\t\t}\n\t\tkey = (unsigned char*)*ppassword;\n\t}\n\n\tif (!EVP_CipherInit_ex(cipher_ctx, NULL, NULL, key, (unsigned char *)*piv, enc)) {\n\t\tphp_openssl_store_errors();\n\t\treturn FAILURE;\n\t}\n\tif (options & OPENSSL_ZERO_PADDING) {\n\t\tEVP_CIPHER_CTX_set_padding(cipher_ctx, 0);\n\t}\n\n\treturn SUCCESS;\n}", "project": "php-src", "hash": 318294972260879561265536362775222269265, "size": 70, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291453 }, { "func": "\treturn err;\n}\n\nstatic int iscsi_new_flashnode(struct iscsi_transport *transport,\n\t\t\t struct iscsi_uevent *ev, uint32_t len)\n{\n\tchar *data = 
(char *)ev + sizeof(*ev);\n\tstruct Scsi_Host *shost;\n\tint index;\n\tint err = 0;\n\n\tif (!transport->new_flashnode) {\n\t\terr = -ENOSYS;\n\t\tgoto exit_new_fnode;\n\t}\n\n\tshost = scsi_host_lookup(ev->u.new_flashnode.host_no);\n\tif (!shost) {\n\t\tpr_err(\"%s could not find host no %u\\n\",\n\t\t __func__, ev->u.new_flashnode.host_no);\n\t\terr = -ENODEV;\n\t\tgoto put_host;\n\t}\n\n\tindex = transport->new_flashnode(shost, data, len);\n\n\tif (index >= 0)\n\t\tev->r.new_flashnode_ret.flashnode_idx = index;\n\telse\n\t\terr = -EIO;\n\nput_host:\n\tscsi_host_put(shost);\n", "project": "linux", "hash": 230262099748420566746268816417226352261, "size": 34, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379972 }, { "func": "void JOIN::cleanup_item_list(List &items) const\n{\n DBUG_ENTER(\"JOIN::cleanup_item_list\");\n if (!items.is_empty())\n {\n List_iterator_fast it(items);\n Item *item;\n while ((item= it++))\n item->cleanup();\n }\n DBUG_VOID_RETURN;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 159276769933709608645016960673109643954, "size": 12, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508724 }, { "func": "static void ca8210_dev_com_clear(struct ca8210_priv *priv)\n{\n\tflush_workqueue(priv->mlme_workqueue);\n\tdestroy_workqueue(priv->mlme_workqueue);\n\tflush_workqueue(priv->irq_workqueue);\n\tdestroy_workqueue(priv->irq_workqueue);\n}", "project": "linux", "hash": 338328136302338046083176361080066717805, "size": 7, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408817 }, { "func": "static void cliprdr_write_file_contents_request(wStream* s,\n const CLIPRDR_FILE_CONTENTS_REQUEST* request)\n{\n\tStream_Write_UINT32(s, request->streamId); /* streamId (4 bytes) */\n\tStream_Write_UINT32(s, request->listIndex); /* listIndex (4 bytes) */\n\tStream_Write_UINT32(s, request->dwFlags); /* dwFlags (4 bytes) 
*/\n\tStream_Write_UINT32(s, request->nPositionLow); /* nPositionLow (4 bytes) */\n\tStream_Write_UINT32(s, request->nPositionHigh); /* nPositionHigh (4 bytes) */\n\tStream_Write_UINT32(s, request->cbRequested); /* cbRequested (4 bytes) */\n\n\tif (request->haveClipDataId)\n\t\tStream_Write_UINT32(s, request->clipDataId); /* clipDataId (4 bytes) */\n}", "project": "FreeRDP", "hash": 162514535405536762391089522031015423599, "size": 13, "commit_id": "b73143cf7ee5fe4cdabcbf56908aa15d8a883821", "message": "Fixed oob read in cliprdr_read_format_list", "target": 0, "dataset": "other", "idx": 388313 }, { "func": "static inline void queueDrain(qqueue_t *pThis)\n{\n\tvoid *pUsr;\n\tASSERT(pThis != NULL);\n\n\tBEGINfunc\n\tDBGOPRINT((obj_t*) pThis, \"queue (type %d) will lose %d messages, destroying...\\n\", pThis->qType, pThis->iQueueSize);\n\t/* iQueueSize is not decremented by qDel(), so we need to do it ourselves */\n\twhile(ATOMIC_DEC_AND_FETCH(&pThis->iQueueSize, &pThis->mutQueueSize) > 0) {\n\t\tpThis->qDeq(pThis, &pUsr);\n\t\tif(pUsr != NULL) {\n\t\t\tobjDestruct(pUsr);\n\t\t}\n\t\tpThis->qDel(pThis);\n\t}\n\tENDfunc\n}", "project": "rsyslog", "hash": 234793265750540168956059162073887555848, "size": 17, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373811 }, { "func": "static void sca_dispose(struct kvm *kvm)\n{\n\tif (kvm->arch.use_esca)\n\t\tfree_pages_exact(kvm->arch.sca, sizeof(struct esca_block));\n\telse\n\t\tfree_page((unsigned long)(kvm->arch.sca));\n\tkvm->arch.sca = NULL;\n}", "project": "linux", "hash": 197704887696830163754149535418878580712, "size": 8, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free 
access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354675 }, { "func": "static void setbrightness(struct gspca_dev *gspca_dev, s32 val)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\tstatic const struct ov_i2c_regvals brit_7660[][7] = {\n\t\t{{0x0f, 0x6a}, {0x24, 0x40}, {0x25, 0x2b}, {0x26, 0x90},\n\t\t\t{0x27, 0xe0}, {0x28, 0xe0}, {0x2c, 0xe0}},\n\t\t{{0x0f, 0x6a}, {0x24, 0x50}, {0x25, 0x40}, {0x26, 0xa1},\n\t\t\t{0x27, 0xc0}, {0x28, 0xc0}, {0x2c, 0xc0}},\n\t\t{{0x0f, 0x6a}, {0x24, 0x68}, {0x25, 0x58}, {0x26, 0xc2},\n\t\t\t{0x27, 0xa0}, {0x28, 0xa0}, {0x2c, 0xa0}},\n\t\t{{0x0f, 0x6a}, {0x24, 0x70}, {0x25, 0x68}, {0x26, 0xd3},\n\t\t\t{0x27, 0x80}, {0x28, 0x80}, {0x2c, 0x80}},\n\t\t{{0x0f, 0x6a}, {0x24, 0x80}, {0x25, 0x70}, {0x26, 0xd3},\n\t\t\t{0x27, 0x20}, {0x28, 0x20}, {0x2c, 0x20}},\n\t\t{{0x0f, 0x6a}, {0x24, 0x88}, {0x25, 0x78}, {0x26, 0xd3},\n\t\t\t{0x27, 0x40}, {0x28, 0x40}, {0x2c, 0x40}},\n\t\t{{0x0f, 0x6a}, {0x24, 0x90}, {0x25, 0x80}, {0x26, 0xd4},\n\t\t\t{0x27, 0x60}, {0x28, 0x60}, {0x2c, 0x60}}\n\t};\n\n\tswitch (sd->sensor) {\n\tcase SEN_OV8610:\n\tcase SEN_OV7610:\n\tcase SEN_OV76BE:\n\tcase SEN_OV6620:\n\tcase SEN_OV6630:\n\tcase SEN_OV66308AF:\n\tcase SEN_OV7640:\n\tcase SEN_OV7648:\n\t\ti2c_w(sd, OV7610_REG_BRT, val);\n\t\tbreak;\n\tcase SEN_OV7620:\n\tcase SEN_OV7620AE:\n\t\ti2c_w(sd, OV7610_REG_BRT, val);\n\t\tbreak;\n\tcase SEN_OV7660:\n\t\twrite_i2c_regvals(sd, brit_7660[val],\n\t\t\t\tARRAY_SIZE(brit_7660[0]));\n\t\tbreak;\n\tcase SEN_OV7670:\n/*win trace\n *\t\ti2c_w_mask(sd, 
OV7670_R13_COM8, 0, OV7670_COM8_AEC); */\n\t\ti2c_w(sd, OV7670_R55_BRIGHT, ov7670_abs_to_sm(val));\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 313747308863968120054237962704578832300, "size": 46, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306293 }, { "func": "static int sb_permission(struct super_block *sb, struct inode *inode, int mask)\n{\n\tif (unlikely(mask & MAY_WRITE)) {\n\t\tumode_t mode = inode->i_mode;\n\n\t\t/* Nobody gets write access to a read-only fs. 
*/\n\t\tif (sb_rdonly(sb) && (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode)))\n\t\t\treturn -EROFS;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 98542976747902067932975396662198473742, "size": 11, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295359 }, { "func": "int ip_do_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,\n\t\t int (*output)(struct net *, struct sock *, struct sk_buff *))\n{\n\tstruct iphdr *iph;\n\tint ptr;\n\tstruct sk_buff *skb2;\n\tunsigned int mtu, hlen, left, len, ll_rs;\n\tint offset;\n\t__be16 not_last_frag;\n\tstruct rtable *rt = skb_rtable(skb);\n\tint err = 0;\n\n\t/* for offloaded checksums cleanup checksum before fragmentation */\n\tif (skb->ip_summed == CHECKSUM_PARTIAL &&\n\t (err = skb_checksum_help(skb)))\n\t\tgoto fail;\n\n\t/*\n\t *\tPoint into the IP datagram header.\n\t */\n\n\tiph = ip_hdr(skb);\n\n\tmtu = ip_skb_dst_mtu(sk, skb);\n\tif (IPCB(skb)->frag_max_size && IPCB(skb)->frag_max_size < mtu)\n\t\tmtu = IPCB(skb)->frag_max_size;\n\n\t/*\n\t *\tSetup starting values.\n\t */\n\n\thlen = iph->ihl * 4;\n\tmtu = mtu - hlen;\t/* Size of data space */\n\tIPCB(skb)->flags |= IPSKB_FRAG_COMPLETE;\n\tll_rs = LL_RESERVED_SPACE(rt->dst.dev);\n\n\t/* When frag_list is given, use it. First, check its validity:\n\t * some transformers could create wrong frag_list or break existing\n\t * one, it is not prohibited. 
In this case fall back to copying.\n\t *\n\t * LATER: this step can be merged to real generation of fragments,\n\t * we can switch to copy when see the first bad fragment.\n\t */\n\tif (skb_has_frag_list(skb)) {\n\t\tstruct sk_buff *frag, *frag2;\n\t\tunsigned int first_len = skb_pagelen(skb);\n\n\t\tif (first_len - hlen > mtu ||\n\t\t ((first_len - hlen) & 7) ||\n\t\t ip_is_fragment(iph) ||\n\t\t skb_cloned(skb) ||\n\t\t skb_headroom(skb) < ll_rs)\n\t\t\tgoto slow_path;\n\n\t\tskb_walk_frags(skb, frag) {\n\t\t\t/* Correct geometry. */\n\t\t\tif (frag->len > mtu ||\n\t\t\t ((frag->len & 7) && frag->next) ||\n\t\t\t skb_headroom(frag) < hlen + ll_rs)\n\t\t\t\tgoto slow_path_clean;\n\n\t\t\t/* Partially cloned skb? */\n\t\t\tif (skb_shared(frag))\n\t\t\t\tgoto slow_path_clean;\n\n\t\t\tBUG_ON(frag->sk);\n\t\t\tif (skb->sk) {\n\t\t\t\tfrag->sk = skb->sk;\n\t\t\t\tfrag->destructor = sock_wfree;\n\t\t\t}\n\t\t\tskb->truesize -= frag->truesize;\n\t\t}\n\n\t\t/* Everything is OK. Generate! */\n\n\t\terr = 0;\n\t\toffset = 0;\n\t\tfrag = skb_shinfo(skb)->frag_list;\n\t\tskb_frag_list_init(skb);\n\t\tskb->data_len = first_len - skb_headlen(skb);\n\t\tskb->len = first_len;\n\t\tiph->tot_len = htons(first_len);\n\t\tiph->frag_off = htons(IP_MF);\n\t\tip_send_check(iph);\n\n\t\tfor (;;) {\n\t\t\t/* Prepare header of the next frame,\n\t\t\t * before previous one went down. 
*/\n\t\t\tif (frag) {\n\t\t\t\tfrag->ip_summed = CHECKSUM_NONE;\n\t\t\t\tskb_reset_transport_header(frag);\n\t\t\t\t__skb_push(frag, hlen);\n\t\t\t\tskb_reset_network_header(frag);\n\t\t\t\tmemcpy(skb_network_header(frag), iph, hlen);\n\t\t\t\tiph = ip_hdr(frag);\n\t\t\t\tiph->tot_len = htons(frag->len);\n\t\t\t\tip_copy_metadata(frag, skb);\n\t\t\t\tif (offset == 0)\n\t\t\t\t\tip_options_fragment(frag);\n\t\t\t\toffset += skb->len - hlen;\n\t\t\t\tiph->frag_off = htons(offset>>3);\n\t\t\t\tif (frag->next)\n\t\t\t\t\tiph->frag_off |= htons(IP_MF);\n\t\t\t\t/* Ready, complete checksum */\n\t\t\t\tip_send_check(iph);\n\t\t\t}\n\n\t\t\terr = output(net, sk, skb);\n\n\t\t\tif (!err)\n\t\t\t\tIP_INC_STATS(net, IPSTATS_MIB_FRAGCREATES);\n\t\t\tif (err || !frag)\n\t\t\t\tbreak;\n\n\t\t\tskb = frag;\n\t\t\tfrag = skb->next;\n\t\t\tskb->next = NULL;\n\t\t}\n\n\t\tif (err == 0) {\n\t\t\tIP_INC_STATS(net, IPSTATS_MIB_FRAGOKS);\n\t\t\treturn 0;\n\t\t}\n\n\t\twhile (frag) {\n\t\t\tskb = frag->next;\n\t\t\tkfree_skb(frag);\n\t\t\tfrag = skb;\n\t\t}\n\t\tIP_INC_STATS(net, IPSTATS_MIB_FRAGFAILS);\n\t\treturn err;\n\nslow_path_clean:\n\t\tskb_walk_frags(skb, frag2) {\n\t\t\tif (frag2 == frag)\n\t\t\t\tbreak;\n\t\t\tfrag2->sk = NULL;\n\t\t\tfrag2->destructor = NULL;\n\t\t\tskb->truesize += frag2->truesize;\n\t\t}\n\t}\n\nslow_path:\n\tiph = ip_hdr(skb);\n\n\tleft = skb->len - hlen;\t\t/* Space per frame */\n\tptr = hlen;\t\t/* Where to start from */\n\n\t/*\n\t *\tFragment the datagram.\n\t */\n\n\toffset = (ntohs(iph->frag_off) & IP_OFFSET) << 3;\n\tnot_last_frag = iph->frag_off & htons(IP_MF);\n\n\t/*\n\t *\tKeep copying data until we run out.\n\t */\n\n\twhile (left > 0) {\n\t\tlen = left;\n\t\t/* IF: it doesn't fit, use 'mtu' - the data space left */\n\t\tif (len > mtu)\n\t\t\tlen = mtu;\n\t\t/* IF: we are not sending up to and including the packet end\n\t\t then align the next start on an eight byte boundary */\n\t\tif (len < left)\t{\n\t\t\tlen &= ~7;\n\t\t}\n\n\t\t/* Allocate 
buffer */\n\t\tskb2 = alloc_skb(len + hlen + ll_rs, GFP_ATOMIC);\n\t\tif (!skb2) {\n\t\t\terr = -ENOMEM;\n\t\t\tgoto fail;\n\t\t}\n\n\t\t/*\n\t\t *\tSet up data on packet\n\t\t */\n\n\t\tip_copy_metadata(skb2, skb);\n\t\tskb_reserve(skb2, ll_rs);\n\t\tskb_put(skb2, len + hlen);\n\t\tskb_reset_network_header(skb2);\n\t\tskb2->transport_header = skb2->network_header + hlen;\n\n\t\t/*\n\t\t *\tCharge the memory for the fragment to any owner\n\t\t *\tit might possess\n\t\t */\n\n\t\tif (skb->sk)\n\t\t\tskb_set_owner_w(skb2, skb->sk);\n\n\t\t/*\n\t\t *\tCopy the packet header into the new buffer.\n\t\t */\n\n\t\tskb_copy_from_linear_data(skb, skb_network_header(skb2), hlen);\n\n\t\t/*\n\t\t *\tCopy a block of the IP datagram.\n\t\t */\n\t\tif (skb_copy_bits(skb, ptr, skb_transport_header(skb2), len))\n\t\t\tBUG();\n\t\tleft -= len;\n\n\t\t/*\n\t\t *\tFill in the new header fields.\n\t\t */\n\t\tiph = ip_hdr(skb2);\n\t\tiph->frag_off = htons((offset >> 3));\n\n\t\tif (IPCB(skb)->flags & IPSKB_FRAG_PMTU)\n\t\t\tiph->frag_off |= htons(IP_DF);\n\n\t\t/* ANK: dirty, but effective trick. 
Upgrade options only if\n\t\t * the segment to be fragmented was THE FIRST (otherwise,\n\t\t * options are already fixed) and make it ONCE\n\t\t * on the initial skb, so that all the following fragments\n\t\t * will inherit fixed options.\n\t\t */\n\t\tif (offset == 0)\n\t\t\tip_options_fragment(skb);\n\n\t\t/*\n\t\t *\tAdded AC : If we are fragmenting a fragment that's not the\n\t\t *\t\t last fragment then keep MF on each bit\n\t\t */\n\t\tif (left > 0 || not_last_frag)\n\t\t\tiph->frag_off |= htons(IP_MF);\n\t\tptr += len;\n\t\toffset += len;\n\n\t\t/*\n\t\t *\tPut this fragment into the sending queue.\n\t\t */\n\t\tiph->tot_len = htons(len + hlen);\n\n\t\tip_send_check(iph);\n\n\t\terr = output(net, sk, skb2);\n\t\tif (err)\n\t\t\tgoto fail;\n\n\t\tIP_INC_STATS(net, IPSTATS_MIB_FRAGCREATES);\n\t}\n\tconsume_skb(skb);\n\tIP_INC_STATS(net, IPSTATS_MIB_FRAGOKS);\n\treturn err;\n\nfail:\n\tkfree_skb(skb);\n\tIP_INC_STATS(net, IPSTATS_MIB_FRAGFAILS);\n\treturn err;\n}", "project": "net", "hash": 154444670053617137162629006222456475750, "size": 257, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 469000 }, { "func": "inline void SparseTensor::Reorder(const VarDimArray& order) {\n DCHECK_EQ(DataTypeToEnum::v(), dtype())\n << \"Reorder requested with the wrong datatype\";\n DCHECK_EQ(order.size(), dims_) << \"Order length must be SparseTensor rank\";\n auto ix_t = ix_.matrix();\n auto vals_t = vals_.vec();\n\n std::vector reorder(num_entries());\n std::iota(reorder.begin(), reorder.end(), 0);\n\n // Sort to get order of indices\n switch (order.size()) {\n#define CASE_SORT(ORDER_SIZE) \\\n case ORDER_SIZE: { \\\n FixedDimComparator sorter(ix_t, order, shape()); \\\n std::sort(reorder.begin(), reorder.end(), sorter); \\\n break; \\\n }\n CASE_SORT(0);\n CASE_SORT(1);\n CASE_SORT(2);\n CASE_SORT(3);\n CASE_SORT(4);\n CASE_SORT(5);\n#undef CASE_SORT\n default: {\n DimComparator sorter(ix_t, order, shape());\n std::sort(reorder.begin(), reorder.end(), sorter);\n }\n }\n\n // We have a forward reordering, but what we'll need is a\n // permutation (the inverse). This can be calculated with O(1)\n // additional\n // and O(n) time (INVPERM) but we just do the simple thing here.\n std::vector permutation(reorder.size());\n for (std::size_t n = 0; n < reorder.size(); ++n) {\n permutation[reorder[n]] = n;\n }\n\n // Update indices & values by converting the permutations to\n // a product of transpositions. 
Iterate over the cycles in the\n // permutation, and convert each of those into a product of\n // transpositions (swaps):\n // https://en.wikipedia.org/wiki/Cyclic_permutation\n // This is N swaps, 2*N comparisons.\n for (std::size_t n = 0; n + 1 < permutation.size(); ++n) {\n while (n != permutation[n]) {\n std::size_t r = permutation[n];\n std::swap_ranges(&(ix_t(n, 0)), &(ix_t(n + 1, 0)), &(ix_t(r, 0)));\n std::swap(vals_t(n), vals_t(r));\n std::swap(permutation[n], permutation[r]);\n }\n }\n\n order_ = ShapeArray(order.begin(), order.end());\n}", "project": "tensorflow", "hash": 308503909192964626875254031904734409444, "size": 57, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277027 }, { "func": "static int fuse_permission(struct inode *inode, int mask)\n{\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tbool refreshed = false;\n\tint err = 0;\n\n\tif (fuse_is_bad(inode))\n\t\treturn -EIO;\n\n\tif (!fuse_allow_current_process(fc))\n\t\treturn -EACCES;\n\n\t/*\n\t * If attributes are needed, refresh them before proceeding\n\t */\n\tif (fc->default_permissions ||\n\t ((mask & MAY_EXEC) && S_ISREG(inode->i_mode))) {\n\t\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\t\tu32 perm_mask = STATX_MODE | STATX_UID | STATX_GID;\n\n\t\tif (perm_mask & READ_ONCE(fi->inval_mask) ||\n\t\t time_before64(fi->i_time, get_jiffies_64())) {\n\t\t\trefreshed = true;\n\n\t\t\terr = fuse_perm_getattr(inode, mask);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t}\n\t}\n\n\tif (fc->default_permissions) {\n\t\terr = generic_permission(inode, mask);\n\n\t\t/* If permission is denied, try to refresh file\n\t\t attributes. 
This is also needed, because the root\n\t\t node will at first have no permissions */\n\t\tif (err == -EACCES && !refreshed) {\n\t\t\terr = fuse_perm_getattr(inode, mask);\n\t\t\tif (!err)\n\t\t\t\terr = generic_permission(inode, mask);\n\t\t}\n\n\t\t/* Note: the opposite of the above test does not\n\t\t exist. So if permissions are revoked this won't be\n\t\t noticed immediately, only after the attribute\n\t\t timeout has expired */\n\t} else if (mask & (MAY_ACCESS | MAY_CHDIR)) {\n\t\terr = fuse_access(inode, mask);\n\t} else if ((mask & MAY_EXEC) && S_ISREG(inode->i_mode)) {\n\t\tif (!(inode->i_mode & S_IXUGO)) {\n\t\t\tif (refreshed)\n\t\t\t\treturn -EACCES;\n\n\t\t\terr = fuse_perm_getattr(inode, mask);\n\t\t\tif (!err && !(inode->i_mode & S_IXUGO))\n\t\t\t\treturn -EACCES;\n\t\t}\n\t}\n\treturn err;\n}", "project": "linux", "hash": 339293590208509329212437243019802669823, "size": 60, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342107 }, { "func": "void tracing_record_cmdline(struct task_struct *task)\n{\n\ttracing_record_taskinfo(task, TRACE_RECORD_CMDLINE);\n}", "project": "linux", "hash": 164132315254199097438387633065262588250, "size": 4, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445800 }, { "func": "void pb_release(const pb_field_t fields[], void *dest_struct)\n{\n pb_field_iter_t iter;\n \n if (!dest_struct)\n return; /* Ignore NULL pointers, similar to free() */\n\n if (!pb_field_iter_begin(&iter, fields, dest_struct))\n return; /* Empty message type */\n \n do\n {\n pb_release_single_field(&iter);\n } while (pb_field_iter_next(&iter));\n}", "project": "nanopb", "hash": 12734073621642314750920932131402010143, "size": 15, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252502 }, { "func": "void pb_release(const pb_field_t 
fields[], void *dest_struct)\n{\n pb_field_iterator_t iter;\n pb_field_init(&iter, fields, dest_struct);\n\n if (iter.pos->tag == 0)\n return; /* Empty message type */\n \n do\n {\n pb_release_single_field(&iter);\n } while (pb_field_next(&iter));\n}", "project": "nanopb", "hash": 311180543776686219183409540141025497113, "size": 13, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255323 }, { "func": "static int gdAlphaOverlayColor (int src, int dst, int max )\n{\n\t/* this function implements the algorithm\n\t *\n\t * for dst[rgb] < 0.5,\n\t * c[rgb] = 2.src[rgb].dst[rgb]\n\t * and for dst[rgb] > 0.5,\n\t * c[rgb] = -2.src[rgb].dst[rgb] + 2.dst[rgb] + 2.src[rgb] - 1\n\t *\n\t */\n\n\tdst = dst << 1;\n\tif( dst > max ) {\n\t\t/* in the \"light\" zone */\n\t\treturn dst + (src << 1) - (dst * src / max) - max;\n\t} else {\n\t\t/* in the \"dark\" zone */\n\t\treturn dst * src / max;\n\t}\n}", "project": "php-src", "hash": 134739913268387936411051748519103892469, "size": 20, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295190 }, { "func": "ZEND_API zval * zend_throw_error_exception(zend_class_entry *exception_ce, char *message, long code, int severity TSRMLS_DC) /* {{{ */\n{\n\tzval *ex = zend_throw_exception(exception_ce, message, code TSRMLS_CC);\n\tzend_update_property_long(default_exception_ce, ex, \"severity\", sizeof(\"severity\")-1, severity TSRMLS_CC);\n\treturn ex;\n}", "project": "php-src", "hash": 30067324073256481482457068184885515338, "size": 6, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374447 }, { "func": "static int kvm_arch_vcpu_ioctl_set_initial_psw(struct kvm_vcpu *vcpu, psw_t 
psw)\n{\n\tint rc = 0;\n\n\tif (!is_vcpu_stopped(vcpu))\n\t\trc = -EBUSY;\n\telse {\n\t\tvcpu->run->psw_mask = psw.mask;\n\t\tvcpu->run->psw_addr = psw.addr;\n\t}\n\treturn rc;\n}", "project": "linux", "hash": 128705985006864311086858573252392074359, "size": 12, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354840 }, { "func": "static bool kill_ok_by_cred(struct task_struct *t)\n{\n\tconst struct cred *cred = current_cred();\n\tconst struct cred *tcred = __task_cred(t);\n\n\treturn uid_eq(cred->euid, tcred->suid) ||\n\t uid_eq(cred->euid, tcred->uid) ||\n\t uid_eq(cred->uid, tcred->suid) ||\n\t uid_eq(cred->uid, tcred->uid) ||\n\t ns_capable(tcred->user_ns, CAP_KILL);\n}", "project": "linux", "hash": 98377307338878840712036740663358297498, "size": 11, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375180 }, { "func": "void tty_open_proc_set_tty(struct file *filp, struct tty_struct *tty)\n{\n\tread_lock(&tasklist_lock);\n\tspin_lock_irq(&current->sighand->siglock);\n\tif (current->signal->leader &&\n\t !current->signal->tty &&\n\t tty->session == NULL) {\n\t\t/*\n\t\t * Don't let a process that only has write access to the tty\n\t\t * obtain the privileges associated with having a tty as\n\t\t * controlling terminal (being able to reopen it with full\n\t\t * access through /dev/tty, being able to perform pushback).\n\t\t * Many distributions set the group of all ttys to \"tty\" and\n\t\t * grant write-only access to all terminals for setgid tty\n\t\t * binaries, which should not imply full privileges on all ttys.\n\t\t *\n\t\t * This could theoretically break old code that performs open()\n\t\t * on a write-only file descriptor. In that case, it might be\n\t\t * necessary to also permit this if\n\t\t * inode_permission(inode, MAY_READ) == 0.\n\t\t */\n\t\tif (filp->f_mode & FMODE_READ)\n\t\t\t__proc_set_tty(tty);\n\t}\n\tspin_unlock_irq(&current->sighand->siglock);\n\tread_unlock(&tasklist_lock);\n}", "project": "linux", "hash": 302408985104397412626316985375136052066, "size": 27, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. 
(Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326005 }, { "func": "static int kvm_debugfs_open(struct inode *inode, struct file *file,\n\t\t\t int (*get)(void *, u64 *), int (*set)(void *, u64),\n\t\t\t const char *fmt)\n{\n\tstruct kvm_stat_data *stat_data = (struct kvm_stat_data *)\n\t\t\t\t\t inode->i_private;\n\n\t/* The debugfs files are a reference to the kvm struct which\n\t * is still valid when kvm_destroy_vm is called.\n\t * To avoid the race between open and the removal of the debugfs\n\t * directory we test against the users count.\n\t */\n\tif (!refcount_inc_not_zero(&stat_data->kvm->users_count))\n\t\treturn -ENOENT;\n\n\tif (simple_attr_open(inode, file, get,\n\t\t KVM_DBGFS_GET_MODE(stat_data->dbgfs_item) & 0222\n\t\t ? 
set : NULL,\n\t\t fmt)) {\n\t\tkvm_put_kvm(stat_data->kvm);\n\t\treturn -ENOMEM;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 50741096398191920288559905622270600420, "size": 25, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354445 }, { "func": "static int vcpu_stat_get(void *_offset, u64 *val)\n{\n\tunsigned offset = (long)_offset;\n\tstruct kvm *kvm;\n\tu64 tmp_val;\n\n\t*val = 0;\n\tmutex_lock(&kvm_lock);\n\tlist_for_each_entry(kvm, &vm_list, vm_list) {\n\t\tkvm_get_stat_per_vcpu(kvm, offset, &tmp_val);\n\t\t*val += tmp_val;\n\t}\n\tmutex_unlock(&kvm_lock);\n\treturn 0;\n}", "project": "linux", "hash": 86557186590335108636092541947580751312, "size": 15, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: 
Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354597 }, { "func": "int tty_signal_session_leader(struct tty_struct *tty, int exit_session)\n{\n\tstruct task_struct *p;\n\tint refs = 0;\n\tstruct pid *tty_pgrp = NULL;\n\n\tread_lock(&tasklist_lock);\n\tif (tty->session) {\n\t\tdo_each_pid_task(tty->session, PIDTYPE_SID, p) {\n\t\t\tspin_lock_irq(&p->sighand->siglock);\n\t\t\tif (p->signal->tty == tty) {\n\t\t\t\tp->signal->tty = NULL;\n\t\t\t\t/* We defer the dereferences outside fo\n\t\t\t\t the tasklist lock */\n\t\t\t\trefs++;\n\t\t\t}\n\t\t\tif (!p->signal->leader) {\n\t\t\t\tspin_unlock_irq(&p->sighand->siglock);\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\t__group_send_sig_info(SIGHUP, SEND_SIG_PRIV, p);\n\t\t\t__group_send_sig_info(SIGCONT, SEND_SIG_PRIV, p);\n\t\t\tput_pid(p->signal->tty_old_pgrp); /* A noop */\n\t\t\tspin_lock(&tty->ctrl_lock);\n\t\t\ttty_pgrp = get_pid(tty->pgrp);\n\t\t\tif (tty->pgrp)\n\t\t\t\tp->signal->tty_old_pgrp = get_pid(tty->pgrp);\n\t\t\tspin_unlock(&tty->ctrl_lock);\n\t\t\tspin_unlock_irq(&p->sighand->siglock);\n\t\t} while_each_pid_task(tty->session, PIDTYPE_SID, p);\n\t}\n\tread_unlock(&tasklist_lock);\n\n\tif (tty_pgrp) {\n\t\tif (exit_session)\n\t\t\tkill_pgrp(tty_pgrp, SIGHUP, exit_session);\n\t\tput_pid(tty_pgrp);\n\t}\n\n\treturn refs;\n}", "project": "linux", "hash": 144825828044871393678174835751044103987, "size": 41, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long 
enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326000 }, { "func": "static int decode_update_thread_context(AVCodecContext *dst,\n const AVCodecContext *src)\n{\n H264Context *h = dst->priv_data, *h1 = src->priv_data;\n int inited = h->context_initialized, err = 0;\n int context_reinitialized = 0;\n int i, ret;\n\n if (dst == src)\n return 0;\n\n if (inited &&\n (h->width != h1->width ||\n h->height != h1->height ||\n h->mb_width != h1->mb_width ||\n h->mb_height != h1->mb_height ||\n h->sps.bit_depth_luma != h1->sps.bit_depth_luma ||\n h->sps.chroma_format_idc != h1->sps.chroma_format_idc ||\n h->sps.colorspace != h1->sps.colorspace)) {\n\n /* set bits_per_raw_sample to the previous value. 
the check for changed\n * bit depth in h264_set_parameter_from_sps() uses it and sets it to\n * the current value */\n h->avctx->bits_per_raw_sample = h->sps.bit_depth_luma;\n\n av_freep(&h->bipred_scratchpad);\n\n h->width = h1->width;\n h->height = h1->height;\n h->mb_height = h1->mb_height;\n h->mb_width = h1->mb_width;\n h->mb_num = h1->mb_num;\n h->mb_stride = h1->mb_stride;\n h->b_stride = h1->b_stride;\n // SPS/PPS\n if ((ret = copy_parameter_set((void **)h->sps_buffers,\n (void **)h1->sps_buffers,\n MAX_SPS_COUNT, sizeof(SPS))) < 0)\n return ret;\n h->sps = h1->sps;\n if ((ret = copy_parameter_set((void **)h->pps_buffers,\n (void **)h1->pps_buffers,\n MAX_PPS_COUNT, sizeof(PPS))) < 0)\n return ret;\n h->pps = h1->pps;\n\n if ((err = h264_slice_header_init(h, 1)) < 0) {\n av_log(h->avctx, AV_LOG_ERROR, \"h264_slice_header_init() failed\");\n return err;\n }\n context_reinitialized = 1;\n\n#if 0\n h264_set_parameter_from_sps(h);\n //Note we set context_reinitialized which will cause h264_set_parameter_from_sps to be reexecuted\n h->cur_chroma_format_idc = h1->cur_chroma_format_idc;\n#endif\n }\n /* update linesize on resize for h264. 
The h264 decoder doesn't\n * necessarily call ff_MPV_frame_start in the new thread */\n h->linesize = h1->linesize;\n h->uvlinesize = h1->uvlinesize;\n\n /* copy block_offset since frame_start may not be called */\n memcpy(h->block_offset, h1->block_offset, sizeof(h->block_offset));\n\n if (!inited) {\n for (i = 0; i < MAX_SPS_COUNT; i++)\n av_freep(h->sps_buffers + i);\n\n for (i = 0; i < MAX_PPS_COUNT; i++)\n av_freep(h->pps_buffers + i);\n\n av_freep(&h->rbsp_buffer[0]);\n av_freep(&h->rbsp_buffer[1]);\n memcpy(h, h1, offsetof(H264Context, intra_pcm_ptr));\n memcpy(&h->cabac, &h1->cabac,\n sizeof(H264Context) - offsetof(H264Context, cabac));\n av_assert0((void*)&h->cabac == &h->mb_padding + 1);\n\n memset(h->sps_buffers, 0, sizeof(h->sps_buffers));\n memset(h->pps_buffers, 0, sizeof(h->pps_buffers));\n\n memset(&h->er, 0, sizeof(h->er));\n memset(&h->me, 0, sizeof(h->me));\n memset(&h->mb, 0, sizeof(h->mb));\n memset(&h->mb_luma_dc, 0, sizeof(h->mb_luma_dc));\n memset(&h->mb_padding, 0, sizeof(h->mb_padding));\n\n h->avctx = dst;\n h->DPB = NULL;\n h->qscale_table_pool = NULL;\n h->mb_type_pool = NULL;\n h->ref_index_pool = NULL;\n h->motion_val_pool = NULL;\n for (i = 0; i < 2; i++) {\n h->rbsp_buffer[i] = NULL;\n h->rbsp_buffer_size[i] = 0;\n }\n\n if (h1->context_initialized) {\n h->context_initialized = 0;\n\n memset(&h->cur_pic, 0, sizeof(h->cur_pic));\n av_frame_unref(&h->cur_pic.f);\n h->cur_pic.tf.f = &h->cur_pic.f;\n\n ret = ff_h264_alloc_tables(h);\n if (ret < 0) {\n av_log(dst, AV_LOG_ERROR, \"Could not allocate memory for h264\\n\");\n return ret;\n }\n ret = context_init(h);\n if (ret < 0) {\n av_log(dst, AV_LOG_ERROR, \"context_init() failed.\\n\");\n return ret;\n }\n }\n\n h->bipred_scratchpad = NULL;\n h->edge_emu_buffer = NULL;\n\n h->thread_context[0] = h;\n h->context_initialized = h1->context_initialized;\n }\n\n h->avctx->coded_height = h1->avctx->coded_height;\n h->avctx->coded_width = h1->avctx->coded_width;\n h->avctx->width = 
h1->avctx->width;\n h->avctx->height = h1->avctx->height;\n h->coded_picture_number = h1->coded_picture_number;\n h->first_field = h1->first_field;\n h->picture_structure = h1->picture_structure;\n h->qscale = h1->qscale;\n h->droppable = h1->droppable;\n h->data_partitioning = h1->data_partitioning;\n h->low_delay = h1->low_delay;\n\n for (i = 0; h->DPB && i < MAX_PICTURE_COUNT; i++) {\n unref_picture(h, &h->DPB[i]);\n if (h1->DPB && h1->DPB[i].f.buf[0] &&\n (ret = ref_picture(h, &h->DPB[i], &h1->DPB[i])) < 0)\n return ret;\n }\n\n h->cur_pic_ptr = REBASE_PICTURE(h1->cur_pic_ptr, h, h1);\n unref_picture(h, &h->cur_pic);\n if (h1->cur_pic.f.buf[0] && (ret = ref_picture(h, &h->cur_pic, &h1->cur_pic)) < 0)\n return ret;\n\n h->workaround_bugs = h1->workaround_bugs;\n h->low_delay = h1->low_delay;\n h->droppable = h1->droppable;\n\n // extradata/NAL handling\n h->is_avc = h1->is_avc;\n\n // SPS/PPS\n if ((ret = copy_parameter_set((void **)h->sps_buffers,\n (void **)h1->sps_buffers,\n MAX_SPS_COUNT, sizeof(SPS))) < 0)\n return ret;\n h->sps = h1->sps;\n if ((ret = copy_parameter_set((void **)h->pps_buffers,\n (void **)h1->pps_buffers,\n MAX_PPS_COUNT, sizeof(PPS))) < 0)\n return ret;\n h->pps = h1->pps;\n\n // Dequantization matrices\n // FIXME these are big - can they be only copied when PPS changes?\n copy_fields(h, h1, dequant4_buffer, dequant4_coeff);\n\n for (i = 0; i < 6; i++)\n h->dequant4_coeff[i] = h->dequant4_buffer[0] +\n (h1->dequant4_coeff[i] - h1->dequant4_buffer[0]);\n\n for (i = 0; i < 6; i++)\n h->dequant8_coeff[i] = h->dequant8_buffer[0] +\n (h1->dequant8_coeff[i] - h1->dequant8_buffer[0]);\n\n h->dequant_coeff_pps = h1->dequant_coeff_pps;\n\n // POC timing\n copy_fields(h, h1, poc_lsb, redundant_pic_count);\n\n // reference lists\n copy_fields(h, h1, short_ref, cabac_init_idc);\n\n copy_picture_range(h->short_ref, h1->short_ref, 32, h, h1);\n copy_picture_range(h->long_ref, h1->long_ref, 32, h, h1);\n copy_picture_range(h->delayed_pic, 
h1->delayed_pic,\n MAX_DELAYED_PIC_COUNT + 2, h, h1);\n\n h->frame_recovered = h1->frame_recovered;\n\n if (context_reinitialized)\n h264_set_parameter_from_sps(h);\n\n if (!h->cur_pic_ptr)\n return 0;\n\n if (!h->droppable) {\n err = ff_h264_execute_ref_pic_marking(h, h->mmco, h->mmco_index);\n h->prev_poc_msb = h->poc_msb;\n h->prev_poc_lsb = h->poc_lsb;\n }\n h->prev_frame_num_offset = h->frame_num_offset;\n h->prev_frame_num = h->frame_num;\n h->outputed_poc = h->next_outputed_poc;\n\n h->recovery_frame = h1->recovery_frame;\n\n return err;\n}", "project": "FFmpeg", "hash": 267418963411356349516153748481198447291, "size": 215, "commit_id": "8a3b85f3a7952c54a2c36ba1797f7e0cde9f85aa", "message": "avcodec/h264: update current_sps & sps->new only after the whole slice header decoder and init code finished\n\nThis avoids them being cleared before the full initialization finished\n\nFixes out of array read\nFixes: asan_heap-oob_f0c5e6_7071_cov_1605985132_mov_h264_aac__Demo_FlagOfOurFathers.mov\nFound-by: Mateusz \"j00ru\" Jurczyk and Gynvael Coldwind\nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 270130 }, { "func": "static apr_byte_t oidc_session_pass_tokens_and_save(request_rec *r,\n\t\toidc_cfg *cfg, oidc_session_t *session, apr_byte_t needs_save) {\n\n\tapr_byte_t pass_headers = oidc_cfg_dir_pass_info_in_headers(r);\n\tapr_byte_t pass_envvars = oidc_cfg_dir_pass_info_in_envvars(r);\n\n\t/* set the refresh_token in the app headers/variables, if enabled for this location/directory */\n\tconst char *refresh_token = oidc_session_get_refresh_token(r, session);\n\tif ((oidc_cfg_dir_pass_refresh_token(r) != 0) && (refresh_token != NULL)) {\n\t\t/* pass it to the app in a header or environment variable */\n\t\toidc_util_set_app_info(r, OIDC_APP_INFO_REFRESH_TOKEN, refresh_token,\n\t\t\t\tOIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars);\n\t}\n\n\t/* set the access_token in the app headers/variables */\n\tconst char *access_token = 
oidc_session_get_access_token(r, session);\n\tif (access_token != NULL) {\n\t\t/* pass it to the app in a header or environment variable */\n\t\toidc_util_set_app_info(r, OIDC_APP_INFO_ACCESS_TOKEN, access_token,\n\t\t\t\tOIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars);\n\t}\n\n\t/* set the expiry timestamp in the app headers/variables */\n\tconst char *access_token_expires = oidc_session_get_access_token_expires(r,\n\t\t\tsession);\n\tif (access_token_expires != NULL) {\n\t\t/* pass it to the app in a header or environment variable */\n\t\toidc_util_set_app_info(r, OIDC_APP_INFO_ACCESS_TOKEN_EXP,\n\t\t\t\taccess_token_expires,\n\t\t\t\tOIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars);\n\t}\n\n\t/*\n\t * reset the session inactivity timer\n\t * but only do this once per 10% of the inactivity timeout interval (with a max to 60 seconds)\n\t * for performance reasons\n\t *\n\t * now there's a small chance that the session ends 10% (or a minute) earlier than configured/expected\n\t * cq. 
when there's a request after a recent save (so no update) and then no activity happens until\n\t * a request comes in just before the session should expire\n\t * (\"recent\" and \"just before\" refer to 10%-with-a-max-of-60-seconds of the inactivity interval after\n\t * the start/last-update and before the expiry of the session respectively)\n\t *\n\t * this is be deemed acceptable here because of performance gain\n\t */\n\tapr_time_t interval = apr_time_from_sec(cfg->session_inactivity_timeout);\n\tapr_time_t now = apr_time_now();\n\tapr_time_t slack = interval / 10;\n\tif (slack > apr_time_from_sec(60))\n\t\tslack = apr_time_from_sec(60);\n\tif (session->expiry - now < interval - slack) {\n\t\tsession->expiry = now + interval;\n\t\tneeds_save = TRUE;\n\t}\n\n\t/* log message about session expiry */\n\toidc_log_session_expires(r, \"session inactivity timeout\", session->expiry);\n\n\t/* check if something was updated in the session and we need to save it again */\n\tif (needs_save)\n\t\tif (oidc_session_save(r, session, FALSE) == FALSE)\n\t\t\treturn FALSE;\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 44803852567580316671369334548349342841, "size": 65, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447689 }, { "func": "static void SFDGetMinimumDistances(FILE *sfd, SplineChar *sc) {\n SplineSet *ss;\n SplinePoint *sp;\n int pt,i, val, err;\n int ch;\n SplinePoint **mapping=NULL;\n MinimumDistance *last, *md, *mdhead=NULL;\n\n for ( i=0; i<2; ++i ) {\n\tpt = 0;\n\tfor ( ss = sc->layers[ly_fore].splines; ss!=NULL; ss=ss->next ) {\n\t for ( sp=ss->first; ; ) {\n\t\tif ( mapping!=NULL ) mapping[pt] = sp;\n\t\tpt++;\n\t\tif ( sp->next == NULL )\n\t break;\n\t\tsp = sp->next->to;\n\t\tif ( sp==ss->first )\n\t break;\n\t }\n\t}\n\tif ( mapping==NULL )\n\t mapping = calloc(pt,sizeof(SplinePoint *));\n }\n\n last = NULL;\n for ( ch=nlgetc(sfd); 
ch!=EOF && ch!='\\n'; ch=nlgetc(sfd)) {\n\terr = false;\n\twhile ( isspace(ch) && ch!='\\n' ) ch=nlgetc(sfd);\n\tif ( ch=='\\n' )\n break;\n\tmd = chunkalloc(sizeof(MinimumDistance));\n\tif ( ch=='x' ) md->x = true;\n\tgetint(sfd,&val);\n\tif ( val<-1 || val>=pt ) {\n\t IError( \"Minimum Distance specifies bad point (%d) in sfd file\\n\", val );\n\t err = true;\n\t} else if ( val!=-1 ) {\n\t md->sp1 = mapping[val];\n\t md->sp1->dontinterpolate = true;\n\t}\n\tch = nlgetc(sfd);\n\tif ( ch!=',' ) {\n\t IError( \"Minimum Distance lacks a comma where expected\\n\" );\n\t err = true;\n\t}\n\tgetint(sfd,&val);\n\tif ( val<-1 || val>=pt ) {\n\t IError( \"Minimum Distance specifies bad point (%d) in sfd file\\n\", val );\n\t err = true;\n\t} else if ( val!=-1 ) {\n\t md->sp2 = mapping[val];\n\t md->sp2->dontinterpolate = true;\n\t}\n\tif ( !err ) {\n\t if ( last!=NULL )\n\t\tlast->next = md;\n\t last = md;\n\t} else\n\t chunkfree(md,sizeof(MinimumDistance));\n }\n free(mapping);\n\n /* Obsolete concept */\n MinimumDistancesFree(mdhead);\n}", "project": "fontforge", "hash": 318683366051425207468634117097130211557, "size": 66, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417805 }, { "func": " virtual Item* compile(THD *thd, Item_analyzer analyzer, uchar **arg_p,\n Item_transformer transformer, uchar *arg_t)\n {\n if ((this->*analyzer) (arg_p))\n return ((this->*transformer) (thd, arg_t));\n return 0;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 
143665835922037935301575834059862898263, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509450 }, { "func": "static void ACDisassociateLigatures(SplineFont1 *sf,AnchorClass1 *ac) {\n int gid,k;\n SplineFont1 *subsf;\n SplineChar *sc;\n AnchorPoint *ap, *lap;\n AnchorClass1 *lac;\n char *format;\n\n lac = chunkalloc(sizeof(AnchorClass1));\n *lac = *ac;\n lac->ac.type = act_mklg;\n ac->ac.next = (AnchorClass *) lac;\n\n /* GT: Need to split some AnchorClasses into two classes, one for normal */\n /* GT: base letters, and one for ligatures. So create a new AnchorClass */\n /* GT: name for the ligature version */\n format = _(\"Ligature %s\");\n lac->ac.name = malloc(strlen(ac->ac.name)+strlen(format)+1);\n sprintf( lac->ac.name, format, ac->ac.name );\n\n k=0;\n do {\n\tsubsf = sf->sf.subfontcnt==0 ? 
sf : (SplineFont1 *) (sf->sf.subfonts[k]);\n\tfor ( gid=0; gidsf.glyphcnt; ++gid ) if ( (sc=subsf->sf.glyphs[gid])!=NULL ) {\n\t for ( ap=sc->anchor; ap!=NULL; ap=ap->next ) {\n\t\tif ( ap->anchor!=(AnchorClass *) ac )\n\t continue;\n\t\tif ( ap->type==at_mark ) {\n\t\t lap = chunkalloc(sizeof(AnchorPoint));\n\t\t *lap = *ap;\n\t\t ap->next = lap;\n\t\t lap->anchor = (AnchorClass *) lac;\n\t\t} else if ( ap->type==at_baselig ) {\n\t\t ap->anchor = (AnchorClass *) lac;\n\t\t}\n\t }\n\t}\n\t++k;\n } while ( ksf.subfontcnt );\n}", "project": "fontforge", "hash": 41594084219285145760816615563260260910, "size": 40, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417881 }, { "func": "static OPJ_UINT32 opj_j2k_get_max_poc_size(opj_j2k_t *p_j2k)\n{\n opj_tcp_t * l_tcp = 00;\n OPJ_UINT32 l_nb_tiles = 0;\n OPJ_UINT32 l_max_poc = 0;\n OPJ_UINT32 i;\n\n l_tcp = p_j2k->m_cp.tcps;\n l_nb_tiles = p_j2k->m_cp.th * p_j2k->m_cp.tw;\n\n for (i = 0; i < l_nb_tiles; ++i) {\n l_max_poc = opj_uint_max(l_max_poc, l_tcp->numpocs);\n ++l_tcp;\n }\n\n ++l_max_poc;\n\n return 4 + 9 * l_max_poc;\n}", "project": "openjpeg", "hash": 57865666689012638761551868899517009747, "size": 19, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357356 }, { "func": "static bool checkreturn read_raw_value(pb_istream_t *stream, pb_wire_type_t wire_type, pb_byte_t *buf, size_t *size)\n{\n size_t max_size = *size;\n switch 
(wire_type)\n {\n case PB_WT_VARINT:\n *size = 0;\n do\n {\n (*size)++;\n if (*size > max_size) return false;\n if (!pb_read(stream, buf, 1)) return false;\n } while (*buf++ & 0x80);\n return true;\n \n case PB_WT_64BIT:\n *size = 8;\n return pb_read(stream, buf, 8);\n \n case PB_WT_32BIT:\n *size = 4;\n return pb_read(stream, buf, 4);\n \n case PB_WT_STRING:\n /* Calling read_raw_value with a PB_WT_STRING is an error.\n * Explicitly handle this case and fallthrough to default to avoid\n * compiler warnings.\n */\n\n default: PB_RETURN_ERROR(stream, \"invalid wire_type\");\n }\n}", "project": "nanopb", "hash": 183628988150363065212084392339449875175, "size": 32, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252514 }, { "func": "static bool checkreturn read_raw_value(pb_istream_t *stream, pb_wire_type_t wire_type, uint8_t *buf, size_t *size)\n{\n size_t max_size = *size;\n switch (wire_type)\n {\n case PB_WT_VARINT:\n *size = 0;\n do\n {\n (*size)++;\n if (*size > max_size) return false;\n if (!pb_read(stream, buf, 1)) return false;\n } while (*buf++ & 0x80);\n return true;\n \n case PB_WT_64BIT:\n *size = 8;\n return pb_read(stream, buf, 8);\n \n case PB_WT_32BIT:\n *size = 4;\n return pb_read(stream, buf, 4);\n \n default: PB_RETURN_ERROR(stream, \"invalid wire_type\");\n }\n}", "project": "nanopb", "hash": 259312712356420596929529837212356938167, "size": 26, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255350 }, { "func": "static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,\n\t\t\t const struct nlattr * const nla[])\n{\n\tconst struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);\n\tstruct netlink_ext_ack *extack = info->extack;\n\tu8 genmask = nft_genmask_cur(info->net);\n\tint family = 
nfmsg->nfgen_family;\n\tconst struct nft_table *table;\n\tstruct net *net = info->net;\n\tstruct nft_object *obj;\n\tstruct sk_buff *skb2;\n\tbool reset = false;\n\tu32 objtype;\n\tint err;\n\n\tif (info->nlh->nlmsg_flags & NLM_F_DUMP) {\n\t\tstruct netlink_dump_control c = {\n\t\t\t.start = nf_tables_dump_obj_start,\n\t\t\t.dump = nf_tables_dump_obj,\n\t\t\t.done = nf_tables_dump_obj_done,\n\t\t\t.module = THIS_MODULE,\n\t\t\t.data = (void *)nla,\n\t\t};\n\n\t\treturn nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);\n\t}\n\n\tif (!nla[NFTA_OBJ_NAME] ||\n\t !nla[NFTA_OBJ_TYPE])\n\t\treturn -EINVAL;\n\n\ttable = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);\n\tif (IS_ERR(table)) {\n\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);\n\t\treturn PTR_ERR(table);\n\t}\n\n\tobjtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));\n\tobj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);\n\tif (IS_ERR(obj)) {\n\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);\n\t\treturn PTR_ERR(obj);\n\t}\n\n\tskb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);\n\tif (!skb2)\n\t\treturn -ENOMEM;\n\n\tif (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)\n\t\treset = true;\n\n\tif (reset) {\n\t\tconst struct nftables_pernet *nft_net;\n\t\tchar *buf;\n\n\t\tnft_net = nft_pernet(net);\n\t\tbuf = kasprintf(GFP_ATOMIC, \"%s:%u\", table->name, nft_net->base_seq);\n\n\t\taudit_log_nfcfg(buf,\n\t\t\t\tfamily,\n\t\t\t\tobj->handle,\n\t\t\t\tAUDIT_NFT_OP_OBJ_RESET,\n\t\t\t\tGFP_ATOMIC);\n\t\tkfree(buf);\n\t}\n\n\terr = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,\n\t\t\t\t info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,\n\t\t\t\t family, table, obj, reset);\n\tif (err < 0)\n\t\tgoto err_fill_obj_info;\n\n\treturn nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);\n\nerr_fill_obj_info:\n\tkfree_skb(skb2);\n\treturn err;\n}", "project": "linux", "hash": 220696158702754236115105330878426383661, "size": 78, "commit_id": 
"ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328368 }, { "func": "static int sctp_sendmsg_parse(struct sock *sk, struct sctp_cmsgs *cmsgs,\n\t\t\t struct sctp_sndrcvinfo *srinfo,\n\t\t\t const struct msghdr *msg, size_t msg_len)\n{\n\t__u16 sflags;\n\tint err;\n\n\tif (sctp_sstate(sk, LISTENING) && sctp_style(sk, TCP))\n\t\treturn -EPIPE;\n\n\tif (msg_len > sk->sk_sndbuf)\n\t\treturn -EMSGSIZE;\n\n\tmemset(cmsgs, 0, sizeof(*cmsgs));\n\terr = sctp_msghdr_parse(msg, cmsgs);\n\tif (err) {\n\t\tpr_debug(\"%s: msghdr parse err:%x\\n\", __func__, err);\n\t\treturn err;\n\t}\n\n\tmemset(srinfo, 0, sizeof(*srinfo));\n\tif (cmsgs->srinfo) {\n\t\tsrinfo->sinfo_stream = cmsgs->srinfo->sinfo_stream;\n\t\tsrinfo->sinfo_flags = 
cmsgs->srinfo->sinfo_flags;\n\t\tsrinfo->sinfo_ppid = cmsgs->srinfo->sinfo_ppid;\n\t\tsrinfo->sinfo_context = cmsgs->srinfo->sinfo_context;\n\t\tsrinfo->sinfo_assoc_id = cmsgs->srinfo->sinfo_assoc_id;\n\t\tsrinfo->sinfo_timetolive = cmsgs->srinfo->sinfo_timetolive;\n\t}\n\n\tif (cmsgs->sinfo) {\n\t\tsrinfo->sinfo_stream = cmsgs->sinfo->snd_sid;\n\t\tsrinfo->sinfo_flags = cmsgs->sinfo->snd_flags;\n\t\tsrinfo->sinfo_ppid = cmsgs->sinfo->snd_ppid;\n\t\tsrinfo->sinfo_context = cmsgs->sinfo->snd_context;\n\t\tsrinfo->sinfo_assoc_id = cmsgs->sinfo->snd_assoc_id;\n\t}\n\n\tif (cmsgs->prinfo) {\n\t\tsrinfo->sinfo_timetolive = cmsgs->prinfo->pr_value;\n\t\tSCTP_PR_SET_POLICY(srinfo->sinfo_flags,\n\t\t\t\t cmsgs->prinfo->pr_policy);\n\t}\n\n\tsflags = srinfo->sinfo_flags;\n\tif (!sflags && msg_len)\n\t\treturn 0;\n\n\tif (sctp_style(sk, TCP) && (sflags & (SCTP_EOF | SCTP_ABORT)))\n\t\treturn -EINVAL;\n\n\tif (((sflags & SCTP_EOF) && msg_len > 0) ||\n\t (!(sflags & (SCTP_EOF | SCTP_ABORT)) && msg_len == 0))\n\t\treturn -EINVAL;\n\n\tif ((sflags & SCTP_ADDR_OVER) && !msg->msg_name)\n\t\treturn -EINVAL;\n\n\treturn 0;\n}", "project": "linux", "hash": 173748895838280491147812434135777753215, "size": 60, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398205 }, { "func": "static void __slab_free(struct kmem_cache *s, struct page *page,\n\t\t\tvoid *head, void *tail, int cnt,\n\t\t\tunsigned long addr)\n\n{\n\tvoid *prior;\n\tint was_frozen;\n\tstruct page new;\n\tunsigned long counters;\n\tstruct kmem_cache_node *n = NULL;\n\tunsigned long uninitialized_var(flags);\n\n\tstat(s, FREE_SLOWPATH);\n\n\tif (kmem_cache_debug(s) &&\n\t !free_debug_processing(s, page, head, tail, cnt, addr))\n\t\treturn;\n\n\tdo {\n\t\tif (unlikely(n)) {\n\t\t\tspin_unlock_irqrestore(&n->list_lock, flags);\n\t\t\tn = NULL;\n\t\t}\n\t\tprior = page->freelist;\n\t\tcounters = page->counters;\n\t\tset_freepointer(s, tail, prior);\n\t\tnew.counters = counters;\n\t\twas_frozen = new.frozen;\n\t\tnew.inuse -= cnt;\n\t\tif ((!new.inuse || !prior) && !was_frozen) {\n\n\t\t\tif (kmem_cache_has_cpu_partial(s) && !prior) {\n\n\t\t\t\t/*\n\t\t\t\t * Slab was on no list before and will be\n\t\t\t\t * partially empty\n\t\t\t\t * We can defer the list move and instead\n\t\t\t\t * freeze it.\n\t\t\t\t */\n\t\t\t\tnew.frozen = 1;\n\n\t\t\t} else { /* Needs to be taken off a list */\n\n\t\t\t\tn = get_node(s, page_to_nid(page));\n\t\t\t\t/*\n\t\t\t\t * Speculatively acquire the list_lock.\n\t\t\t\t * If the cmpxchg does not succeed then we may\n\t\t\t\t * drop the list_lock without any processing.\n\t\t\t\t *\n\t\t\t\t * Otherwise the list_lock will synchronize with\n\t\t\t\t * other processors updating the list of 
slabs.\n\t\t\t\t */\n\t\t\t\tspin_lock_irqsave(&n->list_lock, flags);\n\n\t\t\t}\n\t\t}\n\n\t} while (!cmpxchg_double_slab(s, page,\n\t\tprior, counters,\n\t\thead, new.counters,\n\t\t\"__slab_free\"));\n\n\tif (likely(!n)) {\n\n\t\t/*\n\t\t * If we just froze the page then put it onto the\n\t\t * per cpu partial list.\n\t\t */\n\t\tif (new.frozen && !was_frozen) {\n\t\t\tput_cpu_partial(s, page, 1);\n\t\t\tstat(s, CPU_PARTIAL_FREE);\n\t\t}\n\t\t/*\n\t\t * The list lock was not taken therefore no list\n\t\t * activity can be necessary.\n\t\t */\n\t\tif (was_frozen)\n\t\t\tstat(s, FREE_FROZEN);\n\t\treturn;\n\t}\n\n\tif (unlikely(!new.inuse && n->nr_partial >= s->min_partial))\n\t\tgoto slab_empty;\n\n\t/*\n\t * Objects left in the slab. If it was not on the partial list before\n\t * then add it.\n\t */\n\tif (!kmem_cache_has_cpu_partial(s) && unlikely(!prior)) {\n\t\tremove_full(s, n, page);\n\t\tadd_partial(n, page, DEACTIVATE_TO_TAIL);\n\t\tstat(s, FREE_ADD_PARTIAL);\n\t}\n\tspin_unlock_irqrestore(&n->list_lock, flags);\n\treturn;\n\nslab_empty:\n\tif (prior) {\n\t\t/*\n\t\t * Slab on the partial list.\n\t\t */\n\t\tremove_partial(n, page);\n\t\tstat(s, FREE_REMOVE_PARTIAL);\n\t} else {\n\t\t/* Slab must be on the full list */\n\t\tremove_full(s, n, page);\n\t}\n\n\tspin_unlock_irqrestore(&n->list_lock, flags);\n\tstat(s, FREE_SLAB);\n\tdiscard_slab(s, page);\n}", "project": "linux", "hash": 139683591868149209501463131661701799210, "size": 112, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280210 }, { "func": "bool JOIN_TAB::keyuse_is_valid_for_access_in_chosen_plan(JOIN *join,\n KEYUSE *keyuse)\n{\n if (!access_from_tables_is_allowed(keyuse->used_tables, \n join->sjm_lookup_tables))\n return false;\n if (join->sjm_scan_tables & table->map)\n return true;\n table_map keyuse_sjm_scan_tables= keyuse->used_tables &\n join->sjm_scan_tables;\n if (!keyuse_sjm_scan_tables)\n return true;\n uint sjm_tab_nr= 0;\n while (!(keyuse_sjm_scan_tables & table_map(1) << sjm_tab_nr))\n sjm_tab_nr++;\n JOIN_TAB *sjm_tab= join->map2table[sjm_tab_nr];\n TABLE_LIST *emb_sj_nest= sjm_tab->emb_sj_nest; \n if (!(emb_sj_nest->sj_mat_info && emb_sj_nest->sj_mat_info->is_used &&\n emb_sj_nest->sj_mat_info->is_sj_scan))\n return true;\n st_select_lex *sjm_sel= emb_sj_nest->sj_subq_pred->unit->first_select(); \n for (uint i= 0; i < sjm_sel->item_list.elements; i++)\n {\n DBUG_ASSERT(sjm_sel->ref_pointer_array[i]->real_item()->type() == Item::FIELD_ITEM);\n if (keyuse->val->real_item()->type() == Item::FIELD_ITEM)\n {\n Field *field = ((Item_field*)sjm_sel->ref_pointer_array[i]->real_item())->field;\n if (field->eq(((Item_field*)keyuse->val->real_item())->field))\n return true;\n }\n }\n return false; \n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 18438010368443919331198838605218339502, "size": 33, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508481 }, { "func": "static ssize_t objects_partial_show(struct kmem_cache *s, char *buf)\n{\n\treturn show_slab_objects(s, buf, SO_PARTIAL|SO_OBJECTS);\n}", "project": "linux", "hash": 109979943004285325817518712369942572237, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280229 }, { "func": "int set_tracer_flag(struct trace_array *tr, unsigned int mask, int enabled)\n{\n\t/* do nothing if flag is already set */\n\tif (!!(tr->trace_flags & mask) == !!enabled)\n\t\treturn 0;\n\n\t/* Give the tracer a chance to approve the change */\n\tif (tr->current_trace->flag_changed)\n\t\tif (tr->current_trace->flag_changed(tr, mask, !!enabled))\n\t\t\treturn -EINVAL;\n\n\tif (enabled)\n\t\ttr->trace_flags |= mask;\n\telse\n\t\ttr->trace_flags &= ~mask;\n\n\tif (mask == TRACE_ITER_RECORD_CMD)\n\t\ttrace_event_enable_cmd_record(enabled);\n\n\tif (mask == TRACE_ITER_RECORD_TGID) {\n\t\tif (!tgid_map)\n\t\t\ttgid_map = kzalloc((PID_MAX_DEFAULT + 1) * sizeof(*tgid_map),\n\t\t\t\t\t GFP_KERNEL);\n\t\tif (!tgid_map) {\n\t\t\ttr->trace_flags &= ~TRACE_ITER_RECORD_TGID;\n\t\t\treturn -ENOMEM;\n\t\t}\n\n\t\ttrace_event_enable_tgid_record(enabled);\n\t}\n\n\tif (mask == TRACE_ITER_EVENT_FORK)\n\t\ttrace_event_follow_fork(tr, enabled);\n\n\tif (mask == TRACE_ITER_FUNC_FORK)\n\t\tftrace_pid_follow_fork(tr, enabled);\n\n\tif (mask == TRACE_ITER_OVERWRITE) {\n\t\tring_buffer_change_overwrite(tr->trace_buffer.buffer, enabled);\n#ifdef CONFIG_TRACER_MAX_TRACE\n\t\tring_buffer_change_overwrite(tr->max_buffer.buffer, enabled);\n#endif\n\t}\n\n\tif (mask == TRACE_ITER_PRINTK) {\n\t\ttrace_printk_start_stop_comm(enabled);\n\t\ttrace_printk_control(enabled);\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 44054588271864162474393976922418502177, "size": 51, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double 
free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445607 }, { "func": "static inline bool list_add_tail_lockless(struct list_head *new,\n\t\t\t\t\t struct list_head *head)\n{\n\tstruct list_head *prev;\n\n\t/*\n\t * This is simple 'new->next = head' operation, but cmpxchg()\n\t * is used in order to detect that same element has been just\n\t * added to the list from another CPU: the winner observes\n\t * new->next == new.\n\t */\n\tif (cmpxchg(&new->next, new, head) != new)\n\t\treturn false;\n\n\t/*\n\t * Initially ->next of a new element must be updated with the head\n\t * (we are inserting to the tail) and only then pointers are atomically\n\t * exchanged. 
XCHG guarantees memory ordering, thus ->next should be\n\t * updated before pointers are actually swapped and pointers are\n\t * swapped before prev->next is updated.\n\t */\n\n\tprev = xchg(&head->prev, new);\n\n\t/*\n\t * It is safe to modify prev->next and new->prev, because a new element\n\t * is added only to the tail and new->next is updated before XCHG.\n\t */\n\n\tprev->next = new;\n\tnew->prev = prev;\n\n\treturn true;\n}", "project": "linux", "hash": 57307040598659858500625063786217094557, "size": 34, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336255 }, { "func": "UnicodeStringTest::TestUnicodeStringImplementsAppendable() {\n UnicodeString dest;\n UnicodeStringAppendable app(dest);\n doTestAppendable(dest, app);\n}", "project": "icu", "hash": 253095869663762989897228974872167543857, "size": 5, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430792 }, { "func": "static int usb_host_scan_dev(void *opaque, USBScanFunc *func)\n{\n FILE *f = NULL;\n char line[1024];\n char buf[1024];\n int bus_num, addr, speed, device_count, class_id, product_id, vendor_id;\n char product_name[512];\n int ret = 0;\n\n if (!usb_host_device_path) {\n perror(\"husb: USB Host Device Path not set\");\n goto the_end;\n }\n snprintf(line, sizeof(line), \"%s/devices\", usb_host_device_path);\n f = fopen(line, \"r\");\n if (!f) {\n perror(\"husb: cannot open devices file\");\n goto the_end;\n }\n\n device_count = 0;\n bus_num = addr = speed = class_id = product_id = vendor_id = 0;\n for(;;) {\n if (fgets(line, sizeof(line), f) == NULL)\n break;\n if (strlen(line) > 0)\n line[strlen(line) - 1] = '\\0';\n if (line[0] == 'T' && line[1] == ':') {\n if (device_count && (vendor_id || product_id)) {\n /* New device. 
Add the previously discovered device. */\n ret = func(opaque, bus_num, addr, class_id, vendor_id,\n product_id, product_name, speed);\n if (ret)\n goto the_end;\n }\n if (get_tag_value(buf, sizeof(buf), line, \"Bus=\", \" \") < 0)\n goto fail;\n bus_num = atoi(buf);\n if (get_tag_value(buf, sizeof(buf), line, \"Dev#=\", \" \") < 0)\n goto fail;\n addr = atoi(buf);\n if (get_tag_value(buf, sizeof(buf), line, \"Spd=\", \" \") < 0)\n goto fail;\n if (!strcmp(buf, \"480\"))\n speed = USB_SPEED_HIGH;\n else if (!strcmp(buf, \"1.5\"))\n speed = USB_SPEED_LOW;\n else\n speed = USB_SPEED_FULL;\n product_name[0] = '\\0';\n class_id = 0xff;\n device_count++;\n product_id = 0;\n vendor_id = 0;\n } else if (line[0] == 'P' && line[1] == ':') {\n if (get_tag_value(buf, sizeof(buf), line, \"Vendor=\", \" \") < 0)\n goto fail;\n vendor_id = strtoul(buf, NULL, 16);\n if (get_tag_value(buf, sizeof(buf), line, \"ProdID=\", \" \") < 0)\n goto fail;\n product_id = strtoul(buf, NULL, 16);\n } else if (line[0] == 'S' && line[1] == ':') {\n if (get_tag_value(buf, sizeof(buf), line, \"Product=\", \"\") < 0)\n goto fail;\n pstrcpy(product_name, sizeof(product_name), buf);\n } else if (line[0] == 'D' && line[1] == ':') {\n if (get_tag_value(buf, sizeof(buf), line, \"Cls=\", \" (\") < 0)\n goto fail;\n class_id = strtoul(buf, NULL, 16);\n }\n fail: ;\n }\n if (device_count && (vendor_id || product_id)) {\n /* Add the last device. */\n ret = func(opaque, bus_num, addr, class_id, vendor_id,\n product_id, product_name, speed);\n }\n the_end:\n if (f)\n fclose(f);\n return ret;\n}", "project": "qemu", "hash": 141419311059650026918123089373491142577, "size": 82, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346286 }, { "func": "static void nfs4_xdr_enc_access(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\tconst void *data)\n{\n\tconst struct nfs4_accessargs *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_access(xdr, args->access, &hdr);\n\tif (args->bitmask)\n\t\tencode_getfattr(xdr, args->bitmask, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 314567047128962982654192936963875921325, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431273 }, { "func": "\nstatic __poll_t io_poll_parse_events(const struct io_uring_sqe *sqe,\n\t\t\t\t unsigned int flags)\n{\n\tu32 events;\n\n\tevents = READ_ONCE(sqe->poll32_events);\n#ifdef __BIG_ENDIAN\n\tevents = swahw32(events);\n#endif\n\tif 
(!(flags & IORING_POLL_ADD_MULTI))\n\t\tevents |= EPOLLONESHOT;\n\treturn demangle_poll(events) | (events & (EPOLLEXCLUSIVE|EPOLLONESHOT));", "project": "linux", "hash": 23272302890777927312007043794372821351, "size": 13, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338541 }, { "func": "static int fuse_bdi_init(struct fuse_conn *fc, struct super_block *sb)\n{\n\tint err;\n\tchar *suffix = \"\";\n\n\tif (sb->s_bdev) {\n\t\tsuffix = \"-fuseblk\";\n\t\t/*\n\t\t * sb->s_bdi points to blkdev's bdi however we want to redirect\n\t\t * it to our private bdi...\n\t\t */\n\t\tbdi_put(sb->s_bdi);\n\t\tsb->s_bdi = &noop_backing_dev_info;\n\t}\n\terr = super_setup_bdi_name(sb, \"%u:%u%s\", MAJOR(fc->dev),\n\t\t\t\t MINOR(fc->dev), suffix);\n\tif (err)\n\t\treturn err;\n\n\t/* fuse does it's own writeback accounting */\n\tsb->s_bdi->capabilities &= ~BDI_CAP_WRITEBACK_ACCT;\n\tsb->s_bdi->capabilities |= BDI_CAP_STRICTLIMIT;\n\n\t/*\n\t * For a single fuse filesystem use max 1% of dirty +\n\t * writeback threshold.\n\t *\n\t * This gives about 1M of write buffer for memory maps on a\n\t * machine with 1G and 10% dirty_ratio, which should be more\n\t * than enough.\n\t *\n\t * Privileged users can raise it by writing 
to\n\t *\n\t * /sys/class/bdi//max_ratio\n\t */\n\tbdi_set_max_ratio(sb->s_bdi, 1);\n\n\treturn 0;\n}", "project": "linux", "hash": 133507597247080705761769867794554761220, "size": 39, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342044 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " MockVideoCaptureImpl(const media::VideoCaptureSessionId id,\n scoped_refptr ml_proxy,\n VideoCaptureMessageFilter* filter)\n : VideoCaptureImpl(id, ml_proxy, filter) {\n }\n", "cwe": "", "big_vul_idx": 113324, "idx": 101617, "hash": 125346000642211456861211194375170577812 }, { "func": "int LibRaw::ljpeg_start(struct jhead *jh, int info_only)\n{\n ushort c, tag, len;\n int cnt = 0;\n uchar data[0x10000];\n const uchar *dp;\n\n memset(jh, 0, sizeof *jh);\n jh->restart = INT_MAX;\n if ((fgetc(ifp), fgetc(ifp)) != 0xd8)\n return 0;\n do\n {\n if (feof(ifp))\n return 0;\n if (cnt++ > 1024)\n return 0; // 1024 tags limit\n if (!fread(data, 2, 2, ifp))\n return 0;\n tag = data[0] << 8 | data[1];\n len = (data[2] << 8 | data[3]) - 2;\n if (tag <= 
0xff00)\n return 0;\n fread(data, 1, len, ifp);\n switch (tag)\n {\n case 0xffc3: // start of frame; lossless, Huffman\n jh->sraw = ((data[7] >> 4) * (data[7] & 15) - 1) & 3;\n case 0xffc1:\n case 0xffc0:\n jh->algo = tag & 0xff;\n jh->bits = data[0];\n jh->high = data[1] << 8 | data[2];\n jh->wide = data[3] << 8 | data[4];\n jh->clrs = data[5] + jh->sraw;\n if (len == 9 && !dng_version)\n getc(ifp);\n break;\n case 0xffc4: // define Huffman tables\n if (info_only)\n break;\n for (dp = data; dp < data + len && !((c = *dp++) & -20);)\n jh->free[c] = jh->huff[c] = make_decoder_ref(&dp);\n break;\n case 0xffda: // start of scan\n jh->psv = data[1 + data[0] * 2];\n jh->bits -= data[3 + data[0] * 2] & 15;\n break;\n case 0xffdb:\n FORC(64) jh->quant[c] = data[c * 2 + 1] << 8 | data[c * 2 + 2];\n break;\n case 0xffdd:\n jh->restart = data[0] << 8 | data[1];\n }\n } while (tag != 0xffda);\n if (jh->bits > 16 || jh->clrs > 6 || !jh->bits || !jh->high || !jh->wide ||\n !jh->clrs)\n return 0;\n if (info_only)\n return 1;\n if (!jh->huff[0])\n return 0;\n FORC(19) if (!jh->huff[c + 1]) jh->huff[c + 1] = jh->huff[c];\n if (jh->sraw)\n {\n FORC(4) jh->huff[2 + c] = jh->huff[1];\n FORC(jh->sraw) jh->huff[1 + c] = jh->huff[0];\n }\n jh->row = (ushort *)calloc(jh->wide * jh->clrs, 4);\n merror(jh->row, \"ljpeg_start()\");\n return zero_after_ff = 1;\n}", "project": "LibRaw", "hash": 17018590345339261485668035454434752810, "size": 72, "commit_id": "a6937d4046a7c4742b683a04c8564605fd9be4fb", "message": "more room for ljpeg row", "target": 1, "dataset": "other", "idx": 201452 }, { "func": "int LibRaw::ljpeg_start(struct jhead *jh, int info_only)\n{\n ushort c, tag, len;\n int cnt = 0;\n uchar data[0x10000];\n const uchar *dp;\n\n memset(jh, 0, sizeof *jh);\n jh->restart = INT_MAX;\n if ((fgetc(ifp), fgetc(ifp)) != 0xd8)\n return 0;\n do\n {\n if (feof(ifp))\n return 0;\n if (cnt++ > 1024)\n return 0; // 1024 tags limit\n if (!fread(data, 2, 2, ifp))\n return 0;\n tag = data[0] << 8 | 
data[1];\n len = (data[2] << 8 | data[3]) - 2;\n if (tag <= 0xff00)\n return 0;\n fread(data, 1, len, ifp);\n switch (tag)\n {\n case 0xffc3: // start of frame; lossless, Huffman\n jh->sraw = ((data[7] >> 4) * (data[7] & 15) - 1) & 3;\n case 0xffc1:\n case 0xffc0:\n jh->algo = tag & 0xff;\n jh->bits = data[0];\n jh->high = data[1] << 8 | data[2];\n jh->wide = data[3] << 8 | data[4];\n jh->clrs = data[5] + jh->sraw;\n if (len == 9 && !dng_version)\n getc(ifp);\n break;\n case 0xffc4: // define Huffman tables\n if (info_only)\n break;\n for (dp = data; dp < data + len && !((c = *dp++) & -20);)\n jh->free[c] = jh->huff[c] = make_decoder_ref(&dp);\n break;\n case 0xffda: // start of scan\n jh->psv = data[1 + data[0] * 2];\n jh->bits -= data[3 + data[0] * 2] & 15;\n break;\n case 0xffdb:\n FORC(64) jh->quant[c] = data[c * 2 + 1] << 8 | data[c * 2 + 2];\n break;\n case 0xffdd:\n jh->restart = data[0] << 8 | data[1];\n }\n } while (tag != 0xffda);\n if (jh->bits > 16 || jh->clrs > 6 || !jh->bits || !jh->high || !jh->wide ||\n !jh->clrs)\n return 0;\n if (info_only)\n return 1;\n if (!jh->huff[0])\n return 0;\n FORC(19) if (!jh->huff[c + 1]) jh->huff[c + 1] = jh->huff[c];\n if (jh->sraw)\n {\n FORC(4) jh->huff[2 + c] = jh->huff[1];\n FORC(jh->sraw) jh->huff[1 + c] = jh->huff[0];\n }\n jh->row = (ushort *)calloc(jh->wide * jh->clrs, 16);\n merror(jh->row, \"ljpeg_start()\");\n return zero_after_ff = 1;\n}", "project": "LibRaw", "hash": 172933929170343697197974643398947672843, "size": 72, "commit_id": "a6937d4046a7c4742b683a04c8564605fd9be4fb", "message": "more room for ljpeg row", "target": 0, "dataset": "other", "idx": 319453 }, { "func": "void CClient::SetNetwork(CIRCNetwork* pNetwork, bool bDisconnect,\n bool bReconnect) {\n if (m_pNetwork) {\n m_pNetwork->ClientDisconnected(this);\n\n if (bDisconnect) {\n ClearServerDependentCaps();\n // Tell the client they are no longer in these channels.\n const vector& vChans = m_pNetwork->GetChans();\n for (const CChan* pChan : 
vChans) {\n if (!(pChan->IsDetached())) {\n PutClient(\":\" + m_pNetwork->GetIRCNick().GetNickMask() +\n \" PART \" + pChan->GetName());\n }\n }\n }\n } else if (m_pUser) {\n m_pUser->UserDisconnected(this);\n }\n\n m_pNetwork = pNetwork;\n\n if (bReconnect) {\n if (m_pNetwork) {\n m_pNetwork->ClientConnected(this);\n } else if (m_pUser) {\n m_pUser->UserConnected(this);\n }\n }\n}", "project": "znc", "hash": 175700246396014000842029635882898258873, "size": 30, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231576 }, { "func": "CtPtr ProtocolV1::handle_message(char *buffer, int r) {\n ldout(cct, 20) << __func__ << \" r=\" << r << dendl;\n\n if (r < 0) {\n ldout(cct, 1) << __func__ << \" read tag failed\" << dendl;\n return _fault();\n }\n\n char tag = buffer[0];\n ldout(cct, 20) << __func__ << \" process tag \" << (int)tag << dendl;\n\n if (tag == CEPH_MSGR_TAG_KEEPALIVE) {\n ldout(cct, 20) << __func__ << \" got KEEPALIVE\" << dendl;\n connection->set_last_keepalive(ceph_clock_now());\n } else if (tag == CEPH_MSGR_TAG_KEEPALIVE2) {\n return READ(sizeof(ceph_timespec), handle_keepalive2);\n } else if (tag == CEPH_MSGR_TAG_KEEPALIVE2_ACK) {\n return READ(sizeof(ceph_timespec), handle_keepalive2_ack);\n } else if (tag == CEPH_MSGR_TAG_ACK) {\n return READ(sizeof(ceph_le64), handle_tag_ack);\n } else if (tag == CEPH_MSGR_TAG_MSG) {\n recv_stamp = ceph_clock_now();\n ldout(cct, 20) << __func__ << \" begin MSG\" << dendl;\n return READ(sizeof(ceph_msg_header), handle_message_header);\n } else if (tag == CEPH_MSGR_TAG_CLOSE) {\n ldout(cct, 20) << __func__ << \" got CLOSE\" << dendl;\n stop();\n } else {\n ldout(cct, 0) << __func__ << \" bad tag \" << (int)tag << dendl;\n return _fault();\n }\n return nullptr;\n}", "project": "ceph", "hash": 150680688397034268339121175542750652418, "size": 33, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": 
"msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f (\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 0, "dataset": "other", "idx": 356883 }, { "func": "static void io_rw_resubmit(struct callback_head *cb)\n{\n\tstruct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tint err;\n\n\terr = io_sq_thread_acquire_mm(ctx, req);\n\n\tif (io_resubmit_prep(req, err)) {\n\t\trefcount_inc(&req->refs);\n\t\tio_queue_async_work(req);\n\t}\n\n\tpercpu_ref_put(&ctx->refs);\n}", "project": "linux", "hash": 87946252993303382927280600561442239520, "size": 15, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: 
syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456912 }, { "func": "void trace_array_put(struct trace_array *this_tr)\n{\n\tmutex_lock(&trace_types_lock);\n\t__trace_array_put(this_tr);\n\tmutex_unlock(&trace_types_lock);\n}", "project": "linux", "hash": 156218244628463489324364125764025606368, "size": 6, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445572 }, { "func": "UnicodeString::doReplace( int32_t start,\n int32_t length,\n const UnicodeString& src,\n int32_t srcStart,\n int32_t srcLength)\n{\n // pin the indices to legal values\n src.pinIndices(srcStart, srcLength);\n\n // get the characters from src\n // and replace the range in ourselves with them\n return doReplace(start, length, src.getArrayStart(), srcStart, srcLength);\n}", "project": "icu", "hash": 169892533186110249777856811332860495750, "size": 13, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430771 }, { "func": "UnicodeString::doReplace(int32_t start,\n int32_t length,\n const UChar *srcChars,\n int32_t srcStart,\n int32_t srcLength)\n{\n if(!isWritable()) {\n return *this;\n }\n\n 
int32_t oldLength = this->length();\n\n // optimize (read-only alias).remove(0, start) and .remove(start, end)\n if((fUnion.fFields.fLengthAndFlags&kBufferIsReadonly) && srcLength == 0) {\n if(start == 0) {\n // remove prefix by adjusting the array pointer\n pinIndex(length);\n fUnion.fFields.fArray += length;\n fUnion.fFields.fCapacity -= length;\n setLength(oldLength - length);\n return *this;\n } else {\n pinIndex(start);\n if(length >= (oldLength - start)) {\n // remove suffix by reducing the length (like truncate())\n setLength(start);\n fUnion.fFields.fCapacity = start; // not NUL-terminated any more\n return *this;\n }\n }\n }\n\n if(start == oldLength) {\n return doAppend(srcChars, srcStart, srcLength);\n }\n\n if(srcChars == 0) {\n srcLength = 0;\n } else {\n // Perform all remaining operations relative to srcChars + srcStart.\n // From this point forward, do not use srcStart.\n srcChars += srcStart;\n if (srcLength < 0) {\n // get the srcLength if necessary\n srcLength = u_strlen(srcChars);\n }\n }\n\n // pin the indices to legal values\n pinIndices(start, length);\n\n // Calculate the size of the string after the replace.\n // Avoid int32_t overflow.\n int32_t newLength = oldLength - length;\n if(srcLength > (INT32_MAX - newLength)) {\n setToBogus();\n return *this;\n }\n newLength += srcLength;\n\n // Check for insertion into ourself\n const UChar *oldArray = getArrayStart();\n if (isBufferWritable() &&\n oldArray < srcChars + srcLength &&\n srcChars < oldArray + oldLength) {\n // Copy into a new UnicodeString and start over\n UnicodeString copy(srcChars, srcLength);\n if (copy.isBogus()) {\n setToBogus();\n return *this;\n }\n return doReplace(start, length, copy.getArrayStart(), 0, srcLength);\n }\n\n // cloneArrayIfNeeded(doCopyArray=FALSE) may change fArray but will not copy the current contents;\n // therefore we need to keep the current fArray\n UChar oldStackBuffer[US_STACKBUF_SIZE];\n if((fUnion.fFields.fLengthAndFlags&kUsingStackBuffer) && 
(newLength > US_STACKBUF_SIZE)) {\n // copy the stack buffer contents because it will be overwritten with\n // fUnion.fFields values\n u_memcpy(oldStackBuffer, oldArray, oldLength);\n oldArray = oldStackBuffer;\n }\n\n // clone our array and allocate a bigger array if needed\n int32_t *bufferToDelete = 0;\n if(!cloneArrayIfNeeded(newLength, getGrowCapacity(newLength),\n FALSE, &bufferToDelete)\n ) {\n return *this;\n }\n\n // now do the replace\n\n UChar *newArray = getArrayStart();\n if(newArray != oldArray) {\n // if fArray changed, then we need to copy everything except what will change\n us_arrayCopy(oldArray, 0, newArray, 0, start);\n us_arrayCopy(oldArray, start + length,\n newArray, start + srcLength,\n oldLength - (start + length));\n } else if(length != srcLength) {\n // fArray did not change; copy only the portion that isn't changing, leaving a hole\n us_arrayCopy(oldArray, start + length,\n newArray, start + srcLength,\n oldLength - (start + length));\n }\n\n // now fill in the hole with the new string\n us_arrayCopy(srcChars, 0, newArray, start, srcLength);\n\n setLength(newLength);\n\n // delayed delete in case srcChars == fArray when we started, and\n // to keep oldArray alive for the above operations\n if (bufferToDelete) {\n uprv_free(bufferToDelete);\n }\n\n return *this;\n}", "project": "icu", "hash": 73058970282736186473378585954403960787, "size": 121, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430811 }, { "func": "int ecryptfs_read_and_validate_xattr_region(char *page_virt,\n\t\t\t\t\t struct dentry *ecryptfs_dentry)\n{\n\tint rc;\n\n\trc = ecryptfs_read_xattr_region(page_virt, ecryptfs_dentry->d_inode);\n\tif (rc)\n\t\tgoto out;\n\tif (!contains_ecryptfs_marker(page_virt\t+ ECRYPTFS_FILE_SIZE_BYTES)) {\n\t\tprintk(KERN_WARNING \"Valid data found in [%s] xattr, but \"\n\t\t\t\"the marker is invalid\\n\", 
ECRYPTFS_XATTR_NAME);\n\t\trc = -EINVAL;\n\t}\nout:\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 102365503096584461273287446096881256480, "size": 16, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. 
Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490165 }, { "func": "static uint32 gettag(FILE *sfd) {\n int ch, quoted;\n uint32 tag;\n\n while ( (ch=nlgetc(sfd))==' ' );\n if ( (quoted = (ch=='\\'')) ) ch = nlgetc(sfd);\n tag = (ch<<24)|(nlgetc(sfd)<<16);\n tag |= nlgetc(sfd)<<8;\n tag |= nlgetc(sfd);\n if ( quoted ) (void) nlgetc(sfd);\nreturn( tag );\n}", "project": "fontforge", "hash": 100159321116224355811665387982232356676, "size": 12, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417879 }, { "func": "static void increment_offset(int64_t delta)\n{\n if (unlikely(delta == 0))\n return;\n\n location.offset += delta;\n set_curr_offs(location.offset);\n}", "project": "nasm", "hash": 303584892898863935728337807533181334783, "size": 8, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257474 }, { "func": "\nstatic int io_req_prep_async(struct io_kiocb *req)\n{\n\tif (!io_op_defs[req->opcode].needs_async_setup)\n\t\treturn 0;\n\tif (WARN_ON_ONCE(req->async_data))\n\t\treturn -EFAULT;\n\tif (io_alloc_async_data(req))\n\t\treturn -EAGAIN;\n\n\tswitch (req->opcode) {\n\tcase IORING_OP_READV:\n\t\treturn io_rw_prep_async(req, READ);\n\tcase IORING_OP_WRITEV:\n\t\treturn io_rw_prep_async(req, WRITE);\n\tcase 
IORING_OP_SENDMSG:\n\t\treturn io_sendmsg_prep_async(req);\n\tcase IORING_OP_RECVMSG:\n\t\treturn io_recvmsg_prep_async(req);\n\tcase IORING_OP_CONNECT:\n\t\treturn io_connect_prep_async(req);\n\t}\n\tprintk_once(KERN_WARNING \"io_uring: prep_async() bad opcode %d\\n\",\n\t\t req->opcode);\n\treturn -EFAULT;", "project": "linux", "hash": 115169640127270358921391155111326330069, "size": 25, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338706 }, { "func": "void imap_logout_all(void)\n{\n struct Account *np = NULL;\n TAILQ_FOREACH(np, &NeoMutt->accounts, entries)\n {\n if (np->type != MUTT_IMAP)\n continue;\n\n struct ImapAccountData *adata = np->adata;\n if (!adata)\n continue;\n\n struct Connection *conn = adata->conn;\n if (!conn || (conn->fd < 0))\n continue;\n\n mutt_message(_(\"Closing connection to %s...\"), conn->account.host);\n imap_logout(np->adata);\n mutt_clear_error();\n }\n}", "project": "neomutt", "hash": 103418385104580779612693824696398282782, "size": 21, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", 
"idx": 357016 }, { "func": "int __init tty_init(void)\n{\n\ttty_sysctl_init();\n\tcdev_init(&tty_cdev, &tty_fops);\n\tif (cdev_add(&tty_cdev, MKDEV(TTYAUX_MAJOR, 0), 1) ||\n\t register_chrdev_region(MKDEV(TTYAUX_MAJOR, 0), 1, \"/dev/tty\") < 0)\n\t\tpanic(\"Couldn't register /dev/tty driver\\n\");\n\tdevice_create(tty_class, NULL, MKDEV(TTYAUX_MAJOR, 0), NULL, \"tty\");\n\n\tcdev_init(&console_cdev, &console_fops);\n\tif (cdev_add(&console_cdev, MKDEV(TTYAUX_MAJOR, 1), 1) ||\n\t register_chrdev_region(MKDEV(TTYAUX_MAJOR, 1), 1, \"/dev/console\") < 0)\n\t\tpanic(\"Couldn't register /dev/console driver\\n\");\n\tconsdev = device_create_with_groups(tty_class, NULL,\n\t\t\t\t\t MKDEV(TTYAUX_MAJOR, 1), NULL,\n\t\t\t\t\t cons_dev_groups, \"console\");\n\tif (IS_ERR(consdev))\n\t\tconsdev = NULL;\n\n#ifdef CONFIG_VT\n\tvty_init(&console_fops);\n#endif\n\treturn 0;\n}", "project": "linux", "hash": 261902592408328405310486683805405367790, "size": 24, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326036 }, { "func": " explicit operator std::string () const { return toCppString(); }", "project": "hhvm", "hash": 261522136096285215298436370014622362446, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219281 }, { "func": "static void save_cur(struct vc_data *vc)\n{\n\tvc->vc_saved_x\t\t= vc->vc_x;\n\tvc->vc_saved_y\t\t= vc->vc_y;\n\tvc->vc_s_intensity\t= vc->vc_intensity;\n\tvc->vc_s_italic = vc->vc_italic;\n\tvc->vc_s_underline\t= vc->vc_underline;\n\tvc->vc_s_blink\t\t= vc->vc_blink;\n\tvc->vc_s_reverse\t= vc->vc_reverse;\n\tvc->vc_s_charset\t= vc->vc_charset;\n\tvc->vc_s_color\t\t= vc->vc_color;\n\tvc->vc_saved_G0\t\t= vc->vc_G0_charset;\n\tvc->vc_saved_G1\t\t= vc->vc_G1_charset;\n}", "project": "linux", "hash": 61814332898215431990939551997915495162, "size": 14, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). 
This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 
[inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437087 }, { "func": "void WebContents::InspectSharedWorker() {\n if (type_ == Type::REMOTE)\n return;\n\n if (!enable_devtools_)\n return;\n\n for (const auto& agent_host : content::DevToolsAgentHost::GetOrCreateAll()) {\n if (agent_host->GetType() ==\n content::DevToolsAgentHost::kTypeSharedWorker) {\n OpenDevTools(nullptr);\n managed_web_contents()->AttachTo(agent_host);\n break;\n }\n }\n}", "project": "electron", "hash": 288100667870938387908522455003897726443, "size": 16, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269780 }, { "func": "\treturn err;\n}\n\nstatic int iscsi_if_ep_disconnect(struct iscsi_transport *transport,\n\t\t\t\t u64 ep_handle)\n{\n\tstruct iscsi_cls_conn *conn;\n\tstruct iscsi_endpoint *ep;\n\n\tif (!transport->ep_disconnect)\n\t\treturn -EINVAL;\n\n\tep = iscsi_lookup_endpoint(ep_handle);\n\tif (!ep)\n\t\treturn -EINVAL;\n\tconn = ep->conn;\n\tif (conn) {\n\t\tmutex_lock(&conn->ep_mutex);\n\t\tconn->ep = NULL;\n\t\tmutex_unlock(&conn->ep_mutex);\n\t}\n", "project": "linux", "hash": 191127705575968367787759788141570142487, "size": 22, 
"commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379977 }, { "func": "static void update_depend_map_for_order(JOIN *join, ORDER *order)\n{\n for (; order ; order=order->next)\n {\n table_map depend_map;\n order->item[0]->update_used_tables();\n order->depend_map=depend_map=order->item[0]->used_tables();\n order->used= 0;\n // Not item_sum(), RAND() and no reference to table outside of sub select\n if (!(order->depend_map & (OUTER_REF_TABLE_BIT | RAND_TABLE_BIT))\n && !order->item[0]->with_sum_func &&\n join->join_tab)\n {\n for (JOIN_TAB **tab=join->map2table;\n\t depend_map ;\n\t tab++, depend_map>>=1)\n {\n\tif (depend_map & 1)\n\t order->depend_map|=(*tab)->ref.depend_map;\n }\n }\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 331002733725731781873471726093120034279, "size": 23, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508666 }, { "func": "void kmem_cache_free_bulk(struct kmem_cache *s, size_t size, void **p)\n{\n\tif (WARN_ON(!size))\n\t\treturn;\n\n\tdo {\n\t\tstruct detached_freelist df;\n\n\t\tsize = build_detached_freelist(s, size, p, &df);\n\t\tif (!df.page)\n\t\t\tcontinue;\n\n\t\tslab_free(df.s, df.page, df.freelist, df.tail, df.cnt,_RET_IP_);\n\t} while (likely(size));\n}", "project": "linux", "hash": 42284285052745927915330309472750778381, "size": 15, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280106 }, { "func": "static int sctp_getsockopt_scheduler(struct sock *sk, int len,\n\t\t\t\t char __user *optval,\n\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_assoc_value params;\n\tstruct sctp_association *asoc;\n\tint retval = -EFAULT;\n\n\tif (len < sizeof(params)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tlen = sizeof(params);\n\tif (copy_from_user(¶ms, optval, len))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params.assoc_id);\n\tif (!asoc && params.assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tparams.assoc_value = asoc ? sctp_sched_get_sched(asoc)\n\t\t\t\t : sctp_sk(sk)->default_ss;\n\n\tif (put_user(len, optlen))\n\t\tgoto out;\n\n\tif (copy_to_user(optval, ¶ms, len))\n\t\tgoto out;\n\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 47430097474668175050953199974316471600, "size": 38, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398142 }, { "func": "void vm_area_free(struct vm_area_struct *vma)\n{\n\tkmem_cache_free(vm_area_cachep, vma);\n}", "project": "linux", "hash": 131865217302318664394742524387709453047, "size": 4, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293650 }, { "func": "uint32_t enc_untrusted_ql_set_quote_config(const sgx_ql_config_t *config) {\n uint32_t result;\n CHECK_OCALL(ocall_enc_untrusted_ql_set_quote_config(\n &result, config, config->cert_data_size, config->p_cert_data));\n return result;\n}", "project": "asylo", "hash": 291659534409018754976444829109979172532, "size": 6, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232072 }, { "func": "bool checkreturn pb_decode(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)\n{\n bool status;\n 
pb_message_set_to_defaults(fields, dest_struct);\n status = pb_decode_noinit(stream, fields, dest_struct);\n \n#ifdef PB_ENABLE_MALLOC\n if (!status)\n pb_release(fields, dest_struct);\n#endif\n \n return status;\n}", "project": "nanopb", "hash": 271465172588370208707423768105628772965, "size": 13, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252495 }, { "func": "int JOIN_TAB::make_scan_filter()\n{\n COND *tmp;\n DBUG_ENTER(\"make_scan_filter\");\n\n Item *cond= is_inner_table_of_outer_join() ?\n *get_first_inner_table()->on_expr_ref : join->conds;\n \n if (cond &&\n (tmp= make_cond_for_table(join->thd, cond,\n join->const_table_map | table->map,\n\t\t\t table->map, -1, FALSE, TRUE)))\n {\n DBUG_EXECUTE(\"where\",print_where(tmp,\"cache\", QT_ORDINARY););\n if (!(cache_select=\n (SQL_SELECT*) join->thd->memdup((uchar*) select, sizeof(SQL_SELECT))))\n\tDBUG_RETURN(1);\n cache_select->cond= tmp;\n cache_select->read_tables=join->const_table_map;\n }\n DBUG_RETURN(0);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 286044564538534994425657918720343037185, "size": 22, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508585 }, { "func": "static bool fuse_use_readdirplus(struct inode *dir, struct dir_context *ctx)\n{\n\tstruct fuse_conn *fc = get_fuse_conn(dir);\n\tstruct fuse_inode *fi = get_fuse_inode(dir);\n\n\tif (!fc->do_readdirplus)\n\t\treturn false;\n\tif (!fc->readdirplus_auto)\n\t\treturn true;\n\tif (test_and_clear_bit(FUSE_I_ADVISE_RDPLUS, &fi->state))\n\t\treturn true;\n\tif (ctx->pos == 0)\n\t\treturn true;\n\treturn false;\n}", "project": "linux", "hash": 90909064055024887561294762451070518539, "size": 15, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342075 }, { "func": "static inline void encode_claim_delegate_cur_fh(struct xdr_stream *xdr, const nfs4_stateid *stateid)\n{\n\t__be32 *p;\n\n\tp = reserve_space(xdr, 4);\n\t*p = cpu_to_be32(NFS4_OPEN_CLAIM_DELEG_CUR_FH);\n\tencode_nfs4_stateid(xdr, stateid);\n}", "project": "linux", "hash": 232319661163550401416907149439908994644, "size": 8, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431476 }, { "func": "static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,\n\t\tint closing, int tx_ring)\n{\n\tstruct pgv *pg_vec = NULL;\n\tstruct packet_sock *po = pkt_sk(sk);\n\tunsigned long *rx_owner_map = NULL;\n\tint was_running, order = 0;\n\tstruct packet_ring_buffer *rb;\n\tstruct sk_buff_head *rb_queue;\n\t__be16 num;\n\tint err;\n\t/* Added to avoid minimal code churn */\n\tstruct tpacket_req *req = &req_u->req;\n\n\trb = tx_ring ? &po->tx_ring : &po->rx_ring;\n\trb_queue = tx_ring ? 
&sk->sk_write_queue : &sk->sk_receive_queue;\n\n\terr = -EBUSY;\n\tif (!closing) {\n\t\tif (atomic_read(&po->mapped))\n\t\t\tgoto out;\n\t\tif (packet_read_pending(rb))\n\t\t\tgoto out;\n\t}\n\n\tif (req->tp_block_nr) {\n\t\tunsigned int min_frame_size;\n\n\t\t/* Sanity tests and some calculations */\n\t\terr = -EBUSY;\n\t\tif (unlikely(rb->pg_vec))\n\t\t\tgoto out;\n\n\t\tswitch (po->tp_version) {\n\t\tcase TPACKET_V1:\n\t\t\tpo->tp_hdrlen = TPACKET_HDRLEN;\n\t\t\tbreak;\n\t\tcase TPACKET_V2:\n\t\t\tpo->tp_hdrlen = TPACKET2_HDRLEN;\n\t\t\tbreak;\n\t\tcase TPACKET_V3:\n\t\t\tpo->tp_hdrlen = TPACKET3_HDRLEN;\n\t\t\tbreak;\n\t\t}\n\n\t\terr = -EINVAL;\n\t\tif (unlikely((int)req->tp_block_size <= 0))\n\t\t\tgoto out;\n\t\tif (unlikely(!PAGE_ALIGNED(req->tp_block_size)))\n\t\t\tgoto out;\n\t\tmin_frame_size = po->tp_hdrlen + po->tp_reserve;\n\t\tif (po->tp_version >= TPACKET_V3 &&\n\t\t req->tp_block_size <\n\t\t BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + min_frame_size)\n\t\t\tgoto out;\n\t\tif (unlikely(req->tp_frame_size < min_frame_size))\n\t\t\tgoto out;\n\t\tif (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))\n\t\t\tgoto out;\n\n\t\trb->frames_per_block = req->tp_block_size / req->tp_frame_size;\n\t\tif (unlikely(rb->frames_per_block == 0))\n\t\t\tgoto out;\n\t\tif (unlikely(rb->frames_per_block > UINT_MAX / req->tp_block_nr))\n\t\t\tgoto out;\n\t\tif (unlikely((rb->frames_per_block * req->tp_block_nr) !=\n\t\t\t\t\treq->tp_frame_nr))\n\t\t\tgoto out;\n\n\t\terr = -ENOMEM;\n\t\torder = get_order(req->tp_block_size);\n\t\tpg_vec = alloc_pg_vec(req, order);\n\t\tif (unlikely(!pg_vec))\n\t\t\tgoto out;\n\t\tswitch (po->tp_version) {\n\t\tcase TPACKET_V3:\n\t\t\t/* Block transmit is not supported yet */\n\t\t\tif (!tx_ring) {\n\t\t\t\tinit_prb_bdqc(po, rb, pg_vec, req_u);\n\t\t\t} else {\n\t\t\t\tstruct tpacket_req3 *req3 = &req_u->req3;\n\n\t\t\t\tif (req3->tp_retire_blk_tov ||\n\t\t\t\t req3->tp_sizeof_priv ||\n\t\t\t\t req3->tp_feature_req_word) 
{\n\t\t\t\t\terr = -EINVAL;\n\t\t\t\t\tgoto out_free_pg_vec;\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tif (!tx_ring) {\n\t\t\t\trx_owner_map = bitmap_alloc(req->tp_frame_nr,\n\t\t\t\t\tGFP_KERNEL | __GFP_NOWARN | __GFP_ZERO);\n\t\t\t\tif (!rx_owner_map)\n\t\t\t\t\tgoto out_free_pg_vec;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t}\n\t/* Done */\n\telse {\n\t\terr = -EINVAL;\n\t\tif (unlikely(req->tp_frame_nr))\n\t\t\tgoto out;\n\t}\n\n\n\t/* Detach socket from network */\n\tspin_lock(&po->bind_lock);\n\twas_running = po->running;\n\tnum = po->num;\n\tif (was_running) {\n\t\tpo->num = 0;\n\t\t__unregister_prot_hook(sk, false);\n\t}\n\tspin_unlock(&po->bind_lock);\n\n\tsynchronize_net();\n\n\terr = -EBUSY;\n\tmutex_lock(&po->pg_vec_lock);\n\tif (closing || atomic_read(&po->mapped) == 0) {\n\t\terr = 0;\n\t\tspin_lock_bh(&rb_queue->lock);\n\t\tswap(rb->pg_vec, pg_vec);\n\t\tif (po->tp_version <= TPACKET_V2)\n\t\t\tswap(rb->rx_owner_map, rx_owner_map);\n\t\trb->frame_max = (req->tp_frame_nr - 1);\n\t\trb->head = 0;\n\t\trb->frame_size = req->tp_frame_size;\n\t\tspin_unlock_bh(&rb_queue->lock);\n\n\t\tswap(rb->pg_vec_order, order);\n\t\tswap(rb->pg_vec_len, req->tp_block_nr);\n\n\t\trb->pg_vec_pages = req->tp_block_size/PAGE_SIZE;\n\t\tpo->prot_hook.func = (po->rx_ring.pg_vec) ?\n\t\t\t\t\t\ttpacket_rcv : packet_rcv;\n\t\tskb_queue_purge(rb_queue);\n\t\tif (atomic_read(&po->mapped))\n\t\t\tpr_err(\"packet_mmap: vma is busy: %d\\n\",\n\t\t\t atomic_read(&po->mapped));\n\t}\n\tmutex_unlock(&po->pg_vec_lock);\n\n\tspin_lock(&po->bind_lock);\n\tif (was_running) {\n\t\tpo->num = num;\n\t\tregister_prot_hook(sk);\n\t}\n\tspin_unlock(&po->bind_lock);\n\tif (pg_vec && (po->tp_version > TPACKET_V2)) {\n\t\t/* Because we don't support block-based V3 on tx-ring */\n\t\tif (!tx_ring)\n\t\t\tprb_shutdown_retire_blk_timer(po, rb_queue);\n\t}\n\nout_free_pg_vec:\n\tbitmap_free(rx_owner_map);\n\tif (pg_vec)\n\t\tfree_pg_vec(pg_vec, order, req->tp_block_nr);\nout:\n\treturn err;\n}", 
"project": "linux", "hash": 280136327965089333254430226151107270463, "size": 165, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330419 }, { "func": "UnicodeStringAppendable::appendString(const UChar *s, int32_t length) {\n return str.doAppend(s, 0, length).isWritable();\n}", "project": "icu", "hash": 71373617111696971560417873975661468400, "size": 3, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430848 }, { "project": "Chrome", "commit_id": "de5aa214ea77b3d2c4ff8a0c58f446896c107ce0", "target": 0, "func": "void TranslateManager::InitAcceptLanguages(PrefService* prefs) {\n std::string accept_langs_str = prefs->GetString(prefs::kAcceptLanguages);\n std::vector accept_langs_list;\n LanguageSet accept_langs_set;\n base::SplitString(accept_langs_str, ',', &accept_langs_list);\n std::vector::const_iterator iter;\n std::string ui_lang =\n GetLanguageCode(g_browser_process->GetApplicationLocale());\n bool is_ui_english = StartsWithASCII(ui_lang, \"en-\", false);\n for (iter = accept_langs_list.begin();\n iter != accept_langs_list.end(); ++iter) {\n std::string accept_lang(*iter);\n size_t index = iter->find(\"-\");\n if (index != std::string::npos && *iter != \"zh-CN\" && *iter 
!= \"zh-TW\")\n accept_lang = iter->substr(0, index);\n if (accept_lang != \"en\" || is_ui_english)\n accept_langs_set.insert(accept_lang);\n }\n accept_languages_[prefs] = accept_langs_set;\n}\n", "cwe": "", "big_vul_idx": 108000, "idx": 96966, "hash": 252762081116771165917090639199201650259 }, { "func": "void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream,\n uint16_t* data,\n unsigned data_length) {\n while (data_length != 0) {\n unsigned cursor = 0;\n uint32_t character = Utf8::ValueOf(stream, Utf8::kMaxEncodedSize, &cursor);\n // There's a total lack of bounds checking for stream\n // as it was already done in Reset.\n stream += cursor;\n if (character > unibrow::Utf16::kMaxNonSurrogateCharCode) {\n *data++ = Utf16::LeadSurrogate(character);\n *data++ = Utf16::TrailSurrogate(character);\n DCHECK(data_length > 1);\n data_length -= 2;\n } else {\n *data++ = character;\n data_length -= 1;\n }\n }\n}", "project": "node", "hash": 252347364978872387181975652701666279871, "size": 20, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 1, "dataset": "other", "idx": 206709 }, { "func": "void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream,\n unsigned stream_length,\n uint16_t* data,\n unsigned data_length) {\n while (data_length != 0) {\n unsigned cursor = 0;\n\n uint32_t character = Utf8::ValueOf(stream, stream_length, &cursor);\n // There's a total lack of bounds checking for stream\n // as it was already done in Reset.\n stream += cursor;\n stream_length -= cursor;\n if (character > unibrow::Utf16::kMaxNonSurrogateCharCode) {\n *data++ = Utf16::LeadSurrogate(character);\n *data++ = Utf16::TrailSurrogate(character);\n DCHECK(data_length > 1);\n data_length -= 2;\n } else {\n *data++ = character;\n data_length -= 1;\n }\n }\n DCHECK(stream_length >= 0);\n}", "project": "node", "hash": 
108599142078622494128331469487001444691, "size": 24, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385616 }, { "func": "blosc2_context* blosc2_create_dctx(blosc2_dparams dparams) {\n blosc2_context* context = (blosc2_context*)my_malloc(sizeof(blosc2_context));\n\n /* Populate the context, using zeros as default values */\n memset(context, 0, sizeof(blosc2_context));\n context->do_compress = 0; /* Meant for decompression */\n context->nthreads = dparams.nthreads;\n context->new_nthreads = context->nthreads;\n context->threads_started = 0;\n context->block_maskout = NULL;\n context->block_maskout_nitems = 0;\n context->schunk = dparams.schunk;\n\n return context;\n}", "project": "c-blosc2", "hash": 84943253037483115619919924241988782736, "size": 15, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303093 }, { "func": "static void encode_open_confirm(struct xdr_stream *xdr, const struct nfs_open_confirmargs *arg, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_OPEN_CONFIRM, decode_open_confirm_maxsz, hdr);\n\tencode_nfs4_stateid(xdr, arg->stateid);\n\tencode_nfs4_seqid(xdr, arg->seqid);\n}", "project": "linux", "hash": 70062002834264461104767451918658063523, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 
430987 }, { "func": "static bool kvm_request_needs_ipi(struct kvm_vcpu *vcpu, unsigned req)\n{\n\tint mode = kvm_vcpu_exiting_guest_mode(vcpu);\n\n\t/*\n\t * We need to wait for the VCPU to reenable interrupts and get out of\n\t * READING_SHADOW_PAGE_TABLES mode.\n\t */\n\tif (req & KVM_REQUEST_WAIT)\n\t\treturn mode != OUTSIDE_GUEST_MODE;\n\n\t/*\n\t * Need to kick a running VCPU, but otherwise there is nothing to do.\n\t */\n\treturn mode == IN_GUEST_MODE;\n}", "project": "linux", "hash": 326577756064868100044668410554971246123, "size": 16, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354498 }, { "func": "\nstatic int bfq_var_store(unsigned long *var, const char *page)\n{\n\tunsigned long new_val;\n\tint ret = kstrtoul(page, 10, &new_val);\n\n\tif (ret)\n\t\treturn ret;\n\t*var = new_val;\n\treturn 0;", "project": "linux", "hash": 99568749500965984595126999360848567489, "size": 10, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. 
So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] 
bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 
mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453314 }, { "func": "static void tcp_cong_avoid(struct sock *sk, u32 ack, u32 in_flight)\n{\n\tconst struct inet_connection_sock *icsk = inet_csk(sk);\n\ticsk->icsk_ca_ops->cong_avoid(sk, ack, in_flight);\n\ttcp_sk(sk)->snd_cwnd_stamp = tcp_time_stamp;\n}", "project": "net-next", "hash": 8124318854032583872032162710061493590, "size": 6, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing 
his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409936 }, { "func": "static bool nfs4_sync_lock_stateid(nfs4_stateid *dst,\n\t\tstruct nfs4_lock_state *lsp)\n{\n\tstruct nfs4_state *state = lsp->ls_state;\n\tbool ret;\n\n\tspin_lock(&state->state_lock);\n\tret = !nfs4_stateid_match_other(dst, &lsp->ls_stateid);\n\tnfs4_stateid_copy(dst, &lsp->ls_stateid);\n\tspin_unlock(&state->state_lock);\n\treturn ret;\n}", "project": "linux", "hash": 307406723759483104405860887918845011658, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431390 }, { "func": "static void SFDGetPrivate(FILE *sfd,SplineFont *sf) {\n int i, cnt, len;\n char name[200];\n char *pt, *end;\n\n sf->private = calloc(1,sizeof(struct psdict));\n getint(sfd,&cnt);\n sf->private->next = sf->private->cnt = cnt;\n sf->private->values = calloc(cnt,sizeof(char *));\n sf->private->keys = calloc(cnt,sizeof(char *));\n for ( i=0; iprivate->keys[i] = copy(name);\n\tgetint(sfd,&len);\n\tnlgetc(sfd);\t/* skip space */\n\tpt = sf->private->values[i] = malloc(len+1);\n\tfor ( end = pt+len; ptfontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417810 }, { "func": "static void nfs4_locku_done(struct rpc_task *task, void *data)\n{\n\tstruct nfs4_unlockdata *calldata = 
data;\n\tstruct nfs4_exception exception = {\n\t\t.inode = calldata->lsp->ls_state->inode,\n\t\t.stateid = &calldata->arg.stateid,\n\t};\n\n\tif (!nfs4_sequence_done(task, &calldata->res.seq_res))\n\t\treturn;\n\tswitch (task->tk_status) {\n\t\tcase 0:\n\t\t\trenew_lease(calldata->server, calldata->timestamp);\n\t\t\tlocks_lock_inode_wait(calldata->lsp->ls_state->inode, &calldata->fl);\n\t\t\tif (nfs4_update_lock_stateid(calldata->lsp,\n\t\t\t\t\t&calldata->res.stateid))\n\t\t\t\tbreak;\n\t\t\t/* Fall through */\n\t\tcase -NFS4ERR_ADMIN_REVOKED:\n\t\tcase -NFS4ERR_EXPIRED:\n\t\t\tnfs4_free_revoked_stateid(calldata->server,\n\t\t\t\t\t&calldata->arg.stateid,\n\t\t\t\t\ttask->tk_msg.rpc_cred);\n\t\t\t/* Fall through */\n\t\tcase -NFS4ERR_BAD_STATEID:\n\t\tcase -NFS4ERR_STALE_STATEID:\n\t\t\tif (nfs4_sync_lock_stateid(&calldata->arg.stateid,\n\t\t\t\t\t\tcalldata->lsp))\n\t\t\t\trpc_restart_call_prepare(task);\n\t\t\tbreak;\n\t\tcase -NFS4ERR_OLD_STATEID:\n\t\t\tif (nfs4_refresh_lock_old_stateid(&calldata->arg.stateid,\n\t\t\t\t\t\tcalldata->lsp))\n\t\t\t\trpc_restart_call_prepare(task);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\ttask->tk_status = nfs4_async_handle_exception(task,\n\t\t\t\t\tcalldata->server, task->tk_status,\n\t\t\t\t\t&exception);\n\t\t\tif (exception.retry)\n\t\t\t\trpc_restart_call_prepare(task);\n\t}\n\tnfs_release_seqid(calldata->arg.seqid);\n}", "project": "linux", "hash": 245219019567193293647868119105025540767, "size": 44, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431569 }, { "func": "static void 
__submit_queue_imm(struct intel_engine_cs *engine)\n{\n\tstruct intel_engine_execlists * const execlists = &engine->execlists;\n\n\tif (reset_in_progress(execlists))\n\t\treturn; /* defer until we restart the engine following reset */\n\n\tif (execlists->tasklet.func == execlists_submission_tasklet)\n\t\t__execlists_submission_tasklet(engine);\n\telse\n\t\ttasklet_hi_schedule(&execlists->tasklet);\n}", "project": "linux", "hash": 325010623626758611152867377281211470633, "size": 12, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281526 }, { "func": "static void follow_mount(struct path *path)\n{\n\twhile (d_mountpoint(path->dentry)) {\n\t\tstruct vfsmount *mounted = lookup_mnt(path);\n\t\tif (!mounted)\n\t\t\tbreak;\n\t\tdput(path->dentry);\n\t\tmntput(path->mnt);\n\t\tpath->mnt = mounted;\n\t\tpath->dentry = dget(mounted->mnt_root);\n\t}\n}", "project": "linux", "hash": 255257417760092644067010887503726825400, "size": 12, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to 
dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295389 }, { "func": "static rsRetVal qqueueSetProperty(qqueue_t *pThis, var_t *pProp)\n{\n\tDEFiRet;\n\n\tISOBJ_TYPE_assert(pThis, qqueue);\n\tASSERT(pProp != NULL);\n\n \tif(isProp(\"iQueueSize\")) {\n\t\tpThis->iQueueSize = pProp->val.num;\n \t} else if(isProp(\"tVars.disk.sizeOnDisk\")) {\n\t\tpThis->tVars.disk.sizeOnDisk = pProp->val.num;\n \t} else if(isProp(\"tVars.disk.bytesRead\")) {\n\t\tpThis->tVars.disk.bytesRead = pProp->val.num;\n \t} else if(isProp(\"qType\")) {\n\t\tif(pThis->qType != pProp->val.num)\n\t\t\tABORT_FINALIZE(RS_RET_QTYPE_MISMATCH);\n\t}\n\nfinalize_it:\n\tRETiRet;\n}", "project": "rsyslog", "hash": 164935368991515276481265734599111412578, "size": 21, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373809 }, { "func": "static Variant to_double(UncheckedBuffer &buf) {\n auto data = buf.data();\n auto ret = data ? zend_strtod(data, nullptr) : 0.0;\n buf.clear();\n return ret;\n}", "project": "hhvm", "hash": 95758182885650229183330102089655041049, "size": 6, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227299 }, { "func": "static bool nested_svm_vmrun_msrpm(struct vcpu_svm *svm)\n{\n\t/*\n\t * This function merges the msr permission bitmaps of kvm and the\n\t * nested vmcb. 
It is optimized in that it only merges the parts where\n\t * the kvm msr permission bitmap may contain zero bits\n\t */\n\tint i;\n\n\tif (!(svm->nested.intercept & (1ULL << INTERCEPT_MSR_PROT)))\n\t\treturn true;\n\n\tfor (i = 0; i < MSRPM_OFFSETS; i++) {\n\t\tu32 value, p;\n\t\tu64 offset;\n\n\t\tif (msrpm_offsets[i] == 0xffffffff)\n\t\t\tbreak;\n\n\t\tp = msrpm_offsets[i];\n\t\toffset = svm->nested.vmcb_msrpm + (p * 4);\n\n\t\tif (kvm_vcpu_read_guest(&svm->vcpu, offset, &value, 4))\n\t\t\treturn false;\n\n\t\tsvm->nested.msrpm[p] = svm->msrpm[p] | value;\n\t}\n\n\tsvm->vmcb->control.msrpm_base_pa = __sme_set(__pa(svm->nested.msrpm));\n\n\treturn true;\n}", "project": "linux", "hash": 55901771749749102830347401820945162163, "size": 32, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432480 }, { "func": "static bool nested_svm_vmrun_msrpm(struct vcpu_svm *svm)\n{\n\t/*\n\t * This function merges the msr permission bitmaps of kvm and the\n\t * nested vmcb. 
It is optimized in that it only merges the parts where\n\t * the kvm msr permission bitmap may contain zero bits\n\t */\n\tint i;\n\n\tif (!(svm->nested.intercept & (1ULL << INTERCEPT_MSR_PROT)))\n\t\treturn true;\n\n\tfor (i = 0; i < MSRPM_OFFSETS; i++) {\n\t\tu32 value, p;\n\t\tu64 offset;\n\n\t\tif (msrpm_offsets[i] == 0xffffffff)\n\t\t\tbreak;\n\n\t\tp = msrpm_offsets[i];\n\t\toffset = svm->nested.vmcb_msrpm + (p * 4);\n\n\t\tif (kvm_read_guest(svm->vcpu.kvm, offset, &value, 4))\n\t\t\treturn false;\n\n\t\tsvm->nested.msrpm[p] = svm->msrpm[p] | value;\n\t}\n\n\tsvm->vmcb->control.msrpm_base_pa = __pa(svm->nested.msrpm);\n\n\treturn true;\n}", "project": "kvm", "hash": 147669443964154374533958063837046158249, "size": 32, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437601 }, { "func": "void PCRECache::insert(\n Accessor& accessor,\n const StringData* regex,\n TempKeyCache& keyCache,\n const pcre_cache_entry* ent\n) {\n switch (m_kind) {\n case CacheKind::Static:\n {\n assertx(m_staticCache.load());\n // Clear the cache if we haven't refreshed it in a while\n if (time(nullptr) > m_expire) {\n clearStatic();\n }\n auto const cache = m_staticCache.load(std::memory_order_acquire);\n auto const key =\n regex->isStatic() ||\n (regex->isUncounted() && regex->uncountedIncRef()) ?\n regex : StringData::MakeUncounted(regex->slice());\n auto pair = cache->insert(StaticCachePair(key, ent));\n if (pair.second) {\n // Inserted, container owns the pointer\n accessor = ent;\n } else {\n // Not inserted, caller needs to own the pointer\n if 
(regex->isUncounted()) StringData::ReleaseUncounted(key);\n accessor = EntryPtr(ent);\n }\n }\n break;\n case CacheKind::Lru:\n case CacheKind::Scalable:\n {\n if (!keyCache) {\n keyCache.reset(new LRUCacheKey(regex->data(), regex->size()));\n }\n // Pointer ownership is shared between container and caller\n accessor = EntryPtr(ent);\n if (m_kind == CacheKind::Lru) {\n m_lruCache->insert(*keyCache, accessor.entryPtr());\n } else {\n m_scalableCache->insert(*keyCache, accessor.entryPtr());\n }\n }\n break;\n }\n}", "project": "hhvm", "hash": 242569615435081141879283028163191321914, "size": 47, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219545 }, { "func": "UINT DeviceServiceEntry(PDEVICE_SERVICE_ENTRY_POINTS pEntryPoints)\n{\n\tchar* name;\n\tchar* path;\n\tsize_t i;\n\tsize_t length;\n\tRDPDR_PARALLEL* device;\n\tPARALLEL_DEVICE* parallel;\n\tUINT error;\n\tdevice = (RDPDR_PARALLEL*)pEntryPoints->device;\n\tname = device->Name;\n\tpath = device->Path;\n\n\tif (!name || (name[0] == '*') || !path)\n\t{\n\t\t/* TODO: implement auto detection of parallel ports */\n\t\treturn CHANNEL_RC_INITIALIZATION_ERROR;\n\t}\n\n\tif (name[0] && path[0])\n\t{\n\t\tparallel = (PARALLEL_DEVICE*)calloc(1, sizeof(PARALLEL_DEVICE));\n\n\t\tif (!parallel)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"calloc failed!\");\n\t\t\treturn CHANNEL_RC_NO_MEMORY;\n\t\t}\n\n\t\tparallel->device.type = RDPDR_DTYP_PARALLEL;\n\t\tparallel->device.name = name;\n\t\tparallel->device.IRPRequest = parallel_irp_request;\n\t\tparallel->device.Free = parallel_free;\n\t\tparallel->rdpcontext = pEntryPoints->rdpcontext;\n\t\tlength = strlen(name);\n\t\tparallel->device.data = Stream_New(NULL, length + 1);\n\n\t\tif (!parallel->device.data)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"Stream_New failed!\");\n\t\t\terror = CHANNEL_RC_NO_MEMORY;\n\t\t\tgoto error_out;\n\t\t}\n\n\t\tfor (i = 0; i <= length; 
i++)\n\t\t\tStream_Write_UINT8(parallel->device.data, name[i] < 0 ? '_' : name[i]);\n\n\t\tparallel->path = path;\n\t\tparallel->queue = MessageQueue_New(NULL);\n\n\t\tif (!parallel->queue)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"MessageQueue_New failed!\");\n\t\t\terror = CHANNEL_RC_NO_MEMORY;\n\t\t\tgoto error_out;\n\t\t}\n\n\t\tif ((error = pEntryPoints->RegisterDevice(pEntryPoints->devman, (DEVICE*)parallel)))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"RegisterDevice failed with error %\" PRIu32 \"!\", error);\n\t\t\tgoto error_out;\n\t\t}\n\n\t\tif (!(parallel->thread =\n\t\t CreateThread(NULL, 0, parallel_thread_func, (void*)parallel, 0, NULL)))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"CreateThread failed!\");\n\t\t\terror = ERROR_INTERNAL_ERROR;\n\t\t\tgoto error_out;\n\t\t}\n\t}\n\n\treturn CHANNEL_RC_OK;\nerror_out:\n\tMessageQueue_Free(parallel->queue);\n\tStream_Free(parallel->device.data, TRUE);\n\tfree(parallel);\n\treturn error;\n}", "project": "FreeRDP", "hash": 299843326105621841155875327009803323806, "size": 79, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403461 }, { "func": "\nstatic void bfq_bfqq_save_state(struct bfq_queue *bfqq)\n{\n\tstruct bfq_io_cq *bic = bfqq->bic;\n\n\t/*\n\t * If !bfqq->bic, the queue is already shared or its requests\n\t * have already been redirected to a shared queue; both idle window\n\t * and weight raising state have already been saved. 
Do nothing.\n\t */\n\tif (!bic)\n\t\treturn;\n\n\tbic->saved_weight = bfqq->entity.orig_weight;\n\tbic->saved_ttime = bfqq->ttime;\n\tbic->saved_has_short_ttime = bfq_bfqq_has_short_ttime(bfqq);\n\tbic->saved_IO_bound = bfq_bfqq_IO_bound(bfqq);\n\tbic->saved_in_large_burst = bfq_bfqq_in_large_burst(bfqq);\n\tbic->was_in_burst_list = !hlist_unhashed(&bfqq->burst_list_node);\n\tif (unlikely(bfq_bfqq_just_created(bfqq) &&\n\t\t !bfq_bfqq_in_large_burst(bfqq) &&\n\t\t bfqq->bfqd->low_latency)) {\n\t\t/*\n\t\t * bfqq being merged right after being created: bfqq\n\t\t * would have deserved interactive weight raising, but\n\t\t * did not make it to be set in a weight-raised state,\n\t\t * because of this early merge.\tStore directly the\n\t\t * weight-raising state that would have been assigned\n\t\t * to bfqq, so that to avoid that bfqq unjustly fails\n\t\t * to enjoy weight raising if split soon.\n\t\t */\n\t\tbic->saved_wr_coeff = bfqq->bfqd->bfq_wr_coeff;\n\t\tbic->saved_wr_start_at_switch_to_srt = bfq_smallest_from_now();\n\t\tbic->saved_wr_cur_max_time = bfq_wr_duration(bfqq->bfqd);\n\t\tbic->saved_last_wr_start_finish = jiffies;\n\t} else {\n\t\tbic->saved_wr_coeff = bfqq->wr_coeff;\n\t\tbic->saved_wr_start_at_switch_to_srt =\n\t\t\tbfqq->wr_start_at_switch_to_srt;\n\t\tbic->saved_last_wr_start_finish = bfqq->last_wr_start_finish;\n\t\tbic->saved_wr_cur_max_time = bfqq->wr_cur_max_time;\n\t}", "project": "linux", "hash": 21673001119339168956514434896503803479, "size": 42, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. 
So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] 
bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 
mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453285 }, { "func": "UnicodeString::extractBetween(int32_t start,\n int32_t limit,\n UnicodeString& target) const {\n pinIndex(start);\n pinIndex(limit);\n doExtract(start, limit - start, target);\n}", "project": "icu", "hash": 169076525813854753052218534330652773543, "size": 7, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430826 }, { "func": "static void RSA_get0_factors(const RSA *r, 
const BIGNUM **p, const BIGNUM **q)\n{\n\t*p = r->p;\n\t*q = r->q;\n}", "project": "php-src", "hash": 9237506391133546140633665781373971778, "size": 5, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291446 }, { "func": "static void touch_pmd(struct vm_area_struct *vma, unsigned long addr,\n\t\tpmd_t *pmd, int flags)\n{\n\tpmd_t _pmd;\n\n\t_pmd = pmd_mkyoung(*pmd);\n\tif (flags & FOLL_WRITE)\n\t\t_pmd = pmd_mkdirty(_pmd);\n\tif (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK,\n\t\t\t\tpmd, _pmd, flags & FOLL_WRITE))\n\t\tupdate_mmu_cache_pmd(vma, addr, pmd);\n}", "project": "linux", "hash": 198142228471016966390316737185717988587, "size": 12, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). 
Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364183 }, { "func": "static void output_item_help(struct output_struct *words)\n{\n\tshort *levels = words == info_words ? info_levels : debug_levels;\n\tconst char **verbosity = words == info_words ? info_verbosity : debug_verbosity;\n\tchar buf[128], *opt, *fmt = \"%-10s %s\\n\";\n\tint j;\n\n\treset_output_levels();\n\n\trprintf(FINFO, \"Use OPT or OPT1 for level 1 output, OPT2 for level 2, etc.; OPT0 silences.\\n\");\n\trprintf(FINFO, \"\\n\");\n\tfor (j = 0; words[j].name; j++)\n\t\trprintf(FINFO, fmt, words[j].name, words[j].help);\n\trprintf(FINFO, \"\\n\");\n\n\tsnprintf(buf, sizeof buf, \"Set all %s options (e.g. 
all%d)\",\n\t\t words[j].help, MAX_OUT_LEVEL);\n\trprintf(FINFO, fmt, \"ALL\", buf);\n\n\tsnprintf(buf, sizeof buf, \"Silence all %s options (same as all0)\",\n\t\t words[j].help);\n\trprintf(FINFO, fmt, \"NONE\", buf);\n\n\trprintf(FINFO, fmt, \"HELP\", \"Output this help message\");\n\trprintf(FINFO, \"\\n\");\n\trprintf(FINFO, \"Options added for each increase in verbose level:\\n\");\n\n\tfor (j = 1; j <= MAX_VERBOSITY; j++) {\n\t\tparse_output_words(words, levels, verbosity[j], HELP_PRIORITY);\n\t\topt = make_output_option(words, levels, W_CLI|W_SRV|W_SND|W_REC);\n\t\tif (opt) {\n\t\t\trprintf(FINFO, \"%d) %s\\n\", j, strchr(opt, '=')+1);\n\t\t\tfree(opt);\n\t\t}\n\t\treset_output_levels();\n\t}\n}", "project": "rsync", "hash": 283782385974495683407328683316726367009, "size": 37, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364673 }, { "func": "static __always_inline void do_slab_free(struct kmem_cache *s,\n\t\t\t\tstruct page *page, void *head, void *tail,\n\t\t\t\tint cnt, unsigned long addr)\n{\n\tvoid *tail_obj = tail ? : head;\n\tstruct kmem_cache_cpu *c;\n\tunsigned long tid;\nredo:\n\t/*\n\t * Determine the currently cpus per cpu slab.\n\t * The cpu may change afterward. However that does not matter since\n\t * data is retrieved via this pointer. 
If we are on the same cpu\n\t * during the cmpxchg then the free will succeed.\n\t */\n\tdo {\n\t\ttid = this_cpu_read(s->cpu_slab->tid);\n\t\tc = raw_cpu_ptr(s->cpu_slab);\n\t} while (IS_ENABLED(CONFIG_PREEMPTION) &&\n\t\t unlikely(tid != READ_ONCE(c->tid)));\n\n\t/* Same with comment on barrier() in slab_alloc_node() */\n\tbarrier();\n\n\tif (likely(page == c->page)) {\n\t\tset_freepointer(s, tail_obj, c->freelist);\n\n\t\tif (unlikely(!this_cpu_cmpxchg_double(\n\t\t\t\ts->cpu_slab->freelist, s->cpu_slab->tid,\n\t\t\t\tc->freelist, tid,\n\t\t\t\thead, next_tid(tid)))) {\n\n\t\t\tnote_cmpxchg_failure(\"slab_free\", s, tid);\n\t\t\tgoto redo;\n\t\t}\n\t\tstat(s, FREE_FASTPATH);\n\t} else\n\t\t__slab_free(s, page, head, tail_obj, cnt, addr);\n\n}", "project": "linux", "hash": 115574979294528053027571503829673365593, "size": 39, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280079 }, { "func": "\nstatic int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)\n{\n\tstruct io_poll_iocb *poll = &req->poll;\n\tu32 flags;\n\n\tif (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))\n\t\treturn -EINVAL;\n\tif (sqe->ioprio || sqe->buf_index || sqe->off || sqe->addr)\n\t\treturn -EINVAL;\n\tflags = READ_ONCE(sqe->len);\n\tif (flags & ~IORING_POLL_ADD_MULTI)\n\t\treturn -EINVAL;\n\n\tpoll->events = io_poll_parse_events(sqe, flags);\n\treturn 0;", "project": "linux", "hash": 12030037257936143023392873178202660580, "size": 16, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338688 }, { "func": "static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)\n{\n\tstruct io_poll_iocb *poll = &req->poll;\n\tu32 events;\n\n\tif (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))\n\t\treturn -EINVAL;\n\tif (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)\n\t\treturn -EINVAL;\n\tif (!poll->file)\n\t\treturn -EBADF;\n\n\tevents = READ_ONCE(sqe->poll32_events);\n#ifdef __BIG_ENDIAN\n\tevents = swahw32(events);\n#endif\n\tpoll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP |\n\t\t (events & EPOLLEXCLUSIVE);\n\n\tio_get_req_task(req);\n\treturn 0;\n}", "project": "linux", "hash": 111612557058823788363031043346796728657, "size": 22, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456929 }, { "func": "static void 
hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)\n{\n\tstruct hci_cp_read_remote_ext_features *cp;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (!status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));\n\tif (conn) {\n\t\tif (conn->state == BT_CONFIG) {\n\t\t\thci_connect_cfm(conn, status);\n\t\t\thci_conn_drop(conn);\n\t\t}\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 235201106724905583030273015087449312575, "size": 26, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431894 }, { "func": "ulong check_selectivity(THD *thd,\n ulong rows_to_read,\n TABLE *table,\n List *conds)\n{\n ulong count= 0;\n COND_STATISTIC *cond;\n List_iterator_fast it(*conds);\n handler *file= table->file;\n uchar *record= table->record[0];\n int error= 0;\n DBUG_ENTER(\"check_selectivity\");\n\n DBUG_ASSERT(rows_to_read > 0);\n while ((cond= it++))\n {\n DBUG_ASSERT(cond->cond);\n DBUG_ASSERT(cond->cond->used_tables() == table->map);\n cond->positive= 0;\n }\n it.rewind();\n\n if (unlikely(file->ha_rnd_init_with_error(1)))\n DBUG_RETURN(0);\n do\n {\n error= file->ha_rnd_next(record);\n\n if (unlikely(thd->killed))\n {\n 
thd->send_kill_message();\n count= 0;\n goto err;\n }\n if (unlikely(error))\n {\n if (error == HA_ERR_END_OF_FILE)\n\tbreak;\n goto err;\n }\n\n count++;\n while ((cond= it++))\n {\n if (cond->cond->val_bool())\n cond->positive++;\n }\n it.rewind();\n\n } while (count < rows_to_read);\n\n file->ha_rnd_end();\n DBUG_RETURN(count);\n\nerr:\n DBUG_PRINT(\"error\", (\"error %d\", error));\n file->ha_rnd_end();\n DBUG_RETURN(0);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 121348299665552733231583049600260644409, "size": 59, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508458 }, { "func": "void BPMDetect::updateXCorr(int process_samples)\r\n{\r\n int offs;\r\n SAMPLETYPE *pBuffer;\r\n \r\n assert(buffer->numSamples() >= (uint)(process_samples + windowLen));\r\n assert(process_samples == XCORR_UPDATE_SEQUENCE);\r\n\r\n pBuffer = buffer->ptrBegin();\r\n\r\n // calculate decay factor for xcorr filtering\r\n float xcorr_decay = (float)pow(0.5, 1.0 / (XCORR_DECAY_TIME_CONSTANT * TARGET_SRATE / process_samples));\r\n\r\n // prescale pbuffer\r\n float tmp[XCORR_UPDATE_SEQUENCE];\r\n for (int i = 0; i < process_samples; i++)\r\n {\r\n tmp[i] = hamw[i] * hamw[i] * pBuffer[i];\r\n }\r\n\r\n #pragma omp parallel for\r\n for (offs = windowStart; offs < windowLen; offs ++) \r\n {\r\n double sum;\r\n int i;\r\n\r\n sum = 0;\r\n for (i = 0; i < process_samples; i ++) \r\n {\r\n sum += tmp[i] * pBuffer[i + offs]; // scaling the sub-result shouldn't be necessary\r\n }\r\n xcorr[offs] *= xcorr_decay; // decay 'xcorr' here with suitable time constant.\r\n\r\n xcorr[offs] += (float)fabs(sum);\r\n }\r\n}\r", "project": "soundtouch", "hash": 178252841325647050460724580883501288834, "size": 36, "commit_id": "a1c400eb2cff849c0e5f9d6916d69ffea3ad2c85", "message": "Fix issue CVE-2018-17096: Replace assert with runtime exception", "target": 0, "dataset": "other", "idx": 368098 }, { "func": "static bool nfs4_clear_cap_atomic_open_v1(struct nfs_server *server,\n\t\tint err, struct nfs4_exception *exception)\n{\n\tif (err != -EINVAL)\n\t\treturn false;\n\tif (!(server->caps & NFS_CAP_ATOMIC_OPEN_V1))\n\t\treturn false;\n\tserver->caps &= ~NFS_CAP_ATOMIC_OPEN_V1;\n\texception->retry = 1;\n\treturn true;\n}", "project": "linux", "hash": 114627069619264771874127048393917904939, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", 
"message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431080 }, { "func": "static void autocomplete_macro(RCore *core, RLineCompletion *completion, const char *str) {\n\tr_return_if_fail (str);\n\tRCmdMacroItem *item;\n\tRListIter *iter;\n\tchar buf[1024];\n\tint n = strlen(str);\n\tr_list_foreach (core->rcmd->macro.macros, iter, item) {\n\t\tchar *p = item->name;\n\t\tif (!*str || !strncmp (str, p, n)) {\n\t\t\tsnprintf (buf, sizeof (buf), \"%s%s)\", str, p);\n\t\t\tr_line_completion_push (completion, buf);\n\t\t}\n\t}\n}", "project": "radare2", "hash": 299435976305483763208680125272024307299, "size": 14, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232113 }, { "func": "void CLua::setglobal(const char *name)\n{\n lua_setglobal(state(), name);\n}", "project": "crawl", "hash": 89148709840230747917332456870302590188, "size": 4, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230499 }, { "func": "static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)\n{\n\tstruct inet_connection_sock *icsk = inet_csk(sk);\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tu32 prior_snd_una = tp->snd_una;\n\tu32 ack_seq = TCP_SKB_CB(skb)->seq;\n\tu32 ack = TCP_SKB_CB(skb)->ack_seq;\n\tbool is_dupack = false;\n\tu32 prior_in_flight;\n\tu32 prior_fackets;\n\tint prior_packets;\n\tint prior_sacked = tp->sacked_out;\n\tint pkts_acked = 0;\n\tint newly_acked_sacked = 0;\n\tint frto_cwnd = 0;\n\n\t/* If the ack is 
older than previous acks\n\t * then we can probably ignore it.\n\t */\n\tif (before(ack, prior_snd_una))\n\t\tgoto old_ack;\n\n\t/* If the ack includes data we haven't sent yet, discard\n\t * this segment (RFC793 Section 3.9).\n\t */\n\tif (after(ack, tp->snd_nxt))\n\t\tgoto invalid_ack;\n\n\tif (after(ack, prior_snd_una))\n\t\tflag |= FLAG_SND_UNA_ADVANCED;\n\n\tif (sysctl_tcp_abc) {\n\t\tif (icsk->icsk_ca_state < TCP_CA_CWR)\n\t\t\ttp->bytes_acked += ack - prior_snd_una;\n\t\telse if (icsk->icsk_ca_state == TCP_CA_Loss)\n\t\t\t/* we assume just one segment left network */\n\t\t\ttp->bytes_acked += min(ack - prior_snd_una,\n\t\t\t\t\t tp->mss_cache);\n\t}\n\n\tprior_fackets = tp->fackets_out;\n\tprior_in_flight = tcp_packets_in_flight(tp);\n\n\tif (!(flag & FLAG_SLOWPATH) && after(ack, prior_snd_una)) {\n\t\t/* Window is constant, pure forward advance.\n\t\t * No more checks are required.\n\t\t * Note, we use the fact that SND.UNA>=SND.WL2.\n\t\t */\n\t\ttcp_update_wl(tp, ack_seq);\n\t\ttp->snd_una = ack;\n\t\tflag |= FLAG_WIN_UPDATE;\n\n\t\ttcp_ca_event(sk, CA_EVENT_FAST_ACK);\n\n\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPHPACKS);\n\t} else {\n\t\tif (ack_seq != TCP_SKB_CB(skb)->end_seq)\n\t\t\tflag |= FLAG_DATA;\n\t\telse\n\t\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPPUREACKS);\n\n\t\tflag |= tcp_ack_update_window(sk, skb, ack, ack_seq);\n\n\t\tif (TCP_SKB_CB(skb)->sacked)\n\t\t\tflag |= tcp_sacktag_write_queue(sk, skb, prior_snd_una);\n\n\t\tif (TCP_ECN_rcv_ecn_echo(tp, tcp_hdr(skb)))\n\t\t\tflag |= FLAG_ECE;\n\n\t\ttcp_ca_event(sk, CA_EVENT_SLOW_ACK);\n\t}\n\n\t/* We passed data and got it acked, remove any soft error\n\t * log. Something worked...\n\t */\n\tsk->sk_err_soft = 0;\n\ticsk->icsk_probes_out = 0;\n\ttp->rcv_tstamp = tcp_time_stamp;\n\tprior_packets = tp->packets_out;\n\tif (!prior_packets)\n\t\tgoto no_queue;\n\n\t/* See if we can take anything off of the retransmit queue. 
*/\n\tflag |= tcp_clean_rtx_queue(sk, prior_fackets, prior_snd_una);\n\n\tpkts_acked = prior_packets - tp->packets_out;\n\tnewly_acked_sacked = (prior_packets - prior_sacked) -\n\t\t\t (tp->packets_out - tp->sacked_out);\n\n\tif (tp->frto_counter)\n\t\tfrto_cwnd = tcp_process_frto(sk, flag);\n\t/* Guarantee sacktag reordering detection against wrap-arounds */\n\tif (before(tp->frto_highmark, tp->snd_una))\n\t\ttp->frto_highmark = 0;\n\n\tif (tcp_ack_is_dubious(sk, flag)) {\n\t\t/* Advance CWND, if state allows this. */\n\t\tif ((flag & FLAG_DATA_ACKED) && !frto_cwnd &&\n\t\t tcp_may_raise_cwnd(sk, flag))\n\t\t\ttcp_cong_avoid(sk, ack, prior_in_flight);\n\t\tis_dupack = !(flag & (FLAG_SND_UNA_ADVANCED | FLAG_NOT_DUP));\n\t\ttcp_fastretrans_alert(sk, pkts_acked, newly_acked_sacked,\n\t\t\t\t is_dupack, flag);\n\t} else {\n\t\tif ((flag & FLAG_DATA_ACKED) && !frto_cwnd)\n\t\t\ttcp_cong_avoid(sk, ack, prior_in_flight);\n\t}\n\n\tif ((flag & FLAG_FORWARD_PROGRESS) || !(flag & FLAG_NOT_DUP))\n\t\tdst_confirm(__sk_dst_get(sk));\n\n\treturn 1;\n\nno_queue:\n\t/* If data was DSACKed, see if we can undo a cwnd reduction. */\n\tif (flag & FLAG_DSACKING_ACK)\n\t\ttcp_fastretrans_alert(sk, pkts_acked, newly_acked_sacked,\n\t\t\t\t is_dupack, flag);\n\t/* If this ack opens up a zero window, clear backoff. 
It was\n\t * being used to time the probes, and is probably far higher than\n\t * it needs to be for normal retransmission.\n\t */\n\tif (tcp_send_head(sk))\n\t\ttcp_ack_probe(sk);\n\treturn 1;\n\ninvalid_ack:\n\tSOCK_DEBUG(sk, \"Ack %u after %u:%u\\n\", ack, tp->snd_una, tp->snd_nxt);\n\treturn -1;\n\nold_ack:\n\t/* If data was SACKed, tag it and see if we should send more data.\n\t * If data was DSACKed, see if we can undo a cwnd reduction.\n\t */\n\tif (TCP_SKB_CB(skb)->sacked) {\n\t\tflag |= tcp_sacktag_write_queue(sk, skb, prior_snd_una);\n\t\tnewly_acked_sacked = tp->sacked_out - prior_sacked;\n\t\ttcp_fastretrans_alert(sk, pkts_acked, newly_acked_sacked,\n\t\t\t\t is_dupack, flag);\n\t}\n\n\tSOCK_DEBUG(sk, \"Ack %u before %u:%u\\n\", ack, tp->snd_una, tp->snd_nxt);\n\treturn 0;\n}", "project": "net-next", "hash": 132185992353814286063255598244227577533, "size": 144, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409925 }, { "func": "static int ep_modify(struct eventpoll *ep, struct epitem *epi,\n\t\t const struct epoll_event *event)\n{\n\tint pwake = 0;\n\tpoll_table pt;\n\n\tlockdep_assert_irqs_enabled();\n\n\tinit_poll_funcptr(&pt, NULL);\n\n\t/*\n\t * Set the new event interest mask before calling f_op->poll();\n\t * otherwise we might miss an event that happens between the\n\t * f_op->poll() call and the new event set registering.\n\t */\n\tepi->event.events = event->events; /* need barrier below */\n\tepi->event.data = event->data; /* protected by mtx */\n\tif (epi->event.events & EPOLLWAKEUP) {\n\t\tif (!ep_has_wakeup_source(epi))\n\t\t\tep_create_wakeup_source(epi);\n\t} else if (ep_has_wakeup_source(epi)) {\n\t\tep_destroy_wakeup_source(epi);\n\t}\n\n\t/*\n\t * The following barrier has two effects:\n\t *\n\t * 1) Flush epi changes above to other CPUs. This ensures\n\t * we do not miss events from ep_poll_callback if an\n\t * event occurs immediately after we call f_op->poll().\n\t * We need this because we did not take ep->lock while\n\t * changing epi above (but ep_poll_callback does take\n\t * ep->lock).\n\t *\n\t * 2) We also need to ensure we do not miss _past_ events\n\t * when calling f_op->poll(). This barrier also\n\t * pairs with the barrier in wq_has_sleeper (see\n\t * comments for wq_has_sleeper).\n\t *\n\t * This barrier will now guarantee ep_poll_callback or f_op->poll\n\t * (or both) will notice the readiness of an item.\n\t */\n\tsmp_mb();\n\n\t/*\n\t * Get current event bits. 
We can safely use the file* here because\n\t * its usage count has been increased by the caller of this function.\n\t * If the item is \"hot\" and it is not registered inside the ready\n\t * list, push it inside.\n\t */\n\tif (ep_item_poll(epi, &pt, 1)) {\n\t\twrite_lock_irq(&ep->lock);\n\t\tif (!ep_is_linked(epi)) {\n\t\t\tlist_add_tail(&epi->rdllink, &ep->rdllist);\n\t\t\tep_pm_stay_awake(epi);\n\n\t\t\t/* Notify waiting tasks that events are available */\n\t\t\tif (waitqueue_active(&ep->wq))\n\t\t\t\twake_up(&ep->wq);\n\t\t\tif (waitqueue_active(&ep->poll_wait))\n\t\t\t\tpwake++;\n\t\t}\n\t\twrite_unlock_irq(&ep->lock);\n\t}\n\n\t/* We have to call this outside the lock */\n\tif (pwake)\n\t\tep_poll_safewake(ep, NULL);\n\n\treturn 0;\n}", "project": "linux", "hash": 83196935818068033660840500386333968933, "size": 71, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336223 }, { "func": "uint8_t ethereum_extractThorchainData(const EthereumSignTx *msg,\n char *buffer) {\n // Swap data begins 164 chars into data buffer:\n // offset = deposit function hash + address + address + uint256\n uint16_t offset = 4 + (5 * 32);\n int16_t len = msg->data_length - offset;\n if (msg->has_data_length && len > 0) {\n memcpy(buffer, msg->data_initial_chunk.bytes + offset, len);\n // String length must be < 255 characters\n return len < 256 ? 
(uint8_t)len : 0;\n }\n return 0;\n}", "project": "keepkey-firmware", "hash": 30009078677497671388353724048438003192, "size": 13, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 1, "dataset": "other", "idx": 195057 }, { "func": "uint8_t ethereum_extractThorchainData(const EthereumSignTx *msg,\n char *buffer) {\n // Swap data begins 164 chars into data buffer:\n // offset = deposit function hash + address + address + uint256\n uint16_t offset = 4 + (5 * 32);\n int16_t len = msg->data_length - offset;\n if (msg->has_data_length && len > 0 && len < 256) {\n memcpy(buffer, msg->data_initial_chunk.bytes + offset, len);\n // String length must be < 255 characters\n return (uint8_t)len;\n }\n return 0;\n}", "project": "keepkey-firmware", "hash": 31658134530975392085648913239261058010, "size": 13, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220894 }, { "func": "OPJ_BOOL opj_j2k_encode(opj_j2k_t * p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n OPJ_UINT32 i, j;\n OPJ_UINT32 l_nb_tiles;\n OPJ_SIZE_T l_max_tile_size = 0, l_current_tile_size;\n OPJ_BYTE * l_current_data = 00;\n OPJ_BOOL l_reuse_data = OPJ_FALSE;\n opj_tcd_t* p_tcd = 00;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_stream != 00);\n assert(p_manager != 00);\n\n p_tcd = p_j2k->m_tcd;\n\n l_nb_tiles = p_j2k->m_cp.th * p_j2k->m_cp.tw;\n if (l_nb_tiles == 1) {\n l_reuse_data = OPJ_TRUE;\n#ifdef __SSE__\n for (j = 0; j < p_j2k->m_tcd->image->numcomps; ++j) {\n opj_image_comp_t * l_img_comp = p_tcd->image->comps + j;\n if (((size_t)l_img_comp->data & 0xFU) !=\n 0U) { /* tile data shall be aligned on 16 bytes */\n l_reuse_data = OPJ_FALSE;\n }\n }\n#endif\n }\n for (i = 0; i < l_nb_tiles; ++i) {\n if (! 
opj_j2k_pre_write_tile(p_j2k, i, p_stream, p_manager)) {\n if (l_current_data) {\n opj_free(l_current_data);\n }\n return OPJ_FALSE;\n }\n\n /* if we only have one tile, then simply set tile component data equal to image component data */\n /* otherwise, allocate the data */\n for (j = 0; j < p_j2k->m_tcd->image->numcomps; ++j) {\n opj_tcd_tilecomp_t* l_tilec = p_tcd->tcd_image->tiles->comps + j;\n if (l_reuse_data) {\n opj_image_comp_t * l_img_comp = p_tcd->image->comps + j;\n l_tilec->data = l_img_comp->data;\n l_tilec->ownsData = OPJ_FALSE;\n } else {\n if (! opj_alloc_tile_component_data(l_tilec)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Error allocating tile component data.\");\n if (l_current_data) {\n opj_free(l_current_data);\n }\n return OPJ_FALSE;\n }\n }\n }\n l_current_tile_size = opj_tcd_get_encoder_input_buffer_size(p_j2k->m_tcd);\n if (!l_reuse_data) {\n if (l_current_tile_size > l_max_tile_size) {\n OPJ_BYTE *l_new_current_data = (OPJ_BYTE *) opj_realloc(l_current_data,\n l_current_tile_size);\n if (! l_new_current_data) {\n if (l_current_data) {\n opj_free(l_current_data);\n }\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to encode all tiles\\n\");\n return OPJ_FALSE;\n }\n l_current_data = l_new_current_data;\n l_max_tile_size = l_current_tile_size;\n }\n if (l_current_data == NULL) {\n /* Should not happen in practice, but will avoid Coverity to */\n /* complain about a null pointer dereference */\n assert(0);\n return OPJ_FALSE;\n }\n\n /* copy image data (32 bit) to l_current_data as contiguous, all-component, zero offset buffer */\n /* 32 bit components @ 8 bit precision get converted to 8 bit */\n /* 32 bit components @ 16 bit precision get converted to 16 bit */\n opj_j2k_get_tile_data(p_j2k->m_tcd, l_current_data);\n\n /* now copy this data into the tile component */\n if (! 
opj_tcd_copy_tile_data(p_j2k->m_tcd, l_current_data,\n l_current_tile_size)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Size mismatch between tile data and sent data.\");\n opj_free(l_current_data);\n return OPJ_FALSE;\n }\n }\n\n if (! opj_j2k_post_write_tile(p_j2k, p_stream, p_manager)) {\n if (l_current_data) {\n opj_free(l_current_data);\n }\n return OPJ_FALSE;\n }\n }\n\n if (l_current_data) {\n opj_free(l_current_data);\n }\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 167480227174440581911837845400161467160, "size": 107, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357340 }, { "func": "unsigned int CClient::PutStatus(const CTable& table) {\n unsigned int idx = 0;\n CString sLine;\n while (table.GetLine(idx++, sLine)) PutStatus(sLine);\n return idx - 1;\n}", "project": "znc", "hash": 47311921839745244097640103392414876997, "size": 6, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231546 }, { "func": "void CClient::PutStatus(const CString& sLine) { PutModule(\"status\", sLine); }", "project": "znc", "hash": 165979618280190832104837150351133236775, "size": 1, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231594 }, { "func": "int LibRaw::parseCR3(unsigned long long oAtomList,\n unsigned long long szAtomList, short &nesting,\n char *AtomNameStack, short &nTrack, short &TrackType)\n{\n /*\n Atom starts with 4 bytes for Atom size and 4 bytes containing Atom name\n Atom size includes the length of the header and the size of all \"contained\"\n Atoms if Atom size == 1, Atom has the extended size stored in 8 bytes located\n after the Atom name if Atom size == 0, it is the last top-level 
Atom extending\n to the end of the file Atom name is often a 4 symbol mnemonic, but can be a\n 4-byte integer\n */\n const char UIID_Canon[17] =\n \"\\x85\\xc0\\xb6\\x87\\x82\\x0f\\x11\\xe0\\x81\\x11\\xf4\\xce\\x46\\x2b\\x6a\\x48\";\n\n /*\n AtomType = 0 - unknown: \"unk.\"\n AtomType = 1 - container atom: \"cont\"\n AtomType = 2 - leaf atom: \"leaf\"\n AtomType = 3 - can be container, can be leaf: \"both\"\n */\n short AtomType;\n static const struct\n {\n char AtomName[5];\n short AtomType;\n } AtomNamesList[] = {\n {\"dinf\", 1},\n {\"edts\", 1},\n {\"fiin\", 1},\n {\"ipro\", 1},\n {\"iprp\", 1},\n {\"mdia\", 1},\n {\"meco\", 1},\n {\"mere\", 1},\n {\"mfra\", 1},\n {\"minf\", 1},\n {\"moof\", 1},\n {\"moov\", 1},\n {\"mvex\", 1},\n {\"paen\", 1},\n {\"schi\", 1},\n {\"sinf\", 1},\n {\"skip\", 1},\n {\"stbl\", 1},\n {\"stsd\", 1},\n {\"strk\", 1},\n {\"tapt\", 1},\n {\"traf\", 1},\n {\"trak\", 1},\n\n {\"cdsc\", 2},\n {\"colr\", 2},\n {\"dimg\", 2},\n // {\"dref\", 2},\n {\"free\", 2},\n {\"frma\", 2},\n {\"ftyp\", 2},\n {\"hdlr\", 2},\n {\"hvcC\", 2},\n {\"iinf\", 2},\n {\"iloc\", 2},\n {\"infe\", 2},\n {\"ipco\", 2},\n {\"ipma\", 2},\n {\"iref\", 2},\n {\"irot\", 2},\n {\"ispe\", 2},\n {\"meta\", 2},\n {\"mvhd\", 2},\n {\"pitm\", 2},\n {\"pixi\", 2},\n {\"schm\", 2},\n {\"thmb\", 2},\n {\"tkhd\", 2},\n {\"url \", 2},\n {\"urn \", 2},\n\n {\"CCTP\", 1},\n {\"CRAW\", 1},\n\n {\"JPEG\", 2},\n {\"CDI1\", 2},\n {\"CMP1\", 2},\n\n {\"CNCV\", 2},\n {\"CCDT\", 2},\n {\"CTBO\", 2},\n {\"CMT1\", 2},\n {\"CMT2\", 2},\n {\"CMT3\", 2},\n {\"CMT4\", 2},\n {\"THMB\", 2},\n {\"co64\", 2},\n {\"mdat\", 2},\n {\"mdhd\", 2},\n {\"nmhd\", 2},\n {\"stsc\", 2},\n {\"stsz\", 2},\n {\"stts\", 2},\n {\"vmhd\", 2},\n\n {\"dref\", 3},\n {\"uuid\", 3},\n };\n\n const char sHandlerType[5][5] = {\"unk.\", \"soun\", \"vide\", \"hint\", \"meta\"};\n\n int c, err;\n\n ushort tL; // Atom length represented in 4 or 8 bytes\n char nmAtom[5]; // Atom name\n unsigned long long oAtom, szAtom; // 
Atom offset and Atom size\n unsigned long long oAtomContent,\n szAtomContent; // offset and size of Atom content\n unsigned long long lHdr;\n\n char UIID[16];\n uchar CMP1[36];\n char HandlerType[5], MediaFormatID[5];\n uint32_t relpos_inDir, relpos_inBox;\n unsigned szItem, Tag, lTag;\n ushort tItem;\n\n nmAtom[0] = MediaFormatID[0] = nmAtom[4] = MediaFormatID[4] = '\\0';\n strcpy(HandlerType, sHandlerType[0]);\n oAtom = oAtomList;\n nesting++;\n if (nesting > 31)\n return -14; // too deep nesting\n short s_order = order;\n\n while ((oAtom + 8ULL) <= (oAtomList + szAtomList))\n {\n lHdr = 0ULL;\n err = 0;\n order = 0x4d4d;\n fseek(ifp, oAtom, SEEK_SET);\n szAtom = get4();\n FORC4 nmAtom[c] = AtomNameStack[nesting * 4 + c] = fgetc(ifp);\n AtomNameStack[(nesting + 1) * 4] = '\\0';\n tL = 4;\n AtomType = 0;\n\n for (c = 0; c < int(sizeof AtomNamesList / sizeof *AtomNamesList); c++)\n if (!strcmp(nmAtom, AtomNamesList[c].AtomName))\n {\n AtomType = AtomNamesList[c].AtomType;\n break;\n }\n\n if (!AtomType)\n {\n err = 1;\n }\n\n if (szAtom == 0ULL)\n {\n if (nesting != 0)\n {\n err = -2;\n goto fin;\n }\n szAtom = szAtomList - oAtom;\n oAtomContent = oAtom + 8ULL;\n szAtomContent = szAtom - 8ULL;\n }\n else if (szAtom == 1ULL)\n {\n if ((oAtom + 16ULL) > (oAtomList + szAtomList))\n {\n err = -3;\n goto fin;\n }\n tL = 8;\n szAtom = (((unsigned long long)get4()) << 32) | get4();\n oAtomContent = oAtom + 16ULL;\n szAtomContent = szAtom - 16ULL;\n }\n else\n {\n oAtomContent = oAtom + 8ULL;\n szAtomContent = szAtom - 8ULL;\n }\n\n if (!strcmp(nmAtom, \"trak\"))\n {\n nTrack++;\n TrackType = 0;\n if (nTrack >= LIBRAW_CRXTRACKS_MAXCOUNT)\n break;\n }\n if (!strcmp(AtomNameStack, \"moovuuid\"))\n {\n lHdr = 16ULL;\n fread(UIID, 1, lHdr, ifp);\n if (!strncmp(UIID, UIID_Canon, lHdr))\n {\n AtomType = 1;\n }\n else\n fseek(ifp, -lHdr, SEEK_CUR);\n }\n else if (!strcmp(AtomNameStack, \"moovuuidCCTP\"))\n {\n lHdr = 12ULL;\n }\n else if (!strcmp(AtomNameStack, 
\"moovuuidCMT1\"))\n {\n short q_order = order;\n order = get2();\n if ((tL != 4) || bad_hdr)\n {\n err = -4;\n goto fin;\n }\n parse_tiff_ifd(oAtomContent);\n order = q_order;\n }\n else if (!strcmp(AtomNameStack, \"moovuuidCMT2\"))\n {\n short q_order = order;\n order = get2();\n if ((tL != 4) || bad_hdr)\n {\n err = -5;\n goto fin;\n }\n parse_exif(oAtomContent);\n order = q_order;\n }\n else if (!strcmp(AtomNameStack, \"moovuuidCMT3\"))\n {\n short q_order = order;\n order = get2();\n if ((tL != 4) || bad_hdr)\n {\n err = -6;\n goto fin;\n }\n fseek(ifp, -12L, SEEK_CUR);\n parse_makernote(oAtomContent, 0);\n order = q_order;\n }\n else if (!strcmp(AtomNameStack, \"moovuuidCMT4\"))\n {\n short q_order = order;\n order = get2();\n if ((tL != 4) || bad_hdr)\n {\n err = -6;\n goto fin;\n }\n INT64 off = ftell(ifp);\n parse_gps(oAtomContent);\n fseek(ifp, off, SEEK_SET);\n parse_gps_libraw(oAtomContent);\n order = q_order;\n }\n else if (!strcmp(AtomNameStack, \"moovtrakmdiahdlr\"))\n {\n fseek(ifp, 8L, SEEK_CUR);\n FORC4 HandlerType[c] = fgetc(ifp);\n for (c = 1; c < int(sizeof sHandlerType / sizeof *sHandlerType); c++)\n if (!strcmp(HandlerType, sHandlerType[c]))\n {\n TrackType = c;\n break;\n }\n }\n else if (!strcmp(AtomNameStack, \"moovtrakmdiaminfstblstsd\"))\n {\n if (szAtomContent >= 16)\n {\n fseek(ifp, 12L, SEEK_CUR);\n lHdr = 8;\n }\n else\n {\n err = -7;\n goto fin;\n }\n FORC4 MediaFormatID[c] = fgetc(ifp);\n if ((TrackType == 2) && (!strcmp(MediaFormatID, \"CRAW\")))\n {\n if (szAtomContent >= 44)\n fseek(ifp, 24L, SEEK_CUR);\n else\n {\n err = -8;\n goto fin;\n }\n }\n else\n {\n AtomType = 2; // only continue for CRAW\n lHdr = 0;\n }\n#define current_track libraw_internal_data.unpacker_data.crx_header[nTrack]\n\n /*ImageWidth =*/ get2();\n /*ImageHeight =*/ get2();\n }\n else if (!strcmp(AtomNameStack, \"moovtrakmdiaminfstblstsdCRAW\"))\n {\n lHdr = 82;\n }\n else if (!strcmp(AtomNameStack, \"moovtrakmdiaminfstblstsdCRAWCMP1\"))\n {\n if 
(szAtomContent >= 40)\n fread(CMP1, 1, 36, ifp);\n else\n {\n err = -7;\n goto fin;\n }\n if (!crxParseImageHeader(CMP1, nTrack))\n current_track.MediaType = 1;\n }\n else if (!strcmp(AtomNameStack, \"moovtrakmdiaminfstblstsdCRAWJPEG\"))\n {\n current_track.MediaType = 2;\n }\n else if (!strcmp(AtomNameStack, \"moovtrakmdiaminfstblstsz\"))\n {\n if (szAtomContent == 12)\n fseek(ifp, 4L, SEEK_CUR);\n else if (szAtomContent == 16)\n fseek(ifp, 12L, SEEK_CUR);\n else\n {\n err = -9;\n goto fin;\n }\n current_track.MediaSize = get4();\n }\n else if (!strcmp(AtomNameStack, \"moovtrakmdiaminfstblco64\"))\n {\n if (szAtomContent == 16)\n fseek(ifp, 8L, SEEK_CUR);\n else\n {\n err = -10;\n goto fin;\n }\n current_track.MediaOffset = (((unsigned long long)get4()) << 32) | get4();\n }\n\n if (nTrack >= 0 && nTrack < LIBRAW_CRXTRACKS_MAXCOUNT &&\n current_track.MediaSize && current_track.MediaOffset &&\n ((oAtom + szAtom) >= (oAtomList + szAtomList)) &&\n !strncmp(AtomNameStack, \"moovtrakmdiaminfstbl\", 20))\n {\n if ((TrackType == 4) && (!strcmp(MediaFormatID, \"CTMD\")))\n {\n order = 0x4949;\n relpos_inDir = 0L;\n while (relpos_inDir + 6 < current_track.MediaSize)\n {\n fseek(ifp, current_track.MediaOffset + relpos_inDir, SEEK_SET);\n szItem = get4();\n tItem = get2();\n if ((relpos_inDir + szItem) > current_track.MediaSize)\n {\n err = -11;\n goto fin;\n }\n if ((tItem == 7) || (tItem == 8) || (tItem == 9))\n {\n relpos_inBox = relpos_inDir + 12L;\n while (relpos_inBox + 8 < relpos_inDir + szItem)\n {\n fseek(ifp, current_track.MediaOffset + relpos_inBox, SEEK_SET);\n lTag = get4();\n Tag = get4();\n if (lTag < 8)\n {\n err = -12;\n goto fin;\n }\n else if ((relpos_inBox + lTag) > (relpos_inDir + szItem))\n {\n err = -11;\n goto fin;\n }\n if ((Tag == 0x927c) && ((tItem == 7) || (tItem == 8)))\n {\n fseek(ifp, current_track.MediaOffset + relpos_inBox + 8L,\n SEEK_SET);\n short q_order = order;\n order = get2();\n if (bad_hdr)\n {\n err = -13;\n goto fin;\n }\n fseek(ifp, 
-8L, SEEK_CUR);\n libraw_internal_data.unpacker_data.CR3_CTMDtag = 1;\n parse_makernote(current_track.MediaOffset + relpos_inBox + 8,\n 0);\n libraw_internal_data.unpacker_data.CR3_CTMDtag = 0;\n order = q_order;\n }\n relpos_inBox += lTag;\n }\n }\n relpos_inDir += szItem;\n }\n order = 0x4d4d;\n }\n }\n#undef current_track\n if (AtomType == 1)\n {\n err = parseCR3(oAtomContent + lHdr, szAtomContent - lHdr, nesting,\n AtomNameStack, nTrack, TrackType);\n if (err)\n goto fin;\n }\n oAtom += szAtom;\n }\n\nfin:\n nesting--;\n if (nesting >= 0)\n AtomNameStack[nesting * 4] = '\\0';\n order = s_order;\n return err;\n}", "project": "LibRaw", "hash": 114141989721156435786927961308148704312, "size": 429, "commit_id": "55f0a0c08974b8b79ebfa7762b555a1704b25fb2", "message": "possible buffer underrun in exif parser", "target": 0, "dataset": "other", "idx": 395529 }, { "func": "int input_register_handler(struct input_handler *handler)\n{\n\tstruct input_dev *dev;\n\tint error;\n\n\terror = mutex_lock_interruptible(&input_mutex);\n\tif (error)\n\t\treturn error;\n\n\tINIT_LIST_HEAD(&handler->h_list);\n\n\tlist_add_tail(&handler->node, &input_handler_list);\n\n\tlist_for_each_entry(dev, &input_dev_list, node)\n\t\tinput_attach_handler(dev, handler);\n\n\tinput_wakeup_procfs_readers();\n\n\tmutex_unlock(&input_mutex);\n\treturn 0;\n}", "project": "linux", "hash": 107897113445627679704405175167258759648, "size": 21, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353372 }, { "func": "void CAuthBase::Invalidate() { m_pSock = nullptr; }", "project": "znc", "hash": 84439504650646726954536097151089903877, "size": 1, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231541 }, { "func": "void CWebAuth::Invalidate() {\n CAuthBase::Invalidate();\n m_pWebSock = nullptr;\n}", "project": "znc", "hash": 225221362934257848815590937767922670607, "size": 4, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265771 }, { "func": "static int clip_1d(int *x0, int *y0, int *x1, int *y1, int maxdim) {\n\tdouble m; /* gradient of line */\n\n\tif (*x0 < 0) { /* start of line is left of window */\n\t\tif(*x1 < 0) { /* as is the end, so the line never cuts the window */\n\t\t\treturn 0;\n\t\t}\n\t\tm = (*y1 - *y0)/(double)(*x1 - *x0); /* calculate the slope of the line */\n\t\t/* adjust x0 to be on the left boundary (ie to be zero), and y0 to match */\n\t\t*y0 -= (int)(m * *x0);\n\t\t*x0 = 0;\n\t\t/* now, perhaps, adjust the far end of the line as well */\n\t\tif (*x1 > maxdim) {\n\t\t\t*y1 += (int)(m * (maxdim - *x1));\n\t\t\t*x1 = maxdim;\n\t\t}\n\t\treturn 1;\n\t}\n\tif (*x0 > maxdim) { /* start of line is right of window - complement of above */\n\t\tif (*x1 > maxdim) { /* as is the end, so the line misses the window */\n\t\t\treturn 0;\n\t\t}\n\t\tm = (*y1 - *y0)/(double)(*x1 - *x0); /* calculate the slope of the 
line */\n\t\t*y0 += (int)(m * (maxdim - *x0)); /* adjust so point is on the right boundary */\n\t\t*x0 = maxdim;\n\t\t/* now, perhaps, adjust the end of the line */\n\t\tif (*x1 < 0) {\n\t\t\t*y1 -= (int)(m * *x1);\n\t\t\t*x1 = 0;\n\t\t}\n\t\treturn 1;\n\t}\n\t/* the final case - the start of the line is inside the window */\n\tif (*x1 > maxdim) { /* other end is outside to the right */\n\t\tm = (*y1 - *y0)/(double)(*x1 - *x0); /* calculate the slope of the line */\n\t\t*y1 += (int)(m * (maxdim - *x1));\n\t\t*x1 = maxdim;\n\t\treturn 1;\n\t}\n\tif (*x1 < 0) { /* other end is outside to the left */\n\t\tm = (*y1 - *y0)/(double)(*x1 - *x0); /* calculate the slope of the line */\n\t\t*y1 -= (int)(m * *x1);\n\t\t*x1 = 0;\n\t\treturn 1;\n\t}\n\t/* only get here if both points are inside the window */\n\treturn 1;\n}", "project": "php-src", "hash": 74961734171754543856381964732648384802, "size": 48, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295169 }, { "func": "static void clear_tfile_check_list(void)\n{\n\tstruct file *file;\n\n\t/* first clear the tfile_check_list */\n\twhile (!list_empty(&tfile_check_list)) {\n\t\tfile = list_first_entry(&tfile_check_list, struct file,\n\t\t\t\t\tf_tfile_llink);\n\t\tlist_del_init(&file->f_tfile_llink);\n\t\tfput(file);\n\t}\n\tINIT_LIST_HEAD(&tfile_check_list);\n}", "project": "linux", "hash": 31801002484241720950679084770364177525, "size": 13, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336253 }, { "func": "static void svm_sync_dirty_debug_regs(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tget_debugreg(vcpu->arch.db[0], 0);\n\tget_debugreg(vcpu->arch.db[1], 1);\n\tget_debugreg(vcpu->arch.db[2], 
2);\n\tget_debugreg(vcpu->arch.db[3], 3);\n\tvcpu->arch.dr6 = svm_get_dr6(vcpu);\n\tvcpu->arch.dr7 = svm->vmcb->save.dr7;\n\n\tvcpu->arch.switch_db_regs &= ~KVM_DEBUGREG_WONT_EXIT;\n\tset_dr_intercepts(svm);\n}", "project": "linux", "hash": 109677315436137774483812442155585858798, "size": 14, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432462 }, { "func": "__unwind_incomplete_requests(struct intel_engine_cs *engine)\n{\n\tstruct i915_request *rq, *rn, *active = NULL;\n\tstruct list_head *uninitialized_var(pl);\n\tint prio = I915_PRIORITY_INVALID;\n\n\tlockdep_assert_held(&engine->active.lock);\n\n\tlist_for_each_entry_safe_reverse(rq, rn,\n\t\t\t\t\t &engine->active.requests,\n\t\t\t\t\t sched.link) {\n\t\tif (i915_request_completed(rq))\n\t\t\tcontinue; /* XXX */\n\n\t\t__i915_request_unsubmit(rq);\n\n\t\t/*\n\t\t * Push the request back into the queue for later resubmission.\n\t\t * If this request is not native to this physical engine (i.e.\n\t\t * it came from a virtual source), push it back onto the virtual\n\t\t * engine so that it can be moved across onto another physical\n\t\t * engine as load dictates.\n\t\t */\n\t\tif (likely(rq->execution_mask == engine->mask)) {\n\t\t\tGEM_BUG_ON(rq_prio(rq) == I915_PRIORITY_INVALID);\n\t\t\tif (rq_prio(rq) != prio) {\n\t\t\t\tprio = rq_prio(rq);\n\t\t\t\tpl = i915_sched_lookup_priolist(engine, prio);\n\t\t\t}\n\t\t\tGEM_BUG_ON(RB_EMPTY_ROOT(&engine->execlists.queue.rb_root));\n\n\t\t\tlist_move(&rq->sched.link, pl);\n\t\t\tactive = rq;\n\t\t} else {\n\t\t\tstruct intel_engine_cs *owner = 
rq->hw_context->engine;\n\n\t\t\t/*\n\t\t\t * Decouple the virtual breadcrumb before moving it\n\t\t\t * back to the virtual engine -- we don't want the\n\t\t\t * request to complete in the background and try\n\t\t\t * and cancel the breadcrumb on the virtual engine\n\t\t\t * (instead of the old engine where it is linked)!\n\t\t\t */\n\t\t\tif (test_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT,\n\t\t\t\t &rq->fence.flags)) {\n\t\t\t\tspin_lock_nested(&rq->lock,\n\t\t\t\t\t\t SINGLE_DEPTH_NESTING);\n\t\t\t\ti915_request_cancel_breadcrumb(rq);\n\t\t\t\tspin_unlock(&rq->lock);\n\t\t\t}\n\t\t\trq->engine = owner;\n\t\t\towner->submit_request(rq);\n\t\t\tactive = NULL;\n\t\t}\n\t}\n\n\treturn active;\n}", "project": "linux", "hash": 110478470784796196405806227143621442420, "size": 58, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281528 }, { "func": "static int _clua_require(lua_State *ls)\n{\n const char *file = luaL_checkstring(ls, 1);\n if (!file)\n return 0;\n\n CLua &vm(CLua::get_vm(ls));\n if (vm.execfile(file, false, false) != 0)\n luaL_error(ls, vm.error.c_str());\n\n lua_pushboolean(ls, true);\n return 1;\n}", "project": "crawl", "hash": 213073019276384534500767057536416766543, "size": 13, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230517 }, { "func": "static void fuse_force_forget(struct file *file, u64 nodeid)\n{\n\tstruct inode *inode = file_inode(file);\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tstruct fuse_forget_in inarg;\n\tFUSE_ARGS(args);\n\n\tmemset(&inarg, 0, sizeof(inarg));\n\tinarg.nlookup = 1;\n\targs.opcode = FUSE_FORGET;\n\targs.nodeid = nodeid;\n\targs.in_numargs = 1;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\targs.force = true;\n\targs.noreply = true;\n\n\tfuse_simple_request(fm, &args);\n\t/* ignore errors */\n}", "project": "linux", "hash": 302831086089291198305003615952453119993, "size": 20, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342140 }, { "func": "static void close_state (lua_State *L) {\n global_State *g = G(L);\n luaF_close(L, L->stack, CLOSEPROTECT); /* close all upvalues */\n luaC_freeallobjects(L); /* collect all objects */\n if (ttisnil(&g->nilvalue)) /* closing a fully built state? */\n luai_userstateclose(L);\n luaM_freearray(L, G(L)->strt.hash, G(L)->strt.size);\n freestack(L);\n lua_assert(gettotalbytes(g) == sizeof(LG));\n (*g->frealloc)(g->ud, fromstate(L), sizeof(LG), 0); /* free main block */\n}", "project": "lua", "hash": 31744785954947534280792621328718587045, "size": 11, "commit_id": "a2195644d89812e5b157ce7bac35543e06db05e3", "message": "Fixed bug: invalid 'oldpc' when returning to a function\n\nThe field 'L->oldpc' is not always updated when control returns to a\nfunction; an invalid value can seg. fault when computing 'changedline'.\n(One example is an error in a finalizer; control can return to\n'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to\nfix all possible corner cases, it seems safer to be resilient to invalid\nvalues for 'oldpc'. 
Valid but wrong values at most cause an extra call\nto a line hook.", "target": 0, "dataset": "other", "idx": 462774 }, { "func": "int test_if_item_cache_changed(List &list)\n{\n DBUG_ENTER(\"test_if_item_cache_changed\");\n List_iterator li(list);\n int idx= -1,i;\n Cached_item *buff;\n\n for (i=(int) list.elements-1 ; (buff=li++) ; i--)\n {\n if (buff->cmp())\n idx=i;\n }\n DBUG_PRINT(\"info\", (\"idx: %d\", idx));\n DBUG_RETURN(idx);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 233816619905821300940670047102280473842, "size": 15, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508657 }, { "func": "static OPJ_BOOL opj_j2k_decode_one_tile(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n OPJ_BOOL l_go_on = OPJ_TRUE;\n OPJ_UINT32 l_current_tile_no;\n OPJ_UINT32 l_tile_no_to_dec;\n OPJ_INT32 l_tile_x0, l_tile_y0, l_tile_x1, l_tile_y1;\n OPJ_UINT32 l_nb_comps;\n OPJ_UINT32 l_nb_tiles;\n OPJ_UINT32 i;\n\n /*Allocate and initialize some elements of codestrem index if not already done*/\n if (!p_j2k->cstr_index->tile_index) {\n if (!opj_j2k_allocate_tile_element_cstr_index(p_j2k)) {\n return OPJ_FALSE;\n }\n }\n /* Move into the codestream to the first SOT used to decode the desired tile */\n l_tile_no_to_dec = (OPJ_UINT32)\n p_j2k->m_specific_param.m_decoder.m_tile_ind_to_dec;\n if (p_j2k->cstr_index->tile_index)\n if (p_j2k->cstr_index->tile_index->tp_index) {\n if (! p_j2k->cstr_index->tile_index[l_tile_no_to_dec].nb_tps) {\n /* the index for this tile has not been built,\n * so move to the last SOT read */\n if (!(opj_stream_read_seek(p_stream,\n p_j2k->m_specific_param.m_decoder.m_last_sot_read_pos + 2, p_manager))) {\n opj_event_msg(p_manager, EVT_ERROR, \"Problem with seek function\\n\");\n return OPJ_FALSE;\n }\n } else {\n if (!(opj_stream_read_seek(p_stream,\n p_j2k->cstr_index->tile_index[l_tile_no_to_dec].tp_index[0].start_pos + 2,\n p_manager))) {\n opj_event_msg(p_manager, EVT_ERROR, \"Problem with seek function\\n\");\n return OPJ_FALSE;\n }\n }\n /* Special case if we have previously read the EOC marker (if the previous tile getted is the last ) */\n if (p_j2k->m_specific_param.m_decoder.m_state == J2K_STATE_EOC) {\n p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_TPHSOT;\n }\n }\n\n /* Reset current tile part number for all tiles, and not only the one */\n /* of interest. 
*/\n /* Not completely sure this is always correct but required for */\n /* ./build/bin/j2k_random_tile_access ./build/tests/tte1.j2k */\n l_nb_tiles = p_j2k->m_cp.tw * p_j2k->m_cp.th;\n for (i = 0; i < l_nb_tiles; ++i) {\n p_j2k->m_cp.tcps[i].m_current_tile_part_number = -1;\n }\n\n for (;;) {\n if (! opj_j2k_read_tile_header(p_j2k,\n &l_current_tile_no,\n NULL,\n &l_tile_x0, &l_tile_y0,\n &l_tile_x1, &l_tile_y1,\n &l_nb_comps,\n &l_go_on,\n p_stream,\n p_manager)) {\n return OPJ_FALSE;\n }\n\n if (! l_go_on) {\n break;\n }\n\n if (! opj_j2k_decode_tile(p_j2k, l_current_tile_no, NULL, 0,\n p_stream, p_manager)) {\n return OPJ_FALSE;\n }\n opj_event_msg(p_manager, EVT_INFO, \"Tile %d/%d has been decoded.\\n\",\n l_current_tile_no + 1, p_j2k->m_cp.th * p_j2k->m_cp.tw);\n\n if (! opj_j2k_update_image_data(p_j2k->m_tcd,\n p_j2k->m_output_image)) {\n return OPJ_FALSE;\n }\n opj_j2k_tcp_data_destroy(&p_j2k->m_cp.tcps[l_current_tile_no]);\n\n opj_event_msg(p_manager, EVT_INFO,\n \"Image data has been updated with tile %d.\\n\\n\", l_current_tile_no + 1);\n\n if (l_current_tile_no == l_tile_no_to_dec) {\n /* move into the codestream to the first SOT (FIXME or not move?)*/\n if (!(opj_stream_read_seek(p_stream, p_j2k->cstr_index->main_head_end + 2,\n p_manager))) {\n opj_event_msg(p_manager, EVT_ERROR, \"Problem with seek function\\n\");\n return OPJ_FALSE;\n }\n break;\n } else {\n opj_event_msg(p_manager, EVT_WARNING,\n \"Tile read, decoded and updated is not the desired one (%d vs %d).\\n\",\n l_current_tile_no + 1, l_tile_no_to_dec + 1);\n }\n\n }\n\n if (! 
opj_j2k_are_all_used_components_decoded(p_j2k, p_manager)) {\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 325840820996135354648841046388134750790, "size": 109, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357398 }, { "func": "ProtocolV1::~ProtocolV1() {\n ceph_assert(out_q.empty());\n ceph_assert(sent.empty());\n\n delete[] temp_buffer;\n}", "project": "ceph", "hash": 131729348716463037361896603399177151431, "size": 6, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": "msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f (\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 0, "dataset": "other", "idx": 356887 }, { "func": "static int kvm_s390_set_mem_control(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tint ret;\n\tunsigned int idx;\n\tswitch (attr->attr) {\n\tcase KVM_S390_VM_MEM_ENABLE_CMMA:\n\t\tret = -ENXIO;\n\t\tif (!sclp.has_cmma)\n\t\t\tbreak;\n\n\t\tVM_EVENT(kvm, 3, \"%s\", 
\"ENABLE: CMMA support\");\n\t\tmutex_lock(&kvm->lock);\n\t\tif (kvm->created_vcpus)\n\t\t\tret = -EBUSY;\n\t\telse if (kvm->mm->context.allow_gmap_hpage_1m)\n\t\t\tret = -EINVAL;\n\t\telse {\n\t\t\tkvm->arch.use_cmma = 1;\n\t\t\t/* Not compatible with cmma. */\n\t\t\tkvm->arch.use_pfmfi = 0;\n\t\t\tret = 0;\n\t\t}\n\t\tmutex_unlock(&kvm->lock);\n\t\tbreak;\n\tcase KVM_S390_VM_MEM_CLR_CMMA:\n\t\tret = -ENXIO;\n\t\tif (!sclp.has_cmma)\n\t\t\tbreak;\n\t\tret = -EINVAL;\n\t\tif (!kvm->arch.use_cmma)\n\t\t\tbreak;\n\n\t\tVM_EVENT(kvm, 3, \"%s\", \"RESET: CMMA states\");\n\t\tmutex_lock(&kvm->lock);\n\t\tidx = srcu_read_lock(&kvm->srcu);\n\t\ts390_reset_cmma(kvm->arch.gmap->mm);\n\t\tsrcu_read_unlock(&kvm->srcu, idx);\n\t\tmutex_unlock(&kvm->lock);\n\t\tret = 0;\n\t\tbreak;\n\tcase KVM_S390_VM_MEM_LIMIT_SIZE: {\n\t\tunsigned long new_limit;\n\n\t\tif (kvm_is_ucontrol(kvm))\n\t\t\treturn -EINVAL;\n\n\t\tif (get_user(new_limit, (u64 __user *)attr->addr))\n\t\t\treturn -EFAULT;\n\n\t\tif (kvm->arch.mem_limit != KVM_S390_NO_MEM_LIMIT &&\n\t\t new_limit > kvm->arch.mem_limit)\n\t\t\treturn -E2BIG;\n\n\t\tif (!new_limit)\n\t\t\treturn -EINVAL;\n\n\t\t/* gmap_create takes last usable address */\n\t\tif (new_limit != KVM_S390_NO_MEM_LIMIT)\n\t\t\tnew_limit -= 1;\n\n\t\tret = -EBUSY;\n\t\tmutex_lock(&kvm->lock);\n\t\tif (!kvm->created_vcpus) {\n\t\t\t/* gmap_create will round the limit up */\n\t\t\tstruct gmap *new = gmap_create(current->mm, new_limit);\n\n\t\t\tif (!new) {\n\t\t\t\tret = -ENOMEM;\n\t\t\t} else {\n\t\t\t\tgmap_remove(kvm->arch.gmap);\n\t\t\t\tnew->private = kvm;\n\t\t\t\tkvm->arch.gmap = new;\n\t\t\t\tret = 0;\n\t\t\t}\n\t\t}\n\t\tmutex_unlock(&kvm->lock);\n\t\tVM_EVENT(kvm, 3, \"SET: max guest address: %lu\", new_limit);\n\t\tVM_EVENT(kvm, 3, \"New guest asce: 0x%pK\",\n\t\t\t (void *) kvm->arch.gmap->asce);\n\t\tbreak;\n\t}\n\tdefault:\n\t\tret = -ENXIO;\n\t\tbreak;\n\t}\n\treturn ret;\n}", "project": "linux", "hash": 98228342080396028341020239981166209724, 
"size": 87, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354612 }, { "func": "static int mt_compute_timestamp(struct mt_application *app, __s32 value)\n{\n\tlong delta = value - app->prev_scantime;\n\tunsigned long jdelta = jiffies_to_usecs(jiffies - app->jiffies);\n\n\tapp->jiffies = jiffies;\n\n\tif (delta < 0)\n\t\tdelta += app->scantime_logical_max;\n\n\t/* HID_DG_SCANTIME is expressed in 100us, we want it in us. */\n\tdelta *= 100;\n\n\tif (jdelta > MAX_TIMESTAMP_INTERVAL)\n\t\t/* No data received for a while, resync the timestamp. 
*/\n\t\treturn 0;\n\telse\n\t\treturn app->timestamp + delta;\n}", "project": "linux", "hash": 7118374600416928055038108192014935529, "size": 19, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458390 }, { "func": "static int ca8210_async_xmit_complete(\n\tstruct ieee802154_hw *hw,\n\tu8 msduhandle,\n\tu8 status)\n{\n\tstruct ca8210_priv *priv = hw->priv;\n\n\tif (priv->nextmsduhandle != msduhandle) {\n\t\tdev_err(\n\t\t\t&priv->spi->dev,\n\t\t\t\"Unexpected msdu_handle on data confirm, Expected %d, got %d\\n\",\n\t\t\tpriv->nextmsduhandle,\n\t\t\tmsduhandle\n\t\t);\n\t\treturn -EIO;\n\t}\n\n\tpriv->async_tx_pending = false;\n\tpriv->nextmsduhandle++;\n\n\tif (status) {\n\t\tdev_err(\n\t\t\t&priv->spi->dev,\n\t\t\t\"Link transmission unsuccessful, status = %d\\n\",\n\t\t\tstatus\n\t\t);\n\t\tif (status != MAC_TRANSACTION_OVERFLOW) {\n\t\t\tieee802154_wake_queue(priv->hw);\n\t\t\treturn 0;\n\t\t}\n\t}\n\tieee802154_xmit_complete(priv->hw, priv->tx_skb, true);\n\n\treturn 0;\n}", "project": "linux", "hash": 166412289078687458364507570767945508543, "size": 35, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", 
"message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408794 }, { "func": "void kvm_release_pfn_clean(kvm_pfn_t pfn)\n{\n\tif (!is_error_noslot_pfn(pfn) && !kvm_is_reserved_pfn(pfn))\n\t\tput_page(pfn_to_page(pfn));\n}", "project": "linux", "hash": 302065406333775857192253427106906769742, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354421 }, { "func": "long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,\n\t\tu32 __user *uaddr2, u32 val2, u32 val3)\n{\n\tint clockrt, ret = -ENOSYS;\n\tint cmd = op & FUTEX_CMD_MASK;\n\tint fshared = 0;\n\n\tif (!(op & FUTEX_PRIVATE_FLAG))\n\t\tfshared = 1;\n\n\tclockrt = op & FUTEX_CLOCK_REALTIME;\n\tif (clockrt && cmd != FUTEX_WAIT_BITSET && cmd != FUTEX_WAIT_REQUEUE_PI)\n\t\treturn -ENOSYS;\n\n\tswitch (cmd) {\n\tcase FUTEX_WAIT:\n\t\tval3 = FUTEX_BITSET_MATCH_ANY;\n\tcase FUTEX_WAIT_BITSET:\n\t\tret = futex_wait(uaddr, fshared, val, timeout, 
val3, clockrt);\n\t\tbreak;\n\tcase FUTEX_WAKE:\n\t\tval3 = FUTEX_BITSET_MATCH_ANY;\n\tcase FUTEX_WAKE_BITSET:\n\t\tret = futex_wake(uaddr, fshared, val, val3);\n\t\tbreak;\n\tcase FUTEX_REQUEUE:\n\t\tret = futex_requeue(uaddr, fshared, uaddr2, val, val2, NULL, 0);\n\t\tbreak;\n\tcase FUTEX_CMP_REQUEUE:\n\t\tret = futex_requeue(uaddr, fshared, uaddr2, val, val2, &val3,\n\t\t\t\t 0);\n\t\tbreak;\n\tcase FUTEX_WAKE_OP:\n\t\tret = futex_wake_op(uaddr, fshared, uaddr2, val, val2, val3);\n\t\tbreak;\n\tcase FUTEX_LOCK_PI:\n\t\tif (futex_cmpxchg_enabled)\n\t\t\tret = futex_lock_pi(uaddr, fshared, val, timeout, 0);\n\t\tbreak;\n\tcase FUTEX_UNLOCK_PI:\n\t\tif (futex_cmpxchg_enabled)\n\t\t\tret = futex_unlock_pi(uaddr, fshared);\n\t\tbreak;\n\tcase FUTEX_TRYLOCK_PI:\n\t\tif (futex_cmpxchg_enabled)\n\t\t\tret = futex_lock_pi(uaddr, fshared, 0, timeout, 1);\n\t\tbreak;\n\tcase FUTEX_WAIT_REQUEUE_PI:\n\t\tval3 = FUTEX_BITSET_MATCH_ANY;\n\t\tret = futex_wait_requeue_pi(uaddr, fshared, val, timeout, val3,\n\t\t\t\t\t clockrt, uaddr2);\n\t\tbreak;\n\tcase FUTEX_CMP_REQUEUE_PI:\n\t\tret = futex_requeue(uaddr, fshared, uaddr2, val, val2, &val3,\n\t\t\t\t 1);\n\t\tbreak;\n\tdefault:\n\t\tret = -ENOSYS;\n\t}\n\treturn ret;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 203083762774035821566656214173713233374, "size": 61, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. 
glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492292 }, { "func": "static void tcp_fastretrans_alert(struct sock *sk, int pkts_acked,\n\t\t\t\t int newly_acked_sacked, bool is_dupack,\n\t\t\t\t int flag)\n{\n\tstruct inet_connection_sock *icsk = inet_csk(sk);\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tint do_lost = is_dupack || ((flag & FLAG_DATA_SACKED) &&\n\t\t\t\t (tcp_fackets_out(tp) > tp->reordering));\n\tint fast_rexmit = 0, mib_idx;\n\n\tif (WARN_ON(!tp->packets_out && tp->sacked_out))\n\t\ttp->sacked_out = 0;\n\tif (WARN_ON(!tp->sacked_out && tp->fackets_out))\n\t\ttp->fackets_out = 0;\n\n\t/* Now state machine starts.\n\t * A. ECE, hence prohibit cwnd undoing, the reduction is required. */\n\tif (flag & FLAG_ECE)\n\t\ttp->prior_ssthresh = 0;\n\n\t/* B. In all the states check for reneging SACKs. */\n\tif (tcp_check_sack_reneging(sk, flag))\n\t\treturn;\n\n\t/* C. Process data loss notification, provided it is valid. 
*/\n\tif (tcp_is_fack(tp) && (flag & FLAG_DATA_LOST) &&\n\t before(tp->snd_una, tp->high_seq) &&\n\t icsk->icsk_ca_state != TCP_CA_Open &&\n\t tp->fackets_out > tp->reordering) {\n\t\ttcp_mark_head_lost(sk, tp->fackets_out - tp->reordering, 0);\n\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPLOSS);\n\t}\n\n\t/* D. Check consistency of the current state. */\n\ttcp_verify_left_out(tp);\n\n\t/* E. Check state exit conditions. State can be terminated\n\t * when high_seq is ACKed. */\n\tif (icsk->icsk_ca_state == TCP_CA_Open) {\n\t\tWARN_ON(tp->retrans_out != 0);\n\t\ttp->retrans_stamp = 0;\n\t} else if (!before(tp->snd_una, tp->high_seq)) {\n\t\tswitch (icsk->icsk_ca_state) {\n\t\tcase TCP_CA_Loss:\n\t\t\ticsk->icsk_retransmits = 0;\n\t\t\tif (tcp_try_undo_recovery(sk))\n\t\t\t\treturn;\n\t\t\tbreak;\n\n\t\tcase TCP_CA_CWR:\n\t\t\t/* CWR is to be held something *above* high_seq\n\t\t\t * is ACKed for CWR bit to reach receiver. */\n\t\t\tif (tp->snd_una != tp->high_seq) {\n\t\t\t\ttcp_complete_cwr(sk);\n\t\t\t\ttcp_set_ca_state(sk, TCP_CA_Open);\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase TCP_CA_Recovery:\n\t\t\tif (tcp_is_reno(tp))\n\t\t\t\ttcp_reset_reno_sack(tp);\n\t\t\tif (tcp_try_undo_recovery(sk))\n\t\t\t\treturn;\n\t\t\ttcp_complete_cwr(sk);\n\t\t\tbreak;\n\t\t}\n\t}\n\n\t/* F. Process state. */\n\tswitch (icsk->icsk_ca_state) {\n\tcase TCP_CA_Recovery:\n\t\tif (!(flag & FLAG_SND_UNA_ADVANCED)) {\n\t\t\tif (tcp_is_reno(tp) && is_dupack)\n\t\t\t\ttcp_add_reno_sack(sk);\n\t\t} else\n\t\t\tdo_lost = tcp_try_undo_partial(sk, pkts_acked);\n\t\tbreak;\n\tcase TCP_CA_Loss:\n\t\tif (flag & FLAG_DATA_ACKED)\n\t\t\ticsk->icsk_retransmits = 0;\n\t\tif (tcp_is_reno(tp) && flag & FLAG_SND_UNA_ADVANCED)\n\t\t\ttcp_reset_reno_sack(tp);\n\t\tif (!tcp_try_undo_loss(sk)) {\n\t\t\ttcp_moderate_cwnd(tp);\n\t\t\ttcp_xmit_retransmit_queue(sk);\n\t\t\treturn;\n\t\t}\n\t\tif (icsk->icsk_ca_state != TCP_CA_Open)\n\t\t\treturn;\n\t\t/* Loss is undone; fall through to processing in Open state. 
*/\n\tdefault:\n\t\tif (tcp_is_reno(tp)) {\n\t\t\tif (flag & FLAG_SND_UNA_ADVANCED)\n\t\t\t\ttcp_reset_reno_sack(tp);\n\t\t\tif (is_dupack)\n\t\t\t\ttcp_add_reno_sack(sk);\n\t\t}\n\n\t\tif (icsk->icsk_ca_state <= TCP_CA_Disorder)\n\t\t\ttcp_try_undo_dsack(sk);\n\n\t\tif (!tcp_time_to_recover(sk)) {\n\t\t\ttcp_try_to_open(sk, flag);\n\t\t\treturn;\n\t\t}\n\n\t\t/* MTU probe failure: don't reduce cwnd */\n\t\tif (icsk->icsk_ca_state < TCP_CA_CWR &&\n\t\t icsk->icsk_mtup.probe_size &&\n\t\t tp->snd_una == tp->mtu_probe.probe_seq_start) {\n\t\t\ttcp_mtup_probe_failed(sk);\n\t\t\t/* Restores the reduction we did in tcp_mtup_probe() */\n\t\t\ttp->snd_cwnd++;\n\t\t\ttcp_simple_retransmit(sk);\n\t\t\treturn;\n\t\t}\n\n\t\t/* Otherwise enter Recovery state */\n\n\t\tif (tcp_is_reno(tp))\n\t\t\tmib_idx = LINUX_MIB_TCPRENORECOVERY;\n\t\telse\n\t\t\tmib_idx = LINUX_MIB_TCPSACKRECOVERY;\n\n\t\tNET_INC_STATS_BH(sock_net(sk), mib_idx);\n\n\t\ttp->high_seq = tp->snd_nxt;\n\t\ttp->prior_ssthresh = 0;\n\t\ttp->undo_marker = tp->snd_una;\n\t\ttp->undo_retrans = tp->retrans_out;\n\n\t\tif (icsk->icsk_ca_state < TCP_CA_CWR) {\n\t\t\tif (!(flag & FLAG_ECE))\n\t\t\t\ttp->prior_ssthresh = tcp_current_ssthresh(sk);\n\t\t\ttp->snd_ssthresh = icsk->icsk_ca_ops->ssthresh(sk);\n\t\t\tTCP_ECN_queue_cwr(tp);\n\t\t}\n\n\t\ttp->bytes_acked = 0;\n\t\ttp->snd_cwnd_cnt = 0;\n\t\ttp->prior_cwnd = tp->snd_cwnd;\n\t\ttp->prr_delivered = 0;\n\t\ttp->prr_out = 0;\n\t\ttcp_set_ca_state(sk, TCP_CA_Recovery);\n\t\tfast_rexmit = 1;\n\t}\n\n\tif (do_lost || (tcp_is_fack(tp) && tcp_head_timedout(sk)))\n\t\ttcp_update_scoreboard(sk, fast_rexmit);\n\ttp->prr_delivered += newly_acked_sacked;\n\ttcp_update_cwnd_in_recovery(sk, newly_acked_sacked, fast_rexmit, flag);\n\ttcp_xmit_retransmit_queue(sk);\n}", "project": "net-next", "hash": 175520690321617653216656316524886289980, "size": 153, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported 
that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409859 }, { "func": "static int interrupt_window_interception(struct vcpu_svm *svm)\n{\n\tkvm_make_request(KVM_REQ_EVENT, &svm->vcpu);\n\tsvm_clear_vintr(svm);\n\n\t/*\n\t * For AVIC, the only reason to end up here is ExtINTs.\n\t * In this case AVIC was temporarily disabled for\n\t * requesting the IRQ window and we have to re-enable it.\n\t */\n\tsvm_toggle_avic_for_irq_window(&svm->vcpu, true);\n\n\tsvm->vmcb->control.int_ctl &= ~V_IRQ_MASK;\n\tmark_dirty(svm->vmcb, VMCB_INTR);\n\t++svm->vcpu.stat.irq_window_exits;\n\treturn 1;\n}", "project": "linux", "hash": 226474964544317115795669001185259510150, "size": 17, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432437 }, { "func": "static int interrupt_window_interception(struct vcpu_svm *svm)\n{\n\tstruct kvm_run *kvm_run = svm->vcpu.run;\n\n\tkvm_make_request(KVM_REQ_EVENT, &svm->vcpu);\n\tsvm_clear_vintr(svm);\n\tsvm->vmcb->control.int_ctl &= ~V_IRQ_MASK;\n\tmark_dirty(svm->vmcb, VMCB_INTR);\n\t++svm->vcpu.stat.irq_window_exits;\n\t/*\n\t * If the user space waits to inject interrupts, exit as soon as\n\t * possible\n\t */\n\tif (!irqchip_in_kernel(svm->vcpu.kvm) &&\n\t kvm_run->request_interrupt_window &&\n\t !kvm_cpu_has_interrupt(&svm->vcpu)) {\n\t\tkvm_run->exit_reason = KVM_EXIT_IRQ_WINDOW_OPEN;\n\t\treturn 0;\n\t}\n\n\treturn 1;\n}", "project": "kvm", "hash": 279027682151772633958539113553650597098, "size": 22, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437575 }, { "func": "static void __kvm_unmap_gfn(struct kvm_memory_slot *memslot,\n\t\t\tstruct kvm_host_map *map,\n\t\t\tstruct gfn_to_pfn_cache *cache,\n\t\t\tbool dirty, bool atomic)\n{\n\tif (!map)\n\t\treturn;\n\n\tif (!map->hva)\n\t\treturn;\n\n\tif (map->page != KVM_UNMAPPED_PAGE) {\n\t\tif (atomic)\n\t\t\tkunmap_atomic(map->hva);\n\t\telse\n\t\t\tkunmap(map->page);\n\t}\n#ifdef CONFIG_HAS_IOMEM\n\telse if (!atomic)\n\t\tmemunmap(map->hva);\n\telse\n\t\tWARN_ONCE(1, \"Unexpected unmapping in atomic context\");\n#endif\n\n\tif (dirty)\n\t\tmark_page_dirty_in_slot(memslot, map->gfn);\n\n\tif (cache)\n\t\tcache->dirty |= dirty;\n\telse\n\t\tkvm_release_pfn(map->pfn, dirty, NULL);\n\n\tmap->hva = NULL;\n\tmap->page = NULL;\n}", "project": "linux", "hash": 
204967012792860691128997493891166758173, "size": 35, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354743 }, { "func": "static void __kvm_unmap_gfn(struct kvm *kvm,\n\t\t\tstruct kvm_memory_slot *memslot,\n\t\t\tstruct kvm_host_map *map,\n\t\t\tstruct gfn_to_pfn_cache *cache,\n\t\t\tbool dirty, bool atomic)\n{\n\tif (!map)\n\t\treturn;\n\n\tif (!map->hva)\n\t\treturn;\n\n\tif (map->page != KVM_UNMAPPED_PAGE) {\n\t\tif (atomic)\n\t\t\tkunmap_atomic(map->hva);\n\t\telse\n\t\t\tkunmap(map->page);\n\t}\n#ifdef CONFIG_HAS_IOMEM\n\telse if (!atomic)\n\t\tmemunmap(map->hva);\n\telse\n\t\tWARN_ONCE(1, \"Unexpected unmapping in atomic context\");\n#endif\n\n\tif (dirty)\n\t\tmark_page_dirty_in_slot(kvm, memslot, map->gfn);\n\n\tif (cache)\n\t\tcache->dirty |= dirty;\n\telse\n\t\tkvm_release_pfn(map->pfn, dirty, NULL);\n\n\tmap->hva = NULL;\n\tmap->page = NULL;\n}", "project": "linux", "hash": 136776961867613690154774245171931468492, "size": 36, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404105 }, { "func": "static int key_notify_sa_expire(struct xfrm_state *x, const struct km_event *c)\n{\n\tstruct sk_buff *out_skb;\n\tstruct sadb_msg *out_hdr;\n\tint hard;\n\tint hsc;\n\n\thard = c->data.hard;\n\tif (hard)\n\t\thsc = 2;\n\telse\n\t\thsc = 1;\n\n\tout_skb = pfkey_xfrm_state2msg_expire(x, hsc);\n\tif (IS_ERR(out_skb))\n\t\treturn PTR_ERR(out_skb);\n\n\tout_hdr = (struct sadb_msg *) out_skb->data;\n\tout_hdr->sadb_msg_version = PF_KEY_V2;\n\tout_hdr->sadb_msg_type = SADB_EXPIRE;\n\tout_hdr->sadb_msg_satype = pfkey_proto2satype(x->id.proto);\n\tout_hdr->sadb_msg_errno = 0;\n\tout_hdr->sadb_msg_reserved = 0;\n\tout_hdr->sadb_msg_seq = 0;\n\tout_hdr->sadb_msg_pid = 0;\n\n\tpfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,\n\t\t\txs_net(x));\n\treturn 0;\n}", "project": "linux", "hash": 233325603403109540936677550099685601949, "size": 30, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 
3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268085 }, { "func": "int prepare_binprm(struct linux_binprm *bprm)\n{\n\tint retval;\n\tloff_t pos = 0;\n\n\tbprm_fill_uid(bprm);\n\n\t/* fill in binprm security blob */\n\tretval = security_bprm_set_creds(bprm);\n\tif (retval)\n\t\treturn retval;\n\tbprm->called_set_creds = 1;\n\n\tmemset(bprm->buf, 0, BINPRM_BUF_SIZE);\n\treturn kernel_read(bprm->file, bprm->buf, BINPRM_BUF_SIZE, &pos);\n}", "project": "linux", "hash": 107136124464311361633226403703268219236, "size": 16, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. 
Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375193 }, { "func": "int prepare_binprm(struct linux_binprm *bprm)\n{\n\tumode_t mode;\n\tstruct inode * inode = bprm->file->f_path.dentry->d_inode;\n\tint retval;\n\n\tmode = inode->i_mode;\n\tif (bprm->file->f_op == NULL)\n\t\treturn -EACCES;\n\n\t/* clear any previous set[ug]id data from a previous binary */\n\tbprm->cred->euid = current_euid();\n\tbprm->cred->egid = current_egid();\n\n\tif (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&\n\t !current->no_new_privs) {\n\t\t/* Set-uid? */\n\t\tif (mode & S_ISUID) {\n\t\t\tif (!kuid_has_mapping(bprm->cred->user_ns, inode->i_uid))\n\t\t\t\treturn -EPERM;\n\t\t\tbprm->per_clear |= PER_CLEAR_ON_SETID;\n\t\t\tbprm->cred->euid = inode->i_uid;\n\n\t\t}\n\n\t\t/* Set-gid? 
*/\n\t\t/*\n\t\t * If setgid is set but no group execute bit then this\n\t\t * is a candidate for mandatory locking, not a setgid\n\t\t * executable.\n\t\t */\n\t\tif ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {\n\t\t\tif (!kgid_has_mapping(bprm->cred->user_ns, inode->i_gid))\n\t\t\t\treturn -EPERM;\n\t\t\tbprm->per_clear |= PER_CLEAR_ON_SETID;\n\t\t\tbprm->cred->egid = inode->i_gid;\n\t\t}\n\t}\n\n\t/* fill in binprm security blob */\n\tretval = security_bprm_set_creds(bprm);\n\tif (retval)\n\t\treturn retval;\n\tbprm->cred_prepared = 1;\n\n\tmemset(bprm->buf, 0, BINPRM_BUF_SIZE);\n\treturn kernel_read(bprm->file, 0, bprm->buf, BINPRM_BUF_SIZE);\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "d740269867021faf4ce38a449353d2b986c34a67", "hash": 158501706141746254035179061060309304298, "size": 48, "message": "exec: use -ELOOP for max recursion depth\n\nTo avoid an explosion of request_module calls on a chain of abusive\nscripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon\nas maximum recursion depth is hit, the error will fail all the way back\nup the chain, aborting immediately.\n\nThis also has the side-effect of stopping the user's shell from attempting\nto reexecute the top-level file as a shell script. As seen in the\ndash source:\n\n if (cmd != path_bshell && errno == ENOEXEC) {\n *argv-- = cmd;\n *argv = cmd = path_bshell;\n goto repeat;\n }\n\nThe above logic was designed for running scripts automatically that lacked\nthe \"#!\" header, not to re-try failed recursion. On a legitimate -ENOEXEC,\nthings continue to behave as the shell expects.\n\nAdditionally, when tracking recursion, the binfmt handlers should not be\ninvolved. 
The recursion being tracked is the depth of calls through\nsearch_binary_handler(), so that function should be exclusively responsible\nfor tracking the depth.\n\nSigned-off-by: Kees Cook \nCc: halfdog \nCc: P J P \nCc: Alexander Viro \nSigned-off-by: Andrew Morton \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 496254 }, { "func": " */\nstatic int bfq_min_budget(struct bfq_data *bfqd)\n{\n\tif (bfqd->budgets_assigned < bfq_stats_min_budgets)\n\t\treturn bfq_default_max_budget / 32;\n\telse\n\t\treturn bfqd->bfq_max_budget / 32;", "project": "linux", "hash": 157314396279746933335939502327604233492, "size": 7, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453355 }, { "func": "void __weak kvm_arch_pre_destroy_vm(struct kvm *kvm)\n{\n}", "project": "linux", "hash": 318367537038076905912746666126838370888, "size": 3, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": 
"other", "idx": 354753 }, { "func": "static int h264_decode_frame(AVCodecContext *avctx, void *data,\n int *got_frame, AVPacket *avpkt)\n{\n const uint8_t *buf = avpkt->data;\n int buf_size = avpkt->size;\n H264Context *h = avctx->priv_data;\n AVFrame *pict = data;\n int buf_index = 0;\n Picture *out;\n int i, out_idx;\n int ret;\n\n h->flags = avctx->flags;\n\n /* end of stream, output what is still in the buffers */\n if (buf_size == 0) {\n out:\n\n h->cur_pic_ptr = NULL;\n h->first_field = 0;\n\n // FIXME factorize this with the output code below\n out = h->delayed_pic[0];\n out_idx = 0;\n for (i = 1;\n h->delayed_pic[i] &&\n !h->delayed_pic[i]->f.key_frame &&\n !h->delayed_pic[i]->mmco_reset;\n i++)\n if (h->delayed_pic[i]->poc < out->poc) {\n out = h->delayed_pic[i];\n out_idx = i;\n }\n\n for (i = out_idx; h->delayed_pic[i]; i++)\n h->delayed_pic[i] = h->delayed_pic[i + 1];\n\n if (out) {\n out->reference &= ~DELAYED_PIC_REF;\n ret = output_frame(h, pict, out);\n if (ret < 0)\n return ret;\n *got_frame = 1;\n }\n\n return buf_index;\n }\n if(h->is_avc && buf_size >= 9 && buf[0]==1 && buf[2]==0 && (buf[4]&0xFC)==0xFC && (buf[5]&0x1F) && buf[8]==0x67){\n int cnt= buf[5]&0x1f;\n const uint8_t *p= buf+6;\n while(cnt--){\n int nalsize= AV_RB16(p) + 2;\n if(nalsize > buf_size - (p-buf) || p[2]!=0x67)\n goto not_extra;\n p += nalsize;\n }\n cnt = *(p++);\n if(!cnt)\n goto not_extra;\n while(cnt--){\n int nalsize= AV_RB16(p) + 2;\n if(nalsize > buf_size - (p-buf) || p[2]!=0x68)\n goto not_extra;\n p += nalsize;\n }\n\n return ff_h264_decode_extradata(h, buf, buf_size);\n }\nnot_extra:\n\n buf_index = decode_nal_units(h, buf, buf_size, 0);\n if (buf_index < 0)\n return AVERROR_INVALIDDATA;\n\n if (!h->cur_pic_ptr && h->nal_unit_type == NAL_END_SEQUENCE) {\n av_assert0(buf_index <= buf_size);\n goto out;\n }\n\n if (!(avctx->flags2 & CODEC_FLAG2_CHUNKS) && !h->cur_pic_ptr) {\n if (avctx->skip_frame >= AVDISCARD_NONREF ||\n buf_size >= 4 && !memcmp(\"Q264\", buf, 4))\n 
return buf_size;\n av_log(avctx, AV_LOG_ERROR, \"no frame!\\n\");\n return AVERROR_INVALIDDATA;\n }\n\n if (!(avctx->flags2 & CODEC_FLAG2_CHUNKS) ||\n (h->mb_y >= h->mb_height && h->mb_height)) {\n if (avctx->flags2 & CODEC_FLAG2_CHUNKS)\n decode_postinit(h, 1);\n\n field_end(h, 0);\n\n /* Wait for second field. */\n *got_frame = 0;\n if (h->next_output_pic && (\n h->next_output_pic->recovered)) {\n if (!h->next_output_pic->recovered)\n h->next_output_pic->f.flags |= AV_FRAME_FLAG_CORRUPT;\n\n ret = output_frame(h, pict, h->next_output_pic);\n if (ret < 0)\n return ret;\n *got_frame = 1;\n if (CONFIG_MPEGVIDEO) {\n ff_print_debug_info2(h->avctx, h->next_output_pic, pict, h->er.mbskip_table,\n &h->low_delay,\n h->mb_width, h->mb_height, h->mb_stride, 1);\n }\n }\n }\n\n assert(pict->buf[0] || !*got_frame);\n\n return get_consumed_bytes(buf_index, buf_size);\n}", "project": "FFmpeg", "hash": 117470852869089647631545290614858997532, "size": 117, "commit_id": "8a3b85f3a7952c54a2c36ba1797f7e0cde9f85aa", "message": "avcodec/h264: update current_sps & sps->new only after the whole slice header decoder and init code finished\n\nThis avoids them being cleared before the full initialization finished\n\nFixes out of array read\nFixes: asan_heap-oob_f0c5e6_7071_cov_1605985132_mov_h264_aac__Demo_FlagOfOurFathers.mov\nFound-by: Mateusz \"j00ru\" Jurczyk and Gynvael Coldwind\nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 270128 }, { "func": "static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_read_class_of_dev *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tmemcpy(hdev->dev_class, rp->dev_class, 3);\n\n\tBT_DBG(\"%s class 0x%.2x%.2x%.2x\", hdev->name,\n\t hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);\n}", "project": "linux", "hash": 65411517020882226570944628413928461270, "size": 14, "commit_id": 
"51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431902 }, { "func": "static OPJ_BOOL opj_j2k_create_tcd(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager\n )\n{\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n OPJ_UNUSED(p_stream);\n\n p_j2k->m_tcd = opj_tcd_create(OPJ_FALSE);\n\n if (! p_j2k->m_tcd) {\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to create Tile Coder\\n\");\n return OPJ_FALSE;\n }\n\n if (!opj_tcd_init(p_j2k->m_tcd, p_j2k->m_private_image, &p_j2k->m_cp,\n p_j2k->m_tp)) {\n opj_tcd_destroy(p_j2k->m_tcd);\n p_j2k->m_tcd = 00;\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 134847270250177450878974418191472758354, "size": 28, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357434 }, { "func": "static void free_snapshot(struct trace_array *tr)\n{\n\t/*\n\t * We don't free the ring buffer. instead, resize it because\n\t * The max_tr ring buffer has some state (e.g. 
ring->clock) and\n\t * we want preserve it.\n\t */\n\tring_buffer_resize(tr->max_buffer.buffer, 1, RING_BUFFER_ALL_CPUS);\n\tset_buffer_entries(&tr->max_buffer, 1);\n\ttracing_reset_online_cpus(&tr->max_buffer);\n\ttr->allocated_snapshot = false;\n}", "project": "linux", "hash": 163679142633710776858285281666733389071, "size": 12, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445816 }, { "func": "static long kvm_s390_get_skeys(struct kvm *kvm, struct kvm_s390_skeys *args)\n{\n\tuint8_t *keys;\n\tuint64_t hva;\n\tint srcu_idx, i, r = 0;\n\n\tif (args->flags != 0)\n\t\treturn -EINVAL;\n\n\t/* Is this guest using storage keys? 
*/\n\tif (!mm_uses_skeys(current->mm))\n\t\treturn KVM_S390_GET_SKEYS_NONE;\n\n\t/* Enforce sane limit on memory allocation */\n\tif (args->count < 1 || args->count > KVM_S390_SKEYS_MAX)\n\t\treturn -EINVAL;\n\n\tkeys = kvmalloc_array(args->count, sizeof(uint8_t), GFP_KERNEL);\n\tif (!keys)\n\t\treturn -ENOMEM;\n\n\tdown_read(&current->mm->mmap_sem);\n\tsrcu_idx = srcu_read_lock(&kvm->srcu);\n\tfor (i = 0; i < args->count; i++) {\n\t\thva = gfn_to_hva(kvm, args->start_gfn + i);\n\t\tif (kvm_is_error_hva(hva)) {\n\t\t\tr = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\n\t\tr = get_guest_storage_key(current->mm, hva, &keys[i]);\n\t\tif (r)\n\t\t\tbreak;\n\t}\n\tsrcu_read_unlock(&kvm->srcu, srcu_idx);\n\tup_read(&current->mm->mmap_sem);\n\n\tif (!r) {\n\t\tr = copy_to_user((uint8_t __user *)args->skeydata_addr, keys,\n\t\t\t\t sizeof(uint8_t) * args->count);\n\t\tif (r)\n\t\t\tr = -EFAULT;\n\t}\n\n\tkvfree(keys);\n\treturn r;\n}", "project": "linux", "hash": 5529170788078460234024644418883273927, "size": 47, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354699 }, { "func": "static int nfs4_proc_unlink_done(struct rpc_task *task, struct inode *dir)\n{\n\tstruct nfs_unlinkdata *data = task->tk_calldata;\n\tstruct nfs_removeres *res = &data->res;\n\n\tif (!nfs4_sequence_done(task, &res->seq_res))\n\t\treturn 0;\n\tif 
(nfs4_async_handle_error(task, res->server, NULL,\n\t\t\t\t &data->timeout) == -EAGAIN)\n\t\treturn 0;\n\tif (task->tk_status == 0)\n\t\tnfs4_update_changeattr(dir, &res->cinfo,\n\t\t\t\tres->dir_attr->time_start,\n\t\t\t\tNFS_INO_INVALID_DATA);\n\treturn 1;\n}", "project": "linux", "hash": 338808170320664300910565395756249654420, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431073 }, { "func": "static int verify_halted(struct usbtest_dev *tdev, int ep, struct urb *urb)\n{\n\tint\tretval;\n\tu16\tstatus;\n\n\t/* should look and act halted */\n\tretval = usb_get_std_status(urb->dev, USB_RECIP_ENDPOINT, ep, &status);\n\tif (retval < 0) {\n\t\tERROR(tdev, \"ep %02x couldn't get halt status, %d\\n\",\n\t\t\t\tep, retval);\n\t\treturn retval;\n\t}\n\tif (status != 1) {\n\t\tERROR(tdev, \"ep %02x bogus status: %04x != 1\\n\", ep, status);\n\t\treturn -EINVAL;\n\t}\n\tretval = simple_io(tdev, urb, 1, 0, -EPIPE, __func__);\n\tif (retval != -EPIPE)\n\t\treturn -EINVAL;\n\tretval = simple_io(tdev, urb, 1, 0, -EPIPE, \"verify_still_halted\");\n\tif (retval != -EPIPE)\n\t\treturn -EINVAL;\n\treturn 0;\n}", "project": "linux", "hash": 98515315773977197552361425203883918371, "size": 24, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff 
.p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412281 }, { "func": " getOwnIndexedPropertyFlags(JSObject *self, Runtime *runtime, 
uint32_t index) {\n return JSObject::getOwnIndexedPropertyFlags(self, runtime, index);\n }", "project": "hermes", "hash": 279947202979947712189985727087538003909, "size": 3, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230217 }, { "func": "void imap_quote_string(char *dest, size_t dlen, const char *src, bool quote_backtick)\n{\n const char *quote = \"`\\\"\\\\\";\n if (!quote_backtick)\n quote++;\n\n char *pt = dest;\n const char *s = src;\n\n *pt++ = '\"';\n /* save room for trailing quote-char */\n dlen -= 2;\n\n for (; *s && dlen; s++)\n {\n if (strchr(quote, *s))\n {\n dlen -= 2;\n if (dlen == 0)\n break;\n *pt++ = '\\\\';\n *pt++ = *s;\n }\n else\n {\n *pt++ = *s;\n dlen--;\n }\n }\n *pt++ = '\"';\n *pt = '\\0';\n}", "project": "neomutt", "hash": 22083083465161457258845765353691198009, "size": 32, "commit_id": "65d64a5b60a4a3883f2cd799d92c6091d8854f23", "message": "Check for int underflow in imap_quote_string", "target": 1, "dataset": "other", "idx": 198183 }, { "func": "static OPJ_BOOL opj_tcd_code_block_dec_allocate(opj_tcd_cblk_dec_t *\n p_code_block)\n{\n if (! p_code_block->segs) {\n\n p_code_block->segs = (opj_tcd_seg_t *) opj_calloc(OPJ_J2K_DEFAULT_NB_SEGS,\n sizeof(opj_tcd_seg_t));\n if (! 
p_code_block->segs) {\n return OPJ_FALSE;\n }\n /*fprintf(stderr, \"Allocate %d elements of code_block->data\\n\", OPJ_J2K_DEFAULT_NB_SEGS * sizeof(opj_tcd_seg_t));*/\n\n p_code_block->m_current_max_segs = OPJ_J2K_DEFAULT_NB_SEGS;\n /*fprintf(stderr, \"m_current_max_segs of code_block->data = %d\\n\", p_code_block->m_current_max_segs);*/\n } else {\n /* sanitize */\n opj_tcd_seg_t * l_segs = p_code_block->segs;\n OPJ_UINT32 l_current_max_segs = p_code_block->m_current_max_segs;\n opj_tcd_seg_data_chunk_t* l_chunks = p_code_block->chunks;\n OPJ_UINT32 l_numchunksalloc = p_code_block->numchunksalloc;\n OPJ_UINT32 i;\n\n opj_aligned_free(p_code_block->decoded_data);\n p_code_block->decoded_data = 00;\n\n memset(p_code_block, 0, sizeof(opj_tcd_cblk_dec_t));\n p_code_block->segs = l_segs;\n p_code_block->m_current_max_segs = l_current_max_segs;\n for (i = 0; i < l_current_max_segs; ++i) {\n opj_tcd_reinit_segment(&l_segs[i]);\n }\n p_code_block->chunks = l_chunks;\n p_code_block->numchunksalloc = l_numchunksalloc;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 133217067351721964040418046140893178633, "size": 37, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359188 }, { "func": "void force_sigsegv(int sig)\n{\n\tstruct task_struct *p = current;\n\n\tif (sig == SIGSEGV) {\n\t\tunsigned long flags;\n\t\tspin_lock_irqsave(&p->sighand->siglock, flags);\n\t\tp->sighand->action[sig - 1].sa.sa_handler = SIG_DFL;\n\t\tspin_unlock_irqrestore(&p->sighand->siglock, flags);\n\t}\n\tforce_sig(SIGSEGV);\n}", "project": "linux", "hash": 335149696778337326838728399244132810910, "size": 12, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. 
With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375169 }, { "project": "Chrome", "commit_id": "a5333583f14284a411abac2fef7caed889a8bba3", "target": 0, "func": "EmbeddedWorkerContextClient::~EmbeddedWorkerContextClient() {\n DCHECK(g_worker_client_tls.Pointer()->Get() != NULL);\n g_worker_client_tls.Pointer()->Set(NULL);\n}\n", "cwe": "", "big_vul_idx": 121737, "idx": 109027, "hash": 305478255499046740853854010083757809877 }, { "func": "static int _nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,\n\t\tstruct iattr *sattr, struct nfs4_label *label)\n{\n\tstruct nfs4_createdata *data;\n\tint status = -ENOMEM;\n\n\tdata = nfs4_alloc_createdata(dir, &dentry->d_name, sattr, NF4DIR);\n\tif (data == NULL)\n\t\tgoto out;\n\n\tdata->arg.label = label;\n\tstatus = nfs4_do_create(dir, dentry, data);\n\n\tnfs4_free_createdata(data);\nout:\n\treturn status;\n}", "project": "linux", "hash": 292374457403815622334425453313246814350, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431421 }, { "func": "static int bcf_enc_long1(kstring_t *s, int64_t x) {\n uint32_t e = 0;\n if (x <= BCF_MAX_BT_INT32 && x >= BCF_MIN_BT_INT32)\n return bcf_enc_int1(s, x);\n if (x == bcf_int64_vector_end) {\n e |= bcf_enc_size(s, 1, BCF_BT_INT8);\n e |= kputc(bcf_int8_vector_end, s) < 0;\n } else if (x == bcf_int64_missing) {\n e |= bcf_enc_size(s, 1, BCF_BT_INT8);\n e |= kputc(bcf_int8_missing, s) < 0;\n } else {\n e |= bcf_enc_size(s, 1, BCF_BT_INT64);\n e |= ks_expand(s, 8);\n if (e == 0) { u64_to_le(x, (uint8_t *) s->s + s->l); s->l += 8; }\n }\n 
return e == 0 ? 0 : -1;\n}", "project": "htslib", "hash": 72093864614754220312679727375692445408, "size": 17, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402184 }, { "func": "static int __init input_proc_init(void)\n{\n\tstruct proc_dir_entry *entry;\n\n\tproc_bus_input_dir = proc_mkdir(\"bus/input\", NULL);\n\tif (!proc_bus_input_dir)\n\t\treturn -ENOMEM;\n\n\tentry = proc_create(\"devices\", 0, proc_bus_input_dir,\n\t\t\t &input_devices_fileops);\n\tif (!entry)\n\t\tgoto fail1;\n\n\tentry = proc_create(\"handlers\", 0, proc_bus_input_dir,\n\t\t\t &input_handlers_fileops);\n\tif (!entry)\n\t\tgoto fail2;\n\n\treturn 0;\n\n fail2:\tremove_proc_entry(\"devices\", proc_bus_input_dir);\n fail1: remove_proc_entry(\"bus/input\", NULL);\n\treturn -ENOMEM;\n}", "project": "linux", "hash": 24780947944674085991735477420234935852, "size": 24, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353383 }, { "func": "static inline int input_proc_init(void) { return 0; }", "project": "linux", "hash": 107770061272691832011472695574094867588, "size": 1, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353387 }, { "func": "int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,\n\t\t\t\t\t off_t bl_len)\n{\n const char *content_type = NULL;\n string content_type_str;\n map response_attrs;\n map::iterator riter;\n bufferlist metadata_bl;\n\n if (sent_header)\n goto send_data;\n\n if (custom_http_ret) {\n set_req_state_err(s, 0);\n dump_errno(s, custom_http_ret);\n } else {\n set_req_state_err(s, (partial_content && !op_ret) ? 
STATUS_PARTIAL_CONTENT\n : op_ret);\n dump_errno(s);\n }\n\n if (op_ret)\n goto done;\n\n if (range_str)\n dump_range(s, start, end, s->obj_size);\n\n if (s->system_request &&\n s->info.args.exists(RGW_SYS_PARAM_PREFIX \"prepend-metadata\")) {\n\n dump_header(s, \"Rgwx-Object-Size\", (long long)total_len);\n\n if (rgwx_stat) {\n /*\n * in this case, we're not returning the object's content, only the prepended\n * extra metadata\n */\n total_len = 0;\n }\n\n /* JSON encode object metadata */\n JSONFormatter jf;\n jf.open_object_section(\"obj_metadata\");\n encode_json(\"attrs\", attrs, &jf);\n utime_t ut(lastmod);\n encode_json(\"mtime\", ut, &jf);\n jf.close_section();\n stringstream ss;\n jf.flush(ss);\n metadata_bl.append(ss.str());\n dump_header(s, \"Rgwx-Embedded-Metadata-Len\", metadata_bl.length());\n total_len += metadata_bl.length();\n }\n\n if (s->system_request && !real_clock::is_zero(lastmod)) {\n /* we end up dumping mtime in two different methods, a bit redundant */\n dump_epoch_header(s, \"Rgwx-Mtime\", lastmod);\n uint64_t pg_ver = 0;\n int r = decode_attr_bl_single_value(attrs, RGW_ATTR_PG_VER, &pg_ver, (uint64_t)0);\n if (r < 0) {\n ldout(s->cct, 0) << \"ERROR: failed to decode pg ver attr, ignoring\" << dendl;\n }\n dump_header(s, \"Rgwx-Obj-PG-Ver\", pg_ver);\n\n uint32_t source_zone_short_id = 0;\n r = decode_attr_bl_single_value(attrs, RGW_ATTR_SOURCE_ZONE, &source_zone_short_id, (uint32_t)0);\n if (r < 0) {\n ldout(s->cct, 0) << \"ERROR: failed to decode pg ver attr, ignoring\" << dendl;\n }\n if (source_zone_short_id != 0) {\n dump_header(s, \"Rgwx-Source-Zone-Short-Id\", source_zone_short_id);\n }\n }\n\n for (auto &it : crypt_http_responses)\n dump_header(s, it.first, it.second);\n\n dump_content_length(s, total_len);\n dump_last_modified(s, lastmod);\n dump_header_if_nonempty(s, \"x-amz-version-id\", version_id);\n\n if (! op_ret) {\n if (! lo_etag.empty()) {\n /* Handle etag of Swift API's large objects (DLO/SLO). 
It's entirerly\n * legit to perform GET on them through S3 API. In such situation,\n * a client should receive the composited content with corresponding\n * etag value. */\n dump_etag(s, lo_etag);\n } else {\n auto iter = attrs.find(RGW_ATTR_ETAG);\n if (iter != attrs.end()) {\n dump_etag(s, iter->second.to_str());\n }\n }\n\n for (struct response_attr_param *p = resp_attr_params; p->param; p++) {\n bool exists;\n string val = s->info.args.get(p->param, &exists);\n if (exists) {\n\tif (strcmp(p->param, \"response-content-type\") != 0) {\n\t response_attrs[p->http_attr] = val;\n\t} else {\n\t content_type_str = val;\n\t content_type = content_type_str.c_str();\n\t}\n }\n }\n\n for (auto iter = attrs.begin(); iter != attrs.end(); ++iter) {\n const char *name = iter->first.c_str();\n map::iterator aiter = rgw_to_http_attrs.find(name);\n if (aiter != rgw_to_http_attrs.end()) {\n if (response_attrs.count(aiter->second) == 0) {\n /* Was not already overridden by a response param. */\n response_attrs[aiter->second] = iter->second.c_str();\n }\n } else if (iter->first.compare(RGW_ATTR_CONTENT_TYPE) == 0) {\n /* Special handling for content_type. */\n if (!content_type) {\n content_type = iter->second.c_str();\n }\n } else if (strcmp(name, RGW_ATTR_SLO_UINDICATOR) == 0) {\n // this attr has an extra length prefix from encode() in prior versions\n dump_header(s, \"X-Object-Meta-Static-Large-Object\", \"True\");\n } else if (strncmp(name, RGW_ATTR_META_PREFIX,\n\t\t\t sizeof(RGW_ATTR_META_PREFIX)-1) == 0) {\n /* User custom metadata. 
*/\n name += sizeof(RGW_ATTR_PREFIX) - 1;\n dump_header(s, name, iter->second);\n } else if (iter->first.compare(RGW_ATTR_TAGS) == 0) {\n RGWObjTags obj_tags;\n try{\n bufferlist::iterator it = iter->second.begin();\n obj_tags.decode(it);\n } catch (buffer::error &err) {\n ldout(s->cct,0) << \"Error caught buffer::error couldn't decode TagSet \" << dendl;\n }\n dump_header(s, RGW_AMZ_TAG_COUNT, obj_tags.count());\n }\n }\n }\n\ndone:\n for (riter = response_attrs.begin(); riter != response_attrs.end();\n ++riter) {\n dump_header(s, riter->first, riter->second);\n }\n\n if (op_ret == -ERR_NOT_MODIFIED) {\n end_header(s, this);\n } else {\n if (!content_type)\n content_type = \"binary/octet-stream\";\n\n end_header(s, this, content_type);\n }\n\n if (metadata_bl.length()) {\n dump_body(s, metadata_bl);\n }\n sent_header = true;\n\nsend_data:\n if (get_data && !op_ret) {\n int r = dump_body(s, bl.c_str() + bl_ofs, bl_len);\n if (r < 0)\n return r;\n }\n\n return 0;\n}", "project": "ceph", "hash": 328805157265041295387468609454511432636, "size": 171, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 1, "dataset": "other", "idx": 198696 }, { "func": "int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,\n\t\t\t\t\t off_t bl_len)\n{\n const char *content_type = NULL;\n string content_type_str;\n map response_attrs;\n map::iterator riter;\n bufferlist metadata_bl;\n\n if (sent_header)\n goto send_data;\n\n if (custom_http_ret) {\n set_req_state_err(s, 0);\n dump_errno(s, custom_http_ret);\n } else {\n set_req_state_err(s, (partial_content && !op_ret) ? 
STATUS_PARTIAL_CONTENT\n : op_ret);\n dump_errno(s);\n }\n\n if (op_ret)\n goto done;\n\n if (range_str)\n dump_range(s, start, end, s->obj_size);\n\n if (s->system_request &&\n s->info.args.exists(RGW_SYS_PARAM_PREFIX \"prepend-metadata\")) {\n\n dump_header(s, \"Rgwx-Object-Size\", (long long)total_len);\n\n if (rgwx_stat) {\n /*\n * in this case, we're not returning the object's content, only the prepended\n * extra metadata\n */\n total_len = 0;\n }\n\n /* JSON encode object metadata */\n JSONFormatter jf;\n jf.open_object_section(\"obj_metadata\");\n encode_json(\"attrs\", attrs, &jf);\n utime_t ut(lastmod);\n encode_json(\"mtime\", ut, &jf);\n jf.close_section();\n stringstream ss;\n jf.flush(ss);\n metadata_bl.append(ss.str());\n dump_header(s, \"Rgwx-Embedded-Metadata-Len\", metadata_bl.length());\n total_len += metadata_bl.length();\n }\n\n if (s->system_request && !real_clock::is_zero(lastmod)) {\n /* we end up dumping mtime in two different methods, a bit redundant */\n dump_epoch_header(s, \"Rgwx-Mtime\", lastmod);\n uint64_t pg_ver = 0;\n int r = decode_attr_bl_single_value(attrs, RGW_ATTR_PG_VER, &pg_ver, (uint64_t)0);\n if (r < 0) {\n ldout(s->cct, 0) << \"ERROR: failed to decode pg ver attr, ignoring\" << dendl;\n }\n dump_header(s, \"Rgwx-Obj-PG-Ver\", pg_ver);\n\n uint32_t source_zone_short_id = 0;\n r = decode_attr_bl_single_value(attrs, RGW_ATTR_SOURCE_ZONE, &source_zone_short_id, (uint32_t)0);\n if (r < 0) {\n ldout(s->cct, 0) << \"ERROR: failed to decode pg ver attr, ignoring\" << dendl;\n }\n if (source_zone_short_id != 0) {\n dump_header(s, \"Rgwx-Source-Zone-Short-Id\", source_zone_short_id);\n }\n }\n\n for (auto &it : crypt_http_responses)\n dump_header(s, it.first, it.second);\n\n dump_content_length(s, total_len);\n dump_last_modified(s, lastmod);\n dump_header_if_nonempty(s, \"x-amz-version-id\", version_id);\n if (attrs.find(RGW_ATTR_APPEND_PART_NUM) != attrs.end()) {\n dump_header(s, \"x-rgw-object-type\", \"Appendable\");\n 
dump_header(s, \"x-rgw-next-append-position\", s->obj_size);\n } else {\n dump_header(s, \"x-rgw-object-type\", \"Normal\");\n }\n\n if (! op_ret) {\n if (! lo_etag.empty()) {\n /* Handle etag of Swift API's large objects (DLO/SLO). It's entirerly\n * legit to perform GET on them through S3 API. In such situation,\n * a client should receive the composited content with corresponding\n * etag value. */\n dump_etag(s, lo_etag);\n } else {\n auto iter = attrs.find(RGW_ATTR_ETAG);\n if (iter != attrs.end()) {\n dump_etag(s, iter->second.to_str());\n }\n }\n\n for (struct response_attr_param *p = resp_attr_params; p->param; p++) {\n bool exists;\n string val = s->info.args.get(p->param, &exists);\n if (exists) {\n\tif (strcmp(p->param, \"response-content-type\") != 0) {\n\t response_attrs[p->http_attr] = val;\n\t} else {\n\t content_type_str = val;\n\t content_type = content_type_str.c_str();\n\t}\n }\n }\n\n for (auto iter = attrs.begin(); iter != attrs.end(); ++iter) {\n const char *name = iter->first.c_str();\n map::iterator aiter = rgw_to_http_attrs.find(name);\n if (aiter != rgw_to_http_attrs.end()) {\n if (response_attrs.count(aiter->second) == 0) {\n /* Was not already overridden by a response param. */\n\n size_t len = iter->second.length();\n string s(iter->second.c_str(), len);\n while (len && !s[len - 1]) {\n --len;\n s.resize(len);\n }\n response_attrs[aiter->second] = s;\n }\n } else if (iter->first.compare(RGW_ATTR_CONTENT_TYPE) == 0) {\n /* Special handling for content_type. */\n if (!content_type) {\n content_type_str = rgw_bl_str(iter->second);\n content_type = content_type_str.c_str();\n }\n } else if (strcmp(name, RGW_ATTR_SLO_UINDICATOR) == 0) {\n // this attr has an extra length prefix from encode() in prior versions\n dump_header(s, \"X-Object-Meta-Static-Large-Object\", \"True\");\n } else if (strncmp(name, RGW_ATTR_META_PREFIX,\n\t\t\t sizeof(RGW_ATTR_META_PREFIX)-1) == 0) {\n /* User custom metadata. 
*/\n name += sizeof(RGW_ATTR_PREFIX) - 1;\n dump_header(s, name, iter->second);\n } else if (iter->first.compare(RGW_ATTR_TAGS) == 0) {\n RGWObjTags obj_tags;\n try{\n auto it = iter->second.cbegin();\n obj_tags.decode(it);\n } catch (buffer::error &err) {\n ldout(s->cct,0) << \"Error caught buffer::error couldn't decode TagSet \" << dendl;\n }\n dump_header(s, RGW_AMZ_TAG_COUNT, obj_tags.count());\n } else if (iter->first.compare(RGW_ATTR_OBJECT_RETENTION) == 0 && get_retention){\n RGWObjectRetention retention;\n try {\n decode(retention, iter->second);\n dump_header(s, \"x-amz-object-lock-mode\", retention.get_mode());\n dump_time_header(s, \"x-amz-object-lock-retain-until-date\", retention.get_retain_until_date());\n } catch (buffer::error& err) {\n ldpp_dout(this, 0) << \"ERROR: failed to decode RGWObjectRetention\" << dendl;\n }\n } else if (iter->first.compare(RGW_ATTR_OBJECT_LEGAL_HOLD) == 0 && get_legal_hold) {\n RGWObjectLegalHold legal_hold;\n try {\n decode(legal_hold, iter->second);\n dump_header(s, \"x-amz-object-lock-legal-hold\",legal_hold.get_status());\n } catch (buffer::error& err) {\n ldpp_dout(this, 0) << \"ERROR: failed to decode RGWObjectLegalHold\" << dendl;\n }\n }\n }\n }\n\ndone:\n for (riter = response_attrs.begin(); riter != response_attrs.end();\n ++riter) {\n dump_header(s, riter->first, riter->second);\n }\n\n if (op_ret == -ERR_NOT_MODIFIED) {\n end_header(s, this);\n } else {\n if (!content_type)\n content_type = \"binary/octet-stream\";\n\n end_header(s, this, content_type);\n }\n\n if (metadata_bl.length()) {\n dump_body(s, metadata_bl);\n }\n sent_header = true;\n\nsend_data:\n if (get_data && !op_ret) {\n int r = dump_body(s, bl.c_str() + bl_ofs, bl_len);\n if (r < 0)\n return r;\n }\n\n return 0;\n}", "project": "ceph", "hash": 194522038655282032593323730255797180912, "size": 202, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt 
Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 1, "dataset": "other", "idx": 202400 }, { "func": "int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,\n\t\t\t\t\t off_t bl_len)\n{\n const char *content_type = NULL;\n string content_type_str;\n map response_attrs;\n map::iterator riter;\n bufferlist metadata_bl;\n\n if (sent_header)\n goto send_data;\n\n if (custom_http_ret) {\n set_req_state_err(s, 0);\n dump_errno(s, custom_http_ret);\n } else {\n set_req_state_err(s, (partial_content && !op_ret) ? STATUS_PARTIAL_CONTENT\n : op_ret);\n dump_errno(s);\n }\n\n if (op_ret)\n goto done;\n\n if (range_str)\n dump_range(s, start, end, s->obj_size);\n\n if (s->system_request &&\n s->info.args.exists(RGW_SYS_PARAM_PREFIX \"prepend-metadata\")) {\n\n dump_header(s, \"Rgwx-Object-Size\", (long long)total_len);\n\n if (rgwx_stat) {\n /*\n * in this case, we're not returning the object's content, only the prepended\n * extra metadata\n */\n total_len = 0;\n }\n\n /* JSON encode object metadata */\n JSONFormatter jf;\n jf.open_object_section(\"obj_metadata\");\n encode_json(\"attrs\", attrs, &jf);\n utime_t ut(lastmod);\n encode_json(\"mtime\", ut, &jf);\n jf.close_section();\n stringstream ss;\n jf.flush(ss);\n metadata_bl.append(ss.str());\n dump_header(s, \"Rgwx-Embedded-Metadata-Len\", metadata_bl.length());\n total_len += metadata_bl.length();\n }\n\n if (s->system_request && !real_clock::is_zero(lastmod)) {\n /* we end up dumping mtime in two different methods, a bit redundant */\n dump_epoch_header(s, \"Rgwx-Mtime\", lastmod);\n uint64_t pg_ver = 0;\n int r = decode_attr_bl_single_value(attrs, RGW_ATTR_PG_VER, &pg_ver, (uint64_t)0);\n if (r < 0) {\n ldout(s->cct, 0) << \"ERROR: failed to decode pg ver attr, ignoring\" << dendl;\n }\n dump_header(s, \"Rgwx-Obj-PG-Ver\", pg_ver);\n\n uint32_t source_zone_short_id = 0;\n r = decode_attr_bl_single_value(attrs, 
RGW_ATTR_SOURCE_ZONE, &source_zone_short_id, (uint32_t)0);\n if (r < 0) {\n ldout(s->cct, 0) << \"ERROR: failed to decode pg ver attr, ignoring\" << dendl;\n }\n if (source_zone_short_id != 0) {\n dump_header(s, \"Rgwx-Source-Zone-Short-Id\", source_zone_short_id);\n }\n }\n\n for (auto &it : crypt_http_responses)\n dump_header(s, it.first, it.second);\n\n dump_content_length(s, total_len);\n dump_last_modified(s, lastmod);\n dump_header_if_nonempty(s, \"x-amz-version-id\", version_id);\n\n if (! op_ret) {\n if (! lo_etag.empty()) {\n /* Handle etag of Swift API's large objects (DLO/SLO). It's entirerly\n * legit to perform GET on them through S3 API. In such situation,\n * a client should receive the composited content with corresponding\n * etag value. */\n dump_etag(s, lo_etag);\n } else {\n auto iter = attrs.find(RGW_ATTR_ETAG);\n if (iter != attrs.end()) {\n dump_etag(s, iter->second.to_str());\n }\n }\n\n for (struct response_attr_param *p = resp_attr_params; p->param; p++) {\n bool exists;\n string val = s->info.args.get(p->param, &exists);\n if (exists) {\n\t/* reject unauthenticated response header manipulation, see\n\t * https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */\n\tif (s->auth.identity->is_anonymous()) {\n\t return -ERR_INVALID_REQUEST;\n\t}\n\tif (strcmp(p->param, \"response-content-type\") != 0) {\n\t response_attrs[p->http_attr] = val;\n\t} else {\n\t content_type_str = val;\n\t content_type = content_type_str.c_str();\n\t}\n }\n }\n\n for (auto iter = attrs.begin(); iter != attrs.end(); ++iter) {\n const char *name = iter->first.c_str();\n map::iterator aiter = rgw_to_http_attrs.find(name);\n if (aiter != rgw_to_http_attrs.end()) {\n if (response_attrs.count(aiter->second) == 0) {\n /* Was not already overridden by a response param. */\n response_attrs[aiter->second] = iter->second.c_str();\n }\n } else if (iter->first.compare(RGW_ATTR_CONTENT_TYPE) == 0) {\n /* Special handling for content_type. 
*/\n if (!content_type) {\n content_type = iter->second.c_str();\n }\n } else if (strcmp(name, RGW_ATTR_SLO_UINDICATOR) == 0) {\n // this attr has an extra length prefix from encode() in prior versions\n dump_header(s, \"X-Object-Meta-Static-Large-Object\", \"True\");\n } else if (strncmp(name, RGW_ATTR_META_PREFIX,\n\t\t\t sizeof(RGW_ATTR_META_PREFIX)-1) == 0) {\n /* User custom metadata. */\n name += sizeof(RGW_ATTR_PREFIX) - 1;\n dump_header(s, name, iter->second);\n } else if (iter->first.compare(RGW_ATTR_TAGS) == 0) {\n RGWObjTags obj_tags;\n try{\n bufferlist::iterator it = iter->second.begin();\n obj_tags.decode(it);\n } catch (buffer::error &err) {\n ldout(s->cct,0) << \"Error caught buffer::error couldn't decode TagSet \" << dendl;\n }\n dump_header(s, RGW_AMZ_TAG_COUNT, obj_tags.count());\n }\n }\n }\n\ndone:\n for (riter = response_attrs.begin(); riter != response_attrs.end();\n ++riter) {\n dump_header(s, riter->first, riter->second);\n }\n\n if (op_ret == -ERR_NOT_MODIFIED) {\n end_header(s, this);\n } else {\n if (!content_type)\n content_type = \"binary/octet-stream\";\n\n end_header(s, this, content_type);\n }\n\n if (metadata_bl.length()) {\n dump_body(s, metadata_bl);\n }\n sent_header = true;\n\nsend_data:\n if (get_data && !op_ret) {\n int r = dump_body(s, bl.c_str() + bl_ofs, bl_len);\n if (r < 0)\n return r;\n }\n\n return 0;\n}", "project": "ceph", "hash": 11672994272374650223078214885046679730, "size": 176, "commit_id": "9ca5b3628245e2878426602bb24f1a4e45edc850", "message": "rgw: reject control characters in response-header actions\n\nS3 GetObject permits overriding response header values, but those inputs\nneed to be validated to insure only characters that are valid in an HTTP\nheader value are present.\n\nCredit: Initial vulnerability discovery by William Bowling (@wcbowling)\nCredit: Further vulnerability discovery by Robin H. Johnson \nSigned-off-by: Robin H. 
Johnson ", "target": 1, "dataset": "other", "idx": 204277 }, { "func": "int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,\n\t\t\t\t\t off_t bl_len)\n{\n const char *content_type = NULL;\n string content_type_str;\n map response_attrs;\n map::iterator riter;\n bufferlist metadata_bl;\n\n if (sent_header)\n goto send_data;\n\n if (custom_http_ret) {\n set_req_state_err(s, 0);\n dump_errno(s, custom_http_ret);\n } else {\n set_req_state_err(s, (partial_content && !op_ret) ? STATUS_PARTIAL_CONTENT\n : op_ret);\n dump_errno(s);\n }\n\n if (op_ret)\n goto done;\n\n if (range_str)\n dump_range(s, start, end, s->obj_size);\n\n if (s->system_request &&\n s->info.args.exists(RGW_SYS_PARAM_PREFIX \"prepend-metadata\")) {\n\n dump_header(s, \"Rgwx-Object-Size\", (long long)total_len);\n\n if (rgwx_stat) {\n /*\n * in this case, we're not returning the object's content, only the prepended\n * extra metadata\n */\n total_len = 0;\n }\n\n /* JSON encode object metadata */\n JSONFormatter jf;\n jf.open_object_section(\"obj_metadata\");\n encode_json(\"attrs\", attrs, &jf);\n utime_t ut(lastmod);\n encode_json(\"mtime\", ut, &jf);\n jf.close_section();\n stringstream ss;\n jf.flush(ss);\n metadata_bl.append(ss.str());\n dump_header(s, \"Rgwx-Embedded-Metadata-Len\", metadata_bl.length());\n total_len += metadata_bl.length();\n }\n\n if (s->system_request && !real_clock::is_zero(lastmod)) {\n /* we end up dumping mtime in two different methods, a bit redundant */\n dump_epoch_header(s, \"Rgwx-Mtime\", lastmod);\n uint64_t pg_ver = 0;\n int r = decode_attr_bl_single_value(attrs, RGW_ATTR_PG_VER, &pg_ver, (uint64_t)0);\n if (r < 0) {\n ldout(s->cct, 0) << \"ERROR: failed to decode pg ver attr, ignoring\" << dendl;\n }\n dump_header(s, \"Rgwx-Obj-PG-Ver\", pg_ver);\n\n uint32_t source_zone_short_id = 0;\n r = decode_attr_bl_single_value(attrs, RGW_ATTR_SOURCE_ZONE, &source_zone_short_id, (uint32_t)0);\n if (r < 0) {\n ldout(s->cct, 0) << \"ERROR: failed to 
decode pg ver attr, ignoring\" << dendl;\n }\n if (source_zone_short_id != 0) {\n dump_header(s, \"Rgwx-Source-Zone-Short-Id\", source_zone_short_id);\n }\n }\n\n for (auto &it : crypt_http_responses)\n dump_header(s, it.first, it.second);\n\n dump_content_length(s, total_len);\n dump_last_modified(s, lastmod);\n dump_header_if_nonempty(s, \"x-amz-version-id\", version_id);\n if (attrs.find(RGW_ATTR_APPEND_PART_NUM) != attrs.end()) {\n dump_header(s, \"x-rgw-object-type\", \"Appendable\");\n dump_header(s, \"x-rgw-next-append-position\", s->obj_size);\n } else {\n dump_header(s, \"x-rgw-object-type\", \"Normal\");\n }\n\n if (! op_ret) {\n if (! lo_etag.empty()) {\n /* Handle etag of Swift API's large objects (DLO/SLO). It's entirerly\n * legit to perform GET on them through S3 API. In such situation,\n * a client should receive the composited content with corresponding\n * etag value. */\n dump_etag(s, lo_etag);\n } else {\n auto iter = attrs.find(RGW_ATTR_ETAG);\n if (iter != attrs.end()) {\n dump_etag(s, iter->second.to_str());\n }\n }\n\n for (struct response_attr_param *p = resp_attr_params; p->param; p++) {\n bool exists;\n string val = s->info.args.get(p->param, &exists);\n if (exists) {\n\t/* reject unauthenticated response header manipulation, see\n\t * https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */\n\tif (s->auth.identity->is_anonymous()) {\n\t return -ERR_INVALID_REQUEST;\n\t}\n\tif (strcmp(p->param, \"response-content-type\") != 0) {\n\t response_attrs[p->http_attr] = val;\n\t} else {\n\t content_type_str = val;\n\t content_type = content_type_str.c_str();\n\t}\n }\n }\n\n for (auto iter = attrs.begin(); iter != attrs.end(); ++iter) {\n const char *name = iter->first.c_str();\n map::iterator aiter = rgw_to_http_attrs.find(name);\n if (aiter != rgw_to_http_attrs.end()) {\n if (response_attrs.count(aiter->second) == 0) {\n /* Was not already overridden by a response param. 
*/\n\n size_t len = iter->second.length();\n string s(iter->second.c_str(), len);\n while (len && !s[len - 1]) {\n --len;\n s.resize(len);\n }\n response_attrs[aiter->second] = s;\n }\n } else if (iter->first.compare(RGW_ATTR_CONTENT_TYPE) == 0) {\n /* Special handling for content_type. */\n if (!content_type) {\n content_type_str = rgw_bl_str(iter->second);\n content_type = content_type_str.c_str();\n }\n } else if (strcmp(name, RGW_ATTR_SLO_UINDICATOR) == 0) {\n // this attr has an extra length prefix from encode() in prior versions\n dump_header(s, \"X-Object-Meta-Static-Large-Object\", \"True\");\n } else if (strncmp(name, RGW_ATTR_META_PREFIX,\n\t\t\t sizeof(RGW_ATTR_META_PREFIX)-1) == 0) {\n /* User custom metadata. */\n name += sizeof(RGW_ATTR_PREFIX) - 1;\n dump_header(s, name, iter->second);\n } else if (iter->first.compare(RGW_ATTR_TAGS) == 0) {\n RGWObjTags obj_tags;\n try{\n auto it = iter->second.cbegin();\n obj_tags.decode(it);\n } catch (buffer::error &err) {\n ldout(s->cct,0) << \"Error caught buffer::error couldn't decode TagSet \" << dendl;\n }\n dump_header(s, RGW_AMZ_TAG_COUNT, obj_tags.count());\n } else if (iter->first.compare(RGW_ATTR_OBJECT_RETENTION) == 0 && get_retention){\n RGWObjectRetention retention;\n try {\n decode(retention, iter->second);\n dump_header(s, \"x-amz-object-lock-mode\", retention.get_mode());\n dump_time_header(s, \"x-amz-object-lock-retain-until-date\", retention.get_retain_until_date());\n } catch (buffer::error& err) {\n ldpp_dout(this, 0) << \"ERROR: failed to decode RGWObjectRetention\" << dendl;\n }\n } else if (iter->first.compare(RGW_ATTR_OBJECT_LEGAL_HOLD) == 0 && get_legal_hold) {\n RGWObjectLegalHold legal_hold;\n try {\n decode(legal_hold, iter->second);\n dump_header(s, \"x-amz-object-lock-legal-hold\",legal_hold.get_status());\n } catch (buffer::error& err) {\n ldpp_dout(this, 0) << \"ERROR: failed to decode RGWObjectLegalHold\" << dendl;\n }\n }\n }\n }\n\ndone:\n for (riter = response_attrs.begin(); 
riter != response_attrs.end();\n ++riter) {\n dump_header(s, riter->first, riter->second);\n }\n\n if (op_ret == -ERR_NOT_MODIFIED) {\n end_header(s, this);\n } else {\n if (!content_type)\n content_type = \"binary/octet-stream\";\n\n end_header(s, this, content_type);\n }\n\n if (metadata_bl.length()) {\n dump_body(s, metadata_bl);\n }\n sent_header = true;\n\nsend_data:\n if (get_data && !op_ret) {\n int r = dump_body(s, bl.c_str() + bl_ofs, bl_len);\n if (r < 0)\n return r;\n }\n\n return 0;\n}", "project": "ceph", "hash": 107958417671493336880373196615590270707, "size": 207, "commit_id": "c7da604cb101cbe78a257a29498a98c69964e0a6", "message": "rgw: reject control characters in response-header actions\n\nS3 GetObject permits overriding response header values, but those inputs\nneed to be validated to insure only characters that are valid in an HTTP\nheader value are present.\n\nCredit: Initial vulnerability discovery by William Bowling (@wcbowling)\nCredit: Further vulnerability discovery by Robin H. Johnson \nSigned-off-by: Robin H. 
Johnson ", "target": 1, "dataset": "other", "idx": 212167 }, { "func": "int RGWGetObj_ObjStore_S3Website::send_response_data(bufferlist& bl, off_t bl_ofs, off_t bl_len) {\n map::iterator iter;\n iter = attrs.find(RGW_ATTR_AMZ_WEBSITE_REDIRECT_LOCATION);\n if (iter != attrs.end()) {\n bufferlist &bl = iter->second;\n s->redirect = bl.c_str();\n s->err.http_ret = 301;\n ldout(s->cct, 20) << __CEPH_ASSERT_FUNCTION << \" redirecting per x-amz-website-redirect-location=\" << s->redirect << dendl;\n op_ret = -ERR_WEBSITE_REDIRECT;\n set_req_state_err(s, op_ret);\n dump_errno(s);\n dump_content_length(s, 0);\n dump_redirect(s, s->redirect);\n end_header(s, this);\n return op_ret;\n } else {\n return RGWGetObj_ObjStore_S3::send_response_data(bl, bl_ofs, bl_len);\n }\n}", "project": "ceph", "hash": 320213791093390971742013945121807888932, "size": 19, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281276 }, { "func": "void RGWListBuckets_ObjStore_S3::send_response_data(RGWUserBuckets& buckets)\n{\n if (!sent_data)\n return;\n\n map& m = buckets.get_buckets();\n map::iterator iter;\n\n for (iter = m.begin(); iter != m.end(); ++iter) {\n RGWBucketEnt obj = iter->second;\n dump_bucket(s, obj);\n }\n rgw_flush_formatter(s, s->formatter);\n}", "project": "ceph", "hash": 211727118530189820320846375476642687121, "size": 14, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281316 }, { "func": "void RGWGetObjTags_ObjStore_S3::send_response_data(bufferlist& bl)\n{\n dump_errno(s);\n end_header(s, this, 
\"application/xml\");\n dump_start(s);\n\n s->formatter->open_object_section_in_ns(\"Tagging\", XMLNS_AWS_S3);\n s->formatter->open_object_section(\"TagSet\");\n if (has_tags){\n RGWObjTagSet_S3 tagset;\n bufferlist::iterator iter = bl.begin();\n try {\n tagset.decode(iter);\n } catch (buffer::error& err) {\n ldout(s->cct,0) << \"ERROR: caught buffer::error, couldn't decode TagSet\" << dendl;\n op_ret= -EIO;\n return;\n }\n tagset.dump_xml(s->formatter);\n }\n s->formatter->close_section();\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 265288014204464187059149610535454727923, "size": 24, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281338 }, { "func": "void RGWGetObjTags_ObjStore_S3::send_response_data(bufferlist& bl)\n{\n dump_errno(s);\n end_header(s, this, \"application/xml\");\n dump_start(s);\n\n s->formatter->open_object_section_in_ns(\"Tagging\", XMLNS_AWS_S3);\n s->formatter->open_object_section(\"TagSet\");\n if (has_tags){\n RGWObjTagSet_S3 tagset;\n auto iter = bl.cbegin();\n try {\n tagset.decode(iter);\n } catch (buffer::error& err) {\n ldout(s->cct,0) << \"ERROR: caught buffer::error, couldn't decode TagSet\" << dendl;\n op_ret= -EIO;\n return;\n }\n tagset.dump_xml(s->formatter);\n }\n s->formatter->close_section();\n s->formatter->close_section();\n rgw_flush_formatter_and_reset(s, s->formatter);\n}", "project": "ceph", "hash": 236890352413952423877781291223197714737, "size": 24, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", 
"target": 0, "dataset": "other", "idx": 333815 }, { "func": "void RGWListBuckets_ObjStore_SWIFT::send_response_data(RGWUserBuckets& buckets)\n{\n if (! sent_data) {\n return;\n }\n\n /* Take care of the prefix parameter of Swift API. There is no business\n * in applying the filter earlier as we really need to go through all\n * entries regardless of it (the headers like X-Account-Container-Count\n * aren't affected by specifying prefix). */\n const std::map& m = buckets.get_buckets();\n for (auto iter = m.lower_bound(prefix);\n iter != m.end() && boost::algorithm::starts_with(iter->first, prefix);\n ++iter) {\n dump_bucket_entry(iter->second);\n }\n}", "project": "ceph", "hash": 55277790542689247702740825013558174423, "size": 17, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448834 }, { "func": "int RGWGetObj_ObjStore_SWIFT::send_response_data(bufferlist& bl,\n const off_t bl_ofs,\n const off_t bl_len)\n{\n string content_type;\n\n if (sent_header) {\n goto send_data;\n }\n\n if (custom_http_ret) {\n set_req_state_err(s, 0);\n dump_errno(s, custom_http_ret);\n } else {\n set_req_state_err(s, (partial_content && !op_ret) ? STATUS_PARTIAL_CONTENT\n\t\t : op_ret);\n dump_errno(s);\n\n if (s->is_err()) {\n end_header(s, NULL);\n return 0;\n }\n }\n\n if (range_str) {\n dump_range(s, ofs, end, s->obj_size);\n }\n\n if (s->is_err()) {\n end_header(s, NULL);\n return 0;\n }\n\n dump_content_length(s, total_len);\n dump_last_modified(s, lastmod);\n dump_header(s, \"X-Timestamp\", utime_t(lastmod));\n if (is_slo) {\n dump_header(s, \"X-Static-Large-Object\", \"True\");\n }\n\n if (! op_ret) {\n if (! 
lo_etag.empty()) {\n dump_etag(s, lo_etag, true /* quoted */);\n } else {\n auto iter = attrs.find(RGW_ATTR_ETAG);\n if (iter != attrs.end()) {\n dump_etag(s, iter->second.to_str());\n }\n }\n\n get_contype_from_attrs(attrs, content_type);\n dump_object_metadata(s, attrs);\n }\n\n end_header(s, this, !content_type.empty() ? content_type.c_str()\n\t : \"binary/octet-stream\");\n\n sent_header = true;\n\nsend_data:\n if (get_data && !op_ret) {\n const auto r = dump_body(s, bl.c_str() + bl_ofs, bl_len);\n if (r < 0) {\n return r;\n }\n }\n rgw_flush_formatter_and_reset(s, s->formatter);\n\n return 0;\n}", "project": "ceph", "hash": 97385578090319465923135167936791511589, "size": 70, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448863 }, { "func": "int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,\n\t\t\t\t\t off_t bl_len)\n{\n const char *content_type = NULL;\n string content_type_str;\n map response_attrs;\n map::iterator riter;\n bufferlist metadata_bl;\n\n if (sent_header)\n goto send_data;\n\n if (custom_http_ret) {\n set_req_state_err(s, 0);\n dump_errno(s, custom_http_ret);\n } else {\n set_req_state_err(s, (partial_content && !op_ret) ? 
STATUS_PARTIAL_CONTENT\n : op_ret);\n dump_errno(s);\n }\n\n if (op_ret)\n goto done;\n\n if (range_str)\n dump_range(s, start, end, s->obj_size);\n\n if (s->system_request &&\n s->info.args.exists(RGW_SYS_PARAM_PREFIX \"prepend-metadata\")) {\n\n dump_header(s, \"Rgwx-Object-Size\", (long long)total_len);\n\n if (rgwx_stat) {\n /*\n * in this case, we're not returning the object's content, only the prepended\n * extra metadata\n */\n total_len = 0;\n }\n\n /* JSON encode object metadata */\n JSONFormatter jf;\n jf.open_object_section(\"obj_metadata\");\n encode_json(\"attrs\", attrs, &jf);\n utime_t ut(lastmod);\n encode_json(\"mtime\", ut, &jf);\n jf.close_section();\n stringstream ss;\n jf.flush(ss);\n metadata_bl.append(ss.str());\n dump_header(s, \"Rgwx-Embedded-Metadata-Len\", metadata_bl.length());\n total_len += metadata_bl.length();\n }\n\n if (s->system_request && !real_clock::is_zero(lastmod)) {\n /* we end up dumping mtime in two different methods, a bit redundant */\n dump_epoch_header(s, \"Rgwx-Mtime\", lastmod);\n uint64_t pg_ver = 0;\n int r = decode_attr_bl_single_value(attrs, RGW_ATTR_PG_VER, &pg_ver, (uint64_t)0);\n if (r < 0) {\n ldout(s->cct, 0) << \"ERROR: failed to decode pg ver attr, ignoring\" << dendl;\n }\n dump_header(s, \"Rgwx-Obj-PG-Ver\", pg_ver);\n\n uint32_t source_zone_short_id = 0;\n r = decode_attr_bl_single_value(attrs, RGW_ATTR_SOURCE_ZONE, &source_zone_short_id, (uint32_t)0);\n if (r < 0) {\n ldout(s->cct, 0) << \"ERROR: failed to decode pg ver attr, ignoring\" << dendl;\n }\n if (source_zone_short_id != 0) {\n dump_header(s, \"Rgwx-Source-Zone-Short-Id\", source_zone_short_id);\n }\n }\n\n for (auto &it : crypt_http_responses)\n dump_header(s, it.first, it.second);\n\n dump_content_length(s, total_len);\n dump_last_modified(s, lastmod);\n dump_header_if_nonempty(s, \"x-amz-version-id\", version_id);\n if (attrs.find(RGW_ATTR_APPEND_PART_NUM) != attrs.end()) {\n dump_header(s, \"x-rgw-object-type\", \"Appendable\");\n 
dump_header(s, \"x-rgw-next-append-position\", s->obj_size);\n } else {\n dump_header(s, \"x-rgw-object-type\", \"Normal\");\n }\n\n if (! op_ret) {\n if (! lo_etag.empty()) {\n /* Handle etag of Swift API's large objects (DLO/SLO). It's entirerly\n * legit to perform GET on them through S3 API. In such situation,\n * a client should receive the composited content with corresponding\n * etag value. */\n dump_etag(s, lo_etag);\n } else {\n auto iter = attrs.find(RGW_ATTR_ETAG);\n if (iter != attrs.end()) {\n dump_etag(s, iter->second.to_str());\n }\n }\n\n for (struct response_attr_param *p = resp_attr_params; p->param; p++) {\n bool exists;\n string val = s->info.args.get(p->param, &exists);\n if (exists) {\n\t/* reject unauthenticated response header manipulation, see\n\t * https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */\n\tif (s->auth.identity->is_anonymous()) {\n\t return -ERR_INVALID_REQUEST;\n\t}\n /* HTTP specification says no control characters should be present in\n * header values: https://tools.ietf.org/html/rfc7230#section-3.2\n * field-vchar = VCHAR / obs-text\n *\n * Failure to validate this permits a CRLF injection in HTTP headers,\n * whereas S3 GetObject only permits specific headers.\n */\n if(str_has_cntrl(val)) {\n /* TODO: return a more distinct error in future;\n * stating what the problem is */\n return -ERR_INVALID_REQUEST;\n }\n\n\tif (strcmp(p->param, \"response-content-type\") != 0) {\n\t response_attrs[p->http_attr] = val;\n\t} else {\n\t content_type_str = val;\n\t content_type = content_type_str.c_str();\n\t}\n }\n }\n\n for (auto iter = attrs.begin(); iter != attrs.end(); ++iter) {\n const char *name = iter->first.c_str();\n map::iterator aiter = rgw_to_http_attrs.find(name);\n if (aiter != rgw_to_http_attrs.end()) {\n if (response_attrs.count(aiter->second) == 0) {\n /* Was not already overridden by a response param. 
*/\n\n size_t len = iter->second.length();\n string s(iter->second.c_str(), len);\n while (len && !s[len - 1]) {\n --len;\n s.resize(len);\n }\n response_attrs[aiter->second] = s;\n }\n } else if (iter->first.compare(RGW_ATTR_CONTENT_TYPE) == 0) {\n /* Special handling for content_type. */\n if (!content_type) {\n content_type_str = rgw_bl_str(iter->second);\n content_type = content_type_str.c_str();\n }\n } else if (strcmp(name, RGW_ATTR_SLO_UINDICATOR) == 0) {\n // this attr has an extra length prefix from encode() in prior versions\n dump_header(s, \"X-Object-Meta-Static-Large-Object\", \"True\");\n } else if (strncmp(name, RGW_ATTR_META_PREFIX,\n\t\t\t sizeof(RGW_ATTR_META_PREFIX)-1) == 0) {\n /* User custom metadata. */\n name += sizeof(RGW_ATTR_PREFIX) - 1;\n dump_header(s, name, iter->second);\n } else if (iter->first.compare(RGW_ATTR_TAGS) == 0) {\n RGWObjTags obj_tags;\n try{\n auto it = iter->second.cbegin();\n obj_tags.decode(it);\n } catch (buffer::error &err) {\n ldout(s->cct,0) << \"Error caught buffer::error couldn't decode TagSet \" << dendl;\n }\n dump_header(s, RGW_AMZ_TAG_COUNT, obj_tags.count());\n } else if (iter->first.compare(RGW_ATTR_OBJECT_RETENTION) == 0 && get_retention){\n RGWObjectRetention retention;\n try {\n decode(retention, iter->second);\n dump_header(s, \"x-amz-object-lock-mode\", retention.get_mode());\n dump_time_header(s, \"x-amz-object-lock-retain-until-date\", retention.get_retain_until_date());\n } catch (buffer::error& err) {\n ldpp_dout(this, 0) << \"ERROR: failed to decode RGWObjectRetention\" << dendl;\n }\n } else if (iter->first.compare(RGW_ATTR_OBJECT_LEGAL_HOLD) == 0 && get_legal_hold) {\n RGWObjectLegalHold legal_hold;\n try {\n decode(legal_hold, iter->second);\n dump_header(s, \"x-amz-object-lock-legal-hold\",legal_hold.get_status());\n } catch (buffer::error& err) {\n ldpp_dout(this, 0) << \"ERROR: failed to decode RGWObjectLegalHold\" << dendl;\n }\n }\n }\n }\n\ndone:\n for (riter = response_attrs.begin(); 
riter != response_attrs.end();\n ++riter) {\n dump_header(s, riter->first, riter->second);\n }\n\n if (op_ret == -ERR_NOT_MODIFIED) {\n end_header(s, this);\n } else {\n if (!content_type)\n content_type = \"binary/octet-stream\";\n\n end_header(s, this, content_type);\n }\n\n if (metadata_bl.length()) {\n dump_body(s, metadata_bl);\n }\n sent_header = true;\n\nsend_data:\n if (get_data && !op_ret) {\n int r = dump_body(s, bl.c_str() + bl_ofs, bl_len);\n if (r < 0)\n return r;\n }\n\n return 0;\n}", "project": "ceph", "hash": 201752665573529785548111322973661860146, "size": 220, "commit_id": "c7da604cb101cbe78a257a29498a98c69964e0a6", "message": "rgw: reject control characters in response-header actions\n\nS3 GetObject permits overriding response header values, but those inputs\nneed to be validated to insure only characters that are valid in an HTTP\nheader value are present.\n\nCredit: Initial vulnerability discovery by William Bowling (@wcbowling)\nCredit: Further vulnerability discovery by Robin H. Johnson \nSigned-off-by: Robin H. 
Johnson ", "target": 0, "dataset": "other", "idx": 455531 }, { "func": "static void encode_destroy_clientid(struct xdr_stream *xdr,\n\t\t\t\t uint64_t clientid,\n\t\t\t\t struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_DESTROY_CLIENTID, decode_destroy_clientid_maxsz, hdr);\n\tencode_uint64(xdr, clientid);\n}", "project": "linux", "hash": 93199191344118610294843749146568301275, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431474 }, { "func": "void CClient::PutIRC(const CString& sLine) {\n if (m_pNetwork) {\n m_pNetwork->PutIRC(sLine);\n }\n}", "project": "znc", "hash": 12904654347936699039602931676774941342, "size": 5, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231578 }, { "func": "static inline void sca_copy_entry(struct esca_entry *d, struct bsca_entry *s)\n{\n\td->sda = s->sda;\n\td->sigp_ctrl.c = s->sigp_ctrl.c;\n\td->sigp_ctrl.scn = s->sigp_ctrl.scn;\n}", "project": "linux", "hash": 310615967447275117856900966291373113359, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used 
slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354791 }, { "func": "static void nfs4_test_and_free_stateid(struct nfs_server *server,\n\t\tnfs4_stateid *stateid,\n\t\tconst struct cred *cred)\n{\n\tconst struct nfs4_minor_version_ops *ops = server->nfs_client->cl_mvops;\n\n\tops->test_and_free_expired(server, stateid, cred);\n}", "project": "linux", "hash": 93424858307007824862949515109746709195, "size": 8, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431009 }, { "func": "static void php_gdimagecharup(gdImagePtr im, gdFontPtr f, int x, int y,\n int c, int color) {\n int cx, cy, px, py, fline;\n cx = 0;\n cy = 0;\n\n if ((c < f->offset) || (c >= (f->offset + f->nchars))) {\n return;\n }\n\n fline = (c - f->offset) * f->h * f->w;\n for (py = y; (py > (y - f->w)); py--) {\n for (px = x; (px < (x + f->h)); px++) {\n if (f->data[fline + cy * f->w + cx]) {\n gdImageSetPixel(im, px, py, color);\n }\n cy++;\n }\n cy = 0;\n cx++;\n }\n}", "project": "hhvm", "hash": 334550883405922153870644516175302667145, "size": 22, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219124 }, { "func": " int get_request_payment_payer(bool *requester_pays) {\n XMLObj *config = find_first(\"RequestPaymentConfiguration\");\n 
if (!config)\n return -EINVAL;\n\n *requester_pays = false;\n\n XMLObj *field = config->find_first(\"Payer\");\n if (!field)\n return 0;\n\n string& s = field->get_data();\n\n if (stringcasecmp(s, \"Requester\") == 0) {\n *requester_pays = true;\n } else if (stringcasecmp(s, \"BucketOwner\") != 0) {\n return -EINVAL;\n }\n\n return 0;\n }", "project": "ceph", "hash": 332769862336326880449358763400477504271, "size": 21, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281263 }, { "func": " int toInt32 () const { return m_str ? m_str->toInt32 () : 0;}", "project": "hhvm", "hash": 144119448336875543968921942724918675169, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219100 }, { "func": "void lj_trace_ins(jit_State *J, const BCIns *pc)\n{\n /* Note: J->L must already be set. pc is the true bytecode PC here. */\n J->pc = pc;\n J->fn = curr_func(J->L);\n J->pt = isluafunc(J->fn) ? 
funcproto(J->fn) : NULL;\n while (lj_vm_cpcall(J->L, NULL, (void *)J, trace_state) != 0)\n J->state = LJ_TRACE_ERR;\n}", "project": "LuaJIT", "hash": 40110061586625213070382733593670534071, "size": 9, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394624 }, { "func": "slab_flags_t kmem_cache_flags(unsigned int object_size,\n\tslab_flags_t flags, const char *name,\n\tvoid (*ctor)(void *))\n{\n\treturn flags;\n}", "project": "linux", "hash": 314779384054410151923124910008720102899, "size": 6, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280090 }, { "func": "static void cmd_parse_list (IMAP_DATA* idata, char* s)\n{\n IMAP_LIST* list;\n IMAP_LIST lb;\n char delimbuf[5]; /* worst case: \"\\\\\"\\0 */\n unsigned int litlen;\n\n if (idata->cmddata && idata->cmdtype == IMAP_CT_LIST)\n list = (IMAP_LIST*)idata->cmddata;\n else\n list = &lb;\n\n memset (list, 0, sizeof (IMAP_LIST));\n\n /* flags */\n s = imap_next_word (s);\n if (*s != '(')\n {\n dprint (1, (debugfile, \"Bad LIST response\\n\"));\n return;\n }\n s++;\n while (*s)\n {\n if (!ascii_strncasecmp (s, \"\\\\NoSelect\", 9))\n list->noselect = 1;\n else if (!ascii_strncasecmp (s, \"\\\\NoInferiors\", 12))\n list->noinferiors = 1;\n /* See draft-gahrns-imap-child-mailbox-?? */\n else if (!ascii_strncasecmp (s, \"\\\\HasNoChildren\", 14))\n list->noinferiors = 1;\n \n s = imap_next_word (s);\n if (*(s - 2) == ')')\n break;\n }\n\n /* Delimiter */\n if (ascii_strncasecmp (s, \"NIL\", 3))\n {\n delimbuf[0] = '\\0';\n safe_strcat (delimbuf, 5, s); \n imap_unquote_string (delimbuf);\n list->delim = delimbuf[0];\n }\n\n /* Name */\n s = imap_next_word (s);\n /* Notes often responds with literals here. We need a real tokenizer. 
*/\n if (!imap_get_literal_count (s, &litlen))\n {\n if (imap_cmd_step (idata) != IMAP_CMD_CONTINUE)\n {\n idata->status = IMAP_FATAL;\n return;\n }\n list->name = idata->buf;\n }\n else\n {\n imap_unmunge_mbox_name (idata, s);\n list->name = s;\n }\n\n if (list->name[0] == '\\0')\n {\n idata->delim = list->delim;\n dprint (3, (debugfile, \"Root delimiter: %c\\n\", idata->delim));\n }\n}", "project": "mutt", "hash": 17649390277899758536126742690059828123, "size": 70, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338030 }, { "func": "static ssize_t objects_show(struct kmem_cache *s, char *buf)\n{\n\treturn show_slab_objects(s, buf, SO_ALL|SO_OBJECTS);\n}", "project": "linux", "hash": 284927230536321514313301848573106447682, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280178 }, { "func": "int nfs4_call_sync(struct rpc_clnt *clnt,\n\t\t struct nfs_server *server,\n\t\t struct rpc_message *msg,\n\t\t struct nfs4_sequence_args *args,\n\t\t struct nfs4_sequence_res *res,\n\t\t int cache_reply)\n{\n\tnfs4_init_sequence(args, res, cache_reply, 0);\n\treturn nfs4_call_sync_sequence(clnt, server, msg, args, res);\n}", "project": "linux", "hash": 153909392796808368113355420423583636227, "size": 10, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431278 }, { "func": "static void synic_exit(struct kvm_vcpu_hv_synic *synic, u32 msr)\n{\n\tstruct kvm_vcpu *vcpu = hv_synic_to_vcpu(synic);\n\tstruct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu);\n\n\thv_vcpu->exit.type = KVM_EXIT_HYPERV_SYNIC;\n\thv_vcpu->exit.u.synic.msr = msr;\n\thv_vcpu->exit.u.synic.control = synic->control;\n\thv_vcpu->exit.u.synic.evt_page = synic->evt_page;\n\thv_vcpu->exit.u.synic.msg_page = synic->msg_page;\n\n\tkvm_make_request(KVM_REQ_HV_EXIT, vcpu);\n}", "project": "linux", "hash": 139084535683271892179794067784476493019, "size": 13, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V 
context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343534 }, { "project": "Chrome", "commit_id": "de5aa214ea77b3d2c4ff8a0c58f446896c107ce0", "target": 0, "func": "void TranslateManager::InitiateTranslation(TabContents* tab,\n const std::string& page_lang) {\n PrefService* prefs = tab->profile()->GetPrefs();\n if (!prefs->GetBoolean(prefs::kEnableTranslate))\n return;\n\n pref_change_registrar_.Init(prefs);\n\n if (CommandLine::ForCurrentProcess()->HasSwitch(switches::kDisableTranslate))\n return;\n\n NavigationEntry* entry = tab->controller().GetActiveEntry();\n if (!entry) {\n return;\n }\n\n if (GetTranslateInfoBarDelegate(tab))\n return;\n\n std::string target_lang = GetTargetLanguage();\n if (target_lang.empty() || !IsSupportedLanguage(page_lang)) {\n return;\n }\n\n if (!IsTranslatableURL(entry->url()) || page_lang == target_lang ||\n !TranslatePrefs::CanTranslate(prefs, page_lang, entry->url()) ||\n IsAcceptLanguage(tab, page_lang)) {\n return;\n }\n\n std::string auto_target_lang;\n if (!tab->profile()->IsOffTheRecord() &&\n TranslatePrefs::ShouldAutoTranslate(prefs, page_lang,\n &auto_target_lang)) {\n TranslatePage(tab, page_lang, auto_target_lang);\n return;\n }\n\n std::string auto_translate_to = tab->language_state().AutoTranslateTo();\n if (!auto_translate_to.empty()) {\n TranslatePage(tab, page_lang, auto_translate_to);\n return;\n }\n\n tab->AddInfoBar(TranslateInfoBarDelegate::CreateDelegate(\n TranslateInfoBarDelegate::BEFORE_TRANSLATE, tab,\n page_lang, target_lang));\n}\n", "cwe": "", "big_vul_idx": 108001, "idx": 96967, "hash": 307095169690908386154249455949768075934 }, { 
"func": "u64 ftrace_now(int cpu)\n{\n\treturn buffer_ftrace_now(&global_trace.trace_buffer, cpu);\n}", "project": "linux", "hash": 132590939106109685928482095242419194492, "size": 4, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445573 }, { "func": "static void free_saved_cmdlines_buffer(struct saved_cmdlines_buffer *s)\n{\n\tkfree(s->saved_cmdlines);\n\tkfree(s->map_cmdline_to_pid);\n\tkfree(s);\n}", "project": "linux", "hash": 157325540804354943244255914669352567004, "size": 6, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445728 }, { "func": "DLLEXPORT unsigned long DLLCALL tjPlaneSizeYUV(int componentID, int width,\n\tint stride, int height, int subsamp)\n{\n\tunsigned long retval=0;\n\tint pw, ph;\n\n\tif(width<1 || height<1 || subsamp<0 || subsamp>=NUMSUBOPT)\n\t\t_throw(\"tjPlaneSizeYUV(): Invalid argument\");\n\n\tpw=tjPlaneWidth(componentID, width, subsamp);\n\tph=tjPlaneHeight(componentID, height, subsamp);\n\tif(pw<0 || ph<0) return -1;\n\n\tif(stride==0) stride=pw;\n\telse stride=abs(stride);\n\n\tretval=stride*(ph-1)+pw;\n\n\tbailout:\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 304762996543547857534471215029312661584, "size": 21, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... 
when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311113 }, { "func": "UnicodeStringTest::TestStackAllocation()\n{\n UChar testString[] ={ \n 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x61, 0x20, 0x63, 0x72, 0x61, 0x7a, 0x79, 0x20, 0x74, 0x65, 0x73, 0x74, 0x2e, 0 };\n UChar guardWord = 0x4DED;\n UnicodeString* test = 0;\n\n test = new UnicodeString(testString);\n if (*test != \"This is a crazy test.\")\n errln(\"Test string failed to initialize properly.\");\n if (guardWord != 0x04DED)\n errln(\"Test string initialization overwrote guard word!\");\n\n test->insert(8, \"only \");\n test->remove(15, 6);\n if (*test != \"This is only a test.\")\n errln(\"Manipulation of test string failed to work right.\");\n if (guardWord != 0x4DED)\n errln(\"Manipulation of test string overwrote guard word!\");\n\n // we have to deinitialize and release the backing store by calling the destructor\n // explicitly, since we can't overload operator delete\n delete test;\n\n UChar workingBuffer[] = {\n 0x4e, 0x6f, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20,\n 0x66, 0x6f, 0x72, 0x20, 0x61, 0x6c, 0x6c, 0x20, 0x6d, 0x65, 0x6e, 0x20, 0x74, 0x6f, 0x20,\n 0x63, 0x6f, 0x6d, 0x65, 0xffff, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };\n UChar guardWord2 = 0x4DED;\n\n test = new UnicodeString(workingBuffer, 35, 100);\n if (*test != \"Now is the time for all men to come\")\n errln(\"Stack-allocated backing store failed to initialize correctly.\");\n if (guardWord2 != 0x4DED)\n errln(\"Stack-allocated backing store overwrote guard word!\");\n\n test->insert(24, \"good \");\n if (*test != \"Now is the time for all good men to come\")\n errln(\"insert() on stack-allocated UnicodeString didn't work right\");\n if 
(guardWord2 != 0x4DED)\n errln(\"insert() on stack-allocated UnicodeString overwrote guard word!\");\n\n if (workingBuffer[24] != 0x67)\n errln(\"insert() on stack-allocated UnicodeString didn't affect backing store\");\n\n *test += \" to the aid of their country.\";\n if (*test != \"Now is the time for all good men to come to the aid of their country.\")\n errln(\"Stack-allocated UnicodeString overflow didn't work\");\n if (guardWord2 != 0x4DED)\n errln(\"Stack-allocated UnicodeString overflow overwrote guard word!\");\n\n *test = \"ha!\";\n if (*test != \"ha!\")\n errln(\"Assignment to stack-allocated UnicodeString didn't work\");\n if (workingBuffer[0] != 0x4e)\n errln(\"Change to UnicodeString after overflow are still affecting original buffer\");\n if (guardWord2 != 0x4DED)\n errln(\"Change to UnicodeString after overflow overwrote guard word!\");\n\n // test read-only aliasing with setTo()\n workingBuffer[0] = 0x20ac;\n workingBuffer[1] = 0x125;\n workingBuffer[2] = 0;\n test->setTo(TRUE, workingBuffer, 2);\n if(test->length() != 2 || test->charAt(0) != 0x20ac || test->charAt(1) != 0x125) {\n errln(\"UnicodeString.setTo(readonly alias) does not alias correctly\");\n }\n\n UnicodeString *c=test->clone();\n\n workingBuffer[1] = 0x109;\n if(test->charAt(1) != 0x109) {\n errln(\"UnicodeString.setTo(readonly alias) made a copy: did not see change in buffer\");\n }\n\n if(c->length() != 2 || c->charAt(1) != 0x125) {\n errln(\"clone(alias) did not copy the buffer\");\n }\n delete c;\n\n test->setTo(TRUE, workingBuffer, -1);\n if(test->length() != 2 || test->charAt(0) != 0x20ac || test->charAt(1) != 0x109) {\n errln(\"UnicodeString.setTo(readonly alias, length -1) does not alias correctly\");\n }\n\n test->setTo(FALSE, workingBuffer, -1);\n if(!test->isBogus()) {\n errln(\"UnicodeString.setTo(unterminated readonly alias, length -1) does not result in isBogus()\");\n }\n \n delete test;\n \n test=new UnicodeString();\n UChar buffer[]={0x0061, 0x0062, 0x20ac, 0x0043, 
0x0042, 0x0000};\n test->setTo(buffer, 4, 10);\n if(test->length() !=4 || test->charAt(0) != 0x0061 || test->charAt(1) != 0x0062 ||\n test->charAt(2) != 0x20ac || test->charAt(3) != 0x0043){\n errln((UnicodeString)\"UnicodeString.setTo(UChar*, length, capacity) does not work correctly\\n\" + prettify(*test));\n }\n delete test;\n\n\n // test the UChar32 constructor\n UnicodeString c32Test((UChar32)0x10ff2a);\n if( c32Test.length() != U16_LENGTH(0x10ff2a) ||\n c32Test.char32At(c32Test.length() - 1) != 0x10ff2a\n ) {\n errln(\"The UnicodeString(UChar32) constructor does not work with a 0x10ff2a filler\");\n }\n\n // test the (new) capacity constructor\n UnicodeString capTest(5, (UChar32)0x2a, 5);\n if( capTest.length() != 5 * U16_LENGTH(0x2a) ||\n capTest.char32At(0) != 0x2a ||\n capTest.char32At(4) != 0x2a\n ) {\n errln(\"The UnicodeString capacity constructor does not work with an ASCII filler\");\n }\n\n capTest = UnicodeString(5, (UChar32)0x10ff2a, 5);\n if( capTest.length() != 5 * U16_LENGTH(0x10ff2a) ||\n capTest.char32At(0) != 0x10ff2a ||\n capTest.char32At(4) != 0x10ff2a\n ) {\n errln(\"The UnicodeString capacity constructor does not work with a 0x10ff2a filler\");\n }\n\n capTest = UnicodeString(5, (UChar32)0, 0);\n if(capTest.length() != 0) {\n errln(\"The UnicodeString capacity constructor does not work with a 0x10ff2a filler\");\n }\n}", "project": "icu", "hash": 232291194279260558904841710513856646327, "size": 134, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430798 }, { "func": "char * php_conv_fp(register char format, register double num,\n bool add_dp, int precision, char dec_point,\n int *is_negative, char *buf, int *len) {\n register char *s = buf;\n register char *p, *p_orig;\n int decimal_point;\n\n if (precision >= NDIG - 1) {\n precision = NDIG - 2;\n }\n\n if (format == 'F') {\n p_orig = p = php_fcvt(num, precision, 
&decimal_point, is_negative);\n } else { // either e or E format\n p_orig = p = php_ecvt(num, precision + 1, &decimal_point, is_negative);\n }\n\n // Check for Infinity and NaN\n if (isalpha((int)*p)) {\n *len = strlen(p);\n memcpy(buf, p, *len + 1);\n *is_negative = 0;\n free(p_orig);\n return (buf);\n }\n if (format == 'F') {\n if (decimal_point <= 0) {\n if (num != 0 || precision > 0) {\n *s++ = '0';\n if (precision > 0) {\n *s++ = dec_point;\n while (decimal_point++ < 0) {\n *s++ = '0';\n }\n } else if (add_dp) {\n *s++ = dec_point;\n }\n }\n } else {\n int addz = decimal_point >= NDIG ? decimal_point - NDIG + 1 : 0;\n decimal_point -= addz;\n while (decimal_point-- > 0) {\n *s++ = *p++;\n }\n while (addz-- > 0) {\n *s++ = '0';\n }\n if (precision > 0 || add_dp) {\n *s++ = dec_point;\n }\n }\n } else {\n *s++ = *p++;\n if (precision > 0 || add_dp) {\n *s++ = '.';\n }\n }\n\n // copy the rest of p, the NUL is NOT copied\n while (*p) {\n *s++ = *p++;\n }\n\n if (format != 'F') {\n char temp[EXPONENT_LENGTH]; // for exponent conversion\n int t_len;\n int exponent_is_negative;\n\n *s++ = format; // either e or E\n decimal_point--;\n if (decimal_point != 0) {\n p = ap_php_conv_10((int64_t) decimal_point, false,\n &exponent_is_negative, &temp[EXPONENT_LENGTH],\n &t_len);\n *s++ = exponent_is_negative ? 
'-' : '+';\n\n // Make sure the exponent has at least 2 digits\n while (t_len--) {\n *s++ = *p++;\n }\n } else {\n *s++ = '+';\n *s++ = '0';\n }\n }\n *len = s - buf;\n free(p_orig);\n return (buf);\n}", "project": "hhvm", "hash": 141646447671514745105047246067043087789, "size": 89, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219650 }, { "func": "static void report_features(struct hid_device *hid)\n{\n\tstruct hid_driver *drv = hid->driver;\n\tstruct hid_report_enum *rep_enum;\n\tstruct hid_report *rep;\n\tstruct hid_usage *usage;\n\tint i, j;\n\n\trep_enum = &hid->report_enum[HID_FEATURE_REPORT];\n\tlist_for_each_entry(rep, &rep_enum->report_list, list)\n\t\tfor (i = 0; i < rep->maxfield; i++) {\n\t\t\t/* Ignore if report count is out of bounds. */\n\t\t\tif (rep->field[i]->report_count < 1)\n\t\t\t\tcontinue;\n\n\t\t\tfor (j = 0; j < rep->field[i]->maxusage; j++) {\n\t\t\t\tusage = &rep->field[i]->usage[j];\n\n\t\t\t\t/* Verify if Battery Strength feature is available */\n\t\t\t\tif (usage->hid == HID_DC_BATTERYSTRENGTH)\n\t\t\t\t\thidinput_setup_battery(hid, HID_FEATURE_REPORT,\n\t\t\t\t\t\t\t rep->field[i]);\n\n\t\t\t\tif (drv->feature_mapping)\n\t\t\t\t\tdrv->feature_mapping(hid, rep->field[i], usage);\n\t\t\t}\n\t\t}\n}", "project": "linux", "hash": 213861108591585086950175841487765801981, "size": 28, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- 
spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458419 }, { "func": "static void kvm_clock_sync_scb(struct kvm_s390_sie_block *scb, u64 delta)\n{\n\tu8 delta_idx = 0;\n\n\t/*\n\t * The TOD jumps by delta, we have to compensate this by adding\n\t * -delta to the epoch.\n\t */\n\tdelta = -delta;\n\n\t/* sign-extension - we're adding to signed values below */\n\tif ((s64)delta < 0)\n\t\tdelta_idx = -1;\n\n\tscb->epoch += delta;\n\tif (scb->ecd & ECD_MEF) {\n\t\tscb->epdx += delta_idx;\n\t\tif (scb->epoch < delta)\n\t\t\tscb->epdx += 1;\n\t}\n}", "project": "linux", "hash": 248537156101714068225638174383586312698, "size": 21, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354572 }, { "func": "void CClient::SendRequiredPasswordNotice() {\n PutClient(\":irc.znc.in 464 \" + GetNick() + \" :Password required\");\n PutClient(\n \":irc.znc.in NOTICE \" + GetNick() + \" :*** \"\n \"You need to send your password. 
\"\n \"Configure your client to send a server password.\");\n PutClient(\n \":irc.znc.in NOTICE \" + GetNick() + \" :*** \"\n \"To connect now, you can use /quote PASS :, \"\n \"or /quote PASS /: to connect to a \"\n \"specific network.\");\n}", "project": "znc", "hash": 145455505509728568105185582922321636087, "size": 12, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231566 }, { "func": "void CLua::getglobal(const char *name)\n{\n lua_getglobal(state(), name);\n}", "project": "crawl", "hash": 293366388909776071855140099643811082831, "size": 4, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230465 }, { "func": "int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,\n int len, int peek)\n{\n int al, i, j, ret;\n unsigned int n, curr_rec, num_recs, read_bytes;\n SSL3_RECORD *rr;\n SSL3_BUFFER *rbuf;\n void (*cb) (const SSL *ssl, int type2, int val) = NULL;\n\n rbuf = &s->rlayer.rbuf;\n\n if (!SSL3_BUFFER_is_initialised(rbuf)) {\n /* Not initialized yet */\n if (!ssl3_setup_read_buffer(s))\n return (-1);\n }\n\n if ((type && (type != SSL3_RT_APPLICATION_DATA)\n && (type != SSL3_RT_HANDSHAKE)) || (peek\n && (type !=\n SSL3_RT_APPLICATION_DATA))) {\n SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);\n return -1;\n }\n\n if ((type == SSL3_RT_HANDSHAKE) && (s->rlayer.handshake_fragment_len > 0))\n /* (partially) satisfy request from storage */\n {\n unsigned char *src = s->rlayer.handshake_fragment;\n unsigned char *dst = buf;\n unsigned int k;\n\n /* peek == 0 */\n n = 0;\n while ((len > 0) && (s->rlayer.handshake_fragment_len > 0)) {\n *dst++ = *src++;\n len--;\n s->rlayer.handshake_fragment_len--;\n n++;\n }\n /* move any remaining fragment bytes: */\n for (k = 0; k < s->rlayer.handshake_fragment_len; k++)\n s->rlayer.handshake_fragment[k] = 
*src++;\n\n if (recvd_type != NULL)\n *recvd_type = SSL3_RT_HANDSHAKE;\n\n return n;\n }\n\n /*\n * Now s->rlayer.handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE.\n */\n\n if (!ossl_statem_get_in_handshake(s) && SSL_in_init(s)) {\n /* type == SSL3_RT_APPLICATION_DATA */\n i = s->handshake_func(s);\n if (i < 0)\n return (i);\n if (i == 0) {\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);\n return (-1);\n }\n }\n start:\n s->rwstate = SSL_NOTHING;\n\n /*-\n * For each record 'i' up to |num_recs]\n * rr[i].type - is the type of record\n * rr[i].data, - data\n * rr[i].off, - offset into 'data' for next read\n * rr[i].length, - number of bytes.\n */\n rr = s->rlayer.rrec;\n num_recs = RECORD_LAYER_get_numrpipes(&s->rlayer);\n\n do {\n /* get new records if necessary */\n if (num_recs == 0) {\n ret = ssl3_get_record(s);\n if (ret <= 0)\n return (ret);\n num_recs = RECORD_LAYER_get_numrpipes(&s->rlayer);\n if (num_recs == 0) {\n /* Shouldn't happen */\n al = SSL_AD_INTERNAL_ERROR;\n SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);\n goto f_err;\n }\n }\n /* Skip over any records we have already read */\n for (curr_rec = 0;\n curr_rec < num_recs && SSL3_RECORD_is_read(&rr[curr_rec]);\n curr_rec++) ;\n if (curr_rec == num_recs) {\n RECORD_LAYER_set_numrpipes(&s->rlayer, 0);\n num_recs = 0;\n curr_rec = 0;\n }\n } while (num_recs == 0);\n rr = &rr[curr_rec];\n\n /*\n * Reset the count of consecutive warning alerts if we've got a non-empty\n * record that isn't an alert.\n */\n if (SSL3_RECORD_get_type(rr) != SSL3_RT_ALERT\n && SSL3_RECORD_get_length(rr) != 0)\n s->rlayer.alert_count = 0;\n\n /* we now have a packet which can be read and processed */\n\n if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,\n * reset by ssl3_get_finished */\n && (SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE)) {\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);\n goto f_err;\n }\n\n /*\n * If the 
other end has shut down, throw anything we read away (even in\n * 'peek' mode)\n */\n if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {\n SSL3_RECORD_set_length(rr, 0);\n s->rwstate = SSL_NOTHING;\n return (0);\n }\n\n if (type == SSL3_RECORD_get_type(rr)\n || (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC\n && type == SSL3_RT_HANDSHAKE && recvd_type != NULL)) {\n /*\n * SSL3_RT_APPLICATION_DATA or\n * SSL3_RT_HANDSHAKE or\n * SSL3_RT_CHANGE_CIPHER_SPEC\n */\n /*\n * make sure that we are not getting application data when we are\n * doing a handshake for the first time\n */\n if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&\n (s->enc_read_ctx == NULL)) {\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE);\n goto f_err;\n }\n\n if (type == SSL3_RT_HANDSHAKE\n && SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC\n && s->rlayer.handshake_fragment_len > 0) {\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY);\n goto f_err;\n }\n\n if (recvd_type != NULL)\n *recvd_type = SSL3_RECORD_get_type(rr);\n\n if (len <= 0)\n return (len);\n\n read_bytes = 0;\n do {\n if ((unsigned int)len - read_bytes > SSL3_RECORD_get_length(rr))\n n = SSL3_RECORD_get_length(rr);\n else\n n = (unsigned int)len - read_bytes;\n\n memcpy(buf, &(rr->data[rr->off]), n);\n buf += n;\n if (!peek) {\n SSL3_RECORD_sub_length(rr, n);\n SSL3_RECORD_add_off(rr, n);\n if (SSL3_RECORD_get_length(rr) == 0) {\n s->rlayer.rstate = SSL_ST_READ_HEADER;\n SSL3_RECORD_set_off(rr, 0);\n SSL3_RECORD_set_read(rr);\n }\n }\n if (SSL3_RECORD_get_length(rr) == 0\n || (peek && n == SSL3_RECORD_get_length(rr))) {\n curr_rec++;\n rr++;\n }\n read_bytes += n;\n } while (type == SSL3_RT_APPLICATION_DATA && curr_rec < num_recs\n && read_bytes < (unsigned int)len);\n if (read_bytes == 0) {\n /* We must have read empty records. 
Get more data */\n goto start;\n }\n if (!peek && curr_rec == num_recs\n && (s->mode & SSL_MODE_RELEASE_BUFFERS)\n && SSL3_BUFFER_get_left(rbuf) == 0)\n ssl3_release_read_buffer(s);\n return read_bytes;\n }\n\n /*\n * If we get here, then type != rr->type; if we have a handshake message,\n * then it was unexpected (Hello Request or Client Hello) or invalid (we\n * were actually expecting a CCS).\n */\n\n /*\n * Lets just double check that we've not got an SSLv2 record\n */\n if (rr->rec_version == SSL2_VERSION) {\n /*\n * Should never happen. ssl3_get_record() should only give us an SSLv2\n * record back if this is the first packet and we are looking for an\n * initial ClientHello. Therefore |type| should always be equal to\n * |rr->type|. If not then something has gone horribly wrong\n */\n al = SSL_AD_INTERNAL_ERROR;\n SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);\n goto f_err;\n }\n\n if (s->method->version == TLS_ANY_VERSION\n && (s->server || rr->type != SSL3_RT_ALERT)) {\n /*\n * If we've got this far and still haven't decided on what version\n * we're using then this must be a client side alert we're dealing with\n * (we don't allow heartbeats yet). 
We shouldn't be receiving anything\n * other than a ClientHello if we are a server.\n */\n s->version = rr->rec_version;\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_MESSAGE);\n goto f_err;\n }\n\n /*\n * In case of record types for which we have 'fragment' storage, fill\n * that so that we can process the data at a fixed place.\n */\n {\n unsigned int dest_maxlen = 0;\n unsigned char *dest = NULL;\n unsigned int *dest_len = NULL;\n\n if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) {\n dest_maxlen = sizeof s->rlayer.handshake_fragment;\n dest = s->rlayer.handshake_fragment;\n dest_len = &s->rlayer.handshake_fragment_len;\n } else if (SSL3_RECORD_get_type(rr) == SSL3_RT_ALERT) {\n dest_maxlen = sizeof s->rlayer.alert_fragment;\n dest = s->rlayer.alert_fragment;\n dest_len = &s->rlayer.alert_fragment_len;\n }\n\n if (dest_maxlen > 0) {\n n = dest_maxlen - *dest_len; /* available space in 'dest' */\n if (SSL3_RECORD_get_length(rr) < n)\n n = SSL3_RECORD_get_length(rr); /* available bytes */\n\n /* now move 'n' bytes: */\n while (n-- > 0) {\n dest[(*dest_len)++] =\n SSL3_RECORD_get_data(rr)[SSL3_RECORD_get_off(rr)];\n SSL3_RECORD_add_off(rr, 1);\n SSL3_RECORD_add_length(rr, -1);\n }\n\n if (*dest_len < dest_maxlen) {\n SSL3_RECORD_set_read(rr);\n goto start; /* fragment was too small */\n }\n }\n }\n\n /*-\n * s->rlayer.handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;\n * s->rlayer.alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.\n * (Possibly rr is 'empty' now, i.e. 
rr->length may be 0.)\n */\n\n /* If we are a client, check for an incoming 'Hello Request': */\n if ((!s->server) &&\n (s->rlayer.handshake_fragment_len >= 4) &&\n (s->rlayer.handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&\n (s->session != NULL) && (s->session->cipher != NULL)) {\n s->rlayer.handshake_fragment_len = 0;\n\n if ((s->rlayer.handshake_fragment[1] != 0) ||\n (s->rlayer.handshake_fragment[2] != 0) ||\n (s->rlayer.handshake_fragment[3] != 0)) {\n al = SSL_AD_DECODE_ERROR;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_BAD_HELLO_REQUEST);\n goto f_err;\n }\n\n if (s->msg_callback)\n s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,\n s->rlayer.handshake_fragment, 4, s,\n s->msg_callback_arg);\n\n if (SSL_is_init_finished(s) &&\n !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&\n !s->s3->renegotiate) {\n ssl3_renegotiate(s);\n if (ssl3_renegotiate_check(s)) {\n i = s->handshake_func(s);\n if (i < 0)\n return (i);\n if (i == 0) {\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);\n return (-1);\n }\n\n if (!(s->mode & SSL_MODE_AUTO_RETRY)) {\n if (SSL3_BUFFER_get_left(rbuf) == 0) {\n /* no read-ahead left? */\n BIO *bio;\n /*\n * In the case where we try to read application data,\n * but we trigger an SSL handshake, we return -1 with\n * the retry option set. Otherwise renegotiation may\n * cause nasty problems in the blocking world\n */\n s->rwstate = SSL_READING;\n bio = SSL_get_rbio(s);\n BIO_clear_retry_flags(bio);\n BIO_set_retry_read(bio);\n return (-1);\n }\n }\n }\n }\n /*\n * we either finished a handshake or ignored the request, now try\n * again to obtain the (application) data we were asked for\n */\n goto start;\n }\n /*\n * If we are a server and get a client hello when renegotiation isn't\n * allowed send back a no renegotiation alert and carry on. 
WARNING:\n * experimental code, needs reviewing (steve)\n */\n if (s->server &&\n SSL_is_init_finished(s) &&\n !s->s3->send_connection_binding &&\n (s->version > SSL3_VERSION) &&\n (s->rlayer.handshake_fragment_len >= 4) &&\n (s->rlayer.handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&\n (s->session != NULL) && (s->session->cipher != NULL) &&\n !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {\n SSL3_RECORD_set_length(rr, 0);\n SSL3_RECORD_set_read(rr);\n ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);\n goto start;\n }\n if (s->rlayer.alert_fragment_len >= 2) {\n int alert_level = s->rlayer.alert_fragment[0];\n int alert_descr = s->rlayer.alert_fragment[1];\n\n s->rlayer.alert_fragment_len = 0;\n\n if (s->msg_callback)\n s->msg_callback(0, s->version, SSL3_RT_ALERT,\n s->rlayer.alert_fragment, 2, s,\n s->msg_callback_arg);\n\n if (s->info_callback != NULL)\n cb = s->info_callback;\n else if (s->ctx->info_callback != NULL)\n cb = s->ctx->info_callback;\n\n if (cb != NULL) {\n j = (alert_level << 8) | alert_descr;\n cb(s, SSL_CB_READ_ALERT, j);\n }\n\n if (alert_level == SSL3_AL_WARNING) {\n s->s3->warn_alert = alert_descr;\n SSL3_RECORD_set_read(rr);\n\n s->rlayer.alert_count++;\n if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) {\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);\n goto f_err;\n }\n\n if (alert_descr == SSL_AD_CLOSE_NOTIFY) {\n s->shutdown |= SSL_RECEIVED_SHUTDOWN;\n return (0);\n }\n /*\n * This is a warning but we receive it if we requested\n * renegotiation and the peer denied it. Terminate with a fatal\n * alert because if application tried to renegotiate it\n * presumably had a good reason and expects it to succeed. 
In\n * future we might have a renegotiation where we don't care if\n * the peer refused it where we carry on.\n */\n else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {\n al = SSL_AD_HANDSHAKE_FAILURE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_NO_RENEGOTIATION);\n goto f_err;\n }\n#ifdef SSL_AD_MISSING_SRP_USERNAME\n else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)\n return (0);\n#endif\n } else if (alert_level == SSL3_AL_FATAL) {\n char tmp[16];\n\n s->rwstate = SSL_NOTHING;\n s->s3->fatal_alert = alert_descr;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);\n BIO_snprintf(tmp, sizeof tmp, \"%d\", alert_descr);\n ERR_add_error_data(2, \"SSL alert number \", tmp);\n s->shutdown |= SSL_RECEIVED_SHUTDOWN;\n SSL3_RECORD_set_read(rr);\n SSL_CTX_remove_session(s->session_ctx, s->session);\n return (0);\n } else {\n al = SSL_AD_ILLEGAL_PARAMETER;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE);\n goto f_err;\n }\n\n goto start;\n }\n\n if (s->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a\n * shutdown */\n s->rwstate = SSL_NOTHING;\n SSL3_RECORD_set_length(rr, 0);\n SSL3_RECORD_set_read(rr);\n return (0);\n }\n\n if (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC) {\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY);\n goto f_err;\n }\n\n /*\n * Unexpected handshake message (Client Hello, or protocol violation)\n */\n if ((s->rlayer.handshake_fragment_len >= 4)\n && !ossl_statem_get_in_handshake(s)) {\n if (SSL_is_init_finished(s) &&\n !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {\n ossl_statem_set_in_init(s, 1);\n s->renegotiate = 1;\n s->new_session = 1;\n }\n i = s->handshake_func(s);\n if (i < 0)\n return (i);\n if (i == 0) {\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);\n return (-1);\n }\n\n if (!(s->mode & SSL_MODE_AUTO_RETRY)) {\n if (SSL3_BUFFER_get_left(rbuf) == 0) {\n /* no read-ahead left? 
*/\n BIO *bio;\n /*\n * In the case where we try to read application data, but we\n * trigger an SSL handshake, we return -1 with the retry\n * option set. Otherwise renegotiation may cause nasty\n * problems in the blocking world\n */\n s->rwstate = SSL_READING;\n bio = SSL_get_rbio(s);\n BIO_clear_retry_flags(bio);\n BIO_set_retry_read(bio);\n return (-1);\n }\n }\n goto start;\n }\n\n switch (SSL3_RECORD_get_type(rr)) {\n default:\n /*\n * TLS up to v1.1 just ignores unknown message types: TLS v1.2 give\n * an unexpected message alert.\n */\n if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) {\n SSL3_RECORD_set_length(rr, 0);\n SSL3_RECORD_set_read(rr);\n goto start;\n }\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);\n goto f_err;\n case SSL3_RT_CHANGE_CIPHER_SPEC:\n case SSL3_RT_ALERT:\n case SSL3_RT_HANDSHAKE:\n /*\n * we already handled all of these, with the possible exception of\n * SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but\n * that should not happen when type != rr->type\n */\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);\n goto f_err;\n case SSL3_RT_APPLICATION_DATA:\n /*\n * At this point, we were expecting handshake data, but have\n * application data. If the library was running inside ssl3_read()\n * (i.e. 
in_read_app_data is set) and it makes sense to read\n * application data at this point (session renegotiation not yet\n * started), we will indulge it.\n */\n if (ossl_statem_app_data_allowed(s)) {\n s->s3->in_read_app_data = 2;\n return (-1);\n } else {\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);\n goto f_err;\n }\n }\n /* not reached */\n\n f_err:\n ssl3_send_alert(s, SSL3_AL_FATAL, al);\n return (-1);\n}", "target": 1, "cwe": [ "CWE-20" ], "project": "openssl", "commit_id": "63658103d4441924f8dbfc517b99bb54758a98b9", "hash": 229842592254180110350134928519396587226, "size": 532, "message": "Fix a hang with SSL_peek()\n\nIf while calling SSL_peek() we read an empty record then we go into an\ninfinite loop, continually trying to read data from the empty record and\nnever making any progress. This could be exploited by a malicious peer in\na Denial Of Service attack.\n\nCVE-2016-6305\n\nGitHub Issue #1563\n\nReviewed-by: Rich Salz ", "dataset": "other", "idx": 216634 }, { "func": "int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,\n int len, int peek)\n{\n int al, i, j, ret;\n unsigned int n, curr_rec, num_recs, read_bytes;\n SSL3_RECORD *rr;\n SSL3_BUFFER *rbuf;\n void (*cb) (const SSL *ssl, int type2, int val) = NULL;\n\n rbuf = &s->rlayer.rbuf;\n\n if (!SSL3_BUFFER_is_initialised(rbuf)) {\n /* Not initialized yet */\n if (!ssl3_setup_read_buffer(s))\n return (-1);\n }\n\n if ((type && (type != SSL3_RT_APPLICATION_DATA)\n && (type != SSL3_RT_HANDSHAKE)) || (peek\n && (type !=\n SSL3_RT_APPLICATION_DATA))) {\n SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);\n return -1;\n }\n\n if ((type == SSL3_RT_HANDSHAKE) && (s->rlayer.handshake_fragment_len > 0))\n /* (partially) satisfy request from storage */\n {\n unsigned char *src = s->rlayer.handshake_fragment;\n unsigned char *dst = buf;\n unsigned int k;\n\n /* peek == 0 */\n n = 0;\n while ((len > 0) && (s->rlayer.handshake_fragment_len > 0)) 
{\n *dst++ = *src++;\n len--;\n s->rlayer.handshake_fragment_len--;\n n++;\n }\n /* move any remaining fragment bytes: */\n for (k = 0; k < s->rlayer.handshake_fragment_len; k++)\n s->rlayer.handshake_fragment[k] = *src++;\n\n if (recvd_type != NULL)\n *recvd_type = SSL3_RT_HANDSHAKE;\n\n return n;\n }\n\n /*\n * Now s->rlayer.handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE.\n */\n\n if (!ossl_statem_get_in_handshake(s) && SSL_in_init(s)) {\n /* type == SSL3_RT_APPLICATION_DATA */\n i = s->handshake_func(s);\n if (i < 0)\n return (i);\n if (i == 0) {\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);\n return (-1);\n }\n }\n start:\n s->rwstate = SSL_NOTHING;\n\n /*-\n * For each record 'i' up to |num_recs]\n * rr[i].type - is the type of record\n * rr[i].data, - data\n * rr[i].off, - offset into 'data' for next read\n * rr[i].length, - number of bytes.\n */\n rr = s->rlayer.rrec;\n num_recs = RECORD_LAYER_get_numrpipes(&s->rlayer);\n\n do {\n /* get new records if necessary */\n if (num_recs == 0) {\n ret = ssl3_get_record(s);\n if (ret <= 0)\n return (ret);\n num_recs = RECORD_LAYER_get_numrpipes(&s->rlayer);\n if (num_recs == 0) {\n /* Shouldn't happen */\n al = SSL_AD_INTERNAL_ERROR;\n SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);\n goto f_err;\n }\n }\n /* Skip over any records we have already read */\n for (curr_rec = 0;\n curr_rec < num_recs && SSL3_RECORD_is_read(&rr[curr_rec]);\n curr_rec++) ;\n if (curr_rec == num_recs) {\n RECORD_LAYER_set_numrpipes(&s->rlayer, 0);\n num_recs = 0;\n curr_rec = 0;\n }\n } while (num_recs == 0);\n rr = &rr[curr_rec];\n\n /*\n * Reset the count of consecutive warning alerts if we've got a non-empty\n * record that isn't an alert.\n */\n if (SSL3_RECORD_get_type(rr) != SSL3_RT_ALERT\n && SSL3_RECORD_get_length(rr) != 0)\n s->rlayer.alert_count = 0;\n\n /* we now have a packet which can be read and processed */\n\n if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,\n * reset by 
ssl3_get_finished */\n && (SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE)) {\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);\n goto f_err;\n }\n\n /*\n * If the other end has shut down, throw anything we read away (even in\n * 'peek' mode)\n */\n if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {\n SSL3_RECORD_set_length(rr, 0);\n s->rwstate = SSL_NOTHING;\n return (0);\n }\n\n if (type == SSL3_RECORD_get_type(rr)\n || (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC\n && type == SSL3_RT_HANDSHAKE && recvd_type != NULL)) {\n /*\n * SSL3_RT_APPLICATION_DATA or\n * SSL3_RT_HANDSHAKE or\n * SSL3_RT_CHANGE_CIPHER_SPEC\n */\n /*\n * make sure that we are not getting application data when we are\n * doing a handshake for the first time\n */\n if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&\n (s->enc_read_ctx == NULL)) {\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE);\n goto f_err;\n }\n\n if (type == SSL3_RT_HANDSHAKE\n && SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC\n && s->rlayer.handshake_fragment_len > 0) {\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY);\n goto f_err;\n }\n\n if (recvd_type != NULL)\n *recvd_type = SSL3_RECORD_get_type(rr);\n\n if (len <= 0)\n return (len);\n\n read_bytes = 0;\n do {\n if ((unsigned int)len - read_bytes > SSL3_RECORD_get_length(rr))\n n = SSL3_RECORD_get_length(rr);\n else\n n = (unsigned int)len - read_bytes;\n\n memcpy(buf, &(rr->data[rr->off]), n);\n buf += n;\n if (peek) {\n /* Mark any zero length record as consumed CVE-2016-6305 */\n if (SSL3_RECORD_get_length(rr) == 0)\n SSL3_RECORD_set_read(rr);\n } else {\n SSL3_RECORD_sub_length(rr, n);\n SSL3_RECORD_add_off(rr, n);\n if (SSL3_RECORD_get_length(rr) == 0) {\n s->rlayer.rstate = SSL_ST_READ_HEADER;\n SSL3_RECORD_set_off(rr, 0);\n SSL3_RECORD_set_read(rr);\n }\n }\n if (SSL3_RECORD_get_length(rr) == 0\n || 
(peek && n == SSL3_RECORD_get_length(rr))) {\n curr_rec++;\n rr++;\n }\n read_bytes += n;\n } while (type == SSL3_RT_APPLICATION_DATA && curr_rec < num_recs\n && read_bytes < (unsigned int)len);\n if (read_bytes == 0) {\n /* We must have read empty records. Get more data */\n goto start;\n }\n if (!peek && curr_rec == num_recs\n && (s->mode & SSL_MODE_RELEASE_BUFFERS)\n && SSL3_BUFFER_get_left(rbuf) == 0)\n ssl3_release_read_buffer(s);\n return read_bytes;\n }\n\n /*\n * If we get here, then type != rr->type; if we have a handshake message,\n * then it was unexpected (Hello Request or Client Hello) or invalid (we\n * were actually expecting a CCS).\n */\n\n /*\n * Lets just double check that we've not got an SSLv2 record\n */\n if (rr->rec_version == SSL2_VERSION) {\n /*\n * Should never happen. ssl3_get_record() should only give us an SSLv2\n * record back if this is the first packet and we are looking for an\n * initial ClientHello. Therefore |type| should always be equal to\n * |rr->type|. If not then something has gone horribly wrong\n */\n al = SSL_AD_INTERNAL_ERROR;\n SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);\n goto f_err;\n }\n\n if (s->method->version == TLS_ANY_VERSION\n && (s->server || rr->type != SSL3_RT_ALERT)) {\n /*\n * If we've got this far and still haven't decided on what version\n * we're using then this must be a client side alert we're dealing with\n * (we don't allow heartbeats yet). 
We shouldn't be receiving anything\n * other than a ClientHello if we are a server.\n */\n s->version = rr->rec_version;\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_MESSAGE);\n goto f_err;\n }\n\n /*\n * In case of record types for which we have 'fragment' storage, fill\n * that so that we can process the data at a fixed place.\n */\n {\n unsigned int dest_maxlen = 0;\n unsigned char *dest = NULL;\n unsigned int *dest_len = NULL;\n\n if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) {\n dest_maxlen = sizeof s->rlayer.handshake_fragment;\n dest = s->rlayer.handshake_fragment;\n dest_len = &s->rlayer.handshake_fragment_len;\n } else if (SSL3_RECORD_get_type(rr) == SSL3_RT_ALERT) {\n dest_maxlen = sizeof s->rlayer.alert_fragment;\n dest = s->rlayer.alert_fragment;\n dest_len = &s->rlayer.alert_fragment_len;\n }\n\n if (dest_maxlen > 0) {\n n = dest_maxlen - *dest_len; /* available space in 'dest' */\n if (SSL3_RECORD_get_length(rr) < n)\n n = SSL3_RECORD_get_length(rr); /* available bytes */\n\n /* now move 'n' bytes: */\n while (n-- > 0) {\n dest[(*dest_len)++] =\n SSL3_RECORD_get_data(rr)[SSL3_RECORD_get_off(rr)];\n SSL3_RECORD_add_off(rr, 1);\n SSL3_RECORD_add_length(rr, -1);\n }\n\n if (*dest_len < dest_maxlen) {\n SSL3_RECORD_set_read(rr);\n goto start; /* fragment was too small */\n }\n }\n }\n\n /*-\n * s->rlayer.handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;\n * s->rlayer.alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.\n * (Possibly rr is 'empty' now, i.e. 
rr->length may be 0.)\n */\n\n /* If we are a client, check for an incoming 'Hello Request': */\n if ((!s->server) &&\n (s->rlayer.handshake_fragment_len >= 4) &&\n (s->rlayer.handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&\n (s->session != NULL) && (s->session->cipher != NULL)) {\n s->rlayer.handshake_fragment_len = 0;\n\n if ((s->rlayer.handshake_fragment[1] != 0) ||\n (s->rlayer.handshake_fragment[2] != 0) ||\n (s->rlayer.handshake_fragment[3] != 0)) {\n al = SSL_AD_DECODE_ERROR;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_BAD_HELLO_REQUEST);\n goto f_err;\n }\n\n if (s->msg_callback)\n s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,\n s->rlayer.handshake_fragment, 4, s,\n s->msg_callback_arg);\n\n if (SSL_is_init_finished(s) &&\n !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&\n !s->s3->renegotiate) {\n ssl3_renegotiate(s);\n if (ssl3_renegotiate_check(s)) {\n i = s->handshake_func(s);\n if (i < 0)\n return (i);\n if (i == 0) {\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);\n return (-1);\n }\n\n if (!(s->mode & SSL_MODE_AUTO_RETRY)) {\n if (SSL3_BUFFER_get_left(rbuf) == 0) {\n /* no read-ahead left? */\n BIO *bio;\n /*\n * In the case where we try to read application data,\n * but we trigger an SSL handshake, we return -1 with\n * the retry option set. Otherwise renegotiation may\n * cause nasty problems in the blocking world\n */\n s->rwstate = SSL_READING;\n bio = SSL_get_rbio(s);\n BIO_clear_retry_flags(bio);\n BIO_set_retry_read(bio);\n return (-1);\n }\n }\n }\n }\n /*\n * we either finished a handshake or ignored the request, now try\n * again to obtain the (application) data we were asked for\n */\n goto start;\n }\n /*\n * If we are a server and get a client hello when renegotiation isn't\n * allowed send back a no renegotiation alert and carry on. 
WARNING:\n * experimental code, needs reviewing (steve)\n */\n if (s->server &&\n SSL_is_init_finished(s) &&\n !s->s3->send_connection_binding &&\n (s->version > SSL3_VERSION) &&\n (s->rlayer.handshake_fragment_len >= 4) &&\n (s->rlayer.handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&\n (s->session != NULL) && (s->session->cipher != NULL) &&\n !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {\n SSL3_RECORD_set_length(rr, 0);\n SSL3_RECORD_set_read(rr);\n ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);\n goto start;\n }\n if (s->rlayer.alert_fragment_len >= 2) {\n int alert_level = s->rlayer.alert_fragment[0];\n int alert_descr = s->rlayer.alert_fragment[1];\n\n s->rlayer.alert_fragment_len = 0;\n\n if (s->msg_callback)\n s->msg_callback(0, s->version, SSL3_RT_ALERT,\n s->rlayer.alert_fragment, 2, s,\n s->msg_callback_arg);\n\n if (s->info_callback != NULL)\n cb = s->info_callback;\n else if (s->ctx->info_callback != NULL)\n cb = s->ctx->info_callback;\n\n if (cb != NULL) {\n j = (alert_level << 8) | alert_descr;\n cb(s, SSL_CB_READ_ALERT, j);\n }\n\n if (alert_level == SSL3_AL_WARNING) {\n s->s3->warn_alert = alert_descr;\n SSL3_RECORD_set_read(rr);\n\n s->rlayer.alert_count++;\n if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) {\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);\n goto f_err;\n }\n\n if (alert_descr == SSL_AD_CLOSE_NOTIFY) {\n s->shutdown |= SSL_RECEIVED_SHUTDOWN;\n return (0);\n }\n /*\n * This is a warning but we receive it if we requested\n * renegotiation and the peer denied it. Terminate with a fatal\n * alert because if application tried to renegotiate it\n * presumably had a good reason and expects it to succeed. 
In\n * future we might have a renegotiation where we don't care if\n * the peer refused it where we carry on.\n */\n else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {\n al = SSL_AD_HANDSHAKE_FAILURE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_NO_RENEGOTIATION);\n goto f_err;\n }\n#ifdef SSL_AD_MISSING_SRP_USERNAME\n else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)\n return (0);\n#endif\n } else if (alert_level == SSL3_AL_FATAL) {\n char tmp[16];\n\n s->rwstate = SSL_NOTHING;\n s->s3->fatal_alert = alert_descr;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);\n BIO_snprintf(tmp, sizeof tmp, \"%d\", alert_descr);\n ERR_add_error_data(2, \"SSL alert number \", tmp);\n s->shutdown |= SSL_RECEIVED_SHUTDOWN;\n SSL3_RECORD_set_read(rr);\n SSL_CTX_remove_session(s->session_ctx, s->session);\n return (0);\n } else {\n al = SSL_AD_ILLEGAL_PARAMETER;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE);\n goto f_err;\n }\n\n goto start;\n }\n\n if (s->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a\n * shutdown */\n s->rwstate = SSL_NOTHING;\n SSL3_RECORD_set_length(rr, 0);\n SSL3_RECORD_set_read(rr);\n return (0);\n }\n\n if (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC) {\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY);\n goto f_err;\n }\n\n /*\n * Unexpected handshake message (Client Hello, or protocol violation)\n */\n if ((s->rlayer.handshake_fragment_len >= 4)\n && !ossl_statem_get_in_handshake(s)) {\n if (SSL_is_init_finished(s) &&\n !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {\n ossl_statem_set_in_init(s, 1);\n s->renegotiate = 1;\n s->new_session = 1;\n }\n i = s->handshake_func(s);\n if (i < 0)\n return (i);\n if (i == 0) {\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);\n return (-1);\n }\n\n if (!(s->mode & SSL_MODE_AUTO_RETRY)) {\n if (SSL3_BUFFER_get_left(rbuf) == 0) {\n /* no read-ahead left? 
*/\n BIO *bio;\n /*\n * In the case where we try to read application data, but we\n * trigger an SSL handshake, we return -1 with the retry\n * option set. Otherwise renegotiation may cause nasty\n * problems in the blocking world\n */\n s->rwstate = SSL_READING;\n bio = SSL_get_rbio(s);\n BIO_clear_retry_flags(bio);\n BIO_set_retry_read(bio);\n return (-1);\n }\n }\n goto start;\n }\n\n switch (SSL3_RECORD_get_type(rr)) {\n default:\n /*\n * TLS up to v1.1 just ignores unknown message types: TLS v1.2 give\n * an unexpected message alert.\n */\n if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) {\n SSL3_RECORD_set_length(rr, 0);\n SSL3_RECORD_set_read(rr);\n goto start;\n }\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);\n goto f_err;\n case SSL3_RT_CHANGE_CIPHER_SPEC:\n case SSL3_RT_ALERT:\n case SSL3_RT_HANDSHAKE:\n /*\n * we already handled all of these, with the possible exception of\n * SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but\n * that should not happen when type != rr->type\n */\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);\n goto f_err;\n case SSL3_RT_APPLICATION_DATA:\n /*\n * At this point, we were expecting handshake data, but have\n * application data. If the library was running inside ssl3_read()\n * (i.e. 
in_read_app_data is set) and it makes sense to read\n * application data at this point (session renegotiation not yet\n * started), we will indulge it.\n */\n if (ossl_statem_app_data_allowed(s)) {\n s->s3->in_read_app_data = 2;\n return (-1);\n } else {\n al = SSL_AD_UNEXPECTED_MESSAGE;\n SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);\n goto f_err;\n }\n }\n /* not reached */\n\n f_err:\n ssl3_send_alert(s, SSL3_AL_FATAL, al);\n return (-1);\n}", "target": 0, "cwe": [ "CWE-20" ], "project": "openssl", "commit_id": "63658103d4441924f8dbfc517b99bb54758a98b9", "hash": 282966599163418320840049525998042662202, "size": 536, "message": "Fix a hang with SSL_peek()\n\nIf while calling SSL_peek() we read an empty record then we go into an\ninfinite loop, continually trying to read data from the empty record and\nnever making any progress. This could be exploited by a malicious peer in\na Denial Of Service attack.\n\nCVE-2016-6305\n\nGitHub Issue #1563\n\nReviewed-by: Rich Salz ", "dataset": "other", "idx": 503768 }, { "func": "int bcf_hdr_sync(bcf_hdr_t *h)\n{\n int i;\n for (i = 0; i < 3; i++)\n {\n vdict_t *d = (vdict_t*)h->dict[i];\n khint_t k;\n if ( h->n[i] < kh_size(d) )\n {\n bcf_idpair_t *new_idpair;\n // this should be true only for i=2, BCF_DT_SAMPLE\n new_idpair = (bcf_idpair_t*) realloc(h->id[i], kh_size(d)*sizeof(bcf_idpair_t));\n if (!new_idpair) return -1;\n h->n[i] = kh_size(d);\n h->id[i] = new_idpair;\n }\n for (k=kh_begin(d); kid[i][kh_val(d,k).id].key = kh_key(d,k);\n h->id[i][kh_val(d,k).id].val = &kh_val(d,k);\n }\n }\n h->dirty = 0;\n return 0;\n}", "project": "htslib", "hash": 18296728489751532727168042634316454781, "size": 26, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402235 }, { "func": "static int tty_tiocgicount(struct tty_struct *tty, void __user *arg)\n{\n\tint retval = -EINVAL;\n\tstruct serial_icounter_struct icount;\n\tmemset(&icount, 0, sizeof(icount));\n\tif (tty->ops->get_icount)\n\t\tretval = tty->ops->get_icount(tty, &icount);\n\tif (retval != 0)\n\t\treturn retval;\n\tif (copy_to_user(arg, &icount, sizeof(icount)))\n\t\treturn -EFAULT;\n\treturn 0;\n}", "project": "linux", "hash": 249046161915872083654589121555374717499, "size": 13, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325962 }, { "func": "static inline unsigned long slabs_node(struct kmem_cache *s, int node)\n\t\t\t\t\t\t\t{ return 0; }", "project": "linux", "hash": 230994308224926419116671484259379557464, "size": 2, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280020 }, { "func": "static inline unsigned long slabs_node(struct kmem_cache *s, int node)\n{\n\tstruct kmem_cache_node *n = get_node(s, node);\n\n\treturn atomic_long_read(&n->nr_slabs);\n}", "project": "linux", "hash": 189024580143585179702742360259744398834, "size": 6, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280042 }, { "func": "static int x25_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct x25_sock *x25 = x25_sk(sk);\n\tDECLARE_SOCKADDR(struct sockaddr_x25 *, usx25, msg->msg_name);\n\tstruct sockaddr_x25 sx25;\n\tstruct sk_buff *skb;\n\tunsigned char *asmptr;\n\tint noblock = msg->msg_flags & MSG_DONTWAIT;\n\tsize_t size;\n\tint qbit = 0, rc = -EINVAL;\n\n\tlock_sock(sk);\n\tif (msg->msg_flags & ~(MSG_DONTWAIT|MSG_OOB|MSG_EOR|MSG_CMSG_COMPAT))\n\t\tgoto out;\n\n\t/* we currently don't support segmented records at the user interface */\n\tif (!(msg->msg_flags & (MSG_EOR|MSG_OOB)))\n\t\tgoto out;\n\n\trc = -EADDRNOTAVAIL;\n\tif (sock_flag(sk, SOCK_ZAPPED))\n\t\tgoto out;\n\n\trc = -EPIPE;\n\tif (sk->sk_shutdown & SEND_SHUTDOWN) {\n\t\tsend_sig(SIGPIPE, current, 0);\n\t\tgoto out;\n\t}\n\n\trc = -ENETUNREACH;\n\tif (!x25->neighbour)\n\t\tgoto out;\n\n\tif (usx25) {\n\t\trc = -EINVAL;\n\t\tif (msg->msg_namelen < sizeof(sx25))\n\t\t\tgoto out;\n\t\tmemcpy(&sx25, usx25, sizeof(sx25));\n\t\trc = -EISCONN;\n\t\tif (strcmp(x25->dest_addr.x25_addr, sx25.sx25_addr.x25_addr))\n\t\t\tgoto out;\n\t\trc = -EINVAL;\n\t\tif (sx25.sx25_family != AF_X25)\n\t\t\tgoto out;\n\t} else {\n\t\t/*\n\t\t *\tFIXME 1003.1g - if the socket is like this because\n\t\t *\tit has become closed (not started closed) we ought\n\t\t *\tto SIGPIPE, EPIPE;\n\t\t */\n\t\trc = -ENOTCONN;\n\t\tif (sk->sk_state != TCP_ESTABLISHED)\n\t\t\tgoto out;\n\n\t\tsx25.sx25_family = AF_X25;\n\t\tsx25.sx25_addr = x25->dest_addr;\n\t}\n\n\t/* Sanity check the 
packet size */\n\tif (len > 65535) {\n\t\trc = -EMSGSIZE;\n\t\tgoto out;\n\t}\n\n\tSOCK_DEBUG(sk, \"x25_sendmsg: sendto: Addresses built.\\n\");\n\n\t/* Build a packet */\n\tSOCK_DEBUG(sk, \"x25_sendmsg: sendto: building packet.\\n\");\n\n\tif ((msg->msg_flags & MSG_OOB) && len > 32)\n\t\tlen = 32;\n\n\tsize = len + X25_MAX_L2_LEN + X25_EXT_MIN_LEN;\n\n\trelease_sock(sk);\n\tskb = sock_alloc_send_skb(sk, size, noblock, &rc);\n\tlock_sock(sk);\n\tif (!skb)\n\t\tgoto out;\n\tX25_SKB_CB(skb)->flags = msg->msg_flags;\n\n\tskb_reserve(skb, X25_MAX_L2_LEN + X25_EXT_MIN_LEN);\n\n\t/*\n\t *\tPut the data on the end\n\t */\n\tSOCK_DEBUG(sk, \"x25_sendmsg: Copying user data\\n\");\n\n\tskb_reset_transport_header(skb);\n\tskb_put(skb, len);\n\n\trc = memcpy_from_msg(skb_transport_header(skb), msg, len);\n\tif (rc)\n\t\tgoto out_kfree_skb;\n\n\t/*\n\t *\tIf the Q BIT Include socket option is in force, the first\n\t *\tbyte of the user data is the logical value of the Q Bit.\n\t */\n\tif (test_bit(X25_Q_BIT_FLAG, &x25->flags)) {\n\t\tif (!pskb_may_pull(skb, 1))\n\t\t\tgoto out_kfree_skb;\n\n\t\tqbit = skb->data[0];\n\t\tskb_pull(skb, 1);\n\t}\n\n\t/*\n\t *\tPush down the X.25 header\n\t */\n\tSOCK_DEBUG(sk, \"x25_sendmsg: Building X.25 Header.\\n\");\n\n\tif (msg->msg_flags & MSG_OOB) {\n\t\tif (x25->neighbour->extended) {\n\t\t\tasmptr = skb_push(skb, X25_STD_MIN_LEN);\n\t\t\t*asmptr++ = ((x25->lci >> 8) & 0x0F) | X25_GFI_EXTSEQ;\n\t\t\t*asmptr++ = (x25->lci >> 0) & 0xFF;\n\t\t\t*asmptr++ = X25_INTERRUPT;\n\t\t} else {\n\t\t\tasmptr = skb_push(skb, X25_STD_MIN_LEN);\n\t\t\t*asmptr++ = ((x25->lci >> 8) & 0x0F) | X25_GFI_STDSEQ;\n\t\t\t*asmptr++ = (x25->lci >> 0) & 0xFF;\n\t\t\t*asmptr++ = X25_INTERRUPT;\n\t\t}\n\t} else {\n\t\tif (x25->neighbour->extended) {\n\t\t\t/* Build an Extended X.25 header */\n\t\t\tasmptr = skb_push(skb, X25_EXT_MIN_LEN);\n\t\t\t*asmptr++ = ((x25->lci >> 8) & 0x0F) | X25_GFI_EXTSEQ;\n\t\t\t*asmptr++ = (x25->lci >> 0) & 0xFF;\n\t\t\t*asmptr++ = 
X25_DATA;\n\t\t\t*asmptr++ = X25_DATA;\n\t\t} else {\n\t\t\t/* Build an Standard X.25 header */\n\t\t\tasmptr = skb_push(skb, X25_STD_MIN_LEN);\n\t\t\t*asmptr++ = ((x25->lci >> 8) & 0x0F) | X25_GFI_STDSEQ;\n\t\t\t*asmptr++ = (x25->lci >> 0) & 0xFF;\n\t\t\t*asmptr++ = X25_DATA;\n\t\t}\n\n\t\tif (qbit)\n\t\t\tskb->data[0] |= X25_Q_BIT;\n\t}\n\n\tSOCK_DEBUG(sk, \"x25_sendmsg: Built header.\\n\");\n\tSOCK_DEBUG(sk, \"x25_sendmsg: Transmitting buffer\\n\");\n\n\trc = -ENOTCONN;\n\tif (sk->sk_state != TCP_ESTABLISHED)\n\t\tgoto out_kfree_skb;\n\n\tif (msg->msg_flags & MSG_OOB)\n\t\tskb_queue_tail(&x25->interrupt_out_queue, skb);\n\telse {\n\t\trc = x25_output(sk, skb);\n\t\tlen = rc;\n\t\tif (rc < 0)\n\t\t\tkfree_skb(skb);\n\t\telse if (test_bit(X25_Q_BIT_FLAG, &x25->flags))\n\t\t\tlen++;\n\t}\n\n\tx25_kick(sk);\n\trc = len;\nout:\n\trelease_sock(sk);\n\treturn rc;\nout_kfree_skb:\n\tkfree_skb(skb);\n\tgoto out;\n}", "project": "net", "hash": 143748197874594539743284142687351184040, "size": 172, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). 
What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449168 }, { "func": "TEST_P(JSITest, HostObjectWithValueMembers) {\n class Bag : public HostObject {\n public:\n Bag() = default;\n\n const Value& operator[](const std::string& name) const {\n auto iter = data_.find(name);\n if (iter == data_.end()) {\n return undef_;\n }\n return iter->second;\n }\n\n protected:\n Value get(Runtime& rt, const PropNameID& name) override {\n return Value(rt, (*this)[name.utf8(rt)]);\n }\n\n void set(Runtime& rt, const PropNameID& name, const Value& val) override {\n data_.emplace(name.utf8(rt), Value(rt, val));\n }\n\n Value undef_;\n std::map data_;\n };\n\n auto sharedBag = std::make_shared();\n auto& bag = *sharedBag;\n Object jsbag = Object::createFromHostObject(rt, std::move(sharedBag));\n auto set = function(\n \"function (o) {\"\n \" o.foo = 'bar';\"\n \" o.count = 37;\"\n \" o.nul = null;\"\n \" o.iscool = true;\"\n \" o.obj = { 'foo': 'bar' };\"\n \"}\");\n set.call(rt, jsbag);\n auto checkFoo = function(\"function (o) { return o.foo === 'bar'; }\");\n auto checkCount = function(\"function (o) { return o.count === 37; }\");\n auto checkNul = function(\"function (o) { return o.nul === null; }\");\n auto checkIsCool = function(\"function (o) { return o.iscool === true; }\");\n auto checkObj = function(\n \"function (o) {\"\n \" return (typeof o.obj) === 'object' && o.obj.foo === 'bar';\"\n \"}\");\n // Check this looks good from js\n EXPECT_TRUE(checkFoo.call(rt, jsbag).getBool());\n EXPECT_TRUE(checkCount.call(rt, jsbag).getBool());\n EXPECT_TRUE(checkNul.call(rt, jsbag).getBool());\n EXPECT_TRUE(checkIsCool.call(rt, jsbag).getBool());\n EXPECT_TRUE(checkObj.call(rt, 
jsbag).getBool());\n\n // Check this looks good from c++\n EXPECT_EQ(bag[\"foo\"].getString(rt).utf8(rt), \"bar\");\n EXPECT_EQ(bag[\"count\"].getNumber(), 37);\n EXPECT_TRUE(bag[\"nul\"].isNull());\n EXPECT_TRUE(bag[\"iscool\"].getBool());\n EXPECT_EQ(\n bag[\"obj\"].getObject(rt).getProperty(rt, \"foo\").getString(rt).utf8(rt),\n \"bar\");\n}", "project": "hermes", "hash": 276403470791546223248329874983991579068, "size": 62, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230262 }, { "func": "static void hci_cc_read_local_features(struct hci_dev *hdev,\n\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_read_local_features *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tmemcpy(hdev->features, rp->features, 8);\n\n\t/* Adjust default settings according to features\n\t * supported by device. 
*/\n\n\tif (hdev->features[0][0] & LMP_3SLOT)\n\t\thdev->pkt_type |= (HCI_DM3 | HCI_DH3);\n\n\tif (hdev->features[0][0] & LMP_5SLOT)\n\t\thdev->pkt_type |= (HCI_DM5 | HCI_DH5);\n\n\tif (hdev->features[0][1] & LMP_HV2) {\n\t\thdev->pkt_type |= (HCI_HV2);\n\t\thdev->esco_type |= (ESCO_HV2);\n\t}\n\n\tif (hdev->features[0][1] & LMP_HV3) {\n\t\thdev->pkt_type |= (HCI_HV3);\n\t\thdev->esco_type |= (ESCO_HV3);\n\t}\n\n\tif (lmp_esco_capable(hdev))\n\t\thdev->esco_type |= (ESCO_EV3);\n\n\tif (hdev->features[0][4] & LMP_EV4)\n\t\thdev->esco_type |= (ESCO_EV4);\n\n\tif (hdev->features[0][4] & LMP_EV5)\n\t\thdev->esco_type |= (ESCO_EV5);\n\n\tif (hdev->features[0][5] & LMP_EDR_ESCO_2M)\n\t\thdev->esco_type |= (ESCO_2EV3);\n\n\tif (hdev->features[0][5] & LMP_EDR_ESCO_3M)\n\t\thdev->esco_type |= (ESCO_3EV3);\n\n\tif (hdev->features[0][5] & LMP_EDR_3S_ESCO)\n\t\thdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);\n}", "project": "linux", "hash": 83555316181580056827863624350298070375, "size": 49, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432007 }, { "func": "static void svm_cancel_injection(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tstruct vmcb_control_area *control = &svm->vmcb->control;\n\n\tcontrol->exit_int_info = control->event_inj;\n\tcontrol->exit_int_info_err = control->event_inj_err;\n\tcontrol->event_inj = 0;\n\tsvm_complete_interrupts(svm);\n}", "project": "linux", "hash": 33761839943210287198364133364575790551, "size": 10, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432581 }, { "func": "\nstatic void io_uring_try_cancel_requests(struct io_ring_ctx *ctx,\n\t\t\t\t\t struct task_struct *task,\n\t\t\t\t\t struct files_struct *files)\n{\n\tstruct io_task_cancel cancel = { .task = task, .files = files, };\n\tstruct io_uring_task *tctx = task ? 
task->io_uring : NULL;\n\n\twhile (1) {\n\t\tenum io_wq_cancel cret;\n\t\tbool ret = false;\n\n\t\tif (!task) {\n\t\t\tret |= io_uring_try_cancel_iowq(ctx);\n\t\t} else if (tctx && tctx->io_wq) {\n\t\t\t/*\n\t\t\t * Cancels requests of all rings, not only @ctx, but\n\t\t\t * it's fine as the task is in exit/exec.\n\t\t\t */\n\t\t\tcret = io_wq_cancel_cb(tctx->io_wq, io_cancel_task_cb,\n\t\t\t\t\t &cancel, true);\n\t\t\tret |= (cret != IO_WQ_CANCEL_NOTFOUND);\n\t\t}\n\n\t\t/* SQPOLL thread does its own polling */\n\t\tif ((!(ctx->flags & IORING_SETUP_SQPOLL) && !files) ||\n\t\t (ctx->sq_data && ctx->sq_data->thread == current)) {\n\t\t\twhile (!list_empty_careful(&ctx->iopoll_list)) {\n\t\t\t\tio_iopoll_try_reap_events(ctx);\n\t\t\t\tret = true;\n\t\t\t}\n\t\t}\n\n\t\tret |= io_cancel_defer_files(ctx, task, files);\n\t\tret |= io_poll_remove_all(ctx, task, files);\n\t\tret |= io_kill_timeouts(ctx, task, files);\n\t\tret |= io_run_task_work();\n\t\tret |= io_run_ctx_fallback(ctx);\n\t\tif (!ret)\n\t\t\tbreak;\n\t\tcond_resched();\n\t}", "project": "linux", "hash": 49211518103417312193248544999592572881, "size": 42, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338606 }, { "func": "static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image,\n opj_event_mgr_t * p_manager)\n{\n OPJ_UINT32 it_comp;\n OPJ_INT32 l_comp_x1, l_comp_y1;\n opj_image_comp_t* l_img_comp = NULL;\n\n l_img_comp = p_image->comps;\n for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {\n OPJ_INT32 l_h, l_w;\n if (p_image->x0 > (OPJ_UINT32)INT_MAX ||\n p_image->y0 > (OPJ_UINT32)INT_MAX ||\n p_image->x1 > (OPJ_UINT32)INT_MAX ||\n p_image->y1 > (OPJ_UINT32)INT_MAX) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Image coordinates above INT_MAX are not supported\\n\");\n return OPJ_FALSE;\n }\n\n l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,\n (OPJ_INT32)l_img_comp->dx);\n l_img_comp->y0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->y0,\n (OPJ_INT32)l_img_comp->dy);\n l_comp_x1 = opj_int_ceildiv((OPJ_INT32)p_image->x1, (OPJ_INT32)l_img_comp->dx);\n l_comp_y1 = opj_int_ceildiv((OPJ_INT32)p_image->y1, (OPJ_INT32)l_img_comp->dy);\n\n l_w = opj_int_ceildivpow2(l_comp_x1, (OPJ_INT32)l_img_comp->factor)\n - opj_int_ceildivpow2((OPJ_INT32)l_img_comp->x0, (OPJ_INT32)l_img_comp->factor);\n if (l_w < 0) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Size x of the decoded component image is incorrect (comp[%d].w=%d).\\n\",\n it_comp, l_w);\n return OPJ_FALSE;\n }\n l_img_comp->w = (OPJ_UINT32)l_w;\n\n l_h = 
opj_int_ceildivpow2(l_comp_y1, (OPJ_INT32)l_img_comp->factor)\n - opj_int_ceildivpow2((OPJ_INT32)l_img_comp->y0, (OPJ_INT32)l_img_comp->factor);\n if (l_h < 0) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Size y of the decoded component image is incorrect (comp[%d].h=%d).\\n\",\n it_comp, l_h);\n return OPJ_FALSE;\n }\n l_img_comp->h = (OPJ_UINT32)l_h;\n\n l_img_comp++;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 268023276993403432472523689958434400874, "size": 51, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357335 }, { "func": "static int load_em86(struct linux_binprm *bprm)\n{\n\tchar *interp, *i_name, *i_arg;\n\tstruct file * file;\n\tint retval;\n\tstruct elfhdr\telf_ex;\n\n\t/* Make sure this is a Linux/Intel ELF executable... */\n\telf_ex = *((struct elfhdr *)bprm->buf);\n\n\tif (memcmp(elf_ex.e_ident, ELFMAG, SELFMAG) != 0)\n\t\treturn -ENOEXEC;\n\n\t/* First of all, some simple consistency checks */\n\tif ((elf_ex.e_type != ET_EXEC && elf_ex.e_type != ET_DYN) ||\n\t\t(!((elf_ex.e_machine == EM_386) || (elf_ex.e_machine == EM_486))) ||\n\t\t(!bprm->file->f_op || !bprm->file->f_op->mmap)) {\n\t\t\treturn -ENOEXEC;\n\t}\n\n\tallow_write_access(bprm->file);\n\tfput(bprm->file);\n\tbprm->file = NULL;\n\n\t/* Unlike in the script case, we don't have to do any hairy\n\t * parsing to find our interpreter... 
it's hardcoded!\n\t */\n\tinterp = EM86_INTERP;\n\ti_name = EM86_I_NAME;\n\ti_arg = NULL;\t\t/* We reserve the right to add an arg later */\n\n\t/*\n\t * Splice in (1) the interpreter's name for argv[0]\n\t * (2) (optional) argument to interpreter\n\t * (3) filename of emulated file (replace argv[0])\n\t *\n\t * This is done in reverse order, because of how the\n\t * user environment and arguments are stored.\n\t */\n\tremove_arg_zero(bprm);\n\tretval = copy_strings_kernel(1, &bprm->filename, bprm);\n\tif (retval < 0) return retval; \n\tbprm->argc++;\n\tif (i_arg) {\n\t\tretval = copy_strings_kernel(1, &i_arg, bprm);\n\t\tif (retval < 0) return retval; \n\t\tbprm->argc++;\n\t}\n\tretval = copy_strings_kernel(1, &i_name, bprm);\n\tif (retval < 0)\treturn retval;\n\tbprm->argc++;\n\n\t/*\n\t * OK, now restart the process with the interpreter's inode.\n\t * Note that we use open_exec() as the name is now in kernel\n\t * space, and we don't need to copy it.\n\t */\n\tfile = open_exec(interp);\n\tif (IS_ERR(file))\n\t\treturn PTR_ERR(file);\n\n\tbprm->file = file;\n\n\tretval = prepare_binprm(bprm);\n\tif (retval < 0)\n\t\treturn retval;\n\n\treturn search_binary_handler(bprm);\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "d740269867021faf4ce38a449353d2b986c34a67", "hash": 267834606675382143038505917048098086100, "size": 69, "message": "exec: use -ELOOP for max recursion depth\n\nTo avoid an explosion of request_module calls on a chain of abusive\nscripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon\nas maximum recursion depth is hit, the error will fail all the way back\nup the chain, aborting immediately.\n\nThis also has the side-effect of stopping the user's shell from attempting\nto reexecute the top-level file as a shell script. 
As seen in the\ndash source:\n\n if (cmd != path_bshell && errno == ENOEXEC) {\n *argv-- = cmd;\n *argv = cmd = path_bshell;\n goto repeat;\n }\n\nThe above logic was designed for running scripts automatically that lacked\nthe \"#!\" header, not to re-try failed recursion. On a legitimate -ENOEXEC,\nthings continue to behave as the shell expects.\n\nAdditionally, when tracking recursion, the binfmt handlers should not be\ninvolved. The recursion being tracked is the depth of calls through\nsearch_binary_handler(), so that function should be exclusively responsible\nfor tracking the depth.\n\nSigned-off-by: Kees Cook \nCc: halfdog \nCc: P J P \nCc: Alexander Viro \nSigned-off-by: Andrew Morton \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 496255 }, { "func": "parse_file_name(const ref * op, gs_parsed_file_name_t * pfn, bool safemode,\n gs_memory_t *memory)\n{\n int code;\n\n check_read_type(*op, t_string);\n code = gs_parse_file_name(pfn, (const char *)op->value.const_bytes,\n r_size(op), memory);\n if (code < 0)\n return code;\n /*\n * Check here for the %pipe device which is illegal when\n * LockFilePermissions is true. In the future we might want to allow\n * the %pipe device to be included on the PermitFile... 
paths, but\n * for now it is simply disallowed.\n */\n if (pfn->iodev && safemode && strcmp(pfn->iodev->dname, \"%pipe%\") == 0)\n return gs_error_invalidfileaccess;\n return code;\n}", "project": "ghostpdl", "hash": 189228440374175824137050952901906536534, "size": 20, "commit_id": "ab109aaeb3ddba59518b036fb288402a65cf7ce8", "message": "Bug 694724: Have filenameforall and getenv honor SAFER", "target": 0, "dataset": "other", "idx": 277042 }, { "func": "zfilenamesplit(i_ctx_t *i_ctx_p)\n{\n os_ptr op = osp;\n\n check_read_type(*op, t_string);\n/****** NOT IMPLEMENTED YET ******/\n return_error(gs_error_undefined);\n}", "project": "ghostpdl", "hash": 102410694354468205277613922551157181729, "size": 8, "commit_id": "ab109aaeb3ddba59518b036fb288402a65cf7ce8", "message": "Bug 694724: Have filenameforall and getenv honor SAFER", "target": 0, "dataset": "other", "idx": 277043 }, { "func": "parse_real_file_name(const ref *op, gs_parsed_file_name_t *pfn,\n gs_memory_t *mem, client_name_t cname)\n{\n check_read_type(*op, t_string);\n return gs_parse_real_file_name(pfn, (const char *)op->value.const_bytes,\n r_size(op), mem, cname);\n}", "project": "ghostpdl", "hash": 150155833297574123660287057710866846359, "size": 7, "commit_id": "ab109aaeb3ddba59518b036fb288402a65cf7ce8", "message": "Bug 694724: Have filenameforall and getenv honor SAFER", "target": 0, "dataset": "other", "idx": 277057 }, { "func": "zcopydevice2(i_ctx_t *i_ctx_p)\n{\n os_ptr op = osp;\n gx_device *new_dev;\n int code;\n\n check_read_type(op[-1], t_device);\n check_type(*op, t_boolean);\n if (op[-1].value.pdevice == NULL)\n /* This can happen if we invalidated devices on the stack by calling nulldevice after they were pushed */\n return_error(gs_error_undefined);\n\n code = gs_copydevice2(&new_dev, op[-1].value.pdevice, op->value.boolval,\n imemory);\n if (code < 0)\n return code;\n new_dev->memory = imemory;\n make_tav(op - 1, t_device, icurrent_space | a_all, pdevice, new_dev);\n pop(1);\n return 0;\n}", 
"project": "ghostpdl", "hash": 161944612753989120019875726063999746588, "size": 21, "commit_id": "661e8d8fb8248c38d67958beda32f3a5876d0c3f", "message": "Bug 700176: check the *output* device for LockSafetyParams\n\nWhen calling .setdevice we were checking if LockSafetyParams was set, and if so\nthrowing an invalidaccess error.\n\nThe problem is, if another device, for example the pdf14 compositor is the 'top'\ndevice, that does not (and cannot) honour LockSafetyParams.\n\nTo solve this, we'll now use the (relatively new) gxdso_current_output_device\nspec_op to retrieve the *actual* output device, and check the LockSafetyParams\nflag in that.", "target": 0, "dataset": "other", "idx": 410235 }, { "func": "zdevicename(i_ctx_t *i_ctx_p)\n{\n os_ptr op = osp;\n const char *dname;\n\n check_read_type(*op, t_device);\n if (op->value.pdevice == NULL)\n /* This can happen if we invalidated devices on the stack by calling nulldevice after they were pushed */\n return_error(gs_error_undefined);\n\n dname = op->value.pdevice->dname;\n make_const_string(op, avm_foreign | a_readonly, strlen(dname),\n (const byte *)dname);\n return 0;\n}", "project": "ghostpdl", "hash": 176319835489871923162857395791135701572, "size": 15, "commit_id": "661e8d8fb8248c38d67958beda32f3a5876d0c3f", "message": "Bug 700176: check the *output* device for LockSafetyParams\n\nWhen calling .setdevice we were checking if LockSafetyParams was set, and if so\nthrowing an invalidaccess error.\n\nThe problem is, if another device, for example the pdf14 compositor is the 'top'\ndevice, that does not (and cannot) honour LockSafetyParams.\n\nTo solve this, we'll now use the (relatively new) gxdso_current_output_device\nspec_op to retrieve the *actual* output device, and check the LockSafetyParams\nflag in that.", "target": 0, "dataset": "other", "idx": 410240 }, { "func": "zgetbitsrect(i_ctx_t *i_ctx_p)\n{\t/*\n * alpha? 
is 0 for no alpha, -1 for alpha first, 1 for alpha last.\n * std_depth is null for native pixels, depth/component for\n * standard color space.\n */\n os_ptr op = osp;\n gx_device *dev;\n gs_int_rect rect;\n gs_get_bits_params_t params;\n int w, h;\n gs_get_bits_options_t options =\n GB_ALIGN_ANY | GB_RETURN_COPY | GB_OFFSET_0 | GB_RASTER_STANDARD |\n GB_PACKING_CHUNKY;\n int depth;\n uint raster;\n int num_rows;\n int code;\n\n check_read_type(op[-7], t_device);\n dev = op[-7].value.pdevice;\n if (dev == NULL)\n /* This can happen if we invalidated devices on the stack by calling nulldevice after they were pushed */\n return_error(gs_error_undefined);\n\n check_int_leu(op[-6], dev->width);\n rect.p.x = op[-6].value.intval;\n check_int_leu(op[-5], dev->height);\n rect.p.y = op[-5].value.intval;\n check_int_leu(op[-4], dev->width);\n w = op[-4].value.intval;\n check_int_leu(op[-3], dev->height);\n h = op[-3].value.intval;\n check_type(op[-2], t_integer);\n /*\n * We use if/else rather than switch because the value is long,\n * which is not supported as a switch value in pre-ANSI C.\n */\n if (op[-2].value.intval == -1)\n options |= GB_ALPHA_FIRST;\n else if (op[-2].value.intval == 0)\n options |= GB_ALPHA_NONE;\n else if (op[-2].value.intval == 1)\n options |= GB_ALPHA_LAST;\n else\n return_error(gs_error_rangecheck);\n if (r_has_type(op - 1, t_null)) {\n options |= GB_COLORS_NATIVE;\n depth = dev->color_info.depth;\n } else {\n static const gs_get_bits_options_t depths[17] = {\n 0, GB_DEPTH_1, GB_DEPTH_2, 0, GB_DEPTH_4, 0, 0, 0, GB_DEPTH_8,\n 0, 0, 0, GB_DEPTH_12, 0, 0, 0, GB_DEPTH_16\n };\n gs_get_bits_options_t depth_option;\n int std_depth;\n\n check_int_leu(op[-1], 16);\n std_depth = (int)op[-1].value.intval;\n depth_option = depths[std_depth];\n if (depth_option == 0)\n return_error(gs_error_rangecheck);\n options |= depth_option | GB_COLORS_NATIVE;\n depth = (dev->color_info.num_components +\n (options & GB_ALPHA_NONE ? 
0 : 1)) * std_depth;\n }\n if (w == 0)\n return_error(gs_error_rangecheck);\n raster = (w * depth + 7) >> 3;\n check_write_type(*op, t_string);\n num_rows = r_size(op) / raster;\n h = min(h, num_rows);\n if (h == 0)\n return_error(gs_error_rangecheck);\n rect.q.x = rect.p.x + w;\n rect.q.y = rect.p.y + h;\n params.options = options;\n params.data[0] = op->value.bytes;\n code = (*dev_proc(dev, get_bits_rectangle))(dev, &rect, ¶ms, NULL);\n if (code < 0)\n return code;\n make_int(op - 7, h);\n op[-6] = *op;\n r_set_size(op - 6, h * raster);\n pop(6);\n return 0;\n}", "project": "ghostpdl", "hash": 17602480222680679000158320114936812978, "size": 87, "commit_id": "661e8d8fb8248c38d67958beda32f3a5876d0c3f", "message": "Bug 700176: check the *output* device for LockSafetyParams\n\nWhen calling .setdevice we were checking if LockSafetyParams was set, and if so\nthrowing an invalidaccess error.\n\nThe problem is, if another device, for example the pdf14 compositor is the 'top'\ndevice, that does not (and cannot) honour LockSafetyParams.\n\nTo solve this, we'll now use the (relatively new) gxdso_current_output_device\nspec_op to retrieve the *actual* output device, and check the LockSafetyParams\nflag in that.", "target": 0, "dataset": "other", "idx": 410241 }, { "func": "wsrep_cb_status_t wsrep_sst_donate_cb (void* app_ctx, void* recv_ctx,\n const void* msg, size_t msg_len,\n const wsrep_gtid_t* current_gtid,\n const char* state, size_t state_len,\n bool bypass)\n{\n /* This will be reset when sync callback is called.\n * Should we set wsrep_ready to FALSE here too? 
*/\n local_status.set(WSREP_MEMBER_DONOR);\n\n const char* method = (char*)msg;\n size_t method_len = strlen (method);\n const char* data = method + method_len + 1;\n\n char uuid_str[37];\n wsrep_uuid_print (¤t_gtid->uuid, uuid_str, sizeof(uuid_str));\n\n wsp::env env(NULL);\n if (env.error())\n {\n WSREP_ERROR(\"wsrep_sst_donate_cb(): env var ctor failed: %d\", -env.error());\n return WSREP_CB_FAILURE;\n }\n\n int ret;\n if ((ret= sst_append_auth_env(env, sst_auth_real)))\n {\n WSREP_ERROR(\"wsrep_sst_donate_cb(): appending auth env failed: %d\", ret);\n return WSREP_CB_FAILURE;\n }\n\n if (!strcmp (WSREP_SST_MYSQLDUMP, method))\n {\n ret = sst_donate_mysqldump(data, ¤t_gtid->uuid, uuid_str,\n current_gtid->seqno, bypass, env());\n }\n else\n {\n ret = sst_donate_other(method, data, uuid_str,\n current_gtid->seqno, bypass, env());\n }\n\n return (ret >= 0 ? WSREP_CB_SUCCESS : WSREP_CB_FAILURE);\n}", "project": "mysql-wsrep", "hash": 340163712951592193597010920393388964257, "size": 44, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 1, "dataset": "other", "idx": 212088 }, { "func": "wsrep_cb_status_t wsrep_sst_donate_cb (void* app_ctx, void* recv_ctx,\n const void* msg, size_t msg_len,\n const wsrep_gtid_t* current_gtid,\n const char* state, size_t state_len,\n bool bypass)\n{\n const char* method = (char*)msg;\n size_t method_len = strlen (method);\n\n if (check_request_str(method, filename_char))\n {\n WSREP_ERROR(\"Bad SST method name. SST canceled.\");\n return WSREP_CB_FAILURE;\n }\n\n const char* data = method + method_len + 1;\n\n if (check_request_str(data, address_char))\n {\n WSREP_ERROR(\"Bad SST address string. SST canceled.\");\n return WSREP_CB_FAILURE;\n }\n\n char uuid_str[37];\n wsrep_uuid_print (¤t_gtid->uuid, uuid_str, sizeof(uuid_str));\n\n /* This will be reset when sync callback is called.\n * Should we set wsrep_ready to FALSE here too? 
*/\n local_status.set(WSREP_MEMBER_DONOR);\n\n wsp::env env(NULL);\n if (env.error())\n {\n WSREP_ERROR(\"wsrep_sst_donate_cb(): env var ctor failed: %d\", -env.error());\n return WSREP_CB_FAILURE;\n }\n\n int ret;\n if ((ret= sst_append_auth_env(env, sst_auth_real)))\n {\n WSREP_ERROR(\"wsrep_sst_donate_cb(): appending auth env failed: %d\", ret);\n return WSREP_CB_FAILURE;\n }\n\n if (!strcmp (WSREP_SST_MYSQLDUMP, method))\n {\n ret = sst_donate_mysqldump(data, ¤t_gtid->uuid, uuid_str,\n current_gtid->seqno, bypass, env());\n }\n else\n {\n ret = sst_donate_other(method, data, uuid_str,\n current_gtid->seqno, bypass, env());\n }\n\n return (ret >= 0 ? WSREP_CB_SUCCESS : WSREP_CB_FAILURE);\n}", "project": "mysql-wsrep", "hash": 250096512772440836164701665139796929193, "size": 57, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454781 }, { "func": "static long evdev_do_ioctl(struct file *file, unsigned int cmd,\n\t\t\t void __user *p, int compat_mode)\n{\n\tstruct evdev_client *client = file->private_data;\n\tstruct evdev *evdev = client->evdev;\n\tstruct input_dev *dev = evdev->handle.dev;\n\tstruct input_absinfo abs;\n\tstruct ff_effect effect;\n\tint __user *ip = (int __user *)p;\n\tunsigned int i, t, u, v;\n\tunsigned int size;\n\tint error;\n\n\t/* First we check for fixed-length commands */\n\tswitch (cmd) {\n\n\tcase EVIOCGVERSION:\n\t\treturn put_user(EV_VERSION, ip);\n\n\tcase EVIOCGID:\n\t\tif (copy_to_user(p, &dev->id, sizeof(struct input_id)))\n\t\t\treturn -EFAULT;\n\t\treturn 0;\n\n\tcase EVIOCGREP:\n\t\tif (!test_bit(EV_REP, dev->evbit))\n\t\t\treturn -ENOSYS;\n\t\tif (put_user(dev->rep[REP_DELAY], ip))\n\t\t\treturn -EFAULT;\n\t\tif (put_user(dev->rep[REP_PERIOD], ip + 1))\n\t\t\treturn -EFAULT;\n\t\treturn 0;\n\n\tcase EVIOCSREP:\n\t\tif (!test_bit(EV_REP, dev->evbit))\n\t\t\treturn -ENOSYS;\n\t\tif (get_user(u, 
ip))\n\t\t\treturn -EFAULT;\n\t\tif (get_user(v, ip + 1))\n\t\t\treturn -EFAULT;\n\n\t\tinput_inject_event(&evdev->handle, EV_REP, REP_DELAY, u);\n\t\tinput_inject_event(&evdev->handle, EV_REP, REP_PERIOD, v);\n\n\t\treturn 0;\n\n\tcase EVIOCRMFF:\n\t\treturn input_ff_erase(dev, (int)(unsigned long) p, file);\n\n\tcase EVIOCGEFFECTS:\n\t\ti = test_bit(EV_FF, dev->evbit) ?\n\t\t\t\tdev->ff->max_effects : 0;\n\t\tif (put_user(i, ip))\n\t\t\treturn -EFAULT;\n\t\treturn 0;\n\n\tcase EVIOCGRAB:\n\t\tif (p)\n\t\t\treturn evdev_grab(evdev, client);\n\t\telse\n\t\t\treturn evdev_ungrab(evdev, client);\n\n\tcase EVIOCSCLOCKID:\n\t\tif (copy_from_user(&i, p, sizeof(unsigned int)))\n\t\t\treturn -EFAULT;\n\t\tif (i != CLOCK_MONOTONIC && i != CLOCK_REALTIME)\n\t\t\treturn -EINVAL;\n\t\tclient->clkid = i;\n\t\treturn 0;\n\n\tcase EVIOCGKEYCODE:\n\t\treturn evdev_handle_get_keycode(dev, p);\n\n\tcase EVIOCSKEYCODE:\n\t\treturn evdev_handle_set_keycode(dev, p);\n\n\tcase EVIOCGKEYCODE_V2:\n\t\treturn evdev_handle_get_keycode_v2(dev, p);\n\n\tcase EVIOCSKEYCODE_V2:\n\t\treturn evdev_handle_set_keycode_v2(dev, p);\n\t}\n\n\tsize = _IOC_SIZE(cmd);\n\n\t/* Now check variable-length commands */\n#define EVIOC_MASK_SIZE(nr)\t((nr) & ~(_IOC_SIZEMASK << _IOC_SIZESHIFT))\n\tswitch (EVIOC_MASK_SIZE(cmd)) {\n\n\tcase EVIOCGPROP(0):\n\t\treturn bits_to_user(dev->propbit, INPUT_PROP_MAX,\n\t\t\t\t size, p, compat_mode);\n\n\tcase EVIOCGMTSLOTS(0):\n\t\treturn evdev_handle_mt_request(dev, size, ip);\n\n\tcase EVIOCGKEY(0):\n\t\treturn bits_to_user(dev->key, KEY_MAX, size, p, compat_mode);\n\n\tcase EVIOCGLED(0):\n\t\treturn bits_to_user(dev->led, LED_MAX, size, p, compat_mode);\n\n\tcase EVIOCGSND(0):\n\t\treturn bits_to_user(dev->snd, SND_MAX, size, p, compat_mode);\n\n\tcase EVIOCGSW(0):\n\t\treturn bits_to_user(dev->sw, SW_MAX, size, p, compat_mode);\n\n\tcase EVIOCGNAME(0):\n\t\treturn str_to_user(dev->name, size, p);\n\n\tcase EVIOCGPHYS(0):\n\t\treturn str_to_user(dev->phys, size, 
p);\n\n\tcase EVIOCGUNIQ(0):\n\t\treturn str_to_user(dev->uniq, size, p);\n\n\tcase EVIOC_MASK_SIZE(EVIOCSFF):\n\t\tif (input_ff_effect_from_user(p, size, &effect))\n\t\t\treturn -EFAULT;\n\n\t\terror = input_ff_upload(dev, &effect, file);\n\n\t\tif (put_user(effect.id, &(((struct ff_effect __user *)p)->id)))\n\t\t\treturn -EFAULT;\n\n\t\treturn error;\n\t}\n\n\t/* Multi-number variable-length handlers */\n\tif (_IOC_TYPE(cmd) != 'E')\n\t\treturn -EINVAL;\n\n\tif (_IOC_DIR(cmd) == _IOC_READ) {\n\n\t\tif ((_IOC_NR(cmd) & ~EV_MAX) == _IOC_NR(EVIOCGBIT(0, 0)))\n\t\t\treturn handle_eviocgbit(dev,\n\t\t\t\t\t\t_IOC_NR(cmd) & EV_MAX, size,\n\t\t\t\t\t\tp, compat_mode);\n\n\t\tif ((_IOC_NR(cmd) & ~ABS_MAX) == _IOC_NR(EVIOCGABS(0))) {\n\n\t\t\tif (!dev->absinfo)\n\t\t\t\treturn -EINVAL;\n\n\t\t\tt = _IOC_NR(cmd) & ABS_MAX;\n\t\t\tabs = dev->absinfo[t];\n\n\t\t\tif (copy_to_user(p, &abs, min_t(size_t,\n\t\t\t\t\tsize, sizeof(struct input_absinfo))))\n\t\t\t\treturn -EFAULT;\n\n\t\t\treturn 0;\n\t\t}\n\t}\n\n\tif (_IOC_DIR(cmd) == _IOC_WRITE) {\n\n\t\tif ((_IOC_NR(cmd) & ~ABS_MAX) == _IOC_NR(EVIOCSABS(0))) {\n\n\t\t\tif (!dev->absinfo)\n\t\t\t\treturn -EINVAL;\n\n\t\t\tt = _IOC_NR(cmd) & ABS_MAX;\n\n\t\t\tif (copy_from_user(&abs, p, min_t(size_t,\n\t\t\t\t\tsize, sizeof(struct input_absinfo))))\n\t\t\t\treturn -EFAULT;\n\n\t\t\tif (size < sizeof(struct input_absinfo))\n\t\t\t\tabs.resolution = 0;\n\n\t\t\t/* We can't change number of reserved MT slots */\n\t\t\tif (t == ABS_MT_SLOT)\n\t\t\t\treturn -EINVAL;\n\n\t\t\t/*\n\t\t\t * Take event lock to ensure that we are not\n\t\t\t * changing device parameters in the middle\n\t\t\t * of event.\n\t\t\t */\n\t\t\tspin_lock_irq(&dev->event_lock);\n\t\t\tdev->absinfo[t] = abs;\n\t\t\tspin_unlock_irq(&dev->event_lock);\n\n\t\t\treturn 0;\n\t\t}\n\t}\n\n\treturn -EINVAL;\n}", "project": "linux", "hash": 58772209716728897872783601375559144047, "size": 191, "commit_id": "483180281f0ac60d1138710eb21f4b9961901294", "message": "Input: 
evdev - flush queues during EVIOCGKEY-like ioctls\n\nIf userspace requests current KEY-state, they very likely assume that no\nsuch events are pending in the output queue of the evdev device.\nOtherwise, they will parse events which they already handled via\nEVIOCGKEY(). For XKB applications this can cause irreversible keyboard\nstates if a modifier is locked multiple times because a CTRL-DOWN event is\nhandled once via EVIOCGKEY() and once from the queue via read(), even\nthough it should handle it only once.\n\nTherefore, lets do the only logical thing and flush the evdev queue\natomically during this ioctl. We only flush events that are affected by\nthe given ioctl.\n\nThis only affects boolean events like KEY, SND, SW and LED. ABS, REL and\nothers are not affected as duplicate events can be handled gracefully by\nuser-space.\n\nNote: This actually breaks semantics of the evdev ABI. However,\ninvestigations showed that userspace already expects the new semantics and\nwe end up fixing at least all XKB applications.\nAll applications that are aware of this race-condition mirror the KEY\nstate for each open-file and detect/drop duplicate events. Hence, they do\nnot care whether duplicates are posted or not and work fine with this fix.\n\nAlso note that we need proper locking to guarantee atomicity and avoid\ndead-locks. event_lock must be locked before queue_lock (see input-core).\nHowever, we can safely release event_lock while flushing the queue. 
This\nallows the input-core to proceed with pending events and only stop if it\nneeds our queue_lock to post new events.\nThis should guarantee that we don't block event-dispatching for too long\nwhile flushing a single event queue.\n\nSigned-off-by: David Herrmann \nAcked-by: Peter Hutterer \nSigned-off-by: Dmitry Torokhov ", "target": 1, "dataset": "other", "idx": 206492 }, { "func": "static long evdev_do_ioctl(struct file *file, unsigned int cmd,\n\t\t\t void __user *p, int compat_mode)\n{\n\tstruct evdev_client *client = file->private_data;\n\tstruct evdev *evdev = client->evdev;\n\tstruct input_dev *dev = evdev->handle.dev;\n\tstruct input_absinfo abs;\n\tstruct ff_effect effect;\n\tint __user *ip = (int __user *)p;\n\tunsigned int i, t, u, v;\n\tunsigned int size;\n\tint error;\n\n\t/* First we check for fixed-length commands */\n\tswitch (cmd) {\n\n\tcase EVIOCGVERSION:\n\t\treturn put_user(EV_VERSION, ip);\n\n\tcase EVIOCGID:\n\t\tif (copy_to_user(p, &dev->id, sizeof(struct input_id)))\n\t\t\treturn -EFAULT;\n\t\treturn 0;\n\n\tcase EVIOCGREP:\n\t\tif (!test_bit(EV_REP, dev->evbit))\n\t\t\treturn -ENOSYS;\n\t\tif (put_user(dev->rep[REP_DELAY], ip))\n\t\t\treturn -EFAULT;\n\t\tif (put_user(dev->rep[REP_PERIOD], ip + 1))\n\t\t\treturn -EFAULT;\n\t\treturn 0;\n\n\tcase EVIOCSREP:\n\t\tif (!test_bit(EV_REP, dev->evbit))\n\t\t\treturn -ENOSYS;\n\t\tif (get_user(u, ip))\n\t\t\treturn -EFAULT;\n\t\tif (get_user(v, ip + 1))\n\t\t\treturn -EFAULT;\n\n\t\tinput_inject_event(&evdev->handle, EV_REP, REP_DELAY, u);\n\t\tinput_inject_event(&evdev->handle, EV_REP, REP_PERIOD, v);\n\n\t\treturn 0;\n\n\tcase EVIOCRMFF:\n\t\treturn input_ff_erase(dev, (int)(unsigned long) p, file);\n\n\tcase EVIOCGEFFECTS:\n\t\ti = test_bit(EV_FF, dev->evbit) ?\n\t\t\t\tdev->ff->max_effects : 0;\n\t\tif (put_user(i, ip))\n\t\t\treturn -EFAULT;\n\t\treturn 0;\n\n\tcase EVIOCGRAB:\n\t\tif (p)\n\t\t\treturn evdev_grab(evdev, client);\n\t\telse\n\t\t\treturn evdev_ungrab(evdev, 
client);\n\n\tcase EVIOCSCLOCKID:\n\t\tif (copy_from_user(&i, p, sizeof(unsigned int)))\n\t\t\treturn -EFAULT;\n\t\tif (i != CLOCK_MONOTONIC && i != CLOCK_REALTIME)\n\t\t\treturn -EINVAL;\n\t\tclient->clkid = i;\n\t\treturn 0;\n\n\tcase EVIOCGKEYCODE:\n\t\treturn evdev_handle_get_keycode(dev, p);\n\n\tcase EVIOCSKEYCODE:\n\t\treturn evdev_handle_set_keycode(dev, p);\n\n\tcase EVIOCGKEYCODE_V2:\n\t\treturn evdev_handle_get_keycode_v2(dev, p);\n\n\tcase EVIOCSKEYCODE_V2:\n\t\treturn evdev_handle_set_keycode_v2(dev, p);\n\t}\n\n\tsize = _IOC_SIZE(cmd);\n\n\t/* Now check variable-length commands */\n#define EVIOC_MASK_SIZE(nr)\t((nr) & ~(_IOC_SIZEMASK << _IOC_SIZESHIFT))\n\tswitch (EVIOC_MASK_SIZE(cmd)) {\n\n\tcase EVIOCGPROP(0):\n\t\treturn bits_to_user(dev->propbit, INPUT_PROP_MAX,\n\t\t\t\t size, p, compat_mode);\n\n\tcase EVIOCGMTSLOTS(0):\n\t\treturn evdev_handle_mt_request(dev, size, ip);\n\n\tcase EVIOCGKEY(0):\n\t\treturn evdev_handle_get_val(client, dev, EV_KEY, dev->key,\n\t\t\t\t\t KEY_MAX, size, p, compat_mode);\n\n\tcase EVIOCGLED(0):\n\t\treturn evdev_handle_get_val(client, dev, EV_LED, dev->led,\n\t\t\t\t\t LED_MAX, size, p, compat_mode);\n\n\tcase EVIOCGSND(0):\n\t\treturn evdev_handle_get_val(client, dev, EV_SND, dev->snd,\n\t\t\t\t\t SND_MAX, size, p, compat_mode);\n\n\tcase EVIOCGSW(0):\n\t\treturn evdev_handle_get_val(client, dev, EV_SW, dev->sw,\n\t\t\t\t\t SW_MAX, size, p, compat_mode);\n\n\tcase EVIOCGNAME(0):\n\t\treturn str_to_user(dev->name, size, p);\n\n\tcase EVIOCGPHYS(0):\n\t\treturn str_to_user(dev->phys, size, p);\n\n\tcase EVIOCGUNIQ(0):\n\t\treturn str_to_user(dev->uniq, size, p);\n\n\tcase EVIOC_MASK_SIZE(EVIOCSFF):\n\t\tif (input_ff_effect_from_user(p, size, &effect))\n\t\t\treturn -EFAULT;\n\n\t\terror = input_ff_upload(dev, &effect, file);\n\n\t\tif (put_user(effect.id, &(((struct ff_effect __user *)p)->id)))\n\t\t\treturn -EFAULT;\n\n\t\treturn error;\n\t}\n\n\t/* Multi-number variable-length handlers */\n\tif (_IOC_TYPE(cmd) != 
'E')\n\t\treturn -EINVAL;\n\n\tif (_IOC_DIR(cmd) == _IOC_READ) {\n\n\t\tif ((_IOC_NR(cmd) & ~EV_MAX) == _IOC_NR(EVIOCGBIT(0, 0)))\n\t\t\treturn handle_eviocgbit(dev,\n\t\t\t\t\t\t_IOC_NR(cmd) & EV_MAX, size,\n\t\t\t\t\t\tp, compat_mode);\n\n\t\tif ((_IOC_NR(cmd) & ~ABS_MAX) == _IOC_NR(EVIOCGABS(0))) {\n\n\t\t\tif (!dev->absinfo)\n\t\t\t\treturn -EINVAL;\n\n\t\t\tt = _IOC_NR(cmd) & ABS_MAX;\n\t\t\tabs = dev->absinfo[t];\n\n\t\t\tif (copy_to_user(p, &abs, min_t(size_t,\n\t\t\t\t\tsize, sizeof(struct input_absinfo))))\n\t\t\t\treturn -EFAULT;\n\n\t\t\treturn 0;\n\t\t}\n\t}\n\n\tif (_IOC_DIR(cmd) == _IOC_WRITE) {\n\n\t\tif ((_IOC_NR(cmd) & ~ABS_MAX) == _IOC_NR(EVIOCSABS(0))) {\n\n\t\t\tif (!dev->absinfo)\n\t\t\t\treturn -EINVAL;\n\n\t\t\tt = _IOC_NR(cmd) & ABS_MAX;\n\n\t\t\tif (copy_from_user(&abs, p, min_t(size_t,\n\t\t\t\t\tsize, sizeof(struct input_absinfo))))\n\t\t\t\treturn -EFAULT;\n\n\t\t\tif (size < sizeof(struct input_absinfo))\n\t\t\t\tabs.resolution = 0;\n\n\t\t\t/* We can't change number of reserved MT slots */\n\t\t\tif (t == ABS_MT_SLOT)\n\t\t\t\treturn -EINVAL;\n\n\t\t\t/*\n\t\t\t * Take event lock to ensure that we are not\n\t\t\t * changing device parameters in the middle\n\t\t\t * of event.\n\t\t\t */\n\t\t\tspin_lock_irq(&dev->event_lock);\n\t\t\tdev->absinfo[t] = abs;\n\t\t\tspin_unlock_irq(&dev->event_lock);\n\n\t\t\treturn 0;\n\t\t}\n\t}\n\n\treturn -EINVAL;\n}", "project": "linux", "hash": 17942239882540888408053190104002056298, "size": 195, "commit_id": "483180281f0ac60d1138710eb21f4b9961901294", "message": "Input: evdev - flush queues during EVIOCGKEY-like ioctls\n\nIf userspace requests current KEY-state, they very likely assume that no\nsuch events are pending in the output queue of the evdev device.\nOtherwise, they will parse events which they already handled via\nEVIOCGKEY(). 
For XKB applications this can cause irreversible keyboard\nstates if a modifier is locked multiple times because a CTRL-DOWN event is\nhandled once via EVIOCGKEY() and once from the queue via read(), even\nthough it should handle it only once.\n\nTherefore, lets do the only logical thing and flush the evdev queue\natomically during this ioctl. We only flush events that are affected by\nthe given ioctl.\n\nThis only affects boolean events like KEY, SND, SW and LED. ABS, REL and\nothers are not affected as duplicate events can be handled gracefully by\nuser-space.\n\nNote: This actually breaks semantics of the evdev ABI. However,\ninvestigations showed that userspace already expects the new semantics and\nwe end up fixing at least all XKB applications.\nAll applications that are aware of this race-condition mirror the KEY\nstate for each open-file and detect/drop duplicate events. Hence, they do\nnot care whether duplicates are posted or not and work fine with this fix.\n\nAlso note that we need proper locking to guarantee atomicity and avoid\ndead-locks. event_lock must be locked before queue_lock (see input-core).\nHowever, we can safely release event_lock while flushing the queue. 
This\nallows the input-core to proceed with pending events and only stop if it\nneeds our queue_lock to post new events.\nThis should guarantee that we don't block event-dispatching for too long\nwhile flushing a single event queue.\n\nSigned-off-by: David Herrmann \nAcked-by: Peter Hutterer \nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 381731 }, { "func": "long kvm_arch_vcpu_ioctl(struct file *filp,\n\t\t\t unsigned int ioctl, unsigned long arg)\n{\n\tstruct kvm_vcpu *vcpu = filp->private_data;\n\tvoid __user *argp = (void __user *)arg;\n\tint idx;\n\tlong r;\n\tu16 rc, rrc;\n\n\tvcpu_load(vcpu);\n\n\tswitch (ioctl) {\n\tcase KVM_S390_STORE_STATUS:\n\t\tidx = srcu_read_lock(&vcpu->kvm->srcu);\n\t\tr = kvm_s390_store_status_unloaded(vcpu, arg);\n\t\tsrcu_read_unlock(&vcpu->kvm->srcu, idx);\n\t\tbreak;\n\tcase KVM_S390_SET_INITIAL_PSW: {\n\t\tpsw_t psw;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&psw, argp, sizeof(psw)))\n\t\t\tbreak;\n\t\tr = kvm_arch_vcpu_ioctl_set_initial_psw(vcpu, psw);\n\t\tbreak;\n\t}\n\tcase KVM_S390_CLEAR_RESET:\n\t\tr = 0;\n\t\tkvm_arch_vcpu_ioctl_clear_reset(vcpu);\n\t\tif (kvm_s390_pv_cpu_is_protected(vcpu)) {\n\t\t\tr = uv_cmd_nodata(kvm_s390_pv_cpu_get_handle(vcpu),\n\t\t\t\t\t UVC_CMD_CPU_RESET_CLEAR, &rc, &rrc);\n\t\t\tVCPU_EVENT(vcpu, 3, \"PROTVIRT RESET CLEAR VCPU: rc %x rrc %x\",\n\t\t\t\t rc, rrc);\n\t\t}\n\t\tbreak;\n\tcase KVM_S390_INITIAL_RESET:\n\t\tr = 0;\n\t\tkvm_arch_vcpu_ioctl_initial_reset(vcpu);\n\t\tif (kvm_s390_pv_cpu_is_protected(vcpu)) {\n\t\t\tr = uv_cmd_nodata(kvm_s390_pv_cpu_get_handle(vcpu),\n\t\t\t\t\t UVC_CMD_CPU_RESET_INITIAL,\n\t\t\t\t\t &rc, &rrc);\n\t\t\tVCPU_EVENT(vcpu, 3, \"PROTVIRT RESET INITIAL VCPU: rc %x rrc %x\",\n\t\t\t\t rc, rrc);\n\t\t}\n\t\tbreak;\n\tcase KVM_S390_NORMAL_RESET:\n\t\tr = 0;\n\t\tkvm_arch_vcpu_ioctl_normal_reset(vcpu);\n\t\tif (kvm_s390_pv_cpu_is_protected(vcpu)) {\n\t\t\tr = uv_cmd_nodata(kvm_s390_pv_cpu_get_handle(vcpu),\n\t\t\t\t\t 
UVC_CMD_CPU_RESET, &rc, &rrc);\n\t\t\tVCPU_EVENT(vcpu, 3, \"PROTVIRT RESET NORMAL VCPU: rc %x rrc %x\",\n\t\t\t\t rc, rrc);\n\t\t}\n\t\tbreak;\n\tcase KVM_SET_ONE_REG:\n\tcase KVM_GET_ONE_REG: {\n\t\tstruct kvm_one_reg reg;\n\t\tr = -EINVAL;\n\t\tif (kvm_s390_pv_cpu_is_protected(vcpu))\n\t\t\tbreak;\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(®, argp, sizeof(reg)))\n\t\t\tbreak;\n\t\tif (ioctl == KVM_SET_ONE_REG)\n\t\t\tr = kvm_arch_vcpu_ioctl_set_one_reg(vcpu, ®);\n\t\telse\n\t\t\tr = kvm_arch_vcpu_ioctl_get_one_reg(vcpu, ®);\n\t\tbreak;\n\t}\n#ifdef CONFIG_KVM_S390_UCONTROL\n\tcase KVM_S390_UCAS_MAP: {\n\t\tstruct kvm_s390_ucas_mapping ucasmap;\n\n\t\tif (copy_from_user(&ucasmap, argp, sizeof(ucasmap))) {\n\t\t\tr = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (!kvm_is_ucontrol(vcpu->kvm)) {\n\t\t\tr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\n\t\tr = gmap_map_segment(vcpu->arch.gmap, ucasmap.user_addr,\n\t\t\t\t ucasmap.vcpu_addr, ucasmap.length);\n\t\tbreak;\n\t}\n\tcase KVM_S390_UCAS_UNMAP: {\n\t\tstruct kvm_s390_ucas_mapping ucasmap;\n\n\t\tif (copy_from_user(&ucasmap, argp, sizeof(ucasmap))) {\n\t\t\tr = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (!kvm_is_ucontrol(vcpu->kvm)) {\n\t\t\tr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\n\t\tr = gmap_unmap_segment(vcpu->arch.gmap, ucasmap.vcpu_addr,\n\t\t\tucasmap.length);\n\t\tbreak;\n\t}\n#endif\n\tcase KVM_S390_VCPU_FAULT: {\n\t\tr = gmap_fault(vcpu->arch.gmap, arg, 0);\n\t\tbreak;\n\t}\n\tcase KVM_ENABLE_CAP:\n\t{\n\t\tstruct kvm_enable_cap cap;\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&cap, argp, sizeof(cap)))\n\t\t\tbreak;\n\t\tr = kvm_vcpu_ioctl_enable_cap(vcpu, &cap);\n\t\tbreak;\n\t}\n\tcase KVM_S390_MEM_OP: {\n\t\tstruct kvm_s390_mem_op mem_op;\n\n\t\tif (copy_from_user(&mem_op, argp, sizeof(mem_op)) == 0)\n\t\t\tr = kvm_s390_guest_memsida_op(vcpu, &mem_op);\n\t\telse\n\t\t\tr = -EFAULT;\n\t\tbreak;\n\t}\n\tcase KVM_S390_SET_IRQ_STATE: {\n\t\tstruct kvm_s390_irq_state irq_state;\n\n\t\tr = -EFAULT;\n\t\tif 
(copy_from_user(&irq_state, argp, sizeof(irq_state)))\n\t\t\tbreak;\n\t\tif (irq_state.len > VCPU_IRQS_MAX_BUF ||\n\t\t irq_state.len == 0 ||\n\t\t irq_state.len % sizeof(struct kvm_s390_irq) > 0) {\n\t\t\tr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\t\t/* do not use irq_state.flags, it will break old QEMUs */\n\t\tr = kvm_s390_set_irq_state(vcpu,\n\t\t\t\t\t (void __user *) irq_state.buf,\n\t\t\t\t\t irq_state.len);\n\t\tbreak;\n\t}\n\tcase KVM_S390_GET_IRQ_STATE: {\n\t\tstruct kvm_s390_irq_state irq_state;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&irq_state, argp, sizeof(irq_state)))\n\t\t\tbreak;\n\t\tif (irq_state.len == 0) {\n\t\t\tr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\t\t/* do not use irq_state.flags, it will break old QEMUs */\n\t\tr = kvm_s390_get_irq_state(vcpu,\n\t\t\t\t\t (__u8 __user *) irq_state.buf,\n\t\t\t\t\t irq_state.len);\n\t\tbreak;\n\t}\n\tdefault:\n\t\tr = -ENOTTY;\n\t}\n\n\tvcpu_put(vcpu);\n\treturn r;\n}", "project": "linux", "hash": 193191810816342597880670807633180735750, "size": 171, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354490 }, { "func": "static void put_map(unsigned long *map)\n{\n\tVM_BUG_ON(map != object_map);\n\tlockdep_assert_held(&object_map_lock);\n\n\tspin_unlock(&object_map_lock);\n}", "project": "linux", "hash": 287524518301181821807155019299171473668, 
"size": 7, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280194 }, { "func": "static int __kvm_map_gfn(struct kvm_memslots *slots, gfn_t gfn,\n\t\t\t struct kvm_host_map *map,\n\t\t\t struct gfn_to_pfn_cache *cache,\n\t\t\t bool atomic)\n{\n\tkvm_pfn_t pfn;\n\tvoid *hva = NULL;\n\tstruct page *page = KVM_UNMAPPED_PAGE;\n\tstruct kvm_memory_slot *slot = __gfn_to_memslot(slots, gfn);\n\tu64 gen = slots->generation;\n\n\tif (!map)\n\t\treturn -EINVAL;\n\n\tif (cache) {\n\t\tif (!cache->pfn || cache->gfn != gfn ||\n\t\t\tcache->generation != gen) {\n\t\t\tif (atomic)\n\t\t\t\treturn -EAGAIN;\n\t\t\tkvm_cache_gfn_to_pfn(slot, gfn, cache, gen);\n\t\t}\n\t\tpfn = cache->pfn;\n\t} else {\n\t\tif (atomic)\n\t\t\treturn -EAGAIN;\n\t\tpfn = gfn_to_pfn_memslot(slot, gfn);\n\t}\n\tif (is_error_noslot_pfn(pfn))\n\t\treturn -EINVAL;\n\n\tif (pfn_valid(pfn)) {\n\t\tpage = pfn_to_page(pfn);\n\t\tif (atomic)\n\t\t\thva = kmap_atomic(page);\n\t\telse\n\t\t\thva = kmap(page);\n#ifdef CONFIG_HAS_IOMEM\n\t} else if (!atomic) {\n\t\thva = memremap(pfn_to_hpa(pfn), PAGE_SIZE, MEMREMAP_WB);\n\t} else {\n\t\treturn -EINVAL;\n#endif\n\t}\n\n\tif (!hva)\n\t\treturn -EFAULT;\n\n\tmap->page = page;\n\tmap->hva = hva;\n\tmap->pfn = 
pfn;\n\tmap->gfn = gfn;\n\n\treturn 0;\n}", "project": "linux", "hash": 74810279453643610120708944685062233890, "size": 54, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354661 }, { "func": "RGWOp* RGWSwiftWebsiteHandler::get_ws_index_op()\n{\n /* Retarget to get obj on requested index file. */\n if (! s->object.empty()) {\n s->object = s->object.name +\n s->bucket_info.website_conf.get_index_doc();\n } else {\n s->object = s->bucket_info.website_conf.get_index_doc();\n }\n\n auto getop = new RGWGetObj_ObjStore_SWIFT;\n getop->set_get_data(boost::algorithm::equals(\"GET\", s->info.method));\n\n return getop;\n}", "project": "ceph", "hash": 270412789538377591011406584565946569684, "size": 15, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448778 }, { "func": " WuManberReplacement(const Array &arr, size_t minLen)\n : m(minLen), B(MIN(m,2)), Bp(MIN(m,2)),\n valid(initPatterns(arr)) { }", "project": "hhvm", "hash": 
291958387239308579485404083056010319985, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219068 }, { "func": "Status CopyTF_TensorStringsToPyArray(const TF_Tensor* src, uint64 nelems,\n PyArrayObject* dst) {\n const void* tensor_data = TF_TensorData(src);\n DCHECK(tensor_data != nullptr);\n DCHECK_EQ(TF_STRING, TF_TensorType(src));\n\n const tstring* tstr = static_cast(tensor_data);\n\n std::unique_ptr status(\n TF_NewStatus(), TF_DeleteStatus);\n auto iter = make_safe(PyArray_IterNew(reinterpret_cast(dst)));\n for (int64 i = 0; i < static_cast(nelems); ++i) {\n const tstring& tstr_i = tstr[i];\n auto py_string =\n make_safe(PyBytes_FromStringAndSize(tstr_i.data(), tstr_i.size()));\n if (py_string == nullptr) {\n return errors::Internal(\n \"failed to create a python byte array when converting element #\", i,\n \" of a TF_STRING tensor to a numpy ndarray\");\n }\n\n if (PyArray_SETITEM(dst, static_cast(PyArray_ITER_DATA(iter.get())),\n py_string.get()) != 0) {\n return errors::Internal(\"Error settings element #\", i,\n \" in the numpy ndarray\");\n }\n PyArray_ITER_NEXT(iter.get());\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 57119709213555144068246219573914424343, "size": 30, "commit_id": "030af767d357d1b4088c4a25c72cb3906abac489", "message": "Fix `tf.raw_ops.ResourceCountUpTo` null pointer dereference.\n\nPiperOrigin-RevId: 368294347\nChange-Id: I2c16fbfc9b4966c402c3d8e311f0d665a9c852d8", "target": 0, "dataset": "other", "idx": 232657 }, { "func": "int udev_util_replace_whitespace(const char *str, char *to, size_t len)\n{\n\tsize_t i, j;\n\n\t/* strip trailing whitespace */\n\tlen = strnlen(str, len);\n\twhile (len && isspace(str[len-1]))\n\t\tlen--;\n\n\t/* strip leading whitespace */\n\ti = 0;\n\twhile (isspace(str[i]) && (i < len))\n\t\ti++;\n\n\tj = 0;\n\twhile (i < len) {\n\t\t/* substitute 
multiple whitespace with a single '_' */\n\t\tif (isspace(str[i])) {\n\t\t\twhile (isspace(str[i]))\n\t\t\t\ti++;\n\t\t\tto[j++] = '_';\n\t\t}\n\t\tto[j++] = str[i++];\n\t}\n\tto[j] = '\\0';\n\treturn 0;\n}", "target": 0, "cwe": [ "CWE-120" ], "project": "udev", "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314", "hash": 88884199138926280324446302621973893051, "size": 27, "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)", "dataset": "other", "idx": 490342 }, { "func": "static void nfs4_xdr_enc_symlink(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs4_create_arg *args = data;\n\n\tnfs4_xdr_enc_create(req, xdr, args);\n}", "project": "linux", "hash": 137641244723763047884750420943547646076, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431051 }, { "func": "void tty_free_file(struct file *file)\n{\n\tstruct tty_file_private *priv = file->private_data;\n\n\tfile->private_data = NULL;\n\tkfree(priv);\n}", "project": "linux", "hash": 207654100498953760567421848553427355322, "size": 7, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, 
an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326054 }, { "func": " bool matches(const Http::RequestHeaderMap& headers) const override {\n if (BaseMatcherImpl::matchRoute(headers)) {\n const Http::HeaderString& path = headers.Path()->value();\n const absl::string_view query_string = Http::Utility::findQueryStringStart(path);\n absl::string_view path_view = path.getStringView();\n path_view.remove_suffix(query_string.length());\n if (path_matcher_->match(path_view)) {\n ENVOY_LOG(debug, \"Regex requirement '{}' matched.\", regex_str_);\n return true;\n }\n }\n return false;\n }", "project": "envoy", "hash": 76257563614559165334076596514064335521, "size": 13, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with 
regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 1, "dataset": "other", "idx": 196858 }, { "func": "bool pcre_literal_data::matches(const StringData* subject,\n int pos,\n int* offsets) const {\n assertx(isLiteral());\n assertx(pos >= 0);\n\n // Subject must be at least as long as the literal pattern\n // for a match to occur.\n if (subject->size() < literal_str->length() + pos) {\n return false;\n }\n\n size_t literal_strlen = literal_str->length();\n auto const subject_c = subject->data();\n auto const literal_c = literal_str->c_str();\n if (match_start) {\n // Make sure an exact match has the right length.\n if (pos || (match_end && subject->size() != literal_strlen)) {\n return false;\n }\n // If only matching the start (^), compare the strings\n // for the length of the literal pattern.\n if (case_insensitive ?\n bstrcaseeq(subject_c, literal_c, literal_strlen) :\n memcmp(subject_c, literal_c, literal_strlen) == 0) {\n offsets[0] = 0;\n offsets[1] = literal_strlen * sizeof(char);\n return true;\n }\n } else if (match_end) {\n // Compare the literal pattern against the tail end of the subject.\n auto const subject_tail = subject_c + (subject->size() - literal_strlen);\n if (case_insensitive ?\n bstrcaseeq(subject_tail, literal_c, literal_strlen) :\n memcmp(subject_tail, literal_c, literal_strlen) == 0) {\n offsets[0] = (subject->size() - literal_strlen) * sizeof(char);\n offsets[1] = subject->size() * sizeof(char);\n return true;\n }\n } else {\n if (!literal_strlen) {\n offsets[0] = offsets[1] = pos;\n return true;\n }\n // Check if the literal pattern occurs as a substring of the subject.\n auto const subject_str = StrNR(subject);\n auto const find_response = subject_str.asString().find(\n *literal_str, pos, !case_insensitive);\n if (find_response >= 0) {\n offsets[0] = find_response * sizeof(char);\n offsets[1] = offsets[0] + literal_strlen * sizeof(char);\n return true;\n }\n }\n return false;\n}", "project": "hhvm", "hash": 
128933321319346078985788989970157840922, "size": 56, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219211 }, { "func": "bool lua_text_pattern::matches(const string &s) const\n{\n if (isvalid && !translated)\n translate();\n\n if (!isvalid)\n return false;\n\n return clua.callbooleanfn(false, lua_fn_name.c_str(), \"s\", s.c_str());\n}", "project": "crawl", "hash": 183094236498227976858522158660255785393, "size": 10, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230466 }, { "func": " bool matches(const Http::RequestHeaderMap& headers) const override {\n if (BaseMatcherImpl::matchRoute(headers) && path_matcher_->match(headers.getPathValue())) {\n ENVOY_LOG(debug, \"Prefix requirement '{}' matched.\", prefix_);\n return true;\n }\n return false;\n }", "project": "envoy", "hash": 201824668374756237800648927687156313378, "size": 7, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246597 }, { "func": " bool matches(const Http::RequestHeaderMap& headers) const override {\n if (BaseMatcherImpl::matchRoute(headers)) {\n if (headers.Path() == nullptr) {\n return false;\n }\n const Http::HeaderString& path = headers.Path()->value();\n const absl::string_view query_string = Http::Utility::findQueryStringStart(path);\n absl::string_view path_view = path.getStringView();\n path_view.remove_suffix(query_string.length());\n if (path_matcher_->match(path_view)) {\n ENVOY_LOG(debug, \"Regex requirement '{}' matched.\", regex_str_);\n return true;\n }\n }\n return false;\n }", "project": "envoy", "hash": 234200888989403949850149389072672312631, 
"size": 16, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246616 }, { "func": " bool matches(const Http::RequestHeaderMap& headers) const override {\n if (BaseMatcherImpl::matchRoute(headers) && path_matcher_->match(headers.getPathValue())) {\n ENVOY_LOG(debug, \"Path requirement '{}' matched.\", path_);\n return true;\n }\n return false;\n }", "project": "envoy", "hash": 95938626113465667475300040750053447608, "size": 7, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246625 }, { "func": " bool matches(const Http::RequestHeaderMap& headers) const override {\n if (Http::HeaderUtility::isConnect(headers) && BaseMatcherImpl::matchRoute(headers)) {\n ENVOY_LOG(debug, \"CONNECT requirement matched.\");\n return true;\n }\n\n return false;\n }", "project": "envoy", "hash": 205561209306454635097780615863323829438, "size": 8, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246632 }, { "func": "CairoFont::matches(Ref &other) {\n return (other.num == ref.num && other.gen == ref.gen);\n}", "project": "poppler", "hash": 117601825805029483916978772335767542539, "size": 3, "commit_id": "1a531dcfee1c6fc79a414c38cbe7327fbf9a59d8", "message": "Fix a crash with invalid embedded fonts", "target": 0, "dataset": "other", "idx": 421882 }, { "func": "static void ov519_set_fr(struct sd *sd)\n{\n\tint fr;\n\tu8 clock;\n\t/* frame rate table with 
indices:\n\t *\t- mode = 0: 320x240, 1: 640x480\n\t *\t- fr rate = 0: 30, 1: 25, 2: 20, 3: 15, 4: 10, 5: 5\n\t *\t- reg = 0: bridge a4, 1: bridge 23, 2: sensor 11 (clock)\n\t */\n\tstatic const u8 fr_tb[2][6][3] = {\n\t\t{{0x04, 0xff, 0x00},\n\t\t {0x04, 0x1f, 0x00},\n\t\t {0x04, 0x1b, 0x00},\n\t\t {0x04, 0x15, 0x00},\n\t\t {0x04, 0x09, 0x00},\n\t\t {0x04, 0x01, 0x00}},\n\t\t{{0x0c, 0xff, 0x00},\n\t\t {0x0c, 0x1f, 0x00},\n\t\t {0x0c, 0x1b, 0x00},\n\t\t {0x04, 0xff, 0x01},\n\t\t {0x04, 0x1f, 0x01},\n\t\t {0x04, 0x1b, 0x01}},\n\t};\n\n\tif (frame_rate > 0)\n\t\tsd->frame_rate = frame_rate;\n\tif (sd->frame_rate >= 30)\n\t\tfr = 0;\n\telse if (sd->frame_rate >= 25)\n\t\tfr = 1;\n\telse if (sd->frame_rate >= 20)\n\t\tfr = 2;\n\telse if (sd->frame_rate >= 15)\n\t\tfr = 3;\n\telse if (sd->frame_rate >= 10)\n\t\tfr = 4;\n\telse\n\t\tfr = 5;\n\treg_w(sd, 0xa4, fr_tb[sd->gspca_dev.curr_mode][fr][0]);\n\treg_w(sd, 0x23, fr_tb[sd->gspca_dev.curr_mode][fr][1]);\n\tclock = fr_tb[sd->gspca_dev.curr_mode][fr][2];\n\tif (sd->sensor == SEN_OV7660)\n\t\tclock |= 0x80;\t\t/* enable double clock */\n\tov518_i2c_w(sd, OV7670_R11_CLKRC, clock);\n}", "project": "linux", "hash": 2543635245732523554886460254266819698, "size": 45, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, 
"dataset": "other", "idx": 306290 }, { "func": "static int stimer_set_config(struct kvm_vcpu_hv_stimer *stimer, u64 config,\n\t\t\t bool host)\n{\n\tunion hv_stimer_config new_config = {.as_uint64 = config},\n\t\told_config = {.as_uint64 = stimer->config.as_uint64};\n\tstruct kvm_vcpu *vcpu = hv_stimer_to_vcpu(stimer);\n\tstruct kvm_vcpu_hv_synic *synic = to_hv_synic(vcpu);\n\n\tif (!synic->active && !host)\n\t\treturn 1;\n\n\ttrace_kvm_hv_stimer_set_config(hv_stimer_to_vcpu(stimer)->vcpu_id,\n\t\t\t\t stimer->index, config, host);\n\n\tstimer_cleanup(stimer);\n\tif (old_config.enable &&\n\t !new_config.direct_mode && new_config.sintx == 0)\n\t\tnew_config.enable = 0;\n\tstimer->config.as_uint64 = new_config.as_uint64;\n\n\tif (stimer->config.enable)\n\t\tstimer_mark_pending(stimer, false);\n\n\treturn 0;\n}", "project": "linux", "hash": 46975045619073530694651248147213031569, "size": 25, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. 
However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343498 }, { "func": "static void perftools_addtrace(GCtrace *T)\n{\n static FILE *fp;\n GCproto *pt = &gcref(T->startpt)->pt;\n const BCIns *startpc = mref(T->startpc, const BCIns);\n const char *name = proto_chunknamestr(pt);\n BCLine lineno;\n if (name[0] == '@' || name[0] == '=')\n name++;\n else\n name = \"(string)\";\n lua_assert(startpc >= proto_bc(pt) && startpc < proto_bc(pt) + pt->sizebc);\n lineno = lj_debug_line(pt, proto_bcpos(pt, startpc));\n if (!fp) {\n char fname[40];\n sprintf(fname, \"/tmp/perf-%d.map\", getpid());\n if (!(fp = fopen(fname, \"w\"))) return;\n setlinebuf(fp);\n }\n fprintf(fp, \"%lx %x TRACE_%d::%s:%u\\n\",\n\t (long)T->mcode, T->szmcode, T->traceno, name, lineno);\n}", "project": "LuaJIT", "hash": 281218515340651859557054984256444767212, "size": 22, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394658 }, { "func": "static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_le_read_white_list_size *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x size %u\", hdev->name, rp->status, rp->size);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->le_white_list_size = rp->size;\n}", "project": "linux", "hash": 324670722547111649422870834383917263696, "size": 12, "commit_id": 
"51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431876 }, { "func": "int string_copy(char *dst, const char *src, int siz) {\n register char *d = dst;\n register const char *s = src;\n register size_t n = siz;\n\n /* Copy as many bytes as will fit */\n if (n != 0 && --n != 0) {\n do {\n if ((*d++ = *s++) == 0)\n break;\n } while (--n != 0);\n }\n\n /* Not enough room in dst, add NUL and traverse rest of src */\n if (n == 0) {\n if (siz != 0)\n *d = '\\0'; /* NUL-terminate dst */\n while (*s++)\n ;\n }\n\n return(s - src - 1); /* count does not include NUL */\n}", "project": "hhvm", "hash": 329154172614994910323517564943757317330, "size": 23, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219886 }, { "func": "static int tty_driver_install_tty(struct tty_driver *driver,\n\t\t\t\t\t\tstruct tty_struct *tty)\n{\n\treturn driver->ops->install ? 
driver->ops->install(driver, tty) :\n\t\ttty_standard_install(driver, tty);\n}", "project": "linux", "hash": 104270625519706710591363440828024325007, "size": 6, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326017 }, { "func": "int mp4read_close(void)\n{\n#define FREE(x) if(x){free(x);x=0;}\n FREE(mp4config.frame.data);\n FREE(mp4config.bitbuf.data);\n\n return ERR_OK;\n}", "project": "faad2", "hash": 
154004262558726368012470557527266102135, "size": 8, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221457 }, { "func": "static void show_version(void)\n{\n printf(\"NASM version %s compiled on %s%s\\n\",\n nasm_version, nasm_date, nasm_compile_options);\n exit(0);\n}", "project": "nasm", "hash": 230663606622576987870577764220285877766, "size": 6, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257482 }, { "func": "static void get_contype_from_attrs(map& attrs,\n\t\t\t\t string& content_type)\n{\n map::iterator iter = attrs.find(RGW_ATTR_CONTENT_TYPE);\n if (iter != attrs.end()) {\n content_type = rgw_bl_str(iter->second);\n }\n}", "project": "ceph", "hash": 80707342663950655406765098457776262775, "size": 8, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448829 }, { "func": "int kill_pid_usb_asyncio(int sig, int errno, sigval_t addr,\n\t\t\t struct pid *pid, const struct cred *cred)\n{\n\tstruct 
kernel_siginfo info;\n\tstruct task_struct *p;\n\tunsigned long flags;\n\tint ret = -EINVAL;\n\n\tclear_siginfo(&info);\n\tinfo.si_signo = sig;\n\tinfo.si_errno = errno;\n\tinfo.si_code = SI_ASYNCIO;\n\t*((sigval_t *)&info.si_pid) = addr;\n\n\tif (!valid_signal(sig))\n\t\treturn ret;\n\n\trcu_read_lock();\n\tp = pid_task(pid, PIDTYPE_PID);\n\tif (!p) {\n\t\tret = -ESRCH;\n\t\tgoto out_unlock;\n\t}\n\tif (!kill_as_cred_perm(cred, p)) {\n\t\tret = -EPERM;\n\t\tgoto out_unlock;\n\t}\n\tret = security_task_kill(p, &info, sig, cred);\n\tif (ret)\n\t\tgoto out_unlock;\n\n\tif (sig) {\n\t\tif (lock_task_sighand(p, &flags)) {\n\t\t\tret = __send_signal(sig, &info, p, PIDTYPE_TGID, false);\n\t\t\tunlock_task_sighand(p, &flags);\n\t\t} else\n\t\t\tret = -ESRCH;\n\t}\nout_unlock:\n\trcu_read_unlock();\n\treturn ret;\n}", "project": "linux", "hash": 11618671393821662048519637010969700519, "size": 42, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. 
Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375226 }, { "func": "static int test_flags(struct libmnt_test *ts, int argc, char *argv[])\n{\n\tchar *optstr;\n\tint rc;\n\tunsigned long fl = 0;\n\n\tif (argc < 2)\n\t\treturn -EINVAL;\n\n\toptstr = xstrdup(argv[1]);\n\n\trc = mnt_optstr_get_flags(optstr, &fl, mnt_get_builtin_optmap(MNT_LINUX_MAP));\n\tif (rc)\n\t\treturn rc;\n\tprintf(\"mountflags: 0x%08lx\\n\", fl);\n\n\tfl = 0;\n\trc = mnt_optstr_get_flags(optstr, &fl, mnt_get_builtin_optmap(MNT_USERSPACE_MAP));\n\tif (rc)\n\t\treturn rc;\n\tprintf(\"userspace-mountflags: 0x%08lx\\n\", fl);\n\n\tfree(optstr);\n\treturn rc;\n}", "project": "util-linux", "hash": 45167952671634020780429932234677804534, "size": 25, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410414 }, { "func": "STATIC void GC_init_explicit_typing(void)\n{\n unsigned i;\n\n GC_STATIC_ASSERT(sizeof(struct LeafDescriptor) % sizeof(word) == 0);\n /* Set up object kind with simple indirect descriptor. 
*/\n GC_eobjfreelist = (ptr_t *)GC_new_free_list_inner();\n GC_explicit_kind = GC_new_kind_inner(\n (void **)GC_eobjfreelist,\n (WORDS_TO_BYTES((word)-1) | GC_DS_PER_OBJECT),\n TRUE, TRUE);\n /* Descriptors are in the last word of the object. */\n GC_typed_mark_proc_index = GC_new_proc_inner(GC_typed_mark_proc);\n /* Set up object kind with array descriptor. */\n GC_array_mark_proc_index = GC_new_proc_inner(GC_array_mark_proc);\n GC_array_kind = GC_new_kind_inner(GC_new_free_list_inner(),\n GC_MAKE_PROC(GC_array_mark_proc_index, 0),\n FALSE, TRUE);\n GC_bm_table[0] = GC_DS_BITMAP;\n for (i = 1; i < WORDSZ/2; i++) {\n GC_bm_table[i] = (((word)-1) << (WORDSZ - i)) | GC_DS_BITMAP;\n }\n}", "project": "bdwgc", "hash": 120943983556859737466166647268093491238, "size": 23, "commit_id": "4e1a6f9d8f2a49403bbd00b8c8e5324048fb84d4", "message": "Fix calloc_explicitly_typed in case of lb*n overflow\n\n* typd_mlc.c: Include limits.h (for SIZE_MAX).\n* typd_mlc.c (GC_SIZE_MAX, GC_SQRT_SIZE_MAX): New macro (same as in\nmalloc.c).\n* typd_mlc.c (GC_calloc_explicitly_typed): Return NULL if lb * n\noverflows (same algorithm as in calloc defined in malloc.c); eliminate\nlb *= n code duplication.", "target": 0, "dataset": "other", "idx": 374057 }, { "func": "static void nfs4_init_opendata_res(struct nfs4_opendata *p)\n{\n\tp->o_res.f_attr = &p->f_attr;\n\tp->o_res.f_label = p->f_label;\n\tp->o_res.seqid = p->o_arg.seqid;\n\tp->c_res.seqid = p->c_arg.seqid;\n\tp->o_res.server = p->o_arg.server;\n\tp->o_res.access_request = p->o_arg.access;\n\tnfs_fattr_init(&p->f_attr);\n\tnfs_fattr_init_names(&p->f_attr, &p->owner_name, &p->group_name);\n}", "project": "linux", "hash": 93260394641010472917932346016524970600, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c 
(\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431037 }, { "func": "\tMode(User* source, Channel* Chantarget, User* Usertarget, const Modes::ChangeList& changelist, Modes::ChangeList::List::const_iterator beginiter)\n\t\t: ClientProtocol::Message(\"MODE\", source)\n\t\t, chantarget(Chantarget)\n\t\t, usertarget(Usertarget)\n\t\t, beginit(beginiter)\n\t{\n\t\tPushParamRef(GetStrTarget());\n\t\tPushParam(ToModeLetters(changelist.getlist(), 450, beginit, lastit));\n\t\tPushModeParams();\n\t}", "project": "inspircd", "hash": 246843204120725866236551867786161295624, "size": 10, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273246 }, { "func": "pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags)\n{\n\tstruct kernel_clone_args args = {\n\t\t.flags\t\t= ((lower_32_bits(flags) | CLONE_VM |\n\t\t\t\t CLONE_UNTRACED) & ~CSIGNAL),\n\t\t.exit_signal\t= (lower_32_bits(flags) & CSIGNAL),\n\t\t.stack\t\t= (unsigned long)fn,\n\t\t.stack_size\t= (unsigned long)arg,\n\t};\n\n\treturn kernel_clone(&args);\n}", "project": "linux", "hash": 162865456439070637366666902188042377030, "size": 12, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293691 }, { "func": "static inline __u32 tcp_current_ssthresh(const struct sock *sk)\n{\n\tconst struct tcp_sock *tp = tcp_sk(sk);\n\n\tif (tcp_in_cwnd_reduction(sk))\n\t\treturn 
tp->snd_ssthresh;\n\telse\n\t\treturn max(tp->snd_ssthresh,\n\t\t\t ((tp->snd_cwnd >> 1) +\n\t\t\t (tp->snd_cwnd >> 2)));\n}", "project": "linux", "hash": 229548594206298102269871468832017395807, "size": 11, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410768 }, { "func": "static long evdev_ioctl_handler(struct file *file, unsigned int cmd,\n\t\t\t\tvoid __user *p, int compat_mode)\n{\n\tstruct evdev_client *client = file->private_data;\n\tstruct evdev *evdev = client->evdev;\n\tint retval;\n\n\tretval = mutex_lock_interruptible(&evdev->mutex);\n\tif (retval)\n\t\treturn retval;\n\n\tif (!evdev->exist) {\n\t\tretval = -ENODEV;\n\t\tgoto out;\n\t}\n\n\tretval = evdev_do_ioctl(file, cmd, p, compat_mode);\n\n out:\n\tmutex_unlock(&evdev->mutex);\n\treturn retval;\n}", "project": "linux", "hash": 327498023406997011587781808432741658507, "size": 22, "commit_id": "483180281f0ac60d1138710eb21f4b9961901294", "message": "Input: evdev - flush queues during EVIOCGKEY-like ioctls\n\nIf userspace requests current KEY-state, they very likely assume that no\nsuch events are pending in the output queue of the evdev device.\nOtherwise, they will parse events which they already handled via\nEVIOCGKEY(). For XKB applications this can cause irreversible keyboard\nstates if a modifier is locked multiple times because a CTRL-DOWN event is\nhandled once via EVIOCGKEY() and once from the queue via read(), even\nthough it should handle it only once.\n\nTherefore, lets do the only logical thing and flush the evdev queue\natomically during this ioctl. We only flush events that are affected by\nthe given ioctl.\n\nThis only affects boolean events like KEY, SND, SW and LED. ABS, REL and\nothers are not affected as duplicate events can be handled gracefully by\nuser-space.\n\nNote: This actually breaks semantics of the evdev ABI. However,\ninvestigations showed that userspace already expects the new semantics and\nwe end up fixing at least all XKB applications.\nAll applications that are aware of this race-condition mirror the KEY\nstate for each open-file and detect/drop duplicate events. 
Hence, they do\nnot care whether duplicates are posted or not and work fine with this fix.\n\nAlso note that we need proper locking to guarantee atomicity and avoid\ndead-locks. event_lock must be locked before queue_lock (see input-core).\nHowever, we can safely release event_lock while flushing the queue. This\nallows the input-core to proceed with pending events and only stop if it\nneeds our queue_lock to post new events.\nThis should guarantee that we don't block event-dispatching for too long\nwhile flushing a single event queue.\n\nSigned-off-by: David Herrmann \nAcked-by: Peter Hutterer \nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 381726 }, { "func": "inline int MatchingDim(const RuntimeShape& shape1, int index1,\n const RuntimeShape& shape2, int index2) {\n TFLITE_DCHECK_EQ(shape1.Dims(index1), shape2.Dims(index2));\n return shape1.Dims(index1);\n}", "project": "tensorflow", "hash": 292684460118693762063488568821033472831, "size": 5, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 1, "dataset": "other", "idx": 198111 }, { "func": "int MatchingDim(const RuntimeShape& shape1, int index1,\n const RuntimeShape& shape2, int index2, Args... 
args) {\n TFLITE_DCHECK_EQ(shape1.Dims(index1), shape2.Dims(index2));\n return MatchingDim(shape1, index1, args...);\n}", "project": "tensorflow", "hash": 172814225620693063191253420171359217062, "size": 5, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269168 }, { "func": "inline int MatchingDim(const RuntimeShape& shape1, int index1,\n const RuntimeShape& shape2, int index2) {\n TFLITE_DCHECK_EQ(shape1.Dims(index1), shape2.Dims(index2));\n return std::min(shape1.Dims(index1), shape2.Dims(index2));\n}", "project": "tensorflow", "hash": 212828257128375980629692282330012667499, "size": 5, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269181 }, { "func": "static pcap_t * openPcapFileOrDevice(u_int16_t thread_id, const u_char * pcap_file) {\n u_int snaplen = 1536;\n int promisc = 1;\n char pcap_error_buffer[PCAP_ERRBUF_SIZE];\n pcap_t * pcap_handle = NULL;\n\n /* trying to open a live interface */\n#ifdef USE_DPDK\n struct rte_mempool *mbuf_pool = rte_pktmbuf_pool_create(\"MBUF_POOL\", NUM_MBUFS,\n\t\t\t\t\t\t\t MBUF_CACHE_SIZE, 0,\n\t\t\t\t\t\t\t RTE_MBUF_DEFAULT_BUF_SIZE,\n\t\t\t\t\t\t\t rte_socket_id());\n\n if(mbuf_pool == NULL)\n rte_exit(EXIT_FAILURE, \"Cannot create mbuf pool: are hugepages ok?\\n\");\n\n if(dpdk_port_init(dpdk_port_id, mbuf_pool) != 0)\n rte_exit(EXIT_FAILURE, \"DPDK: Cannot init port %u: please see README.dpdk\\n\", dpdk_port_id);\n#else\n /* Trying to open the interface */\n if((pcap_handle = pcap_open_live((char*)pcap_file, snaplen,\n\t\t\t\t promisc, 500, pcap_error_buffer)) == NULL) {\n capture_for = capture_until = 0;\n\n live_capture = 0;\n num_threads = 1; /* Open pcap files in single threads mode */\n\n /* Trying to open a pcap file */\n if((pcap_handle = pcap_open_offline((char*)pcap_file, pcap_error_buffer)) == NULL) {\n char filename[256] = { 0 };\n\n if(strstr((char*)pcap_file, (char*)\".pcap\"))\n\tprintf(\"ERROR: could not open pcap file %s: %s\\n\", pcap_file, pcap_error_buffer);\n\n /* Trying to open as a playlist as last attempt */\n else if((getNextPcapFileFromPlaylist(thread_id, filename, sizeof(filename)) != 0)\n\t || ((pcap_handle = pcap_open_offline(filename, pcap_error_buffer)) == NULL)) {\n /* This probably was a bad interface name, printing a generic error */\n printf(\"ERROR: could not open %s: %s\\n\", filename, 
pcap_error_buffer);\n exit(-1);\n } else {\n if((!quiet_mode))\n\t printf(\"Reading packets from playlist %s...\\n\", pcap_file);\n }\n } else {\n if((!quiet_mode))\n\tprintf(\"Reading packets from pcap file %s...\\n\", pcap_file);\n }\n } else {\n live_capture = 1;\n\n if((!quiet_mode)) {\n#ifdef USE_DPDK\n printf(\"Capturing from DPDK (port 0)...\\n\");\n#else\n printf(\"Capturing live traffic from device %s...\\n\", pcap_file);\n#endif\n }\n }\n\n configurePcapHandle(pcap_handle);\n#endif /* !DPDK */\n\n if(capture_for > 0) {\n if((!quiet_mode))\n printf(\"Capturing traffic up to %u seconds\\n\", (unsigned int)capture_for);\n\n#ifndef WIN32\n alarm(capture_for);\n signal(SIGALRM, sigproc);\n#endif\n }\n\n return pcap_handle;\n}", "project": "nDPI", "hash": 24423681612084843929182614970930120798, "size": 75, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254809 }, { "func": "static void encode_lookupp(struct xdr_stream *xdr, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_LOOKUPP, decode_lookupp_maxsz, hdr);\n}", "project": "linux", "hash": 3127276877911237294352919629506688089, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431507 }, { "func": "static void parse_groups(const char *groups, message_data_t *msg)\n{\n const char *p;\n char *rcpt = NULL;\n char *buf = xstrdup(groups);\n const char sep[] = \", \\t\";\n\n 
for (p = strtok(buf, sep) ; p ; p = strtok(NULL, sep)) {\n\t/* construct the mailbox name */\n\tfree(rcpt);\n\trcpt = strconcat(newsprefix, p, (char *)NULL);\n\n\t/* skip mailboxes that we don't serve as newsgroups */\n\tif (!is_newsgroup(rcpt)) continue;\n\n\t/* Only add mailboxes that exist */\n\tif (!mlookup(rcpt, NULL)) {\n\t strarray_appendm(&msg->rcpt, rcpt);\n\t rcpt = NULL;\n\t}\n }\n free(rcpt);\n free(buf);\n}", "project": "cyrus-imapd", "hash": 146008030092248002331367280424921403443, "size": 24, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451893 }, { "func": "bool CWebSock::ValidateCSRFCheck(const CString& sURI) {\n return sURI == \"/login\" || GetParam(\"_CSRF_Check\") == GetCSRFCheck();\n}", "project": "znc", "hash": 291792012206937917974702684804985416606, "size": 3, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265797 }, { "func": "int __hci_req_schedule_adv_instance(struct hci_request *req, u8 instance,\n\t\t\t\t bool force)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tstruct adv_info *adv_instance = NULL;\n\tu16 timeout;\n\n\tif (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||\n\t list_empty(&hdev->adv_instances))\n\t\treturn -EPERM;\n\n\tif (hdev->adv_instance_timeout)\n\t\treturn -EBUSY;\n\n\tadv_instance = hci_find_adv_instance(hdev, instance);\n\tif (!adv_instance)\n\t\treturn -ENOENT;\n\n\t/* A zero timeout means unlimited advertising. As long as there is\n\t * only one instance, duration should be ignored. 
We still set a timeout\n\t * in case further instances are being added later on.\n\t *\n\t * If the remaining lifetime of the instance is more than the duration\n\t * then the timeout corresponds to the duration, otherwise it will be\n\t * reduced to the remaining instance lifetime.\n\t */\n\tif (adv_instance->timeout == 0 ||\n\t adv_instance->duration <= adv_instance->remaining_time)\n\t\ttimeout = adv_instance->duration;\n\telse\n\t\ttimeout = adv_instance->remaining_time;\n\n\t/* The remaining time is being reduced unless the instance is being\n\t * advertised without time limit.\n\t */\n\tif (adv_instance->timeout)\n\t\tadv_instance->remaining_time =\n\t\t\t\tadv_instance->remaining_time - timeout;\n\n\t/* Only use work for scheduling instances with legacy advertising */\n\tif (!ext_adv_capable(hdev)) {\n\t\thdev->adv_instance_timeout = timeout;\n\t\tqueue_delayed_work(hdev->req_workqueue,\n\t\t\t &hdev->adv_instance_expire,\n\t\t\t msecs_to_jiffies(timeout * 1000));\n\t}\n\n\t/* If we're just re-scheduling the same instance again then do not\n\t * execute any HCI commands. This happens when a single instance is\n\t * being advertised.\n\t */\n\tif (!force && hdev->cur_adv_instance == instance &&\n\t hci_dev_test_flag(hdev, HCI_LE_ADV))\n\t\treturn 0;\n\n\thdev->cur_adv_instance = instance;\n\tif (ext_adv_capable(hdev)) {\n\t\t__hci_req_start_ext_adv(req, instance);\n\t} else {\n\t\t__hci_req_update_adv_data(req, instance);\n\t\t__hci_req_update_scan_rsp_data(req, instance);\n\t\t__hci_req_enable_advertising(req);\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 80013164474264268732197114388318699348, "size": 66, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402562 }, { "func": "void updateScanners(struct single_flow_info **scanners, u_int32_t saddr,\n u_int8_t version, u_int32_t dport) {\n struct single_flow_info *f;\n struct port_flow_info *p;\n\n HASH_FIND_INT(*scanners, (int *)&saddr, f);\n\n if(f == NULL) {\n f = (struct single_flow_info*)malloc(sizeof(struct single_flow_info));\n if(!f) return;\n f->saddr = saddr;\n f->version = version;\n f->tot_flows = 1;\n f->ports = NULL;\n\n p = (struct port_flow_info*)malloc(sizeof(struct port_flow_info));\n\n if(!p) {\n free(f);\n return;\n } else\n p->port = dport, p->num_flows = 1;\n\n HASH_ADD_INT(f->ports, port, p);\n HASH_ADD_INT(*scanners, saddr, f);\n } else{\n struct port_flow_info *pp;\n f->tot_flows++;\n\n HASH_FIND_INT(f->ports, (int *)&dport, pp);\n\n if(pp == NULL) {\n pp = (struct port_flow_info*)malloc(sizeof(struct port_flow_info));\n if(!pp) return;\n pp->port = dport, pp->num_flows = 1;\n\n HASH_ADD_INT(f->ports, port, pp);\n } else\n pp->num_flows++;\n }\n}", "project": "nDPI", "hash": 277926132659242292096458302109552098675, "size": 41, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254863 }, { "func": "static void nfs4_xdr_enc_remove(struct 
rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\tconst void *data)\n{\n\tconst struct nfs_removeargs *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_remove(xdr, &args->name, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 208632669037621420696413453381830008180, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431165 }, { "func": "static int oidc_handle_logout(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session) {\n\n\toidc_provider_t *provider = NULL;\n\t/* pickup the command or URL where the user wants to go after logout */\n\tchar *url = NULL;\n\tchar *error_str = NULL;\n\tchar *error_description = NULL;\n\n\toidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_LOGOUT, &url);\n\n\toidc_debug(r, \"enter (url=%s)\", url);\n\n\tif (oidc_is_front_channel_logout(url)) {\n\t\treturn oidc_handle_logout_request(r, c, session, url);\n\t} else if (oidc_is_back_channel_logout(url)) {\n\t\treturn oidc_handle_logout_backchannel(r, c);\n\t}\n\n\tif ((url == NULL) || (apr_strnatcmp(url, \"\") == 0)) {\n\n\t\turl = c->default_slo_url;\n\n\t} else {\n\n\t\t/* do input validation on the logout parameter value */\n\t\tif (oidc_validate_redirect_url(r, c, url, TRUE, &error_str,\n\t\t\t\t&error_description) == FALSE) {\n\t\t\treturn oidc_util_html_send_error(r, c->error_template, 
error_str,\n\t\t\t\t\terror_description,\n\t\t\t\t\tHTTP_BAD_REQUEST);\n\t\t}\n\t}\n\n\toidc_get_provider_from_session(r, c, session, &provider);\n\n\tif ((provider != NULL) && (provider->end_session_endpoint != NULL)) {\n\n\t\tconst char *id_token_hint = oidc_session_get_idtoken(r, session);\n\n\t\tchar *logout_request = apr_pstrdup(r->pool,\n\t\t\t\tprovider->end_session_endpoint);\n\t\tif (id_token_hint != NULL) {\n\t\t\tlogout_request = apr_psprintf(r->pool, \"%s%sid_token_hint=%s\",\n\t\t\t\t\tlogout_request, strchr(logout_request ? logout_request : \"\",\n\t\t\t\t\t\t\tOIDC_CHAR_QUERY) != NULL ?\n\t\t\t\t\t\t\t\t\tOIDC_STR_AMP :\n\t\t\t\t\t\t\t\t\tOIDC_STR_QUERY,\n\t\t\t\t\t\t\t\t\toidc_util_escape_string(r, id_token_hint));\n\t\t}\n\n\t\tif (url != NULL) {\n\t\t\tlogout_request = apr_psprintf(r->pool,\n\t\t\t\t\t\"%s%spost_logout_redirect_uri=%s\", logout_request,\n\t\t\t\t\tstrchr(logout_request ? logout_request : \"\",\n\t\t\t\t\t\t\tOIDC_CHAR_QUERY) != NULL ?\n\t\t\t\t\t\t\t\t\tOIDC_STR_AMP :\n\t\t\t\t\t\t\t\t\tOIDC_STR_QUERY,\n\t\t\t\t\t\t\t\t\toidc_util_escape_string(r, url));\n\t\t}\n\t\turl = logout_request;\n\t}\n\n\treturn oidc_handle_logout_request(r, c, session, url);\n}", "project": "mod_auth_openidc", "hash": 254763731751258438926887575338118223719, "size": 65, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381977 }, { "func": "static int oidc_handle_logout(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session) {\n\n\toidc_provider_t *provider = NULL;\n\t/* pickup the command or URL where the user wants to go after logout */\n\tchar *url = NULL;\n\tchar *error_str = NULL;\n\tchar *error_description = NULL;\n\n\toidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_LOGOUT, &url);\n\n\toidc_debug(r, \"enter (url=%s)\", 
url);\n\n\tif (oidc_is_front_channel_logout(url)) {\n\t\treturn oidc_handle_logout_request(r, c, session, url);\n\t} else if (oidc_is_back_channel_logout(url)) {\n\t\treturn oidc_handle_logout_backchannel(r, c);\n\t}\n\n\tif ((url == NULL) || (apr_strnatcmp(url, \"\") == 0)) {\n\n\t\turl = c->default_slo_url;\n\n\t} else {\n\n\t\t/* do input validation on the logout parameter value */\n\t\tif (oidc_validate_post_logout_url(r, url, &error_str,\n\t\t\t\t&error_description) == FALSE) {\n\t\t\treturn oidc_util_html_send_error(r, c->error_template, error_str,\n\t\t\t\t\terror_description,\n\t\t\t\t\tHTTP_BAD_REQUEST);\n\t\t}\n\t}\n\n\toidc_get_provider_from_session(r, c, session, &provider);\n\n\tif ((provider != NULL) && (provider->end_session_endpoint != NULL)) {\n\n\t\tconst char *id_token_hint = oidc_session_get_idtoken(r, session);\n\n\t\tchar *logout_request = apr_pstrdup(r->pool,\n\t\t\t\tprovider->end_session_endpoint);\n\t\tif (id_token_hint != NULL) {\n\t\t\tlogout_request = apr_psprintf(r->pool, \"%s%sid_token_hint=%s\",\n\t\t\t\t\tlogout_request, strchr(logout_request ? logout_request : \"\",\n\t\t\t\t\t\t\tOIDC_CHAR_QUERY) != NULL ?\n\t\t\t\t\t\t\t\t\tOIDC_STR_AMP :\n\t\t\t\t\t\t\t\t\tOIDC_STR_QUERY,\n\t\t\t\t\t\t\t\t\toidc_util_escape_string(r, id_token_hint));\n\t\t}\n\n\t\tif (url != NULL) {\n\t\t\tlogout_request = apr_psprintf(r->pool,\n\t\t\t\t\t\"%s%spost_logout_redirect_uri=%s\", logout_request,\n\t\t\t\t\tstrchr(logout_request ? 
logout_request : \"\",\n\t\t\t\t\t\t\tOIDC_CHAR_QUERY) != NULL ?\n\t\t\t\t\t\t\t\t\tOIDC_STR_AMP :\n\t\t\t\t\t\t\t\t\tOIDC_STR_QUERY,\n\t\t\t\t\t\t\t\t\toidc_util_escape_string(r, url));\n\t\t}\n\t\turl = logout_request;\n\t}\n\n\treturn oidc_handle_logout_request(r, c, session, url);\n}", "project": "mod_auth_openidc", "hash": 281638391906422447802591413390391932922, "size": 65, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447675 }, { "func": "void __hci_req_enable_advertising(struct hci_request *req)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tstruct adv_info *adv_instance;\n\tstruct hci_cp_le_set_adv_param cp;\n\tu8 own_addr_type, enable = 0x01;\n\tbool connectable;\n\tu16 adv_min_interval, adv_max_interval;\n\tu32 flags;\n\n\tflags = get_adv_instance_flags(hdev, hdev->cur_adv_instance);\n\tadv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);\n\n\t/* If the \"connectable\" instance flag was not set, then choose between\n\t * ADV_IND and ADV_NONCONN_IND based on the global connectable setting.\n\t */\n\tconnectable = (flags & MGMT_ADV_FLAG_CONNECTABLE) ||\n\t\t mgmt_get_connectable(hdev);\n\n\tif (!is_advertising_allowed(hdev, connectable))\n\t\treturn;\n\n\tif (hci_dev_test_flag(hdev, HCI_LE_ADV))\n\t\t__hci_req_disable_advertising(req);\n\n\t/* Clear the HCI_LE_ADV bit temporarily so that the\n\t * hci_update_random_address knows that it's safe to go ahead\n\t * and write a new random address. The flag will be set back on\n\t * as soon as the SET_ADV_ENABLE HCI command completes.\n\t */\n\thci_dev_clear_flag(hdev, HCI_LE_ADV);\n\n\t/* Set require_privacy to true only when non-connectable\n\t * advertising is used. 
In that case it is fine to use a\n\t * non-resolvable private address.\n\t */\n\tif (hci_update_random_address(req, !connectable,\n\t\t\t\t adv_use_rpa(hdev, flags),\n\t\t\t\t &own_addr_type) < 0)\n\t\treturn;\n\n\tmemset(&cp, 0, sizeof(cp));\n\n\tif (adv_instance) {\n\t\tadv_min_interval = adv_instance->min_interval;\n\t\tadv_max_interval = adv_instance->max_interval;\n\t} else {\n\t\tadv_min_interval = hdev->le_adv_min_interval;\n\t\tadv_max_interval = hdev->le_adv_max_interval;\n\t}\n\n\tif (connectable) {\n\t\tcp.type = LE_ADV_IND;\n\t} else {\n\t\tif (adv_cur_instance_is_scannable(hdev))\n\t\t\tcp.type = LE_ADV_SCAN_IND;\n\t\telse\n\t\t\tcp.type = LE_ADV_NONCONN_IND;\n\n\t\tif (!hci_dev_test_flag(hdev, HCI_DISCOVERABLE) ||\n\t\t hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE)) {\n\t\t\tadv_min_interval = DISCOV_LE_FAST_ADV_INT_MIN;\n\t\t\tadv_max_interval = DISCOV_LE_FAST_ADV_INT_MAX;\n\t\t}\n\t}\n\n\tcp.min_interval = cpu_to_le16(adv_min_interval);\n\tcp.max_interval = cpu_to_le16(adv_max_interval);\n\tcp.own_address_type = own_addr_type;\n\tcp.channel_map = hdev->le_adv_channel_map;\n\n\thci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);\n\n\thci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);\n}", "project": "linux", "hash": 157666315364590943339186224116960871446, "size": 75, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402505 }, { "func": "int kvm_vm_create_worker_thread(struct kvm *kvm, kvm_vm_thread_fn_t thread_fn,\n\t\t\t\tuintptr_t data, const char *name,\n\t\t\t\tstruct task_struct **thread_ptr)\n{\n\tstruct kvm_vm_worker_thread_context init_context = {};\n\tstruct task_struct *thread;\n\n\t*thread_ptr = NULL;\n\tinit_context.kvm = kvm;\n\tinit_context.parent = current;\n\tinit_context.thread_fn = thread_fn;\n\tinit_context.data = data;\n\tinit_completion(&init_context.init_done);\n\n\tthread = kthread_run(kvm_vm_worker_thread, &init_context,\n\t\t\t \"%s-%d\", name, task_pid_nr(current));\n\tif (IS_ERR(thread))\n\t\treturn PTR_ERR(thread);\n\n\t/* kthread_run is never supposed to return NULL */\n\tWARN_ON(thread == NULL);\n\n\twait_for_completion(&init_context.init_done);\n\n\tif (!init_context.err)\n\t\t*thread_ptr = thread;\n\n\treturn init_context.err;\n}", "project": "linux", "hash": 35467235990556736942964871434965869870, "size": 29, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354766 }, { "func": "static bool fuse_writepage_add(struct 
fuse_writepage_args *new_wpa,\n\t\t\t struct page *page)\n{\n\tstruct fuse_inode *fi = get_fuse_inode(new_wpa->inode);\n\tstruct fuse_writepage_args *tmp;\n\tstruct fuse_writepage_args *old_wpa;\n\tstruct fuse_args_pages *new_ap = &new_wpa->ia.ap;\n\n\tWARN_ON(new_ap->num_pages != 0);\n\tnew_ap->num_pages = 1;\n\n\tspin_lock(&fi->lock);\n\told_wpa = fuse_insert_writeback(&fi->writepages, new_wpa);\n\tif (!old_wpa) {\n\t\tspin_unlock(&fi->lock);\n\t\treturn true;\n\t}\n\n\tfor (tmp = old_wpa->next; tmp; tmp = tmp->next) {\n\t\tpgoff_t curr_index;\n\n\t\tWARN_ON(tmp->inode != new_wpa->inode);\n\t\tcurr_index = tmp->ia.write.in.offset >> PAGE_SHIFT;\n\t\tif (curr_index == page->index) {\n\t\t\tWARN_ON(tmp->ia.ap.num_pages != 1);\n\t\t\tswap(tmp->ia.ap.pages[0], new_ap->pages[0]);\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (!tmp) {\n\t\tnew_wpa->next = old_wpa->next;\n\t\told_wpa->next = new_wpa;\n\t}\n\n\tspin_unlock(&fi->lock);\n\n\tif (tmp) {\n\t\tstruct backing_dev_info *bdi = inode_to_bdi(new_wpa->inode);\n\n\t\tdec_wb_stat(&bdi->wb, WB_WRITEBACK);\n\t\tdec_node_page_state(new_ap->pages[0], NR_WRITEBACK_TEMP);\n\t\twb_writeout_inc(&bdi->wb);\n\t\tfuse_writepage_free(new_wpa);\n\t}\n\n\treturn false;\n}", "project": "linux", "hash": 111385923070829904036218893032345106918, "size": 48, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342070 }, { "func": "OPJ_BOOL opj_j2k_get_tile(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n opj_image_t* p_image,\n opj_event_mgr_t * p_manager,\n OPJ_UINT32 tile_index)\n{\n OPJ_UINT32 compno;\n OPJ_UINT32 l_tile_x, l_tile_y;\n opj_image_comp_t* l_img_comp;\n\n if (!p_image) {\n opj_event_msg(p_manager, EVT_ERROR, \"We need an image previously created.\\n\");\n return OPJ_FALSE;\n }\n\n if (p_image->numcomps < p_j2k->m_private_image->numcomps) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Image has less components than codestream.\\n\");\n return OPJ_FALSE;\n }\n\n if (/*(tile_index < 0) &&*/ (tile_index >= p_j2k->m_cp.tw * p_j2k->m_cp.th)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Tile index provided by the user is incorrect %d (max = %d) \\n\", tile_index,\n (p_j2k->m_cp.tw * p_j2k->m_cp.th) - 1);\n return OPJ_FALSE;\n }\n\n /* Compute the dimension of the desired tile*/\n l_tile_x = tile_index % p_j2k->m_cp.tw;\n l_tile_y = tile_index / p_j2k->m_cp.tw;\n\n p_image->x0 = l_tile_x * p_j2k->m_cp.tdx + p_j2k->m_cp.tx0;\n if (p_image->x0 < p_j2k->m_private_image->x0) {\n p_image->x0 = p_j2k->m_private_image->x0;\n }\n p_image->x1 = (l_tile_x + 1) * p_j2k->m_cp.tdx + p_j2k->m_cp.tx0;\n if (p_image->x1 > p_j2k->m_private_image->x1) {\n p_image->x1 = p_j2k->m_private_image->x1;\n }\n\n p_image->y0 = l_tile_y * p_j2k->m_cp.tdy + p_j2k->m_cp.ty0;\n if (p_image->y0 < p_j2k->m_private_image->y0) {\n p_image->y0 = p_j2k->m_private_image->y0;\n }\n p_image->y1 = (l_tile_y + 1) * p_j2k->m_cp.tdy + p_j2k->m_cp.ty0;\n if (p_image->y1 > p_j2k->m_private_image->y1) {\n p_image->y1 = p_j2k->m_private_image->y1;\n }\n\n l_img_comp = p_image->comps;\n for (compno = 0; compno 
< p_j2k->m_private_image->numcomps; ++compno) {\n OPJ_INT32 l_comp_x1, l_comp_y1;\n\n l_img_comp->factor = p_j2k->m_private_image->comps[compno].factor;\n\n l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,\n (OPJ_INT32)l_img_comp->dx);\n l_img_comp->y0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->y0,\n (OPJ_INT32)l_img_comp->dy);\n l_comp_x1 = opj_int_ceildiv((OPJ_INT32)p_image->x1, (OPJ_INT32)l_img_comp->dx);\n l_comp_y1 = opj_int_ceildiv((OPJ_INT32)p_image->y1, (OPJ_INT32)l_img_comp->dy);\n\n l_img_comp->w = (OPJ_UINT32)(opj_int_ceildivpow2(l_comp_x1,\n (OPJ_INT32)l_img_comp->factor) - opj_int_ceildivpow2((OPJ_INT32)l_img_comp->x0,\n (OPJ_INT32)l_img_comp->factor));\n l_img_comp->h = (OPJ_UINT32)(opj_int_ceildivpow2(l_comp_y1,\n (OPJ_INT32)l_img_comp->factor) - opj_int_ceildivpow2((OPJ_INT32)l_img_comp->y0,\n (OPJ_INT32)l_img_comp->factor));\n\n l_img_comp++;\n }\n\n if (p_image->numcomps > p_j2k->m_private_image->numcomps) {\n /* Can happen when calling repeatdly opj_get_decoded_tile() on an\n * image with a color palette, where color palette expansion is done\n * later in jp2.c */\n for (compno = p_j2k->m_private_image->numcomps; compno < p_image->numcomps;\n ++compno) {\n opj_image_data_free(p_image->comps[compno].data);\n p_image->comps[compno].data = NULL;\n }\n p_image->numcomps = p_j2k->m_private_image->numcomps;\n }\n\n /* Destroy the previous output image*/\n if (p_j2k->m_output_image) {\n opj_image_destroy(p_j2k->m_output_image);\n }\n\n /* Create the ouput image from the information previously computed*/\n p_j2k->m_output_image = opj_image_create0();\n if (!(p_j2k->m_output_image)) {\n return OPJ_FALSE;\n }\n opj_copy_image_header(p_image, p_j2k->m_output_image);\n\n p_j2k->m_specific_param.m_decoder.m_tile_ind_to_dec = (OPJ_INT32)tile_index;\n\n /* customization of the decoding */\n if (!opj_j2k_setup_decoding_tile(p_j2k, p_manager)) {\n return OPJ_FALSE;\n }\n\n /* Decode the codestream */\n if (! 
opj_j2k_exec(p_j2k, p_j2k->m_procedure_list, p_stream, p_manager)) {\n opj_image_destroy(p_j2k->m_private_image);\n p_j2k->m_private_image = NULL;\n return OPJ_FALSE;\n }\n\n /* Move data and copy one information from codec to output image*/\n return opj_j2k_move_data_from_codec_to_output_image(p_j2k, p_image);\n}", "project": "openjpeg", "hash": 335421420858053660033485874790033418074, "size": 114, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357339 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::processAutomaticPullNodes(size_t framesToProcess)\n{\n ASSERT(isAudioThread());\n\n for (unsigned i = 0; i < m_renderingAutomaticPullNodes.size(); ++i)\n m_renderingAutomaticPullNodes[i]->processIfNecessary(framesToProcess);\n}\n", "cwe": "", "big_vul_idx": 139673, "idx": 124822, "hash": 229529511383485598563386002474232466630 }, { "func": "static bool valid_msr_intercept(u32 index)\n{\n\tint i;\n\n\tfor (i = 0; direct_access_msrs[i].index != MSR_INVALID; i++)\n\t\tif (direct_access_msrs[i].index == index)\n\t\t\treturn true;\n\n\treturn false;\n}", "project": "linux", "hash": 149396377764538022174474236035926186131, "size": 10, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432487 }, { "func": "join_read_record_no_init(JOIN_TAB *tab)\n{\n Copy_field *save_copy, *save_copy_end;\n \n /*\n init_read_record resets all elements of tab->read_record().\n Remember things that we don't want to have reset.\n */\n save_copy= tab->read_record.copy_field;\n save_copy_end= tab->read_record.copy_field_end;\n \n init_read_record(&tab->read_record, tab->join->thd, tab->table,\n\t\t tab->select, tab->filesort_result, 1, 1, FALSE);\n\n tab->read_record.copy_field= save_copy;\n tab->read_record.copy_field_end= save_copy_end;\n tab->read_record.read_record_func= rr_sequential_and_unpack;\n\n return tab->read_record.read_record();\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 339530087773082551020397811436495374606, "size": 20, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508645 }, { "func": "int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds,\n\t\t bool nonblock)\n{\n\tint error;\n\tint full_check = 0;\n\tstruct fd f, tf;\n\tstruct eventpoll *ep;\n\tstruct epitem *epi;\n\tstruct eventpoll *tep = NULL;\n\n\terror = -EBADF;\n\tf = fdget(epfd);\n\tif (!f.file)\n\t\tgoto error_return;\n\n\t/* Get the \"struct file *\" for the target file */\n\ttf = fdget(fd);\n\tif (!tf.file)\n\t\tgoto error_fput;\n\n\t/* The target file descriptor must support poll */\n\terror = -EPERM;\n\tif (!file_can_poll(tf.file))\n\t\tgoto error_tgt_fput;\n\n\t/* Check if EPOLLWAKEUP is allowed */\n\tif (ep_op_has_event(op))\n\t\tep_take_care_of_epollwakeup(epds);\n\n\t/*\n\t * We have to check that the file structure underneath the file descriptor\n\t * the user passed to us _is_ an eventpoll file. 
And also we do not permit\n\t * adding an epoll file descriptor inside itself.\n\t */\n\terror = -EINVAL;\n\tif (f.file == tf.file || !is_file_epoll(f.file))\n\t\tgoto error_tgt_fput;\n\n\t/*\n\t * epoll adds to the wakeup queue at EPOLL_CTL_ADD time only,\n\t * so EPOLLEXCLUSIVE is not allowed for a EPOLL_CTL_MOD operation.\n\t * Also, we do not currently supported nested exclusive wakeups.\n\t */\n\tif (ep_op_has_event(op) && (epds->events & EPOLLEXCLUSIVE)) {\n\t\tif (op == EPOLL_CTL_MOD)\n\t\t\tgoto error_tgt_fput;\n\t\tif (op == EPOLL_CTL_ADD && (is_file_epoll(tf.file) ||\n\t\t\t\t(epds->events & ~EPOLLEXCLUSIVE_OK_BITS)))\n\t\t\tgoto error_tgt_fput;\n\t}\n\n\t/*\n\t * At this point it is safe to assume that the \"private_data\" contains\n\t * our own data structure.\n\t */\n\tep = f.file->private_data;\n\n\t/*\n\t * When we insert an epoll file descriptor, inside another epoll file\n\t * descriptor, there is the change of creating closed loops, which are\n\t * better be handled here, than in more critical paths. While we are\n\t * checking for loops we also determine the list of files reachable\n\t * and hang them on the tfile_check_list, so we can check that we\n\t * haven't created too many possible wakeup paths.\n\t *\n\t * We do not need to take the global 'epumutex' on EPOLL_CTL_ADD when\n\t * the epoll file descriptor is attaching directly to a wakeup source,\n\t * unless the epoll file descriptor is nested. 
The purpose of taking the\n\t * 'epmutex' on add is to prevent complex toplogies such as loops and\n\t * deep wakeup paths from forming in parallel through multiple\n\t * EPOLL_CTL_ADD operations.\n\t */\n\terror = epoll_mutex_lock(&ep->mtx, 0, nonblock);\n\tif (error)\n\t\tgoto error_tgt_fput;\n\tif (op == EPOLL_CTL_ADD) {\n\t\tif (!list_empty(&f.file->f_ep_links) ||\n\t\t\t\t\t\tis_file_epoll(tf.file)) {\n\t\t\tmutex_unlock(&ep->mtx);\n\t\t\terror = epoll_mutex_lock(&epmutex, 0, nonblock);\n\t\t\tif (error)\n\t\t\t\tgoto error_tgt_fput;\n\t\t\tfull_check = 1;\n\t\t\tif (is_file_epoll(tf.file)) {\n\t\t\t\terror = -ELOOP;\n\t\t\t\tif (ep_loop_check(ep, tf.file) != 0) {\n\t\t\t\t\tclear_tfile_check_list();\n\t\t\t\t\tgoto error_tgt_fput;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tget_file(tf.file);\n\t\t\t\tlist_add(&tf.file->f_tfile_llink,\n\t\t\t\t\t\t\t&tfile_check_list);\n\t\t\t}\n\t\t\terror = epoll_mutex_lock(&ep->mtx, 0, nonblock);\n\t\t\tif (error) {\nout_del:\n\t\t\t\tlist_del(&tf.file->f_tfile_llink);\n\t\t\t\tif (!is_file_epoll(tf.file))\n\t\t\t\t\tfput(tf.file);\n\t\t\t\tgoto error_tgt_fput;\n\t\t\t}\n\t\t\tif (is_file_epoll(tf.file)) {\n\t\t\t\ttep = tf.file->private_data;\n\t\t\t\terror = epoll_mutex_lock(&tep->mtx, 1, nonblock);\n\t\t\t\tif (error) {\n\t\t\t\t\tmutex_unlock(&ep->mtx);\n\t\t\t\t\tgoto out_del;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t/*\n\t * Try to lookup the file inside our RB tree, Since we grabbed \"mtx\"\n\t * above, we can be sure to be able to use the item looked up by\n\t * ep_find() till we release the mutex.\n\t */\n\tepi = ep_find(ep, tf.file, fd);\n\n\terror = -EINVAL;\n\tswitch (op) {\n\tcase EPOLL_CTL_ADD:\n\t\tif (!epi) {\n\t\t\tepds->events |= EPOLLERR | EPOLLHUP;\n\t\t\terror = ep_insert(ep, epds, tf.file, fd, full_check);\n\t\t} else\n\t\t\terror = -EEXIST;\n\t\tif (full_check)\n\t\t\tclear_tfile_check_list();\n\t\tbreak;\n\tcase EPOLL_CTL_DEL:\n\t\tif (epi)\n\t\t\terror = ep_remove(ep, epi);\n\t\telse\n\t\t\terror = 
-ENOENT;\n\t\tbreak;\n\tcase EPOLL_CTL_MOD:\n\t\tif (epi) {\n\t\t\tif (!(epi->event.events & EPOLLEXCLUSIVE)) {\n\t\t\t\tepds->events |= EPOLLERR | EPOLLHUP;\n\t\t\t\terror = ep_modify(ep, epi, epds);\n\t\t\t}\n\t\t} else\n\t\t\terror = -ENOENT;\n\t\tbreak;\n\t}\n\tif (tep != NULL)\n\t\tmutex_unlock(&tep->mtx);\n\tmutex_unlock(&ep->mtx);\n\nerror_tgt_fput:\n\tif (full_check)\n\t\tmutex_unlock(&epmutex);\n\n\tfdput(tf);\nerror_fput:\n\tfdput(f);\nerror_return:\n\n\treturn error;\n}", "project": "linux", "hash": 278445563960181030958909173096615505008, "size": 162, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 1, "dataset": "other", "idx": 202665 }, { "func": "int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds,\n\t\t bool nonblock)\n{\n\tint error;\n\tint full_check = 0;\n\tstruct fd f, tf;\n\tstruct eventpoll *ep;\n\tstruct epitem *epi;\n\tstruct eventpoll *tep = NULL;\n\n\terror = -EBADF;\n\tf = fdget(epfd);\n\tif (!f.file)\n\t\tgoto error_return;\n\n\t/* Get the \"struct file *\" for the target file */\n\ttf = fdget(fd);\n\tif (!tf.file)\n\t\tgoto error_fput;\n\n\t/* The target file descriptor must support poll */\n\terror = -EPERM;\n\tif (!file_can_poll(tf.file))\n\t\tgoto error_tgt_fput;\n\n\t/* Check if EPOLLWAKEUP is allowed */\n\tif (ep_op_has_event(op))\n\t\tep_take_care_of_epollwakeup(epds);\n\n\t/*\n\t * We have to check that the file structure underneath the file descriptor\n\t * the user passed to us _is_ an eventpoll file. 
And also we do not permit\n\t * adding an epoll file descriptor inside itself.\n\t */\n\terror = -EINVAL;\n\tif (f.file == tf.file || !is_file_epoll(f.file))\n\t\tgoto error_tgt_fput;\n\n\t/*\n\t * epoll adds to the wakeup queue at EPOLL_CTL_ADD time only,\n\t * so EPOLLEXCLUSIVE is not allowed for a EPOLL_CTL_MOD operation.\n\t * Also, we do not currently supported nested exclusive wakeups.\n\t */\n\tif (ep_op_has_event(op) && (epds->events & EPOLLEXCLUSIVE)) {\n\t\tif (op == EPOLL_CTL_MOD)\n\t\t\tgoto error_tgt_fput;\n\t\tif (op == EPOLL_CTL_ADD && (is_file_epoll(tf.file) ||\n\t\t\t\t(epds->events & ~EPOLLEXCLUSIVE_OK_BITS)))\n\t\t\tgoto error_tgt_fput;\n\t}\n\n\t/*\n\t * At this point it is safe to assume that the \"private_data\" contains\n\t * our own data structure.\n\t */\n\tep = f.file->private_data;\n\n\t/*\n\t * When we insert an epoll file descriptor, inside another epoll file\n\t * descriptor, there is the change of creating closed loops, which are\n\t * better be handled here, than in more critical paths. While we are\n\t * checking for loops we also determine the list of files reachable\n\t * and hang them on the tfile_check_list, so we can check that we\n\t * haven't created too many possible wakeup paths.\n\t *\n\t * We do not need to take the global 'epumutex' on EPOLL_CTL_ADD when\n\t * the epoll file descriptor is attaching directly to a wakeup source,\n\t * unless the epoll file descriptor is nested. 
The purpose of taking the\n\t * 'epmutex' on add is to prevent complex toplogies such as loops and\n\t * deep wakeup paths from forming in parallel through multiple\n\t * EPOLL_CTL_ADD operations.\n\t */\n\terror = epoll_mutex_lock(&ep->mtx, 0, nonblock);\n\tif (error)\n\t\tgoto error_tgt_fput;\n\tif (op == EPOLL_CTL_ADD) {\n\t\tif (!list_empty(&f.file->f_ep_links) ||\n\t\t\t\t\t\tis_file_epoll(tf.file)) {\n\t\t\tmutex_unlock(&ep->mtx);\n\t\t\terror = epoll_mutex_lock(&epmutex, 0, nonblock);\n\t\t\tif (error)\n\t\t\t\tgoto error_tgt_fput;\n\t\t\tfull_check = 1;\n\t\t\tif (is_file_epoll(tf.file)) {\n\t\t\t\terror = -ELOOP;\n\t\t\t\tif (ep_loop_check(ep, tf.file) != 0)\n\t\t\t\t\tgoto error_tgt_fput;\n\t\t\t} else {\n\t\t\t\tget_file(tf.file);\n\t\t\t\tlist_add(&tf.file->f_tfile_llink,\n\t\t\t\t\t\t\t&tfile_check_list);\n\t\t\t}\n\t\t\terror = epoll_mutex_lock(&ep->mtx, 0, nonblock);\n\t\t\tif (error)\n\t\t\t\tgoto error_tgt_fput;\n\t\t\tif (is_file_epoll(tf.file)) {\n\t\t\t\ttep = tf.file->private_data;\n\t\t\t\terror = epoll_mutex_lock(&tep->mtx, 1, nonblock);\n\t\t\t\tif (error) {\n\t\t\t\t\tmutex_unlock(&ep->mtx);\n\t\t\t\t\tgoto error_tgt_fput;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t/*\n\t * Try to lookup the file inside our RB tree, Since we grabbed \"mtx\"\n\t * above, we can be sure to be able to use the item looked up by\n\t * ep_find() till we release the mutex.\n\t */\n\tepi = ep_find(ep, tf.file, fd);\n\n\terror = -EINVAL;\n\tswitch (op) {\n\tcase EPOLL_CTL_ADD:\n\t\tif (!epi) {\n\t\t\tepds->events |= EPOLLERR | EPOLLHUP;\n\t\t\terror = ep_insert(ep, epds, tf.file, fd, full_check);\n\t\t} else\n\t\t\terror = -EEXIST;\n\t\tbreak;\n\tcase EPOLL_CTL_DEL:\n\t\tif (epi)\n\t\t\terror = ep_remove(ep, epi);\n\t\telse\n\t\t\terror = -ENOENT;\n\t\tbreak;\n\tcase EPOLL_CTL_MOD:\n\t\tif (epi) {\n\t\t\tif (!(epi->event.events & EPOLLEXCLUSIVE)) {\n\t\t\t\tepds->events |= EPOLLERR | EPOLLHUP;\n\t\t\t\terror = ep_modify(ep, epi, epds);\n\t\t\t}\n\t\t} else\n\t\t\terror = 
-ENOENT;\n\t\tbreak;\n\t}\n\tif (tep != NULL)\n\t\tmutex_unlock(&tep->mtx);\n\tmutex_unlock(&ep->mtx);\n\nerror_tgt_fput:\n\tif (full_check) {\n\t\tclear_tfile_check_list();\n\t\tmutex_unlock(&epmutex);\n\t}\n\n\tfdput(tf);\nerror_fput:\n\tfdput(f);\nerror_return:\n\n\treturn error;\n}", "project": "linux", "hash": 291400095598389893794119152689563159831, "size": 155, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336269 }, { "func": "OPJ_BOOL opj_j2k_read_header(opj_stream_private_t *p_stream,\n opj_j2k_t* p_j2k,\n opj_image_t** p_image,\n opj_event_mgr_t* p_manager)\n{\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_stream != 00);\n assert(p_manager != 00);\n\n /* create an empty image header */\n p_j2k->m_private_image = opj_image_create0();\n if (! p_j2k->m_private_image) {\n return OPJ_FALSE;\n }\n\n /* customization of the validation */\n if (! opj_j2k_setup_decoding_validation(p_j2k, p_manager)) {\n opj_image_destroy(p_j2k->m_private_image);\n p_j2k->m_private_image = NULL;\n return OPJ_FALSE;\n }\n\n /* validation of the parameters codec */\n if (! opj_j2k_exec(p_j2k, p_j2k->m_validation_list, p_stream, p_manager)) {\n opj_image_destroy(p_j2k->m_private_image);\n p_j2k->m_private_image = NULL;\n return OPJ_FALSE;\n }\n\n /* customization of the encoding */\n if (! opj_j2k_setup_header_reading(p_j2k, p_manager)) {\n opj_image_destroy(p_j2k->m_private_image);\n p_j2k->m_private_image = NULL;\n return OPJ_FALSE;\n }\n\n /* read header */\n if (! 
opj_j2k_exec(p_j2k, p_j2k->m_procedure_list, p_stream, p_manager)) {\n opj_image_destroy(p_j2k->m_private_image);\n p_j2k->m_private_image = NULL;\n return OPJ_FALSE;\n }\n\n *p_image = opj_image_create0();\n if (!(*p_image)) {\n return OPJ_FALSE;\n }\n\n /* Copy codestream image information to the output image */\n opj_copy_image_header(p_j2k->m_private_image, *p_image);\n\n /*Allocate and initialize some elements of codestrem index*/\n if (!opj_j2k_allocate_tile_element_cstr_index(p_j2k)) {\n opj_image_destroy(*p_image);\n *p_image = NULL;\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 178061175886576647241797647262078780917, "size": 61, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357346 }, { "func": "void fuse_release_nowrite(struct inode *inode)\n{\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\n\tspin_lock(&fi->lock);\n\t__fuse_release_nowrite(inode);\n\tspin_unlock(&fi->lock);\n}", "project": "linux", "hash": 220581466046437225569705475850655923318, "size": 8, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342065 }, { "func": "static int getprotectedname(FILE *sfd, char *tokbuf) {\n char *pt=tokbuf, *end = tokbuf+100-2; int ch;\n\n while ( (ch = nlgetc(sfd))==' ' || ch=='\\t' );\n while ( ch!=EOF && !isspace(ch) && ch!='[' && ch!=']' && ch!='{' && ch!='}' && ch!='<' && ch!='%' ) {\n\tif ( ptfontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417766 }, { "func": "static int nfs4_xattr_set_nfs4_acl(const struct xattr_handler *handler,\n\t\t\t\t struct dentry *unused, struct inode *inode,\n\t\t\t\t const char *key, const void *buf,\n\t\t\t\t size_t buflen, int flags)\n{\n\treturn nfs4_proc_set_acl(inode, buf, buflen);\n}", "project": "linux", "hash": 90775750298327652005833628815957987761, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431194 }, { "func": "static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\tvoid *sent;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);\n\tif (!sent)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tif (hci_dev_test_flag(hdev, 
HCI_MGMT))\n\t\tmgmt_set_local_name_complete(hdev, sent, status);\n\telse if (!status)\n\t\tmemcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 277471450960583487575748714331006349039, "size": 20, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432040 }, { "func": "static void vc_uniscr_putc(struct vc_data *vc, char32_t uc)\n{\n\tstruct uni_screen *uniscr = get_vc_uniscr(vc);\n\n\tif (uniscr)\n\t\tuniscr->lines[vc->vc_y][vc->vc_x] = uc;\n}", "project": "linux", "hash": 269462567234873501262336769723825776527, "size": 7, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437047 }, { "func": "Status GraphConstructor::ModifyNodeDefForImport(NodeDef* node_def) {\n const OpDef* op_def;\n TF_RETURN_IF_ERROR(g_->op_registry()->LookUpOpDef(node_def->op(), &op_def));\n AddDefaultsToNodeDef(*op_def, node_def);\n TF_RETURN_IF_ERROR(ValidateNodeDef(*node_def, *op_def));\n if (versions()) {\n TF_RETURN_IF_ERROR(CheckOpDeprecation(*op_def, versions()->producer()));\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 41195692426372743327910065911251654345, "size": 10, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268310 }, { "func": "static const char* oidc_original_request_method(request_rec *r, oidc_cfg *cfg,\n\t\tapr_byte_t handle_discovery_response) {\n\tconst char *method = OIDC_METHOD_GET;\n\n\tchar *m = NULL;\n\tif ((handle_discovery_response == TRUE)\n\t\t\t&& (oidc_util_request_matches_url(r, oidc_get_redirect_uri(r, cfg)))\n\t\t\t&& (oidc_is_discovery_response(r, cfg))) {\n\t\toidc_util_get_request_parameter(r, OIDC_DISC_RM_PARAM, &m);\n\t\tif (m != NULL)\n\t\t\tmethod = apr_pstrdup(r->pool, m);\n\t} else {\n\n\t\t/*\n\t\t * if POST preserve is not enabled for this location, there's no point in preserving\n\t\t * the method either which would result in POSTing empty data on return;\n\t\t * so we revert to legacy behavior\n\t\t */\n\t\tif (oidc_cfg_dir_preserve_post(r) == 0)\n\t\t\treturn OIDC_METHOD_GET;\n\n\t\tconst char *content_type = oidc_util_hdr_in_content_type_get(r);\n\t\tif ((r->method_number == M_POST) && (apr_strnatcmp(content_type,\n\t\t\t\tOIDC_CONTENT_TYPE_FORM_ENCODED) == 0))\n\t\t\tmethod = OIDC_METHOD_FORM_POST;\n\t}\n\n\toidc_debug(r, \"return: %s\", method);\n\n\treturn method;\n}", "project": "mod_auth_openidc", "hash": 93011658787579636388788281830347701672, "size": 31, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381945 }, { "project": "phosphor-host-ipmid", "commit_id": "b265455a2518ece7c004b43c144199ec980fc620", "target": 0, "func": "void PasswdMgr::initPasswordMap(void)\n{\n phosphor::user::shadow::Lock 
lock();\n std::vector dataBuf;\n\n if (readPasswdFileData(dataBuf) != 0)\n {\n log(\"Error in reading the encrypted pass file\");\n return;\n }\n\n if (dataBuf.size() != 0)\n {\n // populate the user list with password\n char* outPtr = reinterpret_cast(dataBuf.data());\n char* nToken = NULL;\n char* linePtr = strtok_r(outPtr, \"\\n\", &nToken);\n size_t lineSize = 0;\n while (linePtr != NULL)\n {\n size_t userEPos = 0;\n std::string lineStr(linePtr);\n if ((userEPos = lineStr.find(\":\")) != std::string::npos)\n {\n lineSize = lineStr.size();\n passwdMapList.emplace(\n lineStr.substr(0, userEPos),\n lineStr.substr(userEPos + 1, lineSize - (userEPos + 1)));\n }\n linePtr = strtok_r(NULL, \"\\n\", &nToken);\n }\n }\n\n // Update the timestamp\n fileLastUpdatedTime = getUpdatedFileTime();\n return;\n}", "idx": 519587, "cwe": "CWE-276", "hash": 218725880896905610621163001542534463775, "dataset": "other" }, { "func": "static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_cp_le_set_adv_param *cp;\n\tu8 status = *((u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\thdev->adv_addr_type = cp->own_address_type;\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 7846481490104010909026530763325435430, "size": 18, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431969 }, { "func": "static inline long kvm_arch_vcpu_async_ioctl(struct file *filp,\n\t\t\t\t\t unsigned int ioctl,\n\t\t\t\t\t unsigned long arg)\n{\n\treturn -ENOIOCTLCMD;\n}", "project": "linux", "hash": 303966935548475674997598569762287678716, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354487 }, { "func": "long kvm_arch_vcpu_async_ioctl(struct file *filp,\n\t\t\t unsigned int ioctl, unsigned long arg)\n{\n\tstruct kvm_vcpu *vcpu = filp->private_data;\n\tvoid __user *argp = (void __user *)arg;\n\n\tswitch (ioctl) {\n\tcase KVM_S390_IRQ: {\n\t\tstruct kvm_s390_irq s390irq;\n\n\t\tif (copy_from_user(&s390irq, argp, sizeof(s390irq)))\n\t\t\treturn -EFAULT;\n\t\treturn kvm_s390_inject_vcpu(vcpu, &s390irq);\n\t}\n\tcase KVM_S390_INTERRUPT: {\n\t\tstruct kvm_s390_interrupt s390int;\n\t\tstruct kvm_s390_irq s390irq = {};\n\n\t\tif (copy_from_user(&s390int, argp, sizeof(s390int)))\n\t\t\treturn -EFAULT;\n\t\tif 
(s390int_to_s390irq(&s390int, &s390irq))\n\t\t\treturn -EINVAL;\n\t\treturn kvm_s390_inject_vcpu(vcpu, &s390irq);\n\t}\n\t}\n\treturn -ENOIOCTLCMD;\n}", "project": "linux", "hash": 329651889413251860270356563450159904374, "size": 27, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354668 }, { "func": "void gdImageArc (gdImagePtr im, int cx, int cy, int w, int h, int s, int e, int color)\n{\n\tif ((s % 360) == (e % 360)) {\n\t\tgdImageEllipse(im, cx, cy, w, h, color);\n\t} else {\n\t\tgdImageFilledArc(im, cx, cy, w, h, s, e, color, gdNoFill);\n\t}\n}", "project": "php-src", "hash": 322337363913864433224645892723574510145, "size": 8, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295137 }, { "func": "void kvm_hv_process_stimers(struct kvm_vcpu *vcpu)\n{\n\tstruct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu);\n\tstruct kvm_vcpu_hv_stimer *stimer;\n\tu64 time_now, exp_time;\n\tint i;\n\n\tif (!hv_vcpu)\n\t\treturn;\n\n\tfor (i = 0; i < ARRAY_SIZE(hv_vcpu->stimer); i++)\n\t\tif (test_and_clear_bit(i, hv_vcpu->stimer_pending_bitmap)) {\n\t\t\tstimer = &hv_vcpu->stimer[i];\n\t\t\tif (stimer->config.enable) {\n\t\t\t\texp_time = 
stimer->exp_time;\n\n\t\t\t\tif (exp_time) {\n\t\t\t\t\ttime_now =\n\t\t\t\t\t\tget_time_ref_counter(vcpu->kvm);\n\t\t\t\t\tif (time_now >= exp_time)\n\t\t\t\t\t\tstimer_expiration(stimer);\n\t\t\t\t}\n\n\t\t\t\tif ((stimer->config.enable) &&\n\t\t\t\t stimer->count) {\n\t\t\t\t\tif (!stimer->msg_pending)\n\t\t\t\t\t\tstimer_start(stimer);\n\t\t\t\t} else\n\t\t\t\t\tstimer_cleanup(stimer);\n\t\t\t}\n\t\t}\n}", "project": "linux", "hash": 102133489137441497977038144735160839585, "size": 32, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343514 }, { "func": " */\nvoid bfq_put_async_queues(struct bfq_data *bfqd, struct bfq_group *bfqg)\n{\n\tint i, j;\n\n\tfor (i = 0; i < 2; i++)\n\t\tfor (j = 0; j < IOPRIO_BE_NR; j++)\n\t\t\t__bfq_put_async_bfqq(bfqd, &bfqg->async_bfqq[i][j]);\n\n\t__bfq_put_async_bfqq(bfqd, &bfqg->async_idle_bfqq);", "project": "linux", "hash": 168476230682110176767434179012281379448, "size": 10, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453349 }, { "func": "static int sctp_setsockopt_bindx(struct sock *sk, struct sockaddr *addrs,\n\t\t\t\t int addrs_size, int op)\n{\n\tint err;\n\tint addrcnt = 0;\n\tint walk_size = 0;\n\tstruct sockaddr *sa_addr;\n\tvoid *addr_buf = addrs;\n\tstruct sctp_af *af;\n\n\tpr_debug(\"%s: sk:%p addrs:%p addrs_size:%d opt:%d\\n\",\n\t\t __func__, sk, addr_buf, addrs_size, op);\n\n\tif (unlikely(addrs_size <= 0))\n\t\treturn -EINVAL;\n\n\t/* Walk through the addrs buffer and count the number of addresses. 
*/\n\twhile (walk_size < addrs_size) {\n\t\tif (walk_size + sizeof(sa_family_t) > addrs_size)\n\t\t\treturn -EINVAL;\n\n\t\tsa_addr = addr_buf;\n\t\taf = sctp_get_af_specific(sa_addr->sa_family);\n\n\t\t/* If the address family is not supported or if this address\n\t\t * causes the address buffer to overflow return EINVAL.\n\t\t */\n\t\tif (!af || (walk_size + af->sockaddr_len) > addrs_size)\n\t\t\treturn -EINVAL;\n\t\taddrcnt++;\n\t\taddr_buf += af->sockaddr_len;\n\t\twalk_size += af->sockaddr_len;\n\t}\n\n\t/* Do the work. */\n\tswitch (op) {\n\tcase SCTP_BINDX_ADD_ADDR:\n\t\t/* Allow security module to validate bindx addresses. */\n\t\terr = security_sctp_bind_connect(sk, SCTP_SOCKOPT_BINDX_ADD,\n\t\t\t\t\t\t addrs, addrs_size);\n\t\tif (err)\n\t\t\treturn err;\n\t\terr = sctp_bindx_add(sk, addrs, addrcnt);\n\t\tif (err)\n\t\t\treturn err;\n\t\treturn sctp_send_asconf_add_ip(sk, addrs, addrcnt);\n\tcase SCTP_BINDX_REM_ADDR:\n\t\terr = sctp_bindx_rem(sk, addrs, addrcnt);\n\t\tif (err)\n\t\t\treturn err;\n\t\treturn sctp_send_asconf_del_ip(sk, addrs, addrcnt);\n\n\tdefault:\n\t\treturn -EINVAL;\n\t}\n}", "project": "linux", "hash": 330241001921533418285955231192673772835, "size": 56, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398122 }, { "func": "static apr_status_t session_identity_encode(request_rec * r, session_rec * z)\n{\n char *buffer = NULL;\n int length = 0;\n if (z->expiry) {\n char *expiry = apr_psprintf(z->pool, \"%\" APR_INT64_T_FMT, z->expiry);\n apr_table_setn(z->entries, SESSION_EXPIRY, expiry);\n }\n apr_table_do(identity_count, &length, z->entries, NULL);\n buffer = apr_pcalloc(r->pool, length + 1);\n apr_table_do(identity_concat, buffer, z->entries, NULL);\n z->encoded = buffer;\n return OK;\n\n}", "project": "httpd", "hash": 287055556834972972733232756374633975456, "size": 15, "commit_id": "7e09dd714fc62c08c5b0319ed7b9702594faf49b", "message": "mod_session: account for the '&' in identity_concat().\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 389213 }, { "func": "static __init void create_trace_instances(struct dentry *d_tracer)\n{\n\ttrace_instance_dir = tracefs_create_instance_dir(\"instances\", d_tracer,\n\t\t\t\t\t\t\t instance_mkdir,\n\t\t\t\t\t\t\t instance_rmdir);\n\tif (WARN_ON(!trace_instance_dir))\n\t\treturn;\n}", "project": "linux", "hash": 139653106622112864023552583357386188526, "size": 8, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing 
buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445592 }, { "func": "void SFDGetKerns( FILE *sfd, SplineChar *sc, char* ttok ) {\n struct splinefont * sf = sc->parent;\n char tok[2001], ch;\n uint32 script = 0;\n SplineFont *sli_sf = sf->cidmaster ? sf->cidmaster : sf;\n\n strncpy(tok,ttok,sizeof(tok)-1);\n tok[2000]=0;\n\n if( strmatch(tok,\"Kerns2:\")==0 ||\n\tstrmatch(tok,\"VKerns2:\")==0 ) {\n\t KernPair *kp, *last=NULL;\n\t int isv = *tok=='V';\n\t int off, index;\n\t struct lookup_subtable *sub;\n\t int kernCount = 0;\n\t if ( sf->sfd_version<2 )\n\t\tLogError(_(\"Found an new style kerning pair inside a version 1 (or lower) sfd file.\\n\") );\n\t while ( fscanf(sfd,\"%d %d\", &index, &off )==2 ) {\n\t\tsub = SFFindLookupSubtableAndFreeName(sf,SFDReadUTF7Str(sfd));\n\t\tif ( sub==NULL ) {\n\t\t LogError(_(\"KernPair with no subtable name.\\n\"));\n\t \t break;\n\t\t}\n\t\tkernCount++;\n\t\tkp = chunkalloc(sizeof(KernPair1));\n\t\tkp->sc = (SplineChar *) (intpt) index;\n\t\tkp->kcid = true;\n\t\tkp->off = off;\n\t\tkp->subtable = sub;\n\t\tkp->next = NULL;\n\t\twhile ( (ch=nlgetc(sfd))==' ' );\n\t\tungetc(ch,sfd);\n\t\tif ( ch=='{' ) {\n\t\t kp->adjust = SFDReadDeviceTable(sfd, NULL);\n\t\t}\n\t\tif ( last != NULL )\n\t\t last->next = kp;\n\t\telse if ( isv )\n\t\t sc->vkerns = kp;\n\t\telse\n\t\t sc->kerns = kp;\n\t\tlast = kp;\n\t }\n\t if( !kernCount ) {\n//\t\tprintf(\"SFDGetKerns() have a BLANK KERN\\n\");\n\t\tsc->kerns = 0;\n\t }\n } else if ( 
strmatch(tok,\"Kerns:\")==0 ||\n\t\tstrmatch(tok,\"KernsSLI:\")==0 ||\n\t\tstrmatch(tok,\"KernsSLIF:\")==0 ||\n\t\tstrmatch(tok,\"VKernsSLIF:\")==0 ||\n\t\tstrmatch(tok,\"KernsSLIFO:\")==0 ||\n\t\tstrmatch(tok,\"VKernsSLIFO:\")==0 ) {\n\t KernPair1 *kp, *last=NULL;\n\t int index, off, sli, flags=0;\n\t int hassli = (strmatch(tok,\"KernsSLI:\")==0);\n\t int isv = *tok=='V';\n\t int has_orig = strstr(tok,\"SLIFO:\")!=NULL;\n\t if ( sf->sfd_version>=2 ) {\n\t\tIError( \"Found an old style kerning pair inside a version 2 (or higher) sfd file.\" );\nexit(1);\n\t }\n\t if ( strmatch(tok,\"KernsSLIF:\")==0 || strmatch(tok,\"KernsSLIFO:\")==0 ||\n\t\t strmatch(tok,\"VKernsSLIF:\")==0 || strmatch(tok,\"VKernsSLIFO:\")==0 )\n\t\thassli=2;\n\t while ( (hassli==1 && fscanf(sfd,\"%d %d %d\", &index, &off, &sli )==3) ||\n\t\t (hassli==2 && fscanf(sfd,\"%d %d %d %d\", &index, &off, &sli, &flags )==4) ||\n\t\t (hassli==0 && fscanf(sfd,\"%d %d\", &index, &off )==2) ) {\n\t\tif ( !hassli )\n\t\t sli = SFFindBiggestScriptLangIndex(sli_sf,\n\t\t\t script!=0?script:SCScriptFromUnicode(sc),DEFAULT_LANG);\n\t\tif ( sli>=((SplineFont1 *) sli_sf)->sli_cnt && sli!=SLI_NESTED) {\n\t\t static int complained=false;\n\t\t if ( !complained )\n\t\t\tIError(\"'%s' in %s has a script index out of bounds: %d\",\n\t\t\t\tisv ? 
\"vkrn\" : \"kern\",\n\t\t\t\tsc->name, sli );\n\t\t sli = SFFindBiggestScriptLangIndex(sli_sf,\n\t\t\t SCScriptFromUnicode(sc),DEFAULT_LANG);\n\t\t complained = true;\n\t\t}\n\t\tkp = chunkalloc(sizeof(KernPair1));\n\t\tkp->kp.sc = (SplineChar *) (intpt) index;\n\t\tkp->kp.kcid = has_orig;\n\t\tkp->kp.off = off;\n\t\tkp->sli = sli;\n\t\tkp->flags = flags;\n\t\tkp->kp.next = NULL;\n\t\twhile ( (ch=nlgetc(sfd))==' ' );\n\t\tungetc(ch,sfd);\n\t\tif ( ch=='{' ) {\n\t\t kp->kp.adjust = SFDReadDeviceTable(sfd, NULL);\n\t\t}\n\t\tif ( last != NULL )\n\t\t last->kp.next = (KernPair *) kp;\n\t\telse if ( isv )\n\t\t sc->vkerns = (KernPair *) kp;\n\t\telse\n\t\t sc->kerns = (KernPair *) kp;\n\t\tlast = kp;\n\t }\n } else {\n\treturn;\n }\n\n // we matched something, grab the next top level token to ttok\n getname( sfd, ttok );\n}", "project": "fontforge", "hash": 160037867130586847401690707522902923527, "size": 109, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417858 }, { "func": "static void process_args(char *args, int pass)\n{\n char *p, *q, *arg, *prevarg;\n char separator = ' ';\n\n p = args;\n if (*p && *p != '-')\n separator = *p++;\n arg = NULL;\n while (*p) {\n q = p;\n while (*p && *p != separator)\n p++;\n while (*p == separator)\n *p++ = '\\0';\n prevarg = arg;\n arg = q;\n if (process_arg(prevarg, arg, pass))\n arg = NULL;\n }\n if (arg)\n process_arg(arg, NULL, pass);\n}", "project": "nasm", "hash": 176632503173236469581677212601598561133, "size": 23, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: 
Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257485 }, { "func": "int mnt_context_umount(struct libmnt_context *cxt)\n{\n\tint rc;\n\tstruct libmnt_ns *ns_old;\n\n\tassert(cxt);\n\tassert(cxt->fs);\n\tassert(cxt->helper_exec_status == 1);\n\tassert(cxt->syscall_status == 1);\n\n\tDBG(CXT, ul_debugobj(cxt, \"umount: %s\", mnt_context_get_target(cxt)));\n\n\tns_old = mnt_context_switch_target_ns(cxt);\n\tif (!ns_old)\n\t\treturn -MNT_ERR_NAMESPACE;\n\n\trc = mnt_context_prepare_umount(cxt);\n\tif (!rc)\n\t\trc = mnt_context_prepare_update(cxt);\n\tif (!rc)\n\t\trc = mnt_context_do_umount(cxt);\n\tif (!rc)\n\t\trc = mnt_context_update_tabs(cxt);\n\n\tif (!mnt_context_switch_ns(cxt, ns_old))\n\t\treturn -MNT_ERR_NAMESPACE;\n\n\treturn rc;\n}", "project": "util-linux", "hash": 315747167572487791552667120713167948697, "size": 29, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410412 }, { "func": "static ssize_t alloc_calls_show(struct kmem_cache *s, char *buf)\n{\n\tif (!(s->flags & SLAB_STORE_USER))\n\t\treturn -ENOSYS;\n\treturn list_locations(s, buf, TRACK_ALLOC);\n}", "project": "linux", "hash": 315403421640697223716228387469282964160, "size": 6, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu 
freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280213 }, { "func": "Status TF_TensorToMaybeAliasedPyArray(Safe_TF_TensorPtr tensor,\n PyObject** out_ndarray) {\n auto dtype = TF_TensorType(tensor.get());\n if (dtype == TF_STRING || dtype == TF_RESOURCE) {\n return TF_TensorToPyArray(std::move(tensor), out_ndarray);\n }\n\n TF_Tensor* moved = tensor.release();\n int64 nelems = -1;\n gtl::InlinedVector dims;\n TF_RETURN_IF_ERROR(GetPyArrayDimensionsForTensor(moved, &dims, &nelems));\n return ArrayFromMemory(\n dims.size(), dims.data(), TF_TensorData(moved),\n static_cast(dtype), [moved] { TF_DeleteTensor(moved); },\n out_ndarray);\n}", "project": "tensorflow", "hash": 210135801725619248528554388742359010266, "size": 16, "commit_id": "030af767d357d1b4088c4a25c72cb3906abac489", "message": "Fix `tf.raw_ops.ResourceCountUpTo` null pointer dereference.\n\nPiperOrigin-RevId: 368294347\nChange-Id: I2c16fbfc9b4966c402c3d8e311f0d665a9c852d8", "target": 0, "dataset": "other", "idx": 232659 }, { "func": "static apr_byte_t oidc_refresh_access_token(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session, oidc_provider_t *provider,\n\t\tchar **new_access_token) {\n\n\toidc_debug(r, \"enter\");\n\n\t/* get the refresh token that was stored in the session */\n\tconst char *refresh_token = oidc_session_get_refresh_token(r, session);\n\tif (refresh_token == NULL) {\n\t\toidc_warn(r,\n\t\t\t\t\"refresh token routine called but no refresh_token found in the session\");\n\t\treturn FALSE;\n\t}\n\n\t/* elements returned in the refresh response */\n\tchar *s_id_token = NULL;\n\tint expires_in = -1;\n\tchar 
*s_token_type = NULL;\n\tchar *s_access_token = NULL;\n\tchar *s_refresh_token = NULL;\n\n\t/* refresh the tokens by calling the token endpoint */\n\tif (oidc_proto_refresh_request(r, c, provider, refresh_token, &s_id_token,\n\t\t\t&s_access_token, &s_token_type, &expires_in, &s_refresh_token)\n\t\t\t== FALSE) {\n\t\toidc_error(r, \"access_token could not be refreshed\");\n\t\treturn FALSE;\n\t}\n\n\t/* store the new access_token in the session and discard the old one */\n\toidc_session_set_access_token(r, session, s_access_token);\n\toidc_session_set_access_token_expires(r, session, expires_in);\n\n\t/* reset the access token refresh timestamp */\n\toidc_session_reset_access_token_last_refresh(r, session);\n\n\t/* see if we need to return it as a parameter */\n\tif (new_access_token != NULL)\n\t\t*new_access_token = s_access_token;\n\n\t/* if we have a new refresh token (rolling refresh), store it in the session and overwrite the old one */\n\tif (s_refresh_token != NULL)\n\t\toidc_session_set_refresh_token(r, session, s_refresh_token);\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 333040089781698990202621469693275565804, "size": 46, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381965 }, { "func": "static apr_byte_t oidc_refresh_access_token(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session, oidc_provider_t *provider,\n\t\tchar **new_access_token) {\n\n\toidc_debug(r, \"enter\");\n\n\t/* get the refresh token that was stored in the session */\n\tconst char *refresh_token = oidc_session_get_refresh_token(r, session);\n\tif (refresh_token == NULL) {\n\t\toidc_warn(r,\n\t\t\t\t\"refresh token routine called but no refresh_token found in the session\");\n\t\treturn FALSE;\n\t}\n\n\t/* elements returned in the refresh response 
*/\n\tchar *s_id_token = NULL;\n\tint expires_in = -1;\n\tchar *s_token_type = NULL;\n\tchar *s_access_token = NULL;\n\tchar *s_refresh_token = NULL;\n\n\t/* refresh the tokens by calling the token endpoint */\n\tif (oidc_proto_refresh_request(r, c, provider, refresh_token, &s_id_token,\n\t\t\t&s_access_token, &s_token_type, &expires_in,\n\t\t\t&s_refresh_token) == FALSE) {\n\t\toidc_error(r, \"access_token could not be refreshed\");\n\t\treturn FALSE;\n\t}\n\n\t/* store the new access_token in the session and discard the old one */\n\toidc_session_set_access_token(r, session, s_access_token);\n\toidc_session_set_access_token_expires(r, session, expires_in);\n\n\t/* reset the access token refresh timestamp */\n\toidc_session_reset_access_token_last_refresh(r, session);\n\n\t/* see if we need to return it as a parameter */\n\tif (new_access_token != NULL)\n\t\t*new_access_token = s_access_token;\n\n\t/* if we have a new refresh token (rolling refresh), store it in the session and overwrite the old one */\n\tif (s_refresh_token != NULL)\n\t\toidc_session_set_refresh_token(r, session, s_refresh_token);\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 196864018225708968165486685189990622911, "size": 46, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447704 }, { "func": "static OPJ_BOOL opj_j2k_update_rates(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n opj_cp_t * l_cp = 00;\n opj_image_t * l_image = 00;\n opj_tcp_t * l_tcp = 00;\n opj_image_comp_t * l_img_comp = 00;\n\n OPJ_UINT32 i, j, k;\n OPJ_INT32 l_x0, l_y0, l_x1, l_y1;\n OPJ_FLOAT32 * l_rates = 0;\n OPJ_FLOAT32 l_sot_remove;\n OPJ_UINT32 l_bits_empty, l_size_pixel;\n OPJ_UINT64 l_tile_size = 0;\n OPJ_UINT32 l_last_res;\n OPJ_FLOAT32(* l_tp_stride_func)(opj_tcp_t *) = 00;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n 
assert(p_stream != 00);\n\n OPJ_UNUSED(p_manager);\n\n l_cp = &(p_j2k->m_cp);\n l_image = p_j2k->m_private_image;\n l_tcp = l_cp->tcps;\n\n l_bits_empty = 8 * l_image->comps->dx * l_image->comps->dy;\n l_size_pixel = l_image->numcomps * l_image->comps->prec;\n l_sot_remove = (OPJ_FLOAT32) opj_stream_tell(p_stream) / (OPJ_FLOAT32)(\n l_cp->th * l_cp->tw);\n\n if (l_cp->m_specific_param.m_enc.m_tp_on) {\n l_tp_stride_func = opj_j2k_get_tp_stride;\n } else {\n l_tp_stride_func = opj_j2k_get_default_stride;\n }\n\n for (i = 0; i < l_cp->th; ++i) {\n for (j = 0; j < l_cp->tw; ++j) {\n OPJ_FLOAT32 l_offset = (OPJ_FLOAT32)(*l_tp_stride_func)(l_tcp) /\n (OPJ_FLOAT32)l_tcp->numlayers;\n\n /* 4 borders of the tile rescale on the image if necessary */\n l_x0 = opj_int_max((OPJ_INT32)(l_cp->tx0 + j * l_cp->tdx),\n (OPJ_INT32)l_image->x0);\n l_y0 = opj_int_max((OPJ_INT32)(l_cp->ty0 + i * l_cp->tdy),\n (OPJ_INT32)l_image->y0);\n l_x1 = opj_int_min((OPJ_INT32)(l_cp->tx0 + (j + 1) * l_cp->tdx),\n (OPJ_INT32)l_image->x1);\n l_y1 = opj_int_min((OPJ_INT32)(l_cp->ty0 + (i + 1) * l_cp->tdy),\n (OPJ_INT32)l_image->y1);\n\n l_rates = l_tcp->rates;\n\n /* Modification of the RATE >> */\n for (k = 0; k < l_tcp->numlayers; ++k) {\n if (*l_rates > 0.0f) {\n *l_rates = (OPJ_FLOAT32)(((OPJ_FLOAT64)l_size_pixel * (OPJ_UINT32)(\n l_x1 - l_x0) *\n (OPJ_UINT32)(l_y1 - l_y0))\n / ((*l_rates) * (OPJ_FLOAT32)l_bits_empty))\n -\n l_offset;\n }\n\n ++l_rates;\n }\n\n ++l_tcp;\n\n }\n }\n\n l_tcp = l_cp->tcps;\n\n for (i = 0; i < l_cp->th; ++i) {\n for (j = 0; j < l_cp->tw; ++j) {\n l_rates = l_tcp->rates;\n\n if (*l_rates > 0.0f) {\n *l_rates -= l_sot_remove;\n\n if (*l_rates < 30.0f) {\n *l_rates = 30.0f;\n }\n }\n\n ++l_rates;\n\n l_last_res = l_tcp->numlayers - 1;\n\n for (k = 1; k < l_last_res; ++k) {\n\n if (*l_rates > 0.0f) {\n *l_rates -= l_sot_remove;\n\n if (*l_rates < * (l_rates - 1) + 10.0f) {\n *l_rates = (*(l_rates - 1)) + 20.0f;\n }\n }\n\n ++l_rates;\n }\n\n if (*l_rates > 0.0f) {\n 
*l_rates -= (l_sot_remove + 2.f);\n\n if (*l_rates < * (l_rates - 1) + 10.0f) {\n *l_rates = (*(l_rates - 1)) + 20.0f;\n }\n }\n\n ++l_tcp;\n }\n }\n\n l_img_comp = l_image->comps;\n l_tile_size = 0;\n\n for (i = 0; i < l_image->numcomps; ++i) {\n l_tile_size += (OPJ_UINT64)opj_uint_ceildiv(l_cp->tdx, l_img_comp->dx)\n *\n opj_uint_ceildiv(l_cp->tdy, l_img_comp->dy)\n *\n l_img_comp->prec;\n\n ++l_img_comp;\n }\n\n /* TODO: where does this magic value come from ? */\n /* This used to be 1.3 / 8, but with random data and very small code */\n /* block sizes, this is not enough. For example with */\n /* bin/test_tile_encoder 1 256 256 32 32 8 0 reversible_with_precinct.j2k 4 4 3 0 0 1 16 16 */\n /* TODO revise this to take into account the overhead linked to the */\n /* number of packets and number of code blocks in packets */\n l_tile_size = (OPJ_UINT64)((double)l_tile_size * 1.4 / 8);\n\n /* Arbitrary amount to make the following work: */\n /* bin/test_tile_encoder 1 256 256 17 16 8 0 reversible_no_precinct.j2k 4 4 3 0 0 1 */\n l_tile_size += 500;\n\n l_tile_size += opj_j2k_get_specific_header_sizes(p_j2k);\n\n if (l_tile_size > UINT_MAX) {\n l_tile_size = UINT_MAX;\n }\n\n p_j2k->m_specific_param.m_encoder.m_encoded_tile_size = (OPJ_UINT32)l_tile_size;\n p_j2k->m_specific_param.m_encoder.m_encoded_tile_data =\n (OPJ_BYTE *) opj_malloc(p_j2k->m_specific_param.m_encoder.m_encoded_tile_size);\n if (p_j2k->m_specific_param.m_encoder.m_encoded_tile_data == 00) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to allocate m_encoded_tile_data. %u MB required\\n\",\n (OPJ_UINT32)(l_tile_size / 1024 / 1024));\n return OPJ_FALSE;\n }\n\n if (OPJ_IS_CINEMA(l_cp->rsiz) || OPJ_IS_IMF(l_cp->rsiz)) {\n p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_buffer =\n (OPJ_BYTE *) opj_malloc(5 *\n p_j2k->m_specific_param.m_encoder.m_total_tile_parts);\n if (! 
p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_buffer) {\n return OPJ_FALSE;\n }\n\n p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_current =\n p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_buffer;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 244217888842535128496488456447514234870, "size": 174, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357354 }, { "func": "void cdev_set_parent(struct cdev *p, struct kobject *kobj)\n{\n\tWARN_ON(!kobj->state_initialized);\n\tp->kobj.parent = kobj;\n}", "project": "linux", "hash": 101057910833469011994299193352005326914, "size": 5, "commit_id": "68faa679b8be1a74e6663c21c3a9d25d32f1c079", "message": "chardev: Avoid potential use-after-free in 'chrdev_open()'\n\n'chrdev_open()' calls 'cdev_get()' to obtain a reference to the\n'struct cdev *' stashed in the 'i_cdev' field of the target inode\nstructure. If the pointer is NULL, then it is initialised lazily by\nlooking up the kobject in the 'cdev_map' and so the whole procedure is\nprotected by the 'cdev_lock' spinlock to serialise initialisation of\nthe shared pointer.\n\nUnfortunately, it is possible for the initialising thread to fail *after*\ninstalling the new pointer, for example if the subsequent '->open()' call\non the file fails. In this case, 'cdev_put()' is called, the reference\ncount on the kobject is dropped and, if nobody else has taken a reference,\nthe release function is called which finally clears 'inode->i_cdev' from\n'cdev_purge()' before potentially freeing the object. 
The problem here\nis that a racing thread can happily take the 'cdev_lock' and see the\nnon-NULL pointer in the inode, which can result in a refcount increment\nfrom zero and a warning:\n\n | ------------[ cut here ]------------\n | refcount_t: addition on 0; use-after-free.\n | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0\n | Modules linked in:\n | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\n | RIP: 0010:refcount_warn_saturate+0x6d/0xf0\n | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08\n | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282\n | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000\n | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798\n | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039\n | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700\n | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700\n | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0\n | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n | Call Trace:\n | kobject_get+0x5c/0x60\n | cdev_get+0x2b/0x60\n | chrdev_open+0x55/0x220\n | ? cdev_put.part.3+0x20/0x20\n | do_dentry_open+0x13a/0x390\n | path_openat+0x2c8/0x1470\n | do_filp_open+0x93/0x100\n | ? 
selinux_file_ioctl+0x17f/0x220\n | do_sys_open+0x186/0x220\n | do_syscall_64+0x48/0x150\n | entry_SYSCALL_64_after_hwframe+0x44/0xa9\n | RIP: 0033:0x7f3b87efcd0e\n | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4\n | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101\n | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e\n | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c\n | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000\n | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e\n | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000\n | ---[ end trace 24f53ca58db8180a ]---\n\nSince 'cdev_get()' can already fail to obtain a reference, simply move\nit over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',\nwhich will cause the racing thread to return -ENXIO if the initialising\nthread fails unexpectedly.\n\nCc: Hillf Danton \nCc: Andrew Morton \nCc: Al Viro \nReported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com\nSigned-off-by: Will Deacon \nCc: stable \nLink: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 446391 }, { "func": "int tracing_is_enabled(void)\n{\n\t/*\n\t * For quick access (irqsoff uses this in fast path), just\n\t * return the mirror variable of the state of the ring buffer.\n\t * It's a little racy, but we don't really care.\n\t */\n\tsmp_rmb();\n\treturn !global_trace.buffer_disabled;\n}", "project": "linux", "hash": 309096692251888724351427561643725342395, "size": 10, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back 
to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445708 }, { "func": "int kvm_arch_vcpu_create(struct kvm_vcpu *vcpu)\n{\n\tstruct sie_page *sie_page;\n\tint rc;\n\n\tBUILD_BUG_ON(sizeof(struct sie_page) != 4096);\n\tsie_page = (struct sie_page *) get_zeroed_page(GFP_KERNEL);\n\tif (!sie_page)\n\t\treturn -ENOMEM;\n\n\tvcpu->arch.sie_block = &sie_page->sie_block;\n\tvcpu->arch.sie_block->itdba = (unsigned long) &sie_page->itdb;\n\n\t/* the real guest size will always be smaller than msl */\n\tvcpu->arch.sie_block->mso = 0;\n\tvcpu->arch.sie_block->msl = sclp.hamax;\n\n\tvcpu->arch.sie_block->icpua = vcpu->vcpu_id;\n\tspin_lock_init(&vcpu->arch.local_int.lock);\n\tvcpu->arch.sie_block->gd = (u32)(u64)vcpu->kvm->arch.gisa_int.origin;\n\tif (vcpu->arch.sie_block->gd && sclp.has_gisaf)\n\t\tvcpu->arch.sie_block->gd |= GISA_FORMAT1;\n\tseqcount_init(&vcpu->arch.cputm_seqcount);\n\n\tvcpu->arch.pfault_token = KVM_S390_PFAULT_TOKEN_INVALID;\n\tkvm_clear_async_pf_completion_queue(vcpu);\n\tvcpu->run->kvm_valid_regs = KVM_SYNC_PREFIX |\n\t\t\t\t KVM_SYNC_GPRS |\n\t\t\t\t KVM_SYNC_ACRS |\n\t\t\t\t KVM_SYNC_CRS |\n\t\t\t\t KVM_SYNC_ARCH0 |\n\t\t\t\t KVM_SYNC_PFAULT;\n\tkvm_s390_set_prefix(vcpu, 0);\n\tif (test_kvm_facility(vcpu->kvm, 64))\n\t\tvcpu->run->kvm_valid_regs |= KVM_SYNC_RICCB;\n\tif (test_kvm_facility(vcpu->kvm, 82))\n\t\tvcpu->run->kvm_valid_regs |= KVM_SYNC_BPBC;\n\tif (test_kvm_facility(vcpu->kvm, 133))\n\t\tvcpu->run->kvm_valid_regs |= KVM_SYNC_GSCB;\n\tif (test_kvm_facility(vcpu->kvm, 156))\n\t\tvcpu->run->kvm_valid_regs |= KVM_SYNC_ETOKEN;\n\t/* 
fprs can be synchronized via vrs, even if the guest has no vx. With\n\t * MACHINE_HAS_VX, (load|store)_fpu_regs() will work with vrs format.\n\t */\n\tif (MACHINE_HAS_VX)\n\t\tvcpu->run->kvm_valid_regs |= KVM_SYNC_VRS;\n\telse\n\t\tvcpu->run->kvm_valid_regs |= KVM_SYNC_FPRS;\n\n\tif (kvm_is_ucontrol(vcpu->kvm)) {\n\t\trc = __kvm_ucontrol_vcpu_init(vcpu);\n\t\tif (rc)\n\t\t\tgoto out_free_sie_block;\n\t}\n\n\tVM_EVENT(vcpu->kvm, 3, \"create cpu %d at 0x%pK, sie block at 0x%pK\",\n\t\t vcpu->vcpu_id, vcpu, vcpu->arch.sie_block);\n\ttrace_kvm_s390_create_vcpu(vcpu->vcpu_id, vcpu, vcpu->arch.sie_block);\n\n\trc = kvm_s390_vcpu_setup(vcpu);\n\tif (rc)\n\t\tgoto out_ucontrol_uninit;\n\treturn 0;\n\nout_ucontrol_uninit:\n\tif (kvm_is_ucontrol(vcpu->kvm))\n\t\tgmap_remove(vcpu->arch.gmap);\nout_free_sie_block:\n\tfree_page((unsigned long)(vcpu->arch.sie_block));\n\treturn rc;\n}", "project": "linux", "hash": 53867637224623238113259739971018778643, "size": 71, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354764 }, { "func": "static int sctp_setsockopt_auto_asconf(struct sock *sk, int *val,\n\t\t\t\t\tunsigned int optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\n\tif (optlen < sizeof(int))\n\t\treturn -EINVAL;\n\tif (!sctp_is_ep_boundall(sk) && *val)\n\t\treturn -EINVAL;\n\tif ((*val && 
sp->do_auto_asconf) || (!*val && !sp->do_auto_asconf))\n\t\treturn 0;\n\n\tspin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock);\n\tif (*val == 0 && sp->do_auto_asconf) {\n\t\tlist_del(&sp->auto_asconf_list);\n\t\tsp->do_auto_asconf = 0;\n\t} else if (*val && !sp->do_auto_asconf) {\n\t\tlist_add_tail(&sp->auto_asconf_list,\n\t\t &sock_net(sk)->sctp.auto_asconf_splist);\n\t\tsp->do_auto_asconf = 1;\n\t}\n\tspin_unlock_bh(&sock_net(sk)->sctp.addr_wq_lock);\n\treturn 0;\n}", "project": "linux", "hash": 299375087696507155014890286468900335604, "size": 24, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398068 }, { "func": "static noinline bool io_cqring_fill_event(struct io_ring_ctx *ctx, u64 user_data,\n\t\t\t\t\t long res, unsigned int cflags)\n{\n\treturn __io_cqring_fill_event(ctx, user_data, res, cflags);\n}", "project": "linux", "hash": 212790304100665423847458459975729160943, "size": 5, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338637 }, { "func": "/* returns true if it causes the idle timer to be disabled */\nstatic bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq)\n{\n\tstruct bfq_queue *bfqq = RQ_BFQQ(rq),\n\t\t*new_bfqq = bfq_setup_cooperator(bfqd, bfqq, rq, true);\n\tbool waiting, idle_timer_disabled = false;\n\n\tif (new_bfqq) {\n\t\t/*\n\t\t * Release the request's reference to the old bfqq\n\t\t * and make sure one is taken to the shared queue.\n\t\t */\n\t\tnew_bfqq->allocated++;\n\t\tbfqq->allocated--;\n\t\tnew_bfqq->ref++;\n\t\t/*\n\t\t * If the bic associated with the process\n\t\t * issuing this request still points to bfqq\n\t\t * (and thus has not been already redirected\n\t\t * to new_bfqq or even some other bfq_queue),\n\t\t * then complete the merge and redirect it to\n\t\t * new_bfqq.\n\t\t */\n\t\tif 
(bic_to_bfqq(RQ_BIC(rq), 1) == bfqq)\n\t\t\tbfq_merge_bfqqs(bfqd, RQ_BIC(rq),\n\t\t\t\t\tbfqq, new_bfqq);\n\n\t\tbfq_clear_bfqq_just_created(bfqq);\n\t\t/*\n\t\t * rq is about to be enqueued into new_bfqq,\n\t\t * release rq reference on bfqq\n\t\t */\n\t\tbfq_put_queue(bfqq);\n\t\trq->elv.priv[1] = new_bfqq;\n\t\tbfqq = new_bfqq;\n\t}\n\n\tbfq_update_io_thinktime(bfqd, bfqq);\n\tbfq_update_has_short_ttime(bfqd, bfqq, RQ_BIC(rq));\n\tbfq_update_io_seektime(bfqd, bfqq, rq);\n\n\twaiting = bfqq && bfq_bfqq_wait_request(bfqq);\n\tbfq_add_request(rq);\n\tidle_timer_disabled = waiting && !bfq_bfqq_wait_request(bfqq);\n\n\trq->fifo_time = ktime_get_ns() + bfqd->bfq_fifo_expire[rq_is_sync(rq)];\n\tlist_add_tail(&rq->queuelist, &bfqq->fifo);\n\n\tbfq_rq_enqueued(bfqd, bfqq, rq);\n\n\treturn idle_timer_disabled;", "project": "linux", "hash": 90370131632745354619329129301516345049, "size": 51, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453367 }, { "func": "static inline qDeqID getNextDeqID(qqueue_t *pQueue)\n{\n\tISOBJ_TYPE_assert(pQueue, qqueue);\n\treturn pQueue->deqIDAdd++;\n}", "project": "rsyslog", "hash": 293088095136982554403962827133312589651, "size": 5, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373772 }, { "func": "CallResult JSObject::deleteNamed(\n Handle selfHandle,\n Runtime *runtime,\n SymbolID name,\n PropOpFlags opFlags) {\n assert(\n !opFlags.getMustExist() && \"mustExist cannot be specified when deleting\");\n\n // Find the property by name.\n NamedPropertyDescriptor desc;\n auto pos = findProperty(selfHandle, runtime, name, desc);\n\n // If the property doesn't exist in this object, return 
success.\n if (!pos) {\n if (LLVM_LIKELY(\n !selfHandle->flags_.lazyObject &&\n !selfHandle->flags_.proxyObject)) {\n return true;\n } else if (selfHandle->flags_.lazyObject) {\n // object is lazy, initialize and read again.\n initializeLazyObject(runtime, selfHandle);\n pos = findProperty(selfHandle, runtime, name, desc);\n if (!pos) // still not there, return true.\n return true;\n } else {\n assert(selfHandle->flags_.proxyObject && \"object flags are impossible\");\n return proxyOpFlags(\n runtime,\n opFlags,\n \"Proxy delete returned false\",\n JSProxy::deleteNamed(selfHandle, runtime, name));\n }\n }\n // If the property isn't configurable, fail.\n if (LLVM_UNLIKELY(!desc.flags.configurable)) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n TwineChar16(\"Property '\") +\n runtime->getIdentifierTable().getStringViewForDev(runtime, name) +\n \"' is not configurable\");\n }\n return false;\n }\n\n // Clear the deleted property value to prevent memory leaks.\n setNamedSlotValue(\n *selfHandle, runtime, desc, HermesValue::encodeEmptyValue());\n\n // Perform the actual deletion.\n auto newClazz = HiddenClass::deleteProperty(\n runtime->makeHandle(selfHandle->clazz_), runtime, *pos);\n selfHandle->clazz_.set(runtime, *newClazz, &runtime->getHeap());\n\n return true;\n}", "project": "hermes", "hash": 79211470231016871957352370210658089937, "size": 55, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230181 }, { "func": " bool null_eq(const Item *item) const\n {\n DBUG_ASSERT(is_basic_value(NULL_ITEM));\n return item->type() == NULL_ITEM;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 186184619677973336794077303895821781324, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509390 }, { "func": "static void _php_image_bw_convert(gdImagePtr im_org, gdIOCtx *out,\n int threshold) {\n gdImagePtr im_dest;\n int white, black;\n int color, color_org, median;\n int dest_height = gdImageSY(im_org);\n int dest_width = gdImageSX(im_org);\n int x, y;\n\n im_dest = gdImageCreate(dest_width, dest_height);\n if (im_dest == nullptr) {\n raise_warning(\"Unable to allocate temporary buffer\");\n return;\n }\n\n white = gdImageColorAllocate(im_dest, 255, 255, 255);\n if (white == -1) {\n raise_warning(\"Unable to allocate the colors for \"\n \"the destination buffer\");\n return;\n }\n\n black = gdImageColorAllocate(im_dest, 0, 0, 0);\n if (black == -1) {\n raise_warning(\"Unable to allocate the colors for \"\n \"the destination buffer\");\n return;\n }\n\n if (im_org->trueColor) {\n gdImageTrueColorToPalette(im_org, 1, 256);\n }\n\n for (y = 0; y < dest_height; y++) {\n for (x = 0; x < dest_width; x++) {\n color_org = gdImageGetPixel(im_org, x, y);\n median = (im_org->red[color_org] +\n im_org->green[color_org] +\n im_org->blue[color_org]) / 3;\n if (median < threshold) {\n color = black;\n } else {\n color = white;\n }\n gdImageSetPixel (im_dest, x, y, color);\n }\n }\n gdImageWBMPCtx (im_dest, black, out);\n}", "project": "hhvm", "hash": 241958760304915171897306570688397741544, "size": 49, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219240 }, { "func": "static int kvm_io_bus_get_first_dev(struct kvm_io_bus *bus,\n\t\t\t gpa_t addr, int len)\n{\n\tstruct kvm_io_range *range, key;\n\tint off;\n\n\tkey = (struct kvm_io_range) {\n\t\t.addr = addr,\n\t\t.len = len,\n\t};\n\n\trange = bsearch(&key, bus->range, bus->dev_count,\n\t\t\tsizeof(struct 
kvm_io_range), kvm_io_bus_sort_cmp);\n\tif (range == NULL)\n\t\treturn -ENOENT;\n\n\toff = range - bus->range;\n\n\twhile (off > 0 && kvm_io_bus_cmp(&key, &bus->range[off-1]) == 0)\n\t\toff--;\n\n\treturn off;\n}", "project": "linux", "hash": 195966824010624522556070638030747408297, "size": 23, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354737 }, { "func": "static void encode_destroy_session(struct xdr_stream *xdr,\n\t\t\t\t const struct nfs4_session *session,\n\t\t\t\t struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_DESTROY_SESSION, decode_destroy_session_maxsz, hdr);\n\tencode_opaque_fixed(xdr, session->sess_id.data, NFS4_MAX_SESSIONID_LEN);\n}", "project": "linux", "hash": 57660564699198419527329189244146420192, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431040 }, { "func": "static void create_tile_hint(int x, int y, int tw, int th, hint_t 
*hint) {\n\tint w = dpy_x - x;\n\tint h = dpy_y - y;\n\n\tif (w > tw) {\n\t\tw = tw;\n\t}\n\tif (h > th) {\n\t\th = th;\n\t}\n\n\thint->x = x;\n\thint->y = y;\n\thint->w = w;\n\thint->h = h;\n}", "project": "x11vnc", "hash": 135507842115541545600654342989057397135, "size": 16, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360791 }, { "func": "Status GraphConstructor::PopulateReturnNodes() {\n if (opts_.return_nodes.empty()) return Status::OK();\n for (StringPiece name : opts_.return_nodes) {\n auto iter = gdef_nodes_.find(name);\n if (iter == gdef_nodes_.end()) {\n return errors::InvalidArgument(\"Requested return node '\", name,\n \"' not found in graph def\");\n }\n return_nodes_->push_back(iter->second.node);\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 303938844749384911354409955043330273486, "size": 12, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268334 }, { "func": "ScanLineInputFile::ScanLineInputFile(InputPartData* part)\n{\n if (part->header.type() != SCANLINEIMAGE)\n throw IEX_NAMESPACE::ArgExc(\"Can't build a ScanLineInputFile from a type-mismatched part.\");\n\n _data = new Data(part->numThreads);\n _streamData = part->mutex;\n _data->memoryMapped = _streamData->is->isMemoryMapped();\n\n _data->version = part->version;\n\n try\n {\n initialize(part->header);\n }\n catch(...)\n {\n if (!_data->memoryMapped)\n {\n for (size_t i = 0; i < _data->lineBuffers.size(); i++)\n {\n if( _data->lineBuffers[i] )\n {\n EXRFreeAligned(_data->lineBuffers[i]->buffer);\n _data->lineBuffers[i]->buffer=nullptr;\n }\n }\n }\n \n delete _data;\n throw;\n }\n _data->lineOffsets = part->chunkOffsets;\n\n _data->partNumber = part->partNumber;\n //\n // (TODO) change this code later.\n // The completeness of the file should be detected in MultiPartInputFile.\n //\n _data->fileIsComplete = true;\n}", "project": "openexr", "hash": 145831631300828656674149405748760090884, "size": 41, "commit_id": "bc88cdb6c97fbf5bc5d11ad8ca55306da931283a", "message": "sanity check ScanlineInput bytesPerLine instead of lineOffset size (#863)\n\nSigned-off-by: Peter Hillman \r\n\r\nCo-authored-by: Cary Phillips ", "target": 0, "dataset": "other", "idx": 446280 }, { "func": "ScanLineInputFile::ScanLineInputFile\n (const Header &header,\n OPENEXR_IMF_INTERNAL_NAMESPACE::IStream *is,\n int numThreads)\n:\n _data (new Data (numThreads)),\n _streamData (new InputStreamMutex())\n{\n _streamData->is = is;\n _data->memoryMapped = is->isMemoryMapped();\n\n try\n {\n\n initialize(header);\n \n //\n // (TODO) this is nasty - we need a better way of 
working out what type of file has been used.\n // in any case I believe this constructor only gets used with single part files\n // and 'version' currently only tracks multipart state, so setting to 0 (not multipart) works for us\n //\n \n _data->version=0;\n readLineOffsets (*_streamData->is,\n _data->lineOrder,\n _data->lineOffsets,\n _data->fileIsComplete);\n }\n catch(...)\n {\n if(_data)\n {\n if (!_data->memoryMapped)\n {\n for (size_t i = 0; i < _data->lineBuffers.size(); i++)\n {\n if( _data->lineBuffers[i] )\n {\n EXRFreeAligned(_data->lineBuffers[i]->buffer);\n _data->lineBuffers[i]->buffer=nullptr;\n }\n }\n }\n }\n delete _streamData;\n delete _data;\n throw;\n }\n}", "project": "openexr", "hash": 293914072805258842205831469098413224981, "size": 49, "commit_id": "bc88cdb6c97fbf5bc5d11ad8ca55306da931283a", "message": "sanity check ScanlineInput bytesPerLine instead of lineOffset size (#863)\n\nSigned-off-by: Peter Hillman \r\n\r\nCo-authored-by: Cary Phillips ", "target": 0, "dataset": "other", "idx": 446307 }, { "func": "static int php_getimagetype(const req::ptr& file) {\n String fileType = file->read(3);\n if (fileType.length() != 3) {\n raise_notice(\"Read error!\");\n return IMAGE_FILETYPE_UNKNOWN;\n }\n\n /* BYTES READ: 3 */\n if (!memcmp(fileType.c_str(), php_sig_gif, 3)) {\n return IMAGE_FILETYPE_GIF;\n } else if (!memcmp(fileType.c_str(), php_sig_jpg, 3)) {\n return IMAGE_FILETYPE_JPEG;\n } else if (!memcmp(fileType.c_str(), php_sig_png, 3)) {\n String data = file->read(5);\n if (data.length() != 5) {\n raise_notice(\"Read error!\");\n return IMAGE_FILETYPE_UNKNOWN;\n }\n if (!memcmp((fileType + data).c_str(), php_sig_png, 8)) {\n return IMAGE_FILETYPE_PNG;\n } else {\n raise_warning(\"PNG file corrupted by ASCII conversion\");\n return IMAGE_FILETYPE_UNKNOWN;\n }\n } else if (!memcmp(fileType.c_str(), php_sig_swf, 3)) {\n return IMAGE_FILETYPE_SWF;\n } else if (!memcmp(fileType.c_str(), php_sig_swc, 3)) {\n return IMAGE_FILETYPE_SWC;\n } else 
if (!memcmp(fileType.c_str(), php_sig_psd, 3)) {\n return IMAGE_FILETYPE_PSD;\n } else if (!memcmp(fileType.c_str(), php_sig_bmp, 2)) {\n return IMAGE_FILETYPE_BMP;\n } else if (!memcmp(fileType.c_str(), php_sig_jpc, 3)) {\n return IMAGE_FILETYPE_JPC;\n }\n\n String data = file->read(1);\n if (data.length() != 1) {\n raise_notice(\"Read error!\");\n return IMAGE_FILETYPE_UNKNOWN;\n }\n\n /* BYTES READ: 4 */\n fileType += data;\n if (!memcmp(fileType.c_str(), php_sig_tif_ii, 4)) {\n return IMAGE_FILETYPE_TIFF_II;\n } else if (!memcmp(fileType.c_str(), php_sig_tif_mm, 4)) {\n return IMAGE_FILETYPE_TIFF_MM;\n } else if (!memcmp(fileType.c_str(), php_sig_iff, 4)) {\n return IMAGE_FILETYPE_IFF;\n } else if (!memcmp(fileType.c_str(), php_sig_ico, 4)) {\n return IMAGE_FILETYPE_ICO;\n }\n\n data = file->read(8);\n if (data.length() != 8) {\n raise_notice(\"Read error!\");\n return IMAGE_FILETYPE_UNKNOWN;\n }\n\n /* BYTES READ: 12 */\n fileType += data;\n if (!memcmp(fileType.c_str(), php_sig_jp2, 12)) {\n return IMAGE_FILETYPE_JP2;\n }\n\n /* AFTER ALL ABOVE FAILED */\n if (php_get_wbmp(file, nullptr, 1)) {\n return IMAGE_FILETYPE_WBMP;\n }\n if (php_get_xbm(file, nullptr)) {\n return IMAGE_FILETYPE_XBM;\n }\n return IMAGE_FILETYPE_UNKNOWN;\n}", "project": "hhvm", "hash": 335945095345368247138459313613765246411, "size": 75, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219270 }, { "func": "int imap_adata_find(const char *path, struct ImapAccountData **adata,\n struct ImapMboxData **mdata)\n{\n struct ConnAccount cac = { { 0 } };\n struct ImapAccountData *tmp_adata = NULL;\n char tmp[1024];\n\n if (imap_parse_path(path, &cac, tmp, sizeof(tmp)) < 0)\n return -1;\n\n struct Account *np = NULL;\n TAILQ_FOREACH(np, &NeoMutt->accounts, entries)\n {\n if (np->type != MUTT_IMAP)\n continue;\n\n tmp_adata = np->adata;\n if (!tmp_adata)\n 
continue;\n if (imap_account_match(&tmp_adata->conn->account, &cac))\n {\n *mdata = imap_mdata_new(tmp_adata, tmp);\n *adata = tmp_adata;\n return 0;\n }\n }\n mutt_debug(LL_DEBUG3, \"no ImapAccountData found\\n\");\n return -1;\n}", "project": "neomutt", "hash": 145657185537564862983108835163065209804, "size": 29, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399280 }, { "func": "enum MIME SFDGetImage2MIME(FILE *sfd) {\n char mime[128];\n\n if ( !getname(sfd, mime) ) {\n IError(\"Failed to get a MIME type, file corrupt\");\n return UNKNOWN;\n }\n\n if ( !(strmatch(mime, \"image/png\")==0) ) {\n IError(\"MIME type received—%s—is not recognized\", mime);\n return UNKNOWN;\n }\n\n return PNG;\n}", "project": "fontforge", "hash": 227178722532005397077460293953942309274, "size": 15, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417849 }, { "func": "static int kvm_s390_cpus_to_pv(struct kvm *kvm, u16 *rc, u16 *rrc)\n{\n\tint i, r = 0;\n\tu16 dummy;\n\n\tstruct kvm_vcpu *vcpu;\n\n\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\tmutex_lock(&vcpu->mutex);\n\t\tr = kvm_s390_pv_create_cpu(vcpu, rc, rrc);\n\t\tmutex_unlock(&vcpu->mutex);\n\t\tif (r)\n\t\t\tbreak;\n\t}\n\tif 
(r)\n\t\tkvm_s390_cpus_from_pv(kvm, &dummy, &dummy);\n\treturn r;\n}", "project": "linux", "hash": 220599912180183350456856669506531059243, "size": 18, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354455 }, { "func": "static void ecryptfs_lower_offset_for_extent(loff_t *offset, loff_t extent_num,\n\t\t\t\t\t struct ecryptfs_crypt_stat *crypt_stat)\n{\n\t(*offset) = (crypt_stat->num_header_bytes_at_front\n\t\t + (crypt_stat->extent_size * extent_num));\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 104927600558702768080977763321133826671, "size": 6, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. 
Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490197 }, { "func": "bool AreAttrValuesEqual(const AttrValue& a, const AttrValue& b,\n bool allow_false_negatives) {\n if (a.type() != b.type()) {\n return false;\n } else if (a.type() != DT_INVALID && b.type() != DT_INVALID) {\n return a.type() == b.type();\n }\n\n if (a.has_tensor() != b.has_tensor()) {\n return false;\n } else if (a.has_tensor() && b.has_tensor()) {\n return AreTensorProtosEqual(a.tensor(), b.tensor(), allow_false_negatives);\n }\n\n // `func` field contains a nested AttrValue. 
Compare such AttrValues\n // recursively.\n if (a.has_func() != b.has_func()) {\n return false;\n } else if (a.has_func() && b.has_func()) {\n const NameAttrList& af = a.func();\n const NameAttrList& bf = b.func();\n if (af.name() != bf.name()) return false;\n std::unordered_map am(af.attr().begin(),\n af.attr().end());\n for (const auto& bm_pair : bf.attr()) {\n const auto& iter = am.find(bm_pair.first);\n if (iter == am.end()) return false;\n if (!AreAttrValuesEqual(iter->second, bm_pair.second,\n allow_false_negatives))\n return false;\n am.erase(iter);\n }\n if (!am.empty()) return false;\n return true;\n }\n\n // All other fields in AttrValue have deterministic representations.\n // It is safe to compare their serialized strings.\n return AreSerializedProtosEqual(a, b);\n}", "project": "tensorflow", "hash": 295764811132322741455255487831427700969, "size": 40, "commit_id": "c2426bba00a01de6913738df8fa78e0215fcce02", "message": "Use `PartialTensorShape` instead of `TensorShape`.\n\n`TensorShape` constructor throws a CHECK-fail if shape is partial/overflows which the other doesn't. 
We are only determining the number of elements in the shape and partial shape should be used as it returns negative number when needed.\n\nPiperOrigin-RevId: 409205384\nChange-Id: Ia56542ff9ec758f2c9ffc7e4dcc9fa7eecd86e7b", "target": 0, "dataset": "other", "idx": 223157 }, { "func": "void LibRaw::process_Sony_0x9406(uchar *buf, ushort len)\n{\n if (len < 6)\n return;\n uchar bufx = buf[0];\n if ((bufx != 0x01) && (bufx != 0x08) && (bufx != 0x1b))\n return;\n bufx = buf[2];\n if ((bufx != 0x08) && (bufx != 0x1b))\n return;\n\n imCommon.BatteryTemperature =\n (float)(SonySubstitution[buf[5]] - 32) / 1.8f;\n\n return;\n}", "project": "LibRaw", "hash": 207179454436299435565162012813298290000, "size": 16, "commit_id": "c243f4539233053466c1309bde606815351bee81", "message": "additional checks in parseSonySRF\n\nparseSonySR2: buffer size check", "target": 0, "dataset": "other", "idx": 394108 }, { "func": "int _ssh_buffer_unpack(struct ssh_buffer_struct *buffer,\n const char *format,\n size_t argc,\n ...)\n{\n va_list ap;\n int rc;\n\n va_start(ap, argc);\n rc = ssh_buffer_unpack_va(buffer, format, argc, ap);\n va_end(ap);\n return rc;\n}", "project": "libssh-mirror", "hash": 75382200947970459956701791859821951165, "size": 13, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345170 }, { "func": "void trace_latency_header(struct seq_file *m)\n{\n\tstruct trace_iterator *iter = m->private;\n\tstruct trace_array *tr = iter->tr;\n\n\t/* print nothing if the buffers are empty */\n\tif (trace_empty(iter))\n\t\treturn;\n\n\tif (iter->iter_flags & TRACE_FILE_LAT_FMT)\n\t\tprint_trace_header(m, iter);\n\n\tif (!(tr->trace_flags & TRACE_ITER_VERBOSE))\n\t\tprint_lat_help_header(m);\n}", "project": "linux", "hash": 43076227198005618985195173073145884583, "size": 15, "commit_id": 
"4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445574 }, { "func": "static void ca8210_spi_transfer_complete(void *context)\n{\n\tstruct cas_control *cas_ctl = context;\n\tstruct ca8210_priv *priv = cas_ctl->priv;\n\tbool duplex_rx = false;\n\tint i;\n\tu8 retry_buffer[CA8210_SPI_BUF_SIZE];\n\n\tif (\n\t\tcas_ctl->tx_in_buf[0] == SPI_NACK ||\n\t\t(cas_ctl->tx_in_buf[0] == SPI_IDLE &&\n\t\tcas_ctl->tx_in_buf[1] == SPI_NACK)\n\t) {\n\t\t/* ca8210 is busy */\n\t\tdev_info(&priv->spi->dev, \"ca8210 was busy during attempted write\\n\");\n\t\tif (cas_ctl->tx_buf[0] == SPI_IDLE) {\n\t\t\tdev_warn(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"IRQ servicing NACKd, dropping transfer\\n\"\n\t\t\t);\n\t\t\tkfree(cas_ctl);\n\t\t\treturn;\n\t\t}\n\t\tif (priv->retries > 3) {\n\t\t\tdev_err(&priv->spi->dev, \"too many retries!\\n\");\n\t\t\tkfree(cas_ctl);\n\t\t\tca8210_remove(priv->spi);\n\t\t\treturn;\n\t\t}\n\t\tmemcpy(retry_buffer, cas_ctl->tx_buf, CA8210_SPI_BUF_SIZE);\n\t\tkfree(cas_ctl);\n\t\tca8210_spi_transfer(\n\t\t\tpriv->spi,\n\t\t\tretry_buffer,\n\t\t\tCA8210_SPI_BUF_SIZE\n\t\t);\n\t\tpriv->retries++;\n\t\tdev_info(&priv->spi->dev, \"retried spi write\\n\");\n\t\treturn;\n\t} else if (\n\t\t\tcas_ctl->tx_in_buf[0] != SPI_IDLE &&\n\t\t\tcas_ctl->tx_in_buf[0] != 
SPI_NACK\n\t\t) {\n\t\tduplex_rx = true;\n\t}\n\n\tif (duplex_rx) {\n\t\tdev_dbg(&priv->spi->dev, \"READ CMD DURING TX\\n\");\n\t\tfor (i = 0; i < cas_ctl->tx_in_buf[1] + 2; i++)\n\t\t\tdev_dbg(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"%#03x\\n\",\n\t\t\t\tcas_ctl->tx_in_buf[i]\n\t\t\t);\n\t\tca8210_rx_done(cas_ctl);\n\t}\n\tcomplete(&priv->spi_transfer_complete);\n\tkfree(cas_ctl);\n\tpriv->retries = 0;\n}", "project": "linux", "hash": 243653354562905719509760318593044969396, "size": 60, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408767 }, { "func": "void LibRaw::process_Sony_0x9402(uchar *buf, ushort len)\n{\n\n if (len < 23)\n return;\n\n imgdata.shootinginfo.FocusMode = SonySubstitution[buf[0x16]];\n\n if ((imSony.CameraType == LIBRAW_SONY_SLT) ||\n (imSony.CameraType == LIBRAW_SONY_ILCA))\n return;\n\n uchar bufx = buf[0x00];\n if ((bufx == 0x05) || (bufx == 0xff) || (buf[0x02] != 0xff))\n return;\n\n imCommon.AmbientTemperature =\n (float)((short)SonySubstitution[buf[0x04]]);\n\n return;\n}", "project": "LibRaw", "hash": 189236865325124019367285898067709965390, "size": 21, "commit_id": "c243f4539233053466c1309bde606815351bee81", "message": "additional checks in parseSonySRF\n\nparseSonySR2: buffer size check", "target": 0, "dataset": "other", "idx": 394101 }, { "func": "int path_pts(struct path *path)\n{\n\t/* Find something mounted on \"pts\" in the same directory as\n\t * the input path.\n\t */\n\tstruct dentry *child, *parent;\n\tstruct qstr this;\n\tint ret;\n\n\tret = path_parent_directory(path);\n\tif 
(ret)\n\t\treturn ret;\n\n\tparent = path->dentry;\n\tthis.name = \"pts\";\n\tthis.len = 3;\n\tchild = d_hash_and_lookup(parent, &this);\n\tif (!child)\n\t\treturn -ENOENT;\n\n\tpath->dentry = child;\n\tdput(parent);\n\tfollow_mount(path);\n\treturn 0;\n}", "project": "linux", "hash": 133591648399674245094761222777568663846, "size": 25, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295355 }, { "func": "static int do_job(blosc2_context* context) {\n int32_t ntbytes;\n\n /* Set sentinels */\n context->dref_not_init = 1;\n\n /* Check whether we need to restart threads */\n check_nthreads(context);\n\n /* Run the serial version when nthreads is 1 or when the buffers are\n not larger than blocksize */\n if (context->nthreads == 1 || (context->sourcesize / context->blocksize) <= 1) {\n /* The context for this 'thread' has no been initialized yet */\n if (context->serial_context == NULL) {\n context->serial_context = create_thread_context(context, 0);\n }\n else if (context->blocksize != context->serial_context->tmp_blocksize) {\n free_thread_context(context->serial_context);\n context->serial_context = create_thread_context(context, 0);\n }\n ntbytes = serial_blosc(context->serial_context);\n }\n else {\n ntbytes = parallel_blosc(context);\n }\n\n return ntbytes;\n}", "project": "c-blosc2", "hash": 189878750383948833904443263528968019157, "size": 28, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303074 }, { "func": "static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,\n\t\t\t 
const struct tcphdr *th, int syn_inerr)\n{\n\tconst u8 *hash_location;\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\t/* RFC1323: H1. Apply PAWS check first. */\n\tif (tcp_fast_parse_options(skb, th, tp, &hash_location) &&\n\t tp->rx_opt.saw_tstamp &&\n\t tcp_paws_discard(sk, skb)) {\n\t\tif (!th->rst) {\n\t\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_PAWSESTABREJECTED);\n\t\t\ttcp_send_dupack(sk, skb);\n\t\t\tgoto discard;\n\t\t}\n\t\t/* Reset is accepted even if it did not pass PAWS. */\n\t}\n\n\t/* Step 1: check sequence number */\n\tif (!tcp_sequence(tp, TCP_SKB_CB(skb)->seq, TCP_SKB_CB(skb)->end_seq)) {\n\t\t/* RFC793, page 37: \"In all states except SYN-SENT, all reset\n\t\t * (RST) segments are validated by checking their SEQ-fields.\"\n\t\t * And page 69: \"If an incoming segment is not acceptable,\n\t\t * an acknowledgment should be sent in reply (unless the RST\n\t\t * bit is set, if so drop the segment and return)\".\n\t\t */\n\t\tif (!th->rst)\n\t\t\ttcp_send_dupack(sk, skb);\n\t\tgoto discard;\n\t}\n\n\t/* Step 2: check RST bit */\n\tif (th->rst) {\n\t\ttcp_reset(sk);\n\t\tgoto discard;\n\t}\n\n\t/* ts_recent update must be made after we are sure that the packet\n\t * is in window.\n\t */\n\ttcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);\n\n\t/* step 3: check security and precedence [ignored] */\n\n\t/* step 4: Check for a SYN in window. 
*/\n\tif (th->syn && !before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {\n\t\tif (syn_inerr)\n\t\t\tTCP_INC_STATS_BH(sock_net(sk), TCP_MIB_INERRS);\n\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPABORTONSYN);\n\t\ttcp_reset(sk);\n\t\treturn -1;\n\t}\n\n\treturn 1;\n\ndiscard:\n\t__kfree_skb(skb);\n\treturn 0;\n}", "project": "net-next", "hash": 110463332800686371154057830803632531184, "size": 59, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409889 }, { "func": "static void fuse_dir_changed(struct inode *dir)\n{\n\tfuse_invalidate_attr(dir);\n\tinode_maybe_inc_iversion(dir, false);\n}", "project": "linux", "hash": 209871837252696934568078371798649429051, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341998 }, { "func": "static void svm_clear_vintr(struct vcpu_svm *svm)\n{\n\tclr_intercept(svm, INTERCEPT_VINTR);\n}", "project": "linux", "hash": 88608862170524402457120559933331819134, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432428 }, { "func": " */\nvoid __bfq_weights_tree_remove(struct bfq_data *bfqd,\n\t\t\t struct bfq_queue *bfqq,\n\t\t\t struct rb_root_cached *root)\n{\n\tif (!bfqq->weight_counter)\n\t\treturn;\n\n\tbfqq->weight_counter->num_active--;\n\tif (bfqq->weight_counter->num_active > 0)\n\t\tgoto reset_entity_pointer;\n\n\trb_erase_cached(&bfqq->weight_counter->weights_node, root);\n\tkfree(bfqq->weight_counter);\n\nreset_entity_pointer:\n\tbfqq->weight_counter = NULL;\n\tbfq_put_queue(bfqq);", "project": "linux", "hash": 165962994117450955919097388634405509949, "size": 18, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. 
So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] 
bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 
mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453360 }, { "func": "static void** cdeque_filter_p(struct filter_info** f) {\n\treturn (void**) (size_t) f;\n}", "project": "libarchive", "hash": 304067395521952546090702083418884394413, "size": 3, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244718 }, { "func": "static struct gfxinfo *php_handle_xbm(const req::ptr& stream) {\n struct gfxinfo *result;\n php_get_xbm(stream, &result);\n return result;\n}", "project": "hhvm", "hash": 69246419524086590440602574719081309898, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219452 }, { "func": "static int php_get_xbm(const req::ptr& stream, struct gfxinfo **result) {\n String fline;\n char *iname;\n char *type;\n int value;\n unsigned int width = 0, height = 0;\n\n if (result) {\n *result = nullptr;\n }\n if (!stream->rewind()) {\n return 0;\n }\n while (!(fline = HHVM_FN(fgets)(Resource(stream), 0).toString()).empty()) {\n iname = (char *)IM_MALLOC(fline.size() + 1);\n CHECK_ALLOC_R(iname, (fline.size() + 1), 0);\n if (sscanf(fline.c_str(), \"#define %s %d\", iname, &value) == 2) {\n if (!(type = strrchr(iname, '_'))) {\n type = iname;\n } else {\n type++;\n }\n\n if (!strcmp(\"width\", type)) {\n width = (unsigned int)value;\n if (height) {\n IM_FREE(iname);\n break;\n }\n }\n if (!strcmp(\"height\", type)) {\n height = (unsigned int)value;\n if (width) {\n IM_FREE(iname);\n break;\n }\n }\n }\n IM_FREE(iname);\n }\n\n if (width && height) {\n if (result) {\n *result = (struct gfxinfo *)IM_CALLOC(1, sizeof(struct gfxinfo));\n CHECK_ALLOC_R(*result, sizeof(struct gfxinfo), 0);\n (*result)->width = width;\n (*result)->height = height;\n }\n return 
IMAGE_FILETYPE_XBM;\n }\n\n return 0;\n}", "project": "hhvm", "hash": 241808017771604902539905173363660788062, "size": 53, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219730 }, { "func": "static int php_openssl_write_rand_file(const char * file, int egdsocket, int seeded) /* {{{ */\n{\n\tchar buffer[MAXPATHLEN];\n\n\n\tif (egdsocket || !seeded) {\n\t\t/* if we did not manage to read the seed file, we should not write\n\t\t * a low-entropy seed file back */\n\t\treturn FAILURE;\n\t}\n\tif (file == NULL) {\n\t\tfile = RAND_file_name(buffer, sizeof(buffer));\n\t}\n\tPHP_OPENSSL_RAND_ADD_TIME();\n\tif (file == NULL || !RAND_write_file(file)) {\n\t\tphp_openssl_store_errors();\n\t\tphp_error_docref(NULL, E_WARNING, \"unable to write random state\");\n\t\treturn FAILURE;\n\t}\n\treturn SUCCESS;\n}", "project": "php-src", "hash": 315197500681703004693998301927251383767, "size": 21, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291444 }, { "func": "static int kvm_s390_cpus_from_pv(struct kvm *kvm, u16 *rcp, u16 *rrcp)\n{\n\tstruct kvm_vcpu *vcpu;\n\tu16 rc, rrc;\n\tint ret = 0;\n\tint i;\n\n\t/*\n\t * We ignore failures and try to destroy as many CPUs as possible.\n\t * At the same time we must not free the assigned resources when\n\t * this fails, as the ultravisor has still access to that memory.\n\t * So kvm_s390_pv_destroy_cpu can leave a \"wanted\" memory leak\n\t * behind.\n\t * We want to return the first failure rc and rrc, though.\n\t */\n\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\tmutex_lock(&vcpu->mutex);\n\t\tif (kvm_s390_pv_destroy_cpu(vcpu, &rc, &rrc) && !ret) {\n\t\t\t*rcp = rc;\n\t\t\t*rrcp = rrc;\n\t\t\tret = -EIO;\n\t\t}\n\t\tmutex_unlock(&vcpu->mutex);\n\t}\n\treturn ret;\n}", 
"project": "linux", "hash": 70371804549305575677886196444051252963, "size": 26, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354770 }, { "func": "static int sctp_getsockopt_default_prinfo(struct sock *sk, int len,\n\t\t\t\t\t char __user *optval,\n\t\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_default_prinfo info;\n\tstruct sctp_association *asoc;\n\tint retval = -EFAULT;\n\n\tif (len < sizeof(info)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tlen = sizeof(info);\n\tif (copy_from_user(&info, optval, len))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, info.pr_assoc_id);\n\tif (!asoc && info.pr_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tif (asoc) {\n\t\tinfo.pr_policy = SCTP_PR_POLICY(asoc->default_flags);\n\t\tinfo.pr_value = asoc->default_timetolive;\n\t} else {\n\t\tstruct sctp_sock *sp = sctp_sk(sk);\n\n\t\tinfo.pr_policy = SCTP_PR_POLICY(sp->default_flags);\n\t\tinfo.pr_value = sp->default_timetolive;\n\t}\n\n\tif (put_user(len, optlen))\n\t\tgoto out;\n\n\tif (copy_to_user(optval, &info, len))\n\t\tgoto out;\n\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 30555041882778571051551544785423843337, "size": 45, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix 
race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398087 }, { "func": "static ut64 bbFail(RAnalFunction *fcn, ut64 addr) {\n\tRListIter *iter;\n\tRAnalBlock *bb;\n\tr_list_foreach (fcn->bbs, iter, bb) {\n\t\tif (R_BETWEEN (bb->addr, addr, bb->addr + bb->size - 1)) {\n\t\t\treturn bb->fail;\n\t\t}\n\t}\n\treturn UT64_MAX;\n}", "project": "radare2", "hash": 338168265911036348852465721697140072538, "size": 10, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232205 }, { "func": "static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\tdo {\n\t\terr = nfs4_handle_exception(server,\n\t\t\t\t_nfs4_proc_statfs(server, fhandle, fsstat),\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 16589350496234503347190927714587720639, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the 
buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431215 }, { "func": "void tracing_reset_online_cpus(struct trace_buffer *buf)\n{\n\tstruct ring_buffer *buffer = buf->buffer;\n\tint cpu;\n\n\tif (!buffer)\n\t\treturn;\n\n\tring_buffer_record_disable(buffer);\n\n\t/* Make sure all commits have finished */\n\tsynchronize_sched();\n\n\tbuf->time_start = buffer_ftrace_now(buf, buf->cpu);\n\n\tfor_each_online_cpu(cpu)\n\t\tring_buffer_reset_cpu(buffer, cpu);\n\n\tring_buffer_record_enable(buffer);\n}", "project": "linux", "hash": 82857587451535512790418021892408719561, "size": 20, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445838 }, { "func": "static int sctp_getsockopt_pr_supported(struct sock *sk, int len,\n\t\t\t\t\tchar __user *optval,\n\t\t\t\t\tint __user *optlen)\n{\n\tstruct sctp_assoc_value params;\n\tstruct sctp_association *asoc;\n\tint retval = -EFAULT;\n\n\tif (len < sizeof(params)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tlen = sizeof(params);\n\tif (copy_from_user(&params, optval, len))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params.assoc_id);\n\tif (!asoc && params.assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tparams.assoc_value = asoc ? asoc->peer.prsctp_capable\n\t\t\t\t : sctp_sk(sk)->ep->prsctp_enable;\n\n\tif (put_user(len, optlen))\n\t\tgoto out;\n\n\tif (copy_to_user(optval, &params, len))\n\t\tgoto out;\n\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 202174970917444975672845307542524582439, "size": 38, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398115 }, { "func": "static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_provide_buf *p = &req->pbuf;\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tstruct io_buffer *head;\n\tint ret = 0;\n\tbool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;\n\n\tio_ring_submit_lock(ctx, !force_nonblock);\n\n\tlockdep_assert_held(&ctx->uring_lock);\n\n\tret = -ENOENT;\n\thead = xa_load(&ctx->io_buffers, p->bgid);\n\tif (head)\n\t\tret = __io_remove_buffers(ctx, head, p->bgid, p->nbufs);\n\tif (ret < 0)\n\t\treq_set_fail_links(req);\n\n\t/* complete before unlock, IOPOLL may need the lock */\n\t__io_req_complete(req, issue_flags, ret, 0);\n\tio_ring_submit_unlock(ctx, !force_nonblock);\n\treturn 0;\n}", "project": "linux", "hash": 82788064788104949160796674238313529093, "size": 24, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338699 }, { "func": "static inline void clgi(void)\n{\n\tasm volatile (__ex(\"clgi\"));\n}", "project": "linux", "hash": 6309279384856318159031423950125159041, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432620 }, { "func": "static inline void clgi(void)\n{\n\tasm volatile (__ex(SVM_CLGI));\n}", "project": "kvm", "hash": 269828939784065864291875358862733774981, "size": 4, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). 
However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437629 }, { "func": " void setBuf(char* buf, size_t cap) {\n begin = p = buf;\n#ifndef NDEBUG\n end = begin + cap;\n#endif\n }", "project": "hhvm", "hash": 66709397706838176598996244108340565270, "size": 6, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: 
D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227315 }, { "func": "bool CPlayListASX::LoadData(std::istream& stream)\n{\n CLog::Log(LOGINFO, \"Parsing ASX\");\n\n if(stream.peek() == '[')\n {\n return LoadAsxIniInfo(stream);\n }\n else\n {\n CXBMCTinyXML xmlDoc;\n stream >> xmlDoc;\n\n if (xmlDoc.Error())\n {\n CLog::Log(LOGERROR, \"Unable to parse ASX info Error: {}\", xmlDoc.ErrorDesc());\n return false;\n }\n\n TiXmlElement *pRootElement = xmlDoc.RootElement();\n\n // lowercase every element\n TiXmlNode *pNode = pRootElement;\n TiXmlNode *pChild = NULL;\n std::string value;\n value = pNode->Value();\n StringUtils::ToLower(value);\n pNode->SetValue(value);\n while(pNode)\n {\n pChild = pNode->IterateChildren(pChild);\n if(pChild)\n {\n if (pChild->Type() == TiXmlNode::TINYXML_ELEMENT)\n {\n value = pChild->Value();\n StringUtils::ToLower(value);\n pChild->SetValue(value);\n\n TiXmlAttribute* pAttr = pChild->ToElement()->FirstAttribute();\n while(pAttr)\n {\n value = pAttr->Name();\n StringUtils::ToLower(value);\n pAttr->SetName(value);\n pAttr = pAttr->Next();\n }\n }\n\n pNode = pChild;\n pChild = NULL;\n continue;\n }\n\n pChild = pNode;\n pNode = pNode->Parent();\n }\n std::string roottitle;\n TiXmlElement *pElement = pRootElement->FirstChildElement();\n while (pElement)\n {\n value = pElement->Value();\n if (value == \"title\" && !pElement->NoChildren())\n {\n roottitle = pElement->FirstChild()->ValueStr();\n }\n else if (value == \"entry\")\n {\n std::string title(roottitle);\n\n TiXmlElement *pRef = pElement->FirstChildElement(\"ref\");\n TiXmlElement *pTitle = pElement->FirstChildElement(\"title\");\n\n if(pTitle && !pTitle->NoChildren())\n title = pTitle->FirstChild()->ValueStr();\n\n while (pRef)\n { // multiple references may appear for one entry\n // duration may exist on this level too\n value = XMLUtils::GetAttribute(pRef, \"href\");\n if (!value.empty())\n {\n if(title.empty())\n 
title = value;\n\n CLog::Log(LOGINFO, \"Adding element {}, {}\", title, value);\n CFileItemPtr newItem(new CFileItem(title));\n newItem->SetPath(value);\n Add(newItem);\n }\n pRef = pRef->NextSiblingElement(\"ref\");\n }\n }\n else if (value == \"entryref\")\n {\n value = XMLUtils::GetAttribute(pElement, \"href\");\n if (!value.empty())\n { // found an entryref, let's try loading that url\n std::unique_ptr playlist(CPlayListFactory::Create(value));\n if (nullptr != playlist)\n if (playlist->Load(value))\n Add(*playlist);\n }\n }\n pElement = pElement->NextSiblingElement();\n }\n }\n\n return true;\n}", "project": "xbmc", "hash": 328153551345565129880768466980342348853, "size": 110, "commit_id": "80c8138c09598e88b4ddb6dbb279fa193bbb3237", "message": "[Playlist] dont use istream directly to a tinyxml structure\n\nTurn istream into a std::string to handle large buffers (#20305)", "target": 1, "dataset": "other", "idx": 195020 }, { "func": "bool CPlayListRAM::LoadData(std::istream& stream)\n{\n CLog::Log(LOGINFO, \"Parsing RAM\");\n\n std::string strMMS;\n while( stream.peek() != '\\n' && stream.peek() != '\\r' )\n strMMS += stream.get();\n\n CLog::Log(LOGINFO, \"Adding element {}\", strMMS);\n CFileItemPtr newItem(new CFileItem(strMMS));\n newItem->SetPath(strMMS);\n Add(newItem);\n return true;\n}", "project": "xbmc", "hash": 191700743446133038381717048933511949191, "size": 14, "commit_id": "80c8138c09598e88b4ddb6dbb279fa193bbb3237", "message": "[Playlist] dont use istream directly to a tinyxml structure\n\nTurn istream into a std::string to handle large buffers (#20305)", "target": 0, "dataset": "other", "idx": 219933 }, { "func": "bool CPlayListASX::LoadData(std::istream& stream)\n{\n CLog::Log(LOGINFO, \"Parsing ASX\");\n\n if(stream.peek() == '[')\n {\n return LoadAsxIniInfo(stream);\n }\n else\n {\n std::string asxstream(std::istreambuf_iterator(stream), {});\n CXBMCTinyXML xmlDoc;\n xmlDoc.Parse(asxstream, TIXML_DEFAULT_ENCODING);\n\n if (xmlDoc.Error())\n {\n 
CLog::Log(LOGERROR, \"Unable to parse ASX info Error: {}\", xmlDoc.ErrorDesc());\n return false;\n }\n\n TiXmlElement *pRootElement = xmlDoc.RootElement();\n\n if (!pRootElement)\n return false;\n\n // lowercase every element\n TiXmlNode *pNode = pRootElement;\n TiXmlNode *pChild = NULL;\n std::string value;\n value = pNode->Value();\n StringUtils::ToLower(value);\n pNode->SetValue(value);\n while(pNode)\n {\n pChild = pNode->IterateChildren(pChild);\n if(pChild)\n {\n if (pChild->Type() == TiXmlNode::TINYXML_ELEMENT)\n {\n value = pChild->Value();\n StringUtils::ToLower(value);\n pChild->SetValue(value);\n\n TiXmlAttribute* pAttr = pChild->ToElement()->FirstAttribute();\n while(pAttr)\n {\n value = pAttr->Name();\n StringUtils::ToLower(value);\n pAttr->SetName(value);\n pAttr = pAttr->Next();\n }\n }\n\n pNode = pChild;\n pChild = NULL;\n continue;\n }\n\n pChild = pNode;\n pNode = pNode->Parent();\n }\n std::string roottitle;\n TiXmlElement *pElement = pRootElement->FirstChildElement();\n while (pElement)\n {\n value = pElement->Value();\n if (value == \"title\" && !pElement->NoChildren())\n {\n roottitle = pElement->FirstChild()->ValueStr();\n }\n else if (value == \"entry\")\n {\n std::string title(roottitle);\n\n TiXmlElement *pRef = pElement->FirstChildElement(\"ref\");\n TiXmlElement *pTitle = pElement->FirstChildElement(\"title\");\n\n if(pTitle && !pTitle->NoChildren())\n title = pTitle->FirstChild()->ValueStr();\n\n while (pRef)\n { // multiple references may appear for one entry\n // duration may exist on this level too\n value = XMLUtils::GetAttribute(pRef, \"href\");\n if (!value.empty())\n {\n if(title.empty())\n title = value;\n\n CLog::Log(LOGINFO, \"Adding element {}, {}\", title, value);\n CFileItemPtr newItem(new CFileItem(title));\n newItem->SetPath(value);\n Add(newItem);\n }\n pRef = pRef->NextSiblingElement(\"ref\");\n }\n }\n else if (value == \"entryref\")\n {\n value = XMLUtils::GetAttribute(pElement, \"href\");\n if (!value.empty())\n { 
// found an entryref, let's try loading that url\n std::unique_ptr playlist(CPlayListFactory::Create(value));\n if (nullptr != playlist)\n if (playlist->Load(value))\n Add(*playlist);\n }\n }\n pElement = pElement->NextSiblingElement();\n }\n }\n\n return true;\n}", "project": "xbmc", "hash": 48091596250511939083384668842890615241, "size": 114, "commit_id": "80c8138c09598e88b4ddb6dbb279fa193bbb3237", "message": "[Playlist] dont use istream directly to a tinyxml structure\n\nTurn istream into a std::string to handle large buffers (#20305)", "target": 0, "dataset": "other", "idx": 219934 }, { "func": "static void free_partial(struct kmem_cache *s, struct kmem_cache_node *n)\n{\n\tLIST_HEAD(discard);\n\tstruct page *page, *h;\n\n\tBUG_ON(irqs_disabled());\n\tspin_lock_irq(&n->list_lock);\n\tlist_for_each_entry_safe(page, h, &n->partial, slab_list) {\n\t\tif (!page->inuse) {\n\t\t\tremove_partial(n, page);\n\t\t\tlist_add(&page->slab_list, &discard);\n\t\t} else {\n\t\t\tlist_slab_objects(s, page,\n\t\t\t\"Objects remaining in %s on __kmem_cache_shutdown()\");\n\t\t}\n\t}\n\tspin_unlock_irq(&n->list_lock);\n\n\tlist_for_each_entry_safe(page, h, &discard, slab_list)\n\t\tdiscard_slab(s, page);\n}", "project": "linux", "hash": 48097983654529409789935183758979470378, "size": 21, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280172 }, { "func": "\nstatic int __io_register_rsrc_update(struct io_ring_ctx *ctx, unsigned type,\n\t\t\t\t struct io_uring_rsrc_update2 *up,\n\t\t\t\t unsigned nr_args)\n{\n\t__u32 tmp;\n\tint err;\n\n\tif (up->resv)\n\t\treturn -EINVAL;\n\tif (check_add_overflow(up->offset, nr_args, &tmp))\n\t\treturn -EOVERFLOW;\n\terr = io_rsrc_node_switch_start(ctx);\n\tif (err)\n\t\treturn err;\n\n\tswitch (type) {\n\tcase IORING_RSRC_FILE:\n\t\treturn __io_sqe_files_update(ctx, up, nr_args);\n\tcase IORING_RSRC_BUFFER:\n\t\treturn __io_sqe_buffers_update(ctx, up, nr_args);\n\t}\n\treturn -EINVAL;", "project": "linux", "hash": 142607771810002741199954997423683373368, "size": 23, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338700 }, { "func": "int __ip_local_out(struct net *net, struct sock *sk, struct sk_buff *skb)\n{\n\tstruct iphdr *iph = ip_hdr(skb);\n\n\tiph->tot_len = htons(skb->len);\n\tip_send_check(iph);\n\n\t/* if egress device is enslaved to an L3 master device pass the\n\t * skb to its handler for processing\n\t */\n\tskb = l3mdev_ip_out(sk, skb);\n\tif (unlikely(!skb))\n\t\treturn 0;\n\n\tskb->protocol = htons(ETH_P_IP);\n\n\treturn nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_OUT,\n\t\t net, sk, skb, NULL, skb_dst(skb)->dev,\n\t\t dst_output);\n}", "project": "net", "hash": 30256930473574327173457621628848148896, "size": 20, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. 
Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 469012 }, { "func": "OPJ_BOOL opj_j2k_write_tile(opj_j2k_t * p_j2k,\n OPJ_UINT32 p_tile_index,\n OPJ_BYTE * p_data,\n OPJ_UINT32 p_data_size,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n if (! opj_j2k_pre_write_tile(p_j2k, p_tile_index, p_stream, p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Error while opj_j2k_pre_write_tile with tile index = %d\\n\", p_tile_index);\n return OPJ_FALSE;\n } else {\n OPJ_UINT32 j;\n /* Allocate data */\n for (j = 0; j < p_j2k->m_tcd->image->numcomps; ++j) {\n opj_tcd_tilecomp_t* l_tilec = p_j2k->m_tcd->tcd_image->tiles->comps + j;\n\n if (! opj_alloc_tile_component_data(l_tilec)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Error allocating tile component data.\");\n return OPJ_FALSE;\n }\n }\n\n /* now copy data into the tile component */\n if (! opj_tcd_copy_tile_data(p_j2k->m_tcd, p_data, p_data_size)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Size mismatch between tile data and sent data.\");\n return OPJ_FALSE;\n }\n if (! 
opj_j2k_post_write_tile(p_j2k, p_stream, p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Error while opj_j2k_post_write_tile with tile index = %d\\n\", p_tile_index);\n return OPJ_FALSE;\n }\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 33424509099542463918340108962782961222, "size": 38, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357440 }, { "func": "static __printf(3, 4) void slab_err(struct kmem_cache *s, struct page *page,\n\t\t\tconst char *fmt, ...)\n{\n\tva_list args;\n\tchar buf[100];\n\n\tva_start(args, fmt);\n\tvsnprintf(buf, sizeof(buf), fmt, args);\n\tva_end(args);\n\tslab_bug(s, \"%s\", buf);\n\tprint_page_info(page);\n\tdump_stack();\n}", "project": "linux", "hash": 14740750748356127721874934067797243730, "size": 13, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280071 }, { "func": "void blosc_set_delta(int dodelta) {\n\n g_delta = dodelta;\n\n /* Check whether the library should be initialized */\n if (!g_initlib) blosc_init();\n\n}", "project": "c-blosc2", "hash": 154119449601577996372401628248430010534, "size": 8, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303069 }, { "func": "void kvm_vcpu_unmap(struct kvm_vcpu *vcpu, struct kvm_host_map *map, bool dirty)\n{\n\t__kvm_unmap_gfn(kvm_vcpu_gfn_to_memslot(vcpu, map->gfn), map, NULL,\n\t\t\tdirty, false);\n}", "project": "linux", "hash": 178561469330396514679876762732250006479, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354825 }, { "func": "void kvm_vcpu_unmap(struct kvm_vcpu *vcpu, struct kvm_host_map *map, bool 
dirty)\n{\n\t__kvm_unmap_gfn(vcpu->kvm, kvm_vcpu_gfn_to_memslot(vcpu, map->gfn),\n\t\t\tmap, NULL, dirty, false);\n}", "project": "linux", "hash": 161881298831411845538482570691778438006, "size": 5, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404054 }, { "func": "extern void x11_get_display(uint16_t *port, char **target)\n{\n\tchar *display, *port_split, *port_period;\n\t*target = NULL;\n\n\tdisplay = xstrdup(getenv(\"DISPLAY\"));\n\n\tif (!display) {\n\t\terror(\"No DISPLAY variable set, cannot setup x11 forwarding.\");\n\t\texit(-1);\n\t}\n\n\tif (display[0] == ':') {\n\t\tstruct stat st;\n\t\tchar *screen_period;\n\t\t*port = 0;\n\t\tscreen_period = strchr(display, '.');\n\t\tif (screen_period)\n\t\t\t*screen_period = '\\0';\n\t\txstrfmtcat(*target, \"/tmp/.X11-unix/X%s\", display + 1);\n\t\txfree(display);\n\t\tif (stat(*target, &st) != 0) {\n\t\t\terror(\"Cannot stat() local X11 socket `%s`\", *target);\n\t\t\texit(-1);\n\t\t}\n\t\treturn;\n\t}\n\n\t/*\n\t * Parse out port number\n\t * Example: localhost/unix:89.0 or localhost/unix:89\n\t */\n\tport_split = strchr(display, ':');\n\tif (!port_split) {\n\t\terror(\"Error parsing DISPLAY environment variable. 
\"\n\t\t \"Cannot use X11 forwarding.\");\n\t\texit(-1);\n\t}\n\t*port_split = '\\0';\n\n\t/*\n\t * Handle the \"screen\" portion of the display port.\n\t * Xorg does not require a screen to be specified, defaults to 0.\n\t */\n\tport_split++;\n\tport_period = strchr(port_split, '.');\n\tif (port_period)\n\t\t*port_period = '\\0';\n\n\t*port = atoi(port_split) + X11_TCP_PORT_OFFSET;\n\t*target = display;\n}", "project": "slurm", "hash": 79778517732032633288347426298880505651, "size": 52, "commit_id": "07309deb45c33e735e191faf9dd31cca1054a15c", "message": "X11 forwarding - avoid unsafe use of magic cookie as arg to xauth command.\n\nMagic cookie can leak through /proc this way. There is a race here between\nthis usually short-lived xauth command running and an attacker scraping\nthe value from /proc. This can be exacerbated through use of\nX11Parameters=home_xauthority on a cluster with a shared home directory\nunder heavy load.\n\nCVE-2020-27746.", "target": 0, "dataset": "other", "idx": 323091 }, { "func": "static void hci_cc_read_local_amp_info(struct hci_dev *hdev,\n\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_read_local_amp_info *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->amp_status = rp->amp_status;\n\thdev->amp_total_bw = __le32_to_cpu(rp->total_bw);\n\thdev->amp_max_bw = __le32_to_cpu(rp->max_bw);\n\thdev->amp_min_latency = __le32_to_cpu(rp->min_latency);\n\thdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);\n\thdev->amp_type = rp->amp_type;\n\thdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);\n\thdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);\n\thdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);\n\thdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);\n}", "project": "linux", "hash": 89664945208604788929312178312791490601, "size": 21, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in 
hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431944 }, { "func": "inline void* StringData::payload() { return this + 1; }", "project": "hhvm", "hash": 291988370799243232929257560953731930621, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219469 }, { "func": "inline const void* StringData::payload() const { return this + 1; }", "project": "hhvm", "hash": 19282235676238362761467522860671313822, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219630 }, { "func": "static void get_rmattrs_from_headers(const req_state * const s,\n\t\t\t\t const char * const put_prefix,\n\t\t\t\t const char * const del_prefix,\n\t\t\t\t set& rmattr_names)\n{\n const size_t put_prefix_len = strlen(put_prefix);\n const size_t del_prefix_len = strlen(del_prefix);\n\n for (const auto& kv : s->info.env->get_map()) {\n size_t prefix_len = 0;\n const char * const p = kv.first.c_str();\n\n if (strncasecmp(p, del_prefix, del_prefix_len) == 0) {\n /* Explicitly requested removal. */\n prefix_len = del_prefix_len;\n } else if ((strncasecmp(p, put_prefix, put_prefix_len) == 0)\n\t && kv.second.empty()) {\n /* Removal requested by putting an empty value. 
*/\n prefix_len = put_prefix_len;\n }\n\n if (prefix_len > 0) {\n string name(RGW_ATTR_META_PREFIX);\n name.append(lowercase_dash_http_attr(p + prefix_len));\n rmattr_names.insert(name);\n }\n }\n}", "project": "ceph", "hash": 312412347556127327829668189551258658669, "size": 28, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448798 }, { "func": "static EVP_PKEY * php_openssl_evp_from_zval(\n\t\tzval * val, int public_key, char *passphrase, size_t passphrase_len,\n\t\tint makeresource, zend_resource **resourceval)\n{\n\tEVP_PKEY * key = NULL;\n\tX509 * cert = NULL;\n\tint free_cert = 0;\n\tzend_resource *cert_res = NULL;\n\tchar * filename = NULL;\n\tzval tmp;\n\n\tZVAL_NULL(&tmp);\n\n#define TMP_CLEAN \\\n\tif (Z_TYPE(tmp) == IS_STRING) {\\\n\t\tzval_dtor(&tmp); \\\n\t} \\\n\treturn NULL;\n\n\tif (resourceval) {\n\t\t*resourceval = NULL;\n\t}\n\tif (Z_TYPE_P(val) == IS_ARRAY) {\n\t\tzval * zphrase;\n\n\t\t/* get passphrase */\n\n\t\tif ((zphrase = zend_hash_index_find(Z_ARRVAL_P(val), 1)) == NULL) {\n\t\t\tphp_error_docref(NULL, E_WARNING, \"key array must be of the form array(0 => key, 1 => phrase)\");\n\t\t\treturn NULL;\n\t\t}\n\n\t\tif (Z_TYPE_P(zphrase) == IS_STRING) {\n\t\t\tpassphrase = Z_STRVAL_P(zphrase);\n\t\t\tpassphrase_len = Z_STRLEN_P(zphrase);\n\t\t} else {\n\t\t\tZVAL_COPY(&tmp, zphrase);\n\t\t\tconvert_to_string(&tmp);\n\t\t\tpassphrase = Z_STRVAL(tmp);\n\t\t\tpassphrase_len = Z_STRLEN(tmp);\n\t\t}\n\n\t\t/* now set val to be the key param and continue */\n\t\tif ((val = zend_hash_index_find(Z_ARRVAL_P(val), 0)) == NULL) {\n\t\t\tphp_error_docref(NULL, E_WARNING, \"key array must be of the form 
array(0 => key, 1 => phrase)\");\n\t\t\tTMP_CLEAN;\n\t\t}\n\t}\n\n\tif (Z_TYPE_P(val) == IS_RESOURCE) {\n\t\tvoid * what;\n\t\tzend_resource * res = Z_RES_P(val);\n\n\t\twhat = zend_fetch_resource2(res, \"OpenSSL X.509/key\", le_x509, le_key);\n\t\tif (!what) {\n\t\t\tTMP_CLEAN;\n\t\t}\n\t\tif (resourceval) {\n\t\t\t*resourceval = res;\n\t\t\tZ_ADDREF_P(val);\n\t\t}\n\t\tif (res->type == le_x509) {\n\t\t\t/* extract key from cert, depending on public_key param */\n\t\t\tcert = (X509*)what;\n\t\t\tfree_cert = 0;\n\t\t} else if (res->type == le_key) {\n\t\t\tint is_priv;\n\n\t\t\tis_priv = php_openssl_is_private_key((EVP_PKEY*)what);\n\n\t\t\t/* check whether it is actually a private key if requested */\n\t\t\tif (!public_key && !is_priv) {\n\t\t\t\tphp_error_docref(NULL, E_WARNING, \"supplied key param is a public key\");\n\t\t\t\tTMP_CLEAN;\n\t\t\t}\n\n\t\t\tif (public_key && is_priv) {\n\t\t\t\tphp_error_docref(NULL, E_WARNING, \"Don't know how to get public key from this private key\");\n\t\t\t\tTMP_CLEAN;\n\t\t\t} else {\n\t\t\t\tif (Z_TYPE(tmp) == IS_STRING) {\n\t\t\t\t\tzval_dtor(&tmp);\n\t\t\t\t}\n\t\t\t\t/* got the key - return it */\n\t\t\t\treturn (EVP_PKEY*)what;\n\t\t\t}\n\t\t} else {\n\t\t\t/* other types could be used here - eg: file pointers and read in the data from them */\n\t\t\tTMP_CLEAN;\n\t\t}\n\t} else {\n\t\t/* force it to be a string and check if it refers to a file */\n\t\t/* passing non string values leaks, object uses toString, it returns NULL\n\t\t * See bug38255.phpt\n\t\t */\n\t\tif (!(Z_TYPE_P(val) == IS_STRING || Z_TYPE_P(val) == IS_OBJECT)) {\n\t\t\tTMP_CLEAN;\n\t\t}\n\t\tconvert_to_string_ex(val);\n\n\t\tif (Z_STRLEN_P(val) > 7 && memcmp(Z_STRVAL_P(val), \"file://\", sizeof(\"file://\") - 1) == 0) {\n\t\t\tfilename = Z_STRVAL_P(val) + (sizeof(\"file://\") - 1);\n\t\t\tif (php_openssl_open_base_dir_chk(filename)) {\n\t\t\t\tTMP_CLEAN;\n\t\t\t}\n\t\t}\n\t\t/* it's an X509 file/cert of some kind, and we need to extract the data from 
that */\n\t\tif (public_key) {\n\t\t\tcert = php_openssl_x509_from_zval(val, 0, &cert_res);\n\t\t\tfree_cert = (cert_res == NULL);\n\t\t\t/* actual extraction done later */\n\t\t\tif (!cert) {\n\t\t\t\t/* not a X509 certificate, try to retrieve public key */\n\t\t\t\tBIO* in;\n\t\t\t\tif (filename) {\n\t\t\t\t\tin = BIO_new_file(filename, PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));\n\t\t\t\t} else {\n\t\t\t\t\tin = BIO_new_mem_buf(Z_STRVAL_P(val), (int)Z_STRLEN_P(val));\n\t\t\t\t}\n\t\t\t\tif (in == NULL) {\n\t\t\t\t\tphp_openssl_store_errors();\n\t\t\t\t\tTMP_CLEAN;\n\t\t\t\t}\n\t\t\t\tkey = PEM_read_bio_PUBKEY(in, NULL,NULL, NULL);\n\t\t\t\tBIO_free(in);\n\t\t\t}\n\t\t} else {\n\t\t\t/* we want the private key */\n\t\t\tBIO *in;\n\n\t\t\tif (filename) {\n\t\t\t\tin = BIO_new_file(filename, PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));\n\t\t\t} else {\n\t\t\t\tin = BIO_new_mem_buf(Z_STRVAL_P(val), (int)Z_STRLEN_P(val));\n\t\t\t}\n\n\t\t\tif (in == NULL) {\n\t\t\t\tTMP_CLEAN;\n\t\t\t}\n\t\t\tif (passphrase == NULL) {\n\t\t\t\tkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);\n\t\t\t} else {\n\t\t\t\tstruct php_openssl_pem_password password;\n\t\t\t\tpassword.key = passphrase;\n\t\t\t\tpassword.len = passphrase_len;\n\t\t\t\tkey = PEM_read_bio_PrivateKey(in, NULL, php_openssl_pem_password_cb, &password);\n\t\t\t}\n\t\t\tBIO_free(in);\n\t\t}\n\t}\n\n\tif (key == NULL) {\n\t\tphp_openssl_store_errors();\n\n\t\tif (public_key && cert) {\n\t\t\t/* extract public key from X509 cert */\n\t\t\tkey = (EVP_PKEY *) X509_get_pubkey(cert);\n\t\t\tif (key == NULL) {\n\t\t\t\tphp_openssl_store_errors();\n\t\t\t}\n\t\t}\n\t}\n\n\tif (free_cert && cert) {\n\t\tX509_free(cert);\n\t}\n\tif (key && makeresource && resourceval) {\n\t\t*resourceval = zend_register_resource(key, le_key);\n\t}\n\tif (Z_TYPE(tmp) == IS_STRING) {\n\t\tzval_dtor(&tmp);\n\t}\n\treturn key;\n}", "project": "php-src", "hash": 284047308518175405451010568432467582367, "size": 174, "commit_id": 
"0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291376 }, { "func": "static void fuse_send_readpages(struct fuse_io_args *ia, struct file *file)\n{\n\tstruct fuse_file *ff = file->private_data;\n\tstruct fuse_mount *fm = ff->fm;\n\tstruct fuse_args_pages *ap = &ia->ap;\n\tloff_t pos = page_offset(ap->pages[0]);\n\tsize_t count = ap->num_pages << PAGE_SHIFT;\n\tssize_t res;\n\tint err;\n\n\tap->args.out_pages = true;\n\tap->args.page_zeroing = true;\n\tap->args.page_replace = true;\n\n\t/* Don't overflow end offset */\n\tif (pos + (count - 1) == LLONG_MAX) {\n\t\tcount--;\n\t\tap->descs[ap->num_pages - 1].length--;\n\t}\n\tWARN_ON((loff_t) (pos + count) < 0);\n\n\tfuse_read_args_fill(ia, file, pos, count, FUSE_READ);\n\tia->read.attr_ver = fuse_get_attr_version(fm->fc);\n\tif (fm->fc->async_read) {\n\t\tia->ff = fuse_file_get(ff);\n\t\tap->args.end = fuse_readpages_end;\n\t\terr = fuse_simple_background(fm, &ap->args, GFP_KERNEL);\n\t\tif (!err)\n\t\t\treturn;\n\t} else {\n\t\tres = fuse_simple_request(fm, &ap->args);\n\t\terr = res < 0 ? res : 0;\n\t}\n\tfuse_readpages_end(fm, &ap->args, err);\n}", "project": "linux", "hash": 193642258636002646489411033703522462377, "size": 35, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342000 }, { "func": "static long fuse_dir_ioctl(struct file *file, unsigned int cmd,\n\t\t\t unsigned long arg)\n{\n\tstruct fuse_conn *fc = get_fuse_conn(file->f_mapping->host);\n\n\t/* FUSE_IOCTL_DIR only supported for API version >= 7.18 */\n\tif (fc->minor < 18)\n\t\treturn -ENOTTY;\n\n\treturn fuse_ioctl_common(file, cmd, arg, FUSE_IOCTL_DIR);\n}", "project": "linux", "hash": 121253100841537323749059262300343803985, "size": 11, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342030 }, { "func": "static char *php_strdup_impl(const char* s\n#ifdef IM_MEMORY_CHECK\n, int ln\n#endif\n ) {\n#ifdef IM_MEMORY_CHECK\n return php_strndup_impl(s, strlen(s), ln);\n#else\n return php_strndup_impl(s, strlen(s));\n#endif\n}", "project": "hhvm", "hash": 191408359473028877413222539669833199878, "size": 11, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219569 }, { "func": "static int emulate_on_interception(struct vcpu_svm *svm)\n{\n\treturn kvm_emulate_instruction(&svm->vcpu, 0);\n}", "project": "linux", "hash": 272321202317136715350618395969377657591, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432632 }, { "func": "static int emulate_on_interception(struct vcpu_svm *svm)\n{\n\treturn emulate_instruction(&svm->vcpu, 0) == EMULATE_DONE;\n}", "project": "kvm", "hash": 28811310339239127373826371418769339057, "size": 4, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. 
The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437670 }, { "func": " virtual void under_not(Item_func_not * upper\n __attribute__((unused))) {};", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 17916602354656975158484048966145670031, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509112 }, { "func": "static void process_respfile(FILE * rfile, int pass)\n{\n char *buffer, *p, *q, *prevarg;\n int bufsize, prevargsize;\n\n bufsize = prevargsize = ARG_BUF_DELTA;\n buffer = nasm_malloc(ARG_BUF_DELTA);\n prevarg = nasm_malloc(ARG_BUF_DELTA);\n prevarg[0] = '\\0';\n\n while (1) { /* Loop to handle all lines in file */\n p = buffer;\n while (1) { /* Loop to handle long lines */\n q = fgets(p, bufsize - (p - buffer), rfile);\n if (!q)\n break;\n p += strlen(p);\n if (p > buffer && p[-1] == '\\n')\n break;\n if (p - buffer > bufsize - 10) {\n int offset;\n offset = p - buffer;\n bufsize += ARG_BUF_DELTA;\n buffer = nasm_realloc(buffer, bufsize);\n p = buffer + offset;\n }\n }\n\n if (!q && p == buffer) {\n if (prevarg[0])\n process_arg(prevarg, NULL, pass);\n nasm_free(buffer);\n nasm_free(prevarg);\n return;\n }\n\n /*\n * Play safe: remove CRs, LFs and any spurious ^Zs, if any of\n * them are present at the end of the line.\n */\n *(p = &buffer[strcspn(buffer, \"\\r\\n\\032\")]) = '\\0';\n\n while (p > buffer && nasm_isspace(p[-1]))\n *--p = '\\0';\n\n p = nasm_skip_spaces(buffer);\n\n if (process_arg(prevarg, p, pass))\n *p = '\\0';\n\n if ((int) strlen(p) > prevargsize - 10) {\n prevargsize += ARG_BUF_DELTA;\n prevarg = nasm_realloc(prevarg, prevargsize);\n }\n strncpy(prevarg, p, prevargsize);\n }\n}", "project": "nasm", "hash": 34355554013853182520927524005186518523, "size": 57, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257469 }, { "func": "static void io_req_complete_state(struct io_kiocb *req, long 
res,\n\t\t\t\t unsigned int cflags)\n{\n\tif (io_req_needs_clean(req))\n\t\tio_clean_op(req);\n\treq->result = res;\n\treq->compl.cflags = cflags;\n\treq->flags |= REQ_F_COMPLETE_INLINE;\n}", "project": "linux", "hash": 66466356372845672200062611086837826782, "size": 9, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338627 }, { "func": "DLLEXPORT int DLLCALL tjCompress2(tjhandle handle, const unsigned char *srcBuf,\n\tint width, int pitch, int height, int pixelFormat, unsigned char **jpegBuf,\n\tunsigned long *jpegSize, int jpegSubsamp, int jpegQual, int flags)\n{\n\tint i, retval=0, alloc=1; JSAMPROW *row_pointer=NULL;\n\t#ifndef JCS_EXTENSIONS\n\tunsigned char *rgbBuf=NULL;\n\t#endif\n\n\tgetcinstance(handle)\n\tif((this->init&COMPRESS)==0)\n\t\t_throw(\"tjCompress2(): Instance has not been initialized for compression\");\n\n\tif(srcBuf==NULL || width<=0 || pitch<0 || height<=0 || pixelFormat<0\n\t\t|| pixelFormat>=TJ_NUMPF || jpegBuf==NULL || jpegSize==NULL\n\t\t|| jpegSubsamp<0 || jpegSubsamp>=NUMSUBOPT || jpegQual<0 || jpegQual>100)\n\t\t_throw(\"tjCompress2(): Invalid argument\");\n\n\tif(pitch==0) pitch=width*tjPixelSize[pixelFormat];\n\n\t#ifndef JCS_EXTENSIONS\n\tif(pixelFormat!=TJPF_GRAY && 
pixelFormat!=TJPF_CMYK)\n\t{\n\t\trgbBuf=(unsigned char *)malloc(width*height*RGB_PIXELSIZE);\n\t\tif(!rgbBuf) _throw(\"tjCompress2(): Memory allocation failure\");\n\t\tsrcBuf=toRGB(srcBuf, width, pitch, height, pixelFormat, rgbBuf);\n\t\tpitch=width*RGB_PIXELSIZE;\n\t}\n\t#endif\n\n\tif((row_pointer=(JSAMPROW *)malloc(sizeof(JSAMPROW)*height))==NULL)\n\t\t_throw(\"tjCompress2(): Memory allocation failure\");\n\n\tif(setjmp(this->jerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. */\n\t\tretval=-1; goto bailout;\n\t}\n\n\tcinfo->image_width=width;\n\tcinfo->image_height=height;\n\n#ifndef NO_PUTENV\n\tif(flags&TJFLAG_FORCEMMX) putenv(\"JSIMD_FORCEMMX=1\");\n\telse if(flags&TJFLAG_FORCESSE) putenv(\"JSIMD_FORCESSE=1\");\n\telse if(flags&TJFLAG_FORCESSE2) putenv(\"JSIMD_FORCESSE2=1\");\n#endif\n\n\tif(flags&TJFLAG_NOREALLOC)\n\t{\n\t\talloc=0; *jpegSize=tjBufSize(width, height, jpegSubsamp);\n\t}\n\tjpeg_mem_dest_tj(cinfo, jpegBuf, jpegSize, alloc);\n\tif(setCompDefaults(cinfo, pixelFormat, jpegSubsamp, jpegQual, flags)==-1)\n\t\treturn -1;\n\n\tjpeg_start_compress(cinfo, TRUE);\n\tfor(i=0; inext_scanlineimage_height)\n\t{\n\t\tjpeg_write_scanlines(cinfo, &row_pointer[cinfo->next_scanline],\n\t\t\tcinfo->image_height-cinfo->next_scanline);\n\t}\n\tjpeg_finish_compress(cinfo);\n\n\tbailout:\n\tif(cinfo->global_state>CSTATE_START) jpeg_abort_compress(cinfo);\n\t#ifndef JCS_EXTENSIONS\n\tif(rgbBuf) free(rgbBuf);\n\t#endif\n\tif(row_pointer) free(row_pointer);\n\tif(this->jerr.warning) retval=-1;\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 286927478016875013470278919559303253978, "size": 79, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... 
when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311125 }, { "func": "static int intel_init_workaround_bb(struct intel_engine_cs *engine)\n{\n\tstruct i915_ctx_workarounds *wa_ctx = &engine->wa_ctx;\n\tstruct i915_wa_ctx_bb *wa_bb[2] = { &wa_ctx->indirect_ctx,\n\t\t\t\t\t &wa_ctx->per_ctx };\n\twa_bb_func_t wa_bb_fn[2];\n\tstruct page *page;\n\tvoid *batch, *batch_ptr;\n\tunsigned int i;\n\tint ret;\n\n\tif (engine->class != RENDER_CLASS)\n\t\treturn 0;\n\n\tswitch (INTEL_GEN(engine->i915)) {\n\tcase 12:\n\tcase 11:\n\t\treturn 0;\n\tcase 10:\n\t\twa_bb_fn[0] = gen10_init_indirectctx_bb;\n\t\twa_bb_fn[1] = NULL;\n\t\tbreak;\n\tcase 9:\n\t\twa_bb_fn[0] = gen9_init_indirectctx_bb;\n\t\twa_bb_fn[1] = NULL;\n\t\tbreak;\n\tcase 8:\n\t\twa_bb_fn[0] = gen8_init_indirectctx_bb;\n\t\twa_bb_fn[1] = NULL;\n\t\tbreak;\n\tdefault:\n\t\tMISSING_CASE(INTEL_GEN(engine->i915));\n\t\treturn 0;\n\t}\n\n\tret = lrc_setup_wa_ctx(engine);\n\tif (ret) {\n\t\tDRM_DEBUG_DRIVER(\"Failed to setup context WA page: %d\\n\", ret);\n\t\treturn ret;\n\t}\n\n\tpage = i915_gem_object_get_dirty_page(wa_ctx->vma->obj, 0);\n\tbatch = batch_ptr = kmap_atomic(page);\n\n\t/*\n\t * Emit the two workaround batch buffers, recording the offset from the\n\t * start of the workaround batch buffer object for each and their\n\t * respective sizes.\n\t */\n\tfor (i = 0; i < ARRAY_SIZE(wa_bb_fn); i++) {\n\t\twa_bb[i]->offset = batch_ptr - batch;\n\t\tif (GEM_DEBUG_WARN_ON(!IS_ALIGNED(wa_bb[i]->offset,\n\t\t\t\t\t\t CACHELINE_BYTES))) {\n\t\t\tret = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\t\tif (wa_bb_fn[i])\n\t\t\tbatch_ptr = wa_bb_fn[i](engine, batch_ptr);\n\t\twa_bb[i]->size = batch_ptr - (batch + wa_bb[i]->offset);\n\t}\n\n\tBUG_ON(batch_ptr - batch > CTX_WA_BB_OBJ_SIZE);\n\n\tkunmap_atomic(batch);\n\tif (ret)\n\t\tlrc_destroy_wa_ctx(engine);\n\n\treturn ret;\n}", "project": "linux", "hash": 217330976511866416721296625540295188381, 
"size": 69, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281557 }, { "func": "static COND* substitute_for_best_equal_field(THD *thd, JOIN_TAB *context_tab,\n COND *cond,\n COND_EQUAL *cond_equal,\n void *table_join_idx)\n{\n Item_equal *item_equal;\n COND *org_cond= cond; // Return this in case of fatal error\n\n if (cond->type() == Item::COND_ITEM)\n {\n List *cond_list= ((Item_cond*) cond)->argument_list();\n\n bool and_level= ((Item_cond*) cond)->functype() ==\n Item_func::COND_AND_FUNC;\n if (and_level)\n {\n cond_equal= &((Item_cond_and *) cond)->m_cond_equal;\n cond_list->disjoin((List *) &cond_equal->current_level);/* remove Item_equal objects from the AND. 
*/\n\n List_iterator_fast it(cond_equal->current_level); \n while ((item_equal= it++))\n {\n item_equal->sort(&compare_fields_by_table_order, table_join_idx);\n }\n }\n \n List_iterator li(*cond_list);\n Item *item;\n while ((item= li++))\n {\n Item *new_item= substitute_for_best_equal_field(thd, context_tab,\n item, cond_equal,\n table_join_idx);\n /*\n This works OK with PS/SP re-execution as changes are made to\n the arguments of AND/OR items only\n */\n if (new_item && new_item != item)\n li.replace(new_item);\n }\n\n if (and_level)\n {\n COND *eq_cond= 0;\n List_iterator_fast it(cond_equal->current_level);\n bool false_eq_cond= FALSE;\n while ((item_equal= it++))\n {\n eq_cond= eliminate_item_equal(thd, eq_cond, cond_equal->upper_levels,\n item_equal);\n if (!eq_cond)\n\t{\n eq_cond= 0;\n break;\n }\n else if (eq_cond->type() == Item::INT_ITEM && !eq_cond->val_bool()) \n\t{\n /*\n This occurs when eliminate_item_equal() founds that cond is\n always false and substitutes it with Item_int 0.\n Due to this, value of item_equal will be 0, so just return it.\n\t */\n cond= eq_cond;\n false_eq_cond= TRUE;\n break;\n }\n }\n if (eq_cond && !false_eq_cond)\n {\n /* Insert the generated equalities before all other conditions */\n if (eq_cond->type() == Item::COND_ITEM)\n ((Item_cond *) cond)->add_at_head(\n ((Item_cond *) eq_cond)->argument_list());\n else\n\t{\n if (cond_list->is_empty())\n cond= eq_cond;\n else\n\t {\n /* Do not add an equality condition if it's always true */ \n if (eq_cond->type() != Item::INT_ITEM &&\n cond_list->push_front(eq_cond, thd->mem_root))\n eq_cond= 0;\n }\n\t}\n }\n if (!eq_cond)\n {\n /* \n We are out of memory doing the transformation.\n This is a fatal error now. However we bail out by returning the\n original condition that we had before we started the transformation. 
\n\t*/\n\tcond_list->append((List *) &cond_equal->current_level);\n }\n }\t \n }\n else if (cond->type() == Item::FUNC_ITEM && \n ((Item_func*) cond)->functype() == Item_func::MULT_EQUAL_FUNC)\n {\n item_equal= (Item_equal *) cond;\n item_equal->sort(&compare_fields_by_table_order, table_join_idx);\n cond_equal= item_equal->upper_levels;\n if (cond_equal && cond_equal->current_level.head() == item_equal)\n cond_equal= cond_equal->upper_levels;\n cond= eliminate_item_equal(thd, 0, cond_equal, item_equal);\n return cond ? cond : org_cond;\n }\n else \n {\n while (cond_equal)\n {\n List_iterator_fast it(cond_equal->current_level);\n while((item_equal= it++))\n {\n REPLACE_EQUAL_FIELD_ARG arg= {item_equal, context_tab};\n if (!(cond= cond->transform(thd, &Item::replace_equal_field,\n (uchar *) &arg)))\n return 0;\n }\n cond_equal= cond_equal->upper_levels;\n }\n }\n return cond;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 303955290074038624876273073128648303556, "size": 125, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508425 }, { "func": "void CClient::AddBuffer(const T& Message) {\n const CString sTarget = Message.GetTarget();\n\n T Format;\n Format.Clone(Message);\n Format.SetNick(CNick(_NAMEDFMT(GetNickMask())));\n Format.SetTarget(_NAMEDFMT(sTarget));\n Format.SetText(\"{text}\");\n\n CChan* pChan = m_pNetwork->FindChan(sTarget);\n if (pChan) {\n if (!pChan->AutoClearChanBuffer() || !m_pNetwork->IsUserOnline()) {\n pChan->AddBuffer(Format, Message.GetText());\n }\n } else if (Message.GetType() != CMessage::Type::Notice) {\n if (!m_pUser->AutoClearQueryBuffer() || !m_pNetwork->IsUserOnline()) {\n CQuery* pQuery = m_pNetwork->AddQuery(sTarget);\n if (pQuery) {\n pQuery->AddBuffer(Format, Message.GetText());\n }\n }\n }\n}", "project": "znc", "hash": 325743341680083400123826055894467521922, "size": 23, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231573 }, { "func": "static void tipc_node_read_lock(struct tipc_node *n)\n{\n\tread_lock_bh(&n->lock);\n}", "project": "linux", "hash": 27585220138286385421791920839534031796, "size": 4, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google 
Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 
RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364937 }, { "func": "static void nfs4_xdr_enc_open(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t const void *data)\n{\n\tconst struct nfs_openargs *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_open(xdr, args, &hdr);\n\tencode_getfh(xdr, &hdr);\n\tif (args->access)\n\t\tencode_access(xdr, args->access, &hdr);\n\tencode_getfattr_open(xdr, args->bitmask, args->open_bitmap, &hdr);\n\tif (args->lg_args) {\n\t\tencode_layoutget(xdr, args->lg_args, &hdr);\n\t\trpc_prepare_reply_pages(req, args->lg_args->layout.pages, 0,\n\t\t\t\t\targs->lg_args->layout.pglen,\n\t\t\t\t\thdr.replen);\n\t}\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 54835633142098830309001303684916833544, "size": 24, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431591 }, { "func": "static void fuse_readdir_cache_end(struct file *file, loff_t pos)\n{\n\tstruct fuse_inode *fi = get_fuse_inode(file_inode(file));\n\tloff_t end;\n\n\tspin_lock(&fi->rdc.lock);\n\t/* does cache end position match current position? 
*/\n\tif (fi->rdc.pos != pos) {\n\t\tspin_unlock(&fi->rdc.lock);\n\t\treturn;\n\t}\n\n\tfi->rdc.cached = true;\n\tend = ALIGN(fi->rdc.size, PAGE_SIZE);\n\tspin_unlock(&fi->rdc.lock);\n\n\t/* truncate unused tail of cache */\n\ttruncate_inode_pages(file->f_mapping, end);\n}", "project": "linux", "hash": 140536965325488594512957553990683203862, "size": 19, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342121 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " FFmpegVideoDecoderTest()\n : decryptor_(new AesDecryptor(&decryptor_client_)),\n decoder_(new FFmpegVideoDecoder(base::Bind(&Identity,\n &message_loop_))),\n demuxer_(new StrictMock()),\n read_cb_(base::Bind(&FFmpegVideoDecoderTest::FrameReady,\n base::Unretained(this))) {\n CHECK(FFmpegGlue::GetInstance());\n\n decoder_->set_decryptor(decryptor_.get());\n\n frame_buffer_.reset(new uint8[kCodedSize.GetArea()]);\n end_of_stream_buffer_ = DecoderBuffer::CreateEOSBuffer();\n i_frame_buffer_ = ReadTestDataFile(\"vp8-I-frame-320x240\");\n corrupt_i_frame_buffer_ = ReadTestDataFile(\"vp8-corrupt-I-frame\");\n encrypted_i_frame_buffer_ = ReadTestDataFile(\n \"vp8-encrypted-I-frame-320x240\");\n\n config_.Initialize(kCodecVP8, VIDEO_CODEC_PROFILE_UNKNOWN,\n kVideoFormat, kCodedSize, kVisibleRect,\n kFrameRate.num, kFrameRate.den,\n kAspectRatio.num, kAspectRatio.den,\n NULL, 0, true);\n }\n", "cwe": "", "big_vul_idx": 113340, "idx": 101632, "hash": 87615632584828447881831462088817955478 }, { "func": "static int __init futex_init(void)\n{\n\tu32 curval;\n\tint i;\n\n\t/*\n\t * This will fail and we want it. Some arch implementations do\n\t * runtime detection of the futex_atomic_cmpxchg_inatomic()\n\t * functionality. We want to know that before we call in any\n\t * of the complex code paths. Also we want to prevent\n\t * registration of robust lists in that case. 
NULL is\n\t * guaranteed to fault and we get -EFAULT on functional\n\t * implementation, the non functional ones will return\n\t * -ENOSYS.\n\t */\n\tcurval = cmpxchg_futex_value_locked(NULL, 0, 0);\n\tif (curval == -EFAULT)\n\t\tfutex_cmpxchg_enabled = 1;\n\n\tfor (i = 0; i < ARRAY_SIZE(futex_queues); i++) {\n\t\tplist_head_init(&futex_queues[i].chain, &futex_queues[i].lock);\n\t\tspin_lock_init(&futex_queues[i].lock);\n\t}\n\n\treturn 0;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 259473844992887084758190432245990354859, "size": 26, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492309 }, { "func": "int TrustedPrimitives::CreateThread() {\n MessageWriter input;\n MessageReader output;\n PrimitiveStatus status =\n UntrustedCall(kSelectorCreateThread, &input, &output);\n if (!status.ok()) {\n DebugPuts(\"CreateThread failed.\");\n return -1;\n }\n if (output.size() != 1) {\n TrustedPrimitives::BestEffortAbort(\n \"CreateThread error: unexpected output size received.\");\n }\n return output.next();\n}", "project": "asylo", "hash": 239494249183797147264330296542332446258, "size": 15, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232056 }, { "func": "int nested_svm_check_permissions(struct vcpu_svm *svm)\n{\n\tif (!(svm->vcpu.arch.efer & EFER_SVME) ||\n\t !is_paging(&svm->vcpu)) {\n\t\tkvm_queue_exception(&svm->vcpu, UD_VECTOR);\n\t\treturn 1;\n\t}\n\n\tif (svm->vmcb->save.cpl) {\n\t\tkvm_inject_gp(&svm->vcpu, 0);\n\t\treturn 1;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 67566461292093484729548732145316944712, "size": 15, "commit_id": 
"a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376648 }, { "func": "static int nested_svm_check_permissions(struct vcpu_svm *svm)\n{\n\tif (!(svm->vcpu.arch.efer & EFER_SVME) ||\n\t !is_paging(&svm->vcpu)) {\n\t\tkvm_queue_exception(&svm->vcpu, UD_VECTOR);\n\t\treturn 1;\n\t}\n\n\tif (svm->vmcb->save.cpl) {\n\t\tkvm_inject_gp(&svm->vcpu, 0);\n\t\treturn 1;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 280070526025400369038700341611301008773, "size": 15, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432464 }, { "func": "static int nested_svm_check_permissions(struct vcpu_svm *svm)\n{\n\tif (!(svm->vcpu.arch.efer & EFER_SVME)\n\t || !is_paging(&svm->vcpu)) {\n\t\tkvm_queue_exception(&svm->vcpu, UD_VECTOR);\n\t\treturn 1;\n\t}\n\n\tif (svm->vmcb->save.cpl) {\n\t\tkvm_inject_gp(&svm->vcpu, 0);\n\t\treturn 1;\n\t}\n\n return 0;\n}", "project": "kvm", "hash": 206056860988833472591056534735398808571, "size": 15, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437641 }, { "func": "static int nfs41_check_expired_locks(struct nfs4_state *state)\n{\n\tint status, ret = NFS_OK;\n\tstruct nfs4_lock_state *lsp, *prev = NULL;\n\tstruct nfs_server *server = NFS_SERVER(state->inode);\n\n\tif (!test_bit(LK_STATE_IN_USE, &state->flags))\n\t\tgoto out;\n\n\tspin_lock(&state->state_lock);\n\tlist_for_each_entry(lsp, &state->lock_states, ls_locks) {\n\t\tif (test_bit(NFS_LOCK_INITIALIZED, &lsp->ls_flags)) {\n\t\t\tconst struct cred *cred = lsp->ls_state->owner->so_cred;\n\n\t\t\trefcount_inc(&lsp->ls_count);\n\t\t\tspin_unlock(&state->state_lock);\n\n\t\t\tnfs4_put_lock_state(prev);\n\t\t\tprev = lsp;\n\n\t\t\tstatus = nfs41_test_and_free_expired_stateid(server,\n\t\t\t\t\t&lsp->ls_stateid,\n\t\t\t\t\tcred);\n\t\t\ttrace_nfs4_test_lock_stateid(state, lsp, status);\n\t\t\tif (status == -NFS4ERR_EXPIRED ||\n\t\t\t status == -NFS4ERR_BAD_STATEID) {\n\t\t\t\tclear_bit(NFS_LOCK_INITIALIZED, &lsp->ls_flags);\n\t\t\t\tlsp->ls_stateid.type = NFS4_INVALID_STATEID_TYPE;\n\t\t\t\tif (!recover_lost_locks)\n\t\t\t\t\tset_bit(NFS_LOCK_LOST, &lsp->ls_flags);\n\t\t\t} else if (status != NFS_OK) {\n\t\t\t\tret = status;\n\t\t\t\tnfs4_put_lock_state(prev);\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tspin_lock(&state->state_lock);\n\t\t}\n\t}\n\tspin_unlock(&state->state_lock);\n\tnfs4_put_lock_state(prev);\nout:\n\treturn ret;\n}", "project": "linux", "hash": 277902978732872793075799527258020424497, "size": 43, "commit_id": 
"b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431265 }, { "func": "static bool io_run_task_work_head(struct callback_head **work_head)\n{\n\tstruct callback_head *work, *next;\n\tbool executed = false;\n\n\tdo {\n\t\twork = xchg(work_head, NULL);\n\t\tif (!work)\n\t\t\tbreak;\n\n\t\tdo {\n\t\t\tnext = work->next;\n\t\t\twork->func(work);\n\t\t\twork = next;\n\t\t\tcond_resched();\n\t\t} while (work);\n\t\texecuted = true;\n\t} while (1);\n\n\treturn executed;\n}", "project": "linux", "hash": 318848890499031487135163795588625310070, "size": 21, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338720 }, { "func": "static inline int tcp_sequence(const struct tcp_sock *tp, u32 seq, u32 end_seq)\n{\n\treturn\t!before(end_seq, tp->rcv_wup) &&\n\t\t!after(seq, tp->rcv_nxt + tcp_receive_window(tp));\n}", "project": "net-next", "hash": 50902680853100335089233132665949117854, "size": 5, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409907 }, { "func": " void sample_check() {\n if (m_stack) {\n // While loop is to handle a single function taking a long time\n // and passing several sampling intervals\n while ((cpuCycles() - m_last_sample_tsc) > m_sampling_interval_tsc) {\n m_last_sample_tsc += m_sampling_interval_tsc;\n // HAS TO BE UPDATED BEFORE calling sample_stack\n incr_us_interval(&m_last_sample_time, SAMPLING_INTERVAL);\n sample_stack();\n }\n }\n }", "project": "hhvm", "hash": 158863017646584151771972094815335051096, "size": 12, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219105 }, { "func": "void cdev_del(struct cdev *p)\n{\n\tcdev_unmap(p->dev, p->count);\n\tkobject_put(&p->kobj);\n}", "project": "linux", "hash": 134245302481033889834835324404659110779, "size": 5, "commit_id": "68faa679b8be1a74e6663c21c3a9d25d32f1c079", "message": "chardev: Avoid potential use-after-free in 'chrdev_open()'\n\n'chrdev_open()' calls 'cdev_get()' to obtain a reference to the\n'struct cdev *' stashed in the 'i_cdev' field of the target inode\nstructure. If the pointer is NULL, then it is initialised lazily by\nlooking up the kobject in the 'cdev_map' and so the whole procedure is\nprotected by the 'cdev_lock' spinlock to serialise initialisation of\nthe shared pointer.\n\nUnfortunately, it is possible for the initialising thread to fail *after*\ninstalling the new pointer, for example if the subsequent '->open()' call\non the file fails. In this case, 'cdev_put()' is called, the reference\ncount on the kobject is dropped and, if nobody else has taken a reference,\nthe release function is called which finally clears 'inode->i_cdev' from\n'cdev_purge()' before potentially freeing the object. 
The problem here\nis that a racing thread can happily take the 'cdev_lock' and see the\nnon-NULL pointer in the inode, which can result in a refcount increment\nfrom zero and a warning:\n\n | ------------[ cut here ]------------\n | refcount_t: addition on 0; use-after-free.\n | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0\n | Modules linked in:\n | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\n | RIP: 0010:refcount_warn_saturate+0x6d/0xf0\n | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08\n | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282\n | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000\n | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798\n | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039\n | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700\n | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700\n | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0\n | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n | Call Trace:\n | kobject_get+0x5c/0x60\n | cdev_get+0x2b/0x60\n | chrdev_open+0x55/0x220\n | ? cdev_put.part.3+0x20/0x20\n | do_dentry_open+0x13a/0x390\n | path_openat+0x2c8/0x1470\n | do_filp_open+0x93/0x100\n | ? 
selinux_file_ioctl+0x17f/0x220\n | do_sys_open+0x186/0x220\n | do_syscall_64+0x48/0x150\n | entry_SYSCALL_64_after_hwframe+0x44/0xa9\n | RIP: 0033:0x7f3b87efcd0e\n | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4\n | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101\n | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e\n | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c\n | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000\n | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e\n | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000\n | ---[ end trace 24f53ca58db8180a ]---\n\nSince 'cdev_get()' can already fail to obtain a reference, simply move\nit over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',\nwhich will cause the racing thread to return -ENXIO if the initialising\nthread fails unexpectedly.\n\nCc: Hillf Danton \nCc: Andrew Morton \nCc: Al Viro \nReported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com\nSigned-off-by: Will Deacon \nCc: stable \nLink: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 446397 }, { "func": "static void autocomplete_flags(RCore *core, RLineCompletion *completion, const char* str) {\n\tr_return_if_fail (str);\n\tint n = strlen (str);\n\tr_flag_foreach_prefix (core->flags, str, n, add_argv, completion);\n}", "project": "radare2", "hash": 50104332735116863087358084664598629472, "size": 5, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232162 }, { "func": "static int ca8210_skb_rx(\n\tstruct ieee802154_hw *hw,\n\tsize_t len,\n\tu8 *data_ind\n)\n{\n\tstruct ieee802154_hdr hdr;\n\tint msdulen;\n\tint hlen;\n\tu8 mpdulinkquality = data_ind[23];\n\tstruct 
sk_buff *skb;\n\tstruct ca8210_priv *priv = hw->priv;\n\n\t/* Allocate mtu size buffer for every rx packet */\n\tskb = dev_alloc_skb(IEEE802154_MTU + sizeof(hdr));\n\tif (!skb)\n\t\treturn -ENOMEM;\n\n\tskb_reserve(skb, sizeof(hdr));\n\n\tmsdulen = data_ind[22]; /* msdu_length */\n\tif (msdulen > IEEE802154_MTU) {\n\t\tdev_err(\n\t\t\t&priv->spi->dev,\n\t\t\t\"received erroneously large msdu length!\\n\"\n\t\t);\n\t\tkfree_skb(skb);\n\t\treturn -EMSGSIZE;\n\t}\n\tdev_dbg(&priv->spi->dev, \"skb buffer length = %d\\n\", msdulen);\n\n\tif (priv->promiscuous)\n\t\tgoto copy_payload;\n\n\t/* Populate hdr */\n\thdr.sec.level = data_ind[29 + msdulen];\n\tdev_dbg(&priv->spi->dev, \"security level: %#03x\\n\", hdr.sec.level);\n\tif (hdr.sec.level > 0) {\n\t\thdr.sec.key_id_mode = data_ind[30 + msdulen];\n\t\tmemcpy(&hdr.sec.extended_src, &data_ind[31 + msdulen], 8);\n\t\thdr.sec.key_id = data_ind[39 + msdulen];\n\t}\n\thdr.source.mode = data_ind[0];\n\tdev_dbg(&priv->spi->dev, \"srcAddrMode: %#03x\\n\", hdr.source.mode);\n\thdr.source.pan_id = *(u16 *)&data_ind[1];\n\tdev_dbg(&priv->spi->dev, \"srcPanId: %#06x\\n\", hdr.source.pan_id);\n\tmemcpy(&hdr.source.extended_addr, &data_ind[3], 8);\n\thdr.dest.mode = data_ind[11];\n\tdev_dbg(&priv->spi->dev, \"dstAddrMode: %#03x\\n\", hdr.dest.mode);\n\thdr.dest.pan_id = *(u16 *)&data_ind[12];\n\tdev_dbg(&priv->spi->dev, \"dstPanId: %#06x\\n\", hdr.dest.pan_id);\n\tmemcpy(&hdr.dest.extended_addr, &data_ind[14], 8);\n\n\t/* Fill in FC implicitly */\n\thdr.fc.type = 1; /* Data frame */\n\tif (hdr.sec.level)\n\t\thdr.fc.security_enabled = 1;\n\telse\n\t\thdr.fc.security_enabled = 0;\n\tif (data_ind[1] != data_ind[12] || data_ind[2] != data_ind[13])\n\t\thdr.fc.intra_pan = 1;\n\telse\n\t\thdr.fc.intra_pan = 0;\n\thdr.fc.dest_addr_mode = hdr.dest.mode;\n\thdr.fc.source_addr_mode = hdr.source.mode;\n\n\t/* Add hdr to front of buffer */\n\thlen = ieee802154_hdr_push(skb, &hdr);\n\n\tif (hlen < 0) {\n\t\tdev_crit(&priv->spi->dev, \"failed 
to push mac hdr onto skb!\\n\");\n\t\tkfree_skb(skb);\n\t\treturn hlen;\n\t}\n\n\tskb_reset_mac_header(skb);\n\tskb->mac_len = hlen;\n\ncopy_payload:\n\t/* Add bytes of space to the back of the buffer */\n\t/* Copy msdu to skb */\n\tskb_put_data(skb, &data_ind[29], msdulen);\n\n\tieee802154_rx_irqsafe(hw, skb, mpdulinkquality);\n\treturn 0;\n}", "project": "linux", "hash": 44306978128960796257608189880597362418, "size": 86, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408800 }, { "func": "static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head)\n{\n\tstruct io_buffer *buf;\n\tu64 addr = pbuf->addr;\n\tint i, bid = pbuf->bid;\n\n\tfor (i = 0; i < pbuf->nbufs; i++) {\n\t\tbuf = kmalloc(sizeof(*buf), GFP_KERNEL);\n\t\tif (!buf)\n\t\t\tbreak;\n\n\t\tbuf->addr = addr;\n\t\tbuf->len = pbuf->len;\n\t\tbuf->bid = bid;\n\t\taddr += pbuf->len;\n\t\tbid++;\n\t\tif (!*head) {\n\t\t\tINIT_LIST_HEAD(&buf->list);\n\t\t\t*head = buf;\n\t\t} else {\n\t\t\tlist_add_tail(&buf->list, &(*head)->list);\n\t\t}\n\t}\n\n\treturn i ? i : -ENOMEM;\n}", "project": "linux", "hash": 97053759323757789573775019463585321454, "size": 26, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 1, "dataset": "other", "idx": 202741 }, { "func": "static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head)\n{\n\tstruct io_buffer *buf;\n\tu64 addr = pbuf->addr;\n\tint i, bid = pbuf->bid;\n\n\tfor (i = 0; i < pbuf->nbufs; i++) {\n\t\tbuf = kmalloc(sizeof(*buf), GFP_KERNEL);\n\t\tif (!buf)\n\t\t\tbreak;\n\n\t\tbuf->addr = addr;\n\t\tbuf->len = min_t(__u32, pbuf->len, MAX_RW_COUNT);\n\t\tbuf->bid = bid;\n\t\taddr += pbuf->len;\n\t\tbid++;\n\t\tif (!*head) {\n\t\t\tINIT_LIST_HEAD(&buf->list);\n\t\t\t*head = buf;\n\t\t} else {\n\t\t\tlist_add_tail(&buf->list, &(*head)->list);\n\t\t}\n\t}\n\n\treturn i ? i : -ENOMEM;\n}", "project": "linux", "hash": 66027508180468263129870084716869579887, "size": 26, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338639 }, { "func": "bool JOIN_TAB::preread_init()\n{\n TABLE_LIST *derived= table->pos_in_table_list;\n DBUG_ENTER(\"JOIN_TAB::preread_init\");\n\n if (!derived || !derived->is_materialized_derived())\n {\n preread_init_done= TRUE;\n DBUG_RETURN(FALSE);\n }\n\n /* Materialize derived table/view. */\n if ((!derived->get_unit()->executed ||\n derived->is_recursive_with_table() ||\n derived->get_unit()->uncacheable) &&\n mysql_handle_single_derived(join->thd->lex,\n derived, DT_CREATE | DT_FILL))\n DBUG_RETURN(TRUE);\n\n if (!(derived->get_unit()->uncacheable & UNCACHEABLE_DEPENDENT) ||\n derived->is_nonrecursive_derived_with_rec_ref())\n preread_init_done= TRUE;\n if (select && select->quick)\n select->quick->replace_handler(table->file);\n\n DBUG_EXECUTE_IF(\"show_explain_probe_join_tab_preread\", \n if (dbug_user_var_equals_int(join->thd, \n \"show_explain_probe_select_id\", \n join->select_lex->select_number))\n dbug_serve_apcs(join->thd, 1);\n );\n\n /* init ftfuns for just initialized derived table */\n if (table->fulltext_searched)\n if (init_ftfuncs(join->thd, join->select_lex, MY_TEST(join->order)))\n DBUG_RETURN(TRUE);\n\n DBUG_RETURN(FALSE);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 84673119183731012742212292987288194589, "size": 39, "message": "MDEV-22464 Server crash on 
UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508742 }, { "func": "\nstatic int io_run_task_work_sig(void)\n{\n\tif (io_run_task_work())\n\t\treturn 1;\n\tif (!signal_pending(current))\n\t\treturn 0;\n\tif (test_thread_flag(TIF_NOTIFY_SIGNAL))\n\t\treturn -ERESTARTSYS;\n\treturn -EINTR;", "project": "linux", "hash": 266430643080103889695430965489913223044, "size": 10, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338677 }, { "func": "static bool is_interleave_scanning(struct hci_dev *hdev)\n{\n\treturn hdev->interleave_scan_state != INTERLEAVE_SCAN_NONE;\n}", "project": "linux", "hash": 311779130194068058852857592201911764606, "size": 4, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402484 }, { "func": "static void kvm_create_vcpu_debugfs(struct kvm_vcpu *vcpu)\n{\n#ifdef __KVM_HAVE_ARCH_VCPU_DEBUGFS\n\tchar dir_name[ITOA_MAX_LEN * 2];\n\n\tif (!debugfs_initialized())\n\t\treturn;\n\n\tsnprintf(dir_name, sizeof(dir_name), \"vcpu%d\", vcpu->vcpu_id);\n\tvcpu->debugfs_dentry = debugfs_create_dir(dir_name,\n\t\t\t\t\t\t vcpu->kvm->debugfs_dentry);\n\n\tkvm_arch_create_vcpu_debugfs(vcpu);\n#endif\n}", "project": "linux", "hash": 122350979607203236202074590375136179513, "size": 15, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354726 }, { "func": "static void kvm_create_vcpu_debugfs(struct kvm_vcpu *vcpu)\n{\n#ifdef __KVM_HAVE_ARCH_VCPU_DEBUGFS\n\tstruct dentry *debugfs_dentry;\n\tchar dir_name[ITOA_MAX_LEN * 2];\n\n\tif (!debugfs_initialized())\n\t\treturn;\n\n\tsnprintf(dir_name, sizeof(dir_name), \"vcpu%d\", vcpu->vcpu_id);\n\tdebugfs_dentry = debugfs_create_dir(dir_name,\n\t\t\t\t\t vcpu->kvm->debugfs_dentry);\n\n\tkvm_arch_create_vcpu_debugfs(vcpu, debugfs_dentry);\n#endif\n}", "project": "linux", "hash": 
21710856381877166037774714406223222372, "size": 16, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404073 }, { "func": "HttpStateData::finishingChunkedRequest()\n{\n if (flags.sentLastChunk) {\n debugs(11, 5, HERE << \"already sent last-chunk\");\n return false;\n }\n\n Must(receivedWholeRequestBody); // or we should not be sending last-chunk\n flags.sentLastChunk = true;\n\n typedef CommCbMemFunT Dialer;\n requestSender = JobCallback(11,5, Dialer, this, HttpStateData::wroteLast);\n Comm::Write(serverConnection, \"0\\r\\n\\r\\n\", 5, requestSender, NULL);\n return true;\n}", "project": "squid", "hash": 25136200410190020910858159173245057470, "size": 15, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402385 }, { "func": "void CSoundFile::PortamentoMPT(ModChannel* pChn, int param)\n{\n\t//Behavior: Modifies portamento by param-steps on every tick.\n\t//Note that step meaning depends on tuning.\n\n\tpChn->m_PortamentoFineSteps += param;\n\tpChn->m_CalculateFreq = true;\n}", "project": "openmpt", "hash": 118831681821249925428791422134002294543, "size": 8, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255192 }, { "func": "static void update_depend_map(JOIN *join)\n{\n JOIN_TAB *join_tab;\n for (join_tab= first_linear_tab(join, WITH_BUSH_ROOTS, WITH_CONST_TABLES); \n join_tab;\n join_tab= next_linear_tab(join, join_tab, WITH_BUSH_ROOTS))\n {\n TABLE_REF *ref= &join_tab->ref;\n table_map depend_map=0;\n Item **item=ref->items;\n uint i;\n for (i=0 ; i < ref->key_parts ; i++,item++)\n depend_map|=(*item)->used_tables();\n depend_map&= ~OUTER_REF_TABLE_BIT;\n ref->depend_map= depend_map;\n for (JOIN_TAB **tab=join->map2table;\n depend_map ;\n tab++,depend_map>>=1 )\n {\n if (depend_map & 1)\n ref->depend_map|=(*tab)->ref.depend_map;\n }\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 13510071310398986952329282030650003437, "size": 24, 
"message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508646 }, { "func": "rfbClientConnFailed(rfbClientPtr cl,\n const char *reason)\n{\n char *buf;\n int len = strlen(reason);\n\n rfbLog(\"rfbClientConnFailed(\\\"%s\\\")\\n\", reason);\n\n buf = (char *)malloc(8 + len);\n ((uint32_t *)buf)[0] = Swap32IfLE(rfbConnFailed);\n ((uint32_t *)buf)[1] = Swap32IfLE(len);\n memcpy(buf + 8, reason, len);\n\n if (rfbWriteExact(cl, buf, 8 + len) < 0)\n rfbLogPerror(\"rfbClientConnFailed: write\");\n free(buf);\n\n rfbCloseClient(cl);\n}", "project": "libvncserver", "hash": 98285343993306812020461838769933106905, "size": 19, "commit_id": "673c07a75ed844d74676f3ccdcfdc706a7052dba", "message": "libvncserver/rfbserver: fix possible divide-by-zero\n\nCloses #409", "target": 0, "dataset": "other", "idx": 295860 }, { "func": "rfbClientSendString(rfbClientPtr cl, const char *reason)\n{\n char *buf;\n int len = strlen(reason);\n\n rfbLog(\"rfbClientSendString(\\\"%s\\\")\\n\", reason);\n\n buf = (char *)malloc(4 + len);\n ((uint32_t *)buf)[0] = Swap32IfLE(len);\n memcpy(buf + 4, reason, len);\n\n if 
(rfbWriteExact(cl, buf, 4 + len) < 0)\n rfbLogPerror(\"rfbClientSendString: write\");\n free(buf);\n\n rfbCloseClient(cl);\n}", "project": "libvncserver", "hash": 318210123158099208989186893042676640940, "size": 17, "commit_id": "673c07a75ed844d74676f3ccdcfdc706a7052dba", "message": "libvncserver/rfbserver: fix possible divide-by-zero\n\nCloses #409", "target": 0, "dataset": "other", "idx": 295862 }, { "func": "static int lrc_ring_mi_mode(const struct intel_engine_cs *engine)\n{\n\tif (INTEL_GEN(engine->i915) >= 12)\n\t\treturn 0x60;\n\telse if (INTEL_GEN(engine->i915) >= 9)\n\t\treturn 0x54;\n\telse if (engine->class == RENDER_CLASS)\n\t\treturn 0x58;\n\telse\n\t\treturn -1;\n}", "project": "linux", "hash": 253402525951632378671638175715151324619, "size": 11, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281503 }, { "func": "void ip_send_check(struct iphdr *iph)\n{\n\tiph->check = 0;\n\tiph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);\n}", "project": "net", "hash": 147261931036290164642340610371088600978, "size": 5, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 469002 }, { "func": "static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_link_key_req *ev = (void *) skb->data;\n\tstruct hci_cp_link_key_reply cp;\n\tstruct hci_conn *conn;\n\tstruct link_key *key;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\tif (!hci_dev_test_flag(hdev, HCI_MGMT))\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tkey = hci_find_link_key(hdev, &ev->bdaddr);\n\tif (!key) {\n\t\tBT_DBG(\"%s link key not found for %pMR\", hdev->name,\n\t\t &ev->bdaddr);\n\t\tgoto not_found;\n\t}\n\n\tBT_DBG(\"%s found key type %u for %pMR\", hdev->name, key->type,\n\t &ev->bdaddr);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);\n\tif (conn) {\n\t\tclear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);\n\n\t\tif ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||\n\t\t key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&\n\t\t conn->auth_type != 0xff && (conn->auth_type & 0x01)) {\n\t\t\tBT_DBG(\"%s ignoring unauthenticated key\", hdev->name);\n\t\t\tgoto not_found;\n\t\t}\n\n\t\tif (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&\n\t\t (conn->pending_sec_level == BT_SECURITY_HIGH ||\n\t\t conn->pending_sec_level == BT_SECURITY_FIPS)) {\n\t\t\tBT_DBG(\"%s ignoring key unauthenticated for high security\",\n\t\t\t hdev->name);\n\t\t\tgoto not_found;\n\t\t}\n\n\t\tconn_set_key(conn, key->type, key->pin_len);\n\t}\n\n\tbacpy(&cp.bdaddr, &ev->bdaddr);\n\tmemcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);\n\n\thci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);\n\n\thci_dev_unlock(hdev);\n\n\treturn;\n\nnot_found:\n\thci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 130595913280548576214583360765997014371, "size": 59, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. 
A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431927 }, { "func": "void handle_connection(boost::asio::io_context& context,\n RGWProcessEnv& env, Stream& stream,\n parse_buffer& buffer, bool is_ssl,\n SharedMutex& pause_mutex,\n rgw::dmclock::Scheduler *scheduler,\n boost::system::error_code& ec,\n spawn::yield_context yield)\n{\n // limit header to 4k, since we read it all into a single flat_buffer\n static constexpr size_t header_limit = 4096;\n // don't impose a limit on the body, since we read it in pieces\n static constexpr size_t body_limit = std::numeric_limits::max();\n\n auto cct = env.store->ctx();\n\n // read messages from the stream until eof\n for (;;) {\n // configure the parser\n rgw::asio::parser_type parser;\n parser.header_limit(header_limit);\n parser.body_limit(body_limit);\n\n // parse the header\n http::async_read_header(stream, buffer, parser, yield[ec]);\n if (ec == boost::asio::error::connection_reset ||\n ec == boost::asio::error::bad_descriptor ||\n ec == boost::asio::error::operation_aborted ||\n#ifdef WITH_RADOSGW_BEAST_OPENSSL\n ec == ssl::error::stream_truncated ||\n#endif\n ec == http::error::end_of_stream) {\n ldout(cct, 20) << \"failed to read header: \" << ec.message() << dendl;\n return;\n }\n if (ec) {\n ldout(cct, 1) << \"failed to read header: \" << ec.message() << dendl;\n auto& message = parser.get();\n http::response response;\n response.result(http::status::bad_request);\n response.version(message.version() == 10 ? 
10 : 11);\n response.prepare_payload();\n http::async_write(stream, response, yield[ec]);\n if (ec) {\n ldout(cct, 5) << \"failed to write response: \" << ec.message() << dendl;\n }\n ldout(cct, 1) << \"====== req done http_status=400 ======\" << dendl;\n return;\n }\n\n {\n auto lock = pause_mutex.async_lock_shared(yield[ec]);\n if (ec == boost::asio::error::operation_aborted) {\n return;\n } else if (ec) {\n ldout(cct, 1) << \"failed to lock: \" << ec.message() << dendl;\n return;\n }\n\n // process the request\n RGWRequest req{env.store->getRados()->get_new_req_id()};\n\n auto& socket = stream.lowest_layer();\n const auto& remote_endpoint = socket.remote_endpoint(ec);\n if (ec) {\n ldout(cct, 1) << \"failed to connect client: \" << ec.message() << dendl;\n return;\n }\n\n StreamIO real_client{cct, stream, parser, yield, buffer, is_ssl,\n socket.local_endpoint(),\n remote_endpoint};\n\n auto real_client_io = rgw::io::add_reordering(\n rgw::io::add_buffering(cct,\n rgw::io::add_chunking(\n rgw::io::add_conlen_controlling(\n &real_client))));\n RGWRestfulIO client(cct, &real_client_io);\n auto y = optional_yield{context, yield};\n process_request(env.store, env.rest, &req, env.uri_prefix,\n *env.auth_registry, &client, env.olog, y, scheduler);\n }\n\n if (!parser.keep_alive()) {\n return;\n }\n\n // if we failed before reading the entire message, discard any remaining\n // bytes before reading the next\n while (!parser.is_done()) {\n static std::array discard_buffer;\n\n auto& body = parser.get().body();\n body.size = discard_buffer.size();\n body.data = discard_buffer.data();\n\n http::async_read_some(stream, buffer, parser, yield[ec]);\n if (ec == http::error::need_buffer) {\n continue;\n }\n if (ec == boost::asio::error::connection_reset) {\n return;\n }\n if (ec) {\n ldout(cct, 5) << \"failed to discard unread message: \"\n << ec.message() << dendl;\n return;\n }\n }\n }\n}", "project": "ceph", "hash": 293193655463156846905051374159910631647, "size": 111, 
"commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves CVE-2020-1700 (moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384540 }, { "func": "int RGWPutObj_ObjStore_SWIFT::verify_permission()\n{\n op_ret = RGWPutObj_ObjStore::verify_permission();\n\n /* We have to differentiate error codes depending on whether user is\n * anonymous (401 Unauthorized) or he doesn't have necessary permissions\n * (403 Forbidden). */\n if (s->auth.identity->is_anonymous() && op_ret == -EACCES) {\n return -EPERM;\n } else {\n return op_ret;\n }\n}", "project": "ceph", "hash": 200686289014478550838936575091971590838, "size": 13, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448801 }, { "func": "int RGWDeleteObj_ObjStore_SWIFT::verify_permission()\n{\n op_ret = RGWDeleteObj_ObjStore::verify_permission();\n\n /* We have to differentiate error codes depending on whether user is\n * anonymous (401 Unauthorized) or he doesn't have necessary permissions\n * (403 Forbidden). 
*/\n if (s->auth.identity->is_anonymous() && op_ret == -EACCES) {\n return -EPERM;\n } else {\n return op_ret;\n }\n}", "project": "ceph", "hash": 171454596360209557567943792286304825123, "size": 13, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448820 }, { "func": "int RGWGetObj_ObjStore_SWIFT::verify_permission()\n{\n op_ret = RGWGetObj_ObjStore::verify_permission();\n\n /* We have to differentiate error codes depending on whether user is\n * anonymous (401 Unauthorized) or he doesn't have necessary permissions\n * (403 Forbidden). */\n if (s->auth.identity->is_anonymous() && op_ret == -EACCES) {\n return -EPERM;\n } else {\n return op_ret;\n }\n}", "project": "ceph", "hash": 166162702326446070157106988962702904126, "size": 13, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448823 }, { "func": "int RGWSetRequestPayment_ObjStore_S3::get_params()\n{\n char *data;\n int len = 0;\n const auto max_size = s->cct->_conf->rgw_max_put_param_size;\n int r = rgw_rest_read_all_input(s, &data, &len, max_size, false);\n\n if (r < 0) {\n return r;\n }\n\n RGWSetRequestPaymentParser parser;\n\n if (!parser.init()) {\n ldout(s->cct, 0) << \"ERROR: failed to initialize parser\" << dendl;\n r = -EIO;\n goto done;\n }\n\n if (!parser.parse(data, len, 1)) {\n ldout(s->cct, 
10) << \"failed to parse data: \" << data << dendl;\n r = -EINVAL;\n goto done;\n }\n\n r = parser.get_request_payment_payer(&requester_pays);\n\ndone:\n free(data);\n\n return r;\n}", "project": "ceph", "hash": 284631986296565818123742646194960861336, "size": 32, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281270 }, { "func": "int RGWPutCORS_ObjStore_S3::get_params()\n{\n int r;\n char *data = nullptr;\n int len = 0;\n RGWCORSXMLParser_S3 parser(s->cct);\n RGWCORSConfiguration_S3 *cors_config;\n\n const auto max_size = s->cct->_conf->rgw_max_put_param_size;\n r = rgw_rest_read_all_input(s, &data, &len, max_size, false);\n if (r < 0) {\n return r;\n }\n\n auto data_deleter = std::unique_ptr{data, free};\n\n r = do_aws4_auth_completion();\n if (r < 0) {\n return r;\n }\n\n if (!parser.init()) {\n return -EINVAL;\n }\n\n if (!data || !parser.parse(data, len, 1)) {\n return -EINVAL;\n }\n cors_config =\n static_cast(parser.find_first(\n\t\t\t\t\t \"CORSConfiguration\"));\n if (!cors_config) {\n return -EINVAL;\n }\n\n#define CORS_RULES_MAX_NUM 100\n int max_num = s->cct->_conf->rgw_cors_rules_max_num;\n if (max_num < 0) {\n max_num = CORS_RULES_MAX_NUM;\n }\n int cors_rules_num = cors_config->get_rules().size();\n if (cors_rules_num > max_num) {\n ldout(s->cct, 4) << \"An cors config can have up to \"\n << max_num\n << \" rules, request cors rules num: \"\n << cors_rules_num << dendl;\n op_ret = -ERR_INVALID_CORS_RULES_ERROR;\n s->err.message = \"The number of CORS rules should not exceed allowed limit of \"\n + std::to_string(max_num) + \" rules.\";\n return -ERR_INVALID_REQUEST;\n }\n\n // forward bucket cors requests to meta master zone\n if (!store->is_meta_master()) {\n /* only need to keep this data around if we're 
not meta master */\n in_data.append(data, len);\n }\n\n if (s->cct->_conf->subsys.should_gather()) {\n ldout(s->cct, 15) << \"CORSConfiguration\";\n cors_config->to_xml(*_dout);\n *_dout << dendl;\n }\n\n cors_config->encode(cors_bl);\n\n return 0;\n}", "project": "ceph", "hash": 177316082195555032843182337405900546341, "size": 68, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281271 }, { "func": "int RGWDeleteMultiObj_ObjStore_S3::get_params()\n{\n int ret = RGWDeleteMultiObj_ObjStore::get_params();\n if (ret < 0) {\n return ret;\n }\n\n return do_aws4_auth_completion();\n}", "project": "ceph", "hash": 101925010456756398415790999116479202322, "size": 9, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281272 }, { "func": "int RGWListBucket_ObjStore_S3::get_params()\n{\n list_versions = s->info.args.exists(\"versions\");\n prefix = s->info.args.get(\"prefix\");\n if (!list_versions) {\n marker = s->info.args.get(\"marker\");\n } else {\n marker.name = s->info.args.get(\"key-marker\");\n marker.instance = s->info.args.get(\"version-id-marker\");\n }\n\n // non-standard\n s->info.args.get_bool(\"allow-unordered\", &allow_unordered, false);\n\n delimiter = s->info.args.get(\"delimiter\");\n\n max_keys = s->info.args.get(\"max-keys\");\n op_ret = parse_max_keys();\n if (op_ret < 0) {\n return op_ret;\n }\n\n encoding_type = s->info.args.get(\"encoding-type\");\n if (s->system_request) {\n s->info.args.get_bool(\"objs-container\", &objs_container, false);\n const char *shard_id_str = 
s->info.env->get(\"HTTP_RGWX_SHARD_ID\");\n if (shard_id_str) {\n string err;\n shard_id = strict_strtol(shard_id_str, 10, &err);\n if (!err.empty()) {\n ldout(s->cct, 5) << \"bad shard id specified: \" << shard_id_str << dendl;\n return -EINVAL;\n }\n } else {\n shard_id = s->bucket_instance_shard_id;\n }\n }\n\n return 0;\n}", "project": "ceph", "hash": 156719582632066500242224098838088934437, "size": 40, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281273 }, { "func": "int RGWGetObj_ObjStore_S3::get_params()\n{\n // for multisite sync requests, only read the slo manifest itself, rather than\n // all of the data from its parts. the parts will sync as separate objects\n skip_manifest = s->info.args.exists(RGW_SYS_PARAM_PREFIX \"sync-manifest\");\n\n // multisite sync requests should fetch encrypted data, along with the\n // attributes needed to support decryption on the other zone\n if (s->system_request) {\n skip_decrypt = s->info.args.exists(RGW_SYS_PARAM_PREFIX \"skip-decrypt\");\n }\n\n return RGWGetObj_ObjStore::get_params();\n}", "project": "ceph", "hash": 144859211498510675053744287984226887454, "size": 14, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281278 }, { "func": "int RGWCopyObj_ObjStore_S3::get_params()\n{\n if_mod = s->info.env->get(\"HTTP_X_AMZ_COPY_IF_MODIFIED_SINCE\");\n if_unmod = s->info.env->get(\"HTTP_X_AMZ_COPY_IF_UNMODIFIED_SINCE\");\n if_match = s->info.env->get(\"HTTP_X_AMZ_COPY_IF_MATCH\");\n if_nomatch = 
s->info.env->get(\"HTTP_X_AMZ_COPY_IF_NONE_MATCH\");\n\n src_tenant_name = s->src_tenant_name;\n src_bucket_name = s->src_bucket_name;\n src_object = s->src_object;\n dest_tenant_name = s->bucket.tenant;\n dest_bucket_name = s->bucket.name;\n dest_object = s->object.name;\n\n if (s->system_request) {\n source_zone = s->info.args.get(RGW_SYS_PARAM_PREFIX \"source-zone\");\n s->info.args.get_bool(RGW_SYS_PARAM_PREFIX \"copy-if-newer\", ©_if_newer, false);\n if (!source_zone.empty()) {\n client_id = s->info.args.get(RGW_SYS_PARAM_PREFIX \"client-id\");\n op_id = s->info.args.get(RGW_SYS_PARAM_PREFIX \"op-id\");\n\n if (client_id.empty() || op_id.empty()) {\n\tldout(s->cct, 0) <<\n\t RGW_SYS_PARAM_PREFIX \"client-id or \"\n\t RGW_SYS_PARAM_PREFIX \"op-id were not provided, \"\n\t \"required for intra-region copy\"\n\t\t\t << dendl;\n\treturn -EINVAL;\n }\n }\n }\n\n copy_source = s->info.env->get(\"HTTP_X_AMZ_COPY_SOURCE\");\n auto tmp_md_d = s->info.env->get(\"HTTP_X_AMZ_METADATA_DIRECTIVE\");\n if (tmp_md_d) {\n if (strcasecmp(tmp_md_d, \"COPY\") == 0) {\n attrs_mod = RGWRados::ATTRSMOD_NONE;\n } else if (strcasecmp(tmp_md_d, \"REPLACE\") == 0) {\n attrs_mod = RGWRados::ATTRSMOD_REPLACE;\n } else if (!source_zone.empty()) {\n attrs_mod = RGWRados::ATTRSMOD_NONE; // default for intra-zone_group copy\n } else {\n s->err.message = \"Unknown metadata directive.\";\n ldout(s->cct, 0) << s->err.message << dendl;\n return -EINVAL;\n }\n md_directive = tmp_md_d;\n }\n\n if (source_zone.empty() &&\n (dest_tenant_name.compare(src_tenant_name) == 0) &&\n (dest_bucket_name.compare(src_bucket_name) == 0) &&\n (dest_object.compare(src_object.name) == 0) &&\n src_object.instance.empty() &&\n (attrs_mod != RGWRados::ATTRSMOD_REPLACE)) {\n /* can only copy object into itself if replacing attrs */\n s->err.message = \"This copy request is illegal because it is trying to copy \"\n \"an object to itself without changing the object's metadata, \"\n \"storage class, website redirect 
location or encryption attributes.\";\n ldout(s->cct, 0) << s->err.message << dendl;\n return -ERR_INVALID_REQUEST;\n }\n return 0;\n}", "project": "ceph", "hash": 135517251873390975362108070265714031086, "size": 64, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281282 }, { "func": "int RGWPutObjTags_ObjStore_S3::get_params()\n{\n RGWObjTagsXMLParser parser;\n\n if (!parser.init()){\n return -EINVAL;\n }\n\n char *data=nullptr;\n int len=0;\n\n const auto max_size = s->cct->_conf->rgw_max_put_param_size;\n int r = rgw_rest_read_all_input(s, &data, &len, max_size, false);\n\n if (r < 0)\n return r;\n\n auto data_deleter = std::unique_ptr{data, free};\n\n if (!parser.parse(data, len, 1)) {\n return -ERR_MALFORMED_XML;\n }\n\n RGWObjTagSet_S3 *obj_tags_s3;\n RGWObjTagging_S3 *tagging;\n\n tagging = static_cast(parser.find_first(\"Tagging\"));\n obj_tags_s3 = static_cast(tagging->find_first(\"TagSet\"));\n if(!obj_tags_s3){\n return -ERR_MALFORMED_XML;\n }\n\n RGWObjTags obj_tags;\n r = obj_tags_s3->rebuild(obj_tags);\n if (r < 0)\n return r;\n\n obj_tags.encode(tags_bl);\n ldout(s->cct, 20) << \"Read \" << obj_tags.count() << \"tags\" << dendl;\n\n return 0;\n}", "project": "ceph", "hash": 290421945907156899323492167054921742747, "size": 42, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281284 }, { "func": "int RGWPutObj_ObjStore_S3::get_params()\n{\n if (!s->length)\n return -ERR_LENGTH_REQUIRED;\n\n RGWObjectCtx& obj_ctx = *static_cast(s->obj_ctx);\n map src_attrs;\n size_t 
pos;\n int ret;\n\n map_qs_metadata(s);\n\n RGWAccessControlPolicy_S3 s3policy(s->cct);\n ret = create_s3_policy(s, store, s3policy, s->owner);\n if (ret < 0)\n return ret;\n\n policy = s3policy;\n\n if_match = s->info.env->get(\"HTTP_IF_MATCH\");\n if_nomatch = s->info.env->get(\"HTTP_IF_NONE_MATCH\");\n copy_source = url_decode(s->info.env->get(\"HTTP_X_AMZ_COPY_SOURCE\", \"\"));\n copy_source_range = s->info.env->get(\"HTTP_X_AMZ_COPY_SOURCE_RANGE\");\n\n /* handle x-amz-copy-source */\n boost::string_view cs_view(copy_source);\n if (! cs_view.empty()) {\n if (cs_view[0] == '/')\n cs_view.remove_prefix(1);\n copy_source_bucket_name = cs_view.to_string();\n pos = copy_source_bucket_name.find(\"/\");\n if (pos == std::string::npos) {\n ret = -EINVAL;\n ldout(s->cct, 5) << \"x-amz-copy-source bad format\" << dendl;\n return ret;\n }\n copy_source_object_name =\n copy_source_bucket_name.substr(pos + 1, copy_source_bucket_name.size());\n copy_source_bucket_name = copy_source_bucket_name.substr(0, pos);\n#define VERSION_ID_STR \"?versionId=\"\n pos = copy_source_object_name.find(VERSION_ID_STR);\n if (pos == std::string::npos) {\n copy_source_object_name = url_decode(copy_source_object_name);\n } else {\n copy_source_version_id =\n\tcopy_source_object_name.substr(pos + sizeof(VERSION_ID_STR) - 1);\n copy_source_object_name =\n\turl_decode(copy_source_object_name.substr(0, pos));\n }\n pos = copy_source_bucket_name.find(\":\");\n if (pos == std::string::npos) {\n copy_source_tenant_name = s->src_tenant_name;\n } else {\n copy_source_tenant_name = copy_source_bucket_name.substr(0, pos);\n copy_source_bucket_name = copy_source_bucket_name.substr(pos + 1, copy_source_bucket_name.size());\n if (copy_source_bucket_name.empty()) {\n ret = -EINVAL;\n ldout(s->cct, 5) << \"source bucket name is empty\" << dendl;\n return ret;\n }\n }\n ret = store->get_bucket_info(obj_ctx,\n copy_source_tenant_name,\n copy_source_bucket_name,\n copy_source_bucket_info,\n NULL, &src_attrs);\n 
if (ret < 0) {\n ldout(s->cct, 5) << __func__ << \"(): get_bucket_info() returned ret=\" << ret << dendl;\n return ret;\n }\n\n /* handle x-amz-copy-source-range */\n\n if (copy_source_range) {\n string range = copy_source_range;\n pos = range.find(\"=\");\n if (pos == std::string::npos) {\n ret = -EINVAL;\n ldout(s->cct, 5) << \"x-amz-copy-source-range bad format\" << dendl;\n return ret;\n }\n range = range.substr(pos + 1);\n pos = range.find(\"-\");\n if (pos == std::string::npos) {\n ret = -EINVAL;\n ldout(s->cct, 5) << \"x-amz-copy-source-range bad format\" << dendl;\n return ret;\n }\n string first = range.substr(0, pos);\n string last = range.substr(pos + 1);\n copy_source_range_fst = strtoull(first.c_str(), NULL, 10);\n copy_source_range_lst = strtoull(last.c_str(), NULL, 10);\n }\n\n } /* copy_source */\n\n /* handle object tagging */\n auto tag_str = s->info.env->get(\"HTTP_X_AMZ_TAGGING\");\n if (tag_str){\n obj_tags = std::make_unique();\n ret = obj_tags->set_from_string(tag_str);\n if (ret < 0){\n ldout(s->cct,0) << \"setting obj tags failed with \" << ret << dendl;\n if (ret == -ERR_INVALID_TAG){\n ret = -EINVAL; //s3 returns only -EINVAL for PUT requests\n }\n\n return ret;\n }\n }\n\n return RGWPutObj_ObjStore::get_params();\n}", "project": "ceph", "hash": 73814381681648131247581495832681996382, "size": 113, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281288 }, { "func": "int RGWGetUsage_ObjStore_S3::get_params()\n{\n start_date = s->info.args.get(\"start-date\");\n end_date = s->info.args.get(\"end-date\"); \n return 0;\n}", "project": "ceph", "hash": 317335411443302434523627107868907971945, "size": 6, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated 
response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281293 }, { "func": "int RGWSetBucketWebsite_ObjStore_S3::get_params()\n{\n char *data = nullptr;\n int len = 0;\n const auto max_size = s->cct->_conf->rgw_max_put_param_size;\n int r = rgw_rest_read_all_input(s, &data, &len, max_size, false);\n\n if (r < 0) {\n return r;\n }\n\n auto data_deleter = std::unique_ptr{data, free};\n\n r = do_aws4_auth_completion();\n if (r < 0) {\n return r;\n }\n\n bufferptr in_ptr(data, len);\n in_data.append(in_ptr);\n\n RGWXMLDecoder::XMLParser parser;\n if (!parser.init()) {\n ldout(s->cct, 0) << \"ERROR: failed to initialize parser\" << dendl;\n return -EIO;\n }\n\n if (!parser.parse(data, len, 1)) {\n string str(data, len);\n ldout(s->cct, 5) << \"failed to parse xml: \" << str << dendl;\n return -EINVAL;\n }\n\n try {\n RGWXMLDecoder::decode_xml(\"WebsiteConfiguration\", website_conf, &parser, true);\n } catch (RGWXMLDecoder::err& err) {\n string str(data, len);\n ldout(s->cct, 5) << \"unexpected xml: \" << str << dendl;\n return -EINVAL;\n }\n\n if (website_conf.is_redirect_all && website_conf.redirect_all.hostname.empty()) {\n s->err.message = \"A host name must be provided to redirect all requests (e.g. 
\\\"example.com\\\").\";\n ldout(s->cct, 5) << s->err.message << dendl;\n return -EINVAL;\n } else if (!website_conf.is_redirect_all && !website_conf.is_set_index_doc) {\n s->err.message = \"A value for IndexDocument Suffix must be provided if RedirectAllRequestsTo is empty\";\n ldout(s->cct, 5) << s->err.message << dendl;\n return -EINVAL;\n } else if (!website_conf.is_redirect_all && website_conf.is_set_index_doc &&\n website_conf.index_doc_suffix.empty()) {\n s->err.message = \"The IndexDocument Suffix is not well formed\";\n ldout(s->cct, 5) << s->err.message << dendl;\n return -EINVAL;\n }\n\n return 0;\n}", "project": "ceph", "hash": 256941214934197687962622354070482169459, "size": 58, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281341 }, { "func": "int RGWConfigBucketMetaSearch_ObjStore_S3::get_params()\n{\n auto iter = s->info.x_meta_map.find(\"x-amz-meta-search\");\n if (iter == s->info.x_meta_map.end()) {\n s->err.message = \"X-Rgw-Meta-Search header not provided\";\n ldout(s->cct, 5) << s->err.message << dendl;\n return -EINVAL;\n }\n\n list expressions;\n get_str_list(iter->second, \",\", expressions);\n\n for (auto& expression : expressions) {\n vector args;\n get_str_vec(expression, \";\", args);\n\n if (args.empty()) {\n s->err.message = \"invalid empty expression\";\n ldout(s->cct, 5) << s->err.message << dendl;\n return -EINVAL;\n }\n if (args.size() > 2) {\n s->err.message = string(\"invalid expression: \") + expression;\n ldout(s->cct, 5) << s->err.message << dendl;\n return -EINVAL;\n }\n\n string key = boost::algorithm::to_lower_copy(rgw_trim_whitespace(args[0]));\n string val;\n if (args.size() > 1) {\n val = boost::algorithm::to_lower_copy(rgw_trim_whitespace(args[1]));\n }\n\n if 
(!boost::algorithm::starts_with(key, RGW_AMZ_META_PREFIX)) {\n s->err.message = string(\"invalid expression, key must start with '\" RGW_AMZ_META_PREFIX \"' : \") + expression;\n ldout(s->cct, 5) << s->err.message << dendl;\n return -EINVAL;\n }\n\n key = key.substr(sizeof(RGW_AMZ_META_PREFIX) - 1);\n\n ESEntityTypeMap::EntityType entity_type;\n\n if (val.empty() || val == \"str\" || val == \"string\") {\n entity_type = ESEntityTypeMap::ES_ENTITY_STR;\n } else if (val == \"int\" || val == \"integer\") {\n entity_type = ESEntityTypeMap::ES_ENTITY_INT;\n } else if (val == \"date\" || val == \"datetime\") {\n entity_type = ESEntityTypeMap::ES_ENTITY_DATE;\n } else {\n s->err.message = string(\"invalid entity type: \") + val;\n ldout(s->cct, 5) << s->err.message << dendl;\n return -EINVAL;\n }\n\n mdsearch_config[key] = entity_type;\n }\n\n return 0;\n}", "project": "ceph", "hash": 245072487964882737344756239910308235047, "size": 60, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281344 }, { "func": "int RGWPutACLs_ObjStore_S3::get_params()\n{\n int ret = RGWPutACLs_ObjStore::get_params();\n if (ret >= 0) {\n const int ret_auth = do_aws4_auth_completion();\n if (ret_auth < 0) {\n return ret_auth;\n }\n }\n return ret;\n}", "project": "ceph", "hash": 81928506599886509203214910801290257450, "size": 11, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281358 }, { "func": "int RGWCreateBucket_ObjStore_S3::get_params()\n{\n RGWAccessControlPolicy_S3 s3policy(s->cct);\n\n int r = 
create_s3_policy(s, store, s3policy, s->owner);\n if (r < 0)\n return r;\n\n policy = s3policy;\n\n int len = 0;\n char *data = nullptr;\n\n const auto max_size = s->cct->_conf->rgw_max_put_param_size;\n op_ret = rgw_rest_read_all_input(s, &data, &len, max_size, false);\n\n if ((op_ret < 0) && (op_ret != -ERR_LENGTH_REQUIRED))\n return op_ret;\n\n auto data_deleter = std::unique_ptr{data, free};\n\n const int auth_ret = do_aws4_auth_completion();\n if (auth_ret < 0) {\n return auth_ret;\n }\n \n bufferptr in_ptr(data, len);\n in_data.append(in_ptr);\n\n if (len) {\n RGWCreateBucketParser parser;\n\n if (!parser.init()) {\n ldout(s->cct, 0) << \"ERROR: failed to initialize parser\" << dendl;\n return -EIO;\n }\n\n bool success = parser.parse(data, len, 1);\n ldout(s->cct, 20) << \"create bucket input data=\" << data << dendl;\n\n if (!success) {\n ldout(s->cct, 0) << \"failed to parse input: \" << data << dendl;\n return -EINVAL;\n }\n\n if (!parser.get_location_constraint(location_constraint)) {\n ldout(s->cct, 0) << \"provided input did not specify location constraint correctly\" << dendl;\n return -EINVAL;\n }\n\n ldout(s->cct, 10) << \"create bucket location constraint: \"\n\t\t << location_constraint << dendl;\n }\n\n size_t pos = location_constraint.find(':');\n if (pos != string::npos) {\n placement_rule = location_constraint.substr(pos + 1);\n location_constraint = location_constraint.substr(0, pos);\n }\n\n return 0;\n}", "project": "ceph", "hash": 55536394128530893829470391311374700927, "size": 62, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281362 }, { "func": "int RGWDeleteObj_ObjStore_S3::get_params()\n{\n const char *if_unmod = s->info.env->get(\"HTTP_X_AMZ_DELETE_IF_UNMODIFIED_SINCE\");\n\n if 
(s->system_request) {\n s->info.args.get_bool(RGW_SYS_PARAM_PREFIX \"no-precondition-error\", &no_precondition_error, false);\n }\n\n if (if_unmod) {\n std::string if_unmod_decoded = url_decode(if_unmod);\n uint64_t epoch;\n uint64_t nsec;\n if (utime_t::parse_date(if_unmod_decoded, &epoch, &nsec) < 0) {\n ldout(s->cct, 10) << \"failed to parse time: \" << if_unmod_decoded << dendl;\n return -EINVAL;\n }\n unmod_since = utime_t(epoch, nsec).to_real_time();\n }\n\n return 0;\n}", "project": "ceph", "hash": 101501559214317907711836704964979326235, "size": 21, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281373 }, { "func": "int RGWInitMultipart_ObjStore_S3::get_params()\n{\n RGWAccessControlPolicy_S3 s3policy(s->cct);\n op_ret = create_s3_policy(s, store, s3policy, s->owner);\n if (op_ret < 0)\n return op_ret;\n\n policy = s3policy;\n\n return 0;\n}", "project": "ceph", "hash": 315039938725904667937114865435707153924, "size": 11, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281377 }, { "func": "int RGWCompleteMultipart_ObjStore_S3::get_params()\n{\n int ret = RGWCompleteMultipart_ObjStore::get_params();\n if (ret < 0) {\n return ret;\n }\n\n map_qs_metadata(s);\n\n return do_aws4_auth_completion();\n}", "project": "ceph", "hash": 131468637419174019167026130520192437568, "size": 11, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked 
from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281382 }, { "func": "int RGWPostObj_ObjStore_S3::get_params()\n{\n op_ret = RGWPostObj_ObjStore::get_params();\n if (op_ret < 0) {\n return op_ret;\n }\n\n map_qs_metadata(s);\n\n ldout(s->cct, 20) << \"adding bucket to policy env: \" << s->bucket.name\n\t\t << dendl;\n env.add_var(\"bucket\", s->bucket.name);\n\n bool done;\n do {\n struct post_form_part part;\n int r = read_form_part_header(&part, done);\n if (r < 0)\n return r;\n\n if (s->cct->_conf->subsys.should_gather()) {\n ldout(s->cct, 20) << \"read part header -- part.name=\"\n << part.name << dendl;\n\n for (const auto& pair : part.fields) {\n ldout(s->cct, 20) << \"field.name=\" << pair.first << dendl;\n ldout(s->cct, 20) << \"field.val=\" << pair.second.val << dendl;\n ldout(s->cct, 20) << \"field.params:\" << dendl;\n\n for (const auto& param_pair : pair.second.params) {\n ldout(s->cct, 20) << \" \" << param_pair.first\n << \" -> \" << param_pair.second << dendl;\n }\n }\n }\n\n if (done) { /* unexpected here */\n err_msg = \"Malformed request\";\n return -EINVAL;\n }\n\n if (stringcasecmp(part.name, \"file\") == 0) { /* beginning of data transfer */\n struct post_part_field& field = part.fields[\"Content-Disposition\"];\n map::iterator iter = field.params.find(\"filename\");\n if (iter != field.params.end()) {\n\tfilename = iter->second;\n }\n parts[part.name] = part;\n break;\n }\n\n bool boundary;\n uint64_t chunk_size = s->cct->_conf->rgw_max_chunk_size;\n r = read_data(part.data, chunk_size, boundary, done);\n if (r < 0 || !boundary) {\n err_msg = \"Couldn't find boundary\";\n return -EINVAL;\n }\n parts[part.name] = part;\n string part_str(part.data.c_str(), part.data.length());\n env.add_var(part.name, part_str);\n } while (!done);\n\n string object_str;\n if (!part_str(parts, \"key\", &object_str)) {\n err_msg = \"Key not specified\";\n return -EINVAL;\n }\n\n s->object = 
rgw_obj_key(object_str);\n\n rebuild_key(s->object.name);\n\n if (s->object.empty()) {\n err_msg = \"Empty object name\";\n return -EINVAL;\n }\n\n env.add_var(\"key\", s->object.name);\n\n part_str(parts, \"Content-Type\", &content_type);\n\n /* AWS permits POST without Content-Type: http://tracker.ceph.com/issues/20201 */\n if (! content_type.empty()) {\n env.add_var(\"Content-Type\", content_type);\n }\n\n map::iterator piter =\n parts.upper_bound(RGW_AMZ_META_PREFIX);\n for (; piter != parts.end(); ++piter) {\n string n = piter->first;\n if (strncasecmp(n.c_str(), RGW_AMZ_META_PREFIX,\n\t\t sizeof(RGW_AMZ_META_PREFIX) - 1) != 0)\n break;\n\n string attr_name = RGW_ATTR_PREFIX;\n attr_name.append(n);\n\n /* need to null terminate it */\n bufferlist& data = piter->second.data;\n string str = string(data.c_str(), data.length());\n\n bufferlist attr_bl;\n attr_bl.append(str.c_str(), str.size() + 1);\n\n attrs[attr_name] = attr_bl;\n }\n // TODO: refactor this and the above loop to share code\n piter = parts.find(RGW_AMZ_WEBSITE_REDIRECT_LOCATION);\n if (piter != parts.end()) {\n string n = piter->first;\n string attr_name = RGW_ATTR_PREFIX;\n attr_name.append(n);\n /* need to null terminate it */\n bufferlist& data = piter->second.data;\n string str = string(data.c_str(), data.length());\n\n bufferlist attr_bl;\n attr_bl.append(str.c_str(), str.size() + 1);\n\n attrs[attr_name] = attr_bl;\n }\n\n int r = get_policy();\n if (r < 0)\n return r;\n\n r = get_tags();\n if (r < 0)\n return r;\n\n\n min_len = post_policy.min_length;\n max_len = post_policy.max_length;\n\n\n\n return 0;\n}", "project": "ceph", "hash": 160616889209508721926292112380258770345, "size": 139, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281394 }, { 
"func": "int RGWSetBucketVersioning_ObjStore_S3::get_params()\n{\n char *data = nullptr;\n int len = 0;\n int r =\n rgw_rest_read_all_input(s, &data, &len, s->cct->_conf->rgw_max_put_param_size, false);\n if (r < 0) {\n return r;\n }\n \n auto data_deleter = std::unique_ptr{data, free};\n\n r = do_aws4_auth_completion();\n if (r < 0) {\n return r;\n }\n\n RGWXMLDecoder::XMLParser parser;\n if (!parser.init()) {\n ldout(s->cct, 0) << \"ERROR: failed to initialize parser\" << dendl;\n return -EIO;\n }\n\n if (!parser.parse(data, len, 1)) {\n ldout(s->cct, 10) << \"NOTICE: failed to parse data: \" << data << dendl;\n r = -EINVAL;\n return r;\n }\n\n ver_config_status status_conf;\n\n if (!RGWXMLDecoder::decode_xml(\"VersioningConfiguration\", status_conf, &parser)) {\n ldout(s->cct, 10) << \"NOTICE: bad versioning config input\" << dendl;\n return -EINVAL;\n }\n\n if (!store->is_meta_master()) {\n /* only need to keep this data around if we're not meta master */\n in_data.append(data, len);\n }\n\n versioning_status = status_conf.status;\n if (versioning_status == VersioningStatusInvalid) {\n r = -EINVAL;\n }\n\n if (status_conf.mfa_status != ver_config_status::MFA_UNKNOWN) {\n mfa_set_status = true;\n switch (status_conf.mfa_status) {\n case ver_config_status::MFA_DISABLED:\n mfa_status = false;\n break;\n case ver_config_status::MFA_ENABLED:\n mfa_status = true;\n break;\n default:\n ldout(s->cct, 0) << \"ERROR: RGWSetBucketVersioning_ObjStore_S3::get_params(): unexpected switch case mfa_status=\" << status_conf.mfa_status << dendl;\n r = -EIO;\n }\n } else if (status_conf.retcode < 0) {\n r = status_conf.retcode;\n }\n return r;\n}", "project": "ceph", "hash": 176145018585975911919730622593048346044, "size": 64, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", 
"target": 0, "dataset": "other", "idx": 281404 }, { "func": "int RGWCopyObj_ObjStore_S3::get_params()\n{\n if_mod = s->info.env->get(\"HTTP_X_AMZ_COPY_IF_MODIFIED_SINCE\");\n if_unmod = s->info.env->get(\"HTTP_X_AMZ_COPY_IF_UNMODIFIED_SINCE\");\n if_match = s->info.env->get(\"HTTP_X_AMZ_COPY_IF_MATCH\");\n if_nomatch = s->info.env->get(\"HTTP_X_AMZ_COPY_IF_NONE_MATCH\");\n\n src_tenant_name = s->src_tenant_name;\n src_bucket_name = s->src_bucket_name;\n src_object = s->src_object;\n dest_tenant_name = s->bucket.tenant;\n dest_bucket_name = s->bucket.name;\n dest_object = s->object.name;\n\n if (s->system_request) {\n source_zone = s->info.args.get(RGW_SYS_PARAM_PREFIX \"source-zone\");\n s->info.args.get_bool(RGW_SYS_PARAM_PREFIX \"copy-if-newer\", ©_if_newer, false);\n }\n\n copy_source = s->info.env->get(\"HTTP_X_AMZ_COPY_SOURCE\");\n auto tmp_md_d = s->info.env->get(\"HTTP_X_AMZ_METADATA_DIRECTIVE\");\n if (tmp_md_d) {\n if (strcasecmp(tmp_md_d, \"COPY\") == 0) {\n attrs_mod = RGWRados::ATTRSMOD_NONE;\n } else if (strcasecmp(tmp_md_d, \"REPLACE\") == 0) {\n attrs_mod = RGWRados::ATTRSMOD_REPLACE;\n } else if (!source_zone.empty()) {\n attrs_mod = RGWRados::ATTRSMOD_NONE; // default for intra-zone_group copy\n } else {\n s->err.message = \"Unknown metadata directive.\";\n ldout(s->cct, 0) << s->err.message << dendl;\n return -EINVAL;\n }\n md_directive = tmp_md_d;\n }\n\n if (source_zone.empty() &&\n (dest_tenant_name.compare(src_tenant_name) == 0) &&\n (dest_bucket_name.compare(src_bucket_name) == 0) &&\n (dest_object.compare(src_object.name) == 0) &&\n src_object.instance.empty() &&\n (attrs_mod != RGWRados::ATTRSMOD_REPLACE)) {\n need_to_check_storage_class = true;\n }\n\n return 0;\n}", "project": "ceph", "hash": 280041640816203552935902768347468139576, "size": 47, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked 
from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333790 }, { "func": "int RGWSetBucketWebsite_ObjStore_S3::get_params()\n{\n const auto max_size = s->cct->_conf->rgw_max_put_param_size;\n\n int r = 0;\n bufferlist data;\n std::tie(r, data) = rgw_rest_read_all_input(s, max_size, false);\n\n if (r < 0) {\n return r;\n }\n\n r = do_aws4_auth_completion();\n if (r < 0) {\n return r;\n }\n\n in_data.append(data);\n\n RGWXMLDecoder::XMLParser parser;\n if (!parser.init()) {\n ldout(s->cct, 0) << \"ERROR: failed to initialize parser\" << dendl;\n return -EIO;\n }\n\n char* buf = data.c_str();\n if (!parser.parse(buf, data.length(), 1)) {\n ldout(s->cct, 5) << \"failed to parse xml: \" << buf << dendl;\n return -EINVAL;\n }\n\n try {\n RGWXMLDecoder::decode_xml(\"WebsiteConfiguration\", website_conf, &parser, true);\n } catch (RGWXMLDecoder::err& err) {\n ldout(s->cct, 5) << \"unexpected xml: \" << buf << dendl;\n return -EINVAL;\n }\n\n if (website_conf.is_redirect_all && website_conf.redirect_all.hostname.empty()) {\n s->err.message = \"A host name must be provided to redirect all requests (e.g. 
\\\"example.com\\\").\";\n ldout(s->cct, 5) << s->err.message << dendl;\n return -EINVAL;\n } else if (!website_conf.is_redirect_all && !website_conf.is_set_index_doc) {\n s->err.message = \"A value for IndexDocument Suffix must be provided if RedirectAllRequestsTo is empty\";\n ldout(s->cct, 5) << s->err.message << dendl;\n return -EINVAL;\n } else if (!website_conf.is_redirect_all && website_conf.is_set_index_doc &&\n website_conf.index_doc_suffix.empty()) {\n s->err.message = \"The IndexDocument Suffix is not well formed\";\n ldout(s->cct, 5) << s->err.message << dendl;\n return -EINVAL;\n }\n\n#define WEBSITE_ROUTING_RULES_MAX_NUM 50\n int max_num = s->cct->_conf->rgw_website_routing_rules_max_num;\n if (max_num < 0) {\n max_num = WEBSITE_ROUTING_RULES_MAX_NUM;\n }\n int routing_rules_num = website_conf.routing_rules.rules.size();\n if (routing_rules_num > max_num) {\n ldout(s->cct, 4) << \"An website routing config can have up to \"\n << max_num\n << \" rules, request website routing rules num: \"\n << routing_rules_num << dendl;\n op_ret = -ERR_INVALID_WEBSITE_ROUTING_RULES_ERROR;\n s->err.message = std::to_string(routing_rules_num) +\" routing rules provided, the number of routing rules in a website configuration is limited to \"\n + std::to_string(max_num)\n + \".\";\n return -ERR_INVALID_REQUEST;\n }\n\n return 0;\n}", "project": "ceph", "hash": 267627638693527833031484796991689427993, "size": 73, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333791 }, { "func": "int RGWSetBucketVersioning_ObjStore_S3::get_params()\n{\n int r = 0;\n bufferlist data;\n std::tie(r, data) =\n rgw_rest_read_all_input(s, s->cct->_conf->rgw_max_put_param_size, false);\n if (r < 0) {\n return r;\n }\n\n r = do_aws4_auth_completion();\n 
if (r < 0) {\n return r;\n }\n\n RGWXMLDecoder::XMLParser parser;\n if (!parser.init()) {\n ldout(s->cct, 0) << \"ERROR: failed to initialize parser\" << dendl;\n return -EIO;\n }\n\n char* buf = data.c_str();\n if (!parser.parse(buf, data.length(), 1)) {\n ldout(s->cct, 10) << \"NOTICE: failed to parse data: \" << buf << dendl;\n r = -EINVAL;\n return r;\n }\n\n ver_config_status status_conf;\n\n if (!RGWXMLDecoder::decode_xml(\"VersioningConfiguration\", status_conf, &parser)) {\n ldout(s->cct, 10) << \"NOTICE: bad versioning config input\" << dendl;\n return -EINVAL;\n }\n\n if (!store->svc.zone->is_meta_master()) {\n /* only need to keep this data around if we're not meta master */\n in_data.append(data);\n }\n\n versioning_status = status_conf.status;\n if (versioning_status == VersioningStatusInvalid) {\n r = -EINVAL;\n }\n\n if (status_conf.mfa_status != ver_config_status::MFA_UNKNOWN) {\n mfa_set_status = true;\n switch (status_conf.mfa_status) {\n case ver_config_status::MFA_DISABLED:\n mfa_status = false;\n break;\n case ver_config_status::MFA_ENABLED:\n mfa_status = true;\n break;\n default:\n ldout(s->cct, 0) << \"ERROR: RGWSetBucketVersioning_ObjStore_S3::get_params(): unexpected switch case mfa_status=\" << status_conf.mfa_status << dendl;\n r = -EIO;\n }\n } else if (status_conf.retcode < 0) {\n r = status_conf.retcode;\n }\n return r;\n}", "project": "ceph", "hash": 284062471401063029146088517199572044535, "size": 63, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333798 }, { "func": "int RGWDeleteObj_ObjStore_S3::get_params()\n{\n const char *if_unmod = s->info.env->get(\"HTTP_X_AMZ_DELETE_IF_UNMODIFIED_SINCE\");\n\n if (s->system_request) {\n s->info.args.get_bool(RGW_SYS_PARAM_PREFIX 
\"no-precondition-error\", &no_precondition_error, false);\n }\n\n if (if_unmod) {\n std::string if_unmod_decoded = url_decode(if_unmod);\n uint64_t epoch;\n uint64_t nsec;\n if (utime_t::parse_date(if_unmod_decoded, &epoch, &nsec) < 0) {\n ldout(s->cct, 10) << \"failed to parse time: \" << if_unmod_decoded << dendl;\n return -EINVAL;\n }\n unmod_since = utime_t(epoch, nsec).to_real_time();\n }\n\n const char *bypass_gov_header = s->info.env->get(\"HTTP_X_AMZ_BYPASS_GOVERNANCE_RETENTION\");\n if (bypass_gov_header) {\n std::string bypass_gov_decoded = url_decode(bypass_gov_header);\n bypass_governance_mode = boost::algorithm::iequals(bypass_gov_decoded, \"true\");\n }\n\n return 0;\n}", "project": "ceph", "hash": 34246097919216274005592423684265542091, "size": 27, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333804 }, { "func": "int RGWPutObj_ObjStore_S3::get_params()\n{\n if (!s->length)\n return -ERR_LENGTH_REQUIRED;\n\n map src_attrs;\n size_t pos;\n int ret;\n\n map_qs_metadata(s);\n\n RGWAccessControlPolicy_S3 s3policy(s->cct);\n ret = create_s3_policy(s, store, s3policy, s->owner);\n if (ret < 0)\n return ret;\n\n policy = s3policy;\n\n if_match = s->info.env->get(\"HTTP_IF_MATCH\");\n if_nomatch = s->info.env->get(\"HTTP_IF_NONE_MATCH\");\n copy_source = url_decode(s->info.env->get(\"HTTP_X_AMZ_COPY_SOURCE\", \"\"));\n copy_source_range = s->info.env->get(\"HTTP_X_AMZ_COPY_SOURCE_RANGE\");\n\n /* handle x-amz-copy-source */\n boost::string_view cs_view(copy_source);\n if (! 
cs_view.empty()) {\n if (cs_view[0] == '/')\n cs_view.remove_prefix(1);\n copy_source_bucket_name = cs_view.to_string();\n pos = copy_source_bucket_name.find(\"/\");\n if (pos == std::string::npos) {\n ret = -EINVAL;\n ldout(s->cct, 5) << \"x-amz-copy-source bad format\" << dendl;\n return ret;\n }\n copy_source_object_name =\n copy_source_bucket_name.substr(pos + 1, copy_source_bucket_name.size());\n copy_source_bucket_name = copy_source_bucket_name.substr(0, pos);\n#define VERSION_ID_STR \"?versionId=\"\n pos = copy_source_object_name.find(VERSION_ID_STR);\n if (pos == std::string::npos) {\n copy_source_object_name = url_decode(copy_source_object_name);\n } else {\n copy_source_version_id =\n\tcopy_source_object_name.substr(pos + sizeof(VERSION_ID_STR) - 1);\n copy_source_object_name =\n\turl_decode(copy_source_object_name.substr(0, pos));\n }\n pos = copy_source_bucket_name.find(\":\");\n if (pos == std::string::npos) {\n copy_source_tenant_name = s->src_tenant_name;\n } else {\n copy_source_tenant_name = copy_source_bucket_name.substr(0, pos);\n copy_source_bucket_name = copy_source_bucket_name.substr(pos + 1, copy_source_bucket_name.size());\n if (copy_source_bucket_name.empty()) {\n ret = -EINVAL;\n ldout(s->cct, 5) << \"source bucket name is empty\" << dendl;\n return ret;\n }\n }\n ret = store->get_bucket_info(*s->sysobj_ctx,\n copy_source_tenant_name,\n copy_source_bucket_name,\n copy_source_bucket_info,\n NULL, &src_attrs);\n if (ret < 0) {\n ldout(s->cct, 5) << __func__ << \"(): get_bucket_info() returned ret=\" << ret << dendl;\n return ret;\n }\n\n /* handle x-amz-copy-source-range */\n\n if (copy_source_range) {\n string range = copy_source_range;\n pos = range.find(\"=\");\n if (pos == std::string::npos) {\n ret = -EINVAL;\n ldout(s->cct, 5) << \"x-amz-copy-source-range bad format\" << dendl;\n return ret;\n }\n range = range.substr(pos + 1);\n pos = range.find(\"-\");\n if (pos == std::string::npos) {\n ret = -EINVAL;\n ldout(s->cct, 5) << 
\"x-amz-copy-source-range bad format\" << dendl;\n return ret;\n }\n string first = range.substr(0, pos);\n string last = range.substr(pos + 1);\n copy_source_range_fst = strtoull(first.c_str(), NULL, 10);\n copy_source_range_lst = strtoull(last.c_str(), NULL, 10);\n }\n\n } /* copy_source */\n\n /* handle object tagging */\n auto tag_str = s->info.env->get(\"HTTP_X_AMZ_TAGGING\");\n if (tag_str){\n obj_tags = std::make_unique();\n ret = obj_tags->set_from_string(tag_str);\n if (ret < 0){\n ldout(s->cct,0) << \"setting obj tags failed with \" << ret << dendl;\n if (ret == -ERR_INVALID_TAG){\n ret = -EINVAL; //s3 returns only -EINVAL for PUT requests\n }\n\n return ret;\n }\n }\n\n //handle object lock\n auto obj_lock_mode_str = s->info.env->get(\"HTTP_X_AMZ_OBJECT_LOCK_MODE\");\n auto obj_lock_date_str = s->info.env->get(\"HTTP_X_AMZ_OBJECT_LOCK_RETAIN_UNTIL_DATE\");\n auto obj_legal_hold_str = s->info.env->get(\"HTTP_X_AMZ_OBJECT_LOCK_LEGAL_HOLD\");\n if (obj_lock_mode_str && obj_lock_date_str) {\n boost::optional date = ceph::from_iso_8601(obj_lock_date_str);\n if (boost::none == date || ceph::real_clock::to_time_t(*date) <= ceph_clock_now()) {\n ret = -EINVAL;\n ldpp_dout(this,0) << \"invalid x-amz-object-lock-retain-until-date value\" << dendl;\n return ret;\n }\n if (strcmp(obj_lock_mode_str, \"GOVERNANCE\") != 0 && strcmp(obj_lock_mode_str, \"COMPLIANCE\") != 0) {\n ret = -EINVAL;\n ldpp_dout(this,0) << \"invalid x-amz-object-lock-mode value\" << dendl;\n return ret;\n }\n obj_retention = new RGWObjectRetention(obj_lock_mode_str, *date);\n } else if ((obj_lock_mode_str && !obj_lock_date_str) || (!obj_lock_mode_str && obj_lock_date_str)) {\n ret = -EINVAL;\n ldpp_dout(this,0) << \"need both x-amz-object-lock-mode and x-amz-object-lock-retain-until-date \" << dendl;\n return ret;\n }\n if (obj_legal_hold_str) {\n if (strcmp(obj_legal_hold_str, \"ON\") != 0 && strcmp(obj_legal_hold_str, \"OFF\") != 0) {\n ret = -EINVAL;\n ldpp_dout(this,0) << \"invalid 
x-amz-object-lock-legal-hold value\" << dendl;\n return ret;\n }\n obj_legal_hold = new RGWObjectLegalHold(obj_legal_hold_str);\n }\n if (!s->bucket_info.obj_lock_enabled() && (obj_retention || obj_legal_hold)) {\n ldpp_dout(this, 0) << \"ERROR: object retention or legal hold can't be set if bucket object lock not configured\" << dendl;\n ret = -ERR_INVALID_REQUEST;\n return ret;\n }\n multipart_upload_id = s->info.args.get(\"uploadId\");\n multipart_part_str = s->info.args.get(\"partNumber\");\n if (!multipart_part_str.empty()) {\n string err;\n multipart_part_num = strict_strtol(multipart_part_str.c_str(), 10, &err);\n if (!err.empty()) {\n ldpp_dout(s, 10) << \"bad part number: \" << multipart_part_str << \": \" << err << dendl;\n return -EINVAL;\n }\n } else if (!multipart_upload_id.empty()) {\n ldpp_dout(s, 10) << \"part number with no multipart upload id\" << dendl;\n return -EINVAL;\n }\n\n append = s->info.args.exists(\"append\");\n if (append) {\n string pos_str = s->info.args.get(\"position\");\n if (pos_str.empty()) {\n return -EINVAL;\n } else {\n position = strtoull(pos_str.c_str(), NULL, 10);\n }\n }\n \n return RGWPutObj_ObjStore::get_params();\n}", "project": "ceph", "hash": 254168776904088489241223520858658533107, "size": 171, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333805 }, { "func": "int RGWPutCORS_ObjStore_S3::get_params()\n{\n RGWCORSXMLParser_S3 parser(s->cct);\n RGWCORSConfiguration_S3 *cors_config;\n\n const auto max_size = s->cct->_conf->rgw_max_put_param_size;\n\n int r = 0;\n bufferlist data;\n std::tie(r, data) = rgw_rest_read_all_input(s, max_size, false);\n if (r < 0) {\n return r;\n }\n\n r = do_aws4_auth_completion();\n if (r < 0) {\n return r;\n }\n\n if (!parser.init()) {\n return 
-EINVAL;\n }\n\n char* buf = data.c_str();\n if (!buf || !parser.parse(buf, data.length(), 1)) {\n return -ERR_MALFORMED_XML;\n }\n cors_config =\n static_cast(parser.find_first(\n\t\t\t\t\t \"CORSConfiguration\"));\n if (!cors_config) {\n return -ERR_MALFORMED_XML;\n }\n\n#define CORS_RULES_MAX_NUM 100\n int max_num = s->cct->_conf->rgw_cors_rules_max_num;\n if (max_num < 0) {\n max_num = CORS_RULES_MAX_NUM;\n }\n int cors_rules_num = cors_config->get_rules().size();\n if (cors_rules_num > max_num) {\n ldout(s->cct, 4) << \"An cors config can have up to \"\n << max_num\n << \" rules, request cors rules num: \"\n << cors_rules_num << dendl;\n op_ret = -ERR_INVALID_CORS_RULES_ERROR;\n s->err.message = \"The number of CORS rules should not exceed allowed limit of \"\n + std::to_string(max_num) + \" rules.\";\n return -ERR_INVALID_REQUEST;\n }\n\n // forward bucket cors requests to meta master zone\n if (!store->svc.zone->is_meta_master()) {\n /* only need to keep this data around if we're not meta master */\n in_data.append(data);\n }\n\n if (s->cct->_conf->subsys.should_gather()) {\n ldout(s->cct, 15) << \"CORSConfiguration\";\n cors_config->to_xml(*_dout);\n *_dout << dendl;\n }\n\n cors_config->encode(cors_bl);\n\n return 0;\n}", "project": "ceph", "hash": 307073794160877241694770311496059916041, "size": 67, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333808 }, { "func": "int RGWPutObjTags_ObjStore_S3::get_params()\n{\n RGWXMLParser parser;\n\n if (!parser.init()){\n return -EINVAL;\n }\n\n const auto max_size = s->cct->_conf->rgw_max_put_param_size;\n\n int r = 0;\n bufferlist data;\n std::tie(r, data) = rgw_rest_read_all_input(s, max_size, false);\n\n if (r < 0)\n return r;\n\n if (!parser.parse(data.c_str(), 
data.length(), 1)) {\n return -ERR_MALFORMED_XML;\n }\n\n RGWObjTagging_S3 tagging;\n\n try {\n RGWXMLDecoder::decode_xml(\"Tagging\", tagging, &parser);\n } catch (RGWXMLDecoder::err& err) {\n ldout(s->cct, 5) << \"Malformed tagging request: \" << err << dendl;\n return -ERR_MALFORMED_XML;\n }\n\n RGWObjTags obj_tags;\n r = tagging.rebuild(obj_tags);\n if (r < 0)\n return r;\n\n obj_tags.encode(tags_bl);\n ldout(s->cct, 20) << \"Read \" << obj_tags.count() << \"tags\" << dendl;\n\n return 0;\n}", "project": "ceph", "hash": 236440732697855825123299579899790046365, "size": 40, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333809 }, { "func": "int RGWSetRequestPayment_ObjStore_S3::get_params()\n{\n const auto max_size = s->cct->_conf->rgw_max_put_param_size;\n\n int r = 0;\n std::tie(r, in_data) = rgw_rest_read_all_input(s, max_size, false);\n\n if (r < 0) {\n return r;\n }\n\n\n RGWSetRequestPaymentParser parser;\n\n if (!parser.init()) {\n ldout(s->cct, 0) << \"ERROR: failed to initialize parser\" << dendl;\n return -EIO;\n }\n\n char* buf = in_data.c_str();\n if (!parser.parse(buf, in_data.length(), 1)) {\n ldout(s->cct, 10) << \"failed to parse data: \" << buf << dendl;\n return -EINVAL;\n }\n\n return parser.get_request_payment_payer(&requester_pays);\n}", "project": "ceph", "hash": 215876697271591984419380983343747683604, "size": 27, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333812 }, { "func": "int RGWCreateBucket_ObjStore_S3::get_params()\n{\n RGWAccessControlPolicy_S3 
s3policy(s->cct);\n\n int r = create_s3_policy(s, store, s3policy, s->owner);\n if (r < 0)\n return r;\n\n policy = s3policy;\n\n const auto max_size = s->cct->_conf->rgw_max_put_param_size;\n\n int op_ret = 0;\n bufferlist data;\n std::tie(op_ret, data) = rgw_rest_read_all_input(s, max_size, false);\n\n if ((op_ret < 0) && (op_ret != -ERR_LENGTH_REQUIRED))\n return op_ret;\n\n const int auth_ret = do_aws4_auth_completion();\n if (auth_ret < 0) {\n return auth_ret;\n }\n \n in_data.append(data);\n\n if (data.length()) {\n RGWCreateBucketParser parser;\n\n if (!parser.init()) {\n ldout(s->cct, 0) << \"ERROR: failed to initialize parser\" << dendl;\n return -EIO;\n }\n\n char* buf = data.c_str();\n bool success = parser.parse(buf, data.length(), 1);\n ldout(s->cct, 20) << \"create bucket input data=\" << buf << dendl;\n\n if (!success) {\n ldout(s->cct, 0) << \"failed to parse input: \" << buf << dendl;\n return -EINVAL;\n }\n\n if (!parser.get_location_constraint(location_constraint)) {\n ldout(s->cct, 0) << \"provided input did not specify location constraint correctly\" << dendl;\n return -EINVAL;\n }\n\n ldout(s->cct, 10) << \"create bucket location constraint: \"\n\t\t << location_constraint << dendl;\n }\n\n size_t pos = location_constraint.find(':');\n if (pos != string::npos) {\n placement_rule.init(location_constraint.substr(pos + 1), s->info.storage_class);\n location_constraint = location_constraint.substr(0, pos);\n } else {\n placement_rule.storage_class = s->info.storage_class;\n }\n auto iter = s->info.x_meta_map.find(\"x-amz-bucket-object-lock-enabled\");\n if (iter != s->info.x_meta_map.end()) {\n if (!boost::algorithm::iequals(iter->second, \"true\") && !boost::algorithm::iequals(iter->second, \"false\")) {\n return -EINVAL;\n }\n obj_lock_enabled = boost::algorithm::iequals(iter->second, \"true\");\n }\n return 0;\n}", "project": "ceph", "hash": 11827898521194362944122730445173594898, "size": 68, "commit_id": 
"fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333824 }, { "func": "int RGWPutMetadataObject_ObjStore_SWIFT::get_params()\n{\n if (s->has_bad_meta) {\n return -EINVAL;\n }\n\n /* Handle Swift object expiration. */\n int r = get_delete_at_param(s, delete_at);\n if (r < 0) {\n ldout(s->cct, 5) << \"ERROR: failed to get Delete-At param\" << dendl;\n return r;\n }\n\n dlo_manifest = s->info.env->get(\"HTTP_X_OBJECT_MANIFEST\");\n\n return 0;\n}", "project": "ceph", "hash": 196810164321707191966237637985521005990, "size": 17, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448764 }, { "func": "int RGWGetObj_ObjStore_SWIFT::get_params()\n{\n const string& mm = s->info.args.get(\"multipart-manifest\");\n skip_manifest = (mm.compare(\"get\") == 0);\n\n return RGWGetObj_ObjStore::get_params();\n}", "project": "ceph", "hash": 38355596968640301775437887782444029942, "size": 7, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448775 }, { "func": "int RGWFormPost::get_params()\n{\n /* The parentt class extracts boundary info from the 
Content-Type. */\n int ret = RGWPostObj_ObjStore::get_params();\n if (ret < 0) {\n return ret;\n }\n\n policy.create_default(s->user->user_id, s->user->display_name);\n\n /* Let's start parsing the HTTP body by parsing each form part step-\n * by-step till encountering the first part with file data. */\n do {\n struct post_form_part part;\n ret = read_form_part_header(&part, stream_done);\n if (ret < 0) {\n return ret;\n }\n\n if (s->cct->_conf->subsys.should_gather()) {\n ldout(s->cct, 20) << \"read part header -- part.name=\"\n << part.name << dendl;\n\n for (const auto& pair : part.fields) {\n ldout(s->cct, 20) << \"field.name=\" << pair.first << dendl;\n ldout(s->cct, 20) << \"field.val=\" << pair.second.val << dendl;\n ldout(s->cct, 20) << \"field.params:\" << dendl;\n\n for (const auto& param_pair : pair.second.params) {\n ldout(s->cct, 20) << \" \" << param_pair.first\n << \" -> \" << param_pair.second << dendl;\n }\n }\n }\n\n if (stream_done) {\n /* Unexpected here. */\n err_msg = \"Malformed request\";\n return -EINVAL;\n }\n\n const auto field_iter = part.fields.find(\"Content-Disposition\");\n if (std::end(part.fields) != field_iter &&\n std::end(field_iter->second.params) != field_iter->second.params.find(\"filename\")) {\n /* First data part ahead. */\n current_data_part = std::move(part);\n\n /* Stop the iteration. We can assume that all control parts have been\n * already parsed. The rest of HTTP body should contain data parts\n * only. They will be picked up by ::get_data(). */\n break;\n } else {\n /* Control part ahead. Receive, parse and store for later usage. */\n bool boundary;\n ret = read_data(part.data, s->cct->_conf->rgw_max_chunk_size,\n boundary, stream_done);\n if (ret < 0) {\n return ret;\n } else if (! boundary) {\n err_msg = \"Couldn't find boundary\";\n return -EINVAL;\n }\n\n ctrl_parts[part.name] = std::move(part);\n }\n } while (! stream_done);\n\n min_len = 0;\n max_len = get_max_file_size();\n\n if (! 
current_data_part) {\n err_msg = \"FormPost: no files to process\";\n return -EINVAL;\n }\n\n if (! is_non_expired()) {\n err_msg = \"FormPost: Form Expired\";\n return -EPERM;\n }\n\n if (! is_integral()) {\n err_msg = \"FormPost: Invalid Signature\";\n return -EPERM;\n }\n\n return 0;\n}", "project": "ceph", "hash": 215097165292717164879428994132380517226, "size": 87, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448779 }, { "func": "int RGWPutMetadataAccount_ObjStore_SWIFT::get_params()\n{\n if (s->has_bad_meta) {\n return -EINVAL;\n }\n\n int ret = get_swift_account_settings(s,\n store,\n // FIXME: we need to carry unique_ptr in generic class\n // and allocate appropriate ACL class in the ctor\n static_cast(&policy),\n &has_policy);\n if (ret < 0) {\n return ret;\n }\n\n get_rmattrs_from_headers(s, ACCT_PUT_ATTR_PREFIX, ACCT_REMOVE_ATTR_PREFIX,\n\t\t\t rmattr_names);\n return 0;\n}", "project": "ceph", "hash": 167616882687799411269772230263318928888, "size": 20, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448797 }, { "func": "int RGWListBuckets_ObjStore_SWIFT::get_params()\n{\n prefix = s->info.args.get(\"prefix\");\n marker = s->info.args.get(\"marker\");\n end_marker = s->info.args.get(\"end_marker\");\n wants_reversed = 
s->info.args.exists(\"reverse\");\n\n if (wants_reversed) {\n std::swap(marker, end_marker);\n }\n\n std::string limit_str = s->info.args.get(\"limit\");\n if (!limit_str.empty()) {\n std::string err;\n long l = strict_strtol(limit_str.c_str(), 10, &err);\n if (!err.empty()) {\n return -EINVAL;\n }\n\n if (l > (long)limit_max || l < 0) {\n return -ERR_PRECONDITION_FAILED;\n }\n\n limit = (uint64_t)l;\n }\n\n if (s->cct->_conf->rgw_swift_need_stats) {\n bool stats, exists;\n int r = s->info.args.get_bool(\"stats\", &stats, &exists);\n\n if (r < 0) {\n return r;\n }\n\n if (exists) {\n need_stats = stats;\n }\n } else {\n need_stats = false;\n }\n\n return 0;\n}", "project": "ceph", "hash": 257606900933962785941716328281838493459, "size": 43, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448802 }, { "func": "int RGWPutObj_ObjStore_SWIFT::get_params()\n{\n if (s->has_bad_meta) {\n return -EINVAL;\n }\n\n if (!s->length) {\n const char *encoding = s->info.env->get(\"HTTP_TRANSFER_ENCODING\");\n if (!encoding || strcmp(encoding, \"chunked\") != 0) {\n ldout(s->cct, 20) << \"neither length nor chunked encoding\" << dendl;\n return -ERR_LENGTH_REQUIRED;\n }\n\n chunked_upload = true;\n }\n\n supplied_etag = s->info.env->get(\"HTTP_ETAG\");\n\n if (!s->generic_attrs.count(RGW_ATTR_CONTENT_TYPE)) {\n ldout(s->cct, 5) << \"content type wasn't provided, trying to guess\" << dendl;\n const char *suffix = strrchr(s->object.name.c_str(), '.');\n if (suffix) {\n suffix++;\n if (*suffix) {\n\tstring suffix_str(suffix);\n\tconst char *mime = rgw_find_mime_by_ext(suffix_str);\n\tif (mime) {\n\t 
s->generic_attrs[RGW_ATTR_CONTENT_TYPE] = mime;\n\t}\n }\n }\n }\n\n policy.create_default(s->user->user_id, s->user->display_name);\n\n int r = get_delete_at_param(s, delete_at);\n if (r < 0) {\n ldout(s->cct, 5) << \"ERROR: failed to get Delete-At param\" << dendl;\n return r;\n }\n\n if (!s->cct->_conf->rgw_swift_custom_header.empty()) {\n string custom_header = s->cct->_conf->rgw_swift_custom_header;\n if (s->info.env->exists(custom_header.c_str())) {\n user_data = s->info.env->get(custom_header.c_str());\n }\n }\n\n dlo_manifest = s->info.env->get(\"HTTP_X_OBJECT_MANIFEST\");\n bool exists;\n string multipart_manifest = s->info.args.get(\"multipart-manifest\", &exists);\n if (exists) {\n if (multipart_manifest != \"put\") {\n ldout(s->cct, 5) << \"invalid multipart-manifest http param: \" << multipart_manifest << dendl;\n return -EINVAL;\n }\n\n#define MAX_SLO_ENTRY_SIZE (1024 + 128) // 1024 - max obj name, 128 - enough extra for other info\n uint64_t max_len = s->cct->_conf->rgw_max_slo_entries * MAX_SLO_ENTRY_SIZE;\n \n slo_info = new RGWSLOInfo;\n \n int r = 0;\n std::tie(r, slo_info->raw_data) = rgw_rest_get_json_input_keep_data(s->cct, s, slo_info->entries, max_len);\n if (r < 0) {\n ldout(s->cct, 5) << \"failed to read input for slo r=\" << r << dendl;\n return r;\n }\n\n if ((int64_t)slo_info->entries.size() > s->cct->_conf->rgw_max_slo_entries) {\n ldout(s->cct, 5) << \"too many entries in slo request: \" << slo_info->entries.size() << dendl;\n return -EINVAL;\n }\n\n MD5 etag_sum;\n uint64_t total_size = 0;\n for (auto& entry : slo_info->entries) {\n etag_sum.Update((const unsigned char *)entry.etag.c_str(),\n entry.etag.length());\n\n /* if size_bytes == 0, it should be replaced with the\n * real segment size (which could be 0); this follows from the\n * fact that Swift requires all segments to exist, but permits\n * the size_bytes element to be omitted from the SLO manifest, see\n * https://docs.openstack.org/swift/latest/api/large_objects.html\n 
*/\n r = update_slo_segment_size(entry);\n if (r < 0) {\n\treturn r;\n }\n\n total_size += entry.size_bytes;\n\n ldout(s->cct, 20) << \"slo_part: \" << entry.path\n << \" size=\" << entry.size_bytes\n << \" etag=\" << entry.etag\n << dendl;\n }\n complete_etag(etag_sum, &lo_etag);\n slo_info->total_size = total_size;\n\n ofs = slo_info->raw_data.length();\n }\n\n return RGWPutObj_ObjStore::get_params();\n}", "project": "ceph", "hash": 324158708845559535943719040869584610540, "size": 106, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448804 }, { "func": "int RGWListBucket_ObjStore_SWIFT::get_params()\n{\n prefix = s->info.args.get(\"prefix\");\n marker = s->info.args.get(\"marker\");\n end_marker = s->info.args.get(\"end_marker\");\n max_keys = s->info.args.get(\"limit\");\n\n // non-standard\n s->info.args.get_bool(\"allow_unordered\", &allow_unordered, false);\n\n delimiter = s->info.args.get(\"delimiter\");\n\n op_ret = parse_max_keys();\n if (op_ret < 0) {\n return op_ret;\n }\n // S3 behavior is to silently cap the max-keys.\n // Swift behavior is to abort.\n if (max > default_max)\n return -ERR_PRECONDITION_FAILED;\n\n string path_args;\n if (s->info.args.exists(\"path\")) { // should handle empty path\n path_args = s->info.args.get(\"path\");\n if (!delimiter.empty() || !prefix.empty()) {\n return -EINVAL;\n }\n prefix = path_args;\n delimiter=\"/\";\n\n path = prefix;\n if (path.size() && path[path.size() - 1] != '/')\n path.append(\"/\");\n\n int len = prefix.size();\n int delim_size = delimiter.size();\n\n if (len >= delim_size) {\n if (prefix.substr(len - delim_size).compare(delimiter) != 0)\n 
prefix.append(delimiter);\n }\n }\n\n return 0;\n}", "project": "ceph", "hash": 296784584319023503648037767188710541422, "size": 45, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448805 }, { "func": "int RGWDeleteObj_ObjStore_SWIFT::get_params()\n{\n const string& mm = s->info.args.get(\"multipart-manifest\");\n multipart_delete = (mm.compare(\"delete\") == 0);\n\n return RGWDeleteObj_ObjStore::get_params();\n}", "project": "ceph", "hash": 92719500606620134274097697707005982211, "size": 7, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448807 }, { "func": "int RGWPutMetadataBucket_ObjStore_SWIFT::get_params()\n{\n if (s->has_bad_meta) {\n return -EINVAL;\n }\n\n int r = get_swift_container_settings(s, store, &policy, &has_policy,\n\t\t\t\t &policy_rw_mask, &cors_config, &has_cors);\n if (r < 0) {\n return r;\n }\n\n get_rmattrs_from_headers(s, CONT_PUT_ATTR_PREFIX, CONT_REMOVE_ATTR_PREFIX,\n\t\t\t rmattr_names);\n placement_rule.init(s->info.env->get(\"HTTP_X_STORAGE_POLICY\", \"\"), s->info.storage_class);\n\n return get_swift_versioning_settings(s, swift_ver_location);\n}", "project": "ceph", "hash": 24842908774556907883029957688378686505, "size": 18, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: 
RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448838 }, { "func": "int RGWCopyObj_ObjStore_SWIFT::get_params()\n{\n if_mod = s->info.env->get(\"HTTP_IF_MODIFIED_SINCE\");\n if_unmod = s->info.env->get(\"HTTP_IF_UNMODIFIED_SINCE\");\n if_match = s->info.env->get(\"HTTP_COPY_IF_MATCH\");\n if_nomatch = s->info.env->get(\"HTTP_COPY_IF_NONE_MATCH\");\n\n src_tenant_name = s->src_tenant_name;\n src_bucket_name = s->src_bucket_name;\n src_object = s->src_object;\n dest_tenant_name = s->bucket_tenant;\n dest_bucket_name = s->bucket_name;\n dest_object = s->object.name;\n\n const char * const fresh_meta = s->info.env->get(\"HTTP_X_FRESH_METADATA\");\n if (fresh_meta && strcasecmp(fresh_meta, \"TRUE\") == 0) {\n attrs_mod = RGWRados::ATTRSMOD_REPLACE;\n } else {\n attrs_mod = RGWRados::ATTRSMOD_MERGE;\n }\n\n int r = get_delete_at_param(s, delete_at);\n if (r < 0) {\n ldout(s->cct, 5) << \"ERROR: failed to get Delete-At param\" << dendl;\n return r;\n }\n\n return 0;\n}", "project": "ceph", "hash": 255826117415459864573746625159768350312, "size": 29, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448847 }, { "func": "int RGWCreateBucket_ObjStore_SWIFT::get_params()\n{\n bool has_policy;\n uint32_t policy_rw_mask = 0;\n\n int r = get_swift_container_settings(s, store, &policy, &has_policy,\n\t\t\t\t &policy_rw_mask, &cors_config, 
&has_cors);\n if (r < 0) {\n return r;\n }\n\n if (!has_policy) {\n policy.create_default(s->user->user_id, s->user->display_name);\n }\n\n location_constraint = store->svc.zone->get_zonegroup().api_name;\n get_rmattrs_from_headers(s, CONT_PUT_ATTR_PREFIX,\n CONT_REMOVE_ATTR_PREFIX, rmattr_names);\n placement_rule.init(s->info.env->get(\"HTTP_X_STORAGE_POLICY\", \"\"), s->info.storage_class);\n\n return get_swift_versioning_settings(s, swift_ver_location);\n}", "project": "ceph", "hash": 2316734743555046331900192990707457267, "size": 22, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448874 }, { "func": "static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)\n{\n\tstruct hci_cp_sniff_mode *cp;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (!status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));\n\tif (conn) {\n\t\tclear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);\n\n\t\tif (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))\n\t\t\thci_sco_setup(conn, status);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 23207915281698104654697945122543440353, "size": 26, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432001 }, { "func": "static int apply_filters(struct archive_read* a) {\n\tstruct filter_info* flt;\n\tstruct rar5* rar = get_context(a);\n\tint ret;\n\n\trar->cstate.all_filters_applied = 0;\n\n\t/* Get the first filter that can be applied to our data. The data\n\t * needs to be fully unpacked before the filter can be run. */\n\tif(CDE_OK == cdeque_front(&rar->cstate.filters,\n\t cdeque_filter_p(&flt))) {\n\t\t/* Check if our unpacked data fully covers this filter's\n\t\t * range. */\n\t\tif(rar->cstate.write_ptr > flt->block_start &&\n\t\t rar->cstate.write_ptr >= flt->block_start +\n\t\t flt->block_length) {\n\t\t\t/* Check if we have some data pending to be written\n\t\t\t * right before the filter's start offset. */\n\t\t\tif(rar->cstate.last_write_ptr == flt->block_start) {\n\t\t\t\t/* Run the filter specified by descriptor\n\t\t\t\t * `flt`. */\n\t\t\t\tret = run_filter(a, flt);\n\t\t\t\tif(ret != ARCHIVE_OK) {\n\t\t\t\t\t/* Filter failure, return error. */\n\t\t\t\t\treturn ret;\n\t\t\t\t}\n\n\t\t\t\t/* Filter descriptor won't be needed anymore\n\t\t\t\t * after it's used, * so remove it from the\n\t\t\t\t * filter list and free its memory. */\n\t\t\t\t(void) cdeque_pop_front(&rar->cstate.filters,\n\t\t\t\t cdeque_filter_p(&flt));\n\n\t\t\t\tfree(flt);\n\t\t\t} else {\n\t\t\t\t/* We can't run filters yet, dump the memory\n\t\t\t\t * right before the filter. */\n\t\t\t\tpush_window_data(a, rar,\n\t\t\t\t rar->cstate.last_write_ptr,\n\t\t\t\t flt->block_start);\n\t\t\t}\n\n\t\t\t/* Return 'filter applied or not needed' state to the\n\t\t\t * caller. 
*/\n\t\t\treturn ARCHIVE_RETRY;\n\t\t}\n\t}\n\n\trar->cstate.all_filters_applied = 1;\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 306554851204351451330637233894491616015, "size": 51, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244795 }, { "func": "long fuse_ioctl_common(struct file *file, unsigned int cmd,\n\t\t unsigned long arg, unsigned int flags)\n{\n\tstruct inode *inode = file_inode(file);\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\n\tif (!fuse_allow_current_process(fc))\n\t\treturn -EACCES;\n\n\tif (fuse_is_bad(inode))\n\t\treturn -EIO;\n\n\treturn fuse_do_ioctl(file, cmd, arg, flags);\n}", "project": "linux", "hash": 178223720019580804643790319210430302250, "size": 14, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342077 }, { "func": "static void mp4info(void)\n{\n fprintf(stderr, \"Modification Time:\\t\\t%s\\n\", mp4time(mp4config.mtime));\n fprintf(stderr, \"Samplerate:\\t\\t%d\\n\", mp4config.samplerate);\n fprintf(stderr, \"Total samples:\\t\\t%d\\n\", mp4config.samples);\n fprintf(stderr, \"Total channels:\\t\\t%d\\n\", mp4config.channels);\n fprintf(stderr, \"Bits per sample:\\t%d\\n\", mp4config.bits);\n fprintf(stderr, \"Buffer size:\\t\\t%d\\n\", mp4config.buffersize);\n fprintf(stderr, \"Max bitrate:\\t\\t%d\\n\", mp4config.bitratemax);\n fprintf(stderr, \"Average bitrate:\\t%d\\n\", mp4config.bitrateavg);\n fprintf(stderr, \"Samples per frame:\\t%d\\n\", mp4config.framesamples);\n fprintf(stderr, \"Frames:\\t\\t\\t%d\\n\", mp4config.frame.ents);\n fprintf(stderr, \"ASC size:\\t\\t%d\\n\", mp4config.asc.size);\n fprintf(stderr, \"Duration:\\t\\t%.1f sec\\n\", (float)mp4config.samples/mp4config.samplerate);\n fprintf(stderr, \"Data offset/size:\\t%x/%x\\n\", mp4config.mdatofs, mp4config.mdatsize);\n}", "project": "faad2", "hash": 57868751364064918327267747186855774988, "size": 16, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a 
value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221451 }, { "func": "Variant socket_server_impl(\n const HostURL &hosturl,\n int flags,\n Variant& errnum,\n Variant& errstr,\n const Variant& context /* = uninit_variant */\n) {\n errnum = 0;\n errstr = empty_string();\n auto sock = create_new_socket(hosturl, errnum, errstr, context);\n if (!sock) {\n return false;\n }\n\n sockaddr_storage sa_storage;\n struct sockaddr *sa_ptr;\n size_t sa_size;\n if (!set_sockaddr(sa_storage, sock, hosturl.getHost(),\n hosturl.getPort(), sa_ptr, sa_size)) {\n return false;\n }\n int yes = 1;\n setsockopt(sock->fd(), SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes));\n if ((flags & k_STREAM_SERVER_BIND) != 0 &&\n ::bind(sock->fd(), sa_ptr, sa_size) < 0) {\n SOCKET_ERROR(sock, \"unable to bind to given address\", errno);\n return false;\n }\n if ((flags & k_STREAM_SERVER_LISTEN) != 0 && listen(sock->fd(), 128) < 0) {\n SOCKET_ERROR(sock, \"unable to listen on socket\", errno);\n return false;\n }\n\n return Variant(std::move(sock));\n}", "project": "hhvm", "hash": 39552359551421196589399002006163909353, "size": 35, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219405 }, { "func": "int input_flush_device(struct input_handle *handle, struct file *file)\n{\n\tstruct input_dev *dev = handle->dev;\n\tint retval;\n\n\tretval = mutex_lock_interruptible(&dev->mutex);\n\tif (retval)\n\t\treturn retval;\n\n\tif (dev->flush)\n\t\tretval = dev->flush(dev, file);\n\n\tmutex_unlock(&dev->mutex);\n\treturn retval;\n}", "project": "linux", "hash": 32098501581599071817072450117629046742, "size": 15, "commit_id": 
"cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353395 }, { "func": "UnicodeStringTest::TestBogus() {\n UnicodeString test1(\"This is a test\");\n UnicodeString test2(\"This is a test\");\n UnicodeString test3(\"Me too!\");\n\n // test isBogus() and setToBogus()\n if (test1.isBogus() || test2.isBogus() || test3.isBogus()) {\n errln(\"A string returned TRUE for isBogus()!\");\n }\n\n // NULL pointers are treated like empty strings\n // use other illegal arguments to make a bogus string\n test3.setTo(FALSE, test1.getBuffer(), -2);\n if(!test3.isBogus()) {\n errln(\"A bogus string returned FALSE for isBogus()!\");\n }\n if (test1.hashCode() != test2.hashCode() || test1.hashCode() == test3.hashCode()) {\n errln(\"hashCode() failed\");\n }\n if(test3.getBuffer()!=0 || test3.getBuffer(20)!=0 || test3.getTerminatedBuffer()!=0) {\n errln(\"bogus.getBuffer()!=0\");\n }\n if (test1.indexOf(test3) != -1) {\n errln(\"bogus.indexOf() != -1\");\n }\n if (test1.lastIndexOf(test3) != -1) {\n errln(\"bogus.lastIndexOf() != -1\");\n }\n if (test1.caseCompare(test3, U_FOLD_CASE_DEFAULT) != 1 || test3.caseCompare(test1, U_FOLD_CASE_DEFAULT) != -1) {\n errln(\"caseCompare() doesn't work with bogus strings\");\n }\n if (test1.compareCodePointOrder(test3) != 1 || test3.compareCodePointOrder(test1) != -1) {\n errln(\"compareCodePointOrder() doesn't work with bogus strings\");\n }\n\n 
// verify that non-assignment modifications fail and do not revive a bogus string\n test3.setToBogus();\n test3.append((UChar)0x61);\n if(!test3.isBogus() || test3.getBuffer()!=0) {\n errln(\"bogus.append('a') worked but must not\");\n }\n\n test3.setToBogus();\n test3.findAndReplace(UnicodeString((UChar)0x61), test2);\n if(!test3.isBogus() || test3.getBuffer()!=0) {\n errln(\"bogus.findAndReplace() worked but must not\");\n }\n\n test3.setToBogus();\n test3.trim();\n if(!test3.isBogus() || test3.getBuffer()!=0) {\n errln(\"bogus.trim() revived bogus but must not\");\n }\n\n test3.setToBogus();\n test3.remove(1);\n if(!test3.isBogus() || test3.getBuffer()!=0) {\n errln(\"bogus.remove(1) revived bogus but must not\");\n }\n\n test3.setToBogus();\n if(!test3.setCharAt(0, 0x62).isBogus() || !test3.isEmpty()) {\n errln(\"bogus.setCharAt(0, 'b') worked but must not\");\n }\n\n test3.setToBogus();\n if(test3.truncate(1) || !test3.isBogus() || !test3.isEmpty()) {\n errln(\"bogus.truncate(1) revived bogus but must not\");\n }\n\n // verify that assignments revive a bogus string\n test3.setToBogus();\n if(!test3.isBogus() || (test3=test1).isBogus() || test3!=test1) {\n errln(\"bogus.operator=() failed\");\n }\n\n test3.setToBogus();\n if(!test3.isBogus() || test3.fastCopyFrom(test1).isBogus() || test3!=test1) {\n errln(\"bogus.fastCopyFrom() failed\");\n }\n\n test3.setToBogus();\n if(!test3.isBogus() || test3.setTo(test1).isBogus() || test3!=test1) {\n errln(\"bogus.setTo(UniStr) failed\");\n }\n\n test3.setToBogus();\n if(!test3.isBogus() || test3.setTo(test1, 0).isBogus() || test3!=test1) {\n errln(\"bogus.setTo(UniStr, 0) failed\");\n }\n\n test3.setToBogus();\n if(!test3.isBogus() || test3.setTo(test1, 0, 0x7fffffff).isBogus() || test3!=test1) {\n errln(\"bogus.setTo(UniStr, 0, len) failed\");\n }\n\n test3.setToBogus();\n if(!test3.isBogus() || test3.setTo(test1.getBuffer(), test1.length()).isBogus() || test3!=test1) {\n errln(\"bogus.setTo(const UChar *, len) 
failed\");\n }\n\n test3.setToBogus();\n if(!test3.isBogus() || test3.setTo((UChar)0x2028).isBogus() || test3!=UnicodeString((UChar)0x2028)) {\n errln(\"bogus.setTo(UChar) failed\");\n }\n\n test3.setToBogus();\n if(!test3.isBogus() || test3.setTo((UChar32)0x1d157).isBogus() || test3!=UnicodeString((UChar32)0x1d157)) {\n errln(\"bogus.setTo(UChar32) failed\");\n }\n\n test3.setToBogus();\n if(!test3.isBogus() || test3.setTo(FALSE, test1.getBuffer(), test1.length()).isBogus() || test3!=test1) {\n errln(\"bogus.setTo(readonly alias) failed\");\n }\n\n // writable alias to another string's buffer: very bad idea, just convenient for this test\n test3.setToBogus();\n if(!test3.isBogus() ||\n test3.setTo(const_cast(test1.getBuffer()),\n test1.length(), test1.getCapacity()).isBogus() ||\n test3!=test1) {\n errln(\"bogus.setTo(writable alias) failed\");\n }\n\n // verify simple, documented ways to turn a bogus string into an empty one\n test3.setToBogus();\n if(!test3.isBogus() || (test3=UnicodeString()).isBogus() || !test3.isEmpty()) {\n errln(\"bogus.operator=(UnicodeString()) failed\");\n }\n\n test3.setToBogus();\n if(!test3.isBogus() || test3.setTo(UnicodeString()).isBogus() || !test3.isEmpty()) {\n errln(\"bogus.setTo(UnicodeString()) failed\");\n }\n\n test3.setToBogus();\n if(test3.remove().isBogus() || test3.getBuffer()==0 || !test3.isEmpty()) {\n errln(\"bogus.remove() failed\");\n }\n\n test3.setToBogus();\n if(test3.remove(0, INT32_MAX).isBogus() || test3.getBuffer()==0 || !test3.isEmpty()) {\n errln(\"bogus.remove(0, INT32_MAX) failed\");\n }\n\n test3.setToBogus();\n if(test3.truncate(0) || test3.isBogus() || !test3.isEmpty()) {\n errln(\"bogus.truncate(0) failed\");\n }\n\n test3.setToBogus();\n if(!test3.isBogus() || test3.setTo((UChar32)-1).isBogus() || !test3.isEmpty()) {\n errln(\"bogus.setTo((UChar32)-1) failed\");\n }\n\n static const UChar nul=0;\n\n test3.setToBogus();\n if(!test3.isBogus() || test3.setTo(&nul, 0).isBogus() || !test3.isEmpty()) {\n 
errln(\"bogus.setTo(&nul, 0) failed\");\n }\n\n test3.setToBogus();\n if(!test3.isBogus() || test3.getBuffer()!=0) {\n errln(\"setToBogus() failed to make a string bogus\");\n }\n\n test3.setToBogus();\n if(test1.isBogus() || !(test1=test3).isBogus()) {\n errln(\"normal=bogus failed to make the left string bogus\");\n }\n\n // test that NULL primitive input string values are treated like\n // empty strings, not errors (bogus)\n test2.setTo((UChar32)0x10005);\n if(test2.insert(1, nullptr, 1).length()!=2) {\n errln(\"UniStr.insert(...nullptr...) should not modify the string but does\");\n }\n\n UErrorCode errorCode=U_ZERO_ERROR;\n UnicodeString\n test4((const UChar *)NULL),\n test5(TRUE, (const UChar *)NULL, 1),\n test6((UChar *)NULL, 5, 5),\n test7((const char *)NULL, 3, NULL, errorCode);\n if(test4.isBogus() || test5.isBogus() || test6.isBogus() || test7.isBogus()) {\n errln(\"a constructor set to bogus for a NULL input string, should be empty\");\n }\n\n test4.setTo(NULL, 3);\n test5.setTo(TRUE, (const UChar *)NULL, 1);\n test6.setTo((UChar *)NULL, 5, 5);\n if(test4.isBogus() || test5.isBogus() || test6.isBogus()) {\n errln(\"a setTo() set to bogus for a NULL input string, should be empty\");\n }\n\n // test that bogus==bogus=test2 || !(test2>test1) || test1.compare(test2)>=0 || !(test2.compare(test1)>0)) {\n errln(\"bogus_key = epi->event.events;\n\tif (!is_file_epoll(epi->ffd.file))\n\t\treturn vfs_poll(epi->ffd.file, pt) & epi->event.events;\n\n\tep = epi->ffd.file->private_data;\n\tpoll_wait(epi->ffd.file, &ep->poll_wait, pt);\n\tlocked = pt && (pt->_qproc == ep_ptable_queue_proc);\n\n\treturn ep_scan_ready_list(epi->ffd.file->private_data,\n\t\t\t\t ep_read_events_proc, &depth, depth,\n\t\t\t\t locked) & epi->event.events;\n}", "project": "linux", "hash": 29152277215924168806395362087641879933, "size": 18, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", 
"target": 0, "dataset": "other", "idx": 336237 }, { "func": "static void suboption(struct Curl_easy *data)\n{\n struct curl_slist *v;\n unsigned char temp[2048];\n ssize_t bytes_written;\n size_t len;\n int err;\n char varname[128] = \"\";\n char varval[128] = \"\";\n struct TELNET *tn = data->req.p.telnet;\n struct connectdata *conn = data->conn;\n\n printsub(data, '<', (unsigned char *)tn->subbuffer, CURL_SB_LEN(tn) + 2);\n switch(CURL_SB_GET(tn)) {\n case CURL_TELOPT_TTYPE:\n len = strlen(tn->subopt_ttype) + 4 + 2;\n msnprintf((char *)temp, sizeof(temp),\n \"%c%c%c%c%s%c%c\", CURL_IAC, CURL_SB, CURL_TELOPT_TTYPE,\n CURL_TELQUAL_IS, tn->subopt_ttype, CURL_IAC, CURL_SE);\n bytes_written = swrite(conn->sock[FIRSTSOCKET], temp, len);\n if(bytes_written < 0) {\n err = SOCKERRNO;\n failf(data,\"Sending data failed (%d)\",err);\n }\n printsub(data, '>', &temp[2], len-2);\n break;\n case CURL_TELOPT_XDISPLOC:\n len = strlen(tn->subopt_xdisploc) + 4 + 2;\n msnprintf((char *)temp, sizeof(temp),\n \"%c%c%c%c%s%c%c\", CURL_IAC, CURL_SB, CURL_TELOPT_XDISPLOC,\n CURL_TELQUAL_IS, tn->subopt_xdisploc, CURL_IAC, CURL_SE);\n bytes_written = swrite(conn->sock[FIRSTSOCKET], temp, len);\n if(bytes_written < 0) {\n err = SOCKERRNO;\n failf(data,\"Sending data failed (%d)\",err);\n }\n printsub(data, '>', &temp[2], len-2);\n break;\n case CURL_TELOPT_NEW_ENVIRON:\n msnprintf((char *)temp, sizeof(temp),\n \"%c%c%c%c\", CURL_IAC, CURL_SB, CURL_TELOPT_NEW_ENVIRON,\n CURL_TELQUAL_IS);\n len = 4;\n\n for(v = tn->telnet_vars; v; v = v->next) {\n size_t tmplen = (strlen(v->data) + 1);\n /* Add the variable only if it fits */\n if(len + tmplen < (int)sizeof(temp)-6) {\n if(sscanf(v->data, \"%127[^,],%127s\", varname, varval)) {\n msnprintf((char *)&temp[len], sizeof(temp) - len,\n \"%c%s%c%s\", CURL_NEW_ENV_VAR, varname,\n CURL_NEW_ENV_VALUE, varval);\n len += tmplen;\n }\n }\n }\n msnprintf((char *)&temp[len], sizeof(temp) - len,\n \"%c%c\", CURL_IAC, CURL_SE);\n len += 2;\n bytes_written = 
swrite(conn->sock[FIRSTSOCKET], temp, len);\n if(bytes_written < 0) {\n err = SOCKERRNO;\n failf(data,\"Sending data failed (%d)\",err);\n }\n printsub(data, '>', &temp[2], len-2);\n break;\n }\n return;\n}", "project": "curl", "hash": 294290589936532991240501967275180184556, "size": 69, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 1, "dataset": "other", "idx": 214926 }, { "func": "static void suboption(struct Curl_easy *data)\n{\n struct curl_slist *v;\n unsigned char temp[2048];\n ssize_t bytes_written;\n size_t len;\n int err;\n char varname[128] = \"\";\n char varval[128] = \"\";\n struct TELNET *tn = data->req.p.telnet;\n struct connectdata *conn = data->conn;\n\n printsub(data, '<', (unsigned char *)tn->subbuffer, CURL_SB_LEN(tn) + 2);\n switch(CURL_SB_GET(tn)) {\n case CURL_TELOPT_TTYPE:\n len = strlen(tn->subopt_ttype) + 4 + 2;\n msnprintf((char *)temp, sizeof(temp),\n \"%c%c%c%c%s%c%c\", CURL_IAC, CURL_SB, CURL_TELOPT_TTYPE,\n CURL_TELQUAL_IS, tn->subopt_ttype, CURL_IAC, CURL_SE);\n bytes_written = swrite(conn->sock[FIRSTSOCKET], temp, len);\n if(bytes_written < 0) {\n err = SOCKERRNO;\n failf(data,\"Sending data failed (%d)\",err);\n }\n printsub(data, '>', &temp[2], len-2);\n break;\n case CURL_TELOPT_XDISPLOC:\n len = strlen(tn->subopt_xdisploc) + 4 + 2;\n msnprintf((char *)temp, sizeof(temp),\n \"%c%c%c%c%s%c%c\", CURL_IAC, CURL_SB, CURL_TELOPT_XDISPLOC,\n CURL_TELQUAL_IS, tn->subopt_xdisploc, CURL_IAC, CURL_SE);\n bytes_written = swrite(conn->sock[FIRSTSOCKET], temp, len);\n if(bytes_written < 0) {\n err = SOCKERRNO;\n failf(data,\"Sending data failed (%d)\",err);\n }\n printsub(data, '>', &temp[2], len-2);\n break;\n case CURL_TELOPT_NEW_ENVIRON:\n msnprintf((char *)temp, sizeof(temp),\n \"%c%c%c%c\", CURL_IAC, CURL_SB, CURL_TELOPT_NEW_ENVIRON,\n CURL_TELQUAL_IS);\n len = 4;\n\n for(v = 
tn->telnet_vars; v; v = v->next) {\n size_t tmplen = (strlen(v->data) + 1);\n /* Add the variable only if it fits */\n if(len + tmplen < (int)sizeof(temp)-6) {\n if(sscanf(v->data, \"%127[^,],%127s\", varname, varval) == 2) {\n msnprintf((char *)&temp[len], sizeof(temp) - len,\n \"%c%s%c%s\", CURL_NEW_ENV_VAR, varname,\n CURL_NEW_ENV_VALUE, varval);\n len += tmplen;\n }\n }\n }\n msnprintf((char *)&temp[len], sizeof(temp) - len,\n \"%c%c\", CURL_IAC, CURL_SE);\n len += 2;\n bytes_written = swrite(conn->sock[FIRSTSOCKET], temp, len);\n if(bytes_written < 0) {\n err = SOCKERRNO;\n failf(data,\"Sending data failed (%d)\",err);\n }\n printsub(data, '>', &temp[2], len-2);\n break;\n }\n return;\n}", "project": "curl", "hash": 162263181786713465891376018168428301129, "size": 69, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 0, "dataset": "other", "idx": 481492 }, { "func": "static int svm_check_nested_events(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tbool block_nested_events =\n\t\tkvm_event_needs_reinjection(vcpu) || svm->nested.nested_run_pending;\n\tstruct kvm_lapic *apic = vcpu->arch.apic;\n\n\tif (lapic_in_kernel(vcpu) &&\n\t test_bit(KVM_APIC_INIT, &apic->pending_events)) {\n\t\tif (block_nested_events)\n\t\t\treturn -EBUSY;\n\t\tif (!nested_exit_on_init(svm))\n\t\t\treturn 0;\n\t\tnested_svm_init(svm);\n\t\treturn 0;\n\t}\n\n\tif (vcpu->arch.exception.pending) {\n\t\tif (block_nested_events)\n return -EBUSY;\n\t\tif (!nested_exit_on_exception(svm))\n\t\t\treturn 0;\n\t\tnested_svm_inject_exception_vmexit(svm);\n\t\treturn 0;\n\t}\n\n\tif (vcpu->arch.smi_pending && !svm_smi_blocked(vcpu)) {\n\t\tif (block_nested_events)\n\t\t\treturn -EBUSY;\n\t\tif (!nested_exit_on_smi(svm))\n\t\t\treturn 0;\n\t\tnested_svm_smi(svm);\n\t\treturn 0;\n\t}\n\n\tif (vcpu->arch.nmi_pending && 
!svm_nmi_blocked(vcpu)) {\n\t\tif (block_nested_events)\n\t\t\treturn -EBUSY;\n\t\tif (!nested_exit_on_nmi(svm))\n\t\t\treturn 0;\n\t\tnested_svm_nmi(svm);\n\t\treturn 0;\n\t}\n\n\tif (kvm_cpu_has_interrupt(vcpu) && !svm_interrupt_blocked(vcpu)) {\n\t\tif (block_nested_events)\n\t\t\treturn -EBUSY;\n\t\tif (!nested_exit_on_intr(svm))\n\t\t\treturn 0;\n\t\tnested_svm_intr(svm);\n\t\treturn 0;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 137746694738742285552572593933694560308, "size": 55, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376658 }, { "func": "static u32 get_adv_instance_flags(struct hci_dev *hdev, u8 instance)\n{\n\tu32 flags;\n\tstruct adv_info *adv_instance;\n\n\tif (instance == 0x00) {\n\t\t/* Instance 0 always manages the \"Tx Power\" and \"Flags\"\n\t\t * fields\n\t\t */\n\t\tflags = MGMT_ADV_FLAG_TX_POWER | MGMT_ADV_FLAG_MANAGED_FLAGS;\n\n\t\t/* For instance 0, the HCI_ADVERTISING_CONNECTABLE setting\n\t\t * corresponds to the \"connectable\" instance flag.\n\t\t */\n\t\tif (hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE))\n\t\t\tflags |= MGMT_ADV_FLAG_CONNECTABLE;\n\n\t\tif (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))\n\t\t\tflags |= MGMT_ADV_FLAG_LIMITED_DISCOV;\n\t\telse if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))\n\t\t\tflags |= MGMT_ADV_FLAG_DISCOV;\n\n\t\treturn 
flags;\n\t}\n\n\tadv_instance = hci_find_adv_instance(hdev, instance);\n\n\t/* Return 0 when we got an invalid instance identifier. */\n\tif (!adv_instance)\n\t\treturn 0;\n\n\treturn adv_instance->flags;\n}", "project": "linux", "hash": 261342017043689377386188158090343369863, "size": 33, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402580 }, { "func": "static int seed_constraint_attributes(void)\n{\n\tint i;\n\tint ret;\n\n\tfor (i = 0; i < MAX_CONSTRAINTS_PER_ZONE; ++i) {\n\t\tret = create_constraint_attribute(i, \"power_limit_uw\",\n\t\t\t\t\tS_IWUSR | S_IRUGO,\n\t\t\t\t\t&constraint_attrs[i].power_limit_attr,\n\t\t\t\t\tshow_constraint_power_limit_uw,\n\t\t\t\t\tstore_constraint_power_limit_uw);\n\t\tif (ret)\n\t\t\tgoto err_alloc;\n\t\tret = create_constraint_attribute(i, \"time_window_us\",\n\t\t\t\t\tS_IWUSR | S_IRUGO,\n\t\t\t\t\t&constraint_attrs[i].time_window_attr,\n\t\t\t\t\tshow_constraint_time_window_us,\n\t\t\t\t\tstore_constraint_time_window_us);\n\t\tif (ret)\n\t\t\tgoto err_alloc;\n\t\tret = create_constraint_attribute(i, \"name\", 
S_IRUGO,\n\t\t\t\t&constraint_attrs[i].name_attr,\n\t\t\t\tshow_constraint_name,\n\t\t\t\tNULL);\n\t\tif (ret)\n\t\t\tgoto err_alloc;\n\t\tret = create_constraint_attribute(i, \"max_power_uw\", S_IRUGO,\n\t\t\t\t&constraint_attrs[i].max_power_attr,\n\t\t\t\tshow_constraint_max_power_uw,\n\t\t\t\tNULL);\n\t\tif (ret)\n\t\t\tgoto err_alloc;\n\t\tret = create_constraint_attribute(i, \"min_power_uw\", S_IRUGO,\n\t\t\t\t&constraint_attrs[i].min_power_attr,\n\t\t\t\tshow_constraint_min_power_uw,\n\t\t\t\tNULL);\n\t\tif (ret)\n\t\t\tgoto err_alloc;\n\t\tret = create_constraint_attribute(i, \"max_time_window_us\",\n\t\t\t\tS_IRUGO,\n\t\t\t\t&constraint_attrs[i].max_time_window_attr,\n\t\t\t\tshow_constraint_max_time_window_us,\n\t\t\t\tNULL);\n\t\tif (ret)\n\t\t\tgoto err_alloc;\n\t\tret = create_constraint_attribute(i, \"min_time_window_us\",\n\t\t\t\tS_IRUGO,\n\t\t\t\t&constraint_attrs[i].min_time_window_attr,\n\t\t\t\tshow_constraint_min_time_window_us,\n\t\t\t\tNULL);\n\t\tif (ret)\n\t\t\tgoto err_alloc;\n\n\t}\n\n\treturn 0;\n\nerr_alloc:\n\tfree_constraint_attributes();\n\n\treturn ret;\n}", "project": "linux", "hash": 46791427030579918467566463027625503427, "size": 62, "commit_id": "949dd0104c496fa7c14991a23c03c62e44637e71", "message": "powercap: restrict energy meter to root access\n\nRemove non-privileged user access to power data contained in\n/sys/class/powercap/intel-rapl*/*/energy_uj\n\nNon-privileged users currently have read access to power data and can\nuse this data to form a security attack. Some privileged\ndrivers/applications need read access to this data, but don't expose it\nto non-privileged users.\n\nFor example, thermald uses this data to ensure that power management\nworks correctly. 
Thus removing non-privileged access is preferred over\ncompletely disabling this power reporting capability with\nCONFIG_INTEL_RAPL=n.\n\nFixes: 95677a9a3847 (\"PowerCap: Fix mode for energy counter\")\n\nSigned-off-by: Len Brown \nCc: stable@vger.kernel.org", "target": 0, "dataset": "other", "idx": 310349 }, { "func": " bool isNull() const { return !m_str; }", "project": "hhvm", "hash": 38531060382615989405208697316717719650, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219897 }, { "func": "static inline int __must_check hid_parse(struct hid_device *hdev)\n{\n\treturn hid_open_report(hdev);\n}", "project": "linux", "hash": 309398269781493073068098085235122583737, "size": 4, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458415 }, { "func": " explicit PhiloxRandomOp(OpKernelConstruction* ctx) : OpKernel(ctx) {\n OP_REQUIRES_OK(ctx, generator_.Init(ctx));\n }", "project": "tensorflow", "hash": 222294347887050889416882389920895173698, "size": 3, "commit_id": 
"27b417360cbd671ef55915e4bb6bb06af8b8a832", "message": "Prevent `int64` to `int` truncation in `Shard` API usage.\n\nThe function argument in `Shard` must be a function of two `int64` arguments. However, we are passing in a function with two `int` arguments. Thus, for large workloads, these arguments get truncated from positive `int64` values to negative `int` ones, resulting in a buffer out of bounds write.\n\nPiperOrigin-RevId: 332557334\nChange-Id: I236c9a2e7f53580e520571da8ba941a3aa9fa0b5", "target": 0, "dataset": "other", "idx": 262657 }, { "func": "static int list_locations(struct kmem_cache *s, char *buf,\n\t\t\t\t\tenum track_item alloc)\n{\n\tint len = 0;\n\tunsigned long i;\n\tstruct loc_track t = { 0, 0, NULL };\n\tint node;\n\tstruct kmem_cache_node *n;\n\n\tif (!alloc_loc_track(&t, PAGE_SIZE / sizeof(struct location),\n\t\t\t GFP_KERNEL)) {\n\t\treturn sprintf(buf, \"Out of memory\\n\");\n\t}\n\t/* Push back cpu slabs */\n\tflush_all(s);\n\n\tfor_each_kmem_cache_node(s, node, n) {\n\t\tunsigned long flags;\n\t\tstruct page *page;\n\n\t\tif (!atomic_long_read(&n->nr_slabs))\n\t\t\tcontinue;\n\n\t\tspin_lock_irqsave(&n->list_lock, flags);\n\t\tlist_for_each_entry(page, &n->partial, slab_list)\n\t\t\tprocess_slab(&t, s, page, alloc);\n\t\tlist_for_each_entry(page, &n->full, slab_list)\n\t\t\tprocess_slab(&t, s, page, alloc);\n\t\tspin_unlock_irqrestore(&n->list_lock, flags);\n\t}\n\n\tfor (i = 0; i < t.count; i++) {\n\t\tstruct location *l = &t.loc[i];\n\n\t\tif (len > PAGE_SIZE - KSYM_SYMBOL_LEN - 100)\n\t\t\tbreak;\n\t\tlen += sprintf(buf + len, \"%7ld \", l->count);\n\n\t\tif (l->addr)\n\t\t\tlen += sprintf(buf + len, \"%pS\", (void *)l->addr);\n\t\telse\n\t\t\tlen += sprintf(buf + len, \"\");\n\n\t\tif (l->sum_time != l->min_time) {\n\t\t\tlen += sprintf(buf + len, \" age=%ld/%ld/%ld\",\n\t\t\t\tl->min_time,\n\t\t\t\t(long)div_u64(l->sum_time, l->count),\n\t\t\t\tl->max_time);\n\t\t} else\n\t\t\tlen += sprintf(buf + len, \" 
age=%ld\",\n\t\t\t\tl->min_time);\n\n\t\tif (l->min_pid != l->max_pid)\n\t\t\tlen += sprintf(buf + len, \" pid=%ld-%ld\",\n\t\t\t\tl->min_pid, l->max_pid);\n\t\telse\n\t\t\tlen += sprintf(buf + len, \" pid=%ld\",\n\t\t\t\tl->min_pid);\n\n\t\tif (num_online_cpus() > 1 &&\n\t\t\t\t!cpumask_empty(to_cpumask(l->cpus)) &&\n\t\t\t\tlen < PAGE_SIZE - 60)\n\t\t\tlen += scnprintf(buf + len, PAGE_SIZE - len - 50,\n\t\t\t\t\t \" cpus=%*pbl\",\n\t\t\t\t\t cpumask_pr_args(to_cpumask(l->cpus)));\n\n\t\tif (nr_online_nodes > 1 && !nodes_empty(l->nodes) &&\n\t\t\t\tlen < PAGE_SIZE - 60)\n\t\t\tlen += scnprintf(buf + len, PAGE_SIZE - len - 50,\n\t\t\t\t\t \" nodes=%*pbl\",\n\t\t\t\t\t nodemask_pr_args(&l->nodes));\n\n\t\tlen += sprintf(buf + len, \"\\n\");\n\t}\n\n\tfree_loc_track(&t);\n\tif (!t.count)\n\t\tlen += sprintf(buf, \"No data\\n\");\n\treturn len;\n}", "project": "linux", "hash": 108499803392607372781486618917294336385, "size": 80, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280036 }, { "func": "int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)\n{\n\tint error = may_create(dir, dentry);\n\n\tif (error)\n\t\treturn error;\n\n\tif ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))\n\t\treturn -EPERM;\n\n\tif (!dir->i_op->mknod)\n\t\treturn -EPERM;\n\n\terror = devcgroup_inode_mknod(mode, dev);\n\tif (error)\n\t\treturn error;\n\n\terror = security_inode_mknod(dir, dentry, mode, dev);\n\tif (error)\n\t\treturn error;\n\n\terror = dir->i_op->mknod(dir, dentry, mode, dev);\n\tif (!error)\n\t\tfsnotify_create(dir, dentry);\n\treturn error;\n}", "project": "linux", "hash": 69535808278030901787297450718361148395, "size": 26, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295434 }, { "func": "void fuse_update_ctime(struct inode *inode)\n{\n\tif (!IS_NOCMTIME(inode)) {\n\t\tinode->i_ctime = current_time(inode);\n\t\tmark_inode_dirty_sync(inode);\n\t}\n}", "project": "linux", "hash": 225347894054306291616663496983923006338, "size": 7, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open 
directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341952 }, { "func": "static void complete_vfork_done(struct task_struct *tsk)\n{\n\tstruct completion *vfork;\n\n\ttask_lock(tsk);\n\tvfork = tsk->vfork_done;\n\tif (likely(vfork)) {\n\t\ttsk->vfork_done = NULL;\n\t\tcomplete(vfork);\n\t}\n\ttask_unlock(tsk);\n}", "project": "linux", "hash": 335801722492950195792743960133773233773, "size": 12, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293693 }, { "func": "static void tcp_event_data_recv(struct sock *sk, struct sk_buff *skb)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct inet_connection_sock *icsk = inet_csk(sk);\n\tu32 now;\n\n\tinet_csk_schedule_ack(sk);\n\n\ttcp_measure_rcv_mss(sk, skb);\n\n\ttcp_rcv_rtt_measure(tp);\n\n\tnow = tcp_time_stamp;\n\n\tif (!icsk->icsk_ack.ato) {\n\t\t/* The _first_ data packet received, initialize\n\t\t * delayed ACK engine.\n\t\t */\n\t\ttcp_incr_quickack(sk);\n\t\ticsk->icsk_ack.ato = 
TCP_ATO_MIN;\n\t} else {\n\t\tint m = now - icsk->icsk_ack.lrcvtime;\n\n\t\tif (m <= TCP_ATO_MIN / 2) {\n\t\t\t/* The fastest case is the first. */\n\t\t\ticsk->icsk_ack.ato = (icsk->icsk_ack.ato >> 1) + TCP_ATO_MIN / 2;\n\t\t} else if (m < icsk->icsk_ack.ato) {\n\t\t\ticsk->icsk_ack.ato = (icsk->icsk_ack.ato >> 1) + m;\n\t\t\tif (icsk->icsk_ack.ato > icsk->icsk_rto)\n\t\t\t\ticsk->icsk_ack.ato = icsk->icsk_rto;\n\t\t} else if (m > icsk->icsk_rto) {\n\t\t\t/* Too long gap. Apparently sender failed to\n\t\t\t * restart window, so that we send ACKs quickly.\n\t\t\t */\n\t\t\ttcp_incr_quickack(sk);\n\t\t\tsk_mem_reclaim(sk);\n\t\t}\n\t}\n\ticsk->icsk_ack.lrcvtime = now;\n\n\tTCP_ECN_check_ce(tp, skb);\n\n\tif (skb->len >= 128)\n\t\ttcp_grow_window(sk, skb);\n}", "project": "net-next", "hash": 153752792154313770417442980556566073063, "size": 45, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409930 }, { "func": "HttpStateData::checkDateSkew(HttpReply *reply)\n{\n if (reply->date > -1 && !_peer) {\n int skew = abs((int)(reply->date - squid_curtime));\n\n if (skew > 86400)\n debugs(11, 3, \"\" << request->url.host() << \"'s clock is skewed by \" << skew << \" seconds!\");\n }\n}", "project": "squid", "hash": 3794311403390906052527164207468856263, "size": 9, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402344 }, { "func": "static void nested_svm_set_tdp_cr3(struct kvm_vcpu *vcpu,\n\t\t\t\t unsigned long root)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tsvm->vmcb->control.nested_cr3 = __sme_set(root);\n\tmark_dirty(svm->vmcb, VMCB_NPT);\n}", "project": "linux", "hash": 302250471134694967151031851517159357522, "size": 8, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432448 }, { "func": "static void nested_svm_set_tdp_cr3(struct kvm_vcpu *vcpu,\n\t\t\t\t unsigned long root)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tsvm->vmcb->control.nested_cr3 = root;\n\tmark_dirty(svm->vmcb, VMCB_NPT);\n\tsvm_flush_tlb(vcpu);\n}", "project": "kvm", "hash": 147272118117273937922033563446725524821, "size": 9, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). 
However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437606 }, { "func": "DLLEXPORT int DLLCALL tjDecompressToYUVPlanes(tjhandle handle,\n\tconst unsigned char *jpegBuf, unsigned long jpegSize,\n\tunsigned char **dstPlanes, int width, int *strides, int height, int flags)\n{\n\tint i, sfi, row, retval=0; JSAMPROW *outbuf[MAX_COMPONENTS];\n\tint jpegwidth, jpegheight, jpegSubsamp, scaledw, scaledh;\n\tint pw[MAX_COMPONENTS], ph[MAX_COMPONENTS], iw[MAX_COMPONENTS],\n\t\ttmpbufsize=0, usetmpbuf=0, th[MAX_COMPONENTS];\n\tJSAMPLE *_tmpbuf=NULL, *ptr; JSAMPROW 
*tmpbuf[MAX_COMPONENTS];\n\tint dctsize;\n\n\tgetdinstance(handle);\n\n\tfor(i=0; iinit&DECOMPRESS)==0)\n\t\t_throw(\"tjDecompressToYUVPlanes(): Instance has not been initialized for decompression\");\n\n\tif(jpegBuf==NULL || jpegSize<=0 || !dstPlanes || !dstPlanes[0] || width<0\n\t\t|| height<0)\n\t\t_throw(\"tjDecompressToYUVPlanes(): Invalid argument\");\n\n#ifndef NO_PUTENV\n\tif(flags&TJFLAG_FORCEMMX) putenv(\"JSIMD_FORCEMMX=1\");\n\telse if(flags&TJFLAG_FORCESSE) putenv(\"JSIMD_FORCESSE=1\");\n\telse if(flags&TJFLAG_FORCESSE2) putenv(\"JSIMD_FORCESSE2=1\");\n#endif\n\n\tif(setjmp(this->jerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. */\n\t\tretval=-1; goto bailout;\n\t}\n\n\tif(!this->headerRead)\n\t{\n\t\tjpeg_mem_src_tj(dinfo, jpegBuf, jpegSize);\n\t\tjpeg_read_header(dinfo, TRUE);\n\t}\n\tthis->headerRead=0;\n\tjpegSubsamp=getSubsamp(dinfo);\n\tif(jpegSubsamp<0)\n\t\t_throw(\"tjDecompressToYUVPlanes(): Could not determine subsampling type for JPEG image\");\n\n\tif(jpegSubsamp!=TJSAMP_GRAY && (!dstPlanes[1] || !dstPlanes[2]))\n\t\t_throw(\"tjDecompressToYUVPlanes(): Invalid argument\");\n\n\tjpegwidth=dinfo->image_width; jpegheight=dinfo->image_height;\n\tif(width==0) width=jpegwidth;\n\tif(height==0) height=jpegheight;\n\tfor(i=0; i=NUMSF)\n\t\t_throw(\"tjDecompressToYUVPlanes(): Could not scale down to desired image dimensions\");\n\tif(dinfo->num_components>3)\n\t\t_throw(\"tjDecompressToYUVPlanes(): JPEG image must have 3 or fewer components\");\n\n\twidth=scaledw; height=scaledh;\n\tdinfo->scale_num=sf[i].num;\n\tdinfo->scale_denom=sf[i].denom;\n\tsfi=i;\n\tjpeg_calc_output_dimensions(dinfo);\n\n\tdctsize=DCTSIZE*sf[sfi].num/sf[sfi].denom;\n\n\tfor(i=0; inum_components; i++)\n\t{\n\t\tjpeg_component_info *compptr=&dinfo->comp_info[i];\n\t\tint ih;\n\t\tiw[i]=compptr->width_in_blocks*dctsize;\n\t\tih=compptr->height_in_blocks*dctsize;\n\t\tpw[i]=PAD(dinfo->output_width, 
dinfo->max_h_samp_factor)\n\t\t\t*compptr->h_samp_factor/dinfo->max_h_samp_factor;\n\t\tph[i]=PAD(dinfo->output_height, dinfo->max_v_samp_factor)\n\t\t\t*compptr->v_samp_factor/dinfo->max_v_samp_factor;\n\t\tif(iw[i]!=pw[i] || ih!=ph[i]) usetmpbuf=1;\n\t\tth[i]=compptr->v_samp_factor*dctsize;\n\t\ttmpbufsize+=iw[i]*th[i];\n\t\tif((outbuf[i]=(JSAMPROW *)malloc(sizeof(JSAMPROW)*ph[i]))==NULL)\n\t\t\t_throw(\"tjDecompressToYUVPlanes(): Memory allocation failure\");\n\t\tptr=dstPlanes[i];\n\t\tfor(row=0; rownum_components; i++)\n\t\t{\n\t\t\tif((tmpbuf[i]=(JSAMPROW *)malloc(sizeof(JSAMPROW)*th[i]))==NULL)\n\t\t\t\t_throw(\"tjDecompressToYUVPlanes(): Memory allocation failure\");\n\t\t\tfor(row=0; rowjerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. */\n\t\tretval=-1; goto bailout;\n\t}\n\n\tif(flags&TJFLAG_FASTUPSAMPLE) dinfo->do_fancy_upsampling=FALSE;\n\tif(flags&TJFLAG_FASTDCT) dinfo->dct_method=JDCT_FASTEST;\n\tdinfo->raw_data_out=TRUE;\n\n\tjpeg_start_decompress(dinfo);\n\tfor(row=0; row<(int)dinfo->output_height;\n\t\trow+=dinfo->max_v_samp_factor*dinfo->_min_DCT_scaled_size)\n\t{\n\t\tJSAMPARRAY yuvptr[MAX_COMPONENTS];\n\t\tint crow[MAX_COMPONENTS];\n\t\tfor(i=0; inum_components; i++)\n\t\t{\n\t\t\tjpeg_component_info *compptr=&dinfo->comp_info[i];\n\t\t\tif(jpegSubsamp==TJ_420)\n\t\t\t{\n\t\t\t\t/* When 4:2:0 subsampling is used with IDCT scaling, libjpeg will try\n\t\t\t\t to be clever and use the IDCT to perform upsampling on the U and V\n\t\t\t\t planes. For instance, if the output image is to be scaled by 1/2\n\t\t\t\t relative to the JPEG image, then the scaling factor and upsampling\n\t\t\t\t effectively cancel each other, so a normal 8x8 IDCT can be used.\n\t\t\t\t However, this is not desirable when using the decompress-to-YUV\n\t\t\t\t functionality in TurboJPEG, since we want to output the U and V\n\t\t\t\t planes in their subsampled form. 
Thus, we have to override some\n\t\t\t\t internal libjpeg parameters to force it to use the \"scaled\" IDCT\n\t\t\t\t functions on the U and V planes. */\n\t\t\t\tcompptr->_DCT_scaled_size=dctsize;\n\t\t\t\tcompptr->MCU_sample_width=tjMCUWidth[jpegSubsamp]*\n\t\t\t\t\tsf[sfi].num/sf[sfi].denom*\n\t\t\t\t\tcompptr->v_samp_factor/dinfo->max_v_samp_factor;\n\t\t\t\tdinfo->idct->inverse_DCT[i] = dinfo->idct->inverse_DCT[0];\n\t\t\t}\n\t\t\tcrow[i]=row*compptr->v_samp_factor/dinfo->max_v_samp_factor;\n\t\t\tif(usetmpbuf) yuvptr[i]=tmpbuf[i];\n\t\t\telse yuvptr[i]=&outbuf[i][crow[i]];\n\t\t}\n\t\tjpeg_read_raw_data(dinfo, yuvptr,\n\t\t\tdinfo->max_v_samp_factor*dinfo->_min_DCT_scaled_size);\n\t\tif(usetmpbuf)\n\t\t{\n\t\t\tint j;\n\t\t\tfor(i=0; inum_components; i++)\n\t\t\t{\n\t\t\t\tfor(j=0; jglobal_state>DSTATE_START) jpeg_abort_decompress(dinfo);\n\tfor(i=0; ijerr.warning) retval=-1;\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 169277103039170376241754039304908975481, "size": 180, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... 
when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 1, "dataset": "other", "idx": 200866 }, { "func": "DLLEXPORT int DLLCALL tjDecompressToYUVPlanes(tjhandle handle,\n\tconst unsigned char *jpegBuf, unsigned long jpegSize,\n\tunsigned char **dstPlanes, int width, int *strides, int height, int flags)\n{\n\tint i, sfi, row, retval=0; JSAMPROW *outbuf[MAX_COMPONENTS];\n\tint jpegwidth, jpegheight, jpegSubsamp, scaledw, scaledh;\n\tint pw[MAX_COMPONENTS], ph[MAX_COMPONENTS], iw[MAX_COMPONENTS],\n\t\ttmpbufsize=0, usetmpbuf=0, th[MAX_COMPONENTS];\n\tJSAMPLE *_tmpbuf=NULL, *ptr; JSAMPROW *tmpbuf[MAX_COMPONENTS];\n\tint dctsize;\n\n\tgetdinstance(handle);\n\n\tfor(i=0; iinit&DECOMPRESS)==0)\n\t\t_throw(\"tjDecompressToYUVPlanes(): Instance has not been initialized for decompression\");\n\n\tif(jpegBuf==NULL || jpegSize<=0 || !dstPlanes || !dstPlanes[0] || width<0\n\t\t|| height<0)\n\t\t_throw(\"tjDecompressToYUVPlanes(): Invalid argument\");\n\n#ifndef NO_PUTENV\n\tif(flags&TJFLAG_FORCEMMX) putenv(\"JSIMD_FORCEMMX=1\");\n\telse if(flags&TJFLAG_FORCESSE) putenv(\"JSIMD_FORCESSE=1\");\n\telse if(flags&TJFLAG_FORCESSE2) putenv(\"JSIMD_FORCESSE2=1\");\n#endif\n\n\tif(setjmp(this->jerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. 
*/\n\t\tretval=-1; goto bailout;\n\t}\n\n\tif(!this->headerRead)\n\t{\n\t\tjpeg_mem_src_tj(dinfo, jpegBuf, jpegSize);\n\t\tjpeg_read_header(dinfo, TRUE);\n\t}\n\tthis->headerRead=0;\n\tjpegSubsamp=getSubsamp(dinfo);\n\tif(jpegSubsamp<0)\n\t\t_throw(\"tjDecompressToYUVPlanes(): Could not determine subsampling type for JPEG image\");\n\n\tif(jpegSubsamp!=TJSAMP_GRAY && (!dstPlanes[1] || !dstPlanes[2]))\n\t\t_throw(\"tjDecompressToYUVPlanes(): Invalid argument\");\n\n\tjpegwidth=dinfo->image_width; jpegheight=dinfo->image_height;\n\tif(width==0) width=jpegwidth;\n\tif(height==0) height=jpegheight;\n\tfor(i=0; i=NUMSF)\n\t\t_throw(\"tjDecompressToYUVPlanes(): Could not scale down to desired image dimensions\");\n\tif(dinfo->num_components>3)\n\t\t_throw(\"tjDecompressToYUVPlanes(): JPEG image must have 3 or fewer components\");\n\n\twidth=scaledw; height=scaledh;\n\tdinfo->scale_num=sf[i].num;\n\tdinfo->scale_denom=sf[i].denom;\n\tsfi=i;\n\tjpeg_calc_output_dimensions(dinfo);\n\n\tdctsize=DCTSIZE*sf[sfi].num/sf[sfi].denom;\n\n\tfor(i=0; inum_components; i++)\n\t{\n\t\tjpeg_component_info *compptr=&dinfo->comp_info[i];\n\t\tint ih;\n\t\tiw[i]=compptr->width_in_blocks*dctsize;\n\t\tih=compptr->height_in_blocks*dctsize;\n\t\tpw[i]=tjPlaneWidth(i, dinfo->output_width, jpegSubsamp);\n\t\tph[i]=tjPlaneHeight(i, dinfo->output_height, jpegSubsamp);\n\t\tif(iw[i]!=pw[i] || ih!=ph[i]) usetmpbuf=1;\n\t\tth[i]=compptr->v_samp_factor*dctsize;\n\t\ttmpbufsize+=iw[i]*th[i];\n\t\tif((outbuf[i]=(JSAMPROW *)malloc(sizeof(JSAMPROW)*ph[i]))==NULL)\n\t\t\t_throw(\"tjDecompressToYUVPlanes(): Memory allocation failure\");\n\t\tptr=dstPlanes[i];\n\t\tfor(row=0; rownum_components; i++)\n\t\t{\n\t\t\tif((tmpbuf[i]=(JSAMPROW *)malloc(sizeof(JSAMPROW)*th[i]))==NULL)\n\t\t\t\t_throw(\"tjDecompressToYUVPlanes(): Memory allocation failure\");\n\t\t\tfor(row=0; rowjerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. 
*/\n\t\tretval=-1; goto bailout;\n\t}\n\n\tif(flags&TJFLAG_FASTUPSAMPLE) dinfo->do_fancy_upsampling=FALSE;\n\tif(flags&TJFLAG_FASTDCT) dinfo->dct_method=JDCT_FASTEST;\n\tdinfo->raw_data_out=TRUE;\n\n\tjpeg_start_decompress(dinfo);\n\tfor(row=0; row<(int)dinfo->output_height;\n\t\trow+=dinfo->max_v_samp_factor*dinfo->_min_DCT_scaled_size)\n\t{\n\t\tJSAMPARRAY yuvptr[MAX_COMPONENTS];\n\t\tint crow[MAX_COMPONENTS];\n\t\tfor(i=0; inum_components; i++)\n\t\t{\n\t\t\tjpeg_component_info *compptr=&dinfo->comp_info[i];\n\t\t\tif(jpegSubsamp==TJ_420)\n\t\t\t{\n\t\t\t\t/* When 4:2:0 subsampling is used with IDCT scaling, libjpeg will try\n\t\t\t\t to be clever and use the IDCT to perform upsampling on the U and V\n\t\t\t\t planes. For instance, if the output image is to be scaled by 1/2\n\t\t\t\t relative to the JPEG image, then the scaling factor and upsampling\n\t\t\t\t effectively cancel each other, so a normal 8x8 IDCT can be used.\n\t\t\t\t However, this is not desirable when using the decompress-to-YUV\n\t\t\t\t functionality in TurboJPEG, since we want to output the U and V\n\t\t\t\t planes in their subsampled form. Thus, we have to override some\n\t\t\t\t internal libjpeg parameters to force it to use the \"scaled\" IDCT\n\t\t\t\t functions on the U and V planes. 
*/\n\t\t\t\tcompptr->_DCT_scaled_size=dctsize;\n\t\t\t\tcompptr->MCU_sample_width=tjMCUWidth[jpegSubsamp]*\n\t\t\t\t\tsf[sfi].num/sf[sfi].denom*\n\t\t\t\t\tcompptr->v_samp_factor/dinfo->max_v_samp_factor;\n\t\t\t\tdinfo->idct->inverse_DCT[i] = dinfo->idct->inverse_DCT[0];\n\t\t\t}\n\t\t\tcrow[i]=row*compptr->v_samp_factor/dinfo->max_v_samp_factor;\n\t\t\tif(usetmpbuf) yuvptr[i]=tmpbuf[i];\n\t\t\telse yuvptr[i]=&outbuf[i][crow[i]];\n\t\t}\n\t\tjpeg_read_raw_data(dinfo, yuvptr,\n\t\t\tdinfo->max_v_samp_factor*dinfo->_min_DCT_scaled_size);\n\t\tif(usetmpbuf)\n\t\t{\n\t\t\tint j;\n\t\t\tfor(i=0; inum_components; i++)\n\t\t\t{\n\t\t\t\tfor(j=0; jglobal_state>DSTATE_START) jpeg_abort_decompress(dinfo);\n\tfor(i=0; ijerr.warning) retval=-1;\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 117971814043960851220573612576267403876, "size": 178, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311112 }, { "func": "static OPJ_UINT32 opj_j2k_get_max_toc_size(opj_j2k_t *p_j2k)\n{\n OPJ_UINT32 i;\n OPJ_UINT32 l_nb_tiles;\n OPJ_UINT32 l_max = 0;\n opj_tcp_t * l_tcp = 00;\n\n l_tcp = p_j2k->m_cp.tcps;\n l_nb_tiles = p_j2k->m_cp.tw * p_j2k->m_cp.th ;\n\n for (i = 0; i < l_nb_tiles; ++i) {\n l_max = opj_uint_max(l_max, l_tcp->m_nb_tile_parts);\n\n ++l_tcp;\n }\n\n return 12 * l_max;\n}", "project": "openjpeg", "hash": 32990928497216841715167200345962270413, "size": 18, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357430 }, { "func": "Status ConvBackpropComputeDimensions(StringPiece label, int num_spatial_dims,\n const TensorShape& input_shape,\n const TensorShape& filter_shape,\n const TensorShape& 
out_backprop_shape,\n const std::vector& strides,\n Padding padding, TensorFormat data_format,\n ConvBackpropDimensions* dims) {\n static constexpr std::array one_dilations = {{1, 1, 1, 1, 1}};\n return ConvBackpropComputeDimensionsV2(\n label, num_spatial_dims, input_shape, filter_shape, out_backprop_shape,\n one_dilations, strides, padding, /*explicit_paddings=*/{}, data_format,\n dims);\n}", "project": "tensorflow", "hash": 272790429753683605043880865867944521098, "size": 13, "commit_id": "fca9874a9b42a2134f907d2fb46ab774a831404a", "message": "Prevent another division by zero.\n\nPiperOrigin-RevId: 369338598\nChange-Id: I55471d363e401fdcf8d259670ad4eef672b731e2", "target": 0, "dataset": "other", "idx": 255026 }, { "func": "CString CWebSock::GetSkinPath(const CString& sSkinName) {\n CString sRet = CZNC::Get().GetZNCPath() + \"/webskins/\" + sSkinName;\n\n if (!CFile::IsDir(sRet)) {\n sRet = CZNC::Get().GetCurPath() + \"/webskins/\" + sSkinName;\n\n if (!CFile::IsDir(sRet)) {\n sRet = CString(_SKINDIR_) + \"/\" + sSkinName;\n }\n }\n\n return sRet + \"/\";\n}", "project": "znc", "hash": 235465360297438929701123024752111071031, "size": 13, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 1, "dataset": "other", "idx": 197927 }, { "func": "CString CWebSock::GetSkinPath(const CString& sSkinName) {\n const CString sSkin = sSkinName.Replace_n(\"/\", \"_\").Replace_n(\".\", \"_\");\n\n CString sRet = CZNC::Get().GetZNCPath() + \"/webskins/\" + sSkin;\n\n if (!CFile::IsDir(sRet)) {\n sRet = CZNC::Get().GetCurPath() + \"/webskins/\" + sSkin;\n\n if (!CFile::IsDir(sRet)) {\n sRet = CString(_SKINDIR_) + \"/\" + sSkin;\n }\n }\n\n return sRet + \"/\";\n}", "project": "znc", "hash": 9744272250058996937416307326980903460, "size": 15, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": 
"Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265791 }, { "func": "int fuse_fill_super_submount(struct super_block *sb,\n\t\t\t struct fuse_inode *parent_fi)\n{\n\tstruct fuse_mount *fm = get_fuse_mount_super(sb);\n\tstruct super_block *parent_sb = parent_fi->inode.i_sb;\n\tstruct fuse_attr root_attr;\n\tstruct inode *root;\n\n\tfuse_sb_defaults(sb);\n\tfm->sb = sb;\n\n\tWARN_ON(sb->s_bdi != &noop_backing_dev_info);\n\tsb->s_bdi = bdi_get(parent_sb->s_bdi);\n\n\tsb->s_xattr = parent_sb->s_xattr;\n\tsb->s_time_gran = parent_sb->s_time_gran;\n\tsb->s_blocksize = parent_sb->s_blocksize;\n\tsb->s_blocksize_bits = parent_sb->s_blocksize_bits;\n\tsb->s_subtype = kstrdup(parent_sb->s_subtype, GFP_KERNEL);\n\tif (parent_sb->s_subtype && !sb->s_subtype)\n\t\treturn -ENOMEM;\n\n\tfuse_fill_attr_from_inode(&root_attr, parent_fi);\n\troot = fuse_iget(sb, parent_fi->nodeid, 0, &root_attr, 0, 0);\n\t/*\n\t * This inode is just a duplicate, so it is not looked up and\n\t * its nlookup should not be incremented. fuse_iget() does\n\t * that, though, so undo it here.\n\t */\n\tget_fuse_inode(root)->nlookup--;\n\tsb->s_d_op = &fuse_dentry_operations;\n\tsb->s_root = d_make_root(root);\n\tif (!sb->s_root)\n\t\treturn -ENOMEM;\n\n\treturn 0;\n}", "project": "linux", "hash": 17799002262334613060199133593774543783, "size": 37, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342132 }, { "func": "static inline int step_into(struct nameidata *nd, struct path *path,\n\t\t\t int flags, struct inode *inode, unsigned seq)\n{\n\tif (!(flags & WALK_MORE) && nd->depth)\n\t\tput_link(nd);\n\tif (likely(!d_is_symlink(path->dentry)) ||\n\t !(flags & WALK_FOLLOW || nd->flags & LOOKUP_FOLLOW)) {\n\t\t/* not a symlink or should not follow */\n\t\tpath_to_nameidata(path, nd);\n\t\tnd->inode = inode;\n\t\tnd->seq = seq;\n\t\treturn 0;\n\t}\n\t/* make sure that d_is_symlink above matches inode */\n\tif (nd->flags & LOOKUP_RCU) {\n\t\tif (read_seqcount_retry(&path->dentry->d_seq, seq))\n\t\t\treturn -ECHILD;\n\t}\n\treturn pick_link(nd, path, inode, seq);\n}", "project": "linux", "hash": 91942854555096470101270461866425759469, "size": 20, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295427 }, { "func": "void tcp_rcv_space_adjust(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tint time;\n\tint space;\n\n\tif (tp->rcvq_space.time 
== 0)\n\t\tgoto new_measure;\n\n\ttime = tcp_time_stamp - tp->rcvq_space.time;\n\tif (time < (tp->rcv_rtt_est.rtt >> 3) || tp->rcv_rtt_est.rtt == 0)\n\t\treturn;\n\n\tspace = 2 * (tp->copied_seq - tp->rcvq_space.seq);\n\n\tspace = max(tp->rcvq_space.space, space);\n\n\tif (tp->rcvq_space.space != space) {\n\t\tint rcvmem;\n\n\t\ttp->rcvq_space.space = space;\n\n\t\tif (sysctl_tcp_moderate_rcvbuf &&\n\t\t !(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) {\n\t\t\tint new_clamp = space;\n\n\t\t\t/* Receive space grows, normalize in order to\n\t\t\t * take into account packet headers and sk_buff\n\t\t\t * structure overhead.\n\t\t\t */\n\t\t\tspace /= tp->advmss;\n\t\t\tif (!space)\n\t\t\t\tspace = 1;\n\t\t\trcvmem = SKB_TRUESIZE(tp->advmss + MAX_TCP_HEADER);\n\t\t\twhile (tcp_win_from_space(rcvmem) < tp->advmss)\n\t\t\t\trcvmem += 128;\n\t\t\tspace *= rcvmem;\n\t\t\tspace = min(space, sysctl_tcp_rmem[2]);\n\t\t\tif (space > sk->sk_rcvbuf) {\n\t\t\t\tsk->sk_rcvbuf = space;\n\n\t\t\t\t/* Make the window clamp follow along. */\n\t\t\t\ttp->window_clamp = new_clamp;\n\t\t\t}\n\t\t}\n\t}\n\nnew_measure:\n\ttp->rcvq_space.seq = tp->copied_seq;\n\ttp->rcvq_space.time = tcp_time_stamp;\n}", "project": "net-next", "hash": 197838665224103310746787006533721504505, "size": 51, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409913 }, { "func": "static u8 tdme_checkpibattribute(\n\tu8 pib_attribute,\n\tu8 pib_attribute_length,\n\tconst void *pib_attribute_value\n)\n{\n\tu8 status = MAC_SUCCESS;\n\tu8 value;\n\n\tvalue = *((u8 *)pib_attribute_value);\n\n\tswitch (pib_attribute) {\n\t/* PHY */\n\tcase PHY_TRANSMIT_POWER:\n\t\tif (value > 0x3F)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\tcase PHY_CCA_MODE:\n\t\tif (value > 0x03)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\t/* MAC */\n\tcase MAC_BATT_LIFE_EXT_PERIODS:\n\t\tif (value < 6 || value > 41)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\tcase MAC_BEACON_PAYLOAD:\n\t\tif (pib_attribute_length > MAX_BEACON_PAYLOAD_LENGTH)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\tcase MAC_BEACON_PAYLOAD_LENGTH:\n\t\tif (value > MAX_BEACON_PAYLOAD_LENGTH)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\tcase MAC_BEACON_ORDER:\n\t\tif (value > 15)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\tcase MAC_MAX_BE:\n\t\tif (value < 3 || value > 8)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\tcase MAC_MAX_CSMA_BACKOFFS:\n\t\tif (value > 5)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\tcase MAC_MAX_FRAME_RETRIES:\n\t\tif (value > 7)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\tcase MAC_MIN_BE:\n\t\tif (value > 8)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\tcase MAC_RESPONSE_WAIT_TIME:\n\t\tif (value < 2 || value > 64)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\tcase MAC_SUPERFRAME_ORDER:\n\t\tif (value > 15)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\t/* boolean */\n\tcase MAC_ASSOCIATED_PAN_COORD:\n\tcase MAC_ASSOCIATION_PERMIT:\n\tcase MAC_AUTO_REQUEST:\n\tcase MAC_BATT_LIFE_EXT:\n\tcase MAC_GTS_PERMIT:\n\tcase MAC_PROMISCUOUS_MODE:\n\tcase MAC_RX_ON_WHEN_IDLE:\n\tcase MAC_SECURITY_ENABLED:\n\t\tif (value > 1)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\t/* MAC SEC */\n\tcase 
MAC_AUTO_REQUEST_SECURITY_LEVEL:\n\t\tif (value > 7)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\tcase MAC_AUTO_REQUEST_KEY_ID_MODE:\n\t\tif (value > 3)\n\t\t\tstatus = MAC_INVALID_PARAMETER;\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\n\treturn status;\n}", "project": "linux", "hash": 174994230738365337523944119926123621468, "size": 89, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408774 }, { "func": "static int read_bits_32(struct rar5* rar, const uint8_t* p, uint32_t* value) {\n\tuint32_t bits = ((uint32_t) p[rar->bits.in_addr]) << 24;\n\tbits |= p[rar->bits.in_addr + 1] << 16;\n\tbits |= p[rar->bits.in_addr + 2] << 8;\n\tbits |= p[rar->bits.in_addr + 3];\n\tbits <<= rar->bits.bit_addr;\n\tbits |= p[rar->bits.in_addr + 4] >> (8 - rar->bits.bit_addr);\n\t*value = bits;\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 79843676176985907389971255214449182467, "size": 10, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244731 }, { "func": "\treturn err;\n}\n\nstatic int iscsi_session_has_conns(int sid)\n{\n\tstruct iscsi_cls_conn *conn;\n\tunsigned long flags;\n\tint found = 0;\n\n\tspin_lock_irqsave(&connlock, flags);\n\tlist_for_each_entry(conn, &connlist, conn_list) {\n\t\tif (iscsi_conn_get_sid(conn) == sid) {\n\t\t\tfound = 1;\n\t\t\tbreak;\n\t\t}\n\t}\n\tspin_unlock_irqrestore(&connlock, flags);", "project": "linux", "hash": 67473531258428240586925117732895169040, "size": 17, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379919 }, { "func": "static void setfreq_i(struct sd *sd, s32 val)\n{\n\tif (sd->sensor == SEN_OV7660\n\t || sd->sensor == SEN_OV7670) {\n\t\tswitch (val) {\n\t\tcase 0: /* Banding filter disabled */\n\t\t\ti2c_w_mask(sd, OV7670_R13_COM8, 0, OV7670_COM8_BFILT);\n\t\t\tbreak;\n\t\tcase 1: /* 50 hz */\n\t\t\ti2c_w_mask(sd, OV7670_R13_COM8, OV7670_COM8_BFILT,\n\t\t\t\t OV7670_COM8_BFILT);\n\t\t\ti2c_w_mask(sd, OV7670_R3B_COM11, 0x08, 0x18);\n\t\t\tbreak;\n\t\tcase 2: /* 60 hz */\n\t\t\ti2c_w_mask(sd, OV7670_R13_COM8, OV7670_COM8_BFILT,\n\t\t\t\t OV7670_COM8_BFILT);\n\t\t\ti2c_w_mask(sd, OV7670_R3B_COM11, 0x00, 0x18);\n\t\t\tbreak;\n\t\tcase 3: /* Auto hz - ov7670 only */\n\t\t\ti2c_w_mask(sd, OV7670_R13_COM8, OV7670_COM8_BFILT,\n\t\t\t\t OV7670_COM8_BFILT);\n\t\t\ti2c_w_mask(sd, OV7670_R3B_COM11, OV7670_COM11_HZAUTO,\n\t\t\t\t 0x18);\n\t\t\tbreak;\n\t\t}\n\t} else {\n\t\tswitch (val) {\n\t\tcase 0: /* Banding filter disabled */\n\t\t\ti2c_w_mask(sd, 0x2d, 0x00, 0x04);\n\t\t\ti2c_w_mask(sd, 0x2a, 0x00, 0x80);\n\t\t\tbreak;\n\t\tcase 1: /* 50 hz (filter on and framerate adj) */\n\t\t\ti2c_w_mask(sd, 0x2d, 0x04, 0x04);\n\t\t\ti2c_w_mask(sd, 0x2a, 0x80, 0x80);\n\t\t\t/* 20 fps -> 16.667 fps */\n\t\t\tif (sd->sensor == SEN_OV6620 ||\n\t\t\t sd->sensor == SEN_OV6630 ||\n\t\t\t sd->sensor == SEN_OV66308AF)\n\t\t\t\ti2c_w(sd, 0x2b, 0x5e);\n\t\t\telse\n\t\t\t\ti2c_w(sd, 0x2b, 0xac);\n\t\t\tbreak;\n\t\tcase 2: /* 60 hz (filter on, ...) */\n\t\t\ti2c_w_mask(sd, 0x2d, 0x04, 0x04);\n\t\t\tif (sd->sensor == SEN_OV6620 ||\n\t\t\t sd->sensor == SEN_OV6630 ||\n\t\t\t sd->sensor == SEN_OV66308AF) {\n\t\t\t\t/* 20 fps -> 15 fps */\n\t\t\t\ti2c_w_mask(sd, 0x2a, 0x80, 0x80);\n\t\t\t\ti2c_w(sd, 0x2b, 0xa8);\n\t\t\t} else {\n\t\t\t\t/* no framerate adj. 
*/\n\t\t\t\ti2c_w_mask(sd, 0x2a, 0x00, 0x80);\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t}\n}", "project": "linux", "hash": 142545649904941596173000219432657457689, "size": 58, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306313 }, { "func": "static inline void io_put_req(struct io_kiocb *req)\n{\n\tif (req_ref_put_and_test(req))\n\t\tio_free_req(req);\n}", "project": "linux", "hash": 218748824809575505717374563949498323703, "size": 5, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338671 }, { "func": "int set_user_sigmask(const sigset_t __user *umask, size_t sigsetsize)\n{\n\tsigset_t kmask;\n\n\tif (!umask)\n\t\treturn 0;\n\tif (sigsetsize != sizeof(sigset_t))\n\t\treturn -EINVAL;\n\tif (copy_from_user(&kmask, umask, sizeof(sigset_t)))\n\t\treturn -EFAULT;\n\n\tset_restore_sigmask();\n\tcurrent->saved_sigmask = current->blocked;\n\tset_current_blocked(&kmask);\n\n\treturn 0;\n}", "project": "linux", "hash": 104710455301398677653544713731171928047, "size": 17, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375203 }, { "func": "umasked_symlink (char *name1, char *name2, int mode)\n{\n int\told_umask;\n int\trc;\n mode = ~(mode & 0777) & 0777;\n old_umask = umask (mode);\n rc = symlink (name1, name2);\n umask (old_umask);\n return rc;\n}", "target": 0, "cwe": [ "CWE-190" ], "project": "cpio", "commit_id": "dd96882877721703e19272fe25034560b794061b", "hash": 12864569247507621412153432792946007206, "size": 10, "message": "Rewrite dynamic string support.\n\n* src/dstring.c (ds_init): Take a single argument.\n(ds_free): New function.\n(ds_resize): Take a single argument. Use x2nrealloc to expand\nthe storage.\n(ds_reset,ds_append,ds_concat,ds_endswith): New function.\n(ds_fgetstr): Rewrite. 
In particular, this fixes integer overflow.\n* src/dstring.h (dynamic_string): Keep both the allocated length\n(ds_size) and index of the next free byte in the string (ds_idx).\n(ds_init,ds_resize): Change signature.\n(ds_len): New macro.\n(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.\n* src/copyin.c: Use new ds_ functions.\n* src/copyout.c: Likewise.\n* src/copypass.c: Likewise.\n* src/util.c: Likewise.", "dataset": "other", "idx": 499713 }, { "func": "static inline int is_event_supported(unsigned int code,\n\t\t\t\t unsigned long *bm, unsigned int max)\n{\n\treturn code <= max && test_bit(code, bm);\n}", "project": "linux", "hash": 325922502894411163109718506465732329291, "size": 5, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353358 }, { "func": "struct dentry *kern_path_create(int dfd, const char *pathname,\n\t\t\t\tstruct path *path, unsigned int lookup_flags)\n{\n\treturn filename_create(dfd, getname_kernel(pathname),\n\t\t\t\tpath, lookup_flags);\n}", "project": "linux", "hash": 127849302470610897270725502862579096610, "size": 6, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295313 }, { "func": "inline struct dentry *user_path_create(int dfd, const char __user *pathname,\n\t\t\t\tstruct path *path, unsigned int lookup_flags)\n{\n\treturn filename_create(dfd, getname(pathname), path, lookup_flags);\n}", "project": "linux", "hash": 2114919932999349983911548998910652010, "size": 5, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295412 }, { "func": "static void pb_field_init(pb_field_iterator_t *iter, const pb_field_t *fields, void *dest_struct)\n{\n iter->start = iter->pos = fields;\n iter->field_index = 0;\n iter->required_field_index = 0;\n iter->pData = (char*)dest_struct + iter->pos->data_offset;\n 
iter->pSize = (char*)iter->pData + iter->pos->size_offset;\n iter->dest_struct = dest_struct;\n}", "project": "nanopb", "hash": 245058385241795357875229010321282126733, "size": 9, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255322 }, { "func": "int vfs_mkobj(struct dentry *dentry, umode_t mode,\n\t\tint (*f)(struct dentry *, umode_t, void *),\n\t\tvoid *arg)\n{\n\tstruct inode *dir = dentry->d_parent->d_inode;\n\tint error = may_create(dir, dentry);\n\tif (error)\n\t\treturn error;\n\n\tmode &= S_IALLUGO;\n\tmode |= S_IFREG;\n\terror = security_inode_create(dir, dentry, mode);\n\tif (error)\n\t\treturn error;\n\terror = f(dentry, mode, arg);\n\tif (!error)\n\t\tfsnotify_create(dir, dentry);\n\treturn error;\n}", "project": "linux", "hash": 130031479537471355218392544495110259650, "size": 19, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295414 }, { "func": "int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)\n{\n\tint rc = 0;\n\tchar *page_virt = NULL;\n\tstruct inode *ecryptfs_inode = ecryptfs_dentry->d_inode;\n\tstruct ecryptfs_crypt_stat *crypt_stat =\n\t &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;\n\tstruct ecryptfs_mount_crypt_stat *mount_crypt_stat =\n\t\t&ecryptfs_superblock_to_private(\n\t\t\tecryptfs_dentry->d_sb)->mount_crypt_stat;\n\n\tecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,\n\t\t\t\t\t\t mount_crypt_stat);\n\t/* Read the first page from the underlying file */\n\tpage_virt = kmem_cache_alloc(ecryptfs_header_cache_1, GFP_USER);\n\tif (!page_virt) {\n\t\trc = 
-ENOMEM;\n\t\tprintk(KERN_ERR \"%s: Unable to allocate page_virt\\n\",\n\t\t __func__);\n\t\tgoto out;\n\t}\n\trc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size,\n\t\t\t\t ecryptfs_inode);\n\tif (!rc)\n\t\trc = ecryptfs_read_headers_virt(page_virt, crypt_stat,\n\t\t\t\t\t\tecryptfs_dentry,\n\t\t\t\t\t\tECRYPTFS_VALIDATE_HEADER_SIZE);\n\tif (rc) {\n\t\trc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode);\n\t\tif (rc) {\n\t\t\tprintk(KERN_DEBUG \"Valid eCryptfs headers not found in \"\n\t\t\t \"file header region or xattr region\\n\");\n\t\t\trc = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\t\trc = ecryptfs_read_headers_virt(page_virt, crypt_stat,\n\t\t\t\t\t\tecryptfs_dentry,\n\t\t\t\t\t\tECRYPTFS_DONT_VALIDATE_HEADER_SIZE);\n\t\tif (rc) {\n\t\t\tprintk(KERN_DEBUG \"Valid eCryptfs headers not found in \"\n\t\t\t \"file xattr region either\\n\");\n\t\t\trc = -EINVAL;\n\t\t}\n\t\tif (crypt_stat->mount_crypt_stat->flags\n\t\t & ECRYPTFS_XATTR_METADATA_ENABLED) {\n\t\t\tcrypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;\n\t\t} else {\n\t\t\tprintk(KERN_WARNING \"Attempt to access file with \"\n\t\t\t \"crypto metadata only in the extended attribute \"\n\t\t\t \"region, but eCryptfs was mounted without \"\n\t\t\t \"xattr support enabled. 
eCryptfs will not treat \"\n\t\t\t \"this like an encrypted file.\\n\");\n\t\t\trc = -EINVAL;\n\t\t}\n\t}\nout:\n\tif (page_virt) {\n\t\tmemset(page_virt, 0, PAGE_CACHE_SIZE);\n\t\tkmem_cache_free(ecryptfs_header_cache_1, page_virt);\n\t}\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 148463349741791392433725658919641662982, "size": 62, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. 
Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490182 }, { "func": "int CSnapIDPool::NewID()\n{\n\tint64 Now = time_get();\n\n\t// process timed ids\n\twhile(m_FirstTimed != -1 && m_aIDs[m_FirstTimed].m_Timeout < Now)\n\t\tRemoveFirstTimeout();\n\n\tint ID = m_FirstFree;\n\tdbg_assert(ID != -1, \"id error\");\n\tif(ID == -1)\n\t\treturn ID;\n\tm_FirstFree = m_aIDs[m_FirstFree].m_Next;\n\tm_aIDs[ID].m_State = 1;\n\tm_Usage++;\n\tm_InUsage++;\n\treturn ID;\n}", "project": "teeworlds", "hash": 33315017516502727899399249531122725184, "size": 18, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382021 }, { "func": "static loff_t fuse_lseek(struct file *file, loff_t offset, int whence)\n{\n\tstruct inode *inode = file->f_mapping->host;\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tstruct fuse_file *ff = file->private_data;\n\tFUSE_ARGS(args);\n\tstruct fuse_lseek_in inarg = {\n\t\t.fh = ff->fh,\n\t\t.offset = offset,\n\t\t.whence = whence\n\t};\n\tstruct fuse_lseek_out outarg;\n\tint err;\n\n\tif (fm->fc->no_lseek)\n\t\tgoto fallback;\n\n\targs.opcode = FUSE_LSEEK;\n\targs.nodeid = ff->nodeid;\n\targs.in_numargs = 1;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\targs.out_numargs = 1;\n\targs.out_args[0].size = sizeof(outarg);\n\targs.out_args[0].value = &outarg;\n\terr = fuse_simple_request(fm, &args);\n\tif (err) {\n\t\tif (err == -ENOSYS) {\n\t\t\tfm->fc->no_lseek = 1;\n\t\t\tgoto fallback;\n\t\t}\n\t\treturn err;\n\t}\n\n\treturn vfs_setpos(file, outarg.offset, inode->i_sb->s_maxbytes);\n\nfallback:\n\terr = fuse_update_attributes(inode, file);\n\tif (!err)\n\t\treturn generic_file_llseek(file, offset, whence);\n\telse\n\t\treturn err;\n}", "project": "linux", "hash": 276845804082666365718707542984207755391, "size": 43, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", 
"message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341979 }, { "func": "static int test_fix(struct libmnt_test *ts, int argc, char *argv[])\n{\n\tchar *optstr;\n\tint rc = 0;\n\tchar *name, *val, *next;\n\tsize_t valsz, namesz;\n\n\tif (argc < 2)\n\t\treturn -EINVAL;\n\n\tnext = optstr = xstrdup(argv[1]);\n\n\tprintf(\"optstr: %s\\n\", optstr);\n\n\twhile (!mnt_optstr_next_option(&next, &name, &namesz, &val, &valsz)) {\n\n\t\tif (!strncmp(name, \"uid\", 3))\n\t\t\trc = mnt_optstr_fix_uid(&optstr, val, valsz, &next);\n\t\telse if (!strncmp(name, \"gid\", 3))\n\t\t\trc = mnt_optstr_fix_gid(&optstr, val, valsz, &next);\n\t\telse if (!strncmp(name, \"context\", 7))\n\t\t\trc = mnt_optstr_fix_secontext(&optstr, val, valsz, &next);\n\t\tif (rc)\n\t\t\tbreak;\n\t}\n\tif (rc)\n\t\trc = mnt_optstr_fix_user(&optstr);\n\n\tprintf(\"fixed: %s\\n\", optstr);\n\n\tfree(optstr);\n\treturn rc;\n\n}", "project": "util-linux", "hash": 203115106839634639405377120007346680451, "size": 34, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged 
user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410427 }, { "func": "static inline unsigned int oo_order(struct kmem_cache_order_objects x)\n{\n\treturn x.x >> OO_SHIFT;\n}", "project": "linux", "hash": 48186562323963502312091765115878468116, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280110 }, { "func": "UntrustedCacheMalloc::UntrustedCacheMalloc() : lock_(/*is_recursive=*/true) {\n if (is_destroyed_) {\n return;\n }\n // Initialize a free list object in the trusted heap. The free list object\n // stores an array of buffers stored in the untrusted heap.\n free_list_ = absl::make_unique();\n free_list_->buffers.reset(reinterpret_cast(\n primitives::TrustedPrimitives::UntrustedLocalAlloc(sizeof(void *) *\n kFreeListCapacity)));\n free_list_->count = 0;\n}", "project": "asylo", "hash": 328228980050374662071878282754724943317, "size": 12, "commit_id": "a47ef55db2337d29de19c50cd29b0deb2871d31c", "message": "Fix vulnerability in UntrustedCacheMalloc\n\nThe pointer array is stored in untrusted memory, so we cannot trust the\nvalue even after validation. 
We should validate the pointer is pointing\nto untrusted memory after it's stored inside the enclave.\n\nPiperOrigin-RevId: 358474391\nChange-Id: I63cf6c251bdaf1b491dbf06cc0dcf77f7b141756", "target": 0, "dataset": "other", "idx": 264759 }, { "func": "inline void JOIN::eval_select_list_used_tables()\n{\n select_list_used_tables= 0;\n Item *item;\n List_iterator_fast it(fields_list);\n while ((item= it++))\n {\n select_list_used_tables|= item->used_tables();\n }\n Item_outer_ref *ref;\n List_iterator_fast ref_it(select_lex->inner_refs_list);\n while ((ref= ref_it++))\n {\n item= ref->outer_ref;\n select_list_used_tables|= item->used_tables();\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 158742555689613504487884338751014515119, "size": 17, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508752 }, { "func": "static int synic_set_sint(struct kvm_vcpu_hv_synic *synic, int sint,\n\t\t\t u64 data, bool host)\n{\n\tint vector, old_vector;\n\tbool masked;\n\n\tvector = data & HV_SYNIC_SINT_VECTOR_MASK;\n\tmasked = data & HV_SYNIC_SINT_MASKED;\n\n\t/*\n\t * Valid vectors are 16-255, however, nested Hyper-V attempts to write\n\t * default '0x10000' value on boot and this should not #GP. We need to\n\t * allow zero-initing the register from host as well.\n\t */\n\tif (vector < HV_SYNIC_FIRST_VALID_VECTOR && !host && !masked)\n\t\treturn 1;\n\t/*\n\t * Guest may configure multiple SINTs to use the same vector, so\n\t * we maintain a bitmap of vectors handled by synic, and a\n\t * bitmap of vectors with auto-eoi behavior. The bitmaps are\n\t * updated here, and atomically queried on fast paths.\n\t */\n\told_vector = synic_read_sint(synic, sint) & HV_SYNIC_SINT_VECTOR_MASK;\n\n\tatomic64_set(&synic->sint[sint], data);\n\n\tsynic_update_vector(synic, old_vector);\n\n\tsynic_update_vector(synic, vector);\n\n\t/* Load SynIC vectors into EOI exit bitmap */\n\tkvm_make_request(KVM_REQ_SCAN_IOAPIC, hv_synic_to_vcpu(synic));\n\treturn 0;\n}", "project": "linux", "hash": 237835773783252589390657411488701152998, "size": 34, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n 
kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343523 }, { "func": "float IIR2_filter::update(float x)\r\n{\r\n prev[0] = x;\r\n double y = x * coeffs[0];\r\n\r\n for (int i = 4; i >= 1; i--)\r\n {\r\n y += coeffs[i] * prev[i];\r\n prev[i] = prev[i - 1];\r\n }\r\n\r\n prev[3] = y;\r\n return (float)y;\r\n}\r", "project": "soundtouch", "hash": 325241385808906645495380537690807339082, "size": 14, "commit_id": "a1c400eb2cff849c0e5f9d6916d69ffea3ad2c85", "message": "Fix issue CVE-2018-17096: Replace assert with runtime exception", "target": 0, "dataset": "other", "idx": 368096 }, { "func": "static long long usec(void) {\n struct timeval tv;\n gettimeofday(&tv,NULL);\n return (((long long)tv.tv_sec)*1000000)+tv.tv_usec;\n}", "project": "redis", "hash": 224261805209280749301184049874946891135, "size": 5, "commit_id": "789f10156009b404950ad717642a9496ed887083", "message": "Fix integer overflow in intset (CVE-2021-29478)\n\nAn integer 
overflow bug in Redis 6.2 could be exploited to corrupt the heap and\npotentially result with remote code execution.\n\nThe vulnerability involves changing the default set-max-intset-entries\nconfiguration value, creating a large set key that consists of integer values\nand using the COPY command to duplicate it.\n\nThe integer overflow bug exists in all versions of Redis starting with 2.6,\nwhere it could result with a corrupted RDB or DUMP payload, but not exploited\nthrough COPY (which did not exist before 6.2).\n\n(cherry picked from commit 29900d4e6bccdf3691bedf0ea9a5d84863fa3592)", "target": 0, "dataset": "other", "idx": 290636 }, { "func": "static int exif_process_undefined(char **result, char *value,\n size_t byte_count) {\n /* we cannot use strlcpy - here the problem is that we have to copy NUL\n * chars up to byte_count, we also have to add a single NUL character to\n * force end of string.\n */\n if (byte_count) {\n PHP_STRNDUP((*result), value, byte_count); /* NULL @ byte_count!!! 
*/\n if (*result) return byte_count+1;\n }\n return 0;\n}", "project": "hhvm", "hash": 225830390173124547419595040778724800058, "size": 12, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219597 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "JNIEXPORT jbyteArray JNICALL Java_edu_berkeley_cs_rise_opaque_execution_SGXEnclave_RemoteAttestation2(\n JNIEnv *env, jobject obj,\n jlong eid,\n jbyteArray msg2_input) {\n\n (void)env;\n (void)obj;\n\n int ret = 0;\n //sgx_ra_context_t context = INT_MAX;\n\n (void)ret;\n (void)eid;\n // Successfully sent msg1 and received a msg2 back.\n // Time now to check msg2.\n\n //uint32_t input_len = (uint32_t) env->GetArrayLength(msg2_input);\n jboolean if_copy = false;\n jbyte *ptr = env->GetByteArrayElements(msg2_input, &if_copy);\n sgx_ra_msg2_t* p_msg2_body = (sgx_ra_msg2_t*)(ptr);\n\n#ifdef DEBUG\n printf(\"Printing p_msg2_body\\n\");\n PRINT_BYTE_ARRAY(stdout, p_msg2_body, sizeof(sgx_ra_msg2_t));\n#endif\n\n uint32_t msg3_size = 0;\n sgx_ra_msg3_t *msg3 = NULL;\n\n // The ISV app now calls uKE sgx_ra_proc_msg2,\n // The ISV app is responsible for freeing the returned p_msg3!\n#ifdef DEBUG\n printf(\"[RemoteAttestation2] context is %u, eid: %u\\n\", (uint32_t) context, (uint32_t) eid);\n#endif\n ret = sgx_ra_proc_msg2(context,\n eid,\n sgx_ra_proc_msg2_trusted,\n sgx_ra_get_msg3_trusted,\n p_msg2_body,\n sizeof(sgx_ra_msg2_t),\n &msg3,\n &msg3_size);\n\n if (!msg3) {\n fprintf(stdout, \"\\nError, call sgx_ra_proc_msg2 fail. msg3 = 0x%p [%s].\\n\", msg3, __FUNCTION__);\n print_error_message((sgx_status_t) ret);\n jbyteArray array_ret = env->NewByteArray(0);\n return array_ret;\n }\n\n if(SGX_SUCCESS != (sgx_status_t)ret) {\n fprintf(stdout, \"\\nError, call sgx_ra_proc_msg2 fail. 
\"\n \"ret = 0x%08x [%s].\\n\", ret, __FUNCTION__);\n print_error_message((sgx_status_t) ret);\n jbyteArray array_ret = env->NewByteArray(0);\n return array_ret;\n } else {\n#ifdef DEBUG\n fprintf(stdout, \"\\nCall sgx_ra_proc_msg2 success.\\n\");\n#endif\n }\n\n jbyteArray array_ret = env->NewByteArray(msg3_size);\n env->SetByteArrayRegion(array_ret, 0, msg3_size, (jbyte *) msg3);\n\n free(msg3);\n return array_ret;\n}", "idx": 519086, "cwe": "CWE-787", "hash": 257626130092408947197183782108053842137, "dataset": "other" }, { "func": "static void tcp_try_undo_dsack(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\tif (tp->undo_marker && !tp->undo_retrans) {\n\t\tDBGUNDO(sk, \"D-SACK\");\n\t\ttcp_undo_cwr(sk, true);\n\t\ttp->undo_marker = 0;\n\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPDSACKUNDO);\n\t}\n}", "project": "net-next", "hash": 7843440395133952924119632946601856872, "size": 11, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409880 }, { "func": "ConnStateData::whenClientIpKnown()\n{\n if (Config.onoff.log_fqdn)\n fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS);\n\n#if USE_IDENT\n if (Ident::TheConfig.identLookup) {\n ACLFilledChecklist identChecklist(Ident::TheConfig.identLookup, NULL, NULL);\n identChecklist.src_addr = clientConnection->remote;\n identChecklist.my_addr = clientConnection->local;\n if (identChecklist.fastCheck().allowed())\n Ident::Start(clientConnection, clientIdentDone, this);\n }\n#endif\n\n clientdbEstablished(clientConnection->remote, 1);\n\n#if USE_DELAY_POOLS\n fd_table[clientConnection->fd].clientInfo = NULL;\n\n if (!Config.onoff.client_db)\n return; // client delay pools require client_db\n\n ClientDelayPools& pools(Config.ClientDelay.pools);\n if (pools.size()) {\n ACLFilledChecklist ch(NULL, NULL, NULL);\n\n // TODO: we check early to limit error response bandwith but we\n // should recheck when we can honor delay_pool_uses_indirect\n // TODO: we should also pass the port details for myportname here.\n ch.src_addr = clientConnection->remote;\n ch.my_addr = clientConnection->local;\n\n for (unsigned int pool = 0; pool < pools.size(); ++pool) {\n\n /* pools require explicit 'allow' to assign a client into them */\n if (pools[pool].access) {\n ch.changeAcl(pools[pool].access);\n allow_t answer = ch.fastCheck();\n if (answer.allowed()) {\n\n /* request client information from db after we did all checks\n this will save hash lookup if client failed checks */\n ClientInfo * cli = clientdbGetInfo(clientConnection->remote);\n assert(cli);\n\n /* put client info in FDE */\n fd_table[clientConnection->fd].clientInfo = cli;\n\n /* setup write limiter for this request */\n const double burst = floor(0.5 +\n (pools[pool].highwatermark * Config.ClientDelay.initial)/100.0);\n cli->setWriteLimiter(pools[pool].rate, burst, pools[pool].highwatermark);\n break;\n } else {\n debugs(83, 4, HERE << \"Delay 
pool \" << pool << \" skipped because ACL \" << answer);\n }\n }\n }\n }\n#endif\n\n // kids must extend to actually start doing something (e.g., reading)\n}", "project": "squid", "hash": 8510654414265530395340790268733647909, "size": 64, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402367 }, { "func": "static void nested_svm_init_mmu_context(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tstruct vmcb *hsave = svm->nested.hsave;\n\n\tWARN_ON(mmu_is_nested(vcpu));\n\n\tvcpu->arch.mmu = &vcpu->arch.guest_mmu;\n\tkvm_init_shadow_npt_mmu(vcpu, X86_CR0_PG, hsave->save.cr4, hsave->save.efer,\n\t\t\t\tsvm->nested.ctl.nested_cr3);\n\tvcpu->arch.mmu->get_guest_pgd = nested_svm_get_tdp_cr3;\n\tvcpu->arch.mmu->get_pdptr = nested_svm_get_tdp_pdptr;\n\tvcpu->arch.mmu->inject_page_fault = nested_svm_inject_npf_exit;\n\treset_shadow_zero_bits_mask(vcpu, vcpu->arch.mmu);\n\tvcpu->arch.walk_mmu = &vcpu->arch.nested_mmu;\n}", "project": "linux", "hash": 159572356458703785929488030626216019007, "size": 16, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. 
Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376650 }, { "func": "static void nested_svm_init_mmu_context(struct kvm_vcpu *vcpu)\n{\n\tWARN_ON(mmu_is_nested(vcpu));\n\n\tvcpu->arch.mmu = &vcpu->arch.guest_mmu;\n\tkvm_init_shadow_mmu(vcpu);\n\tvcpu->arch.mmu->set_cr3 = nested_svm_set_tdp_cr3;\n\tvcpu->arch.mmu->get_cr3 = nested_svm_get_tdp_cr3;\n\tvcpu->arch.mmu->get_pdptr = nested_svm_get_tdp_pdptr;\n\tvcpu->arch.mmu->inject_page_fault = nested_svm_inject_npf_exit;\n\tvcpu->arch.mmu->shadow_root_level = get_npt_level(vcpu);\n\treset_shadow_zero_bits_mask(vcpu, vcpu->arch.mmu);\n\tvcpu->arch.walk_mmu = &vcpu->arch.nested_mmu;\n}", "project": "linux", "hash": 299211096375971291176833203843242217767, "size": 14, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432507 }, { "func": "static void nested_svm_init_mmu_context(struct kvm_vcpu *vcpu)\n{\n\tkvm_init_shadow_mmu(vcpu, &vcpu->arch.mmu);\n\n\tvcpu->arch.mmu.set_cr3 = nested_svm_set_tdp_cr3;\n\tvcpu->arch.mmu.get_cr3 = nested_svm_get_tdp_cr3;\n\tvcpu->arch.mmu.get_pdptr = nested_svm_get_tdp_pdptr;\n\tvcpu->arch.mmu.inject_page_fault = nested_svm_inject_npf_exit;\n\tvcpu->arch.mmu.shadow_root_level = get_npt_level();\n\tvcpu->arch.walk_mmu = &vcpu->arch.nested_mmu;\n}", "project": "kvm", "hash": 311275793249507216102360936129295893395, "size": 11, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437597 }, { "func": "void CClient::BouncedOff() {\n PutStatusNotice(\n t_s(\"You are being disconnected because another user just \"\n \"authenticated as you.\"));\n Close(Csock::CLT_AFTERWRITE);\n}", "project": "znc", "hash": 205851344480183006217883651466098076896, "size": 6, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231591 }, { "func": "static int run_e8e9_filter(struct rar5* rar, struct filter_info* flt,\n\t\tint extended)\n{\n\tconst uint32_t file_size = 0x1000000;\n\tssize_t i;\n\n\tcircular_memcpy(rar->cstate.filtered_buf,\n\t rar->cstate.window_buf, rar->cstate.window_mask,\n\t rar->cstate.solid_offset + flt->block_start,\n\t 
rar->cstate.solid_offset + flt->block_start + flt->block_length);\n\n\tfor(i = 0; i < flt->block_length - 4;) {\n\t\tuint8_t b = rar->cstate.window_buf[\n\t\t (rar->cstate.solid_offset + flt->block_start +\n\t\t i++) & rar->cstate.window_mask];\n\n\t\t/*\n\t\t * 0xE8 = x86's call (function call)\n\t\t * 0xE9 = x86's jmp (unconditional jump)\n\t\t */\n\t\tif(b == 0xE8 || (extended && b == 0xE9)) {\n\n\t\t\tuint32_t addr;\n\t\t\tuint32_t offset = (i + flt->block_start) % file_size;\n\n\t\t\taddr = read_filter_data(rar,\n\t\t\t (uint32_t)(rar->cstate.solid_offset +\n\t\t\t flt->block_start + i) & rar->cstate.window_mask);\n\n\t\t\tif(addr & 0x80000000) {\n\t\t\t\tif(((addr + offset) & 0x80000000) == 0) {\n\t\t\t\t\twrite_filter_data(rar, (uint32_t)i,\n\t\t\t\t\t addr + file_size);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tif((addr - file_size) & 0x80000000) {\n\t\t\t\t\tuint32_t naddr = addr - offset;\n\t\t\t\t\twrite_filter_data(rar, (uint32_t)i,\n\t\t\t\t\t naddr);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\ti += 4;\n\t\t}\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 131665535256092421009011253714626210190, "size": 48, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244761 }, { "func": "static int kvm_hv_hypercall_complete(struct kvm_vcpu *vcpu, u64 result)\n{\n\tkvm_hv_hypercall_set_result(vcpu, result);\n\t++vcpu->stat.hypercalls;\n\treturn kvm_skip_emulated_instruction(vcpu);\n}", "project": "linux", "hash": 336690045352582737391098846265084968884, "size": 6, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343506 }, { "func": "void CClient::NotifyServerDependentCaps(const SCString& ssCaps) {\n for (const CString& sCap : ssCaps) {\n const auto& it = m_mCoreCaps.find(sCap);\n if (m_mCoreCaps.end() != it) {\n bool bServerDependent = std::get<0>(it->second);\n if (bServerDependent) {\n m_ssServerDependentCaps.insert(sCap);\n }\n }\n }\n\n if (HasCapNotify() && !m_ssServerDependentCaps.empty()) {\n CString sCaps = CString(\" \").Join(m_ssServerDependentCaps.begin(),\n m_ssServerDependentCaps.end());\n PutClient(\":irc.znc.in CAP \" + GetNick() + \" NEW :\" + sCaps);\n }\n}", "project": "znc", "hash": 281477500295721194893014065931173395108, "size": 17, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231588 }, { "func": "static inline bool kvm_arch_no_poll(struct kvm_vcpu *vcpu)\n{\n\treturn false;\n}", "project": "linux", "hash": 113536976195694657137033414977715818909, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: 
<20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354659 }, { "func": "bool kvm_arch_no_poll(struct kvm_vcpu *vcpu)\n{\n\t/* do not poll with more than halt_poll_max_steal percent of steal time */\n\tif (S390_lowcore.avg_steal_timer * 100 / (TICK_USEC << 12) >=\n\t halt_poll_max_steal) {\n\t\tvcpu->stat.halt_no_poll_steal++;\n\t\treturn true;\n\t}\n\treturn false;\n}", "project": "linux", "hash": 307624461188730117657376375524997493165, "size": 10, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354665 }, { "func": "static int do_active(char *name, void *rock)\n{\n struct list_rock *lrock = (struct list_rock *) rock;\n int r, postable;\n struct backend *be;\n\n /* open the group */\n r = open_group(name, 1, &be, &postable);\n if (r) {\n\t/* can't open group, skip it */\n }\n else if (be) {\n\tif (!hash_lookup(be->hostname, &lrock->server_table)) {\n\t /* add this server to our table */\n\t hash_insert(be->hostname, (void *)0xDEADBEEF, &lrock->server_table);\n\t}\n }\n else {\n\tprot_printf(nntp_out, \"%s %u %u %c\\r\\n\", name+strlen(newsprefix),\n\t\t group_state->exists ? 
index_getuid(group_state, group_state->exists) :\n\t\t group_state->mailbox->i.last_uid,\n\t\t group_state->exists ? index_getuid(group_state, 1) :\n\t\t group_state->mailbox->i.last_uid+1,\n\t\t postable ? 'y' : 'n');\n\tindex_close(&group_state);\n }\n\n return 0;\n}", "project": "cyrus-imapd", "hash": 131591387510158109728684238191086856720, "size": 29, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451901 }, { "func": "static void hci_cc_read_auth_payload_timeout(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_read_auth_payload_to *rp = (void *)skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));\n\tif (conn)\n\t\tconn->auth_payload_timeout = __le16_to_cpu(rp->timeout);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 171894923897360787542070582942765781067, "size": 19, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431878 }, { "func": "void CWebSock::SetPaths(CModule* pModule, bool bIsTemplate) {\n m_Template.ClearPaths();\n\n VCString vsDirs = GetDirs(pModule, bIsTemplate);\n for (const CString& sDir : vsDirs) {\n m_Template.AppendPath(sDir);\n }\n\n m_bPathsSet = true;\n}", "project": "znc", "hash": 45668514744435951176174967680352865132, "size": 10, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265785 }, { "func": "static bool vcpu_dy_runnable(struct kvm_vcpu *vcpu)\n{\n\tif (kvm_arch_dy_runnable(vcpu))\n\t\treturn true;\n\n#ifdef CONFIG_KVM_ASYNC_PF\n\tif (!list_empty_careful(&vcpu->async_pf.done))\n\t\treturn true;\n#endif\n\n\treturn false;\n}", "project": "linux", "hash": 55135643668509411649020350160100915110, "size": 12, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", 
"target": 0, "dataset": "other", "idx": 354820 }, { "func": "static int _nfs4_proc_readdir(struct dentry *dentry, const struct cred *cred,\n\t\tu64 cookie, struct page **pages, unsigned int count, bool plus)\n{\n\tstruct inode\t\t*dir = d_inode(dentry);\n\tstruct nfs4_readdir_arg args = {\n\t\t.fh = NFS_FH(dir),\n\t\t.pages = pages,\n\t\t.pgbase = 0,\n\t\t.count = count,\n\t\t.bitmask = NFS_SERVER(d_inode(dentry))->attr_bitmask,\n\t\t.plus = plus,\n\t};\n\tstruct nfs4_readdir_res res;\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_READDIR],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t\t.rpc_cred = cred,\n\t};\n\tint\t\t\tstatus;\n\n\tdprintk(\"%s: dentry = %pd2, cookie = %Lu\\n\", __func__,\n\t\t\tdentry,\n\t\t\t(unsigned long long)cookie);\n\tnfs4_setup_readdir(cookie, NFS_I(dir)->cookieverf, dentry, &args);\n\tres.pgbase = args.pgbase;\n\tstatus = nfs4_call_sync(NFS_SERVER(dir)->client, NFS_SERVER(dir), &msg, &args.seq_args, &res.seq_res, 0);\n\tif (status >= 0) {\n\t\tmemcpy(NFS_I(dir)->cookieverf, res.verifier.data, NFS4_VERIFIER_SIZE);\n\t\tstatus += args.pgbase;\n\t}\n\n\tnfs_invalidate_atime(dir);\n\n\tdprintk(\"%s: returns %d\\n\", __func__, status);\n\treturn status;\n}", "project": "linux", "hash": 336148073609219235488804953130061423743, "size": 37, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431238 }, { "func": "rpmRC hdrblobGet(hdrblob blob, uint32_t tag, rpmtd td)\n{\n rpmRC rc = RPMRC_NOTFOUND;\n struct indexEntry_s entry;\n struct entryInfo_s einfo;\n const struct entryInfo_s *pe = 
blob->pe;\n uint32_t ntag = htonl(tag);\n int tsize;\n\n memset(&einfo, 0, sizeof(einfo));\n rpmtdReset(td);\n\n for (int i = 0; i < blob->il; i++, pe++) {\n\tif (pe->tag != ntag)\n\t continue;\n\tei2h(pe, &einfo);\n\n\t/* We can only handle non-byteswappable data */\n\ttsize = typeSizes[einfo.type];\n\tif (tsize != 1 && tsize != -1)\n\t return RPMRC_FAIL;\n\n\tentry.info = einfo; /* struct assignment */\n\tentry.data = blob->dataStart + einfo.offset;\n\tentry.length = dataLength(einfo.type, blob->dataStart + einfo.offset,\n\t\t\t einfo.count, 1, blob->dataEnd);\n\tentry.rdlen = 0;\n\ttd->tag = einfo.tag;\n\trc = copyTdEntry(&entry, td, HEADERGET_MINMEM) ? RPMRC_OK : RPMRC_FAIL;\n\tbreak;\n }\n return rc;\n}", "project": "rpm", "hash": 286734298478698485097822764265492009985, "size": 33, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318158 }, { "func": " DataType dtype() const { return vals_.dtype(); }", "project": "tensorflow", "hash": 303038301572815589649139559352014882332, "size": 1, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277014 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::refNode(AudioNode* node)\n{\n ASSERT(isMainThread());\n AutoLocker locker(this);\n\n m_referencedNodes.append(node);\n node->makeConnection();\n}\n", "cwe": "", "big_vul_idx": 139674, "idx": 124823, "hash": 223000726913796591014059737568787559764 }, { "func": "bool SFD_GetFontMetaData( FILE *sfd,\n\t\t\t char *tok,\n\t\t\t SplineFont *sf,\n\t\t\t SFD_GetFontMetaDataData* d )\n{\n int ch;\n int i;\n KernClass* kc 
= 0;\n int old;\n char val[2000];\n\n // This allows us to assume we can dereference d\n // at all times\n static SFD_GetFontMetaDataData my_static_d;\n static int my_static_d_is_virgin = 1;\n if( !d )\n {\n\tif( my_static_d_is_virgin )\n\t{\n\t my_static_d_is_virgin = 0;\n\t SFD_GetFontMetaDataData_Init( &my_static_d );\n\t}\n\td = &my_static_d;\n }\n\n if ( strmatch(tok,\"FontName:\")==0 )\n {\n\tgeteol(sfd,val);\n\tsf->fontname = copy(val);\n }\n else if ( strmatch(tok,\"FullName:\")==0 )\n {\n\tgeteol(sfd,val);\n\tsf->fullname = copy(val);\n }\n else if ( strmatch(tok,\"FamilyName:\")==0 )\n {\n\tgeteol(sfd,val);\n\tsf->familyname = copy(val);\n }\n else if ( strmatch(tok,\"DefaultBaseFilename:\")==0 )\n {\n\tgeteol(sfd,val);\n\tsf->defbasefilename = copy(val);\n }\n else if ( strmatch(tok,\"Weight:\")==0 )\n {\n\tgetprotectedname(sfd,val);\n\tsf->weight = copy(val);\n }\n else if ( strmatch(tok,\"Copyright:\")==0 )\n {\n\tsf->copyright = getquotedeol(sfd);\n }\n else if ( strmatch(tok,\"Comments:\")==0 )\n {\n\tchar *temp = getquotedeol(sfd);\n\tsf->comments = latin1_2_utf8_copy(temp);\n\tfree(temp);\n }\n else if ( strmatch(tok,\"UComments:\")==0 )\n {\n\tsf->comments = SFDReadUTF7Str(sfd);\n }\n else if ( strmatch(tok,\"FontLog:\")==0 )\n {\n\tsf->fontlog = SFDReadUTF7Str(sfd);\n }\n else if ( strmatch(tok,\"Version:\")==0 )\n {\n\tgeteol(sfd,val);\n\tsf->version = copy(val);\n }\n else if ( strmatch(tok,\"StyleMapFamilyName:\")==0 )\n {\n sf->styleMapFamilyName = SFDReadUTF7Str(sfd);\n }\n /* Legacy attribute for StyleMapFamilyName. Deprecated. 
*/\n else if ( strmatch(tok,\"OS2FamilyName:\")==0 )\n {\n if (sf->styleMapFamilyName == NULL)\n sf->styleMapFamilyName = SFDReadUTF7Str(sfd);\n }\n else if ( strmatch(tok,\"FONDName:\")==0 )\n {\n\tgeteol(sfd,val);\n\tsf->fondname = copy(val);\n }\n else if ( strmatch(tok,\"ItalicAngle:\")==0 )\n {\n\tgetreal(sfd,&sf->italicangle);\n }\n else if ( strmatch(tok,\"StrokeWidth:\")==0 )\n {\n\tgetreal(sfd,&sf->strokewidth);\n }\n else if ( strmatch(tok,\"UnderlinePosition:\")==0 )\n {\n\tgetreal(sfd,&sf->upos);\n }\n else if ( strmatch(tok,\"UnderlineWidth:\")==0 )\n {\n\tgetreal(sfd,&sf->uwidth);\n }\n else if ( strmatch(tok,\"ModificationTime:\")==0 )\n {\n\tgetlonglong(sfd,&sf->modificationtime);\n }\n else if ( strmatch(tok,\"CreationTime:\")==0 )\n {\n\tgetlonglong(sfd,&sf->creationtime);\n\td->hadtimes = true;\n }\n else if ( strmatch(tok,\"PfmFamily:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->pfminfo.pfmfamily = temp;\n\tsf->pfminfo.pfmset = true;\n }\n else if ( strmatch(tok,\"LangName:\")==0 )\n {\n\tsf->names = SFDGetLangName(sfd,sf->names);\n }\n else if ( strmatch(tok,\"GaspTable:\")==0 )\n {\n\tSFDGetGasp(sfd,sf);\n }\n else if ( strmatch(tok,\"DesignSize:\")==0 )\n {\n\tSFDGetDesignSize(sfd,sf);\n }\n else if ( strmatch(tok,\"OtfFeatName:\")==0 )\n {\n\tSFDGetOtfFeatName(sfd,sf);\n }\n else if ( strmatch(tok,\"PfmWeight:\")==0 || strmatch(tok,\"TTFWeight:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.weight);\n\tsf->pfminfo.pfmset = true;\n }\n else if ( strmatch(tok,\"TTFWidth:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.width);\n\tsf->pfminfo.pfmset = true;\n }\n else if ( strmatch(tok,\"Panose:\")==0 )\n {\n\tint temp,i;\n\tfor ( i=0; i<10; ++i )\n\t{\n\t getint(sfd,&temp);\n\t sf->pfminfo.panose[i] = temp;\n\t}\n\tsf->pfminfo.panose_set = true;\n }\n else if ( strmatch(tok,\"LineGap:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.linegap);\n\tsf->pfminfo.pfmset = true;\n }\n else if ( strmatch(tok,\"VLineGap:\")==0 )\n 
{\n\tgetsint(sfd,&sf->pfminfo.vlinegap);\n\tsf->pfminfo.pfmset = true;\n }\n else if ( strmatch(tok,\"HheadAscent:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.hhead_ascent);\n }\n else if ( strmatch(tok,\"HheadAOffset:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.hheadascent_add = temp;\n }\n else if ( strmatch(tok,\"HheadDescent:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.hhead_descent);\n }\n else if ( strmatch(tok,\"HheadDOffset:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.hheaddescent_add = temp;\n }\n else if ( strmatch(tok,\"OS2TypoLinegap:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_typolinegap);\n }\n else if ( strmatch(tok,\"OS2TypoAscent:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_typoascent);\n }\n else if ( strmatch(tok,\"OS2TypoAOffset:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.typoascent_add = temp;\n }\n else if ( strmatch(tok,\"OS2TypoDescent:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_typodescent);\n }\n else if ( strmatch(tok,\"OS2TypoDOffset:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.typodescent_add = temp;\n }\n else if ( strmatch(tok,\"OS2WinAscent:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_winascent);\n }\n else if ( strmatch(tok,\"OS2WinDescent:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_windescent);\n }\n else if ( strmatch(tok,\"OS2WinAOffset:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.winascent_add = temp;\n }\n else if ( strmatch(tok,\"OS2WinDOffset:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.windescent_add = temp;\n }\n else if ( strmatch(tok,\"HHeadAscent:\")==0 )\n {\n\t// DUPLICATE OF ABOVE\n\tgetsint(sfd,&sf->pfminfo.hhead_ascent);\n }\n else if ( strmatch(tok,\"HHeadDescent:\")==0 )\n {\n\t// DUPLICATE OF ABOVE\n\tgetsint(sfd,&sf->pfminfo.hhead_descent);\n }\n\n else if ( strmatch(tok,\"HHeadAOffset:\")==0 )\n {\n\t// DUPLICATE OF ABOVE\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.hheadascent_add = temp;\n }\n else if ( 
strmatch(tok,\"HHeadDOffset:\")==0 )\n {\n\t// DUPLICATE OF ABOVE\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.hheaddescent_add = temp;\n }\n else if ( strmatch(tok,\"MacStyle:\")==0 )\n {\n\tgetsint(sfd,&sf->macstyle);\n }\n else if ( strmatch(tok,\"OS2SubXSize:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_subxsize);\n\tsf->pfminfo.subsuper_set = true;\n }\n else if ( strmatch(tok,\"OS2SubYSize:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_subysize);\n }\n else if ( strmatch(tok,\"OS2SubXOff:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_subxoff);\n }\n else if ( strmatch(tok,\"OS2SubYOff:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_subyoff);\n }\n else if ( strmatch(tok,\"OS2SupXSize:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_supxsize);\n }\n else if ( strmatch(tok,\"OS2SupYSize:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_supysize);\n }\n else if ( strmatch(tok,\"OS2SupXOff:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_supxoff);\n }\n else if ( strmatch(tok,\"OS2SupYOff:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_supyoff);\n }\n else if ( strmatch(tok,\"OS2StrikeYSize:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_strikeysize);\n }\n else if ( strmatch(tok,\"OS2StrikeYPos:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_strikeypos);\n }\n else if ( strmatch(tok,\"OS2CapHeight:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_capheight);\n }\n else if ( strmatch(tok,\"OS2XHeight:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_xheight);\n }\n else if ( strmatch(tok,\"OS2FamilyClass:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_family_class);\n }\n else if ( strmatch(tok,\"OS2Vendor:\")==0 )\n {\n\twhile ( isspace(nlgetc(sfd)));\n\tsf->pfminfo.os2_vendor[0] = nlgetc(sfd);\n\tsf->pfminfo.os2_vendor[1] = nlgetc(sfd);\n\tsf->pfminfo.os2_vendor[2] = nlgetc(sfd);\n\tsf->pfminfo.os2_vendor[3] = nlgetc(sfd);\n\t(void) nlgetc(sfd);\n }\n else if ( strmatch(tok,\"OS2CodePages:\")==0 )\n {\n\tgethexints(sfd,sf->pfminfo.codepages,2);\n\tsf->pfminfo.hascodepages = true;\n }\n else if ( 
strmatch(tok,\"OS2UnicodeRanges:\")==0 )\n {\n\tgethexints(sfd,sf->pfminfo.unicoderanges,4);\n\tsf->pfminfo.hasunicoderanges = true;\n }\n else if ( strmatch(tok,\"TopEncoding:\")==0 )\n {\n\t/* Obsolete */\n\tgetint(sfd,&sf->top_enc);\n }\n else if ( strmatch(tok,\"Ascent:\")==0 )\n {\n\tgetint(sfd,&sf->ascent);\n }\n else if ( strmatch(tok,\"Descent:\")==0 )\n {\n\tgetint(sfd,&sf->descent);\n }\n else if ( strmatch(tok,\"InvalidEm:\")==0 )\n {\n\tgetint(sfd,&sf->invalidem);\n }\n else if ( strmatch(tok,\"woffMajor:\")==0 )\n {\n\tgetint(sfd,&sf->woffMajor);\n }\n else if ( strmatch(tok,\"woffMinor:\")==0 )\n {\n\tgetint(sfd,&sf->woffMinor);\n }\n else if ( strmatch(tok,\"woffMetadata:\")==0 )\n {\n\tsf->woffMetadata = SFDReadUTF7Str(sfd);\n }\n else if ( strmatch(tok,\"UFOAscent:\")==0 )\n {\n\t getreal(sfd,&sf->ufo_ascent);\n }\n else if ( strmatch(tok,\"UFODescent:\")==0 )\n {\n\tgetreal(sfd,&sf->ufo_descent);\n }\n else if ( strmatch(tok,\"sfntRevision:\")==0 )\n {\n\tgethex(sfd,(uint32 *)&sf->sfntRevision);\n }\n else if ( strmatch(tok,\"LayerCount:\")==0 )\n {\n\td->had_layer_cnt = true;\n\tgetint(sfd,&sf->layer_cnt);\n\tif ( sf->layer_cnt>2 ) {\n\t sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));\n\t memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));\n\t}\n }\n else if ( strmatch(tok,\"Layer:\")==0 )\n {\n // TODO: Read the U. F. O. 
path.\n\tint layer, o2, bk;\n\tgetint(sfd,&layer);\n\tif ( layer>=sf->layer_cnt ) {\n\t sf->layers = realloc(sf->layers,(layer+1)*sizeof(LayerInfo));\n\t memset(sf->layers+sf->layer_cnt,0,((layer+1)-sf->layer_cnt)*sizeof(LayerInfo));\n\t sf->layer_cnt = layer+1;\n\t}\n\tgetint(sfd,&o2);\n\tsf->layers[layer].order2 = o2;\n\tsf->layers[layer].background = layer==ly_back;\n\t/* Used briefly, now background is after layer name */\n\twhile ( (ch=nlgetc(sfd))==' ' );\n\tungetc(ch,sfd);\n\tif ( ch!='\"' ) {\n\t getint(sfd,&bk);\n\t sf->layers[layer].background = bk;\n\t}\n\t/* end of section for obsolete format */\n\tsf->layers[layer].name = SFDReadUTF7Str(sfd);\n\twhile ( (ch=nlgetc(sfd))==' ' );\n\tungetc(ch,sfd);\n\tif ( ch!='\\n' ) {\n\t getint(sfd,&bk);\n\t sf->layers[layer].background = bk;\n\t}\n\twhile ( (ch=nlgetc(sfd))==' ' );\n\tungetc(ch,sfd);\n\tif ( ch!='\\n' ) { sf->layers[layer].ufo_path = SFDReadUTF7Str(sfd); }\n }\n else if ( strmatch(tok,\"PreferredKerning:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->preferred_kerning = temp;\n }\n else if ( strmatch(tok,\"StrokedFont:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->strokedfont = temp;\n }\n else if ( strmatch(tok,\"MultiLayer:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->multilayer = temp;\n }\n else if ( strmatch(tok,\"NeedsXUIDChange:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->changed_since_xuidchanged = temp;\n }\n else if ( strmatch(tok,\"VerticalOrigin:\")==0 )\n {\n\t// this doesn't seem to be written ever.\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->hasvmetrics = true;\n }\n else if ( strmatch(tok,\"HasVMetrics:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->hasvmetrics = temp;\n }\n else if ( strmatch(tok,\"Justify:\")==0 )\n {\n\tSFDParseJustify(sfd,sf,tok);\n }\n else if ( strmatch(tok,\"BaseHoriz:\")==0 )\n {\n\tsf->horiz_base = SFDParseBase(sfd);\n\td->last_base = sf->horiz_base;\n\td->last_base_script = NULL;\n }\n else if ( 
strmatch(tok,\"BaseVert:\")==0 )\n {\n\tsf->vert_base = SFDParseBase(sfd);\n\td->last_base = sf->vert_base;\n\td->last_base_script = NULL;\n }\n else if ( strmatch(tok,\"BaseScript:\")==0 )\n {\n\tstruct basescript *bs = SFDParseBaseScript(sfd,d->last_base);\n\tif ( d->last_base==NULL )\n\t{\n\t BaseScriptFree(bs);\n\t bs = NULL;\n\t}\n\telse if ( d->last_base_script!=NULL )\n\t d->last_base_script->next = bs;\n\telse\n\t d->last_base->scripts = bs;\n\td->last_base_script = bs;\n }\n else if ( strmatch(tok,\"StyleMap:\")==0 )\n {\n gethex(sfd,(uint32 *)&sf->pfminfo.stylemap);\n }\n /* Legacy attribute for StyleMap. Deprecated. */\n else if ( strmatch(tok,\"OS2StyleName:\")==0 )\n {\n char* sname = SFDReadUTF7Str(sfd);\n if (sf->pfminfo.stylemap == -1) {\n if (strcmp(sname,\"bold italic\")==0) sf->pfminfo.stylemap = 0x21;\n else if (strcmp(sname,\"bold\")==0) sf->pfminfo.stylemap = 0x20;\n else if (strcmp(sname,\"italic\")==0) sf->pfminfo.stylemap = 0x01;\n else if (strcmp(sname,\"regular\")==0) sf->pfminfo.stylemap = 0x40;\n }\n free(sname);\n }\n else if ( strmatch(tok,\"FSType:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.fstype);\n }\n else if ( strmatch(tok,\"OS2Version:\")==0 )\n {\n\tgetsint(sfd,&sf->os2_version);\n }\n else if ( strmatch(tok,\"OS2_WeightWidthSlopeOnly:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->weight_width_slope_only = temp;\n }\n else if ( strmatch(tok,\"OS2_UseTypoMetrics:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->use_typo_metrics = temp;\n }\n else if ( strmatch(tok,\"UseUniqueID:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->use_uniqueid = temp;\n }\n else if ( strmatch(tok,\"UseXUID:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->use_xuid = temp;\n }\n else if ( strmatch(tok,\"UniqueID:\")==0 )\n {\n\tgetint(sfd,&sf->uniqueid);\n }\n else if ( strmatch(tok,\"XUID:\")==0 )\n {\n\tgeteol(sfd,tok);\n\tsf->xuid = copy(tok);\n }\n else if ( strmatch(tok,\"Lookup:\")==0 )\n {\n\tOTLookup *otl;\n\tint 
temp;\n\tif ( sf->sfd_version<2 ) {\n\t IError( \"Lookups should not happen in version 1 sfd files.\" );\n\t exit(1);\n\t}\n\totl = chunkalloc(sizeof(OTLookup));\n\tgetint(sfd,&temp); otl->lookup_type = temp;\n\tgetint(sfd,&temp); otl->lookup_flags = temp;\n\tgetint(sfd,&temp); otl->store_in_afm = temp;\n\totl->lookup_name = SFDReadUTF7Str(sfd);\n\tif ( otl->lookup_typelastsotl==NULL )\n\t\tsf->gsub_lookups = otl;\n\t else\n\t\td->lastsotl->next = otl;\n\t d->lastsotl = otl;\n\t} else {\n\t if ( d->lastpotl==NULL )\n\t\tsf->gpos_lookups = otl;\n\t else\n\t\td->lastpotl->next = otl;\n\t d->lastpotl = otl;\n\t}\n\tSFDParseLookup(sfd,otl);\n }\n else if ( strmatch(tok,\"MarkAttachClasses:\")==0 )\n {\n\tgetint(sfd,&sf->mark_class_cnt);\n\tsf->mark_classes = malloc(sf->mark_class_cnt*sizeof(char *));\n\tsf->mark_class_names = malloc(sf->mark_class_cnt*sizeof(char *));\n\tsf->mark_classes[0] = NULL; sf->mark_class_names[0] = NULL;\n\tfor ( i=1; imark_class_cnt; ++i )\n\t{\n\t /* Class 0 is unused */\n\t int temp;\n\t while ( (temp=nlgetc(sfd))=='\\n' || temp=='\\r' ); ungetc(temp,sfd);\n\t sf->mark_class_names[i] = SFDReadUTF7Str(sfd);\n\t getint(sfd,&temp);\n\t sf->mark_classes[i] = malloc(temp+1); sf->mark_classes[i][temp] = '\\0';\n\t nlgetc(sfd);\t/* skip space */\n\t fread(sf->mark_classes[i],1,temp,sfd);\n\t}\n }\n else if ( strmatch(tok,\"MarkAttachSets:\")==0 )\n {\n\tgetint(sfd,&sf->mark_set_cnt);\n\tsf->mark_sets = malloc(sf->mark_set_cnt*sizeof(char *));\n\tsf->mark_set_names = malloc(sf->mark_set_cnt*sizeof(char *));\n\tfor ( i=0; imark_set_cnt; ++i )\n\t{\n\t /* Set 0 is used */\n\t int temp;\n\t while ( (temp=nlgetc(sfd))=='\\n' || temp=='\\r' ); ungetc(temp,sfd);\n\t sf->mark_set_names[i] = SFDReadUTF7Str(sfd);\n\t getint(sfd,&temp);\n\t sf->mark_sets[i] = malloc(temp+1); sf->mark_sets[i][temp] = '\\0';\n\t nlgetc(sfd);\t/* skip space */\n\t fread(sf->mark_sets[i],1,temp,sfd);\n\t}\n }\n else if ( strmatch(tok,\"KernClass2:\")==0 || 
strmatch(tok,\"VKernClass2:\")==0 ||\n\t strmatch(tok,\"KernClass:\")==0 || strmatch(tok,\"VKernClass:\")==0 ||\n\t strmatch(tok,\"KernClass3:\")==0 || strmatch(tok,\"VKernClass3:\")==0 )\n {\n\tint kernclassversion = 0;\n\tint isv = tok[0]=='V';\n\tint kcvoffset = (isv ? 10 : 9); //Offset to read kerning class version\n\tif (isdigit(tok[kcvoffset])) kernclassversion = tok[kcvoffset] - '0';\n\tint temp, classstart=1;\n\tint old = (kernclassversion == 0);\n\n\tif ( (sf->sfd_version<2)!=old ) {\n\t IError( \"Version mixup in Kerning Classes of sfd file.\" );\n\t exit(1);\n\t}\n\tkc = chunkalloc(old ? sizeof(KernClass1) : sizeof(KernClass));\n\tgetint(sfd,&kc->first_cnt);\n\tch=nlgetc(sfd);\n\tif ( ch=='+' )\n\t classstart = 0;\n\telse\n\t ungetc(ch,sfd);\n\tgetint(sfd,&kc->second_cnt);\n\tif ( old ) {\n\t getint(sfd,&temp); ((KernClass1 *) kc)->sli = temp;\n\t getint(sfd,&temp); ((KernClass1 *) kc)->flags = temp;\n\t} else {\n\t kc->subtable = SFFindLookupSubtableAndFreeName(sf,SFDReadUTF7Str(sfd));\n\t if ( kc->subtable!=NULL && kc->subtable->kc==NULL )\n\t\tkc->subtable->kc = kc;\n\t else {\n\t\tif ( kc->subtable==NULL )\n\t\t LogError(_(\"Bad SFD file, missing subtable in kernclass defn.\\n\") );\n\t\telse\n\t\t LogError(_(\"Bad SFD file, two kerning classes assigned to the same subtable: %s\\n\"), kc->subtable->subtable_name );\n\t\tkc->subtable = NULL;\n\t }\n\t}\n\tkc->firsts = calloc(kc->first_cnt,sizeof(char *));\n\tkc->seconds = calloc(kc->second_cnt,sizeof(char *));\n\tkc->offsets = calloc(kc->first_cnt*kc->second_cnt,sizeof(int16));\n\tkc->adjusts = calloc(kc->first_cnt*kc->second_cnt,sizeof(DeviceTable));\n\tif (kernclassversion >= 3) {\n\t kc->firsts_flags = calloc(kc->first_cnt, sizeof(int));\n\t kc->seconds_flags = calloc(kc->second_cnt, sizeof(int));\n\t kc->offsets_flags = calloc(kc->first_cnt*kc->second_cnt, sizeof(int));\n\t kc->firsts_names = calloc(kc->first_cnt, sizeof(char*));\n\t kc->seconds_names = calloc(kc->second_cnt, 
sizeof(char*));\n\t}\n\tkc->firsts[0] = NULL;\n\tfor ( i=classstart; ifirst_cnt; ++i ) {\n\t if (kernclassversion < 3) {\n\t getint(sfd,&temp);\n\t kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\\0';\n\t nlgetc(sfd);\t/* skip space */\n\t fread(kc->firsts[i],1,temp,sfd);\n\t } else {\n\t getint(sfd,&kc->firsts_flags[i]);\n\t while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd); if (ch == '\\n' || ch == EOF) continue;\n\t kc->firsts_names[i] = SFDReadUTF7Str(sfd);\n\t while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd); if (ch == '\\n' || ch == EOF) continue;\n\t kc->firsts[i] = SFDReadUTF7Str(sfd);\n if (kc->firsts[i] == NULL) kc->firsts[i] = copy(\"\"); // In certain places, this must be defined.\n\t while ((ch=nlgetc(sfd)) == ' ' || ch == '\\n'); ungetc(ch, sfd);\n\t }\n\t}\n\tkc->seconds[0] = NULL;\n\tfor ( i=1; isecond_cnt; ++i ) {\n\t if (kernclassversion < 3) {\n\t getint(sfd,&temp);\n\t kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\\0';\n\t nlgetc(sfd);\t/* skip space */\n\t fread(kc->seconds[i],1,temp,sfd);\n\t } else {\n\t getint(sfd,&temp);\n\t kc->seconds_flags[i] = temp;\n\t while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd); if (ch == '\\n' || ch == EOF) continue;\n\t kc->seconds_names[i] = SFDReadUTF7Str(sfd);\n\t while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd); if (ch == '\\n' || ch == EOF) continue;\n\t kc->seconds[i] = SFDReadUTF7Str(sfd);\n if (kc->seconds[i] == NULL) kc->seconds[i] = copy(\"\"); // In certain places, this must be defined.\n\t while ((ch=nlgetc(sfd)) == ' ' || ch == '\\n'); ungetc(ch, sfd);\n\t }\n\t}\n\tfor ( i=0; ifirst_cnt*kc->second_cnt; ++i ) {\n\t if (kernclassversion >= 3) {\n\t getint(sfd,&temp);\n\t kc->offsets_flags[i] = temp;\n\t }\n\t getint(sfd,&temp);\n\t kc->offsets[i] = temp;\n\t SFDReadDeviceTable(sfd,&kc->adjusts[i]);\n\t}\n\tif ( !old && kc->subtable == NULL ) {\n\t /* Error. Ignore it. Free it. 
Whatever */;\n\t} else if ( !isv ) {\n\t if ( d->lastkc==NULL )\n\t\tsf->kerns = kc;\n\t else\n\t\td->lastkc->next = kc;\n\t d->lastkc = kc;\n\t} else {\n\t if ( d->lastvkc==NULL )\n\t\tsf->vkerns = kc;\n\t else\n\t\td->lastvkc->next = kc;\n\t d->lastvkc = kc;\n\t}\n }\n else if ( strmatch(tok,\"ContextPos2:\")==0 || strmatch(tok,\"ContextSub2:\")==0 ||\n\t strmatch(tok,\"ChainPos2:\")==0 || strmatch(tok,\"ChainSub2:\")==0 ||\n\t strmatch(tok,\"ReverseChain2:\")==0 ||\n\t strmatch(tok,\"ContextPos:\")==0 || strmatch(tok,\"ContextSub:\")==0 ||\n\t strmatch(tok,\"ChainPos:\")==0 || strmatch(tok,\"ChainSub:\")==0 ||\n\t strmatch(tok,\"ReverseChain:\")==0 )\n {\n\tFPST *fpst;\n\tint old;\n\tif ( strchr(tok,'2')!=NULL ) {\n\t old = false;\n\t fpst = chunkalloc(sizeof(FPST));\n\t} else {\n\t old = true;\n\t fpst = chunkalloc(sizeof(FPST1));\n\t}\n\tif ( (sf->sfd_version<2)!=old ) {\n\t IError( \"Version mixup in FPST of sfd file.\" );\n\t exit(1);\n\t}\n\tif ( d->lastfp==NULL )\n\t sf->possub = fpst;\n\telse\n\t d->lastfp->next = fpst;\n\td->lastfp = fpst;\n\tSFDParseChainContext(sfd,sf,fpst,tok,old);\n }\n else if ( strmatch(tok,\"Group:\")==0 ) {\n struct ff_glyphclasses *grouptmp = calloc(1, sizeof(struct ff_glyphclasses));\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n grouptmp->classname = SFDReadUTF7Str(sfd);\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n grouptmp->glyphs = SFDReadUTF7Str(sfd);\n while ((ch=nlgetc(sfd)) == ' ' || ch == '\\n'); ungetc(ch, sfd);\n if (d->lastgroup != NULL) d->lastgroup->next = grouptmp; else sf->groups = grouptmp;\n d->lastgroup = grouptmp;\n }\n else if ( strmatch(tok,\"GroupKern:\")==0 ) {\n int temp = 0;\n struct ff_rawoffsets *kerntmp = calloc(1, sizeof(struct ff_rawoffsets));\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n kerntmp->left = SFDReadUTF7Str(sfd);\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n kerntmp->right = SFDReadUTF7Str(sfd);\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n 
getint(sfd,&temp);\n kerntmp->offset = temp;\n while ((ch=nlgetc(sfd)) == ' ' || ch == '\\n'); ungetc(ch, sfd);\n if (d->lastgroupkern != NULL) d->lastgroupkern->next = kerntmp; else sf->groupkerns = kerntmp;\n d->lastgroupkern = kerntmp;\n }\n else if ( strmatch(tok,\"GroupVKern:\")==0 ) {\n int temp = 0;\n struct ff_rawoffsets *kerntmp = calloc(1, sizeof(struct ff_rawoffsets));\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n kerntmp->left = SFDReadUTF7Str(sfd);\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n kerntmp->right = SFDReadUTF7Str(sfd);\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n getint(sfd,&temp);\n kerntmp->offset = temp;\n while ((ch=nlgetc(sfd)) == ' ' || ch == '\\n'); ungetc(ch, sfd);\n if (d->lastgroupvkern != NULL) d->lastgroupvkern->next = kerntmp; else sf->groupvkerns = kerntmp;\n d->lastgroupvkern = kerntmp;\n }\n else if ( strmatch(tok,\"MacIndic2:\")==0 || strmatch(tok,\"MacContext2:\")==0 ||\n\t strmatch(tok,\"MacLigature2:\")==0 || strmatch(tok,\"MacSimple2:\")==0 ||\n\t strmatch(tok,\"MacKern2:\")==0 || strmatch(tok,\"MacInsert2:\")==0 ||\n\t strmatch(tok,\"MacIndic:\")==0 || strmatch(tok,\"MacContext:\")==0 ||\n\t strmatch(tok,\"MacLigature:\")==0 || strmatch(tok,\"MacSimple:\")==0 ||\n\t strmatch(tok,\"MacKern:\")==0 || strmatch(tok,\"MacInsert:\")==0 )\n {\n\tASM *sm;\n\tif ( strchr(tok,'2')!=NULL ) {\n\t old = false;\n\t sm = chunkalloc(sizeof(ASM));\n\t} else {\n\t old = true;\n\t sm = chunkalloc(sizeof(ASM1));\n\t}\n\tif ( (sf->sfd_version<2)!=old ) {\n\t IError( \"Version mixup in state machine of sfd file.\" );\n\t exit(1);\n\t}\n\tif ( d->lastsm==NULL )\n\t sf->sm = sm;\n\telse\n\t d->lastsm->next = sm;\n\td->lastsm = sm;\n\tSFDParseStateMachine(sfd,sf,sm,tok,old);\n }\n else if ( strmatch(tok,\"MacFeat:\")==0 )\n {\n\tsf->features = SFDParseMacFeatures(sfd,tok);\n }\n else if ( strmatch(tok,\"TtfTable:\")==0 )\n {\n\t/* Old, binary format */\n\t/* still used for maxp and unknown tables 
*/\n\tSFDGetTtfTable(sfd,sf,d->lastttf);\n }\n else if ( strmatch(tok,\"TtTable:\")==0 )\n {\n\t/* text instruction format */\n\tSFDGetTtTable(sfd,sf,d->lastttf);\n }\n\n\n ///////////////////\n\n else if ( strmatch(tok,\"ShortTable:\")==0 )\n {\n\t// only read, not written.\n\t/* text number format */\n\tSFDGetShortTable(sfd,sf,d->lastttf);\n }\n else\n {\n //\n // We didn't have a match ourselves.\n //\n return false;\n }\n return true;\n}", "project": "fontforge", "hash": 174470206429737553728553607144275060858, "size": 826, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 1, "dataset": "other", "idx": 209042 }, { "func": "bool SFD_GetFontMetaData( FILE *sfd,\n\t\t\t char *tok,\n\t\t\t SplineFont *sf,\n\t\t\t SFD_GetFontMetaDataData* d )\n{\n int ch;\n int i;\n KernClass* kc = 0;\n int old;\n char val[2000];\n\n // This allows us to assume we can dereference d\n // at all times\n static SFD_GetFontMetaDataData my_static_d;\n static int my_static_d_is_virgin = 1;\n if( !d )\n {\n\tif( my_static_d_is_virgin )\n\t{\n\t my_static_d_is_virgin = 0;\n\t SFD_GetFontMetaDataData_Init( &my_static_d );\n\t}\n\td = &my_static_d;\n }\n\n if ( strmatch(tok,\"FontName:\")==0 )\n {\n\tgeteol(sfd,val);\n\tsf->fontname = copy(val);\n }\n else if ( strmatch(tok,\"FullName:\")==0 )\n {\n\tgeteol(sfd,val);\n\tsf->fullname = copy(val);\n }\n else if ( strmatch(tok,\"FamilyName:\")==0 )\n {\n\tgeteol(sfd,val);\n\tsf->familyname = copy(val);\n }\n else if ( strmatch(tok,\"DefaultBaseFilename:\")==0 )\n {\n\tgeteol(sfd,val);\n\tsf->defbasefilename = copy(val);\n }\n else if ( 
strmatch(tok,\"Weight:\")==0 )\n {\n\tgetprotectedname(sfd,val);\n\tsf->weight = copy(val);\n }\n else if ( strmatch(tok,\"Copyright:\")==0 )\n {\n\tsf->copyright = getquotedeol(sfd);\n }\n else if ( strmatch(tok,\"Comments:\")==0 )\n {\n\tchar *temp = getquotedeol(sfd);\n\tsf->comments = latin1_2_utf8_copy(temp);\n\tfree(temp);\n }\n else if ( strmatch(tok,\"UComments:\")==0 )\n {\n\tsf->comments = SFDReadUTF7Str(sfd);\n }\n else if ( strmatch(tok,\"FontLog:\")==0 )\n {\n\tsf->fontlog = SFDReadUTF7Str(sfd);\n }\n else if ( strmatch(tok,\"Version:\")==0 )\n {\n\tgeteol(sfd,val);\n\tsf->version = copy(val);\n }\n else if ( strmatch(tok,\"StyleMapFamilyName:\")==0 )\n {\n sf->styleMapFamilyName = SFDReadUTF7Str(sfd);\n }\n /* Legacy attribute for StyleMapFamilyName. Deprecated. */\n else if ( strmatch(tok,\"OS2FamilyName:\")==0 )\n {\n if (sf->styleMapFamilyName == NULL)\n sf->styleMapFamilyName = SFDReadUTF7Str(sfd);\n }\n else if ( strmatch(tok,\"FONDName:\")==0 )\n {\n\tgeteol(sfd,val);\n\tsf->fondname = copy(val);\n }\n else if ( strmatch(tok,\"ItalicAngle:\")==0 )\n {\n\tgetreal(sfd,&sf->italicangle);\n }\n else if ( strmatch(tok,\"StrokeWidth:\")==0 )\n {\n\tgetreal(sfd,&sf->strokewidth);\n }\n else if ( strmatch(tok,\"UnderlinePosition:\")==0 )\n {\n\tgetreal(sfd,&sf->upos);\n }\n else if ( strmatch(tok,\"UnderlineWidth:\")==0 )\n {\n\tgetreal(sfd,&sf->uwidth);\n }\n else if ( strmatch(tok,\"ModificationTime:\")==0 )\n {\n\tgetlonglong(sfd,&sf->modificationtime);\n }\n else if ( strmatch(tok,\"CreationTime:\")==0 )\n {\n\tgetlonglong(sfd,&sf->creationtime);\n\td->hadtimes = true;\n }\n else if ( strmatch(tok,\"PfmFamily:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->pfminfo.pfmfamily = temp;\n\tsf->pfminfo.pfmset = true;\n }\n else if ( strmatch(tok,\"LangName:\")==0 )\n {\n\tsf->names = SFDGetLangName(sfd,sf->names);\n }\n else if ( strmatch(tok,\"GaspTable:\")==0 )\n {\n\tSFDGetGasp(sfd,sf);\n }\n else if ( strmatch(tok,\"DesignSize:\")==0 )\n 
{\n\tSFDGetDesignSize(sfd,sf);\n }\n else if ( strmatch(tok,\"OtfFeatName:\")==0 )\n {\n\tSFDGetOtfFeatName(sfd,sf);\n }\n else if ( strmatch(tok,\"PfmWeight:\")==0 || strmatch(tok,\"TTFWeight:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.weight);\n\tsf->pfminfo.pfmset = true;\n }\n else if ( strmatch(tok,\"TTFWidth:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.width);\n\tsf->pfminfo.pfmset = true;\n }\n else if ( strmatch(tok,\"Panose:\")==0 )\n {\n\tint temp,i;\n\tfor ( i=0; i<10; ++i )\n\t{\n\t getint(sfd,&temp);\n\t sf->pfminfo.panose[i] = temp;\n\t}\n\tsf->pfminfo.panose_set = true;\n }\n else if ( strmatch(tok,\"LineGap:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.linegap);\n\tsf->pfminfo.pfmset = true;\n }\n else if ( strmatch(tok,\"VLineGap:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.vlinegap);\n\tsf->pfminfo.pfmset = true;\n }\n else if ( strmatch(tok,\"HheadAscent:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.hhead_ascent);\n }\n else if ( strmatch(tok,\"HheadAOffset:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.hheadascent_add = temp;\n }\n else if ( strmatch(tok,\"HheadDescent:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.hhead_descent);\n }\n else if ( strmatch(tok,\"HheadDOffset:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.hheaddescent_add = temp;\n }\n else if ( strmatch(tok,\"OS2TypoLinegap:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_typolinegap);\n }\n else if ( strmatch(tok,\"OS2TypoAscent:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_typoascent);\n }\n else if ( strmatch(tok,\"OS2TypoAOffset:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.typoascent_add = temp;\n }\n else if ( strmatch(tok,\"OS2TypoDescent:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_typodescent);\n }\n else if ( strmatch(tok,\"OS2TypoDOffset:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.typodescent_add = temp;\n }\n else if ( strmatch(tok,\"OS2WinAscent:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_winascent);\n }\n else if ( 
strmatch(tok,\"OS2WinDescent:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_windescent);\n }\n else if ( strmatch(tok,\"OS2WinAOffset:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.winascent_add = temp;\n }\n else if ( strmatch(tok,\"OS2WinDOffset:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.windescent_add = temp;\n }\n else if ( strmatch(tok,\"HHeadAscent:\")==0 )\n {\n\t// DUPLICATE OF ABOVE\n\tgetsint(sfd,&sf->pfminfo.hhead_ascent);\n }\n else if ( strmatch(tok,\"HHeadDescent:\")==0 )\n {\n\t// DUPLICATE OF ABOVE\n\tgetsint(sfd,&sf->pfminfo.hhead_descent);\n }\n\n else if ( strmatch(tok,\"HHeadAOffset:\")==0 )\n {\n\t// DUPLICATE OF ABOVE\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.hheadascent_add = temp;\n }\n else if ( strmatch(tok,\"HHeadDOffset:\")==0 )\n {\n\t// DUPLICATE OF ABOVE\n\tint temp;\n\tgetint(sfd,&temp); sf->pfminfo.hheaddescent_add = temp;\n }\n else if ( strmatch(tok,\"MacStyle:\")==0 )\n {\n\tgetsint(sfd,&sf->macstyle);\n }\n else if ( strmatch(tok,\"OS2SubXSize:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_subxsize);\n\tsf->pfminfo.subsuper_set = true;\n }\n else if ( strmatch(tok,\"OS2SubYSize:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_subysize);\n }\n else if ( strmatch(tok,\"OS2SubXOff:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_subxoff);\n }\n else if ( strmatch(tok,\"OS2SubYOff:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_subyoff);\n }\n else if ( strmatch(tok,\"OS2SupXSize:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_supxsize);\n }\n else if ( strmatch(tok,\"OS2SupYSize:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_supysize);\n }\n else if ( strmatch(tok,\"OS2SupXOff:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_supxoff);\n }\n else if ( strmatch(tok,\"OS2SupYOff:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_supyoff);\n }\n else if ( strmatch(tok,\"OS2StrikeYSize:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_strikeysize);\n }\n else if ( strmatch(tok,\"OS2StrikeYPos:\")==0 )\n 
{\n\tgetsint(sfd,&sf->pfminfo.os2_strikeypos);\n }\n else if ( strmatch(tok,\"OS2CapHeight:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_capheight);\n }\n else if ( strmatch(tok,\"OS2XHeight:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_xheight);\n }\n else if ( strmatch(tok,\"OS2FamilyClass:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.os2_family_class);\n }\n else if ( strmatch(tok,\"OS2Vendor:\")==0 )\n {\n\twhile ( isspace(nlgetc(sfd)));\n\tsf->pfminfo.os2_vendor[0] = nlgetc(sfd);\n\tsf->pfminfo.os2_vendor[1] = nlgetc(sfd);\n\tsf->pfminfo.os2_vendor[2] = nlgetc(sfd);\n\tsf->pfminfo.os2_vendor[3] = nlgetc(sfd);\n\t(void) nlgetc(sfd);\n }\n else if ( strmatch(tok,\"OS2CodePages:\")==0 )\n {\n\tgethexints(sfd,sf->pfminfo.codepages,2);\n\tsf->pfminfo.hascodepages = true;\n }\n else if ( strmatch(tok,\"OS2UnicodeRanges:\")==0 )\n {\n\tgethexints(sfd,sf->pfminfo.unicoderanges,4);\n\tsf->pfminfo.hasunicoderanges = true;\n }\n else if ( strmatch(tok,\"TopEncoding:\")==0 )\n {\n\t/* Obsolete */\n\tgetint(sfd,&sf->top_enc);\n }\n else if ( strmatch(tok,\"Ascent:\")==0 )\n {\n\tgetint(sfd,&sf->ascent);\n }\n else if ( strmatch(tok,\"Descent:\")==0 )\n {\n\tgetint(sfd,&sf->descent);\n }\n else if ( strmatch(tok,\"InvalidEm:\")==0 )\n {\n\tgetint(sfd,&sf->invalidem);\n }\n else if ( strmatch(tok,\"woffMajor:\")==0 )\n {\n\tgetint(sfd,&sf->woffMajor);\n }\n else if ( strmatch(tok,\"woffMinor:\")==0 )\n {\n\tgetint(sfd,&sf->woffMinor);\n }\n else if ( strmatch(tok,\"woffMetadata:\")==0 )\n {\n\tsf->woffMetadata = SFDReadUTF7Str(sfd);\n }\n else if ( strmatch(tok,\"UFOAscent:\")==0 )\n {\n\t getreal(sfd,&sf->ufo_ascent);\n }\n else if ( strmatch(tok,\"UFODescent:\")==0 )\n {\n\tgetreal(sfd,&sf->ufo_descent);\n }\n else if ( strmatch(tok,\"sfntRevision:\")==0 )\n {\n\tgethex(sfd,(uint32 *)&sf->sfntRevision);\n }\n else if ( strmatch(tok,\"LayerCount:\")==0 )\n {\n\td->had_layer_cnt = true;\n\tint layer_cnt_tmp;\n\tgetint(sfd,&layer_cnt_tmp);\n\tif ( layer_cnt_tmp>2 ) {\n\t sf->layers 
= realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));\n\t memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));\n\t sf->layer_cnt = layer_cnt_tmp;\n\t}\n }\n else if ( strmatch(tok,\"Layer:\")==0 )\n {\n // TODO: Read the U. F. O. path.\n\tint layer, o2, bk;\n\tgetint(sfd,&layer);\n\tif ( layer>=sf->layer_cnt ) {\n\t sf->layers = realloc(sf->layers,(layer+1)*sizeof(LayerInfo));\n\t memset(sf->layers+sf->layer_cnt,0,((layer+1)-sf->layer_cnt)*sizeof(LayerInfo));\n\t sf->layer_cnt = layer+1;\n\t}\n\tgetint(sfd,&o2);\n\tsf->layers[layer].order2 = o2;\n\tsf->layers[layer].background = layer==ly_back;\n\t/* Used briefly, now background is after layer name */\n\twhile ( (ch=nlgetc(sfd))==' ' );\n\tungetc(ch,sfd);\n\tif ( ch!='\"' ) {\n\t getint(sfd,&bk);\n\t sf->layers[layer].background = bk;\n\t}\n\t/* end of section for obsolete format */\n\tsf->layers[layer].name = SFDReadUTF7Str(sfd);\n\twhile ( (ch=nlgetc(sfd))==' ' );\n\tungetc(ch,sfd);\n\tif ( ch!='\\n' ) {\n\t getint(sfd,&bk);\n\t sf->layers[layer].background = bk;\n\t}\n\twhile ( (ch=nlgetc(sfd))==' ' );\n\tungetc(ch,sfd);\n\tif ( ch!='\\n' ) { sf->layers[layer].ufo_path = SFDReadUTF7Str(sfd); }\n }\n else if ( strmatch(tok,\"PreferredKerning:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->preferred_kerning = temp;\n }\n else if ( strmatch(tok,\"StrokedFont:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->strokedfont = temp;\n }\n else if ( strmatch(tok,\"MultiLayer:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->multilayer = temp;\n }\n else if ( strmatch(tok,\"NeedsXUIDChange:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->changed_since_xuidchanged = temp;\n }\n else if ( strmatch(tok,\"VerticalOrigin:\")==0 )\n {\n\t// this doesn't seem to be written ever.\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->hasvmetrics = true;\n }\n else if ( strmatch(tok,\"HasVMetrics:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->hasvmetrics = temp;\n }\n else if ( 
strmatch(tok,\"Justify:\")==0 )\n {\n\tSFDParseJustify(sfd,sf,tok);\n }\n else if ( strmatch(tok,\"BaseHoriz:\")==0 )\n {\n\tsf->horiz_base = SFDParseBase(sfd);\n\td->last_base = sf->horiz_base;\n\td->last_base_script = NULL;\n }\n else if ( strmatch(tok,\"BaseVert:\")==0 )\n {\n\tsf->vert_base = SFDParseBase(sfd);\n\td->last_base = sf->vert_base;\n\td->last_base_script = NULL;\n }\n else if ( strmatch(tok,\"BaseScript:\")==0 )\n {\n\tstruct basescript *bs = SFDParseBaseScript(sfd,d->last_base);\n\tif ( d->last_base==NULL )\n\t{\n\t BaseScriptFree(bs);\n\t bs = NULL;\n\t}\n\telse if ( d->last_base_script!=NULL )\n\t d->last_base_script->next = bs;\n\telse\n\t d->last_base->scripts = bs;\n\td->last_base_script = bs;\n }\n else if ( strmatch(tok,\"StyleMap:\")==0 )\n {\n gethex(sfd,(uint32 *)&sf->pfminfo.stylemap);\n }\n /* Legacy attribute for StyleMap. Deprecated. */\n else if ( strmatch(tok,\"OS2StyleName:\")==0 )\n {\n char* sname = SFDReadUTF7Str(sfd);\n if (sf->pfminfo.stylemap == -1) {\n if (strcmp(sname,\"bold italic\")==0) sf->pfminfo.stylemap = 0x21;\n else if (strcmp(sname,\"bold\")==0) sf->pfminfo.stylemap = 0x20;\n else if (strcmp(sname,\"italic\")==0) sf->pfminfo.stylemap = 0x01;\n else if (strcmp(sname,\"regular\")==0) sf->pfminfo.stylemap = 0x40;\n }\n free(sname);\n }\n else if ( strmatch(tok,\"FSType:\")==0 )\n {\n\tgetsint(sfd,&sf->pfminfo.fstype);\n }\n else if ( strmatch(tok,\"OS2Version:\")==0 )\n {\n\tgetsint(sfd,&sf->os2_version);\n }\n else if ( strmatch(tok,\"OS2_WeightWidthSlopeOnly:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->weight_width_slope_only = temp;\n }\n else if ( strmatch(tok,\"OS2_UseTypoMetrics:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->use_typo_metrics = temp;\n }\n else if ( strmatch(tok,\"UseUniqueID:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->use_uniqueid = temp;\n }\n else if ( strmatch(tok,\"UseXUID:\")==0 )\n {\n\tint temp;\n\tgetint(sfd,&temp);\n\tsf->use_xuid = temp;\n }\n else if ( 
strmatch(tok,\"UniqueID:\")==0 )\n {\n\tgetint(sfd,&sf->uniqueid);\n }\n else if ( strmatch(tok,\"XUID:\")==0 )\n {\n\tgeteol(sfd,tok);\n\tsf->xuid = copy(tok);\n }\n else if ( strmatch(tok,\"Lookup:\")==0 )\n {\n\tOTLookup *otl;\n\tint temp;\n\tif ( sf->sfd_version<2 ) {\n\t IError( \"Lookups should not happen in version 1 sfd files.\" );\n\t exit(1);\n\t}\n\totl = chunkalloc(sizeof(OTLookup));\n\tgetint(sfd,&temp); otl->lookup_type = temp;\n\tgetint(sfd,&temp); otl->lookup_flags = temp;\n\tgetint(sfd,&temp); otl->store_in_afm = temp;\n\totl->lookup_name = SFDReadUTF7Str(sfd);\n\tif ( otl->lookup_typelastsotl==NULL )\n\t\tsf->gsub_lookups = otl;\n\t else\n\t\td->lastsotl->next = otl;\n\t d->lastsotl = otl;\n\t} else {\n\t if ( d->lastpotl==NULL )\n\t\tsf->gpos_lookups = otl;\n\t else\n\t\td->lastpotl->next = otl;\n\t d->lastpotl = otl;\n\t}\n\tSFDParseLookup(sfd,otl);\n }\n else if ( strmatch(tok,\"MarkAttachClasses:\")==0 )\n {\n\tgetint(sfd,&sf->mark_class_cnt);\n\tsf->mark_classes = malloc(sf->mark_class_cnt*sizeof(char *));\n\tsf->mark_class_names = malloc(sf->mark_class_cnt*sizeof(char *));\n\tsf->mark_classes[0] = NULL; sf->mark_class_names[0] = NULL;\n\tfor ( i=1; imark_class_cnt; ++i )\n\t{\n\t /* Class 0 is unused */\n\t int temp;\n\t while ( (temp=nlgetc(sfd))=='\\n' || temp=='\\r' ); ungetc(temp,sfd);\n\t sf->mark_class_names[i] = SFDReadUTF7Str(sfd);\n\t getint(sfd,&temp);\n\t sf->mark_classes[i] = malloc(temp+1); sf->mark_classes[i][temp] = '\\0';\n\t nlgetc(sfd);\t/* skip space */\n\t fread(sf->mark_classes[i],1,temp,sfd);\n\t}\n }\n else if ( strmatch(tok,\"MarkAttachSets:\")==0 )\n {\n\tgetint(sfd,&sf->mark_set_cnt);\n\tsf->mark_sets = malloc(sf->mark_set_cnt*sizeof(char *));\n\tsf->mark_set_names = malloc(sf->mark_set_cnt*sizeof(char *));\n\tfor ( i=0; imark_set_cnt; ++i )\n\t{\n\t /* Set 0 is used */\n\t int temp;\n\t while ( (temp=nlgetc(sfd))=='\\n' || temp=='\\r' ); ungetc(temp,sfd);\n\t sf->mark_set_names[i] = SFDReadUTF7Str(sfd);\n\t 
getint(sfd,&temp);\n\t sf->mark_sets[i] = malloc(temp+1); sf->mark_sets[i][temp] = '\\0';\n\t nlgetc(sfd);\t/* skip space */\n\t fread(sf->mark_sets[i],1,temp,sfd);\n\t}\n }\n else if ( strmatch(tok,\"KernClass2:\")==0 || strmatch(tok,\"VKernClass2:\")==0 ||\n\t strmatch(tok,\"KernClass:\")==0 || strmatch(tok,\"VKernClass:\")==0 ||\n\t strmatch(tok,\"KernClass3:\")==0 || strmatch(tok,\"VKernClass3:\")==0 )\n {\n\tint kernclassversion = 0;\n\tint isv = tok[0]=='V';\n\tint kcvoffset = (isv ? 10 : 9); //Offset to read kerning class version\n\tif (isdigit(tok[kcvoffset])) kernclassversion = tok[kcvoffset] - '0';\n\tint temp, classstart=1;\n\tint old = (kernclassversion == 0);\n\n\tif ( (sf->sfd_version<2)!=old ) {\n\t IError( \"Version mixup in Kerning Classes of sfd file.\" );\n\t exit(1);\n\t}\n\tkc = chunkalloc(old ? sizeof(KernClass1) : sizeof(KernClass));\n\tgetint(sfd,&kc->first_cnt);\n\tch=nlgetc(sfd);\n\tif ( ch=='+' )\n\t classstart = 0;\n\telse\n\t ungetc(ch,sfd);\n\tgetint(sfd,&kc->second_cnt);\n\tif ( old ) {\n\t getint(sfd,&temp); ((KernClass1 *) kc)->sli = temp;\n\t getint(sfd,&temp); ((KernClass1 *) kc)->flags = temp;\n\t} else {\n\t kc->subtable = SFFindLookupSubtableAndFreeName(sf,SFDReadUTF7Str(sfd));\n\t if ( kc->subtable!=NULL && kc->subtable->kc==NULL )\n\t\tkc->subtable->kc = kc;\n\t else {\n\t\tif ( kc->subtable==NULL )\n\t\t LogError(_(\"Bad SFD file, missing subtable in kernclass defn.\\n\") );\n\t\telse\n\t\t LogError(_(\"Bad SFD file, two kerning classes assigned to the same subtable: %s\\n\"), kc->subtable->subtable_name );\n\t\tkc->subtable = NULL;\n\t }\n\t}\n\tkc->firsts = calloc(kc->first_cnt,sizeof(char *));\n\tkc->seconds = calloc(kc->second_cnt,sizeof(char *));\n\tkc->offsets = calloc(kc->first_cnt*kc->second_cnt,sizeof(int16));\n\tkc->adjusts = calloc(kc->first_cnt*kc->second_cnt,sizeof(DeviceTable));\n\tif (kernclassversion >= 3) {\n\t kc->firsts_flags = calloc(kc->first_cnt, sizeof(int));\n\t kc->seconds_flags = 
calloc(kc->second_cnt, sizeof(int));\n\t kc->offsets_flags = calloc(kc->first_cnt*kc->second_cnt, sizeof(int));\n\t kc->firsts_names = calloc(kc->first_cnt, sizeof(char*));\n\t kc->seconds_names = calloc(kc->second_cnt, sizeof(char*));\n\t}\n\tkc->firsts[0] = NULL;\n\tfor ( i=classstart; ifirst_cnt; ++i ) {\n\t if (kernclassversion < 3) {\n\t getint(sfd,&temp);\n\t kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\\0';\n\t nlgetc(sfd);\t/* skip space */\n\t fread(kc->firsts[i],1,temp,sfd);\n\t } else {\n\t getint(sfd,&kc->firsts_flags[i]);\n\t while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd); if (ch == '\\n' || ch == EOF) continue;\n\t kc->firsts_names[i] = SFDReadUTF7Str(sfd);\n\t while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd); if (ch == '\\n' || ch == EOF) continue;\n\t kc->firsts[i] = SFDReadUTF7Str(sfd);\n if (kc->firsts[i] == NULL) kc->firsts[i] = copy(\"\"); // In certain places, this must be defined.\n\t while ((ch=nlgetc(sfd)) == ' ' || ch == '\\n'); ungetc(ch, sfd);\n\t }\n\t}\n\tkc->seconds[0] = NULL;\n\tfor ( i=1; isecond_cnt; ++i ) {\n\t if (kernclassversion < 3) {\n\t getint(sfd,&temp);\n\t kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\\0';\n\t nlgetc(sfd);\t/* skip space */\n\t fread(kc->seconds[i],1,temp,sfd);\n\t } else {\n\t getint(sfd,&temp);\n\t kc->seconds_flags[i] = temp;\n\t while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd); if (ch == '\\n' || ch == EOF) continue;\n\t kc->seconds_names[i] = SFDReadUTF7Str(sfd);\n\t while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd); if (ch == '\\n' || ch == EOF) continue;\n\t kc->seconds[i] = SFDReadUTF7Str(sfd);\n if (kc->seconds[i] == NULL) kc->seconds[i] = copy(\"\"); // In certain places, this must be defined.\n\t while ((ch=nlgetc(sfd)) == ' ' || ch == '\\n'); ungetc(ch, sfd);\n\t }\n\t}\n\tfor ( i=0; ifirst_cnt*kc->second_cnt; ++i ) {\n\t if (kernclassversion >= 3) {\n\t getint(sfd,&temp);\n\t kc->offsets_flags[i] = temp;\n\t }\n\t getint(sfd,&temp);\n\t kc->offsets[i] = temp;\n\t 
SFDReadDeviceTable(sfd,&kc->adjusts[i]);\n\t}\n\tif ( !old && kc->subtable == NULL ) {\n\t /* Error. Ignore it. Free it. Whatever */;\n\t} else if ( !isv ) {\n\t if ( d->lastkc==NULL )\n\t\tsf->kerns = kc;\n\t else\n\t\td->lastkc->next = kc;\n\t d->lastkc = kc;\n\t} else {\n\t if ( d->lastvkc==NULL )\n\t\tsf->vkerns = kc;\n\t else\n\t\td->lastvkc->next = kc;\n\t d->lastvkc = kc;\n\t}\n }\n else if ( strmatch(tok,\"ContextPos2:\")==0 || strmatch(tok,\"ContextSub2:\")==0 ||\n\t strmatch(tok,\"ChainPos2:\")==0 || strmatch(tok,\"ChainSub2:\")==0 ||\n\t strmatch(tok,\"ReverseChain2:\")==0 ||\n\t strmatch(tok,\"ContextPos:\")==0 || strmatch(tok,\"ContextSub:\")==0 ||\n\t strmatch(tok,\"ChainPos:\")==0 || strmatch(tok,\"ChainSub:\")==0 ||\n\t strmatch(tok,\"ReverseChain:\")==0 )\n {\n\tFPST *fpst;\n\tint old;\n\tif ( strchr(tok,'2')!=NULL ) {\n\t old = false;\n\t fpst = chunkalloc(sizeof(FPST));\n\t} else {\n\t old = true;\n\t fpst = chunkalloc(sizeof(FPST1));\n\t}\n\tif ( (sf->sfd_version<2)!=old ) {\n\t IError( \"Version mixup in FPST of sfd file.\" );\n\t exit(1);\n\t}\n\tif ( d->lastfp==NULL )\n\t sf->possub = fpst;\n\telse\n\t d->lastfp->next = fpst;\n\td->lastfp = fpst;\n\tSFDParseChainContext(sfd,sf,fpst,tok,old);\n }\n else if ( strmatch(tok,\"Group:\")==0 ) {\n struct ff_glyphclasses *grouptmp = calloc(1, sizeof(struct ff_glyphclasses));\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n grouptmp->classname = SFDReadUTF7Str(sfd);\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n grouptmp->glyphs = SFDReadUTF7Str(sfd);\n while ((ch=nlgetc(sfd)) == ' ' || ch == '\\n'); ungetc(ch, sfd);\n if (d->lastgroup != NULL) d->lastgroup->next = grouptmp; else sf->groups = grouptmp;\n d->lastgroup = grouptmp;\n }\n else if ( strmatch(tok,\"GroupKern:\")==0 ) {\n int temp = 0;\n struct ff_rawoffsets *kerntmp = calloc(1, sizeof(struct ff_rawoffsets));\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n kerntmp->left = SFDReadUTF7Str(sfd);\n while ((ch=nlgetc(sfd)) == ' 
'); ungetc(ch, sfd);\n kerntmp->right = SFDReadUTF7Str(sfd);\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n getint(sfd,&temp);\n kerntmp->offset = temp;\n while ((ch=nlgetc(sfd)) == ' ' || ch == '\\n'); ungetc(ch, sfd);\n if (d->lastgroupkern != NULL) d->lastgroupkern->next = kerntmp; else sf->groupkerns = kerntmp;\n d->lastgroupkern = kerntmp;\n }\n else if ( strmatch(tok,\"GroupVKern:\")==0 ) {\n int temp = 0;\n struct ff_rawoffsets *kerntmp = calloc(1, sizeof(struct ff_rawoffsets));\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n kerntmp->left = SFDReadUTF7Str(sfd);\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n kerntmp->right = SFDReadUTF7Str(sfd);\n while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd);\n getint(sfd,&temp);\n kerntmp->offset = temp;\n while ((ch=nlgetc(sfd)) == ' ' || ch == '\\n'); ungetc(ch, sfd);\n if (d->lastgroupvkern != NULL) d->lastgroupvkern->next = kerntmp; else sf->groupvkerns = kerntmp;\n d->lastgroupvkern = kerntmp;\n }\n else if ( strmatch(tok,\"MacIndic2:\")==0 || strmatch(tok,\"MacContext2:\")==0 ||\n\t strmatch(tok,\"MacLigature2:\")==0 || strmatch(tok,\"MacSimple2:\")==0 ||\n\t strmatch(tok,\"MacKern2:\")==0 || strmatch(tok,\"MacInsert2:\")==0 ||\n\t strmatch(tok,\"MacIndic:\")==0 || strmatch(tok,\"MacContext:\")==0 ||\n\t strmatch(tok,\"MacLigature:\")==0 || strmatch(tok,\"MacSimple:\")==0 ||\n\t strmatch(tok,\"MacKern:\")==0 || strmatch(tok,\"MacInsert:\")==0 )\n {\n\tASM *sm;\n\tif ( strchr(tok,'2')!=NULL ) {\n\t old = false;\n\t sm = chunkalloc(sizeof(ASM));\n\t} else {\n\t old = true;\n\t sm = chunkalloc(sizeof(ASM1));\n\t}\n\tif ( (sf->sfd_version<2)!=old ) {\n\t IError( \"Version mixup in state machine of sfd file.\" );\n\t exit(1);\n\t}\n\tif ( d->lastsm==NULL )\n\t sf->sm = sm;\n\telse\n\t d->lastsm->next = sm;\n\td->lastsm = sm;\n\tSFDParseStateMachine(sfd,sf,sm,tok,old);\n }\n else if ( strmatch(tok,\"MacFeat:\")==0 )\n {\n\tsf->features = SFDParseMacFeatures(sfd,tok);\n }\n else if ( 
strmatch(tok,\"TtfTable:\")==0 )\n {\n\t/* Old, binary format */\n\t/* still used for maxp and unknown tables */\n\tSFDGetTtfTable(sfd,sf,d->lastttf);\n }\n else if ( strmatch(tok,\"TtTable:\")==0 )\n {\n\t/* text instruction format */\n\tSFDGetTtTable(sfd,sf,d->lastttf);\n }\n\n\n ///////////////////\n\n else if ( strmatch(tok,\"ShortTable:\")==0 )\n {\n\t// only read, not written.\n\t/* text number format */\n\tSFDGetShortTable(sfd,sf,d->lastttf);\n }\n else\n {\n //\n // We didn't have a match ourselves.\n //\n return false;\n }\n return true;\n}", "project": "fontforge", "hash": 325003590001280455271075128217041102898, "size": 828, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417765 }, { "func": "static bool svm_get_nested_state_pages(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tif (!nested_svm_vmrun_msrpm(svm)) {\n\t\tvcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;\n\t\tvcpu->run->internal.suberror =\n\t\t\tKVM_INTERNAL_ERROR_EMULATION;\n\t\tvcpu->run->internal.ndata = 0;\n\t\treturn false;\n\t}\n\n\treturn true;\n}", "project": "linux", "hash": 212525857173666907644455201593984207204, "size": 13, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. 
Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376666 }, { "func": "static void copyData(rpm_tagtype_t type, rpm_data_t dstPtr, \n\t\trpm_constdata_t srcPtr, rpm_count_t cnt, int dataLength)\n{\n switch (type) {\n case RPM_STRING_ARRAY_TYPE:\n case RPM_I18NSTRING_TYPE:\n {\tconst char ** av = (const char **) srcPtr;\n\tchar * t = dstPtr;\n\n\twhile (cnt-- > 0 && dataLength > 0) {\n\t const char * s;\n\t if ((s = *av++) == NULL)\n\t\tcontinue;\n\t do {\n\t\t*t++ = *s++;\n\t } while (s[-1] && --dataLength > 0);\n\t}\n }\tbreak;\n\n default:\n\tmemmove(dstPtr, srcPtr, dataLength);\n\tbreak;\n }\n}", "project": "rpm", "hash": 241043100445478951494965994224171376802, "size": 24, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318203 }, { "func": "int fuse_update_attributes(struct inode *inode, struct file *file)\n{\n\t/* Do *not* need to get atime for internal purposes */\n\treturn fuse_update_get_attr(inode, file, NULL,\n\t\t\t\t STATX_BASIC_STATS & ~STATX_ATIME, 0);\n}", "project": "linux", "hash": 329440549132031693373213467810554767597, "size": 6, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341967 }, { "func": "static void autocomplete_flagspaces(RCore *core, RLineCompletion *completion, const char* msg) {\n\tr_return_if_fail (msg);\n\tint length = strlen (msg);\n\tRFlag *flag = core->flags;\n\tRSpaceIter it;\n\tRSpace *s;\n\tr_flag_space_foreach (flag, it, s) {\n\t\tif (!strncmp (msg, s->name, length)) {\n\t\t\tr_line_completion_push (completion, s->name);\n\t\t}\n\t}\n\n\tif (strlen (msg) == 0) {\n\t\tr_line_completion_push (completion, \"*\");\n\t}\n}", "project": "radare2", "hash": 58591064270912553810036056426766945264, "size": 16, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232129 }, { "func": "static int sctp_setsockopt_primary_addr(struct sock *sk, struct sctp_prim *prim,\n\t\t\t\t\tunsigned int optlen)\n{\n\tstruct sctp_transport *trans;\n\tstruct sctp_af *af;\n\tint err;\n\n\tif (optlen != sizeof(struct sctp_prim))\n\t\treturn -EINVAL;\n\n\t/* Allow security module to validate address but need address len. 
*/\n\taf = sctp_get_af_specific(prim->ssp_addr.ss_family);\n\tif (!af)\n\t\treturn -EINVAL;\n\n\terr = security_sctp_bind_connect(sk, SCTP_PRIMARY_ADDR,\n\t\t\t\t\t (struct sockaddr *)&prim->ssp_addr,\n\t\t\t\t\t af->sockaddr_len);\n\tif (err)\n\t\treturn err;\n\n\ttrans = sctp_addr_id2transport(sk, &prim->ssp_addr, prim->ssp_assoc_id);\n\tif (!trans)\n\t\treturn -EINVAL;\n\n\tsctp_assoc_set_primary(trans->asoc, trans);\n\n\treturn 0;\n}", "project": "linux", "hash": 135097181013425326469118325147483478113, "size": 29, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398193 }, { "func": "\nstatic void bfq_check_ioprio_change(struct bfq_io_cq *bic, struct bio *bio)\n{\n\tstruct bfq_data *bfqd = bic_to_bfqd(bic);\n\tstruct bfq_queue *bfqq;\n\tint ioprio = bic->icq.ioc->ioprio;\n\n\t/*\n\t * This condition may trigger on a newly created bic, be sure to\n\t * drop the lock before returning.\n\t */\n\tif (unlikely(!bfqd) || likely(bic->ioprio == ioprio))\n\t\treturn;\n\n\tbic->ioprio = ioprio;\n\n\tbfqq = bic_to_bfqq(bic, false);\n\tif (bfqq) {\n\t\tbfq_release_process_ref(bfqd, bfqq);\n\t\tbfqq = bfq_get_queue(bfqd, bio, BLK_RW_ASYNC, bic);\n\t\tbic_set_bfqq(bic, bfqq, false);\n\t}\n\n\tbfqq = bic_to_bfqq(bic, true);\n\tif (bfqq)\n\t\tbfq_set_next_ioprio_data(bfqq, bic);", "project": "linux", "hash": 127921487655068757179781936762766307763, "size": 26, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453403 }, { "func": "static long kvm_vcpu_compat_ioctl(struct file *filp,\n\t\t\t\t unsigned int ioctl, unsigned long arg)\n{\n\tstruct kvm_vcpu *vcpu = filp->private_data;\n\tvoid __user *argp = compat_ptr(arg);\n\tint r;\n\n\tif (vcpu->kvm->mm != current->mm)\n\t\treturn -EIO;\n\n\tswitch (ioctl) {\n\tcase KVM_SET_SIGNAL_MASK: {\n\t\tstruct kvm_signal_mask __user *sigmask_arg = argp;\n\t\tstruct kvm_signal_mask kvm_sigmask;\n\t\tsigset_t sigset;\n\n\t\tif (argp) {\n\t\t\tr = -EFAULT;\n\t\t\tif (copy_from_user(&kvm_sigmask, argp,\n\t\t\t\t\t sizeof(kvm_sigmask)))\n\t\t\t\tgoto out;\n\t\t\tr = -EINVAL;\n\t\t\tif (kvm_sigmask.len != sizeof(compat_sigset_t))\n\t\t\t\tgoto out;\n\t\t\tr = -EFAULT;\n\t\t\tif (get_compat_sigset(&sigset, (void *)sigmask_arg->sigset))\n\t\t\t\tgoto out;\n\t\t\tr = kvm_vcpu_ioctl_set_sigmask(vcpu, &sigset);\n\t\t} else\n\t\t\tr = 
kvm_vcpu_ioctl_set_sigmask(vcpu, NULL);\n\t\tbreak;\n\t}\n\tdefault:\n\t\tr = kvm_vcpu_ioctl(filp, ioctl, arg);\n\t}\n\nout:\n\treturn r;\n}", "project": "linux", "hash": 338411762718769092983531805537377713074, "size": 39, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354711 }, { "func": "static long kvm_vcpu_compat_ioctl(struct file *filp,\n\t\t\t\t unsigned int ioctl, unsigned long arg)\n{\n\tstruct kvm_vcpu *vcpu = filp->private_data;\n\tvoid __user *argp = compat_ptr(arg);\n\tint r;\n\n\tif (vcpu->kvm->mm != current->mm)\n\t\treturn -EIO;\n\n\tswitch (ioctl) {\n\tcase KVM_SET_SIGNAL_MASK: {\n\t\tstruct kvm_signal_mask __user *sigmask_arg = argp;\n\t\tstruct kvm_signal_mask kvm_sigmask;\n\t\tsigset_t sigset;\n\n\t\tif (argp) {\n\t\t\tr = -EFAULT;\n\t\t\tif (copy_from_user(&kvm_sigmask, argp,\n\t\t\t\t\t sizeof(kvm_sigmask)))\n\t\t\t\tgoto out;\n\t\t\tr = -EINVAL;\n\t\t\tif (kvm_sigmask.len != sizeof(compat_sigset_t))\n\t\t\t\tgoto out;\n\t\t\tr = -EFAULT;\n\t\t\tif (get_compat_sigset(&sigset,\n\t\t\t\t\t (compat_sigset_t __user *)sigmask_arg->sigset))\n\t\t\t\tgoto out;\n\t\t\tr = kvm_vcpu_ioctl_set_sigmask(vcpu, &sigset);\n\t\t} else\n\t\t\tr = kvm_vcpu_ioctl_set_sigmask(vcpu, NULL);\n\t\tbreak;\n\t}\n\tdefault:\n\t\tr = kvm_vcpu_ioctl(filp, ioctl, arg);\n\t}\n\nout:\n\treturn r;\n}", 
"project": "linux", "hash": 117993800862553615920574324305754840080, "size": 40, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404082 }, { "func": "static void __fuse_release_nowrite(struct inode *inode)\n{\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\n\tBUG_ON(fi->writectr != FUSE_NOWRITE);\n\tfi->writectr = 0;\n\tfuse_flush_writepages(inode);\n}", "project": "linux", "hash": 157650995865299725346877244944101362477, "size": 8, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341958 }, { "func": " Status RetrieveAndClearSparseTensors(\n OpKernelContext* ctx, const TTypes::ConstVec& handles,\n std::vector* sparse_tensors) {\n sparse_tensors->clear();\n sparse_tensors->reserve(handles.size());\n {\n mutex_lock l(mu_);\n for (size_t i = 0; i < handles.size(); ++i) {\n const int64 handle = handles(i);\n auto sp_iter = sp_tensors_.find(handle);\n if (sp_iter == sp_tensors_.end()) {\n return errors::InvalidArgument(\n \"Unable to find SparseTensor: \", handle, \" in map: \", name_);\n }\n const Tensor* ix = sp_iter->second.indices.AccessTensor(ctx);\n const Tensor* values = sp_iter->second.values.AccessTensor(ctx);\n const auto& shape = sp_iter->second.shape;\n SparseTensor tensor;\n TF_RETURN_IF_ERROR(SparseTensor::Create(*ix, *values, shape, &tensor));\n sparse_tensors->push_back(std::move(tensor));\n sp_tensors_.erase(sp_iter);\n }\n }\n\n return Status::OK();\n }", "project": "tensorflow", "hash": 14467469284450338182476734938955673079, "size": 26, "commit_id": "69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c", "message": "Fix overflow CHECK issue with `tf.raw_ops.AddManySparseToTensorsMap`.\n\nPiperOrigin-RevId: 369492969\nChange-Id: I1d70d6c0c92e3d7a25bc3b3aa2a0c0ac9688bf81", "target": 0, "dataset": "other", "idx": 270287 }, { "func": "Item_func_like::add_key_fields(JOIN *join, KEY_FIELD **key_fields,\n uint *and_level, table_map usable_tables,\n SARGABLE_PARAM **sargables)\n{\n if (is_local_field(args[0]) && with_sargable_pattern())\n {\n /*\n SELECT * FROM t1 WHERE field LIKE const_pattern\n const_pattern starts with a non-wildcard character\n */\n add_key_equal_fields(join, key_fields, *and_level, this,\n (Item_field*) args[0]->real_item(), 
false,\n args + 1, 1, usable_tables, sargables);\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 335931159983518597700183565250157811482, "size": 15, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508465 }, { "func": "Item_func_ne::add_key_fields(JOIN *join, KEY_FIELD **key_fields,\n uint *and_level, table_map usable_tables,\n SARGABLE_PARAM **sargables)\n{\n if (!(used_tables() & OUTER_REF_TABLE_BIT))\n {\n /*\n QQ: perhaps test for !is_local_field(args[1]) is not really needed here.\n Other comparison functions, e.g. Item_func_le, Item_func_gt, etc,\n do not have this test. 
See Item_bool_func2::add_key_fieldoptimize_op().\n Check with the optimizer team.\n */\n if (is_local_field(args[0]) && !is_local_field(args[1]))\n add_key_equal_fields(join, key_fields, *and_level, this,\n (Item_field*) (args[0]->real_item()), false,\n &args[1], 1, usable_tables, sargables);\n /*\n QQ: perhaps test for !is_local_field(args[0]) is not really needed here.\n */\n if (is_local_field(args[1]) && !is_local_field(args[0]))\n add_key_equal_fields(join, key_fields, *and_level, this,\n (Item_field*) (args[1]->real_item()), false,\n &args[0], 1, usable_tables, sargables);\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 29912199872891403182046693790172359099, "size": 25, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508504 }, { "func": "Item_cond_and::add_key_fields(JOIN *join, KEY_FIELD **key_fields,\n uint *and_level, table_map usable_tables,\n SARGABLE_PARAM **sargables)\n{\n List_iterator_fast li(*argument_list());\n KEY_FIELD *org_key_fields= *key_fields;\n\n Item *item;\n while ((item=li++))\n item->add_key_fields(join, key_fields, and_level, usable_tables,\n sargables);\n for (; org_key_fields != *key_fields ; org_key_fields++)\n org_key_fields->level= *and_level;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 303226824635788086431101411621521745929, "size": 14, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508511 }, { "func": "Item_func_null_predicate::add_key_fields(JOIN *join, KEY_FIELD **key_fields,\n uint *and_level,\n table_map usable_tables,\n SARGABLE_PARAM **sargables)\n{\n /* column_name IS [NOT] NULL */\n if (is_local_field(args[0]) && !(used_tables() & OUTER_REF_TABLE_BIT))\n {\n Item *tmp= new (join->thd->mem_root) Item_null(join->thd);\n if (unlikely(!tmp)) // Should never be true\n return;\n add_key_equal_fields(join, key_fields, *and_level, this,\n (Item_field*) args[0]->real_item(),\n functype() == Item_func::ISNULL_FUNC,\n &tmp, 1, usable_tables, sargables);\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 54861376959147795971092673438593933703, "size": 17, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508518 }, { "func": "Item_equal::add_key_fields(JOIN *join, KEY_FIELD **key_fields,\n uint *and_level, table_map usable_tables,\n SARGABLE_PARAM **sargables)\n{\n Item *const_item2= get_const();\n Item_equal_fields_iterator it(*this);\n if (const_item2)\n {\n \n /*\n For each field field1 from item_equal consider the equality \n field1=const_item as a condition allowing an index access of the table\n with field1 by the keys value of field1.\n */ \n while (it++)\n {\n Field *equal_field= it.get_curr_field();\n add_key_field(join, key_fields, *and_level, this, equal_field,\n TRUE, &const_item2, 1, usable_tables, sargables);\n }\n }\n else \n {\n /*\n Consider all pairs of different fields included into item_equal.\n For each of them (field1, field1) consider the equality \n field1=field2 as a condition allowing an index access of the table\n with field1 by the keys value of field2.\n */ \n Item_equal_fields_iterator fi(*this);\n while (fi++)\n {\n Field *field= fi.get_curr_field();\n Item *item;\n while ((item= it++))\n {\n Field *equal_field= it.get_curr_field();\n if (!field->eq(equal_field))\n {\n add_key_field(join, key_fields, *and_level, this, field,\n TRUE, &item, 1, usable_tables,\n sargables);\n }\n }\n it.rewind();\n }\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 34370014753570129751770800728250869997, "size": 48, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508525 }, { "func": "Item_func_in::add_key_fields(JOIN *join, KEY_FIELD **key_fields,\n uint *and_level, table_map usable_tables,\n SARGABLE_PARAM **sargables)\n{\n if (is_local_field(args[0]) && !(used_tables() & OUTER_REF_TABLE_BIT))\n {\n DBUG_ASSERT(arg_count != 2);\n add_key_equal_fields(join, key_fields, *and_level, this,\n (Item_field*) (args[0]->real_item()), false,\n args + 1, arg_count - 1, usable_tables, sargables);\n }\n else if (key_item()->type() == Item::ROW_ITEM &&\n !(used_tables() & OUTER_REF_TABLE_BIT))\n {\n Item_row *key_row= (Item_row *) key_item();\n Item **key_col= key_row->addr(0);\n uint row_cols= key_row->cols();\n for (uint i= 0; i < row_cols; i++, key_col++)\n {\n if (is_local_field(*key_col))\n {\n Item_field *field_item= (Item_field *)((*key_col)->real_item());\n add_key_equal_fields(join, key_fields, *and_level, this,\n field_item, false, args + 1, arg_count - 1,\n usable_tables, sargables, i + 1);\n } \n }\n }\n \n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 323005677369671995650674425045555660096, "size": 30, "message": "MDEV-22464 Server crash on UPDATE with nested 
subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508625 }, { "func": "Item_cond::add_key_fields(JOIN *join, KEY_FIELD **key_fields,\n uint *and_level, table_map usable_tables,\n SARGABLE_PARAM **sargables)\n{\n List_iterator_fast li(*argument_list());\n KEY_FIELD *org_key_fields= *key_fields;\n\n (*and_level)++;\n (li++)->add_key_fields(join, key_fields, and_level, usable_tables,\n sargables);\n Item *item;\n while ((item=li++))\n {\n KEY_FIELD *start_key_fields= *key_fields;\n (*and_level)++;\n item->add_key_fields(join, key_fields, and_level, usable_tables,\n sargables);\n *key_fields= merge_key_fields(org_key_fields,start_key_fields,\n *key_fields, ++(*and_level));\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 325431133034671127114582561776192951410, "size": 21, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508631 }, { "func": "Item_func_between::add_key_fields(JOIN *join, KEY_FIELD **key_fields,\n uint *and_level, table_map usable_tables,\n SARGABLE_PARAM **sargables)\n{\n /*\n Build list of possible keys for 'a BETWEEN low AND high'.\n It is handled similar to the equivalent condition \n 'a >= low AND a <= high':\n */\n Item_field *field_item;\n bool equal_func= false;\n uint num_values= 2;\n\n bool binary_cmp= (args[0]->real_item()->type() == Item::FIELD_ITEM)\n ? 
((Item_field*) args[0]->real_item())->field->binary()\n : true;\n /*\n Additional optimization: If 'low = high':\n Handle as if the condition was \"t.key = low\".\n */\n if (!negated && args[1]->eq(args[2], binary_cmp))\n {\n equal_func= true;\n num_values= 1;\n }\n\n /*\n Append keys for 'field value[]' if the\n condition is of the form::\n ' BETWEEN value[1] AND value[2]'\n */\n if (is_local_field(args[0]))\n {\n field_item= (Item_field *) (args[0]->real_item());\n add_key_equal_fields(join, key_fields, *and_level, this,\n field_item, equal_func, &args[1],\n num_values, usable_tables, sargables);\n }\n /*\n Append keys for 'value[0] field' if the\n condition is of the form:\n 'value[0] BETWEEN field1 AND field2'\n */\n for (uint i= 1; i <= num_values; i++)\n {\n if (is_local_field(args[i]))\n {\n field_item= (Item_field *) (args[i]->real_item());\n add_key_equal_fields(join, key_fields, *and_level, this,\n field_item, equal_func, args,\n 1, usable_tables, sargables);\n }\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 329581698051768225359470479749079731725, "size": 54, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508663 }, { "func": "Item_func_trig_cond::add_key_fields(JOIN *join, KEY_FIELD **key_fields,\n uint *and_level, table_map usable_tables,\n SARGABLE_PARAM **sargables)\n{\n /* \n Subquery optimization: Conditions that are pushed down into subqueries\n are wrapped into Item_func_trig_cond. We process the wrapped condition\n but need to set cond_guard for KEYUSE elements generated from it.\n */\n if (!join->group_list && !join->order &&\n join->unit->item && \n join->unit->item->substype() == Item_subselect::IN_SUBS &&\n !join->unit->is_unit_op())\n {\n KEY_FIELD *save= *key_fields;\n args[0]->add_key_fields(join, key_fields, and_level, usable_tables,\n sargables);\n // Indicate that this ref access candidate is for subquery lookup:\n for (; save != *key_fields; save++)\n save->cond_guard= get_trig_var();\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 87509156789211198340415555322264109776, "size": 22, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508687 }, { "func": " virtual void add_key_fields(JOIN *join, KEY_FIELD **key_fields,\n uint *and_level,\n table_map usable_tables,\n SARGABLE_PARAM **sargables)\n {\n return;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 176351907258485858065054473667205071668, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509458 }, { "func": "static void huf_canonical_code_table(uint64_t *freq)\n{\n uint64_t c, n[59] = { 0 };\n int i;\n\n for (i = 0; i < HUF_ENCSIZE; i++)\n n[freq[i]] += 1;\n\n c = 0;\n for (i = 58; i > 0; --i) {\n uint64_t nc = ((c + n[i]) >> 1);\n n[i] = c;\n c = nc;\n }\n\n for (i = 0; i < HUF_ENCSIZE; ++i) {\n int l = freq[i];\n\n if (l > 0)\n freq[i] = l | (n[l]++ << 6);\n }\n}", "project": "FFmpeg", "hash": 173692258863672924495702120366614175648, "size": 22, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262674 }, { "func": "static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x size %u\", hdev->name, rp->status, rp->size);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->le_resolv_list_size = rp->size;\n}", "project": "linux", "hash": 173210242326782543737773589442677287967, "size": 12, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432012 }, { "func": "CWebSock::EPageReqResult CWebSock::PrintStaticFile(const CString& sPath,\n CString& sPageRet,\n CModule* pModule) {\n SetPaths(pModule);\n CString sFile = m_Template.ExpandFile(sPath.TrimLeft_n(\"/\"));\n DEBUG(\"About to print [\" + sFile + \"]\");\n // Either PrintFile() fails and sends an error page or it succeeds and\n // sends a result. In both cases we don't have anything more to do.\n PrintFile(sFile);\n return PAGE_DONE;\n}", "project": "znc", "hash": 176478034739424718734748107901032955805, "size": 11, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265774 }, { "func": "static int sctp_connect(struct sock *sk, struct sockaddr *addr,\n\t\t\tint addr_len, int flags)\n{\n\tstruct sctp_af *af;\n\tint err = -EINVAL;\n\n\tlock_sock(sk);\n\tpr_debug(\"%s: sk:%p, sockaddr:%p, addr_len:%d\\n\", __func__, sk,\n\t\t addr, addr_len);\n\n\t/* Validate addr_len before calling common connect/connectx routine. 
*/\n\taf = sctp_get_af_specific(addr->sa_family);\n\tif (af && addr_len >= af->sockaddr_len)\n\t\terr = __sctp_connect(sk, addr, af->sockaddr_len, flags, NULL);\n\n\trelease_sock(sk);\n\treturn err;\n}", "project": "linux", "hash": 26955355585856795472991055165487286568, "size": 18, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398090 }, { "func": "static int x25_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,\n\t\t int flags)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct x25_sock *x25 = x25_sk(sk);\n\tDECLARE_SOCKADDR(struct sockaddr_x25 *, sx25, msg->msg_name);\n\tsize_t copied;\n\tint qbit, header_len;\n\tstruct sk_buff *skb;\n\tunsigned char *asmptr;\n\tint rc = -ENOTCONN;\n\n\tlock_sock(sk);\n\n\tif (x25->neighbour == NULL)\n\t\tgoto out;\n\n\theader_len = x25->neighbour->extended ?\n\t\tX25_EXT_MIN_LEN : X25_STD_MIN_LEN;\n\n\t/*\n\t * This works for seqpacket too. The receiver has ordered the queue for\n\t * us! 
We do one quick check first though\n\t */\n\tif (sk->sk_state != TCP_ESTABLISHED)\n\t\tgoto out;\n\n\tif (flags & MSG_OOB) {\n\t\trc = -EINVAL;\n\t\tif (sock_flag(sk, SOCK_URGINLINE) ||\n\t\t !skb_peek(&x25->interrupt_in_queue))\n\t\t\tgoto out;\n\n\t\tskb = skb_dequeue(&x25->interrupt_in_queue);\n\n\t\tif (!pskb_may_pull(skb, X25_STD_MIN_LEN))\n\t\t\tgoto out_free_dgram;\n\n\t\tskb_pull(skb, X25_STD_MIN_LEN);\n\n\t\t/*\n\t\t *\tNo Q bit information on Interrupt data.\n\t\t */\n\t\tif (test_bit(X25_Q_BIT_FLAG, &x25->flags)) {\n\t\t\tasmptr = skb_push(skb, 1);\n\t\t\t*asmptr = 0x00;\n\t\t}\n\n\t\tmsg->msg_flags |= MSG_OOB;\n\t} else {\n\t\t/* Now we can treat all alike */\n\t\trelease_sock(sk);\n\t\tskb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,\n\t\t\t\t\tflags & MSG_DONTWAIT, &rc);\n\t\tlock_sock(sk);\n\t\tif (!skb)\n\t\t\tgoto out;\n\n\t\tif (!pskb_may_pull(skb, header_len))\n\t\t\tgoto out_free_dgram;\n\n\t\tqbit = (skb->data[0] & X25_Q_BIT) == X25_Q_BIT;\n\n\t\tskb_pull(skb, header_len);\n\n\t\tif (test_bit(X25_Q_BIT_FLAG, &x25->flags)) {\n\t\t\tasmptr = skb_push(skb, 1);\n\t\t\t*asmptr = qbit;\n\t\t}\n\t}\n\n\tskb_reset_transport_header(skb);\n\tcopied = skb->len;\n\n\tif (copied > size) {\n\t\tcopied = size;\n\t\tmsg->msg_flags |= MSG_TRUNC;\n\t}\n\n\t/* Currently, each datagram always contains a complete record */\n\tmsg->msg_flags |= MSG_EOR;\n\n\trc = skb_copy_datagram_msg(skb, 0, msg, copied);\n\tif (rc)\n\t\tgoto out_free_dgram;\n\n\tif (sx25) {\n\t\tsx25->sx25_family = AF_X25;\n\t\tsx25->sx25_addr = x25->dest_addr;\n\t\tmsg->msg_namelen = sizeof(*sx25);\n\t}\n\n\tx25_check_rbuf(sk);\n\trc = copied;\nout_free_dgram:\n\tskb_free_datagram(sk, skb);\nout:\n\trelease_sock(sk);\n\treturn rc;\n}", "project": "net", "hash": 307921331182350312235508968145574152574, "size": 100, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be 
set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449187 }, { "func": "static int push_data_ready(struct archive_read* a, struct rar5* rar,\n const uint8_t* buf, size_t size, int64_t offset)\n{\n\tint i;\n\n\t/* Don't push if we're in skip mode. This is needed because solid\n\t * streams need full processing even if we're skipping data. After\n\t * fully processing the stream, we need to discard the generated bytes,\n\t * because we're interested only in the side effect: building up the\n\t * internal window circular buffer. This window buffer will be used\n\t * later during unpacking of requested data. */\n\tif(rar->skip_mode)\n\t\treturn ARCHIVE_OK;\n\n\t/* Sanity check. 
*/\n\tif(offset != rar->file.last_offset + rar->file.last_size) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,\n\t\t \"Sanity check error: output stream is not continuous\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tfor(i = 0; i < rar5_countof(rar->cstate.dready); i++) {\n\t\tstruct data_ready* d = &rar->cstate.dready[i];\n\t\tif(!d->used) {\n\t\t\td->used = 1;\n\t\t\td->buf = buf;\n\t\t\td->size = size;\n\t\t\td->offset = offset;\n\n\t\t\t/* These fields are used only in sanity checking. */\n\t\t\trar->file.last_offset = offset;\n\t\t\trar->file.last_size = size;\n\n\t\t\t/* Calculate the checksum of this new block before\n\t\t\t * submitting data to libarchive's engine. */\n\t\t\tupdate_crc(rar, d->buf, d->size);\n\n\t\t\treturn ARCHIVE_OK;\n\t\t}\n\t}\n\n\t/* Program counter will reach this code if the `rar->cstate.data_ready`\n\t * stack will be filled up so that no new entries will be allowed. The\n\t * code shouldn't allow such situation to occur. So we treat this case\n\t * as an internal error. */\n\n\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,\n\t \"Error: premature end of data_ready stack\");\n\treturn ARCHIVE_FATAL;\n}", "project": "libarchive", "hash": 156316784169244025955838011625222088324, "size": 50, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244720 }, { "func": "static int on_frame(h2_stream_state_t state, int frame_type, \n int frame_map[][H2_SS_MAX], apr_size_t maxlen)\n{\n ap_assert(frame_type >= 0);\n ap_assert(state >= 0);\n if (frame_type >= maxlen) {\n return state; /* NOP, ignore unknown frame types */\n }\n return on_map(state, frame_map[frame_type]);\n}", "project": "httpd", "hash": 34007716458842985580792989986441637094, "size": 10, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284262 }, { "func": "static void get_map(char *p)\n{\n\tstruct map *map;\n\tstruct note_map *note_map;\n\tchar *name, *q;\n\tint l, type, pit, acc;\n\n\tif (*p == '\\0')\n\t\treturn;\n\n\t/* map name */\n\tname = p;\n\twhile (!isspace((unsigned char) *p) && *p != '\\0')\n\t\tp++;\n\tl = p - name;\n\n\t/* base note */\n\twhile (isspace((unsigned char) *p))\n\t\tp++;\n\tif (*p == '*') {\n\t\ttype = MAP_ALL;\n\t\tp++;\n\t} else if (strncmp(p, \"octave,\", 7) == 0) {\n\t\ttype = MAP_OCT;\n\t\tp += 7;\n\t} else if (strncmp(p, \"key,\", 4) == 0) {\n\t\ttype = MAP_KEY;\n\t\tp += 4;\n\t} else if (strncmp(p, \"all\", 3) == 0) {\n\t\ttype = MAP_ALL;\n\t\twhile (!isspace((unsigned char) *p) && *p != '\\0')\n\t\t\tp++;\n\t} else {\n\t\ttype = MAP_ONE;\n\t}\n\tif (type != MAP_ALL) {\n\t\tp = parse_acc_pit(p, &pit, 
&acc);\n\t\tif (acc < 0)\t\t\t// if error\n\t\t\tpit = acc = 0;\n\t\tif (type == MAP_OCT || type == MAP_KEY) {\n\t\t\tpit %= 7;\n\t\t\tif (type == MAP_KEY)\n\t\t\t\tacc = A_NULL;\n\t\t}\n\t} else {\n\t\tpit = acc = 0;\n\t}\n\n\t// get/create the map\n\tfor (map = maps; map; map = map->next) {\n\t\tif (strncmp(name, map->name, l) == 0)\n\t\t\tbreak;\n\t}\n\tif (!map) {\n\t\tmap = getarena(sizeof *map);\n\t\tmap->next = maps;\n\t\tmaps = map;\n\t\tmap->name = getarena(l + 1);\n\t\tstrncpy(map->name, name, l);\n\t\tmap->name[l] = '\\0';\n\t\tmap->notes = NULL;\n\t}\n\tfor (note_map = map->notes; note_map; note_map = note_map->next) {\n\t\tif (note_map->type == type\n\t\t && note_map->pit == pit\n\t\t && note_map->acc == acc)\n\t\t\tbreak;\n\t}\n\tif (!note_map) {\n\t\tnote_map = getarena(sizeof *note_map);\n\t\tmemset(note_map, 0, sizeof *note_map);\n\t\tnote_map->next = map->notes;\n\t\tmap->notes = note_map;\n\t\tnote_map->type = type;\n\t\tnote_map->pit = pit;\n\t\tnote_map->acc = acc;\n\t\tnote_map->print_pit = -128;\n\t\tnote_map->color = -1;\n\t}\n\n\t/* try the optional 'print' and 'heads' parameters */\n\twhile (isspace((unsigned char) *p))\n\t\tp++;\n\tif (*p == '\\0')\n\t\treturn;\n\tq = p;\n\twhile (!isspace((unsigned char) *q) && *q != '\\0') {\n\t\tif (*q == '=')\n\t\t\tbreak;\n\t\tq++;\n\t}\n\tif (isspace((unsigned char) *q) || *q == '\\0') {\n\t\tif (*p != '*') {\n\t\t\tp = parse_acc_pit(p, &pit, &acc);\n\t\t\tif (acc >= 0) {\n\t\t\t\tnote_map->print_pit = pit;\n\t\t\t\tnote_map->print_acc = acc;\n\t\t\t}\n\t\t\tif (*p == '\\0')\n\t\t\t\treturn;\n\t\t}\n\t\tp = q;\n\t\twhile (isspace((unsigned char) *p))\n\t\t\tp++;\n\t\tif (*p == '\\0')\n\t\t\treturn;\n\t\tq = p;\n\t\twhile (!isspace((unsigned char) *q) && *q != '\\0') {\n\t\t\tif (*q == '=')\n\t\t\t\tbreak;\n\t\t\tq++;\n\t\t}\n\t\tif (isspace((unsigned char) *q) || *q == '\\0') {\n\t\t\tname = p;\n\t\t\tp = q;\n\t\t\tl = p - name;\n\t\t\tnote_map->heads = getarena(l + 
1);\n\t\t\tstrncpy(note_map->heads, name, l);\n\t\t\tnote_map->heads[l] = '\\0';\n\t\t}\n\t}\n\n\t/* loop on the parameters */\n\tfor (;;) {\n\t\twhile (isspace((unsigned char) *p))\n\t\t\tp++;\n\t\tif (*p == '\\0')\n\t\t\tbreak;\n\t\tif (strncmp(p, \"heads=\", 6) == 0) {\n\t\t\tp += 6;\n\t\t\tname = p;\n\t\t\twhile (!isspace((unsigned char) *p) && *p != '\\0')\n\t\t\t\tp++;\n\t\t\tl = p - name;\n\t\t\tnote_map->heads = getarena(l + 1);\n\t\t\tstrncpy(note_map->heads, name, l);\n\t\t\tnote_map->heads[l] = '\\0';\n\t\t} else if (strncmp(p, \"print=\", 6) == 0) {\n\t\t\tp += 6;\n\t\t\tp = parse_acc_pit(p, &pit, &acc);\n\t\t\tif (acc >= 0) {\n\t\t\t\tnote_map->print_pit = pit;\n\t\t\t\tnote_map->print_acc = acc;\n\t\t\t}\n\t\t} else if (strncmp(p, \"color=\", 6) == 0) {\n\t\t\tint color;\n\n\t\t\tcolor = get_color(p + 6);\n\t\t\tif (color < 0) {\n\t\t\t\terror(1, NULL, \"Bad color in %%%%map\");\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tnote_map->color = color;\n\t\t}\n\t\twhile (!isspace((unsigned char) *p) && *p != '\\0')\n\t\t\tp++;\n\t}\n}", "project": "abcm2ps", "hash": 144411729812375616768485865367357522921, "size": 158, "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3", "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,", "target": 0, "dataset": "other", "idx": 484348 }, { "func": "static void gdImageHLine(gdImagePtr im, int y, int x1, int x2, int col)\n{\n\tif (im->thick > 1) {\n\t\tint thickhalf = im->thick >> 1;\n\t\tgdImageFilledRectangle(im, x1, y - thickhalf, x2, y + im->thick - thickhalf - 1, col);\n\t} else {\n\t\tif (x2 < x1) {\n\t\t\tint t = x2;\n\t\t\tx2 = x1;\n\t\t\tx1 = t;\n\t\t}\n\n\t\tfor (;x1 <= x2; x1++) {\n\t\t\tgdImageSetPixel(im, x1, y, col);\n\t\t}\n\t}\n\treturn;\n}", "project": "php-src", "hash": 91038157956486533617676427013013527269, "size": 18, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap 
overflow", "target": 0, "dataset": "other", "idx": 295186 }, { "func": "static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));\n\tif (conn) {\n\t\tif (!ev->status)\n\t\t\tmemcpy(conn->features[0], ev->features, 8);\n\n\t\tif (conn->state == BT_CONFIG) {\n\t\t\t__u8 status;\n\n\t\t\t/* If the local controller supports slave-initiated\n\t\t\t * features exchange, but the remote controller does\n\t\t\t * not, then it is possible that the error code 0x1a\n\t\t\t * for unsupported remote feature gets returned.\n\t\t\t *\n\t\t\t * In this specific case, allow the connection to\n\t\t\t * transition into connected state and mark it as\n\t\t\t * successful.\n\t\t\t */\n\t\t\tif ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&\n\t\t\t !conn->out && ev->status == 0x1a)\n\t\t\t\tstatus = 0x00;\n\t\t\telse\n\t\t\t\tstatus = ev->status;\n\n\t\t\tconn->state = BT_CONNECTED;\n\t\t\thci_connect_cfm(conn, status);\n\t\t\thci_conn_drop(conn);\n\t\t}\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 254376498955939757077950381489431223874, "size": 41, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431874 }, { "func": "void tipc_node_remove_conn(struct net *net, u32 dnode, u32 port)\n{\n\tstruct tipc_node *node;\n\tstruct tipc_sock_conn *conn, *safe;\n\n\tif (in_own_node(net, dnode))\n\t\treturn;\n\n\tnode = tipc_node_find(net, dnode);\n\tif (!node)\n\t\treturn;\n\n\ttipc_node_write_lock(node);\n\tlist_for_each_entry_safe(conn, safe, &node->conn_sks, list) {\n\t\tif (port != conn->port)\n\t\t\tcontinue;\n\t\tlist_del(&conn->list);\n\t\tkfree(conn);\n\t}\n\ttipc_node_write_unlock(node);\n\ttipc_node_put(node);\n}", "project": "linux", "hash": 202987491101983312089565570707245976494, "size": 22, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 
net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n 
kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364951 }, { "func": "static int skip_emulated_instruction(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (nrips && svm->vmcb->control.next_rip != 0) {\n\t\tWARN_ON_ONCE(!static_cpu_has(X86_FEATURE_NRIPS));\n\t\tsvm->next_rip = svm->vmcb->control.next_rip;\n\t}\n\n\tif (!svm->next_rip) {\n\t\tif (!kvm_emulate_instruction(vcpu, EMULTYPE_SKIP))\n\t\t\treturn 0;\n\t} else {\n\t\tif (svm->next_rip - kvm_rip_read(vcpu) > MAX_INST_SIZE)\n\t\t\tpr_err(\"%s: ip 0x%lx next 0x%llx\\n\",\n\t\t\t __func__, kvm_rip_read(vcpu), svm->next_rip);\n\t\tkvm_rip_write(vcpu, svm->next_rip);\n\t}\n\tsvm_set_interrupt_shadow(vcpu, 0);\n\n\treturn 1;\n}", "project": "linux", "hash": 220551463606932012024050936603096563269, "size": 22, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432486 }, { "func": "static void skip_emulated_instruction(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (svm->vmcb->control.next_rip != 0)\n\t\tsvm->next_rip = svm->vmcb->control.next_rip;\n\n\tif (!svm->next_rip) {\n\t\tif (emulate_instruction(vcpu, EMULTYPE_SKIP) !=\n\t\t\t\tEMULATE_DONE)\n\t\t\tprintk(KERN_DEBUG \"%s: NOP\\n\", __func__);\n\t\treturn;\n\t}\n\tif (svm->next_rip - kvm_rip_read(vcpu) > MAX_INST_SIZE)\n\t\tprintk(KERN_ERR \"%s: ip 0x%lx next 0x%llx\\n\",\n\t\t __func__, kvm_rip_read(vcpu), svm->next_rip);\n\n\tkvm_rip_write(vcpu, svm->next_rip);\n\tsvm_set_interrupt_shadow(vcpu, 0);\n}", "project": "kvm", "hash": 284814656182433301733276642943217905354, "size": 20, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437664 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " media::StatisticsCB NewStatisticsCB() {\n return base::Bind(&media::MockStatisticsCB::OnStatistics,\n base::Unretained(&statistics_cb_object_));\n }\n", "cwe": "", "big_vul_idx": 113325, "idx": 101618, "hash": 160762575598560332542478277109288719953 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " StatisticsCB NewStatisticsCB() {\n return base::Bind(&MockStatisticsCB::OnStatistics,\n base::Unretained(&statistics_cb_));\n }\n", "cwe": "", "big_vul_idx": 113331, "idx": 101623, "hash": 285286332472861925361991245163583739994 }, { "func": "void LibRaw::identify_process_dng_fields()\n{\n\tif 
(!dng_version) return;\n\tint c;\n\t{\n\t\t/* copy DNG data from per-IFD field to color.dng */\n\t\tint iifd = find_ifd_by_offset(data_offset);\n\t\tint pifd = find_ifd_by_offset(thumb_offset);\n\n#define CFAROUND(value, filters) \\\n filters ? (filters >= 1000 ? ((value + 1) / 2) * 2 : ((value + 5) / 6) * 6) \\\n : value\n\n#define IFDCOLORINDEX(ifd, subset, bit) \\\n (tiff_ifd[ifd].dng_color[subset].parsedfields & bit) \\\n ? ifd \\\n : ((tiff_ifd[0].dng_color[subset].parsedfields & bit) ? 0 : -1)\n\n#define IFDLEVELINDEX(ifd, bit) \\\n (tiff_ifd[ifd].dng_levels.parsedfields & bit) \\\n ? ifd \\\n : ((tiff_ifd[0].dng_levels.parsedfields & bit) ? 0 : -1)\n\n#define COPYARR(to, from) memmove(&to, &from, sizeof(from))\n\n\t\tif (iifd < (int)tiff_nifds && iifd >= 0)\n\t\t{\n\t\t\tint sidx;\n\t\t\t// Per field, not per structure\n\t\t\tif (!(imgdata.params.raw_processing_options &\n\t\t\t\tLIBRAW_PROCESSING_DONT_CHECK_DNG_ILLUMINANT))\n\t\t\t{\n\t\t\t\tint illidx[2], cmidx[2], calidx[2], abidx;\n\t\t\t\tfor (int i = 0; i < 2; i++)\n\t\t\t\t{\n\t\t\t\t\tillidx[i] = IFDCOLORINDEX(iifd, i, LIBRAW_DNGFM_ILLUMINANT);\n\t\t\t\t\tcmidx[i] = IFDCOLORINDEX(iifd, i, LIBRAW_DNGFM_COLORMATRIX);\n\t\t\t\t\tcalidx[i] = IFDCOLORINDEX(iifd, i, LIBRAW_DNGFM_CALIBRATION);\n\t\t\t\t}\n\t\t\t\tabidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_ANALOGBALANCE);\n\t\t\t\t// Data found, all in same ifd, illuminants are inited\n\t\t\t\tif (illidx[0] >= 0 && illidx[0] < (int)tiff_nifds &&\n\t\t\t\t\tillidx[0] == illidx[1] && illidx[0] == cmidx[0] &&\n\t\t\t\t\tillidx[0] == cmidx[1] &&\n\t\t\t\t\ttiff_ifd[illidx[0]].dng_color[0].illuminant > 0 &&\n\t\t\t\t\ttiff_ifd[illidx[0]].dng_color[1].illuminant > 0)\n\t\t\t\t{\n\t\t\t\t\tsidx = illidx[0]; // => selected IFD\n\t\t\t\t\tdouble cc[4][4], cm[4][3], cam_xyz[4][3];\n\t\t\t\t\t// CM -> Color Matrix\n\t\t\t\t\t// CC -> Camera calibration\n\t\t\t\t\tfor (int j = 0; j < 4; j++)\n\t\t\t\t\t\tfor (int i = 0; i < 4; i++)\n\t\t\t\t\t\t\tcc[j][i] = i == 
j;\n\t\t\t\t\tint colidx = -1;\n\n\t\t\t\t\t// IS D65 here?\n\t\t\t\t\tfor (int i = 0; i < 2; i++)\n\t\t\t\t\t{\n\t\t\t\t\t\tif (tiff_ifd[sidx].dng_color[i].illuminant == LIBRAW_WBI_D65)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tcolidx = i;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\t// Other daylight-type ill\n\t\t\t\t\tif (colidx < 0)\n\t\t\t\t\t\tfor (int i = 0; i < 2; i++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tint ill = tiff_ifd[sidx].dng_color[i].illuminant;\n\t\t\t\t\t\t\tif (ill == LIBRAW_WBI_Daylight || ill == LIBRAW_WBI_D55 ||\n\t\t\t\t\t\t\t\till == LIBRAW_WBI_D75 || ill == LIBRAW_WBI_D50 ||\n\t\t\t\t\t\t\t\till == LIBRAW_WBI_Flash)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tcolidx = i;\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\tif (colidx >= 0) // Selected\n\t\t\t\t\t{\n\t\t\t\t\t\t// Init camera matrix from DNG\n\t\t\t\t\t\tFORCC for (int j = 0; j < 3; j++) cm[c][j] =\n\t\t\t\t\t\t\ttiff_ifd[sidx].dng_color[colidx].colormatrix[c][j];\n\n\t\t\t\t\t\tif (calidx[colidx] == sidx)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tfor (int i = 0; i < colors; i++)\n\t\t\t\t\t\t\t\tFORCC\n\t\t\t\t\t\t\t\tcc[i][c] = tiff_ifd[sidx].dng_color[colidx].calibration[i][c];\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif (abidx == sidx)\n\t\t\t\t\t\t\tfor (int i = 0; i < colors; i++)\n\t\t\t\t\t\t\t\tFORCC cc[i][c] *= tiff_ifd[sidx].dng_levels.analogbalance[i];\n\t\t\t\t\t\tint j;\n\t\t\t\t\t\tFORCC for (int i = 0; i < 3; i++) for (cam_xyz[c][i] = j = 0;\n\t\t\t\t\t\t\tj < colors; j++)\n\t\t\t\t\t\t\tcam_xyz[c][i] +=\n\t\t\t\t\t\t\tcc[c][j] * cm[j][i]; // add AsShotXY later * xyz[i];\n\t\t\t\t\t\tcam_xyz_coeff(cmatrix, cam_xyz);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tbool noFujiDNGCrop = makeIs(LIBRAW_CAMERAMAKER_Fujifilm)\n\t\t\t\t&& (!strcmp(normalized_model, \"S3Pro\")\n\t\t\t\t\t|| !strcmp(normalized_model, \"S5Pro\")\n\t\t\t\t\t|| !strcmp(normalized_model, \"S2Pro\"));\n\n\t\t\tif (!noFujiDNGCrop &&\n\t\t\t\t(imgdata.params.raw_processing_options 
&LIBRAW_PROCESSING_USE_DNG_DEFAULT_CROP))\n\t\t\t{\n\t\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_CROPORIGIN);\n\t\t\t\tint sidx2 = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_CROPSIZE);\n\t\t\t\tif (sidx >= 0 && sidx == sidx2 &&\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.default_crop[2] > 0 &&\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.default_crop[3] > 0)\n\t\t\t\t{\n\t\t\t\t\tint lm = tiff_ifd[sidx].dng_levels.default_crop[0];\n\t\t\t\t\tint lmm = CFAROUND(lm, filters);\n\t\t\t\t\tint tm = tiff_ifd[sidx].dng_levels.default_crop[1];\n\t\t\t\t\tint tmm = CFAROUND(tm, filters);\n\t\t\t\t\tint ww = tiff_ifd[sidx].dng_levels.default_crop[2];\n\t\t\t\t\tint hh = tiff_ifd[sidx].dng_levels.default_crop[3];\n\t\t\t\t\tif (lmm > lm)\n\t\t\t\t\t\tww -= (lmm - lm);\n\t\t\t\t\tif (tmm > tm)\n\t\t\t\t\t\thh -= (tmm - tm);\n\t\t\t\t\tif (left_margin + lm + ww <= raw_width &&\n\t\t\t\t\t\ttop_margin + tm + hh <= raw_height)\n\t\t\t\t\t{\n\t\t\t\t\t\tleft_margin += lmm;\n\t\t\t\t\t\ttop_margin += tmm;\n\t\t\t\t\t\twidth = ww;\n\t\t\t\t\t\theight = hh;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (!(imgdata.color.dng_color[0].parsedfields &\n\t\t\t\tLIBRAW_DNGFM_FORWARDMATRIX)) // Not set already (Leica makernotes)\n\t\t\t{\n\t\t\t\tsidx = IFDCOLORINDEX(iifd, 0, LIBRAW_DNGFM_FORWARDMATRIX);\n\t\t\t\tif (sidx >= 0)\n\t\t\t\t\tCOPYARR(imgdata.color.dng_color[0].forwardmatrix,\n\t\t\t\t\t\ttiff_ifd[sidx].dng_color[0].forwardmatrix);\n\t\t\t}\n\t\t\tif (!(imgdata.color.dng_color[1].parsedfields &\n\t\t\t\tLIBRAW_DNGFM_FORWARDMATRIX)) // Not set already (Leica makernotes)\n\t\t\t{\n\t\t\t\tsidx = IFDCOLORINDEX(iifd, 1, LIBRAW_DNGFM_FORWARDMATRIX);\n\t\t\t\tif (sidx >= 0)\n\t\t\t\t\tCOPYARR(imgdata.color.dng_color[1].forwardmatrix,\n\t\t\t\t\t\ttiff_ifd[sidx].dng_color[1].forwardmatrix);\n\t\t\t}\n\t\t\tfor (int ss = 0; ss < 2; ss++)\n\t\t\t{\n\t\t\t\tsidx = IFDCOLORINDEX(iifd, ss, LIBRAW_DNGFM_COLORMATRIX);\n\t\t\t\tif (sidx >= 
0)\n\t\t\t\t\tCOPYARR(imgdata.color.dng_color[ss].colormatrix,\n\t\t\t\t\t\ttiff_ifd[sidx].dng_color[ss].colormatrix);\n\n\t\t\t\tsidx = IFDCOLORINDEX(iifd, ss, LIBRAW_DNGFM_CALIBRATION);\n\t\t\t\tif (sidx >= 0)\n\t\t\t\t\tCOPYARR(imgdata.color.dng_color[ss].calibration,\n\t\t\t\t\t\ttiff_ifd[sidx].dng_color[ss].calibration);\n\n\t\t\t\tsidx = IFDCOLORINDEX(iifd, ss, LIBRAW_DNGFM_ILLUMINANT);\n\t\t\t\tif (sidx >= 0)\n\t\t\t\t\timgdata.color.dng_color[ss].illuminant =\n\t\t\t\t\ttiff_ifd[sidx].dng_color[ss].illuminant;\n\t\t\t}\n\t\t\t// Levels\n\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_ANALOGBALANCE);\n\t\t\tif (sidx >= 0)\n\t\t\t\tCOPYARR(imgdata.color.dng_levels.analogbalance,\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.analogbalance);\n\n\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_BASELINEEXPOSURE);\n\t\t\tif (sidx >= 0)\n\t\t\t\timgdata.color.dng_levels.baseline_exposure =\n\t\t\t\ttiff_ifd[sidx].dng_levels.baseline_exposure;\n\n\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_WHITE);\n\t\t\tif (sidx >= 0 && tiff_ifd[sidx].dng_levels.dng_whitelevel[0])\n\t\t\t\tCOPYARR(imgdata.color.dng_levels.dng_whitelevel,\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.dng_whitelevel);\n\t\t\telse if (tiff_ifd[iifd].sample_format <= 2 && tiff_ifd[iifd].bps > 0 && tiff_ifd[iifd].bps < 32)\n\t\t\t\tFORC4\n\t\t\t\timgdata.color.dng_levels.dng_whitelevel[c] = (1 << tiff_ifd[iifd].bps) - 1;\n\n\n\n\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_ASSHOTNEUTRAL);\n\t\t\tif (sidx >= 0)\n\t\t\t{\n\t\t\t\tCOPYARR(imgdata.color.dng_levels.asshotneutral,\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.asshotneutral);\n\t\t\t\tif (imgdata.color.dng_levels.asshotneutral[0])\n\t\t\t\t{\n\t\t\t\t\tcam_mul[3] = 0;\n\t\t\t\t\tFORCC\n\t\t\t\t\t\tif (fabs(imgdata.color.dng_levels.asshotneutral[c]) > 0.0001)\n\t\t\t\t\t\t\tcam_mul[c] = 1 / imgdata.color.dng_levels.asshotneutral[c];\n\t\t\t\t}\n\t\t\t}\n\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_BLACK);\n\t\t\tif (sidx >= 
0)\n\t\t\t{\n\t\t\t\timgdata.color.dng_levels.dng_fblack =\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.dng_fblack;\n\t\t\t\timgdata.color.dng_levels.dng_black =\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.dng_black;\n\t\t\t\tCOPYARR(imgdata.color.dng_levels.dng_cblack,\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.dng_cblack);\n\t\t\t\tCOPYARR(imgdata.color.dng_levels.dng_fcblack,\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.dng_fcblack);\n\t\t\t}\n\n\n\t\t\tif (pifd >= 0)\n\t\t\t{\n\t\t\t\tsidx = IFDLEVELINDEX(pifd, LIBRAW_DNGFM_PREVIEWCS);\n\t\t\t\tif (sidx >= 0)\n\t\t\t\t\timgdata.color.dng_levels.preview_colorspace =\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.preview_colorspace;\n\t\t\t}\n\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_OPCODE2);\n\t\t\tif (sidx >= 0)\n\t\t\t\tmeta_offset = tiff_ifd[sidx].opcode2_offset;\n\n\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_LINTABLE);\n\t\t\tINT64 linoff = -1;\n\t\t\tint linlen = 0;\n\t\t\tif (sidx >= 0)\n\t\t\t{\n\t\t\t\tlinoff = tiff_ifd[sidx].lineartable_offset;\n\t\t\t\tlinlen = tiff_ifd[sidx].lineartable_len;\n\t\t\t}\n\n\t\t\tif (linoff >= 0 && linlen > 0)\n\t\t\t{\n\t\t\t\tINT64 pos = ftell(ifp);\n\t\t\t\tfseek(ifp, linoff, SEEK_SET);\n\t\t\t\tlinear_table(linlen);\n\t\t\t\tfseek(ifp, pos, SEEK_SET);\n\t\t\t}\n\t\t\t// Need to add curve too\n\t\t}\n\t\t/* Copy DNG black level to LibRaw's */\n\t\tif (load_raw == &LibRaw::lossy_dng_load_raw)\n\t\t{\n\t\t\tmaximum = 0xffff;\n\t\t\tFORC4 imgdata.color.linear_max[c] = imgdata.color.dng_levels.dng_whitelevel[c] = 0xffff;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tmaximum = imgdata.color.dng_levels.dng_whitelevel[0];\n\t\t}\n\t\tblack = imgdata.color.dng_levels.dng_black;\n\n\t\tif (tiff_samples == 2 && imgdata.color.dng_levels.dng_cblack[4] * imgdata.color.dng_levels.dng_cblack[5] * tiff_samples\n\t\t\t== imgdata.color.dng_levels.dng_cblack[LIBRAW_CBLACK_SIZE - 1])\n\t\t{\n\t\t\tunsigned ff = filters;\n\t\t\tif (filters > 999 && colors == 3)\n\t\t\t\tfilters |= ((filters >> 2 & 0x22222222) | (filters << 2 & 
0x88888888)) &\n\t\t\t\tfilters << 1;\n\n\t\t\t/* Special case, Fuji SuperCCD dng */\n\t\t\tint csum[4] = { 0,0,0,0 }, ccount[4] = { 0,0,0,0 };\n\t\t\tint i = 6 + shot_select;\n\t\t\tfor (unsigned row = 0; row < imgdata.color.dng_levels.dng_cblack[4]; row++)\n\t\t\t\tfor (unsigned col = 0; col < imgdata.color.dng_levels.dng_cblack[5]; col++)\n\t\t\t\t{\n\t\t\t\t\tcsum[FC(row, col)] += imgdata.color.dng_levels.dng_cblack[i];\n\t\t\t\t\tccount[FC(row, col)]++;\n\t\t\t\t\ti += tiff_samples;\n\t\t\t\t}\n\t\t\tfor (int c = 0; c < 4; c++)\n\t\t\t\tif (ccount[c])\n\t\t\t\t\timgdata.color.dng_levels.dng_cblack[c] += csum[c] / ccount[c];\n\t\t\timgdata.color.dng_levels.dng_cblack[4] = imgdata.color.dng_levels.dng_cblack[5] = 0;\n\t\t\tfilters = ff;\n\t\t}\n\t\telse if (tiff_samples > 2 && tiff_samples <= 4 && imgdata.color.dng_levels.dng_cblack[4] * imgdata.color.dng_levels.dng_cblack[5] * tiff_samples\n\t\t\t== imgdata.color.dng_levels.dng_cblack[LIBRAW_CBLACK_SIZE - 1])\n\t\t{\n\t\t\t/* Special case, per_channel blacks in RepeatDim, average for per-channel */\n\t\t\tint csum[4] = { 0,0,0,0 }, ccount[4] = { 0,0,0,0 };\n\t\t\tint i = 6;\n\t\t\tfor (unsigned row = 0; row < imgdata.color.dng_levels.dng_cblack[4]; row++)\n\t\t\t\tfor (unsigned col = 0; col < imgdata.color.dng_levels.dng_cblack[5]; col++)\n\t\t\t\t\tfor (unsigned c = 0; c < tiff_samples; c++)\n\t\t\t\t\t{\n\t\t\t\t\t\tcsum[c] += imgdata.color.dng_levels.dng_cblack[i];\n\t\t\t\t\t\tccount[c]++;\n\t\t\t\t\t\ti++;\n\t\t\t\t\t}\n\t\t\tfor (int c = 0; c < 4; c++)\n\t\t\t\tif (ccount[c])\n\t\t\t\t\timgdata.color.dng_levels.dng_cblack[c] += csum[c] / ccount[c];\n\t\t\timgdata.color.dng_levels.dng_cblack[4] = imgdata.color.dng_levels.dng_cblack[5] = 0;\n\t\t}\n\n\t\tmemmove(cblack, imgdata.color.dng_levels.dng_cblack, sizeof(cblack));\n\n\t\tif (iifd < (int)tiff_nifds && iifd >= 0)\n\t\t{\n\t\t\tint sidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_LINEARRESPONSELIMIT);\n\t\t\tif (sidx >= 
0)\n\t\t\t{\n\t\t\t\timgdata.color.dng_levels.LinearResponseLimit =\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.LinearResponseLimit;\n\t\t\t\tif (imgdata.color.dng_levels.LinearResponseLimit > 0.1 &&\n\t\t\t\t\timgdata.color.dng_levels.LinearResponseLimit <= 1.0)\n\t\t\t\t{\n\t\t\t\t\t// And approx promote it to linear_max:\n\t\t\t\t\tint bl4 = 0, bl64 = 0;\n\t\t\t\t\tfor (int chan = 0; chan < colors && chan < 4; chan++)\n\t\t\t\t\t\tbl4 += cblack[chan];\n\t\t\t\t\tbl4 /= LIM(colors, 1, 4);\n\n\t\t\t\t\tif (cblack[4] * cblack[5] > 0)\n\t\t\t\t\t{\n\t\t\t\t\t\tunsigned cnt = 0;\n\t\t\t\t\t\tfor (unsigned c = 0; c < 4096 && c < cblack[4] * cblack[5]; c++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tbl64 += cblack[c + 6];\n\t\t\t\t\t\t\tcnt++;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbl64 /= LIM(cnt, 1, 4096);\n\t\t\t\t\t}\n\t\t\t\t\tint rblack = black + bl4 + bl64;\n\t\t\t\t\tfor (int chan = 0; chan < colors && chan < 4; chan++)\n\t\t\t\t\t\timgdata.color.linear_max[chan] =\n\t\t\t\t\t\t(maximum - rblack) *\n\t\t\t\t\t\timgdata.color.dng_levels.LinearResponseLimit +\n\t\t\t\t\t\trblack;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}", "project": "LibRaw", "hash": 208600525321410359156531031353922710019, "size": 344, "commit_id": "4feaed4dea636cee4fee010f615881ccf76a096d", "message": "limit loops to MIN(colors,4) in dng fields parser", "target": 1, "dataset": "other", "idx": 214990 }, { "func": "void LibRaw::identify_process_dng_fields()\n{\n\tif (!dng_version) return;\n\tint c;\n\t{\n\t\t/* copy DNG data from per-IFD field to color.dng */\n\t\tint iifd = find_ifd_by_offset(data_offset);\n\t\tint pifd = find_ifd_by_offset(thumb_offset);\n\n#define CFAROUND(value, filters) \\\n filters ? (filters >= 1000 ? ((value + 1) / 2) * 2 : ((value + 5) / 6) * 6) \\\n : value\n\n#define IFDCOLORINDEX(ifd, subset, bit) \\\n (tiff_ifd[ifd].dng_color[subset].parsedfields & bit) \\\n ? ifd \\\n : ((tiff_ifd[0].dng_color[subset].parsedfields & bit) ? 
0 : -1)\n\n#define IFDLEVELINDEX(ifd, bit) \\\n (tiff_ifd[ifd].dng_levels.parsedfields & bit) \\\n ? ifd \\\n : ((tiff_ifd[0].dng_levels.parsedfields & bit) ? 0 : -1)\n\n#define COPYARR(to, from) memmove(&to, &from, sizeof(from))\n\n\t\tif (iifd < (int)tiff_nifds && iifd >= 0)\n\t\t{\n\t\t\tint sidx;\n\t\t\t// Per field, not per structure\n\t\t\tif (!(imgdata.params.raw_processing_options &\n\t\t\t\tLIBRAW_PROCESSING_DONT_CHECK_DNG_ILLUMINANT))\n\t\t\t{\n\t\t\t\tint illidx[2], cmidx[2], calidx[2], abidx;\n\t\t\t\tfor (int i = 0; i < 2; i++)\n\t\t\t\t{\n\t\t\t\t\tillidx[i] = IFDCOLORINDEX(iifd, i, LIBRAW_DNGFM_ILLUMINANT);\n\t\t\t\t\tcmidx[i] = IFDCOLORINDEX(iifd, i, LIBRAW_DNGFM_COLORMATRIX);\n\t\t\t\t\tcalidx[i] = IFDCOLORINDEX(iifd, i, LIBRAW_DNGFM_CALIBRATION);\n\t\t\t\t}\n\t\t\t\tabidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_ANALOGBALANCE);\n\t\t\t\t// Data found, all in same ifd, illuminants are inited\n\t\t\t\tif (illidx[0] >= 0 && illidx[0] < (int)tiff_nifds &&\n\t\t\t\t\tillidx[0] == illidx[1] && illidx[0] == cmidx[0] &&\n\t\t\t\t\tillidx[0] == cmidx[1] &&\n\t\t\t\t\ttiff_ifd[illidx[0]].dng_color[0].illuminant > 0 &&\n\t\t\t\t\ttiff_ifd[illidx[0]].dng_color[1].illuminant > 0)\n\t\t\t\t{\n\t\t\t\t\tsidx = illidx[0]; // => selected IFD\n\t\t\t\t\tdouble cc[4][4], cm[4][3], cam_xyz[4][3];\n\t\t\t\t\t// CM -> Color Matrix\n\t\t\t\t\t// CC -> Camera calibration\n\t\t\t\t\tfor (int j = 0; j < 4; j++)\n\t\t\t\t\t\tfor (int i = 0; i < 4; i++)\n\t\t\t\t\t\t\tcc[j][i] = i == j;\n\t\t\t\t\tint colidx = -1;\n\n\t\t\t\t\t// IS D65 here?\n\t\t\t\t\tfor (int i = 0; i < 2; i++)\n\t\t\t\t\t{\n\t\t\t\t\t\tif (tiff_ifd[sidx].dng_color[i].illuminant == LIBRAW_WBI_D65)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tcolidx = i;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\t// Other daylight-type ill\n\t\t\t\t\tif (colidx < 0)\n\t\t\t\t\t\tfor (int i = 0; i < 2; i++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tint ill = tiff_ifd[sidx].dng_color[i].illuminant;\n\t\t\t\t\t\t\tif (ill == 
LIBRAW_WBI_Daylight || ill == LIBRAW_WBI_D55 ||\n\t\t\t\t\t\t\t\till == LIBRAW_WBI_D75 || ill == LIBRAW_WBI_D50 ||\n\t\t\t\t\t\t\t\till == LIBRAW_WBI_Flash)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tcolidx = i;\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\tif (colidx >= 0) // Selected\n\t\t\t\t\t{\n\t\t\t\t\t\t// Init camera matrix from DNG\n\t\t\t\t\t\tFORCC for (int j = 0; j < 3; j++) cm[c][j] =\n\t\t\t\t\t\t\ttiff_ifd[sidx].dng_color[colidx].colormatrix[c][j];\n\n\t\t\t\t\t\tif (calidx[colidx] == sidx)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tfor (int i = 0; i < colors && i < 4; i++)\n\t\t\t\t\t\t\t\tFORCC\n\t\t\t\t\t\t\t\tcc[i][c] = tiff_ifd[sidx].dng_color[colidx].calibration[i][c];\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif (abidx == sidx)\n\t\t\t\t\t\t\tfor (int i = 0; i < colors && i < 4; i++)\n\t\t\t\t\t\t\t\tFORCC cc[i][c] *= tiff_ifd[sidx].dng_levels.analogbalance[i];\n\t\t\t\t\t\tint j;\n\t\t\t\t\t\tFORCC for (int i = 0; i < 3; i++) \n for (cam_xyz[c][i] = j = 0; j < colors && j < 4; j++)\n\t\t\t\t\t\t\t cam_xyz[c][i] +=\n\t\t\t\t\t\t\t cc[c][j] * cm[j][i]; // add AsShotXY later * xyz[i];\n\t\t\t\t\t\tcam_xyz_coeff(cmatrix, cam_xyz);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tbool noFujiDNGCrop = makeIs(LIBRAW_CAMERAMAKER_Fujifilm)\n\t\t\t\t&& (!strcmp(normalized_model, \"S3Pro\")\n\t\t\t\t\t|| !strcmp(normalized_model, \"S5Pro\")\n\t\t\t\t\t|| !strcmp(normalized_model, \"S2Pro\"));\n\n\t\t\tif (!noFujiDNGCrop &&\n\t\t\t\t(imgdata.params.raw_processing_options &LIBRAW_PROCESSING_USE_DNG_DEFAULT_CROP))\n\t\t\t{\n\t\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_CROPORIGIN);\n\t\t\t\tint sidx2 = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_CROPSIZE);\n\t\t\t\tif (sidx >= 0 && sidx == sidx2 &&\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.default_crop[2] > 0 &&\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.default_crop[3] > 0)\n\t\t\t\t{\n\t\t\t\t\tint lm = tiff_ifd[sidx].dng_levels.default_crop[0];\n\t\t\t\t\tint lmm = CFAROUND(lm, filters);\n\t\t\t\t\tint tm = 
tiff_ifd[sidx].dng_levels.default_crop[1];\n\t\t\t\t\tint tmm = CFAROUND(tm, filters);\n\t\t\t\t\tint ww = tiff_ifd[sidx].dng_levels.default_crop[2];\n\t\t\t\t\tint hh = tiff_ifd[sidx].dng_levels.default_crop[3];\n\t\t\t\t\tif (lmm > lm)\n\t\t\t\t\t\tww -= (lmm - lm);\n\t\t\t\t\tif (tmm > tm)\n\t\t\t\t\t\thh -= (tmm - tm);\n\t\t\t\t\tif (left_margin + lm + ww <= raw_width &&\n\t\t\t\t\t\ttop_margin + tm + hh <= raw_height)\n\t\t\t\t\t{\n\t\t\t\t\t\tleft_margin += lmm;\n\t\t\t\t\t\ttop_margin += tmm;\n\t\t\t\t\t\twidth = ww;\n\t\t\t\t\t\theight = hh;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (!(imgdata.color.dng_color[0].parsedfields &\n\t\t\t\tLIBRAW_DNGFM_FORWARDMATRIX)) // Not set already (Leica makernotes)\n\t\t\t{\n\t\t\t\tsidx = IFDCOLORINDEX(iifd, 0, LIBRAW_DNGFM_FORWARDMATRIX);\n\t\t\t\tif (sidx >= 0)\n\t\t\t\t\tCOPYARR(imgdata.color.dng_color[0].forwardmatrix,\n\t\t\t\t\t\ttiff_ifd[sidx].dng_color[0].forwardmatrix);\n\t\t\t}\n\t\t\tif (!(imgdata.color.dng_color[1].parsedfields &\n\t\t\t\tLIBRAW_DNGFM_FORWARDMATRIX)) // Not set already (Leica makernotes)\n\t\t\t{\n\t\t\t\tsidx = IFDCOLORINDEX(iifd, 1, LIBRAW_DNGFM_FORWARDMATRIX);\n\t\t\t\tif (sidx >= 0)\n\t\t\t\t\tCOPYARR(imgdata.color.dng_color[1].forwardmatrix,\n\t\t\t\t\t\ttiff_ifd[sidx].dng_color[1].forwardmatrix);\n\t\t\t}\n\t\t\tfor (int ss = 0; ss < 2; ss++)\n\t\t\t{\n\t\t\t\tsidx = IFDCOLORINDEX(iifd, ss, LIBRAW_DNGFM_COLORMATRIX);\n\t\t\t\tif (sidx >= 0)\n\t\t\t\t\tCOPYARR(imgdata.color.dng_color[ss].colormatrix,\n\t\t\t\t\t\ttiff_ifd[sidx].dng_color[ss].colormatrix);\n\n\t\t\t\tsidx = IFDCOLORINDEX(iifd, ss, LIBRAW_DNGFM_CALIBRATION);\n\t\t\t\tif (sidx >= 0)\n\t\t\t\t\tCOPYARR(imgdata.color.dng_color[ss].calibration,\n\t\t\t\t\t\ttiff_ifd[sidx].dng_color[ss].calibration);\n\n\t\t\t\tsidx = IFDCOLORINDEX(iifd, ss, LIBRAW_DNGFM_ILLUMINANT);\n\t\t\t\tif (sidx >= 0)\n\t\t\t\t\timgdata.color.dng_color[ss].illuminant =\n\t\t\t\t\ttiff_ifd[sidx].dng_color[ss].illuminant;\n\t\t\t}\n\t\t\t// 
Levels\n\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_ANALOGBALANCE);\n\t\t\tif (sidx >= 0)\n\t\t\t\tCOPYARR(imgdata.color.dng_levels.analogbalance,\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.analogbalance);\n\n\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_BASELINEEXPOSURE);\n\t\t\tif (sidx >= 0)\n\t\t\t\timgdata.color.dng_levels.baseline_exposure =\n\t\t\t\ttiff_ifd[sidx].dng_levels.baseline_exposure;\n\n\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_WHITE);\n\t\t\tif (sidx >= 0 && tiff_ifd[sidx].dng_levels.dng_whitelevel[0])\n\t\t\t\tCOPYARR(imgdata.color.dng_levels.dng_whitelevel,\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.dng_whitelevel);\n\t\t\telse if (tiff_ifd[iifd].sample_format <= 2 && tiff_ifd[iifd].bps > 0 && tiff_ifd[iifd].bps < 32)\n\t\t\t\tFORC4\n\t\t\t\timgdata.color.dng_levels.dng_whitelevel[c] = (1 << tiff_ifd[iifd].bps) - 1;\n\n\n\n\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_ASSHOTNEUTRAL);\n\t\t\tif (sidx >= 0)\n\t\t\t{\n\t\t\t\tCOPYARR(imgdata.color.dng_levels.asshotneutral,\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.asshotneutral);\n\t\t\t\tif (imgdata.color.dng_levels.asshotneutral[0])\n\t\t\t\t{\n\t\t\t\t\tcam_mul[3] = 0;\n\t\t\t\t\tFORCC\n\t\t\t\t\t\tif (fabs(imgdata.color.dng_levels.asshotneutral[c]) > 0.0001)\n\t\t\t\t\t\t\tcam_mul[c] = 1 / imgdata.color.dng_levels.asshotneutral[c];\n\t\t\t\t}\n\t\t\t}\n\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_BLACK);\n\t\t\tif (sidx >= 0)\n\t\t\t{\n\t\t\t\timgdata.color.dng_levels.dng_fblack =\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.dng_fblack;\n\t\t\t\timgdata.color.dng_levels.dng_black =\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.dng_black;\n\t\t\t\tCOPYARR(imgdata.color.dng_levels.dng_cblack,\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.dng_cblack);\n\t\t\t\tCOPYARR(imgdata.color.dng_levels.dng_fcblack,\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.dng_fcblack);\n\t\t\t}\n\n\n\t\t\tif (pifd >= 0)\n\t\t\t{\n\t\t\t\tsidx = IFDLEVELINDEX(pifd, LIBRAW_DNGFM_PREVIEWCS);\n\t\t\t\tif (sidx >= 
0)\n\t\t\t\t\timgdata.color.dng_levels.preview_colorspace =\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.preview_colorspace;\n\t\t\t}\n\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_OPCODE2);\n\t\t\tif (sidx >= 0)\n\t\t\t\tmeta_offset = tiff_ifd[sidx].opcode2_offset;\n\n\t\t\tsidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_LINTABLE);\n\t\t\tINT64 linoff = -1;\n\t\t\tint linlen = 0;\n\t\t\tif (sidx >= 0)\n\t\t\t{\n\t\t\t\tlinoff = tiff_ifd[sidx].lineartable_offset;\n\t\t\t\tlinlen = tiff_ifd[sidx].lineartable_len;\n\t\t\t}\n\n\t\t\tif (linoff >= 0 && linlen > 0)\n\t\t\t{\n\t\t\t\tINT64 pos = ftell(ifp);\n\t\t\t\tfseek(ifp, linoff, SEEK_SET);\n\t\t\t\tlinear_table(linlen);\n\t\t\t\tfseek(ifp, pos, SEEK_SET);\n\t\t\t}\n\t\t\t// Need to add curve too\n\t\t}\n\t\t/* Copy DNG black level to LibRaw's */\n\t\tif (load_raw == &LibRaw::lossy_dng_load_raw)\n\t\t{\n\t\t\tmaximum = 0xffff;\n\t\t\tFORC4 imgdata.color.linear_max[c] = imgdata.color.dng_levels.dng_whitelevel[c] = 0xffff;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tmaximum = imgdata.color.dng_levels.dng_whitelevel[0];\n\t\t}\n\t\tblack = imgdata.color.dng_levels.dng_black;\n\n\t\tif (tiff_samples == 2 && imgdata.color.dng_levels.dng_cblack[4] * imgdata.color.dng_levels.dng_cblack[5] * tiff_samples\n\t\t\t== imgdata.color.dng_levels.dng_cblack[LIBRAW_CBLACK_SIZE - 1])\n\t\t{\n\t\t\tunsigned ff = filters;\n\t\t\tif (filters > 999 && colors == 3)\n\t\t\t\tfilters |= ((filters >> 2 & 0x22222222) | (filters << 2 & 0x88888888)) &\n\t\t\t\tfilters << 1;\n\n\t\t\t/* Special case, Fuji SuperCCD dng */\n\t\t\tint csum[4] = { 0,0,0,0 }, ccount[4] = { 0,0,0,0 };\n\t\t\tint i = 6 + shot_select;\n\t\t\tfor (unsigned row = 0; row < imgdata.color.dng_levels.dng_cblack[4]; row++)\n\t\t\t\tfor (unsigned col = 0; col < imgdata.color.dng_levels.dng_cblack[5]; col++)\n\t\t\t\t{\n\t\t\t\t\tcsum[FC(row, col)] += imgdata.color.dng_levels.dng_cblack[i];\n\t\t\t\t\tccount[FC(row, col)]++;\n\t\t\t\t\ti += tiff_samples;\n\t\t\t\t}\n\t\t\tfor (int c = 0; c < 4; 
c++)\n\t\t\t\tif (ccount[c])\n\t\t\t\t\timgdata.color.dng_levels.dng_cblack[c] += csum[c] / ccount[c];\n\t\t\timgdata.color.dng_levels.dng_cblack[4] = imgdata.color.dng_levels.dng_cblack[5] = 0;\n\t\t\tfilters = ff;\n\t\t}\n\t\telse if (tiff_samples > 2 && tiff_samples <= 4 && imgdata.color.dng_levels.dng_cblack[4] * imgdata.color.dng_levels.dng_cblack[5] * tiff_samples\n\t\t\t== imgdata.color.dng_levels.dng_cblack[LIBRAW_CBLACK_SIZE - 1])\n\t\t{\n\t\t\t/* Special case, per_channel blacks in RepeatDim, average for per-channel */\n\t\t\tint csum[4] = { 0,0,0,0 }, ccount[4] = { 0,0,0,0 };\n\t\t\tint i = 6;\n\t\t\tfor (unsigned row = 0; row < imgdata.color.dng_levels.dng_cblack[4]; row++)\n\t\t\t\tfor (unsigned col = 0; col < imgdata.color.dng_levels.dng_cblack[5]; col++)\n\t\t\t\t\tfor (unsigned c = 0; c < tiff_samples && c < 4; c++)\n\t\t\t\t\t{\n\t\t\t\t\t\tcsum[c] += imgdata.color.dng_levels.dng_cblack[i];\n\t\t\t\t\t\tccount[c]++;\n\t\t\t\t\t\ti++;\n\t\t\t\t\t}\n\t\t\tfor (int c = 0; c < 4; c++)\n\t\t\t\tif (ccount[c])\n\t\t\t\t\timgdata.color.dng_levels.dng_cblack[c] += csum[c] / ccount[c];\n\t\t\timgdata.color.dng_levels.dng_cblack[4] = imgdata.color.dng_levels.dng_cblack[5] = 0;\n\t\t}\n\n\t\tmemmove(cblack, imgdata.color.dng_levels.dng_cblack, sizeof(cblack));\n\n\t\tif (iifd < (int)tiff_nifds && iifd >= 0)\n\t\t{\n\t\t\tint sidx = IFDLEVELINDEX(iifd, LIBRAW_DNGFM_LINEARRESPONSELIMIT);\n\t\t\tif (sidx >= 0)\n\t\t\t{\n\t\t\t\timgdata.color.dng_levels.LinearResponseLimit =\n\t\t\t\t\ttiff_ifd[sidx].dng_levels.LinearResponseLimit;\n\t\t\t\tif (imgdata.color.dng_levels.LinearResponseLimit > 0.1 &&\n\t\t\t\t\timgdata.color.dng_levels.LinearResponseLimit <= 1.0)\n\t\t\t\t{\n\t\t\t\t\t// And approx promote it to linear_max:\n\t\t\t\t\tint bl4 = 0, bl64 = 0;\n\t\t\t\t\tfor (int chan = 0; chan < colors && chan < 4; chan++)\n\t\t\t\t\t\tbl4 += cblack[chan];\n\t\t\t\t\tbl4 /= LIM(colors, 1, 4);\n\n\t\t\t\t\tif (cblack[4] * cblack[5] > 
0)\n\t\t\t\t\t{\n\t\t\t\t\t\tunsigned cnt = 0;\n\t\t\t\t\t\tfor (unsigned c = 0; c < 4096 && c < cblack[4] * cblack[5]; c++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tbl64 += cblack[c + 6];\n\t\t\t\t\t\t\tcnt++;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbl64 /= LIM(cnt, 1, 4096);\n\t\t\t\t\t}\n\t\t\t\t\tint rblack = black + bl4 + bl64;\n\t\t\t\t\tfor (int chan = 0; chan < colors && chan < 4; chan++)\n\t\t\t\t\t\timgdata.color.linear_max[chan] =\n\t\t\t\t\t\t(maximum - rblack) *\n\t\t\t\t\t\timgdata.color.dng_levels.LinearResponseLimit +\n\t\t\t\t\t\trblack;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}", "project": "LibRaw", "hash": 37186369853422378844569840658555284518, "size": 344, "commit_id": "4feaed4dea636cee4fee010f615881ccf76a096d", "message": "limit loops to MIN(colors,4) in dng fields parser", "target": 0, "dataset": "other", "idx": 482359 }, { "func": "static int ctnetlink_dump_tuples_ip(struct sk_buff *skb,\n\t\t\t\t const struct nf_conntrack_tuple *tuple)\n{\n\tint ret = 0;\n\tstruct nlattr *nest_parms;\n\n\tnest_parms = nla_nest_start(skb, CTA_TUPLE_IP);\n\tif (!nest_parms)\n\t\tgoto nla_put_failure;\n\n\tswitch (tuple->src.l3num) {\n\tcase NFPROTO_IPV4:\n\t\tret = ipv4_tuple_to_nlattr(skb, tuple);\n\t\tbreak;\n\tcase NFPROTO_IPV6:\n\t\tret = ipv6_tuple_to_nlattr(skb, tuple);\n\t\tbreak;\n\t}\n\n\tnla_nest_end(skb, nest_parms);\n\n\treturn ret;\n\nnla_put_failure:\n\treturn -1;\n}", "project": "linux", "hash": 76939280148328285504642034583660631402, "size": 26, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. 
Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394183 }, { "func": "static __always_inline void maybe_wipe_obj_freeptr(struct kmem_cache *s,\n\t\t\t\t\t\t void *obj)\n{\n\tif (unlikely(slab_want_init_on_free(s)) && obj)\n\t\tmemset((void *)((char *)obj + s->offset), 0, sizeof(void *));\n}", "project": "linux", "hash": 263565247291370816592839180826040647054, "size": 6, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and 
repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280062 }, { "func": "static void cdeque_front_fast(struct cdeque* d, void** value) {\n\t*value = (void*) d->arr[d->beg_pos];\n}", "project": "libarchive", "hash": 37740196436426915713110210586701593070, "size": 3, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244772 }, { "func": "int tracer_tracing_is_on(struct trace_array *tr)\n{\n\tif (tr->trace_buffer.buffer)\n\t\treturn ring_buffer_record_is_on(tr->trace_buffer.buffer);\n\treturn !tr->buffer_disabled;\n}", "project": "linux", "hash": 321270736436360697152835575543005978920, "size": 6, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them 
are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445774 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::addAutomaticPullNode(AudioNode* node)\n{\n ASSERT(isGraphOwner());\n\n if (!m_automaticPullNodes.contains(node)) {\n m_automaticPullNodes.add(node);\n m_automaticPullNodesNeedUpdating = true;\n }\n}\n", "cwe": "", "big_vul_idx": 139620, "idx": 124772, "hash": 149918817481603042947381093647580575353 }, { "func": "static void tcp_mtup_probe_failed(struct sock *sk)\n{\n\tstruct inet_connection_sock *icsk = inet_csk(sk);\n\n\ticsk->icsk_mtup.search_high = icsk->icsk_mtup.probe_size - 1;\n\ticsk->icsk_mtup.probe_size = 0;\n}", "project": "net-next", "hash": 130311609847299809758162590836388998919, "size": 7, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409922 }, { "func": "void scale_and_mark_rect(int X1, int Y1, int X2, int Y2, int mark) {\n\tchar *dst_fb, *src_fb = main_fb;\n\tint dst_bpl, Bpp = bpp/8, fac = 1;\n\n\tif (!screen || !rfb_fb || !main_fb) {\n\t\treturn;\n\t}\n\tif (! screen->serverFormat.trueColour) {\n\t\t/*\n\t\t * PseudoColor colormap... 
blending leads to random colors.\n\t\t * User can override with \":fb\"\n\t\t */\n\t\tif (scaling_blend == 1) {\n\t\t\t/* :fb option sets it to 2 */\n\t\t\tif (default_visual->class == StaticGray) {\n\t\t\t\t/*\n\t\t\t\t * StaticGray can be blended OK, otherwise\n\t\t\t\t * user can disable with :nb\n\t\t\t\t */\n\t\t\t\t;\n\t\t\t} else {\n\t\t\t\tscaling_blend = 0;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (cmap8to24 && cmap8to24_fb) {\n\t\tsrc_fb = cmap8to24_fb;\n\t\tif (scaling) {\n\t\t\tif (depth <= 8) {\n\t\t\t\tfac = 4;\n\t\t\t} else if (depth <= 16) {\n\t\t\t\tfac = 2;\n\t\t\t}\n\t\t}\n\t}\n\tdst_fb = rfb_fb;\n\tdst_bpl = rfb_bytes_per_line;\n\n\tscale_rect(scale_fac_x, scale_fac_y, scaling_blend, scaling_interpolate, fac * Bpp,\n\t src_fb, fac * main_bytes_per_line, dst_fb, dst_bpl, dpy_x, dpy_y,\n\t scaled_x, scaled_y, X1, Y1, X2, Y2, mark);\n}", "project": "x11vnc", "hash": 99348845391182345840930527493143325667, "size": 43, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360754 }, { "func": "static int SFDGetBitmapFont(FILE *sfd,SplineFont *sf,int fromdir,char *dirname) {\n BDFFont *bdf, *prev;\n char tok[2000];\n int pixelsize, ascent, descent, depth=1;\n int ch, enccount;\n\n if ( getint(sfd,&pixelsize)!=1 || pixelsize<=0 )\nreturn( 0 );\n if ( getint(sfd,&enccount)!=1 || enccount<0 )\nreturn( 0 );\n if ( getint(sfd,&ascent)!=1 || ascent<0 )\nreturn( 0 );\n if ( getint(sfd,&descent)!=1 || descent<0 )\nreturn( 0 );\n if ( getint(sfd,&depth)!=1 )\n\tdepth = 1;\t/* old sfds don't have a depth here */\n else if ( depth!=1 && depth!=2 && depth!=4 && depth!=8 )\nreturn( 0 );\n while ( (ch = nlgetc(sfd))==' ' );\n ungetc(ch,sfd);\t\t/* old sfds don't have a foundry */\n\n bdf = calloc(1,sizeof(BDFFont));\n if (bdf == NULL)\n return 0;\n\n if ( ch!='\\n' && ch!='\\r' ) {\n\tgetname(sfd,tok);\n\tbdf->foundry = copy(tok);\n }\n bdf->pixelsize = 
pixelsize;\n bdf->ascent = ascent;\n bdf->descent = descent;\n if ( depth!=1 )\n\tBDFClut(bdf,(1<<(depth/2)));\n\n if ( sf->bitmaps==NULL )\n\tsf->bitmaps = bdf;\n else {\n\tfor ( prev=sf->bitmaps; prev->next!=NULL; prev=prev->next );\n\tprev->next = bdf;\n }\n bdf->sf = sf;\n bdf->glyphcnt = bdf->glyphmax = sf->glyphcnt;\n bdf->glyphs = calloc(bdf->glyphcnt,sizeof(BDFChar *));\n\n while ( getname(sfd,tok)==1 ) {\n\tif ( strcmp(tok,\"BDFStartProperties:\")==0 )\n\t SFDGetBitmapProps(sfd,bdf,tok);\n\telse if ( strcmp(tok,\"BDFEndProperties\")==0 )\n\t /* Do Nothing */;\n\telse if ( strcmp(tok,\"Resolution:\")==0 )\n\t getint(sfd,&bdf->res);\n\telse if ( strcmp(tok,\"BDFChar:\")==0 )\n\t SFDGetBitmapChar(sfd,bdf);\n\telse if ( strcmp(tok,\"BDFRefChar:\")==0 )\n\t SFDGetBitmapReference(sfd,bdf);\n\telse if ( strcmp(tok,\"EndBitmapFont\")==0 )\n break;\n }\n if ( fromdir ) {\n\tDIR *dir;\n\tstruct dirent *ent;\n\tchar *name;\n\n\tdir = opendir(dirname);\n\tif ( dir==NULL )\nreturn( 0 );\n\tname = malloc(strlen(dirname)+NAME_MAX+3);\n\n\twhile ( (ent=readdir(dir))!=NULL ) {\n\t char *pt = strrchr(ent->d_name,EXT_CHAR);\n\t if ( pt==NULL )\n\t\t/* Nothing interesting */;\n\t else if ( strcmp(pt,BITMAP_EXT)==0 ) {\n\t\tFILE *gsfd;\n\t\tsprintf(name,\"%s/%s\", dirname, ent->d_name);\n\t\tgsfd = fopen(name,\"r\");\n\t\tif ( gsfd!=NULL ) {\n\t\t if ( getname(gsfd,tok) && strcmp(tok,\"BDFChar:\")==0)\n\t\t\tSFDGetBitmapChar(gsfd,bdf);\n\t\t fclose(gsfd);\n\t\t ff_progress_next();\n\t\t}\n\t }\n\t}\n\tfree(name);\n\tclosedir(dir);\n }\n SFDFixupBitmapRefs( bdf );\nreturn( 1 );\n}", "project": "fontforge", "hash": 147787445983825389234502792477711476972, "size": 91, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname 
string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417921 }, { "func": "static void php_openssl_add_assoc_name_entry(zval * val, char * key, X509_NAME * name, int shortname) /* {{{ */\n{\n\tzval *data;\n\tzval subitem, tmp;\n\tint i;\n\tchar *sname;\n\tint nid;\n\tX509_NAME_ENTRY * ne;\n\tASN1_STRING * str = NULL;\n\tASN1_OBJECT * obj;\n\n\tif (key != NULL) {\n\t\tarray_init(&subitem);\n\t} else {\n\t\tZVAL_COPY_VALUE(&subitem, val);\n\t}\n\n\tfor (i = 0; i < X509_NAME_entry_count(name); i++) {\n\t\tconst unsigned char *to_add = NULL;\n\t\tint to_add_len = 0;\n\t\tunsigned char *to_add_buf = NULL;\n\n\t\tne = X509_NAME_get_entry(name, i);\n\t\tobj = X509_NAME_ENTRY_get_object(ne);\n\t\tnid = OBJ_obj2nid(obj);\n\n\t\tif (shortname) {\n\t\t\tsname = (char *) OBJ_nid2sn(nid);\n\t\t} else {\n\t\t\tsname = (char *) OBJ_nid2ln(nid);\n\t\t}\n\n\t\tstr = X509_NAME_ENTRY_get_data(ne);\n\t\tif (ASN1_STRING_type(str) != V_ASN1_UTF8STRING) {\n\t\t\t/* ASN1_STRING_to_UTF8(3): The converted data is copied into a newly allocated buffer */\n\t\t\tto_add_len = ASN1_STRING_to_UTF8(&to_add_buf, str);\n\t\t\tto_add = to_add_buf;\n\t\t} else {\n\t\t\t/* ASN1_STRING_get0_data(3): Since this is an internal pointer it should not be freed or modified in any way */\n\t\t\tto_add = ASN1_STRING_get0_data(str);\n\t\t\tto_add_len = ASN1_STRING_length(str);\n\t\t}\n\n\t\tif (to_add_len != -1) {\n\t\t\tif ((data = zend_hash_str_find(Z_ARRVAL(subitem), sname, strlen(sname))) != NULL) {\n\t\t\t\tif (Z_TYPE_P(data) == IS_ARRAY) {\n\t\t\t\t\tadd_next_index_stringl(data, (const char *)to_add, to_add_len);\n\t\t\t\t} else if (Z_TYPE_P(data) == IS_STRING) {\n\t\t\t\t\tarray_init(&tmp);\n\t\t\t\t\tadd_next_index_str(&tmp, zend_string_copy(Z_STR_P(data)));\n\t\t\t\t\tadd_next_index_stringl(&tmp, (const char *)to_add, to_add_len);\n\t\t\t\t\tzend_hash_str_update(Z_ARRVAL(subitem), sname, 
strlen(sname), &tmp);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t/* it might be better to expand it and pass zval from ZVAL_STRING\n\t\t\t\t * to zend_symtable_str_update so we do not silently drop const\n\t\t\t\t * but we need a test to cover this part first */\n\t\t\t\tadd_assoc_stringl(&subitem, sname, (char *)to_add, to_add_len);\n\t\t\t}\n\t\t} else {\n\t\t\tphp_openssl_store_errors();\n\t\t}\n\n\t\tif (to_add_buf != NULL) {\n\t\t\tOPENSSL_free(to_add_buf);\n\t\t}\n\t}\n\n\tif (key != NULL) {\n\t\tzend_hash_str_update(Z_ARRVAL_P(val), key, strlen(key), &subitem);\n\t}\n}", "project": "php-src", "hash": 107180705367285772441286032142715632469, "size": 72, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291382 }, { "func": "static int sctp_getsockopt_maxseg(struct sock *sk, int len,\n\t\t\t\t char __user *optval, int __user *optlen)\n{\n\tstruct sctp_assoc_value params;\n\tstruct sctp_association *asoc;\n\n\tif (len == sizeof(int)) {\n\t\tpr_warn_ratelimited(DEPRECATED\n\t\t\t\t \"%s (pid %d) \"\n\t\t\t\t \"Use of int in maxseg socket option.\\n\"\n\t\t\t\t \"Use struct sctp_assoc_value instead\\n\",\n\t\t\t\t current->comm, task_pid_nr(current));\n\t\tparams.assoc_id = SCTP_FUTURE_ASSOC;\n\t} else if (len >= sizeof(struct sctp_assoc_value)) {\n\t\tlen = sizeof(struct sctp_assoc_value);\n\t\tif (copy_from_user(¶ms, optval, len))\n\t\t\treturn -EFAULT;\n\t} else\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, params.assoc_id);\n\tif (!asoc && params.assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc)\n\t\tparams.assoc_value = asoc->frag_point;\n\telse\n\t\tparams.assoc_value = sctp_sk(sk)->user_frag;\n\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\tif (len == sizeof(int)) {\n\t\tif (copy_to_user(optval, ¶ms.assoc_value, len))\n\t\t\treturn -EFAULT;\n\t} else {\n\t\tif 
(copy_to_user(optval, ¶ms, len))\n\t\t\treturn -EFAULT;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 10173438555491137093660343986249799088, "size": 42, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398197 }, { "func": "static ssize_t poison_store(struct kmem_cache *s,\n\t\t\t\tconst char *buf, size_t length)\n{\n\tif (any_slab_objects(s))\n\t\treturn -EBUSY;\n\n\ts->flags &= ~SLAB_POISON;\n\tif (buf[0] == '1') {\n\t\ts->flags |= SLAB_POISON;\n\t}\n\tcalculate_sizes(s, -1);\n\treturn length;\n}", "project": "linux", "hash": 323482901904561001651665171823685327515, "size": 13, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280146 }, { "func": "int mnt_optstr_remove_option(char **optstr, const char *name)\n{\n\tstruct libmnt_optloc ol = MNT_INIT_OPTLOC;\n\tint rc;\n\n\tif (!optstr || !name)\n\t\treturn -EINVAL;\n\n\trc = mnt_optstr_locate_option(*optstr, name, &ol);\n\tif (rc != 0)\n\t\treturn rc;\n\n\tmnt_optstr_remove_option_at(optstr, ol.begin, ol.end);\n\treturn 0;\n}", "project": "util-linux", "hash": 174751904470293867314304873611460211672, "size": 15, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410393 }, { "func": "static u64 check_and_compute_delta(u64 prev, u64 val)\n{\n\tu64 delta = (val - prev) & 0xfffffffful;\n\n\t/*\n\t * POWER7 can roll back counter values, if the new value is smaller\n\t * than the previous value it will cause the delta and the counter to\n\t * have bogus values unless we rolled a counter over. If a coutner is\n\t * rolled back, it will be smaller, but within 256, which is the maximum\n\t * number of events to rollback at once. If we detect a rollback\n\t * return 0. 
This can lead to a small lack of precision in the\n\t * counters.\n\t */\n\tif (prev > val && (prev - val) < 256)\n\t\tdelta = 0;\n\n\treturn delta;\n}", "project": "linux", "hash": 6206562622873835768064650016984495939, "size": 18, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374734 }, { "func": "static void update_tracer_options(struct trace_array *tr)\n{\n\tmutex_lock(&trace_types_lock);\n\t__update_tracer_options(tr);\n\tmutex_unlock(&trace_types_lock);\n}", "project": "linux", "hash": 257165348612255064349646897163780485784, "size": 6, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445684 }, { "func": " bool int_eq(longlong value, const Item *item) const\n {\n DBUG_ASSERT(is_basic_value(INT_ITEM));\n return is_basic_value(item, INT_ITEM) &&\n value == ((Item_basic_value*)item)->val_int() &&\n (value >= 0 || item->unsigned_flag == unsigned_flag);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 76692969542529422234239009624196293725, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509144 }, { "func": "static inline void kvm_vcpu_set_dy_eligible(struct kvm_vcpu *vcpu, bool val)\n{\n\tvcpu->spin_loop.dy_eligible = val;\n}", "project": "linux", "hash": 261680852158549068568820652996828050844, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354424 }, { "func": "static inline void kvm_vcpu_set_dy_eligible(struct kvm_vcpu *vcpu, bool val)\n{\n}", "project": "linux", "hash": 87557499832800792318366056740999375909, "size": 3, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo 
Bonzini ", "target": 0, "dataset": "other", "idx": 354837 }, { "func": "static void fuse_invalidate_attr_mask(struct inode *inode, u32 mask)\n{\n\tset_mask_bits(&get_fuse_inode(inode)->inval_mask, 0, mask);\n}", "project": "linux", "hash": 30355885061461245303563380290442224866, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342048 }, { "func": "static rsRetVal qqueueChkPersist(qqueue_t *pThis, int nUpdates)\n{\n\tDEFiRet;\n\tISOBJ_TYPE_assert(pThis, qqueue);\n\tassert(nUpdates >= 0);\n\n\tif(nUpdates == 0)\n\t\tFINALIZE;\n\n\tpThis->iUpdsSincePersist += nUpdates;\n\tif(pThis->iPersistUpdCnt && pThis->iUpdsSincePersist >= pThis->iPersistUpdCnt) {\n\t\tqqueuePersist(pThis, QUEUE_CHECKPOINT);\n\t\tpThis->iUpdsSincePersist = 0;\n\t}\n\nfinalize_it:\n\tRETiRet;\n}", "project": "rsyslog", "hash": 180543421268690715056686647371243202864, "size": 18, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", 
"idx": 373763 }, { "func": "static void fuse_kill_sb_anon(struct super_block *sb)\n{\n\tfuse_sb_destroy(sb);\n\tkill_anon_super(sb);\n}", "project": "linux", "hash": 2068081725139690331886954493507685698, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341972 }, { "func": "uint32 CSoundFile::GetNoteFromPeriod(uint32 period, int32 nFineTune, uint32 nC5Speed) const\n{\n\tif(!period) return 0;\n\tif(m_playBehaviour[kFT2Periods])\n\t{\n\t\t// FT2's \"RelocateTon\" function actually rounds up and down, while GetNoteFromPeriod normally just truncates.\n\t\tnFineTune += 64;\n\t}\n\t// This essentially implements std::lower_bound, with the difference that we don't need an iterable container.\n\tuint32 minNote = NOTE_MIN, maxNote = NOTE_MAX, count = maxNote - minNote + 1;\n\tconst bool periodIsFreq = PeriodsAreFrequencies();\n\twhile(count > 0)\n\t{\n\t\tconst uint32 step = count / 2, midNote = minNote + step;\n\t\tuint32 n = GetPeriodFromNote(midNote, nFineTune, nC5Speed);\n\t\tif((n > period && !periodIsFreq) || (n < period && periodIsFreq) || !n)\n\t\t{\n\t\t\tminNote = 
midNote + 1;\n\t\t\tcount -= step + 1;\n\t\t} else\n\t\t{\n\t\t\tcount = step;\n\t\t}\n\t}\n\treturn minNote;\n}", "project": "openmpt", "hash": 183060540006397247900022061405127028425, "size": 26, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255184 }, { "func": "void input_close_device(struct input_handle *handle)\n{\n\tstruct input_dev *dev = handle->dev;\n\n\tmutex_lock(&dev->mutex);\n\n\t__input_release_device(handle);\n\n\tif (!--dev->users) {\n\t\tif (dev->poller)\n\t\t\tinput_dev_poller_stop(dev->poller);\n\n\t\tif (dev->close)\n\t\t\tdev->close(dev);\n\t}\n\n\tif (!--handle->open) {\n\t\t/*\n\t\t * synchronize_rcu() makes sure that input_pass_event()\n\t\t * completed and that no more input events are delivered\n\t\t * through this handle\n\t\t */\n\t\tsynchronize_rcu();\n\t}\n\n\tmutex_unlock(&dev->mutex);\n}", "project": "linux", "hash": 105808199685794277633111499335310323243, "size": 27, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353314 }, { "func": "int kvm_get_dirty_log(struct kvm *kvm, struct kvm_dirty_log *log,\n\t\t int *is_dirty, struct kvm_memory_slot **memslot)\n{\n\tstruct kvm_memslots *slots;\n\tint i, as_id, id;\n\tunsigned long n;\n\tunsigned long any = 0;\n\n\t*memslot = NULL;\n\t*is_dirty = 0;\n\n\tas_id = log->slot >> 16;\n\tid = (u16)log->slot;\n\tif (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_USER_MEM_SLOTS)\n\t\treturn -EINVAL;\n\n\tslots = __kvm_memslots(kvm, as_id);\n\t*memslot = id_to_memslot(slots, id);\n\tif (!(*memslot) || !(*memslot)->dirty_bitmap)\n\t\treturn -ENOENT;\n\n\tkvm_arch_sync_dirty_log(kvm, *memslot);\n\n\tn = kvm_dirty_bitmap_bytes(*memslot);\n\n\tfor (i = 0; !any && i < n/sizeof(long); ++i)\n\t\tany = (*memslot)->dirty_bitmap[i];\n\n\tif (copy_to_user(log->dirty_bitmap, (*memslot)->dirty_bitmap, n))\n\t\treturn -EFAULT;\n\n\tif (any)\n\t\t*is_dirty = 1;\n\treturn 0;\n}", "project": "linux", "hash": 31920105490771148437294291958046104409, "size": 35, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini 
", "target": 0, "dataset": "other", "idx": 354685 }, { "func": "int kvm_get_dirty_log(struct kvm *kvm, struct kvm_dirty_log *log,\n\t\t int *is_dirty, struct kvm_memory_slot **memslot)\n{\n\tstruct kvm_memslots *slots;\n\tint i, as_id, id;\n\tunsigned long n;\n\tunsigned long any = 0;\n\n\t/* Dirty ring tracking is exclusive to dirty log tracking */\n\tif (kvm->dirty_ring_size)\n\t\treturn -ENXIO;\n\n\t*memslot = NULL;\n\t*is_dirty = 0;\n\n\tas_id = log->slot >> 16;\n\tid = (u16)log->slot;\n\tif (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_USER_MEM_SLOTS)\n\t\treturn -EINVAL;\n\n\tslots = __kvm_memslots(kvm, as_id);\n\t*memslot = id_to_memslot(slots, id);\n\tif (!(*memslot) || !(*memslot)->dirty_bitmap)\n\t\treturn -ENOENT;\n\n\tkvm_arch_sync_dirty_log(kvm, *memslot);\n\n\tn = kvm_dirty_bitmap_bytes(*memslot);\n\n\tfor (i = 0; !any && i < n/sizeof(long); ++i)\n\t\tany = (*memslot)->dirty_bitmap[i];\n\n\tif (copy_to_user(log->dirty_bitmap, (*memslot)->dirty_bitmap, n))\n\t\treturn -EFAULT;\n\n\tif (any)\n\t\t*is_dirty = 1;\n\treturn 0;\n}", "project": "linux", "hash": 112942733845864348027694407489575922634, "size": 39, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404099 }, { "func": "static int trace_downrec(jit_State *J)\n{\n /* Restart recording at the return instruction. */\n lua_assert(J->pt != NULL);\n lua_assert(bc_isret(bc_op(*J->pc)));\n if (bc_op(*J->pc) == BC_RETM)\n return 0; /* NYI: down-recursion with RETM. */\n J->parent = 0;\n J->exitno = 0;\n J->state = LJ_TRACE_RECORD;\n trace_start(J);\n return 1;\n}", "project": "LuaJIT", "hash": 315663960767979538114332999870463048460, "size": 13, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394642 }, { "func": "int cmd_grep(int argc, const char **argv, const char *prefix)\n{\n\tint hit = 0;\n\tint cached = 0;\n\tint seen_dashdash = 0;\n\tstruct grep_opt opt;\n\tstruct object_array list = { 0, 0, NULL };\n\tconst char **paths = NULL;\n\tint i;\n\n\tmemset(&opt, 0, sizeof(opt));\n\topt.prefix_length = (prefix && *prefix) ? strlen(prefix) : 0;\n\topt.relative = 1;\n\topt.pathname = 1;\n\topt.pattern_tail = &opt.pattern_list;\n\topt.regflags = REG_NEWLINE;\n\n\t/*\n\t * If there is no -- then the paths must exist in the working\n\t * tree. 
If there is no explicit pattern specified with -e or\n\t * -f, we take the first unrecognized non option to be the\n\t * pattern, but then what follows it must be zero or more\n\t * valid refs up to the -- (if exists), and then existing\n\t * paths. If there is an explicit pattern, then the first\n\t * unrecognized non option is the beginning of the refs list\n\t * that continues up to the -- (if exists), and then paths.\n\t */\n\n\twhile (1 < argc) {\n\t\tconst char *arg = argv[1];\n\t\targc--; argv++;\n\t\tif (!strcmp(\"--cached\", arg)) {\n\t\t\tcached = 1;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-a\", arg) ||\n\t\t !strcmp(\"--text\", arg)) {\n\t\t\topt.binary = GREP_BINARY_TEXT;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-i\", arg) ||\n\t\t !strcmp(\"--ignore-case\", arg)) {\n\t\t\topt.regflags |= REG_ICASE;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-I\", arg)) {\n\t\t\topt.binary = GREP_BINARY_NOMATCH;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-v\", arg) ||\n\t\t !strcmp(\"--invert-match\", arg)) {\n\t\t\topt.invert = 1;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-E\", arg) ||\n\t\t !strcmp(\"--extended-regexp\", arg)) {\n\t\t\topt.regflags |= REG_EXTENDED;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-F\", arg) ||\n\t\t !strcmp(\"--fixed-strings\", arg)) {\n\t\t\topt.fixed = 1;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-G\", arg) ||\n\t\t !strcmp(\"--basic-regexp\", arg)) {\n\t\t\topt.regflags &= ~REG_EXTENDED;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-n\", arg)) {\n\t\t\topt.linenum = 1;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-h\", arg)) {\n\t\t\topt.pathname = 0;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-H\", arg)) {\n\t\t\topt.pathname = 1;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-l\", arg) ||\n\t\t !strcmp(\"--name-only\", arg) ||\n\t\t !strcmp(\"--files-with-matches\", arg)) {\n\t\t\topt.name_only = 1;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-L\", arg) ||\n\t\t !strcmp(\"--files-without-match\", arg)) {\n\t\t\topt.unmatch_name_only = 
1;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-c\", arg) ||\n\t\t !strcmp(\"--count\", arg)) {\n\t\t\topt.count = 1;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-w\", arg) ||\n\t\t !strcmp(\"--word-regexp\", arg)) {\n\t\t\topt.word_regexp = 1;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!prefixcmp(arg, \"-A\") ||\n\t\t !prefixcmp(arg, \"-B\") ||\n\t\t !prefixcmp(arg, \"-C\") ||\n\t\t (arg[0] == '-' && '1' <= arg[1] && arg[1] <= '9')) {\n\t\t\tunsigned num;\n\t\t\tconst char *scan;\n\t\t\tswitch (arg[1]) {\n\t\t\tcase 'A': case 'B': case 'C':\n\t\t\t\tif (!arg[2]) {\n\t\t\t\t\tif (argc <= 1)\n\t\t\t\t\t\tdie(emsg_missing_context_len);\n\t\t\t\t\tscan = *++argv;\n\t\t\t\t\targc--;\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t\tscan = arg + 2;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tscan = arg + 1;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tif (strtoul_ui(scan, 10, &num))\n\t\t\t\tdie(emsg_invalid_context_len, scan);\n\t\t\tswitch (arg[1]) {\n\t\t\tcase 'A':\n\t\t\t\topt.post_context = num;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\tcase 'C':\n\t\t\t\topt.post_context = num;\n\t\t\tcase 'B':\n\t\t\t\topt.pre_context = num;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-f\", arg)) {\n\t\t\tFILE *patterns;\n\t\t\tint lno = 0;\n\t\t\tchar buf[1024];\n\t\t\tif (argc <= 1)\n\t\t\t\tdie(emsg_missing_argument, arg);\n\t\t\tpatterns = fopen(argv[1], \"r\");\n\t\t\tif (!patterns)\n\t\t\t\tdie(\"'%s': %s\", argv[1], strerror(errno));\n\t\t\twhile (fgets(buf, sizeof(buf), patterns)) {\n\t\t\t\tint len = strlen(buf);\n\t\t\t\tif (len && buf[len-1] == '\\n')\n\t\t\t\t\tbuf[len-1] = 0;\n\t\t\t\t/* ignore empty line like grep does */\n\t\t\t\tif (!buf[0])\n\t\t\t\t\tcontinue;\n\t\t\t\tappend_grep_pattern(&opt, xstrdup(buf),\n\t\t\t\t\t\t argv[1], ++lno,\n\t\t\t\t\t\t GREP_PATTERN);\n\t\t\t}\n\t\t\tfclose(patterns);\n\t\t\targv++;\n\t\t\targc--;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"--not\", arg)) {\n\t\t\tappend_grep_pattern(&opt, arg, \"command line\", 0,\n\t\t\t\t\t 
GREP_NOT);\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"--and\", arg)) {\n\t\t\tappend_grep_pattern(&opt, arg, \"command line\", 0,\n\t\t\t\t\t GREP_AND);\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"--or\", arg))\n\t\t\tcontinue; /* no-op */\n\t\tif (!strcmp(\"(\", arg)) {\n\t\t\tappend_grep_pattern(&opt, arg, \"command line\", 0,\n\t\t\t\t\t GREP_OPEN_PAREN);\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\")\", arg)) {\n\t\t\tappend_grep_pattern(&opt, arg, \"command line\", 0,\n\t\t\t\t\t GREP_CLOSE_PAREN);\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"--all-match\", arg)) {\n\t\t\topt.all_match = 1;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"-e\", arg)) {\n\t\t\tif (1 < argc) {\n\t\t\t\tappend_grep_pattern(&opt, argv[1],\n\t\t\t\t\t\t \"-e option\", 0,\n\t\t\t\t\t\t GREP_PATTERN);\n\t\t\t\targv++;\n\t\t\t\targc--;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tdie(emsg_missing_argument, arg);\n\t\t}\n\t\tif (!strcmp(\"--full-name\", arg)) {\n\t\t\topt.relative = 0;\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(\"--\", arg)) {\n\t\t\t/* later processing wants to have this at argv[1] */\n\t\t\targv--;\n\t\t\targc++;\n\t\t\tbreak;\n\t\t}\n\t\tif (*arg == '-')\n\t\t\tusage(builtin_grep_usage);\n\n\t\t/* First unrecognized non-option token */\n\t\tif (!opt.pattern_list) {\n\t\t\tappend_grep_pattern(&opt, arg, \"command line\", 0,\n\t\t\t\t\t GREP_PATTERN);\n\t\t\tbreak;\n\t\t}\n\t\telse {\n\t\t\t/* We are looking at the first path or rev;\n\t\t\t * it is found at argv[1] after leaving the\n\t\t\t * loop.\n\t\t\t */\n\t\t\targc++; argv--;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (!opt.pattern_list)\n\t\tdie(\"no pattern given.\");\n\tif ((opt.regflags != REG_NEWLINE) && opt.fixed)\n\t\tdie(\"cannot mix --fixed-strings and regexp\");\n\tcompile_grep_patterns(&opt);\n\n\t/* Check revs and then paths */\n\tfor (i = 1; i < argc; i++) {\n\t\tconst char *arg = argv[i];\n\t\tunsigned char sha1[20];\n\t\t/* Is it a rev? 
*/\n\t\tif (!get_sha1(arg, sha1)) {\n\t\t\tstruct object *object = parse_object(sha1);\n\t\t\tif (!object)\n\t\t\t\tdie(\"bad object %s\", arg);\n\t\t\tadd_object_array(object, arg, &list);\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(arg, \"--\")) {\n\t\t\ti++;\n\t\t\tseen_dashdash = 1;\n\t\t}\n\t\tbreak;\n\t}\n\n\t/* The rest are paths */\n\tif (!seen_dashdash) {\n\t\tint j;\n\t\tfor (j = i; j < argc; j++)\n\t\t\tverify_filename(prefix, argv[j]);\n\t}\n\n\tif (i < argc) {\n\t\tpaths = get_pathspec(prefix, argv + i);\n\t\tif (opt.prefix_length && opt.relative) {\n\t\t\t/* Make sure we do not get outside of paths */\n\t\t\tfor (i = 0; paths[i]; i++)\n\t\t\t\tif (strncmp(prefix, paths[i], opt.prefix_length))\n\t\t\t\t\tdie(\"git-grep: cannot generate relative filenames containing '..'\");\n\t\t}\n\t}\n\telse if (prefix) {\n\t\tpaths = xcalloc(2, sizeof(const char *));\n\t\tpaths[0] = prefix;\n\t\tpaths[1] = NULL;\n\t}\n\n\tif (!list.nr)\n\t\treturn !grep_cache(&opt, paths, cached);\n\n\tif (cached)\n\t\tdie(\"both --cached and trees are given.\");\n\n\tfor (i = 0; i < list.nr; i++) {\n\t\tstruct object *real_obj;\n\t\treal_obj = deref_tag(list.objects[i].item, NULL, 0);\n\t\tif (grep_object(&opt, paths, real_obj, list.objects[i].name))\n\t\t\thit = 1;\n\t}\n\tfree_grep_patterns(&opt);\n\treturn !hit;\n}", "project": "git", "hash": 156117168430009164673737231560440741507, "size": 291, "commit_id": "620e2bb93785ed8eb60846d94fd4753d4817c8ec", "message": "Fix buffer overflow in git-grep\n\nIf PATH_MAX on your system is smaller than any path stored in the git\nrepository, that can cause memory corruption inside of the grep_tree\nfunction used by git-grep.\n\nSigned-off-by: Dmitry Potapov \nSigned-off-by: Junio C Hamano ", "target": 0, "dataset": "other", "idx": 446046 }, { "func": "void CSoundFile::InvertLoop(ModChannel *pChn)\n{\n\t// EFx implementation for MOD files (PT 1.1A and up: Invert Loop)\n\t// This effect trashes samples. Thanks to 8bitbubsy for making this work. 
:)\n\tif(GetType() != MOD_TYPE_MOD || pChn->nEFxSpeed == 0) return;\n\n\t// we obviously also need a sample for this\n\tModSample *pModSample = const_cast(pChn->pModSample);\n\tif(pModSample == nullptr || !pModSample->HasSampleData() || !pModSample->uFlags[CHN_LOOP] || pModSample->uFlags[CHN_16BIT]) return;\n\n\tpChn->nEFxDelay += ModEFxTable[pChn->nEFxSpeed & 0x0F];\n\tif((pChn->nEFxDelay & 0x80) == 0) return; // only applied if the \"delay\" reaches 128\n\tpChn->nEFxDelay = 0;\n\n\tif (++pChn->nEFxOffset >= pModSample->nLoopEnd - pModSample->nLoopStart)\n\t\tpChn->nEFxOffset = 0;\n\n\t// TRASH IT!!! (Yes, the sample!)\n\tuint8 &sample = mpt::byte_cast(pModSample->sampleb())[pModSample->nLoopStart + pChn->nEFxOffset];\n\tsample = ~sample;\n\tctrlSmp::PrecomputeLoops(*pModSample, *this, false);\n}", "project": "openmpt", "hash": 79519396803105060262316464261397752469, "size": 22, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255205 }, { "func": "int CServer::LoadMap(const char *pMapName)\n{\n\tchar aBuf[IO_MAX_PATH_LENGTH];\n\tstr_format(aBuf, sizeof(aBuf), \"maps/%s.map\", pMapName);\n\n\t// check for valid standard map\n\tif(!m_MapChecker.ReadAndValidateMap(Storage(), aBuf, IStorage::TYPE_ALL))\n\t{\n\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"mapchecker\", \"invalid standard map\");\n\t\treturn 0;\n\t}\n\n\tif(!m_pMap->Load(aBuf))\n\t\treturn 0;\n\n\t// stop recording when we change map\n\tm_DemoRecorder.Stop();\n\n\t// reinit snapshot ids\n\tm_IDPool.TimeoutIDs();\n\n\t// get the sha256 and crc of the map\n\tm_CurrentMapSha256 = m_pMap->Sha256();\n\tm_CurrentMapCrc = m_pMap->Crc();\n\tchar 
aSha256[SHA256_MAXSTRSIZE];\n\tsha256_str(m_CurrentMapSha256, aSha256, sizeof(aSha256));\n\tchar aBufMsg[256];\n\tstr_format(aBufMsg, sizeof(aBufMsg), \"%s sha256 is %s\", aBuf, aSha256);\n\tConsole()->Print(IConsole::OUTPUT_LEVEL_ADDINFO, \"server\", aBufMsg);\n\tstr_format(aBufMsg, sizeof(aBufMsg), \"%s crc is %08x\", aBuf, m_CurrentMapCrc);\n\tConsole()->Print(IConsole::OUTPUT_LEVEL_ADDINFO, \"server\", aBufMsg);\n\n\tstr_copy(m_aCurrentMap, pMapName, sizeof(m_aCurrentMap));\n\n\t// load complete map into memory for download\n\t{\n\t\tIOHANDLE File = Storage()->OpenFile(aBuf, IOFLAG_READ, IStorage::TYPE_ALL);\n\t\tm_CurrentMapSize = (int)io_length(File);\n\t\tif(m_pCurrentMapData)\n\t\t\tmem_free(m_pCurrentMapData);\n\t\tm_pCurrentMapData = (unsigned char *)mem_alloc(m_CurrentMapSize, 1);\n\t\tio_read(File, m_pCurrentMapData, m_CurrentMapSize);\n\t\tio_close(File);\n\t}\n\treturn 1;\n}", "project": "teeworlds", "hash": 330265696619737173985396507223212423217, "size": 46, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382054 }, { "func": "void __hci_req_update_eir(struct hci_request *req)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tstruct hci_cp_write_eir cp;\n\n\tif (!hdev_is_powered(hdev))\n\t\treturn;\n\n\tif (!lmp_ext_inq_capable(hdev))\n\t\treturn;\n\n\tif (!hci_dev_test_flag(hdev, HCI_SSP_ENABLED))\n\t\treturn;\n\n\tif (hci_dev_test_flag(hdev, HCI_SERVICE_CACHE))\n\t\treturn;\n\n\tmemset(&cp, 0, sizeof(cp));\n\n\tcreate_eir(hdev, cp.data);\n\n\tif (memcmp(cp.data, hdev->eir, sizeof(cp.data)) == 0)\n\t\treturn;\n\n\tmemcpy(hdev->eir, cp.data, sizeof(cp.data));\n\n\thci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);\n}", "project": "linux", "hash": 35184557097993937601556083677242278841, "size": 28, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race 
condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402558 }, { "func": "static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev,\n struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\tstruct hci_cp_le_set_adv_set_rand_addr *cp;\n\tstruct adv_info *adv_instance;\n\n\tif (status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tif (!hdev->cur_adv_instance) {\n\t\t/* Store in hdev for instance 0 (Set adv and Directed advs) */\n\t\tbacpy(&hdev->random_addr, &cp->bdaddr);\n\t} else {\n\t\tadv_instance = hci_find_adv_instance(hdev,\n\t\t\t\t\t\t hdev->cur_adv_instance);\n\t\tif (adv_instance)\n\t\t\tbacpy(&adv_instance->random_addr, &cp->bdaddr);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 39139062277620824457869450494919412539, "size": 28, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432005 }, { "func": "AP_DECLARE(apr_socket_t *) ap_get_conn_socket(conn_rec *c)\n{\n return ap_get_core_module_config(c->conn_config);\n}", "project": "httpd", "hash": 25459883583574920762198319616437690582, "size": 4, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246272 }, { "func": "static const char *set_http_protocol_options(cmd_parms *cmd, void *dummy,\n const char *arg)\n{\n core_server_config *conf =\n ap_get_core_module_config(cmd->server->module_config);\n\n if (strcasecmp(arg, \"allow0.9\") == 0)\n conf->http09_enable |= AP_HTTP09_ENABLE;\n else if (strcasecmp(arg, \"require1.0\") == 0)\n conf->http09_enable |= AP_HTTP09_DISABLE;\n else if (strcasecmp(arg, \"strict\") == 0)\n conf->http_conformance |= AP_HTTP_CONFORMANCE_STRICT;\n else if (strcasecmp(arg, \"unsafe\") == 0)\n conf->http_conformance |= AP_HTTP_CONFORMANCE_UNSAFE;\n else if (strcasecmp(arg, \"registeredmethods\") == 0)\n conf->http_methods |= AP_HTTP_METHODS_REGISTERED;\n else if (strcasecmp(arg, \"lenientmethods\") == 0)\n conf->http_methods |= AP_HTTP_METHODS_LENIENT;\n else\n return \"HttpProtocolOptions accepts \"\n \"'Unsafe' or 'Strict' (default), \"\n \"'RegisteredMethods' or 'LenientMethods' (default), and 
\"\n \"'Require1.0' or 'Allow0.9' (default)\";\n\n if ((conf->http09_enable & AP_HTTP09_ENABLE)\n && (conf->http09_enable & AP_HTTP09_DISABLE))\n return \"HttpProtocolOptions 'Allow0.9' and 'Require1.0'\"\n \" are mutually exclusive\";\n\n if ((conf->http_conformance & AP_HTTP_CONFORMANCE_STRICT)\n && (conf->http_conformance & AP_HTTP_CONFORMANCE_UNSAFE))\n return \"HttpProtocolOptions 'Strict' and 'Unsafe'\"\n \" are mutually exclusive\";\n\n if ((conf->http_methods & AP_HTTP_METHODS_REGISTERED)\n && (conf->http_methods & AP_HTTP_METHODS_LENIENT))\n return \"HttpProtocolOptions 'RegisteredMethods' and 'LenientMethods'\"\n \" are mutually exclusive\";\n\n return NULL;\n}", "project": "httpd", "hash": 3916605968787869211081376254071248321, "size": 41, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246329 }, { "func": "static const char *set_trace_enable(cmd_parms *cmd, void *dummy,\n const char *arg1)\n{\n core_server_config *conf =\n ap_get_core_module_config(cmd->server->module_config);\n\n if (ap_cstr_casecmp(arg1, \"on\") == 0) {\n conf->trace_enable = AP_TRACE_ENABLE;\n }\n else if (ap_cstr_casecmp(arg1, \"off\") == 0) {\n conf->trace_enable = AP_TRACE_DISABLE;\n }\n else if (ap_cstr_casecmp(arg1, \"extended\") == 0) {\n conf->trace_enable = AP_TRACE_EXTENDED;\n }\n else {\n return \"TraceEnable must be one of 'on', 'off', or 'extended'\";\n }\n\n return NULL;\n}", "project": "httpd", "hash": 195902872307148838932292316628755875604, "size": 21, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' 
registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246344 }, { "func": "static float to_linear(float x, float scale)\n{\n float ax = fabsf(x);\n\n if (ax <= 1.f) {\n return FFSIGN(x) * powf(ax, 2.2f * scale);\n } else {\n const float log_base = expf(2.2f * scale);\n\n return FFSIGN(x) * powf(log_base, ax - 1.f);\n }\n}", "project": "FFmpeg", "hash": 115046664476034166271223322747268047820, "size": 12, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262688 }, { "func": "static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,\n\t\tchar **err_str, char **err_desc) {\n\tapr_uri_t uri;\n\tconst char *c_host = NULL;\n\n\tif (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {\n\t\t*err_str = apr_pstrdup(r->pool, \"Malformed URL\");\n\t\t*err_desc = apr_psprintf(r->pool, \"Logout URL malformed: %s\", url);\n\t\toidc_error(r, \"%s: %s\", *err_str, *err_desc);\n\t\treturn FALSE;\n\t}\n\n\tc_host = oidc_get_current_url_host(r);\n\tif ((uri.hostname != NULL)\n\t\t\t&& ((strstr(c_host, uri.hostname) == NULL)\n\t\t\t\t\t|| (strstr(uri.hostname, c_host) == NULL))) {\n\t\t*err_str = apr_pstrdup(r->pool, \"Invalid Request\");\n\t\t*err_desc =\n\t\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\t\"logout value \\\"%s\\\" does not match the hostname of the current request \\\"%s\\\"\",\n\t\t\t\t\t\tapr_uri_unparse(r->pool, &uri, 0), c_host);\n\t\toidc_error(r, \"%s: %s\", *err_str, *err_desc);\n\t\treturn FALSE;\n\t} else if 
(strstr(url, \"/\") != url) {\n\t\t*err_str = apr_pstrdup(r->pool, \"Malformed URL\");\n\t\t*err_desc =\n\t\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\t\"No hostname was parsed and it does not seem to be relative, i.e starting with '/': %s\",\n\t\t\t\t\t\turl);\n\t\toidc_error(r, \"%s: %s\", *err_str, *err_desc);\n\t\treturn FALSE;\n\t}\n\n\t/* validate the URL to prevent HTTP header splitting */\n\tif (((strstr(url, \"\\n\") != NULL) || strstr(url, \"\\r\") != NULL)) {\n\t\t*err_str = apr_pstrdup(r->pool, \"Invalid Request\");\n\t\t*err_desc =\n\t\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\t\"logout value \\\"%s\\\" contains illegal \\\"\\n\\\" or \\\"\\r\\\" character(s)\",\n\t\t\t\t\t\turl);\n\t\toidc_error(r, \"%s: %s\", *err_str, *err_desc);\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 194756554862366516881552658213654354928, "size": 46, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 1, "dataset": "other", "idx": 211253 }, { "func": "static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,\n\t\tchar **err_str, char **err_desc) {\n\tapr_uri_t uri;\n\tconst char *c_host = NULL;\n\n\tif (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {\n\t\t*err_str = apr_pstrdup(r->pool, \"Malformed URL\");\n\t\t*err_desc = apr_psprintf(r->pool, \"Logout URL malformed: %s\", url);\n\t\toidc_error(r, \"%s: %s\", *err_str, *err_desc);\n\t\treturn FALSE;\n\t}\n\n\tc_host = oidc_get_current_url_host(r);\n\tif ((uri.hostname != NULL)\n\t\t\t&& ((strstr(c_host, uri.hostname) == NULL)\n\t\t\t\t\t|| (strstr(uri.hostname, c_host) == NULL))) {\n\t\t*err_str = apr_pstrdup(r->pool, \"Invalid Request\");\n\t\t*err_desc =\n\t\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\t\"logout value \\\"%s\\\" does not match the hostname of the current request \\\"%s\\\"\",\n\t\t\t\t\t\tapr_uri_unparse(r->pool, &uri, 0), c_host);\n\t\toidc_error(r, \"%s: %s\", *err_str, 
*err_desc);\n\t\treturn FALSE;\n\t} else if ((uri.hostname == NULL) && (strstr(url, \"/\") != url)) {\n\t\t*err_str = apr_pstrdup(r->pool, \"Malformed URL\");\n\t\t*err_desc =\n\t\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\t\"No hostname was parsed and it does not seem to be relative, i.e starting with '/': %s\",\n\t\t\t\t\t\turl);\n\t\toidc_error(r, \"%s: %s\", *err_str, *err_desc);\n\t\treturn FALSE;\n\t}\n\n\t/* validate the URL to prevent HTTP header splitting */\n\tif (((strstr(url, \"\\n\") != NULL) || strstr(url, \"\\r\") != NULL)) {\n\t\t*err_str = apr_pstrdup(r->pool, \"Invalid Request\");\n\t\t*err_desc =\n\t\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\t\"logout value \\\"%s\\\" contains illegal \\\"\\n\\\" or \\\"\\r\\\" character(s)\",\n\t\t\t\t\t\turl);\n\t\toidc_error(r, \"%s: %s\", *err_str, *err_desc);\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 168048052487772235272643922731757152176, "size": 46, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447708 }, { "func": "static bool process_arg(char *p, char *q, int pass)\n{\n char *param;\n bool advance = false;\n\n if (!p || !p[0])\n return false;\n\n if (p[0] == '-' && !stopoptions) {\n if (strchr(\"oOfpPdDiIlFXuUZwW\", p[1])) {\n /* These parameters take values */\n if (!(param = get_param(p, q, &advance)))\n return advance;\n }\n\n switch (p[1]) {\n case 's':\n if (pass == 1)\n error_file = stdout;\n break;\n\n case 'o': /* output file */\n if (pass == 2)\n copy_filename(&outname, param, \"output\");\n break;\n\n case 'f': /* output format */\n if (pass == 1) {\n ofmt = ofmt_find(param, &ofmt_alias);\n if (!ofmt) {\n nasm_fatal(ERR_NOFILE | ERR_USAGE,\n \"unrecognised output format `%s' - \"\n \"use -hf for a list\", param);\n }\n }\n break;\n\n case 'O': /* Optimization level */\n if (pass == 2) {\n int opt;\n\n if (!*param) {\n /* Naked -O == -Ox */\n 
optimizing.level = MAX_OPTIMIZE;\n } else {\n while (*param) {\n switch (*param) {\n case '0': case '1': case '2': case '3': case '4':\n case '5': case '6': case '7': case '8': case '9':\n opt = strtoul(param, ¶m, 10);\n\n /* -O0 -> optimizing.level == -1, 0.98 behaviour */\n /* -O1 -> optimizing.level == 0, 0.98.09 behaviour */\n if (opt < 2)\n optimizing.level = opt - 1;\n else\n optimizing.level = opt;\n break;\n\n case 'v':\n case '+':\n param++;\n opt_verbose_info = true;\n break;\n\n case 'x':\n param++;\n optimizing.level = MAX_OPTIMIZE;\n break;\n\n default:\n nasm_fatal(0,\n \"unknown optimization option -O%c\\n\",\n *param);\n break;\n }\n }\n if (optimizing.level > MAX_OPTIMIZE)\n optimizing.level = MAX_OPTIMIZE;\n }\n }\n break;\n\n case 'p': /* pre-include */\n case 'P':\n if (pass == 2)\n preproc->pre_include(param);\n break;\n\n case 'd': /* pre-define */\n case 'D':\n if (pass == 2)\n preproc->pre_define(param);\n break;\n\n case 'u': /* un-define */\n case 'U':\n if (pass == 2)\n preproc->pre_undefine(param);\n break;\n\n case 'i': /* include search path */\n case 'I':\n if (pass == 2)\n preproc->include_path(param);\n break;\n\n case 'l': /* listing file */\n if (pass == 2)\n copy_filename(&listname, param, \"listing\");\n break;\n\n case 'Z': /* error messages file */\n if (pass == 1)\n copy_filename(&errname, param, \"error\");\n break;\n\n case 'F': /* specify debug format */\n if (pass == 2) {\n using_debug_info = true;\n debug_format = param;\n }\n break;\n\n case 'X': /* specify error reporting format */\n if (pass == 1) {\n if (nasm_stricmp(\"vc\", param) == 0)\n nasm_set_verror(nasm_verror_vc);\n else if (nasm_stricmp(\"gnu\", param) == 0)\n nasm_set_verror(nasm_verror_gnu);\n else\n nasm_fatal(ERR_NOFILE | ERR_USAGE,\n \"unrecognized error reporting format `%s'\",\n param);\n }\n break;\n\n case 'g':\n if (pass == 2) {\n using_debug_info = true;\n if (p[2])\n debug_format = nasm_skip_spaces(p + 2);\n }\n break;\n\n case 'h':\n 
help(p[2]);\n exit(0); /* never need usage message here */\n break;\n\n case 'y':\n printf(\"\\nvalid debug formats for '%s' output format are\"\n \" ('*' denotes default):\\n\", ofmt->shortname);\n dfmt_list(ofmt, stdout);\n exit(0);\n break;\n\n case 't':\n if (pass == 2)\n tasm_compatible_mode = true;\n break;\n\n case 'v':\n show_version();\n break;\n\n case 'e': /* preprocess only */\n case 'E':\n if (pass == 1)\n operating_mode = OP_PREPROCESS;\n break;\n\n case 'a': /* assemble only - don't preprocess */\n if (pass == 1)\n preproc = &preproc_nop;\n break;\n\n case 'w':\n case 'W':\n if (pass == 2) {\n if (!set_warning_status(param)) {\n nasm_error(ERR_WARNING|ERR_NOFILE|ERR_WARN_UNK_WARNING,\n\t\t\t \"unknown warning option: %s\", param);\n }\n }\n break;\n\n case 'M':\n if (pass == 1) {\n switch (p[2]) {\n case 'W':\n quote_for_make = quote_for_wmake;\n break;\n case 'D':\n case 'F':\n case 'T':\n case 'Q':\n advance = true;\n break;\n default:\n break;\n }\n } else {\n switch (p[2]) {\n case 0:\n operating_mode = OP_DEPEND;\n break;\n case 'G':\n operating_mode = OP_DEPEND;\n depend_missing_ok = true;\n break;\n case 'P':\n depend_emit_phony = true;\n break;\n case 'D':\n operating_mode = OP_NORMAL;\n depend_file = q;\n advance = true;\n break;\n case 'F':\n depend_file = q;\n advance = true;\n break;\n case 'T':\n depend_target = q;\n advance = true;\n break;\n case 'Q':\n depend_target = quote_for_make(q);\n advance = true;\n break;\n case 'W':\n /* handled in pass 1 */\n break;\n default:\n nasm_error(ERR_NONFATAL|ERR_NOFILE|ERR_USAGE,\n \"unknown dependency option `-M%c'\", p[2]);\n break;\n }\n }\n if (advance && (!q || !q[0])) {\n nasm_error(ERR_NONFATAL|ERR_NOFILE|ERR_USAGE,\n \"option `-M%c' requires a parameter\", p[2]);\n break;\n }\n break;\n\n case '-':\n {\n const struct textargs *tx;\n size_t olen, plen;\n char *eqsave;\n\n p += 2;\n\n if (!*p) { /* -- => stop processing options */\n stopoptions = true;\n break;\n }\n\n plen = strlen(p);\n 
for (tx = textopts; tx->label; tx++) {\n olen = strlen(tx->label);\n\n if (olen > plen)\n continue;\n\n if (nasm_memicmp(p, tx->label, olen))\n continue;\n\n if (tx->label[olen-1] == '-')\n break; /* Incomplete option */\n\n if (!p[olen] || p[olen] == '=')\n break; /* Complete option */\n }\n\n if (!tx->label) {\n nasm_error(ERR_NONFATAL | ERR_NOFILE | ERR_USAGE,\n \"unrecognized option `--%s'\", p);\n }\n\n eqsave = param = strchr(p+olen, '=');\n if (param)\n *param++ = '\\0';\n\n if (tx->need_arg) {\n if (!param) {\n param = q;\n advance = true;\n }\n\n /* Note: a null string is a valid parameter */\n if (!param) {\n nasm_error(ERR_NONFATAL | ERR_NOFILE | ERR_USAGE,\n \"option `--%s' requires an argument\",\n p);\n break;\n }\n } else {\n if (param) {\n nasm_error(ERR_NONFATAL | ERR_NOFILE | ERR_USAGE,\n \"option `--%s' does not take an argument\",\n p);\n\n }\n }\n\n switch (tx->opt) {\n case OPT_VERSION:\n show_version();\n break;\n case OPT_ABORT_ON_PANIC:\n abort_on_panic = true;\n break;\n case OPT_MANGLE:\n if (pass == 2)\n set_label_mangle(tx->pvt, param);\n break;\n case OPT_INCLUDE:\n if (pass == 2)\n preproc->pre_include(q);\n break;\n case OPT_PRAGMA:\n if (pass == 2)\n preproc->pre_command(\"pragma\", param);\n break;\n case OPT_BEFORE:\n if (pass == 2)\n preproc->pre_command(NULL, param);\n break;\n case OPT_LIMIT:\n if (pass == 2)\n nasm_set_limit(p+olen, param);\n break;\n case OPT_KEEP_ALL:\n keep_all = true;\n break;\n case OPT_HELP:\n help(0);\n exit(0);\n default:\n panic();\n }\n\n if (eqsave)\n *eqsave = '='; /* Restore = argument separator */\n\n break;\n }\n\n default:\n nasm_error(ERR_NONFATAL | ERR_NOFILE | ERR_USAGE,\n \"unrecognised option `-%c'\", p[1]);\n break;\n }\n } else if (pass == 2) {\n /* In theory we could allow multiple input files... 
*/\n copy_filename(&inname, p, \"input\");\n }\n\n return advance;\n}", "project": "nasm", "hash": 230701890884531066864434854347795748710, "size": 363, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257491 }, { "func": "static int sctp_setsockopt_enable_strreset(struct sock *sk,\n\t\t\t\t\t struct sctp_assoc_value *params,\n\t\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_endpoint *ep = sctp_sk(sk)->ep;\n\tstruct sctp_association *asoc;\n\tint retval = -EINVAL;\n\n\tif (optlen != sizeof(*params))\n\t\tgoto out;\n\n\tif (params->assoc_value & (~SCTP_ENABLE_STRRESET_MASK))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params->assoc_id);\n\tif (!asoc && params->assoc_id > SCTP_ALL_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\tgoto out;\n\n\tretval = 0;\n\n\tif (asoc) {\n\t\tasoc->strreset_enable = params->assoc_value;\n\t\tgoto out;\n\t}\n\n\tif (sctp_style(sk, TCP))\n\t\tparams->assoc_id = SCTP_FUTURE_ASSOC;\n\n\tif (params->assoc_id == SCTP_FUTURE_ASSOC ||\n\t params->assoc_id == SCTP_ALL_ASSOC)\n\t\tep->strreset_enable = params->assoc_value;\n\n\tif (params->assoc_id == SCTP_CURRENT_ASSOC ||\n\t params->assoc_id == SCTP_ALL_ASSOC)\n\t\tlist_for_each_entry(asoc, &ep->asocs, asocs)\n\t\t\tasoc->strreset_enable = params->assoc_value;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 33049702446414874998828030829003579080, "size": 41, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. 
In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398171 }, { "func": "static void slab_bug(struct kmem_cache *s, char *fmt, ...)\n{\n\tstruct va_format vaf;\n\tva_list args;\n\n\tva_start(args, fmt);\n\tvaf.fmt = fmt;\n\tvaf.va = &args;\n\tpr_err(\"=============================================================================\\n\");\n\tpr_err(\"BUG %s (%s): %pV\\n\", s->name, print_tainted(), &vaf);\n\tpr_err(\"-----------------------------------------------------------------------------\\n\\n\");\n\n\tadd_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);\n\tva_end(args);\n}", "project": "linux", "hash": 288108884034692173109136246258359219590, "size": 15, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280159 }, { "func": "void CClient::ReachedMaxBuffer() {\n DEBUG(GetSockName() << \" == ReachedMaxBuffer()\");\n if (IsAttached()) {\n PutClient(\"ERROR :\" + t_s(\"Closing link: Too long raw line\"));\n }\n Close();\n}", "project": "znc", "hash": 209893263349341266745750997007950990161, "size": 7, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231601 }, { "func": "CWebSock::CWebSock(const CString& sURIPrefix)\n : CHTTPSock(nullptr, sURIPrefix),\n m_bPathsSet(false),\n m_Template(),\n m_spAuth(),\n m_sModName(\"\"),\n m_sPath(\"\"),\n m_sPage(\"\"),\n m_spSession() {\n m_Template.AddTagHandler(std::make_shared(*this));\n}", "project": "znc", "hash": 165111621657318098830437069191661811339, "size": 11, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265770 }, { "func": " void Compute(OpKernelContext* ctx) final {\n // Extract inputs and validate shapes and types.\n const CSRSparseMatrix* input_matrix;\n OP_REQUIRES_OK(ctx, ExtractVariantFromInput(ctx, 0, &input_matrix));\n const Tensor& input_permutation_indices = ctx->input(1);\n\n int64 num_rows;\n int batch_size;\n OP_REQUIRES_OK(ctx, ValidateInputs(*input_matrix, input_permutation_indices,\n &batch_size, &num_rows));\n\n // Allocate batch pointers.\n Tensor batch_ptr(cpu_allocator(), DT_INT32, 
TensorShape({batch_size + 1}));\n auto batch_ptr_vec = batch_ptr.vec();\n batch_ptr_vec(0) = 0;\n\n // Temporary vector of Eigen SparseMatrices to store the Sparse Cholesky\n // factors.\n // Note: we use column-compressed (CSC) SparseMatrix because SimplicialLLT\n // returns the factors in column major format. Since our input should be\n // symmetric, column major and row major is identical in storage. We just\n // have to switch to reading the upper triangular part of the input, which\n // corresponds to the lower triangular part in row major format.\n std::vector sparse_cholesky_factors(batch_size);\n\n // TODO(anudhyan): Tune the cost per unit based on benchmarks.\n const double nnz_per_row =\n (input_matrix->total_nnz() / batch_size) / num_rows;\n const int64 sparse_cholesky_cost_per_batch =\n nnz_per_row * nnz_per_row * num_rows;\n // Perform sparse Cholesky factorization of each batch in parallel.\n auto worker_threads = *(ctx->device()->tensorflow_cpu_worker_threads());\n std::atomic invalid_input_index(-1);\n Shard(worker_threads.num_threads, worker_threads.workers, batch_size,\n sparse_cholesky_cost_per_batch,\n [&](int64 batch_begin, int64 batch_end) {\n for (int64 batch_index = batch_begin; batch_index < batch_end;\n ++batch_index) {\n // Define an Eigen SparseMatrix Map to operate on the\n // CSRSparseMatrix component without copying the data.\n Eigen::Map sparse_matrix(\n num_rows, num_rows, input_matrix->nnz(batch_index),\n input_matrix->row_pointers_vec(batch_index).data(),\n input_matrix->col_indices_vec(batch_index).data(),\n input_matrix->values_vec(batch_index).data());\n\n Eigen::SimplicialLLT>\n solver;\n auto permutation_indices_flat =\n input_permutation_indices.flat().data();\n\n // Invert the fill-in reducing ordering and apply it to the input\n // sparse matrix.\n Eigen::Map<\n Eigen::PermutationMatrix>\n permutation(permutation_indices_flat + batch_index * num_rows,\n num_rows);\n auto permutation_inverse = permutation.inverse();\n\n 
SparseMatrix permuted_sparse_matrix;\n permuted_sparse_matrix.template selfadjointView() =\n sparse_matrix.template selfadjointView()\n .twistedBy(permutation_inverse);\n\n // Compute the Cholesky decomposition.\n solver.compute(permuted_sparse_matrix);\n if (solver.info() != Eigen::Success) {\n invalid_input_index = batch_index;\n return;\n }\n\n // Get the upper triangular factor, which would end up in the\n // lower triangular part of the output CSRSparseMatrix when\n // interpreted in row major format.\n sparse_cholesky_factors[batch_index] =\n std::move(solver.matrixU());\n // For now, batch_ptr contains the number of nonzeros in each\n // batch.\n batch_ptr_vec(batch_index + 1) =\n sparse_cholesky_factors[batch_index].nonZeros();\n }\n });\n\n // Check for invalid input.\n OP_REQUIRES(\n ctx, invalid_input_index == -1,\n errors::InvalidArgument(\n \"Sparse Cholesky factorization failed for batch index \",\n invalid_input_index.load(), \". The input might not be valid.\"));\n\n // Compute a cumulative sum to obtain the batch pointers.\n std::partial_sum(batch_ptr_vec.data(),\n batch_ptr_vec.data() + batch_size + 1,\n batch_ptr_vec.data());\n\n // Allocate output Tensors.\n const int64 total_nnz = batch_ptr_vec(batch_size);\n Tensor output_row_ptr(cpu_allocator(), DT_INT32,\n TensorShape({(num_rows + 1) * batch_size}));\n Tensor output_col_ind(cpu_allocator(), DT_INT32, TensorShape({total_nnz}));\n Tensor output_values(cpu_allocator(), DataTypeToEnum::value,\n TensorShape({total_nnz}));\n auto output_row_ptr_ptr = output_row_ptr.flat().data();\n auto output_col_ind_ptr = output_col_ind.flat().data();\n auto output_values_ptr = output_values.flat().data();\n\n // Copy the output matrices from each batch into the CSRSparseMatrix\n // Tensors.\n // TODO(b/129906419): Factor out the copy from Eigen SparseMatrix to\n // CSRSparseMatrix into common utils. 
This is also used in\n // SparseMatrixSparseMatMul.\n Shard(worker_threads.num_threads, worker_threads.workers, batch_size,\n (3 * total_nnz) / batch_size /* cost per unit */,\n [&](int64 batch_begin, int64 batch_end) {\n for (int64 batch_index = batch_begin; batch_index < batch_end;\n ++batch_index) {\n const SparseMatrix& cholesky_factor =\n sparse_cholesky_factors[batch_index];\n const int64 nnz = cholesky_factor.nonZeros();\n\n std::copy(cholesky_factor.outerIndexPtr(),\n cholesky_factor.outerIndexPtr() + num_rows + 1,\n output_row_ptr_ptr + batch_index * (num_rows + 1));\n std::copy(cholesky_factor.innerIndexPtr(),\n cholesky_factor.innerIndexPtr() + nnz,\n output_col_ind_ptr + batch_ptr_vec(batch_index));\n std::copy(cholesky_factor.valuePtr(),\n cholesky_factor.valuePtr() + nnz,\n output_values_ptr + batch_ptr_vec(batch_index));\n }\n });\n\n // Create the CSRSparseMatrix instance from its component Tensors and\n // prepare the Variant output Tensor.\n CSRSparseMatrix output_csr_matrix;\n OP_REQUIRES_OK(\n ctx,\n CSRSparseMatrix::CreateCSRSparseMatrix(\n DataTypeToEnum::value, input_matrix->dense_shape(), batch_ptr,\n output_row_ptr, output_col_ind, output_values, &output_csr_matrix));\n Tensor* output_csr_matrix_tensor;\n AllocatorAttributes cpu_alloc;\n cpu_alloc.set_on_host(true);\n OP_REQUIRES_OK(\n ctx, ctx->allocate_output(0, TensorShape({}), &output_csr_matrix_tensor,\n cpu_alloc));\n output_csr_matrix_tensor->scalar()() =\n std::move(output_csr_matrix);\n }", "project": "tensorflow", "hash": 223013328169434175220042866199618633744, "size": 150, "commit_id": "e6a7c7cc18c3aaad1ae0872cb0a959f5c923d2bd", "message": "Remove `OP_REQUIRES` call from helper function.\n\nSince `OP_REQUIRES` macro expands to a `return;` (among other), calling it in a helper function only ends the helper function's execution earlier, but the kernel will still run from start to end. 
Thus, all the expected validations are actually broken/useless as the code ploughs through the next crash anyway.\n\nPiperOrigin-RevId: 369524386\nChange-Id: I54f6cf9328445675ccc392e661b04336b229c9da", "target": 0, "dataset": "other", "idx": 262774 }, { "func": "static void print_fatal_signal(int signr)\n{\n\tstruct pt_regs *regs = signal_pt_regs();\n\tpr_info(\"potentially unexpected fatal signal %d.\\n\", signr);\n\n#if defined(__i386__) && !defined(__arch_um__)\n\tpr_info(\"code at %08lx: \", regs->ip);\n\t{\n\t\tint i;\n\t\tfor (i = 0; i < 16; i++) {\n\t\t\tunsigned char insn;\n\n\t\t\tif (get_user(insn, (unsigned char *)(regs->ip + i)))\n\t\t\t\tbreak;\n\t\t\tpr_cont(\"%02x \", insn);\n\t\t}\n\t}\n\tpr_cont(\"\\n\");\n#endif\n\tpreempt_disable();\n\tshow_regs(regs);\n\tpreempt_enable();\n}", "project": "linux", "hash": 205486032534553751059278265986388626412, "size": 23, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. 
Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375281 }, { "func": "static bool set_sockaddr(sockaddr_storage &sa_storage, req::ptr sock,\n const String& addr, int port,\n struct sockaddr *&sa_ptr, size_t &sa_size) {\n // Always zero it out:\n // - fields are added over time; zeroing it out is future-proofing; for\n // example, sockaddr_in6 did not originally include sin6_scope_id or\n // sin6_flowinfo.\n // - required for all on MacOS for correct behavior\n // - on Linux, required for sockaddr_un to deal with buggy sun_path readers\n // (they should look at the length)\n memset(&sa_storage, 0, sizeof(struct sockaddr_storage));\n struct sockaddr *sock_type = (struct sockaddr*) &sa_storage;\n switch (sock->getType()) {\n case AF_UNIX:\n {\n#ifdef _MSC_VER\n return false;\n#else\n struct sockaddr_un *sa = (struct sockaddr_un *)sock_type;\n sa->sun_family = AF_UNIX;\n if (addr.length() > sizeof(sa->sun_path)) {\n raise_warning(\n \"Unix socket path length (%ld) is larger than system limit (%lu)\",\n addr.length(),\n sizeof(sa->sun_path)\n );\n return false;\n }\n memcpy(sa->sun_path, addr.data(), addr.length());\n sa_ptr = (struct sockaddr *)sa;\n sa_size = offsetof(struct sockaddr_un, sun_path) + addr.length();\n#ifdef __linux__\n if (addr.length() == 0) {\n // Linux supports 3 kinds of unix sockets; behavior of this struct\n // is in `man 7 unix`; relevant parts:\n // - unnamed: 0-length path. 
As paths are not required to be\n // null-terminated, this needs to be undicated by the size.\n // These might be created by `socketpair()`, for eaxmple.\n // - pathname (common): nothing strange. struct size technically\n // indicates length, but null terminators are usually set. This\n // does matter if addr.length() == size of the char array though\n // - abstract: these have a meaningful name, but start with `\\0`\n //\n // Setting sa_size to indicate a 0-length path is required to\n // distinguish between unnamed and abstract.\n sa_size = offsetof(struct sockaddr_un, sun_path);\n }\n#endif\n\n#endif // ifdef _MSC_VER\n }\n break;\n case AF_INET:\n {\n struct sockaddr_in *sa = (struct sockaddr_in *)sock_type;\n sa->sin_family = AF_INET;\n sa->sin_port = htons((unsigned short) port);\n if (!php_set_inet_addr(sa, addr.c_str(), sock)) {\n return false;\n }\n sa_ptr = (struct sockaddr *)sa;\n sa_size = sizeof(struct sockaddr_in);\n }\n break;\n case AF_INET6:\n {\n struct sockaddr_in6 *sa = (struct sockaddr_in6 *)sock_type;\n sa->sin6_family = AF_INET6;\n sa->sin6_port = htons((unsigned short) port);\n if (!php_set_inet6_addr(sa, addr.c_str(), sock)) {\n return false;\n }\n sa_ptr = (struct sockaddr *)sa;\n sa_size = sizeof(struct sockaddr_in6);\n }\n break;\n default:\n raise_warning(\"unsupported socket type '%d', must be \"\n \"AF_UNIX, AF_INET, or AF_INET6\", sock->getType());\n return false;\n }\n#ifdef __APPLE__\n // This field is not in the relevant standards, not defined on Linux, but is\n // technically required on MacOS (and other BSDs) according to the man pages:\n // - `man 4 netintro` covers the base sa_len\n // - `man 4 unix` and `man 4 inet6` cover AF_UNIX sun_len and AF_INET6\n // sin6_len\n // - ... At least MacOS Catalina includes the wrong `man 4 inet`. Look at the\n // (Net|Free|Open)BSD `man 4 inet` instead.\n // The MacOS man page says it starts with `sin_family`, which would conflict\n // with the base sockaddr definition. 
`sin_len` is actually the first field\n // in the header file, matching `sa_len`.\n sa_ptr->sa_len = sa_size;\n#endif\n return true;\n}", "project": "hhvm", "hash": 170013887994481250848736553954767457313, "size": 96, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219450 }, { "func": "void ethereumFormatAmount(const bignum256 *amnt, const TokenType *token,\n uint32_t cid, char *buf, int buflen) {\n bignum256 bn1e9;\n bn_read_uint32(1000000000, &bn1e9);\n const char *suffix = NULL;\n int decimals = 18;\n if (token == UnknownToken) {\n strlcpy(buf, \"Unknown token value\", buflen);\n return;\n } else if (token != NULL) {\n suffix = token->ticker;\n decimals = token->decimals;\n } else if (bn_is_less(amnt, &bn1e9)) {\n suffix = \" Wei\";\n decimals = 0;\n } else {\n if (tx_type == 1 || tx_type == 6) {\n suffix = \" WAN\";\n } else {\n // constants from trezor-common/defs/ethereum/networks.json\n switch (cid) {\n case 1:\n suffix = \" ETH\";\n break; // Ethereum\n case 2:\n suffix = \" EXP\";\n break; // Expanse\n case 3:\n suffix = \" tROP\";\n break; // Ethereum Testnet Ropsten\n case 4:\n suffix = \" tRIN\";\n break; // Ethereum Testnet Rinkeby\n case 8:\n suffix = \" UBQ\";\n break; // UBIQ\n case 20:\n suffix = \" EOSC\";\n break; // EOS Classic\n case 28:\n suffix = \" ETSC\";\n break; // Ethereum Social\n case 30:\n suffix = \" RBTC\";\n break; // RSK\n case 31:\n suffix = \" tRBTC\";\n break; // RSK Testnet\n case 42:\n suffix = \" tKOV\";\n break; // Ethereum Testnet Kovan\n case 61:\n suffix = \" ETC\";\n break; // Ethereum Classic\n case 62:\n suffix = \" tETC\";\n break; // Ethereum Classic Testnet\n case 64:\n suffix = \" ELLA\";\n break; // Ellaism\n case 820:\n suffix = \" CLO\";\n break; // Callisto\n case 1987:\n suffix = \" EGEM\";\n break; // EtherGem\n default:\n suffix = \" UNKN\";\n break; // unknown chain\n }\n 
}\n }\n bn_format(amnt, NULL, suffix, decimals, 0, false, buf, buflen);\n}", "project": "keepkey-firmware", "hash": 202827982874876209997925508471655400446, "size": 74, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220877 }, { "func": "static void io_free_req_deferred(struct io_kiocb *req)\n{\n\treq->task_work.func = io_put_req_deferred_cb;\n\tif (unlikely(io_req_task_work_add(req)))\n\t\tio_req_task_work_add_fallback(req, io_put_req_deferred_cb);\n}", "project": "linux", "hash": 289664238135635690693355322953384787738, "size": 6, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338654 }, { "func": "static int xbuf_format_converter(char **outbuf, const char *fmt, va_list ap)\n{\n register char *s = nullptr;\n char *q;\n int s_len;\n\n register int min_width = 0;\n int precision = 0;\n enum {\n LEFT, RIGHT\n } adjust;\n char pad_char;\n char prefix_char;\n\n double fp_num;\n wide_int i_num = (wide_int) 0;\n u_wide_int ui_num;\n\n char num_buf[NUM_BUF_SIZE];\n char char_buf[2]; /* for printing %% and % */\n\n#ifdef HAVE_LOCALE_H\n struct lconv *lconv = nullptr;\n#endif\n\n /*\n * Flag variables\n */\n length_modifier_e modifier;\n 
boolean_e alternate_form;\n boolean_e print_sign;\n boolean_e print_blank;\n boolean_e adjust_precision;\n boolean_e adjust_width;\n int is_negative;\n\n int size = 240;\n char *result = (char *)malloc(size);\n int outpos = 0;\n\n while (*fmt) {\n if (*fmt != '%') {\n appendchar(&result, &outpos, &size, *fmt);\n } else {\n /*\n * Default variable settings\n */\n adjust = RIGHT;\n alternate_form = print_sign = print_blank = NO;\n pad_char = ' ';\n prefix_char = NUL;\n\n fmt++;\n\n /*\n * Try to avoid checking for flags, width or precision\n */\n if (isascii((int)*fmt) && !islower((int)*fmt)) {\n /*\n * Recognize flags: -, #, BLANK, +\n */\n for (;; fmt++) {\n if (*fmt == '-')\n adjust = LEFT;\n else if (*fmt == '+')\n print_sign = YES;\n else if (*fmt == '#')\n alternate_form = YES;\n else if (*fmt == ' ')\n print_blank = YES;\n else if (*fmt == '0')\n pad_char = '0';\n else\n break;\n }\n\n /*\n * Check if a width was specified\n */\n if (isdigit((int)*fmt)) {\n STR_TO_DEC(fmt, min_width);\n adjust_width = YES;\n } else if (*fmt == '*') {\n min_width = va_arg(ap, int);\n fmt++;\n adjust_width = YES;\n if (min_width < 0) {\n adjust = LEFT;\n min_width = -min_width;\n }\n } else\n adjust_width = NO;\n\n /*\n * Check if a precision was specified\n *\n * XXX: an unreasonable amount of precision may be specified\n * resulting in overflow of num_buf. 
Currently we\n * ignore this possibility.\n */\n if (*fmt == '.') {\n adjust_precision = YES;\n fmt++;\n if (isdigit((int)*fmt)) {\n STR_TO_DEC(fmt, precision);\n } else if (*fmt == '*') {\n precision = va_arg(ap, int);\n fmt++;\n if (precision < 0)\n precision = 0;\n } else\n precision = 0;\n } else\n adjust_precision = NO;\n } else\n adjust_precision = adjust_width = NO;\n\n /*\n * Modifier check\n */\n switch (*fmt) {\n case 'L':\n fmt++;\n modifier = LM_LONG_DOUBLE;\n break;\n case 'I':\n fmt++;\n#if SIZEOF_LONG_LONG\n if (*fmt == '6' && *(fmt+1) == '4') {\n fmt += 2;\n modifier = LM_LONG_LONG;\n } else\n#endif\n if (*fmt == '3' && *(fmt+1) == '2') {\n fmt += 2;\n modifier = LM_LONG;\n } else {\n#ifdef _WIN64\n modifier = LM_LONG_LONG;\n#else\n modifier = LM_LONG;\n#endif\n }\n break;\n case 'l':\n fmt++;\n#if SIZEOF_LONG_LONG\n if (*fmt == 'l') {\n fmt++;\n modifier = LM_LONG_LONG;\n } else\n#endif\n modifier = LM_LONG;\n break;\n case 'z':\n fmt++;\n modifier = LM_SIZE_T;\n break;\n case 'j':\n fmt++;\n#if SIZEOF_INTMAX_T\n modifier = LM_INTMAX_T;\n#else\n modifier = LM_SIZE_T;\n#endif\n break;\n case 't':\n fmt++;\n#if SIZEOF_PTRDIFF_T\n modifier = LM_PTRDIFF_T;\n#else\n modifier = LM_SIZE_T;\n#endif\n break;\n case 'h':\n fmt++;\n if (*fmt == 'h') {\n fmt++;\n }\n /* these are promoted to int, so no break */\n default:\n modifier = LM_STD;\n break;\n }\n\n /*\n * Argument extraction and printing.\n * First we determine the argument type.\n * Then, we convert the argument to a string.\n * On exit from the switch, s points to the string that\n * must be printed, s_len has the length of the string\n * The precision requirements, if any, are reflected in s_len.\n *\n * NOTE: pad_char may be set to '0' because of the 0 flag.\n * It is reset to ' ' by non-numeric formats\n */\n switch (*fmt) {\n case 'u':\n switch(modifier) {\n default:\n i_num = (wide_int) va_arg(ap, unsigned int);\n break;\n case LM_LONG_DOUBLE:\n goto fmt_error;\n case LM_LONG:\n i_num = 
(wide_int) va_arg(ap, unsigned long int);\n break;\n case LM_SIZE_T:\n i_num = (wide_int) va_arg(ap, size_t);\n break;\n#if SIZEOF_LONG_LONG\n case LM_LONG_LONG:\n i_num = (wide_int) va_arg(ap, u_wide_int);\n break;\n#endif\n#if SIZEOF_INTMAX_T\n case LM_INTMAX_T:\n i_num = (wide_int) va_arg(ap, uintmax_t);\n break;\n#endif\n#if SIZEOF_PTRDIFF_T\n case LM_PTRDIFF_T:\n i_num = (wide_int) va_arg(ap, ptrdiff_t);\n break;\n#endif\n }\n /*\n * The rest also applies to other integer formats, so fall\n * into that case.\n */\n case 'd':\n case 'i':\n /*\n * Get the arg if we haven't already.\n */\n if ((*fmt) != 'u') {\n switch(modifier) {\n default:\n i_num = (wide_int) va_arg(ap, int);\n break;\n case LM_LONG_DOUBLE:\n goto fmt_error;\n case LM_LONG:\n i_num = (wide_int) va_arg(ap, long int);\n break;\n case LM_SIZE_T:\n#if SIZEOF_SSIZE_T\n i_num = (wide_int) va_arg(ap, ssize_t);\n#else\n i_num = (wide_int) va_arg(ap, size_t);\n#endif\n break;\n#if SIZEOF_LONG_LONG\n case LM_LONG_LONG:\n i_num = (wide_int) va_arg(ap, wide_int);\n break;\n#endif\n#if SIZEOF_INTMAX_T\n case LM_INTMAX_T:\n i_num = (wide_int) va_arg(ap, intmax_t);\n break;\n#endif\n#if SIZEOF_PTRDIFF_T\n case LM_PTRDIFF_T:\n i_num = (wide_int) va_arg(ap, ptrdiff_t);\n break;\n#endif\n }\n }\n s = ap_php_conv_10(i_num, (*fmt) == 'u', &is_negative,\n &num_buf[NUM_BUF_SIZE], &s_len);\n FIX_PRECISION(adjust_precision, precision, s, s_len);\n\n if (*fmt != 'u') {\n if (is_negative)\n prefix_char = '-';\n else if (print_sign)\n prefix_char = '+';\n else if (print_blank)\n prefix_char = ' ';\n }\n break;\n\n\n case 'o':\n switch(modifier) {\n default:\n ui_num = (u_wide_int) va_arg(ap, unsigned int);\n break;\n case LM_LONG_DOUBLE:\n goto fmt_error;\n case LM_LONG:\n ui_num = (u_wide_int) va_arg(ap, unsigned long int);\n break;\n case LM_SIZE_T:\n ui_num = (u_wide_int) va_arg(ap, size_t);\n break;\n#if SIZEOF_LONG_LONG\n case LM_LONG_LONG:\n ui_num = (u_wide_int) va_arg(ap, u_wide_int);\n break;\n#endif\n#if 
SIZEOF_INTMAX_T\n case LM_INTMAX_T:\n ui_num = (u_wide_int) va_arg(ap, uintmax_t);\n break;\n#endif\n#if SIZEOF_PTRDIFF_T\n case LM_PTRDIFF_T:\n ui_num = (u_wide_int) va_arg(ap, ptrdiff_t);\n break;\n#endif\n }\n s = ap_php_conv_p2(ui_num, 3, *fmt,\n &num_buf[NUM_BUF_SIZE], &s_len);\n FIX_PRECISION(adjust_precision, precision, s, s_len);\n if (alternate_form && *s != '0') {\n *--s = '0';\n s_len++;\n }\n break;\n\n\n case 'x':\n case 'X':\n switch(modifier) {\n default:\n ui_num = (u_wide_int) va_arg(ap, unsigned int);\n break;\n case LM_LONG_DOUBLE:\n goto fmt_error;\n case LM_LONG:\n ui_num = (u_wide_int) va_arg(ap, unsigned long int);\n break;\n case LM_SIZE_T:\n ui_num = (u_wide_int) va_arg(ap, size_t);\n break;\n#if SIZEOF_LONG_LONG\n case LM_LONG_LONG:\n ui_num = (u_wide_int) va_arg(ap, u_wide_int);\n break;\n#endif\n#if SIZEOF_INTMAX_T\n case LM_INTMAX_T:\n ui_num = (u_wide_int) va_arg(ap, uintmax_t);\n break;\n#endif\n#if SIZEOF_PTRDIFF_T\n case LM_PTRDIFF_T:\n ui_num = (u_wide_int) va_arg(ap, ptrdiff_t);\n break;\n#endif\n }\n s = ap_php_conv_p2(ui_num, 4, *fmt,\n &num_buf[NUM_BUF_SIZE], &s_len);\n FIX_PRECISION(adjust_precision, precision, s, s_len);\n if (alternate_form && i_num != 0) {\n *--s = *fmt; /* 'x' or 'X' */\n *--s = '0';\n s_len += 2;\n }\n break;\n\n\n case 's':\n case 'v':\n s = va_arg(ap, char *);\n if (s != nullptr) {\n s_len = strlen(s);\n if (adjust_precision && precision < s_len)\n s_len = precision;\n } else {\n s = const_cast(s_null);\n s_len = S_NULL_LEN;\n }\n pad_char = ' ';\n break;\n\n\n case 'f':\n case 'F':\n case 'e':\n case 'E':\n switch(modifier) {\n case LM_LONG_DOUBLE:\n fp_num = (double) va_arg(ap, long double);\n break;\n case LM_STD:\n fp_num = va_arg(ap, double);\n break;\n default:\n goto fmt_error;\n }\n\n if (std::isnan(fp_num)) {\n s = const_cast(\"nan\");\n s_len = 3;\n } else if (std::isinf(fp_num)) {\n s = const_cast(\"inf\");\n s_len = 3;\n } else {\n#ifdef HAVE_LOCALE_H\n if (!lconv) {\n lconv = 
localeconv();\n }\n#endif\n s = php_conv_fp((*fmt == 'f')?'F':*fmt, fp_num, alternate_form,\n (adjust_precision == NO) ? FLOAT_DIGITS : precision,\n (*fmt == 'f')?LCONV_DECIMAL_POINT:'.',\n &is_negative, &num_buf[1], &s_len);\n if (is_negative)\n prefix_char = '-';\n else if (print_sign)\n prefix_char = '+';\n else if (print_blank)\n prefix_char = ' ';\n }\n break;\n\n\n case 'g':\n case 'k':\n case 'G':\n case 'H':\n switch(modifier) {\n case LM_LONG_DOUBLE:\n fp_num = (double) va_arg(ap, long double);\n break;\n case LM_STD:\n fp_num = va_arg(ap, double);\n break;\n default:\n goto fmt_error;\n }\n\n if (std::isnan(fp_num)) {\n s = const_cast(\"NAN\");\n s_len = 3;\n break;\n } else if (std::isinf(fp_num)) {\n if (fp_num > 0) {\n s = const_cast(\"INF\");\n s_len = 3;\n } else {\n s = const_cast(\"-INF\");\n s_len = 4;\n }\n break;\n }\n\n if (adjust_precision == NO)\n precision = FLOAT_DIGITS;\n else if (precision == 0)\n precision = 1;\n /*\n * * We use &num_buf[ 1 ], so that we have room for the sign\n */\n#ifdef HAVE_LOCALE_H\n if (!lconv) {\n lconv = localeconv();\n }\n#endif\n s = php_gcvt(fp_num, precision,\n (*fmt=='H' || *fmt == 'k') ? '.' : LCONV_DECIMAL_POINT,\n (*fmt == 'G' || *fmt == 'H')?'E':'e', &num_buf[1]);\n if (*s == '-')\n prefix_char = *s++;\n else if (print_sign)\n prefix_char = '+';\n else if (print_blank)\n prefix_char = ' ';\n\n s_len = strlen(s);\n\n if (alternate_form && (q = strchr(s, '.')) == nullptr)\n s[s_len++] = '.';\n break;\n\n\n case 'c':\n char_buf[0] = (char) (va_arg(ap, int));\n s = &char_buf[0];\n s_len = 1;\n pad_char = ' ';\n break;\n\n\n case '%':\n char_buf[0] = '%';\n s = &char_buf[0];\n s_len = 1;\n pad_char = ' ';\n break;\n\n\n case 'n':\n *(va_arg(ap, int *)) = outpos;\n goto skip_output;\n\n /*\n * Always extract the argument as a \"char *\" pointer. 
We\n * should be using \"void *\" but there are still machines\n * that don't understand it.\n * If the pointer size is equal to the size of an unsigned\n * integer we convert the pointer to a hex number, otherwise\n * we print \"%p\" to indicate that we don't handle \"%p\".\n */\n case 'p':\n if (sizeof(char *) <= sizeof(u_wide_int)) {\n ui_num = (u_wide_int)((size_t) va_arg(ap, char *));\n s = ap_php_conv_p2(ui_num, 4, 'x',\n &num_buf[NUM_BUF_SIZE], &s_len);\n if (ui_num != 0) {\n *--s = 'x';\n *--s = '0';\n s_len += 2;\n }\n } else {\n s = const_cast(\"%p\");\n s_len = 2;\n }\n pad_char = ' ';\n break;\n\n\n case NUL:\n /*\n * The last character of the format string was %.\n * We ignore it.\n */\n continue;\n\n\nfmt_error:\n throw Exception(\"Illegal length modifier specified '%c'\", *fmt);\n\n /*\n * The default case is for unrecognized %'s.\n * We print % to help the user identify what\n * option is not understood.\n * This is also useful in case the user wants to pass\n * the output of format_converter to another function\n * that understands some other % (like syslog).\n * Note that we can't point s inside fmt because the\n * unknown could be preceded by width etc.\n */\n default:\n char_buf[0] = '%';\n char_buf[1] = *fmt;\n s = char_buf;\n s_len = 2;\n pad_char = ' ';\n break;\n }\n\n if (prefix_char != NUL) {\n *--s = prefix_char;\n s_len++;\n }\n if (adjust_width && adjust == RIGHT && min_width > s_len) {\n if (pad_char == '0' && prefix_char != NUL) {\n appendchar(&result, &outpos, &size, *s);\n s++;\n s_len--;\n min_width--;\n }\n for (int i = 0; i < min_width - s_len; i++) {\n appendchar(&result, &outpos, &size, pad_char);\n }\n }\n /*\n * Print the (for now) non-null terminated string s.\n */\n appendsimplestring(&result, &outpos, &size, s, s_len);\n\n if (adjust_width && adjust == LEFT && min_width > s_len) {\n for (int i = 0; i < min_width - s_len; i++) {\n appendchar(&result, &outpos, &size, pad_char);\n }\n }\n }\nskip_output:\n fmt++;\n }\n /*\n * 
Add the terminating null here since it wasn't added incrementally above\n * once the whole string has been composed.\n */\n result[outpos] = NUL;\n *outbuf = result;\n return outpos;\n}", "project": "hhvm", "hash": 262008690145899457289472739326596420497, "size": 592, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 1, "dataset": "other", "idx": 195007 }, { "func": "static int xbuf_format_converter(char **outbuf, const char *fmt, va_list ap)\n{\n register char *s = nullptr;\n char *q;\n int s_len;\n\n register int min_width = 0;\n int precision = 0;\n enum {\n LEFT, RIGHT\n } adjust;\n char pad_char;\n char prefix_char;\n\n double fp_num;\n wide_int i_num = (wide_int) 0;\n u_wide_int ui_num;\n\n char num_buf[NUM_BUF_SIZE];\n char char_buf[2]; /* for printing %% and % */\n\n#ifdef HAVE_LOCALE_H\n struct lconv *lconv = nullptr;\n#endif\n\n /*\n * Flag variables\n */\n length_modifier_e modifier;\n boolean_e alternate_form;\n boolean_e print_sign;\n boolean_e print_blank;\n boolean_e adjust_precision;\n boolean_e adjust_width;\n int is_negative;\n\n int size = 240;\n char *result = (char *)malloc(size);\n int outpos = 0;\n\n while (*fmt) {\n if (*fmt != '%') {\n appendchar(&result, &outpos, &size, *fmt);\n } else {\n /*\n * Default variable settings\n */\n adjust = RIGHT;\n alternate_form = print_sign = print_blank = NO;\n pad_char = ' ';\n prefix_char = NUL;\n\n fmt++;\n\n /*\n * Try to avoid checking for flags, width or precision\n */\n if (isascii((int)*fmt) && !islower((int)*fmt)) {\n /*\n * Recognize flags: -, #, BLANK, +\n */\n for (;; fmt++) {\n if (*fmt == '-')\n adjust = LEFT;\n else if (*fmt == '+')\n print_sign = YES;\n else if (*fmt == '#')\n alternate_form = YES;\n else if (*fmt == ' ')\n print_blank = YES;\n else if (*fmt == '0')\n pad_char = '0';\n else\n break;\n }\n\n /*\n * Check if a width was specified\n */\n if (isdigit((int)*fmt)) {\n 
STR_TO_DEC(fmt, min_width);\n adjust_width = YES;\n } else if (*fmt == '*') {\n min_width = va_arg(ap, int);\n fmt++;\n adjust_width = YES;\n if (min_width < 0) {\n adjust = LEFT;\n min_width = -min_width;\n }\n } else\n adjust_width = NO;\n\n /*\n * Check if a precision was specified\n *\n * XXX: an unreasonable amount of precision may be specified\n * resulting in overflow of num_buf. Currently we\n * ignore this possibility.\n */\n if (*fmt == '.') {\n adjust_precision = YES;\n fmt++;\n if (isdigit((int)*fmt)) {\n STR_TO_DEC(fmt, precision);\n } else if (*fmt == '*') {\n precision = va_arg(ap, int);\n fmt++;\n if (precision < 0)\n precision = 0;\n } else\n precision = 0;\n } else\n adjust_precision = NO;\n } else\n adjust_precision = adjust_width = NO;\n\n /*\n * Modifier check\n */\n switch (*fmt) {\n case 'L':\n fmt++;\n modifier = LM_LONG_DOUBLE;\n break;\n case 'I':\n fmt++;\n#if SIZEOF_LONG_LONG\n if (*fmt == '6' && *(fmt+1) == '4') {\n fmt += 2;\n modifier = LM_LONG_LONG;\n } else\n#endif\n if (*fmt == '3' && *(fmt+1) == '2') {\n fmt += 2;\n modifier = LM_LONG;\n } else {\n#ifdef _WIN64\n modifier = LM_LONG_LONG;\n#else\n modifier = LM_LONG;\n#endif\n }\n break;\n case 'l':\n fmt++;\n#if SIZEOF_LONG_LONG\n if (*fmt == 'l') {\n fmt++;\n modifier = LM_LONG_LONG;\n } else\n#endif\n modifier = LM_LONG;\n break;\n case 'z':\n fmt++;\n modifier = LM_SIZE_T;\n break;\n case 'j':\n fmt++;\n#if SIZEOF_INTMAX_T\n modifier = LM_INTMAX_T;\n#else\n modifier = LM_SIZE_T;\n#endif\n break;\n case 't':\n fmt++;\n#if SIZEOF_PTRDIFF_T\n modifier = LM_PTRDIFF_T;\n#else\n modifier = LM_SIZE_T;\n#endif\n break;\n case 'h':\n fmt++;\n if (*fmt == 'h') {\n fmt++;\n }\n /* these are promoted to int, so no break */\n default:\n modifier = LM_STD;\n break;\n }\n\n /*\n * Argument extraction and printing.\n * First we determine the argument type.\n * Then, we convert the argument to a string.\n * On exit from the switch, s points to the string that\n * must be printed, s_len has the 
length of the string\n * The precision requirements, if any, are reflected in s_len.\n *\n * NOTE: pad_char may be set to '0' because of the 0 flag.\n * It is reset to ' ' by non-numeric formats\n */\n switch (*fmt) {\n case 'u':\n switch(modifier) {\n default:\n i_num = (wide_int) va_arg(ap, unsigned int);\n break;\n case LM_LONG_DOUBLE:\n goto fmt_error;\n case LM_LONG:\n i_num = (wide_int) va_arg(ap, unsigned long int);\n break;\n case LM_SIZE_T:\n i_num = (wide_int) va_arg(ap, size_t);\n break;\n#if SIZEOF_LONG_LONG\n case LM_LONG_LONG:\n i_num = (wide_int) va_arg(ap, u_wide_int);\n break;\n#endif\n#if SIZEOF_INTMAX_T\n case LM_INTMAX_T:\n i_num = (wide_int) va_arg(ap, uintmax_t);\n break;\n#endif\n#if SIZEOF_PTRDIFF_T\n case LM_PTRDIFF_T:\n i_num = (wide_int) va_arg(ap, ptrdiff_t);\n break;\n#endif\n }\n /*\n * The rest also applies to other integer formats, so fall\n * into that case.\n */\n case 'd':\n case 'i':\n /*\n * Get the arg if we haven't already.\n */\n if ((*fmt) != 'u') {\n switch(modifier) {\n default:\n i_num = (wide_int) va_arg(ap, int);\n break;\n case LM_LONG_DOUBLE:\n goto fmt_error;\n case LM_LONG:\n i_num = (wide_int) va_arg(ap, long int);\n break;\n case LM_SIZE_T:\n#if SIZEOF_SSIZE_T\n i_num = (wide_int) va_arg(ap, ssize_t);\n#else\n i_num = (wide_int) va_arg(ap, size_t);\n#endif\n break;\n#if SIZEOF_LONG_LONG\n case LM_LONG_LONG:\n i_num = (wide_int) va_arg(ap, wide_int);\n break;\n#endif\n#if SIZEOF_INTMAX_T\n case LM_INTMAX_T:\n i_num = (wide_int) va_arg(ap, intmax_t);\n break;\n#endif\n#if SIZEOF_PTRDIFF_T\n case LM_PTRDIFF_T:\n i_num = (wide_int) va_arg(ap, ptrdiff_t);\n break;\n#endif\n }\n }\n s = ap_php_conv_10(i_num, (*fmt) == 'u', &is_negative,\n &num_buf[NUM_BUF_SIZE], &s_len);\n FIX_PRECISION(adjust_precision, precision, s, s_len);\n\n if (*fmt != 'u') {\n if (is_negative)\n prefix_char = '-';\n else if (print_sign)\n prefix_char = '+';\n else if (print_blank)\n prefix_char = ' ';\n }\n break;\n\n\n case 'o':\n 
switch(modifier) {\n default:\n ui_num = (u_wide_int) va_arg(ap, unsigned int);\n break;\n case LM_LONG_DOUBLE:\n goto fmt_error;\n case LM_LONG:\n ui_num = (u_wide_int) va_arg(ap, unsigned long int);\n break;\n case LM_SIZE_T:\n ui_num = (u_wide_int) va_arg(ap, size_t);\n break;\n#if SIZEOF_LONG_LONG\n case LM_LONG_LONG:\n ui_num = (u_wide_int) va_arg(ap, u_wide_int);\n break;\n#endif\n#if SIZEOF_INTMAX_T\n case LM_INTMAX_T:\n ui_num = (u_wide_int) va_arg(ap, uintmax_t);\n break;\n#endif\n#if SIZEOF_PTRDIFF_T\n case LM_PTRDIFF_T:\n ui_num = (u_wide_int) va_arg(ap, ptrdiff_t);\n break;\n#endif\n }\n s = ap_php_conv_p2(ui_num, 3, *fmt,\n &num_buf[NUM_BUF_SIZE], &s_len);\n FIX_PRECISION(adjust_precision, precision, s, s_len);\n if (alternate_form && *s != '0') {\n *--s = '0';\n s_len++;\n }\n break;\n\n\n case 'x':\n case 'X':\n switch(modifier) {\n default:\n ui_num = (u_wide_int) va_arg(ap, unsigned int);\n break;\n case LM_LONG_DOUBLE:\n goto fmt_error;\n case LM_LONG:\n ui_num = (u_wide_int) va_arg(ap, unsigned long int);\n break;\n case LM_SIZE_T:\n ui_num = (u_wide_int) va_arg(ap, size_t);\n break;\n#if SIZEOF_LONG_LONG\n case LM_LONG_LONG:\n ui_num = (u_wide_int) va_arg(ap, u_wide_int);\n break;\n#endif\n#if SIZEOF_INTMAX_T\n case LM_INTMAX_T:\n ui_num = (u_wide_int) va_arg(ap, uintmax_t);\n break;\n#endif\n#if SIZEOF_PTRDIFF_T\n case LM_PTRDIFF_T:\n ui_num = (u_wide_int) va_arg(ap, ptrdiff_t);\n break;\n#endif\n }\n s = ap_php_conv_p2(ui_num, 4, *fmt,\n &num_buf[NUM_BUF_SIZE], &s_len);\n FIX_PRECISION(adjust_precision, precision, s, s_len);\n if (alternate_form && i_num != 0) {\n *--s = *fmt; /* 'x' or 'X' */\n *--s = '0';\n s_len += 2;\n }\n break;\n\n\n case 's':\n case 'v':\n s = va_arg(ap, char *);\n if (s != nullptr) {\n s_len = strlen(s);\n if (adjust_precision && precision < s_len)\n s_len = precision;\n } else {\n s = const_cast(s_null);\n s_len = S_NULL_LEN;\n }\n pad_char = ' ';\n break;\n\n\n case 'f':\n case 'F':\n case 'e':\n case 'E':\n 
switch(modifier) {\n case LM_LONG_DOUBLE:\n fp_num = (double) va_arg(ap, long double);\n break;\n case LM_STD:\n fp_num = va_arg(ap, double);\n break;\n default:\n goto fmt_error;\n }\n\n if (std::isnan(fp_num)) {\n s = const_cast(\"nan\");\n s_len = 3;\n } else if (std::isinf(fp_num)) {\n s = const_cast(\"inf\");\n s_len = 3;\n } else {\n#ifdef HAVE_LOCALE_H\n if (!lconv) {\n lconv = localeconv();\n }\n#endif\n s = php_conv_fp((*fmt == 'f')?'F':*fmt, fp_num, alternate_form,\n (adjust_precision == NO) ? FLOAT_DIGITS : precision,\n (*fmt == 'f')?LCONV_DECIMAL_POINT:'.',\n &is_negative, &num_buf[1], &s_len);\n if (is_negative)\n prefix_char = '-';\n else if (print_sign)\n prefix_char = '+';\n else if (print_blank)\n prefix_char = ' ';\n }\n break;\n\n\n case 'g':\n case 'k':\n case 'G':\n case 'H':\n switch(modifier) {\n case LM_LONG_DOUBLE:\n fp_num = (double) va_arg(ap, long double);\n break;\n case LM_STD:\n fp_num = va_arg(ap, double);\n break;\n default:\n goto fmt_error;\n }\n\n if (std::isnan(fp_num)) {\n s = const_cast(\"NAN\");\n s_len = 3;\n break;\n } else if (std::isinf(fp_num)) {\n if (fp_num > 0) {\n s = const_cast(\"INF\");\n s_len = 3;\n } else {\n s = const_cast(\"-INF\");\n s_len = 4;\n }\n break;\n }\n\n if (adjust_precision == NO)\n precision = FLOAT_DIGITS;\n else if (precision == 0)\n precision = 1;\n /*\n * * We use &num_buf[ 1 ], so that we have room for the sign\n */\n#ifdef HAVE_LOCALE_H\n if (!lconv) {\n lconv = localeconv();\n }\n#endif\n s = php_gcvt(fp_num, precision,\n (*fmt=='H' || *fmt == 'k') ? '.' 
: LCONV_DECIMAL_POINT,\n (*fmt == 'G' || *fmt == 'H')?'E':'e', &num_buf[1]);\n if (*s == '-')\n prefix_char = *s++;\n else if (print_sign)\n prefix_char = '+';\n else if (print_blank)\n prefix_char = ' ';\n\n s_len = strlen(s);\n\n if (alternate_form && (q = strchr(s, '.')) == nullptr)\n s[s_len++] = '.';\n break;\n\n\n case 'c':\n char_buf[0] = (char) (va_arg(ap, int));\n s = &char_buf[0];\n s_len = 1;\n pad_char = ' ';\n break;\n\n\n case '%':\n char_buf[0] = '%';\n s = &char_buf[0];\n s_len = 1;\n pad_char = ' ';\n break;\n\n\n case 'n':\n *(va_arg(ap, int *)) = outpos;\n goto skip_output;\n\n /*\n * Always extract the argument as a \"char *\" pointer. We\n * should be using \"void *\" but there are still machines\n * that don't understand it.\n * If the pointer size is equal to the size of an unsigned\n * integer we convert the pointer to a hex number, otherwise\n * we print \"%p\" to indicate that we don't handle \"%p\".\n */\n case 'p':\n if (sizeof(char *) <= sizeof(u_wide_int)) {\n ui_num = (u_wide_int)((size_t) va_arg(ap, char *));\n s = ap_php_conv_p2(ui_num, 4, 'x',\n &num_buf[NUM_BUF_SIZE], &s_len);\n if (ui_num != 0) {\n *--s = 'x';\n *--s = '0';\n s_len += 2;\n }\n } else {\n s = const_cast(\"%p\");\n s_len = 2;\n }\n pad_char = ' ';\n break;\n\n\n case NUL:\n /*\n * The last character of the format string was %.\n * We ignore it.\n */\n continue;\n\n\nfmt_error:\n throw Exception(\"Illegal length modifier specified '%c'\", *fmt);\n\n /*\n * The default case is for unrecognized %'s.\n * We print % to help the user identify what\n * option is not understood.\n * This is also useful in case the user wants to pass\n * the output of format_converter to another function\n * that understands some other % (like syslog).\n * Note that we can't point s inside fmt because the\n * unknown could be preceded by width etc.\n */\n default:\n char_buf[0] = '%';\n char_buf[1] = *fmt;\n s = char_buf;\n s_len = 2;\n pad_char = ' ';\n break;\n }\n\n if (prefix_char != 
NUL) {\n *--s = prefix_char;\n s_len++;\n }\n if (adjust_width && adjust == RIGHT && min_width > s_len) {\n if (pad_char == '0' && prefix_char != NUL) {\n appendchar(&result, &outpos, &size, *s);\n s++;\n s_len--;\n min_width--;\n }\n for (int i = 0; i < min_width - s_len; i++) {\n appendchar(&result, &outpos, &size, pad_char);\n }\n }\n /*\n * Print the (for now) non-null terminated string s.\n */\n appendsimplestring(&result, &outpos, &size, s, s_len);\n\n if (adjust_width && adjust == LEFT && min_width > s_len) {\n for (int i = 0; i < min_width - s_len; i++) {\n appendchar(&result, &outpos, &size, pad_char);\n }\n }\n }\nskip_output:\n fmt++;\n }\n /*\n * Add the terminating null here since it wasn't added incrementally above\n * once the whole string has been composed.\n */\n appendchar(&result, &outpos, &size, NUL);\n *outbuf = result;\n return outpos - 1;\n}", "project": "hhvm", "hash": 85852174078948997591369954532322878743, "size": 592, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219451 }, { "func": "void CClient::PutStatusNotice(const CString& sLine) {\n PutModNotice(\"status\", sLine);\n}", "project": "znc", "hash": 275107447495430132327261172632189140199, "size": 3, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231539 }, { "func": "COND *Item_cond::build_equal_items(THD *thd,\n COND_EQUAL *inherited,\n bool link_item_fields,\n COND_EQUAL **cond_equal_ref)\n{\n List *cond_args= argument_list();\n \n List_iterator li(*cond_args);\n Item *item;\n\n DBUG_ASSERT(!cond_equal_ref || !cond_equal_ref[0]);\n /*\n Make replacement of equality predicates for lower levels\n of the condition expression.\n Update used_tables_cache and const_item_cache on the way.\n */\n used_tables_and_const_cache_init();\n while ((item= 
li++))\n { \n Item *new_item;\n if ((new_item= item->build_equal_items(thd, inherited, false, NULL))\n != item)\n {\n /* This replacement happens only for standalone equalities */\n /*\n This is ok with PS/SP as the replacement is done for\n arguments of an AND/OR item, which are restored for each\n execution of PS/SP.\n */\n li.replace(new_item);\n }\n used_tables_and_const_cache_join(new_item);\n }\n return this;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 42976538366352719313808362171593482432, "size": 35, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508438 }, { "func": "find_field_in_item_list (Field *field, void *data)\n{\n List *fields= (List *) data;\n bool part_found= 0;\n List_iterator li(*fields);\n Item *item;\n\n while ((item= li++))\n {\n if (item->real_item()->type() == Item::FIELD_ITEM &&\n\t((Item_field*) (item->real_item()))->field->eq(field))\n {\n part_found= 1;\n break;\n }\n }\n return part_found;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 146407912227111138229316365063677878169, "size": 18, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508705 }, { "func": "int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu)\n{\n\treturn kvm_s390_vcpu_has_irq(vcpu, 0);\n}", "project": "linux", "hash": 4423054399873979202196419812632977969, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354552 }, { "func": "static void snap_all_rawfb(void) {\n\tint pixelsize = bpp/8;\n\tint n, sz;\n\tchar *dst;\n\tstatic char *unclipped_dst = NULL;\n\tstatic int unclipped_len = 0;\n\n\tdst = snap->data;\n\n\tif (xform24to32 && bpp == 32) {\n\t\tpixelsize = 3;\n\t}\n\tsz = dpy_y * snap->bytes_per_line;\n\n\tif (wdpy_x > dpy_x || wdpy_y > dpy_y) {\n\t\tsz = wdpy_x * wdpy_y * pixelsize;\n\t\tif (sz > unclipped_len || unclipped_dst == NULL) {\n\t\t\tif (unclipped_dst) {\n\t\t\t\tfree(unclipped_dst);\n\t\t\t}\n\t\t\tunclipped_dst = (char *) malloc(sz+4);\n\t\t\tunclipped_len = sz;\n\t\t}\n\t\tdst = unclipped_dst;\n\t}\n\t\t\n\tif (! 
raw_fb_seek) {\n\t\tmemcpy(dst, raw_fb_addr + raw_fb_offset, sz);\n\n\t} else {\n\t\tint len = sz, del = 0;\n\t\toff_t off = (off_t) raw_fb_offset;\n\n\t\tlseek(raw_fb_fd, off, SEEK_SET);\n\t\twhile (len > 0) {\n\t\t\tn = read(raw_fb_fd, dst + del, len);\n\t\t\tif (n > 0) {\n\t\t\t\tdel += n;\n\t\t\t\tlen -= n;\n\t\t\t} else if (n == 0) {\n\t\t\t\tbreak;\n\t\t\t} else if (errno != EINTR && errno != EAGAIN) {\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (dst == unclipped_dst) {\n\t\tchar *src;\n\t\tint h;\n\t\tint x = off_x + coff_x;\n\t\tint y = off_y + coff_y;\n\n\t\tsrc = unclipped_dst + y * wdpy_x * pixelsize +\n\t\t x * pixelsize;\n\t\tdst = snap->data;\n\n\t\tfor (h = 0; h < dpy_y; h++) {\n\t\t\tmemcpy(dst, src, dpy_x * pixelsize);\n\t\t\tsrc += wdpy_x * pixelsize;\n\t\t\tdst += snap->bytes_per_line;\n\t\t}\n\t}\n}", "project": "x11vnc", "hash": 152039501147350800478072273267378765324, "size": 64, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360772 }, { "func": "\nstatic bool io_wait_rsrc_data(struct io_rsrc_data *data)\n{\n\tif (!data)\n\t\treturn false;\n\tif (!atomic_dec_and_test(&data->refs))\n\t\twait_for_completion(&data->done);\n\treturn true;", "project": "linux", "hash": 195583677590800300363341830296502003334, "size": 8, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338592 }, { "func": "static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_le_conn_complete *ev = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\tle_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,\n\t\t\t ev->role, le16_to_cpu(ev->handle),\n\t\t\t le16_to_cpu(ev->interval),\n\t\t\t le16_to_cpu(ev->latency),\n\t\t\t le16_to_cpu(ev->supervision_timeout));\n}", "project": "linux", "hash": 197091280638039036291318775369878667042, "size": 12, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432002 }, { "func": "void CSoundFile::PortamentoExtraFineMPT(ModChannel* pChn, int param)\n{\n\t// This kinda behaves like regular fine portamento.\n\t// It changes the pitch by n finetune steps on the first tick.\n\n\tif(pChn->isFirstTick)\n\t{\n\t\tpChn->m_PortamentoFineSteps += param;\n\t\tpChn->m_CalculateFreq = true;\n\t}\n}", "project": "openmpt", "hash": 34297884145468060798859401115897536833, "size": 11, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255187 }, { "func": "static inline rsRetVal tdlAdd(qqueue_t *pQueue, qDeqID deqID, int nElemDeq)\n{\n\ttoDeleteLst_t *pNew;\n\ttoDeleteLst_t *pPrev;\n\tDEFiRet;\n\n\tISOBJ_TYPE_assert(pQueue, qqueue);\n\tassert(pQueue->toDeleteLst != NULL);\n\n\tCHKmalloc(pNew = MALLOC(sizeof(toDeleteLst_t)));\n\tpNew->deqID = deqID;\n\tpNew->nElemDeq = nElemDeq;\n\n\t/* now find right spot */\n\tfor( pPrev = pQueue->toDeleteLst\n\t ; pPrev != NULL && deqID > pPrev->deqID\n\t ; pPrev = pPrev->pNext) {\n\t\t/*JUST SEARCH*/;\n\t}\n\n\tif(pPrev == NULL) {\n\t\tpNew->pNext = pQueue->toDeleteLst;\n\t\tpQueue->toDeleteLst = pNew;\n\t} else {\n\t\tpNew->pNext = pPrev->pNext;\n\t\tpPrev->pNext = pNew;\n\t}\n\nfinalize_it:\n\tRETiRet;\n}", "project": "rsyslog", "hash": 118562929632115536259032709478849916195, "size": 31, 
"commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373767 }, { "func": "void WebContents::DevToolsOpened() {\n v8::Locker locker(isolate());\n v8::HandleScope handle_scope(isolate());\n auto handle =\n FromOrCreate(isolate(), managed_web_contents()->GetDevToolsWebContents());\n devtools_web_contents_.Reset(isolate(), handle.ToV8());\n\n // Set inspected tabID.\n base::Value tab_id(ID());\n managed_web_contents()->CallClientFunction(\"DevToolsAPI.setInspectedTabId\",\n &tab_id, nullptr, nullptr);\n\n // Inherit owner window in devtools when it doesn't have one.\n auto* devtools = managed_web_contents()->GetDevToolsWebContents();\n bool has_window = devtools->GetUserData(NativeWindowRelay::UserDataKey());\n if (owner_window() && !has_window)\n handle->SetOwnerWindow(devtools, owner_window());\n\n Emit(\"devtools-opened\");\n}", "project": "electron", "hash": 278753487359648223065893551539365650164, "size": 20, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269756 }, { "func": "int imap_cmd_start (IMAP_DATA* idata, const char* cmdstr)\n{\n return cmd_start (idata, cmdstr, 0);\n}", "project": "mutt", "hash": 170886860068161768089248005539872606190, "size": 4, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338013 }, { "func": "size_t Frame::getName(char *result_buf, size_t result_len) 
{\n if (result_len <= 1) {\n return 0; // Insufficient result_bug. Bail!\n }\n\n // Add '@recurse_level' if required\n // NOTE: Dont use snprintf's return val as it is compiler dependent\n if (m_recursion) {\n snprintf(result_buf, result_len, \"%s@%d\", m_name, m_recursion);\n } else {\n snprintf(result_buf, result_len, \"%s\", m_name);\n }\n\n // Force null-termination at MAX\n result_buf[result_len - 1] = 0;\n return strlen(result_buf);\n}", "project": "hhvm", "hash": 185942404093682651860868413956059863170, "size": 17, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219295 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::markSummingJunctionDirty(AudioSummingJunction* summingJunction)\n{\n ASSERT(isGraphOwner());\n m_dirtySummingJunctions.add(summingJunction);\n}\n", "cwe": "", "big_vul_idx": 139669, "idx": 124819, "hash": 121185792017017088978507686389416105065 }, { "func": "static INLINE void cliprdr_write_lock_unlock_clipdata(wStream* s, UINT32 clipDataId)\n{\n\tStream_Write_UINT32(s, clipDataId);\n}", "project": "FreeRDP", "hash": 6486311579466861197613388206736775688, "size": 4, "commit_id": "b73143cf7ee5fe4cdabcbf56908aa15d8a883821", "message": "Fixed oob read in cliprdr_read_format_list", "target": 0, "dataset": "other", "idx": 388315 }, { "func": " enum Item_result cmp_type () const\n { return Type_handler_hybrid_field_type::cmp_type(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 225664909988508510894226132498511498677, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE 
V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509029 }, { "func": " virtual CHARSET_INFO *charset_for_protocol(void) const\n {\n return cmp_type() == STRING_RESULT ? collation.collation :\n &my_charset_bin;\n };", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 12540931568300602815198928543149479723, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509166 }, { "func": " Item_result cmp_type() const { return type_handler()->cmp_type(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 309696976514517156132142621946672130284, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509253 }, { "func": " Item_result cmp_type() const { return TIME_RESULT; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 45598384580594820033147143373134020366, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509262 }, { "func": "timeslice(const struct intel_engine_cs *engine)\n{\n\treturn READ_ONCE(engine->props.timeslice_duration_ms);\n}", "project": "linux", "hash": 40946176738009561378332022734345921687, "size": 4, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281425 }, { "func": "struct page *mm_get_huge_zero_page(struct mm_struct *mm)\n{\n\tif (test_bit(MMF_HUGE_ZERO_PAGE, &mm->flags))\n\t\treturn READ_ONCE(huge_zero_page);\n\n\tif (!get_huge_zero_page())\n\t\treturn NULL;\n\n\tif (test_and_set_bit(MMF_HUGE_ZERO_PAGE, &mm->flags))\n\t\tput_huge_zero_page();\n\n\treturn READ_ONCE(huge_zero_page);\n}", "project": "linux", "hash": 73708120053503573212653622395182720642, "size": 13, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). 
Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364193 }, { "func": "bool kvm_hv_get_assist_page(struct kvm_vcpu *vcpu,\n\t\t\t struct hv_vp_assist_page *assist_page)\n{\n\tif (!kvm_hv_assist_page_enabled(vcpu))\n\t\treturn false;\n\treturn !kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.pv_eoi.data,\n\t\t\t\t assist_page, sizeof(*assist_page));\n}", "project": "linux", "hash": 74670062188467007899819103674703576269, "size": 8, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. 
However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343490 }, { "func": "static inline int add_post_vars(zval *arr, post_var_data_t *vars, zend_bool eof)\n{\n\tuint64_t max_vars = PG(max_input_vars);\n\n\tvars->ptr = ZSTR_VAL(vars->str.s);\n\tvars->end = ZSTR_VAL(vars->str.s) + ZSTR_LEN(vars->str.s);\n\twhile (add_post_var(arr, vars, eof)) {\n\t\tif (++vars->cnt > max_vars) {\n\t\t\tphp_error_docref(NULL, E_WARNING,\n\t\t\t\t\t\"Input variables exceeded %\" PRIu64 \". \"\n\t\t\t\t\t\"To increase the limit change max_input_vars in php.ini.\",\n\t\t\t\t\tmax_vars);\n\t\t\treturn FAILURE;\n\t\t}\n\t}\n\n\tif (!eof && ZSTR_VAL(vars->str.s) != vars->ptr) {\n\t\tmemmove(ZSTR_VAL(vars->str.s), vars->ptr, ZSTR_LEN(vars->str.s) = vars->end - vars->ptr);\n\t}\n\treturn SUCCESS;\n}", "project": "php-src", "hash": 67928002579923033906920170776599445016, "size": 21, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374960 }, { "func": "static inline int mmu_notifier_retry(struct kvm *kvm, unsigned long mmu_seq)\n{\n\tif (unlikely(kvm->mmu_notifier_count))\n\t\treturn 1;\n\t/*\n\t * Ensure the read of mmu_notifier_count happens before the read\n\t * of mmu_notifier_seq. 
This interacts with the smp_wmb() in\n\t * mmu_notifier_invalidate_range_end to make sure that the caller\n\t * either sees the old (non-zero) value of mmu_notifier_count or\n\t * the new (incremented) value of mmu_notifier_seq.\n\t * PowerPC Book3s HV KVM calls this under a per-page lock\n\t * rather than under kvm->mmu_lock, for scalability, so\n\t * can't rely on kvm->mmu_lock to keep things ordered.\n\t */\n\tsmp_rmb();\n\tif (kvm->mmu_notifier_seq != mmu_seq)\n\t\treturn 1;\n\treturn 0;\n}", "project": "linux", "hash": 150424035927606232467746041892098333231, "size": 19, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354517 }, { "func": "void CServer::ConRecord(IConsole::IResult *pResult, void *pUser)\n{\n\tCServer* pServer = (CServer *)pUser;\n\tchar aFilename[128];\n\tif(pResult->NumArguments())\n\t\tstr_format(aFilename, sizeof(aFilename), \"demos/%s.demo\", pResult->GetString(0));\n\telse\n\t{\n\t\tchar aDate[20];\n\t\tstr_timestamp(aDate, sizeof(aDate));\n\t\tstr_format(aFilename, sizeof(aFilename), \"demos/demo_%s.demo\", aDate);\n\t}\n\tpServer->m_DemoRecorder.Start(pServer->Storage(), pServer->Console(), aFilename, pServer->GameServer()->NetVersion(), pServer->m_aCurrentMap, pServer->m_CurrentMapSha256, pServer->m_CurrentMapCrc, \"server\");\n}", "project": "teeworlds", "hash": 
149863967839868050719500664600056072839, "size": 14, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382013 }, { "func": "static OPJ_UINT32 opj_j2k_get_num_tp(opj_cp_t *cp, OPJ_UINT32 pino,\n OPJ_UINT32 tileno)\n{\n const OPJ_CHAR *prog = 00;\n OPJ_INT32 i;\n OPJ_UINT32 tpnum = 1;\n opj_tcp_t *tcp = 00;\n opj_poc_t * l_current_poc = 00;\n\n /* preconditions */\n assert(tileno < (cp->tw * cp->th));\n assert(pino < (cp->tcps[tileno].numpocs + 1));\n\n /* get the given tile coding parameter */\n tcp = &cp->tcps[tileno];\n assert(tcp != 00);\n\n l_current_poc = &(tcp->pocs[pino]);\n assert(l_current_poc != 0);\n\n /* get the progression order as a character string */\n prog = opj_j2k_convert_progression_order(tcp->prg);\n assert(strlen(prog) > 0);\n\n if (cp->m_specific_param.m_enc.m_tp_on == 1) {\n for (i = 0; i < 4; ++i) {\n switch (prog[i]) {\n /* component wise */\n case 'C':\n tpnum *= l_current_poc->compE;\n break;\n /* resolution wise */\n case 'R':\n tpnum *= l_current_poc->resE;\n break;\n /* precinct wise */\n case 'P':\n tpnum *= l_current_poc->prcE;\n break;\n /* layer wise */\n case 'L':\n tpnum *= l_current_poc->layE;\n break;\n }\n /* whould we split here ? 
*/\n if (cp->m_specific_param.m_enc.m_tp_flag == prog[i]) {\n cp->m_specific_param.m_enc.m_tp_pos = i;\n break;\n }\n }\n } else {\n tpnum = 1;\n }\n\n return tpnum;\n}", "project": "openjpeg", "hash": 191715954468397393518109930311806095923, "size": 56, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357360 }, { "func": "static void kvm_s390_vcpu_request_handled(struct kvm_vcpu *vcpu)\n{\n\tatomic_andnot(PROG_REQUEST, &vcpu->arch.sie_block->prog20);\n}", "project": "linux", "hash": 267281285343503053275289600138381971514, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354818 }, { "func": "static void input_handle_event(struct input_dev *dev,\n\t\t\t unsigned int type, unsigned int code, int value)\n{\n\tint disposition = input_get_disposition(dev, type, code, &value);\n\n\tif (disposition != INPUT_IGNORE_EVENT && type != EV_SYN)\n\t\tadd_input_randomness(type, code, value);\n\n\tif ((disposition & INPUT_PASS_TO_DEVICE) && dev->event)\n\t\tdev->event(dev, type, code, value);\n\n\tif (!dev->vals)\n\t\treturn;\n\n\tif (disposition & INPUT_PASS_TO_HANDLERS) {\n\t\tstruct input_value *v;\n\n\t\tif (disposition & INPUT_SLOT) 
{\n\t\t\tv = &dev->vals[dev->num_vals++];\n\t\t\tv->type = EV_ABS;\n\t\t\tv->code = ABS_MT_SLOT;\n\t\t\tv->value = dev->mt->slot;\n\t\t}\n\n\t\tv = &dev->vals[dev->num_vals++];\n\t\tv->type = type;\n\t\tv->code = code;\n\t\tv->value = value;\n\t}\n\n\tif (disposition & INPUT_FLUSH) {\n\t\tif (dev->num_vals >= 2)\n\t\t\tinput_pass_values(dev, dev->vals, dev->num_vals);\n\t\tdev->num_vals = 0;\n\t\t/*\n\t\t * Reset the timestamp on flush so we won't end up\n\t\t * with a stale one. Note we only need to reset the\n\t\t * monolithic one as we use its presence when deciding\n\t\t * whether to generate a synthetic timestamp.\n\t\t */\n\t\tdev->timestamp[INPUT_CLK_MONO] = ktime_set(0, 0);\n\t} else if (dev->num_vals >= dev->max_vals - 2) {\n\t\tdev->vals[dev->num_vals++] = input_value_sync;\n\t\tinput_pass_values(dev, dev->vals, dev->num_vals);\n\t\tdev->num_vals = 0;\n\t}\n\n}", "project": "linux", "hash": 97706506921051953643504169165998218065, "size": 48, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353374 }, { "func": "static int nfs4_check_cl_exchange_flags(u32 flags)\n{\n\tif (flags & ~EXCHGID4_FLAG_MASK_R)\n\t\tgoto out_inval;\n\tif ((flags & EXCHGID4_FLAG_USE_PNFS_MDS) &&\n\t (flags & EXCHGID4_FLAG_USE_NON_PNFS))\n\t\tgoto out_inval;\n\tif (!(flags & (EXCHGID4_FLAG_MASK_PNFS)))\n\t\tgoto out_inval;\n\treturn NFS_OK;\nout_inval:\n\treturn -NFS4ERR_INVAL;\n}", "project": "linux", "hash": 76475109584097270412844609719857912371, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431064 }, { "func": "static int fuse_write_begin(struct file *file, struct address_space *mapping,\n\t\tloff_t pos, unsigned len, unsigned flags,\n\t\tstruct page **pagep, void **fsdata)\n{\n\tpgoff_t index = pos >> PAGE_SHIFT;\n\tstruct fuse_conn *fc = get_fuse_conn(file_inode(file));\n\tstruct page *page;\n\tloff_t fsize;\n\tint err = -ENOMEM;\n\n\tWARN_ON(!fc->writeback_cache);\n\n\tpage = grab_cache_page_write_begin(mapping, index, flags);\n\tif (!page)\n\t\tgoto error;\n\n\tfuse_wait_on_page_writeback(mapping->host, page->index);\n\n\tif (PageUptodate(page) || len == PAGE_SIZE)\n\t\tgoto success;\n\t/*\n\t * Check if the start this page comes after the end of file, in which\n\t * case the readpage can be optimized 
away.\n\t */\n\tfsize = i_size_read(mapping->host);\n\tif (fsize <= (pos & PAGE_MASK)) {\n\t\tsize_t off = pos & ~PAGE_MASK;\n\t\tif (off)\n\t\t\tzero_user_segment(page, 0, off);\n\t\tgoto success;\n\t}\n\terr = fuse_do_readpage(file, page);\n\tif (err)\n\t\tgoto cleanup;\nsuccess:\n\t*pagep = page;\n\treturn 0;\n\ncleanup:\n\tunlock_page(page);\n\tput_page(page);\nerror:\n\treturn err;\n}", "project": "linux", "hash": 187668835553152717770852090419006814151, "size": 44, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342001 }, { "func": "static void scan_update_work(struct work_struct *work)\n{\n\tstruct hci_dev *hdev = container_of(work, struct hci_dev, scan_update);\n\n\thci_req_sync(hdev, update_scan, 0, HCI_CMD_TIMEOUT, NULL);\n}", "project": "linux", "hash": 96290100555191166643277176627867768058, "size": 6, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402492 }, { "func": "static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,\n\t\t\t u8 policy, u32 flags,\n\t\t\t struct netlink_ext_ack *extack)\n{\n\tconst struct nlattr * const *nla = ctx->nla;\n\tstruct nft_table *table = ctx->table;\n\tstruct nft_base_chain *basechain;\n\tstruct nft_stats __percpu *stats;\n\tstruct net *net = ctx->net;\n\tchar name[NFT_NAME_MAXLEN];\n\tstruct nft_trans *trans;\n\tstruct nft_chain *chain;\n\tstruct nft_rule **rules;\n\tint err;\n\n\tif (table->use == UINT_MAX)\n\t\treturn -EOVERFLOW;\n\n\tif (nla[NFTA_CHAIN_HOOK]) {\n\t\tstruct nft_chain_hook hook;\n\n\t\tif (flags & NFT_CHAIN_BINDING)\n\t\t\treturn -EOPNOTSUPP;\n\n\t\terr = nft_chain_parse_hook(net, nla, &hook, family, extack,\n\t\t\t\t\t true);\n\t\tif (err < 0)\n\t\t\treturn err;\n\n\t\tbasechain = kzalloc(sizeof(*basechain), GFP_KERNEL);\n\t\tif (basechain == NULL) {\n\t\t\tnft_chain_release_hook(&hook);\n\t\t\treturn -ENOMEM;\n\t\t}\n\t\tchain = &basechain->chain;\n\n\t\tif (nla[NFTA_CHAIN_COUNTERS]) {\n\t\t\tstats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);\n\t\t\tif (IS_ERR(stats)) {\n\t\t\t\tnft_chain_release_hook(&hook);\n\t\t\t\tkfree(basechain);\n\t\t\t\treturn PTR_ERR(stats);\n\t\t\t}\n\t\t\trcu_assign_pointer(basechain->stats, stats);\n\t\t\tstatic_branch_inc(&nft_counters_enabled);\n\t\t}\n\n\t\terr = nft_basechain_init(basechain, family, 
&hook, flags);\n\t\tif (err < 0) {\n\t\t\tnft_chain_release_hook(&hook);\n\t\t\tkfree(basechain);\n\t\t\treturn err;\n\t\t}\n\t} else {\n\t\tif (flags & NFT_CHAIN_BASE)\n\t\t\treturn -EINVAL;\n\t\tif (flags & NFT_CHAIN_HW_OFFLOAD)\n\t\t\treturn -EOPNOTSUPP;\n\n\t\tchain = kzalloc(sizeof(*chain), GFP_KERNEL);\n\t\tif (chain == NULL)\n\t\t\treturn -ENOMEM;\n\n\t\tchain->flags = flags;\n\t}\n\tctx->chain = chain;\n\n\tINIT_LIST_HEAD(&chain->rules);\n\tchain->handle = nf_tables_alloc_handle(table);\n\tchain->table = table;\n\n\tif (nla[NFTA_CHAIN_NAME]) {\n\t\tchain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);\n\t} else {\n\t\tif (!(flags & NFT_CHAIN_BINDING)) {\n\t\t\terr = -EINVAL;\n\t\t\tgoto err_destroy_chain;\n\t\t}\n\n\t\tsnprintf(name, sizeof(name), \"__chain%llu\", ++chain_id);\n\t\tchain->name = kstrdup(name, GFP_KERNEL);\n\t}\n\n\tif (!chain->name) {\n\t\terr = -ENOMEM;\n\t\tgoto err_destroy_chain;\n\t}\n\n\tif (nla[NFTA_CHAIN_USERDATA]) {\n\t\tchain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL);\n\t\tif (chain->udata == NULL) {\n\t\t\terr = -ENOMEM;\n\t\t\tgoto err_destroy_chain;\n\t\t}\n\t\tchain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);\n\t}\n\n\trules = nf_tables_chain_alloc_rules(chain, 0);\n\tif (!rules) {\n\t\terr = -ENOMEM;\n\t\tgoto err_destroy_chain;\n\t}\n\n\t*rules = NULL;\n\trcu_assign_pointer(chain->rules_gen_0, rules);\n\trcu_assign_pointer(chain->rules_gen_1, rules);\n\n\terr = nf_tables_register_hook(net, table, chain);\n\tif (err < 0)\n\t\tgoto err_destroy_chain;\n\n\ttrans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);\n\tif (IS_ERR(trans)) {\n\t\terr = PTR_ERR(trans);\n\t\tgoto err_unregister_hook;\n\t}\n\n\tnft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;\n\tif (nft_is_base_chain(chain))\n\t\tnft_trans_chain_policy(trans) = policy;\n\n\terr = nft_chain_add(table, chain);\n\tif (err < 0) {\n\t\tnft_trans_destroy(trans);\n\t\tgoto err_unregister_hook;\n\t}\n\n\ttable->use++;\n\n\treturn 
0;\nerr_unregister_hook:\n\tnf_tables_unregister_hook(net, table, chain);\nerr_destroy_chain:\n\tnf_tables_chain_destroy(ctx);\n\n\treturn err;\n}", "project": "linux", "hash": 24590560417026880254067535780356100029, "size": 137, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? 
nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328342 }, { "func": "static MagickBooleanType InvokePDFDelegate(const MagickBooleanType verbose,\n const char *command,char *message,ExceptionInfo *exception)\n{\n int\n status;\n\n#define ExecuteGhostscriptCommand(command,status) \\\n{ \\\n status=ExternalDelegateCommand(MagickFalse,verbose,command,message, \\\n exception); \\\n if (status == 0) \\\n return(MagickTrue); \\\n if (status < 0) \\\n return(MagickFalse); \\\n (void) ThrowMagickException(exception,GetMagickModule(),DelegateError, \\\n \"FailedToExecuteCommand\",\"`%s' (%d)\",command,status); \\\n return(MagickFalse); \\\n}\n\n#if defined(MAGICKCORE_GS_DELEGATE) || defined(MAGICKCORE_WINDOWS_SUPPORT)\n#define SetArgsStart(command,args_start) \\\n if (args_start == (const char *) NULL) \\\n { \\\n if (*command != '\"') \\\n args_start=strchr(command,' '); \\\n else \\\n { \\\n args_start=strchr(command+1,'\"'); \\\n if (args_start != (const char *) NULL) \\\n args_start++; \\\n } \\\n }\n\n char\n **argv,\n *errors;\n\n const char\n *args_start = (const char *) NULL;\n\n const GhostInfo\n *ghost_info;\n\n gs_main_instance\n *interpreter;\n\n gsapi_revision_t\n revision;\n\n int\n argc,\n code;\n\n register ssize_t\n i;\n\n#if defined(MAGICKCORE_WINDOWS_SUPPORT)\n ghost_info=NTGhostscriptDLLVectors();\n#else\n GhostInfo\n ghost_info_struct;\n\n ghost_info=(&ghost_info_struct);\n (void) memset(&ghost_info_struct,0,sizeof(ghost_info_struct));\n ghost_info_struct.delete_instance=(void (*)(gs_main_instance *))\n gsapi_delete_instance;\n ghost_info_struct.exit=(int (*)(gs_main_instance *)) 
gsapi_exit;\n ghost_info_struct.new_instance=(int (*)(gs_main_instance **,void *))\n gsapi_new_instance;\n ghost_info_struct.init_with_args=(int (*)(gs_main_instance *,int,char **))\n gsapi_init_with_args;\n ghost_info_struct.run_string=(int (*)(gs_main_instance *,const char *,int,\n int *)) gsapi_run_string;\n ghost_info_struct.set_stdio=(int (*)(gs_main_instance *,int (*)(void *,char *,\n int),int (*)(void *,const char *,int),int (*)(void *, const char *, int)))\n gsapi_set_stdio;\n ghost_info_struct.revision=(int (*)(gsapi_revision_t *,int)) gsapi_revision;\n#endif\n if (ghost_info == (GhostInfo *) NULL)\n ExecuteGhostscriptCommand(command,status);\n if ((ghost_info->revision)(&revision,sizeof(revision)) != 0)\n revision.revision=0;\n if (verbose != MagickFalse)\n {\n (void) fprintf(stdout,\"[ghostscript library %.2f]\",(double)\n revision.revision/100.0);\n SetArgsStart(command,args_start);\n (void) fputs(args_start,stdout);\n }\n interpreter=(gs_main_instance *) NULL;\n errors=(char *) NULL;\n status=(ghost_info->new_instance)(&interpreter,(void *) &errors);\n if (status < 0)\n ExecuteGhostscriptCommand(command,status);\n code=0;\n argv=StringToArgv(command,&argc);\n if (argv == (char **) NULL)\n {\n (ghost_info->delete_instance)(interpreter);\n return(MagickFalse);\n }\n (void) (ghost_info->set_stdio)(interpreter,(int (MagickDLLCall *)(void *,\n char *,int)) NULL,PDFDelegateMessage,PDFDelegateMessage);\n status=(ghost_info->init_with_args)(interpreter,argc-1,argv+1);\n if (status == 0)\n status=(ghost_info->run_string)(interpreter,\"systemdict /start get exec\\n\",\n 0,&code);\n (ghost_info->exit)(interpreter);\n (ghost_info->delete_instance)(interpreter);\n for (i=0; i < (ssize_t) argc; i++)\n argv[i]=DestroyString(argv[i]);\n argv=(char **) RelinquishMagickMemory(argv);\n if (status != 0)\n {\n SetArgsStart(command,args_start);\n if (status == -101) /* quit */\n (void) FormatLocaleString(message,MagickPathExtent,\n \"[ghostscript library %.2f]%s: 
%s\",(double) revision.revision/100.0,\n args_start,errors);\n else\n {\n (void) ThrowMagickException(exception,GetMagickModule(),DelegateError,\n \"PDFDelegateFailed\",\"`[ghostscript library %.2f]%s': %s\",(double)\n revision.revision/100.0,args_start,errors);\n if (errors != (char *) NULL)\n errors=DestroyString(errors);\n (void) LogMagickEvent(CoderEvent,GetMagickModule(),\n \"Ghostscript returns status %d, exit code %d\",status,code);\n return(MagickFalse);\n }\n }\n if (errors != (char *) NULL)\n errors=DestroyString(errors);\n return(MagickTrue);\n#else\n ExecuteGhostscriptCommand(command,status);\n#endif\n}", "project": "ImageMagick", "hash": 131059297689808698878702446600841066099, "size": 138, "commit_id": "7b04c53c69792243d66d6876f843b850b3cc002b", "message": "Fixed memory leaks reported in #1557.", "target": 0, "dataset": "other", "idx": 416805 }, { "func": "WebContents::~WebContents() {\n // The destroy() is called.\n if (managed_web_contents()) {\n managed_web_contents()->GetView()->SetDelegate(nullptr);\n\n RenderViewDeleted(web_contents()->GetRenderViewHost());\n\n if (type_ == Type::BROWSER_WINDOW && owner_window()) {\n // For BrowserWindow we should close the window and clean up everything\n // before WebContents is destroyed.\n for (ExtendedWebContentsObserver& observer : observers_)\n observer.OnCloseContents();\n // BrowserWindow destroys WebContents asynchronously, manually emit the\n // destroyed event here.\n WebContentsDestroyed();\n } else if (Browser::Get()->is_shutting_down()) {\n // Destroy WebContents directly when app is shutting down.\n DestroyWebContents(false /* async */);\n } else {\n // Destroy WebContents asynchronously unless app is shutting down,\n // because destroy() might be called inside WebContents's event handler.\n DestroyWebContents(!IsGuest() /* async */);\n // The WebContentsDestroyed will not be called automatically because we\n // destroy the webContents in the next tick. 
So we have to manually\n // call it here to make sure \"destroyed\" event is emitted.\n WebContentsDestroyed();\n }\n }\n}", "project": "electron", "hash": 183299027615314279599216294130255612073, "size": 29, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269776 }, { "func": "static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault)\n{\n\tif (unlikely(!(vma->vm_flags & VM_READ)))\n\t\treturn false;\n\n\tif (write_fault && (unlikely(!(vma->vm_flags & VM_WRITE))))\n\t\treturn false;\n\n\treturn true;\n}", "project": "linux", "hash": 175426869426386037151772244674090452538, "size": 10, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354641 }, { "func": "void xdr_write_pages(struct xdr_stream *xdr, struct page **pages, unsigned int base,\n\t\t unsigned int len)\n{\n\tstruct xdr_buf *buf = xdr->buf;\n\tstruct kvec *iov = buf->tail;\n\tbuf->pages = pages;\n\tbuf->page_base = 
base;\n\tbuf->page_len = len;\n\n\tiov->iov_base = (char *)xdr->p;\n\tiov->iov_len = 0;\n\txdr->iov = iov;\n\n\tif (len & 3) {\n\t\tunsigned int pad = 4 - (len & 3);\n\n\t\tBUG_ON(xdr->p >= xdr->end);\n\t\tiov->iov_base = (char *)xdr->p + (len & 3);\n\t\tiov->iov_len += pad;\n\t\tlen += pad;\n\t\t*xdr->p++ = 0;\n\t}\n\tbuf->buflen += len;\n\tbuf->len += len;\n}", "project": "linux", "hash": 113071427747784861459149362972355003805, "size": 25, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481064 }, { "func": "static void io_poll_remove_double(struct io_kiocb *req, void *data)\n{\n\tstruct io_poll_iocb *poll = data;\n\n\tlockdep_assert_held(&req->ctx->completion_lock);\n\n\tif (poll && poll->head) {\n\t\tstruct wait_queue_head *head = poll->head;\n\n\t\tspin_lock(&head->lock);\n\t\tlist_del_init(&poll->wait.entry);\n\t\tif (poll->wait.private)\n\t\t\trefcount_dec(&req->refs);\n\t\tpoll->head = NULL;\n\t\tspin_unlock(&head->lock);\n\t}\n}", "project": "linux", "hash": 208198800272646872555647358289369601730, "size": 17, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending 
task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456949 }, { "func": "CString CAuthBase::GetRemoteIP() const {\n if (m_pSock) return m_pSock->GetRemoteIP();\n return \"\";\n}", "project": "znc", "hash": 289186345435321268367518773406429287272, "size": 4, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231580 }, { "func": "void WebContents::PluginCrashed(const base::FilePath& plugin_path,\n base::ProcessId plugin_pid) {\n#if BUILDFLAG(ENABLE_PLUGINS)\n content::WebPluginInfo info;\n auto* plugin_service = content::PluginService::GetInstance();\n plugin_service->GetPluginInfoByPath(plugin_path, &info);\n Emit(\"plugin-crashed\", info.name, info.version);\n#endif // BUILDFLAG(ENABLE_PLUIGNS)\n}", "project": "electron", "hash": 231705595698222158369534918621827020382, "size": 9, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269778 }, { "func": "static int nfs41_test_stateid(struct nfs_server *server,\n\t\tnfs4_stateid *stateid,\n\t\tconst struct cred *cred)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\tdo {\n\t\terr = _nfs41_test_stateid(server, stateid, cred);\n\t\tnfs4_handle_delay_or_session_error(server, err, &exception);\n\t} while 
(exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 120592098235231961992175932103701846938, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431388 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "JNIEXPORT jbyteArray JNICALL Java_edu_berkeley_cs_rise_opaque_execution_SGXEnclave_Project(\n JNIEnv *env, jobject obj, jlong eid, jbyteArray project_list, jbyteArray input_rows) {\n (void)obj;\n\n jboolean if_copy;\n\n uint32_t project_list_length = (uint32_t) env->GetArrayLength(project_list);\n uint8_t *project_list_ptr = (uint8_t *) env->GetByteArrayElements(project_list, &if_copy);\n\n uint32_t input_rows_length = (uint32_t) env->GetArrayLength(input_rows);\n uint8_t *input_rows_ptr = (uint8_t *) env->GetByteArrayElements(input_rows, &if_copy);\n\n uint8_t *output_rows;\n size_t output_rows_length;\n\n sgx_check(\"Project\",\n ecall_project(\n eid,\n project_list_ptr, project_list_length,\n input_rows_ptr, input_rows_length,\n &output_rows, &output_rows_length));\n\n env->ReleaseByteArrayElements(project_list, (jbyte *) project_list_ptr, 0);\n env->ReleaseByteArrayElements(input_rows, (jbyte *) input_rows_ptr, 0);\n\n jbyteArray ret = env->NewByteArray(output_rows_length);\n env->SetByteArrayRegion(ret, 0, output_rows_length, (jbyte *) output_rows);\n free(output_rows);\n\n return ret;\n}", "idx": 519096, "cwe": "CWE-787", "hash": 207124804324370148996576894460062619703, "dataset": "other" }, { "func": "static int h264_slice_header_init(H264Context *h, int 
reinit)\n{\n int nb_slices = (HAVE_THREADS &&\n h->avctx->active_thread_type & FF_THREAD_SLICE) ?\n h->avctx->thread_count : 1;\n int i, ret;\n\n h->avctx->sample_aspect_ratio = h->sps.sar;\n av_assert0(h->avctx->sample_aspect_ratio.den);\n av_pix_fmt_get_chroma_sub_sample(h->avctx->pix_fmt,\n &h->chroma_x_shift, &h->chroma_y_shift);\n\n if (h->sps.timing_info_present_flag) {\n int64_t den = h->sps.time_scale;\n if (h->x264_build < 44U)\n den *= 2;\n av_reduce(&h->avctx->time_base.num, &h->avctx->time_base.den,\n h->sps.num_units_in_tick, den, 1 << 30);\n }\n\n h->avctx->hwaccel = ff_find_hwaccel(h->avctx);\n\n if (reinit)\n free_tables(h, 0);\n h->first_field = 0;\n h->prev_interlaced_frame = 1;\n\n init_scan_tables(h);\n ret = ff_h264_alloc_tables(h);\n if (ret < 0) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"Could not allocate memory for h264\\n\");\n return ret;\n }\n\n if (nb_slices > MAX_THREADS || (nb_slices > h->mb_height && h->mb_height)) {\n int max_slices;\n if (h->mb_height)\n max_slices = FFMIN(MAX_THREADS, h->mb_height);\n else\n max_slices = MAX_THREADS;\n av_log(h->avctx, AV_LOG_WARNING, \"too many threads/slices (%d),\"\n \" reducing to %d\\n\", nb_slices, max_slices);\n nb_slices = max_slices;\n }\n h->slice_context_count = nb_slices;\n\n if (!HAVE_THREADS || !(h->avctx->active_thread_type & FF_THREAD_SLICE)) {\n ret = context_init(h);\n if (ret < 0) {\n av_log(h->avctx, AV_LOG_ERROR, \"context_init() failed.\\n\");\n return ret;\n }\n } else {\n for (i = 1; i < h->slice_context_count; i++) {\n H264Context *c;\n c = h->thread_context[i] = av_mallocz(sizeof(H264Context));\n if (!c)\n return AVERROR(ENOMEM);\n c->avctx = h->avctx;\n if (CONFIG_ERROR_RESILIENCE) {\n c->dsp = h->dsp;\n }\n c->vdsp = h->vdsp;\n c->h264dsp = h->h264dsp;\n c->h264qpel = h->h264qpel;\n c->h264chroma = h->h264chroma;\n c->sps = h->sps;\n c->pps = h->pps;\n c->pixel_shift = h->pixel_shift;\n c->cur_chroma_format_idc = h->cur_chroma_format_idc;\n c->width = h->width;\n c->height 
= h->height;\n c->linesize = h->linesize;\n c->uvlinesize = h->uvlinesize;\n c->chroma_x_shift = h->chroma_x_shift;\n c->chroma_y_shift = h->chroma_y_shift;\n c->qscale = h->qscale;\n c->droppable = h->droppable;\n c->data_partitioning = h->data_partitioning;\n c->low_delay = h->low_delay;\n c->mb_width = h->mb_width;\n c->mb_height = h->mb_height;\n c->mb_stride = h->mb_stride;\n c->mb_num = h->mb_num;\n c->flags = h->flags;\n c->workaround_bugs = h->workaround_bugs;\n c->pict_type = h->pict_type;\n\n init_scan_tables(c);\n clone_tables(c, h, i);\n c->context_initialized = 1;\n }\n\n for (i = 0; i < h->slice_context_count; i++)\n if ((ret = context_init(h->thread_context[i])) < 0) {\n av_log(h->avctx, AV_LOG_ERROR, \"context_init() failed.\\n\");\n return ret;\n }\n }\n\n h->context_initialized = 1;\n\n return 0;\n}", "project": "FFmpeg", "hash": 281597525004632707773468548174907718590, "size": 105, "commit_id": "8a3b85f3a7952c54a2c36ba1797f7e0cde9f85aa", "message": "avcodec/h264: update current_sps & sps->new only after the whole slice header decoder and init code finished\n\nThis avoids them being cleared before the full initialization finished\n\nFixes out of array read\nFixes: asan_heap-oob_f0c5e6_7071_cov_1605985132_mov_h264_aac__Demo_FlagOfOurFathers.mov\nFound-by: Mateusz \"j00ru\" Jurczyk and Gynvael Coldwind\nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 270125 }, { "func": "static int _nfs4_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)\n{\n\tstruct nfs4_opendata *opendata;\n\tint ret;\n\n\topendata = nfs4_open_recoverdata_alloc(ctx, state,\n\t\t\tNFS4_OPEN_CLAIM_FH);\n\tif (IS_ERR(opendata))\n\t\treturn PTR_ERR(opendata);\n\tret = nfs4_open_recover(opendata, state);\n\tif (ret == -ESTALE)\n\t\td_drop(ctx->dentry);\n\tnfs4_opendata_put(opendata);\n\treturn ret;\n}", "project": "linux", "hash": 264835609958504921209567501131356873889, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", 
"message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431023 }, { "func": "R_API char* r_str_replace(char *str, const char *key, const char *val, int g) {\n\tif (g == 'i') {\n\t\treturn r_str_replace_icase (str, key, val, g, true);\n\t}\n\tr_return_val_if_fail (str && key && val, NULL);\n\n\tint off, i, slen;\n\tchar *newstr, *p = str;\n\tint klen = strlen (key);\n\tint vlen = strlen (val);\n\tif (klen == 1 && vlen < 2) {\n\t\tr_str_replace_char (str, *key, *val);\n\t\treturn str;\n\t}\n\tif (klen == vlen && !strcmp (key, val)) {\n\t\treturn str;\n\t}\n\tslen = strlen (str);\n\tchar *q = str;\n\tfor (;;) {\n\t\tp = strstr (q, key);\n\t\tif (!p) {\n\t\t\tbreak;\n\t\t}\n\t\toff = (int)(size_t)(p - str);\n\t\tif (vlen != klen) {\n\t\t\tint tlen = slen - (off + klen);\n\t\t\tslen += vlen - klen;\n\t\t\tif (vlen > klen) {\n\t\t\t\tnewstr = realloc (str, slen + 1);\n\t\t\t\tif (!newstr) {\n\t\t\t\t\teprintf (\"realloc fail\\n\");\n\t\t\t\t\tR_FREE (str);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tstr = newstr;\n\t\t\t}\n\t\t\tp = str + off;\n\t\t\tmemmove (p + vlen, p + klen, tlen + 1);\n\t\t}\n\t\tmemcpy (p, val, vlen);\n\t\ti = off + vlen;\n\t\tq = str + i;\n\t\tif (!g) {\n\t\t\tbreak;\n\t\t}\n\t}\n\treturn str;\n}", "project": "radare2", "hash": 162790597335836273119078022777110052507, "size": 49, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement 
r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268865 }, { "func": "static void le_scan_disable_work(struct work_struct *work)\n{\n\tstruct hci_dev *hdev = container_of(work, struct hci_dev,\n\t\t\t\t\t le_scan_disable.work);\n\tu8 status;\n\n\tbt_dev_dbg(hdev, \"\");\n\n\tif (!hci_dev_test_flag(hdev, HCI_LE_SCAN))\n\t\treturn;\n\n\tcancel_delayed_work(&hdev->le_scan_restart);\n\n\thci_req_sync(hdev, le_scan_disable, 0, HCI_CMD_TIMEOUT, &status);\n\tif (status) {\n\t\tbt_dev_err(hdev, \"failed to disable LE scan: status 0x%02x\",\n\t\t\t status);\n\t\treturn;\n\t}\n\n\thdev->discovery.scan_start = 0;\n\n\t/* If we were running LE only scan, change discovery state. 
If\n\t * we were running both LE and BR/EDR inquiry simultaneously,\n\t * and BR/EDR inquiry is already finished, stop discovery,\n\t * otherwise BR/EDR inquiry will stop discovery when finished.\n\t * If we will resolve remote device name, do not change\n\t * discovery state.\n\t */\n\n\tif (hdev->discovery.type == DISCOV_TYPE_LE)\n\t\tgoto discov_stopped;\n\n\tif (hdev->discovery.type != DISCOV_TYPE_INTERLEAVED)\n\t\treturn;\n\n\tif (test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) {\n\t\tif (!test_bit(HCI_INQUIRY, &hdev->flags) &&\n\t\t hdev->discovery.state != DISCOVERY_RESOLVING)\n\t\t\tgoto discov_stopped;\n\n\t\treturn;\n\t}\n\n\thci_req_sync(hdev, bredr_inquiry, DISCOV_INTERLEAVED_INQUIRY_LEN,\n\t\t HCI_CMD_TIMEOUT, &status);\n\tif (status) {\n\t\tbt_dev_err(hdev, \"inquiry failed: status 0x%02x\", status);\n\t\tgoto discov_stopped;\n\t}\n\n\treturn;\n\ndiscov_stopped:\n\thci_dev_lock(hdev);\n\thci_discovery_set_state(hdev, DISCOVERY_STOPPED);\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 149639487621119552789062673135370710636, "size": 58, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402557 }, { "func": "static int irda_sendmsg_dgram(struct kiocb *iocb, struct socket *sock,\n\t\t\t struct msghdr *msg, size_t len)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct irda_sock *self;\n\tstruct sk_buff *skb;\n\tint err;\n\n\tIRDA_DEBUG(4, \"%s(), len=%zd\\n\", __func__, len);\n\n\tif (msg->msg_flags & ~(MSG_DONTWAIT|MSG_CMSG_COMPAT))\n\t\treturn -EINVAL;\n\n\tif (sk->sk_shutdown & SEND_SHUTDOWN) {\n\t\tsend_sig(SIGPIPE, current, 0);\n\t\treturn -EPIPE;\n\t}\n\n\tif (sk->sk_state != TCP_ESTABLISHED)\n\t\treturn -ENOTCONN;\n\n\tself = irda_sk(sk);\n\n\t/*\n\t * Check that we don't send out too big frames. This is an unreliable\n\t * service, so we have no fragmentation and no coalescence\n\t */\n\tif (len > self->max_data_size) {\n\t\tIRDA_DEBUG(0, \"%s(), Warning to much data! \"\n\t\t\t \"Chopping frame from %zd to %d bytes!\\n\",\n\t\t\t __func__, len, self->max_data_size);\n\t\tlen = self->max_data_size;\n\t}\n\n\tskb = sock_alloc_send_skb(sk, len + self->max_header_size,\n\t\t\t\t msg->msg_flags & MSG_DONTWAIT, &err);\n\tif (!skb)\n\t\treturn -ENOBUFS;\n\n\tskb_reserve(skb, self->max_header_size);\n\tskb_reset_transport_header(skb);\n\n\tIRDA_DEBUG(4, \"%s(), appending user data\\n\", __func__);\n\tskb_put(skb, len);\n\terr = memcpy_fromiovec(skb_transport_header(skb), msg->msg_iov, len);\n\tif (err) {\n\t\tkfree_skb(skb);\n\t\treturn err;\n\t}\n\n\t/*\n\t * Just send the message to TinyTP, and let it deal with possible\n\t * errors. 
No need to duplicate all that here\n\t */\n\terr = irttp_udata_request(self->tsap, skb);\n\tif (err) {\n\t\tIRDA_DEBUG(0, \"%s(), err=%d\\n\", __func__, err);\n\t\treturn err;\n\t}\n\treturn len;\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c", "hash": 317253786056699994947363377800248395332, "size": 61, "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "dataset": "other", "idx": 490843 }, { "func": "tracing_saved_cmdlines_size_read(struct file *filp, char __user *ubuf,\n\t\t\t\t size_t cnt, loff_t *ppos)\n{\n\tchar buf[64];\n\tint r;\n\n\tarch_spin_lock(&trace_cmdline_lock);\n\tr = scnprintf(buf, sizeof(buf), \"%u\\n\", savedcmd->cmdline_num);\n\tarch_spin_unlock(&trace_cmdline_lock);\n\n\treturn simple_read_from_buffer(ubuf, cnt, ppos, buf, r);\n}", "project": "linux", "hash": 61720593496411446808008793396171195861, "size": 12, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445529 }, { "func": "static void cmd_parse_enabled (IMAP_DATA* idata, const char* s)\n{\n dprint (2, (debugfile, \"Handling ENABLED\\n\"));\n\n while ((s = imap_next_word ((char*)s)) && *s != '\\0')\n {\n if (ascii_strncasecmp(s, \"UTF8=ACCEPT\", 11) == 0 ||\n ascii_strncasecmp(s, \"UTF8=ONLY\", 9) == 0)\n idata->unicode = 1;\n }\n}", "project": "mutt", "hash": 271516175167422964522621559427391572343, "size": 11, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338024 }, { "func": "static int futex_unlock_pi(u32 __user *uaddr, int fshared)\n{\n\tstruct futex_hash_bucket *hb;\n\tstruct futex_q *this, *next;\n\tu32 uval;\n\tstruct plist_head *head;\n\tunion futex_key key = FUTEX_KEY_INIT;\n\tint ret;\n\nretry:\n\tif (get_user(uval, uaddr))\n\t\treturn -EFAULT;\n\t/*\n\t * We release only a lock we actually own:\n\t */\n\tif ((uval & FUTEX_TID_MASK) != task_pid_vnr(current))\n\t\treturn -EPERM;\n\n\tret = get_futex_key(uaddr, fshared, &key);\n\tif (unlikely(ret != 0))\n\t\tgoto out;\n\n\thb = hash_futex(&key);\n\tspin_lock(&hb->lock);\n\n\t/*\n\t * To avoid races, try to do the TID -> 0 atomic transition\n\t * again. 
If it succeeds then we can return without waking\n\t * anyone else up:\n\t */\n\tif (!(uval & FUTEX_OWNER_DIED))\n\t\tuval = cmpxchg_futex_value_locked(uaddr, task_pid_vnr(current), 0);\n\n\n\tif (unlikely(uval == -EFAULT))\n\t\tgoto pi_faulted;\n\t/*\n\t * Rare case: we managed to release the lock atomically,\n\t * no need to wake anyone else up:\n\t */\n\tif (unlikely(uval == task_pid_vnr(current)))\n\t\tgoto out_unlock;\n\n\t/*\n\t * Ok, other tasks may need to be woken up - check waiters\n\t * and do the wakeup if necessary:\n\t */\n\thead = &hb->chain;\n\n\tplist_for_each_entry_safe(this, next, head, list) {\n\t\tif (!match_futex (&this->key, &key))\n\t\t\tcontinue;\n\t\tret = wake_futex_pi(uaddr, uval, this);\n\t\t/*\n\t\t * The atomic access to the futex value\n\t\t * generated a pagefault, so retry the\n\t\t * user-access and the wakeup:\n\t\t */\n\t\tif (ret == -EFAULT)\n\t\t\tgoto pi_faulted;\n\t\tgoto out_unlock;\n\t}\n\t/*\n\t * No waiters - kernel unlocks the futex:\n\t */\n\tif (!(uval & FUTEX_OWNER_DIED)) {\n\t\tret = unlock_futex_pi(uaddr, uval);\n\t\tif (ret == -EFAULT)\n\t\t\tgoto pi_faulted;\n\t}\n\nout_unlock:\n\tspin_unlock(&hb->lock);\n\tput_futex_key(fshared, &key);\n\nout:\n\treturn ret;\n\npi_faulted:\n\tspin_unlock(&hb->lock);\n\tput_futex_key(fshared, &key);\n\n\tret = fault_in_user_writeable(uaddr);\n\tif (!ret)\n\t\tgoto retry;\n\n\treturn ret;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 65974420351083572478069586419595141911, "size": 88, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() 
when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492304 }, { "func": "R_API int r_socket_free (RSocket *s) {\n\treturn -1;\n}", "project": "radare2", "hash": 161275675040601301451632531758858406354, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268843 }, { "func": "R_API int r_socket_free(RSocket *s) {\n\tint res = r_socket_close (s);\n#if HAVE_LIB_SSL\n\tif (s && s->is_ssl) {\n\t\tif (s->sfd) {\n\t\t\tSSL_free (s->sfd);\n\t\t}\n\t\tif (s->ctx) {\n\t\t\tSSL_CTX_free (s->ctx);\n\t\t}\n\t}\n#endif\n\tfree (s);\n\treturn res;\n}", "project": "radare2", "hash": 38584942888963741623603762240327536037, "size": 15, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268844 }, { "func": "static inline bool hci_is_le_conn_scanning(struct hci_dev *hdev)\n{\n\tstruct hci_conn_hash *h = &hdev->conn_hash;\n\tstruct hci_conn *c;\n\n\trcu_read_lock();\n\n\tlist_for_each_entry_rcu(c, &h->list, list) {\n\t\tif (c->type == LE_LINK && c->state == BT_CONNECT &&\n\t\t test_bit(HCI_CONN_SCANNING, &c->flags)) {\n\t\t\trcu_read_unlock();\n\t\t\treturn true;\n\t\t}\n\t}\n\n\trcu_read_unlock();\n\n\treturn false;\n}", "project": "linux", "hash": 130156446670390939896042798188819244902, "size": 19, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402530 }, { "func": "static u64 svm_compute_tsc_offset(struct kvm_vcpu *vcpu, u64 target_tsc)\n{\n\tu64 tsc;\n\n\ttsc = svm_scale_tsc(vcpu, native_read_tsc());\n\n\treturn target_tsc - tsc;\n}", "project": "kvm", "hash": 310156845382623273022583736628618024491, "size": 8, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437634 }, { "func": "static void flush_all(struct kmem_cache *s)\n{\n\ton_each_cpu_cond(has_cpu_slab, flush_cpu_slab, s, 1);\n}", "project": "linux", "hash": 104174263572132418887660548394511688151, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280191 }, { "func": "static int _nfs41_proc_fsid_present(struct inode *inode, const struct cred *cred)\n{\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\tstruct rpc_clnt *clnt = server->client;\n\tstruct nfs4_fsid_present_arg args = {\n\t\t.fh\t\t= NFS_FH(inode),\n\t};\n\tstruct nfs4_fsid_present_res res = {\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc\t= &nfs4_procedures[NFSPROC4_CLNT_FSID_PRESENT],\n\t\t.rpc_argp\t= &args,\n\t\t.rpc_resp\t= &res,\n\t\t.rpc_cred\t= cred,\n\t};\n\tint status;\n\n\tres.fh = nfs_alloc_fhandle();\n\tif (res.fh == NULL)\n\t\treturn -ENOMEM;\n\n\tnfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 1);\n\tstatus = nfs4_call_sync_sequence(clnt, server, &msg,\n\t\t\t\t\t\t&args.seq_args, &res.seq_res);\n\tnfs_free_fhandle(res.fh);\n\tif (status == NFS4_OK &&\n\t res.seq_res.sr_status_flags & SEQ4_STATUS_LEASE_MOVED)\n\t\tstatus = -NFS4ERR_LEASE_MOVED;\n\treturn status;\n}", "project": "linux", "hash": 103124819270327351018567925895145239735, "size": 30, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431548 }, { "func": "HttpStateData::buildRequestPrefix(MemBuf * mb)\n{\n const int offset = 
mb->size;\n /* Uses a local httpver variable to print the HTTP label\n * since the HttpRequest may have an older version label.\n * XXX: This could create protocol bugs as the headers sent and\n * flow control should all be based on the HttpRequest version\n * not the one we are sending. Needs checking.\n */\n const AnyP::ProtocolVersion httpver = Http::ProtocolVersion();\n const SBuf url(_peer && !_peer->options.originserver ? request->effectiveRequestUri() : request->url.path());\n mb->appendf(SQUIDSBUFPH \" \" SQUIDSBUFPH \" %s/%d.%d\\r\\n\",\n SQUIDSBUFPRINT(request->method.image()),\n SQUIDSBUFPRINT(url),\n AnyP::ProtocolType_str[httpver.protocol],\n httpver.major,httpver.minor);\n /* build and pack headers */\n {\n HttpHeader hdr(hoRequest);\n httpBuildRequestHeader(request, entry, fwd->al, &hdr, flags);\n\n if (request->flags.pinned && request->flags.connectionAuth)\n request->flags.authSent = true;\n else if (hdr.has(Http::HdrType::AUTHORIZATION))\n request->flags.authSent = true;\n\n hdr.packInto(mb);\n hdr.clean();\n }\n /* append header terminator */\n mb->append(crlf, 2);\n return mb->size - offset;\n}", "project": "squid", "hash": 97294484913292336480810060245138185827, "size": 33, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402359 }, { "func": "static void cmd_parse_expunge (IMAP_DATA* idata, const char* s)\n{\n unsigned int exp_msn, cur;\n HEADER* h;\n\n dprint (2, (debugfile, \"Handling EXPUNGE\\n\"));\n\n if (mutt_atoui (s, &exp_msn) < 0 ||\n exp_msn < 1 || exp_msn > idata->max_msn)\n return;\n\n h = idata->msn_index[exp_msn - 1];\n if (h)\n {\n /* imap_expunge_mailbox() will rewrite h->index.\n * It needs to resort using SORT_ORDER anyway, so setting to INT_MAX\n * makes the code simpler and possibly more efficient. */\n h->index = INT_MAX;\n HEADER_DATA(h)->msn = 0;\n }\n\n /* decrement seqno of those above. 
*/\n for (cur = exp_msn; cur < idata->max_msn; cur++)\n {\n h = idata->msn_index[cur];\n if (h)\n HEADER_DATA(h)->msn--;\n idata->msn_index[cur - 1] = h;\n }\n\n idata->msn_index[idata->max_msn - 1] = NULL;\n idata->max_msn--;\n\n idata->reopen |= IMAP_EXPUNGE_PENDING;\n}", "project": "mutt", "hash": 287362746778290242422928640679019386321, "size": 35, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338016 }, { "func": " virtual void save_val(Field *to) { save_org_in_field(to, NULL); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 84596011729285272760105974365076052281, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509181 }, { "func": " void save_val(Field *to)\n {\n if (check_null_ref())\n to->set_null();\n else\n Item_direct_ref::save_val(to);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 103463485856565133203859643693328233545, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509406 }, { "func": "static __sum16 __tcp_checksum_complete_user(struct sock *sk,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\t__sum16 result;\n\n\tif (sock_owned_by_user(sk)) {\n\t\tlocal_bh_enable();\n\t\tresult = __tcp_checksum_complete(skb);\n\t\tlocal_bh_disable();\n\t} else {\n\t\tresult = __tcp_checksum_complete(skb);\n\t}\n\treturn result;\n}", "project": "net-next", "hash": 153544585492933436711539461609541914319, "size": 14, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409910 }, { "func": "static int io_connect(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_async_connect __io, *io;\n\tunsigned file_flags;\n\tint ret;\n\tbool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;\n\n\tif (req->async_data) {\n\t\tio = req->async_data;\n\t} else {\n\t\tret = move_addr_to_kernel(req->connect.addr,\n\t\t\t\t\t\treq->connect.addr_len,\n\t\t\t\t\t\t&__io.address);\n\t\tif (ret)\n\t\t\tgoto out;\n\t\tio = &__io;\n\t}\n\n\tfile_flags = force_nonblock ? 
O_NONBLOCK : 0;\n\n\tret = __sys_connect_file(req->file, &io->address,\n\t\t\t\t\treq->connect.addr_len, file_flags);\n\tif ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {\n\t\tif (req->async_data)\n\t\t\treturn -EAGAIN;\n\t\tif (io_alloc_async_data(req)) {\n\t\t\tret = -ENOMEM;\n\t\t\tgoto out;\n\t\t}\n\t\tmemcpy(req->async_data, &__io, sizeof(__io));\n\t\treturn -EAGAIN;\n\t}\n\tif (ret == -ERESTARTSYS)\n\t\tret = -EINTR;\nout:\n\tif (ret < 0)\n\t\treq_set_fail_links(req);\n\t__io_req_complete(req, issue_flags, ret, 0);\n\treturn 0;\n}", "project": "linux", "hash": 225233260557854040739014676903790963550, "size": 40, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338632 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "ChannelSplitterNode* AudioContext::createChannelSplitter(ExceptionState& exceptionState)\n{\n const unsigned ChannelSplitterDefaultNumberOfOutputs = 6;\n return createChannelSplitter(ChannelSplitterDefaultNumberOfOutputs, exceptionState);\n}\n", "cwe": "", "big_vul_idx": 139631, "idx": 124783, "hash": 280325934741415351042966443448927618679 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", 
"target": 0, "func": "ChannelSplitterNode* AudioContext::createChannelSplitter(size_t numberOfOutputs, ExceptionState& exceptionState)\n{\n ASSERT(isMainThread());\n\n ChannelSplitterNode* node = ChannelSplitterNode::create(this, m_destinationNode->sampleRate(), numberOfOutputs);\n\n if (!node) {\n exceptionState.throwDOMException(\n IndexSizeError,\n \"number of outputs (\" + String::number(numberOfOutputs)\n + \") must be between 1 and \"\n + String::number(AudioContext::maxNumberOfChannels()) + \".\");\n return 0;\n }\n\n return node;\n}\n", "cwe": "", "big_vul_idx": 139632, "idx": 124784, "hash": 105775721356622060267181714200253528923 }, { "func": "UnicodeStringTest::TestPrefixAndSuffix()\n{\n UnicodeString test1(\"Now is the time for all good men to come to the aid of their country.\");\n UnicodeString test2(\"Now\");\n UnicodeString test3(\"country.\");\n UnicodeString test4(\"count\");\n\n if (!test1.startsWith(test2) || !test1.startsWith(test2, 0, test2.length())) {\n errln(\"startsWith() failed: \\\"\" + test2 + \"\\\" should be a prefix of \\\"\" + test1 + \"\\\".\");\n }\n\n if (test1.startsWith(test3) ||\n test1.startsWith(test3.getBuffer(), test3.length()) ||\n test1.startsWith(test3.getTerminatedBuffer(), 0, -1)\n ) {\n errln(\"startsWith() failed: \\\"\" + test3 + \"\\\" shouldn't be a prefix of \\\"\" + test1 + \"\\\".\");\n }\n\n if (test1.endsWith(test2)) {\n errln(\"endsWith() failed: \\\"\" + test2 + \"\\\" shouldn't be a suffix of \\\"\" + test1 + \"\\\".\");\n }\n\n if (!test1.endsWith(test3)) { \n errln(\"endsWith(test3) failed: \\\"\" + test3 + \"\\\" should be a suffix of \\\"\" + test1 + \"\\\".\");\n }\n if (!test1.endsWith(test3, 0, INT32_MAX)) {\n errln(\"endsWith(test3, 0, INT32_MAX) failed: \\\"\" + test3 + \"\\\" should be a suffix of \\\"\" + test1 + \"\\\".\");\n }\n\n if(!test1.endsWith(test3.getBuffer(), test3.length())) {\n errln(\"endsWith(test3.getBuffer(), test3.length()) failed: \\\"\" + test3 + \"\\\" should be a suffix of 
\\\"\" + test1 + \"\\\".\");\n }\n if(!test1.endsWith(test3.getTerminatedBuffer(), 0, -1)) {\n errln(\"endsWith(test3.getTerminatedBuffer(), 0, -1) failed: \\\"\" + test3 + \"\\\" should be a suffix of \\\"\" + test1 + \"\\\".\");\n }\n\n if (!test3.startsWith(test4)) {\n errln(\"endsWith(test4) failed: \\\"\" + test4 + \"\\\" should be a prefix of \\\"\" + test3 + \"\\\".\");\n }\n\n if (test4.startsWith(test3)) {\n errln(\"startsWith(test3) failed: \\\"\" + test3 + \"\\\" shouldn't be a prefix of \\\"\" + test4 + \"\\\".\");\n }\n}", "project": "icu", "hash": 140836047910130161343670217972187629814, "size": 44, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430815 }, { "func": "\nstatic int io_rsrc_ref_quiesce(struct io_rsrc_data *data, struct io_ring_ctx *ctx)\n{\n\tint ret;\n\n\t/* As we may drop ->uring_lock, other task may have started quiesce */\n\tif (data->quiesce)\n\t\treturn -ENXIO;\n\n\tdata->quiesce = true;\n\tdo {\n\t\tret = io_rsrc_node_switch_start(ctx);\n\t\tif (ret)\n\t\t\tbreak;\n\t\tio_rsrc_node_switch(ctx, data);\n\n\t\t/* kill initial ref, already quiesced if zero */\n\t\tif (atomic_dec_and_test(&data->refs))\n\t\t\tbreak;\n\t\tflush_delayed_work(&ctx->rsrc_put_work);\n\t\tret = wait_for_completion_interruptible(&data->done);\n\t\tif (!ret)\n\t\t\tbreak;\n\n\t\tatomic_inc(&data->refs);\n\t\t/* wait for all works potentially completing data->done */\n\t\tflush_delayed_work(&ctx->rsrc_put_work);\n\t\treinit_completion(&data->done);\n\n\t\tmutex_unlock(&ctx->uring_lock);\n\t\tret = io_run_task_work_sig();\n\t\tmutex_lock(&ctx->uring_lock);\n\t} while (ret >= 0);\n\tdata->quiesce = false;\n\n\treturn ret;", "project": "linux", "hash": 120428282952475506159065372590145641221, "size": 36, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead 
and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338695 }, { "func": "static inline unsigned int slab_index(void *p, struct kmem_cache *s, void *addr)\n{\n\treturn (kasan_reset_tag(p) - addr) / s->size;\n}", "project": "linux", "hash": 123715339795547899099470073230878879554, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280108 }, { "func": "OPJ_BOOL opj_tcd_rateallocate(opj_tcd_t *tcd,\n OPJ_BYTE *dest,\n OPJ_UINT32 * p_data_written,\n OPJ_UINT32 len,\n opj_codestream_info_t *cstr_info,\n opj_event_mgr_t *p_manager)\n{\n OPJ_UINT32 compno, resno, bandno, precno, cblkno, layno;\n OPJ_UINT32 passno;\n OPJ_FLOAT64 min, max;\n OPJ_FLOAT64 cumdisto[100]; /* fixed_quality */\n const OPJ_FLOAT64 K = 1; /* 1.1; fixed_quality */\n OPJ_FLOAT64 maxSE = 0;\n\n opj_cp_t *cp = tcd->cp;\n opj_tcd_tile_t *tcd_tile = tcd->tcd_image->tiles;\n opj_tcp_t *tcd_tcp = tcd->tcp;\n\n min = DBL_MAX;\n max = 0;\n\n tcd_tile->numpix = 0; /* fixed_quality */\n\n for (compno = 0; compno < tcd_tile->numcomps; compno++) {\n opj_tcd_tilecomp_t *tilec = &tcd_tile->comps[compno];\n tilec->numpix = 0;\n\n for (resno = 0; resno < tilec->numresolutions; resno++) {\n opj_tcd_resolution_t *res = &tilec->resolutions[resno];\n\n for (bandno = 0; bandno < res->numbands; bandno++) {\n opj_tcd_band_t *band = &res->bands[bandno];\n\n /* Skip empty bands */\n if (opj_tcd_is_band_empty(band)) {\n continue;\n }\n\n for (precno = 0; precno < res->pw * res->ph; precno++) {\n opj_tcd_precinct_t *prc = &band->precincts[precno];\n\n for (cblkno = 0; cblkno < prc->cw * prc->ch; cblkno++) {\n opj_tcd_cblk_enc_t *cblk = &prc->cblks.enc[cblkno];\n\n for (passno = 0; passno < cblk->totalpasses; passno++) {\n opj_tcd_pass_t *pass = &cblk->passes[passno];\n OPJ_INT32 dr;\n OPJ_FLOAT64 dd, rdslope;\n\n if (passno == 0) {\n dr = (OPJ_INT32)pass->rate;\n dd = pass->distortiondec;\n } else {\n dr = (OPJ_INT32)(pass->rate - 
cblk->passes[passno - 1].rate);\n dd = pass->distortiondec - cblk->passes[passno - 1].distortiondec;\n }\n\n if (dr == 0) {\n continue;\n }\n\n rdslope = dd / dr;\n if (rdslope < min) {\n min = rdslope;\n }\n\n if (rdslope > max) {\n max = rdslope;\n }\n } /* passno */\n\n /* fixed_quality */\n tcd_tile->numpix += ((cblk->x1 - cblk->x0) * (cblk->y1 - cblk->y0));\n tilec->numpix += ((cblk->x1 - cblk->x0) * (cblk->y1 - cblk->y0));\n } /* cbklno */\n } /* precno */\n } /* bandno */\n } /* resno */\n\n maxSE += (((OPJ_FLOAT64)(1 << tcd->image->comps[compno].prec) - 1.0)\n * ((OPJ_FLOAT64)(1 << tcd->image->comps[compno].prec) - 1.0))\n * ((OPJ_FLOAT64)(tilec->numpix));\n } /* compno */\n\n /* index file */\n if (cstr_info) {\n opj_tile_info_t *tile_info = &cstr_info->tile[tcd->tcd_tileno];\n tile_info->numpix = tcd_tile->numpix;\n tile_info->distotile = tcd_tile->distotile;\n tile_info->thresh = (OPJ_FLOAT64 *) opj_malloc(tcd_tcp->numlayers * sizeof(\n OPJ_FLOAT64));\n if (!tile_info->thresh) {\n /* FIXME event manager error callback */\n return OPJ_FALSE;\n }\n }\n\n for (layno = 0; layno < tcd_tcp->numlayers; layno++) {\n OPJ_FLOAT64 lo = min;\n OPJ_FLOAT64 hi = max;\n OPJ_UINT32 maxlen = tcd_tcp->rates[layno] > 0.0f ? 
opj_uint_min(((\n OPJ_UINT32) ceil(tcd_tcp->rates[layno])), len) : len;\n OPJ_FLOAT64 goodthresh = 0;\n OPJ_FLOAT64 stable_thresh = 0;\n OPJ_UINT32 i;\n OPJ_FLOAT64 distotarget; /* fixed_quality */\n\n /* fixed_quality */\n distotarget = tcd_tile->distotile - ((K * maxSE) / pow((OPJ_FLOAT32)10,\n tcd_tcp->distoratio[layno] / 10));\n\n /* Don't try to find an optimal threshold but rather take everything not included yet, if\n -r xx,yy,zz,0 (disto_alloc == 1 and rates == 0)\n -q xx,yy,zz,0 (fixed_quality == 1 and distoratio == 0)\n ==> possible to have some lossy layers and the last layer for sure lossless */\n if (((cp->m_specific_param.m_enc.m_disto_alloc == 1) &&\n (tcd_tcp->rates[layno] > 0.0f)) ||\n ((cp->m_specific_param.m_enc.m_fixed_quality == 1) &&\n (tcd_tcp->distoratio[layno] > 0.0))) {\n opj_t2_t*t2 = opj_t2_create(tcd->image, cp);\n OPJ_FLOAT64 thresh = 0;\n\n if (t2 == 00) {\n return OPJ_FALSE;\n }\n\n for (i = 0; i < 128; ++i) {\n OPJ_FLOAT64 distoachieved = 0; /* fixed_quality */\n\n thresh = (lo + hi) / 2;\n\n opj_tcd_makelayer(tcd, layno, thresh, 0);\n\n if (cp->m_specific_param.m_enc.m_fixed_quality) { /* fixed_quality */\n if (OPJ_IS_CINEMA(cp->rsiz) || OPJ_IS_IMF(cp->rsiz)) {\n if (! opj_t2_encode_packets(t2, tcd->tcd_tileno, tcd_tile, layno + 1, dest,\n p_data_written, maxlen, cstr_info, NULL, tcd->cur_tp_num, tcd->tp_pos,\n tcd->cur_pino,\n THRESH_CALC, p_manager)) {\n\n lo = thresh;\n continue;\n } else {\n distoachieved = layno == 0 ?\n tcd_tile->distolayer[0] : cumdisto[layno - 1] + tcd_tile->distolayer[layno];\n\n if (distoachieved < distotarget) {\n hi = thresh;\n stable_thresh = thresh;\n continue;\n } else {\n lo = thresh;\n }\n }\n } else {\n distoachieved = (layno == 0) ?\n tcd_tile->distolayer[0] : (cumdisto[layno - 1] + tcd_tile->distolayer[layno]);\n\n if (distoachieved < distotarget) {\n hi = thresh;\n stable_thresh = thresh;\n continue;\n }\n lo = thresh;\n }\n } else {\n if (! 
opj_t2_encode_packets(t2, tcd->tcd_tileno, tcd_tile, layno + 1, dest,\n p_data_written, maxlen, cstr_info, NULL, tcd->cur_tp_num, tcd->tp_pos,\n tcd->cur_pino,\n THRESH_CALC, p_manager)) {\n /* TODO: what to do with l ??? seek / tell ??? */\n /* opj_event_msg(tcd->cinfo, EVT_INFO, \"rate alloc: len=%d, max=%d\\n\", l, maxlen); */\n lo = thresh;\n continue;\n }\n\n hi = thresh;\n stable_thresh = thresh;\n }\n }\n\n goodthresh = stable_thresh == 0 ? thresh : stable_thresh;\n\n opj_t2_destroy(t2);\n } else {\n /* Special value to indicate to use all passes */\n goodthresh = -1;\n }\n\n if (cstr_info) { /* Threshold for Marcela Index */\n cstr_info->tile[tcd->tcd_tileno].thresh[layno] = goodthresh;\n }\n\n opj_tcd_makelayer(tcd, layno, goodthresh, 1);\n\n /* fixed_quality */\n cumdisto[layno] = (layno == 0) ? tcd_tile->distolayer[0] :\n (cumdisto[layno - 1] + tcd_tile->distolayer[layno]);\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 64516769401291931404358883895355277477, "size": 202, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359192 }, { "func": "OPJ_BOOL opj_tcd_rateallocate(opj_tcd_t *tcd,\n OPJ_BYTE *dest,\n OPJ_UINT32 * p_data_written,\n OPJ_UINT32 len,\n opj_codestream_info_t *cstr_info,\n opj_event_mgr_t *p_manager)\n{\n OPJ_UINT32 compno, resno, bandno, precno, cblkno, layno;\n OPJ_UINT32 passno;\n OPJ_FLOAT64 min, max;\n OPJ_FLOAT64 cumdisto[100]; /* fixed_quality */\n const OPJ_FLOAT64 K = 1; /* 1.1; fixed_quality */\n OPJ_FLOAT64 maxSE = 0;\n\n opj_cp_t *cp = tcd->cp;\n opj_tcd_tile_t *tcd_tile = tcd->tcd_image->tiles;\n opj_tcp_t *tcd_tcp = tcd->tcp;\n\n min = DBL_MAX;\n max = 0;\n\n tcd_tile->numpix = 0; /* fixed_quality */\n\n for (compno = 0; compno < tcd_tile->numcomps; compno++) {\n opj_tcd_tilecomp_t *tilec = &tcd_tile->comps[compno];\n tilec->numpix = 0;\n\n for (resno = 0; resno < 
tilec->numresolutions; resno++) {\n opj_tcd_resolution_t *res = &tilec->resolutions[resno];\n\n for (bandno = 0; bandno < res->numbands; bandno++) {\n opj_tcd_band_t *band = &res->bands[bandno];\n\n /* Skip empty bands */\n if (opj_tcd_is_band_empty(band)) {\n continue;\n }\n\n for (precno = 0; precno < res->pw * res->ph; precno++) {\n opj_tcd_precinct_t *prc = &band->precincts[precno];\n\n for (cblkno = 0; cblkno < prc->cw * prc->ch; cblkno++) {\n opj_tcd_cblk_enc_t *cblk = &prc->cblks.enc[cblkno];\n\n for (passno = 0; passno < cblk->totalpasses; passno++) {\n opj_tcd_pass_t *pass = &cblk->passes[passno];\n OPJ_INT32 dr;\n OPJ_FLOAT64 dd, rdslope;\n\n if (passno == 0) {\n dr = (OPJ_INT32)pass->rate;\n dd = pass->distortiondec;\n } else {\n dr = (OPJ_INT32)(pass->rate - cblk->passes[passno - 1].rate);\n dd = pass->distortiondec - cblk->passes[passno - 1].distortiondec;\n }\n\n if (dr == 0) {\n continue;\n }\n\n rdslope = dd / dr;\n if (rdslope < min) {\n min = rdslope;\n }\n\n if (rdslope > max) {\n max = rdslope;\n }\n } /* passno */\n\n /* fixed_quality */\n tcd_tile->numpix += ((cblk->x1 - cblk->x0) * (cblk->y1 - cblk->y0));\n tilec->numpix += ((cblk->x1 - cblk->x0) * (cblk->y1 - cblk->y0));\n } /* cbklno */\n } /* precno */\n } /* bandno */\n } /* resno */\n\n maxSE += (((OPJ_FLOAT64)(1 << tcd->image->comps[compno].prec) - 1.0)\n * ((OPJ_FLOAT64)(1 << tcd->image->comps[compno].prec) - 1.0))\n * ((OPJ_FLOAT64)(tilec->numpix));\n } /* compno */\n\n /* index file */\n if (cstr_info) {\n opj_tile_info_t *tile_info = &cstr_info->tile[tcd->tcd_tileno];\n tile_info->numpix = tcd_tile->numpix;\n tile_info->distotile = tcd_tile->distotile;\n tile_info->thresh = (OPJ_FLOAT64 *) opj_malloc(tcd_tcp->numlayers * sizeof(\n OPJ_FLOAT64));\n if (!tile_info->thresh) {\n /* FIXME event manager error callback */\n return OPJ_FALSE;\n }\n }\n\n for (layno = 0; layno < tcd_tcp->numlayers; layno++) {\n OPJ_FLOAT64 lo = min;\n OPJ_FLOAT64 hi = max;\n OPJ_UINT32 maxlen = 
tcd_tcp->rates[layno] > 0.0f ? opj_uint_min(((\n OPJ_UINT32) ceil(tcd_tcp->rates[layno])), len) : len;\n OPJ_FLOAT64 goodthresh = 0;\n OPJ_FLOAT64 stable_thresh = 0;\n OPJ_UINT32 i;\n OPJ_FLOAT64 distotarget; /* fixed_quality */\n\n /* fixed_quality */\n distotarget = tcd_tile->distotile - ((K * maxSE) / pow((OPJ_FLOAT32)10,\n tcd_tcp->distoratio[layno] / 10));\n\n /* Don't try to find an optimal threshold but rather take everything not included yet, if\n -r xx,yy,zz,0 (disto_alloc == 1 and rates == 0)\n -q xx,yy,zz,0 (fixed_quality == 1 and distoratio == 0)\n ==> possible to have some lossy layers and the last layer for sure lossless */\n if (((cp->m_specific_param.m_enc.m_disto_alloc == 1) &&\n (tcd_tcp->rates[layno] > 0.0f)) ||\n ((cp->m_specific_param.m_enc.m_fixed_quality == 1) &&\n (tcd_tcp->distoratio[layno] > 0.0))) {\n opj_t2_t*t2 = opj_t2_create(tcd->image, cp);\n OPJ_FLOAT64 thresh = 0;\n\n if (t2 == 00) {\n return OPJ_FALSE;\n }\n\n for (i = 0; i < 128; ++i) {\n OPJ_FLOAT64 distoachieved = 0; /* fixed_quality */\n\n thresh = (lo + hi) / 2;\n\n opj_tcd_makelayer(tcd, layno, thresh, 0);\n\n if (cp->m_specific_param.m_enc.m_fixed_quality) { /* fixed_quality */\n if (OPJ_IS_CINEMA(cp->rsiz)) {\n if (! opj_t2_encode_packets(t2, tcd->tcd_tileno, tcd_tile, layno + 1, dest,\n p_data_written, maxlen, cstr_info, tcd->cur_tp_num, tcd->tp_pos, tcd->cur_pino,\n THRESH_CALC, p_manager)) {\n\n lo = thresh;\n continue;\n } else {\n distoachieved = layno == 0 ?\n tcd_tile->distolayer[0] : cumdisto[layno - 1] + tcd_tile->distolayer[layno];\n\n if (distoachieved < distotarget) {\n hi = thresh;\n stable_thresh = thresh;\n continue;\n } else {\n lo = thresh;\n }\n }\n } else {\n distoachieved = (layno == 0) ?\n tcd_tile->distolayer[0] : (cumdisto[layno - 1] + tcd_tile->distolayer[layno]);\n\n if (distoachieved < distotarget) {\n hi = thresh;\n stable_thresh = thresh;\n continue;\n }\n lo = thresh;\n }\n } else {\n if (! 
opj_t2_encode_packets(t2, tcd->tcd_tileno, tcd_tile, layno + 1, dest,\n p_data_written, maxlen, cstr_info, tcd->cur_tp_num, tcd->tp_pos, tcd->cur_pino,\n THRESH_CALC, p_manager)) {\n /* TODO: what to do with l ??? seek / tell ??? */\n /* opj_event_msg(tcd->cinfo, EVT_INFO, \"rate alloc: len=%d, max=%d\\n\", l, maxlen); */\n lo = thresh;\n continue;\n }\n\n hi = thresh;\n stable_thresh = thresh;\n }\n }\n\n goodthresh = stable_thresh == 0 ? thresh : stable_thresh;\n\n opj_t2_destroy(t2);\n } else {\n /* Special value to indicate to use all passes */\n goodthresh = -1;\n }\n\n if (cstr_info) { /* Threshold for Marcela Index */\n cstr_info->tile[tcd->tcd_tileno].thresh[layno] = goodthresh;\n }\n\n opj_tcd_makelayer(tcd, layno, goodthresh, 1);\n\n /* fixed_quality */\n cumdisto[layno] = (layno == 0) ? tcd_tile->distolayer[0] :\n (cumdisto[layno - 1] + tcd_tile->distolayer[layno]);\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 281516821070102742001035593160959166381, "size": 200, "commit_id": "05f9b91e60debda0e83977e5e63b2e66486f7074", "message": "opj_tcd_init_tile(): avoid integer overflow\n\nThat could lead to later assertion failures.\n\nFixes #1231 / CVE-2020-8112", "target": 0, "dataset": "other", "idx": 451983 }, { "func": "static void execlists_submission_tasklet(unsigned long data)\n{\n\tstruct intel_engine_cs * const engine = (struct intel_engine_cs *)data;\n\tbool timeout = preempt_timeout(engine);\n\n\tprocess_csb(engine);\n\tif (!READ_ONCE(engine->execlists.pending[0]) || timeout) {\n\t\tunsigned long flags;\n\n\t\tspin_lock_irqsave(&engine->active.lock, flags);\n\t\t__execlists_submission_tasklet(engine);\n\t\tspin_unlock_irqrestore(&engine->active.lock, flags);\n\n\t\t/* Recheck after serialising with direct-submission */\n\t\tif (timeout && preempt_timeout(engine))\n\t\t\tpreempt_reset(engine);\n\t}\n}", "project": "linux", "hash": 78159693961488576157708391991625276150, "size": 18, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", 
"message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281467 }, { "func": "LineBuffer::~LineBuffer ()\n{\n delete compressor;\n}", "project": "openexr", "hash": 208654535637908341884177809145250693200, "size": 4, "commit_id": "bc88cdb6c97fbf5bc5d11ad8ca55306da931283a", "message": "sanity check ScanlineInput bytesPerLine instead of lineOffset size (#863)\n\nSigned-off-by: Peter Hillman \r\n\r\nCo-authored-by: Cary Phillips ", "target": 0, "dataset": "other", "idx": 446297 }, { "func": " bool parsePacked() {\n auto const fp = top;\n if (!matchSeparator(']')) {\n if (++array_depth >= 0) return false;\n do {\n if (!parseValue(true)) return false;\n } while (matchSeparator(','));\n --array_depth;\n if (!matchSeparator(']')) return false; // Trailing ',' not supported.\n }\n auto arr = [&] {\n if (container_type == JSONContainerType::HACK_ARRAYS) {\n return top == fp\n ? ArrayData::CreateVec()\n : PackedArray::MakeVecNatural(top - fp, fp);\n }\n if (container_type == JSONContainerType::LEGACY_HACK_ARRAYS) {\n auto ret = top == fp\n ? 
staticEmptyVecArray()->copy()\n : PackedArray::MakeVecNatural(top - fp, fp);\n ret->setLegacyArray(true);\n return ret;\n }\n if (container_type == JSONContainerType::DARRAYS_AND_VARRAYS) {\n return top == fp\n ? ArrayData::CreateVArray()\n : PackedArray::MakeVArrayNatural(top - fp, fp);\n }\n assertx(container_type == JSONContainerType::DARRAYS);\n return top == fp\n ? ArrayData::CreateDArray()\n : MixedArray::MakeDArrayNatural(top - fp, fp);\n }();\n top = fp;\n pushArrayData(arr);\n check_non_safepoint_surprise();\n return true;\n }", "project": "hhvm", "hash": 254819416168447378582922361459921790929, "size": 38, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227304 }, { "func": "int64_t MemFile::tell() {\n assertx(m_len != -1);\n return getPosition();\n}", "project": "hhvm", "hash": 14805596140106130460935987107946336549, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219388 }, { "func": " int64 RemoteIo::tell() const\n {\n return static_cast(p_->idx_);\n }", "project": "exiv2", "hash": 293601005369749419189060730426990929409, "size": 4, "commit_id": "bd0afe0390439b2c424d881c8c6eb0c5624e31d9", "message": "Add bounds check to MemIo::seek(). 
(#944)\n\n- Regression test for missing bounds check in MemIo::seek()\r\n- Add bounds check to MemIo::seek(), this fixes CVE-2019-13504", "target": 0, "dataset": "other", "idx": 367060 }, { "func": " int64 MemIo::tell() const\n {\n return (long)p_->idx_;\n }", "project": "exiv2", "hash": 262340375556523580629192870654818540039, "size": 4, "commit_id": "bd0afe0390439b2c424d881c8c6eb0c5624e31d9", "message": "Add bounds check to MemIo::seek(). (#944)\n\n- Regression test for missing bounds check in MemIo::seek()\r\n- Add bounds check to MemIo::seek(), this fixes CVE-2019-13504", "target": 0, "dataset": "other", "idx": 367070 }, { "func": " int64 FileIo::tell() const\n {\n assert(p_->fp_ != 0);\n return std::ftell(p_->fp_);\n }", "project": "exiv2", "hash": 11643884145949492992602911895672577828, "size": 5, "commit_id": "bd0afe0390439b2c424d881c8c6eb0c5624e31d9", "message": "Add bounds check to MemIo::seek(). (#944)\n\n- Regression test for missing bounds check in MemIo::seek()\r\n- Add bounds check to MemIo::seek(), this fixes CVE-2019-13504", "target": 0, "dataset": "other", "idx": 367074 }, { "func": "static int h264_set_parameter_from_sps(H264Context *h)\n{\n if (h->flags & CODEC_FLAG_LOW_DELAY ||\n (h->sps.bitstream_restriction_flag &&\n !h->sps.num_reorder_frames)) {\n if (h->avctx->has_b_frames > 1 || h->delayed_pic[0])\n av_log(h->avctx, AV_LOG_WARNING, \"Delayed frames seen. 
\"\n \"Reenabling low delay requires a codec flush.\\n\");\n else\n h->low_delay = 1;\n }\n\n if (h->avctx->has_b_frames < 2)\n h->avctx->has_b_frames = !h->low_delay;\n\n if (h->avctx->bits_per_raw_sample != h->sps.bit_depth_luma ||\n h->cur_chroma_format_idc != h->sps.chroma_format_idc) {\n if (h->avctx->codec &&\n h->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU &&\n (h->sps.bit_depth_luma != 8 || h->sps.chroma_format_idc > 1)) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"VDPAU decoding does not support video colorspace.\\n\");\n return AVERROR_INVALIDDATA;\n }\n if (h->sps.bit_depth_luma >= 8 && h->sps.bit_depth_luma <= 14 &&\n h->sps.bit_depth_luma != 11 && h->sps.bit_depth_luma != 13) {\n h->avctx->bits_per_raw_sample = h->sps.bit_depth_luma;\n h->cur_chroma_format_idc = h->sps.chroma_format_idc;\n h->pixel_shift = h->sps.bit_depth_luma > 8;\n\n ff_h264dsp_init(&h->h264dsp, h->sps.bit_depth_luma,\n h->sps.chroma_format_idc);\n ff_h264chroma_init(&h->h264chroma, h->sps.bit_depth_chroma);\n ff_h264qpel_init(&h->h264qpel, h->sps.bit_depth_luma);\n ff_h264_pred_init(&h->hpc, h->avctx->codec_id, h->sps.bit_depth_luma,\n h->sps.chroma_format_idc);\n\n if (CONFIG_ERROR_RESILIENCE)\n ff_dsputil_init(&h->dsp, h->avctx);\n ff_videodsp_init(&h->vdsp, h->sps.bit_depth_luma);\n } else {\n av_log(h->avctx, AV_LOG_ERROR, \"Unsupported bit depth: %d\\n\",\n h->sps.bit_depth_luma);\n return AVERROR_INVALIDDATA;\n }\n }\n return 0;\n}", "project": "FFmpeg", "hash": 121637838377274408078189975312285165086, "size": 48, "commit_id": "8a3b85f3a7952c54a2c36ba1797f7e0cde9f85aa", "message": "avcodec/h264: update current_sps & sps->new only after the whole slice header decoder and init code finished\n\nThis avoids them being cleared before the full initialization finished\n\nFixes out of array read\nFixes: asan_heap-oob_f0c5e6_7071_cov_1605985132_mov_h264_aac__Demo_FlagOfOurFathers.mov\nFound-by: Mateusz \"j00ru\" Jurczyk and Gynvael Coldwind\nSigned-off-by: Michael Niedermayer ", 
"target": 0, "dataset": "other", "idx": 270124 }, { "func": " virtual void update_used_tables()\n {\n if (field && field->default_value)\n field->default_value->expr->update_used_tables();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 286805591539851146994097552543307421448, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509082 }, { "func": " void update_used_tables()\n {\n update_table_bitmaps();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 337183472008039237882416259083387951524, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509224 }, { "func": " void update_used_tables()\n {\n orig_item->update_used_tables();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 63424804441176263380758686915602386094, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509256 }, { "func": " virtual COND *build_equal_items(THD *thd, COND_EQUAL *inheited,\n bool link_item_fields,\n COND_EQUAL **cond_equal_ref)\n {\n update_used_tables();\n DBUG_ASSERT(!cond_equal_ref || !cond_equal_ref[0]);\n return this;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 147812469303339820772870737450123134851, "size": 8, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509455 }, { "func": "\nstatic int io_poll_update(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tstruct io_kiocb *preq;\n\tbool completing;\n\tint ret;\n\n\tspin_lock_irq(&ctx->completion_lock);\n\tpreq = io_poll_find(ctx, req->poll_update.old_user_data, true);\n\tif (!preq) {\n\t\tret = -ENOENT;\n\t\tgoto err;\n\t}\n\n\tif (!req->poll_update.update_events && !req->poll_update.update_user_data) {\n\t\tcompleting = true;\n\t\tret = io_poll_remove_one(preq) ? 0 : -EALREADY;\n\t\tgoto err;\n\t}\n\n\t/*\n\t * Don't allow racy completion with singleshot, as we cannot safely\n\t * update those. For multishot, if we're racing with completion, just\n\t * let completion re-add it.\n\t */\n\tcompleting = !__io_poll_remove_one(preq, &preq->poll, false);\n\tif (completing && (preq->poll.events & EPOLLONESHOT)) {\n\t\tret = -EALREADY;\n\t\tgoto err;\n\t}\n\t/* we now have a detached poll request. reissue. 
*/\n\tret = 0;\nerr:\n\tif (ret < 0) {\n\t\tspin_unlock_irq(&ctx->completion_lock);\n\t\treq_set_fail_links(req);\n\t\tio_req_complete(req, ret);\n\t\treturn 0;\n\t}\n\t/* only mask one event flags, keep behavior flags */\n\tif (req->poll_update.update_events) {\n\t\tpreq->poll.events &= ~0xffff;\n\t\tpreq->poll.events |= req->poll_update.events & 0xffff;\n\t\tpreq->poll.events |= IO_POLL_UNMASK;\n\t}\n\tif (req->poll_update.update_user_data)\n\t\tpreq->user_data = req->poll_update.new_user_data;\n\tspin_unlock_irq(&ctx->completion_lock);\n\n\t/* complete update request, we're done with it */\n\tio_req_complete(req, ret);\n\n\tif (!completing) {\n\t\tret = io_poll_add(preq, issue_flags);\n\t\tif (ret < 0) {\n\t\t\treq_set_fail_links(preq);\n\t\t\tio_req_complete(preq, ret);\n\t\t}\n\t}\n\treturn 0;", "project": "linux", "hash": 48415735362676577278353968219309155482, "size": 61, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338722 }, { "func": "static void sd_stop0(struct gspca_dev *gspca_dev)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\tif (!sd->gspca_dev.present)\n\t\treturn;\n\tif (sd->bridge == BRIDGE_W9968CF)\n\t\tw9968cf_stop0(sd);\n\n#if IS_ENABLED(CONFIG_INPUT)\n\t/* If the last button state is pressed, release it now! */\n\tif (sd->snapshot_pressed) {\n\t\tinput_report_key(gspca_dev->input_dev, KEY_CAMERA, 0);\n\t\tinput_sync(gspca_dev->input_dev);\n\t\tsd->snapshot_pressed = 0;\n\t}\n#endif\n\tif (sd->bridge == BRIDGE_OV519)\n\t\treg_w(sd, OV519_R57_SNAPSHOT, 0x23);\n}", "project": "linux", "hash": 337926608282140872102079271413331664172, "size": 20, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil 
\nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306347 }, { "func": "static void __foreach(RCore *core, const char **cmds, int type) {\n\tint i;\n\tfor (i = 0; cmds[i]; i++) {\n\t\tr_core_autocomplete_add (core->autocomplete, cmds[i], type, true);\n\t}\n}", "project": "radare2", "hash": 219758697589252675520909475006191802830, "size": 6, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232176 }, { "func": "TfLiteStatus CreateLedgerTensor(const TfLiteSparsity* sparsity,\n TfLiteContext* context, TfLiteTensor* ledger) {\n TF_LITE_ENSURE(context, sparsity != nullptr);\n ledger->type = kTfLiteUInt8;\n ledger->allocation_type = kTfLiteArenaRwPersistent;\n TfLiteIntArray* ledger_size = TfLiteIntArrayCreate(1);\n ledger_size->data[0] = sparsity->dim_metadata[1].array_indices->size +\n sparsity->dim_metadata[1].array_segments->size - 1;\n return context->ResizeTensor(context, ledger, ledger_size);\n}", "project": "tensorflow", "hash": 33569040372662834916068991002940347062, "size": 10, "commit_id": "6c0b2b70eeee588591680f5b7d5d38175fd7cdf6", "message": "[lite] add validation check for sparse fully connected\n\nPiperOrigin-RevId: 417629354\nChange-Id: If96171c4bd4f5fdb01d6368d6deab19d1c9beca7", "target": 0, "dataset": "other", "idx": 220491 }, { "func": "void CLua::set_error(int err, lua_State *ls)\n{\n if (!err)\n {\n error.clear();\n return;\n }\n if (!ls && !(ls = _state))\n {\n error = \"\";\n return;\n }\n const char *serr = lua_tostring(ls, -1);\n lua_pop(ls, 1);\n error = serr? 
serr : \"\";\n}", "project": "crawl", "hash": 36431416906901148242651499463911584766, "size": 16, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230530 }, { "func": "rfbBool rfbSendFileTransferMessage(rfbClientPtr cl, uint8_t contentType, uint8_t contentParam, uint32_t size, uint32_t length, const char *buffer)\n{\n rfbFileTransferMsg ft;\n ft.type = rfbFileTransfer;\n ft.contentType = contentType;\n ft.contentParam = contentParam;\n ft.pad = 0; /* UltraVNC did not Swap16LE(ft.contentParam) (Looks like it might be BigEndian) */\n ft.size = Swap32IfLE(size);\n ft.length = Swap32IfLE(length);\n \n FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN(\"\", cl, FALSE);\n /*\n rfbLog(\"rfbSendFileTransferMessage( %dtype, %dparam, %dsize, %dlen, %p)\\n\", contentType, contentParam, size, length, buffer);\n */\n LOCK(cl->sendMutex);\n if (rfbWriteExact(cl, (char *)&ft, sz_rfbFileTransferMsg) < 0) {\n rfbLogPerror(\"rfbSendFileTransferMessage: write\");\n rfbCloseClient(cl);\n UNLOCK(cl->sendMutex);\n return FALSE;\n }\n\n if (length>0)\n {\n if (rfbWriteExact(cl, buffer, length) < 0) {\n rfbLogPerror(\"rfbSendFileTransferMessage: write\");\n rfbCloseClient(cl);\n UNLOCK(cl->sendMutex);\n return FALSE;\n }\n }\n UNLOCK(cl->sendMutex);\n\n rfbStatRecordMessageSent(cl, rfbFileTransfer, sz_rfbFileTransferMsg+length, sz_rfbFileTransferMsg+length);\n\n return TRUE;\n}", "project": "libvncserver", "hash": 289152223219240016318716559394958475544, "size": 37, "commit_id": "673c07a75ed844d74676f3ccdcfdc706a7052dba", "message": "libvncserver/rfbserver: fix possible divide-by-zero\n\nCloses #409", "target": 0, "dataset": "other", "idx": 295867 }, { "func": "UChar32 UnicodeString::unescapeAt(int32_t &offset) const {\n return u_unescapeAt(UnicodeString_charAt, &offset, length(), (void*)this);\n}", "project": "icu", "hash": 137394042723486222392981356790850669961, "size": 3, "commit_id": 
"b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430831 }, { "func": "static int kvm_s390_set_cpu_model(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tint ret = -ENXIO;\n\n\tswitch (attr->attr) {\n\tcase KVM_S390_VM_CPU_PROCESSOR:\n\t\tret = kvm_s390_set_processor(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_CPU_PROCESSOR_FEAT:\n\t\tret = kvm_s390_set_processor_feat(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_CPU_PROCESSOR_SUBFUNC:\n\t\tret = kvm_s390_set_processor_subfunc(kvm, attr);\n\t\tbreak;\n\t}\n\treturn ret;\n}", "project": "linux", "hash": 246251831072955239876469348120423250710, "size": 17, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354643 }, { "func": "static bool hci_resolve_next_name(struct hci_dev *hdev)\n{\n\tstruct discovery_state *discov = &hdev->discovery;\n\tstruct inquiry_entry *e;\n\n\tif (list_empty(&discov->resolve))\n\t\treturn false;\n\n\te = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);\n\tif (!e)\n\t\treturn false;\n\n\tif (hci_resolve_name(hdev, e) == 0) {\n\t\te->name_state = NAME_PENDING;\n\t\treturn true;\n\t}\n\n\treturn false;\n}", "project": "linux", "hash": 201521020320710277435414092552687966206, "size": 19, "commit_id": 
"51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431981 }, { "func": "void tipc_node_apply_property(struct net *net, struct tipc_bearer *b,\n\t\t\t int prop)\n{\n\tstruct tipc_net *tn = tipc_net(net);\n\tint bearer_id = b->identity;\n\tstruct sk_buff_head xmitq;\n\tstruct tipc_link_entry *e;\n\tstruct tipc_node *n;\n\n\t__skb_queue_head_init(&xmitq);\n\n\trcu_read_lock();\n\n\tlist_for_each_entry_rcu(n, &tn->node_list, list) {\n\t\ttipc_node_write_lock(n);\n\t\te = &n->links[bearer_id];\n\t\tif (e->link) {\n\t\t\tif (prop == TIPC_NLA_PROP_TOL)\n\t\t\t\ttipc_link_set_tolerance(e->link, b->tolerance,\n\t\t\t\t\t\t\t&xmitq);\n\t\t\telse if (prop == TIPC_NLA_PROP_MTU)\n\t\t\t\ttipc_link_set_mtu(e->link, b->mtu);\n\n\t\t\t/* Update MTU for node link entry */\n\t\t\te->mtu = tipc_link_mss(e->link);\n\t\t}\n\n\t\ttipc_node_write_unlock(n);\n\t\ttipc_bearer_xmit(net, bearer_id, &xmitq, &e->maddr, NULL);\n\t}\n\n\trcu_read_unlock();\n}", "project": "linux", "hash": 183488716847796238738153664614013692583, "size": 33, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot 
reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 
55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364922 }, { "func": "static u32 svm_msrpm_offset(u32 msr)\n{\n\tu32 offset;\n\tint i;\n\n\tfor (i = 0; i < NUM_MSR_MAPS; i++) {\n\t\tif (msr < msrpm_ranges[i] ||\n\t\t msr >= msrpm_ranges[i] + MSRS_IN_RANGE)\n\t\t\tcontinue;\n\n\t\toffset = (msr - msrpm_ranges[i]) / 4; /* 4 msrs per u8 */\n\t\toffset += (i * MSRS_RANGE_SIZE); /* add range offset */\n\n\t\t/* Now we have the u8 offset - but need the u32 offset */\n\t\treturn offset / 4;\n\t}\n\n\t/* MSR not in any range */\n\treturn MSR_INVALID;\n}", "project": "linux", "hash": 316465180362961017365548196014840200367, "size": 20, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432604 }, { "func": "static int lookup_node(struct mm_struct *mm, unsigned long addr)\n{\n\tstruct page *p;\n\tint err;\n\n\tint locked = 1;\n\terr = get_user_pages_locked(addr & PAGE_MASK, 1, 0, &p, &locked);\n\tif (err >= 0) {\n\t\terr = page_to_nid(p);\n\t\tput_page(p);\n\t}\n\tif (locked)\n\t\tup_read(&mm->mmap_sem);\n\treturn err;\n}", "project": "linux", "hash": 66328628686648163090334282914493187247, "size": 15, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366798 }, { "func": "static bool update_mtime(unsigned ivalid, bool trust_local_mtime)\n{\n\t/* Always update if mtime is explicitly set */\n\tif (ivalid & ATTR_MTIME_SET)\n\t\treturn true;\n\n\t/* Or if kernel i_mtime is the official one */\n\tif (trust_local_mtime)\n\t\treturn true;\n\n\t/* If it's an open(O_TRUNC) or an ftruncate(), don't update */\n\tif ((ivalid & ATTR_SIZE) && (ivalid & (ATTR_OPEN | ATTR_FILE)))\n\t\treturn false;\n\n\t/* In all other cases update */\n\treturn true;\n}", "project": "linux", "hash": 308695600033709879283255416267377640190, "size": 17, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342095 }, { "func": "static int kvm_hv_set_msr(struct kvm_vcpu *vcpu, u32 msr, u64 data, bool host)\n{\n\tstruct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu);\n\n\tswitch (msr) {\n\tcase HV_X64_MSR_VP_INDEX: {\n\t\tstruct kvm_hv *hv = to_kvm_hv(vcpu->kvm);\n\t\tint vcpu_idx = kvm_vcpu_get_idx(vcpu);\n\t\tu32 new_vp_index = (u32)data;\n\n\t\tif (!host || new_vp_index >= KVM_MAX_VCPUS)\n\t\t\treturn 1;\n\n\t\tif (new_vp_index == hv_vcpu->vp_index)\n\t\t\treturn 0;\n\n\t\t/*\n\t\t * The VP index is initialized to vcpu_index by\n\t\t * kvm_hv_vcpu_postcreate so they initially match. Now the\n\t\t * VP index is changing, adjust num_mismatched_vp_indexes if\n\t\t * it now matches or no longer matches vcpu_idx.\n\t\t */\n\t\tif (hv_vcpu->vp_index == vcpu_idx)\n\t\t\tatomic_inc(&hv->num_mismatched_vp_indexes);\n\t\telse if (new_vp_index == vcpu_idx)\n\t\t\tatomic_dec(&hv->num_mismatched_vp_indexes);\n\n\t\thv_vcpu->vp_index = new_vp_index;\n\t\tbreak;\n\t}\n\tcase HV_X64_MSR_VP_ASSIST_PAGE: {\n\t\tu64 gfn;\n\t\tunsigned long addr;\n\n\t\tif (!(data & HV_X64_MSR_VP_ASSIST_PAGE_ENABLE)) {\n\t\t\thv_vcpu->hv_vapic = data;\n\t\t\tif (kvm_lapic_enable_pv_eoi(vcpu, 0, 0))\n\t\t\t\treturn 1;\n\t\t\tbreak;\n\t\t}\n\t\tgfn = data >> HV_X64_MSR_VP_ASSIST_PAGE_ADDRESS_SHIFT;\n\t\taddr = kvm_vcpu_gfn_to_hva(vcpu, gfn);\n\t\tif (kvm_is_error_hva(addr))\n\t\t\treturn 1;\n\n\t\t/*\n\t\t * Clear apic_assist portion of struct hv_vp_assist_page\n\t\t * only, there can be valuable data in the rest which needs\n\t\t * to be preserved e.g. 
on migration.\n\t\t */\n\t\tif (__put_user(0, (u32 __user *)addr))\n\t\t\treturn 1;\n\t\thv_vcpu->hv_vapic = data;\n\t\tkvm_vcpu_mark_page_dirty(vcpu, gfn);\n\t\tif (kvm_lapic_enable_pv_eoi(vcpu,\n\t\t\t\t\t gfn_to_gpa(gfn) | KVM_MSR_ENABLED,\n\t\t\t\t\t sizeof(struct hv_vp_assist_page)))\n\t\t\treturn 1;\n\t\tbreak;\n\t}\n\tcase HV_X64_MSR_EOI:\n\t\treturn kvm_hv_vapic_msr_write(vcpu, APIC_EOI, data);\n\tcase HV_X64_MSR_ICR:\n\t\treturn kvm_hv_vapic_msr_write(vcpu, APIC_ICR, data);\n\tcase HV_X64_MSR_TPR:\n\t\treturn kvm_hv_vapic_msr_write(vcpu, APIC_TASKPRI, data);\n\tcase HV_X64_MSR_VP_RUNTIME:\n\t\tif (!host)\n\t\t\treturn 1;\n\t\thv_vcpu->runtime_offset = data - current_task_runtime_100ns();\n\t\tbreak;\n\tcase HV_X64_MSR_SCONTROL:\n\tcase HV_X64_MSR_SVERSION:\n\tcase HV_X64_MSR_SIEFP:\n\tcase HV_X64_MSR_SIMP:\n\tcase HV_X64_MSR_EOM:\n\tcase HV_X64_MSR_SINT0 ... HV_X64_MSR_SINT15:\n\t\treturn synic_set_msr(to_hv_synic(vcpu), msr, data, host);\n\tcase HV_X64_MSR_STIMER0_CONFIG:\n\tcase HV_X64_MSR_STIMER1_CONFIG:\n\tcase HV_X64_MSR_STIMER2_CONFIG:\n\tcase HV_X64_MSR_STIMER3_CONFIG: {\n\t\tint timer_index = (msr - HV_X64_MSR_STIMER0_CONFIG)/2;\n\n\t\treturn stimer_set_config(to_hv_stimer(vcpu, timer_index),\n\t\t\t\t\t data, host);\n\t}\n\tcase HV_X64_MSR_STIMER0_COUNT:\n\tcase HV_X64_MSR_STIMER1_COUNT:\n\tcase HV_X64_MSR_STIMER2_COUNT:\n\tcase HV_X64_MSR_STIMER3_COUNT: {\n\t\tint timer_index = (msr - HV_X64_MSR_STIMER0_COUNT)/2;\n\n\t\treturn stimer_set_count(to_hv_stimer(vcpu, timer_index),\n\t\t\t\t\tdata, host);\n\t}\n\tcase HV_X64_MSR_TSC_FREQUENCY:\n\tcase HV_X64_MSR_APIC_FREQUENCY:\n\t\t/* read-only, but still ignore it if host-initiated */\n\t\tif (!host)\n\t\t\treturn 1;\n\t\tbreak;\n\tdefault:\n\t\tvcpu_unimpl(vcpu, \"Hyper-V unhandled wrmsr: 0x%x data 0x%llx\\n\",\n\t\t\t msr, data);\n\t\treturn 1;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 216629113180667458042120052579349117505, "size": 110, "commit_id": 
"919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343533 }, { "func": "static int nfs4_proc_pgio_rpc_prepare(struct rpc_task *task,\n\t\t\t\t struct nfs_pgio_header *hdr)\n{\n\tif (nfs4_setup_sequence(NFS_SERVER(hdr->inode)->nfs_client,\n\t\t\t&hdr->args.seq_args,\n\t\t\t&hdr->res.seq_res,\n\t\t\ttask))\n\t\treturn 0;\n\tif (nfs4_set_rw_stateid(&hdr->args.stateid, hdr->args.context,\n\t\t\t\thdr->args.lock_context,\n\t\t\t\thdr->rw_mode) == -EIO)\n\t\treturn -EIO;\n\tif (unlikely(test_bit(NFS_CONTEXT_BAD, &hdr->args.context->flags)))\n\t\treturn -EIO;\n\treturn 0;\n}", "project": "linux", "hash": 61515831891709728128392424728849038605, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431556 }, { "func": " void DoFFTInternal(OpKernelContext* ctx, se::Stream* stream,\n se::fft::Plan* plan, const se::fft::Type fft_type,\n const uint64 output_distance, const Tensor& in,\n Tensor* out) {\n const TensorShape& input_shape = in.shape();\n const TensorShape& output_shape = out->shape();\n auto src =\n AsDeviceMemory(in.flat().data(), input_shape.num_elements());\n auto dst = AsDeviceMemory(out->flat().data(),\n output_shape.num_elements());\n OP_REQUIRES(\n ctx, 
stream->ThenFft(plan, src, &dst).ok(),\n errors::Internal(\"fft failed : type=\", static_cast(fft_type),\n \" in.shape=\", input_shape.DebugString()));\n if (!IsForward()) {\n typedef typename RealTypeFromComplexType::RealT RealT;\n RealT alpha = 1.0 / output_distance;\n OP_REQUIRES(\n ctx,\n stream->ThenBlasScal(output_shape.num_elements(), alpha, &dst, 1)\n .ok(),\n errors::Internal(\"BlasScal failed : in.shape=\",\n input_shape.DebugString()));\n }\n }", "project": "tensorflow", "hash": 94012920786138743119211267201949061140, "size": 25, "commit_id": "31bd5026304677faa8a0b77602c6154171b9aec1", "message": "Prevent check fail in FFT\n\nPiperOrigin-RevId: 372031044\nChange-Id: I50994e3e8a5d1342d01bde80256f6bf2730ca299", "target": 0, "dataset": "other", "idx": 235729 }, { "func": "inline static void appendsimplestring(char **buffer, int *pos, int *size,\n const char *add, int len) {\n int req_size = *pos + len;\n\n if (req_size > *size) {\n while (req_size > *size) {\n *size <<= 1;\n }\n *buffer = (char *)realloc(*buffer, *size);\n }\n memcpy(&(*buffer)[*pos], add, len);\n *pos += len;\n}", "project": "hhvm", "hash": 153550786110767197216217697696185338133, "size": 13, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219491 }, { "func": "int dequeue_signal(struct task_struct *tsk, sigset_t *mask, kernel_siginfo_t *info)\n{\n\tbool resched_timer = false;\n\tint signr;\n\n\t/* We only dequeue private signals from ourselves, we don't let\n\t * signalfd steal them\n\t */\n\tsignr = __dequeue_signal(&tsk->pending, mask, info, &resched_timer);\n\tif (!signr) {\n\t\tsignr = __dequeue_signal(&tsk->signal->shared_pending,\n\t\t\t\t\t mask, info, &resched_timer);\n#ifdef CONFIG_POSIX_TIMERS\n\t\t/*\n\t\t * itimer signal ?\n\t\t *\n\t\t * itimers are process shared and we restart periodic\n\t\t * itimers in the signal delivery path to prevent 
DoS\n\t\t * attacks in the high resolution timer case. This is\n\t\t * compliant with the old way of self-restarting\n\t\t * itimers, as the SIGALRM is a legacy signal and only\n\t\t * queued once. Changing the restart behaviour to\n\t\t * restart the timer in the signal dequeue path is\n\t\t * reducing the timer noise on heavy loaded !highres\n\t\t * systems too.\n\t\t */\n\t\tif (unlikely(signr == SIGALRM)) {\n\t\t\tstruct hrtimer *tmr = &tsk->signal->real_timer;\n\n\t\t\tif (!hrtimer_is_queued(tmr) &&\n\t\t\t tsk->signal->it_real_incr != 0) {\n\t\t\t\thrtimer_forward(tmr, tmr->base->get_time(),\n\t\t\t\t\t\ttsk->signal->it_real_incr);\n\t\t\t\thrtimer_restart(tmr);\n\t\t\t}\n\t\t}\n#endif\n\t}\n\n\trecalc_sigpending();\n\tif (!signr)\n\t\treturn 0;\n\n\tif (unlikely(sig_kernel_stop(signr))) {\n\t\t/*\n\t\t * Set a marker that we have dequeued a stop signal. Our\n\t\t * caller might release the siglock and then the pending\n\t\t * stop signal it is about to process is no longer in the\n\t\t * pending bitmasks, but must still be cleared by a SIGCONT\n\t\t * (and overruled by a SIGKILL). So those cases clear this\n\t\t * shared flag after we've set it. Note that this flag may\n\t\t * remain set after the signal we return is ignored or\n\t\t * handled. That doesn't matter because its only purpose\n\t\t * is to alert stop-signal processing code when another\n\t\t * processor has come along and cleared the flag.\n\t\t */\n\t\tcurrent->jobctl |= JOBCTL_STOP_DEQUEUED;\n\t}\n#ifdef CONFIG_POSIX_TIMERS\n\tif (resched_timer) {\n\t\t/*\n\t\t * Release the siglock to ensure proper locking order\n\t\t * of timer locks outside of siglocks. 
Note, we leave\n\t\t * irqs disabled here, since the posix-timers code is\n\t\t * about to disable them again anyway.\n\t\t */\n\t\tspin_unlock(&tsk->sighand->siglock);\n\t\tposixtimer_rearm(info);\n\t\tspin_lock(&tsk->sighand->siglock);\n\n\t\t/* Don't expose the si_sys_private value to userspace */\n\t\tinfo->si_sys_private = 0;\n\t}\n#endif\n\treturn signr;\n}", "project": "linux", "hash": 314283153019600657603390768065477130535, "size": 76, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375213 }, { "func": "void tty_vhangup_self(void)\n{\n\tstruct tty_struct *tty;\n\n\ttty = get_current_tty();\n\tif (tty) {\n\t\ttty_vhangup(tty);\n\t\ttty_kref_put(tty);\n\t}\n}", "project": "linux", "hash": 234412633392022124308522810933956420004, "size": 10, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325977 }, { "func": " uint32_t capacity() const {\n return m_px->capacity(); // intentionally skip nullptr check\n }", "project": "hhvm", "hash": 316195736077715645985165311529041476013, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219586 }, { "func": "inline uint32_t StringData::capacity() const {\n assertx(isRefCounted());\n return kSizeIndex2StringCapacity[m_aux16 & 0xff];\n}", "project": "hhvm", "hash": 212015605587540460207628627377905960417, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219786 }, { "func": " uint32_t capacity() const {\n return m_str->capacity(); // intentionally skip nullptr check\n }", "project": "hhvm", "hash": 205801228923851693729067805268958649243, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219832 }, { "func": "static 
inline int kvm_memslot_insert_back(struct kvm_memslots *slots)\n{\n\treturn slots->used_slots++;\n}", "project": "linux", "hash": 50666587500507512642071899972560993335, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354505 }, { "func": "static int sctp_setsockopt_reuse_port(struct sock *sk, int *val,\n\t\t\t\t unsigned int optlen)\n{\n\tif (!sctp_style(sk, TCP))\n\t\treturn -EOPNOTSUPP;\n\n\tif (sctp_sk(sk)->ep->base.bind_addr.port)\n\t\treturn -EFAULT;\n\n\tif (optlen < sizeof(int))\n\t\treturn -EINVAL;\n\n\tsctp_sk(sk)->reuse = !!*val;\n\n\treturn 0;\n}", "project": "linux", "hash": 130394560790651867592315340919971121464, "size": 16, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398179 }, { "func": "int kvm_arch_vcpu_ioctl_set_regs(struct kvm_vcpu *vcpu, struct kvm_regs *regs)\n{\n\tvcpu_load(vcpu);\n\tmemcpy(&vcpu->run->s.regs.gprs, &regs->gprs, sizeof(regs->gprs));\n\tvcpu_put(vcpu);\n\treturn 0;\n}", "project": "linux", "hash": 286158306738526819812346787746832548843, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354492 }, { "func": "DwaCompressor::uncompressTile\n (const char *inPtr,\n int inSize,\n IMATH_NAMESPACE::Box2i range,\n const char *&outPtr)\n{\n return uncompress (inPtr, inSize, range, outPtr);\n}", "project": "openexr", "hash": 127517492851255350338448077621613717058, "size": 8, "commit_id": "3eda5d70aba127bae9bd6bae9956fcf024b64031", "message": "fixes for DWA uncompress: sanity check unknown data reading, 
off-by-one error on max suffix string length\n\nSigned-off-by: Peter Hillman ", "target": 0, "dataset": "other", "idx": 440096 }, { "func": "static void nf_tables_rule_notify(const struct nft_ctx *ctx,\n\t\t\t\t const struct nft_rule *rule, int event)\n{\n\tstruct nftables_pernet *nft_net = nft_pernet(ctx->net);\n\tstruct sk_buff *skb;\n\tint err;\n\n\tif (!ctx->report &&\n\t !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))\n\t\treturn;\n\n\tskb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);\n\tif (skb == NULL)\n\t\tgoto err;\n\n\terr = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,\n\t\t\t\t event, 0, ctx->family, ctx->table,\n\t\t\t\t ctx->chain, rule, NULL);\n\tif (err < 0) {\n\t\tkfree_skb(skb);\n\t\tgoto err;\n\t}\n\n\tnft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);\n\treturn;\nerr:\n\tnfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);\n}", "project": "linux", "hash": 280782292227456820137016451314727530083, "size": 28, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? 
nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328394 }, { "func": "static int _nfs4_proc_open_confirm(struct nfs4_opendata *data)\n{\n\tstruct nfs_server *server = NFS_SERVER(d_inode(data->dir));\n\tstruct rpc_task *task;\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_OPEN_CONFIRM],\n\t\t.rpc_argp = &data->c_arg,\n\t\t.rpc_resp = &data->c_res,\n\t\t.rpc_cred = data->owner->so_cred,\n\t};\n\tstruct rpc_task_setup task_setup_data = {\n\t\t.rpc_client = server->client,\n\t\t.rpc_message = &msg,\n\t\t.callback_ops = &nfs4_open_confirm_ops,\n\t\t.callback_data = data,\n\t\t.workqueue = nfsiod_workqueue,\n\t\t.flags = RPC_TASK_ASYNC | RPC_TASK_CRED_NOREF,\n\t};\n\tint status;\n\n\tnfs4_init_sequence(&data->c_arg.seq_args, &data->c_res.seq_res, 1,\n\t\t\t\tdata->is_recover);\n\tkref_get(&data->kref);\n\tdata->rpc_done = false;\n\tdata->rpc_status = 0;\n\tdata->timestamp = jiffies;\n\ttask = rpc_run_task(&task_setup_data);\n\tif (IS_ERR(task))\n\t\treturn PTR_ERR(task);\n\tstatus = rpc_wait_for_completion_task(task);\n\tif (status != 0) {\n\t\tdata->cancelled = true;\n\t\tsmp_wmb();\n\t} else\n\t\tstatus = data->rpc_status;\n\trpc_put_task(task);\n\treturn status;\n}", "project": "linux", "hash": 58831642294027886053067720643748283223, "size": 38, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of 
Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430950 }, { "func": "static apr_byte_t oidc_handle_flows(request_rec *r, oidc_cfg *c,\n\t\toidc_proto_state_t *proto_state, oidc_provider_t *provider,\n\t\tapr_table_t *params, const char *response_mode, oidc_jwt_t **jwt) {\n\n\tapr_byte_t rc = FALSE;\n\n\tconst char *requested_response_type = oidc_proto_state_get_response_type(\n\t\t\tproto_state);\n\n\t/* handle the requested response type/mode */\n\tif (oidc_util_spaced_string_equals(r->pool, requested_response_type,\n\t\t\tOIDC_PROTO_RESPONSE_TYPE_CODE_IDTOKEN_TOKEN)) {\n\t\trc = oidc_proto_authorization_response_code_idtoken_token(r, c,\n\t\t\t\tproto_state, provider, params, response_mode, jwt);\n\t} else if (oidc_util_spaced_string_equals(r->pool, requested_response_type,\n\t\t\tOIDC_PROTO_RESPONSE_TYPE_CODE_IDTOKEN)) {\n\t\trc = oidc_proto_authorization_response_code_idtoken(r, c, proto_state,\n\t\t\t\tprovider, params, response_mode, jwt);\n\t} else if (oidc_util_spaced_string_equals(r->pool, requested_response_type,\n\t\t\tOIDC_PROTO_RESPONSE_TYPE_CODE_TOKEN)) {\n\t\trc = oidc_proto_handle_authorization_response_code_token(r, c,\n\t\t\t\tproto_state, provider, params, response_mode, jwt);\n\t} else if (oidc_util_spaced_string_equals(r->pool, requested_response_type,\n\t\t\tOIDC_PROTO_RESPONSE_TYPE_CODE)) {\n\t\trc = oidc_proto_handle_authorization_response_code(r, c, proto_state,\n\t\t\t\tprovider, params, response_mode, jwt);\n\t} else if (oidc_util_spaced_string_equals(r->pool, requested_response_type,\n\t\t\tOIDC_PROTO_RESPONSE_TYPE_IDTOKEN_TOKEN)) {\n\t\trc = oidc_proto_handle_authorization_response_idtoken_token(r, c,\n\t\t\t\tproto_state, provider, params, response_mode, jwt);\n\t} else if (oidc_util_spaced_string_equals(r->pool, requested_response_type,\n\t\t\tOIDC_PROTO_RESPONSE_TYPE_IDTOKEN)) {\n\t\trc = 
oidc_proto_handle_authorization_response_idtoken(r, c, proto_state,\n\t\t\t\tprovider, params, response_mode, jwt);\n\t} else {\n\t\toidc_error(r, \"unsupported response type: \\\"%s\\\"\",\n\t\t\t\trequested_response_type);\n\t}\n\n\tif ((rc == FALSE) && (*jwt != NULL)) {\n\t\toidc_jwt_destroy(*jwt);\n\t\t*jwt = NULL;\n\t}\n\n\treturn rc;\n}", "project": "mod_auth_openidc", "hash": 286878390085018916578794231329085930377, "size": 46, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381941 }, { "func": "DLLEXPORT int DLLCALL tjEncodeYUV3(tjhandle handle,\n\tconst unsigned char *srcBuf, int width, int pitch, int height,\n\tint pixelFormat, unsigned char *dstBuf, int pad, int subsamp, int flags)\n{\n\tunsigned char *dstPlanes[3];\n\tint pw0, ph0, strides[3], retval=-1;\n\n\tif(width<=0 || height<=0 || dstBuf==NULL || pad<0 || !isPow2(pad)\n\t\t|| subsamp<0 || subsamp>=NUMSUBOPT)\n\t\t_throw(\"tjEncodeYUV3(): Invalid argument\");\n\n\tpw0=tjPlaneWidth(0, width, subsamp);\n\tph0=tjPlaneHeight(0, height, subsamp);\n\tdstPlanes[0]=dstBuf;\n\tstrides[0]=PAD(pw0, pad);\n\tif(subsamp==TJSAMP_GRAY)\n\t{\n\t\tstrides[1]=strides[2]=0;\n\t\tdstPlanes[1]=dstPlanes[2]=NULL;\n\t}\n\telse\n\t{\n\t\tint pw1=tjPlaneWidth(1, width, subsamp);\n\t\tint ph1=tjPlaneHeight(1, height, subsamp);\n\t\tstrides[1]=strides[2]=PAD(pw1, pad);\n\t\tdstPlanes[1]=dstPlanes[0]+strides[0]*ph0;\n\t\tdstPlanes[2]=dstPlanes[1]+strides[1]*ph1;\n\t}\n\n\treturn tjEncodeYUVPlanes(handle, srcBuf, width, pitch, height, pixelFormat,\n\t\tdstPlanes, strides, subsamp, flags);\n\n\tbailout:\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 198949772923858181307044027123405582521, "size": 35, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB 
write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311098 }, { "func": "static void svm_set_cr3(struct kvm_vcpu *vcpu, unsigned long root)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tsvm->vmcb->save.cr3 = __sme_set(root);\n\tmark_dirty(svm->vmcb, VMCB_CR);\n}", "project": "linux", "hash": 287850328786932584484933000735241494870, "size": 7, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432465 }, { "func": "static void svm_set_cr3(struct kvm_vcpu *vcpu, unsigned long root)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tsvm->vmcb->save.cr3 = root;\n\tmark_dirty(svm->vmcb, VMCB_CR);\n\tsvm_flush_tlb(vcpu);\n}", "project": "kvm", "hash": 36249767508317046929106520343838530667, "size": 8, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architectures, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437642 }, { "func": "static void iattr_to_fattr(struct fuse_conn *fc, struct iattr *iattr,\n\t\t\t struct fuse_setattr_in *arg, bool trust_local_cmtime)\n{\n\tunsigned ivalid = iattr->ia_valid;\n\n\tif (ivalid & ATTR_MODE)\n\t\targ->valid |= FATTR_MODE, arg->mode = iattr->ia_mode;\n\tif (ivalid & ATTR_UID)\n\t\targ->valid |= FATTR_UID, arg->uid = from_kuid(fc->user_ns, iattr->ia_uid);\n\tif (ivalid & ATTR_GID)\n\t\targ->valid |= FATTR_GID, arg->gid = from_kgid(fc->user_ns, iattr->ia_gid);\n\tif (ivalid & ATTR_SIZE)\n\t\targ->valid |= FATTR_SIZE, arg->size = iattr->ia_size;\n\tif (ivalid & ATTR_ATIME) {\n\t\targ->valid |= FATTR_ATIME;\n\t\targ->atime = iattr->ia_atime.tv_sec;\n\t\targ->atimensec = iattr->ia_atime.tv_nsec;\n\t\tif (!(ivalid & 
ATTR_ATIME_SET))\n\t\t\targ->valid |= FATTR_ATIME_NOW;\n\t}\n\tif ((ivalid & ATTR_MTIME) && update_mtime(ivalid, trust_local_cmtime)) {\n\t\targ->valid |= FATTR_MTIME;\n\t\targ->mtime = iattr->ia_mtime.tv_sec;\n\t\targ->mtimensec = iattr->ia_mtime.tv_nsec;\n\t\tif (!(ivalid & ATTR_MTIME_SET) && !trust_local_cmtime)\n\t\t\targ->valid |= FATTR_MTIME_NOW;\n\t}\n\tif ((ivalid & ATTR_CTIME) && trust_local_cmtime) {\n\t\targ->valid |= FATTR_CTIME;\n\t\targ->ctime = iattr->ia_ctime.tv_sec;\n\t\targ->ctimensec = iattr->ia_ctime.tv_nsec;\n\t}\n}", "project": "linux", "hash": 72075864780034218651034384267211870271, "size": 33, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341927 }, { "func": "\nstatic int io_buffers_map_alloc(struct io_ring_ctx *ctx, unsigned int nr_args)\n{\n\tctx->user_bufs = kcalloc(nr_args, sizeof(*ctx->user_bufs), GFP_KERNEL);\n\treturn ctx->user_bufs ? 
0 : -ENOMEM;", "project": "linux", "hash": 287419555976958132028631832234787649300, "size": 5, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338678 }, { "func": "static int do_newsgroups(char *name, void *rock)\n{\n struct list_rock *lrock = (struct list_rock *) rock;\n struct mboxlist_entry *mbentry = NULL;\n int r;\n\n r = mlookup(name, &mbentry);\n\n if (r || !mbentry->acl ||\n\t!(cyrus_acl_myrights(nntp_authstate, mbentry->acl) && ACL_LOOKUP)) {\n\tmboxlist_entry_free(&mbentry);\n\treturn 0;\n }\n\n if (mbentry->server) {\n\t/* remote group */\n\tif (!hash_lookup(mbentry->server, &lrock->server_table)) {\n\t /* add this server to our table */\n\t hash_insert(mbentry->server, (void *)0xDEADBEEF, &lrock->server_table);\n\t}\n\tmboxlist_entry_free(&mbentry);\n }\n else {\n\t/* local group */\n\tmboxlist_entry_free(&mbentry);\n\treturn CYRUSDB_DONE;\n }\n\n return 0;\n}", "project": "cyrus-imapd", "hash": 137443464666905264150195133810087059206, "size": 30, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451902 }, { "func": "static void encode_getfh(struct xdr_stream *xdr, struct compound_hdr 
*hdr)\n{\n\tencode_op_hdr(xdr, OP_GETFH, decode_getfh_maxsz, hdr);\n}", "project": "linux", "hash": 197960973520960875486359944072925058008, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431431 }, { "func": "static int atomic_open(struct nameidata *nd, struct dentry *dentry,\n\t\t\tstruct path *path, struct file *file,\n\t\t\tconst struct open_flags *op,\n\t\t\tint open_flag, umode_t mode)\n{\n\tstruct dentry *const DENTRY_NOT_SET = (void *) -1UL;\n\tstruct inode *dir = nd->path.dentry->d_inode;\n\tint error;\n\n\tif (!(~open_flag & (O_EXCL | O_CREAT)))\t/* both O_EXCL and O_CREAT */\n\t\topen_flag &= ~O_TRUNC;\n\n\tif (nd->flags & LOOKUP_DIRECTORY)\n\t\topen_flag |= O_DIRECTORY;\n\n\tfile->f_path.dentry = DENTRY_NOT_SET;\n\tfile->f_path.mnt = nd->path.mnt;\n\terror = dir->i_op->atomic_open(dir, dentry, file,\n\t\t\t\t open_to_namei_flags(open_flag), mode);\n\td_lookup_done(dentry);\n\tif (!error) {\n\t\tif (file->f_mode & FMODE_OPENED) {\n\t\t\t/*\n\t\t\t * We didn't have the inode before the open, so check open\n\t\t\t * permission here.\n\t\t\t */\n\t\t\tint acc_mode = op->acc_mode;\n\t\t\tif (file->f_mode & FMODE_CREATED) {\n\t\t\t\tWARN_ON(!(open_flag & O_CREAT));\n\t\t\t\tfsnotify_create(dir, dentry);\n\t\t\t\tacc_mode = 0;\n\t\t\t}\n\t\t\terror = may_open(&file->f_path, acc_mode, open_flag);\n\t\t\tif (WARN_ON(error > 0))\n\t\t\t\terror = -EINVAL;\n\t\t} else if (WARN_ON(file->f_path.dentry == DENTRY_NOT_SET)) {\n\t\t\terror = -EIO;\n\t\t} else {\n\t\t\tif (file->f_path.dentry) {\n\t\t\t\tdput(dentry);\n\t\t\t\tdentry = 
file->f_path.dentry;\n\t\t\t}\n\t\t\tif (file->f_mode & FMODE_CREATED)\n\t\t\t\tfsnotify_create(dir, dentry);\n\t\t\tif (unlikely(d_is_negative(dentry))) {\n\t\t\t\terror = -ENOENT;\n\t\t\t} else {\n\t\t\t\tpath->dentry = dentry;\n\t\t\t\tpath->mnt = nd->path.mnt;\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t}\n\t}\n\tdput(dentry);\n\treturn error;\n}", "project": "linux", "hash": 183150936686575120456451912943142604042, "size": 56, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295350 }, { "func": "tcp_collapse(struct sock *sk, struct sk_buff_head *list,\n\t struct sk_buff *head, struct sk_buff *tail,\n\t u32 start, u32 end)\n{\n\tstruct sk_buff *skb, *n;\n\tbool end_of_skbs;\n\n\t/* First, check that queue is collapsible and find\n\t * the point where collapsing can be useful. */\n\tskb = head;\nrestart:\n\tend_of_skbs = true;\n\tskb_queue_walk_from_safe(list, skb, n) {\n\t\tif (skb == tail)\n\t\t\tbreak;\n\t\t/* No new bits? It is possible on ofo queue. 
*/\n\t\tif (!before(start, TCP_SKB_CB(skb)->end_seq)) {\n\t\t\tskb = tcp_collapse_one(sk, skb, list);\n\t\t\tif (!skb)\n\t\t\t\tbreak;\n\t\t\tgoto restart;\n\t\t}\n\n\t\t/* The first skb to collapse is:\n\t\t * - not SYN/FIN and\n\t\t * - bloated or contains data before \"start\" or\n\t\t * overlaps to the next one.\n\t\t */\n\t\tif (!tcp_hdr(skb)->syn && !tcp_hdr(skb)->fin &&\n\t\t (tcp_win_from_space(skb->truesize) > skb->len ||\n\t\t before(TCP_SKB_CB(skb)->seq, start))) {\n\t\t\tend_of_skbs = false;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (!skb_queue_is_last(list, skb)) {\n\t\t\tstruct sk_buff *next = skb_queue_next(list, skb);\n\t\t\tif (next != tail &&\n\t\t\t TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(next)->seq) {\n\t\t\t\tend_of_skbs = false;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\t/* Decided to skip this, advance start seq. */\n\t\tstart = TCP_SKB_CB(skb)->end_seq;\n\t}\n\tif (end_of_skbs || tcp_hdr(skb)->syn || tcp_hdr(skb)->fin)\n\t\treturn;\n\n\twhile (before(start, end)) {\n\t\tstruct sk_buff *nskb;\n\t\tunsigned int header = skb_headroom(skb);\n\t\tint copy = SKB_MAX_ORDER(header, 0);\n\n\t\t/* Too big header? This can happen with IPv6. */\n\t\tif (copy < 0)\n\t\t\treturn;\n\t\tif (end - start < copy)\n\t\t\tcopy = end - start;\n\t\tnskb = alloc_skb(copy + header, GFP_ATOMIC);\n\t\tif (!nskb)\n\t\t\treturn;\n\n\t\tskb_set_mac_header(nskb, skb_mac_header(skb) - skb->head);\n\t\tskb_set_network_header(nskb, (skb_network_header(skb) -\n\t\t\t\t\t skb->head));\n\t\tskb_set_transport_header(nskb, (skb_transport_header(skb) -\n\t\t\t\t\t\tskb->head));\n\t\tskb_reserve(nskb, header);\n\t\tmemcpy(nskb->head, skb->head, header);\n\t\tmemcpy(nskb->cb, skb->cb, sizeof(skb->cb));\n\t\tTCP_SKB_CB(nskb)->seq = TCP_SKB_CB(nskb)->end_seq = start;\n\t\t__skb_queue_before(list, skb, nskb);\n\t\tskb_set_owner_r(nskb, sk);\n\n\t\t/* Copy data, releasing collapsed skbs. 
*/\n\t\twhile (copy > 0) {\n\t\t\tint offset = start - TCP_SKB_CB(skb)->seq;\n\t\t\tint size = TCP_SKB_CB(skb)->end_seq - start;\n\n\t\t\tBUG_ON(offset < 0);\n\t\t\tif (size > 0) {\n\t\t\t\tsize = min(copy, size);\n\t\t\t\tif (skb_copy_bits(skb, offset, skb_put(nskb, size), size))\n\t\t\t\t\tBUG();\n\t\t\t\tTCP_SKB_CB(nskb)->end_seq += size;\n\t\t\t\tcopy -= size;\n\t\t\t\tstart += size;\n\t\t\t}\n\t\t\tif (!before(start, TCP_SKB_CB(skb)->end_seq)) {\n\t\t\t\tskb = tcp_collapse_one(sk, skb, list);\n\t\t\t\tif (!skb ||\n\t\t\t\t skb == tail ||\n\t\t\t\t tcp_hdr(skb)->syn ||\n\t\t\t\t tcp_hdr(skb)->fin)\n\t\t\t\t\treturn;\n\t\t\t}\n\t\t}\n\t}\n}", "project": "net-next", "hash": 29923354512870527499751554425406826694, "size": 101, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409857 }, { "func": "static bool synic_has_vector_connected(struct kvm_vcpu_hv_synic *synic,\n\t\t\t\t int vector)\n{\n\tint i;\n\n\tfor (i = 0; i < ARRAY_SIZE(synic->sint); i++) {\n\t\tif (synic_get_sint_vector(synic_read_sint(synic, i)) == vector)\n\t\t\treturn true;\n\t}\n\treturn false;\n}", "project": "linux", "hash": 260343780318006237293791651929949388911, "size": 11, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343539 }, { "func": "void CSoundFile::InstrumentChange(ModChannel *pChn, uint32 instr, bool bPorta, bool bUpdVol, bool bResetEnv) const\n{\n\tconst ModInstrument *pIns = instr <= GetNumInstruments() ? Instruments[instr] : nullptr;\n\tconst ModSample *pSmp = &Samples[instr];\n\tModCommand::NOTE note = pChn->nNewNote;\n\n\tif(note == NOTE_NONE && m_playBehaviour[kITInstrWithoutNote]) return;\n\n\tif(pIns != nullptr && ModCommand::IsNote(note))\n\t{\n\t\t// Impulse Tracker ignores empty slots.\n\t\t// We won't ignore them if a plugin is assigned to this slot, so that VSTis still work as intended.\n\t\t// Test case: emptyslot.it, PortaInsNum.it, gxsmp.it, gxsmp2.it\n\t\tif(pIns->Keyboard[note - NOTE_MIN] == 0 && m_playBehaviour[kITEmptyNoteMapSlot] && !pIns->HasValidMIDIChannel())\n\t\t{\n\t\t\tpChn->pModInstrument = pIns;\n\t\t\treturn;\n\t\t}\n\n\t\tif(pIns->NoteMap[note - NOTE_MIN] > NOTE_MAX) return;\n\t\tuint32 n = pIns->Keyboard[note - NOTE_MIN];\n\t\tpSmp = ((n) && (n < MAX_SAMPLES)) ? 
&Samples[n] : nullptr;\n\t} else if(GetNumInstruments())\n\t{\n\t\t// No valid instrument, or not a valid note.\n\t\tif (note >= NOTE_MIN_SPECIAL) return;\n\t\tif(m_playBehaviour[kITEmptyNoteMapSlot] && (pIns == nullptr || !pIns->HasValidMIDIChannel()))\n\t\t{\n\t\t\t// Impulse Tracker ignores empty slots.\n\t\t\t// We won't ignore them if a plugin is assigned to this slot, so that VSTis still work as intended.\n\t\t\t// Test case: emptyslot.it, PortaInsNum.it, gxsmp.it, gxsmp2.it\n\t\t\tpChn->pModInstrument = nullptr;\n\t\t\tpChn->nNewIns = 0;\n\t\t\treturn;\n\t\t}\n\t\tpSmp = nullptr;\n\t}\n\n\tbool returnAfterVolumeAdjust = false;\n\n\t// instrumentChanged is used for IT carry-on env option\n\tbool instrumentChanged = (pIns != pChn->pModInstrument);\n\tconst bool sampleChanged = (pChn->pModSample != nullptr) && (pSmp != pChn->pModSample);\n\n\tconst bool newTuning = (GetType() == MOD_TYPE_MPT && pIns && pIns->pTuning);\n\t// Playback behavior change for MPT: With portamento don't change sample if it is in\n\t// the same instrument as previous sample.\n\tif(bPorta && newTuning && pIns == pChn->pModInstrument && sampleChanged)\n\t\treturn;\n\n\tif(sampleChanged && bPorta)\n\t{\n\t\t// IT compatibility: No sample change (also within multi-sample instruments) during portamento when using Compatible Gxx.\n\t\t// Test case: PortaInsNumCompat.it, PortaSampleCompat.it, PortaCutCompat.it\n\t\tif(m_playBehaviour[kITPortamentoInstrument] && m_SongFlags[SONG_ITCOMPATGXX] && !pChn->increment.IsZero())\n\t\t{\n\t\t\tpSmp = pChn->pModSample;\n\t\t}\n\n\t\t// Special XM hack (also applies to MOD / S3M, except when playing IT-style S3Ms, such as k_vision.s3m)\n\t\t// Test case: PortaSmpChange.mod, PortaSmpChange.s3m\n\t\tif((!instrumentChanged && (GetType() & (MOD_TYPE_XM | MOD_TYPE_MT2)) && pIns)\n\t\t\t|| (GetType() == MOD_TYPE_PLM)\n\t\t\t|| (GetType() == MOD_TYPE_MOD && pChn->IsSamplePlaying())\n\t\t\t|| m_playBehaviour[kST3PortaSampleChange])\n\t\t{\n\t\t\t// FT2 doesn't 
change the sample in this case,\n\t\t\t// but still uses the sample info from the old one (bug?)\n\t\t\treturnAfterVolumeAdjust = true;\n\t\t}\n\t}\n\t// IT compatibility: A lone instrument number should only reset sample properties to those of the corresponding sample in instrument mode.\n\t// C#5 01 ... <-- sample 1\n\t// C-5 .. g02 <-- sample 2\n\t// ... 01 ... <-- still sample 1, but with properties of sample 2\n\t// In the above example, no sample change happens on the second row. In the third row, sample 1 keeps playing but with the\n\t// volume and panning properties of sample 2.\n\t// Test case: InstrAfterMultisamplePorta.it\n\tif(m_nInstruments && !instrumentChanged && sampleChanged && pChn->pCurrentSample != nullptr && m_playBehaviour[kITMultiSampleInstrumentNumber] && !pChn->rowCommand.IsNote())\n\t{\n\t\treturnAfterVolumeAdjust = true;\n\t}\n\n\t// IT Compatibility: Envelope pickup after SCx cut (but don't do this when working with plugins, or else envelope carry stops working)\n\t// Test case: cut-carry.it\n\tif(!pChn->IsSamplePlaying() && (GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT)) && (!pIns || !pIns->HasValidMIDIChannel()))\n\t{\n\t\tinstrumentChanged = true;\n\t}\n\n\t// FT2 compatibility: new instrument + portamento = ignore new instrument number, but reload old instrument settings (the world of XM is upside down...)\n\t// And this does *not* happen if volume column portamento is used together with note delay... 
(handled in ProcessEffects(), where all the other note delay stuff is.)\n\t// Test case: porta-delay.xm\n\tif(instrumentChanged && bPorta && m_playBehaviour[kFT2PortaIgnoreInstr] && (pChn->pModInstrument != nullptr || pChn->pModSample != nullptr))\n\t{\n\t\tpIns = pChn->pModInstrument;\n\t\tpSmp = pChn->pModSample;\n\t\tinstrumentChanged = false;\n\t} else\n\t{\n\t\tpChn->pModInstrument = pIns;\n\t}\n\n\t// Update Volume\n\tif (bUpdVol && (!(GetType() & (MOD_TYPE_MOD | MOD_TYPE_S3M)) || ((pSmp != nullptr && pSmp->HasSampleData()) || pChn->HasMIDIOutput())))\n\t{\n\t\tif(pSmp)\n\t\t{\n\t\t\tif(!pSmp->uFlags[SMP_NODEFAULTVOLUME])\n\t\t\t\tpChn->nVolume = pSmp->nVolume;\n\t\t} else if(pIns && pIns->nMixPlug)\n\t\t{\n\t\t\tpChn->nVolume = pChn->GetVSTVolume();\n\t\t} else\n\t\t{\n\t\t\tpChn->nVolume = 0;\n\t\t}\n\t}\n\n\tif(returnAfterVolumeAdjust && sampleChanged && m_playBehaviour[kMODSampleSwap] && pSmp != nullptr)\n\t{\n\t\t// ProTracker applies new instrument's finetune but keeps the old sample playing.\n\t\t// Test case: PortaSwapPT.mod\n\t\tpChn->nFineTune = pSmp->nFineTune;\n\t}\n\n\tif(returnAfterVolumeAdjust) return;\n\n\n\t// Instrument adjust\n\tpChn->nNewIns = 0;\n\n\t// IT Compatiblity: NNA is reset on every note change, not every instrument change (fixes s7xinsnum.it).\n\tif (pIns && ((!m_playBehaviour[kITNNAReset] && pSmp) || pIns->nMixPlug))\n\t\tpChn->nNNA = pIns->nNNA;\n\n\t// Update volume\n\tpChn->UpdateInstrumentVolume(pSmp, pIns);\n\n\t// Update panning\n\t// FT2 compatibility: Only reset panning on instrument numbers, not notes (bUpdVol condition)\n\t// Test case: PanMemory.xm\n\t// IT compatibility: Sample and instrument panning is only applied on note change, not instrument change\n\t// Test case: PanReset.it\n\tif((bUpdVol || !(GetType() & (MOD_TYPE_XM | MOD_TYPE_MT2))) && !m_playBehaviour[kITPanningReset])\n\t{\n\t\tApplyInstrumentPanning(pChn, pIns, pSmp);\n\t}\n\n\t// Reset envelopes\n\tif(bResetEnv)\n\t{\n\t\t// Blurb by Storlek (from the 
SchismTracker code):\n\t\t// Conditions experimentally determined to cause envelope reset in Impulse Tracker:\n\t\t// - no note currently playing (of course)\n\t\t// - note given, no portamento\n\t\t// - instrument number given, portamento, compat gxx enabled\n\t\t// - instrument number given, no portamento, after keyoff, old effects enabled\n\t\t// If someone can enlighten me to what the logic really is here, I'd appreciate it.\n\t\t// Seems like it's just a total mess though, probably to get XMs to play right.\n\n\t\tbool reset, resetAlways;\n\n\t\t// IT Compatibility: Envelope reset\n\t\t// Test case: EnvReset.it\n\t\tif(m_playBehaviour[kITEnvelopeReset])\n\t\t{\n\t\t\tconst bool insNumber = (instr != 0);\n\t\t\treset = (!pChn->nLength\n\t\t\t\t|| (insNumber && bPorta && m_SongFlags[SONG_ITCOMPATGXX])\n\t\t\t\t|| (insNumber && !bPorta && pChn->dwFlags[CHN_NOTEFADE | CHN_KEYOFF] && m_SongFlags[SONG_ITOLDEFFECTS]));\n\t\t\t// NOTE: IT2.14 with SB/GUS/etc. output is different. We are going after IT's WAV writer here.\n\t\t\t// For SB/GUS/etc. 
emulation, envelope carry should only apply when the NNA isn't set to \"Note Cut\".\n\t\t\t// Test case: CarryNNA.it\n\t\t\tresetAlways = (!pChn->nFadeOutVol || instrumentChanged || pChn->dwFlags[CHN_KEYOFF]);\n\t\t} else\n\t\t{\n\t\t\treset = (!bPorta || !(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT | MOD_TYPE_DBM)) || m_SongFlags[SONG_ITCOMPATGXX]\n\t\t\t\t|| !pChn->nLength || (pChn->dwFlags[CHN_NOTEFADE] && !pChn->nFadeOutVol));\n\t\t\tresetAlways = !(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT | MOD_TYPE_DBM)) || instrumentChanged || pIns == nullptr || pChn->dwFlags[CHN_KEYOFF | CHN_NOTEFADE];\n\t\t}\n\n\t\tif(reset)\n\t\t{\n\t\t\tpChn->dwFlags.set(CHN_FASTVOLRAMP);\n\t\t\tif(pIns != nullptr)\n\t\t\t{\n\t\t\t\tif(resetAlways)\n\t\t\t\t{\n\t\t\t\t\tpChn->ResetEnvelopes();\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\tif(!pIns->VolEnv.dwFlags[ENV_CARRY]) pChn->VolEnv.Reset();\n\t\t\t\t\tif(!pIns->PanEnv.dwFlags[ENV_CARRY]) pChn->PanEnv.Reset();\n\t\t\t\t\tif(!pIns->PitchEnv.dwFlags[ENV_CARRY]) pChn->PitchEnv.Reset();\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// IT Compatibility: Autovibrato reset\n\t\t\tif(!m_playBehaviour[kITVibratoTremoloPanbrello])\n\t\t\t{\n\t\t\t\tpChn->nAutoVibDepth = 0;\n\t\t\t\tpChn->nAutoVibPos = 0;\n\t\t\t}\n\t\t} else if(pIns != nullptr && !pIns->VolEnv.dwFlags[ENV_ENABLED])\n\t\t{\n\t\t\tif(m_playBehaviour[kITPortamentoInstrument])\n\t\t\t{\n\t\t\t\tpChn->VolEnv.Reset();\n\t\t\t} else\n\t\t\t{\n\t\t\t\tpChn->ResetEnvelopes();\n\t\t\t}\n\t\t}\n\t}\n\t// Invalid sample ?\n\tif(pSmp == nullptr && (pIns == nullptr || !pIns->HasValidMIDIChannel()))\n\t{\n\t\tpChn->pModSample = nullptr;\n\t\tpChn->nInsVol = 0;\n\t\treturn;\n\t}\n\n\t// Tone-Portamento doesn't reset the pingpong direction flag\n\tif(bPorta && pSmp == pChn->pModSample && pSmp != nullptr)\n\t{\n\t\t// If channel length is 0, we cut a previous sample using SCx. 
In that case, we have to update sample length, loop points, etc...\n\t\tif(GetType() & (MOD_TYPE_S3M|MOD_TYPE_IT|MOD_TYPE_MPT) && pChn->nLength != 0) return;\n\t\tpChn->dwFlags.reset(CHN_KEYOFF | CHN_NOTEFADE);\n\t\tpChn->dwFlags = (pChn->dwFlags & (CHN_CHANNELFLAGS | CHN_PINGPONGFLAG));\n\t} else //if(!instrumentChanged || pChn->rowCommand.instr != 0 || !IsCompatibleMode(TRK_FASTTRACKER2))\t// SampleChange.xm?\n\t{\n\t\tpChn->dwFlags.reset(CHN_KEYOFF | CHN_NOTEFADE);\n\n\t\t// IT compatibility tentative fix: Don't change bidi loop direction when\n\t\t// no sample nor instrument is changed.\n\t\tif((m_playBehaviour[kITPingPongNoReset] || !(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT))) && pSmp == pChn->pModSample && !instrumentChanged)\n\t\t\tpChn->dwFlags = (pChn->dwFlags & (CHN_CHANNELFLAGS | CHN_PINGPONGFLAG));\n\t\telse\n\t\t\tpChn->dwFlags = (pChn->dwFlags & CHN_CHANNELFLAGS);\n\n\t\tif(pIns)\n\t\t{\n\t\t\t// Copy envelope flags (we actually only need the \"enabled\" and \"pitch\" flag)\n\t\t\tpChn->VolEnv.flags = pIns->VolEnv.dwFlags;\n\t\t\tpChn->PanEnv.flags = pIns->PanEnv.dwFlags;\n\t\t\tpChn->PitchEnv.flags = pIns->PitchEnv.dwFlags;\n\n\t\t\t// A cutoff frequency of 0 should not be reset just because the filter envelope is enabled.\n\t\t\t// Test case: FilterEnvReset.it\n\t\t\tif((pIns->PitchEnv.dwFlags & (ENV_ENABLED | ENV_FILTER)) == (ENV_ENABLED | ENV_FILTER) && !m_playBehaviour[kITFilterBehaviour])\n\t\t\t{\n\t\t\t\tif(!pChn->nCutOff) pChn->nCutOff = 0x7F;\n\t\t\t}\n\n\t\t\tif(pIns->IsCutoffEnabled()) pChn->nCutOff = pIns->GetCutoff();\n\t\t\tif(pIns->IsResonanceEnabled()) pChn->nResonance = pIns->GetResonance();\n\t\t}\n\t}\n\n\tif(pSmp == nullptr)\n\t{\n\t\tpChn->pModSample = nullptr;\n\t\tpChn->nLength = 0;\n\t\treturn;\n\t}\n\n\tif(bPorta && pChn->nLength == 0 && (m_playBehaviour[kFT2PortaNoNote] || m_playBehaviour[kITPortaNoNote]))\n\t{\n\t\t// IT/FT2 compatibility: If the note just stopped on the previous tick, prevent it from restarting.\n\t\t// 
Test cases: PortaJustStoppedNote.xm, PortaJustStoppedNote.it\n\t\tpChn->increment.Set(0);\n\t}\n\n\tpChn->pModSample = pSmp;\n\tpChn->nLength = pSmp->nLength;\n\tpChn->nLoopStart = pSmp->nLoopStart;\n\tpChn->nLoopEnd = pSmp->nLoopEnd;\n\t// ProTracker \"oneshot\" loops (if loop start is 0, play the whole sample once and then repeat until loop end)\n\tif(m_playBehaviour[kMODOneShotLoops] && pChn->nLoopStart == 0) pChn->nLoopEnd = pSmp->nLength;\n\tpChn->dwFlags |= (pSmp->uFlags & (CHN_SAMPLEFLAGS | CHN_SURROUND));\n\n\t// IT Compatibility: Autovibrato reset\n\tif(m_playBehaviour[kITVibratoTremoloPanbrello])\n\t{\n\t\tpChn->nAutoVibDepth = 0;\n\t\tpChn->nAutoVibPos = 0;\n\t}\n\n\tif(newTuning)\n\t{\n\t\tpChn->nC5Speed = pSmp->nC5Speed;\n\t\tpChn->m_CalculateFreq = true;\n\t\tpChn->nFineTune = 0;\n\t} else if(!bPorta || sampleChanged || !(GetType() & (MOD_TYPE_MOD | MOD_TYPE_XM)))\n\t{\n\t\t// Don't reset finetune changed by \"set finetune\" command.\n\t\t// Test case: finetune.xm, finetune.mod\n\t\t// But *do* change the finetune if we switch to a different sample, to fix\n\t\t// Miranda`s axe by Jamson (jam007.xm) - this file doesn't use compatible play mode,\n\t\t// so we may want to use IsCompatibleMode instead if further problems arise.\n\t\tpChn->nC5Speed = pSmp->nC5Speed;\n\t\tpChn->nFineTune = pSmp->nFineTune;\n\t}\n\n\n\tpChn->nTranspose = pSmp->RelativeTone;\n\n\t// FT2 compatibility: Don't reset portamento target with new instrument numbers.\n\t// Test case: Porta-Pickup.xm\n\t// ProTracker does the same.\n\t// Test case: PortaTarget.mod\n\tif(!m_playBehaviour[kFT2PortaTargetNoReset] && GetType() != MOD_TYPE_MOD)\n\t{\n\t\tpChn->nPortamentoDest = 0;\n\t}\n\tpChn->m_PortamentoFineSteps = 0;\n\n\tif(pChn->dwFlags[CHN_SUSTAINLOOP])\n\t{\n\t\tpChn->nLoopStart = pSmp->nSustainStart;\n\t\tpChn->nLoopEnd = pSmp->nSustainEnd;\n\t\tif(pChn->dwFlags[CHN_PINGPONGSUSTAIN]) 
pChn->dwFlags.set(CHN_PINGPONGLOOP);\n\t\tpChn->dwFlags.set(CHN_LOOP);\n\t}\n\tif(pChn->dwFlags[CHN_LOOP] && pChn->nLoopEnd < pChn->nLength) pChn->nLength = pChn->nLoopEnd;\n\n\t// Fix sample position on instrument change. This is needed for IT \"on the fly\" sample change.\n\t// XXX is this actually called? In ProcessEffects(), a note-on effect is emulated if there's an on the fly sample change!\n\tif(pChn->position.GetUInt() >= pChn->nLength)\n\t{\n\t\tif((GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT)))\n\t\t{\n\t\t\tpChn->position.Set(0);\n\t\t}\n\t}\n}", "project": "openmpt", "hash": 274069214138365432016801720237594158877, "size": 337, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255204 }, { "func": "static void get_futex_key_refs(union futex_key *key)\n{\n\tif (!key->both.ptr)\n\t\treturn;\n\n\tswitch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {\n\tcase FUT_OFF_INODE:\n\t\tatomic_inc(&key->shared.inode->i_count);\n\t\tbreak;\n\tcase FUT_OFF_MMSHARED:\n\t\tatomic_inc(&key->private.mm->mm_count);\n\t\tbreak;\n\t}\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 131541348380483442090494081510522715901, "size": 14, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in 
ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492314 }, { "func": "int nfs4_proc_setclientid(struct nfs_client *clp, u32 program,\n\t\tunsigned short port, const struct cred *cred,\n\t\tstruct nfs4_setclientid_res *res)\n{\n\tnfs4_verifier sc_verifier;\n\tstruct nfs4_setclientid setclientid = {\n\t\t.sc_verifier = &sc_verifier,\n\t\t.sc_prog = program,\n\t\t.sc_clnt = clp,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_SETCLIENTID],\n\t\t.rpc_argp = &setclientid,\n\t\t.rpc_resp = res,\n\t\t.rpc_cred = cred,\n\t};\n\tstruct rpc_task_setup task_setup_data = {\n\t\t.rpc_client = clp->cl_rpcclient,\n\t\t.rpc_message = &msg,\n\t\t.callback_ops = &nfs4_setclientid_ops,\n\t\t.callback_data = &setclientid,\n\t\t.flags = RPC_TASK_TIMEOUT | RPC_TASK_NO_ROUND_ROBIN,\n\t};\n\tunsigned long now = jiffies;\n\tint status;\n\n\t/* nfs_client_id4 */\n\tnfs4_init_boot_verifier(clp, &sc_verifier);\n\n\tif (test_bit(NFS_CS_MIGRATION, &clp->cl_flags))\n\t\tstatus = nfs4_init_uniform_client_string(clp);\n\telse\n\t\tstatus = 
nfs4_init_nonuniform_client_string(clp);\n\n\tif (status)\n\t\tgoto out;\n\n\t/* cb_client4 */\n\tsetclientid.sc_netid_len =\n\t\t\t\tnfs4_init_callback_netid(clp,\n\t\t\t\t\t\tsetclientid.sc_netid,\n\t\t\t\t\t\tsizeof(setclientid.sc_netid));\n\tsetclientid.sc_uaddr_len = scnprintf(setclientid.sc_uaddr,\n\t\t\t\tsizeof(setclientid.sc_uaddr), \"%s.%u.%u\",\n\t\t\t\tclp->cl_ipaddr, port >> 8, port & 255);\n\n\tdprintk(\"NFS call setclientid auth=%s, '%s'\\n\",\n\t\tclp->cl_rpcclient->cl_auth->au_ops->au_name,\n\t\tclp->cl_owner_id);\n\n\tstatus = nfs4_call_sync_custom(&task_setup_data);\n\tif (setclientid.sc_cred) {\n\t\tkfree(clp->cl_acceptor);\n\t\tclp->cl_acceptor = rpcauth_stringify_acceptor(setclientid.sc_cred);\n\t\tput_rpccred(setclientid.sc_cred);\n\t}\n\n\tif (status == 0)\n\t\tdo_renew_lease(clp, now);\nout:\n\ttrace_nfs4_setclientid(clp, status);\n\tdprintk(\"NFS reply setclientid: %d\\n\", status);\n\treturn status;\n}", "project": "linux", "hash": 192402496309102251127683400663943410796, "size": 64, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431593 }, { "func": "otError Commissioner::SendMgmtCommissionerSetRequest(const otCommissioningDataset &aDataset,\n const uint8_t * aTlvs,\n uint8_t aLength)\n{\n otError error = OT_ERROR_NONE;\n Coap::Message * message;\n Ip6::MessageInfo messageInfo;\n\n VerifyOrExit((message = NewMeshCoPMessage(Get())) != NULL, error = OT_ERROR_NO_BUFS);\n\n SuccessOrExit(error = message->Init(OT_COAP_TYPE_CONFIRMABLE, OT_COAP_CODE_POST, OT_URI_PATH_COMMISSIONER_SET));\n SuccessOrExit(error = 
message->SetPayloadMarker());\n\n if (aDataset.mIsLocatorSet)\n {\n MeshCoP::BorderAgentLocatorTlv locator;\n locator.Init();\n locator.SetBorderAgentLocator(aDataset.mLocator);\n SuccessOrExit(error = message->AppendTlv(locator));\n }\n\n if (aDataset.mIsSessionIdSet)\n {\n MeshCoP::CommissionerSessionIdTlv sessionId;\n sessionId.Init();\n sessionId.SetCommissionerSessionId(aDataset.mSessionId);\n SuccessOrExit(error = message->AppendTlv(sessionId));\n }\n\n if (aDataset.mIsSteeringDataSet)\n {\n MeshCoP::SteeringDataTlv steeringData;\n steeringData.Init();\n steeringData.SetLength(aDataset.mSteeringData.mLength);\n SuccessOrExit(error = message->Append(&steeringData, sizeof(MeshCoP::Tlv)));\n SuccessOrExit(error = message->Append(&aDataset.mSteeringData.m8, aDataset.mSteeringData.mLength));\n }\n\n if (aDataset.mIsJoinerUdpPortSet)\n {\n MeshCoP::JoinerUdpPortTlv joinerUdpPort;\n joinerUdpPort.Init();\n joinerUdpPort.SetUdpPort(aDataset.mJoinerUdpPort);\n SuccessOrExit(error = message->AppendTlv(joinerUdpPort));\n }\n\n if (aLength > 0)\n {\n SuccessOrExit(error = message->Append(aTlvs, aLength));\n }\n\n if (message->GetLength() == message->GetOffset())\n {\n // no payload, remove coap payload marker\n message->SetLength(message->GetLength() - 1);\n }\n\n messageInfo.SetSockAddr(Get().GetMeshLocal16());\n SuccessOrExit(error = Get().GetLeaderAloc(messageInfo.GetPeerAddr()));\n messageInfo.SetPeerPort(kCoapUdpPort);\n SuccessOrExit(error = Get().SendMessage(*message, messageInfo,\n Commissioner::HandleMgmtCommissionerSetResponse, this));\n\n otLogInfoMeshCoP(\"sent MGMT_COMMISSIONER_SET.req to leader\");\n\nexit:\n\n if (error != OT_ERROR_NONE && message != NULL)\n {\n message->Free();\n }\n\n return error;\n}", "project": "openthread", "hash": 301555190683436123984960636369635925142, "size": 74, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 
269905 }, { "func": "static void clear_pending_adv_report(struct hci_dev *hdev)\n{\n\tstruct discovery_state *d = &hdev->discovery;\n\n\tbacpy(&d->last_adv_addr, BDADDR_ANY);\n\td->last_adv_data_len = 0;\n}", "project": "linux", "hash": 92766383748679312095600195953524136043, "size": 7, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431893 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "JNIEXPORT void JNICALL Java_edu_berkeley_cs_rise_opaque_execution_SGXEnclave_RemoteAttestation3(\n JNIEnv *env, jobject obj,\n jlong eid,\n jbyteArray att_result_input) {\n\n (void)env;\n (void)obj;\n\n#ifdef DEBUG\n printf(\"RemoteAttestation3 called\\n\");\n#endif\n\n sgx_status_t status = SGX_SUCCESS;\n //uint32_t input_len = (uint32_t) env->GetArrayLength(att_result_input);\n jboolean if_copy = false;\n jbyte *ptr = env->GetByteArrayElements(att_result_input, &if_copy);\n\n ra_samp_response_header_t *att_result_full = (ra_samp_response_header_t *)(ptr);\n sample_ra_att_result_msg_t *att_result = (sample_ra_att_result_msg_t *) att_result_full->body;\n\n#ifdef DEBUG\n printf(\"[RemoteAttestation3] att_result's size is %u\\n\", att_result_full->size);\n#endif\n\n // Check the MAC using MK on the attestation result message.\n // The format of the attestation result message is ISV specific.\n // This is a simple form 
for demonstration. In a real product,\n // the ISV may want to communicate more information.\n int ret = 0;\n ret = ecall_verify_att_result_mac(eid,\n &status,\n context,\n (uint8_t*)&att_result->platform_info_blob,\n sizeof(ias_platform_info_blob_t),\n (uint8_t*)&att_result->mac,\n sizeof(sgx_mac_t));\n\n if((SGX_SUCCESS != ret) || (SGX_SUCCESS != status)) {\n fprintf(stdout, \"\\nError: INTEGRITY FAILED - attestation result message MK based cmac failed in [%s], status is %u\", __FUNCTION__, (uint32_t) status);\n return ;\n }\n\n bool attestation_passed = true;\n // Check the attestation result for pass or fail.\n // Whether attestation passes or fails is a decision made by the ISV Server.\n // When the ISV server decides to trust the enclave, then it will return success.\n // When the ISV server decided to not trust the enclave, then it will return failure.\n if (0 != att_result_full->status[0] || 0 != att_result_full->status[1]) {\n fprintf(stdout, \"\\nError, attestation result message MK based cmac \"\n \"failed in [%s].\", __FUNCTION__);\n attestation_passed = false;\n }\n\n // The attestation result message should contain a field for the Platform\n // Info Blob (PIB). The PIB is returned by attestation server in the attestation report.\n // It is not returned in all cases, but when it is, the ISV app\n // should pass it to the blob analysis API called sgx_report_attestation_status()\n // along with the trust decision from the ISV server.\n // The ISV application will take action based on the update_info.\n // returned in update_info by the API.\n // This call is stubbed out for the sample.\n //\n // sgx_update_info_bit_t update_info;\n // ret = sgx_report_attestation_status(\n // &p_att_result_msg_body->platform_info_blob,\n // attestation_passed ? 
0 : 1, &update_info);\n\n // Get the shared secret sent by the server using SK (if attestation\n // passed)\n#ifdef DEBUG\n printf(\"[RemoteAttestation3] %u\\n\", attestation_passed);\n#endif\n if (attestation_passed) {\n ret = ecall_put_secret_data(eid,\n &status,\n context,\n att_result->secret.payload,\n att_result->secret.payload_size,\n att_result->secret.payload_tag);\n\n if((SGX_SUCCESS != ret) || (SGX_SUCCESS != status)) {\n fprintf(stdout, \"\\nError, attestation result message secret \"\n \"using SK based AESGCM failed in [%s]. ret = \"\n \"0x%0x. status = 0x%0x\", __FUNCTION__, ret,\n status);\n return ;\n }\n }\n\n fprintf(stdout, \"\\nSecret successfully received from server.\");\n fprintf(stdout, \"\\nRemote attestation success!\\n\");\n\n#ifdef DEBUG\n fprintf(stdout, \"Destroying the key exchange context\\n\");\n#endif\n ecall_enclave_ra_close(eid, context);\n}", "idx": 519095, "cwe": "CWE-787", "hash": 29013845155613725181101139682173369323, "dataset": "other" }, { "func": "static pmd_t move_soft_dirty_pmd(pmd_t pmd)\n{\n#ifdef CONFIG_MEM_SOFT_DIRTY\n\tif (unlikely(is_pmd_migration_entry(pmd)))\n\t\tpmd = pmd_swp_mksoft_dirty(pmd);\n\telse if (pmd_present(pmd))\n\t\tpmd = pmd_mksoft_dirty(pmd);\n#endif\n\treturn pmd;\n}", "project": "linux", "hash": 6250896434490613342040645477497326028, "size": 10, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. 
This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. 
Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364164 }, { "func": "static void set_banner(apr_pool_t *pconf)\n{\n if (ap_server_tokens == SrvTk_PRODUCT_ONLY) {\n ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT);\n }\n else if (ap_server_tokens == SrvTk_MINIMAL) {\n ap_add_version_component(pconf, AP_SERVER_BASEVERSION);\n }\n else if (ap_server_tokens == SrvTk_MINOR) {\n ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT \"/\" AP_SERVER_MINORREVISION);\n }\n else if (ap_server_tokens == SrvTk_MAJOR) {\n ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT \"/\" AP_SERVER_MAJORVERSION);\n }\n else {\n ap_add_version_component(pconf, AP_SERVER_BASEVERSION \" (\" PLATFORM \")\");\n }\n\n /*\n * Lock the server_banner string if we're not displaying\n * the full set of tokens\n */\n if (ap_server_tokens != SrvTk_FULL) {\n banner_locked++;\n }\n server_description = AP_SERVER_BASEVERSION \" (\" PLATFORM \")\";\n}", "project": "httpd", "hash": 232915052381824669622591822043626451232, "size": 27, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246372 }, { "func": "void imap_disallow_reopen(struct Mailbox *m)\n{\n struct ImapAccountData *adata = imap_adata_get(m);\n struct ImapMboxData *mdata = imap_mdata_get(m);\n if (!adata || !adata->mailbox || (adata->mailbox != m) || !mdata)\n return;\n mdata->reopen &= ~IMAP_REOPEN_ALLOW;\n}", "project": "neomutt", "hash": 
286422291667906154940242483556481017452, "size": 8, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399269 }, { "func": "void tty_hangup(struct tty_struct *tty)\n{\n\ttty_debug_hangup(tty, \"hangup\\n\");\n\tschedule_work(&tty->hangup_work);\n}", "project": "linux", "hash": 17176858845283211082277113333879430169, "size": 5, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326063 }, { "func": "static void submit_queue(struct intel_engine_cs *engine,\n\t\t\t const struct i915_request *rq)\n{\n\tstruct intel_engine_execlists *execlists = &engine->execlists;\n\n\tif (rq_prio(rq) <= execlists->queue_priority_hint)\n\t\treturn;\n\n\texeclists->queue_priority_hint = rq_prio(rq);\n\t__submit_queue_imm(engine);\n}", "project": "linux", "hash": 130170645449823499653729878113584399308, "size": 11, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281531 }, { "func": "static bool confirmFromAccountMatch(const EthereumSignTx *msg, char *addremStr) {\n // Determine withdrawal address\n char addressStr[43] = {'0', 'x', '\\0'};\n char *fromSrc;\n uint8_t *fromAddress;\n uint8_t addressBytes[20];\n\n HDNode *node = zx_getDerivedNode(SECP256K1_NAME, msg->address_n,\n msg->address_n_count, NULL);\n if (!node) return false;\n\n if (!hdnode_get_ethereum_pubkeyhash(node, addressBytes)) {\n memzero(node, sizeof(*node));\n }\n\n fromAddress = (uint8_t *)(msg->data_initial_chunk.bytes + 4 + 5*32 - 20);\n\n if (memcmp(fromAddress, addressBytes, 20) == 0) {\n fromSrc = \"self\";\n } else {\n fromSrc = \"NOT this wallet\";\n }\n\n for (uint32_t ctr=0; ctr<20; ctr++) {\n snprintf(&addressStr[2+ctr*2], 3, \"%02x\", fromAddress[ctr]);\n }\n\n if (!confirm(ButtonRequestType_ButtonRequest_ConfirmOutput, addremStr,\n \"Confirming ETH address is %s: %s\", fromSrc, addressStr)) {\n return false;\n }\n return true;\n}", "project": "keepkey-firmware", "hash": 207063400935139938646929812041661870840, "size": 33, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220897 }, { "func": "static inline void tcp_sack_reset(struct tcp_options_received *rx_opt)\n{\n\trx_opt->dsack = 0;\n\trx_opt->num_sacks = 0;\n}", "project": "linux", "hash": 30832424500674524358612183218386503630, "size": 5, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and 
empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410762 }, { "func": "static apr_byte_t oidc_authorization_response_match_state(request_rec *r,\n\t\toidc_cfg *c, const char *state, struct oidc_provider_t **provider,\n\t\toidc_proto_state_t **proto_state) {\n\n\toidc_debug(r, \"enter (state=%s)\", state);\n\n\tif ((state == NULL) || (apr_strnatcmp(state, \"\") == 0)) {\n\t\toidc_error(r, \"state parameter is not set\");\n\t\treturn FALSE;\n\t}\n\n\t/* check the state parameter against what we stored in a cookie */\n\tif (oidc_restore_proto_state(r, c, state, proto_state) == FALSE) {\n\t\toidc_error(r, \"unable to restore state\");\n\t\treturn FALSE;\n\t}\n\n\t*provider = oidc_get_provider_for_issuer(r, c,\n\t\t\toidc_proto_state_get_issuer(*proto_state), FALSE);\n\n\tif (*provider == NULL) {\n\t\toidc_proto_state_destroy(*proto_state);\n\t\t*proto_state = NULL;\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 210541214827352955007128169055287231157, "size": 28, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381970 }, { "func": "static apr_byte_t oidc_authorization_response_match_state(request_rec *r,\n\t\toidc_cfg *c, const char *state, struct oidc_provider_t **provider,\n\t\toidc_proto_state_t **proto_state) {\n\n\toidc_debug(r, \"enter (state=%s)\", state);\n\n\tif ((state == NULL) || (apr_strnatcmp(state, \"\") == 0)) {\n\t\toidc_error(r, \"state parameter is not set\");\n\t\treturn FALSE;\n\t}\n\n\t/* check the state parameter against what we stored in a cookie */\n\tif (oidc_restore_proto_state(r, c, state, proto_state) == FALSE) {\n\t\toidc_error(r, \"unable to restore state\");\n\t\treturn FALSE;\n\t}\n\n\t*provider = oidc_get_provider_for_issuer(r, c,\n\t\t\toidc_proto_state_get_issuer(*proto_state), 
FALSE);\n\n\treturn (*provider != NULL);\n}", "project": "mod_auth_openidc", "hash": 209380788212598381807103323287591413894, "size": 22, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447697 }, { "func": "BOOL glyph_cache_fragment_put(rdpGlyphCache* glyphCache, UINT32 index, UINT32 size,\n const void* fragment)\n{\n\tvoid* prevFragment;\n\tvoid* copy;\n\n\tif (index > 255)\n\t{\n\t\tWLog_ERR(TAG, \"invalid glyph cache fragment index: %\" PRIu32 \"\", index);\n\t\treturn FALSE;\n\t}\n\n\tcopy = malloc(size);\n\n\tif (!copy)\n\t\treturn FALSE;\n\n\tWLog_Print(glyphCache->log, WLOG_DEBUG,\n\t \"GlyphCacheFragmentPut: index: %\" PRIu32 \" size: %\" PRIu32 \"\", index, size);\n\tCopyMemory(copy, fragment, size);\n\tprevFragment = glyphCache->fragCache.entries[index].fragment;\n\tglyphCache->fragCache.entries[index].fragment = copy;\n\tglyphCache->fragCache.entries[index].size = size;\n\tfree(prevFragment);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 184650086189964763927616764077872875420, "size": 26, "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 0, "dataset": "other", "idx": 432864 }, { "func": "int init_ftfuncs(THD *thd, SELECT_LEX *select_lex, bool no_order)\n{\n if (select_lex->ftfunc_list->elements)\n {\n List_iterator li(*(select_lex->ftfunc_list));\n Item_func_match *ifm;\n\n while ((ifm=li++))\n if (unlikely(!ifm->is_fixed()))\n /*\n it mean that clause where was FT function was removed, so we have\n to remove the function from the list.\n */\n li.remove();\n else if (ifm->init_search(thd, no_order))\n\treturn 1;\n }\n return 0;\n}", "target": 0, "cwe": [ "CWE-416" ], "project": "server", "commit_id": "0beed9b5e933f0ff79b3bb346524f7a451d14e38", "hash": 139735218094075390487369177824799987601, "size": 19, 
"message": "MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING\n\nwhen resolving WHERE and ON clauses, do not look in\nSELECT list/aliases.", "dataset": "other", "idx": 514560 }, { "func": "SDB_API bool sdb_disk_create(Sdb* s) {\n\tint nlen;\n\tchar *str;\n\tconst char *dir;\n\tif (!s || s->fdump >= 0) {\n\t\treturn false; // cannot re-create\n\t}\n\tif (!s->dir && s->name) {\n\t\ts->dir = strdup (s->name);\n\t}\n\tdir = s->dir ? s->dir : \"./\";\n\tR_FREE (s->ndump);\n\tnlen = strlen (dir);\n\tstr = malloc (nlen + 5);\n\tif (!str) {\n\t\treturn false;\n\t}\n\tmemcpy (str, dir, nlen + 1);\n\tr_sys_mkdirp (str);\n\tmemcpy (str + nlen, \".tmp\", 5);\n\tif (s->fdump != -1) {\n\t\tclose (s->fdump);\n\t}\n#if __SDB_WINDOWS__ && UNICODE\n\twchar_t *wstr = r_sys_conv_utf8_to_utf16 (str);\n\tif (wstr) {\n\t\ts->fdump = _wopen (wstr, O_BINARY | O_RDWR | O_CREAT | O_TRUNC, SDB_MODE);\n\t\tfree (wstr);\n\t} else {\n\t\ts->fdump = -1;\n\t}\n#else\n\ts->fdump = open (str, O_BINARY | O_RDWR | O_CREAT | O_TRUNC, SDB_MODE);\n#endif\n\tif (s->fdump == -1) {\n\t\teprintf (\"sdb: Cannot open '%s' for writing.\\n\", str);\n\t\tfree (str);\n\t\treturn false;\n\t}\n\tcdb_make_start (&s->m, s->fdump);\n\ts->ndump = str;\n\treturn true;\n}", "project": "radare2", "hash": 17223934752740394589193950542235728806, "size": 43, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268936 }, { "func": "static int open_url(HLSContext *c, URLContext **uc, const char *url, AVDictionary *opts)\n{\n AVDictionary *tmp = NULL;\n int ret;\n const char *proto_name = avio_find_protocol_name(url);\n\n if (!proto_name)\n return AVERROR_INVALIDDATA;\n\n // only http(s) & file are allowed\n if (av_strstart(proto_name, \"file\", NULL)) {\n if (strcmp(c->allowed_extensions, \"ALL\") && !av_match_ext(url, c->allowed_extensions)) {\n av_log(c, AV_LOG_ERROR,\n \"Filename extension of \\'%s\\' is not a common multimedia extension, blocked for security reasons.\\n\"\n \"If you wish to override this adjust allowed_extensions, you can set it to \\'ALL\\' to allow all\\n\",\n url);\n return AVERROR_INVALIDDATA;\n }\n } else if (av_strstart(proto_name, \"http\", NULL)) {\n ;\n } else\n return AVERROR_INVALIDDATA;\n\n if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':')\n ;\n else if (strcmp(proto_name, \"file\") || !strncmp(url, \"file,\", 5))\n return AVERROR_INVALIDDATA;\n\n av_dict_copy(&tmp, c->avio_opts, 0);\n av_dict_copy(&tmp, opts, 0);\n\n ret = ffurl_open(uc, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp);\n if( ret >= 0) {\n // update cookies on http response with setcookies.\n URLContext *u = *uc;\n update_options(&c->cookies, \"cookies\", u->priv_data);\n av_dict_set(&opts, \"cookies\", c->cookies, 0);\n }\n\n av_dict_free(&tmp);\n\n return 
ret;\n}", "project": "FFmpeg", "hash": 10429006717406580615461923611122386086, "size": 43, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270456 }, { "func": "static int shared_policy_replace(struct shared_policy *sp, unsigned long start,\n\t\t\t\t unsigned long end, struct sp_node *new)\n{\n\tstruct sp_node *n;\n\tstruct sp_node *n_new = NULL;\n\tstruct mempolicy *mpol_new = NULL;\n\tint ret = 0;\n\nrestart:\n\twrite_lock(&sp->lock);\n\tn = sp_lookup(sp, start, end);\n\t/* Take care of old policies in the same range. */\n\twhile (n && n->start < end) {\n\t\tstruct rb_node *next = rb_next(&n->nd);\n\t\tif (n->start >= start) {\n\t\t\tif (n->end <= end)\n\t\t\t\tsp_delete(sp, n);\n\t\t\telse\n\t\t\t\tn->start = end;\n\t\t} else {\n\t\t\t/* Old policy spanning whole new range. 
*/\n\t\t\tif (n->end > end) {\n\t\t\t\tif (!n_new)\n\t\t\t\t\tgoto alloc_new;\n\n\t\t\t\t*mpol_new = *n->policy;\n\t\t\t\tatomic_set(&mpol_new->refcnt, 1);\n\t\t\t\tsp_node_init(n_new, end, n->end, mpol_new);\n\t\t\t\tn->end = start;\n\t\t\t\tsp_insert(sp, n_new);\n\t\t\t\tn_new = NULL;\n\t\t\t\tmpol_new = NULL;\n\t\t\t\tbreak;\n\t\t\t} else\n\t\t\t\tn->end = start;\n\t\t}\n\t\tif (!next)\n\t\t\tbreak;\n\t\tn = rb_entry(next, struct sp_node, nd);\n\t}\n\tif (new)\n\t\tsp_insert(sp, new);\n\twrite_unlock(&sp->lock);\n\tret = 0;\n\nerr_out:\n\tif (mpol_new)\n\t\tmpol_put(mpol_new);\n\tif (n_new)\n\t\tkmem_cache_free(sn_cache, n_new);\n\n\treturn ret;\n\nalloc_new:\n\twrite_unlock(&sp->lock);\n\tret = -ENOMEM;\n\tn_new = kmem_cache_alloc(sn_cache, GFP_KERNEL);\n\tif (!n_new)\n\t\tgoto err_out;\n\tmpol_new = kmem_cache_alloc(policy_cache, GFP_KERNEL);\n\tif (!mpol_new)\n\t\tgoto err_out;\n\tgoto restart;\n}", "project": "linux", "hash": 274709590112653146678350807506396821673, "size": 64, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366720 }, { "func": "static void __hci_update_background_scan(struct hci_request *req)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\n\tif (!test_bit(HCI_UP, &hdev->flags) ||\n\t test_bit(HCI_INIT, &hdev->flags) ||\n\t hci_dev_test_flag(hdev, HCI_SETUP) ||\n\t hci_dev_test_flag(hdev, HCI_CONFIG) ||\n\t hci_dev_test_flag(hdev, HCI_AUTO_OFF) ||\n\t hci_dev_test_flag(hdev, HCI_UNREGISTER))\n\t\treturn;\n\n\t/* No point in doing scanning if LE support hasn't been enabled */\n\tif (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))\n\t\treturn;\n\n\t/* If discovery is active don't interfere with it */\n\tif (hdev->discovery.state != DISCOVERY_STOPPED)\n\t\treturn;\n\n\t/* Reset RSSI and UUID filters when starting background scanning\n\t * since these filters are meant for service discovery only.\n\t *\n\t * The Start Discovery and Start Service Discovery operations\n\t * ensure to set proper values for RSSI threshold and UUID\n\t * filter list. So it is safe to just reset them here.\n\t */\n\thci_discovery_filter_clear(hdev);\n\n\tbt_dev_dbg(hdev, \"ADV monitoring is %s\",\n\t\t hci_is_adv_monitoring(hdev) ? 
\"on\" : \"off\");\n\n\tif (list_empty(&hdev->pend_le_conns) &&\n\t list_empty(&hdev->pend_le_reports) &&\n\t !hci_is_adv_monitoring(hdev)) {\n\t\t/* If there is no pending LE connections or devices\n\t\t * to be scanned for or no ADV monitors, we should stop the\n\t\t * background scanning.\n\t\t */\n\n\t\t/* If controller is not scanning we are done. */\n\t\tif (!hci_dev_test_flag(hdev, HCI_LE_SCAN))\n\t\t\treturn;\n\n\t\thci_req_add_le_scan_disable(req, false);\n\n\t\tbt_dev_dbg(hdev, \"stopping background scanning\");\n\t} else {\n\t\t/* If there is at least one pending LE connection, we should\n\t\t * keep the background scan running.\n\t\t */\n\n\t\t/* If controller is connecting, we should not start scanning\n\t\t * since some controllers are not able to scan and connect at\n\t\t * the same time.\n\t\t */\n\t\tif (hci_lookup_le_connect(hdev))\n\t\t\treturn;\n\n\t\t/* If controller is currently scanning, we stop it to ensure we\n\t\t * don't miss any advertising (due to duplicates filter).\n\t\t */\n\t\tif (hci_dev_test_flag(hdev, HCI_LE_SCAN))\n\t\t\thci_req_add_le_scan_disable(req, false);\n\n\t\thci_req_add_le_passive_scan(req);\n\t\tbt_dev_dbg(hdev, \"starting background scanning\");\n\t}\n}", "project": "linux", "hash": 103538687173199365057880950576284621934, "size": 69, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402503 }, { "func": "int bcf_hdr_write(htsFile *hfp, bcf_hdr_t *h)\n{\n if (!h) {\n errno = EINVAL;\n return -1;\n }\n if ( h->dirty ) {\n if (bcf_hdr_sync(h) < 0) return -1;\n }\n hfp->format.category = variant_data;\n if (hfp->format.format == vcf || hfp->format.format == text_format) {\n hfp->format.format = vcf;\n return vcf_hdr_write(hfp, h);\n }\n\n if (hfp->format.format == binary_format)\n hfp->format.format = bcf;\n\n kstring_t htxt = {0,0,0};\n bcf_hdr_format(h, 1, &htxt);\n kputc('\\0', &htxt); // include the \\0 byte\n\n BGZF *fp = hfp->fp.bgzf;\n if ( bgzf_write(fp, \"BCF\\2\\2\", 5) !=5 ) return -1;\n uint8_t hlen[4];\n u32_to_le(htxt.l, hlen);\n if ( bgzf_write(fp, hlen, 4) !=4 ) return -1;\n if ( bgzf_write(fp, htxt.s, htxt.l) != htxt.l ) return -1;\n\n free(htxt.s);\n return 0;\n}", "project": "htslib", "hash": 72604491786464689389070737442876927706, "size": 32, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402154 }, { "func": "static int do_last(struct nameidata *nd,\n\t\t struct file *file, const struct open_flags *op)\n{\n\tstruct dentry *dir = nd->path.dentry;\n\tkuid_t dir_uid = dir->d_inode->i_uid;\n\tumode_t dir_mode = dir->d_inode->i_mode;\n\tint open_flag = op->open_flag;\n\tbool will_truncate = (open_flag & O_TRUNC) != 0;\n\tbool got_write = false;\n\tint acc_mode = op->acc_mode;\n\tunsigned seq;\n\tstruct inode *inode;\n\tstruct path path;\n\tint error;\n\n\tnd->flags &= ~LOOKUP_PARENT;\n\tnd->flags |= op->intent;\n\n\tif (nd->last_type != LAST_NORM) {\n\t\terror = handle_dots(nd, nd->last_type);\n\t\tif (unlikely(error))\n\t\t\treturn error;\n\t\tgoto finish_open;\n\t}\n\n\tif (!(open_flag & O_CREAT)) {\n\t\tif (nd->last.name[nd->last.len])\n\t\t\tnd->flags |= LOOKUP_FOLLOW | LOOKUP_DIRECTORY;\n\t\t/* we _can_ be in RCU mode here */\n\t\terror = lookup_fast(nd, &path, &inode, &seq);\n\t\tif (likely(error > 0))\n\t\t\tgoto finish_lookup;\n\n\t\tif (error < 0)\n\t\t\treturn error;\n\n\t\tBUG_ON(nd->inode != dir->d_inode);\n\t\tBUG_ON(nd->flags & LOOKUP_RCU);\n\t} else {\n\t\t/* create side of things */\n\t\t/*\n\t\t * This will *only* deal with leaving RCU mode - LOOKUP_JUMPED\n\t\t * has been cleared when we got to the last component we are\n\t\t * about to look up\n\t\t */\n\t\terror = complete_walk(nd);\n\t\tif (error)\n\t\t\treturn error;\n\n\t\taudit_inode(nd->name, dir, AUDIT_INODE_PARENT);\n\t\t/* trailing slashes? 
*/\n\t\tif (unlikely(nd->last.name[nd->last.len]))\n\t\t\treturn -EISDIR;\n\t}\n\n\tif (open_flag & (O_CREAT | O_TRUNC | O_WRONLY | O_RDWR)) {\n\t\terror = mnt_want_write(nd->path.mnt);\n\t\tif (!error)\n\t\t\tgot_write = true;\n\t\t/*\n\t\t * do _not_ fail yet - we might not need that or fail with\n\t\t * a different error; let lookup_open() decide; we'll be\n\t\t * dropping this one anyway.\n\t\t */\n\t}\n\tif (open_flag & O_CREAT)\n\t\tinode_lock(dir->d_inode);\n\telse\n\t\tinode_lock_shared(dir->d_inode);\n\terror = lookup_open(nd, &path, file, op, got_write);\n\tif (open_flag & O_CREAT)\n\t\tinode_unlock(dir->d_inode);\n\telse\n\t\tinode_unlock_shared(dir->d_inode);\n\n\tif (error)\n\t\tgoto out;\n\n\tif (file->f_mode & FMODE_OPENED) {\n\t\tif ((file->f_mode & FMODE_CREATED) ||\n\t\t !S_ISREG(file_inode(file)->i_mode))\n\t\t\twill_truncate = false;\n\n\t\taudit_inode(nd->name, file->f_path.dentry, 0);\n\t\tgoto opened;\n\t}\n\n\tif (file->f_mode & FMODE_CREATED) {\n\t\t/* Don't check for write permission, don't truncate */\n\t\topen_flag &= ~O_TRUNC;\n\t\twill_truncate = false;\n\t\tacc_mode = 0;\n\t\tpath_to_nameidata(&path, nd);\n\t\tgoto finish_open_created;\n\t}\n\n\t/*\n\t * If atomic_open() acquired write access it is dropped now due to\n\t * possible mount and symlink following (this might be optimized away if\n\t * necessary...)\n\t */\n\tif (got_write) {\n\t\tmnt_drop_write(nd->path.mnt);\n\t\tgot_write = false;\n\t}\n\n\terror = follow_managed(&path, nd);\n\tif (unlikely(error < 0))\n\t\treturn error;\n\n\t/*\n\t * create/update audit record if it already exists.\n\t */\n\taudit_inode(nd->name, path.dentry, 0);\n\n\tif (unlikely((open_flag & (O_EXCL | O_CREAT)) == (O_EXCL | O_CREAT))) {\n\t\tpath_to_nameidata(&path, nd);\n\t\treturn -EEXIST;\n\t}\n\n\tseq = 0;\t/* out of RCU mode, so the value doesn't matter */\n\tinode = d_backing_inode(path.dentry);\nfinish_lookup:\n\terror = step_into(nd, &path, 0, inode, seq);\n\tif (unlikely(error))\n\t\treturn 
error;\nfinish_open:\n\t/* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */\n\terror = complete_walk(nd);\n\tif (error)\n\t\treturn error;\n\taudit_inode(nd->name, nd->path.dentry, 0);\n\tif (open_flag & O_CREAT) {\n\t\terror = -EISDIR;\n\t\tif (d_is_dir(nd->path.dentry))\n\t\t\tgoto out;\n\t\terror = may_create_in_sticky(dir_mode, dir_uid,\n\t\t\t\t\t d_backing_inode(nd->path.dentry));\n\t\tif (unlikely(error))\n\t\t\tgoto out;\n\t}\n\terror = -ENOTDIR;\n\tif ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry))\n\t\tgoto out;\n\tif (!d_is_reg(nd->path.dentry))\n\t\twill_truncate = false;\n\n\tif (will_truncate) {\n\t\terror = mnt_want_write(nd->path.mnt);\n\t\tif (error)\n\t\t\tgoto out;\n\t\tgot_write = true;\n\t}\nfinish_open_created:\n\terror = may_open(&nd->path, acc_mode, open_flag);\n\tif (error)\n\t\tgoto out;\n\tBUG_ON(file->f_mode & FMODE_OPENED); /* once it's opened, it's opened */\n\terror = vfs_open(&nd->path, file);\n\tif (error)\n\t\tgoto out;\nopened:\n\terror = ima_file_check(file, op->acc_mode);\n\tif (!error && will_truncate)\n\t\terror = handle_truncate(file);\nout:\n\tif (unlikely(error > 0)) {\n\t\tWARN_ON(1);\n\t\terror = -EINVAL;\n\t}\n\tif (got_write)\n\t\tmnt_drop_write(nd->path.mnt);\n\treturn error;\n}", "project": "linux", "hash": 185915795809950262799940714977962946995, "size": 174, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295311 }, { "func": "static void hci_key_refresh_complete_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_key_refresh_complete *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x handle 
0x%4.4x\", hdev->name, ev->status,\n\t __le16_to_cpu(ev->handle));\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));\n\tif (!conn)\n\t\tgoto unlock;\n\n\t/* For BR/EDR the necessary steps are taken through the\n\t * auth_complete event.\n\t */\n\tif (conn->type != LE_LINK)\n\t\tgoto unlock;\n\n\tif (!ev->status)\n\t\tconn->sec_level = conn->pending_sec_level;\n\n\tclear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);\n\n\tif (ev->status && conn->state == BT_CONNECTED) {\n\t\thci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);\n\t\thci_conn_drop(conn);\n\t\tgoto unlock;\n\t}\n\n\tif (conn->state == BT_CONFIG) {\n\t\tif (!ev->status)\n\t\t\tconn->state = BT_CONNECTED;\n\n\t\thci_connect_cfm(conn, ev->status);\n\t\thci_conn_drop(conn);\n\t} else {\n\t\thci_auth_cfm(conn, ev->status);\n\n\t\thci_conn_hold(conn);\n\t\tconn->disc_timeout = HCI_DISCONN_TIMEOUT;\n\t\thci_conn_drop(conn);\n\t}\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 66784769786923412228506906183313201183, "size": 49, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431959 }, { "func": "void kdb_send_sig(struct task_struct *t, int sig)\n{\n\tstatic struct task_struct *kdb_prev_t;\n\tint new_t, ret;\n\tif (!spin_trylock(&t->sighand->siglock)) {\n\t\tkdb_printf(\"Can't do kill command now.\\n\"\n\t\t\t \"The sigmask lock is held somewhere else in \"\n\t\t\t \"kernel, try again later\\n\");\n\t\treturn;\n\t}\n\tnew_t = kdb_prev_t != t;\n\tkdb_prev_t = t;\n\tif (t->state != TASK_RUNNING && new_t) {\n\t\tspin_unlock(&t->sighand->siglock);\n\t\tkdb_printf(\"Process is not RUNNING, sending a signal from \"\n\t\t\t \"kdb risks deadlock\\n\"\n\t\t\t \"on the run queue locks. \"\n\t\t\t \"The signal has _not_ been sent.\\n\"\n\t\t\t \"Reissue the kill command if you want to risk \"\n\t\t\t \"the deadlock.\\n\");\n\t\treturn;\n\t}\n\tret = send_signal(sig, SEND_SIG_PRIV, t, PIDTYPE_PID);\n\tspin_unlock(&t->sighand->siglock);\n\tif (ret)\n\t\tkdb_printf(\"Fail to deliver Signal %d to process %d.\\n\",\n\t\t\t sig, t->pid);\n\telse\n\t\tkdb_printf(\"Signal %d is sent to process %d.\\n\", sig, t->pid);\n}", "project": "linux", "hash": 41931629993591723842807410983112146340, "size": 30, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375256 }, { "func": "static void encode_nfs4_seqid(struct xdr_stream *xdr,\n\t\tconst struct nfs_seqid *seqid)\n{\n\tif (seqid != NULL)\n\t\tencode_uint32(xdr, seqid->sequence->counter);\n\telse\n\t\tencode_uint32(xdr, 0);\n}", "project": "linux", "hash": 306138728654644549788549413750476838567, "size": 8, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431447 }, { "func": "static int sctp_setsockopt_maxburst(struct sock *sk,\n\t\t\t\t struct sctp_assoc_value *params,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_association *asoc;\n\tsctp_assoc_t assoc_id;\n\tu32 assoc_value;\n\n\tif (optlen == sizeof(int)) {\n\t\tpr_warn_ratelimited(DEPRECATED\n\t\t\t\t \"%s (pid %d) \"\n\t\t\t\t \"Use of int in max_burst socket option deprecated.\\n\"\n\t\t\t\t \"Use struct sctp_assoc_value instead\\n\",\n\t\t\t\t current->comm, task_pid_nr(current));\n\t\tassoc_id = SCTP_FUTURE_ASSOC;\n\t\tassoc_value = *((int *)params);\n\t} else if (optlen == sizeof(struct sctp_assoc_value)) {\n\t\tassoc_id = params->assoc_id;\n\t\tassoc_value = params->assoc_value;\n\t} else\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, assoc_id);\n\tif (!asoc && assoc_id > SCTP_ALL_ASSOC && sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc) {\n\t\tasoc->max_burst = assoc_value;\n\n\t\treturn 0;\n\t}\n\n\tif (sctp_style(sk, TCP))\n\t\tassoc_id = SCTP_FUTURE_ASSOC;\n\n\tif (assoc_id == SCTP_FUTURE_ASSOC || assoc_id == SCTP_ALL_ASSOC)\n\t\tsp->max_burst = assoc_value;\n\n\tif 
(assoc_id == SCTP_CURRENT_ASSOC || assoc_id == SCTP_ALL_ASSOC)\n\t\tlist_for_each_entry(asoc, &sp->ep->asocs, asocs)\n\t\t\tasoc->max_burst = assoc_value;\n\n\treturn 0;\n}", "project": "linux", "hash": 132189963864690729435162988625326374647, "size": 45, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398147 }, { "func": "\nstatic enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)\n{\n\tstruct io_timeout_data *data = container_of(timer,\n\t\t\t\t\t\tstruct io_timeout_data, timer);\n\tstruct io_kiocb *req = data->req;\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&ctx->completion_lock, flags);\n\tlist_del_init(&req->timeout.list);\n\tatomic_set(&req->ctx->cq_timeouts,\n\t\tatomic_read(&req->ctx->cq_timeouts) + 1);\n\n\tio_cqring_fill_event(ctx, req->user_data, -ETIME, 0);\n\tio_commit_cqring(ctx);\n\tspin_unlock_irqrestore(&ctx->completion_lock, flags);\n\n\tio_cqring_ev_posted(ctx);\n\treq_set_fail_links(req);\n\tio_put_req(req);\n\treturn HRTIMER_NORESTART;", "project": "linux", "hash": 137194222656649185051621604847356930110, "size": 22, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338703 }, { "func": "static int kvm_s390_vm_stop_migration(struct kvm *kvm)\n{\n\t/* migration mode already disabled */\n\tif (!kvm->arch.migration_mode)\n\t\treturn 0;\n\tkvm->arch.migration_mode = 0;\n\tif (kvm->arch.use_cmma)\n\t\tkvm_s390_sync_request_broadcast(kvm, KVM_REQ_STOP_MIGRATION);\n\treturn 0;\n}", "project": "linux", "hash": 171918911036585190784576817791235709255, "size": 10, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354578 }, { "func": "static int can_go_on_limited_pmc(struct perf_event *event, u64 ev,\n\t\t\t\t unsigned int flags)\n{\n\tint n;\n\tu64 alt[MAX_EVENT_ALTERNATIVES];\n\n\tif (event->attr.exclude_user\n\t || event->attr.exclude_kernel\n\t || 
event->attr.exclude_hv\n\t || event->attr.sample_period)\n\t\treturn 0;\n\n\tif (ppmu->limited_pmc_event(ev))\n\t\treturn 1;\n\n\t/*\n\t * The requested event_id isn't on a limited PMC already;\n\t * see if any alternative code goes on a limited PMC.\n\t */\n\tif (!ppmu->get_alternatives)\n\t\treturn 0;\n\n\tflags |= PPMU_LIMITED_PMC_OK | PPMU_LIMITED_PMC_REQD;\n\tn = ppmu->get_alternatives(ev, flags, alt);\n\n\treturn n > 0;\n}", "project": "linux", "hash": 209543686282312148748404708797737475207, "size": 27, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374676 }, { "func": "static void php_ifd_set32u(char *data, size_t value, int motorola_intel) {\n if (motorola_intel) {\n data[0] = (value & 0xFF000000) >> 24;\n data[1] = (value & 0x00FF0000) >> 16;\n data[2] = (value & 0x0000FF00) >> 8;\n data[3] = (value & 0x000000FF);\n } else {\n data[3] = (value & 0xFF000000) >> 24;\n data[2] = (value & 0x00FF0000) >> 16;\n data[1] = (value & 0x0000FF00) >> 8;\n data[0] = (value & 0x000000FF);\n }\n}", "project": "hhvm", "hash": 326171713720557426075894157056417497947, "size": 13, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219722 }, { "func": "static apr_byte_t oidc_is_back_channel_logout(const char *logout_param_value) {\n\treturn ((logout_param_value != NULL) && (apr_strnatcmp(logout_param_value,\n\t\t\tOIDC_BACKCHANNEL_STYLE_LOGOUT_PARAM_VALUE) == 0));\n}", "project": "mod_auth_openidc", "hash": 150822773263893294069700476514606037456, "size": 4, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381939 }, { "func": "static int add_to_white_list(struct hci_request *req,\n\t\t\t struct hci_conn_params *params, u8 *num_entries,\n\t\t\t bool allow_rpa)\n{\n\tstruct hci_cp_le_add_to_white_list cp;\n\tstruct hci_dev *hdev = req->hdev;\n\n\t/* Already in white list 
*/\n\tif (hci_bdaddr_list_lookup(&hdev->le_white_list, ¶ms->addr,\n\t\t\t\t params->addr_type))\n\t\treturn 0;\n\n\t/* Select filter policy to accept all advertising */\n\tif (*num_entries >= hdev->le_white_list_size)\n\t\treturn -1;\n\n\t/* White list can not be used with RPAs */\n\tif (!allow_rpa &&\n\t !hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY) &&\n\t hci_find_irk_by_addr(hdev, ¶ms->addr, params->addr_type)) {\n\t\treturn -1;\n\t}\n\n\t/* During suspend, only wakeable devices can be in whitelist */\n\tif (hdev->suspended && !hci_conn_test_flag(HCI_CONN_FLAG_REMOTE_WAKEUP,\n\t\t\t\t\t\t params->current_flags))\n\t\treturn 0;\n\n\t*num_entries += 1;\n\tcp.bdaddr_type = params->addr_type;\n\tbacpy(&cp.bdaddr, ¶ms->addr);\n\n\tbt_dev_dbg(hdev, \"Add %pMR (0x%x) to whitelist\", &cp.bdaddr,\n\t\t cp.bdaddr_type);\n\thci_req_add(req, HCI_OP_LE_ADD_TO_WHITE_LIST, sizeof(cp), &cp);\n\n\tif (use_ll_privacy(hdev) &&\n\t hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY)) {\n\t\tstruct smp_irk *irk;\n\n\t\tirk = hci_find_irk_by_addr(hdev, ¶ms->addr,\n\t\t\t\t\t params->addr_type);\n\t\tif (irk) {\n\t\t\tstruct hci_cp_le_add_to_resolv_list cp;\n\n\t\t\tcp.bdaddr_type = params->addr_type;\n\t\t\tbacpy(&cp.bdaddr, ¶ms->addr);\n\t\t\tmemcpy(cp.peer_irk, irk->val, 16);\n\n\t\t\tif (hci_dev_test_flag(hdev, HCI_PRIVACY))\n\t\t\t\tmemcpy(cp.local_irk, hdev->irk, 16);\n\t\t\telse\n\t\t\t\tmemset(cp.local_irk, 0, 16);\n\n\t\t\thci_req_add(req, HCI_OP_LE_ADD_TO_RESOLV_LIST,\n\t\t\t\t sizeof(cp), &cp);\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 302720057706346902431946904281788430914, "size": 61, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402522 }, { "func": "otError Commissioner::GetNextJoinerInfo(uint16_t &aIterator, otJoinerInfo &aJoiner) const\n{\n otError error = OT_ERROR_NONE;\n size_t index;\n\n for (index = aIterator; index < OT_ARRAY_LENGTH(mJoiners); index++)\n {\n if (!mJoiners[index].mValid)\n {\n continue;\n }\n\n memset(&aJoiner, 0, sizeof(aJoiner));\n\n aJoiner.mAny = mJoiners[index].mAny;\n aJoiner.mEui64 = mJoiners[index].mEui64;\n strlcpy(aJoiner.mPsk, mJoiners[index].mPsk, sizeof(aJoiner.mPsk));\n aJoiner.mExpirationTime = mJoiners[index].mExpirationTime - TimerMilli::GetNow();\n aIterator = static_cast(index) + 1;\n ExitNow();\n }\n\n error = OT_ERROR_NOT_FOUND;\n\nexit:\n return error;\n}", "project": "openthread", "hash": 293885040720524294765761754937478768575, "size": 27, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269887 }, { "func": "static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,\n\t\t\t\t char __user *optval,\n\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_assoc_stats sas;\n\tstruct sctp_association *asoc = NULL;\n\n\t/* User must provide at least the assoc id */\n\tif (len < sizeof(sctp_assoc_t))\n\t\treturn -EINVAL;\n\n\t/* Allow the struct to grow and fill in as much as possible */\n\tlen = min_t(size_t, len, 
sizeof(sas));\n\n\tif (copy_from_user(&sas, optval, len))\n\t\treturn -EFAULT;\n\n\tasoc = sctp_id2assoc(sk, sas.sas_assoc_id);\n\tif (!asoc)\n\t\treturn -EINVAL;\n\n\tsas.sas_rtxchunks = asoc->stats.rtxchunks;\n\tsas.sas_gapcnt = asoc->stats.gapcnt;\n\tsas.sas_outofseqtsns = asoc->stats.outofseqtsns;\n\tsas.sas_osacks = asoc->stats.osacks;\n\tsas.sas_isacks = asoc->stats.isacks;\n\tsas.sas_octrlchunks = asoc->stats.octrlchunks;\n\tsas.sas_ictrlchunks = asoc->stats.ictrlchunks;\n\tsas.sas_oodchunks = asoc->stats.oodchunks;\n\tsas.sas_iodchunks = asoc->stats.iodchunks;\n\tsas.sas_ouodchunks = asoc->stats.ouodchunks;\n\tsas.sas_iuodchunks = asoc->stats.iuodchunks;\n\tsas.sas_idupchunks = asoc->stats.idupchunks;\n\tsas.sas_opackets = asoc->stats.opackets;\n\tsas.sas_ipackets = asoc->stats.ipackets;\n\n\t/* New high max rto observed, will return 0 if not a single\n\t * RTO update took place. obs_rto_ipaddr will be bogus\n\t * in such a case\n\t */\n\tsas.sas_maxrto = asoc->stats.max_obs_rto;\n\tmemcpy(&sas.sas_obs_rto_ipaddr, &asoc->stats.obs_rto_ipaddr,\n\t\tsizeof(struct sockaddr_storage));\n\n\t/* Mark beginning of a new observation period */\n\tasoc->stats.max_obs_rto = asoc->rto_min;\n\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\n\tpr_debug(\"%s: len:%d, assoc_id:%d\\n\", __func__, len, sas.sas_assoc_id);\n\n\tif (copy_to_user(optval, &sas, len))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 227635596356910298811247582184713468173, "size": 57, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398129 }, { "func": "static inline struct kvm_memslots *kvm_memslots(struct kvm *kvm)\n{\n\treturn __kvm_memslots(kvm, 0);\n}", "project": "linux", "hash": 103886635159353443934071802818942567787, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354568 }, { "func": "static inline struct kvm_memslots *kvm_vcpu_memslots(struct kvm_vcpu *vcpu)\n{\n\tint as_id = kvm_arch_vcpu_memslots_id(vcpu);\n\n\treturn __kvm_memslots(vcpu->kvm, as_id);\n}", "project": "linux", "hash": 30121393938396301661335782032145085714, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when 
searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354650 }, { "func": "UnicodeStringTest::TestUInt16Pointers() {\n static const uint16_t carr[] = { 0x61, 0x62, 0x63, 0 };\n uint16_t arr[4];\n\n UnicodeString expected(u\"abc\");\n assertEquals(\"abc from pointer\", expected, UnicodeString(carr));\n assertEquals(\"abc from pointer+length\", expected, UnicodeString(carr, 3));\n assertEquals(\"abc from read-only-alias pointer\", expected, UnicodeString(TRUE, carr, 3));\n\n UnicodeString alias(arr, 0, 4);\n alias.append(u'a').append(u'b').append(u'c');\n assertEquals(\"abc from writable alias\", expected, alias);\n assertEquals(\"buffer=abc from writable alias\", expected, UnicodeString(arr, 3));\n\n UErrorCode errorCode = U_ZERO_ERROR;\n int32_t length = UnicodeString(u\"def\").extract(arr, 4, errorCode);\n assertSuccess(WHERE, errorCode);\n assertEquals(\"def from extract()\", UnicodeString(u\"def\"), UnicodeString(arr, length));\n}", "project": "icu", "hash": 192378845102147724641197445877973373348, "size": 19, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430796 }, { "func": "OPJ_UINT32 opj_tcd_get_decoded_tile_size(opj_tcd_t *p_tcd,\n OPJ_BOOL take_into_account_partial_decoding)\n{\n OPJ_UINT32 i;\n OPJ_UINT32 l_data_size = 0;\n opj_image_comp_t * l_img_comp = 00;\n opj_tcd_tilecomp_t * l_tile_comp = 00;\n opj_tcd_resolution_t * l_res = 00;\n OPJ_UINT32 l_size_comp, l_remaining;\n OPJ_UINT32 l_temp;\n\n 
l_tile_comp = p_tcd->tcd_image->tiles->comps;\n l_img_comp = p_tcd->image->comps;\n\n for (i = 0; i < p_tcd->image->numcomps; ++i) {\n OPJ_UINT32 w, h;\n l_size_comp = l_img_comp->prec >> 3; /*(/ 8)*/\n l_remaining = l_img_comp->prec & 7; /* (%8) */\n\n if (l_remaining) {\n ++l_size_comp;\n }\n\n if (l_size_comp == 3) {\n l_size_comp = 4;\n }\n\n l_res = l_tile_comp->resolutions + l_tile_comp->minimum_num_resolutions - 1;\n if (take_into_account_partial_decoding && !p_tcd->whole_tile_decoding) {\n w = l_res->win_x1 - l_res->win_x0;\n h = l_res->win_y1 - l_res->win_y0;\n } else {\n w = (OPJ_UINT32)(l_res->x1 - l_res->x0);\n h = (OPJ_UINT32)(l_res->y1 - l_res->y0);\n }\n if (h > 0 && UINT_MAX / w < h) {\n return UINT_MAX;\n }\n l_temp = w * h;\n if (l_size_comp && UINT_MAX / l_size_comp < l_temp) {\n return UINT_MAX;\n }\n l_temp *= l_size_comp;\n\n if (l_temp > UINT_MAX - l_data_size) {\n return UINT_MAX;\n }\n l_data_size += l_temp;\n ++l_img_comp;\n ++l_tile_comp;\n }\n\n return l_data_size;\n}", "project": "openjpeg", "hash": 213792873579899825888867200061009833565, "size": 54, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359182 }, { "func": "static int nfs4_get_referral(struct rpc_clnt *client, struct inode *dir,\n\t\t\t const struct qstr *name, struct nfs_fattr *fattr,\n\t\t\t struct nfs_fh *fhandle)\n{\n\tint status = -ENOMEM;\n\tstruct page *page = NULL;\n\tstruct nfs4_fs_locations *locations = NULL;\n\n\tpage = alloc_page(GFP_KERNEL);\n\tif (page == NULL)\n\t\tgoto out;\n\tlocations = kmalloc(sizeof(struct nfs4_fs_locations), GFP_KERNEL);\n\tif (locations == NULL)\n\t\tgoto out;\n\n\tstatus = nfs4_proc_fs_locations(client, dir, name, locations, page);\n\tif (status != 0)\n\t\tgoto out;\n\n\t/*\n\t * If the fsid didn't change, this is a migration event, not a\n\t * referral. 
Cause us to drop into the exception handler, which\n\t * will kick off migration recovery.\n\t */\n\tif (nfs_fsid_equal(&NFS_SERVER(dir)->fsid, &locations->fattr.fsid)) {\n\t\tdprintk(\"%s: server did not return a different fsid for\"\n\t\t\t\" a referral at %s\\n\", __func__, name->name);\n\t\tstatus = -NFS4ERR_MOVED;\n\t\tgoto out;\n\t}\n\t/* Fixup attributes for the nfs_lookup() call to nfs_fhget() */\n\tnfs_fixup_referral_attributes(&locations->fattr);\n\n\t/* replace the lookup nfs_fattr with the locations nfs_fattr */\n\tmemcpy(fattr, &locations->fattr, sizeof(struct nfs_fattr));\n\tmemset(fhandle, 0, sizeof(struct nfs_fh));\nout:\n\tif (page)\n\t\t__free_page(page);\n\tkfree(locations);\n\treturn status;\n}", "project": "linux", "hash": 305567771733043839379741726563210853433, "size": 42, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430989 }, { "func": "String ipaddr_convert(struct sockaddr *addr, int addrlen) {\n char buffer[NI_MAXHOST];\n int error = getnameinfo(addr, addrlen, buffer, sizeof(buffer), NULL, 0, NI_NUMERICHOST);\n\n if (error) {\n raise_warning(\"%s\", gai_strerror(error));\n return empty_string();\n }\n return String(buffer, CopyString);\n}", "project": "hhvm", "hash": 15540710752646998361524617545403643652, "size": 10, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219816 }, { "func": "std::vector EagerKernelArgs::GetLocalTensors() const {\n std::vector lcoal_inputs;\n 
lcoal_inputs.reserve(tensor_args_.size());\n for (const TensorValue& tensor_value : tensor_args_) {\n lcoal_inputs.push_back(*tensor_value.tensor);\n }\n return lcoal_inputs;\n}", "project": "tensorflow", "hash": 129656216533850952720091097081350972001, "size": 8, "commit_id": "da8558533d925694483d2c136a9220d6d49d843c", "message": "Fix undefined behavior in `tf.raw_ops.Switch` in eager mode.\n\nPiperOrigin-RevId: 332578058\nChange-Id: I9727571d2f21476b10d8aa27c1b7176564b76ac9", "target": 0, "dataset": "other", "idx": 270137 }, { "func": "std::vector WebContents::GetPreloadPaths() const {\n auto result = SessionPreferences::GetValidPreloads(GetBrowserContext());\n\n if (auto* web_preferences = WebContentsPreferences::From(web_contents())) {\n base::FilePath::StringType preload;\n if (web_preferences->GetPreloadPath(&preload)) {\n result.emplace_back(preload);\n }\n }\n\n return result;\n}", "project": "electron", "hash": 242081364501809232759321407465770682153, "size": 12, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269735 }, { "func": "static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n}", "project": "linux", "hash": 221036603394065385949045810832716127253, "size": 7, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. 
A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431971 }, { "func": "void xdr_truncate_encode(struct xdr_stream *xdr, size_t len)\n{\n\tstruct xdr_buf *buf = xdr->buf;\n\tstruct kvec *head = buf->head;\n\tstruct kvec *tail = buf->tail;\n\tint fraglen;\n\tint new;\n\n\tif (len > buf->len) {\n\t\tWARN_ON_ONCE(1);\n\t\treturn;\n\t}\n\txdr_commit_encode(xdr);\n\n\tfraglen = min_t(int, buf->len - len, tail->iov_len);\n\ttail->iov_len -= fraglen;\n\tbuf->len -= fraglen;\n\tif (tail->iov_len) {\n\t\txdr->p = tail->iov_base + tail->iov_len;\n\t\tWARN_ON_ONCE(!xdr->end);\n\t\tWARN_ON_ONCE(!xdr->iov);\n\t\treturn;\n\t}\n\tWARN_ON_ONCE(fraglen);\n\tfraglen = min_t(int, buf->len - len, buf->page_len);\n\tbuf->page_len -= fraglen;\n\tbuf->len -= fraglen;\n\n\tnew = buf->page_base + buf->page_len;\n\n\txdr->page_ptr = buf->pages + (new >> PAGE_SHIFT);\n\n\tif (buf->page_len) {\n\t\txdr->p = page_address(*xdr->page_ptr);\n\t\txdr->end = (void *)xdr->p + PAGE_SIZE;\n\t\txdr->p = (void *)xdr->p + (new % PAGE_SIZE);\n\t\tWARN_ON_ONCE(xdr->iov);\n\t\treturn;\n\t}\n\tif (fraglen)\n\t\txdr->end = head->iov_base + head->iov_len;\n\t/* (otherwise assume xdr->end is already set) */\n\txdr->page_ptr--;\n\thead->iov_len = len;\n\tbuf->len = len;\n\txdr->p = head->iov_base + head->iov_len;\n\txdr->iov = buf->head;\n}", "project": "linux", "hash": 237926644535829547945920479965244282206, "size": 48, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly 
easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481055 }, { "func": "static void __io_clean_op(struct io_kiocb *req)\n{\n\tstruct io_async_ctx *io = req->io;\n\n\tif (req->flags & REQ_F_BUFFER_SELECTED) {\n\t\tswitch (req->opcode) {\n\t\tcase IORING_OP_READV:\n\t\tcase IORING_OP_READ_FIXED:\n\t\tcase IORING_OP_READ:\n\t\t\tkfree((void *)(unsigned long)req->rw.addr);\n\t\t\tbreak;\n\t\tcase IORING_OP_RECVMSG:\n\t\tcase IORING_OP_RECV:\n\t\t\tkfree(req->sr_msg.kbuf);\n\t\t\tbreak;\n\t\t}\n\t\treq->flags &= ~REQ_F_BUFFER_SELECTED;\n\t}\n\n\tif (req->flags & REQ_F_NEED_CLEANUP) {\n\t\tswitch (req->opcode) {\n\t\tcase IORING_OP_READV:\n\t\tcase IORING_OP_READ_FIXED:\n\t\tcase IORING_OP_READ:\n\t\tcase IORING_OP_WRITEV:\n\t\tcase IORING_OP_WRITE_FIXED:\n\t\tcase IORING_OP_WRITE:\n\t\t\tif (io->rw.iov != io->rw.fast_iov)\n\t\t\t\tkfree(io->rw.iov);\n\t\t\tbreak;\n\t\tcase IORING_OP_RECVMSG:\n\t\tcase IORING_OP_SENDMSG:\n\t\t\tif (io->msg.iov != io->msg.fast_iov)\n\t\t\t\tkfree(io->msg.iov);\n\t\t\tbreak;\n\t\tcase IORING_OP_SPLICE:\n\t\tcase IORING_OP_TEE:\n\t\t\tio_put_file(req, req->splice.file_in,\n\t\t\t\t (req->splice.flags & SPLICE_F_FD_IN_FIXED));\n\t\t\tbreak;\n\t\t}\n\t\treq->flags &= ~REQ_F_NEED_CLEANUP;\n\t}\n}", "project": "linux", "hash": 328019230648437311802277598959553999175, "size": 44, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one 
higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456914 }, { "func": "static unsigned int pfkey_sockaddr_fill(const xfrm_address_t *xaddr, __be16 port,\n\t\t\t\t\tstruct sockaddr *sa,\n\t\t\t\t\tunsigned short family)\n{\n\tswitch (family) {\n\tcase AF_INET:\n\t {\n\t\tstruct sockaddr_in *sin = (struct sockaddr_in *)sa;\n\t\tsin->sin_family = AF_INET;\n\t\tsin->sin_port = port;\n\t\tsin->sin_addr.s_addr = xaddr->a4;\n\t\tmemset(sin->sin_zero, 0, sizeof(sin->sin_zero));\n\t\treturn 32;\n\t }\n#if IS_ENABLED(CONFIG_IPV6)\n\tcase AF_INET6:\n\t {\n\t\tstruct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;\n\t\tsin6->sin6_family = AF_INET6;\n\t\tsin6->sin6_port = port;\n\t\tsin6->sin6_flowinfo = 0;\n\t\tsin6->sin6_addr = xaddr->in6;\n\t\tsin6->sin6_scope_id = 0;\n\t\treturn 128;\n\t }\n#endif\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 52285285126747088695457604253248259135, "size": 29, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268019 }, { "func": "BPMDetect::~BPMDetect()\r\n{\r\n delete[] xcorr;\r\n delete[] beatcorr_ringbuff;\r\n delete[] hamw;\r\n delete[] hamw2;\r\n delete buffer;\r\n}\r", "project": "soundtouch", "hash": 54954985986950655700686716354858725390, "size": 8, "commit_id": "a1c400eb2cff849c0e5f9d6916d69ffea3ad2c85", "message": "Fix issue CVE-2018-17096: Replace assert with runtime exception", "target": 0, "dataset": "other", "idx": 368093 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "MediaElementAudioSourceNode* AudioContext::createMediaElementSource(HTMLMediaElement* mediaElement, ExceptionState& exceptionState)\n{\n ASSERT(isMainThread());\n if (!mediaElement) {\n exceptionState.throwDOMException(\n InvalidStateError,\n \"invalid HTMLMedialElement.\");\n return 0;\n }\n\n if (mediaElement->audioSourceNode()) {\n exceptionState.throwDOMException(\n InvalidStateError,\n \"HTMLMediaElement already connected previously to a different MediaElementSourceNode.\");\n return 0;\n }\n\n MediaElementAudioSourceNode* node = MediaElementAudioSourceNode::create(this, mediaElement);\n\n mediaElement->setAudioSourceNode(node);\n\n refNode(node); // context keeps reference until node is disconnected\n return node;\n}\n", "cwe": "", "big_vul_idx": 139638, "idx": 124790, "hash": 339157209970603172695700240029729635667 }, { "func": "OPJ_BOOL opj_j2k_set_decode_area(opj_j2k_t *p_j2k,\n opj_image_t* p_image,\n OPJ_INT32 p_start_x, OPJ_INT32 p_start_y,\n OPJ_INT32 p_end_x, OPJ_INT32 p_end_y,\n opj_event_mgr_t * p_manager)\n{\n opj_cp_t * l_cp = &(p_j2k->m_cp);\n opj_image_t * l_image = p_j2k->m_private_image;\n OPJ_BOOL ret;\n OPJ_UINT32 it_comp;\n\n if (p_j2k->m_cp.tw == 1 && 
p_j2k->m_cp.th == 1 &&\n p_j2k->m_cp.tcps[0].m_data != NULL) {\n /* In the case of a single-tiled image whose codestream we have already */\n /* ingested, go on */\n }\n /* Check if we are read the main header */\n else if (p_j2k->m_specific_param.m_decoder.m_state != J2K_STATE_TPHSOT) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Need to decode the main header before begin to decode the remaining codestream.\\n\");\n return OPJ_FALSE;\n }\n\n /* Update the comps[].factor member of the output image with the one */\n /* of m_reduce */\n for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {\n p_image->comps[it_comp].factor = p_j2k->m_cp.m_specific_param.m_dec.m_reduce;\n }\n\n if (!p_start_x && !p_start_y && !p_end_x && !p_end_y) {\n opj_event_msg(p_manager, EVT_INFO,\n \"No decoded area parameters, set the decoded area to the whole image\\n\");\n\n p_j2k->m_specific_param.m_decoder.m_start_tile_x = 0;\n p_j2k->m_specific_param.m_decoder.m_start_tile_y = 0;\n p_j2k->m_specific_param.m_decoder.m_end_tile_x = l_cp->tw;\n p_j2k->m_specific_param.m_decoder.m_end_tile_y = l_cp->th;\n\n p_image->x0 = l_image->x0;\n p_image->y0 = l_image->y0;\n p_image->x1 = l_image->x1;\n p_image->y1 = l_image->y1;\n\n return opj_j2k_update_image_dimensions(p_image, p_manager);\n }\n\n /* ----- */\n /* Check if the positions provided by the user are correct */\n\n /* Left */\n if (p_start_x < 0) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Left position of the decoded area (region_x0=%d) should be >= 0.\\n\",\n p_start_x);\n return OPJ_FALSE;\n } else if ((OPJ_UINT32)p_start_x > l_image->x1) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Left position of the decoded area (region_x0=%d) is outside the image area (Xsiz=%d).\\n\",\n p_start_x, l_image->x1);\n return OPJ_FALSE;\n } else if ((OPJ_UINT32)p_start_x < l_image->x0) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"Left position of the decoded area (region_x0=%d) is outside the image area (XOsiz=%d).\\n\",\n p_start_x, l_image->x0);\n 
p_j2k->m_specific_param.m_decoder.m_start_tile_x = 0;\n p_image->x0 = l_image->x0;\n } else {\n p_j2k->m_specific_param.m_decoder.m_start_tile_x = ((OPJ_UINT32)p_start_x -\n l_cp->tx0) / l_cp->tdx;\n p_image->x0 = (OPJ_UINT32)p_start_x;\n }\n\n /* Up */\n if (p_start_y < 0) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Up position of the decoded area (region_y0=%d) should be >= 0.\\n\",\n p_start_y);\n return OPJ_FALSE;\n } else if ((OPJ_UINT32)p_start_y > l_image->y1) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Up position of the decoded area (region_y0=%d) is outside the image area (Ysiz=%d).\\n\",\n p_start_y, l_image->y1);\n return OPJ_FALSE;\n } else if ((OPJ_UINT32)p_start_y < l_image->y0) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"Up position of the decoded area (region_y0=%d) is outside the image area (YOsiz=%d).\\n\",\n p_start_y, l_image->y0);\n p_j2k->m_specific_param.m_decoder.m_start_tile_y = 0;\n p_image->y0 = l_image->y0;\n } else {\n p_j2k->m_specific_param.m_decoder.m_start_tile_y = ((OPJ_UINT32)p_start_y -\n l_cp->ty0) / l_cp->tdy;\n p_image->y0 = (OPJ_UINT32)p_start_y;\n }\n\n /* Right */\n if (p_end_x <= 0) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Right position of the decoded area (region_x1=%d) should be > 0.\\n\",\n p_end_x);\n return OPJ_FALSE;\n } else if ((OPJ_UINT32)p_end_x < l_image->x0) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Right position of the decoded area (region_x1=%d) is outside the image area (XOsiz=%d).\\n\",\n p_end_x, l_image->x0);\n return OPJ_FALSE;\n } else if ((OPJ_UINT32)p_end_x > l_image->x1) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"Right position of the decoded area (region_x1=%d) is outside the image area (Xsiz=%d).\\n\",\n p_end_x, l_image->x1);\n p_j2k->m_specific_param.m_decoder.m_end_tile_x = l_cp->tw;\n p_image->x1 = l_image->x1;\n } else {\n p_j2k->m_specific_param.m_decoder.m_end_tile_x = (OPJ_UINT32)opj_int_ceildiv(\n p_end_x - (OPJ_INT32)l_cp->tx0, (OPJ_INT32)l_cp->tdx);\n p_image->x1 = 
(OPJ_UINT32)p_end_x;\n }\n\n /* Bottom */\n if (p_end_y <= 0) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Bottom position of the decoded area (region_y1=%d) should be > 0.\\n\",\n p_end_y);\n return OPJ_FALSE;\n } else if ((OPJ_UINT32)p_end_y < l_image->y0) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Bottom position of the decoded area (region_y1=%d) is outside the image area (YOsiz=%d).\\n\",\n p_end_y, l_image->y0);\n return OPJ_FALSE;\n }\n if ((OPJ_UINT32)p_end_y > l_image->y1) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"Bottom position of the decoded area (region_y1=%d) is outside the image area (Ysiz=%d).\\n\",\n p_end_y, l_image->y1);\n p_j2k->m_specific_param.m_decoder.m_end_tile_y = l_cp->th;\n p_image->y1 = l_image->y1;\n } else {\n p_j2k->m_specific_param.m_decoder.m_end_tile_y = (OPJ_UINT32)opj_int_ceildiv(\n p_end_y - (OPJ_INT32)l_cp->ty0, (OPJ_INT32)l_cp->tdy);\n p_image->y1 = (OPJ_UINT32)p_end_y;\n }\n /* ----- */\n\n p_j2k->m_specific_param.m_decoder.m_discard_tiles = 1;\n\n ret = opj_j2k_update_image_dimensions(p_image, p_manager);\n\n if (ret) {\n opj_event_msg(p_manager, EVT_INFO, \"Setting decoding area to %d,%d,%d,%d\\n\",\n p_image->x0, p_image->y0, p_image->x1, p_image->y1);\n }\n\n return ret;\n}", "project": "openjpeg", "hash": 41051638577468026452590970301078659521, "size": 154, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357413 }, { "func": "static ssize_t ca8210_test_int_user_write(\n\tstruct file *filp,\n\tconst char __user *in_buf,\n\tsize_t len,\n\tloff_t *off\n)\n{\n\tint ret;\n\tstruct ca8210_priv *priv = filp->private_data;\n\tu8 command[CA8210_SPI_BUF_SIZE];\n\n\tmemset(command, SPI_IDLE, 6);\n\tif (len > CA8210_SPI_BUF_SIZE || len < 2) {\n\t\tdev_warn(\n\t\t\t&priv->spi->dev,\n\t\t\t\"userspace requested erroneous write length (%zu)\\n\",\n\t\t\tlen\n\t\t);\n\t\treturn 
-EBADE;\n\t}\n\n\tret = copy_from_user(command, in_buf, len);\n\tif (ret) {\n\t\tdev_err(\n\t\t\t&priv->spi->dev,\n\t\t\t\"%d bytes could not be copied from userspace\\n\",\n\t\t\tret\n\t\t);\n\t\treturn -EIO;\n\t}\n\tif (len != command[1] + 2) {\n\t\tdev_err(\n\t\t\t&priv->spi->dev,\n\t\t\t\"write len does not match packet length field\\n\"\n\t\t);\n\t\treturn -EBADE;\n\t}\n\n\tret = ca8210_test_check_upstream(command, priv->spi);\n\tif (ret == 0) {\n\t\tret = ca8210_spi_exchange(\n\t\t\tcommand,\n\t\t\tcommand[1] + 2,\n\t\t\tNULL,\n\t\t\tpriv->spi\n\t\t);\n\t\tif (ret < 0) {\n\t\t\t/* effectively 0 bytes were written successfully */\n\t\t\tdev_err(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"spi exchange failed\\n\"\n\t\t\t);\n\t\t\treturn ret;\n\t\t}\n\t\tif (command[0] & SPI_SYN)\n\t\t\tpriv->sync_down++;\n\t}\n\n\treturn len;\n}", "project": "linux", "hash": 184768094734317584941846246523845901671, "size": 60, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408820 }, { "func": "static int nfs4_do_call_sync(struct rpc_clnt *clnt,\n\t\t\t struct nfs_server *server,\n\t\t\t struct rpc_message *msg,\n\t\t\t struct nfs4_sequence_args *args,\n\t\t\t struct nfs4_sequence_res *res,\n\t\t\t unsigned short task_flags)\n{\n\tstruct nfs_client *clp = server->nfs_client;\n\tstruct nfs4_call_sync_data data = {\n\t\t.seq_server = server,\n\t\t.seq_args = args,\n\t\t.seq_res = res,\n\t};\n\tstruct rpc_task_setup task_setup = {\n\t\t.rpc_client = clnt,\n\t\t.rpc_message = msg,\n\t\t.callback_ops = 
clp->cl_mvops->call_sync_ops,\n\t\t.callback_data = &data,\n\t\t.flags = task_flags,\n\t};\n\n\treturn nfs4_call_sync_custom(&task_setup);\n}", "project": "linux", "hash": 186446125151282934168114776859566109836, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431411 }, { "func": "\nstatic void io_destroy_buffers(struct io_ring_ctx *ctx)\n{\n\tstruct io_buffer *buf;\n\tunsigned long index;\n\n\txa_for_each(&ctx->io_buffers, index, buf)\n\t\t__io_remove_buffers(ctx, buf, index, -1U);", "project": "linux", "hash": 107500712400324810997878756334065344897, "size": 8, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338685 }, { "func": "static void nfs4_xdr_enc_release_lockowner(struct rpc_rqst *req,\n\t\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t\t const void *data)\n{\n\tconst struct nfs_release_lockowner_args *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = 0,\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_release_lockowner(xdr, &args->lock_owner, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 283799693303539525000059963551951452253, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431045 }, { "func": "static void encode_open_downgrade(struct xdr_stream *xdr, const struct nfs_closeargs *arg, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_OPEN_DOWNGRADE, decode_open_downgrade_maxsz, hdr);\n\tencode_nfs4_stateid(xdr, &arg->stateid);\n\tencode_nfs4_seqid(xdr, arg->seqid);\n\tencode_share_access(xdr, arg->share_access);\n}", "project": "linux", "hash": 
224681372147948816121262510261011340928, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431392 }, { "func": "static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)\n{\n\tlong timeout = nf_ct_expires(ct) / HZ;\n\n\tif (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))\n\t\tgoto nla_put_failure;\n\treturn 0;\n\nnla_put_failure:\n\treturn -1;\n}", "project": "linux", "hash": 26583163019464102250864113965544306983, "size": 11, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. 
MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394205 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::resolvePromisesForResume()\n{\n ASSERT(isAudioThread());\n ASSERT(isGraphOwner());\n\n if (!m_isResolvingResumePromises && m_resumeResolvers.size() > 0) {\n m_isResolvingResumePromises = true;\n callOnMainThread(bind(&AudioContext::resolvePromisesForResumeOnMainThread, this));\n }\n}\n", "cwe": "", "big_vul_idx": 139682, "idx": 124830, "hash": 310993298490578052999252093458957683147 }, { "func": "static CURLcode telnet_do(struct Curl_easy *data, bool *done)\n{\n CURLcode result;\n struct connectdata *conn = data->conn;\n curl_socket_t sockfd = conn->sock[FIRSTSOCKET];\n#ifdef USE_WINSOCK\n WSAEVENT event_handle;\n WSANETWORKEVENTS events;\n HANDLE stdin_handle;\n HANDLE objs[2];\n DWORD obj_count;\n DWORD wait_timeout;\n DWORD readfile_read;\n int err;\n#else\n timediff_t interval_ms;\n struct pollfd pfd[2];\n int poll_cnt;\n curl_off_t total_dl = 0;\n curl_off_t total_ul = 0;\n#endif\n ssize_t nread;\n struct curltime now;\n bool 
keepon = TRUE;\n char *buf = data->state.buffer;\n struct TELNET *tn;\n\n *done = TRUE; /* unconditionally */\n\n result = init_telnet(data);\n if(result)\n return result;\n\n tn = data->req.p.telnet;\n\n result = check_telnet_options(data);\n if(result)\n return result;\n\n#ifdef USE_WINSOCK\n /* We want to wait for both stdin and the socket. Since\n ** the select() function in winsock only works on sockets\n ** we have to use the WaitForMultipleObjects() call.\n */\n\n /* First, create a sockets event object */\n event_handle = WSACreateEvent();\n if(event_handle == WSA_INVALID_EVENT) {\n failf(data, \"WSACreateEvent failed (%d)\", SOCKERRNO);\n return CURLE_FAILED_INIT;\n }\n\n /* Tell winsock what events we want to listen to */\n if(WSAEventSelect(sockfd, event_handle, FD_READ|FD_CLOSE) == SOCKET_ERROR) {\n WSACloseEvent(event_handle);\n return CURLE_OK;\n }\n\n /* The get the Windows file handle for stdin */\n stdin_handle = GetStdHandle(STD_INPUT_HANDLE);\n\n /* Create the list of objects to wait for */\n objs[0] = event_handle;\n objs[1] = stdin_handle;\n\n /* If stdin_handle is a pipe, use PeekNamedPipe() method to check it,\n else use the old WaitForMultipleObjects() way */\n if(GetFileType(stdin_handle) == FILE_TYPE_PIPE ||\n data->set.is_fread_set) {\n /* Don't wait for stdin_handle, just wait for event_handle */\n obj_count = 1;\n /* Check stdin_handle per 100 milliseconds */\n wait_timeout = 100;\n }\n else {\n obj_count = 2;\n wait_timeout = 1000;\n }\n\n /* Keep on listening and act on events */\n while(keepon) {\n const DWORD buf_size = (DWORD)data->set.buffer_size;\n DWORD waitret = WaitForMultipleObjects(obj_count, objs,\n FALSE, wait_timeout);\n switch(waitret) {\n\n case WAIT_TIMEOUT:\n {\n for(;;) {\n if(data->set.is_fread_set) {\n size_t n;\n /* read from user-supplied method */\n n = data->state.fread_func(buf, 1, buf_size, data->state.in);\n if(n == CURL_READFUNC_ABORT) {\n keepon = FALSE;\n result = CURLE_READ_ERROR;\n break;\n }\n\n if(n 
== CURL_READFUNC_PAUSE)\n break;\n\n if(n == 0) /* no bytes */\n break;\n\n /* fall through with number of bytes read */\n readfile_read = (DWORD)n;\n }\n else {\n /* read from stdin */\n if(!PeekNamedPipe(stdin_handle, NULL, 0, NULL,\n &readfile_read, NULL)) {\n keepon = FALSE;\n result = CURLE_READ_ERROR;\n break;\n }\n\n if(!readfile_read)\n break;\n\n if(!ReadFile(stdin_handle, buf, buf_size,\n &readfile_read, NULL)) {\n keepon = FALSE;\n result = CURLE_READ_ERROR;\n break;\n }\n }\n\n result = send_telnet_data(data, buf, readfile_read);\n if(result) {\n keepon = FALSE;\n break;\n }\n }\n }\n break;\n\n case WAIT_OBJECT_0 + 1:\n {\n if(!ReadFile(stdin_handle, buf, buf_size,\n &readfile_read, NULL)) {\n keepon = FALSE;\n result = CURLE_READ_ERROR;\n break;\n }\n\n result = send_telnet_data(data, buf, readfile_read);\n if(result) {\n keepon = FALSE;\n break;\n }\n }\n break;\n\n case WAIT_OBJECT_0:\n {\n events.lNetworkEvents = 0;\n if(WSAEnumNetworkEvents(sockfd, event_handle, &events) == SOCKET_ERROR) {\n err = SOCKERRNO;\n if(err != EINPROGRESS) {\n infof(data, \"WSAEnumNetworkEvents failed (%d)\", err);\n keepon = FALSE;\n result = CURLE_READ_ERROR;\n }\n break;\n }\n if(events.lNetworkEvents & FD_READ) {\n /* read data from network */\n result = Curl_read(data, sockfd, buf, data->set.buffer_size, &nread);\n /* read would've blocked. Loop again */\n if(result == CURLE_AGAIN)\n break;\n /* returned not-zero, this an error */\n else if(result) {\n keepon = FALSE;\n break;\n }\n /* returned zero but actually received 0 or less here,\n the server closed the connection and we bail out */\n else if(nread <= 0) {\n keepon = FALSE;\n break;\n }\n\n result = telrcv(data, (unsigned char *) buf, nread);\n if(result) {\n keepon = FALSE;\n break;\n }\n\n /* Negotiate if the peer has started negotiating,\n otherwise don't. We don't want to speak telnet with\n non-telnet servers, like POP or SMTP. 
*/\n if(tn->please_negotiate && !tn->already_negotiated) {\n negotiate(data);\n tn->already_negotiated = 1;\n }\n }\n if(events.lNetworkEvents & FD_CLOSE) {\n keepon = FALSE;\n }\n }\n break;\n\n }\n\n if(data->set.timeout) {\n now = Curl_now();\n if(Curl_timediff(now, conn->created) >= data->set.timeout) {\n failf(data, \"Time-out\");\n result = CURLE_OPERATION_TIMEDOUT;\n keepon = FALSE;\n }\n }\n }\n\n /* We called WSACreateEvent, so call WSACloseEvent */\n if(!WSACloseEvent(event_handle)) {\n infof(data, \"WSACloseEvent failed (%d)\", SOCKERRNO);\n }\n#else\n pfd[0].fd = sockfd;\n pfd[0].events = POLLIN;\n\n if(data->set.is_fread_set) {\n poll_cnt = 1;\n interval_ms = 100; /* poll user-supplied read function */\n }\n else {\n /* really using fread, so infile is a FILE* */\n pfd[1].fd = fileno((FILE *)data->state.in);\n pfd[1].events = POLLIN;\n poll_cnt = 2;\n interval_ms = 1 * 1000;\n }\n\n while(keepon) {\n switch(Curl_poll(pfd, poll_cnt, interval_ms)) {\n case -1: /* error, stop reading */\n keepon = FALSE;\n continue;\n case 0: /* timeout */\n pfd[0].revents = 0;\n pfd[1].revents = 0;\n /* FALLTHROUGH */\n default: /* read! */\n if(pfd[0].revents & POLLIN) {\n /* read data from network */\n result = Curl_read(data, sockfd, buf, data->set.buffer_size, &nread);\n /* read would've blocked. Loop again */\n if(result == CURLE_AGAIN)\n break;\n /* returned not-zero, this an error */\n if(result) {\n keepon = FALSE;\n break;\n }\n /* returned zero but actually received 0 or less here,\n the server closed the connection and we bail out */\n else if(nread <= 0) {\n keepon = FALSE;\n break;\n }\n\n total_dl += nread;\n Curl_pgrsSetDownloadCounter(data, total_dl);\n result = telrcv(data, (unsigned char *)buf, nread);\n if(result) {\n keepon = FALSE;\n break;\n }\n\n /* Negotiate if the peer has started negotiating,\n otherwise don't. We don't want to speak telnet with\n non-telnet servers, like POP or SMTP. 
*/\n if(tn->please_negotiate && !tn->already_negotiated) {\n negotiate(data);\n tn->already_negotiated = 1;\n }\n }\n\n nread = 0;\n if(poll_cnt == 2) {\n if(pfd[1].revents & POLLIN) { /* read from in file */\n nread = read(pfd[1].fd, buf, data->set.buffer_size);\n }\n }\n else {\n /* read from user-supplied method */\n nread = (int)data->state.fread_func(buf, 1, data->set.buffer_size,\n data->state.in);\n if(nread == CURL_READFUNC_ABORT) {\n keepon = FALSE;\n break;\n }\n if(nread == CURL_READFUNC_PAUSE)\n break;\n }\n\n if(nread > 0) {\n result = send_telnet_data(data, buf, nread);\n if(result) {\n keepon = FALSE;\n break;\n }\n total_ul += nread;\n Curl_pgrsSetUploadCounter(data, total_ul);\n }\n else if(nread < 0)\n keepon = FALSE;\n\n break;\n } /* poll switch statement */\n\n if(data->set.timeout) {\n now = Curl_now();\n if(Curl_timediff(now, conn->created) >= data->set.timeout) {\n failf(data, \"Time-out\");\n result = CURLE_OPERATION_TIMEDOUT;\n keepon = FALSE;\n }\n }\n\n if(Curl_pgrsUpdate(data)) {\n result = CURLE_ABORTED_BY_CALLBACK;\n break;\n }\n }\n#endif\n /* mark this as \"no further transfer wanted\" */\n Curl_setup_transfer(data, -1, -1, FALSE, -1);\n\n return result;\n}", "project": "curl", "hash": 132190688323899187134803477130417631834, "size": 334, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 0, "dataset": "other", "idx": 481488 }, { "func": " Item_hex_string(THD *thd): Item_hex_constant(thd) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 262355115783207214907227556960567822194, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / 
derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509322 }, { "func": "gdImagePtr gdImageCreate (int sx, int sy)\n{\n\tint i;\n\tgdImagePtr im;\n\n\tif (overflow2(sx, sy)) {\n\t\treturn NULL;\n\t}\n\n\tif (overflow2(sizeof(unsigned char *), sy)) {\n\t\treturn NULL;\n\t}\n\n\tif (overflow2(sizeof(unsigned char *), sx)) {\n\t\treturn NULL;\n\t}\n\n\tim = (gdImage *) gdCalloc(1, sizeof(gdImage));\n\n\t/* Row-major ever since gd 1.3 */\n\tim->pixels = (unsigned char **) gdMalloc(sizeof(unsigned char *) * sy);\n\tim->AA_opacity = (unsigned char **) gdMalloc(sizeof(unsigned char *) * sy);\n\tim->polyInts = 0;\n\tim->polyAllocated = 0;\n\tim->brush = 0;\n\tim->tile = 0;\n\tim->style = 0;\n\tfor (i = 0; i < sy; i++) {\n\t\t/* Row-major ever since gd 1.3 */\n\t\tim->pixels[i] = (unsigned char *) gdCalloc(sx, sizeof(unsigned char));\n\t\tim->AA_opacity[i] = (unsigned char *) gdCalloc(sx, sizeof(unsigned char));\n\t}\n\tim->sx = sx;\n\tim->sy = sy;\n\tim->colorsTotal = 0;\n\tim->transparent = (-1);\n\tim->interlace = 0;\n\tim->thick = 1;\n\tim->AA = 0;\n\tim->AA_polygon = 0;\n\tfor (i = 0; i < gdMaxColors; i++) {\n\t\tim->open[i] = 1;\n\t\tim->red[i] = 0;\n\t\tim->green[i] = 0;\n\t\tim->blue[i] = 0;\n\t}\n\tim->trueColor = 0;\n\tim->tpixels = 0;\n\tim->cx1 = 0;\n\tim->cy1 = 0;\n\tim->cx2 = im->sx - 
1;\n\tim->cy2 = im->sy - 1;\n\tim->interpolation = NULL;\n\tim->interpolation_id = GD_BILINEAR_FIXED;\n\treturn im;\n}", "project": "php-src", "hash": 21404625845625905212139387270698897518, "size": 56, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295177 }, { "func": "static inline void zap_deposited_table(struct mm_struct *mm, pmd_t *pmd)\n{\n\tpgtable_t pgtable;\n\n\tpgtable = pgtable_trans_huge_withdraw(mm, pmd);\n\tpte_free(mm, pgtable);\n\tmm_dec_nr_ptes(mm);\n}", "project": "linux", "hash": 316257009362821680766518451271517322639, "size": 8, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). 
Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364199 }, { "func": "\nstatic void __io_sqe_files_unregister(struct io_ring_ctx *ctx)\n{\n#if defined(CONFIG_UNIX)\n\tif (ctx->ring_sock) {\n\t\tstruct sock *sock = ctx->ring_sock->sk;\n\t\tstruct sk_buff *skb;\n\n\t\twhile ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)\n\t\t\tkfree_skb(skb);\n\t}\n#else\n\tint i;\n\n\tfor (i = 0; i < ctx->nr_user_files; i++) {\n\t\tstruct file *file;\n\n\t\tfile = io_file_from_index(ctx, i);\n\t\tif (file)\n\t\t\tfput(file);\n\t}\n#endif\n\tio_free_file_tables(&ctx->file_table, ctx->nr_user_files);\n\tio_rsrc_data_free(ctx->file_data);\n\tctx->file_data = NULL;\n\tctx->nr_user_files = 0;", "project": "linux", "hash": 317313977515539920623781839964081126679, "size": 26, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338641 }, { "func": "static ssize_t slabs_show(struct kmem_cache *s, char *buf)\n{\n\treturn show_slab_objects(s, buf, SO_ALL);\n}", "project": "linux", "hash": 300787585659354279513574584397038783774, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280145 }, { "func": "static void printResults(u_int64_t processing_time_usec, u_int64_t setup_time_usec) {\n u_int32_t i;\n u_int64_t total_flow_bytes = 0;\n u_int32_t avg_pkt_size = 0;\n struct ndpi_stats cumulative_stats;\n int thread_id;\n char buf[32];\n long long unsigned int breed_stats[NUM_BREEDS] = { 0 };\n\n memset(&cumulative_stats, 0, sizeof(cumulative_stats));\n\n for(thread_id = 0; thread_id < num_threads; thread_id++) {\n if((ndpi_thread_info[thread_id].workflow->stats.total_wire_bytes == 0)\n && (ndpi_thread_info[thread_id].workflow->stats.raw_packet_count == 0))\n continue;\n\n for(i=0; indpi_flows_root[i],\n\t\t node_proto_guess_walker, &thread_id);\n if(verbose == 3)\n\tndpi_twalk(ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i],\n\t\t port_stats_walker, &thread_id);\n }\n\n /* Stats aggregation */\n cumulative_stats.guessed_flow_protocols += ndpi_thread_info[thread_id].workflow->stats.guessed_flow_protocols;\n cumulative_stats.raw_packet_count += ndpi_thread_info[thread_id].workflow->stats.raw_packet_count;\n cumulative_stats.ip_packet_count += ndpi_thread_info[thread_id].workflow->stats.ip_packet_count;\n cumulative_stats.total_wire_bytes += ndpi_thread_info[thread_id].workflow->stats.total_wire_bytes;\n cumulative_stats.total_ip_bytes += ndpi_thread_info[thread_id].workflow->stats.total_ip_bytes;\n cumulative_stats.total_discarded_bytes += ndpi_thread_info[thread_id].workflow->stats.total_discarded_bytes;\n\n for(i = 0; i < ndpi_get_num_supported_protocols(ndpi_thread_info[0].workflow->ndpi_struct); i++) {\n 
cumulative_stats.protocol_counter[i] += ndpi_thread_info[thread_id].workflow->stats.protocol_counter[i];\n cumulative_stats.protocol_counter_bytes[i] += ndpi_thread_info[thread_id].workflow->stats.protocol_counter_bytes[i];\n cumulative_stats.protocol_flows[i] += ndpi_thread_info[thread_id].workflow->stats.protocol_flows[i];\n }\n\n cumulative_stats.ndpi_flow_count += ndpi_thread_info[thread_id].workflow->stats.ndpi_flow_count;\n cumulative_stats.tcp_count += ndpi_thread_info[thread_id].workflow->stats.tcp_count;\n cumulative_stats.udp_count += ndpi_thread_info[thread_id].workflow->stats.udp_count;\n cumulative_stats.mpls_count += ndpi_thread_info[thread_id].workflow->stats.mpls_count;\n cumulative_stats.pppoe_count += ndpi_thread_info[thread_id].workflow->stats.pppoe_count;\n cumulative_stats.vlan_count += ndpi_thread_info[thread_id].workflow->stats.vlan_count;\n cumulative_stats.fragmented_count += ndpi_thread_info[thread_id].workflow->stats.fragmented_count;\n for(i = 0; i < sizeof(cumulative_stats.packet_len)/sizeof(cumulative_stats.packet_len[0]); i++)\n cumulative_stats.packet_len[i] += ndpi_thread_info[thread_id].workflow->stats.packet_len[i];\n cumulative_stats.max_packet_len += ndpi_thread_info[thread_id].workflow->stats.max_packet_len;\n }\n\n if(cumulative_stats.total_wire_bytes == 0)\n goto free_stats;\n\n if(!quiet_mode) {\n printf(\"\\nnDPI Memory statistics:\\n\");\n printf(\"\\tnDPI Memory (once): %-13s\\n\", formatBytes(ndpi_get_ndpi_detection_module_size(), buf, sizeof(buf)));\n printf(\"\\tFlow Memory (per flow): %-13s\\n\", formatBytes(sizeof(struct ndpi_flow_struct), buf, sizeof(buf)));\n printf(\"\\tActual Memory: %-13s\\n\", formatBytes(current_ndpi_memory, buf, sizeof(buf)));\n printf(\"\\tPeak Memory: %-13s\\n\", formatBytes(max_ndpi_memory, buf, sizeof(buf)));\n printf(\"\\tSetup Time: %lu msec\\n\", (unsigned long)(setup_time_usec/1000));\n printf(\"\\tPacket Processing Time: %lu msec\\n\", (unsigned long)(processing_time_usec/1000));\n\n 
printf(\"\\nTraffic statistics:\\n\");\n printf(\"\\tEthernet bytes: %-13llu (includes ethernet CRC/IFC/trailer)\\n\",\n\t (long long unsigned int)cumulative_stats.total_wire_bytes);\n printf(\"\\tDiscarded bytes: %-13llu\\n\",\n\t (long long unsigned int)cumulative_stats.total_discarded_bytes);\n printf(\"\\tIP packets: %-13llu of %llu packets total\\n\",\n\t (long long unsigned int)cumulative_stats.ip_packet_count,\n\t (long long unsigned int)cumulative_stats.raw_packet_count);\n /* In order to prevent Floating point exception in case of no traffic*/\n if(cumulative_stats.total_ip_bytes && cumulative_stats.raw_packet_count)\n\tavg_pkt_size = (unsigned int)(cumulative_stats.total_ip_bytes/cumulative_stats.raw_packet_count);\n printf(\"\\tIP bytes: %-13llu (avg pkt size %u bytes)\\n\",\n\t (long long unsigned int)cumulative_stats.total_ip_bytes,avg_pkt_size);\n printf(\"\\tUnique flows: %-13u\\n\", cumulative_stats.ndpi_flow_count);\n\n printf(\"\\tTCP Packets: %-13lu\\n\", (unsigned long)cumulative_stats.tcp_count);\n printf(\"\\tUDP Packets: %-13lu\\n\", (unsigned long)cumulative_stats.udp_count);\n printf(\"\\tVLAN Packets: %-13lu\\n\", (unsigned long)cumulative_stats.vlan_count);\n printf(\"\\tMPLS Packets: %-13lu\\n\", (unsigned long)cumulative_stats.mpls_count);\n printf(\"\\tPPPoE Packets: %-13lu\\n\", (unsigned long)cumulative_stats.pppoe_count);\n printf(\"\\tFragmented Packets: %-13lu\\n\", (unsigned long)cumulative_stats.fragmented_count);\n printf(\"\\tMax Packet size: %-13u\\n\", cumulative_stats.max_packet_len);\n printf(\"\\tPacket Len < 64: %-13lu\\n\", (unsigned long)cumulative_stats.packet_len[0]);\n printf(\"\\tPacket Len 64-128: %-13lu\\n\", (unsigned long)cumulative_stats.packet_len[1]);\n printf(\"\\tPacket Len 128-256: %-13lu\\n\", (unsigned long)cumulative_stats.packet_len[2]);\n printf(\"\\tPacket Len 256-1024: %-13lu\\n\", (unsigned long)cumulative_stats.packet_len[3]);\n printf(\"\\tPacket Len 1024-1500: %-13lu\\n\", (unsigned 
long)cumulative_stats.packet_len[4]);\n printf(\"\\tPacket Len > 1500: %-13lu\\n\", (unsigned long)cumulative_stats.packet_len[5]);\n\n if(processing_time_usec > 0) {\n\tchar buf[32], buf1[32], when[64];\n\tfloat t = (float)(cumulative_stats.ip_packet_count*1000000)/(float)processing_time_usec;\n\tfloat b = (float)(cumulative_stats.total_wire_bytes * 8 *1000000)/(float)processing_time_usec;\n\tfloat traffic_duration;\n\tstruct tm result;\n\t\n\tif(live_capture) traffic_duration = processing_time_usec;\n\telse traffic_duration = (pcap_end.tv_sec*1000000 + pcap_end.tv_usec) - (pcap_start.tv_sec*1000000 + pcap_start.tv_usec);\n\n\tprintf(\"\\tnDPI throughput: %s pps / %s/sec\\n\", formatPackets(t, buf), formatTraffic(b, 1, buf1));\n\tif(traffic_duration != 0) {\n\t t = (float)(cumulative_stats.ip_packet_count*1000000)/(float)traffic_duration;\n\t b = (float)(cumulative_stats.total_wire_bytes * 8 *1000000)/(float)traffic_duration;\n\t} else {\n\t t = 0;\n\t b = 0;\n\t}\n\tstrftime(when, sizeof(when), \"%d/%b/%Y %H:%M:%S\", localtime_r(&pcap_start.tv_sec, &result));\n\tprintf(\"\\tAnalysis begin: %s\\n\", when);\n\tstrftime(when, sizeof(when), \"%d/%b/%Y %H:%M:%S\", localtime_r(&pcap_end.tv_sec, &result));\n\tprintf(\"\\tAnalysis end: %s\\n\", when);\n\tprintf(\"\\tTraffic throughput: %s pps / %s/sec\\n\", formatPackets(t, buf), formatTraffic(b, 1, buf1));\n\tprintf(\"\\tTraffic duration: %.3f sec\\n\", traffic_duration/1000000);\n }\n\n if(enable_protocol_guess)\n\tprintf(\"\\tGuessed flow protos: %-13u\\n\", cumulative_stats.guessed_flow_protocols);\n }\n\n\n if(!quiet_mode) printf(\"\\n\\nDetected protocols:\\n\");\n for(i = 0; i <= ndpi_get_num_supported_protocols(ndpi_thread_info[0].workflow->ndpi_struct); i++) {\n ndpi_protocol_breed_t breed = ndpi_get_proto_breed(ndpi_thread_info[0].workflow->ndpi_struct, i);\n\n if(cumulative_stats.protocol_counter[i] > 0) {\n breed_stats[breed] += (long long unsigned int)cumulative_stats.protocol_counter_bytes[i];\n\n 
if(results_file)\n\tfprintf(results_file, \"%s\\t%llu\\t%llu\\t%u\\n\",\n\t\tndpi_get_proto_name(ndpi_thread_info[0].workflow->ndpi_struct, i),\n\t\t(long long unsigned int)cumulative_stats.protocol_counter[i],\n\t\t(long long unsigned int)cumulative_stats.protocol_counter_bytes[i],\n\t\tcumulative_stats.protocol_flows[i]);\n\n if((!quiet_mode)) {\n\tprintf(\"\\t%-20s packets: %-13llu bytes: %-13llu \"\n\t \"flows: %-13u\\n\",\n\t ndpi_get_proto_name(ndpi_thread_info[0].workflow->ndpi_struct, i),\n\t (long long unsigned int)cumulative_stats.protocol_counter[i],\n\t (long long unsigned int)cumulative_stats.protocol_counter_bytes[i],\n\t cumulative_stats.protocol_flows[i]);\n }\n\n total_flow_bytes += cumulative_stats.protocol_counter_bytes[i];\n }\n }\n\n if((!quiet_mode)) {\n printf(\"\\n\\nProtocol statistics:\\n\");\n\n for(i=0; i < NUM_BREEDS; i++) {\n if(breed_stats[i] > 0) {\n\tprintf(\"\\t%-20s %13llu bytes\\n\",\n\t ndpi_get_proto_breed_name(ndpi_thread_info[0].workflow->ndpi_struct, i),\n\t breed_stats[i]);\n }\n }\n }\n\n // printf(\"\\n\\nTotal Flow Traffic: %llu (diff: %llu)\\n\", total_flow_bytes, cumulative_stats.total_ip_bytes-total_flow_bytes);\n\n printFlowsStats();\n\n if(verbose == 3) {\n HASH_SORT(srcStats, port_stats_sort);\n HASH_SORT(dstStats, port_stats_sort);\n\n printf(\"\\n\\nSource Ports Stats:\\n\");\n printPortStats(srcStats);\n\n printf(\"\\nDestination Ports Stats:\\n\");\n printPortStats(dstStats);\n }\n\nfree_stats:\n if(scannerHosts) {\n deleteScanners(scannerHosts);\n scannerHosts = NULL;\n }\n\n if(receivers) {\n deleteReceivers(receivers);\n receivers = NULL;\n }\n\n if(topReceivers) {\n deleteReceivers(topReceivers);\n topReceivers = NULL;\n }\n\n if(srcStats) {\n deletePortsStats(srcStats);\n srcStats = NULL;\n }\n\n if(dstStats) {\n deletePortsStats(dstStats);\n dstStats = NULL;\n }\n}", "project": "nDPI", "hash": 226019730728697995372925327049204647495, "size": 202, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", 
"message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254866 }, { "func": "static void fuse_put_super(struct super_block *sb)\n{\n\tstruct fuse_mount *fm = get_fuse_mount_super(sb);\n\n\tfuse_conn_put(fm->fc);\n\tkfree(fm);\n}", "project": "linux", "hash": 280047054346882609216245019996108189307, "size": 7, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342005 }, { "func": "static OPJ_BOOL opj_tcd_mct_encode(opj_tcd_t *p_tcd)\n{\n opj_tcd_tile_t * l_tile = p_tcd->tcd_image->tiles;\n opj_tcd_tilecomp_t * l_tile_comp = p_tcd->tcd_image->tiles->comps;\n OPJ_SIZE_T samples = (OPJ_SIZE_T)(l_tile_comp->x1 - l_tile_comp->x0) *\n (OPJ_SIZE_T)(l_tile_comp->y1 - l_tile_comp->y0);\n OPJ_UINT32 i;\n OPJ_BYTE ** l_data = 00;\n opj_tcp_t * l_tcp = p_tcd->tcp;\n\n if (!p_tcd->tcp->mct) {\n return OPJ_TRUE;\n }\n\n if (p_tcd->tcp->mct == 2) {\n if (! 
p_tcd->tcp->m_mct_coding_matrix) {\n return OPJ_TRUE;\n }\n\n l_data = (OPJ_BYTE **) opj_malloc(l_tile->numcomps * sizeof(OPJ_BYTE*));\n if (! l_data) {\n return OPJ_FALSE;\n }\n\n for (i = 0; i < l_tile->numcomps; ++i) {\n l_data[i] = (OPJ_BYTE*) l_tile_comp->data;\n ++l_tile_comp;\n }\n\n if (! opj_mct_encode_custom(/* MCT data */\n (OPJ_BYTE*) p_tcd->tcp->m_mct_coding_matrix,\n /* size of components */\n samples,\n /* components */\n l_data,\n /* nb of components (i.e. size of pData) */\n l_tile->numcomps,\n /* tells if the data is signed */\n p_tcd->image->comps->sgnd)) {\n opj_free(l_data);\n return OPJ_FALSE;\n }\n\n opj_free(l_data);\n } else if (l_tcp->tccps->qmfbid == 0) {\n opj_mct_encode_real(\n (OPJ_FLOAT32*)l_tile->comps[0].data,\n (OPJ_FLOAT32*)l_tile->comps[1].data,\n (OPJ_FLOAT32*)l_tile->comps[2].data,\n samples);\n } else {\n opj_mct_encode(l_tile->comps[0].data, l_tile->comps[1].data,\n l_tile->comps[2].data, samples);\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 171724812816171901871141545708644317649, "size": 57, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359176 }, { "func": "static int pop(json_parser *json, Mode mode) {\n if (json->top < 0 || json->stack[json->top].mode != mode) {\n return false;\n }\n json->stack[json->top].mode = Mode::INVALID;\n json->top -= 1;\n return true;\n}", "project": "hhvm", "hash": 238206006279165981348223413912210911426, "size": 8, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": 
"other", "idx": 227298 }, { "func": "char* formatTraffic(float numBits, int bits, char *buf) {\n char unit;\n\n if(bits)\n unit = 'b';\n else\n unit = 'B';\n\n if(numBits < 1024) {\n snprintf(buf, 32, \"%lu %c\", (unsigned long)numBits, unit);\n } else if(numBits < (1024*1024)) {\n snprintf(buf, 32, \"%.2f K%c\", (float)(numBits)/1024, unit);\n } else {\n float tmpMBits = ((float)numBits)/(1024*1024);\n\n if(tmpMBits < 1024) {\n snprintf(buf, 32, \"%.2f M%c\", tmpMBits, unit);\n } else {\n tmpMBits /= 1024;\n\n if(tmpMBits < 1024) {\n\tsnprintf(buf, 32, \"%.2f G%c\", tmpMBits, unit);\n } else {\n\tsnprintf(buf, 32, \"%.2f T%c\", (float)(tmpMBits)/1024, unit);\n }\n }\n }\n\n return(buf);\n}", "project": "nDPI", "hash": 324080780606130502773964254909509478295, "size": 30, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254830 }, { "func": "int imap_check_mailbox(struct Mailbox *m, bool force)\n{\n if (!m || !m->account)\n return -1;\n\n struct ImapAccountData *adata = imap_adata_get(m);\n struct ImapMboxData *mdata = imap_mdata_get(m);\n\n /* overload keyboard timeout to avoid many mailbox checks in a row.\n * Most users don't like having to wait exactly when they press a key. 
*/\n int rc = 0;\n\n /* try IDLE first, unless force is set */\n if (!force && C_ImapIdle && (adata->capabilities & IMAP_CAP_IDLE) &&\n ((adata->state != IMAP_IDLE) || (mutt_date_epoch() >= adata->lastread + C_ImapKeepalive)))\n {\n if (imap_cmd_idle(adata) < 0)\n return -1;\n }\n if (adata->state == IMAP_IDLE)\n {\n while ((rc = mutt_socket_poll(adata->conn, 0)) > 0)\n {\n if (imap_cmd_step(adata) != IMAP_RES_CONTINUE)\n {\n mutt_debug(LL_DEBUG1, \"Error reading IDLE response\\n\");\n return -1;\n }\n }\n if (rc < 0)\n {\n mutt_debug(LL_DEBUG1, \"Poll failed, disabling IDLE\\n\");\n adata->capabilities &= ~IMAP_CAP_IDLE; // Clear the flag\n }\n }\n\n if ((force || ((adata->state != IMAP_IDLE) &&\n (mutt_date_epoch() >= adata->lastread + C_Timeout))) &&\n (imap_exec(adata, \"NOOP\", IMAP_CMD_POLL) != IMAP_EXEC_SUCCESS))\n {\n return -1;\n }\n\n /* We call this even when we haven't run NOOP in case we have pending\n * changes to process, since we can reopen here. */\n imap_cmd_finish(adata);\n\n if (mdata->check_status & IMAP_EXPUNGE_PENDING)\n rc = MUTT_REOPENED;\n else if (mdata->check_status & IMAP_NEWMAIL_PENDING)\n rc = MUTT_NEW_MAIL;\n else if (mdata->check_status & IMAP_FLAGS_PENDING)\n rc = MUTT_FLAGS;\n\n mdata->check_status = IMAP_OPEN_NO_FLAGS;\n\n return rc;\n}", "project": "neomutt", "hash": 238651219299645381448563767548493726030, "size": 58, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357010 }, { "func": "void h2_stream_rst(h2_stream *stream, int error_code)\n{\n stream->rst_error = error_code;\n if (stream->input) {\n h2_beam_abort(stream->input);\n }\n if (stream->output) {\n h2_beam_leave(stream->output);\n }\n ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c,\n H2_STRM_MSG(stream, \"reset, error=%d\"), error_code);\n 
h2_stream_dispatch(stream, H2_SEV_CANCELLED);\n}", "project": "httpd", "hash": 105072850160191037672224451998625832412, "size": 13, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284246 }, { "func": "UnicodeStringTest::TestRemoveReplace()\n{\n UnicodeString test1(\"The rain in Spain stays mainly on the plain\");\n UnicodeString test2(\"eat SPAMburgers!\");\n UChar test3[] = { 0x53, 0x50, 0x41, 0x4d, 0x4d, 0 };\n char test4[] = \"SPAM\";\n UnicodeString& test5 = test1;\n\n test1.replace(4, 4, test2, 4, 4);\n test1.replace(12, 5, test3, 4);\n test3[4] = 0;\n test1.replace(17, 4, test3);\n test1.replace(23, 4, test4);\n test1.replaceBetween(37, 42, test2, 4, 8);\n\n if (test1 != \"The SPAM in SPAM SPAMs SPAMly on the SPAM\")\n errln(\"One of the replace methods failed:\\n\"\n \" expected \\\"The SPAM in SPAM SPAMs SPAMly on the SPAM\\\",\\n\"\n \" got \\\"\" + test1 + \"\\\"\");\n\n test1.remove(21, 1);\n test1.removeBetween(26, 28);\n\n if (test1 != \"The SPAM in SPAM SPAM SPAM on the SPAM\")\n errln(\"One of the remove methods failed:\\n\"\n \" expected \\\"The SPAM in SPAM SPAM SPAM on the SPAM\\\",\\n\"\n \" got \\\"\" + test1 + \"\\\"\");\n\n for (int32_t i = 0; i < test1.length(); i++) {\n if (test5[i] != 0x53 && test5[i] != 0x50 && test5[i] != 0x41 && test5[i] != 0x4d && test5[i] != 0x20) {\n test1.setCharAt(i, 0x78);\n }\n }\n\n if (test1 != \"xxx SPAM xx SPAM SPAM SPAM xx xxx SPAM\")\n errln(\"One of the remove methods failed:\\n\"\n \" expected \\\"xxx SPAM xx SPAM SPAM SPAM xx xxx SPAM\\\",\\n\"\n \" got \\\"\" + test1 + \"\\\"\");\n\n test1.remove();\n if (test1.length() != 0)\n errln(\"Remove() failed: expected empty string, got \\\"\" + test1 + \"\\\"\");\n}", "project": "icu", "hash": 
294580399475269285995302980253773873278, "size": 43, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430759 }, { "func": "\nstatic int io_sq_thread(void *data)\n{\n\tstruct io_sq_data *sqd = data;\n\tstruct io_ring_ctx *ctx;\n\tunsigned long timeout = 0;\n\tchar buf[TASK_COMM_LEN];\n\tDEFINE_WAIT(wait);\n\n\tsnprintf(buf, sizeof(buf), \"iou-sqp-%d\", sqd->task_pid);\n\tset_task_comm(current, buf);\n\n\tif (sqd->sq_cpu != -1)\n\t\tset_cpus_allowed_ptr(current, cpumask_of(sqd->sq_cpu));\n\telse\n\t\tset_cpus_allowed_ptr(current, cpu_online_mask);\n\tcurrent->flags |= PF_NO_SETAFFINITY;\n\n\tmutex_lock(&sqd->lock);\n\t/* a user may had exited before the thread started */\n\tio_run_task_work_head(&sqd->park_task_work);\n\n\twhile (!test_bit(IO_SQ_THREAD_SHOULD_STOP, &sqd->state)) {\n\t\tint ret;\n\t\tbool cap_entries, sqt_spin, needs_sched;\n\n\t\tif (test_bit(IO_SQ_THREAD_SHOULD_PARK, &sqd->state) ||\n\t\t signal_pending(current)) {\n\t\t\tbool did_sig = false;\n\n\t\t\tmutex_unlock(&sqd->lock);\n\t\t\tif (signal_pending(current)) {\n\t\t\t\tstruct ksignal ksig;\n\n\t\t\t\tdid_sig = get_signal(&ksig);\n\t\t\t}\n\t\t\tcond_resched();\n\t\t\tmutex_lock(&sqd->lock);\n\t\t\tio_run_task_work();\n\t\t\tio_run_task_work_head(&sqd->park_task_work);\n\t\t\tif (did_sig)\n\t\t\t\tbreak;\n\t\t\ttimeout = jiffies + sqd->sq_thread_idle;\n\t\t\tcontinue;\n\t\t}\n\t\tsqt_spin = false;\n\t\tcap_entries = !list_is_singular(&sqd->ctx_list);\n\t\tlist_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {\n\t\t\tconst struct cred *creds = NULL;\n\n\t\t\tif (ctx->sq_creds != current_cred())\n\t\t\t\tcreds = override_creds(ctx->sq_creds);\n\t\t\tret = __io_sq_thread(ctx, cap_entries);\n\t\t\tif (creds)\n\t\t\t\trevert_creds(creds);\n\t\t\tif (!sqt_spin && (ret > 0 || !list_empty(&ctx->iopoll_list)))\n\t\t\t\tsqt_spin = true;\n\t\t}\n\n\t\tif (sqt_spin || !time_after(jiffies, 
timeout)) {\n\t\t\tio_run_task_work();\n\t\t\tcond_resched();\n\t\t\tif (sqt_spin)\n\t\t\t\ttimeout = jiffies + sqd->sq_thread_idle;\n\t\t\tcontinue;\n\t\t}\n\n\t\tprepare_to_wait(&sqd->wait, &wait, TASK_INTERRUPTIBLE);\n\t\tif (!test_bit(IO_SQ_THREAD_SHOULD_PARK, &sqd->state)) {\n\t\t\tlist_for_each_entry(ctx, &sqd->ctx_list, sqd_list)\n\t\t\t\tio_ring_set_wakeup_flag(ctx);\n\n\t\t\tneeds_sched = true;\n\t\t\tlist_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {\n\t\t\t\tif ((ctx->flags & IORING_SETUP_IOPOLL) &&\n\t\t\t\t !list_empty_careful(&ctx->iopoll_list)) {\n\t\t\t\t\tneeds_sched = false;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tif (io_sqring_entries(ctx)) {\n\t\t\t\t\tneeds_sched = false;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (needs_sched) {\n\t\t\t\tmutex_unlock(&sqd->lock);\n\t\t\t\tschedule();\n\t\t\t\tmutex_lock(&sqd->lock);\n\t\t\t}\n\t\t\tlist_for_each_entry(ctx, &sqd->ctx_list, sqd_list)\n\t\t\t\tio_ring_clear_wakeup_flag(ctx);\n\t\t}\n\n\t\tfinish_wait(&sqd->wait, &wait);\n\t\tio_run_task_work_head(&sqd->park_task_work);\n\t\ttimeout = jiffies + sqd->sq_thread_idle;\n\t}\n\n\tio_uring_cancel_sqpoll(sqd);\n\tsqd->thread = NULL;\n\tlist_for_each_entry(ctx, &sqd->ctx_list, sqd_list)\n\t\tio_ring_set_wakeup_flag(ctx);\n\tio_run_task_work();\n\tio_run_task_work_head(&sqd->park_task_work);\n\tmutex_unlock(&sqd->lock);\n\n\tcomplete(&sqd->exited);\n\tdo_exit(0);", "project": "linux", "hash": 80631862409050659721307170255470511866, "size": 109, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338727 }, { "func": "static bool fuse_range_is_writeback(struct inode *inode, pgoff_t idx_from,\n\t\t\t\t pgoff_t idx_to)\n{\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\tbool found;\n\n\tspin_lock(&fi->lock);\n\tfound = fuse_find_writeback(fi, idx_from, idx_to);\n\tspin_unlock(&fi->lock);\n\n\treturn found;\n}", "project": "linux", "hash": 290332733110572819184979078237493934336, "size": 12, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341929 }, { "func": "UnicodeString UnicodeString::fromUTF32(const UChar32 *utf32, int32_t length) {\n UnicodeString result;\n int32_t capacity;\n // Most UTF-32 strings will be BMP-only and result in a same-length\n // UTF-16 string. We overestimate the capacity just slightly,\n // just in case there are a few supplementary characters.\n if(length <= US_STACKBUF_SIZE) {\n capacity = US_STACKBUF_SIZE;\n } else {\n capacity = length + (length >> 4) + 4;\n }\n do {\n UChar *utf16 = result.getBuffer(capacity);\n int32_t length16;\n UErrorCode errorCode = U_ZERO_ERROR;\n u_strFromUTF32WithSub(utf16, result.getCapacity(), &length16,\n utf32, length,\n 0xfffd, // Substitution character.\n NULL, // Don't care about number of substitutions.\n &errorCode);\n result.releaseBuffer(length16);\n if(errorCode == U_BUFFER_OVERFLOW_ERROR) {\n capacity = length16 + 1; // +1 for the terminating NUL.\n continue;\n } else if(U_FAILURE(errorCode)) {\n result.setToBogus();\n }\n break;\n } while(TRUE);\n return result;\n}", "project": "icu", "hash": 249814399729649456695522777736362061542, "size": 31, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430834 }, { "func": "static int fuse_launder_page(struct page *page)\n{\n\tint err = 0;\n\tif (clear_page_dirty_for_io(page)) {\n\t\tstruct inode *inode = page->mapping->host;\n\n\t\t/* Serialize with pending writeback for the same page */\n\t\tfuse_wait_on_page_writeback(inode, page->index);\n\t\terr = fuse_writepage_locked(page);\n\t\tif (!err)\n\t\t\tfuse_wait_on_page_writeback(inode, page->index);\n\t}\n\treturn err;\n}", 
"project": "linux", "hash": 243088609570864356709908383194499738888, "size": 14, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341932 }, { "func": "static rsRetVal qDestructFixedArray(qqueue_t *pThis)\n{\n\tDEFiRet;\n\t\n\tASSERT(pThis != NULL);\n\n\tqueueDrain(pThis); /* discard any remaining queue entries */\n\tfree(pThis->tVars.farray.pBuf);\n\n\tRETiRet;\n}", "project": "rsyslog", "hash": 268171172748746546133847515543778680455, "size": 11, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373804 }, { "func": "static int sctp_listen_start(struct sock *sk, int backlog)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_endpoint *ep = sp->ep;\n\tstruct crypto_shash *tfm = NULL;\n\tchar alg[32];\n\n\t/* Allocate HMAC for generating cookie. 
*/\n\tif (!sp->hmac && sp->sctp_hmac_alg) {\n\t\tsprintf(alg, \"hmac(%s)\", sp->sctp_hmac_alg);\n\t\ttfm = crypto_alloc_shash(alg, 0, 0);\n\t\tif (IS_ERR(tfm)) {\n\t\t\tnet_info_ratelimited(\"failed to load transform for %s: %ld\\n\",\n\t\t\t\t\t sp->sctp_hmac_alg, PTR_ERR(tfm));\n\t\t\treturn -ENOSYS;\n\t\t}\n\t\tsctp_sk(sk)->hmac = tfm;\n\t}\n\n\t/*\n\t * If a bind() or sctp_bindx() is not called prior to a listen()\n\t * call that allows new associations to be accepted, the system\n\t * picks an ephemeral port and will choose an address set equivalent\n\t * to binding with a wildcard address.\n\t *\n\t * This is not currently spelled out in the SCTP sockets\n\t * extensions draft, but follows the practice as seen in TCP\n\t * sockets.\n\t *\n\t */\n\tinet_sk_set_state(sk, SCTP_SS_LISTENING);\n\tif (!ep->base.bind_addr.port) {\n\t\tif (sctp_autobind(sk))\n\t\t\treturn -EAGAIN;\n\t} else {\n\t\tif (sctp_get_port(sk, inet_sk(sk)->inet_num)) {\n\t\t\tinet_sk_set_state(sk, SCTP_SS_CLOSED);\n\t\t\treturn -EADDRINUSE;\n\t\t}\n\t}\n\n\tWRITE_ONCE(sk->sk_max_ack_backlog, backlog);\n\treturn sctp_hash_endpoint(ep);\n}", "project": "linux", "hash": 160122670454093498230390464213369419410, "size": 44, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398063 }, { "func": "static void kvm_arch_vcpu_ioctl_normal_reset(struct kvm_vcpu *vcpu)\n{\n\tvcpu->arch.sie_block->gpsw.mask &= ~PSW_MASK_RI;\n\tvcpu->arch.pfault_token = KVM_S390_PFAULT_TOKEN_INVALID;\n\tmemset(vcpu->run->s.regs.riccb, 0, sizeof(vcpu->run->s.regs.riccb));\n\n\tkvm_clear_async_pf_completion_queue(vcpu);\n\tif (!kvm_s390_user_cpu_state_ctrl(vcpu->kvm))\n\t\tkvm_s390_vcpu_stop(vcpu);\n\tkvm_s390_clear_local_irqs(vcpu);\n}", "project": "linux", "hash": 67433681779723053841944643508209984013, "size": 11, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354582 }, { "func": "static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_read_buffer_size *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", 
hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);\n\thdev->sco_mtu = rp->sco_mtu;\n\thdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);\n\thdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);\n\n\tif (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {\n\t\thdev->sco_mtu = 64;\n\t\thdev->sco_pkts = 8;\n\t}\n\n\thdev->acl_cnt = hdev->acl_pkts;\n\thdev->sco_cnt = hdev->sco_pkts;\n\n\tBT_DBG(\"%s acl mtu %d:%d sco mtu %d:%d\", hdev->name, hdev->acl_mtu,\n\t hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);\n}", "project": "linux", "hash": 250580068541777269774376870561437759960, "size": 25, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431997 }, { "func": "static int tiocsti(struct tty_struct *tty, char __user *p)\n{\n\tchar ch, mbz = 0;\n\tstruct tty_ldisc *ld;\n\n\tif ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))\n\t\treturn -EPERM;\n\tif (get_user(ch, p))\n\t\treturn -EFAULT;\n\ttty_audit_tiocsti(tty, ch);\n\tld = tty_ldisc_ref_wait(tty);\n\tif (!ld)\n\t\treturn -EIO;\n\tif (ld->ops->receive_buf)\n\t\tld->ops->receive_buf(tty, &ch, &mbz, 1);\n\ttty_ldisc_deref(ld);\n\treturn 0;\n}", "project": "linux", "hash": 315103105570392132514723866781836851380, "size": 18, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of 
->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326078 }, { "func": "TEST(EqOp, MatchesElement) {\n BSONObj operand = BSON(\"a\" << 5);\n BSONObj match = BSON(\"a\" << 5.0);\n BSONObj notMatch = BSON(\"a\" << 6);\n\n EqualityMatchExpression eq(\"\", operand[\"a\"]);\n ASSERT(eq.matchesSingleElement(match.firstElement()));\n ASSERT(!eq.matchesSingleElement(notMatch.firstElement()));\n\n ASSERT(eq.equivalent(&eq));\n}", "project": "mongo", "hash": 303876289915203862641173855803600293146, "size": 11, "commit_id": 
"64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422532 }, { "func": "TEST(EqOp, ElemMatchKeyWithImplicitAndExplicitTraversal) {\n BSONObj operand = BSON(\"a.0.b\" << 3);\n BSONElement operandFirstElt = operand.firstElement();\n EqualityMatchExpression eq(operandFirstElt.fieldName(), operandFirstElt);\n MatchDetails details;\n details.requestElemMatchKey();\n BSONObj obj = fromjson(\"{a: [{b: [2, 3]}, {b: [4, 5]}]}\");\n ASSERT(eq.matchesBSON(obj, &details));\n ASSERT(details.hasElemMatchKey());\n ASSERT_EQUALS(\"1\", details.elemMatchKey());\n}", "project": "mongo", "hash": 170000141786049652677968799310790810446, "size": 11, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422538 }, { "func": "TEST(EqOp, MatchesMaxKey) {\n BSONObj operand = BSON(\"a\" << MaxKey);\n EqualityMatchExpression eq(\"a\", operand[\"a\"]);\n BSONObj minKeyObj = BSON(\"a\" << MinKey);\n BSONObj maxKeyObj = BSON(\"a\" << MaxKey);\n BSONObj numObj = BSON(\"a\" << 4);\n\n ASSERT(!eq.matchesBSON(minKeyObj, NULL));\n ASSERT(eq.matchesBSON(maxKeyObj, NULL));\n ASSERT(!eq.matchesBSON(numObj, NULL));\n\n ASSERT(!eq.matchesSingleElement(minKeyObj.firstElement()));\n ASSERT(eq.matchesSingleElement(maxKeyObj.firstElement()));\n ASSERT(!eq.matchesSingleElement(numObj.firstElement()));\n}", "project": "mongo", "hash": 27108478964709364476447606752976013786, "size": 15, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422566 }, { "func": "TEST(EqOp, MatchesMinKey) {\n BSONObj operand = BSON(\"a\" << MinKey);\n EqualityMatchExpression eq(\"a\", operand[\"a\"]);\n BSONObj minKeyObj = BSON(\"a\" << MinKey);\n BSONObj maxKeyObj = BSON(\"a\" << 
MaxKey);\n BSONObj numObj = BSON(\"a\" << 4);\n\n ASSERT(eq.matchesBSON(minKeyObj, NULL));\n ASSERT(!eq.matchesBSON(maxKeyObj, NULL));\n ASSERT(!eq.matchesBSON(numObj, NULL));\n\n ASSERT(eq.matchesSingleElement(minKeyObj.firstElement()));\n ASSERT(!eq.matchesSingleElement(maxKeyObj.firstElement()));\n ASSERT(!eq.matchesSingleElement(numObj.firstElement()));\n}", "project": "mongo", "hash": 334434487142588755692354954208143129463, "size": 15, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422573 }, { "func": "TEST(EqOp, ElemMatchKey) {\n BSONObj operand = BSON(\"a\" << 5);\n EqualityMatchExpression eq(\"a\", operand[\"a\"]);\n MatchDetails details;\n details.requestElemMatchKey();\n ASSERT(!eq.matchesBSON(BSON(\"a\" << 4), &details));\n ASSERT(!details.hasElemMatchKey());\n ASSERT(eq.matchesBSON(BSON(\"a\" << 5), &details));\n ASSERT(!details.hasElemMatchKey());\n ASSERT(eq.matchesBSON(BSON(\"a\" << BSON_ARRAY(1 << 2 << 5)), &details));\n ASSERT(details.hasElemMatchKey());\n ASSERT_EQUALS(\"2\", details.elemMatchKey());\n}", "project": "mongo", "hash": 199566477650740051196104318141084958158, "size": 13, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422583 }, { "func": "DEATH_TEST(EqOp, InvalidEooOperand, \"Invariant failure _rhs\") {\n BSONObj operand;\n EqualityMatchExpression eq(\"\", operand.firstElement());\n}", "project": "mongo", "hash": 197073764651601432011594226288898712403, "size": 4, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422587 }, { "func": "TEST(EqOp, MatchesFullArray) {\n BSONObj operand = BSON(\"a\" << BSON_ARRAY(1 << 2));\n EqualityMatchExpression eq(\"a\", 
operand[\"a\"]);\n ASSERT(eq.matchesBSON(BSON(\"a\" << BSON_ARRAY(1 << 2)), NULL));\n ASSERT(!eq.matchesBSON(BSON(\"a\" << BSON_ARRAY(1 << 2 << 3)), NULL));\n ASSERT(!eq.matchesBSON(BSON(\"a\" << BSON_ARRAY(1)), NULL));\n ASSERT(!eq.matchesBSON(BSON(\"a\" << 1), NULL));\n}", "project": "mongo", "hash": 68071614553587097726739186747369813747, "size": 8, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422588 }, { "func": "TEST(EqOp, MatchesNull) {\n BSONObj operand = BSON(\"a\" << BSONNULL);\n EqualityMatchExpression eq(\"a\", operand[\"a\"]);\n ASSERT(eq.matchesBSON(BSONObj(), NULL));\n ASSERT(eq.matchesBSON(BSON(\"a\" << BSONNULL), NULL));\n ASSERT(!eq.matchesBSON(BSON(\"a\" << 4), NULL));\n // A non-existent field is treated same way as an empty bson object\n ASSERT(eq.matchesBSON(BSON(\"b\" << 4), NULL));\n}", "project": "mongo", "hash": 85537256331183865406138871127195951919, "size": 9, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422590 }, { "func": "TEST(EqOp, MatchesArrayValue) {\n BSONObj operand = BSON(\"a\" << 5);\n EqualityMatchExpression eq(\"a\", operand[\"a\"]);\n ASSERT(eq.matchesBSON(BSON(\"a\" << BSON_ARRAY(5.0 << 6)), NULL));\n ASSERT(!eq.matchesBSON(BSON(\"a\" << BSON_ARRAY(6 << 7)), NULL));\n}", "project": "mongo", "hash": 208657009271266166213272229160847576542, "size": 6, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422593 }, { "func": "TEST(EqOp, MatchesReferencedObjectValue) {\n BSONObj operand = BSON(\"a.b\" << 5);\n EqualityMatchExpression eq(\"a.b\", operand[\"a.b\"]);\n ASSERT(eq.matchesBSON(BSON(\"a\" << BSON(\"b\" << 5)), NULL));\n 
ASSERT(eq.matchesBSON(BSON(\"a\" << BSON(\"b\" << BSON_ARRAY(5))), NULL));\n ASSERT(eq.matchesBSON(BSON(\"a\" << BSON_ARRAY(BSON(\"b\" << 5))), NULL));\n}", "project": "mongo", "hash": 291510310868855512166490008617195095063, "size": 7, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422600 }, { "func": "TEST(EqOp, MatchesScalar) {\n BSONObj operand = BSON(\"a\" << 5);\n EqualityMatchExpression eq(\"a\", operand[\"a\"]);\n ASSERT(eq.matchesBSON(BSON(\"a\" << 5.0), NULL));\n ASSERT(!eq.matchesBSON(BSON(\"a\" << 4), NULL));\n}", "project": "mongo", "hash": 301621230419444339144854359912771034724, "size": 6, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422602 }, { "func": "TEST(EqOp, MatchesNestedNull) {\n BSONObj operand = BSON(\"a.b\" << BSONNULL);\n EqualityMatchExpression eq(\"a.b\", operand[\"a.b\"]);\n // null matches any empty object that is on a subpath of a.b\n ASSERT(eq.matchesBSON(BSONObj(), NULL));\n ASSERT(eq.matchesBSON(BSON(\"a\" << BSONObj()), NULL));\n ASSERT(eq.matchesBSON(BSON(\"a\" << BSON_ARRAY(BSONObj())), NULL));\n ASSERT(eq.matchesBSON(BSON(\"a\" << BSON(\"b\" << BSONNULL)), NULL));\n // b does not exist as an element in array under a.\n ASSERT(!eq.matchesBSON(BSON(\"a\" << BSONArray()), NULL));\n ASSERT(!eq.matchesBSON(BSON(\"a\" << BSON_ARRAY(BSONNULL)), NULL));\n ASSERT(!eq.matchesBSON(BSON(\"a\" << BSON_ARRAY(1 << 2)), NULL));\n // a.b exists but is not null.\n ASSERT(!eq.matchesBSON(BSON(\"a\" << BSON(\"b\" << 4)), NULL));\n ASSERT(!eq.matchesBSON(BSON(\"a\" << BSON(\"b\" << BSONObj())), NULL));\n // A non-existent field is treated same way as an empty bson object\n ASSERT(eq.matchesBSON(BSON(\"b\" << 4), NULL));\n}", "project": "mongo", "hash": 300602477384809088383931701252427367144, 
"size": 18, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422613 }, { "func": "TEST(ComparisonMatchExpression, StringMatchingWithNullCollatorUsesBinaryComparison) {\n BSONObj operand = BSON(\"a\"\n << \"string\");\n EqualityMatchExpression eq(\"a\", operand[\"a\"]);\n ASSERT(!eq.matchesBSON(BSON(\"a\"\n << \"string2\"),\n NULL));\n}", "project": "mongo", "hash": 260578883203634827435809833866782340014, "size": 8, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422633 }, { "func": "TEST(EqOp, MatchesReferencedArrayValue) {\n BSONObj operand = BSON(\"a.0\" << 5);\n EqualityMatchExpression eq(\"a.0\", operand[\"a.0\"]);\n ASSERT(eq.matchesBSON(BSON(\"a\" << BSON_ARRAY(5)), NULL));\n ASSERT(!eq.matchesBSON(BSON(\"a\" << BSON_ARRAY(BSON_ARRAY(5))), NULL));\n}", "project": "mongo", "hash": 98398432688180267481670061031219075388, "size": 6, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422660 }, { "func": "TEST(EqOp, MatchesThroughNestedArray) {\n BSONObj operand = BSON(\"a.b.c.d\" << 3);\n EqualityMatchExpression eq(\"a.b.c.d\", operand[\"a.b.c.d\"]);\n BSONObj obj = fromjson(\"{a:{b:[{c:[{d:1},{d:2}]},{c:[{d:3}]}]}}\");\n ASSERT(eq.matchesBSON(obj, NULL));\n}", "project": "mongo", "hash": 278002948881734861040755994404360772502, "size": 6, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422684 }, { "func": " bool eq(const Item *item, bool binary_cmp) const\n {\n return item->basic_const_item() && item->type() == type() &&\n item->cast_to_int_type() == 
cast_to_int_type() &&\n str_value.bin_eq(&((Item_hex_constant*)item)->str_value);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 2295061448205418070488265263571587527, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508940 }, { "func": " bool eq(const Item *item, bool binary_cmp) const\n { return int_eq(value, item); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 308404885688000791932144746033681759304, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508981 }, { "func": " bool eq(const Item *item, bool binary_cmp) const\n { return real_eq(value, item); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 131025288630832118439076950959288650186, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509008 }, { "func": " bool eq(const Item *item, bool binary_cmp) const { return null_eq(item); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 22441778471899605588628426258908389510, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509269 }, { "func": " bool eq(const Item *item, bool binary_cmp) const\n {\n return str_eq(&str_value, item, binary_cmp);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 214048860671496825727051958285747622559, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509299 }, { "func": " bool eq(const Item *item, bool binary_cmp) const\n {\n Item *it= ((Item *) item)->real_item();\n return orig_item->eq(it, binary_cmp);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 124701880747104595306287966100751859790, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509371 }, { "func": "static OPJ_BOOL opj_j2k_setup_decoding_tile(opj_j2k_t *p_j2k,\n opj_event_mgr_t * p_manager)\n{\n /* preconditions*/\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n if (! 
opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_decode_one_tile, p_manager)) {\n return OPJ_FALSE;\n }\n /* DEVELOPER CORNER, add your custom procedures */\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 282836111995521690706454259886724486163, "size": 15, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357334 }, { "func": "UnicodeStringTest::TestBasicManipulation()\n{\n UnicodeString test1(\"Now is the time for all men to come swiftly to the aid of the party.\\n\");\n UnicodeString expectedValue;\n UnicodeString *c;\n\n c=test1.clone();\n test1.insert(24, \"good \");\n expectedValue = \"Now is the time for all good men to come swiftly to the aid of the party.\\n\";\n if (test1 != expectedValue)\n errln(\"insert() failed: expected \\\"\" + expectedValue + \"\\\"\\n,got \\\"\" + test1 + \"\\\"\");\n\n c->insert(24, \"good \");\n if(*c != expectedValue) {\n errln(\"clone()->insert() failed: expected \\\"\" + expectedValue + \"\\\"\\n,got \\\"\" + *c + \"\\\"\");\n }\n delete c;\n\n test1.remove(41, 8);\n expectedValue = \"Now is the time for all good men to come to the aid of the party.\\n\";\n if (test1 != expectedValue)\n errln(\"remove() failed: expected \\\"\" + expectedValue + \"\\\"\\n,got \\\"\" + test1 + \"\\\"\");\n \n test1.replace(58, 6, \"ir country\");\n expectedValue = \"Now is the time for all good men to come to the aid of their country.\\n\";\n if (test1 != expectedValue)\n errln(\"replace() failed: expected \\\"\" + expectedValue + \"\\\"\\n,got \\\"\" + test1 + \"\\\"\");\n \n UChar temp[80];\n test1.extract(0, 15, temp);\n \n UnicodeString test2(temp, 15);\n \n expectedValue = \"Now is the time\";\n if (test2 != expectedValue)\n errln(\"extract() failed: expected \\\"\" + expectedValue + \"\\\"\\n,got \\\"\" + test2 + \"\\\"\");\n \n test2 += \" for 
me to go!\\n\";\n expectedValue = \"Now is the time for me to go!\\n\";\n if (test2 != expectedValue)\n errln(\"operator+=() failed: expected \\\"\" + expectedValue + \"\\\"\\n,got \\\"\" + test2 + \"\\\"\");\n \n if (test1.length() != 70)\n errln(UnicodeString(\"length() failed: expected 70, got \") + test1.length());\n if (test2.length() != 30)\n errln(UnicodeString(\"length() failed: expected 30, got \") + test2.length());\n\n UnicodeString test3;\n test3.append((UChar32)0x20402);\n if(test3 != CharsToUnicodeString(\"\\\\uD841\\\\uDC02\")){\n errln((UnicodeString)\"append failed for UChar32, expected \\\"\\\\\\\\ud841\\\\\\\\udc02\\\", got \" + prettify(test3));\n }\n if(test3.length() != 2){\n errln(UnicodeString(\"append or length failed for UChar32, expected 2, got \") + test3.length());\n }\n test3.append((UChar32)0x0074);\n if(test3 != CharsToUnicodeString(\"\\\\uD841\\\\uDC02t\")){\n errln((UnicodeString)\"append failed for UChar32, expected \\\"\\\\\\\\uD841\\\\\\\\uDC02t\\\", got \" + prettify(test3));\n }\n if(test3.length() != 3){\n errln((UnicodeString)\"append or length failed for UChar32, expected 2, got \" + test3.length());\n }\n\n // test some UChar32 overloads\n if( test3.setTo((UChar32)0x10330).length() != 2 ||\n test3.insert(0, (UChar32)0x20100).length() != 4 ||\n test3.replace(2, 2, (UChar32)0xe0061).length() != 4 ||\n (test3 = (UChar32)0x14001).length() != 2\n ) {\n errln((UnicodeString)\"simple UChar32 overloads for replace, insert, setTo or = failed\");\n }\n\n {\n // test moveIndex32()\n UnicodeString s=UNICODE_STRING(\"\\\\U0002f999\\\\U0001d15f\\\\u00c4\\\\u1ed0\", 32).unescape();\n\n if(\n s.moveIndex32(2, -1)!=0 ||\n s.moveIndex32(2, 1)!=4 ||\n s.moveIndex32(2, 2)!=5 ||\n s.moveIndex32(5, -2)!=2 ||\n s.moveIndex32(0, -1)!=0 ||\n s.moveIndex32(6, 1)!=6\n ) {\n errln(\"UnicodeString::moveIndex32() failed\");\n }\n\n if(s.getChar32Start(1)!=0 || s.getChar32Start(2)!=2) {\n errln(\"UnicodeString::getChar32Start() failed\");\n }\n\n 
if(s.getChar32Limit(1)!=2 || s.getChar32Limit(2)!=2) {\n errln(\"UnicodeString::getChar32Limit() failed\");\n }\n }\n\n {\n // test new 2.2 constructors and setTo function that parallel Java's substring function.\n UnicodeString src(\"Hello folks how are you?\");\n UnicodeString target1(\"how are you?\");\n if (target1 != UnicodeString(src, 12)) {\n errln(\"UnicodeString(const UnicodeString&, int32_t) failed\");\n }\n UnicodeString target2(\"folks\");\n if (target2 != UnicodeString(src, 6, 5)) {\n errln(\"UnicodeString(const UnicodeString&, int32_t, int32_t) failed\");\n }\n if (target1 != target2.setTo(src, 12)) {\n errln(\"UnicodeString::setTo(const UnicodeString&, int32_t) failed\");\n }\n }\n\n {\n // op+ is new in ICU 2.8\n UnicodeString s=UnicodeString(\"abc\", \"\")+UnicodeString(\"def\", \"\")+UnicodeString(\"ghi\", \"\");\n if(s!=UnicodeString(\"abcdefghi\", \"\")) {\n errln(\"operator+(UniStr, UniStr) failed\");\n }\n }\n\n {\n // tests for Jitterbug 2360\n // verify that APIs with source pointer + length accept length == -1\n // mostly test only where modified, only few functions did not already do this\n if(UnicodeString(\"abc\", -1, \"\")!=UnicodeString(\"abc\", \"\")) {\n errln(\"UnicodeString(codepageData, dataLength, codepage) does not work with dataLength==-1\");\n }\n\n UChar buffer[10]={ 0x61, 0x62, 0x20ac, 0xd900, 0xdc05, 0, 0x62, 0xffff, 0xdbff, 0xdfff };\n UnicodeString s, t(buffer, -1, UPRV_LENGTHOF(buffer));\n\n if(s.setTo(buffer, -1, UPRV_LENGTHOF(buffer)).length()!=u_strlen(buffer)) {\n errln(\"UnicodeString.setTo(buffer, length, capacity) does not work with length==-1\");\n }\n if(t.length()!=u_strlen(buffer)) {\n errln(\"UnicodeString(buffer, length, capacity) does not work with length==-1\");\n }\n\n if(0!=s.caseCompare(buffer, -1, U_FOLD_CASE_DEFAULT)) {\n errln(\"UnicodeString.caseCompare(const UChar *, length, options) does not work with length==-1\");\n }\n if(0!=s.caseCompare(0, s.length(), buffer, U_FOLD_CASE_DEFAULT)) {\n 
errln(\"UnicodeString.caseCompare(start, _length, const UChar *, options) does not work\");\n }\n\n buffer[u_strlen(buffer)]=0xe4;\n UnicodeString u(buffer, -1, UPRV_LENGTHOF(buffer));\n if(s.setTo(buffer, -1, UPRV_LENGTHOF(buffer)).length()!=UPRV_LENGTHOF(buffer)) {\n errln(\"UnicodeString.setTo(buffer without NUL, length, capacity) does not work with length==-1\");\n }\n if(u.length()!=UPRV_LENGTHOF(buffer)) {\n errln(\"UnicodeString(buffer without NUL, length, capacity) does not work with length==-1\");\n }\n\n static const char cs[]={ 0x61, (char)0xe4, (char)0x85, 0 };\n UConverter *cnv;\n UErrorCode errorCode=U_ZERO_ERROR;\n\n cnv=ucnv_open(\"ISO-8859-1\", &errorCode);\n UnicodeString v(cs, -1, cnv, errorCode);\n ucnv_close(cnv);\n if(v!=CharsToUnicodeString(\"a\\\\xe4\\\\x85\")) {\n errln(\"UnicodeString(const char *, length, cnv, errorCode) does not work with length==-1\");\n }\n }\n\n#if U_CHARSET_IS_UTF8\n {\n // Test the hardcoded-UTF-8 UnicodeString optimizations.\n static const uint8_t utf8[]={ 0x61, 0xC3, 0xA4, 0xC3, 0x9F, 0xE4, 0xB8, 0x80, 0 };\n static const UChar utf16[]={ 0x61, 0xE4, 0xDF, 0x4E00 };\n UnicodeString from8a = UnicodeString((const char *)utf8);\n UnicodeString from8b = UnicodeString((const char *)utf8, (int32_t)sizeof(utf8)-1);\n UnicodeString from16(FALSE, utf16, UPRV_LENGTHOF(utf16));\n if(from8a != from16 || from8b != from16) {\n errln(\"UnicodeString(const char * U_CHARSET_IS_UTF8) failed\");\n }\n char buffer[16];\n int32_t length8=from16.extract(0, 0x7fffffff, buffer, (uint32_t)sizeof(buffer));\n if(length8!=((int32_t)sizeof(utf8)-1) || 0!=uprv_memcmp(buffer, utf8, sizeof(utf8))) {\n errln(\"UnicodeString::extract(char * U_CHARSET_IS_UTF8) failed\");\n }\n length8=from16.extract(1, 2, buffer, (uint32_t)sizeof(buffer));\n if(length8!=4 || buffer[length8]!=0 || 0!=uprv_memcmp(buffer, utf8+1, length8)) {\n errln(\"UnicodeString::extract(substring to char * U_CHARSET_IS_UTF8) failed\");\n }\n }\n#endif\n}", "project": "icu", "hash": 
181693644886683255058251329597250612715, "size": 189, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430824 }, { "func": "void __kmem_cache_release(struct kmem_cache *s)\n{\n\tcache_random_seq_destroy(s);\n\tfree_percpu(s->cpu_slab);\n\tfree_kmem_cache_nodes(s);\n}", "project": "linux", "hash": 98973883033047132989455025483185457016, "size": 6, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280083 }, { "func": "static int read_u32(struct archive_read* a, uint32_t* pvalue) {\n\tconst uint8_t* p;\n\tif(!read_ahead(a, 4, &p))\n\t\treturn 0;\n\n\t*pvalue = archive_le32dec(p);\n\treturn ARCHIVE_OK == consume(a, 4) ? 1 : 0;\n}", "project": "libarchive", "hash": 294745983464932336216253300392474597814, "size": 8, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244764 }, { "func": "static int kvm_s390_handle_pv(struct kvm *kvm, struct kvm_pv_cmd *cmd)\n{\n\tint r = 0;\n\tu16 dummy;\n\tvoid __user *argp = (void __user *)cmd->data;\n\n\tswitch (cmd->cmd) {\n\tcase KVM_PV_ENABLE: {\n\t\tr = -EINVAL;\n\t\tif (kvm_s390_pv_is_protected(kvm))\n\t\t\tbreak;\n\n\t\t/*\n\t\t * FMT 4 SIE needs esca. As we never switch back to bsca from\n\t\t * esca, we need no cleanup in the error cases below\n\t\t */\n\t\tr = sca_switch_to_extended(kvm);\n\t\tif (r)\n\t\t\tbreak;\n\n\t\tdown_write(&current->mm->mmap_sem);\n\t\tr = gmap_mark_unmergeable();\n\t\tup_write(&current->mm->mmap_sem);\n\t\tif (r)\n\t\t\tbreak;\n\n\t\tr = kvm_s390_pv_init_vm(kvm, &cmd->rc, &cmd->rrc);\n\t\tif (r)\n\t\t\tbreak;\n\n\t\tr = kvm_s390_cpus_to_pv(kvm, &cmd->rc, &cmd->rrc);\n\t\tif (r)\n\t\t\tkvm_s390_pv_deinit_vm(kvm, &dummy, &dummy);\n\n\t\t/* we need to block service interrupts from now on */\n\t\tset_bit(IRQ_PEND_EXT_SERVICE, &kvm->arch.float_int.masked_irqs);\n\t\tbreak;\n\t}\n\tcase KVM_PV_DISABLE: {\n\t\tr = -EINVAL;\n\t\tif (!kvm_s390_pv_is_protected(kvm))\n\t\t\tbreak;\n\n\t\tr = kvm_s390_cpus_from_pv(kvm, &cmd->rc, &cmd->rrc);\n\t\t/*\n\t\t * If a CPU could not be destroyed, destroy VM will also fail.\n\t\t * There is no point in trying to destroy it. 
Instead return\n\t\t * the rc and rrc from the first CPU that failed destroying.\n\t\t */\n\t\tif (r)\n\t\t\tbreak;\n\t\tr = kvm_s390_pv_deinit_vm(kvm, &cmd->rc, &cmd->rrc);\n\n\t\t/* no need to block service interrupts any more */\n\t\tclear_bit(IRQ_PEND_EXT_SERVICE, &kvm->arch.float_int.masked_irqs);\n\t\tbreak;\n\t}\n\tcase KVM_PV_SET_SEC_PARMS: {\n\t\tstruct kvm_s390_pv_sec_parm parms = {};\n\t\tvoid *hdr;\n\n\t\tr = -EINVAL;\n\t\tif (!kvm_s390_pv_is_protected(kvm))\n\t\t\tbreak;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&parms, argp, sizeof(parms)))\n\t\t\tbreak;\n\n\t\t/* Currently restricted to 8KB */\n\t\tr = -EINVAL;\n\t\tif (parms.length > PAGE_SIZE * 2)\n\t\t\tbreak;\n\n\t\tr = -ENOMEM;\n\t\thdr = vmalloc(parms.length);\n\t\tif (!hdr)\n\t\t\tbreak;\n\n\t\tr = -EFAULT;\n\t\tif (!copy_from_user(hdr, (void __user *)parms.origin,\n\t\t\t\t parms.length))\n\t\t\tr = kvm_s390_pv_set_sec_parms(kvm, hdr, parms.length,\n\t\t\t\t\t\t &cmd->rc, &cmd->rrc);\n\n\t\tvfree(hdr);\n\t\tbreak;\n\t}\n\tcase KVM_PV_UNPACK: {\n\t\tstruct kvm_s390_pv_unp unp = {};\n\n\t\tr = -EINVAL;\n\t\tif (!kvm_s390_pv_is_protected(kvm))\n\t\t\tbreak;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&unp, argp, sizeof(unp)))\n\t\t\tbreak;\n\n\t\tr = kvm_s390_pv_unpack(kvm, unp.addr, unp.size, unp.tweak,\n\t\t\t\t &cmd->rc, &cmd->rrc);\n\t\tbreak;\n\t}\n\tcase KVM_PV_VERIFY: {\n\t\tr = -EINVAL;\n\t\tif (!kvm_s390_pv_is_protected(kvm))\n\t\t\tbreak;\n\n\t\tr = uv_cmd_nodata(kvm_s390_pv_get_handle(kvm),\n\t\t\t\t UVC_CMD_VERIFY_IMG, &cmd->rc, &cmd->rrc);\n\t\tKVM_UV_EVENT(kvm, 3, \"PROTVIRT VERIFY: rc %x rrc %x\", cmd->rc,\n\t\t\t cmd->rrc);\n\t\tbreak;\n\t}\n\tcase KVM_PV_PREP_RESET: {\n\t\tr = -EINVAL;\n\t\tif (!kvm_s390_pv_is_protected(kvm))\n\t\t\tbreak;\n\n\t\tr = uv_cmd_nodata(kvm_s390_pv_get_handle(kvm),\n\t\t\t\t UVC_CMD_PREPARE_RESET, &cmd->rc, &cmd->rrc);\n\t\tKVM_UV_EVENT(kvm, 3, \"PROTVIRT PREP RESET: rc %x rrc %x\",\n\t\t\t cmd->rc, cmd->rrc);\n\t\tbreak;\n\t}\n\tcase 
KVM_PV_UNSHARE_ALL: {\n\t\tr = -EINVAL;\n\t\tif (!kvm_s390_pv_is_protected(kvm))\n\t\t\tbreak;\n\n\t\tr = uv_cmd_nodata(kvm_s390_pv_get_handle(kvm),\n\t\t\t\t UVC_CMD_SET_UNSHARE_ALL, &cmd->rc, &cmd->rrc);\n\t\tKVM_UV_EVENT(kvm, 3, \"PROTVIRT UNSHARE: rc %x rrc %x\",\n\t\t\t cmd->rc, cmd->rrc);\n\t\tbreak;\n\t}\n\tdefault:\n\t\tr = -ENOTTY;\n\t}\n\treturn r;\n}", "project": "linux", "hash": 56379133803043655714505075943821598219, "size": 141, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354458 }, { "func": "static inline int managed_dentry_rcu(const struct path *path)\n{\n\treturn (path->dentry->d_flags & DCACHE_MANAGE_TRANSIT) ?\n\t\tpath->dentry->d_op->d_manage(path, true) : 0;\n}", "project": "linux", "hash": 81668465466519257959283422461784338964, "size": 5, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295397 }, { "func": "static ExecutionStatus raiseErrorForOverridingStaticBuiltin(\n Handle selfHandle,\n Runtime *runtime,\n Handle name) {\n Handle 
methodNameHnd =\n runtime->makeHandle(runtime->getStringPrimFromSymbolID(name.get()));\n // If the 'name' property does not exist or is an accessor, we don't display\n // the name.\n NamedPropertyDescriptor desc;\n auto *obj = JSObject::getNamedDescriptor(\n selfHandle, runtime, Predefined::getSymbolID(Predefined::name), desc);\n assert(\n !selfHandle->isProxyObject() &&\n \"raiseErrorForOverridingStaticBuiltin cannot be used with proxy objects\");\n\n if (!obj || desc.flags.accessor) {\n return runtime->raiseTypeError(\n TwineChar16(\"Attempting to override read-only builtin method '\") +\n TwineChar16(methodNameHnd.get()) + \"'\");\n }\n\n // Display the name property of the builtin object if it is a string.\n StringPrimitive *objName = dyn_vmcast(\n JSObject::getNamedSlotValue(selfHandle.get(), runtime, desc));\n if (!objName) {\n return runtime->raiseTypeError(\n TwineChar16(\"Attempting to override read-only builtin method '\") +\n TwineChar16(methodNameHnd.get()) + \"'\");\n }\n\n return runtime->raiseTypeError(\n TwineChar16(\"Attempting to override read-only builtin method '\") +\n TwineChar16(objName) + \".\" + TwineChar16(methodNameHnd.get()) + \"'\");\n}", "project": "hermes", "hash": 233524857374949928053240681707300142363, "size": 34, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230197 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::addChangedChannelCountMode(AudioNode* node)\n{\n ASSERT(isGraphOwner());\n ASSERT(isMainThread());\n m_deferredCountModeChange.add(node);\n}\n", "cwe": "", "big_vul_idx": 139621, "idx": 124773, "hash": 254639833542123332630043758564799680846 }, { "func": "static void nfs4_xdr_enc_bind_conn_to_session(struct rpc_rqst *req,\n\t\t\t\tstruct xdr_stream *xdr,\n\t\t\t\tconst void *data)\n{\n\tconst struct nfs41_bind_conn_to_session_args *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = args->client->cl_mvops->minor_version,\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_bind_conn_to_session(xdr, args, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 223925445586500820886190571345935973815, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431423 }, { "func": "inline bool StringData::isFlat() const { return m_data == payload(); }", "project": "hhvm", "hash": 100186285336631540655871633339795514895, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 
219301 }, { "func": "bfad_im_symbolic_name_show(struct device *dev, struct device_attribute *attr,\n\t\t\t\t char *buf)\n{\n\tstruct Scsi_Host *shost = class_to_shost(dev);\n\tstruct bfad_im_port_s *im_port =\n\t\t\t(struct bfad_im_port_s *) shost->hostdata[0];\n\tstruct bfad_s *bfad = im_port->bfad;\n\tstruct bfa_lport_attr_s port_attr;\n\tchar symname[BFA_SYMNAME_MAXLEN];\n\n\tbfa_fcs_lport_get_attr(&bfad->bfa_fcs.fabric.bport, &port_attr);\n\tstrlcpy(symname, port_attr.port_cfg.sym_name.symname,\n\t\t\tBFA_SYMNAME_MAXLEN);\n\treturn snprintf(buf, PAGE_SIZE, \"%s\\n\", symname);\n}", "project": "linux", "hash": 129812432221971215100387270524225943098, "size": 15, "commit_id": "0e62395da2bd5166d7c9e14cbc7503b256a34cb0", "message": "scsi: bfa: release allocated memory in case of error\n\nIn bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to\nbe released.\n\nLink: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com\nSigned-off-by: Navid Emamdoost \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 439513 }, { "func": "void pcre_reinit() {\n PCRECache::CacheKind kind;\n if (RuntimeOption::EvalPCRECacheType == \"static\") {\n kind = PCRECache::CacheKind::Static;\n } else if (RuntimeOption::EvalPCRECacheType == \"lru\") {\n kind = PCRECache::CacheKind::Lru;\n } else if (RuntimeOption::EvalPCRECacheType == \"scalable\") {\n kind = PCRECache::CacheKind::Scalable;\n } else {\n Logger::Warning(\"Eval.PCRECacheType should be either static, \"\n \"lru or scalable\");\n kind = PCRECache::CacheKind::Scalable;\n }\n s_pcreCache.reinit(kind);\n}", "project": "hhvm", "hash": 275082238605530253575911091342723424539, "size": 15, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219360 }, { "func": "static inline int kiocb_wait_page_queue_init(struct kiocb *kiocb,\n\t\t\t\t\t struct wait_page_queue *wait,\n\t\t\t\t\t wait_queue_func_t func,\n\t\t\t\t\t void *data)\n{\n\t/* Can't support async wakeup with polled IO */\n\tif (kiocb->ki_flags & IOCB_HIPRI)\n\t\treturn -EINVAL;\n\tif (kiocb->ki_filp->f_mode & FMODE_BUF_RASYNC) {\n\t\twait->wait.func = func;\n\t\twait->wait.private = data;\n\t\twait->wait.flags = 0;\n\t\tINIT_LIST_HEAD(&wait->wait.entry);\n\t\tkiocb->ki_flags |= IOCB_WAITQ;\n\t\tkiocb->ki_waitq = wait;\n\t\treturn 0;\n\t}\n\n\treturn -EOPNOTSUPP;\n}", "project": "linux", "hash": 271626974880219898977461235541627316633, "size": 20, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution 
cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456960 }, { "func": " */\nstatic void io_uring_del_task_file(unsigned long index)\n{\n\tstruct io_uring_task *tctx = current->io_uring;\n\tstruct io_tctx_node *node;\n\n\tif (!tctx)\n\t\treturn;\n\tnode = xa_erase(&tctx->xa, index);\n\tif (!node)\n\t\treturn;\n\n\tWARN_ON_ONCE(current != node->task);\n\tWARN_ON_ONCE(list_empty(&node->ctx_node));\n\n\tmutex_lock(&node->ctx->uring_lock);\n\tlist_del(&node->ctx_node);\n\tmutex_unlock(&node->ctx->uring_lock);\n\n\tif (tctx->last == node->ctx)\n\t\ttctx->last = NULL;\n\tkfree(node);", "project": "linux", "hash": 90936191103523447837140816270447997579, "size": 22, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338575 }, { "func": "static void write_pmc(int idx, unsigned long val)\n{\n\tswitch (idx) {\n\tcase 1:\n\t\tmtspr(SPRN_PMC1, val);\n\t\tbreak;\n\tcase 2:\n\t\tmtspr(SPRN_PMC2, val);\n\t\tbreak;\n\tcase 3:\n\t\tmtspr(SPRN_PMC3, val);\n\t\tbreak;\n\tcase 4:\n\t\tmtspr(SPRN_PMC4, val);\n\t\tbreak;\n\tcase 5:\n\t\tmtspr(SPRN_PMC5, val);\n\t\tbreak;\n\tcase 6:\n\t\tmtspr(SPRN_PMC6, 
val);\n\t\tbreak;\n#ifdef CONFIG_PPC64\n\tcase 7:\n\t\tmtspr(SPRN_PMC7, val);\n\t\tbreak;\n\tcase 8:\n\t\tmtspr(SPRN_PMC8, val);\n\t\tbreak;\n#endif /* CONFIG_PPC64 */\n\tdefault:\n\t\tprintk(KERN_ERR \"oops trying to write PMC%d\\n\", idx);\n\t}\n}", "project": "linux", "hash": 265782861626244256745944935510139323104, "size": 33, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374744 }, { "func": "void kvm_release_pfn_dirty(kvm_pfn_t pfn)\n{\n\tkvm_set_pfn_dirty(pfn);\n\tkvm_release_pfn_clean(pfn);\n}", "project": "linux", "hash": 319978091351431799676987896152276258313, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354804 }, { "func": "void LibRaw::selectCRXTrack(short maxTrack)\n{\n if (maxTrack < 0)\n return;\n INT64 bitcounts[LIBRAW_CRXTRACKS_MAXCOUNT], maxbitcount = 0;\n uint32_t maxjpegbytes = 0;\n memset(bitcounts, 0, sizeof(bitcounts));\n for (int i = 0; i <= maxTrack && i < LIBRAW_CRXTRACKS_MAXCOUNT; i++)\n {\n crx_data_header_t *d = &libraw_internal_data.unpacker_data.crx_header[i];\n if (d->MediaType == 1) // RAW\n {\n bitcounts[i] = INT64(d->nBits) * INT64(d->f_width) * INT64(d->f_height);\n if (bitcounts[i] > maxbitcount)\n maxbitcount = bitcounts[i];\n }\n else if (d->MediaType == 2) // JPEG\n {\n if (d->MediaSize > 
maxjpegbytes)\n {\n maxjpegbytes = d->MediaSize;\n thumb_offset = d->MediaOffset;\n thumb_length = d->MediaSize;\n }\n }\n }\n if (maxbitcount < 8)\n return;\n int framei = -1, framecnt = 0;\n for (int i = 0; i <= maxTrack && i < LIBRAW_CRXTRACKS_MAXCOUNT; i++)\n {\n if (bitcounts[i] == maxbitcount)\n {\n if (framecnt <= (int)shot_select)\n framei = i;\n framecnt++;\n }\n }\n is_raw = framecnt;\n if (framei >= 0 && framei < LIBRAW_CRXTRACKS_MAXCOUNT)\n {\n crx_data_header_t *d =\n &libraw_internal_data.unpacker_data.crx_header[framei];\n data_offset = d->MediaOffset;\n data_size = d->MediaSize;\n raw_width = d->f_width;\n raw_height = d->f_height;\n load_raw = &LibRaw::crxLoadRaw;\n switch (d->cfaLayout)\n {\n case 0:\n filters = 0x94949494;\n break;\n case 1:\n filters = 0x61616161;\n break;\n case 2:\n filters = 0x49494949;\n break;\n case 3:\n filters = 0x16161616;\n break;\n }\n\n libraw_internal_data.unpacker_data.crx_track_selected = framei;\n\n int tiff_idx = -1;\n INT64 tpixels = 0;\n for (unsigned i = 0; i < tiff_nifds && i < LIBRAW_IFD_MAXCOUNT; i++)\n if (INT64(tiff_ifd[i].t_height) * INT64(tiff_ifd[i].t_height) > tpixels)\n {\n tpixels = INT64(tiff_ifd[i].t_height) * INT64(tiff_ifd[i].t_height);\n tiff_idx = i;\n }\n if (tiff_idx >= 0)\n flip = tiff_ifd[tiff_idx].t_flip;\n }\n}", "project": "LibRaw", "hash": 150888878342737502107130307642078273533, "size": 78, "commit_id": "55f0a0c08974b8b79ebfa7762b555a1704b25fb2", "message": "possible buffer underrun in exif parser", "target": 0, "dataset": "other", "idx": 395531 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::registerLiveAudioSummingJunction(AudioSummingJunction& junction)\n{\n ASSERT(isMainThread());\n m_liveAudioSummingJunctions.add(&junction, adoptPtr(new AudioSummingJunctionDisposer(junction)));\n}\n", "cwe": "", "big_vul_idx": 139675, "idx": 124824, "hash": 139664784124562251022910778347672086414 }, { "func": "static int 
sctp_getsockopt_reconfig_supported(struct sock *sk, int len,\n\t\t\t\t\t char __user *optval,\n\t\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_assoc_value params;\n\tstruct sctp_association *asoc;\n\tint retval = -EFAULT;\n\n\tif (len < sizeof(params)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tlen = sizeof(params);\n\tif (copy_from_user(¶ms, optval, len))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params.assoc_id);\n\tif (!asoc && params.assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tparams.assoc_value = asoc ? asoc->peer.reconf_capable\n\t\t\t\t : sctp_sk(sk)->ep->reconf_enable;\n\n\tif (put_user(len, optlen))\n\t\tgoto out;\n\n\tif (copy_to_user(optval, ¶ms, len))\n\t\tgoto out;\n\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 311385543675461528649272316089734505651, "size": 38, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398195 }, { "func": "static void input_dev_release_keys(struct input_dev *dev)\n{\n\tbool need_sync = false;\n\tint code;\n\n\tif (is_event_supported(EV_KEY, dev->evbit, EV_MAX)) {\n\t\tfor_each_set_bit(code, dev->key, KEY_CNT) {\n\t\t\tinput_pass_event(dev, EV_KEY, code, 0);\n\t\t\tneed_sync = true;\n\t\t}\n\n\t\tif (need_sync)\n\t\t\tinput_pass_event(dev, EV_SYN, SYN_REPORT, 1);\n\n\t\tmemset(dev->key, 0, sizeof(dev->key));\n\t}\n}", "project": "linux", "hash": 233882427825667931440676267338696943134, "size": 17, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353375 }, { "func": "int fuse_notify_poll_wakeup(struct fuse_conn *fc,\n\t\t\t struct fuse_notify_poll_wakeup_out *outarg)\n{\n\tu64 kh = outarg->kh;\n\tstruct rb_node **link;\n\n\tspin_lock(&fc->lock);\n\n\tlink = fuse_find_polled_node(fc, kh, NULL);\n\tif (*link) {\n\t\tstruct fuse_file *ff;\n\n\t\tff = rb_entry(*link, struct fuse_file, polled_node);\n\t\twake_up_interruptible_sync(&ff->poll_wait);\n\t}\n\n\tspin_unlock(&fc->lock);\n\treturn 0;\n}", "project": "linux", "hash": 14541361655257254761334303056363766611, "size": 19, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then 
attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341924 }, { "func": "static inline void trace_access_lock_init(void)\n{\n\tint cpu;\n\n\tfor_each_possible_cpu(cpu)\n\t\tmutex_init(&per_cpu(cpu_access_lock, cpu));\n}", "project": "linux", "hash": 116526645359832015707829462242027264485, "size": 7, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445542 }, { "func": "static inline void trace_access_lock_init(void)\n{\n}", "project": "linux", "hash": 198097281318353972602897028362557246045, "size": 3, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445689 }, { "func": "static int stop_discovery(struct hci_request *req, unsigned long opt)\n{\n\thci_dev_lock(req->hdev);\n\thci_req_stop_discovery(req);\n\thci_dev_unlock(req->hdev);\n\n\treturn 0;\n}", "project": "linux", "hash": 66569582403021604625138338151109139309, "size": 8, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402493 }, { "func": "int vfs_path_lookup(struct dentry *dentry, struct vfsmount *mnt,\n\t\t const char *name, unsigned int flags,\n\t\t struct path *path)\n{\n\tstruct path root = {.mnt = mnt, .dentry = dentry};\n\t/* the first argument of filename_lookup() is ignored with root */\n\treturn filename_lookup(AT_FDCWD, getname_kernel(name),\n\t\t\t flags , path, &root);\n}", "project": "linux", "hash": 313868203443789038613331239031688192338, "size": 9, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295295 }, { "func": "void CSoundFile::ExtendedMODCommands(CHANNELINDEX nChn, ModCommand::PARAM param)\n{\n\tModChannel *pChn = &m_PlayState.Chn[nChn];\n\tuint8 command = param & 0xF0;\n\tparam &= 0x0F;\n\tswitch(command)\n\t{\n\t// E0x: Set Filter\n\tcase 0x00:\n\t\tfor(CHANNELINDEX chn = 0; chn < GetNumChannels(); chn++)\n\t\t{\n\t\t\tm_PlayState.Chn[chn].dwFlags.set(CHN_AMIGAFILTER, !(param & 1));\n\t\t}\n\t\tbreak;\n\t// E1x: Fine Portamento Up\n\tcase 0x10:\tif ((param) || (GetType() & (MOD_TYPE_XM|MOD_TYPE_MT2))) FinePortamentoUp(pChn, 
param); break;\n\t// E2x: Fine Portamento Down\n\tcase 0x20:\tif ((param) || (GetType() & (MOD_TYPE_XM|MOD_TYPE_MT2))) FinePortamentoDown(pChn, param); break;\n\t// E3x: Set Glissando Control\n\tcase 0x30:\tpChn->dwFlags.set(CHN_GLISSANDO, param != 0); break;\n\t// E4x: Set Vibrato WaveForm\n\tcase 0x40:\tpChn->nVibratoType = param & 0x07; break;\n\t// E5x: Set FineTune\n\tcase 0x50:\tif(!m_SongFlags[SONG_FIRSTTICK])\n\t\t\t\t{\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tif(GetType() & (MOD_TYPE_MOD | MOD_TYPE_DIGI | MOD_TYPE_AMF0 | MOD_TYPE_MED))\n\t\t\t\t{\n\t\t\t\t\tpChn->nFineTune = MOD2XMFineTune(param);\n\t\t\t\t\tif(pChn->nPeriod && pChn->rowCommand.IsNote()) pChn->nPeriod = GetPeriodFromNote(pChn->nNote, pChn->nFineTune, pChn->nC5Speed);\n\t\t\t\t} else if(pChn->rowCommand.IsNote())\n\t\t\t\t{\n\t\t\t\t\tpChn->nFineTune = MOD2XMFineTune(param - 8);\n\t\t\t\t\tif(pChn->nPeriod) pChn->nPeriod = GetPeriodFromNote(pChn->nNote, pChn->nFineTune, pChn->nC5Speed);\n\t\t\t\t}\n\t\t\t\tbreak;\n\t// E6x: Pattern Loop\n\t// E7x: Set Tremolo WaveForm\n\tcase 0x70:\tpChn->nTremoloType = param & 0x07; break;\n\t// E8x: Set 4-bit Panning\n\tcase 0x80:\n\t\tif(m_SongFlags[SONG_FIRSTTICK])\n\t\t{\n\t\t\tPanning(pChn, param, Pan4bit);\n\t\t}\n\t\tbreak;\n\t// E9x: Retrig\n\tcase 0x90:\tRetrigNote(nChn, param); break;\n\t// EAx: Fine Volume Up\n\tcase 0xA0:\tif ((param) || (GetType() & (MOD_TYPE_XM|MOD_TYPE_MT2))) FineVolumeUp(pChn, param, false); break;\n\t// EBx: Fine Volume Down\n\tcase 0xB0:\tif ((param) || (GetType() & (MOD_TYPE_XM|MOD_TYPE_MT2))) FineVolumeDown(pChn, param, false); break;\n\t// ECx: Note Cut\n\tcase 0xC0:\tNoteCut(nChn, param, false); break;\n\t// EDx: Note Delay\n\t// EEx: Pattern Delay\n\tcase 0xF0:\n\t\tif(GetType() == MOD_TYPE_MOD) // MOD: Invert Loop\n\t\t{\n\t\t\tpChn->nEFxSpeed = param;\n\t\t\tif(m_SongFlags[SONG_FIRSTTICK]) InvertLoop(pChn);\n\t\t} else // XM: Set Active Midi Macro\n\t\t{\n\t\t\tpChn->nActiveMacro = param;\n\t\t}\n\t\tbreak;\n\t}\n}", 
"project": "openmpt", "hash": 184225871549270586341761118934626561820, "size": 69, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255225 }, { "func": "void list_proxy(const char *server, void *data __attribute__((unused)), void *rock)\n{\n struct enum_rock *erock = (struct enum_rock *) rock;\n struct backend *be;\n int r;\n char *result;\n\n be = proxy_findserver(server, &nntp_protocol,\n\t\t\t nntp_userid ? nntp_userid : \"anonymous\",\n\t\t\t &backend_cached, &backend_current, NULL, nntp_in);\n if (!be) return;\n\n prot_printf(be->out, \"LIST %s %s\\r\\n\", erock->cmd, erock->wild);\n\n r = read_response(be, 0, &result);\n if (!r && !strncmp(result, \"215 \", 4)) {\n\twhile (!(r = read_response(be, 0, &result)) && result[0] != '.') {\n\t prot_printf(nntp_out, \"%s\", result);\n\t}\n }\n}", "project": "cyrus-imapd", "hash": 250209430193940275801647617174701659041, "size": 21, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451909 }, { "func": "static void __disable_ibs_on_vcpu(struct kvm_vcpu *vcpu)\n{\n\tkvm_check_request(KVM_REQ_ENABLE_IBS, vcpu);\n\tkvm_s390_sync_request(KVM_REQ_DISABLE_IBS, vcpu);\n}", "project": "linux", "hash": 16048809322962770126951613473974007222, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in 
search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354763 }, { "func": " void ValidateInputs(OpKernelContext* ctx,\n const CSRSparseMatrix& sparse_matrix,\n const Tensor& permutation_indices, int* batch_size,\n int64* num_rows) {\n OP_REQUIRES(ctx, sparse_matrix.dtype() == DataTypeToEnum::value,\n errors::InvalidArgument(\n \"Asked for a CSRSparseMatrix of type \",\n DataTypeString(DataTypeToEnum::value),\n \" but saw dtype: \", DataTypeString(sparse_matrix.dtype())));\n\n const Tensor& dense_shape = sparse_matrix.dense_shape();\n const int rank = dense_shape.dim_size(0);\n OP_REQUIRES(ctx, rank == 2 || rank == 3,\n errors::InvalidArgument(\"sparse matrix must have rank 2 or 3; \",\n \"but dense_shape has size \", rank));\n const int row_dim = (rank == 2) ? 
0 : 1;\n auto dense_shape_vec = dense_shape.vec();\n *num_rows = dense_shape_vec(row_dim);\n const int64 num_cols = dense_shape_vec(row_dim + 1);\n OP_REQUIRES(ctx, *num_rows == num_cols,\n errors::InvalidArgument(\"sparse matrix must be square; got: \",\n *num_rows, \" != \", num_cols));\n const TensorShape& perm_shape = permutation_indices.shape();\n OP_REQUIRES(\n ctx, perm_shape.dims() + 1 == rank,\n errors::InvalidArgument(\n \"sparse matrix must have the same rank as permutation; got: \", rank,\n \" != \", perm_shape.dims(), \" + 1.\"));\n OP_REQUIRES(\n ctx, perm_shape.dim_size(rank - 2) == *num_rows,\n errors::InvalidArgument(\n \"permutation must have the same number of elements in each batch \"\n \"as the number of rows in sparse matrix; got: \",\n perm_shape.dim_size(rank - 2), \" != \", *num_rows));\n\n *batch_size = sparse_matrix.batch_size();\n if (*batch_size > 1) {\n OP_REQUIRES(\n ctx, perm_shape.dim_size(0) == *batch_size,\n errors::InvalidArgument(\"permutation must have the same batch size \"\n \"as sparse matrix; got: \",\n perm_shape.dim_size(0), \" != \", *batch_size));\n }\n }", "project": "tensorflow", "hash": 336558180459502144170088935707234439720, "size": 44, "commit_id": "e6a7c7cc18c3aaad1ae0872cb0a959f5c923d2bd", "message": "Remove `OP_REQUIRES` call from helper function.\n\nSince `OP_REQUIRES` macro expands to a `return;` (among other), calling it in a helper function only ends the helper function's execution earlier, but the kernel will still run from start to end. 
Thus, all the expected validations are actually broken/useless as the code ploughs through the next crash anyway.\n\nPiperOrigin-RevId: 369524386\nChange-Id: I54f6cf9328445675ccc392e661b04336b229c9da", "target": 1, "dataset": "other", "idx": 197715 }, { "func": " Status ValidateInputs(const CSRSparseMatrix& sparse_matrix,\n const Tensor& permutation_indices, int* batch_size,\n int64* num_rows) {\n if (sparse_matrix.dtype() != DataTypeToEnum::value)\n return errors::InvalidArgument(\n \"Asked for a CSRSparseMatrix of type \",\n DataTypeString(DataTypeToEnum::value),\n \" but saw dtype: \", DataTypeString(sparse_matrix.dtype()));\n\n const Tensor& dense_shape = sparse_matrix.dense_shape();\n const int rank = dense_shape.dim_size(0);\n if (rank < 2 || rank > 3)\n return errors::InvalidArgument(\"sparse matrix must have rank 2 or 3; \",\n \"but dense_shape has size \", rank);\n const int row_dim = (rank == 2) ? 0 : 1;\n auto dense_shape_vec = dense_shape.vec();\n *num_rows = dense_shape_vec(row_dim);\n const int64 num_cols = dense_shape_vec(row_dim + 1);\n if (*num_rows != num_cols)\n return errors::InvalidArgument(\n \"sparse matrix must be square; got: \", *num_rows, \" != \", num_cols);\n const TensorShape& perm_shape = permutation_indices.shape();\n if (perm_shape.dims() + 1 != rank)\n return errors::InvalidArgument(\n \"sparse matrix must have the same rank as permutation; got: \", rank,\n \" != \", perm_shape.dims(), \" + 1.\");\n if (perm_shape.dim_size(rank - 2) != *num_rows)\n return errors::InvalidArgument(\n \"permutation must have the same number of elements in each batch \"\n \"as the number of rows in sparse matrix; got: \",\n perm_shape.dim_size(rank - 2), \" != \", *num_rows);\n\n *batch_size = sparse_matrix.batch_size();\n if (*batch_size > 1) {\n if (perm_shape.dim_size(0) != *batch_size)\n return errors::InvalidArgument(\n \"permutation must have the same batch size \"\n \"as sparse matrix; got: \",\n perm_shape.dim_size(0), \" != \", *batch_size);\n 
}\n\n return Status::OK();\n }", "project": "tensorflow", "hash": 71539368152818315797596681434801050349, "size": 43, "commit_id": "e6a7c7cc18c3aaad1ae0872cb0a959f5c923d2bd", "message": "Remove `OP_REQUIRES` call from helper function.\n\nSince `OP_REQUIRES` macro expands to a `return;` (among other), calling it in a helper function only ends the helper function's execution earlier, but the kernel will still run from start to end. Thus, all the expected validations are actually broken/useless as the code ploughs through the next crash anyway.\n\nPiperOrigin-RevId: 369524386\nChange-Id: I54f6cf9328445675ccc392e661b04336b229c9da", "target": 0, "dataset": "other", "idx": 262772 }, { "func": "static void reset_file_context(struct rar5* rar) {\n\tmemset(&rar->file, 0, sizeof(rar->file));\n\tblake2sp_init(&rar->file.b2state, 32);\n\n\tif(rar->main.solid) {\n\t\trar->cstate.solid_offset += rar->cstate.write_ptr;\n\t} else {\n\t\trar->cstate.solid_offset = 0;\n\t}\n\n\trar->cstate.write_ptr = 0;\n\trar->cstate.last_write_ptr = 0;\n\trar->cstate.last_unstore_ptr = 0;\n\n\trar->file.redir_type = REDIR_TYPE_NONE;\n\trar->file.redir_flags = 0;\n\n\tfree_filters(rar);\n}", "project": "libarchive", "hash": 313373205079747797122665992027967939027, "size": 19, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244781 }, { "func": "void __check_heap_object(const void *ptr, unsigned long n, struct page *page,\n\t\t\t bool to_user)\n{\n\tstruct kmem_cache *s;\n\tunsigned int offset;\n\tsize_t object_size;\n\n\tptr = kasan_reset_tag(ptr);\n\n\t/* Find object and usable object size. */\n\ts = page->slab_cache;\n\n\t/* Reject impossible pointers. */\n\tif (ptr < page_address(page))\n\t\tusercopy_abort(\"SLUB object not in SLUB page?!\", NULL,\n\t\t\t to_user, 0, n);\n\n\t/* Find offset within object. */\n\toffset = (ptr - page_address(page)) % s->size;\n\n\t/* Adjust for redzone and reject if within the redzone. */\n\tif (kmem_cache_debug(s) && s->flags & SLAB_RED_ZONE) {\n\t\tif (offset < s->red_left_pad)\n\t\t\tusercopy_abort(\"SLUB object in left red zone\",\n\t\t\t\t s->name, to_user, offset, n);\n\t\toffset -= s->red_left_pad;\n\t}\n\n\t/* Allow address range falling entirely within usercopy region. */\n\tif (offset >= s->useroffset &&\n\t offset - s->useroffset <= s->usersize &&\n\t n <= s->useroffset - offset + s->usersize)\n\t\treturn;\n\n\t/*\n\t * If the copy is still within the allocated object, produce\n\t * a warning instead of rejecting the copy. 
This is intended\n\t * to be a temporary method to find any missing usercopy\n\t * whitelists.\n\t */\n\tobject_size = slab_ksize(s);\n\tif (usercopy_fallback &&\n\t offset <= object_size && n <= object_size - offset) {\n\t\tusercopy_warn(\"SLUB object\", s->name, to_user, offset, n);\n\t\treturn;\n\t}\n\n\tusercopy_abort(\"SLUB object\", s->name, to_user, offset, n);\n}", "project": "linux", "hash": 110298305139328244391324729861294181530, "size": 49, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280230 }, { "func": " explicit NodeInfo(int i) : gdef_index(i), node(nullptr) {}", "project": "tensorflow", "hash": 17860783212935164198529440019219410681, "size": 1, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268364 }, { "func": "\nstatic void bfq_insert_request(struct blk_mq_hw_ctx *hctx, struct request *rq,\n\t\t\t bool at_head)\n{\n\tstruct request_queue *q = hctx->queue;\n\tstruct bfq_data *bfqd = q->elevator->elevator_data;\n\tstruct bfq_queue *bfqq;\n\tbool idle_timer_disabled = false;\n\tunsigned int cmd_flags;\n\n#ifdef CONFIG_BFQ_GROUP_IOSCHED\n\tif (!cgroup_subsys_on_dfl(io_cgrp_subsys) && rq->bio)\n\t\tbfqg_stats_update_legacy_io(q, rq);\n#endif\n\tspin_lock_irq(&bfqd->lock);\n\tif (blk_mq_sched_try_insert_merge(q, rq)) {\n\t\tspin_unlock_irq(&bfqd->lock);\n\t\treturn;\n\t}\n\n\tspin_unlock_irq(&bfqd->lock);\n\n\tblk_mq_sched_request_inserted(rq);\n\n\tspin_lock_irq(&bfqd->lock);\n\tbfqq = bfq_init_rq(rq);\n\tif (!bfqq || at_head || blk_rq_is_passthrough(rq)) {\n\t\tif (at_head)\n\t\t\tlist_add(&rq->queuelist, &bfqd->dispatch);\n\t\telse\n\t\t\tlist_add_tail(&rq->queuelist, &bfqd->dispatch);\n\t} else {\n\t\tidle_timer_disabled = __bfq_insert_request(bfqd, rq);\n\t\t/*\n\t\t * Update bfqq, because, if a queue merge has occurred\n\t\t * in __bfq_insert_request, then rq has been\n\t\t * redirected into a new queue.\n\t\t */\n\t\tbfqq = RQ_BFQQ(rq);\n\n\t\tif (rq_mergeable(rq)) {\n\t\t\telv_rqhash_add(q, rq);\n\t\t\tif (!q->last_merge)\n\t\t\t\tq->last_merge = rq;\n\t\t}\n\t}\n\n\t/*\n\t * Cache cmd_flags before releasing scheduler lock, because rq\n\t * may disappear afterwards (for example, because of a request\n\t * merge).\n\t */\n\tcmd_flags = rq->cmd_flags;\n\n\tspin_unlock_irq(&bfqd->lock);\n\n\tbfq_update_insert_stats(q, bfqq, idle_timer_disabled,\n\t\t\t\tcmd_flags);", "project": "linux", "hash": 13191345185081846436204576689974986386, "size": 
58, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] 
do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] 
el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453391 }, { "func": "static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev,\n\t\t\t\t struct sk_buff 
*skb)\n{\n\tstruct hci_cp_le_set_ext_scan_enable *cp;\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);\n\tif (!cp)\n\t\treturn;\n\n\tle_set_scan_enable_complete(hdev, cp->enable);\n}", "project": "linux", "hash": 1196983289048727844577291938984618454, "size": 17, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431948 }, { "func": "static int lookup_umount_fs_by_statfs(struct libmnt_context *cxt, const char *tgt)\n{\n\tstruct stat st;\n\tconst char *type;\n\n\tassert(cxt);\n\tassert(cxt->fs);\n\n\tDBG(CXT, ul_debugobj(cxt, \" lookup by statfs\"));\n\n\t/*\n\t * Let's try to avoid mountinfo usage at all to minimize performance\n\t * degradation. Don't forget that kernel has to compose *whole*\n\t * mountinfo about all mountpoints although we look for only one entry.\n\t *\n\t * All we need is fstype and to check if there is no userspace mount\n\t * options for the target (e.g. 
helper=udisks to call /sbin/umount.udisks).\n\t *\n\t * So, let's use statfs() if possible (it's bad idea for --lazy/--force\n\t * umounts as target is probably unreachable NFS, also for --detach-loop\n\t * as this additionally needs to know the name of the loop device).\n\t */\n\tif (mnt_context_is_restricted(cxt)\n\t || *tgt != '/'\n\t || (cxt->flags & MNT_FL_HELPER)\n\t || mnt_context_mtab_writable(cxt)\n\t || mnt_context_is_force(cxt)\n\t || mnt_context_is_lazy(cxt)\n\t || mnt_context_is_nocanonicalize(cxt)\n\t || mnt_context_is_loopdel(cxt)\n\t || mnt_stat_mountpoint(tgt, &st) != 0 || !S_ISDIR(st.st_mode)\n\t || has_utab_entry(cxt, tgt))\n\t\treturn 1; /* not found */\n\n\ttype = mnt_fs_get_fstype(cxt->fs);\n\tif (!type) {\n\t\tstruct statfs vfs;\n\t\tint fd;\n\n\t\tDBG(CXT, ul_debugobj(cxt, \" trying fstatfs()\"));\n\n\t\t/* O_PATH avoids triggering automount points. */\n\t\tfd = open(tgt, O_PATH);\n\t\tif (fd >= 0) {\n\t\t\tif (fstatfs(fd, &vfs) == 0)\n\t\t\t\ttype = mnt_statfs_get_fstype(&vfs);\n\t\t\tclose(fd);\n\t\t}\n\t\tif (type) {\n\t\t\tint rc = mnt_fs_set_fstype(cxt->fs, type);\n\t\t\tif (rc)\n\t\t\t\treturn rc;\n\t\t}\n\t}\n\tif (type) {\n\t\tDBG(CXT, ul_debugobj(cxt, \" umount: disabling mtab\"));\n\t\tmnt_context_disable_mtab(cxt, TRUE);\n\n\t\tDBG(CXT, ul_debugobj(cxt,\n\t\t\t\" mountinfo unnecessary [type=%s]\", type));\n\t\treturn 0;\n\t}\n\n\treturn 1; /* not found */\n}", "project": "util-linux", "hash": 234684132324000316377357325667584759526, "size": 65, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410420 }, { "func": "static void reset_active(struct i915_request *rq,\n\t\t\t struct intel_engine_cs *engine)\n{\n\tstruct intel_context * const ce = rq->hw_context;\n\tu32 head;\n\n\t/*\n\t * 
The executing context has been cancelled. We want to prevent\n\t * further execution along this context and propagate the error on\n\t * to anything depending on its results.\n\t *\n\t * In __i915_request_submit(), we apply the -EIO and remove the\n\t * requests' payloads for any banned requests. But first, we must\n\t * rewind the context back to the start of the incomplete request so\n\t * that we do not jump back into the middle of the batch.\n\t *\n\t * We preserve the breadcrumbs and semaphores of the incomplete\n\t * requests so that inter-timeline dependencies (i.e other timelines)\n\t * remain correctly ordered. And we defer to __i915_request_submit()\n\t * so that all asynchronous waits are correctly handled.\n\t */\n\tGEM_TRACE(\"%s(%s): { rq=%llx:%lld }\\n\",\n\t\t __func__, engine->name, rq->fence.context, rq->fence.seqno);\n\n\t/* On resubmission of the active request, payload will be scrubbed */\n\tif (i915_request_completed(rq))\n\t\thead = rq->tail;\n\telse\n\t\thead = active_request(ce->timeline, rq)->head;\n\tce->ring->head = intel_ring_wrap(ce->ring, head);\n\tintel_ring_update_space(ce->ring);\n\n\t/* Scrub the context image to prevent replaying the previous batch */\n\trestore_default_state(ce, engine);\n\t__execlists_update_reg_state(ce, engine);\n\n\t/* We've switched away, so this should be a no-op, but intent matters */\n\tce->lrc_desc |= CTX_DESC_FORCE_RESTORE;\n}", "project": "linux", "hash": 284702890034524468562094545193089885324, "size": 39, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281485 }, { "func": "static void SFDParseJustify(FILE *sfd, SplineFont *sf, char *tok) {\n Justify *last=NULL, *cur;\n struct jstf_lang *jlang, *llast;\n int p = 0,ch;\n\n while ( strcmp(tok,\"Justify:\")==0 ) {\n\tcur = chunkalloc(sizeof(Justify));\n\tif ( last==NULL )\n\t sf->justify = cur;\n\telse\n\t last->next = cur;\n\tlast = cur;\n\tllast = jlang = NULL;\n\tcur->script = gettag(sfd);\n\twhile ( getname(sfd,tok)>0 ) {\n\t if ( strcmp(tok,\"Justify:\")==0 || strcmp(tok,\"EndJustify\")==0 )\n\tbreak;\n\t if ( strcmp(tok,\"JstfExtender:\")==0 ) {\n\t\twhile ( (ch=nlgetc(sfd))==' ' );\n\t\tungetc(ch,sfd);\n\t\tgeteol(sfd,tok);\n\t\tcur->extenders = copy(tok);\n\t } else if ( strcmp(tok,\"JstfLang:\")==0 ) {\n\t\tjlang = chunkalloc(sizeof(struct jstf_lang));\n\t\tif ( llast==NULL )\n\t\t cur->langs = jlang;\n\t\telse\n\t\t llast->next = jlang;\n\t\tllast = jlang;\n\t\tjlang->lang = gettag(sfd);\n\t\tp = -1;\n\t\tgetint(sfd,&jlang->cnt);\n\t\tif ( jlang->cnt!=0 )\n\t\t jlang->prios = calloc(jlang->cnt,sizeof(struct jstf_prio));\n\t } else if ( strcmp(tok,\"JstfPrio:\")==0 ) {\n\t\tif ( jlang!=NULL ) {\n\t\t ++p;\n\t\t if ( p>= jlang->cnt ) {\n\t\t\tjlang->prios = realloc(jlang->prios,(p+1)*sizeof(struct jstf_prio));\n\t\t\tmemset(jlang->prios+jlang->cnt,0,(p+1-jlang->cnt)*sizeof(struct jstf_prio));\n\t\t\tjlang->cnt = p+1;\n\t\t }\n\t\t}\n\t } else if ( strcmp(tok,\"JstfEnableShrink:\" )==0 ) {\n\t\tif ( p<0 ) p=0;\n\t\tif ( jlang!=NULL && pcnt )\n\t\t jlang->prios[p].enableShrink = SFDLookupList(sfd,sf);\n\t } else if ( 
strcmp(tok,\"JstfDisableShrink:\" )==0 ) {\n\t\tif ( p<0 ) p=0;\n\t\tif ( jlang!=NULL && pcnt )\n\t\t jlang->prios[p].disableShrink = SFDLookupList(sfd,sf);\n\t } else if ( strcmp(tok,\"JstfMaxShrink:\" )==0 ) {\n\t\tif ( p<0 ) p=0;\n\t\tif ( jlang!=NULL && pcnt )\n\t\t jlang->prios[p].maxShrink = SFDLookupList(sfd,sf);\n\t } else if ( strcmp(tok,\"JstfEnableExtend:\" )==0 ) {\n\t\tif ( p<0 ) p=0;\n\t\tif ( jlang!=NULL && pcnt )\n\t\t jlang->prios[p].enableExtend = SFDLookupList(sfd,sf);\n\t } else if ( strcmp(tok,\"JstfDisableExtend:\" )==0 ) {\n\t\tif ( p<0 ) p=0;\n\t\tif ( jlang!=NULL && pcnt )\n\t\t jlang->prios[p].disableExtend = SFDLookupList(sfd,sf);\n\t } else if ( strcmp(tok,\"JstfMaxExtend:\" )==0 ) {\n\t\tif ( p<0 ) p=0;\n\t\tif ( jlang!=NULL && pcnt )\n\t\t jlang->prios[p].maxExtend = SFDLookupList(sfd,sf);\n\t } else\n\t\tgeteol(sfd,tok);\n\t}\n }\n}", "project": "fontforge", "hash": 277997500515554675482039845727317558810, "size": 72, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417782 }, { "func": "void SFDGetPSTs( FILE *sfd, SplineChar *sc, char* ttok ) {\n struct splinefont * sf = sc->parent;\n char tok[2001], ch;\n int isliga = 0, ispos, issubs, ismult, islcar, ispair, temp;\n PST *last = NULL;\n uint32 script = 0;\n SplineFont *sli_sf = sf->cidmaster ? sf->cidmaster : sf;\n\n strncpy(tok,ttok,sizeof(tok)-1);\n\n if ( strmatch(tok,\"Script:\")==0 ) {\n\t/* Obsolete. 
But still used for parsing obsolete ligature/subs tags */\n\twhile ( (ch=nlgetc(sfd))==' ' || ch=='\\t' );\n\tif ( ch=='\\n' || ch=='\\r' )\n\t script = 0;\n\telse {\n\t ungetc(ch,sfd);\n\t script = gettag(sfd);\n\t}\n } else if ( (ispos = (strmatch(tok,\"Position:\")==0)) ||\n\t\t( ispos = (strmatch(tok,\"Position2:\")==0)) ||\n\t\t( ispair = (strmatch(tok,\"PairPos:\")==0)) ||\n\t\t( ispair = (strmatch(tok,\"PairPos2:\")==0)) ||\n\t\t( islcar = (strmatch(tok,\"LCarets:\")==0)) ||\n\t\t( islcar = (strmatch(tok,\"LCarets2:\")==0)) ||\n\t\t( isliga = (strmatch(tok,\"Ligature:\")==0)) ||\n\t\t( isliga = (strmatch(tok,\"Ligature2:\")==0)) ||\n\t\t( issubs = (strmatch(tok,\"Substitution:\")==0)) ||\n\t\t( issubs = (strmatch(tok,\"Substitution2:\")==0)) ||\n\t\t( ismult = (strmatch(tok,\"MultipleSubs:\")==0)) ||\n\t\t( ismult = (strmatch(tok,\"MultipleSubs2:\")==0)) ||\n\t\tstrmatch(tok,\"AlternateSubs:\")==0 ||\n\t\tstrmatch(tok,\"AlternateSubs2:\")==0 ) {\n\t PST *pst;\n\t int old, type;\n\t type = ispos ? pst_position :\n\t\t\t ispair ? pst_pair :\n\t\t\t islcar ? pst_lcaret :\n\t\t\t isliga ? pst_ligature :\n\t\t\t issubs ? pst_substitution :\n\t\t\t ismult ? 
pst_multiple :\n\t\t\t pst_alternate;\n\t if ( strchr(tok,'2')!=NULL ) {\n\t\told = false;\n\t\tpst = chunkalloc(sizeof(PST));\n\t\tif ( type!=pst_lcaret )\n\t\t pst->subtable = SFFindLookupSubtableAndFreeName(sf,SFDReadUTF7Str(sfd));\n\t } else {\n\t\told = true;\n\t\tpst = chunkalloc(sizeof(PST1));\n\t\t((PST1 *) pst)->tag = CHR('l','i','g','a');\n\t\t((PST1 *) pst)->script_lang_index = 0xffff;\n\t\twhile ( (ch=nlgetc(sfd))==' ' || ch=='\\t' );\n\t\tif ( isdigit(ch)) {\n\t\t int temp;\n\t\t ungetc(ch,sfd);\n\t\t getint(sfd,&temp);\n\t\t ((PST1 *) pst)->flags = temp;\n\t\t while ( (ch=nlgetc(sfd))==' ' || ch=='\\t' );\n\t\t} else\n\t\t ((PST1 *) pst)->flags = 0 /*PSTDefaultFlags(type,sc)*/;\n\t\tif ( isdigit(ch)) {\n\t\t ungetc(ch,sfd);\n\t\t getusint(sfd,&((PST1 *) pst)->script_lang_index);\n\t\t while ( (ch=nlgetc(sfd))==' ' || ch=='\\t' );\n\t\t} else\n\t\t ((PST1 *) pst)->script_lang_index = SFFindBiggestScriptLangIndex(sf,\n\t\t\t script!=0?script:SCScriptFromUnicode(sc),DEFAULT_LANG);\n\t\tif ( ch=='\\'' ) {\n\t\t ungetc(ch,sfd);\n\t\t ((PST1 *) pst)->tag = gettag(sfd);\n\t\t} else if ( ch=='<' ) {\n\t\t getint(sfd,&temp);\n\t\t ((PST1 *) pst)->tag = temp<<16;\n\t\t nlgetc(sfd);\t/* comma */\n\t\t getint(sfd,&temp);\n\t\t ((PST1 *) pst)->tag |= temp;\n\t\t nlgetc(sfd);\t/* close '>' */\n\t\t ((PST1 *) pst)->macfeature = true;\n\t\t} else\n\t\t ungetc(ch,sfd);\n\t\tif ( type==pst_lcaret ) {\n\t\t/* These are meaningless for lcarets, set them to innocuous values */\n\t\t ((PST1 *) pst)->script_lang_index = SLI_UNKNOWN;\n\t\t ((PST1 *) pst)->tag = CHR(' ',' ',' ',' ');\n\t\t} else if ( ((PST1 *) pst)->script_lang_index>=((SplineFont1 *) sli_sf)->sli_cnt && ((PST1 *) pst)->script_lang_index!=SLI_NESTED ) {\n\t\t static int complained=false;\n\t\t if ( !complained )\n\t\t\tIError(\"'%c%c%c%c' in %s has a script index out of bounds: %d\",\n\t\t\t\t(((PST1 *) pst)->tag>>24), (((PST1 *) pst)->tag>>16)&0xff, (((PST1 *) pst)->tag>>8)&0xff, ((PST1 *) 
pst)->tag&0xff,\n\t\t\t\tsc->name, ((PST1 *) pst)->script_lang_index );\n\t\t else\n\t\t\tIError( \"'%c%c%c%c' in %s has a script index out of bounds: %d\\n\",\n\t\t\t\t(((PST1 *) pst)->tag>>24), (((PST1 *) pst)->tag>>16)&0xff, (((PST1 *) pst)->tag>>8)&0xff, ((PST1 *) pst)->tag&0xff,\n\t\t\t\tsc->name, ((PST1 *) pst)->script_lang_index );\n\t\t ((PST1 *) pst)->script_lang_index = SFFindBiggestScriptLangIndex(sli_sf,\n\t\t\t SCScriptFromUnicode(sc),DEFAULT_LANG);\n\t\t complained = true;\n\t\t}\n\t }\n\t if ( (sf->sfd_version<2)!=old ) {\n\t\tIError( \"Version mixup in PST of sfd file.\" );\nexit(1);\n\t }\n\t if ( last==NULL )\n\t\tsc->possub = pst;\n\t else\n\t\tlast->next = pst;\n\t last = pst;\n\t pst->type = type;\n\t if ( pst->type==pst_position ) {\n\t\tfscanf( sfd, \" dx=%hd dy=%hd dh=%hd dv=%hd\",\n\t\t\t&pst->u.pos.xoff, &pst->u.pos.yoff,\n\t\t\t&pst->u.pos.h_adv_off, &pst->u.pos.v_adv_off);\n\t\tpst->u.pos.adjust = SFDReadValDevTab(sfd);\n\t\tch = nlgetc(sfd);\t\t/* Eat new line */\n\t } else if ( pst->type==pst_pair ) {\n\t\tgetname(sfd,tok);\n\t\tpst->u.pair.paired = copy(tok);\n\t\tpst->u.pair.vr = chunkalloc(sizeof(struct vr [2]));\n\t\tfscanf( sfd, \" dx=%hd dy=%hd dh=%hd dv=%hd\",\n\t\t\t&pst->u.pair.vr[0].xoff, &pst->u.pair.vr[0].yoff,\n\t\t\t&pst->u.pair.vr[0].h_adv_off, &pst->u.pair.vr[0].v_adv_off);\n\t\tpst->u.pair.vr[0].adjust = SFDReadValDevTab(sfd);\n\t\tfscanf( sfd, \" dx=%hd dy=%hd dh=%hd dv=%hd\",\n\t\t\t&pst->u.pair.vr[1].xoff, &pst->u.pair.vr[1].yoff,\n\t\t\t&pst->u.pair.vr[1].h_adv_off, &pst->u.pair.vr[1].v_adv_off);\n\t\tpst->u.pair.vr[0].adjust = SFDReadValDevTab(sfd);\n\t\tch = nlgetc(sfd);\n\t } else if ( pst->type==pst_lcaret ) {\n\t\tint i;\n\t\tfscanf( sfd, \" %d\", &pst->u.lcaret.cnt );\n\t\tpst->u.lcaret.carets = malloc(pst->u.lcaret.cnt*sizeof(int16));\n\t\tfor ( i=0; iu.lcaret.cnt; ++i )\n\t\t fscanf( sfd, \" %hd\", &pst->u.lcaret.carets[i]);\n\t\tgeteol(sfd,tok);\n\t } else {\n\t\tgeteol(sfd,tok);\n\t\tpst->u.lig.components 
= copy(tok);\t/* it's in the same place for all formats */\n\t\tif ( isliga ) {\n\t\t pst->u.lig.lig = sc;\n\t\t if ( old )\n\t\t\tlast = (PST *) LigaCreateFromOldStyleMultiple((PST1 *) pst);\n\t\t}\n\t }\n#ifdef FONTFORGE_CONFIG_CVT_OLD_MAC_FEATURES\n\t if ( old )\n\t\tCvtOldMacFeature((PST1 *) pst);\n#endif\n } else {\n\treturn;\n }\n\n // we matched something, grab the next top level token to ttok\n getname( sfd, ttok );\n}", "project": "fontforge", "hash": 37960721350366624344868466491685970306, "size": 156, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417939 }, { "func": "static int sctp_setsockopt_events(struct sock *sk, __u8 *sn_type,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_association *asoc;\n\tint i;\n\n\tif (optlen > sizeof(struct sctp_event_subscribe))\n\t\treturn -EINVAL;\n\n\tfor (i = 0; i < optlen; i++)\n\t\tsctp_ulpevent_type_set(&sp->subscribe, SCTP_SN_TYPE_BASE + i,\n\t\t\t\t sn_type[i]);\n\n\tlist_for_each_entry(asoc, &sp->ep->asocs, asocs)\n\t\tasoc->subscribe = sctp_sk(sk)->subscribe;\n\n\t/* At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,\n\t * if there is no data to be sent or retransmit, the stack will\n\t * immediately send up this notification.\n\t */\n\tif (sctp_ulpevent_type_enabled(sp->subscribe, SCTP_SENDER_DRY_EVENT)) {\n\t\tstruct sctp_ulpevent *event;\n\n\t\tasoc = sctp_id2assoc(sk, 0);\n\t\tif (asoc && sctp_outq_is_empty(&asoc->outqueue)) {\n\t\t\tevent = sctp_ulpevent_make_sender_dry_event(asoc,\n\t\t\t\t\tGFP_USER | 
__GFP_NOWARN);\n\t\t\tif (!event)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tasoc->stream.si->enqueue_event(&asoc->ulpq, event);\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 167176923303763008845719468904495462184, "size": 37, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398080 }, { "func": "R_API int r_socket_read(RSocket *s, unsigned char *buf, int len) {\n\tif (!s) {\n\t\treturn -1;\n\t}\n#if HAVE_LIB_SSL\n\tif (s->is_ssl) {\n\t\tif (s->bio) {\n\t\t\treturn BIO_read (s->bio, buf, len);\n\t\t}\n\t\treturn SSL_read (s->sfd, buf, len);\n\t}\n#endif\n\t// int r = read (s->fd, buf, len);\n\tint r = recv (s->fd, buf, len, 0);\n\tD { eprintf (\"READ \"); int i; for (i = 0; i\nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445618 }, { "func": "static struct sk_buff *pep_alloc_skb(struct sock *sk, const void *payload,\n\t\t\t\t\tint len, gfp_t priority)\n{\n\tstruct sk_buff *skb = alloc_skb(MAX_PNPIPE_HEADER + len, priority);\n\tif (!skb)\n\t\treturn NULL;\n\tskb_set_owner_w(skb, sk);\n\n\tskb_reserve(skb, MAX_PNPIPE_HEADER);\n\t__skb_put(skb, len);\n\tskb_copy_to_linear_data(skb, payload, len);\n\t__skb_push(skb, sizeof(struct pnpipehdr));\n\tskb_reset_transport_header(skb);\n\treturn skb;\n}", "project": "linux", "hash": 23515559913809312293433829541237846103, "size": 15, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224791 }, { "func": "isdn_net_ciscohdlck_alloc_skb(isdn_net_local *lp, int len)\n{\n\tunsigned short hl = dev->drv[lp->isdn_device]->interface->hl_hdrlen;\n\tstruct sk_buff *skb;\n\n\tskb = alloc_skb(hl + len, GFP_ATOMIC);\n\tif (skb)\n\t\tskb_reserve(skb, hl);\n\telse \n\t\tprintk(\"isdn out of mem at %s:%d!\\n\", __FILE__, __LINE__);\n\treturn skb;\n}", "target": 0, "cwe": [ "CWE-119" ], "project": "linux-2.6", "commit_id": 
"0f13864e5b24d9cbe18d125d41bfa4b726a82e40", "hash": 86943454838659718355616549011443288839, "size": 12, "message": "isdn: avoid copying overly-long strings\n\nAddresses http://bugzilla.kernel.org/show_bug.cgi?id=9416\n\nSigned-off-by: Karsten Keil \nSigned-off-by: Andrew Morton \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 487435 }, { "func": "get_rx_buf( struct net_device *dev )\n{\n\t/* +2 is to compensate for the alignment fixup below */\n\tstruct sk_buff *skb = dev_alloc_skb( ETHER_MAX_LEN + 2 );\n\tif( !skb )\n\t\treturn NULL;\n\n\tskb_reserve( skb, 2 );\t\t/* Align IP on longword boundaries */\n\treturn skb;\n}", "target": 0, "cwe": [ "CWE-264" ], "project": "linux-2.6", "commit_id": "f2455eb176ac87081bbfc9a44b21c7cd2bc1967e", "hash": 113351945922228978478593125696310408843, "size": 10, "message": "wan: Missing capability checks in sbni_ioctl()\n\nThere are missing capability checks in the following code:\n\n1300 static int\n1301 sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd)\n1302 {\n[...]\n1319 case SIOCDEVRESINSTATS :\n1320 if( current->euid != 0 ) /* root only */\n1321 return -EPERM;\n[...]\n1336 case SIOCDEVSHWSTATE :\n1337 if( current->euid != 0 ) /* root only */\n1338 return -EPERM;\n[...]\n1357 case SIOCDEVENSLAVE :\n1358 if( current->euid != 0 ) /* root only */\n1359 return -EPERM;\n[...]\n1372 case SIOCDEVEMANSIPATE :\n1373 if( current->euid != 0 ) /* root only */\n1374 return -EPERM;\n\nHere's my proposed fix:\n\nMissing capability checks.\n\nSigned-off-by: Eugene Teo \nSigned-off-by: David S. 
Miller ", "dataset": "other", "idx": 488957 }, { "func": "static int sctp_getsockopt_default_send_param(struct sock *sk,\n\t\t\t\t\tint len, char __user *optval,\n\t\t\t\t\tint __user *optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_association *asoc;\n\tstruct sctp_sndrcvinfo info;\n\n\tif (len < sizeof(info))\n\t\treturn -EINVAL;\n\n\tlen = sizeof(info);\n\n\tif (copy_from_user(&info, optval, len))\n\t\treturn -EFAULT;\n\n\tasoc = sctp_id2assoc(sk, info.sinfo_assoc_id);\n\tif (!asoc && info.sinfo_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc) {\n\t\tinfo.sinfo_stream = asoc->default_stream;\n\t\tinfo.sinfo_flags = asoc->default_flags;\n\t\tinfo.sinfo_ppid = asoc->default_ppid;\n\t\tinfo.sinfo_context = asoc->default_context;\n\t\tinfo.sinfo_timetolive = asoc->default_timetolive;\n\t} else {\n\t\tinfo.sinfo_stream = sp->default_stream;\n\t\tinfo.sinfo_flags = sp->default_flags;\n\t\tinfo.sinfo_ppid = sp->default_ppid;\n\t\tinfo.sinfo_context = sp->default_context;\n\t\tinfo.sinfo_timetolive = sp->default_timetolive;\n\t}\n\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\tif (copy_to_user(optval, &info, len))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 245168897267753461628570512854637178039, "size": 42, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398111 }, { "func": "static void delete_char(struct vc_data *vc, unsigned int nr)\n{\n\tunsigned short *p = (unsigned short *) vc->vc_pos;\n\n\tvc_uniscr_delete(vc, nr);\n\tscr_memcpyw(p, p + nr, (vc->vc_cols - vc->vc_x - nr) * 2);\n\tscr_memsetw(p + vc->vc_cols - vc->vc_x - nr, vc->vc_video_erase_char,\n\t\t\tnr * 2);\n\tvc->vc_need_wrap = 0;\n\tif (con_should_update(vc))\n\t\tdo_update_region(vc, (unsigned long) p,\n\t\t\tvc->vc_cols - vc->vc_x);\n}", "project": "linux", "hash": 85952579391231367258172411380895494516, "size": 13, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437094 }, { "func": "static int core_upgrade_storage(request_rec *r)\n{\n if ((r->method_number == M_OPTIONS) && r->uri && (r->uri[0] == '*') &&\n (r->uri[1] == '\\0')) {\n return core_upgrade_handler(r);\n }\n return DECLINED;\n}", "project": "httpd", "hash": 76819344389186198310462425751005522776, "size": 8, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246305 }, { "func": "static int reorder_sorter(const void *va, const void *vb)\n{\n const struct reorder_sort_rec *a = va;\n const struct reorder_sort_rec *b = vb;\n core_dir_config *core_a;\n core_dir_config *core_b;\n\n core_a = ap_get_core_module_config(a->elt);\n core_b = ap_get_core_module_config(b->elt);\n\n /* a regex always sorts after a non-regex\n */\n if (!core_a->r && core_b->r) {\n return -1;\n }\n else if (core_a->r && !core_b->r) {\n return 1;\n }\n\n /* we always sort next by the number of components\n */\n if (core_a->d_components < core_b->d_components) {\n return -1;\n }\n else if (core_a->d_components > core_b->d_components) {\n return 1;\n }\n\n /* They have the same number of components, we now have to compare\n * the minor key to maintain the original order (from the config.)\n */\n return a->orig_index - b->orig_index;\n}", "project": "httpd", "hash": 324814566742524365816154759345164763357, "size": 33, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time 
(.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246243 }, { "func": "static void add_key_fields_for_nj(JOIN *join, TABLE_LIST *nested_join_table,\n KEY_FIELD **end, uint *and_level,\n SARGABLE_PARAM **sargables)\n{\n List_iterator li(nested_join_table->nested_join->join_list);\n List_iterator li2(nested_join_table->nested_join->join_list);\n bool have_another = FALSE;\n table_map tables= 0;\n TABLE_LIST *table;\n DBUG_ASSERT(nested_join_table->nested_join);\n\n while ((table= li++) || (have_another && (li=li2, have_another=FALSE,\n (table= li++))))\n {\n if (table->nested_join)\n {\n if (!table->on_expr)\n {\n /* It's a semi-join nest. Walk into it as if it wasn't a nest */\n have_another= TRUE;\n li2= li;\n li= List_iterator(table->nested_join->join_list); \n }\n else\n add_key_fields_for_nj(join, table, end, and_level, sargables);\n }\n else\n if (!table->on_expr)\n tables |= table->table->map;\n }\n if (nested_join_table->on_expr)\n nested_join_table->on_expr->add_key_fields(join, end, and_level, tables,\n sargables);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 38020807419244222385050535399551953040, "size": 34, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508436 }, { "func": "inline bool IsMerge(const NodeDef& node_def) {\n return node_def.op() == \"Merge\" || node_def.op() == \"RefMerge\" ||\n node_def.op() == \"_XlaMerge\";\n}", "project": "tensorflow", "hash": 261047703137670304946174508842190103431, "size": 4, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268354 }, { "func": "int force_sig_info(struct kernel_siginfo *info)\n{\n\treturn force_sig_info_to_task(info, current);\n}", "project": "linux", "hash": 309906472535133300066600568165759711726, "size": 4, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375201 }, { "func": "static unsigned long gfn_to_hva_many(struct kvm_memory_slot *slot, gfn_t gfn,\n\t\t\t\t gfn_t *nr_pages)\n{\n\treturn __gfn_to_hva_many(slot, gfn, nr_pages, true);\n}", "project": "linux", "hash": 225594266337023295383860627479485947311, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354773 }, { "func": "err_badarraysub (s)\n const char *s;\n{\n report_error (\"%s: %s\", s, _(bash_badsub_errmsg));\n}", "project": "bash", "hash": 320257581890753472105635861918737791339, "size": 5, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379504 }, { "func": "file_error (filename)\n const char *filename;\n{\n report_error (\"%s: %s\", filename, strerror (errno));\n}", "project": "bash", "hash": 
266844337158332294912502069410806496916, "size": 5, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379597 }, { "func": "err_readonly (s)\n const char *s;\n{\n report_error (_(\"%s: readonly variable\"), s);\n}", "project": "bash", "hash": 201659239858027621548475654508703137740, "size": 5, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379636 }, { "func": "err_unboundvar (s)\n const char *s;\n{\n report_error (_(\"%s: unbound variable\"), s);\n}", "project": "bash", "hash": 204246416396848599130865296412141616938, "size": 5, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379647 }, { "func": "int report_error(TABLE *table, int error)\n{\n if (error == HA_ERR_END_OF_FILE || error == HA_ERR_KEY_NOT_FOUND)\n {\n table->status= STATUS_GARBAGE;\n return -1;\t\t\t\t\t// key not found; ok\n }\n /*\n Locking reads can legally return also these errors, do not\n print them to the .err log\n */\n if (error != HA_ERR_LOCK_DEADLOCK && error != HA_ERR_LOCK_WAIT_TIMEOUT\n && error != HA_ERR_TABLE_DEF_CHANGED && !table->in_use->killed)\n sql_print_error(\"Got error %d when reading table '%s'\",\n\t\t error, table->s->path.str);\n table->file->print_error(error,MYF(0));\n return 1;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 276650347715410084167358693527314225778, "size": 18, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508453 }, { "func": "int input_handler_for_each_handle(struct input_handler *handler, void *data,\n\t\t\t\t int (*fn)(struct input_handle *, void *))\n{\n\tstruct input_handle *handle;\n\tint retval = 0;\n\n\trcu_read_lock();\n\n\tlist_for_each_entry_rcu(handle, &handler->h_list, h_node) {\n\t\tretval = fn(handle, data);\n\t\tif (retval)\n\t\t\tbreak;\n\t}\n\n\trcu_read_unlock();\n\n\treturn retval;\n}", "project": "linux", "hash": 119692698824444207741991823774379922065, "size": 18, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353390 }, { "func": "static struct tipc_node *tipc_node_find_by_name(struct net *net,\n\t\t\t\t\t\tconst char *link_name,\n\t\t\t\t\t\tunsigned int *bearer_id)\n{\n\tstruct tipc_net *tn = net_generic(net, tipc_net_id);\n\tstruct tipc_link *l;\n\tstruct tipc_node *n;\n\tstruct tipc_node *found_node = NULL;\n\tint i;\n\n\t*bearer_id = 0;\n\trcu_read_lock();\n\tlist_for_each_entry_rcu(n, &tn->node_list, list) {\n\t\ttipc_node_read_lock(n);\n\t\tfor (i = 0; i < MAX_BEARERS; i++) {\n\t\t\tl = n->links[i].link;\n\t\t\tif (l && !strcmp(tipc_link_name(l), link_name)) {\n\t\t\t\t*bearer_id = i;\n\t\t\t\tfound_node = n;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\ttipc_node_read_unlock(n);\n\t\tif (found_node)\n\t\t\tbreak;\n\t}\n\trcu_read_unlock();\n\n\treturn found_node;\n}", "project": "linux", "hash": 160149190106172391644566489240490334486, "size": 30, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n 
kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 
0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364897 }, { "func": "static struct tipc_node *tipc_node_find_by_id(struct net *net, u8 *id)\n{\n\tstruct tipc_net *tn = tipc_net(net);\n\tstruct tipc_node *n;\n\tbool found = false;\n\n\trcu_read_lock();\n\tlist_for_each_entry_rcu(n, &tn->node_list, list) {\n\t\tread_lock_bh(&n->lock);\n\t\tif (!memcmp(id, n->peer_id, 16) &&\n\t\t kref_get_unless_zero(&n->kref))\n\t\t\tfound = true;\n\t\tread_unlock_bh(&n->lock);\n\t\tif (found)\n\t\t\tbreak;\n\t}\n\trcu_read_unlock();\n\treturn found ? n : NULL;\n}", "project": "linux", "hash": 283995033077007313397863685684251980835, "size": 19, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel 
net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb 
net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364956 }, { "func": "nfs4_state_find_open_context_mode(struct nfs4_state *state, fmode_t mode)\n{\n\tstruct nfs_inode *nfsi = NFS_I(state->inode);\n\tstruct nfs_open_context *ctx;\n\n\trcu_read_lock();\n\tlist_for_each_entry_rcu(ctx, &nfsi->open_files, list) {\n\t\tif (ctx->state != state)\n\t\t\tcontinue;\n\t\tif ((ctx->mode & mode) != mode)\n\t\t\tcontinue;\n\t\tif (!get_nfs_open_context(ctx))\n\t\t\tcontinue;\n\t\trcu_read_unlock();\n\t\treturn ctx;\n\t}\n\trcu_read_unlock();\n\treturn ERR_PTR(-ENOENT);\n}", "project": "linux", "hash": 35677679367615445929280483127775224200, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431433 }, { "func": "static apr_byte_t oidc_save_in_session(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session, oidc_provider_t *provider,\n\t\tconst char *remoteUser, const char *id_token, oidc_jwt_t *id_token_jwt,\n\t\tconst char *claims, const char *access_token, const int expires_in,\n\t\tconst char *refresh_token, const char *session_state, const char *state,\n\t\tconst char *original_url, const char *userinfo_jwt) {\n\n\t/* store the user in the session */\n\tsession->remote_user = remoteUser;\n\n\t/* set the session expiry to the inactivity timeout */\n\tsession->expiry =\n\t\t\tapr_time_now() + apr_time_from_sec(c->session_inactivity_timeout);\n\n\t/* store the claims payload in the id_token for later reference */\n\toidc_session_set_idtoken_claims(r, session,\n\t\t\tid_token_jwt->payload.value.str);\n\n\tif (c->session_type != 
OIDC_SESSION_TYPE_CLIENT_COOKIE) {\n\t\t/* store the compact serialized representation of the id_token for later reference */\n\t\toidc_session_set_idtoken(r, session, id_token);\n\t}\n\n\t/* store the issuer in the session (at least needed for session mgmt and token refresh */\n\toidc_session_set_issuer(r, session, provider->issuer);\n\n\t/* store the state and original URL in the session for handling browser-back more elegantly */\n\toidc_session_set_request_state(r, session, state);\n\toidc_session_set_original_url(r, session, original_url);\n\n\tif ((session_state != NULL) && (provider->check_session_iframe != NULL)) {\n\t\t/* store the session state and required parameters session management */\n\t\toidc_session_set_session_state(r, session, session_state);\n\t\toidc_debug(r,\n\t\t\t\t\"session management enabled: stored session_state (%s), check_session_iframe (%s) and client_id (%s) in the session\",\n\t\t\t\tsession_state, provider->check_session_iframe,\n\t\t\t\tprovider->client_id);\n\t} else if (provider->check_session_iframe == NULL) {\n\t\toidc_debug(r,\n\t\t\t\t\"session management disabled: \\\"check_session_iframe\\\" is not set in provider configuration\");\n\t} else {\n\t\toidc_debug(r,\n\t\t\t\t\"session management disabled: no \\\"session_state\\\" value is provided in the authentication response even though \\\"check_session_iframe\\\" (%s) is set in the provider configuration\",\n\t\t\t\tprovider->check_session_iframe);\n\t}\n\n\t/* store claims resolved from userinfo endpoint */\n\toidc_store_userinfo_claims(r, c, session, provider, claims, userinfo_jwt);\n\n\t/* see if we have an access_token */\n\tif (access_token != NULL) {\n\t\t/* store the access_token in the session context */\n\t\toidc_session_set_access_token(r, session, access_token);\n\t\t/* store the associated expires_in value */\n\t\toidc_session_set_access_token_expires(r, session, expires_in);\n\t\t/* reset the access token refresh timestamp 
*/\n\t\toidc_session_reset_access_token_last_refresh(r, session);\n\t}\n\n\t/* see if we have a refresh_token */\n\tif (refresh_token != NULL) {\n\t\t/* store the refresh_token in the session context */\n\t\toidc_session_set_refresh_token(r, session, refresh_token);\n\t}\n\n\t/* store max session duration in the session as a hard cut-off expiry timestamp */\n\tapr_time_t session_expires =\n\t\t\t(provider->session_max_duration == 0) ?\n\t\t\t\t\tapr_time_from_sec(id_token_jwt->payload.exp) :\n\t\t\t\t\t(apr_time_now()\n\t\t\t\t\t\t\t+ apr_time_from_sec(provider->session_max_duration));\n\toidc_session_set_session_expires(r, session, session_expires);\n\n\toidc_debug(r,\n\t\t\t\"provider->session_max_duration = %d, session_expires=%\" APR_TIME_T_FMT,\n\t\t\tprovider->session_max_duration, session_expires);\n\n\t/* log message about max session duration */\n\toidc_log_session_expires(r, \"session max lifetime\", session_expires);\n\n\t/* store the domain for which this session is valid */\n\toidc_session_set_cookie_domain(r, session,\n\t\t\tc->cookie_domain ? 
c->cookie_domain : oidc_get_current_url_host(r));\n\n\tchar *sid = NULL;\n\toidc_debug(r, \"provider->backchannel_logout_supported=%d\",\n\t\t\tprovider->backchannel_logout_supported);\n\tif (provider->backchannel_logout_supported > 0) {\n\t\toidc_jose_get_string(r->pool, id_token_jwt->payload.value.json,\n\t\t\t\tOIDC_CLAIM_SID, FALSE, &sid, NULL);\n\t\tif (sid == NULL)\n\t\t\tsid = id_token_jwt->payload.sub;\n\t\tsession->sid = oidc_make_sid_iss_unique(r, sid, provider->issuer);\n\t}\n\n\t/* store the session */\n\treturn oidc_session_save(r, session, TRUE);\n}", "project": "mod_auth_openidc", "hash": 5738731572048370714350812130386889936, "size": 98, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381924 }, { "func": "int kvm_io_bus_read(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr,\n\t\t int len, void *val)\n{\n\tstruct kvm_io_bus *bus;\n\tstruct kvm_io_range range;\n\tint r;\n\n\trange = (struct kvm_io_range) {\n\t\t.addr = addr,\n\t\t.len = len,\n\t};\n\n\tbus = srcu_dereference(vcpu->kvm->buses[bus_idx], &vcpu->kvm->srcu);\n\tif (!bus)\n\t\treturn -ENOMEM;\n\tr = __kvm_io_bus_read(vcpu, bus, &range, val);\n\treturn r < 0 ? 
r : 0;\n}", "project": "linux", "hash": 47562152840941991781745734716182858111, "size": 18, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354551 }, { "func": "static inline u32 hid_report_len(struct hid_report *report)\n{\n\t/* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */\n\treturn ((report->size - 1) >> 3) + 1 + (report->id > 0);\n}", "project": "linux", "hash": 153629575982571204152286241125762273460, "size": 5, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires 
", "target": 0, "dataset": "other", "idx": 458391 }, { "func": "void LibRaw::identify_finetune_dcr(char head[64], int fsize, int flen)\n{\n\tstatic const short pana[][6] = {\n\t\t// raw_width, raw_height, left_margin, top_margin, width_increment,\n\t\t// height_increment\n\t\t{3130, 1743, 4, 0, -6, 0}, /* 00 */\n\t\t{3130, 2055, 4, 0, -6, 0}, /* 01 */\n\t\t{3130, 2319, 4, 0, -6, 0}, /* 02 DMC-FZ8 */\n\t\t{3170, 2103, 18, 0, -42, 20}, /* 03 */\n\t\t{3170, 2367, 18, 13, -42, -21}, /* 04 */\n\t\t{3177, 2367, 0, 0, -1, 0}, /* 05 DMC-L1 */\n\t\t{3304, 2458, 0, 0, -1, 0}, /* 06 DMC-FZ30 */\n\t\t{3330, 2463, 9, 0, -5, 0}, /* 07 DMC-FZ18 */\n\t\t{3330, 2479, 9, 0, -17, 4}, /* 08 */\n\t\t{3370, 1899, 15, 0, -44, 20}, /* 09 */\n\t\t{3370, 2235, 15, 0, -44, 20}, /* 10 */\n\t\t{3370, 2511, 15, 10, -44, -21}, /* 11 */\n\t\t{3690, 2751, 3, 0, -8, -3}, /* 12 DMC-FZ50 */\n\t\t{3710, 2751, 0, 0, -3, 0}, /* 13 DMC-L10 */\n\t\t{3724, 2450, 0, 0, 0, -2}, /* 14 */\n\t\t{3770, 2487, 17, 0, -44, 19}, /* 15 */\n\t\t{3770, 2799, 17, 15, -44, -19}, /* 16 */\n\t\t{3880, 2170, 6, 0, -6, 0}, /* 17 DMC-LX1 */\n\t\t{4060, 3018, 0, 0, 0, -2}, /* 18 DMC-FZ35, DMC-FZ38 */\n\t\t{4290, 2391, 3, 0, -8, -1}, /* 19 DMC-LX2 */\n\t\t{4330, 2439, 17, 15, -44, -19}, /* 20 \"D-LUX 3\" */\n\t\t{4508, 2962, 0, 0, -3, -4}, /* 21 */\n\t\t{4508, 3330, 0, 0, -3, -6}, /* 22 */\n\t\t{10480, 7794, 0, 0, -2, 0}, /* 23: G9 in high-res */\n\t};\n\tint i,c;\n\tstruct jhead jh;\n\n\tif (makeIs(LIBRAW_CAMERAMAKER_Canon) && !tiff_flip && imCanon.MakernotesFlip)\n\t{\n\t\ttiff_flip = imCanon.MakernotesFlip;\n\t}\n\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Nikon))\n\t{\n\t\tif (!load_raw)\n\t\t\tload_raw = &LibRaw::packed_load_raw;\n\t\tif (model[0] == 'E') // Nikon E8800, E8700, E8400, E5700, E5400, E5000,\n\t\t\t\t\t\t\t // others are diag hacks?\n\t\t\tload_flags |= !data_offset << 2 | 2;\n\t}\n\t/* Set parameters based on camera name (for non-DNG files). 
*/\n\n\t/* Always 512 for arw2_load_raw */\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Sony) &&\n\t\t(raw_width > 3888) && !black && !cblack[0])\n\t{\n\t\tblack = (load_raw == &LibRaw::sony_arw2_load_raw)\n\t\t\t? 512\n\t\t\t: (128 << (tiff_bps - 12));\n\t}\n\n\tif (is_foveon) {\n\t\tif (height * 2 < width)\n\t\t\tpixel_aspect = 0.5;\n\t\tif (height > width)\n\t\t\tpixel_aspect = 2;\n\t\tfilters = 0;\n\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Pentax)) {\n\t\tif ((unique_id == PentaxID_K_1) ||\n\t\t\t(unique_id == PentaxID_K_1_Mark_II)) {\n\t\t\ttop_margin = 18;\n\t\t\theight = raw_height - top_margin;\n\t\t\tif (raw_width == 7392) {\n\t\t\t\tleft_margin = 6;\n\t\t\t\twidth = 7376;\n\t\t\t}\n\n\t\t}\n\t\telse if (unique_id == PentaxID_Optio_S_V101) { // (fsize == 3178560)\n\t\t\tcam_mul[0] *= 4;\n\t\t\tcam_mul[2] *= 4;\n\n\t\t}\n\t\telse if (unique_id == PentaxID_Optio_33WR) { // (fsize == 4775936)\n\t\t\tflip = 1;\n\t\t\tfilters = 0x16161616;\n\n\t\t}\n\t\telse if (unique_id == PentaxID_staristD) {\n\t\t\tload_raw = &LibRaw::unpacked_load_raw;\n\t\t\tdata_error = -1;\n\n\t\t}\n\t\telse if (unique_id == PentaxID_staristDS) {\n\t\t\theight -= 2;\n\t\t}\n\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Canon)) {\n\t\tif (tiff_bps == 15) { // Canon sRAW\n\t\t\tif (width == 3344)\n\t\t\t\twidth = 3272;\n\t\t\telse if (width == 3872)\n\t\t\t\twidth = 3866;\n\n\t\t\tif (height > width) {\n\t\t\t\tSWAP(height, width);\n\t\t\t\tSWAP(raw_height, raw_width);\n\t\t\t}\n\t\t\tif (width == 7200 &&\n\t\t\t\theight == 3888) { // Canon EOS 5DS (R);\n\t\t\t\traw_width = width = 6480;\n\t\t\t\traw_height = height = 4320;\n\t\t\t}\n\t\t\tfilters = 0;\n\t\t\ttiff_samples = colors = 3;\n\t\t\tload_raw = &LibRaw::canon_sraw_load_raw;\n\t\t}\n\n\t\tif (!strcmp(normalized_model, \"PowerShot 600\")) {\n\t\t\theight = 613;\n\t\t\twidth = 854;\n\t\t\traw_width = 896;\n\t\t\tcolors = 4;\n\t\t\tfilters = 0xe1e4e1e4;\n\t\t\tload_raw = &LibRaw::canon_600_load_raw;\n\n\t\t}\n\t\telse if 
(!strcmp(normalized_model, \"PowerShot A5\") ||\n\t\t\t!strcmp(normalized_model, \"PowerShot A5 Zoom\")) {\n\t\t\theight = 773;\n\t\t\twidth = 960;\n\t\t\traw_width = 992;\n\t\t\tpixel_aspect = 256 / 235.0;\n\t\t\tfilters = 0x1e4e1e4e;\n\t\t\tgoto canon_a5;\n\n\t\t}\n\t\telse if (!strcmp(normalized_model, \"PowerShot A50\")) {\n\t\t\theight = 968;\n\t\t\twidth = 1290;\n\t\t\traw_width = 1320;\n\t\t\tfilters = 0x1b4e4b1e;\n\t\t\tgoto canon_a5;\n\n\t\t}\n\t\telse if (!strcmp(normalized_model, \"PowerShot Pro70\")) {\n\t\t\theight = 1024;\n\t\t\twidth = 1552;\n\t\t\tfilters = 0x1e4b4e1b;\n\t\tcanon_a5:\n\t\t\tcolors = 4;\n\t\t\ttiff_bps = 10;\n\t\t\tload_raw = &LibRaw::packed_load_raw;\n\t\t\tload_flags = 40;\n\n\t\t}\n\t\telse if (!strcmp(normalized_model, \"PowerShot Pro90 IS\") ||\n\t\t\t!strcmp(normalized_model, \"PowerShot G1\")) {\n\t\t\tcolors = 4;\n\t\t\tfilters = 0xb4b4b4b4;\n\n\t\t}\n\t\telse if (!strcmp(normalized_model, \"PowerShot A610\")) { // chdk hack\n\t\t\tif (canon_s2is())\n\t\t\t\tstrcpy(model + 10, \"S2 IS\"); // chdk hack\n\n\t\t}\n\t\telse if (!strcmp(normalized_model, \"PowerShot SX220 HS\")) { // chdk hack\n\t\t\tmask[1][3] = -4;\n\t\t\ttop_margin = 16;\n\t\t\tleft_margin = 92;\n\n\t\t}\n\t\telse if (!strcmp(normalized_model, \"PowerShot S120\")) { // chdk hack\n\t\t\traw_width = 4192;\n\t\t\traw_height = 3062;\n\t\t\twidth = 4022;\n\t\t\theight = 3016;\n\t\t\tmask[0][0] = top_margin = 31;\n\t\t\tmask[0][2] = top_margin + height;\n\t\t\tleft_margin = 120;\n\t\t\tmask[0][1] = 23;\n\t\t\tmask[0][3] = 72;\n\n\t\t}\n\t\telse if (!strcmp(normalized_model, \"PowerShot G16\")) {\n\t\t\tmask[0][0] = 0;\n\t\t\tmask[0][2] = 80;\n\t\t\tmask[0][1] = 0;\n\t\t\tmask[0][3] = 16;\n\t\t\ttop_margin = 29;\n\t\t\tleft_margin = 120;\n\t\t\twidth = raw_width - left_margin - 48;\n\t\t\theight = raw_height - top_margin - 14;\n\n\t\t}\n\t\telse if (!strcmp(normalized_model, \"PowerShot SX50 HS\")) {\n\t\t\ttop_margin = 17;\n\t\t}\n\n\t}\n\telse if 
(makeIs(LIBRAW_CAMERAMAKER_Nikon)) {\n\t\tif (!strcmp(model, \"D1\"))\n\t\t{\n\t\t\timgdata.other.analogbalance[0] = cam_mul[0];\n\t\t\timgdata.other.analogbalance[2] = cam_mul[2];\n\t\t\timgdata.other.analogbalance[1] = imgdata.other.analogbalance[3] =\n\t\t\t\tcam_mul[1];\n\t\t\tcam_mul[0] = cam_mul[1] = cam_mul[2] = 1.0f;\n\t\t}\n\n\t\telse if (!strcmp(model, \"D1X\"))\n\t\t{\n\t\t\twidth -= 4;\n\t\t\tpixel_aspect = 0.5;\n\t\t}\n\t\telse if (!strcmp(model, \"D40X\") ||\n\t\t\t!strcmp(model, \"D60\") ||\n\t\t\t!strcmp(model, \"D80\") ||\n\t\t\t!strcmp(model, \"D3000\"))\n\t\t{\n\t\t\theight -= 3;\n\t\t\twidth -= 4;\n\t\t}\n\t\telse if (!strcmp(model, \"D3\") ||\n\t\t\t!strcmp(model, \"D3S\") ||\n\t\t\t!strcmp(model, \"D700\"))\n\t\t{\n\t\t\twidth -= 4;\n\t\t\tleft_margin = 2;\n\t\t}\n\t\telse if (!strcmp(model, \"D3100\"))\n\t\t{\n\t\t\twidth -= 28;\n\t\t\tleft_margin = 6;\n\t\t}\n\t\telse if (!strcmp(model, \"D5000\") ||\n\t\t\t!strcmp(model, \"D90\"))\n\t\t{\n\t\t\twidth -= 42;\n\t\t}\n\t\telse if (!strcmp(model, \"D5100\") ||\n\t\t\t!strcmp(model, \"D7000\") ||\n\t\t\t!strcmp(model, \"COOLPIX A\"))\n\t\t{\n\t\t\twidth -= 44;\n\t\t}\n\t\telse if (!strcmp(model, \"D3200\") ||\n\t\t\t!strcmp(model, \"D600\") ||\n\t\t\t!strcmp(model, \"D610\") ||\n\t\t\t!strncmp(model, \"D800\", 4)) // Nikons: D800, D800E\n\t\t{\n\t\t\twidth -= 46;\n\t\t}\n\t\telse if (!strcmp(model, \"D4\") ||\n\t\t\t!strcmp(model, \"Df\"))\n\t\t{\n\t\t\twidth -= 52;\n\t\t\tleft_margin = 2;\n\t\t}\n\t\telse if (!strcmp(model, \"D500\"))\n\t\t{\n\t\t\t// Empty - to avoid width-1 below\n\t\t}\n\t\telse if (!strncmp(model, \"D40\", 3) ||\n\t\t\t!strncmp(model, \"D50\", 3) ||\n\t\t\t!strncmp(model, \"D70\", 3))\n\t\t{\n\t\t\twidth--;\n\t\t}\n\t\telse if (!strcmp(model, \"D100\"))\n\t\t{\n\t\t\tif (load_flags) // compressed NEF\n\t\t\t\traw_width = (width += 3) + 3;\n\t\t}\n\t\telse if (!strcmp(model, \"D200\"))\n\t\t{\n\t\t\tleft_margin = 1;\n\t\t\twidth -= 4;\n\t\t\tfilters = 
0x94949494;\n\t\t}\n\t\telse if (!strncmp(model, \"D2H\", 3)) // Nikons: D2H, D2Hs\n\t\t{\n\t\t\tleft_margin = 6;\n\t\t\twidth -= 14;\n\t\t}\n\t\telse if (!strncmp(model, \"D2X\", 3)) // Nikons: D2X, D2Xs\n\t\t{\n\t\t\tif (width == 3264) // in-camera Hi-speed crop: On\n\t\t\t\twidth -= 32;\n\t\t\telse\n\t\t\t\twidth -= 8;\n\t\t}\n\t\telse if (!strncmp(model, \"D300\", 4)) // Nikons: D300, D300s\n\t\t{\n\t\t\twidth -= 32;\n\t\t}\n\t\telse if (raw_width == 4032) // Nikon \"COOLPIX P7700\", \"COOLPIX P7800\",\n\t\t\t\t\t\t\t\t\t// \"COOLPIX P330\", \"COOLPIX P340\"\n\t\t{\n\t\t\tif (!strcmp(normalized_model, \"COOLPIX P7700\"))\n\t\t\t{\n\t\t\t\tmaximum = 65504;\n\t\t\t\tload_flags = 0;\n\t\t\t}\n\t\t\telse if (!strcmp(normalized_model, \"COOLPIX P7800\"))\n\t\t\t{\n\t\t\t\tmaximum = 65504;\n\t\t\t\tload_flags = 0;\n\t\t\t}\n\t\t\telse if (!strcmp(model, \"COOLPIX P340\"))\n\t\t\t{\n\t\t\t\tload_flags = 0;\n\t\t\t}\n\t\t}\n\t\telse if (!strncmp(model, \"COOLPIX P\", 9) &&\n\t\t\traw_width != 4032) // Nikon \"COOLPIX P1000\", \"COOLPIX P6000\",\n\t\t\t\t\t\t\t // \"COOLPIX P7000\", \"COOLPIX P7100\"\n\t\t{\n\t\t\tload_flags = 24;\n\t\t\tfilters = 0x94949494;\n\t\t\t/* the following 'if' is most probably obsolete, because we now read black\n\t\t\t * level from metadata */\n\t\t\tif ((model[9] == '7') && /* P7000, P7100 */\n\t\t\t\t((iso_speed >= 400) || (iso_speed == 0)) &&\n\t\t\t\t!strstr(software, \"V1.2\")) /* v. 
1.2 seen for P7000 only */\n\t\t\t\tblack = 255;\n\t\t}\n\t\telse if (!strncmp(model, \"COOLPIX B700\", 12))\n\t\t{\n\t\t\tload_flags = 24;\n\t\t}\n\t\telse if (!strncmp(model, \"1 \",\n\t\t\t2)) // Nikons: \"1 AW1\", \"1 J1\", \"1 J2\", \"1 J3\", \"1 J4\",\n\t\t\t\t// \"1 J5\", \"1 S1\", \"1 S2\", \"1 V1\", \"1 V2\", \"1 V3\"\n\t\t{\n\t\t\theight -= 2;\n\t\t}\n\t\telse if (fsize == 1581060) // hack Nikon 1mpix: E900\n\t\t{\n\t\t\tsimple_coeff(3);\n\t\t\tpre_mul[0] = 1.2085;\n\t\t\tpre_mul[1] = 1.0943;\n\t\t\tpre_mul[3] = 1.1103;\n\t\t}\n\t\telse if ((fsize == 4771840) && // hack Nikon 3mpix: E880, E885, E990\n\t\t\tstrcmp(model, \"E995\")) // but not E995\n\t\t{\n\t\t\tfilters = 0xb4b4b4b4;\n\t\t\tsimple_coeff(3);\n\t\t\tpre_mul[0] = 1.196;\n\t\t\tpre_mul[1] = 1.246;\n\t\t\tpre_mul[2] = 1.018;\n\t\t}\n\t\telse if ((fsize == 4775936) && // hack Nikon 3mpix: E3100, E3200, E3500\n\t\t\t(atoi(model + 1) < 3700)) // but not E3700;\n\t\t{\n\t\t\tfilters = 0x49494949;\n\t\t}\n\t\telse if (fsize == 5869568) // hack Nikon 4mpix: E4300;\n\t\t{\n\t\t\tload_flags = 6;\n\t\t}\n\t\telse if (!strcmp(model, \"E2500\"))\n\t\t{\n\t\t\theight -= 2;\n\t\t\tload_flags = 6;\n\t\t\tcolors = 4;\n\t\t\tfilters = 0x4b4b4b4b;\n\t\t}\n\t}\n\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Olympus)) {\n\t\tif (OlyID == OlyID_C_740UZ) { // (fsize == 4775936)\n\t\t\ti = find_green(12, 32, 1188864, 3576832);\n\t\t\tc = find_green(12, 32, 2383920, 2387016);\n\t\t\tif (abs(i) < abs(c)) {\n\t\t\t\tSWAP(i, c);\n\t\t\t\tload_flags = 24;\n\t\t\t}\n\t\t\tif (i < 0)\n\t\t\t\tfilters = 0x61616161;\n\t\t}\n\t\telse if (OlyID == OlyID_C_770UZ) {\n\t\t\theight = 1718;\n\t\t\twidth = 2304;\n\t\t\tfilters = 0x16161616;\n\t\t\tload_raw = &LibRaw::packed_load_raw;\n\t\t\tload_flags = 30;\n\t\t}\n\t\telse {\n\t\t\theight += height & 1;\n\t\t\tif (exif_cfa)\n\t\t\t\tfilters = exif_cfa;\n\n\t\t\tif (width == 4100) // Olympus E-PL2, E-PL1, E-P2, E-P1, E-620, E-600, E-5, E-30;\n\t\t\t\twidth -= 4;\n\n\t\t\tif (width == 4080) 
// Olympus E-PM1, E-PL3, E-P3;\n\t\t\t\twidth -= 24;\n\n\t\t\tif (width == 10400) // Olympus PEN-F, E-M1-II, E-M1-III, E-M1X\n\t\t\t\twidth -= 12;\n\n\t\t\tif (width == 8200) // E-M1-III in 50Mp mode, E-M1X\n\t\t\t\twidth -= 30;\n\n\t\t\tif (width == 9280) { // Olympus E-M5 Mark II;\n\t\t\t\twidth -= 6;\n\t\t\t\theight -= 6;\n\t\t\t}\n\n\t\t\tif (load_raw == &LibRaw::unpacked_load_raw)\n\t\t\t\tload_flags = 4;\n\t\t\ttiff_bps = 12;\n\t\t\tif ((OlyID == OlyID_E_300) ||\n\t\t\t\t(OlyID == OlyID_E_500)) {\n\t\t\t\twidth -= 20;\n\t\t\t\tif (load_raw == &LibRaw::unpacked_load_raw) {\n\t\t\t\t\tmaximum = 0xfc3;\n\t\t\t\t\tmemset(cblack, 0, sizeof cblack);\n\t\t\t\t}\n\n\t\t\t}\n\t\t\telse if (OlyID == OlyID_STYLUS_1) {\n\t\t\t\twidth -= 16;\n\t\t\t\tmaximum = 0xfff;\n\n\t\t\t}\n\t\t\telse if (OlyID == OlyID_E_330) {\n\t\t\t\twidth -= 30;\n\t\t\t\tif (load_raw == &LibRaw::unpacked_load_raw)\n\t\t\t\t\tmaximum = 0xf79;\n\n\t\t\t}\n\t\t\telse if (OlyID == OlyID_SP_550UZ) {\n\t\t\t\tthumb_length = flen - (thumb_offset = 0xa39800);\n\t\t\t\tthumb_height = 480;\n\t\t\t\tthumb_width = 640;\n\n\t\t\t}\n\t\t\telse if (OlyID == OlyID_TG_4) {\n\t\t\t\twidth -= 16;\n\n\t\t\t}\n\t\t\telse if ((OlyID == OlyID_TG_5) ||\n\t\t\t\t(OlyID == OlyID_TG_6)) {\n\t\t\t\twidth -= 26;\n\t\t\t}\n\t\t}\n\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_RoverShot) &&\n\t\t(fsize == 6291456)) { // RoverShot 3320AF\n\t\tfseek(ifp, 0x300000, SEEK_SET);\n\t\tif ((order = guess_byte_order(0x10000)) == 0x4d4d)\n\t\t{\n\t\t\theight -= (top_margin = 16);\n\t\t\twidth -= (left_margin = 28);\n\t\t\tmaximum = 0xf5c0;\n\t\t\tstrcpy(make, \"ISG\");\n\t\t\tmodel[0] = 0;\n\t\t}\n\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Fujifilm)) {\n\t\tif (!strcmp(model, \"S2Pro\"))\n\t\t{\n\t\t\theight = 2144;\n\t\t\twidth = 2880;\n\t\t\tflip = 6;\n\t\t}\n\t\telse if (load_raw != &LibRaw::packed_load_raw && strncmp(model, \"X-\", 2) &&\n\t\t\tfilters >= 1000) // Bayer and not an X-model\n\t\t\tmaximum = (is_raw == 2 && shot_select) 
? 0x2f00 : 0x3e00;\n\n\t\tif (FujiCropMode == 1)\n\t\t{ // FF crop on GFX\n\t\t\twidth = raw_width;\n\t\t\theight = raw_height;\n\t\t}\n\t\telse if (FujiCropMode == 4)\n\t\t{ /* electronic shutter, high speed mode (1.25x crop) */\n\t\t\theight = raw_height;\n\t\t}\n\n\t\ttop_margin = (raw_height >= height) ? (raw_height - height) >> 2 << 1 : 0;\n\t\tleft_margin = (raw_width >= width) ? (raw_width - width) >> 2 << 1 : 0;\n\n\t\tif (!strcmp(model, \"X-T3\") || !strcmp(model, \"X-T4\") || !strcmp(model, \"X100V\") || !strcmp(model, \"X-T30\") || !strcmp(model, \"X-Pro3\"))\n\t\t{\n\t\t\ttop_margin = 0;\n\t\t\tif (FujiCropMode == 0)\n\t\t\t{\n\t\t\t\ttop_margin = 6;\n\t\t\t\theight = 4170;\n\t\t\t\tleft_margin = 0;\n\t\t\t\twidth = 6246;\n\t\t\t}\n\t\t\telse if (FujiCropMode == 4)\n\t\t\t{ /* electronic shutter, high speed mode (1.25x crop) */\n\t\t\t\tleft_margin = 624;\n\t\t\t\twidth = 5004;\n\t\t\t}\n\t\t}\n\n\t\tif (width == 2848 || // Fujifilm X-S1, X10, XF1\n\t\t\twidth == 3664) // Fujifilm \"HS10 HS11\"\n\t\t\tfilters = 0x16161616;\n\n\t\tif (width == 4032 || // Fujifilm X20, X30, XQ1, XQ2\n\t\t\twidth == 4952) // Fujifilm X-A1, X-A2, X-E1, X-M1, X-Pro1\n\t\t\tleft_margin = 0;\n\n\t\tif (width == 3328 &&\n\t\t\t(width -= 66)) // Fujifilm F550EXR, F600EXR, F770EXR, F800EXR, F900EXR,\n\t\t\t\t\t\t // HS20EXR, HS30EXR, HS33EXR, HS50EXR\n\t\t\tleft_margin = 34;\n\n\t\tif (width == 4936) // Fujifilm X-E2S, X-E2, X-T10, X-T1, X100S, X100T, X70\n\t\t\tleft_margin = 4;\n\n\t\tif (width == 6032) // Fujifilm X100F, X-T2, X-T20, X-Pro2, X-H1, X-E3\n\t\t\tleft_margin = 0;\n\n\t\tif (!strcmp(normalized_model, \"DBP for GX680\"))\n\t\t{\n\t\t\t/*\n\t\t\t7712 2752 -> 5504 3856\n\t\t\t*/\n\n\t\t\t/*\n\t\t\twidth = 688;\n\t\t\theight = 30848;\n\t\t\traw_width = 688;\n\t\t\traw_height = 30848;\n\t\t\t*/\n\n\t\t\traw_width = 5504;\n\t\t\traw_height = 3856;\n\t\t\tleft_margin = 32;\n\t\t\ttop_margin = 8;\n\t\t\twidth = raw_width - left_margin - 32;\n\t\t\theight = raw_height - 
top_margin - 8;\n\n\t\t\tload_raw = &LibRaw::unpacked_load_raw_FujiDBP;\n\t\t\t// maximum = 0x0fff;\n\t\t\tfilters = 0x16161616;\n\t\t\tload_flags = 0;\n\t\t\tflip = 6;\n\t\t}\n\n\t\tif (!strcmp(model, \"HS50EXR\") || !strcmp(model, \"F900EXR\"))\n\t\t{\n\t\t\twidth += 2;\n\t\t\tleft_margin = 0;\n\t\t\tfilters = 0x16161616;\n\t\t}\n\t\tif (!strncmp(model, \"GFX 50\", 6))\n\t\t{\n\t\t\tleft_margin = 0;\n\t\t\ttop_margin = 0;\n\t\t}\n\t\tif (!strncmp(model, \"GFX 100\", 7))\n\t\t{\n\t\t\tleft_margin = 0;\n\t\t\twidth = raw_width - 146;\n\t\t\theight = raw_height - (top_margin = 2);\n\t\t\tif (tiff_bps == 16)\n\t\t\t\tmaximum = 0xffff;\n\t\t}\n\t\tif (!strcmp(normalized_model, \"S5100\"))\n\t\t{\n\t\t\theight -= (top_margin = 6);\n\t\t}\n\t\tif (fuji_layout)\n\t\t\traw_width *= is_raw;\n\t\tif (filters == 9)\n\t\t\tFORC(36)\n\t\t\t((char *)xtrans)[c] =\n\t\t\txtrans_abs[(c / 6 + top_margin) % 6][(c + left_margin) % 6];\n\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Konica)) {\n\t\tif (!strcmp(model, \"KD-400Z\")) {\n\t\t\theight = 1712;\n\t\t\twidth = 2312;\n\t\t\traw_width = 2336;\n\t\t\tgoto konica_400z;\n\t\t}\n\t\telse if (!strcmp(model, \"KD-510Z\")) {\n\t\t\tgoto konica_510z;\n\t\t}\n\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Minolta)) {\n\t\tif (fsize == 5869568) { // hack Minolta \"DiMAGE Z2\"\n\t\t\tload_flags = 30;\n\t\t}\n\n\t\tif (!load_raw && (maximum = 0xfff))\n\t\t{\n\t\t\tload_raw = &LibRaw::unpacked_load_raw;\n\t\t}\n\t\tif (!strncmp(model, \"DiMAGE A\",\n\t\t\t8)) // Minolta \"DiMAGE A1\", \"DiMAGE A2\", \"DiMAGE A200\"\n\t\t{\n\t\t\tif (!strcmp(model, \"DiMAGE A200\"))\n\t\t\t\tfilters = 0x49494949;\n\t\t\ttiff_bps = 12;\n\t\t\tload_raw = &LibRaw::packed_load_raw;\n\t\t}\n\t\telse if (!strncmp(normalized_model, \"DG-\", 3))\n\t\t{\n\t\t\tload_raw = &LibRaw::packed_load_raw;\n\t\t}\n\t\telse if (!strncmp(model, \"DiMAGE G\",\n\t\t\t8)) // hack Minolta \"DiMAGE G400\", \"DiMAGE G500\",\n\t\t\t\t// \"DiMAGE G530\", \"DiMAGE G600\"\n\t\t{\n\t\t\tif 
(model[8] == '4') // DiMAGE G400\n\t\t\t{\n\t\t\t\theight = 1716;\n\t\t\t\twidth = 2304;\n\t\t\t}\n\t\t\telse if (model[8] == '5') // DiMAGE G500 / G530\n\t\t\t{\n\t\t\tkonica_510z:\n\t\t\t\theight = 1956;\n\t\t\t\twidth = 2607;\n\t\t\t\traw_width = 2624;\n\t\t\t}\n\t\t\telse if (model[8] == '6') // DiMAGE G600\n\t\t\t{\n\t\t\t\theight = 2136;\n\t\t\t\twidth = 2848;\n\t\t\t}\n\t\t\tdata_offset += 14;\n\t\t\tfilters = 0x61616161;\n\t\tkonica_400z:\n\t\t\tload_raw = &LibRaw::unpacked_load_raw;\n\t\t\tmaximum = 0x3df;\n\t\t\torder = 0x4d4d;\n\t\t}\n\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Samsung)) {\n\t\tif (raw_width == 4704) // Samsung NX100, NX10, NX11,\n\t\t{\n\t\t\theight -= top_margin = 8;\n\t\t\twidth -= 2 * (left_margin = 8);\n\t\t\tload_flags = 32;\n\t\t}\n\t\telse if (!strcmp(model, \"NX3000\")) // Samsung NX3000; raw_width: 5600\n\t\t{\n\t\t\ttop_margin = 38;\n\t\t\tleft_margin = 92;\n\t\t\twidth = 5456;\n\t\t\theight = 3634;\n\t\t\tfilters = 0x61616161;\n\t\t\tcolors = 3;\n\t\t}\n\t\telse if (raw_height == 3714) // Samsung NX2000, NX300M, NX300, NX30, EK-GN120\n\t\t{\n\t\t\theight -= top_margin = 18;\n\t\t\tleft_margin = raw_width - (width = 5536);\n\t\t\tif (raw_width != 5600)\n\t\t\t\tleft_margin = top_margin = 0;\n\t\t\tfilters = 0x61616161;\n\t\t\tcolors = 3;\n\t\t}\n\t\telse if (raw_width == 5632) // Samsung NX1000, NX200, NX20, NX210\n\t\t{\n\t\t\torder = 0x4949;\n\t\t\theight = 3694;\n\t\t\ttop_margin = 2;\n\t\t\twidth = 5574 - (left_margin = 32 + tiff_bps);\n\t\t\tif (tiff_bps == 12)\n\t\t\t\tload_flags = 80;\n\t\t}\n\t\telse if (raw_width == 5664) // Samsung \"NX mini\"\n\t\t{\n\t\t\theight -= top_margin = 17;\n\t\t\tleft_margin = 96;\n\t\t\twidth = 5544;\n\t\t\tfilters = 0x49494949;\n\t\t}\n\t\telse if (raw_width == 6496) // Samsung NX1, NX500\n\t\t{\n\t\t\tfilters = 0x61616161;\n\t\t\tif (!black && !cblack[0] && !cblack[1] && !cblack[2] && !cblack[3])\n\t\t\t\tblack = 1 << (tiff_bps - 7);\n\t\t}\n\t\telse if (!strcmp(model, \"EX1\")) // 
Samsung EX1; raw_width: 3688\n\t\t{\n\t\t\torder = 0x4949;\n\t\t\theight -= 20;\n\t\t\ttop_margin = 2;\n\t\t\tif ((width -= 6) > 3682)\n\t\t\t{\n\t\t\t\theight -= 10;\n\t\t\t\twidth -= 46;\n\t\t\t\ttop_margin = 8;\n\t\t\t}\n\t\t}\n\t\telse if (!strcmp(model, \"WB2000\")) // Samsung WB2000; raw_width: 3728\n\t\t{\n\t\t\torder = 0x4949;\n\t\t\theight -= 3;\n\t\t\ttop_margin = 2;\n\t\t\tif ((width -= 10) > 3718)\n\t\t\t{\n\t\t\t\theight -= 28;\n\t\t\t\twidth -= 56;\n\t\t\t\ttop_margin = 8;\n\t\t\t}\n\t\t}\n\t\telse if (!strcmp(model, \"WB550\")) // Samsung WB550; raw_width: 4000\n\t\t{\n\t\t\torder = 0x4949;\n\t\t}\n\t\telse if (!strcmp(model, \"EX2F\")) // Samsung EX2F; raw_width: 4176\n\t\t{\n\t\t\theight = 3030;\n\t\t\twidth = 4040;\n\t\t\ttop_margin = 15;\n\t\t\tleft_margin = 24;\n\t\t\torder = 0x4949;\n\t\t\tfilters = 0x49494949;\n\t\t\tload_raw = &LibRaw::unpacked_load_raw;\n\t\t}\n\t}\n\n\telse if (makeIs(LIBRAW_CAMERAMAKER_ST_Micro) && !strcmp(model, \"STV680 VGA\"))\n\t{\n\t\tblack = 16;\n\t}\n\telse if (!strcmp(model, \"N95\"))\n\t{\n\t\theight = raw_height - (top_margin = 2);\n\t}\n\telse if (!strcmp(model, \"640x480\"))\n\t{\n\t\tgamma_curve(0.45, 4.5, 1, 255);\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Hasselblad))\n\t{\n\t\tif (load_raw == &LibRaw::lossless_jpeg_load_raw)\n\t\t\tload_raw = &LibRaw::hasselblad_load_raw;\n\n\t\tif ((imHassy.SensorCode == 4) && !strncmp(model, \"V96C\", 4)) { // Hasselblad V96C\n\t\t\tstrcpy(model, \"V96C\");\n\t\t\tstrcpy(normalized_model, model);\n\t\t\theight -= (top_margin = 6);\n\t\t\twidth -= (left_margin = 3) + 7;\n\t\t\tfilters = 0x61616161;\n\n\t\t}\n\t\telse if ((imHassy.SensorCode == 9) && imHassy.uncropped) { // various Hasselblad '-39'\n\t\t\theight = 5444;\n\t\t\twidth = 7248;\n\t\t\ttop_margin = 4;\n\t\t\tleft_margin = 7;\n\t\t\tfilters = 0x61616161;\n\n\t\t}\n\t\telse if ((imHassy.SensorCode == 13) && imHassy.uncropped) { // Hasselblad H4D-40, H5D-40\n\t\t\theight -= 84;\n\t\t\twidth -= 82;\n\t\t\ttop_margin 
= 4;\n\t\t\tleft_margin = 41;\n\t\t\tfilters = 0x61616161;\n\n\t\t}\n\t\telse if ((imHassy.SensorCode == 11) && imHassy.uncropped) { // Hasselblad H5D-50\n\t\t\theight -= 84;\n\t\t\twidth -= 82;\n\t\t\ttop_margin = 4;\n\t\t\tleft_margin = 41;\n\t\t\tfilters = 0x61616161;\n\n\t\t}\n\t\telse if ((imHassy.SensorCode == 15) &&\n\t\t\t!imHassy.SensorSubCode && // Hasselblad H5D-50c\n\t\t\timHassy.uncropped) {\n\t\t\tleft_margin = 52;\n\t\t\ttop_margin = 100;\n\t\t\twidth = 8272;\n\t\t\theight = 6200;\n\t\t\tblack = 256;\n\n\t\t}\n\t\telse if ((imHassy.SensorCode == 15) &&\n\t\t\t(imHassy.SensorSubCode == 2) && // various Hasselblad X1D cameras\n\t\t\timHassy.uncropped) {\n\t\t\ttop_margin = 96;\n\t\t\theight -= 96;\n\t\t\tleft_margin = 48;\n\t\t\twidth -= 106;\n\t\t\tmaximum = 0xffff;\n\t\t\ttiff_bps = 16;\n\n\t\t}\n\t\telse if ((imHassy.SensorCode == 12) && imHassy.uncropped) { // Hasselblad H4D-60\n\t\t\tif (black > 500) { // (imHassy.format == LIBRAW_HF_FFF)\n\t\t\t\ttop_margin = 12;\n\t\t\t\tleft_margin = 44;\n\t\t\t\twidth = 8956;\n\t\t\t\theight = 6708;\n\t\t\t\tmemset(cblack, 0, sizeof(cblack));\n\t\t\t\tblack = 512;\n\t\t\t}\n\t\t\telse { // (imHassy.format == LIBRAW_HF_3FR)\n\t\t\t\ttop_margin = 8;\n\t\t\t\tleft_margin = 40;\n\t\t\t\twidth = 8964;\n\t\t\t\theight = 6716;\n\t\t\t\tblack += load_flags = 256;\n\t\t\t\tmaximum = 0x8101;\n\t\t\t}\n\n\t\t}\n\t\telse if ((imHassy.SensorCode == 17) && imHassy.uncropped) { // Hasselblad H6D-100c, A6D-100c\n\t\t\tleft_margin = 64;\n\t\t\twidth = 11608;\n\t\t\ttop_margin = 108;\n\t\t\theight = raw_height - top_margin;\n\t\t}\n\n\t\tif (tiff_samples > 1)\n\t\t{\n\t\t\tis_raw = tiff_samples + 1;\n\t\t\tif (!shot_select && !half_size)\n\t\t\t\tfilters = 0;\n\t\t}\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Sinar))\n\t{\n\t\tif (!load_raw)\n\t\t\tload_raw = &LibRaw::unpacked_load_raw;\n\t\tif (is_raw > 1 && !shot_select)\n\t\t\tfilters = 0;\n\t\tmaximum = 0x3fff;\n\t}\n\n\tif (load_raw == 
&LibRaw::sinar_4shot_load_raw)\n\t{\n\t\tif (is_raw > 1 && !shot_select)\n\t\t\tfilters = 0;\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Leaf))\n\t{\n\t\tmaximum = 0x3fff;\n\t\tfseek(ifp, data_offset, SEEK_SET);\n\t\tif (ljpeg_start(&jh, 1) && jh.bits == 15)\n\t\t\tmaximum = 0x1fff;\n\t\tif (tiff_samples > 1)\n\t\t\tfilters = 0;\n\t\tif (tiff_samples > 1 || tile_length < raw_height)\n\t\t{\n\t\t\tload_raw = &LibRaw::leaf_hdr_load_raw;\n\t\t\traw_width = tile_width;\n\t\t}\n\t\tif ((width | height) == 2048)\n\t\t{\n\t\t\tif (tiff_samples == 1)\n\t\t\t{\n\t\t\t\tfilters = 1;\n\t\t\t\tstrcpy(cdesc, \"RBTG\");\n\t\t\t\tstrcpy(model, \"CatchLight\");\n\t\t\t\tstrcpy(normalized_model, model);\n\t\t\t\ttop_margin = 8;\n\t\t\t\tleft_margin = 18;\n\t\t\t\theight = 2032;\n\t\t\t\twidth = 2016;\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tstrcpy(model, \"DCB2\");\n\t\t\t\tstrcpy(normalized_model, model);\n\t\t\t\ttop_margin = 10;\n\t\t\t\tleft_margin = 16;\n\t\t\t\theight = 2028;\n\t\t\t\twidth = 2022;\n\t\t\t}\n\t\t}\n\t\telse if (width + height == 3144 + 2060)\n\t\t{\n\t\t\tif (!model[0])\n\t\t\t{\n\t\t\t\tstrcpy(model, \"Cantare\");\n\t\t\t\tstrcpy(normalized_model, model);\n\t\t\t}\n\t\t\tif (width > height)\n\t\t\t{\n\t\t\t\ttop_margin = 6;\n\t\t\t\tleft_margin = 32;\n\t\t\t\theight = 2048;\n\t\t\t\twidth = 3072;\n\t\t\t\tfilters = 0x61616161;\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tleft_margin = 6;\n\t\t\t\ttop_margin = 32;\n\t\t\t\twidth = 2048;\n\t\t\t\theight = 3072;\n\t\t\t\tfilters = 0x16161616;\n\t\t\t}\n\t\t\tif (!cam_mul[0] || model[0] == 'V')\n\t\t\t\tfilters = 0;\n\t\t\telse\n\t\t\t\tis_raw = tiff_samples;\n\t\t}\n\t\telse if (width == 2116) // Leaf \"Valeo 6\"\n\t\t{\n\t\t\tstrcpy(model, \"Valeo 6\");\n\t\t\tstrcpy(normalized_model, model);\n\t\t\theight -= 2 * (top_margin = 30);\n\t\t\twidth -= 2 * (left_margin = 55);\n\t\t\tfilters = 0x49494949;\n\t\t}\n\t\telse if (width == 3171) // Leaf \"Valeo 6\"\n\t\t{\n\t\t\tstrcpy(model, \"Valeo 
6\");\n\t\t\tstrcpy(normalized_model, model);\n\t\t\theight -= 2 * (top_margin = 24);\n\t\t\twidth -= 2 * (left_margin = 24);\n\t\t\tfilters = 0x16161616;\n\t\t}\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Panasonic))\n\t{\n\t\tif (raw_width > 0 &&\n\t\t\t((flen - data_offset) / (raw_width * 8 / 7) == raw_height))\n\t\t\tload_raw = &LibRaw::panasonic_load_raw;\n\t\tif (!load_raw)\n\t\t{\n\t\t\tload_raw = &LibRaw::unpacked_load_raw;\n\t\t\tload_flags = 4;\n\t\t}\n\t\tzero_is_bad = 1;\n\t\tif ((height += 12) > raw_height)\n\t\t\theight = raw_height;\n\t\tfor (i = 0; i < int(sizeof pana / sizeof *pana); i++)\n\t\t\tif (raw_width == pana[i][0] && raw_height == pana[i][1])\n\t\t\t{\n\t\t\t\tleft_margin = pana[i][2];\n\t\t\t\ttop_margin = pana[i][3];\n\t\t\t\twidth += pana[i][4];\n\t\t\t\theight += pana[i][5];\n\t\t\t}\n\t\tif (!tiff_bps && pana_bpp >= 12 && pana_bpp <= 14)\n\t\t\ttiff_bps = pana_bpp;\n\n\t\tfilters = 0x01010101U *\n\t\t\t(uchar) \"\\x94\\x61\\x49\\x16\"[((filters - 1) ^ (left_margin & 1) ^\n\t\t\t(top_margin << 1)) &\n\t\t\t3];\n\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Contax) &&\n\t\t!strcmp(model, \"N Digital\")) {\n\t\theight = 2047;\n\t\twidth = 3072;\n\t\tfilters = 0x61616161;\n\t\tdata_offset = 0x1a00;\n\t\tload_raw = &LibRaw::packed_load_raw;\n\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Sony)) {\n\t\tif (!strcmp(model, \"DSC-F828\")) { // Sony DSC-F828\n\t\t\twidth = 3288;\n\t\t\tleft_margin = 5;\n\t\t\tmask[1][3] = -17;\n\t\t\tdata_offset = 862144;\n\t\t\tload_raw = &LibRaw::sony_load_raw;\n\t\t\tfilters = 0x9c9c9c9c;\n\t\t\tcolors = 4;\n\t\t\tstrcpy(cdesc, \"RGBE\");\n\n\t\t}\n\t\telse if (!strcmp(model, \"DSC-V3\")) { // Sony DSC-V3\n\t\t\twidth = 3109;\n\t\t\tleft_margin = 59;\n\t\t\tmask[0][1] = 9;\n\t\t\tdata_offset = 787392;\n\t\t\tload_raw = &LibRaw::sony_load_raw;\n\n\t\t}\n\t\telse if (raw_width == 3984) { // Sony DSC-R1;\n\t\t\twidth = 3925;\n\t\t\torder = 0x4d4d;\n\n\t\t}\n\t\telse if (raw_width == 4288) { // Sony ILCE-7S, 
ILCE-7SM2, DSLR-A700, DSLR-A500;\n\t\t\twidth -= 32;\n\n\t\t}\n\t\telse if (raw_width == 4600) { // Sony DSLR-A290, DSLR-A350, DSLR-A380;\n\t\t\tif (!strcmp(model, \"DSLR-A350\"))\n\t\t\t\theight -= 4;\n\t\t\tblack = 0;\n\n\t\t}\n\t\telse if (raw_width == 4928) {\n\t\t\t// Sony DSLR-A580, NEX-C3, SLT-A35, DSC-HX99, SLT-A55,\n\t\t\t// NEX-5N, SLT-A37, SLT-A57, NEX-F3, NEX-6, NEX-5R, NEX-3N, NEX-5T;\n\t\t\tif (height < 3280)\n\t\t\t\twidth -= 8;\n\n\t\t}\n\t\telse if (raw_width == 5504) {\n\t\t\t// Sony ILCE-3000, SLT-A58, DSC-RX100M3, ILCE-QX1,\n\t\t\t// DSC-RX10M4, DSC-RX100M6, DSC-RX100, DSC-RX100M2, DSC-RX10,\n\t\t\t// ILCE-5000, DSC-RX100M4, DSC-RX10M2, DSC-RX10M3,\n\t\t\t// DSC-RX100M5, DSC-RX100M5A;\n\t\t\twidth -= height > 3664 ? 8 : 32;\n\n\t\t}\n\t\telse if (raw_width == 6048) {\n\t\t\t// Sony SLT-A65, DSC-RX1, SLT-A77, DSC-RX1, ILCA-77M2,\n\t\t\t// ILCE-7M3, NEX-7, SLT-A99, ILCE-7, DSC-RX1R, ILCE-6000,\n\t\t\t// ILCE-5100, ILCE-7M2, ILCA-68, ILCE-6300, ILCE-9,\n\t\t\t// ILCE-6500, ILCE-6400;\n\t\t\twidth -= 24;\n\t\t\tif (strstr(normalized_model, \"RX1\") ||\n\t\t\t\tstrstr(normalized_model, \"A99\"))\n\t\t\t\twidth -= 6;\n\n\t\t}\n\t\telse if (raw_width == 7392) { // Sony ILCE-7R;\n\t\t\twidth -= 30;\n\n\t\t}\n\t\telse if (raw_width == 8000) {\n\t\t\t// Sony ILCE-7RM2, ILCE-7RM2, ILCE-7RM3, DSC-RX1RM2, ILCA-99M2;\n\t\t\twidth -= 32;\n\n\t\t}\n\t\telse if (raw_width == 9600) { // Sony ILCE-7RM4\n\t\t\twidth -= 32;\n\n\t\t}\n\t\telse if (!strcmp(model, \"DSLR-A100\")) {\n\t\t\tif (width == 3880) {\n\t\t\t\theight--;\n\t\t\t\twidth = ++raw_width;\n\t\t\t}\n\t\t\telse {\n\t\t\t\theight -= 4;\n\t\t\t\twidth -= 4;\n\t\t\t\torder = 0x4d4d;\n\t\t\t\tload_flags = 2;\n\t\t\t}\n\t\t\tfilters = 0x61616161;\n\t\t}\n\t}\n\n\telse if (!strcmp(model, \"PIXL\")) {\n\t\theight -= top_margin = 4;\n\t\twidth -= left_margin = 32;\n\t\tgamma_curve(0, 7, 1, 255);\n\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Kodak)) {\n\n\t\tif (!strncasecmp(model, \"EasyShare\", 9)) 
{\n\t\t\tdata_offset = data_offset < 0x15000 ? 0x15000 : 0x17000;\n\t\t\tload_raw = &LibRaw::packed_load_raw;\n\n\t\t}\n\t\telse if (!strcmp(model, \"C603\") ||\n\t\t\t!strcmp(model, \"C330\") ||\n\t\t\t!strcmp(model, \"12MP\")) {\n\t\t\torder = 0x4949;\n\t\t\tif (filters && data_offset) {\n\t\t\t\tfseek(ifp, data_offset < 4096 ? 168 : 5252, SEEK_SET);\n\t\t\t\tread_shorts(curve, 256);\n\t\t\t}\n\t\t\telse\n\t\t\t\tgamma_curve(0, 3.875, 1, 255);\n\n\t\t\tload_raw = filters ? &LibRaw::eight_bit_load_raw\n\t\t\t\t: strcmp(model, \"C330\") ? &LibRaw::kodak_c603_load_raw\n\t\t\t\t: &LibRaw::kodak_c330_load_raw;\n\t\t\tload_flags = tiff_bps > 16;\n\t\t\ttiff_bps = 8;\n\n\t\t}\n\t\telse {\n\t\t\tif (!strncmp(model, \"NC2000\", 6) ||\n\t\t\t\t!strncmp(model, \"EOSDCS\", 6) ||\n\t\t\t\t!strncmp(model, \"DCS4\", 4)) {\n\t\t\t\twidth -= 4;\n\t\t\t\tleft_margin = 2;\n\n\t\t\t}\n\t\t\telse if (!strcmp(model, \"DCS660M\")) {\n\t\t\t\tblack = 214;\n\n\t\t\t}\n\t\t\telse if (!strcmp(model, \"EOS D2000C\")) {\n\t\t\t\tfilters = 0x61616161;\n\t\t\t\tif (!black) black = curve[200];\n\t\t\t}\n\n\t\t\tif (filters == UINT_MAX) filters = 0x61616161;\n\n\t\t\tif (!strcmp(model + 4, \"20X\"))\n\t\t\t\tstrcpy(cdesc, \"MYCY\");\n\t\t\tif (!strcmp(model, \"DC25\")) {\n\t\t\t\tdata_offset = 15424;\n\t\t\t}\n\n\t\t\tif (!strncmp(model, \"DC2\", 3)) {\n\t\t\t\traw_height = 2 + (height = 242);\n\t\t\t\tif (!strncmp(model, \"DC290\", 5))\n\t\t\t\t\tiso_speed = 100;\n\t\t\t\tif (!strncmp(model, \"DC280\", 5))\n\t\t\t\t\tiso_speed = 70;\n\t\t\t\tif (flen < 100000) {\n\t\t\t\t\traw_width = 256;\n\t\t\t\t\twidth = 249;\n\t\t\t\t\tpixel_aspect = (4.0 * height) / (3.0 * width);\n\t\t\t\t}\n\t\t\t\telse {\n\t\t\t\t\traw_width = 512;\n\t\t\t\t\twidth = 501;\n\t\t\t\t\tpixel_aspect = (493.0 * height) / (373.0 * width);\n\t\t\t\t}\n\t\t\t\ttop_margin = left_margin = 1;\n\t\t\t\tcolors = 4;\n\t\t\t\tfilters = 0x8d8d8d8d;\n\t\t\t\tsimple_coeff(1);\n\t\t\t\tpre_mul[1] = 1.179;\n\t\t\t\tpre_mul[2] = 
1.209;\n\t\t\t\tpre_mul[3] = 1.036;\n\t\t\t\tload_raw = &LibRaw::eight_bit_load_raw;\n\n\t\t\t}\n\t\t\telse if (!strcmp(model, \"DC40\")) {\n\t\t\t\theight = 512;\n\t\t\t\twidth = 768;\n\t\t\t\tdata_offset = 1152;\n\t\t\t\tload_raw = &LibRaw::kodak_radc_load_raw;\n\t\t\t\ttiff_bps = 12;\n\t\t\t\tFORC4 cam_mul[c] = 1.0f;\n\n\t\t\t}\n\t\t\telse if (!strcmp(model, \"DC50\")) {\n\t\t\t\theight = 512;\n\t\t\t\twidth = 768;\n\t\t\t\tiso_speed = 84;\n\t\t\t\tdata_offset = 19712;\n\t\t\t\tload_raw = &LibRaw::kodak_radc_load_raw;\n\t\t\t\tFORC4 cam_mul[c] = 1.0f;\n\n\t\t\t}\n\t\t\telse if (!strcmp(model, \"DC120\")) {\n\t\t\t\traw_height = height = 976;\n\t\t\t\traw_width = width = 848;\n\t\t\t\tiso_speed = 160;\n\t\t\t\tpixel_aspect = height / 0.75 / width;\n\t\t\t\tload_raw = tiff_compress == 7 ? &LibRaw::kodak_jpeg_load_raw\n\t\t\t\t\t: &LibRaw::kodak_dc120_load_raw;\n\n\t\t\t}\n\t\t\telse if (!strcmp(model, \"DCS200\")) {\n\t\t\t\tthumb_height = 128;\n\t\t\t\tthumb_width = 192;\n\t\t\t\tthumb_offset = 6144;\n\t\t\t\tthumb_misc = 360;\n\t\t\t\tiso_speed = 140;\n\t\t\t\twrite_thumb = &LibRaw::layer_thumb;\n\t\t\t\tblack = 17;\n\t\t\t}\n\t\t}\n\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Logitech) &&\n\t\t!strcmp(model, \"Fotoman Pixtura\")) {\n\t\theight = 512;\n\t\twidth = 768;\n\t\tdata_offset = 3632;\n\t\tload_raw = &LibRaw::kodak_radc_load_raw;\n\t\tfilters = 0x61616161;\n\t\tsimple_coeff(2);\n\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Apple) &&\n\t\t!strncmp(model, \"QuickTake\", 9)) {\n\t\tif (head[5])\n\t\t\tstrcpy(model + 10, \"200\");\n\t\tfseek(ifp, 544, SEEK_SET);\n\t\theight = get2();\n\t\twidth = get2();\n\t\tdata_offset = (get4(), get2()) == 30 ? 738 : 736;\n\t\tif (height > width) {\n\t\t\tSWAP(height, width);\n\t\t\tfseek(ifp, data_offset - 6, SEEK_SET);\n\t\t\tflip = ~get2() & 3 ? 
5 : 6;\n\t\t}\n\t\tfilters = 0x61616161;\n\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Rollei) &&\n\t\t!load_raw) {\n\t\tswitch (raw_width) {\n\t\tcase 1316: // Rollei d530flex\n\t\t\theight = 1030;\n\t\t\twidth = 1300;\n\t\t\ttop_margin = 1;\n\t\t\tleft_margin = 6;\n\t\t\tbreak;\n\t\tcase 2568:\n\t\t\theight = 1960;\n\t\t\twidth = 2560;\n\t\t\ttop_margin = 2;\n\t\t\tleft_margin = 8;\n\t\t}\n\t\tfilters = 0x16161616;\n\t\tload_raw = &LibRaw::rollei_load_raw;\n\n\t}\n\telse if (!strcmp(model, \"GRAS-50S5C\")) {\n\t\theight = 2048;\n\t\twidth = 2440;\n\t\tload_raw = &LibRaw::unpacked_load_raw;\n\t\tdata_offset = 0;\n\t\tfilters = 0x49494949;\n\t\torder = 0x4949;\n\t\tmaximum = 0xfffC;\n\n\t}\n\telse if (!strcmp(model, \"BB-500CL\")) {\n\t\theight = 2058;\n\t\twidth = 2448;\n\t\tload_raw = &LibRaw::unpacked_load_raw;\n\t\tdata_offset = 0;\n\t\tfilters = 0x94949494;\n\t\torder = 0x4949;\n\t\tmaximum = 0x3fff;\n\n\t}\n\telse if (!strcmp(model, \"BB-500GE\")) {\n\t\theight = 2058;\n\t\twidth = 2456;\n\t\tload_raw = &LibRaw::unpacked_load_raw;\n\t\tdata_offset = 0;\n\t\tfilters = 0x94949494;\n\t\torder = 0x4949;\n\t\tmaximum = 0x3fff;\n\n\t}\n\telse if (!strcmp(model, \"SVS625CL\")) {\n\t\theight = 2050;\n\t\twidth = 2448;\n\t\tload_raw = &LibRaw::unpacked_load_raw;\n\t\tdata_offset = 0;\n\t\tfilters = 0x94949494;\n\t\torder = 0x4949;\n\t\tmaximum = 0x0fff;\n\t}\n}", "project": "LibRaw", "hash": 335218431926478684904680552905371523580, "size": 1264, "commit_id": "4feaed4dea636cee4fee010f615881ccf76a096d", "message": "limit loops to MIN(colors,4) in dng fields parser", "target": 0, "dataset": "other", "idx": 482364 }, { "func": "static inline bool tcp_skb_is_last(const struct sock *sk,\n\t\t\t\t const struct sk_buff *skb)\n{\n\treturn skb_queue_is_last(&sk->sk_write_queue, skb);\n}", "project": "linux", "hash": 131067909928526394176127522559774317623, "size": 5, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in 
tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410721 }, { "func": "\nstatic void bfq_bfqq_handle_idle_busy_switch(struct bfq_data *bfqd,\n\t\t\t\t\t struct bfq_queue *bfqq,\n\t\t\t\t\t int old_wr_coeff,\n\t\t\t\t\t struct request *rq,\n\t\t\t\t\t bool *interactive)\n{\n\tbool soft_rt, in_burst,\twr_or_deserves_wr,\n\t\tbfqq_wants_to_preempt,\n\t\tidle_for_long_time = bfq_bfqq_idle_for_long_time(bfqd, bfqq),\n\t\t/*\n\t\t * See the comments on\n\t\t * bfq_bfqq_update_budg_for_activation for\n\t\t * details on the usage of the next variable.\n\t\t */\n\t\tarrived_in_time = ktime_get_ns() <=\n\t\t\tbfqq->ttime.last_end_request +\n\t\t\tbfqd->bfq_slice_idle * 3;\n\n\n\t/*\n\t * bfqq deserves to be weight-raised if:\n\t * - it is sync,\n\t * - it does not belong to a large burst,\n\t * - it has been idle for enough time or is soft real-time,\n\t * - is linked to a bfq_io_cq (it is not shared in any sense).\n\t */\n\tin_burst = bfq_bfqq_in_large_burst(bfqq);\n\tsoft_rt = bfqd->bfq_wr_max_softrt_rate > 0 &&\n\t\t!BFQQ_TOTALLY_SEEKY(bfqq) &&\n\t\t!in_burst &&\n\t\ttime_is_before_jiffies(bfqq->soft_rt_next_start) &&\n\t\tbfqq->dispatched == 0;\n\t*interactive = !in_burst && idle_for_long_time;\n\twr_or_deserves_wr = bfqd->low_latency &&\n\t\t(bfqq->wr_coeff > 1 ||\n\t\t (bfq_bfqq_sync(bfqq) &&\n\t\t bfqq->bic && (*interactive || soft_rt)));\n\n\t/*\n\t * Using the last flag, update budget and check whether bfqq\n\t * may want to preempt the in-service queue.\n\t */\n\tbfqq_wants_to_preempt =\n\t\tbfq_bfqq_update_budg_for_activation(bfqd, bfqq,\n\t\t\t\t\t\t arrived_in_time);\n\n\t/*\n\t * If bfqq happened to be activated in a burst, but has been\n\t * idle for much more than an interactive queue, then we\n\t * assume that, in the overall I/O initiated in the burst, the\n\t * I/O associated with bfqq is finished. So bfqq does not need\n\t * to be treated as a queue belonging to a burst\n\t * anymore. 
Accordingly, we reset bfqq's in_large_burst flag\n\t * if set, and remove bfqq from the burst list if it's\n\t * there. We do not decrement burst_size, because the fact\n\t * that bfqq does not need to belong to the burst list any\n\t * more does not invalidate the fact that bfqq was created in\n\t * a burst.\n\t */\n\tif (likely(!bfq_bfqq_just_created(bfqq)) &&\n\t idle_for_long_time &&\n\t time_is_before_jiffies(\n\t\t bfqq->budget_timeout +\n\t\t msecs_to_jiffies(10000))) {\n\t\thlist_del_init(&bfqq->burst_list_node);\n\t\tbfq_clear_bfqq_in_large_burst(bfqq);\n\t}\n\n\tbfq_clear_bfqq_just_created(bfqq);\n\n\n\tif (!bfq_bfqq_IO_bound(bfqq)) {\n\t\tif (arrived_in_time) {\n\t\t\tbfqq->requests_within_timer++;\n\t\t\tif (bfqq->requests_within_timer >=\n\t\t\t bfqd->bfq_requests_within_timer)\n\t\t\t\tbfq_mark_bfqq_IO_bound(bfqq);\n\t\t} else\n\t\t\tbfqq->requests_within_timer = 0;\n\t}\n\n\tif (bfqd->low_latency) {\n\t\tif (unlikely(time_is_after_jiffies(bfqq->split_time)))\n\t\t\t/* wraparound */\n\t\t\tbfqq->split_time =\n\t\t\t\tjiffies - bfqd->bfq_wr_min_idle_time - 1;\n\n\t\tif (time_is_before_jiffies(bfqq->split_time +\n\t\t\t\t\t bfqd->bfq_wr_min_idle_time)) {\n\t\t\tbfq_update_bfqq_wr_on_rq_arrival(bfqd, bfqq,\n\t\t\t\t\t\t\t old_wr_coeff,\n\t\t\t\t\t\t\t wr_or_deserves_wr,\n\t\t\t\t\t\t\t *interactive,\n\t\t\t\t\t\t\t in_burst,\n\t\t\t\t\t\t\t soft_rt);\n\n\t\t\tif (old_wr_coeff != bfqq->wr_coeff)\n\t\t\t\tbfqq->entity.prio_changed = 1;\n\t\t}\n\t}\n\n\tbfqq->last_idle_bklogged = jiffies;\n\tbfqq->service_from_backlogged = 0;\n\tbfq_clear_bfqq_softrt_update(bfqq);\n\n\tbfq_add_bfqq_busy(bfqd, bfqq);\n\n\t/*\n\t * Expire in-service queue only if preemption may be needed\n\t * for guarantees. In particular, we care only about two\n\t * cases. The first is that bfqq has to recover a service\n\t * hole, as explained in the comments on\n\t * bfq_bfqq_update_budg_for_activation(), i.e., that\n\t * bfqq_wants_to_preempt is true. 
However, if bfqq does not\n\t * carry time-critical I/O, then bfqq's bandwidth is less\n\t * important than that of queues that carry time-critical I/O.\n\t * So, as a further constraint, we consider this case only if\n\t * bfqq is at least as weight-raised, i.e., at least as time\n\t * critical, as the in-service queue.\n\t *\n\t * The second case is that bfqq is in a higher priority class,\n\t * or has a higher weight than the in-service queue. If this\n\t * condition does not hold, we don't care because, even if\n\t * bfqq does not start to be served immediately, the resulting\n\t * delay for bfqq's I/O is however lower or much lower than\n\t * the ideal completion time to be guaranteed to bfqq's I/O.\n\t *\n\t * In both cases, preemption is needed only if, according to\n\t * the timestamps of both bfqq and of the in-service queue,\n\t * bfqq actually is the next queue to serve. So, to reduce\n\t * useless preemptions, the return value of\n\t * next_queue_may_preempt() is considered in the next compound\n\t * condition too. Yet next_queue_may_preempt() just checks a\n\t * simple, necessary condition for bfqq to be the next queue\n\t * to serve. 
In fact, to evaluate a sufficient condition, the\n\t * timestamps of the in-service queue would need to be\n\t * updated, and this operation is quite costly (see the\n\t * comments on bfq_bfqq_update_budg_for_activation()).\n\t */\n\tif (bfqd->in_service_queue &&\n\t ((bfqq_wants_to_preempt &&\n\t bfqq->wr_coeff >= bfqd->in_service_queue->wr_coeff) ||\n\t bfq_bfqq_higher_class_or_weight(bfqq, bfqd->in_service_queue)) &&\n\t next_queue_may_preempt(bfqd))\n\t\tbfq_bfqq_expire(bfqd, bfqd->in_service_queue,\n\t\t\t\tfalse, BFQQE_PREEMPTED);", "project": "linux", "hash": 43693643734079294685948446733890553412, "size": 147, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453302 }, { "func": "bool dbug_user_var_equals_int(THD *thd, const char *name, int value)\n{\n user_var_entry *var;\n LEX_CSTRING varname= { name, strlen(name)};\n if ((var= get_variable(&thd->user_vars, &varname, FALSE)))\n {\n bool null_value;\n longlong var_value= var->val_int(&null_value);\n if (!null_value && var_value == value)\n return TRUE;\n }\n return FALSE;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 260349548041902620647118328421260770343, "size": 13, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508670 }, { "func": "static int nfs41_open_expired(struct nfs4_state_owner *sp, struct nfs4_state *state)\n{\n\tint status;\n\n\tstatus = nfs41_check_delegation_stateid(state);\n\tif (status != NFS_OK)\n\t\treturn status;\n\tnfs41_delegation_recover_stateid(state);\n\n\tstatus = nfs41_check_expired_locks(state);\n\tif (status != NFS_OK)\n\t\treturn status;\n\tstatus = nfs41_check_open_stateid(state);\n\tif (status != NFS_OK)\n\t\tstatus = nfs4_open_expired(sp, state);\n\treturn status;\n}", "project": "linux", "hash": 222191157532242558248930986436129464015, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431544 }, { "func": " Item_string_with_introducer(THD *thd, const char *name_arg,\n const char *str, uint length, CHARSET_INFO *tocs):\n 
Item_string(thd, name_arg, str, length, tocs)\n { }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 93234717829768750141444243398414428326, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508990 }, { "func": " Item_string(THD *thd, const char *str, uint length, CHARSET_INFO *cs,\n Derivation dv, uint repertoire): Item_basic_constant(thd)\n {\n str_value.set_or_copy_aligned(str, length, cs);\n fix_and_set_name_from_value(thd, dv, Metadata(&str_value, repertoire));\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 250299246678016922285984167384737069151, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509026 }, { "func": " Item_string_ascii(THD *thd, const char *str, uint length):\n Item_string(thd, str, length, &my_charset_latin1,\n DERIVATION_COERCIBLE, MY_REPERTOIRE_ASCII)\n { }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 337020910930886973644779169189455631430, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509042 }, { "func": " Item_string_with_introducer(THD *thd, const char *str, uint length,\n CHARSET_INFO *cs):\n Item_string(thd, str, length, cs)\n { }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 67860141309573963821434451256556700651, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509049 }, { "func": " Item_string_sys(THD *thd, const char *str, uint length):\n Item_string(thd, str, length, system_charset_info)\n { }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 148826800995720996988198775782625770982, "size": 3, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509235 }, { "func": " Item_string(THD *thd, const String *str, CHARSET_INFO *tocs, uint *conv_errors,\n Derivation dv, uint repertoire): Item_basic_constant(thd)\n {\n if (str_value.copy(str, tocs, conv_errors))\n str_value.set(\"\", 0, tocs); // EOM ?\n str_value.mark_as_const();\n fix_and_set_name_from_value(thd, dv, Metadata(&str_value, repertoire));\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 157217769601499101563430563940211132120, "size": 8, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509320 }, { "func": " Item_partition_func_safe_string(THD *thd, const char *name_arg, uint length,\n CHARSET_INFO *cs= NULL):\n Item_string(thd, name_arg, length, cs)\n {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 325770973356299969271524859150796924315, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509382 }, { "func": "bool JOIN::make_sum_func_list(List &field_list,\n List &send_result_set_metadata,\n\t\t\t bool before_group_by, bool recompute)\n{\n List_iterator_fast it(field_list);\n Item_sum **func;\n Item *item;\n DBUG_ENTER(\"make_sum_func_list\");\n\n if (*sum_funcs && !recompute)\n DBUG_RETURN(FALSE); /* We have already initialized sum_funcs. 
*/\n\n func= sum_funcs;\n while ((item=it++))\n {\n if (item->type() == Item::SUM_FUNC_ITEM && !item->const_item() &&\n (!((Item_sum*) item)->depended_from() ||\n ((Item_sum *)item)->depended_from() == select_lex))\n *func++= (Item_sum*) item;\n }\n if (before_group_by && rollup.state == ROLLUP::STATE_INITED)\n {\n rollup.state= ROLLUP::STATE_READY;\n if (rollup_make_fields(field_list, send_result_set_metadata, &func))\n DBUG_RETURN(TRUE);\t\t\t// Should never happen\n }\n else if (rollup.state == ROLLUP::STATE_NONE)\n {\n for (uint i=0 ; i <= send_group_parts ;i++)\n sum_funcs_end[i]= func;\n }\n else if (rollup.state == ROLLUP::STATE_READY)\n DBUG_RETURN(FALSE); // Don't put end marker\n *func=0;\t\t\t\t\t// End marker\n DBUG_RETURN(FALSE);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 257270389513267848700720823809258043058, "size": 36, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508521 }, { "func": "static inline bool kill_as_cred_perm(const struct cred *cred,\n\t\t\t\t struct task_struct *target)\n{\n\tconst struct cred *pcred = __task_cred(target);\n\n\treturn uid_eq(cred->euid, pcred->suid) ||\n\t uid_eq(cred->euid, pcred->uid) ||\n\t uid_eq(cred->uid, pcred->suid) ||\n\t uid_eq(cred->uid, pcred->uid);\n}", "project": "linux", "hash": 154532118437472241759476060484008246275, "size": 10, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375197 }, { "func": "int main(int argc, char **argv, char **envp)\n{\n // dynamically load shared library\n#ifdef DYNLOAD\n if (!uc_dyn_load(NULL, 0)) {\n printf(\"Error dynamically loading shared library.\\n\");\n printf(\"Please check that unicorn.dll/unicorn.so is available as well as\\n\");\n printf(\"any other dependent dll/so files.\\n\");\n printf(\"The easiest way is to place them in the same directory as this app.\\n\");\n return 1;\n }\n#endif\n \n test_arm();\n printf(\"==========================\\n\");\n test_thumb();\n\n // dynamically free shared library\n#ifdef DYNLOAD\n uc_dyn_free();\n#endif\n \n return 0;\n}", "project": "unicorn", "hash": 185725400238744388569454420547208561164, "size": 24, "commit_id": "bf1713d9e011b55ca1f502a6779fc4722b4bb077", "message": "Add arm ite blocks samples from #853 (#1381)", "target": 1, "dataset": "other", "idx": 214241 }, { "func": "int main(int argc, char **argv)\n{\n StrList **depend_ptr;\n\n timestamp();\n\n iflag_set_default_cpu(&cpu);\n iflag_set_default_cpu(&cmd_cpu);\n\n pass0 = 0;\n want_usage = terminate_after_phase = false;\n nasm_set_verror(nasm_verror_gnu);\n\n error_file = stderr;\n\n tolower_init();\n src_init();\n\n /*\n * We must call init_labels() before the command line parsing,\n * because we may be setting prefixes/suffixes from the command\n * line.\n */\n init_labels();\n\n offsets = raa_init();\n forwrefs = saa_init((int32_t)sizeof(struct forwrefinfo));\n\n preproc = &nasmpp;\n operating_mode = OP_NORMAL;\n\n 
parse_cmdline(argc, argv, 1);\n if (terminate_after_phase) {\n if (want_usage)\n usage();\n return 1;\n }\n\n /*\n * Define some macros dependent on the runtime, but not\n * on the command line (as those are scanned in cmdline pass 2.)\n */\n preproc->init();\n define_macros_early();\n\n parse_cmdline(argc, argv, 2);\n if (terminate_after_phase) {\n if (want_usage)\n usage();\n return 1;\n }\n\n /* Save away the default state of warnings */\n memcpy(warning_state_init, warning_state, sizeof warning_state);\n\n if (!using_debug_info) {\n /* No debug info, redirect to the null backend (empty stubs) */\n dfmt = &null_debug_form;\n } else if (!debug_format) {\n /* Default debug format for this backend */\n\tdfmt = ofmt->default_dfmt;\n } else {\n dfmt = dfmt_find(ofmt, debug_format);\n if (!dfmt) {\n nasm_fatal(ERR_NOFILE | ERR_USAGE,\n \"unrecognized debug format `%s' for\"\n \" output format `%s'\",\n debug_format, ofmt->shortname);\n }\n }\n\n if (ofmt->stdmac)\n preproc->extra_stdmac(ofmt->stdmac);\n\n /*\n * If no output file name provided and this\n * is a preprocess mode, we're perfectly\n * fine to output into stdout.\n */\n if (!outname) {\n if (!(operating_mode & OP_PREPROCESS))\n outname = filename_set_extension(inname, ofmt->extension);\n }\n\n /* define some macros dependent of command-line */\n define_macros_late();\n\n depend_ptr = (depend_file || (operating_mode & OP_DEPEND)) ? 
&depend_list : NULL;\n\n if (!depend_target)\n depend_target = quote_for_make(outname);\n\n if (operating_mode & OP_DEPEND) {\n char *line;\n\n if (depend_missing_ok)\n preproc->include_path(NULL); /* \"assume generated\" */\n\n preproc->reset(inname, 0, depend_ptr);\n ofile = NULL;\n while ((line = preproc->getline()))\n nasm_free(line);\n preproc->cleanup(0);\n } else if (operating_mode & OP_PREPROCESS) {\n char *line;\n const char *file_name = NULL;\n int32_t prior_linnum = 0;\n int lineinc = 0;\n\n if (outname) {\n ofile = nasm_open_write(outname, NF_TEXT);\n if (!ofile)\n nasm_fatal(ERR_NOFILE,\n \"unable to open output file `%s'\",\n outname);\n } else\n ofile = NULL;\n\n location.known = false;\n\n /* pass = 1; */\n preproc->reset(inname, 3, depend_ptr);\n\n\t /* Revert all warnings to the default state */\n\t memcpy(warning_state, warning_state_init, sizeof warning_state);\n\n while ((line = preproc->getline())) {\n /*\n * We generate %line directives if needed for later programs\n */\n int32_t linnum = prior_linnum += lineinc;\n int altline = src_get(&linnum, &file_name);\n if (altline) {\n if (altline == 1 && lineinc == 1)\n nasm_fputs(\"\", ofile);\n else {\n lineinc = (altline != -1 || lineinc != 1);\n fprintf(ofile ? ofile : stdout,\n \"%%line %\"PRId32\"+%d %s\\n\", linnum, lineinc,\n file_name);\n }\n prior_linnum = linnum;\n }\n nasm_fputs(line, ofile);\n nasm_free(line);\n }\n preproc->cleanup(0);\n if (ofile)\n fclose(ofile);\n if (ofile && terminate_after_phase && !keep_all)\n remove(outname);\n ofile = NULL;\n }\n\n if (operating_mode & OP_NORMAL) {\n ofile = nasm_open_write(outname, (ofmt->flags & OFMT_TEXT) ? 
NF_TEXT : NF_BINARY);\n if (!ofile)\n nasm_fatal(ERR_NOFILE,\n \"unable to open output file `%s'\", outname);\n\n ofmt->init();\n dfmt->init();\n\n assemble_file(inname, depend_ptr);\n\n if (!terminate_after_phase) {\n ofmt->cleanup();\n cleanup_labels();\n fflush(ofile);\n if (ferror(ofile)) {\n nasm_error(ERR_NONFATAL|ERR_NOFILE,\n \"write error on output file `%s'\", outname);\n terminate_after_phase = true;\n }\n }\n\n if (ofile) {\n fclose(ofile);\n if (terminate_after_phase && !keep_all)\n remove(outname);\n ofile = NULL;\n }\n }\n\n if (depend_list && !terminate_after_phase)\n emit_dependencies(depend_list);\n\n if (want_usage)\n usage();\n\n raa_free(offsets);\n saa_free(forwrefs);\n eval_cleanup();\n stdscan_cleanup();\n src_free();\n\n return terminate_after_phase;\n}", "project": "nasm", "hash": 252512517825300643734891795269975347323, "size": 198, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257468 }, { "func": "int main(int argc, char **argv) {\n\treturn all_tests();\n}", "project": "radare2", "hash": 208412567434597268551602527191903249877, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268826 }, { "func": "void main () {\n\tint ret;\n\tchar *p = r_socket_http_post (\"http://www.radare.org/y/index.php\", \"a=b\", &ret);\n\tprintf (\"%s\\n\", p);\n}", "project": "radare2", "hash": 269480592312528653470313216878448126592, "size": 5, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268958 }, { "func": "int main(void)\n{\nuschar buffer[256];\n\nprintf(\"Testing is_ip_address\\n\");\n\nwhile (fgets(CS buffer, sizeof(buffer), stdin) != NULL)\n {\n int offset;\n buffer[Ustrlen(buffer) - 1] = 0;\n printf(\"%d\\n\", string_is_ip_address(buffer, NULL));\n printf(\"%d %d %s\\n\", string_is_ip_address(buffer, &offset), offset, buffer);\n }\n\nprintf(\"Testing string_nextinlist\\n\");\n\nwhile (fgets(CS buffer, sizeof(buffer), stdin) != NULL)\n {\n uschar *list = buffer;\n uschar *lp1, *lp2;\n uschar item[256];\n int sep1 = 0;\n int sep2 = 0;\n\n if (*list == '<')\n {\n sep1 = sep2 = list[1];\n list += 2;\n }\n\n lp1 = lp2 = list;\n for (;;)\n {\n uschar *item1 = string_nextinlist(&lp1, &sep1, item, sizeof(item));\n uschar *item2 = string_nextinlist(&lp2, &sep2, NULL, 0);\n\n if (item1 == NULL && item2 == NULL) break;\n if (item == NULL || item2 == NULL || Ustrcmp(item1, item2) != 0)\n {\n printf(\"***ERROR\\nitem1=\\\"%s\\\"\\nitem2=\\\"%s\\\"\\n\",\n (item1 == NULL)? \"NULL\" : CS item1,\n (item2 == NULL)? \"NULL\" : CS item2);\n break;\n }\n else printf(\" \\\"%s\\\"\\n\", CS item1);\n }\n }\n\n/* This is a horrible lash-up, but it serves its purpose. 
*/\n\nprintf(\"Testing string_format\\n\");\n\nwhile (fgets(CS buffer, sizeof(buffer), stdin) != NULL)\n {\n void *args[3];\n long long llargs[3];\n double dargs[3];\n int dflag = 0;\n int llflag = 0;\n int n = 0;\n int count;\n int countset = 0;\n uschar format[256];\n uschar outbuf[256];\n uschar *s;\n buffer[Ustrlen(buffer) - 1] = 0;\n\n s = Ustrchr(buffer, ',');\n if (s == NULL) s = buffer + Ustrlen(buffer);\n\n Ustrncpy(format, buffer, s - buffer);\n format[s-buffer] = 0;\n\n if (*s == ',') s++;\n\n while (*s != 0)\n {\n uschar *ss = s;\n s = Ustrchr(ss, ',');\n if (s == NULL) s = ss + Ustrlen(ss);\n\n if (isdigit(*ss))\n {\n Ustrncpy(outbuf, ss, s-ss);\n if (Ustrchr(outbuf, '.') != NULL)\n {\n dflag = 1;\n dargs[n++] = Ustrtod(outbuf, NULL);\n }\n else if (Ustrstr(outbuf, \"ll\") != NULL)\n {\n llflag = 1;\n llargs[n++] = strtoull(CS outbuf, NULL, 10);\n }\n else\n {\n args[n++] = (void *)Uatoi(outbuf);\n }\n }\n\n else if (Ustrcmp(ss, \"*\") == 0)\n {\n args[n++] = (void *)(&count);\n countset = 1;\n }\n\n else\n {\n uschar *sss = malloc(s - ss + 1);\n Ustrncpy(sss, ss, s-ss);\n args[n++] = sss;\n }\n\n if (*s == ',') s++;\n }\n\n if (!dflag && !llflag)\n printf(\"%s\\n\", string_format(outbuf, sizeof(outbuf), CS format,\n args[0], args[1], args[2])? \"True\" : \"False\");\n\n else if (dflag)\n printf(\"%s\\n\", string_format(outbuf, sizeof(outbuf), CS format,\n dargs[0], dargs[1], dargs[2])? \"True\" : \"False\");\n\n else printf(\"%s\\n\", string_format(outbuf, sizeof(outbuf), CS format,\n llargs[0], llargs[1], llargs[2])? \"True\" : \"False\");\n\n printf(\"%s\\n\", CS outbuf);\n if (countset) printf(\"count=%d\\n\", count);\n }\n\nreturn 0;\n}", "project": "exim", "hash": 12004623687539338572280642470549622982, "size": 133, "commit_id": "24c929a27415c7cfc7126c47e4cad39acf3efa6b", "message": "Buffer overrun fix. 
fixes: bug #787", "target": 0, "dataset": "other", "idx": 301219 }, { "func": "l_int32 main(int argc,\n char **argv)\n{\nL_DEWARP *dew1, *dew2;\nL_DEWARPA *dewa;\nPIX *pixs, *pixn, *pixg, *pixb, *pixd, *pixt1, *pixt2;\nPIX *pixs2, *pixn2, *pixg2, *pixb2, *pixd2;\n\n setLeptDebugOK(1);\n lept_mkdir(\"lept/model\");\n lept_rmdir(\"lept/dewmod\");\n lept_mkdir(\"lept/dewmod\");\n\n/* pixs = pixRead(\"1555.007.jpg\"); */\n pixs = pixRead(\"cat.035.jpg\");\n/* pixs = pixRead(\"cat.010.jpg\"); */\n\n /* Normalize for varying background and binarize */\n pixn = pixBackgroundNormSimple(pixs, NULL, NULL);\n pixg = pixConvertRGBToGray(pixn, 0.5, 0.3, 0.2);\n pixb = pixThresholdToBinary(pixg, 130);\n\n /* Run the basic functions */\n dewa = dewarpaCreate(2, 30, 1, 10, 30);\n dewarpaUseBothArrays(dewa, 1);\n dew1 = dewarpCreate(pixb, 35);\n dewarpaInsertDewarp(dewa, dew1);\n dewarpBuildPageModel(dew1, \"/tmp/lept/model/dewarp_model1.pdf\");\n dewarpaApplyDisparity(dewa, 35, pixg, 200, 0, 0, &pixd,\n \"/tmp/lept/model/dewarp_apply1.pdf\");\n\n /* Write out some of the files to be imaged */\n lept_rmdir(\"lept/dewtest\");\n lept_mkdir(\"lept/dewtest\");\n pixWrite(\"/tmp/lept/dewtest/001.jpg\", pixs, IFF_JFIF_JPEG);\n pixWrite(\"/tmp/lept/dewtest/002.jpg\", pixn, IFF_JFIF_JPEG);\n pixWrite(\"/tmp/lept/dewtest/003.jpg\", pixg, IFF_JFIF_JPEG);\n pixWrite(\"/tmp/lept/dewtest/004.png\", pixb, IFF_TIFF_G4);\n pixWrite(\"/tmp/lept/dewtest/005.jpg\", pixd, IFF_JFIF_JPEG);\n pixt1 = pixRead(\"/tmp/lept/dewmod/0020.png\");\n pixWrite(\"/tmp/lept/dewtest/006.png\", pixt1, IFF_PNG);\n pixDestroy(&pixt1);\n pixt1 = pixRead(\"/tmp/lept/dewmod/0030.png\");\n pixWrite(\"/tmp/lept/dewtest/007.png\", pixt1, IFF_PNG);\n pixDestroy(&pixt1);\n pixt1 = pixRead(\"/tmp/lept/dewmod/0060.png\");\n pixWrite(\"/tmp/lept/dewtest/008.png\", pixt1, IFF_PNG);\n pixDestroy(&pixt1);\n pixt1 = pixRead(\"/tmp/lept/dewmod/0070.png\");\n pixWrite(\"/tmp/lept/dewtest/009.png\", pixt1, IFF_PNG);\n 
pixDestroy(&pixt1);\n pixt1 = pixRead(\"/tmp/lept/dewapply/002.png\");\n pixWrite(\"/tmp/lept/dewtest/010.png\", pixt1, IFF_PNG);\n pixDestroy(&pixt1);\n pixt1 = pixRead(\"/tmp/lept/dewapply/003.png\");\n pixWrite(\"/tmp/lept/dewtest/011.png\", pixt1, IFF_PNG);\n pixt2 = pixThresholdToBinary(pixt1, 130);\n pixWrite(\"/tmp/lept/dewtest/012.png\", pixt2, IFF_TIFF_G4);\n pixDestroy(&pixt1);\n pixDestroy(&pixt2);\n pixt1 = pixRead(\"/tmp/lept/dewmod/0041.png\");\n pixWrite(\"/tmp/lept/dewtest/013.png\", pixt1, IFF_PNG);\n pixDestroy(&pixt1);\n pixt1 = pixRead(\"/tmp/lept/dewmod/0042.png\");\n pixWrite(\"/tmp/lept/dewtest/014.png\", pixt1, IFF_PNG);\n pixDestroy(&pixt1);\n pixt1 = pixRead(\"/tmp/lept/dewmod/0051.png\");\n pixWrite(\"/tmp/lept/dewtest/015.png\", pixt1, IFF_PNG);\n pixDestroy(&pixt1);\n pixt1 = pixRead(\"/tmp/lept/dewmod/0052.png\");\n pixWrite(\"/tmp/lept/dewtest/016.png\", pixt1, IFF_PNG);\n pixDestroy(&pixt1);\n\n /* Normalize another image, that may not have enough textlines\n * to build an accurate model */\n/* pixs2 = pixRead(\"1555.003.jpg\"); */\n pixs2 = pixRead(\"cat.007.jpg\");\n/* pixs2 = pixRead(\"cat.014.jpg\"); */\n pixn2 = pixBackgroundNormSimple(pixs2, NULL, NULL);\n pixg2 = pixConvertRGBToGray(pixn2, 0.5, 0.3, 0.2);\n pixb2 = pixThresholdToBinary(pixg2, 130);\n\n /* Apply the previous disparity model to this image */\n dew2 = dewarpCreate(pixb2, 7);\n dewarpaInsertDewarp(dewa, dew2);\n dewarpaInsertRefModels(dewa, 0, 1);\n dewarpaInfo(stderr, dewa);\n dewarpaApplyDisparity(dewa, 7, pixg2, 200, 0, 0, &pixd2,\n \"/tmp/lept/model/dewarp_apply2.pdf\");\n dewarpaDestroy(&dewa);\n\n /* Write out files for the second image */\n pixWrite(\"/tmp/lept/dewtest/017.jpg\", pixs2, IFF_JFIF_JPEG);\n pixWrite(\"/tmp/lept/dewtest/018.jpg\", pixg2, IFF_JFIF_JPEG);\n pixWrite(\"/tmp/lept/dewtest/019.png\", pixb2, IFF_TIFF_G4);\n pixWrite(\"/tmp/lept/dewtest/020.jpg\", pixd2, IFF_JFIF_JPEG);\n pixt1 = pixRead(\"/tmp/lept/dewmod/0060.png\");\n 
pixWrite(\"/tmp/lept/dewtest/021.png\", pixt1, IFF_PNG);\n pixDestroy(&pixt1);\n pixt1 = pixRead(\"/tmp/lept/dewapply/002.png\");\n pixWrite(\"/tmp/lept/dewtest/022.png\", pixt1, IFF_PNG);\n pixt2 = pixThresholdToBinary(pixt1, 130);\n pixWrite(\"/tmp/lept/dewtest/023.png\", pixt2, IFF_TIFF_G4);\n pixDestroy(&pixt1);\n pixDestroy(&pixt2);\n pixt1 = pixRead(\"/tmp/lept/dewmod/0070.png\");\n pixWrite(\"/tmp/lept/dewtest/024.png\", pixt1, IFF_PNG);\n pixDestroy(&pixt1);\n pixt1 = pixRead(\"/tmp/lept/dewapply/003.png\");\n pixWrite(\"/tmp/lept/dewtest/025.png\", pixt1, IFF_PNG);\n pixt2 = pixThresholdToBinary(pixt1, 130);\n pixWrite(\"/tmp/lept/dewtest/026.png\", pixt2, IFF_TIFF_G4);\n pixDestroy(&pixt1);\n pixDestroy(&pixt2);\n\n /* Generate the big pdf file */\n convertFilesToPdf(\"/tmp/lept/dewtest\", NULL, 135, 1.0, 0, 0, \"Dewarp Test\",\n \"/tmp/lept/dewarptest1.pdf\");\n lept_stderr(\"pdf file made: /tmp/lept/model/dewarptest1.pdf\\n\");\n\n pixDestroy(&pixs);\n pixDestroy(&pixn);\n pixDestroy(&pixg);\n pixDestroy(&pixb);\n pixDestroy(&pixd);\n pixDestroy(&pixs2);\n pixDestroy(&pixn2);\n pixDestroy(&pixg2);\n pixDestroy(&pixb2);\n pixDestroy(&pixd2);\n return 0;\n}", "project": "leptonica", "hash": 88282334964305976471566982983573332373, "size": 132, "commit_id": "5ba34b1fe741d69d43a6c8cf767756997eadd87c", "message": "Issue 23654 in oss-fuzz: Heap-buffer-overflow in pixReadFromTiffStream\n * Increase scanline buffer for reading gray+alpha and converting to RGBA", "target": 0, "dataset": "other", "idx": 350356 }, { "func": "int main(int argc, const char **argv) // ignore_convention\n{\n#if defined(CONF_FAMILY_WINDOWS)\n\tfor(int i = 1; i < argc; i++) // ignore_convention\n\t{\n\t\tif(str_comp(\"-s\", argv[i]) == 0 || str_comp(\"--silent\", argv[i]) == 0) // ignore_convention\n\t\t{\n\t\t\tShowWindow(GetConsoleWindow(), SW_HIDE);\n\t\t\tbreak;\n\t\t}\n\t}\n#endif\n\n\tbool UseDefaultConfig = false;\n\tfor(int i = 1; i < argc; i++) // 
ignore_convention\n\t{\n\t\tif(str_comp(\"-d\", argv[i]) == 0 || str_comp(\"--default\", argv[i]) == 0) // ignore_convention\n\t\t{\n\t\t\tUseDefaultConfig = true;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif(secure_random_init() != 0)\n\t{\n\t\tdbg_msg(\"secure\", \"could not initialize secure RNG\");\n\t\treturn -1;\n\t}\n\n\tCServer *pServer = CreateServer();\n\tIKernel *pKernel = IKernel::Create();\n\n\t// create the components\n\tint FlagMask = CFGFLAG_SERVER|CFGFLAG_ECON;\n\tIEngine *pEngine = CreateEngine(\"Teeworlds_Server\");\n\tIEngineMap *pEngineMap = CreateEngineMap();\n\tIGameServer *pGameServer = CreateGameServer();\n\tIConsole *pConsole = CreateConsole(CFGFLAG_SERVER|CFGFLAG_ECON);\n\tIEngineMasterServer *pEngineMasterServer = CreateEngineMasterServer();\n\tIStorage *pStorage = CreateStorage(\"Teeworlds\", IStorage::STORAGETYPE_SERVER, argc, argv); // ignore_convention\n\tIConfigManager *pConfigManager = CreateConfigManager();\n\n\tpServer->InitRegister(&pServer->m_NetServer, pEngineMasterServer, pConfigManager->Values(), pConsole);\n\n\t{\n\t\tbool RegisterFail = false;\n\n\t\tRegisterFail = RegisterFail || !pKernel->RegisterInterface(pServer); // register as both\n\t\tRegisterFail = RegisterFail || !pKernel->RegisterInterface(pEngine);\n\t\tRegisterFail = RegisterFail || !pKernel->RegisterInterface(static_cast(pEngineMap)); // register as both\n\t\tRegisterFail = RegisterFail || !pKernel->RegisterInterface(static_cast(pEngineMap));\n\t\tRegisterFail = RegisterFail || !pKernel->RegisterInterface(pGameServer);\n\t\tRegisterFail = RegisterFail || !pKernel->RegisterInterface(pConsole);\n\t\tRegisterFail = RegisterFail || !pKernel->RegisterInterface(pStorage);\n\t\tRegisterFail = RegisterFail || !pKernel->RegisterInterface(pConfigManager);\n\t\tRegisterFail = RegisterFail || !pKernel->RegisterInterface(static_cast(pEngineMasterServer)); // register as both\n\t\tRegisterFail = RegisterFail || 
!pKernel->RegisterInterface(static_cast(pEngineMasterServer));\n\n\t\tif(RegisterFail)\n\t\t\treturn -1;\n\t}\n\n\tpEngine->Init();\n\tpConfigManager->Init(FlagMask);\n\tpConsole->Init();\n\tpEngineMasterServer->Init();\n\tpEngineMasterServer->Load();\n\n\tpServer->InitInterfaces(pConfigManager->Values(), pConsole, pGameServer, pEngineMap, pStorage);\n\tif(!UseDefaultConfig)\n\t{\n\t\t// register all console commands\n\t\tpServer->RegisterCommands();\n\n\t\t// execute autoexec file\n\t\tpConsole->ExecuteFile(\"autoexec.cfg\");\n\n\t\t// parse the command line arguments\n\t\tif(argc > 1) // ignore_convention\n\t\t\tpConsole->ParseArguments(argc-1, &argv[1]); // ignore_convention\n\t}\n\n\t// restore empty config strings to their defaults\n\tpConfigManager->RestoreStrings();\n\n\tpEngine->InitLogfile();\n\n\tpServer->InitRconPasswordIfUnset();\n\n\t// run the server\n\tdbg_msg(\"server\", \"starting...\");\n\tint Ret = pServer->Run();\n\n\t// free\n\tdelete pServer;\n\tdelete pKernel;\n\tdelete pEngine;\n\tdelete pEngineMap;\n\tdelete pGameServer;\n\tdelete pConsole;\n\tdelete pEngineMasterServer;\n\tdelete pStorage;\n\tdelete pConfigManager;\n\n\treturn Ret;\n}", "project": "teeworlds", "hash": 295896773299094728069154861929994685366, "size": 106, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 381987 }, { "func": "int main(int argc, char *argv[])\n{\n\tstruct libmnt_test tss[] = {\n\t\t{ \"--append\", test_append, \" [] append value to optstr\" },\n\t\t{ \"--prepend\",test_prepend,\" [] prepend value to optstr\" },\n\t\t{ \"--set\", test_set, \" [] (un)set value\" },\n\t\t{ \"--get\", test_get, \" search name in optstr\" },\n\t\t{ \"--remove\", test_remove, \" remove name in optstr\" },\n\t\t{ \"--dedup\", test_dedup, \" deduplicate name in optstr\" },\n\t\t{ \"--split\", test_split, \" split into FS, VFS and userspace\" },\n\t\t{ \"--flags\", test_flags, \" convert options to MS_* 
flags\" },\n\t\t{ \"--apply\", test_apply, \"--{linux,user} apply mask to optstr\" },\n\t\t{ \"--fix\", test_fix, \" fix uid=, gid=, user, and context=\" },\n\n\t\t{ NULL }\n\t};\n\treturn mnt_run_test(tss, argc, argv);\n}", "project": "util-linux", "hash": 110146862383382127192665294130977736903, "size": 18, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410404 }, { "func": "int main(int argc, char* argv[])\n{\n\tint option_index = 0;\n\tint opt, result;\n\n\tchar* in_path = NULL;\n\tchar* out_path = NULL;\n\tchar* file_pin = NULL;\n\n\tif (argc == 1)\n\t{\n\t\tusage();\n\t\texit(0);\n\t}\n\n\twhile ((opt = getopt_long(argc, argv, \"hv\", long_options, &option_index)) != -1)\n\t{\n\t\tswitch (opt)\n\t\t{\n\t\t\tcase OPT_IN:\n\t\t\t\tin_path = optarg;\n\t\t\t\tbreak;\n\t\t\tcase OPT_OUT:\n\t\t\t\tout_path = optarg;\n\t\t\t\tbreak;\n\t\t\tcase OPT_PIN:\n\t\t\t\tfile_pin = optarg;\n\t\t\t\tbreak;\n\t\t\tcase OPT_VERSION:\n\t\t\tcase 'v':\n\t\t\t\tprintf(\"%s\\n\", PACKAGE_VERSION);\n\t\t\t\texit(0);\n\t\t\t\tbreak;\n\t\t\tcase OPT_HELP:\n\t\t\tcase 'h':\n\t\t\tdefault:\n\t\t\t\tusage();\n\t\t\t\texit(0);\n\t\t\t\tbreak;\n\t\t}\n\t}\n\n\t// We should convert to PKCS#8\n\tresult = to_pkcs8(in_path, out_path, file_pin);\n\n\treturn result;\n}", "project": "SoftHSMv2", "hash": 253868811509797186947730426118800546671, "size": 47, "commit_id": "492447cd4a2be449e99fb9ad2519ea3277aaad28", "message": "SUPPORT-136: softhsm2-keyconv creates files with sensitive material in insecure way.", "target": 0, "dataset": "other", "idx": 452352 }, { "func": "int main(int argc, char** argv){\n#if !HAVE_DECL_OPTARG\n\textern char *optarg;\n\textern int optind;\n#endif\n\tconst char *outfilename = NULL;\n\tT2P *t2p = NULL;\n\tTIFF *input = 
NULL, *output = NULL;\n\tint c, ret = EXIT_SUCCESS;\n\n\tt2p = t2p_init();\n\n\tif (t2p == NULL){\n\t\tTIFFError(TIFF2PDF_MODULE, \"Can't initialize context\");\n\t\tgoto fail;\n\t}\n\n\twhile (argv &&\n\t (c = getopt(argc, argv,\n\t\t\t \"m:o:q:u:x:y:w:l:r:p:e:c:a:t:s:k:jzndifbhF\")) != -1){\n\t\tswitch (c) {\n\t\t\tcase 'm':\n\t\t\t\tt2p->tiff_maxdatasize = (tsize_t)strtoul(optarg, NULL, 0) << 20;\n\t\t\t\tbreak;\n\t\t\tcase 'o':\n\t\t\t\toutfilename = optarg;\n\t\t\t\tbreak;\n#ifdef JPEG_SUPPORT\n\t\t\tcase 'j': \n\t\t\t\tt2p->pdf_defaultcompression=T2P_COMPRESS_JPEG;\n\t\t\t\tbreak;\n#endif\n#ifndef JPEG_SUPPORT\n\t\t\tcase 'j': \n\t\t\t\tTIFFWarning(\n\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\"JPEG support in libtiff required for JPEG compression, ignoring option\");\n\t\t\t\tbreak;\n#endif\n#ifdef ZIP_SUPPORT\n\t\t\tcase 'z': \n\t\t\t\tt2p->pdf_defaultcompression=T2P_COMPRESS_ZIP;\n\t\t\t\tbreak;\n#endif\n#ifndef ZIP_SUPPORT\n\t\t\tcase 'z': \n\t\t\t\tTIFFWarning(\n\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\"Zip support in libtiff required for Zip compression, ignoring option\");\n\t\t\t\tbreak;\n#endif\n\t\t\tcase 'q': \n\t\t\t\tt2p->pdf_defaultcompressionquality=atoi(optarg);\n\t\t\t\tbreak;\n\t\t\tcase 'n': \n\t\t\t\tt2p->pdf_nopassthrough=1;\n\t\t\t\tbreak;\n\t\t\tcase 'd': \n\t\t\t\tt2p->pdf_defaultcompression=T2P_COMPRESS_NONE;\n\t\t\t\tbreak;\n\t\t\tcase 'u': \n\t\t\t\tif(optarg[0]=='m'){\n\t\t\t\t\tt2p->pdf_centimeters=1;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase 'x': \n\t\t\t\tt2p->pdf_defaultxres = \n\t\t\t\t\t(float)atof(optarg) / (t2p->pdf_centimeters?2.54F:1.0F);\n\t\t\t\tbreak;\n\t\t\tcase 'y': \n\t\t\t\tt2p->pdf_defaultyres = \n\t\t\t\t\t(float)atof(optarg) / (t2p->pdf_centimeters?2.54F:1.0F);\n\t\t\t\tbreak;\n\t\t\tcase 'w': \n\t\t\t\tt2p->pdf_overridepagesize=1;\n\t\t\t\tt2p->pdf_defaultpagewidth = \n\t\t\t\t\t((float)atof(optarg) * PS_UNIT_SIZE) / (t2p->pdf_centimeters?2.54F:1.0F);\n\t\t\t\tbreak;\n\t\t\tcase 'l': 
\n\t\t\t\tt2p->pdf_overridepagesize=1;\n\t\t\t\tt2p->pdf_defaultpagelength = \n\t\t\t\t\t((float)atof(optarg) * PS_UNIT_SIZE) / (t2p->pdf_centimeters?2.54F:1.0F);\n\t\t\t\tbreak;\n\t\t\tcase 'r': \n\t\t\t\tif(optarg[0]=='o'){\n\t\t\t\t\tt2p->pdf_overrideres=1;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase 'p': \n\t\t\t\tif(tiff2pdf_match_paper_size(\n\t\t\t\t\t&(t2p->pdf_defaultpagewidth), \n\t\t\t\t\t&(t2p->pdf_defaultpagelength), \n\t\t\t\t\toptarg)){\n\t\t\t\t\tt2p->pdf_overridepagesize=1;\n\t\t\t\t} else {\n\t\t\t\t\tTIFFWarning(TIFF2PDF_MODULE, \n\t\t\t\t\t\"Unknown paper size %s, ignoring option\",\n\t\t\t\t\t\toptarg);\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase 'i':\n\t\t\t\tt2p->pdf_colorspace_invert=1;\n\t\t\t\tbreak;\n\t\t\tcase 'F':\n\t\t\t\tt2p->pdf_image_fillpage = 1;\n\t\t\t\tbreak;\n\t\t\tcase 'f': \n\t\t\t\tt2p->pdf_fitwindow=1;\n\t\t\t\tbreak;\n\t\t\tcase 'e':\n\t\t\t\tif (strlen(optarg) == 0) {\n\t\t\t\t\tt2p->pdf_datetime[0] = '\\0';\n\t\t\t\t} else {\n\t\t\t\t\tt2p->pdf_datetime[0] = 'D';\n\t\t\t\t\tt2p->pdf_datetime[1] = ':';\n\t\t\t\t\tstrncpy(t2p->pdf_datetime + 2, optarg,\n\t\t\t\t\t\tsizeof(t2p->pdf_datetime) - 3);\n\t\t\t\t\tt2p->pdf_datetime[sizeof(t2p->pdf_datetime) - 1] = '\\0';\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase 'c': \n\t\t\t\tstrncpy(t2p->pdf_creator, optarg, sizeof(t2p->pdf_creator) - 1);\n\t\t\t\tt2p->pdf_creator[sizeof(t2p->pdf_creator) - 1] = '\\0';\n\t\t\t\tt2p->pdf_creator_set = 1;\n\t\t\t\tbreak;\n\t\t\tcase 'a': \n\t\t\t\tstrncpy(t2p->pdf_author, optarg, sizeof(t2p->pdf_author) - 1);\n\t\t\t\tt2p->pdf_author[sizeof(t2p->pdf_author) - 1] = '\\0';\n\t\t\t\tt2p->pdf_author_set = 1;\n\t\t\t\tbreak;\n\t\t\tcase 't': \n\t\t\t\tstrncpy(t2p->pdf_title, optarg, sizeof(t2p->pdf_title) - 1);\n\t\t\t\tt2p->pdf_title[sizeof(t2p->pdf_title) - 1] = '\\0';\n\t\t\t\tt2p->pdf_title_set = 1;\n\t\t\t\tbreak;\n\t\t\tcase 's': \n\t\t\t\tstrncpy(t2p->pdf_subject, optarg, sizeof(t2p->pdf_subject) - 1);\n\t\t\t\tt2p->pdf_subject[sizeof(t2p->pdf_subject) - 1] 
= '\\0';\n\t\t\t\tt2p->pdf_subject_set = 1;\n\t\t\t\tbreak;\n\t\t\tcase 'k': \n\t\t\t\tstrncpy(t2p->pdf_keywords, optarg, sizeof(t2p->pdf_keywords) - 1);\n\t\t\t\tt2p->pdf_keywords[sizeof(t2p->pdf_keywords) - 1] = '\\0';\n\t\t\t\tt2p->pdf_keywords_set = 1;\n\t\t\t\tbreak;\n\t\t\tcase 'b':\n\t\t\t\tt2p->pdf_image_interpolate = 1;\n\t\t\t\tbreak;\n\t\t\tcase 'h':\n\t\t\t\ttiff2pdf_usage(EXIT_SUCCESS);\n\t\t\t\tgoto success;\n\t\t\tcase '?':\n\t\t\t\ttiff2pdf_usage(EXIT_FAILURE);\n\t\t\t\tgoto fail;\n\t\t}\n\t}\n\n\t/*\n\t * Input\n\t */\n\tif(argc > optind) {\n\t\tinput = TIFFOpen(argv[optind++], \"r\");\n\t\tif (input==NULL) {\n\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t\t \"Can't open input file %s for reading\", \n\t\t\t\t argv[optind-1]);\n\t\t\tgoto fail;\n\t\t}\n\t} else {\n\t\tTIFFError(TIFF2PDF_MODULE, \"No input file specified\"); \n\t\ttiff2pdf_usage(EXIT_FAILURE);\n\t\tgoto fail;\n\t}\n\n\tif(argc > optind) {\n\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t \"No support for multiple input files\"); \n\t\ttiff2pdf_usage(EXIT_FAILURE);\n\t\tgoto fail;\n\t}\n\n\t/*\n\t * Output\n\t */\n\tt2p->outputdisable = 1;\n\tif (outfilename) {\n\t\tt2p->outputfile = fopen(outfilename, \"wb\");\n\t\tif (t2p->outputfile == NULL) {\n\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t \"Can't open output file %s for writing\",\n\t\t\t\t outfilename);\n\t\t\tgoto fail;\n\t\t}\n\t} else {\n\t\toutfilename = \"-\";\n\t\tt2p->outputfile = stdout;\n\t}\n\n\toutput = TIFFClientOpen(outfilename, \"w\", (thandle_t) t2p,\n\t\t\t\tt2p_readproc, t2p_writeproc, t2p_seekproc, \n\t\t\t\tt2p_closeproc, t2p_sizeproc, \n\t\t\t\tt2p_mapproc, t2p_unmapproc);\n\tt2p->outputdisable = 0;\n\tif (output == NULL) {\n\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t \"Can't initialize output descriptor\");\n\t\tgoto fail;\n\t}\n\t\n\t/*\n\t * Validate\n\t */\n\tt2p_validate(t2p);\n\tt2pSeekFile(output, (toff_t) 0, SEEK_SET);\n\n\t/*\n\t * Write\n\t */\n\tt2p_write_pdf(t2p, input, output);\n\tif (t2p->t2p_error != 0) 
{\n\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t \"An error occurred creating output PDF file\");\n\t\tgoto fail;\n\t}\n\n\tgoto success;\nfail:\n\tret = EXIT_FAILURE;\nsuccess:\n\tif(input != NULL)\n\t\tTIFFClose(input);\n\tif (output != NULL)\n\t\tTIFFClose(output);\n\tif (t2p != NULL)\n\t\tt2p_free(t2p);\n\treturn ret;\n \n}", "project": "libtiff", "hash": 80740232365350788199230677249283741306, "size": 238, "commit_id": "7be2e452ddcf6d7abca88f41d3761e6edab72b22", "message": "tiff2pdf.c: properly calculate datasize when saving to JPEG YCbCr\n\nfixes #220", "target": 0, "dataset": "other", "idx": 458972 }, { "func": "int main(int argc, char **argv, char **envp)\n{\n // dynamically load shared library\n#ifdef DYNLOAD\n if (!uc_dyn_load(NULL, 0)) {\n printf(\"Error dynamically loading shared library.\\n\");\n printf(\"Please check that unicorn.dll/unicorn.so is available as well as\\n\");\n printf(\"any other dependent dll/so files.\\n\");\n printf(\"The easiest way is to place them in the same directory as this app.\\n\");\n return 1;\n }\n#endif\n \n test_arm();\n printf(\"==========================\\n\");\n test_thumb();\n printf(\"==========================\\n\");\n test_thumb_ite();\n // dynamically free shared library\n#ifdef DYNLOAD\n uc_dyn_free();\n#endif\n \n return 0;\n}", "project": "unicorn", "hash": 168497872221435357783029447196663285853, "size": 25, "commit_id": "bf1713d9e011b55ca1f502a6779fc4722b4bb077", "message": "Add arm ite blocks samples from #853 (#1381)", "target": 0, "dataset": "other", "idx": 476899 }, { "func": "int main(int argc, char *argv[])\n{\n\tint opt;\n\tchar *line;\n\n\tprogname = basename(argv[0]);\n\n#if POSIXLY_CORRECT\n\tcmd_line_options = POSIXLY_CMD_LINE_OPTIONS;\n#else\n\tif (getenv(POSIXLY_CORRECT_STR))\n\t\tposixly_correct = 1;\n\tif (!posixly_correct)\n\t\tcmd_line_options = CMD_LINE_OPTIONS;\n\telse\n\t\tcmd_line_options = POSIXLY_CMD_LINE_OPTIONS;\n#endif\n\n\tsetlocale(LC_CTYPE, \"\");\n\tsetlocale(LC_MESSAGES, 
\"\");\n\tbindtextdomain(PACKAGE, LOCALEDIR);\n\ttextdomain(PACKAGE);\n\n\t/* Align `#effective:' comments to column 40 for tty's */\n\tif (!posixly_correct && isatty(fileno(stdout)))\n\t\tprint_options |= TEXT_SMART_INDENT;\n\n\twhile ((opt = getopt_long(argc, argv, cmd_line_options,\n\t\t long_options, NULL)) != -1) {\n\t\tswitch (opt) {\n\t\t\tcase 'a': /* acl only */\n\t\t\t\tif (posixly_correct)\n\t\t\t\t\tgoto synopsis;\n\t\t\t\topt_print_acl = 1;\n\t\t\t\tbreak;\n\n\t\t\tcase 'd': /* default acl only */\n\t\t\t\topt_print_default_acl = 1;\n\t\t\t\tbreak;\n\n\t\t\tcase 'c': /* no comments */\n\t\t\t\tif (posixly_correct)\n\t\t\t\t\tgoto synopsis;\n\t\t\t\topt_comments = 0;\n\t\t\t\tbreak;\n\n\t\t\tcase 'e': /* all #effective comments */\n\t\t\t\tif (posixly_correct)\n\t\t\t\t\tgoto synopsis;\n\t\t\t\tprint_options |= TEXT_ALL_EFFECTIVE;\n\t\t\t\tbreak;\n\n\t\t\tcase 'E': /* no #effective comments */\n\t\t\t\tif (posixly_correct)\n\t\t\t\t\tgoto synopsis;\n\t\t\t\tprint_options &= ~(TEXT_SOME_EFFECTIVE |\n\t\t\t\t TEXT_ALL_EFFECTIVE);\n\t\t\t\tbreak;\n\n\t\t\tcase 'R': /* recursive */\n\t\t\t\tif (posixly_correct)\n\t\t\t\t\tgoto synopsis;\n\t\t\t\twalk_flags |= WALK_TREE_RECURSIVE;\n\t\t\t\tbreak;\n\n\t\t\tcase 'L': /* follow all symlinks */\n\t\t\t\tif (posixly_correct)\n\t\t\t\t\tgoto synopsis;\n\t\t\t\twalk_flags |= WALK_TREE_LOGICAL | WALK_TREE_DEREFERENCE;\n\t\t\t\twalk_flags &= ~WALK_TREE_PHYSICAL;\n\t\t\t\tbreak;\n\n\t\t\tcase 'P': /* skip all symlinks */\n\t\t\t\tif (posixly_correct)\n\t\t\t\t\tgoto synopsis;\n\t\t\t\twalk_flags |= WALK_TREE_PHYSICAL;\n\t\t\t\twalk_flags &= ~(WALK_TREE_LOGICAL | WALK_TREE_DEREFERENCE |\n\t\t\t\t\t\tWALK_TREE_DEREFERENCE_TOPLEVEL);\n\t\t\t\tbreak;\n\n\t\t\tcase 's': /* skip files with only base entries */\n\t\t\t\tif (posixly_correct)\n\t\t\t\t\tgoto synopsis;\n\t\t\t\topt_skip_base = 1;\n\t\t\t\tbreak;\n\n\t\t\tcase 'p':\n\t\t\t\tif (posixly_correct)\n\t\t\t\t\tgoto synopsis;\n\t\t\t\topt_strip_leading_slash = 
0;\n\t\t\t\tbreak;\n\n\t\t\tcase 't':\n\t\t\t\tif (posixly_correct)\n\t\t\t\t\tgoto synopsis;\n\t\t\t\topt_tabular = 1;\n\t\t\t\tbreak;\n\n\t\t\tcase 'n': /* numeric */\n\t\t\t\topt_numeric = 1;\n\t\t\t\tprint_options |= TEXT_NUMERIC_IDS;\n\t\t\t\tbreak;\n\n\t\t\tcase 'v': /* print version */\n\t\t\t\tprintf(\"%s \" VERSION \"\\n\", progname);\n\t\t\t\treturn 0;\n\n\t\t\tcase 'h': /* help */\n\t\t\t\thelp();\n\t\t\t\treturn 0;\n\n\t\t\tcase ':': /* option missing */\n\t\t\tcase '?': /* unknown option */\n\t\t\tdefault:\n\t\t\t\tgoto synopsis;\n\t\t}\n\t}\n\n\tif (!(opt_print_acl || opt_print_default_acl)) {\n\t\topt_print_acl = 1;\n\t\tif (!posixly_correct)\n\t\t\topt_print_default_acl = 1;\n\t}\n\t\t\n\tif ((optind == argc) && !posixly_correct)\n\t\tgoto synopsis;\n\n\tdo {\n\t\tif (optind == argc ||\n\t\t strcmp(argv[optind], \"-\") == 0) {\n\t\t\twhile ((line = next_line(stdin)) != NULL) {\n\t\t\t\tif (*line == '\\0')\n\t\t\t\t\tcontinue;\n\n\t\t\t\thad_errors += walk_tree(line, walk_flags, 0,\n\t\t\t\t\t\t\tdo_print, NULL);\n\t\t\t}\n\t\t\tif (!feof(stdin)) {\n\t\t\t\tfprintf(stderr, _(\"%s: Standard input: %s\\n\"),\n\t\t\t\t progname, strerror(errno));\n\t\t\t\thad_errors++;\n\t\t\t}\n\t\t} else\n\t\t\thad_errors += walk_tree(argv[optind], walk_flags, 0,\n\t\t\t\t\t\tdo_print, NULL);\n\t\toptind++;\n\t} while (optind < argc);\n\n\treturn had_errors ? 
1 : 0;\n\nsynopsis:\n\tfprintf(stderr, _(\"Usage: %s [-%s] file ...\\n\"),\n\t progname, cmd_line_options);\n\tfprintf(stderr, _(\"Try `%s --help' for more information.\\n\"),\n\t\tprogname);\n\treturn 2;\n}", "target": 0, "cwe": [], "project": "acl", "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5", "hash": 262151764480633723075756054005892276227, "size": 157, "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".", "dataset": "other", "idx": 491969 }, { "func": "int main(int argc, char **argv)\n{\n Agraph_t *G;\n Agraph_t *prev = 0;\n FILE *inFile;\n int rv, gcnt = 0;\n\n#ifdef HAVE_EXPAT\n initargs(argc, argv);\n while ((inFile = getFile())) {\n\twhile ((G = graphml_to_gv(nameOf(gname, gcnt), inFile, &rv))) {\n\t gcnt++;\n\t if (prev)\n\t\tagclose(prev);\n\t prev = G;\n\t if (Verbose) \n\t\tfprintf (stderr, \"%s: %d nodes %d edges\\n\",\n\t\t agnameof (G), agnnodes(G), agnedges(G));\n\t agwrite(G, outFile);\n\t fflush(outFile);\n\t}\n }\n exit(rv);\n#else\n fputs(\"cvtgxl: not configured for conversion from GXL to GV\\n\", stderr);\n exit(1);\n#endif\n}", "target": 0, "cwe": [ "CWE-476" ], "project": "graphviz", "commit_id": "839085f8026afd6f6920a0c31ad2a9d880d97932", "hash": 113828455562781222327930200432144819873, "size": 28, "message": "attempted fix for null pointer deference on malformed input", "dataset": "other", "idx": 505510 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "int SGX_CDECL main(int argc, char *argv[])\n{\n (void)(argc);\n (void)(argv);\n\n#if defined(_MSC_VER)\n if (query_sgx_status() < 0) {\n /* either SGX is disabled, or a reboot is required to enable SGX */\n printf(\"Enter a character before exit ...\\n\");\n getchar();\n return -1;\n }\n#endif\n\n /* Initialize the enclave */\n if(initialize_enclave() < 0){\n printf(\"Enter a 
character before exit ...\\n\");\n getchar();\n return -1;\n }\n\n /* Destroy the enclave */\n sgx_destroy_enclave(global_eid);\n\n printf(\"Info: SampleEnclave successfully returned.\\n\");\n\n return 0;\n}", "idx": 519055, "cwe": "CWE-787", "hash": 327692335520483879905975641000683888773, "dataset": "other" }, { "func": "void CLASS parse_fuji (int offset)\n{\n unsigned entries, tag, len, save, c;\n\n fseek (ifp, offset, SEEK_SET);\n entries = get4();\n if (entries > 255) return;\n while (entries--) {\n tag = get2();\n len = get2();\n save = ftell(ifp);\n\n if (tag == 0x100) {\n raw_height = get2();\n raw_width = get2();\n } else if (tag == 0x121) {\n height = get2();\n if ((width = get2()) == 4284) width += 3;\n } else if (tag == 0x130) {\n fuji_layout = fgetc(ifp) >> 7;\n fuji_width = !(fgetc(ifp) & 8);\n } else if (tag == 0x131) {\n filters = 9;\n FORC(36)\n {\n int q = fgetc(ifp);\n xtrans_abs[0][35 - c] = MAX(0,MIN(q,2)); /* & 3;*/\n }\n } else if (tag == 0x2ff0) {\n FORC4 cam_mul[c ^ 1] = get2();\n }\n// IB start\n#ifdef LIBRAW_LIBRARY_BUILD\n else if (tag == 0x9650)\n {\n short a = (short)get2();\n float b =fMAX(1.0f, get2());\n imgdata.makernotes.fuji.FujiExpoMidPointShift = a / b;\n } else if (tag == 0x2100) {\n FORC4 imgdata.color.WB_Coeffs[LIBRAW_WBI_Daylight][c ^ 1] = get2();\n } else if (tag == 0x2200) {\n FORC4 imgdata.color.WB_Coeffs[LIBRAW_WBI_Cloudy][c ^ 1] = get2();\n } else if (tag == 0x2300) {\n FORC4 imgdata.color.WB_Coeffs[LIBRAW_WBI_FL_D][c ^ 1] = get2();\n } else if (tag == 0x2301) {\n FORC4 imgdata.color.WB_Coeffs[LIBRAW_WBI_FL_N][c ^ 1] = get2();\n } else if (tag == 0x2302) {\n FORC4 imgdata.color.WB_Coeffs[LIBRAW_WBI_FL_WW][c ^ 1] = get2();\n } else if (tag == 0x2310) {\n FORC4 imgdata.color.WB_Coeffs[LIBRAW_WBI_FL_L][c ^ 1] = get2();\n } else if (tag == 0x2400) {\n FORC4 imgdata.color.WB_Coeffs[LIBRAW_WBI_Tungsten][c ^ 1] = get2();\n }\n#endif\n// IB end\n else if (tag == 0xc000) {\n c = order;\n order = 0x4949;\n if ((tag = get4()) > 
10000) tag = get4();\n if (tag > 10000) tag = get4();\n width = tag;\n height = get4();\n#ifdef LIBRAW_LIBRARY_BUILD\n libraw_internal_data.unpacker_data.posRAFData = save;\n libraw_internal_data.unpacker_data.lenRAFData = (len>>1);\n#endif\n\t order = c;\n }\n fseek (ifp, save+len, SEEK_SET);\n }\n height <<= fuji_layout;\n width >>= fuji_layout;\n}", "project": "LibRaw", "hash": 186489593116868865639790292956490177046, "size": 73, "commit_id": "d13e8f6d1e987b7491182040a188c16a395f1d21", "message": "CVE-2017-1438 credits; fix for Kodak 65000 out of bounds access", "target": 0, "dataset": "other", "idx": 391456 }, { "func": "int ssh_buffer_get_u8(struct ssh_buffer_struct *buffer, uint8_t *data){\n return ssh_buffer_get_data(buffer,data,sizeof(uint8_t));\n}", "project": "libssh-mirror", "hash": 231210314595914264903505510444583999944, "size": 3, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345146 }, { "func": "static int __tipc_nl_add_node_links(struct net *net, struct tipc_nl_msg *msg,\n\t\t\t\t struct tipc_node *node, u32 *prev_link,\n\t\t\t\t bool bc_link)\n{\n\tu32 i;\n\tint err;\n\n\tfor (i = *prev_link; i < MAX_BEARERS; i++) {\n\t\t*prev_link = i;\n\n\t\tif (!node->links[i].link)\n\t\t\tcontinue;\n\n\t\terr = __tipc_nl_add_link(net, msg,\n\t\t\t\t\t node->links[i].link, NLM_F_MULTI);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\n\tif (bc_link) {\n\t\t*prev_link = i;\n\t\terr = tipc_nl_add_bc_link(net, msg, node->bc_entry.link);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\n\t*prev_link = 0;\n\n\treturn 0;\n}", "project": "linux", "hash": 4926889942421321052278127161021291044, "size": 30, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need 
to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n 
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d 
(\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364924 }, { "func": "void CLua::setregistry(const char *name)\n{\n lua_pushstring(state(), name);\n // Slide name round before the value\n lua_insert(state(), -2);\n lua_settable(state(), LUA_REGISTRYINDEX);\n}", "project": "crawl", "hash": 202209051942872661334658509467253133064, "size": 7, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230524 }, { "func": "Status GetPyArrayDimensionsForTensor(const TF_Tensor* tensor,\n gtl::InlinedVector* dims,\n tensorflow::int64* nelems) {\n dims->clear();\n const int ndims = TF_NumDims(tensor);\n if (TF_TensorType(tensor) == TF_RESOURCE) {\n if (ndims != 0) {\n return errors::InvalidArgument(\n \"Fetching of non-scalar resource tensors is not supported.\");\n }\n dims->push_back(TF_TensorByteSize(tensor));\n *nelems = dims->back();\n } else {\n *nelems = 1;\n for (int i = 0; i < ndims; ++i) {\n dims->push_back(TF_Dim(tensor, i));\n *nelems *= dims->back();\n }\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 255495948154909372803333508751450141813, "size": 21, "commit_id": "030af767d357d1b4088c4a25c72cb3906abac489", "message": "Fix `tf.raw_ops.ResourceCountUpTo` null pointer dereference.\n\nPiperOrigin-RevId: 368294347\nChange-Id: I2c16fbfc9b4966c402c3d8e311f0d665a9c852d8", "target": 0, "dataset": "other", "idx": 232658 }, { "func": " Status BuildFeatureReaders(const OpInputList& ragged_values_list,\n const OpInputList& ragged_splits_list,\n const OpInputList& sparse_indices_list,\n const OpInputList& sparse_values_list,\n const OpInputList& dense_list, int64 batch_size,\n FeatureReaders* features) {\n features->reserve(input_order_.size());\n\n int next_ragged = 0;\n int next_sparse = 0;\n 
int next_dense = 0;\n for (char c : input_order_) {\n if (c == 'R') {\n TF_RETURN_IF_ERROR(BuildRaggedFeatureReader(\n ragged_values_list[next_ragged], ragged_splits_list[next_ragged],\n features));\n next_ragged++;\n } else if (c == 'S') {\n TF_RETURN_IF_ERROR(BuildSparseFeatureReader(\n sparse_indices_list[next_sparse], sparse_values_list[next_sparse],\n batch_size, features));\n next_sparse++;\n } else if (c == 'D') {\n TF_RETURN_IF_ERROR(\n BuildDenseFeatureReader(dense_list[next_dense++], features));\n } else {\n return errors::InvalidArgument(\"Unexpected input_order value.\");\n }\n }\n\n return Status::OK();\n }", "project": "tensorflow", "hash": 119852077215802301992803812414131651636, "size": 32, "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a", "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9", "target": 1, "dataset": "other", "idx": 195659 }, { "func": " Status BuildFeatureReaders(const OpInputList& ragged_values_list,\n const OpInputList& ragged_splits_list,\n const OpInputList& sparse_indices_list,\n const OpInputList& sparse_values_list,\n const OpInputList& dense_list, int64 batch_size,\n FeatureReaders* features) {\n features->reserve(input_order_.size());\n\n int next_ragged = 0;\n int next_sparse = 0;\n int next_dense = 0;\n for (char c : input_order_) {\n if (c == 'R') {\n if (next_ragged >= ragged_values_list.size())\n return errors::InvalidArgument(\n \"input_order \\\"\", input_order_,\n \"\\\" specifies reading a ragged tensor value at index \",\n next_ragged, \" from a list of \", ragged_values_list.size(),\n \" values.\");\n if (next_ragged >= ragged_splits_list.size())\n return errors::InvalidArgument(\n \"input_order \\\"\", input_order_,\n \"\\\" specifies reading a ragged tensor split at index \",\n next_ragged, \" from a list of \", ragged_splits_list.size(),\n \" splits.\");\n TF_RETURN_IF_ERROR(BuildRaggedFeatureReader(\n 
ragged_values_list[next_ragged], ragged_splits_list[next_ragged],\n features));\n next_ragged++;\n } else if (c == 'S') {\n if (next_sparse >= sparse_values_list.size())\n return errors::InvalidArgument(\n \"input_order \\\"\", input_order_,\n \"\\\" specifies reading a sparse tensor value at index \",\n next_sparse, \" from a list of \", sparse_values_list.size(),\n \" values.\");\n if (next_sparse >= sparse_indices_list.size())\n return errors::InvalidArgument(\n \"input_order \\\"\", input_order_,\n \"\\\" specifies reading a sparse tensor index at index \",\n next_sparse, \" from a list of \", sparse_indices_list.size(),\n \" indices.\");\n TF_RETURN_IF_ERROR(BuildSparseFeatureReader(\n sparse_indices_list[next_sparse], sparse_values_list[next_sparse],\n batch_size, features));\n next_sparse++;\n } else if (c == 'D') {\n if (next_dense >= dense_list.size())\n return errors::InvalidArgument(\n \"input_order \\\"\", input_order_,\n \"\\\" specifies reading a dense tensor at index \", next_dense,\n \" from a list of \", dense_list.size(), \" tensors.\");\n TF_RETURN_IF_ERROR(\n BuildDenseFeatureReader(dense_list[next_dense++], features));\n } else {\n return errors::InvalidArgument(\"Unexpected input_order value.\");\n }\n }\n\n return Status::OK();\n }", "project": "tensorflow", "hash": 17914142839785054126542444128922850158, "size": 61, "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a", "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9", "target": 0, "dataset": "other", "idx": 230086 }, { "func": "static int update_init_section(struct playlist *pls, struct segment *seg)\n{\n static const int max_init_section_size = 1024*1024;\n HLSContext *c = pls->parent->priv_data;\n int64_t sec_size;\n int64_t urlsize;\n int ret;\n\n if (seg->init_section == pls->cur_init_section)\n return 0;\n\n pls->cur_init_section = NULL;\n\n if (!seg->init_section)\n return 0;\n\n /* 
this will clobber playlist URLContext stuff, so this should be\n * called between segments only */\n ret = open_input(c, pls, seg->init_section);\n if (ret < 0) {\n av_log(pls->parent, AV_LOG_WARNING,\n \"Failed to open an initialization section in playlist %d\\n\",\n pls->index);\n return ret;\n }\n\n if (seg->init_section->size >= 0)\n sec_size = seg->init_section->size;\n else if ((urlsize = ffurl_size(pls->input)) >= 0)\n sec_size = urlsize;\n else\n sec_size = max_init_section_size;\n\n av_log(pls->parent, AV_LOG_DEBUG,\n \"Downloading an initialization section of size %\"PRId64\"\\n\",\n sec_size);\n\n sec_size = FFMIN(sec_size, max_init_section_size);\n\n av_fast_malloc(&pls->init_sec_buf, &pls->init_sec_buf_size, sec_size);\n\n ret = read_from_url(pls, seg->init_section, pls->init_sec_buf,\n pls->init_sec_buf_size, READ_COMPLETE);\n ffurl_close(pls->input);\n pls->input = NULL;\n\n if (ret < 0)\n return ret;\n\n pls->cur_init_section = seg->init_section;\n pls->init_sec_data_len = ret;\n pls->init_sec_buf_read_offset = 0;\n\n /* spec says audio elementary streams do not have media initialization\n * sections, so there should be no ID3 timestamps */\n pls->is_id3_timestamped = 0;\n\n return 0;\n}", "project": "FFmpeg", "hash": 107090314270450800748342738368896466296, "size": 59, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270445 }, { "func": " bool get_location_constraint(string& zone_group) {\n XMLObj *config = find_first(\"CreateBucketConfiguration\");\n if (!config)\n return false;\n\n XMLObj *constraint = config->find_first(\"LocationConstraint\");\n if (!constraint)\n return false;\n\n zone_group = constraint->get_data();\n\n return true;\n }", 
"project": "ceph", "hash": 108163517394010745135400810090090518110, "size": 13, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281379 }, { "func": "static int kvm_mmu_notifier_test_young(struct mmu_notifier *mn,\n\t\t\t\t struct mm_struct *mm,\n\t\t\t\t unsigned long address)\n{\n\ttrace_kvm_test_age_hva(address);\n\n\treturn kvm_handle_hva_range_no_flush(mn, address, address + 1,\n\t\t\t\t\t kvm_test_age_gfn);\n}", "project": "linux", "hash": 107080947488634650221144098730415120103, "size": 9, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404078 }, { "func": "HttpStateData::wroteLast(const CommIoCbParams &io)\n{\n debugs(11, 5, HERE << serverConnection << \": size \" << io.size << \": errflag \" << io.flag << \".\");\n#if URL_CHECKSUM_DEBUG\n\n entry->mem_obj->checkUrlChecksum();\n#endif\n\n // XXX: Keep in sync with Client::sentRequestBody().\n // TODO: Extract common parts.\n\n if (io.size > 0) {\n fd_bytes(io.fd, io.size, FD_WRITE);\n statCounter.server.all.kbytes_out += io.size;\n statCounter.server.http.kbytes_out += io.size;\n }\n\n if (io.flag == Comm::ERR_CLOSING)\n return;\n\n // both successful and failed writes affect response times\n request->hier.notePeerWrite();\n\n if (io.flag) {\n ErrorState *err = new ErrorState(ERR_WRITE_ERROR, Http::scBadGateway, fwd->request);\n err->xerrno = io.xerrno;\n fwd->fail(err);\n closeServer();\n mustStop(\"HttpStateData::wroteLast\");\n return;\n }\n\n sendComplete();\n}", "project": "squid", "hash": 57801462608912155400626873154046655718, "size": 34, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402337 }, { "func": "static inline bool kvm_is_error_gpa(struct kvm *kvm, gpa_t gpa)\n{\n\tunsigned long hva = gfn_to_hva(kvm, gpa_to_gfn(gpa));\n\n\treturn kvm_is_error_hva(hva);\n}", "project": "linux", "hash": 168234784618395717134968340835674356675, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354583 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void MediaElementAudioSourceNode::setFormat(size_t numberOfChannels, float sourceSampleRate)\n{\n if (numberOfChannels != m_sourceNumberOfChannels || sourceSampleRate != m_sourceSampleRate) {\n if (!numberOfChannels || numberOfChannels > AudioContext::maxNumberOfChannels() || !AudioUtilities::isValidAudioBufferSampleRate(sourceSampleRate)) {\n WTF_LOG(Media, \"MediaElementAudioSourceNode::setFormat(%u, %f) - unhandled format change\", static_cast(numberOfChannels), 
sourceSampleRate);\n m_sourceNumberOfChannels = 0;\n m_sourceSampleRate = 0;\n return;\n }\n\n m_sourceNumberOfChannels = numberOfChannels;\n m_sourceSampleRate = sourceSampleRate;\n\n Locker locker(*this);\n\n if (sourceSampleRate != sampleRate()) {\n double scaleFactor = sourceSampleRate / sampleRate();\n m_multiChannelResampler = adoptPtr(new MultiChannelResampler(scaleFactor, numberOfChannels));\n } else {\n m_multiChannelResampler.clear();\n }\n\n {\n AudioContext::AutoLocker contextLocker(context());\n\n output(0)->setNumberOfChannels(numberOfChannels);\n }\n }\n}\n", "cwe": "", "big_vul_idx": 139705, "idx": 124853, "hash": 280046101278932052459518298077473220507 }, { "func": "static int read_data(void *opaque, uint8_t *buf, int buf_size)\n{\n struct playlist *v = opaque;\n HLSContext *c = v->parent->priv_data;\n int ret, i;\n int just_opened = 0;\n int reload_count = 0;\n\nrestart:\n if (!v->needed)\n return AVERROR_EOF;\n\n if (!v->input) {\n int64_t reload_interval;\n struct segment *seg;\n\n /* Check that the playlist is still needed before opening a new\n * segment. */\n if (v->ctx && v->ctx->nb_streams &&\n v->parent->nb_streams >= v->stream_offset + v->ctx->nb_streams) {\n v->needed = 0;\n for (i = v->stream_offset; i < v->stream_offset + v->ctx->nb_streams;\n i++) {\n if (v->parent->streams[i]->discard < AVDISCARD_ALL)\n v->needed = 1;\n }\n }\n if (!v->needed) {\n av_log(v->parent, AV_LOG_INFO, \"No longer receiving playlist %d\\n\",\n v->index);\n return AVERROR_EOF;\n }\n\n /* If this is a live stream and the reload interval has elapsed since\n * the last playlist reload, reload the playlists now. 
*/\n reload_interval = default_reload_interval(v);\n\nreload:\n reload_count++;\n if (reload_count > c->max_reload)\n return AVERROR_EOF;\n if (!v->finished &&\n av_gettime_relative() - v->last_load_time >= reload_interval) {\n if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {\n av_log(v->parent, AV_LOG_WARNING, \"Failed to reload playlist %d\\n\",\n v->index);\n return ret;\n }\n /* If we need to reload the playlist again below (if\n * there's still no more segments), switch to a reload\n * interval of half the target duration. */\n reload_interval = v->target_duration / 2;\n }\n if (v->cur_seq_no < v->start_seq_no) {\n av_log(NULL, AV_LOG_WARNING,\n \"skipping %d segments ahead, expired from playlists\\n\",\n v->start_seq_no - v->cur_seq_no);\n v->cur_seq_no = v->start_seq_no;\n }\n if (v->cur_seq_no >= v->start_seq_no + v->n_segments) {\n if (v->finished)\n return AVERROR_EOF;\n while (av_gettime_relative() - v->last_load_time < reload_interval) {\n if (ff_check_interrupt(c->interrupt_callback))\n return AVERROR_EXIT;\n av_usleep(100*1000);\n }\n /* Enough time has elapsed since the last reload */\n goto reload;\n }\n\n seg = current_segment(v);\n\n /* load/update Media Initialization Section, if any */\n ret = update_init_section(v, seg);\n if (ret)\n return ret;\n\n ret = open_input(c, v, seg);\n if (ret < 0) {\n if (ff_check_interrupt(c->interrupt_callback))\n return AVERROR_EXIT;\n av_log(v->parent, AV_LOG_WARNING, \"Failed to open segment of playlist %d\\n\",\n v->index);\n v->cur_seq_no += 1;\n goto reload;\n }\n just_opened = 1;\n }\n\n if (v->init_sec_buf_read_offset < v->init_sec_data_len) {\n /* Push init section out first before first actual segment */\n int copy_size = FFMIN(v->init_sec_data_len - v->init_sec_buf_read_offset, buf_size);\n memcpy(buf, v->init_sec_buf, copy_size);\n v->init_sec_buf_read_offset += copy_size;\n return copy_size;\n }\n\n ret = read_from_url(v, current_segment(v), buf, buf_size, READ_NORMAL);\n if (ret > 0) {\n if 
(just_opened && v->is_id3_timestamped != 0) {\n /* Intercept ID3 tags here, elementary audio streams are required\n * to convey timestamps using them in the beginning of each segment. */\n intercept_id3(v, buf, buf_size, &ret);\n }\n\n return ret;\n }\n ffurl_close(v->input);\n v->input = NULL;\n v->cur_seq_no++;\n\n c->cur_seq_no = v->cur_seq_no;\n\n goto restart;\n}", "project": "FFmpeg", "hash": 230988185553634681617225737854887522080, "size": 116, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270447 }, { "func": "static int sctp_setsockopt_scheduler(struct sock *sk,\n\t\t\t\t struct sctp_assoc_value *params,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_association *asoc;\n\tint retval = 0;\n\n\tif (optlen < sizeof(*params))\n\t\treturn -EINVAL;\n\n\tif (params->assoc_value > SCTP_SS_MAX)\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, params->assoc_id);\n\tif (!asoc && params->assoc_id > SCTP_ALL_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc)\n\t\treturn sctp_sched_set_sched(asoc, params->assoc_value);\n\n\tif (sctp_style(sk, TCP))\n\t\tparams->assoc_id = SCTP_FUTURE_ASSOC;\n\n\tif (params->assoc_id == SCTP_FUTURE_ASSOC ||\n\t params->assoc_id == SCTP_ALL_ASSOC)\n\t\tsp->default_ss = params->assoc_value;\n\n\tif (params->assoc_id == SCTP_CURRENT_ASSOC ||\n\t params->assoc_id == SCTP_ALL_ASSOC) {\n\t\tlist_for_each_entry(asoc, &sp->ep->asocs, asocs) {\n\t\t\tint ret = sctp_sched_set_sched(asoc,\n\t\t\t\t\t\t params->assoc_value);\n\n\t\t\tif (ret && !retval)\n\t\t\t\tretval = ret;\n\t\t}\n\t}\n\n\treturn retval;\n}", "project": "linux", "hash": 268425910568456175137185902824726301007, 
"size": 42, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398135 }, { "func": "static unsigned short php_read2(const req::ptr& stream) {\n unsigned char *a;\n String str = stream->read(2);\n /* just return 0 if we hit the end-of-file */\n if (str.length() != 2) return 0;\n a = (unsigned char *)str.c_str();\n return (((unsigned short)a[0]) << 8) + ((unsigned short)a[1]);\n}", "project": "hhvm", "hash": 124379999273586529215962062362066747857, "size": 8, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219055 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "void BlobURLRequestJob::CloseStream() {\n if (stream_ != NULL) {\n stream_->Close();\n stream_.reset(NULL);\n }\n}\n", "cwe": "", "big_vul_idx": 106406, "idx": 176352, "hash": 261641814869687807703528737130616112401 }, { "func": "static int copy_all_tile_runs(void) {\n\tint x, y, n, m, i;\n\tint diffs = 0, ct;\n\tint in_run = 0, run 
= 0;\n\tint ntave = 0, ntcnt = 0;\n\n\tif (unixpw_in_progress) return 0;\n\n\tfor (y=0; y < ntiles_y; y++) {\n\t\tfor (x=0; x < ntiles_x + 1; x++) {\n\t\t\tn = x + y * ntiles_x;\n\n\t\t\tif (x != ntiles_x && tile_has_diff[n]) {\n\t\t\t\tin_run = 1;\n\t\t\t\trun++;\n\t\t\t} else {\n\t\t\t\tif (! in_run) {\n\t\t\t\t\tin_run = 0;\n\t\t\t\t\trun = 0;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t\tct = copy_tiles(x - run, y, run);\n\t\t\t\tif (ct < 0) return ct;\t/* fatal */\n\n\t\t\t\tntcnt++;\n\t\t\t\tntave += run;\n\t\t\t\tdiffs += run;\n\n\t\t\t\t/* neighboring tile downward: */\n\t\t\t\tfor (i=1; i <= run; i++) {\n\t\t\t\t\tif ((y+1) < ntiles_y\n\t\t\t\t\t && tile_region[n-i].bot_diff) {\n\t\t\t\t\t\tm = (x-i) + (y+1) * ntiles_x;\n\t\t\t\t\t\tif (! tile_has_diff[m]) {\n\t\t\t\t\t\t\ttile_has_diff[m] = 2;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t/* neighboring tile to right: */\n\t\t\t\tif (((x-1)+1) < ntiles_x\n\t\t\t\t && tile_region[n-1].right_diff) {\n\t\t\t\t\tm = ((x-1)+1) + y * ntiles_x;\n\t\t\t\t\tif (! 
tile_has_diff[m]) {\n\t\t\t\t\t\ttile_has_diff[m] = 2;\n\t\t\t\t\t}\n\t\t\t\t\t\n\t\t\t\t\t/* note that this starts a new run */\n\t\t\t\t\tin_run = 1;\n\t\t\t\t\trun = 1;\n\t\t\t\t} else {\n\t\t\t\t\tin_run = 0;\n\t\t\t\t\trun = 0;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t/*\n\t\t * Could some activity go here, to emulate threaded\n\t\t * behavior by servicing some libvncserver tasks?\n\t\t */\n\t}\n\treturn diffs;\n}", "project": "x11vnc", "hash": 170798164564296654087599232482965097168, "size": 63, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360758 }, { "func": "static int kvm_hv_hypercall_complete_userspace(struct kvm_vcpu *vcpu)\n{\n\treturn kvm_hv_hypercall_complete(vcpu, vcpu->run->hyperv.u.hcall.result);\n}", "project": "linux", "hash": 49708232272907444760950139433750435169, "size": 4, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. 
However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343535 }, { "func": "static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_conn_complete *ev = (void *) skb->data;\n\tstruct inquiry_entry *ie;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);\n\tif (!conn) {\n\t\t/* Connection may not exist if auto-connected. Check the inquiry\n\t\t * cache to see if we've already discovered this bdaddr before.\n\t\t * If found and link is an ACL type, create a connection class\n\t\t * automatically.\n\t\t */\n\t\tie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);\n\t\tif (ie && ev->link_type == ACL_LINK) {\n\t\t\tconn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,\n\t\t\t\t\t HCI_ROLE_SLAVE);\n\t\t\tif (!conn) {\n\t\t\t\tbt_dev_err(hdev, \"no memory for new conn\");\n\t\t\t\tgoto unlock;\n\t\t\t}\n\t\t} else {\n\t\t\tif (ev->link_type != SCO_LINK)\n\t\t\t\tgoto unlock;\n\n\t\t\tconn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,\n\t\t\t\t\t\t &ev->bdaddr);\n\t\t\tif (!conn)\n\t\t\t\tgoto unlock;\n\n\t\t\tconn->type = SCO_LINK;\n\t\t}\n\t}\n\n\tif (!ev->status) {\n\t\tconn->handle = __le16_to_cpu(ev->handle);\n\n\t\tif (conn->type == ACL_LINK) {\n\t\t\tconn->state = BT_CONFIG;\n\t\t\thci_conn_hold(conn);\n\n\t\t\tif (!conn->out && !hci_conn_ssp_enabled(conn) &&\n\t\t\t !hci_find_link_key(hdev, 
&ev->bdaddr))\n\t\t\t\tconn->disc_timeout = HCI_PAIRING_TIMEOUT;\n\t\t\telse\n\t\t\t\tconn->disc_timeout = HCI_DISCONN_TIMEOUT;\n\t\t} else\n\t\t\tconn->state = BT_CONNECTED;\n\n\t\thci_debugfs_create_conn(conn);\n\t\thci_conn_add_sysfs(conn);\n\n\t\tif (test_bit(HCI_AUTH, &hdev->flags))\n\t\t\tset_bit(HCI_CONN_AUTH, &conn->flags);\n\n\t\tif (test_bit(HCI_ENCRYPT, &hdev->flags))\n\t\t\tset_bit(HCI_CONN_ENCRYPT, &conn->flags);\n\n\t\t/* Get remote features */\n\t\tif (conn->type == ACL_LINK) {\n\t\t\tstruct hci_cp_read_remote_features cp;\n\t\t\tcp.handle = ev->handle;\n\t\t\thci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,\n\t\t\t\t sizeof(cp), &cp);\n\n\t\t\thci_req_update_scan(hdev);\n\t\t}\n\n\t\t/* Set packet type for incoming connection */\n\t\tif (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {\n\t\t\tstruct hci_cp_change_conn_ptype cp;\n\t\t\tcp.handle = ev->handle;\n\t\t\tcp.pkt_type = cpu_to_le16(conn->pkt_type);\n\t\t\thci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),\n\t\t\t\t &cp);\n\t\t}\n\t} else {\n\t\tconn->state = BT_CLOSED;\n\t\tif (conn->type == ACL_LINK)\n\t\t\tmgmt_connect_failed(hdev, &conn->dst, conn->type,\n\t\t\t\t\t conn->dst_type, ev->status);\n\t}\n\n\tif (conn->type == ACL_LINK)\n\t\thci_sco_setup(conn, ev->status);\n\n\tif (ev->status) {\n\t\thci_connect_cfm(conn, ev->status);\n\t\thci_conn_del(conn);\n\t} else if (ev->link_type == SCO_LINK) {\n\t\tswitch (conn->setting & SCO_AIRMODE_MASK) {\n\t\tcase SCO_AIRMODE_CVSD:\n\t\t\tif (hdev->notify)\n\t\t\t\thdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);\n\t\t\tbreak;\n\t\t}\n\n\t\thci_connect_cfm(conn, ev->status);\n\t}\n\nunlock:\n\thci_dev_unlock(hdev);\n\n\thci_conn_check_pending(hdev);\n}", "project": "linux", "hash": 131765125059125155015020640604960804794, "size": 109, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. 
A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432039 }, { "func": "\nstatic int io_uring_create(unsigned entries, struct io_uring_params *p,\n\t\t\t struct io_uring_params __user *params)\n{\n\tstruct io_ring_ctx *ctx;\n\tstruct file *file;\n\tint ret;\n\n\tif (!entries)\n\t\treturn -EINVAL;\n\tif (entries > IORING_MAX_ENTRIES) {\n\t\tif (!(p->flags & IORING_SETUP_CLAMP))\n\t\t\treturn -EINVAL;\n\t\tentries = IORING_MAX_ENTRIES;\n\t}\n\n\t/*\n\t * Use twice as many entries for the CQ ring. It's possible for the\n\t * application to drive a higher depth than the size of the SQ ring,\n\t * since the sqes are only used at submission time. This allows for\n\t * some flexibility in overcommitting a bit. If the application has\n\t * set IORING_SETUP_CQSIZE, it will have passed in the desired number\n\t * of CQ ring entries manually.\n\t */\n\tp->sq_entries = roundup_pow_of_two(entries);\n\tif (p->flags & IORING_SETUP_CQSIZE) {\n\t\t/*\n\t\t * If IORING_SETUP_CQSIZE is set, we do the same roundup\n\t\t * to a power-of-two, if it isn't already. 
We do NOT impose\n\t\t * any cq vs sq ring sizing.\n\t\t */\n\t\tif (!p->cq_entries)\n\t\t\treturn -EINVAL;\n\t\tif (p->cq_entries > IORING_MAX_CQ_ENTRIES) {\n\t\t\tif (!(p->flags & IORING_SETUP_CLAMP))\n\t\t\t\treturn -EINVAL;\n\t\t\tp->cq_entries = IORING_MAX_CQ_ENTRIES;\n\t\t}\n\t\tp->cq_entries = roundup_pow_of_two(p->cq_entries);\n\t\tif (p->cq_entries < p->sq_entries)\n\t\t\treturn -EINVAL;\n\t} else {\n\t\tp->cq_entries = 2 * p->sq_entries;\n\t}\n\n\tctx = io_ring_ctx_alloc(p);\n\tif (!ctx)\n\t\treturn -ENOMEM;\n\tctx->compat = in_compat_syscall();\n\tif (!capable(CAP_IPC_LOCK))\n\t\tctx->user = get_uid(current_user());\n\n\t/*\n\t * This is just grabbed for accounting purposes. When a process exits,\n\t * the mm is exited and dropped before the files, hence we need to hang\n\t * on to this mm purely for the purposes of being able to unaccount\n\t * memory (locked/pinned vm). It's not used for anything else.\n\t */\n\tmmgrab(current->mm);\n\tctx->mm_account = current->mm;\n\n\tret = io_allocate_scq_urings(ctx, p);\n\tif (ret)\n\t\tgoto err;\n\n\tret = io_sq_offload_create(ctx, p);\n\tif (ret)\n\t\tgoto err;\n\t/* always set a rsrc node */\n\tret = io_rsrc_node_switch_start(ctx);\n\tif (ret)\n\t\tgoto err;\n\tio_rsrc_node_switch(ctx, NULL);\n\n\tmemset(&p->sq_off, 0, sizeof(p->sq_off));\n\tp->sq_off.head = offsetof(struct io_rings, sq.head);\n\tp->sq_off.tail = offsetof(struct io_rings, sq.tail);\n\tp->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);\n\tp->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);\n\tp->sq_off.flags = offsetof(struct io_rings, sq_flags);\n\tp->sq_off.dropped = offsetof(struct io_rings, sq_dropped);\n\tp->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;\n\n\tmemset(&p->cq_off, 0, sizeof(p->cq_off));\n\tp->cq_off.head = offsetof(struct io_rings, cq.head);\n\tp->cq_off.tail = offsetof(struct io_rings, cq.tail);\n\tp->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);\n\tp->cq_off.ring_entries 
= offsetof(struct io_rings, cq_ring_entries);\n\tp->cq_off.overflow = offsetof(struct io_rings, cq_overflow);\n\tp->cq_off.cqes = offsetof(struct io_rings, cqes);\n\tp->cq_off.flags = offsetof(struct io_rings, cq_flags);\n\n\tp->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |\n\t\t\tIORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS |\n\t\t\tIORING_FEAT_CUR_PERSONALITY | IORING_FEAT_FAST_POLL |\n\t\t\tIORING_FEAT_POLL_32BITS | IORING_FEAT_SQPOLL_NONFIXED |\n\t\t\tIORING_FEAT_EXT_ARG | IORING_FEAT_NATIVE_WORKERS;\n\n\tif (copy_to_user(params, p, sizeof(*p))) {\n\t\tret = -EFAULT;\n\t\tgoto err;\n\t}\n\n\tfile = io_uring_get_file(ctx);\n\tif (IS_ERR(file)) {\n\t\tret = PTR_ERR(file);\n\t\tgoto err;\n\t}\n\n\t/*\n\t * Install ring fd as the very last thing, so we don't risk someone\n\t * having closed it before we finish setup\n\t */\n\tret = io_uring_install_fd(ctx, file);\n\tif (ret < 0) {\n\t\t/* fput will clean it up */\n\t\tfput(file);\n\t\treturn ret;\n\t}\n\n\ttrace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);\n\treturn ret;\nerr:\n\tio_ring_ctx_wait_and_kill(ctx);\n\treturn ret;", "project": "linux", "hash": 214958276256860153431543365798852217174, "size": 125, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338710 }, { "func": "static int io_uring_create(unsigned entries, struct io_uring_params *p,\n\t\t\t struct io_uring_params __user *params)\n{\n\tstruct user_struct *user = NULL;\n\tstruct io_ring_ctx *ctx;\n\tbool limit_mem;\n\tint ret;\n\n\tif (!entries)\n\t\treturn -EINVAL;\n\tif (entries > IORING_MAX_ENTRIES) {\n\t\tif (!(p->flags & IORING_SETUP_CLAMP))\n\t\t\treturn -EINVAL;\n\t\tentries = IORING_MAX_ENTRIES;\n\t}\n\n\t/*\n\t * Use twice as many entries for the CQ ring. It's possible for the\n\t * application to drive a higher depth than the size of the SQ ring,\n\t * since the sqes are only used at submission time. This allows for\n\t * some flexibility in overcommitting a bit. If the application has\n\t * set IORING_SETUP_CQSIZE, it will have passed in the desired number\n\t * of CQ ring entries manually.\n\t */\n\tp->sq_entries = roundup_pow_of_two(entries);\n\tif (p->flags & IORING_SETUP_CQSIZE) {\n\t\t/*\n\t\t * If IORING_SETUP_CQSIZE is set, we do the same roundup\n\t\t * to a power-of-two, if it isn't already. 
We do NOT impose\n\t\t * any cq vs sq ring sizing.\n\t\t */\n\t\tif (p->cq_entries < p->sq_entries)\n\t\t\treturn -EINVAL;\n\t\tif (p->cq_entries > IORING_MAX_CQ_ENTRIES) {\n\t\t\tif (!(p->flags & IORING_SETUP_CLAMP))\n\t\t\t\treturn -EINVAL;\n\t\t\tp->cq_entries = IORING_MAX_CQ_ENTRIES;\n\t\t}\n\t\tp->cq_entries = roundup_pow_of_two(p->cq_entries);\n\t} else {\n\t\tp->cq_entries = 2 * p->sq_entries;\n\t}\n\n\tuser = get_uid(current_user());\n\tlimit_mem = !capable(CAP_IPC_LOCK);\n\n\tif (limit_mem) {\n\t\tret = __io_account_mem(user,\n\t\t\t\tring_pages(p->sq_entries, p->cq_entries));\n\t\tif (ret) {\n\t\t\tfree_uid(user);\n\t\t\treturn ret;\n\t\t}\n\t}\n\n\tctx = io_ring_ctx_alloc(p);\n\tif (!ctx) {\n\t\tif (limit_mem)\n\t\t\t__io_unaccount_mem(user, ring_pages(p->sq_entries,\n\t\t\t\t\t\t\t\tp->cq_entries));\n\t\tfree_uid(user);\n\t\treturn -ENOMEM;\n\t}\n\tctx->compat = in_compat_syscall();\n\tctx->user = user;\n\tctx->creds = get_current_cred();\n\n\t/*\n\t * Account memory _before_ installing the file descriptor. Once\n\t * the descriptor is installed, it can get closed at any time. 
Also\n\t * do this before hitting the general error path, as ring freeing\n\t * will un-account as well.\n\t */\n\tio_account_mem(ctx, ring_pages(p->sq_entries, p->cq_entries),\n\t\t ACCT_LOCKED);\n\tctx->limit_mem = limit_mem;\n\n\tret = io_allocate_scq_urings(ctx, p);\n\tif (ret)\n\t\tgoto err;\n\n\tret = io_sq_offload_start(ctx, p);\n\tif (ret)\n\t\tgoto err;\n\n\tmemset(&p->sq_off, 0, sizeof(p->sq_off));\n\tp->sq_off.head = offsetof(struct io_rings, sq.head);\n\tp->sq_off.tail = offsetof(struct io_rings, sq.tail);\n\tp->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);\n\tp->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);\n\tp->sq_off.flags = offsetof(struct io_rings, sq_flags);\n\tp->sq_off.dropped = offsetof(struct io_rings, sq_dropped);\n\tp->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;\n\n\tmemset(&p->cq_off, 0, sizeof(p->cq_off));\n\tp->cq_off.head = offsetof(struct io_rings, cq.head);\n\tp->cq_off.tail = offsetof(struct io_rings, cq.tail);\n\tp->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);\n\tp->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);\n\tp->cq_off.overflow = offsetof(struct io_rings, cq_overflow);\n\tp->cq_off.cqes = offsetof(struct io_rings, cqes);\n\tp->cq_off.flags = offsetof(struct io_rings, cq_flags);\n\n\tp->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |\n\t\t\tIORING_FEAT_SUBMIT_STABLE | IORING_FEAT_RW_CUR_POS |\n\t\t\tIORING_FEAT_CUR_PERSONALITY | IORING_FEAT_FAST_POLL |\n\t\t\tIORING_FEAT_POLL_32BITS;\n\n\tif (copy_to_user(params, p, sizeof(*p))) {\n\t\tret = -EFAULT;\n\t\tgoto err;\n\t}\n\n\t/*\n\t * Install ring fd as the very last thing, so we don't risk someone\n\t * having closed it before we finish setup\n\t */\n\tret = io_uring_get_fd(ctx);\n\tif (ret < 0)\n\t\tgoto err;\n\n\ttrace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);\n\treturn ret;\nerr:\n\tio_ring_ctx_wait_and_kill(ctx);\n\treturn ret;\n}", "project": "linux", 
"hash": 176329902268494231725306724919225464053, "size": 127, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456920 }, { "func": "CtPtr ProtocolV1::handle_connect_reply_2() {\n ldout(cct, 20) << __func__ << dendl;\n\n if (connect_reply.tag == CEPH_MSGR_TAG_FEATURES) {\n ldout(cct, 0) << __func__ << \" connect protocol feature mismatch, my \"\n << std::hex << connection->policy.features_supported\n << \" < peer \" << connect_reply.features << \" missing \"\n << (connect_reply.features &\n ~connection->policy.features_supported)\n << std::dec << dendl;\n return _fault();\n }\n\n if (connect_reply.tag == CEPH_MSGR_TAG_BADPROTOVER) {\n ldout(cct, 0) << __func__ << \" connect protocol version mismatch, my \"\n << messenger->get_proto_version(connection->peer_type, true)\n << \" != \" << connect_reply.protocol_version << dendl;\n return _fault();\n }\n\n if (connect_reply.tag == CEPH_MSGR_TAG_BADAUTHORIZER) {\n ldout(cct, 0) << __func__ << \" connect got BADAUTHORIZER\" << dendl;\n authorizer_more.clear();\n return _fault();\n }\n\n if (connect_reply.tag == CEPH_MSGR_TAG_RESETSESSION) {\n ldout(cct, 0) << __func__ << \" connect got RESETSESSION\" << dendl;\n session_reset();\n connect_seq = 0;\n\n // see session_reset\n connection->outgoing_bl.clear();\n\n return CONTINUE(send_connect_message);\n }\n\n if (connect_reply.tag == CEPH_MSGR_TAG_RETRY_GLOBAL) {\n global_seq = 
messenger->get_global_seq(connect_reply.global_seq);\n ldout(cct, 5) << __func__ << \" connect got RETRY_GLOBAL \"\n << connect_reply.global_seq << \" chose new \" << global_seq\n << dendl;\n return CONTINUE(send_connect_message);\n }\n\n if (connect_reply.tag == CEPH_MSGR_TAG_RETRY_SESSION) {\n ceph_assert(connect_reply.connect_seq > connect_seq);\n ldout(cct, 5) << __func__ << \" connect got RETRY_SESSION \" << connect_seq\n << \" -> \" << connect_reply.connect_seq << dendl;\n connect_seq = connect_reply.connect_seq;\n return CONTINUE(send_connect_message);\n }\n\n if (connect_reply.tag == CEPH_MSGR_TAG_WAIT) {\n ldout(cct, 1) << __func__ << \" connect got WAIT (connection race)\" << dendl;\n state = WAIT;\n return _fault();\n }\n\n uint64_t feat_missing;\n feat_missing =\n connection->policy.features_required & ~(uint64_t)connect_reply.features;\n if (feat_missing) {\n ldout(cct, 1) << __func__ << \" missing required features \" << std::hex\n << feat_missing << std::dec << dendl;\n return _fault();\n }\n\n if (connect_reply.tag == CEPH_MSGR_TAG_SEQ) {\n ldout(cct, 10)\n << __func__\n << \" got CEPH_MSGR_TAG_SEQ, reading acked_seq and writing in_seq\"\n << dendl;\n\n return wait_ack_seq();\n }\n\n if (connect_reply.tag == CEPH_MSGR_TAG_READY) {\n ldout(cct, 10) << __func__ << \" got CEPH_MSGR_TAG_READY \" << dendl;\n }\n\n return client_ready();\n}", "project": "ceph", "hash": 28423674245084326244706269898947970440, "size": 83, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": "msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f (\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed 
through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 0, "dataset": "other", "idx": 356902 }, { "func": "int kvm_arch_vcpu_ioctl_get_mpstate(struct kvm_vcpu *vcpu,\n\t\t\t\t struct kvm_mp_state *mp_state)\n{\n\tint ret;\n\n\tvcpu_load(vcpu);\n\n\t/* CHECK_STOP and LOAD are not supported yet */\n\tret = is_vcpu_stopped(vcpu) ? KVM_MP_STATE_STOPPED :\n\t\t\t\t KVM_MP_STATE_OPERATING;\n\n\tvcpu_put(vcpu);\n\treturn ret;\n}", "project": "linux", "hash": 243166783217553139004502960287860150376, "size": 14, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354472 }, { "func": "static int add_location(struct loc_track *t, struct kmem_cache *s,\n\t\t\t\tconst struct track *track)\n{\n\tlong start, end, pos;\n\tstruct location *l;\n\tunsigned long caddr;\n\tunsigned long age = jiffies - track->when;\n\n\tstart = -1;\n\tend = 
t->count;\n\n\tfor ( ; ; ) {\n\t\tpos = start + (end - start + 1) / 2;\n\n\t\t/*\n\t\t * There is nothing at \"end\". If we end up there\n\t\t * we need to add something to before end.\n\t\t */\n\t\tif (pos == end)\n\t\t\tbreak;\n\n\t\tcaddr = t->loc[pos].addr;\n\t\tif (track->addr == caddr) {\n\n\t\t\tl = &t->loc[pos];\n\t\t\tl->count++;\n\t\t\tif (track->when) {\n\t\t\t\tl->sum_time += age;\n\t\t\t\tif (age < l->min_time)\n\t\t\t\t\tl->min_time = age;\n\t\t\t\tif (age > l->max_time)\n\t\t\t\t\tl->max_time = age;\n\n\t\t\t\tif (track->pid < l->min_pid)\n\t\t\t\t\tl->min_pid = track->pid;\n\t\t\t\tif (track->pid > l->max_pid)\n\t\t\t\t\tl->max_pid = track->pid;\n\n\t\t\t\tcpumask_set_cpu(track->cpu,\n\t\t\t\t\t\tto_cpumask(l->cpus));\n\t\t\t}\n\t\t\tnode_set(page_to_nid(virt_to_page(track)), l->nodes);\n\t\t\treturn 1;\n\t\t}\n\n\t\tif (track->addr < caddr)\n\t\t\tend = pos;\n\t\telse\n\t\t\tstart = pos;\n\t}\n\n\t/*\n\t * Not found. Insert new tracking element.\n\t */\n\tif (t->count >= t->max && !alloc_loc_track(t, 2 * t->max, GFP_ATOMIC))\n\t\treturn 0;\n\n\tl = t->loc + pos;\n\tif (pos < t->count)\n\t\tmemmove(l + 1, l,\n\t\t\t(t->count - pos) * sizeof(struct location));\n\tt->count++;\n\tl->count = 1;\n\tl->addr = track->addr;\n\tl->sum_time = age;\n\tl->min_time = age;\n\tl->max_time = age;\n\tl->min_pid = track->pid;\n\tl->max_pid = track->pid;\n\tcpumask_clear(to_cpumask(l->cpus));\n\tcpumask_set_cpu(track->cpu, to_cpumask(l->cpus));\n\tnodes_clear(l->nodes);\n\tnode_set(page_to_nid(virt_to_page(track)), l->nodes);\n\treturn 1;\n}", "project": "linux", "hash": 337139615144086696024467699456765768808, "size": 75, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the 
next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280065 }, { "func": "static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)\n{\n\tstruct net *net = sock_net(sk);\n\tint err = 0;\n\tstruct sadb_lifetime *lifetime;\n\tstruct sadb_address *sa;\n\tstruct sadb_x_policy *pol;\n\tstruct xfrm_policy *xp;\n\tstruct km_event c;\n\tstruct sadb_x_sec_ctx *sec_ctx;\n\n\tif (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],\n\t\t\t\t ext_hdrs[SADB_EXT_ADDRESS_DST-1]) ||\n\t !ext_hdrs[SADB_X_EXT_POLICY-1])\n\t\treturn -EINVAL;\n\n\tpol = ext_hdrs[SADB_X_EXT_POLICY-1];\n\tif (pol->sadb_x_policy_type > IPSEC_POLICY_IPSEC)\n\t\treturn -EINVAL;\n\tif (!pol->sadb_x_policy_dir || pol->sadb_x_policy_dir >= IPSEC_DIR_MAX)\n\t\treturn -EINVAL;\n\n\txp = xfrm_policy_alloc(net, GFP_KERNEL);\n\tif (xp == NULL)\n\t\treturn -ENOBUFS;\n\n\txp->action = (pol->sadb_x_policy_type == IPSEC_POLICY_DISCARD ?\n\t\t XFRM_POLICY_BLOCK : XFRM_POLICY_ALLOW);\n\txp->priority = pol->sadb_x_policy_priority;\n\n\tsa = ext_hdrs[SADB_EXT_ADDRESS_SRC-1];\n\txp->family = pfkey_sadb_addr2xfrm_addr(sa, &xp->selector.saddr);\n\txp->selector.family = xp->family;\n\txp->selector.prefixlen_s = sa->sadb_address_prefixlen;\n\txp->selector.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);\n\txp->selector.sport = ((struct sockaddr_in *)(sa+1))->sin_port;\n\tif (xp->selector.sport)\n\t\txp->selector.sport_mask = htons(0xffff);\n\n\tsa = ext_hdrs[SADB_EXT_ADDRESS_DST-1];\n\tpfkey_sadb_addr2xfrm_addr(sa, 
&xp->selector.daddr);\n\txp->selector.prefixlen_d = sa->sadb_address_prefixlen;\n\n\t/* Amusing, we set this twice. KAME apps appear to set same value\n\t * in both addresses.\n\t */\n\txp->selector.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);\n\n\txp->selector.dport = ((struct sockaddr_in *)(sa+1))->sin_port;\n\tif (xp->selector.dport)\n\t\txp->selector.dport_mask = htons(0xffff);\n\n\tsec_ctx = ext_hdrs[SADB_X_EXT_SEC_CTX - 1];\n\tif (sec_ctx != NULL) {\n\t\tstruct xfrm_user_sec_ctx *uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx, GFP_KERNEL);\n\n\t\tif (!uctx) {\n\t\t\terr = -ENOBUFS;\n\t\t\tgoto out;\n\t\t}\n\n\t\terr = security_xfrm_policy_alloc(&xp->security, uctx, GFP_KERNEL);\n\t\tkfree(uctx);\n\n\t\tif (err)\n\t\t\tgoto out;\n\t}\n\n\txp->lft.soft_byte_limit = XFRM_INF;\n\txp->lft.hard_byte_limit = XFRM_INF;\n\txp->lft.soft_packet_limit = XFRM_INF;\n\txp->lft.hard_packet_limit = XFRM_INF;\n\tif ((lifetime = ext_hdrs[SADB_EXT_LIFETIME_HARD-1]) != NULL) {\n\t\txp->lft.hard_packet_limit = _KEY2X(lifetime->sadb_lifetime_allocations);\n\t\txp->lft.hard_byte_limit = _KEY2X(lifetime->sadb_lifetime_bytes);\n\t\txp->lft.hard_add_expires_seconds = lifetime->sadb_lifetime_addtime;\n\t\txp->lft.hard_use_expires_seconds = lifetime->sadb_lifetime_usetime;\n\t}\n\tif ((lifetime = ext_hdrs[SADB_EXT_LIFETIME_SOFT-1]) != NULL) {\n\t\txp->lft.soft_packet_limit = _KEY2X(lifetime->sadb_lifetime_allocations);\n\t\txp->lft.soft_byte_limit = _KEY2X(lifetime->sadb_lifetime_bytes);\n\t\txp->lft.soft_add_expires_seconds = lifetime->sadb_lifetime_addtime;\n\t\txp->lft.soft_use_expires_seconds = lifetime->sadb_lifetime_usetime;\n\t}\n\txp->xfrm_nr = 0;\n\tif (pol->sadb_x_policy_type == IPSEC_POLICY_IPSEC &&\n\t (err = parse_ipsecrequests(xp, pol)) < 0)\n\t\tgoto out;\n\n\terr = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp,\n\t\t\t\t hdr->sadb_msg_type != SADB_X_SPDUPDATE);\n\n\txfrm_audit_policy_add(xp, err ? 
0 : 1, true);\n\n\tif (err)\n\t\tgoto out;\n\n\tif (hdr->sadb_msg_type == SADB_X_SPDUPDATE)\n\t\tc.event = XFRM_MSG_UPDPOLICY;\n\telse\n\t\tc.event = XFRM_MSG_NEWPOLICY;\n\n\tc.seq = hdr->sadb_msg_seq;\n\tc.portid = hdr->sadb_msg_pid;\n\n\tkm_policy_notify(xp, pol->sadb_x_policy_dir-1, &c);\n\txfrm_pol_put(xp);\n\treturn 0;\n\nout:\n\txp->walk.dead = 1;\n\txfrm_policy_destroy(xp);\n\treturn err;\n}", "project": "linux", "hash": 16580677247849350170459655429525425556, "size": 114, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268012 }, { "func": "static inline bool chain_epi_lockless(struct epitem *epi)\n{\n\tstruct eventpoll *ep = epi->ep;\n\n\t/* Fast preliminary check */\n\tif (epi->next != EP_UNACTIVE_PTR)\n\t\treturn false;\n\n\t/* Check that the same epi has not been just chained from another CPU */\n\tif (cmpxchg(&epi->next, EP_UNACTIVE_PTR, NULL) != EP_UNACTIVE_PTR)\n\t\treturn false;\n\n\t/* Atomically exchange tail */\n\tepi->next = xchg(&ep->ovflist, epi);\n\n\treturn true;\n}", "project": "linux", "hash": 163214714426721968317964859974143371230, "size": 17, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336284 }, { "func": " Item_cache(THD *thd, enum_field_types field_type_arg):\n Item_basic_constant(thd),\n Type_handler_hybrid_field_type(field_type_arg),\n example(0), cached_field(0),\n value_cached(0)\n {\n fixed= 1;\n maybe_null= 1;\n null_value= 1;\n null_value_inside= true;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 134373962016520984648231853435380895336, "size": 11, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509106 }, { "func": " Item_cache(THD *thd):\n Item_basic_constant(thd),\n Type_handler_hybrid_field_type(MYSQL_TYPE_STRING),\n example(0), cached_field(0),\n value_cached(0)\n {\n fixed= 1;\n maybe_null= 1;\n null_value= 1;\n null_value_inside= true;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 34577753386699995480149779810160860235, "size": 11, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509193 }, { "func": " Status TryImport() {\n TF_RETURN_IF_ERROR(EnsureNoNameCollisions());\n TF_RETURN_IF_ERROR(ValidateInputMapAndControlDependencies());\n TF_RETURN_IF_ERROR(BuildNodeIndex());\n TF_RETURN_IF_ERROR(InitFromEdges());\n\n // NOTE: Convert() invokes `consume_node_def()` on each node in the input\n // graph, so `get_node_def()` is no longer usable once it is called.\n TF_RETURN_IF_ERROR(Convert());\n\n TF_RETURN_IF_ERROR(AddBackEdges());\n TF_RETURN_IF_ERROR(UpdateVersionDef());\n TF_RETURN_IF_ERROR(PopulateReturnTensors());\n TF_RETURN_IF_ERROR(PopulateReturnNodes());\n TF_RETURN_IF_ERROR(PopulateMissingUnusedInputMapKeys());\n UpdateUniquifiedColocationNames();\n FixupSourceAndSinkEdges(g_);\n return Status::OK();\n }", "project": "tensorflow", "hash": 10666909073366846255796173406353518465, "size": 19, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268311 }, { "func": "inline StringData::Proxy* StringData::proxy() {\n return static_cast(payload());\n}", "project": "hhvm", "hash": 329688095479316137714201427141088114667, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219401 }, { "func": "inline const StringData::Proxy* StringData::proxy() const {\n return static_cast(payload());\n}", "project": "hhvm", "hash": 100130370874029438693811100563017289945, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219734 }, { "func": "url_set_file (struct url *url, const char *newfile)\n{\n xfree (url->file);\n url->file = xstrdup (newfile);\n sync_path (url);\n}", "target": 0, "cwe": [], "project": "wget", "commit_id": "59b920874daa565a1323ffa1e756e80493190686", "hash": 243135268307449136734205928824782094237, "size": 6, "message": "Support non-ASCII URLs\n\n* src/url.c [HAVE_ICONV]: Include iconv.h and langinfo.h.\n(convert_fname): New function.\n[HAVE_ICONV]: Convert file name from remote encoding to local\nencoding.\n(url_file_name): Call convert_fname.\n(filechr_table): Don't consider bytes in 128..159 as control\ncharacters.\n\n* tests/Test-ftp-iri.px: Fix the expected file name to match the\nnew file-name recoding. 
State the remote encoding explicitly on\nthe Wget command line.\n\n* NEWS: Mention the URI recoding when built with libiconv.", "dataset": "other", "idx": 498265 }, { "func": "sync_path (struct url *u)\n{\n char *newpath, *efile, *edir;\n\n xfree (u->path);\n\n /* u->dir and u->file are not escaped. URL-escape them before\n reassembling them into u->path. That way, if they contain\n separators like '?' or even if u->file contains slashes, the\n path will be correctly assembled. (u->file can contain slashes\n if the URL specifies it with %2f, or if an FTP server returns\n it.) */\n edir = url_escape_dir (u->dir);\n efile = url_escape_1 (u->file, urlchr_unsafe | urlchr_reserved, 1);\n\n if (!*edir)\n newpath = xstrdup (efile);\n else\n {\n int dirlen = strlen (edir);\n int filelen = strlen (efile);\n\n /* Copy \"DIR/FILE\" to newpath. */\n char *p = newpath = xmalloc (dirlen + 1 + filelen + 1);\n memcpy (p, edir, dirlen);\n p += dirlen;\n *p++ = '/';\n memcpy (p, efile, filelen);\n p += filelen;\n *p = '\\0';\n }\n\n u->path = newpath;\n\n if (edir != u->dir)\n xfree (edir);\n if (efile != u->file)\n xfree (efile);\n\n /* Regenerate u->url as well. */\n xfree (u->url);\n u->url = url_string (u, URL_AUTH_SHOW);\n}", "target": 0, "cwe": [], "project": "wget", "commit_id": "59b920874daa565a1323ffa1e756e80493190686", "hash": 207999684885135778916474678089319613969, "size": 43, "message": "Support non-ASCII URLs\n\n* src/url.c [HAVE_ICONV]: Include iconv.h and langinfo.h.\n(convert_fname): New function.\n[HAVE_ICONV]: Convert file name from remote encoding to local\nencoding.\n(url_file_name): Call convert_fname.\n(filechr_table): Don't consider bytes in 128..159 as control\ncharacters.\n\n* tests/Test-ftp-iri.px: Fix the expected file name to match the\nnew file-name recoding. 
State the remote encoding explicitly on\nthe Wget command line.\n\n* NEWS: Mention the URI recoding when built with libiconv.", "dataset": "other", "idx": 498274 }, { "func": "url_set_dir (struct url *url, const char *newdir)\n{\n xfree (url->dir);\n url->dir = xstrdup (newdir);\n sync_path (url);\n}", "target": 0, "cwe": [], "project": "wget", "commit_id": "59b920874daa565a1323ffa1e756e80493190686", "hash": 82868318601970913482559953420569681537, "size": 6, "message": "Support non-ASCII URLs\n\n* src/url.c [HAVE_ICONV]: Include iconv.h and langinfo.h.\n(convert_fname): New function.\n[HAVE_ICONV]: Convert file name from remote encoding to local\nencoding.\n(url_file_name): Call convert_fname.\n(filechr_table): Don't consider bytes in 128..159 as control\ncharacters.\n\n* tests/Test-ftp-iri.px: Fix the expected file name to match the\nnew file-name recoding. State the remote encoding explicitly on\nthe Wget command line.\n\n* NEWS: Mention the URI recoding when built with libiconv.", "dataset": "other", "idx": 498280 }, { "func": "void fuse_change_attributes(struct inode *inode, struct fuse_attr *attr,\n\t\t\t u64 attr_valid, u64 attr_version)\n{\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\tbool is_wb = fc->writeback_cache;\n\tloff_t oldsize;\n\tstruct timespec64 old_mtime;\n\n\tspin_lock(&fi->lock);\n\tif ((attr_version != 0 && fi->attr_version > attr_version) ||\n\t test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) {\n\t\tspin_unlock(&fi->lock);\n\t\treturn;\n\t}\n\n\told_mtime = inode->i_mtime;\n\tfuse_change_attributes_common(inode, attr, attr_valid);\n\n\toldsize = inode->i_size;\n\t/*\n\t * In case of writeback_cache enabled, the cached writes beyond EOF\n\t * extend local i_size without keeping userspace server in sync. So,\n\t * attr->size coming from server can be stale. 
We cannot trust it.\n\t */\n\tif (!is_wb || !S_ISREG(inode->i_mode))\n\t\ti_size_write(inode, attr->size);\n\tspin_unlock(&fi->lock);\n\n\tif (!is_wb && S_ISREG(inode->i_mode)) {\n\t\tbool inval = false;\n\n\t\tif (oldsize != attr->size) {\n\t\t\ttruncate_pagecache(inode, attr->size);\n\t\t\tif (!fc->explicit_inval_data)\n\t\t\t\tinval = true;\n\t\t} else if (fc->auto_inval_data) {\n\t\t\tstruct timespec64 new_mtime = {\n\t\t\t\t.tv_sec = attr->mtime,\n\t\t\t\t.tv_nsec = attr->mtimensec,\n\t\t\t};\n\n\t\t\t/*\n\t\t\t * Auto inval mode also checks and invalidates if mtime\n\t\t\t * has changed.\n\t\t\t */\n\t\t\tif (!timespec64_equal(&old_mtime, &new_mtime))\n\t\t\t\tinval = true;\n\t\t}\n\n\t\tif (inval)\n\t\t\tinvalidate_inode_pages2(inode->i_mapping);\n\t}\n}", "project": "linux", "hash": 263108081412866567854358936527737945139, "size": 54, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342054 }, { "func": "lua_call_throttle::~lua_call_throttle()\n{\n if (!--lua->mixed_call_depth)\n lua_map.erase(lua->state());\n}", "project": "crawl", "hash": 213011944396032132272710571457318822478, "size": 5, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230516 }, { "func": "std::string getAsyncFetchFilterConfig(const std::string& config_str, bool fast_listener) {\n JwtAuthentication proto_config;\n TestUtility::loadFromYaml(config_str, proto_config);\n\n auto& provider0 = (*proto_config.mutable_providers())[std::string(ProviderName)];\n auto* async_fetch = provider0.mutable_remote_jwks()->mutable_async_fetch();\n async_fetch->set_fast_listener(fast_listener);\n\n HttpFilter filter;\n filter.set_name(\"envoy.filters.http.jwt_authn\");\n filter.mutable_typed_config()->PackFrom(proto_config);\n return MessageUtil::getJsonStringFromMessageOrDie(filter);\n}", "project": "envoy", "hash": 24036486187776501420876924092236145817, "size": 13, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246626 }, { "project": "Chrome", "commit_id": "87190165c55bcf3eecd8824dd8d083f5e3236552", "target": 0, "func": "AudioInputStream* AudioManagerBase::MakeAudioInputStream(\n const AudioParameters& params, const std::string& device_id) {\n if (!params.IsValid() || (params.channels() > kMaxInputChannels) ||\n device_id.empty()) {\n DLOG(ERROR) << \"Audio parameters are invalid for device 
\" << device_id;\n return NULL;\n }\n\n if (num_input_streams_ >= max_num_input_streams_) {\n DLOG(ERROR) << \"Number of opened input audio streams \"\n << num_input_streams_\n << \" exceed the max allowed number \" << max_num_input_streams_;\n return NULL;\n }\n\n AudioInputStream* stream = NULL;\n if (params.format() == AudioParameters::AUDIO_MOCK) {\n stream = FakeAudioInputStream::MakeFakeStream(this, params);\n } else if (params.format() == AudioParameters::AUDIO_PCM_LINEAR) {\n stream = MakeLinearInputStream(params, device_id);\n } else if (params.format() == AudioParameters::AUDIO_PCM_LOW_LATENCY) {\n stream = MakeLowLatencyInputStream(params, device_id);\n }\n\n if (stream)\n ++num_input_streams_;\n\n return stream;\n}\n", "cwe": "", "big_vul_idx": 113845, "idx": 102046, "hash": 70846404849214912905712334678039865588 }, { "func": "static void encode_read(struct xdr_stream *xdr, const struct nfs_pgio_args *args,\n\t\t\tstruct compound_hdr *hdr)\n{\n\t__be32 *p;\n\n\tencode_op_hdr(xdr, OP_READ, decode_read_maxsz, hdr);\n\tencode_nfs4_stateid(xdr, &args->stateid);\n\n\tp = reserve_space(xdr, 12);\n\tp = xdr_encode_hyper(p, args->offset);\n\t*p = cpu_to_be32(args->count);\n}", "project": "linux", "hash": 97988507660233597560606180452573857345, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431081 }, { "func": "PHPAPI void php_register_variable(char *var, char *strval, zval *track_vars_array)\n{\n\tphp_register_variable_safe(var, strval, strlen(strval), track_vars_array);\n}", "project": "php-src", "hash": 
299983276149361725597584020519946067920, "size": 4, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374973 }, { "project": "Chrome", "commit_id": "3454ed7b88318dcd4539c6e1a50d27b0ca535686", "target": 0, "func": "bool IsFormSubmit(const NavigationEntry* entry) {\n return (ui::PageTransitionStripQualifier(entry->GetTransitionType()) ==\n ui::PAGE_TRANSITION_FORM_SUBMIT);\n}\n", "cwe": "", "big_vul_idx": 130382, "idx": 179058, "hash": 100582242152559326519779665758243763247 }, { "func": "Expression::ExpressionVector ExpressionNary::parseArguments(ExpressionContext* const expCtx,\n BSONElement exprElement,\n const VariablesParseState& vps) {\n ExpressionVector out;\n if (exprElement.type() == Array) {\n BSONForEach(elem, exprElement.Obj()) {\n out.push_back(Expression::parseOperand(expCtx, elem, vps));\n }\n } else { // Assume it's an operand that accepts a single argument.\n out.push_back(Expression::parseOperand(expCtx, exprElement, vps));\n }\n\n return out;\n}", "project": "mongo", "hash": 302142423051680368620664334337213803883, "size": 14, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370055 }, { "func": "static void mm_release(struct task_struct *tsk, struct mm_struct *mm)\n{\n\tuprobe_free_utask(tsk);\n\n\t/* Get rid of any cached register state */\n\tdeactivate_mm(tsk, mm);\n\n\t/*\n\t * Signal userspace if we're not exiting with a core dump\n\t * because we want to leave the value intact for debugging\n\t * purposes.\n\t */\n\tif (tsk->clear_child_tid) {\n\t\tif (!(tsk->signal->flags & SIGNAL_GROUP_COREDUMP) &&\n\t\t atomic_read(&mm->mm_users) > 1) {\n\t\t\t/*\n\t\t\t * We don't check the error code - if userspace has\n\t\t\t * not set up a proper pointer then tough luck.\n\t\t\t */\n\t\t\tput_user(0, 
tsk->clear_child_tid);\n\t\t\tdo_futex(tsk->clear_child_tid, FUTEX_WAKE,\n\t\t\t\t\t1, NULL, NULL, 0, 0);\n\t\t}\n\t\ttsk->clear_child_tid = NULL;\n\t}\n\n\t/*\n\t * All done, finally we can wake up parent and return this mm to him.\n\t * Also kthread_stop() uses this completion for synchronization.\n\t */\n\tif (tsk->vfork_done)\n\t\tcomplete_vfork_done(tsk);\n}", "project": "linux", "hash": 31811927508372958543614042353691115013, "size": 33, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293675 }, { "func": "bool pb_decode_delimited_noinit(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)\n{\n pb_istream_t substream;\n bool status;\n\n if (!pb_make_string_substream(stream, &substream))\n return false;\n\n status = pb_decode_noinit(&substream, fields, dest_struct);\n\n if (!pb_close_string_substream(stream, &substream))\n return false;\n return status;\n}", "project": "nanopb", "hash": 331546788660327621976823748313748550797, "size": 14, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252496 }, { "func": "static u64 kvm_hv_send_ipi(struct kvm_vcpu *vcpu, u64 ingpa, u64 outgpa,\n\t\t\t bool ex, bool fast)\n{\n\tstruct kvm *kvm = vcpu->kvm;\n\tstruct hv_send_ipi_ex send_ipi_ex;\n\tstruct hv_send_ipi send_ipi;\n\tu64 vp_bitmap[KVM_HV_MAX_SPARSE_VCPU_SET_BITS];\n\tDECLARE_BITMAP(vcpu_bitmap, KVM_MAX_VCPUS);\n\tunsigned long *vcpu_mask;\n\tunsigned long valid_bank_mask;\n\tu64 sparse_banks[64];\n\tint sparse_banks_len;\n\tu32 vector;\n\tbool 
all_cpus;\n\n\tif (!ex) {\n\t\tif (!fast) {\n\t\t\tif (unlikely(kvm_read_guest(kvm, ingpa, &send_ipi,\n\t\t\t\t\t\t sizeof(send_ipi))))\n\t\t\t\treturn HV_STATUS_INVALID_HYPERCALL_INPUT;\n\t\t\tsparse_banks[0] = send_ipi.cpu_mask;\n\t\t\tvector = send_ipi.vector;\n\t\t} else {\n\t\t\t/* 'reserved' part of hv_send_ipi should be 0 */\n\t\t\tif (unlikely(ingpa >> 32 != 0))\n\t\t\t\treturn HV_STATUS_INVALID_HYPERCALL_INPUT;\n\t\t\tsparse_banks[0] = outgpa;\n\t\t\tvector = (u32)ingpa;\n\t\t}\n\t\tall_cpus = false;\n\t\tvalid_bank_mask = BIT_ULL(0);\n\n\t\ttrace_kvm_hv_send_ipi(vector, sparse_banks[0]);\n\t} else {\n\t\tif (unlikely(kvm_read_guest(kvm, ingpa, &send_ipi_ex,\n\t\t\t\t\t sizeof(send_ipi_ex))))\n\t\t\treturn HV_STATUS_INVALID_HYPERCALL_INPUT;\n\n\t\ttrace_kvm_hv_send_ipi_ex(send_ipi_ex.vector,\n\t\t\t\t\t send_ipi_ex.vp_set.format,\n\t\t\t\t\t send_ipi_ex.vp_set.valid_bank_mask);\n\n\t\tvector = send_ipi_ex.vector;\n\t\tvalid_bank_mask = send_ipi_ex.vp_set.valid_bank_mask;\n\t\tsparse_banks_len = bitmap_weight(&valid_bank_mask, 64) *\n\t\t\tsizeof(sparse_banks[0]);\n\n\t\tall_cpus = send_ipi_ex.vp_set.format == HV_GENERIC_SET_ALL;\n\n\t\tif (!sparse_banks_len)\n\t\t\tgoto ret_success;\n\n\t\tif (!all_cpus &&\n\t\t kvm_read_guest(kvm,\n\t\t\t\t ingpa + offsetof(struct hv_send_ipi_ex,\n\t\t\t\t\t\t vp_set.bank_contents),\n\t\t\t\t sparse_banks,\n\t\t\t\t sparse_banks_len))\n\t\t\treturn HV_STATUS_INVALID_HYPERCALL_INPUT;\n\t}\n\n\tif ((vector < HV_IPI_LOW_VECTOR) || (vector > HV_IPI_HIGH_VECTOR))\n\t\treturn HV_STATUS_INVALID_HYPERCALL_INPUT;\n\n\tvcpu_mask = all_cpus ? 
NULL :\n\t\tsparse_set_to_vcpu_mask(kvm, sparse_banks, valid_bank_mask,\n\t\t\t\t\tvp_bitmap, vcpu_bitmap);\n\n\tkvm_send_ipi_to_many(kvm, vector, vcpu_mask);\n\nret_success:\n\treturn HV_STATUS_SUCCESS;\n}", "project": "linux", "hash": 303985030816439606896717451611032536898, "size": 73, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343499 }, { "func": "void moveFrom(UnicodeString &dest, UnicodeString &src) {\n dest = std::move(src);\n}", "project": "icu", "hash": 143236381344283007563254242521614183087, "size": 3, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430760 }, { "func": "void LanLinkProvider::addLink(const QString& deviceId, QSslSocket* socket, NetworkPacket* receivedPacket, LanDeviceLink::ConnectionStarted connectionOrigin)\n{\n // Socket disconnection will now be handled by LanDeviceLink\n disconnect(socket, &QAbstractSocket::disconnected, socket, &QObject::deleteLater);\n\n LanDeviceLink* deviceLink;\n //Do we have a link for this device already?\n QMap< QString, LanDeviceLink* >::iterator linkIterator = m_links.find(deviceId);\n if (linkIterator != m_links.end()) {\n //qCDebug(KDECONNECT_CORE) << \"Reusing link to\" << deviceId;\n deviceLink = linkIterator.value();\n deviceLink->reset(socket, connectionOrigin);\n } else {\n deviceLink = new LanDeviceLink(deviceId, this, socket, connectionOrigin);\n connect(deviceLink, &QObject::destroyed, this, &LanLinkProvider::deviceLinkDestroyed);\n m_links[deviceId] = deviceLink;\n if (m_pairingHandlers.contains(deviceId)) {\n //We shouldn't have a pairinghandler if we didn't have a link.\n //Crash if debug, recover if release (by setting the new devicelink to the old pairinghandler)\n Q_ASSERT(m_pairingHandlers.contains(deviceId));\n m_pairingHandlers[deviceId]->setDeviceLink(deviceLink);\n }\n }\n 
Q_EMIT onConnectionReceived(*receivedPacket, deviceLink);\n}", "project": "kdeconnect-kde", "hash": 173422384228019084279107414716208706323, "size": 25, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 1, "dataset": "other", "idx": 195488 }, { "func": "void LanLinkProvider::addLink(const QString& deviceId, QSslSocket* socket, NetworkPacket* receivedPacket, LanDeviceLink::ConnectionStarted connectionOrigin)\n{\n // Socket disconnection will now be handled by LanDeviceLink\n disconnect(socket, &QAbstractSocket::disconnected, socket, &QObject::deleteLater);\n\n LanDeviceLink* deviceLink;\n //Do we have a link for this device already?\n QMap< QString, LanDeviceLink* >::iterator linkIterator = m_links.find(deviceId);\n if (linkIterator != m_links.end()) {\n //qCDebug(KDECONNECT_CORE) << \"Reusing link to\" << deviceId;\n deviceLink = linkIterator.value();\n deviceLink->reset(socket, connectionOrigin);\n } else {\n deviceLink = new LanDeviceLink(deviceId, this, socket, connectionOrigin);\n // Socket disconnection will now be handled by LanDeviceLink\n disconnect(socket, &QAbstractSocket::disconnected, socket, &QObject::deleteLater);\n bool isDeviceTrusted = KdeConnectConfig::instance().trustedDevices().contains(deviceId);\n if (!isDeviceTrusted && m_links.size() > MAX_UNPAIRED_CONNECTIONS) {\n qCWarning(KDECONNECT_CORE) << \"Too many unpaired devices to remember them all. 
Ignoring \" << deviceId;\n socket->disconnectFromHost();\n socket->deleteLater();\n return;\n }\n connect(deviceLink, &QObject::destroyed, this, &LanLinkProvider::deviceLinkDestroyed);\n m_links[deviceId] = deviceLink;\n if (m_pairingHandlers.contains(deviceId)) {\n //We shouldn't have a pairinghandler if we didn't have a link.\n //Crash if debug, recover if release (by setting the new devicelink to the old pairinghandler)\n Q_ASSERT(m_pairingHandlers.contains(deviceId));\n m_pairingHandlers[deviceId]->setDeviceLink(deviceLink);\n }\n }\n Q_EMIT onConnectionReceived(*receivedPacket, deviceLink);\n}", "project": "kdeconnect-kde", "hash": 240980444615899412189553804947186003078, "size": 34, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227355 }, { "func": "static void ecryptfs_copy_mount_wide_flags_to_inode_flags(\n\tstruct ecryptfs_crypt_stat *crypt_stat,\n\tstruct ecryptfs_mount_crypt_stat *mount_crypt_stat)\n{\n\tif (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED)\n\t\tcrypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;\n\tif (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)\n\t\tcrypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED;\n\tif (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) {\n\t\tcrypt_stat->flags |= ECRYPTFS_ENCRYPT_FILENAMES;\n\t\tif (mount_crypt_stat->flags\n\t\t & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)\n\t\t\tcrypt_stat->flags |= ECRYPTFS_ENCFN_USE_MOUNT_FNEK;\n\t\telse if (mount_crypt_stat->flags\n\t\t\t & ECRYPTFS_GLOBAL_ENCFN_USE_FEK)\n\t\t\tcrypt_stat->flags |= ECRYPTFS_ENCFN_USE_FEK;\n\t}\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 281506798891054053130707203242543280591, "size": 18, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen 
allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490185 }, { "func": "static void vc_uniscr_set(struct vc_data *vc, struct uni_screen *new_uniscr)\n{\n\tkfree(vc->vc_uni_screen);\n\tvc->vc_uni_screen = new_uniscr;\n}", "project": "linux", "hash": 139808957940369159483292270591836788646, "size": 5, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). 
This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 
[inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437048 }, { "func": "static inline void queue_me(struct futex_q *q, struct futex_hash_bucket *hb)\n{\n\tint prio;\n\n\t/*\n\t * The priority used to register this element is\n\t * - either the real thread-priority for the real-time threads\n\t * (i.e. threads with a priority lower than MAX_RT_PRIO)\n\t * - or MAX_RT_PRIO for non-RT threads.\n\t * Thus, all RT-threads are woken first in priority order, and\n\t * the others are woken last, in FIFO order.\n\t */\n\tprio = min(current->normal_prio, MAX_RT_PRIO);\n\n\tplist_node_init(&q->list, prio);\n#ifdef CONFIG_DEBUG_PI_LIST\n\tq->list.plist.spinlock = &hb->lock;\n#endif\n\tplist_add(&q->list, &hb->chain);\n\tq->task = current;\n\tspin_unlock(&hb->lock);\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 198218879814110985619697847933236795138, "size": 22, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. 
glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492311 }, { "func": "UnicodeStringTest::TestSpacePadding()\n{\n UnicodeString test1(\"hello\");\n UnicodeString test2(\" there\");\n UnicodeString test3(\"Hi! How ya doin'? 
Beautiful day, isn't it?\");\n UnicodeString test4;\n UBool returnVal;\n UnicodeString expectedValue;\n\n returnVal = test1.padLeading(15);\n expectedValue = \" hello\";\n if (returnVal == FALSE || test1 != expectedValue)\n errln(\"padLeading() failed: expected \\\"\" + expectedValue + \"\\\", got \\\"\" + test1 + \"\\\".\");\n\n returnVal = test2.padTrailing(15);\n expectedValue = \" there \";\n if (returnVal == FALSE || test2 != expectedValue)\n errln(\"padTrailing() failed: expected \\\"\" + expectedValue + \"\\\", got \\\"\" + test2 + \"\\\".\");\n\n expectedValue = test3;\n returnVal = test3.padTrailing(15);\n if (returnVal == TRUE || test3 != expectedValue)\n errln(\"padTrailing() failed: expected \\\"\" + expectedValue + \"\\\", got \\\"\" + test3 + \"\\\".\");\n\n expectedValue = \"hello\";\n test4.setTo(test1).trim();\n\n if (test4 != expectedValue || test1 == expectedValue || test4 != expectedValue)\n errln(\"trim(UnicodeString&) failed\");\n \n test1.trim();\n if (test1 != expectedValue)\n errln(\"trim() failed: expected \\\"\" + expectedValue + \"\\\", got \\\"\" + test1 + \"\\\".\");\n\n test2.trim();\n expectedValue = \"there\";\n if (test2 != expectedValue)\n errln(\"trim() failed: expected \\\"\" + expectedValue + \"\\\", got \\\"\" + test2 + \"\\\".\");\n\n test3.trim();\n expectedValue = \"Hi! How ya doin'? 
Beautiful day, isn't it?\";\n if (test3 != expectedValue)\n errln(\"trim() failed: expected \\\"\" + expectedValue + \"\\\", got \\\"\" + test3 + \"\\\".\");\n\n returnVal = test1.truncate(15);\n expectedValue = \"hello\";\n if (returnVal == TRUE || test1 != expectedValue)\n errln(\"truncate() failed: expected \\\"\" + expectedValue + \"\\\", got \\\"\" + test1 + \"\\\".\");\n\n returnVal = test2.truncate(15);\n expectedValue = \"there\";\n if (returnVal == TRUE || test2 != expectedValue)\n errln(\"truncate() failed: expected \\\"\" + expectedValue + \"\\\", got \\\"\" + test2 + \"\\\".\");\n\n returnVal = test3.truncate(15);\n expectedValue = \"Hi! How ya doi\";\n if (returnVal == FALSE || test3 != expectedValue)\n errln(\"truncate() failed: expected \\\"\" + expectedValue + \"\\\", got \\\"\" + test3 + \"\\\".\");\n}", "project": "icu", "hash": 214246111402289179092777689446459984853, "size": 59, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430861 }, { "func": "void mark_rect_as_modified(int x1, int y1, int x2, int y2, int force) {\n\n\tif (damage_time != 0) {\n\t\t/*\n\t\t * This is not XDAMAGE, rather a hack for testing\n\t\t * where we allow the framebuffer to be corrupted for\n\t\t * damage_delay seconds.\n\t\t */\n\t\tint debug = 0;\n\t\tif (time(NULL) > damage_time + damage_delay) {\n\t\t\tif (! 
quiet) {\n\t\t\t\trfbLog(\"damaging turned off.\\n\");\n\t\t\t}\n\t\t\tdamage_time = 0;\n\t\t\tdamage_delay = 0;\n\t\t} else {\n\t\t\tif (debug) {\n\t\t\t\trfbLog(\"damaging viewer fb by not marking \"\n\t\t\t\t \"rect: %d,%d,%d,%d\\n\", x1, y1, x2, y2);\n\t\t\t}\n\t\t\treturn;\n\t\t}\n\t}\n\n\n\tif (rfb_fb == main_fb || force) {\n\t\tmark_wrapper(x1, y1, x2, y2);\n\t\treturn;\n\t}\n\n\tif (cmap8to24) {\n\t\tbpp8to24(x1, y1, x2, y2);\n\t}\n\n\tif (scaling) {\n\t\tscale_and_mark_rect(x1, y1, x2, y2, 1);\n\t} else {\n\t\tmark_wrapper(x1, y1, x2, y2);\n\t}\n}", "project": "x11vnc", "hash": 104053314330558577261028035095976544542, "size": 40, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360777 }, { "func": "static int fuse_dentry_revalidate(struct dentry *entry, unsigned int flags)\n{\n\tstruct inode *inode;\n\tstruct dentry *parent;\n\tstruct fuse_mount *fm;\n\tstruct fuse_inode *fi;\n\tint ret;\n\n\tinode = d_inode_rcu(entry);\n\tif (inode && fuse_is_bad(inode))\n\t\tgoto invalid;\n\telse if (time_before64(fuse_dentry_time(entry), get_jiffies_64()) ||\n\t\t (flags & (LOOKUP_EXCL | LOOKUP_REVAL))) {\n\t\tstruct fuse_entry_out outarg;\n\t\tFUSE_ARGS(args);\n\t\tstruct fuse_forget_link *forget;\n\t\tu64 attr_version;\n\n\t\t/* For negative dentries, always do a fresh lookup */\n\t\tif (!inode)\n\t\t\tgoto invalid;\n\n\t\tret = -ECHILD;\n\t\tif (flags & LOOKUP_RCU)\n\t\t\tgoto out;\n\n\t\tfm = get_fuse_mount(inode);\n\n\t\tforget = fuse_alloc_forget();\n\t\tret = -ENOMEM;\n\t\tif (!forget)\n\t\t\tgoto out;\n\n\t\tattr_version = fuse_get_attr_version(fm->fc);\n\n\t\tparent = dget_parent(entry);\n\t\tfuse_lookup_init(fm->fc, &args, get_node_id(d_inode(parent)),\n\t\t\t\t &entry->d_name, &outarg);\n\t\tret = fuse_simple_request(fm, &args);\n\t\tdput(parent);\n\t\t/* Zero nodeid is same as -ENOENT */\n\t\tif (!ret && !outarg.nodeid)\n\t\t\tret = 
-ENOENT;\n\t\tif (!ret) {\n\t\t\tfi = get_fuse_inode(inode);\n\t\t\tif (outarg.nodeid != get_node_id(inode) ||\n\t\t\t (bool) IS_AUTOMOUNT(inode) != (bool) (outarg.attr.flags & FUSE_ATTR_SUBMOUNT)) {\n\t\t\t\tfuse_queue_forget(fm->fc, forget,\n\t\t\t\t\t\t outarg.nodeid, 1);\n\t\t\t\tgoto invalid;\n\t\t\t}\n\t\t\tspin_lock(&fi->lock);\n\t\t\tfi->nlookup++;\n\t\t\tspin_unlock(&fi->lock);\n\t\t}\n\t\tkfree(forget);\n\t\tif (ret == -ENOMEM)\n\t\t\tgoto out;\n\t\tif (ret || fuse_invalid_attr(&outarg.attr) ||\n\t\t (outarg.attr.mode ^ inode->i_mode) & S_IFMT)\n\t\t\tgoto invalid;\n\n\t\tforget_all_cached_acls(inode);\n\t\tfuse_change_attributes(inode, &outarg.attr,\n\t\t\t\t entry_attr_timeout(&outarg),\n\t\t\t\t attr_version);\n\t\tfuse_change_entry_timeout(entry, &outarg);\n\t} else if (inode) {\n\t\tfi = get_fuse_inode(inode);\n\t\tif (flags & LOOKUP_RCU) {\n\t\t\tif (test_bit(FUSE_I_INIT_RDPLUS, &fi->state))\n\t\t\t\treturn -ECHILD;\n\t\t} else if (test_and_clear_bit(FUSE_I_INIT_RDPLUS, &fi->state)) {\n\t\t\tparent = dget_parent(entry);\n\t\t\tfuse_advise_use_readdirplus(d_inode(parent));\n\t\t\tdput(parent);\n\t\t}\n\t}\n\tret = 1;\nout:\n\treturn ret;\n\ninvalid:\n\tret = 0;\n\tgoto out;\n}", "project": "linux", "hash": 223297076476149852647190991999332319113, "size": 86, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342043 }, { "func": "static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_num_comp_blocks *ev = (void *) skb->data;\n\tint i;\n\n\tif (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {\n\t\tbt_dev_err(hdev, \"wrong event for mode %d\", hdev->flow_ctl_mode);\n\t\treturn;\n\t}\n\n\tif (skb->len < sizeof(*ev) ||\n\t skb->len < struct_size(ev, handles, ev->num_hndl)) {\n\t\tBT_DBG(\"%s bad parameters\", hdev->name);\n\t\treturn;\n\t}\n\n\tBT_DBG(\"%s num_blocks %d num_hndl %d\", hdev->name, ev->num_blocks,\n\t ev->num_hndl);\n\n\tfor (i = 0; i < ev->num_hndl; i++) {\n\t\tstruct hci_comp_blocks_info *info = &ev->handles[i];\n\t\tstruct hci_conn *conn = NULL;\n\t\t__u16 handle, block_count;\n\n\t\thandle = __le16_to_cpu(info->handle);\n\t\tblock_count = __le16_to_cpu(info->blocks);\n\n\t\tconn = __hci_conn_lookup_handle(hdev, handle);\n\t\tif (!conn)\n\t\t\tcontinue;\n\n\t\tconn->sent -= block_count;\n\n\t\tswitch (conn->type) {\n\t\tcase ACL_LINK:\n\t\tcase AMP_LINK:\n\t\t\thdev->block_cnt += block_count;\n\t\t\tif (hdev->block_cnt > hdev->num_blocks)\n\t\t\t\thdev->block_cnt = hdev->num_blocks;\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tbt_dev_err(hdev, \"unknown type %d conn %p\",\n\t\t\t\t conn->type, conn);\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tqueue_work(hdev->workqueue, &hdev->tx_work);\n}", "project": "linux", "hash": 156920025715537019972793355808170773646, "size": 50, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. 
A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431957 }, { "func": "static void retarget_shared_pending(struct task_struct *tsk, sigset_t *which)\n{\n\tsigset_t retarget;\n\tstruct task_struct *t;\n\n\tsigandsets(&retarget, &tsk->signal->shared_pending.signal, which);\n\tif (sigisemptyset(&retarget))\n\t\treturn;\n\n\tt = tsk;\n\twhile_each_thread(tsk, t) {\n\t\tif (t->flags & PF_EXITING)\n\t\t\tcontinue;\n\n\t\tif (!has_pending_signals(&retarget, &t->blocked))\n\t\t\tcontinue;\n\t\t/* Remove the signals this thread can handle. */\n\t\tsigandsets(&retarget, &retarget, &t->blocked);\n\n\t\tif (!signal_pending(t))\n\t\t\tsignal_wake_up(t, 0);\n\n\t\tif (sigisemptyset(&retarget))\n\t\t\tbreak;\n\t}\n}", "project": "linux", "hash": 201217727652209676356214227950289821304, "size": 26, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375191 }, { "func": "static struct bfq_queue *\nbfq_rq_pos_tree_lookup(struct bfq_data *bfqd, struct rb_root *root,\n\t\t sector_t sector, struct rb_node **ret_parent,\n\t\t struct rb_node ***rb_link)\n{\n\tstruct rb_node **p, *parent;\n\tstruct bfq_queue *bfqq = NULL;\n\n\tparent = NULL;\n\tp = &root->rb_node;\n\twhile (*p) {\n\t\tstruct rb_node **n;\n\n\t\tparent = *p;\n\t\tbfqq = rb_entry(parent, struct bfq_queue, pos_node);\n\n\t\t/*\n\t\t * Sort strictly based on sector. Smallest to the left,\n\t\t * largest to the right.\n\t\t */\n\t\tif (sector > blk_rq_pos(bfqq->next_rq))\n\t\t\tn = &(*p)->rb_right;\n\t\telse if (sector < blk_rq_pos(bfqq->next_rq))\n\t\t\tn = &(*p)->rb_left;\n\t\telse\n\t\t\tbreak;\n\t\tp = n;\n\t\tbfqq = NULL;\n\t}\n\n\t*ret_parent = parent;\n\tif (rb_link)\n\t\t*rb_link = p;\n\n\tbfq_log(bfqd, \"rq_pos_tree_lookup %llu: returning %d\",\n\t\t(unsigned long long)sector,\n\t\tbfqq ? 
bfqq->pid : 0);\n\n\treturn bfqq;", "project": "linux", "hash": 292806134496644230529599631783393346159, "size": 39, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] 
do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] 
__wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 
453350 }, { "func": "void oidc_strip_cookies(request_rec *r) {\n\n\tchar *cookie, *ctx, *result = NULL;\n\tconst char *name = NULL;\n\tint i;\n\n\tapr_array_header_t *strip = oidc_dir_cfg_strip_cookies(r);\n\n\tchar *cookies = apr_pstrdup(r->pool, oidc_util_hdr_in_cookie_get(r));\n\n\tif ((cookies != NULL) && (strip != NULL)) {\n\n\t\toidc_debug(r,\n\t\t\t\t\"looking for the following cookies to strip from cookie header: %s\",\n\t\t\t\tapr_array_pstrcat(r->pool, strip, OIDC_CHAR_COMMA));\n\n\t\tcookie = apr_strtok(cookies, OIDC_STR_SEMI_COLON, &ctx);\n\n\t\tdo {\n\t\t\twhile (cookie != NULL && *cookie == OIDC_CHAR_SPACE)\n\t\t\t\tcookie++;\n\n\t\t\tfor (i = 0; i < strip->nelts; i++) {\n\t\t\t\tname = ((const char**) strip->elts)[i];\n\t\t\t\tif ((strncmp(cookie, name, strlen(name)) == 0)\n\t\t\t\t\t\t&& (cookie[strlen(name)] == OIDC_CHAR_EQUAL)) {\n\t\t\t\t\toidc_debug(r, \"stripping: %s\", name);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (i == strip->nelts) {\n\t\t\t\tresult = result ? 
apr_psprintf(r->pool, \"%s%s %s\", result,\n\t\t\t\t\t\tOIDC_STR_SEMI_COLON, cookie) :\n\t\t\t\t\t\tcookie;\n\t\t\t}\n\n\t\t\tcookie = apr_strtok(NULL, OIDC_STR_SEMI_COLON, &ctx);\n\t\t} while (cookie != NULL);\n\n\t\toidc_util_hdr_in_cookie_set(r, result);\n\t}\n}", "project": "mod_auth_openidc", "hash": 51963733914420950738874115356000418536, "size": 43, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381972 }, { "func": "void oidc_strip_cookies(request_rec *r) {\n\n\tchar *cookie, *ctx, *result = NULL;\n\tconst char *name = NULL;\n\tint i;\n\n\tapr_array_header_t *strip = oidc_dir_cfg_strip_cookies(r);\n\n\tchar *cookies = apr_pstrdup(r->pool, oidc_util_hdr_in_cookie_get(r));\n\n\tif ((cookies != NULL) && (strip != NULL)) {\n\n\t\toidc_debug(r,\n\t\t\t\t\"looking for the following cookies to strip from cookie header: %s\",\n\t\t\t\tapr_array_pstrcat(r->pool, strip, OIDC_CHAR_COMMA));\n\n\t\tcookie = apr_strtok(cookies, OIDC_STR_SEMI_COLON, &ctx);\n\n\t\tdo {\n\t\t\twhile (cookie != NULL && *cookie == OIDC_CHAR_SPACE)\n\t\t\t\tcookie++;\n\n\t\t\tfor (i = 0; i < strip->nelts; i++) {\n\t\t\t\tname = ((const char**) strip->elts)[i];\n\t\t\t\tif ((strncmp(cookie, name, strlen(name)) == 0)\n\t\t\t\t\t\t&& (cookie[strlen(name)] == OIDC_CHAR_EQUAL)) {\n\t\t\t\t\toidc_debug(r, \"stripping: %s\", name);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (i == strip->nelts) {\n\t\t\t\tresult = result ? 
apr_psprintf(r->pool, \"%s%s%s\", result,\n\t\t\t\t\t\tOIDC_STR_SEMI_COLON, cookie) :\n\t\t\t\t\t\tcookie;\n\t\t\t}\n\n\t\t\tcookie = apr_strtok(NULL, OIDC_STR_SEMI_COLON, &ctx);\n\t\t} while (cookie != NULL);\n\n\t\toidc_util_hdr_in_cookie_set(r, result);\n\t}\n}", "project": "mod_auth_openidc", "hash": 189818593347524362337705220105453462140, "size": 43, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447717 }, { "func": "int mnt_split_optstr(const char *optstr, char **user, char **vfs,\n\t\t char **fs, int ignore_user, int ignore_vfs)\n{\n\tint rc = 0;\n\tchar *name, *val, *str = (char *) optstr;\n\tsize_t namesz, valsz, chunsz;\n\tstruct libmnt_optmap const *maps[2];\n\tstruct ul_buffer xvfs = UL_INIT_BUFFER,\n\t\t\t xfs = UL_INIT_BUFFER,\n\t\t\t xuser = UL_INIT_BUFFER;\n\n\tif (!optstr)\n\t\treturn -EINVAL;\n\n\tmaps[0] = mnt_get_builtin_optmap(MNT_LINUX_MAP);\n\tmaps[1] = mnt_get_builtin_optmap(MNT_USERSPACE_MAP);\n\n\tchunsz = strlen(optstr) / 2;\n\n\twhile (!mnt_optstr_next_option(&str, &name, &namesz, &val, &valsz)) {\n\t\tstruct ul_buffer *buf = NULL;\n\t\tconst struct libmnt_optmap *ent = NULL;\n\t\tconst struct libmnt_optmap *m =\n\t\t\t mnt_optmap_get_entry(maps, 2, name, namesz, &ent);\n\n\t\tif (ent && !ent->id)\n\t\t\tcontinue;\t/* ignore undefined options (comments) */\n\n\t\t/* ignore name= if options map expects only */\n\t\tif (valsz && mnt_optmap_entry_novalue(ent))\n\t\t\tm = NULL;\n\n\t\tif (ent && m && m == maps[0] && vfs) {\n\t\t\tif (ignore_vfs && (ent->mask & ignore_vfs))\n\t\t\t\tcontinue;\n\t\t\tif (vfs)\n\t\t\t\tbuf = &xvfs;\n\t\t} else if (ent && m && m == maps[1] && user) {\n\t\t\tif (ignore_user && (ent->mask & ignore_user))\n\t\t\t\tcontinue;\n\t\t\tif (user)\n\t\t\t\tbuf = &xuser;\n\t\t} else if (!m && fs) {\n\t\t\tif (fs)\n\t\t\t\tbuf = &xfs;\n\t\t}\n\n\t\tif (buf) {\n\t\t\tif 
(ul_buffer_is_empty(buf))\n\t\t\t\tul_buffer_set_chunksize(buf, chunsz);\n\t\t\trc = __buffer_append_option(buf, name, namesz, val, valsz);\n\t\t}\n\t\tif (rc)\n\t\t\tbreak;\n\t}\n\n\tif (vfs)\n\t\t*vfs = rc ? NULL : ul_buffer_get_data(&xvfs, NULL, NULL);\n\tif (fs)\n\t\t*fs = rc ? NULL : ul_buffer_get_data(&xfs, NULL, NULL);\n\tif (user)\n\t\t*user = rc ? NULL : ul_buffer_get_data(&xuser, NULL, NULL);\n\tif (rc) {\n\t\tul_buffer_free_data(&xvfs);\n\t\tul_buffer_free_data(&xfs);\n\t\tul_buffer_free_data(&xuser);\n\t}\n\n\treturn rc;\n}", "project": "util-linux", "hash": 311045917185752226200744368938318607946, "size": 70, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410406 }, { "func": "void CSoundFile::ReverseSampleOffset(ModChannel &chn, ModCommand::PARAM param) const\n{\n\tif(chn.pModSample != nullptr)\n\t{\n\t\tchn.dwFlags.set(CHN_PINGPONGFLAG);\n\t\tchn.dwFlags.reset(CHN_LOOP);\n\t\tchn.nLength = chn.pModSample->nLength;\t// If there was a loop, extend sample to whole length.\n\t\tchn.position.Set((chn.nLength - 1) - std::min(SmpLength(param) << 8, chn.nLength - 1), 0);\n\t}\n}", "project": "openmpt", "hash": 199229929675318185733084471503294026655, "size": 10, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255226 }, { "func": "static int kvm_s390_vcpu_setup(struct kvm_vcpu *vcpu)\n{\n\tint rc = 0;\n\tu16 uvrc, 
uvrrc;\n\n\tatomic_set(&vcpu->arch.sie_block->cpuflags, CPUSTAT_ZARCH |\n\t\t\t\t\t\t CPUSTAT_SM |\n\t\t\t\t\t\t CPUSTAT_STOPPED);\n\n\tif (test_kvm_facility(vcpu->kvm, 78))\n\t\tkvm_s390_set_cpuflags(vcpu, CPUSTAT_GED2);\n\telse if (test_kvm_facility(vcpu->kvm, 8))\n\t\tkvm_s390_set_cpuflags(vcpu, CPUSTAT_GED);\n\n\tkvm_s390_vcpu_setup_model(vcpu);\n\n\t/* pgste_set_pte has special handling for !MACHINE_HAS_ESOP */\n\tif (MACHINE_HAS_ESOP)\n\t\tvcpu->arch.sie_block->ecb |= ECB_HOSTPROTINT;\n\tif (test_kvm_facility(vcpu->kvm, 9))\n\t\tvcpu->arch.sie_block->ecb |= ECB_SRSI;\n\tif (test_kvm_facility(vcpu->kvm, 73))\n\t\tvcpu->arch.sie_block->ecb |= ECB_TE;\n\n\tif (test_kvm_facility(vcpu->kvm, 8) && vcpu->kvm->arch.use_pfmfi)\n\t\tvcpu->arch.sie_block->ecb2 |= ECB2_PFMFI;\n\tif (test_kvm_facility(vcpu->kvm, 130))\n\t\tvcpu->arch.sie_block->ecb2 |= ECB2_IEP;\n\tvcpu->arch.sie_block->eca = ECA_MVPGI | ECA_PROTEXCI;\n\tif (sclp.has_cei)\n\t\tvcpu->arch.sie_block->eca |= ECA_CEI;\n\tif (sclp.has_ib)\n\t\tvcpu->arch.sie_block->eca |= ECA_IB;\n\tif (sclp.has_siif)\n\t\tvcpu->arch.sie_block->eca |= ECA_SII;\n\tif (sclp.has_sigpif)\n\t\tvcpu->arch.sie_block->eca |= ECA_SIGPI;\n\tif (test_kvm_facility(vcpu->kvm, 129)) {\n\t\tvcpu->arch.sie_block->eca |= ECA_VX;\n\t\tvcpu->arch.sie_block->ecd |= ECD_HOSTREGMGMT;\n\t}\n\tif (test_kvm_facility(vcpu->kvm, 139))\n\t\tvcpu->arch.sie_block->ecd |= ECD_MEF;\n\tif (test_kvm_facility(vcpu->kvm, 156))\n\t\tvcpu->arch.sie_block->ecd |= ECD_ETOKENF;\n\tif (vcpu->arch.sie_block->gd) {\n\t\tvcpu->arch.sie_block->eca |= ECA_AIV;\n\t\tVCPU_EVENT(vcpu, 3, \"AIV gisa format-%u enabled for cpu %03u\",\n\t\t\t vcpu->arch.sie_block->gd & 0x3, vcpu->vcpu_id);\n\t}\n\tvcpu->arch.sie_block->sdnxo = ((unsigned long) &vcpu->run->s.regs.sdnx)\n\t\t\t\t\t| SDNXC;\n\tvcpu->arch.sie_block->riccbd = (unsigned long) &vcpu->run->s.regs.riccb;\n\n\tif (sclp.has_kss)\n\t\tkvm_s390_set_cpuflags(vcpu, CPUSTAT_KSS);\n\telse\n\t\tvcpu->arch.sie_block->ictl |= 
ICTL_ISKE | ICTL_SSKE | ICTL_RRBE;\n\n\tif (vcpu->kvm->arch.use_cmma) {\n\t\trc = kvm_s390_vcpu_setup_cmma(vcpu);\n\t\tif (rc)\n\t\t\treturn rc;\n\t}\n\thrtimer_init(&vcpu->arch.ckc_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);\n\tvcpu->arch.ckc_timer.function = kvm_s390_idle_wakeup;\n\n\tvcpu->arch.sie_block->hpid = HPID_KVM;\n\n\tkvm_s390_vcpu_crypto_setup(vcpu);\n\n\tmutex_lock(&vcpu->kvm->lock);\n\tif (kvm_s390_pv_is_protected(vcpu->kvm)) {\n\t\trc = kvm_s390_pv_create_cpu(vcpu, &uvrc, &uvrrc);\n\t\tif (rc)\n\t\t\tkvm_s390_vcpu_unsetup_cmma(vcpu);\n\t}\n\tmutex_unlock(&vcpu->kvm->lock);\n\n\treturn rc;\n}", "project": "linux", "hash": 149476364836180619786528018005437582218, "size": 81, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354657 }, { "func": "static u8 bredr_oob_data_present(struct hci_conn *conn)\n{\n\tstruct hci_dev *hdev = conn->hdev;\n\tstruct oob_data *data;\n\n\tdata = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);\n\tif (!data)\n\t\treturn 0x00;\n\n\tif (bredr_sc_enabled(hdev)) {\n\t\t/* When Secure Connections is enabled, then just\n\t\t * return the present value stored with the OOB\n\t\t * data. The stored value contains the right present\n\t\t * information. 
However it can only be trusted when\n\t\t * not in Secure Connection Only mode.\n\t\t */\n\t\tif (!hci_dev_test_flag(hdev, HCI_SC_ONLY))\n\t\t\treturn data->present;\n\n\t\t/* When Secure Connections Only mode is enabled, then\n\t\t * the P-256 values are required. If they are not\n\t\t * available, then do not declare that OOB data is\n\t\t * present.\n\t\t */\n\t\tif (!memcmp(data->rand256, ZERO_KEY, 16) ||\n\t\t !memcmp(data->hash256, ZERO_KEY, 16))\n\t\t\treturn 0x00;\n\n\t\treturn 0x02;\n\t}\n\n\t/* When Secure Connections is not enabled or actually\n\t * not supported by the hardware, then check that if\n\t * P-192 data values are present.\n\t */\n\tif (!memcmp(data->rand192, ZERO_KEY, 16) ||\n\t !memcmp(data->hash192, ZERO_KEY, 16))\n\t\treturn 0x00;\n\n\treturn 0x01;\n}", "project": "linux", "hash": 50800853709590461884218237143794736554, "size": 41, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431953 }, { "func": "static void nf_tables_set_notify(const struct nft_ctx *ctx,\n\t\t\t\t const struct nft_set *set, int event,\n\t\t\t gfp_t gfp_flags)\n{\n\tstruct nftables_pernet *nft_net = nft_pernet(ctx->net);\n\tstruct sk_buff *skb;\n\tu32 portid = ctx->portid;\n\tint err;\n\n\tif (!ctx->report &&\n\t !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))\n\t\treturn;\n\n\tskb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);\n\tif (skb == NULL)\n\t\tgoto err;\n\n\terr = nf_tables_fill_set(skb, ctx, set, event, 0);\n\tif (err < 0) {\n\t\tkfree_skb(skb);\n\t\tgoto err;\n\t}\n\n\tnft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);\n\treturn;\nerr:\n\tnfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);\n}", "project": "linux", "hash": 194811021072310663234268869685710629408, "size": 28, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? 
nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328374 }, { "func": "void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_event_hdr *hdr = (void *) skb->data;\n\thci_req_complete_t req_complete = NULL;\n\thci_req_complete_skb_t req_complete_skb = NULL;\n\tstruct sk_buff *orig_skb = NULL;\n\tu8 status = 0, event = hdr->evt, req_evt = 0;\n\tu16 opcode = HCI_OP_NOP;\n\n\tif (!event) {\n\t\tbt_dev_warn(hdev, \"Received unexpected HCI Event 00000000\");\n\t\tgoto done;\n\t}\n\n\tif (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {\n\t\tstruct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;\n\t\topcode = __le16_to_cpu(cmd_hdr->opcode);\n\t\thci_req_cmd_complete(hdev, opcode, status, &req_complete,\n\t\t\t\t &req_complete_skb);\n\t\treq_evt = event;\n\t}\n\n\t/* If it looks like we might end up having to call\n\t * req_complete_skb, store a pristine copy of the skb since the\n\t * various handlers may modify the original one through\n\t * skb_pull() calls, etc.\n\t */\n\tif (req_complete_skb || event == HCI_EV_CMD_STATUS ||\n\t event == HCI_EV_CMD_COMPLETE)\n\t\torig_skb = skb_clone(skb, GFP_KERNEL);\n\n\tskb_pull(skb, HCI_EVENT_HDR_SIZE);\n\n\tswitch (event) {\n\tcase HCI_EV_INQUIRY_COMPLETE:\n\t\thci_inquiry_complete_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_INQUIRY_RESULT:\n\t\thci_inquiry_result_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_CONN_COMPLETE:\n\t\thci_conn_complete_evt(hdev, skb);\n\t\tbreak;\n\n\tcase 
HCI_EV_CONN_REQUEST:\n\t\thci_conn_request_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_DISCONN_COMPLETE:\n\t\thci_disconn_complete_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_AUTH_COMPLETE:\n\t\thci_auth_complete_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_REMOTE_NAME:\n\t\thci_remote_name_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_ENCRYPT_CHANGE:\n\t\thci_encrypt_change_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_CHANGE_LINK_KEY_COMPLETE:\n\t\thci_change_link_key_complete_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_REMOTE_FEATURES:\n\t\thci_remote_features_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_CMD_COMPLETE:\n\t\thci_cmd_complete_evt(hdev, skb, &opcode, &status,\n\t\t\t\t &req_complete, &req_complete_skb);\n\t\tbreak;\n\n\tcase HCI_EV_CMD_STATUS:\n\t\thci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,\n\t\t\t\t &req_complete_skb);\n\t\tbreak;\n\n\tcase HCI_EV_HARDWARE_ERROR:\n\t\thci_hardware_error_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_ROLE_CHANGE:\n\t\thci_role_change_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_NUM_COMP_PKTS:\n\t\thci_num_comp_pkts_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_MODE_CHANGE:\n\t\thci_mode_change_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_PIN_CODE_REQ:\n\t\thci_pin_code_request_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_LINK_KEY_REQ:\n\t\thci_link_key_request_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_LINK_KEY_NOTIFY:\n\t\thci_link_key_notify_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_CLOCK_OFFSET:\n\t\thci_clock_offset_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_PKT_TYPE_CHANGE:\n\t\thci_pkt_type_change_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_PSCAN_REP_MODE:\n\t\thci_pscan_rep_mode_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_INQUIRY_RESULT_WITH_RSSI:\n\t\thci_inquiry_result_with_rssi_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_REMOTE_EXT_FEATURES:\n\t\thci_remote_ext_features_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_SYNC_CONN_COMPLETE:\n\t\thci_sync_conn_complete_evt(hdev, 
skb);\n\t\tbreak;\n\n\tcase HCI_EV_EXTENDED_INQUIRY_RESULT:\n\t\thci_extended_inquiry_result_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_KEY_REFRESH_COMPLETE:\n\t\thci_key_refresh_complete_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_IO_CAPA_REQUEST:\n\t\thci_io_capa_request_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_IO_CAPA_REPLY:\n\t\thci_io_capa_reply_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_USER_CONFIRM_REQUEST:\n\t\thci_user_confirm_request_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_USER_PASSKEY_REQUEST:\n\t\thci_user_passkey_request_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_USER_PASSKEY_NOTIFY:\n\t\thci_user_passkey_notify_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_KEYPRESS_NOTIFY:\n\t\thci_keypress_notify_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_SIMPLE_PAIR_COMPLETE:\n\t\thci_simple_pair_complete_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_REMOTE_HOST_FEATURES:\n\t\thci_remote_host_features_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_LE_META:\n\t\thci_le_meta_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_REMOTE_OOB_DATA_REQUEST:\n\t\thci_remote_oob_data_request_evt(hdev, skb);\n\t\tbreak;\n\n#if IS_ENABLED(CONFIG_BT_HS)\n\tcase HCI_EV_CHANNEL_SELECTED:\n\t\thci_chan_selected_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_PHY_LINK_COMPLETE:\n\t\thci_phy_link_complete_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_LOGICAL_LINK_COMPLETE:\n\t\thci_loglink_complete_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:\n\t\thci_disconn_loglink_complete_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_DISCONN_PHY_LINK_COMPLETE:\n\t\thci_disconn_phylink_complete_evt(hdev, skb);\n\t\tbreak;\n#endif\n\n\tcase HCI_EV_NUM_COMP_BLOCKS:\n\t\thci_num_comp_blocks_evt(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_EV_VENDOR:\n\t\tmsft_vendor_evt(hdev, skb);\n\t\tbreak;\n\n\tdefault:\n\t\tBT_DBG(\"%s event 0x%2.2x\", hdev->name, event);\n\t\tbreak;\n\t}\n\n\tif (req_complete) {\n\t\treq_complete(hdev, status, opcode);\n\t} else if (req_complete_skb) 
{\n\t\tif (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {\n\t\t\tkfree_skb(orig_skb);\n\t\t\torig_skb = NULL;\n\t\t}\n\t\treq_complete_skb(hdev, status, opcode, orig_skb);\n\t}\n\ndone:\n\tkfree_skb(orig_skb);\n\tkfree_skb(skb);\n\thdev->stat.evt_rx++;\n}", "project": "linux", "hash": 324677493386654097309155519863602685837, "size": 234, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431917 }, { "func": "void CSoundFile::FineVolumeDown(ModChannel *pChn, ModCommand::PARAM param, bool volCol) const\n{\n\tif(GetType() == MOD_TYPE_XM)\n\t{\n\t\t// FT2 compatibility: EAx / EBx memory is not linked\n\t\t// Test case: FineVol-LinkMem.xm\n\t\tif(param) pChn->nOldFineVolUpDown = param | (pChn->nOldFineVolUpDown & 0xF0); else param = (pChn->nOldFineVolUpDown & 0x0F);\n\t} else if(volCol)\n\t{\n\t\tif(param) pChn->nOldVolParam = param; else param = pChn->nOldVolParam;\n\t} else\n\t{\n\t\tif(param) pChn->nOldFineVolUpDown = param; else param = pChn->nOldFineVolUpDown;\n\t}\n\n\tif(pChn->isFirstTick)\n\t{\n\t\tpChn->nVolume -= param * 4;\n\t\tif(pChn->nVolume < 0) pChn->nVolume = 0;\n\t\tif(GetType() & MOD_TYPE_MOD) pChn->dwFlags.set(CHN_FASTVOLRAMP);\n\t}\n}", "project": "openmpt", "hash": 286709257813975002206154360389140523460, "size": 22, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing 
length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255175 }, { "func": "static int kvm_s390_get_tod_low(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tu64 gtod;\n\n\tgtod = kvm_s390_get_tod_clock_fast(kvm);\n\tif (copy_to_user((void __user *)attr->addr, >od, sizeof(gtod)))\n\t\treturn -EFAULT;\n\tVM_EVENT(kvm, 3, \"QUERY: TOD base: 0x%llx\", gtod);\n\n\treturn 0;\n}", "project": "linux", "hash": 25147969058779241765359395020139854323, "size": 11, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354593 }, { "func": "void input_set_abs_params(struct input_dev *dev, unsigned int axis,\n\t\t\t int min, int max, int fuzz, int flat)\n{\n\tstruct input_absinfo *absinfo;\n\n\tinput_alloc_absinfo(dev);\n\tif (!dev->absinfo)\n\t\treturn;\n\n\tabsinfo = &dev->absinfo[axis];\n\tabsinfo->minimum = min;\n\tabsinfo->maximum = max;\n\tabsinfo->fuzz = fuzz;\n\tabsinfo->flat = flat;\n\n\t__set_bit(EV_ABS, dev->evbit);\n\t__set_bit(axis, dev->absbit);\n}", "project": "linux", "hash": 53362303417859689209061272608263730212, "size": 18, "commit_id": 
"cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353393 }, { "func": "static int vmsave_interception(struct vcpu_svm *svm)\n{\n\tstruct vmcb *nested_vmcb;\n\tstruct kvm_host_map map;\n\tint ret;\n\n\tif (nested_svm_check_permissions(svm))\n\t\treturn 1;\n\n\tret = kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(svm->vmcb->save.rax), &map);\n\tif (ret) {\n\t\tif (ret == -EINVAL)\n\t\t\tkvm_inject_gp(&svm->vcpu, 0);\n\t\treturn 1;\n\t}\n\n\tnested_vmcb = map.hva;\n\n\tret = kvm_skip_emulated_instruction(&svm->vcpu);\n\n\tnested_svm_vmloadsave(svm->vmcb, nested_vmcb);\n\tkvm_vcpu_unmap(&svm->vcpu, &map, true);\n\n\treturn ret;\n}", "project": "linux", "hash": 60987741539746965945704654170318041878, "size": 25, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432424 }, { "func": "static int vmsave_interception(struct vcpu_svm *svm)\n{\n\tstruct vmcb *nested_vmcb;\n\tstruct page *page;\n\n\tif (nested_svm_check_permissions(svm))\n\t\treturn 1;\n\n\tnested_vmcb = nested_svm_map(svm, svm->vmcb->save.rax, &page);\n\tif (!nested_vmcb)\n\t\treturn 1;\n\n\tsvm->next_rip = kvm_rip_read(&svm->vcpu) + 3;\n\tskip_emulated_instruction(&svm->vcpu);\n\n\tnested_svm_vmloadsave(svm->vmcb, nested_vmcb);\n\tnested_svm_unmap(page);\n\n\treturn 1;\n}", "project": "kvm", "hash": 171605282454115263116586291400351321607, "size": 20, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437552 }, { "func": "int send_sig_mceerr(int code, void __user *addr, short lsb, struct task_struct *t)\n{\n\tstruct kernel_siginfo info;\n\n\tWARN_ON((code != BUS_MCEERR_AO) && (code != BUS_MCEERR_AR));\n\tclear_siginfo(&info);\n\tinfo.si_signo = SIGBUS;\n\tinfo.si_errno = 0;\n\tinfo.si_code = code;\n\tinfo.si_addr = addr;\n\tinfo.si_addr_lsb = lsb;\n\treturn send_sig_info(info.si_signo, &info, t);\n}", "project": "linux", "hash": 291620284780924332813439327835966446485, "size": 13, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. 
With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375163 }, { "func": "static int kvm_s390_get_cpu_model(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tint ret = -ENXIO;\n\n\tswitch (attr->attr) {\n\tcase KVM_S390_VM_CPU_PROCESSOR:\n\t\tret = kvm_s390_get_processor(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_CPU_MACHINE:\n\t\tret = kvm_s390_get_machine(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_CPU_PROCESSOR_FEAT:\n\t\tret = kvm_s390_get_processor_feat(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_CPU_MACHINE_FEAT:\n\t\tret = kvm_s390_get_machine_feat(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_CPU_PROCESSOR_SUBFUNC:\n\t\tret = kvm_s390_get_processor_subfunc(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_CPU_MACHINE_SUBFUNC:\n\t\tret = kvm_s390_get_machine_subfunc(kvm, attr);\n\t\tbreak;\n\t}\n\treturn ret;\n}", "project": "linux", "hash": 243673424200040064545984847408700202628, "size": 26, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354745 }, { "func": "static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)\n{\n ap__logio_add_bytes_out = APR_RETRIEVE_OPTIONAL_FN(ap_logio_add_bytes_out);\n ident_lookup = APR_RETRIEVE_OPTIONAL_FN(ap_ident_lookup);\n ap__authz_ap_some_auth_required = APR_RETRIEVE_OPTIONAL_FN(authz_some_auth_required);\n 
authn_ap_auth_type = APR_RETRIEVE_OPTIONAL_FN(authn_ap_auth_type);\n authn_ap_auth_name = APR_RETRIEVE_OPTIONAL_FN(authn_ap_auth_name);\n access_compat_ap_satisfies = APR_RETRIEVE_OPTIONAL_FN(access_compat_ap_satisfies);\n\n set_banner(pconf);\n ap_setup_make_content_type(pconf);\n ap_setup_auth_internal(ptemp);\n if (!sys_privileges) {\n ap_log_error(APLOG_MARK, APLOG_CRIT, 0, NULL, APLOGNO(00136)\n \"Server MUST relinquish startup privileges before \"\n \"accepting connections. Please ensure mod_unixd \"\n \"or other system security module is loaded.\");\n return !OK;\n }\n apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper,\n apr_pool_cleanup_null);\n return OK;\n}", "project": "httpd", "hash": 315790722177886048594861196489151630262, "size": 23, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246308 }, { "func": "static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)\n{\n\tstruct hci_cp_read_remote_features *cp;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (!status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));\n\tif (conn) {\n\t\tif (conn->state == BT_CONFIG) {\n\t\t\thci_connect_cfm(conn, status);\n\t\t\thci_conn_drop(conn);\n\t\t}\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 98573659227463083696991274191851492234, "size": 26, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": 
"Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432027 }, { "func": "static int discoverable_update(struct hci_request *req, unsigned long opt)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\n\thci_dev_lock(hdev);\n\n\tif (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {\n\t\twrite_iac(req);\n\t\t__hci_req_update_scan(req);\n\t\t__hci_req_update_class(req);\n\t}\n\n\t/* Advertising instances don't use the global discoverable setting, so\n\t * only update AD if advertising was enabled using Set Advertising.\n\t */\n\tif (hci_dev_test_flag(hdev, HCI_ADVERTISING)) {\n\t\t__hci_req_update_adv_data(req, 0x00);\n\n\t\t/* Discoverable mode affects the local advertising\n\t\t * address in limited privacy mode.\n\t\t */\n\t\tif (hci_dev_test_flag(hdev, HCI_LIMITED_PRIVACY)) {\n\t\t\tif (ext_adv_capable(hdev))\n\t\t\t\t__hci_req_start_ext_adv(req, 0x00);\n\t\t\telse\n\t\t\t\t__hci_req_enable_advertising(req);\n\t\t}\n\t}\n\n\thci_dev_unlock(hdev);\n\n\treturn 0;\n}", "project": "linux", "hash": 324876049940772235118647490119912450911, "size": 33, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402521 }, { "func": "static int test_get(struct libmnt_test *ts, int argc, char *argv[])\n{\n\tchar *optstr;\n\tconst char *name;\n\tchar *val = NULL;\n\tsize_t sz = 0;\n\tint rc;\n\n\tif (argc < 2)\n\t\treturn -EINVAL;\n\toptstr = argv[1];\n\tname = argv[2];\n\n\trc = mnt_optstr_get_option(optstr, name, &val, &sz);\n\tif (rc == 0) {\n\t\tprintf(\"found; name: %s\", name);\n\t\tif (sz) {\n\t\t\tprintf(\", argument: size=%zd data=\", sz);\n\t\t\tif (fwrite(val, 1, sz, stdout) != sz)\n\t\t\t\treturn -1;\n\t\t}\n\t\tprintf(\"\\n\");\n\t} else if (rc == 1)\n\t\tprintf(\"%s: not found\\n\", name);\n\telse\n\t\tprintf(\"parse error: %s\\n\", optstr);\n\treturn rc;\n}", "project": "util-linux", "hash": 117013181593018265491982445888258305823, "size": 28, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410437 }, { "func": "static int fuse_symlink_readpage(struct file *null, struct page *page)\n{\n\tint err = fuse_readlink_page(page->mapping->host, page);\n\n\tif (!err)\n\t\tSetPageUptodate(page);\n\n\tunlock_page(page);\n\n\treturn err;\n}", "project": "linux", "hash": 13831113524935701202597498541883270333, "size": 
11, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341911 }, { "func": "static int copy_all_tiles(void) {\n\tint x, y, n, m;\n\tint diffs = 0, ct;\n\n\tif (unixpw_in_progress) return 0;\n\n\tfor (y=0; y < ntiles_y; y++) {\n\t\tfor (x=0; x < ntiles_x; x++) {\n\t\t\tn = x + y * ntiles_x;\n\n\t\t\tif (tile_has_diff[n]) {\n\t\t\t\tct = copy_tiles(x, y, 1);\n\t\t\t\tif (ct < 0) return ct;\t/* fatal */\n\t\t\t}\n\t\t\tif (! tile_has_diff[n]) {\n\t\t\t\t/*\n\t\t\t\t * n.b. copy_tiles() may have detected\n\t\t\t\t * no change and reset tile_has_diff to 0.\n\t\t\t\t */\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tdiffs++;\n\n\t\t\t/* neighboring tile downward: */\n\t\t\tif ( (y+1) < ntiles_y && tile_region[n].bot_diff) {\n\t\t\t\tm = x + (y+1) * ntiles_x;\n\t\t\t\tif (! tile_has_diff[m]) {\n\t\t\t\t\ttile_has_diff[m] = 2;\n\t\t\t\t}\n\t\t\t}\n\t\t\t/* neighboring tile to right: */\n\t\t\tif ( (x+1) < ntiles_x && tile_region[n].right_diff) {\n\t\t\t\tm = (x+1) + y * ntiles_x;\n\t\t\t\tif (! 
tile_has_diff[m]) {\n\t\t\t\t\ttile_has_diff[m] = 2;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn diffs;\n}", "project": "x11vnc", "hash": 305294853621088311764525711706298309958, "size": 41, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360756 }, { "func": "static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_io_capa_request *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);\n\tif (!conn)\n\t\tgoto unlock;\n\n\thci_conn_hold(conn);\n\n\tif (!hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tgoto unlock;\n\n\t/* Allow pairing if we're pairable, the initiators of the\n\t * pairing or if the remote is not requesting bonding.\n\t */\n\tif (hci_dev_test_flag(hdev, HCI_BONDABLE) ||\n\t test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||\n\t (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {\n\t\tstruct hci_cp_io_capability_reply cp;\n\n\t\tbacpy(&cp.bdaddr, &ev->bdaddr);\n\t\t/* Change the IO capability from KeyboardDisplay\n\t\t * to DisplayYesNo as it is not supported by BT spec. 
*/\n\t\tcp.capability = (conn->io_capability == 0x04) ?\n\t\t\t\tHCI_IO_DISPLAY_YESNO : conn->io_capability;\n\n\t\t/* If we are initiators, there is no remote information yet */\n\t\tif (conn->remote_auth == 0xff) {\n\t\t\t/* Request MITM protection if our IO caps allow it\n\t\t\t * except for the no-bonding case.\n\t\t\t */\n\t\t\tif (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&\n\t\t\t conn->auth_type != HCI_AT_NO_BONDING)\n\t\t\t\tconn->auth_type |= 0x01;\n\t\t} else {\n\t\t\tconn->auth_type = hci_get_auth_req(conn);\n\t\t}\n\n\t\t/* If we're not bondable, force one of the non-bondable\n\t\t * authentication requirement values.\n\t\t */\n\t\tif (!hci_dev_test_flag(hdev, HCI_BONDABLE))\n\t\t\tconn->auth_type &= HCI_AT_NO_BONDING_MITM;\n\n\t\tcp.authentication = conn->auth_type;\n\t\tcp.oob_data = bredr_oob_data_present(conn);\n\n\t\thci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,\n\t\t\t sizeof(cp), &cp);\n\t} else {\n\t\tstruct hci_cp_io_capability_neg_reply cp;\n\n\t\tbacpy(&cp.bdaddr, &ev->bdaddr);\n\t\tcp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;\n\n\t\thci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,\n\t\t\t sizeof(cp), &cp);\n\t}\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 129563898001970420748318176799700899359, "size": 68, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432025 }, { "func": "static int oidc_handle_authorization_response(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session, apr_table_t *params, const char *response_mode) {\n\n\toidc_debug(r, \"enter, response_mode=%s\", response_mode);\n\n\toidc_provider_t *provider = NULL;\n\toidc_proto_state_t *proto_state = NULL;\n\toidc_jwt_t *jwt = NULL;\n\n\t/* see if this response came from a browser-back event */\n\tif (oidc_handle_browser_back(r, apr_table_get(params, OIDC_PROTO_STATE),\n\t\t\tsession) == TRUE)\n\t\treturn HTTP_MOVED_TEMPORARILY;\n\n\t/* match the returned state parameter against the state stored in the browser */\n\tif (oidc_authorization_response_match_state(r, c,\n\t\t\tapr_table_get(params, OIDC_PROTO_STATE), &provider, &proto_state)\n\t\t\t== FALSE) {\n\t\tif (c->default_sso_url != NULL) {\n\t\t\toidc_warn(r,\n\t\t\t\t\t\"invalid authorization response state; a default SSO URL is set, sending the user there: %s\",\n\t\t\t\t\tc->default_sso_url);\n\t\t\toidc_util_hdr_out_location_set(r, c->default_sso_url);\n\t\t\t//oidc_util_hdr_err_out_add(r, \"Location\", c->default_sso_url));\n\t\t\treturn HTTP_MOVED_TEMPORARILY;\n\t\t}\n\t\toidc_error(r,\n\t\t\t\t\"invalid authorization response state and no default SSO URL is set, sending an error...\");\n\t\t// if content was already returned via html/http send then don't return 500\n\t\t// but send 200 to avoid extraneous internal error document text to be sent\n\t\treturn ((r->user) && (strncmp(r->user, \"\", 1) == 0)) ?\n\t\t\t\tOK :\n\t\t\t\tHTTP_BAD_REQUEST;\n\t}\n\n\t/* see if the response is an error response */\n\tif (apr_table_get(params, 
OIDC_PROTO_ERROR) != NULL)\n\t\treturn oidc_authorization_response_error(r, c, proto_state,\n\t\t\t\tapr_table_get(params, OIDC_PROTO_ERROR),\n\t\t\t\tapr_table_get(params, OIDC_PROTO_ERROR_DESCRIPTION));\n\n\t/* handle the code, implicit or hybrid flow */\n\tif (oidc_handle_flows(r, c, proto_state, provider, params, response_mode,\n\t\t\t&jwt) == FALSE)\n\t\treturn oidc_authorization_response_error(r, c, proto_state,\n\t\t\t\t\"Error in handling response type.\", NULL);\n\n\tif (jwt == NULL) {\n\t\toidc_error(r, \"no id_token was provided\");\n\t\treturn oidc_authorization_response_error(r, c, proto_state,\n\t\t\t\t\"No id_token was provided.\", NULL);\n\t}\n\n\tint expires_in = oidc_parse_expires_in(r,\n\t\t\tapr_table_get(params, OIDC_PROTO_EXPIRES_IN));\n\tchar *userinfo_jwt = NULL;\n\n\t/*\n\t * optionally resolve additional claims against the userinfo endpoint\n\t * parsed claims are not actually used here but need to be parsed anyway for error checking purposes\n\t */\n\tconst char *claims = oidc_retrieve_claims_from_userinfo_endpoint(r, c,\n\t\t\tprovider, apr_table_get(params, OIDC_PROTO_ACCESS_TOKEN), NULL,\n\t\t\tjwt->payload.sub, &userinfo_jwt);\n\n\t/* restore the original protected URL that the user was trying to access */\n\tconst char *original_url = oidc_proto_state_get_original_url(proto_state);\n\tif (original_url != NULL)\n\t\toriginal_url = apr_pstrdup(r->pool, original_url);\n\tconst char *original_method = oidc_proto_state_get_original_method(\n\t\t\tproto_state);\n\tif (original_method != NULL)\n\t\toriginal_method = apr_pstrdup(r->pool, original_method);\n\tconst char *prompt = oidc_proto_state_get_prompt(proto_state);\n\n\t/* set the user */\n\tif (oidc_set_request_user(r, c, provider, jwt, claims) == TRUE) {\n\n\t\t/* session management: if the user in the new response is not equal to the old one, error out */\n\t\tif ((prompt != NULL)\n\t\t\t\t&& (apr_strnatcmp(prompt, OIDC_PROTO_PROMPT_NONE) == 0)) {\n\t\t\t// TOOD: actually need to 
compare sub? (need to store it in the session separately then\n\t\t\t//const char *sub = NULL;\n\t\t\t//oidc_session_get(r, session, \"sub\", &sub);\n\t\t\t//if (apr_strnatcmp(sub, jwt->payload.sub) != 0) {\n\t\t\tif (apr_strnatcmp(session->remote_user, r->user) != 0) {\n\t\t\t\toidc_warn(r,\n\t\t\t\t\t\t\"user set from new id_token is different from current one\");\n\t\t\t\toidc_jwt_destroy(jwt);\n\t\t\t\treturn oidc_authorization_response_error(r, c, proto_state,\n\t\t\t\t\t\t\"User changed!\", NULL);\n\t\t\t}\n\t\t}\n\n\t\t/* store resolved information in the session */\n\t\tif (oidc_save_in_session(r, c, session, provider, r->user,\n\t\t\t\tapr_table_get(params, OIDC_PROTO_ID_TOKEN), jwt, claims,\n\t\t\t\tapr_table_get(params, OIDC_PROTO_ACCESS_TOKEN), expires_in,\n\t\t\t\tapr_table_get(params, OIDC_PROTO_REFRESH_TOKEN),\n\t\t\t\tapr_table_get(params, OIDC_PROTO_SESSION_STATE),\n\t\t\t\tapr_table_get(params, OIDC_PROTO_STATE), original_url,\n\t\t\t\tuserinfo_jwt) == FALSE) {\n\t\t\toidc_proto_state_destroy(proto_state);\n\t\t\toidc_jwt_destroy(jwt);\n\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t\t}\n\n\t} else {\n\t\toidc_error(r, \"remote user could not be set\");\n\t\toidc_jwt_destroy(jwt);\n\t\treturn oidc_authorization_response_error(r, c, proto_state,\n\t\t\t\t\"Remote user could not be set: contact the website administrator\",\n\t\t\t\tNULL);\n\t}\n\n\t/* cleanup */\n\toidc_proto_state_destroy(proto_state);\n\toidc_jwt_destroy(jwt);\n\n\t/* check that we've actually authenticated a user; functions as error handling for oidc_get_remote_user */\n\tif (r->user == NULL)\n\t\treturn HTTP_UNAUTHORIZED;\n\n\t/* log the successful response */\n\toidc_debug(r,\n\t\t\t\"session created and stored, returning to original URL: %s, original method: %s\",\n\t\t\toriginal_url, original_method);\n\n\t/* check whether form post data was preserved; if so restore it */\n\tif (apr_strnatcmp(original_method, OIDC_METHOD_FORM_POST) == 0) {\n\t\treturn 
oidc_request_post_preserved_restore(r, original_url);\n\t}\n\n\t/* now we've authenticated the user so go back to the URL that he originally tried to access */\n\toidc_util_hdr_out_location_set(r, original_url);\n\n\t/* do the actual redirect to the original URL */\n\treturn HTTP_MOVED_TEMPORARILY;\n}", "project": "mod_auth_openidc", "hash": 176839213961216576820346388792533106367, "size": 139, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381969 }, { "func": "static int oidc_handle_authorization_response(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session, apr_table_t *params, const char *response_mode) {\n\n\toidc_debug(r, \"enter, response_mode=%s\", response_mode);\n\n\toidc_provider_t *provider = NULL;\n\toidc_proto_state_t *proto_state = NULL;\n\toidc_jwt_t *jwt = NULL;\n\n\t/* see if this response came from a browser-back event */\n\tif (oidc_handle_browser_back(r, apr_table_get(params, OIDC_PROTO_STATE),\n\t\t\tsession) == TRUE)\n\t\treturn HTTP_MOVED_TEMPORARILY;\n\n\t/* match the returned state parameter against the state stored in the browser */\n\tif (oidc_authorization_response_match_state(r, c,\n\t\t\tapr_table_get(params, OIDC_PROTO_STATE), &provider,\n\t\t\t&proto_state) == FALSE) {\n\t\tif (c->default_sso_url != NULL) {\n\t\t\toidc_warn(r,\n\t\t\t\t\t\"invalid authorization response state; a default SSO URL is set, sending the user there: %s\",\n\t\t\t\t\tc->default_sso_url);\n\t\t\toidc_util_hdr_out_location_set(r, c->default_sso_url);\n\t\t\treturn HTTP_MOVED_TEMPORARILY;\n\t\t}\n\t\toidc_error(r,\n\t\t\t\t\"invalid authorization response state and no default SSO URL is set, sending an error...\");\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\t/* see if the response is an error response */\n\tif (apr_table_get(params, 
OIDC_PROTO_ERROR) != NULL)\n\t\treturn oidc_authorization_response_error(r, c, proto_state,\n\t\t\t\tapr_table_get(params, OIDC_PROTO_ERROR),\n\t\t\t\tapr_table_get(params, OIDC_PROTO_ERROR_DESCRIPTION));\n\n\t/* handle the code, implicit or hybrid flow */\n\tif (oidc_handle_flows(r, c, proto_state, provider, params, response_mode,\n\t\t\t&jwt) == FALSE)\n\t\treturn oidc_authorization_response_error(r, c, proto_state,\n\t\t\t\t\"Error in handling response type.\", NULL);\n\n\tif (jwt == NULL) {\n\t\toidc_error(r, \"no id_token was provided\");\n\t\treturn oidc_authorization_response_error(r, c, proto_state,\n\t\t\t\t\"No id_token was provided.\", NULL);\n\t}\n\n\tint expires_in = oidc_parse_expires_in(r,\n\t\t\tapr_table_get(params, OIDC_PROTO_EXPIRES_IN));\n\tchar *userinfo_jwt = NULL;\n\n\t/*\n\t * optionally resolve additional claims against the userinfo endpoint\n\t * parsed claims are not actually used here but need to be parsed anyway for error checking purposes\n\t */\n\tconst char *claims = oidc_retrieve_claims_from_userinfo_endpoint(r, c,\n\t\t\tprovider, apr_table_get(params, OIDC_PROTO_ACCESS_TOKEN), NULL,\n\t\t\tjwt->payload.sub, &userinfo_jwt);\n\n\t/* restore the original protected URL that the user was trying to access */\n\tconst char *original_url = oidc_proto_state_get_original_url(proto_state);\n\tif (original_url != NULL)\n\t\toriginal_url = apr_pstrdup(r->pool, original_url);\n\tconst char *original_method = oidc_proto_state_get_original_method(\n\t\t\tproto_state);\n\tif (original_method != NULL)\n\t\toriginal_method = apr_pstrdup(r->pool, original_method);\n\tconst char *prompt = oidc_proto_state_get_prompt(proto_state);\n\n\t/* set the user */\n\tif (oidc_set_request_user(r, c, provider, jwt, claims) == TRUE) {\n\n\t\t/* session management: if the user in the new response is not equal to the old one, error out */\n\t\tif ((prompt != NULL)\n\t\t\t\t&& (apr_strnatcmp(prompt, OIDC_PROTO_PROMPT_NONE) == 0)) {\n\t\t\t// TOOD: actually need to 
compare sub? (need to store it in the session separately then\n\t\t\t//const char *sub = NULL;\n\t\t\t//oidc_session_get(r, session, \"sub\", &sub);\n\t\t\t//if (apr_strnatcmp(sub, jwt->payload.sub) != 0) {\n\t\t\tif (apr_strnatcmp(session->remote_user, r->user) != 0) {\n\t\t\t\toidc_warn(r,\n\t\t\t\t\t\t\"user set from new id_token is different from current one\");\n\t\t\t\toidc_jwt_destroy(jwt);\n\t\t\t\treturn oidc_authorization_response_error(r, c, proto_state,\n\t\t\t\t\t\t\"User changed!\", NULL);\n\t\t\t}\n\t\t}\n\n\t\t/* store resolved information in the session */\n\t\tif (oidc_save_in_session(r, c, session, provider, r->user,\n\t\t\t\tapr_table_get(params, OIDC_PROTO_ID_TOKEN), jwt, claims,\n\t\t\t\tapr_table_get(params, OIDC_PROTO_ACCESS_TOKEN), expires_in,\n\t\t\t\tapr_table_get(params, OIDC_PROTO_REFRESH_TOKEN),\n\t\t\t\tapr_table_get(params, OIDC_PROTO_SESSION_STATE),\n\t\t\t\tapr_table_get(params, OIDC_PROTO_STATE), original_url,\n\t\t\t\tuserinfo_jwt) == FALSE)\n\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\n\t} else {\n\t\toidc_error(r, \"remote user could not be set\");\n\t\treturn oidc_authorization_response_error(r, c, proto_state,\n\t\t\t\t\"Remote user could not be set: contact the website administrator\",\n\t\t\t\tNULL);\n\t}\n\n\t/* cleanup */\n\toidc_proto_state_destroy(proto_state);\n\toidc_jwt_destroy(jwt);\n\n\t/* check that we've actually authenticated a user; functions as error handling for oidc_get_remote_user */\n\tif (r->user == NULL)\n\t\treturn HTTP_UNAUTHORIZED;\n\n\t/* log the successful response */\n\toidc_debug(r,\n\t\t\t\"session created and stored, returning to original URL: %s, original method: %s\",\n\t\t\toriginal_url, original_method);\n\n\t/* check whether form post data was preserved; if so restore it */\n\tif (apr_strnatcmp(original_method, OIDC_METHOD_FORM_POST) == 0) {\n\t\treturn oidc_request_post_preserved_restore(r, original_url);\n\t}\n\n\t/* now we've authenticated the user so go back to the URL that he originally 
tried to access */\n\toidc_util_hdr_out_location_set(r, original_url);\n\n\t/* do the actual redirect to the original URL */\n\treturn HTTP_MOVED_TEMPORARILY;\n}", "project": "mod_auth_openidc", "hash": 309152895473284450071898494463246743242, "size": 130, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447688 }, { "func": "DLLEXPORT int DLLCALL tjDecodeYUVPlanes(tjhandle handle,\n\tconst unsigned char **srcPlanes, const int *strides, int subsamp,\n\tunsigned char *dstBuf, int width, int pitch, int height, int pixelFormat,\n\tint flags)\n{\n\tint i, retval=0; JSAMPROW *row_pointer=NULL;\n\tJSAMPLE *_tmpbuf[MAX_COMPONENTS];\n\tJSAMPROW *tmpbuf[MAX_COMPONENTS], *inbuf[MAX_COMPONENTS];\n\tint row, pw0, ph0, pw[MAX_COMPONENTS], ph[MAX_COMPONENTS];\n\tJSAMPLE *ptr;\n\tjpeg_component_info *compptr;\n\t#ifndef JCS_EXTENSIONS\n\tunsigned char *rgbBuf=NULL;\n\tunsigned char *_dstBuf=NULL; int _pitch=0;\n\t#endif\n\tint (*old_read_markers)(j_decompress_ptr);\n\tvoid (*old_reset_marker_reader)(j_decompress_ptr);\n\n\tgetdinstance(handle);\n\n\tfor(i=0; iinit&DECOMPRESS)==0)\n\t\t_throw(\"tjDecodeYUVPlanes(): Instance has not been initialized for decompression\");\n\n\tif(!srcPlanes || !srcPlanes[0] || subsamp<0 || subsamp>=NUMSUBOPT\n\t\t|| dstBuf==NULL || width<=0 || pitch<0 || height<=0 || pixelFormat<0\n\t\t|| pixelFormat>=TJ_NUMPF)\n\t\t_throw(\"tjDecodeYUVPlanes(): Invalid argument\");\n\tif(subsamp!=TJSAMP_GRAY && (!srcPlanes[1] || !srcPlanes[2]))\n\t\t_throw(\"tjDecodeYUVPlanes(): Invalid argument\");\n\n\tif(setjmp(this->jerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. 
*/\n\t\tretval=-1; goto bailout;\n\t}\n\n\tif(pixelFormat==TJPF_CMYK)\n\t\t_throw(\"tjDecodeYUVPlanes(): Cannot decode YUV images into CMYK pixels.\");\n\n\tif(pitch==0) pitch=width*tjPixelSize[pixelFormat];\n\tdinfo->image_width=width;\n\tdinfo->image_height=height;\n\n#ifndef NO_PUTENV\n\tif(flags&TJFLAG_FORCEMMX) putenv(\"JSIMD_FORCEMMX=1\");\n\telse if(flags&TJFLAG_FORCESSE) putenv(\"JSIMD_FORCESSE=1\");\n\telse if(flags&TJFLAG_FORCESSE2) putenv(\"JSIMD_FORCESSE2=1\");\n#endif\n\n\tdinfo->progressive_mode=dinfo->inputctl->has_multiple_scans=FALSE;\n\tdinfo->Ss=dinfo->Ah=dinfo->Al=0;\n\tdinfo->Se=DCTSIZE2-1;\n\tif(setDecodeDefaults(dinfo, pixelFormat, subsamp, flags)==-1)\n\t{\n\t\tretval=-1; goto bailout;\n\t}\n\told_read_markers=dinfo->marker->read_markers;\n\tdinfo->marker->read_markers=my_read_markers;\n\told_reset_marker_reader=dinfo->marker->reset_marker_reader;\n\tdinfo->marker->reset_marker_reader=my_reset_marker_reader;\n\tjpeg_read_header(dinfo, TRUE);\n\tdinfo->marker->read_markers=old_read_markers;\n\tdinfo->marker->reset_marker_reader=old_reset_marker_reader;\n\n\tif(setDecompDefaults(dinfo, pixelFormat, flags)==-1)\n\t{\n\t\tretval=-1; goto bailout;\n\t}\n\tdinfo->do_fancy_upsampling=FALSE;\n\tdinfo->Se=DCTSIZE2-1;\n\tjinit_master_decompress(dinfo);\n\t(*dinfo->upsample->start_pass)(dinfo);\n\n\tpw0=PAD(width, dinfo->max_h_samp_factor);\n\tph0=PAD(height, dinfo->max_v_samp_factor);\n\n\tif(pitch==0) pitch=dinfo->output_width*tjPixelSize[pixelFormat];\n\n\t#ifndef JCS_EXTENSIONS\n\tif(pixelFormat!=TJPF_GRAY && pixelFormat!=TJPF_CMYK &&\n\t\t(RGB_RED!=tjRedOffset[pixelFormat] ||\n\t\t\tRGB_GREEN!=tjGreenOffset[pixelFormat] ||\n\t\t\tRGB_BLUE!=tjBlueOffset[pixelFormat] ||\n\t\t\tRGB_PIXELSIZE!=tjPixelSize[pixelFormat]))\n\t{\n\t\trgbBuf=(unsigned char *)malloc(width*height*3);\n\t\tif(!rgbBuf) _throw(\"tjDecodeYUVPlanes(): Memory allocation failure\");\n\t\t_pitch=pitch; pitch=width*3;\n\t\t_dstBuf=dstBuf; 
dstBuf=rgbBuf;\n\t}\n\t#endif\n\n\tif((row_pointer=(JSAMPROW *)malloc(sizeof(JSAMPROW)*ph0))==NULL)\n\t\t_throw(\"tjDecodeYUVPlanes(): Memory allocation failure\");\n\tfor(i=0; inum_components; i++)\n\t{\n\t\tcompptr=&dinfo->comp_info[i];\n\t\t_tmpbuf[i]=(JSAMPLE *)malloc(PAD(compptr->width_in_blocks*DCTSIZE, 16)\n\t\t\t* compptr->v_samp_factor + 16);\n\t\tif(!_tmpbuf[i]) _throw(\"tjDecodeYUVPlanes(): Memory allocation failure\");\n\t\ttmpbuf[i]=(JSAMPROW *)malloc(sizeof(JSAMPROW)*compptr->v_samp_factor);\n\t\tif(!tmpbuf[i]) _throw(\"tjDecodeYUVPlanes(): Memory allocation failure\");\n\t\tfor(row=0; rowv_samp_factor; row++)\n\t\t{\n\t\t\tunsigned char *_tmpbuf_aligned=\n\t\t\t\t(unsigned char *)PAD((size_t)_tmpbuf[i], 16);\n\t\t\ttmpbuf[i][row]=&_tmpbuf_aligned[\n\t\t\t\tPAD(compptr->width_in_blocks*DCTSIZE, 16) * row];\n\t\t}\n\t\tpw[i]=pw0*compptr->h_samp_factor/dinfo->max_h_samp_factor;\n\t\tph[i]=ph0*compptr->v_samp_factor/dinfo->max_v_samp_factor;\n\t\tinbuf[i]=(JSAMPROW *)malloc(sizeof(JSAMPROW)*ph[i]);\n\t\tif(!inbuf[i]) _throw(\"tjDecodeYUVPlanes(): Memory allocation failure\");\n\t\tptr=(JSAMPLE *)srcPlanes[i];\n\t\tfor(row=0; rowjerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. 
*/\n\t\tretval=-1; goto bailout;\n\t}\n\n\tfor(row=0; rowmax_v_samp_factor)\n\t{\n\t\tJDIMENSION inrow=0, outrow=0;\n\t\tfor(i=0, compptr=dinfo->comp_info; inum_components; i++, compptr++)\n\t\t\tjcopy_sample_rows(inbuf[i],\n\t\t\t\trow*compptr->v_samp_factor/dinfo->max_v_samp_factor, tmpbuf[i], 0,\n\t\t\t\tcompptr->v_samp_factor, pw[i]);\n\t\t(dinfo->upsample->upsample)(dinfo, tmpbuf, &inrow,\n\t\t\tdinfo->max_v_samp_factor, &row_pointer[row], &outrow,\n\t\t\tdinfo->max_v_samp_factor);\n\t}\n\tjpeg_abort_decompress(dinfo);\n\n\t#ifndef JCS_EXTENSIONS\n\tfromRGB(rgbBuf, _dstBuf, width, _pitch, height, pixelFormat);\n\t#endif\n\n\tbailout:\n\tif(dinfo->global_state>DSTATE_START) jpeg_abort_decompress(dinfo);\n\t#ifndef JCS_EXTENSIONS\n\tif(rgbBuf) free(rgbBuf);\n\t#endif\n\tif(row_pointer) free(row_pointer);\n\tfor(i=0; ijerr.warning) retval=-1;\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 150571125501177399366781537631109561831, "size": 172, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... 
when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311135 }, { "func": " bool isPrivate() {\n assertx(m_key);\n switch (EVP_PKEY_id(m_key)) {\n#ifndef NO_RSA\n case EVP_PKEY_RSA:\n case EVP_PKEY_RSA2:\n {\n const auto rsa = EVP_PKEY_get0_RSA(m_key);\n assertx(rsa);\n const BIGNUM *p, *q;\n RSA_get0_factors(rsa, &p, &q);\n if (!p || !q) {\n return false;\n }\n break;\n }\n#endif\n#ifndef NO_DSA\n case EVP_PKEY_DSA:\n case EVP_PKEY_DSA1:\n case EVP_PKEY_DSA2:\n case EVP_PKEY_DSA3:\n case EVP_PKEY_DSA4:\n {\n const auto dsa = EVP_PKEY_get0_DSA(m_key);\n assertx(dsa);\n const BIGNUM *p, *q, *g, *pub_key, *priv_key;\n DSA_get0_pqg(dsa, &p, &q, &g);\n if (!p || !q || !g) {\n return false;\n }\n DSA_get0_key(dsa, &pub_key, &priv_key);\n if (!priv_key) {\n return false;\n }\n break;\n }\n#endif\n#ifndef NO_DH\n case EVP_PKEY_DH:\n {\n const auto dh = EVP_PKEY_get0_DH(m_key);\n assertx(dh);\n const BIGNUM *p, *q, *g, *pub_key, *priv_key;\n DH_get0_pqg(dh, &p, &q, &g);\n if (!p) {\n return false;\n }\n DH_get0_key(dh, &pub_key, &priv_key);\n if (!priv_key) {\n return false;\n }\n break;\n }\n#endif\n#ifdef HAVE_EVP_PKEY_EC\n case EVP_PKEY_EC:\n {\n const auto ec_key = EVP_PKEY_get0_EC_KEY(m_key);\n assertx(ec_key);\n if (EC_KEY_get0_private_key(ec_key) == nullptr) {\n return false;\n }\n break;\n }\n#endif\n default:\n raise_warning(\"key type not supported in this PHP build!\");\n break;\n }\n return true;\n }", "project": "hhvm", "hash": 291273689175100906243005402669792183890, "size": 72, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219701 }, { "func": "static TraceNo trace_exit_find(jit_State *J, MCode *pc)\n{\n TraceNo traceno;\n for (traceno = 1; traceno < J->sizetrace; traceno++) {\n GCtrace *T = traceref(J, traceno);\n if (T && pc >= T->mcode && 
pc < (MCode *)((char *)T->mcode + T->szmcode))\n return traceno;\n }\n lua_assert(0);\n return 0;\n}", "project": "LuaJIT", "hash": 114969803445767633173128023785856885991, "size": 11, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394640 }, { "func": "static void __unregister_prot_hook(struct sock *sk, bool sync)\n{\n\tstruct packet_sock *po = pkt_sk(sk);\n\n\tlockdep_assert_held_once(&po->bind_lock);\n\n\tpo->running = 0;\n\n\tif (po->fanout)\n\t\t__fanout_unlink(sk, po);\n\telse\n\t\t__dev_remove_pack(&po->prot_hook);\n\n\t__sock_put(sk);\n\n\tif (sync) {\n\t\tspin_unlock(&po->bind_lock);\n\t\tsynchronize_net();\n\t\tspin_lock(&po->bind_lock);\n\t}\n}", "project": "linux", "hash": 312523202874081304775109041429530595928, "size": 21, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330385 }, { "func": "static int sctp_getsockopt_event(struct sock *sk, int len, char __user *optval,\n\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_association *asoc;\n\tstruct sctp_event param;\n\t__u16 subscribe;\n\n\tif (len < sizeof(param))\n\t\treturn -EINVAL;\n\n\tlen = sizeof(param);\n\tif (copy_from_user(¶m, optval, len))\n\t\treturn -EFAULT;\n\n\tif (param.se_type < SCTP_SN_TYPE_BASE 
||\n\t param.se_type > SCTP_SN_TYPE_MAX)\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, param.se_assoc_id);\n\tif (!asoc && param.se_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tsubscribe = asoc ? asoc->subscribe : sctp_sk(sk)->subscribe;\n\tparam.se_on = sctp_ulpevent_type_enabled(subscribe, param.se_type);\n\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\n\tif (copy_to_user(optval, ¶m, len))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 313480264496799143639331505224200261326, "size": 34, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398073 }, { "func": "static int external_grep(struct grep_opt *opt, const char **paths, int cached)\n{\n\tint i, nr, argc, hit, len, status;\n\tconst char *argv[MAXARGS+1];\n\tchar randarg[ARGBUF];\n\tchar *argptr = randarg;\n\tstruct grep_pat *p;\n\n\tif (opt->extended || (opt->relative && opt->prefix_length))\n\t\treturn -1;\n\tlen = nr = 0;\n\tpush_arg(\"grep\");\n\tif (opt->fixed)\n\t\tpush_arg(\"-F\");\n\tif (opt->linenum)\n\t\tpush_arg(\"-n\");\n\tif (!opt->pathname)\n\t\tpush_arg(\"-h\");\n\tif (opt->regflags & REG_EXTENDED)\n\t\tpush_arg(\"-E\");\n\tif (opt->regflags & REG_ICASE)\n\t\tpush_arg(\"-i\");\n\tif (opt->word_regexp)\n\t\tpush_arg(\"-w\");\n\tif (opt->name_only)\n\t\tpush_arg(\"-l\");\n\tif (opt->unmatch_name_only)\n\t\tpush_arg(\"-L\");\n\tif (opt->count)\n\t\tpush_arg(\"-c\");\n\tif (opt->post_context || opt->pre_context) {\n\t\tif (opt->post_context != opt->pre_context) {\n\t\t\tif (opt->pre_context) {\n\t\t\t\tpush_arg(\"-B\");\n\t\t\t\tlen += snprintf(argptr, sizeof(randarg)-len,\n\t\t\t\t\t\t\"%u\", opt->pre_context) + 1;\n\t\t\t\tif (sizeof(randarg) <= len)\n\t\t\t\t\tdie(\"maximum length of args exceeded\");\n\t\t\t\tpush_arg(argptr);\n\t\t\t\targptr += len;\n\t\t\t}\n\t\t\tif (opt->post_context) {\n\t\t\t\tpush_arg(\"-A\");\n\t\t\t\tlen += snprintf(argptr, sizeof(randarg)-len,\n\t\t\t\t\t\t\"%u\", opt->post_context) + 1;\n\t\t\t\tif (sizeof(randarg) <= len)\n\t\t\t\t\tdie(\"maximum length of args exceeded\");\n\t\t\t\tpush_arg(argptr);\n\t\t\t\targptr += len;\n\t\t\t}\n\t\t}\n\t\telse {\n\t\t\tpush_arg(\"-C\");\n\t\t\tlen += snprintf(argptr, sizeof(randarg)-len,\n\t\t\t\t\t\"%u\", opt->post_context) + 1;\n\t\t\tif (sizeof(randarg) <= len)\n\t\t\t\tdie(\"maximum length of args exceeded\");\n\t\t\tpush_arg(argptr);\n\t\t\targptr += len;\n\t\t}\n\t}\n\tfor (p = opt->pattern_list; p; p = p->next) {\n\t\tpush_arg(\"-e\");\n\t\tpush_arg(p->pattern);\n\t}\n\n\thit = 0;\n\targc = nr;\n\tfor (i = 
0; i < active_nr; i++) {\n\t\tstruct cache_entry *ce = active_cache[i];\n\t\tchar *name;\n\t\tint kept;\n\t\tif (!S_ISREG(ce->ce_mode))\n\t\t\tcontinue;\n\t\tif (!pathspec_matches(paths, ce->name))\n\t\t\tcontinue;\n\t\tname = ce->name;\n\t\tif (name[0] == '-') {\n\t\t\tint len = ce_namelen(ce);\n\t\t\tname = xmalloc(len + 3);\n\t\t\tmemcpy(name, \"./\", 2);\n\t\t\tmemcpy(name + 2, ce->name, len + 1);\n\t\t}\n\t\targv[argc++] = name;\n\t\tif (MAXARGS <= argc) {\n\t\t\tstatus = flush_grep(opt, argc, nr, argv, &kept);\n\t\t\tif (0 < status)\n\t\t\t\thit = 1;\n\t\t\targc = nr + kept;\n\t\t}\n\t\tif (ce_stage(ce)) {\n\t\t\tdo {\n\t\t\t\ti++;\n\t\t\t} while (i < active_nr &&\n\t\t\t\t !strcmp(ce->name, active_cache[i]->name));\n\t\t\ti--; /* compensate for loop control */\n\t\t}\n\t}\n\tif (argc > nr) {\n\t\tstatus = flush_grep(opt, argc, nr, argv, NULL);\n\t\tif (0 < status)\n\t\t\thit = 1;\n\t}\n\treturn hit;\n}", "project": "git", "hash": 8244171449665246138663611675969186414, "size": 105, "commit_id": "620e2bb93785ed8eb60846d94fd4753d4817c8ec", "message": "Fix buffer overflow in git-grep\n\nIf PATH_MAX on your system is smaller than any path stored in the git\nrepository, that can cause memory corruption inside of the grep_tree\nfunction used by git-grep.\n\nSigned-off-by: Dmitry Potapov \nSigned-off-by: Junio C Hamano ", "target": 0, "dataset": "other", "idx": 446044 }, { "func": " Item_string_ascii(THD *thd, const char *str):\n Item_string(thd, str, (uint)strlen(str), &my_charset_latin1,\n DERIVATION_COERCIBLE, MY_REPERTOIRE_ASCII)\n { }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 188031856836034302328913741194028726568, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item 
list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509423 }, { "func": "static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, zval * dn, zval * attribs)\n{\n\tSTACK_OF(CONF_VALUE) * dn_sk, *attr_sk = NULL;\n\tchar * str, *dn_sect, *attr_sect;\n\n\tdn_sect = CONF_get_string(req->req_config, req->section_name, \"distinguished_name\");\n\tif (dn_sect == NULL) {\n\t\tphp_openssl_store_errors();\n\t\treturn FAILURE;\n\t}\n\tdn_sk = CONF_get_section(req->req_config, dn_sect);\n\tif (dn_sk == NULL) {\n\t\tphp_openssl_store_errors();\n\t\treturn FAILURE;\n\t}\n\tattr_sect = CONF_get_string(req->req_config, req->section_name, \"attributes\");\n\tif (attr_sect == NULL) {\n\t\tphp_openssl_store_errors();\n\t\tattr_sk = NULL;\n\t} else {\n\t\tattr_sk = CONF_get_section(req->req_config, attr_sect);\n\t\tif (attr_sk == NULL) {\n\t\t\tphp_openssl_store_errors();\n\t\t\treturn FAILURE;\n\t\t}\n\t}\n\t/* setup the version number: version 1 */\n\tif (X509_REQ_set_version(csr, 0L)) {\n\t\tint i, nid;\n\t\tchar * type;\n\t\tCONF_VALUE * v;\n\t\tX509_NAME * subj;\n\t\tzval * item;\n\t\tzend_string * strindex = NULL;\n\n\t\tsubj = X509_REQ_get_subject_name(csr);\n\t\t/* apply values from the dn hash */\n\t\tZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(dn), strindex, item) {\n\t\t\tif (strindex) {\n\t\t\t\tint 
nid;\n\n\t\t\t\tconvert_to_string_ex(item);\n\n\t\t\t\tnid = OBJ_txt2nid(ZSTR_VAL(strindex));\n\t\t\t\tif (nid != NID_undef) {\n\t\t\t\t\tif (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_UTF8,\n\t\t\t\t\t\t\t\t(unsigned char*)Z_STRVAL_P(item), -1, -1, 0))\n\t\t\t\t\t{\n\t\t\t\t\t\tphp_openssl_store_errors();\n\t\t\t\t\t\tphp_error_docref(NULL, E_WARNING,\n\t\t\t\t\t\t\t\"dn: add_entry_by_NID %d -> %s (failed; check error\"\n\t\t\t\t\t\t\t\" queue and value of string_mask OpenSSL option \"\n\t\t\t\t\t\t\t\"if illegal characters are reported)\",\n\t\t\t\t\t\t\tnid, Z_STRVAL_P(item));\n\t\t\t\t\t\treturn FAILURE;\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tphp_error_docref(NULL, E_WARNING, \"dn: %s is not a recognized name\", ZSTR_VAL(strindex));\n\t\t\t\t}\n\t\t\t}\n\t\t} ZEND_HASH_FOREACH_END();\n\n\t\t/* Finally apply defaults from config file */\n\t\tfor(i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {\n\t\t\tsize_t len;\n\t\t\tchar buffer[200 + 1]; /*200 + \\0 !*/\n\n\t\t\tv = sk_CONF_VALUE_value(dn_sk, i);\n\t\t\ttype = v->name;\n\n\t\t\tlen = strlen(type);\n\t\t\tif (len < sizeof(\"_default\")) {\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tlen -= sizeof(\"_default\") - 1;\n\t\t\tif (strcmp(\"_default\", type + len) != 0) {\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (len > 200) {\n\t\t\t\tlen = 200;\n\t\t\t}\n\t\t\tmemcpy(buffer, type, len);\n\t\t\tbuffer[len] = '\\0';\n\t\t\ttype = buffer;\n\n\t\t\t/* Skip past any leading X. 
X: X, etc to allow for multiple\n\t\t\t * instances */\n\t\t\tfor (str = type; *str; str++) {\n\t\t\t\tif (*str == ':' || *str == ',' || *str == '.') {\n\t\t\t\t\tstr++;\n\t\t\t\t\tif (*str) {\n\t\t\t\t\t\ttype = str;\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\t/* if it is already set, skip this */\n\t\t\tnid = OBJ_txt2nid(type);\n\t\t\tif (X509_NAME_get_index_by_NID(subj, nid, -1) >= 0) {\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (!X509_NAME_add_entry_by_txt(subj, type, MBSTRING_UTF8, (unsigned char*)v->value, -1, -1, 0)) {\n\t\t\t\tphp_openssl_store_errors();\n\t\t\t\tphp_error_docref(NULL, E_WARNING, \"add_entry_by_txt %s -> %s (failed)\", type, v->value);\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\t\t\tif (!X509_NAME_entry_count(subj)) {\n\t\t\t\tphp_error_docref(NULL, E_WARNING, \"no objects specified in config file\");\n\t\t\t\treturn FAILURE;\n\t\t\t}\n\t\t}\n\t\tif (attribs) {\n\t\t\tZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(attribs), strindex, item) {\n\t\t\t\tint nid;\n\n\t\t\t\tif (NULL == strindex) {\n\t\t\t\t\tphp_error_docref(NULL, E_WARNING, \"dn: numeric fild names are not supported\");\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\n\t\t\t\tconvert_to_string_ex(item);\n\n\t\t\t\tnid = OBJ_txt2nid(ZSTR_VAL(strindex));\n\t\t\t\tif (nid != NID_undef) {\n\t\t\t\t\tif (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_UTF8, (unsigned char*)Z_STRVAL_P(item), -1, -1, 0)) {\n\t\t\t\t\t\tphp_openssl_store_errors();\n\t\t\t\t\t\tphp_error_docref(NULL, E_WARNING, \"attribs: add_entry_by_NID %d -> %s (failed)\", nid, Z_STRVAL_P(item));\n\t\t\t\t\t\treturn FAILURE;\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tphp_error_docref(NULL, E_WARNING, \"dn: %s is not a recognized name\", ZSTR_VAL(strindex));\n\t\t\t\t}\n\t\t\t} ZEND_HASH_FOREACH_END();\n\t\t\tfor (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {\n\t\t\t\tv = sk_CONF_VALUE_value(attr_sk, i);\n\t\t\t\t/* if it is already set, skip this */\n\t\t\t\tnid = OBJ_txt2nid(v->name);\n\t\t\t\tif (X509_REQ_get_attr_by_NID(csr, nid, 
-1) >= 0) {\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t\tif (!X509_REQ_add1_attr_by_txt(csr, v->name, MBSTRING_UTF8, (unsigned char*)v->value, -1)) {\n\t\t\t\t\tphp_openssl_store_errors();\n\t\t\t\t\tphp_error_docref(NULL, E_WARNING,\n\t\t\t\t\t\t\"add1_attr_by_txt %s -> %s (failed; check error queue \"\n\t\t\t\t\t\t\"and value of string_mask OpenSSL option if illegal \"\n\t\t\t\t\t\t\"characters are reported)\",\n\t\t\t\t\t\tv->name, v->value);\n\t\t\t\t\treturn FAILURE;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t} else {\n\t\tphp_openssl_store_errors();\n\t}\n\n\tif (!X509_REQ_set_pubkey(csr, req->priv_key)) {\n\t\tphp_openssl_store_errors();\n\t}\n\treturn SUCCESS;\n}", "project": "php-src", "hash": 13337587840675239770585395224535813764, "size": 160, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291384 }, { "func": "PrimitiveStatus TrustedPrimitives::RegisterEntryHandler(\n uint64_t selector, const EntryHandler &handler) {\n return asylo::primitives::RegisterEntryHandler(selector, handler);\n}", "project": "asylo", "hash": 123810154767339854078529903934240455110, "size": 4, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232053 }, { "func": "static int _nfs4_do_setlk(struct nfs4_state *state, int cmd, struct file_lock *fl, int recovery_type)\n{\n\tstruct nfs4_lockdata *data;\n\tstruct rpc_task *task;\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_LOCK],\n\t\t.rpc_cred = state->owner->so_cred,\n\t};\n\tstruct rpc_task_setup task_setup_data = {\n\t\t.rpc_client = NFS_CLIENT(state->inode),\n\t\t.rpc_message = 
&msg,\n\t\t.callback_ops = &nfs4_lock_ops,\n\t\t.workqueue = nfsiod_workqueue,\n\t\t.flags = RPC_TASK_ASYNC | RPC_TASK_CRED_NOREF,\n\t};\n\tint ret;\n\n\tdprintk(\"%s: begin!\\n\", __func__);\n\tdata = nfs4_alloc_lockdata(fl, nfs_file_open_context(fl->fl_file),\n\t\t\tfl->fl_u.nfs4_fl.owner,\n\t\t\trecovery_type == NFS_LOCK_NEW ? GFP_KERNEL : GFP_NOFS);\n\tif (data == NULL)\n\t\treturn -ENOMEM;\n\tif (IS_SETLKW(cmd))\n\t\tdata->arg.block = 1;\n\tnfs4_init_sequence(&data->arg.seq_args, &data->res.seq_res, 1,\n\t\t\t\trecovery_type > NFS_LOCK_NEW);\n\tmsg.rpc_argp = &data->arg;\n\tmsg.rpc_resp = &data->res;\n\ttask_setup_data.callback_data = data;\n\tif (recovery_type > NFS_LOCK_NEW) {\n\t\tif (recovery_type == NFS_LOCK_RECLAIM)\n\t\t\tdata->arg.reclaim = NFS_LOCK_RECLAIM;\n\t} else\n\t\tdata->arg.new_lock = 1;\n\ttask = rpc_run_task(&task_setup_data);\n\tif (IS_ERR(task))\n\t\treturn PTR_ERR(task);\n\tret = rpc_wait_for_completion_task(task);\n\tif (ret == 0) {\n\t\tret = data->rpc_status;\n\t\tif (ret)\n\t\t\tnfs4_handle_setlk_error(data->server, data->lsp,\n\t\t\t\t\tdata->arg.new_lock_owner, ret);\n\t} else\n\t\tdata->cancelled = true;\n\trpc_put_task(task);\n\tdprintk(\"%s: done, ret = %d!\\n\", __func__, ret);\n\ttrace_nfs4_set_lock(fl, state, &data->res.stateid, cmd, ret);\n\treturn ret;\n}", "project": "linux", "hash": 12396951534127030361316180184881569679, "size": 51, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430994 }, { "func": "static void tcp_incr_quickack(struct sock *sk)\n{\n\tstruct inet_connection_sock *icsk = 
inet_csk(sk);\n\tunsigned quickacks = tcp_sk(sk)->rcv_wnd / (2 * icsk->icsk_ack.rcv_mss);\n\n\tif (quickacks == 0)\n\t\tquickacks = 2;\n\tif (quickacks > icsk->icsk_ack.quick)\n\t\ticsk->icsk_ack.quick = min(quickacks, TCP_MAX_QUICKACKS);\n}", "project": "net-next", "hash": 76321953188661900279713869856035293845, "size": 10, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409843 }, { "func": "static void SFDParseStateMachine(FILE *sfd,SplineFont *sf,ASM *sm, char *tok,int old) {\n int i, temp;\n\n sm->type = strnmatch(tok,\"MacIndic\",8)==0 ? asm_indic :\n\t\tstrnmatch(tok,\"MacContext\",10)==0 ? asm_context :\n\t\tstrnmatch(tok,\"MacLigature\",11)==0 ? asm_lig :\n\t\tstrnmatch(tok,\"MacSimple\",9)==0 ? asm_simple :\n\t\tstrnmatch(tok,\"MacKern\",7)==0 ? 
asm_kern : asm_insert;\n if ( old ) {\n\tgetusint(sfd,&((ASM1 *) sm)->feature);\n\tnlgetc(sfd);\t\t/* Skip comma */\n\tgetusint(sfd,&((ASM1 *) sm)->setting);\n } else {\n\tsm->subtable = SFFindLookupSubtableAndFreeName(sf,SFDReadUTF7Str(sfd));\n\tsm->subtable->sm = sm;\n }\n getusint(sfd,&sm->flags);\n getusint(sfd,&sm->class_cnt);\n getusint(sfd,&sm->state_cnt);\n\n sm->classes = malloc(sm->class_cnt*sizeof(char *));\n sm->classes[0] = sm->classes[1] = sm->classes[2] = sm->classes[3] = NULL;\n for ( i=4; iclass_cnt; ++i ) {\n\tgetname(sfd,tok);\n\tgetint(sfd,&temp);\n\tsm->classes[i] = malloc(temp+1); sm->classes[i][temp] = '\\0';\n\tnlgetc(sfd);\t/* skip space */\n\tfread(sm->classes[i],1,temp,sfd);\n }\n\n sm->state = malloc(sm->class_cnt*sm->state_cnt*sizeof(struct asm_state));\n for ( i=0; iclass_cnt*sm->state_cnt; ++i ) {\n\tgetusint(sfd,&sm->state[i].next_state);\n\tgetusint(sfd,&sm->state[i].flags);\n\tif ( sm->type == asm_context ) {\n\t sm->state[i].u.context.mark_lookup = SFD_ParseNestedLookup(sfd,sf,old);\n\t sm->state[i].u.context.cur_lookup = SFD_ParseNestedLookup(sfd,sf,old);\n\t} else if ( sm->type == asm_insert ) {\n\t getint(sfd,&temp);\n\t if ( temp==0 )\n\t\tsm->state[i].u.insert.mark_ins = NULL;\n\t else {\n\t\tsm->state[i].u.insert.mark_ins = malloc(temp+1); sm->state[i].u.insert.mark_ins[temp] = '\\0';\n\t\tnlgetc(sfd);\t/* skip space */\n\t\tfread(sm->state[i].u.insert.mark_ins,1,temp,sfd);\n\t }\n\t getint(sfd,&temp);\n\t if ( temp==0 )\n\t\tsm->state[i].u.insert.cur_ins = NULL;\n\t else {\n\t\tsm->state[i].u.insert.cur_ins = malloc(temp+1); sm->state[i].u.insert.cur_ins[temp] = '\\0';\n\t\tnlgetc(sfd);\t/* skip space */\n\t\tfread(sm->state[i].u.insert.cur_ins,1,temp,sfd);\n\t }\n\t} else if ( sm->type == asm_kern ) {\n\t int j;\n\t getint(sfd,&sm->state[i].u.kern.kcnt);\n\t if ( sm->state[i].u.kern.kcnt!=0 )\n\t\tsm->state[i].u.kern.kerns = malloc(sm->state[i].u.kern.kcnt*sizeof(int16));\n\t for ( j=0; jstate[i].u.kern.kcnt; ++j ) 
{\n\t\tgetint(sfd,&temp);\n\t\tsm->state[i].u.kern.kerns[j] = temp;\n\t }\n\t}\n }\n getname(sfd,tok);\t\t\t/* EndASM */\n}", "project": "fontforge", "hash": 9425767721241909131049346357587539610, "size": 67, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417770 }, { "func": "static void rap_break (void *u) {\n\tRIORap *rior = (RIORap*) u;\n\tif (u) {\n\t\tr_socket_close (rior->fd);\n\t\trior->fd = NULL;\n\t}\n}", "project": "radare2", "hash": 10825611692024548546193917115298623813, "size": 7, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232140 }, { "func": "static void updateReceivers(struct receiver **rcvrs, u_int32_t dst_addr,\n u_int8_t version, u_int32_t num_pkts,\n struct receiver **topRcvrs) {\n struct receiver *r;\n u_int32_t size;\n int a;\n\n HASH_FIND_INT(*rcvrs, (int *)&dst_addr, r);\n if(r == NULL) {\n if(((size = HASH_COUNT(*rcvrs)) < MAX_TABLE_SIZE_1)\n || ((a = acceptable(num_pkts)) != 0)){\n r = (struct receiver *)malloc(sizeof(struct receiver));\n if(!r) return;\n\n r->addr = dst_addr;\n r->version = version;\n r->num_pkts = num_pkts;\n\n HASH_ADD_INT(*rcvrs, addr, r);\n\n if((size = HASH_COUNT(*rcvrs)) > MAX_TABLE_SIZE_2){\n\n HASH_SORT(*rcvrs, receivers_sort_asc);\n *rcvrs = cutBackTo(rcvrs, size, MAX_TABLE_SIZE_1);\n mergeTables(rcvrs, topRcvrs);\n\n if((size = HASH_COUNT(*topRcvrs)) > MAX_TABLE_SIZE_1){\n HASH_SORT(*topRcvrs, receivers_sort_asc);\n *topRcvrs = cutBackTo(topRcvrs, size, 
MAX_TABLE_SIZE_1);\n }\n\n *rcvrs = NULL;\n }\n }\n }\n else\n r->num_pkts += num_pkts;\n}", "project": "nDPI", "hash": 15361089686654609589835862672136960027, "size": 38, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254840 }, { "func": "int kvm_read_guest_offset_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,\n\t\t\t\t void *data, unsigned int offset,\n\t\t\t\t unsigned long len)\n{\n\tstruct kvm_memslots *slots = kvm_memslots(kvm);\n\tint r;\n\tgpa_t gpa = ghc->gpa + offset;\n\n\tBUG_ON(len + offset > ghc->len);\n\n\tif (slots->generation != ghc->generation) {\n\t\tif (__kvm_gfn_to_hva_cache_init(slots, ghc, ghc->gpa, ghc->len))\n\t\t\treturn -EFAULT;\n\t}\n\n\tif (kvm_is_error_hva(ghc->hva))\n\t\treturn -EFAULT;\n\n\tif (unlikely(!ghc->memslot))\n\t\treturn kvm_read_guest(kvm, gpa, data, len);\n\n\tr = __copy_from_user(data, (void __user *)ghc->hva + offset, len);\n\tif (r)\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 264761070425815494946856784052664933353, "size": 27, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404081 }, { "func": "static inline int tcp_packet_delayed(const struct tcp_sock *tp)\n{\n\treturn !tp->retrans_stamp ||\n\t\t(tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr &&\n\t\t before(tp->rx_opt.rcv_tsecr, tp->retrans_stamp));\n}", "project": "net-next", "hash": 313987516508460737297833583593452666026, "size": 6, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409906 }, { "func": "static int interleaved_discov(struct hci_request *req, unsigned long opt)\n{\n\tint err;\n\n\tbt_dev_dbg(req->hdev, \"\");\n\n\terr = active_scan(req, opt);\n\tif (err)\n\t\treturn err;\n\n\treturn bredr_inquiry(req, DISCOV_BREDR_INQUIRY_LEN);\n}", "project": "linux", "hash": 255800952700984820887521912483102799677, "size": 12, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402542 }, { "func": "static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_remote_name *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\thci_conn_check_pending(hdev);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);\n\n\tif (!hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tgoto check_auth;\n\n\tif (ev->status == 0)\n\t\thci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,\n\t\t\t\t strnlen(ev->name, HCI_MAX_NAME_LENGTH));\n\telse\n\t\thci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);\n\ncheck_auth:\n\tif (!conn)\n\t\tgoto unlock;\n\n\tif (!hci_outgoing_auth_needed(hdev, conn))\n\t\tgoto unlock;\n\n\tif (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {\n\t\tstruct hci_cp_auth_requested cp;\n\n\t\tset_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);\n\n\t\tcp.handle = __cpu_to_le16(conn->handle);\n\t\thci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);\n\t}\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 248897857163410130233689032468506982560, "size": 41, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. 
A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431980 }, { "func": "inline char* StringData::mutableData() const {\n assertx(!isImmutable());\n return const_cast(data());\n}", "project": "hhvm", "hash": 34232897406597671205454667935475359197, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219703 }, { "func": "static void encode_create(struct xdr_stream *xdr, const struct nfs4_create_arg *create, struct compound_hdr *hdr)\n{\n\t__be32 *p;\n\n\tencode_op_hdr(xdr, OP_CREATE, decode_create_maxsz, hdr);\n\tencode_uint32(xdr, create->ftype);\n\n\tswitch (create->ftype) {\n\tcase NF4LNK:\n\t\tp = reserve_space(xdr, 4);\n\t\t*p = cpu_to_be32(create->u.symlink.len);\n\t\txdr_write_pages(xdr, create->u.symlink.pages, 0,\n\t\t\t\tcreate->u.symlink.len);\n\t\txdr->buf->flags |= XDRBUF_WRITE;\n\t\tbreak;\n\n\tcase NF4BLK: case NF4CHR:\n\t\tp = reserve_space(xdr, 8);\n\t\t*p++ = cpu_to_be32(create->u.device.specdata1);\n\t\t*p = cpu_to_be32(create->u.device.specdata2);\n\t\tbreak;\n\n\tdefault:\n\t\tbreak;\n\t}\n\n\tencode_string(xdr, create->name->len, create->name->name);\n\tencode_attrs(xdr, create->attrs, create->label, &create->umask,\n\t\t\tcreate->server, create->server->attr_bitmask);\n}", "project": "linux", "hash": 148172241921854493187179925241179414493, "size": 30, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the 
buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431145 }, { "func": "static int check_object(struct kmem_cache *s, struct page *page,\n\t\t\t\t\tvoid *object, u8 val)\n{\n\tu8 *p = object;\n\tu8 *endobject = object + s->object_size;\n\n\tif (s->flags & SLAB_RED_ZONE) {\n\t\tif (!check_bytes_and_report(s, page, object, \"Redzone\",\n\t\t\tobject - s->red_left_pad, val, s->red_left_pad))\n\t\t\treturn 0;\n\n\t\tif (!check_bytes_and_report(s, page, object, \"Redzone\",\n\t\t\tendobject, val, s->inuse - s->object_size))\n\t\t\treturn 0;\n\t} else {\n\t\tif ((s->flags & SLAB_POISON) && s->object_size < s->inuse) {\n\t\t\tcheck_bytes_and_report(s, page, p, \"Alignment padding\",\n\t\t\t\tendobject, POISON_INUSE,\n\t\t\t\ts->inuse - s->object_size);\n\t\t}\n\t}\n\n\tif (s->flags & SLAB_POISON) {\n\t\tif (val != SLUB_RED_ACTIVE && (s->flags & __OBJECT_POISON) &&\n\t\t\t(!check_bytes_and_report(s, page, p, \"Poison\", p,\n\t\t\t\t\tPOISON_FREE, s->object_size - 1) ||\n\t\t\t !check_bytes_and_report(s, page, p, \"Poison\",\n\t\t\t\tp + s->object_size - 1, POISON_END, 1)))\n\t\t\treturn 0;\n\t\t/*\n\t\t * check_pad_bytes cleans up on its own.\n\t\t */\n\t\tcheck_pad_bytes(s, page, p);\n\t}\n\n\tif (!s->offset && val == SLUB_RED_ACTIVE)\n\t\t/*\n\t\t * Object and freepointer overlap. Cannot check\n\t\t * freepointer while object is allocated.\n\t\t */\n\t\treturn 1;\n\n\t/* Check free pointer validity */\n\tif (!check_valid_pointer(s, page, get_freepointer(s, p))) {\n\t\tobject_err(s, page, p, \"Freepointer corrupt\");\n\t\t/*\n\t\t * No choice but to zap it and thus lose the remainder\n\t\t * of the free objects in this slab. 
May cause\n\t\t * another error because the object count is now wrong.\n\t\t */\n\t\tset_freepointer(s, p, NULL);\n\t\treturn 0;\n\t}\n\treturn 1;\n}", "project": "linux", "hash": 130339137035694784581821640899461157924, "size": 55, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280244 }, { "func": "static inline int check_object(struct kmem_cache *s, struct page *page,\n\t\t\tvoid *object, u8 val) { return 1; }", "project": "linux", "hash": 116985851672907611021696617167359882199, "size": 2, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280262 }, { "func": " longlong val_int()\n {\n DBUG_ASSERT(fixed == 1);\n return longlong_from_string_with_check(&str_value);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 2008560027964156316729108562975965625, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509141 }, { "func": " longlong val_int()\n { return val_int_from_date(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 116554634427359656147216186873583923338, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509211 }, { "func": " longlong val_int()\n {\n if (check_null_ref())\n return 0;\n else\n return Item_direct_ref::val_int();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 41244178709543407459971598717116496832, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509230 }, { "func": " longlong val_int()\n {\n // following assert is redundant, because fixed=1 assigned in constructor\n DBUG_ASSERT(fixed == 1);\n return longlong_from_hex_hybrid(str_value.ptr(), str_value.length());\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 297174892167250416409899978654105575212, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509453 }, { "func": "bfad_im_reset_stats(struct Scsi_Host *shost)\n{\n\tstruct bfad_im_port_s *im_port =\n\t\t\t(struct bfad_im_port_s *) shost->hostdata[0];\n\tstruct bfad_s *bfad = im_port->bfad;\n\tstruct bfad_hal_comp fcomp;\n\tunsigned long flags;\n\tbfa_status_t rc;\n\n\tinit_completion(&fcomp.comp);\n\tspin_lock_irqsave(&bfad->bfad_lock, flags);\n\trc = bfa_port_clear_stats(BFA_FCPORT(&bfad->bfa), bfad_hcb_comp,\n\t\t\t\t\t&fcomp);\n\tspin_unlock_irqrestore(&bfad->bfad_lock, flags);\n\n\tif (rc != BFA_STATUS_OK)\n\t\treturn;\n\n\twait_for_completion(&fcomp.comp);\n\n\treturn;\n}", "project": "linux", "hash": 173066802928273124910720967520987704687, "size": 22, "commit_id": "0e62395da2bd5166d7c9e14cbc7503b256a34cb0", "message": "scsi: bfa: release allocated memory in case of error\n\nIn bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to\nbe released.\n\nLink: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com\nSigned-off-by: Navid Emamdoost \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 439525 }, { "func": "bfad_im_issue_fc_host_lip(struct Scsi_Host *shost)\n{\n\tstruct bfad_im_port_s *im_port =\n\t\t\t(struct bfad_im_port_s *) shost->hostdata[0];\n\tstruct bfad_s *bfad = im_port->bfad;\n\tstruct bfad_hal_comp fcomp;\n\tunsigned long flags;\n\tuint32_t status;\n\n\tinit_completion(&fcomp.comp);\n\tspin_lock_irqsave(&bfad->bfad_lock, flags);\n\tstatus = bfa_port_disable(&bfad->bfa.modules.port,\n\t\t\t\t\tbfad_hcb_comp, &fcomp);\n\tspin_unlock_irqrestore(&bfad->bfad_lock, flags);\n\n\tif (status != BFA_STATUS_OK)\n\t\treturn -EIO;\n\n\twait_for_completion(&fcomp.comp);\n\tif (fcomp.status != BFA_STATUS_OK)\n\t\treturn -EIO;\n\n\tspin_lock_irqsave(&bfad->bfad_lock, flags);\n\tstatus = bfa_port_enable(&bfad->bfa.modules.port,\n\t\t\t\t\tbfad_hcb_comp, &fcomp);\n\tspin_unlock_irqrestore(&bfad->bfad_lock, flags);\n\tif (status != BFA_STATUS_OK)\n\t\treturn -EIO;\n\n\twait_for_completion(&fcomp.comp);\n\tif (fcomp.status != BFA_STATUS_OK)\n\t\treturn -EIO;\n\n\treturn 0;\n}", "project": "linux", "hash": 311483974350107459712653949252347699238, "size": 35, "commit_id": "0e62395da2bd5166d7c9e14cbc7503b256a34cb0", "message": "scsi: bfa: release allocated memory in case of error\n\nIn bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to\nbe released.\n\nLink: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com\nSigned-off-by: Navid Emamdoost \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 439532 }, { "func": "static UINT32 update_glyph_offset(const BYTE* data, size_t length, UINT32 index, INT32* x, INT32* y,\n UINT32 ulCharInc, UINT32 flAccel)\n{\n\tif ((ulCharInc == 0) && (!(flAccel & SO_CHAR_INC_EQUAL_BM_BASE)))\n\t{\n\t\tUINT32 offset = data[index++];\n\n\t\tif (offset & 0x80)\n\t\t{\n\n\t\t\tif (index + 1 < length)\n\t\t\t{\n\t\t\t\toffset = data[index++];\n\t\t\t\toffset |= ((UINT32)data[index++]) << 8;\n\t\t\t}\n\t\t\telse\n\t\t\t\tWLog_WARN(TAG, \"[%s] glyph index out of bound %\" PRIu32 \" [max %\" PRIuz \"]\", index,\n\t\t\t\t length);\n\t\t}\n\n\t\tif (flAccel & SO_VERTICAL)\n\t\t\t*y += offset;\n\n\t\tif (flAccel & SO_HORIZONTAL)\n\t\t\t*x += offset;\n\t}\n\n\treturn index;\n}", "project": "FreeRDP", "hash": 41150128179172720693701677420965758635, "size": 29, "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 0, "dataset": "other", "idx": 432854 }, { "func": "static inline int kvm_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args)\n{\n\treturn -ENOSYS;\n}", "project": "linux", "hash": 60812763869598687516017611445549494084, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", 
"idx": 354700 }, { "func": "static void input_dev_toggle(struct input_dev *dev, bool activate)\n{\n\tif (!dev->event)\n\t\treturn;\n\n\tINPUT_DO_TOGGLE(dev, LED, led, activate);\n\tINPUT_DO_TOGGLE(dev, SND, snd, activate);\n\n\tif (activate && test_bit(EV_REP, dev->evbit)) {\n\t\tdev->event(dev, EV_REP, REP_PERIOD, dev->rep[REP_PERIOD]);\n\t\tdev->event(dev, EV_REP, REP_DELAY, dev->rep[REP_DELAY]);\n\t}\n}", "project": "linux", "hash": 71005472358076033840803149290230287131, "size": 13, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353327 }, { "func": "static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_read_bd_addr *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tif (test_bit(HCI_INIT, &hdev->flags))\n\t\tbacpy(&hdev->bdaddr, &rp->bdaddr);\n\n\tif (hci_dev_test_flag(hdev, HCI_SETUP))\n\t\tbacpy(&hdev->setup_addr, &rp->bdaddr);\n}", "project": "linux", "hash": 255988954814842984030056588615003725647, "size": 15, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431982 }, { "func": "static unsigned int input_to_handler(struct input_handle *handle,\n\t\t\tstruct input_value *vals, unsigned int count)\n{\n\tstruct input_handler *handler = handle->handler;\n\tstruct input_value *end = vals;\n\tstruct input_value *v;\n\n\tif (handler->filter) {\n\t\tfor (v = vals; v != vals + count; v++) {\n\t\t\tif (handler->filter(handle, v->type, v->code, v->value))\n\t\t\t\tcontinue;\n\t\t\tif (end != v)\n\t\t\t\t*end = *v;\n\t\t\tend++;\n\t\t}\n\t\tcount = end - vals;\n\t}\n\n\tif (!count)\n\t\treturn 0;\n\n\tif (handler->events)\n\t\thandler->events(handle, vals, count);\n\telse if (handler->event)\n\t\tfor (v = vals; v != vals + count; v++)\n\t\t\thandler->event(handle, v->type, v->code, v->value);\n\n\treturn count;\n}", "project": "linux", "hash": 248175943063348081017490602195955916455, "size": 29, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353316 }, { "func": "static void sst_reject_queries(my_bool close_conn)\n{\n wsrep_ready_set (FALSE); // this will be resotred when donor becomes synced\n WSREP_INFO(\"Rejecting client queries for the duration of SST.\");\n if (TRUE == close_conn) wsrep_close_client_connections(FALSE);\n}", "project": "mysql-wsrep", "hash": 330536249496874096948526232573588825911, "size": 6, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454805 }, { "func": "static int kvm_hv_set_msr_pw(struct kvm_vcpu *vcpu, u32 msr, u64 data,\n\t\t\t bool host)\n{\n\tstruct kvm *kvm = vcpu->kvm;\n\tstruct kvm_hv *hv = to_kvm_hv(kvm);\n\n\tswitch (msr) {\n\tcase HV_X64_MSR_GUEST_OS_ID:\n\t\thv->hv_guest_os_id = data;\n\t\t/* setting guest os id to zero disables hypercall page */\n\t\tif (!hv->hv_guest_os_id)\n\t\t\thv->hv_hypercall &= ~HV_X64_MSR_HYPERCALL_ENABLE;\n\t\tbreak;\n\tcase HV_X64_MSR_HYPERCALL: {\n\t\tu8 instructions[9];\n\t\tint i = 0;\n\t\tu64 addr;\n\n\t\t/* if guest os id is not set hypercall should remain disabled */\n\t\tif (!hv->hv_guest_os_id)\n\t\t\tbreak;\n\t\tif (!(data & HV_X64_MSR_HYPERCALL_ENABLE)) {\n\t\t\thv->hv_hypercall = data;\n\t\t\tbreak;\n\t\t}\n\n\t\t/*\n\t\t * If Xen and Hyper-V hypercalls are both enabled, disambiguate\n\t\t * the same way Xen itself does, by setting the bit 31 of EAX\n\t\t * which is RsvdZ in the 32-bit Hyper-V hypercall ABI and just\n\t\t * going to be clobbered on 64-bit.\n\t\t */\n\t\tif (kvm_xen_hypercall_enabled(kvm)) {\n\t\t\t/* orl $0x80000000, %eax */\n\t\t\tinstructions[i++] = 
0x0d;\n\t\t\tinstructions[i++] = 0x00;\n\t\t\tinstructions[i++] = 0x00;\n\t\t\tinstructions[i++] = 0x00;\n\t\t\tinstructions[i++] = 0x80;\n\t\t}\n\n\t\t/* vmcall/vmmcall */\n\t\tstatic_call(kvm_x86_patch_hypercall)(vcpu, instructions + i);\n\t\ti += 3;\n\n\t\t/* ret */\n\t\t((unsigned char *)instructions)[i++] = 0xc3;\n\n\t\taddr = data & HV_X64_MSR_HYPERCALL_PAGE_ADDRESS_MASK;\n\t\tif (kvm_vcpu_write_guest(vcpu, addr, instructions, i))\n\t\t\treturn 1;\n\t\thv->hv_hypercall = data;\n\t\tbreak;\n\t}\n\tcase HV_X64_MSR_REFERENCE_TSC:\n\t\thv->hv_tsc_page = data;\n\t\tif (hv->hv_tsc_page & HV_X64_MSR_TSC_REFERENCE_ENABLE)\n\t\t\tkvm_make_request(KVM_REQ_MASTERCLOCK_UPDATE, vcpu);\n\t\tbreak;\n\tcase HV_X64_MSR_CRASH_P0 ... HV_X64_MSR_CRASH_P4:\n\t\treturn kvm_hv_msr_set_crash_data(kvm,\n\t\t\t\t\t\t msr - HV_X64_MSR_CRASH_P0,\n\t\t\t\t\t\t data);\n\tcase HV_X64_MSR_CRASH_CTL:\n\t\tif (host)\n\t\t\treturn kvm_hv_msr_set_crash_ctl(kvm, data);\n\n\t\tif (data & HV_CRASH_CTL_CRASH_NOTIFY) {\n\t\t\tvcpu_debug(vcpu, \"hv crash (0x%llx 0x%llx 0x%llx 0x%llx 0x%llx)\\n\",\n\t\t\t\t hv->hv_crash_param[0],\n\t\t\t\t hv->hv_crash_param[1],\n\t\t\t\t hv->hv_crash_param[2],\n\t\t\t\t hv->hv_crash_param[3],\n\t\t\t\t hv->hv_crash_param[4]);\n\n\t\t\t/* Send notification about crash to user space */\n\t\t\tkvm_make_request(KVM_REQ_HV_CRASH, vcpu);\n\t\t}\n\t\tbreak;\n\tcase HV_X64_MSR_RESET:\n\t\tif (data == 1) {\n\t\t\tvcpu_debug(vcpu, \"hyper-v reset requested\\n\");\n\t\t\tkvm_make_request(KVM_REQ_HV_RESET, vcpu);\n\t\t}\n\t\tbreak;\n\tcase HV_X64_MSR_REENLIGHTENMENT_CONTROL:\n\t\thv->hv_reenlightenment_control = data;\n\t\tbreak;\n\tcase HV_X64_MSR_TSC_EMULATION_CONTROL:\n\t\thv->hv_tsc_emulation_control = data;\n\t\tbreak;\n\tcase HV_X64_MSR_TSC_EMULATION_STATUS:\n\t\thv->hv_tsc_emulation_status = data;\n\t\tbreak;\n\tcase HV_X64_MSR_TIME_REF_COUNT:\n\t\t/* read-only, but still ignore it if host-initiated */\n\t\tif (!host)\n\t\t\treturn 1;\n\t\tbreak;\n\tcase 
HV_X64_MSR_SYNDBG_OPTIONS:\n\tcase HV_X64_MSR_SYNDBG_CONTROL ... HV_X64_MSR_SYNDBG_PENDING_BUFFER:\n\t\treturn syndbg_set_msr(vcpu, msr, data, host);\n\tdefault:\n\t\tvcpu_unimpl(vcpu, \"Hyper-V unhandled wrmsr: 0x%x data 0x%llx\\n\",\n\t\t\t msr, data);\n\t\treturn 1;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 105075353119560887263966037529879241295, "size": 109, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343469 }, { "func": "int kvm_map_gfn(struct kvm_vcpu *vcpu, gfn_t gfn, struct kvm_host_map *map,\n\t\tstruct gfn_to_pfn_cache *cache, bool atomic)\n{\n\treturn __kvm_map_gfn(kvm_memslots(vcpu->kvm), gfn, map,\n\t\t\tcache, atomic);\n}", "project": "linux", "hash": 63760092667617808430394541785651402928, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354557 }, { "func": "static void select_describe(JOIN *join, bool need_tmp_table, bool need_order,\n\t\t\t bool distinct,const char *message)\n{\n THD *thd=join->thd;\n select_result *result=join->result;\n DBUG_ENTER(\"select_describe\");\n \n /* Update the QPF with latest values of using_temporary, using_filesort */\n for (SELECT_LEX_UNIT *unit= join->select_lex->first_inner_unit();\n unit;\n unit= unit->next_unit())\n {\n /*\n This fix_fields() call is to handle an edge case like this:\n \n SELECT ... 
UNION SELECT ... ORDER BY (SELECT ...)\n \n for such queries, we'll get here before having called\n subquery_expr->fix_fields(), which will cause failure to\n */\n if (unit->item && !unit->item->fixed)\n {\n Item *ref= unit->item;\n if (unit->item->fix_fields(thd, &ref))\n DBUG_VOID_RETURN;\n DBUG_ASSERT(ref == unit->item);\n }\n\n /* \n Save plans for child subqueries, when\n (1) they are not parts of eliminated WHERE/ON clauses.\n (2) they are not VIEWs that were \"merged for INSERT\".\n (3) they are not hanging CTEs (they are needed for execution)\n */\n if (!(unit->item && unit->item->eliminated) && // (1)\n !(unit->derived && unit->derived->merged_for_insert) && // (2)\n (!unit->with_element ||\n (unit->derived &&\n unit->derived->derived_result &&\n !unit->with_element->is_hanging_recursive()))) // (3)\n {\n if (mysql_explain_union(thd, unit, result))\n DBUG_VOID_RETURN;\n }\n }\n DBUG_VOID_RETURN;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 9365789175673347769078003700048014734, "size": 47, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508731 }, { "func": "static bool nfs4_stateid_is_current(nfs4_stateid *stateid,\n\t\tconst struct nfs_open_context *ctx,\n\t\tconst struct nfs_lock_context *l_ctx,\n\t\tfmode_t fmode)\n{\n\tnfs4_stateid _current_stateid;\n\n\t/* If the current stateid represents a lost lock, then exit */\n\tif (nfs4_set_rw_stateid(&_current_stateid, ctx, l_ctx, fmode) == -EIO)\n\t\treturn true;\n\treturn nfs4_stateid_match(stateid, &_current_stateid);\n}", "project": "linux", "hash": 252873204198902257293985151556412222851, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431093 }, { "func": "static int sctp_get_port_local(struct sock *sk, union sctp_addr *addr)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tbool reuse = (sk->sk_reuse || sp->reuse);\n\tstruct sctp_bind_hashbucket *head; /* hash list */\n\tstruct net *net = sock_net(sk);\n\tkuid_t uid = sock_i_uid(sk);\n\tstruct sctp_bind_bucket *pp;\n\tunsigned short snum;\n\tint ret;\n\n\tsnum = ntohs(addr->v4.sin_port);\n\n\tpr_debug(\"%s: begins, snum:%d\\n\", __func__, snum);\n\n\tif (snum == 0) {\n\t\t/* Search for an available port. 
*/\n\t\tint low, high, remaining, index;\n\t\tunsigned int rover;\n\n\t\tinet_get_local_port_range(net, &low, &high);\n\t\tremaining = (high - low) + 1;\n\t\trover = prandom_u32() % remaining + low;\n\n\t\tdo {\n\t\t\trover++;\n\t\t\tif ((rover < low) || (rover > high))\n\t\t\t\trover = low;\n\t\t\tif (inet_is_local_reserved_port(net, rover))\n\t\t\t\tcontinue;\n\t\t\tindex = sctp_phashfn(net, rover);\n\t\t\thead = &sctp_port_hashtable[index];\n\t\t\tspin_lock_bh(&head->lock);\n\t\t\tsctp_for_each_hentry(pp, &head->chain)\n\t\t\t\tif ((pp->port == rover) &&\n\t\t\t\t net_eq(net, pp->net))\n\t\t\t\t\tgoto next;\n\t\t\tbreak;\n\t\tnext:\n\t\t\tspin_unlock_bh(&head->lock);\n\t\t\tcond_resched();\n\t\t} while (--remaining > 0);\n\n\t\t/* Exhausted local port range during search? */\n\t\tret = 1;\n\t\tif (remaining <= 0)\n\t\t\treturn ret;\n\n\t\t/* OK, here is the one we will use. HEAD (the port\n\t\t * hash table list entry) is non-NULL and we hold it's\n\t\t * mutex.\n\t\t */\n\t\tsnum = rover;\n\t} else {\n\t\t/* We are given an specific port number; we verify\n\t\t * that it is not being used. 
If it is used, we will\n\t\t * exahust the search in the hash list corresponding\n\t\t * to the port number (snum) - we detect that with the\n\t\t * port iterator, pp being NULL.\n\t\t */\n\t\thead = &sctp_port_hashtable[sctp_phashfn(net, snum)];\n\t\tspin_lock_bh(&head->lock);\n\t\tsctp_for_each_hentry(pp, &head->chain) {\n\t\t\tif ((pp->port == snum) && net_eq(pp->net, net))\n\t\t\t\tgoto pp_found;\n\t\t}\n\t}\n\tpp = NULL;\n\tgoto pp_not_found;\npp_found:\n\tif (!hlist_empty(&pp->owner)) {\n\t\t/* We had a port hash table hit - there is an\n\t\t * available port (pp != NULL) and it is being\n\t\t * used by other socket (pp->owner not empty); that other\n\t\t * socket is going to be sk2.\n\t\t */\n\t\tstruct sock *sk2;\n\n\t\tpr_debug(\"%s: found a possible match\\n\", __func__);\n\n\t\tif ((pp->fastreuse && reuse &&\n\t\t sk->sk_state != SCTP_SS_LISTENING) ||\n\t\t (pp->fastreuseport && sk->sk_reuseport &&\n\t\t uid_eq(pp->fastuid, uid)))\n\t\t\tgoto success;\n\n\t\t/* Run through the list of sockets bound to the port\n\t\t * (pp->port) [via the pointers bind_next and\n\t\t * bind_pprev in the struct sock *sk2 (pp->sk)]. On each one,\n\t\t * we get the endpoint they describe and run through\n\t\t * the endpoint's list of IP (v4 or v6) addresses,\n\t\t * comparing each of the addresses with the address of\n\t\t * the socket sk. 
If we find a match, then that means\n\t\t * that this port/socket (sk) combination are already\n\t\t * in an endpoint.\n\t\t */\n\t\tsk_for_each_bound(sk2, &pp->owner) {\n\t\t\tstruct sctp_sock *sp2 = sctp_sk(sk2);\n\t\t\tstruct sctp_endpoint *ep2 = sp2->ep;\n\n\t\t\tif (sk == sk2 ||\n\t\t\t (reuse && (sk2->sk_reuse || sp2->reuse) &&\n\t\t\t sk2->sk_state != SCTP_SS_LISTENING) ||\n\t\t\t (sk->sk_reuseport && sk2->sk_reuseport &&\n\t\t\t uid_eq(uid, sock_i_uid(sk2))))\n\t\t\t\tcontinue;\n\n\t\t\tif (sctp_bind_addr_conflict(&ep2->base.bind_addr,\n\t\t\t\t\t\t addr, sp2, sp)) {\n\t\t\t\tret = 1;\n\t\t\t\tgoto fail_unlock;\n\t\t\t}\n\t\t}\n\n\t\tpr_debug(\"%s: found a match\\n\", __func__);\n\t}\npp_not_found:\n\t/* If there was a hash table miss, create a new port. */\n\tret = 1;\n\tif (!pp && !(pp = sctp_bucket_create(head, net, snum)))\n\t\tgoto fail_unlock;\n\n\t/* In either case (hit or miss), make sure fastreuse is 1 only\n\t * if sk->sk_reuse is too (that is, if the caller requested\n\t * SO_REUSEADDR on this socket -sk-).\n\t */\n\tif (hlist_empty(&pp->owner)) {\n\t\tif (reuse && sk->sk_state != SCTP_SS_LISTENING)\n\t\t\tpp->fastreuse = 1;\n\t\telse\n\t\t\tpp->fastreuse = 0;\n\n\t\tif (sk->sk_reuseport) {\n\t\t\tpp->fastreuseport = 1;\n\t\t\tpp->fastuid = uid;\n\t\t} else {\n\t\t\tpp->fastreuseport = 0;\n\t\t}\n\t} else {\n\t\tif (pp->fastreuse &&\n\t\t (!reuse || sk->sk_state == SCTP_SS_LISTENING))\n\t\t\tpp->fastreuse = 0;\n\n\t\tif (pp->fastreuseport &&\n\t\t (!sk->sk_reuseport || !uid_eq(pp->fastuid, uid)))\n\t\t\tpp->fastreuseport = 0;\n\t}\n\n\t/* We are set, so fill up all the data in the hash table\n\t * entry, tie the socket list information with the rest of the\n\t * sockets FIXME: Blurry, NPI (ipg).\n\t */\nsuccess:\n\tif (!sp->bind_hash) {\n\t\tinet_sk(sk)->inet_num = snum;\n\t\tsk_add_bind_node(sk, &pp->owner);\n\t\tsp->bind_hash = pp;\n\t}\n\tret = 0;\n\nfail_unlock:\n\tspin_unlock_bh(&head->lock);\n\treturn ret;\n}", "project": "linux", "hash": 
114645420471530319730993408431145015429, "size": 164, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398194 }, { "func": "\nstatic void io_rsrc_data_free(struct io_rsrc_data *data)\n{\n\tkvfree(data->tags);\n\tkfree(data);", "project": "linux", "hash": 19376891216364280321801300925847255748, "size": 5, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338609 }, { "func": "static void virtual_submission_tasklet(unsigned long data)\n{\n\tstruct virtual_engine * const ve = (struct virtual_engine *)data;\n\tconst int prio = ve->base.execlists.queue_priority_hint;\n\tintel_engine_mask_t mask;\n\tunsigned int n;\n\n\trcu_read_lock();\n\tmask = virtual_submission_mask(ve);\n\trcu_read_unlock();\n\tif (unlikely(!mask))\n\t\treturn;\n\n\tlocal_irq_disable();\n\tfor (n = 0; READ_ONCE(ve->request) && n < ve->num_siblings; n++) {\n\t\tstruct intel_engine_cs *sibling = ve->siblings[n];\n\t\tstruct ve_node * const node = &ve->nodes[sibling->id];\n\t\tstruct rb_node **parent, *rb;\n\t\tbool first;\n\n\t\tif (unlikely(!(mask & sibling->mask))) {\n\t\t\tif (!RB_EMPTY_NODE(&node->rb)) {\n\t\t\t\tspin_lock(&sibling->active.lock);\n\t\t\t\trb_erase_cached(&node->rb,\n\t\t\t\t\t\t&sibling->execlists.virtual);\n\t\t\t\tRB_CLEAR_NODE(&node->rb);\n\t\t\t\tspin_unlock(&sibling->active.lock);\n\t\t\t}\n\t\t\tcontinue;\n\t\t}\n\n\t\tspin_lock(&sibling->active.lock);\n\n\t\tif (!RB_EMPTY_NODE(&node->rb)) {\n\t\t\t/*\n\t\t\t * Cheat and avoid rebalancing the tree if we can\n\t\t\t * reuse this node in situ.\n\t\t\t */\n\t\t\tfirst = rb_first_cached(&sibling->execlists.virtual) ==\n\t\t\t\t&node->rb;\n\t\t\tif (prio == node->prio || (prio > node->prio && first))\n\t\t\t\tgoto submit_engine;\n\n\t\t\trb_erase_cached(&node->rb, 
&sibling->execlists.virtual);\n\t\t}\n\n\t\trb = NULL;\n\t\tfirst = true;\n\t\tparent = &sibling->execlists.virtual.rb_root.rb_node;\n\t\twhile (*parent) {\n\t\t\tstruct ve_node *other;\n\n\t\t\trb = *parent;\n\t\t\tother = rb_entry(rb, typeof(*other), rb);\n\t\t\tif (prio > other->prio) {\n\t\t\t\tparent = &rb->rb_left;\n\t\t\t} else {\n\t\t\t\tparent = &rb->rb_right;\n\t\t\t\tfirst = false;\n\t\t\t}\n\t\t}\n\n\t\trb_link_node(&node->rb, rb, parent);\n\t\trb_insert_color_cached(&node->rb,\n\t\t\t\t &sibling->execlists.virtual,\n\t\t\t\t first);\n\nsubmit_engine:\n\t\tGEM_BUG_ON(RB_EMPTY_NODE(&node->rb));\n\t\tnode->prio = prio;\n\t\tif (first && prio > sibling->execlists.queue_priority_hint) {\n\t\t\tsibling->execlists.queue_priority_hint = prio;\n\t\t\ttasklet_hi_schedule(&sibling->execlists.tasklet);\n\t\t}\n\n\t\tspin_unlock(&sibling->active.lock);\n\t}\n\tlocal_irq_enable();\n}", "project": "linux", "hash": 280800221333123503205571169166288196413, "size": 79, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281463 }, { "func": "static inline u32 tcp_highest_sack_seq(struct tcp_sock *tp)\n{\n\tif (!tp->sacked_out)\n\t\treturn tp->snd_una;\n\n\tif (tp->highest_sack == NULL)\n\t\treturn tp->snd_nxt;\n\n\treturn TCP_SKB_CB(tp->highest_sack)->seq;\n}", "project": "linux", "hash": 212584129984855830430817577249782152611, "size": 10, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410753 }, { "func": "int headerNext(HeaderIterator hi, rpmtd td)\n{\n indexEntry entry = nextIndex(hi);\n int rc = 0;\n\n rpmtdReset(td);\n if (entry) {\n\ttd->tag = entry->info.tag;\n\trc = copyTdEntry(entry, td, HEADERGET_DEFAULT);\n }\n return ((rc == 1) ? 1 : 0);\n}", "project": "rpm", "hash": 175304733320886648622054302800162586718, "size": 12, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318166 }, { "func": "static void sanitize_string(std::string &str)\n{\n\tstr.erase(std::remove(str.begin(), str.end(), DESERIALIZE_START), str.end());\n\tstr.erase(std::remove(str.begin(), str.end(), DESERIALIZE_KV_DELIM), str.end());\n\tstr.erase(std::remove(str.begin(), str.end(), DESERIALIZE_PAIR_DELIM), str.end());\n}", "project": "minetest", "hash": 107287701748750631419518263334297586847, "size": 6, "commit_id": "b5956bde259faa240a81060ff4e598e25ad52dae", "message": "Sanitize ItemStack meta text", "target": 0, "dataset": "other", "idx": 279956 }, { "func": "static inline int lookup_last(struct nameidata *nd)\n{\n\tif (nd->last_type == LAST_NORM && nd->last.name[nd->last.len])\n\t\tnd->flags |= LOOKUP_FOLLOW | LOOKUP_DIRECTORY;\n\n\tnd->flags &= ~LOOKUP_PARENT;\n\treturn walk_component(nd, 0);\n}", "project": "linux", "hash": 222950059507820991945597778568717602533, "size": 8, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295405 }, { "func": "static void autocomplete_breakpoints(RCore *core, 
RLineCompletion *completion, const char *str) {\n\tr_return_if_fail (str);\n\tRListIter *iter;\n\tRBreakpoint *bp = core->dbg->bp;\n\tRBreakpointItem *b;\n\tint n = strlen (str);\n\tr_list_foreach (bp->bps, iter, b) {\n\t\tchar *addr = r_str_newf (\"0x%\"PFMT64x\"\", b->addr);\n\t\tif (!strncmp (addr, str, n)) {\n\t\t\tr_line_completion_push (completion, addr);\n\t\t}\n\t\tfree (addr);\n\t}\n}", "project": "radare2", "hash": 180932195363043463152102259594159461283, "size": 14, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232102 }, { "func": "void path_get(const struct path *path)\n{\n\tmntget(path->mnt);\n\tdget(path->dentry);\n}", "project": "linux", "hash": 295040896957197595973884831944660403694, "size": 5, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295403 }, { "func": "static int exif_scan_FILE_header(image_info_type *ImageInfo) {\n unsigned char *file_header;\n int ret = 0;\n\n ImageInfo->FileType = IMAGE_FILETYPE_UNKNOWN;\n\n if (ImageInfo->FileSize >= 2) {\n ImageInfo->infile->seek(0, SEEK_SET);\n String fileHeader = ImageInfo->infile->read(2);\n if (fileHeader.length() != 2) {\n return 0;\n }\n file_header = (unsigned char *)fileHeader.c_str();\n if ((file_header[0]==0xff) && (file_header[1]==M_SOI)) {\n ImageInfo->FileType = IMAGE_FILETYPE_JPEG;\n if (exif_scan_JPEG_header(ImageInfo)) {\n ret = 1;\n } else {\n raise_warning(\"Invalid JPEG file\");\n }\n } else if (ImageInfo->FileSize >= 8) {\n String str = ImageInfo->infile->read(6);\n if (str.length() != 6) {\n return 0;\n }\n fileHeader += str;\n file_header = 
(unsigned char *)fileHeader.c_str();\n if (!memcmp(file_header, \"II\\x2A\\x00\", 4)) {\n ImageInfo->FileType = IMAGE_FILETYPE_TIFF_II;\n ImageInfo->motorola_intel = 0;\n ImageInfo->sections_found |= FOUND_IFD0;\n if (exif_process_IFD_in_TIFF(ImageInfo,\n php_ifd_get32u(file_header + 4, ImageInfo->motorola_intel),\n SECTION_IFD0)) {\n ret = 1;\n } else {\n raise_warning(\"Invalid TIFF file\");\n }\n } else if (!memcmp(file_header, \"MM\\x00\\x2a\", 4)) {\n ImageInfo->FileType = IMAGE_FILETYPE_TIFF_MM;\n ImageInfo->motorola_intel = 1;\n ImageInfo->sections_found |= FOUND_IFD0;\n if (exif_process_IFD_in_TIFF(ImageInfo,\n php_ifd_get32u(file_header + 4, ImageInfo->motorola_intel),\n SECTION_IFD0)) {\n ret = 1;\n } else {\n raise_warning(\"Invalid TIFF file\");\n }\n } else {\n raise_warning(\"File not supported\");\n return 0;\n }\n }\n } else {\n raise_warning(\"File too small (%lu)\", ImageInfo->FileSize);\n }\n return ret;\n}", "project": "hhvm", "hash": 279413608859574511563582705997572192051, "size": 59, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219272 }, { "func": "void enc_untrusted_thread_wait_value(int32_t *const queue, int32_t value,\n uint64_t timeout_microsec) {\n enc_untrusted_sys_futex_wait(queue, value, timeout_microsec);\n}", "project": "asylo", "hash": 334129685020692336631338006046934267718, "size": 4, "commit_id": "a37fb6a0e7daf30134dbbf357c9a518a1026aa02", "message": "Check untrusted queue is in outside enclave\n\nPiperOrigin-RevId: 333370935\nChange-Id: Ic3f15d5db1302d95c7cb199b44172474fecb81ca", "target": 0, "dataset": "other", "idx": 231077 }, { "func": "UnicodeString::setToBogus()\n{\n releaseArray();\n\n fUnion.fFields.fLengthAndFlags = kIsBogus;\n fUnion.fFields.fArray = 0;\n fUnion.fFields.fCapacity = 0;\n}", "project": "icu", "hash": 175240954268397445842840368059280007573, "size": 8, "commit_id": 
"b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430774 }, { "func": "static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\t__u8 param;\n\tvoid *sent;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);\n\tif (!sent)\n\t\treturn;\n\n\tparam = *((__u8 *) sent);\n\n\thci_dev_lock(hdev);\n\n\tif (status) {\n\t\thdev->discov_timeout = 0;\n\t\tgoto done;\n\t}\n\n\tif (param & SCAN_INQUIRY)\n\t\tset_bit(HCI_ISCAN, &hdev->flags);\n\telse\n\t\tclear_bit(HCI_ISCAN, &hdev->flags);\n\n\tif (param & SCAN_PAGE)\n\t\tset_bit(HCI_PSCAN, &hdev->flags);\n\telse\n\t\tclear_bit(HCI_PSCAN, &hdev->flags);\n\ndone:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 67300382797711753105063007998975290875, "size": 34, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431879 }, { "func": "static enum_func_status\nphp_mysqlnd_rset_field_read(void * _packet, MYSQLND_CONN_DATA * conn TSRMLS_DC)\n{\n\t/* Should be enough for the metadata of a single row */\n\tMYSQLND_PACKET_RES_FIELD *packet= (MYSQLND_PACKET_RES_FIELD *) _packet;\n\tsize_t buf_len = conn->net->cmd_buffer.length, total_len = 0;\n\tzend_uchar *buf = (zend_uchar *) conn->net->cmd_buffer.buffer;\n\tzend_uchar *p = buf;\n\tzend_uchar *begin = buf;\n\tchar *root_ptr;\n\tunsigned long len;\n\tMYSQLND_FIELD *meta;\n\tunsigned int i, field_count = sizeof(rset_field_offsets)/sizeof(size_t);\n\n\tDBG_ENTER(\"php_mysqlnd_rset_field_read\");\n\n\tPACKET_READ_HEADER_AND_BODY(packet, conn, buf, buf_len, \"field\", PROT_RSET_FLD_PACKET);\n\n\tif (packet->skip_parsing) {\n\t\tDBG_RETURN(PASS);\n\t}\n\n\tBAIL_IF_NO_MORE_DATA;\n\tif (ERROR_MARKER == *p) {\n\t\t/* Error */\n\t\tp++;\n\t\tBAIL_IF_NO_MORE_DATA;\n\t\tphp_mysqlnd_read_error_from_line(p, packet->header.size - 1,\n\t\t\t\t\t\t\t\t\t\t packet->error_info.error, sizeof(packet->error_info.error),\n\t\t\t\t\t\t\t\t\t\t &packet->error_info.error_no, packet->error_info.sqlstate\n\t\t\t\t\t\t\t\t\t\t TSRMLS_CC);\n\t\tDBG_ERR_FMT(\"Server error : (%u) %s\", packet->error_info.error_no, packet->error_info.error);\n\t\tDBG_RETURN(PASS);\n\t} else if (EODATA_MARKER == *p && packet->header.size < 8) {\n\t\t/* Premature EOF. That should be COM_FIELD_LIST */\n\t\tDBG_INF(\"Premature EOF. 
That should be COM_FIELD_LIST\");\n\t\tpacket->stupid_list_fields_eof = TRUE;\n\t\tDBG_RETURN(PASS);\n\t}\n\n\tmeta = packet->metadata;\n\n\tfor (i = 0; i < field_count; i += 2) {\n\t\tlen = php_mysqlnd_net_field_length(&p);\n\t\tBAIL_IF_NO_MORE_DATA;\n\t\tswitch ((len)) {\n\t\t\tcase 0:\n\t\t\t\t*(const char **)(((char*)meta) + rset_field_offsets[i]) = mysqlnd_empty_string;\n\t\t\t\t*(unsigned int *)(((char*)meta) + rset_field_offsets[i+1]) = 0;\n\t\t\t\tbreak;\n\t\t\tcase MYSQLND_NULL_LENGTH:\n\t\t\t\tgoto faulty_or_fake;\n\t\t\tdefault:\n\t\t\t\t*(const char **)(((char *)meta) + rset_field_offsets[i]) = (const char *)p;\n\t\t\t\t*(unsigned int *)(((char*)meta) + rset_field_offsets[i+1]) = len;\n\t\t\t\tp += len;\n\t\t\t\ttotal_len += len + 1;\n\t\t\t\tbreak;\n\t\t}\n\t\tBAIL_IF_NO_MORE_DATA;\n\t}\n\n\t/* 1 byte length */\n\tif (12 != *p) {\n\t\tDBG_ERR_FMT(\"Protocol error. Server sent false length. Expected 12 got %d\", (int) *p);\n\t\tphp_error_docref(NULL TSRMLS_CC, E_WARNING, \"Protocol error. Server sent false length. Expected 12\");\n\t}\n\tp++;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tmeta->charsetnr = uint2korr(p);\n\tp += 2;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tmeta->length = uint4korr(p);\n\tp += 4;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tmeta->type = uint1korr(p);\n\tp += 1;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tmeta->flags = uint2korr(p);\n\tp += 2;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tmeta->decimals = uint1korr(p);\n\tp += 1;\n\tBAIL_IF_NO_MORE_DATA;\n\n\t/* 2 byte filler */\n\tp +=2;\n\tBAIL_IF_NO_MORE_DATA;\n\n\t/* Should we set NUM_FLAG (libmysql does it) ? 
*/\n\tif (\n\t\t(meta->type <= MYSQL_TYPE_INT24 &&\n\t\t\t(meta->type != MYSQL_TYPE_TIMESTAMP || meta->length == 14 || meta->length == 8)\n\t\t) || meta->type == MYSQL_TYPE_YEAR)\n\t{\n\t\tmeta->flags |= NUM_FLAG;\n\t}\n\n\n\t/*\n\t def could be empty, thus don't allocate on the root.\n\t NULL_LENGTH (0xFB) comes from COM_FIELD_LIST when the default value is NULL.\n\t Otherwise the string is length encoded.\n\t*/\n\tif (packet->header.size > (size_t) (p - buf) &&\n\t\t(len = php_mysqlnd_net_field_length(&p)) &&\n\t\tlen != MYSQLND_NULL_LENGTH)\n\t{\n\t\tBAIL_IF_NO_MORE_DATA;\n\t\tDBG_INF_FMT(\"Def found, length %lu, persistent=%u\", len, packet->persistent_alloc);\n\t\tmeta->def = mnd_pemalloc(len + 1, packet->persistent_alloc);\n\t\tif (!meta->def) {\n\t\t\tSET_OOM_ERROR(*conn->error_info);\n\t\t\tDBG_RETURN(FAIL);\t\t\n\t\t}\n\t\tmemcpy(meta->def, p, len);\n\t\tmeta->def[len] = '\\0';\n\t\tmeta->def_length = len;\n\t\tp += len;\n\t}\n\n\tDBG_INF_FMT(\"allocing root. persistent=%u\", packet->persistent_alloc);\n\troot_ptr = meta->root = mnd_pemalloc(total_len, packet->persistent_alloc);\n\tif (!root_ptr) {\n\t\tSET_OOM_ERROR(*conn->error_info);\n\t\tDBG_RETURN(FAIL);\t\n\t}\n\t\n\tmeta->root_len = total_len;\n\t/* Now do allocs */\n\tif (meta->catalog && meta->catalog != mysqlnd_empty_string) {\n\t\tlen = meta->catalog_length;\n\t\tmeta->catalog = memcpy(root_ptr, meta->catalog, len);\n\t\t*(root_ptr +=len) = '\\0';\n\t\troot_ptr++;\n\t}\n\n\tif (meta->db && meta->db != mysqlnd_empty_string) {\n\t\tlen = meta->db_length;\n\t\tmeta->db = memcpy(root_ptr, meta->db, len);\n\t\t*(root_ptr +=len) = '\\0';\n\t\troot_ptr++;\n\t}\n\n\tif (meta->table && meta->table != mysqlnd_empty_string) {\n\t\tlen = meta->table_length;\n\t\tmeta->table = memcpy(root_ptr, meta->table, len);\n\t\t*(root_ptr +=len) = '\\0';\n\t\troot_ptr++;\n\t}\n\n\tif (meta->org_table && meta->org_table != mysqlnd_empty_string) {\n\t\tlen = meta->org_table_length;\n\t\tmeta->org_table = memcpy(root_ptr, 
meta->org_table, len);\n\t\t*(root_ptr +=len) = '\\0';\n\t\troot_ptr++;\n\t}\n\n\tif (meta->name && meta->name != mysqlnd_empty_string) {\n\t\tlen = meta->name_length;\n\t\tmeta->name = memcpy(root_ptr, meta->name, len);\n\t\t*(root_ptr +=len) = '\\0';\n\t\troot_ptr++;\n\t}\n\n\tif (meta->org_name && meta->org_name != mysqlnd_empty_string) {\n\t\tlen = meta->org_name_length;\n\t\tmeta->org_name = memcpy(root_ptr, meta->org_name, len);\n\t\t*(root_ptr +=len) = '\\0';\n\t\troot_ptr++;\n\t}\n\n\tDBG_INF_FMT(\"FIELD=[%s.%s.%s]\", meta->db? meta->db:\"*NA*\", meta->table? meta->table:\"*NA*\",\n\t\t\t\tmeta->name? meta->name:\"*NA*\");\n\n\tDBG_RETURN(PASS);\n\nfaulty_or_fake:\n\tDBG_ERR_FMT(\"Protocol error. Server sent NULL_LENGTH. The server is faulty\");\n\tphp_error_docref(NULL TSRMLS_CC, E_WARNING, \"Protocol error. Server sent NULL_LENGTH.\"\n\t\t\t\t\t \" The server is faulty\");\n\tDBG_RETURN(FAIL);\npremature_end:\n\tDBG_ERR_FMT(\"RSET field packet %d bytes shorter than expected\", p - begin - packet->header.size);\n\tphp_error_docref(NULL TSRMLS_CC, E_WARNING, \"Result set field packet \"MYSQLND_SZ_T_SPEC\" bytes \"\n\t\t\t \t\t\"shorter than expected\", p - begin - packet->header.size);\n\tDBG_RETURN(FAIL);", "project": "php-src", "hash": 338361316054610932407132552228316066995, "size": 192, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416638 }, { "func": "static void release_one_tty(struct work_struct *work)\n{\n\tstruct tty_struct *tty =\n\t\tcontainer_of(work, struct tty_struct, hangup_work);\n\tstruct tty_driver *driver = tty->driver;\n\tstruct module *owner = driver->owner;\n\n\tif (tty->ops->cleanup)\n\t\ttty->ops->cleanup(tty);\n\n\ttty->magic = 
0;\n\ttty_driver_kref_put(driver);\n\tmodule_put(owner);\n\n\tspin_lock(&tty->files_lock);\n\tlist_del_init(&tty->tty_files);\n\tspin_unlock(&tty->files_lock);\n\n\tput_pid(tty->pgrp);\n\tput_pid(tty->session);\n\tfree_tty_struct(tty);\n}", "project": "linux", "hash": 319836633828103881066335794665781051315, "size": 22, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326077 }, { "func": "void kvm_s390_sync_request(int req, struct kvm_vcpu *vcpu)\n{\n\tkvm_make_request(req, vcpu);\n\tkvm_s390_vcpu_request(vcpu);\n}", "project": "linux", "hash": 60141793950354954461220500905415183213, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354814 }, { "func": "static OPJ_BOOL opj_j2k_write_cod(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n opj_cp_t *l_cp = 00;\n opj_tcp_t *l_tcp = 00;\n OPJ_UINT32 l_code_size, l_remaining_size;\n OPJ_BYTE * 
l_current_data = 00;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n l_cp = &(p_j2k->m_cp);\n l_tcp = &l_cp->tcps[p_j2k->m_current_tile_number];\n l_code_size = 9 + opj_j2k_get_SPCod_SPCoc_size(p_j2k,\n p_j2k->m_current_tile_number, 0);\n l_remaining_size = l_code_size;\n\n if (l_code_size > p_j2k->m_specific_param.m_encoder.m_header_tile_data_size) {\n OPJ_BYTE *new_header_tile_data = (OPJ_BYTE *) opj_realloc(\n p_j2k->m_specific_param.m_encoder.m_header_tile_data, l_code_size);\n if (! new_header_tile_data) {\n opj_free(p_j2k->m_specific_param.m_encoder.m_header_tile_data);\n p_j2k->m_specific_param.m_encoder.m_header_tile_data = NULL;\n p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = 0;\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to write COD marker\\n\");\n return OPJ_FALSE;\n }\n p_j2k->m_specific_param.m_encoder.m_header_tile_data = new_header_tile_data;\n p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = l_code_size;\n }\n\n l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;\n\n opj_write_bytes(l_current_data, J2K_MS_COD, 2); /* COD */\n l_current_data += 2;\n\n opj_write_bytes(l_current_data, l_code_size - 2, 2); /* L_COD */\n l_current_data += 2;\n\n opj_write_bytes(l_current_data, l_tcp->csty, 1); /* Scod */\n ++l_current_data;\n\n opj_write_bytes(l_current_data, (OPJ_UINT32)l_tcp->prg, 1); /* SGcod (A) */\n ++l_current_data;\n\n opj_write_bytes(l_current_data, l_tcp->numlayers, 2); /* SGcod (B) */\n l_current_data += 2;\n\n opj_write_bytes(l_current_data, l_tcp->mct, 1); /* SGcod (C) */\n ++l_current_data;\n\n l_remaining_size -= 9;\n\n if (! 
opj_j2k_write_SPCod_SPCoc(p_j2k, p_j2k->m_current_tile_number, 0,\n l_current_data, &l_remaining_size, p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Error writing COD marker\\n\");\n return OPJ_FALSE;\n }\n\n if (l_remaining_size != 0) {\n opj_event_msg(p_manager, EVT_ERROR, \"Error writing COD marker\\n\");\n return OPJ_FALSE;\n }\n\n if (opj_stream_write_data(p_stream,\n p_j2k->m_specific_param.m_encoder.m_header_tile_data, l_code_size,\n p_manager) != l_code_size) {\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 130379455448953484919880499989527001773, "size": 75, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357403 }, { "func": "void gdImageAABlend (gdImagePtr im)\n{\n\tfloat p_alpha, old_alpha;\n\tint color = im->AA_color, color_red, color_green, color_blue;\n\tint old_color, old_red, old_green, old_blue;\n\tint p_color, p_red, p_green, p_blue;\n\tint px, py;\n\n\tcolor_red = gdImageRed(im, color);\n\tcolor_green = gdImageGreen(im, color);\n\tcolor_blue = gdImageBlue(im, color);\n\n\t/* Impose the anti-aliased drawing on the image. */\n\tfor (py = 0; py < im->sy; py++) {\n\t\tfor (px = 0; px < im->sx; px++) {\n\t\t\tif (im->AA_opacity[py][px] != 0) {\n\t\t\t\told_color = gdImageGetPixel(im, px, py);\n\n\t\t\t\tif ((old_color != color) && ((old_color != im->AA_dont_blend) || (im->AA_opacity[py][px] == 255))) {\n\t\t\t\t\t/* Only blend with different colors that aren't the dont_blend color. 
*/\n\t\t\t\t\tp_alpha = (float) (im->AA_opacity[py][px]) / 255.0;\n\t\t\t\t\told_alpha = 1.0 - p_alpha;\n\n\t\t\t\t\tif (p_alpha >= 1.0) {\n\t\t\t\t\t\tp_color = color;\n\t\t\t\t\t} else {\n\t\t\t\t\t\told_red = gdImageRed(im, old_color);\n\t\t\t\t\t\told_green = gdImageGreen(im, old_color);\n\t\t\t\t\t\told_blue = gdImageBlue(im, old_color);\n\n\t\t\t\t\t\tp_red = (int) (((float) color_red * p_alpha) + ((float) old_red * old_alpha));\n\t\t\t\t\t\tp_green = (int) (((float) color_green * p_alpha) + ((float) old_green * old_alpha));\n\t\t\t\t\t\tp_blue = (int) (((float) color_blue * p_alpha) + ((float) old_blue * old_alpha));\n\t\t\t\t\t\tp_color = gdImageColorResolve(im, p_red, p_green, p_blue);\n\t\t\t\t\t}\n\t\t\t\t\tgdImageSetPixel(im, px, py, p_color);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t/* Clear the AA_opacity array behind us. */\n\t\tmemset(im->AA_opacity[py], 0, im->sx);\n\t}\n}", "project": "php-src", "hash": 65007263738933565500640244052885308781, "size": 43, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295144 }, { "func": "long kvm_arch_fault_in_page(struct kvm_vcpu *vcpu, gpa_t gpa, int writable)\n{\n\treturn gmap_fault(vcpu->arch.gmap, gpa,\n\t\t\t writable ? 
FAULT_FLAG_WRITE : 0);\n}", "project": "linux", "hash": 209397422855655461158597629432580275238, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354781 }, { "func": "static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)\n{\n\tstruct nftables_pernet *nft_net = nft_pernet(net);\n\tstruct nft_trans *trans, *next;\n\tstruct nft_trans_elem *te;\n\tstruct nft_hook *hook;\n\n\tif (action == NFNL_ABORT_VALIDATE &&\n\t nf_tables_validate(net) < 0)\n\t\treturn -EAGAIN;\n\n\tlist_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,\n\t\t\t\t\t list) {\n\t\tswitch (trans->msg_type) {\n\t\tcase NFT_MSG_NEWTABLE:\n\t\t\tif (nft_trans_table_update(trans)) {\n\t\t\t\tif (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {\n\t\t\t\t\tnft_trans_destroy(trans);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tif (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) {\n\t\t\t\t\tnf_tables_table_disable(net, trans->ctx.table);\n\t\t\t\t\ttrans->ctx.table->flags |= NFT_TABLE_F_DORMANT;\n\t\t\t\t} else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {\n\t\t\t\t\ttrans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;\n\t\t\t\t}\n\t\t\t\ttrans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;\n\t\t\t\tnft_trans_destroy(trans);\n\t\t\t} else 
{\n\t\t\t\tlist_del_rcu(&trans->ctx.table->list);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase NFT_MSG_DELTABLE:\n\t\t\tnft_clear(trans->ctx.net, trans->ctx.table);\n\t\t\tnft_trans_destroy(trans);\n\t\t\tbreak;\n\t\tcase NFT_MSG_NEWCHAIN:\n\t\t\tif (nft_trans_chain_update(trans)) {\n\t\t\t\tfree_percpu(nft_trans_chain_stats(trans));\n\t\t\t\tkfree(nft_trans_chain_name(trans));\n\t\t\t\tnft_trans_destroy(trans);\n\t\t\t} else {\n\t\t\t\tif (nft_chain_is_bound(trans->ctx.chain)) {\n\t\t\t\t\tnft_trans_destroy(trans);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\ttrans->ctx.table->use--;\n\t\t\t\tnft_chain_del(trans->ctx.chain);\n\t\t\t\tnf_tables_unregister_hook(trans->ctx.net,\n\t\t\t\t\t\t\t trans->ctx.table,\n\t\t\t\t\t\t\t trans->ctx.chain);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase NFT_MSG_DELCHAIN:\n\t\t\ttrans->ctx.table->use++;\n\t\t\tnft_clear(trans->ctx.net, trans->ctx.chain);\n\t\t\tnft_trans_destroy(trans);\n\t\t\tbreak;\n\t\tcase NFT_MSG_NEWRULE:\n\t\t\ttrans->ctx.chain->use--;\n\t\t\tlist_del_rcu(&nft_trans_rule(trans)->list);\n\t\t\tnft_rule_expr_deactivate(&trans->ctx,\n\t\t\t\t\t\t nft_trans_rule(trans),\n\t\t\t\t\t\t NFT_TRANS_ABORT);\n\t\t\tbreak;\n\t\tcase NFT_MSG_DELRULE:\n\t\t\ttrans->ctx.chain->use++;\n\t\t\tnft_clear(trans->ctx.net, nft_trans_rule(trans));\n\t\t\tnft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));\n\t\t\tnft_trans_destroy(trans);\n\t\t\tbreak;\n\t\tcase NFT_MSG_NEWSET:\n\t\t\ttrans->ctx.table->use--;\n\t\t\tif (nft_trans_set_bound(trans)) {\n\t\t\t\tnft_trans_destroy(trans);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tlist_del_rcu(&nft_trans_set(trans)->list);\n\t\t\tbreak;\n\t\tcase NFT_MSG_DELSET:\n\t\t\ttrans->ctx.table->use++;\n\t\t\tnft_clear(trans->ctx.net, nft_trans_set(trans));\n\t\t\tnft_trans_destroy(trans);\n\t\t\tbreak;\n\t\tcase NFT_MSG_NEWSETELEM:\n\t\t\tif (nft_trans_elem_set_bound(trans)) {\n\t\t\t\tnft_trans_destroy(trans);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tte = (struct nft_trans_elem *)trans->data;\n\t\t\tnft_setelem_remove(net, te->set, 
&te->elem);\n\t\t\tif (!nft_setelem_is_catchall(te->set, &te->elem))\n\t\t\t\tatomic_dec(&te->set->nelems);\n\t\t\tbreak;\n\t\tcase NFT_MSG_DELSETELEM:\n\t\t\tte = (struct nft_trans_elem *)trans->data;\n\n\t\t\tnft_setelem_data_activate(net, te->set, &te->elem);\n\t\t\tnft_setelem_activate(net, te->set, &te->elem);\n\t\t\tif (!nft_setelem_is_catchall(te->set, &te->elem))\n\t\t\t\tte->set->ndeact--;\n\n\t\t\tnft_trans_destroy(trans);\n\t\t\tbreak;\n\t\tcase NFT_MSG_NEWOBJ:\n\t\t\tif (nft_trans_obj_update(trans)) {\n\t\t\t\tkfree(nft_trans_obj_newobj(trans));\n\t\t\t\tnft_trans_destroy(trans);\n\t\t\t} else {\n\t\t\t\ttrans->ctx.table->use--;\n\t\t\t\tnft_obj_del(nft_trans_obj(trans));\n\t\t\t}\n\t\t\tbreak;\n\t\tcase NFT_MSG_DELOBJ:\n\t\t\ttrans->ctx.table->use++;\n\t\t\tnft_clear(trans->ctx.net, nft_trans_obj(trans));\n\t\t\tnft_trans_destroy(trans);\n\t\t\tbreak;\n\t\tcase NFT_MSG_NEWFLOWTABLE:\n\t\t\tif (nft_trans_flowtable_update(trans)) {\n\t\t\t\tnft_unregister_flowtable_net_hooks(net,\n\t\t\t\t\t\t&nft_trans_flowtable_hooks(trans));\n\t\t\t} else {\n\t\t\t\ttrans->ctx.table->use--;\n\t\t\t\tlist_del_rcu(&nft_trans_flowtable(trans)->list);\n\t\t\t\tnft_unregister_flowtable_net_hooks(net,\n\t\t\t\t\t\t&nft_trans_flowtable(trans)->hook_list);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase NFT_MSG_DELFLOWTABLE:\n\t\t\tif (nft_trans_flowtable_update(trans)) {\n\t\t\t\tlist_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)\n\t\t\t\t\thook->inactive = false;\n\t\t\t} else {\n\t\t\t\ttrans->ctx.table->use++;\n\t\t\t\tnft_clear(trans->ctx.net, nft_trans_flowtable(trans));\n\t\t\t}\n\t\t\tnft_trans_destroy(trans);\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tsynchronize_rcu();\n\n\tlist_for_each_entry_safe_reverse(trans, next,\n\t\t\t\t\t &nft_net->commit_list, list) {\n\t\tlist_del(&trans->list);\n\t\tnf_tables_abort_release(trans);\n\t}\n\n\tif (action == NFNL_ABORT_AUTOLOAD)\n\t\tnf_tables_module_autoload(net);\n\telse\n\t\tnf_tables_module_autoload_cleanup(net);\n\n\treturn 
0;\n}", "project": "linux", "hash": 331598992669868464207711486126987490386, "size": 157, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328391 }, { "func": "static void ov519_mode_init_regs(struct sd *sd)\n{\n\tstatic const struct ov_regvals mode_init_519_ov7670[] = {\n\t\t{ 0x5d,\t0x03 }, /* Turn off suspend mode */\n\t\t{ 0x53,\t0x9f }, /* was 9b in 1.65-1.08 */\n\t\t{ OV519_R54_EN_CLK1, 0x0f }, /* bit2 (jpeg enable) */\n\t\t{ 0xa2,\t0x20 }, /* a2-a5 are undocumented */\n\t\t{ 0xa3,\t0x18 },\n\t\t{ 0xa4,\t0x04 },\n\t\t{ 0xa5,\t0x28 },\n\t\t{ 0x37,\t0x00 },\t/* SetUsbInit */\n\t\t{ 0x55,\t0x02 }, /* 4.096 Mhz audio clock */\n\t\t/* Enable both fields, YUV Input, disable defect comp (why?) 
*/\n\t\t{ 0x20,\t0x0c },\n\t\t{ 0x21,\t0x38 },\n\t\t{ 0x22,\t0x1d },\n\t\t{ 0x17,\t0x50 }, /* undocumented */\n\t\t{ 0x37,\t0x00 }, /* undocumented */\n\t\t{ 0x40,\t0xff }, /* I2C timeout counter */\n\t\t{ 0x46,\t0x00 }, /* I2C clock prescaler */\n\t\t{ 0x59,\t0x04 },\t/* new from windrv 090403 */\n\t\t{ 0xff,\t0x00 }, /* undocumented */\n\t\t/* windows reads 0x55 at this point, why? */\n\t};\n\n\tstatic const struct ov_regvals mode_init_519[] = {\n\t\t{ 0x5d,\t0x03 }, /* Turn off suspend mode */\n\t\t{ 0x53,\t0x9f }, /* was 9b in 1.65-1.08 */\n\t\t{ OV519_R54_EN_CLK1, 0x0f }, /* bit2 (jpeg enable) */\n\t\t{ 0xa2,\t0x20 }, /* a2-a5 are undocumented */\n\t\t{ 0xa3,\t0x18 },\n\t\t{ 0xa4,\t0x04 },\n\t\t{ 0xa5,\t0x28 },\n\t\t{ 0x37,\t0x00 },\t/* SetUsbInit */\n\t\t{ 0x55,\t0x02 }, /* 4.096 Mhz audio clock */\n\t\t/* Enable both fields, YUV Input, disable defect comp (why?) */\n\t\t{ 0x22,\t0x1d },\n\t\t{ 0x17,\t0x50 }, /* undocumented */\n\t\t{ 0x37,\t0x00 }, /* undocumented */\n\t\t{ 0x40,\t0xff }, /* I2C timeout counter */\n\t\t{ 0x46,\t0x00 }, /* I2C clock prescaler */\n\t\t{ 0x59,\t0x04 },\t/* new from windrv 090403 */\n\t\t{ 0xff,\t0x00 }, /* undocumented */\n\t\t/* windows reads 0x55 at this point, why? 
*/\n\t};\n\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\n\t/******** Set the mode ********/\n\tswitch (sd->sensor) {\n\tdefault:\n\t\twrite_regvals(sd, mode_init_519, ARRAY_SIZE(mode_init_519));\n\t\tif (sd->sensor == SEN_OV7640 ||\n\t\t sd->sensor == SEN_OV7648) {\n\t\t\t/* Select 8-bit input mode */\n\t\t\treg_w_mask(sd, OV519_R20_DFR, 0x10, 0x10);\n\t\t}\n\t\tbreak;\n\tcase SEN_OV7660:\n\t\treturn;\t\t/* done by ov519_set_mode/fr() */\n\tcase SEN_OV7670:\n\t\twrite_regvals(sd, mode_init_519_ov7670,\n\t\t\t\tARRAY_SIZE(mode_init_519_ov7670));\n\t\tbreak;\n\t}\n\n\treg_w(sd, OV519_R10_H_SIZE,\tsd->gspca_dev.pixfmt.width >> 4);\n\treg_w(sd, OV519_R11_V_SIZE,\tsd->gspca_dev.pixfmt.height >> 3);\n\tif (sd->sensor == SEN_OV7670 &&\n\t sd->gspca_dev.cam.cam_mode[sd->gspca_dev.curr_mode].priv)\n\t\treg_w(sd, OV519_R12_X_OFFSETL, 0x04);\n\telse if (sd->sensor == SEN_OV7648 &&\n\t sd->gspca_dev.cam.cam_mode[sd->gspca_dev.curr_mode].priv)\n\t\treg_w(sd, OV519_R12_X_OFFSETL, 0x01);\n\telse\n\t\treg_w(sd, OV519_R12_X_OFFSETL, 0x00);\n\treg_w(sd, OV519_R13_X_OFFSETH,\t0x00);\n\treg_w(sd, OV519_R14_Y_OFFSETL,\t0x00);\n\treg_w(sd, OV519_R15_Y_OFFSETH,\t0x00);\n\treg_w(sd, OV519_R16_DIVIDER,\t0x00);\n\treg_w(sd, OV519_R25_FORMAT,\t0x03); /* YUV422 */\n\treg_w(sd, 0x26,\t\t\t0x00); /* Undocumented */\n\n\t/******** Set the framerate ********/\n\tif (frame_rate > 0)\n\t\tsd->frame_rate = frame_rate;\n\n/* FIXME: These are only valid at the max resolution. 
*/\n\tsd->clockdiv = 0;\n\tswitch (sd->sensor) {\n\tcase SEN_OV7640:\n\tcase SEN_OV7648:\n\t\tswitch (sd->frame_rate) {\n\t\tdefault:\n/*\t\tcase 30: */\n\t\t\treg_w(sd, 0xa4, 0x0c);\n\t\t\treg_w(sd, 0x23, 0xff);\n\t\t\tbreak;\n\t\tcase 25:\n\t\t\treg_w(sd, 0xa4, 0x0c);\n\t\t\treg_w(sd, 0x23, 0x1f);\n\t\t\tbreak;\n\t\tcase 20:\n\t\t\treg_w(sd, 0xa4, 0x0c);\n\t\t\treg_w(sd, 0x23, 0x1b);\n\t\t\tbreak;\n\t\tcase 15:\n\t\t\treg_w(sd, 0xa4, 0x04);\n\t\t\treg_w(sd, 0x23, 0xff);\n\t\t\tsd->clockdiv = 1;\n\t\t\tbreak;\n\t\tcase 10:\n\t\t\treg_w(sd, 0xa4, 0x04);\n\t\t\treg_w(sd, 0x23, 0x1f);\n\t\t\tsd->clockdiv = 1;\n\t\t\tbreak;\n\t\tcase 5:\n\t\t\treg_w(sd, 0xa4, 0x04);\n\t\t\treg_w(sd, 0x23, 0x1b);\n\t\t\tsd->clockdiv = 1;\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\tcase SEN_OV8610:\n\t\tswitch (sd->frame_rate) {\n\t\tdefault:\t/* 15 fps */\n/*\t\tcase 15: */\n\t\t\treg_w(sd, 0xa4, 0x06);\n\t\t\treg_w(sd, 0x23, 0xff);\n\t\t\tbreak;\n\t\tcase 10:\n\t\t\treg_w(sd, 0xa4, 0x06);\n\t\t\treg_w(sd, 0x23, 0x1f);\n\t\t\tbreak;\n\t\tcase 5:\n\t\t\treg_w(sd, 0xa4, 0x06);\n\t\t\treg_w(sd, 0x23, 0x1b);\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\tcase SEN_OV7670:\t\t/* guesses, based on 7640 */\n\t\tgspca_dbg(gspca_dev, D_STREAM, \"Setting framerate to %d fps\\n\",\n\t\t\t (sd->frame_rate == 0) ? 
15 : sd->frame_rate);\n\t\treg_w(sd, 0xa4, 0x10);\n\t\tswitch (sd->frame_rate) {\n\t\tcase 30:\n\t\t\treg_w(sd, 0x23, 0xff);\n\t\t\tbreak;\n\t\tcase 20:\n\t\t\treg_w(sd, 0x23, 0x1b);\n\t\t\tbreak;\n\t\tdefault:\n/*\t\tcase 15: */\n\t\t\treg_w(sd, 0x23, 0xff);\n\t\t\tsd->clockdiv = 1;\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 248797853930512952352475914978354442190, "size": 160, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306297 }, { "func": "bool test_r_str_replace(void) {\n\t// infinite loop test\n\tchar *str = r_str_replace (strdup (\"hello world\"), \"hell\", \"ihell\", 0);\n\tmu_assert_streq (str, \"ihello world\", \"error, replace char multi failed\");\n\tfree (str);\n\n\tstr = r_str_replace (strdup (\"hello world\"), \"hell\", \"ihell\", 1);\n\tmu_assert_streq (str, \"ihello world\", \"error, replace char multi failed\");\n\tfree (str);\n\n\tstr = r_str_replace (strdup (\"hello world\"), \"hello\", \"\", 1);\n\tmu_assert_streq (str, \" world\", \"error, replace char multi failed\");\n\tfree (str);\n\n\tstr = r_str_replace (strdup (\"hello world\"), \"h\", \"hello\", 0);\n\tmu_assert_streq (str, \"helloello world\", \"error, replace char multi failed\");\n\tfree (str);\n\n\tstr = r_str_replace 
(strdup (\"hello horld\"), \"h\", \"hello\", 1);\n\tmu_assert_streq (str, \"helloello helloorld\", \"error, replace char multi failed\");\n\tfree (str);\n\tstr = r_str_replace (strdup (\"hello horld\"), \"h\", \"hello\", 0);\n\tmu_assert_streq (str, \"helloello horld\", \"error, replace char multi failed\");\n\tfree (str);\n\tmu_end;\n}", "project": "radare2", "hash": 309598697646575964965521587795518868922, "size": 26, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268860 }, { "func": "static int SLCount(struct script_record *sr) {\n int sl_cnt = 0;\n int i,j;\n\n for ( i=0; sr[i].script!=0; ++i ) {\n\tfor ( j=0; sr[i].langs[j]!=0; ++j )\n\t ++sl_cnt;\n }\nreturn( sl_cnt );\n}", "project": "fontforge", "hash": 211083015321129707737210097525492488114, "size": 10, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417908 }, { "func": "static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)\n{\n\tint ret;\n\tu32 size = hid_report_len(report);\n\tu8 *buf;\n\n\t/*\n\t * Do not fetch the feature report if the device has been explicitly\n\t * marked as non-capable.\n\t */\n\tif (hdev->quirks & HID_QUIRK_NO_INIT_REPORTS)\n\t\treturn;\n\n\tbuf = hid_alloc_report_buf(report, GFP_KERNEL);\n\tif (!buf)\n\t\treturn;\n\n\tret = hid_hw_raw_request(hdev, report->id, buf, size,\n\t\t\t\t HID_FEATURE_REPORT, HID_REQ_GET_REPORT);\n\tif (ret < 0) {\n\t\tdev_warn(&hdev->dev, \"failed to fetch feature %d\\n\",\n\t\t\t 
report->id);\n\t} else {\n\t\tret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf,\n\t\t\t\t\t size, 0);\n\t\tif (ret)\n\t\t\tdev_warn(&hdev->dev, \"failed to report feature\\n\");\n\t}\n\n\tkfree(buf);\n}", "project": "linux", "hash": 186662286966934137307167506717207453728, "size": 31, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458409 }, { "func": "static void nf_tables_flowtable_notify(struct nft_ctx *ctx,\n\t\t\t\t struct nft_flowtable *flowtable,\n\t\t\t\t struct list_head *hook_list,\n\t\t\t\t int event)\n{\n\tstruct nftables_pernet *nft_net = nft_pernet(ctx->net);\n\tstruct sk_buff *skb;\n\tint err;\n\n\tif (!ctx->report &&\n\t !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))\n\t\treturn;\n\n\tskb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);\n\tif (skb == NULL)\n\t\tgoto err;\n\n\terr = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,\n\t\t\t\t\t ctx->seq, event, 0,\n\t\t\t\t\t ctx->family, flowtable, hook_list);\n\tif (err < 0) {\n\t\tkfree_skb(skb);\n\t\tgoto err;\n\t}\n\n\tnft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);\n\treturn;\nerr:\n\tnfnetlink_set_err(ctx->net, 
ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);\n}", "project": "linux", "hash": 83191711465014022768579076026299362632, "size": 30, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? 
nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328376 }, { "func": "static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_cp_le_del_from_white_list *sent;\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);\n\tif (!sent)\n\t\treturn;\n\n\thci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,\n\t\t\t sent->bdaddr_type);\n}", "project": "linux", "hash": 128290453503878222264087101101150564477, "size": 18, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432017 }, { "func": "LUA_API int lua_setcstacklimit (lua_State *L, unsigned int limit) {\n global_State *g = G(L);\n int ccalls;\n luaE_freeCI(L); /* release unused CIs */\n ccalls = getCcalls(L);\n if (limit >= 40000)\n return 0; /* out of bounds */\n limit += CSTACKERR;\n if (L != g-> mainthread)\n return 0; /* only main thread can change the C stack */\n else if (ccalls <= CSTACKERR)\n return 0; /* handling overflow */\n else {\n int diff = limit - g->Cstacklimit;\n if (ccalls + diff <= CSTACKERR)\n return 0; /* new limit would cause an overflow */\n g->Cstacklimit = limit; /* set new limit */\n L->nCcalls += diff; /* correct 'nCcalls' */\n return limit - diff - CSTACKERR; /* success; return previous limit */\n }\n}", "project": "lua", "hash": 159101277889676543764874820822851918056, "size": 21, "commit_id": "a2195644d89812e5b157ce7bac35543e06db05e3", "message": "Fixed bug: invalid 'oldpc' when returning to a function\n\nThe field 'L->oldpc' is not always updated when control returns to a\nfunction; an invalid value can seg. fault when computing 'changedline'.\n(One example is an error in a finalizer; control can return to\n'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to\nfix all possible corner cases, it seems safer to be resilient to invalid\nvalues for 'oldpc'. 
Valid but wrong values at most cause an extra call\nto a line hook.", "target": 0, "dataset": "other", "idx": 462780 }, { "func": "void fuse_sync_release(struct fuse_inode *fi, struct fuse_file *ff, int flags)\n{\n\tWARN_ON(refcount_read(&ff->count) > 1);\n\tfuse_prepare_release(fi, ff, flags, FUSE_RELEASE);\n\t/*\n\t * iput(NULL) is a no-op and since the refcount is 1 and everything's\n\t * synchronous, we are fine with not doing igrab() here\"\n\t */\n\tfuse_file_put(ff, true, false);\n}", "project": "linux", "hash": 78786232833345023330358574949244955342, "size": 10, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342002 }, { "func": "bool ethereum_isStandardERC20Transfer(const EthereumSignTx *msg) {\n if (msg->has_to && msg->to.size == 20 && msg->value.size == 0 &&\n msg->data_initial_chunk.size == 68 &&\n memcmp(msg->data_initial_chunk.bytes,\n \"\\xa9\\x05\\x9c\\xbb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\",\n 16) == 0) {\n return true;\n }\n return false;\n}", "project": "keepkey-firmware", "hash": 149824564449201129463334210969992060418, "size": 10, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220875 }, { "func": "const char* ExpressionBinarySize::getOpName() const {\n return \"$binarySize\";\n}", "project": "mongo", "hash": 58663208023515025297997039439060690734, "size": 3, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370045 }, { "func": "const char* ExpressionLast::getOpName() const {\n return \"$last\";\n}", "project": "mongo", "hash": 216760605097340390952923854155547467844, "size": 3, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370052 }, { "func": "const char* ExpressionFirst::getOpName() const {\n return \"$first\";\n}", "project": "mongo", "hash": 27474929426888351110021665410017484306, "size": 3, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370058 }, { "func": "const char* ExpressionRandom::getOpName() 
const {\n return \"$rand\";\n}", "project": "mongo", "hash": 135459898714150320757397142510561499570, "size": 3, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370097 }, { "func": "static inline bool tcp_paws_reject(const struct tcp_options_received *rx_opt,\n\t\t\t\t int rst)\n{\n\tif (tcp_paws_check(rx_opt, 0))\n\t\treturn false;\n\n\t/* RST segments are not recommended to carry timestamp,\n\t and, if they do, it is recommended to ignore PAWS because\n\t \"their cleanup function should take precedence over timestamps.\"\n\t Certainly, it is mistake. It is necessary to understand the reasons\n\t of this constraint to relax it: if peer reboots, clock may go\n\t out-of-sync and half-open connections will not be reset.\n\t Actually, the problem would be not existing if all\n\t the implementations followed draft about maintaining clock\n\t via reboots. Linux-2.2 DOES NOT!\n\n\t However, we can relax time bounds for RST segments to MSL.\n\t */\n\tif (rst && get_seconds() >= rx_opt->ts_recent_stamp + TCP_PAWS_MSL)\n\t\treturn false;\n\treturn true;\n}", "project": "linux", "hash": 36512795407272233163525206646631545275, "size": 22, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. 
For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410776 }, { "func": "int bcf_hdr_set(bcf_hdr_t *hdr, const char *fname)\n{\n int i = 0, n = 0, save_errno;\n char **lines = hts_readlines(fname, &n);\n if ( !lines ) return 1;\n for (i=0; iarch.pfault_token == KVM_S390_PFAULT_TOKEN_INVALID)\n\t\treturn 0;\n\tif ((vcpu->arch.sie_block->gpsw.mask & vcpu->arch.pfault_select) !=\n\t vcpu->arch.pfault_compare)\n\t\treturn 0;\n\tif (psw_extint_disabled(vcpu))\n\t\treturn 0;\n\tif (kvm_s390_vcpu_has_irq(vcpu, 0))\n\t\treturn 0;\n\tif (!(vcpu->arch.sie_block->gcr[0] & CR0_SERVICE_SIGNAL_SUBMASK))\n\t\treturn 0;\n\tif (!vcpu->arch.gmap->pfault_enabled)\n\t\treturn 0;\n\n\thva = gfn_to_hva(vcpu->kvm, gpa_to_gfn(current->thread.gmap_addr));\n\thva += current->thread.gmap_addr & ~PAGE_MASK;\n\tif (read_guest_real(vcpu, vcpu->arch.pfault_token, &arch.pfault_token, 8))\n\t\treturn 0;\n\n\trc = kvm_setup_async_pf(vcpu, current->thread.gmap_addr, hva, &arch);\n\treturn rc;\n}", "project": "linux", "hash": 111706299555522172586583005392669060760, "size": 28, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the 
caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354555 }, { "func": "static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,\n\t\t\t\t\t\t unsigned int alloc)\n{\n\tif (alloc > INT_MAX)\n\t\treturn NULL;\n\n\talloc += 1;\t/* NULL, ends rules */\n\tif (sizeof(struct nft_rule *) > INT_MAX / alloc)\n\t\treturn NULL;\n\n\talloc *= sizeof(struct nft_rule *);\n\talloc += sizeof(struct nft_rules_old);\n\n\treturn kvmalloc(alloc, GFP_KERNEL);\n}", "project": "linux", "hash": 170194615561717014446342523474921993208, "size": 15, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? 
nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328378 }, { "func": "static inline int ep_cmp_ffd(struct epoll_filefd *p1,\n\t\t\t struct epoll_filefd *p2)\n{\n\treturn (p1->file > p2->file ? +1:\n\t (p1->file < p2->file ? -1 : p1->fd - p2->fd));\n}", "project": "linux", "hash": 194314094547196058639920970904288448164, "size": 6, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336273 }, { "func": "static int packet_rcv_spkt(struct sk_buff *skb, struct net_device *dev,\n\t\t\t struct packet_type *pt, struct net_device *orig_dev)\n{\n\tstruct sock *sk;\n\tstruct sockaddr_pkt *spkt;\n\n\t/*\n\t *\tWhen we registered the protocol we saved the socket in the data\n\t *\tfield for just this event.\n\t */\n\n\tsk = pt->af_packet_priv;\n\n\t/*\n\t *\tYank back the headers [hope the device set this\n\t *\tright or kerboom...]\n\t *\n\t *\tIncoming packets have ll header pulled,\n\t *\tpush it back.\n\t *\n\t *\tFor outgoing ones skb->data == skb_mac_header(skb)\n\t *\tso that this procedure is noop.\n\t */\n\n\tif (skb->pkt_type == PACKET_LOOPBACK)\n\t\tgoto out;\n\n\tif (!net_eq(dev_net(dev), sock_net(sk)))\n\t\tgoto out;\n\n\tskb = skb_share_check(skb, GFP_ATOMIC);\n\tif (skb == NULL)\n\t\tgoto oom;\n\n\t/* drop any routing info */\n\tskb_dst_drop(skb);\n\n\t/* drop conntrack reference */\n\tnf_reset_ct(skb);\n\n\tspkt = &PACKET_SKB_CB(skb)->sa.pkt;\n\n\tskb_push(skb, skb->data - skb_mac_header(skb));\n\n\t/*\n\t *\tThe SOCK_PACKET socket receives _all_ frames.\n\t 
*/\n\n\tspkt->spkt_family = dev->type;\n\tstrlcpy(spkt->spkt_device, dev->name, sizeof(spkt->spkt_device));\n\tspkt->spkt_protocol = skb->protocol;\n\n\t/*\n\t *\tCharge the memory to the socket. This is done specifically\n\t *\tto prevent sockets using all the memory up.\n\t */\n\n\tif (sock_queue_rcv_skb(sk, skb) == 0)\n\t\treturn 0;\n\nout:\n\tkfree_skb(skb);\noom:\n\treturn 0;\n}", "project": "linux", "hash": 97048306256492539837615726767839381483, "size": 65, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330401 }, { "func": "int headerAddI18NString(Header h, rpmTagVal tag, const char * string,\n\t\tconst char * lang)\n{\n indexEntry table, entry;\n const char ** strArray;\n int length;\n int ghosts;\n rpm_count_t i, langNum;\n char * buf;\n\n table = findEntry(h, RPMTAG_HEADERI18NTABLE, RPM_STRING_ARRAY_TYPE);\n entry = findEntry(h, tag, RPM_I18NSTRING_TYPE);\n\n if (!table && entry)\n\treturn 0;\t\t/* this shouldn't ever happen!! 
*/\n\n if (!table && !entry) {\n\tconst char * charArray[2];\n\trpm_count_t count = 0;\n\tstruct rpmtd_s td;\n\tif (!lang || (lang[0] == 'C' && lang[1] == '\\0')) {\n\t charArray[count++] = \"C\";\n\t} else {\n\t charArray[count++] = \"C\";\n\t charArray[count++] = lang;\n\t}\n\t\n\trpmtdReset(&td);\n\ttd.tag = RPMTAG_HEADERI18NTABLE;\n\ttd.type = RPM_STRING_ARRAY_TYPE;\n\ttd.data = (void *) charArray;\n\ttd.count = count;\n\tif (!headerPut(h, &td, HEADERPUT_DEFAULT))\n\t return 0;\n\ttable = findEntry(h, RPMTAG_HEADERI18NTABLE, RPM_STRING_ARRAY_TYPE);\n }\n\n if (!table)\n\treturn 0;\n if (!lang) lang = \"C\";\n\n {\tconst char * l = table->data;\n\tfor (langNum = 0; langNum < table->info.count; langNum++) {\n\t if (rstreq(l, lang)) break;\n\t l += strlen(l) + 1;\n\t}\n }\n\n if (langNum >= table->info.count) {\n\tlength = strlen(lang) + 1;\n\tif (ENTRY_IN_REGION(table)) {\n\t char * t = xmalloc(table->length + length);\n\t memcpy(t, table->data, table->length);\n\t table->data = t;\n\t table->info.offset = 0;\n\t} else\n\t table->data = xrealloc(table->data, table->length + length);\n\tmemmove(((char *)table->data) + table->length, lang, length);\n\ttable->length += length;\n\ttable->info.count++;\n }\n\n if (!entry) {\n\tint rc;\n\tstruct rpmtd_s td;\n\tstrArray = xmalloc(sizeof(*strArray) * (langNum + 1));\n\tfor (i = 0; i < langNum; i++)\n\t strArray[i] = \"\";\n\tstrArray[langNum] = string;\n\n\trpmtdReset(&td);\n\ttd.tag = tag;\n\ttd.type = RPM_I18NSTRING_TYPE;\n\ttd.data = strArray;\n\ttd.count = langNum + 1;\n\trc = headerPut(h, &td, HEADERPUT_DEFAULT);\n\tfree(strArray);\n\treturn rc;\n } else if (langNum >= entry->info.count) {\n\tghosts = langNum - entry->info.count;\n\t\n\tlength = strlen(string) + 1 + ghosts;\n\tif (ENTRY_IN_REGION(entry)) {\n\t char * t = xmalloc(entry->length + length);\n\t memcpy(t, entry->data, entry->length);\n\t entry->data = t;\n\t entry->info.offset = 0;\n\t} else\n\t entry->data = xrealloc(entry->data, entry->length + 
length);\n\n\tmemset(((char *)entry->data) + entry->length, '\\0', ghosts);\n\tmemmove(((char *)entry->data) + entry->length + ghosts, string, strlen(string)+1);\n\n\tentry->length += length;\n\tentry->info.count = langNum + 1;\n } else {\n\tchar *b, *be, *e, *ee, *t;\n\tsize_t bn, sn, en;\n\n\t/* Set beginning/end pointers to previous data */\n\tb = be = e = ee = entry->data;\n\tfor (i = 0; i < table->info.count; i++) {\n\t if (i == langNum)\n\t\tbe = ee;\n\t ee += strlen(ee) + 1;\n\t if (i == langNum)\n\t\te = ee;\n\t}\n\n\t/* Get storage for new buffer */\n\tbn = (be-b);\n\tsn = strlen(string) + 1;\n\ten = (ee-e);\n\tlength = bn + sn + en;\n\tt = buf = xmalloc(length);\n\n\t/* Copy values into new storage */\n\tmemcpy(t, b, bn);\n\tt += bn;\n\tmemcpy(t, string, sn);\n\tt += sn;\n\tmemcpy(t, e, en);\n\tt += en;\n\n\t/* Replace i18N string array */\n\tentry->length -= strlen(be) + 1;\n\tentry->length += sn;\n\t\n\tif (ENTRY_IN_REGION(entry)) {\n\t entry->info.offset = 0;\n\t} else\n\t entry->data = _free(entry->data);\n\tentry->data = buf;\n }\n\n return 0;\n}", "project": "rpm", "hash": 229734753014982108409269460418047592724, "size": 137, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318170 }, { "func": "tcp::endpoint parse_endpoint(boost::asio::string_view input,\n unsigned short default_port,\n boost::system::error_code& ec)\n{\n tcp::endpoint endpoint;\n\n if (input.empty()) {\n ec = boost::asio::error::invalid_argument;\n return endpoint;\n }\n\n if (input[0] == '[') { // ipv6\n const size_t addr_begin = 1;\n const size_t addr_end = input.find(']');\n if (addr_end == input.npos) { // no matching ]\n ec = boost::asio::error::invalid_argument;\n return endpoint;\n }\n if (addr_end + 1 < input.size()) {\n // :port must must follow [ipv6]\n if (input[addr_end + 1] != ':') {\n 
ec = boost::asio::error::invalid_argument;\n return endpoint;\n } else {\n auto port_str = input.substr(addr_end + 2);\n endpoint.port(parse_port(port_str.data(), ec));\n }\n } else {\n endpoint.port(default_port);\n }\n auto addr = input.substr(addr_begin, addr_end - addr_begin);\n endpoint.address(boost::asio::ip::make_address_v6(addr, ec));\n } else { // ipv4\n auto colon = input.find(':');\n if (colon != input.npos) {\n auto port_str = input.substr(colon + 1);\n endpoint.port(parse_port(port_str.data(), ec));\n if (ec) {\n return endpoint;\n }\n } else {\n endpoint.port(default_port);\n }\n auto addr = input.substr(0, colon);\n endpoint.address(boost::asio::ip::make_address_v4(addr, ec));\n }\n return endpoint;\n}", "project": "ceph", "hash": 315324189109878588657270778206329145184, "size": 48, "commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves CVE-2020-1700 (moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384541 }, { "func": "static ssize_t partial_show(struct kmem_cache *s, char *buf)\n{\n\treturn show_slab_objects(s, buf, SO_PARTIAL);\n}", "project": "linux", "hash": 82314046791431247311080494336875427182, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280242 }, { "func": "static void printoption(struct Curl_easy *data,\n const char *direction, int cmd, int option)\n{\n if(data->set.verbose) {\n if(cmd == CURL_IAC) {\n if(CURL_TELCMD_OK(option))\n infof(data, \"%s IAC %s\\n\", direction, CURL_TELCMD(option));\n else\n infof(data, \"%s IAC %d\\n\", direction, option);\n }\n else {\n const char *fmt = (cmd == CURL_WILL) ? \"WILL\" :\n (cmd == CURL_WONT) ? \"WONT\" :\n (cmd == CURL_DO) ? \"DO\" :\n (cmd == CURL_DONT) ? \"DONT\" : 0;\n if(fmt) {\n const char *opt;\n if(CURL_TELOPT_OK(option))\n opt = CURL_TELOPT(option);\n else if(option == CURL_TELOPT_EXOPL)\n opt = \"EXOPL\";\n else\n opt = NULL;\n\n if(opt)\n infof(data, \"%s %s %s\\n\", direction, fmt, opt);\n else\n infof(data, \"%s %s %d\\n\", direction, fmt, option);\n }\n else\n infof(data, \"%s %d %d\\n\", direction, cmd, option);\n }\n }\n}", "project": "curl", "hash": 330940035035204989493358016740294016112, "size": 34, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 0, "dataset": "other", "idx": 481487 }, { "func": "static int insert_key(\n\tsc_pkcs15_card_t *p15card,\n\tconst char *path,\n\tunsigned char id,\n\tunsigned char key_reference,\n\tint key_length,\n\tunsigned char auth_id,\n\tconst char *label\n)\n{\n\tsc_card_t *card = p15card->card;\n\tsc_context_t *ctx = p15card->card->ctx;\n\tsc_file_t *f;\n\tstruct sc_pkcs15_prkey_info prkey_info;\n\tstruct sc_pkcs15_object prkey_obj;\n\tint r, 
can_sign, can_crypt;\n\n\tmemset(&prkey_info, 0, sizeof(prkey_info));\n\tprkey_info.id.len = 1;\n\tprkey_info.id.value[0] = id;\n\tprkey_info.native = 1;\n\tprkey_info.key_reference = key_reference;\n\tprkey_info.modulus_length = key_length;\n\tsc_format_path(path, &prkey_info.path);\n\n\tmemset(&prkey_obj, 0, sizeof(prkey_obj));\n\tstrlcpy(prkey_obj.label, label, sizeof(prkey_obj.label));\n\tprkey_obj.flags = SC_PKCS15_CO_FLAG_PRIVATE;\n\tprkey_obj.auth_id.len = 1;\n\tprkey_obj.auth_id.value[0] = auth_id;\n\n\tcan_sign = can_crypt = 0;\n\tif (card->type == SC_CARD_TYPE_TCOS_V3) {\n\t\tunsigned char buf[256];\n\t\tint i, rec_no = 0;\n\t\tif (prkey_info.path.len >= 2)\n\t\t\tprkey_info.path.len -= 2;\n\t\tsc_append_file_id(&prkey_info.path, 0x5349);\n\t\tif (sc_select_file(card, &prkey_info.path, NULL) != SC_SUCCESS) {\n\t\t\tsc_log(ctx, \n\t\t\t\t\"Select(%s) failed\\n\",\n\t\t\t\tsc_print_path(&prkey_info.path));\n\t\t\treturn 1;\n\t\t}\n\t\tsc_log(ctx, \n\t\t\t\"Searching for Key-Ref %02X\\n\", key_reference);\n\t\twhile ((r = sc_read_record(card, ++rec_no, buf, sizeof(buf), SC_RECORD_BY_REC_NR)) > 0) {\n\t\t\tint found = 0;\n\t\t\tif (buf[0] != 0xA0 || r < 2)\n\t\t\t\tcontinue;\n\t\t\tfor (i = 2; i < buf[1] + 2 && i < r - 2; i += 2 + buf[i + 1]) {\n\t\t\t\tif (buf[i] == 0x83 && buf[i + 1] == 1 && buf[i + 2] == key_reference)\n\t\t\t\t\t++found;\n\t\t\t}\n\t\t\tif (found)\n\t\t\t\tbreak;\n\t\t}\n\t\tif (r <= 0) {\n\t\t\tsc_log(ctx, \"No EF_KEYD-Record found\\n\");\n\t\t\treturn 1;\n\t\t}\n\t\tfor (i = 0; i < r; i += 2 + buf[i + 1]) {\n\t\t\tif (buf[i] == 0xB6)\n\t\t\t\tcan_sign++;\n\t\t\tif (buf[i] == 0xB8)\n\t\t\t\tcan_crypt++;\n\t\t}\n\t} else {\n\t\tif (sc_select_file(card, &prkey_info.path, &f) != SC_SUCCESS\n\t\t\t \t|| !f->prop_attr || f->prop_attr_len < 2){\n\t\t\tsc_log(ctx, \n\t\t\t\t\"Select(%s) failed\\n\",\n\t\t\t\tsc_print_path(&prkey_info.path));\n\t\t\tsc_file_free(f);\n\t\t\treturn 1;\n\t\t}\n\t\tif (f->prop_attr[1] & 0x04)\n\t\t\tcan_crypt = 
1;\n\t\tif (f->prop_attr[1] & 0x08)\n\t\t\tcan_sign = 1;\n\t\tsc_file_free(f);\n\t}\n\tprkey_info.usage = SC_PKCS15_PRKEY_USAGE_SIGN;\n\tif (can_crypt)\n\t\tprkey_info.usage |= SC_PKCS15_PRKEY_USAGE_ENCRYPT | SC_PKCS15_PRKEY_USAGE_DECRYPT;\n\tif (can_sign)\n\t\tprkey_info.usage |= SC_PKCS15_PRKEY_USAGE_NONREPUDIATION;\n\n\tr = sc_pkcs15emu_add_rsa_prkey(p15card, &prkey_obj, &prkey_info);\n\tif(r != SC_SUCCESS) {\n\t\tsc_log(ctx, \"sc_pkcs15emu_add_rsa_prkey(%s) failed\\n\", path);\n\t\treturn 4;\n\t}\n\tsc_log(ctx, \"%s: OK%s%s\\n\", path, can_sign ? \", Sign\" : \"\", can_crypt ? \", Crypt\" : \"\");\n\treturn 0;\n}", "project": "OpenSC", "hash": 215523050943564995586301589122098835745, "size": 96, "commit_id": "78cdab949f098ad7e593d853229fccf57d749d0c", "message": "tcos: prevent out of bounds read\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27719", "target": 1, "dataset": "other", "idx": 197025 }, { "func": "static int insert_key(\n\tsc_pkcs15_card_t *p15card,\n\tconst char *path,\n\tunsigned char id,\n\tunsigned char key_reference,\n\tint key_length,\n\tunsigned char auth_id,\n\tconst char *label\n)\n{\n\tsc_card_t *card = p15card->card;\n\tsc_context_t *ctx = p15card->card->ctx;\n\tsc_file_t *f;\n\tstruct sc_pkcs15_prkey_info prkey_info;\n\tstruct sc_pkcs15_object prkey_obj;\n\tint r, can_sign, can_crypt;\n\n\tmemset(&prkey_info, 0, sizeof(prkey_info));\n\tprkey_info.id.len = 1;\n\tprkey_info.id.value[0] = id;\n\tprkey_info.native = 1;\n\tprkey_info.key_reference = key_reference;\n\tprkey_info.modulus_length = key_length;\n\tsc_format_path(path, &prkey_info.path);\n\n\tmemset(&prkey_obj, 0, sizeof(prkey_obj));\n\tstrlcpy(prkey_obj.label, label, sizeof(prkey_obj.label));\n\tprkey_obj.flags = SC_PKCS15_CO_FLAG_PRIVATE;\n\tprkey_obj.auth_id.len = 1;\n\tprkey_obj.auth_id.value[0] = auth_id;\n\n\tcan_sign = can_crypt = 0;\n\tif (card->type == SC_CARD_TYPE_TCOS_V3) {\n\t\tunsigned char buf[256];\n\t\tint i, rec_no = 0;\n\t\tif 
(prkey_info.path.len >= 2)\n\t\t\tprkey_info.path.len -= 2;\n\t\tsc_append_file_id(&prkey_info.path, 0x5349);\n\t\tif (sc_select_file(card, &prkey_info.path, NULL) != SC_SUCCESS) {\n\t\t\tsc_log(ctx, \n\t\t\t\t\"Select(%s) failed\\n\",\n\t\t\t\tsc_print_path(&prkey_info.path));\n\t\t\treturn 1;\n\t\t}\n\t\tsc_log(ctx, \n\t\t\t\"Searching for Key-Ref %02X\\n\", key_reference);\n\t\twhile ((r = sc_read_record(card, ++rec_no, buf, sizeof(buf), SC_RECORD_BY_REC_NR)) > 0) {\n\t\t\tint found = 0;\n\t\t\tif (buf[0] != 0xA0 || r < 2)\n\t\t\t\tcontinue;\n\t\t\tfor (i = 2; i < buf[1] + 2 && i < r - 2; i += 2 + buf[i + 1]) {\n\t\t\t\tif (buf[i] == 0x83 && buf[i + 1] == 1 && buf[i + 2] == key_reference)\n\t\t\t\t\t++found;\n\t\t\t}\n\t\t\tif (found)\n\t\t\t\tbreak;\n\t\t}\n\t\tif (r <= 0) {\n\t\t\tsc_log(ctx, \"No EF_KEYD-Record found\\n\");\n\t\t\treturn 1;\n\t\t}\n\t\tfor (i = 0; i + 1 < r; i += 2 + buf[i + 1]) {\n\t\t\tif (buf[i] == 0xB6)\n\t\t\t\tcan_sign++;\n\t\t\tif (buf[i] == 0xB8)\n\t\t\t\tcan_crypt++;\n\t\t}\n\t} else {\n\t\tif (sc_select_file(card, &prkey_info.path, &f) != SC_SUCCESS\n\t\t\t \t|| !f->prop_attr || f->prop_attr_len < 2){\n\t\t\tsc_log(ctx, \n\t\t\t\t\"Select(%s) failed\\n\",\n\t\t\t\tsc_print_path(&prkey_info.path));\n\t\t\tsc_file_free(f);\n\t\t\treturn 1;\n\t\t}\n\t\tif (f->prop_attr[1] & 0x04)\n\t\t\tcan_crypt = 1;\n\t\tif (f->prop_attr[1] & 0x08)\n\t\t\tcan_sign = 1;\n\t\tsc_file_free(f);\n\t}\n\tprkey_info.usage = SC_PKCS15_PRKEY_USAGE_SIGN;\n\tif (can_crypt)\n\t\tprkey_info.usage |= SC_PKCS15_PRKEY_USAGE_ENCRYPT | SC_PKCS15_PRKEY_USAGE_DECRYPT;\n\tif (can_sign)\n\t\tprkey_info.usage |= SC_PKCS15_PRKEY_USAGE_NONREPUDIATION;\n\n\tr = sc_pkcs15emu_add_rsa_prkey(p15card, &prkey_obj, &prkey_info);\n\tif(r != SC_SUCCESS) {\n\t\tsc_log(ctx, \"sc_pkcs15emu_add_rsa_prkey(%s) failed\\n\", path);\n\t\treturn 4;\n\t}\n\tsc_log(ctx, \"%s: OK%s%s\\n\", path, can_sign ? \", Sign\" : \"\", can_crypt ? 
\", Crypt\" : \"\");\n\treturn 0;\n}", "project": "OpenSC", "hash": 152298900040865108330260205458806798087, "size": 96, "commit_id": "5df913b7f57ad89b9832555d24c08d23a534311e", "message": "tcos: Check bounds in insert_pin()\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383", "target": 0, "dataset": "other", "idx": 243957 }, { "func": "static apr_status_t setup_input(h2_stream *stream) {\n if (stream->input == NULL) {\n int empty = (stream->input_eof \n && (!stream->in_buffer \n || APR_BRIGADE_EMPTY(stream->in_buffer)));\n if (!empty) {\n h2_beam_create(&stream->input, stream->pool, stream->id, \n \"input\", H2_BEAM_OWNER_SEND, 0, \n stream->session->s->timeout);\n h2_beam_send_from(stream->input, stream->pool);\n }\n }\n return APR_SUCCESS;\n}", "project": "httpd", "hash": 105148630079289675267260326829752040117, "size": 14, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284243 }, { "func": "static inline struct fuse_conn *get_fuse_conn(struct inode *inode)\n{\n\treturn get_fuse_mount_super(inode->i_sb)->fc;\n}", "project": "linux", "hash": 143045403651558942209978807095191726151, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341914 }, { "func": "static inline struct fuse_conn *get_fuse_conn_super(struct super_block *sb)\n{\n\treturn get_fuse_mount_super(sb)->fc;\n}", "project": "linux", "hash": 31965575041249677653685307295057140412, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342021 }, { "func": "static inline struct fuse_mount *get_fuse_mount(struct inode *inode)\n{\n\treturn get_fuse_mount_super(inode->i_sb);\n}", "project": "linux", "hash": 255262011036235018408615268637846130591, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342071 }, { "func": "apr_status_t h2_stream_set_request_rec(h2_stream *stream, \n request_rec *r, int eos)\n{\n h2_request *req;\n apr_status_t status;\n\n ap_assert(stream->request == NULL);\n ap_assert(stream->rtmp == NULL);\n if (stream->rst_error) {\n return APR_ECONNRESET;\n }\n status = h2_request_rcreate(&req, stream->pool, r);\n if (status == APR_SUCCESS) {\n ap_log_rerror(APLOG_MARK, APLOG_DEBUG, status, r, \n H2_STRM_LOG(APLOGNO(03058), stream, \n \"set_request_rec %s host=%s://%s%s\"),\n req->method, req->scheme, req->authority, req->path);\n stream->rtmp = req;\n /* simulate the frames that led to this */\n return h2_stream_recv_frame(stream, NGHTTP2_HEADERS, \n NGHTTP2_FLAG_END_STREAM, 0);\n }\n return status;\n}", "project": "httpd", "hash": 148547979983319649111532606604905968551, "size": 24, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284232 }, { "func": "int bcf_enc_vchar(kstring_t *s, int l, const char *a)\n{\n bcf_enc_size(s, l, BCF_BT_CHAR);\n kputsn(a, l, s);\n return 0; // FIXME: check for errs in this function\n}", "project": "htslib", "hash": 67360363887614494098437992528574274646, "size": 6, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402248 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "void SpeechSynthesis::cancel()\n{\n m_utteranceQueue.clear();\n m_platformSpeechSynthesizer->cancel();\n}\n", "cwe": "", "big_vul_idx": 129887, "idx": 116212, "hash": 127264807998056401364218574496888152037 }, { "func": "bool flush_tables(THD *thd, flush_tables_type flag)\n{\n bool result= TRUE;\n tc_collect_arg collect_arg;\n TABLE *tmp_table;\n flush_tables_error_handler error_handler;\n DBUG_ENTER(\"flush_tables\");\n\n purge_tables(false); /* Flush unused tables and shares */\n\n /*\n Loop over all shares and collect shares that have open tables\n TODO:\n Optimize this to only collect shares that have been used for\n write after last time all tables was closed.\n */\n\n if (!(tmp_table= (TABLE*) my_malloc(sizeof(*tmp_table),\n MYF(MY_WME | MY_THREAD_SPECIFIC))))\n DBUG_RETURN(1);\n\n my_init_dynamic_array(&collect_arg.shares, sizeof(TABLE_SHARE*), 100, 100,\n MYF(0));\n collect_arg.flush_type= flag;\n if (tdc_iterate(thd, (my_hash_walk_action) tc_collect_used_shares,\n &collect_arg, true))\n {\n /* Release already collected shares */\n for (uint i= 0 ; i < collect_arg.shares.elements ; i++)\n {\n TABLE_SHARE *share= *dynamic_element(&collect_arg.shares, i,\n TABLE_SHARE**);\n tdc_release_share(share);\n }\n goto err;\n }\n\n /* Call HA_EXTRA_FLUSH on all found shares */\n\n thd->push_internal_handler(&error_handler);\n for (uint i= 0 ; i < collect_arg.shares.elements ; i++)\n {\n TABLE_SHARE *share= *dynamic_element(&collect_arg.shares, i,\n TABLE_SHARE**);\n TABLE *table= tc_acquire_table(thd, share->tdc);\n if (table)\n {\n (void) 
table->file->extra(HA_EXTRA_FLUSH);\n tc_release_table(table);\n }\n else\n {\n /*\n HA_OPEN_FOR_ALTER is used to allow us to open the table even if\n TABLE_SHARE::incompatible_version is set.\n */\n if (!open_table_from_share(thd, share, &empty_clex_str,\n HA_OPEN_KEYFILE, 0,\n HA_OPEN_FOR_ALTER,\n tmp_table, FALSE,\n NULL))\n {\n (void) tmp_table->file->extra(HA_EXTRA_FLUSH);\n /*\n We don't put the table into the TDC as the table was not fully\n opened (we didn't open triggers)\n */\n closefrm(tmp_table);\n }\n }\n tdc_release_share(share);\n }\n thd->pop_internal_handler();\n result= error_handler.got_fatal_error();\n DBUG_PRINT(\"note\", (\"open_errors: %u %u\",\n error_handler.handled_errors,\n error_handler.unhandled_errors));\nerr:\n my_free(tmp_table);\n delete_dynamic(&collect_arg.shares);\n DBUG_RETURN(result);\n}", "target": 0, "cwe": [ "CWE-416" ], "project": "server", "commit_id": "0beed9b5e933f0ff79b3bb346524f7a451d14e38", "hash": 37203738904063806202310413179316462812, "size": 82, "message": "MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING\n\nwhen resolving WHERE and ON clauses, do not look in\nSELECT list/aliases.", "dataset": "other", "idx": 514564 }, { "func": "intrusive_ptr Expression::parseOperand(ExpressionContext* const expCtx,\n BSONElement exprElement,\n const VariablesParseState& vps) {\n BSONType type = exprElement.type();\n\n if (type == String && exprElement.valuestr()[0] == '$') {\n /* if we got here, this is a field path expression */\n return ExpressionFieldPath::parse(expCtx, exprElement.str(), vps);\n } else if (type == Object) {\n return Expression::parseObject(expCtx, exprElement.Obj(), vps);\n } else if (type == Array) {\n return ExpressionArray::parse(expCtx, exprElement, vps);\n } else {\n return ExpressionConstant::parse(expCtx, exprElement, vps);\n }\n}", "project": "mongo", "hash": 30414243385780537291514495569550713905, "size": 16, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", 
"message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370035 }, { "func": "static int get_delete_at_param(req_state *s, boost::optional &delete_at)\n{\n /* Handle Swift object expiration. */\n real_time delat_proposal;\n string x_delete = s->info.env->get(\"HTTP_X_DELETE_AFTER\", \"\");\n\n if (x_delete.empty()) {\n x_delete = s->info.env->get(\"HTTP_X_DELETE_AT\", \"\");\n } else {\n /* X-Delete-After HTTP is present. It means we need add its value\n * to the current time. */\n delat_proposal = real_clock::now();\n }\n\n if (x_delete.empty()) {\n delete_at = boost::none;\n if (s->info.env->exists(\"HTTP_X_REMOVE_DELETE_AT\")) {\n delete_at = boost::in_place(real_time());\n }\n return 0;\n }\n string err;\n long ts = strict_strtoll(x_delete.c_str(), 10, &err);\n\n if (!err.empty()) {\n return -EINVAL;\n }\n\n delat_proposal += make_timespan(ts);\n if (delat_proposal < real_clock::now()) {\n return -EINVAL;\n }\n\n delete_at = delat_proposal;\n\n return 0;\n}", "project": "ceph", "hash": 40994477373010843823487919295745245846, "size": 37, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448800 }, { "func": "static inline void tcp_complete_cwr(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\t/* Do not moderate cwnd if it's already undone in cwr or recovery. 
*/\n\tif (tp->undo_marker) {\n\t\tif (inet_csk(sk)->icsk_ca_state == TCP_CA_CWR)\n\t\t\ttp->snd_cwnd = min(tp->snd_cwnd, tp->snd_ssthresh);\n\t\telse /* PRR */\n\t\t\ttp->snd_cwnd = tp->snd_ssthresh;\n\t\ttp->snd_cwnd_stamp = tcp_time_stamp;\n\t}\n\ttcp_ca_event(sk, CA_EVENT_COMPLETE_CWR);\n}", "project": "net-next", "hash": 75620928975168968530375430709096590127, "size": 14, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409921 }, { "func": "int blosc2_getitem_ctx(blosc2_context* context, const void* src, int32_t srcsize,\n int start, int nitems, void* dest) {\n uint8_t* _src = (uint8_t*)(src);\n int result;\n\n /* Minimally populate the context */\n context->typesize = (uint8_t)_src[3];\n context->blocksize = sw32_(_src + 8);\n context->header_flags = *(_src + 2);\n context->filter_flags = get_filter_flags(*(_src + 2), context->typesize);\n if (context->serial_context == NULL) {\n context->serial_context = create_thread_context(context, 0);\n }\n\n /* Call the actual getitem function */\n result = _blosc_getitem(context, src, srcsize, start, nitems, dest);\n\n return result;\n}", "project": "c-blosc2", "hash": 27420352579420790852553785747636469742, "size": 19, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303055 }, { "func": "static int imap_mbox_check_stats(struct Mailbox *m, int flags)\n{\n return imap_mailbox_status(m, true);\n}", "project": "neomutt", "hash": 212771978112706746004163620470955528170, "size": 4, "commit_id": 
"9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357049 }, { "func": "static int kvm_dev_ioctl_create_vm(unsigned long type)\n{\n\tint r;\n\tstruct kvm *kvm;\n\tstruct file *file;\n\n\tkvm = kvm_create_vm(type);\n\tif (IS_ERR(kvm))\n\t\treturn PTR_ERR(kvm);\n#ifdef CONFIG_KVM_MMIO\n\tr = kvm_coalesced_mmio_init(kvm);\n\tif (r < 0)\n\t\tgoto put_kvm;\n#endif\n\tr = get_unused_fd_flags(O_CLOEXEC);\n\tif (r < 0)\n\t\tgoto put_kvm;\n\n\tfile = anon_inode_getfile(\"kvm-vm\", &kvm_vm_fops, kvm, O_RDWR);\n\tif (IS_ERR(file)) {\n\t\tput_unused_fd(r);\n\t\tr = PTR_ERR(file);\n\t\tgoto put_kvm;\n\t}\n\n\t/*\n\t * Don't call kvm_put_kvm anymore at this point; file->f_op is\n\t * already set, with ->release() being kvm_vm_release(). In error\n\t * cases it will be called by the final fput(file) and will take\n\t * care of doing kvm_put_kvm(kvm).\n\t */\n\tif (kvm_create_vm_debugfs(kvm, r) < 0) {\n\t\tput_unused_fd(r);\n\t\tfput(file);\n\t\treturn -ENOMEM;\n\t}\n\tkvm_uevent_notify_change(KVM_EVENT_CREATE_VM, kvm);\n\n\tfd_install(r, file);\n\treturn r;\n\nput_kvm:\n\tkvm_put_kvm(kvm);\n\treturn r;\n}", "project": "linux", "hash": 262531038463391853231406491120276720772, "size": 45, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: 
<20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354461 }, { "func": "static bool ctx_single_port_submission(const struct intel_context *ce)\n{\n\treturn (IS_ENABLED(CONFIG_DRM_I915_GVT) &&\n\t\ti915_gem_context_force_single_submission(ce->gem_context));\n}", "project": "linux", "hash": 331753797948501224298766823685234730085, "size": 5, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281556 }, { "func": "static int parse_htime_item(struct archive_read* a, char unix_time,\n uint64_t* where, ssize_t* extra_data_size)\n{\n\tif(unix_time) {\n\t\tuint32_t time_val;\n\t\tif(!read_u32(a, &time_val))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\t*extra_data_size -= 4;\n\t\t*where = (uint64_t) time_val;\n\t} else {\n\t\tuint64_t windows_time;\n\t\tif(!read_u64(a, &windows_time))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\t*where = time_win_to_unix(windows_time);\n\t\t*extra_data_size -= 8;\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 83553667837545010499594245293721745666, "size": 21, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", 
"message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244748 }, { "func": "static void fuse_lk_fill(struct fuse_args *args, struct file *file,\n\t\t\t const struct file_lock *fl, int opcode, pid_t pid,\n\t\t\t int flock, struct fuse_lk_in *inarg)\n{\n\tstruct inode *inode = file_inode(file);\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tstruct fuse_file *ff = file->private_data;\n\n\tmemset(inarg, 0, sizeof(*inarg));\n\tinarg->fh = ff->fh;\n\tinarg->owner = fuse_lock_owner_id(fc, fl->fl_owner);\n\tinarg->lk.start = fl->fl_start;\n\tinarg->lk.end = fl->fl_end;\n\tinarg->lk.type = fl->fl_type;\n\tinarg->lk.pid = pid;\n\tif (flock)\n\t\tinarg->lk_flags |= FUSE_LK_FLOCK;\n\targs->opcode = opcode;\n\targs->nodeid = get_node_id(inode);\n\targs->in_numargs = 1;\n\targs->in_args[0].size = sizeof(*inarg);\n\targs->in_args[0].value = inarg;\n}", "project": "linux", "hash": 282920405418443257352926078715519852052, "size": 23, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342092 }, { "func": "static inline int kvm_arch_vcpu_run_pid_change(struct kvm_vcpu *vcpu)\n{\n\treturn 0;\n}", "project": "linux", "hash": 87527021479309183328590282370548972063, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354569 }, { "func": "void tipc_rcv(struct net *net, struct sk_buff *skb, struct tipc_bearer *b)\n{\n\tstruct sk_buff_head xmitq;\n\tstruct tipc_link_entry *le;\n\tstruct tipc_msg *hdr;\n\tstruct tipc_node *n;\n\tint bearer_id = b->identity;\n\tu32 self = tipc_own_addr(net);\n\tint usr, rc = 0;\n\tu16 bc_ack;\n#ifdef CONFIG_TIPC_CRYPTO\n\tstruct tipc_ehdr *ehdr;\n\n\t/* Check if 
message must be decrypted first */\n\tif (TIPC_SKB_CB(skb)->decrypted || !tipc_ehdr_validate(skb))\n\t\tgoto rcv;\n\n\tehdr = (struct tipc_ehdr *)skb->data;\n\tif (likely(ehdr->user != LINK_CONFIG)) {\n\t\tn = tipc_node_find(net, ntohl(ehdr->addr));\n\t\tif (unlikely(!n))\n\t\t\tgoto discard;\n\t} else {\n\t\tn = tipc_node_find_by_id(net, ehdr->id);\n\t}\n\ttipc_crypto_rcv(net, (n) ? n->crypto_rx : NULL, &skb, b);\n\tif (!skb)\n\t\treturn;\n\nrcv:\n#endif\n\t/* Ensure message is well-formed before touching the header */\n\tif (unlikely(!tipc_msg_validate(&skb)))\n\t\tgoto discard;\n\t__skb_queue_head_init(&xmitq);\n\thdr = buf_msg(skb);\n\tusr = msg_user(hdr);\n\tbc_ack = msg_bcast_ack(hdr);\n\n\t/* Handle arrival of discovery or broadcast packet */\n\tif (unlikely(msg_non_seq(hdr))) {\n\t\tif (unlikely(usr == LINK_CONFIG))\n\t\t\treturn tipc_disc_rcv(net, skb, b);\n\t\telse\n\t\t\treturn tipc_node_bc_rcv(net, skb, bearer_id);\n\t}\n\n\t/* Discard unicast link messages destined for another node */\n\tif (unlikely(!msg_short(hdr) && (msg_destnode(hdr) != self)))\n\t\tgoto discard;\n\n\t/* Locate neighboring node that sent packet */\n\tn = tipc_node_find(net, msg_prevnode(hdr));\n\tif (unlikely(!n))\n\t\tgoto discard;\n\tle = &n->links[bearer_id];\n\n\t/* Ensure broadcast reception is in synch with peer's send state */\n\tif (unlikely(usr == LINK_PROTOCOL)) {\n\t\tif (unlikely(skb_linearize(skb))) {\n\t\t\ttipc_node_put(n);\n\t\t\tgoto discard;\n\t\t}\n\t\thdr = buf_msg(skb);\n\t\ttipc_node_bc_sync_rcv(n, hdr, bearer_id, &xmitq);\n\t} else if (unlikely(tipc_link_acked(n->bc_entry.link) != bc_ack)) {\n\t\ttipc_bcast_ack_rcv(net, n->bc_entry.link, hdr);\n\t}\n\n\t/* Receive packet directly if conditions permit */\n\ttipc_node_read_lock(n);\n\tif (likely((n->state == SELF_UP_PEER_UP) && (usr != TUNNEL_PROTOCOL))) {\n\t\tspin_lock_bh(&le->lock);\n\t\tif (le->link) {\n\t\t\trc = tipc_link_rcv(le->link, skb, &xmitq);\n\t\t\tskb = 
NULL;\n\t\t}\n\t\tspin_unlock_bh(&le->lock);\n\t}\n\ttipc_node_read_unlock(n);\n\n\t/* Check/update node state before receiving */\n\tif (unlikely(skb)) {\n\t\tif (unlikely(skb_linearize(skb)))\n\t\t\tgoto out_node_put;\n\t\ttipc_node_write_lock(n);\n\t\tif (tipc_node_check_state(n, skb, bearer_id, &xmitq)) {\n\t\t\tif (le->link) {\n\t\t\t\trc = tipc_link_rcv(le->link, skb, &xmitq);\n\t\t\t\tskb = NULL;\n\t\t\t}\n\t\t}\n\t\ttipc_node_write_unlock(n);\n\t}\n\n\tif (unlikely(rc & TIPC_LINK_UP_EVT))\n\t\ttipc_node_link_up(n, bearer_id, &xmitq);\n\n\tif (unlikely(rc & TIPC_LINK_DOWN_EVT))\n\t\ttipc_node_link_down(n, bearer_id, false);\n\n\tif (unlikely(!skb_queue_empty(&n->bc_entry.namedq)))\n\t\ttipc_named_rcv(net, &n->bc_entry.namedq,\n\t\t\t &n->bc_entry.named_rcv_nxt,\n\t\t\t &n->bc_entry.named_open);\n\n\tif (unlikely(!skb_queue_empty(&n->bc_entry.inputq1)))\n\t\ttipc_node_mcast_rcv(n);\n\n\tif (!skb_queue_empty(&le->inputq))\n\t\ttipc_sk_rcv(net, &le->inputq);\n\n\tif (!skb_queue_empty(&xmitq))\n\t\ttipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr, n);\n\nout_node_put:\n\ttipc_node_put(n);\ndiscard:\n\tkfree_skb(skb);\n}", "project": "linux", "hash": 226100098871681922638166672301749729561, "size": 120, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n 
dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 
0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364899 }, { "func": "static void madvise_pageout_page_range(struct mmu_gather *tlb,\n\t\t\t struct vm_area_struct *vma,\n\t\t\t unsigned long addr, unsigned long end)\n{\n\tstruct madvise_walk_private walk_private = {\n\t\t.pageout = true,\n\t\t.tlb = tlb,\n\t};\n\n\ttlb_start_vma(tlb, vma);\n\twalk_page_range(vma->vm_mm, addr, end, &cold_walk_ops, &walk_private);\n\ttlb_end_vma(tlb, vma);\n}", "project": "linux", "hash": 273096214397565565683477075142576179317, "size": 13, "commit_id": "bc0c4d1e176eeb614dc8734fc3ace34292771f11", "message": "mm: check that mm is still valid in madvise()\n\nIORING_OP_MADVISE can end up basically doing mprotect() on the VM of\nanother process, which means that it can race with our crazy core dump\nhandling which accesses the VM state without holding the mmap_sem\n(because it incorrectly thinks that it is the final user).\n\nThis is clearly a core dumping problem, but we've never fixed it the\nright way, and instead have the notion of \"check that the mm is still\nok\" using mmget_still_valid() after getting the mmap_sem for writing in\nany situation where we're not the original VM thread.\n\nSee commit 04f5866e41fb (\"coredump: fix race condition between\nmmget_not_zero()/get_task_mm() and core dumping\") for more background on\nthis whole mmget_still_valid() thing. You might want to have a barf bag\nhandy when you do.\n\nWe're discussing just fixing this properly in the only remaining core\ndumping routines. 
But even if we do that, let's make do_madvise() do\nthe right thing, and then when we fix core dumping, we can remove all\nthese mmget_still_valid() checks.\n\nReported-and-tested-by: Jann Horn \nFixes: c1ca757bd6f4 (\"io_uring: add IORING_OP_MADVISE\")\nAcked-by: Jens Axboe \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 323570 }, { "func": "void exec_mm_release(struct task_struct *tsk, struct mm_struct *mm)\n{\n\tfutex_exec_release(tsk);\n\tmm_release(tsk, mm);\n}", "project": "linux", "hash": 100866887683678452956847229722059662432, "size": 5, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293655 }, { "func": "void EvalSparseHybridImpl(TfLiteContext* context, TfLiteNode* node,\n TfLiteFullyConnectedParams* params, OpData* data,\n const TfLiteTensor* input, const TfLiteTensor* filter,\n const TfLiteTensor* bias, int thread_start,\n int thread_end, TfLiteTensor* input_quantized,\n TfLiteTensor* scaling_factors,\n TfLiteTensor* accum_scratch, TfLiteTensor* row_sums,\n TfLiteTensor* input_offsets, TfLiteTensor* output) {\n ruy::profiler::ScopeLabel label(\"FullyConnected\");\n ruy::profiler::ScopeLabel inner_label(\"Sparse Hybrid Kernel\");\n const auto& input_shape = GetTensorShape(input);\n const auto& output_shape = GetTensorShape(output);\n const auto& filter_shape = GetTensorShape(filter);\n const int input_dims_count = input_shape.DimensionsCount();\n const int output_dims_count = output_shape.DimensionsCount();\n const int filter_dims_count = filter_shape.DimensionsCount();\n const int batch_size = thread_end - thread_start;\n const int input_depth = 
MatchingDim(filter_shape, filter_dims_count - 1,\n input_shape, input_dims_count - 1);\n const int output_depth = MatchingDim(filter_shape, filter_dims_count - 2,\n output_shape, output_dims_count - 1);\n const int per_thread_input_size = batch_size * input_depth;\n\n const float* per_thread_input =\n GetTensorData(input) + thread_start * input_depth;\n float* per_thread_output =\n GetTensorData(output) + thread_start * output_depth;\n\n // Output = bias if bias tensor exists.\n if (bias) {\n tensor_utils::VectorBatchVectorAssign(GetTensorData(bias),\n output_depth, batch_size,\n per_thread_output);\n } else {\n std::fill_n(per_thread_output, batch_size * output_depth, 0.0f);\n }\n\n // Save matrix multiplication computation for all zero input.\n if (tensor_utils::IsZeroVector(per_thread_input, per_thread_input_size)) {\n tensor_utils::ApplyActivationToVector(\n per_thread_output, batch_size * output_depth, params->activation,\n per_thread_output);\n return;\n }\n\n // Quantize input from float to uint8 + quantization params (scaling factor).\n float* scaling_factors_ptr =\n GetTensorData(scaling_factors) + thread_start;\n int32_t* input_offset_ptr = nullptr;\n int32_t* row_sums_ptr = nullptr;\n if (params->asymmetric_quantize_inputs) {\n input_offset_ptr = GetTensorData(input_offsets) + thread_start;\n row_sums_ptr = GetTensorData(row_sums);\n }\n int8_t* quant_data =\n GetTensorData(input_quantized) + thread_start * input_depth;\n tensor_utils::BatchQuantizeFloats(per_thread_input, batch_size, input_depth,\n quant_data, scaling_factors_ptr,\n input_offset_ptr,\n params->asymmetric_quantize_inputs);\n for (int b = 0; b < batch_size; ++b) {\n // Incorporate scaling of the filter.\n scaling_factors_ptr[b] *= filter->params.scale;\n }\n\n if (params->asymmetric_quantize_inputs) {\n float* per_thread_output_ptr = per_thread_output;\n for (int b = 0; b < batch_size; ++b) {\n const float scaled_zp = scaling_factors_ptr[b] * input_offset_ptr[b];\n for (int row = 0; row < 
output_depth; ++row) {\n *per_thread_output_ptr++ -= scaled_zp * row_sums_ptr[row];\n }\n }\n }\n\n // Compute output += weight * quantized_input\n TfLiteTensor* filter_ledger = &context->tensors[node->temporaries->data[5]];\n tensor_utils::SparseMatrixBatchVectorMultiplyAccumulate(\n GetTensorData(filter), GetTensorData(filter_ledger),\n output_depth, input_depth, quant_data, scaling_factors_ptr, batch_size,\n per_thread_output);\n\n // Apply activation function to floats.\n tensor_utils::ApplyActivationToVector(per_thread_output,\n batch_size * output_depth,\n params->activation, per_thread_output);\n}", "project": "tensorflow", "hash": 97249073938723031516005297977016746402, "size": 87, "commit_id": "6c0b2b70eeee588591680f5b7d5d38175fd7cdf6", "message": "[lite] add validation check for sparse fully connected\n\nPiperOrigin-RevId: 417629354\nChange-Id: If96171c4bd4f5fdb01d6368d6deab19d1c9beca7", "target": 0, "dataset": "other", "idx": 220471 }, { "func": "static int tracing_open_generic_tr(struct inode *inode, struct file *filp)\n{\n\tstruct trace_array *tr = inode->i_private;\n\n\tif (tracing_disabled)\n\t\treturn -ENODEV;\n\n\tif (trace_array_get(tr) < 0)\n\t\treturn -ENODEV;\n\n\tfilp->private_data = inode->i_private;\n\n\treturn 0;\n}", "project": "linux", "hash": 72381649238444580125845477520806064599, "size": 14, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445576 }, { "func": "void lua_text_pattern::pre_pattern(string &pat, string &fn) const\n{\n // Trim trailing spaces\n pat.erase(pat.find_last_not_of(\" \\t\\n\\r\") + 1);\n\n fn += \" pmatch([[\";\n fn += pat;\n fn += \"]], text, false) \";\n\n pat.clear();\n}", "project": "crawl", "hash": 37986387477684811302161134521080471834, "size": 11, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230471 }, { "func": "\nstatic int io_buffer_validate(struct iovec *iov)\n{\n\tunsigned long tmp, acct_len = iov->iov_len + (PAGE_SIZE - 1);\n\n\t/*\n\t * Don't impose further limits on the size and buffer\n\t * constraints here, we'll -EINVAL later when IO is\n\t * submitted if they are wrong.\n\t */\n\tif (!iov->iov_base)\n\t\treturn iov->iov_len ? -EFAULT : 0;\n\tif (!iov->iov_len)\n\t\treturn -EFAULT;\n\n\t/* arbitrary limit, but we need something */\n\tif (iov->iov_len > SZ_1G)\n\t\treturn -EFAULT;\n\n\tif (check_add_overflow((unsigned long)iov->iov_base, acct_len, &tmp))\n\t\treturn -EOVERFLOW;\n\n\treturn 0;", "project": "linux", "hash": 144811983268688954864195409934303853510, "size": 23, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338514 }, { "func": "static long kvm_s390_guest_mem_op(struct kvm_vcpu *vcpu,\n\t\t\t\t struct kvm_s390_mem_op *mop)\n{\n\tvoid __user *uaddr = (void __user *)mop->buf;\n\tvoid *tmpbuf = NULL;\n\tint r = 0;\n\tconst u64 supported_flags = KVM_S390_MEMOP_F_INJECT_EXCEPTION\n\t\t\t\t | KVM_S390_MEMOP_F_CHECK_ONLY;\n\n\tif (mop->flags & ~supported_flags || mop->ar >= NUM_ACRS || !mop->size)\n\t\treturn -EINVAL;\n\n\tif (mop->size > MEM_OP_MAX_SIZE)\n\t\treturn -E2BIG;\n\n\tif (kvm_s390_pv_cpu_is_protected(vcpu))\n\t\treturn -EINVAL;\n\n\tif (!(mop->flags & KVM_S390_MEMOP_F_CHECK_ONLY)) {\n\t\ttmpbuf = vmalloc(mop->size);\n\t\tif (!tmpbuf)\n\t\t\treturn -ENOMEM;\n\t}\n\n\tswitch (mop->op) {\n\tcase KVM_S390_MEMOP_LOGICAL_READ:\n\t\tif (mop->flags & KVM_S390_MEMOP_F_CHECK_ONLY) {\n\t\t\tr = check_gva_range(vcpu, mop->gaddr, mop->ar,\n\t\t\t\t\t mop->size, GACC_FETCH);\n\t\t\tbreak;\n\t\t}\n\t\tr = read_guest(vcpu, mop->gaddr, mop->ar, tmpbuf, mop->size);\n\t\tif (r == 0) {\n\t\t\tif (copy_to_user(uaddr, tmpbuf, mop->size))\n\t\t\t\tr = -EFAULT;\n\t\t}\n\t\tbreak;\n\tcase KVM_S390_MEMOP_LOGICAL_WRITE:\n\t\tif (mop->flags & KVM_S390_MEMOP_F_CHECK_ONLY) {\n\t\t\tr = check_gva_range(vcpu, mop->gaddr, mop->ar,\n\t\t\t\t\t mop->size, GACC_STORE);\n\t\t\tbreak;\n\t\t}\n\t\tif (copy_from_user(tmpbuf, uaddr, mop->size)) {\n\t\t\tr = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\tr 
= write_guest(vcpu, mop->gaddr, mop->ar, tmpbuf, mop->size);\n\t\tbreak;\n\t}\n\n\tif (r > 0 && (mop->flags & KVM_S390_MEMOP_F_INJECT_EXCEPTION) != 0)\n\t\tkvm_s390_inject_prog_irq(vcpu, &vcpu->arch.pgm);\n\n\tvfree(tmpbuf);\n\treturn r;\n}", "project": "linux", "hash": 249518750324614643415953177913475100464, "size": 57, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354533 }, { "func": "static void nfs4_slot_sequence_acked(struct nfs4_slot *slot,\n\t\tu32 seqnr)\n{\n\tslot->seq_nr_highest_sent = seqnr;\n\tslot->seq_nr_last_acked = seqnr;\n}", "project": "linux", "hash": 74101109266512418982020959836645520250, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431566 }, { "func": "R_API char *r_str_scale(const char *s, int w, int h) {\n\t// count lines and rows in (s) string\n\t// compute how many lines we should remove or combine\n\t// return a string 
containing\n\t// for now this function is ascii only (no utf8 or ansi escapes)\n\tRListIter *iter;\n\tchar *line;\n\tchar *str = strdup (s);\n\tRList *lines = r_str_split_list (str, \"\\n\", 0);\n\tint i, j;\n\tint rows = 0;\n\tint maxcol = 0;\n\n\trows = r_list_length (lines);\n\tr_list_foreach (lines, iter, line) {\n\t\tmaxcol = R_MAX (strlen (line), maxcol);\n\t}\n\n\tRList *out = r_list_newf (free);\n\n\tint curline = -1;\n\tchar *linetext = (char*)r_str_pad (' ', w);\n\tfor (i = 0; i < h; i++) {\n\t\tint zoomedline = i * ((float)rows / h);\n\t\tconst char *srcline = r_list_get_n (lines, zoomedline);\n\t\tint cols = strlen (srcline);\n\t\tfor (j = 0; j < w; j++) {\n\t\t\tint zoomedcol = j * ( (float)cols / w);\n\t\t\tlinetext[j] = srcline[zoomedcol];\n\t\t}\n\t\tif (curline != zoomedline) {\n\t\t\tr_list_append (out, strdup (linetext));\n\t\t\tcurline = zoomedline;\n\t\t}\n\t\tmemset (linetext, ' ', w);\n\t}\n\tfree (str);\n\treturn r_str_list_join (out, \"\\n\");\n}", "project": "radare2", "hash": 280227933619535254377415418930309099591, "size": 39, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268967 }, { "func": "void utf16_to_utf8(UncheckedBuffer &buf, unsigned short utf16) {\n if (LIKELY(utf16 < 0x80)) {\n buf.append((char)utf16);\n return;\n }\n return utf16_to_utf8_tail(buf, utf16);\n}", "project": "hhvm", "hash": 69198379605732427431748680009156580018, "size": 7, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227280 }, { "func": " * non-zero.\n */\nstruct iscsi_cls_conn *\niscsi_create_conn(struct iscsi_cls_session *session, int dd_size, uint32_t cid)\n{\n\tstruct iscsi_transport *transport = session->transport;\n\tstruct iscsi_cls_conn *conn;\n\tunsigned long flags;\n\tint err;\n\n\tconn = kzalloc(sizeof(*conn) + dd_size, GFP_KERNEL);\n\tif (!conn)\n\t\treturn NULL;\n\tif (dd_size)\n\t\tconn->dd_data = &conn[1];\n\n\tmutex_init(&conn->ep_mutex);\n\tINIT_LIST_HEAD(&conn->conn_list);\n\tINIT_LIST_HEAD(&conn->conn_list_err);\n\tconn->transport = transport;\n\tconn->cid = cid;\n\tconn->state = ISCSI_CONN_DOWN;\n\n\t/* this is released in the dev's release function */\n\tif 
(!get_device(&session->dev))\n\t\tgoto free_conn;\n\n\tdev_set_name(&conn->dev, \"connection%d:%u\", session->sid, cid);\n\tconn->dev.parent = &session->dev;\n\tconn->dev.release = iscsi_conn_release;\n\terr = device_register(&conn->dev);\n\tif (err) {\n\t\tiscsi_cls_session_printk(KERN_ERR, session, \"could not \"\n\t\t\t\t\t \"register connection's dev\\n\");\n\t\tgoto release_parent_ref;\n\t}\n\terr = transport_register_device(&conn->dev);\n\tif (err) {\n\t\tiscsi_cls_session_printk(KERN_ERR, session, \"could not \"\n\t\t\t\t\t \"register transport's dev\\n\");\n\t\tgoto release_conn_ref;\n\t}\n\n\tspin_lock_irqsave(&connlock, flags);\n\tlist_add(&conn->conn_list, &connlist);\n\tspin_unlock_irqrestore(&connlock, flags);\n\n\tISCSI_DBG_TRANS_CONN(conn, \"Completed conn creation\\n\");\n\treturn conn;\n\nrelease_conn_ref:\n\tdevice_unregister(&conn->dev);\n\tput_device(&session->dev);\n\treturn NULL;\nrelease_parent_ref:\n\tput_device(&session->dev);\nfree_conn:", "project": "linux", "hash": 193516033863363788677273720764504618566, "size": 57, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379915 }, { "func": "static void nfs4_xdr_enc_fs_locations(struct rpc_rqst *req,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs4_fs_locations_arg *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\tuint32_t replen;\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tif (args->migration) {\n\t\tencode_putfh(xdr, args->fh, &hdr);\n\t\treplen = hdr.replen;\n\t\tencode_fs_locations(xdr, args->bitmask, &hdr);\n\t\tif (args->renew)\n\t\t\tencode_renew(xdr, args->clientid, &hdr);\n\t} else {\n\t\tencode_putfh(xdr, args->dir_fh, &hdr);\n\t\tencode_lookup(xdr, args->name, &hdr);\n\t\treplen = hdr.replen;\n\t\tencode_fs_locations(xdr, args->bitmask, &hdr);\n\t}\n\n\trpc_prepare_reply_pages(req, (struct page **)&args->page, 0,\n\t\t\t\tPAGE_SIZE, replen + 1);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 102318295252079867656240120068047198431, "size": 29, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431354 }, { "func": "inline SparseTensor SparseTensor::Concat(\n const gtl::ArraySlice& tensors) {\n DCHECK_GE(tensors.size(), size_t{1}) << \"Cannot concat 0 SparseTensors\";\n const int dims = tensors[0].dims_;\n DCHECK_GE(dims, 1) << \"Cannot concat 0-dimensional SparseTensors\";\n auto order_0 = tensors[0].order();\n const int primary_dim = order_0[0];\n ShapeArray final_order(order_0.begin(), order_0.end());\n ShapeArray 
final_shape(tensors[0].shape().begin(), tensors[0].shape().end());\n final_shape[primary_dim] = 0; // We'll build this up as we go along.\n int num_entries = 0;\n\n bool fully_ordered = true;\n for (const SparseTensor& st : tensors) {\n DCHECK_EQ(st.dims_, dims) << \"All SparseTensors must have the same rank.\";\n DCHECK_EQ(DataTypeToEnum::v(), st.dtype())\n << \"Concat requested with the wrong data type\";\n DCHECK_GE(st.order()[0], 0) << \"SparseTensor must be ordered\";\n DCHECK_EQ(st.order()[0], primary_dim)\n << \"All SparseTensors' order[0] must match. This is the concat dim.\";\n if (st.order() != final_order) fully_ordered = false;\n const VarDimArray& st_shape = st.shape();\n for (int d = 0; d < dims - 1; ++d) {\n const int cdim = (d < primary_dim) ? d : d + 1;\n DCHECK_EQ(final_shape[cdim], st_shape[cdim])\n << \"All SparseTensors' shapes must match except on the concat dim. \"\n << \"Concat dim: \" << primary_dim\n << \", mismatched shape at dim: \" << cdim\n << \". Expecting shape like: [\" << str_util::Join(final_shape, \",\")\n << \"] but saw shape: [\" << str_util::Join(st_shape, \",\") << \"]\";\n }\n\n // Update dimension of final shape\n final_shape[primary_dim] =\n (final_shape[primary_dim] + st_shape[primary_dim]);\n\n num_entries += st.num_entries(); // Update number of entries\n }\n\n // If nonconsistent ordering among inputs, set final order to -1s.\n if (!fully_ordered) {\n final_order = UndefinedOrder(final_shape);\n }\n\n Tensor output_ix(DT_INT64, TensorShape({num_entries, dims}));\n Tensor output_vals(DataTypeToEnum::v(), TensorShape({num_entries}));\n\n TTypes::Matrix ix_t = output_ix.matrix();\n typename TTypes::Vec vals_t = output_vals.vec();\n\n Eigen::DenseIndex offset = 0;\n int64 shape_offset = 0;\n for (const SparseTensor& st : tensors) {\n const int st_num_entries = st.num_entries();\n\n // Fill in indices & values.\n if (st_num_entries > 0) {\n std::copy_n(&st.vals_.vec()(0), st_num_entries, &vals_t(offset));\n\n const auto* 
st_ix = &st.ix_.matrix()(0, 0);\n auto* ix_out = &ix_t(offset, 0);\n for (std::size_t i = 0; i < st_num_entries * dims; ++i) {\n *ix_out++ = *st_ix++ + ((i % dims == primary_dim) ? shape_offset : 0);\n }\n }\n\n offset += st_num_entries;\n shape_offset += st.shape()[primary_dim];\n }\n\n return SparseTensor(output_ix, output_vals, final_shape, final_order);\n}", "project": "tensorflow", "hash": 8751950502100553921570472710972167662, "size": 72, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277007 }, { "func": "int filename_lookup(int dfd, struct filename *name, unsigned flags,\n\t\t struct path *path, struct path *root)\n{\n\tint retval;\n\tstruct nameidata nd;\n\tif (IS_ERR(name))\n\t\treturn PTR_ERR(name);\n\tif (unlikely(root)) {\n\t\tnd.root = *root;\n\t\tflags |= LOOKUP_ROOT;\n\t}\n\tset_nameidata(&nd, dfd, name);\n\tretval = path_lookupat(&nd, flags | LOOKUP_RCU, path);\n\tif (unlikely(retval == -ECHILD))\n\t\tretval = path_lookupat(&nd, flags, path);\n\tif (unlikely(retval == -ESTALE))\n\t\tretval = path_lookupat(&nd, flags | LOOKUP_REVAL, path);\n\n\tif (likely(!retval))\n\t\taudit_inode(name, path->dentry, 0);\n\trestore_nameidata();\n\tputname(name);\n\treturn retval;\n}", "project": "linux", "hash": 232798336475919877383246636046310549194, "size": 24, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295333 }, { "func": "static void chop_prompt (const char *filename, char *tmp, size_t max_tmp_size) {\n\tsize_t tmp_len, 
file_len;\n\tunsigned int OTHRSCH = 3;\n\tconst char DOTS[] = \"...\";\n\tint w, p_len;\n\n\tw = r_cons_get_size (NULL);\n\tfile_len = strlen (filename);\n\ttmp_len = strlen (tmp);\n\tp_len = R_MAX (0, w - 6);\n\tif (file_len + tmp_len + OTHRSCH >= p_len) {\n\t\tsize_t dots_size = sizeof (DOTS);\n\t\tsize_t chop_point = (size_t)(p_len - OTHRSCH - file_len - dots_size - 1);\n\t\tif (chop_point < (max_tmp_size - dots_size - 1)) {\n\t\t\ttmp[chop_point] = '\\0';\n\t\t\tstrncat (tmp, DOTS, dots_size);\n\t\t}\n\t}\n}", "project": "radare2", "hash": 308627185210907586117916839038391611050, "size": 19, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232190 }, { "func": "int bcf_hdr_format(const bcf_hdr_t *hdr, int is_bcf, kstring_t *str)\n{\n int i;\n for (i=0; inhrec; i++)\n _bcf_hrec_format(hdr->hrec[i], is_bcf, str);\n\n ksprintf(str, \"#CHROM\\tPOS\\tID\\tREF\\tALT\\tQUAL\\tFILTER\\tINFO\");\n if ( bcf_hdr_nsamples(hdr) )\n {\n ksprintf(str, \"\\tFORMAT\");\n for (i=0; isamples[i]);\n }\n ksprintf(str, \"\\n\");\n\n return 0;\n}", "project": "htslib", "hash": 81358785455678534029451473421292172904, "size": 17, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402165 }, { "func": "char *bcf_hdr_fmt_text(const bcf_hdr_t *hdr, int is_bcf, int *len)\n{\n kstring_t txt = {0,0,0};\n bcf_hdr_format(hdr, is_bcf, &txt);\n if ( len ) *len = txt.l;\n return txt.s;\n}", "project": "htslib", "hash": 296618685472939345457811787801716690721, "size": 7, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402245 }, { "func": "static int mlookup(const char *name, struct mboxlist_entry **mbentryptr)\n{\n struct mboxlist_entry *mbentry = NULL;\n int r;\n \n r = mboxlist_lookup(name, &mbentry, NULL);\n if (r == IMAP_MAILBOX_NONEXISTENT && config_mupdate_server) {\n\tkick_mupdate();\n\tmboxlist_entry_free(&mbentry);\n\tr = mboxlist_lookup(name, &mbentry, NULL);\n }\n\n if (mbentryptr && !r) *mbentryptr = mbentry;\n else mboxlist_entry_free(&mbentry);\n\n return r;\n}", "project": "cyrus-imapd", "hash": 194983485187558242637372849124026860792, "size": 17, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451905 }, { "func": "static bool hidinput_has_been_populated(struct hid_input *hidinput)\n{\n\tint i;\n\tunsigned long r = 0;\n\n\tfor (i = 0; i < BITS_TO_LONGS(EV_CNT); i++)\n\t\tr |= 
hidinput->input->evbit[i];\n\n\tfor (i = 0; i < BITS_TO_LONGS(KEY_CNT); i++)\n\t\tr |= hidinput->input->keybit[i];\n\n\tfor (i = 0; i < BITS_TO_LONGS(REL_CNT); i++)\n\t\tr |= hidinput->input->relbit[i];\n\n\tfor (i = 0; i < BITS_TO_LONGS(ABS_CNT); i++)\n\t\tr |= hidinput->input->absbit[i];\n\n\tfor (i = 0; i < BITS_TO_LONGS(MSC_CNT); i++)\n\t\tr |= hidinput->input->mscbit[i];\n\n\tfor (i = 0; i < BITS_TO_LONGS(LED_CNT); i++)\n\t\tr |= hidinput->input->ledbit[i];\n\n\tfor (i = 0; i < BITS_TO_LONGS(SND_CNT); i++)\n\t\tr |= hidinput->input->sndbit[i];\n\n\tfor (i = 0; i < BITS_TO_LONGS(FF_CNT); i++)\n\t\tr |= hidinput->input->ffbit[i];\n\n\tfor (i = 0; i < BITS_TO_LONGS(SW_CNT); i++)\n\t\tr |= hidinput->input->swbit[i];\n\n\treturn !!r;\n}", "project": "linux", "hash": 322805109979663061071160223909156986946, "size": 34, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458410 }, { "func": "static int parse_file_extra_hash(struct archive_read* a, struct rar5* rar,\n ssize_t* extra_data_size)\n{\n\tsize_t hash_type = 0;\n\tsize_t value_len;\n\n\tenum HASH_TYPE {\n\t\tBLAKE2sp = 0x00\n\t};\n\n\tif(!read_var_sized(a, 
&hash_type, &value_len))\n\t\treturn ARCHIVE_EOF;\n\n\t*extra_data_size -= value_len;\n\tif(ARCHIVE_OK != consume(a, value_len)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\t/* The file uses BLAKE2sp checksum algorithm instead of plain old\n\t * CRC32. */\n\tif(hash_type == BLAKE2sp) {\n\t\tconst uint8_t* p;\n\t\tconst int hash_size = sizeof(rar->file.blake2sp);\n\n\t\tif(!read_ahead(a, hash_size, &p))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\trar->file.has_blake2 = 1;\n\t\tmemcpy(&rar->file.blake2sp, p, hash_size);\n\n\t\tif(ARCHIVE_OK != consume(a, hash_size)) {\n\t\t\treturn ARCHIVE_EOF;\n\t\t}\n\n\t\t*extra_data_size -= hash_size;\n\t} else {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Unsupported hash type (0x%x)\", (int) hash_type);\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 207120952197944898363925584641734907729, "size": 43, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244754 }, { "func": "int __kvm_set_memory_region(struct kvm *kvm,\n\t\t\t const struct kvm_userspace_memory_region *mem)\n{\n\tstruct kvm_memory_slot old, new;\n\tstruct kvm_memory_slot *tmp;\n\tenum kvm_mr_change change;\n\tint as_id, id;\n\tint r;\n\n\tr = check_memory_region_flags(mem);\n\tif (r)\n\t\treturn r;\n\n\tas_id = mem->slot >> 16;\n\tid = (u16)mem->slot;\n\n\t/* General sanity checks */\n\tif (mem->memory_size & (PAGE_SIZE - 1))\n\t\treturn -EINVAL;\n\tif (mem->guest_phys_addr & (PAGE_SIZE - 1))\n\t\treturn -EINVAL;\n\t/* We can read the guest memory with __xxx_user() later on. 
*/\n\tif ((id < KVM_USER_MEM_SLOTS) &&\n\t ((mem->userspace_addr & (PAGE_SIZE - 1)) ||\n\t !access_ok((void __user *)(unsigned long)mem->userspace_addr,\n\t\t\tmem->memory_size)))\n\t\treturn -EINVAL;\n\tif (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_MEM_SLOTS_NUM)\n\t\treturn -EINVAL;\n\tif (mem->guest_phys_addr + mem->memory_size < mem->guest_phys_addr)\n\t\treturn -EINVAL;\n\n\t/*\n\t * Make a full copy of the old memslot, the pointer will become stale\n\t * when the memslots are re-sorted by update_memslots(), and the old\n\t * memslot needs to be referenced after calling update_memslots(), e.g.\n\t * to free its resources and for arch specific behavior.\n\t */\n\ttmp = id_to_memslot(__kvm_memslots(kvm, as_id), id);\n\tif (tmp) {\n\t\told = *tmp;\n\t\ttmp = NULL;\n\t} else {\n\t\tmemset(&old, 0, sizeof(old));\n\t\told.id = id;\n\t}\n\n\tif (!mem->memory_size)\n\t\treturn kvm_delete_memslot(kvm, mem, &old, as_id);\n\n\tnew.id = id;\n\tnew.base_gfn = mem->guest_phys_addr >> PAGE_SHIFT;\n\tnew.npages = mem->memory_size >> PAGE_SHIFT;\n\tnew.flags = mem->flags;\n\tnew.userspace_addr = mem->userspace_addr;\n\n\tif (new.npages > KVM_MEM_MAX_NR_PAGES)\n\t\treturn -EINVAL;\n\n\tif (!old.npages) {\n\t\tchange = KVM_MR_CREATE;\n\t\tnew.dirty_bitmap = NULL;\n\t\tmemset(&new.arch, 0, sizeof(new.arch));\n\t} else { /* Modify an existing slot. */\n\t\tif ((new.userspace_addr != old.userspace_addr) ||\n\t\t (new.npages != old.npages) ||\n\t\t ((new.flags ^ old.flags) & KVM_MEM_READONLY))\n\t\t\treturn -EINVAL;\n\n\t\tif (new.base_gfn != old.base_gfn)\n\t\t\tchange = KVM_MR_MOVE;\n\t\telse if (new.flags != old.flags)\n\t\t\tchange = KVM_MR_FLAGS_ONLY;\n\t\telse /* Nothing to change. */\n\t\t\treturn 0;\n\n\t\t/* Copy dirty_bitmap and arch from the current memslot. 
*/\n\t\tnew.dirty_bitmap = old.dirty_bitmap;\n\t\tmemcpy(&new.arch, &old.arch, sizeof(new.arch));\n\t}\n\n\tif ((change == KVM_MR_CREATE) || (change == KVM_MR_MOVE)) {\n\t\t/* Check for overlaps */\n\t\tkvm_for_each_memslot(tmp, __kvm_memslots(kvm, as_id)) {\n\t\t\tif (tmp->id == id)\n\t\t\t\tcontinue;\n\t\t\tif (!((new.base_gfn + new.npages <= tmp->base_gfn) ||\n\t\t\t (new.base_gfn >= tmp->base_gfn + tmp->npages)))\n\t\t\t\treturn -EEXIST;\n\t\t}\n\t}\n\n\t/* Allocate/free page dirty bitmap as needed */\n\tif (!(new.flags & KVM_MEM_LOG_DIRTY_PAGES))\n\t\tnew.dirty_bitmap = NULL;\n\telse if (!new.dirty_bitmap) {\n\t\tr = kvm_alloc_dirty_bitmap(&new);\n\t\tif (r)\n\t\t\treturn r;\n\n\t\tif (kvm_dirty_log_manual_protect_and_init_set(kvm))\n\t\t\tbitmap_set(new.dirty_bitmap, 0, new.npages);\n\t}\n\n\tr = kvm_set_memslot(kvm, mem, &old, &new, as_id, change);\n\tif (r)\n\t\tgoto out_bitmap;\n\n\tif (old.dirty_bitmap && !new.dirty_bitmap)\n\t\tkvm_destroy_dirty_bitmap(&old);\n\treturn 0;\n\nout_bitmap:\n\tif (new.dirty_bitmap && !old.dirty_bitmap)\n\t\tkvm_destroy_dirty_bitmap(&new);\n\treturn r;\n}", "project": "linux", "hash": 327177946364855947057035527333690129081, "size": 117, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354478 }, { "func": "int __kvm_set_memory_region(struct kvm 
*kvm,\n\t\t\t const struct kvm_userspace_memory_region *mem)\n{\n\tstruct kvm_memory_slot old, new;\n\tstruct kvm_memory_slot *tmp;\n\tenum kvm_mr_change change;\n\tint as_id, id;\n\tint r;\n\n\tr = check_memory_region_flags(mem);\n\tif (r)\n\t\treturn r;\n\n\tas_id = mem->slot >> 16;\n\tid = (u16)mem->slot;\n\n\t/* General sanity checks */\n\tif (mem->memory_size & (PAGE_SIZE - 1))\n\t\treturn -EINVAL;\n\tif (mem->guest_phys_addr & (PAGE_SIZE - 1))\n\t\treturn -EINVAL;\n\t/* We can read the guest memory with __xxx_user() later on. */\n\tif ((mem->userspace_addr & (PAGE_SIZE - 1)) ||\n\t (mem->userspace_addr != untagged_addr(mem->userspace_addr)) ||\n\t !access_ok((void __user *)(unsigned long)mem->userspace_addr,\n\t\t\tmem->memory_size))\n\t\treturn -EINVAL;\n\tif (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_MEM_SLOTS_NUM)\n\t\treturn -EINVAL;\n\tif (mem->guest_phys_addr + mem->memory_size < mem->guest_phys_addr)\n\t\treturn -EINVAL;\n\n\t/*\n\t * Make a full copy of the old memslot, the pointer will become stale\n\t * when the memslots are re-sorted by update_memslots(), and the old\n\t * memslot needs to be referenced after calling update_memslots(), e.g.\n\t * to free its resources and for arch specific behavior.\n\t */\n\ttmp = id_to_memslot(__kvm_memslots(kvm, as_id), id);\n\tif (tmp) {\n\t\told = *tmp;\n\t\ttmp = NULL;\n\t} else {\n\t\tmemset(&old, 0, sizeof(old));\n\t\told.id = id;\n\t}\n\n\tif (!mem->memory_size)\n\t\treturn kvm_delete_memslot(kvm, mem, &old, as_id);\n\n\tnew.as_id = as_id;\n\tnew.id = id;\n\tnew.base_gfn = mem->guest_phys_addr >> PAGE_SHIFT;\n\tnew.npages = mem->memory_size >> PAGE_SHIFT;\n\tnew.flags = mem->flags;\n\tnew.userspace_addr = mem->userspace_addr;\n\n\tif (new.npages > KVM_MEM_MAX_NR_PAGES)\n\t\treturn -EINVAL;\n\n\tif (!old.npages) {\n\t\tchange = KVM_MR_CREATE;\n\t\tnew.dirty_bitmap = NULL;\n\t\tmemset(&new.arch, 0, sizeof(new.arch));\n\t} else { /* Modify an existing slot. 
*/\n\t\tif ((new.userspace_addr != old.userspace_addr) ||\n\t\t (new.npages != old.npages) ||\n\t\t ((new.flags ^ old.flags) & KVM_MEM_READONLY))\n\t\t\treturn -EINVAL;\n\n\t\tif (new.base_gfn != old.base_gfn)\n\t\t\tchange = KVM_MR_MOVE;\n\t\telse if (new.flags != old.flags)\n\t\t\tchange = KVM_MR_FLAGS_ONLY;\n\t\telse /* Nothing to change. */\n\t\t\treturn 0;\n\n\t\t/* Copy dirty_bitmap and arch from the current memslot. */\n\t\tnew.dirty_bitmap = old.dirty_bitmap;\n\t\tmemcpy(&new.arch, &old.arch, sizeof(new.arch));\n\t}\n\n\tif ((change == KVM_MR_CREATE) || (change == KVM_MR_MOVE)) {\n\t\t/* Check for overlaps */\n\t\tkvm_for_each_memslot(tmp, __kvm_memslots(kvm, as_id)) {\n\t\t\tif (tmp->id == id)\n\t\t\t\tcontinue;\n\t\t\tif (!((new.base_gfn + new.npages <= tmp->base_gfn) ||\n\t\t\t (new.base_gfn >= tmp->base_gfn + tmp->npages)))\n\t\t\t\treturn -EEXIST;\n\t\t}\n\t}\n\n\t/* Allocate/free page dirty bitmap as needed */\n\tif (!(new.flags & KVM_MEM_LOG_DIRTY_PAGES))\n\t\tnew.dirty_bitmap = NULL;\n\telse if (!new.dirty_bitmap && !kvm->dirty_ring_size) {\n\t\tr = kvm_alloc_dirty_bitmap(&new);\n\t\tif (r)\n\t\t\treturn r;\n\n\t\tif (kvm_dirty_log_manual_protect_and_init_set(kvm))\n\t\t\tbitmap_set(new.dirty_bitmap, 0, new.npages);\n\t}\n\n\tr = kvm_set_memslot(kvm, mem, &old, &new, as_id, change);\n\tif (r)\n\t\tgoto out_bitmap;\n\n\tif (old.dirty_bitmap && !new.dirty_bitmap)\n\t\tkvm_destroy_dirty_bitmap(&old);\n\treturn 0;\n\nout_bitmap:\n\tif (new.dirty_bitmap && !old.dirty_bitmap)\n\t\tkvm_destroy_dirty_bitmap(&new);\n\treturn r;\n}", "project": "linux", "hash": 250594492873924671776260038022059796119, "size": 118, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404109 }, { "func": "fetch_token (re_token_t *result, re_string_t *input, reg_syntax_t syntax)\n{\n re_string_skip_bytes (input, peek_token (result, input, syntax));\n}", "project": "gnulib", "hash": 285764946907118611673391384086338835455, "size": 4, "commit_id": "5513b40999149090987a0341c018d05d3eea1272", "message": "Diagnose ERE '()|\\1'\n\nProblem reported by Hanno Böck in: http://bugs.gnu.org/21513\n* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep\ntrack of the set of previously-completed subexpressions available\nbefore the first alternative, and restore this set just before\nparsing each subsequent alternative. 
This lets us diagnose the\ninvalid back-reference in the ERE '()|\\1'.", "target": 0, "dataset": "other", "idx": 285570 }, { "func": "/* switch back from soft real-time to interactive weight raising */\nstatic void switch_back_to_interactive_wr(struct bfq_queue *bfqq,\n\t\t\t\t\t struct bfq_data *bfqd)\n{\n\tbfqq->wr_coeff = bfqd->bfq_wr_coeff;\n\tbfqq->wr_cur_max_time = bfq_wr_duration(bfqd);\n\tbfqq->last_wr_start_finish = bfqq->wr_start_at_switch_to_srt;", "project": "linux", "hash": 281042636660819739182934872628278926727, "size": 7, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453313 }, { "func": "static int decode_slice_header(H264Context *h, H264Context *h0)\n{\n unsigned int first_mb_in_slice;\n unsigned int pps_id;\n int ret;\n unsigned int slice_type, tmp, i, j;\n int last_pic_structure, last_pic_droppable;\n int must_reinit;\n int needs_reinit = 0;\n int field_pic_flag, bottom_field_flag;\n\n h->me.qpel_put = h->h264qpel.put_h264_qpel_pixels_tab;\n h->me.qpel_avg = h->h264qpel.avg_h264_qpel_pixels_tab;\n\n first_mb_in_slice = get_ue_golomb_long(&h->gb);\n\n if (first_mb_in_slice == 0) { // FIXME better field boundary detection\n if (h0->current_slice && h->cur_pic_ptr && FIELD_PICTURE(h)) {\n field_end(h, 1);\n }\n\n h0->current_slice = 0;\n if (!h0->first_field) {\n if (h->cur_pic_ptr && !h->droppable) {\n ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX,\n h->picture_structure == PICT_BOTTOM_FIELD);\n }\n h->cur_pic_ptr = 
NULL;\n }\n }\n\n slice_type = get_ue_golomb_31(&h->gb);\n if (slice_type > 9) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"slice type too large (%d) at %d %d\\n\",\n slice_type, h->mb_x, h->mb_y);\n return AVERROR_INVALIDDATA;\n }\n if (slice_type > 4) {\n slice_type -= 5;\n h->slice_type_fixed = 1;\n } else\n h->slice_type_fixed = 0;\n\n slice_type = golomb_to_pict_type[slice_type];\n h->slice_type = slice_type;\n h->slice_type_nos = slice_type & 3;\n\n if (h->nal_unit_type == NAL_IDR_SLICE &&\n h->slice_type_nos != AV_PICTURE_TYPE_I) {\n av_log(h->avctx, AV_LOG_ERROR, \"A non-intra slice in an IDR NAL unit.\\n\");\n return AVERROR_INVALIDDATA;\n }\n\n // to make a few old functions happy, it's wrong though\n h->pict_type = h->slice_type;\n\n pps_id = get_ue_golomb(&h->gb);\n if (pps_id >= MAX_PPS_COUNT) {\n av_log(h->avctx, AV_LOG_ERROR, \"pps_id %d out of range\\n\", pps_id);\n return AVERROR_INVALIDDATA;\n }\n if (!h0->pps_buffers[pps_id]) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"non-existing PPS %u referenced\\n\",\n pps_id);\n return AVERROR_INVALIDDATA;\n }\n if (h0->au_pps_id >= 0 && pps_id != h0->au_pps_id) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"PPS change from %d to %d forbidden\\n\",\n h0->au_pps_id, pps_id);\n return AVERROR_INVALIDDATA;\n }\n h->pps = *h0->pps_buffers[pps_id];\n\n if (!h0->sps_buffers[h->pps.sps_id]) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"non-existing SPS %u referenced\\n\",\n h->pps.sps_id);\n return AVERROR_INVALIDDATA;\n }\n\n if (h->pps.sps_id != h->current_sps_id ||\n h0->sps_buffers[h->pps.sps_id]->new) {\n h0->sps_buffers[h->pps.sps_id]->new = 0;\n\n h->current_sps_id = h->pps.sps_id;\n h->sps = *h0->sps_buffers[h->pps.sps_id];\n\n if (h->mb_width != h->sps.mb_width ||\n h->mb_height != h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) ||\n h->avctx->bits_per_raw_sample != h->sps.bit_depth_luma ||\n h->cur_chroma_format_idc != h->sps.chroma_format_idc\n )\n needs_reinit = 1;\n\n if (h->bit_depth_luma != h->sps.bit_depth_luma ||\n 
h->chroma_format_idc != h->sps.chroma_format_idc) {\n h->bit_depth_luma = h->sps.bit_depth_luma;\n h->chroma_format_idc = h->sps.chroma_format_idc;\n needs_reinit = 1;\n }\n if ((ret = h264_set_parameter_from_sps(h)) < 0)\n return ret;\n }\n\n h->avctx->profile = ff_h264_get_profile(&h->sps);\n h->avctx->level = h->sps.level_idc;\n h->avctx->refs = h->sps.ref_frame_count;\n\n must_reinit = (h->context_initialized &&\n ( 16*h->sps.mb_width != h->avctx->coded_width\n || 16*h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) != h->avctx->coded_height\n || h->avctx->bits_per_raw_sample != h->sps.bit_depth_luma\n || h->cur_chroma_format_idc != h->sps.chroma_format_idc\n || av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio)\n || h->mb_width != h->sps.mb_width\n || h->mb_height != h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag)\n ));\n if (h0->avctx->pix_fmt != get_pixel_format(h0, 0))\n must_reinit = 1;\n\n h->mb_width = h->sps.mb_width;\n h->mb_height = h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag);\n h->mb_num = h->mb_width * h->mb_height;\n h->mb_stride = h->mb_width + 1;\n\n h->b_stride = h->mb_width * 4;\n\n h->chroma_y_shift = h->sps.chroma_format_idc <= 1; // 400 uses yuv420p\n\n h->width = 16 * h->mb_width;\n h->height = 16 * h->mb_height;\n\n ret = init_dimensions(h);\n if (ret < 0)\n return ret;\n\n if (h->sps.video_signal_type_present_flag) {\n h->avctx->color_range = h->sps.full_range>0 ? 
AVCOL_RANGE_JPEG\n : AVCOL_RANGE_MPEG;\n if (h->sps.colour_description_present_flag) {\n if (h->avctx->colorspace != h->sps.colorspace)\n needs_reinit = 1;\n h->avctx->color_primaries = h->sps.color_primaries;\n h->avctx->color_trc = h->sps.color_trc;\n h->avctx->colorspace = h->sps.colorspace;\n }\n }\n\n if (h->context_initialized &&\n (h->width != h->avctx->coded_width ||\n h->height != h->avctx->coded_height ||\n must_reinit ||\n needs_reinit)) {\n if (h != h0) {\n av_log(h->avctx, AV_LOG_ERROR, \"changing width/height on \"\n \"slice %d\\n\", h0->current_slice + 1);\n return AVERROR_INVALIDDATA;\n }\n\n flush_change(h);\n\n if ((ret = get_pixel_format(h, 1)) < 0)\n return ret;\n h->avctx->pix_fmt = ret;\n\n av_log(h->avctx, AV_LOG_INFO, \"Reinit context to %dx%d, \"\n \"pix_fmt: %s\\n\", h->width, h->height, av_get_pix_fmt_name(h->avctx->pix_fmt));\n\n if ((ret = h264_slice_header_init(h, 1)) < 0) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"h264_slice_header_init() failed\\n\");\n return ret;\n }\n }\n if (!h->context_initialized) {\n if (h != h0) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"Cannot (re-)initialize context during parallel decoding.\\n\");\n return AVERROR_PATCHWELCOME;\n }\n\n if ((ret = get_pixel_format(h, 1)) < 0)\n return ret;\n h->avctx->pix_fmt = ret;\n\n if ((ret = h264_slice_header_init(h, 0)) < 0) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"h264_slice_header_init() failed\\n\");\n return ret;\n }\n }\n\n if (h == h0 && h->dequant_coeff_pps != pps_id) {\n h->dequant_coeff_pps = pps_id;\n init_dequant_tables(h);\n }\n\n h->frame_num = get_bits(&h->gb, h->sps.log2_max_frame_num);\n\n h->mb_mbaff = 0;\n h->mb_aff_frame = 0;\n last_pic_structure = h0->picture_structure;\n last_pic_droppable = h0->droppable;\n h->droppable = h->nal_ref_idc == 0;\n if (h->sps.frame_mbs_only_flag) {\n h->picture_structure = PICT_FRAME;\n } else {\n if (!h->sps.direct_8x8_inference_flag && slice_type == AV_PICTURE_TYPE_B) {\n av_log(h->avctx, AV_LOG_ERROR, \"This stream was 
generated by a broken encoder, invalid 8x8 inference\\n\");\n return -1;\n }\n field_pic_flag = get_bits1(&h->gb);\n if (field_pic_flag) {\n bottom_field_flag = get_bits1(&h->gb);\n h->picture_structure = PICT_TOP_FIELD + bottom_field_flag;\n } else {\n h->picture_structure = PICT_FRAME;\n h->mb_aff_frame = h->sps.mb_aff;\n }\n }\n h->mb_field_decoding_flag = h->picture_structure != PICT_FRAME;\n\n if (h0->current_slice != 0) {\n if (last_pic_structure != h->picture_structure ||\n last_pic_droppable != h->droppable) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"Changing field mode (%d -> %d) between slices is not allowed\\n\",\n last_pic_structure, h->picture_structure);\n h->picture_structure = last_pic_structure;\n h->droppable = last_pic_droppable;\n return AVERROR_INVALIDDATA;\n } else if (!h0->cur_pic_ptr) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"unset cur_pic_ptr on %d. slice\\n\",\n h0->current_slice + 1);\n return AVERROR_INVALIDDATA;\n }\n } else {\n /* Shorten frame num gaps so we don't have to allocate reference\n * frames just to throw them away */\n if (h->frame_num != h->prev_frame_num) {\n int unwrap_prev_frame_num = h->prev_frame_num;\n int max_frame_num = 1 << h->sps.log2_max_frame_num;\n\n if (unwrap_prev_frame_num > h->frame_num)\n unwrap_prev_frame_num -= max_frame_num;\n\n if ((h->frame_num - unwrap_prev_frame_num) > h->sps.ref_frame_count) {\n unwrap_prev_frame_num = (h->frame_num - h->sps.ref_frame_count) - 1;\n if (unwrap_prev_frame_num < 0)\n unwrap_prev_frame_num += max_frame_num;\n\n h->prev_frame_num = unwrap_prev_frame_num;\n }\n }\n\n /* See if we have a decoded first field looking for a pair...\n * Here, we're using that to see if we should mark previously\n * decode frames as \"finished\".\n * We have to do that before the \"dummy\" in-between frame allocation,\n * since that can modify h->cur_pic_ptr. 
*/\n if (h0->first_field) {\n assert(h0->cur_pic_ptr);\n assert(h0->cur_pic_ptr->f.buf[0]);\n assert(h0->cur_pic_ptr->reference != DELAYED_PIC_REF);\n\n /* Mark old field/frame as completed */\n if (h0->cur_pic_ptr->tf.owner == h0->avctx) {\n ff_thread_report_progress(&h0->cur_pic_ptr->tf, INT_MAX,\n last_pic_structure == PICT_BOTTOM_FIELD);\n }\n\n /* figure out if we have a complementary field pair */\n if (!FIELD_PICTURE(h) || h->picture_structure == last_pic_structure) {\n /* Previous field is unmatched. Don't display it, but let it\n * remain for reference if marked as such. */\n if (last_pic_structure != PICT_FRAME) {\n ff_thread_report_progress(&h0->cur_pic_ptr->tf, INT_MAX,\n last_pic_structure == PICT_TOP_FIELD);\n }\n } else {\n if (h0->cur_pic_ptr->frame_num != h->frame_num) {\n /* This and previous field were reference, but had\n * different frame_nums. Consider this field first in\n * pair. Throw away previous field except for reference\n * purposes. */\n if (last_pic_structure != PICT_FRAME) {\n ff_thread_report_progress(&h0->cur_pic_ptr->tf, INT_MAX,\n last_pic_structure == PICT_TOP_FIELD);\n }\n } else {\n /* Second field in complementary pair */\n if (!((last_pic_structure == PICT_TOP_FIELD &&\n h->picture_structure == PICT_BOTTOM_FIELD) ||\n (last_pic_structure == PICT_BOTTOM_FIELD &&\n h->picture_structure == PICT_TOP_FIELD))) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"Invalid field mode combination %d/%d\\n\",\n last_pic_structure, h->picture_structure);\n h->picture_structure = last_pic_structure;\n h->droppable = last_pic_droppable;\n return AVERROR_INVALIDDATA;\n } else if (last_pic_droppable != h->droppable) {\n avpriv_request_sample(h->avctx,\n \"Found reference and non-reference fields in the same frame, which\");\n h->picture_structure = last_pic_structure;\n h->droppable = last_pic_droppable;\n return AVERROR_PATCHWELCOME;\n }\n }\n }\n }\n\n while (h->frame_num != h->prev_frame_num && !h0->first_field &&\n h->frame_num != (h->prev_frame_num 
+ 1) % (1 << h->sps.log2_max_frame_num)) {\n Picture *prev = h->short_ref_count ? h->short_ref[0] : NULL;\n av_log(h->avctx, AV_LOG_DEBUG, \"Frame num gap %d %d\\n\",\n h->frame_num, h->prev_frame_num);\n if (!h->sps.gaps_in_frame_num_allowed_flag)\n for(i=0; ilast_pocs); i++)\n h->last_pocs[i] = INT_MIN;\n ret = h264_frame_start(h);\n if (ret < 0) {\n h0->first_field = 0;\n return ret;\n }\n\n h->prev_frame_num++;\n h->prev_frame_num %= 1 << h->sps.log2_max_frame_num;\n h->cur_pic_ptr->frame_num = h->prev_frame_num;\n ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX, 0);\n ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX, 1);\n ret = ff_generate_sliding_window_mmcos(h, 1);\n if (ret < 0 && (h->avctx->err_recognition & AV_EF_EXPLODE))\n return ret;\n ret = ff_h264_execute_ref_pic_marking(h, h->mmco, h->mmco_index);\n if (ret < 0 && (h->avctx->err_recognition & AV_EF_EXPLODE))\n return ret;\n /* Error concealment: If a ref is missing, copy the previous ref\n * in its place.\n * FIXME: Avoiding a memcpy would be nice, but ref handling makes\n * many assumptions about there being no actual duplicates.\n * FIXME: This does not copy padding for out-of-frame motion\n * vectors. Given we are concealing a lost frame, this probably\n * is not noticeable by comparison, but it should be fixed. */\n if (h->short_ref_count) {\n if (prev) {\n av_image_copy(h->short_ref[0]->f.data,\n h->short_ref[0]->f.linesize,\n (const uint8_t **)prev->f.data,\n prev->f.linesize,\n h->avctx->pix_fmt,\n h->mb_width * 16,\n h->mb_height * 16);\n h->short_ref[0]->poc = prev->poc + 2;\n }\n h->short_ref[0]->frame_num = h->prev_frame_num;\n }\n }\n\n /* See if we have a decoded first field looking for a pair...\n * We're using that to see whether to continue decoding in that\n * frame, or to allocate a new one. 
*/\n if (h0->first_field) {\n assert(h0->cur_pic_ptr);\n assert(h0->cur_pic_ptr->f.buf[0]);\n assert(h0->cur_pic_ptr->reference != DELAYED_PIC_REF);\n\n /* figure out if we have a complementary field pair */\n if (!FIELD_PICTURE(h) || h->picture_structure == last_pic_structure) {\n /* Previous field is unmatched. Don't display it, but let it\n * remain for reference if marked as such. */\n h0->cur_pic_ptr = NULL;\n h0->first_field = FIELD_PICTURE(h);\n } else {\n if (h0->cur_pic_ptr->frame_num != h->frame_num) {\n ff_thread_report_progress(&h0->cur_pic_ptr->tf, INT_MAX,\n h0->picture_structure==PICT_BOTTOM_FIELD);\n /* This and the previous field had different frame_nums.\n * Consider this field first in pair. Throw away previous\n * one except for reference purposes. */\n h0->first_field = 1;\n h0->cur_pic_ptr = NULL;\n } else {\n /* Second field in complementary pair */\n h0->first_field = 0;\n }\n }\n } else {\n /* Frame or first field in a potentially complementary pair */\n h0->first_field = FIELD_PICTURE(h);\n }\n\n if (!FIELD_PICTURE(h) || h0->first_field) {\n if (h264_frame_start(h) < 0) {\n h0->first_field = 0;\n return AVERROR_INVALIDDATA;\n }\n } else {\n release_unused_pictures(h, 0);\n }\n /* Some macroblocks can be accessed before they're available in case\n * of lost slices, MBAFF or threading. */\n if (FIELD_PICTURE(h)) {\n for(i = (h->picture_structure == PICT_BOTTOM_FIELD); imb_height; i++)\n memset(h->slice_table + i*h->mb_stride, -1, (h->mb_stride - (i+1==h->mb_height)) * sizeof(*h->slice_table));\n } else {\n memset(h->slice_table, -1,\n (h->mb_height * h->mb_stride - 1) * sizeof(*h->slice_table));\n }\n h0->last_slice_type = -1;\n }\n if (h != h0 && (ret = clone_slice(h, h0)) < 0)\n return ret;\n\n /* can't be in alloc_tables because linesize isn't known there.\n * FIXME: redo bipred weight to not require extra buffer? 
*/\n for (i = 0; i < h->slice_context_count; i++)\n if (h->thread_context[i]) {\n ret = alloc_scratch_buffers(h->thread_context[i], h->linesize);\n if (ret < 0)\n return ret;\n }\n\n h->cur_pic_ptr->frame_num = h->frame_num; // FIXME frame_num cleanup\n\n av_assert1(h->mb_num == h->mb_width * h->mb_height);\n if (first_mb_in_slice << FIELD_OR_MBAFF_PICTURE(h) >= h->mb_num ||\n first_mb_in_slice >= h->mb_num) {\n av_log(h->avctx, AV_LOG_ERROR, \"first_mb_in_slice overflow\\n\");\n return AVERROR_INVALIDDATA;\n }\n h->resync_mb_x = h->mb_x = first_mb_in_slice % h->mb_width;\n h->resync_mb_y = h->mb_y = (first_mb_in_slice / h->mb_width) <<\n FIELD_OR_MBAFF_PICTURE(h);\n if (h->picture_structure == PICT_BOTTOM_FIELD)\n h->resync_mb_y = h->mb_y = h->mb_y + 1;\n av_assert1(h->mb_y < h->mb_height);\n\n if (h->picture_structure == PICT_FRAME) {\n h->curr_pic_num = h->frame_num;\n h->max_pic_num = 1 << h->sps.log2_max_frame_num;\n } else {\n h->curr_pic_num = 2 * h->frame_num + 1;\n h->max_pic_num = 1 << (h->sps.log2_max_frame_num + 1);\n }\n\n if (h->nal_unit_type == NAL_IDR_SLICE)\n get_ue_golomb(&h->gb); /* idr_pic_id */\n\n if (h->sps.poc_type == 0) {\n h->poc_lsb = get_bits(&h->gb, h->sps.log2_max_poc_lsb);\n\n if (h->pps.pic_order_present == 1 && h->picture_structure == PICT_FRAME)\n h->delta_poc_bottom = get_se_golomb(&h->gb);\n }\n\n if (h->sps.poc_type == 1 && !h->sps.delta_pic_order_always_zero_flag) {\n h->delta_poc[0] = get_se_golomb(&h->gb);\n\n if (h->pps.pic_order_present == 1 && h->picture_structure == PICT_FRAME)\n h->delta_poc[1] = get_se_golomb(&h->gb);\n }\n\n ff_init_poc(h, h->cur_pic_ptr->field_poc, &h->cur_pic_ptr->poc);\n\n if (h->pps.redundant_pic_cnt_present)\n h->redundant_pic_count = get_ue_golomb(&h->gb);\n\n ret = ff_set_ref_count(h);\n if (ret < 0)\n return ret;\n\n if (slice_type != AV_PICTURE_TYPE_I &&\n (h0->current_slice == 0 ||\n slice_type != h0->last_slice_type ||\n memcmp(h0->last_ref_count, h0->ref_count, sizeof(h0->ref_count)))) 
{\n\n ff_h264_fill_default_ref_list(h);\n }\n\n if (h->slice_type_nos != AV_PICTURE_TYPE_I) {\n ret = ff_h264_decode_ref_pic_list_reordering(h);\n if (ret < 0) {\n h->ref_count[1] = h->ref_count[0] = 0;\n return ret;\n }\n }\n\n if ((h->pps.weighted_pred && h->slice_type_nos == AV_PICTURE_TYPE_P) ||\n (h->pps.weighted_bipred_idc == 1 &&\n h->slice_type_nos == AV_PICTURE_TYPE_B))\n ff_pred_weight_table(h);\n else if (h->pps.weighted_bipred_idc == 2 &&\n h->slice_type_nos == AV_PICTURE_TYPE_B) {\n implicit_weight_table(h, -1);\n } else {\n h->use_weight = 0;\n for (i = 0; i < 2; i++) {\n h->luma_weight_flag[i] = 0;\n h->chroma_weight_flag[i] = 0;\n }\n }\n\n // If frame-mt is enabled, only update mmco tables for the first slice\n // in a field. Subsequent slices can temporarily clobber h->mmco_index\n // or h->mmco, which will cause ref list mix-ups and decoding errors\n // further down the line. This may break decoding if the first slice is\n // corrupt, thus we only do this if frame-mt is enabled.\n if (h->nal_ref_idc) {\n ret = ff_h264_decode_ref_pic_marking(h0, &h->gb,\n !(h->avctx->active_thread_type & FF_THREAD_FRAME) ||\n h0->current_slice == 0);\n if (ret < 0 && (h->avctx->err_recognition & AV_EF_EXPLODE))\n return AVERROR_INVALIDDATA;\n }\n\n if (FRAME_MBAFF(h)) {\n ff_h264_fill_mbaff_ref_list(h);\n\n if (h->pps.weighted_bipred_idc == 2 && h->slice_type_nos == AV_PICTURE_TYPE_B) {\n implicit_weight_table(h, 0);\n implicit_weight_table(h, 1);\n }\n }\n\n if (h->slice_type_nos == AV_PICTURE_TYPE_B && !h->direct_spatial_mv_pred)\n ff_h264_direct_dist_scale_factor(h);\n ff_h264_direct_ref_list_init(h);\n\n if (h->slice_type_nos != AV_PICTURE_TYPE_I && h->pps.cabac) {\n tmp = get_ue_golomb_31(&h->gb);\n if (tmp > 2) {\n av_log(h->avctx, AV_LOG_ERROR, \"cabac_init_idc overflow\\n\");\n return AVERROR_INVALIDDATA;\n }\n h->cabac_init_idc = tmp;\n }\n\n h->last_qscale_diff = 0;\n tmp = h->pps.init_qp + get_se_golomb(&h->gb);\n if (tmp > 51 + 6 * 
(h->sps.bit_depth_luma - 8)) {\n av_log(h->avctx, AV_LOG_ERROR, \"QP %u out of range\\n\", tmp);\n return AVERROR_INVALIDDATA;\n }\n h->qscale = tmp;\n h->chroma_qp[0] = get_chroma_qp(h, 0, h->qscale);\n h->chroma_qp[1] = get_chroma_qp(h, 1, h->qscale);\n // FIXME qscale / qp ... stuff\n if (h->slice_type == AV_PICTURE_TYPE_SP)\n get_bits1(&h->gb); /* sp_for_switch_flag */\n if (h->slice_type == AV_PICTURE_TYPE_SP ||\n h->slice_type == AV_PICTURE_TYPE_SI)\n get_se_golomb(&h->gb); /* slice_qs_delta */\n\n h->deblocking_filter = 1;\n h->slice_alpha_c0_offset = 52;\n h->slice_beta_offset = 52;\n if (h->pps.deblocking_filter_parameters_present) {\n tmp = get_ue_golomb_31(&h->gb);\n if (tmp > 2) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"deblocking_filter_idc %u out of range\\n\", tmp);\n return AVERROR_INVALIDDATA;\n }\n h->deblocking_filter = tmp;\n if (h->deblocking_filter < 2)\n h->deblocking_filter ^= 1; // 1<->0\n\n if (h->deblocking_filter) {\n h->slice_alpha_c0_offset += get_se_golomb(&h->gb) << 1;\n h->slice_beta_offset += get_se_golomb(&h->gb) << 1;\n if (h->slice_alpha_c0_offset > 104U ||\n h->slice_beta_offset > 104U) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"deblocking filter parameters %d %d out of range\\n\",\n h->slice_alpha_c0_offset, h->slice_beta_offset);\n return AVERROR_INVALIDDATA;\n }\n }\n }\n\n if (h->avctx->skip_loop_filter >= AVDISCARD_ALL ||\n (h->avctx->skip_loop_filter >= AVDISCARD_NONKEY &&\n h->slice_type_nos != AV_PICTURE_TYPE_I) ||\n (h->avctx->skip_loop_filter >= AVDISCARD_BIDIR &&\n h->slice_type_nos == AV_PICTURE_TYPE_B) ||\n (h->avctx->skip_loop_filter >= AVDISCARD_NONREF &&\n h->nal_ref_idc == 0))\n h->deblocking_filter = 0;\n\n if (h->deblocking_filter == 1 && h0->max_contexts > 1) {\n if (h->avctx->flags2 & CODEC_FLAG2_FAST) {\n /* Cheat slightly for speed:\n * Do not bother to deblock across slices. 
*/\n h->deblocking_filter = 2;\n } else {\n h0->max_contexts = 1;\n if (!h0->single_decode_warning) {\n av_log(h->avctx, AV_LOG_INFO,\n \"Cannot parallelize deblocking type 1, decoding such frames in sequential order\\n\");\n h0->single_decode_warning = 1;\n }\n if (h != h0) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"Deblocking switched inside frame.\\n\");\n return 1;\n }\n }\n }\n h->qp_thresh = 15 + 52 -\n FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) -\n FFMAX3(0,\n h->pps.chroma_qp_index_offset[0],\n h->pps.chroma_qp_index_offset[1]) +\n 6 * (h->sps.bit_depth_luma - 8);\n\n h0->last_slice_type = slice_type;\n memcpy(h0->last_ref_count, h0->ref_count, sizeof(h0->last_ref_count));\n h->slice_num = ++h0->current_slice;\n\n if (h->slice_num)\n h0->slice_row[(h->slice_num-1)&(MAX_SLICES-1)]= h->resync_mb_y;\n if ( h0->slice_row[h->slice_num&(MAX_SLICES-1)] + 3 >= h->resync_mb_y\n && h0->slice_row[h->slice_num&(MAX_SLICES-1)] <= h->resync_mb_y\n && h->slice_num >= MAX_SLICES) {\n //in case of ASO this check needs to be updated depending on how we decide to assign slice numbers in this case\n av_log(h->avctx, AV_LOG_WARNING, \"Possibly too many slices (%d >= %d), increase MAX_SLICES and recompile if there are artifacts\\n\", h->slice_num, MAX_SLICES);\n }\n\n for (j = 0; j < 2; j++) {\n int id_list[16];\n int *ref2frm = h->ref2frm[h->slice_num & (MAX_SLICES - 1)][j];\n for (i = 0; i < 16; i++) {\n id_list[i] = 60;\n if (j < h->list_count && i < h->ref_count[j] &&\n h->ref_list[j][i].f.buf[0]) {\n int k;\n AVBuffer *buf = h->ref_list[j][i].f.buf[0]->buffer;\n for (k = 0; k < h->short_ref_count; k++)\n if (h->short_ref[k]->f.buf[0]->buffer == buf) {\n id_list[i] = k;\n break;\n }\n for (k = 0; k < h->long_ref_count; k++)\n if (h->long_ref[k] && h->long_ref[k]->f.buf[0]->buffer == buf) {\n id_list[i] = h->short_ref_count + k;\n break;\n }\n }\n }\n\n ref2frm[0] =\n ref2frm[1] = -1;\n for (i = 0; i < 16; i++)\n ref2frm[i + 2] = 4 * id_list[i] + 
(h->ref_list[j][i].reference & 3);\n ref2frm[18 + 0] =\n ref2frm[18 + 1] = -1;\n for (i = 16; i < 48; i++)\n ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +\n (h->ref_list[j][i].reference & 3);\n }\n\n if (h->ref_count[0]) h->er.last_pic = &h->ref_list[0][0];\n if (h->ref_count[1]) h->er.next_pic = &h->ref_list[1][0];\n h->er.ref_count = h->ref_count[0];\n h0->au_pps_id = pps_id;\n\n if (h->avctx->debug & FF_DEBUG_PICT_INFO) {\n av_log(h->avctx, AV_LOG_DEBUG,\n \"slice:%d %s mb:%d %c%s%s pps:%u frame:%d poc:%d/%d ref:%d/%d qp:%d loop:%d:%d:%d weight:%d%s %s\\n\",\n h->slice_num,\n (h->picture_structure == PICT_FRAME ? \"F\" : h->picture_structure == PICT_TOP_FIELD ? \"T\" : \"B\"),\n first_mb_in_slice,\n av_get_picture_type_char(h->slice_type),\n h->slice_type_fixed ? \" fix\" : \"\",\n h->nal_unit_type == NAL_IDR_SLICE ? \" IDR\" : \"\",\n pps_id, h->frame_num,\n h->cur_pic_ptr->field_poc[0],\n h->cur_pic_ptr->field_poc[1],\n h->ref_count[0], h->ref_count[1],\n h->qscale,\n h->deblocking_filter,\n h->slice_alpha_c0_offset / 2 - 26, h->slice_beta_offset / 2 - 26,\n h->use_weight,\n h->use_weight == 1 && h->use_weight_chroma ? \"c\" : \"\",\n h->slice_type == AV_PICTURE_TYPE_B ? (h->direct_spatial_mv_pred ? 
\"SPAT\" : \"TEMP\") : \"\");\n }\n\n return 0;\n}", "project": "FFmpeg", "hash": 24783762682806170514184972114597660646, "size": 694, "commit_id": "8a3b85f3a7952c54a2c36ba1797f7e0cde9f85aa", "message": "avcodec/h264: update current_sps & sps->new only after the whole slice header decoder and init code finished\n\nThis avoids them being cleared before the full initialization finished\n\nFixes out of array read\nFixes: asan_heap-oob_f0c5e6_7071_cov_1605985132_mov_h264_aac__Demo_FlagOfOurFathers.mov\nFound-by: Mateusz \"j00ru\" Jurczyk and Gynvael Coldwind\nSigned-off-by: Michael Niedermayer ", "target": 1, "dataset": "other", "idx": 198173 }, { "func": "static int decode_slice_header(H264Context *h, H264Context *h0)\n{\n unsigned int first_mb_in_slice;\n unsigned int pps_id;\n int ret;\n unsigned int slice_type, tmp, i, j;\n int last_pic_structure, last_pic_droppable;\n int must_reinit;\n int needs_reinit = 0;\n int field_pic_flag, bottom_field_flag;\n\n h->me.qpel_put = h->h264qpel.put_h264_qpel_pixels_tab;\n h->me.qpel_avg = h->h264qpel.avg_h264_qpel_pixels_tab;\n\n first_mb_in_slice = get_ue_golomb_long(&h->gb);\n\n if (first_mb_in_slice == 0) { // FIXME better field boundary detection\n if (h0->current_slice && h->cur_pic_ptr && FIELD_PICTURE(h)) {\n field_end(h, 1);\n }\n\n h0->current_slice = 0;\n if (!h0->first_field) {\n if (h->cur_pic_ptr && !h->droppable) {\n ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX,\n h->picture_structure == PICT_BOTTOM_FIELD);\n }\n h->cur_pic_ptr = NULL;\n }\n }\n\n slice_type = get_ue_golomb_31(&h->gb);\n if (slice_type > 9) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"slice type too large (%d) at %d %d\\n\",\n slice_type, h->mb_x, h->mb_y);\n return AVERROR_INVALIDDATA;\n }\n if (slice_type > 4) {\n slice_type -= 5;\n h->slice_type_fixed = 1;\n } else\n h->slice_type_fixed = 0;\n\n slice_type = golomb_to_pict_type[slice_type];\n h->slice_type = slice_type;\n h->slice_type_nos = slice_type & 3;\n\n if (h->nal_unit_type == 
NAL_IDR_SLICE &&\n h->slice_type_nos != AV_PICTURE_TYPE_I) {\n av_log(h->avctx, AV_LOG_ERROR, \"A non-intra slice in an IDR NAL unit.\\n\");\n return AVERROR_INVALIDDATA;\n }\n\n // to make a few old functions happy, it's wrong though\n h->pict_type = h->slice_type;\n\n pps_id = get_ue_golomb(&h->gb);\n if (pps_id >= MAX_PPS_COUNT) {\n av_log(h->avctx, AV_LOG_ERROR, \"pps_id %d out of range\\n\", pps_id);\n return AVERROR_INVALIDDATA;\n }\n if (!h0->pps_buffers[pps_id]) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"non-existing PPS %u referenced\\n\",\n pps_id);\n return AVERROR_INVALIDDATA;\n }\n if (h0->au_pps_id >= 0 && pps_id != h0->au_pps_id) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"PPS change from %d to %d forbidden\\n\",\n h0->au_pps_id, pps_id);\n return AVERROR_INVALIDDATA;\n }\n h->pps = *h0->pps_buffers[pps_id];\n\n if (!h0->sps_buffers[h->pps.sps_id]) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"non-existing SPS %u referenced\\n\",\n h->pps.sps_id);\n return AVERROR_INVALIDDATA;\n }\n\n if (h->pps.sps_id != h->current_sps_id ||\n h0->sps_buffers[h->pps.sps_id]->new) {\n\n h->sps = *h0->sps_buffers[h->pps.sps_id];\n\n if (h->mb_width != h->sps.mb_width ||\n h->mb_height != h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) ||\n h->avctx->bits_per_raw_sample != h->sps.bit_depth_luma ||\n h->cur_chroma_format_idc != h->sps.chroma_format_idc\n )\n needs_reinit = 1;\n\n if (h->bit_depth_luma != h->sps.bit_depth_luma ||\n h->chroma_format_idc != h->sps.chroma_format_idc) {\n h->bit_depth_luma = h->sps.bit_depth_luma;\n h->chroma_format_idc = h->sps.chroma_format_idc;\n needs_reinit = 1;\n }\n if ((ret = h264_set_parameter_from_sps(h)) < 0)\n return ret;\n }\n\n h->avctx->profile = ff_h264_get_profile(&h->sps);\n h->avctx->level = h->sps.level_idc;\n h->avctx->refs = h->sps.ref_frame_count;\n\n must_reinit = (h->context_initialized &&\n ( 16*h->sps.mb_width != h->avctx->coded_width\n || 16*h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) != h->avctx->coded_height\n || 
h->avctx->bits_per_raw_sample != h->sps.bit_depth_luma\n || h->cur_chroma_format_idc != h->sps.chroma_format_idc\n || av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio)\n || h->mb_width != h->sps.mb_width\n || h->mb_height != h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag)\n ));\n if (h0->avctx->pix_fmt != get_pixel_format(h0, 0))\n must_reinit = 1;\n\n h->mb_width = h->sps.mb_width;\n h->mb_height = h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag);\n h->mb_num = h->mb_width * h->mb_height;\n h->mb_stride = h->mb_width + 1;\n\n h->b_stride = h->mb_width * 4;\n\n h->chroma_y_shift = h->sps.chroma_format_idc <= 1; // 400 uses yuv420p\n\n h->width = 16 * h->mb_width;\n h->height = 16 * h->mb_height;\n\n ret = init_dimensions(h);\n if (ret < 0)\n return ret;\n\n if (h->sps.video_signal_type_present_flag) {\n h->avctx->color_range = h->sps.full_range>0 ? AVCOL_RANGE_JPEG\n : AVCOL_RANGE_MPEG;\n if (h->sps.colour_description_present_flag) {\n if (h->avctx->colorspace != h->sps.colorspace)\n needs_reinit = 1;\n h->avctx->color_primaries = h->sps.color_primaries;\n h->avctx->color_trc = h->sps.color_trc;\n h->avctx->colorspace = h->sps.colorspace;\n }\n }\n\n if (h->context_initialized &&\n (h->width != h->avctx->coded_width ||\n h->height != h->avctx->coded_height ||\n must_reinit ||\n needs_reinit)) {\n if (h != h0) {\n av_log(h->avctx, AV_LOG_ERROR, \"changing width/height on \"\n \"slice %d\\n\", h0->current_slice + 1);\n return AVERROR_INVALIDDATA;\n }\n\n flush_change(h);\n\n if ((ret = get_pixel_format(h, 1)) < 0)\n return ret;\n h->avctx->pix_fmt = ret;\n\n av_log(h->avctx, AV_LOG_INFO, \"Reinit context to %dx%d, \"\n \"pix_fmt: %s\\n\", h->width, h->height, av_get_pix_fmt_name(h->avctx->pix_fmt));\n\n if ((ret = h264_slice_header_init(h, 1)) < 0) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"h264_slice_header_init() failed\\n\");\n return ret;\n }\n }\n if (!h->context_initialized) {\n if (h != h0) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"Cannot (re-)initialize 
context during parallel decoding.\\n\");\n return AVERROR_PATCHWELCOME;\n }\n\n if ((ret = get_pixel_format(h, 1)) < 0)\n return ret;\n h->avctx->pix_fmt = ret;\n\n if ((ret = h264_slice_header_init(h, 0)) < 0) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"h264_slice_header_init() failed\\n\");\n return ret;\n }\n }\n\n if (h == h0 && h->dequant_coeff_pps != pps_id) {\n h->dequant_coeff_pps = pps_id;\n init_dequant_tables(h);\n }\n\n h->frame_num = get_bits(&h->gb, h->sps.log2_max_frame_num);\n\n h->mb_mbaff = 0;\n h->mb_aff_frame = 0;\n last_pic_structure = h0->picture_structure;\n last_pic_droppable = h0->droppable;\n h->droppable = h->nal_ref_idc == 0;\n if (h->sps.frame_mbs_only_flag) {\n h->picture_structure = PICT_FRAME;\n } else {\n if (!h->sps.direct_8x8_inference_flag && slice_type == AV_PICTURE_TYPE_B) {\n av_log(h->avctx, AV_LOG_ERROR, \"This stream was generated by a broken encoder, invalid 8x8 inference\\n\");\n return -1;\n }\n field_pic_flag = get_bits1(&h->gb);\n if (field_pic_flag) {\n bottom_field_flag = get_bits1(&h->gb);\n h->picture_structure = PICT_TOP_FIELD + bottom_field_flag;\n } else {\n h->picture_structure = PICT_FRAME;\n h->mb_aff_frame = h->sps.mb_aff;\n }\n }\n h->mb_field_decoding_flag = h->picture_structure != PICT_FRAME;\n\n if (h0->current_slice != 0) {\n if (last_pic_structure != h->picture_structure ||\n last_pic_droppable != h->droppable) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"Changing field mode (%d -> %d) between slices is not allowed\\n\",\n last_pic_structure, h->picture_structure);\n h->picture_structure = last_pic_structure;\n h->droppable = last_pic_droppable;\n return AVERROR_INVALIDDATA;\n } else if (!h0->cur_pic_ptr) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"unset cur_pic_ptr on %d. 
slice\\n\",\n h0->current_slice + 1);\n return AVERROR_INVALIDDATA;\n }\n } else {\n /* Shorten frame num gaps so we don't have to allocate reference\n * frames just to throw them away */\n if (h->frame_num != h->prev_frame_num) {\n int unwrap_prev_frame_num = h->prev_frame_num;\n int max_frame_num = 1 << h->sps.log2_max_frame_num;\n\n if (unwrap_prev_frame_num > h->frame_num)\n unwrap_prev_frame_num -= max_frame_num;\n\n if ((h->frame_num - unwrap_prev_frame_num) > h->sps.ref_frame_count) {\n unwrap_prev_frame_num = (h->frame_num - h->sps.ref_frame_count) - 1;\n if (unwrap_prev_frame_num < 0)\n unwrap_prev_frame_num += max_frame_num;\n\n h->prev_frame_num = unwrap_prev_frame_num;\n }\n }\n\n /* See if we have a decoded first field looking for a pair...\n * Here, we're using that to see if we should mark previously\n * decode frames as \"finished\".\n * We have to do that before the \"dummy\" in-between frame allocation,\n * since that can modify h->cur_pic_ptr. */\n if (h0->first_field) {\n assert(h0->cur_pic_ptr);\n assert(h0->cur_pic_ptr->f.buf[0]);\n assert(h0->cur_pic_ptr->reference != DELAYED_PIC_REF);\n\n /* Mark old field/frame as completed */\n if (h0->cur_pic_ptr->tf.owner == h0->avctx) {\n ff_thread_report_progress(&h0->cur_pic_ptr->tf, INT_MAX,\n last_pic_structure == PICT_BOTTOM_FIELD);\n }\n\n /* figure out if we have a complementary field pair */\n if (!FIELD_PICTURE(h) || h->picture_structure == last_pic_structure) {\n /* Previous field is unmatched. Don't display it, but let it\n * remain for reference if marked as such. */\n if (last_pic_structure != PICT_FRAME) {\n ff_thread_report_progress(&h0->cur_pic_ptr->tf, INT_MAX,\n last_pic_structure == PICT_TOP_FIELD);\n }\n } else {\n if (h0->cur_pic_ptr->frame_num != h->frame_num) {\n /* This and previous field were reference, but had\n * different frame_nums. Consider this field first in\n * pair. Throw away previous field except for reference\n * purposes. 
*/\n if (last_pic_structure != PICT_FRAME) {\n ff_thread_report_progress(&h0->cur_pic_ptr->tf, INT_MAX,\n last_pic_structure == PICT_TOP_FIELD);\n }\n } else {\n /* Second field in complementary pair */\n if (!((last_pic_structure == PICT_TOP_FIELD &&\n h->picture_structure == PICT_BOTTOM_FIELD) ||\n (last_pic_structure == PICT_BOTTOM_FIELD &&\n h->picture_structure == PICT_TOP_FIELD))) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"Invalid field mode combination %d/%d\\n\",\n last_pic_structure, h->picture_structure);\n h->picture_structure = last_pic_structure;\n h->droppable = last_pic_droppable;\n return AVERROR_INVALIDDATA;\n } else if (last_pic_droppable != h->droppable) {\n avpriv_request_sample(h->avctx,\n \"Found reference and non-reference fields in the same frame, which\");\n h->picture_structure = last_pic_structure;\n h->droppable = last_pic_droppable;\n return AVERROR_PATCHWELCOME;\n }\n }\n }\n }\n\n while (h->frame_num != h->prev_frame_num && !h0->first_field &&\n h->frame_num != (h->prev_frame_num + 1) % (1 << h->sps.log2_max_frame_num)) {\n Picture *prev = h->short_ref_count ? 
h->short_ref[0] : NULL;\n av_log(h->avctx, AV_LOG_DEBUG, \"Frame num gap %d %d\\n\",\n h->frame_num, h->prev_frame_num);\n if (!h->sps.gaps_in_frame_num_allowed_flag)\n for(i=0; ilast_pocs); i++)\n h->last_pocs[i] = INT_MIN;\n ret = h264_frame_start(h);\n if (ret < 0) {\n h0->first_field = 0;\n return ret;\n }\n\n h->prev_frame_num++;\n h->prev_frame_num %= 1 << h->sps.log2_max_frame_num;\n h->cur_pic_ptr->frame_num = h->prev_frame_num;\n ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX, 0);\n ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX, 1);\n ret = ff_generate_sliding_window_mmcos(h, 1);\n if (ret < 0 && (h->avctx->err_recognition & AV_EF_EXPLODE))\n return ret;\n ret = ff_h264_execute_ref_pic_marking(h, h->mmco, h->mmco_index);\n if (ret < 0 && (h->avctx->err_recognition & AV_EF_EXPLODE))\n return ret;\n /* Error concealment: If a ref is missing, copy the previous ref\n * in its place.\n * FIXME: Avoiding a memcpy would be nice, but ref handling makes\n * many assumptions about there being no actual duplicates.\n * FIXME: This does not copy padding for out-of-frame motion\n * vectors. Given we are concealing a lost frame, this probably\n * is not noticeable by comparison, but it should be fixed. */\n if (h->short_ref_count) {\n if (prev) {\n av_image_copy(h->short_ref[0]->f.data,\n h->short_ref[0]->f.linesize,\n (const uint8_t **)prev->f.data,\n prev->f.linesize,\n h->avctx->pix_fmt,\n h->mb_width * 16,\n h->mb_height * 16);\n h->short_ref[0]->poc = prev->poc + 2;\n }\n h->short_ref[0]->frame_num = h->prev_frame_num;\n }\n }\n\n /* See if we have a decoded first field looking for a pair...\n * We're using that to see whether to continue decoding in that\n * frame, or to allocate a new one. 
*/\n if (h0->first_field) {\n assert(h0->cur_pic_ptr);\n assert(h0->cur_pic_ptr->f.buf[0]);\n assert(h0->cur_pic_ptr->reference != DELAYED_PIC_REF);\n\n /* figure out if we have a complementary field pair */\n if (!FIELD_PICTURE(h) || h->picture_structure == last_pic_structure) {\n /* Previous field is unmatched. Don't display it, but let it\n * remain for reference if marked as such. */\n h0->cur_pic_ptr = NULL;\n h0->first_field = FIELD_PICTURE(h);\n } else {\n if (h0->cur_pic_ptr->frame_num != h->frame_num) {\n ff_thread_report_progress(&h0->cur_pic_ptr->tf, INT_MAX,\n h0->picture_structure==PICT_BOTTOM_FIELD);\n /* This and the previous field had different frame_nums.\n * Consider this field first in pair. Throw away previous\n * one except for reference purposes. */\n h0->first_field = 1;\n h0->cur_pic_ptr = NULL;\n } else {\n /* Second field in complementary pair */\n h0->first_field = 0;\n }\n }\n } else {\n /* Frame or first field in a potentially complementary pair */\n h0->first_field = FIELD_PICTURE(h);\n }\n\n if (!FIELD_PICTURE(h) || h0->first_field) {\n if (h264_frame_start(h) < 0) {\n h0->first_field = 0;\n return AVERROR_INVALIDDATA;\n }\n } else {\n release_unused_pictures(h, 0);\n }\n /* Some macroblocks can be accessed before they're available in case\n * of lost slices, MBAFF or threading. */\n if (FIELD_PICTURE(h)) {\n for(i = (h->picture_structure == PICT_BOTTOM_FIELD); imb_height; i++)\n memset(h->slice_table + i*h->mb_stride, -1, (h->mb_stride - (i+1==h->mb_height)) * sizeof(*h->slice_table));\n } else {\n memset(h->slice_table, -1,\n (h->mb_height * h->mb_stride - 1) * sizeof(*h->slice_table));\n }\n h0->last_slice_type = -1;\n }\n if (h != h0 && (ret = clone_slice(h, h0)) < 0)\n return ret;\n\n /* can't be in alloc_tables because linesize isn't known there.\n * FIXME: redo bipred weight to not require extra buffer? 
*/\n for (i = 0; i < h->slice_context_count; i++)\n if (h->thread_context[i]) {\n ret = alloc_scratch_buffers(h->thread_context[i], h->linesize);\n if (ret < 0)\n return ret;\n }\n\n h->cur_pic_ptr->frame_num = h->frame_num; // FIXME frame_num cleanup\n\n av_assert1(h->mb_num == h->mb_width * h->mb_height);\n if (first_mb_in_slice << FIELD_OR_MBAFF_PICTURE(h) >= h->mb_num ||\n first_mb_in_slice >= h->mb_num) {\n av_log(h->avctx, AV_LOG_ERROR, \"first_mb_in_slice overflow\\n\");\n return AVERROR_INVALIDDATA;\n }\n h->resync_mb_x = h->mb_x = first_mb_in_slice % h->mb_width;\n h->resync_mb_y = h->mb_y = (first_mb_in_slice / h->mb_width) <<\n FIELD_OR_MBAFF_PICTURE(h);\n if (h->picture_structure == PICT_BOTTOM_FIELD)\n h->resync_mb_y = h->mb_y = h->mb_y + 1;\n av_assert1(h->mb_y < h->mb_height);\n\n if (h->picture_structure == PICT_FRAME) {\n h->curr_pic_num = h->frame_num;\n h->max_pic_num = 1 << h->sps.log2_max_frame_num;\n } else {\n h->curr_pic_num = 2 * h->frame_num + 1;\n h->max_pic_num = 1 << (h->sps.log2_max_frame_num + 1);\n }\n\n if (h->nal_unit_type == NAL_IDR_SLICE)\n get_ue_golomb(&h->gb); /* idr_pic_id */\n\n if (h->sps.poc_type == 0) {\n h->poc_lsb = get_bits(&h->gb, h->sps.log2_max_poc_lsb);\n\n if (h->pps.pic_order_present == 1 && h->picture_structure == PICT_FRAME)\n h->delta_poc_bottom = get_se_golomb(&h->gb);\n }\n\n if (h->sps.poc_type == 1 && !h->sps.delta_pic_order_always_zero_flag) {\n h->delta_poc[0] = get_se_golomb(&h->gb);\n\n if (h->pps.pic_order_present == 1 && h->picture_structure == PICT_FRAME)\n h->delta_poc[1] = get_se_golomb(&h->gb);\n }\n\n ff_init_poc(h, h->cur_pic_ptr->field_poc, &h->cur_pic_ptr->poc);\n\n if (h->pps.redundant_pic_cnt_present)\n h->redundant_pic_count = get_ue_golomb(&h->gb);\n\n ret = ff_set_ref_count(h);\n if (ret < 0)\n return ret;\n\n if (slice_type != AV_PICTURE_TYPE_I &&\n (h0->current_slice == 0 ||\n slice_type != h0->last_slice_type ||\n memcmp(h0->last_ref_count, h0->ref_count, sizeof(h0->ref_count)))) 
{\n\n ff_h264_fill_default_ref_list(h);\n }\n\n if (h->slice_type_nos != AV_PICTURE_TYPE_I) {\n ret = ff_h264_decode_ref_pic_list_reordering(h);\n if (ret < 0) {\n h->ref_count[1] = h->ref_count[0] = 0;\n return ret;\n }\n }\n\n if ((h->pps.weighted_pred && h->slice_type_nos == AV_PICTURE_TYPE_P) ||\n (h->pps.weighted_bipred_idc == 1 &&\n h->slice_type_nos == AV_PICTURE_TYPE_B))\n ff_pred_weight_table(h);\n else if (h->pps.weighted_bipred_idc == 2 &&\n h->slice_type_nos == AV_PICTURE_TYPE_B) {\n implicit_weight_table(h, -1);\n } else {\n h->use_weight = 0;\n for (i = 0; i < 2; i++) {\n h->luma_weight_flag[i] = 0;\n h->chroma_weight_flag[i] = 0;\n }\n }\n\n // If frame-mt is enabled, only update mmco tables for the first slice\n // in a field. Subsequent slices can temporarily clobber h->mmco_index\n // or h->mmco, which will cause ref list mix-ups and decoding errors\n // further down the line. This may break decoding if the first slice is\n // corrupt, thus we only do this if frame-mt is enabled.\n if (h->nal_ref_idc) {\n ret = ff_h264_decode_ref_pic_marking(h0, &h->gb,\n !(h->avctx->active_thread_type & FF_THREAD_FRAME) ||\n h0->current_slice == 0);\n if (ret < 0 && (h->avctx->err_recognition & AV_EF_EXPLODE))\n return AVERROR_INVALIDDATA;\n }\n\n if (FRAME_MBAFF(h)) {\n ff_h264_fill_mbaff_ref_list(h);\n\n if (h->pps.weighted_bipred_idc == 2 && h->slice_type_nos == AV_PICTURE_TYPE_B) {\n implicit_weight_table(h, 0);\n implicit_weight_table(h, 1);\n }\n }\n\n if (h->slice_type_nos == AV_PICTURE_TYPE_B && !h->direct_spatial_mv_pred)\n ff_h264_direct_dist_scale_factor(h);\n ff_h264_direct_ref_list_init(h);\n\n if (h->slice_type_nos != AV_PICTURE_TYPE_I && h->pps.cabac) {\n tmp = get_ue_golomb_31(&h->gb);\n if (tmp > 2) {\n av_log(h->avctx, AV_LOG_ERROR, \"cabac_init_idc overflow\\n\");\n return AVERROR_INVALIDDATA;\n }\n h->cabac_init_idc = tmp;\n }\n\n h->last_qscale_diff = 0;\n tmp = h->pps.init_qp + get_se_golomb(&h->gb);\n if (tmp > 51 + 6 * 
(h->sps.bit_depth_luma - 8)) {\n av_log(h->avctx, AV_LOG_ERROR, \"QP %u out of range\\n\", tmp);\n return AVERROR_INVALIDDATA;\n }\n h->qscale = tmp;\n h->chroma_qp[0] = get_chroma_qp(h, 0, h->qscale);\n h->chroma_qp[1] = get_chroma_qp(h, 1, h->qscale);\n // FIXME qscale / qp ... stuff\n if (h->slice_type == AV_PICTURE_TYPE_SP)\n get_bits1(&h->gb); /* sp_for_switch_flag */\n if (h->slice_type == AV_PICTURE_TYPE_SP ||\n h->slice_type == AV_PICTURE_TYPE_SI)\n get_se_golomb(&h->gb); /* slice_qs_delta */\n\n h->deblocking_filter = 1;\n h->slice_alpha_c0_offset = 52;\n h->slice_beta_offset = 52;\n if (h->pps.deblocking_filter_parameters_present) {\n tmp = get_ue_golomb_31(&h->gb);\n if (tmp > 2) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"deblocking_filter_idc %u out of range\\n\", tmp);\n return AVERROR_INVALIDDATA;\n }\n h->deblocking_filter = tmp;\n if (h->deblocking_filter < 2)\n h->deblocking_filter ^= 1; // 1<->0\n\n if (h->deblocking_filter) {\n h->slice_alpha_c0_offset += get_se_golomb(&h->gb) << 1;\n h->slice_beta_offset += get_se_golomb(&h->gb) << 1;\n if (h->slice_alpha_c0_offset > 104U ||\n h->slice_beta_offset > 104U) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"deblocking filter parameters %d %d out of range\\n\",\n h->slice_alpha_c0_offset, h->slice_beta_offset);\n return AVERROR_INVALIDDATA;\n }\n }\n }\n\n if (h->avctx->skip_loop_filter >= AVDISCARD_ALL ||\n (h->avctx->skip_loop_filter >= AVDISCARD_NONKEY &&\n h->slice_type_nos != AV_PICTURE_TYPE_I) ||\n (h->avctx->skip_loop_filter >= AVDISCARD_BIDIR &&\n h->slice_type_nos == AV_PICTURE_TYPE_B) ||\n (h->avctx->skip_loop_filter >= AVDISCARD_NONREF &&\n h->nal_ref_idc == 0))\n h->deblocking_filter = 0;\n\n if (h->deblocking_filter == 1 && h0->max_contexts > 1) {\n if (h->avctx->flags2 & CODEC_FLAG2_FAST) {\n /* Cheat slightly for speed:\n * Do not bother to deblock across slices. 
*/\n h->deblocking_filter = 2;\n } else {\n h0->max_contexts = 1;\n if (!h0->single_decode_warning) {\n av_log(h->avctx, AV_LOG_INFO,\n \"Cannot parallelize deblocking type 1, decoding such frames in sequential order\\n\");\n h0->single_decode_warning = 1;\n }\n if (h != h0) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"Deblocking switched inside frame.\\n\");\n return 1;\n }\n }\n }\n h->qp_thresh = 15 + 52 -\n FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) -\n FFMAX3(0,\n h->pps.chroma_qp_index_offset[0],\n h->pps.chroma_qp_index_offset[1]) +\n 6 * (h->sps.bit_depth_luma - 8);\n\n h0->last_slice_type = slice_type;\n memcpy(h0->last_ref_count, h0->ref_count, sizeof(h0->last_ref_count));\n h->slice_num = ++h0->current_slice;\n\n if (h->slice_num)\n h0->slice_row[(h->slice_num-1)&(MAX_SLICES-1)]= h->resync_mb_y;\n if ( h0->slice_row[h->slice_num&(MAX_SLICES-1)] + 3 >= h->resync_mb_y\n && h0->slice_row[h->slice_num&(MAX_SLICES-1)] <= h->resync_mb_y\n && h->slice_num >= MAX_SLICES) {\n //in case of ASO this check needs to be updated depending on how we decide to assign slice numbers in this case\n av_log(h->avctx, AV_LOG_WARNING, \"Possibly too many slices (%d >= %d), increase MAX_SLICES and recompile if there are artifacts\\n\", h->slice_num, MAX_SLICES);\n }\n\n for (j = 0; j < 2; j++) {\n int id_list[16];\n int *ref2frm = h->ref2frm[h->slice_num & (MAX_SLICES - 1)][j];\n for (i = 0; i < 16; i++) {\n id_list[i] = 60;\n if (j < h->list_count && i < h->ref_count[j] &&\n h->ref_list[j][i].f.buf[0]) {\n int k;\n AVBuffer *buf = h->ref_list[j][i].f.buf[0]->buffer;\n for (k = 0; k < h->short_ref_count; k++)\n if (h->short_ref[k]->f.buf[0]->buffer == buf) {\n id_list[i] = k;\n break;\n }\n for (k = 0; k < h->long_ref_count; k++)\n if (h->long_ref[k] && h->long_ref[k]->f.buf[0]->buffer == buf) {\n id_list[i] = h->short_ref_count + k;\n break;\n }\n }\n }\n\n ref2frm[0] =\n ref2frm[1] = -1;\n for (i = 0; i < 16; i++)\n ref2frm[i + 2] = 4 * id_list[i] + 
(h->ref_list[j][i].reference & 3);\n ref2frm[18 + 0] =\n ref2frm[18 + 1] = -1;\n for (i = 16; i < 48; i++)\n ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +\n (h->ref_list[j][i].reference & 3);\n }\n\n if (h->ref_count[0]) h->er.last_pic = &h->ref_list[0][0];\n if (h->ref_count[1]) h->er.next_pic = &h->ref_list[1][0];\n h->er.ref_count = h->ref_count[0];\n h0->au_pps_id = pps_id;\n h->sps.new =\n h0->sps_buffers[h->pps.sps_id]->new = 0;\n h->current_sps_id = h->pps.sps_id;\n\n if (h->avctx->debug & FF_DEBUG_PICT_INFO) {\n av_log(h->avctx, AV_LOG_DEBUG,\n \"slice:%d %s mb:%d %c%s%s pps:%u frame:%d poc:%d/%d ref:%d/%d qp:%d loop:%d:%d:%d weight:%d%s %s\\n\",\n h->slice_num,\n (h->picture_structure == PICT_FRAME ? \"F\" : h->picture_structure == PICT_TOP_FIELD ? \"T\" : \"B\"),\n first_mb_in_slice,\n av_get_picture_type_char(h->slice_type),\n h->slice_type_fixed ? \" fix\" : \"\",\n h->nal_unit_type == NAL_IDR_SLICE ? \" IDR\" : \"\",\n pps_id, h->frame_num,\n h->cur_pic_ptr->field_poc[0],\n h->cur_pic_ptr->field_poc[1],\n h->ref_count[0], h->ref_count[1],\n h->qscale,\n h->deblocking_filter,\n h->slice_alpha_c0_offset / 2 - 26, h->slice_beta_offset / 2 - 26,\n h->use_weight,\n h->use_weight == 1 && h->use_weight_chroma ? \"c\" : \"\",\n h->slice_type == AV_PICTURE_TYPE_B ? (h->direct_spatial_mv_pred ? 
\"SPAT\" : \"TEMP\") : \"\");\n }\n\n return 0;\n}", "project": "FFmpeg", "hash": 200232776860561206754163513001485909644, "size": 695, "commit_id": "8a3b85f3a7952c54a2c36ba1797f7e0cde9f85aa", "message": "avcodec/h264: update current_sps & sps->new only after the whole slice header decoder and init code finished\n\nThis avoids them being cleared before the full initialization finished\n\nFixes out of array read\nFixes: asan_heap-oob_f0c5e6_7071_cov_1605985132_mov_h264_aac__Demo_FlagOfOurFathers.mov\nFound-by: Mateusz \"j00ru\" Jurczyk and Gynvael Coldwind\nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 270122 }, { "func": "static inline void tcp_update_wl(struct tcp_sock *tp, u32 seq)\n{\n\ttp->snd_wl1 = seq;\n}", "project": "linux", "hash": 250913340616269221719340585586373529757, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. 
For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410754 }, { "func": "static int blackout_line_skip(int n, int x, int y, int rescan,\n int *tile_count) {\n\t\n\tif (tile_blackout[n].cover == 2) {\n\t\ttile_has_diff[n] = 0;\n\t\treturn 1;\t/* skip it */\n\n\t} else if (tile_blackout[n].cover == 1) {\n\t\tint w, x1, y1, x2, y2, b, hit = 0;\n\t\tif (x + NSCAN > dpy_x) {\n\t\t\tw = dpy_x - x;\n\t\t} else {\n\t\t\tw = NSCAN;\n\t\t}\n\n\t\tfor (b=0; b < tile_blackout[n].count; b++) {\n\t\t\t\n\t\t\t/* n.b. these coords are in full display space: */\n\t\t\tx1 = tile_blackout[n].bo[b].x1;\n\t\t\tx2 = tile_blackout[n].bo[b].x2;\n\t\t\ty1 = tile_blackout[n].bo[b].y1;\n\t\t\ty2 = tile_blackout[n].bo[b].y2;\n\n\t\t\tif (x2 - x1 < w) {\n\t\t\t\t/* need to cover full width */\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (y1 <= y && y < y2) {\n\t\t\t\thit = 1;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (hit) {\n\t\t\tif (! 
rescan) {\n\t\t\t\ttile_has_diff[n] = 0;\n\t\t\t} else {\n\t\t\t\t*tile_count += tile_has_diff[n];\n\t\t\t}\n\t\t\treturn 1;\t/* skip */\n\t\t}\n\t}\n\treturn 0;\t/* do not skip */\n}", "project": "x11vnc", "hash": 204116544704043961255228647339453404996, "size": 43, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360780 }, { "func": "bool zx_isZxLiquidTx(const EthereumSignTx *msg) {\n if (memcmp(msg->to.bytes, UNISWAP_ROUTER_ADDRESS, 20) == 0) { // correct contract address?\n\n if (isAddLiquidityEthCall(msg)) return true;\n \n if (isRemoveLiquidityEthCall(msg)) return true;\n }\n return false;\n}", "project": "keepkey-firmware", "hash": 127250159331330533601444117585440871888, "size": 9, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220866 }, { "func": " Item_cache_row(THD *thd):\n Item_cache(thd), values(0), item_count(2),\n save_array(0) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 188611865652132485617022801656072203592, "size": 3, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. 
This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509056 }, { "func": "static int core_override_type(request_rec *r)\n{\n core_dir_config *conf =\n (core_dir_config *)ap_get_core_module_config(r->per_dir_config);\n\n /* Check for overrides with ForceType / SetHandler\n */\n if (conf->mime_type && strcmp(conf->mime_type, \"none\"))\n ap_set_content_type(r, (char*) conf->mime_type);\n\n if (conf->expr_handler) { \n const char *err;\n const char *val;\n val = ap_expr_str_exec(r, conf->expr_handler, &err);\n if (err) {\n ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03154)\n \"Can't evaluate handler expression: %s\", err);\n return HTTP_INTERNAL_SERVER_ERROR;\n }\n\n if (val != ap_strstr_c(val, \"proxy:unix\")) { \n /* Retained for compatibility -- but not for UDS */\n char *tmp = apr_pstrdup(r->pool, val);\n ap_str_tolower(tmp);\n val = tmp;\n }\n\n if (strcmp(val, \"none\")) { \n r->handler = val;\n }\n }\n else if (conf->handler && strcmp(conf->handler, \"none\")) { \n r->handler = conf->handler;\n }\n\n /* Deal with the poor soul who is trying to force path_info to be\n * accepted within the core_handler, where they will let the subreq\n * address its contents. This is toggled by the user in the very\n * beginning of the fixup phase (here!), so modules should override the user's\n * discretion in their own module fixup phase. 
It is tristate, if\n * the user doesn't specify, the result is AP_REQ_DEFAULT_PATH_INFO.\n * (which the module may interpret to its own customary behavior.)\n * It won't be touched if the value is no longer AP_ACCEPT_PATHINFO_UNSET,\n * so any module changing the value prior to the fixup phase\n * OVERRIDES the user's choice.\n */\n if ((r->used_path_info == AP_REQ_DEFAULT_PATH_INFO)\n && (conf->accept_path_info != AP_ACCEPT_PATHINFO_UNSET)) {\n /* No module knew better, and the user coded AcceptPathInfo */\n r->used_path_info = conf->accept_path_info;\n }\n\n return OK;\n}", "project": "httpd", "hash": 58299898612666169203957206294109317212, "size": 54, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246261 }, { "func": "ALWAYS_INLINE String& asStrRef(tv_lval tv) {\n assertx(tvIsPlausible(*tv));\n assertx(isStringType(type(tv)));\n type(tv) = KindOfString;\n return reinterpret_cast(val(tv).pstr);\n}", "project": "hhvm", "hash": 37536310745239260095520547958069625118, "size": 6, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219773 }, { "func": "int kvm_hv_activate_synic(struct kvm_vcpu *vcpu, bool dont_zero_synic_pages)\n{\n\tstruct kvm_vcpu_hv_synic *synic;\n\tint r;\n\n\tif (!to_hv_vcpu(vcpu)) {\n\t\tr = kvm_hv_vcpu_init(vcpu);\n\t\tif (r)\n\t\t\treturn r;\n\t}\n\n\tsynic = to_hv_synic(vcpu);\n\n\t/*\n\t * Hyper-V SynIC auto EOI SINT's are\n\t * not compatible with APICV, so request\n\t * to deactivate APICV 
permanently.\n\t */\n\tkvm_request_apicv_update(vcpu->kvm, false, APICV_INHIBIT_REASON_HYPERV);\n\tsynic->active = true;\n\tsynic->dont_zero_synic_pages = dont_zero_synic_pages;\n\tsynic->control = HV_SYNIC_CONTROL_ENABLE;\n\treturn 0;\n}", "project": "linux", "hash": 28143831885148211132578013509945630531, "size": 24, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343529 }, { "func": "static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)\n{\n\tint size, ent_count;\n\tint __user *p = (int __user *)arg;\n\tint retval;\n\n\tswitch (cmd) {\n\tcase RNDGETENTCNT:\n\t\t/* inherently racy, no point locking */\n\t\tif (put_user(input_pool.entropy_count, p))\n\t\t\treturn -EFAULT;\n\t\treturn 0;\n\tcase RNDADDTOENTCNT:\n\t\tif (!capable(CAP_SYS_ADMIN))\n\t\t\treturn -EPERM;\n\t\tif (get_user(ent_count, p))\n\t\t\treturn -EFAULT;\n\t\tcredit_entropy_bits(&input_pool, ent_count);\n\t\treturn 0;\n\tcase RNDADDENTROPY:\n\t\tif (!capable(CAP_SYS_ADMIN))\n\t\t\treturn -EPERM;\n\t\tif (get_user(ent_count, p++))\n\t\t\treturn -EFAULT;\n\t\tif (ent_count < 0)\n\t\t\treturn -EINVAL;\n\t\tif (get_user(size, p++))\n\t\t\treturn -EFAULT;\n\t\tretval = write_pool(&input_pool, (const char __user *)p,\n\t\t\t\t size);\n\t\tif (retval < 0)\n\t\t\treturn retval;\n\t\tcredit_entropy_bits(&input_pool, ent_count);\n\t\treturn 0;\n\tcase RNDZAPENTCNT:\n\tcase RNDCLEARPOOL:\n\t\t/* Clear the entropy pool counters. 
*/\n\t\tif (!capable(CAP_SYS_ADMIN))\n\t\t\treturn -EPERM;\n\t\trand_initialize();\n\t\treturn 0;\n\tdefault:\n\t\treturn -EINVAL;\n\t}\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 210897557406026227920863520993438396973, "size": 45, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. 
I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499897 }, { "func": "static bool create_hj_key_for_table(JOIN *join, JOIN_TAB *join_tab,\n KEYUSE *org_keyuse, table_map used_tables)\n{\n KEY *keyinfo;\n KEY_PART_INFO *key_part_info;\n KEYUSE *keyuse= org_keyuse;\n uint key_parts= 0;\n THD *thd= join->thd;\n TABLE *table= join_tab->table;\n bool first_keyuse= TRUE;\n DBUG_ENTER(\"create_hj_key_for_table\");\n\n do\n {\n if (!(~used_tables & keyuse->used_tables) &&\n join_tab->keyuse_is_valid_for_access_in_chosen_plan(join, keyuse) &&\n are_tables_local(join_tab, keyuse->used_tables)) \n {\n if (first_keyuse)\n {\n key_parts++;\n }\n else\n {\n KEYUSE *curr= org_keyuse;\n for( ; curr < keyuse; curr++)\n {\n if (curr->keypart == keyuse->keypart &&\n !(~used_tables & curr->used_tables) &&\n join_tab->keyuse_is_valid_for_access_in_chosen_plan(join,\n curr) &&\n are_tables_local(join_tab, curr->used_tables))\n break;\n }\n if (curr == keyuse)\n key_parts++;\n }\n }\n first_keyuse= FALSE;\n keyuse++;\n } while (keyuse->table == table && keyuse->is_for_hash_join());\n if (!key_parts)\n DBUG_RETURN(TRUE);\n /* This memory is allocated only once for the joined table join_tab */\n if (!(keyinfo= (KEY *) thd->alloc(sizeof(KEY))) ||\n !(key_part_info = (KEY_PART_INFO *) thd->alloc(sizeof(KEY_PART_INFO)*\n key_parts)))\n DBUG_RETURN(TRUE);\n keyinfo->usable_key_parts= keyinfo->user_defined_key_parts = key_parts;\n keyinfo->ext_key_parts= keyinfo->user_defined_key_parts;\n keyinfo->key_part= key_part_info;\n keyinfo->key_length=0;\n keyinfo->algorithm= HA_KEY_ALG_UNDEF;\n keyinfo->flags= HA_GENERATED_KEY;\n keyinfo->is_statistics_from_stat_tables= FALSE;\n keyinfo->name.str= \"$hj\";\n keyinfo->name.length= 3;\n keyinfo->rec_per_key= (ulong*) 
thd->calloc(sizeof(ulong)*key_parts);\n if (!keyinfo->rec_per_key)\n DBUG_RETURN(TRUE);\n keyinfo->key_part= key_part_info;\n\n first_keyuse= TRUE;\n keyuse= org_keyuse;\n do\n {\n if (!(~used_tables & keyuse->used_tables) &&\n join_tab->keyuse_is_valid_for_access_in_chosen_plan(join, keyuse) &&\n are_tables_local(join_tab, keyuse->used_tables))\n { \n bool add_key_part= TRUE;\n if (!first_keyuse)\n {\n for(KEYUSE *curr= org_keyuse; curr < keyuse; curr++)\n {\n if (curr->keypart == keyuse->keypart &&\n !(~used_tables & curr->used_tables) &&\n join_tab->keyuse_is_valid_for_access_in_chosen_plan(join,\n curr) &&\n are_tables_local(join_tab, curr->used_tables))\n\t {\n keyuse->keypart= NO_KEYPART;\n add_key_part= FALSE;\n break;\n }\n }\n }\n if (add_key_part)\n {\n Field *field= table->field[keyuse->keypart];\n uint fieldnr= keyuse->keypart+1;\n table->create_key_part_by_field(key_part_info, field, fieldnr);\n keyinfo->key_length += key_part_info->store_length;\n key_part_info++;\n }\n }\n first_keyuse= FALSE;\n keyuse++;\n } while (keyuse->table == table && keyuse->is_for_hash_join());\n\n keyinfo->ext_key_parts= keyinfo->user_defined_key_parts;\n keyinfo->ext_key_flags= keyinfo->flags;\n keyinfo->ext_key_part_map= 0;\n\n join_tab->hj_key= keyinfo;\n\n DBUG_RETURN(FALSE);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 106337958253966485747194022759742138802, "size": 108, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508506 }, { "func": "DwaCompressor::setupChannelData (int minX, int minY, int maxX, int maxY)\n{\n char *planarUncBuffer[NUM_COMPRESSOR_SCHEMES];\n\n for (int i=0; iwidth = OPENEXR_IMF_NAMESPACE::numSamples (cd->xSampling, minX, maxX);\n cd->height = OPENEXR_IMF_NAMESPACE::numSamples (cd->ySampling, minY, maxY);\n \n cd->planarUncSize =\n cd->width * cd->height * OPENEXR_IMF_NAMESPACE::pixelTypeSize (cd->type);\n \n cd->planarUncBuffer = planarUncBuffer[cd->compression];\n cd->planarUncBufferEnd = cd->planarUncBuffer;\n\n cd->planarUncRle[0] = cd->planarUncBuffer;\n cd->planarUncRleEnd[0] = cd->planarUncRle[0];\n\n for (int byte = 1; byte < OPENEXR_IMF_NAMESPACE::pixelTypeSize(cd->type); ++byte)\n {\n cd->planarUncRle[byte] = \n cd->planarUncRle[byte-1] + cd->width * cd->height;\n\n cd->planarUncRleEnd[byte] =\n cd->planarUncRle[byte];\n }\n\n cd->planarUncType = cd->type;\n\n if (cd->compression == LOSSY_DCT)\n {\n cd->planarUncType = FLOAT;\n }\n else\n {\n planarUncBuffer[cd->compression] +=\n cd->width * cd->height * OPENEXR_IMF_NAMESPACE::pixelTypeSize (cd->planarUncType);\n }\n }\n}", "project": "openexr", "hash": 25473930724221136425269303672942827779, "size": 50, "commit_id": "3eda5d70aba127bae9bd6bae9956fcf024b64031", "message": "fixes for DWA uncompress: sanity check unknown data reading, off-by-one error on max suffix string length\n\nSigned-off-by: Peter Hillman ", "target": 0, "dataset": "other", "idx": 440092 }, { "func": "static void 
encode_readdir(struct xdr_stream *xdr, const struct nfs4_readdir_arg *readdir, struct rpc_rqst *req, struct compound_hdr *hdr)\n{\n\tuint32_t attrs[3] = {\n\t\tFATTR4_WORD0_RDATTR_ERROR,\n\t\tFATTR4_WORD1_MOUNTED_ON_FILEID,\n\t};\n\tuint32_t dircount = readdir->count >> 1;\n\t__be32 *p, verf[2];\n\tuint32_t attrlen = 0;\n\tunsigned int i;\n\n\tif (readdir->plus) {\n\t\tattrs[0] |= FATTR4_WORD0_TYPE|FATTR4_WORD0_CHANGE|FATTR4_WORD0_SIZE|\n\t\t\tFATTR4_WORD0_FSID|FATTR4_WORD0_FILEHANDLE|FATTR4_WORD0_FILEID;\n\t\tattrs[1] |= FATTR4_WORD1_MODE|FATTR4_WORD1_NUMLINKS|FATTR4_WORD1_OWNER|\n\t\t\tFATTR4_WORD1_OWNER_GROUP|FATTR4_WORD1_RAWDEV|\n\t\t\tFATTR4_WORD1_SPACE_USED|FATTR4_WORD1_TIME_ACCESS|\n\t\t\tFATTR4_WORD1_TIME_METADATA|FATTR4_WORD1_TIME_MODIFY;\n\t\tattrs[2] |= FATTR4_WORD2_SECURITY_LABEL;\n\t\tdircount >>= 1;\n\t}\n\t/* Use mounted_on_fileid only if the server supports it */\n\tif (!(readdir->bitmask[1] & FATTR4_WORD1_MOUNTED_ON_FILEID))\n\t\tattrs[0] |= FATTR4_WORD0_FILEID;\n\tfor (i = 0; i < ARRAY_SIZE(attrs); i++) {\n\t\tattrs[i] &= readdir->bitmask[i];\n\t\tif (attrs[i] != 0)\n\t\t\tattrlen = i+1;\n\t}\n\n\tencode_op_hdr(xdr, OP_READDIR, decode_readdir_maxsz, hdr);\n\tencode_uint64(xdr, readdir->cookie);\n\tencode_nfs4_verifier(xdr, &readdir->verifier);\n\tp = reserve_space(xdr, 12 + (attrlen << 2));\n\t*p++ = cpu_to_be32(dircount);\n\t*p++ = cpu_to_be32(readdir->count);\n\t*p++ = cpu_to_be32(attrlen);\n\tfor (i = 0; i < attrlen; i++)\n\t\t*p++ = cpu_to_be32(attrs[i]);\n\tmemcpy(verf, readdir->verifier.data, sizeof(verf));\n\n\tdprintk(\"%s: cookie = %llu, verifier = %08x:%08x, bitmap = %08x:%08x:%08x\\n\",\n\t\t\t__func__,\n\t\t\t(unsigned long long)readdir->cookie,\n\t\t\tverf[0], verf[1],\n\t\t\tattrs[0] & readdir->bitmask[0],\n\t\t\tattrs[1] & readdir->bitmask[1],\n\t\t\tattrs[2] & readdir->bitmask[2]);\n}", "project": "linux", "hash": 279385769561943135582220235685132707974, "size": 49, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", 
"message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431349 }, { "func": "void ptrace_notify(int exit_code)\n{\n\tBUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);\n\tif (unlikely(current->task_works))\n\t\ttask_work_run();\n\n\tspin_lock_irq(¤t->sighand->siglock);\n\tptrace_do_notify(SIGTRAP, exit_code, CLD_TRAPPED);\n\tspin_unlock_irq(¤t->sighand->siglock);\n}", "project": "linux", "hash": 233902779240712747310007798816534327277, "size": 10, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375271 }, { "func": "static int nfs4_call_sync_custom(struct rpc_task_setup *task_setup)\n{\n\tint ret;\n\tstruct rpc_task *task;\n\n\ttask = rpc_run_task(task_setup);\n\tif (IS_ERR(task))\n\t\treturn PTR_ERR(task);\n\n\tret = task->tk_status;\n\trpc_put_task(task);\n\treturn ret;\n}", "project": "linux", "hash": 178808367421024965558678620807801486861, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431539 }, { "func": "static void nfs4_sequence_free_slot(struct nfs4_sequence_res *res)\n{\n\tif (res->sr_slot != NULL) {\n\t\tif (res->sr_slot->table->session != NULL)\n\t\t\tnfs41_sequence_free_slot(res);\n\t\telse\n\t\t\tnfs40_sequence_free_slot(res);\n\t}\n}", "project": "linux", "hash": 24819224614433014281519053973930103329, "size": 9, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of 
Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431231 }, { "func": "static void nfs4_sequence_free_slot(struct nfs4_sequence_res *res)\n{\n\tif (res->sr_slot != NULL)\n\t\tnfs40_sequence_free_slot(res);\n}", "project": "linux", "hash": 229027850341317379470929152409086184585, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431258 }, { "func": "int fuse_fill_super_common(struct super_block *sb, struct fuse_fs_context *ctx)\n{\n\tstruct fuse_dev *fud = NULL;\n\tstruct fuse_mount *fm = get_fuse_mount_super(sb);\n\tstruct fuse_conn *fc = fm->fc;\n\tstruct inode *root;\n\tstruct dentry *root_dentry;\n\tint err;\n\n\terr = -EINVAL;\n\tif (sb->s_flags & SB_MANDLOCK)\n\t\tgoto err;\n\n\tfuse_sb_defaults(sb);\n\n\tif (ctx->is_bdev) {\n#ifdef CONFIG_BLOCK\n\t\terr = -EINVAL;\n\t\tif (!sb_set_blocksize(sb, ctx->blksize))\n\t\t\tgoto err;\n#endif\n\t} else {\n\t\tsb->s_blocksize = PAGE_SIZE;\n\t\tsb->s_blocksize_bits = PAGE_SHIFT;\n\t}\n\n\tsb->s_subtype = ctx->subtype;\n\tctx->subtype = NULL;\n\tif (IS_ENABLED(CONFIG_FUSE_DAX)) {\n\t\terr = fuse_dax_conn_alloc(fc, ctx->dax_dev);\n\t\tif (err)\n\t\t\tgoto err;\n\t}\n\n\tif (ctx->fudptr) {\n\t\terr = -ENOMEM;\n\t\tfud = fuse_dev_alloc_install(fc);\n\t\tif (!fud)\n\t\t\tgoto err_free_dax;\n\t}\n\n\tfc->dev = sb->s_dev;\n\tfm->sb = sb;\n\terr = fuse_bdi_init(fc, sb);\n\tif (err)\n\t\tgoto err_dev_free;\n\n\t/* Handle umasking inside the fuse code */\n\tif 
(sb->s_flags & SB_POSIXACL)\n\t\tfc->dont_mask = 1;\n\tsb->s_flags |= SB_POSIXACL;\n\n\tfc->default_permissions = ctx->default_permissions;\n\tfc->allow_other = ctx->allow_other;\n\tfc->user_id = ctx->user_id;\n\tfc->group_id = ctx->group_id;\n\tfc->legacy_opts_show = ctx->legacy_opts_show;\n\tfc->max_read = max_t(unsigned int, 4096, ctx->max_read);\n\tfc->destroy = ctx->destroy;\n\tfc->no_control = ctx->no_control;\n\tfc->no_force_umount = ctx->no_force_umount;\n\n\terr = -ENOMEM;\n\troot = fuse_get_root_inode(sb, ctx->rootmode);\n\tsb->s_d_op = &fuse_root_dentry_operations;\n\troot_dentry = d_make_root(root);\n\tif (!root_dentry)\n\t\tgoto err_dev_free;\n\t/* Root dentry doesn't have .d_revalidate */\n\tsb->s_d_op = &fuse_dentry_operations;\n\n\tmutex_lock(&fuse_mutex);\n\terr = -EINVAL;\n\tif (ctx->fudptr && *ctx->fudptr)\n\t\tgoto err_unlock;\n\n\terr = fuse_ctl_add_conn(fc);\n\tif (err)\n\t\tgoto err_unlock;\n\n\tlist_add_tail(&fc->entry, &fuse_conn_list);\n\tsb->s_root = root_dentry;\n\tif (ctx->fudptr)\n\t\t*ctx->fudptr = fud;\n\tmutex_unlock(&fuse_mutex);\n\treturn 0;\n\n err_unlock:\n\tmutex_unlock(&fuse_mutex);\n\tdput(root_dentry);\n err_dev_free:\n\tif (fud)\n\t\tfuse_dev_free(fud);\n err_free_dax:\n\tif (IS_ENABLED(CONFIG_FUSE_DAX))\n\t\tfuse_dax_conn_free(fc);\n err:\n\treturn err;\n}", "project": "linux", "hash": 247902311578807300448530395397095607437, "size": 99, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341962 }, { "func": "static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tBT_DBG(\"%s\", hdev->name);\n}", "project": "linux", "hash": 152167766458633126150506482281909774465, "size": 5, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431949 }, { "func": "HttpStateData::keepaliveAccounting(HttpReply *reply)\n{\n if (flags.keepalive)\n if (_peer)\n ++ _peer->stats.n_keepalives_sent;\n\n if (reply->keep_alive) {\n if (_peer)\n ++ _peer->stats.n_keepalives_recv;\n\n if (Config.onoff.detect_broken_server_pconns\n && reply->bodySize(request->method) == -1 && !flags.chunked) {\n debugs(11, DBG_IMPORTANT, \"keepaliveAccounting: Impossible keep-alive header from '\" << entry->url() << \"'\" );\n // debugs(11, 2, \"GOT HTTP REPLY HDR:\\n---------\\n\" << readBuf->content() << \"\\n----------\" );\n flags.keepalive_broken = true;\n }\n }\n}", "project": "squid", "hash": 102286858480031857414994669383500569662, "size": 18, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402315 }, { "func": "static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)\n{\n\tstruct page **pages;\n\tstruct nfs_getaclargs args = {\n\t\t.fh = NFS_FH(inode),\n\t\t.acl_len = buflen,\n\t};\n\tstruct nfs_getaclres res = {\n\t\t.acl_len = buflen,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_GETACL],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t};\n\tunsigned int npages;\n\tint ret = -ENOMEM, i;\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\n\tif (buflen == 0)\n\t\tbuflen = server->rsize;\n\n\tnpages = DIV_ROUND_UP(buflen, PAGE_SIZE) + 1;\n\tpages = kmalloc_array(npages, sizeof(struct page *), GFP_NOFS);\n\tif (!pages)\n\t\treturn -ENOMEM;\n\n\targs.acl_pages = pages;\n\n\tfor (i = 0; i < npages; i++) {\n\t\tpages[i] = alloc_page(GFP_KERNEL);\n\t\tif (!pages[i])\n\t\t\tgoto out_free;\n\t}\n\n\t/* for decoding across pages */\n\tres.acl_scratch = alloc_page(GFP_KERNEL);\n\tif (!res.acl_scratch)\n\t\tgoto out_free;\n\n\targs.acl_len = npages * PAGE_SIZE;\n\n\tdprintk(\"%s buf %p buflen %zu npages %d args.acl_len %zu\\n\",\n\t\t__func__, buf, buflen, npages, args.acl_len);\n\tret = nfs4_call_sync(NFS_SERVER(inode)->client, NFS_SERVER(inode),\n\t\t\t &msg, &args.seq_args, &res.seq_res, 0);\n\tif (ret)\n\t\tgoto out_free;\n\n\t/* Handle the case where the passed-in buffer is too short */\n\tif (res.acl_flags & NFS4_ACL_TRUNC) {\n\t\t/* Did the user only issue a request for the acl length? 
*/\n\t\tif (buf == NULL)\n\t\t\tgoto out_ok;\n\t\tret = -ERANGE;\n\t\tgoto out_free;\n\t}\n\tnfs4_write_cached_acl(inode, pages, res.acl_data_offset, res.acl_len);\n\tif (buf) {\n\t\tif (res.acl_len > buflen) {\n\t\t\tret = -ERANGE;\n\t\t\tgoto out_free;\n\t\t}\n\t\t_copy_from_pages(buf, pages, res.acl_data_offset, res.acl_len);\n\t}\nout_ok:\n\tret = res.acl_len;\nout_free:\n\tfor (i = 0; i < npages; i++)\n\t\tif (pages[i])\n\t\t\t__free_page(pages[i]);\n\tif (res.acl_scratch)\n\t\t__free_page(res.acl_scratch);\n\tkfree(pages);\n\treturn ret;\n}", "project": "linux", "hash": 125265206885823338342973093153053979613, "size": 76, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431186 }, { "func": "static void __input_unregister_device(struct input_dev *dev)\n{\n\tstruct input_handle *handle, *next;\n\n\tinput_disconnect_device(dev);\n\n\tmutex_lock(&input_mutex);\n\n\tlist_for_each_entry_safe(handle, next, &dev->h_list, d_node)\n\t\thandle->handler->disconnect(handle);\n\tWARN_ON(!list_empty(&dev->h_list));\n\n\tdel_timer_sync(&dev->timer);\n\tlist_del_init(&dev->node);\n\n\tinput_wakeup_procfs_readers();\n\n\tmutex_unlock(&input_mutex);\n\n\tdevice_del(&dev->dev);\n}", "project": "linux", "hash": 222393483702072351267196557204190068397, "size": 21, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects 
within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353353 }, { "func": "static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,\n\t\t\t\t char __user *optval, int __user *optlen)\n{\n\tstruct sctp_endpoint *ep = sctp_sk(sk)->ep;\n\tstruct sctp_authchunks __user *p = (void __user *)optval;\n\tstruct sctp_authchunks val;\n\tstruct sctp_association *asoc;\n\tstruct sctp_chunks_param *ch;\n\tu32 num_chunks = 0;\n\tchar __user *to;\n\n\tif (len < sizeof(struct sctp_authchunks))\n\t\treturn -EINVAL;\n\n\tif (copy_from_user(&val, optval, sizeof(val)))\n\t\treturn -EFAULT;\n\n\tto = p->gauth_chunks;\n\tasoc = sctp_id2assoc(sk, val.gauth_assoc_id);\n\tif (!asoc && val.gauth_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc) {\n\t\tif (!asoc->peer.auth_capable)\n\t\t\treturn -EACCES;\n\t\tch = (struct sctp_chunks_param *)asoc->c.auth_chunks;\n\t} else {\n\t\tif (!ep->auth_enable)\n\t\t\treturn -EACCES;\n\t\tch = ep->auth_chunk_list;\n\t}\n\tif (!ch)\n\t\tgoto num;\n\n\tnum_chunks = ntohs(ch->param_hdr.length) - sizeof(struct sctp_paramhdr);\n\tif (len < sizeof(struct sctp_authchunks) + num_chunks)\n\t\treturn -EINVAL;\n\n\tif (copy_to_user(to, ch->chunks, num_chunks))\n\t\treturn -EFAULT;\nnum:\n\tlen = sizeof(struct sctp_authchunks) + num_chunks;\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\tif (put_user(num_chunks, &p->gauth_number_of_chunks))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 261095862475458105688163788380861519492, "size": 50, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf 
sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398183 }, { "func": "static int vhost_net_tx_get_vq_desc(struct vhost_net *net,\n\t\t\t\t struct vhost_net_virtqueue *tnvq,\n\t\t\t\t unsigned int *out_num, unsigned int *in_num,\n\t\t\t\t struct msghdr *msghdr, bool *busyloop_intr)\n{\n\tstruct vhost_net_virtqueue *rnvq = &net->vqs[VHOST_NET_VQ_RX];\n\tstruct vhost_virtqueue *rvq = &rnvq->vq;\n\tstruct vhost_virtqueue *tvq = &tnvq->vq;\n\n\tint r = vhost_get_vq_desc(tvq, tvq->iov, ARRAY_SIZE(tvq->iov),\n\t\t\t\t out_num, in_num, NULL, NULL);\n\n\tif (r == tvq->num && tvq->busyloop_timeout) {\n\t\t/* Flush batched packets first */\n\t\tif (!vhost_sock_zcopy(tvq->private_data))\n\t\t\tvhost_tx_batch(net, tnvq, tvq->private_data, msghdr);\n\n\t\tvhost_net_busy_poll(net, rvq, tvq, busyloop_intr, false);\n\n\t\tr = vhost_get_vq_desc(tvq, tvq->iov, ARRAY_SIZE(tvq->iov),\n\t\t\t\t out_num, in_num, NULL, NULL);\n\t}\n\n\treturn r;\n}", "project": "linux", "hash": 37771115221742724896040649261386195716, "size": 25, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the 
struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 441973 }, { "func": "int gfn_to_page_many_atomic(struct kvm_memory_slot *slot, gfn_t gfn,\n\t\t\t struct page **pages, int nr_pages)\n{\n\tunsigned long addr;\n\tgfn_t entry = 0;\n\n\taddr = gfn_to_hva_many(slot, gfn, &entry);\n\tif (kvm_is_error_hva(addr))\n\t\treturn -1;\n\n\tif (entry < nr_pages)\n\t\treturn 0;\n\n\treturn __get_user_pages_fast(addr, nr_pages, 1, pages);\n}", "project": "linux", "hash": 59226345458829223929141217371566996268, "size": 15, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354806 }, { "func": "int gfn_to_page_many_atomic(struct kvm_memory_slot *slot, gfn_t gfn,\n\t\t\t struct page **pages, int nr_pages)\n{\n\tunsigned long addr;\n\tgfn_t entry = 0;\n\n\taddr 
= gfn_to_hva_many(slot, gfn, &entry);\n\tif (kvm_is_error_hva(addr))\n\t\treturn -1;\n\n\tif (entry < nr_pages)\n\t\treturn 0;\n\n\treturn get_user_pages_fast_only(addr, nr_pages, FOLL_WRITE, pages);\n}", "project": "linux", "hash": 139724882862081392805075040377359832784, "size": 15, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404066 }, { "func": "int hidinput_connect(struct hid_device *hid, unsigned int force)\n{\n\tstruct hid_driver *drv = hid->driver;\n\tstruct hid_report *report;\n\tstruct hid_input *next, *hidinput = NULL;\n\tunsigned int application;\n\tint i, k;\n\n\tINIT_LIST_HEAD(&hid->inputs);\n\tINIT_WORK(&hid->led_work, hidinput_led_worker);\n\n\thid->status &= ~HID_STAT_DUP_DETECTED;\n\n\tif (!force) {\n\t\tfor (i = 0; i < hid->maxcollection; i++) {\n\t\t\tstruct hid_collection *col = &hid->collection[i];\n\t\t\tif (col->type == HID_COLLECTION_APPLICATION ||\n\t\t\t\t\tcol->type == HID_COLLECTION_PHYSICAL)\n\t\t\t\tif (IS_INPUT_APPLICATION(col->usage))\n\t\t\t\t\tbreak;\n\t\t}\n\n\t\tif (i == hid->maxcollection)\n\t\t\treturn -1;\n\t}\n\n\treport_features(hid);\n\n\tfor (k = HID_INPUT_REPORT; k <= HID_OUTPUT_REPORT; k++) {\n\t\tif (k == 
HID_OUTPUT_REPORT &&\n\t\t\thid->quirks & HID_QUIRK_SKIP_OUTPUT_REPORTS)\n\t\t\tcontinue;\n\n\t\tlist_for_each_entry(report, &hid->report_enum[k].report_list, list) {\n\n\t\t\tif (!report->maxfield)\n\t\t\t\tcontinue;\n\n\t\t\tapplication = report->application;\n\n\t\t\t/*\n\t\t\t * Find the previous hidinput report attached\n\t\t\t * to this report id.\n\t\t\t */\n\t\t\tif (hid->quirks & HID_QUIRK_MULTI_INPUT)\n\t\t\t\thidinput = hidinput_match(report);\n\t\t\telse if (hid->maxapplication > 1 &&\n\t\t\t\t (hid->quirks & HID_QUIRK_INPUT_PER_APP))\n\t\t\t\thidinput = hidinput_match_application(report);\n\n\t\t\tif (!hidinput) {\n\t\t\t\thidinput = hidinput_allocate(hid, application);\n\t\t\t\tif (!hidinput)\n\t\t\t\t\tgoto out_unwind;\n\t\t\t}\n\n\t\t\thidinput_configure_usages(hidinput, report);\n\n\t\t\tif (hid->quirks & HID_QUIRK_MULTI_INPUT)\n\t\t\t\thidinput->report = report;\n\n\t\t\tlist_add_tail(&report->hidinput_list,\n\t\t\t\t &hidinput->reports);\n\t\t}\n\t}\n\n\thidinput_change_resolution_multipliers(hid);\n\n\tlist_for_each_entry_safe(hidinput, next, &hid->inputs, list) {\n\t\tif (drv->input_configured &&\n\t\t drv->input_configured(hid, hidinput))\n\t\t\tgoto out_unwind;\n\n\t\tif (!hidinput_has_been_populated(hidinput)) {\n\t\t\t/* no need to register an input device not populated */\n\t\t\thidinput_cleanup_hidinput(hid, hidinput);\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (input_register_device(hidinput->input))\n\t\t\tgoto out_unwind;\n\t\thidinput->registered = true;\n\t}\n\n\tif (list_empty(&hid->inputs)) {\n\t\thid_err(hid, \"No inputs registered, leaving\\n\");\n\t\tgoto out_unwind;\n\t}\n\n\tif (hid->status & HID_STAT_DUP_DETECTED)\n\t\thid_dbg(hid,\n\t\t\t\"Some usages could not be mapped, please use HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE if this is legitimate.\\n\");\n\n\treturn 0;\n\nout_unwind:\n\t/* unwind the ones we already registered */\n\thidinput_disconnect(hid);\n\n\treturn -1;\n}", "project": "linux", "hash": 
154060005193955231739076621239093517594, "size": 101, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458412 }, { "func": "static void init_config_defines(apr_pool_t *pconf)\n{\n saved_server_config_defines = ap_server_config_defines;\n /* Use apr_array_copy instead of apr_array_copy_hdr because it does not\n * protect from the way unset_define removes entries.\n */\n ap_server_config_defines = apr_array_copy(pconf, ap_server_config_defines);\n}", "project": "httpd", "hash": 235152762190330429735992588357768478317, "size": 8, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246314 }, { "func": "int bcf_hdr_parse(bcf_hdr_t *hdr, char *htxt)\n{\n int len, done = 0;\n char *p = htxt;\n\n // Check 
sanity: \"fileformat\" string must come as first\n bcf_hrec_t *hrec = bcf_hdr_parse_line(hdr,p,&len);\n if ( !hrec || !hrec->key || strcasecmp(hrec->key,\"fileformat\") )\n hts_log_warning(\"The first line should be ##fileformat; is the VCF/BCF header broken?\");\n if (bcf_hdr_add_hrec(hdr, hrec) < 0) {\n bcf_hrec_destroy(hrec);\n return -1;\n }\n\n // The filter PASS must appear first in the dictionary\n hrec = bcf_hdr_parse_line(hdr,\"##FILTER=\",&len);\n if (bcf_hdr_add_hrec(hdr, hrec) < 0) {\n bcf_hrec_destroy(hrec);\n return -1;\n }\n\n // Parse the whole header\n do {\n while (NULL != (hrec = bcf_hdr_parse_line(hdr, p, &len))) {\n if (bcf_hdr_add_hrec(hdr, hrec) < 0) {\n bcf_hrec_destroy(hrec);\n return -1;\n }\n p += len;\n }\n\n // Next should be the sample line. If not, it was a malformed\n // header, in which case print a warning and skip (many VCF\n // operations do not really care about a few malformed lines).\n // In the future we may want to add a strict mode that errors in\n // this case.\n if ( strncmp(\"#CHROM\\tPOS\",p,10) != 0 ) {\n char *eol = strchr(p, '\\n');\n if (*p != '\\0') {\n hts_log_warning(\"Could not parse header line: %.*s\",\n eol ? (int)(eol - p) : INT_MAX, p);\n }\n if (eol) {\n p = eol + 1; // Try from the next line.\n } else {\n done = -1; // No more lines left, give up.\n }\n } else {\n done = 1; // Sample line found\n }\n } while (!done);\n\n if (done < 0) {\n // No sample line is fatal.\n hts_log_error(\"Could not parse the header, sample line not found\");\n return -1;\n }\n\n if (bcf_hdr_parse_sample_line(hdr,p) < 0)\n return -1;\n if (bcf_hdr_sync(hdr) < 0)\n return -1;\n bcf_hdr_check_sanity(hdr);\n return 0;\n}", "project": "htslib", "hash": 229903556775720088553812168611182849213, "size": 65, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402179 }, { "func": "static int push(json_parser *json, Mode mode) {\n if (json->top + 1 >= json->depth) {\n return false;\n }\n json->top += 1;\n json->stack[json->top].mode = mode;\n if (json->top > json->mark) {\n json->mark = json->top;\n }\n return true;\n}", "project": "hhvm", "hash": 86247015688219153987589003809379581430, "size": 11, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227292 }, { "func": "void lua_datum::push() const\n{\n lua_pushlightuserdata(lua, const_cast(this));\n lua_gettable(lua, LUA_REGISTRYINDEX);\n\n // The value we saved is now on top of the Lua stack.\n}", "project": "crawl", "hash": 317125872028753413359639134933098220000, "size": 7, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230463 }, { "func": "zfilenamelistseparator(i_ctx_t *i_ctx_p)\n{\n os_ptr op = osp;\n\n push(1);\n make_const_string(op, avm_foreign | a_readonly, 1,\n (const byte *)&gp_file_name_list_separator);\n return 0;\n}", "project": "ghostpdl", "hash": 303429232965454971224063379917987597181, "size": 9, "commit_id": "ab109aaeb3ddba59518b036fb288402a65cf7ce8", "message": "Bug 694724: Have filenameforall and getenv honor SAFER", "target": 0, "dataset": "other", "idx": 277046 }, { "func": 
"zcurrentdevice(i_ctx_t *i_ctx_p)\n{\n os_ptr op = osp;\n gx_device *dev = gs_currentdevice(igs);\n gs_ref_memory_t *mem = (gs_ref_memory_t *) dev->memory;\n\n push(1);\n make_tav(op, t_device,\n (mem == 0 ? avm_foreign : imemory_space(mem)) | a_all,\n pdevice, dev);\n return 0;\n}", "project": "ghostpdl", "hash": 86334833731193966840982052488442675337, "size": 12, "commit_id": "661e8d8fb8248c38d67958beda32f3a5876d0c3f", "message": "Bug 700176: check the *output* device for LockSafetyParams\n\nWhen calling .setdevice we were checking if LockSafetyParams was set, and if so\nthrowing an invalidaccess error.\n\nThe problem is, if another device, for example the pdf14 compositor is the 'top'\ndevice, that does not (and cannot) honour LockSafetyParams.\n\nTo solve this, we'll now use the (relatively new) gxdso_current_output_device\nspec_op to retrieve the *actual* output device, and check the LockSafetyParams\nflag in that.", "target": 0, "dataset": "other", "idx": 410236 }, { "func": "void trace_find_cmdline(int pid, char comm[])\n{\n\tpreempt_disable();\n\tarch_spin_lock(&trace_cmdline_lock);\n\n\t__trace_find_cmdline(pid, comm);\n\n\tarch_spin_unlock(&trace_cmdline_lock);\n\tpreempt_enable();\n}", "project": "linux", "hash": 68724650791977700700724746387126377429, "size": 10, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445835 }, { "func": "void check_join_cache_usage_for_tables(JOIN *join, ulonglong options,\n uint no_jbuf_after)\n{\n JOIN_TAB *tab;\n JOIN_TAB *prev_tab;\n\n for (tab= first_linear_tab(join, WITH_BUSH_ROOTS, WITHOUT_CONST_TABLES);\n tab; \n tab= next_linear_tab(join, tab, WITH_BUSH_ROOTS))\n {\n tab->used_join_cache_level= join->max_allowed_join_cache_level; \n }\n\n uint idx= join->const_tables;\n for (tab= first_linear_tab(join, WITH_BUSH_ROOTS, WITHOUT_CONST_TABLES);\n tab; \n tab= next_linear_tab(join, tab, WITH_BUSH_ROOTS))\n {\nrestart:\n tab->icp_other_tables_ok= TRUE;\n tab->idx_cond_fact_out= TRUE;\n \n /* \n Check if we have a preceding join_tab, as something that will feed us\n records that we could buffer. 
We don't have it, if \n - this is the first non-const table in the join order,\n - this is the first table inside an SJM nest.\n */\n prev_tab= tab - 1;\n if (tab == join->join_tab + join->const_tables ||\n (tab->bush_root_tab && tab->bush_root_tab->bush_children->start == tab))\n prev_tab= NULL;\n\n switch (tab->type) {\n case JT_SYSTEM:\n case JT_CONST:\n case JT_EQ_REF:\n case JT_REF:\n case JT_REF_OR_NULL:\n case JT_ALL:\n tab->used_join_cache_level= check_join_cache_usage(tab, options,\n no_jbuf_after,\n idx,\n prev_tab);\n tab->use_join_cache= MY_TEST(tab->used_join_cache_level);\n /*\n psergey-merge: todo: raise the question that this is really stupid that\n we can first allocate a join buffer, then decide not to use it and free\n it.\n */\n if (join->return_tab)\n {\n tab= join->return_tab;\n goto restart;\n }\n break; \n default:\n tab->used_join_cache_level= 0;\n }\n if (!tab->bush_children)\n idx++;\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 266992038549718810370887153889245629443, "size": 63, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508621 }, { "func": "static inline void remove_partial(struct kmem_cache_node *n,\n\t\t\t\t\tstruct page *page)\n{\n\tlockdep_assert_held(&n->list_lock);\n\tlist_del(&page->slab_list);\n\tn->nr_partial--;\n}", "project": "linux", "hash": 240723058014893836752367691708283920596, "size": 7, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280072 }, { "func": "static void __io_req_task_submit(struct io_kiocb *req)\n{\n\tstruct io_ring_ctx *ctx = req->ctx;\n\n\t/* ctx stays valid until unlock, even if we drop all ours ctx->refs */\n\tmutex_lock(&ctx->uring_lock);\n\tif (!(current->flags & PF_EXITING) && !current->in_execve)\n\t\t__io_queue_sqe(req);\n\telse\n\t\tio_req_complete_failed(req, -EFAULT);\n\tmutex_unlock(&ctx->uring_lock);\n}", "project": "linux", "hash": 249568905379095317399773129246017011159, "size": 12, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to 
MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338558 }, { "func": "void tcp_clear_retrans(struct tcp_sock *tp)\n{\n\ttcp_clear_retrans_partial(tp);\n\n\ttp->fackets_out = 0;\n\ttp->sacked_out = 0;\n}", "project": "net-next", "hash": 138730323974640584102932628486362977530, "size": 7, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409848 }, { "func": "static void nfs4_xdr_enc_destroy_clientid(struct rpc_rqst *req,\n\t\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t\t const void *data)\n{\n\tconst struct nfs_client *clp = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = clp->cl_mvops->minor_version,\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_destroy_clientid(xdr, clp->cl_clientid, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 240514297120148719939518113295100776355, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431282 }, { "func": "static void nfs4_xdr_enc_create(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\tconst void *data)\n{\n\tconst struct nfs4_create_arg *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->dir_fh, &hdr);\n\tencode_create(xdr, args, &hdr);\n\tencode_getfh(xdr, &hdr);\n\tencode_getfattr(xdr, args->bitmask, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 318881084404935126359566851389660309970, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell 
\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431438 }, { "func": "static void store_regs(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)\n{\n\tkvm_run->psw_mask = vcpu->arch.sie_block->gpsw.mask;\n\tkvm_run->psw_addr = vcpu->arch.sie_block->gpsw.addr;\n\tkvm_run->s.regs.prefix = kvm_s390_get_prefix(vcpu);\n\tmemcpy(&kvm_run->s.regs.crs, &vcpu->arch.sie_block->gcr, 128);\n\tkvm_run->s.regs.cputm = kvm_s390_get_cpu_timer(vcpu);\n\tkvm_run->s.regs.ckc = vcpu->arch.sie_block->ckc;\n\tkvm_run->s.regs.pft = vcpu->arch.pfault_token;\n\tkvm_run->s.regs.pfs = vcpu->arch.pfault_select;\n\tkvm_run->s.regs.pfc = vcpu->arch.pfault_compare;\n\tsave_access_regs(vcpu->run->s.regs.acrs);\n\trestore_access_regs(vcpu->arch.host_acrs);\n\t/* Save guest register state */\n\tsave_fpu_regs();\n\tvcpu->run->s.regs.fpc = current->thread.fpu.fpc;\n\t/* Restore will be done lazily at return */\n\tcurrent->thread.fpu.fpc = vcpu->arch.host_fpregs.fpc;\n\tcurrent->thread.fpu.regs = vcpu->arch.host_fpregs.regs;\n\tif (likely(!kvm_s390_pv_cpu_is_protected(vcpu)))\n\t\tstore_regs_fmt2(vcpu, kvm_run);\n}", "project": "linux", "hash": 39089660942412556581223127878150321046, "size": 22, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354503 }, { 
"func": "void __hci_req_disable_advertising(struct hci_request *req)\n{\n\tif (ext_adv_capable(req->hdev)) {\n\t\t__hci_req_disable_ext_adv_instance(req, 0x00);\n\n\t} else {\n\t\tu8 enable = 0x00;\n\n\t\thci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);\n\t}\n}", "project": "linux", "hash": 300593733546770774081040660782570975746, "size": 11, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402575 }, { "func": "static int x25_wait_for_connection_establishment(struct sock *sk)\n{\n\tDECLARE_WAITQUEUE(wait, current);\n\tint rc;\n\n\tadd_wait_queue_exclusive(sk_sleep(sk), &wait);\n\tfor (;;) {\n\t\t__set_current_state(TASK_INTERRUPTIBLE);\n\t\trc = -ERESTARTSYS;\n\t\tif (signal_pending(current))\n\t\t\tbreak;\n\t\trc = sock_error(sk);\n\t\tif (rc) {\n\t\t\tsk->sk_socket->state = SS_UNCONNECTED;\n\t\t\tbreak;\n\t\t}\n\t\trc = 0;\n\t\tif (sk->sk_state != TCP_ESTABLISHED) {\n\t\t\trelease_sock(sk);\n\t\t\tschedule();\n\t\t\tlock_sock(sk);\n\t\t} else\n\t\t\tbreak;\n\t}\n\t__set_current_state(TASK_RUNNING);\n\tremove_wait_queue(sk_sleep(sk), &wait);\n\treturn rc;\n}", "project": "net", "hash": 135324843768830367785761366845189260369, "size": 
28, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449178 }, { "func": "static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)\n{\n\tint i, l, x1, x2, dy;\n\tint oc; /* old pixel value */\n\tint wx2,wy2;\n\t/* stack of filled segments */\n\tstruct seg *stack;\n\tstruct seg *sp;\n\tchar **pts;\n\n\tif (!im->tile) {\n\t\treturn;\n\t}\n\n\twx2=im->sx;wy2=im->sy;\n\n\tnc = gdImageTileGet(im,x,y);\n\n\tpts = (char **) ecalloc(im->sy + 1, sizeof(char *));\n\tfor (i = 0; i < im->sy + 1; i++) {\n\t\tpts[i] = (char *) ecalloc(im->sx + 1, sizeof(char));\n\t}\n\n\tstack = (struct seg *)safe_emalloc(sizeof(struct seg), ((int)(im->sy*im->sx)/4), 1);\n\tsp = stack;\n\n\toc = gdImageGetPixel(im, x, y);\n\n\t/* required! 
*/\n\tFILL_PUSH(y,x,x,1);\n\t/* seed segment (popped 1st) */\n \tFILL_PUSH(y+1, x, x, -1);\n\twhile (sp>stack) {\n\t\tFILL_POP(y, x1, x2, dy);\n\t\tfor (x=x1; x>=0 && (!pts[y][x] && gdImageGetPixel(im,x,y)==oc); x--) {\n\t\t\tnc = gdImageTileGet(im,x,y);\n\t\t\tpts[y][x] = 1;\n\t\t\tgdImageSetPixel(im,x, y, nc);\n\t\t}\n\t\tif (x>=x1) {\n\t\t\tgoto skip;\n\t\t}\n\t\tl = x+1;\n\n\t\t/* leak on left? */\n\t\tif (lx2+1) {\n\t\t\t\tFILL_PUSH(y, x2+1, x-1, -dy);\n\t\t\t}\nskip:\t\tfor(x++; x<=x2 && (pts[y][x] || gdImageGetPixel(im,x, y)!=oc); x++);\n\t\t\tl = x;\n\t\t} while (x<=x2);\n\t}\n\n\tfor(i = 0; i < im->sy + 1; i++) {\n\t\tefree(pts[i]);\n\t}\n\n\tefree(pts);\n\tefree(stack);\n}", "project": "php-src", "hash": 72546678816116945460884693694800285817, "size": 72, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295165 }, { "func": "static enum AVPixelFormat get_pixel_format(H264Context *h, int force_callback)\n{\n switch (h->sps.bit_depth_luma) {\n case 9:\n if (CHROMA444(h)) {\n if (h->avctx->colorspace == AVCOL_SPC_RGB) {\n return AV_PIX_FMT_GBRP9;\n } else\n return AV_PIX_FMT_YUV444P9;\n } else if (CHROMA422(h))\n return AV_PIX_FMT_YUV422P9;\n else\n return AV_PIX_FMT_YUV420P9;\n break;\n case 10:\n if (CHROMA444(h)) {\n if (h->avctx->colorspace == AVCOL_SPC_RGB) {\n return AV_PIX_FMT_GBRP10;\n } else\n return AV_PIX_FMT_YUV444P10;\n } else if (CHROMA422(h))\n return AV_PIX_FMT_YUV422P10;\n else\n return AV_PIX_FMT_YUV420P10;\n break;\n case 12:\n if (CHROMA444(h)) {\n if (h->avctx->colorspace == AVCOL_SPC_RGB) {\n return AV_PIX_FMT_GBRP12;\n } else\n return AV_PIX_FMT_YUV444P12;\n } else if (CHROMA422(h))\n return AV_PIX_FMT_YUV422P12;\n else\n return AV_PIX_FMT_YUV420P12;\n break;\n case 14:\n if (CHROMA444(h)) {\n if (h->avctx->colorspace == AVCOL_SPC_RGB) {\n return AV_PIX_FMT_GBRP14;\n } else\n return 
AV_PIX_FMT_YUV444P14;\n } else if (CHROMA422(h))\n return AV_PIX_FMT_YUV422P14;\n else\n return AV_PIX_FMT_YUV420P14;\n break;\n case 8:\n if (CHROMA444(h)) {\n if (h->avctx->colorspace == AVCOL_SPC_RGB) {\n av_log(h->avctx, AV_LOG_DEBUG, \"Detected GBR colorspace.\\n\");\n return AV_PIX_FMT_GBR24P;\n } else if (h->avctx->colorspace == AVCOL_SPC_YCGCO) {\n av_log(h->avctx, AV_LOG_WARNING, \"Detected unsupported YCgCo colorspace.\\n\");\n }\n return h->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ444P\n : AV_PIX_FMT_YUV444P;\n } else if (CHROMA422(h)) {\n return h->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ422P\n : AV_PIX_FMT_YUV422P;\n } else {\n int i;\n const enum AVPixelFormat * fmt = h->avctx->codec->pix_fmts ?\n h->avctx->codec->pix_fmts :\n h->avctx->color_range == AVCOL_RANGE_JPEG ?\n h264_hwaccel_pixfmt_list_jpeg_420 :\n h264_hwaccel_pixfmt_list_420;\n\n for (i=0; fmt[i] != AV_PIX_FMT_NONE; i++)\n if (fmt[i] == h->avctx->pix_fmt && !force_callback)\n return fmt[i];\n return ff_thread_get_format(h->avctx, fmt);\n }\n break;\n default:\n av_log(h->avctx, AV_LOG_ERROR,\n \"Unsupported bit depth: %d\\n\", h->sps.bit_depth_luma);\n return AVERROR_INVALIDDATA;\n }\n}", "project": "FFmpeg", "hash": 5346165788927222490040770111894194094, "size": 80, "commit_id": "8a3b85f3a7952c54a2c36ba1797f7e0cde9f85aa", "message": "avcodec/h264: update current_sps & sps->new only after the whole slice header decoder and init code finished\n\nThis avoids them being cleared before the full initialization finished\n\nFixes out of array read\nFixes: asan_heap-oob_f0c5e6_7071_cov_1605985132_mov_h264_aac__Demo_FlagOfOurFathers.mov\nFound-by: Mateusz \"j00ru\" Jurczyk and Gynvael Coldwind\nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 270123 }, { "func": "bool CWebSock::ForceLogin() {\n if (GetSession()->IsLoggedIn()) {\n return true;\n }\n\n GetSession()->AddError(\"You must login to view that page\");\n Redirect(\"/\");\n return 
false;\n}", "project": "znc", "hash": 14441888654270048633371038766739405151, "size": 9, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265777 }, { "func": " bool matchSeparatorSlow(char ch) {\n --p;\n skipSpace();\n if (LIKELY(*p++ == ch)) return true;\n --p;\n return false;\n }", "project": "hhvm", "hash": 145505863980905701294499356185983093104, "size": 7, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227317 }, { "func": " static void json_free(void* ptr) {\n if (RuntimeOption::EvalJsonParserUseLocalArena) {\n return local_free(ptr);\n } else {\n return free(ptr);\n }\n }", "project": "hhvm", "hash": 13341165287061213771735908873990506722, "size": 7, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227310 }, { "func": "static int io_recvmsg_prep_async(struct io_kiocb *req)\n{\n\tint ret;\n\n\tret = io_recvmsg_copy_hdr(req, req->async_data);\n\tif (!ret)\n\t\treq->flags |= REQ_F_NEED_CLEANUP;\n\treturn ret;\n}", "project": "linux", "hash": 235173801412850682965772167527834792506, "size": 9, "commit_id": 
"d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338547 }, { "func": "static inline int may_create(struct inode *dir, struct dentry *child)\n{\n\tstruct user_namespace *s_user_ns;\n\taudit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE);\n\tif (child->d_inode)\n\t\treturn -EEXIST;\n\tif (IS_DEADDIR(dir))\n\t\treturn -ENOENT;\n\ts_user_ns = dir->i_sb->s_user_ns;\n\tif (!kuid_has_mapping(s_user_ns, current_fsuid()) ||\n\t !kgid_has_mapping(s_user_ns, current_fsgid()))\n\t\treturn -EOVERFLOW;\n\treturn inode_permission(dir, MAY_WRITE | MAY_EXEC);\n}", "project": "linux", "hash": 214537772883286760353555052211290099469, "size": 14, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295435 }, { "func": "int fuse_removexattr(struct inode *inode, const char *name)\n{\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tFUSE_ARGS(args);\n\tint err;\n\n\tif (fm->fc->no_removexattr)\n\t\treturn 
-EOPNOTSUPP;\n\n\targs.opcode = FUSE_REMOVEXATTR;\n\targs.nodeid = get_node_id(inode);\n\targs.in_numargs = 1;\n\targs.in_args[0].size = strlen(name) + 1;\n\targs.in_args[0].value = name;\n\terr = fuse_simple_request(fm, &args);\n\tif (err == -ENOSYS) {\n\t\tfm->fc->no_removexattr = 1;\n\t\terr = -EOPNOTSUPP;\n\t}\n\tif (!err) {\n\t\tfuse_invalidate_attr(inode);\n\t\tfuse_update_ctime(inode);\n\t}\n\treturn err;\n}", "project": "linux", "hash": 30713570867668706328065524246288278829, "size": 25, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341891 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "bool WebGraphicsContext3DDefaultImpl::getActiveUniform(WebGLId program, unsigned long index, ActiveInfo& info)\n{\n makeContextCurrent();\n GLint maxNameLength = -1;\n glGetProgramiv(program, GL_ACTIVE_UNIFORM_MAX_LENGTH, &maxNameLength);\n if (maxNameLength < 0)\n return false;\n GLchar* name = 0;\n if (!tryFastMalloc(maxNameLength * sizeof(GLchar)).getValue(name)) {\n synthesizeGLError(GL_OUT_OF_MEMORY);\n return false;\n }\n GLsizei length = 0;\n GLint size = -1;\n GLenum type = 0;\n glGetActiveUniform(program, index, maxNameLength,\n &length, &size, &type, name);\n if (size < 0) {\n fastFree(name);\n return false;\n }\n info.name = WebString::fromUTF8(name, length);\n info.type = type;\n info.size = size;\n fastFree(name);\n return true;\n}\n", "cwe": "", "big_vul_idx": 98997, "idx": 89054, "hash": 155186107548599050712463474412850183959 }, { "func": " virtual void split_sum_func(THD *thd, Ref_ptr_array ref_pointer_array,\n List &fields, uint flags) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 338900113782752913637275258353111925711, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509250 }, { "func": "static int mt_touch_input_mapping(struct hid_device *hdev, struct hid_input *hi,\n\t\tstruct hid_field *field, struct hid_usage *usage,\n\t\tunsigned long **bit, int *max, struct mt_application *app)\n{\n\tstruct mt_device *td = hid_get_drvdata(hdev);\n\tstruct mt_class *cls = &td->mtclass;\n\tint code;\n\tstruct hid_usage *prev_usage = NULL;\n\n\t/*\n\t * Model touchscreens providing buttons as touchpads.\n\t */\n\tif (field->application == HID_DG_TOUCHSCREEN &&\n\t (usage->hid & HID_USAGE_PAGE) == HID_UP_BUTTON) {\n\t\tapp->mt_flags |= INPUT_MT_POINTER;\n\t\ttd->inputmode_value = MT_INPUTMODE_TOUCHPAD;\n\t}\n\n\t/* count the buttons on touchpads */\n\tif ((usage->hid & HID_USAGE_PAGE) == HID_UP_BUTTON)\n\t\tapp->buttons_count++;\n\n\tif (usage->usage_index)\n\t\tprev_usage = &field->usage[usage->usage_index - 1];\n\n\tswitch (usage->hid & HID_USAGE_PAGE) {\n\n\tcase HID_UP_GENDESK:\n\t\tswitch (usage->hid) {\n\t\tcase HID_GD_X:\n\t\t\tif (prev_usage && (prev_usage->hid == usage->hid)) {\n\t\t\t\tcode = ABS_MT_TOOL_X;\n\t\t\t\tMT_STORE_FIELD(cx);\n\t\t\t} else {\n\t\t\t\tcode = ABS_MT_POSITION_X;\n\t\t\t\tMT_STORE_FIELD(x);\n\t\t\t}\n\n\t\t\tset_abs(hi->input, code, field, cls->sn_move);\n\n\t\t\t/*\n\t\t\t * A system multi-axis that exports X and Y has a high\n\t\t\t * chance of being used directly on a surface\n\t\t\t */\n\t\t\tif 
(field->application == HID_GD_SYSTEM_MULTIAXIS) {\n\t\t\t\t__set_bit(INPUT_PROP_DIRECT,\n\t\t\t\t\t hi->input->propbit);\n\t\t\t\tinput_set_abs_params(hi->input,\n\t\t\t\t\t\t ABS_MT_TOOL_TYPE,\n\t\t\t\t\t\t MT_TOOL_DIAL,\n\t\t\t\t\t\t MT_TOOL_DIAL, 0, 0);\n\t\t\t}\n\n\t\t\treturn 1;\n\t\tcase HID_GD_Y:\n\t\t\tif (prev_usage && (prev_usage->hid == usage->hid)) {\n\t\t\t\tcode = ABS_MT_TOOL_Y;\n\t\t\t\tMT_STORE_FIELD(cy);\n\t\t\t} else {\n\t\t\t\tcode = ABS_MT_POSITION_Y;\n\t\t\t\tMT_STORE_FIELD(y);\n\t\t\t}\n\n\t\t\tset_abs(hi->input, code, field, cls->sn_move);\n\n\t\t\treturn 1;\n\t\t}\n\t\treturn 0;\n\n\tcase HID_UP_DIGITIZER:\n\t\tswitch (usage->hid) {\n\t\tcase HID_DG_INRANGE:\n\t\t\tif (app->quirks & MT_QUIRK_HOVERING) {\n\t\t\t\tinput_set_abs_params(hi->input,\n\t\t\t\t\tABS_MT_DISTANCE, 0, 1, 0, 0);\n\t\t\t}\n\t\t\tMT_STORE_FIELD(inrange_state);\n\t\t\treturn 1;\n\t\tcase HID_DG_CONFIDENCE:\n\t\t\tif (cls->name == MT_CLS_WIN_8 &&\n\t\t\t\t(field->application == HID_DG_TOUCHPAD ||\n\t\t\t\t field->application == HID_DG_TOUCHSCREEN))\n\t\t\t\tapp->quirks |= MT_QUIRK_CONFIDENCE;\n\n\t\t\tif (app->quirks & MT_QUIRK_CONFIDENCE)\n\t\t\t\tinput_set_abs_params(hi->input,\n\t\t\t\t\t\t ABS_MT_TOOL_TYPE,\n\t\t\t\t\t\t MT_TOOL_FINGER,\n\t\t\t\t\t\t MT_TOOL_PALM, 0, 0);\n\n\t\t\tMT_STORE_FIELD(confidence_state);\n\t\t\treturn 1;\n\t\tcase HID_DG_TIPSWITCH:\n\t\t\tif (field->application != HID_GD_SYSTEM_MULTIAXIS)\n\t\t\t\tinput_set_capability(hi->input,\n\t\t\t\t\t\t EV_KEY, BTN_TOUCH);\n\t\t\tMT_STORE_FIELD(tip_state);\n\t\t\treturn 1;\n\t\tcase HID_DG_CONTACTID:\n\t\t\tMT_STORE_FIELD(contactid);\n\t\t\tapp->touches_by_report++;\n\t\t\treturn 1;\n\t\tcase HID_DG_WIDTH:\n\t\t\tif (!(app->quirks & MT_QUIRK_NO_AREA))\n\t\t\t\tset_abs(hi->input, ABS_MT_TOUCH_MAJOR, field,\n\t\t\t\t\tcls->sn_width);\n\t\t\tMT_STORE_FIELD(w);\n\t\t\treturn 1;\n\t\tcase HID_DG_HEIGHT:\n\t\t\tif (!(app->quirks & MT_QUIRK_NO_AREA)) {\n\t\t\t\tset_abs(hi->input, ABS_MT_TOUCH_MINOR, 
field,\n\t\t\t\t\tcls->sn_height);\n\n\t\t\t\t/*\n\t\t\t\t * Only set ABS_MT_ORIENTATION if it is not\n\t\t\t\t * already set by the HID_DG_AZIMUTH usage.\n\t\t\t\t */\n\t\t\t\tif (!test_bit(ABS_MT_ORIENTATION,\n\t\t\t\t\t\thi->input->absbit))\n\t\t\t\t\tinput_set_abs_params(hi->input,\n\t\t\t\t\t\tABS_MT_ORIENTATION, 0, 1, 0, 0);\n\t\t\t}\n\t\t\tMT_STORE_FIELD(h);\n\t\t\treturn 1;\n\t\tcase HID_DG_TIPPRESSURE:\n\t\t\tset_abs(hi->input, ABS_MT_PRESSURE, field,\n\t\t\t\tcls->sn_pressure);\n\t\t\tMT_STORE_FIELD(p);\n\t\t\treturn 1;\n\t\tcase HID_DG_SCANTIME:\n\t\t\tinput_set_capability(hi->input, EV_MSC, MSC_TIMESTAMP);\n\t\t\tapp->scantime = &field->value[usage->usage_index];\n\t\t\tapp->scantime_logical_max = field->logical_maximum;\n\t\t\treturn 1;\n\t\tcase HID_DG_CONTACTCOUNT:\n\t\t\tapp->have_contact_count = true;\n\t\t\tapp->raw_cc = &field->value[usage->usage_index];\n\t\t\treturn 1;\n\t\tcase HID_DG_AZIMUTH:\n\t\t\t/*\n\t\t\t * Azimuth has the range of [0, MAX) representing a full\n\t\t\t * revolution. Set ABS_MT_ORIENTATION to a quarter of\n\t\t\t * MAX according the definition of ABS_MT_ORIENTATION\n\t\t\t */\n\t\t\tinput_set_abs_params(hi->input, ABS_MT_ORIENTATION,\n\t\t\t\t-field->logical_maximum / 4,\n\t\t\t\tfield->logical_maximum / 4,\n\t\t\t\tcls->sn_move ?\n\t\t\t\tfield->logical_maximum / cls->sn_move : 0, 0);\n\t\t\tMT_STORE_FIELD(a);\n\t\t\treturn 1;\n\t\tcase HID_DG_CONTACTMAX:\n\t\t\t/* contact max are global to the report */\n\t\t\treturn -1;\n\t\tcase HID_DG_TOUCH:\n\t\t\t/* Legacy devices use TIPSWITCH and not TOUCH.\n\t\t\t * Let's just ignore this field. 
*/\n\t\t\treturn -1;\n\t\t}\n\t\t/* let hid-input decide for the others */\n\t\treturn 0;\n\n\tcase HID_UP_BUTTON:\n\t\tcode = BTN_MOUSE + ((usage->hid - 1) & HID_USAGE);\n\t\t/*\n\t\t * MS PTP spec says that external buttons left and right have\n\t\t * usages 2 and 3.\n\t\t */\n\t\tif ((app->quirks & MT_QUIRK_WIN8_PTP_BUTTONS) &&\n\t\t field->application == HID_DG_TOUCHPAD &&\n\t\t (usage->hid & HID_USAGE) > 1)\n\t\t\tcode--;\n\n\t\tif (field->application == HID_GD_SYSTEM_MULTIAXIS)\n\t\t\tcode = BTN_0 + ((usage->hid - 1) & HID_USAGE);\n\n\t\thid_map_usage(hi, usage, bit, max, EV_KEY, code);\n\t\tinput_set_capability(hi->input, EV_KEY, code);\n\t\treturn 1;\n\n\tcase 0xff000000:\n\t\t/* we do not want to map these: no input-oriented meaning */\n\t\treturn -1;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 48282048289716496461900266037257497045, "size": 187, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 1, "dataset": "other", "idx": 212377 }, { "func": "static int mt_touch_input_mapping(struct hid_device *hdev, struct hid_input *hi,\n\t\tstruct hid_field *field, struct hid_usage *usage,\n\t\tunsigned long **bit, int *max, struct 
mt_application *app)\n{\n\tstruct mt_device *td = hid_get_drvdata(hdev);\n\tstruct mt_class *cls = &td->mtclass;\n\tint code;\n\tstruct hid_usage *prev_usage = NULL;\n\n\t/*\n\t * Model touchscreens providing buttons as touchpads.\n\t */\n\tif (field->application == HID_DG_TOUCHSCREEN &&\n\t (usage->hid & HID_USAGE_PAGE) == HID_UP_BUTTON) {\n\t\tapp->mt_flags |= INPUT_MT_POINTER;\n\t\ttd->inputmode_value = MT_INPUTMODE_TOUCHPAD;\n\t}\n\n\t/* count the buttons on touchpads */\n\tif ((usage->hid & HID_USAGE_PAGE) == HID_UP_BUTTON)\n\t\tapp->buttons_count++;\n\n\tif (usage->usage_index)\n\t\tprev_usage = &field->usage[usage->usage_index - 1];\n\n\tswitch (usage->hid & HID_USAGE_PAGE) {\n\n\tcase HID_UP_GENDESK:\n\t\tswitch (usage->hid) {\n\t\tcase HID_GD_X:\n\t\t\tif (prev_usage && (prev_usage->hid == usage->hid)) {\n\t\t\t\tcode = ABS_MT_TOOL_X;\n\t\t\t\tMT_STORE_FIELD(cx);\n\t\t\t} else {\n\t\t\t\tcode = ABS_MT_POSITION_X;\n\t\t\t\tMT_STORE_FIELD(x);\n\t\t\t}\n\n\t\t\tset_abs(hi->input, code, field, cls->sn_move);\n\n\t\t\t/*\n\t\t\t * A system multi-axis that exports X and Y has a high\n\t\t\t * chance of being used directly on a surface\n\t\t\t */\n\t\t\tif (field->application == HID_GD_SYSTEM_MULTIAXIS) {\n\t\t\t\t__set_bit(INPUT_PROP_DIRECT,\n\t\t\t\t\t hi->input->propbit);\n\t\t\t\tinput_set_abs_params(hi->input,\n\t\t\t\t\t\t ABS_MT_TOOL_TYPE,\n\t\t\t\t\t\t MT_TOOL_DIAL,\n\t\t\t\t\t\t MT_TOOL_DIAL, 0, 0);\n\t\t\t}\n\n\t\t\treturn 1;\n\t\tcase HID_GD_Y:\n\t\t\tif (prev_usage && (prev_usage->hid == usage->hid)) {\n\t\t\t\tcode = ABS_MT_TOOL_Y;\n\t\t\t\tMT_STORE_FIELD(cy);\n\t\t\t} else {\n\t\t\t\tcode = ABS_MT_POSITION_Y;\n\t\t\t\tMT_STORE_FIELD(y);\n\t\t\t}\n\n\t\t\tset_abs(hi->input, code, field, cls->sn_move);\n\n\t\t\treturn 1;\n\t\t}\n\t\treturn 0;\n\n\tcase HID_UP_DIGITIZER:\n\t\tswitch (usage->hid) {\n\t\tcase HID_DG_INRANGE:\n\t\t\tif (app->quirks & MT_QUIRK_HOVERING) {\n\t\t\t\tinput_set_abs_params(hi->input,\n\t\t\t\t\tABS_MT_DISTANCE, 0, 1, 0, 
0);\n\t\t\t}\n\t\t\tMT_STORE_FIELD(inrange_state);\n\t\t\treturn 1;\n\t\tcase HID_DG_CONFIDENCE:\n\t\t\tif (cls->name == MT_CLS_WIN_8 &&\n\t\t\t\t(field->application == HID_DG_TOUCHPAD ||\n\t\t\t\t field->application == HID_DG_TOUCHSCREEN))\n\t\t\t\tapp->quirks |= MT_QUIRK_CONFIDENCE;\n\n\t\t\tif (app->quirks & MT_QUIRK_CONFIDENCE)\n\t\t\t\tinput_set_abs_params(hi->input,\n\t\t\t\t\t\t ABS_MT_TOOL_TYPE,\n\t\t\t\t\t\t MT_TOOL_FINGER,\n\t\t\t\t\t\t MT_TOOL_PALM, 0, 0);\n\n\t\t\tMT_STORE_FIELD(confidence_state);\n\t\t\treturn 1;\n\t\tcase HID_DG_TIPSWITCH:\n\t\t\tif (field->application != HID_GD_SYSTEM_MULTIAXIS)\n\t\t\t\tinput_set_capability(hi->input,\n\t\t\t\t\t\t EV_KEY, BTN_TOUCH);\n\t\t\tMT_STORE_FIELD(tip_state);\n\t\t\treturn 1;\n\t\tcase HID_DG_CONTACTID:\n\t\t\tMT_STORE_FIELD(contactid);\n\t\t\tapp->touches_by_report++;\n\t\t\treturn 1;\n\t\tcase HID_DG_WIDTH:\n\t\t\tif (!(app->quirks & MT_QUIRK_NO_AREA))\n\t\t\t\tset_abs(hi->input, ABS_MT_TOUCH_MAJOR, field,\n\t\t\t\t\tcls->sn_width);\n\t\t\tMT_STORE_FIELD(w);\n\t\t\treturn 1;\n\t\tcase HID_DG_HEIGHT:\n\t\t\tif (!(app->quirks & MT_QUIRK_NO_AREA)) {\n\t\t\t\tset_abs(hi->input, ABS_MT_TOUCH_MINOR, field,\n\t\t\t\t\tcls->sn_height);\n\n\t\t\t\t/*\n\t\t\t\t * Only set ABS_MT_ORIENTATION if it is not\n\t\t\t\t * already set by the HID_DG_AZIMUTH usage.\n\t\t\t\t */\n\t\t\t\tif (!test_bit(ABS_MT_ORIENTATION,\n\t\t\t\t\t\thi->input->absbit))\n\t\t\t\t\tinput_set_abs_params(hi->input,\n\t\t\t\t\t\tABS_MT_ORIENTATION, 0, 1, 0, 0);\n\t\t\t}\n\t\t\tMT_STORE_FIELD(h);\n\t\t\treturn 1;\n\t\tcase HID_DG_TIPPRESSURE:\n\t\t\tset_abs(hi->input, ABS_MT_PRESSURE, field,\n\t\t\t\tcls->sn_pressure);\n\t\t\tMT_STORE_FIELD(p);\n\t\t\treturn 1;\n\t\tcase HID_DG_SCANTIME:\n\t\t\tinput_set_capability(hi->input, EV_MSC, MSC_TIMESTAMP);\n\t\t\tapp->scantime = &field->value[usage->usage_index];\n\t\t\tapp->scantime_logical_max = field->logical_maximum;\n\t\t\treturn 1;\n\t\tcase HID_DG_CONTACTCOUNT:\n\t\t\tapp->have_contact_count = 
true;\n\t\t\tapp->raw_cc = &field->value[usage->usage_index];\n\t\t\treturn 1;\n\t\tcase HID_DG_AZIMUTH:\n\t\t\t/*\n\t\t\t * Azimuth has the range of [0, MAX) representing a full\n\t\t\t * revolution. Set ABS_MT_ORIENTATION to a quarter of\n\t\t\t * MAX according the definition of ABS_MT_ORIENTATION\n\t\t\t */\n\t\t\tinput_set_abs_params(hi->input, ABS_MT_ORIENTATION,\n\t\t\t\t-field->logical_maximum / 4,\n\t\t\t\tfield->logical_maximum / 4,\n\t\t\t\tcls->sn_move ?\n\t\t\t\tfield->logical_maximum / cls->sn_move : 0, 0);\n\t\t\tMT_STORE_FIELD(a);\n\t\t\treturn 1;\n\t\tcase HID_DG_CONTACTMAX:\n\t\t\t/* contact max are global to the report */\n\t\t\treturn -1;\n\t\tcase HID_DG_TOUCH:\n\t\t\t/* Legacy devices use TIPSWITCH and not TOUCH.\n\t\t\t * Let's just ignore this field. */\n\t\t\treturn -1;\n\t\t}\n\t\t/* let hid-input decide for the others */\n\t\treturn 0;\n\n\tcase HID_UP_BUTTON:\n\t\tcode = BTN_MOUSE + ((usage->hid - 1) & HID_USAGE);\n\t\t/*\n\t\t * MS PTP spec says that external buttons left and right have\n\t\t * usages 2 and 3.\n\t\t */\n\t\tif ((app->quirks & MT_QUIRK_WIN8_PTP_BUTTONS) &&\n\t\t field->application == HID_DG_TOUCHPAD &&\n\t\t (usage->hid & HID_USAGE) > 1)\n\t\t\tcode--;\n\n\t\tif (field->application == HID_GD_SYSTEM_MULTIAXIS)\n\t\t\tcode = BTN_0 + ((usage->hid - 1) & HID_USAGE);\n\n\t\thid_map_usage(hi, usage, bit, max, EV_KEY, code);\n\t\tif (!*bit)\n\t\t\treturn -1;\n\t\tinput_set_capability(hi->input, EV_KEY, code);\n\t\treturn 1;\n\n\tcase 0xff000000:\n\t\t/* we do not want to map these: no input-oriented meaning */\n\t\treturn -1;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 237709689285808653462224634864316547202, "size": 189, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a 
variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458382 }, { "func": "void CClient::ClearServerDependentCaps() {\n if (HasCapNotify() && !m_ssServerDependentCaps.empty()) {\n CString sCaps = CString(\" \").Join(m_ssServerDependentCaps.begin(),\n m_ssServerDependentCaps.end());\n PutClient(\":irc.znc.in CAP \" + GetNick() + \" DEL :\" + sCaps);\n\n for (const CString& sCap : m_ssServerDependentCaps) {\n const auto& it = m_mCoreCaps.find(sCap);\n if (m_mCoreCaps.end() != it) {\n const auto& handler = std::get<1>(it->second);\n handler(false);\n }\n }\n }\n\n m_ssServerDependentCaps.clear();\n}", "project": "znc", "hash": 89915658497475664381917073054217405711, "size": 17, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231552 }, { "func": "static bool legitimize_path(struct nameidata *nd,\n\t\t\t struct path *path, unsigned seq)\n{\n\tint res = __legitimize_mnt(path->mnt, nd->m_seq);\n\tif (unlikely(res)) {\n\t\tif (res > 0)\n\t\t\tpath->mnt = NULL;\n\t\tpath->dentry = NULL;\n\t\treturn false;\n\t}\n\tif (unlikely(!lockref_get_not_dead(&path->dentry->d_lockref))) {\n\t\tpath->dentry = NULL;\n\t\treturn false;\n\t}\n\treturn !read_seqcount_retry(&path->dentry->d_seq, seq);\n}", "project": "linux", "hash": 118376188908630669152817591857954063231, "size": 16, "commit_id": 
"d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295340 }, { "func": "static long hung_up_tty_ioctl(struct file *file, unsigned int cmd,\n\t\tunsigned long arg)\n{\n\treturn cmd == TIOCSPGRP ? -ENOTTY : -EIO;\n}", "project": "linux", "hash": 208995867060832914563730293064495878125, "size": 5, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326025 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::unlock()\n{\n m_contextGraphMutex.unlock();\n}\n", "cwe": "", "big_vul_idx": 139696, "idx": 124844, "hash": 59875498462487225607323596763561765658 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void MediaElementAudioSourceNode::unlock()\n{\n m_processLock.unlock();\n}\n", "cwe": "", "big_vul_idx": 139707, "idx": 124855, "hash": 189917907204466236818408205342661979127 }, { "func": "UnicodeString::doReverse(int32_t start, int32_t length) {\n if(length <= 1 || !cloneArrayIfNeeded()) {\n return *this;\n }\n\n // pin the indices to legal values\n pinIndices(start, length);\n if(length <= 1) { // pinIndices() might have shrunk the length\n return *this;\n }\n\n UChar *left = getArrayStart() + start;\n UChar *right = left + length - 1; // -1 for inclusive boundary (length>=2)\n UChar swap;\n UBool hasSupplementary = FALSE;\n\n // Before the loop we know left=2.\n do {\n hasSupplementary |= (UBool)U16_IS_LEAD(swap = *left);\n hasSupplementary |= (UBool)U16_IS_LEAD(*left++ = *right);\n *right-- = swap;\n } 
while(left < right);\n // Make sure to test the middle code unit of an odd-length string.\n // Redundant if the length is even.\n hasSupplementary |= (UBool)U16_IS_LEAD(*left);\n\n /* if there are supplementary code points in the reversed range, then re-swap their surrogates */\n if(hasSupplementary) {\n UChar swap2;\n\n left = getArrayStart() + start;\n right = left + length - 1; // -1 so that we can look at *(left+1) if left\nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468948 }, { "func": "int oidc_auth_checker(request_rec *r) {\n\n\t/* check for anonymous access and PASS mode */\n\tif (r->user != NULL && strlen(r->user) == 0) {\n\t\tr->user = NULL;\n\t\tif (oidc_dir_cfg_unauth_action(r) == OIDC_UNAUTH_PASS)\n\t\t\treturn OK;\n\t}\n\n\t/* get the set of claims from the request state (they've been set in the authentication part earlier */\n\tjson_t *claims = NULL, *id_token = NULL;\n\toidc_authz_get_claims_and_idtoken(r, &claims, &id_token);\n\n\t/* get the Require statements */\n\tconst apr_array_header_t * const reqs_arr = ap_requires(r);\n\n\t/* see if we have any */\n\tconst require_line * const reqs =\n\t\t\treqs_arr ? (require_line *) reqs_arr->elts : NULL;\n\tif (!reqs_arr) {\n\t\toidc_debug(r,\n\t\t\t\t\"no require statements found, so declining to perform authorization.\");\n\t\treturn DECLINED;\n\t}\n\n\t/* merge id_token claims (e.g. \"iss\") in to claims json object */\n\tif (claims)\n\t\toidc_util_json_merge(r, id_token, claims);\n\n\t/* dispatch to the <2.4 specific authz routine */\n\tint rc = oidc_authz_worker22(r, claims ? 
claims : id_token, reqs,\n\t\t\treqs_arr->nelts);\n\n\t/* cleanup */\n\tif (claims)\n\t\tjson_decref(claims);\n\tif (id_token)\n\t\tjson_decref(id_token);\n\n\tif ((rc == HTTP_UNAUTHORIZED) && ap_auth_type(r))\n\t\trc = oidc_handle_unauthorized_user22(r);\n\n\treturn rc;\n}", "project": "mod_auth_openidc", "hash": 63899768142112194009591010389236271244, "size": 44, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381928 }, { "func": "static inline void hid_map_usage(struct hid_input *hidinput,\n\t\tstruct hid_usage *usage, unsigned long **bit, int *max,\n\t\t__u8 type, unsigned int c)\n{\n\tstruct input_dev *input = hidinput->input;\n\tunsigned long *bmap = NULL;\n\tunsigned int limit = 0;\n\n\tswitch (type) {\n\tcase EV_ABS:\n\t\tbmap = input->absbit;\n\t\tlimit = ABS_MAX;\n\t\tbreak;\n\tcase EV_REL:\n\t\tbmap = input->relbit;\n\t\tlimit = REL_MAX;\n\t\tbreak;\n\tcase EV_KEY:\n\t\tbmap = input->keybit;\n\t\tlimit = KEY_MAX;\n\t\tbreak;\n\tcase EV_LED:\n\t\tbmap = input->ledbit;\n\t\tlimit = LED_MAX;\n\t\tbreak;\n\t}\n\n\tif (unlikely(c > limit || !bmap)) {\n\t\tpr_warn_ratelimited(\"%s: Invalid code %d type %d\\n\",\n\t\t\t\t input->name, c, type);\n\t\t*bit = NULL;\n\t\treturn;\n\t}\n\n\tusage->type = type;\n\tusage->code = c;\n\t*max = limit;\n\t*bit = bmap;\n}", "project": "linux", "hash": 150773222813736727725058350708816882189, "size": 39, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead 
of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458408 }, { "func": "int RGWSwiftWebsiteHandler::retarget_object(RGWOp* op, RGWOp** new_op)\n{\n ldout(s->cct, 10) << \"Starting object retarget\" << dendl;\n RGWOp* op_override = nullptr;\n\n /* In Swift static web content is served if the request is anonymous or\n * has X-Web-Mode HTTP header specified to true. */\n if (can_be_website_req() && is_web_dir()) {\n const auto& ws_conf = s->bucket_info.website_conf;\n const auto& index = s->bucket_info.website_conf.get_index_doc();\n\n if (s->decoded_uri.back() != '/') {\n op_override = get_ws_redirect_op();\n } else if (! index.empty() && is_index_present(index)) {\n op_override = get_ws_index_op();\n } else if (ws_conf.listing_enabled) {\n op_override = get_ws_listing_op();\n }\n } else {\n /* A regular request or the specified object isn't a subdirectory marker.\n * We don't need any re-targeting. Error handling (like sending a custom\n * error page) will be performed by error_handler of the actual RGWOp. */\n return 0;\n }\n\n if (op_override) {\n handler->put_op(op);\n op_override->init(store, s, handler);\n\n *new_op = op_override;\n } else {\n *new_op = op;\n }\n\n /* Return 404 Not Found if we aren't able to re-target for subdir marker. */\n return ! op_override ? 
-ENOENT : 0;\n}", "project": "ceph", "hash": 58451452937261278351017141244613145179, "size": 37, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448812 }, { "func": "float CSoundFile::CalculateSmoothParamChange(float currentValue, float param) const\n{\n\tMPT_ASSERT(GetNumTicksOnCurrentRow() > m_PlayState.m_nTickCount);\n\tconst uint32 ticksLeft = GetNumTicksOnCurrentRow() - m_PlayState.m_nTickCount;\n\tif(ticksLeft > 1)\n\t{\n\t\t// Slide param\n\t\tconst float step = (param - currentValue) / (float)ticksLeft;\n\t\treturn (currentValue + step);\n\t} else\n\t{\n\t\t// On last tick, set exact value.\n\t\treturn param;\n\t}\n}", "project": "openmpt", "hash": 260693468688297394869486782180700528998, "size": 15, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255174 }, { "func": "bool JOIN::rollup_init()\n{\n uint i,j;\n Item **ref_array;\n\n tmp_table_param.quick_group= 0;\t// Can't create groups in tmp table\n rollup.state= ROLLUP::STATE_INITED;\n\n /*\n Create pointers to the different sum function groups\n These are updated by rollup_make_fields()\n */\n tmp_table_param.group_parts= send_group_parts;\n\n Item_null_result **null_items=\n static_cast(thd->alloc(sizeof(Item*)*send_group_parts));\n\n rollup.null_items= Item_null_array(null_items, 
send_group_parts);\n rollup.ref_pointer_arrays=\n static_cast\n (thd->alloc((sizeof(Ref_ptr_array) +\n all_fields.elements * sizeof(Item*)) * send_group_parts));\n rollup.fields=\n static_cast*>(thd->alloc(sizeof(List) * send_group_parts));\n\n if (!null_items || !rollup.ref_pointer_arrays || !rollup.fields)\n return true;\n\n ref_array= (Item**) (rollup.ref_pointer_arrays+send_group_parts);\n\n\n /*\n Prepare space for field list for the different levels\n These will be filled up in rollup_make_fields()\n */\n for (i= 0 ; i < send_group_parts ; i++)\n {\n if (!(rollup.null_items[i]= new (thd->mem_root) Item_null_result(thd)))\n return true;\n\n List *rollup_fields= &rollup.fields[i];\n rollup_fields->empty();\n rollup.ref_pointer_arrays[i]= Ref_ptr_array(ref_array, all_fields.elements);\n ref_array+= all_fields.elements;\n }\n for (i= 0 ; i < send_group_parts; i++)\n {\n for (j=0 ; j < fields_list.elements ; j++)\n rollup.fields[i].push_back(rollup.null_items[i], thd->mem_root);\n }\n List_iterator it(all_fields);\n Item *item;\n while ((item= it++))\n {\n ORDER *group_tmp;\n bool found_in_group= 0;\n\n for (group_tmp= group_list; group_tmp; group_tmp= group_tmp->next)\n {\n if (*group_tmp->item == item)\n {\n item->maybe_null= 1;\n item->in_rollup= 1;\n found_in_group= 1;\n break;\n }\n }\n if (item->type() == Item::FUNC_ITEM && !found_in_group)\n {\n bool changed= FALSE;\n if (change_group_ref(thd, (Item_func *) item, group_list, &changed))\n return 1;\n /*\n We have to prevent creation of a field in a temporary table for\n an expression that contains GROUP BY attributes.\n Marking the expression item as 'with_sum_func' will ensure this.\n */ \n if (changed)\n item->with_sum_func= 1;\n }\n }\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 18959136581322715896645940916409567330, "size": 83, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized 
ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508541 }, { "func": "static void csi_P(struct vc_data *vc, unsigned int nr)\n{\n\tif (nr > vc->vc_cols - vc->vc_x)\n\t\tnr = vc->vc_cols - vc->vc_x;\n\telse if (!nr)\n\t\tnr = 1;\n\tdelete_char(vc, nr);\n}", "project": "linux", "hash": 165869720873793334641301429464635152680, "size": 8, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437054 }, { "func": "bus_reset_irq_handler(struct pcilynx *lynx)\n{\n\tstruct client *client;\n\tstruct timespec64 ts64;\n\tu32 timestamp;\n\n\tktime_get_real_ts64(&ts64);\n\ttimestamp = ts64.tv_nsec / NSEC_PER_USEC;\n\n\tspin_lock(&lynx->client_list_lock);\n\n\tlist_for_each_entry(client, &lynx->client_list, link)\n\t\tpacket_buffer_put(&client->buffer, ×tamp, 4);\n\n\tspin_unlock(&lynx->client_list_lock);\n}", "project": "linux", "hash": 259167235554409865148782792263780912723, "size": 16, "commit_id": "829933ef05a951c8ff140e814656d73e74915faf", "message": "firewire: nosy: Fix a use-after-free bug in nosy_ioctl()\n\nFor each device, the nosy driver allocates a pcilynx structure.\nA use-after-free might happen in the following scenario:\n\n 1. Open nosy device for the first time and call ioctl with command\n NOSY_IOC_START, then a new client A will be malloced and added to\n doubly linked list.\n 2. Open nosy device for the second time and call ioctl with command\n NOSY_IOC_START, then a new client B will be malloced and added to\n doubly linked list.\n 3. Call ioctl with command NOSY_IOC_START for client A, then client A\n will be readded to the doubly linked list. Now the doubly linked\n list is messed up.\n 4. Close the first nosy device and nosy_release will be called. In\n nosy_release, client A will be unlinked and freed.\n 5. Close the second nosy device, and client A will be referenced,\n resulting in UAF.\n\nThe root cause of this bug is that the element in the doubly linked list\nis reentered into the list.\n\nFix this bug by adding a check before inserting a client. 
If a client\nis already in the linked list, don't insert it.\n\nThe following KASAN report reveals it:\n\n BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210\n Write of size 8 at addr ffff888102ad7360 by task poc\n CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n Call Trace:\n nosy_release+0x1ea/0x210\n __fput+0x1e2/0x840\n task_work_run+0xe8/0x180\n exit_to_user_mode_prepare+0x114/0x120\n syscall_exit_to_user_mode+0x1d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Allocated by task 337:\n nosy_open+0x154/0x4d0\n misc_open+0x2ec/0x410\n chrdev_open+0x20d/0x5a0\n do_dentry_open+0x40f/0xe80\n path_openat+0x1cf9/0x37b0\n do_filp_open+0x16d/0x390\n do_sys_openat2+0x11d/0x360\n __x64_sys_open+0xfd/0x1a0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Freed by task 337:\n kfree+0x8f/0x210\n nosy_release+0x158/0x210\n __fput+0x1e2/0x840\n task_work_run+0xe8/0x180\n exit_to_user_mode_prepare+0x114/0x120\n syscall_exit_to_user_mode+0x1d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128\n The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380)\n\n[ Modified to use 'list_empty()' inside proper lock - Linus ]\n\nLink: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/\nReported-and-tested-by: 马哲宇 (Zheyu Ma) \nSigned-off-by: Zheyu Ma \nCc: Greg Kroah-Hartman \nCc: Stefan Richter \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 279636 }, { "func": "packet_irq_handler(struct pcilynx *lynx)\n{\n\tstruct client *client;\n\tu32 tcode_mask, tcode, timestamp;\n\tsize_t length;\n\tstruct timespec64 ts64;\n\n\t/* FIXME: Also report rcv_speed. 
*/\n\n\tlength = __le32_to_cpu(lynx->rcv_pcl->pcl_status) & 0x00001fff;\n\ttcode = __le32_to_cpu(lynx->rcv_buffer[1]) >> 4 & 0xf;\n\n\tktime_get_real_ts64(&ts64);\n\ttimestamp = ts64.tv_nsec / NSEC_PER_USEC;\n\tlynx->rcv_buffer[0] = (__force __le32)timestamp;\n\n\tif (length == PHY_PACKET_SIZE)\n\t\ttcode_mask = 1 << TCODE_PHY_PACKET;\n\telse\n\t\ttcode_mask = 1 << tcode;\n\n\tspin_lock(&lynx->client_list_lock);\n\n\tlist_for_each_entry(client, &lynx->client_list, link)\n\t\tif (client->tcode_mask & tcode_mask)\n\t\t\tpacket_buffer_put(&client->buffer,\n\t\t\t\t\t lynx->rcv_buffer, length + 4);\n\n\tspin_unlock(&lynx->client_list_lock);\n}", "project": "linux", "hash": 318198583542687679867042139471193411792, "size": 30, "commit_id": "829933ef05a951c8ff140e814656d73e74915faf", "message": "firewire: nosy: Fix a use-after-free bug in nosy_ioctl()\n\nFor each device, the nosy driver allocates a pcilynx structure.\nA use-after-free might happen in the following scenario:\n\n 1. Open nosy device for the first time and call ioctl with command\n NOSY_IOC_START, then a new client A will be malloced and added to\n doubly linked list.\n 2. Open nosy device for the second time and call ioctl with command\n NOSY_IOC_START, then a new client B will be malloced and added to\n doubly linked list.\n 3. Call ioctl with command NOSY_IOC_START for client A, then client A\n will be readded to the doubly linked list. Now the doubly linked\n list is messed up.\n 4. Close the first nosy device and nosy_release will be called. In\n nosy_release, client A will be unlinked and freed.\n 5. Close the second nosy device, and client A will be referenced,\n resulting in UAF.\n\nThe root cause of this bug is that the element in the doubly linked list\nis reentered into the list.\n\nFix this bug by adding a check before inserting a client. 
If a client\nis already in the linked list, don't insert it.\n\nThe following KASAN report reveals it:\n\n BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210\n Write of size 8 at addr ffff888102ad7360 by task poc\n CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n Call Trace:\n nosy_release+0x1ea/0x210\n __fput+0x1e2/0x840\n task_work_run+0xe8/0x180\n exit_to_user_mode_prepare+0x114/0x120\n syscall_exit_to_user_mode+0x1d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Allocated by task 337:\n nosy_open+0x154/0x4d0\n misc_open+0x2ec/0x410\n chrdev_open+0x20d/0x5a0\n do_dentry_open+0x40f/0xe80\n path_openat+0x1cf9/0x37b0\n do_filp_open+0x16d/0x390\n do_sys_openat2+0x11d/0x360\n __x64_sys_open+0xfd/0x1a0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Freed by task 337:\n kfree+0x8f/0x210\n nosy_release+0x158/0x210\n __fput+0x1e2/0x840\n task_work_run+0xe8/0x180\n exit_to_user_mode_prepare+0x114/0x120\n syscall_exit_to_user_mode+0x1d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128\n The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380)\n\n[ Modified to use 'list_empty()' inside proper lock - Linus ]\n\nLink: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/\nReported-and-tested-by: 马哲宇 (Zheyu Ma) \nSigned-off-by: Zheyu Ma \nCc: Greg Kroah-Hartman \nCc: Stefan Richter \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 279638 }, { "func": "\nstatic void io_queue_sqe(struct io_kiocb *req)\n{\n\tint ret;\n\n\tret = io_req_defer(req);\n\tif (ret) {\n\t\tif (ret != -EIOCBQUEUED) {\nfail_req:\n\t\t\tio_req_complete_failed(req, ret);\n\t\t}\n\t} else if (req->flags & REQ_F_FORCE_ASYNC) {\n\t\tret = 
io_req_prep_async(req);\n\t\tif (unlikely(ret))\n\t\t\tgoto fail_req;\n\t\tio_queue_async_work(req);\n\t} else {\n\t\t__io_queue_sqe(req);\n\t}", "project": "linux", "hash": 61254787381095826016313126567838114204, "size": 19, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338560 }, { "func": "\nstatic int bfq_init_queue(struct request_queue *q, struct elevator_type *e)\n{\n\tstruct bfq_data *bfqd;\n\tstruct elevator_queue *eq;\n\n\teq = elevator_alloc(q, e);\n\tif (!eq)\n\t\treturn -ENOMEM;\n\n\tbfqd = kzalloc_node(sizeof(*bfqd), GFP_KERNEL, q->node);\n\tif (!bfqd) {\n\t\tkobject_put(&eq->kobj);\n\t\treturn -ENOMEM;\n\t}\n\teq->elevator_data = bfqd;\n\n\tspin_lock_irq(&q->queue_lock);\n\tq->elevator = eq;\n\tspin_unlock_irq(&q->queue_lock);\n\n\t/*\n\t * Our fallback bfqq if bfq_find_alloc_queue() runs into OOM issues.\n\t * Grab a permanent reference to it, so that the normal code flow\n\t * will not attempt to free it.\n\t */\n\tbfq_init_bfqq(bfqd, &bfqd->oom_bfqq, NULL, 1, 0);\n\tbfqd->oom_bfqq.ref++;\n\tbfqd->oom_bfqq.new_ioprio = BFQ_DEFAULT_QUEUE_IOPRIO;\n\tbfqd->oom_bfqq.new_ioprio_class = IOPRIO_CLASS_BE;\n\tbfqd->oom_bfqq.entity.new_weight 
=\n\t\tbfq_ioprio_to_weight(bfqd->oom_bfqq.new_ioprio);\n\n\t/* oom_bfqq does not participate to bursts */\n\tbfq_clear_bfqq_just_created(&bfqd->oom_bfqq);\n\n\t/*\n\t * Trigger weight initialization, according to ioprio, at the\n\t * oom_bfqq's first activation. The oom_bfqq's ioprio and ioprio\n\t * class won't be changed any more.\n\t */\n\tbfqd->oom_bfqq.entity.prio_changed = 1;\n\n\tbfqd->queue = q;\n\n\tINIT_LIST_HEAD(&bfqd->dispatch);\n\n\thrtimer_init(&bfqd->idle_slice_timer, CLOCK_MONOTONIC,\n\t\t HRTIMER_MODE_REL);\n\tbfqd->idle_slice_timer.function = bfq_idle_slice_timer;\n\n\tbfqd->queue_weights_tree = RB_ROOT_CACHED;\n\tbfqd->num_groups_with_pending_reqs = 0;\n\n\tINIT_LIST_HEAD(&bfqd->active_list);\n\tINIT_LIST_HEAD(&bfqd->idle_list);\n\tINIT_HLIST_HEAD(&bfqd->burst_list);\n\n\tbfqd->hw_tag = -1;\n\tbfqd->nonrot_with_queueing = blk_queue_nonrot(bfqd->queue);\n\n\tbfqd->bfq_max_budget = bfq_default_max_budget;\n\n\tbfqd->bfq_fifo_expire[0] = bfq_fifo_expire[0];\n\tbfqd->bfq_fifo_expire[1] = bfq_fifo_expire[1];\n\tbfqd->bfq_back_max = bfq_back_max;\n\tbfqd->bfq_back_penalty = bfq_back_penalty;\n\tbfqd->bfq_slice_idle = bfq_slice_idle;\n\tbfqd->bfq_timeout = bfq_timeout;\n\n\tbfqd->bfq_requests_within_timer = 120;\n\n\tbfqd->bfq_large_burst_thresh = 8;\n\tbfqd->bfq_burst_interval = msecs_to_jiffies(180);\n\n\tbfqd->low_latency = true;\n\n\t/*\n\t * Trade-off between responsiveness and fairness.\n\t */\n\tbfqd->bfq_wr_coeff = 30;\n\tbfqd->bfq_wr_rt_max_time = msecs_to_jiffies(300);\n\tbfqd->bfq_wr_max_time = 0;\n\tbfqd->bfq_wr_min_idle_time = msecs_to_jiffies(2000);\n\tbfqd->bfq_wr_min_inter_arr_async = msecs_to_jiffies(500);\n\tbfqd->bfq_wr_max_softrt_rate = 7000; /*\n\t\t\t\t\t * Approximate rate required\n\t\t\t\t\t * to playback or record a\n\t\t\t\t\t * high-definition compressed\n\t\t\t\t\t * video.\n\t\t\t\t\t */\n\tbfqd->wr_busy_queues = 0;\n\n\t/*\n\t * Begin by assuming, optimistically, that the device peak\n\t * rate is equal to 2/3 of the 
highest reference rate.\n\t */\n\tbfqd->rate_dur_prod = ref_rate[blk_queue_nonrot(bfqd->queue)] *\n\t\tref_wr_duration[blk_queue_nonrot(bfqd->queue)];\n\tbfqd->peak_rate = ref_rate[blk_queue_nonrot(bfqd->queue)] * 2 / 3;\n\n\tspin_lock_init(&bfqd->lock);\n\n\t/*\n\t * The invocation of the next bfq_create_group_hierarchy\n\t * function is the head of a chain of function calls\n\t * (bfq_create_group_hierarchy->blkcg_activate_policy->\n\t * blk_mq_freeze_queue) that may lead to the invocation of the\n\t * has_work hook function. For this reason,\n\t * bfq_create_group_hierarchy is invoked only after all\n\t * scheduler data has been initialized, apart from the fields\n\t * that can be initialized only after invoking\n\t * bfq_create_group_hierarchy. This, in particular, enables\n\t * has_work to correctly return false. Of course, to avoid\n\t * other inconsistencies, the blk-mq stack must then refrain\n\t * from invoking further scheduler hooks before this init\n\t * function is finished.\n\t */\n\tbfqd->root_group = bfq_create_group_hierarchy(bfqd, q->node);\n\tif (!bfqd->root_group)\n\t\tgoto out_free;\n\tbfq_init_root_group(bfqd->root_group, bfqd);\n\tbfq_init_entity(&bfqd->oom_bfqq.entity, bfqd->root_group);\n\n\twbt_disable_default(q);\n\treturn 0;\n\nout_free:\n\tkfree(bfqd);\n\tkobject_put(&eq->kobj);\n\treturn -ENOMEM;", "project": "linux", "hash": 145474557608018276845270066018783575621, "size": 131, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. 
If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] 
blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 
ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453290 }, { "func": "static ut64 bbInstructions(RAnalFunction *fcn, ut64 addr) {\n\tRListIter *iter;\n\tRAnalBlock *bb;\n\tr_list_foreach (fcn->bbs, iter, bb) {\n\t\tif (R_BETWEEN (bb->addr, addr, bb->addr + bb->size - 1)) {\n\t\t\treturn bb->ninstr;\n\t\t}\n\t}\n\treturn UT64_MAX;\n}", "project": "radare2", "hash": 246041134407410459129007145793128840261, "size": 10, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232110 }, { "func": "static int instance_mkdir(const char *name)\n{\n\tstruct trace_array *tr;\n\tint 
ret;\n\n\tmutex_lock(&event_mutex);\n\tmutex_lock(&trace_types_lock);\n\n\tret = -EEXIST;\n\tlist_for_each_entry(tr, &ftrace_trace_arrays, list) {\n\t\tif (tr->name && strcmp(tr->name, name) == 0)\n\t\t\tgoto out_unlock;\n\t}\n\n\tret = -ENOMEM;\n\ttr = kzalloc(sizeof(*tr), GFP_KERNEL);\n\tif (!tr)\n\t\tgoto out_unlock;\n\n\ttr->name = kstrdup(name, GFP_KERNEL);\n\tif (!tr->name)\n\t\tgoto out_free_tr;\n\n\tif (!alloc_cpumask_var(&tr->tracing_cpumask, GFP_KERNEL))\n\t\tgoto out_free_tr;\n\n\ttr->trace_flags = global_trace.trace_flags & ~ZEROED_TRACE_FLAGS;\n\n\tcpumask_copy(tr->tracing_cpumask, cpu_all_mask);\n\n\traw_spin_lock_init(&tr->start_lock);\n\n\ttr->max_lock = (arch_spinlock_t)__ARCH_SPIN_LOCK_UNLOCKED;\n\n\ttr->current_trace = &nop_trace;\n\n\tINIT_LIST_HEAD(&tr->systems);\n\tINIT_LIST_HEAD(&tr->events);\n\n\tif (allocate_trace_buffers(tr, trace_buf_size) < 0)\n\t\tgoto out_free_tr;\n\n\ttr->dir = tracefs_create_dir(name, trace_instance_dir);\n\tif (!tr->dir)\n\t\tgoto out_free_tr;\n\n\tret = event_trace_add_tracer(tr->dir, tr);\n\tif (ret) {\n\t\ttracefs_remove_recursive(tr->dir);\n\t\tgoto out_free_tr;\n\t}\n\n\tftrace_init_trace_array(tr);\n\n\tinit_tracer_tracefs(tr, tr->dir);\n\tinit_trace_flags_index(tr);\n\t__update_tracer_options(tr);\n\n\tlist_add(&tr->list, &ftrace_trace_arrays);\n\n\tmutex_unlock(&trace_types_lock);\n\tmutex_unlock(&event_mutex);\n\n\treturn 0;\n\n out_free_tr:\n\tfree_trace_buffers(tr);\n\tfree_cpumask_var(tr->tracing_cpumask);\n\tkfree(tr->name);\n\tkfree(tr);\n\n out_unlock:\n\tmutex_unlock(&trace_types_lock);\n\tmutex_unlock(&event_mutex);\n\n\treturn ret;\n\n}", "project": "linux", "hash": 13732287088184516742700229981154381103, "size": 78, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to 
them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445836 }, { "func": "static int reverse_path_check_proc(void *priv, void *cookie, int call_nests)\n{\n\tint error = 0;\n\tstruct file *file = priv;\n\tstruct file *child_file;\n\tstruct epitem *epi;\n\n\t/* CTL_DEL can remove links here, but that can't increase our count */\n\trcu_read_lock();\n\tlist_for_each_entry_rcu(epi, &file->f_ep_links, fllink) {\n\t\tchild_file = epi->ep->file;\n\t\tif (is_file_epoll(child_file)) {\n\t\t\tif (list_empty(&child_file->f_ep_links)) {\n\t\t\t\tif (path_count_inc(call_nests)) {\n\t\t\t\t\terror = -1;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\terror = ep_call_nested(&poll_loop_ncalls,\n\t\t\t\t\t\t\treverse_path_check_proc,\n\t\t\t\t\t\t\tchild_file, child_file,\n\t\t\t\t\t\t\tcurrent);\n\t\t\t}\n\t\t\tif (error != 0)\n\t\t\t\tbreak;\n\t\t} else {\n\t\t\tprintk(KERN_ERR \"reverse_path_check_proc: \"\n\t\t\t\t\"file is not an ep!\\n\");\n\t\t}\n\t}\n\trcu_read_unlock();\n\treturn error;\n}", "project": "linux", "hash": 170315180486594942438584083338389768605, "size": 33, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336248 }, { "func": "Status AttrValueHasType(const AttrValue& attr_value, StringPiece type) {\n int num_set = 0;\n\n#define VALIDATE_FIELD(name, type_string, oneof_case) \\\n do { \\\n if (attr_value.has_list()) { \\\n if (attr_value.list().name##_size() > 0) { \\\n if (type != 
\"list(\" type_string \")\") { \\\n return errors::InvalidArgument( \\\n \"AttrValue had value with type 'list(\" type_string \")' when '\", \\\n type, \"' expected\"); \\\n } \\\n ++num_set; \\\n } \\\n } else if (attr_value.value_case() == AttrValue::oneof_case) { \\\n if (type != type_string) { \\\n return errors::InvalidArgument( \\\n \"AttrValue had value with type '\" type_string \"' when '\", type, \\\n \"' expected\"); \\\n } \\\n ++num_set; \\\n } \\\n } while (false)\n\n VALIDATE_FIELD(s, \"string\", kS);\n VALIDATE_FIELD(i, \"int\", kI);\n VALIDATE_FIELD(f, \"float\", kF);\n VALIDATE_FIELD(b, \"bool\", kB);\n VALIDATE_FIELD(type, \"type\", kType);\n VALIDATE_FIELD(shape, \"shape\", kShape);\n VALIDATE_FIELD(tensor, \"tensor\", kTensor);\n VALIDATE_FIELD(func, \"func\", kFunc);\n\n#undef VALIDATE_FIELD\n\n if (attr_value.value_case() == AttrValue::kPlaceholder) {\n return errors::InvalidArgument(\n \"AttrValue had value with unexpected type 'placeholder'\");\n }\n\n // If the attr type is 'list', we expect attr_value.has_list() to be\n // true. However, proto3's attr_value.has_list() can be false when\n // set to an empty list for GraphDef versions <= 4. So we simply\n // check if has_list is false and some other field in attr_value is\n // set to flag the error. 
This test can be made more strict once\n // support for GraphDef versions <= 4 is dropped.\n if (absl::StartsWith(type, \"list(\") && !attr_value.has_list()) {\n if (num_set) {\n return errors::InvalidArgument(\n \"AttrValue missing value with expected type '\", type, \"'\");\n } else {\n // Indicate that we have a list, but an empty one.\n ++num_set;\n }\n }\n\n // Okay to have an empty list, but not to be missing a non-list value.\n if (num_set == 0 && !absl::StartsWith(type, \"list(\")) {\n return errors::InvalidArgument(\n \"AttrValue missing value with expected type '\", type, \"'\");\n }\n\n // Ref types and DT_INVALID are illegal, and DataTypes must\n // be a valid enum type.\n if (type == \"type\") {\n if (!DataType_IsValid(attr_value.type())) {\n return errors::InvalidArgument(\"AttrValue has invalid DataType enum: \",\n attr_value.type());\n }\n if (IsRefType(attr_value.type())) {\n return errors::InvalidArgument(\n \"AttrValue must not have reference type value of \",\n DataTypeString(attr_value.type()));\n }\n if (attr_value.type() == DT_INVALID) {\n return errors::InvalidArgument(\"AttrValue has invalid DataType\");\n }\n } else if (type == \"list(type)\") {\n for (auto as_int : attr_value.list().type()) {\n const DataType dtype = static_cast(as_int);\n if (!DataType_IsValid(dtype)) {\n return errors::InvalidArgument(\"AttrValue has invalid DataType enum: \",\n as_int);\n }\n if (IsRefType(dtype)) {\n return errors::InvalidArgument(\n \"AttrValue must not have reference type value of \",\n DataTypeString(dtype));\n }\n if (dtype == DT_INVALID) {\n return errors::InvalidArgument(\"AttrValue contains invalid DataType\");\n }\n }\n }\n\n return Status::OK();\n}", "project": "tensorflow", "hash": 316030032876330763700899669535802259064, "size": 97, "commit_id": "c2426bba00a01de6913738df8fa78e0215fcce02", "message": "Use `PartialTensorShape` instead of `TensorShape`.\n\n`TensorShape` constructor throws a CHECK-fail if shape is partial/overflows which the 
other doesn't. We are only determining the number of elements in the shape and partial shape should be used as it returns negative number when needed.\n\nPiperOrigin-RevId: 409205384\nChange-Id: Ia56542ff9ec758f2c9ffc7e4dcc9fa7eecd86e7b", "target": 0, "dataset": "other", "idx": 223166 }, { "func": "static OPJ_UINT32 opj_j2k_get_SPCod_SPCoc_size(opj_j2k_t *p_j2k,\n OPJ_UINT32 p_tile_no,\n OPJ_UINT32 p_comp_no)\n{\n opj_cp_t *l_cp = 00;\n opj_tcp_t *l_tcp = 00;\n opj_tccp_t *l_tccp = 00;\n\n /* preconditions */\n assert(p_j2k != 00);\n\n l_cp = &(p_j2k->m_cp);\n l_tcp = &l_cp->tcps[p_tile_no];\n l_tccp = &l_tcp->tccps[p_comp_no];\n\n /* preconditions again */\n assert(p_tile_no < (l_cp->tw * l_cp->th));\n assert(p_comp_no < p_j2k->m_private_image->numcomps);\n\n if (l_tccp->csty & J2K_CCP_CSTY_PRT) {\n return 5 + l_tccp->numresolutions;\n } else {\n return 5;\n }\n}", "project": "openjpeg", "hash": 58647661365990530801662339477923451882, "size": 25, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357303 }, { "func": "int oidc_handle_remove_at_cache(request_rec *r, oidc_cfg *c) {\n\tchar *access_token = NULL;\n\toidc_util_get_request_parameter(r,\n\t\t\tOIDC_REDIRECT_URI_REQUEST_REMOVE_AT_CACHE, &access_token);\n\n\tchar *cache_entry = NULL;\n\toidc_cache_get_access_token(r, access_token, &cache_entry);\n\tif (cache_entry == NULL) {\n\t\toidc_error(r, \"no cached access token found for value: %s\",\n\t\t\t\taccess_token);\n\t\treturn HTTP_NOT_FOUND;\n\t}\n\n\toidc_cache_set_access_token(r, access_token, NULL, 0);\n\n\treturn OK;\n}", "project": "mod_auth_openidc", "hash": 295461248116813250901741004324573414913, "size": 17, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks 
@oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381931 }, { "func": "OPJ_SIZE_T opj_tcd_get_encoded_tile_size(opj_tcd_t *p_tcd)\n{\n OPJ_UINT32 i;\n OPJ_SIZE_T l_data_size = 0;\n opj_image_comp_t * l_img_comp = 00;\n opj_tcd_tilecomp_t * l_tilec = 00;\n OPJ_UINT32 l_size_comp, l_remaining;\n\n l_tilec = p_tcd->tcd_image->tiles->comps;\n l_img_comp = p_tcd->image->comps;\n for (i = 0; i < p_tcd->image->numcomps; ++i) {\n l_size_comp = l_img_comp->prec >> 3; /*(/ 8)*/\n l_remaining = l_img_comp->prec & 7; /* (%8) */\n\n if (l_remaining) {\n ++l_size_comp;\n }\n\n if (l_size_comp == 3) {\n l_size_comp = 4;\n }\n\n l_data_size += l_size_comp * ((OPJ_SIZE_T)(l_tilec->x1 - l_tilec->x0) *\n (OPJ_SIZE_T)(l_tilec->y1 - l_tilec->y0));\n ++l_img_comp;\n ++l_tilec;\n }\n\n return l_data_size;\n}", "project": "openjpeg", "hash": 216118520754968093992494245041520211035, "size": 30, "commit_id": "05f9b91e60debda0e83977e5e63b2e66486f7074", "message": "opj_tcd_init_tile(): avoid integer overflow\n\nThat could lead to later assertion failures.\n\nFixes #1231 / CVE-2020-8112", "target": 0, "dataset": "other", "idx": 451984 }, { "func": "void CClient::ParseIdentifier(const CString& sAuthLine) {\n // user[@identifier]\n\n const size_t uAt = sAuthLine.rfind(\"@\");\n if (uAt != CString::npos) {\n const CString sId = sAuthLine.substr(uAt + 1);\n\n if (IsValidIdentifier(sId)) {\n m_sIdentifier = sId;\n m_sUser = sAuthLine.substr(0, uAt);\n } else {\n m_sUser = sAuthLine;\n }\n } else {\n m_sUser = sAuthLine;\n }\n}", "project": "znc", "hash": 12897915487508938825333915333557584553, "size": 17, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231562 }, { "func": "const char* oidc_request_state_get(request_rec *r, const char *key) {\n\n\t/* get a handle to the global state, which is a table */\n\tapr_table_t *state = oidc_request_state(r);\n\n\t/* 
return the value from the table */\n\treturn apr_table_get(state, key);\n}", "project": "mod_auth_openidc", "hash": 148542268492264877877452834502198844581, "size": 8, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381930 }, { "func": "void fuse_change_entry_timeout(struct dentry *entry, struct fuse_entry_out *o)\n{\n\tfuse_dentry_settime(entry,\n\t\ttime_to_jiffies(o->entry_valid, o->entry_valid_nsec));\n}", "project": "linux", "hash": 118633676907391318110362410668351307278, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341957 }, { "func": "void vc_uniscr_copy_line(struct vc_data *vc, void *dest, int viewed,\n\t\t\t unsigned int row, unsigned int col, unsigned int nr)\n{\n\tstruct uni_screen *uniscr = get_vc_uniscr(vc);\n\tint offset = row * vc->vc_size_row + col * 2;\n\tunsigned long pos;\n\n\tBUG_ON(!uniscr);\n\n\tpos = (unsigned long)screenpos(vc, offset, viewed);\n\tif (pos >= vc->vc_origin && pos < vc->vc_scr_end) {\n\t\t/*\n\t\t * Desired position falls in the main screen buffer.\n\t\t * However the actual row/col might be different if\n\t\t * scrollback is active.\n\t\t */\n\t\trow = (pos - vc->vc_origin) / vc->vc_size_row;\n\t\tcol = ((pos - vc->vc_origin) % vc->vc_size_row) / 2;\n\t\tmemcpy(dest, &uniscr->lines[row][col], nr * sizeof(char32_t));\n\t} else {\n\t\t/*\n\t\t * Scrollback is active. For now let's simply backtranslate\n\t\t * the screen glyphs until the unicode screen buffer does\n\t\t * synchronize with console display drivers for a scrollback\n\t\t * buffer of its own.\n\t\t */\n\t\tu16 *p = (u16 *)pos;\n\t\tint mask = vc->vc_hi_font_mask | 0xff;\n\t\tchar32_t *uni_buf = dest;\n\t\twhile (nr--) {\n\t\t\tu16 glyph = scr_readw(p++) & mask;\n\t\t\t*uni_buf++ = inverse_translate(vc, glyph, true);\n\t\t}\n\t}\n}", "project": "linux", "hash": 76417725861936491342666001177807699464, "size": 35, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). 
This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 
[inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437034 }, { "func": "static int oidc_handle_refresh_token_request(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session) {\n\n\tchar *return_to = NULL;\n\tchar *r_access_token = NULL;\n\tchar *error_code = NULL;\n\tchar *error_str = NULL;\n\tchar *error_description = NULL;\n\tapr_byte_t needs_save = TRUE;\n\n\t/* get the command passed to the session management handler */\n\toidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_REFRESH,\n\t\t\t&return_to);\n\toidc_util_get_request_parameter(r, OIDC_PROTO_ACCESS_TOKEN,\n\t\t\t&r_access_token);\n\n\t/* check the input parameters */\n\tif (return_to == NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"refresh token request handler called with no URL to return to\");\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\t/* do input validation on the return to parameter value */\n\tif (oidc_validate_redirect_url(r, c, return_to, TRUE, &error_str,\n\t\t\t&error_description) == FALSE) {\n\t\toidc_error(r, \"return_to URL validation failed: %s: %s\", error_str,\n\t\t\t\terror_description);\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\tif (r_access_token == NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"refresh token request handler called with no access_token parameter\");\n\t\terror_code = \"no_access_token\";\n\t\tgoto end;\n\t}\n\n\tconst char *s_access_token = oidc_session_get_access_token(r, session);\n\tif (s_access_token == NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"no existing access_token found in the session, nothing to 
refresh\");\n\t\terror_code = \"no_access_token_exists\";\n\t\tgoto end;\n\t}\n\n\t/* compare the access_token parameter used for XSRF protection */\n\tif (apr_strnatcmp(s_access_token, r_access_token) != 0) {\n\t\toidc_error(r,\n\t\t\t\t\"access_token passed in refresh request does not match the one stored in the session\");\n\t\terror_code = \"no_access_token_match\";\n\t\tgoto end;\n\t}\n\n\t/* get a handle to the provider configuration */\n\toidc_provider_t *provider = NULL;\n\tif (oidc_get_provider_from_session(r, c, session, &provider) == FALSE) {\n\t\terror_code = \"session_corruption\";\n\t\tgoto end;\n\t}\n\n\t/* execute the actual refresh grant */\n\tif (oidc_refresh_access_token(r, c, session, provider, NULL) == FALSE) {\n\t\toidc_error(r, \"access_token could not be refreshed\");\n\t\terror_code = \"refresh_failed\";\n\t\tgoto end;\n\t}\n\n\t/* pass the tokens to the application, possibly updating the expiry */\n\tif (oidc_session_pass_tokens(r, c, session, &needs_save) == FALSE) {\n\t\terror_code = \"session_corruption\";\n\t\tgoto end;\n\t}\n\n\tif (oidc_session_save(r, session, FALSE) == FALSE) {\n\t\terror_code = \"error saving session\";\n\t\tgoto end;\n\t}\n\nend:\n\n\t/* pass optional error message to the return URL */\n\tif (error_code != NULL)\n\t\treturn_to = apr_psprintf(r->pool, \"%s%serror_code=%s\", return_to,\n\t\t\t\tstrchr(return_to ? 
return_to : \"\", OIDC_CHAR_QUERY) ?\n\t\t\t\t\t\tOIDC_STR_AMP :\n\t\t\t\t\t\tOIDC_STR_QUERY, oidc_util_escape_string(r, error_code));\n\n\t/* add the redirect location header */\n\toidc_util_hdr_out_location_set(r, return_to);\n\n\treturn HTTP_MOVED_TEMPORARILY;\n}", "project": "mod_auth_openidc", "hash": 268111742054039640909971892627847932667, "size": 93, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381932 }, { "func": "static int oidc_handle_refresh_token_request(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session) {\n\n\tchar *return_to = NULL;\n\tchar *r_access_token = NULL;\n\tchar *error_code = NULL;\n\n\t/* get the command passed to the session management handler */\n\toidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_REFRESH,\n\t\t\t&return_to);\n\toidc_util_get_request_parameter(r, OIDC_PROTO_ACCESS_TOKEN,\n\t\t\t&r_access_token);\n\n\t/* check the input parameters */\n\tif (return_to == NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"refresh token request handler called with no URL to return to\");\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\tif (r_access_token == NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"refresh token request handler called with no access_token parameter\");\n\t\terror_code = \"no_access_token\";\n\t\tgoto end;\n\t}\n\n\tconst char *s_access_token = oidc_session_get_access_token(r, session);\n\tif (s_access_token == NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"no existing access_token found in the session, nothing to refresh\");\n\t\terror_code = \"no_access_token_exists\";\n\t\tgoto end;\n\t}\n\n\t/* compare the access_token parameter used for XSRF protection */\n\tif (apr_strnatcmp(s_access_token, r_access_token) != 0) {\n\t\toidc_error(r,\n\t\t\t\t\"access_token passed in refresh request does not match the one 
stored in the session\");\n\t\terror_code = \"no_access_token_match\";\n\t\tgoto end;\n\t}\n\n\t/* get a handle to the provider configuration */\n\toidc_provider_t *provider = NULL;\n\tif (oidc_get_provider_from_session(r, c, session, &provider) == FALSE) {\n\t\terror_code = \"session_corruption\";\n\t\tgoto end;\n\t}\n\n\t/* execute the actual refresh grant */\n\tif (oidc_refresh_access_token(r, c, session, provider, NULL) == FALSE) {\n\t\toidc_error(r, \"access_token could not be refreshed\");\n\t\terror_code = \"refresh_failed\";\n\t\tgoto end;\n\t}\n\n\t/* pass the tokens to the application and save the session, possibly updating the expiry */\n\tif (oidc_session_pass_tokens_and_save(r, c, session, TRUE) == FALSE) {\n\t\terror_code = \"session_corruption\";\n\t\tgoto end;\n\t}\n\nend:\n\n\t/* pass optional error message to the return URL */\n\tif (error_code != NULL)\n\t\treturn_to = apr_psprintf(r->pool, \"%s%serror_code=%s\", return_to,\n\t\t\t\tstrchr(return_to ? return_to : \"\", OIDC_CHAR_QUERY) ?\n\t\t\t\t\t\tOIDC_STR_AMP :\n\t\t\t\t\t\tOIDC_STR_QUERY, oidc_util_escape_string(r, error_code));\n\n\t/* add the redirect location header */\n\toidc_util_hdr_out_location_set(r, return_to);\n\n\treturn HTTP_MOVED_TEMPORARILY;\n}", "project": "mod_auth_openidc", "hash": 149551310913941710354693445523226809769, "size": 77, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447699 }, { "func": "void gdImageString16 (gdImagePtr im, gdFontPtr f, int x, int y, unsigned short *s, int color)\n{\n\tint i;\n\tint l;\n\tl = strlen16(s);\n\tfor (i = 0; (i < l); i++) {\n\t\tgdImageChar(im, f, x, y, s[i], color);\n\t\tx += f->w;\n\t}\n}", "project": "php-src", "hash": 168902098138914667999026501860561393139, "size": 10, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap 
overflow", "target": 0, "dataset": "other", "idx": 295183 }, { "func": "static int kvm_s390_handle_requests(struct kvm_vcpu *vcpu)\n{\nretry:\n\tkvm_s390_vcpu_request_handled(vcpu);\n\tif (!kvm_request_pending(vcpu))\n\t\treturn 0;\n\t/*\n\t * We use MMU_RELOAD just to re-arm the ipte notifier for the\n\t * guest prefix page. gmap_mprotect_notify will wait on the ptl lock.\n\t * This ensures that the ipte instruction for this request has\n\t * already finished. We might race against a second unmapper that\n\t * wants to set the blocking bit. Lets just retry the request loop.\n\t */\n\tif (kvm_check_request(KVM_REQ_MMU_RELOAD, vcpu)) {\n\t\tint rc;\n\t\trc = gmap_mprotect_notify(vcpu->arch.gmap,\n\t\t\t\t\t kvm_s390_get_prefix(vcpu),\n\t\t\t\t\t PAGE_SIZE * 2, PROT_WRITE);\n\t\tif (rc) {\n\t\t\tkvm_make_request(KVM_REQ_MMU_RELOAD, vcpu);\n\t\t\treturn rc;\n\t\t}\n\t\tgoto retry;\n\t}\n\n\tif (kvm_check_request(KVM_REQ_TLB_FLUSH, vcpu)) {\n\t\tvcpu->arch.sie_block->ihcpu = 0xffff;\n\t\tgoto retry;\n\t}\n\n\tif (kvm_check_request(KVM_REQ_ENABLE_IBS, vcpu)) {\n\t\tif (!ibs_enabled(vcpu)) {\n\t\t\ttrace_kvm_s390_enable_disable_ibs(vcpu->vcpu_id, 1);\n\t\t\tkvm_s390_set_cpuflags(vcpu, CPUSTAT_IBS);\n\t\t}\n\t\tgoto retry;\n\t}\n\n\tif (kvm_check_request(KVM_REQ_DISABLE_IBS, vcpu)) {\n\t\tif (ibs_enabled(vcpu)) {\n\t\t\ttrace_kvm_s390_enable_disable_ibs(vcpu->vcpu_id, 0);\n\t\t\tkvm_s390_clear_cpuflags(vcpu, CPUSTAT_IBS);\n\t\t}\n\t\tgoto retry;\n\t}\n\n\tif (kvm_check_request(KVM_REQ_ICPT_OPEREXC, vcpu)) {\n\t\tvcpu->arch.sie_block->ictl |= ICTL_OPEREXC;\n\t\tgoto retry;\n\t}\n\n\tif (kvm_check_request(KVM_REQ_START_MIGRATION, vcpu)) {\n\t\t/*\n\t\t * Disable CMM virtualization; we will emulate the ESSA\n\t\t * instruction manually, in order to provide additional\n\t\t * functionalities needed for live migration.\n\t\t */\n\t\tvcpu->arch.sie_block->ecb2 &= ~ECB2_CMMA;\n\t\tgoto retry;\n\t}\n\n\tif (kvm_check_request(KVM_REQ_STOP_MIGRATION, vcpu)) {\n\t\t/*\n\t\t * 
Re-enable CMM virtualization if CMMA is available and\n\t\t * CMM has been used.\n\t\t */\n\t\tif ((vcpu->kvm->arch.use_cmma) &&\n\t\t (vcpu->kvm->mm->context.uses_cmm))\n\t\t\tvcpu->arch.sie_block->ecb2 |= ECB2_CMMA;\n\t\tgoto retry;\n\t}\n\n\t/* nothing to do, just clear the request */\n\tkvm_clear_request(KVM_REQ_UNHALT, vcpu);\n\t/* we left the vsie handler, nothing to do, just clear the request */\n\tkvm_clear_request(KVM_REQ_VSIE_RESTART, vcpu);\n\n\treturn 0;\n}", "project": "linux", "hash": 113530936744472529321525199395752985885, "size": 79, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354720 }, { "func": "static int nfs41_test_and_free_expired_stateid(struct nfs_server *server,\n\t\tnfs4_stateid *stateid,\n\t\tconst struct cred *cred)\n{\n\tint status;\n\n\tswitch (stateid->type) {\n\tdefault:\n\t\tbreak;\n\tcase NFS4_INVALID_STATEID_TYPE:\n\tcase NFS4_SPECIAL_STATEID_TYPE:\n\t\treturn -NFS4ERR_BAD_STATEID;\n\tcase NFS4_REVOKED_STATEID_TYPE:\n\t\tgoto out_free;\n\t}\n\n\tstatus = nfs41_test_stateid(server, stateid, cred);\n\tswitch (status) {\n\tcase -NFS4ERR_EXPIRED:\n\tcase -NFS4ERR_ADMIN_REVOKED:\n\tcase -NFS4ERR_DELEG_REVOKED:\n\t\tbreak;\n\tdefault:\n\t\treturn status;\n\t}\nout_free:\n\t/* Ack the revoked state to the server */\n\tnfs41_free_stateid(server, stateid, cred, 
true);\n\treturn -NFS4ERR_EXPIRED;\n}", "project": "linux", "hash": 76517342922110761473786599061975812688, "size": 30, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431578 }, { "func": "int bcf_update_filter(const bcf_hdr_t *hdr, bcf1_t *line, int *flt_ids, int n)\n{\n if ( !(line->unpacked & BCF_UN_FLT) ) bcf_unpack(line, BCF_UN_FLT);\n line->d.shared_dirty |= BCF1_DIRTY_FLT;\n line->d.n_flt = n;\n if ( !n ) return 0;\n hts_expand(int, line->d.n_flt, line->d.m_flt, line->d.flt);\n int i;\n for (i=0; id.flt[i] = flt_ids[i];\n return 0;\n}", "project": "htslib", "hash": 112255303761078420505899017163059092688, "size": 12, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402202 }, { "func": "\tkfree(session);\n}\n\nint iscsi_is_session_dev(const struct device *dev)", "project": "linux", "hash": 318717283178661384213725443318314124198, "size": 4, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379967 }, { "project": "phosphor-host-ipmid", "commit_id": "b265455a2518ece7c004b43c144199ec980fc620", "target": 0, "func": "std::time_t PasswdMgr::getUpdatedFileTime()\n{\n struct stat fileStat = {};\n if (stat(passwdFileName, &fileStat) != 0)\n {\n log(\"Error - Getting passwd file time stamp\");\n return -EIO;\n }\n return fileStat.st_mtime;\n}", "idx": 519581, "cwe": "CWE-276", "hash": 148138489644515395895610594693377995254, "dataset": "other" }, { "func": "int r_bin_pdb_download(RCore *core, int isradjson, int *actions_done, SPDBOptions *options) {\n\tint ret;\n\tSPDBDownloaderOpt opt;\n\tSPDBDownloader pdb_downloader;\n\tRBinInfo *info = r_bin_get_info (core->bin);\n\n\tif (!info || !info->debug_file_name) {\n\t\teprintf (\"Can't find debug filename\\n\");\n\t\treturn 1;\n\t}\n\n\tif (!is_valid_guid (info->guid)) {\n\t\teprintf (\"Invalid GUID for file\\n\");\n\t\treturn 1;\n\t}\n\n\tif (!options || !options->symbol_server || !options->user_agent) 
{\n\t\teprintf (\"Can't retrieve pdb configurations\\n\");\n\t\treturn 1;\n\t}\n\n\topt.dbg_file = (char*) r_file_basename (info->debug_file_name);\n\topt.guid = info->guid;\n\topt.symbol_server = options->symbol_server;\n\topt.user_agent = options->user_agent;\n\topt.symbol_store_path = options->symbol_store_path;\n\topt.extract = options->extract;\n\n\tinit_pdb_downloader (&opt, &pdb_downloader);\n\tret = pdb_downloader.download ? pdb_downloader.download (&pdb_downloader) : 0;\n\tif (isradjson && actions_done) {\n\t\tprintf (\"%s\\\"pdb\\\":{\\\"file\\\":\\\"%s\\\",\\\"download\\\":%s}\",\n\t\t *actions_done ? \",\" : \"\", opt.dbg_file, ret ? \"true\" : \"false\");\n\t} else {\n\t\tprintf (\"PDB \\\"%s\\\" download %s\\n\",\n\t\t opt.dbg_file, ret ? \"success\" : \"failed\");\n\t}\n\tif (actions_done) {\n\t\t(*actions_done)++;\n\t}\n\tdeinit_pdb_downloader (&pdb_downloader);\n\n\treturn 0;\n}", "project": "radare2", "hash": 153392012748967202329860792572221348999, "size": 44, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268822 }, { "func": "UnicodeStringTest::TestCountChar32(void) {\n {\n UnicodeString s=UNICODE_STRING(\"\\\\U0002f999\\\\U0001d15f\\\\u00c4\\\\u1ed0\", 32).unescape();\n\n // test countChar32()\n // note that this also calls and tests u_countChar32(length>=0)\n if(\n s.countChar32()!=4 ||\n s.countChar32(1)!=4 ||\n s.countChar32(2)!=3 ||\n s.countChar32(2, 3)!=2 ||\n s.countChar32(2, 0)!=0\n ) {\n errln(\"UnicodeString::countChar32() failed\");\n }\n\n // NUL-terminate the string buffer and test u_countChar32(length=-1)\n const UChar *buffer=s.getTerminatedBuffer();\n if(\n u_countChar32(buffer, -1)!=4 ||\n u_countChar32(buffer+1, -1)!=4 ||\n u_countChar32(buffer+2, -1)!=3 ||\n u_countChar32(buffer+3, -1)!=3 ||\n u_countChar32(buffer+4, -1)!=2 ||\n u_countChar32(buffer+5, -1)!=1 ||\n u_countChar32(buffer+6, -1)!=0\n ) {\n errln(\"u_countChar32(length=-1) failed\");\n }\n\n // test u_countChar32() with bad input\n if(u_countChar32(NULL, 5)!=0 || u_countChar32(buffer, -2)!=0) {\n errln(\"u_countChar32(bad input) failed (returned non-zero counts)\");\n }\n }\n\n /* test data and variables for hasMoreChar32Than() */\n static const UChar str[]={\n 0x61, 0x62, 0xd800, 0xdc00,\n 0xd801, 0xdc01, 0x63, 0xd802,\n 0x64, 0xdc03, 0x65, 0x66,\n 0xd804, 0xdc04, 0xd805, 0xdc05,\n 0x67\n };\n UnicodeString string(str, UPRV_LENGTHOF(str));\n int32_t start, length, number;\n\n /* test hasMoreChar32Than() 
*/\n for(length=string.length(); length>=0; --length) {\n for(start=0; start<=length; ++start) {\n for(number=-1; number<=((length-start)+2); ++number) {\n _testUnicodeStringHasMoreChar32Than(string, start, length-start, number);\n }\n }\n }\n\n /* test hasMoreChar32Than() with pinning */\n for(start=-1; start<=string.length()+1; ++start) {\n for(number=-1; number<=((string.length()-start)+2); ++number) {\n _testUnicodeStringHasMoreChar32Than(string, start, 0x7fffffff, number);\n }\n }\n\n /* test hasMoreChar32Than() with a bogus string */\n string.setToBogus();\n for(length=-1; length<=1; ++length) {\n for(start=-1; start<=length; ++start) {\n for(number=-1; number<=((length-start)+2); ++number) {\n _testUnicodeStringHasMoreChar32Than(string, start, length-start, number);\n }\n }\n }\n}", "project": "icu", "hash": 150443622598826222449877830520160337630, "size": 73, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430823 }, { "func": "static int grep_cache(struct grep_opt *opt, const char **paths, int cached)\n{\n\tint hit = 0;\n\tint nr;\n\tread_cache();\n\n#if !NO_EXTERNAL_GREP\n\t/*\n\t * Use the external \"grep\" command for the case where\n\t * we grep through the checked-out files. 
It tends to\n\t * be a lot more optimized\n\t */\n\tif (!cached) {\n\t\thit = external_grep(opt, paths, cached);\n\t\tif (hit >= 0)\n\t\t\treturn hit;\n\t}\n#endif\n\n\tfor (nr = 0; nr < active_nr; nr++) {\n\t\tstruct cache_entry *ce = active_cache[nr];\n\t\tif (!S_ISREG(ce->ce_mode))\n\t\t\tcontinue;\n\t\tif (!pathspec_matches(paths, ce->name))\n\t\t\tcontinue;\n\t\tif (cached) {\n\t\t\tif (ce_stage(ce))\n\t\t\t\tcontinue;\n\t\t\thit |= grep_sha1(opt, ce->sha1, ce->name, 0);\n\t\t}\n\t\telse\n\t\t\thit |= grep_file(opt, ce->name);\n\t\tif (ce_stage(ce)) {\n\t\t\tdo {\n\t\t\t\tnr++;\n\t\t\t} while (nr < active_nr &&\n\t\t\t\t !strcmp(ce->name, active_cache[nr]->name));\n\t\t\tnr--; /* compensate for loop control */\n\t\t}\n\t}\n\tfree_grep_patterns(opt);\n\treturn hit;\n}", "project": "git", "hash": 209658755404871282058550620696987540617, "size": 43, "commit_id": "620e2bb93785ed8eb60846d94fd4753d4817c8ec", "message": "Fix buffer overflow in git-grep\n\nIf PATH_MAX on your system is smaller than any path stored in the git\nrepository, that can cause memory corruption inside of the grep_tree\nfunction used by git-grep.\n\nSigned-off-by: Dmitry Potapov \nSigned-off-by: Junio C Hamano ", "target": 0, "dataset": "other", "idx": 446049 }, { "func": "static OPJ_BOOL opj_tcd_dwt_decode(opj_tcd_t *p_tcd)\n{\n OPJ_UINT32 compno;\n opj_tcd_tile_t * l_tile = p_tcd->tcd_image->tiles;\n opj_tcd_tilecomp_t * l_tile_comp = l_tile->comps;\n opj_tccp_t * l_tccp = p_tcd->tcp->tccps;\n opj_image_comp_t * l_img_comp = p_tcd->image->comps;\n\n for (compno = 0; compno < l_tile->numcomps;\n compno++, ++l_tile_comp, ++l_img_comp, ++l_tccp) {\n if (p_tcd->used_component != NULL && !p_tcd->used_component[compno]) {\n continue;\n }\n\n if (l_tccp->qmfbid == 1) {\n if (! opj_dwt_decode(p_tcd, l_tile_comp,\n l_img_comp->resno_decoded + 1)) {\n return OPJ_FALSE;\n }\n } else {\n if (! 
opj_dwt_decode_real(p_tcd, l_tile_comp,\n l_img_comp->resno_decoded + 1)) {\n return OPJ_FALSE;\n }\n }\n\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 333916928880907470160430852037855428323, "size": 30, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359154 }, { "func": "static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,\n\t\t\t struct iovec *iovec, struct iovec *fast_iov,\n\t\t\t struct iov_iter *iter)\n{\n\tstruct io_async_rw *rw = &req->io->rw;\n\n\trw->nr_segs = iter->nr_segs;\n\trw->size = io_size;\n\tif (!iovec) {\n\t\trw->iov = rw->fast_iov;\n\t\tif (rw->iov != fast_iov)\n\t\t\tmemcpy(rw->iov, fast_iov,\n\t\t\t sizeof(struct iovec) * iter->nr_segs);\n\t} else {\n\t\trw->iov = iovec;\n\t\treq->flags |= REQ_F_NEED_CLEANUP;\n\t}\n}", "project": "linux", "hash": 247318394988768294541516957464493717195, "size": 18, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456934 }, { "func": "static ssize_t fuse_cache_read_iter(struct kiocb *iocb, struct iov_iter *to)\n{\n\tstruct inode *inode = iocb->ki_filp->f_mapping->host;\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\n\t/*\n\t * In auto invalidate mode, always update attributes on read.\n\t * Otherwise, only update if we attempt to read past EOF (to 
ensure\n\t * i_size is up to date).\n\t */\n\tif (fc->auto_inval_data ||\n\t (iocb->ki_pos + iov_iter_count(to) > i_size_read(inode))) {\n\t\tint err;\n\t\terr = fuse_update_attributes(inode, iocb->ki_filp);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\n\treturn generic_file_read_iter(iocb, to);\n}", "project": "linux", "hash": 278629213990136057339649673280083755534, "size": 20, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342133 }, { "func": "int preg_replace_callback(Variant& result,\n const Variant& pattern,\n const Variant& callback,\n const Variant& subject,\n int limit /* = -1 */) {\n int64_t count;\n result = preg_replace_impl(pattern, callback, subject,\n limit, &count, true, false);\n return count;\n}", "project": "hhvm", "hash": 191688456344292024186090164701612845554, "size": 10, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219363 }, { "func": "static int sctp_setsockopt_delayed_ack(struct sock *sk,\n\t\t\t\t struct sctp_sack_info *params,\n\t\t\t\t unsigned int optlen)\n{\n\tif (optlen == sizeof(struct sctp_assoc_value)) {\n\t\tstruct sctp_assoc_value *v = (struct sctp_assoc_value *)params;\n\t\tstruct sctp_sack_info p;\n\n\t\tpr_warn_ratelimited(DEPRECATED\n\t\t\t\t \"%s (pid %d) \"\n\t\t\t\t \"Use of struct sctp_assoc_value in delayed_ack socket option.\\n\"\n\t\t\t\t \"Use struct sctp_sack_info instead\\n\",\n\t\t\t\t current->comm, task_pid_nr(current));\n\n\t\tp.sack_assoc_id = v->assoc_id;\n\t\tp.sack_delay = v->assoc_value;\n\t\tp.sack_freq = v->assoc_value ? 
0 : 1;\n\t\treturn __sctp_setsockopt_delayed_ack(sk, &p);\n\t}\n\n\tif (optlen != sizeof(struct sctp_sack_info))\n\t\treturn -EINVAL;\n\tif (params->sack_delay == 0 && params->sack_freq == 0)\n\t\treturn 0;\n\treturn __sctp_setsockopt_delayed_ack(sk, params);\n}", "project": "linux", "hash": 144622845071646258217700011765635471926, "size": 26, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398117 }, { "func": "void CLua::init_libraries()\n{\n lua_stack_cleaner clean(state());\n\n // Open Crawl bindings\n cluaopen_kills(_state);\n cluaopen_you(_state);\n cluaopen_item(_state);\n cluaopen_food(_state);\n cluaopen_crawl(_state);\n cluaopen_file(_state);\n cluaopen_moninf(_state);\n cluaopen_options(_state);\n cluaopen_travel(_state);\n cluaopen_view(_state);\n cluaopen_spells(_state);\n\n cluaopen_globals(_state);\n\n execfile(\"dlua/macro.lua\", true, true);\n\n // All hook names must be chk_????\n execstring(\"chk_startgame = { }\", \"base\");\n\n lua_register(_state, \"loadfile\", _clua_loadfile);\n lua_register(_state, \"dofile\", _clua_dofile);\n\n lua_register(_state, \"crawl_require\", _clua_require);\n\n execfile(\"dlua/util.lua\", true, true);\n execfile(\"dlua/iter.lua\", true, true);\n execfile(\"dlua/tags.lua\", true, true);\n execfile(\"dlua/init.lua\", true, true);\n\n if (managed_vm)\n {\n lua_register(_state, \"pcall\", _clua_guarded_pcall);\n execfile(\"dlua/userbase.lua\", true, true);\n execfile(\"dlua/persist.lua\", true, true);\n }\n}", "project": "crawl", "hash": 154780829118697956425756187036263034182, "size": 41, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 1, "dataset": "other", "idx": 195675 }, { "func": " size_t node_def_count() const override { return node_defs_.size(); }", "project": "tensorflow", "hash": 325843240656447073306619792409449993789, "size": 1, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. 
Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268343 }, { "func": " size_t node_def_count() const override { return graph_def_.node().size(); }", "project": "tensorflow", "hash": 238298430597127109581121275007957481833, "size": 1, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268367 }, { "func": "static int process_main_locator_extra_block(struct archive_read* a,\n struct rar5* rar)\n{\n\tuint64_t locator_flags;\n\n\tenum LOCATOR_FLAGS {\n\t\tQLIST = 0x01, RECOVERY = 0x02,\n\t};\n\n\tif(!read_var(a, &locator_flags, NULL)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\tif(locator_flags & QLIST) {\n\t\tif(!read_var(a, &rar->qlist_offset, NULL)) {\n\t\t\treturn ARCHIVE_EOF;\n\t\t}\n\n\t\t/* qlist is not used */\n\t}\n\n\tif(locator_flags & RECOVERY) {\n\t\tif(!read_var(a, &rar->rr_offset, NULL)) {\n\t\t\treturn ARCHIVE_EOF;\n\t\t}\n\n\t\t/* rr is not used */\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 305621940465193371351051213094128559443, "size": 31, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244792 }, { "func": "static inline bool can_do_pageout(struct vm_area_struct *vma)\n{\n\tif (vma_is_anonymous(vma))\n\t\treturn true;\n\tif (!vma->vm_file)\n\t\treturn false;\n\t/*\n\t * paging out pagecache only for non-anonymous mappings that correspond\n\t * to the files the calling process could (if tried) open for writing;\n\t * otherwise we'd be including shared non-exclusive mappings, which\n\t * opens a side channel.\n\t */\n\treturn inode_owner_or_capable(file_inode(vma->vm_file)) ||\n\t\tinode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0;\n}", "project": "linux", "hash": 122348106628299355736721767968415604242, "size": 15, "commit_id": "bc0c4d1e176eeb614dc8734fc3ace34292771f11", "message": "mm: check that mm is still valid in madvise()\n\nIORING_OP_MADVISE can end up basically doing mprotect() on the VM of\nanother process, which means that it can race with our crazy core dump\nhandling which accesses the VM state without holding the mmap_sem\n(because it incorrectly thinks that it is the final user).\n\nThis is clearly a core dumping problem, but we've never fixed it the\nright way, and instead have the notion of \"check that the mm is still\nok\" using mmget_still_valid() after getting the mmap_sem for writing in\nany situation where we're not the original VM thread.\n\nSee commit 04f5866e41fb (\"coredump: fix race condition between\nmmget_not_zero()/get_task_mm() and core dumping\") for more background on\nthis whole mmget_still_valid() thing. 
You might want to have a barf bag\nhandy when you do.\n\nWe're discussing just fixing this properly in the only remaining core\ndumping routines. But even if we do that, let's make do_madvise() do\nthe right thing, and then when we fix core dumping, we can remove all\nthese mmget_still_valid() checks.\n\nReported-and-tested-by: Jann Horn \nFixes: c1ca757bd6f4 (\"io_uring: add IORING_OP_MADVISE\")\nAcked-by: Jens Axboe \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 323568 }, { "func": "int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode)\n{\n\tstruct dentry *lower_dentry =\n\t\tecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_dentry;\n\tssize_t size;\n\tint rc = 0;\n\n\tsize = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME,\n\t\t\t\t page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE);\n\tif (size < 0) {\n\t\tif (unlikely(ecryptfs_verbosity > 0))\n\t\t\tprintk(KERN_INFO \"Error attempting to read the [%s] \"\n\t\t\t \"xattr from the lower file; return value = \"\n\t\t\t \"[%zd]\\n\", ECRYPTFS_XATTR_NAME, size);\n\t\trc = -EINVAL;\n\t\tgoto out;\n\t}\nout:\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 134451557958631518601837398582934823999, "size": 20, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. 
Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490206 }, { "func": "static int sst_donate_mysqldump (const char* addr,\n const wsrep_uuid_t* uuid,\n const char* uuid_str,\n wsrep_seqno_t seqno,\n bool bypass,\n char** env) // carries auth info\n{\n int const cmd_len= 4096;\n wsp::string cmd_str(cmd_len);\n\n if (!cmd_str())\n {\n WSREP_ERROR(\"sst_donate_mysqldump(): \"\n \"could not allocate cmd buffer of %d bytes\", cmd_len);\n return -ENOMEM;\n }\n\n if (!bypass && wsrep_sst_donor_rejects_queries) sst_reject_queries(TRUE);\n\n int ret= snprintf (cmd_str(), cmd_len,\n \"wsrep_sst_mysqldump \"\n WSREP_SST_OPT_ADDR\" '%s' \"\n WSREP_SST_OPT_LPORT\" '%u' \"\n WSREP_SST_OPT_SOCKET\" '%s' \"\n WSREP_SST_OPT_CONF\" '%s' \"\n WSREP_SST_OPT_GTID\" '%s:%lld'\"\n \"%s\",\n addr, mysqld_port, mysqld_unix_port,\n wsrep_defaults_file, uuid_str,\n (long long)seqno, bypass ? \" \" WSREP_SST_OPT_BYPASS : \"\");\n\n if (ret < 0 || ret >= cmd_len)\n {\n WSREP_ERROR(\"sst_donate_mysqldump(): snprintf() failed: %d\", ret);\n return (ret < 0 ? 
ret : -EMSGSIZE);\n }\n\n WSREP_DEBUG(\"Running: '%s'\", cmd_str());\n\n ret= sst_run_shell (cmd_str(), env, 3);\n\n wsrep_gtid_t const state_id = { *uuid, (ret ? WSREP_SEQNO_UNDEFINED : seqno)};\n\n wsrep->sst_sent (wsrep, &state_id, ret);\n\n return ret;\n}", "project": "mysql-wsrep", "hash": 238709487271869589688883942049178943366, "size": 47, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454782 }, { "func": "static int initialize_context_decompression(blosc2_context* context, const void* src, int32_t srcsize,\n void* dest, int32_t destsize) {\n uint8_t blosc2_flags = 0;\n int32_t cbytes;\n int32_t bstarts_offset;\n int32_t bstarts_end;\n\n context->do_compress = 0;\n context->src = (const uint8_t*)src;\n context->srcsize = srcsize;\n context->dest = (uint8_t*)dest;\n context->destsize = destsize;\n context->output_bytes = 0;\n context->end_threads = 0;\n\n if (context->srcsize < BLOSC_MIN_HEADER_LENGTH) {\n /* Not enough input to read minimum header */\n return -1;\n }\n\n context->header_flags = context->src[2];\n context->typesize = context->src[3];\n context->sourcesize = sw32_(context->src + 4);\n context->blocksize = sw32_(context->src + 8);\n cbytes = sw32_(context->src + 12);\n\n // Some checks for malformed headers\n if (context->blocksize <= 0 || context->blocksize > destsize ||\n context->typesize <= 0 || context->typesize > BLOSC_MAX_TYPESIZE ||\n cbytes > srcsize) {\n return -1;\n }\n /* Check that we have enough space to decompress */\n if (context->sourcesize > (int32_t)destsize) {\n return -1;\n }\n\n /* Total blocks */\n context->nblocks = context->sourcesize / context->blocksize;\n context->leftover = context->sourcesize % context->blocksize;\n context->nblocks = (context->leftover > 0) ?\n context->nblocks + 1 : context->nblocks;\n\n if (context->block_maskout != NULL && context->block_maskout_nitems != 
context->nblocks) {\n fprintf(stderr, \"The number of items in block_maskout (%d) must match the number\"\n \" of blocks in chunk (%d)\", context->block_maskout_nitems, context->nblocks);\n return -2;\n }\n\n if ((context->header_flags & BLOSC_DOSHUFFLE) &&\n (context->header_flags & BLOSC_DOBITSHUFFLE)) {\n /* Extended header */\n if (context->srcsize < BLOSC_EXTENDED_HEADER_LENGTH) {\n /* Not enough input to read extended header */\n return -1;\n }\n uint8_t* filters = (uint8_t*)(context->src + BLOSC_MIN_HEADER_LENGTH);\n uint8_t* filters_meta = filters + 8;\n uint8_t header_version = context->src[0];\n // The number of filters depends on the version of the header\n // (we need to read less because filters where not initialized to zero in blosc2 alpha series)\n int max_filters = (header_version == BLOSC2_VERSION_FORMAT_ALPHA) ? 5 : BLOSC2_MAX_FILTERS;\n for (int i = 0; i < max_filters; i++) {\n context->filters[i] = filters[i];\n context->filters_meta[i] = filters_meta[i];\n }\n context->filter_flags = filters_to_flags(filters);\n bstarts_offset = BLOSC_EXTENDED_HEADER_LENGTH;\n blosc2_flags = context->src[0x1F];\n } else {\n /* Regular (Blosc1) header */\n context->filter_flags = get_filter_flags(context->header_flags,\n context->typesize);\n flags_to_filters(context->header_flags, context->filters);\n bstarts_offset = BLOSC_MIN_HEADER_LENGTH;\n }\n\n context->bstarts = (int32_t*)(context->src + bstarts_offset);\n bstarts_end = bstarts_offset + (context->nblocks * sizeof(int32_t));\n if (srcsize < bstarts_end) {\n /* Not enough input to read entire `bstarts` section */\n return -1;\n }\n srcsize -= bstarts_end;\n\n /* Read optional dictionary if flag set */\n if (blosc2_flags & BLOSC2_USEDICT) {\n#if defined(HAVE_ZSTD)\n context->use_dict = 1;\n if (context->dict_ddict != NULL) {\n // Free the existing dictionary (probably from another chunk)\n ZSTD_freeDDict(context->dict_ddict);\n }\n // The trained dictionary is after the bstarts block\n if (srcsize < 
sizeof(int32_t)) {\n /* Not enough input to size of dictionary */\n return -1;\n }\n srcsize -= sizeof(int32_t);\n context->dict_size = (size_t)sw32_(context->src + bstarts_end);\n if (context->dict_size <= 0 || context->dict_size > BLOSC2_MAXDICTSIZE) {\n /* Dictionary size is smaller than minimum or larger than maximum allowed */\n return -1;\n }\n if (srcsize < (int32_t)context->dict_size) {\n /* Not enough input to read entire dictionary */\n return -1;\n }\n srcsize -= context->dict_size;\n context->dict_buffer = (void*)(context->src + bstarts_end + sizeof(int32_t));\n context->dict_ddict = ZSTD_createDDict(context->dict_buffer, context->dict_size);\n#endif // HAVE_ZSTD\n }\n\n\n return 0;\n}", "project": "c-blosc2", "hash": 296674429024113534222815312449365498384, "size": 117, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303097 }, { "func": "static int le_scan_restart(struct hci_request *req, unsigned long opt)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\n\t/* If controller is not scanning we are done. 
*/\n\tif (!hci_dev_test_flag(hdev, HCI_LE_SCAN))\n\t\treturn 0;\n\n\tif (hdev->scanning_paused) {\n\t\tbt_dev_dbg(hdev, \"Scanning is paused for suspend\");\n\t\treturn 0;\n\t}\n\n\thci_req_add_le_scan_disable(req, false);\n\n\tif (use_ext_scan(hdev)) {\n\t\tstruct hci_cp_le_set_ext_scan_enable ext_enable_cp;\n\n\t\tmemset(&ext_enable_cp, 0, sizeof(ext_enable_cp));\n\t\text_enable_cp.enable = LE_SCAN_ENABLE;\n\t\text_enable_cp.filter_dup = LE_SCAN_FILTER_DUP_ENABLE;\n\n\t\thci_req_add(req, HCI_OP_LE_SET_EXT_SCAN_ENABLE,\n\t\t\t sizeof(ext_enable_cp), &ext_enable_cp);\n\t} else {\n\t\tstruct hci_cp_le_set_scan_enable cp;\n\n\t\tmemset(&cp, 0, sizeof(cp));\n\t\tcp.enable = LE_SCAN_ENABLE;\n\t\tcp.filter_dup = LE_SCAN_FILTER_DUP_ENABLE;\n\t\thci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 37137585053029094028718737761511218993, "size": 35, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402507 }, { "func": "Header headerImport(void * blob, unsigned int bsize, headerImportFlags flags)\n{\n Header h = NULL;\n struct hdrblob_s hblob;\n char *buf = NULL;\n void * b = blob;\n\n if (flags & HEADERIMPORT_COPY) {\n\tif (bsize == 0 && hdrblobInit(b, 0, 0, 0, &hblob, &buf) == RPMRC_OK)\n\t bsize = hblob.pvlen;\n\tif (bsize == 0)\n\t goto exit;\n\tb = memcpy(xmalloc(bsize), b, bsize);\n }\n\n /* Sanity checks on header intro. */\n if (hdrblobInit(b, bsize, 0, 0, &hblob, &buf) == RPMRC_OK)\n\thdrblobImport(&hblob, (flags & HEADERIMPORT_FAST), &h, &buf);\n\nexit:\n if (h == NULL && b != blob)\n\tfree(b);\n free(buf);\n\n return h;\n}", "project": "rpm", "hash": 321743162953772911953506880391514766407, "size": 26, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318182 }, { "func": "void build_filters(const int doshuffle, const int delta,\n const size_t typesize, uint8_t* filters) {\n\n /* Fill the end part of the filter pipeline */\n if ((doshuffle == BLOSC_SHUFFLE) && (typesize > 1))\n filters[BLOSC2_MAX_FILTERS - 1] = BLOSC_SHUFFLE;\n if (doshuffle == BLOSC_BITSHUFFLE)\n filters[BLOSC2_MAX_FILTERS - 1] = BLOSC_BITSHUFFLE;\n if (delta)\n filters[BLOSC2_MAX_FILTERS - 2] = BLOSC_DELTA;\n}", "project": "c-blosc2", "hash": 76273734349148005564383942304921394134, "size": 11, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303064 }, { "func": "static void mt_fix_const_field(struct hid_field 
*field, unsigned int usage)\n{\n\tif (field->usage[0].hid != usage ||\n\t !(field->flags & HID_MAIN_ITEM_CONSTANT))\n\t\treturn;\n\n\tfield->flags &= ~HID_MAIN_ITEM_CONSTANT;\n\tfield->flags |= HID_MAIN_ITEM_VARIABLE;\n}", "project": "linux", "hash": 293767444653032703790563075496348791630, "size": 9, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458377 }, { "func": "static int input_handle_abs_event(struct input_dev *dev,\n\t\t\t\t unsigned int code, int *pval)\n{\n\tstruct input_mt *mt = dev->mt;\n\tbool is_mt_event;\n\tint *pold;\n\n\tif (code == ABS_MT_SLOT) {\n\t\t/*\n\t\t * \"Stage\" the event; we'll flush it later, when we\n\t\t * get actual touch data.\n\t\t */\n\t\tif (mt && *pval >= 0 && *pval < mt->num_slots)\n\t\t\tmt->slot = *pval;\n\n\t\treturn INPUT_IGNORE_EVENT;\n\t}\n\n\tis_mt_event = input_is_mt_value(code);\n\n\tif (!is_mt_event) {\n\t\tpold = &dev->absinfo[code].value;\n\t} else if (mt) {\n\t\tpold = &mt->slots[mt->slot].abs[code - ABS_MT_FIRST];\n\t} else {\n\t\t/*\n\t\t * Bypass filtering for multi-touch events when\n\t\t * not employing slots.\n\t\t */\n\t\tpold = NULL;\n\t}\n\n\tif (pold) 
{\n\t\t*pval = input_defuzz_abs_event(*pval, *pold,\n\t\t\t\t\t\tdev->absinfo[code].fuzz);\n\t\tif (*pold == *pval)\n\t\t\treturn INPUT_IGNORE_EVENT;\n\n\t\t*pold = *pval;\n\t}\n\n\t/* Flush pending \"slot\" event */\n\tif (is_mt_event && mt && mt->slot != input_abs_get_val(dev, ABS_MT_SLOT)) {\n\t\tinput_abs_set_val(dev, ABS_MT_SLOT, mt->slot);\n\t\treturn INPUT_PASS_TO_HANDLERS | INPUT_SLOT;\n\t}\n\n\treturn INPUT_PASS_TO_HANDLERS;\n}", "project": "linux", "hash": 90065058608423057814768964959242946875, "size": 49, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353310 }, { "func": "static void dct_inverse(float *block)\n{\n for (int i = 0; i < 8; i++)\n idct_1d(block + i, 8);\n\n for (int i = 0; i < 8; i++) {\n idct_1d(block, 1);\n block += 8;\n }\n}", "project": "FFmpeg", "hash": 255085706960092540266648163807431178087, "size": 10, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262672 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "void BlobURLRequestJob::Start() {\n MessageLoop::current()->PostTask(\n FROM_HERE,\n 
method_factory_.NewRunnableMethod(&BlobURLRequestJob::DidStart));\n}\n", "cwe": "", "big_vul_idx": 106427, "idx": 95577, "hash": 233177778290780457490949377680861209398 }, { "func": "otError Commissioner::Start(otCommissionerStateCallback aStateCallback,\n otCommissionerJoinerCallback aJoinerCallback,\n void * aCallbackContext)\n{\n otError error = OT_ERROR_NONE;\n\n VerifyOrExit(Get().IsAttached(), error = OT_ERROR_INVALID_STATE);\n VerifyOrExit(mState == OT_COMMISSIONER_STATE_DISABLED, error = OT_ERROR_INVALID_STATE);\n\n SuccessOrExit(error = Get().Start(SendRelayTransmit, this));\n Get().SetConnectedCallback(&Commissioner::HandleCoapsConnected, this);\n\n mStateCallback = aStateCallback;\n mJoinerCallback = aJoinerCallback;\n mCallbackContext = aCallbackContext;\n mTransmitAttempts = 0;\n\n SuccessOrExit(error = SendPetition());\n SetState(OT_COMMISSIONER_STATE_PETITION);\n\nexit:\n return error;\n}", "project": "openthread", "hash": 139433746056836502033473204497690968007, "size": 23, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269889 }, { "func": "R_API int r_sys_getpid() {\n#if __UNIX__\n\treturn getpid ();\n#elif __WINDOWS__\n\treturn GetCurrentProcessId();\n#else\n#warning r_sys_getpid not implemented for this platform\n\treturn -1;\n#endif\n}", "project": "radare2", "hash": 77566649574019957314274447648247788583, "size": 10, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read 
failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268874 }, { "func": "static void cliprdr_write_file_contents_response(wStream* s,\n const CLIPRDR_FILE_CONTENTS_RESPONSE* response)\n{\n\tStream_Write_UINT32(s, response->streamId); /* streamId (4 bytes) */\n\tStream_Write(s, response->requestedData, response->cbRequested);\n}", "project": "FreeRDP", "hash": 52714304488049344229148743883182964932, "size": 6, "commit_id": "b73143cf7ee5fe4cdabcbf56908aa15d8a883821", "message": "Fixed oob read in cliprdr_read_format_list", "target": 0, "dataset": "other", "idx": 388309 }, { "func": "\nvoid bic_set_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq, bool is_sync)\n{\n\tbic->bfqq[is_sync] = bfqq;", "project": "linux", "hash": 78789484474108627362726006367355667569, "size": 4, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. 
If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] 
blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 
ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453387 }, { "func": "SYSCALL_DEFINE1(sigsuspend, old_sigset_t, mask)\n{\n\tsigset_t blocked;\n\tsiginitset(&blocked, mask);\n\treturn sigsuspend(&blocked);\n}", "project": "linux", "hash": 335111860735657354058088123739087849434, "size": 6, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375137 }, { "func": "static int sigsuspend(sigset_t *set)\n{\n\tcurrent->saved_sigmask = current->blocked;\n\tset_current_blocked(set);\n\n\twhile (!signal_pending(current)) {\n\t\t__set_current_state(TASK_INTERRUPTIBLE);\n\t\tschedule();\n\t}\n\tset_restore_sigmask();\n\treturn -ERESTARTNOHAND;\n}", "project": "linux", "hash": 45061831593517539945795260464917938117, "size": 12, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. 
With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375251 }, { "func": "SYSCALL_DEFINE3(sigsuspend, int, unused1, int, unused2, old_sigset_t, mask)\n{\n\tsigset_t blocked;\n\tsiginitset(&blocked, mask);\n\treturn sigsuspend(&blocked);\n}", "project": "linux", "hash": 38306401845800533640636247036242099181, "size": 6, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. 
With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375310 }, { "func": "static int packet_do_bind(struct sock *sk, const char *name, int ifindex,\n\t\t\t __be16 proto)\n{\n\tstruct packet_sock *po = pkt_sk(sk);\n\tstruct net_device *dev_curr;\n\t__be16 proto_curr;\n\tbool need_rehook;\n\tstruct net_device *dev = NULL;\n\tint ret = 0;\n\tbool unlisted = false;\n\n\tlock_sock(sk);\n\tspin_lock(&po->bind_lock);\n\trcu_read_lock();\n\n\tif (po->fanout) {\n\t\tret = -EINVAL;\n\t\tgoto out_unlock;\n\t}\n\n\tif (name) {\n\t\tdev = dev_get_by_name_rcu(sock_net(sk), name);\n\t\tif (!dev) {\n\t\t\tret = -ENODEV;\n\t\t\tgoto out_unlock;\n\t\t}\n\t} else if (ifindex) {\n\t\tdev = dev_get_by_index_rcu(sock_net(sk), ifindex);\n\t\tif (!dev) {\n\t\t\tret = -ENODEV;\n\t\t\tgoto out_unlock;\n\t\t}\n\t}\n\n\tif (dev)\n\t\tdev_hold(dev);\n\n\tproto_curr = po->prot_hook.type;\n\tdev_curr = po->prot_hook.dev;\n\n\tneed_rehook = proto_curr != proto || dev_curr != dev;\n\n\tif (need_rehook) {\n\t\tif (po->running) {\n\t\t\trcu_read_unlock();\n\t\t\t/* prevents packet_notifier() from calling\n\t\t\t * register_prot_hook()\n\t\t\t */\n\t\t\tpo->num = 0;\n\t\t\t__unregister_prot_hook(sk, true);\n\t\t\trcu_read_lock();\n\t\t\tdev_curr = po->prot_hook.dev;\n\t\t\tif (dev)\n\t\t\t\tunlisted = !dev_get_by_index_rcu(sock_net(sk),\n\t\t\t\t\t\t\t\t dev->ifindex);\n\t\t}\n\n\t\tBUG_ON(po->running);\n\t\tpo->num = proto;\n\t\tpo->prot_hook.type = proto;\n\n\t\tif (unlikely(unlisted)) {\n\t\t\tdev_put(dev);\n\t\t\tpo->prot_hook.dev = NULL;\n\t\t\tpo->ifindex = -1;\n\t\t\tpacket_cached_dev_reset(po);\n\t\t} else {\n\t\t\tpo->prot_hook.dev = dev;\n\t\t\tpo->ifindex = dev ? 
dev->ifindex : 0;\n\t\t\tpacket_cached_dev_assign(po, dev);\n\t\t}\n\t}\n\tif (dev_curr)\n\t\tdev_put(dev_curr);\n\n\tif (proto == 0 || !need_rehook)\n\t\tgoto out_unlock;\n\n\tif (!unlisted && (!dev || (dev->flags & IFF_UP))) {\n\t\tregister_prot_hook(sk);\n\t} else {\n\t\tsk->sk_err = ENETDOWN;\n\t\tif (!sock_flag(sk, SOCK_DEAD))\n\t\t\tsk->sk_error_report(sk);\n\t}\n\nout_unlock:\n\trcu_read_unlock();\n\tspin_unlock(&po->bind_lock);\n\trelease_sock(sk);\n\treturn ret;\n}", "project": "linux", "hash": 165864981779554058974000547683902895977, "size": 92, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330374 }, { "func": "int enter_svm_guest_mode(struct vcpu_svm *svm, u64 vmcb12_gpa,\n\t\t\t struct vmcb *vmcb12)\n{\n\tint ret;\n\n\tsvm->nested.vmcb12_gpa = vmcb12_gpa;\n\tnested_prepare_vmcb_save(svm, vmcb12);\n\tnested_prepare_vmcb_control(svm);\n\n\tret = nested_svm_load_cr3(&svm->vcpu, vmcb12->save.cr3,\n\t\t\t\t nested_npt_enabled(svm));\n\tif (ret)\n\t\treturn ret;\n\n\tsvm_set_gif(svm, true);\n\n\treturn 0;\n}", "project": "linux", "hash": 86474258549066419189499799289271507560, "size": 18, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB 
controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376670 }, { "func": "static void enter_svm_guest_mode(struct vcpu_svm *svm, u64 vmcb_gpa,\n\t\t\t\t struct vmcb *nested_vmcb, struct kvm_host_map *map)\n{\n\tif (kvm_get_rflags(&svm->vcpu) & X86_EFLAGS_IF)\n\t\tsvm->vcpu.arch.hflags |= HF_HIF_MASK;\n\telse\n\t\tsvm->vcpu.arch.hflags &= ~HF_HIF_MASK;\n\n\tif (nested_vmcb->control.nested_ctl & SVM_NESTED_CTL_NP_ENABLE) {\n\t\tsvm->nested.nested_cr3 = nested_vmcb->control.nested_cr3;\n\t\tnested_svm_init_mmu_context(&svm->vcpu);\n\t}\n\n\t/* Load the nested guest state */\n\tsvm->vmcb->save.es = nested_vmcb->save.es;\n\tsvm->vmcb->save.cs = nested_vmcb->save.cs;\n\tsvm->vmcb->save.ss = nested_vmcb->save.ss;\n\tsvm->vmcb->save.ds = nested_vmcb->save.ds;\n\tsvm->vmcb->save.gdtr = nested_vmcb->save.gdtr;\n\tsvm->vmcb->save.idtr = nested_vmcb->save.idtr;\n\tkvm_set_rflags(&svm->vcpu, nested_vmcb->save.rflags);\n\tsvm_set_efer(&svm->vcpu, nested_vmcb->save.efer);\n\tsvm_set_cr0(&svm->vcpu, nested_vmcb->save.cr0);\n\tsvm_set_cr4(&svm->vcpu, nested_vmcb->save.cr4);\n\tif (npt_enabled) {\n\t\tsvm->vmcb->save.cr3 = nested_vmcb->save.cr3;\n\t\tsvm->vcpu.arch.cr3 = nested_vmcb->save.cr3;\n\t} else\n\t\t(void)kvm_set_cr3(&svm->vcpu, nested_vmcb->save.cr3);\n\n\t/* Guest paging mode is active - reset mmu */\n\tkvm_mmu_reset_context(&svm->vcpu);\n\n\tsvm->vmcb->save.cr2 = svm->vcpu.arch.cr2 = nested_vmcb->save.cr2;\n\tkvm_rax_write(&svm->vcpu, nested_vmcb->save.rax);\n\tkvm_rsp_write(&svm->vcpu, 
nested_vmcb->save.rsp);\n\tkvm_rip_write(&svm->vcpu, nested_vmcb->save.rip);\n\n\t/* In case we don't even reach vcpu_run, the fields are not updated */\n\tsvm->vmcb->save.rax = nested_vmcb->save.rax;\n\tsvm->vmcb->save.rsp = nested_vmcb->save.rsp;\n\tsvm->vmcb->save.rip = nested_vmcb->save.rip;\n\tsvm->vmcb->save.dr7 = nested_vmcb->save.dr7;\n\tsvm->vmcb->save.dr6 = nested_vmcb->save.dr6;\n\tsvm->vmcb->save.cpl = nested_vmcb->save.cpl;\n\n\tsvm->nested.vmcb_msrpm = nested_vmcb->control.msrpm_base_pa & ~0x0fffULL;\n\tsvm->nested.vmcb_iopm = nested_vmcb->control.iopm_base_pa & ~0x0fffULL;\n\n\t/* cache intercepts */\n\tsvm->nested.intercept_cr = nested_vmcb->control.intercept_cr;\n\tsvm->nested.intercept_dr = nested_vmcb->control.intercept_dr;\n\tsvm->nested.intercept_exceptions = nested_vmcb->control.intercept_exceptions;\n\tsvm->nested.intercept = nested_vmcb->control.intercept;\n\n\tsvm_flush_tlb(&svm->vcpu, true);\n\tsvm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK;\n\tif (nested_vmcb->control.int_ctl & V_INTR_MASKING_MASK)\n\t\tsvm->vcpu.arch.hflags |= HF_VINTR_MASK;\n\telse\n\t\tsvm->vcpu.arch.hflags &= ~HF_VINTR_MASK;\n\n\tif (svm->vcpu.arch.hflags & HF_VINTR_MASK) {\n\t\t/* We only want the cr8 intercept bits of the guest */\n\t\tclr_cr_intercept(svm, INTERCEPT_CR8_READ);\n\t\tclr_cr_intercept(svm, INTERCEPT_CR8_WRITE);\n\t}\n\n\t/* We don't want to see VMMCALLs from a nested guest */\n\tclr_intercept(svm, INTERCEPT_VMMCALL);\n\n\tsvm->vcpu.arch.tsc_offset += nested_vmcb->control.tsc_offset;\n\tsvm->vmcb->control.tsc_offset = svm->vcpu.arch.tsc_offset;\n\n\tsvm->vmcb->control.virt_ext = nested_vmcb->control.virt_ext;\n\tsvm->vmcb->control.int_vector = nested_vmcb->control.int_vector;\n\tsvm->vmcb->control.int_state = nested_vmcb->control.int_state;\n\tsvm->vmcb->control.event_inj = nested_vmcb->control.event_inj;\n\tsvm->vmcb->control.event_inj_err = nested_vmcb->control.event_inj_err;\n\n\tsvm->vmcb->control.pause_filter_count 
=\n\t\tnested_vmcb->control.pause_filter_count;\n\tsvm->vmcb->control.pause_filter_thresh =\n\t\tnested_vmcb->control.pause_filter_thresh;\n\n\tkvm_vcpu_unmap(&svm->vcpu, map, true);\n\n\t/* Enter Guest-Mode */\n\tenter_guest_mode(&svm->vcpu);\n\n\t/*\n\t * Merge guest and host intercepts - must be called with vcpu in\n\t * guest-mode to take affect here\n\t */\n\trecalc_intercepts(svm);\n\n\tsvm->nested.vmcb = vmcb_gpa;\n\n\tenable_gif(svm);\n\n\tmark_all_dirty(svm->vmcb);\n}", "project": "linux", "hash": 223341233138669632024872825139234589296, "size": 102, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432468 }, { "func": "void CServer::PumpNetwork()\n{\n\tCNetChunk Packet;\n\tTOKEN ResponseToken;\n\n\tm_NetServer.Update();\n\n\t// process packets\n\twhile(m_NetServer.Recv(&Packet, &ResponseToken))\n\t{\n\t\tif(Packet.m_Flags&NETSENDFLAG_CONNLESS)\n\t\t{\n\t\t\tif(m_Register.RegisterProcessPacket(&Packet, ResponseToken))\n\t\t\t\tcontinue;\n\t\t\tif(Packet.m_DataSize >= int(sizeof(SERVERBROWSE_GETINFO)) &&\n\t\t\t\tmem_comp(Packet.m_pData, SERVERBROWSE_GETINFO, sizeof(SERVERBROWSE_GETINFO)) == 0)\n\t\t\t{\n\t\t\t\tCUnpacker Unpacker;\n\t\t\t\tUnpacker.Reset((unsigned char*)Packet.m_pData+sizeof(SERVERBROWSE_GETINFO), Packet.m_DataSize-sizeof(SERVERBROWSE_GETINFO));\n\t\t\t\tint SrvBrwsToken = Unpacker.GetInt();\n\t\t\t\tif(Unpacker.Error())\n\t\t\t\t\tcontinue;\n\n\t\t\t\tCPacker Packer;\n\t\t\t\tCNetChunk Response;\n\n\t\t\t\tGenerateServerInfo(&Packer, SrvBrwsToken);\n\n\t\t\t\tResponse.m_ClientID = -1;\n\t\t\t\tResponse.m_Address = 
Packet.m_Address;\n\t\t\t\tResponse.m_Flags = NETSENDFLAG_CONNLESS;\n\t\t\t\tResponse.m_pData = Packer.Data();\n\t\t\t\tResponse.m_DataSize = Packer.Size();\n\t\t\t\tm_NetServer.Send(&Response, ResponseToken);\n\t\t\t}\n\t\t}\n\t\telse\n\t\t\tProcessClientPacket(&Packet);\n\t}\n\n\tm_ServerBan.Update();\n\tm_Econ.Update();\n}", "project": "teeworlds", "hash": 137702239443939583176065942398616111876, "size": 43, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382004 }, { "func": "static u16 kvm_hvcall_signal_event(struct kvm_vcpu *vcpu, bool fast, u64 param)\n{\n\tstruct kvm_hv *hv = to_kvm_hv(vcpu->kvm);\n\tstruct eventfd_ctx *eventfd;\n\n\tif (unlikely(!fast)) {\n\t\tint ret;\n\t\tgpa_t gpa = param;\n\n\t\tif ((gpa & (__alignof__(param) - 1)) ||\n\t\t offset_in_page(gpa) + sizeof(param) > PAGE_SIZE)\n\t\t\treturn HV_STATUS_INVALID_ALIGNMENT;\n\n\t\tret = kvm_vcpu_read_guest(vcpu, gpa, ¶m, sizeof(param));\n\t\tif (ret < 0)\n\t\t\treturn HV_STATUS_INVALID_ALIGNMENT;\n\t}\n\n\t/*\n\t * Per spec, bits 32-47 contain the extra \"flag number\". 
However, we\n\t * have no use for it, and in all known usecases it is zero, so just\n\t * report lookup failure if it isn't.\n\t */\n\tif (param & 0xffff00000000ULL)\n\t\treturn HV_STATUS_INVALID_PORT_ID;\n\t/* remaining bits are reserved-zero */\n\tif (param & ~KVM_HYPERV_CONN_ID_MASK)\n\t\treturn HV_STATUS_INVALID_HYPERCALL_INPUT;\n\n\t/* the eventfd is protected by vcpu->kvm->srcu, but conn_to_evt isn't */\n\trcu_read_lock();\n\teventfd = idr_find(&hv->conn_to_evt, param);\n\trcu_read_unlock();\n\tif (!eventfd)\n\t\treturn HV_STATUS_INVALID_PORT_ID;\n\n\teventfd_signal(eventfd, 1);\n\treturn HV_STATUS_SUCCESS;\n}", "project": "linux", "hash": 338864900058265995513592574917449465506, "size": 39, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343480 }, { "func": "CURLcode telrcv(struct Curl_easy *data,\n const unsigned char *inbuf, /* Data received from socket */\n ssize_t count) /* Number of bytes received */\n{\n unsigned char c;\n CURLcode result;\n int in = 0;\n int startwrite = -1;\n struct TELNET *tn = data->req.p.telnet;\n\n#define startskipping() \\\n if(startwrite >= 0) { \\\n result = Curl_client_write(data, \\\n CLIENTWRITE_BODY, \\\n (char *)&inbuf[startwrite], \\\n in-startwrite); \\\n if(result) \\\n return result; \\\n } \\\n startwrite = -1\n\n#define writebyte() \\\n if(startwrite < 0) \\\n startwrite = in\n\n#define bufferflush() startskipping()\n\n while(count--) {\n c = inbuf[in];\n\n switch(tn->telrcv_state) {\n case CURL_TS_CR:\n tn->telrcv_state = CURL_TS_DATA;\n if(c == '\\0') {\n startskipping();\n break; /* Ignore \\0 after CR */\n }\n writebyte();\n break;\n\n case CURL_TS_DATA:\n if(c == CURL_IAC) {\n tn->telrcv_state = CURL_TS_IAC;\n startskipping();\n break;\n }\n else if(c == '\\r')\n tn->telrcv_state = CURL_TS_CR;\n writebyte();\n break;\n\n case CURL_TS_IAC:\n process_iac:\n DEBUGASSERT(startwrite < 0);\n switch(c) {\n case CURL_WILL:\n tn->telrcv_state = CURL_TS_WILL;\n break;\n case CURL_WONT:\n tn->telrcv_state = CURL_TS_WONT;\n break;\n case CURL_DO:\n tn->telrcv_state = CURL_TS_DO;\n break;\n case CURL_DONT:\n tn->telrcv_state = CURL_TS_DONT;\n break;\n case CURL_SB:\n CURL_SB_CLEAR(tn);\n tn->telrcv_state = CURL_TS_SB;\n break;\n case CURL_IAC:\n tn->telrcv_state = CURL_TS_DATA;\n writebyte();\n break;\n case CURL_DM:\n case CURL_NOP:\n case 
CURL_GA:\n default:\n tn->telrcv_state = CURL_TS_DATA;\n printoption(data, \"RCVD\", CURL_IAC, c);\n break;\n }\n break;\n\n case CURL_TS_WILL:\n printoption(data, \"RCVD\", CURL_WILL, c);\n tn->please_negotiate = 1;\n rec_will(data, c);\n tn->telrcv_state = CURL_TS_DATA;\n break;\n\n case CURL_TS_WONT:\n printoption(data, \"RCVD\", CURL_WONT, c);\n tn->please_negotiate = 1;\n rec_wont(data, c);\n tn->telrcv_state = CURL_TS_DATA;\n break;\n\n case CURL_TS_DO:\n printoption(data, \"RCVD\", CURL_DO, c);\n tn->please_negotiate = 1;\n rec_do(data, c);\n tn->telrcv_state = CURL_TS_DATA;\n break;\n\n case CURL_TS_DONT:\n printoption(data, \"RCVD\", CURL_DONT, c);\n tn->please_negotiate = 1;\n rec_dont(data, c);\n tn->telrcv_state = CURL_TS_DATA;\n break;\n\n case CURL_TS_SB:\n if(c == CURL_IAC)\n tn->telrcv_state = CURL_TS_SE;\n else\n CURL_SB_ACCUM(tn, c);\n break;\n\n case CURL_TS_SE:\n if(c != CURL_SE) {\n if(c != CURL_IAC) {\n /*\n * This is an error. We only expect to get \"IAC IAC\" or \"IAC SE\".\n * Several things may have happened. An IAC was not doubled, the\n * IAC SE was left off, or another option got inserted into the\n * suboption are all possibilities. If we assume that the IAC was\n * not doubled, and really the IAC SE was left off, we could get\n * into an infinite loop here. 
So, instead, we terminate the\n * suboption, and process the partial suboption if we can.\n */\n CURL_SB_ACCUM(tn, CURL_IAC);\n CURL_SB_ACCUM(tn, c);\n tn->subpointer -= 2;\n CURL_SB_TERM(tn);\n\n printoption(data, \"In SUBOPTION processing, RCVD\", CURL_IAC, c);\n suboption(data); /* handle sub-option */\n tn->telrcv_state = CURL_TS_IAC;\n goto process_iac;\n }\n CURL_SB_ACCUM(tn, c);\n tn->telrcv_state = CURL_TS_SB;\n }\n else {\n CURL_SB_ACCUM(tn, CURL_IAC);\n CURL_SB_ACCUM(tn, CURL_SE);\n tn->subpointer -= 2;\n CURL_SB_TERM(tn);\n suboption(data); /* handle sub-option */\n tn->telrcv_state = CURL_TS_DATA;\n }\n break;\n }\n ++in;\n }\n bufferflush();\n return CURLE_OK;\n}", "project": "curl", "hash": 37388920861072610577935596359350937343, "size": 160, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 0, "dataset": "other", "idx": 481497 }, { "func": "void tty_init_termios(struct tty_struct *tty)\n{\n\tstruct ktermios *tp;\n\tint idx = tty->index;\n\n\tif (tty->driver->flags & TTY_DRIVER_RESET_TERMIOS)\n\t\ttty->termios = tty->driver->init_termios;\n\telse {\n\t\t/* Check for lazy saved data */\n\t\ttp = tty->driver->termios[idx];\n\t\tif (tp != NULL) {\n\t\t\ttty->termios = *tp;\n\t\t\ttty->termios.c_line = tty->driver->init_termios.c_line;\n\t\t} else\n\t\t\ttty->termios = tty->driver->init_termios;\n\t}\n\t/* Compatibility until drivers always set this */\n\ttty->termios.c_ispeed = tty_termios_input_baud_rate(&tty->termios);\n\ttty->termios.c_ospeed = tty_termios_baud_rate(&tty->termios);\n}", "project": "linux", "hash": 189209743279904428507299246807927458803, "size": 20, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but 
disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325973 }, { "func": "void imap_cachepath(char delim, const char *mailbox, struct Buffer *dest)\n{\n const char *p = mailbox;\n mutt_buffer_reset(dest);\n if (!p)\n return;\n\n while (*p)\n {\n if (p[0] == delim)\n {\n mutt_buffer_addch(dest, '/');\n /* simple way to avoid collisions with UIDs */\n if ((p[1] >= '0') && (p[1] <= '9'))\n mutt_buffer_addch(dest, '_');\n }\n else\n mutt_buffer_addch(dest, *p);\n p++;\n }\n}", "project": "neomutt", "hash": 256324226953453119796838268369916413856, "size": 21, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix 
seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399287 }, { "func": "void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb,\n\t\t\t const struct ip_options *sopt,\n\t\t\t __be32 daddr, __be32 saddr,\n\t\t\t const struct ip_reply_arg *arg,\n\t\t\t unsigned int len)\n{\n\tstruct ip_options_data replyopts;\n\tstruct ipcm_cookie ipc;\n\tstruct flowi4 fl4;\n\tstruct rtable *rt = skb_rtable(skb);\n\tstruct net *net = sock_net(sk);\n\tstruct sk_buff *nskb;\n\tint err;\n\tint oif;\n\n\tif (__ip_options_echo(&replyopts.opt.opt, skb, sopt))\n\t\treturn;\n\n\tipc.addr = daddr;\n\tipc.opt = NULL;\n\tipc.tx_flags = 0;\n\tipc.ttl = 0;\n\tipc.tos = -1;\n\n\tif (replyopts.opt.opt.optlen) {\n\t\tipc.opt = &replyopts.opt;\n\n\t\tif (replyopts.opt.opt.srr)\n\t\t\tdaddr = replyopts.opt.opt.faddr;\n\t}\n\n\toif = arg->bound_dev_if;\n\tif (!oif && netif_index_is_l3_master(net, skb->skb_iif))\n\t\toif = skb->skb_iif;\n\n\tflowi4_init_output(&fl4, oif,\n\t\t\t IP4_REPLY_MARK(net, skb->mark),\n\t\t\t RT_TOS(arg->tos),\n\t\t\t RT_SCOPE_UNIVERSE, ip_hdr(skb)->protocol,\n\t\t\t ip_reply_arg_flowi_flags(arg),\n\t\t\t daddr, saddr,\n\t\t\t tcp_hdr(skb)->source, tcp_hdr(skb)->dest,\n\t\t\t arg->uid);\n\tsecurity_skb_classify_flow(skb, flowi4_to_flowi(&fl4));\n\trt = ip_route_output_key(net, &fl4);\n\tif (IS_ERR(rt))\n\t\treturn;\n\n\tinet_sk(sk)->tos = arg->tos;\n\n\tsk->sk_priority = skb->priority;\n\tsk->sk_protocol = ip_hdr(skb)->protocol;\n\tsk->sk_bound_dev_if = arg->bound_dev_if;\n\tsk->sk_sndbuf = sysctl_wmem_default;\n\tsk->sk_mark = fl4.flowi4_mark;\n\terr = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base,\n\t\t\t len, 0, &ipc, &rt, MSG_DONTWAIT);\n\tif 
(unlikely(err)) {\n\t\tip_flush_pending_frames(sk);\n\t\tgoto out;\n\t}\n\n\tnskb = skb_peek(&sk->sk_write_queue);\n\tif (nskb) {\n\t\tif (arg->csumoffset >= 0)\n\t\t\t*((__sum16 *)skb_transport_header(nskb) +\n\t\t\t arg->csumoffset) = csum_fold(csum_add(nskb->csum,\n\t\t\t\t\t\t\t\targ->csum));\n\t\tnskb->ip_summed = CHECKSUM_NONE;\n\t\tip_push_pending_frames(sk, &fl4);\n\t}\nout:\n\tip_rt_put(rt);\n}", "project": "net", "hash": 120990692533715639038894723110033243362, "size": 74, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468994 }, { "func": " inline int32_t DimensionsCount() const { return size_; }", "project": "tensorflow", "hash": 196489527926568298081928752696724736944, "size": 1, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269145 }, { "func": "static int sca_switch_to_extended(struct kvm *kvm)\n{\n\tstruct bsca_block *old_sca = kvm->arch.sca;\n\tstruct esca_block *new_sca;\n\tstruct kvm_vcpu *vcpu;\n\tunsigned int vcpu_idx;\n\tu32 scaol, scaoh;\n\n\tif (kvm->arch.use_esca)\n\t\treturn 0;\n\n\tnew_sca = alloc_pages_exact(sizeof(*new_sca), GFP_KERNEL|__GFP_ZERO);\n\tif (!new_sca)\n\t\treturn -ENOMEM;\n\n\tscaoh = (u32)((u64)(new_sca) >> 32);\n\tscaol = (u32)(u64)(new_sca) & ~0x3fU;\n\n\tkvm_s390_vcpu_block_all(kvm);\n\twrite_lock(&kvm->arch.sca_lock);\n\n\tsca_copy_b_to_e(new_sca, old_sca);\n\n\tkvm_for_each_vcpu(vcpu_idx, vcpu, kvm) {\n\t\tvcpu->arch.sie_block->scaoh = scaoh;\n\t\tvcpu->arch.sie_block->scaol = scaol;\n\t\tvcpu->arch.sie_block->ecb2 |= ECB2_ESCA;\n\t}\n\tkvm->arch.sca = new_sca;\n\tkvm->arch.use_esca = 1;\n\n\twrite_unlock(&kvm->arch.sca_lock);\n\tkvm_s390_vcpu_unblock_all(kvm);\n\n\tfree_page((unsigned long)old_sca);\n\n\tVM_EVENT(kvm, 2, \"Switched to ESCA (0x%pK -> 0x%pK)\",\n\t\t old_sca, kvm->arch.sca);\n\treturn 0;\n}", "project": "linux", "hash": 325178666500199767380902356683972934087, "size": 40, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean 
Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354704 }, { "func": "static void autocomplete_file(RLineCompletion *completion, const char *str) {\n\tr_return_if_fail (str);\n\tchar *pipe = strchr (str, '>');\n\n\tif (pipe) {\n\t\tstr = r_str_trim_head_ro (pipe + 1);\n\t}\n\tif (str && !*str) {\n\t\tautocomplete_process_path (completion, str, \"./\");\n\t} else {\n\t\tautocomplete_process_path (completion, str, str);\n\t}\n\n}", "project": "radare2", "hash": 233603104007460254617944414103050129444, "size": 14, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232196 }, { "func": "static BOOL update_gdi_fast_glyph(rdpContext* context, const FAST_GLYPH_ORDER* fastGlyph)\n{\n\tINT32 x, y;\n\tBYTE text_data[4] = { 0 };\n\tINT32 opLeft, opTop;\n\tINT32 opRight, opBottom;\n\tINT32 opWidth = 0, opHeight = 0;\n\tINT32 bkWidth = 0, bkHeight = 0;\n\trdpCache* cache;\n\n\tif (!context || !fastGlyph || !context->cache)\n\t\treturn FALSE;\n\n\tcache = context->cache;\n\topLeft = fastGlyph->opLeft;\n\topTop = fastGlyph->opTop;\n\topRight = fastGlyph->opRight;\n\topBottom = fastGlyph->opBottom;\n\tx = fastGlyph->x;\n\ty = fastGlyph->y;\n\n\tif (opBottom == -32768)\n\t{\n\t\tBYTE flags = (BYTE)(opTop & 0x0F);\n\n\t\tif (flags & 0x01)\n\t\t\topBottom = fastGlyph->bkBottom;\n\n\t\tif (flags & 0x02)\n\t\t\topRight = fastGlyph->bkRight;\n\n\t\tif (flags & 0x04)\n\t\t\topTop = fastGlyph->bkTop;\n\n\t\tif (flags & 0x08)\n\t\t\topLeft = fastGlyph->bkLeft;\n\t}\n\n\tif (opLeft == 0)\n\t\topLeft = fastGlyph->bkLeft;\n\n\tif (opRight == 0)\n\t\topRight = fastGlyph->bkRight;\n\n\t/* See update_gdi_fast_index opRight comment. 
*/\n\tif (opRight > (INT64)context->instance->settings->DesktopWidth)\n\t\topRight = (int)context->instance->settings->DesktopWidth;\n\n\tif (x == -32768)\n\t\tx = fastGlyph->bkLeft;\n\n\tif (y == -32768)\n\t\ty = fastGlyph->bkTop;\n\n\tif ((fastGlyph->cbData > 1) && (fastGlyph->glyphData.aj))\n\t{\n\t\t/* got option font that needs to go into cache */\n\t\trdpGlyph* glyph;\n\t\tconst GLYPH_DATA_V2* glyphData = &fastGlyph->glyphData;\n\n\t\tglyph = Glyph_Alloc(context, glyphData->x, glyphData->y, glyphData->cx, glyphData->cy,\n\t\t glyphData->cb, glyphData->aj);\n\n\t\tif (!glyph)\n\t\t\treturn FALSE;\n\n\t\tif (!glyph_cache_put(cache->glyph, fastGlyph->cacheId, fastGlyph->data[0], glyph))\n\t\t{\n\t\t\tglyph->Free(context, glyph);\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\ttext_data[0] = fastGlyph->data[0];\n\ttext_data[1] = 0;\n\n\tif (fastGlyph->bkRight > fastGlyph->bkLeft)\n\t\tbkWidth = fastGlyph->bkRight - fastGlyph->bkLeft + 1;\n\n\tif (fastGlyph->bkBottom > fastGlyph->bkTop)\n\t\tbkHeight = fastGlyph->bkBottom - fastGlyph->bkTop + 1;\n\n\tif (opRight > opLeft)\n\t\topWidth = opRight - opLeft + 1;\n\n\tif (opBottom > opTop)\n\t\topHeight = opBottom - opTop + 1;\n\n\treturn update_process_glyph_fragments(\n\t context, text_data, sizeof(text_data), fastGlyph->cacheId, fastGlyph->ulCharInc,\n\t fastGlyph->flAccel, fastGlyph->backColor, fastGlyph->foreColor, x, y, fastGlyph->bkLeft,\n\t fastGlyph->bkTop, bkWidth, bkHeight, opLeft, opTop, opWidth, opHeight, FALSE);\n}", "project": "FreeRDP", "hash": 41929801464715391817233925733533118762, "size": 93, "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 0, "dataset": "other", "idx": 432856 }, { "func": "static void deleteScanners(struct single_flow_info *scanners) {\n struct single_flow_info *s, *tmp;\n struct port_flow_info *p, *tmp2;\n\n HASH_ITER(hh, scanners, s, tmp) {\n 
HASH_ITER(hh, s->ports, p, tmp2) {\n if(s->ports) HASH_DEL(s->ports, p);\n free(p);\n }\n HASH_DEL(scanners, s);\n free(s);\n }\n}", "project": "nDPI", "hash": 281678950192541602069174586043573719585, "size": 13, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254817 }, { "func": "static void terminate_walk(struct nameidata *nd)\n{\n\tdrop_links(nd);\n\tif (!(nd->flags & LOOKUP_RCU)) {\n\t\tint i;\n\t\tpath_put(&nd->path);\n\t\tfor (i = 0; i < nd->depth; i++)\n\t\t\tpath_put(&nd->stack[i].link);\n\t\tif (nd->flags & LOOKUP_ROOT_GRABBED) {\n\t\t\tpath_put(&nd->root);\n\t\t\tnd->flags &= ~LOOKUP_ROOT_GRABBED;\n\t\t}\n\t} else {\n\t\tnd->flags &= ~LOOKUP_RCU;\n\t\trcu_read_unlock();\n\t}\n\tnd->depth = 0;\n}", "project": "linux", "hash": 242649041444200570236883642846794575709, "size": 18, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295407 }, { "func": "static int hidinput_get_battery_property(struct power_supply *psy,\n\t\t\t\t\t enum power_supply_property prop,\n\t\t\t\t\t union power_supply_propval *val)\n{\n\tstruct hid_device *dev = power_supply_get_drvdata(psy);\n\tint value;\n\tint ret = 0;\n\n\tswitch (prop) {\n\tcase POWER_SUPPLY_PROP_PRESENT:\n\tcase POWER_SUPPLY_PROP_ONLINE:\n\t\tval->intval = 1;\n\t\tbreak;\n\n\tcase POWER_SUPPLY_PROP_CAPACITY:\n\t\tif (dev->battery_status != HID_BATTERY_REPORTED &&\n\t\t !dev->battery_avoid_query) {\n\t\t\tvalue = hidinput_query_battery_capacity(dev);\n\t\t\tif (value < 
0)\n\t\t\t\treturn value;\n\t\t} else {\n\t\t\tvalue = dev->battery_capacity;\n\t\t}\n\n\t\tval->intval = value;\n\t\tbreak;\n\n\tcase POWER_SUPPLY_PROP_MODEL_NAME:\n\t\tval->strval = dev->name;\n\t\tbreak;\n\n\tcase POWER_SUPPLY_PROP_STATUS:\n\t\tif (dev->battery_status != HID_BATTERY_REPORTED &&\n\t\t !dev->battery_avoid_query) {\n\t\t\tvalue = hidinput_query_battery_capacity(dev);\n\t\t\tif (value < 0)\n\t\t\t\treturn value;\n\n\t\t\tdev->battery_capacity = value;\n\t\t\tdev->battery_status = HID_BATTERY_QUERIED;\n\t\t}\n\n\t\tif (dev->battery_status == HID_BATTERY_UNKNOWN)\n\t\t\tval->intval = POWER_SUPPLY_STATUS_UNKNOWN;\n\t\telse if (dev->battery_capacity == 100)\n\t\t\tval->intval = POWER_SUPPLY_STATUS_FULL;\n\t\telse\n\t\t\tval->intval = POWER_SUPPLY_STATUS_DISCHARGING;\n\t\tbreak;\n\n\tcase POWER_SUPPLY_PROP_SCOPE:\n\t\tval->intval = POWER_SUPPLY_SCOPE_DEVICE;\n\t\tbreak;\n\n\tdefault:\n\t\tret = -EINVAL;\n\t\tbreak;\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 287557949231494518625508235336530248457, "size": 61, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458402 }, { "func": "int 
tty_unregister_driver(struct tty_driver *driver)\n{\n#if 0\n\t/* FIXME */\n\tif (driver->refcount)\n\t\treturn -EBUSY;\n#endif\n\tunregister_chrdev_region(MKDEV(driver->major, driver->minor_start),\n\t\t\t\tdriver->num);\n\tmutex_lock(&tty_mutex);\n\tlist_del(&driver->tty_drivers);\n\tmutex_unlock(&tty_mutex);\n\treturn 0;\n}", "project": "linux", "hash": 246747221275095196290157422693501461407, "size": 14, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325976 }, { "func": "static void fuse_file_put(struct fuse_file *ff, bool sync, bool isdir)\n{\n\tif (refcount_dec_and_test(&ff->count)) {\n\t\tstruct fuse_args *args = &ff->release_args->args;\n\n\t\tif (isdir ? ff->fm->fc->no_opendir : ff->fm->fc->no_open) {\n\t\t\t/* Do nothing when client does not implement 'open' */\n\t\t\tfuse_release_end(ff->fm, args, 0);\n\t\t} else if (sync) {\n\t\t\tfuse_simple_request(ff->fm, args);\n\t\t\tfuse_release_end(ff->fm, args, 0);\n\t\t} else {\n\t\t\targs->end = fuse_release_end;\n\t\t\tif (fuse_simple_background(ff->fm, args,\n\t\t\t\t\t\t GFP_KERNEL | __GFP_NOFAIL))\n\t\t\t\tfuse_release_end(ff->fm, args, -ENOTCONN);\n\t\t}\n\t\tkfree(ff);\n\t}\n}", "project": "linux", "hash": 205299854741459145999076378062764253028, "size": 20, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342042 }, { "func": " bool check_cols(uint c)\n {\n return (result_type() == ROW_RESULT ?\n orig_item->check_cols(c) :\n Item::check_cols(c));\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 198713463670198151946252756874020865421, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509167 }, { "func": "static int zstd_wrap_decompress(struct thread_context* thread_context,\n const char* input, size_t compressed_length,\n char* output, size_t maxout) {\n size_t code;\n blosc2_context* context = thread_context->parent_context;\n\n if (thread_context->zstd_dctx == NULL) {\n thread_context->zstd_dctx = ZSTD_createDCtx();\n }\n\n if (context->use_dict) {\n assert(context->dict_ddict != NULL);\n code = ZSTD_decompress_usingDDict(\n thread_context->zstd_dctx, (void*)output, maxout, (void*)input,\n compressed_length, context->dict_ddict);\n } else {\n code = ZSTD_decompressDCtx(thread_context->zstd_dctx,\n (void*)output, maxout, (void*)input, compressed_length);\n }\n if (ZSTD_isError(code) != ZSTD_error_no_error) {\n fprintf(stderr, \"Error in ZSTD decompression: '%s'. Giving up.\\n\",\n ZDICT_getErrorName(code));\n return 0;\n }\n return (int)code;\n}", "project": "c-blosc2", "hash": 283243316909596087197028163048837436734, "size": 26, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303091 }, { "func": "static int test_append(struct libmnt_test *ts, int argc, char *argv[])\n{\n\tconst char *value = NULL, *name;\n\tchar *optstr;\n\tint rc;\n\n\tif (argc < 3)\n\t\treturn -EINVAL;\n\toptstr = xstrdup(argv[1]);\n\tname = argv[2];\n\n\tif (argc == 4)\n\t\tvalue = argv[3];\n\n\trc = mnt_optstr_append_option(&optstr, name, value);\n\tif (!rc)\n\t\tprintf(\"result: >%s<\\n\", optstr);\n\tfree(optstr);\n\treturn rc;\n}", "project": "util-linux", "hash": 205787988364395190409112547997287500237, "size": 20, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper 
UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410410 }, { "func": "static void ep_show_fdinfo(struct seq_file *m, struct file *f)\n{\n\tstruct eventpoll *ep = f->private_data;\n\tstruct rb_node *rbp;\n\n\tmutex_lock(&ep->mtx);\n\tfor (rbp = rb_first_cached(&ep->rbr); rbp; rbp = rb_next(rbp)) {\n\t\tstruct epitem *epi = rb_entry(rbp, struct epitem, rbn);\n\t\tstruct inode *inode = file_inode(epi->ffd.file);\n\n\t\tseq_printf(m, \"tfd: %8d events: %8x data: %16llx \"\n\t\t\t \" pos:%lli ino:%lx sdev:%x\\n\",\n\t\t\t epi->ffd.fd, epi->event.events,\n\t\t\t (long long)epi->event.data,\n\t\t\t (long long)epi->ffd.file->f_pos,\n\t\t\t inode->i_ino, inode->i_sb->s_dev);\n\t\tif (seq_has_overflowed(m))\n\t\t\tbreak;\n\t}\n\tmutex_unlock(&ep->mtx);\n}", "project": "linux", "hash": 118856697599720424687327131144414597416, "size": 21, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336244 }, { "func": "void CServer::SendMap(int ClientID)\n{\n\tCMsgPacker Msg(NETMSG_MAP_CHANGE, true);\n\tMsg.AddString(GetMapName(), 0);\n\tMsg.AddInt(m_CurrentMapCrc);\n\tMsg.AddInt(m_CurrentMapSize);\n\tMsg.AddInt(m_MapChunksPerRequest);\n\tMsg.AddInt(MAP_CHUNK_SIZE);\n\tMsg.AddRaw(&m_CurrentMapSha256, sizeof(m_CurrentMapSha256));\n\tSendMsg(&Msg, MSGFLAG_VITAL|MSGFLAG_FLUSH, ClientID);\n}", "project": "teeworlds", "hash": 303252465203613184114467315720133446078, "size": 11, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 381992 }, { "func": "static void exif_thumbnail_extract(image_info_type *ImageInfo,\n char *offset, size_t length) {\n if (ImageInfo->Thumbnail.data) {\n raise_warning(\"Multiple possible thumbnails\");\n return; /* Should not happen */\n }\n if 
(!ImageInfo->read_thumbnail) {\n return; /* ignore this call */\n }\n /* according to exif2.1, the thumbnail is not supposed to be greater\n than 64K */\n if (ImageInfo->Thumbnail.size >= 65536 ||\n ImageInfo->Thumbnail.size <= 0 ||\n ImageInfo->Thumbnail.offset <= 0) {\n raise_warning(\"Illegal thumbnail size/offset\");\n return;\n }\n /* Check to make sure we are not going to go past the ExifLength */\n if ((ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length) {\n raise_warning(\"Thumbnail goes IFD boundary or end of file reached\");\n return;\n }\n PHP_STRNDUP(ImageInfo->Thumbnail.data, offset + ImageInfo->Thumbnail.offset,\n ImageInfo->Thumbnail.size);\n exif_thumbnail_build(ImageInfo);\n}", "project": "hhvm", "hash": 174706382297125494343742679967243457746, "size": 26, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219544 }, { "func": "void init_netbios_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)\n{\n ndpi_set_bitmask_protocol_detection(\"NETBIOS\", ndpi_struct, detection_bitmask, *id,\n\t\t\t\t NDPI_PROTOCOL_NETBIOS,\n\t\t\t\t ndpi_search_netbios,\n\t\t\t\t NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,\n\t\t\t\t SAVE_DETECTION_BITMASK_AS_UNKNOWN,\n\t\t\t\t ADD_TO_DETECTION_BITMASK);\n\n *id += 1;\n}", "project": "nDPI", "hash": 217778911706103777212915908109603983088, "size": 11, "commit_id": "1ec621c85b9411cc611652fd57a892cfef478af3", "message": "Added further checks", "target": 0, "dataset": "other", "idx": 234092 }, { "func": "static int io_recvmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)\n{\n\tstruct io_sr_msg *sr = &req->sr_msg;\n\n\tif (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))\n\t\treturn -EINVAL;\n\n\tsr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));\n\tsr->len = 
READ_ONCE(sqe->len);\n\tsr->bgid = READ_ONCE(sqe->buf_group);\n\tsr->msg_flags = READ_ONCE(sqe->msg_flags) | MSG_NOSIGNAL;\n\tif (sr->msg_flags & MSG_DONTWAIT)\n\t\treq->flags |= REQ_F_NOWAIT;\n\n#ifdef CONFIG_COMPAT\n\tif (req->ctx->compat)\n\t\tsr->msg_flags |= MSG_CMSG_COMPAT;\n#endif\n\treturn 0;\n}", "project": "linux", "hash": 130398944121917020095711855454140758608, "size": 20, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338650 }, { "func": "int mp4read_open(char *name)\n{\n uint32_t atomsize;\n int ret;\n\n mp4read_close();\n\n g_fin = faad_fopen(name, \"rb\");\n if (!g_fin)\n return ERR_FAIL;\n\n if (mp4config.verbose.header)\n fprintf(stderr, \"**** MP4 header ****\\n\");\n g_atom = g_head;\n atomsize = INT_MAX;\n if (parse(&atomsize) < 0)\n goto err;\n g_atom = g_moov;\n atomsize = INT_MAX;\n rewind(g_fin);\n if ((ret = parse(&atomsize)) < 0)\n {\n fprintf(stderr, \"parse:%d\\n\", ret);\n goto err;\n }\n\n // alloc frame buffer\n mp4config.bitbuf.data = malloc(mp4config.frame.maxsize);\n\n if (!mp4config.bitbuf.data)\n goto err;\n\n if (mp4config.verbose.header)\n {\n mp4info();\n fprintf(stderr, \"********************\\n\");\n }\n\n if (mp4config.verbose.tags)\n {\n rewind(g_fin);\n g_atom = 
g_meta1;\n atomsize = INT_MAX;\n ret = parse(&atomsize);\n if (ret < 0)\n {\n rewind(g_fin);\n g_atom = g_meta2;\n atomsize = INT_MAX;\n ret = parse(&atomsize);\n }\n }\n\n return ERR_OK;\nerr:\n mp4read_close();\n return ERR_FAIL;\n}", "project": "faad2", "hash": 249858116907371755516911942604522309435, "size": 58, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221438 }, { "func": " bool agg_arg_charsets_for_string_result(DTCollation &c,\n Item **items, uint nitems,\n int item_sep= 1)\n {\n uint flags= MY_COLL_ALLOW_SUPERSET_CONV |\n MY_COLL_ALLOW_COERCIBLE_CONV |\n MY_COLL_ALLOW_NUMERIC_CONV;\n return agg_arg_charsets(c, items, nitems, flags, item_sep);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 229454471091480419363811044717874123390, "size": 9, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. 
This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508968 }, { "func": "static void nfs4_open_done(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs4_opendata *data = calldata;\n\n\tdata->rpc_status = task->tk_status;\n\n\tif (!nfs4_sequence_process(task, &data->o_res.seq_res))\n\t\treturn;\n\n\tif (task->tk_status == 0) {\n\t\tif (data->o_res.f_attr->valid & NFS_ATTR_FATTR_TYPE) {\n\t\t\tswitch (data->o_res.f_attr->mode & S_IFMT) {\n\t\t\tcase S_IFREG:\n\t\t\t\tbreak;\n\t\t\tcase S_IFLNK:\n\t\t\t\tdata->rpc_status = -ELOOP;\n\t\t\t\tbreak;\n\t\t\tcase S_IFDIR:\n\t\t\t\tdata->rpc_status = -EISDIR;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tdata->rpc_status = -ENOTDIR;\n\t\t\t}\n\t\t}\n\t\trenew_lease(data->o_res.server, data->timestamp);\n\t\tif (!(data->o_res.rflags & NFS4_OPEN_RESULT_CONFIRM))\n\t\t\tnfs_confirm_seqid(&data->owner->so_seqid, 0);\n\t}\n\tdata->rpc_done = true;\n}", "project": "linux", "hash": 22700097922930468134133398148081469232, "size": 30, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431230 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "int query_sgx_status()\n{\n sgx_device_status_t sgx_device_status;\n sgx_status_t sgx_ret = sgx_enable_device(&sgx_device_status);\n if (sgx_ret != SGX_SUCCESS) {\n printf(\"Failed to get SGX device status.\\n\");\n 
return -1;\n }\n else {\n switch (sgx_device_status) {\n case SGX_ENABLED:\n return 0;\n case SGX_DISABLED_REBOOT_REQUIRED:\n printf(\"SGX device has been enabled. Please reboot your machine.\\n\");\n return -1;\n case SGX_DISABLED_LEGACY_OS:\n printf(\"SGX device can't be enabled on an OS that doesn't support EFI interface.\\n\");\n return -1;\n case SGX_DISABLED:\n printf(\"SGX device not found.\\n\");\n return -1;\n default:\n printf(\"Unexpected error.\\n\");\n return -1;\n }\n }\n}", "idx": 519059, "cwe": "CWE-787", "hash": 104504049287531787574777563572260526435, "dataset": "other" }, { "func": "unsigned long\nphp_mysqlnd_net_field_length(zend_uchar **packet)\n{\n\tregister zend_uchar *p= (zend_uchar *)*packet;\n\n\tif (*p < 251) {\n\t\t(*packet)++;\n\t\treturn (unsigned long) *p;\n\t}\n\n\tswitch (*p) {\n\t\tcase 251:\n\t\t\t(*packet)++;\n\t\t\treturn MYSQLND_NULL_LENGTH;\n\t\tcase 252:\n\t\t\t(*packet) += 3;\n\t\t\treturn (unsigned long) uint2korr(p+1);\n\t\tcase 253:\n\t\t\t(*packet) += 4;\n\t\t\treturn (unsigned long) uint3korr(p+1);\n\t\tdefault:\n\t\t\t(*packet) += 9;\n\t\t\treturn (unsigned long) uint4korr(p+1);\n\t}", "project": "php-src", "hash": 80095402990839168576424085314394068800, "size": 24, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416666 }, { "func": "static void hci_cc_read_def_link_policy(struct hci_dev *hdev,\n\t\t\t\t\tstruct sk_buff *skb)\n{\n\tstruct hci_rp_read_def_link_policy *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->link_policy = __le16_to_cpu(rp->policy);\n}", "project": "linux", "hash": 313298966030849572781128836420418091540, "size": 12, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is 
insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432003 }, { "func": "static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * value_ptr, int value_len, char *offset_base, size_t IFDlength, size_t displacement)\n{\n\tsize_t i;\n\tint de, section_index = SECTION_MAKERNOTE;\n\tint NumDirEntries, old_motorola_intel, offset_diff;\n\tconst maker_note_type *maker_note;\n\tchar *dir_start;\n\tint data_len;\n\n\tfor (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) {\n\t\tif (i==sizeof(maker_note_array)/sizeof(maker_note_type)) {\n#ifdef EXIF_DEBUG\n\t\t\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"No maker note data found. 
Detected maker: %s (length = %d)\", ImageInfo->make, strlen(ImageInfo->make));\n#endif\n\t\t\t/* unknown manufacturer, not an error, use it as a string */\n\t\t\treturn TRUE;\n\t\t}\n\n\t\tmaker_note = maker_note_array+i;\n\n\t\t/*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"check (%s,%s)\", maker_note->make?maker_note->make:\"\", maker_note->model?maker_note->model:\"\");*/\n\t\tif (maker_note->make && (!ImageInfo->make || strcmp(maker_note->make, ImageInfo->make)))\n\t\t\tcontinue;\n\t\tif (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model)))\n\t\t\tcontinue;\n\t\tif (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))\n\t\t\tcontinue;\n\t\tbreak;\n\t}\n\n\tif (value_len < 2 || maker_note->offset >= value_len - 1) {\n\t\t/* Do not go past the value end */\n\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"IFD data too short: 0x%04X offset 0x%04X\", value_len, maker_note->offset);\n\t\treturn FALSE;\n\t}\n\n\tdir_start = value_ptr + maker_note->offset;\n\n#ifdef EXIF_DEBUG\n\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Process %s @x%04X + 0x%04X=%d: %s\", exif_get_sectionname(section_index), (int)dir_start-(int)offset_base+maker_note->offset+displacement, value_len, value_len, exif_char_dump(value_ptr, value_len, (int)dir_start-(int)offset_base+maker_note->offset+displacement));\n#endif\n\n\tImageInfo->sections_found |= FOUND_MAKERNOTE;\n\n\told_motorola_intel = ImageInfo->motorola_intel;\n\tswitch (maker_note->byte_order) {\n\t\tcase MN_ORDER_INTEL:\n\t\t\tImageInfo->motorola_intel = 0;\n\t\t\tbreak;\n\t\tcase MN_ORDER_MOTOROLA:\n\t\t\tImageInfo->motorola_intel = 1;\n\t\t\tbreak;\n\t\tdefault:\n\t\tcase MN_ORDER_NORMAL:\n\t\t\tbreak;\n\t}\n\n\tNumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);\n\n\tswitch (maker_note->offset_mode) {\n\t\tcase MN_OFFSET_MAKER:\n\t\t\toffset_base = 
value_ptr;\n\t\t\tdata_len = value_len;\n\t\t\tbreak;\n\t\tcase MN_OFFSET_GUESS:\n\t\t\tif (maker_note->offset + 10 + 4 >= value_len) {\n\t\t\t\t/* Can not read dir_start+10 since it's beyond value end */\n\t\t\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"IFD data too short: 0x%04X\", value_len);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t\toffset_diff = 2 + NumDirEntries*12 + 4 - php_ifd_get32u(dir_start+10, ImageInfo->motorola_intel);\n#ifdef EXIF_DEBUG\n\t\t\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Using automatic offset correction: 0x%04X\", ((int)dir_start-(int)offset_base+maker_note->offset+displacement) + offset_diff);\n#endif\n\t\t\tif (offset_diff < 0 || offset_diff >= value_len ) {\n\t\t\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"IFD data bad offset: 0x%04X length 0x%04X\", offset_diff, value_len);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t\toffset_base = value_ptr + offset_diff;\n\t\t\tdata_len = value_len - offset_diff;\n\t\t\tbreak;\n\t\tdefault:\n\t\tcase MN_OFFSET_NORMAL:\n\t\t\tdata_len = value_len;\n\t\t\tbreak;\n\t}\n\n\tif ((2+NumDirEntries*12) > value_len) {\n\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X\", NumDirEntries, 2+NumDirEntries*12, value_len);\n\t\treturn FALSE;\n\t}\n\n\tfor (de=0;detag_table)) {\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\tImageInfo->motorola_intel = old_motorola_intel;\n/*\tNextDirOffset (must be NULL) = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);*/\n#ifdef EXIF_DEBUG\n\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Subsection %s done\", exif_get_sectionname(SECTION_MAKERNOTE));\n#endif\n\treturn TRUE;\n}", "project": "php-src", "hash": 21602760048140945903631443135683774566, "size": 105, "commit_id": "f3aefc6d071b807ddacae0a0bc49f09c38e18490", "message": "Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s", 
"target": 1, "dataset": "other", "idx": 210735 }, { "func": "static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * value_ptr, int value_len, char *offset_base, size_t IFDlength, size_t displacement TSRMLS_DC)\n{\n\tint de, i=0, section_index = SECTION_MAKERNOTE;\n\tint NumDirEntries, old_motorola_intel, offset_diff;\n\tconst maker_note_type *maker_note;\n\tchar *dir_start;\n\n\tfor (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) {\n\t\tif (i==sizeof(maker_note_array)/sizeof(maker_note_type)) {\n#ifdef EXIF_DEBUG\n\t\t\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"No maker note data found. Detected maker: %s (length = %d)\", ImageInfo->make, strlen(ImageInfo->make));\n#endif\n\t\t\t/* unknown manufacturer, not an error, use it as a string */\n\t\t\treturn TRUE;\n\t\t}\n\n\t\tmaker_note = maker_note_array+i;\n\n\t\t/*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"check (%s,%s)\", maker_note->make?maker_note->make:\"\", maker_note->model?maker_note->model:\"\");*/\n\t\tif (maker_note->make && (!ImageInfo->make || strcmp(maker_note->make, ImageInfo->make)))\n\t\t\tcontinue;\n\t\tif (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model)))\n\t\t\tcontinue;\n\t\tif (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))\n\t\t\tcontinue;\n\t\tbreak;\n\t}\n\n\tif (maker_note->offset >= value_len) {\n\t\t/* Do not go past the value end */\n\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"IFD data too short: 0x%04X offset 0x%04X\", value_len, maker_note->offset);\n\t\treturn FALSE;\n\t}\n\n\tdir_start = value_ptr + maker_note->offset;\n\n#ifdef EXIF_DEBUG\n\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Process %s @x%04X + 0x%04X=%d: %s\", exif_get_sectionname(section_index), (int)dir_start-(int)offset_base+maker_note->offset+displacement, value_len, value_len, exif_char_dump(value_ptr, 
value_len, (int)dir_start-(int)offset_base+maker_note->offset+displacement));\n#endif\n\n\tImageInfo->sections_found |= FOUND_MAKERNOTE;\n\n\told_motorola_intel = ImageInfo->motorola_intel;\n\tswitch (maker_note->byte_order) {\n\t\tcase MN_ORDER_INTEL:\n\t\t\tImageInfo->motorola_intel = 0;\n\t\t\tbreak;\n\t\tcase MN_ORDER_MOTOROLA:\n\t\t\tImageInfo->motorola_intel = 1;\n\t\t\tbreak;\n\t\tdefault:\n\t\tcase MN_ORDER_NORMAL:\n\t\t\tbreak;\n\t}\n\n\tNumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);\n\n\tswitch (maker_note->offset_mode) {\n\t\tcase MN_OFFSET_MAKER:\n\t\t\toffset_base = value_ptr;\n\t\t\tbreak;\n\t\tcase MN_OFFSET_GUESS:\n\t\t\tif (maker_note->offset + 10 + 4 >= value_len) {\n\t\t\t\t/* Can not read dir_start+10 since it's beyond value end */\n\t\t\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"IFD data too short: 0x%04X\", value_len);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t\toffset_diff = 2 + NumDirEntries*12 + 4 - php_ifd_get32u(dir_start+10, ImageInfo->motorola_intel);\n#ifdef EXIF_DEBUG\n\t\t\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Using automatic offset correction: 0x%04X\", ((int)dir_start-(int)offset_base+maker_note->offset+displacement) + offset_diff);\n#endif\n\t\t\tif (offset_diff < 0 || offset_diff >= value_len ) {\n\t\t\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"IFD data bad offset: 0x%04X length 0x%04X\", offset_diff, value_len);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t\toffset_base = value_ptr + offset_diff;\n\t\t\tbreak;\n\t\tdefault:\n\t\tcase MN_OFFSET_NORMAL:\n\t\t\tbreak;\n\t}\n\n\tif ((2+NumDirEntries*12) > value_len) {\n\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X\", NumDirEntries, 2+NumDirEntries*12, value_len);\n\t\treturn FALSE;\n\t}\n\n\tfor (de=0;detag_table TSRMLS_CC)) {\n\t\t\treturn 
FALSE;\n\t\t}\n\t}\n\tImageInfo->motorola_intel = old_motorola_intel;\n/*\tNextDirOffset (must be NULL) = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);*/\n#ifdef EXIF_DEBUG\n\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Subsection %s done\", exif_get_sectionname(SECTION_MAKERNOTE));\n#endif\n\treturn TRUE;\n}", "project": "php-src", "hash": 22189568364832264784102840174267992879, "size": 100, "commit_id": "3462efa386f26d343062094514af604c29e3edce", "message": "Fix bug #76557: heap-buffer-overflow (READ of size 48) while reading exif data\n\nUse MAKERNOTE length as data size.", "target": 1, "dataset": "other", "idx": 215213 }, { "func": "static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo,\n char * value_ptr, int value_len,\n char *offset_base, size_t IFDlength,\n size_t displacement) {\n int de, section_index = SECTION_MAKERNOTE;\n int NumDirEntries, old_motorola_intel, offset_diff;\n const maker_note_type *maker_note;\n char *dir_start;\n char *value_end = value_ptr + value_len;\n\n for (unsigned int i=0;\n i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) {\n if (i==sizeof(maker_note_array)/sizeof(maker_note_type))\n return 0;\n maker_note = maker_note_array+i;\n\n if (maker_note->make &&\n (!ImageInfo->make || strcmp(maker_note->make, ImageInfo->make))) {\n continue;\n }\n if (maker_note->model &&\n (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model))) {\n continue;\n }\n if (maker_note->id_string &&\n strncmp(maker_note->id_string, value_ptr,\n (maker_note->id_string_len < value_len ?\n maker_note->id_string_len : value_len))) {\n continue;\n }\n break;\n }\n\n if (value_len < 2 || maker_note->offset >= value_len - 1) {\n raise_warning(\"IFD data too short: 0x%04X offset 0x%04X\", value_len, maker_note->offset);\n return 0;\n }\n\n dir_start = value_ptr + maker_note->offset;\n ImageInfo->sections_found |= FOUND_MAKERNOTE;\n\n old_motorola_intel = ImageInfo->motorola_intel;\n switch 
(maker_note->byte_order) {\n case MN_ORDER_INTEL:\n ImageInfo->motorola_intel = 0;\n break;\n case MN_ORDER_MOTOROLA:\n ImageInfo->motorola_intel = 1;\n break;\n default:\n case MN_ORDER_NORMAL:\n break;\n }\n if (value_end - dir_start < 2) return 0;\n NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);\n\n switch (maker_note->offset_mode) {\n case MN_OFFSET_MAKER:\n offset_base = value_ptr;\n break;\n case MN_OFFSET_GUESS:\n if (value_end - (dir_start+10) < 4) return 0;\n offset_diff = 2 + NumDirEntries*12 + 4 -\n php_ifd_get32u(dir_start+10, ImageInfo->motorola_intel);\n if (offset_diff < 0 || offset_diff >= value_len) return 0;\n offset_base = value_ptr + offset_diff;\n break;\n default:\n case MN_OFFSET_NORMAL:\n break;\n }\n\n if ((2+NumDirEntries*12) > value_len) {\n raise_warning(\"Illegal IFD size: 2 + x%04X*12 = x%04X > x%04X\",\n NumDirEntries, 2+NumDirEntries*12, value_len);\n return 0;\n }\n if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) {\n raise_warning(\"Illegal IFD size: 0x%04lX > 0x%04X\",\n (dir_start - value_ptr) + (2+NumDirEntries*12),\n value_len);\n return 0;\n }\n\n for (de=0;detag_table)) {\n return 0;\n }\n }\n ImageInfo->motorola_intel = old_motorola_intel;\n return 0;\n}", "project": "hhvm", "hash": 338073978721442319188162831476397068420, "size": 94, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219254 }, { "func": "static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * value_ptr, int value_len, char *offset_base, size_t IFDlength, size_t displacement)\n{\n\tsize_t i;\n\tint de, section_index = SECTION_MAKERNOTE;\n\tint NumDirEntries, old_motorola_intel;\n#ifdef KALLE_0\n\tint offset_diff;\n#endif\n\tconst maker_note_type *maker_note;\n\tchar *dir_start;\n\tint data_len;\n\n\tfor (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) 
{\n\t\tif (i==sizeof(maker_note_array)/sizeof(maker_note_type)) {\n#ifdef EXIF_DEBUG\n\t\t\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"No maker note data found. Detected maker: %s (length = %d)\", ImageInfo->make, strlen(ImageInfo->make));\n#endif\n\t\t\t/* unknown manufacturer, not an error, use it as a string */\n\t\t\treturn TRUE;\n\t\t}\n\n\t\tmaker_note = maker_note_array+i;\n\n\t\t/*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"check (%s)\", maker_note->make?maker_note->make:\"\");*/\n\t\tif (maker_note->make && (!ImageInfo->make || strcmp(maker_note->make, ImageInfo->make)))\n\t\t\tcontinue;\n\t\tif (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))\n\t\t\tcontinue;\n\t\tbreak;\n\t}\n\n\tif (value_len < 2 || maker_note->offset >= value_len - 1) {\n\t\t/* Do not go past the value end */\n\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"IFD data too short: 0x%04X offset 0x%04X\", value_len, maker_note->offset);\n\t\treturn FALSE;\n\t}\n\n\tdir_start = value_ptr + maker_note->offset;\n\n#ifdef EXIF_DEBUG\n\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Process %s @x%04X + 0x%04X=%d: %s\", exif_get_sectionname(section_index), (int)dir_start-(int)offset_base+maker_note->offset+displacement, value_len, value_len, exif_char_dump(value_ptr, value_len, (int)dir_start-(int)offset_base+maker_note->offset+displacement));\n#endif\n\n\tImageInfo->sections_found |= FOUND_MAKERNOTE;\n\n\told_motorola_intel = ImageInfo->motorola_intel;\n\tswitch (maker_note->byte_order) {\n\t\tcase MN_ORDER_INTEL:\n\t\t\tImageInfo->motorola_intel = 0;\n\t\t\tbreak;\n\t\tcase MN_ORDER_MOTOROLA:\n\t\t\tImageInfo->motorola_intel = 1;\n\t\t\tbreak;\n\t\tdefault:\n\t\tcase MN_ORDER_NORMAL:\n\t\t\tbreak;\n\t}\n\n\tNumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);\n\n\tswitch (maker_note->offset_mode) {\n\t\tcase MN_OFFSET_MAKER:\n\t\t\toffset_base = 
value_ptr;\n\t\t\tdata_len = value_len;\n\t\t\tbreak;\n#ifdef KALLE_0\n\t\tcase MN_OFFSET_GUESS:\n\t\t\tif (maker_note->offset + 10 + 4 >= value_len) {\n\t\t\t\t/* Can not read dir_start+10 since it's beyond value end */\n\t\t\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"IFD data too short: 0x%04X\", value_len);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t\toffset_diff = 2 + NumDirEntries*12 + 4 - php_ifd_get32u(dir_start+10, ImageInfo->motorola_intel);\n#ifdef EXIF_DEBUG\n\t\t\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Using automatic offset correction: 0x%04X\", ((int)dir_start-(int)offset_base+maker_note->offset+displacement) + offset_diff);\n#endif\n\t\t\tif (offset_diff < 0 || offset_diff >= value_len ) {\n\t\t\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"IFD data bad offset: 0x%04X length 0x%04X\", offset_diff, value_len);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t\toffset_base = value_ptr + offset_diff;\n\t\t\tdata_len = value_len - offset_diff;\n\t\t\tbreak;\n#endif\n\t\tdefault:\n\t\tcase MN_OFFSET_NORMAL:\n\t\t\tdata_len = value_len;\n\t\t\tbreak;\n\t}\n\n\tif ((2+NumDirEntries*12) > value_len) {\n\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X\", NumDirEntries, 2+NumDirEntries*12, value_len);\n\t\treturn FALSE;\n\t}\n\tif ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) {\n\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"Illegal IFD size: 0x%04X > 0x%04X\", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len);\n\t\treturn FALSE;\n\t}\n\n\tfor (de=0;detag_table)) {\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\tImageInfo->motorola_intel = old_motorola_intel;\n/*\tNextDirOffset (must be NULL) = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);*/\n#ifdef EXIF_DEBUG\n\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, 
\"Subsection %s done\", exif_get_sectionname(SECTION_MAKERNOTE));\n#endif\n\treturn TRUE;\n}", "project": "php-src", "hash": 188020261381849923170323586055140956037, "size": 112, "commit_id": "e648fa4699e8d072db6db34fcc09826e8127fab8", "message": "Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)\n\n(cherry picked from commit aeb6d13185a2ea4f1496ede2697469faed98ce05)", "target": 0, "dataset": "other", "idx": 335783 }, { "func": "static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * value_ptr, int value_len, char *offset_base, size_t IFDlength, size_t displacement TSRMLS_DC)\n{\n\tint de, i=0, section_index = SECTION_MAKERNOTE;\n\tint NumDirEntries, old_motorola_intel, offset_diff;\n\tconst maker_note_type *maker_note;\n\tchar *dir_start;\n\tint data_len;\n\n\tfor (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) {\n\t\tif (i==sizeof(maker_note_array)/sizeof(maker_note_type)) {\n#ifdef EXIF_DEBUG\n\t\t\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"No maker note data found. 
Detected maker: %s (length = %d)\", ImageInfo->make, strlen(ImageInfo->make));\n#endif\n\t\t\t/* unknown manufacturer, not an error, use it as a string */\n\t\t\treturn TRUE;\n\t\t}\n\n\t\tmaker_note = maker_note_array+i;\n\n\t\t/*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"check (%s,%s)\", maker_note->make?maker_note->make:\"\", maker_note->model?maker_note->model:\"\");*/\n\t\tif (maker_note->make && (!ImageInfo->make || strcmp(maker_note->make, ImageInfo->make)))\n\t\t\tcontinue;\n\t\tif (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model)))\n\t\t\tcontinue;\n\t\tif (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))\n\t\t\tcontinue;\n\t\tbreak;\n\t}\n\n\tif (maker_note->offset >= value_len) {\n\t\t/* Do not go past the value end */\n\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"IFD data too short: 0x%04X offset 0x%04X\", value_len, maker_note->offset);\n\t\treturn FALSE;\n\t}\n\n\tdir_start = value_ptr + maker_note->offset;\n\n#ifdef EXIF_DEBUG\n\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Process %s @x%04X + 0x%04X=%d: %s\", exif_get_sectionname(section_index), (int)dir_start-(int)offset_base+maker_note->offset+displacement, value_len, value_len, exif_char_dump(value_ptr, value_len, (int)dir_start-(int)offset_base+maker_note->offset+displacement));\n#endif\n\n\tImageInfo->sections_found |= FOUND_MAKERNOTE;\n\n\told_motorola_intel = ImageInfo->motorola_intel;\n\tswitch (maker_note->byte_order) {\n\t\tcase MN_ORDER_INTEL:\n\t\t\tImageInfo->motorola_intel = 0;\n\t\t\tbreak;\n\t\tcase MN_ORDER_MOTOROLA:\n\t\t\tImageInfo->motorola_intel = 1;\n\t\t\tbreak;\n\t\tdefault:\n\t\tcase MN_ORDER_NORMAL:\n\t\t\tbreak;\n\t}\n\n\tNumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);\n\n\tswitch (maker_note->offset_mode) {\n\t\tcase MN_OFFSET_MAKER:\n\t\t\toffset_base = value_ptr;\n\t\t\tdata_len = 
value_len;\n\t\t\tbreak;\n\t\tcase MN_OFFSET_GUESS:\n\t\t\tif (maker_note->offset + 10 + 4 >= value_len) {\n\t\t\t\t/* Can not read dir_start+10 since it's beyond value end */\n\t\t\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"IFD data too short: 0x%04X\", value_len);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t\toffset_diff = 2 + NumDirEntries*12 + 4 - php_ifd_get32u(dir_start+10, ImageInfo->motorola_intel);\n#ifdef EXIF_DEBUG\n\t\t\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Using automatic offset correction: 0x%04X\", ((int)dir_start-(int)offset_base+maker_note->offset+displacement) + offset_diff);\n#endif\n\t\t\tif (offset_diff < 0 || offset_diff >= value_len ) {\n\t\t\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"IFD data bad offset: 0x%04X length 0x%04X\", offset_diff, value_len);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t\toffset_base = value_ptr + offset_diff;\n\t\t\tdata_len = value_len - offset_diff;\n\t\t\tbreak;\n\t\tdefault:\n\t\tcase MN_OFFSET_NORMAL:\n\t\t\tbreak;\n\t}\n\n\tif ((2+NumDirEntries*12) > value_len) {\n\t\texif_error_docref(\"exif_read_data#error_ifd\" EXIFERR_CC, ImageInfo, E_WARNING, \"Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X\", NumDirEntries, 2+NumDirEntries*12, value_len);\n\t\treturn FALSE;\n\t}\n\n\tfor (de=0;detag_table TSRMLS_CC)) {\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\tImageInfo->motorola_intel = old_motorola_intel;\n/*\tNextDirOffset (must be NULL) = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);*/\n#ifdef EXIF_DEBUG\n\texif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, \"Subsection %s done\", exif_get_sectionname(SECTION_MAKERNOTE));\n#endif\n\treturn TRUE;\n}", "project": "php-src", "hash": 179703936053344348653074411508239418076, "size": 103, "commit_id": "3462efa386f26d343062094514af604c29e3edce", "message": "Fix bug #76557: heap-buffer-overflow (READ of size 48) while reading exif data\n\nUse MAKERNOTE length as 
data size.", "target": 0, "dataset": "other", "idx": 485283 }, { "func": "static int sctp_setsockopt_peer_addr_params(struct sock *sk,\n\t\t\t\t\t struct sctp_paddrparams *params,\n\t\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_transport *trans = NULL;\n\tstruct sctp_association *asoc = NULL;\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tint error;\n\tint hb_change, pmtud_change, sackdelay_change;\n\n\tif (optlen == ALIGN(offsetof(struct sctp_paddrparams,\n\t\t\t\t\t spp_ipv6_flowlabel), 4)) {\n\t\tif (params->spp_flags & (SPP_DSCP | SPP_IPV6_FLOWLABEL))\n\t\t\treturn -EINVAL;\n\t} else if (optlen != sizeof(*params)) {\n\t\treturn -EINVAL;\n\t}\n\n\t/* Validate flags and value parameters. */\n\thb_change = params->spp_flags & SPP_HB;\n\tpmtud_change = params->spp_flags & SPP_PMTUD;\n\tsackdelay_change = params->spp_flags & SPP_SACKDELAY;\n\n\tif (hb_change == SPP_HB ||\n\t pmtud_change == SPP_PMTUD ||\n\t sackdelay_change == SPP_SACKDELAY ||\n\t params->spp_sackdelay > 500 ||\n\t (params->spp_pathmtu &&\n\t params->spp_pathmtu < SCTP_DEFAULT_MINSEGMENT))\n\t\treturn -EINVAL;\n\n\t/* If an address other than INADDR_ANY is specified, and\n\t * no transport is found, then the request is invalid.\n\t */\n\tif (!sctp_is_any(sk, (union sctp_addr *)¶ms->spp_address)) {\n\t\ttrans = sctp_addr_id2transport(sk, ¶ms->spp_address,\n\t\t\t\t\t params->spp_assoc_id);\n\t\tif (!trans)\n\t\t\treturn -EINVAL;\n\t}\n\n\t/* Get association, if assoc_id != SCTP_FUTURE_ASSOC and the\n\t * socket is a one to many style socket, and an association\n\t * was not found, then the id was invalid.\n\t */\n\tasoc = sctp_id2assoc(sk, params->spp_assoc_id);\n\tif (!asoc && params->spp_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\t/* Heartbeat demand can only be sent on a transport or\n\t * association, but not a socket.\n\t */\n\tif (params->spp_flags & SPP_HB_DEMAND && !trans && !asoc)\n\t\treturn -EINVAL;\n\n\t/* Process parameters. 
*/\n\terror = sctp_apply_peer_addr_params(params, trans, asoc, sp,\n\t\t\t\t\t hb_change, pmtud_change,\n\t\t\t\t\t sackdelay_change);\n\n\tif (error)\n\t\treturn error;\n\n\t/* If changes are for association, also apply parameters to each\n\t * transport.\n\t */\n\tif (!trans && asoc) {\n\t\tlist_for_each_entry(trans, &asoc->peer.transport_addr_list,\n\t\t\t\ttransports) {\n\t\t\tsctp_apply_peer_addr_params(params, trans, asoc, sp,\n\t\t\t\t\t\t hb_change, pmtud_change,\n\t\t\t\t\t\t sackdelay_change);\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 260074251703018335399263115269025161882, "size": 78, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398175 }, { "func": "static OPJ_BOOL opj_j2k_write_all_coc(\n opj_j2k_t *p_j2k,\n struct opj_stream_private *p_stream,\n struct opj_event_mgr * p_manager)\n{\n OPJ_UINT32 compno;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n for (compno = 1; compno < p_j2k->m_private_image->numcomps; ++compno) {\n /* cod is first component of first tile */\n if (! 
opj_j2k_compare_coc(p_j2k, 0, compno)) {\n if (! opj_j2k_write_coc(p_j2k, compno, p_stream, p_manager)) {\n return OPJ_FALSE;\n }\n }\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 37636152966959443824488566624512614657, "size": 23, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357306 }, { "func": "AGGR_OP::put_record(bool end_of_records)\n{\n // Lasy tmp table creation/initialization\n if (!join_tab->table->file->inited)\n if (prepare_tmp_table())\n return NESTED_LOOP_ERROR;\n enum_nested_loop_state rc= (*write_func)(join_tab->join, join_tab,\n end_of_records);\n return rc;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 290347188017898073062572731353778011859, "size": 10, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508577 }, { "func": "static inline int nfs4_lock_type(struct file_lock *fl, int block)\n{\n\tif (fl->fl_type == F_RDLCK)\n\t\treturn block ? NFS4_READW_LT : NFS4_READ_LT;\n\treturn block ? NFS4_WRITEW_LT : NFS4_WRITE_LT;\n}", "project": "linux", "hash": 325462182803808691917207680705099072876, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431271 }, { "func": "static void fuse_invalidate_entry(struct dentry *entry)\n{\n\td_invalidate(entry);\n\tfuse_invalidate_entry_cache(entry);\n}", "project": "linux", "hash": 10166185306595712262754788841283204221, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342151 }, { "func": "\nstatic inline bool io_run_ctx_fallback(struct io_ring_ctx *ctx)\n{\n\treturn io_run_task_work_head(&ctx->exit_task_work);", "project": "linux", "hash": 197458905018770842793094208180606038344, "size": 4, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338553 }, { "func": "int imap_complete(char *buf, size_t buflen, const char *path)\n{\n struct ImapAccountData *adata = NULL;\n struct ImapMboxData *mdata = NULL;\n char tmp[2048];\n struct ImapList listresp = { 0 };\n char completion[1024];\n int clen;\n size_t matchlen = 0;\n int completions = 0;\n int rc;\n\n if (imap_adata_find(path, &adata, &mdata) < 0)\n {\n mutt_str_copy(buf, path, buflen);\n return complete_hosts(buf, buflen);\n }\n\n /* fire off command */\n snprintf(tmp, sizeof(tmp), \"%s \\\"\\\" \\\"%s%%\\\"\",\n C_ImapListSubscribed ? 
\"LSUB\" : \"LIST\", mdata->real_name);\n\n imap_cmd_start(adata, tmp);\n\n /* and see what the results are */\n mutt_str_copy(completion, mdata->name, sizeof(completion));\n imap_mdata_free((void *) &mdata);\n\n adata->cmdresult = &listresp;\n do\n {\n listresp.name = NULL;\n rc = imap_cmd_step(adata);\n\n if ((rc == IMAP_RES_CONTINUE) && listresp.name)\n {\n /* if the folder isn't selectable, append delimiter to force browse\n * to enter it on second tab. */\n if (listresp.noselect)\n {\n clen = strlen(listresp.name);\n listresp.name[clen++] = listresp.delim;\n listresp.name[clen] = '\\0';\n }\n /* copy in first word */\n if (!completions)\n {\n mutt_str_copy(completion, listresp.name, sizeof(completion));\n matchlen = strlen(completion);\n completions++;\n continue;\n }\n\n matchlen = longest_common_prefix(completion, listresp.name, 0, matchlen);\n completions++;\n }\n } while (rc == IMAP_RES_CONTINUE);\n adata->cmdresult = NULL;\n\n if (completions)\n {\n /* reformat output */\n imap_qualify_path(buf, buflen, &adata->conn->account, completion);\n mutt_pretty_mailbox(buf, buflen);\n return 0;\n }\n\n return -1;\n}", "project": "neomutt", "hash": 288717760491404051493146818935961641861, "size": 69, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357012 }, { "func": "static int wrmsr_interception(struct vcpu_svm *svm)\n{\n\treturn kvm_emulate_wrmsr(&svm->vcpu);\n}", "project": "linux", "hash": 11003260814379022647513855695263365184, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432491 }, { "func": "static int wrmsr_interception(struct vcpu_svm *svm)\n{\n\tstruct msr_data msr;\n\tu32 ecx = svm->vcpu.arch.regs[VCPU_REGS_RCX];\n\tu64 data = (svm->vcpu.arch.regs[VCPU_REGS_RAX] & -1u)\n\t\t| ((u64)(svm->vcpu.arch.regs[VCPU_REGS_RDX] & -1u) << 32);\n\n\tmsr.data = data;\n\tmsr.index = ecx;\n\tmsr.host_initiated = false;\n\n\tsvm->next_rip = kvm_rip_read(&svm->vcpu) + 2;\n\tif (kvm_set_msr(&svm->vcpu, &msr)) {\n\t\ttrace_kvm_msr_write_ex(ecx, data);\n\t\tkvm_inject_gp(&svm->vcpu, 0);\n\t} else {\n\t\ttrace_kvm_msr_write(ecx, data);\n\t\tskip_emulated_instruction(&svm->vcpu);\n\t}\n\treturn 1;\n}", "project": "kvm", "hash": 45391758632426974543840602672366993362, "size": 21, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437628 }, { "func": "static int nfs4_do_set_security_label(struct inode *inode,\n\t\tstruct nfs4_label *ilabel,\n\t\tstruct nfs_fattr *fattr,\n\t\tstruct nfs4_label *olabel)\n{\n\tstruct nfs4_exception exception = { };\n\tint err;\n\n\tdo {\n\t\terr = _nfs4_do_set_security_label(inode, ilabel,\n\t\t\t\tfattr, olabel);\n\t\ttrace_nfs4_set_security_label(inode, err);\n\t\terr = nfs4_handle_exception(NFS_SERVER(inode), err,\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 16345669015124389619254885918642200755, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before 
memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431417 }, { "func": "static void svm_pre_update_apicv_exec_ctrl(struct kvm *kvm, bool activate)\n{\n\tavic_update_access_page(kvm, activate);\n}", "project": "linux", "hash": 6427881846746888115772935830436726819, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432642 }, { "func": "static IMAP_COMMAND* cmd_new (IMAP_DATA* idata)\n{\n IMAP_COMMAND* cmd;\n\n if (cmd_queue_full (idata))\n {\n dprint (3, (debugfile, \"cmd_new: IMAP command queue full\\n\"));\n return NULL;\n }\n\n cmd = idata->cmds + idata->nextcmd;\n idata->nextcmd = (idata->nextcmd + 1) % idata->cmdslots;\n\n snprintf (cmd->seq, sizeof (cmd->seq), \"a%04u\", idata->seqno++);\n if (idata->seqno > 9999)\n idata->seqno = 0;\n\n cmd->state = IMAP_CMD_NEW;\n\n return cmd;\n}", "project": "mutt", "hash": 202376002173292262456860350097306682402, "size": 21, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338018 }, { "func": "static int process_block(struct archive_read* a) {\n\tconst uint8_t* p;\n\tstruct rar5* rar = get_context(a);\n\tint ret;\n\n\t/* If we don't have any data to be processed, this most probably means\n\t * we need to switch to the next volume. 
*/\n\tif(rar->main.volume && rar->file.bytes_remaining == 0) {\n\t\tret = advance_multivolume(a);\n\t\tif(ret != ARCHIVE_OK)\n\t\t\treturn ret;\n\t}\n\n\tif(rar->cstate.block_parsing_finished) {\n\t\tssize_t block_size;\n\t\tssize_t to_skip;\n\t\tssize_t cur_block_size;\n\n\t\t/* The header size won't be bigger than 6 bytes. */\n\t\tif(!read_ahead(a, 6, &p)) {\n\t\t\t/* Failed to prefetch data block header. */\n\t\t\treturn ARCHIVE_EOF;\n\t\t}\n\n\t\t/*\n\t\t * Read block_size by parsing block header. Validate the header\n\t\t * by calculating CRC byte stored inside the header. Size of\n\t\t * the header is not constant (block size can be stored either\n\t\t * in 1 or 2 bytes), that's why block size is left out from the\n\t\t * `compressed_block_header` structure and returned by\n\t\t * `parse_block_header` as the second argument. */\n\n\t\tret = parse_block_header(a, p, &block_size,\n\t\t &rar->last_block_hdr);\n\t\tif(ret != ARCHIVE_OK) {\n\t\t\treturn ret;\n\t\t}\n\n\t\t/* Skip block header. Next data is huffman tables,\n\t\t * if present. */\n\t\tto_skip = sizeof(struct compressed_block_header) +\n\t\t\tbf_byte_count(&rar->last_block_hdr) + 1;\n\n\t\tif(ARCHIVE_OK != consume(a, to_skip))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\trar->file.bytes_remaining -= to_skip;\n\n\t\t/* The block size gives information about the whole block size,\n\t\t * but the block could be stored in split form when using\n\t\t * multi-volume archives. In this case, the block size will be\n\t\t * bigger than the actual data stored in this file. Remaining\n\t\t * part of the data will be in another file. 
*/\n\n\t\tcur_block_size =\n\t\t\trar5_min(rar->file.bytes_remaining, block_size);\n\n\t\tif(block_size > rar->file.bytes_remaining) {\n\t\t\t/* If current blocks' size is bigger than our data\n\t\t\t * size, this means we have a multivolume archive.\n\t\t\t * In this case, skip all base headers until the end\n\t\t\t * of the file, proceed to next \"partXXX.rar\" volume,\n\t\t\t * find its signature, skip all headers up to the first\n\t\t\t * FILE base header, and continue from there.\n\t\t\t *\n\t\t\t * Note that `merge_block` will update the `rar`\n\t\t\t * context structure quite extensively. */\n\n\t\t\tret = merge_block(a, block_size, &p);\n\t\t\tif(ret != ARCHIVE_OK) {\n\t\t\t\treturn ret;\n\t\t\t}\n\n\t\t\tcur_block_size = block_size;\n\n\t\t\t/* Current stream pointer should be now directly\n\t\t\t * *after* the block that spanned through multiple\n\t\t\t * archive files. `p` pointer should have the data of\n\t\t\t * the *whole* block (merged from partial blocks\n\t\t\t * stored in multiple archives files). */\n\t\t} else {\n\t\t\trar->cstate.switch_multivolume = 0;\n\n\t\t\t/* Read the whole block size into memory. This can take\n\t\t\t * up to 8 megabytes of memory in theoretical cases.\n\t\t\t * Might be worth to optimize this and use a standard\n\t\t\t * chunk of 4kb's. */\n\t\t\tif(!read_ahead(a, 4 + cur_block_size, &p)) {\n\t\t\t\t/* Failed to prefetch block data. */\n\t\t\t\treturn ARCHIVE_EOF;\n\t\t\t}\n\t\t}\n\n\t\trar->cstate.block_buf = p;\n\t\trar->cstate.cur_block_size = cur_block_size;\n\t\trar->cstate.block_parsing_finished = 0;\n\n\t\trar->bits.in_addr = 0;\n\t\trar->bits.bit_addr = 0;\n\n\t\tif(bf_is_table_present(&rar->last_block_hdr)) {\n\t\t\t/* Load Huffman tables. */\n\t\t\tret = parse_tables(a, rar, p);\n\t\t\tif(ret != ARCHIVE_OK) {\n\t\t\t\t/* Error during decompression of Huffman\n\t\t\t\t * tables. */\n\t\t\t\treturn ret;\n\t\t\t}\n\t\t}\n\t} else {\n\t\t/* Block parsing not finished, reuse previous memory buffer. 
*/\n\t\tp = rar->cstate.block_buf;\n\t}\n\n\t/* Uncompress the block, or a part of it, depending on how many bytes\n\t * will be generated by uncompressing the block.\n\t *\n\t * In case too many bytes will be generated, calling this function\n\t * again will resume the uncompression operation. */\n\tret = do_uncompress_block(a, p);\n\tif(ret != ARCHIVE_OK) {\n\t\treturn ret;\n\t}\n\n\tif(rar->cstate.block_parsing_finished &&\n\t rar->cstate.switch_multivolume == 0 &&\n\t rar->cstate.cur_block_size > 0)\n\t{\n\t\t/* If we're processing a normal block, consume the whole\n\t\t * block. We can do this because we've already read the whole\n\t\t * block to memory. */\n\t\tif(ARCHIVE_OK != consume(a, rar->cstate.cur_block_size))\n\t\t\treturn ARCHIVE_FATAL;\n\n\t\trar->file.bytes_remaining -= rar->cstate.cur_block_size;\n\t} else if(rar->cstate.switch_multivolume) {\n\t\t/* Don't consume the block if we're doing multivolume\n\t\t * processing. The volume switching function will consume\n\t\t * the proper count of bytes instead. */\n\t\trar->cstate.switch_multivolume = 0;\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 205048655297507124691800095442355562960, "size": 144, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244796 }, { "func": "static void tcp_update_reordering(struct sock *sk, const int metric,\n\t\t\t\t const int ts)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tif (metric > tp->reordering) {\n\t\tint mib_idx;\n\n\t\ttp->reordering = min(TCP_MAX_REORDERING, metric);\n\n\t\t/* This exciting event is worth to be remembered. 8) */\n\t\tif (ts)\n\t\t\tmib_idx = LINUX_MIB_TCPTSREORDER;\n\t\telse if (tcp_is_reno(tp))\n\t\t\tmib_idx = LINUX_MIB_TCPRENOREORDER;\n\t\telse if (tcp_is_fack(tp))\n\t\t\tmib_idx = LINUX_MIB_TCPFACKREORDER;\n\t\telse\n\t\t\tmib_idx = LINUX_MIB_TCPSACKREORDER;\n\n\t\tNET_INC_STATS_BH(sock_net(sk), mib_idx);\n#if FASTRETRANS_DEBUG > 1\n\t\tprintk(KERN_DEBUG \"Disorder%d %d %u f%u s%u rr%d\\n\",\n\t\t tp->rx_opt.sack_ok, inet_csk(sk)->icsk_ca_state,\n\t\t tp->reordering,\n\t\t tp->fackets_out,\n\t\t tp->sacked_out,\n\t\t tp->undo_marker ? tp->undo_retrans : 0);\n#endif\n\t\ttcp_disable_fack(tp);\n\t}\n}", "project": "net-next", "hash": 107815869129429554340444672808177674702, "size": 31, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409951 }, { "func": "static int fuse_xattr_set(const struct xattr_handler *handler,\n\t\t\t struct dentry *dentry, struct inode *inode,\n\t\t\t const char *name, const void *value, size_t size,\n\t\t\t int flags)\n{\n\tif (fuse_is_bad(inode))\n\t\treturn -EIO;\n\n\tif (!value)\n\t\treturn fuse_removexattr(inode, name);\n\n\treturn fuse_setxattr(inode, name, value, size, flags);\n}", "project": "linux", "hash": 180749627197187687048602167673508478964, "size": 13, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342089 }, { "func": "static int _nfs40_proc_get_locations(struct inode *inode,\n\t\t\t\t struct nfs4_fs_locations *locations,\n\t\t\t\t struct page *page, const struct cred *cred)\n{\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\tstruct rpc_clnt *clnt = server->client;\n\tu32 bitmask[2] = {\n\t\t[0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS,\n\t};\n\tstruct nfs4_fs_locations_arg args = {\n\t\t.clientid\t= server->nfs_client->cl_clientid,\n\t\t.fh\t\t= NFS_FH(inode),\n\t\t.page\t\t= page,\n\t\t.bitmask\t= bitmask,\n\t\t.migration\t= 1,\t\t/* skip LOOKUP */\n\t\t.renew\t\t= 1,\t\t/* append RENEW */\n\t};\n\tstruct nfs4_fs_locations_res res = {\n\t\t.fs_locations\t= locations,\n\t\t.migration\t= 1,\n\t\t.renew\t\t= 1,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc\t= &nfs4_procedures[NFSPROC4_CLNT_FS_LOCATIONS],\n\t\t.rpc_argp\t= &args,\n\t\t.rpc_resp\t= &res,\n\t\t.rpc_cred\t= cred,\n\t};\n\tunsigned long now = jiffies;\n\tint status;\n\n\tnfs_fattr_init(&locations->fattr);\n\tlocations->server = server;\n\tlocations->nlocations = 0;\n\n\tnfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 1);\n\tstatus = nfs4_call_sync_sequence(clnt, server, &msg,\n\t\t\t\t\t&args.seq_args, &res.seq_res);\n\tif (status)\n\t\treturn status;\n\n\trenew_lease(server, now);\n\treturn 0;\n}", "project": "linux", "hash": 131302984578174486134768547305382924367, "size": 44, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of 
Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431597 }, { "func": "static int decode_slice(struct AVCodecContext *avctx, void *arg)\n{\n H264Context *h = *(void **)arg;\n int lf_x_start = h->mb_x;\n\n h->mb_skip_run = -1;\n\n av_assert0(h->block_offset[15] == (4 * ((scan8[15] - scan8[0]) & 7) << h->pixel_shift) + 4 * h->linesize * ((scan8[15] - scan8[0]) >> 3));\n\n h->is_complex = FRAME_MBAFF(h) || h->picture_structure != PICT_FRAME ||\n avctx->codec_id != AV_CODEC_ID_H264 ||\n (CONFIG_GRAY && (h->flags & CODEC_FLAG_GRAY));\n\n if (!(h->avctx->active_thread_type & FF_THREAD_SLICE) && h->picture_structure == PICT_FRAME && h->er.error_status_table) {\n const int start_i = av_clip(h->resync_mb_x + h->resync_mb_y * h->mb_width, 0, h->mb_num - 1);\n if (start_i) {\n int prev_status = h->er.error_status_table[h->er.mb_index2xy[start_i - 1]];\n prev_status &= ~ VP_START;\n if (prev_status != (ER_MV_END | ER_DC_END | ER_AC_END))\n h->er.error_occurred = 1;\n }\n }\n\n if (h->pps.cabac) {\n /* realign */\n align_get_bits(&h->gb);\n\n /* init cabac */\n ff_init_cabac_decoder(&h->cabac,\n h->gb.buffer + get_bits_count(&h->gb) / 8,\n (get_bits_left(&h->gb) + 7) / 8);\n\n ff_h264_init_cabac_states(h);\n\n for (;;) {\n // START_TIMER\n int ret = ff_h264_decode_mb_cabac(h);\n int eos;\n // STOP_TIMER(\"decode_mb_cabac\")\n\n if (ret >= 0)\n ff_h264_hl_decode_mb(h);\n\n // FIXME optimal? 
or let mb_decode decode 16x32 ?\n if (ret >= 0 && FRAME_MBAFF(h)) {\n h->mb_y++;\n\n ret = ff_h264_decode_mb_cabac(h);\n\n if (ret >= 0)\n ff_h264_hl_decode_mb(h);\n h->mb_y--;\n }\n eos = get_cabac_terminate(&h->cabac);\n\n if ((h->workaround_bugs & FF_BUG_TRUNCATED) &&\n h->cabac.bytestream > h->cabac.bytestream_end + 2) {\n er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x - 1,\n h->mb_y, ER_MB_END);\n if (h->mb_x >= lf_x_start)\n loop_filter(h, lf_x_start, h->mb_x + 1);\n return 0;\n }\n if (h->cabac.bytestream > h->cabac.bytestream_end + 2 )\n av_log(h->avctx, AV_LOG_DEBUG, \"bytestream overread %td\\n\", h->cabac.bytestream_end - h->cabac.bytestream);\n if (ret < 0 || h->cabac.bytestream > h->cabac.bytestream_end + 4) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"error while decoding MB %d %d, bytestream (%td)\\n\",\n h->mb_x, h->mb_y,\n h->cabac.bytestream_end - h->cabac.bytestream);\n er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x,\n h->mb_y, ER_MB_ERROR);\n return AVERROR_INVALIDDATA;\n }\n\n if (++h->mb_x >= h->mb_width) {\n loop_filter(h, lf_x_start, h->mb_x);\n h->mb_x = lf_x_start = 0;\n decode_finish_row(h);\n ++h->mb_y;\n if (FIELD_OR_MBAFF_PICTURE(h)) {\n ++h->mb_y;\n if (FRAME_MBAFF(h) && h->mb_y < h->mb_height)\n predict_field_decoding_flag(h);\n }\n }\n\n if (eos || h->mb_y >= h->mb_height) {\n tprintf(h->avctx, \"slice end %d %d\\n\",\n get_bits_count(&h->gb), h->gb.size_in_bits);\n er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x - 1,\n h->mb_y, ER_MB_END);\n if (h->mb_x > lf_x_start)\n loop_filter(h, lf_x_start, h->mb_x);\n return 0;\n }\n }\n } else {\n for (;;) {\n int ret = ff_h264_decode_mb_cavlc(h);\n\n if (ret >= 0)\n ff_h264_hl_decode_mb(h);\n\n // FIXME optimal? 
or let mb_decode decode 16x32 ?\n if (ret >= 0 && FRAME_MBAFF(h)) {\n h->mb_y++;\n ret = ff_h264_decode_mb_cavlc(h);\n\n if (ret >= 0)\n ff_h264_hl_decode_mb(h);\n h->mb_y--;\n }\n\n if (ret < 0) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"error while decoding MB %d %d\\n\", h->mb_x, h->mb_y);\n er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x,\n h->mb_y, ER_MB_ERROR);\n return ret;\n }\n\n if (++h->mb_x >= h->mb_width) {\n loop_filter(h, lf_x_start, h->mb_x);\n h->mb_x = lf_x_start = 0;\n decode_finish_row(h);\n ++h->mb_y;\n if (FIELD_OR_MBAFF_PICTURE(h)) {\n ++h->mb_y;\n if (FRAME_MBAFF(h) && h->mb_y < h->mb_height)\n predict_field_decoding_flag(h);\n }\n if (h->mb_y >= h->mb_height) {\n tprintf(h->avctx, \"slice end %d %d\\n\",\n get_bits_count(&h->gb), h->gb.size_in_bits);\n\n if ( get_bits_left(&h->gb) == 0\n || get_bits_left(&h->gb) > 0 && !(h->avctx->err_recognition & AV_EF_AGGRESSIVE)) {\n er_add_slice(h, h->resync_mb_x, h->resync_mb_y,\n h->mb_x - 1, h->mb_y,\n ER_MB_END);\n\n return 0;\n } else {\n er_add_slice(h, h->resync_mb_x, h->resync_mb_y,\n h->mb_x, h->mb_y,\n ER_MB_END);\n\n return AVERROR_INVALIDDATA;\n }\n }\n }\n\n if (get_bits_left(&h->gb) <= 0 && h->mb_skip_run <= 0) {\n tprintf(h->avctx, \"slice end %d %d\\n\",\n get_bits_count(&h->gb), h->gb.size_in_bits);\n\n if (get_bits_left(&h->gb) == 0) {\n er_add_slice(h, h->resync_mb_x, h->resync_mb_y,\n h->mb_x - 1, h->mb_y,\n ER_MB_END);\n if (h->mb_x > lf_x_start)\n loop_filter(h, lf_x_start, h->mb_x);\n\n return 0;\n } else {\n er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x,\n h->mb_y, ER_MB_ERROR);\n\n return AVERROR_INVALIDDATA;\n }\n }\n }\n }\n}", "project": "FFmpeg", "hash": 282101329196158289076259966143377461108, "size": 175, "commit_id": "8a3b85f3a7952c54a2c36ba1797f7e0cde9f85aa", "message": "avcodec/h264: update current_sps & sps->new only after the whole slice header decoder and init code finished\n\nThis avoids them being cleared before the full initialization 
finished\n\nFixes out of array read\nFixes: asan_heap-oob_f0c5e6_7071_cov_1605985132_mov_h264_aac__Demo_FlagOfOurFathers.mov\nFound-by: Mateusz \"j00ru\" Jurczyk and Gynvael Coldwind\nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 270129 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "void SoftwareFrameManager::DiscardCurrentFrame() {\n if (!HasCurrentFrame())\n return;\n current_frame_ = NULL;\n RendererFrameManager::GetInstance()->RemoveFrame(this);\n}\n", "cwe": "", "big_vul_idx": 129963, "idx": 116277, "hash": 332547952439326782877712316276374588842 }, { "func": "void imap_cmd_finish (IMAP_DATA* idata)\n{\n if (idata->status == IMAP_FATAL)\n {\n cmd_handle_fatal (idata);\n return;\n }\n\n if (!(idata->state >= IMAP_SELECTED) || idata->ctx->closing)\n return;\n \n if (idata->reopen & IMAP_REOPEN_ALLOW)\n {\n unsigned int count = idata->newMailCount;\n\n if (!(idata->reopen & IMAP_EXPUNGE_PENDING) &&\n\t(idata->reopen & IMAP_NEWMAIL_PENDING)\n\t&& count > idata->max_msn)\n {\n /* read new mail messages */\n dprint (2, (debugfile, \"imap_cmd_finish: Fetching new mail\\n\"));\n /* check_status: curs_main uses imap_check_mailbox to detect\n * whether the index needs updating */\n idata->check_status = IMAP_NEWMAIL_PENDING;\n imap_read_headers (idata, idata->max_msn+1, count);\n }\n else if (idata->reopen & IMAP_EXPUNGE_PENDING)\n {\n dprint (2, (debugfile, \"imap_cmd_finish: Expunging mailbox\\n\"));\n imap_expunge_mailbox (idata);\n /* Detect whether we've gotten unexpected EXPUNGE messages */\n if ((idata->reopen & IMAP_EXPUNGE_PENDING) &&\n\t !(idata->reopen & IMAP_EXPUNGE_EXPECTED))\n\tidata->check_status = IMAP_EXPUNGE_PENDING;\n idata->reopen &= ~(IMAP_EXPUNGE_PENDING | IMAP_NEWMAIL_PENDING |\n\t\t\t IMAP_EXPUNGE_EXPECTED);\n }\n }\n\n idata->status = 0;\n}", "project": "mutt", "hash": 31221664271373169700589240627500270904, "size": 41, "commit_id": 
"9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338021 }, { "func": " Item_int(THD *thd, int32 i,uint length= MY_INT32_NUM_DECIMAL_DIGITS):\n Item_num(thd), value((longlong) i)\n { max_length=length; fixed= 1; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 14577023364024008737461608390668976754, "size": 3, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508972 }, { "func": " Item_int(THD *thd, ulonglong i, uint length= MY_INT64_NUM_DECIMAL_DIGITS):\n Item_num(thd), value((longlong)i)\n { max_length=length; fixed= 1; unsigned_flag= 1; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 301053823774172596911586581307357467095, "size": 3, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509296 }, { "func": " Item_bool(THD *thd, const char *str_arg, longlong i):\n Item_int(thd, str_arg, i, 1) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 1123971018797302052710713245020497944, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509367 }, { "func": "static int autocomplete_pfele (RCore *core, RLineCompletion *completion, char *key, char *pfx, int idx, char *ptr) {\n\tint i, ret = 0;\n\tint len = strlen (ptr);\n\tchar* fmt = sdb_get (core->print->formats, key, NULL);\n\tif (fmt) {\n\t\tint nargs = r_str_word_set0_stack (fmt);\n\t\tif (nargs > 1) {\n\t\t\tfor (i = 1; i < nargs; i++) {\n\t\t\t\tconst char *arg = r_str_word_get0 (fmt, i);\n\t\t\t\tchar *p = strchr (arg, '(');\n\t\t\t\tchar *p2 = strchr (arg, ')');\n\t\t\t\t// remove '(' and ')' from fmt\n\t\t\t\tif (p && p2) {\n\t\t\t\t\targ = p + 1;\n\t\t\t\t\t*p2 = '\\0';\n\t\t\t\t}\n\t\t\t\tif (!len || !strncmp (ptr, arg, len)) {\n\t\t\t\t\tchar *s = r_str_newf (\"pf%s.%s.%s\", pfx, key, arg);\n\t\t\t\t\tr_line_completion_push (completion, s);\n\t\t\t\t\tfree (s);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\tfree (fmt);\n\treturn ret;\n}", "project": "radare2", "hash": 69915150607460687575929693196297933871, "size": 27, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232200 }, { "func": "static int __sctp_setsockopt_delayed_ack(struct sock *sk,\n\t\t\t\t\t struct sctp_sack_info *params)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_association *asoc;\n\n\t/* Validate value parameter. 
*/\n\tif (params->sack_delay > 500)\n\t\treturn -EINVAL;\n\n\t/* Get association, if sack_assoc_id != SCTP_FUTURE_ASSOC and the\n\t * socket is a one to many style socket, and an association\n\t * was not found, then the id was invalid.\n\t */\n\tasoc = sctp_id2assoc(sk, params->sack_assoc_id);\n\tif (!asoc && params->sack_assoc_id > SCTP_ALL_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc) {\n\t\tsctp_apply_asoc_delayed_ack(params, asoc);\n\n\t\treturn 0;\n\t}\n\n\tif (sctp_style(sk, TCP))\n\t\tparams->sack_assoc_id = SCTP_FUTURE_ASSOC;\n\n\tif (params->sack_assoc_id == SCTP_FUTURE_ASSOC ||\n\t params->sack_assoc_id == SCTP_ALL_ASSOC) {\n\t\tif (params->sack_delay) {\n\t\t\tsp->sackdelay = params->sack_delay;\n\t\t\tsp->param_flags =\n\t\t\t\tsctp_spp_sackdelay_enable(sp->param_flags);\n\t\t}\n\t\tif (params->sack_freq == 1) {\n\t\t\tsp->param_flags =\n\t\t\t\tsctp_spp_sackdelay_disable(sp->param_flags);\n\t\t} else if (params->sack_freq > 1) {\n\t\t\tsp->sackfreq = params->sack_freq;\n\t\t\tsp->param_flags =\n\t\t\t\tsctp_spp_sackdelay_enable(sp->param_flags);\n\t\t}\n\t}\n\n\tif (params->sack_assoc_id == SCTP_CURRENT_ASSOC ||\n\t params->sack_assoc_id == SCTP_ALL_ASSOC)\n\t\tlist_for_each_entry(asoc, &sp->ep->asocs, asocs)\n\t\t\tsctp_apply_asoc_delayed_ack(params, asoc);\n\n\treturn 0;\n}", "project": "linux", "hash": 48247759800357975335870183322271750313, "size": 52, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398096 }, { "func": "static int kvm_s390_set_processor_subfunc(struct kvm *kvm,\n\t\t\t\t\t struct kvm_device_attr *attr)\n{\n\tmutex_lock(&kvm->lock);\n\tif (kvm->created_vcpus) {\n\t\tmutex_unlock(&kvm->lock);\n\t\treturn -EBUSY;\n\t}\n\n\tif (copy_from_user(&kvm->arch.model.subfuncs, (void __user *)attr->addr,\n\t\t\t sizeof(struct kvm_s390_vm_cpu_subfunc))) {\n\t\tmutex_unlock(&kvm->lock);\n\t\treturn -EFAULT;\n\t}\n\tmutex_unlock(&kvm->lock);\n\n\tVM_EVENT(kvm, 3, \"SET: guest PLO subfunc 0x%16.16lx.%16.16lx.%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.plo)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.plo)[1],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.plo)[2],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.plo)[3]);\n\tVM_EVENT(kvm, 3, \"SET: guest PTFF subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.ptff)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.ptff)[1]);\n\tVM_EVENT(kvm, 3, \"SET: guest KMAC subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmac)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmac)[1]);\n\tVM_EVENT(kvm, 3, \"SET: guest KMC subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmc)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmc)[1]);\n\tVM_EVENT(kvm, 3, \"SET: guest KM subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) 
&kvm->arch.model.subfuncs.km)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.km)[1]);\n\tVM_EVENT(kvm, 3, \"SET: guest KIMD subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kimd)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kimd)[1]);\n\tVM_EVENT(kvm, 3, \"SET: guest KLMD subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.klmd)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.klmd)[1]);\n\tVM_EVENT(kvm, 3, \"SET: guest PCKMO subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.pckmo)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.pckmo)[1]);\n\tVM_EVENT(kvm, 3, \"SET: guest KMCTR subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmctr)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmctr)[1]);\n\tVM_EVENT(kvm, 3, \"SET: guest KMF subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmf)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmf)[1]);\n\tVM_EVENT(kvm, 3, \"SET: guest KMO subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmo)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmo)[1]);\n\tVM_EVENT(kvm, 3, \"SET: guest PCC subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.pcc)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.pcc)[1]);\n\tVM_EVENT(kvm, 3, \"SET: guest PPNO subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.ppno)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.ppno)[1]);\n\tVM_EVENT(kvm, 3, \"SET: guest KMA subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kma)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kma)[1]);\n\tVM_EVENT(kvm, 3, \"SET: guest KDSA subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kdsa)[0],\n\t\t ((unsigned long *) 
&kvm->arch.model.subfuncs.kdsa)[1]);\n\tVM_EVENT(kvm, 3, \"SET: guest SORTL subfunc 0x%16.16lx.%16.16lx.%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.sortl)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.sortl)[1],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.sortl)[2],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.sortl)[3]);\n\tVM_EVENT(kvm, 3, \"SET: guest DFLTCC subfunc 0x%16.16lx.%16.16lx.%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.dfltcc)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.dfltcc)[1],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.dfltcc)[2],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.dfltcc)[3]);\n\n\treturn 0;\n}", "project": "linux", "hash": 324193430265275788680165727248482499014, "size": 76, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354731 }, { "func": "void CheckErrors(OpKernelContext* context, int batch_dim, int seq_dim) {\n const Tensor& input = context->input(0);\n const Tensor& seq_lengths = context->input(1);\n\n auto seq_lens_t = seq_lengths.vec();\n\n std::vector seq_lens_vec(seq_lens_t.size());\n\n // Copy seq_len info down for validity checks\n context->eigen_device().memcpyDeviceToHost(\n seq_lens_vec.data(), seq_lens_t.data(), sizeof(Tlen) * 
seq_lens_t.size());\n\n OP_REQUIRES(context, batch_dim != seq_dim,\n errors::InvalidArgument(\"batch_dim == seq_dim == \", seq_dim));\n OP_REQUIRES(context, seq_dim < input.dims(),\n errors::InvalidArgument(\"seq_dim must be < input rank\", \" ( \",\n seq_dim, \" vs. \", input.dims(), \")\"));\n OP_REQUIRES(context, batch_dim < input.dims(),\n errors::InvalidArgument(\"batch_dim must be < input rank\", \" ( \",\n batch_dim, \" vs. \", input.dims(), \")\"));\n OP_REQUIRES(\n context, seq_lengths.NumElements() == input.dim_size(batch_dim),\n errors::InvalidArgument(\"Length of seq_lengths != input.dims(\", batch_dim,\n \"), \", \"(\", seq_lengths.NumElements(), \" vs. \",\n input.dim_size(batch_dim), \")\"));\n\n for (size_t d = 0; d < seq_lens_vec.size(); ++d) {\n OP_REQUIRES(context, seq_lens_vec[d] >= 0,\n errors::InvalidArgument(\"seq_lens(\", d, \") < 0\"));\n OP_REQUIRES(context, seq_lens_vec[d] <= input.dim_size(seq_dim),\n errors::InvalidArgument(\"seq_lens(\", d, \") > input.dims(\",\n seq_dim, \")\"));\n }\n}", "project": "tensorflow", "hash": 339021854586863354765695565182214673568, "size": 34, "commit_id": "ecf768cbe50cedc0a45ce1ee223146a3d3d26d23", "message": "Add missing validations to reverse_sequence_op\n\nPiperOrigin-RevId: 372178683\nChange-Id: Iac97ebab5b342f1262c77a7d9bcb4267b305ce5b", "target": 0, "dataset": "other", "idx": 258257 }, { "func": "extern int x11_set_xauth(char *xauthority, char *cookie,\n\t\t\t char *host, uint16_t display)\n{\n\tint i=0, status;\n\tchar *result;\n\tchar **xauth_argv;\n\n\txauth_argv = xmalloc(sizeof(char *) * 10);\n\txauth_argv[i++] = xstrdup(\"xauth\");\n\txauth_argv[i++] = xstrdup(\"-v\");\n\txauth_argv[i++] = xstrdup(\"-f\");\n\txauth_argv[i++] = xstrdup(xauthority);\n\txauth_argv[i++] = xstrdup(\"add\");\n\txauth_argv[i++] = xstrdup_printf(\"%s/unix:%u\", host, display);\n\txauth_argv[i++] = xstrdup(\"MIT-MAGIC-COOKIE-1\");\n\txauth_argv[i++] = xstrdup(cookie);\n\txauth_argv[i++] = NULL;\n\txassert(i < 
10);\n\n\tresult = run_command(\"xauth\", XAUTH_PATH, xauth_argv, 10000, 0,\n\t\t\t &status);\n\n\tfree_command_argv(xauth_argv);\n\n\tdebug2(\"%s: result from xauth: %s\", __func__, result);\n\txfree(result);\n\n\treturn status;\n}", "project": "slurm", "hash": 84215474414950344258573648975773029635, "size": 29, "commit_id": "07309deb45c33e735e191faf9dd31cca1054a15c", "message": "X11 forwarding - avoid unsafe use of magic cookie as arg to xauth command.\n\nMagic cookie can leak through /proc this way. There is a race here between\nthis usually short-lived xauth command running and an attacker scraping\nthe value from /proc. This can be exacerbated through use of\nX11Parameters=home_xauthority on a cluster with a shared home directory\nunder heavy load.\n\nCVE-2020-27746.", "target": 1, "dataset": "other", "idx": 201848 }, { "func": "extern int x11_set_xauth(char *xauthority, char *cookie,\n\t\t\t char *host, uint16_t display)\n{\n\tint i=0, status;\n\tchar *result;\n\tchar **xauth_argv;\n\tchar template[] = \"/tmp/xauth-source-XXXXXX\";\n\tchar *contents = NULL;\n\tint fd;\n\n\t/* protect against weak file permissions in old glibc */\n\tumask(0077);\n\tif ((fd = mkstemp(template)) < 0)\n\t\tfatal(\"%s: could not create temp file\", __func__);\n\n\txstrfmtcat(contents, \"add %s/unix:%u MIT-MAGIC-COOKIE-1 %s\\n\",\n\t\t host, display, cookie);\n\tsafe_write(fd, contents, strlen(contents));\n\txfree(contents);\n\tclose(fd);\n\n\txauth_argv = xmalloc(sizeof(char *) * 10);\n\txauth_argv[i++] = \"xauth\";\n\txauth_argv[i++] = \"-v\";\n\txauth_argv[i++] = \"-f\";\n\txauth_argv[i++] = xauthority;\n\txauth_argv[i++] = \"source\";\n\txauth_argv[i++] = template;\n\txauth_argv[i++] = NULL;\n\txassert(i < 10);\n\n\tresult = run_command(\"xauth\", XAUTH_PATH, xauth_argv, 10000, 0,\n\t\t\t &status);\n\n\t(void) unlink(template);\n\txfree(xauth_argv);\n\n\tdebug2(\"%s: result from xauth: %s\", __func__, result);\n\txfree(result);\n\n\treturn status;\n\nrwfail:\n\tfatal(\"%s: 
could not write temporary xauth file\", __func__);\n\treturn SLURM_ERROR;\n}", "project": "slurm", "hash": 36226054552913346194370237937910986844, "size": 46, "commit_id": "07309deb45c33e735e191faf9dd31cca1054a15c", "message": "X11 forwarding - avoid unsafe use of magic cookie as arg to xauth command.\n\nMagic cookie can leak through /proc this way. There is a race here between\nthis usually short-lived xauth command running and an attacker scraping\nthe value from /proc. This can be exacerbated through use of\nX11Parameters=home_xauthority on a cluster with a shared home directory\nunder heavy load.\n\nCVE-2020-27746.", "target": 0, "dataset": "other", "idx": 323086 }, { "func": "static BOOL update_gdi_cache_glyph(rdpContext* context, const CACHE_GLYPH_ORDER* cacheGlyph)\n{\n\tUINT32 i;\n\trdpCache* cache;\n\n\tif (!context || !cacheGlyph || !context->cache)\n\t\treturn FALSE;\n\n\tcache = context->cache;\n\n\tfor (i = 0; i < cacheGlyph->cGlyphs; i++)\n\t{\n\t\tconst GLYPH_DATA* glyph_data = &cacheGlyph->glyphData[i];\n\t\trdpGlyph* glyph;\n\n\t\tif (!glyph_data)\n\t\t\treturn FALSE;\n\n\t\tif (!(glyph = Glyph_Alloc(context, glyph_data->x, glyph_data->y, glyph_data->cx,\n\t\t glyph_data->cy, glyph_data->cb, glyph_data->aj)))\n\t\t\treturn FALSE;\n\n\t\tif (!glyph_cache_put(cache->glyph, cacheGlyph->cacheId, glyph_data->cacheIndex, glyph))\n\t\t{\n\t\t\tglyph->Free(context, glyph);\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 304527912783538622545931634954095310001, "size": 31, "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 0, "dataset": "other", "idx": 432852 }, { "func": "CSnapIDPool::CSnapIDPool()\n{\n\tReset();\n}", "project": "teeworlds", "hash": 206573541280117243608113325176205879746, "size": 4, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", 
"target": 0, "dataset": "other", "idx": 382038 }, { "func": "static int ca8210_register_ext_clock(struct spi_device *spi)\n{\n\tstruct device_node *np = spi->dev.of_node;\n\tstruct ca8210_priv *priv = spi_get_drvdata(spi);\n\tstruct ca8210_platform_data *pdata = spi->dev.platform_data;\n\tint ret = 0;\n\n\tif (!np)\n\t\treturn -EFAULT;\n\n\tpriv->clk = clk_register_fixed_rate(\n\t\t&spi->dev,\n\t\tnp->name,\n\t\tNULL,\n\t\t0,\n\t\tpdata->extclockfreq\n\t);\n\n\tif (IS_ERR(priv->clk)) {\n\t\tdev_crit(&spi->dev, \"Failed to register external clk\\n\");\n\t\treturn PTR_ERR(priv->clk);\n\t}\n\tret = of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);\n\tif (ret) {\n\t\tclk_unregister(priv->clk);\n\t\tdev_crit(\n\t\t\t&spi->dev,\n\t\t\t\"Failed to register external clock as clock provider\\n\"\n\t\t);\n\t} else {\n\t\tdev_info(&spi->dev, \"External clock set as clock provider\\n\");\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 272507479640332191168019423142710763396, "size": 35, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408788 }, { "func": "\nstatic int io_sqe_buffers_register(struct io_ring_ctx *ctx, void __user *arg,\n\t\t\t\t unsigned int nr_args, u64 __user *tags)\n{\n\tstruct page *last_hpage = NULL;\n\tstruct io_rsrc_data *data;\n\tint i, ret;\n\tstruct iovec iov;\n\n\tif (ctx->user_bufs)\n\t\treturn -EBUSY;\n\tif (!nr_args || nr_args > UIO_MAXIOV)\n\t\treturn -EINVAL;\n\tret = io_rsrc_node_switch_start(ctx);\n\tif (ret)\n\t\treturn ret;\n\tdata = io_rsrc_data_alloc(ctx, io_rsrc_buf_put, 
nr_args);\n\tif (!data)\n\t\treturn -ENOMEM;\n\tret = io_buffers_map_alloc(ctx, nr_args);\n\tif (ret) {\n\t\tio_rsrc_data_free(data);\n\t\treturn ret;\n\t}\n\n\tfor (i = 0; i < nr_args; i++, ctx->nr_user_bufs++) {\n\t\tu64 tag = 0;\n\n\t\tif (tags && copy_from_user(&tag, &tags[i], sizeof(tag))) {\n\t\t\tret = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\tret = io_copy_iov(ctx, &iov, arg, i);\n\t\tif (ret)\n\t\t\tbreak;\n\t\tret = io_buffer_validate(&iov);\n\t\tif (ret)\n\t\t\tbreak;\n\t\tif (!iov.iov_base && tag) {\n\t\t\tret = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\n\t\tret = io_sqe_buffer_register(ctx, &iov, &ctx->user_bufs[i],\n\t\t\t\t\t &last_hpage);\n\t\tif (ret)\n\t\t\tbreak;\n\t\tdata->tags[i] = tag;\n\t}\n\n\tWARN_ON_ONCE(ctx->buf_data);\n\n\tctx->buf_data = data;\n\tif (ret)\n\t\t__io_sqe_buffers_unregister(ctx);\n\telse\n\t\tio_rsrc_node_switch(ctx, NULL);\n\treturn ret;", "project": "linux", "hash": 170130416388719167980977867921224123377, "size": 58, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338682 }, { "func": "void init_pdb_downloader(SPDBDownloaderOpt *opt, SPDBDownloader *pd) {\n\tpd->opt = R_NEW0 (SPDBDownloaderOpt);\n\tif (!pd->opt) {\n\t\tpd->download = 0;\n\t\teprintf (\"Cannot allocate memory for SPDBDownloaderOpt.\\n\");\n\t\treturn;\n\t}\n\tpd->opt->dbg_file = strdup (opt->dbg_file);\n\tpd->opt->guid = strdup (opt->guid);\n\tpd->opt->symbol_server = strdup (opt->symbol_server);\n\tpd->opt->user_agent = strdup (opt->user_agent);\n\tpd->opt->symbol_store_path = strdup (opt->symbol_store_path);\n\tpd->opt->extract = opt->extract;\n\tpd->download = download;\n}", "project": "radare2", "hash": 71915699794675331971352687833852912747, "size": 15, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269059 }, { "func": "enum print_line_t print_trace_line(struct trace_iterator *iter)\n{\n\tstruct trace_array *tr = iter->tr;\n\tunsigned long trace_flags = tr->trace_flags;\n\tenum print_line_t ret;\n\n\tif (iter->lost_events) {\n\t\ttrace_seq_printf(&iter->seq, \"CPU:%d [LOST %lu EVENTS]\\n\",\n\t\t\t\t iter->cpu, iter->lost_events);\n\t\tif (trace_seq_has_overflowed(&iter->seq))\n\t\t\treturn TRACE_TYPE_PARTIAL_LINE;\n\t}\n\n\tif (iter->trace && iter->trace->print_line) {\n\t\tret = iter->trace->print_line(iter);\n\t\tif (ret != TRACE_TYPE_UNHANDLED)\n\t\t\treturn ret;\n\t}\n\n\tif (iter->ent->type == TRACE_BPUTS &&\n\t\t\ttrace_flags & TRACE_ITER_PRINTK &&\n\t\t\ttrace_flags & TRACE_ITER_PRINTK_MSGONLY)\n\t\treturn trace_print_bputs_msg_only(iter);\n\n\tif (iter->ent->type == TRACE_BPRINT &&\n\t\t\ttrace_flags & TRACE_ITER_PRINTK &&\n\t\t\ttrace_flags & TRACE_ITER_PRINTK_MSGONLY)\n\t\treturn trace_print_bprintk_msg_only(iter);\n\n\tif (iter->ent->type == TRACE_PRINT &&\n\t\t\ttrace_flags & TRACE_ITER_PRINTK &&\n\t\t\ttrace_flags & TRACE_ITER_PRINTK_MSGONLY)\n\t\treturn trace_print_printk_msg_only(iter);\n\n\tif (trace_flags & TRACE_ITER_BIN)\n\t\treturn print_bin_fmt(iter);\n\n\tif (trace_flags & TRACE_ITER_HEX)\n\t\treturn print_hex_fmt(iter);\n\n\tif (trace_flags & TRACE_ITER_RAW)\n\t\treturn print_raw_fmt(iter);\n\n\treturn print_trace_fmt(iter);\n}", "project": "linux", "hash": 
278988852620786685345715888530366433280, "size": 45, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445562 }, { "func": "int do_sigaction(int sig, struct k_sigaction *act, struct k_sigaction *oact)\n{\n\tstruct task_struct *p = current, *t;\n\tstruct k_sigaction *k;\n\tsigset_t mask;\n\n\tif (!valid_signal(sig) || sig < 1 || (act && sig_kernel_only(sig)))\n\t\treturn -EINVAL;\n\n\tk = &p->sighand->action[sig-1];\n\n\tspin_lock_irq(&p->sighand->siglock);\n\tif (oact)\n\t\t*oact = *k;\n\n\tsigaction_compat_abi(act, oact);\n\n\tif (act) {\n\t\tsigdelsetmask(&act->sa.sa_mask,\n\t\t\t sigmask(SIGKILL) | sigmask(SIGSTOP));\n\t\t*k = *act;\n\t\t/*\n\t\t * POSIX 3.3.1.3:\n\t\t * \"Setting a signal action to SIG_IGN for a signal that is\n\t\t * pending shall cause the pending signal to be discarded,\n\t\t * whether or not it is blocked.\"\n\t\t *\n\t\t * \"Setting a signal action to SIG_DFL for a signal that is\n\t\t * pending and whose default action is to ignore the signal\n\t\t * (for example, SIGCHLD), shall cause the pending signal to\n\t\t * be discarded, whether or not it is blocked\"\n\t\t */\n\t\tif (sig_handler_ignored(sig_handler(p, sig), sig)) {\n\t\t\tsigemptyset(&mask);\n\t\t\tsigaddset(&mask, sig);\n\t\t\tflush_sigqueue_mask(&mask, 
&p->signal->shared_pending);\n\t\t\tfor_each_thread(p, t)\n\t\t\t\tflush_sigqueue_mask(&mask, &t->pending);\n\t\t}\n\t}\n\n\tspin_unlock_irq(&p->sighand->siglock);\n\treturn 0;\n}", "project": "linux", "hash": 298016344861728561770869917773523798016, "size": 44, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375233 }, { "func": "static void store_regs_fmt2(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)\n{\n\tkvm_run->s.regs.todpr = vcpu->arch.sie_block->todpr;\n\tkvm_run->s.regs.pp = vcpu->arch.sie_block->pp;\n\tkvm_run->s.regs.gbea = vcpu->arch.sie_block->gbea;\n\tkvm_run->s.regs.bpbc = (vcpu->arch.sie_block->fpf & FPF_BPBC) == FPF_BPBC;\n\tif (MACHINE_HAS_GS) {\n\t\t__ctl_set_bit(2, 4);\n\t\tif (vcpu->arch.gs_enabled)\n\t\t\tsave_gs_cb(current->thread.gs_cb);\n\t\tpreempt_disable();\n\t\tcurrent->thread.gs_cb = vcpu->arch.host_gscb;\n\t\trestore_gs_cb(vcpu->arch.host_gscb);\n\t\tpreempt_enable();\n\t\tif (!vcpu->arch.host_gscb)\n\t\t\t__ctl_clear_bit(2, 4);\n\t\tvcpu->arch.host_gscb = NULL;\n\t}\n\t/* SIE will save etoken directly into SDNX and therefore kvm_run */\n}", "project": "linux", "hash": 77654547859517787817423157808223057267, "size": 20, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354428 }, { "func": "ssize_t\tip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,\n\t\t int offset, size_t size, int flags)\n{\n\tstruct inet_sock *inet = inet_sk(sk);\n\tstruct sk_buff *skb;\n\tstruct rtable *rt;\n\tstruct ip_options *opt = NULL;\n\tstruct inet_cork *cork;\n\tint hh_len;\n\tint mtu;\n\tint len;\n\tint 
err;\n\tunsigned int maxfraglen, fragheaderlen, fraggap, maxnonfragsize;\n\n\tif (inet->hdrincl)\n\t\treturn -EPERM;\n\n\tif (flags&MSG_PROBE)\n\t\treturn 0;\n\n\tif (skb_queue_empty(&sk->sk_write_queue))\n\t\treturn -EINVAL;\n\n\tcork = &inet->cork.base;\n\trt = (struct rtable *)cork->dst;\n\tif (cork->flags & IPCORK_OPT)\n\t\topt = cork->opt;\n\n\tif (!(rt->dst.dev->features&NETIF_F_SG))\n\t\treturn -EOPNOTSUPP;\n\n\thh_len = LL_RESERVED_SPACE(rt->dst.dev);\n\tmtu = cork->fragsize;\n\n\tfragheaderlen = sizeof(struct iphdr) + (opt ? opt->optlen : 0);\n\tmaxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen;\n\tmaxnonfragsize = ip_sk_ignore_df(sk) ? 0xFFFF : mtu;\n\n\tif (cork->length + size > maxnonfragsize - fragheaderlen) {\n\t\tip_local_error(sk, EMSGSIZE, fl4->daddr, inet->inet_dport,\n\t\t\t mtu - (opt ? opt->optlen : 0));\n\t\treturn -EMSGSIZE;\n\t}\n\n\tskb = skb_peek_tail(&sk->sk_write_queue);\n\tif (!skb)\n\t\treturn -EINVAL;\n\n\tif ((size + skb->len > mtu) &&\n\t (skb_queue_len(&sk->sk_write_queue) == 1) &&\n\t (sk->sk_protocol == IPPROTO_UDP) &&\n\t (rt->dst.dev->features & NETIF_F_UFO)) {\n\t\tif (skb->ip_summed != CHECKSUM_PARTIAL)\n\t\t\treturn -EOPNOTSUPP;\n\n\t\tskb_shinfo(skb)->gso_size = mtu - fragheaderlen;\n\t\tskb_shinfo(skb)->gso_type = SKB_GSO_UDP;\n\t}\n\tcork->length += size;\n\n\twhile (size > 0) {\n\t\tif (skb_is_gso(skb)) {\n\t\t\tlen = size;\n\t\t} else {\n\n\t\t\t/* Check if the remaining data fits into current packet. 
*/\n\t\t\tlen = mtu - skb->len;\n\t\t\tif (len < size)\n\t\t\t\tlen = maxfraglen - skb->len;\n\t\t}\n\t\tif (len <= 0) {\n\t\t\tstruct sk_buff *skb_prev;\n\t\t\tint alloclen;\n\n\t\t\tskb_prev = skb;\n\t\t\tfraggap = skb_prev->len - maxfraglen;\n\n\t\t\talloclen = fragheaderlen + hh_len + fraggap + 15;\n\t\t\tskb = sock_wmalloc(sk, alloclen, 1, sk->sk_allocation);\n\t\t\tif (unlikely(!skb)) {\n\t\t\t\terr = -ENOBUFS;\n\t\t\t\tgoto error;\n\t\t\t}\n\n\t\t\t/*\n\t\t\t *\tFill in the control structures\n\t\t\t */\n\t\t\tskb->ip_summed = CHECKSUM_NONE;\n\t\t\tskb->csum = 0;\n\t\t\tskb_reserve(skb, hh_len);\n\n\t\t\t/*\n\t\t\t *\tFind where to start putting bytes.\n\t\t\t */\n\t\t\tskb_put(skb, fragheaderlen + fraggap);\n\t\t\tskb_reset_network_header(skb);\n\t\t\tskb->transport_header = (skb->network_header +\n\t\t\t\t\t\t fragheaderlen);\n\t\t\tif (fraggap) {\n\t\t\t\tskb->csum = skb_copy_and_csum_bits(skb_prev,\n\t\t\t\t\t\t\t\t maxfraglen,\n\t\t\t\t\t\t skb_transport_header(skb),\n\t\t\t\t\t\t\t\t fraggap, 0);\n\t\t\t\tskb_prev->csum = csum_sub(skb_prev->csum,\n\t\t\t\t\t\t\t skb->csum);\n\t\t\t\tpskb_trim_unique(skb_prev, maxfraglen);\n\t\t\t}\n\n\t\t\t/*\n\t\t\t * Put the packet on the pending queue.\n\t\t\t */\n\t\t\t__skb_queue_tail(&sk->sk_write_queue, skb);\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (len > size)\n\t\t\tlen = size;\n\n\t\tif (skb_append_pagefrags(skb, page, offset, len)) {\n\t\t\terr = -EMSGSIZE;\n\t\t\tgoto error;\n\t\t}\n\n\t\tif (skb->ip_summed == CHECKSUM_NONE) {\n\t\t\t__wsum csum;\n\t\t\tcsum = csum_page(page, offset, len);\n\t\t\tskb->csum = csum_block_add(skb->csum, csum, skb->len);\n\t\t}\n\n\t\tskb->len += len;\n\t\tskb->data_len += len;\n\t\tskb->truesize += len;\n\t\trefcount_add(len, &sk->sk_wmem_alloc);\n\t\toffset += len;\n\t\tsize -= len;\n\t}\n\treturn 0;\n\nerror:\n\tcork->length -= size;\n\tIP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTDISCARDS);\n\treturn err;\n}", "project": "net", "hash": 84400422865102374728656687743063586549, "size": 
143, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468999 }, { "func": "static void* t_blosc(void* ctxt) {\n struct thread_context* thcontext = (struct thread_context*)ctxt;\n blosc2_context* context = thcontext->parent_context;\n#ifdef BLOSC_POSIX_BARRIERS\n int rc;\n#endif\n\n while (1) {\n /* Synchronization point for all threads (wait for initialization) */\n WAIT_INIT(NULL, context);\n\n if (context->end_threads) {\n break;\n }\n\n t_blosc_do_job(ctxt);\n\n /* Meeting point for all threads (wait for finalization) */\n WAIT_FINISH(NULL, context);\n }\n\n /* Cleanup our working space and context */\n free_thread_context(thcontext);\n\n return (NULL);\n}", "project": "c-blosc2", "hash": 272670850875973906528385917803761285260, "size": 26, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303124 }, { "func": "static int kvm_s390_get_tod_ext(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tstruct kvm_s390_vm_tod_clock gtod;\n\n\tmemset(>od, 0, sizeof(gtod));\n\tkvm_s390_get_tod_clock(kvm, >od);\n\tif (copy_to_user((void __user *)attr->addr, >od, 
sizeof(gtod)))\n\t\treturn -EFAULT;\n\n\tVM_EVENT(kvm, 3, \"QUERY: TOD extension: 0x%x, TOD base: 0x%llx\",\n\t\tgtod.epoch_idx, gtod.tod);\n\treturn 0;\n}", "project": "linux", "hash": 126599229124085211823359065459419225667, "size": 13, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354598 }, { "func": "static int udp_lib_lport_inuse2(struct net *net, __u16 num,\n\t\t\t\tstruct udp_hslot *hslot2,\n\t\t\t\tstruct sock *sk)\n{\n\tstruct sock *sk2;\n\tkuid_t uid = sock_i_uid(sk);\n\tint res = 0;\n\n\tspin_lock(&hslot2->lock);\n\tudp_portaddr_for_each_entry(sk2, &hslot2->head) {\n\t\tif (net_eq(sock_net(sk2), net) &&\n\t\t sk2 != sk &&\n\t\t (udp_sk(sk2)->udp_port_hash == num) &&\n\t\t (!sk2->sk_reuse || !sk->sk_reuse) &&\n\t\t (!sk2->sk_bound_dev_if || !sk->sk_bound_dev_if ||\n\t\t sk2->sk_bound_dev_if == sk->sk_bound_dev_if) &&\n\t\t inet_rcv_saddr_equal(sk, sk2, true)) {\n\t\t\tif (sk2->sk_reuseport && sk->sk_reuseport &&\n\t\t\t !rcu_access_pointer(sk->sk_reuseport_cb) &&\n\t\t\t uid_eq(uid, sock_i_uid(sk2))) {\n\t\t\t\tres = 0;\n\t\t\t} else {\n\t\t\t\tres = 1;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t}\n\tspin_unlock(&hslot2->lock);\n\treturn res;\n}", "project": "net", "hash": 43245564562687334592680625314816961881, "size": 30, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": 
"udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468931 }, { "func": "static bool svm_apic_init_signal_blocked(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\t/*\n\t * TODO: Last condition latch INIT signals on vCPU when\n\t * vCPU is in guest-mode and vmcb12 defines intercept on INIT.\n\t * To properly emulate the INIT intercept, SVM should implement\n\t * kvm_x86_ops->check_nested_events() and call nested_svm_vmexit()\n\t * there if an INIT signal is pending.\n\t */\n\treturn !gif_set(svm) ||\n\t\t (svm->vmcb->control.intercept & (1ULL << INTERCEPT_INIT));\n}", "project": "linux", "hash": 152069560449821687995661559294019600116, "size": 14, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432612 }, { "func": "static int sctp_do_bind(struct sock *sk, union sctp_addr *addr, int len)\n{\n\tstruct net *net = sock_net(sk);\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_endpoint *ep = sp->ep;\n\tstruct sctp_bind_addr *bp = &ep->base.bind_addr;\n\tstruct sctp_af *af;\n\tunsigned short snum;\n\tint ret = 0;\n\n\t/* Common sockaddr verification. */\n\taf = sctp_sockaddr_af(sp, addr, len);\n\tif (!af) {\n\t\tpr_debug(\"%s: sk:%p, newaddr:%p, len:%d EINVAL\\n\",\n\t\t\t __func__, sk, addr, len);\n\t\treturn -EINVAL;\n\t}\n\n\tsnum = ntohs(addr->v4.sin_port);\n\n\tpr_debug(\"%s: sk:%p, new addr:%pISc, port:%d, new port:%d, len:%d\\n\",\n\t\t __func__, sk, &addr->sa, bp->port, snum, len);\n\n\t/* PF specific bind() address verification. 
*/\n\tif (!sp->pf->bind_verify(sp, addr))\n\t\treturn -EADDRNOTAVAIL;\n\n\t/* We must either be unbound, or bind to the same port.\n\t * It's OK to allow 0 ports if we are already bound.\n\t * We'll just inhert an already bound port in this case\n\t */\n\tif (bp->port) {\n\t\tif (!snum)\n\t\t\tsnum = bp->port;\n\t\telse if (snum != bp->port) {\n\t\t\tpr_debug(\"%s: new port %d doesn't match existing port \"\n\t\t\t\t \"%d\\n\", __func__, snum, bp->port);\n\t\t\treturn -EINVAL;\n\t\t}\n\t}\n\n\tif (snum && inet_port_requires_bind_service(net, snum) &&\n\t !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE))\n\t\treturn -EACCES;\n\n\t/* See if the address matches any of the addresses we may have\n\t * already bound before checking against other endpoints.\n\t */\n\tif (sctp_bind_addr_match(bp, addr, sp))\n\t\treturn -EINVAL;\n\n\t/* Make sure we are allowed to bind here.\n\t * The function sctp_get_port_local() does duplicate address\n\t * detection.\n\t */\n\taddr->v4.sin_port = htons(snum);\n\tif (sctp_get_port_local(sk, addr))\n\t\treturn -EADDRINUSE;\n\n\t/* Refresh ephemeral port. */\n\tif (!bp->port)\n\t\tbp->port = inet_sk(sk)->inet_num;\n\n\t/* Add the address to the bind address list.\n\t * Use GFP_ATOMIC since BHs will be disabled.\n\t */\n\tret = sctp_add_bind_addr(bp, addr, af->sockaddr_len,\n\t\t\t\t SCTP_ADDR_SRC, GFP_ATOMIC);\n\n\tif (ret) {\n\t\tsctp_put_port(sk);\n\t\treturn ret;\n\t}\n\t/* Copy back into socket for getsockname() use. 
*/\n\tinet_sk(sk)->inet_sport = htons(inet_sk(sk)->inet_num);\n\tsp->pf->to_sk_saddr(addr, sk);\n\n\treturn ret;\n}", "project": "linux", "hash": 140913082982662568442834577615127239872, "size": 79, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398116 }, { "func": "static int tcp_ack_update_window(struct sock *sk, const struct sk_buff *skb, u32 ack,\n\t\t\t\t u32 ack_seq)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tint flag = 0;\n\tu32 nwin = ntohs(tcp_hdr(skb)->window);\n\n\tif (likely(!tcp_hdr(skb)->syn))\n\t\tnwin <<= tp->rx_opt.snd_wscale;\n\n\tif (tcp_may_update_window(tp, ack, ack_seq, nwin)) {\n\t\tflag |= FLAG_WIN_UPDATE;\n\t\ttcp_update_wl(tp, ack_seq);\n\n\t\tif (tp->snd_wnd != nwin) {\n\t\t\ttp->snd_wnd = nwin;\n\n\t\t\t/* Note, it is the only place, where\n\t\t\t * fast path is recovered for sending TCP.\n\t\t\t */\n\t\t\ttp->pred_flags = 0;\n\t\t\ttcp_fast_path_check(sk);\n\n\t\t\tif (nwin > tp->max_window) {\n\t\t\t\ttp->max_window = nwin;\n\t\t\t\ttcp_sync_mss(sk, inet_csk(sk)->icsk_pmtu_cookie);\n\t\t\t}\n\t\t}\n\t}\n\n\ttp->snd_una = ack;\n\n\treturn flag;\n}", "project": "net-next", "hash": 243235681079742759738017289666361258523, "size": 34, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409956 }, { "func": "int imap_cmd_step (IMAP_DATA* idata)\n{\n size_t len = 0;\n int c;\n int rc;\n int stillrunning = 0;\n IMAP_COMMAND* cmd;\n\n if (idata->status == IMAP_FATAL)\n {\n cmd_handle_fatal (idata);\n return IMAP_CMD_BAD;\n }\n\n /* read into buffer, expanding buffer as necessary until we have a full\n * line */\n do\n {\n if (len == idata->blen)\n {\n safe_realloc (&idata->buf, idata->blen + IMAP_CMD_BUFSIZE);\n idata->blen = idata->blen + IMAP_CMD_BUFSIZE;\n dprint (3, (debugfile, \"imap_cmd_step: grew buffer to %u bytes\\n\",\n\t\t idata->blen));\n }\n\n /* back up over '\\0' */\n if (len)\n len--;\n c = mutt_socket_readln (idata->buf + len, idata->blen - len, idata->conn);\n if (c <= 0)\n {\n dprint (1, (debugfile, \"imap_cmd_step: Error reading server response.\\n\"));\n cmd_handle_fatal (idata);\n return IMAP_CMD_BAD;\n }\n\n len += c;\n }\n /* if we've read all the way to the end of the buffer, we haven't read a\n * full line (mutt_socket_readln strips the \\r, so we always have at least\n * one character free when we've read a full line) */\n while (len == idata->blen);\n\n /* don't let one large string make cmd->buf hog memory forever */\n if ((idata->blen > IMAP_CMD_BUFSIZE) && (len <= IMAP_CMD_BUFSIZE))\n {\n safe_realloc (&idata->buf, IMAP_CMD_BUFSIZE);\n idata->blen = IMAP_CMD_BUFSIZE;\n dprint (3, (debugfile, \"imap_cmd_step: shrank buffer to %u bytes\\n\", idata->blen));\n }\n\n idata->lastread = time (NULL);\n\n /* handle untagged messages. The caller still gets its shot afterwards. 
*/\n if ((!ascii_strncmp (idata->buf, \"* \", 2)\n || !ascii_strncmp (imap_next_word (idata->buf), \"OK [\", 4))\n && cmd_handle_untagged (idata))\n return IMAP_CMD_BAD;\n\n /* server demands a continuation response from us */\n if (idata->buf[0] == '+')\n return IMAP_CMD_RESPOND;\n\n /* Look for tagged command completions.\n *\n * Some response handlers can end up recursively calling\n * imap_cmd_step() and end up handling all tagged command\n * completions.\n * (e.g. FETCH->set_flag->set_header_color->~h pattern match.)\n *\n * Other callers don't even create an idata->cmds entry.\n *\n * For both these cases, we default to returning OK */\n rc = IMAP_CMD_OK;\n c = idata->lastcmd;\n do\n {\n cmd = &idata->cmds[c];\n if (cmd->state == IMAP_CMD_NEW)\n {\n if (!ascii_strncmp (idata->buf, cmd->seq, SEQLEN)) {\n\tif (!stillrunning)\n\t{\n\t /* first command in queue has finished - move queue pointer up */\n\t idata->lastcmd = (idata->lastcmd + 1) % idata->cmdslots;\n\t}\n\tcmd->state = cmd_status (idata->buf);\n\t/* bogus - we don't know which command result to return here. Caller\n\t * should provide a tag. 
*/\n\trc = cmd->state;\n }\n else\n\tstillrunning++;\n }\n\n c = (c + 1) % idata->cmdslots;\n }\n while (c != idata->nextcmd);\n\n if (stillrunning)\n rc = IMAP_CMD_CONTINUE;\n else\n {\n dprint (3, (debugfile, \"IMAP queue drained\\n\"));\n imap_cmd_finish (idata);\n }\n \n\n return rc;\n}", "project": "mutt", "hash": 133677900621072925495027529424860299791, "size": 111, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338019 }, { "func": "static bool checkreturn pb_dec_uvarint(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n pb_uint64_t value, clamped;\n if (!pb_decode_varint(stream, &value))\n return false;\n \n /* Cast to the proper field size, while checking for overflows */\n if (field->data_size == sizeof(pb_uint64_t))\n clamped = *(pb_uint64_t*)dest = value;\n else if (field->data_size == sizeof(uint32_t))\n clamped = *(uint32_t*)dest = (uint32_t)value;\n else if (field->data_size == sizeof(uint_least16_t))\n clamped = *(uint_least16_t*)dest = (uint_least16_t)value;\n else if (field->data_size == sizeof(uint_least8_t))\n clamped = *(uint_least8_t*)dest = (uint_least8_t)value;\n else\n PB_RETURN_ERROR(stream, \"invalid data_size\");\n \n if (clamped != value)\n PB_RETURN_ERROR(stream, \"integer too large\");\n\n return true;\n}", "project": "nanopb", "hash": 293741825586761842253265905810150576598, "size": 23, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252494 }, { "func": "static bool checkreturn pb_dec_uvarint(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n uint64_t value;\n if (!pb_decode_varint(stream, &value))\n return false;\n \n switch (field->data_size)\n {\n case 4: *(uint32_t*)dest = (uint32_t)value; break;\n case 8: *(uint64_t*)dest = value; break;\n default: PB_RETURN_ERROR(stream, 
\"invalid data_size\");\n }\n \n return true;\n}", "project": "nanopb", "hash": 63610557502600986685198379111906516597, "size": 15, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255334 }, { "func": "nfs4_ff_layout_stat_io_end_read(struct rpc_task *task,\n\t\tstruct nfs4_ff_layout_mirror *mirror,\n\t\t__u64 requested,\n\t\t__u64 completed)\n{\n\tspin_lock(&mirror->lock);\n\tnfs4_ff_layout_stat_io_update_completed(&mirror->read_stat,\n\t\t\trequested, completed,\n\t\t\tktime_get(), task->tk_start);\n\tset_bit(NFS4_FF_MIRROR_STAT_AVAIL, &mirror->flags);\n\tspin_unlock(&mirror->lock);\n}", "project": "linux", "hash": 29671484406862314732361663328836399096, "size": 12, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234480 }, { "func": "static void tcp_disable_fack(struct tcp_sock *tp)\n{\n\t/* RFC3517 uses different metric in lost marker => reset on change */\n\tif (tcp_is_fack(tp))\n\t\ttp->lost_skb_hint = NULL;\n\ttp->rx_opt.sack_ok &= ~2;\n}", "project": "net-next", "hash": 284879015936962839753066345128721324277, "size": 7, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409846 }, { "func": "static int kvm_hv_msr_get_crash_ctl(struct kvm *kvm, u64 *pdata)\n{\n\tstruct kvm_hv *hv = to_kvm_hv(kvm);\n\n\t*pdata = hv->hv_crash_ctl;\n\treturn 0;\n}", "project": "linux", "hash": 322789681697131014033809830489711031610, "size": 7, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 
[inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343470 }, { "func": "void LibRaw::canon_sraw_load_raw()\n{\n struct jhead jh;\n short *rp = 0, (*ip)[4];\n int jwide, slice, scol, ecol, row, col, jrow = 0, jcol = 0, pix[3], c;\n int v[3] = {0, 0, 0}, ver, hue;\n int saved_w = width, saved_h = height;\n char *cp;\n\n if (!ljpeg_start(&jh, 0) || jh.clrs < 4)\n return;\n jwide = (jh.wide >>= 1) * jh.clrs;\n\n if (load_flags & 256)\n {\n width = raw_width;\n height = raw_height;\n }\n\n try\n {\n for (ecol = slice = 0; slice <= cr2_slice[0]; slice++)\n {\n scol = ecol;\n ecol += cr2_slice[1] * 2 / jh.clrs;\n if (!cr2_slice[0] || ecol > raw_width - 1)\n ecol = raw_width & -2;\n for (row = 0; row < height; row += (jh.clrs >> 1) - 1)\n {\n checkCancel();\n ip = (short(*)[4])image + row * width;\n for (col = scol; col < ecol; col += 2, jcol += jh.clrs)\n {\n if ((jcol %= jwide) == 0)\n rp = (short *)ljpeg_row(jrow++, &jh);\n if (col >= width)\n continue;\n if (imgdata.params.raw_processing_options &\n LIBRAW_PROCESSING_SRAW_NO_INTERPOLATE)\n {\n FORC(jh.clrs - 2)\n {\n ip[col + (c >> 1) * width + (c & 1)][0] = rp[jcol 
+ c];\n ip[col + (c >> 1) * width + (c & 1)][1] =\n ip[col + (c >> 1) * width + (c & 1)][2] = 8192;\n }\n ip[col][1] = rp[jcol + jh.clrs - 2] - 8192;\n ip[col][2] = rp[jcol + jh.clrs - 1] - 8192;\n }\n else if (imgdata.params.raw_processing_options &\n LIBRAW_PROCESSING_SRAW_NO_RGB)\n {\n FORC(jh.clrs - 2)\n ip[col + (c >> 1) * width + (c & 1)][0] = rp[jcol + c];\n ip[col][1] = rp[jcol + jh.clrs - 2] - 8192;\n ip[col][2] = rp[jcol + jh.clrs - 1] - 8192;\n }\n else\n {\n FORC(jh.clrs - 2)\n ip[col + (c >> 1) * width + (c & 1)][0] = rp[jcol + c];\n ip[col][1] = rp[jcol + jh.clrs - 2] - 16384;\n ip[col][2] = rp[jcol + jh.clrs - 1] - 16384;\n }\n }\n }\n }\n }\n catch (...)\n {\n ljpeg_end(&jh);\n throw;\n }\n\n if (imgdata.params.raw_processing_options &\n LIBRAW_PROCESSING_SRAW_NO_INTERPOLATE)\n {\n ljpeg_end(&jh);\n maximum = 0x3fff;\n height = saved_h;\n width = saved_w;\n return;\n }\n\n try\n {\n for (cp = model2; *cp && !isdigit(*cp); cp++)\n ;\n sscanf(cp, \"%d.%d.%d\", v, v + 1, v + 2);\n ver = (v[0] * 1000 + v[1]) * 1000 + v[2];\n hue = (jh.sraw + 1) << 2;\n if (unique_id >= 0x80000281ULL ||\n (unique_id == 0x80000218ULL && ver > 1000006))\n hue = jh.sraw << 1;\n ip = (short(*)[4])image;\n rp = ip[0];\n for (row = 0; row < height; row++, ip += width)\n {\n checkCancel();\n if (row & (jh.sraw >> 1))\n {\n for (col = 0; col < width; col += 2)\n for (c = 1; c < 3; c++)\n if (row == height - 1)\n {\n ip[col][c] = ip[col - width][c];\n }\n else\n {\n ip[col][c] = (ip[col - width][c] + ip[col + width][c] + 1) >> 1;\n }\n }\n for (col = 1; col < width; col += 2)\n for (c = 1; c < 3; c++)\n if (col == width - 1)\n ip[col][c] = ip[col - 1][c];\n else\n ip[col][c] = (ip[col - 1][c] + ip[col + 1][c] + 1) >> 1;\n }\n if (!(imgdata.params.raw_processing_options &\n LIBRAW_PROCESSING_SRAW_NO_RGB))\n for (; rp < ip[0]; rp += 4)\n {\n checkCancel();\n if (unique_id == 0x80000218ULL || unique_id == 0x80000250ULL ||\n unique_id == 0x80000261ULL || unique_id == 0x80000281ULL 
||\n unique_id == 0x80000287ULL)\n {\n rp[1] = (rp[1] << 2) + hue;\n rp[2] = (rp[2] << 2) + hue;\n pix[0] = rp[0] + ((50 * rp[1] + 22929 * rp[2]) >> 14);\n pix[1] = rp[0] + ((-5640 * rp[1] - 11751 * rp[2]) >> 14);\n pix[2] = rp[0] + ((29040 * rp[1] - 101 * rp[2]) >> 14);\n }\n else\n {\n if (unique_id < 0x80000218ULL)\n rp[0] -= 512;\n pix[0] = rp[0] + rp[2];\n pix[2] = rp[0] + rp[1];\n pix[1] = rp[0] + ((-778 * rp[1] - (rp[2] << 11)) >> 12);\n }\n FORC3 rp[c] = CLIP15(pix[c] * sraw_mul[c] >> 10);\n }\n }\n catch (...)\n {\n ljpeg_end(&jh);\n throw;\n }\n height = saved_h;\n width = saved_w;\n ljpeg_end(&jh);\n maximum = 0x3fff;\n}", "project": "LibRaw", "hash": 60531155344120009979186825860704589110, "size": 155, "commit_id": "a6937d4046a7c4742b683a04c8564605fd9be4fb", "message": "more room for ljpeg row", "target": 0, "dataset": "other", "idx": 319450 }, { "func": "static bool fanout_flow_is_huge(struct packet_sock *po, struct sk_buff *skb)\n{\n\tu32 *history = po->rollover->history;\n\tu32 victim, rxhash;\n\tint i, count = 0;\n\n\trxhash = skb_get_hash(skb);\n\tfor (i = 0; i < ROLLOVER_HLEN; i++)\n\t\tif (READ_ONCE(history[i]) == rxhash)\n\t\t\tcount++;\n\n\tvictim = prandom_u32() % ROLLOVER_HLEN;\n\n\t/* Avoid dirtying the cache line if possible */\n\tif (READ_ONCE(history[victim]) != rxhash)\n\t\tWRITE_ONCE(history[victim], rxhash);\n\n\treturn count > (ROLLOVER_HLEN >> 1);\n}", "project": "linux", "hash": 142828602932283686943097120771752881126, "size": 19, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds 
USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330378 }, { "func": "static int vm_stat_clear(void *_offset, u64 val)\n{\n\tunsigned offset = (long)_offset;\n\tstruct kvm *kvm;\n\n\tif (val)\n\t\treturn -EINVAL;\n\n\tmutex_lock(&kvm_lock);\n\tlist_for_each_entry(kvm, &vm_list, vm_list) {\n\t\tkvm_clear_stat_per_vm(kvm, offset);\n\t}\n\tmutex_unlock(&kvm_lock);\n\n\treturn 0;\n}", "project": "linux", "hash": 222542183254366098055800869419747773377, "size": 16, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354812 }, { "func": "static int php_openssl_validate_iv(char **piv, size_t *piv_len, size_t iv_required_len,\n\t\tzend_bool *free_iv, EVP_CIPHER_CTX *cipher_ctx, struct php_openssl_cipher_mode *mode) /* {{{ */\n{\n\tchar *iv_new;\n\n\t/* Best case scenario, user behaved */\n\tif (*piv_len == iv_required_len) {\n\t\treturn SUCCESS;\n\t}\n\n\tif (mode->is_aead) {\n\t\tif (EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_ivlen_flag, *piv_len, NULL) != 1) {\n\t\t\tphp_error_docref(NULL, E_WARNING, \"Setting of IV length for AEAD mode failed\");\n\t\t\treturn FAILURE;\n\t\t}\n\t\treturn SUCCESS;\n\t}\n\n\tiv_new = 
ecalloc(1, iv_required_len + 1);\n\n\tif (*piv_len == 0) {\n\t\t/* BC behavior */\n\t\t*piv_len = iv_required_len;\n\t\t*piv = iv_new;\n\t\t*free_iv = 1;\n\t\treturn SUCCESS;\n\n\t}\n\n\tif (*piv_len < iv_required_len) {\n\t\tphp_error_docref(NULL, E_WARNING,\n\t\t\t\t\"IV passed is only %zd bytes long, cipher expects an IV of precisely %zd bytes, padding with \\\\0\",\n\t\t\t\t*piv_len, iv_required_len);\n\t\tmemcpy(iv_new, *piv, *piv_len);\n\t\t*piv_len = iv_required_len;\n\t\t*piv = iv_new;\n\t\t*free_iv = 1;\n\t\treturn SUCCESS;\n\t}\n\n\tphp_error_docref(NULL, E_WARNING,\n\t\t\t\"IV passed is %zd bytes long which is longer than the %zd expected by selected cipher, truncating\",\n\t\t\t*piv_len, iv_required_len);\n\tmemcpy(iv_new, *piv, iv_required_len);\n\t*piv_len = iv_required_len;\n\t*piv = iv_new;\n\t*free_iv = 1;\n\treturn SUCCESS;\n\n}", "project": "php-src", "hash": 232840072465422852413169490519972262918, "size": 50, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 1, "dataset": "other", "idx": 199700 }, { "func": "static int php_openssl_validate_iv(char **piv, size_t *piv_len, size_t iv_required_len,\n\t\tzend_bool *free_iv, EVP_CIPHER_CTX *cipher_ctx, struct php_openssl_cipher_mode *mode) /* {{{ */\n{\n\tchar *iv_new;\n\n\tif (mode->is_aead) {\n\t\tif (EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_ivlen_flag, *piv_len, NULL) != 1) {\n\t\t\tphp_error_docref(NULL, E_WARNING, \"Setting of IV length for AEAD mode failed\");\n\t\t\treturn FAILURE;\n\t\t}\n\t\treturn SUCCESS;\n\t}\n\n\t/* Best case scenario, user behaved */\n\tif (*piv_len == iv_required_len) {\n\t\treturn SUCCESS;\n\t}\n\n\tiv_new = ecalloc(1, iv_required_len + 1);\n\n\tif (*piv_len == 0) {\n\t\t/* BC behavior */\n\t\t*piv_len = iv_required_len;\n\t\t*piv = iv_new;\n\t\t*free_iv = 1;\n\t\treturn SUCCESS;\n\n\t}\n\n\tif (*piv_len < iv_required_len) {\n\t\tphp_error_docref(NULL, 
E_WARNING,\n\t\t\t\t\"IV passed is only %zd bytes long, cipher expects an IV of precisely %zd bytes, padding with \\\\0\",\n\t\t\t\t*piv_len, iv_required_len);\n\t\tmemcpy(iv_new, *piv, *piv_len);\n\t\t*piv_len = iv_required_len;\n\t\t*piv = iv_new;\n\t\t*free_iv = 1;\n\t\treturn SUCCESS;\n\t}\n\n\tphp_error_docref(NULL, E_WARNING,\n\t\t\t\"IV passed is %zd bytes long which is longer than the %zd expected by selected cipher, truncating\",\n\t\t\t*piv_len, iv_required_len);\n\tmemcpy(iv_new, *piv, iv_required_len);\n\t*piv_len = iv_required_len;\n\t*piv = iv_new;\n\t*free_iv = 1;\n\treturn SUCCESS;\n\n}", "project": "php-src", "hash": 248839184558979669461751117706652524696, "size": 50, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291448 }, { "func": "static void opj_j2k_tcp_destroy(opj_tcp_t *p_tcp)\n{\n if (p_tcp == 00) {\n return;\n }\n\n if (p_tcp->ppt_markers != 00) {\n OPJ_UINT32 i;\n for (i = 0U; i < p_tcp->ppt_markers_count; ++i) {\n if (p_tcp->ppt_markers[i].m_data != NULL) {\n opj_free(p_tcp->ppt_markers[i].m_data);\n }\n }\n p_tcp->ppt_markers_count = 0U;\n opj_free(p_tcp->ppt_markers);\n p_tcp->ppt_markers = NULL;\n }\n\n if (p_tcp->ppt_buffer != 00) {\n opj_free(p_tcp->ppt_buffer);\n p_tcp->ppt_buffer = 00;\n }\n\n if (p_tcp->tccps != 00) {\n opj_free(p_tcp->tccps);\n p_tcp->tccps = 00;\n }\n\n if (p_tcp->m_mct_coding_matrix != 00) {\n opj_free(p_tcp->m_mct_coding_matrix);\n p_tcp->m_mct_coding_matrix = 00;\n }\n\n if (p_tcp->m_mct_decoding_matrix != 00) {\n opj_free(p_tcp->m_mct_decoding_matrix);\n p_tcp->m_mct_decoding_matrix = 00;\n }\n\n if (p_tcp->m_mcc_records) {\n opj_free(p_tcp->m_mcc_records);\n p_tcp->m_mcc_records = 00;\n p_tcp->m_nb_max_mcc_records = 0;\n p_tcp->m_nb_mcc_records = 0;\n }\n\n if (p_tcp->m_mct_records) {\n opj_mct_data_t * l_mct_data = p_tcp->m_mct_records;\n OPJ_UINT32 i;\n\n for (i = 
0; i < p_tcp->m_nb_mct_records; ++i) {\n if (l_mct_data->m_data) {\n opj_free(l_mct_data->m_data);\n l_mct_data->m_data = 00;\n }\n\n ++l_mct_data;\n }\n\n opj_free(p_tcp->m_mct_records);\n p_tcp->m_mct_records = 00;\n }\n\n if (p_tcp->mct_norms != 00) {\n opj_free(p_tcp->mct_norms);\n p_tcp->mct_norms = 00;\n }\n\n opj_j2k_tcp_data_destroy(p_tcp);\n\n}", "project": "openjpeg", "hash": 143154677446513174689087903360846425587, "size": 70, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357349 }, { "func": "kvm_pfn_t gfn_to_pfn_prot(struct kvm *kvm, gfn_t gfn, bool write_fault,\n\t\t bool *writable)\n{\n\treturn __gfn_to_pfn_memslot(gfn_to_memslot(kvm, gfn), gfn, false, NULL,\n\t\t\t\t write_fault, writable);\n}", "project": "linux", "hash": 35097666524602477645151977874712898510, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354751 }, { "func": "kvm_pfn_t gfn_to_pfn_prot(struct kvm *kvm, gfn_t gfn, bool write_fault,\n\t\t bool *writable)\n{\n\treturn __gfn_to_pfn_memslot(gfn_to_memslot(kvm, gfn), gfn, false, NULL,\n\t\t\t\t write_fault, writable, NULL);\n}", "project": "linux", "hash": 294617806227876017798379480269820062545, 
"size": 6, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404112 }, { "func": "bool CClient::OnJoinMessage(CJoinMessage& Message) {\n CString sChans = Message.GetTarget();\n CString sKeys = Message.GetKey();\n\n VCString vsChans;\n sChans.Split(\",\", vsChans, false);\n sChans.clear();\n\n VCString vsKeys;\n sKeys.Split(\",\", vsKeys, true);\n sKeys.clear();\n\n for (unsigned int a = 0; a < vsChans.size(); a++) {\n Message.SetTarget(vsChans[a]);\n Message.SetKey((a < vsKeys.size()) ? 
vsKeys[a] : \"\");\n if (m_pNetwork) {\n // May be nullptr.\n Message.SetChan(m_pNetwork->FindChan(vsChans[a]));\n }\n bool bContinue = false;\n NETWORKMODULECALL(OnUserJoinMessage(Message), m_pUser, m_pNetwork, this,\n &bContinue);\n if (bContinue) continue;\n\n CString sChannel = Message.GetTarget();\n CString sKey = Message.GetKey();\n\n if (m_pNetwork) {\n CChan* pChan = m_pNetwork->FindChan(sChannel);\n if (pChan) {\n if (pChan->IsDetached())\n pChan->AttachUser(this);\n else\n pChan->JoinUser(sKey);\n continue;\n } else if (!sChannel.empty()) {\n pChan = new CChan(sChannel, m_pNetwork, false);\n if (m_pNetwork->AddChan(pChan)) {\n pChan->SetKey(sKey);\n }\n }\n }\n\n if (!sChannel.empty()) {\n sChans += (sChans.empty()) ? sChannel : CString(\",\" + sChannel);\n\n if (!vsKeys.empty()) {\n sKeys += (sKeys.empty()) ? sKey : CString(\",\" + sKey);\n }\n }\n }\n\n Message.SetTarget(sChans);\n Message.SetKey(sKeys);\n\n return sChans.empty();\n}", "project": "znc", "hash": 189150216393226071707534204521415653129, "size": 57, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231592 }, { "func": "static uint8_t get_filter_flags(const uint8_t header_flags,\n const int32_t typesize) {\n uint8_t flags = 0;\n\n if ((header_flags & BLOSC_DOSHUFFLE) && (typesize > 1)) {\n flags |= BLOSC_DOSHUFFLE;\n }\n if (header_flags & BLOSC_DOBITSHUFFLE) {\n flags |= BLOSC_DOBITSHUFFLE;\n }\n if (header_flags & BLOSC_DODELTA) {\n flags |= BLOSC_DODELTA;\n }\n if (header_flags & BLOSC_MEMCPYED) {\n flags |= BLOSC_MEMCPYED;\n }\n return flags;\n}", "project": "c-blosc2", "hash": 42634776470086300103834706668963036837, "size": 18, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303072 }, { "func": "int __init register_tracer(struct tracer 
*type)\n{\n\tstruct tracer *t;\n\tint ret = 0;\n\n\tif (!type->name) {\n\t\tpr_info(\"Tracer must have a name\\n\");\n\t\treturn -1;\n\t}\n\n\tif (strlen(type->name) >= MAX_TRACER_SIZE) {\n\t\tpr_info(\"Tracer has a name longer than %d\\n\", MAX_TRACER_SIZE);\n\t\treturn -1;\n\t}\n\n\tmutex_lock(&trace_types_lock);\n\n\ttracing_selftest_running = true;\n\n\tfor (t = trace_types; t; t = t->next) {\n\t\tif (strcmp(type->name, t->name) == 0) {\n\t\t\t/* already found */\n\t\t\tpr_info(\"Tracer %s already registered\\n\",\n\t\t\t\ttype->name);\n\t\t\tret = -1;\n\t\t\tgoto out;\n\t\t}\n\t}\n\n\tif (!type->set_flag)\n\t\ttype->set_flag = &dummy_set_flag;\n\tif (!type->flags) {\n\t\t/*allocate a dummy tracer_flags*/\n\t\ttype->flags = kmalloc(sizeof(*type->flags), GFP_KERNEL);\n\t\tif (!type->flags) {\n\t\t\tret = -ENOMEM;\n\t\t\tgoto out;\n\t\t}\n\t\ttype->flags->val = 0;\n\t\ttype->flags->opts = dummy_tracer_opt;\n\t} else\n\t\tif (!type->flags->opts)\n\t\t\ttype->flags->opts = dummy_tracer_opt;\n\n\t/* store the tracer for __set_tracer_option */\n\ttype->flags->trace = type;\n\n\tret = run_tracer_selftest(type);\n\tif (ret < 0)\n\t\tgoto out;\n\n\ttype->next = trace_types;\n\ttrace_types = type;\n\tadd_tracer_options(&global_trace, type);\n\n out:\n\ttracing_selftest_running = false;\n\tmutex_unlock(&trace_types_lock);\n\n\tif (ret || !default_bootup_tracer)\n\t\tgoto out_unlock;\n\n\tif (strncmp(default_bootup_tracer, type->name, MAX_TRACER_SIZE))\n\t\tgoto out_unlock;\n\n\tprintk(KERN_INFO \"Starting tracer '%s'\\n\", type->name);\n\t/* Do we want this tracer to start on bootup? */\n\ttracing_set_tracer(&global_trace, type->name);\n\tdefault_bootup_tracer = NULL;\n\n\tapply_trace_boot_options();\n\n\t/* disable other selftests, since this will break it. 
*/\n\ttracing_selftest_disabled = true;\n#ifdef CONFIG_FTRACE_STARTUP_TEST\n\tprintk(KERN_INFO \"Disabling FTRACE selftests due to running tracer '%s'\\n\",\n\t type->name);\n#endif\n\n out_unlock:\n\treturn ret;\n}", "project": "linux", "hash": 253248871025078150061879114403334798568, "size": 82, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445700 }, { "func": "int _ssh_buffer_pack(struct ssh_buffer_struct *buffer,\n const char *format,\n size_t argc,\n ...)\n{\n va_list ap;\n int rc;\n\n if (argc > 256) {\n return SSH_ERROR;\n }\n\n va_start(ap, argc);\n rc = ssh_buffer_pack_allocate_va(buffer, format, argc, ap);\n va_end(ap);\n\n if (rc != SSH_OK) {\n return rc;\n }\n\n va_start(ap, argc);\n rc = ssh_buffer_pack_va(buffer, format, argc, ap);\n va_end(ap);\n\n return rc;\n}", "project": "libssh-mirror", "hash": 219385040632471886813683361860802641800, "size": 26, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345171 }, { "func": "KernelAndDeviceFunc::~KernelAndDeviceFunc() {\n if (handle_ != kInvalidHandle) {\n Status status = 
pflr_->ReleaseHandle(handle_);\n if (!status.ok()) {\n LOG(INFO) << \"Ignoring error status when releasing multi-device function \"\n \"handle \"\n << status.ToString();\n }\n }\n}", "project": "tensorflow", "hash": 269813431707707815936859130999763568582, "size": 10, "commit_id": "da8558533d925694483d2c136a9220d6d49d843c", "message": "Fix undefined behavior in `tf.raw_ops.Switch` in eager mode.\n\nPiperOrigin-RevId: 332578058\nChange-Id: I9727571d2f21476b10d8aa27c1b7176564b76ac9", "target": 0, "dataset": "other", "idx": 270132 }, { "func": "static int vhost_net_open(struct inode *inode, struct file *f)\n{\n\tstruct vhost_net *n;\n\tstruct vhost_dev *dev;\n\tstruct vhost_virtqueue **vqs;\n\tvoid **queue;\n\tstruct xdp_buff *xdp;\n\tint i;\n\n\tn = kvmalloc(sizeof *n, GFP_KERNEL | __GFP_RETRY_MAYFAIL);\n\tif (!n)\n\t\treturn -ENOMEM;\n\tvqs = kmalloc_array(VHOST_NET_VQ_MAX, sizeof(*vqs), GFP_KERNEL);\n\tif (!vqs) {\n\t\tkvfree(n);\n\t\treturn -ENOMEM;\n\t}\n\n\tqueue = kmalloc_array(VHOST_NET_BATCH, sizeof(void *),\n\t\t\t GFP_KERNEL);\n\tif (!queue) {\n\t\tkfree(vqs);\n\t\tkvfree(n);\n\t\treturn -ENOMEM;\n\t}\n\tn->vqs[VHOST_NET_VQ_RX].rxq.queue = queue;\n\n\txdp = kmalloc_array(VHOST_NET_BATCH, sizeof(*xdp), GFP_KERNEL);\n\tif (!xdp) {\n\t\tkfree(vqs);\n\t\tkvfree(n);\n\t\tkfree(queue);\n\t\treturn -ENOMEM;\n\t}\n\tn->vqs[VHOST_NET_VQ_TX].xdp = xdp;\n\n\tdev = &n->dev;\n\tvqs[VHOST_NET_VQ_TX] = &n->vqs[VHOST_NET_VQ_TX].vq;\n\tvqs[VHOST_NET_VQ_RX] = &n->vqs[VHOST_NET_VQ_RX].vq;\n\tn->vqs[VHOST_NET_VQ_TX].vq.handle_kick = handle_tx_kick;\n\tn->vqs[VHOST_NET_VQ_RX].vq.handle_kick = handle_rx_kick;\n\tfor (i = 0; i < VHOST_NET_VQ_MAX; i++) {\n\t\tn->vqs[i].ubufs = NULL;\n\t\tn->vqs[i].ubuf_info = NULL;\n\t\tn->vqs[i].upend_idx = 0;\n\t\tn->vqs[i].done_idx = 0;\n\t\tn->vqs[i].batched_xdp = 0;\n\t\tn->vqs[i].vhost_hlen = 0;\n\t\tn->vqs[i].sock_hlen = 0;\n\t\tn->vqs[i].rx_ring = NULL;\n\t\tvhost_net_buf_init(&n->vqs[i].rxq);\n\t}\n\tvhost_dev_init(dev, vqs, 
VHOST_NET_VQ_MAX,\n\t\t UIO_MAXIOV + VHOST_NET_BATCH,\n\t\t VHOST_NET_PKT_WEIGHT, VHOST_NET_WEIGHT);\n\n\tvhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, EPOLLOUT, dev);\n\tvhost_poll_init(n->poll + VHOST_NET_VQ_RX, handle_rx_net, EPOLLIN, dev);\n\n\tf->private_data = n;\n\tn->page_frag.page = NULL;\n\tn->refcnt_bias = 0;\n\n\treturn 0;\n}", "project": "linux", "hash": 292151692906604503399522084128696524247, "size": 65, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 441984 }, { "func": "static int bcf_hdr_register_hrec(bcf_hdr_t *hdr, bcf_hrec_t *hrec)\n{\n // contig\n int i, ret, replacing = 0;\n khint_t k;\n char *str = NULL;\n\n if ( !strcmp(hrec->key, \"contig\") )\n {\n hts_pos_t len = 0;\n hrec->type = BCF_HL_CTG;\n\n // Get the contig ID ($str) and length ($j)\n i = bcf_hrec_find_key(hrec,\"length\");\n if ( i<0 ) len = 0;\n else {\n char *end = hrec->vals[i];\n len = strtoll(hrec->vals[i], &end, 10);\n if (end == hrec->vals[i] || len < 0) return 0;\n }\n\n i = bcf_hrec_find_key(hrec,\"ID\");\n if ( i<0 ) return 0;\n str = strdup(hrec->vals[i]);\n if (!str) return -1;\n\n // Register in the dictionary\n vdict_t *d = (vdict_t*)hdr->dict[BCF_DT_CTG];\n khint_t k = kh_get(vdict, d, str);\n if ( k != kh_end(d) ) { // already present\n free(str); str=NULL;\n if (kh_val(d, k).hrec[0] != NULL) // and not removed\n return 0;\n replacing = 1;\n } else {\n k = kh_put(vdict, d, str, &ret);\n if (ret < 0) { free(str); return -1; }\n }\n\n int idx = bcf_hrec_find_key(hrec,\"IDX\");\n if ( idx!=-1 )\n {\n char *tmp = hrec->vals[idx];\n idx = strtol(hrec->vals[idx], &tmp, 10);\n if ( *tmp || idx < 0 || idx >= INT_MAX - 1)\n {\n if (!replacing) {\n kh_del(vdict, d, k);\n free(str);\n }\n hts_log_warning(\"Error parsing the IDX tag, skipping\");\n return 0;\n }\n }\n\n kh_val(d, k) = bcf_idinfo_def;\n kh_val(d, k).id = idx;\n kh_val(d, k).info[0] = len;\n kh_val(d, k).hrec[0] = hrec;\n if (bcf_hdr_set_idx(hdr, BCF_DT_CTG, kh_key(d,k), &kh_val(d,k)) < 0) {\n if (!replacing) {\n kh_del(vdict, d, k);\n free(str);\n }\n return -1;\n }\n if ( idx==-1 ) {\n if (hrec_add_idx(hrec, kh_val(d,k).id) < 0) {\n return -1;\n }\n }\n\n return 1;\n }\n\n if ( !strcmp(hrec->key, \"INFO\") ) hrec->type = BCF_HL_INFO;\n else if ( !strcmp(hrec->key, \"FILTER\") ) hrec->type = BCF_HL_FLT;\n else if ( !strcmp(hrec->key, \"FORMAT\") ) hrec->type = BCF_HL_FMT;\n else if ( hrec->nkeys>0 ) { hrec->type = 
BCF_HL_STR; return 1; }\n else return 0;\n\n // INFO/FILTER/FORMAT\n char *id = NULL;\n uint32_t type = UINT32_MAX, var = UINT32_MAX;\n int num = -1, idx = -1;\n for (i=0; inkeys; i++)\n {\n if ( !strcmp(hrec->keys[i], \"ID\") ) id = hrec->vals[i];\n else if ( !strcmp(hrec->keys[i], \"IDX\") )\n {\n char *tmp = hrec->vals[i];\n idx = strtol(hrec->vals[i], &tmp, 10);\n if ( *tmp || idx < 0 || idx >= INT_MAX - 1)\n {\n hts_log_warning(\"Error parsing the IDX tag, skipping\");\n return 0;\n }\n }\n else if ( !strcmp(hrec->keys[i], \"Type\") )\n {\n if ( !strcmp(hrec->vals[i], \"Integer\") ) type = BCF_HT_INT;\n else if ( !strcmp(hrec->vals[i], \"Float\") ) type = BCF_HT_REAL;\n else if ( !strcmp(hrec->vals[i], \"String\") ) type = BCF_HT_STR;\n else if ( !strcmp(hrec->vals[i], \"Character\") ) type = BCF_HT_STR;\n else if ( !strcmp(hrec->vals[i], \"Flag\") ) type = BCF_HT_FLAG;\n else\n {\n hts_log_warning(\"The type \\\"%s\\\" is not supported, assuming \\\"String\\\"\", hrec->vals[i]);\n type = BCF_HT_STR;\n }\n }\n else if ( !strcmp(hrec->keys[i], \"Number\") )\n {\n if ( !strcmp(hrec->vals[i],\"A\") ) var = BCF_VL_A;\n else if ( !strcmp(hrec->vals[i],\"R\") ) var = BCF_VL_R;\n else if ( !strcmp(hrec->vals[i],\"G\") ) var = BCF_VL_G;\n else if ( !strcmp(hrec->vals[i],\".\") ) var = BCF_VL_VAR;\n else\n {\n sscanf(hrec->vals[i],\"%d\",&num);\n var = BCF_VL_FIXED;\n }\n if (var != BCF_VL_FIXED) num = 0xfffff;\n }\n }\n if (hrec->type == BCF_HL_INFO || hrec->type == BCF_HL_FMT) {\n if (type == -1) {\n hts_log_warning(\"%s %s field has no Type defined. Assuming String\",\n *hrec->key == 'I' ? \"An\" : \"A\", hrec->key);\n type = BCF_HT_STR;\n }\n if (var == -1) {\n hts_log_warning(\"%s %s field has no Number defined. Assuming '.'\",\n *hrec->key == 'I' ? 
\"An\" : \"A\", hrec->key);\n var = BCF_VL_VAR;\n }\n }\n uint32_t info = ((((uint32_t)num) & 0xfffff)<<12 |\n (var & 0xf) << 8 |\n (type & 0xf) << 4 |\n (((uint32_t) hrec->type) & 0xf));\n\n if ( !id ) return 0;\n str = strdup(id);\n if (!str) return -1;\n\n vdict_t *d = (vdict_t*)hdr->dict[BCF_DT_ID];\n k = kh_get(vdict, d, str);\n if ( k != kh_end(d) )\n {\n // already present\n free(str);\n if ( kh_val(d, k).hrec[info&0xf] ) return 0;\n kh_val(d, k).info[info&0xf] = info;\n kh_val(d, k).hrec[info&0xf] = hrec;\n if ( idx==-1 ) {\n if (hrec_add_idx(hrec, kh_val(d, k).id) < 0) {\n return -1;\n }\n }\n return 1;\n }\n k = kh_put(vdict, d, str, &ret);\n if (ret < 0) {\n free(str);\n return -1;\n }\n kh_val(d, k) = bcf_idinfo_def;\n kh_val(d, k).info[info&0xf] = info;\n kh_val(d, k).hrec[info&0xf] = hrec;\n kh_val(d, k).id = idx;\n if (bcf_hdr_set_idx(hdr, BCF_DT_ID, kh_key(d,k), &kh_val(d,k)) < 0) {\n kh_del(vdict, d, k);\n free(str);\n return -1;\n }\n if ( idx==-1 ) {\n if (hrec_add_idx(hrec, kh_val(d,k).id) < 0) {\n return -1;\n }\n }\n\n return 1;\n}", "project": "htslib", "hash": 157247945047849029465612618999816745824, "size": 184, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402156 }, { "func": "static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,\n\t\tconst char *url, apr_byte_t restrict_to_host, char **err_str,\n\t\tchar **err_desc) {\n\tapr_uri_t uri;\n\tconst char *c_host = NULL;\n\tapr_hash_index_t *hi = NULL;\n\n\tif (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {\n\t\t*err_str = apr_pstrdup(r->pool, \"Malformed URL\");\n\t\t*err_desc = apr_psprintf(r->pool, \"not a valid URL value: %s\", url);\n\t\toidc_error(r, \"%s: %s\", *err_str, *err_desc);\n\t\treturn FALSE;\n\t}\n\n\tif (c->redirect_urls_allowed != NULL) {\n\t\tfor (hi = apr_hash_first(NULL, c->redirect_urls_allowed); hi; hi =\n\t\t\t\tapr_hash_next(hi)) {\n\t\t\tapr_hash_this(hi, (const void**) &c_host, NULL, NULL);\n\t\t\tif (oidc_util_regexp_first_match(r->pool, url, c_host,\n\t\t\t\t\tNULL, err_str) == TRUE)\n\t\t\t\tbreak;\n\t\t}\n\t\tif (hi == NULL) {\n\t\t\t*err_str = apr_pstrdup(r->pool, \"URL not allowed\");\n\t\t\t*err_desc =\n\t\t\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\t\t\"value does not match the list of allowed redirect URLs: %s\",\n\t\t\t\t\t\t\turl);\n\t\t\toidc_error(r, \"%s: %s\", *err_str, *err_desc);\n\t\t\treturn FALSE;\n\t\t}\n\t} else if ((uri.hostname != NULL) && (restrict_to_host == TRUE)) {\n\t\tc_host = oidc_get_current_url_host(r);\n\t\tif ((strstr(c_host, uri.hostname) == NULL)\n\t\t\t\t|| (strstr(uri.hostname, c_host) == NULL)) {\n\t\t\t*err_str = apr_pstrdup(r->pool, \"Invalid Request\");\n\t\t\t*err_desc =\n\t\t\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\t\t\"URL value \\\"%s\\\" does not match the hostname of the current request \\\"%s\\\"\",\n\t\t\t\t\t\t\tapr_uri_unparse(r->pool, &uri, 0), c_host);\n\t\t\toidc_error(r, 
\"%s: %s\", *err_str, *err_desc);\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\tif ((uri.hostname == NULL) && (strstr(url, \"/\") != url)) {\n\t\t*err_str = apr_pstrdup(r->pool, \"Malformed URL\");\n\t\t*err_desc =\n\t\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\t\"No hostname was parsed and it does not seem to be relative, i.e starting with '/': %s\",\n\t\t\t\t\t\turl);\n\t\toidc_error(r, \"%s: %s\", *err_str, *err_desc);\n\t\treturn FALSE;\n\t} else if ((uri.hostname == NULL) && (strstr(url, \"//\") == url)) {\n\t\t*err_str = apr_pstrdup(r->pool, \"Malformed URL\");\n\t\t*err_desc = apr_psprintf(r->pool,\n\t\t\t\t\"No hostname was parsed and starting with '//': %s\", url);\n\t\toidc_error(r, \"%s: %s\", *err_str, *err_desc);\n\t\treturn FALSE;\n\t} else if ((uri.hostname == NULL) && (strstr(url, \"/\\\\\") == url)) {\n\t\t*err_str = apr_pstrdup(r->pool, \"Malformed URL\");\n\t\t*err_desc = apr_psprintf(r->pool,\n\t\t\t\t\"No hostname was parsed and starting with '/\\\\': %s\", url);\n\t\toidc_error(r, \"%s: %s\", *err_str, *err_desc);\n\t\treturn FALSE;\n\t}\n\n\t/* validate the URL to prevent HTTP header splitting */\n\tif (((strstr(url, \"\\n\") != NULL) || strstr(url, \"\\r\") != NULL)) {\n\t\t*err_str = apr_pstrdup(r->pool, \"Invalid URL\");\n\t\t*err_desc =\n\t\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\t\"URL value \\\"%s\\\" contains illegal \\\"\\n\\\" or \\\"\\r\\\" character(s)\",\n\t\t\t\t\t\turl);\n\t\toidc_error(r, \"%s: %s\", *err_str, *err_desc);\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 295618594193518318487977681942538217675, "size": 80, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381921 }, { "func": "static inline void tcp_moderate_cwnd(struct tcp_sock *tp)\n{\n\ttp->snd_cwnd = 
min(tp->snd_cwnd,\n\t\t\t tcp_packets_in_flight(tp) + tcp_max_burst(tp));\n\ttp->snd_cwnd_stamp = tcp_time_stamp;\n}", "project": "net-next", "hash": 17108476637422466414107020846965034404, "size": 6, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409885 }, { "func": "static void autocompleteFilename(RLineCompletion *completion, RLineBuffer *buf, char **extra_paths, int narg) {\n\tchar *args = NULL, *input = NULL;\n\tint n = 0, i = 0;\n\tchar *pipe = strchr (buf->data, '>');\n\tif (pipe) {\n\t\targs = r_str_new (pipe + 1);\n\t} else {\n\t\targs = r_str_new (buf->data);\n\t}\n\tif (!args) {\n\t\tgoto out;\n\t}\n\n\tn = r_str_word_set0 (args);\n\tif (n < narg) {\n\t\tgoto out;\n\t}\n\n\tinput = r_str_new (r_str_word_get0 (args, narg));\n\tif (!input) {\n\t\tgoto out;\n\t}\n\tconst char *tinput = r_str_trim_head_ro (input);\n\n\tautocomplete_process_path (completion, buf->data, tinput);\n\n\tif (input[0] == '/' || input[0] == '.' 
|| !extra_paths) {\n\t\tgoto out;\n\t}\n\n\tfor (i = 0; extra_paths[i]; i ++) {\n\t\tchar *s = r_str_newf (\"%s%s%s\", extra_paths[i], R_SYS_DIR, tinput);\n\t\tif (!s) {\n\t\t\tbreak;\n\t\t}\n\t\tautocomplete_process_path (completion, buf->data, s);\n\t\tfree (s);\n\t}\nout:\n\tfree (args);\n\tfree (input);\n}", "project": "radare2", "hash": 176833830937377409547633061785895731347, "size": 42, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232154 }, { "func": "static void tcp_timeout_skbs(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct sk_buff *skb;\n\n\tif (!tcp_is_fack(tp) || !tcp_head_timedout(sk))\n\t\treturn;\n\n\tskb = tp->scoreboard_skb_hint;\n\tif (tp->scoreboard_skb_hint == NULL)\n\t\tskb = tcp_write_queue_head(sk);\n\n\ttcp_for_write_queue_from(skb, sk) {\n\t\tif (skb == tcp_send_head(sk))\n\t\t\tbreak;\n\t\tif (!tcp_skb_timedout(sk, skb))\n\t\t\tbreak;\n\n\t\ttcp_skb_mark_lost(tp, skb);\n\t}\n\n\ttp->scoreboard_skb_hint = skb;\n\n\ttcp_verify_left_out(tp);\n}", "project": "net-next", "hash": 193153834383938598764153180564633196304, "size": 25, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409872 }, { "func": "void GraphConstructor::UniquifyNames(\n const std::vector& input_already_exists, NodeDef* node_def) {\n if (NameExistsInGraph(node_def->name())) {\n string old_name = node_def->name();\n node_def->set_name(FindUniqueName(node_def->name()));\n uniquified_names_[old_name] = node_def->name();\n // Note that we don't have to update gdef_nodes_ or gdef_prefixes_ with\n // `name` because we guarantee the original NodeDef names are unique,\n // meaning we won't generate this name again.\n }\n for (int i = 0; i < node_def->input_size(); ++i) {\n // Skip remapped inputs (which already exist in g_ and are not being\n // imported).\n if (input_already_exists[i]) continue;\n TensorId id = ParseTensorName(node_def->input(i));\n // We require that UniquifyNames() is called on all NodeDefs in topological\n // order. This guarantees that node_def's inputs will already be uniquified\n // if necessary.\n auto iter = uniquified_names_.find(string(id.first));\n if (iter == uniquified_names_.end()) continue;\n id.first = iter->second;\n node_def->set_input(i, id.ToString());\n }\n}", "project": "tensorflow", "hash": 200260242502766113096503117336010483607, "size": 24, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268360 }, { "func": "static void free_loc_track(struct loc_track *t)\n{\n\tif (t->max)\n\t\tfree_pages((unsigned long)t->loc,\n\t\t\tget_order(sizeof(struct location) * t->max));\n}", "project": "linux", "hash": 313801485681031654103431044468107134118, "size": 6, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280043 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void ecall_non_oblivious_sort_merge_join(uint8_t *join_expr, size_t join_expr_length,\n uint8_t *input_rows, size_t input_rows_length,\n uint8_t *join_row, size_t join_row_length,\n uint8_t **output_rows, size_t *output_rows_length) {\n // Guard against operating on arbitrary enclave memory\n assert(sgx_is_outside_enclave(input_rows, input_rows_length) == 1);\n assert(sgx_is_outside_enclave(join_row, join_row_length) == 1);\n sgx_lfence();\n\n try {\n 
non_oblivious_sort_merge_join(join_expr, join_expr_length,\n input_rows, input_rows_length,\n join_row, join_row_length,\n output_rows, output_rows_length);\n } catch (const std::runtime_error &e) {\n ocall_throw(e.what());\n }\n}", "idx": 519073, "cwe": "CWE-787", "hash": 161950257868400760973752362729262860596, "dataset": "other" }, { "func": " Guard(ConnectionList *list, Connection *conn) : list(list), conn(conn) {}", "project": "ceph", "hash": 219879380294101914652002463700684291091, "size": 1, "commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves CVE-2020-1700 (moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384539 }, { "func": "\tstatic std::string ToModeLetters(const Modes::ChangeList& changelist)\n\t{\n\t\t// TODO: This assumes that std::string::max_size() >= UINT_MAX\n\t\tModes::ChangeList::List::const_iterator dummy;\n\t\treturn ToModeLetters(changelist.getlist(), UINT_MAX, changelist.getlist().begin(), dummy);\n\t}", "project": "inspircd", "hash": 88340055276783678292704337450172851453, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273238 }, { "func": "\tstatic std::string ToModeLetters(const Modes::ChangeList::List& list, std::string::size_type maxlinelen, Modes::ChangeList::List::const_iterator beginit, Modes::ChangeList::List::const_iterator& lastit)\n\t{\n\t\tstd::string ret;\n\t\tstd::string::size_type paramlength = 0;\n\t\tchar output_pm = '\\0'; // current output state, '+' or '-'\n\n\t\tModes::ChangeList::List::const_iterator i;\n\t\tfor (i = beginit; i != list.end(); ++i)\n\t\t{\n\t\t\tconst Modes::Change& item = *i;\n\n\t\t\tconst char needed_pm = 
(item.adding ? '+' : '-');\n\t\t\tif (needed_pm != output_pm)\n\t\t\t{\n\t\t\t\toutput_pm = needed_pm;\n\t\t\t\tret.push_back(output_pm);\n\t\t\t}\n\n\t\t\tif (!item.param.empty())\n\t\t\t\tparamlength += item.param.length() + 1;\n\t\t\tif (ret.length() + 1 + paramlength > maxlinelen)\n\t\t\t{\n\t\t\t\t// Mode sequence is getting too long\n\t\t\t\tconst char c = *ret.rbegin();\n\t\t\t\tif ((c == '+') || (c == '-'))\n\t\t\t\t\tret.erase(ret.size()-1);\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tret.push_back(item.mh->GetModeChar());\n\t\t}\n\n\t\tlastit = i;\n\t\treturn ret;\n\t}", "project": "inspircd", "hash": 252602382332501216118628484519083104960, "size": 35, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273242 }, { "func": "static void nfs_state_log_update_open_stateid(struct nfs4_state *state)\n{\n\tif (test_and_clear_bit(NFS_STATE_CHANGE_WAIT, &state->flags))\n\t\twake_up_all(&state->waitq);\n}", "project": "linux", "hash": 270359079411468477683111671446669449543, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430977 }, { "func": "int gdImageColorAllocate (gdImagePtr im, int r, int g, int b)\n{\n\treturn gdImageColorAllocateAlpha (im, r, g, b, gdAlphaOpaque);\n}", "project": "php-src", "hash": 128297349197287934706573450478592604092, "size": 4, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 
0, "dataset": "other", "idx": 295181 }, { "func": "void compute_part_of_sort_key_for_equals(JOIN *join, TABLE *table,\n Item_field *item_field,\n key_map *col_keys)\n{\n col_keys->clear_all();\n col_keys->merge(item_field->field->part_of_sortkey);\n \n if (!optimizer_flag(join->thd, OPTIMIZER_SWITCH_ORDERBY_EQ_PROP))\n return;\n\n Item_equal *item_eq= NULL;\n\n if (item_field->item_equal)\n {\n /* \n The item_field is from ORDER structure, but it already has an item_equal\n pointer set (UseMultipleEqualitiesToRemoveTempTable code have set it)\n */\n item_eq= item_field->item_equal;\n }\n else\n {\n /* \n Walk through join's muliple equalities and find the one that contains\n item_field.\n */\n if (!join->cond_equal)\n return;\n table_map needed_tbl_map= item_field->used_tables() | table->map;\n List_iterator li(join->cond_equal->current_level);\n Item_equal *cur_item_eq;\n while ((cur_item_eq= li++))\n {\n if ((cur_item_eq->used_tables() & needed_tbl_map) &&\n cur_item_eq->contains(item_field->field))\n {\n item_eq= cur_item_eq;\n item_field->item_equal= item_eq; // Save the pointer to our Item_equal.\n break;\n }\n }\n }\n \n if (item_eq)\n {\n Item_equal_fields_iterator it(*item_eq);\n Item *item;\n /* Loop through other members that belong to table table */\n while ((item= it++))\n {\n if (item->type() == Item::FIELD_ITEM &&\n ((Item_field*)item)->field->table == table)\n {\n col_keys->merge(((Item_field*)item)->field->part_of_sortkey);\n }\n }\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 339186718154815908237916186887738173123, "size": 58, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508482 }, { "func": "void recalc_intercepts(struct vcpu_svm *svm)\n{\n\tstruct vmcb_control_area *c, *h, *g;\n\tunsigned int i;\n\n\tvmcb_mark_dirty(svm->vmcb, VMCB_INTERCEPTS);\n\n\tif (!is_guest_mode(&svm->vcpu))\n\t\treturn;\n\n\tc = &svm->vmcb->control;\n\th = &svm->nested.hsave->control;\n\tg = &svm->nested.ctl;\n\n\tfor (i = 0; i < MAX_INTERCEPT; i++)\n\t\tc->intercepts[i] = h->intercepts[i];\n\n\tif (g->int_ctl & V_INTR_MASKING_MASK) {\n\t\t/* We only want the cr8 intercept bits of L1 */\n\t\tvmcb_clr_intercept(c, INTERCEPT_CR8_READ);\n\t\tvmcb_clr_intercept(c, INTERCEPT_CR8_WRITE);\n\n\t\t/*\n\t\t * Once running L2 with HF_VINTR_MASK, EFLAGS.IF does not\n\t\t * affect any interrupt we may want to inject; therefore,\n\t\t * interrupt window vmexits are irrelevant to L0.\n\t\t */\n\t\tvmcb_clr_intercept(c, INTERCEPT_VINTR);\n\t}\n\n\t/* We don't want to see VMMCALLs from a nested guest */\n\tvmcb_clr_intercept(c, INTERCEPT_VMMCALL);\n\n\tfor (i = 0; i < MAX_INTERCEPT; i++)\n\t\tc->intercepts[i] |= g->intercepts[i];\n}", "project": "linux", "hash": 31291621218292781751734854547191198457, "size": 36, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: 
SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376665 }, { "func": "static void recalc_intercepts(struct vcpu_svm *svm)\n{\n\tstruct vmcb_control_area *c, *h;\n\tstruct nested_state *g;\n\n\tmark_dirty(svm->vmcb, VMCB_INTERCEPTS);\n\n\tif (!is_guest_mode(&svm->vcpu))\n\t\treturn;\n\n\tc = &svm->vmcb->control;\n\th = &svm->nested.hsave->control;\n\tg = &svm->nested;\n\n\tc->intercept_cr = h->intercept_cr | g->intercept_cr;\n\tc->intercept_dr = h->intercept_dr | g->intercept_dr;\n\tc->intercept_exceptions = h->intercept_exceptions | g->intercept_exceptions;\n\tc->intercept = h->intercept | g->intercept;\n}", "project": "linux", "hash": 180062028390890457383562648418196301209, "size": 19, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432580 }, { "func": "void CSoundFile::TonePortamento(ModChannel *pChn, uint32 param) const\n{\n\tpChn->dwFlags.set(CHN_PORTAMENTO);\n\n\t//IT compatibility 03: Share effect memory with portamento up/down\n\tif((!m_SongFlags[SONG_ITCOMPATGXX] && m_playBehaviour[kITPortaMemoryShare]) || GetType() == MOD_TYPE_PLM)\n\t{\n\t\tif(param == 0) param = pChn->nOldPortaUp;\n\t\tpChn->nOldPortaUp = pChn->nOldPortaDown = static_cast(param);\n\t}\n\n\tif(GetType() == MOD_TYPE_MPT && pChn->pModInstrument && pChn->pModInstrument->pTuning)\n\t{\n\t\t//Behavior: Param tells number of finesteps(or 'fullsteps'(notes) with glissando)\n\t\t//to slide per row(not per tick).\n\t\tconst int32 old_PortamentoTickSlide = (m_PlayState.m_nTickCount != 0) ? pChn->m_PortamentoTickSlide : 0;\n\n\t\tif(param)\n\t\t\tpChn->nPortamentoSlide = param;\n\t\telse\n\t\t\tif(pChn->nPortamentoSlide == 0)\n\t\t\t\treturn;\n\n\n\t\tif((pChn->nPortamentoDest > 0 && pChn->nPortamentoSlide < 0) ||\n\t\t\t(pChn->nPortamentoDest < 0 && pChn->nPortamentoSlide > 0))\n\t\t\tpChn->nPortamentoSlide = -pChn->nPortamentoSlide;\n\n\t\tpChn->m_PortamentoTickSlide = static_cast((m_PlayState.m_nTickCount + 1.0) * pChn->nPortamentoSlide / m_PlayState.m_nMusicSpeed);\n\n\t\tif(pChn->dwFlags[CHN_GLISSANDO])\n\t\t{\n\t\t\tpChn->m_PortamentoTickSlide *= pChn->pModInstrument->pTuning->GetFineStepCount() + 1;\n\t\t\t//With glissando interpreting param as notes instead of finesteps.\n\t\t}\n\n\t\tconst int32 slide = pChn->m_PortamentoTickSlide - old_PortamentoTickSlide;\n\n\t\tif(mpt::abs(pChn->nPortamentoDest) <= mpt::abs(slide))\n\t\t{\n\t\t\tif(pChn->nPortamentoDest != 0)\n\t\t\t{\n\t\t\t\tpChn->m_PortamentoFineSteps += pChn->nPortamentoDest;\n\t\t\t\tpChn->nPortamentoDest = 
0;\n\t\t\t\tpChn->m_CalculateFreq = true;\n\t\t\t}\n\t\t} else\n\t\t{\n\t\t\tpChn->m_PortamentoFineSteps += slide;\n\t\t\tpChn->nPortamentoDest -= slide;\n\t\t\tpChn->m_CalculateFreq = true;\n\t\t}\n\n\t\treturn;\n\t} //End candidate MPT behavior.\n\n\tbool doPorta = !pChn->isFirstTick || (GetType() & (MOD_TYPE_DBM | MOD_TYPE_669)) || (m_PlayState.m_nMusicSpeed == 1 && m_playBehaviour[kSlidesAtSpeed1]);\n\tif(GetType() == MOD_TYPE_PLM && param >= 0xF0)\n\t{\n\t\tparam -= 0xF0;\n\t\tdoPorta = pChn->isFirstTick;\n\t}\n\n\tif(param)\n\t{\n\t\tif(GetType() == MOD_TYPE_669)\n\t\t{\n\t\t\tparam *= 10;\n\t\t}\n\t\tpChn->nPortamentoSlide = param * 4;\n\t}\n\n\tif(pChn->nPeriod && pChn->nPortamentoDest && doPorta)\n\t{\n\t\tif (pChn->nPeriod < pChn->nPortamentoDest)\n\t\t{\n\t\t\tint32 delta = pChn->nPortamentoSlide;\n\t\t\tif(m_SongFlags[SONG_LINEARSLIDES] && GetType() != MOD_TYPE_XM)\n\t\t\t{\n\t\t\t\tuint32 n = pChn->nPortamentoSlide / 4;\n\t\t\t\tif (n > 255) n = 255;\n\t\t\t\t// Return (a*b+c/2)/c - no divide error\n\t\t\t\t// Table is 65536*2(n/192)\n\t\t\t\tdelta = Util::muldivr(pChn->nPeriod, LinearSlideUpTable[n], 65536) - pChn->nPeriod;\n\t\t\t\tif (delta < 1) delta = 1;\n\t\t\t}\n\t\t\tpChn->nPeriod += delta;\n\t\t\tif (pChn->nPeriod > pChn->nPortamentoDest) pChn->nPeriod = pChn->nPortamentoDest;\n\t\t} else\n\t\tif (pChn->nPeriod > pChn->nPortamentoDest)\n\t\t{\n\t\t\tint32 delta = -pChn->nPortamentoSlide;\n\t\t\tif(m_SongFlags[SONG_LINEARSLIDES] && GetType() != MOD_TYPE_XM)\n\t\t\t{\n\t\t\t\tuint32 n = pChn->nPortamentoSlide / 4;\n\t\t\t\tif (n > 255) n = 255;\n\t\t\t\tdelta = Util::muldivr(pChn->nPeriod, LinearSlideDownTable[n], 65536) - pChn->nPeriod;\n\t\t\t\tif (delta > -1) delta = -1;\n\t\t\t}\n\t\t\tpChn->nPeriod += delta;\n\t\t\tif (pChn->nPeriod < pChn->nPortamentoDest) pChn->nPeriod = pChn->nPortamentoDest;\n\t\t}\n\t}\n\n\t// IT compatibility 23. 
Portamento with no note\n\t// ProTracker also disables portamento once the target is reached.\n\t// Test case: PortaTarget.mod\n\tif(pChn->nPeriod == pChn->nPortamentoDest && (m_playBehaviour[kITPortaTargetReached] || GetType() == MOD_TYPE_MOD))\n\t\tpChn->nPortamentoDest = 0;\n\n}", "project": "openmpt", "hash": 134354497658111545163426309478473053929, "size": 111, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255173 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "gfx::Size SoftwareFrameManager::GetCurrentFrameSizeInPixels() const {\n DCHECK(HasCurrentFrame());\n return current_frame_->frame_size_pixels_;\n}\n", "cwe": "", "big_vul_idx": 129970, "idx": 116282, "hash": 1977391455046310638460282974857187085 }, { "func": "static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_delete_stored_link_key *rp = (void *)skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tif (rp->num_keys <= hdev->stored_num_keys)\n\t\thdev->stored_num_keys -= rp->num_keys;\n\telse\n\t\thdev->stored_num_keys = 0;\n}", "project": "linux", "hash": 308533975464089845108902508931557974083, "size": 15, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431909 }, { "func": "static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_auth_complete *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));\n\tif (!conn)\n\t\tgoto unlock;\n\n\tif (!ev->status) {\n\t\tclear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);\n\n\t\tif (!hci_conn_ssp_enabled(conn) &&\n\t\t test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {\n\t\t\tbt_dev_info(hdev, \"re-auth of legacy device is not possible.\");\n\t\t} else {\n\t\t\tset_bit(HCI_CONN_AUTH, &conn->flags);\n\t\t\tconn->sec_level = conn->pending_sec_level;\n\t\t}\n\t} else {\n\t\tif (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)\n\t\t\tset_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);\n\n\t\tmgmt_auth_failed(conn, ev->status);\n\t}\n\n\tclear_bit(HCI_CONN_AUTH_PEND, &conn->flags);\n\tclear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);\n\n\tif (conn->state == BT_CONFIG) {\n\t\tif (!ev->status && hci_conn_ssp_enabled(conn)) {\n\t\t\tstruct hci_cp_set_conn_encrypt cp;\n\t\t\tcp.handle = ev->handle;\n\t\t\tcp.encrypt = 0x01;\n\t\t\thci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),\n\t\t\t\t &cp);\n\t\t} else {\n\t\t\tconn->state = BT_CONNECTED;\n\t\t\thci_connect_cfm(conn, ev->status);\n\t\t\thci_conn_drop(conn);\n\t\t}\n\t} else {\n\t\thci_auth_cfm(conn, ev->status);\n\n\t\thci_conn_hold(conn);\n\t\tconn->disc_timeout = HCI_DISCONN_TIMEOUT;\n\t\thci_conn_drop(conn);\n\t}\n\n\tif (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {\n\t\tif (!ev->status) 
{\n\t\t\tstruct hci_cp_set_conn_encrypt cp;\n\t\t\tcp.handle = ev->handle;\n\t\t\tcp.encrypt = 0x01;\n\t\t\thci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),\n\t\t\t\t &cp);\n\t\t} else {\n\t\t\tclear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);\n\t\t\thci_encrypt_cfm(conn, ev->status);\n\t\t}\n\t}\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 15351480288091872500159398055518769416, "size": 69, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432037 }, { "func": "static void ndpi_process_packet(u_char *args,\n\t\t\t\tconst struct pcap_pkthdr *header,\n\t\t\t\tconst u_char *packet) {\n struct ndpi_proto p;\n u_int16_t thread_id = *((u_int16_t*)args);\n\n /* allocate an exact size buffer to check overflows */\n uint8_t *packet_checked = malloc(header->caplen);\n\n memcpy(packet_checked, packet, header->caplen);\n p = ndpi_workflow_process_packet(ndpi_thread_info[thread_id].workflow, header, packet_checked);\n\n if(!pcap_start.tv_sec) pcap_start.tv_sec = header->ts.tv_sec, pcap_start.tv_usec = header->ts.tv_usec;\n pcap_end.tv_sec = header->ts.tv_sec, pcap_end.tv_usec = header->ts.tv_usec;\n\n /* Idle flows cleanup */\n if(live_capture) {\n if(ndpi_thread_info[thread_id].last_idle_scan_time + IDLE_SCAN_PERIOD < ndpi_thread_info[thread_id].workflow->last_time) {\n /* scan for idle flows */\n 
ndpi_twalk(ndpi_thread_info[thread_id].workflow->ndpi_flows_root[ndpi_thread_info[thread_id].idle_scan_idx],\n\t\t node_idle_scan_walker, &thread_id);\n\n /* remove idle flows (unfortunately we cannot do this inline) */\n while(ndpi_thread_info[thread_id].num_idle_flows > 0) {\n\t/* search and delete the idle flow from the \"ndpi_flow_root\" (see struct reader thread) - here flows are the node of a b-tree */\n\tndpi_tdelete(ndpi_thread_info[thread_id].idle_flows[--ndpi_thread_info[thread_id].num_idle_flows],\n\t\t &ndpi_thread_info[thread_id].workflow->ndpi_flows_root[ndpi_thread_info[thread_id].idle_scan_idx],\n\t\t ndpi_workflow_node_cmp);\n\n\t/* free the memory associated to idle flow in \"idle_flows\" - (see struct reader thread)*/\n\tndpi_free_flow_info_half(ndpi_thread_info[thread_id].idle_flows[ndpi_thread_info[thread_id].num_idle_flows]);\n\tndpi_free(ndpi_thread_info[thread_id].idle_flows[ndpi_thread_info[thread_id].num_idle_flows]);\n }\n\n if(++ndpi_thread_info[thread_id].idle_scan_idx == ndpi_thread_info[thread_id].workflow->prefs.num_roots)\n\tndpi_thread_info[thread_id].idle_scan_idx = 0;\n\n ndpi_thread_info[thread_id].last_idle_scan_time = ndpi_thread_info[thread_id].workflow->last_time;\n }\n }\n\n#ifdef DEBUG_TRACE\n if(trace) fprintf(trace, \"Found %u bytes packet %u.%u\\n\", header->caplen, p.app_protocol, p.master_protocol);\n#endif\n\n if(extcap_dumper\n && ((extcap_packet_filter == (u_int16_t)-1)\n\t || (p.app_protocol == extcap_packet_filter)\n\t || (p.master_protocol == extcap_packet_filter)\n )\n ) {\n struct pcap_pkthdr h;\n uint32_t *crc, delta = sizeof(struct ndpi_packet_trailer) + 4 /* ethernet trailer */;\n struct ndpi_packet_trailer *trailer;\n\n memcpy(&h, header, sizeof(h));\n\n if(h.caplen > (sizeof(extcap_buf)-sizeof(struct ndpi_packet_trailer) - 4)) {\n printf(\"INTERNAL ERROR: caplen=%u\\n\", h.caplen);\n h.caplen = sizeof(extcap_buf)-sizeof(struct ndpi_packet_trailer) - 4;\n }\n\n trailer = (struct 
ndpi_packet_trailer*)&extcap_buf[h.caplen];\n memcpy(extcap_buf, packet, h.caplen);\n memset(trailer, 0, sizeof(struct ndpi_packet_trailer));\n trailer->magic = htonl(0x19680924);\n trailer->master_protocol = htons(p.master_protocol), trailer->app_protocol = htons(p.app_protocol);\n ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct, p, trailer->name, sizeof(trailer->name));\n crc = (uint32_t*)&extcap_buf[h.caplen+sizeof(struct ndpi_packet_trailer)];\n *crc = ethernet_crc32((const void*)extcap_buf, h.caplen+sizeof(struct ndpi_packet_trailer));\n h.caplen += delta, h.len += delta;\n\n#ifdef DEBUG_TRACE\n if(trace) fprintf(trace, \"Dumping %u bytes packet\\n\", h.caplen);\n#endif\n\n pcap_dump((u_char*)extcap_dumper, &h, (const u_char *)extcap_buf);\n pcap_dump_flush(extcap_dumper);\n }\n\n /* check for buffer changes */\n if(memcmp(packet, packet_checked, header->caplen) != 0)\n printf(\"INTERNAL ERROR: ingress packet was modified by nDPI: this should not happen [thread_id=%u, packetId=%lu, caplen=%u]\\n\",\n\t thread_id, (unsigned long)ndpi_thread_info[thread_id].workflow->stats.raw_packet_count, header->caplen);\n\n if((pcap_end.tv_sec-pcap_start.tv_sec) > pcap_analysis_duration) {\n int i;\n u_int64_t processing_time_usec, setup_time_usec;\n\n gettimeofday(&end, NULL);\n processing_time_usec = end.tv_sec*1000000 + end.tv_usec - (begin.tv_sec*1000000 + begin.tv_usec);\n setup_time_usec = begin.tv_sec*1000000 + begin.tv_usec - (startup_time.tv_sec*1000000 + startup_time.tv_usec);\n\n printResults(processing_time_usec, setup_time_usec);\n\n for(i=0; iprefs.num_roots; i++) {\n ndpi_tdestroy(ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i], ndpi_flow_info_freer);\n ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i] = NULL;\n\n memset(&ndpi_thread_info[thread_id].workflow->stats, 0, sizeof(struct ndpi_stats));\n }\n\n if(!quiet_mode)\n printf(\"\\n-------------------------------------------\\n\\n\");\n\n memcpy(&begin, &end, 
sizeof(begin));\n memcpy(&pcap_start, &pcap_end, sizeof(pcap_start));\n }\n\n /*\n Leave the free as last statement to avoid crashes when ndpi_detection_giveup()\n is called above by printResults()\n */\n free(packet_checked);\n}", "project": "nDPI", "hash": 324816884566851603655893262218689065793, "size": 115, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254865 }, { "func": "static void tcp_cwnd_down(struct sock *sk, int flag)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tint decr = tp->snd_cwnd_cnt + 1;\n\n\tif ((flag & (FLAG_ANY_PROGRESS | FLAG_DSACKING_ACK)) ||\n\t (tcp_is_reno(tp) && !(flag & FLAG_NOT_DUP))) {\n\t\ttp->snd_cwnd_cnt = decr & 1;\n\t\tdecr >>= 1;\n\n\t\tif (decr && tp->snd_cwnd > tcp_cwnd_min(sk))\n\t\t\ttp->snd_cwnd -= decr;\n\n\t\ttp->snd_cwnd = min(tp->snd_cwnd, tcp_packets_in_flight(tp) + 1);\n\t\ttp->snd_cwnd_stamp = tcp_time_stamp;\n\t}\n}", "project": "net-next", "hash": 306946120037806781007239494055564392043, "size": 17, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409955 }, { "func": "int nfs4_handle_exception(struct nfs_server *server, int errorcode, struct nfs4_exception *exception)\n{\n\tstruct nfs_client *clp = server->nfs_client;\n\tint ret;\n\n\tret = nfs4_do_handle_exception(server, errorcode, exception);\n\tif (exception->delay) {\n\t\tret = nfs4_delay(&exception->timeout,\n\t\t\t\texception->interruptible);\n\t\tgoto out_retry;\n\t}\n\tif (exception->recovering) {\n\t\tret = nfs4_wait_clnt_recover(clp);\n\t\tif (test_bit(NFS_MIG_FAILED, &server->mig_status))\n\t\t\treturn -EIO;\n\t\tgoto out_retry;\n\t}\n\treturn ret;\nout_retry:\n\tif (ret == 0)\n\t\texception->retry = 1;\n\treturn ret;\n}", "project": "linux", "hash": 137362231547358045854063124466162520312, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431401 }, { "func": "static void mergeTables(struct receiver **primary, struct receiver **secondary) {\n struct receiver *r, *s, *tmp;\n\n HASH_ITER(hh, *primary, r, tmp) {\n HASH_FIND_INT(*secondary, (int *)&(r->addr), s);\n if(s == NULL){\n s = (struct receiver *)malloc(sizeof(struct receiver));\n if(!s) return;\n\n s->addr = r->addr;\n s->version = r->version;\n s->num_pkts = r->num_pkts;\n\n HASH_ADD_INT(*secondary, addr, s);\n }\n else\n s->num_pkts += r->num_pkts;\n\n HASH_DEL(*primary, r);\n free(r);\n }\n}", "project": "nDPI", "hash": 314131033858450956118086106447576366215, "size": 22, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 
dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254839 }, { "func": " static bool TryParse(const char* inp, int length,\n TypedValue* buf, Variant& out,\n JSONContainerType container_type, bool is_tsimplejson) {\n SimpleParser parser(inp, length, buf, container_type, is_tsimplejson);\n bool ok = parser.parseValue();\n parser.skipSpace();\n if (!ok || parser.p != inp + length) {\n // Unsupported, malformed, or trailing garbage. Release entire stack.\n tvDecRefRange(buf, parser.top);\n return false;\n }\n out = Variant::attach(*--parser.top);\n return true;\n }", "project": "hhvm", "hash": 208478693828090870727742383371258619322, "size": 14, "commit_id": "bd586671a3c22eb2f07e55f11b3ce64e1f7961e7", "message": "Fix a buffer-overrun in SimpleParser\n\nSummary: In the failure case, we might have already consumed the entire string.\n\nReviewed By: binliu19, ottoni\n\nDifferential Revision: D19610775\n\nfbshipit-source-id: d387df15994a310f5a31cfbb5fa11679997f7ae7", "target": 1, "dataset": "other", "idx": 195564 }, { "func": " static bool TryParse(const char* inp, int length,\n TypedValue* buf, Variant& out,\n JSONContainerType container_type, bool is_tsimplejson) {\n SimpleParser parser(inp, length, buf, container_type, is_tsimplejson);\n bool ok = parser.parseValue();\n if (!ok ||\n (parser.skipSpace(), parser.p != inp + length)) {\n // Unsupported, malformed, or trailing garbage. 
Release entire stack.\n tvDecRefRange(buf, parser.top);\n return false;\n }\n out = Variant::attach(*--parser.top);\n return true;\n }", "project": "hhvm", "hash": 104483107725837201853860742831578207421, "size": 14, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227305 }, { "func": "int imap_exec_msgset(struct Mailbox *m, const char *pre, const char *post,\n int flag, bool changed, bool invert)\n{\n struct ImapAccountData *adata = imap_adata_get(m);\n if (!adata || (adata->mailbox != m))\n return -1;\n\n struct Email **emails = NULL;\n short oldsort;\n int pos;\n int rc;\n int count = 0;\n\n struct Buffer cmd = mutt_buffer_make(0);\n\n /* We make a copy of the headers just in case resorting doesn't give\n exactly the original order (duplicate messages?), because other parts of\n the ctx are tied to the header order. This may be overkill. 
*/\n oldsort = C_Sort;\n if (C_Sort != SORT_ORDER)\n {\n emails = m->emails;\n // We overcommit here, just in case new mail arrives whilst we're sync-ing\n m->emails = mutt_mem_malloc(m->email_max * sizeof(struct Email *));\n memcpy(m->emails, emails, m->email_max * sizeof(struct Email *));\n\n C_Sort = SORT_ORDER;\n qsort(m->emails, m->msg_count, sizeof(struct Email *), compare_uid);\n }\n\n pos = 0;\n\n do\n {\n mutt_buffer_reset(&cmd);\n mutt_buffer_add_printf(&cmd, \"%s \", pre);\n rc = make_msg_set(m, &cmd, flag, changed, invert, &pos);\n if (rc > 0)\n {\n mutt_buffer_add_printf(&cmd, \" %s\", post);\n if (imap_exec(adata, cmd.data, IMAP_CMD_QUEUE) != IMAP_EXEC_SUCCESS)\n {\n rc = -1;\n goto out;\n }\n count += rc;\n }\n } while (rc > 0);\n\n rc = count;\n\nout:\n mutt_buffer_dealloc(&cmd);\n if (oldsort != C_Sort)\n {\n C_Sort = oldsort;\n FREE(&m->emails);\n m->emails = emails;\n }\n\n return rc;\n}", "project": "neomutt", "hash": 3488880800975329775473637082381342302, "size": 62, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357020 }, { "func": "static void perf_event_interrupt(struct pt_regs *regs)\n{\n\tu64 start_clock = sched_clock();\n\n\t__perf_event_interrupt(regs);\n\tperf_sample_event_took(sched_clock() - start_clock);\n}", "project": "linux", "hash": 208348210702648200348288663747388452721, "size": 7, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K 
PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374722 }, { "func": "static u8 build_attr(struct vc_data *vc, u8 _color, u8 _intensity, u8 _blink,\n u8 _underline, u8 _reverse, u8 _italic)\n{\n\tif (vc->vc_sw->con_build_attr)\n\t\treturn vc->vc_sw->con_build_attr(vc, _color, _intensity,\n\t\t _blink, _underline, _reverse, _italic);\n\n/*\n * ++roman: I completely changed the attribute format for monochrome\n * mode (!can_do_color). The formerly used MDA (monochrome display\n * adapter) format didn't allow the combination of certain effects.\n * Now the attribute is just a bit vector:\n * Bit 0..1: intensity (0..2)\n * Bit 2 : underline\n * Bit 3 : reverse\n * Bit 7 : blink\n */\n\t{\n\tu8 a = _color;\n\tif (!vc->vc_can_do_color)\n\t\treturn _intensity |\n\t\t (_italic ? 
2 : 0) |\n\t\t (_underline ? 4 : 0) |\n\t\t (_reverse ? 8 : 0) |\n\t\t (_blink ? 0x80 : 0);\n\tif (_italic)\n\t\ta = (a & 0xF0) | vc->vc_itcolor;\n\telse if (_underline)\n\t\ta = (a & 0xf0) | vc->vc_ulcolor;\n\telse if (_intensity == 0)\n\t\ta = (a & 0xf0) | vc->vc_halfcolor;\n\tif (_reverse)\n\t\ta = ((a) & 0x88) | ((((a) >> 4) | ((a) << 4)) & 0x77);\n\tif (_blink)\n\t\ta ^= 0x80;\n\tif (_intensity == 2)\n\t\ta ^= 0x08;\n\tif (vc->vc_hi_font_mask == 0x100)\n\t\ta <<= 1;\n\treturn a;\n\t}\n}", "project": "linux", "hash": 330715392037771718502521958109229916005, "size": 42, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437066 }, { "func": "static void hci_cc_le_read_local_features(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_le_read_local_features *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tmemcpy(hdev->le_features, rp->features, 8);\n}", "project": "linux", "hash": 245060875569032705157026583066530475487, "size": 12, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431922 }, { "func": "lua_text_pattern::~lua_text_pattern()\n{\n if (translated && !lua_fn_name.empty())\n {\n lua_State *ls = clua;\n if (ls)\n {\n lua_pushnil(ls);\n clua.setglobal(lua_fn_name.c_str());\n }\n }\n}", "project": "crawl", "hash": 32991625849544084521595316039704546577, "size": 12, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230495 }, { "func": "static int kvm_stat_data_open(struct inode *inode, struct file *file)\n{\n\t__simple_attr_check_format(\"%llu\\n\", 0ull);\n\treturn kvm_debugfs_open(inode, file, kvm_stat_data_get,\n\t\t\t\tkvm_stat_data_clear, \"%llu\\n\");\n}", "project": "linux", "hash": 148226843072737169731448811990787565876, "size": 
6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354464 }, { "func": "int imap_sync_mailbox(struct Mailbox *m, bool expunge, bool close)\n{\n if (!m)\n return -1;\n\n struct Email **emails = NULL;\n int oldsort;\n int rc;\n int check;\n\n struct ImapAccountData *adata = imap_adata_get(m);\n struct ImapMboxData *mdata = imap_mdata_get(m);\n\n if (adata->state < IMAP_SELECTED)\n {\n mutt_debug(LL_DEBUG2, \"no mailbox selected\\n\");\n return -1;\n }\n\n /* This function is only called when the calling code expects the context\n * to be changed. */\n imap_allow_reopen(m);\n\n check = imap_check_mailbox(m, false);\n if (check < 0)\n return check;\n\n /* if we are expunging anyway, we can do deleted messages very quickly... */\n if (expunge && (m->rights & MUTT_ACL_DELETE))\n {\n rc = imap_exec_msgset(m, \"UID STORE\", \"+FLAGS.SILENT (\\\\Deleted)\",\n MUTT_DELETED, true, false);\n if (rc < 0)\n {\n mutt_error(_(\"Expunge failed\"));\n return rc;\n }\n\n if (rc > 0)\n {\n /* mark these messages as unchanged so second pass ignores them. Done\n * here so BOGUS UW-IMAP 4.7 SILENT FLAGS updates are ignored. 
*/\n for (int i = 0; i < m->msg_count; i++)\n {\n struct Email *e = m->emails[i];\n if (!e)\n break;\n if (e->deleted && e->changed)\n e->active = false;\n }\n if (m->verbose)\n {\n mutt_message(ngettext(\"Marking %d message deleted...\",\n \"Marking %d messages deleted...\", rc),\n rc);\n }\n }\n }\n\n#ifdef USE_HCACHE\n imap_hcache_open(adata, mdata);\n#endif\n\n /* save messages with real (non-flag) changes */\n for (int i = 0; i < m->msg_count; i++)\n {\n struct Email *e = m->emails[i];\n if (!e)\n break;\n\n if (e->deleted)\n {\n imap_cache_del(m, e);\n#ifdef USE_HCACHE\n imap_hcache_del(mdata, imap_edata_get(e)->uid);\n#endif\n }\n\n if (e->active && e->changed)\n {\n#ifdef USE_HCACHE\n imap_hcache_put(mdata, e);\n#endif\n /* if the message has been rethreaded or attachments have been deleted\n * we delete the message and reupload it.\n * This works better if we're expunging, of course. */\n /* TODO: why the e->env check? */\n if ((e->env && e->env->changed) || e->attach_del)\n {\n /* L10N: The plural is chosen by the last %d, i.e. the total number */\n if (m->verbose)\n {\n mutt_message(ngettext(\"Saving changed message... [%d/%d]\",\n \"Saving changed messages... [%d/%d]\", m->msg_count),\n i + 1, m->msg_count);\n }\n bool save_append = m->append;\n m->append = true;\n mutt_save_message_ctx(e, true, false, false, m);\n m->append = save_append;\n /* TODO: why the check for e->env? Is this possible? 
*/\n if (e->env)\n e->env->changed = 0;\n }\n }\n }\n\n#ifdef USE_HCACHE\n imap_hcache_close(mdata);\n#endif\n\n /* presort here to avoid doing 10 resorts in imap_exec_msgset */\n oldsort = C_Sort;\n if (C_Sort != SORT_ORDER)\n {\n emails = m->emails;\n m->emails = mutt_mem_malloc(m->msg_count * sizeof(struct Email *));\n memcpy(m->emails, emails, m->msg_count * sizeof(struct Email *));\n\n C_Sort = SORT_ORDER;\n qsort(m->emails, m->msg_count, sizeof(struct Email *), mutt_get_sort_func(SORT_ORDER));\n }\n\n rc = sync_helper(m, MUTT_ACL_DELETE, MUTT_DELETED, \"\\\\Deleted\");\n if (rc >= 0)\n rc |= sync_helper(m, MUTT_ACL_WRITE, MUTT_FLAG, \"\\\\Flagged\");\n if (rc >= 0)\n rc |= sync_helper(m, MUTT_ACL_WRITE, MUTT_OLD, \"Old\");\n if (rc >= 0)\n rc |= sync_helper(m, MUTT_ACL_SEEN, MUTT_READ, \"\\\\Seen\");\n if (rc >= 0)\n rc |= sync_helper(m, MUTT_ACL_WRITE, MUTT_REPLIED, \"\\\\Answered\");\n\n if (oldsort != C_Sort)\n {\n C_Sort = oldsort;\n FREE(&m->emails);\n m->emails = emails;\n }\n\n /* Flush the queued flags if any were changed in sync_helper. */\n if (rc > 0)\n if (imap_exec(adata, NULL, IMAP_CMD_NO_FLAGS) != IMAP_EXEC_SUCCESS)\n rc = -1;\n\n if (rc < 0)\n {\n if (close)\n {\n if (mutt_yesorno(_(\"Error saving flags. Close anyway?\"), MUTT_NO) == MUTT_YES)\n {\n adata->state = IMAP_AUTHENTICATED;\n return 0;\n }\n }\n else\n mutt_error(_(\"Error saving flags\"));\n return -1;\n }\n\n /* Update local record of server state to reflect the synchronization just\n * completed. imap_read_headers always overwrites hcache-origin flags, so\n * there is no need to mutate the hcache after flag-only changes. 
*/\n for (int i = 0; i < m->msg_count; i++)\n {\n struct Email *e = m->emails[i];\n if (!e)\n break;\n struct ImapEmailData *edata = imap_edata_get(e);\n edata->deleted = e->deleted;\n edata->flagged = e->flagged;\n edata->old = e->old;\n edata->read = e->read;\n edata->replied = e->replied;\n e->changed = false;\n }\n m->changed = false;\n\n /* We must send an EXPUNGE command if we're not closing. */\n if (expunge && !close && (m->rights & MUTT_ACL_DELETE))\n {\n if (m->verbose)\n mutt_message(_(\"Expunging messages from server...\"));\n /* Set expunge bit so we don't get spurious reopened messages */\n mdata->reopen |= IMAP_EXPUNGE_EXPECTED;\n if (imap_exec(adata, \"EXPUNGE\", IMAP_CMD_NO_FLAGS) != IMAP_EXEC_SUCCESS)\n {\n mdata->reopen &= ~IMAP_EXPUNGE_EXPECTED;\n imap_error(_(\"imap_sync_mailbox: EXPUNGE failed\"), adata->buf);\n return -1;\n }\n mdata->reopen &= ~IMAP_EXPUNGE_EXPECTED;\n }\n\n if (expunge && close)\n {\n adata->closing = true;\n imap_exec(adata, \"CLOSE\", IMAP_CMD_QUEUE);\n adata->state = IMAP_AUTHENTICATED;\n }\n\n if (C_MessageCacheClean)\n imap_cache_clean(m);\n\n return check;\n}", "project": "neomutt", "hash": 187327623549953694228569720708957029445, "size": 206, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357047 }, { "func": "unsigned long perf_instruction_pointer(struct pt_regs *regs)\n{\n\tbool use_siar = regs_use_siar(regs);\n\tunsigned long siar = mfspr(SPRN_SIAR);\n\n\tif (ppmu->flags & PPMU_P10_DD1) {\n\t\tif (siar)\n\t\t\treturn siar;\n\t\telse\n\t\t\treturn regs->nip;\n\t} else if (use_siar && siar_valid(regs))\n\t\treturn mfspr(SPRN_SIAR) + perf_ip_adjust(regs);\n\telse if (use_siar)\n\t\treturn 0;\t\t// no valid instruction pointer\n\telse\n\t\treturn regs->nip;\n}", "project": "linux", "hash": 
8700491383079660474540574671645428931, "size": 17, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 1, "dataset": "other", "idx": 205900 }, { "func": "unsigned long perf_instruction_pointer(struct pt_regs *regs)\n{\n\tbool use_siar = regs_use_siar(regs);\n\tunsigned long siar = mfspr(SPRN_SIAR);\n\n\tif (ppmu && (ppmu->flags & PPMU_P10_DD1)) {\n\t\tif (siar)\n\t\t\treturn siar;\n\t\telse\n\t\t\treturn regs->nip;\n\t} else if (use_siar && siar_valid(regs))\n\t\treturn mfspr(SPRN_SIAR) + perf_ip_adjust(regs);\n\telse if (use_siar)\n\t\treturn 0;\t\t// no valid instruction pointer\n\telse\n\t\treturn regs->nip;\n}", "project": "linux", "hash": 187281309875844152562266298810867406643, "size": 17, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n 
Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374683 }, { "func": "static int fuse_send_open(struct fuse_mount *fm, u64 nodeid, struct file *file,\n\t\t\t int opcode, struct fuse_open_out *outargp)\n{\n\tstruct fuse_open_in inarg;\n\tFUSE_ARGS(args);\n\n\tmemset(&inarg, 0, sizeof(inarg));\n\tinarg.flags = file->f_flags & ~(O_CREAT | O_EXCL | O_NOCTTY);\n\tif (!fm->fc->atomic_o_trunc)\n\t\tinarg.flags &= ~O_TRUNC;\n\n\tif (fm->fc->handle_killpriv_v2 &&\n\t (inarg.flags & O_TRUNC) && !capable(CAP_FSETID)) {\n\t\tinarg.open_flags |= FUSE_OPEN_KILL_SUIDGID;\n\t}\n\n\targs.opcode = opcode;\n\targs.nodeid = nodeid;\n\targs.in_numargs = 1;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\targs.out_numargs = 1;\n\targs.out_args[0].size = sizeof(*outargp);\n\targs.out_args[0].value = outargp;\n\n\treturn fuse_simple_request(fm, &args);\n}", "project": "linux", "hash": 116806294345070398329802285255272763921, "size": 27, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341894 }, { "func": "int bcf_is_snp(bcf1_t *v)\n{\n int i;\n bcf_unpack(v, BCF_UN_STR);\n for (i = 0; i < v->n_allele; ++i)\n {\n if ( v->d.allele[i][1]==0 && v->d.allele[i][0]!='*' ) continue;\n\n // mpileup's allele, see also below. This is not completely satisfactory,\n // a general library is here narrowly tailored to fit samtools.\n if ( v->d.allele[i][0]=='<' && v->d.allele[i][1]=='X' && v->d.allele[i][2]=='>' ) continue;\n if ( v->d.allele[i][0]=='<' && v->d.allele[i][1]=='*' && v->d.allele[i][2]=='>' ) continue;\n\n break;\n }\n return i == v->n_allele;\n}", "project": "htslib", "hash": 74158198686623255083282780190615898565, "size": 17, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402142 }, { "func": "static inline int check_valid_pointer(struct kmem_cache *s,\n\t\t\t\tstruct page *page, void *object)\n{\n\tvoid *base;\n\n\tif (!object)\n\t\treturn 1;\n\n\tbase = page_address(page);\n\tobject = kasan_reset_tag(object);\n\tobject = restore_red_left(s, object);\n\tif (object < base || object >= base + page->objects * s->size ||\n\t\t(object - base) % s->size) {\n\t\treturn 0;\n\t}\n\n\treturn 1;\n}", "project": "linux", "hash": 6234298566204218296400086339659963568, "size": 18, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280209 }, { "func": "static int __sctp_setsockopt_connectx(struct sock *sk, struct sockaddr *kaddrs,\n\t\t\t\t int addrs_size, sctp_assoc_t *assoc_id)\n{\n\tint err = 0, flags = 0;\n\n\tpr_debug(\"%s: sk:%p addrs:%p addrs_size:%d\\n\",\n\t\t __func__, sk, kaddrs, addrs_size);\n\n\t/* make sure the 1st addr's sa_family is accessible later */\n\tif (unlikely(addrs_size < sizeof(sa_family_t)))\n\t\treturn -EINVAL;\n\n\t/* Allow security module to validate connectx addresses. */\n\terr = security_sctp_bind_connect(sk, SCTP_SOCKOPT_CONNECTX,\n\t\t\t\t\t (struct sockaddr *)kaddrs,\n\t\t\t\t\t addrs_size);\n\tif (err)\n\t\treturn err;\n\n\t/* in-kernel sockets don't generally have a file allocated to them\n\t * if all they do is call sock_create_kern().\n\t */\n\tif (sk->sk_socket->file)\n\t\tflags = sk->sk_socket->file->f_flags;\n\n\treturn __sctp_connect(sk, kaddrs, addrs_size, flags, assoc_id);\n}", "project": "linux", "hash": 244899937213637385351544936398706624634, "size": 27, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398088 }, { "func": "static void handle_tx_copy(struct vhost_net *net, struct socket *sock)\n{\n\tstruct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_TX];\n\tstruct vhost_virtqueue *vq = &nvq->vq;\n\tunsigned out, in;\n\tint head;\n\tstruct msghdr msg = {\n\t\t.msg_name = NULL,\n\t\t.msg_namelen = 0,\n\t\t.msg_control = NULL,\n\t\t.msg_controllen = 0,\n\t\t.msg_flags = MSG_DONTWAIT,\n\t};\n\tsize_t len, total_len = 0;\n\tint err;\n\tint sent_pkts = 0;\n\tbool sock_can_batch = (sock->sk->sk_sndbuf == INT_MAX);\n\n\tdo {\n\t\tbool busyloop_intr = false;\n\n\t\tif (nvq->done_idx == VHOST_NET_BATCH)\n\t\t\tvhost_tx_batch(net, nvq, sock, &msg);\n\n\t\thead = get_tx_bufs(net, nvq, &msg, &out, &in, &len,\n\t\t\t\t &busyloop_intr);\n\t\t/* On error, stop handling until the next kick. */\n\t\tif (unlikely(head < 0))\n\t\t\tbreak;\n\t\t/* Nothing new? Wait for eventfd to tell us they refilled. 
*/\n\t\tif (head == vq->num) {\n\t\t\tif (unlikely(busyloop_intr)) {\n\t\t\t\tvhost_poll_queue(&vq->poll);\n\t\t\t} else if (unlikely(vhost_enable_notify(&net->dev,\n\t\t\t\t\t\t\t\tvq))) {\n\t\t\t\tvhost_disable_notify(&net->dev, vq);\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\n\t\ttotal_len += len;\n\n\t\t/* For simplicity, TX batching is only enabled if\n\t\t * sndbuf is unlimited.\n\t\t */\n\t\tif (sock_can_batch) {\n\t\t\terr = vhost_net_build_xdp(nvq, &msg.msg_iter);\n\t\t\tif (!err) {\n\t\t\t\tgoto done;\n\t\t\t} else if (unlikely(err != -ENOSPC)) {\n\t\t\t\tvhost_tx_batch(net, nvq, sock, &msg);\n\t\t\t\tvhost_discard_vq_desc(vq, 1);\n\t\t\t\tvhost_net_enable_vq(net, vq);\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\t/* We can't build XDP buff, go for single\n\t\t\t * packet path but let's flush batched\n\t\t\t * packets.\n\t\t\t */\n\t\t\tvhost_tx_batch(net, nvq, sock, &msg);\n\t\t\tmsg.msg_control = NULL;\n\t\t} else {\n\t\t\tif (tx_can_batch(vq, total_len))\n\t\t\t\tmsg.msg_flags |= MSG_MORE;\n\t\t\telse\n\t\t\t\tmsg.msg_flags &= ~MSG_MORE;\n\t\t}\n\n\t\t/* TODO: Check specific error and bomb out unless ENOBUFS? 
*/\n\t\terr = sock->ops->sendmsg(sock, &msg, len);\n\t\tif (unlikely(err < 0)) {\n\t\t\tvhost_discard_vq_desc(vq, 1);\n\t\t\tvhost_net_enable_vq(net, vq);\n\t\t\tbreak;\n\t\t}\n\t\tif (err != len)\n\t\t\tpr_debug(\"Truncated TX packet: len %d != %zd\\n\",\n\t\t\t\t err, len);\ndone:\n\t\tvq->heads[nvq->done_idx].id = cpu_to_vhost32(vq, head);\n\t\tvq->heads[nvq->done_idx].len = 0;\n\t\t++nvq->done_idx;\n\t} while (likely(!vhost_exceeds_weight(vq, ++sent_pkts, total_len)));\n\n\tvhost_tx_batch(net, nvq, sock, &msg);\n}", "project": "linux", "hash": 297316603507102327958286859476945685780, "size": 88, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 441982 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " void Reset() {\n decoder_->Reset(NewExpectedClosure());\n message_loop_.RunAllPending();\n }\n", "cwe": "", "big_vul_idx": 113344, "idx": 101636, "hash": 226207011865816152560945878633149024265 }, { "func": "\tvoid Reset()\n\t{\n\t\tplugParams.clear();\n\t\telapsedTime = 0.0;\n\t\tstate->m_lTotalSampleCount = 0;\n\t\tstate->m_nMusicSpeed = sndFile.m_nDefaultSpeed;\n\t\tstate->m_nMusicTempo = sndFile.m_nDefaultTempo;\n\t\tstate->m_nGlobalVolume = sndFile.m_nDefaultGlobalVolume;\n\t\tchnSettings.assign(sndFile.GetNumChannels(), ChnSettings());\n\t\tfor(CHANNELINDEX chn = 0; chn < sndFile.GetNumChannels(); chn++)\n\t\t{\n\t\t\tstate->Chn[chn].Reset(ModChannel::resetTotal, sndFile, chn);\n\t\t\tstate->Chn[chn].nOldGlobalVolSlide = 0;\n\t\t\tstate->Chn[chn].nOldChnVolSlide = 0;\n\t\t\tstate->Chn[chn].nNote = state->Chn[chn].nNewNote = state->Chn[chn].nLastNote = NOTE_NONE;\n\t\t}\n\t}", "project": "openmpt", "hash": 65050338668544105406417419465657480662, "size": 17, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255191 }, { "func": "void CSnapIDPool::Reset()\n{\n\tfor(int i = 0; i < MAX_IDS; i++)\n\t{\n\t\tm_aIDs[i].m_Next = i+1;\n\t\tm_aIDs[i].m_State = 0;\n\t}\n\n\tm_aIDs[MAX_IDS-1].m_Next = -1;\n\tm_FirstFree = 0;\n\tm_FirstTimed = -1;\n\tm_LastTimed = -1;\n\tm_Usage = 0;\n\tm_InUsage = 0;\n}", "project": "teeworlds", "hash": 261196001259054719466323588630132934422, "size": 15, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a 
check", "target": 0, "dataset": "other", "idx": 382022 }, { "func": "void Utf8DecoderBase::Reset(uint16_t* buffer,\n unsigned buffer_length,\n const uint8_t* stream,\n unsigned stream_length) {\n // Assume everything will fit in the buffer and stream won't be needed.\n last_byte_of_buffer_unused_ = false;\n unbuffered_start_ = NULL;\n unbuffered_length_ = 0;\n bool writing_to_buffer = true;\n // Loop until stream is read, writing to buffer as long as buffer has space.\n unsigned utf16_length = 0;\n while (stream_length != 0) {\n unsigned cursor = 0;\n uint32_t character = Utf8::ValueOf(stream, stream_length, &cursor);\n DCHECK(cursor > 0 && cursor <= stream_length);\n stream += cursor;\n stream_length -= cursor;\n bool is_two_characters = character > Utf16::kMaxNonSurrogateCharCode;\n utf16_length += is_two_characters ? 2 : 1;\n // Don't need to write to the buffer, but still need utf16_length.\n if (!writing_to_buffer) continue;\n // Write out the characters to the buffer.\n // Must check for equality with buffer_length as we've already updated it.\n if (utf16_length <= buffer_length) {\n if (is_two_characters) {\n *buffer++ = Utf16::LeadSurrogate(character);\n *buffer++ = Utf16::TrailSurrogate(character);\n } else {\n *buffer++ = character;\n }\n if (utf16_length == buffer_length) {\n // Just wrote last character of buffer\n writing_to_buffer = false;\n unbuffered_start_ = stream;\n unbuffered_length_ = stream_length;\n }\n continue;\n }\n // Have gone over buffer.\n // Last char of buffer is unused, set cursor back.\n DCHECK(is_two_characters);\n writing_to_buffer = false;\n last_byte_of_buffer_unused_ = true;\n unbuffered_start_ = stream - cursor;\n unbuffered_length_ = stream_length + cursor;\n }\n utf16_length_ = utf16_length;\n}", "project": "node", "hash": 177559890365200057348757035928590646498, "size": 48, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves 
\n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385636 }, { "func": " void pushInt64(int64_t data) {\n auto const tv = top++;\n tv->m_type = KindOfInt64;\n tv->m_data.num = data;\n }", "project": "hhvm", "hash": 273440011081481812685202144139049741810, "size": 5, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227279 }, { "func": "static int trace_save_tgid(struct task_struct *tsk)\n{\n\t/* treat recording of idle task as a success */\n\tif (!tsk->pid)\n\t\treturn 1;\n\n\tif (unlikely(!tgid_map || tsk->pid > PID_MAX_DEFAULT))\n\t\treturn 0;\n\n\ttgid_map[tsk->pid] = tsk->tgid;\n\treturn 1;\n}", "project": "linux", "hash": 336405559792292185390051144724406719973, "size": 12, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445706 }, { "func": "static void csi_M(struct vc_data *vc, unsigned int nr)\n{\n\tif (nr > vc->vc_rows - vc->vc_y)\n\t\tnr = vc->vc_rows - vc->vc_y;\n\telse if (!nr)\n\t\tnr=1;\n\tcon_scroll(vc, vc->vc_y, vc->vc_bottom, SM_UP, nr);\n\tvc->vc_need_wrap = 0;\n}", "project": "linux", "hash": 318135207962333294431921413746425514395, "size": 9, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437035 }, { "func": "int blosc_compcode_to_compname(int compcode, const char** compname) {\n int code = -1; /* -1 means non-existent compressor code */\n const char* name = NULL;\n\n /* Map the compressor code */\n if (compcode == BLOSC_BLOSCLZ)\n name = BLOSC_BLOSCLZ_COMPNAME;\n else if (compcode == BLOSC_LZ4)\n name = BLOSC_LZ4_COMPNAME;\n else if (compcode == BLOSC_LZ4HC)\n name = BLOSC_LZ4HC_COMPNAME;\n else if (compcode == BLOSC_LIZARD)\n name = BLOSC_LIZARD_COMPNAME;\n else if (compcode == BLOSC_SNAPPY)\n name = BLOSC_SNAPPY_COMPNAME;\n else if (compcode == BLOSC_ZLIB)\n name = BLOSC_ZLIB_COMPNAME;\n else if (compcode == BLOSC_ZSTD)\n name = BLOSC_ZSTD_COMPNAME;\n\n *compname = name;\n\n /* Guess if there is support for this code */\n if (compcode == BLOSC_BLOSCLZ)\n code = BLOSC_BLOSCLZ;\n#if defined(HAVE_LZ4)\n else if (compcode == BLOSC_LZ4)\n code = BLOSC_LZ4;\n else if (compcode == BLOSC_LZ4HC)\n code = BLOSC_LZ4HC;\n#endif /* HAVE_LZ4 */\n#if defined(HAVE_LIZARD)\n else if (compcode == BLOSC_LIZARD)\n code = BLOSC_LIZARD;\n#endif /* HAVE_LIZARD */\n#if defined(HAVE_SNAPPY)\n else if (compcode == BLOSC_SNAPPY)\n code = BLOSC_SNAPPY;\n#endif /* HAVE_SNAPPY */\n#if defined(HAVE_ZLIB)\n else if (compcode == BLOSC_ZLIB)\n code = BLOSC_ZLIB;\n#endif /* HAVE_ZLIB */\n#if defined(HAVE_ZSTD)\n else if (compcode == BLOSC_ZSTD)\n code = BLOSC_ZSTD;\n#endif /* HAVE_ZSTD */\n\n return code;\n}", "project": "c-blosc2", "hash": 8880791716901025738179780855979325910, "size": 50, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303101 }, { "func": "static int __packet_rcv_has_room(const struct packet_sock *po,\n\t\t\t\t const struct sk_buff *skb)\n{\n\tconst struct sock *sk = 
&po->sk;\n\tint ret = ROOM_NONE;\n\n\tif (po->prot_hook.func != tpacket_rcv) {\n\t\tint rcvbuf = READ_ONCE(sk->sk_rcvbuf);\n\t\tint avail = rcvbuf - atomic_read(&sk->sk_rmem_alloc)\n\t\t\t\t - (skb ? skb->truesize : 0);\n\n\t\tif (avail > (rcvbuf >> ROOM_POW_OFF))\n\t\t\treturn ROOM_NORMAL;\n\t\telse if (avail > 0)\n\t\t\treturn ROOM_LOW;\n\t\telse\n\t\t\treturn ROOM_NONE;\n\t}\n\n\tif (po->tp_version == TPACKET_V3) {\n\t\tif (__tpacket_v3_has_room(po, ROOM_POW_OFF))\n\t\t\tret = ROOM_NORMAL;\n\t\telse if (__tpacket_v3_has_room(po, 0))\n\t\t\tret = ROOM_LOW;\n\t} else {\n\t\tif (__tpacket_has_room(po, ROOM_POW_OFF))\n\t\t\tret = ROOM_NORMAL;\n\t\telse if (__tpacket_has_room(po, 0))\n\t\t\tret = ROOM_LOW;\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 201475409533706674778268714440522648805, "size": 33, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330398 }, { "func": "void hci_req_disable_address_resolution(struct hci_dev *hdev)\n{\n\tstruct hci_request req;\n\t__u8 enable = 0x00;\n\n\tif (!use_ll_privacy(hdev) &&\n\t !hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION))\n\t\treturn;\n\n\thci_req_init(&req, hdev);\n\n\thci_req_add(&req, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE, 1, &enable);\n\n\thci_req_run(&req, enable_addr_resolution_complete);\n}", "project": "linux", "hash": 
27632522766650744474069080704563447760, "size": 15, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402506 }, { "func": "uint8_t bf_is_table_present(const struct compressed_block_header* hdr) {\n\treturn (hdr->block_flags_u8 >> 7) & 1;\n}", "project": "libarchive", "hash": 79573724867715279397376043111926246682, "size": 3, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244685 }, { "func": "static int virtual_context_pin(struct intel_context *ce)\n{\n\tstruct virtual_engine *ve = container_of(ce, typeof(*ve), context);\n\tint err;\n\n\t/* Note: we must use a real engine class for setting up reg state */\n\terr = __execlists_context_pin(ce, ve->siblings[0]);\n\tif (err)\n\t\treturn err;\n\n\tvirtual_engine_initial_hint(ve);\n\treturn 0;\n}", "project": "linux", "hash": 263814000467750375934538938474776776536, "size": 13, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281429 }, { "func": " enum_field_types string_field_type() const\n {\n return Type_handler::string_type_handler(max_length)->field_type();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 332200259576817222893406937266717878906, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509130 }, { "func": "static int process_head_file(struct archive_read* a, struct rar5* rar,\n struct archive_entry* entry, size_t block_flags)\n{\n\tssize_t extra_data_size = 0;\n\tsize_t data_size = 0;\n\tsize_t file_flags = 0;\n\tsize_t file_attr = 0;\n\tsize_t compression_info = 0;\n\tsize_t host_os = 0;\n\tsize_t name_size = 0;\n\tuint64_t unpacked_size, window_size;\n\tuint32_t mtime = 0, crc = 0;\n\tint c_method = 0, c_version = 0;\n\tchar name_utf8_buf[MAX_NAME_IN_BYTES];\n\tconst uint8_t* p;\n\n\tenum FILE_FLAGS {\n\t\tDIRECTORY = 0x0001, UTIME = 0x0002, CRC32 = 0x0004,\n\t\tUNKNOWN_UNPACKED_SIZE = 0x0008,\n\t};\n\n\tenum FILE_ATTRS {\n\t\tATTR_READONLY = 0x1, ATTR_HIDDEN = 0x2, ATTR_SYSTEM = 0x4,\n\t\tATTR_DIRECTORY = 0x10,\n\t};\n\n\tenum COMP_INFO_FLAGS {\n\t\tSOLID = 0x0040,\n\t};\n\n\tenum HOST_OS {\n\t\tHOST_WINDOWS = 0,\n\t\tHOST_UNIX = 1,\n\t};\n\n\tarchive_entry_clear(entry);\n\n\t/* Do not reset file context if we're switching archives. */\n\tif(!rar->cstate.switch_multivolume) {\n\t\treset_file_context(rar);\n\t}\n\n\tif(block_flags & HFL_EXTRA_DATA) {\n\t\tsize_t edata_size = 0;\n\t\tif(!read_var_sized(a, &edata_size, NULL))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\t/* Intentional type cast from unsigned to signed. 
*/\n\t\textra_data_size = (ssize_t) edata_size;\n\t}\n\n\tif(block_flags & HFL_DATA) {\n\t\tif(!read_var_sized(a, &data_size, NULL))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\trar->file.bytes_remaining = data_size;\n\t} else {\n\t\trar->file.bytes_remaining = 0;\n\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t\t\"no data found in file/service block\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tif(!read_var_sized(a, &file_flags, NULL))\n\t\treturn ARCHIVE_EOF;\n\n\tif(!read_var(a, &unpacked_size, NULL))\n\t\treturn ARCHIVE_EOF;\n\n\tif(file_flags & UNKNOWN_UNPACKED_SIZE) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,\n\t\t \"Files with unknown unpacked size are not supported\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\trar->file.dir = (uint8_t) ((file_flags & DIRECTORY) > 0);\n\n\tif(!read_var_sized(a, &file_attr, NULL))\n\t\treturn ARCHIVE_EOF;\n\n\tif(file_flags & UTIME) {\n\t\tif(!read_u32(a, &mtime))\n\t\t\treturn ARCHIVE_EOF;\n\t}\n\n\tif(file_flags & CRC32) {\n\t\tif(!read_u32(a, &crc))\n\t\t\treturn ARCHIVE_EOF;\n\t}\n\n\tif(!read_var_sized(a, &compression_info, NULL))\n\t\treturn ARCHIVE_EOF;\n\n\tc_method = (int) (compression_info >> 7) & 0x7;\n\tc_version = (int) (compression_info & 0x3f);\n\n\t/* RAR5 seems to limit the dictionary size to 64MB. */\n\twindow_size = (rar->file.dir > 0) ?\n\t\t0 :\n\t\tg_unpack_window_size << ((compression_info >> 10) & 15);\n\trar->cstate.method = c_method;\n\trar->cstate.version = c_version + 50;\n\trar->file.solid = (compression_info & SOLID) > 0;\n\n\t/* Archives which declare solid files without initializing the window\n\t * buffer first are invalid. */\n\n\tif(rar->file.solid > 0 && rar->cstate.window_buf == NULL) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t\t \"Declared solid file, but no window buffer \"\n\t\t\t\t \"initialized yet.\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\t/* Check if window_size is a sane value. 
Also, if the file is not\n\t * declared as a directory, disallow window_size == 0. */\n\tif(window_size > (64 * 1024 * 1024) ||\n\t (rar->file.dir == 0 && window_size == 0))\n\t{\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Declared dictionary size is not supported.\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tif(rar->file.solid > 0) {\n\t\t/* Re-check if current window size is the same as previous\n\t\t * window size (for solid files only). */\n\t\tif(rar->file.solid_window_size > 0 &&\n\t\t rar->file.solid_window_size != (ssize_t) window_size)\n\t\t{\n\t\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t \"Window size for this solid file doesn't match \"\n\t\t\t \"the window size used in previous solid file. \");\n\t\t\treturn ARCHIVE_FATAL;\n\t\t}\n\t}\n\n\t/* If we're currently switching volumes, ignore the new definition of\n\t * window_size. */\n\tif(rar->cstate.switch_multivolume == 0) {\n\t\t/* Values up to 64M should fit into ssize_t on every\n\t\t * architecture. */\n\t\trar->cstate.window_size = (ssize_t) window_size;\n\t}\n\n\tif(rar->file.solid > 0 && rar->file.solid_window_size == 0) {\n\t\t/* Solid files have to have the same window_size across\n\t\t whole archive. Remember the window_size parameter\n\t\t for first solid file found. 
*/\n\t\trar->file.solid_window_size = rar->cstate.window_size;\n\t}\n\n\tinit_window_mask(rar);\n\n\trar->file.service = 0;\n\n\tif(!read_var_sized(a, &host_os, NULL))\n\t\treturn ARCHIVE_EOF;\n\n\tif(host_os == HOST_WINDOWS) {\n\t\t/* Host OS is Windows */\n\n\t\t__LA_MODE_T mode;\n\n\t\tif(file_attr & ATTR_DIRECTORY) {\n\t\t\tif (file_attr & ATTR_READONLY) {\n\t\t\t\tmode = 0555 | AE_IFDIR;\n\t\t\t} else {\n\t\t\t\tmode = 0755 | AE_IFDIR;\n\t\t\t}\n\t\t} else {\n\t\t\tif (file_attr & ATTR_READONLY) {\n\t\t\t\tmode = 0444 | AE_IFREG;\n\t\t\t} else {\n\t\t\t\tmode = 0644 | AE_IFREG;\n\t\t\t}\n\t\t}\n\n\t\tarchive_entry_set_mode(entry, mode);\n\n\t\tif (file_attr & (ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM)) {\n\t\t\tchar *fflags_text, *ptr;\n\t\t\t/* allocate for \"rdonly,hidden,system,\" */\n\t\t\tfflags_text = malloc(22 * sizeof(char));\n\t\t\tif (fflags_text != NULL) {\n\t\t\t\tptr = fflags_text;\n\t\t\t\tif (file_attr & ATTR_READONLY) {\n\t\t\t\t\tstrcpy(ptr, \"rdonly,\");\n\t\t\t\t\tptr = ptr + 7;\n\t\t\t\t}\n\t\t\t\tif (file_attr & ATTR_HIDDEN) {\n\t\t\t\t\tstrcpy(ptr, \"hidden,\");\n\t\t\t\t\tptr = ptr + 7;\n\t\t\t\t}\n\t\t\t\tif (file_attr & ATTR_SYSTEM) {\n\t\t\t\t\tstrcpy(ptr, \"system,\");\n\t\t\t\t\tptr = ptr + 7;\n\t\t\t\t}\n\t\t\t\tif (ptr > fflags_text) {\n\t\t\t\t\t/* Delete trailing comma */\n\t\t\t\t\t*(ptr - 1) = '\\0';\n\t\t\t\t\tarchive_entry_copy_fflags_text(entry,\n\t\t\t\t\t fflags_text);\n\t\t\t\t}\n\t\t\t\tfree(fflags_text);\n\t\t\t}\n\t\t}\n\t} else if(host_os == HOST_UNIX) {\n\t\t/* Host OS is Unix */\n\t\tarchive_entry_set_mode(entry, (__LA_MODE_T) file_attr);\n\t} else {\n\t\t/* Unknown host OS */\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t\t\"Unsupported Host OS: 0x%x\", (int) host_os);\n\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tif(!read_var_sized(a, &name_size, NULL))\n\t\treturn ARCHIVE_EOF;\n\n\tif(!read_ahead(a, name_size, &p))\n\t\treturn ARCHIVE_EOF;\n\n\tif(name_size > (MAX_NAME_IN_CHARS - 1)) 
{\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t\t\"Filename is too long\");\n\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tif(name_size == 0) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t\t\"No filename specified\");\n\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tmemcpy(name_utf8_buf, p, name_size);\n\tname_utf8_buf[name_size] = 0;\n\tif(ARCHIVE_OK != consume(a, name_size)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\tarchive_entry_update_pathname_utf8(entry, name_utf8_buf);\n\n\tif(extra_data_size > 0) {\n\t\tint ret = process_head_file_extra(a, entry, rar,\n\t\t extra_data_size);\n\n\t\t/*\n\t\t * TODO: rewrite or remove useless sanity check\n\t\t * as extra_data_size is not passed as a pointer\n\t\t *\n\t\tif(extra_data_size < 0) {\n\t\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,\n\t\t\t \"File extra data size is not zero\");\n\t\t\treturn ARCHIVE_FATAL;\n\t\t}\n\t\t */\n\n\t\tif(ret != ARCHIVE_OK)\n\t\t\treturn ret;\n\t}\n\n\tif((file_flags & UNKNOWN_UNPACKED_SIZE) == 0) {\n\t\trar->file.unpacked_size = (ssize_t) unpacked_size;\n\t\tif(rar->file.redir_type == REDIR_TYPE_NONE)\n\t\t\tarchive_entry_set_size(entry, unpacked_size);\n\t}\n\n\tif(file_flags & UTIME) {\n\t\tarchive_entry_set_mtime(entry, (time_t) mtime, 0);\n\t}\n\n\tif(file_flags & CRC32) {\n\t\trar->file.stored_crc32 = crc;\n\t}\n\n\tif(!rar->cstate.switch_multivolume) {\n\t\t/* Do not reinitialize unpacking state if we're switching\n\t\t * archives. */\n\t\trar->cstate.block_parsing_finished = 1;\n\t\trar->cstate.all_filters_applied = 1;\n\t\trar->cstate.initialized = 0;\n\t}\n\n\tif(rar->generic.split_before > 0) {\n\t\t/* If now we're standing on a header that has a 'split before'\n\t\t * mark, it means we're standing on a 'continuation' file\n\t\t * header. Signal the caller that if it wants to move to\n\t\t * another file, it must call rar5_read_header() function\n\t\t * again. 
*/\n\n\t\treturn ARCHIVE_RETRY;\n\t} else {\n\t\treturn ARCHIVE_OK;\n\t}\n}", "project": "libarchive", "hash": 323999517348299506061624470417054079920, "size": 300, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244767 }, { "func": "static void flush_cpu_slab(void *d)\n{\n\tstruct kmem_cache *s = d;\n\n\t__flush_cpu_slab(s, smp_processor_id());\n}", "project": "linux", "hash": 148917511392805057991644149804005983073, "size": 6, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280032 }, { "func": "static void init_vmcb(struct vcpu_svm *svm)\n{\n\tstruct vmcb_control_area *control = &svm->vmcb->control;\n\tstruct vmcb_save_area *save = &svm->vmcb->save;\n\n\tsvm->vcpu.arch.hflags = 0;\n\n\tset_cr_intercept(svm, INTERCEPT_CR0_READ);\n\tset_cr_intercept(svm, INTERCEPT_CR3_READ);\n\tset_cr_intercept(svm, INTERCEPT_CR4_READ);\n\tset_cr_intercept(svm, INTERCEPT_CR0_WRITE);\n\tset_cr_intercept(svm, INTERCEPT_CR3_WRITE);\n\tset_cr_intercept(svm, INTERCEPT_CR4_WRITE);\n\tif (!kvm_vcpu_apicv_active(&svm->vcpu))\n\t\tset_cr_intercept(svm, INTERCEPT_CR8_WRITE);\n\n\tset_dr_intercepts(svm);\n\n\tset_exception_intercept(svm, PF_VECTOR);\n\tset_exception_intercept(svm, UD_VECTOR);\n\tset_exception_intercept(svm, MC_VECTOR);\n\tset_exception_intercept(svm, AC_VECTOR);\n\tset_exception_intercept(svm, DB_VECTOR);\n\t/*\n\t * Guest access to VMware backdoor ports could legitimately\n\t * trigger #GP because of TSS I/O permission bitmap.\n\t * We intercept those #GP and allow access to them anyway\n\t * as VMware does.\n\t */\n\tif (enable_vmware_backdoor)\n\t\tset_exception_intercept(svm, GP_VECTOR);\n\n\tset_intercept(svm, INTERCEPT_INTR);\n\tset_intercept(svm, INTERCEPT_NMI);\n\tset_intercept(svm, INTERCEPT_SMI);\n\tset_intercept(svm, INTERCEPT_SELECTIVE_CR0);\n\tset_intercept(svm, INTERCEPT_RDPMC);\n\tset_intercept(svm, INTERCEPT_CPUID);\n\tset_intercept(svm, INTERCEPT_INVD);\n\tset_intercept(svm, INTERCEPT_INVLPG);\n\tset_intercept(svm, INTERCEPT_INVLPGA);\n\tset_intercept(svm, INTERCEPT_IOIO_PROT);\n\tset_intercept(svm, 
INTERCEPT_MSR_PROT);\n\tset_intercept(svm, INTERCEPT_TASK_SWITCH);\n\tset_intercept(svm, INTERCEPT_SHUTDOWN);\n\tset_intercept(svm, INTERCEPT_VMRUN);\n\tset_intercept(svm, INTERCEPT_VMMCALL);\n\tset_intercept(svm, INTERCEPT_VMLOAD);\n\tset_intercept(svm, INTERCEPT_VMSAVE);\n\tset_intercept(svm, INTERCEPT_STGI);\n\tset_intercept(svm, INTERCEPT_CLGI);\n\tset_intercept(svm, INTERCEPT_SKINIT);\n\tset_intercept(svm, INTERCEPT_WBINVD);\n\tset_intercept(svm, INTERCEPT_XSETBV);\n\tset_intercept(svm, INTERCEPT_RDPRU);\n\tset_intercept(svm, INTERCEPT_RSM);\n\n\tif (!kvm_mwait_in_guest(svm->vcpu.kvm)) {\n\t\tset_intercept(svm, INTERCEPT_MONITOR);\n\t\tset_intercept(svm, INTERCEPT_MWAIT);\n\t}\n\n\tif (!kvm_hlt_in_guest(svm->vcpu.kvm))\n\t\tset_intercept(svm, INTERCEPT_HLT);\n\n\tcontrol->iopm_base_pa = __sme_set(iopm_base);\n\tcontrol->msrpm_base_pa = __sme_set(__pa(svm->msrpm));\n\tcontrol->int_ctl = V_INTR_MASKING_MASK;\n\n\tinit_seg(&save->es);\n\tinit_seg(&save->ss);\n\tinit_seg(&save->ds);\n\tinit_seg(&save->fs);\n\tinit_seg(&save->gs);\n\n\tsave->cs.selector = 0xf000;\n\tsave->cs.base = 0xffff0000;\n\t/* Executable/Readable Code Segment */\n\tsave->cs.attrib = SVM_SELECTOR_READ_MASK | SVM_SELECTOR_P_MASK |\n\t\tSVM_SELECTOR_S_MASK | SVM_SELECTOR_CODE_MASK;\n\tsave->cs.limit = 0xffff;\n\n\tsave->gdtr.limit = 0xffff;\n\tsave->idtr.limit = 0xffff;\n\n\tinit_sys_seg(&save->ldtr, SEG_TYPE_LDT);\n\tinit_sys_seg(&save->tr, SEG_TYPE_BUSY_TSS16);\n\n\tsvm_set_efer(&svm->vcpu, 0);\n\tsave->dr6 = 0xffff0ff0;\n\tkvm_set_rflags(&svm->vcpu, 2);\n\tsave->rip = 0x0000fff0;\n\tsvm->vcpu.arch.regs[VCPU_REGS_RIP] = save->rip;\n\n\t/*\n\t * svm_set_cr0() sets PG and WP and clears NW and CD on save->cr0.\n\t * It also updates the guest-visible cr0 value.\n\t */\n\tsvm_set_cr0(&svm->vcpu, X86_CR0_NW | X86_CR0_CD | X86_CR0_ET);\n\tkvm_mmu_reset_context(&svm->vcpu);\n\n\tsave->cr4 = X86_CR4_PAE;\n\t/* rdx = ?? 
*/\n\n\tif (npt_enabled) {\n\t\t/* Setup VMCB for Nested Paging */\n\t\tcontrol->nested_ctl |= SVM_NESTED_CTL_NP_ENABLE;\n\t\tclr_intercept(svm, INTERCEPT_INVLPG);\n\t\tclr_exception_intercept(svm, PF_VECTOR);\n\t\tclr_cr_intercept(svm, INTERCEPT_CR3_READ);\n\t\tclr_cr_intercept(svm, INTERCEPT_CR3_WRITE);\n\t\tsave->g_pat = svm->vcpu.arch.pat;\n\t\tsave->cr3 = 0;\n\t\tsave->cr4 = 0;\n\t}\n\tsvm->asid_generation = 0;\n\n\tsvm->nested.vmcb = 0;\n\tsvm->vcpu.arch.hflags = 0;\n\n\tif (pause_filter_count) {\n\t\tcontrol->pause_filter_count = pause_filter_count;\n\t\tif (pause_filter_thresh)\n\t\t\tcontrol->pause_filter_thresh = pause_filter_thresh;\n\t\tset_intercept(svm, INTERCEPT_PAUSE);\n\t} else {\n\t\tclr_intercept(svm, INTERCEPT_PAUSE);\n\t}\n\n\tif (kvm_vcpu_apicv_active(&svm->vcpu))\n\t\tavic_init_vmcb(svm);\n\n\t/*\n\t * If hardware supports Virtual VMLOAD VMSAVE then enable it\n\t * in VMCB and clear intercepts to avoid #VMEXIT.\n\t */\n\tif (vls) {\n\t\tclr_intercept(svm, INTERCEPT_VMLOAD);\n\t\tclr_intercept(svm, INTERCEPT_VMSAVE);\n\t\tsvm->vmcb->control.virt_ext |= VIRTUAL_VMLOAD_VMSAVE_ENABLE_MASK;\n\t}\n\n\tif (vgif) {\n\t\tclr_intercept(svm, INTERCEPT_STGI);\n\t\tclr_intercept(svm, INTERCEPT_CLGI);\n\t\tsvm->vmcb->control.int_ctl |= V_GIF_ENABLE_MASK;\n\t}\n\n\tif (sev_guest(svm->vcpu.kvm)) {\n\t\tsvm->vmcb->control.nested_ctl |= SVM_NESTED_CTL_SEV_ENABLE;\n\t\tclr_exception_intercept(svm, UD_VECTOR);\n\t}\n\n\tmark_all_dirty(svm->vmcb);\n\n\tenable_gif(svm);\n\n}", "project": "linux", "hash": 270758943632791936807980384586951977537, "size": 158, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432492 }, { "func": "static void init_vmcb(struct vcpu_svm *svm)\n{\n\tstruct vmcb_control_area *control = &svm->vmcb->control;\n\tstruct vmcb_save_area *save = &svm->vmcb->save;\n\n\tsvm->vcpu.fpu_active = 1;\n\tsvm->vcpu.arch.hflags = 0;\n\n\tset_cr_intercept(svm, INTERCEPT_CR0_READ);\n\tset_cr_intercept(svm, INTERCEPT_CR3_READ);\n\tset_cr_intercept(svm, INTERCEPT_CR4_READ);\n\tset_cr_intercept(svm, INTERCEPT_CR0_WRITE);\n\tset_cr_intercept(svm, INTERCEPT_CR3_WRITE);\n\tset_cr_intercept(svm, INTERCEPT_CR4_WRITE);\n\tset_cr_intercept(svm, INTERCEPT_CR8_WRITE);\n\n\tset_dr_intercepts(svm);\n\n\tset_exception_intercept(svm, PF_VECTOR);\n\tset_exception_intercept(svm, UD_VECTOR);\n\tset_exception_intercept(svm, MC_VECTOR);\n\n\tset_intercept(svm, INTERCEPT_INTR);\n\tset_intercept(svm, INTERCEPT_NMI);\n\tset_intercept(svm, INTERCEPT_SMI);\n\tset_intercept(svm, INTERCEPT_SELECTIVE_CR0);\n\tset_intercept(svm, INTERCEPT_RDPMC);\n\tset_intercept(svm, INTERCEPT_CPUID);\n\tset_intercept(svm, INTERCEPT_INVD);\n\tset_intercept(svm, INTERCEPT_HLT);\n\tset_intercept(svm, INTERCEPT_INVLPG);\n\tset_intercept(svm, INTERCEPT_INVLPGA);\n\tset_intercept(svm, INTERCEPT_IOIO_PROT);\n\tset_intercept(svm, INTERCEPT_MSR_PROT);\n\tset_intercept(svm, INTERCEPT_TASK_SWITCH);\n\tset_intercept(svm, INTERCEPT_SHUTDOWN);\n\tset_intercept(svm, INTERCEPT_VMRUN);\n\tset_intercept(svm, INTERCEPT_VMMCALL);\n\tset_intercept(svm, INTERCEPT_VMLOAD);\n\tset_intercept(svm, INTERCEPT_VMSAVE);\n\tset_intercept(svm, INTERCEPT_STGI);\n\tset_intercept(svm, INTERCEPT_CLGI);\n\tset_intercept(svm, INTERCEPT_SKINIT);\n\tset_intercept(svm, INTERCEPT_WBINVD);\n\tset_intercept(svm, INTERCEPT_MONITOR);\n\tset_intercept(svm, INTERCEPT_MWAIT);\n\tset_intercept(svm, 
INTERCEPT_XSETBV);\n\n\tcontrol->iopm_base_pa = iopm_base;\n\tcontrol->msrpm_base_pa = __pa(svm->msrpm);\n\tcontrol->int_ctl = V_INTR_MASKING_MASK;\n\n\tinit_seg(&save->es);\n\tinit_seg(&save->ss);\n\tinit_seg(&save->ds);\n\tinit_seg(&save->fs);\n\tinit_seg(&save->gs);\n\n\tsave->cs.selector = 0xf000;\n\tsave->cs.base = 0xffff0000;\n\t/* Executable/Readable Code Segment */\n\tsave->cs.attrib = SVM_SELECTOR_READ_MASK | SVM_SELECTOR_P_MASK |\n\t\tSVM_SELECTOR_S_MASK | SVM_SELECTOR_CODE_MASK;\n\tsave->cs.limit = 0xffff;\n\n\tsave->gdtr.limit = 0xffff;\n\tsave->idtr.limit = 0xffff;\n\n\tinit_sys_seg(&save->ldtr, SEG_TYPE_LDT);\n\tinit_sys_seg(&save->tr, SEG_TYPE_BUSY_TSS16);\n\n\tsvm_set_efer(&svm->vcpu, 0);\n\tsave->dr6 = 0xffff0ff0;\n\tkvm_set_rflags(&svm->vcpu, 2);\n\tsave->rip = 0x0000fff0;\n\tsvm->vcpu.arch.regs[VCPU_REGS_RIP] = save->rip;\n\n\t/*\n\t * This is the guest-visible cr0 value.\n\t * svm_set_cr0() sets PG and WP and clears NW and CD on save->cr0.\n\t */\n\tsvm->vcpu.arch.cr0 = 0;\n\t(void)kvm_set_cr0(&svm->vcpu, X86_CR0_NW | X86_CR0_CD | X86_CR0_ET);\n\n\tsave->cr4 = X86_CR4_PAE;\n\t/* rdx = ?? 
*/\n\n\tif (npt_enabled) {\n\t\t/* Setup VMCB for Nested Paging */\n\t\tcontrol->nested_ctl = 1;\n\t\tclr_intercept(svm, INTERCEPT_INVLPG);\n\t\tclr_exception_intercept(svm, PF_VECTOR);\n\t\tclr_cr_intercept(svm, INTERCEPT_CR3_READ);\n\t\tclr_cr_intercept(svm, INTERCEPT_CR3_WRITE);\n\t\tsave->g_pat = 0x0007040600070406ULL;\n\t\tsave->cr3 = 0;\n\t\tsave->cr4 = 0;\n\t}\n\tsvm->asid_generation = 0;\n\n\tsvm->nested.vmcb = 0;\n\tsvm->vcpu.arch.hflags = 0;\n\n\tif (boot_cpu_has(X86_FEATURE_PAUSEFILTER)) {\n\t\tcontrol->pause_filter_count = 3000;\n\t\tset_intercept(svm, INTERCEPT_PAUSE);\n\t}\n\n\tmark_all_dirty(svm->vmcb);\n\n\tenable_gif(svm);\n}", "project": "kvm", "hash": 219083400102702501066618680598589159847, "size": 112, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437595 }, { "func": "void kvm_sigset_deactivate(struct kvm_vcpu *vcpu)\n{\n\tif (!vcpu->sigset_active)\n\t\treturn;\n\n\tsigprocmask(SIG_SETMASK, &current->real_blocked, NULL);\n\tsigemptyset(&current->real_blocked);\n}", "project": "linux", "hash": 104483486444639620863380056225844502774, "size": 8, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used 
slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354625 }, { "func": "static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg)\n{\n AVDictionary *opts = NULL;\n int ret;\n\n // broker prior HTTP options that should be consistent across requests\n av_dict_set(&opts, \"user-agent\", c->user_agent, 0);\n av_dict_set(&opts, \"cookies\", c->cookies, 0);\n av_dict_set(&opts, \"headers\", c->headers, 0);\n av_dict_set(&opts, \"seekable\", \"0\", 0);\n\n if (seg->size >= 0) {\n /* try to restrict the HTTP request to the part we want\n * (if this is in fact a HTTP request) */\n av_dict_set_int(&opts, \"offset\", seg->url_offset, 0);\n av_dict_set_int(&opts, \"end_offset\", seg->url_offset + seg->size, 0);\n }\n\n av_log(pls->parent, AV_LOG_VERBOSE, \"HLS request for url '%s', offset %\"PRId64\", playlist %d\\n\",\n seg->url, seg->url_offset, pls->index);\n\n if (seg->key_type == KEY_NONE) {\n ret = open_url(pls->parent->priv_data, &pls->input, seg->url, opts);\n } else if (seg->key_type == KEY_AES_128) {\n// HLSContext *c = var->parent->priv_data;\n char iv[33], key[33], url[MAX_URL_SIZE];\n if (strcmp(seg->key, pls->key_url)) {\n URLContext *uc;\n if (open_url(pls->parent->priv_data, &uc, seg->key, opts) == 0) {\n if (ffurl_read_complete(uc, pls->key, sizeof(pls->key))\n != sizeof(pls->key)) {\n av_log(NULL, AV_LOG_ERROR, \"Unable to read key file %s\\n\",\n seg->key);\n }\n ffurl_close(uc);\n } else {\n av_log(NULL, AV_LOG_ERROR, \"Unable to open key file %s\\n\",\n seg->key);\n }\n av_strlcpy(pls->key_url, seg->key, sizeof(pls->key_url));\n }\n ff_data_to_hex(iv, seg->iv, sizeof(seg->iv), 0);\n ff_data_to_hex(key, pls->key, sizeof(pls->key), 0);\n iv[32] = key[32] = '\\0';\n if (strstr(seg->url, \"://\"))\n snprintf(url, sizeof(url), 
\"crypto+%s\", seg->url);\n else\n snprintf(url, sizeof(url), \"crypto:%s\", seg->url);\n\n if ((ret = ffurl_alloc(&pls->input, url, AVIO_FLAG_READ,\n &pls->parent->interrupt_callback)) < 0)\n goto cleanup;\n av_opt_set(pls->input->priv_data, \"key\", key, 0);\n av_opt_set(pls->input->priv_data, \"iv\", iv, 0);\n\n if ((ret = url_connect(pls, c->avio_opts, opts)) < 0) {\n goto cleanup;\n }\n ret = 0;\n } else if (seg->key_type == KEY_SAMPLE_AES) {\n av_log(pls->parent, AV_LOG_ERROR,\n \"SAMPLE-AES encryption is not supported yet\\n\");\n ret = AVERROR_PATCHWELCOME;\n }\n else\n ret = AVERROR(ENOSYS);\n\n /* Seek to the requested position. If this was a HTTP request, the offset\n * should already be where want it to, but this allows e.g. local testing\n * without a HTTP server. */\n if (ret == 0 && seg->key_type == KEY_NONE && seg->url_offset) {\n int seekret = ffurl_seek(pls->input, seg->url_offset, SEEK_SET);\n if (seekret < 0) {\n av_log(pls->parent, AV_LOG_ERROR, \"Unable to seek to offset %\"PRId64\" of HLS segment '%s'\\n\", seg->url_offset, seg->url);\n ret = seekret;\n ffurl_close(pls->input);\n pls->input = NULL;\n }\n }\n\ncleanup:\n av_dict_free(&opts);\n pls->cur_seg_offset = 0;\n return ret;\n}", "project": "FFmpeg", "hash": 113013360304667818603598915290802467940, "size": 85, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270457 }, { "func": "static ssize_t fuse_direct_write_iter(struct kiocb *iocb, struct iov_iter *from)\n{\n\tstruct inode *inode = file_inode(iocb->ki_filp);\n\tstruct fuse_io_priv io = FUSE_IO_PRIV_SYNC(iocb);\n\tssize_t res;\n\n\t/* Don't allow parallel writes to the same file */\n\tinode_lock(inode);\n\tres = 
generic_write_checks(iocb, from);\n\tif (res > 0) {\n\t\tif (!is_sync_kiocb(iocb) && iocb->ki_flags & IOCB_DIRECT) {\n\t\t\tres = fuse_direct_IO(iocb, from);\n\t\t} else {\n\t\t\tres = fuse_direct_io(&io, from, &iocb->ki_pos,\n\t\t\t\t\t FUSE_DIO_WRITE);\n\t\t}\n\t}\n\tfuse_invalidate_attr(inode);\n\tif (res > 0)\n\t\tfuse_write_update_size(inode, iocb->ki_pos);\n\tinode_unlock(inode);\n\n\treturn res;\n}", "project": "linux", "hash": 249709024595273748997634302561549977850, "size": 24, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341992 }, { "func": "static int packet_rcv_has_room(struct packet_sock *po, struct sk_buff *skb)\n{\n\tint pressure, ret;\n\n\tret = __packet_rcv_has_room(po, skb);\n\tpressure = ret != ROOM_NORMAL;\n\n\tif (READ_ONCE(po->pressure) != pressure)\n\t\tWRITE_ONCE(po->pressure, pressure);\n\n\treturn ret;\n}", "project": "linux", "hash": 279078525274996514492086046933409477110, "size": 12, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330373 }, { "func": "static void csi_K(struct vc_data *vc, int vpar)\n{\n\tunsigned int count;\n\tunsigned short *start = (unsigned short *)vc->vc_pos;\n\tint offset;\n\n\tswitch (vpar) {\n\t\tcase 0:\t/* erase from cursor to end of line */\n\t\t\toffset = 0;\n\t\t\tcount = vc->vc_cols - vc->vc_x;\n\t\t\tbreak;\n\t\tcase 1:\t/* erase from start of line to cursor */\n\t\t\toffset = -vc->vc_x;\n\t\t\tcount = vc->vc_x + 1;\n\t\t\tbreak;\n\t\tcase 2: /* erase whole line */\n\t\t\toffset = -vc->vc_x;\n\t\t\tcount = 
vc->vc_cols;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn;\n\t}\n\tvc_uniscr_clear_line(vc, vc->vc_x + offset, count);\n\tscr_memsetw(start + offset, vc->vc_video_erase_char, 2 * count);\n\tvc->vc_need_wrap = 0;\n\tif (con_should_update(vc))\n\t\tdo_update_region(vc, (unsigned long)(start + offset), count);\n}", "project": "linux", "hash": 56050857449503526187534859405049730294, "size": 28, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437078 }, { "func": "int init_threadpool(blosc2_context *context) {\n int32_t tid;\n int rc2;\n\n /* Initialize mutex and condition variable objects */\n pthread_mutex_init(&context->count_mutex, NULL);\n pthread_mutex_init(&context->delta_mutex, NULL);\n pthread_cond_init(&context->delta_cv, NULL);\n\n /* Set context thread sentinels */\n context->thread_giveup_code = 1;\n context->thread_nblock = -1;\n\n /* Barrier initialization */\n#ifdef BLOSC_POSIX_BARRIERS\n pthread_barrier_init(&context->barr_init, NULL, context->nthreads + 1);\n pthread_barrier_init(&context->barr_finish, NULL, context->nthreads + 1);\n#else\n pthread_mutex_init(&context->count_threads_mutex, NULL);\n pthread_cond_init(&context->count_threads_cv, NULL);\n context->count_threads = 0; /* Reset threads counter */\n#endif\n\n if (threads_callback) {\n /* Create thread contexts to store data for callback threads */\n context->thread_contexts = (struct thread_context *)my_malloc(\n context->nthreads * sizeof(struct thread_context));\n for (tid = 0; tid < context->nthreads; tid++)\n init_thread_context(context->thread_contexts + tid, context, tid);\n }\n else {\n #if !defined(_WIN32)\n /* Initialize and set thread detached attribute */\n pthread_attr_init(&context->ct_attr);\n pthread_attr_setdetachstate(&context->ct_attr, PTHREAD_CREATE_JOINABLE);\n #endif\n\n /* Make space for thread handlers */\n context->threads = (pthread_t*)my_malloc(\n context->nthreads * sizeof(pthread_t));\n /* Finally, create the threads */\n for (tid = 0; tid < context->nthreads; tid++) {\n /* Create a thread context (will destroy when finished) */\n struct thread_context *thread_context = create_thread_context(context, tid);\n\n #if !defined(_WIN32)\n rc2 = pthread_create(&context->threads[tid], &context->ct_attr, t_blosc,\n (void*)thread_context);\n #else\n rc2 = 
pthread_create(&context->threads[tid], NULL, t_blosc,\n (void *)thread_context);\n #endif\n if (rc2) {\n fprintf(stderr, \"ERROR; return code from pthread_create() is %d\\n\", rc2);\n fprintf(stderr, \"\\tError detail: %s\\n\", strerror(rc2));\n return (-1);\n }\n }\n }\n\n /* We have now started/initialized the threads */\n context->threads_started = context->nthreads;\n context->new_nthreads = context->nthreads;\n\n return (0);\n}", "project": "c-blosc2", "hash": 322271672123930351863857690524778360537, "size": 66, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303131 }, { "func": "int bcf_get_info_values(const bcf_hdr_t *hdr, bcf1_t *line, const char *tag, void **dst, int *ndst, int type)\n{\n int i, ret = -4, tag_id = bcf_hdr_id2int(hdr, BCF_DT_ID, tag);\n if ( !bcf_hdr_idinfo_exists(hdr,BCF_HL_INFO,tag_id) ) return -1; // no such INFO field in the header\n if ( bcf_hdr_id2type(hdr,BCF_HL_INFO,tag_id)!=(type & 0xff) ) return -2; // expected different type\n\n if ( !(line->unpacked & BCF_UN_INFO) ) bcf_unpack(line, BCF_UN_INFO);\n\n for (i=0; in_info; i++)\n if ( line->d.info[i].key==tag_id ) break;\n if ( i==line->n_info ) return ( type==BCF_HT_FLAG ) ? 
0 : -3; // the tag is not present in this record\n if ( type==BCF_HT_FLAG ) return 1;\n\n bcf_info_t *info = &line->d.info[i];\n if ( !info->vptr ) return -3; // the tag was marked for removal\n if ( type==BCF_HT_STR )\n {\n if ( *ndst < info->len+1 )\n {\n *ndst = info->len + 1;\n *dst = realloc(*dst, *ndst);\n }\n memcpy(*dst,info->vptr,info->len);\n ((uint8_t*)*dst)[info->len] = 0;\n return info->len;\n }\n\n // Make sure the buffer is big enough\n int size1;\n switch (type) {\n case BCF_HT_INT: size1 = sizeof(int32_t); break;\n case BCF_HT_LONG: size1 = sizeof(int64_t); break;\n case BCF_HT_REAL: size1 = sizeof(float); break;\n default:\n hts_log_error(\"Unexpected output type %d at %s:%\"PRIhts_pos, type, bcf_seqname_safe(hdr,line), line->pos+1);\n return -2;\n }\n if ( *ndst < info->len )\n {\n *ndst = info->len;\n *dst = realloc(*dst, *ndst * size1);\n }\n\n #define BRANCH(type_t, convert, is_missing, is_vector_end, set_missing, set_regular, out_type_t) do { \\\n out_type_t *tmp = (out_type_t *) *dst; \\\n int j; \\\n for (j=0; jlen; j++) \\\n { \\\n type_t p = convert(info->vptr + j * sizeof(type_t)); \\\n if ( is_vector_end ) break; \\\n if ( is_missing ) set_missing; \\\n else set_regular; \\\n tmp++; \\\n } \\\n ret = j; \\\n } while (0)\n switch (info->type) {\n case BCF_BT_INT8:\n if (type == BCF_HT_LONG) {\n BRANCH(int8_t, le_to_i8, p==bcf_int8_missing, p==bcf_int8_vector_end, *tmp=bcf_int64_missing, *tmp=p, int64_t);\n } else {\n BRANCH(int8_t, le_to_i8, p==bcf_int8_missing, p==bcf_int8_vector_end, *tmp=bcf_int32_missing, *tmp=p, int32_t);\n }\n break;\n case BCF_BT_INT16:\n if (type == BCF_HT_LONG) {\n BRANCH(int16_t, le_to_i16, p==bcf_int16_missing, p==bcf_int16_vector_end, *tmp=bcf_int64_missing, *tmp=p, int64_t);\n } else {\n BRANCH(int16_t, le_to_i16, p==bcf_int16_missing, p==bcf_int16_vector_end, *tmp=bcf_int32_missing, *tmp=p, int32_t);\n }\n break;\n case BCF_BT_INT32:\n if (type == BCF_HT_LONG) {\n BRANCH(int32_t, le_to_i32, 
p==bcf_int32_missing, p==bcf_int32_vector_end, *tmp=bcf_int64_missing, *tmp=p, int64_t); break;\n } else {\n BRANCH(int32_t, le_to_i32, p==bcf_int32_missing, p==bcf_int32_vector_end, *tmp=bcf_int32_missing, *tmp=p, int32_t); break;\n }\n case BCF_BT_FLOAT: BRANCH(uint32_t, le_to_u32, p==bcf_float_missing, p==bcf_float_vector_end, bcf_float_set_missing(*tmp), bcf_float_set(tmp, p), float); break;\n default: hts_log_error(\"Unexpected type %d at %s:%\"PRIhts_pos, info->type, bcf_seqname_safe(hdr,line), line->pos+1); return -2;\n }\n #undef BRANCH\n return ret; // set by BRANCH\n}", "project": "htslib", "hash": 10039698937167177077556469006999045223, "size": 83, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402210 }, { "func": "void WebContents::InspectServiceWorker() {\n if (type_ == Type::REMOTE)\n return;\n\n if (!enable_devtools_)\n return;\n\n for (const auto& agent_host : content::DevToolsAgentHost::GetOrCreateAll()) {\n if (agent_host->GetType() ==\n content::DevToolsAgentHost::kTypeServiceWorker) {\n OpenDevTools(nullptr);\n managed_web_contents()->AttachTo(agent_host);\n break;\n }\n }\n}", "project": "electron", "hash": 303076037970439668172832626671710248100, "size": 16, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add 
test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269744 }, { "func": "static bool r_sys_mkdir(const char *path) {\n\tLPTSTR path_ = r_sys_conv_utf8_to_utf16 (path);\n\tbool ret = CreateDirectory (path_, NULL);\n\n\tfree (path_);\n\treturn ret;\n}", "project": "radare2", "hash": 241262750562684298140758599418242757383, "size": 7, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268953 }, { "func": "R_API bool r_sys_mkdir(const char *dir) {\n\tbool ret;\n\n\tif (r_sandbox_enable (0)) {\n\t\treturn false;\n\t}\n#if __WINDOWS__\n\tLPTSTR dir_ = r_sys_conv_utf8_to_win (dir);\n\n\tret = CreateDirectory (dir_, NULL) != 0;\n\tfree (dir_);\n#else\n\tret = mkdir (dir, 0755) != -1;\n#endif\n\treturn ret;\n}", "project": "radare2", "hash": 122739618404322751617920991414117732915, "size": 16, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268984 }, { "func": "Sfdouble_t sh_arith(Shell_t *shp, const char *str) { return sh_strnum(shp, str, NULL, 1); }", "project": "ast", "hash": 126103299187724476876883680988476612141, "size": 1, "commit_id": "c7de8b641266bac7c77942239ac659edfee9ecd2", "message": "Harden env var imports", "target": 0, "dataset": "other", "idx": 321867 }, { "func": "}\n\nstatic int\niscsi_if_create_conn(struct iscsi_transport *transport, struct iscsi_uevent *ev)\n{\n\tstruct iscsi_cls_conn *conn;\n\tstruct iscsi_cls_session *session;\n\n\tsession = iscsi_session_lookup(ev->u.c_conn.sid);\n\tif (!session) {\n\t\tprintk(KERN_ERR \"iscsi: invalid session %d.\\n\",\n\t\t ev->u.c_conn.sid);\n\t\treturn -EINVAL;\n\t}\n\n\tconn = transport->create_conn(session, ev->u.c_conn.cid);\n\tif (!conn) {\n\t\tiscsi_cls_session_printk(KERN_ERR, session,\n\t\t\t\t\t \"couldn't create a new connection.\");\n\t\treturn -ENOMEM;\n\t}\n\n\tev->r.c_conn_ret.sid = session->sid;\n\tev->r.c_conn_ret.cid = conn->cid;\n", "project": "linux", "hash": 95271017467066722428930504057368893752, "size": 25, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: 
stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 380001 }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLNode::add_child(const char* n)\n{\n\treturn add_child_copy(XMLNode (n));\n}", "idx": 519684, "cwe": "CWE-416", "hash": 313588554201807602609559930050417161150, "dataset": "other" }, { "func": "bool JSON_parser(Variant &z, const char *p, int length, bool const assoc,\n int depth, int64_t options) {\n // No GC safepoints during JSON parsing, please. Code is not re-entrant.\n NoHandleSurpriseScope no_surprise(SafepointFlags);\n\n json_parser *json = s_json_parser.get(); /* the parser state */\n // Clear and reuse the thread-local string buffers. They are only freed if\n // they exceed kMaxPersistentStringBufferCapacity at exit or if the thread\n // is explicitly flushed (e.g., due to being idle).\n json->initSb(length);\n if (depth <= 0) {\n json->error_code = json_error_codes::JSON_ERROR_DEPTH;\n return false;\n }\n SCOPE_EXIT {\n constexpr int kMaxPersistentStringBufferCapacity = 256 * 1024;\n if (json->sb_cap > kMaxPersistentStringBufferCapacity) json->flushSb();\n };\n // SimpleParser only handles the most common set of options. 
Also, only use it\n // if its array nesting depth check is *more* restrictive than what the user\n // asks for, to ensure that the precise semantics of the general case is\n // applied for all nesting overflows.\n if (assoc &&\n options == (options & (k_JSON_FB_LOOSE |\n k_JSON_FB_DARRAYS |\n k_JSON_FB_DARRAYS_AND_VARRAYS |\n k_JSON_FB_HACK_ARRAYS |\n k_JSON_FB_THRIFT_SIMPLE_JSON |\n k_JSON_FB_LEGACY_HACK_ARRAYS)) &&\n depth >= SimpleParser::kMaxArrayDepth &&\n length <= RuntimeOption::EvalSimpleJsonMaxLength &&\n SimpleParser::TryParse(p, length, json->tl_buffer.tv, z,\n get_container_type_from_options(options),\n options & k_JSON_FB_THRIFT_SIMPLE_JSON)) {\n return true;\n }\n\n int b; /* the next character */\n int c; /* the next character class */\n int s; /* the next state */\n int state = 0;\n\n /**/\n bool const loose = options & k_JSON_FB_LOOSE;\n JSONContainerType const container_type =\n get_container_type_from_options(options);\n int qchr = 0;\n int8_t const *byte_class;\n int8_t const (*next_state_table)[32];\n if (loose) {\n byte_class = loose_ascii_class;\n next_state_table = loose_state_transition_table;\n } else {\n byte_class = ascii_class;\n next_state_table = state_transition_table;\n }\n /**/\n\n UncheckedBuffer *buf = &json->sb_buf;\n UncheckedBuffer *key = &json->sb_key;\n\n DataType type = kInvalidDataType;\n unsigned short escaped_bytes = 0;\n\n auto reset_type = [&] { type = kInvalidDataType; };\n\n json->depth = depth;\n // Since the stack is maintainined on a per request basis, for performance\n // reasons, it only makes sense to expand if necessary and cycles are wasted\n // contracting. 
Calls with a depth other than default should be rare.\n if (depth > json->stack.size()) {\n json->stack.resize(depth);\n }\n SCOPE_EXIT {\n if (json->stack.empty()) return;\n for (int i = 0; i <= json->mark; i++) {\n json->stack[i].key.reset();\n json->stack[i].val.unset();\n }\n json->mark = -1;\n };\n\n json->mark = json->top = -1;\n push(json, Mode::DONE);\n\n UTF8To16Decoder decoder(p, length, loose);\n for (;;) {\n b = decoder.decode();\n // Fast-case most common transition: append a simple string character.\n if (state == 3 && type == KindOfString) {\n while (b != '\\\"' && b != '\\\\' && b != '\\'' && b <= 127 && b >= ' ') {\n buf->append((char)b);\n b = decoder.decode();\n }\n }\n if (b == UTF8_END) break; // UTF-8 decoding finishes successfully.\n if (b == UTF8_ERROR) {\n s_json_parser->error_code = JSON_ERROR_UTF8;\n return false;\n }\n assertx(b >= 0);\n\n if ((b & 127) == b) {\n /**/\n c = byte_class[b];\n /**/\n if (c <= S_ERR) {\n s_json_parser->error_code = JSON_ERROR_CTRL_CHAR;\n return false;\n }\n } else {\n c = S_ETC;\n }\n /*\n Get the next state from the transition table.\n */\n\n /**/\n s = next_state_table[state][c];\n\n if (s == -4) {\n if (b != qchr) {\n s = 3;\n } else {\n qchr = 0;\n }\n }\n /**/\n\n if (s < 0) {\n /*\n Perform one of the predefined actions.\n */\n switch (s) {\n /*\n empty }\n */\n case -9:\n /**/\n if (json->top == 1) z = json->stack[json->top].val;\n else {\n /**/\n attach_zval(json, json->stack[json->top].key, assoc, container_type);\n /**/\n }\n /**/\n if (!pop(json, Mode::KEY)) {\n return false;\n }\n state = 9;\n break;\n /*\n {\n */\n case -8:\n if (!push(json, Mode::KEY)) {\n s_json_parser->error_code = JSON_ERROR_DEPTH;\n return false;\n }\n\n state = 1;\n if (json->top > 0) {\n Variant &top = json->stack[json->top].val;\n /**/\n if (container_type == JSONContainerType::COLLECTIONS) {\n // stable_maps is meaningless\n top = req::make();\n } else {\n /**/\n if (!assoc) {\n top = 
SystemLib::AllocStdClassObject();\n /* */\n } else if (container_type == JSONContainerType::HACK_ARRAYS) {\n top = Array::CreateDict();\n } else if (container_type == JSONContainerType::DARRAYS ||\n container_type == JSONContainerType::DARRAYS_AND_VARRAYS)\n {\n top = Array::CreateDArray();\n /* */\n } else if (\n container_type == JSONContainerType::LEGACY_HACK_ARRAYS) {\n auto arr = staticEmptyDictArray()->copy();\n arr->setLegacyArray(true);\n top = arr;\n } else {\n top = Array::CreateDArray();\n }\n /**/\n }\n /**/\n json->stack[json->top].key = copy_and_clear(*key);\n reset_type();\n }\n break;\n /*\n }\n */\n case -7:\n /*** BEGIN Facebook: json_utf8_loose ***/\n /*\n If this is a trailing comma in an object definition,\n we're in Mode::KEY. In that case, throw that off the\n stack and restore Mode::OBJECT so that we pretend the\n trailing comma just didn't happen.\n */\n if (loose) {\n if (pop(json, Mode::KEY)) {\n push(json, Mode::OBJECT);\n }\n }\n /*** END Facebook: json_utf8_loose ***/\n\n if (type != kInvalidDataType &&\n json->stack[json->top].mode == Mode::OBJECT) {\n Variant mval;\n json_create_zval(mval, *buf, type, options);\n Variant &top = json->stack[json->top].val;\n object_set(json, top, copy_and_clear(*key),\n mval, assoc, container_type);\n buf->clear();\n reset_type();\n }\n\n /**/\n if (json->top == 1) z = json->stack[json->top].val;\n else {\n /**/\n attach_zval(json, json->stack[json->top].key,\n assoc, container_type);\n /**/\n }\n /**/\n if (!pop(json, Mode::OBJECT)) {\n s_json_parser->error_code = JSON_ERROR_STATE_MISMATCH;\n return false;\n }\n state = 9;\n break;\n /*\n [\n */\n case -6:\n if (!push(json, Mode::ARRAY)) {\n s_json_parser->error_code = JSON_ERROR_DEPTH;\n return false;\n }\n state = 2;\n\n if (json->top > 0) {\n Variant &top = json->stack[json->top].val;\n /**/\n if (container_type == JSONContainerType::COLLECTIONS) {\n top = req::make();\n } else if (container_type == JSONContainerType::HACK_ARRAYS) {\n top = 
Array::CreateVec();\n } else if (container_type == JSONContainerType::DARRAYS_AND_VARRAYS) {\n top = Array::CreateVArray();\n } else if (container_type == JSONContainerType::DARRAYS) {\n top = Array::CreateDArray();\n } else if (container_type == JSONContainerType::LEGACY_HACK_ARRAYS) {\n auto arr = staticEmptyVecArray()->copy();\n arr->setLegacyArray(true);\n top = arr;\n } else {\n top = Array::CreateDArray();\n }\n /**/\n json->stack[json->top].key = copy_and_clear(*key);\n reset_type();\n }\n break;\n /*\n ]\n */\n case -5:\n {\n if (type != kInvalidDataType &&\n json->stack[json->top].mode == Mode::ARRAY) {\n Variant mval;\n json_create_zval(mval, *buf, type, options);\n auto& top = json->stack[json->top].val;\n if (container_type == JSONContainerType::COLLECTIONS) {\n collections::append(top.getObjectData(), mval.asTypedValue());\n } else {\n top.asArrRef().append(mval);\n }\n buf->clear();\n reset_type();\n }\n\n /**/\n if (json->top == 1) z = json->stack[json->top].val;\n else {\n /**/\n attach_zval(json, json->stack[json->top].key, assoc,\n container_type);\n /**/\n }\n /**/\n if (!pop(json, Mode::ARRAY)) {\n s_json_parser->error_code = JSON_ERROR_STATE_MISMATCH;\n return false;\n }\n state = 9;\n }\n break;\n /*\n \"\n */\n case -4:\n switch (json->stack[json->top].mode) {\n case Mode::KEY:\n state = 27;\n std::swap(buf, key);\n reset_type();\n break;\n case Mode::ARRAY:\n case Mode::OBJECT:\n state = 9;\n break;\n case Mode::DONE:\n if (type == KindOfString) {\n z = copy_and_clear(*buf);\n state = 9;\n break;\n }\n /* fall through if not KindOfString */\n default:\n s_json_parser->error_code = JSON_ERROR_SYNTAX;\n return false;\n }\n break;\n /*\n ,\n */\n case -3:\n {\n Variant mval;\n if (type != kInvalidDataType &&\n (json->stack[json->top].mode == Mode::OBJECT ||\n json->stack[json->top].mode == Mode::ARRAY)) {\n json_create_zval(mval, *buf, type, options);\n }\n\n switch (json->stack[json->top].mode) {\n case Mode::OBJECT:\n if (pop(json, 
Mode::OBJECT) &&\n push(json, Mode::KEY)) {\n if (type != kInvalidDataType) {\n Variant &top = json->stack[json->top].val;\n object_set(\n json,\n top,\n copy_and_clear(*key),\n mval,\n assoc,\n container_type\n );\n }\n state = 29;\n }\n break;\n case Mode::ARRAY:\n if (type != kInvalidDataType) {\n auto& top = json->stack[json->top].val;\n if (container_type == JSONContainerType::COLLECTIONS) {\n collections::append(top.getObjectData(), mval.asTypedValue());\n } else {\n top.asArrRef().append(mval);\n }\n }\n state = 28;\n break;\n default:\n s_json_parser->error_code = JSON_ERROR_SYNTAX;\n return false;\n }\n buf->clear();\n reset_type();\n check_non_safepoint_surprise();\n }\n break;\n\n /**/\n /*\n : (after unquoted string)\n */\n case -10:\n if (json->stack[json->top].mode == Mode::KEY) {\n state = 27;\n std::swap(buf, key);\n reset_type();\n s = -2;\n } else {\n s = 3;\n break;\n }\n /**/\n\n /*\n :\n */\n case -2:\n if (pop(json, Mode::KEY) && push(json, Mode::OBJECT)) {\n state = 28;\n break;\n }\n /*\n syntax error\n */\n case -1:\n s_json_parser->error_code = JSON_ERROR_SYNTAX;\n return false;\n }\n } else {\n /*\n Change the state and iterate.\n */\n bool is_tsimplejson = options & k_JSON_FB_THRIFT_SIMPLE_JSON;\n if (type == KindOfString) {\n if (/**/(/**/s == 3/**/ || s == 30)/**/ &&\n state != 8) {\n if (state != 4) {\n utf16_to_utf8(*buf, b);\n } else {\n switch (b) {\n case 'b': buf->append('\\b'); break;\n case 't': buf->append('\\t'); break;\n case 'n': buf->append('\\n'); break;\n case 'f': buf->append('\\f'); break;\n case 'r': buf->append('\\r'); break;\n default:\n utf16_to_utf8(*buf, b);\n break;\n }\n }\n } else if (s == 6) {\n if (UNLIKELY(is_tsimplejson)) {\n if (UNLIKELY(b != '0')) {\n s_json_parser->error_code = JSON_ERROR_SYNTAX;\n return false;\n }\n escaped_bytes = 0;\n } else {\n escaped_bytes = dehexchar(b) << 12;\n }\n } else if (s == 7) {\n if (UNLIKELY(is_tsimplejson)) {\n if (UNLIKELY(b != '0')) {\n s_json_parser->error_code = 
JSON_ERROR_SYNTAX;\n return false;\n }\n } else {\n escaped_bytes += dehexchar(b) << 8;\n }\n } else if (s == 8) {\n escaped_bytes += dehexchar(b) << 4;\n } else if (s == 3 && state == 8) {\n escaped_bytes += dehexchar(b);\n if (UNLIKELY(is_tsimplejson)) {\n buf->append((char)escaped_bytes);\n } else {\n utf16_to_utf8(*buf, escaped_bytes);\n }\n }\n } else if ((type == kInvalidDataType || type == KindOfNull) &&\n (c == S_DIG || c == S_ZER)) {\n type = KindOfInt64;\n buf->append((char)b);\n } else if (type == KindOfInt64 && s == 24) {\n type = KindOfDouble;\n buf->append((char)b);\n } else if ((type == kInvalidDataType || type == KindOfNull ||\n type == KindOfInt64) &&\n c == S_DOT) {\n type = KindOfDouble;\n buf->append((char)b);\n } else if (type != KindOfString && c == S_QUO) {\n type = KindOfString;\n /**/qchr = b;/**/\n } else if ((type == kInvalidDataType || type == KindOfNull ||\n type == KindOfInt64 || type == KindOfDouble) &&\n ((state == 12 && s == 9) ||\n (state == 16 && s == 9))) {\n type = KindOfBoolean;\n } else if (type == kInvalidDataType && state == 19 && s == 9) {\n type = KindOfNull;\n } else if (type != KindOfString && c > S_WSP) {\n utf16_to_utf8(*buf, b);\n }\n\n state = s;\n }\n }\n\n if (state == 9 && pop(json, Mode::DONE)) {\n s_json_parser->error_code = JSON_ERROR_NONE;\n return true;\n }\n\n s_json_parser->error_code = JSON_ERROR_SYNTAX;\n return false;\n}", "project": "hhvm", "hash": 252506487515416982018261179717517294426, "size": 503, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227318 }, { "func": "static void SFDGetNameList(FILE *sfd, char *tok, 
SplineFont *sf) {\n NameList *nl;\n\n geteol(sfd,tok);\n nl = NameListByName(tok);\n if ( nl==NULL )\n\tLogError(_(\"Failed to find NameList: %s\"), tok);\n else\n\tsf->for_new_glyphs = nl;\n}", "project": "fontforge", "hash": 330830897941203699846830971505771098578, "size": 10, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417761 }, { "func": "static int fuse_sysfs_init(void)\n{\n\tint err;\n\n\tfuse_kobj = kobject_create_and_add(\"fuse\", fs_kobj);\n\tif (!fuse_kobj) {\n\t\terr = -ENOMEM;\n\t\tgoto out_err;\n\t}\n\n\terr = sysfs_create_mount_point(fuse_kobj, \"connections\");\n\tif (err)\n\t\tgoto out_fuse_unregister;\n\n\treturn 0;\n\n out_fuse_unregister:\n\tkobject_put(fuse_kobj);\n out_err:\n\treturn err;\n}", "project": "linux", "hash": 102046385845094936731119040229162758233, "size": 21, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341910 }, { "func": "static void deactivate_slab(struct kmem_cache *s, struct page *page,\n\t\t\t\tvoid *freelist, struct kmem_cache_cpu *c)\n{\n\tenum slab_modes { M_NONE, M_PARTIAL, M_FULL, M_FREE };\n\tstruct kmem_cache_node *n = get_node(s, page_to_nid(page));\n\tint lock = 0;\n\tenum slab_modes l = M_NONE, m = M_NONE;\n\tvoid *nextfree;\n\tint tail = DEACTIVATE_TO_HEAD;\n\tstruct page new;\n\tstruct page old;\n\n\tif (page->freelist) {\n\t\tstat(s, DEACTIVATE_REMOTE_FREES);\n\t\ttail = DEACTIVATE_TO_TAIL;\n\t}\n\n\t/*\n\t * Stage one: Free all available per cpu objects back\n\t * to the page freelist while it is still frozen. Leave the\n\t * last one.\n\t *\n\t * There is no need to take the list->lock because the page\n\t * is still frozen.\n\t */\n\twhile (freelist && (nextfree = get_freepointer(s, freelist))) {\n\t\tvoid *prior;\n\t\tunsigned long counters;\n\n\t\tdo {\n\t\t\tprior = page->freelist;\n\t\t\tcounters = page->counters;\n\t\t\tset_freepointer(s, freelist, prior);\n\t\t\tnew.counters = counters;\n\t\t\tnew.inuse--;\n\t\t\tVM_BUG_ON(!new.frozen);\n\n\t\t} while (!__cmpxchg_double_slab(s, page,\n\t\t\tprior, counters,\n\t\t\tfreelist, new.counters,\n\t\t\t\"drain percpu freelist\"));\n\n\t\tfreelist = nextfree;\n\t}\n\n\t/*\n\t * Stage two: Ensure that the page is unfrozen while the\n\t * list presence reflects the actual number of objects\n\t * during unfreeze.\n\t *\n\t * We setup the list membership and then perform a cmpxchg\n\t * with the count. 
If there is a mismatch then the page\n\t * is not unfrozen but the page is on the wrong list.\n\t *\n\t * Then we restart the process which may have to remove\n\t * the page from the list that we just put it on again\n\t * because the number of objects in the slab may have\n\t * changed.\n\t */\nredo:\n\n\told.freelist = page->freelist;\n\told.counters = page->counters;\n\tVM_BUG_ON(!old.frozen);\n\n\t/* Determine target state of the slab */\n\tnew.counters = old.counters;\n\tif (freelist) {\n\t\tnew.inuse--;\n\t\tset_freepointer(s, freelist, old.freelist);\n\t\tnew.freelist = freelist;\n\t} else\n\t\tnew.freelist = old.freelist;\n\n\tnew.frozen = 0;\n\n\tif (!new.inuse && n->nr_partial >= s->min_partial)\n\t\tm = M_FREE;\n\telse if (new.freelist) {\n\t\tm = M_PARTIAL;\n\t\tif (!lock) {\n\t\t\tlock = 1;\n\t\t\t/*\n\t\t\t * Taking the spinlock removes the possibility\n\t\t\t * that acquire_slab() will see a slab page that\n\t\t\t * is frozen\n\t\t\t */\n\t\t\tspin_lock(&n->list_lock);\n\t\t}\n\t} else {\n\t\tm = M_FULL;\n\t\tif (kmem_cache_debug(s) && !lock) {\n\t\t\tlock = 1;\n\t\t\t/*\n\t\t\t * This also ensures that the scanning of full\n\t\t\t * slabs from diagnostic functions will not see\n\t\t\t * any frozen slabs.\n\t\t\t */\n\t\t\tspin_lock(&n->list_lock);\n\t\t}\n\t}\n\n\tif (l != m) {\n\t\tif (l == M_PARTIAL)\n\t\t\tremove_partial(n, page);\n\t\telse if (l == M_FULL)\n\t\t\tremove_full(s, n, page);\n\n\t\tif (m == M_PARTIAL)\n\t\t\tadd_partial(n, page, tail);\n\t\telse if (m == M_FULL)\n\t\t\tadd_full(s, n, page);\n\t}\n\n\tl = m;\n\tif (!__cmpxchg_double_slab(s, page,\n\t\t\t\told.freelist, old.counters,\n\t\t\t\tnew.freelist, new.counters,\n\t\t\t\t\"unfreezing slab\"))\n\t\tgoto redo;\n\n\tif (lock)\n\t\tspin_unlock(&n->list_lock);\n\n\tif (m == M_PARTIAL)\n\t\tstat(s, tail);\n\telse if (m == M_FULL)\n\t\tstat(s, DEACTIVATE_FULL);\n\telse if (m == M_FREE) {\n\t\tstat(s, DEACTIVATE_EMPTY);\n\t\tdiscard_slab(s, page);\n\t\tstat(s, 
FREE_SLAB);\n\t}\n\n\tc->page = NULL;\n\tc->freelist = NULL;\n}", "project": "linux", "hash": 228558104902412318965634482181248959252, "size": 137, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280190 }, { "func": "static int prb_curr_blk_in_use(struct tpacket_block_desc *pbd)\n{\n\treturn TP_STATUS_USER & BLOCK_STATUS(pbd);\n}", "project": "linux", "hash": 272063916143306272001053456334259657125, "size": 4, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330403 }, { "func": "static inline void tcp_ca_event(struct sock *sk, const 
enum tcp_ca_event event)\n{\n\tconst struct inet_connection_sock *icsk = inet_csk(sk);\n\n\tif (icsk->icsk_ca_ops->cwnd_event)\n\t\ticsk->icsk_ca_ops->cwnd_event(sk, event);\n}", "project": "linux", "hash": 333995339054238966383161878156208579610, "size": 7, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410791 }, { "func": "R_API int r_socket_block_time(RSocket *s, int block, int sec, int usec) {\n#if __UNIX__\n\tint ret, flags;\n#endif\n\tif (!s) {\n\t\treturn false;\n\t}\n#if __UNIX__\n\tflags = fcntl (s->fd, F_GETFL, 0);\n\tif (flags < 0) {\n\t\treturn false;\n\t}\n\tret = fcntl (s->fd, F_SETFL, block?\n\t\t\t(flags & ~O_NONBLOCK):\n\t\t\t(flags | O_NONBLOCK));\n\tif (ret < 0) {\n\t\treturn false;\n\t}\n#elif __WINDOWS__\n\tioctlsocket (s->fd, FIONBIO, (u_long FAR*)&block);\n#endif\n\tif (sec > 0 || usec > 0) {\n\t\tstruct timeval tv = {sec, usec};\n\t\tif (setsockopt (s->fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tv, sizeof (tv)) < 0) {\n\t\t\treturn false;\n\t\t}\n\t}\n\treturn true;\n}", "project": "radare2", "hash": 281993977580223949998058349311397639301, "size": 29, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268973 }, { "func": "static int intGetTdEntry(Header h, rpmtd td, headerGetFlags flags)\n{\n indexEntry entry;\n int rc;\n\n /* First find the tag */\n /* FIX: h modified by sort. */\n entry = findEntry(h, td->tag, RPM_NULL_TYPE);\n if (entry == NULL) {\n\t/* Td is zeroed above, just return... */\n\treturn 0;\n }\n\n if (entry->info.type == RPM_I18NSTRING_TYPE && !(flags & HEADERGET_RAW))\n\trc = copyI18NEntry(h, entry, td, flags);\n else\n\trc = copyTdEntry(entry, td, flags);\n\n if (rc == 0)\n\ttd->flags |= RPMTD_INVALID;\n\n /* XXX 1 on success */\n return ((rc == 1) ? 
1 : 0);\n}", "project": "rpm", "hash": 9841129409287822886787292609950503247, "size": 24, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318184 }, { "func": "\nstatic void __io_rsrc_put_work(struct io_rsrc_node *ref_node)\n{\n\tstruct io_rsrc_data *rsrc_data = ref_node->rsrc_data;\n\tstruct io_ring_ctx *ctx = rsrc_data->ctx;\n\tstruct io_rsrc_put *prsrc, *tmp;\n\n\tlist_for_each_entry_safe(prsrc, tmp, &ref_node->rsrc_list, list) {\n\t\tlist_del(&prsrc->list);\n\n\t\tif (prsrc->tag) {\n\t\t\tbool lock_ring = ctx->flags & IORING_SETUP_IOPOLL;\n\t\t\tunsigned long flags;\n\n\t\t\tio_ring_submit_lock(ctx, lock_ring);\n\t\t\tspin_lock_irqsave(&ctx->completion_lock, flags);\n\t\t\tio_cqring_fill_event(ctx, prsrc->tag, 0, 0);\n\t\t\tctx->cq_extra++;\n\t\t\tio_commit_cqring(ctx);\n\t\t\tspin_unlock_irqrestore(&ctx->completion_lock, flags);\n\t\t\tio_cqring_ev_posted(ctx);\n\t\t\tio_ring_submit_unlock(ctx, lock_ring);\n\t\t}\n\n\t\trsrc_data->do_put(ctx, prsrc);\n\t\tkfree(prsrc);\n\t}\n\n\tio_rsrc_node_destroy(ref_node);\n\tif (atomic_dec_and_test(&rsrc_data->refs))\n\t\tcomplete(&rsrc_data->done);", "project": "linux", "hash": 162811571610978643935284975847867390318, "size": 31, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338551 }, { "func": "void opj_tcd_reinit_segment(opj_tcd_seg_t* seg)\n{\n memset(seg, 0, sizeof(opj_tcd_seg_t));\n}", "project": "openjpeg", "hash": 263823550213410232942342253239099864562, "size": 4, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359184 }, { "func": "static bool get_sockaddr(sockaddr *sa, socklen_t salen,\n Variant &address, Variant &port) {\n switch (sa->sa_family) {\n case AF_INET6:\n {\n struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;\n try {\n folly::SocketAddress addr;\n addr.setFromSockaddr(sin6);\n\n address = String(addr.getAddressStr(), CopyString);\n port = addr.getPort();\n } catch (...) {\n address = s_2colons;\n port = 0;\n }\n }\n return true;\n case AF_INET:\n {\n struct sockaddr_in *sin = (struct sockaddr_in *)sa;\n try {\n folly::SocketAddress addr;\n addr.setFromSockaddr(sin);\n\n address = String(addr.getAddressStr(), CopyString);\n port = addr.getPort();\n } catch (...) {\n address = s_0_0_0_0;\n port = 0;\n }\n }\n return true;\n case AF_UNIX:\n {\n#ifdef _MSC_VER\n address = String(\"Unsupported\");\n#else\n // NB: an unnamed socket has no path, and sun_path should not be\n // inspected. 
In that case the length is just the size of the\n // struct without sun_path.\n struct sockaddr_un *s_un = (struct sockaddr_un *)sa;\n if (salen > offsetof(sockaddr_un, sun_path)) {\n // - `sun_path` MAY have trailing nulls\n // - `sun_len` MAY include that trailing null on Linux.\n const auto max_path_len = salen - offsetof(struct sockaddr_un, sun_path);\n const auto actual_path_len = ::strnlen(s_un->sun_path, max_path_len);\n address = String(s_un->sun_path, actual_path_len, CopyString);\n } else {\n address = empty_string();\n }\n#endif\n }\n return true;\n\n default:\n break;\n }\n\n raise_warning(\"Unsupported address family %d\", sa->sa_family);\n return false;\n}", "project": "hhvm", "hash": 70356184115100411926844468820120290553, "size": 62, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219265 }, { "func": "int sc_pkcs15emu_tcos_init_ex(\n\tsc_pkcs15_card_t *p15card,\n\tstruct sc_aid *aid\n){\n\tsc_card_t *card = p15card->card;\n\tsc_context_t *ctx = p15card->card->ctx;\n\tsc_serial_number_t serialnr;\n\tchar serial[30];\n\tint r;\n\n\t/* check if we have the correct card OS unless SC_PKCS15EMU_FLAGS_NO_CHECK */\n\tif (card->type!=SC_CARD_TYPE_TCOS_V2 && card->type!=SC_CARD_TYPE_TCOS_V3) return SC_ERROR_WRONG_CARD;\n\n\t/* get the card serial number */\n\tr = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr);\n\tif (r < 0) {\n\t\tsc_log(ctx, \"unable to get ICCSN\\n\");\n\t\treturn SC_ERROR_WRONG_CARD;\n\t}\n\tsc_bin_to_hex(serialnr.value, serialnr.len , serial, sizeof(serial), 0);\n\tserial[19] = '\\0';\n\tset_string(&p15card->tokeninfo->serial_number, serial);\n\n\tif(!detect_netkey(p15card)) return SC_SUCCESS;\n\tif(!detect_idkey(p15card)) return SC_SUCCESS;\n\tif(!detect_unicard(p15card)) return SC_SUCCESS;\n\tif(!detect_signtrust(p15card)) return SC_SUCCESS;\n\tif(!detect_datev(p15card)) return 
SC_SUCCESS;\n\n\treturn SC_ERROR_INTERNAL;\n}", "project": "OpenSC", "hash": 184560724176551427347993456364307648180, "size": 31, "commit_id": "5df913b7f57ad89b9832555d24c08d23a534311e", "message": "tcos: Check bounds in insert_pin()\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383", "target": 0, "dataset": "other", "idx": 243963 }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLNode::add_child_copy(const XMLNode& n)\n{\n\tXMLNode *copy = new XMLNode(n);\n\t_children.insert(_children.end(), copy);\n\treturn copy;\n}", "idx": 519667, "cwe": "CWE-416", "hash": 329162364845724524239936052882701183417, "dataset": "other" }, { "func": "static void set_policy_for(h2_stream *stream, h2_request *r) \n{\n int enabled = h2_session_push_enabled(stream->session);\n stream->push_policy = h2_push_policy_determine(r->headers, stream->pool, enabled);\n r->serialize = h2_config_sgeti(stream->session->s, H2_CONF_SER_HEADERS);\n}", "project": "httpd", "hash": 209081447734607898892355330977829273018, "size": 6, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284235 }, { "func": "static inline Status ParseAndCheckBoxSizes(const Tensor& boxes,\n const Tensor& box_index,\n int* num_boxes) {\n if (boxes.NumElements() == 0 && box_index.NumElements() == 0) {\n *num_boxes = 0;\n return Status::OK();\n }\n // The shape of 'boxes' is [num_boxes, 4].\n if (boxes.dims() != 2) {\n return errors::InvalidArgument(\"boxes must be 2-D\",\n boxes.shape().DebugString());\n }\n *num_boxes = boxes.dim_size(0);\n if (boxes.dim_size(1) != 4) {\n return errors::InvalidArgument(\"boxes must have 4 columns\");\n }\n // The shape of 'box_index' is [num_boxes].\n 
if (box_index.dims() != 1) {\n return errors::InvalidArgument(\"box_index must be 1-D\",\n box_index.shape().DebugString());\n }\n if (box_index.dim_size(0) != *num_boxes) {\n return errors::InvalidArgument(\"box_index has incompatible shape\");\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 327348859222179558551343679127178889587, "size": 26, "commit_id": "3ade2efec2e90c6237de32a19680caaa3ebc2845", "message": "Fix segmentation fault in tf.image.crop_and_resize when boxes is inf or nan\n\nThis fix tries to address the issue raised in 42129 where segmentation fault\nhappened in tf.image.crop_and_resize when boxes is inf or nan.\n\nThis fix adds the check to make sure boxes is not inf or nan (isfinite)\n\nThis fix fixes 42129.\n\nSigned-off-by: Yong Tang ", "target": 1, "dataset": "other", "idx": 196330 }, { "func": "static inline Status ParseAndCheckBoxSizes(const Tensor& boxes,\n const Tensor& box_index,\n int* num_boxes) {\n if (boxes.NumElements() == 0 && box_index.NumElements() == 0) {\n *num_boxes = 0;\n return Status::OK();\n }\n // The shape of 'boxes' is [num_boxes, 4].\n if (boxes.dims() != 2) {\n return errors::InvalidArgument(\"boxes must be 2-D\",\n boxes.shape().DebugString());\n }\n *num_boxes = boxes.dim_size(0);\n if (boxes.dim_size(1) != 4) {\n return errors::InvalidArgument(\"boxes must have 4 columns\");\n }\n for (int64 i = 0; i < *num_boxes; i++) {\n for (int64 j = 0; j < 4; j++) {\n if (!isfinite(boxes.tensor()(i, j))) {\n return errors::InvalidArgument(\n \"boxes values must be finite, received boxes[\", i, \"]: \",\n boxes.tensor()(i, 0), \", \",\n boxes.tensor()(i, 1), \", \",\n boxes.tensor()(i, 2), \", \",\n boxes.tensor()(i, 3));\n }\n }\n }\n // The shape of 'box_index' is [num_boxes].\n if (box_index.dims() != 1) {\n return errors::InvalidArgument(\"box_index must be 1-D\",\n box_index.shape().DebugString());\n }\n if (box_index.dim_size(0) != *num_boxes) {\n return errors::InvalidArgument(\"box_index has incompatible 
shape\");\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 162824839659560449491498365320039591607, "size": 38, "commit_id": "3ade2efec2e90c6237de32a19680caaa3ebc2845", "message": "Fix segmentation fault in tf.image.crop_and_resize when boxes is inf or nan\n\nThis fix tries to address the issue raised in 42129 where segmentation fault\nhappened in tf.image.crop_and_resize when boxes is inf or nan.\n\nThis fix adds the check to make sure boxes is not inf or nan (isfinite)\n\nThis fix fixes 42129.\n\nSigned-off-by: Yong Tang ", "target": 0, "dataset": "other", "idx": 238855 }, { "func": " */\nstatic unsigned long bfq_bfqq_softrt_next_start(struct bfq_data *bfqd,\n\t\t\t\t\t\tstruct bfq_queue *bfqq)\n{\n\treturn max3(bfqq->soft_rt_next_start,\n\t\t bfqq->last_idle_bklogged +\n\t\t HZ * bfqq->service_from_backlogged /\n\t\t bfqd->bfq_wr_max_softrt_rate,\n\t\t jiffies + nsecs_to_jiffies(bfqq->bfqd->bfq_slice_idle) + 4);", "project": "linux", "hash": 198804499718208767870477186555544878302, "size": 9, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453402 }, { "func": "static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)\n{\n\tmmap_write_lock(oldmm);\n\tRCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));\n\tmmap_write_unlock(oldmm);\n\treturn 0;\n}", "project": "linux", "hash": 129693139207930042463461552124211617076, "size": 7, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293643 }, { "func": "static __latent_entropy int dup_mmap(struct mm_struct *mm,\n\t\t\t\t\tstruct mm_struct *oldmm)\n{\n\tstruct 
vm_area_struct *mpnt, *tmp, *prev, **pprev;\n\tstruct rb_node **rb_link, *rb_parent;\n\tint retval;\n\tunsigned long charge;\n\tLIST_HEAD(uf);\n\n\tuprobe_start_dup_mmap();\n\tif (mmap_write_lock_killable(oldmm)) {\n\t\tretval = -EINTR;\n\t\tgoto fail_uprobe_end;\n\t}\n\tflush_cache_dup_mm(oldmm);\n\tuprobe_dup_mmap(oldmm, mm);\n\t/*\n\t * Not linked in yet - no deadlock potential:\n\t */\n\tmmap_write_lock_nested(mm, SINGLE_DEPTH_NESTING);\n\n\t/* No ordering required: file already has been exposed. */\n\tRCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));\n\n\tmm->total_vm = oldmm->total_vm;\n\tmm->data_vm = oldmm->data_vm;\n\tmm->exec_vm = oldmm->exec_vm;\n\tmm->stack_vm = oldmm->stack_vm;\n\n\trb_link = &mm->mm_rb.rb_node;\n\trb_parent = NULL;\n\tpprev = &mm->mmap;\n\tretval = ksm_fork(mm, oldmm);\n\tif (retval)\n\t\tgoto out;\n\tretval = khugepaged_fork(mm, oldmm);\n\tif (retval)\n\t\tgoto out;\n\n\tprev = NULL;\n\tfor (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {\n\t\tstruct file *file;\n\n\t\tif (mpnt->vm_flags & VM_DONTCOPY) {\n\t\t\tvm_stat_account(mm, mpnt->vm_flags, -vma_pages(mpnt));\n\t\t\tcontinue;\n\t\t}\n\t\tcharge = 0;\n\t\t/*\n\t\t * Don't duplicate many vmas if we've been oom-killed (for\n\t\t * example)\n\t\t */\n\t\tif (fatal_signal_pending(current)) {\n\t\t\tretval = -EINTR;\n\t\t\tgoto out;\n\t\t}\n\t\tif (mpnt->vm_flags & VM_ACCOUNT) {\n\t\t\tunsigned long len = vma_pages(mpnt);\n\n\t\t\tif (security_vm_enough_memory_mm(oldmm, len)) /* sic */\n\t\t\t\tgoto fail_nomem;\n\t\t\tcharge = len;\n\t\t}\n\t\ttmp = vm_area_dup(mpnt);\n\t\tif (!tmp)\n\t\t\tgoto fail_nomem;\n\t\tretval = vma_dup_policy(mpnt, tmp);\n\t\tif (retval)\n\t\t\tgoto fail_nomem_policy;\n\t\ttmp->vm_mm = mm;\n\t\tretval = dup_userfaultfd(tmp, &uf);\n\t\tif (retval)\n\t\t\tgoto fail_nomem_anon_vma_fork;\n\t\tif (tmp->vm_flags & VM_WIPEONFORK) {\n\t\t\t/*\n\t\t\t * VM_WIPEONFORK gets a clean slate in the child.\n\t\t\t * Don't prepare anon_vma until fault since we 
don't\n\t\t\t * copy page for current vma.\n\t\t\t */\n\t\t\ttmp->anon_vma = NULL;\n\t\t} else if (anon_vma_fork(tmp, mpnt))\n\t\t\tgoto fail_nomem_anon_vma_fork;\n\t\ttmp->vm_flags &= ~(VM_LOCKED | VM_LOCKONFAULT);\n\t\tfile = tmp->vm_file;\n\t\tif (file) {\n\t\t\tstruct inode *inode = file_inode(file);\n\t\t\tstruct address_space *mapping = file->f_mapping;\n\n\t\t\tget_file(file);\n\t\t\tif (tmp->vm_flags & VM_DENYWRITE)\n\t\t\t\tput_write_access(inode);\n\t\t\ti_mmap_lock_write(mapping);\n\t\t\tif (tmp->vm_flags & VM_SHARED)\n\t\t\t\tmapping_allow_writable(mapping);\n\t\t\tflush_dcache_mmap_lock(mapping);\n\t\t\t/* insert tmp into the share list, just after mpnt */\n\t\t\tvma_interval_tree_insert_after(tmp, mpnt,\n\t\t\t\t\t&mapping->i_mmap);\n\t\t\tflush_dcache_mmap_unlock(mapping);\n\t\t\ti_mmap_unlock_write(mapping);\n\t\t}\n\n\t\t/*\n\t\t * Clear hugetlb-related page reserves for children. This only\n\t\t * affects MAP_PRIVATE mappings. Faults generated by the child\n\t\t * are not guaranteed to succeed, even if read-only\n\t\t */\n\t\tif (is_vm_hugetlb_page(tmp))\n\t\t\treset_vma_resv_huge_pages(tmp);\n\n\t\t/*\n\t\t * Link in the new vma and copy the page table entries.\n\t\t */\n\t\t*pprev = tmp;\n\t\tpprev = &tmp->vm_next;\n\t\ttmp->vm_prev = prev;\n\t\tprev = tmp;\n\n\t\t__vma_link_rb(mm, tmp, rb_link, rb_parent);\n\t\trb_link = &tmp->vm_rb.rb_right;\n\t\trb_parent = &tmp->vm_rb;\n\n\t\tmm->map_count++;\n\t\tif (!(tmp->vm_flags & VM_WIPEONFORK))\n\t\t\tretval = copy_page_range(tmp, mpnt);\n\n\t\tif (tmp->vm_ops && tmp->vm_ops->open)\n\t\t\ttmp->vm_ops->open(tmp);\n\n\t\tif (retval)\n\t\t\tgoto out;\n\t}\n\t/* a new mm has just been created */\n\tretval = arch_dup_mmap(oldmm, mm);\nout:\n\tmmap_write_unlock(mm);\n\tflush_tlb_mm(oldmm);\n\tmmap_write_unlock(oldmm);\n\tdup_userfaultfd_complete(&uf);\nfail_uprobe_end:\n\tuprobe_end_dup_mmap();\n\treturn 
retval;\nfail_nomem_anon_vma_fork:\n\tmpol_put(vma_policy(tmp));\nfail_nomem_policy:\n\tvm_area_free(tmp);\nfail_nomem:\n\tretval = -ENOMEM;\n\tvm_unacct_memory(charge);\n\tgoto out;\n}", "project": "linux", "hash": 230410561545710926387850335257456040844, "size": 151, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293722 }, { "func": "void CSoundFile::ExtendedS3MCommands(CHANNELINDEX nChn, ModCommand::PARAM param)\n{\n\tModChannel *pChn = &m_PlayState.Chn[nChn];\n\tuint8 command = param & 0xF0;\n\tparam &= 0x0F;\n\tswitch(command)\n\t{\n\t// S0x: Set Filter\n\t// S1x: Set Glissando Control\n\tcase 0x10:\tpChn->dwFlags.set(CHN_GLISSANDO, param != 0); break;\n\t// S2x: Set FineTune\n\tcase 0x20:\tif(!m_SongFlags[SONG_FIRSTTICK]) break;\n\t\t\t\tif(GetType() != MOD_TYPE_669)\n\t\t\t\t{\n\t\t\t\t\tpChn->nC5Speed = S3MFineTuneTable[param];\n\t\t\t\t\tpChn->nFineTune = MOD2XMFineTune(param);\n\t\t\t\t\tif (pChn->nPeriod) pChn->nPeriod = GetPeriodFromNote(pChn->nNote, pChn->nFineTune, pChn->nC5Speed);\n\t\t\t\t} else if(pChn->pModSample != nullptr)\n\t\t\t\t{\n\t\t\t\t\tpChn->nC5Speed = pChn->pModSample->nC5Speed + param * 80;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t// S3x: Set Vibrato Waveform\n\tcase 0x30:\tif(GetType() == MOD_TYPE_S3M)\n\t\t\t\t{\n\t\t\t\t\tpChn->nVibratoType = param & 0x03;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\t// IT compatibility: Ignore waveform types > 3\n\t\t\t\t\tif(m_playBehaviour[kITVibratoTremoloPanbrello])\n\t\t\t\t\t\tpChn->nVibratoType = (param < 0x04) ? 
param : 0;\n\t\t\t\t\telse\n\t\t\t\t\t\tpChn->nVibratoType = param & 0x07;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t// S4x: Set Tremolo Waveform\n\tcase 0x40:\tif(GetType() == MOD_TYPE_S3M)\n\t\t\t\t{\n\t\t\t\t\tpChn->nTremoloType = param & 0x03;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\t// IT compatibility: Ignore waveform types > 3\n\t\t\t\t\tif(m_playBehaviour[kITVibratoTremoloPanbrello])\n\t\t\t\t\t\tpChn->nTremoloType = (param < 0x04) ? param : 0;\n\t\t\t\t\telse\n\t\t\t\t\t\tpChn->nTremoloType = param & 0x07;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t// S5x: Set Panbrello Waveform\n\tcase 0x50:\n\t\t// IT compatibility: Ignore waveform types > 3\n\t\t\t\tif(m_playBehaviour[kITVibratoTremoloPanbrello])\n\t\t\t\t{\n\t\t\t\t\tpChn->nPanbrelloType = (param < 0x04) ? param : 0;\n\t\t\t\t\tpChn->nPanbrelloPos = 0;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\tpChn->nPanbrelloType = param & 0x07;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t// S6x: Pattern Delay for x frames\n\tcase 0x60:\n\t\t\t\tif(m_SongFlags[SONG_FIRSTTICK] && m_PlayState.m_nTickCount == 0)\n\t\t\t\t{\n\t\t\t\t\t// Tick delays are added up.\n\t\t\t\t\t// Scream Tracker 3 does actually not support this command.\n\t\t\t\t\t// We'll use the same behaviour as for Impulse Tracker, as we can assume that\n\t\t\t\t\t// most S3Ms that make use of this command were made with Impulse Tracker.\n\t\t\t\t\t// MPT added this command to the XM format through the X6x effect, so we will use\n\t\t\t\t\t// the same behaviour here as well.\n\t\t\t\t\t// Test cases: PatternDelays.it, PatternDelays.s3m, PatternDelays.xm\n\t\t\t\t\tm_PlayState.m_nFrameDelay += param;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t// S7x: Envelope Control / Instrument Control\n\tcase 0x70:\tif(!m_SongFlags[SONG_FIRSTTICK]) break;\n\t\t\t\tswitch(param)\n\t\t\t\t{\n\t\t\t\tcase 0:\n\t\t\t\tcase 1:\n\t\t\t\tcase 2:\n\t\t\t\t\t{\n\t\t\t\t\t\tModChannel *bkp = &m_PlayState.Chn[m_nChannels];\n\t\t\t\t\t\tfor (CHANNELINDEX i=m_nChannels; inMasterChn == nChn+1)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tif (param == 
1)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tKeyOff(bkp);\n\t\t\t\t\t\t\t\t} else if (param == 2)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tbkp->dwFlags.set(CHN_NOTEFADE);\n\t\t\t\t\t\t\t\t} else\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tbkp->dwFlags.set(CHN_NOTEFADE);\n\t\t\t\t\t\t\t\t\tbkp->nFadeOutVol = 0;\n\t\t\t\t\t\t\t\t}\n#ifndef NO_PLUGINS\n\t\t\t\t\t\t\t\tconst ModInstrument *pIns = bkp->pModInstrument;\n\t\t\t\t\t\t\t\tIMixPlugin *pPlugin;\n\t\t\t\t\t\t\t\tif(pIns != nullptr && pIns->nMixPlug && (pPlugin = m_MixPlugins[pIns->nMixPlug - 1].pMixPlugin) != nullptr)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tpPlugin->MidiCommand(GetBestMidiChannel(nChn), pIns->nMidiProgram, pIns->wMidiBank, bkp->nNote + NOTE_MAX_SPECIAL, 0, nChn);\n\t\t\t\t\t\t\t\t}\n#endif // NO_PLUGINS\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\tcase 3:\t\tpChn->nNNA = NNA_NOTECUT; break;\n\t\t\t\tcase 4:\t\tpChn->nNNA = NNA_CONTINUE; break;\n\t\t\t\tcase 5:\t\tpChn->nNNA = NNA_NOTEOFF; break;\n\t\t\t\tcase 6:\t\tpChn->nNNA = NNA_NOTEFADE; break;\n\t\t\t\tcase 7:\t\tpChn->VolEnv.flags.reset(ENV_ENABLED); break;\n\t\t\t\tcase 8:\t\tpChn->VolEnv.flags.set(ENV_ENABLED); break;\n\t\t\t\tcase 9:\t\tpChn->PanEnv.flags.reset(ENV_ENABLED); break;\n\t\t\t\tcase 10:\tpChn->PanEnv.flags.set(ENV_ENABLED); break;\n\t\t\t\tcase 11:\tpChn->PitchEnv.flags.reset(ENV_ENABLED); break;\n\t\t\t\tcase 12:\tpChn->PitchEnv.flags.set(ENV_ENABLED); break;\n\t\t\t\tcase 13:\t// S7D: Enable pitch envelope, force to play as pitch envelope\n\t\t\t\tcase 14:\t// S7E: Enable pitch envelope, force to play as filter envelope\n\t\t\t\t\tif(GetType() == MOD_TYPE_MPT)\n\t\t\t\t\t{\n\t\t\t\t\t\tpChn->PitchEnv.flags.set(ENV_ENABLED);\n\t\t\t\t\t\tpChn->PitchEnv.flags.set(ENV_FILTER, param != 13);\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t// S8x: Set 4-bit Panning\n\tcase 0x80:\n\t\tif(m_SongFlags[SONG_FIRSTTICK])\n\t\t{\n\t\t\tPanning(pChn, param, Pan4bit);\n\t\t}\n\t\tbreak;\n\t// S9x: Sound 
Control\n\tcase 0x90:\tExtendedChannelEffect(pChn, param); break;\n\t// SAx: Set 64k Offset\n\tcase 0xA0:\tif(m_SongFlags[SONG_FIRSTTICK])\n\t\t\t\t{\n\t\t\t\t\tpChn->nOldHiOffset = static_cast(param);\n\t\t\t\t\tif (!m_playBehaviour[kITHighOffsetNoRetrig] && pChn->rowCommand.IsNote())\n\t\t\t\t\t{\n\t\t\t\t\t\tSmpLength pos = param << 16;\n\t\t\t\t\t\tif (pos < pChn->nLength) pChn->position.SetInt(pos);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\t// SBx: Pattern Loop\n\t// SCx: Note Cut\n\tcase 0xC0:\n\t\tif(param == 0)\n\t\t{\n\t\t\t//IT compatibility 22. SC0 == SC1\n\t\t\tif(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT))\n\t\t\t\tparam = 1;\n\t\t\t// ST3 doesn't cut notes with SC0\n\t\t\telse if(GetType() == MOD_TYPE_S3M)\n\t\t\t\treturn;\n\t\t}\n\t\t// S3M/IT compatibility: Note Cut really cuts notes and does not just mute them (so that following volume commands could restore the sample)\n\t\t// Test case: scx.it\n\t\tNoteCut(nChn, param, m_playBehaviour[kITSCxStopsSample] || GetType() == MOD_TYPE_S3M);\n\t\tbreak;\n\t// SDx: Note Delay\n\t// SEx: Pattern Delay for x rows\n\t// SFx: S3M: Not used, IT: Set Active Midi Macro\n\tcase 0xF0:\n\t\tif(GetType() != MOD_TYPE_S3M)\n\t\t{\n\t\t\tpChn->nActiveMacro = static_cast(param);\n\t\t}\n\t\tbreak;\n\t}\n}", "project": "openmpt", "hash": 281140335538073875129149978616954941363, "size": 177, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255216 }, { "func": "static zend_bool php_auto_globals_create_get(zend_string *name)\n{\n\tif (PG(variables_order) && (strchr(PG(variables_order),'G') || strchr(PG(variables_order),'g'))) {\n\t\tsapi_module.treat_data(PARSE_GET, NULL, 
NULL);\n\t} else {\n\t\tzval_ptr_dtor(&PG(http_globals)[TRACK_VARS_GET]);\n\t\tarray_init(&PG(http_globals)[TRACK_VARS_GET]);\n\t}\n\n\tzend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_GET]);\n\tZ_ADDREF(PG(http_globals)[TRACK_VARS_GET]);\n\n\treturn 0; /* don't rearm */\n}", "project": "php-src", "hash": 311346380094484964132411694861562190058, "size": 14, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374970 }, { "func": "static intel_engine_mask_t virtual_submission_mask(struct virtual_engine *ve)\n{\n\tstruct i915_request *rq;\n\tintel_engine_mask_t mask;\n\n\trq = READ_ONCE(ve->request);\n\tif (!rq)\n\t\treturn 0;\n\n\t/* The rq is ready for submission; rq->execution_mask is now stable. */\n\tmask = rq->execution_mask;\n\tif (unlikely(!mask)) {\n\t\t/* Invalid selection, submit to a random engine in error */\n\t\ti915_request_skip(rq, -ENODEV);\n\t\tmask = ve->siblings[0]->mask;\n\t}\n\n\tGEM_TRACE(\"%s: rq=%llx:%lld, mask=%x, prio=%d\\n\",\n\t\t ve->base.name,\n\t\t rq->fence.context, rq->fence.seqno,\n\t\t mask, ve->base.execlists.queue_priority_hint);\n\n\treturn mask;\n}", "project": "linux", "hash": 146276551557867064142985939016914762986, "size": 24, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281499 }, { "func": "void rfbDecrClientRef(rfbClientPtr cl) {}", "project": "libvncserver", "hash": 13942778540591176142266363323598205500, "size": 1, "commit_id": "673c07a75ed844d74676f3ccdcfdc706a7052dba", "message": "libvncserver/rfbserver: fix possible divide-by-zero\n\nCloses #409", "target": 0, "dataset": "other", "idx": 295872 }, { "func": "void rfbDecrClientRef(rfbClientPtr cl)\n{\n LOCK(cl->refCountMutex);\n cl->refCount--;\n if(cl->refCount<=0) /* just to be sure also < 0 */\n TSIGNAL(cl->deleteCond);\n UNLOCK(cl->refCountMutex);\n}", "project": "libvncserver", "hash": 244794453525977160052616027813185930694, "size": 8, "commit_id": "673c07a75ed844d74676f3ccdcfdc706a7052dba", "message": "libvncserver/rfbserver: fix possible divide-by-zero\n\nCloses #409", "target": 0, "dataset": "other", "idx": 295875 }, { "func": "static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,\n\t\tvoid *frame, struct net_device *dev, void *data, int tp_len,\n\t\t__be16 proto, unsigned char *addr, int hlen, int copylen,\n\t\tconst struct sockcm_cookie *sockc)\n{\n\tunion tpacket_uhdr ph;\n\tint to_write, offset, len, nr_frags, len_max;\n\tstruct socket *sock = po->sk.sk_socket;\n\tstruct page *page;\n\tint err;\n\n\tph.raw = frame;\n\n\tskb->protocol = proto;\n\tskb->dev = dev;\n\tskb->priority = po->sk.sk_priority;\n\tskb->mark = po->sk.sk_mark;\n\tskb->tstamp = sockc->transmit_time;\n\tskb_setup_tx_timestamp(skb, sockc->tsflags);\n\tskb_zcopy_set_nouarg(skb, ph.raw);\n\n\tskb_reserve(skb, hlen);\n\tskb_reset_network_header(skb);\n\n\tto_write = 
tp_len;\n\n\tif (sock->type == SOCK_DGRAM) {\n\t\terr = dev_hard_header(skb, dev, ntohs(proto), addr,\n\t\t\t\tNULL, tp_len);\n\t\tif (unlikely(err < 0))\n\t\t\treturn -EINVAL;\n\t} else if (copylen) {\n\t\tint hdrlen = min_t(int, copylen, tp_len);\n\n\t\tskb_push(skb, dev->hard_header_len);\n\t\tskb_put(skb, copylen - dev->hard_header_len);\n\t\terr = skb_store_bits(skb, 0, data, hdrlen);\n\t\tif (unlikely(err))\n\t\t\treturn err;\n\t\tif (!dev_validate_header(dev, skb->data, hdrlen))\n\t\t\treturn -EINVAL;\n\n\t\tdata += hdrlen;\n\t\tto_write -= hdrlen;\n\t}\n\n\toffset = offset_in_page(data);\n\tlen_max = PAGE_SIZE - offset;\n\tlen = ((to_write > len_max) ? len_max : to_write);\n\n\tskb->data_len = to_write;\n\tskb->len += to_write;\n\tskb->truesize += to_write;\n\trefcount_add(to_write, &po->sk.sk_wmem_alloc);\n\n\twhile (likely(to_write)) {\n\t\tnr_frags = skb_shinfo(skb)->nr_frags;\n\n\t\tif (unlikely(nr_frags >= MAX_SKB_FRAGS)) {\n\t\t\tpr_err(\"Packet exceed the number of skb frags(%lu)\\n\",\n\t\t\t MAX_SKB_FRAGS);\n\t\t\treturn -EFAULT;\n\t\t}\n\n\t\tpage = pgv_to_page(data);\n\t\tdata += len;\n\t\tflush_dcache_page(page);\n\t\tget_page(page);\n\t\tskb_fill_page_desc(skb, nr_frags, page, offset, len);\n\t\tto_write -= len;\n\t\toffset = 0;\n\t\tlen_max = PAGE_SIZE;\n\t\tlen = ((to_write > len_max) ? 
len_max : to_write);\n\t}\n\n\tpacket_parse_headers(skb, sock);\n\n\treturn tp_len;\n}", "project": "linux", "hash": 145897326053460069189935664172162707550, "size": 79, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330399 }, { "func": "Status MaybeAppendVersionWarning(const VersionDef* versions,\n const Status& import_status) {\n if (versions && ForwardCompatibilityWindowPassed(*versions)) {\n return Status(\n import_status.code(),\n absl::StrCat(\n \"Converting GraphDef to Graph has failed with an error: '\",\n import_status.error_message(),\n \"' The binary trying to import the GraphDef was built when \"\n \"GraphDef version was \",\n TF_GRAPH_DEF_VERSION,\n \". The GraphDef was produced by a binary built when GraphDef \"\n \"version was \",\n versions->producer(),\n \". 
The difference between these versions is larger than \"\n \"TensorFlow's forward compatibility guarantee, and might be the \"\n \"root cause for failing to import the GraphDef.\"));\n }\n return import_status;\n}", "project": "tensorflow", "hash": 37277311893870470276157400904439697500, "size": 20, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268346 }, { "func": "static void fuse_sysfs_cleanup(void)\n{\n\tsysfs_remove_mount_point(fuse_kobj, \"connections\");\n\tkobject_put(fuse_kobj);\n}", "project": "linux", "hash": 237782382531068903079691011382996420611, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342135 }, { "func": "UnicodeString::releaseArray() {\n if((fUnion.fFields.fLengthAndFlags & kRefCounted) && removeRef() == 0) {\n uprv_free((int32_t *)fUnion.fFields.fArray - 1);\n }\n}", "project": "icu", "hash": 201031594077475476284048930300872004011, "size": 5, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430786 }, { "func": "UnicodeString &UnicodeString::operator=(UnicodeString &&src) U_NOEXCEPT {\n // No explicit check for self move assignment, consistent with standard library.\n // Self move assignment causes no crash nor leak but might make the object bogus.\n releaseArray();\n copyFieldsFrom(src, TRUE);\n return *this;\n}", "project": "icu", "hash": 54300326970283331418271987938106339286, "size": 7, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430858 }, { "func": "void set_mm_exe_file(struct mm_struct *mm, struct file *new_exe_file)\n{\n\tstruct file *old_exe_file;\n\n\t/*\n\t * It is safe to dereference the exe_file without RCU as\n\t * this function is only called if nobody else can access\n\t * this mm -- see comment above for 
justification.\n\t */\n\told_exe_file = rcu_dereference_raw(mm->exe_file);\n\n\tif (new_exe_file)\n\t\tget_file(new_exe_file);\n\trcu_assign_pointer(mm->exe_file, new_exe_file);\n\tif (old_exe_file)\n\t\tfput(old_exe_file);\n}", "project": "linux", "hash": 90355923986486522185560957562593776530, "size": 17, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293726 }, { "func": "static void kvm_s390_sync_request_broadcast(struct kvm *kvm, int req)\n{\n\tint cx;\n\tstruct kvm_vcpu *vcpu;\n\n\tkvm_for_each_vcpu(cx, vcpu, kvm)\n\t\tkvm_s390_sync_request(req, vcpu);\n}", "project": "linux", "hash": 238492261311250957101965968727572921044, "size": 8, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354779 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "void WebGraphicsContext3DDefaultImpl::synthesizeGLError(unsigned long error)\n{\n m_syntheticErrors.add(error);\n}\n", 
"cwe": "", "big_vul_idx": 99027, "idx": 89081, "hash": 112914502995466514000980784578842146538 }, { "func": "static int fuse_rename2(struct inode *olddir, struct dentry *oldent,\n\t\t\tstruct inode *newdir, struct dentry *newent,\n\t\t\tunsigned int flags)\n{\n\tstruct fuse_conn *fc = get_fuse_conn(olddir);\n\tint err;\n\n\tif (fuse_is_bad(olddir))\n\t\treturn -EIO;\n\n\tif (flags & ~(RENAME_NOREPLACE | RENAME_EXCHANGE | RENAME_WHITEOUT))\n\t\treturn -EINVAL;\n\n\tif (flags) {\n\t\tif (fc->no_rename2 || fc->minor < 23)\n\t\t\treturn -EINVAL;\n\n\t\terr = fuse_rename_common(olddir, oldent, newdir, newent, flags,\n\t\t\t\t\t FUSE_RENAME2,\n\t\t\t\t\t sizeof(struct fuse_rename2_in));\n\t\tif (err == -ENOSYS) {\n\t\t\tfc->no_rename2 = 1;\n\t\t\terr = -EINVAL;\n\t\t}\n\t} else {\n\t\terr = fuse_rename_common(olddir, oldent, newdir, newent, 0,\n\t\t\t\t\t FUSE_RENAME,\n\t\t\t\t\t sizeof(struct fuse_rename_in));\n\t}\n\n\treturn err;\n}", "project": "linux", "hash": 230830133309366698870228118182401959538, "size": 32, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342141 }, { "func": "static bool sig_ignored(struct task_struct *t, int sig, bool force)\n{\n\t/*\n\t * Blocked signals are never ignored, since the\n\t * signal handler may change by the time it is\n\t * unblocked.\n\t */\n\tif (sigismember(&t->blocked, sig) || sigismember(&t->real_blocked, sig))\n\t\treturn false;\n\n\t/*\n\t * Tracers may want to know about even ignored signal unless it\n\t * is SIGKILL which can't be reported anyway but can be ignored\n\t * by SIGNAL_UNKILLABLE task.\n\t */\n\tif (t->ptrace && sig != SIGKILL)\n\t\treturn false;\n\n\treturn sig_task_ignored(t, sig, force);\n}", "project": "linux", "hash": 58254238224919146627568621472389335926, "size": 20, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375196 }, { "func": "static int has_utab_entry(struct libmnt_context *cxt, const char *target)\n{\n\tstruct libmnt_cache *cache = NULL;\n\tstruct libmnt_fs *fs;\n\tstruct libmnt_iter itr;\n\tchar *cn = NULL;\n\tint rc = 0;\n\n\tassert(cxt);\n\n\tif (!cxt->utab) {\n\t\tconst char *path = mnt_get_utab_path();\n\n\t\tif (!path || is_file_empty(path))\n\t\t\treturn 0;\n\t\tcxt->utab = mnt_new_table();\n\t\tif (!cxt->utab)\n\t\t\treturn 0;\n\t\tcxt->utab->fmt = MNT_FMT_UTAB;\n\t\tif (mnt_table_parse_file(cxt->utab, path))\n\t\t\treturn 0;\n\t}\n\n\t/* paths in utab are canonicalized */\n\tcache = mnt_context_get_cache(cxt);\n\tcn = mnt_resolve_path(target, cache);\n\tmnt_reset_iter(&itr, MNT_ITER_BACKWARD);\n\n\twhile (mnt_table_next_fs(cxt->utab, &itr, &fs) == 0) {\n\t\tif (mnt_fs_streq_target(fs, cn)) {\n\t\t\trc = 1;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (!cache)\n\t\tfree(cn);\n\treturn rc;\n}", "project": "util-linux", "hash": 296737102618458410961341778708836742651, "size": 39, "commit_id": 
"57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410423 }, { "func": "static inline void perf_get_data_addr(struct perf_event *event, struct pt_regs *regs, u64 *addrp) { }", "project": "linux", "hash": 173955947728960832041913836208347248611, "size": 1, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374685 }, { "func": "static inline void perf_get_data_addr(struct perf_event *event, struct pt_regs *regs, u64 *addrp)\n{\n\tunsigned long mmcra = regs->dsisr;\n\tbool sdar_valid;\n\n\tif (ppmu->flags & PPMU_HAS_SIER)\n\t\tsdar_valid = regs->dar & SIER_SDAR_VALID;\n\telse {\n\t\tunsigned long sdsync;\n\n\t\tif (ppmu->flags & PPMU_SIAR_VALID)\n\t\t\tsdsync = POWER7P_MMCRA_SDAR_VALID;\n\t\telse if (ppmu->flags & PPMU_ALT_SIPR)\n\t\t\tsdsync = POWER6_MMCRA_SDSYNC;\n\t\telse if (ppmu->flags & PPMU_NO_SIAR)\n\t\t\tsdsync = MMCRA_SAMPLE_ENABLE;\n\t\telse\n\t\t\tsdsync = MMCRA_SDSYNC;\n\n\t\tsdar_valid = mmcra & sdsync;\n\t}\n\n\tif (!(mmcra & MMCRA_SAMPLE_ENABLE) || sdar_valid)\n\t\t*addrp = mfspr(SPRN_SDAR);\n\n\tif (is_kernel_addr(mfspr(SPRN_SDAR)) && event->attr.exclude_kernel)\n\t\t*addrp = 0;\n}", "project": "linux", "hash": 290514798756806542497953639746796248482, "size": 28, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR 
perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374735 }, { "func": "void proto_register_dvb_s2_modeadapt(void)\n{\n module_t *dvb_s2_modeadapt_module;\n\n static hf_register_info hf_modeadapt[] = {\n {&hf_dvb_s2_modeadapt_sync, {\n \"Sync Byte\", \"dvb-s2_modeadapt.sync\",\n FT_UINT8, BASE_HEX, NULL, 0x0,\n \"Das Sync Byte\", HFILL}\n },\n {&hf_dvb_s2_modeadapt_acm, {\n \"ACM command\", \"dvb-s2_modeadapt.acmcmd\",\n FT_UINT8, BASE_HEX, NULL, 0x0,\n NULL, HFILL}\n },\n {&hf_dvb_s2_modeadapt_acm_fecframe, {\n \"FEC frame size\", \"dvb-s2_modeadapt.acmcmd.fecframe\",\n FT_BOOLEAN, 8, TFS(&tfs_modeadapt_fecframe), DVB_S2_MODEADAPT_FECFRAME_MASK,\n \"FEC\", HFILL}\n },\n {&hf_dvb_s2_modeadapt_acm_pilot, {\n \"Pilots configuration\", \"dvb-s2_modeadapt.acmcmd.pilots\",\n FT_BOOLEAN, 8, TFS(&tfs_modeadapt_pilots), DVB_S2_MODEADAPT_PILOTS_MASK,\n \"Pilots\", HFILL}\n },\n {&hf_dvb_s2_modeadapt_acm_modcod, {\n \"Modcod indicator\", \"dvb-s2_modeadapt.acmcmd.modcod\",\n FT_UINT8, BASE_DEC|BASE_EXT_STRING, 
&modeadapt_modcods_ext, DVB_S2_MODEADAPT_MODCODS_MASK,\n \"Modcod\", HFILL}\n },\n {&hf_dvb_s2_modeadapt_acm_modcod_s2x, {\n \"Modcod indicator\", \"dvb-s2_modeadapt.acmcmd.modcod\",\n FT_UINT8, BASE_DEC|BASE_EXT_STRING, &modeadapt_modcods_ext, DVB_S2_MODEADAPT_MODCODS_S2X_MASK,\n \"Modcod S2X\", HFILL}\n },\n {&hf_dvb_s2_modeadapt_cni, {\n \"Carrier to Noise [dB]\", \"dvb-s2_modeadapt.cni\",\n FT_UINT8, BASE_DEC|BASE_EXT_STRING, &modeadapt_esno_ext, 0x0,\n \"CNI\", HFILL}\n },\n {&hf_dvb_s2_modeadapt_frameno, {\n \"Frame number\", \"dvb-s2_modeadapt.frameno\",\n FT_UINT8, BASE_DEC, NULL, 0x0,\n \"fno\", HFILL}\n }\n };\n\n/* Setup protocol subtree array */\n static gint *ett_modeadapt[] = {\n &ett_dvb_s2_modeadapt,\n &ett_dvb_s2_modeadapt_acm\n };\n\n static hf_register_info hf_bb[] = {\n {&hf_dvb_s2_bb_matype1, {\n \"MATYPE1\", \"dvb-s2_bb.matype1\",\n FT_UINT8, BASE_HEX, NULL, 0x0,\n \"MATYPE1 Header Field\", HFILL}\n },\n {&hf_dvb_s2_bb_matype1_gs, {\n \"TS/GS Stream Input\", \"dvb-s2_bb.matype1.tsgs\",\n FT_UINT8, BASE_DEC, VALS(bb_tsgs), DVB_S2_BB_TSGS_MASK,\n \"Transport Stream Input or Generic Stream Input\", HFILL}\n },\n {&hf_dvb_s2_bb_matype1_mis, {\n \"Input Stream\", \"dvb-s2_bb.matype1.mis\",\n FT_BOOLEAN, 8, TFS(&tfs_bb_mis), DVB_S2_BB_MIS_MASK,\n \"Single Input Stream or Multiple Input Stream\", HFILL}\n },\n {&hf_dvb_s2_bb_matype1_acm, {\n \"Coding and Modulation\", \"dvb-s2_bb.matype1.acm\",\n FT_BOOLEAN, 8, TFS(&tfs_bb_acm), DVB_S2_BB_ACM_MASK,\n \"Constant Coding and Modulation or Adaptive Coding and Modulation\", HFILL}\n },\n {&hf_dvb_s2_bb_matype1_issyi, {\n \"ISSYI\", \"dvb-s2_bb.matype1.issyi\",\n FT_BOOLEAN, 8, TFS(&tfs_bb_issyi), DVB_S2_BB_ISSYI_MASK,\n \"Input Stream Synchronization Indicator\", HFILL}\n },\n {&hf_dvb_s2_bb_matype1_npd, {\n \"NPD\", \"dvb-s2_bb.matype1.npd\",\n FT_BOOLEAN, 8, TFS(&tfs_bb_npd), DVB_S2_BB_NPD_MASK,\n \"Null-packet deletion enabled\", HFILL}\n },\n {&hf_dvb_s2_bb_matype1_high_ro, {\n \"RO\", 
\"dvb-s2_bb.matype1.ro\",\n FT_UINT8, BASE_DEC, VALS(bb_high_ro), DVB_S2_BB_RO_MASK,\n \"Transmission Roll-off factor\", HFILL}\n },\n {&hf_dvb_s2_bb_matype1_low_ro, {\n \"RO\", \"dvb-s2_bb.matype1.ro\",\n FT_UINT8, BASE_DEC, VALS(bb_low_ro), DVB_S2_BB_RO_MASK,\n \"Transmission Roll-off factor\", HFILL}\n },\n {&hf_dvb_s2_bb_matype2, {\n \"MATYPE2\", \"dvb-s2_bb.matype2\",\n FT_UINT8, BASE_HEX, NULL, 0x0,\n \"MATYPE2 Header Field\", HFILL}\n },\n {&hf_dvb_s2_bb_upl, {\n \"UPL\", \"dvb-s2_bb.upl\",\n FT_UINT16, BASE_HEX, NULL, 0x0,\n \"User Packet Length\", HFILL}\n },\n {&hf_dvb_s2_bb_dfl, {\n \"DFL\", \"dvb-s2_bb.dfl\",\n FT_UINT16, BASE_HEX, NULL, 0x0,\n \"Data Field Length\", HFILL}\n },\n {&hf_dvb_s2_bb_sync, {\n \"SYNC\", \"dvb-s2_bb.sync\",\n FT_UINT8, BASE_HEX, NULL, 0x0,\n \"Copy of the User Packet Sync-byte\", HFILL}\n },\n {&hf_dvb_s2_bb_syncd, {\n \"SYNCD\", \"dvb-s2_bb.syncd\",\n FT_UINT16, BASE_HEX, NULL, 0x0,\n \"Distance to first user packet\", HFILL}\n },\n {&hf_dvb_s2_bb_crc, {\n \"Checksum\", \"dvb-s2_bb.crc\",\n FT_UINT8, BASE_HEX, NULL, 0x0,\n \"BB Header CRC-8\", HFILL}\n },\n {&hf_dvb_s2_bb_crc_status, {\n \"Checksum Status\", \"dvb-s2_bb.crc.status\",\n FT_UINT8, BASE_NONE, VALS(proto_checksum_vals), 0x0,\n NULL, HFILL}\n },\n {&hf_dvb_s2_bb_packetized, {\n \"Packetized Generic Stream Data\", \"dvb-s2_bb.packetized\",\n FT_BYTES, BASE_NONE, NULL, 0x0,\n \"Packetized Generic Stream (non-TS) Data\", HFILL}\n },\n {&hf_dvb_s2_bb_transport, {\n \"Transport Stream Data\", \"dvb-s2_bb.transport\",\n FT_BYTES, BASE_NONE, NULL, 0x0,\n \"Transport Stream (TS) Data\", HFILL}\n },\n {&hf_dvb_s2_bb_reserved, {\n \"Reserved Stream Type Data\", \"dvb-s2_bb.reserved\",\n FT_BYTES, BASE_NONE, NULL, 0x0,\n \"Stream of an unknown reserved type\", HFILL}\n },\n {&hf_dvb_s2_bb_df, {\n \"BBFrame user data\", \"dvb-s2_bb.df\",\n FT_BYTES, BASE_NONE, NULL, 0x0,\n NULL, HFILL}\n },\n {&hf_dvb_s2_bb_eip_crc32, {\n \"EIP CRC32\", \"dvb-s2_bb.eip_crc32\",\n FT_UINT32, 
BASE_HEX, NULL, 0x0,\n \"Explicit Integrity Protection CRC32\", HFILL}\n }\n };\n\n static gint *ett_bb[] = {\n &ett_dvb_s2_bb,\n &ett_dvb_s2_bb_matype1\n };\n\n /* DVB-S2 GSE Frame */\n static hf_register_info hf_gse[] = {\n {&hf_dvb_s2_gse_hdr, {\n \"GSE header\", \"dvb-s2_gse.hdr\",\n FT_UINT16, BASE_HEX, NULL, 0x0,\n \"GSE Header (start/stop/length)\", HFILL}\n },\n {&hf_dvb_s2_gse_hdr_start, {\n \"Start\", \"dvb-s2_gse.hdr.start\",\n FT_BOOLEAN, 16, TFS(&tfs_enabled_disabled), DVB_S2_GSE_HDR_START_MASK,\n \"Start Indicator\", HFILL}\n },\n {&hf_dvb_s2_gse_hdr_stop, {\n \"Stop\", \"dvb-s2_gse.hdr.stop\",\n FT_BOOLEAN, 16, TFS(&tfs_enabled_disabled), DVB_S2_GSE_HDR_STOP_MASK,\n \"Stop Indicator\", HFILL}\n },\n {&hf_dvb_s2_gse_hdr_labeltype, {\n \"Label Type\", \"dvb-s2_gse.hdr.labeltype\",\n FT_UINT16, BASE_HEX, VALS(gse_labeltype), DVB_S2_GSE_HDR_LABELTYPE_MASK,\n \"Label Type Indicator\", HFILL}\n },\n {&hf_dvb_s2_gse_hdr_length, {\n \"Length\", \"dvb-s2_gse.hdr.length\",\n FT_UINT16, BASE_DEC, NULL, DVB_S2_GSE_HDR_LENGTH_MASK,\n \"GSE Length\", HFILL}\n },\n {&hf_dvb_s2_gse_padding, {\n \"GSE Padding\", \"dvb-s2_gse.padding\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n \"GSE Padding Bytes\", HFILL}\n },\n {&hf_dvb_s2_gse_proto_next_header, {\n \"Protocol\", \"dvb-s2_gse.proto\",\n FT_UINT16, BASE_HEX, VALS(gse_proto_next_header_str), 0x0,\n \"Protocol Type\", HFILL}\n },\n {&hf_dvb_s2_gse_proto_ethertype, {\n \"Protocol\", \"dvb-s2_gse.proto\",\n FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,\n \"Protocol Type\", HFILL}\n },\n {&hf_dvb_s2_gse_label6, {\n \"Label\", \"dvb-s2_gse.label_ether\",\n FT_ETHER, BASE_NONE, NULL, 0x0,\n \"Label Field\", HFILL}\n },\n {&hf_dvb_s2_gse_label3, {\n \"Label\", \"dvb-s2_gse.label\",\n FT_UINT24, BASE_HEX, NULL, 0x0,\n \"Label Field\", HFILL}\n },\n {&hf_dvb_s2_gse_fragid, {\n \"Frag ID\", \"dvb-s2_gse.fragid\",\n FT_UINT8, BASE_HEX, NULL, 0x0,\n \"Fragment ID\", HFILL}\n },\n {&hf_dvb_s2_gse_totlength, {\n \"Total Length\", 
\"dvb-s2_gse.totlength\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n \"GSE Total Frame Length\", HFILL}\n },\n {&hf_dvb_s2_gse_exthdr, {\n \"Extension Header\", \"dvb-s2_gse.exthdr\",\n FT_UINT8, BASE_HEX, NULL, 0x0,\n \"optional Extension Header\", HFILL}\n },\n {&hf_dvb_s2_gse_ncr, {\n \"NCR Packet\", \"dvb-s2_gse.ncr\",\n FT_BYTES, BASE_NONE, NULL, 0x0,\n \"GSE NCR PAcket\", HFILL}\n },\n {&hf_dvb_s2_gse_data, {\n \"PDU Data\", \"dvb-s2_gse.data\",\n FT_BYTES, BASE_NONE, NULL, 0x0,\n \"GSE Frame User Data\", HFILL}\n },\n {&hf_dvb_s2_gse_crc32, {\n \"CRC\", \"dvb-s2_gse.crc\",\n FT_UINT32, BASE_HEX, NULL, 0x0,\n \"CRC-32\", HFILL}\n },\n { &hf_dvbs2_fragment_overlap,\n { \"Fragment overlap\", \"dvb-s2_gse.fragment.overlap\", FT_BOOLEAN, BASE_NONE,\n NULL, 0x0, \"Fragment overlaps with other fragments\", HFILL }},\n\n { &hf_dvbs2_fragment_overlap_conflict,\n { \"Conflicting data in fragment overlap\", \"dvb-s2_gse.fragment.overlap.conflict\",\n FT_BOOLEAN, BASE_NONE, NULL, 0x0,\n \"Overlapping fragments contained conflicting data\", HFILL }},\n\n { &hf_dvbs2_fragment_multiple_tails,\n { \"Multiple tail fragments found\", \"dvb-s2_gse.fragment.multipletails\",\n FT_BOOLEAN, BASE_NONE, NULL, 0x0,\n \"Several tails were found when defragmenting the packet\", HFILL }},\n\n { &hf_dvbs2_fragment_too_long_fragment,\n { \"Fragment too long\", \"dvb-s2_gse.fragment.toolongfragment\",\n FT_BOOLEAN, BASE_NONE, NULL, 0x0,\n \"Fragment contained data past end of packet\", HFILL }},\n\n { &hf_dvbs2_fragment_error,\n { \"Defragmentation error\", \"dvb-s2_gse.fragment.error\", FT_FRAMENUM, BASE_NONE,\n NULL, 0x0, \"Defragmentation error due to illegal fragments\", HFILL }},\n\n { &hf_dvbs2_fragment_count,\n { \"Fragment count\", \"dvb-s2_gse.fragment.count\", FT_UINT32, BASE_DEC,\n NULL, 0x0, NULL, HFILL }},\n\n { &hf_dvbs2_fragment,\n { \"DVB-S2 GSE Fragment\", \"dvb-s2_gse.fragment\", FT_FRAMENUM, BASE_NONE,\n NULL, 0x0, NULL, HFILL }},\n\n { &hf_dvbs2_fragments,\n { \"DVB-S2 GSE 
Fragments\", \"dvb-s2_gse.fragments\", FT_BYTES, BASE_NONE,\n NULL, 0x0, NULL, HFILL }},\n\n { &hf_dvbs2_reassembled_in,\n { \"Reassembled DVB-S2 GSE in frame\", \"dvb-s2_gse.reassembled_in\", FT_FRAMENUM, BASE_NONE,\n NULL, 0x0, \"This GSE packet is reassembled in this frame\", HFILL }},\n\n { &hf_dvbs2_reassembled_length,\n { \"Reassembled DVB-S2 GSE length\", \"dvb-s2_gse.reassembled.length\", FT_UINT32, BASE_DEC,\n NULL, 0x0, \"The total length of the reassembled payload\", HFILL }},\n\n { &hf_dvbs2_reassembled_data,\n { \"Reassembled DVB-S2 GSE data\", \"dvb-s2_gse.reassembled.data\", FT_BYTES, BASE_NONE,\n NULL, 0x0, \"The reassembled payload\", HFILL }}\n };\n\n static gint *ett_gse[] = {\n &ett_dvb_s2_gse,\n &ett_dvb_s2_gse_hdr,\n &ett_dvb_s2_gse_ncr,\n &ett_dvbs2_fragments,\n &ett_dvbs2_fragment,\n };\n\n static ei_register_info ei[] = {\n { &ei_dvb_s2_bb_crc, { \"dvb-s2_bb.bad_checksum\", PI_CHECKSUM, PI_ERROR, \"Bad checksum\", EXPFILL }},\n { &ei_dvb_s2_bb_issy_invalid, {\"dvb-s2_bb.issy_invalid\", PI_PROTOCOL, PI_WARN, \"ISSY is active, which is not allowed for GSE packets\", EXPFILL }},\n { &ei_dvb_s2_bb_npd_invalid, {\"dvb-s2_bb.npd_invalid\", PI_PROTOCOL, PI_WARN, \"NPD is active, which is not allowed for GSE packets\", EXPFILL }},\n { &ei_dvb_s2_bb_upl_invalid, {\"dvb-s2_bb.upl_invalid\", PI_PROTOCOL, PI_WARN, \"User Packet Length non-zero, which is not allowed for GSE packets\", EXPFILL }},\n { &ei_dvb_s2_bb_reserved, {\"dvb-s2_bb.reserved_frame_format\", PI_PROTOCOL, PI_WARN, \"Reserved frame format in TS/GS is not defined\", EXPFILL }},\n { &ei_dvb_s2_bb_header_ambiguous, { \"dvb-s2_bb.header_ambiguous\", PI_ASSUMPTION, PI_WARN, \"Mode Adaptation header ambiguous\", EXPFILL }},\n };\n\n expert_module_t* expert_dvb_s2_bb;\n\n proto_dvb_s2_modeadapt = proto_register_protocol(\"DVB-S2 Mode Adaptation Header\", \"DVB-S2\", \"dvb-s2_modeadapt\");\n\n proto_dvb_s2_bb = proto_register_protocol(\"DVB-S2 Baseband Frame\", \"DVB-S2-BB\", 
\"dvb-s2_bb\");\n\n proto_dvb_s2_gse = proto_register_protocol(\"DVB-S2 GSE Packet\", \"DVB-S2-GSE\", \"dvb-s2_gse\");\n\n proto_register_field_array(proto_dvb_s2_modeadapt, hf_modeadapt, array_length(hf_modeadapt));\n proto_register_subtree_array(ett_modeadapt, array_length(ett_modeadapt));\n\n proto_register_field_array(proto_dvb_s2_bb, hf_bb, array_length(hf_bb));\n proto_register_subtree_array(ett_bb, array_length(ett_bb));\n expert_dvb_s2_bb = expert_register_protocol(proto_dvb_s2_bb);\n expert_register_field_array(expert_dvb_s2_bb, ei, array_length(ei));\n\n proto_register_field_array(proto_dvb_s2_gse, hf_gse, array_length(hf_gse));\n proto_register_subtree_array(ett_gse, array_length(ett_gse));\n\n dvb_s2_modeadapt_module = prefs_register_protocol(proto_dvb_s2_modeadapt, proto_reg_handoff_dvb_s2_modeadapt);\n\n prefs_register_obsolete_preference(dvb_s2_modeadapt_module, \"enable\");\n\n prefs_register_bool_preference(dvb_s2_modeadapt_module, \"decode_df\",\n \"Enable dissection of DATA FIELD\",\n \"Check this to enable full protocol dissection of data above BBHeader\",\n &dvb_s2_df_dissection);\n\n prefs_register_bool_preference(dvb_s2_modeadapt_module, \"full_decode\",\n \"Enable dissection of GSE data\",\n \"Check this to enable full protocol dissection of data above GSE Layer\",\n &dvb_s2_full_dissection);\n\n register_init_routine(dvbs2_defragment_init);\n}", "project": "wireshark", "hash": 325992223450439822496688994379856126344, "size": 343, "commit_id": "0137c24d60934f131b25506a88c9464e4dc827de", "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. 
Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.", "target": 0, "dataset": "other", "idx": 283348 }, { "func": "static signed short php_ifd_get16s(void *Short, int motorola_intel) {\n return (signed short)php_ifd_get16u(Short, motorola_intel);\n}", "project": "hhvm", "hash": 242643195632030946953046459244719095939, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219756 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::disposeOutputs(AudioNode& node)\n{\n ASSERT(isGraphOwner());\n ASSERT(isMainThread());\n for (unsigned i = 0; i < node.numberOfOutputs(); ++i)\n node.output(i)->dispose();\n}\n", "cwe": "", "big_vul_idx": 139654, "idx": 124804, "hash": 148292575814470003455793573203638595449 }, { "func": "static int follow_dotdot_rcu(struct nameidata *nd)\n{\n\tstruct inode *inode = nd->inode;\n\n\twhile (1) {\n\t\tif (path_equal(&nd->path, &nd->root))\n\t\t\tbreak;\n\t\tif (nd->path.dentry != nd->path.mnt->mnt_root) {\n\t\t\tstruct dentry *old = nd->path.dentry;\n\t\t\tstruct dentry *parent = old->d_parent;\n\t\t\tunsigned seq;\n\n\t\t\tinode = parent->d_inode;\n\t\t\tseq = read_seqcount_begin(&parent->d_seq);\n\t\t\tif (unlikely(read_seqcount_retry(&old->d_seq, nd->seq)))\n\t\t\t\treturn -ECHILD;\n\t\t\tnd->path.dentry = parent;\n\t\t\tnd->seq = seq;\n\t\t\tif (unlikely(!path_connected(&nd->path)))\n\t\t\t\treturn -ENOENT;\n\t\t\tbreak;\n\t\t} else {\n\t\t\tstruct mount *mnt = real_mount(nd->path.mnt);\n\t\t\tstruct mount *mparent = mnt->mnt_parent;\n\t\t\tstruct dentry *mountpoint = mnt->mnt_mountpoint;\n\t\t\tstruct inode *inode2 = mountpoint->d_inode;\n\t\t\tunsigned seq = read_seqcount_begin(&mountpoint->d_seq);\n\t\t\tif (unlikely(read_seqretry(&mount_lock, nd->m_seq)))\n\t\t\t\treturn 
-ECHILD;\n\t\t\tif (&mparent->mnt == nd->path.mnt)\n\t\t\t\tbreak;\n\t\t\t/* we know that mountpoint was pinned */\n\t\t\tnd->path.dentry = mountpoint;\n\t\t\tnd->path.mnt = &mparent->mnt;\n\t\t\tinode = inode2;\n\t\t\tnd->seq = seq;\n\t\t}\n\t}\n\twhile (unlikely(d_mountpoint(nd->path.dentry))) {\n\t\tstruct mount *mounted;\n\t\tmounted = __lookup_mnt(nd->path.mnt, nd->path.dentry);\n\t\tif (unlikely(read_seqretry(&mount_lock, nd->m_seq)))\n\t\t\treturn -ECHILD;\n\t\tif (!mounted)\n\t\t\tbreak;\n\t\tnd->path.mnt = &mounted->mnt;\n\t\tnd->path.dentry = mounted->mnt.mnt_root;\n\t\tinode = nd->path.dentry->d_inode;\n\t\tnd->seq = read_seqcount_begin(&nd->path.dentry->d_seq);\n\t}\n\tnd->inode = inode;\n\treturn 0;\n}", "project": "linux", "hash": 113078316229703088680310881298215825712, "size": 53, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295418 }, { "func": "\nstatic ssize_t bfq_low_latency_store(struct elevator_queue *e,\n\t\t\t\t const char *page, size_t count)\n{\n\tstruct bfq_data *bfqd = e->elevator_data;\n\tunsigned long __data;\n\tint ret;\n\n\tret = bfq_var_store(&__data, (page));\n\tif (ret)\n\t\treturn ret;\n\n\tif (__data > 1)\n\t\t__data = 1;\n\tif (__data == 0 && bfqd->low_latency != 0)\n\t\tbfq_end_wr(bfqd);\n\tbfqd->low_latency = __data;\n\n\treturn count;", "project": "linux", "hash": 104084270119240536543221447894771358815, "size": 19, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. 
The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] 
kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region 
[ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453333 }, { "func": "static long madvise_pageout(struct vm_area_struct *vma,\n\t\t\tstruct vm_area_struct **prev,\n\t\t\tunsigned long start_addr, unsigned long end_addr)\n{\n\tstruct mm_struct *mm = vma->vm_mm;\n\tstruct mmu_gather tlb;\n\n\t*prev = vma;\n\tif (!can_madv_lru_vma(vma))\n\t\treturn -EINVAL;\n\n\tif (!can_do_pageout(vma))\n\t\treturn 
0;\n\n\tlru_add_drain();\n\ttlb_gather_mmu(&tlb, mm, start_addr, end_addr);\n\tmadvise_pageout_page_range(&tlb, vma, start_addr, end_addr);\n\ttlb_finish_mmu(&tlb, start_addr, end_addr);\n\n\treturn 0;\n}", "project": "linux", "hash": 127876520542342303595893427647332882744, "size": 21, "commit_id": "bc0c4d1e176eeb614dc8734fc3ace34292771f11", "message": "mm: check that mm is still valid in madvise()\n\nIORING_OP_MADVISE can end up basically doing mprotect() on the VM of\nanother process, which means that it can race with our crazy core dump\nhandling which accesses the VM state without holding the mmap_sem\n(because it incorrectly thinks that it is the final user).\n\nThis is clearly a core dumping problem, but we've never fixed it the\nright way, and instead have the notion of \"check that the mm is still\nok\" using mmget_still_valid() after getting the mmap_sem for writing in\nany situation where we're not the original VM thread.\n\nSee commit 04f5866e41fb (\"coredump: fix race condition between\nmmget_not_zero()/get_task_mm() and core dumping\") for more background on\nthis whole mmget_still_valid() thing. You might want to have a barf bag\nhandy when you do.\n\nWe're discussing just fixing this properly in the only remaining core\ndumping routines. 
But even if we do that, let's make do_madvise() do\nthe right thing, and then when we fix core dumping, we can remove all\nthese mmget_still_valid() checks.\n\nReported-and-tested-by: Jann Horn \nFixes: c1ca757bd6f4 (\"io_uring: add IORING_OP_MADVISE\")\nAcked-by: Jens Axboe \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 323579 }, { "func": "\nstatic int io_files_update(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tstruct io_uring_rsrc_update2 up;\n\tint ret;\n\n\tif (issue_flags & IO_URING_F_NONBLOCK)\n\t\treturn -EAGAIN;\n\n\tup.offset = req->rsrc_update.offset;\n\tup.data = req->rsrc_update.arg;\n\tup.nr = 0;\n\tup.tags = 0;\n\tup.resv = 0;\n\n\tmutex_lock(&ctx->uring_lock);\n\tret = __io_register_rsrc_update(ctx, IORING_RSRC_FILE,\n\t\t\t\t\t&up, req->rsrc_update.nr_args);\n\tmutex_unlock(&ctx->uring_lock);\n\n\tif (ret < 0)\n\t\treq_set_fail_links(req);\n\t__io_req_complete(req, issue_flags, ret, 0);\n\treturn 0;", "project": "linux", "hash": 148823172897473012293859696009007447318, "size": 25, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338581 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "void SpeechSynthesis::trace(Visitor* visitor)\n{\n visitor->trace(m_voiceList);\n visitor->trace(m_utteranceQueue);\n}\n", "cwe": "", "big_vul_idx": 129906, "idx": 116231, "hash": 82117434991637742473571342461543977023 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::trace(Visitor* visitor)\n{\n visitor->trace(m_offlineResolver);\n visitor->trace(m_renderTarget);\n visitor->trace(m_destinationNode);\n visitor->trace(m_listener);\n if (m_didInitializeContextGraphMutex) {\n AutoLocker lock(this);\n visitor->trace(m_referencedNodes);\n } else {\n visitor->trace(m_referencedNodes);\n }\n visitor->trace(m_resumeResolvers);\n visitor->trace(m_suspendResolvers);\n visitor->trace(m_liveNodes);\n visitor->trace(m_liveAudioSummingJunctions);\n RefCountedGarbageCollectedEventTargetWithInlineData::trace(visitor);\n ActiveDOMObject::trace(visitor);\n}\n", "cwe": "", "big_vul_idx": 139693, "idx": 124841, "hash": 113896653649637514584787336564205155211 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void MediaElementAudioSourceNode::trace(Visitor* visitor)\n{\n visitor->trace(m_mediaElement);\n AudioSourceNode::trace(visitor);\n 
AudioSourceProviderClient::trace(visitor);\n}\n", "cwe": "", "big_vul_idx": 139706, "idx": 124854, "hash": 143633053793214012424545415709883459289 }, { "func": "static void trace(struct kmem_cache *s, struct page *page, void *object,\n\t\t\t\t\t\t\t\tint alloc)\n{\n\tif (s->flags & SLAB_TRACE) {\n\t\tpr_info(\"TRACE %s %s 0x%p inuse=%d fp=0x%p\\n\",\n\t\t\ts->name,\n\t\t\talloc ? \"alloc\" : \"free\",\n\t\t\tobject, page->inuse,\n\t\t\tpage->freelist);\n\n\t\tif (!alloc)\n\t\t\tprint_section(KERN_INFO, \"Object \", (void *)object,\n\t\t\t\t\ts->object_size);\n\n\t\tdump_stack();\n\t}\n}", "project": "linux", "hash": 237932956876884839972740174079522643683, "size": 17, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280120 }, { "func": "Status ImportGraphDef(const ImportGraphDefOptions& opts, const GraphDef& gdef,\n Graph* g, ShapeRefiner* refiner,\n ImportGraphDefResults* results) {\n if (!opts.return_tensors.empty()) {\n if (results == nullptr) {\n return errors::InvalidArgument(\n \"results argument to ImportGraphDef() must be non-null if \"\n \"opts.return_tensors is non-empty\");\n }\n }\n\n if (!opts.return_nodes.empty()) {\n if (opts.skip_mapped_nodes) {\n return errors::InvalidArgument(\n \"Requesting return_nodes with skip_mapped_nodes set is not currently \"\n \"supported\");\n }\n if (results == nullptr) {\n return errors::InvalidArgument(\n \"results argument to ImportGraphDef() must be non-null if \"\n \"opts.return_nodes is non-empty\");\n }\n }\n\n if (results != nullptr) {\n if (!results->return_tensors.empty() || !results->return_nodes.empty() ||\n !results->missing_unused_input_map_keys.empty()) {\n return errors::InvalidArgument(\n \"All fields in results argument to ImportGraphDef() must be empty.\");\n }\n }\n\n ShapeRefiner default_refiner(gdef.versions().producer(), g->op_registry());\n if (refiner == nullptr) {\n refiner = &default_refiner;\n } else {\n // Log a warning if we are importing a GraphDef at an older\n // producer version after already having added non-source/sink\n // nodes to the graph in the past.\n if (gdef.versions().producer() > 0 &&\n gdef.versions().producer() < refiner->graph_def_version() &&\n g->num_nodes() > 2) {\n LOG(WARNING) << \"Importing a graph with a lower producer version \"\n << gdef.versions().producer()\n << \" 
into an existing graph with producer version \"\n << refiner->graph_def_version() << \". Shape inference will \"\n << \"have run different parts of the graph with different \"\n << \"producer versions.\";\n }\n }\n\n // Set the graph def version of the refiner as the min of the\n // current value and the version from the graph we are about to\n // import.\n //\n // Note: to match Run() semantics, we should re-run shape inference\n // on the entire graph if the producer version has changed. For now\n // we log the warning above.\n refiner->set_graph_def_version(\n std::min(refiner->graph_def_version(), gdef.versions().producer()));\n\n if (results == nullptr) {\n return GraphConstructor::Construct(opts, gdef.node(), &gdef.versions(),\n &gdef.library(), g, refiner, nullptr,\n nullptr, nullptr);\n } else {\n return GraphConstructor::Construct(\n opts, gdef.node(), &gdef.versions(), &gdef.library(), g, refiner,\n &results->return_tensors, &results->return_nodes,\n &results->missing_unused_input_map_keys);\n }\n}", "project": "tensorflow", "hash": 243570005050465009685038261168261602962, "size": 72, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268322 }, { "func": "DLLEXPORT int DLLCALL tjDecompress(tjhandle handle, unsigned char *jpegBuf,\n\tunsigned long jpegSize, unsigned char *dstBuf, int width, int pitch,\n\tint height, int pixelSize, int flags)\n{\n\tif(flags&TJ_YUV)\n\t\treturn tjDecompressToYUV(handle, jpegBuf, jpegSize, dstBuf, flags);\n\telse\n\t\treturn tjDecompress2(handle, jpegBuf, jpegSize, dstBuf, width, pitch,\n\t\t\theight, getPixelFormat(pixelSize, flags), flags);\n}", "project": "libjpeg-turbo", "hash": 116785686567044670687505688355333011075, "size": 10, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311108 }, { "func": "static int intAddEntry(Header h, rpmtd td)\n{\n indexEntry entry;\n rpm_data_t data;\n int length = 0;\n\n /* Count must always be >= 1 for headerAddEntry. 
*/\n if (td->count <= 0)\n\treturn 0;\n\n if (hdrchkType(td->type))\n\treturn 0;\n if (hdrchkData(td->count))\n\treturn 0;\n\n data = grabData(td->type, td->data, td->count, &length);\n if (data == NULL)\n\treturn 0;\n\n /* Allocate more index space if necessary */\n if (h->indexUsed == h->indexAlloced) {\n\th->indexAlloced += INDEX_MALLOC_SIZE;\n\th->index = xrealloc(h->index, h->indexAlloced * sizeof(*h->index));\n }\n\n /* Fill in the index */\n entry = h->index + h->indexUsed;\n entry->info.tag = td->tag;\n entry->info.type = td->type;\n entry->info.count = td->count;\n entry->info.offset = 0;\n entry->data = data;\n entry->length = length;\n\n if (h->indexUsed > 0 && td->tag < h->index[h->indexUsed-1].info.tag)\n\th->sorted = 0;\n h->indexUsed++;\n\n return 1;\n}", "project": "rpm", "hash": 266924498674138484146712217851714001829, "size": 40, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318187 }, { "func": "static inline int tcp_space(const struct sock *sk)\n{\n\treturn tcp_win_from_space(sk->sk_rcvbuf -\n\t\t\t\t atomic_read(&sk->sk_rmem_alloc));\n}", "project": "linux", "hash": 53620239552915244525948154126922573761, "size": 5, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. 
For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410822 }, { "func": "static int tty_tiocmset(struct tty_struct *tty, unsigned int cmd,\n\t unsigned __user *p)\n{\n\tint retval;\n\tunsigned int set, clear, val;\n\n\tif (tty->ops->tiocmset == NULL)\n\t\treturn -EINVAL;\n\n\tretval = get_user(val, p);\n\tif (retval)\n\t\treturn retval;\n\tset = clear = 0;\n\tswitch (cmd) {\n\tcase TIOCMBIS:\n\t\tset = val;\n\t\tbreak;\n\tcase TIOCMBIC:\n\t\tclear = val;\n\t\tbreak;\n\tcase TIOCMSET:\n\t\tset = val;\n\t\tclear = ~val;\n\t\tbreak;\n\t}\n\tset &= TIOCM_DTR|TIOCM_RTS|TIOCM_OUT1|TIOCM_OUT2|TIOCM_LOOP;\n\tclear &= TIOCM_DTR|TIOCM_RTS|TIOCM_OUT1|TIOCM_OUT2|TIOCM_LOOP;\n\treturn tty->ops->tiocmset(tty, set, clear);\n}", "project": "linux", "hash": 19972223796640078675370986157529468147, "size": 29, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. 
(Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325951 }, { "func": "static int queue_pages_pte_range(pmd_t *pmd, unsigned long addr,\n\t\t\tunsigned long end, struct mm_walk *walk)\n{\n\tstruct vm_area_struct *vma = walk->vma;\n\tstruct page *page;\n\tstruct queue_pages *qp = walk->private;\n\tunsigned long flags = qp->flags;\n\tint ret;\n\tbool has_unmovable = false;\n\tpte_t *pte;\n\tspinlock_t *ptl;\n\n\tptl = pmd_trans_huge_lock(pmd, vma);\n\tif (ptl) {\n\t\tret = queue_pages_pmd(pmd, ptl, addr, end, walk);\n\t\tif (ret != 2)\n\t\t\treturn ret;\n\t}\n\t/* THP was split, fall through to pte walk */\n\n\tif (pmd_trans_unstable(pmd))\n\t\treturn 0;\n\n\tpte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl);\n\tfor (; addr != end; pte++, addr += PAGE_SIZE) {\n\t\tif (!pte_present(*pte))\n\t\t\tcontinue;\n\t\tpage = vm_normal_page(vma, addr, *pte);\n\t\tif (!page)\n\t\t\tcontinue;\n\t\t/*\n\t\t * vm_normal_page() filters out zero pages, but there might\n\t\t * still be PageReserved pages to skip, perhaps 
in a VDSO.\n\t\t */\n\t\tif (PageReserved(page))\n\t\t\tcontinue;\n\t\tif (!queue_pages_required(page, qp))\n\t\t\tcontinue;\n\t\tif (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)) {\n\t\t\t/* MPOL_MF_STRICT must be specified if we get here */\n\t\t\tif (!vma_migratable(vma)) {\n\t\t\t\thas_unmovable = true;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\t/*\n\t\t\t * Do not abort immediately since there may be\n\t\t\t * temporary off LRU pages in the range. Still\n\t\t\t * need migrate other LRU pages.\n\t\t\t */\n\t\t\tif (migrate_page_add(page, qp->pagelist, flags))\n\t\t\t\thas_unmovable = true;\n\t\t} else\n\t\t\tbreak;\n\t}\n\tpte_unmap_unlock(pte - 1, ptl);\n\tcond_resched();\n\n\tif (has_unmovable)\n\t\treturn 1;\n\n\treturn addr != end ? -EIO : 0;\n}", "project": "linux", "hash": 143506076573246334144335800042034608485, "size": 63, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366745 }, { "func": "__gfn_to_memslot(struct kvm_memslots *slots, gfn_t gfn)\n{\n\treturn search_memslots(slots, gfn);\n}", "project": "linux", "hash": 180240767505990210506898987839484935319, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354570 }, { "func": "static Variant mcrypt_generic(const Resource& td, const String& data,\n bool dencrypt) {\n auto pm = get_valid_mcrypt_resource(td);\n if (!pm) {\n return false;\n } else if (!pm->m_init) {\n raise_warning(\"Operation disallowed prior to mcrypt_generic_init().\");\n return false;\n }\n\n if (data.empty()) {\n raise_warning(\"An empty string was passed\");\n 
return false;\n }\n\n String s;\n unsigned char* data_s;\n int block_size, data_size;\n /* Check blocksize */\n if (mcrypt_enc_is_block_mode(pm->m_td) == 1) { /* It's a block algorithm */\n block_size = mcrypt_enc_get_block_size(pm->m_td);\n data_size = (((data.size() - 1) / block_size) + 1) * block_size;\n s = String(data_size, ReserveString);\n data_s = (unsigned char *)s.mutableData();\n memset(data_s, 0, data_size);\n memcpy(data_s, data.data(), data.size());\n } else { /* It's not a block algorithm */\n data_size = data.size();\n s = String(data_size, ReserveString);\n data_s = (unsigned char *)s.mutableData();\n memcpy(data_s, data.data(), data.size());\n }\n\n if (dencrypt) {\n mdecrypt_generic(pm->m_td, data_s, data_size);\n } else {\n mcrypt_generic(pm->m_td, data_s, data_size);\n }\n s.setSize(data_size);\n return s;\n}", "project": "hhvm", "hash": 305993152205202082474447997665656711267, "size": 41, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219354 }, { "func": "static void fuse_link_write_file(struct file *file)\n{\n\tstruct inode *inode = file_inode(file);\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\tstruct fuse_file *ff = file->private_data;\n\t/*\n\t * file may be written through mmap, so chain it onto the\n\t * inodes's write_file list\n\t */\n\tspin_lock(&fi->lock);\n\tif (list_empty(&ff->write_entry))\n\t\tlist_add(&ff->write_entry, &fi->write_files);\n\tspin_unlock(&fi->lock);\n}", "project": "linux", "hash": 133017235969672782705669727053537555465, "size": 14, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341921 }, { "func": "bool strtr_slow(const Array& arr, StringBuffer& result, String& key,\n const char*s, int& pos, int minlen, int maxlen) {\n\n memcpy(key.mutableData(), s + pos, maxlen);\n for (int len = maxlen; len >= minlen; len--) {\n key.setSize(len);\n auto const tv = arr->get(key);\n if (tv.is_init()) {\n String replace = tvCastToString(tv);\n if (!replace.empty()) {\n result.append(replace);\n }\n pos += len;\n return true;\n }\n }\n return false;\n}", "project": "hhvm", "hash": 151269179396656147532466600244507120149, "size": 18, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219712 }, { "func": "static int wait_on_pipe(struct trace_iterator *iter, bool full)\n{\n\t/* Iterators are static, they should be filled or empty */\n\tif (trace_buffer_iter(iter, iter->cpu_file))\n\t\treturn 0;\n\n\treturn ring_buffer_wait(iter->trace_buffer->buffer, iter->cpu_file,\n\t\t\t\tfull);\n}", "project": "linux", "hash": 171110290416496471818480742121184448242, "size": 9, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that 
on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445743 }, { "func": "int set_compat_user_sigmask(const compat_sigset_t __user *umask,\n\t\t\t size_t sigsetsize)\n{\n\tsigset_t kmask;\n\n\tif (!umask)\n\t\treturn 0;\n\tif (sigsetsize != sizeof(compat_sigset_t))\n\t\treturn -EINVAL;\n\tif (get_compat_sigset(&kmask, umask))\n\t\treturn -EFAULT;\n\n\tset_restore_sigmask();\n\tcurrent->saved_sigmask = current->blocked;\n\tset_current_blocked(&kmask);\n\n\treturn 0;\n}", "project": "linux", "hash": 293287819023682357441741920516031377685, "size": 18, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375291 }, { "func": "DwaCompressor::initializeBuffers (size_t &outBufferSize)\n{\n classifyChannels (_channels, _channelData, _cscSets);\n\n //\n // _outBuffer needs to be big enough to hold all our \n // compressed data - which could vary depending on what sort\n // of channels we have. 
\n //\n\n int maxOutBufferSize = 0;\n int numLossyDctChans = 0;\n int unknownBufferSize = 0;\n int rleBufferSize = 0;\n\n int maxLossyDctAcSize = (int)ceil ((float)numScanLines() / 8.0f) * \n (int)ceil ((float)(_max[0] - _min[0] + 1) / 8.0f) *\n 63 * sizeof (unsigned short);\n\n int maxLossyDctDcSize = (int)ceil ((float)numScanLines() / 8.0f) * \n (int)ceil ((float)(_max[0] - _min[0] + 1) / 8.0f) *\n sizeof (unsigned short);\n\n for (unsigned int chan = 0; chan < _channelData.size(); ++chan)\n {\n switch (_channelData[chan].compression)\n {\n case LOSSY_DCT:\n\n //\n // This is the size of the number of packed\n // components, plus the requirements for\n // maximum Huffman encoding size (for STATIC_HUFFMAN)\n // or for zlib compression (for DEFLATE)\n //\n\n maxOutBufferSize += std::max(\n (int)(2 * maxLossyDctAcSize + 65536),\n (int)compressBound (maxLossyDctAcSize) );\n numLossyDctChans++;\n break;\n\n case RLE:\n {\n //\n // RLE, if gone horribly wrong, could double the size\n // of the source data.\n //\n\n int rleAmount = 2 * numScanLines() * (_max[0] - _min[0] + 1) *\n OPENEXR_IMF_NAMESPACE::pixelTypeSize (_channelData[chan].type);\n\n rleBufferSize += rleAmount;\n }\n break;\n\n\n case UNKNOWN:\n\n unknownBufferSize += numScanLines() * (_max[0] - _min[0] + 1) *\n OPENEXR_IMF_NAMESPACE::pixelTypeSize (_channelData[chan].type);\n break;\n\n default:\n\n throw IEX_NAMESPACE::NoImplExc (\"Unhandled compression scheme case\");\n break;\n }\n }\n\n //\n // Also, since the results of the RLE are packed into \n // the output buffer, we need the extra room there. 
But\n // we're going to zlib compress() the data we pack, \n // which could take slightly more space\n //\n\n maxOutBufferSize += (int)compressBound ((uLongf)rleBufferSize);\n \n //\n // And the same goes for the UNKNOWN data\n //\n\n maxOutBufferSize += (int)compressBound ((uLongf)unknownBufferSize);\n\n //\n // Allocate a zip/deflate compressor big enought to hold the DC data\n // and include it's compressed results in the size requirements\n // for our output buffer\n //\n\n if (_zip == 0) \n _zip = new Zip (maxLossyDctDcSize * numLossyDctChans);\n else if (_zip->maxRawSize() < static_cast(maxLossyDctDcSize * numLossyDctChans))\n {\n delete _zip;\n _zip = new Zip (maxLossyDctDcSize * numLossyDctChans);\n }\n\n\n maxOutBufferSize += _zip->maxCompressedSize();\n\n //\n // We also need to reserve space at the head of the buffer to \n // write out the size of our various packed and compressed data.\n //\n\n maxOutBufferSize += NUM_SIZES_SINGLE * sizeof (Int64); \n \n\n //\n // Later, we're going to hijack outBuffer for the result of\n // both encoding and decoding. 
So it needs to be big enough\n // to hold either a buffers' worth of uncompressed or\n // compressed data\n //\n // For encoding, we'll need _outBuffer to hold maxOutBufferSize bytes,\n // but for decoding, we only need it to be maxScanLineSize*numScanLines.\n // Cache the max size for now, and alloc the buffer when we either\n // encode or decode.\n //\n\n outBufferSize = maxOutBufferSize;\n\n\n //\n // _packedAcBuffer holds the quantized DCT coefficients prior\n // to Huffman encoding\n //\n\n if (static_cast(maxLossyDctAcSize * numLossyDctChans) > _packedAcBufferSize)\n {\n _packedAcBufferSize = maxLossyDctAcSize * numLossyDctChans;\n if (_packedAcBuffer != 0) \n delete[] _packedAcBuffer;\n _packedAcBuffer = new char[_packedAcBufferSize];\n }\n\n //\n // _packedDcBuffer holds one quantized DCT coef per 8x8 block\n //\n\n if (static_cast(maxLossyDctDcSize * numLossyDctChans) > _packedDcBufferSize)\n {\n _packedDcBufferSize = maxLossyDctDcSize * numLossyDctChans;\n if (_packedDcBuffer != 0) \n delete[] _packedDcBuffer;\n _packedDcBuffer = new char[_packedDcBufferSize];\n }\n\n if (static_cast(rleBufferSize) > _rleBufferSize) \n {\n _rleBufferSize = rleBufferSize;\n if (_rleBuffer != 0) \n delete[] _rleBuffer;\n _rleBuffer = new char[rleBufferSize];\n }\n\n // \n // The planar uncompressed buffer will hold float data for LOSSY_DCT\n // compressed values, and whatever the native type is for other\n // channels. 
We're going to use this to hold data in a planar\n // format, as opposed to the native interleaved format we take\n // into compress() and give back from uncompress().\n //\n // This also makes it easier to compress the UNKNOWN and RLE data\n // all in one swoop (for each compression scheme).\n //\n\n int planarUncBufferSize[NUM_COMPRESSOR_SCHEMES];\n for (int i=0; i 0)\n {\n planarUncBufferSize[UNKNOWN] = \n compressBound ((uLongf)planarUncBufferSize[UNKNOWN]);\n }\n\n for (int i = 0; i < NUM_COMPRESSOR_SCHEMES; ++i)\n {\n if (static_cast(planarUncBufferSize[i]) > _planarUncBufferSize[i]) \n {\n _planarUncBufferSize[i] = planarUncBufferSize[i];\n if (_planarUncBuffer[i] != 0) \n delete[] _planarUncBuffer[i];\n _planarUncBuffer[i] = new char[planarUncBufferSize[i]];\n }\n }\n}", "project": "openexr", "hash": 276310541815640906428038702997144182661, "size": 220, "commit_id": "3eda5d70aba127bae9bd6bae9956fcf024b64031", "message": "fixes for DWA uncompress: sanity check unknown data reading, off-by-one error on max suffix string length\n\nSigned-off-by: Peter Hillman ", "target": 0, "dataset": "other", "idx": 440085 }, { "func": "static int queue_pages_test_walk(unsigned long start, unsigned long end,\n\t\t\t\tstruct mm_walk *walk)\n{\n\tstruct vm_area_struct *vma = walk->vma;\n\tstruct queue_pages *qp = walk->private;\n\tunsigned long endvma = vma->vm_end;\n\tunsigned long flags = qp->flags;\n\n\t/* range check first */\n\tVM_BUG_ON_VMA((vma->vm_start > start) || (vma->vm_end < end), vma);\n\n\tif (!qp->first) {\n\t\tqp->first = vma;\n\t\tif (!(flags & MPOL_MF_DISCONTIG_OK) &&\n\t\t\t(qp->start < vma->vm_start))\n\t\t\t/* hole at head side of range */\n\t\t\treturn -EFAULT;\n\t}\n\tif (!(flags & MPOL_MF_DISCONTIG_OK) &&\n\t\t((vma->vm_end < qp->end) &&\n\t\t(!vma->vm_next || vma->vm_end < vma->vm_next->vm_start)))\n\t\t/* hole at middle or tail of range */\n\t\treturn -EFAULT;\n\n\t/*\n\t * Need check MPOL_MF_STRICT to return -EIO if possible\n\t * regardless of 
vma_migratable\n\t */\n\tif (!vma_migratable(vma) &&\n\t !(flags & MPOL_MF_STRICT))\n\t\treturn 1;\n\n\tif (endvma > end)\n\t\tendvma = end;\n\n\tif (flags & MPOL_MF_LAZY) {\n\t\t/* Similar to task_numa_work, skip inaccessible VMAs */\n\t\tif (!is_vm_hugetlb_page(vma) &&\n\t\t\t(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE)) &&\n\t\t\t!(vma->vm_flags & VM_MIXEDMAP))\n\t\t\tchange_prot_numa(vma, start, endvma);\n\t\treturn 1;\n\t}\n\n\t/* queue pages from current vma */\n\tif (flags & MPOL_MF_VALID)\n\t\treturn 0;\n\treturn 1;\n}", "project": "linux", "hash": 274176772742766464171891085341886840886, "size": 49, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366788 }, { "func": "static int copy_tiles_additional_pass(void) {\n\tint x, y, n;\n\tint diffs = 0, ct;\n\n\tif (unixpw_in_progress) return 0;\n\n\tfor (y=0; y < ntiles_y; y++) {\n\t\tfor (x=0; x < ntiles_x; x++) {\n\t\t\tn = x + y * ntiles_x;\t\t/* number of this tile */\n\n\t\t\tif (! 
tile_has_diff[n]) {\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (tile_copied[n]) {\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tct = copy_tiles(x, y, 1);\n\t\t\tif (ct < 0) return ct;\t/* fatal */\n\t\t}\n\t}\n\tfor (n=0; n < ntiles; n++) {\n\t\tif (tile_has_diff[n]) {\n\t\t\tdiffs++;\n\t\t}\n\t}\n\treturn diffs;\n}", "project": "x11vnc", "hash": 318391645954495555857173861631877162651, "size": 28, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360749 }, { "func": "BPMDetect::BPMDetect(int numChannels, int aSampleRate) :\r\n beat_lpf(_LPF_coeffs)\r\n{\r\n beats.reserve(250); // initial reservation to prevent frequent reallocation\r\n\r\n this->sampleRate = aSampleRate;\r\n this->channels = numChannels;\r\n\r\n decimateSum = 0;\r\n decimateCount = 0;\r\n\r\n // choose decimation factor so that result is approx. 1000 Hz\r\n decimateBy = sampleRate / TARGET_SRATE;\r\n assert(decimateBy > 0);\r\n assert(INPUT_BLOCK_SIZE < decimateBy * DECIMATED_BLOCK_SIZE);\r\n\r\n // Calculate window length & starting item according to desired min & max bpms\r\n windowLen = (60 * sampleRate) / (decimateBy * MIN_BPM);\r\n windowStart = (60 * sampleRate) / (decimateBy * MAX_BPM_RANGE);\r\n\r\n assert(windowLen > windowStart);\r\n\r\n // allocate new working objects\r\n xcorr = new float[windowLen];\r\n memset(xcorr, 0, windowLen * sizeof(float));\r\n\r\n pos = 0;\r\n peakPos = 0;\r\n peakVal = 0;\r\n init_scaler = 1;\r\n beatcorr_ringbuffpos = 0;\r\n beatcorr_ringbuff = new float[windowLen];\r\n memset(beatcorr_ringbuff, 0, windowLen * sizeof(float));\r\n\r\n // allocate processing buffer\r\n buffer = new FIFOSampleBuffer();\r\n // we do processing in mono mode\r\n buffer->setChannels(1);\r\n buffer->clear();\r\n\r\n // calculate hamming windows\r\n hamw = new float[XCORR_UPDATE_SEQUENCE];\r\n hamming(hamw, XCORR_UPDATE_SEQUENCE);\r\n hamw2 = new float[XCORR_UPDATE_SEQUENCE / 
2];\r\n hamming(hamw2, XCORR_UPDATE_SEQUENCE / 2);\r\n}\r", "project": "soundtouch", "hash": 338493797798567657703708124487583988357, "size": 46, "commit_id": "a1c400eb2cff849c0e5f9d6916d69ffea3ad2c85", "message": "Fix issue CVE-2018-17096: Replace assert with runtime exception", "target": 1, "dataset": "other", "idx": 205562 }, { "func": "BPMDetect::BPMDetect(int numChannels, int aSampleRate) :\r\n beat_lpf(_LPF_coeffs)\r\n{\r\n beats.reserve(250); // initial reservation to prevent frequent reallocation\r\n\r\n this->sampleRate = aSampleRate;\r\n this->channels = numChannels;\r\n\r\n decimateSum = 0;\r\n decimateCount = 0;\r\n\r\n // choose decimation factor so that result is approx. 1000 Hz\r\n decimateBy = sampleRate / TARGET_SRATE;\r\n if ((decimateBy <= 0) || (decimateBy * DECIMATED_BLOCK_SIZE < INPUT_BLOCK_SIZE))\r\n {\r\n ST_THROW_RT_ERROR(\"Too small samplerate\");\r\n }\r\n\r\n // Calculate window length & starting item according to desired min & max bpms\r\n windowLen = (60 * sampleRate) / (decimateBy * MIN_BPM);\r\n windowStart = (60 * sampleRate) / (decimateBy * MAX_BPM_RANGE);\r\n\r\n assert(windowLen > windowStart);\r\n\r\n // allocate new working objects\r\n xcorr = new float[windowLen];\r\n memset(xcorr, 0, windowLen * sizeof(float));\r\n\r\n pos = 0;\r\n peakPos = 0;\r\n peakVal = 0;\r\n init_scaler = 1;\r\n beatcorr_ringbuffpos = 0;\r\n beatcorr_ringbuff = new float[windowLen];\r\n memset(beatcorr_ringbuff, 0, windowLen * sizeof(float));\r\n\r\n // allocate processing buffer\r\n buffer = new FIFOSampleBuffer();\r\n // we do processing in mono mode\r\n buffer->setChannels(1);\r\n buffer->clear();\r\n\r\n // calculate hamming windows\r\n hamw = new float[XCORR_UPDATE_SEQUENCE];\r\n hamming(hamw, XCORR_UPDATE_SEQUENCE);\r\n hamw2 = new float[XCORR_UPDATE_SEQUENCE / 2];\r\n hamming(hamw2, XCORR_UPDATE_SEQUENCE / 2);\r\n}\r", "project": "soundtouch", "hash": 9975483775436489168942805933636882922, "size": 48, "commit_id": 
"a1c400eb2cff849c0e5f9d6916d69ffea3ad2c85", "message": "Fix issue CVE-2018-17096: Replace assert with runtime exception", "target": 0, "dataset": "other", "idx": 368106 }, { "func": "static void kvm_mmu_notifier_invalidate_range_end(struct mmu_notifier *mn,\n\t\t\t\t\tconst struct mmu_notifier_range *range)\n{\n\tstruct kvm *kvm = mmu_notifier_to_kvm(mn);\n\n\tspin_lock(&kvm->mmu_lock);\n\t/*\n\t * This sequence increase will notify the kvm page fault that\n\t * the page that is going to be mapped in the spte could have\n\t * been freed.\n\t */\n\tkvm->mmu_notifier_seq++;\n\tsmp_wmb();\n\t/*\n\t * The above sequence increase must be visible before the\n\t * below count decrease, which is ensured by the smp_wmb above\n\t * in conjunction with the smp_rmb in mmu_notifier_retry().\n\t */\n\tkvm->mmu_notifier_count--;\n\tspin_unlock(&kvm->mmu_lock);\n\n\tBUG_ON(kvm->mmu_notifier_count < 0);\n}", "project": "linux", "hash": 83513377536859176877670027602972021487, "size": 23, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354673 }, { "func": "static void kvm_mmu_notifier_invalidate_range_end(struct mmu_notifier *mn,\n\t\t\t\t\tconst struct mmu_notifier_range *range)\n{\n\tstruct kvm *kvm = mmu_notifier_to_kvm(mn);\n\tconst struct kvm_hva_range hva_range = {\n\t\t.start\t\t= 
range->start,\n\t\t.end\t\t= range->end,\n\t\t.pte\t\t= __pte(0),\n\t\t.handler\t= (void *)kvm_null_fn,\n\t\t.on_lock\t= kvm_dec_notifier_count,\n\t\t.flush_on_ret\t= false,\n\t\t.may_block\t= mmu_notifier_range_blockable(range),\n\t};\n\n\t__kvm_handle_hva_range(kvm, &hva_range);\n\n\tBUG_ON(kvm->mmu_notifier_count < 0);\n}", "project": "linux", "hash": 194988488211097970926737616085536261244, "size": 18, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404046 }, { "func": "pattern_match lua_text_pattern::match_location(const string &s) const\n{\n // lua_text_pattern is only used if a special non-regex op is detected (^F\n // for \"armour && ego\", for instance), and in those situations, it's\n // unclear what exactly to use for the matched text here (especially in\n // more complicated expressions that include things like <<>>, !!, etc).\n return matches(s)\n ? 
pattern_match::succeeded(s)\n : pattern_match::failed(s);\n}", "project": "crawl", "hash": 76156159028110913476280912322595889363, "size": 10, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230541 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void ecall_scan_collect_last_primary(uint8_t *join_expr, size_t join_expr_length,\n uint8_t *input_rows, size_t input_rows_length,\n uint8_t **output_rows, size_t *output_rows_length) {\n // Guard against operating on arbitrary enclave memory\n assert(sgx_is_outside_enclave(input_rows, input_rows_length) == 1);\n sgx_lfence();\n\n try {\n scan_collect_last_primary(join_expr, join_expr_length,\n input_rows, input_rows_length,\n output_rows, output_rows_length);\n } catch (const std::runtime_error &e) {\n ocall_throw(e.what());\n }\n}", "idx": 519069, "cwe": "CWE-787", "hash": 215372699505163812039258473462108415770, "dataset": "other" }, { "func": "static void create_refuse_error(int which)\n{\n\t/* The \"which\" value is the index + OPT_REFUSED_BASE. */\n\tstruct poptOption *op = &long_options[which - OPT_REFUSED_BASE];\n\tint n = snprintf(err_buf, sizeof err_buf,\n\t\t\t \"The server is configured to refuse --%s\\n\",\n\t\t\t op->longName) - 1;\n\tif (op->shortName) {\n\t\tsnprintf(err_buf + n, sizeof err_buf - n,\n\t\t\t \" (-%c)\\n\", op->shortName);\n\t}\n}", "project": "rsync", "hash": 292872943372785518347813194445845000833, "size": 12, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. 
This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364669 }, { "func": "void gdImageCopyMerge (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int srcX, int srcY, int w, int h, int pct)\n{\n\tint c, dc;\n\tint x, y;\n\tint tox, toy;\n\tint ncR, ncG, ncB;\n\ttoy = dstY;\n\n\tfor (y = srcY; y < (srcY + h); y++) {\n\t\ttox = dstX;\n\t\tfor (x = srcX; x < (srcX + w); x++) {\n\t\t\tint nc;\n\t\t\tc = gdImageGetPixel(src, x, y);\n\t\t\t/* Added 7/24/95: support transparent copies */\n\t\t\tif (gdImageGetTransparent(src) == c) {\n\t\t\t\ttox++;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\t/* If it's the same image, mapping is trivial */\n\t\t\tif (dst == src) {\n\t\t\t\tnc = c;\n\t\t\t} else {\n\t\t\t\tdc = gdImageGetPixel(dst, tox, toy);\n\n \t\t\t\tncR = (int)(gdImageRed (src, c) * (pct / 100.0) + gdImageRed (dst, dc) * ((100 - pct) / 100.0));\n \t\t\t\tncG = (int)(gdImageGreen (src, c) * (pct / 100.0) + gdImageGreen (dst, dc) * ((100 - pct) / 100.0));\n \t\t\t\tncB = (int)(gdImageBlue (src, c) * (pct / 100.0) + gdImageBlue (dst, dc) * ((100 - pct) / 100.0));\n\n\t\t\t\t/* Find a reasonable color */\n\t\t\t\tnc = gdImageColorResolve (dst, ncR, ncG, ncB);\n\t\t\t}\n\t\t\tgdImageSetPixel (dst, tox, toy, nc);\n\t\t\ttox++;\n\t\t}\n\t\ttoy++;\n\t}\n}", "project": "php-src", "hash": 317220248356442540359629585219990403703, "size": 37, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295163 }, { "func": "static int rand_initialize(void)\n{\n\tinit_std_data(&input_pool);\n\tinit_std_data(&blocking_pool);\n\tinit_std_data(&nonblocking_pool);\n\treturn 0;\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 132667507196834451665247568234752637895, 
"size": 7, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. 
I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499909 }, { "func": "static int test_apply(struct libmnt_test *ts, int argc, char *argv[])\n{\n\tchar *optstr;\n\tint rc, map;\n\tunsigned long flags;\n\n\tif (argc < 4)\n\t\treturn -EINVAL;\n\n\tif (!strcmp(argv[1], \"--user\"))\n\t\tmap = MNT_USERSPACE_MAP;\n\telse if (!strcmp(argv[1], \"--linux\"))\n\t\tmap = MNT_LINUX_MAP;\n\telse {\n\t\tfprintf(stderr, \"unknown option '%s'\\n\", argv[1]);\n\t\treturn -EINVAL;\n\t}\n\n\toptstr = xstrdup(argv[2]);\n\tflags = strtoul(argv[3], NULL, 16);\n\n\tprintf(\"flags: 0x%08lx\\n\", flags);\n\n\trc = mnt_optstr_apply_flags(&optstr, flags, mnt_get_builtin_optmap(map));\n\tprintf(\"optstr: %s\\n\", optstr);\n\n\tfree(optstr);\n\treturn rc;\n}", "project": "util-linux", "hash": 222299549736471289104505906577653963728, "size": 29, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410430 }, { "func": "static bool setup_sum_funcs(THD *thd, Item_sum **func_ptr)\n{\n Item_sum *func;\n DBUG_ENTER(\"setup_sum_funcs\");\n while ((func= *(func_ptr++)))\n {\n if (func->aggregator_setup(thd))\n DBUG_RETURN(TRUE);\n }\n DBUG_RETURN(FALSE);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 47502317036692722352041614279055798766, "size": 11, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508680 }, { "func": "static unsigned int evdev_poll(struct file *file, poll_table *wait)\n{\n\tstruct evdev_client *client = file->private_data;\n\tstruct evdev *evdev = client->evdev;\n\tunsigned int mask;\n\n\tpoll_wait(file, &evdev->wait, wait);\n\n\tmask = evdev->exist ? POLLOUT | POLLWRNORM : POLLHUP | POLLERR;\n\tif (client->packet_head != client->tail)\n\t\tmask |= POLLIN | POLLRDNORM;\n\n\treturn mask;\n}", "project": "linux", "hash": 316123145457949701780551957475638518926, "size": 14, "commit_id": "483180281f0ac60d1138710eb21f4b9961901294", "message": "Input: evdev - flush queues during EVIOCGKEY-like ioctls\n\nIf userspace requests current KEY-state, they very likely assume that no\nsuch events are pending in the output queue of the evdev device.\nOtherwise, they will parse events which they already handled via\nEVIOCGKEY(). For XKB applications this can cause irreversible keyboard\nstates if a modifier is locked multiple times because a CTRL-DOWN event is\nhandled once via EVIOCGKEY() and once from the queue via read(), even\nthough it should handle it only once.\n\nTherefore, lets do the only logical thing and flush the evdev queue\natomically during this ioctl. 
We only flush events that are affected by\nthe given ioctl.\n\nThis only affects boolean events like KEY, SND, SW and LED. ABS, REL and\nothers are not affected as duplicate events can be handled gracefully by\nuser-space.\n\nNote: This actually breaks semantics of the evdev ABI. However,\ninvestigations showed that userspace already expects the new semantics and\nwe end up fixing at least all XKB applications.\nAll applications that are aware of this race-condition mirror the KEY\nstate for each open-file and detect/drop duplicate events. Hence, they do\nnot care whether duplicates are posted or not and work fine with this fix.\n\nAlso note that we need proper locking to guarantee atomicity and avoid\ndead-locks. event_lock must be locked before queue_lock (see input-core).\nHowever, we can safely release event_lock while flushing the queue. This\nallows the input-core to proceed with pending events and only stop if it\nneeds our queue_lock to post new events.\nThis should guarantee that we don't block event-dispatching for too long\nwhile flushing a single event queue.\n\nSigned-off-by: David Herrmann \nAcked-by: Peter Hutterer \nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 381728 }, { "func": "static void cancel_adv_timeout(struct hci_dev *hdev)\n{\n\tif (hdev->adv_instance_timeout) {\n\t\thdev->adv_instance_timeout = 0;\n\t\tcancel_delayed_work(&hdev->adv_instance_expire);\n\t}\n}", "project": "linux", "hash": 113439902478682901771993219217537666767, "size": 7, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402508 }, { "func": "apr_status_t h2_stream_in_consumed(h2_stream *stream, apr_off_t amount)\n{\n h2_session *session = stream->session;\n \n if (amount > 0) {\n apr_off_t consumed = amount;\n \n while (consumed > 0) {\n int len = (consumed > INT_MAX)? INT_MAX : (int)consumed;\n nghttp2_session_consume(session->ngh2, stream->id, len);\n consumed -= len;\n }\n\n#ifdef H2_NG2_LOCAL_WIN_SIZE\n if (1) {\n int cur_size = nghttp2_session_get_stream_local_window_size(\n session->ngh2, stream->id);\n int win = stream->in_window_size;\n int thigh = win * 8/10;\n int tlow = win * 2/10;\n const int win_max = 2*1024*1024;\n const int win_min = 32*1024;\n \n /* Work in progress, probably should add directives for these\n * values once this stabilizes somewhat. The general idea is\n * to adapt stream window sizes if the input window changes\n * a) very quickly (< good RTT) from full to empty\n * b) only a little bit (> bad RTT)\n * where in a) it grows and in b) it shrinks again.\n */\n if (cur_size > thigh && amount > thigh && win < win_max) {\n /* almost empty again with one reported consumption, how\n * long did this take? */\n long ms = apr_time_msec(apr_time_now() - stream->in_last_write);\n if (ms < 40) {\n win = H2MIN(win_max, win + (64*1024));\n }\n }\n else if (cur_size < tlow && amount < tlow && win > win_min) {\n /* staying full, for how long already? 
*/\n long ms = apr_time_msec(apr_time_now() - stream->in_last_write);\n if (ms > 700) {\n win = H2MAX(win_min, win - (32*1024));\n }\n }\n \n if (win != stream->in_window_size) {\n stream->in_window_size = win;\n nghttp2_session_set_local_window_size(session->ngh2, \n NGHTTP2_FLAG_NONE, stream->id, win);\n } \n ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, session->c,\n \"h2_stream(%ld-%d): consumed %ld bytes, window now %d/%d\",\n session->id, stream->id, (long)amount, \n cur_size, stream->in_window_size);\n }\n#endif\n }\n return APR_SUCCESS; \n}", "project": "httpd", "hash": 104932347823630372378514759056859691504, "size": 60, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284231 }, { "func": "bool HasPlaceHolder(const AttrValue& val) {\n switch (val.value_case()) {\n case AttrValue::kList: {\n for (const NameAttrList& func : val.list().func()) {\n for (const auto& p : func.attr()) {\n if (HasPlaceHolder(p.second)) {\n return true;\n }\n }\n }\n break;\n }\n case AttrValue::kFunc:\n for (const auto& p : val.func().attr()) {\n if (HasPlaceHolder(p.second)) {\n return true;\n }\n }\n break;\n case AttrValue::kPlaceholder:\n return true;\n default:\n break;\n }\n return false;\n}", "project": "tensorflow", "hash": 119183324478552945049298700899212921017, "size": 26, "commit_id": "c2426bba00a01de6913738df8fa78e0215fcce02", "message": "Use `PartialTensorShape` instead of `TensorShape`.\n\n`TensorShape` constructor throws a CHECK-fail if shape is partial/overflows which the other doesn't. 
We are only determining the number of elements in the shape and partial shape should be used as it returns negative number when needed.\n\nPiperOrigin-RevId: 409205384\nChange-Id: Ia56542ff9ec758f2c9ffc7e4dcc9fa7eecd86e7b", "target": 0, "dataset": "other", "idx": 223148 }, { "func": " bool operator()(const StringData *s1, const StringData *s2) const {\n assertx(s1 && s2);\n return s1->isame(s2);\n }", "project": "hhvm", "hash": 112080833468345441393251354027125271186, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219050 }, { "func": " bool operator()(const StringData *s1, const StringData *s2) const {\n assertx(s1 && s2);\n return s1->same(s2);\n }", "project": "hhvm", "hash": 138050354492290314079910131652594855441, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219126 }, { "func": " bool operator()(const StringData* s1, const StringData* s2) {\n // ahm uses -1, -2, -3 as magic values\n return int64_t(s1) > 0 && (s1 == s2 || s1->same(s2));\n }", "project": "hhvm", "hash": 94736760801795026306176112903315853448, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219287 }, { "func": " size_t operator()(const StringData *s) const {\n return s->hash();\n }", "project": "hhvm", "hash": 33819320204584052494950260227959991809, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219395 }, { "func": " bool operator()(const StringData* a, const StringData* b) const {\n return a == b || a->same(b);\n }", 
"project": "hhvm", "hash": 56071489879356495347268164940664457298, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219462 }, { "func": " bool operator()(const StringData *s1, const StringData *s2) const {\n return bstrcasecmp(s1->data(), s1->size(), s2->data(), s2->size()) < 0;\n }", "project": "hhvm", "hash": 119416975806497634736684320741168009264, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219642 }, { "func": " void operator()(const Device& d,\n const Eigen::DSizes& shape,\n const Eigen::array& logits_bcast,\n const Eigen::array& labels_bcast,\n typename TTypes::ConstMatrix logits,\n typename TTypes::ConstMatrix labels,\n typename TTypes::Matrix scratch,\n typename TTypes::Vec loss,\n typename TTypes::Matrix backprop) {\n XentEigenImpl::Compute(d, shape, logits_bcast, labels_bcast,\n logits, labels, scratch, loss, backprop);\n }", "project": "tensorflow", "hash": 216213126617434260656596852102301116798, "size": 12, "commit_id": "4d74d8a00b07441cba090a02e0dd9ed385145bf4", "message": "Fix crash in softmax-xent when some input dimensions are 1.\n\nBefore, tf.nn.softmax_cross_entropy_with_logits would fail a CHECK if one input tensor had shape (1, 1) and the other did not.\n\nIn particular, the call to ToIndexArray<2> here https://github.com/tensorflow/tensorflow/blob/1f3da84a89702d3b4f234ee83762d738caffe098/tensorflow/core/kernels/xent_op.cc#L99 would fail, since the call assumed the array had two dimensions. If both dimensions were 1, BCast would merge the two dimensions into a single dimension. 
Passing fewer_dims_optimization=false stops this optimization\n\nPiperOrigin-RevId: 384844496\nChange-Id: Ifb02dc74964132c3ed3f3bc98b0858dbe4e258b7", "target": 0, "dataset": "other", "idx": 229859 }, { "func": " void operator()(OpKernelContext* ctx, const T* out_data, const T* filter_data,\n const int filter_total_size, const int output_image_size,\n const int dims_out_depth, T* im2col_buf) {\n // Inputs are in RowMajor order.\n // im2col = out_data * filter_data^T\n // [ois x fts] = [ois x dod] * [fts x dod]^T\n //\n // Dimension names:\n // out_image_size -> ois\n // filter_total_size -> fts\n // dims_out_depth -> dod\n\n const int m = output_image_size;\n const int n = filter_total_size;\n const int k = dims_out_depth; // contraction dim\n\n const char transposeA = 'N'; // sgemm(A) == filter_data\n const char transposeB = 'T'; // sgemm(B) == out_data\n\n const int ldA = dims_out_depth;\n const int ldB = dims_out_depth;\n const int ldC = filter_total_size;\n\n const float alpha = 1.0;\n const float beta = 0.0;\n\n // dnnl_sgemm code can't be instrumented with msan.\n ANNOTATE_MEMORY_IS_INITIALIZED(\n im2col_buf, filter_total_size * output_image_size * sizeof(T));\n\n dnnl_status_t st =\n dnnl_sgemm(transposeA, transposeB, m, n, k, alpha, out_data, ldA,\n filter_data, ldB, beta, im2col_buf, ldC);\n\n OP_REQUIRES(\n ctx, st == 0,\n errors::Internal(\"Failed to call dnnl_sgemm. 
Error code: \", st));\n }", "project": "tensorflow", "hash": 96962519768559459794461599728393021097, "size": 38, "commit_id": "2be2cdf3a123e231b16f766aa0e27d56b4606535", "message": "Prevent yet another division by zero\n\nPiperOrigin-RevId: 369343977\nChange-Id: I1a60da4cf512e60fd91e069c16e026544632fe7f", "target": 0, "dataset": "other", "idx": 241525 }, { "func": " void operator()(OpKernelContext* ctx, const T* out_data, const T* filter_data,\n const int filter_total_size, const int output_image_size,\n const int dims_out_depth, T* im2col_buf) {\n // Compute gradient into 'im2col_buf'.\n MatrixMap C(im2col_buf, output_image_size, filter_total_size);\n\n ConstMatrixMap A(out_data, output_image_size, dims_out_depth);\n ConstMatrixMap B(filter_data, filter_total_size, dims_out_depth);\n\n C.noalias() = A * B.transpose();\n }", "project": "tensorflow", "hash": 23617949133847215579020074429643541447, "size": 11, "commit_id": "2be2cdf3a123e231b16f766aa0e27d56b4606535", "message": "Prevent yet another division by zero\n\nPiperOrigin-RevId: 369343977\nChange-Id: I1a60da4cf512e60fd91e069c16e026544632fe7f", "target": 0, "dataset": "other", "idx": 241528 }, { "func": " void operator()(OpKernelContext* ctx, bool use_cudnn, bool cudnn_use_autotune,\n const Tensor& out_backprop, const Tensor& filter,\n int row_dilation, int col_dilation, int row_stride,\n int col_stride, const Padding& padding,\n const std::vector& explicit_paddings,\n Tensor* in_backprop, TensorFormat data_format) {\n LaunchConv2DBackpropInputOpImpl launcher;\n launcher(ctx, use_cudnn, cudnn_use_autotune, out_backprop, filter,\n row_dilation, col_dilation, row_stride, col_stride, padding,\n explicit_paddings, in_backprop, data_format);\n }", "project": "tensorflow", "hash": 334317202995897049504047039250548372142, "size": 11, "commit_id": "2be2cdf3a123e231b16f766aa0e27d56b4606535", "message": "Prevent yet another division by zero\n\nPiperOrigin-RevId: 369343977\nChange-Id: 
I1a60da4cf512e60fd91e069c16e026544632fe7f", "target": 0, "dataset": "other", "idx": 241529 }, { "func": " bool operator()(OpKernelContext* context, const Device& d,\n typename TTypes::Tensor input_backward,\n typename TTypes::ConstTensor kernel,\n typename TTypes::ConstTensor output_backward,\n int input_rows, int input_cols, int row_stride,\n int col_stride, int pad_h, int pad_w,\n TensorFormat data_format) const {\n return false;\n }", "project": "tensorflow", "hash": 314016232014171063534367014136337213487, "size": 9, "commit_id": "2be2cdf3a123e231b16f766aa0e27d56b4606535", "message": "Prevent yet another division by zero\n\nPiperOrigin-RevId: 369343977\nChange-Id: I1a60da4cf512e60fd91e069c16e026544632fe7f", "target": 0, "dataset": "other", "idx": 241530 }, { "func": " bool operator()(OpKernelContext* context, const CPUDevice& d,\n typename TTypes::Tensor input_backward,\n typename TTypes::ConstTensor kernel,\n typename TTypes::ConstTensor output_backward,\n int input_rows, int input_cols, int row_stride,\n int col_stride, int pad_h, int pad_w,\n TensorFormat data_format) const {\n auto batch = input_backward.dimension(0);\n auto in_depth = input_backward.dimension(3);\n auto out_depth = output_backward.dimension(3);\n auto filter_rows = kernel.dimension(0);\n auto filter_cols = kernel.dimension(1);\n auto num_threads =\n context->device()->tensorflow_cpu_worker_threads()->num_threads;\n // See libxsmm_dnn.h for this struct definition.\n libxsmm_dnn_conv_desc desc;\n desc.N = batch;\n desc.C = in_depth;\n desc.H = input_rows;\n desc.W = input_cols;\n desc.K = out_depth;\n desc.R = filter_rows;\n desc.S = filter_cols;\n desc.u = row_stride;\n desc.v = col_stride;\n desc.pad_h = pad_h;\n desc.pad_w = pad_w;\n desc.pad_h_in = 0;\n desc.pad_w_in = 0;\n desc.pad_h_out = 0;\n desc.pad_w_out = 0;\n desc.threads = num_threads;\n desc.algo = LIBXSMM_DNN_CONV_ALGO_DIRECT;\n desc.buffer_format = LIBXSMM_DNN_TENSOR_FORMAT_NHWC;\n desc.filter_format =\n 
LIBXSMM_DNN_TENSOR_FORMAT_LIBXSMM; // LIBXSMM_DNN_TENSOR_FORMAT_RSCK;\n desc.fuse_ops = LIBXSMM_DNN_CONV_FUSE_NONE;\n desc.options = LIBXSMM_DNN_CONV_OPTION_OVERWRITE;\n desc.datatype_out = LIBXSMM_DNN_DATATYPE_F32;\n desc.datatype_in = LIBXSMM_DNN_DATATYPE_F32;\n auto input_ptr = input_backward.data();\n auto filter_ptr = kernel.data();\n auto output_ptr = output_backward.data();\n\n bool success = functor::XsmmBkwInputConv2D()(\n context, desc, input_ptr, filter_ptr, output_ptr);\n return success;\n }", "project": "tensorflow", "hash": 275034381176362593758025393269308047026, "size": 48, "commit_id": "2be2cdf3a123e231b16f766aa0e27d56b4606535", "message": "Prevent yet another division by zero\n\nPiperOrigin-RevId: 369343977\nChange-Id: I1a60da4cf512e60fd91e069c16e026544632fe7f", "target": 0, "dataset": "other", "idx": 241534 }, { "func": " void operator()(const CPUDevice& d, typename TTypes::ConstVec input,\n const bool signed_input, const int num_bits,\n const bool range_given, Tensor* input_min_tensor,\n Tensor* input_max_tensor, QuantizerRoundMode round_mode,\n bool narrow_range, typename TTypes::Vec out) {\n QuantizeAndDequantizeOneScaleImpl::Compute(\n d, input, signed_input, num_bits, range_given, input_min_tensor,\n input_max_tensor, round_mode, narrow_range, out);\n }", "project": "tensorflow", "hash": 277356999210015791333189500999269347168, "size": 9, "commit_id": "eccb7ec454e6617738554a255d77f08e60ee0808", "message": "Prevent segfault in `quantize_and_dequantize`\n\nFixes #42105.\n\nIf `tf.quantization.quantize_and_dequantize` is called with `axis` argument pointing to outside of the input tensor, we obtain a `CHECK` fail which then aborts the application/interpreter. 
This change adds a condition check and returns a `Status` instead of crashing.\n\nPiperOrigin-RevId: 337972243\nChange-Id: I71ec32c00a87266e364fb017f0ad5dfd3e23542f", "target": 0, "dataset": "other", "idx": 245426 }, { "func": " void operator()(const CPUDevice& d, typename TTypes::ConstTensor input,\n bool signed_input, int num_bits, bool range_given,\n Tensor* input_min_tensor, Tensor* input_max_tensor,\n QuantizerRoundMode round_mode, bool narrow_range,\n typename TTypes::Tensor out) {\n QuantizeAndDequantizePerChannelImpl::Compute(\n d, input, signed_input, num_bits, range_given, input_min_tensor,\n input_max_tensor, round_mode, narrow_range, out);\n }", "project": "tensorflow", "hash": 94806133023475090878295153528927102396, "size": 9, "commit_id": "eccb7ec454e6617738554a255d77f08e60ee0808", "message": "Prevent segfault in `quantize_and_dequantize`\n\nFixes #42105.\n\nIf `tf.quantization.quantize_and_dequantize` is called with `axis` argument pointing to outside of the input tensor, we obtain a `CHECK` fail which then aborts the application/interpreter. 
This change adds a condition check and returns a `Status` instead of crashing.\n\nPiperOrigin-RevId: 337972243\nChange-Id: I71ec32c00a87266e364fb017f0ad5dfd3e23542f", "target": 0, "dataset": "other", "idx": 245428 }, { "func": " void operator()(const CPUDevice& d, typename TTypes::ConstFlat gradient,\n typename TTypes::ConstFlat input,\n typename TTypes::ConstScalar input_min_tensor,\n typename TTypes::ConstScalar input_max_tensor,\n typename TTypes::Flat input_backprop,\n typename TTypes::Scalar input_min_backprop,\n typename TTypes::Scalar input_max_backprop) {\n QuantizeAndDequantizeOneScaleGradientImpl::Compute(\n d, gradient, input, input_min_tensor, input_max_tensor, input_backprop,\n input_min_backprop, input_max_backprop);\n }", "project": "tensorflow", "hash": 203718510649890175037536217787812882055, "size": 11, "commit_id": "eccb7ec454e6617738554a255d77f08e60ee0808", "message": "Prevent segfault in `quantize_and_dequantize`\n\nFixes #42105.\n\nIf `tf.quantization.quantize_and_dequantize` is called with `axis` argument pointing to outside of the input tensor, we obtain a `CHECK` fail which then aborts the application/interpreter. 
This change adds a condition check and returns a `Status` instead of crashing.\n\nPiperOrigin-RevId: 337972243\nChange-Id: I71ec32c00a87266e364fb017f0ad5dfd3e23542f", "target": 0, "dataset": "other", "idx": 245429 }, { "func": " void operator()(const CPUDevice& d,\n typename TTypes::ConstTensor gradient,\n typename TTypes::ConstTensor input,\n const Tensor* input_min_tensor,\n const Tensor* input_max_tensor,\n typename TTypes::Tensor input_backprop,\n typename TTypes::Flat input_min_backprop,\n typename TTypes::Flat input_max_backprop) {\n QuantizeAndDequantizePerChannelGradientImpl::Compute(\n d, gradient, input, input_min_tensor, input_max_tensor, input_backprop,\n input_min_backprop, input_max_backprop);\n }", "project": "tensorflow", "hash": 250892127400077848456787978225230724640, "size": 12, "commit_id": "eccb7ec454e6617738554a255d77f08e60ee0808", "message": "Prevent segfault in `quantize_and_dequantize`\n\nFixes #42105.\n\nIf `tf.quantization.quantize_and_dequantize` is called with `axis` argument pointing to outside of the input tensor, we obtain a `CHECK` fail which then aborts the application/interpreter. This change adds a condition check and returns a `Status` instead of crashing.\n\nPiperOrigin-RevId: 337972243\nChange-Id: I71ec32c00a87266e364fb017f0ad5dfd3e23542f", "target": 0, "dataset": "other", "idx": 245431 }, { "func": " void operator()(uint8_t *buffer) { free(buffer); }", "project": "asylo", "hash": 312237490566146008074453621541660794973, "size": 1, "commit_id": "90d7619e9dd99bcdb6cd28c7649d741d254d9a1a", "message": "Add sysno check in MessageReader\n\nThe sysno in MessageReader is interpreted from the Message header passed\nfrom the host. A malicious Message header may provide a modified sysno\nto bypass the validation, and overwrites enclave memory. 
This change\nadds a check for sysno to make sure it matches the expected value.\n\nThis issue was reported by Qinkun Bao, Zhaofeng Chen, Mingshen Sun, and\nKang Li from Baidu Security.\n\nPiperOrigin-RevId: 377328054\nChange-Id: I3ff6f60694d3390f66da89d139cf7cc7b49abaea", "target": 0, "dataset": "other", "idx": 248768 }, { "func": " auto operator()(ExpressionContext* const expCtx,\n BSONElement bsonExpr,\n const VariablesParseState& vps) const {\n return ExpressionCompare::parse(expCtx, std::move(bsonExpr), vps, op);\n }", "project": "mongo", "hash": 149511902304184957450643014540511371294, "size": 5, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370042 }, { "func": "R_API int r_core_prompt_exec(RCore *r) {\n\tint ret = r_core_cmd (r, r->cmdqueue, true);\n\tr->rc = r->num->value;\n\t//int ret = r_core_cmd (r, r->cmdqueue, true);\n\tif (r->cons && r->cons->use_tts) {\n\t\tconst char *buf = r_cons_get_buffer();\n\t\tr_sys_tts (buf, true);\n\t\tr->cons->use_tts = false;\n\t}\n\tr_cons_echo (NULL);\n\tr_cons_flush ();\n\tif (r->cons && r->cons->line && r->cons->line->zerosep) {\n\t\tr_cons_zero ();\n\t}\n\treturn ret;\n}", "project": "radare2", "hash": 99167884797279871553382148387721150660, "size": 16, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232206 }, { "func": "UnicodeString::~UnicodeString()\n{\n#ifdef UNISTR_COUNT_FINAL_STRING_LENGTHS\n // Count lengths of strings at the end of their lifetime.\n // Useful for discussion of a desirable stack buffer size.\n // Count the contents length, not the optional NUL terminator nor further capacity.\n // Ignore open-buffer strings and strings which alias external storage.\n if((fUnion.fFields.fLengthAndFlags&(kOpenGetBuffer|kReadonlyAlias|kWritableAlias)) == 0) {\n if(hasShortLength()) {\n 
umtx_atomic_inc(finalLengthCounts + getShortLength());\n } else {\n umtx_atomic_inc(&beyondCount);\n }\n }\n#endif\n\n releaseArray();\n}", "project": "icu", "hash": 277876373567912318525644659275634361301, "size": 18, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430738 }, { "func": "virtio_vq_enable(struct virtio_base *base)\n{\n\tstruct virtio_vq_info *vq;\n\tuint16_t qsz;\n\tuint64_t phys;\n\tsize_t size;\n\tchar *vb;\n\n\tvq = &base->queues[base->curq];\n\tqsz = vq->qsize;\n\n\t/* descriptors */\n\tphys = (((uint64_t)vq->gpa_desc[1]) << 32) | vq->gpa_desc[0];\n\tsize = qsz * sizeof(struct vring_desc);\n\tvb = paddr_guest2host(base->dev->vmctx, phys, size);\n\tif (!vb)\n\t\tgoto error;\n\tvq->desc = (struct vring_desc *)vb;\n\n\t/* available ring */\n\tphys = (((uint64_t)vq->gpa_avail[1]) << 32) | vq->gpa_avail[0];\n\tsize = (2 + qsz + 1) * sizeof(uint16_t);\n\tvb = paddr_guest2host(base->dev->vmctx, phys, size);\n\tif (!vb)\n\t\tgoto error;\n\n\tvq->avail = (struct vring_avail *)vb;\n\n\t/* used ring */\n\tphys = (((uint64_t)vq->gpa_used[1]) << 32) | vq->gpa_used[0];\n\tsize = sizeof(uint16_t) * 3 + sizeof(struct vring_used_elem) * qsz;\n\tvb = paddr_guest2host(base->dev->vmctx, phys, size);\n\tif (!vb)\n\t\tgoto error;\n\tvq->used = (struct vring_used *)vb;\n\n\t/* Start at 0 when we use it. */\n\tvq->last_avail = 0;\n\tvq->save_used = 0;\n\n\t/* Mark queue as enabled. */\n\tvq->enabled = true;\n\n\t/* Mark queue as allocated after initialization is complete. 
*/\n\tmb();\n\tvq->flags = VQ_ALLOC;\n\treturn;\n error:\n\tvq->flags = 0;\n\tpr_err(\"%s: vq enable failed\\n\", __func__);\n}", "project": "acrn-hypervisor", "hash": 21928776782375644989001619766428352618, "size": 51, "commit_id": "154fe59531c12b82e26d1b24b5531f5066d224f5", "message": "dm: validate inputs in vq_endchains\n\n inputs shall be validated to avoid NULL pointer access.\n\nTracked-On: #6129\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 232988 }, { "func": "virtio_vq_init(struct virtio_base *base, uint32_t pfn)\n{\n\tstruct virtio_vq_info *vq;\n\tuint64_t phys;\n\tsize_t size;\n\tchar *vb;\n\n\tvq = &base->queues[base->curq];\n\tvq->pfn = pfn;\n\tphys = (uint64_t)pfn << VRING_PAGE_BITS;\n\tsize = vring_size(vq->qsize, VIRTIO_PCI_VRING_ALIGN);\n\tvb = paddr_guest2host(base->dev->vmctx, phys, size);\n\tif (!vb)\n\t\tgoto error;\n\n\t/* First page(s) are descriptors... */\n\tvq->desc = (struct vring_desc *)vb;\n\tvb += vq->qsize * sizeof(struct vring_desc);\n\n\t/* ... immediately followed by \"avail\" ring (entirely uint16_t's) */\n\tvq->avail = (struct vring_avail *)vb;\n\tvb += (2 + vq->qsize + 1) * sizeof(uint16_t);\n\n\t/* Then it's rounded up to the next page... */\n\tvb = (char *)roundup2((uintptr_t)vb, VIRTIO_PCI_VRING_ALIGN);\n\n\t/* ... and the last page(s) are the used ring. */\n\tvq->used = (struct vring_used *)vb;\n\n\t/* Start at 0 when we use it. */\n\tvq->last_avail = 0;\n\tvq->save_used = 0;\n\n\t/* Mark queue as allocated after initialization is complete. 
*/\n\tmb();\n\tvq->flags = VQ_ALLOC;\n\n\treturn;\n\nerror:\n\tvq->flags = 0;\n\tpr_err(\"%s: vq enable failed\\n\", __func__);\n}", "project": "acrn-hypervisor", "hash": 262121393924580436150705074884334361662, "size": 43, "commit_id": "154fe59531c12b82e26d1b24b5531f5066d224f5", "message": "dm: validate inputs in vq_endchains\n\n inputs shall be validated to avoid NULL pointer access.\n\nTracked-On: #6129\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 232991 }, { "func": "void CopyGraph(const Graph& src, Graph* dest) {\n dest->SetConstructionContext(src.GetConstructionContextInternal());\n\n for (Node* n : dest->nodes()) {\n CHECK(n->IsSource() || n->IsSink()) << \"*dest must be empty\";\n }\n\n // Copy GraphDef versions\n dest->set_versions(src.versions());\n\n // Copy the nodes.\n // \"Node in src\" -> \"Node in *dest\"\n gtl::FlatMap node_map;\n node_map[src.source_node()] = dest->source_node();\n node_map[src.sink_node()] = dest->sink_node();\n for (Node* n : src.op_nodes()) {\n node_map[n] = dest->CopyNode(n);\n }\n\n // Copy the edges\n for (const Edge* e : src.edges()) {\n Node* src_copy = node_map[e->src()];\n Node* dst_copy = node_map[e->dst()];\n dest->AddEdge(src_copy, e->src_output(), dst_copy, e->dst_input());\n }\n}", "project": "tensorflow", "hash": 27385145029506077503420233123002344614, "size": 26, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268303 }, { "func": "int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size)\n{\n AVCodecContext *avctx = h->avctx;\n int ret;\n\n if (!buf || size <= 0)\n return -1;\n\n if (buf[0] == 1) {\n int i, cnt, nalsize;\n const unsigned char *p = buf;\n\n h->is_avc = 1;\n\n if (size < 7) {\n av_log(avctx, AV_LOG_ERROR, \"avcC too short\\n\");\n return AVERROR_INVALIDDATA;\n }\n /* sps and pps in the avcC always have length coded with 2 bytes,\n * so put a fake nal_length_size = 2 while parsing them */\n h->nal_length_size = 2;\n // Decode sps from avcC\n cnt = *(p + 5) & 0x1f; // Number of sps\n p += 6;\n for (i = 0; i < cnt; i++) {\n nalsize = AV_RB16(p) + 2;\n if(nalsize > size - (p-buf))\n return AVERROR_INVALIDDATA;\n ret = decode_nal_units(h, p, nalsize, 1);\n if (ret < 0) {\n av_log(avctx, AV_LOG_ERROR,\n \"Decoding sps %d from avcC failed\\n\", i);\n return ret;\n }\n p += nalsize;\n }\n // Decode pps from avcC\n cnt = *(p++); // Number of pps\n for (i = 0; i < cnt; i++) {\n nalsize = AV_RB16(p) + 2;\n if(nalsize > size - (p-buf))\n return AVERROR_INVALIDDATA;\n ret = decode_nal_units(h, p, nalsize, 1);\n if (ret < 0) {\n av_log(avctx, AV_LOG_ERROR,\n \"Decoding pps %d from avcC failed\\n\", i);\n return ret;\n }\n p += nalsize;\n }\n // Now store right nal length size, that will be used to parse all other nals\n h->nal_length_size = (buf[4] & 0x03) + 1;\n } else {\n h->is_avc = 0;\n ret = decode_nal_units(h, buf, size, 1);\n if (ret < 0)\n return ret;\n }\n return size;\n}", "project": "FFmpeg", "hash": 251620096800692214832772540876391620604, "size": 60, "commit_id": "8a3b85f3a7952c54a2c36ba1797f7e0cde9f85aa", "message": 
"avcodec/h264: update current_sps & sps->new only after the whole slice header decoder and init code finished\n\nThis avoids them being cleared before the full initialization finished\n\nFixes out of array read\nFixes: asan_heap-oob_f0c5e6_7071_cov_1605985132_mov_h264_aac__Demo_FlagOfOurFathers.mov\nFound-by: Mateusz \"j00ru\" Jurczyk and Gynvael Coldwind\nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 270127 }, { "func": "static inline struct sk_buff *tcp_write_queue_prev(const struct sock *sk,\n\t\t\t\t\t\t const struct sk_buff *skb)\n{\n\treturn skb_queue_prev(&sk->sk_write_queue, skb);\n}", "project": "linux", "hash": 244613986103607814990184628904852906357, "size": 5, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410815 }, { "func": "static inline __sum16 __tcp_checksum_complete(struct sk_buff *skb)\n{\n\treturn __skb_checksum_complete(skb);\n}", "project": "linux", "hash": 304921909522892288360620778458282823231, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410793 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "float SoftwareFrameManager::GetCurrentFrameDeviceScaleFactor() const {\n DCHECK(HasCurrentFrame());\n return current_frame_->frame_device_scale_factor_;\n}\n", "cwe": "", "big_vul_idx": 129965, "idx": 116278, "hash": 249281827218080751428432927447896701421 }, { "func": "static int SFDGetBitmapChar(FILE *sfd,BDFFont *bdf) {\n BDFChar *bfc;\n struct enc85 dec;\n int i, enc, orig;\n int width,xmax,xmin,ymax,ymin, vwidth=-1;\n EncMap *map;\n int ch;\n\n map = bdf->sf->map;\n\n if ( getint(sfd,&orig)!=1 || orig<0 )\nreturn( 0 );\n if ( getint(sfd,&enc)!=1 )\nreturn( 0 );\n if ( getint(sfd,&width)!=1 )\nreturn( 0 );\n if ( getint(sfd,&xmin)!=1 )\nreturn( 0 );\n if ( getint(sfd,&xmax)!=1 )\nreturn( 0 );\n if ( getint(sfd,&ymin)!=1 )\nreturn( 0 );\n while ( (ch=nlgetc(sfd))==' ');\n ungetc(ch,sfd);\n if ( ch=='\\n' || ch=='\\r' || getint(sfd,&ymax)!=1 ) {\n\t/* Old style format, no orig_pos given, shift everything by 1 */\n\tymax = ymin;\n\tymin = xmax;\n\txmax = xmin;\n\txmin = width;\n\twidth = enc;\n\tenc = orig;\n\torig = map->map[enc];\n } else {\n\twhile ( (ch=nlgetc(sfd))==' ');\n\tungetc(ch,sfd);\n\tif ( ch!='\\n' && ch!='\\r' )\n\t getint(sfd,&vwidth);\n }\n if ( enc<0 ||xmaxsc = SFMakeChar(bdf->sf,map,enc);\n\torig = bfc->sc->orig_pos;\n }\n\n bfc->orig_pos = orig;\n bfc->width = width;\n bfc->ymax = ymax; bfc->ymin = ymin;\n bfc->xmax = xmax; bfc->xmin = xmin;\n bdf->glyphs[orig] = bfc;\n bfc->sc = bdf->sf->glyphs[orig];\n bfc->vwidth = vwidth!=-1 ? vwidth :\n\t rint(bfc->sc->vwidth*bdf->pixelsize / (real) (bdf->sf->ascent+bdf->sf->descent));\n if ( bdf->clut==NULL ) {\n\tbfc->bytes_per_line = (bfc->xmax-bfc->xmin)/8 +1;\n\tbfc->depth = 1;\n } else {\n\tbfc->bytes_per_line = bfc->xmax-bfc->xmin +1;\n\tbfc->byte_data = true;\n\tbfc->depth = bdf->clut->clut_len==4 ? 2 : bdf->clut->clut_len==16 ? 
4 : 8;\n }\n bfc->bitmap = calloc((bfc->ymax-bfc->ymin+1)*bfc->bytes_per_line,sizeof(uint8));\n\n memset(&dec,'\\0', sizeof(dec)); dec.pos = -1;\n dec.sfd = sfd;\n for ( i=0; i<=bfc->ymax-bfc->ymin; ++i ) {\n\tuint8 *pt = (uint8 *) (bfc->bitmap + i*bfc->bytes_per_line);\n\tuint8 *end = (uint8 *) (bfc->bitmap + (i+1)*bfc->bytes_per_line);\n\twhile ( ptsc==NULL ) {\n\tbdf->glyphs[bfc->orig_pos] = NULL;\n\tBDFCharFree(bfc);\n }\n/* This fixes a bug: We didn't set \"widthset\" on splinechars when reading in */\n/* winfonts. We should set it now on any bitmaps worth outputting to make up*/\n/* for that. Eventually we should have good sfd files and can remove this */\n else if ( bfc->sc->width!=bdf->sf->ascent + bdf->sf->descent )\n\tbfc->sc->widthset = true;\nreturn( 1 );\n}", "project": "fontforge", "hash": 115937420323054431608204312352946433623, "size": 89, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417788 }, { "func": "static inline int handle_metadata_errors(req_state* const s, const int op_ret)\n{\n if (op_ret == -EFBIG) {\n /* Handle the custom error message of exceeding maximum custom attribute\n * (stored as xattr) size. 
*/\n const auto error_message = boost::str(\n boost::format(\"Metadata value longer than %lld\")\n % s->cct->_conf.get_val(\"rgw_max_attr_size\"));\n set_req_state_err(s, EINVAL, error_message);\n return -EINVAL;\n } else if (op_ret == -E2BIG) {\n const auto error_message = boost::str(\n boost::format(\"Too many metadata items; max %lld\")\n % s->cct->_conf.get_val(\"rgw_max_attrs_num_in_req\"));\n set_req_state_err(s, EINVAL, error_message);\n return -EINVAL;\n }\n\n return op_ret;\n}", "project": "ceph", "hash": 339559037910041782615121730409608450405, "size": 20, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448810 }, { "func": " * %NULL on failure\n */\nstatic struct iscsi_bus_flash_session *\niscsi_get_flashnode_by_index(struct Scsi_Host *shost, uint32_t idx)\n{\n\tstruct iscsi_bus_flash_session *fnode_sess = NULL;\n\tstruct device *dev;\n\n\tdev = device_find_child(&shost->shost_gendev, &idx,\n\t\t\t\tflashnode_match_index);\n\tif (dev)\n\t\tfnode_sess = iscsi_dev_to_flash_session(dev);", "project": "linux", "hash": 294830858083157226614503758303581535485, "size": 12, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379981 }, { "func": "static void freeze_limited_counters(struct cpu_hw_events *cpuhw,\n\t\t\t\t unsigned long pmc5, unsigned long pmc6)\n{\n\tstruct perf_event *event;\n\tu64 val, prev, delta;\n\tint i;\n\n\tfor (i = 0; i < cpuhw->n_limited; ++i) {\n\t\tevent = cpuhw->limited_counter[i];\n\t\tif (!event->hw.idx)\n\t\t\tcontinue;\n\t\tval = (event->hw.idx == 5) ? pmc5 : pmc6;\n\t\tprev = local64_read(&event->hw.prev_count);\n\t\tevent->hw.idx = 0;\n\t\tdelta = check_and_compute_delta(prev, val);\n\t\tif (delta)\n\t\t\tlocal64_add(delta, &event->count);\n\t}\n}", "project": "linux", "hash": 264842682977757285624288756786383383099, "size": 19, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374696 }, { "func": "static void fuse_sb_destroy(struct super_block *sb)\n{\n\tstruct fuse_mount *fm = get_fuse_mount_super(sb);\n\tbool last;\n\n\tif (fm) {\n\t\tlast = fuse_mount_remove(fm);\n\t\tif (last)\n\t\t\tfuse_conn_destroy(fm);\n\t}\n}", "project": "linux", "hash": 316200149138171367636592689103056977238, "size": 11, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341933 }, { "func": " */\nstatic void update_thr_responsiveness_params(struct bfq_data *bfqd)\n{\n\tif (bfqd->bfq_user_max_budget == 0) {\n\t\tbfqd->bfq_max_budget =\n\t\t\tbfq_calc_max_budget(bfqd);\n\t\tbfq_log(bfqd, \"new max_budget = %d\", bfqd->bfq_max_budget);\n\t}", "project": "linux", "hash": 30697867704370376375255270613872295163, "size": 8, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453389 }, { "project": "phosphor-host-ipmid", "commit_id": "b265455a2518ece7c004b43c144199ec980fc620", "target": 0, "func": "int PasswdMgr::updateUserEntry(const std::string& userName,\n const std::string& newUserName)\n{\n std::time_t updatedTime = getUpdatedFileTime();\n // Check file time stamp to know passwdMapList is up-to-date.\n // If not up-to-date, then updatePasswdSpecialFile will read and\n // check the user entry existance.\n if (fileLastUpdatedTime == updatedTime && updatedTime != -EIO)\n {\n if (passwdMapList.find(userName) == passwdMapList.end())\n {\n log(\"User not found\");\n return 0;\n }\n }\n\n // Write passwdMap to Encryted file\n if (updatePasswdSpecialFile(userName, newUserName) != 0)\n {\n log(\"Passwd file update failed\");\n return -EIO;\n }\n\n log(\"Passwd file updated successfully\");\n return 0;\n}", "idx": 519583, "cwe": "CWE-276", 
"hash": 26320306695619518879735261227209295308, "dataset": "other" }, { "func": "opj_j2k_t* opj_j2k_create_compress(void)\n{\n opj_j2k_t *l_j2k = (opj_j2k_t*) opj_calloc(1, sizeof(opj_j2k_t));\n if (!l_j2k) {\n return NULL;\n }\n\n\n l_j2k->m_is_decoder = 0;\n l_j2k->m_cp.m_is_decoder = 0;\n\n l_j2k->m_specific_param.m_encoder.m_header_tile_data = (OPJ_BYTE *) opj_malloc(\n OPJ_J2K_DEFAULT_HEADER_SIZE);\n if (! l_j2k->m_specific_param.m_encoder.m_header_tile_data) {\n opj_j2k_destroy(l_j2k);\n return NULL;\n }\n\n l_j2k->m_specific_param.m_encoder.m_header_tile_data_size =\n OPJ_J2K_DEFAULT_HEADER_SIZE;\n\n /* validation list creation*/\n l_j2k->m_validation_list = opj_procedure_list_create();\n if (! l_j2k->m_validation_list) {\n opj_j2k_destroy(l_j2k);\n return NULL;\n }\n\n /* execution list creation*/\n l_j2k->m_procedure_list = opj_procedure_list_create();\n if (! l_j2k->m_procedure_list) {\n opj_j2k_destroy(l_j2k);\n return NULL;\n }\n\n l_j2k->m_tp = opj_thread_pool_create(opj_j2k_get_default_thread_count());\n if (!l_j2k->m_tp) {\n l_j2k->m_tp = opj_thread_pool_create(0);\n }\n if (!l_j2k->m_tp) {\n opj_j2k_destroy(l_j2k);\n return NULL;\n }\n\n return l_j2k;\n}", "project": "openjpeg", "hash": 301599792878553961076239233412113087824, "size": 46, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357416 }, { "func": "static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_read_flow_control_mode *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->flow_ctl_mode = rp->mode;\n}", "project": "linux", "hash": 128066859430278251683755746830541282561, "size": 12, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in 
hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431903 }, { "func": "void php_openssl_store_errors()\n{\n\tstruct php_openssl_errors *errors;\n\tint error_code = ERR_get_error();\n\n\tif (!error_code) {\n\t\treturn;\n\t}\n\n\tif (!OPENSSL_G(errors)) {\n\t\tOPENSSL_G(errors) = pecalloc(1, sizeof(struct php_openssl_errors), 1);\n\t}\n\n\terrors = OPENSSL_G(errors);\n\n\tdo {\n\t\terrors->top = (errors->top + 1) % ERR_NUM_ERRORS;\n\t\tif (errors->top == errors->bottom) {\n\t\t\terrors->bottom = (errors->bottom + 1) % ERR_NUM_ERRORS;\n\t\t}\n\t\terrors->buffer[errors->top] = error_code;\n\t} while ((error_code = ERR_get_error()));\n\n}", "project": "php-src", "hash": 86827123441030923436854542505399311001, "size": 24, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291393 }, { "func": "static void tvDecRefRange(TypedValue* begin, TypedValue* end) {\n assertx(begin <= end);\n for (auto tv = begin; tv != end; ++tv) {\n tvDecRefGen(tv);\n }\n}", "project": "hhvm", "hash": 37391326031733830578846846853416699467, "size": 6, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: 
D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227291 }, { "func": "\nstatic int io_req_defer(struct io_kiocb *req)\n{\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tstruct io_defer_entry *de;\n\tint ret;\n\tu32 seq;\n\n\t/* Still need defer if there is pending req in defer list. */\n\tif (likely(list_empty_careful(&ctx->defer_list) &&\n\t\t!(req->flags & REQ_F_IO_DRAIN)))\n\t\treturn 0;\n\n\tseq = io_get_sequence(req);\n\t/* Still a chance to pass the sequence check */\n\tif (!req_need_defer(req, seq) && list_empty_careful(&ctx->defer_list))\n\t\treturn 0;\n\n\tret = io_req_prep_async(req);\n\tif (ret)\n\t\treturn ret;\n\tio_prep_async_link(req);\n\tde = kmalloc(sizeof(*de), GFP_KERNEL);\n\tif (!de)\n\t\treturn -ENOMEM;\n\n\tspin_lock_irq(&ctx->completion_lock);\n\tif (!req_need_defer(req, seq) && list_empty(&ctx->defer_list)) {\n\t\tspin_unlock_irq(&ctx->completion_lock);\n\t\tkfree(de);\n\t\tio_queue_async_work(req);\n\t\treturn -EIOCBQUEUED;\n\t}\n\n\ttrace_io_uring_defer(ctx, req, req->user_data);\n\tde->req = req;\n\tde->seq = seq;\n\tlist_add_tail(&de->list, &ctx->defer_list);\n\tspin_unlock_irq(&ctx->completion_lock);\n\treturn -EIOCBQUEUED;", "project": "linux", "hash": 240012646033559216002070725711460019838, "size": 40, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338543 }, { "func": "static inline void tcp_unlink_write_queue(struct sk_buff *skb, struct sock *sk)\n{\n\t__skb_unlink(skb, &sk->sk_write_queue);\n}", "project": "linux", "hash": 190822674715962639671535263240755393275, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. 
For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410734 }, { "func": "static ssize_t objs_per_slab_show(struct kmem_cache *s, char *buf)\n{\n\treturn sprintf(buf, \"%u\\n\", oo_objects(s->oo));\n}", "project": "linux", "hash": 141255851254876667081794175426814808091, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280188 }, { "func": "static void cliprdr_write_unlock_clipdata(wStream* s,\n const CLIPRDR_UNLOCK_CLIPBOARD_DATA* unlockClipboardData)\n{\n\tcliprdr_write_lock_unlock_clipdata(s, unlockClipboardData->clipDataId);\n}", "project": "FreeRDP", "hash": 38691301595662716437539716170160044349, "size": 5, "commit_id": "b73143cf7ee5fe4cdabcbf56908aa15d8a883821", "message": "Fixed oob read in cliprdr_read_format_list", "target": 0, "dataset": "other", "idx": 388316 }, { "func": "void CSoundFile::NoteSlide(ModChannel *pChn, uint32 param, bool slideUp, bool retrig) const\n{\n\tuint8 x, y;\n\tif(m_SongFlags[SONG_FIRSTTICK])\n\t{\n\t\tx = param & 0xF0;\n\t\tif (x)\n\t\t\tpChn->nNoteSlideSpeed = (x >> 4);\n\t\ty = param & 0x0F;\n\t\tif (y)\n\t\t\tpChn->nNoteSlideStep = y;\n\t\tpChn->nNoteSlideCounter = pChn->nNoteSlideSpeed;\n\t} else\n\t{\n\t\tif (--pChn->nNoteSlideCounter == 0)\n\t\t{\n\t\t\tpChn->nNoteSlideCounter = pChn->nNoteSlideSpeed;\n\t\t\t// update it\n\t\t\tpChn->nPeriod = GetPeriodFromNote\n\t\t\t\t((slideUp ? 
1 : -1) * pChn->nNoteSlideStep + GetNoteFromPeriod(pChn->nPeriod), 8363, 0);\n\n\t\t\tif(retrig)\n\t\t\t{\n\t\t\t\tpChn->position.Set(0);\n\t\t\t}\n\t\t}\n\t}\n}", "project": "openmpt", "hash": 94500632474156691599868210585317022627, "size": 28, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255219 }, { "func": "static X509_REQ * php_openssl_csr_from_zval(zval * val, int makeresource, zend_resource **resourceval)\n{\n\tX509_REQ * csr = NULL;\n\tchar * filename = NULL;\n\tBIO * in;\n\n\tif (resourceval) {\n\t\t*resourceval = NULL;\n\t}\n\tif (Z_TYPE_P(val) == IS_RESOURCE) {\n\t\tvoid * what;\n\t\tzend_resource *res = Z_RES_P(val);\n\n\t\twhat = zend_fetch_resource(res, \"OpenSSL X.509 CSR\", le_csr);\n\t\tif (what) {\n\t\t\tif (resourceval) {\n\t\t\t\t*resourceval = res;\n\t\t\t\tif (makeresource) {\n\t\t\t\t\tZ_ADDREF_P(val);\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn (X509_REQ*)what;\n\t\t}\n\t\treturn NULL;\n\t} else if (Z_TYPE_P(val) != IS_STRING) {\n\t\treturn NULL;\n\t}\n\n\tif (Z_STRLEN_P(val) > 7 && memcmp(Z_STRVAL_P(val), \"file://\", sizeof(\"file://\") - 1) == 0) {\n\t\tfilename = Z_STRVAL_P(val) + (sizeof(\"file://\") - 1);\n\t}\n\tif (filename) {\n\t\tif (php_openssl_open_base_dir_chk(filename)) {\n\t\t\treturn NULL;\n\t\t}\n\t\tin = BIO_new_file(filename, PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));\n\t} else {\n\t\tin = BIO_new_mem_buf(Z_STRVAL_P(val), (int)Z_STRLEN_P(val));\n\t}\n\n\tif (in == NULL) {\n\t\tphp_openssl_store_errors();\n\t\treturn NULL;\n\t}\n\n\tcsr = PEM_read_bio_X509_REQ(in, NULL,NULL,NULL);\n\tif (csr == NULL) {\n\t\tphp_openssl_store_errors();\n\t}\n\n\tBIO_free(in);\n\n\treturn csr;\n}", 
"project": "php-src", "hash": 245427876122680148321975214985342635612, "size": 54, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291483 }, { "func": "void imap_error(const char *where, const char *msg)\n{\n mutt_error(\"%s [%s]\", where, msg);\n}", "project": "neomutt", "hash": 152985551808729740301723353517455271894, "size": 4, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399262 }, { "func": "HttpStateData::processReply()\n{\n\n if (flags.handling1xx) { // we came back after handling a 1xx response\n debugs(11, 5, HERE << \"done with 1xx handling\");\n flags.handling1xx = false;\n Must(!flags.headers_parsed);\n }\n\n if (!flags.headers_parsed) { // have not parsed headers yet?\n PROF_start(HttpStateData_processReplyHeader);\n processReplyHeader();\n PROF_stop(HttpStateData_processReplyHeader);\n\n if (!continueAfterParsingHeader()) // parsing error or need more data\n return; // TODO: send errors to ICAP\n\n adaptOrFinalizeReply(); // may write to, abort, or \"close\" the entry\n }\n\n // kick more reads if needed and/or process the response body, if any\n PROF_start(HttpStateData_processReplyBody);\n processReplyBody(); // may call serverComplete()\n PROF_stop(HttpStateData_processReplyBody);\n}", "project": "squid", "hash": 181343613244623172090715483769693594723, "size": 25, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with 
coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402370 }, { "func": "UnicodeString::addRef() {\n umtx_atomic_inc((u_atomic_int32_t *)fUnion.fFields.fArray - 1);\n}", "project": "icu", "hash": 55069875704393669846320797856927767706, "size": 3, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430804 }, { "func": "static void init_prb_bdqc(struct packet_sock *po,\n\t\t\tstruct packet_ring_buffer *rb,\n\t\t\tstruct pgv *pg_vec,\n\t\t\tunion tpacket_req_u *req_u)\n{\n\tstruct tpacket_kbdq_core *p1 = GET_PBDQC_FROM_RB(rb);\n\tstruct tpacket_block_desc *pbd;\n\n\tmemset(p1, 0x0, sizeof(*p1));\n\n\tp1->knxt_seq_num = 1;\n\tp1->pkbdq = pg_vec;\n\tpbd = (struct tpacket_block_desc *)pg_vec[0].buffer;\n\tp1->pkblk_start\t= pg_vec[0].buffer;\n\tp1->kblk_size = req_u->req3.tp_block_size;\n\tp1->knum_blocks\t= req_u->req3.tp_block_nr;\n\tp1->hdrlen = po->tp_hdrlen;\n\tp1->version = po->tp_version;\n\tp1->last_kactive_blk_num = 0;\n\tpo->stats.stats3.tp_freeze_q_cnt = 0;\n\tif (req_u->req3.tp_retire_blk_tov)\n\t\tp1->retire_blk_tov = req_u->req3.tp_retire_blk_tov;\n\telse\n\t\tp1->retire_blk_tov = prb_calc_retire_blk_tmo(po,\n\t\t\t\t\t\treq_u->req3.tp_block_size);\n\tp1->tov_in_jiffies = msecs_to_jiffies(p1->retire_blk_tov);\n\tp1->blk_sizeof_priv = req_u->req3.tp_sizeof_priv;\n\trwlock_init(&p1->blk_fill_in_prog_lock);\n\n\tp1->max_frame_len = p1->kblk_size - BLK_PLUS_PRIV(p1->blk_sizeof_priv);\n\tprb_init_ft_ops(p1, 
req_u);\n\tprb_setup_retire_blk_timer(po);\n\tprb_open_block(p1, pbd);\n}", "project": "linux", "hash": 84204198632406848388968884850304531921, "size": 34, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330376 }, { "func": "static void fuse_sync_writes(struct inode *inode)\n{\n\tfuse_set_nowrite(inode);\n\tfuse_release_nowrite(inode);\n}", "project": "linux", "hash": 310649068061049188248440248598387177219, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342146 }, { "func": "static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_cp_le_set_ext_adv_enable *cp;\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tif (cp->enable) {\n\t\tstruct hci_conn *conn;\n\n\t\thci_dev_set_flag(hdev, HCI_LE_ADV);\n\n\t\tconn = hci_lookup_le_connect(hdev);\n\t\tif (conn)\n\t\t\tqueue_delayed_work(hdev->workqueue,\n\t\t\t\t\t &conn->le_conn_timeout,\n\t\t\t\t\t conn->conn_timeout);\n\t} else {\n\t\thci_dev_clear_flag(hdev, HCI_LE_ADV);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 59046636794371888691930255688449153560, "size": 33, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432036 }, { "func": "\nstatic void bfq_add_request(struct request *rq)\n{\n\tstruct bfq_queue *bfqq = RQ_BFQQ(rq);\n\tstruct bfq_data *bfqd = bfqq->bfqd;\n\tstruct request *next_rq, *prev;\n\tunsigned int old_wr_coeff = bfqq->wr_coeff;\n\tbool interactive = false;\n\n\tbfq_log_bfqq(bfqd, bfqq, \"add_request %d\", rq_is_sync(rq));\n\tbfqq->queued[rq_is_sync(rq)]++;\n\tbfqd->queued++;\n\n\tif (RB_EMPTY_ROOT(&bfqq->sort_list) && bfq_bfqq_sync(bfqq)) {\n\t\t/*\n\t\t * Detect whether bfqq's I/O seems synchronized with\n\t\t * that of some other queue, i.e., whether bfqq, after\n\t\t * remaining empty, happens to receive new I/O only\n\t\t * right after some I/O request of the other queue has\n\t\t * been completed. We call waker queue the other\n\t\t * queue, and we assume, for simplicity, that bfqq may\n\t\t * have at most one waker queue.\n\t\t *\n\t\t * A remarkable throughput boost can be reached by\n\t\t * unconditionally injecting the I/O of the waker\n\t\t * queue, every time a new bfq_dispatch_request\n\t\t * happens to be invoked while I/O is being plugged\n\t\t * for bfqq. In addition to boosting throughput, this\n\t\t * unblocks bfqq's I/O, thereby improving bandwidth\n\t\t * and latency for bfqq. Note that these same results\n\t\t * may be achieved with the general injection\n\t\t * mechanism, but less effectively. 
For details on\n\t\t * this aspect, see the comments on the choice of the\n\t\t * queue for injection in bfq_select_queue().\n\t\t *\n\t\t * Turning back to the detection of a waker queue, a\n\t\t * queue Q is deemed as a waker queue for bfqq if, for\n\t\t * two consecutive times, bfqq happens to become non\n\t\t * empty right after a request of Q has been\n\t\t * completed. In particular, on the first time, Q is\n\t\t * tentatively set as a candidate waker queue, while\n\t\t * on the second time, the flag\n\t\t * bfq_bfqq_has_waker(bfqq) is set to confirm that Q\n\t\t * is a waker queue for bfqq. These detection steps\n\t\t * are performed only if bfqq has a long think time,\n\t\t * so as to make it more likely that bfqq's I/O is\n\t\t * actually being blocked by a synchronization. This\n\t\t * last filter, plus the above two-times requirement,\n\t\t * make false positives less likely.\n\t\t *\n\t\t * NOTE\n\t\t *\n\t\t * The sooner a waker queue is detected, the sooner\n\t\t * throughput can be boosted by injecting I/O from the\n\t\t * waker queue. Fortunately, detection is likely to be\n\t\t * actually fast, for the following reasons. While\n\t\t * blocked by synchronization, bfqq has a long think\n\t\t * time. This implies that bfqq's inject limit is at\n\t\t * least equal to 1 (see the comments in\n\t\t * bfq_update_inject_limit()). So, thanks to\n\t\t * injection, the waker queue is likely to be served\n\t\t * during the very first I/O-plugging time interval\n\t\t * for bfqq. This triggers the first step of the\n\t\t * detection mechanism. 
Thanks again to injection, the\n\t\t * candidate waker queue is then likely to be\n\t\t * confirmed no later than during the next\n\t\t * I/O-plugging interval for bfqq.\n\t\t */\n\t\tif (bfqd->last_completed_rq_bfqq &&\n\t\t !bfq_bfqq_has_short_ttime(bfqq) &&\n\t\t ktime_get_ns() - bfqd->last_completion <\n\t\t 200 * NSEC_PER_USEC) {\n\t\t\tif (bfqd->last_completed_rq_bfqq != bfqq &&\n\t\t\t bfqd->last_completed_rq_bfqq !=\n\t\t\t bfqq->waker_bfqq) {\n\t\t\t\t/*\n\t\t\t\t * First synchronization detected with\n\t\t\t\t * a candidate waker queue, or with a\n\t\t\t\t * different candidate waker queue\n\t\t\t\t * from the current one.\n\t\t\t\t */\n\t\t\t\tbfqq->waker_bfqq = bfqd->last_completed_rq_bfqq;\n\n\t\t\t\t/*\n\t\t\t\t * If the waker queue disappears, then\n\t\t\t\t * bfqq->waker_bfqq must be reset. To\n\t\t\t\t * this goal, we maintain in each\n\t\t\t\t * waker queue a list, woken_list, of\n\t\t\t\t * all the queues that reference the\n\t\t\t\t * waker queue through their\n\t\t\t\t * waker_bfqq pointer. 
When the waker\n\t\t\t\t * queue exits, the waker_bfqq pointer\n\t\t\t\t * of all the queues in the woken_list\n\t\t\t\t * is reset.\n\t\t\t\t *\n\t\t\t\t * In addition, if bfqq is already in\n\t\t\t\t * the woken_list of a waker queue,\n\t\t\t\t * then, before being inserted into\n\t\t\t\t * the woken_list of a new waker\n\t\t\t\t * queue, bfqq must be removed from\n\t\t\t\t * the woken_list of the old waker\n\t\t\t\t * queue.\n\t\t\t\t */\n\t\t\t\tif (!hlist_unhashed(&bfqq->woken_list_node))\n\t\t\t\t\thlist_del_init(&bfqq->woken_list_node);\n\t\t\t\thlist_add_head(&bfqq->woken_list_node,\n\t\t\t\t &bfqd->last_completed_rq_bfqq->woken_list);\n\n\t\t\t\tbfq_clear_bfqq_has_waker(bfqq);\n\t\t\t} else if (bfqd->last_completed_rq_bfqq ==\n\t\t\t\t bfqq->waker_bfqq &&\n\t\t\t\t !bfq_bfqq_has_waker(bfqq)) {\n\t\t\t\t/*\n\t\t\t\t * synchronization with waker_bfqq\n\t\t\t\t * seen for the second time\n\t\t\t\t */\n\t\t\t\tbfq_mark_bfqq_has_waker(bfqq);\n\t\t\t}\n\t\t}\n\n\t\t/*\n\t\t * Periodically reset inject limit, to make sure that\n\t\t * the latter eventually drops in case workload\n\t\t * changes, see step (3) in the comments on\n\t\t * bfq_update_inject_limit().\n\t\t */\n\t\tif (time_is_before_eq_jiffies(bfqq->decrease_time_jif +\n\t\t\t\t\t msecs_to_jiffies(1000)))\n\t\t\tbfq_reset_inject_limit(bfqd, bfqq);\n\n\t\t/*\n\t\t * The following conditions must hold to setup a new\n\t\t * sampling of total service time, and then a new\n\t\t * update of the inject limit:\n\t\t * - bfqq is in service, because the total service\n\t\t * time is evaluated only for the I/O requests of\n\t\t * the queues in service;\n\t\t * - this is the right occasion to compute or to\n\t\t * lower the baseline total service time, because\n\t\t * there are actually no requests in the drive,\n\t\t * or\n\t\t * the baseline total service time is available, and\n\t\t * this is the right occasion to compute the other\n\t\t * quantity needed to update the inject limit, i.e.,\n\t\t * the total 
service time caused by the amount of\n\t\t * injection allowed by the current value of the\n\t\t * limit. It is the right occasion because injection\n\t\t * has actually been performed during the service\n\t\t * hole, and there are still in-flight requests,\n\t\t * which are very likely to be exactly the injected\n\t\t * requests, or part of them;\n\t\t * - the minimum interval for sampling the total\n\t\t * service time and updating the inject limit has\n\t\t * elapsed.\n\t\t */\n\t\tif (bfqq == bfqd->in_service_queue &&\n\t\t (bfqd->rq_in_driver == 0 ||\n\t\t (bfqq->last_serv_time_ns > 0 &&\n\t\t bfqd->rqs_injected && bfqd->rq_in_driver > 0)) &&\n\t\t time_is_before_eq_jiffies(bfqq->decrease_time_jif +\n\t\t\t\t\t msecs_to_jiffies(10))) {\n\t\t\tbfqd->last_empty_occupied_ns = ktime_get_ns();\n\t\t\t/*\n\t\t\t * Start the state machine for measuring the\n\t\t\t * total service time of rq: setting\n\t\t\t * wait_dispatch will cause bfqd->waited_rq to\n\t\t\t * be set when rq will be dispatched.\n\t\t\t */\n\t\t\tbfqd->wait_dispatch = true;\n\t\t\t/*\n\t\t\t * If there is no I/O in service in the drive,\n\t\t\t * then possible injection occurred before the\n\t\t\t * arrival of rq will not affect the total\n\t\t\t * service time of rq. So the injection limit\n\t\t\t * must not be updated as a function of such\n\t\t\t * total service time, unless new injection\n\t\t\t * occurs before rq is completed. 
To have the\n\t\t\t * injection limit updated only in the latter\n\t\t\t * case, reset rqs_injected here (rqs_injected\n\t\t\t * will be set in case injection is performed\n\t\t\t * on bfqq before rq is completed).\n\t\t\t */\n\t\t\tif (bfqd->rq_in_driver == 0)\n\t\t\t\tbfqd->rqs_injected = false;\n\t\t}\n\t}\n\n\telv_rb_add(&bfqq->sort_list, rq);\n\n\t/*\n\t * Check if this request is a better next-serve candidate.\n\t */\n\tprev = bfqq->next_rq;\n\tnext_rq = bfq_choose_req(bfqd, bfqq->next_rq, rq, bfqd->last_position);\n\tbfqq->next_rq = next_rq;\n\n\t/*\n\t * Adjust priority tree position, if next_rq changes.\n\t * See comments on bfq_pos_tree_add_move() for the unlikely().\n\t */\n\tif (unlikely(!bfqd->nonrot_with_queueing && prev != bfqq->next_rq))\n\t\tbfq_pos_tree_add_move(bfqd, bfqq);\n\n\tif (!bfq_bfqq_busy(bfqq)) /* switching to busy ... */\n\t\tbfq_bfqq_handle_idle_busy_switch(bfqd, bfqq, old_wr_coeff,\n\t\t\t\t\t\t rq, &interactive);\n\telse {\n\t\tif (bfqd->low_latency && old_wr_coeff == 1 && !rq_is_sync(rq) &&\n\t\t time_is_before_jiffies(\n\t\t\t\tbfqq->last_wr_start_finish +\n\t\t\t\tbfqd->bfq_wr_min_inter_arr_async)) {\n\t\t\tbfqq->wr_coeff = bfqd->bfq_wr_coeff;\n\t\t\tbfqq->wr_cur_max_time = bfq_wr_duration(bfqd);\n\n\t\t\tbfqd->wr_busy_queues++;\n\t\t\tbfqq->entity.prio_changed = 1;\n\t\t}\n\t\tif (prev != bfqq->next_rq)\n\t\t\tbfq_updated_next_req(bfqd, bfqq);\n\t}\n\n\t/*\n\t * Assign jiffies to last_wr_start_finish in the following\n\t * cases:\n\t *\n\t * . if bfqq is not going to be weight-raised, because, for\n\t * non weight-raised queues, last_wr_start_finish stores the\n\t * arrival time of the last request; as of now, this piece\n\t * of information is used only for deciding whether to\n\t * weight-raise async queues\n\t *\n\t * . if bfqq is not weight-raised, because, if bfqq is now\n\t * switching to weight-raised, then last_wr_start_finish\n\t * stores the time when weight-raising starts\n\t *\n\t * . 
if bfqq is interactive, because, regardless of whether\n\t * bfqq is currently weight-raised, the weight-raising\n\t * period must start or restart (this case is considered\n\t * separately because it is not detected by the above\n\t * conditions, if bfqq is already weight-raised)\n\t *\n\t * last_wr_start_finish has to be updated also if bfqq is soft\n\t * real-time, because the weight-raising period is constantly\n\t * restarted on idle-to-busy transitions for these queues, but\n\t * this is already done in bfq_bfqq_handle_idle_busy_switch if\n\t * needed.\n\t */\n\tif (bfqd->low_latency &&\n\t\t(old_wr_coeff == 1 || bfqq->wr_coeff == 1 || interactive))\n\t\tbfqq->last_wr_start_finish = jiffies;", "project": "linux", "hash": 162153084901737492399247047545546360818, "size": 250, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453295 }, { "func": "static int nfs4_open_recover(struct nfs4_opendata *opendata, struct nfs4_state *state)\n{\n\tint ret;\n\n\t/* memory barrier prior to reading state->n_* */\n\tsmp_rmb();\n\tret = nfs4_open_recover_helper(opendata, FMODE_READ|FMODE_WRITE);\n\tif (ret != 0)\n\t\treturn ret;\n\tret = nfs4_open_recover_helper(opendata, FMODE_WRITE);\n\tif (ret != 0)\n\t\treturn ret;\n\tret = nfs4_open_recover_helper(opendata, FMODE_READ);\n\tif (ret != 0)\n\t\treturn ret;\n\t/*\n\t * We may have performed cached opens for all three recoveries.\n\t * Check if we need to update the current stateid.\n\t */\n\tif (test_bit(NFS_DELEGATED_STATE, &state->flags) == 0 &&\n\t !nfs4_stateid_match(&state->stateid, &state->open_stateid)) {\n\t\twrite_seqlock(&state->seqlock);\n\t\tif (test_bit(NFS_DELEGATED_STATE, &state->flags) == 0)\n\t\t\tnfs4_stateid_copy(&state->stateid, 
&state->open_stateid);\n\t\twrite_sequnlock(&state->seqlock);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 257932162284368924822379855041080276424, "size": 28, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431457 }, { "func": "void CSoundFile::FinePortamentoUp(ModChannel *pChn, ModCommand::PARAM param) const\n{\n\tif(GetType() == MOD_TYPE_XM)\n\t{\n\t\t// FT2 compatibility: E1x / E2x / X1x / X2x memory is not linked\n\t\t// Test case: Porta-LinkMem.xm\n\t\tif(param) pChn->nOldFinePortaUpDown = (pChn->nOldFinePortaUpDown & 0x0F) | (param << 4); else param = (pChn->nOldFinePortaUpDown >> 4);\n\t} else if(GetType() == MOD_TYPE_MT2)\n\t{\n\t\tif(param) pChn->nOldFinePortaUpDown = param; else param = pChn->nOldFinePortaUpDown;\n\t}\n\n\tif(pChn->isFirstTick)\n\t{\n\t\tif ((pChn->nPeriod) && (param))\n\t\t{\n\t\t\tif(m_SongFlags[SONG_LINEARSLIDES] && GetType() != MOD_TYPE_XM)\n\t\t\t{\n\t\t\t\tconst auto oldPeriod = pChn->nPeriod;\n\t\t\t\tpChn->nPeriod = Util::muldivr(pChn->nPeriod, GetLinearSlideUpTable(this, param & 0x0F), 65536);\n\t\t\t\tif(oldPeriod == pChn->nPeriod)\n\t\t\t\t{\n\t\t\t\t\tif(m_playBehaviour[kHertzInLinearMode] && pChn->nPeriod < Util::MaxValueOfType(pChn->nPeriod))\n\t\t\t\t\t\tpChn->nPeriod++;\n\t\t\t\t\telse if(!m_playBehaviour[kHertzInLinearMode] && pChn->nPeriod > 1)\n\t\t\t\t\t\tpChn->nPeriod--;\n\t\t\t\t}\n\t\t\t} else\n\t\t\t{\n\t\t\t\tpChn->nPeriod -= (int)(param * 4);\n\t\t\t\tif (pChn->nPeriod < 1)\n\t\t\t\t{\n\t\t\t\t\tpChn->nPeriod = 1;\n\t\t\t\t\tif(GetType() == 
MOD_TYPE_S3M)\n\t\t\t\t\t{\n\t\t\t\t\t\tpChn->nFadeOutVol = 0;\n\t\t\t\t\t\tpChn->dwFlags.set(CHN_NOTEFADE | CHN_FASTVOLRAMP);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}", "project": "openmpt", "hash": 308620185653042794959843252687411895100, "size": 43, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255195 }, { "func": "uint64 FastTensorProtoHash(const TensorProto& tp) {\n if (TensorByteSize(tp) > kMaxAttrValueTensorByteSize) {\n return DeterministicProtoHash64(tp);\n } else {\n return TensorProtoHash(tp);\n }\n}", "project": "tensorflow", "hash": 308655384053363011992965831360690068418, "size": 7, "commit_id": "c2426bba00a01de6913738df8fa78e0215fcce02", "message": "Use `PartialTensorShape` instead of `TensorShape`.\n\n`TensorShape` constructor throws a CHECK-fail if shape is partial/overflows which the other doesn't. We are only determining the number of elements in the shape and partial shape should be used as it returns negative number when needed.\n\nPiperOrigin-RevId: 409205384\nChange-Id: Ia56542ff9ec758f2c9ffc7e4dcc9fa7eecd86e7b", "target": 0, "dataset": "other", "idx": 223138 }, { "func": "void numa_default_policy(void)\n{\n\tdo_set_mempolicy(MPOL_DEFAULT, 0, NULL);\n}", "project": "linux", "hash": 141896239059915238986767534276091412147, "size": 4, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366718 }, { "func": "void tipc_node_broadcast(struct net *net, struct sk_buff *skb, int rc_dests)\n{\n\tstruct sk_buff_head xmitq;\n\tstruct sk_buff *txskb;\n\tstruct tipc_node *n;\n\tu16 dummy;\n\tu32 dst;\n\n\t/* Use broadcast if all nodes support it */\n\tif (!rc_dests && tipc_bcast_get_mode(net) != BCLINK_MODE_RCAST) {\n\t\t__skb_queue_head_init(&xmitq);\n\t\t__skb_queue_tail(&xmitq, skb);\n\t\ttipc_bcast_xmit(net, &xmitq, &dummy);\n\t\treturn;\n\t}\n\n\t/* Otherwise use legacy replicast method */\n\trcu_read_lock();\n\tlist_for_each_entry_rcu(n, tipc_nodes(net), list) {\n\t\tdst = n->addr;\n\t\tif (in_own_node(net, dst))\n\t\t\tcontinue;\n\t\tif (!node_is_up(n))\n\t\t\tcontinue;\n\t\ttxskb = pskb_copy(skb, GFP_ATOMIC);\n\t\tif (!txskb)\n\t\t\tbreak;\n\t\tmsg_set_destnode(buf_msg(txskb), dst);\n\t\ttipc_node_xmit_skb(net, txskb, dst, 0);\n\t}\n\trcu_read_unlock();\n\tkfree_skb(skb);\n}", "project": "linux", "hash": 240313117716637606636664913849120561142, "size": 33, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious 
ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 
74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: 
syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364936 }, { "func": "CString CClient::GetFullName() const {\n if (!m_pUser) return GetRemoteIP();\n CString sFullName = m_pUser->GetUsername();\n if (!m_sIdentifier.empty()) sFullName += \"@\" + m_sIdentifier;\n if (m_pNetwork) sFullName += \"/\" + m_pNetwork->GetName();\n return sFullName;\n}", "project": "znc", "hash": 245018869446521753342473722176160025808, "size": 7, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231585 }, { "func": "kvm_pfn_t kvm_vcpu_gfn_to_pfn(struct kvm_vcpu *vcpu, gfn_t gfn)\n{\n\treturn gfn_to_pfn_memslot(kvm_vcpu_gfn_to_memslot(vcpu, gfn), gfn);\n}", "project": "linux", "hash": 214856710676217161620088674912661836755, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354702 }, { "func": "static int lookup_umount_fs_by_mountinfo(struct libmnt_context *cxt, const char *tgt)\n{\n\tstruct libmnt_fs *fs = NULL;\n\tint rc;\n\n\tassert(cxt);\n\tassert(cxt->fs);\n\n\tDBG(CXT, ul_debugobj(cxt, \" lookup by mountinfo\"));\n\n\t/* search */\n\trc = __mtab_find_umount_fs(cxt, tgt, &fs);\n\tif (rc != 0)\n\t\treturn rc;\n\n\t/* apply result */\n\tif (fs != cxt->fs) 
{\n\t\tmnt_fs_set_source(cxt->fs, NULL);\n\t\tmnt_fs_set_target(cxt->fs, NULL);\n\n\t\tif (!mnt_copy_fs(cxt->fs, fs)) {\n\t\t\tDBG(CXT, ul_debugobj(cxt, \" failed to copy FS\"));\n\t\t\treturn -errno;\n\t\t}\n\t\tDBG(CXT, ul_debugobj(cxt, \" mtab applied\"));\n\t}\n\n\tcxt->flags |= MNT_FL_TAB_APPLIED;\n\treturn 0;\n}", "project": "util-linux", "hash": 61479788189084856039782035758785030566, "size": 30, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410397 }, { "func": "static void tipc_node_bc_rcv(struct net *net, struct sk_buff *skb, int bearer_id)\n{\n\tint rc;\n\tstruct sk_buff_head xmitq;\n\tstruct tipc_bclink_entry *be;\n\tstruct tipc_link_entry *le;\n\tstruct tipc_msg *hdr = buf_msg(skb);\n\tint usr = msg_user(hdr);\n\tu32 dnode = msg_destnode(hdr);\n\tstruct tipc_node *n;\n\n\t__skb_queue_head_init(&xmitq);\n\n\t/* If NACK for other node, let rcv link for that node peek into it */\n\tif ((usr == BCAST_PROTOCOL) && (dnode != tipc_own_addr(net)))\n\t\tn = tipc_node_find(net, dnode);\n\telse\n\t\tn = tipc_node_find(net, msg_prevnode(hdr));\n\tif (!n) {\n\t\tkfree_skb(skb);\n\t\treturn;\n\t}\n\tbe = &n->bc_entry;\n\tle = &n->links[bearer_id];\n\n\trc = tipc_bcast_rcv(net, be->link, skb);\n\n\t/* Broadcast ACKs are sent on a unicast link */\n\tif (rc & TIPC_LINK_SND_STATE) {\n\t\ttipc_node_read_lock(n);\n\t\ttipc_link_build_state_msg(le->link, &xmitq);\n\t\ttipc_node_read_unlock(n);\n\t}\n\n\tif (!skb_queue_empty(&xmitq))\n\t\ttipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr, n);\n\n\tif (!skb_queue_empty(&be->inputq1))\n\t\ttipc_node_mcast_rcv(n);\n\n\t/* Handle NAME_DISTRIBUTOR messages sent from 1.7 nodes */\n\tif (!skb_queue_empty(&n->bc_entry.namedq))\n\t\ttipc_named_rcv(net, &n->bc_entry.namedq,\n\t\t\t 
&n->bc_entry.named_rcv_nxt,\n\t\t\t &n->bc_entry.named_open);\n\n\t/* If reassembly or retransmission failure => reset all links to peer */\n\tif (rc & TIPC_LINK_DOWN_EVT)\n\t\ttipc_node_reset_links(n);\n\n\ttipc_node_put(n);\n}", "project": "linux", "hash": 217853972928646022383585563676728226396, "size": 52, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n 
__sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg 
net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364925 }, { "func": "static unsigned long ecryptfs_get_zeroed_pages(gfp_t gfp_mask,\n\t\t\t\t\t unsigned int order)\n{\n\tstruct page *page;\n\n\tpage = alloc_pages(gfp_mask | __GFP_ZERO, order);\n\tif (page)\n\t\treturn (unsigned long) page_address(page);\n\treturn 0;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 259163028708462752931707737861439187763, "size": 10, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. 
This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490192 }, { "func": "void ethereum_signing_abort(void) {\n if (ethereum_signing) {\n memzero(privkey, sizeof(privkey));\n layoutHome();\n ethereum_signing = false;\n }\n}", "project": "keepkey-firmware", "hash": 36542358002639338201372787835324702544, "size": 7, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220890 }, { "func": "static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size,\n int parse_extradata)\n{\n AVCodecContext *const avctx = h->avctx;\n H264Context *hx; ///< thread context\n int buf_index;\n int context_count;\n int next_avc;\n int pass = !(avctx->active_thread_type & FF_THREAD_FRAME);\n int nals_needed = 0; ///< number of NALs that need decoding before the next frame thread starts\n int nal_index;\n int idr_cleared=0;\n int first_slice = 0;\n int ret = 0;\n\n h->nal_unit_type= 0;\n\n if(!h->slice_context_count)\n h->slice_context_count= 1;\n h->max_contexts = h->slice_context_count;\n if (!(avctx->flags2 & CODEC_FLAG2_CHUNKS)) {\n h->current_slice = 0;\n if (!h->first_field)\n h->cur_pic_ptr = NULL;\n ff_h264_reset_sei(h);\n }\n\n if (h->nal_length_size == 4) 
{\n if (buf_size > 8 && AV_RB32(buf) == 1 && AV_RB32(buf+5) > (unsigned)buf_size) {\n h->is_avc = 0;\n }else if(buf_size > 3 && AV_RB32(buf) > 1 && AV_RB32(buf) <= (unsigned)buf_size)\n h->is_avc = 1;\n }\n\n for (; pass <= 1; pass++) {\n buf_index = 0;\n context_count = 0;\n next_avc = h->is_avc ? 0 : buf_size;\n nal_index = 0;\n for (;;) {\n int consumed;\n int dst_length;\n int bit_length;\n const uint8_t *ptr;\n int i, nalsize = 0;\n int err;\n\n if (buf_index >= next_avc) {\n if (buf_index >= buf_size - h->nal_length_size)\n break;\n nalsize = 0;\n for (i = 0; i < h->nal_length_size; i++)\n nalsize = (nalsize << 8) | buf[buf_index++];\n if (nalsize <= 0 || nalsize > buf_size - buf_index) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"AVC: nal size %d\\n\", nalsize);\n break;\n }\n next_avc = buf_index + nalsize;\n } else {\n // start code prefix search\n for (; buf_index + 3 < next_avc; buf_index++)\n // This should always succeed in the first iteration.\n if (buf[buf_index] == 0 &&\n buf[buf_index + 1] == 0 &&\n buf[buf_index + 2] == 1)\n break;\n\n if (buf_index + 3 >= buf_size) {\n buf_index = buf_size;\n break;\n }\n\n buf_index += 3;\n if (buf_index >= next_avc)\n continue;\n }\n\n hx = h->thread_context[context_count];\n\n ptr = ff_h264_decode_nal(hx, buf + buf_index, &dst_length,\n &consumed, next_avc - buf_index);\n if (ptr == NULL || dst_length < 0) {\n ret = -1;\n goto end;\n }\n i = buf_index + consumed;\n if ((h->workaround_bugs & FF_BUG_AUTODETECT) && i + 3 < next_avc &&\n buf[i] == 0x00 && buf[i + 1] == 0x00 &&\n buf[i + 2] == 0x01 && buf[i + 3] == 0xE0)\n h->workaround_bugs |= FF_BUG_TRUNCATED;\n\n if (!(h->workaround_bugs & FF_BUG_TRUNCATED))\n while (dst_length > 0 && ptr[dst_length - 1] == 0)\n dst_length--;\n bit_length = !dst_length ? 
0\n : (8 * dst_length -\n decode_rbsp_trailing(h, ptr + dst_length - 1));\n\n if (h->avctx->debug & FF_DEBUG_STARTCODE)\n av_log(h->avctx, AV_LOG_DEBUG,\n \"NAL %d/%d at %d/%d length %d pass %d\\n\",\n hx->nal_unit_type, hx->nal_ref_idc, buf_index, buf_size, dst_length, pass);\n\n if (h->is_avc && (nalsize != consumed) && nalsize)\n av_log(h->avctx, AV_LOG_DEBUG,\n \"AVC: Consumed only %d bytes instead of %d\\n\",\n consumed, nalsize);\n\n buf_index += consumed;\n nal_index++;\n\n if (pass == 0) {\n /* packets can sometimes contain multiple PPS/SPS,\n * e.g. two PAFF field pictures in one packet, or a demuxer\n * which splits NALs strangely if so, when frame threading we\n * can't start the next thread until we've read all of them */\n switch (hx->nal_unit_type) {\n case NAL_SPS:\n case NAL_PPS:\n nals_needed = nal_index;\n break;\n case NAL_DPA:\n case NAL_IDR_SLICE:\n case NAL_SLICE:\n init_get_bits(&hx->gb, ptr, bit_length);\n if (!get_ue_golomb(&hx->gb) || !first_slice)\n nals_needed = nal_index;\n if (!first_slice)\n first_slice = hx->nal_unit_type;\n }\n continue;\n }\n\n if (!first_slice)\n switch (hx->nal_unit_type) {\n case NAL_DPA:\n case NAL_IDR_SLICE:\n case NAL_SLICE:\n first_slice = hx->nal_unit_type;\n }\n\n if (avctx->skip_frame >= AVDISCARD_NONREF &&\n h->nal_ref_idc == 0 &&\n h->nal_unit_type != NAL_SEI)\n continue;\n\nagain:\n if ( !(avctx->active_thread_type & FF_THREAD_FRAME)\n || nals_needed >= nal_index)\n h->au_pps_id = -1;\n /* Ignore per frame NAL unit type during extradata\n * parsing. 
Decoding slices is not possible in codec init\n * with frame-mt */\n if (parse_extradata) {\n switch (hx->nal_unit_type) {\n case NAL_IDR_SLICE:\n case NAL_SLICE:\n case NAL_DPA:\n case NAL_DPB:\n case NAL_DPC:\n av_log(h->avctx, AV_LOG_WARNING,\n \"Ignoring NAL %d in global header/extradata\\n\",\n hx->nal_unit_type);\n // fall through to next case\n case NAL_AUXILIARY_SLICE:\n hx->nal_unit_type = NAL_FF_IGNORE;\n }\n }\n\n err = 0;\n\n switch (hx->nal_unit_type) {\n case NAL_IDR_SLICE:\n if (first_slice != NAL_IDR_SLICE) {\n av_log(h->avctx, AV_LOG_ERROR,\n \"Invalid mix of idr and non-idr slices\\n\");\n ret = -1;\n goto end;\n }\n if(!idr_cleared)\n idr(h); // FIXME ensure we don't lose some frames if there is reordering\n idr_cleared = 1;\n case NAL_SLICE:\n init_get_bits(&hx->gb, ptr, bit_length);\n hx->intra_gb_ptr =\n hx->inter_gb_ptr = &hx->gb;\n hx->data_partitioning = 0;\n\n if ((err = decode_slice_header(hx, h)))\n break;\n\n if (h->sei_recovery_frame_cnt >= 0) {\n if (h->frame_num != h->sei_recovery_frame_cnt || hx->slice_type_nos != AV_PICTURE_TYPE_I)\n h->valid_recovery_point = 1;\n\n if ( h->recovery_frame < 0\n || ((h->recovery_frame - h->frame_num) & ((1 << h->sps.log2_max_frame_num)-1)) > h->sei_recovery_frame_cnt) {\n h->recovery_frame = (h->frame_num + h->sei_recovery_frame_cnt) &\n ((1 << h->sps.log2_max_frame_num) - 1);\n\n if (!h->valid_recovery_point)\n h->recovery_frame = h->frame_num;\n }\n }\n\n h->cur_pic_ptr->f.key_frame |=\n (hx->nal_unit_type == NAL_IDR_SLICE);\n\n if (hx->nal_unit_type == NAL_IDR_SLICE ||\n h->recovery_frame == h->frame_num) {\n h->recovery_frame = -1;\n h->cur_pic_ptr->recovered = 1;\n }\n // If we have an IDR, all frames after it in decoded order are\n // \"recovered\".\n if (hx->nal_unit_type == NAL_IDR_SLICE)\n h->frame_recovered |= FRAME_RECOVERED_IDR;\n h->frame_recovered |= 3*!!(avctx->flags2 & CODEC_FLAG2_SHOW_ALL);\n h->frame_recovered |= 3*!!(avctx->flags & CODEC_FLAG_OUTPUT_CORRUPT);\n#if 1\n 
h->cur_pic_ptr->recovered |= h->frame_recovered;\n#else\n h->cur_pic_ptr->recovered |= !!(h->frame_recovered & FRAME_RECOVERED_IDR);\n#endif\n\n if (h->current_slice == 1) {\n if (!(avctx->flags2 & CODEC_FLAG2_CHUNKS))\n decode_postinit(h, nal_index >= nals_needed);\n\n if (h->avctx->hwaccel &&\n (ret = h->avctx->hwaccel->start_frame(h->avctx, NULL, 0)) < 0)\n return ret;\n if (CONFIG_H264_VDPAU_DECODER &&\n h->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU)\n ff_vdpau_h264_picture_start(h);\n }\n\n if (hx->redundant_pic_count == 0 &&\n (avctx->skip_frame < AVDISCARD_NONREF ||\n hx->nal_ref_idc) &&\n (avctx->skip_frame < AVDISCARD_BIDIR ||\n hx->slice_type_nos != AV_PICTURE_TYPE_B) &&\n (avctx->skip_frame < AVDISCARD_NONKEY ||\n hx->slice_type_nos == AV_PICTURE_TYPE_I) &&\n avctx->skip_frame < AVDISCARD_ALL) {\n if (avctx->hwaccel) {\n ret = avctx->hwaccel->decode_slice(avctx,\n &buf[buf_index - consumed],\n consumed);\n if (ret < 0)\n return ret;\n } else if (CONFIG_H264_VDPAU_DECODER &&\n h->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU) {\n ff_vdpau_add_data_chunk(h->cur_pic_ptr->f.data[0],\n start_code,\n sizeof(start_code));\n ff_vdpau_add_data_chunk(h->cur_pic_ptr->f.data[0],\n &buf[buf_index - consumed],\n consumed);\n } else\n context_count++;\n }\n break;\n case NAL_DPA:\n init_get_bits(&hx->gb, ptr, bit_length);\n hx->intra_gb_ptr =\n hx->inter_gb_ptr = NULL;\n\n if ((err = decode_slice_header(hx, h)) < 0) {\n /* make sure data_partitioning is cleared if it was set\n * before, so we don't try decoding a slice without a valid\n * slice header later */\n h->data_partitioning = 0;\n break;\n }\n\n hx->data_partitioning = 1;\n break;\n case NAL_DPB:\n init_get_bits(&hx->intra_gb, ptr, bit_length);\n hx->intra_gb_ptr = &hx->intra_gb;\n break;\n case NAL_DPC:\n init_get_bits(&hx->inter_gb, ptr, bit_length);\n hx->inter_gb_ptr = &hx->inter_gb;\n\n av_log(h->avctx, AV_LOG_ERROR, \"Partitioned H.264 support is incomplete\\n\");\n break;\n\n if 
(hx->redundant_pic_count == 0 &&\n hx->intra_gb_ptr &&\n hx->data_partitioning &&\n h->cur_pic_ptr && h->context_initialized &&\n (avctx->skip_frame < AVDISCARD_NONREF || hx->nal_ref_idc) &&\n (avctx->skip_frame < AVDISCARD_BIDIR ||\n hx->slice_type_nos != AV_PICTURE_TYPE_B) &&\n (avctx->skip_frame < AVDISCARD_NONKEY ||\n hx->slice_type_nos == AV_PICTURE_TYPE_I) &&\n avctx->skip_frame < AVDISCARD_ALL)\n context_count++;\n break;\n case NAL_SEI:\n init_get_bits(&h->gb, ptr, bit_length);\n ff_h264_decode_sei(h);\n break;\n case NAL_SPS:\n init_get_bits(&h->gb, ptr, bit_length);\n if (ff_h264_decode_seq_parameter_set(h) < 0 && (h->is_avc ? nalsize : 1)) {\n av_log(h->avctx, AV_LOG_DEBUG,\n \"SPS decoding failure, trying again with the complete NAL\\n\");\n if (h->is_avc)\n av_assert0(next_avc - buf_index + consumed == nalsize);\n if ((next_avc - buf_index + consumed - 1) >= INT_MAX/8)\n break;\n init_get_bits(&h->gb, &buf[buf_index + 1 - consumed],\n 8*(next_avc - buf_index + consumed - 1));\n ff_h264_decode_seq_parameter_set(h);\n }\n\n break;\n case NAL_PPS:\n init_get_bits(&h->gb, ptr, bit_length);\n ff_h264_decode_picture_parameter_set(h, bit_length);\n break;\n case NAL_AUD:\n case NAL_END_SEQUENCE:\n case NAL_END_STREAM:\n case NAL_FILLER_DATA:\n case NAL_SPS_EXT:\n case NAL_AUXILIARY_SLICE:\n break;\n case NAL_FF_IGNORE:\n break;\n default:\n av_log(avctx, AV_LOG_DEBUG, \"Unknown NAL code: %d (%d bits)\\n\",\n hx->nal_unit_type, bit_length);\n }\n\n if (context_count == h->max_contexts) {\n execute_decode_slices(h, context_count);\n context_count = 0;\n }\n\n if (err < 0) {\n av_log(h->avctx, AV_LOG_ERROR, \"decode_slice_header error\\n\");\n h->ref_count[0] = h->ref_count[1] = h->list_count = 0;\n } else if (err == 1) {\n /* Slice could not be decoded in parallel mode, copy down\n * NAL unit stuff to context 0 and restart. Note that\n * rbsp_buffer is not transferred, but since we no longer\n * run in parallel mode this should not be an issue. 
*/\n h->nal_unit_type = hx->nal_unit_type;\n h->nal_ref_idc = hx->nal_ref_idc;\n hx = h;\n goto again;\n }\n }\n }\n if (context_count)\n execute_decode_slices(h, context_count);\n\nend:\n /* clean up */\n if (h->cur_pic_ptr && !h->droppable) {\n ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX,\n h->picture_structure == PICT_BOTTOM_FIELD);\n }\n\n return (ret < 0) ? ret : buf_index;\n}", "project": "FFmpeg", "hash": 145591785258243330045267440778819677539, "size": 371, "commit_id": "8a3b85f3a7952c54a2c36ba1797f7e0cde9f85aa", "message": "avcodec/h264: update current_sps & sps->new only after the whole slice header decoder and init code finished\n\nThis avoids them being cleared before the full initialization finished\n\nFixes out of array read\nFixes: asan_heap-oob_f0c5e6_7071_cov_1605985132_mov_h264_aac__Demo_FlagOfOurFathers.mov\nFound-by: Mateusz \"j00ru\" Jurczyk and Gynvael Coldwind\nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 270131 }, { "func": "v8::Local WebContents::GetOwnerBrowserWindow() const {\n if (owner_window())\n return BrowserWindow::From(isolate(), owner_window());\n else\n return v8::Null(isolate());\n}", "project": "electron", "hash": 171298972511747116557704786671045502356, "size": 6, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269750 }, { "func": "void __hci_req_update_scan(struct hci_request *req)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tu8 scan;\n\n\tif (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))\n\t\treturn;\n\n\tif (!hdev_is_powered(hdev))\n\t\treturn;\n\n\tif 
(mgmt_powering_down(hdev))\n\t\treturn;\n\n\tif (hdev->scanning_paused)\n\t\treturn;\n\n\tif (hci_dev_test_flag(hdev, HCI_CONNECTABLE) ||\n\t disconnected_whitelist_entries(hdev))\n\t\tscan = SCAN_PAGE;\n\telse\n\t\tscan = SCAN_DISABLED;\n\n\tif (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))\n\t\tscan |= SCAN_INQUIRY;\n\n\tif (test_bit(HCI_PSCAN, &hdev->flags) == !!(scan & SCAN_PAGE) &&\n\t test_bit(HCI_ISCAN, &hdev->flags) == !!(scan & SCAN_INQUIRY))\n\t\treturn;\n\n\thci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);\n}", "project": "linux", "hash": 294285262482885895253893694193421307887, "size": 32, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402527 }, { "func": " virtual table_map all_used_tables() const { return used_tables(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 251639310822259959762714967803821739205, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509168 }, { "func": "static void update_sdb(RCore *core) {\n\tSdb *d;\n\tRBinObject *o;\n\tif (!core) {\n\t\treturn;\n\t}\n\t//SDB// anal/\n\tif (core->anal && core->anal->sdb) {\n\t\tsdb_ns_set (DB, \"anal\", core->anal->sdb);\n\t}\n\t//SDB// bin/\n\tif (core->bin && core->bin->sdb) {\n\t\tsdb_ns_set (DB, \"bin\", core->bin->sdb);\n\t}\n\t//SDB// bin/info\n\to = r_bin_cur_object (core->bin);\n\tif (o) {\n\t\tsdb_ns_set (sdb_ns (DB, \"bin\", 1), \"info\", o->kv);\n\t}\n\t//sdb_ns_set (core->sdb, \"flags\", core->flags->sdb);\n\t//sdb_ns_set (core->sdb, \"bin\", core->bin->sdb);\n\t//SDB// syscall/\n\tif (core->assembler && core->assembler->syscall && core->assembler->syscall->db) {\n\t\tcore->assembler->syscall->db->refs++;\n\t\tsdb_ns_set (DB, \"syscall\", core->assembler->syscall->db);\n\t}\n\td = sdb_ns (DB, \"debug\", 1);\n\tif (core->dbg->sgnls) {\n\t\tcore->dbg->sgnls->refs++;\n\t\tsdb_ns_set (d, \"signals\", core->dbg->sgnls);\n\t}\n}", "project": "radare2", "hash": 303436359925665344672951531741905708258, "size": 32, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232149 }, { "func": "\treturn 0;\n}\n\nvoid iscsi_host_for_each_session(struct Scsi_Host *shost,\n\t\t\t\t void (*fn)(struct iscsi_cls_session *))\n{", "project": "linux", "hash": 166345410314649586480600086939823159965, "size": 6, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols 
\nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379904 }, { "func": "Variant sockopen_impl(const HostURL &hosturl, Variant& errnum,\n Variant& errstr, double timeout, bool persistent,\n const Variant& context) {\n errnum = 0;\n errstr = empty_string();\n std::string key;\n if (persistent) {\n key = hosturl.getHostURL() + \":\" +\n folly::to(hosturl.getPort());\n\n // Check our persistent storage and determine if it's an SSLSocket\n // or just a regular socket.\n auto sockItr = s_sockets->find(key);\n if (sockItr != s_sockets->end()) {\n req::ptr sock;\n if (auto sslSocketData =\n std::dynamic_pointer_cast(sockItr->second)) {\n sock = req::make(sslSocketData);\n } else {\n sock = req::make(sockItr->second);\n }\n\n if (sock->getError() == 0 && sock->checkLiveness()) {\n return Variant(sock);\n }\n\n // socket had an error earlier, we need to close it, remove it from\n // persistent storage, and create a new one (in that order)\n sock->close();\n s_sockets->erase(sockItr);\n }\n }\n\n if (timeout < 0) {\n timeout = RequestInfo::s_requestInfo.getNoCheck()->\n m_reqInjectionData.getSocketDefaultTimeout();\n }\n\n\n req::ptr streamctx;\n if (context.isResource()) {\n streamctx = cast(context.toResource());\n }\n auto socket = new_socket_connect(hosturl, timeout, streamctx, errnum, errstr);\n if (!socket.isResource()) {\n return false;\n }\n\n if (persistent) {\n assertx(!key.empty());\n (*s_sockets)[key] = cast(socket)->getData();\n assertx((*s_sockets)[key]);\n }\n\n return socket;\n}", "project": "hhvm", "hash": 93814684363720155155824937192641780735, "size": 56, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219307 }, { "func": "static int __kvm_ucontrol_vcpu_init(struct kvm_vcpu *vcpu)\n{\n\tvcpu->arch.gmap = 
gmap_create(current->mm, -1UL);\n\tif (!vcpu->arch.gmap)\n\t\treturn -ENOMEM;\n\tvcpu->arch.gmap->private = vcpu->kvm;\n\n\treturn 0;\n}", "project": "linux", "hash": 319507774568355581701856530001646979413, "size": 9, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354786 }, { "func": "static inline void tcp_set_ca_state(struct sock *sk, const u8 ca_state)\n{\n\tstruct inet_connection_sock *icsk = inet_csk(sk);\n\n\tif (icsk->icsk_ca_ops->set_state)\n\t\ticsk->icsk_ca_ops->set_state(sk, ca_state);\n\ticsk->icsk_ca_state = ca_state;\n}", "project": "linux", "hash": 38589085445959530295091395001244519788, "size": 8, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. 
For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410794 }, { "func": "static inline void fuse_page_descs_length_init(struct fuse_page_desc *descs,\n\t\t\t\t\t unsigned int index,\n\t\t\t\t\t unsigned int nr_pages)\n{\n\tint i;\n\n\tfor (i = index; i < index + nr_pages; i++)\n\t\tdescs[i].length = PAGE_SIZE - descs[i].offset;\n}", "project": "linux", "hash": 194460512338418824472931697800734323426, "size": 9, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342055 }, { "func": "void input_unregister_handler(struct input_handler *handler)\n{\n\tstruct input_handle *handle, *next;\n\n\tmutex_lock(&input_mutex);\n\n\tlist_for_each_entry_safe(handle, next, &handler->h_list, h_node)\n\t\thandler->disconnect(handle);\n\tWARN_ON(!list_empty(&handler->h_list));\n\n\tlist_del_init(&handler->node);\n\n\tinput_wakeup_procfs_readers();\n\n\tmutex_unlock(&input_mutex);\n}", "project": "linux", "hash": 33990801478137199341870869951513559465, "size": 16, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353312 }, { "func": "bool checkreturn pb_decode_tag(pb_istream_t *stream, pb_wire_type_t *wire_type, uint32_t *tag, bool *eof)\n{\n uint32_t temp;\n *eof = false;\n *wire_type = (pb_wire_type_t) 0;\n *tag = 0;\n \n if (!pb_decode_varint32_eof(stream, &temp, eof))\n {\n return false;\n }\n \n if (temp == 0)\n {\n *eof = true; /* Special feature: allow 0-terminated messages. 
*/\n return false;\n }\n \n *tag = temp >> 3;\n *wire_type = (pb_wire_type_t)(temp & 7);\n return true;\n}", "project": "nanopb", "hash": 103774425679645039787946438618618480630, "size": 22, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252500 }, { "func": "bool checkreturn pb_decode_tag(pb_istream_t *stream, pb_wire_type_t *wire_type, uint32_t *tag, bool *eof)\n{\n uint32_t temp;\n *eof = false;\n *wire_type = (pb_wire_type_t) 0;\n *tag = 0;\n \n if (!pb_decode_varint32(stream, &temp))\n {\n if (stream->bytes_left == 0)\n *eof = true;\n\n return false;\n }\n \n if (temp == 0)\n {\n *eof = true; /* Special feature: allow 0-terminated messages. */\n return false;\n }\n \n *tag = temp >> 3;\n *wire_type = (pb_wire_type_t)(temp & 7);\n return true;\n}", "project": "nanopb", "hash": 170342111089157683498513043313598536297, "size": 25, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255320 }, { "func": "static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg,\n\t\toidc_session_t *session, apr_byte_t *needs_save) {\n\n\tapr_byte_t rv = FALSE;\n\n\toidc_debug(r, \"enter\");\n\n\t/* set the user in the main request for further (incl. 
sub-request) processing */\n\tr->user = apr_pstrdup(r->pool, session->remote_user);\n\toidc_debug(r, \"set remote_user to \\\"%s\\\"\", r->user);\n\n\t/* get the header name in which the remote user name needs to be passed */\n\tchar *authn_header = oidc_cfg_dir_authn_header(r);\n\tapr_byte_t pass_headers = oidc_cfg_dir_pass_info_in_headers(r);\n\tapr_byte_t pass_envvars = oidc_cfg_dir_pass_info_in_envvars(r);\n\tapr_byte_t pass_base64url = oidc_cfg_dir_pass_info_base64url(r);\n\n\t/* verify current cookie domain against issued cookie domain */\n\tif (oidc_check_cookie_domain(r, cfg, session) == FALSE)\n\t\treturn HTTP_UNAUTHORIZED;\n\n\t/* check if the maximum session duration was exceeded */\n\tint rc = oidc_check_max_session_duration(r, cfg, session);\n\tif (rc != OK)\n\t\treturn rc;\n\n\t/* if needed, refresh the access token */\n\trv = oidc_refresh_access_token_before_expiry(r, cfg, session,\n\t\t\toidc_cfg_dir_refresh_access_token_before_expiry(r),\n\t\t\toidc_cfg_dir_logout_on_error_refresh(r));\n\n\tif (rv == OIDC_REFRESH_ERROR) {\n\t\t*needs_save = FALSE;\n\t\treturn oidc_handle_logout_request(r, cfg, session, cfg->default_slo_url);\n\t}\n\n\t*needs_save |= rv;\n\n\t/* if needed, refresh claims from the user info endpoint */\n\tif (oidc_refresh_claims_from_userinfo_endpoint(r, cfg, session) == TRUE)\n\t\t*needs_save = TRUE;\n\n\t/*\n\t * we're going to pass the information that we have to the application,\n\t * but first we need to scrub the headers that we're going to use for security reasons\n\t */\n\toidc_scrub_headers(r);\n\n\t/* set the user authentication HTTP header if set and required */\n\tif ((r->user != NULL) && (authn_header != NULL))\n\t\toidc_util_hdr_in_set(r, authn_header, r->user);\n\n\tconst char *s_claims = NULL;\n\tconst char *s_id_token = NULL;\n\n\t/* copy id_token and claims from session to request state and obtain their values */\n\toidc_copy_tokens_to_request_state(r, session, &s_id_token, &s_claims);\n\n\tif 
((cfg->pass_userinfo_as & OIDC_PASS_USERINFO_AS_CLAIMS)) {\n\t\t/* set the userinfo claims in the app headers */\n\t\tif (oidc_set_app_claims(r, cfg, session, s_claims) == FALSE)\n\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\tif ((cfg->pass_userinfo_as & OIDC_PASS_USERINFO_AS_JSON_OBJECT)) {\n\t\t/* pass the userinfo JSON object to the app in a header or environment variable */\n\t\toidc_util_set_app_info(r, OIDC_APP_INFO_USERINFO_JSON, s_claims,\n\t\t\t\tOIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars, pass_base64url);\n\t}\n\n\tif ((cfg->pass_userinfo_as & OIDC_PASS_USERINFO_AS_JWT)) {\n\t\tif (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) {\n\t\t\t/* get the compact serialized JWT from the session */\n\t\t\tconst char *s_userinfo_jwt = oidc_session_get_userinfo_jwt(r,\n\t\t\t\t\tsession);\n\t\t\tif (s_userinfo_jwt != NULL) {\n\t\t\t\t/* pass the compact serialized JWT to the app in a header or environment variable */\n\t\t\t\toidc_util_set_app_info(r, OIDC_APP_INFO_USERINFO_JWT,\n\t\t\t\t\t\ts_userinfo_jwt,\n\t\t\t\t\t\tOIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars,\n\t\t\t\t\t\tpass_base64url);\n\t\t\t} else {\n\t\t\t\toidc_debug(r,\n\t\t\t\t\t\t\"configured to pass userinfo in a JWT, but no such JWT was found in the session (probably no such JWT was returned from the userinfo endpoint)\");\n\t\t\t}\n\t\t} else {\n\t\t\toidc_error(r,\n\t\t\t\t\t\"session type \\\"client-cookie\\\" does not allow storing/passing a userinfo JWT; use \\\"\" OIDCSessionType \" server-cache\\\" for that\");\n\t\t}\n\t}\n\n\tif ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_CLAIMS)) {\n\t\t/* set the id_token in the app headers */\n\t\tif (oidc_set_app_claims(r, cfg, session, s_id_token) == FALSE)\n\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\tif ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_PAYLOAD)) {\n\t\t/* pass the id_token JSON object to the app in a header or environment variable */\n\t\toidc_util_set_app_info(r, OIDC_APP_INFO_ID_TOKEN_PAYLOAD, 
s_id_token,\n\t\t\t\tOIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars, pass_base64url);\n\t}\n\n\tif ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_SERIALIZED)) {\n\t\tif (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) {\n\t\t\t/* get the compact serialized JWT from the session */\n\t\t\tconst char *s_id_token = oidc_session_get_idtoken(r, session);\n\t\t\t/* pass the compact serialized JWT to the app in a header or environment variable */\n\t\t\toidc_util_set_app_info(r, OIDC_APP_INFO_ID_TOKEN, s_id_token,\n\t\t\t\t\tOIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars,\n\t\t\t\t\tpass_base64url);\n\t\t} else {\n\t\t\toidc_error(r,\n\t\t\t\t\t\"session type \\\"client-cookie\\\" does not allow storing/passing the id_token; use \\\"\" OIDCSessionType \" server-cache\\\" for that\");\n\t\t}\n\t}\n\n\t/* pass the at, rt and at expiry to the application, possibly update the session expiry */\n\tif (oidc_session_pass_tokens(r, cfg, session, needs_save) == FALSE)\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\n\t/* return \"user authenticated\" status */\n\treturn OK;\n}", "project": "mod_auth_openidc", "hash": 56056935304978636903433197488508390259, "size": 124, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381908 }, { "func": "static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg,\n\t\toidc_session_t *session) {\n\n\toidc_debug(r, \"enter\");\n\n\t/* track if the session needs to be updated/saved into the cache */\n\tapr_byte_t needs_save = FALSE;\n\n\t/* set the user in the main request for further (incl. 
sub-request) processing */\n\tr->user = apr_pstrdup(r->pool, session->remote_user);\n\toidc_debug(r, \"set remote_user to \\\"%s\\\"\", r->user);\n\n\t/* get the header name in which the remote user name needs to be passed */\n\tchar *authn_header = oidc_cfg_dir_authn_header(r);\n\tapr_byte_t pass_headers = oidc_cfg_dir_pass_info_in_headers(r);\n\tapr_byte_t pass_envvars = oidc_cfg_dir_pass_info_in_envvars(r);\n\n\t/* verify current cookie domain against issued cookie domain */\n\tif (oidc_check_cookie_domain(r, cfg, session) == FALSE)\n\t\treturn HTTP_UNAUTHORIZED;\n\n\t/* check if the maximum session duration was exceeded */\n\tint rc = oidc_check_max_session_duration(r, cfg, session);\n\tif (rc != OK)\n\t\treturn rc;\n\n\t/* if needed, refresh the access token */\n\tneeds_save = oidc_refresh_access_token_before_expiry(r, cfg, session,\n\t\t\toidc_cfg_dir_refresh_access_token_before_expiry(r),\n\t\t\toidc_cfg_dir_logout_on_error_refresh(r));\n\tif (needs_save == ERROR)\n\t\treturn oidc_handle_logout_request(r, cfg, session, cfg->default_slo_url);\n\n\t/* if needed, refresh claims from the user info endpoint */\n\tif (oidc_refresh_claims_from_userinfo_endpoint(r, cfg, session) == TRUE)\n\t\tneeds_save = TRUE;\n\n\t/*\n\t * we're going to pass the information that we have to the application,\n\t * but first we need to scrub the headers that we're going to use for security reasons\n\t */\n\toidc_scrub_headers(r);\n\n\t/* set the user authentication HTTP header if set and required */\n\tif ((r->user != NULL) && (authn_header != NULL))\n\t\toidc_util_hdr_in_set(r, authn_header, r->user);\n\n\tconst char *s_claims = NULL;\n\tconst char *s_id_token = NULL;\n\n\t/* copy id_token and claims from session to request state and obtain their values */\n\toidc_copy_tokens_to_request_state(r, session, &s_id_token, &s_claims);\n\n\tif ((cfg->pass_userinfo_as & OIDC_PASS_USERINFO_AS_CLAIMS)) {\n\t\t/* set the userinfo claims in the app headers */\n\t\tif (oidc_set_app_claims(r, 
cfg, session, s_claims) == FALSE)\n\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\tif ((cfg->pass_userinfo_as & OIDC_PASS_USERINFO_AS_JSON_OBJECT)) {\n\t\t/* pass the userinfo JSON object to the app in a header or environment variable */\n\t\toidc_util_set_app_info(r, OIDC_APP_INFO_USERINFO_JSON, s_claims,\n\t\t\t\tOIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars);\n\t}\n\n\tif ((cfg->pass_userinfo_as & OIDC_PASS_USERINFO_AS_JWT)) {\n\t\tif (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) {\n\t\t\t/* get the compact serialized JWT from the session */\n\t\t\tconst char *s_userinfo_jwt = oidc_session_get_userinfo_jwt(r,\n\t\t\t\t\tsession);\n\t\t\tif (s_userinfo_jwt != NULL) {\n\t\t\t\t/* pass the compact serialized JWT to the app in a header or environment variable */\n\t\t\t\toidc_util_set_app_info(r, OIDC_APP_INFO_USERINFO_JWT,\n\t\t\t\t\t\ts_userinfo_jwt,\n\t\t\t\t\t\tOIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars);\n\t\t\t} else {\n\t\t\t\toidc_debug(r,\n\t\t\t\t\t\t\"configured to pass userinfo in a JWT, but no such JWT was found in the session (probably no such JWT was returned from the userinfo endpoint)\");\n\t\t\t}\n\t\t} else {\n\t\t\toidc_error(r,\n\t\t\t\t\t\"session type \\\"client-cookie\\\" does not allow storing/passing a userinfo JWT; use \\\"\" OIDCSessionType \" server-cache\\\" for that\");\n\t\t}\n\t}\n\n\tif ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_CLAIMS)) {\n\t\t/* set the id_token in the app headers */\n\t\tif (oidc_set_app_claims(r, cfg, session, s_id_token) == FALSE)\n\t\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\tif ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_PAYLOAD)) {\n\t\t/* pass the id_token JSON object to the app in a header or environment variable */\n\t\toidc_util_set_app_info(r, OIDC_APP_INFO_ID_TOKEN_PAYLOAD, s_id_token,\n\t\t\t\tOIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars);\n\t}\n\n\tif ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_SERIALIZED)) {\n\t\tif (cfg->session_type != 
OIDC_SESSION_TYPE_CLIENT_COOKIE) {\n\t\t\t/* get the compact serialized JWT from the session */\n\t\t\tconst char *s_id_token = oidc_session_get_idtoken(r, session);\n\t\t\t/* pass the compact serialized JWT to the app in a header or environment variable */\n\t\t\toidc_util_set_app_info(r, OIDC_APP_INFO_ID_TOKEN, s_id_token,\n\t\t\t\t\tOIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars);\n\t\t} else {\n\t\t\toidc_error(r,\n\t\t\t\t\t\"session type \\\"client-cookie\\\" does not allow storing/passing the id_token; use \\\"\" OIDCSessionType \" server-cache\\\" for that\");\n\t\t}\n\t}\n\n\t/* pass the at, rt and at expiry to the application, possibly update the session expiry and save the session */\n\tif (oidc_session_pass_tokens_and_save(r, cfg, session, needs_save) == FALSE)\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\n\t/* return \"user authenticated\" status */\n\treturn OK;\n}", "project": "mod_auth_openidc", "hash": 239799040167659207475115349156172383893, "size": 117, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447679 }, { "func": "static bool disconnected_whitelist_entries(struct hci_dev *hdev)\n{\n\tstruct bdaddr_list *b;\n\n\tlist_for_each_entry(b, &hdev->whitelist, list) {\n\t\tstruct hci_conn *conn;\n\n\t\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &b->bdaddr);\n\t\tif (!conn)\n\t\t\treturn true;\n\n\t\tif (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}", "project": "linux", "hash": 258985222302500877615811262257234159164, "size": 17, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402576 }, { "func": "void recalc_sigpending(void)\n{\n\tif (!recalc_sigpending_tsk(current) && !freezing(current) &&\n\t !klp_patch_pending(current))\n\t\tclear_thread_flag(TIF_SIGPENDING);\n\n}", "project": "linux", "hash": 231537487190961794194193542864246236419, "size": 7, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. 
Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375231 }, { "func": "static bool adv_use_rpa(struct hci_dev *hdev, uint32_t flags)\n{\n\t/* If privacy is not enabled don't use RPA */\n\tif (!hci_dev_test_flag(hdev, HCI_PRIVACY))\n\t\treturn false;\n\n\t/* If basic privacy mode is enabled use RPA */\n\tif (!hci_dev_test_flag(hdev, HCI_LIMITED_PRIVACY))\n\t\treturn true;\n\n\t/* If limited privacy mode is enabled don't use RPA if we're\n\t * both discoverable and bondable.\n\t */\n\tif ((flags & MGMT_ADV_FLAG_DISCOV) &&\n\t hci_dev_test_flag(hdev, HCI_BONDABLE))\n\t\treturn false;\n\n\t/* We're neither bondable nor discoverable in the limited\n\t * privacy mode, therefore use RPA.\n\t */\n\treturn true;\n}", "project": "linux", "hash": 170980695871559814552332639056078430759, "size": 22, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402564 }, { "func": "static int kvm_arch_vcpu_ioctl_get_one_reg(struct kvm_vcpu *vcpu,\n\t\t\t\t\t struct kvm_one_reg *reg)\n{\n\tint r = -EINVAL;\n\n\tswitch (reg->id) {\n\tcase KVM_REG_S390_TODPR:\n\t\tr = put_user(vcpu->arch.sie_block->todpr,\n\t\t\t (u32 __user *)reg->addr);\n\t\tbreak;\n\tcase KVM_REG_S390_EPOCHDIFF:\n\t\tr = put_user(vcpu->arch.sie_block->epoch,\n\t\t\t (u64 __user *)reg->addr);\n\t\tbreak;\n\tcase KVM_REG_S390_CPU_TIMER:\n\t\tr = put_user(kvm_s390_get_cpu_timer(vcpu),\n\t\t\t (u64 __user *)reg->addr);\n\t\tbreak;\n\tcase KVM_REG_S390_CLOCK_COMP:\n\t\tr = put_user(vcpu->arch.sie_block->ckc,\n\t\t\t (u64 __user *)reg->addr);\n\t\tbreak;\n\tcase KVM_REG_S390_PFTOKEN:\n\t\tr = put_user(vcpu->arch.pfault_token,\n\t\t\t (u64 __user *)reg->addr);\n\t\tbreak;\n\tcase KVM_REG_S390_PFCOMPARE:\n\t\tr = put_user(vcpu->arch.pfault_compare,\n\t\t\t (u64 __user *)reg->addr);\n\t\tbreak;\n\tcase KVM_REG_S390_PFSELECT:\n\t\tr = put_user(vcpu->arch.pfault_select,\n\t\t\t (u64 __user *)reg->addr);\n\t\tbreak;\n\tcase KVM_REG_S390_PP:\n\t\tr = put_user(vcpu->arch.sie_block->pp,\n\t\t\t (u64 __user *)reg->addr);\n\t\tbreak;\n\tcase KVM_REG_S390_GBEA:\n\t\tr = put_user(vcpu->arch.sie_block->gbea,\n\t\t\t (u64 __user *)reg->addr);\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\n\treturn r;\n}", "project": "linux", "hash": 189141960913066419191300627040397252272, "size": 48, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of 
s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354656 }, { "func": "static int nfs4_get_security_label(struct inode *inode, void *buf,\n\t\t\t\t\tsize_t buflen)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\n\tif (!nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL))\n\t\treturn -EOPNOTSUPP;\n\n\tdo {\n\t\terr = _nfs4_get_security_label(inode, buf, buflen);\n\t\ttrace_nfs4_get_security_label(inode, err);\n\t\terr = nfs4_handle_exception(NFS_SERVER(inode), err,\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 118295425589927244965425202275428290424, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431379 }, { "func": "static int parse_exthdrs(struct sk_buff *skb, const struct sadb_msg *hdr, void **ext_hdrs)\n{\n\tconst char *p = (char *) hdr;\n\tint len = skb->len;\n\n\tlen -= sizeof(*hdr);\n\tp += sizeof(*hdr);\n\twhile (len > 0) {\n\t\tconst struct sadb_ext *ehdr = (const struct sadb_ext *) p;\n\t\tuint16_t ext_type;\n\t\tint ext_len;\n\n\t\tif (len < sizeof(*ehdr))\n\t\t\treturn -EINVAL;\n\n\t\text_len = ehdr->sadb_ext_len;\n\t\text_len *= sizeof(uint64_t);\n\t\text_type = ehdr->sadb_ext_type;\n\t\tif (ext_len < 
sizeof(uint64_t) ||\n\t\t ext_len > len ||\n\t\t ext_type == SADB_EXT_RESERVED)\n\t\t\treturn -EINVAL;\n\n\t\tif (ext_type <= SADB_EXT_MAX) {\n\t\t\tint min = (int) sadb_ext_min_len[ext_type];\n\t\t\tif (ext_len < min)\n\t\t\t\treturn -EINVAL;\n\t\t\tif (ext_hdrs[ext_type-1] != NULL)\n\t\t\t\treturn -EINVAL;\n\t\t\tswitch (ext_type) {\n\t\t\tcase SADB_EXT_ADDRESS_SRC:\n\t\t\tcase SADB_EXT_ADDRESS_DST:\n\t\t\tcase SADB_EXT_ADDRESS_PROXY:\n\t\t\tcase SADB_X_EXT_NAT_T_OA:\n\t\t\t\tif (verify_address_len(p))\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\tbreak;\n\t\t\tcase SADB_X_EXT_SEC_CTX:\n\t\t\t\tif (verify_sec_ctx_len(p))\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\tbreak;\n\t\t\tcase SADB_EXT_KEY_AUTH:\n\t\t\tcase SADB_EXT_KEY_ENCRYPT:\n\t\t\t\tif (verify_key_len(p))\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\text_hdrs[ext_type-1] = (void *) p;\n\t\t}\n\t\tp += ext_len;\n\t\tlen -= ext_len;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 44921802055303459157141178978727507884, "size": 57, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268077 }, { "func": "void tipc_node_get(struct tipc_node *node)\n{\n\tkref_get(&node->kref);\n}", "project": "linux", "hash": 203902851193967389756250845832057910312, "size": 4, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n 
sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 
net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364896 }, { "func": "static apr_status_t close_output(h2_stream *stream)\n{\n if (!stream->output || h2_beam_is_closed(stream->output)) {\n return APR_SUCCESS;\n }\n ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c,\n H2_STRM_MSG(stream, \"closing output\"));\n return h2_beam_leave(stream->output);\n}", "project": "httpd", "hash": 70468956939533744840370806453007719046, "size": 9, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284242 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "void SoftwareFrameManager::EvictCurrentFrame() {\n DCHECK(HasCurrentFrame());\n DiscardCurrentFrame();\n if (client_)\n client_->ReleaseReferencesToSoftwareFrame();\n}\n", "cwe": "", "big_vul_idx": 129964, "idx": 179013, "hash": 253366365890314429466315786523407232220 }, { "func": "void 
*php_stream_xmlIO_open_wrapper(const char *filename)\n{\n\tTSRMLS_FETCH();\n\treturn php_stream_open_wrapper((char*)filename, \"rb\", ENFORCE_SAFE_MODE|REPORT_ERRORS, NULL);\n}", "project": "php-src", "hash": 316884937486201232722811306691446966893, "size": 5, "commit_id": "fcd4b5335a6df4e0676ee32e2267ca71d70fe623", "message": "Fix TSRM (after afc1debb)", "target": 0, "dataset": "other", "idx": 285592 }, { "func": "static void mpol_relative_nodemask(nodemask_t *ret, const nodemask_t *orig,\n\t\t\t\t const nodemask_t *rel)\n{\n\tnodemask_t tmp;\n\tnodes_fold(tmp, *orig, nodes_weight(*rel));\n\tnodes_onto(*ret, tmp, *rel);\n}", "project": "linux", "hash": 306588558255873009685457779162275749233, "size": 7, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366775 }, { "func": "static void on_state_invalid(h2_stream *stream) \n{\n if (stream->monitor && stream->monitor->on_state_invalid) {\n stream->monitor->on_state_invalid(stream->monitor->ctx, stream);\n }\n /* stream got an event/frame invalid in its state */\n ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c,\n H2_STRM_MSG(stream, \"invalid state event\")); \n switch (stream->state) {\n case H2_SS_OPEN:\n case H2_SS_RSVD_L:\n case H2_SS_RSVD_R:\n case H2_SS_CLOSED_L:\n case H2_SS_CLOSED_R:\n h2_stream_rst(stream, H2_ERR_INTERNAL_ERROR);\n break;\n default:\n break;\n }\n}", "project": "httpd", "hash": 185356688631192914620474402949022177368, "size": 20, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284244 }, { "func": "\nstatic void io_uring_try_cancel(struct files_struct *files)\n{\n\tstruct io_uring_task *tctx = current->io_uring;\n\tstruct io_tctx_node *node;\n\tunsigned long index;\n\n\txa_for_each(&tctx->xa, index, node) {\n\t\tstruct io_ring_ctx *ctx = node->ctx;\n\n\t\t/* sqpoll task will cancel all its requests 
*/\n\t\tif (!ctx->sq_data)\n\t\t\tio_uring_try_cancel_requests(ctx, current, files);\n\t}", "project": "linux", "hash": 302989284711963458532269569039644353455, "size": 14, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338721 }, { "func": "long tty_jobctrl_ioctl(struct tty_struct *tty, struct tty_struct *real_tty,\n\t\t struct file *file, unsigned int cmd, unsigned long arg)\n{\n\tvoid __user *p = (void __user *)arg;\n\n\tswitch (cmd) {\n\tcase TIOCNOTTY:\n\t\tif (current->signal->tty != tty)\n\t\t\treturn -ENOTTY;\n\t\tno_tty();\n\t\treturn 0;\n\tcase TIOCSCTTY:\n\t\treturn tiocsctty(real_tty, file, arg);\n\tcase TIOCGPGRP:\n\t\treturn tiocgpgrp(tty, real_tty, p);\n\tcase TIOCSPGRP:\n\t\treturn tiocspgrp(tty, real_tty, p);\n\tcase TIOCGSID:\n\t\treturn tiocgsid(tty, real_tty, p);\n\t}\n\treturn -ENOIOCTLCMD;\n}", "project": "linux", "hash": 267786291138939280406823901351964445246, "size": 22, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock 
(because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326053 }, { "func": "add_trace_export(struct trace_export **list, struct trace_export *export)\n{\n\trcu_assign_pointer(export->next, *list);\n\t/*\n\t * We are entering export into the list but another\n\t * CPU might be walking that list. 
We need to make sure\n\t * the export->next pointer is valid before another CPU sees\n\t * the export pointer included into the list.\n\t */\n\trcu_assign_pointer(*list, export);\n}", "project": "linux", "hash": 277186107855689858031538626418805579004, "size": 11, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445532 }, { "func": " virtual longlong val_datetime_packed()\n {\n MYSQL_TIME ltime;\n uint fuzzydate= TIME_FUZZY_DATES | TIME_INVALID_DATES;\n return get_date_with_conversion(<ime, fuzzydate) ? 0 : pack_time(<ime);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 52848687277467144955456864858081500588, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509079 }, { "func": " longlong val_datetime_packed()\n {\n if (check_null_ref())\n return 0;\n else\n return Item_direct_ref::val_datetime_packed();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 37228014945282190090226750839875673651, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509210 }, { "func": "static int tiocsetd(struct tty_struct *tty, int __user *p)\n{\n\tint disc;\n\tint ret;\n\n\tif (get_user(disc, p))\n\t\treturn -EFAULT;\n\n\tret = tty_set_ldisc(tty, disc);\n\n\treturn ret;\n}", "project": "linux", "hash": 48064641240269158455650311444421710545, "size": 12, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326006 }, { "func": "int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,\n\t\t\t int len, struct kvm_io_device *dev)\n{\n\tint i;\n\tstruct kvm_io_bus *new_bus, *bus;\n\tstruct kvm_io_range range;\n\n\tbus = kvm_get_bus(kvm, bus_idx);\n\tif (!bus)\n\t\treturn -ENOMEM;\n\n\t/* exclude ioeventfd which is limited by maximum fd */\n\tif (bus->dev_count - bus->ioeventfd_count > NR_IOBUS_DEVS - 1)\n\t\treturn -ENOSPC;\n\n\tnew_bus = kmalloc(struct_size(bus, range, bus->dev_count + 1),\n\t\t\t GFP_KERNEL_ACCOUNT);\n\tif (!new_bus)\n\t\treturn -ENOMEM;\n\n\trange = (struct kvm_io_range) {\n\t\t.addr = addr,\n\t\t.len = len,\n\t\t.dev = dev,\n\t};\n\n\tfor (i = 0; i < bus->dev_count; i++)\n\t\tif (kvm_io_bus_cmp(&bus->range[i], &range) > 0)\n\t\t\tbreak;\n\n\tmemcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));\n\tnew_bus->dev_count++;\n\tnew_bus->range[i] = range;\n\tmemcpy(new_bus->range + i + 1, bus->range + i,\n\t\t(bus->dev_count - i) * sizeof(struct kvm_io_range));\n\trcu_assign_pointer(kvm->buses[bus_idx], new_bus);\n\tsynchronize_srcu_expedited(&kvm->srcu);\n\tkfree(bus);\n\n\treturn 0;\n}", "project": "linux", "hash": 
146070929989740227421151112463951222043, "size": 41, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354545 }, { "func": "static bool io_resubmit_prep(struct io_kiocb *req)\n{\n\treturn false;\n}", "project": "linux", "hash": 287858411243302231160563745003888366028, "size": 4, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338515 }, { "func": "static bool io_resubmit_prep(struct io_kiocb *req)\n{\n\tstruct io_async_rw *rw = req->async_data;\n\n\tif (!rw)\n\t\treturn !io_req_prep_async(req);\n\t/* may have left rw->iter inconsistent on -EIOCBQUEUED */\n\tiov_iter_revert(&rw->iter, req->result - iov_iter_count(&rw->iter));\n\treturn true;\n}", "project": "linux", "hash": 298467341068417202517408943652727720768, "size": 10, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338589 }, { "func": "static bool io_resubmit_prep(struct io_kiocb *req, int error)\n{\n\tstruct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;\n\tssize_t ret = -ECANCELED;\n\tstruct iov_iter iter;\n\tint rw;\n\n\tif (error) {\n\t\tret = error;\n\t\tgoto end_req;\n\t}\n\n\tswitch (req->opcode) {\n\tcase IORING_OP_READV:\n\tcase IORING_OP_READ_FIXED:\n\tcase IORING_OP_READ:\n\t\trw = READ;\n\t\tbreak;\n\tcase IORING_OP_WRITEV:\n\tcase IORING_OP_WRITE_FIXED:\n\tcase IORING_OP_WRITE:\n\t\trw = WRITE;\n\t\tbreak;\n\tdefault:\n\t\tprintk_once(KERN_WARNING \"io_uring: bad opcode in resubmit %d\\n\",\n\t\t\t\treq->opcode);\n\t\tgoto end_req;\n\t}\n\n\tret = io_import_iovec(rw, req, &iovec, &iter, false);\n\tif (ret < 0)\n\t\tgoto end_req;\n\tret = io_setup_async_rw(req, ret, iovec, inline_vecs, &iter);\n\tif (!ret)\n\t\treturn true;\n\tkfree(iovec);\nend_req:\n\treq_set_fail_links(req);\n\tio_req_complete(req, ret);\n\treturn false;\n}", "project": "linux", "hash": 103708959240370861225517495197922310446, "size": 41, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven 
io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456916 }, { "func": "static int fuse_file_lock(struct file *file, int cmd, struct file_lock *fl)\n{\n\tstruct inode *inode = file_inode(file);\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tint err;\n\n\tif (cmd == F_CANCELLK) {\n\t\terr = 0;\n\t} else if (cmd == F_GETLK) {\n\t\tif (fc->no_lock) {\n\t\t\tposix_test_lock(file, fl);\n\t\t\terr = 0;\n\t\t} else\n\t\t\terr = fuse_getlk(file, fl);\n\t} else {\n\t\tif (fc->no_lock)\n\t\t\terr = posix_lock_file(file, fl, NULL);\n\t\telse\n\t\t\terr = fuse_setlk(file, fl, 0);\n\t}\n\treturn err;\n}", "project": "linux", "hash": 253842610108664511859569208495464847356, "size": 22, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342068 }, { "func": "static int ep_eventpoll_release(struct inode *inode, struct file *file)\n{\n\tstruct eventpoll *ep = file->private_data;\n\n\tif (ep)\n\t\tep_free(ep);\n\n\treturn 0;\n}", "project": "linux", "hash": 180927586550112406118665944644743769436, "size": 9, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336236 }, { "func": "static void ping_clients(int tile_cnt) {\n\tstatic time_t last_send = 0;\n\ttime_t now = time(NULL);\n\n\tif (rfbMaxClientWait < 20000) {\n\t\trfbMaxClientWait = 20000;\n\t\trfbLog(\"reset rfbMaxClientWait to %d msec.\\n\",\n\t\t rfbMaxClientWait);\n\t}\n\tif (tile_cnt > 0) {\n\t\tlast_send = now;\n\t} else if (tile_cnt < 0) {\n\t\t/* negative tile_cnt is -ping case */\n\t\tif (now >= last_send - tile_cnt) {\n\t\t\tmark_rect_as_modified(0, 0, 1, 1, 1);\n\t\t\tlast_send = now;\n\t\t}\n\t} else if (now - last_send > 5) {\n\t\t/* Send small heartbeat to client */\n\t\tmark_rect_as_modified(0, 0, 1, 1, 1);\n\t\tlast_send = now;\n\t}\n}", "project": "x11vnc", "hash": 233892215246269487033456575430420845482, "size": 23, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360769 }, { "func": "static void encode_release_lockowner(struct xdr_stream *xdr, const struct nfs_lowner *lowner, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_RELEASE_LOCKOWNER, decode_release_lockowner_maxsz, hdr);\n\tencode_lockowner(xdr, lowner);\n}", "project": "linux", "hash": 
51772362485028810554437093262183802543, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431011 }, { "func": "int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)\n{\n buffer_verify(buffer);\n\n if (data == NULL) {\n return -1;\n }\n\n if (buffer->used + len < len) {\n return -1;\n }\n\n if (buffer->allocated < (buffer->used + len)) {\n if(buffer->pos > 0)\n buffer_shift(buffer);\n if (realloc_buffer(buffer, buffer->used + len) < 0) {\n return -1;\n }\n }\n\n memcpy(buffer->data+buffer->used, data, len);\n buffer->used+=len;\n buffer_verify(buffer);\n return 0;\n}", "project": "libssh-mirror", "hash": 245892501454401043574922830759233496776, "size": 25, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 1, "dataset": "other", "idx": 203616 }, { "func": "int force_sig_pkuerr(void __user *addr, u32 pkey)\n{\n\tstruct kernel_siginfo info;\n\n\tclear_siginfo(&info);\n\tinfo.si_signo = SIGSEGV;\n\tinfo.si_errno = 0;\n\tinfo.si_code = SEGV_PKUERR;\n\tinfo.si_addr = addr;\n\tinfo.si_pkey = pkey;\n\treturn force_sig_info(&info);\n}", "project": "linux", "hash": 1443422852605694453397088867949969958, "size": 12, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. 
With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375274 }, { "func": "static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,\n\t\t\t\t u16 *opcode, u8 *status,\n\t\t\t\t hci_req_complete_t *req_complete,\n\t\t\t\t hci_req_complete_skb_t *req_complete_skb)\n{\n\tstruct hci_ev_cmd_complete *ev = (void *) skb->data;\n\n\t*opcode = __le16_to_cpu(ev->opcode);\n\t*status = skb->data[sizeof(*ev)];\n\n\tskb_pull(skb, sizeof(*ev));\n\n\tswitch (*opcode) {\n\tcase HCI_OP_INQUIRY_CANCEL:\n\t\thci_cc_inquiry_cancel(hdev, skb, status);\n\t\tbreak;\n\n\tcase HCI_OP_PERIODIC_INQ:\n\t\thci_cc_periodic_inq(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_EXIT_PERIODIC_INQ:\n\t\thci_cc_exit_periodic_inq(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_REMOTE_NAME_REQ_CANCEL:\n\t\thci_cc_remote_name_req_cancel(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_ROLE_DISCOVERY:\n\t\thci_cc_role_discovery(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_LINK_POLICY:\n\t\thci_cc_read_link_policy(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_LINK_POLICY:\n\t\thci_cc_write_link_policy(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_DEF_LINK_POLICY:\n\t\thci_cc_read_def_link_policy(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_DEF_LINK_POLICY:\n\t\thci_cc_write_def_link_policy(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_RESET:\n\t\thci_cc_reset(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_STORED_LINK_KEY:\n\t\thci_cc_read_stored_link_key(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_DELETE_STORED_LINK_KEY:\n\t\thci_cc_delete_stored_link_key(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_LOCAL_NAME:\n\t\thci_cc_write_local_name(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_LOCAL_NAME:\n\t\thci_cc_read_local_name(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_AUTH_ENABLE:\n\t\thci_cc_write_auth_enable(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_ENCRYPT_MODE:\n\t\thci_cc_write_encrypt_mode(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_SCAN_ENABLE:\n\t\thci_cc_write_scan_enable(hdev, 
skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_CLASS_OF_DEV:\n\t\thci_cc_read_class_of_dev(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_CLASS_OF_DEV:\n\t\thci_cc_write_class_of_dev(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_VOICE_SETTING:\n\t\thci_cc_read_voice_setting(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_VOICE_SETTING:\n\t\thci_cc_write_voice_setting(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_NUM_SUPPORTED_IAC:\n\t\thci_cc_read_num_supported_iac(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_SSP_MODE:\n\t\thci_cc_write_ssp_mode(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_SC_SUPPORT:\n\t\thci_cc_write_sc_support(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_AUTH_PAYLOAD_TO:\n\t\thci_cc_read_auth_payload_timeout(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_AUTH_PAYLOAD_TO:\n\t\thci_cc_write_auth_payload_timeout(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_LOCAL_VERSION:\n\t\thci_cc_read_local_version(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_LOCAL_COMMANDS:\n\t\thci_cc_read_local_commands(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_LOCAL_FEATURES:\n\t\thci_cc_read_local_features(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_LOCAL_EXT_FEATURES:\n\t\thci_cc_read_local_ext_features(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_BUFFER_SIZE:\n\t\thci_cc_read_buffer_size(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_BD_ADDR:\n\t\thci_cc_read_bd_addr(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_LOCAL_PAIRING_OPTS:\n\t\thci_cc_read_local_pairing_opts(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_PAGE_SCAN_ACTIVITY:\n\t\thci_cc_read_page_scan_activity(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:\n\t\thci_cc_write_page_scan_activity(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_PAGE_SCAN_TYPE:\n\t\thci_cc_read_page_scan_type(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_PAGE_SCAN_TYPE:\n\t\thci_cc_write_page_scan_type(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_DATA_BLOCK_SIZE:\n\t\thci_cc_read_data_block_size(hdev, 
skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_FLOW_CONTROL_MODE:\n\t\thci_cc_read_flow_control_mode(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_LOCAL_AMP_INFO:\n\t\thci_cc_read_local_amp_info(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_CLOCK:\n\t\thci_cc_read_clock(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_INQ_RSP_TX_POWER:\n\t\thci_cc_read_inq_rsp_tx_power(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_DEF_ERR_DATA_REPORTING:\n\t\thci_cc_read_def_err_data_reporting(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_DEF_ERR_DATA_REPORTING:\n\t\thci_cc_write_def_err_data_reporting(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_PIN_CODE_REPLY:\n\t\thci_cc_pin_code_reply(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_PIN_CODE_NEG_REPLY:\n\t\thci_cc_pin_code_neg_reply(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_LOCAL_OOB_DATA:\n\t\thci_cc_read_local_oob_data(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_LOCAL_OOB_EXT_DATA:\n\t\thci_cc_read_local_oob_ext_data(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_READ_BUFFER_SIZE:\n\t\thci_cc_le_read_buffer_size(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_READ_LOCAL_FEATURES:\n\t\thci_cc_le_read_local_features(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_READ_ADV_TX_POWER:\n\t\thci_cc_le_read_adv_tx_power(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_USER_CONFIRM_REPLY:\n\t\thci_cc_user_confirm_reply(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_USER_CONFIRM_NEG_REPLY:\n\t\thci_cc_user_confirm_neg_reply(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_USER_PASSKEY_REPLY:\n\t\thci_cc_user_passkey_reply(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_USER_PASSKEY_NEG_REPLY:\n\t\thci_cc_user_passkey_neg_reply(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_SET_RANDOM_ADDR:\n\t\thci_cc_le_set_random_addr(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_SET_ADV_ENABLE:\n\t\thci_cc_le_set_adv_enable(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_SET_SCAN_PARAM:\n\t\thci_cc_le_set_scan_param(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_SET_SCAN_ENABLE:\n\t\thci_cc_le_set_scan_enable(hdev, 
skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_READ_WHITE_LIST_SIZE:\n\t\thci_cc_le_read_white_list_size(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_CLEAR_WHITE_LIST:\n\t\thci_cc_le_clear_white_list(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_ADD_TO_WHITE_LIST:\n\t\thci_cc_le_add_to_white_list(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_DEL_FROM_WHITE_LIST:\n\t\thci_cc_le_del_from_white_list(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_READ_SUPPORTED_STATES:\n\t\thci_cc_le_read_supported_states(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_READ_DEF_DATA_LEN:\n\t\thci_cc_le_read_def_data_len(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_WRITE_DEF_DATA_LEN:\n\t\thci_cc_le_write_def_data_len(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_ADD_TO_RESOLV_LIST:\n\t\thci_cc_le_add_to_resolv_list(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_DEL_FROM_RESOLV_LIST:\n\t\thci_cc_le_del_from_resolv_list(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_CLEAR_RESOLV_LIST:\n\t\thci_cc_le_clear_resolv_list(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_READ_RESOLV_LIST_SIZE:\n\t\thci_cc_le_read_resolv_list_size(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_SET_ADDR_RESOLV_ENABLE:\n\t\thci_cc_le_set_addr_resolution_enable(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_READ_MAX_DATA_LEN:\n\t\thci_cc_le_read_max_data_len(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_LE_HOST_SUPPORTED:\n\t\thci_cc_write_le_host_supported(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_SET_ADV_PARAM:\n\t\thci_cc_set_adv_param(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_RSSI:\n\t\thci_cc_read_rssi(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_READ_TX_POWER:\n\t\thci_cc_read_tx_power(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_WRITE_SSP_DEBUG_MODE:\n\t\thci_cc_write_ssp_debug_mode(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_SET_EXT_SCAN_PARAMS:\n\t\thci_cc_le_set_ext_scan_param(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_SET_EXT_SCAN_ENABLE:\n\t\thci_cc_le_set_ext_scan_enable(hdev, skb);\n\t\tbreak;\n\n\tcase 
HCI_OP_LE_SET_DEFAULT_PHY:\n\t\thci_cc_le_set_default_phy(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS:\n\t\thci_cc_le_read_num_adv_sets(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_SET_EXT_ADV_PARAMS:\n\t\thci_cc_set_ext_adv_param(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_SET_EXT_ADV_ENABLE:\n\t\thci_cc_le_set_ext_adv_enable(hdev, skb);\n\t\tbreak;\n\n\tcase HCI_OP_LE_SET_ADV_SET_RAND_ADDR:\n\t\thci_cc_le_set_adv_set_random_addr(hdev, skb);\n\t\tbreak;\n\n\tdefault:\n\t\tBT_DBG(\"%s opcode 0x%4.4x\", hdev->name, *opcode);\n\t\tbreak;\n\t}\n\n\tif (*opcode != HCI_OP_NOP)\n\t\tcancel_delayed_work(&hdev->cmd_timer);\n\n\tif (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))\n\t\tatomic_set(&hdev->cmd_cnt, 1);\n\n\thci_req_cmd_complete(hdev, *opcode, *status, req_complete,\n\t\t\t req_complete_skb);\n\n\tif (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {\n\t\tbt_dev_err(hdev,\n\t\t\t \"unexpected event for opcode 0x%4.4x\", *opcode);\n\t\treturn;\n\t}\n\n\tif (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))\n\t\tqueue_work(hdev->workqueue, &hdev->cmd_work);\n}", "project": "linux", "hash": 132631435312758489016229423628709763479, "size": 372, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432016 }, { "func": "static char *oidc_get_state_cookie_name(request_rec *r, const char *state) {\n\treturn apr_psprintf(r->pool, \"%s%s\", OIDC_STATE_COOKIE_PREFIX, state);\n}", "project": "mod_auth_openidc", "hash": 78169052432189946232140075422045289234, "size": 3, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447677 }, { "func": "static char *oidc_make_sid_iss_unique(request_rec *r, const char *sid,\n\t\tconst char *issuer) {\n\treturn apr_psprintf(r->pool, \"%s@%s\", sid, issuer);\n}", "project": "mod_auth_openidc", "hash": 326905977568244847360955592482199413566, "size": 4, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447700 }, { "func": "static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)\n{\n\tunsigned long off = s->inuse;\t/* The end of info */\n\n\tif (s->offset)\n\t\t/* Freepointer is placed after the object. 
*/\n\t\toff += sizeof(void *);\n\n\tif (s->flags & SLAB_STORE_USER)\n\t\t/* We also have user information there */\n\t\toff += 2 * sizeof(struct track);\n\n\toff += kasan_metadata_size(s);\n\n\tif (size_from_object(s) == off)\n\t\treturn 1;\n\n\treturn check_bytes_and_report(s, page, p, \"Object padding\",\n\t\t\tp + off, POISON_INUSE, size_from_object(s) - off);\n}", "project": "linux", "hash": 284728884531132107477568690111958547768, "size": 20, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280278 }, { "func": "std::string RGWPostObj_ObjStore_S3::get_current_content_type() const\n{\n return content_type;\n}", "project": "ceph", "hash": 203925281510153338733347233634340319410, "size": 4, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281266 }, { "func": "std::string RGWFormPost::get_current_content_type() const\n{\n try {\n const auto& field = current_data_part->fields.at(\"Content-Type\");\n return field.val;\n } catch (std::out_of_range&) {\n /* NOP */;\n }\n\n return 
std::string();\n}", "project": "ceph", "hash": 233254321960688239905411422886925864858, "size": 11, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448774 }, { "func": "static void hci_cc_write_le_host_supported(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_cp_write_le_host_supported *sent;\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);\n\tif (!sent)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tif (sent->le) {\n\t\thdev->features[1][0] |= LMP_HOST_LE;\n\t\thci_dev_set_flag(hdev, HCI_LE_ENABLED);\n\t} else {\n\t\thdev->features[1][0] &= ~LMP_HOST_LE;\n\t\thci_dev_clear_flag(hdev, HCI_LE_ENABLED);\n\t\thci_dev_clear_flag(hdev, HCI_ADVERTISING);\n\t}\n\n\tif (sent->simul)\n\t\thdev->features[1][0] |= LMP_HOST_LE_BREDR;\n\telse\n\t\thdev->features[1][0] &= ~LMP_HOST_LE_BREDR;\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 147431325649177116505079824383689350164, "size": 33, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431880 }, { "func": "static void tcp_ack_no_tstamp(struct sock *sk, u32 seq_rtt, int flag)\n{\n\t/* We don't have a timestamp. Can only use\n\t * packets that are not retransmitted to determine\n\t * rtt estimates. Also, we must not reset the\n\t * backoff for rto until we get a non-retransmitted\n\t * packet. This allows us to deal with a situation\n\t * where the network delay has increased suddenly.\n\t * I.e. Karn's algorithm. (SIGCOMM '87, p5.)\n\t */\n\n\tif (flag & FLAG_RETRANS_DATA_ACKED)\n\t\treturn;\n\n\ttcp_valid_rtt_meas(sk, seq_rtt);\n}", "project": "net-next", "hash": 118430673282930439762564664976678380461, "size": 16, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409909 }, { "func": " void sortlength(THD *thd,\n const Type_std_attributes *item,\n SORT_FIELD_ATTR *attr) const\n {\n type_handler()->sortlength(thd, item, attr);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 181669366859216696543111846334259883563, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508976 }, { "func": "static void hci_req_add_set_adv_filter_enable(struct hci_request *req,\n\t\t\t\t\t bool enable)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\n\tswitch (hci_get_adv_monitor_offload_ext(hdev)) {\n\tcase HCI_ADV_MONITOR_EXT_MSFT:\n\t\tmsft_req_add_set_filter_enable(req, enable);\n\t\tbreak;\n\tdefault:\n\t\treturn;\n\t}\n\n\t/* No need to block when enabling since it's on resume path */\n\tif (hdev->suspended && !enable)\n\t\tset_bit(SUSPEND_SET_ADV_FILTER, hdev->suspend_tasks);\n}", "project": "linux", "hash": 181803336159137387158267023681992045901, "size": 17, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402525 }, { "func": "\nstatic int __io_sq_thread(struct io_ring_ctx *ctx, bool cap_entries)\n{\n\tunsigned int to_submit;\n\tint ret = 0;\n\n\tto_submit = io_sqring_entries(ctx);\n\t/* if we're handling multiple rings, cap submit size for fairness */\n\tif (cap_entries && to_submit > 8)\n\t\tto_submit = 8;\n\n\tif (!list_empty(&ctx->iopoll_list) || to_submit) {\n\t\tunsigned nr_events = 0;\n\n\t\tmutex_lock(&ctx->uring_lock);\n\t\tif (!list_empty(&ctx->iopoll_list))\n\t\t\tio_do_iopoll(ctx, &nr_events, 0);\n\n\t\t/*\n\t\t * Don't submit if refs are dying, good for io_uring_register(),\n\t\t * but also it is relied upon by io_ring_exit_work()\n\t\t */\n\t\tif (to_submit && likely(!percpu_ref_is_dying(&ctx->refs)) &&\n\t\t !(ctx->flags & IORING_SETUP_R_DISABLED))\n\t\t\tret = io_submit_sqes(ctx, to_submit);\n\t\tmutex_unlock(&ctx->uring_lock);\n\t}\n\n\tif (!io_sqring_full(ctx) && wq_has_sleeper(&ctx->sqo_sq_wait))\n\t\twake_up(&ctx->sqo_sq_wait);\n\n\treturn ret;", "project": "linux", "hash": 119229255833298234447680090079898394417, "size": 32, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338697 }, { "func": "bool CClient::OnPartMessage(CPartMessage& Message) {\n CString sChans = Message.GetTarget();\n\n VCString vsChans;\n sChans.Split(\",\", vsChans, false);\n sChans.clear();\n\n for (CString& sChan : vsChans) {\n bool bContinue = false;\n Message.SetTarget(sChan);\n if (m_pNetwork) {\n // May be nullptr.\n Message.SetChan(m_pNetwork->FindChan(sChan));\n }\n NETWORKMODULECALL(OnUserPartMessage(Message), m_pUser, m_pNetwork, this,\n &bContinue);\n if (bContinue) continue;\n\n sChan = Message.GetTarget();\n\n CChan* pChan = m_pNetwork ? m_pNetwork->FindChan(sChan) : nullptr;\n\n if (pChan && !pChan->IsOn()) {\n PutStatusNotice(t_f(\"Removing channel {1}\")(sChan));\n m_pNetwork->DelChan(sChan);\n } else {\n sChans += (sChans.empty()) ? 
sChan : CString(\",\" + sChan);\n }\n }\n\n if (sChans.empty()) {\n return true;\n }\n\n Message.SetTarget(sChans);\n\n return false;\n}", "project": "znc", "hash": 93323335206542502047454114051645302413, "size": 38, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231595 }, { "func": " */\nvoid bfq_put_queue(struct bfq_queue *bfqq)\n{\n\tstruct bfq_queue *item;\n\tstruct hlist_node *n;\n\tstruct bfq_group *bfqg = bfqq_group(bfqq);\n\n\tif (bfqq->bfqd)\n\t\tbfq_log_bfqq(bfqq->bfqd, bfqq, \"put_queue: %p %d\",\n\t\t\t bfqq, bfqq->ref);\n\n\tbfqq->ref--;\n\tif (bfqq->ref)\n\t\treturn;\n\n\tif (!hlist_unhashed(&bfqq->burst_list_node)) {\n\t\thlist_del_init(&bfqq->burst_list_node);\n\t\t/*\n\t\t * Decrement also burst size after the removal, if the\n\t\t * process associated with bfqq is exiting, and thus\n\t\t * does not contribute to the burst any longer. This\n\t\t * decrement helps filter out false positives of large\n\t\t * bursts, when some short-lived process (often due to\n\t\t * the execution of commands by some service) happens\n\t\t * to start and exit while a complex application is\n\t\t * starting, and thus spawning several processes that\n\t\t * do I/O (and that *must not* be treated as a large\n\t\t * burst, see comments on bfq_handle_burst).\n\t\t *\n\t\t * In particular, the decrement is performed only if:\n\t\t * 1) bfqq is not a merged queue, because, if it is,\n\t\t * then this free of bfqq is not triggered by the exit\n\t\t * of the process bfqq is associated with, but exactly\n\t\t * by the fact that bfqq has just been merged.\n\t\t * 2) burst_size is greater than 0, to handle\n\t\t * unbalanced decrements. 
Unbalanced decrements may\n\t\t * happen in te following case: bfqq is inserted into\n\t\t * the current burst list--without incrementing\n\t\t * bust_size--because of a split, but the current\n\t\t * burst list is not the burst list bfqq belonged to\n\t\t * (see comments on the case of a split in\n\t\t * bfq_set_request).\n\t\t */\n\t\tif (bfqq->bic && bfqq->bfqd->burst_size > 0)\n\t\t\tbfqq->bfqd->burst_size--;\n\t}\n\n\t/*\n\t * bfqq does not exist any longer, so it cannot be woken by\n\t * any other queue, and cannot wake any other queue. Then bfqq\n\t * must be removed from the woken list of its possible waker\n\t * queue, and all queues in the woken list of bfqq must stop\n\t * having a waker queue. Strictly speaking, these updates\n\t * should be performed when bfqq remains with no I/O source\n\t * attached to it, which happens before bfqq gets freed. In\n\t * particular, this happens when the last process associated\n\t * with bfqq exits or gets associated with a different\n\t * queue. However, both events lead to bfqq being freed soon,\n\t * and dangling references would come out only after bfqq gets\n\t * freed. 
So these updates are done here, as a simple and safe\n\t * way to handle all cases.\n\t */\n\t/* remove bfqq from woken list */\n\tif (!hlist_unhashed(&bfqq->woken_list_node))\n\t\thlist_del_init(&bfqq->woken_list_node);\n\n\t/* reset waker for all queues in woken list */\n\thlist_for_each_entry_safe(item, n, &bfqq->woken_list,\n\t\t\t\t woken_list_node) {\n\t\titem->waker_bfqq = NULL;\n\t\tbfq_clear_bfqq_has_waker(item);\n\t\thlist_del_init(&item->woken_list_node);\n\t}\n\n\tif (bfqq->bfqd && bfqq->bfqd->last_completed_rq_bfqq == bfqq)\n\t\tbfqq->bfqd->last_completed_rq_bfqq = NULL;\n\n\tkmem_cache_free(bfq_pool, bfqq);\n\tbfqg_and_blkg_put(bfqg);", "project": "linux", "hash": 318247294754096371274305278284467683770, "size": 79, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453330 }, { "func": "static inline uint16_t strtr_hash(const char *str, int len) {\n uint16_t res = 0;\n for (int i = 0; i < len; i++) {\n res = res * 33 + (unsigned char)str[i];\n }\n\n return res;\n}", "project": "hhvm", "hash": 92723497454054233249207877395311499565, "size": 8, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219847 }, { "func": "auto make_stack_allocator() {\n return boost::context::protected_fixedsize_stack{512*1024};\n}", "project": "ceph", "hash": 152183509052082330235584601758026958660, "size": 3, "commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves CVE-2020-1700 
(moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384548 }, { "func": "\nstatic void io_rsrc_node_destroy(struct io_rsrc_node *ref_node)\n{\n\tpercpu_ref_exit(&ref_node->refs);\n\tkfree(ref_node);", "project": "linux", "hash": 154080672122561726630361130464667078162, "size": 5, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338701 }, { "func": "void opj_j2k_destroy(opj_j2k_t *p_j2k)\n{\n if (p_j2k == 00) {\n return;\n }\n\n if (p_j2k->m_is_decoder) {\n\n if (p_j2k->m_specific_param.m_decoder.m_default_tcp != 00) {\n opj_j2k_tcp_destroy(p_j2k->m_specific_param.m_decoder.m_default_tcp);\n opj_free(p_j2k->m_specific_param.m_decoder.m_default_tcp);\n p_j2k->m_specific_param.m_decoder.m_default_tcp = 00;\n }\n\n if (p_j2k->m_specific_param.m_decoder.m_header_data != 00) {\n opj_free(p_j2k->m_specific_param.m_decoder.m_header_data);\n p_j2k->m_specific_param.m_decoder.m_header_data = 00;\n p_j2k->m_specific_param.m_decoder.m_header_data_size = 0;\n }\n\n opj_free(p_j2k->m_specific_param.m_decoder.m_comps_indices_to_decode);\n p_j2k->m_specific_param.m_decoder.m_comps_indices_to_decode = 
00;\n p_j2k->m_specific_param.m_decoder.m_numcomps_to_decode = 0;\n\n } else {\n\n if (p_j2k->m_specific_param.m_encoder.m_encoded_tile_data) {\n opj_free(p_j2k->m_specific_param.m_encoder.m_encoded_tile_data);\n p_j2k->m_specific_param.m_encoder.m_encoded_tile_data = 00;\n }\n\n if (p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_buffer) {\n opj_free(p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_buffer);\n p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_buffer = 00;\n p_j2k->m_specific_param.m_encoder.m_tlm_sot_offsets_current = 00;\n }\n\n if (p_j2k->m_specific_param.m_encoder.m_header_tile_data) {\n opj_free(p_j2k->m_specific_param.m_encoder.m_header_tile_data);\n p_j2k->m_specific_param.m_encoder.m_header_tile_data = 00;\n p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = 0;\n }\n }\n\n opj_tcd_destroy(p_j2k->m_tcd);\n\n opj_j2k_cp_destroy(&(p_j2k->m_cp));\n memset(&(p_j2k->m_cp), 0, sizeof(opj_cp_t));\n\n opj_procedure_list_destroy(p_j2k->m_procedure_list);\n p_j2k->m_procedure_list = 00;\n\n opj_procedure_list_destroy(p_j2k->m_validation_list);\n p_j2k->m_procedure_list = 00;\n\n j2k_destroy_cstr_index(p_j2k->cstr_index);\n p_j2k->cstr_index = NULL;\n\n opj_image_destroy(p_j2k->m_private_image);\n p_j2k->m_private_image = NULL;\n\n opj_image_destroy(p_j2k->m_output_image);\n p_j2k->m_output_image = NULL;\n\n opj_thread_pool_destroy(p_j2k->m_tp);\n p_j2k->m_tp = NULL;\n\n opj_free(p_j2k);\n}", "project": "openjpeg", "hash": 137578825143513814238332572301819296506, "size": 69, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357379 }, { "func": "int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat,\n\t\t loff_t offset)\n{\n\tint rc = 0;\n\tchar dst[MD5_DIGEST_SIZE];\n\tchar src[ECRYPTFS_MAX_IV_BYTES + 16];\n\n\tif (unlikely(ecryptfs_verbosity > 0)) 
{\n\t\tecryptfs_printk(KERN_DEBUG, \"root iv:\\n\");\n\t\tecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes);\n\t}\n\t/* TODO: It is probably secure to just cast the least\n\t * significant bits of the root IV into an unsigned long and\n\t * add the offset to that rather than go through all this\n\t * hashing business. -Halcrow */\n\tmemcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes);\n\tmemset((src + crypt_stat->iv_bytes), 0, 16);\n\tsnprintf((src + crypt_stat->iv_bytes), 16, \"%lld\", offset);\n\tif (unlikely(ecryptfs_verbosity > 0)) {\n\t\tecryptfs_printk(KERN_DEBUG, \"source:\\n\");\n\t\tecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16));\n\t}\n\trc = ecryptfs_calculate_md5(dst, crypt_stat, src,\n\t\t\t\t (crypt_stat->iv_bytes + 16));\n\tif (rc) {\n\t\tecryptfs_printk(KERN_WARNING, \"Error attempting to compute \"\n\t\t\t\t\"MD5 while generating IV for a page\\n\");\n\t\tgoto out;\n\t}\n\tmemcpy(iv, dst, crypt_stat->iv_bytes);\n\tif (unlikely(ecryptfs_verbosity > 0)) {\n\t\tecryptfs_printk(KERN_DEBUG, \"derived iv:\\n\");\n\t\tecryptfs_dump_hex(iv, crypt_stat->iv_bytes);\n\t}\nout:\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 179532666883780723165537695902649453242, "size": 37, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. 
Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490179 }, { "func": "static void io_req_task_queue(struct io_kiocb *req)\n{\n\treq->task_work.func = io_req_task_submit;\n\n\tif (unlikely(io_req_task_work_add(req)))\n\t\tio_req_task_queue_fail(req, -ECANCELED);\n}", "project": "linux", "hash": 36533155600118148661269597248141473861, "size": 7, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338673 }, { "func": "static void io_req_task_queue(struct io_kiocb *req)\n{\n\tint ret;\n\n\tinit_task_work(&req->task_work, io_req_task_submit);\n\tpercpu_ref_get(&req->ctx->refs);\n\n\tret = io_req_task_work_add(req, &req->task_work);\n\tif (unlikely(ret)) {\n\t\tstruct task_struct *tsk;\n\n\t\tinit_task_work(&req->task_work, io_req_task_cancel);\n\t\ttsk = io_wq_get_task(req->ctx->io_wq);\n\t\ttask_work_add(tsk, &req->task_work, 0);\n\t\twake_up_process(tsk);\n\t}\n}", "project": "linux", "hash": 26329896884683390189119813619255757243, "size": 17, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456923 }, { "func": "\nstatic int io_register_files_update(struct io_ring_ctx *ctx, void __user *arg,\n\t\t\t\t unsigned nr_args)\n{\n\tstruct io_uring_rsrc_update2 up;\n\n\tif 
(!nr_args)\n\t\treturn -EINVAL;\n\tmemset(&up, 0, sizeof(up));\n\tif (copy_from_user(&up, arg, sizeof(struct io_uring_rsrc_update)))\n\t\treturn -EFAULT;\n\treturn __io_register_rsrc_update(ctx, IORING_RSRC_FILE, &up, nr_args);", "project": "linux", "hash": 204902999113528549511559880826191589659, "size": 12, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338728 }, { "func": "ConnStateData::parseProxy2p0()\n{\n static const SBuf::size_type prefixLen = Proxy2p0magic.length();\n if (inBuf.length() < prefixLen + 4)\n return false; // need more bytes\n\n if ((inBuf[prefixLen] & 0xF0) != 0x20) // version == 2 is mandatory\n return proxyProtocolError(\"PROXY/2.0 error: invalid version\");\n\n const char command = (inBuf[prefixLen] & 0x0F);\n if ((command & 0xFE) != 0x00) // values other than 0x0-0x1 are invalid\n return proxyProtocolError(\"PROXY/2.0 error: invalid command\");\n\n const char family = (inBuf[prefixLen+1] & 0xF0) >>4;\n if (family > 0x3) // values other than 0x0-0x3 are invalid\n return proxyProtocolError(\"PROXY/2.0 error: invalid family\");\n\n const char proto = (inBuf[prefixLen+1] & 0x0F);\n if (proto > 0x2) // values other than 0x0-0x2 are invalid\n return proxyProtocolError(\"PROXY/2.0 error: 
invalid protocol type\");\n\n const char *clen = inBuf.rawContent() + prefixLen + 2;\n uint16_t len;\n memcpy(&len, clen, sizeof(len));\n len = ntohs(len);\n\n if (inBuf.length() < prefixLen + 4 + len)\n return false; // need more bytes\n\n inBuf.consume(prefixLen + 4); // 4 being the extra bytes\n const SBuf extra = inBuf.consume(len);\n needProxyProtocolHeader_ = false; // found successfully\n\n // LOCAL connections do nothing with the extras\n if (command == 0x00/* LOCAL*/)\n return true;\n\n union pax {\n struct { /* for TCP/UDP over IPv4, len = 12 */\n struct in_addr src_addr;\n struct in_addr dst_addr;\n uint16_t src_port;\n uint16_t dst_port;\n } ipv4_addr;\n struct { /* for TCP/UDP over IPv6, len = 36 */\n struct in6_addr src_addr;\n struct in6_addr dst_addr;\n uint16_t src_port;\n uint16_t dst_port;\n } ipv6_addr;\n#if NOT_SUPPORTED\n struct { /* for AF_UNIX sockets, len = 216 */\n uint8_t src_addr[108];\n uint8_t dst_addr[108];\n } unix_addr;\n#endif\n };\n\n pax ipu;\n memcpy(&ipu, extra.rawContent(), sizeof(pax));\n\n // replace the client connection values\n debugs(33, 5, \"PROXY/2.0 protocol on connection \" << clientConnection);\n switch (family) {\n case 0x1: // IPv4\n clientConnection->local = ipu.ipv4_addr.dst_addr;\n clientConnection->local.port(ntohs(ipu.ipv4_addr.dst_port));\n clientConnection->remote = ipu.ipv4_addr.src_addr;\n clientConnection->remote.port(ntohs(ipu.ipv4_addr.src_port));\n if ((clientConnection->flags & COMM_TRANSPARENT))\n clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.\n break;\n case 0x2: // IPv6\n clientConnection->local = ipu.ipv6_addr.dst_addr;\n clientConnection->local.port(ntohs(ipu.ipv6_addr.dst_port));\n clientConnection->remote = ipu.ipv6_addr.src_addr;\n clientConnection->remote.port(ntohs(ipu.ipv6_addr.src_port));\n if ((clientConnection->flags & COMM_TRANSPARENT))\n clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.\n break;\n default: 
// do nothing\n break;\n }\n debugs(33, 5, \"PROXY/2.0 upgrade: \" << clientConnection);\n return true;\n}", "project": "squid", "hash": 319002894382110747970905644779022469454, "size": 86, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402355 }, { "func": "static int vm_stat_get(void *_offset, u64 *val)\n{\n\tunsigned offset = (long)_offset;\n\tstruct kvm *kvm;\n\tu64 tmp_val;\n\n\t*val = 0;\n\tmutex_lock(&kvm_lock);\n\tlist_for_each_entry(kvm, &vm_list, vm_list) {\n\t\tkvm_get_stat_per_vm(kvm, offset, &tmp_val);\n\t\t*val += tmp_val;\n\t}\n\tmutex_unlock(&kvm_lock);\n\treturn 0;\n}", "project": "linux", "hash": 19943905460217274261888517125122560888, "size": 15, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354482 }, { "func": 
"static enum_func_status\nphp_mysqlnd_prepare_read(void * _packet, MYSQLND_CONN_DATA * conn TSRMLS_DC)\n{\n\t/* In case of an error, we should have place to put it */\n\tsize_t buf_len = conn->net->cmd_buffer.length;\n\tzend_uchar *buf = (zend_uchar *) conn->net->cmd_buffer.buffer;\n\tzend_uchar *p = buf;\n\tzend_uchar *begin = buf;\n\tunsigned int data_size;\n\tMYSQLND_PACKET_PREPARE_RESPONSE *packet= (MYSQLND_PACKET_PREPARE_RESPONSE *) _packet;\n\n\tDBG_ENTER(\"php_mysqlnd_prepare_read\");\n\n\tPACKET_READ_HEADER_AND_BODY(packet, conn, buf, buf_len, \"prepare\", PROT_PREPARE_RESP_PACKET);\n\tBAIL_IF_NO_MORE_DATA;\n\n\tdata_size = packet->header.size;\n\tpacket->error_code = uint1korr(p);\n\tp++;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tif (ERROR_MARKER == packet->error_code) {\n\t\tphp_mysqlnd_read_error_from_line(p, data_size - 1,\n\t\t\t\t\t\t\t\t\t\t packet->error_info.error,\n\t\t\t\t\t\t\t\t\t\t sizeof(packet->error_info.error),\n\t\t\t\t\t\t\t\t\t\t &packet->error_info.error_no,\n\t\t\t\t\t\t\t\t\t\t packet->error_info.sqlstate\n\t\t\t\t\t\t\t\t\t\t TSRMLS_CC);\n\t\tDBG_RETURN(PASS);\n\t}\n\n\tif (data_size != PREPARE_RESPONSE_SIZE_41 &&\n\t\tdata_size != PREPARE_RESPONSE_SIZE_50 &&\n\t\t!(data_size > PREPARE_RESPONSE_SIZE_50)) {\n\t\tDBG_ERR_FMT(\"Wrong COM_STMT_PREPARE response size. Received %u\", data_size);\n\t\tphp_error(E_WARNING, \"Wrong COM_STMT_PREPARE response size. 
Received %u\", data_size);\n\t\tDBG_RETURN(FAIL);\n\t}\n\n\tpacket->stmt_id = uint4korr(p);\n\tp += 4;\n\tBAIL_IF_NO_MORE_DATA;\n\n\t/* Number of columns in result set */\n\tpacket->field_count = uint2korr(p);\n\tp += 2;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tpacket->param_count = uint2korr(p);\n\tp += 2;\n\tBAIL_IF_NO_MORE_DATA;\n\n\tif (data_size > 9) {\n\t\t/* 0x0 filler sent by the server for 5.0+ clients */\n\t\tp++;\n\t\tBAIL_IF_NO_MORE_DATA;\n\n\t\tpacket->warning_count = uint2korr(p);\n\t}\n\n\tDBG_INF_FMT(\"Prepare packet read: stmt_id=%u fields=%u params=%u\",\n\t\t\t\tpacket->stmt_id, packet->field_count, packet->param_count);\n\n\tBAIL_IF_NO_MORE_DATA;\n\n\tDBG_RETURN(PASS);\npremature_end:\n\tDBG_ERR_FMT(\"PREPARE packet %d bytes shorter than expected\", p - begin - packet->header.size);\n\tphp_error_docref(NULL TSRMLS_CC, E_WARNING, \"PREPARE packet \"MYSQLND_SZ_T_SPEC\" bytes shorter than expected\",\n\t\t\t\t\t p - begin - packet->header.size);\n\tDBG_RETURN(FAIL);", "project": "php-src", "hash": 148555744830031491665691815907621773345, "size": 71, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416640 }, { "func": "\tenum scsi_scan_mode rescan;\n};\n\nstatic int iscsi_user_scan_session(struct device *dev, void *data)\n{\n\tstruct iscsi_scan_data *scan_data = data;\n\tstruct iscsi_cls_session *session;\n\tstruct Scsi_Host *shost;\n\tstruct iscsi_cls_host *ihost;\n\tunsigned long flags;\n\tunsigned int id;\n\n\tif (!iscsi_is_session_dev(dev))\n\t\treturn 0;\n\n\tsession = iscsi_dev_to_session(dev);\n\n\tISCSI_DBG_TRANS_SESSION(session, \"Scanning session\\n\");\n\n\tshost = iscsi_session_to_shost(session);\n\tihost = shost->shost_data;\n\n\tmutex_lock(&ihost->mutex);\n\tspin_lock_irqsave(&session->lock, flags);\n\tif (session->state != ISCSI_SESSION_LOGGED_IN) {\n\t\tspin_unlock_irqrestore(&session->lock, flags);\n\t\tgoto 
user_scan_exit;\n\t}\n\tid = session->target_id;\n\tspin_unlock_irqrestore(&session->lock, flags);\n\n\tif (id != ISCSI_MAX_TARGET) {\n\t\tif ((scan_data->channel == SCAN_WILD_CARD ||\n\t\t scan_data->channel == 0) &&\n\t\t (scan_data->id == SCAN_WILD_CARD ||\n\t\t scan_data->id == id))\n\t\t\tscsi_scan_target(&session->dev, 0, id,\n\t\t\t\t\t scan_data->lun, scan_data->rescan);\n\t}\n\nuser_scan_exit:\n\tmutex_unlock(&ihost->mutex);", "project": "linux", "hash": 273481396964351064219004058532752975964, "size": 42, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379987 }, { "func": "static void set_cpu_partial(struct kmem_cache *s)\n{\n#ifdef CONFIG_SLUB_CPU_PARTIAL\n\t/*\n\t * cpu_partial determined the maximum number of objects kept in the\n\t * per cpu partial lists of a processor.\n\t *\n\t * Per cpu partial lists mainly contain slabs that just have one\n\t * object freed. If they are used for allocation then they can be\n\t * filled up again with minimal effort. The slab will never hit the\n\t * per node partial lists and therefore no locking will be required.\n\t *\n\t * This setting also determines\n\t *\n\t * A) The number of objects from per cpu partial slabs dumped to the\n\t * per node list when we reach the limit.\n\t * B) The number of objects in cpu partial slabs to extract from the\n\t * per node list when we run out of per cpu objects. 
We only fetch\n\t * 50% to keep some capacity around for frees.\n\t */\n\tif (!kmem_cache_has_cpu_partial(s))\n\t\ts->cpu_partial = 0;\n\telse if (s->size >= PAGE_SIZE)\n\t\ts->cpu_partial = 2;\n\telse if (s->size >= 1024)\n\t\ts->cpu_partial = 6;\n\telse if (s->size >= 256)\n\t\ts->cpu_partial = 13;\n\telse\n\t\ts->cpu_partial = 30;\n#endif\n}", "project": "linux", "hash": 280402884762009267864964163597654014414, "size": 32, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280024 }, { "func": "static void kvm_uevent_notify_change(unsigned int type, struct kvm *kvm)\n{\n\tstruct kobj_uevent_env *env;\n\tunsigned long long created, active;\n\n\tif (!kvm_dev.this_device || !kvm)\n\t\treturn;\n\n\tmutex_lock(&kvm_lock);\n\tif (type == KVM_EVENT_CREATE_VM) {\n\t\tkvm_createvm_count++;\n\t\tkvm_active_vms++;\n\t} else if (type == KVM_EVENT_DESTROY_VM) {\n\t\tkvm_active_vms--;\n\t}\n\tcreated = kvm_createvm_count;\n\tactive = kvm_active_vms;\n\tmutex_unlock(&kvm_lock);\n\n\tenv = kzalloc(sizeof(*env), GFP_KERNEL_ACCOUNT);\n\tif (!env)\n\t\treturn;\n\n\tadd_uevent_var(env, \"CREATED=%llu\", created);\n\tadd_uevent_var(env, \"COUNT=%llu\", active);\n\n\tif (type == KVM_EVENT_CREATE_VM) {\n\t\tadd_uevent_var(env, 
\"EVENT=create\");\n\t\tkvm->userspace_pid = task_pid_nr(current);\n\t} else if (type == KVM_EVENT_DESTROY_VM) {\n\t\tadd_uevent_var(env, \"EVENT=destroy\");\n\t}\n\tadd_uevent_var(env, \"PID=%d\", kvm->userspace_pid);\n\n\tif (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {\n\t\tchar *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL_ACCOUNT);\n\n\t\tif (p) {\n\t\t\ttmp = dentry_path_raw(kvm->debugfs_dentry, p, PATH_MAX);\n\t\t\tif (!IS_ERR(tmp))\n\t\t\t\tadd_uevent_var(env, \"STATS_PATH=%s\", tmp);\n\t\t\tkfree(p);\n\t\t}\n\t}\n\t/* no need for checks, since we are adding at most only 5 keys */\n\tenv->envp[env->envp_idx++] = NULL;\n\tkobject_uevent_env(&kvm_dev.this_device->kobj, KOBJ_CHANGE, env->envp);\n\tkfree(env);\n}", "project": "linux", "hash": 240493933533685444042918359723938142384, "size": 49, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354783 }, { "func": "int ssh_buffer_validate_length(struct ssh_buffer_struct *buffer, size_t len)\n{\n if (buffer->pos + len < len || buffer->pos + len > buffer->used) {\n return SSH_ERROR;\n }\n\n return SSH_OK;\n}", "project": "libssh-mirror", "hash": 288019464236335750445456914302620550724, "size": 8, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: 
Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345162 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "SoftwareFrameManager::SoftwareFrameManager(\n base::WeakPtr client)\n : client_(client) {}\n", "cwe": "", "big_vul_idx": 129975, "idx": 116286, "hash": 97063019852350501603368979675996570947 }, { "func": " bool parseUll() {\n if (*p++ != 'u') return false;\n if (*p++ != 'l') return false;\n if (*p++ != 'l') return false;\n top++->m_type = KindOfNull;\n return true;\n }", "project": "hhvm", "hash": 256296392907618611043052824685453196343, "size": 7, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227313 }, { "func": "static bool compare_flags_for_copy(struct Email *e)\n{\n struct ImapEmailData *edata = e->edata;\n\n if (e->read != edata->read)\n return true;\n if (e->old != edata->old)\n return true;\n if (e->flagged != edata->flagged)\n return true;\n if (e->replied != edata->replied)\n return true;\n\n return false;\n}", "project": "neomutt", "hash": 236891373578658278572926399238916336536, "size": 15, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357011 }, { "func": "static void load_xref_entries(FILE *fp, xref_t *xref)\n{\n if (xref->is_stream)\n load_xref_from_stream(fp, xref);\n else\n load_xref_from_plaintext(fp, xref);\n}", "project": "pdfresurrect", "hash": 
241310829488560265020015937196796495219, "size": 7, "commit_id": "7e35d1806e111fd28610ccc86bb33f54792ac370", "message": "Fix possible infinite loop case when looking for a trailer.\n\nThanks to chibataiki for reporting and isolating this!", "target": 0, "dataset": "other", "idx": 355592 }, { "func": "static Array str_offset_pair(const String& str, int offset,\n bool hackArrOutput) {\n return hackArrOutput ? make_vec_array(str, offset)\n : make_varray(str, offset);\n}", "project": "hhvm", "hash": 129596365541936584046034002531454339835, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219045 }, { "func": "void task_join_group_stop(struct task_struct *task)\n{\n\t/* Have the new thread join an on-going signal group stop */\n\tunsigned long jobctl = current->jobctl;\n\tif (jobctl & JOBCTL_STOP_PENDING) {\n\t\tstruct signal_struct *sig = current->signal;\n\t\tunsigned long signr = jobctl & JOBCTL_STOP_SIGMASK;\n\t\tunsigned long gstop = JOBCTL_STOP_PENDING | JOBCTL_STOP_CONSUME;\n\t\tif (task_set_jobctl_pending(task, signr | gstop)) {\n\t\t\tsig->group_stop_count++;\n\t\t}\n\t}\n}", "project": "linux", "hash": 182219603959282074648487953010142536515, "size": 13, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. 
Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375183 }, { "func": "void flush_sigqueue(struct sigpending *queue)\n{\n\tstruct sigqueue *q;\n\n\tsigemptyset(&queue->signal);\n\twhile (!list_empty(&queue->list)) {\n\t\tq = list_entry(queue->list.next, struct sigqueue , list);\n\t\tlist_del_init(&q->list);\n\t\t__sigqueue_free(q);\n\t}\n}", "project": "linux", "hash": 309686707737256268529774755058779662902, "size": 11, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375249 }, { "func": "static void nfs4_bitmap_copy_adjust_setattr(__u32 *dst,\n\t\tconst __u32 *src, struct inode *inode)\n{\n\tnfs4_bitmap_copy_adjust(dst, src, inode);\n}", "project": "linux", "hash": 157309184515288514469605992400324440203, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431347 }, { "func": "static u8 tdme_channelinit(u8 channel, void *device_ref)\n{\n\t/* Transceiver front-end local oscillator tx two-point calibration\n\t * value. Tuned for the hardware.\n\t */\n\tu8 txcalval;\n\n\tif (channel >= 25)\n\t\ttxcalval = 0xA7;\n\telse if (channel >= 23)\n\t\ttxcalval = 0xA8;\n\telse if (channel >= 22)\n\t\ttxcalval = 0xA9;\n\telse if (channel >= 20)\n\t\ttxcalval = 0xAA;\n\telse if (channel >= 17)\n\t\ttxcalval = 0xAB;\n\telse if (channel >= 16)\n\t\ttxcalval = 0xAC;\n\telse if (channel >= 14)\n\t\ttxcalval = 0xAD;\n\telse if (channel >= 12)\n\t\ttxcalval = 0xAE;\n\telse\n\t\ttxcalval = 0xAF;\n\n\treturn tdme_setsfr_request_sync(\n\t\t1,\n\t\tCA8210_SFR_LOTXCAL,\n\t\ttxcalval,\n\t\tdevice_ref\n\t); /* LO Tx Cal */\n}", "project": "linux", "hash": 160379353616764154650061615807916593207, "size": 33, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: 
https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408791 }, { "func": "static bool pb_release_union_field(pb_istream_t *stream, pb_field_iter_t *field)\n{\n pb_field_iter_t old_field = *field;\n pb_size_t old_tag = *(pb_size_t*)field->pSize; /* Previous which_ value */\n pb_size_t new_tag = field->tag; /* New which_ value */\n\n if (old_tag == 0)\n return true; /* Ok, no old data in union */\n\n if (old_tag == new_tag)\n return true; /* Ok, old data is of same type => merge */\n\n /* Release old data. The find can fail if the message struct contains\n * invalid data. */\n if (!pb_field_iter_find(&old_field, old_tag))\n PB_RETURN_ERROR(stream, \"invalid union tag\");\n\n pb_release_single_field(&old_field);\n\n return true;\n}", "project": "nanopb", "hash": 112412675508427426387109317948700128093, "size": 21, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. 
Actual security impact will also depend on the heap\nimplementation used.", "target": 1, "dataset": "other", "idx": 197172 }, { "func": "static bool pb_release_union_field(pb_istream_t *stream, pb_field_iter_t *iter)\n{\n pb_size_t old_tag = *(pb_size_t*)iter->pSize; /* Previous which_ value */\n pb_size_t new_tag = iter->pos->tag; /* New which_ value */\n\n if (old_tag == 0)\n return true; /* Ok, no old data in union */\n\n if (old_tag == new_tag)\n return true; /* Ok, old data is of same type => merge */\n\n /* Release old data. The find can fail if the message struct contains\n * invalid data. */\n if (!pb_field_iter_find(iter, old_tag))\n PB_RETURN_ERROR(stream, \"invalid union tag\");\n\n pb_release_single_field(iter);\n\n /* Restore iterator to where it should be.\n * This shouldn't fail unless the pb_field_t structure is corrupted. */\n if (!pb_field_iter_find(iter, new_tag))\n PB_RETURN_ERROR(stream, \"iterator error\");\n \n return true;\n}", "project": "nanopb", "hash": 4097575955936835060032977891288705780, "size": 25, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252518 }, { "func": "static bool pb_release_union_field(pb_istream_t *stream, pb_field_iter_t *field)\n{\n pb_field_iter_t old_field = *field;\n pb_size_t old_tag = *(pb_size_t*)field->pSize; /* Previous which_ value */\n pb_size_t new_tag = field->tag; /* New which_ value */\n\n if (old_tag == 0)\n return true; /* Ok, no old data in union */\n\n if (old_tag == new_tag)\n return true; /* Ok, old data is of same type => merge */\n\n /* Release old data. The find can fail if the message struct contains\n * invalid data. 
*/\n if (!pb_field_iter_find(&old_field, old_tag))\n PB_RETURN_ERROR(stream, \"invalid union tag\");\n\n pb_release_single_field(&old_field);\n\n if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)\n {\n /* Initialize the pointer to NULL to make sure it is valid\n * even in case of error return. */\n *(void**)field->pField = NULL;\n field->pData = NULL;\n }\n\n return true;\n}", "project": "nanopb", "hash": 141020607398662900410401211462596595087, "size": 29, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. 
Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254699 }, { "func": "static int ctnetlink_dump_helpinfo(struct sk_buff *skb,\n\t\t\t\t const struct nf_conn *ct)\n{\n\tstruct nlattr *nest_helper;\n\tconst struct nf_conn_help *help = nfct_help(ct);\n\tstruct nf_conntrack_helper *helper;\n\n\tif (!help)\n\t\treturn 0;\n\n\thelper = rcu_dereference(help->helper);\n\tif (!helper)\n\t\tgoto out;\n\n\tnest_helper = nla_nest_start(skb, CTA_HELP);\n\tif (!nest_helper)\n\t\tgoto nla_put_failure;\n\tif (nla_put_string(skb, CTA_HELP_NAME, helper->name))\n\t\tgoto nla_put_failure;\n\n\tif (helper->to_nlattr)\n\t\thelper->to_nlattr(skb, ct);\n\n\tnla_nest_end(skb, nest_helper);\nout:\n\treturn 0;\n\nnla_put_failure:\n\treturn -1;\n}", "project": "linux", "hash": 330720418630447621000036456049286923362, "size": 30, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. 
MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394163 }, { "func": "void CSoundFile::Vibrato(ModChannel *p, uint32 param) const\n{\n\tif (param & 0x0F) p->nVibratoDepth = (param & 0x0F) * 4;\n\tif (param & 0xF0) p->nVibratoSpeed = (param >> 4) & 0x0F;\n\tp->dwFlags.set(CHN_VIBRATO);\n}", "project": "openmpt", "hash": 286946649073831597522729872300586819860, "size": 6, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255214 }, { "func": "static void nap_set(int tile_cnt) {\n\tint nap_in = nap_ok;\n\ttime_t now = time(NULL);\n\n\tif (scan_count == 0) {\n\t\t/* roll up check for all NSCAN scans */\n\t\tnap_ok = 0;\n\t\tif (naptile && nap_diff_count < 2 * NSCAN * naptile) {\n\t\t\t/* \"2\" is a fudge to permit a bit of bg drawing */\n\t\t\tnap_ok = 
1;\n\t\t}\n\t\tnap_diff_count = 0;\n\t}\n\tif (nap_ok && ! nap_in && use_xdamage) {\n\t\tif (XD_skip > 0.8 * XD_tot) \t{\n\t\t\t/* X DAMAGE is keeping load low, so skip nap */\n\t\t\tnap_ok = 0;\n\t\t}\n\t}\n\tif (! nap_ok && client_count) {\n\t\tif(now > last_fb_bytes_sent + no_fbu_blank) {\n\t\t\tif (debug_tiles > 1) {\n\t\t\t\tfprintf(stderr, \"nap_set: nap_ok=1: now: %d last: %d\\n\",\n\t\t\t\t (int) now, (int) last_fb_bytes_sent);\n\t\t\t}\n\t\t\tnap_ok = 1;\n\t\t}\n\t}\n\n\tif (show_cursor) {\n\t\t/* kludge for the up to 4 tiles the mouse patch could occupy */\n\t\tif ( tile_cnt > 4) {\n\t\t\tlast_event = now;\n\t\t}\n\t} else if (tile_cnt != 0) {\n\t\tlast_event = now;\n\t}\n}", "project": "x11vnc", "hash": 110802071216284124201516070927325020702, "size": 38, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360787 }, { "func": "static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,\n\t\t\t\t\t\tconst struct sadb_msg *hdr,\n\t\t\t\t\t\tvoid * const *ext_hdrs)\n{\n\tstruct xfrm_state *x;\n\tconst struct sadb_lifetime *lifetime;\n\tconst struct sadb_sa *sa;\n\tconst struct sadb_key *key;\n\tconst struct sadb_x_sec_ctx *sec_ctx;\n\tuint16_t proto;\n\tint err;\n\n\n\tsa = ext_hdrs[SADB_EXT_SA - 1];\n\tif (!sa ||\n\t !present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],\n\t\t\t\t ext_hdrs[SADB_EXT_ADDRESS_DST-1]))\n\t\treturn ERR_PTR(-EINVAL);\n\tif (hdr->sadb_msg_satype == SADB_SATYPE_ESP &&\n\t !ext_hdrs[SADB_EXT_KEY_ENCRYPT-1])\n\t\treturn ERR_PTR(-EINVAL);\n\tif (hdr->sadb_msg_satype == SADB_SATYPE_AH &&\n\t !ext_hdrs[SADB_EXT_KEY_AUTH-1])\n\t\treturn ERR_PTR(-EINVAL);\n\tif (!!ext_hdrs[SADB_EXT_LIFETIME_HARD-1] !=\n\t !!ext_hdrs[SADB_EXT_LIFETIME_SOFT-1])\n\t\treturn ERR_PTR(-EINVAL);\n\n\tproto = pfkey_satype2proto(hdr->sadb_msg_satype);\n\tif (proto == 0)\n\t\treturn ERR_PTR(-EINVAL);\n\n\t/* default error is no buffer 
space */\n\terr = -ENOBUFS;\n\n\t/* RFC2367:\n\n Only SADB_SASTATE_MATURE SAs may be submitted in an SADB_ADD message.\n SADB_SASTATE_LARVAL SAs are created by SADB_GETSPI and it is not\n sensible to add a new SA in the DYING or SADB_SASTATE_DEAD state.\n Therefore, the sadb_sa_state field of all submitted SAs MUST be\n SADB_SASTATE_MATURE and the kernel MUST return an error if this is\n not true.\n\n\t However, KAME setkey always uses SADB_SASTATE_LARVAL.\n\t Hence, we have to _ignore_ sadb_sa_state, which is also reasonable.\n\t */\n\tif (sa->sadb_sa_auth > SADB_AALG_MAX ||\n\t (hdr->sadb_msg_satype == SADB_X_SATYPE_IPCOMP &&\n\t sa->sadb_sa_encrypt > SADB_X_CALG_MAX) ||\n\t sa->sadb_sa_encrypt > SADB_EALG_MAX)\n\t\treturn ERR_PTR(-EINVAL);\n\tkey = ext_hdrs[SADB_EXT_KEY_AUTH - 1];\n\tif (key != NULL &&\n\t sa->sadb_sa_auth != SADB_X_AALG_NULL &&\n\t key->sadb_key_bits == 0)\n\t\treturn ERR_PTR(-EINVAL);\n\tkey = ext_hdrs[SADB_EXT_KEY_ENCRYPT-1];\n\tif (key != NULL &&\n\t sa->sadb_sa_encrypt != SADB_EALG_NULL &&\n\t key->sadb_key_bits == 0)\n\t\treturn ERR_PTR(-EINVAL);\n\n\tx = xfrm_state_alloc(net);\n\tif (x == NULL)\n\t\treturn ERR_PTR(-ENOBUFS);\n\n\tx->id.proto = proto;\n\tx->id.spi = sa->sadb_sa_spi;\n\tx->props.replay_window = min_t(unsigned int, sa->sadb_sa_replay,\n\t\t\t\t\t(sizeof(x->replay.bitmap) * 8));\n\tif (sa->sadb_sa_flags & SADB_SAFLAGS_NOECN)\n\t\tx->props.flags |= XFRM_STATE_NOECN;\n\tif (sa->sadb_sa_flags & SADB_SAFLAGS_DECAP_DSCP)\n\t\tx->props.flags |= XFRM_STATE_DECAP_DSCP;\n\tif (sa->sadb_sa_flags & SADB_SAFLAGS_NOPMTUDISC)\n\t\tx->props.flags |= XFRM_STATE_NOPMTUDISC;\n\n\tlifetime = ext_hdrs[SADB_EXT_LIFETIME_HARD - 1];\n\tif (lifetime != NULL) {\n\t\tx->lft.hard_packet_limit = _KEY2X(lifetime->sadb_lifetime_allocations);\n\t\tx->lft.hard_byte_limit = _KEY2X(lifetime->sadb_lifetime_bytes);\n\t\tx->lft.hard_add_expires_seconds = lifetime->sadb_lifetime_addtime;\n\t\tx->lft.hard_use_expires_seconds = 
lifetime->sadb_lifetime_usetime;\n\t}\n\tlifetime = ext_hdrs[SADB_EXT_LIFETIME_SOFT - 1];\n\tif (lifetime != NULL) {\n\t\tx->lft.soft_packet_limit = _KEY2X(lifetime->sadb_lifetime_allocations);\n\t\tx->lft.soft_byte_limit = _KEY2X(lifetime->sadb_lifetime_bytes);\n\t\tx->lft.soft_add_expires_seconds = lifetime->sadb_lifetime_addtime;\n\t\tx->lft.soft_use_expires_seconds = lifetime->sadb_lifetime_usetime;\n\t}\n\n\tsec_ctx = ext_hdrs[SADB_X_EXT_SEC_CTX - 1];\n\tif (sec_ctx != NULL) {\n\t\tstruct xfrm_user_sec_ctx *uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx, GFP_KERNEL);\n\n\t\tif (!uctx)\n\t\t\tgoto out;\n\n\t\terr = security_xfrm_state_alloc(x, uctx);\n\t\tkfree(uctx);\n\n\t\tif (err)\n\t\t\tgoto out;\n\t}\n\n\terr = -ENOBUFS;\n\tkey = ext_hdrs[SADB_EXT_KEY_AUTH - 1];\n\tif (sa->sadb_sa_auth) {\n\t\tint keysize = 0;\n\t\tstruct xfrm_algo_desc *a = xfrm_aalg_get_byid(sa->sadb_sa_auth);\n\t\tif (!a || !a->pfkey_supported) {\n\t\t\terr = -ENOSYS;\n\t\t\tgoto out;\n\t\t}\n\t\tif (key)\n\t\t\tkeysize = (key->sadb_key_bits + 7) / 8;\n\t\tx->aalg = kmalloc(sizeof(*x->aalg) + keysize, GFP_KERNEL);\n\t\tif (!x->aalg) {\n\t\t\terr = -ENOMEM;\n\t\t\tgoto out;\n\t\t}\n\t\tstrcpy(x->aalg->alg_name, a->name);\n\t\tx->aalg->alg_key_len = 0;\n\t\tif (key) {\n\t\t\tx->aalg->alg_key_len = key->sadb_key_bits;\n\t\t\tmemcpy(x->aalg->alg_key, key+1, keysize);\n\t\t}\n\t\tx->aalg->alg_trunc_len = a->uinfo.auth.icv_truncbits;\n\t\tx->props.aalgo = sa->sadb_sa_auth;\n\t\t/* x->algo.flags = sa->sadb_sa_flags; */\n\t}\n\tif (sa->sadb_sa_encrypt) {\n\t\tif (hdr->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {\n\t\t\tstruct xfrm_algo_desc *a = xfrm_calg_get_byid(sa->sadb_sa_encrypt);\n\t\t\tif (!a || !a->pfkey_supported) {\n\t\t\t\terr = -ENOSYS;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tx->calg = kmalloc(sizeof(*x->calg), GFP_KERNEL);\n\t\t\tif (!x->calg) {\n\t\t\t\terr = -ENOMEM;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tstrcpy(x->calg->alg_name, a->name);\n\t\t\tx->props.calgo = sa->sadb_sa_encrypt;\n\t\t} 
else {\n\t\t\tint keysize = 0;\n\t\t\tstruct xfrm_algo_desc *a = xfrm_ealg_get_byid(sa->sadb_sa_encrypt);\n\t\t\tif (!a || !a->pfkey_supported) {\n\t\t\t\terr = -ENOSYS;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tkey = (struct sadb_key*) ext_hdrs[SADB_EXT_KEY_ENCRYPT-1];\n\t\t\tif (key)\n\t\t\t\tkeysize = (key->sadb_key_bits + 7) / 8;\n\t\t\tx->ealg = kmalloc(sizeof(*x->ealg) + keysize, GFP_KERNEL);\n\t\t\tif (!x->ealg) {\n\t\t\t\terr = -ENOMEM;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tstrcpy(x->ealg->alg_name, a->name);\n\t\t\tx->ealg->alg_key_len = 0;\n\t\t\tif (key) {\n\t\t\t\tx->ealg->alg_key_len = key->sadb_key_bits;\n\t\t\t\tmemcpy(x->ealg->alg_key, key+1, keysize);\n\t\t\t}\n\t\t\tx->props.ealgo = sa->sadb_sa_encrypt;\n\t\t\tx->geniv = a->uinfo.encr.geniv;\n\t\t}\n\t}\n\t/* x->algo.flags = sa->sadb_sa_flags; */\n\n\tx->props.family = pfkey_sadb_addr2xfrm_addr((struct sadb_address *) ext_hdrs[SADB_EXT_ADDRESS_SRC-1],\n\t\t\t\t\t\t &x->props.saddr);\n\tpfkey_sadb_addr2xfrm_addr((struct sadb_address *) ext_hdrs[SADB_EXT_ADDRESS_DST-1],\n\t\t\t\t &x->id.daddr);\n\n\tif (ext_hdrs[SADB_X_EXT_SA2-1]) {\n\t\tconst struct sadb_x_sa2 *sa2 = ext_hdrs[SADB_X_EXT_SA2-1];\n\t\tint mode = pfkey_mode_to_xfrm(sa2->sadb_x_sa2_mode);\n\t\tif (mode < 0) {\n\t\t\terr = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\t\tx->props.mode = mode;\n\t\tx->props.reqid = sa2->sadb_x_sa2_reqid;\n\t}\n\n\tif (ext_hdrs[SADB_EXT_ADDRESS_PROXY-1]) {\n\t\tconst struct sadb_address *addr = ext_hdrs[SADB_EXT_ADDRESS_PROXY-1];\n\n\t\t/* Nobody uses this, but we try. 
*/\n\t\tx->sel.family = pfkey_sadb_addr2xfrm_addr(addr, &x->sel.saddr);\n\t\tx->sel.prefixlen_s = addr->sadb_address_prefixlen;\n\t}\n\n\tif (!x->sel.family)\n\t\tx->sel.family = x->props.family;\n\n\tif (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) {\n\t\tconst struct sadb_x_nat_t_type* n_type;\n\t\tstruct xfrm_encap_tmpl *natt;\n\n\t\tx->encap = kmalloc(sizeof(*x->encap), GFP_KERNEL);\n\t\tif (!x->encap) {\n\t\t\terr = -ENOMEM;\n\t\t\tgoto out;\n\t\t}\n\n\t\tnatt = x->encap;\n\t\tn_type = ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1];\n\t\tnatt->encap_type = n_type->sadb_x_nat_t_type_type;\n\n\t\tif (ext_hdrs[SADB_X_EXT_NAT_T_SPORT-1]) {\n\t\t\tconst struct sadb_x_nat_t_port *n_port =\n\t\t\t\text_hdrs[SADB_X_EXT_NAT_T_SPORT-1];\n\t\t\tnatt->encap_sport = n_port->sadb_x_nat_t_port_port;\n\t\t}\n\t\tif (ext_hdrs[SADB_X_EXT_NAT_T_DPORT-1]) {\n\t\t\tconst struct sadb_x_nat_t_port *n_port =\n\t\t\t\text_hdrs[SADB_X_EXT_NAT_T_DPORT-1];\n\t\t\tnatt->encap_dport = n_port->sadb_x_nat_t_port_port;\n\t\t}\n\t\tmemset(&natt->encap_oa, 0, sizeof(natt->encap_oa));\n\t}\n\n\terr = xfrm_init_state(x);\n\tif (err)\n\t\tgoto out;\n\n\tx->km.seq = hdr->sadb_msg_seq;\n\treturn x;\n\nout:\n\tx->km.state = XFRM_STATE_DEAD;\n\txfrm_state_put(x);\n\treturn ERR_PTR(err);\n}", "project": "linux", "hash": 234014325557070899528084247075399096037, "size": 240, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268083 }, { "func": "static u64 time_to_jiffies(u64 sec, u32 nsec)\n{\n\tif (sec || nsec) {\n\t\tstruct timespec64 ts = {\n\t\t\tsec,\n\t\t\tmin_t(u32, nsec, NSEC_PER_SEC - 1)\n\t\t};\n\n\t\treturn get_jiffies_64() + timespec64_to_jiffies(&ts);\n\t} else\n\t\treturn 0;\n}", "project": "linux", "hash": 67145748064715489480488596153380681013, "size": 12, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341983 }, { "func": "static int setDecompDefaults(struct jpeg_decompress_struct *dinfo,\n\tint pixelFormat, int flags)\n{\n\tint retval=0;\n\n\tswitch(pixelFormat)\n\t{\n\t\tcase TJPF_GRAY:\n\t\t\tdinfo->out_color_space=JCS_GRAYSCALE; break;\n\t\t#if JCS_EXTENSIONS==1\n\t\tcase TJPF_RGB:\n\t\t\tdinfo->out_color_space=JCS_EXT_RGB; break;\n\t\tcase TJPF_BGR:\n\t\t\tdinfo->out_color_space=JCS_EXT_BGR; break;\n\t\tcase TJPF_RGBX:\n\t\t\tdinfo->out_color_space=JCS_EXT_RGBX; break;\n\t\tcase TJPF_BGRX:\n\t\t\tdinfo->out_color_space=JCS_EXT_BGRX; break;\n\t\tcase TJPF_XRGB:\n\t\t\tdinfo->out_color_space=JCS_EXT_XRGB; break;\n\t\tcase TJPF_XBGR:\n\t\t\tdinfo->out_color_space=JCS_EXT_XBGR; break;\n\t\t#if JCS_ALPHA_EXTENSIONS==1\n\t\tcase TJPF_RGBA:\n\t\t\tdinfo->out_color_space=JCS_EXT_RGBA; break;\n\t\tcase TJPF_BGRA:\n\t\t\tdinfo->out_color_space=JCS_EXT_BGRA; break;\n\t\tcase TJPF_ARGB:\n\t\t\tdinfo->out_color_space=JCS_EXT_ARGB; break;\n\t\tcase TJPF_ABGR:\n\t\t\tdinfo->out_color_space=JCS_EXT_ABGR; break;\n\t\t#endif\n\t\t#else\n\t\tcase TJPF_RGB:\n\t\tcase TJPF_BGR:\n\t\tcase TJPF_RGBX:\n\t\tcase TJPF_BGRX:\n\t\tcase TJPF_XRGB:\n\t\tcase TJPF_XBGR:\n\t\tcase TJPF_RGBA:\n\t\tcase TJPF_BGRA:\n\t\tcase TJPF_ARGB:\n\t\tcase TJPF_ABGR:\n\t\t\tdinfo->out_color_space=JCS_RGB; break;\n\t\t#endif\n\t\tcase TJPF_CMYK:\n\t\t\tdinfo->out_color_space=JCS_CMYK; break;\n\t\tdefault:\n\t\t\t_throw(\"Unsupported pixel format\");\n\t}\n\n\tif(flags&TJFLAG_FASTDCT) dinfo->dct_method=JDCT_FASTEST;\n\n\tbailout:\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 104147667515149078383512849459438039778, "size": 56, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": 
"tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311095 }, { "func": "void __stop_tty(struct tty_struct *tty)\n{\n\tif (tty->stopped)\n\t\treturn;\n\ttty->stopped = 1;\n\tif (tty->ops->stop)\n\t\ttty->ops->stop(tty);\n}", "project": "linux", "hash": 165123404079248248376232150277190571210, "size": 8, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326052 }, { "func": "void PCRECache::dump(folly::File& file) {\n switch (m_kind) {\n case CacheKind::Static:\n for (auto& it : *m_staticCache) {\n folly::writeFull(file.fd(), it.first->data(), it.first->size());\n folly::writeFull(file.fd(), \"\\n\", 1);\n }\n break;\n case CacheKind::Lru:\n case CacheKind::Scalable:\n {\n std::vector keys;\n if (m_kind == CacheKind::Lru) {\n m_lruCache->snapshotKeys(keys);\n } else {\n m_scalableCache->snapshotKeys(keys);\n }\n for (auto& key: keys) {\n folly::writeFull(file.fd(), key.data(), key.size());\n folly::writeFull(file.fd(), \"\\n\", 1);\n }\n }\n break;\n }\n}", "project": "hhvm", "hash": 167536739022664395434489192525125609128, "size": 25, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219178 }, { "func": " String& asString() {\n return *reinterpret_cast(this);\n }", "project": "hhvm", "hash": 163241970501384495546025720174465472966, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": 
"other", "idx": 219177 }, { "func": " const String& asString() const {\n return const_cast(this)->asString();\n }", "project": "hhvm", "hash": 172312308268506998792438156147602479262, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219749 }, { "func": "static int huf_unpack_enc_table(GetByteContext *gb,\n int32_t im, int32_t iM, uint64_t *freq)\n{\n GetBitContext gbit;\n int ret = init_get_bits8(&gbit, gb->buffer, bytestream2_get_bytes_left(gb));\n if (ret < 0)\n return ret;\n\n for (; im <= iM; im++) {\n uint64_t l = freq[im] = get_bits(&gbit, 6);\n\n if (l == LONG_ZEROCODE_RUN) {\n int zerun = get_bits(&gbit, 8) + SHORTEST_LONG_RUN;\n\n if (im + zerun > iM + 1)\n return AVERROR_INVALIDDATA;\n\n while (zerun--)\n freq[im++] = 0;\n\n im--;\n } else if (l >= SHORT_ZEROCODE_RUN) {\n int zerun = l - SHORT_ZEROCODE_RUN + 2;\n\n if (im + zerun > iM + 1)\n return AVERROR_INVALIDDATA;\n\n while (zerun--)\n freq[im++] = 0;\n\n im--;\n }\n }\n\n bytestream2_skip(gb, (get_bits_count(&gbit) + 7) / 8);\n huf_canonical_code_table(freq);\n\n return 0;\n}", "project": "FFmpeg", "hash": 131368495107229039074406063779614251319, "size": 39, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262681 }, { "func": "static unsigned find_battery_quirk(struct hid_device *hdev)\n{\n\tunsigned quirks = 0;\n\tconst struct hid_device_id *match;\n\n\tmatch = hid_match_id(hdev, hid_battery_quirks);\n\tif (match != NULL)\n\t\tquirks = match->driver_data;\n\n\treturn quirks;\n}", "project": "linux", "hash": 67560435761805107857795495651730779615, "size": 11, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: 
Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458356 }, { "func": "static int GSubOrder(SplineFont1 *sf,FeatureScriptLangList *fl) {\n struct table_ordering *ord;\n int sofar = 30000, temp;\n\n for ( ord=sf->orders; ord!=NULL && ord->table_tag!=CHR('G','S','U','B');\n\t ord = ord->next );\n for ( ; fl!=NULL; fl=fl->next ) {\n\ttemp = TTFFeatureIndex(fl->featuretag,ord);\n\tif ( tempfontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417783 }, { "func": "static long tty_compat_ioctl(struct file *file, unsigned int cmd,\n\t\t\t\tunsigned long arg)\n{\n\tstruct tty_struct *tty = file_tty(file);\n\tstruct tty_ldisc *ld;\n\tint retval = -ENOIOCTLCMD;\n\n\tswitch (cmd) {\n\tcase TIOCOUTQ:\n\tcase TIOCSTI:\n\tcase TIOCGWINSZ:\n\tcase TIOCSWINSZ:\n\tcase TIOCGEXCL:\n\tcase TIOCGETD:\n\tcase TIOCSETD:\n\tcase TIOCGDEV:\n\tcase TIOCMGET:\n\tcase TIOCMSET:\n\tcase TIOCMBIC:\n\tcase TIOCMBIS:\n\tcase TIOCGICOUNT:\n\tcase TIOCGPGRP:\n\tcase TIOCSPGRP:\n\tcase TIOCGSID:\n\tcase TIOCSERGETLSR:\n\tcase TIOCGRS485:\n\tcase TIOCSRS485:\n#ifdef TIOCGETP\n\tcase TIOCGETP:\n\tcase 
TIOCSETP:\n\tcase TIOCSETN:\n#endif\n#ifdef TIOCGETC\n\tcase TIOCGETC:\n\tcase TIOCSETC:\n#endif\n#ifdef TIOCGLTC\n\tcase TIOCGLTC:\n\tcase TIOCSLTC:\n#endif\n\tcase TCSETSF:\n\tcase TCSETSW:\n\tcase TCSETS:\n\tcase TCGETS:\n#ifdef TCGETS2\n\tcase TCGETS2:\n\tcase TCSETSF2:\n\tcase TCSETSW2:\n\tcase TCSETS2:\n#endif\n\tcase TCGETA:\n\tcase TCSETAF:\n\tcase TCSETAW:\n\tcase TCSETA:\n\tcase TIOCGLCKTRMIOS:\n\tcase TIOCSLCKTRMIOS:\n#ifdef TCGETX\n\tcase TCGETX:\n\tcase TCSETX:\n\tcase TCSETXW:\n\tcase TCSETXF:\n#endif\n\tcase TIOCGSOFTCAR:\n\tcase TIOCSSOFTCAR:\n\n\tcase PPPIOCGCHAN:\n\tcase PPPIOCGUNIT:\n\t\treturn tty_ioctl(file, cmd, (unsigned long)compat_ptr(arg));\n\tcase TIOCCONS:\n\tcase TIOCEXCL:\n\tcase TIOCNXCL:\n\tcase TIOCVHANGUP:\n\tcase TIOCSBRK:\n\tcase TIOCCBRK:\n\tcase TCSBRK:\n\tcase TCSBRKP:\n\tcase TCFLSH:\n\tcase TIOCGPTPEER:\n\tcase TIOCNOTTY:\n\tcase TIOCSCTTY:\n\tcase TCXONC:\n\tcase TIOCMIWAIT:\n\tcase TIOCSERCONFIG:\n\t\treturn tty_ioctl(file, cmd, arg);\n\t}\n\n\tif (tty_paranoia_check(tty, file_inode(file), \"tty_ioctl\"))\n\t\treturn -EINVAL;\n\n\tswitch (cmd) {\n\tcase TIOCSSERIAL:\n\t\treturn compat_tty_tiocsserial(tty, compat_ptr(arg));\n\tcase TIOCGSERIAL:\n\t\treturn compat_tty_tiocgserial(tty, compat_ptr(arg));\n\t}\n\tif (tty->ops->compat_ioctl) {\n\t\tretval = tty->ops->compat_ioctl(tty, cmd, arg);\n\t\tif (retval != -ENOIOCTLCMD)\n\t\t\treturn retval;\n\t}\n\n\tld = tty_ldisc_ref_wait(tty);\n\tif (!ld)\n\t\treturn hung_up_tty_compat_ioctl(file, cmd, arg);\n\tif (ld->ops->compat_ioctl)\n\t\tretval = ld->ops->compat_ioctl(tty, file, cmd, arg);\n\tif (retval == -ENOIOCTLCMD && ld->ops->ioctl)\n\t\tretval = ld->ops->ioctl(tty, file,\n\t\t\t\t(unsigned long)compat_ptr(cmd), arg);\n\ttty_ldisc_deref(ld);\n\n\treturn retval;\n}", "project": "linux", "hash": 219858840913392802329410719146886576356, "size": 113, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of 
->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325955 }, { "func": "static void encode_link(struct xdr_stream *xdr, const struct qstr *name, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_LINK, decode_link_maxsz, hdr);\n\tencode_string(xdr, name->len, name->name);\n}", "project": "linux", "hash": 207468107807858809816909285195297344281, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() 
before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431277 }, { "func": "static void execlists_cancel_requests(struct intel_engine_cs *engine)\n{\n\tstruct intel_engine_execlists * const execlists = &engine->execlists;\n\tstruct i915_request *rq, *rn;\n\tstruct rb_node *rb;\n\tunsigned long flags;\n\n\tGEM_TRACE(\"%s\\n\", engine->name);\n\n\t/*\n\t * Before we call engine->cancel_requests(), we should have exclusive\n\t * access to the submission state. This is arranged for us by the\n\t * caller disabling the interrupt generation, the tasklet and other\n\t * threads that may then access the same state, giving us a free hand\n\t * to reset state. However, we still need to let lockdep be aware that\n\t * we know this state may be accessed in hardirq context, so we\n\t * disable the irq around this manipulation and we want to keep\n\t * the spinlock focused on its duties and not accidentally conflate\n\t * coverage to the submission's irq state. (Similarly, although we\n\t * shouldn't need to disable irq around the manipulation of the\n\t * submission's irq state, we also wish to remind ourselves that\n\t * it is irq state.)\n\t */\n\tspin_lock_irqsave(&engine->active.lock, flags);\n\n\t__execlists_reset(engine, true);\n\n\t/* Mark all executing requests as skipped. */\n\tlist_for_each_entry(rq, &engine->active.requests, sched.link)\n\t\tmark_eio(rq);\n\n\t/* Flush the queued requests to the timeline list (for retiring). 
*/\n\twhile ((rb = rb_first_cached(&execlists->queue))) {\n\t\tstruct i915_priolist *p = to_priolist(rb);\n\t\tint i;\n\n\t\tpriolist_for_each_request_consume(rq, rn, p, i) {\n\t\t\tmark_eio(rq);\n\t\t\t__i915_request_submit(rq);\n\t\t}\n\n\t\trb_erase_cached(&p->node, &execlists->queue);\n\t\ti915_priolist_free(p);\n\t}\n\n\t/* Cancel all attached virtual engines */\n\twhile ((rb = rb_first_cached(&execlists->virtual))) {\n\t\tstruct virtual_engine *ve =\n\t\t\trb_entry(rb, typeof(*ve), nodes[engine->id].rb);\n\n\t\trb_erase_cached(rb, &execlists->virtual);\n\t\tRB_CLEAR_NODE(rb);\n\n\t\tspin_lock(&ve->base.active.lock);\n\t\trq = fetch_and_zero(&ve->request);\n\t\tif (rq) {\n\t\t\tmark_eio(rq);\n\n\t\t\trq->engine = engine;\n\t\t\t__i915_request_submit(rq);\n\t\t\ti915_request_put(rq);\n\n\t\t\tve->base.execlists.queue_priority_hint = INT_MIN;\n\t\t}\n\t\tspin_unlock(&ve->base.active.lock);\n\t}\n\n\t/* Remaining _unready_ requests will be nop'ed when submitted */\n\n\texeclists->queue_priority_hint = INT_MIN;\n\texeclists->queue = RB_ROOT_CACHED;\n\n\tGEM_BUG_ON(__tasklet_is_enabled(&execlists->tasklet));\n\texeclists->tasklet.func = nop_submission_tasklet;\n\n\tspin_unlock_irqrestore(&engine->active.lock, flags);\n}", "project": "linux", "hash": 293188672394436489090091577608529028094, "size": 77, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281554 }, { "func": "int tty_send_xchar(struct tty_struct *tty, char ch)\n{\n\tint\twas_stopped = tty->stopped;\n\n\tif (tty->ops->send_xchar) {\n\t\tdown_read(&tty->termios_rwsem);\n\t\ttty->ops->send_xchar(tty, ch);\n\t\tup_read(&tty->termios_rwsem);\n\t\treturn 0;\n\t}\n\n\tif (tty_write_lock(tty, 0) < 0)\n\t\treturn -ERESTARTSYS;\n\n\tdown_read(&tty->termios_rwsem);\n\tif (was_stopped)\n\t\tstart_tty(tty);\n\ttty->ops->write(tty, &ch, 1);\n\tif (was_stopped)\n\t\tstop_tty(tty);\n\tup_read(&tty->termios_rwsem);\n\ttty_write_unlock(tty);\n\treturn 0;\n}", "project": "linux", "hash": 338123997720171559825454702742717117825, "size": 24, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326061 }, { "func": "string_sprintf(char *format, ...)\n{\nva_list ap;\nuschar buffer[STRING_SPRINTF_BUFFER_SIZE];\nva_start(ap, format);\nif (!string_vformat(buffer, sizeof(buffer), format, ap))\n log_write(0, LOG_MAIN|LOG_PANIC_DIE,\n \"string_sprintf expansion was longer than %d\", sizeof(buffer));\nva_end(ap);\nreturn string_copy(buffer);\n}", "project": "exim", "hash": 3490545976954254243963454060932429812, "size": 11, "commit_id": "24c929a27415c7cfc7126c47e4cad39acf3efa6b", "message": "Buffer overrun fix. 
fixes: bug #787", "target": 0, "dataset": "other", "idx": 301233 }, { "func": "static int fuse_writepages_fill(struct page *page,\n\t\tstruct writeback_control *wbc, void *_data)\n{\n\tstruct fuse_fill_wb_data *data = _data;\n\tstruct fuse_writepage_args *wpa = data->wpa;\n\tstruct fuse_args_pages *ap = &wpa->ia.ap;\n\tstruct inode *inode = data->inode;\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tstruct page *tmp_page;\n\tint err;\n\n\tif (!data->ff) {\n\t\terr = -EIO;\n\t\tdata->ff = fuse_write_file_get(fc, fi);\n\t\tif (!data->ff)\n\t\t\tgoto out_unlock;\n\t}\n\n\tif (wpa && fuse_writepage_need_send(fc, page, ap, data)) {\n\t\tfuse_writepages_send(data);\n\t\tdata->wpa = NULL;\n\t}\n\n\terr = -ENOMEM;\n\ttmp_page = alloc_page(GFP_NOFS | __GFP_HIGHMEM);\n\tif (!tmp_page)\n\t\tgoto out_unlock;\n\n\t/*\n\t * The page must not be redirtied until the writeout is completed\n\t * (i.e. userspace has sent a reply to the write request). Otherwise\n\t * there could be more than one temporary page instance for each real\n\t * page.\n\t *\n\t * This is ensured by holding the page lock in page_mkwrite() while\n\t * checking fuse_page_is_writeback(). 
We already hold the page lock\n\t * since clear_page_dirty_for_io() and keep it held until we add the\n\t * request to the fi->writepages list and increment ap->num_pages.\n\t * After this fuse_page_is_writeback() will indicate that the page is\n\t * under writeback, so we can release the page lock.\n\t */\n\tif (data->wpa == NULL) {\n\t\terr = -ENOMEM;\n\t\twpa = fuse_writepage_args_alloc();\n\t\tif (!wpa) {\n\t\t\t__free_page(tmp_page);\n\t\t\tgoto out_unlock;\n\t\t}\n\t\tdata->max_pages = 1;\n\n\t\tap = &wpa->ia.ap;\n\t\tfuse_write_args_fill(&wpa->ia, data->ff, page_offset(page), 0);\n\t\twpa->ia.write.in.write_flags |= FUSE_WRITE_CACHE;\n\t\twpa->next = NULL;\n\t\tap->args.in_pages = true;\n\t\tap->args.end = fuse_writepage_end;\n\t\tap->num_pages = 0;\n\t\twpa->inode = inode;\n\t}\n\tset_page_writeback(page);\n\n\tcopy_highpage(tmp_page, page);\n\tap->pages[ap->num_pages] = tmp_page;\n\tap->descs[ap->num_pages].offset = 0;\n\tap->descs[ap->num_pages].length = PAGE_SIZE;\n\tdata->orig_pages[ap->num_pages] = page;\n\n\tinc_wb_stat(&inode_to_bdi(inode)->wb, WB_WRITEBACK);\n\tinc_node_page_state(tmp_page, NR_WRITEBACK_TEMP);\n\n\terr = 0;\n\tif (data->wpa) {\n\t\t/*\n\t\t * Protected by fi->lock against concurrent access by\n\t\t * fuse_page_is_writeback().\n\t\t */\n\t\tspin_lock(&fi->lock);\n\t\tap->num_pages++;\n\t\tspin_unlock(&fi->lock);\n\t} else if (fuse_writepage_add(wpa, page)) {\n\t\tdata->wpa = wpa;\n\t} else {\n\t\tend_page_writeback(page);\n\t}\nout_unlock:\n\tunlock_page(page);\n\n\treturn err;\n}", "project": "linux", "hash": 275079379474245772814713287262229009360, "size": 90, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341940 }, { "func": "LUA_API void lua_close (lua_State *L) {\n lua_lock(L);\n L = G(L)->mainthread; /* only the main thread can be closed */\n close_state(L);\n}", "project": "lua", "hash": 23626588948256951994244395525447503773, "size": 5, "commit_id": "a2195644d89812e5b157ce7bac35543e06db05e3", "message": "Fixed bug: invalid 'oldpc' when returning to a function\n\nThe field 'L->oldpc' is not always updated when control returns to a\nfunction; an invalid value can seg. fault when computing 'changedline'.\n(One example is an error in a finalizer; control can return to\n'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to\nfix all possible corner cases, it seems safer to be resilient to invalid\nvalues for 'oldpc'. 
Valid but wrong values at most cause an extra call\nto a line hook.", "target": 0, "dataset": "other", "idx": 462767 }, { "func": "uchar Utf8::ValueOf(const byte* bytes, unsigned length, unsigned* cursor) {\n if (length <= 0) return kBadChar;\n byte first = bytes[0];\n // Characters between 0000 and 0007F are encoded as a single character\n if (first <= kMaxOneByteChar) {\n *cursor += 1;\n return first;\n }\n return CalculateValue(bytes, length, cursor);\n}", "project": "node", "hash": 65186874853431292138769405944889355648, "size": 10, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385631 }, { "func": "void fuse_conn_put(struct fuse_conn *fc)\n{\n\tif (refcount_dec_and_test(&fc->count)) {\n\t\tstruct fuse_iqueue *fiq = &fc->iq;\n\n\t\tif (IS_ENABLED(CONFIG_FUSE_DAX))\n\t\t\tfuse_dax_conn_free(fc);\n\t\tif (fiq->ops->release)\n\t\t\tfiq->ops->release(fiq);\n\t\tput_pid_ns(fc->pid_ns);\n\t\tput_user_ns(fc->user_ns);\n\t\tfc->release(fc);\n\t}\n}", "project": "linux", "hash": 281884520960520143290007587504333284076, "size": 14, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341984 }, { "func": "int hci_abort_conn(struct hci_conn *conn, u8 reason)\n{\n\tstruct hci_request req;\n\tint err;\n\n\thci_req_init(&req, conn->hdev);\n\n\t__hci_abort_conn(&req, conn, reason);\n\n\terr = hci_req_run(&req, abort_conn_complete);\n\tif (err && err != -ENODATA) {\n\t\tbt_dev_err(conn->hdev, \"failed to run HCI request: err %d\", err);\n\t\treturn err;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 118762057157499938689164069447593923686, "size": 17, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402476 }, { "func": "std::function)>* KernelAndDevice::get_runner()\n const {\n if (runner_) {\n return runner_;\n } else {\n static auto* default_runner =\n new std::function)>(\n [](const std::function& f) { f(); });\n return default_runner;\n }\n}", "project": "tensorflow", "hash": 55546901054031806234665415551293755459, "size": 11, "commit_id": "da8558533d925694483d2c136a9220d6d49d843c", "message": "Fix undefined behavior in `tf.raw_ops.Switch` in eager mode.\n\nPiperOrigin-RevId: 332578058\nChange-Id: I9727571d2f21476b10d8aa27c1b7176564b76ac9", "target": 0, "dataset": "other", "idx": 270147 }, { "func": "UnicodeString::releaseBuffer(int32_t newLength) {\n if(fUnion.fFields.fLengthAndFlags&kOpenGetBuffer && newLength>=-1) {\n // set the new fLength\n int32_t capacity=getCapacity();\n if(newLength==-1) {\n // the new length is the string length, capped by fCapacity\n const UChar *array=getArrayStart(), *p=array, *limit=array+capacity;\n while(pcapacity) {\n newLength=capacity;\n }\n setLength(newLength);\n fUnion.fFields.fLengthAndFlags&=~kOpenGetBuffer;\n }\n}", "project": "icu", "hash": 151759919707425379495011490496259787157, "size": 18, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430813 }, { "func": "static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,\n\t\t\t struct nfs_fsinfo *info)\n{\n\tint error;\n\tstruct nfs_fattr *fattr = info->fattr;\n\tstruct nfs4_label *label = fattr->label;\n\n\terror = nfs4_server_capabilities(server, mntfh);\n\tif (error < 0) {\n\t\tdprintk(\"nfs4_get_root: getcaps error = %d\\n\", -error);\n\t\treturn error;\n\t}\n\n\terror = 
nfs4_proc_getattr(server, mntfh, fattr, label, NULL);\n\tif (error < 0) {\n\t\tdprintk(\"nfs4_get_root: getattr error = %d\\n\", -error);\n\t\tgoto out;\n\t}\n\n\tif (fattr->valid & NFS_ATTR_FATTR_FSID &&\n\t !nfs_fsid_equal(&server->fsid, &fattr->fsid))\n\t\tmemcpy(&server->fsid, &fattr->fsid, sizeof(server->fsid));\n\nout:\n\treturn error;\n}", "project": "linux", "hash": 132395343793845863199878083211350287953, "size": 26, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431237 }, { "func": "\tPong(const std::string& cookie, const std::string& server = \"\")\n\t\t: ClientProtocol::Message(\"PONG\", ServerInstance->Config->GetServerName())\n\t{\n\t\tPushParamRef(ServerInstance->Config->GetServerName());\n\t\tif (!server.empty())\n\t\t\tPushParamRef(server);\n\t\tPushParamRef(cookie);\n\t}", "project": "inspircd", "hash": 261166146508544882843094418005234060063, "size": 8, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 1, "dataset": "other", "idx": 198370 }, { "func": "\tTopic(User* source, const Channel* chan, const std::string& newtopic)\n\t\t: ClientProtocol::Message(\"TOPIC\", source)\n\t{\n\t\tPushParamRef(chan->name);\n\t\tPushParamRef(newtopic);\n\t}", "project": "inspircd", "hash": 208704326500446920862172969851130927060, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273213 }, { "func": "\tInvite(User* source, User* target, 
Channel* chan)\n\t\t: ClientProtocol::Message(\"INVITE\", source)\n\t{\n\t\tPushParamRef(target->nick);\n\t\tPushParamRef(chan->name);\n\t}", "project": "inspircd", "hash": 245257461814393381992839412991555323514, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273231 }, { "func": "\tNick(User* source, const std::string& newnick)\n\t\t: ClientProtocol::Message(\"NICK\", source)\n\t{\n\t\tPushParamRef(newnick);\n\t}", "project": "inspircd", "hash": 201601426895679107573935283862624238766, "size": 5, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273239 }, { "func": "\tPart(Membership* memb, const std::string& reason)\n\t\t: ClientProtocol::Message(\"PART\", memb->user)\n\t{\n\t\tPushParamRef(memb->chan->name);\n\t\tif (!reason.empty())\n\t\t\tPushParamRef(reason);\n\t}", "project": "inspircd", "hash": 111781907237692621271719281270079966931, "size": 7, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273240 }, { "func": "\tPing()\n\t\t: ClientProtocol::Message(\"PING\")\n\t{\n\t\tPushParamRef(ServerInstance->Config->GetServerName());\n\t}", "project": "inspircd", "hash": 135583109415776300616476814804666144732, "size": 5, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273245 }, { "func": "\tNumeric(const ::Numeric::Numeric& num, const std::string& target)\n\t\t: ClientProtocol::Message(NULL, (num.GetServer() ? 
num.GetServer() : ServerInstance->FakeClient->server)->GetName())\n\t{\n\t\tPushParamRef(target);\n\t\tInitFromNumeric(num);\n\t}", "project": "inspircd", "hash": 79088325446545733361232799923876478432, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273256 }, { "func": "\tPing(const std::string& cookie)\n\t\t: ClientProtocol::Message(\"PING\")\n\t{\n\t\tPushParamRef(cookie);\n\t}", "project": "inspircd", "hash": 221713721810606793185819479552424033829, "size": 5, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273257 }, { "func": "\tKick(User* source, Membership* memb, const std::string& reason)\n\t\t: ClientProtocol::Message(\"KICK\", source)\n\t{\n\t\tPushParamRef(memb->chan->name);\n\t\tPushParamRef(memb->user->nick);\n\t\tPushParamRef(reason);\n\t}", "project": "inspircd", "hash": 336445299574069061537838073447971576629, "size": 7, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273267 }, { "func": "static int do_uncompress_block(struct archive_read* a, const uint8_t* p) {\n\tstruct rar5* rar = get_context(a);\n\tuint16_t num;\n\tint ret;\n\n\tconst uint64_t cmask = rar->cstate.window_mask;\n\tconst struct compressed_block_header* hdr = &rar->last_block_hdr;\n\tconst uint8_t bit_size = 1 + bf_bit_size(hdr);\n\n\twhile(1) {\n\t\tif(rar->cstate.write_ptr - rar->cstate.last_write_ptr >\n\t\t (rar->cstate.window_size >> 1)) {\n\t\t\t/* Don't allow growing data by more than half of the\n\t\t\t * window size at a time. In such case, break the loop;\n\t\t\t * next call to this function will continue processing\n\t\t\t * from this moment. 
*/\n\t\t\tbreak;\n\t\t}\n\n\t\tif(rar->bits.in_addr > rar->cstate.cur_block_size - 1 ||\n\t\t (rar->bits.in_addr == rar->cstate.cur_block_size - 1 &&\n\t\t rar->bits.bit_addr >= bit_size))\n\t\t{\n\t\t\t/* If the program counter is here, it means the\n\t\t\t * function has finished processing the block. */\n\t\t\trar->cstate.block_parsing_finished = 1;\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Decode the next literal. */\n\t\tif(ARCHIVE_OK != decode_number(a, &rar->cstate.ld, p, &num)) {\n\t\t\treturn ARCHIVE_EOF;\n\t\t}\n\n\t\t/* Num holds a decompression literal, or 'command code'.\n\t\t *\n\t\t * - Values lower than 256 are just bytes. Those codes\n\t\t * can be stored in the output buffer directly.\n\t\t *\n\t\t * - Code 256 defines a new filter, which is later used to\n\t\t * ransform the data block accordingly to the filter type.\n\t\t * The data block needs to be fully uncompressed first.\n\t\t *\n\t\t * - Code bigger than 257 and smaller than 262 define\n\t\t * a repetition pattern that should be copied from\n\t\t * an already uncompressed chunk of data.\n\t\t */\n\n\t\tif(num < 256) {\n\t\t\t/* Directly store the byte. 
*/\n\t\t\tint64_t write_idx = rar->cstate.solid_offset +\n\t\t\t rar->cstate.write_ptr++;\n\n\t\t\trar->cstate.window_buf[write_idx & cmask] =\n\t\t\t (uint8_t) num;\n\t\t\tcontinue;\n\t\t} else if(num >= 262) {\n\t\t\tuint16_t dist_slot;\n\t\t\tint len = decode_code_length(rar, p, num - 262),\n\t\t\t\tdbits,\n\t\t\t\tdist = 1;\n\n\t\t\tif(len == -1) {\n\t\t\t\tarchive_set_error(&a->archive,\n\t\t\t\t ARCHIVE_ERRNO_PROGRAMMER,\n\t\t\t\t \"Failed to decode the code length\");\n\n\t\t\t\treturn ARCHIVE_FATAL;\n\t\t\t}\n\n\t\t\tif(ARCHIVE_OK != decode_number(a, &rar->cstate.dd, p,\n\t\t\t &dist_slot))\n\t\t\t{\n\t\t\t\tarchive_set_error(&a->archive,\n\t\t\t\t ARCHIVE_ERRNO_PROGRAMMER,\n\t\t\t\t \"Failed to decode the distance slot\");\n\n\t\t\t\treturn ARCHIVE_FATAL;\n\t\t\t}\n\n\t\t\tif(dist_slot < 4) {\n\t\t\t\tdbits = 0;\n\t\t\t\tdist += dist_slot;\n\t\t\t} else {\n\t\t\t\tdbits = dist_slot / 2 - 1;\n\n\t\t\t\t/* Cast to uint32_t will make sure the shift\n\t\t\t\t * left operation won't produce undefined\n\t\t\t\t * result. Then, the uint32_t type will\n\t\t\t\t * be implicitly casted to int. */\n\t\t\t\tdist += (uint32_t) (2 |\n\t\t\t\t (dist_slot & 1)) << dbits;\n\t\t\t}\n\n\t\t\tif(dbits > 0) {\n\t\t\t\tif(dbits >= 4) {\n\t\t\t\t\tuint32_t add = 0;\n\t\t\t\t\tuint16_t low_dist;\n\n\t\t\t\t\tif(dbits > 4) {\n\t\t\t\t\t\tif(ARCHIVE_OK != read_bits_32(\n\t\t\t\t\t\t rar, p, &add)) {\n\t\t\t\t\t\t\t/* Return EOF if we\n\t\t\t\t\t\t\t * can't read more\n\t\t\t\t\t\t\t * data. 
*/\n\t\t\t\t\t\t\treturn ARCHIVE_EOF;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tskip_bits(rar, dbits - 4);\n\t\t\t\t\t\tadd = (add >> (\n\t\t\t\t\t\t 36 - dbits)) << 4;\n\t\t\t\t\t\tdist += add;\n\t\t\t\t\t}\n\n\t\t\t\t\tif(ARCHIVE_OK != decode_number(a,\n\t\t\t\t\t &rar->cstate.ldd, p, &low_dist))\n\t\t\t\t\t{\n\t\t\t\t\t\tarchive_set_error(&a->archive,\n\t\t\t\t\t\t ARCHIVE_ERRNO_PROGRAMMER,\n\t\t\t\t\t\t \"Failed to decode the \"\n\t\t\t\t\t\t \"distance slot\");\n\n\t\t\t\t\t\treturn ARCHIVE_FATAL;\n\t\t\t\t\t}\n\n\t\t\t\t\tif(dist >= INT_MAX - low_dist - 1) {\n\t\t\t\t\t\t/* This only happens in\n\t\t\t\t\t\t * invalid archives. */\n\t\t\t\t\t\tarchive_set_error(&a->archive,\n\t\t\t\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t\t\t\t \"Distance pointer \"\n\t\t\t\t\t\t \"overflow\");\n\t\t\t\t\t\treturn ARCHIVE_FATAL;\n\t\t\t\t\t}\n\n\t\t\t\t\tdist += low_dist;\n\t\t\t\t} else {\n\t\t\t\t\t/* dbits is one of [0,1,2,3] */\n\t\t\t\t\tint add;\n\n\t\t\t\t\tif(ARCHIVE_OK != read_consume_bits(rar,\n\t\t\t\t\t p, dbits, &add)) {\n\t\t\t\t\t\t/* Return EOF if we can't read\n\t\t\t\t\t\t * more data. */\n\t\t\t\t\t\treturn ARCHIVE_EOF;\n\t\t\t\t\t}\n\n\t\t\t\t\tdist += add;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif(dist > 0x100) {\n\t\t\t\tlen++;\n\n\t\t\t\tif(dist > 0x2000) {\n\t\t\t\t\tlen++;\n\n\t\t\t\t\tif(dist > 0x40000) {\n\t\t\t\t\t\tlen++;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tdist_cache_push(rar, dist);\n\t\t\trar->cstate.last_len = len;\n\n\t\t\tif(ARCHIVE_OK != copy_string(a, len, dist))\n\t\t\t\treturn ARCHIVE_FATAL;\n\n\t\t\tcontinue;\n\t\t} else if(num == 256) {\n\t\t\t/* Create a filter. 
*/\n\t\t\tret = parse_filter(a, p);\n\t\t\tif(ret != ARCHIVE_OK)\n\t\t\t\treturn ret;\n\n\t\t\tcontinue;\n\t\t} else if(num == 257) {\n\t\t\tif(rar->cstate.last_len != 0) {\n\t\t\t\tif(ARCHIVE_OK != copy_string(a,\n\t\t\t\t rar->cstate.last_len,\n\t\t\t\t rar->cstate.dist_cache[0]))\n\t\t\t\t{\n\t\t\t\t\treturn ARCHIVE_FATAL;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tcontinue;\n\t\t} else {\n\t\t\t/* num < 262 */\n\t\t\tconst int idx = num - 258;\n\t\t\tconst int dist = dist_cache_touch(rar, idx);\n\n\t\t\tuint16_t len_slot;\n\t\t\tint len;\n\n\t\t\tif(ARCHIVE_OK != decode_number(a, &rar->cstate.rd, p,\n\t\t\t &len_slot)) {\n\t\t\t\treturn ARCHIVE_FATAL;\n\t\t\t}\n\n\t\t\tlen = decode_code_length(rar, p, len_slot);\n\t\t\trar->cstate.last_len = len;\n\n\t\t\tif(ARCHIVE_OK != copy_string(a, len, dist))\n\t\t\t\treturn ARCHIVE_FATAL;\n\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* The program counter shouldn't reach here. */\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Unsupported block code: 0x%x\", num);\n\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 97470012693427052171968561629891244327, "size": 219, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244802 }, { "func": "static uint reset_nj_counters(JOIN *join, List *join_list)\n{\n List_iterator li(*join_list);\n TABLE_LIST *table;\n DBUG_ENTER(\"reset_nj_counters\");\n uint n=0;\n while ((table= li++))\n {\n NESTED_JOIN *nested_join;\n bool is_eliminated_nest= FALSE;\n if ((nested_join= table->nested_join))\n {\n nested_join->counter= 0;\n nested_join->n_tables= reset_nj_counters(join, &nested_join->join_list);\n if (!nested_join->n_tables)\n is_eliminated_nest= TRUE;\n }\n const table_map removed_tables= join->eliminated_tables |\n join->const_table_map;\n\n if ((table->nested_join && !is_eliminated_nest) ||\n (!table->nested_join && (table->table->map & ~removed_tables)))\n n++;\n }\n DBUG_RETURN(n);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 338677914198808918337841071759456439026, "size": 26, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508715 }, { "func": "apr_status_t h2_stream_flush_input(h2_stream *stream)\n{\n apr_status_t status = APR_SUCCESS;\n \n if (stream->in_buffer && !APR_BRIGADE_EMPTY(stream->in_buffer)) {\n setup_input(stream);\n status = h2_beam_send(stream->input, stream->in_buffer, APR_BLOCK_READ);\n stream->in_last_write = apr_time_now();\n }\n if (stream->input_eof \n && stream->input && !h2_beam_is_closed(stream->input)) {\n status = h2_beam_close(stream->input);\n }\n return status;\n}", "project": "httpd", "hash": 181423409533905731036651207776802343197, "size": 15, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284249 }, { "func": "int input_register_handle(struct input_handle *handle)\n{\n\tstruct input_handler *handler = handle->handler;\n\tstruct input_dev *dev = handle->dev;\n\tint error;\n\n\t/*\n\t * We take dev->mutex here to prevent race with\n\t * input_release_device().\n\t */\n\terror = mutex_lock_interruptible(&dev->mutex);\n\tif (error)\n\t\treturn error;\n\n\t/*\n\t * Filters go to the head of the list, normal handlers\n\t * to the tail.\n\t */\n\tif (handler->filter)\n\t\tlist_add_rcu(&handle->d_node, &dev->h_list);\n\telse\n\t\tlist_add_tail_rcu(&handle->d_node, 
&dev->h_list);\n\n\tmutex_unlock(&dev->mutex);\n\n\t/*\n\t * Since we are supposed to be called from ->connect()\n\t * which is mutually exclusive with ->disconnect()\n\t * we can't be racing with input_unregister_handle()\n\t * and so separate lock is not needed here.\n\t */\n\tlist_add_tail_rcu(&handle->h_node, &handler->h_list);\n\n\tif (handler->start)\n\t\thandler->start(handle);\n\n\treturn 0;\n}", "project": "linux", "hash": 205741539845119905025165823841254233709, "size": 38, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353329 }, { "func": "\nstatic void bfq_update_hw_tag(struct bfq_data *bfqd)\n{\n\tstruct bfq_queue *bfqq = bfqd->in_service_queue;\n\n\tbfqd->max_rq_in_driver = max_t(int, bfqd->max_rq_in_driver,\n\t\t\t\t bfqd->rq_in_driver);\n\n\tif (bfqd->hw_tag == 1)\n\t\treturn;\n\n\t/*\n\t * This sample is valid if the number of outstanding requests\n\t * is large enough to allow a queueing behavior. Note that the\n\t * sum is not exact, as it's not taking into account deactivated\n\t * requests.\n\t */\n\tif (bfqd->rq_in_driver + bfqd->queued <= BFQ_HW_QUEUE_THRESHOLD)\n\t\treturn;\n\n\t/*\n\t * If active queue hasn't enough requests and can idle, bfq might not\n\t * dispatch sufficient requests to hardware. 
Don't zero hw_tag in this\n\t * case\n\t */\n\tif (bfqq && bfq_bfqq_has_short_ttime(bfqq) &&\n\t bfqq->dispatched + bfqq->queued[0] + bfqq->queued[1] <\n\t BFQ_HW_QUEUE_THRESHOLD &&\n\t bfqd->rq_in_driver < BFQ_HW_QUEUE_THRESHOLD)\n\t\treturn;\n\n\tif (bfqd->hw_tag_samples++ < BFQ_HW_QUEUE_SAMPLES)\n\t\treturn;\n\n\tbfqd->hw_tag = bfqd->max_rq_in_driver > BFQ_HW_QUEUE_THRESHOLD;\n\tbfqd->max_rq_in_driver = 0;\n\tbfqd->hw_tag_samples = 0;\n\n\tbfqd->nonrot_with_queueing =\n\t\tblk_queue_nonrot(bfqd->queue) && bfqd->hw_tag;", "project": "linux", "hash": 203466810760532714660748653376578822204, "size": 40, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453408 }, { "func": "static int read_bits_16(struct rar5* rar, const uint8_t* p, uint16_t* value) {\n\tint bits = (int) ((uint32_t) p[rar->bits.in_addr]) << 16;\n\tbits |= (int) p[rar->bits.in_addr + 1] << 8;\n\tbits |= (int) p[rar->bits.in_addr + 2];\n\tbits >>= (8 - rar->bits.bit_addr);\n\t*value = bits & 0xffff;\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 238533148380652894709349061375099899749, "size": 8, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244693 }, { "func": "static int set_sadb_kmaddress(struct sk_buff *skb, const struct xfrm_kmaddress *k)\n{\n\tstruct sadb_x_kmaddress *kma;\n\tu8 *sa;\n\tint family = k->family;\n\tint socklen = pfkey_sockaddr_len(family);\n\tint size_req;\n\n\tsize_req = (sizeof(struct sadb_x_kmaddress) +\n\t\t pfkey_sockaddr_pair_size(family));\n\n\tkma = skb_put_zero(skb, size_req);\n\tkma->sadb_x_kmaddress_len = size_req / 8;\n\tkma->sadb_x_kmaddress_exttype = SADB_X_EXT_KMADDRESS;\n\tkma->sadb_x_kmaddress_reserved = k->reserved;\n\n\tsa = (u8 *)(kma + 1);\n\tif (!pfkey_sockaddr_fill(&k->local, 0, (struct sockaddr *)sa, family) ||\n\t !pfkey_sockaddr_fill(&k->remote, 0, (struct sockaddr *)(sa+socklen), family))\n\t\treturn -EINVAL;\n\n\treturn 0;\n}", "project": "linux", "hash": 56746547998073760948392211727987950724, "size": 23, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268097 }, { "func": "static void init_kmem_cache_cpus(struct kmem_cache *s)\n{\n\tint cpu;\n\n\tfor_each_possible_cpu(cpu)\n\t\tper_cpu_ptr(s->cpu_slab, cpu)->tid = init_tid(cpu);\n}", "project": "linux", "hash": 301694830943293630727707257597382132258, "size": 7, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280270 }, { "func": "SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)\n{\n\tchar *res = NULL, *var, *val, *separator = NULL;\n\tconst char *c_var;\n\tzval array;\n\tint free_buffer = 0;\n\tchar *strtok_buf = NULL;\n\tzend_long count = 0;\n\n\tZVAL_UNDEF(&array);\n\tswitch (arg) {\n\t\tcase PARSE_POST:\n\t\tcase PARSE_GET:\n\t\tcase PARSE_COOKIE:\n\t\t\tarray_init(&array);\n\t\t\tswitch (arg) {\n\t\t\t\tcase PARSE_POST:\n\t\t\t\t\tzval_ptr_dtor(&PG(http_globals)[TRACK_VARS_POST]);\n\t\t\t\t\tZVAL_COPY_VALUE(&PG(http_globals)[TRACK_VARS_POST], &array);\n\t\t\t\t\tbreak;\n\t\t\t\tcase 
PARSE_GET:\n\t\t\t\t\tzval_ptr_dtor(&PG(http_globals)[TRACK_VARS_GET]);\n\t\t\t\t\tZVAL_COPY_VALUE(&PG(http_globals)[TRACK_VARS_GET], &array);\n\t\t\t\t\tbreak;\n\t\t\t\tcase PARSE_COOKIE:\n\t\t\t\t\tzval_ptr_dtor(&PG(http_globals)[TRACK_VARS_COOKIE]);\n\t\t\t\t\tZVAL_COPY_VALUE(&PG(http_globals)[TRACK_VARS_COOKIE], &array);\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tZVAL_COPY_VALUE(&array, destArray);\n\t\t\tbreak;\n\t}\n\n\tif (arg == PARSE_POST) {\n\t\tsapi_handle_post(&array);\n\t\treturn;\n\t}\n\n\tif (arg == PARSE_GET) {\t\t/* GET data */\n\t\tc_var = SG(request_info).query_string;\n\t\tif (c_var && *c_var) {\n\t\t\tres = (char *) estrdup(c_var);\n\t\t\tfree_buffer = 1;\n\t\t} else {\n\t\t\tfree_buffer = 0;\n\t\t}\n\t} else if (arg == PARSE_COOKIE) {\t\t/* Cookie data */\n\t\tc_var = SG(request_info).cookie_data;\n\t\tif (c_var && *c_var) {\n\t\t\tres = (char *) estrdup(c_var);\n\t\t\tfree_buffer = 1;\n\t\t} else {\n\t\t\tfree_buffer = 0;\n\t\t}\n\t} else if (arg == PARSE_STRING) {\t\t/* String data */\n\t\tres = str;\n\t\tfree_buffer = 1;\n\t}\n\n\tif (!res) {\n\t\treturn;\n\t}\n\n\tswitch (arg) {\n\t\tcase PARSE_GET:\n\t\tcase PARSE_STRING:\n\t\t\tseparator = PG(arg_separator).input;\n\t\t\tbreak;\n\t\tcase PARSE_COOKIE:\n\t\t\tseparator = \";\\0\";\n\t\t\tbreak;\n\t}\n\n\tvar = php_strtok_r(res, separator, &strtok_buf);\n\n\twhile (var) {\n\t\tval = strchr(var, '=');\n\n\t\tif (arg == PARSE_COOKIE) {\n\t\t\t/* Remove leading spaces from cookie names, needed for multi-cookie header where ; can be followed by a space */\n\t\t\twhile (isspace(*var)) {\n\t\t\t\tvar++;\n\t\t\t}\n\t\t\tif (var == val || *var == '\\0') {\n\t\t\t\tgoto next_cookie;\n\t\t\t}\n\t\t}\n\n\t\tif (++count > PG(max_input_vars)) {\n\t\t\tphp_error_docref(NULL, E_WARNING, \"Input variables exceeded \" ZEND_LONG_FMT \". 
To increase the limit change max_input_vars in php.ini.\", PG(max_input_vars));\n\t\t\tbreak;\n\t\t}\n\n\t\tif (val) { /* have a value */\n\t\t\tsize_t val_len;\n\t\t\tsize_t new_val_len;\n\n\t\t\t*val++ = '\\0';\n\t\t\tphp_url_decode(var, strlen(var));\n\t\t\tval_len = php_url_decode(val, strlen(val));\n\t\t\tval = estrndup(val, val_len);\n\t\t\tif (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {\n\t\t\t\tphp_register_variable_safe(var, val, new_val_len, &array);\n\t\t\t}\n\t\t\tefree(val);\n\t\t} else {\n\t\t\tsize_t val_len;\n\t\t\tsize_t new_val_len;\n\n\t\t\tphp_url_decode(var, strlen(var));\n\t\t\tval_len = 0;\n\t\t\tval = estrndup(\"\", val_len);\n\t\t\tif (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {\n\t\t\t\tphp_register_variable_safe(var, val, new_val_len, &array);\n\t\t\t}\n\t\t\tefree(val);\n\t\t}\nnext_cookie:\n\t\tvar = php_strtok_r(NULL, separator, &strtok_buf);\n\t}\n\n\tif (free_buffer) {\n\t\tefree(res);\n\t}\n}", "project": "php-src", "hash": 129611870495713562053024480121638591020, "size": 127, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 1, "dataset": "other", "idx": 205909 }, { "func": "SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)\n{\n\tchar *res = NULL, *var, *val, *separator = NULL;\n\tconst char *c_var;\n\tzval array;\n\tint free_buffer = 0;\n\tchar *strtok_buf = NULL;\n\tzend_long count = 0;\n\n\tZVAL_UNDEF(&array);\n\tswitch (arg) {\n\t\tcase PARSE_POST:\n\t\tcase PARSE_GET:\n\t\tcase PARSE_COOKIE:\n\t\t\tarray_init(&array);\n\t\t\tswitch (arg) {\n\t\t\t\tcase PARSE_POST:\n\t\t\t\t\tzval_ptr_dtor(&PG(http_globals)[TRACK_VARS_POST]);\n\t\t\t\t\tZVAL_COPY_VALUE(&PG(http_globals)[TRACK_VARS_POST], &array);\n\t\t\t\t\tbreak;\n\t\t\t\tcase PARSE_GET:\n\t\t\t\t\tzval_ptr_dtor(&PG(http_globals)[TRACK_VARS_GET]);\n\t\t\t\t\tZVAL_COPY_VALUE(&PG(http_globals)[TRACK_VARS_GET], &array);\n\t\t\t\t\tbreak;\n\t\t\t\tcase 
PARSE_COOKIE:\n\t\t\t\t\tzval_ptr_dtor(&PG(http_globals)[TRACK_VARS_COOKIE]);\n\t\t\t\t\tZVAL_COPY_VALUE(&PG(http_globals)[TRACK_VARS_COOKIE], &array);\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tZVAL_COPY_VALUE(&array, destArray);\n\t\t\tbreak;\n\t}\n\n\tif (arg == PARSE_POST) {\n\t\tsapi_handle_post(&array);\n\t\treturn;\n\t}\n\n\tif (arg == PARSE_GET) {\t\t/* GET data */\n\t\tc_var = SG(request_info).query_string;\n\t\tif (c_var && *c_var) {\n\t\t\tres = (char *) estrdup(c_var);\n\t\t\tfree_buffer = 1;\n\t\t} else {\n\t\t\tfree_buffer = 0;\n\t\t}\n\t} else if (arg == PARSE_COOKIE) {\t\t/* Cookie data */\n\t\tc_var = SG(request_info).cookie_data;\n\t\tif (c_var && *c_var) {\n\t\t\tres = (char *) estrdup(c_var);\n\t\t\tfree_buffer = 1;\n\t\t} else {\n\t\t\tfree_buffer = 0;\n\t\t}\n\t} else if (arg == PARSE_STRING) {\t\t/* String data */\n\t\tres = str;\n\t\tfree_buffer = 1;\n\t}\n\n\tif (!res) {\n\t\treturn;\n\t}\n\n\tswitch (arg) {\n\t\tcase PARSE_GET:\n\t\tcase PARSE_STRING:\n\t\t\tseparator = PG(arg_separator).input;\n\t\t\tbreak;\n\t\tcase PARSE_COOKIE:\n\t\t\tseparator = \";\\0\";\n\t\t\tbreak;\n\t}\n\n\tvar = php_strtok_r(res, separator, &strtok_buf);\n\n\twhile (var) {\n\t\tval = strchr(var, '=');\n\n\t\tif (arg == PARSE_COOKIE) {\n\t\t\t/* Remove leading spaces from cookie names, needed for multi-cookie header where ; can be followed by a space */\n\t\t\twhile (isspace(*var)) {\n\t\t\t\tvar++;\n\t\t\t}\n\t\t\tif (var == val || *var == '\\0') {\n\t\t\t\tgoto next_cookie;\n\t\t\t}\n\t\t}\n\n\t\tif (++count > PG(max_input_vars)) {\n\t\t\tphp_error_docref(NULL, E_WARNING, \"Input variables exceeded \" ZEND_LONG_FMT \". 
To increase the limit change max_input_vars in php.ini.\", PG(max_input_vars));\n\t\t\tbreak;\n\t\t}\n\n\t\tif (val) { /* have a value */\n\t\t\tsize_t val_len;\n\t\t\tsize_t new_val_len;\n\n\t\t\t*val++ = '\\0';\n\t\t\tif (arg != PARSE_COOKIE) {\n\t\t\t\tphp_url_decode(var, strlen(var));\n\t\t\t}\n\t\t\tval_len = php_url_decode(val, strlen(val));\n\t\t\tval = estrndup(val, val_len);\n\t\t\tif (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {\n\t\t\t\tphp_register_variable_safe(var, val, new_val_len, &array);\n\t\t\t}\n\t\t\tefree(val);\n\t\t} else {\n\t\t\tsize_t val_len;\n\t\t\tsize_t new_val_len;\n\n\t\t\tif (arg != PARSE_COOKIE) {\n\t\t\t\tphp_url_decode(var, strlen(var));\n\t\t\t}\n\t\t\tval_len = 0;\n\t\t\tval = estrndup(\"\", val_len);\n\t\t\tif (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {\n\t\t\t\tphp_register_variable_safe(var, val, new_val_len, &array);\n\t\t\t}\n\t\t\tefree(val);\n\t\t}\nnext_cookie:\n\t\tvar = php_strtok_r(NULL, separator, &strtok_buf);\n\t}\n\n\tif (free_buffer) {\n\t\tefree(res);\n\t}\n}", "project": "php-src", "hash": 99217299303506150311767680298916812323, "size": 131, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374974 }, { "func": "apr_status_t h2_stream_recv_DATA(h2_stream *stream, uint8_t flags,\n const uint8_t *data, size_t len)\n{\n h2_session *session = stream->session;\n apr_status_t status = APR_SUCCESS;\n \n stream->in_data_frames++;\n if (len > 0) {\n if (APLOGctrace3(session->c)) {\n const char *load = apr_pstrndup(stream->pool, (const char *)data, len);\n ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, session->c,\n H2_STRM_MSG(stream, \"recv DATA, len=%d: -->%s<--\"), \n (int)len, load);\n }\n else {\n ap_log_cerror(APLOG_MARK, APLOG_TRACE2, status, session->c,\n H2_STRM_MSG(stream, \"recv DATA, len=%d\"), (int)len);\n }\n stream->in_data_octets += len;\n if (!stream->in_buffer) {\n 
stream->in_buffer = apr_brigade_create(stream->pool, \n session->c->bucket_alloc);\n }\n apr_brigade_write(stream->in_buffer, NULL, NULL, (const char *)data, len);\n h2_stream_dispatch(stream, H2_SEV_IN_DATA_PENDING);\n }\n return status;\n}", "project": "httpd", "hash": 242204756429971897689777043260553745223, "size": 28, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284247 }, { "func": "void tracing_record_tgid(struct task_struct *task)\n{\n\ttracing_record_taskinfo(task, TRACE_RECORD_TGID);\n}", "project": "linux", "hash": 250433393035023756416267320176748448545, "size": 4, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445730 }, { "func": " bool is_basic_value(const Item *item, Type type_arg) const\n {\n return item->basic_const_item() && item->type() == type_arg;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 102227271985766292901693304096287823741, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509002 }, { "func": " bool is_basic_value(Type type_arg) const\n {\n return basic_const_item() && type() == type_arg;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 246787359034917405554613401814635122667, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509030 }, { "func": "void httpsSslBumpStep2AccessCheckDone(allow_t answer, void *data)\n{\n ConnStateData *connState = (ConnStateData *) data;\n\n // if the connection is closed or closing, just return.\n if (!connState->isOpen())\n return;\n\n debugs(33, 5, \"Answer: \" << answer << \" kind:\" << answer.kind);\n assert(connState->serverBump());\n Ssl::BumpMode bumpAction;\n if (answer.allowed()) {\n bumpAction = (Ssl::BumpMode)answer.kind;\n } else\n bumpAction = Ssl::bumpSplice;\n\n connState->serverBump()->act.step2 = bumpAction;\n connState->sslBumpMode = bumpAction;\n Http::StreamPointer context = connState->pipeline.front();\n if (ClientHttpRequest *http = (context ? context->http : nullptr))\n http->al->ssl.bumpMode = bumpAction;\n\n if (bumpAction == Ssl::bumpTerminate) {\n connState->clientConnection->close();\n } else if (bumpAction != Ssl::bumpSplice) {\n connState->startPeekAndSplice();\n } else if (!connState->splice())\n connState->clientConnection->close();\n}", "project": "squid", "hash": 31434313419617983053340924197182367307, "size": 29, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402374 }, { "func": "Status Conv2DBackpropComputeInputShape(const Tensor& input_sizes,\n const TensorShape& filter_shape,\n const TensorShape& out_backprop_shape,\n const TensorFormat& data_format,\n TensorShape* input_shape) {\n if (!TensorShapeUtils::IsVector(input_sizes.shape())) {\n return errors::InvalidArgument(\n \"Conv2DBackpropInput: input_sizes input must be 1-dim, not \",\n input_sizes.dims());\n }\n\n if (input_sizes.dim_size(0) == 4) {\n return TensorShapeUtils::MakeShape(input_sizes.vec(), input_shape);\n }\n\n if (input_sizes.dim_size(0) == 2) {\n const int batch_size = GetTensorDim(out_backprop_shape, data_format, 'N');\n const int output_height = input_sizes.vec()(0);\n const int output_width = input_sizes.vec()(1);\n const int output_depth = filter_shape.dim_size(2);\n *input_shape = ShapeFromFormat(data_format, batch_size, output_height,\n output_width, output_depth);\n return Status::OK();\n }\n\n return errors::InvalidArgument(\n \"Conv2DBackpropInput requires input_sizes to \"\n \"contain 4 values or 2 values, but got: \",\n input_sizes.dim_size(0));\n}", "project": "tensorflow", "hash": 160393542166973341905488054174328252091, "size": 30, "commit_id": "fca9874a9b42a2134f907d2fb46ab774a831404a", "message": "Prevent another division by zero.\n\nPiperOrigin-RevId: 369338598\nChange-Id: I55471d363e401fdcf8d259670ad4eef672b731e2", "target": 0, "dataset": "other", "idx": 255025 }, { "func": "static void tcp_skb_mark_lost_uncond_verify(struct tcp_sock *tp,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\ttcp_verify_retransmit_hint(tp, skb);\n\n\tif 
(!(TCP_SKB_CB(skb)->sacked & (TCPCB_LOST|TCPCB_SACKED_ACKED))) {\n\t\ttp->lost_out += tcp_skb_pcount(skb);\n\t\tTCP_SKB_CB(skb)->sacked |= TCPCB_LOST;\n\t}\n}", "project": "net-next", "hash": 84748975507269220040927808138459248213, "size": 10, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409953 }, { "func": "PHP_METHOD(Phar, getSupportedSignatures)\n{\n\tif (zend_parse_parameters_none() == FAILURE) {\n\t\treturn;\n\t}\n\t\n\tarray_init(return_value);\n\n\tadd_next_index_stringl(return_value, \"MD5\", 3, 1);\n\tadd_next_index_stringl(return_value, \"SHA-1\", 5, 1);\n#ifdef PHAR_HASH_OK\n\tadd_next_index_stringl(return_value, \"SHA-256\", 7, 1);\n\tadd_next_index_stringl(return_value, \"SHA-512\", 7, 1);\n#endif\n#if PHAR_HAVE_OPENSSL\n\tadd_next_index_stringl(return_value, \"OpenSSL\", 7, 1);\n#else\n\tif (zend_hash_exists(&module_registry, \"openssl\", sizeof(\"openssl\"))) {\n\t\tadd_next_index_stringl(return_value, \"OpenSSL\", 7, 1);\n\t}\n#endif\n}", "project": "php-src", "hash": 180516881934146205813772543859433832723, "size": 22, "commit_id": "b2cf3f064b8f5efef89bb084521b61318c71781b", "message": "Fixed bug #68901 (use after free)", "target": 0, "dataset": "other", "idx": 413461 }, { "func": "PHP_METHOD(Phar, getSupportedCompression)\n{\n\tif (zend_parse_parameters_none() == FAILURE) {\n\t\treturn;\n\t}\n\t\n\tarray_init(return_value);\n\tphar_request_initialize(TSRMLS_C);\n\n\tif (PHAR_G(has_zlib)) {\n\t\tadd_next_index_stringl(return_value, \"GZ\", 2, 1);\n\t}\n\n\tif (PHAR_G(has_bz2)) {\n\t\tadd_next_index_stringl(return_value, \"BZIP2\", 5, 1);\n\t}\n}", "project": "php-src", "hash": 
103700509863967375273285114712371928464, "size": 17, "commit_id": "b2cf3f064b8f5efef89bb084521b61318c71781b", "message": "Fixed bug #68901 (use after free)", "target": 0, "dataset": "other", "idx": 413471 }, { "func": "static int oidc_handle_unauthorized_user22(request_rec *r) {\n\n\toidc_cfg *c = ap_get_module_config(r->server->module_config,\n\t\t\t&auth_openidc_module);\n\n\tif (apr_strnatcasecmp((const char *) ap_auth_type(r), OIDC_AUTH_TYPE_OPENID_OAUTH20) == 0) {\n\t\toidc_oauth_return_www_authenticate(r, \"insufficient_scope\", \"Different scope(s) or other claims required\");\n\t\treturn HTTP_UNAUTHORIZED;\n\t}\n\n\t/* see if we've configured OIDCUnAutzAction for this path */\n\tswitch (oidc_dir_cfg_unautz_action(r)) {\n\tcase OIDC_UNAUTZ_RETURN403:\n\t\treturn HTTP_FORBIDDEN;\n\tcase OIDC_UNAUTZ_RETURN401:\n\t\treturn HTTP_UNAUTHORIZED;\n\tcase OIDC_UNAUTZ_AUTHENTICATE:\n\t\t/*\n\t\t * exception handling: if this looks like a XMLHttpRequest call we\n\t\t * won't redirect the user and thus avoid creating a state cookie\n\t\t * for a non-browser (= Javascript) call that will never return from the OP\n\t\t */\n\t\tif (oidc_is_xml_http_request(r) == TRUE)\n\t\t\treturn HTTP_UNAUTHORIZED;\n\t}\n\n\treturn oidc_authenticate_user(r, c, NULL, oidc_get_current_url(r), NULL,\n\t\t\tNULL, NULL, oidc_dir_cfg_path_auth_request_params(r), oidc_dir_cfg_path_scope(r));\n}", "project": "mod_auth_openidc", "hash": 190332782060844471811806357193958558670, "size": 29, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381910 }, { "func": "static int rdpmc_interception(struct vcpu_svm *svm)\n{\n\tint err;\n\n\tif (!nrips)\n\t\treturn emulate_on_interception(svm);\n\n\terr = kvm_rdpmc(&svm->vcpu);\n\treturn kvm_complete_insn_gp(&svm->vcpu, err);\n}", "project": 
"linux", "hash": 57523356552314704089257998577307645938, "size": 10, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432392 }, { "func": "static int rdpmc_interception(struct vcpu_svm *svm)\n{\n\tint err;\n\n\tif (!static_cpu_has(X86_FEATURE_NRIPS))\n\t\treturn emulate_on_interception(svm);\n\n\terr = kvm_rdpmc(&svm->vcpu);\n\tkvm_complete_insn_gp(&svm->vcpu, err);\n\n\treturn 1;\n}", "project": "kvm", "hash": 294996096203277581043744507028429912910, "size": 12, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437607 }, { "func": "CClient::~CClient() {\n if (m_spAuth) {\n CClientAuth* pAuth = (CClientAuth*)&(*m_spAuth);\n pAuth->Invalidate();\n }\n if (m_pUser != nullptr) {\n m_pUser->AddBytesRead(GetBytesRead());\n m_pUser->AddBytesWritten(GetBytesWritten());\n }\n}", "project": "znc", "hash": 332361790383686379538669381002145119695, "size": 10, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231589 }, { "func": "static rsRetVal qDeqLinkedList(qqueue_t *pThis, obj_t **ppUsr)\n{\n\tqLinkedList_t *pEntry;\n\tDEFiRet;\n\n\tpEntry = pThis->tVars.linklist.pDeqRoot;\n\tISOBJ_TYPE_assert(pEntry->pUsr, msg);\n\t*ppUsr = pEntry->pUsr;\n\tpThis->tVars.linklist.pDeqRoot = 
pEntry->pNext;\n\n\tRETiRet;\n}", "project": "rsyslog", "hash": 122480689591241768321031124688590111143, "size": 12, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373784 }, { "func": "\treturn nlmsg_unicast(nls, skb, portid);\n}\n\nint iscsi_recv_pdu(struct iscsi_cls_conn *conn, struct iscsi_hdr *hdr,\n\t\t char *data, uint32_t data_size)\n{\n\tstruct nlmsghdr\t*nlh;\n\tstruct sk_buff *skb;\n\tstruct iscsi_uevent *ev;\n\tchar *pdu;\n\tstruct iscsi_internal *priv;\n\tint len = nlmsg_total_size(sizeof(*ev) + sizeof(struct iscsi_hdr) +\n\t\t\t\t data_size);\n\n\tpriv = iscsi_if_transport_lookup(conn->transport);\n\tif (!priv)\n\t\treturn -EINVAL;\n\n\tskb = alloc_skb(len, GFP_ATOMIC);\n\tif (!skb) {\n\t\tiscsi_conn_error_event(conn, ISCSI_ERR_CONN_FAILED);\n\t\tiscsi_cls_conn_printk(KERN_ERR, conn, \"can not deliver \"\n\t\t\t\t \"control PDU: OOM\\n\");\n\t\treturn -ENOMEM;\n\t}\n\n\tnlh = __nlmsg_put(skb, 0, 0, 0, (len - sizeof(*nlh)), 0);\n\tev = nlmsg_data(nlh);\n\tmemset(ev, 0, sizeof(*ev));\n\tev->transport_handle = iscsi_handle(conn->transport);\n\tev->type = ISCSI_KEVENT_RECV_PDU;\n\tev->r.recv_req.cid = conn->cid;\n\tev->r.recv_req.sid = iscsi_conn_get_sid(conn);\n\tpdu = (char*)ev + sizeof(*ev);\n\tmemcpy(pdu, hdr, sizeof(struct iscsi_hdr));\n\tmemcpy(pdu + sizeof(struct iscsi_hdr), data, data_size);", "project": "linux", "hash": 328715890920134548653168781090179824264, "size": 36, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: 
Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379931 }, { "func": "static Variant substr_replace(const Variant& str, const Variant& replacement,\n const Variant& start, const Variant& length) {\n if (!str.isArray()) {\n String repl;\n if (replacement.isArray()) {\n repl = replacement.asCArrRef()[0].toString();\n } else {\n repl = replacement.toString();\n }\n if (start.isArray()) {\n if (!length.isArray()) {\n raise_invalid_argument_warning(\"start and length should be of same type - \"\n \"numerical or array\");\n return str;\n }\n Array startArr = start.toArray();\n Array lengthArr = length.toArray();\n if (startArr.size() != lengthArr.size()) {\n raise_invalid_argument_warning(\"start and length: (different item count)\");\n return str;\n }\n raise_invalid_argument_warning(\"start and length as arrays not implemented\");\n return str;\n }\n return string_replace(str.toString(), start.toInt32(), length.toInt32(),\n repl);\n }\n\n // 'start' and 'length' can be arrays (in which case we step through them in\n // sync with stepping through 'str'), or not arrays, in which case we convert\n // them to ints and always use those.\n Array ret;\n Array strArr = str.toArray();\n folly::Optional opStart;\n folly::Optional opLength;\n if (!start.isArray()) {\n opStart = start.toInt32();\n }\n if (!length.isArray()) {\n opLength = length.toInt32();\n }\n\n Array startArr = start.toArray();\n Array lengthArr = length.toArray();\n ArrayIter startIter(startArr);\n ArrayIter lengthIter(lengthArr);\n\n if (replacement.isArray()) {\n Array replArr = replacement.toArray();\n ArrayIter replIter(replArr);\n for (ArrayIter iter(strArr); iter; ++iter) {\n auto str = iter.second().toString();\n // If 'start' or 'length' are arrays and we've gone past the end, default\n // to 0 for start and the length of the input string for length.\n int nStart =\n (opStart.has_value()\n ? 
opStart.value()\n : (startIter ? startIter.second().toInt32() : 0));\n int nLength =\n (opLength.has_value()\n ? opLength.value()\n : (lengthIter ? lengthIter.second().toInt32() : str.length()));\n if (startIter) ++startIter;\n if (lengthIter) ++lengthIter;\n\n String repl;\n if (replIter) {\n repl = replIter.second().toString();\n ++replIter;\n } else {\n repl = empty_string();\n }\n auto s2 = string_replace(str, nStart, nLength, repl);\n ret.append(s2);\n }\n } else {\n String repl = replacement.toString();\n for (ArrayIter iter(strArr); iter; ++iter) {\n auto str = iter.second().toString();\n int nStart =\n (opStart.has_value()\n ? opStart.value()\n : (startIter ? startIter.second().toInt32() : 0));\n int nLength =\n (opLength.has_value()\n ? opLength.value()\n : (lengthIter ? lengthIter.second().toInt32() : str.length()));\n if (startIter) ++startIter;\n if (lengthIter) ++lengthIter;\n\n auto s2 = string_replace(str, nStart, nLength, repl);\n ret.append(s2);\n }\n }\n return ret;\n}", "project": "hhvm", "hash": 313534704796131402672482143691578560977, "size": 96, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219571 }, { "func": "static inline void ep_busy_loop(struct eventpoll *ep, int nonblock)\n{\n}", "project": "linux", "hash": 147133537434172423649765930634242788493, "size": 3, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336231 }, { "func": "static void ep_busy_loop(struct eventpoll *ep, int nonblock)\n{\n\tunsigned int napi_id = READ_ONCE(ep->napi_id);\n\n\tif ((napi_id >= MIN_NAPI_ID) && net_busy_loop_on())\n\t\tnapi_busy_loop(napi_id, nonblock ? 
NULL : ep_busy_loop_end, ep);\n}", "project": "linux", "hash": 35030566638844542817679889301600052407, "size": 7, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336260 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "sgx_status_t ecall_verify_att_result_mac(sgx_ra_context_t context, uint8_t* message,\n size_t message_size, uint8_t* mac,\n size_t mac_size) {\n try {\n return verify_att_result_mac(context, message, message_size, mac, mac_size);\n } catch (const std::runtime_error &e) {\n ocall_throw(e.what());\n return SGX_ERROR_UNEXPECTED;\n }\n}", "idx": 519074, "cwe": "CWE-787", "hash": 88200751529222744817831057849872714027, "dataset": "other" }, { "func": "static void nfs4_close_prepare(struct rpc_task *task, void *data)\n{\n\tstruct nfs4_closedata *calldata = data;\n\tstruct nfs4_state *state = calldata->state;\n\tstruct inode *inode = calldata->inode;\n\tstruct pnfs_layout_hdr *lo;\n\tbool is_rdonly, is_wronly, is_rdwr;\n\tint call_close = 0;\n\n\tdprintk(\"%s: begin!\\n\", __func__);\n\tif (nfs_wait_on_sequence(calldata->arg.seqid, task) != 0)\n\t\tgoto out_wait;\n\n\ttask->tk_msg.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_OPEN_DOWNGRADE];\n\tspin_lock(&state->owner->so_lock);\n\tis_rdwr = test_bit(NFS_O_RDWR_STATE, &state->flags);\n\tis_rdonly = test_bit(NFS_O_RDONLY_STATE, &state->flags);\n\tis_wronly = test_bit(NFS_O_WRONLY_STATE, &state->flags);\n\t/* Calculate the change in open mode */\n\tcalldata->arg.fmode = 0;\n\tif (state->n_rdwr == 0) {\n\t\tif (state->n_rdonly == 0)\n\t\t\tcall_close |= is_rdonly;\n\t\telse if (is_rdonly)\n\t\t\tcalldata->arg.fmode |= FMODE_READ;\n\t\tif (state->n_wronly == 0)\n\t\t\tcall_close |= is_wronly;\n\t\telse if (is_wronly)\n\t\t\tcalldata->arg.fmode |= FMODE_WRITE;\n\t\tif (calldata->arg.fmode != 
(FMODE_READ|FMODE_WRITE))\n\t\t\tcall_close |= is_rdwr;\n\t} else if (is_rdwr)\n\t\tcalldata->arg.fmode |= FMODE_READ|FMODE_WRITE;\n\n\tnfs4_sync_open_stateid(&calldata->arg.stateid, state);\n\tif (!nfs4_valid_open_stateid(state))\n\t\tcall_close = 0;\n\tspin_unlock(&state->owner->so_lock);\n\n\tif (!call_close) {\n\t\t/* Note: exit _without_ calling nfs4_close_done */\n\t\tgoto out_no_action;\n\t}\n\n\tif (!calldata->lr.roc && nfs4_wait_on_layoutreturn(inode, task)) {\n\t\tnfs_release_seqid(calldata->arg.seqid);\n\t\tgoto out_wait;\n\t}\n\n\tlo = calldata->arg.lr_args ? calldata->arg.lr_args->layout : NULL;\n\tif (lo && !pnfs_layout_is_valid(lo)) {\n\t\tcalldata->arg.lr_args = NULL;\n\t\tcalldata->res.lr_res = NULL;\n\t}\n\n\tif (calldata->arg.fmode == 0)\n\t\ttask->tk_msg.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_CLOSE];\n\n\tif (calldata->arg.fmode == 0 || calldata->arg.fmode == FMODE_READ) {\n\t\t/* Close-to-open cache consistency revalidation */\n\t\tif (!nfs4_have_delegation(inode, FMODE_READ))\n\t\t\tcalldata->arg.bitmask = NFS_SERVER(inode)->cache_consistency_bitmask;\n\t\telse\n\t\t\tcalldata->arg.bitmask = NULL;\n\t}\n\n\tcalldata->arg.share_access =\n\t\tnfs4_map_atomic_open_share(NFS_SERVER(inode),\n\t\t\t\tcalldata->arg.fmode, 0);\n\n\tif (calldata->res.fattr == NULL)\n\t\tcalldata->arg.bitmask = NULL;\n\telse if (calldata->arg.bitmask == NULL)\n\t\tcalldata->res.fattr = NULL;\n\tcalldata->timestamp = jiffies;\n\tif (nfs4_setup_sequence(NFS_SERVER(inode)->nfs_client,\n\t\t\t\t&calldata->arg.seq_args,\n\t\t\t\t&calldata->res.seq_res,\n\t\t\t\ttask) != 0)\n\t\tnfs_release_seqid(calldata->arg.seqid);\n\tdprintk(\"%s: done!\\n\", __func__);\n\treturn;\nout_no_action:\n\ttask->tk_action = NULL;\nout_wait:\n\tnfs4_sequence_done(task, &calldata->res.seq_res);\n}", "project": "linux", "hash": 41045664792797314134814768070376346237, "size": 87, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory 
overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431314 }, { "func": "static void icpt_operexc_on_all_vcpus(struct kvm *kvm)\n{\n\tunsigned int i;\n\tstruct kvm_vcpu *vcpu;\n\n\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\tkvm_s390_sync_request(KVM_REQ_ICPT_OPEREXC, vcpu);\n\t}\n}", "project": "linux", "hash": 304554216738853491364830281543918304837, "size": 9, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354785 }, { "func": "bool RGWSwiftWebsiteHandler::is_index_present(const std::string& index)\n{\n rgw_obj obj(s->bucket, index);\n\n RGWObjectCtx& obj_ctx = *static_cast(s->obj_ctx);\n obj_ctx.set_atomic(obj);\n obj_ctx.set_prefetch_data(obj);\n\n RGWObjState* state = nullptr;\n if (store->get_obj_state(&obj_ctx, s->bucket_info, obj, &state, false) < 0) {\n return false;\n }\n\n /* A nonexistent object cannot be a considered as a viable index. We will\n * try to list the bucket or - if this is impossible - return an error. 
*/\n return state->exists;\n}", "project": "ceph", "hash": 236993111256066345301687984508750387313, "size": 17, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448835 }, { "func": "static void kvm_s390_vcpu_request(struct kvm_vcpu *vcpu)\n{\n\tatomic_or(PROG_REQUEST, &vcpu->arch.sie_block->prog20);\n\texit_sie(vcpu);\n}", "project": "linux", "hash": 199105773776826438361397413760957895103, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354525 }, { "func": "void CWebSession::UpdateLastActive() { time(&m_tmLastActive); }", "project": "znc", "hash": 289180818263277391007740414143316628921, "size": 1, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265772 }, { "func": "UnicodeString::getBuffer(int32_t minCapacity) {\n 
if(minCapacity>=-1 && cloneArrayIfNeeded(minCapacity)) {\n fUnion.fFields.fLengthAndFlags|=kOpenGetBuffer;\n setZeroLength();\n return getArrayStart();\n } else {\n return nullptr;\n }\n}", "project": "icu", "hash": 291038348630379363380193554406241278432, "size": 9, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430753 }, { "func": "void trace_event_buffer_commit(struct trace_event_buffer *fbuffer)\n{\n\tif (static_key_false(&tracepoint_printk_key.key))\n\t\toutput_printk(fbuffer);\n\n\tevent_trigger_unlock_commit(fbuffer->trace_file, fbuffer->buffer,\n\t\t\t\t fbuffer->event, fbuffer->entry,\n\t\t\t\t fbuffer->flags, fbuffer->pc);\n}", "project": "linux", "hash": 123955319152810601188902738853500661917, "size": 9, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445693 }, { "func": "static apr_byte_t oidc_session_pass_tokens(request_rec *r, oidc_cfg *cfg,\n\t\toidc_session_t *session, apr_byte_t *needs_save) {\n\n\tapr_byte_t pass_headers = oidc_cfg_dir_pass_info_in_headers(r);\n\tapr_byte_t pass_envvars = oidc_cfg_dir_pass_info_in_envvars(r);\n\tapr_byte_t pass_base64url = oidc_cfg_dir_pass_info_base64url(r);\n\n\t/* set the refresh_token in the app headers/variables, if enabled for this location/directory */\n\tconst char *refresh_token = oidc_session_get_refresh_token(r, session);\n\tif ((oidc_cfg_dir_pass_refresh_token(r) != 0) && (refresh_token != NULL)) {\n\t\t/* pass it to the app in a header or environment variable */\n\t\toidc_util_set_app_info(r, OIDC_APP_INFO_REFRESH_TOKEN, refresh_token,\n\t\t\t\tOIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars, pass_base64url);\n\t}\n\n\t/* set the access_token in the app headers/variables */\n\tconst char *access_token = oidc_session_get_access_token(r, session);\n\tif (access_token != NULL) {\n\t\t/* pass it to the app in a header or environment variable */\n\t\toidc_util_set_app_info(r, OIDC_APP_INFO_ACCESS_TOKEN, access_token,\n\t\t\t\tOIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars, pass_base64url);\n\t}\n\n\t/* set the expiry timestamp in the app headers/variables */\n\tconst char *access_token_expires = oidc_session_get_access_token_expires(r,\n\t\t\tsession);\n\tif (access_token_expires != NULL) {\n\t\t/* pass it to the app in a header or environment variable */\n\t\toidc_util_set_app_info(r, 
OIDC_APP_INFO_ACCESS_TOKEN_EXP,\n\t\t\t\taccess_token_expires,\n\t\t\t\tOIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars,\n\t\t\t\tpass_base64url);\n\t}\n\n\t/*\n\t * reset the session inactivity timer\n\t * but only do this once per 10% of the inactivity timeout interval (with a max to 60 seconds)\n\t * for performance reasons\n\t *\n\t * now there's a small chance that the session ends 10% (or a minute) earlier than configured/expected\n\t * cq. when there's a request after a recent save (so no update) and then no activity happens until\n\t * a request comes in just before the session should expire\n\t * (\"recent\" and \"just before\" refer to 10%-with-a-max-of-60-seconds of the inactivity interval after\n\t * the start/last-update and before the expiry of the session respectively)\n\t *\n\t * this is be deemed acceptable here because of performance gain\n\t */\n\tapr_time_t interval = apr_time_from_sec(cfg->session_inactivity_timeout);\n\tapr_time_t now = apr_time_now();\n\tapr_time_t slack = interval / 10;\n\tif (slack > apr_time_from_sec(60))\n\t\tslack = apr_time_from_sec(60);\n\tif (session->expiry - now < interval - slack) {\n\t\tsession->expiry = now + interval;\n\t\t*needs_save = TRUE;\n\t}\n\n\t/* log message about session expiry */\n\toidc_log_session_expires(r, \"session inactivity timeout\", session->expiry);\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 35420045755229518329324809266082859883, "size": 62, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381918 }, { "func": "Variant preg_grep(const String& pattern, const Array& input, int flags /* = 0 */) {\n PCRECache::Accessor accessor;\n if (!pcre_get_compiled_regex_cache(accessor, pattern.get())) {\n return preg_return_bad_regex_error(false);\n }\n const 
pcre_cache_entry* pce = accessor.get();\n\n int size_offsets = 0;\n int* offsets = create_offset_array(pce, size_offsets);\n if (offsets == nullptr) {\n return preg_return_internal_error(false);\n }\n SmartFreeHelper freer(offsets);\n\n const bool hackArrOutput = flags & PREG_FB_HACK_ARRAYS;\n\n /* Initialize return array */\n auto ret = hackArrOutput ? Array::CreateDict() : Array::CreateDArray();\n\n /* Go through the input array */\n bool invert = (flags & PREG_GREP_INVERT);\n pcre_extra extra;\n init_local_extra(&extra, pce->extra);\n\n for (ArrayIter iter(input); iter; ++iter) {\n String entry = iter.second().toString();\n\n /* Perform the match */\n int count = pcre_exec(pce->re, &extra, entry.data(), entry.size(),\n 0, 0, offsets, size_offsets);\n\n /* Check for too many substrings condition. */\n if (count == 0) {\n raise_warning(\"Matched, but too many substrings\");\n count = size_offsets / 3;\n } else if (count < 0 && count != PCRE_ERROR_NOMATCH) {\n if (pcre_need_log_error(count)) {\n pcre_log_error(__FUNCTION__, __LINE__, count,\n pattern.data(), pattern.size(),\n entry.data(), entry.size(),\n \"\", 0,\n flags);\n }\n // NOTE: this returns an error together with a partial result :-(\n return preg_return_pcre_error(count, std::move(ret));\n }\n\n /* If the entry fits our requirements */\n if ((count > 0 && !invert) ||\n (count == PCRE_ERROR_NOMATCH && invert)) {\n\n /* Add to return array */\n ret.set(iter.first(), entry);\n }\n }\n\n return preg_return_no_error(std::move(ret));\n}", "project": "hhvm", "hash": 314844737754389274635132124785418245381, "size": 58, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219263 }, { "func": "static void daemon_usage(enum logcode F)\n{\n print_rsync_version(F);\n\n rprintf(F,\"\\n\");\n rprintf(F,\"Usage: rsync --daemon [OPTION]...\\n\");\n rprintf(F,\" --address=ADDRESS bind to the 
specified address\\n\");\n rprintf(F,\" --bwlimit=RATE limit socket I/O bandwidth\\n\");\n rprintf(F,\" --config=FILE specify alternate rsyncd.conf file\\n\");\n rprintf(F,\" -M, --dparam=OVERRIDE override global daemon config parameter\\n\");\n rprintf(F,\" --no-detach do not detach from the parent\\n\");\n rprintf(F,\" --port=PORT listen on alternate port number\\n\");\n rprintf(F,\" --log-file=FILE override the \\\"log file\\\" setting\\n\");\n rprintf(F,\" --log-file-format=FMT override the \\\"log format\\\" setting\\n\");\n rprintf(F,\" --sockopts=OPTIONS specify custom TCP options\\n\");\n rprintf(F,\" -v, --verbose increase verbosity\\n\");\n rprintf(F,\" -4, --ipv4 prefer IPv4\\n\");\n rprintf(F,\" -6, --ipv6 prefer IPv6\\n\");\n rprintf(F,\" --help show this help screen\\n\");\n\n rprintf(F,\"\\n\");\n rprintf(F,\"If you were not trying to invoke rsync as a daemon, avoid using any of the\\n\");\n rprintf(F,\"daemon-specific rsync options. See also the rsyncd.conf(5) man page.\\n\");\n}", "project": "rsync", "hash": 95462930957786726342115534444014508304, "size": 24, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. 
This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364664 }, { "func": "void Commissioner::SetState(otCommissionerState aState)\n{\n VerifyOrExit(mState != aState);\n\n otLogInfoMeshCoP(\"Commissioner State: %s -> %s\", StateToString(mState), StateToString(aState));\n\n mState = aState;\n\n if (mStateCallback)\n {\n mStateCallback(mState, mCallbackContext);\n }\n\nexit:\n return;\n}", "project": "openthread", "hash": 284182193667527349443449943940038066602, "size": 16, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269895 }, { "func": " */\nstatic unsigned long bfq_calc_max_budget(struct bfq_data *bfqd)\n{\n\treturn (u64)bfqd->peak_rate * USEC_PER_MSEC *\n\t\tjiffies_to_msecs(bfqd->bfq_timeout)>>BFQ_RATE_SHIFT;", "project": "linux", "hash": 139690067717043065031232129119323141801, "size": 5, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453394 }, { "func": "int __kmem_cache_shrink(struct kmem_cache *s)\n{\n\tint node;\n\tint i;\n\tstruct kmem_cache_node *n;\n\tstruct page *page;\n\tstruct page *t;\n\tstruct list_head discard;\n\tstruct list_head promote[SHRINK_PROMOTE_MAX];\n\tunsigned long flags;\n\tint ret = 0;\n\n\tflush_all(s);\n\tfor_each_kmem_cache_node(s, node, n) {\n\t\tINIT_LIST_HEAD(&discard);\n\t\tfor (i = 0; i < SHRINK_PROMOTE_MAX; i++)\n\t\t\tINIT_LIST_HEAD(promote + i);\n\n\t\tspin_lock_irqsave(&n->list_lock, flags);\n\n\t\t/*\n\t\t * Build lists of slabs to discard or promote.\n\t\t *\n\t\t * Note that concurrent frees may occur while we hold the\n\t\t * list_lock. 
page->inuse here is the upper limit.\n\t\t */\n\t\tlist_for_each_entry_safe(page, t, &n->partial, slab_list) {\n\t\t\tint free = page->objects - page->inuse;\n\n\t\t\t/* Do not reread page->inuse */\n\t\t\tbarrier();\n\n\t\t\t/* We do not keep full slabs on the list */\n\t\t\tBUG_ON(free <= 0);\n\n\t\t\tif (free == page->objects) {\n\t\t\t\tlist_move(&page->slab_list, &discard);\n\t\t\t\tn->nr_partial--;\n\t\t\t} else if (free <= SHRINK_PROMOTE_MAX)\n\t\t\t\tlist_move(&page->slab_list, promote + free - 1);\n\t\t}\n\n\t\t/*\n\t\t * Promote the slabs filled up most to the head of the\n\t\t * partial list.\n\t\t */\n\t\tfor (i = SHRINK_PROMOTE_MAX - 1; i >= 0; i--)\n\t\t\tlist_splice(promote + i, &n->partial);\n\n\t\tspin_unlock_irqrestore(&n->list_lock, flags);\n\n\t\t/* Release empty slabs */\n\t\tlist_for_each_entry_safe(page, t, &discard, slab_list)\n\t\t\tdiscard_slab(s, page);\n\n\t\tif (slabs_node(s, node))\n\t\t\tret = 1;\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 24360451082162814778254464464090081964, "size": 61, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280148 }, { "func": "static void nft_set_catchall_destroy(const struct nft_ctx *ctx,\n\t\t\t\t struct nft_set *set)\n{\n\tstruct nft_set_elem_catchall *catchall;\n\n\tlist_for_each_entry_rcu(catchall, &set->catchall_list, list) {\n\t\tlist_del_rcu(&catchall->list);\n\t\tnft_set_elem_destroy(set, catchall->elem, true);\n\t\tkfree_rcu(catchall);\n\t}\n}", "project": "linux", "hash": 207304843790456513321596293864628738511, "size": 11, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? 
nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328370 }, { "func": "static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)\n{\n\tstruct io_sr_msg *sr = &req->sr_msg;\n\n\tif (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))\n\t\treturn -EINVAL;\n\n\tsr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));\n\tsr->len = READ_ONCE(sqe->len);\n\tsr->msg_flags = READ_ONCE(sqe->msg_flags) | MSG_NOSIGNAL;\n\tif (sr->msg_flags & MSG_DONTWAIT)\n\t\treq->flags |= REQ_F_NOWAIT;\n\n#ifdef CONFIG_COMPAT\n\tif (req->ctx->compat)\n\t\tsr->msg_flags |= MSG_CMSG_COMPAT;\n#endif\n\treturn 0;\n}", "project": "linux", "hash": 306634143777475103837851128031927023250, "size": 19, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338726 }, { "func": "static OPJ_BOOL opj_j2k_setup_encoding_validation(opj_j2k_t *p_j2k,\n opj_event_mgr_t * p_manager)\n{\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n if (! opj_procedure_list_add_procedure(p_j2k->m_validation_list,\n (opj_procedure)opj_j2k_build_encoder, p_manager)) {\n return OPJ_FALSE;\n }\n if (! opj_procedure_list_add_procedure(p_j2k->m_validation_list,\n (opj_procedure)opj_j2k_encoding_validation, p_manager)) {\n return OPJ_FALSE;\n }\n\n /* DEVELOPER CORNER, add your custom validation procedure */\n if (! 
opj_procedure_list_add_procedure(p_j2k->m_validation_list,\n (opj_procedure)opj_j2k_mct_validation, p_manager)) {\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 201418517550275030035888564297556281475, "size": 24, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357318 }, { "func": "static inline int hid_hw_output_report(struct hid_device *hdev, __u8 *buf,\n\t\t\t\t\tsize_t len)\n{\n\tif (len < 1 || len > HID_MAX_BUFFER_SIZE || !buf)\n\t\treturn -EINVAL;\n\n\tif (hdev->ll_driver->output_report)\n\t\treturn hdev->ll_driver->output_report(hdev, buf, len);\n\n\treturn -ENOSYS;\n}", "project": "linux", "hash": 109766465439897642820896858925159136151, "size": 11, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458335 }, { "func": "static long fuse_dir_compat_ioctl(struct file *file, unsigned int cmd,\n\t\t\t\t unsigned long arg)\n{\n\tstruct fuse_conn *fc = get_fuse_conn(file->f_mapping->host);\n\n\tif (fc->minor < 18)\n\t\treturn 
-ENOTTY;\n\n\treturn fuse_ioctl_common(file, cmd, arg,\n\t\t\t\t FUSE_IOCTL_COMPAT | FUSE_IOCTL_DIR);\n}", "project": "linux", "hash": 3078155190088626888568597626181073796, "size": 11, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341919 }, { "func": " */\nstatic unsigned long bfq_smallest_from_now(void)\n{\n\treturn jiffies - MAX_JIFFY_OFFSET;", "project": "linux", "hash": 143312289691741046211604617227302471016, "size": 4, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. 
If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] 
blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 
ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453332 }, { "func": "int dccp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,\n\t\t size_t len, int nonblock, int flags, int *addr_len)\n{\n\tconst struct dccp_hdr *dh;\n\tlong timeo;\n\n\tlock_sock(sk);\n\n\tif (sk->sk_state == DCCP_LISTEN) {\n\t\tlen = -ENOTCONN;\n\t\tgoto out;\n\t}\n\n\ttimeo = sock_rcvtimeo(sk, nonblock);\n\n\tdo {\n\t\tstruct sk_buff *skb = skb_peek(&sk->sk_receive_queue);\n\n\t\tif (skb == NULL)\n\t\t\tgoto verify_sock_status;\n\n\t\tdh = dccp_hdr(skb);\n\n\t\tswitch (dh->dccph_type) {\n\t\tcase DCCP_PKT_DATA:\n\t\tcase DCCP_PKT_DATAACK:\n\t\t\tgoto found_ok_skb;\n\n\t\tcase DCCP_PKT_CLOSE:\n\t\tcase DCCP_PKT_CLOSEREQ:\n\t\t\tif (!(flags & 
MSG_PEEK))\n\t\t\t\tdccp_finish_passive_close(sk);\n\t\t\t/* fall through */\n\t\tcase DCCP_PKT_RESET:\n\t\t\tdccp_pr_debug(\"found fin (%s) ok!\\n\",\n\t\t\t\t dccp_packet_name(dh->dccph_type));\n\t\t\tlen = 0;\n\t\t\tgoto found_fin_ok;\n\t\tdefault:\n\t\t\tdccp_pr_debug(\"packet_type=%s\\n\",\n\t\t\t\t dccp_packet_name(dh->dccph_type));\n\t\t\tsk_eat_skb(sk, skb, 0);\n\t\t}\nverify_sock_status:\n\t\tif (sock_flag(sk, SOCK_DONE)) {\n\t\t\tlen = 0;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (sk->sk_err) {\n\t\t\tlen = sock_error(sk);\n\t\t\tbreak;\n\t\t}\n\n\t\tif (sk->sk_shutdown & RCV_SHUTDOWN) {\n\t\t\tlen = 0;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (sk->sk_state == DCCP_CLOSED) {\n\t\t\tif (!sock_flag(sk, SOCK_DONE)) {\n\t\t\t\t/* This occurs when user tries to read\n\t\t\t\t * from never connected socket.\n\t\t\t\t */\n\t\t\t\tlen = -ENOTCONN;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tlen = 0;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (!timeo) {\n\t\t\tlen = -EAGAIN;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (signal_pending(current)) {\n\t\t\tlen = sock_intr_errno(timeo);\n\t\t\tbreak;\n\t\t}\n\n\t\tsk_wait_data(sk, &timeo);\n\t\tcontinue;\n\tfound_ok_skb:\n\t\tif (len > skb->len)\n\t\t\tlen = skb->len;\n\t\telse if (len < skb->len)\n\t\t\tmsg->msg_flags |= MSG_TRUNC;\n\n\t\tif (skb_copy_datagram_iovec(skb, 0, msg->msg_iov, len)) {\n\t\t\t/* Exception. Bailout! */\n\t\t\tlen = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\tfound_fin_ok:\n\t\tif (!(flags & MSG_PEEK))\n\t\t\tsk_eat_skb(sk, skb, 0);\n\t\tbreak;\n\t} while (1);\nout:\n\trelease_sock(sk);\n\treturn len;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "3e8a0a559c66ee9e7468195691a56fefc3589740", "hash": 109790099210463507440477945086962396475, "size": 103, "message": "dccp: change L/R must have at least one byte in the dccpsf_val field\n \nThanks to Eugene Teo for reporting this problem.\n \nSigned-off-by: Eugene Teo \nSigned-off-by: Arnaldo Carvalho de Melo \nSigned-off-by: Gerrit Renker \nSigned-off-by: David S. 
Miller ", "dataset": "other", "idx": 488792 }, { "func": "void tipc_node_pre_cleanup_net(struct net *exit_net)\n{\n\tstruct tipc_node *n;\n\tstruct tipc_net *tn;\n\tstruct net *tmp;\n\n\trcu_read_lock();\n\tfor_each_net_rcu(tmp) {\n\t\tif (tmp == exit_net)\n\t\t\tcontinue;\n\t\ttn = tipc_net(tmp);\n\t\tif (!tn)\n\t\t\tcontinue;\n\t\tspin_lock_bh(&tn->node_list_lock);\n\t\tlist_for_each_entry_rcu(n, &tn->node_list, list) {\n\t\t\tif (!n->peer_net)\n\t\t\t\tcontinue;\n\t\t\tif (n->peer_net != exit_net)\n\t\t\t\tcontinue;\n\t\t\ttipc_node_write_lock(n);\n\t\t\tn->peer_net = NULL;\n\t\t\tn->peer_hash_mix = 0;\n\t\t\ttipc_node_write_unlock_fast(n);\n\t\t\tbreak;\n\t\t}\n\t\tspin_unlock_bh(&tn->node_list_lock);\n\t}\n\trcu_read_unlock();\n}", "project": "linux", "hash": 190480323701289626256324417179620423434, "size": 29, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n 
genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 
mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364901 }, { "func": "static int pfkey_sockaddr_pair_size(sa_family_t family)\n{\n\treturn PFKEY_ALIGN8(pfkey_sockaddr_len(family) * 2);\n}", "project": "linux", "hash": 280346757522996321854473665338227927842, "size": 4, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 
3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268001 }, { "func": "static void gdImageAntiAliasedApply (gdImagePtr im, int px, int py)\n{\n\tfloat p_dist, p_alpha;\n\tunsigned char opacity;\n\n\t/*\n\t * Find the perpendicular distance from point C (px, py) to the line\n\t * segment AB that is being drawn. (Adapted from an algorithm from the\n\t * comp.graphics.algorithms FAQ.)\n\t */\n\n\tint LAC_2, LBC_2;\n\n\tint Ax_Cx = im->AAL_x1 - px;\n\tint Ay_Cy = im->AAL_y1 - py;\n\n\tint Bx_Cx = im->AAL_x2 - px;\n\tint By_Cy = im->AAL_y2 - py;\n\n\t/* 2.0.13: bounds check! AA_opacity is just as capable of\n\t * overflowing as the main pixel array. Arne Jorgensen.\n\t * 2.0.14: typo fixed. 2.0.15: moved down below declarations\n\t * to satisfy non-C++ compilers.\n\t */\n\tif (!gdImageBoundsSafe(im, px, py)) {\n\t\treturn;\n\t}\n\n\t/* Get the squares of the lengths of the segemnts AC and BC. */\n\tLAC_2 = (Ax_Cx * Ax_Cx) + (Ay_Cy * Ay_Cy);\n\tLBC_2 = (Bx_Cx * Bx_Cx) + (By_Cy * By_Cy);\n\n\tif (((im->AAL_LAB_2 + LAC_2) >= LBC_2) && ((im->AAL_LAB_2 + LBC_2) >= LAC_2)) {\n\t\t/* The two angles are acute. The point lies inside the portion of the\n\t\t * plane spanned by the line segment.\n\t\t */\n\t\tp_dist = fabs ((float) ((Ay_Cy * im->AAL_Bx_Ax) - (Ax_Cx * im->AAL_By_Ay)) / im->AAL_LAB);\n\t} else {\n\t\t/* The point is past an end of the line segment. 
It's length from the\n\t\t * segment is the shorter of the lengths from the endpoints, but call\n\t\t * the distance -1, so as not to compute the alpha nor draw the pixel.\n\t\t */\n\t\tp_dist = -1;\n\t}\n\n\tif ((p_dist >= 0) && (p_dist <= (float) (im->thick))) {\n\t\tp_alpha = pow (1.0 - (p_dist / 1.5), 2);\n\n\t\tif (p_alpha > 0) {\n\t\t\tif (p_alpha >= 1) {\n\t\t\t\topacity = 255;\n\t\t\t} else {\n\t\t\t\topacity = (unsigned char) (p_alpha * 255.0);\n\t\t\t}\n\t\t\tif (!im->AA_polygon || (im->AA_opacity[py][px] < opacity)) {\n\t\t\t\tim->AA_opacity[py][px] = opacity;\n\t\t\t}\n\t\t}\n\t}\n}", "project": "php-src", "hash": 243068411841877551727728473444353136168, "size": 60, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295154 }, { "func": "NTSTATUS change_notify_add_request(struct smb_request *req,\n\t\t\t\tuint32_t max_param,\n\t\t\t\tuint32_t filter, bool recursive,\n\t\t\t\tstruct files_struct *fsp,\n\t\t\t\tvoid (*reply_fn)(struct smb_request *req,\n\t\t\t\t\tNTSTATUS error_code,\n\t\t\t\t\tuint8_t *buf, size_t len))\n{\n\tstruct notify_change_request *request = NULL;\n\tstruct notify_mid_map *map = NULL;\n\tstruct smbd_server_connection *sconn = req->sconn;\n\n\tDEBUG(10, (\"change_notify_add_request: Adding request for %s: \"\n\t\t \"max_param = %d\\n\", fsp_str_dbg(fsp), (int)max_param));\n\n\tif (!(request = talloc(NULL, struct notify_change_request))\n\t || !(map = talloc(request, struct notify_mid_map))) {\n\t\tTALLOC_FREE(request);\n\t\treturn NT_STATUS_NO_MEMORY;\n\t}\n\n\trequest->mid_map = map;\n\tmap->req = request;\n\n\trequest->req = talloc_move(request, &req);\n\trequest->max_param = max_param;\n\trequest->filter = filter;\n\trequest->fsp = fsp;\n\trequest->reply_fn = reply_fn;\n\trequest->backend_data = NULL;\n\n\tDLIST_ADD_END(fsp->notify->requests, request);\n\n\tmap->mid = 
request->req->mid;\n\tDLIST_ADD(sconn->smb1.notify_mid_maps, map);\n\n\treturn NT_STATUS_OK;\n}", "project": "samba", "hash": 118583988997943985443632655499366091650, "size": 38, "commit_id": "c300a85848350635e7ddd8129b31c4d439dc0f8a", "message": "s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.\n\nRemove knownfail entry.\n\nCVE-2020-14318\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14434\n\nSigned-off-by: Jeremy Allison ", "target": 0, "dataset": "other", "idx": 279694 }, { "func": "static void ok(void) {\n printf(\"OK\\n\");\n}", "project": "redis", "hash": 316072882934220172276043921018266000798, "size": 3, "commit_id": "789f10156009b404950ad717642a9496ed887083", "message": "Fix integer overflow in intset (CVE-2021-29478)\n\nAn integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and\npotentially result with remote code execution.\n\nThe vulnerability involves changing the default set-max-intset-entries\nconfiguration value, creating a large set key that consists of integer values\nand using the COPY command to duplicate it.\n\nThe integer overflow bug exists in all versions of Redis starting with 2.6,\nwhere it could result with a corrupted RDB or DUMP payload, but not exploited\nthrough COPY (which did not exist before 6.2).\n\n(cherry picked from commit 29900d4e6bccdf3691bedf0ea9a5d84863fa3592)", "target": 0, "dataset": "other", "idx": 290637 }, { "func": "int ssh_buffer_get_u32(struct ssh_buffer_struct *buffer, uint32_t *data){\n return ssh_buffer_get_data(buffer,data,sizeof(uint32_t));\n}", "project": "libssh-mirror", "hash": 285169253870957476981452766057989286867, "size": 3, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345150 }, { "func": "static zend_bool 
php_openssl_pkey_init_dh(DH *dh, zval *data)\n{\n\tBIGNUM *p, *q, *g, *priv_key, *pub_key;\n\n\tOPENSSL_PKEY_SET_BN(data, p);\n\tOPENSSL_PKEY_SET_BN(data, q);\n\tOPENSSL_PKEY_SET_BN(data, g);\n\tif (!p || !g || !DH_set0_pqg(dh, p, q, g)) {\n\t\treturn 0;\n\t}\n\n\tOPENSSL_PKEY_SET_BN(data, priv_key);\n\tOPENSSL_PKEY_SET_BN(data, pub_key);\n\tif (pub_key) {\n\t\treturn DH_set0_key(dh, pub_key, priv_key);\n\t}\n\tif (priv_key) {\n\t\tpub_key = php_openssl_dh_pub_from_priv(priv_key, g, p);\n\t\tif (pub_key == NULL) {\n\t\t\treturn 0;\n\t\t}\n\t\treturn DH_set0_key(dh, pub_key, priv_key);\n\t}\n\n\t/* generate key */\n\tPHP_OPENSSL_RAND_ADD_TIME();\n\tif (!DH_generate_key(dh)) {\n\t\tphp_openssl_store_errors();\n\t\treturn 0;\n\t}\n\t/* all good */\n\treturn 1;\n}", "project": "php-src", "hash": 34444835993650806866230095251800224357, "size": 33, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291397 }, { "func": "static int php_read_APP(const req::ptr& stream,\n unsigned int marker,\n Array& info) {\n unsigned short length;\n unsigned char markername[16];\n\n length = php_read2(stream);\n if (length < 2) {\n return 0;\n }\n length -= 2; /* length includes itself */\n\n String buffer;\n if (length == 0) {\n // avoid stream reads of length 0, they trigger a notice\n buffer = empty_string();\n } else {\n buffer = stream->read(length);\n }\n if (buffer.length() != length) {\n return 0;\n }\n\n snprintf((char*)markername, sizeof(markername), \"APP%d\", marker - M_APP0);\n\n if (!info.exists(String((const char *)markername))) {\n /* XXX we only catch the 1st tag of it's kind! 
*/\n info.set(String((char*)markername, CopyString), buffer);\n }\n\n return 1;\n}", "project": "hhvm", "hash": 184499463972099300653437506598108667077, "size": 32, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219256 }, { "func": "void gdImageSaveAlpha (gdImagePtr im, int saveAlphaArg)\n{\n\tim->saveAlphaFlag = saveAlphaArg;\n}", "project": "php-src", "hash": 8691106071209390475984095173646345506, "size": 4, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295121 }, { "func": "static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,\n\t\t\t\tstruct msghdr *msg, size_t msg_len,\n\t\t\t\tstruct sctp_transport *transport,\n\t\t\t\tstruct sctp_sndrcvinfo *sinfo)\n{\n\tstruct sock *sk = asoc->base.sk;\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct net *net = sock_net(sk);\n\tstruct sctp_datamsg *datamsg;\n\tbool wait_connect = false;\n\tstruct sctp_chunk *chunk;\n\tlong timeo;\n\tint err;\n\n\tif (sinfo->sinfo_stream >= asoc->stream.outcnt) {\n\t\terr = -EINVAL;\n\t\tgoto err;\n\t}\n\n\tif (unlikely(!SCTP_SO(&asoc->stream, sinfo->sinfo_stream)->ext)) {\n\t\terr = sctp_stream_init_ext(&asoc->stream, sinfo->sinfo_stream);\n\t\tif (err)\n\t\t\tgoto err;\n\t}\n\n\tif (sp->disable_fragments && msg_len > asoc->frag_point) {\n\t\terr = -EMSGSIZE;\n\t\tgoto err;\n\t}\n\n\tif (asoc->pmtu_pending) {\n\t\tif (sp->param_flags & SPP_PMTUD_ENABLE)\n\t\t\tsctp_assoc_sync_pmtu(asoc);\n\t\tasoc->pmtu_pending = 0;\n\t}\n\n\tif (sctp_wspace(asoc) < (int)msg_len)\n\t\tsctp_prsctp_prune(asoc, sinfo, msg_len - sctp_wspace(asoc));\n\n\tif (sk_under_memory_pressure(sk))\n\t\tsk_mem_reclaim(sk);\n\n\tif (sctp_wspace(asoc) <= 0 || !sk_wmem_schedule(sk, msg_len)) {\n\t\ttimeo = sock_sndtimeo(sk, 
msg->msg_flags & MSG_DONTWAIT);\n\t\terr = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);\n\t\tif (err)\n\t\t\tgoto err;\n\t}\n\n\tif (sctp_state(asoc, CLOSED)) {\n\t\terr = sctp_primitive_ASSOCIATE(net, asoc, NULL);\n\t\tif (err)\n\t\t\tgoto err;\n\n\t\tif (asoc->ep->intl_enable) {\n\t\t\ttimeo = sock_sndtimeo(sk, 0);\n\t\t\terr = sctp_wait_for_connect(asoc, &timeo);\n\t\t\tif (err) {\n\t\t\t\terr = -ESRCH;\n\t\t\t\tgoto err;\n\t\t\t}\n\t\t} else {\n\t\t\twait_connect = true;\n\t\t}\n\n\t\tpr_debug(\"%s: we associated primitively\\n\", __func__);\n\t}\n\n\tdatamsg = sctp_datamsg_from_user(asoc, sinfo, &msg->msg_iter);\n\tif (IS_ERR(datamsg)) {\n\t\terr = PTR_ERR(datamsg);\n\t\tgoto err;\n\t}\n\n\tasoc->force_delay = !!(msg->msg_flags & MSG_MORE);\n\n\tlist_for_each_entry(chunk, &datamsg->chunks, frag_list) {\n\t\tsctp_chunk_hold(chunk);\n\t\tsctp_set_owner_w(chunk);\n\t\tchunk->transport = transport;\n\t}\n\n\terr = sctp_primitive_SEND(net, asoc, datamsg);\n\tif (err) {\n\t\tsctp_datamsg_free(datamsg);\n\t\tgoto err;\n\t}\n\n\tpr_debug(\"%s: we sent primitively\\n\", __func__);\n\n\tsctp_datamsg_put(datamsg);\n\n\tif (unlikely(wait_connect)) {\n\t\ttimeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);\n\t\tsctp_wait_for_connect(asoc, &timeo);\n\t}\n\n\terr = msg_len;\n\nerr:\n\treturn err;\n}", "project": "linux", "hash": 103362433712281601101135224561331491565, "size": 102, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398070 }, { "func": "int preg_replace(Variant& result,\n const Variant& pattern,\n const Variant& replacement,\n const Variant& subject,\n int limit /* = -1 */) {\n int64_t count;\n result = preg_replace_impl(pattern, replacement, subject,\n limit, &count, false, false);\n return count;\n}", "project": "hhvm", "hash": 190112111537825916347863025124726436007, "size": 10, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219537 }, { "func": "TEST(BasicFlatBufferModel, TestHandleModelWithWhileOpContainsForwardingInput) {\n const auto model_path =\n \"tensorflow/lite/testdata/while_op_with_forwarding_input.bin\";\n\n std::unique_ptr model =\n FlatBufferModel::BuildFromFile(model_path);\n ASSERT_NE(model, nullptr);\n\n tflite::ops::builtin::BuiltinOpResolver resolver;\n InterpreterBuilder builder(*model, resolver);\n std::unique_ptr interpreter;\n ASSERT_EQ(builder(&interpreter), kTfLiteOk);\n ASSERT_NE(interpreter, nullptr);\n ASSERT_EQ(interpreter->AllocateTensors(), kTfLiteOk);\n\n int32_t* tensor_data = interpreter->typed_tensor(0);\n tensor_data[0] = 20;\n\n auto tensor = interpreter->tensor(1);\n DynamicBuffer buf;\n buf.AddString(\"a\", 1);\n buf.WriteToTensor(tensor, /*new_shape=*/nullptr);\n\n ASSERT_EQ(interpreter->Invoke(), kTfLiteOk);\n}", "project": "tensorflow", "hash": 
149778172559412625091812767025885306863, "size": 25, "commit_id": "c6173f5fe66cdbab74f4f869311fe6aae2ba35f4", "message": "TFLite: Error out when the graph has a recurion.\n\nRecursion is currently unsupported.\n\nPiperOrigin-RevId: 371708957\nChange-Id: I8dfad0d85cbfe08e39ae8ea7bad21254ddee5003", "target": 0, "dataset": "other", "idx": 269606 }, { "func": "TEST(BasicFlatBufferModel, TestUnsupportedRecursion) {\n const auto model_path =\n \"tensorflow/lite/testdata/unsupported_recursion.bin\";\n\n std::unique_ptr model =\n FlatBufferModel::BuildFromFile(model_path);\n ASSERT_NE(model, nullptr);\n\n tflite::ops::builtin::BuiltinOpResolver resolver;\n InterpreterBuilder builder(*model, resolver);\n std::unique_ptr interpreter;\n ASSERT_EQ(builder(&interpreter), kTfLiteOk);\n ASSERT_NE(interpreter, nullptr);\n ASSERT_NE(interpreter->AllocateTensors(), kTfLiteOk);\n}", "project": "tensorflow", "hash": 174032020806653432543125424957975132664, "size": 15, "commit_id": "c6173f5fe66cdbab74f4f869311fe6aae2ba35f4", "message": "TFLite: Error out when the graph has a recurion.\n\nRecursion is currently unsupported.\n\nPiperOrigin-RevId: 371708957\nChange-Id: I8dfad0d85cbfe08e39ae8ea7bad21254ddee5003", "target": 0, "dataset": "other", "idx": 269619 }, { "func": "void luaE_freeCI (lua_State *L) {\n CallInfo *ci = L->ci;\n CallInfo *next = ci->next;\n ci->next = NULL;\n L->nCcalls += L->nci; /* add removed elements back to 'nCcalls' */\n while ((ci = next) != NULL) {\n next = ci->next;\n luaM_free(L, ci);\n L->nci--;\n }\n L->nCcalls -= L->nci; /* adjust result */\n}", "project": "lua", "hash": 46353087241667831965012407407980233819, "size": 12, "commit_id": "a2195644d89812e5b157ce7bac35543e06db05e3", "message": "Fixed bug: invalid 'oldpc' when returning to a function\n\nThe field 'L->oldpc' is not always updated when control returns to a\nfunction; an invalid value can seg. 
fault when computing 'changedline'.\n(One example is an error in a finalizer; control can return to\n'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to\nfix all possible corner cases, it seems safer to be resilient to invalid\nvalues for 'oldpc'. Valid but wrong values at most cause an extra call\nto a line hook.", "target": 0, "dataset": "other", "idx": 462769 }, { "func": "void glyph_cache_free(rdpGlyphCache* glyphCache)\n{\n\tif (glyphCache)\n\t{\n\t\tint i;\n\t\tGLYPH_CACHE* cache = glyphCache->glyphCache;\n\n\t\tfor (i = 0; i < 10; i++)\n\t\t{\n\t\t\tUINT32 j;\n\t\t\trdpGlyph** entries = cache[i].entries;\n\n\t\t\tif (!entries)\n\t\t\t\tcontinue;\n\n\t\t\tfor (j = 0; j < cache[i].number; j++)\n\t\t\t{\n\t\t\t\trdpGlyph* glyph = entries[j];\n\n\t\t\t\tif (glyph)\n\t\t\t\t{\n\t\t\t\t\tglyph->Free(glyphCache->context, glyph);\n\t\t\t\t\tentries[j] = NULL;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tfree(entries);\n\t\t\tcache[i].entries = NULL;\n\t\t}\n\n\t\tif (glyphCache->fragCache.entries)\n\t\t{\n\t\t\tfor (i = 0; i < 256; i++)\n\t\t\t{\n\t\t\t\tfree(glyphCache->fragCache.entries[i].fragment);\n\t\t\t\tglyphCache->fragCache.entries[i].fragment = NULL;\n\t\t\t}\n\t\t}\n\n\t\tfree(glyphCache->fragCache.entries);\n\t\tfree(glyphCache);\n\t}\n}", "project": "FreeRDP", "hash": 130350073133737941637219233944262924689, "size": 43, "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 0, "dataset": "other", "idx": 432860 }, { "func": "static int kvm_hv_msr_get_crash_data(struct kvm *kvm, u32 index, u64 *pdata)\n{\n\tstruct kvm_hv *hv = to_kvm_hv(kvm);\n\tsize_t size = ARRAY_SIZE(hv->hv_crash_param);\n\n\tif (WARN_ON_ONCE(index >= size))\n\t\treturn -EINVAL;\n\n\t*pdata = hv->hv_crash_param[array_index_nospec(index, size)];\n\treturn 0;\n}", "project": "linux", "hash": 70180302856739069447007752963789230498, "size": 11, "commit_id": 
"919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343491 }, { "func": "void blosc2_free_ctx(blosc2_context* context) {\n release_threadpool(context);\n if (context->serial_context != NULL) {\n free_thread_context(context->serial_context);\n }\n if (context->dict_cdict != NULL) {\n#ifdef HAVE_ZSTD\n ZSTD_freeCDict(context->dict_cdict);\n#endif\n }\n if (context->dict_ddict != NULL) {\n#ifdef HAVE_ZSTD\n ZSTD_freeDDict(context->dict_ddict);\n#endif\n }\n if (context->btune != NULL) {\n btune_free(context);\n }\n if (context->prefilter != NULL) {\n my_free(context->pparams);\n }\n\n if (context->block_maskout != NULL) {\n free(context->block_maskout);\n }\n\n my_free(context);\n}", "project": "c-blosc2", "hash": 333309987100730678932855295352574517808, "size": 28, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303087 }, { "func": "static bool kvm_has_pckmo_ecc(struct kvm *kvm)\n{\n\t/* At least one ECC subfunction must be present */\n\treturn kvm_has_pckmo_subfunc(kvm, 32) ||\n\t kvm_has_pckmo_subfunc(kvm, 33) ||\n\t kvm_has_pckmo_subfunc(kvm, 34) ||\n\t kvm_has_pckmo_subfunc(kvm, 40) ||\n\t kvm_has_pckmo_subfunc(kvm, 41);\n\n}", "project": "linux", "hash": 265264512086858195894827749838339292660, "size": 10, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching 
through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354792 }, { "func": "CallResult JSObject::defineOwnPropertyInternal(\n Handle selfHandle,\n Runtime *runtime,\n SymbolID name,\n DefinePropertyFlags dpFlags,\n Handle<> valueOrAccessor,\n PropOpFlags opFlags) {\n assert(\n !opFlags.getMustExist() && \"cannot use mustExist with defineOwnProperty\");\n assert(\n !(dpFlags.setValue && dpFlags.isAccessor()) &&\n \"Cannot set both value and accessor\");\n assert(\n (dpFlags.setValue || dpFlags.isAccessor() ||\n valueOrAccessor.get().isUndefined()) &&\n \"value must be undefined when all of setValue/setSetter/setGetter are \"\n \"false\");\n#ifndef NDEBUG\n if (dpFlags.isAccessor()) {\n assert(valueOrAccessor.get().isPointer() && \"accessor must be non-empty\");\n assert(\n !dpFlags.setWritable && !dpFlags.writable &&\n \"writable must not be set with accessors\");\n }\n#endif\n\n // Is it an existing property.\n NamedPropertyDescriptor desc;\n auto pos = findProperty(selfHandle, runtime, name, desc);\n if (pos) {\n return updateOwnProperty(\n selfHandle,\n runtime,\n name,\n *pos,\n desc,\n dpFlags,\n valueOrAccessor,\n opFlags);\n }\n\n if (LLVM_UNLIKELY(\n selfHandle->flags_.lazyObject || selfHandle->flags_.proxyObject)) {\n if (selfHandle->flags_.proxyObject) {\n return JSProxy::defineOwnProperty(\n selfHandle,\n runtime,\n name.isUniqued() ? 
runtime->makeHandle(HermesValue::encodeStringValue(\n runtime->getStringPrimFromSymbolID(name)))\n : runtime->makeHandle(name),\n dpFlags,\n valueOrAccessor,\n opFlags);\n }\n assert(selfHandle->flags_.lazyObject && \"descriptor flags are impossible\");\n // if the property was not found and the object is lazy we need to\n // initialize it and try again.\n JSObject::initializeLazyObject(runtime, selfHandle);\n return defineOwnPropertyInternal(\n selfHandle, runtime, name, dpFlags, valueOrAccessor, opFlags);\n }\n\n return addOwnProperty(\n selfHandle, runtime, name, dpFlags, valueOrAccessor, opFlags);\n}", "project": "hermes", "hash": 21065497932904177461924516413647200910, "size": 65, "commit_id": "8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0", "message": "Handle set where internalSetter and Proxy are both true\n\nSummary:\nIf putComputed is called on a proxy whose target's prototype\nis an array with a propname of 'length', then internalSetter will be\ntrue, and the receiver will be a proxy. 
In that case, proxy needs to\nwin; the behavior may assert or be UB otherwise.\n\nReviewed By: tmikov\n\nDifferential Revision: D23916279\n\nfbshipit-source-id: c760356d48a02ece565fb4bc1acdafd7ccad7c68", "target": 0, "dataset": "other", "idx": 259372 }, { "func": "static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)\n{\n\tunsigned int off;\t/* Offset of last byte */\n\tu8 *addr = page_address(page);\n\n\tprint_tracking(s, p);\n\n\tprint_page_info(page);\n\n\tpr_err(\"INFO: Object 0x%p @offset=%tu fp=0x%p\\n\\n\",\n\t p, p - addr, get_freepointer(s, p));\n\n\tif (s->flags & SLAB_RED_ZONE)\n\t\tprint_section(KERN_ERR, \"Redzone \", p - s->red_left_pad,\n\t\t\t s->red_left_pad);\n\telse if (p > addr + 16)\n\t\tprint_section(KERN_ERR, \"Bytes b4 \", p - 16, 16);\n\n\tprint_section(KERN_ERR, \"Object \", p,\n\t\t min_t(unsigned int, s->object_size, PAGE_SIZE));\n\tif (s->flags & SLAB_RED_ZONE)\n\t\tprint_section(KERN_ERR, \"Redzone \", p + s->object_size,\n\t\t\ts->inuse - s->object_size);\n\n\tif (s->offset)\n\t\toff = s->offset + sizeof(void *);\n\telse\n\t\toff = s->inuse;\n\n\tif (s->flags & SLAB_STORE_USER)\n\t\toff += 2 * sizeof(struct track);\n\n\toff += kasan_metadata_size(s);\n\n\tif (off != size_from_object(s))\n\t\t/* Beginning of the filler is the free pointer */\n\t\tprint_section(KERN_ERR, \"Padding \", p + off,\n\t\t\t size_from_object(s) - off);\n\n\tdump_stack();\n}", "project": "linux", "hash": 260503442673333059205175657686967068824, "size": 41, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280077 }, { "func": "\nstatic void bfq_finish_requeue_request_body(struct bfq_queue *bfqq)\n{\n\tbfqq->allocated--;\n\n\tbfq_put_queue(bfqq);", "project": "linux", "hash": 15180872770373103066820361103885384243, "size": 6, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453328 }, { "func": "void task_clear_jobctl_pending(struct task_struct *task, unsigned long mask)\n{\n\tBUG_ON(mask & ~JOBCTL_PENDING_MASK);\n\n\tif (mask & JOBCTL_STOP_PENDING)\n\t\tmask |= JOBCTL_STOP_CONSUME | JOBCTL_STOP_DEQUEUED;\n\n\ttask->jobctl &= ~mask;\n\n\tif (!(task->jobctl & JOBCTL_PENDING_MASK))\n\t\ttask_clear_jobctl_trapping(task);\n}", "project": "linux", "hash": 13107368121143510669841028043182224858, "size": 12, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375237 }, { "func": "static int mt_input_mapping(struct hid_device *hdev, struct hid_input *hi,\n\t\tstruct hid_field *field, struct hid_usage *usage,\n\t\tunsigned long **bit, int *max)\n{\n\tstruct mt_device *td = hid_get_drvdata(hdev);\n\tstruct mt_application *application;\n\tstruct mt_report_data *rdata;\n\n\trdata = mt_find_report_data(td, field->report);\n\tif (!rdata) {\n\t\thid_err(hdev, \"failed to allocate data for report\\n\");\n\t\treturn 0;\n\t}\n\n\tapplication = rdata->application;\n\n\t/*\n\t * If mtclass.export_all_inputs is not set, only map fields from\n\t * TouchScreen or TouchPad collections. 
We need to ignore fields\n\t * that belong to other collections such as Mouse that might have\n\t * the same GenericDesktop usages.\n\t */\n\tif (!td->mtclass.export_all_inputs &&\n\t field->application != HID_DG_TOUCHSCREEN &&\n\t field->application != HID_DG_PEN &&\n\t field->application != HID_DG_TOUCHPAD &&\n\t field->application != HID_GD_KEYBOARD &&\n\t field->application != HID_GD_SYSTEM_CONTROL &&\n\t field->application != HID_CP_CONSUMER_CONTROL &&\n\t field->application != HID_GD_WIRELESS_RADIO_CTLS &&\n\t field->application != HID_GD_SYSTEM_MULTIAXIS &&\n\t !(field->application == HID_VD_ASUS_CUSTOM_MEDIA_KEYS &&\n\t application->quirks & MT_QUIRK_ASUS_CUSTOM_UP))\n\t\treturn -1;\n\n\t/*\n\t * Some Asus keyboard+touchpad devices have the hotkeys defined in the\n\t * touchpad report descriptor. We need to treat these as an array to\n\t * map usages to input keys.\n\t */\n\tif (field->application == HID_VD_ASUS_CUSTOM_MEDIA_KEYS &&\n\t application->quirks & MT_QUIRK_ASUS_CUSTOM_UP &&\n\t (usage->hid & HID_USAGE_PAGE) == HID_UP_CUSTOM) {\n\t\tset_bit(EV_REP, hi->input->evbit);\n\t\tif (field->flags & HID_MAIN_ITEM_VARIABLE)\n\t\t\tfield->flags &= ~HID_MAIN_ITEM_VARIABLE;\n\t\tswitch (usage->hid & HID_USAGE) {\n\t\tcase 0x10: mt_map_key_clear(KEY_BRIGHTNESSDOWN);\tbreak;\n\t\tcase 0x20: mt_map_key_clear(KEY_BRIGHTNESSUP);\t\tbreak;\n\t\tcase 0x35: mt_map_key_clear(KEY_DISPLAY_OFF);\t\tbreak;\n\t\tcase 0x6b: mt_map_key_clear(KEY_F21);\t\t\tbreak;\n\t\tcase 0x6c: mt_map_key_clear(KEY_SLEEP);\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn -1;\n\t\t}\n\t\treturn 1;\n\t}\n\n\tif (rdata->is_mt_collection)\n\t\treturn mt_touch_input_mapping(hdev, hi, field, usage, bit, max,\n\t\t\t\t\t application);\n\n\t/*\n\t * some egalax touchscreens have \"application == DG_TOUCHSCREEN\"\n\t * for the stylus. 
Overwrite the hid_input application\n\t */\n\tif (field->physical == HID_DG_STYLUS)\n\t\thi->application = HID_DG_STYLUS;\n\n\t/* let hid-core decide for the others */\n\treturn 0;\n}", "project": "linux", "hash": 60680495206940875179148294861750513164, "size": 72, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458398 }, { "func": "static void nfs4_sync_open_stateid(nfs4_stateid *dst,\n\t\tstruct nfs4_state *state)\n{\n\t__be32 seqid_open;\n\tu32 dst_seqid;\n\tint seq;\n\n\tfor (;;) {\n\t\tif (!nfs4_valid_open_stateid(state))\n\t\t\tbreak;\n\t\tseq = read_seqbegin(&state->seqlock);\n\t\tif (!nfs4_state_match_open_stateid_other(state, dst)) {\n\t\t\tnfs4_stateid_copy(dst, &state->open_stateid);\n\t\t\tif (read_seqretry(&state->seqlock, seq))\n\t\t\t\tcontinue;\n\t\t\tbreak;\n\t\t}\n\t\tseqid_open = state->open_stateid.seqid;\n\t\tif (read_seqretry(&state->seqlock, seq))\n\t\t\tcontinue;\n\n\t\tdst_seqid = be32_to_cpu(dst->seqid);\n\t\tif ((s32)(dst_seqid - be32_to_cpu(seqid_open)) < 0)\n\t\t\tdst->seqid = seqid_open;\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 240136487644322906795396379700369445830, "size": 
27, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431451 }, { "func": "static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype,\n\t\t\t\t const struct nf_conntrack_zone *zone, int dir)\n{\n\tif (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir)\n\t\treturn 0;\n\tif (nla_put_be16(skb, attrtype, htons(zone->id)))\n\t\tgoto nla_put_failure;\n\treturn 0;\n\nnla_put_failure:\n\treturn -1;\n}", "project": "linux", "hash": 47315560437790967512731712436236086323, "size": 12, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. 
MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394248 }, { "func": "DLLEXPORT int DLLCALL tjDecompress2(tjhandle handle,\n\tconst unsigned char *jpegBuf, unsigned long jpegSize, unsigned char *dstBuf,\n\tint width, int pitch, int height, int pixelFormat, int flags)\n{\n\tint i, retval=0; JSAMPROW *row_pointer=NULL;\n\tint jpegwidth, jpegheight, scaledw, scaledh;\n\t#ifndef JCS_EXTENSIONS\n\tunsigned char *rgbBuf=NULL;\n\tunsigned char *_dstBuf=NULL; int _pitch=0;\n\t#endif\n\n\tgetdinstance(handle);\n\tif((this->init&DECOMPRESS)==0)\n\t\t_throw(\"tjDecompress2(): Instance has not been initialized for decompression\");\n\n\tif(jpegBuf==NULL || jpegSize<=0 || dstBuf==NULL || width<0 || pitch<0\n\t\t|| height<0 || pixelFormat<0 || pixelFormat>=TJ_NUMPF)\n\t\t_throw(\"tjDecompress2(): Invalid argument\");\n\n#ifndef NO_PUTENV\n\tif(flags&TJFLAG_FORCEMMX) putenv(\"JSIMD_FORCEMMX=1\");\n\telse if(flags&TJFLAG_FORCESSE) putenv(\"JSIMD_FORCESSE=1\");\n\telse if(flags&TJFLAG_FORCESSE2) putenv(\"JSIMD_FORCESSE2=1\");\n#endif\n\n\tif(setjmp(this->jerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has 
signaled an error. */\n\t\tretval=-1; goto bailout;\n\t}\n\n\tjpeg_mem_src_tj(dinfo, jpegBuf, jpegSize);\n\tjpeg_read_header(dinfo, TRUE);\n\tif(setDecompDefaults(dinfo, pixelFormat, flags)==-1)\n\t{\n\t\tretval=-1; goto bailout;\n\t}\n\n\tif(flags&TJFLAG_FASTUPSAMPLE) dinfo->do_fancy_upsampling=FALSE;\n\n\tjpegwidth=dinfo->image_width; jpegheight=dinfo->image_height;\n\tif(width==0) width=jpegwidth;\n\tif(height==0) height=jpegheight;\n\tfor(i=0; i=NUMSF)\n\t\t_throw(\"tjDecompress2(): Could not scale down to desired image dimensions\");\n\twidth=scaledw; height=scaledh;\n\tdinfo->scale_num=sf[i].num;\n\tdinfo->scale_denom=sf[i].denom;\n\n\tjpeg_start_decompress(dinfo);\n\tif(pitch==0) pitch=dinfo->output_width*tjPixelSize[pixelFormat];\n\n\t#ifndef JCS_EXTENSIONS\n\tif(pixelFormat!=TJPF_GRAY && pixelFormat!=TJPF_CMYK &&\n\t\t(RGB_RED!=tjRedOffset[pixelFormat] ||\n\t\t\tRGB_GREEN!=tjGreenOffset[pixelFormat] ||\n\t\t\tRGB_BLUE!=tjBlueOffset[pixelFormat] ||\n\t\t\tRGB_PIXELSIZE!=tjPixelSize[pixelFormat]))\n\t{\n\t\trgbBuf=(unsigned char *)malloc(width*height*3);\n\t\tif(!rgbBuf) _throw(\"tjDecompress2(): Memory allocation failure\");\n\t\t_pitch=pitch; pitch=width*3;\n\t\t_dstBuf=dstBuf; dstBuf=rgbBuf;\n\t}\n\t#endif\n\n\tif((row_pointer=(JSAMPROW *)malloc(sizeof(JSAMPROW)\n\t\t*dinfo->output_height))==NULL)\n\t\t_throw(\"tjDecompress2(): Memory allocation failure\");\n\tif(setjmp(this->jerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. 
*/\n\t\tretval=-1; goto bailout;\n\t}\n\tfor(i=0; i<(int)dinfo->output_height; i++)\n\t{\n\t\tif(flags&TJFLAG_BOTTOMUP)\n\t\t\trow_pointer[i]=&dstBuf[(dinfo->output_height-i-1)*pitch];\n\t\telse row_pointer[i]=&dstBuf[i*pitch];\n\t}\n\twhile(dinfo->output_scanlineoutput_height)\n\t{\n\t\tjpeg_read_scanlines(dinfo, &row_pointer[dinfo->output_scanline],\n\t\t\tdinfo->output_height-dinfo->output_scanline);\n\t}\n\tjpeg_finish_decompress(dinfo);\n\n\t#ifndef JCS_EXTENSIONS\n\tfromRGB(rgbBuf, _dstBuf, width, _pitch, height, pixelFormat);\n\t#endif\n\n\tbailout:\n\tif(dinfo->global_state>DSTATE_START) jpeg_abort_decompress(dinfo);\n\t#ifndef JCS_EXTENSIONS\n\tif(rgbBuf) free(rgbBuf);\n\t#endif\n\tif(row_pointer) free(row_pointer);\n\tif(this->jerr.warning) retval=-1;\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 42452489155834111655557792790084317150, "size": 107, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311104 }, { "func": "DLLEXPORT int DLLCALL tjDecompressHeader2(tjhandle handle,\n\tunsigned char *jpegBuf, unsigned long jpegSize, int *width, int *height,\n\tint *jpegSubsamp)\n{\n\tint jpegColorspace;\n\treturn tjDecompressHeader3(handle, jpegBuf, jpegSize, width, height,\n\t\tjpegSubsamp, &jpegColorspace);\n}", "project": "libjpeg-turbo", "hash": 115667287993398574997587387939403421762, "size": 8, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... 
when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311128 }, { "func": "static void autocomplete_functions (RCore *core, RLineCompletion *completion, const char* str) {\n\tr_return_if_fail (str);\n\tRListIter *iter;\n\tRAnalFunction *fcn;\n\tint n = strlen (str);\n\tr_list_foreach (core->anal->fcns, iter, fcn) {\n\t\tchar *name = r_core_anal_fcn_name (core, fcn);\n\t\tif (!strncmp (name, str, n)) {\n\t\t\tr_line_completion_push (completion, name);\n\t\t}\n\t\tfree (name);\n\t}\n}", "project": "radare2", "hash": 257178471110263415709848477931173805682, "size": 13, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232151 }, { "func": "void object_err(struct kmem_cache *s, struct page *page,\n\t\t\tu8 *object, char *reason)\n{\n\tslab_bug(s, \"%s\", reason);\n\tprint_trailer(s, page, object);\n}", "project": "linux", "hash": 137506395319502246501611094432414234258, "size": 6, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280091 }, { "func": "static int verify_not_halted(struct usbtest_dev *tdev, int ep, struct urb *urb)\n{\n\tint\tretval;\n\tu16\tstatus;\n\n\t/* shouldn't look or act halted */\n\tretval = usb_get_std_status(urb->dev, USB_RECIP_ENDPOINT, ep, &status);\n\tif (retval < 0) {\n\t\tERROR(tdev, \"ep %02x couldn't get no-halt status, %d\\n\",\n\t\t\t\tep, retval);\n\t\treturn retval;\n\t}\n\tif (status != 0) {\n\t\tERROR(tdev, \"ep %02x bogus status: %04x != 0\\n\", ep, status);\n\t\treturn -EINVAL;\n\t}\n\tretval = simple_io(tdev, urb, 1, 0, 0, __func__);\n\tif (retval != 0)\n\t\treturn -EINVAL;\n\treturn 0;\n}", "project": "linux", "hash": 187702861264136962100943021183130632597, "size": 21, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] 
usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412271 }, { "func": "static int exec_mmap(struct mm_struct *mm)\n{\n\tstruct task_struct *tsk;\n\tstruct mm_struct *old_mm, *active_mm;\n\tint ret;\n\n\t/* Notify parent that we're no longer interested in the old VM */\n\ttsk = current;\n\told_mm = current->mm;\n\texec_mm_release(tsk, old_mm);\n\n\tret = mutex_lock_killable(&tsk->signal->exec_update_mutex);\n\tif (ret)\n\t\treturn ret;\n\n\tif (old_mm) {\n\t\tsync_mm_rss(old_mm);\n\t\t/*\n\t\t * Make sure that if there is a core dump in progress\n\t\t * for the old mm, we get out and die instead of going\n\t\t * through with the exec. 
We must hold mmap_sem around\n\t\t * checking core_state and changing tsk->mm.\n\t\t */\n\t\tdown_read(&old_mm->mmap_sem);\n\t\tif (unlikely(old_mm->core_state)) {\n\t\t\tup_read(&old_mm->mmap_sem);\n\t\t\tmutex_unlock(&tsk->signal->exec_update_mutex);\n\t\t\treturn -EINTR;\n\t\t}\n\t}\n\n\ttask_lock(tsk);\n\tactive_mm = tsk->active_mm;\n\tmembarrier_exec_mmap(mm);\n\ttsk->mm = mm;\n\ttsk->active_mm = mm;\n\tactivate_mm(active_mm, mm);\n\ttsk->mm->vmacache_seqnum = 0;\n\tvmacache_flush(tsk);\n\ttask_unlock(tsk);\n\tif (old_mm) {\n\t\tup_read(&old_mm->mmap_sem);\n\t\tBUG_ON(active_mm != old_mm);\n\t\tsetmax_mm_hiwater_rss(&tsk->signal->maxrss, old_mm);\n\t\tmm_update_next_owner(old_mm);\n\t\tmmput(old_mm);\n\t\treturn 0;\n\t}\n\tmmdrop(active_mm);\n\treturn 0;\n}", "project": "linux", "hash": 17535904503300523865822925492055166297, "size": 51, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. 
Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375245 }, { "func": "static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)\n{\n\tstruct nft_rule *rule;\n\tunsigned int alloc = 0;\n\tint i;\n\n\t/* already handled or inactive chain? */\n\tif (chain->rules_next || !nft_is_active_next(net, chain))\n\t\treturn 0;\n\n\trule = list_entry(&chain->rules, struct nft_rule, list);\n\ti = 0;\n\n\tlist_for_each_entry_continue(rule, &chain->rules, list) {\n\t\tif (nft_is_active_next(net, rule))\n\t\t\talloc++;\n\t}\n\n\tchain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);\n\tif (!chain->rules_next)\n\t\treturn -ENOMEM;\n\n\tlist_for_each_entry_continue(rule, &chain->rules, list) {\n\t\tif (nft_is_active_next(net, rule))\n\t\t\tchain->rules_next[i++] = rule;\n\t}\n\n\tchain->rules_next[i] = NULL;\n\treturn 0;\n}", "project": "linux", "hash": 160159816118374056234448678241341568657, "size": 30, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. 
Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328371 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " void InitializeWithConfigAndStatus(const VideoDecoderConfig& config,\n PipelineStatus status) {\n EXPECT_CALL(*demuxer_, video_decoder_config())\n .WillOnce(ReturnRef(config));\n\n decoder_->Initialize(demuxer_, NewExpectedStatusCB(status),\n base::Bind(&MockStatisticsCB::OnStatistics,\n base::Unretained(&statistics_cb_)));\n\n message_loop_.RunAllPending();\n }\n", "cwe": "", "big_vul_idx": 113342, "idx": 101634, "hash": 315109784387978099933791325489358144178 }, { "func": "ring_set_paused(const struct intel_engine_cs *engine, int state)\n{\n\t/*\n\t * We inspect HWS_PREEMPT with a semaphore inside\n\t * engine->emit_fini_breadcrumb. 
If the dword is true,\n\t * the ring is paused as the semaphore will busywait\n\t * until the dword is false.\n\t */\n\tengine->status_page.addr[I915_GEM_HWS_PREEMPT] = state;\n\tif (state)\n\t\twmb();\n}", "project": "linux", "hash": 248898407134235592184089874189948073172, "size": 12, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281545 }, { "func": "int kvm_unmap_gfn(struct kvm_vcpu *vcpu, struct kvm_host_map *map, \n\t\t struct gfn_to_pfn_cache *cache, bool dirty, bool atomic)\n{\n\t__kvm_unmap_gfn(gfn_to_memslot(vcpu->kvm, map->gfn), map,\n\t\t\tcache, dirty, atomic);\n\treturn 0;\n}", "project": "linux", "hash": 213689833342692058828783883884105577767, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used 
slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354516 }, { "func": "int kvm_unmap_gfn(struct kvm_vcpu *vcpu, struct kvm_host_map *map, \n\t\t struct gfn_to_pfn_cache *cache, bool dirty, bool atomic)\n{\n\t__kvm_unmap_gfn(vcpu->kvm, gfn_to_memslot(vcpu->kvm, map->gfn), map,\n\t\t\tcache, dirty, atomic);\n\treturn 0;\n}", "project": "linux", "hash": 196027887669338639849560290998315501911, "size": 7, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404094 }, { "func": "static int kvm_clear_stat_per_vcpu(struct kvm *kvm, size_t offset)\n{\n\tint i;\n\tstruct kvm_vcpu *vcpu;\n\n\tkvm_for_each_vcpu(i, vcpu, kvm)\n\t\t*(u64 *)((void *)vcpu + offset) = 0;\n\n\treturn 0;\n}", "project": "linux", "hash": 155383129052336713946070307517677971811, "size": 10, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan 
out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354706 }, { "func": " Classifier (const char *&ptr, int size)\n {\n if (size <= 0) \n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \" (truncated rule).\");\n \n {\n char suffix[Name::SIZE];\n memset (suffix, 0, Name::SIZE);\n Xdr::read (ptr, std::min(size, Name::SIZE-1), suffix);\n _suffix = std::string(suffix);\n }\n\n if (static_cast(size) < _suffix.length() + 1 + 2*Xdr::size()) \n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \" (truncated rule).\");\n\n char value;\n Xdr::read (ptr, value);\n\n _cscIdx = (int)(value >> 4) - 1;\n if (_cscIdx < -1 || _cscIdx >= 3) \n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \" (corrupt cscIdx rule).\");\n\n _scheme = (CompressorScheme)((value >> 2) & 3);\n if (_scheme < 0 || _scheme >= NUM_COMPRESSOR_SCHEMES) \n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \" (corrupt scheme rule).\");\n\n _caseInsensitive = (value & 1 ? 
true : false);\n\n Xdr::read (ptr, value);\n if (value < 0 || value >= NUM_PIXELTYPES) \n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \" (corrupt rule).\");\n _type = (PixelType)value;\n }", "project": "openexr", "hash": 286477158467248343403232113020885568232, "size": 38, "commit_id": "3eda5d70aba127bae9bd6bae9956fcf024b64031", "message": "fixes for DWA uncompress: sanity check unknown data reading, off-by-one error on max suffix string length\n\nSigned-off-by: Peter Hillman ", "target": 1, "dataset": "other", "idx": 210760 }, { "func": " Classifier (const char *&ptr, int size)\n {\n if (size <= 0) \n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \" (truncated rule).\");\n \n {\n // maximum length of string plus one byte for terminating NULL\n char suffix[Name::SIZE+1];\n memset (suffix, 0, Name::SIZE+1);\n Xdr::read (ptr, std::min(size, Name::SIZE-1), suffix);\n _suffix = std::string(suffix);\n }\n\n if (static_cast(size) < _suffix.length() + 1 + 2*Xdr::size()) \n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \" (truncated rule).\");\n\n char value;\n Xdr::read (ptr, value);\n\n _cscIdx = (int)(value >> 4) - 1;\n if (_cscIdx < -1 || _cscIdx >= 3) \n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \" (corrupt cscIdx rule).\");\n\n _scheme = (CompressorScheme)((value >> 2) & 3);\n if (_scheme < 0 || _scheme >= NUM_COMPRESSOR_SCHEMES) \n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \" (corrupt scheme rule).\");\n\n _caseInsensitive = (value & 1 ? 
true : false);\n\n Xdr::read (ptr, value);\n if (value < 0 || value >= NUM_PIXELTYPES) \n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \" (corrupt rule).\");\n _type = (PixelType)value;\n }", "project": "openexr", "hash": 259403700882642134149486624904642429148, "size": 39, "commit_id": "3eda5d70aba127bae9bd6bae9956fcf024b64031", "message": "fixes for DWA uncompress: sanity check unknown data reading, off-by-one error on max suffix string length\n\nSigned-off-by: Peter Hillman ", "target": 0, "dataset": "other", "idx": 440093 }, { "func": "OPJ_SIZE_T opj_tcd_get_encoder_input_buffer_size(opj_tcd_t *p_tcd)\n{\n OPJ_UINT32 i;\n OPJ_SIZE_T l_data_size = 0;\n opj_image_comp_t * l_img_comp = 00;\n opj_tcd_tilecomp_t * l_tilec = 00;\n OPJ_UINT32 l_size_comp, l_remaining;\n\n l_tilec = p_tcd->tcd_image->tiles->comps;\n l_img_comp = p_tcd->image->comps;\n for (i = 0; i < p_tcd->image->numcomps; ++i) {\n l_size_comp = l_img_comp->prec >> 3; /*(/ 8)*/\n l_remaining = l_img_comp->prec & 7; /* (%8) */\n\n if (l_remaining) {\n ++l_size_comp;\n }\n\n if (l_size_comp == 3) {\n l_size_comp = 4;\n }\n\n l_data_size += l_size_comp * ((OPJ_SIZE_T)(l_tilec->x1 - l_tilec->x0) *\n (OPJ_SIZE_T)(l_tilec->y1 - l_tilec->y0));\n ++l_img_comp;\n ++l_tilec;\n }\n\n return l_data_size;\n}", "project": "openjpeg", "hash": 192839040079697903158200708848588910274, "size": 30, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359180 }, { "func": "static int fuse_verify_xattr_list(char *list, size_t size)\n{\n\tsize_t origsize = size;\n\n\twhile (size) {\n\t\tsize_t thislen = strnlen(list, size);\n\n\t\tif (!thislen || thislen == size)\n\t\t\treturn -EIO;\n\n\t\tsize -= thislen + 1;\n\t\tlist += thislen + 1;\n\t}\n\n\treturn origsize;\n}", "project": "linux", "hash": 219212144442867012704408516553891994773, "size": 16, "commit_id": 
"5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342020 }, { "func": "void kvm_get_kvm(struct kvm *kvm)\n{\n\trefcount_inc(&kvm->users_count);\n}", "project": "linux", "hash": 207834963729634953758844904057522468950, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354451 }, { "func": "static int sctp_setsockopt_connectx_old(struct sock *sk,\n\t\t\t\t\tstruct sockaddr *kaddrs,\n\t\t\t\t\tint 
addrs_size)\n{\n\treturn __sctp_setsockopt_connectx(sk, kaddrs, addrs_size, NULL);\n}", "project": "linux", "hash": 94484487606027500468525843917198271202, "size": 6, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398184 }, { "func": "static int input_get_disposition(struct input_dev *dev,\n\t\t\t unsigned int type, unsigned int code, int *pval)\n{\n\tint disposition = INPUT_IGNORE_EVENT;\n\tint value = *pval;\n\n\tswitch (type) {\n\n\tcase EV_SYN:\n\t\tswitch (code) {\n\t\tcase SYN_CONFIG:\n\t\t\tdisposition = INPUT_PASS_TO_ALL;\n\t\t\tbreak;\n\n\t\tcase SYN_REPORT:\n\t\t\tdisposition = INPUT_PASS_TO_HANDLERS | INPUT_FLUSH;\n\t\t\tbreak;\n\t\tcase SYN_MT_REPORT:\n\t\t\tdisposition = INPUT_PASS_TO_HANDLERS;\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\n\tcase EV_KEY:\n\t\tif (is_event_supported(code, dev->keybit, KEY_MAX)) {\n\n\t\t\t/* auto-repeat bypasses state updates */\n\t\t\tif (value == 2) {\n\t\t\t\tdisposition = INPUT_PASS_TO_HANDLERS;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tif (!!test_bit(code, dev->key) != !!value) {\n\n\t\t\t\t__change_bit(code, dev->key);\n\t\t\t\tdisposition = INPUT_PASS_TO_HANDLERS;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\tcase EV_SW:\n\t\tif (is_event_supported(code, dev->swbit, SW_MAX) &&\n\t\t !!test_bit(code, dev->sw) != !!value) {\n\n\t\t\t__change_bit(code, dev->sw);\n\t\t\tdisposition = INPUT_PASS_TO_HANDLERS;\n\t\t}\n\t\tbreak;\n\n\tcase EV_ABS:\n\t\tif (is_event_supported(code, dev->absbit, ABS_MAX))\n\t\t\tdisposition = input_handle_abs_event(dev, code, &value);\n\n\t\tbreak;\n\n\tcase EV_REL:\n\t\tif (is_event_supported(code, dev->relbit, REL_MAX) && value)\n\t\t\tdisposition = INPUT_PASS_TO_HANDLERS;\n\n\t\tbreak;\n\n\tcase EV_MSC:\n\t\tif (is_event_supported(code, dev->mscbit, MSC_MAX))\n\t\t\tdisposition = INPUT_PASS_TO_ALL;\n\n\t\tbreak;\n\n\tcase EV_LED:\n\t\tif (is_event_supported(code, dev->ledbit, LED_MAX) &&\n\t\t !!test_bit(code, dev->led) != !!value) {\n\n\t\t\t__change_bit(code, dev->led);\n\t\t\tdisposition = INPUT_PASS_TO_ALL;\n\t\t}\n\t\tbreak;\n\n\tcase EV_SND:\n\t\tif (is_event_supported(code, dev->sndbit, SND_MAX)) {\n\n\t\t\tif (!!test_bit(code, dev->snd) != 
!!value)\n\t\t\t\t__change_bit(code, dev->snd);\n\t\t\tdisposition = INPUT_PASS_TO_ALL;\n\t\t}\n\t\tbreak;\n\n\tcase EV_REP:\n\t\tif (code <= REP_MAX && value >= 0 && dev->rep[code] != value) {\n\t\t\tdev->rep[code] = value;\n\t\t\tdisposition = INPUT_PASS_TO_ALL;\n\t\t}\n\t\tbreak;\n\n\tcase EV_FF:\n\t\tif (value >= 0)\n\t\t\tdisposition = INPUT_PASS_TO_ALL;\n\t\tbreak;\n\n\tcase EV_PWR:\n\t\tdisposition = INPUT_PASS_TO_ALL;\n\t\tbreak;\n\t}\n\n\t*pval = value;\n\treturn disposition;\n}", "project": "linux", "hash": 178256562105453141700802006306123785642, "size": 105, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353369 }, { "func": "UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLength) {\n if(!isWritable() || srcLength == 0 || srcChars == NULL) {\n return *this;\n }\n\n // Perform all remaining operations relative to srcChars + srcStart.\n // From this point forward, do not use srcStart.\n srcChars += srcStart;\n\n if(srcLength < 0) {\n // get the srcLength if necessary\n if((srcLength = u_strlen(srcChars)) == 0) {\n return *this;\n }\n }\n\n int32_t oldLength = length();\n int32_t newLength = oldLength + srcLength;\n\n // Check for append onto ourself\n const UChar* oldArray = getArrayStart();\n if (isBufferWritable() &&\n oldArray < srcChars + srcLength &&\n srcChars < oldArray + oldLength) {\n // Copy into a 
new UnicodeString and start over\n UnicodeString copy(srcChars, srcLength);\n if (copy.isBogus()) {\n setToBogus();\n return *this;\n }\n return doAppend(copy.getArrayStart(), 0, srcLength);\n }\n\n // optimize append() onto a large-enough, owned string\n if((newLength <= getCapacity() && isBufferWritable()) ||\n cloneArrayIfNeeded(newLength, getGrowCapacity(newLength))) {\n UChar *newArray = getArrayStart();\n // Do not copy characters when\n // UChar *buffer=str.getAppendBuffer(...);\n // is followed by\n // str.append(buffer, length);\n // or\n // str.appendString(buffer, length)\n // or similar.\n if(srcChars != newArray + oldLength) {\n us_arrayCopy(srcChars, 0, newArray, oldLength, srcLength);\n }\n setLength(newLength);\n }\n return *this;\n}", "project": "icu", "hash": 78872655036842327692103499513475894622, "size": 51, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 1, "dataset": "other", "idx": 210237 }, { "func": "UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLength) {\n if(!isWritable() || srcLength == 0 || srcChars == NULL) {\n return *this;\n }\n\n // Perform all remaining operations relative to srcChars + srcStart.\n // From this point forward, do not use srcStart.\n srcChars += srcStart;\n\n if(srcLength < 0) {\n // get the srcLength if necessary\n if((srcLength = u_strlen(srcChars)) == 0) {\n return *this;\n }\n }\n\n int32_t oldLength = length();\n int32_t newLength;\n if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {\n setToBogus();\n return *this;\n }\n\n // Check for append onto ourself\n const UChar* oldArray = getArrayStart();\n if (isBufferWritable() &&\n oldArray < srcChars + srcLength &&\n srcChars < oldArray + oldLength) {\n // Copy into a new UnicodeString and start over\n UnicodeString copy(srcChars, srcLength);\n if (copy.isBogus()) {\n setToBogus();\n return *this;\n }\n return doAppend(copy.getArrayStart(), 0, 
srcLength);\n }\n\n // optimize append() onto a large-enough, owned string\n if((newLength <= getCapacity() && isBufferWritable()) ||\n cloneArrayIfNeeded(newLength, getGrowCapacity(newLength))) {\n UChar *newArray = getArrayStart();\n // Do not copy characters when\n // UChar *buffer=str.getAppendBuffer(...);\n // is followed by\n // str.append(buffer, length);\n // or\n // str.appendString(buffer, length)\n // or similar.\n if(srcChars != newArray + oldLength) {\n us_arrayCopy(srcChars, 0, newArray, oldLength, srcLength);\n }\n setLength(newLength);\n }\n return *this;\n}", "project": "icu", "hash": 202583290338277335296873764122279909646, "size": 55, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430797 }, { "func": "UnicodeString::doAppend(const UnicodeString& src, int32_t srcStart, int32_t srcLength) {\n if(srcLength == 0) {\n return *this;\n }\n\n // pin the indices to legal values\n src.pinIndices(srcStart, srcLength);\n return doAppend(src.getArrayStart(), srcStart, srcLength);\n}", "project": "icu", "hash": 65476343672826471883692374059480928952, "size": 9, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430827 }, { "func": "static int saved_cmdlines_show(struct seq_file *m, void *v)\n{\n\tchar buf[TASK_COMM_LEN];\n\tunsigned int *pid = v;\n\n\t__trace_find_cmdline(*pid, buf);\n\tseq_printf(m, \"%d %s\\n\", *pid, buf);\n\treturn 0;\n}", "project": "linux", "hash": 120512269338067258191194827618038440518, "size": 9, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to 
NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445742 }, { "func": "static void sca_add_vcpu(struct kvm_vcpu *vcpu)\n{\n\tif (!kvm_s390_use_sca_entries()) {\n\t\tstruct bsca_block *sca = vcpu->kvm->arch.sca;\n\n\t\t/* we still need the basic sca for the ipte control */\n\t\tvcpu->arch.sie_block->scaoh = (__u32)(((__u64)sca) >> 32);\n\t\tvcpu->arch.sie_block->scaol = (__u32)(__u64)sca;\n\t\treturn;\n\t}\n\tread_lock(&vcpu->kvm->arch.sca_lock);\n\tif (vcpu->kvm->arch.use_esca) {\n\t\tstruct esca_block *sca = vcpu->kvm->arch.sca;\n\n\t\tsca->cpu[vcpu->vcpu_id].sda = (__u64) vcpu->arch.sie_block;\n\t\tvcpu->arch.sie_block->scaoh = (__u32)(((__u64)sca) >> 32);\n\t\tvcpu->arch.sie_block->scaol = (__u32)(__u64)sca & ~0x3fU;\n\t\tvcpu->arch.sie_block->ecb2 |= ECB2_ESCA;\n\t\tset_bit_inv(vcpu->vcpu_id, (unsigned long *) sca->mcn);\n\t} else {\n\t\tstruct bsca_block *sca = vcpu->kvm->arch.sca;\n\n\t\tsca->cpu[vcpu->vcpu_id].sda = (__u64) vcpu->arch.sie_block;\n\t\tvcpu->arch.sie_block->scaoh = (__u32)(((__u64)sca) >> 32);\n\t\tvcpu->arch.sie_block->scaol = (__u32)(__u64)sca;\n\t\tset_bit_inv(vcpu->vcpu_id, (unsigned long *) &sca->mcn);\n\t}\n\tread_unlock(&vcpu->kvm->arch.sca_lock);\n}", "project": "linux", "hash": 266179033328533719212314114114237079445, "size": 29, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no 
used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354674 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "void VideoRendererBase::PutCurrentFrame(scoped_refptr frame) {\n base::AutoLock auto_lock(lock_);\n\n if (pending_paint_) {\n DCHECK_EQ(current_frame_, frame);\n DCHECK(!pending_paint_with_last_available_);\n pending_paint_ = false;\n } else if (pending_paint_with_last_available_) {\n DCHECK_EQ(last_available_frame_, frame);\n DCHECK(!pending_paint_);\n pending_paint_with_last_available_ = false;\n } else {\n DCHECK(!frame);\n }\n\n frame_available_.Signal();\n if (state_ == kFlushingDecoder)\n return;\n\n if (state_ == kFlushing) {\n AttemptFlush_Locked();\n return;\n }\n\n if (state_ == kError || state_ == kStopped) {\n DoStopOrError_Locked();\n }\n}\n", "cwe": "", "big_vul_idx": 113359, "idx": 101649, "hash": 109450988269210718806358029086077593225 }, { "func": "\nstatic void io_rsrc_buf_put(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc)\n{\n\tio_buffer_unmap(ctx, &prsrc->buf);\n\tprsrc->buf = NULL;", "project": "linux", "hash": 186133365594623620475604241107609670798, "size": 5, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338529 }, { "func": "static void encode_string(struct xdr_stream *xdr, unsigned int len, const char *str)\n{\n\tWARN_ON_ONCE(xdr_stream_encode_opaque(xdr, str, len) < 0);\n}", "project": "linux", "hash": 269922258531936675924362866385052093933, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431553 }, { "func": "static void tty_flush_works(struct tty_struct *tty)\n{\n\tflush_work(&tty->SAK_work);\n\tflush_work(&tty->hangup_work);\n\tif (tty->link) {\n\t\tflush_work(&tty->link->SAK_work);\n\t\tflush_work(&tty->link->hangup_work);\n\t}\n}", "project": "linux", "hash": 333275949048969351472688692106845098393, "size": 9, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the 
ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326013 }, { "func": "int imap_delete_mailbox(struct Mailbox *m, char *path)\n{\n char buf[PATH_MAX + 7];\n char mbox[PATH_MAX];\n struct Url *url = url_parse(path);\n\n struct ImapAccountData *adata = imap_adata_get(m);\n imap_munge_mbox_name(adata->unicode, mbox, sizeof(mbox), url->path);\n url_free(&url);\n snprintf(buf, sizeof(buf), \"DELETE %s\", mbox);\n if (imap_exec(m->account->adata, buf, IMAP_CMD_NO_FLAGS) != IMAP_EXEC_SUCCESS)\n return -1;\n\n return 0;\n}", "project": "neomutt", "hash": 26625972112511516144646624826461668502, "size": 15, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to 
Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357037 }, { "func": "static int slub_cpu_dead(unsigned int cpu)\n{\n\tstruct kmem_cache *s;\n\tunsigned long flags;\n\n\tmutex_lock(&slab_mutex);\n\tlist_for_each_entry(s, &slab_caches, list) {\n\t\tlocal_irq_save(flags);\n\t\t__flush_cpu_slab(s, cpu);\n\t\tlocal_irq_restore(flags);\n\t}\n\tmutex_unlock(&slab_mutex);\n\treturn 0;\n}", "project": "linux", "hash": 49533364898241987897422171199985997109, "size": 14, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280041 }, { "func": "Status KernelAndDeviceOp::Run(\n ScopedStepContainer* step_container, const EagerKernelArgs& inputs,\n std::vector* outputs,\n CancellationManager* cancellation_manager,\n const absl::optional& remote_func_params) {\n OpKernelContext::Params params;\n params.device = device_;\n params.frame_iter = FrameAndIter(0, 0);\n params.inputs = inputs.GetTensorValues();\n params.op_kernel = kernel_.get();\n params.resource_manager = device_->resource_manager();\n params.input_alloc_attrs = &input_alloc_attrs_;\n params.output_attr_array = output_alloc_attrs_.data();\n params.function_library = flr_;\n 
params.slice_reader_cache = &slice_reader_cache_;\n params.rendezvous = rendezvous_;\n OpExecutionState* op_execution_state = nullptr;\n\n CancellationManager default_cancellation_manager;\n if (cancellation_manager) {\n params.cancellation_manager = cancellation_manager;\n } else if (kernel_->is_deferred()) {\n op_execution_state = new OpExecutionState;\n params.cancellation_manager = &op_execution_state->cancellation_manager;\n params.inc_num_deferred_ops_function = [op_execution_state]() {\n op_execution_state->Ref();\n };\n params.dec_num_deferred_ops_function = [op_execution_state]() {\n op_execution_state->Unref();\n };\n } else {\n params.cancellation_manager = &default_cancellation_manager;\n }\n\n params.log_memory = log_memory_;\n\n params.runner = get_runner();\n\n params.step_container =\n step_container == nullptr ? &step_container_ : step_container;\n auto step_container_cleanup = gtl::MakeCleanup([step_container, this] {\n if (step_container == nullptr) {\n this->step_container_.CleanUp();\n }\n });\n\n params.collective_executor =\n collective_executor_ ? 
collective_executor_->get() : nullptr;\n\n OpKernelContext context(¶ms);\n\n {\n port::ScopedFlushDenormal flush;\n port::ScopedSetRound round(FE_TONEAREST);\n // 'AnnotatedTraceMe' will trace both scheduling time on host and execution\n // time on device of the OpKernel.\n profiler::AnnotatedTraceMe activity(\n [&] { return kernel_->TraceString(context, /*verbose=*/false); },\n profiler::TraceMeLevel::kInfo);\n device_->Compute(kernel_.get(), &context);\n }\n\n // Clean up execution op_execution_state if deferred ops aren't running.\n if (op_execution_state != nullptr) {\n op_execution_state->Unref();\n }\n\n if (!context.status().ok()) return context.status();\n\n if (outputs != nullptr) {\n outputs->clear();\n for (int i = 0; i < context.num_outputs(); ++i) {\n outputs->push_back(Tensor(*context.mutable_output(i)));\n }\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 268532713607530076905202853458432555638, "size": 77, "commit_id": "da8558533d925694483d2c136a9220d6d49d843c", "message": "Fix undefined behavior in `tf.raw_ops.Switch` in eager mode.\n\nPiperOrigin-RevId: 332578058\nChange-Id: I9727571d2f21476b10d8aa27c1b7176564b76ac9", "target": 1, "dataset": "other", "idx": 198174 }, { "func": " void Run() override {\n EvalSparseHybridImpl(context, node, params, data, input, filter, bias,\n thread_start, thread_end, input_quantized,\n scaling_factors, accum_scratch, row_sums,\n input_offsets, output);\n }", "project": "tensorflow", "hash": 300630077486727347084066162016125370069, "size": 6, "commit_id": "6c0b2b70eeee588591680f5b7d5d38175fd7cdf6", "message": "[lite] add validation check for sparse fully connected\n\nPiperOrigin-RevId: 417629354\nChange-Id: If96171c4bd4f5fdb01d6368d6deab19d1c9beca7", "target": 0, "dataset": "other", "idx": 220483 }, { "func": " static void Run(const Tensor& in_x, const Tensor& in_y, bool lower,\n bool adjoint, const MatMulBCast& bcast, Tensor* out,\n int start, int limit) {\n const bool should_bcast = 
bcast.IsBroadcastingRequired();\n const auto& x_batch_indices = bcast.x_batch_indices();\n const auto& y_batch_indices = bcast.y_batch_indices();\n int num_bands = in_x.dim_size(1);\n int matrix_size = in_x.dim_size(2);\n\n for (int64 i = start; i < limit; ++i) {\n const int64 x_batch_index = should_bcast ? x_batch_indices[i] : i;\n const int64 y_batch_index = should_bcast ? y_batch_indices[i] : i;\n auto matrix = ConstTensorSliceToEigenMatrix(in_x, x_batch_index);\n auto rhs = ConstTensorSliceToEigenMatrix(in_y, y_batch_index);\n auto output = TensorSliceToEigenMatrix(out, i);\n // Below, we use the standard algorithm for computing a triangular solve,\n // except we band limit it.\n // Given A x = b, where A is lower triangular,\n // x_i = (b_i - sum a_ij * x_j) / a_ii, where the sum is from\n // j = 0 to i - 1.\n //\n // Now, in a banded triangular matrix, when i exceeds the band size,\n // then the sum goes from j = i - band_size to i - 1, since the other\n // elements are zero.\n //\n // Finally, given the band storage format, we'll need to change the\n // indexing.\n if (lower) {\n if (!adjoint) {\n output.row(0) = rhs.row(0) / matrix(0, 0);\n for (int i = 1; i < matrix_size; ++i) {\n if (i < num_bands) {\n output.row(i).noalias() =\n (rhs.row(i) - matrix.block(1, i, i, 1).reverse().transpose() *\n output.topRows(i)) /\n matrix(0, i);\n } else {\n output.row(i).noalias() =\n (rhs.row(i) -\n matrix.block(1, i, num_bands - 1, 1).reverse().transpose() *\n output.middleRows(i - (num_bands - 1), num_bands - 1)) /\n matrix(0, i);\n }\n }\n } else {\n // In the adjoint case, here and below, we now have an upper (lower)\n // triangular matrix, and thus need to work through with the other\n // case. 
We can't simply conjugate `matrix` and use the upper (lower)\n // algorithm because the band storage format for upper and lower\n // triangular matrices are different (in the lower case, we pad\n // entries on the left, and in the upper case we pad entries on the\n // right.\n output.row(matrix_size - 1) =\n rhs.row(matrix_size - 1) / eigen_conj(matrix(0, matrix_size - 1));\n for (int i = matrix_size - 1; i >= 0; --i) {\n output.row(i).noalias() = rhs.row(i);\n for (int j = i + 1; j < std::min(matrix_size, i + num_bands); ++j) {\n output.row(i).noalias() -=\n eigen_conj(matrix(j - i, j)) * output.row(j);\n }\n output.row(i) /= eigen_conj(matrix(0, i));\n }\n }\n } else {\n if (!adjoint) {\n output.row(matrix_size - 1) =\n rhs.row(matrix_size - 1) / matrix(num_bands - 1, matrix_size - 1);\n for (int i = 1; i < matrix_size; ++i) {\n int k = matrix_size - 1 - i;\n if (i < num_bands) {\n output.row(k).noalias() =\n (rhs.row(k) - matrix.block(num_bands - 1 - i, k, i, 1)\n .reverse()\n .transpose() *\n output.bottomRows(i)) /\n matrix(num_bands - 1, k);\n } else {\n output.row(k).noalias() =\n (rhs.row(k) -\n matrix.block(0, k, num_bands - 1, 1).reverse().transpose() *\n output.middleRows(k + 1, num_bands - 1)) /\n matrix(num_bands - 1, k);\n }\n }\n } else {\n output.row(0) = rhs.row(0) / eigen_conj(matrix(num_bands - 1, 0));\n for (int i = 1; i < matrix_size; ++i) {\n output.row(i).noalias() = rhs.row(i);\n for (int j = std::max(0, i - (num_bands - 1)); j < i; ++j) {\n output.row(i).noalias() -=\n eigen_conj(matrix(num_bands - 1 - (i - j), j)) *\n output.row(j);\n }\n output.row(i) /= eigen_conj(matrix(num_bands - 1, i));\n }\n }\n }\n }\n }", "project": "tensorflow", "hash": 266483617509961809418692690432771267045, "size": 99, "commit_id": "0ab290774f91a23bebe30a358fde4e53ab4876a0", "message": "Ensure validation sticks in banded_triangular_solve_op\n\nPiperOrigin-RevId: 373275480\nChange-Id: Id7717cf275b2d6fdb9441fbbe166d555182d2e79", "target": 0, "dataset": "other", 
"idx": 232653 }, { "func": "Status KernelAndDeviceFunc::Run(\n ScopedStepContainer* step_container, const EagerKernelArgs& inputs,\n std::vector* outputs,\n CancellationManager* cancellation_manager,\n const absl::optional& remote_func_params) {\n Notification n;\n Status status;\n RunAsync(step_container, inputs, outputs, cancellation_manager,\n remote_func_params, [&status, &n](const Status& s) {\n status = s;\n n.Notify();\n });\n n.WaitForNotification();\n return status;\n}", "project": "tensorflow", "hash": 323166118803893121534147567384837519235, "size": 15, "commit_id": "da8558533d925694483d2c136a9220d6d49d843c", "message": "Fix undefined behavior in `tf.raw_ops.Switch` in eager mode.\n\nPiperOrigin-RevId: 332578058\nChange-Id: I9727571d2f21476b10d8aa27c1b7176564b76ac9", "target": 0, "dataset": "other", "idx": 270133 }, { "func": "Status KernelAndDeviceOp::Run(\n ScopedStepContainer* step_container, const EagerKernelArgs& inputs,\n std::vector* outputs,\n CancellationManager* cancellation_manager,\n const absl::optional& remote_func_params) {\n OpKernelContext::Params params;\n params.device = device_;\n params.frame_iter = FrameAndIter(0, 0);\n params.inputs = inputs.GetTensorValues();\n params.op_kernel = kernel_.get();\n params.resource_manager = device_->resource_manager();\n params.input_alloc_attrs = &input_alloc_attrs_;\n params.output_attr_array = output_alloc_attrs_.data();\n params.function_library = flr_;\n params.slice_reader_cache = &slice_reader_cache_;\n params.rendezvous = rendezvous_;\n OpExecutionState* op_execution_state = nullptr;\n\n CancellationManager default_cancellation_manager;\n if (cancellation_manager) {\n params.cancellation_manager = cancellation_manager;\n } else if (kernel_->is_deferred()) {\n op_execution_state = new OpExecutionState;\n params.cancellation_manager = &op_execution_state->cancellation_manager;\n params.inc_num_deferred_ops_function = [op_execution_state]() {\n op_execution_state->Ref();\n };\n 
params.dec_num_deferred_ops_function = [op_execution_state]() {\n op_execution_state->Unref();\n };\n } else {\n params.cancellation_manager = &default_cancellation_manager;\n }\n\n params.log_memory = log_memory_;\n\n params.runner = get_runner();\n\n params.step_container =\n step_container == nullptr ? &step_container_ : step_container;\n auto step_container_cleanup = gtl::MakeCleanup([step_container, this] {\n if (step_container == nullptr) {\n this->step_container_.CleanUp();\n }\n });\n\n params.collective_executor =\n collective_executor_ ? collective_executor_->get() : nullptr;\n\n OpKernelContext context(¶ms);\n\n {\n port::ScopedFlushDenormal flush;\n port::ScopedSetRound round(FE_TONEAREST);\n // 'AnnotatedTraceMe' will trace both scheduling time on host and execution\n // time on device of the OpKernel.\n profiler::AnnotatedTraceMe activity(\n [&] { return kernel_->TraceString(context, /*verbose=*/false); },\n profiler::TraceMeLevel::kInfo);\n device_->Compute(kernel_.get(), &context);\n }\n\n // Clean up execution op_execution_state if deferred ops aren't running.\n if (op_execution_state != nullptr) {\n op_execution_state->Unref();\n }\n\n if (!context.status().ok()) return context.status();\n\n if (outputs != nullptr) {\n outputs->clear();\n for (int i = 0; i < context.num_outputs(); ++i) {\n const auto* output_tensor = context.mutable_output(i);\n if (output_tensor != nullptr) {\n outputs->push_back(Tensor(*output_tensor));\n } else {\n outputs->push_back(Tensor());\n }\n }\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 159214455117997485478071511420441997014, "size": 82, "commit_id": "da8558533d925694483d2c136a9220d6d49d843c", "message": "Fix undefined behavior in `tf.raw_ops.Switch` in eager mode.\n\nPiperOrigin-RevId: 332578058\nChange-Id: I9727571d2f21476b10d8aa27c1b7176564b76ac9", "target": 0, "dataset": "other", "idx": 270145 }, { "func": "int CServer::Run()\n{\n\t//\n\tm_PrintCBIndex = 
Console()->RegisterPrintCallback(Config()->m_ConsoleOutputLevel, SendRconLineAuthed, this);\n\n\t// list maps\n\tm_pMapListHeap = new CHeap();\n\tCSubdirCallbackUserdata Userdata;\n\tUserdata.m_pServer = this;\n\tstr_copy(Userdata.m_aName, \"\", sizeof(Userdata.m_aName));\n\tm_pStorage->ListDirectory(IStorage::TYPE_ALL, \"maps/\", MapListEntryCallback, &Userdata);\n\n\t// load map\n\tif(!LoadMap(Config()->m_SvMap))\n\t{\n\t\tdbg_msg(\"server\", \"failed to load map. mapname='%s'\", Config()->m_SvMap);\n\t\treturn -1;\n\t}\n\tm_MapChunksPerRequest = Config()->m_SvMapDownloadSpeed;\n\n\t// start server\n\tNETADDR BindAddr;\n\tif(Config()->m_Bindaddr[0] && net_host_lookup(Config()->m_Bindaddr, &BindAddr, NETTYPE_ALL) == 0)\n\t{\n\t\t// sweet!\n\t\tBindAddr.type = NETTYPE_ALL;\n\t\tBindAddr.port = Config()->m_SvPort;\n\t}\n\telse\n\t{\n\t\tmem_zero(&BindAddr, sizeof(BindAddr));\n\t\tBindAddr.type = NETTYPE_ALL;\n\t\tBindAddr.port = Config()->m_SvPort;\n\t}\n\n\tif(!m_NetServer.Open(BindAddr, Config(), Console(), Kernel()->RequestInterface(), &m_ServerBan,\n\t\tConfig()->m_SvMaxClients, Config()->m_SvMaxClientsPerIP, NewClientCallback, DelClientCallback, this))\n\t{\n\t\tdbg_msg(\"server\", \"couldn't open socket. 
port %d might already be in use\", Config()->m_SvPort);\n\t\treturn -1;\n\t}\n\n\tm_Econ.Init(Config(), Console(), &m_ServerBan);\n\n\tchar aBuf[256];\n\tstr_format(aBuf, sizeof(aBuf), \"server name is '%s'\", Config()->m_SvName);\n\tConsole()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"server\", aBuf);\n\n\tGameServer()->OnInit();\n\tstr_format(aBuf, sizeof(aBuf), \"version %s\", GameServer()->NetVersion());\n\tConsole()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"server\", aBuf);\n\tif(str_comp(GameServer()->NetVersionHashUsed(), GameServer()->NetVersionHashReal()))\n\t{\n\t\tm_pConsole->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"server\", \"WARNING: netversion hash differs\");\n\t}\n\n\t// process pending commands\n\tm_pConsole->StoreCommands(false);\n\n\tif(m_GeneratedRconPassword)\n\t{\n\t\tdbg_msg(\"server\", \"+-------------------------+\");\n\t\tdbg_msg(\"server\", \"| rcon password: '%s' |\", Config()->m_SvRconPassword);\n\t\tdbg_msg(\"server\", \"+-------------------------+\");\n\t}\n\n\t// start game\n\t{\n\t\tint64 ReportTime = time_get();\n\t\tint ReportInterval = 3;\n\n\t\tm_Lastheartbeat = 0;\n\t\tm_GameStartTime = time_get();\n\n\t\twhile(m_RunServer)\n\t\t{\n\t\t\tint64 t = time_get();\n\t\t\tint NewTicks = 0;\n\n\t\t\t// load new map TODO: don't poll this\n\t\t\tif(str_comp(Config()->m_SvMap, m_aCurrentMap) != 0 || m_MapReload || m_CurrentGameTick >= 0x6FFFFFFF) //\tforce reload to make sure the ticks stay within a valid range\n\t\t\t{\n\t\t\t\tm_MapReload = 0;\n\n\t\t\t\t// load map\n\t\t\t\tif(LoadMap(Config()->m_SvMap))\n\t\t\t\t{\n\t\t\t\t\t// new map loaded\n\t\t\t\t\tbool aSpecs[MAX_CLIENTS];\n\t\t\t\t\tfor(int c = 0; c < MAX_CLIENTS; c++)\n\t\t\t\t\t\taSpecs[c] = GameServer()->IsClientSpectator(c);\n\n\t\t\t\t\tGameServer()->OnShutdown();\n\n\t\t\t\t\tfor(int c = 0; c < MAX_CLIENTS; c++)\n\t\t\t\t\t{\n\t\t\t\t\t\tif(m_aClients[c].m_State <= 
CClient::STATE_AUTH)\n\t\t\t\t\t\t\tcontinue;\n\n\t\t\t\t\t\tSendMap(c);\n\t\t\t\t\t\tm_aClients[c].Reset();\n\t\t\t\t\t\tm_aClients[c].m_State = aSpecs[c] ? CClient::STATE_CONNECTING_AS_SPEC : CClient::STATE_CONNECTING;\n\t\t\t\t\t}\n\n\t\t\t\t\tm_GameStartTime = time_get();\n\t\t\t\t\tm_CurrentGameTick = 0;\n\t\t\t\t\tKernel()->ReregisterInterface(GameServer());\n\t\t\t\t\tGameServer()->OnInit();\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tstr_format(aBuf, sizeof(aBuf), \"failed to load map. mapname='%s'\", Config()->m_SvMap);\n\t\t\t\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"server\", aBuf);\n\t\t\t\t\tstr_copy(Config()->m_SvMap, m_aCurrentMap, sizeof(Config()->m_SvMap));\n\t\t\t\t}\n\t\t\t}\n\n\t\t\twhile(t > TickStartTime(m_CurrentGameTick+1))\n\t\t\t{\n\t\t\t\tm_CurrentGameTick++;\n\t\t\t\tNewTicks++;\n\n\t\t\t\t// apply new input\n\t\t\t\tfor(int c = 0; c < MAX_CLIENTS; c++)\n\t\t\t\t{\n\t\t\t\t\tif(m_aClients[c].m_State == CClient::STATE_EMPTY)\n\t\t\t\t\t\tcontinue;\n\t\t\t\t\tfor(int i = 0; i < 200; i++)\n\t\t\t\t\t{\n\t\t\t\t\t\tif(m_aClients[c].m_aInputs[i].m_GameTick == Tick())\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif(m_aClients[c].m_State == CClient::STATE_INGAME)\n\t\t\t\t\t\t\t\tGameServer()->OnClientPredictedInput(c, m_aClients[c].m_aInputs[i].m_aData);\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tGameServer()->OnTick();\n\t\t\t}\n\n\t\t\t// snap game\n\t\t\tif(NewTicks)\n\t\t\t{\n\t\t\t\tif(Config()->m_SvHighBandwidth || (m_CurrentGameTick%2) == 0)\n\t\t\t\t\tDoSnapshot();\n\n\t\t\t\tUpdateClientRconCommands();\n\t\t\t\tUpdateClientMapListEntries();\n\t\t\t}\n\n\t\t\t// master server stuff\n\t\t\tm_Register.RegisterUpdate(m_NetServer.NetType());\n\n\t\t\tPumpNetwork();\n\n\t\t\tif(ReportTime < time_get())\n\t\t\t{\n\t\t\t\tif(Config()->m_Debug)\n\t\t\t\t{\n\t\t\t\t\t/*\n\t\t\t\t\tstatic NETSTATS prev_stats;\n\t\t\t\t\tNETSTATS stats;\n\t\t\t\t\tnetserver_stats(net, 
&stats);\n\n\t\t\t\t\tperf_next();\n\n\t\t\t\t\tif(config.dbg_pref)\n\t\t\t\t\t\tperf_dump(&rootscope);\n\n\t\t\t\t\tdbg_msg(\"server\", \"send=%8d recv=%8d\",\n\t\t\t\t\t\t(stats.send_bytes - prev_stats.send_bytes)/reportinterval,\n\t\t\t\t\t\t(stats.recv_bytes - prev_stats.recv_bytes)/reportinterval);\n\n\t\t\t\t\tprev_stats = stats;\n\t\t\t\t\t*/\n\t\t\t\t}\n\n\t\t\t\tReportTime += time_freq()*ReportInterval;\n\t\t\t}\n\n\t\t\t// wait for incomming data\n\t\t\tm_NetServer.Wait(5);\n\t\t}\n\t}\n\t// disconnect all clients on shutdown\n\tm_NetServer.Close();\n\tm_Econ.Shutdown();\n\n\tGameServer()->OnShutdown();\n\tm_pMap->Unload();\n\n\tif(m_pCurrentMapData)\n\t{\n\t\tmem_free(m_pCurrentMapData);\n\t\tm_pCurrentMapData = 0;\n\t}\n\tif(m_pMapListHeap)\n\t{\n\t\tdelete m_pMapListHeap;\n\t\tm_pMapListHeap = 0;\n\t}\n\treturn 0;\n}", "project": "teeworlds", "hash": 322942261570114084812734868735846817779, "size": 204, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 381989 }, { "func": "bool WuManberReplacement::initPatterns(const Array& arr) {\n patterns.reserve(arr.size());\n for (ArrayIter iter(arr); iter; ++iter) {\n String pattern = iter.first().toString();\n if (pattern.size() == 0) { // empty string given as pattern\n patterns.clear();\n return false;\n }\n patterns.emplace_back(pattern, iter.second().toString());\n }\n\n initTables();\n\n return true;\n}", "project": "hhvm", "hash": 142581040705407361608159593189601888329, "size": 15, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219704 }, { "func": "static void virtual_xfer_breadcrumbs(struct virtual_engine *ve,\n\t\t\t\t struct intel_engine_cs *engine)\n{\n\tstruct intel_engine_cs *old = ve->siblings[0];\n\n\t/* All unattached (rq->engine == old) must already be completed 
*/\n\n\tspin_lock(&old->breadcrumbs.irq_lock);\n\tif (!list_empty(&ve->context.signal_link)) {\n\t\tlist_move_tail(&ve->context.signal_link,\n\t\t\t &engine->breadcrumbs.signalers);\n\t\tintel_engine_queue_breadcrumbs(engine);\n\t}\n\tspin_unlock(&old->breadcrumbs.irq_lock);\n}", "project": "linux", "hash": 112540731622165366298508520178815712286, "size": 15, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281443 }, { "func": "static struct bfq_queue *\nbfq_split_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq)\n{\n\tbfq_log_bfqq(bfqq->bfqd, bfqq, \"splitting queue\");\n\n\tif (bfqq_process_refs(bfqq) == 1) {\n\t\tbfqq->pid = current->pid;\n\t\tbfq_clear_bfqq_coop(bfqq);\n\t\tbfq_clear_bfqq_split_coop(bfqq);\n\t\treturn bfqq;\n\t}\n\n\tbic_set_bfqq(bic, NULL, 1);\n\n\tbfq_put_cooperator(bfqq);\n\n\tbfq_release_process_ref(bfqq->bfqd, bfqq);\n\treturn NULL;", "project": "linux", "hash": 107698663793387973605252518213799893264, "size": 18, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in 
bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] 
kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 
bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453369 }, { "func": "static int walk_component(struct nameidata *nd, int flags)\n{\n\tstruct path path;\n\tstruct inode *inode;\n\tunsigned seq;\n\tint err;\n\t/*\n\t * \".\" and \"..\" are special - \"..\" especially so because it has\n\t * to be able to know about the current root directory and\n\t * parent relationships.\n\t 
*/\n\tif (unlikely(nd->last_type != LAST_NORM)) {\n\t\terr = handle_dots(nd, nd->last_type);\n\t\tif (!(flags & WALK_MORE) && nd->depth)\n\t\t\tput_link(nd);\n\t\treturn err;\n\t}\n\terr = lookup_fast(nd, &path, &inode, &seq);\n\tif (unlikely(err <= 0)) {\n\t\tif (err < 0)\n\t\t\treturn err;\n\t\tpath.dentry = lookup_slow(&nd->last, nd->path.dentry,\n\t\t\t\t\t nd->flags);\n\t\tif (IS_ERR(path.dentry))\n\t\t\treturn PTR_ERR(path.dentry);\n\n\t\tpath.mnt = nd->path.mnt;\n\t\terr = follow_managed(&path, nd);\n\t\tif (unlikely(err < 0))\n\t\t\treturn err;\n\n\t\tseq = 0;\t/* we are already out of RCU mode */\n\t\tinode = d_backing_inode(path.dentry);\n\t}\n\n\treturn step_into(nd, &path, flags, inode, seq);\n}", "project": "linux", "hash": 316949720002408379195610280624148513960, "size": 37, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295301 }, { "func": "void LibRaw::identify_finetune_by_filesize(int fsize)\n{\n\n\tif (fsize == 4771840)\n\t{ // hack Nikon 3mpix: E880, E885, E990, E995;\n\t // Olympus C-3030Z\n\t\tif (!timestamp && nikon_e995())\n\t\t\tstrcpy(model, \"E995\");\n\t}\n\telse if (fsize == 2940928)\n\t{ // hack Nikon 2mpix: E2100, E2500\n\t\tif (!timestamp && !nikon_e2100())\n\t\t\tstrcpy(model, \"E2500\");\n\t}\n\telse if (fsize == 4775936)\n\t{ // hack Nikon 3mpix: E3100, E3200, E3500, E3700;\n\t // Pentax \"Optio 33WR\";\n\t // Olympus C-740UZ\n\t\tif (!timestamp)\n\t\t\tnikon_3700();\n\t}\n\telse if (fsize == 5869568)\n\t{ // hack Nikon 4mpix: E4300;\n\t // hack Minolta \"DiMAGE Z2\"\n\t\tif (!timestamp && minolta_z2())\n\t\t{\n\t\t\tmaker_index = LIBRAW_CAMERAMAKER_Minolta;\n\t\t\tstrcpy(make, 
\"Minolta\");\n\t\t\tstrcpy(model, \"DiMAGE Z2\");\n\t\t}\n\t}\n}", "project": "LibRaw", "hash": 137736208783605850994272129981146481709, "size": 32, "commit_id": "4feaed4dea636cee4fee010f615881ccf76a096d", "message": "limit loops to MIN(colors,4) in dng fields parser", "target": 0, "dataset": "other", "idx": 482363 }, { "func": "static int cypress_compute_slot(struct mt_application *application,\n\t\t\t\tstruct mt_usages *slot)\n{\n\tif (*slot->contactid != 0 || application->num_received == 0)\n\t\treturn *slot->contactid;\n\telse\n\t\treturn -1;\n}", "project": "linux", "hash": 68993231424897284770583897123309743362, "size": 8, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458411 }, { "func": "int __hci_req_enable_ext_advertising(struct hci_request *req, u8 instance)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tstruct hci_cp_le_set_ext_adv_enable *cp;\n\tstruct hci_cp_ext_adv_set *adv_set;\n\tu8 data[sizeof(*cp) + sizeof(*adv_set) * 1];\n\tstruct adv_info *adv_instance;\n\n\tif (instance > 0) {\n\t\tadv_instance = hci_find_adv_instance(hdev, instance);\n\t\tif (!adv_instance)\n\t\t\treturn -EINVAL;\n\t} else 
{\n\t\tadv_instance = NULL;\n\t}\n\n\tcp = (void *) data;\n\tadv_set = (void *) cp->data;\n\n\tmemset(cp, 0, sizeof(*cp));\n\n\tcp->enable = 0x01;\n\tcp->num_of_sets = 0x01;\n\n\tmemset(adv_set, 0, sizeof(*adv_set));\n\n\tadv_set->handle = instance;\n\n\t/* Set duration per instance since controller is responsible for\n\t * scheduling it.\n\t */\n\tif (adv_instance && adv_instance->duration) {\n\t\tu16 duration = adv_instance->timeout * MSEC_PER_SEC;\n\n\t\t/* Time = N * 10 ms */\n\t\tadv_set->duration = cpu_to_le16(duration / 10);\n\t}\n\n\thci_req_add(req, HCI_OP_LE_SET_EXT_ADV_ENABLE,\n\t\t sizeof(*cp) + sizeof(*adv_set) * cp->num_of_sets,\n\t\t data);\n\n\treturn 0;\n}", "project": "linux", "hash": 320923347400668508493746772692381672463, "size": 44, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402574 }, { "func": "void GraphConstructor::PrintCycles() {\n int num_nodes = outputs_.size();\n absl::flat_hash_set unvisited;\n for (int i = 0; i < num_nodes; i++) {\n unvisited.insert(i);\n }\n while (!unvisited.empty()) {\n int cur_node = *unvisited.begin();\n // Nodes on the current branch of DFS in traversal order. 
This is used for\n // printing the nodes in the cycle.\n std::vector cur_branch;\n // This is just to make lookups O(1).\n // is_on_cur_branch[i] ==\n // (std::find(cur_branch.start(),\n // cur_branch.end(), i) != cur_branch.end())\n std::vector is_on_cur_branch(num_nodes, false);\n DFS(cur_node, &cur_branch, &is_on_cur_branch, &unvisited);\n }\n}", "project": "tensorflow", "hash": 79933820641019432916883805651756261767, "size": 19, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268320 }, { "func": "static void SFDParseMathValueRecord(FILE *sfd,int16 *value,DeviceTable **devtab) {\n getsint(sfd,value);\n *devtab = SFDReadDeviceTable(sfd,NULL);\n}", "project": "fontforge", "hash": 209799158226151510844646567717484090097, "size": 4, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", 
"idx": 417843 }, { "func": "static void exif_process_APP1(image_info_type *ImageInfo, char *CharBuf,\n size_t length, size_t displacement) {\n /* Check the APP1 for Exif Identifier Code */\n char *end = CharBuf + length;\n static const\n unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};\n CHECK_BUFFER(CharBuf+2, end, 6);\n if (length <= 8 || memcmp(CharBuf+2, ExifHeader, 6)) {\n raise_warning(\"Incorrect APP1 Exif Identifier Code\");\n return;\n }\n exif_process_TIFF_in_JPEG(ImageInfo, CharBuf + 8, length - 8,\n displacement+8);\n}", "project": "hhvm", "hash": 101055003291645465564188057890236700375, "size": 14, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219535 }, { "func": "static int _nfs4_do_setattr(struct inode *inode,\n\t\t\t struct nfs_setattrargs *arg,\n\t\t\t struct nfs_setattrres *res,\n\t\t\t const struct cred *cred,\n\t\t\t struct nfs_open_context *ctx)\n{\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\tstruct rpc_message msg = {\n\t\t.rpc_proc\t= &nfs4_procedures[NFSPROC4_CLNT_SETATTR],\n\t\t.rpc_argp\t= arg,\n\t\t.rpc_resp\t= res,\n\t\t.rpc_cred\t= cred,\n\t};\n\tconst struct cred *delegation_cred = NULL;\n\tunsigned long timestamp = jiffies;\n\tbool truncate;\n\tint status;\n\n\tnfs_fattr_init(res->fattr);\n\n\t/* Servers should only apply open mode checks for file size changes */\n\ttruncate = (arg->iap->ia_valid & ATTR_SIZE) ? 
true : false;\n\tif (!truncate)\n\t\tgoto zero_stateid;\n\n\tif (nfs4_copy_delegation_stateid(inode, FMODE_WRITE, &arg->stateid, &delegation_cred)) {\n\t\t/* Use that stateid */\n\t} else if (ctx != NULL && ctx->state) {\n\t\tstruct nfs_lock_context *l_ctx;\n\t\tif (!nfs4_valid_open_stateid(ctx->state))\n\t\t\treturn -EBADF;\n\t\tl_ctx = nfs_get_lock_context(ctx);\n\t\tif (IS_ERR(l_ctx))\n\t\t\treturn PTR_ERR(l_ctx);\n\t\tstatus = nfs4_select_rw_stateid(ctx->state, FMODE_WRITE, l_ctx,\n\t\t\t\t\t\t&arg->stateid, &delegation_cred);\n\t\tnfs_put_lock_context(l_ctx);\n\t\tif (status == -EIO)\n\t\t\treturn -EBADF;\n\t\telse if (status == -EAGAIN)\n\t\t\tgoto zero_stateid;\n\t} else {\nzero_stateid:\n\t\tnfs4_stateid_copy(&arg->stateid, &zero_stateid);\n\t}\n\tif (delegation_cred)\n\t\tmsg.rpc_cred = delegation_cred;\n\n\tstatus = nfs4_call_sync(server->client, server, &msg, &arg->seq_args, &res->seq_res, 1);\n\n\tput_cred(delegation_cred);\n\tif (status == 0 && ctx != NULL)\n\t\trenew_lease(server, timestamp);\n\ttrace_nfs4_setattr(inode, &arg->stateid, status);\n\treturn status;\n}", "project": "linux", "hash": 270752775105572982356817209802400780389, "size": 56, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431119 }, { "func": "void wsrep_sst_auth_init (const char* value)\n{\n if (wsrep_sst_auth == value) wsrep_sst_auth = NULL;\n if (value) sst_auth_real_set (value);\n}", "project": "mysql-wsrep", "hash": 116837707653768414485896939743024133893, "size": 5, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": 
"codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454780 }, { "func": "static inline void put_link(struct nameidata *nd)\n{\n\tstruct saved *last = nd->stack + --nd->depth;\n\tdo_delayed_call(&last->done);\n\tif (!(nd->flags & LOOKUP_RCU))\n\t\tpath_put(&last->link);\n}", "project": "linux", "hash": 273017042667045706217153742088615183167, "size": 7, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295408 }, { "func": "static uint get_semi_join_select_list_index(Field *field)\n{\n uint res= UINT_MAX;\n TABLE_LIST *emb_sj_nest;\n if ((emb_sj_nest= field->table->pos_in_table_list->embedding) &&\n emb_sj_nest->sj_on_expr)\n {\n Item_in_subselect *subq_pred= emb_sj_nest->sj_subq_pred;\n st_select_lex *subq_lex= subq_pred->unit->first_select();\n if (subq_pred->left_expr->cols() == 1)\n {\n Item *sel_item= subq_lex->ref_pointer_array[0];\n if (sel_item->type() == Item::FIELD_ITEM &&\n ((Item_field*)sel_item)->field->eq(field))\n {\n res= 0;\n }\n }\n else\n {\n for (uint i= 0; i < subq_pred->left_expr->cols(); i++)\n {\n Item *sel_item= subq_lex->ref_pointer_array[i];\n if (sel_item->type() == Item::FIELD_ITEM &&\n ((Item_field*)sel_item)->field->eq(field))\n {\n res= i;\n break;\n }\n }\n }\n }\n return res;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 61135082917874770062373502022280954414, "size": 34, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508759 }, { "func": "static int rar5_read_header(struct archive_read *a,\n struct archive_entry *entry)\n{\n\tstruct rar5* rar = get_context(a);\n\tint ret;\n\n\tif(rar->header_initialized == 0) {\n\t\tinit_header(a);\n\t\trar->header_initialized = 1;\n\t}\n\n\tif(rar->skipped_magic == 0) {\n\t\tif(ARCHIVE_OK != consume(a, rar5_signature_size)) {\n\t\t\treturn ARCHIVE_EOF;\n\t\t}\n\n\t\trar->skipped_magic = 1;\n\t}\n\n\tdo {\n\t\tret = process_base_block(a, entry);\n\t} while(ret == ARCHIVE_RETRY ||\n\t\t\t(rar->main.endarc > 0 && ret == ARCHIVE_OK));\n\n\treturn ret;\n}", "project": "libarchive", "hash": 228441162982824748552140135575066200206, "size": 26, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244711 }, { "func": "int tcp_use_frto(struct sock *sk)\n{\n\tconst struct tcp_sock *tp = tcp_sk(sk);\n\tconst struct inet_connection_sock *icsk = inet_csk(sk);\n\tstruct sk_buff *skb;\n\n\tif (!sysctl_tcp_frto)\n\t\treturn 0;\n\n\t/* MTU probe and F-RTO won't really play nicely along currently */\n\tif (icsk->icsk_mtup.probe_size)\n\t\treturn 0;\n\n\tif (tcp_is_sackfrto(tp))\n\t\treturn 1;\n\n\t/* Avoid expensive walking of rexmit queue if possible */\n\tif (tp->retrans_out > 1)\n\t\treturn 0;\n\n\tskb = tcp_write_queue_head(sk);\n\tif (tcp_skb_is_last(sk, skb))\n\t\treturn 1;\n\tskb = tcp_write_queue_next(sk, skb);\t/* Skips head */\n\ttcp_for_write_queue_from(skb, sk) {\n\t\tif (skb == tcp_send_head(sk))\n\t\t\tbreak;\n\t\tif (TCP_SKB_CB(skb)->sacked & TCPCB_RETRANS)\n\t\t\treturn 0;\n\t\t/* Short-circuit when first non-SACKed skb has been checked */\n\t\tif (!(TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_ACKED))\n\t\t\tbreak;\n\t}\n\treturn 1;\n}", "project": "net-next", "hash": 89391060065369973004396270852387808826, "size": 35, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409957 }, { "func": "void __set_current_blocked(const sigset_t *newset)\n{\n\tstruct task_struct *tsk = current;\n\n\t/*\n\t * In case the signal mask hasn't changed, there is nothing we need\n\t * to do. The current->blocked shouldn't be modified by other task.\n\t */\n\tif (sigequalsets(&tsk->blocked, newset))\n\t\treturn;\n\n\tspin_lock_irq(&tsk->sighand->siglock);\n\t__set_task_blocked(tsk, newset);\n\tspin_unlock_irq(&tsk->sighand->siglock);\n}", "project": "linux", "hash": 156794713154827807846420182055712003861, "size": 15, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375289 }, { "func": "static bool checkreturn decode_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter)\n{\n#ifdef PB_ENABLE_MALLOC\n /* When decoding an oneof field, check if there is old data that must be\n * released first. */\n if (PB_HTYPE(iter->pos->type) == PB_HTYPE_ONEOF)\n {\n if (!pb_release_union_field(stream, iter))\n return false;\n }\n#endif\n\n switch (PB_ATYPE(iter->pos->type))\n {\n case PB_ATYPE_STATIC:\n return decode_static_field(stream, wire_type, iter);\n \n case PB_ATYPE_POINTER:\n return decode_pointer_field(stream, wire_type, iter);\n \n case PB_ATYPE_CALLBACK:\n return decode_callback_field(stream, wire_type, iter);\n \n default:\n PB_RETURN_ERROR(stream, \"invalid field type\");\n }\n}", "project": "nanopb", "hash": 129405393672321976524836077982501540038, "size": 27, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252491 }, { "func": "static bool checkreturn decode_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iterator_t *iter)\n{\n switch (PB_ATYPE(iter->pos->type))\n {\n case PB_ATYPE_STATIC:\n return decode_static_field(stream, wire_type, iter);\n \n case PB_ATYPE_POINTER:\n return decode_pointer_field(stream, wire_type, iter);\n \n case PB_ATYPE_CALLBACK:\n return decode_callback_field(stream, wire_type, iter);\n \n default:\n PB_RETURN_ERROR(stream, \"invalid field type\");\n }\n}", 
"project": "nanopb", "hash": 11720523385792419475209060461722373776, "size": 17, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255330 }, { "func": "static void headerSort(Header h)\n{\n if (!h->sorted) {\n\tqsort(h->index, h->indexUsed, sizeof(*h->index), indexCmp);\n\th->sorted = 1;\n }\n}", "project": "rpm", "hash": 112835713482589104548173122338141841116, "size": 7, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318175 }, { "func": "DwaCompressor::uncompress\n (const char *inPtr,\n int inSize,\n int minY,\n const char *&outPtr)\n{\n return uncompress (inPtr,\n inSize,\n IMATH_NAMESPACE::Box2i (IMATH_NAMESPACE::V2i (_min[0], minY),\n IMATH_NAMESPACE::V2i (_max[0], minY + numScanLines() - 1)),\n outPtr);\n}", "project": "openexr", "hash": 69704761893915771999859565050465964698, "size": 12, "commit_id": "3eda5d70aba127bae9bd6bae9956fcf024b64031", "message": "fixes for DWA uncompress: sanity check unknown data reading, off-by-one error on max suffix string length\n\nSigned-off-by: Peter Hillman ", "target": 0, "dataset": "other", "idx": 440088 }, { "func": "DwaCompressor::uncompress\n (const char *inPtr,\n int inSize,\n IMATH_NAMESPACE::Box2i range,\n const char *&outPtr)\n{\n int minX = range.min.x;\n int maxX = std::min (range.max.x, _max[0]);\n int minY = range.min.y;\n int maxY = std::min (range.max.y, _max[1]);\n\n Int64 iSize = static_cast( inSize );\n Int64 headerSize = NUM_SIZES_SINGLE*sizeof(Int64);\n if (iSize < headerSize) \n {\n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \"(truncated header).\");\n }\n\n // \n // Flip the counters from XDR to NATIVE\n //\n\n for (int i = 0; i < NUM_SIZES_SINGLE; ++i)\n {\n Int64 *dst = 
(((Int64 *)inPtr) + i);\n const char *src = (char *)(((Int64 *)inPtr) + i);\n\n Xdr::read (src, *dst);\n }\n\n //\n // Unwind all the counter info\n //\n\n const Int64 *inPtr64 = (const Int64*) inPtr;\n\n Int64 version = *(inPtr64 + VERSION);\n Int64 unknownUncompressedSize = *(inPtr64 + UNKNOWN_UNCOMPRESSED_SIZE);\n Int64 unknownCompressedSize = *(inPtr64 + UNKNOWN_COMPRESSED_SIZE);\n Int64 acCompressedSize = *(inPtr64 + AC_COMPRESSED_SIZE);\n Int64 dcCompressedSize = *(inPtr64 + DC_COMPRESSED_SIZE);\n Int64 rleCompressedSize = *(inPtr64 + RLE_COMPRESSED_SIZE);\n Int64 rleUncompressedSize = *(inPtr64 + RLE_UNCOMPRESSED_SIZE);\n Int64 rleRawSize = *(inPtr64 + RLE_RAW_SIZE);\n \n Int64 totalAcUncompressedCount = *(inPtr64 + AC_UNCOMPRESSED_COUNT); \n Int64 totalDcUncompressedCount = *(inPtr64 + DC_UNCOMPRESSED_COUNT); \n\n Int64 acCompression = *(inPtr64 + AC_COMPRESSION); \n\n Int64 compressedSize = unknownCompressedSize + \n acCompressedSize +\n dcCompressedSize +\n rleCompressedSize;\n\n const char *dataPtr = inPtr + NUM_SIZES_SINGLE * sizeof(Int64);\n\n /* Both the sum and individual sizes are checked in case of overflow. 
*/\n if (iSize < (headerSize + compressedSize) ||\n iSize < unknownCompressedSize ||\n iSize < acCompressedSize ||\n iSize < dcCompressedSize ||\n iSize < rleCompressedSize)\n {\n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \"(truncated file).\");\n }\n\n if ((SInt64)unknownUncompressedSize < 0 ||\n (SInt64)unknownCompressedSize < 0 ||\n (SInt64)acCompressedSize < 0 ||\n (SInt64)dcCompressedSize < 0 ||\n (SInt64)rleCompressedSize < 0 ||\n (SInt64)rleUncompressedSize < 0 ||\n (SInt64)rleRawSize < 0 ||\n (SInt64)totalAcUncompressedCount < 0 ||\n (SInt64)totalDcUncompressedCount < 0)\n {\n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \" (corrupt header).\");\n }\n\n if (version < 2) \n initializeLegacyChannelRules();\n else\n {\n unsigned short ruleSize = 0;\n Xdr::read(dataPtr, ruleSize);\n\n if (ruleSize < 0) \n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \" (corrupt header file).\");\n\n headerSize += ruleSize;\n if (iSize < headerSize + compressedSize)\n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \" (truncated file).\");\n\n _channelRules.clear();\n ruleSize -= Xdr::size ();\n while (ruleSize > 0) \n {\n Classifier rule(dataPtr, ruleSize);\n \n _channelRules.push_back(rule);\n ruleSize -= rule.size();\n }\n }\n\n\n size_t outBufferSize = 0;\n initializeBuffers(outBufferSize);\n\n //\n // Allocate _outBuffer, if we haven't done so already\n //\n\n if (static_cast(_maxScanLineSize * numScanLines()) > _outBufferSize) \n {\n _outBufferSize = static_cast(_maxScanLineSize * numScanLines());\n if (_outBuffer != 0)\n delete[] _outBuffer;\n _outBuffer = new char[_maxScanLineSize * numScanLines()];\n }\n\n\n char *outBufferEnd = _outBuffer;\n\n \n //\n // Find the start of the RLE packed AC components and\n // the DC components for each channel. 
This will be handy \n // if you want to decode the channels in parallel later on.\n //\n\n char *packedAcBufferEnd = 0; \n\n if (_packedAcBuffer)\n packedAcBufferEnd = _packedAcBuffer;\n\n char *packedDcBufferEnd = 0;\n\n if (_packedDcBuffer)\n packedDcBufferEnd = _packedDcBuffer;\n\n //\n // UNKNOWN data is packed first, followed by the \n // Huffman-compressed AC, then the DC values, \n // and then the zlib compressed RLE data.\n //\n \n const char *compressedUnknownBuf = dataPtr;\n\n const char *compressedAcBuf = compressedUnknownBuf + \n static_cast(unknownCompressedSize);\n const char *compressedDcBuf = compressedAcBuf +\n static_cast(acCompressedSize);\n const char *compressedRleBuf = compressedDcBuf + \n static_cast(dcCompressedSize);\n\n // \n // Sanity check that the version is something we expect. Right now, \n // we can decode version 0, 1, and 2. v1 adds 'end of block' symbols\n // to the AC RLE. v2 adds channel classification rules at the \n // start of the data block.\n //\n\n if (version > 2)\n throw IEX_NAMESPACE::InputExc (\"Invalid version of compressed data block\"); \n\n setupChannelData(minX, minY, maxX, maxY);\n\n // \n // Uncompress the UNKNOWN data into _planarUncBuffer[UNKNOWN]\n //\n\n if (unknownCompressedSize > 0)\n {\n if (unknownUncompressedSize > _planarUncBufferSize[UNKNOWN]) \n {\n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \"(corrupt header).\");\n }\n\n uLongf outSize = (uLongf)unknownUncompressedSize;\n\n if (Z_OK != ::uncompress\n ((Bytef *)_planarUncBuffer[UNKNOWN],\n &outSize,\n (Bytef *)compressedUnknownBuf,\n (uLong)unknownCompressedSize))\n {\n throw IEX_NAMESPACE::BaseExc(\"Error uncompressing UNKNOWN data.\");\n }\n }\n\n // \n // Uncompress the AC data into _packedAcBuffer\n //\n\n if (acCompressedSize > 0)\n {\n if (totalAcUncompressedCount*sizeof(unsigned short) > _packedAcBufferSize)\n {\n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \"(corrupt header).\");\n }\n\n //\n // 
Don't trust the user to get it right, look in the file.\n //\n\n switch (acCompression)\n {\n case STATIC_HUFFMAN:\n\n hufUncompress\n (compressedAcBuf, \n (int)acCompressedSize, \n (unsigned short *)_packedAcBuffer, \n (int)totalAcUncompressedCount); \n\n break;\n\n case DEFLATE:\n {\n uLongf destLen =\n (int)(totalAcUncompressedCount) * sizeof (unsigned short);\n\n if (Z_OK != ::uncompress\n ((Bytef *)_packedAcBuffer,\n &destLen,\n (Bytef *)compressedAcBuf,\n (uLong)acCompressedSize))\n {\n throw IEX_NAMESPACE::InputExc (\"Data decompression (zlib) failed.\");\n }\n\n if (totalAcUncompressedCount * sizeof (unsigned short) !=\n destLen)\n {\n throw IEX_NAMESPACE::InputExc (\"AC data corrupt.\"); \n }\n }\n break;\n\n default:\n\n throw IEX_NAMESPACE::NoImplExc (\"Unknown AC Compression\");\n break;\n }\n }\n\n //\n // Uncompress the DC data into _packedDcBuffer\n //\n\n if (dcCompressedSize > 0)\n {\n if (totalDcUncompressedCount*sizeof(unsigned short) > _packedDcBufferSize)\n {\n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \"(corrupt header).\");\n }\n\n if (static_cast(_zip->uncompress\n (compressedDcBuf, (int)dcCompressedSize, _packedDcBuffer))\n != totalDcUncompressedCount * sizeof (unsigned short))\n {\n throw IEX_NAMESPACE::BaseExc(\"DC data corrupt.\");\n }\n }\n\n //\n // Uncompress the RLE data into _rleBuffer, then unRLE the results\n // into _planarUncBuffer[RLE]\n //\n\n if (rleRawSize > 0)\n {\n if (rleUncompressedSize > _rleBufferSize ||\n rleRawSize > _planarUncBufferSize[RLE])\n {\n throw IEX_NAMESPACE::InputExc(\"Error uncompressing DWA data\"\n \"(corrupt header).\");\n }\n \n uLongf dstLen = (uLongf)rleUncompressedSize;\n\n if (Z_OK != ::uncompress\n ((Bytef *)_rleBuffer,\n &dstLen,\n (Bytef *)compressedRleBuf,\n (uLong)rleCompressedSize))\n {\n throw IEX_NAMESPACE::BaseExc(\"Error uncompressing RLE data.\");\n }\n\n if (dstLen != rleUncompressedSize)\n throw IEX_NAMESPACE::BaseExc(\"RLE data corrupted\");\n\n if 
(static_cast(rleUncompress\n ((int)rleUncompressedSize, \n (int)rleRawSize,\n (signed char *)_rleBuffer,\n _planarUncBuffer[RLE])) != rleRawSize)\n { \n throw IEX_NAMESPACE::BaseExc(\"RLE data corrupted\");\n }\n }\n\n //\n // Determine the start of each row in the output buffer\n //\n\n std::vector decodedChannels (_channelData.size());\n std::vector< std::vector > rowPtrs (_channelData.size());\n\n for (unsigned int chan = 0; chan < _channelData.size(); ++chan)\n decodedChannels[chan] = false;\n\n outBufferEnd = _outBuffer;\n\n for (int y = minY; y <= maxY; ++y)\n {\n for (unsigned int chan = 0; chan < _channelData.size(); ++chan)\n {\n ChannelData *cd = &_channelData[chan];\n\n if (IMATH_NAMESPACE::modp (y, cd->ySampling) != 0)\n continue;\n\n rowPtrs[chan].push_back (outBufferEnd);\n outBufferEnd += cd->width * OPENEXR_IMF_NAMESPACE::pixelTypeSize (cd->type);\n }\n }\n\n //\n // Setup to decode each block of 3 channels that need to\n // be handled together\n //\n\n for (unsigned int csc = 0; csc < _cscSets.size(); ++csc)\n {\n int rChan = _cscSets[csc].idx[0]; \n int gChan = _cscSets[csc].idx[1]; \n int bChan = _cscSets[csc].idx[2]; \n\n\n LossyDctDecoderCsc decoder\n (rowPtrs[rChan],\n rowPtrs[gChan],\n rowPtrs[bChan],\n packedAcBufferEnd,\n packedDcBufferEnd,\n dwaCompressorToLinear,\n _channelData[rChan].width,\n _channelData[rChan].height,\n _channelData[rChan].type,\n _channelData[gChan].type,\n _channelData[bChan].type);\n\n decoder.execute();\n\n packedAcBufferEnd +=\n decoder.numAcValuesEncoded() * sizeof (unsigned short);\n\n packedDcBufferEnd +=\n decoder.numDcValuesEncoded() * sizeof (unsigned short);\n\n decodedChannels[rChan] = true;\n decodedChannels[gChan] = true;\n decodedChannels[bChan] = true;\n }\n\n //\n // Setup to handle the remaining channels by themselves\n //\n\n for (unsigned int chan = 0; chan < _channelData.size(); ++chan)\n {\n if (decodedChannels[chan])\n continue;\n\n ChannelData *cd = &_channelData[chan];\n int pixelSize = 
OPENEXR_IMF_NAMESPACE::pixelTypeSize (cd->type);\n\n switch (cd->compression)\n {\n case LOSSY_DCT:\n\n //\n // Setup a single-channel lossy DCT decoder pointing\n // at the output buffer\n //\n\n {\n const unsigned short *linearLut = 0;\n\n if (!cd->pLinear)\n linearLut = dwaCompressorToLinear;\n\n LossyDctDecoder decoder\n (rowPtrs[chan],\n packedAcBufferEnd,\n packedDcBufferEnd,\n linearLut,\n cd->width,\n cd->height,\n cd->type);\n\n decoder.execute(); \n\n packedAcBufferEnd += \n decoder.numAcValuesEncoded() * sizeof (unsigned short);\n\n packedDcBufferEnd += \n decoder.numDcValuesEncoded() * sizeof (unsigned short);\n }\n\n break;\n\n case RLE:\n\n //\n // For the RLE case, the data has been un-RLE'd into\n // planarUncRleEnd[], but is still split out by bytes.\n // We need to rearrange the bytes back into the correct\n // order in the output buffer;\n //\n\n {\n int row = 0;\n\n for (int y = minY; y <= maxY; ++y)\n {\n if (IMATH_NAMESPACE::modp (y, cd->ySampling) != 0)\n continue;\n\n char *dst = rowPtrs[chan][row];\n\n if (pixelSize == 2)\n {\n interleaveByte2 (dst, \n cd->planarUncRleEnd[0],\n cd->planarUncRleEnd[1],\n cd->width);\n \n cd->planarUncRleEnd[0] += cd->width;\n cd->planarUncRleEnd[1] += cd->width;\n }\n else\n {\n for (int x = 0; x < cd->width; ++x)\n {\n for (int byte = 0; byte < pixelSize; ++byte)\n {\n *dst++ = *cd->planarUncRleEnd[byte]++;\n }\n }\n }\n\n row++;\n }\n }\n\n break;\n\n case UNKNOWN:\n\n //\n // In the UNKNOWN case, data is already in planarUncBufferEnd\n // and just needs to copied over to the output buffer\n //\n\n {\n int row = 0;\n int dstScanlineSize = cd->width * OPENEXR_IMF_NAMESPACE::pixelTypeSize (cd->type);\n\n for (int y = minY; y <= maxY; ++y)\n {\n if (IMATH_NAMESPACE::modp (y, cd->ySampling) != 0)\n continue;\n\n //\n // sanity check for buffer data lying within range\n //\n if (cd->planarUncBufferEnd + dstScanlineSize - _planarUncBuffer[UNKNOWN] > _planarUncBufferSize[UNKNOWN] )\n {\n throw Iex::InputExc(\"DWA 
data corrupt\");\n }\n\n memcpy (rowPtrs[chan][row],\n cd->planarUncBufferEnd,\n dstScanlineSize);\n\n cd->planarUncBufferEnd += dstScanlineSize;\n row++;\n }\n }\n\n break;\n\n default:\n\n throw IEX_NAMESPACE::NoImplExc (\"Unhandled compression scheme case\");\n break;\n }\n\n decodedChannels[chan] = true;\n }\n\n //\n // Return a ptr to _outBuffer\n //\n\n outPtr = _outBuffer;\n return (int)(outBufferEnd - _outBuffer);\n}", "project": "openexr", "hash": 29355653468693438910088642612193621634, "size": 520, "commit_id": "3eda5d70aba127bae9bd6bae9956fcf024b64031", "message": "fixes for DWA uncompress: sanity check unknown data reading, off-by-one error on max suffix string length\n\nSigned-off-by: Peter Hillman ", "target": 0, "dataset": "other", "idx": 440095 }, { "func": "new_shell_variable (name)\n const char *name;\n{\n SHELL_VAR *entry;\n\n entry = (SHELL_VAR *)xmalloc (sizeof (SHELL_VAR));\n\n entry->name = savestring (name);\n var_setvalue (entry, (char *)NULL);\n CLEAR_EXPORTSTR (entry);\n\n entry->dynamic_value = (sh_var_value_func_t *)NULL;\n entry->assign_func = (sh_var_assign_func_t *)NULL;\n\n entry->attributes = 0;\n\n /* Always assume variables are to be made at toplevel!\n make_local_variable has the responsibilty of changing the\n variable context. 
*/\n entry->context = 0;\n\n return (entry);\n}", "project": "bash", "hash": 286919092092202120653377812586721005129, "size": 23, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379340 }, { "func": "static enum_func_status\nphp_mysqlnd_rset_header_read(void * _packet, MYSQLND_CONN_DATA * conn TSRMLS_DC)\n{\n\tenum_func_status ret = PASS;\n\tsize_t buf_len = conn->net->cmd_buffer.length;\n\tzend_uchar *buf = (zend_uchar *) conn->net->cmd_buffer.buffer;\n\tzend_uchar *p = buf;\n\tzend_uchar *begin = buf;\n\tsize_t len;\n\tMYSQLND_PACKET_RSET_HEADER *packet= (MYSQLND_PACKET_RSET_HEADER *) _packet;\n\n\tDBG_ENTER(\"php_mysqlnd_rset_header_read\");\n\n\tPACKET_READ_HEADER_AND_BODY(packet, conn, buf, buf_len, \"resultset header\", PROT_RSET_HEADER_PACKET);\n\tBAIL_IF_NO_MORE_DATA;\n\n\t/*\n\t Don't increment. First byte is ERROR_MARKER on error, but otherwise is starting byte\n\t of encoded sequence for length.\n\t*/\n\tif (ERROR_MARKER == *p) {\n\t\t/* Error */\n\t\tp++;\n\t\tBAIL_IF_NO_MORE_DATA;\n\t\tphp_mysqlnd_read_error_from_line(p, packet->header.size - 1,\n\t\t\t\t\t\t\t\t\t\t packet->error_info.error, sizeof(packet->error_info.error),\n\t\t\t\t\t\t\t\t\t\t &packet->error_info.error_no, packet->error_info.sqlstate\n\t\t\t\t\t\t\t\t\t\t TSRMLS_CC);\n\t\tDBG_INF_FMT(\"conn->server_status=%u\", conn->upsert_status->server_status);\n\t\tDBG_RETURN(PASS);\n\t}\n\n\tpacket->field_count = php_mysqlnd_net_field_length(&p);\n\tBAIL_IF_NO_MORE_DATA;\n\n\tswitch (packet->field_count) {\n\t\tcase MYSQLND_NULL_LENGTH:\n\t\t\tDBG_INF(\"LOAD LOCAL\");\n\t\t\t/*\n\t\t\t First byte in the packet is the field count.\n\t\t\t Thus, the name is size - 1. And we add 1 for a trailing \\0.\n\t\t\t Because we have BAIL_IF_NO_MORE_DATA before the switch, we are guaranteed\n\t\t\t that packet->header.size is > 0. 
Which means that len can't underflow, that\n\t\t\t would lead to 0 byte allocation but 2^32 or 2^64 bytes copied.\n\t\t\t*/\n\t\t\tlen = packet->header.size - 1;\n\t\t\tpacket->info_or_local_file = mnd_emalloc(len + 1);\n\t\t\tif (packet->info_or_local_file) {\n\t\t\t\tmemcpy(packet->info_or_local_file, p, len);\n\t\t\t\tpacket->info_or_local_file[len] = '\\0';\n\t\t\t\tpacket->info_or_local_file_len = len;\n\t\t\t} else {\n\t\t\t\tSET_OOM_ERROR(*conn->error_info);\n\t\t\t\tret = FAIL;\t\n\t\t\t}\n\t\t\tbreak;\n\t\tcase 0x00:\n\t\t\tDBG_INF(\"UPSERT\");\n\t\t\tpacket->affected_rows = php_mysqlnd_net_field_length_ll(&p);\n\t\t\tBAIL_IF_NO_MORE_DATA;\n\n\t\t\tpacket->last_insert_id = php_mysqlnd_net_field_length_ll(&p);\n\t\t\tBAIL_IF_NO_MORE_DATA;\n\n\t\t\tpacket->server_status = uint2korr(p);\n\t\t\tp+=2;\n\t\t\tBAIL_IF_NO_MORE_DATA;\n\n\t\t\tpacket->warning_count = uint2korr(p);\n\t\t\tp+=2;\n\t\t\tBAIL_IF_NO_MORE_DATA;\n\t\t\t/* Check for additional textual data */\n\t\t\tif (packet->header.size > (size_t) (p - buf) && (len = php_mysqlnd_net_field_length(&p))) {\n\t\t\t\tpacket->info_or_local_file = mnd_emalloc(len + 1);\n\t\t\t\tif (packet->info_or_local_file) {\n\t\t\t\t\tmemcpy(packet->info_or_local_file, p, len);\n\t\t\t\t\tpacket->info_or_local_file[len] = '\\0';\n\t\t\t\t\tpacket->info_or_local_file_len = len;\n\t\t\t\t} else {\n\t\t\t\t\tSET_OOM_ERROR(*conn->error_info);\n\t\t\t\t\tret = FAIL;\n\t\t\t\t}\n\t\t\t}\n\t\t\tDBG_INF_FMT(\"affected_rows=%llu last_insert_id=%llu server_status=%u warning_count=%u\",\n\t\t\t\t\t\tpacket->affected_rows, packet->last_insert_id,\n\t\t\t\t\t\tpacket->server_status, packet->warning_count);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tDBG_INF(\"SELECT\");\n\t\t\t/* Result set */\n\t\t\tbreak;\n\t}\n\tBAIL_IF_NO_MORE_DATA;\n\n\tDBG_RETURN(ret);\npremature_end:\n\tDBG_ERR_FMT(\"RSET_HEADER packet %d bytes shorter than expected\", p - begin - packet->header.size);\n\tphp_error_docref(NULL TSRMLS_CC, E_WARNING, \"RSET_HEADER packet 
\"MYSQLND_SZ_T_SPEC\" bytes shorter than expected\",\n\t\t\t\t\t p - begin - packet->header.size);\n\tDBG_RETURN(FAIL);", "project": "php-src", "hash": 39857115302553833530425053482591755379, "size": 100, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416668 }, { "func": "static inline bool io_req_needs_clean(struct io_kiocb *req)\n{\n\treturn req->flags & (REQ_F_BUFFER_SELECTED | REQ_F_NEED_CLEANUP |\n\t\t\t\tREQ_F_POLLED | REQ_F_INFLIGHT);\n}", "project": "linux", "hash": 91993115294569982908496843956499234970, "size": 5, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338687 }, { "func": "static inline hpa_t pfn_to_hpa(kvm_pfn_t pfn)\n{\n\treturn (hpa_t)pfn << PAGE_SHIFT;\n}", "project": "linux", "hash": 277151571286872225260140734985720728015, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in 
search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354587 }, { "func": "HttpStateData::decideIfWeDoRanges (HttpRequest * request)\n{\n bool result = true;\n /* decide if we want to do Ranges ourselves\n * and fetch the whole object now)\n * We want to handle Ranges ourselves iff\n * - we can actually parse client Range specs\n * - the specs are expected to be simple enough (e.g. no out-of-order ranges)\n * - reply will be cachable\n * (If the reply will be uncachable we have to throw it away after\n * serving this request, so it is better to forward ranges to\n * the server and fetch only the requested content)\n */\n\n int64_t roffLimit = request->getRangeOffsetLimit();\n\n if (NULL == request->range || !request->flags.cachable\n || request->range->offsetLimitExceeded(roffLimit) || request->flags.connectionAuth)\n result = false;\n\n debugs(11, 8, \"decideIfWeDoRanges: range specs: \" <<\n request->range << \", cachable: \" <<\n request->flags.cachable << \"; we_do_ranges: \" << result);\n\n return result;\n}", "project": "squid", "hash": 72126056016131380424137511914551431937, "size": 26, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402398 }, { "func": "static void hci_cc_write_def_link_policy(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\tvoid *sent;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);\n\tif (!sent)\n\t\treturn;\n\n\thdev->link_policy = get_unaligned_le16(sent);\n}", "project": "linux", "hash": 306833871819374434256426016261715125569, "size": 17, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431973 }, { "func": "int mnt_optstr_deduplicate_option(char **optstr, const char *name)\n{\n\tint rc;\n\tchar *begin = NULL, *end = NULL, *opt;\n\n\tif (!optstr || !name)\n\t\treturn -EINVAL;\n\n\topt = *optstr;\n\tdo {\n\t\tstruct libmnt_optloc ol = MNT_INIT_OPTLOC;\n\n\t\trc = mnt_optstr_locate_option(opt, name, &ol);\n\t\tif (!rc) {\n\t\t\tif (begin) {\n\t\t\t\t/* remove the previous instance */\n\t\t\t\tsize_t shift = strlen(*optstr);\n\n\t\t\t\tmnt_optstr_remove_option_at(optstr, begin, end);\n\n\t\t\t\t/* now all the offsets are not valid anymore - recount */\n\t\t\t\tshift -= strlen(*optstr);\n\t\t\t\tol.begin -= shift;\n\t\t\t\tol.end -= shift;\n\t\t\t}\n\t\t\tbegin = ol.begin;\n\t\t\tend = ol.end;\n\t\t\topt = end && *end ? end + 1 : NULL;\n\t\t}\n\t\tif (opt == NULL)\n\t\t\tbreak;\n\t} while (rc == 0 && *opt);\n\n\treturn rc < 0 ? rc : begin ? 
0 : 1;\n}", "project": "util-linux", "hash": 159168135301300005213613980735673336776, "size": 35, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410398 }, { "func": "pcre_cache_entry::~pcre_cache_entry() {\n if (extra) {\n#if PCRE_MAJOR < 8 || (PCRE_MAJOR == 8 && PCRE_MINOR < 20)\n free(extra);\n#else\n pcre_free_study(extra);\n#endif\n }\n free(subpat_names);\n pcre_free(re);\n}", "project": "hhvm", "hash": 292391701520757280080492342250365906678, "size": 11, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219092 }, { "func": "static int parallel_blosc(blosc2_context* context) {\n#ifdef BLOSC_POSIX_BARRIERS\n int rc;\n#endif\n /* Set sentinels */\n context->thread_giveup_code = 1;\n context->thread_nblock = -1;\n\n if (threads_callback) {\n threads_callback(threads_callback_data, t_blosc_do_job,\n context->nthreads, sizeof(struct thread_context), (void*) context->thread_contexts);\n }\n else {\n /* Synchronization point for all threads (wait for initialization) */\n WAIT_INIT(-1, context);\n\n /* Synchronization point for all threads (wait for finalization) */\n WAIT_FINISH(-1, context);\n }\n\n if (context->thread_giveup_code <= 0) {\n /* Compression/decompression gave up. Return error code. 
*/\n return context->thread_giveup_code;\n }\n\n /* Return the total bytes (de-)compressed in threads */\n return (int)context->output_bytes;\n}", "project": "c-blosc2", "hash": 205191335837596693734638198433194860723, "size": 28, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303056 }, { "func": " int save_in_field(Field *field, bool no_conversions)\n {\n field->set_notnull();\n return field->store(str_value.ptr(), str_value.length(), \n collation.collation);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 252003437368059485468334704880269539845, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509191 }, { "func": " int save_in_field(Field *field, bool no_conversions)\n { return save_date_in_field(field); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 82698766694340963424351624319661825964, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509456 }, { "func": " int save_in_field(Field *field, bool no_conversions)\n {\n field->set_notnull();\n return field->store_hex_hybrid(str_value.ptr(), str_value.length());\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 326047647818030060876862039864925068042, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509465 }, { "func": "static unsigned long mremap_to(unsigned long addr, unsigned long old_len,\n\t\tunsigned long new_addr, unsigned long new_len, bool *locked,\n\t\tunsigned long flags, struct vm_userfaultfd_ctx *uf,\n\t\tstruct list_head *uf_unmap_early,\n\t\tstruct list_head *uf_unmap)\n{\n\tstruct mm_struct *mm = current->mm;\n\tstruct vm_area_struct *vma;\n\tunsigned long ret = -EINVAL;\n\tunsigned long charged = 0;\n\tunsigned long map_flags = 0;\n\n\tif (offset_in_page(new_addr))\n\t\tgoto out;\n\n\tif (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)\n\t\tgoto out;\n\n\t/* Ensure the old/new locations do not overlap */\n\tif (addr + old_len > new_addr && new_addr + new_len > addr)\n\t\tgoto out;\n\n\t/*\n\t * move_vma() need us to stay 4 maps below the threshold, otherwise\n\t * it will bail out at the very beginning.\n\t * That is a problem if we have already unmaped the regions here\n\t * (new_addr, and old_addr), because userspace will not know the\n\t * state of the vma's after it gets -ENOMEM.\n\t * So, to avoid such scenario we can pre-compute if the whole\n\t * operation has high chances to success map-wise.\n\t * Worst-scenario case is when both vma's (new_addr and old_addr) get\n\t * split in 3 before unmaping it.\n\t * That means 2 more maps (1 for each) to the ones we already hold.\n\t * Check whether current map count plus 2 still leads us to 4 maps below\n\t * the threshold, otherwise return -ENOMEM here to be more safe.\n\t */\n\tif ((mm->map_count + 2) >= sysctl_max_map_count - 3)\n\t\treturn -ENOMEM;\n\n\tif (flags & MREMAP_FIXED) {\n\t\tret = do_munmap(mm, new_addr, new_len, uf_unmap_early);\n\t\tif (ret)\n\t\t\tgoto out;\n\t}\n\n\tif (old_len >= new_len) {\n\t\tret = do_munmap(mm, addr+new_len, old_len - new_len, uf_unmap);\n\t\tif (ret && old_len != 
new_len)\n\t\t\tgoto out;\n\t\told_len = new_len;\n\t}\n\n\tvma = vma_to_resize(addr, old_len, new_len, flags, &charged);\n\tif (IS_ERR(vma)) {\n\t\tret = PTR_ERR(vma);\n\t\tgoto out;\n\t}\n\n\t/* MREMAP_DONTUNMAP expands by old_len since old_len == new_len */\n\tif (flags & MREMAP_DONTUNMAP &&\n\t\t!may_expand_vm(mm, vma->vm_flags, old_len >> PAGE_SHIFT)) {\n\t\tret = -ENOMEM;\n\t\tgoto out;\n\t}\n\n\tif (flags & MREMAP_FIXED)\n\t\tmap_flags |= MAP_FIXED;\n\n\tif (vma->vm_flags & VM_MAYSHARE)\n\t\tmap_flags |= MAP_SHARED;\n\n\tret = get_unmapped_area(vma->vm_file, new_addr, new_len, vma->vm_pgoff +\n\t\t\t\t((addr - vma->vm_start) >> PAGE_SHIFT),\n\t\t\t\tmap_flags);\n\tif (IS_ERR_VALUE(ret))\n\t\tgoto out1;\n\n\t/* We got a new mapping */\n\tif (!(flags & MREMAP_FIXED))\n\t\tnew_addr = ret;\n\n\tret = move_vma(vma, addr, old_len, new_len, new_addr, locked, flags, uf,\n\t\t uf_unmap);\n\n\tif (!(offset_in_page(ret)))\n\t\tgoto out;\n\nout1:\n\tvm_unacct_memory(charged);\n\nout:\n\treturn ret;\n}", "project": "linux", "hash": 139606462540037492111342001919111410455, "size": 93, "commit_id": "5bfea2d9b17f1034a68147a8b03b9789af5700f9", "message": "mm: Fix mremap not considering huge pmd devmap\n\nThe original code in mm/mremap.c checks huge pmd by:\n\n\t\tif (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {\n\nHowever, a DAX mapped nvdimm is mapped as huge page (by default) but it\nis not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This commit\nchanges the condition to include the case.\n\nThis addresses CVE-2020-10757.\n\nFixes: 5c7fb56e5e3f (\"mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd\")\nCc: \nReported-by: Fan Yang \nSigned-off-by: Fan Yang \nTested-by: Fan Yang \nTested-by: Dan Williams \nReviewed-by: Dan Williams \nAcked-by: Kirill A. 
Shutemov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 321581 }, { "func": "void lua_datum::set_from(const lua_datum &o)\n{\n lua_pushlightuserdata(lua, this);\n o.push();\n lua_settable(lua, LUA_REGISTRYINDEX);\n lua.add_shutdown_listener(this);\n need_cleanup = true;\n}", "project": "crawl", "hash": 259475002387153574068014289011662889192, "size": 8, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230522 }, { "func": "static void test_cpu_buff_start(struct trace_iterator *iter)\n{\n\tstruct trace_seq *s = &iter->seq;\n\tstruct trace_array *tr = iter->tr;\n\n\tif (!(tr->trace_flags & TRACE_ITER_ANNOTATE))\n\t\treturn;\n\n\tif (!(iter->iter_flags & TRACE_FILE_ANNOTATE))\n\t\treturn;\n\n\tif (cpumask_available(iter->started) &&\n\t cpumask_test_cpu(iter->cpu, iter->started))\n\t\treturn;\n\n\tif (per_cpu_ptr(iter->trace_buffer->data, iter->cpu)->skipped_entries)\n\t\treturn;\n\n\tif (cpumask_available(iter->started))\n\t\tcpumask_set_cpu(iter->cpu, iter->started);\n\n\t/* Don't print started cpu buffer for the first entry of the trace */\n\tif (iter->idx > 1)\n\t\ttrace_seq_printf(s, \"##### CPU %u buffer started ####\\n\",\n\t\t\t\titer->cpu);\n}", "project": "linux", "hash": 218469029837597155248845160594783228002, "size": 26, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445628 }, { "func": "static char *dirpath(char *dir, const char *path){\n\tstatic char buf[SC_MAX_PATH_STRING_SIZE];\n\n\tstrlcpy(buf,dir,sizeof buf);\n\tstrlcat(buf,path,sizeof buf);\n\treturn buf;\n}", "project": "OpenSC", "hash": 45317617660328392690679961091173850097, "size": 7, "commit_id": "5df913b7f57ad89b9832555d24c08d23a534311e", "message": "tcos: Check bounds in insert_pin()\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383", "target": 0, "dataset": "other", "idx": 243960 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void ecall_external_sort(uint8_t *sort_order, size_t sort_order_length,\n uint8_t *input_rows, size_t input_rows_length,\n uint8_t **output_rows, size_t *output_rows_length) {\n // Guard against operating on arbitrary enclave memory\n assert(sgx_is_outside_enclave(input_rows, input_rows_length) == 1);\n sgx_lfence();\n\n try {\n external_sort(sort_order, sort_order_length,\n input_rows, input_rows_length,\n output_rows, output_rows_length);\n } catch (const std::runtime_error &e) {\n ocall_throw(e.what());\n }\n}", "idx": 519090, "cwe": "CWE-787", "hash": 126085665296736930714238143800920118267, "dataset": "other" }, { "func": "static OPJ_BOOL opj_j2k_write_qcd(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager\n )\n{\n OPJ_UINT32 l_qcd_size, l_remaining_size;\n OPJ_BYTE * l_current_data = 00;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n l_qcd_size = 4 + 
opj_j2k_get_SQcd_SQcc_size(p_j2k, p_j2k->m_current_tile_number,\n 0);\n l_remaining_size = l_qcd_size;\n\n if (l_qcd_size > p_j2k->m_specific_param.m_encoder.m_header_tile_data_size) {\n OPJ_BYTE *new_header_tile_data = (OPJ_BYTE *) opj_realloc(\n p_j2k->m_specific_param.m_encoder.m_header_tile_data, l_qcd_size);\n if (! new_header_tile_data) {\n opj_free(p_j2k->m_specific_param.m_encoder.m_header_tile_data);\n p_j2k->m_specific_param.m_encoder.m_header_tile_data = NULL;\n p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = 0;\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to write QCD marker\\n\");\n return OPJ_FALSE;\n }\n p_j2k->m_specific_param.m_encoder.m_header_tile_data = new_header_tile_data;\n p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = l_qcd_size;\n }\n\n l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;\n\n opj_write_bytes(l_current_data, J2K_MS_QCD, 2); /* QCD */\n l_current_data += 2;\n\n opj_write_bytes(l_current_data, l_qcd_size - 2, 2); /* L_QCD */\n l_current_data += 2;\n\n l_remaining_size -= 4;\n\n if (! 
opj_j2k_write_SQcd_SQcc(p_j2k, p_j2k->m_current_tile_number, 0,\n l_current_data, &l_remaining_size, p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Error writing QCD marker\\n\");\n return OPJ_FALSE;\n }\n\n if (l_remaining_size != 0) {\n opj_event_msg(p_manager, EVT_ERROR, \"Error writing QCD marker\\n\");\n return OPJ_FALSE;\n }\n\n if (opj_stream_write_data(p_stream,\n p_j2k->m_specific_param.m_encoder.m_header_tile_data, l_qcd_size,\n p_manager) != l_qcd_size) {\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 106930444731918725688088930319666067769, "size": 60, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357396 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "JNIEXPORT jbyteArray JNICALL Java_edu_berkeley_cs_rise_opaque_execution_SGXEnclave_Filter(\n JNIEnv *env, jobject obj, jlong eid, jbyteArray condition, jbyteArray input_rows) {\n (void)obj;\n\n jboolean if_copy;\n\n size_t condition_length = (size_t) env->GetArrayLength(condition);\n uint8_t *condition_ptr = (uint8_t *) env->GetByteArrayElements(condition, &if_copy);\n\n uint32_t input_rows_length = (uint32_t) env->GetArrayLength(input_rows);\n uint8_t *input_rows_ptr = (uint8_t *) env->GetByteArrayElements(input_rows, &if_copy);\n\n uint8_t *output_rows;\n size_t output_rows_length;\n\n sgx_check(\"Filter\",\n ecall_filter(\n eid,\n condition_ptr, condition_length,\n input_rows_ptr, input_rows_length,\n &output_rows, &output_rows_length));\n\n env->ReleaseByteArrayElements(condition, (jbyte *) condition_ptr, 0);\n env->ReleaseByteArrayElements(input_rows, (jbyte *) input_rows_ptr, 0);\n\n jbyteArray ret = env->NewByteArray(output_rows_length);\n env->SetByteArrayRegion(ret, 0, output_rows_length, (jbyte *) output_rows);\n free(output_rows);\n\n return 
ret;\n}", "idx": 519101, "cwe": "CWE-787", "hash": 18147399596830193481677003441078764783, "dataset": "other" }, { "func": "static inline unsigned int tcp_left_out(const struct tcp_sock *tp)\n{\n\treturn tp->sacked_out + tp->lost_out;\n}", "project": "linux", "hash": 334235575309302390750800110464340755933, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410800 }, { "func": "static void\nbfq_set_next_ioprio_data(struct bfq_queue *bfqq, struct bfq_io_cq *bic)\n{\n\tstruct task_struct *tsk = current;\n\tint ioprio_class;\n\tstruct bfq_data *bfqd = bfqq->bfqd;\n\n\tif (!bfqd)\n\t\treturn;\n\n\tioprio_class = IOPRIO_PRIO_CLASS(bic->ioprio);\n\tswitch (ioprio_class) {\n\tdefault:\n\t\tdev_err(bfqq->bfqd->queue->backing_dev_info->dev,\n\t\t\t\"bfq: bad prio class %d\\n\", ioprio_class);\n\t\t/* fall through */\n\tcase IOPRIO_CLASS_NONE:\n\t\t/*\n\t\t * No prio set, inherit CPU scheduling settings.\n\t\t */\n\t\tbfqq->new_ioprio = task_nice_ioprio(tsk);\n\t\tbfqq->new_ioprio_class = task_nice_ioclass(tsk);\n\t\tbreak;\n\tcase IOPRIO_CLASS_RT:\n\t\tbfqq->new_ioprio = IOPRIO_PRIO_DATA(bic->ioprio);\n\t\tbfqq->new_ioprio_class = IOPRIO_CLASS_RT;\n\t\tbreak;\n\tcase IOPRIO_CLASS_BE:\n\t\tbfqq->new_ioprio = IOPRIO_PRIO_DATA(bic->ioprio);\n\t\tbfqq->new_ioprio_class = IOPRIO_CLASS_BE;\n\t\tbreak;\n\tcase IOPRIO_CLASS_IDLE:\n\t\tbfqq->new_ioprio_class = IOPRIO_CLASS_IDLE;\n\t\tbfqq->new_ioprio = 7;\n\t\tbreak;\n\t}\n\n\tif (bfqq->new_ioprio >= IOPRIO_BE_NR) {\n\t\tpr_crit(\"bfq_set_next_ioprio_data: new_ioprio %d\\n\",\n\t\t\tbfqq->new_ioprio);\n\t\tbfqq->new_ioprio = IOPRIO_BE_NR;\n\t}\n\n\tbfqq->entity.new_weight = bfq_ioprio_to_weight(bfqq->new_ioprio);\n\tbfqq->entity.prio_changed = 1;", "project": "linux", "hash": 137131796583391852400278255441421229338, "size": 45, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. 
So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] 
bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 
mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453371 }, { "func": "static oidc_provider_t* oidc_get_provider_for_issuer(request_rec *r,\n\t\toidc_cfg *c, const char *issuer, apr_byte_t allow_discovery) {\n\n\t/* by default we'll assume that we're dealing with a single statically configured OP */\n\toidc_provider_t *provider = NULL;\n\tif (oidc_provider_static_config(r, c, &provider) == FALSE)\n\t\treturn NULL;\n\n\t/* unless a metadata directory was configured, so we'll try and get the provider settings from there */\n\tif (c->metadata_dir != NULL) 
{\n\n\t\t/* try and get metadata from the metadata directory for the OP that sent this response */\n\t\tif ((oidc_metadata_get(r, c, issuer, &provider, allow_discovery)\n\t\t\t\t== FALSE) || (provider == NULL)) {\n\n\t\t\t/* don't know nothing about this OP/issuer */\n\t\t\toidc_error(r, \"no provider metadata found for issuer \\\"%s\\\"\",\n\t\t\t\t\tissuer);\n\n\t\t\treturn NULL;\n\t\t}\n\t}\n\n\treturn provider;\n}", "project": "mod_auth_openidc", "hash": 332160498789468452046545211215286290908, "size": 25, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381975 }, { "func": "static void io_submit_state_start(struct io_submit_state *state,\n\t\t\t\t struct io_ring_ctx *ctx, unsigned int max_ios)\n{\n\tblk_start_plug(&state->plug);\n#ifdef CONFIG_BLOCK\n\tstate->plug.nowait = true;\n#endif\n\tstate->comp.nr = 0;\n\tINIT_LIST_HEAD(&state->comp.list);\n\tstate->comp.ctx = ctx;\n\tstate->free_reqs = 0;\n\tstate->file = NULL;\n\tstate->ios_left = max_ios;\n}", "project": "linux", "hash": 197309238545837217295362420456685132728, "size": 14, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456937 }, { "func": "int tty_alloc_file(struct file *file)\n{\n\tstruct 
tty_file_private *priv;\n\n\tpriv = kmalloc(sizeof(*priv), GFP_KERNEL);\n\tif (!priv)\n\t\treturn -ENOMEM;\n\n\tfile->private_data = priv;\n\n\treturn 0;\n}", "project": "linux", "hash": 141738029118681782210582191849316434897, "size": 12, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325988 }, { "func": "void LibRaw::process_Sony_0x9050(uchar *buf, ushort len, unsigned long long id)\n{\n ushort lid;\n uchar s[4];\n int c;\n\n if ((ilm.CameraMount != LIBRAW_MOUNT_Sony_E) &&\n (ilm.CameraMount != LIBRAW_MOUNT_FixedLens))\n {\n if (len < 2)\n return;\n if (buf[0])\n ilm.MaxAp4CurFocal =\n my_roundf(\n libraw_powf64l(2.0f, ((float)SonySubstitution[buf[0]] / 8.0 - 1.06f) / 2.0f) *\n 10.0f) / 10.0f;\n\n if (buf[1])\n ilm.MinAp4CurFocal =\n my_roundf(\n libraw_powf64l(2.0f, ((float)SonySubstitution[buf[1]] / 8.0 - 1.06f) / 2.0f) *\n 10.0f) / 10.0f;\n }\n\n if (ilm.CameraMount != LIBRAW_MOUNT_FixedLens)\n {\n if (len <= 0x106)\n return;\n if (buf[0x3d] | buf[0x3c])\n {\n lid = SonySubstitution[buf[0x3d]] << 8 | SonySubstitution[buf[0x3c]];\n ilm.CurAp = libraw_powf64l(2.0f, ((float)lid / 256.0f - 16.0f) / 2.0f);\n }\n if (buf[0x105] &&\n (ilm.LensMount != LIBRAW_MOUNT_Canon_EF) &&\n (ilm.LensMount != LIBRAW_MOUNT_Sigma_X3F)) {\n switch (SonySubstitution[buf[0x105]]) {\n case 1:\n ilm.LensMount = LIBRAW_MOUNT_Minolta_A;\n break;\n case 2:\n ilm.LensMount = LIBRAW_MOUNT_Sony_E;\n break;\n }\n }\n if (buf[0x106]) {\n switch (SonySubstitution[buf[0x106]]) {\n case 1:\n 
ilm.LensFormat = LIBRAW_FORMAT_APSC;\n break;\n case 2:\n ilm.LensFormat = LIBRAW_FORMAT_FF;\n break;\n }\n }\n }\n\n if (ilm.CameraMount == LIBRAW_MOUNT_Sony_E)\n {\n if (len <= 0x108)\n return;\n parseSonyLensType2(\n SonySubstitution[buf[0x0108]], // LensType2 - Sony lens ids\n SonySubstitution[buf[0x0107]]);\n }\n\n if (len <= 0x10a)\n return;\n if ((ilm.LensID == -1) && (ilm.CameraMount == LIBRAW_MOUNT_Minolta_A) &&\n (buf[0x010a] | buf[0x0109]))\n {\n ilm.LensID = // LensType - Minolta/Sony lens ids\n SonySubstitution[buf[0x010a]] << 8 | SonySubstitution[buf[0x0109]];\n\n if ((ilm.LensID > 0x4900) && (ilm.LensID <= 0x5900))\n {\n ilm.AdapterID = 0x4900;\n ilm.LensID -= ilm.AdapterID;\n ilm.LensMount = LIBRAW_MOUNT_Sigma_X3F;\n strcpy(ilm.Adapter, \"MC-11\");\n }\n\n else if ((ilm.LensID > 0xef00) && (ilm.LensID < 0xffff) &&\n (ilm.LensID != 0xff00))\n {\n ilm.AdapterID = 0xef00;\n ilm.LensID -= ilm.AdapterID;\n ilm.LensMount = LIBRAW_MOUNT_Canon_EF;\n }\n }\n\n if ((id >= SonyID_SLT_A65) && (id <= SonyID_NEX_F3))\n {\n if (len <= 0x116)\n return;\n // \"SLT-A65\", \"SLT-A77\", \"NEX-7\", \"NEX-VG20\",\n // \"SLT-A37\", \"SLT-A57\", \"NEX-F3\", \"Lunar\"\n parseSonyLensFeatures(SonySubstitution[buf[0x115]],\n SonySubstitution[buf[0x116]]);\n }\n else if (ilm.CameraMount != LIBRAW_MOUNT_FixedLens)\n {\n if (len <= 0x117)\n return;\n parseSonyLensFeatures(SonySubstitution[buf[0x116]],\n SonySubstitution[buf[0x117]]);\n }\n\n if ((id == SonyID_ILCE_7RM2) ||\n (id == SonyID_ILCE_7SM2) ||\n (id == SonyID_ILCA_99M2) ||\n (id == SonyID_ILCE_6300) ||\n (id == SonyID_ILCE_9) ||\n (id == SonyID_ILCE_6500) ||\n (id == SonyID_ILCE_7RM3) ||\n (id == SonyID_ILCE_7M3) ||\n (id == SonyID_ILCE_6400) ||\n (id == SonyID_ILCE_7RM4) ||\n (id == SonyID_ILCE_9M2) ||\n (id == SonyID_ILCE_6600) ||\n (id == SonyID_ILCE_6100))\n {\n if (len <= 0x8d)\n return;\n unsigned long long b88 = SonySubstitution[buf[0x88]];\n unsigned long long b89 = SonySubstitution[buf[0x89]];\n unsigned long 
long b8a = SonySubstitution[buf[0x8a]];\n unsigned long long b8b = SonySubstitution[buf[0x8b]];\n unsigned long long b8c = SonySubstitution[buf[0x8c]];\n unsigned long long b8d = SonySubstitution[buf[0x8d]];\n sprintf(imgdata.shootinginfo.InternalBodySerial, \"%06llx\",\n (b88 << 40) + (b89 << 32) + (b8a << 24) + (b8b << 16) + (b8c << 8) +\n b8d);\n }\n else if (ilm.CameraMount == LIBRAW_MOUNT_Minolta_A)\n {\n if (len <= 0xf4)\n return;\n unsigned long long bf0 = SonySubstitution[buf[0xf0]];\n unsigned long long bf1 = SonySubstitution[buf[0xf1]];\n unsigned long long bf2 = SonySubstitution[buf[0xf2]];\n unsigned long long bf3 = SonySubstitution[buf[0xf3]];\n unsigned long long bf4 = SonySubstitution[buf[0xf4]];\n sprintf(imgdata.shootinginfo.InternalBodySerial, \"%05llx\",\n (bf0 << 32) + (bf1 << 24) + (bf2 << 16) + (bf3 << 8) + bf4);\n }\n else if ((ilm.CameraMount == LIBRAW_MOUNT_Sony_E) &&\n (id != SonyID_NEX_5N) &&\n (id != SonyID_NEX_7) &&\n (id != SonyID_NEX_VG20))\n {\n if (len <= 0x7f)\n return;\n unsigned b7c = SonySubstitution[buf[0x7c]];\n unsigned b7d = SonySubstitution[buf[0x7d]];\n unsigned b7e = SonySubstitution[buf[0x7e]];\n unsigned b7f = SonySubstitution[buf[0x7f]];\n sprintf(imgdata.shootinginfo.InternalBodySerial, \"%04x\",\n (b7c << 24) + (b7d << 16) + (b7e << 8) + b7f);\n }\n\n if ((imSony.ImageCount3_offset != 0xffff) &&\n (len >= (imSony.ImageCount3_offset + 4)))\n {\n FORC4 s[c] = SonySubstitution[buf[imSony.ImageCount3_offset + c]];\n imSony.ImageCount3 = sget4(s);\n }\n\n return;\n}", "project": "LibRaw", "hash": 238752135897875454725875870971894537594, "size": 170, "commit_id": "c243f4539233053466c1309bde606815351bee81", "message": "additional checks in parseSonySRF\n\nparseSonySR2: buffer size check", "target": 0, "dataset": "other", "idx": 394107 }, { "func": "static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,\n OPJ_BYTE * p_data,\n OPJ_UINT32 * p_data_written,\n OPJ_UINT32 total_data_size,\n opj_stream_private_t 
*p_stream,\n struct opj_event_mgr * p_manager\n )\n{\n OPJ_UINT32 tilepartno = 0;\n OPJ_UINT32 l_nb_bytes_written = 0;\n OPJ_UINT32 l_current_nb_bytes_written;\n OPJ_UINT32 l_part_tile_size;\n OPJ_UINT32 tot_num_tp;\n OPJ_UINT32 pino;\n\n OPJ_BYTE * l_begin_data;\n opj_tcp_t *l_tcp = 00;\n opj_tcd_t * l_tcd = 00;\n opj_cp_t * l_cp = 00;\n\n l_tcd = p_j2k->m_tcd;\n l_cp = &(p_j2k->m_cp);\n l_tcp = l_cp->tcps + p_j2k->m_current_tile_number;\n\n /*Get number of tile parts*/\n tot_num_tp = opj_j2k_get_num_tp(l_cp, 0, p_j2k->m_current_tile_number);\n\n /* start writing remaining tile parts */\n ++p_j2k->m_specific_param.m_encoder.m_current_tile_part_number;\n for (tilepartno = 1; tilepartno < tot_num_tp ; ++tilepartno) {\n p_j2k->m_specific_param.m_encoder.m_current_poc_tile_part_number = tilepartno;\n l_current_nb_bytes_written = 0;\n l_part_tile_size = 0;\n l_begin_data = p_data;\n\n if (! opj_j2k_write_sot(p_j2k, p_data,\n total_data_size,\n &l_current_nb_bytes_written,\n p_stream,\n p_manager)) {\n return OPJ_FALSE;\n }\n\n l_nb_bytes_written += l_current_nb_bytes_written;\n p_data += l_current_nb_bytes_written;\n total_data_size -= l_current_nb_bytes_written;\n l_part_tile_size += l_current_nb_bytes_written;\n\n l_current_nb_bytes_written = 0;\n if (! 
opj_j2k_write_sod(p_j2k, l_tcd, p_data, &l_current_nb_bytes_written,\n total_data_size, p_stream, p_manager)) {\n return OPJ_FALSE;\n }\n\n p_data += l_current_nb_bytes_written;\n l_nb_bytes_written += l_current_nb_bytes_written;\n total_data_size -= l_current_nb_bytes_written;\n l_part_tile_size += l_current_nb_bytes_written;\n\n /* Writing Psot in SOT marker */\n opj_write_bytes(l_begin_data + 6, l_part_tile_size,\n 4); /* PSOT */\n\n if (OPJ_IS_CINEMA(l_cp->rsiz) || OPJ_IS_IMF(l_cp->rsiz)) {\n opj_j2k_update_tlm(p_j2k, l_part_tile_size);\n }\n\n ++p_j2k->m_specific_param.m_encoder.m_current_tile_part_number;\n }\n\n for (pino = 1; pino <= l_tcp->numpocs; ++pino) {\n l_tcd->cur_pino = pino;\n\n /*Get number of tile parts*/\n tot_num_tp = opj_j2k_get_num_tp(l_cp, pino, p_j2k->m_current_tile_number);\n for (tilepartno = 0; tilepartno < tot_num_tp ; ++tilepartno) {\n p_j2k->m_specific_param.m_encoder.m_current_poc_tile_part_number = tilepartno;\n l_current_nb_bytes_written = 0;\n l_part_tile_size = 0;\n l_begin_data = p_data;\n\n if (! opj_j2k_write_sot(p_j2k, p_data,\n total_data_size,\n &l_current_nb_bytes_written, p_stream,\n p_manager)) {\n return OPJ_FALSE;\n }\n\n l_nb_bytes_written += l_current_nb_bytes_written;\n p_data += l_current_nb_bytes_written;\n total_data_size -= l_current_nb_bytes_written;\n l_part_tile_size += l_current_nb_bytes_written;\n\n l_current_nb_bytes_written = 0;\n\n if (! 
opj_j2k_write_sod(p_j2k, l_tcd, p_data, &l_current_nb_bytes_written,\n total_data_size, p_stream, p_manager)) {\n return OPJ_FALSE;\n }\n\n l_nb_bytes_written += l_current_nb_bytes_written;\n p_data += l_current_nb_bytes_written;\n total_data_size -= l_current_nb_bytes_written;\n l_part_tile_size += l_current_nb_bytes_written;\n\n /* Writing Psot in SOT marker */\n opj_write_bytes(l_begin_data + 6, l_part_tile_size,\n 4); /* PSOT */\n\n if (OPJ_IS_CINEMA(l_cp->rsiz) || OPJ_IS_IMF(l_cp->rsiz)) {\n opj_j2k_update_tlm(p_j2k, l_part_tile_size);\n }\n\n ++p_j2k->m_specific_param.m_encoder.m_current_tile_part_number;\n }\n }\n\n *p_data_written = l_nb_bytes_written;\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 286162879540919584009235941892875730357, "size": 121, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357358 }, { "func": "const char* blosc_cbuffer_complib(const void* cbuffer) {\n uint8_t* _src = (uint8_t*)(cbuffer); /* current pos for source buffer */\n int clibcode;\n const char* complib;\n\n /* Read the compressor format/library info */\n clibcode = (_src[2] & 0xe0) >> 5;\n complib = clibcode_to_clibname(clibcode);\n return complib;\n}", "project": "c-blosc2", "hash": 881179951925049666762562416408946701, "size": 10, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303058 }, { "func": "static int evdev_flush(struct file *file, fl_owner_t id)\n{\n\tstruct evdev_client *client = file->private_data;\n\tstruct evdev *evdev = client->evdev;\n\tint retval;\n\n\tretval = mutex_lock_interruptible(&evdev->mutex);\n\tif (retval)\n\t\treturn retval;\n\n\tif (!evdev->exist)\n\t\tretval = -ENODEV;\n\telse\n\t\tretval = input_flush_device(&evdev->handle, 
file);\n\n\tmutex_unlock(&evdev->mutex);\n\treturn retval;\n}", "project": "linux", "hash": 53825190775318150400442733218785420873, "size": 18, "commit_id": "483180281f0ac60d1138710eb21f4b9961901294", "message": "Input: evdev - flush queues during EVIOCGKEY-like ioctls\n\nIf userspace requests current KEY-state, they very likely assume that no\nsuch events are pending in the output queue of the evdev device.\nOtherwise, they will parse events which they already handled via\nEVIOCGKEY(). For XKB applications this can cause irreversible keyboard\nstates if a modifier is locked multiple times because a CTRL-DOWN event is\nhandled once via EVIOCGKEY() and once from the queue via read(), even\nthough it should handle it only once.\n\nTherefore, lets do the only logical thing and flush the evdev queue\natomically during this ioctl. We only flush events that are affected by\nthe given ioctl.\n\nThis only affects boolean events like KEY, SND, SW and LED. ABS, REL and\nothers are not affected as duplicate events can be handled gracefully by\nuser-space.\n\nNote: This actually breaks semantics of the evdev ABI. However,\ninvestigations showed that userspace already expects the new semantics and\nwe end up fixing at least all XKB applications.\nAll applications that are aware of this race-condition mirror the KEY\nstate for each open-file and detect/drop duplicate events. Hence, they do\nnot care whether duplicates are posted or not and work fine with this fix.\n\nAlso note that we need proper locking to guarantee atomicity and avoid\ndead-locks. event_lock must be locked before queue_lock (see input-core).\nHowever, we can safely release event_lock while flushing the queue. 
This\nallows the input-core to proceed with pending events and only stop if it\nneeds our queue_lock to post new events.\nThis should guarantee that we don't block event-dispatching for too long\nwhile flushing a single event queue.\n\nSigned-off-by: David Herrmann \nAcked-by: Peter Hutterer \nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 381723 }, { "func": "static int island_try(int x, int y, int u, int v, int *run) {\n\tint n, m, ct;\n\n\tn = x + y * ntiles_x;\n\tm = u + v * ntiles_x;\n\n\tif (tile_has_diff[n]) {\n\t\t(*run)++;\n\t} else {\n\t\t*run = 0;\n\t}\n\n\tif (tile_has_diff[n] && ! tile_has_diff[m]) {\n\t\t/* found a discontinuity */\n\n\t\tif (tile_tried[m]) {\n\t\t\treturn 0;\n\t\t} else if (*run < grow_fill) {\n\t\t\treturn 0;\n\t\t}\n\n\t\tct = copy_tiles(u, v, 1);\n\t\tif (ct < 0) return ct;\t/* fatal */\n\t}\n\treturn 1;\n}", "project": "x11vnc", "hash": 28907144647543427513667234399596898016, "size": 26, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360786 }, { "func": "static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)\n{\n\tstruct nlattr *nest_secctx;\n\tint len, ret;\n\tchar *secctx;\n\n\tret = security_secid_to_secctx(ct->secmark, &secctx, &len);\n\tif (ret)\n\t\treturn 0;\n\n\tret = -1;\n\tnest_secctx = nla_nest_start(skb, CTA_SECCTX);\n\tif (!nest_secctx)\n\t\tgoto nla_put_failure;\n\n\tif (nla_put_string(skb, CTA_SECCTX_NAME, secctx))\n\t\tgoto nla_put_failure;\n\tnla_nest_end(skb, nest_secctx);\n\n\tret = 0;\nnla_put_failure:\n\tsecurity_release_secctx(secctx, len);\n\treturn ret;\n}", "project": "linux", "hash": 186439747205778937559486742337427020275, "size": 24, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. 
So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394172 }, { "func": "static void kiocb_end_write(struct io_kiocb *req)\n{\n\t/*\n\t * Tell lockdep we inherited freeze protection from submission\n\t * thread.\n\t */\n\tif (req->flags & REQ_F_ISREG) {\n\t\tstruct super_block *sb = file_inode(req->file)->i_sb;\n\n\t\t__sb_writers_acquired(sb, SB_FREEZE_WRITE);\n\t\tsb_end_write(sb);\n\t}\n}", "project": "linux", "hash": 315520559310571942698190111254323071758, "size": 13, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide 
buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338644 }, { "func": "void CSoundFile::ProcessMIDIMacro(CHANNELINDEX nChn, bool isSmooth, const char *macro, uint8 param, PLUGINDEX plugin)\n{\n\tModChannel &chn = m_PlayState.Chn[nChn];\n\tconst ModInstrument *pIns = GetNumInstruments() ? chn.pModInstrument : nullptr;\n\n\tuint8 out[MACRO_LENGTH];\n\tuint32 outPos = 0;\t// output buffer position, which also equals the number of complete bytes\n\tconst uint8 lastZxxParam = chn.lastZxxParam;\n\tbool firstNibble = true;\n\n\tfor(uint32 pos = 0; pos < (MACRO_LENGTH - 1) && macro[pos]; pos++)\n\t{\n\t\tbool isNibble = false;\t\t// did we parse a nibble or a byte value?\n\t\tuint8 data = 0;\t\t// data that has just been parsed\n\n\t\t// Parse next macro byte... 
See Impulse Tracker's MIDI.TXT for detailed information on each possible character.\n\t\tif(macro[pos] >= '0' && macro[pos] <= '9')\n\t\t{\n\t\t\tisNibble = true;\n\t\t\tdata = static_cast(macro[pos] - '0');\n\t\t}\n\t\telse if(macro[pos] >= 'A' && macro[pos] <= 'F')\n\t\t{\n\t\t\tisNibble = true;\n\t\t\tdata = static_cast(macro[pos] - 'A' + 0x0A);\n\t\t} else if(macro[pos] == 'c')\n\t\t{\n\t\t\t// MIDI channel\n\t\t\tisNibble = true;\n\t\t\tdata = GetBestMidiChannel(nChn);\n\t\t} else if(macro[pos] == 'n')\n\t\t{\n\t\t\t// Last triggered note\n\t\t\tif(ModCommand::IsNote(chn.nLastNote))\n\t\t\t{\n\t\t\t\tdata = chn.nLastNote - NOTE_MIN;\n\t\t\t}\n\t\t} else if(macro[pos] == 'v')\n\t\t{\n\t\t\t// Velocity\n\t\t\t// This is \"almost\" how IT does it - apparently, IT seems to lag one row behind on global volume or channel volume changes.\n\t\t\tconst int swing = (m_playBehaviour[kITSwingBehaviour] || m_playBehaviour[kMPTOldSwingBehaviour]) ? chn.nVolSwing : 0;\n\t\t\tconst int vol = Util::muldiv((chn.nVolume + swing) * m_PlayState.m_nGlobalVolume, chn.nGlobalVol * chn.nInsVol, 1 << 20);\n\t\t\tdata = static_cast(Clamp(vol / 2, 1, 127));\n\t\t\t//data = (unsigned char)MIN((chn.nVolume * chn.nGlobalVol * m_nGlobalVolume) >> (1 + 6 + 8), 127);\n\t\t} else if(macro[pos] == 'u')\n\t\t{\n\t\t\t// Calculated volume\n\t\t\t// Same note as with velocity applies here, but apparently also for instrument / sample volumes?\n\t\t\tconst int vol = Util::muldiv(chn.nCalcVolume * m_PlayState.m_nGlobalVolume, chn.nGlobalVol * chn.nInsVol, 1 << 26);\n\t\t\tdata = static_cast(Clamp(vol / 2, 1, 127));\n\t\t\t//data = (unsigned char)MIN((chn.nCalcVolume * chn.nGlobalVol * m_nGlobalVolume) >> (7 + 6 + 8), 127);\n\t\t} else if(macro[pos] == 'x')\n\t\t{\n\t\t\t// Pan set\n\t\t\tdata = static_cast(std::min(chn.nPan / 2, 127));\n\t\t} else if(macro[pos] == 'y')\n\t\t{\n\t\t\t// Calculated pan\n\t\t\tdata = static_cast(std::min(chn.nRealPan / 2, 127));\n\t\t} else if(macro[pos] == 
'a')\n\t\t{\n\t\t\t// High byte of bank select\n\t\t\tif(pIns && pIns->wMidiBank)\n\t\t\t{\n\t\t\t\tdata = static_cast(((pIns->wMidiBank - 1) >> 7) & 0x7F);\n\t\t\t}\n\t\t} else if(macro[pos] == 'b')\n\t\t{\n\t\t\t// Low byte of bank select\n\t\t\tif(pIns && pIns->wMidiBank)\n\t\t\t{\n\t\t\t\tdata = static_cast((pIns->wMidiBank - 1) & 0x7F);\n\t\t\t}\n\t\t} else if(macro[pos] == 'o')\n\t\t{\n\t\t\t// Offset (ignoring high offset)\n\t\t\tdata = static_cast((chn.oldOffset >> 8) & 0xFF);\n\t\t} else if(macro[pos] == 'h')\n\t\t{\n\t\t\t// Host channel number\n\t\t\tdata = static_cast((nChn >= GetNumChannels() ? (chn.nMasterChn - 1) : nChn) & 0x7F);\n\t\t} else if(macro[pos] == 'm')\n\t\t{\n\t\t\t// Loop direction (judging from the character, it was supposed to be loop type, though)\n\t\t\tdata = chn.dwFlags[CHN_PINGPONGFLAG] ? 1 : 0;\n\t\t} else if(macro[pos] == 'p')\n\t\t{\n\t\t\t// Program select\n\t\t\tif(pIns && pIns->nMidiProgram)\n\t\t\t{\n\t\t\t\tdata = static_cast((pIns->nMidiProgram - 1) & 0x7F);\n\t\t\t}\n\t\t} else if(macro[pos] == 'z')\n\t\t{\n\t\t\t// Zxx parameter\n\t\t\tdata = param & 0x7F;\n\t\t\tif(isSmooth && chn.lastZxxParam < 0x80\n\t\t\t\t&& (outPos < 3 || out[outPos - 3] != 0xF0 || out[outPos - 2] < 0xF0))\n\t\t\t{\n\t\t\t\t// Interpolation for external MIDI messages - interpolation for internal messages\n\t\t\t\t// is handled separately to allow for more than 7-bit granularity where it's possible\n\t\t\t\tdata = static_cast(CalculateSmoothParamChange((float)lastZxxParam, (float)data));\n\t\t\t}\n\t\t\tchn.lastZxxParam = data;\n\t\t} else if(macro[pos] == 's')\n\t\t{\n\t\t\t// SysEx Checksum (not an original Impulse Tracker macro variable, but added for convenience)\n\t\t\tuint32 startPos = outPos;\n\t\t\twhile(startPos > 0 && out[--startPos] != 0xF0);\n\t\t\tif(outPos - startPos < 5 || out[startPos] != 0xF0)\n\t\t\t{\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tfor(uint32 p = startPos + 5; p != outPos; p++)\n\t\t\t{\n\t\t\t\tdata += 
out[p];\n\t\t\t}\n\t\t\tdata = (~data + 1) & 0x7F;\n\t\t} else\n\t\t{\n\t\t\t// Unrecognized byte (e.g. space char)\n\t\t\tcontinue;\n\t\t}\n\n\t\t// Append parsed data\n\t\tif(isNibble)\t// parsed a nibble (constant or 'c' variable)\n\t\t{\n\t\t\tif(firstNibble)\n\t\t\t{\n\t\t\t\tout[outPos] = data;\n\t\t\t} else\n\t\t\t{\n\t\t\t\tout[outPos] = (out[outPos] << 4) | data;\n\t\t\t\toutPos++;\n\t\t\t}\n\t\t\tfirstNibble = !firstNibble;\n\t\t} else\t\t\t// parsed a byte (variable)\n\t\t{\n\t\t\tif(!firstNibble)\t// From MIDI.TXT: '9n' is exactly the same as '09 n' or '9 n' -- so finish current byte first\n\t\t\t{\n\t\t\t\toutPos++;\n\t\t\t}\n\t\t\tout[outPos++] = data;\n\t\t\tfirstNibble = true;\n\t\t}\n\t}\n\tif(!firstNibble)\n\t{\n\t\t// Finish current byte\n\t\toutPos++;\n\t}\n\n\t// Macro string has been parsed and translated, now send the message(s)...\n\tuint32 sendPos = 0;\n\tuint8 runningStatus = 0;\n\twhile(sendPos < outPos)\n\t{\n\t\tuint32 sendLen = 0;\n\t\tif(out[sendPos] == 0xF0)\n\t\t{\n\t\t\t// SysEx start\n\t\t\tif((outPos - sendPos >= 4) && (out[sendPos + 1] == 0xF0 || out[sendPos + 1] == 0xF1))\n\t\t\t{\n\t\t\t\t// Internal macro (normal (F0F0) or extended (F0F1)), 4 bytes long\n\t\t\t\tsendLen = 4;\n\t\t\t} else\n\t\t\t{\n\t\t\t\t// SysEx message, find end of message\n\t\t\t\tfor(uint32 i = sendPos + 1; i < outPos; i++)\n\t\t\t\t{\n\t\t\t\t\tif(out[i] == 0xF7)\n\t\t\t\t\t{\n\t\t\t\t\t\t// Found end of SysEx message\n\t\t\t\t\t\tsendLen = i - sendPos + 1;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif(sendLen == 0)\n\t\t\t\t{\n\t\t\t\t\t// Didn't find end, so \"invent\" end of SysEx message\n\t\t\t\t\tout[outPos++] = 0xF7;\n\t\t\t\t\tsendLen = outPos - sendPos;\n\t\t\t\t}\n\t\t\t}\n\t\t} else if(!(out[sendPos] & 0x80))\n\t\t{\n\t\t\t// Missing status byte? 
Try inserting running status\n\t\t\tif(runningStatus != 0)\n\t\t\t{\n\t\t\t\tsendPos--;\n\t\t\t\tout[sendPos] = runningStatus;\n\t\t\t} else\n\t\t\t{\n\t\t\t\t// No running status to re-use; skip this byte\n\t\t\t\tsendPos++;\n\t\t\t}\n\t\t\tcontinue;\n\t\t} else\n\t\t{\n\t\t\t// Other MIDI messages\n\t\t\tsendLen = std::min(MIDIEvents::GetEventLength(out[sendPos]), outPos - sendPos);\n\t\t}\n\n\t\tif(sendLen == 0)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\tif(out[sendPos] < 0xF0)\n\t\t{\n\t\t\trunningStatus = out[sendPos];\n\t\t}\n\t\tuint32 bytesSent = SendMIDIData(nChn, isSmooth, out + sendPos, sendLen, plugin);\n\t\t// If there's no error in the macro data (e.g. unrecognized internal MIDI macro), we have sendLen == bytesSent.\n\t\tif(bytesSent > 0)\n\t\t{\n\t\t\tsendPos += bytesSent;\n\t\t} else\n\t\t{\n\t\t\tsendPos += sendLen;\n\t\t}\n\t}\n}", "project": "openmpt", "hash": 313091409955790929697348185865858579525, "size": 224, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255237 }, { "func": "static inline int tcp_head_timedout(const struct sock *sk)\n{\n\tconst struct tcp_sock *tp = tcp_sk(sk);\n\n\treturn tp->packets_out &&\n\t tcp_skb_timedout(sk, tcp_write_queue_head(sk));\n}", "project": "net-next", "hash": 319565740740786301765990352409645677344, "size": 7, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409876 }, { "func": "static inline struct sk_buff *tcp_write_queue_tail(const struct sock *sk)\n{\n\treturn skb_peek_tail(&sk->sk_write_queue);\n}", "project": "linux", "hash": 35154135688662885284159187727217273209, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410787 }, { "func": "static size_t mask_bitmap4(const __u32 *bitmap, const __u32 *mask,\n\t\t__u32 *res, size_t len)\n{\n\tsize_t i;\n\t__u32 tmp;\n\n\twhile (len > 0 && (bitmap[len-1] == 0 || mask[len-1] == 0))\n\t\tlen--;\n\tfor (i = len; i-- > 0;) {\n\t\ttmp = bitmap[i] & mask[i];\n\t\tres[i] = tmp;\n\t}\n\treturn len;\n}", "project": "linux", "hash": 157398576798873843893926254220256674771, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431182 }, { "func": "static void ovfx2_i2c_w(struct sd *sd, u8 reg, u8 value)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint ret;\n\n\tif (sd->gspca_dev.usb_err < 0)\n\t\treturn;\n\n\tret = usb_control_msg(sd->gspca_dev.dev,\n\t\t\tusb_sndctrlpipe(sd->gspca_dev.dev, 0),\n\t\t\t0x02,\n\t\t\tUSB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,\n\t\t\t(u16) value, (u16) reg, NULL, 0, 500);\n\n\tif (ret < 0) {\n\t\tgspca_err(gspca_dev, \"ovfx2_i2c_w %02x failed %d\\n\", reg, ret);\n\t\tsd->gspca_dev.usb_err = ret;\n\t}\n\n\tgspca_dbg(gspca_dev, D_USBO, \"ovfx2_i2c_w %02x %02x\\n\", reg, value);\n}", "project": "linux", "hash": 148317293758195044725932092797794853979, "size": 21, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up 
altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306341 }, { "func": "static void avic_vcpu_put(struct kvm_vcpu *vcpu)\n{\n\tu64 entry;\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (!kvm_vcpu_apicv_active(vcpu))\n\t\treturn;\n\n\tentry = READ_ONCE(*(svm->avic_physical_id_cache));\n\tif (entry & AVIC_PHYSICAL_ID_ENTRY_IS_RUNNING_MASK)\n\t\tavic_update_iommu_vcpu_affinity(vcpu, -1, 0);\n\n\tentry &= ~AVIC_PHYSICAL_ID_ENTRY_IS_RUNNING_MASK;\n\tWRITE_ONCE(*(svm->avic_physical_id_cache), entry);\n}", "project": "linux", "hash": 275786450144915541847620304299253694014, "size": 15, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432542 }, { "func": "static int alloc_loc_track(struct loc_track *t, unsigned long max, gfp_t flags)\n{\n\tstruct location *l;\n\tint order;\n\n\torder = get_order(sizeof(struct location) * max);\n\n\tl = (void *)__get_free_pages(flags, order);\n\tif (!l)\n\t\treturn 0;\n\n\tif (t->count) {\n\t\tmemcpy(l, t->loc, sizeof(struct location) * t->count);\n\t\tfree_loc_track(t);\n\t}\n\tt->max = max;\n\tt->loc = l;\n\treturn 1;\n}", "project": "linux", "hash": 78617252280596201822750561807513501743, "size": 19, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280087 }, { "func": "void tty_vhangup_session(struct tty_struct *tty)\n{\n\ttty_debug_hangup(tty, \"session hangup\\n\");\n\t__tty_hangup(tty, 1);\n}", "project": "linux", "hash": 20014117925804969258585943517647621774, "size": 5, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326046 }, { "func": "static void tcp_ofo_queue(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\t__u32 dsack_high = tp->rcv_nxt;\n\tstruct sk_buff *skb;\n\n\twhile ((skb = skb_peek(&tp->out_of_order_queue)) != NULL) {\n\t\tif (after(TCP_SKB_CB(skb)->seq, tp->rcv_nxt))\n\t\t\tbreak;\n\n\t\tif (before(TCP_SKB_CB(skb)->seq, dsack_high)) {\n\t\t\t__u32 dsack = dsack_high;\n\t\t\tif (before(TCP_SKB_CB(skb)->end_seq, dsack_high))\n\t\t\t\tdsack_high = TCP_SKB_CB(skb)->end_seq;\n\t\t\ttcp_dsack_extend(sk, TCP_SKB_CB(skb)->seq, dsack);\n\t\t}\n\n\t\tif (!after(TCP_SKB_CB(skb)->end_seq, tp->rcv_nxt)) {\n\t\t\tSOCK_DEBUG(sk, \"ofo packet was already received\\n\");\n\t\t\t__skb_unlink(skb, &tp->out_of_order_queue);\n\t\t\t__kfree_skb(skb);\n\t\t\tcontinue;\n\t\t}\n\t\tSOCK_DEBUG(sk, \"ofo requeuing : rcv_next %X seq %X - %X\\n\",\n\t\t\t tp->rcv_nxt, TCP_SKB_CB(skb)->seq,\n\t\t\t TCP_SKB_CB(skb)->end_seq);\n\n\t\t__skb_unlink(skb, &tp->out_of_order_queue);\n\t\t__skb_queue_tail(&sk->sk_receive_queue, skb);\n\t\ttp->rcv_nxt = TCP_SKB_CB(skb)->end_seq;\n\t\tif (tcp_hdr(skb)->fin)\n\t\t\ttcp_fin(sk);\n\t}\n}", "project": "net-next", "hash": 211822982518987261812064170372273476974, "size": 
34, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409865 }, { "func": "static int lookup_umount_fs(struct libmnt_context *cxt)\n{\n\tconst char *tgt;\n\tint rc = 0;\n\n\tassert(cxt);\n\tassert(cxt->fs);\n\n\tDBG(CXT, ul_debugobj(cxt, \"umount: lookup FS\"));\n\n\ttgt = mnt_fs_get_target(cxt->fs);\n\tif (!tgt) {\n\t\tDBG(CXT, ul_debugobj(cxt, \" undefined target\"));\n\t\treturn -EINVAL;\n\t}\n\n\t/* try get fs type by statfs() */\n\trc = lookup_umount_fs_by_statfs(cxt, tgt);\n\tif (rc <= 0)\n\t\treturn rc;\n\n\t/* get complete fs from fs entry from mountinfo */\n\trc = lookup_umount_fs_by_mountinfo(cxt, tgt);\n\tif (rc <= 0)\n\t\treturn rc;\n\n\tDBG(CXT, ul_debugobj(cxt, \" cannot find '%s'\", tgt));\n\treturn 0;\t/* this is correct! */\n}", "project": "util-linux", "hash": 228378783451965507560857284924449799915, "size": 29, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410439 }, { "func": "ExecutionStatus Interpreter::casePutOwnByVal(\n Runtime *runtime,\n PinnedHermesValue *frameRegs,\n const Inst *ip) {\n return JSObject::defineOwnComputed(\n Handle::vmcast(&O1REG(PutOwnByVal)),\n runtime,\n Handle<>(&O3REG(PutOwnByVal)),\n ip->iPutOwnByVal.op4\n ? 
DefinePropertyFlags::getDefaultNewPropertyFlags()\n : DefinePropertyFlags::getNewNonEnumerableFlags(),\n Handle<>(&O2REG(PutOwnByVal)))\n .getStatus();\n}", "project": "hermes", "hash": 194322238562118201742816748868017519408, "size": 14, "commit_id": "b2021df620824627f5a8c96615edbd1eb7fdddfc", "message": "Fix CVE-2020-1914 by using NEXTINST for SaveGeneratorLong\n\nSummary:\nIf `SaveGeneratorLong` was emitted, it would accidentally jump to the\nwrong next instruction, based on how long SaveGenerator was.\n\nMake a callout function to handle the common case, and handle the dispatch\nwithin each case of the interpreter loop.\n\nFixes CVE-2020-1914\n\nReviewed By: neildhar\n\nDifferential Revision: D24024242\n\nfbshipit-source-id: 3bcb88daa740f0d50e91771a49eb212551ce8bd8", "target": 0, "dataset": "other", "idx": 295515 }, { "project": "phosphor-host-ipmid", "commit_id": "b265455a2518ece7c004b43c144199ec980fc620", "target": 0, "func": "int PasswdMgr::readPasswdFileData(std::vector& outBytes)\n{\n std::array keyBuff;\n std::ifstream keyFile(encryptKeyFileName, std::ios::in | std::ios::binary);\n if (!keyFile.is_open())\n {\n log(\"Error in opening encryption key file\");\n return -EIO;\n }\n keyFile.read(reinterpret_cast(keyBuff.data()), keyBuff.size());\n if (keyFile.fail())\n {\n log(\"Error in reading encryption key file\");\n return -EIO;\n }\n\n std::ifstream passwdFile(passwdFileName, std::ios::in | std::ios::binary);\n if (!passwdFile.is_open())\n {\n log(\"Error in opening ipmi password file\");\n return -EIO;\n }\n\n // calculate file size and read the data\n passwdFile.seekg(0, std::ios::end);\n ssize_t fileSize = passwdFile.tellg();\n passwdFile.seekg(0, std::ios::beg);\n std::vector input(fileSize);\n passwdFile.read(reinterpret_cast(input.data()), fileSize);\n if (passwdFile.fail())\n {\n log(\"Error in reading encryption key file\");\n return -EIO;\n }\n\n // verify the signature first\n MetaPassStruct* metaData = reinterpret_cast(input.data());\n if 
(std::strncmp(metaData->signature, META_PASSWD_SIG,\n sizeof(metaData->signature)))\n {\n log(\"Error signature mismatch in password file\");\n return -EBADMSG;\n }\n\n size_t inBytesLen = metaData->dataSize + metaData->padSize;\n // If data is empty i.e no password map then return success\n if (inBytesLen == 0)\n {\n log(\"Empty password file\");\n return 0;\n }\n\n // compute the key needed to decrypt\n std::array key;\n auto keyLen = key.size();\n if (NULL == HMAC(EVP_sha256(), keyBuff.data(), keyBuff.size(),\n input.data() + sizeof(*metaData), metaData->hashSize,\n key.data(), reinterpret_cast(&keyLen)))\n {\n log(\"Failed to create MAC for authentication\");\n return -EIO;\n }\n\n // decrypt the data\n uint8_t* iv = input.data() + sizeof(*metaData) + metaData->hashSize;\n size_t ivLen = metaData->ivSize;\n uint8_t* inBytes = iv + ivLen;\n uint8_t* mac = inBytes + inBytesLen;\n size_t macLen = metaData->macSize;\n\n size_t outBytesLen = 0;\n // Resize to actual data size\n outBytes.resize(inBytesLen + EVP_MAX_BLOCK_LENGTH);\n if (encryptDecryptData(false, EVP_aes_128_cbc(), key.data(), keyLen, iv,\n ivLen, inBytes, inBytesLen, mac, &macLen,\n outBytes.data(), &outBytesLen) != 0)\n {\n log(\"Error in decryption\");\n return -EIO;\n }\n // Resize the vector to outBytesLen\n outBytes.resize(outBytesLen);\n\n OPENSSL_cleanse(key.data(), keyLen);\n OPENSSL_cleanse(iv, ivLen);\n\n return 0;\n}", "idx": 519582, "cwe": "CWE-276", "hash": 226323164026415007449549684312522638096, "dataset": "other" }, { "func": "static int process_head_file_extra(struct archive_read* a,\n struct archive_entry* e, struct rar5* rar, ssize_t extra_data_size)\n{\n\tsize_t extra_field_size;\n\tsize_t extra_field_id = 0;\n\tint ret = ARCHIVE_FATAL;\n\tsize_t var_size;\n\n\twhile(extra_data_size > 0) {\n\t\tif(!read_var_sized(a, &extra_field_size, &var_size))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\textra_data_size -= var_size;\n\t\tif(ARCHIVE_OK != consume(a, var_size)) {\n\t\t\treturn 
ARCHIVE_EOF;\n\t\t}\n\n\t\tif(!read_var_sized(a, &extra_field_id, &var_size))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\textra_data_size -= var_size;\n\t\tif(ARCHIVE_OK != consume(a, var_size)) {\n\t\t\treturn ARCHIVE_EOF;\n\t\t}\n\n\t\tswitch(extra_field_id) {\n\t\t\tcase EX_HASH:\n\t\t\t\tret = parse_file_extra_hash(a, rar,\n\t\t\t\t &extra_data_size);\n\t\t\t\tbreak;\n\t\t\tcase EX_HTIME:\n\t\t\t\tret = parse_file_extra_htime(a, e, rar,\n\t\t\t\t &extra_data_size);\n\t\t\t\tbreak;\n\t\t\tcase EX_REDIR:\n\t\t\t\tret = parse_file_extra_redir(a, e, rar,\n\t\t\t\t &extra_data_size);\n\t\t\t\tbreak;\n\t\t\tcase EX_UOWNER:\n\t\t\t\tret = parse_file_extra_owner(a, e,\n\t\t\t\t &extra_data_size);\n\t\t\t\tbreak;\n\t\t\tcase EX_VERSION:\n\t\t\t\tret = parse_file_extra_version(a, e,\n\t\t\t\t &extra_data_size);\n\t\t\t\tbreak;\n\t\t\tcase EX_CRYPT:\n\t\t\t\t/* fallthrough */\n\t\t\tcase EX_SUBDATA:\n\t\t\t\t/* fallthrough */\n\t\t\tdefault:\n\t\t\t\t/* Skip unsupported entry. */\n\t\t\t\treturn consume(a, extra_data_size);\n\t\t}\n\t}\n\n\tif(ret != ARCHIVE_OK) {\n\t\t/* Attribute not implemented. */\n\t\treturn ret;\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 77474418296614789271069966822248287256, "size": 63, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244783 }, { "func": "static ALWAYS_INLINE void do_var_dump(VariableSerializer& vs,\n const Variant& expression) {\n // manipulate maxCount to match PHP behavior\n if (!expression.isObject()) {\n vs.incMaxCount();\n }\n vs.serialize(expression, false);\n}", "project": "hhvm", "hash": 338424950894441180623912591329890041858, "size": 8, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219121 }, { "func": "static inline bool legacy_queue(struct sigpending *signals, int sig)\n{\n\treturn (sig < SIGRTMIN) && sigismember(&signals->signal, sig);\n}", "project": "linux", "hash": 195565761627822444943192700654516428039, "size": 4, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375306 }, { "func": "String stringForEachBuffered(uint32_t bufLen, const String& str, Op action) {\n StringBuffer sb(bufLen);\n auto sl = str.slice();\n const char* src = sl.begin();\n const char* end = sl.end();\n\n for (; src < end; ++src) {\n action(sb, src, end);\n }\n\n return sb.detach();\n}", "project": "hhvm", "hash": 84397717121000955625899009827102073063, "size": 12, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219646 }, { "func": "static int count_ah_combs(const struct xfrm_tmpl *t)\n{\n\tint i, sz = 0;\n\n\tfor (i = 0; ; i++) {\n\t\tconst struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(i);\n\t\tif (!aalg)\n\t\t\tbreak;\n\t\tif (!aalg->pfkey_supported)\n\t\t\tcontinue;\n\t\tif (aalg_tmpl_set(t, aalg))\n\t\t\tsz += sizeof(struct sadb_comb);\n\t}\n\treturn sz + sizeof(struct sadb_prop);\n}", "project": "linux", "hash": 172255628053880331443477981427671961812, "size": 15, 
"commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268053 }, { "func": "static uint8_t pfkey_proto_to_xfrm(uint8_t proto)\n{\n\treturn proto == IPSEC_PROTO_ANY ? 0 : proto;\n}", "project": "linux", "hash": 323176423020804538029486173526546804131, "size": 4, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268000 }, { "func": "static int simple_io(\n\tstruct usbtest_dev\t*tdev,\n\tstruct urb\t\t*urb,\n\tint\t\t\titerations,\n\tint\t\t\tvary,\n\tint\t\t\texpected,\n\tconst char\t\t*label\n)\n{\n\tstruct usb_device\t*udev = urb->dev;\n\tint\t\t\tmax = urb->transfer_buffer_length;\n\tstruct completion\tcompletion;\n\tint\t\t\tretval = 0;\n\tunsigned long\t\texpire;\n\n\turb->context = &completion;\n\twhile (retval == 0 && iterations-- > 0) {\n\t\tinit_completion(&completion);\n\t\tif (usb_pipeout(urb->pipe)) {\n\t\t\tsimple_fill_buf(urb);\n\t\t\turb->transfer_flags |= URB_ZERO_PACKET;\n\t\t}\n\t\tretval = usb_submit_urb(urb, GFP_KERNEL);\n\t\tif (retval != 0)\n\t\t\tbreak;\n\n\t\texpire = msecs_to_jiffies(SIMPLE_IO_TIMEOUT);\n\t\tif (!wait_for_completion_timeout(&completion, expire)) {\n\t\t\tusb_kill_urb(urb);\n\t\t\tretval = (urb->status == -ENOENT ?\n\t\t\t\t -ETIMEDOUT : urb->status);\n\t\t} else {\n\t\t\tretval = urb->status;\n\t\t}\n\n\t\turb->dev = udev;\n\t\tif (retval == 0 && usb_pipein(urb->pipe))\n\t\t\tretval = simple_check_buf(tdev, urb);\n\n\t\tif (vary) {\n\t\t\tint\tlen = urb->transfer_buffer_length;\n\n\t\t\tlen += vary;\n\t\t\tlen %= max;\n\t\t\tif (len == 0)\n\t\t\t\tlen = (vary < max) ? 
vary : max;\n\t\t\turb->transfer_buffer_length = len;\n\t\t}\n\n\t\t/* FIXME if endpoint halted, clear halt (and log) */\n\t}\n\turb->transfer_buffer_length = max;\n\n\tif (expected != retval)\n\t\tdev_err(&udev->dev,\n\t\t\t\"%s failed, iterations left %d, status %d (not %d)\\n\",\n\t\t\t\tlabel, iterations, retval, expected);\n\treturn retval;\n}", "project": "linux", "hash": 40720846083602436132275784841419702538, "size": 59, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n 
[<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412241 }, { "func": "\nstatic bool io_alloc_file_tables(struct io_file_table *table, unsigned nr_files)\n{\n\tunsigned i, nr_tables = DIV_ROUND_UP(nr_files, IORING_MAX_FILES_TABLE);\n\n\ttable->files = kcalloc(nr_tables, sizeof(*table->files), GFP_KERNEL);\n\tif (!table->files)\n\t\treturn false;\n\n\tfor (i = 0; i < nr_tables; i++) {\n\t\tunsigned int this_files = min(nr_files, IORING_MAX_FILES_TABLE);\n\n\t\ttable->files[i] = kcalloc(this_files, sizeof(*table->files[i]),\n\t\t\t\t\tGFP_KERNEL);\n\t\tif (!table->files[i])\n\t\t\tbreak;\n\t\tnr_files -= this_files;\n\t}\n\n\tif (i == nr_tables)\n\t\treturn true;\n\n\tio_free_file_tables(table, nr_tables * IORING_MAX_FILES_TABLE);\n\treturn false;", "project": "linux", "hash": 213626060650877538306964405226709813981, "size": 24, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338580 }, { "func": "void kmem_cache_free(struct kmem_cache *s, void *x)\n{\n\ts = cache_from_obj(s, x);\n\tif (!s)\n\t\treturn;\n\tslab_free(s, virt_to_head_page(x), x, NULL, 1, _RET_IP_);\n\ttrace_kmem_cache_free(_RET_IP_, x);\n}", "project": "linux", "hash": 45239214892664937220140683488315718321, "size": 8, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280116 }, { "func": "static struct sp_node *sp_alloc(unsigned long start, unsigned long end,\n\t\t\t\tstruct mempolicy *pol)\n{\n\tstruct sp_node *n;\n\tstruct mempolicy *newpol;\n\n\tn = kmem_cache_alloc(sn_cache, GFP_KERNEL);\n\tif (!n)\n\t\treturn NULL;\n\n\tnewpol = mpol_dup(pol);\n\tif (IS_ERR(newpol)) {\n\t\tkmem_cache_free(sn_cache, n);\n\t\treturn NULL;\n\t}\n\tnewpol->flags |= MPOL_F_SHARED;\n\tsp_node_init(n, start, end, newpol);\n\n\treturn n;\n}", "project": "linux", "hash": 199674960195210095104079786481482663878, "size": 20, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366768 }, { "func": "static inline int d_revalidate(struct dentry *dentry, unsigned int flags)\n{\n\tif (unlikely(dentry->d_flags & DCACHE_OP_REVALIDATE))\n\t\treturn dentry->d_op->d_revalidate(dentry, flags);\n\telse\n\t\treturn 1;\n}", "project": "linux", "hash": 334584715284586635435309292205413315077, "size": 7, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295375 }, { "func": "static void nfs4_xdr_enc_open_downgrade(struct rpc_rqst *req,\n\t\t\t\t\tstruct xdr_stream *xdr,\n\t\t\t\t\tconst void *data)\n{\n\tconst struct nfs_closeargs *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tif (args->lr_args)\n\t\tencode_layoutreturn(xdr, args->lr_args, &hdr);\n\tencode_open_downgrade(xdr, args, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 
171919873347701071885120281937504657859, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431509 }, { "func": "void LanLinkProvider::onStart()\n{\n const QHostAddress bindAddress = m_testMode? QHostAddress::LocalHost : QHostAddress::Any;\n\n bool success = m_udpSocket.bind(bindAddress, m_udpListenPort, QUdpSocket::ShareAddress);\n if (!success) {\n QAbstractSocket::SocketError sockErr = m_udpSocket.error();\n // Refer to https://doc.qt.io/qt-5/qabstractsocket.html#SocketError-enum to decode socket error number\n QString errorMessage = QString::fromLatin1(QMetaEnum::fromType().valueToKey(sockErr));\n qCritical(KDECONNECT_CORE)\n << QLatin1String(\"Failed to bind UDP socket on port\")\n << m_udpListenPort\n << QLatin1String(\"with error\")\n << errorMessage;\n }\n Q_ASSERT(success);\n\n m_tcpPort = MIN_TCP_PORT;\n while (!m_server->listen(bindAddress, m_tcpPort)) {\n m_tcpPort++;\n if (m_tcpPort > MAX_TCP_PORT) { //No ports available?\n qCritical(KDECONNECT_CORE) << \"Error opening a port in range\" << MIN_TCP_PORT << \"-\" << MAX_TCP_PORT;\n m_tcpPort = 0;\n return;\n }\n }\n\n onNetworkChange();\n qCDebug(KDECONNECT_CORE) << \"LanLinkProvider started\";\n}", "project": "kdeconnect-kde", "hash": 52494414114513056408806531329344860224, "size": 30, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227353 }, { "func": "static void encode_uint64(struct xdr_stream *xdr, u64 
n)\n{\n\tWARN_ON_ONCE(xdr_stream_encode_u64(xdr, n) < 0);\n}", "project": "linux", "hash": 176914102724287624561573574662597718208, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430999 }, { "func": "static int write_compression_header(blosc2_context* context,\n bool extended_header) {\n int32_t compformat;\n int dont_split;\n int dict_training = context->use_dict && (context->dict_cdict == NULL);\n\n // Set the whole header to zeros so that the reserved values are zeroed\n if (extended_header) {\n memset(context->dest, 0, BLOSC_EXTENDED_HEADER_LENGTH);\n }\n else {\n memset(context->dest, 0, BLOSC_MIN_HEADER_LENGTH);\n }\n\n /* Write version header for this block */\n context->dest[0] = BLOSC_VERSION_FORMAT;\n\n /* Write compressor format */\n compformat = -1;\n switch (context->compcode) {\n case BLOSC_BLOSCLZ:\n compformat = BLOSC_BLOSCLZ_FORMAT;\n context->dest[1] = BLOSC_BLOSCLZ_VERSION_FORMAT;\n break;\n\n#if defined(HAVE_LZ4)\n case BLOSC_LZ4:\n compformat = BLOSC_LZ4_FORMAT;\n context->dest[1] = BLOSC_LZ4_VERSION_FORMAT;\n break;\n case BLOSC_LZ4HC:\n compformat = BLOSC_LZ4HC_FORMAT;\n context->dest[1] = BLOSC_LZ4HC_VERSION_FORMAT;\n break;\n#endif /* HAVE_LZ4 */\n\n#if defined(HAVE_LIZARD)\n case BLOSC_LIZARD:\n compformat = BLOSC_LIZARD_FORMAT;\n context->dest[1] = BLOSC_LIZARD_VERSION_FORMAT;\n break;\n#endif /* HAVE_LIZARD */\n\n#if defined(HAVE_SNAPPY)\n case BLOSC_SNAPPY:\n compformat = BLOSC_SNAPPY_FORMAT;\n context->dest[1] = BLOSC_SNAPPY_VERSION_FORMAT;\n break;\n#endif /* HAVE_SNAPPY */\n\n#if 
defined(HAVE_ZLIB)\n case BLOSC_ZLIB:\n compformat = BLOSC_ZLIB_FORMAT;\n context->dest[1] = BLOSC_ZLIB_VERSION_FORMAT;\n break;\n#endif /* HAVE_ZLIB */\n\n#if defined(HAVE_ZSTD)\n case BLOSC_ZSTD:\n compformat = BLOSC_ZSTD_FORMAT;\n context->dest[1] = BLOSC_ZSTD_VERSION_FORMAT;\n break;\n#endif /* HAVE_ZSTD */\n\n default: {\n const char* compname;\n compname = clibcode_to_clibname(compformat);\n fprintf(stderr, \"Blosc has not been compiled with '%s' \", compname);\n fprintf(stderr, \"compression support. Please use one having it.\");\n return -5; /* signals no compression support */\n break;\n }\n }\n\n if (context->clevel == 0) {\n /* Compression level 0 means buffer to be memcpy'ed */\n context->header_flags |= (uint8_t)BLOSC_MEMCPYED;\n }\n\n if (context->sourcesize < BLOSC_MIN_BUFFERSIZE) {\n /* Buffer is too small. Try memcpy'ing. */\n context->header_flags |= (uint8_t)BLOSC_MEMCPYED;\n }\n bool memcpyed = context->header_flags & (uint8_t)BLOSC_MEMCPYED;\n\n context->dest[2] = 0; /* zeroes flags */\n context->dest[3] = (uint8_t)context->typesize;\n _sw32(context->dest + 4, (int32_t)context->sourcesize);\n _sw32(context->dest + 8, (int32_t)context->blocksize);\n if (extended_header) {\n /* Mark that we are handling an extended header */\n context->header_flags |= (BLOSC_DOSHUFFLE | BLOSC_DOBITSHUFFLE);\n /* Store filter pipeline info at the end of the header */\n uint8_t *filters = context->dest + BLOSC_MIN_HEADER_LENGTH;\n uint8_t *filters_meta = filters + 8;\n for (int i = 0; i < BLOSC2_MAX_FILTERS; i++) {\n filters[i] = context->filters[i];\n filters_meta[i] = context->filters_meta[i];\n }\n uint8_t* blosc2_flags = context->dest + 0x1F;\n *blosc2_flags = 0; // zeroes flags\n *blosc2_flags |= is_little_endian() ? 
0 : BLOSC2_BIGENDIAN; // endianness\n if (dict_training || memcpyed) {\n context->bstarts = NULL;\n context->output_bytes = BLOSC_EXTENDED_HEADER_LENGTH;\n } else {\n context->bstarts = (int32_t*)(context->dest + BLOSC_EXTENDED_HEADER_LENGTH);\n context->output_bytes = BLOSC_EXTENDED_HEADER_LENGTH +\n sizeof(int32_t) * context->nblocks;\n }\n if (context->use_dict) {\n *blosc2_flags |= BLOSC2_USEDICT;\n }\n } else {\n // Regular header\n if (memcpyed) {\n context->bstarts = NULL;\n context->output_bytes = BLOSC_MIN_HEADER_LENGTH;\n } else {\n context->bstarts = (int32_t *) (context->dest + BLOSC_MIN_HEADER_LENGTH);\n context->output_bytes = BLOSC_MIN_HEADER_LENGTH +\n sizeof(int32_t) * context->nblocks;\n }\n }\n\n // when memcpyed bit is set, there is no point in dealing with others\n if (!memcpyed) {\n if (context->filter_flags & BLOSC_DOSHUFFLE) {\n /* Byte-shuffle is active */\n context->header_flags |= BLOSC_DOSHUFFLE;\n }\n\n if (context->filter_flags & BLOSC_DOBITSHUFFLE) {\n /* Bit-shuffle is active */\n context->header_flags |= BLOSC_DOBITSHUFFLE;\n }\n\n if (context->filter_flags & BLOSC_DODELTA) {\n /* Delta is active */\n context->header_flags |= BLOSC_DODELTA;\n }\n\n dont_split = !split_block(context, context->typesize,\n context->blocksize, extended_header);\n context->header_flags |= dont_split << 4; /* dont_split is in bit 4 */\n context->header_flags |= compformat << 5; /* codec starts at bit 5 */\n }\n\n // store header flags in dest\n context->dest[2] = context->header_flags;\n\n return 1;\n}", "project": "c-blosc2", "hash": 201856728996569797207716119588598363886, "size": 153, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303065 }, { "func": "static bool regs_sipr(struct pt_regs *regs)\n{\n\tunsigned long sipr = MMCRA_SIPR;\n\n\tif (ppmu->flags & PPMU_HAS_SIER)\n\t\treturn !!(regs->dar & 
SIER_SIPR);\n\n\tif (ppmu->flags & PPMU_ALT_SIPR)\n\t\tsipr = POWER6_MMCRA_SIPR;\n\n\treturn !!(regs->dsisr & sipr);\n}", "project": "linux", "hash": 317636508210867351589703573159980601231, "size": 12, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374723 }, { "func": "static uint build_bitmap_for_nested_joins(List *join_list, \n uint first_unused)\n{\n List_iterator li(*join_list);\n TABLE_LIST *table;\n DBUG_ENTER(\"build_bitmap_for_nested_joins\");\n while ((table= li++))\n {\n NESTED_JOIN *nested_join;\n if ((nested_join= table->nested_join))\n {\n /*\n It is guaranteed by simplify_joins() function that a nested join\n that has only one child represents a single table VIEW (and the child\n is an underlying table). We don't assign bits to such nested join\n structures because \n 1. it is redundant (a \"sequence\" of one table cannot be interleaved \n with anything)\n 2. we could run out bits in nested_join_map otherwise.\n */\n if (nested_join->n_tables != 1)\n {\n /* Don't assign bits to sj-nests */\n if (table->on_expr)\n nested_join->nj_map= (nested_join_map) 1 << first_unused++;\n first_unused= build_bitmap_for_nested_joins(&nested_join->join_list,\n first_unused);\n }\n }\n }\n DBUG_RETURN(first_unused);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 311138576246249186654574164526538392078, "size": 32, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). 
The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508750 }, { "func": "UnicodeStringTest::TestAppendable() {\n UnicodeString dest;\n SimpleAppendable app(dest);\n doTestAppendable(dest, app);\n}", "project": "icu", "hash": 256949575578178095727372950216683135309, "size": 5, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430840 }, { "func": "static inline int rq_prio(const struct i915_request *rq)\n{\n\treturn rq->sched.attr.priority;\n}", "project": "linux", "hash": 114164387313520048342027723099733241107, "size": 4, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281431 }, { "func": "switch_prio(struct intel_engine_cs *engine, const struct i915_request *rq)\n{\n\tif (list_is_last(&rq->sched.link, &engine->active.requests))\n\t\treturn INT_MIN;\n\n\treturn rq_prio(list_next_entry(rq, sched.link));\n}", "project": "linux", "hash": 52338356390899369238937077406169708000, "size": 7, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281512 }, { "func": "bool ethereum_isStandardERC20Approve(const EthereumSignTx *msg) {\n if (msg->has_to && msg->to.size == 20 && msg->value.size == 0 &&\n msg->data_initial_chunk.size == 68 &&\n memcmp(msg->data_initial_chunk.bytes,\n \"\\x09\\x5e\\xa7\\xb3\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\",\n 16) == 0) {\n return true;\n }\n return false;\n}", "project": "keepkey-firmware", "hash": 113484972788182059465236772166677265986, "size": 10, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220887 }, { "func": "static void slab_fix(struct kmem_cache *s, char *fmt, ...)\n{\n\tstruct va_format vaf;\n\tva_list args;\n\n\tva_start(args, fmt);\n\tvaf.fmt = fmt;\n\tvaf.va = &args;\n\tpr_err(\"FIX %s: %pV\\n\", s->name, &vaf);\n\tva_end(args);\n}", "project": "linux", "hash": 225623538385120337375671143539719477636, "size": 11, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280138 }, { "func": "}\n\nstatic int\niscsi_if_destroy_conn(struct iscsi_transport *transport, struct iscsi_uevent *ev)\n{\n\tstruct iscsi_cls_conn *conn;\n\tunsigned long flags;\n\n\tconn = iscsi_conn_lookup(ev->u.d_conn.sid, ev->u.d_conn.cid);\n\tif (!conn)\n\t\treturn -EINVAL;\n\n\tspin_lock_irqsave(&connlock, flags);\n\tif (!list_empty(&conn->conn_list_err)) {\n\t\tspin_unlock_irqrestore(&connlock, flags);\n\t\treturn -EAGAIN;\n\t}\n\tspin_unlock_irqrestore(&connlock, flags);\n\n\tISCSI_DBG_TRANS_CONN(conn, \"Destroying transport conn\\n\");\n\n\tmutex_lock(&conn_mutex);\n\tif (transport->destroy_conn)\n\t\ttransport->destroy_conn(conn);\n\tmutex_unlock(&conn_mutex);", "project": "linux", "hash": 275679364477472868318494372783502410372, "size": 25, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379959 }, { "func": "int headerWrite(FD_t fd, Header h, int magicp)\n{\n ssize_t nb;\n unsigned int length;\n void * uh = headerExport(h, &length);\n\n if (uh == NULL)\n\treturn 1;\n\n if (magicp == HEADER_MAGIC_YES) {\n\tnb = Fwrite(rpm_header_magic, sizeof(rpm_header_magic), 1, fd);\n\tif (nb != sizeof(rpm_header_magic))\n\t goto exit;\n }\n\n nb = Fwrite(uh, sizeof(char), length, fd);\n\nexit:\n free(uh);\n return (nb == length ? 0 : 1);\n}", "project": "rpm", "hash": 325595777581970543527952178223889610117, "size": 21, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318198 }, { "func": "static int trace_abort(jit_State *J)\n{\n lua_State *L = J->L;\n TraceError e = LJ_TRERR_RECERR;\n TraceNo traceno;\n\n J->postproc = LJ_POST_NONE;\n lj_mcode_abort(J);\n if (tvisnumber(L->top-1))\n e = (TraceError)numberVint(L->top-1);\n if (e == LJ_TRERR_MCODELM) {\n L->top--; /* Remove error object */\n J->state = LJ_TRACE_ASM;\n return 1; /* Retry ASM with new MCode area. */\n }\n /* Penalize or blacklist starting bytecode instruction. */\n if (J->parent == 0 && !bc_isret(bc_op(J->cur.startins)))\n penalty_pc(J, &gcref(J->cur.startpt)->pt, mref(J->cur.startpc, BCIns), e);\n\n /* Is there anything to abort? */\n traceno = J->cur.traceno;\n if (traceno) {\n ptrdiff_t errobj = savestack(L, L->top-1); /* Stack may be resized. */\n J->cur.link = 0;\n J->cur.linktype = LJ_TRLINK_NONE;\n lj_vmevent_send(L, TRACE,\n TValue *frame;\n const BCIns *pc;\n GCfunc *fn;\n setstrV(L, L->top++, lj_str_newlit(L, \"abort\"));\n setintV(L->top++, traceno);\n /* Find original Lua function call to generate a better error message. */\n frame = J->L->base-1;\n pc = J->pc;\n while (!isluafunc(frame_func(frame))) {\n\tpc = (frame_iscont(frame) ? 
frame_contpc(frame) : frame_pc(frame)) - 1;\n\tframe = frame_prev(frame);\n }\n fn = frame_func(frame);\n setfuncV(L, L->top++, fn);\n setintV(L->top++, proto_bcpos(funcproto(fn), pc));\n copyTV(L, L->top++, restorestack(L, errobj));\n copyTV(L, L->top++, &J->errinfo);\n );\n /* Drop aborted trace after the vmevent (which may still access it). */\n setgcrefnull(J->trace[traceno]);\n if (traceno < J->freetrace)\n J->freetrace = traceno;\n J->cur.traceno = 0;\n }\n L->top--; /* Remove error object */\n if (e == LJ_TRERR_DOWNREC)\n return trace_downrec(J);\n else if (e == LJ_TRERR_MCODEAL)\n lj_trace_flushall(L);\n return 0;\n}", "project": "LuaJIT", "hash": 204901683891962519052237225064411839220, "size": 57, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394647 }, { "func": " VarDimArray shape() const { return shape_; }", "project": "tensorflow", "hash": 1120517723732506265693362131378889805, "size": 1, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277010 }, { "func": "static authz_status oidc_handle_unauthorized_user24(request_rec *r) {\n\n\toidc_debug(r, \"enter\");\n\n\toidc_cfg *c = ap_get_module_config(r->server->module_config, &auth_openidc_module);\n\n\tif (apr_strnatcasecmp((const char*) ap_auth_type(r),\n\t\t\t\t\t\t OIDC_AUTH_TYPE_OPENID_OAUTH20) == 0) {\n\t\toidc_debug(r, \"setting environment variable %s to \\\"%s\\\" for usage in mod_headers\", OIDC_OAUTH_BEARER_SCOPE_ERROR, OIDC_OAUTH_BEARER_SCOPE_ERROR_VALUE);\n\t\tapr_table_set(r->subprocess_env, OIDC_OAUTH_BEARER_SCOPE_ERROR, OIDC_OAUTH_BEARER_SCOPE_ERROR_VALUE);\n\t\treturn AUTHZ_DENIED;\n\t}\n\n\t/* see if we've configured OIDCUnAutzAction for this path */\n\tswitch 
(oidc_dir_cfg_unautz_action(r)) {\n\t\t// TODO: document that AuthzSendForbiddenOnFailure is required to return 403 FORBIDDEN\n\t\tcase OIDC_UNAUTZ_RETURN403:\n\t\tcase OIDC_UNAUTZ_RETURN401:\n\t\t\treturn AUTHZ_DENIED;\n\t\t\tbreak;\n\t\tcase OIDC_UNAUTZ_AUTHENTICATE:\n\t\t\t/*\n\t\t\t * exception handling: if this looks like a XMLHttpRequest call we\n\t\t\t * won't redirect the user and thus avoid creating a state cookie\n\t\t\t * for a non-browser (= Javascript) call that will never return from the OP\n\t\t\t */\n\t\t\tif (oidc_is_xml_http_request(r) == TRUE)\n\t\t\t\treturn AUTHZ_DENIED;\n\t\t\tbreak;\n\t}\n\n\toidc_authenticate_user(r, c, NULL, oidc_get_current_url(r), NULL,\n\t\t\tNULL, NULL, oidc_dir_cfg_path_auth_request_params(r), oidc_dir_cfg_path_scope(r));\n\n\tconst char *location = oidc_util_hdr_out_location_get(r);\n\tif (location != NULL) {\n\t\toidc_debug(r, \"send HTML refresh with authorization redirect: %s\", location);\n\n\t\tchar *html_head =\n\t\t\t\tapr_psprintf(r->pool, \"\", location);\n\t\toidc_util_html_send(r, \"Stepup Authentication\", html_head, NULL, NULL,\n\t\t\t\tHTTP_UNAUTHORIZED);\n\t\t/*\n\t\t * a hack for Apache 2.4 to prevent it from writing its own 401 HTML document\n\t\t * text by making ap_send_error_response in http_protocol.c return early...\n\t\t */\n\t\tr->header_only = 1;\n\t}\n\n\treturn AUTHZ_DENIED;\n}", "project": "mod_auth_openidc", "hash": 317284471456342164231115998689032263581, "size": 51, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381929 }, { "func": "static authz_status oidc_handle_unauthorized_user24(request_rec *r) {\n\n\toidc_debug(r, \"enter\");\n\n\toidc_cfg *c = ap_get_module_config(r->server->module_config,\n\t\t\t&auth_openidc_module);\n\n\tif (apr_strnatcasecmp((const char *) 
ap_auth_type(r),\n\t\t\tOIDC_AUTH_TYPE_OPENID_OAUTH20) == 0) {\n\t\toidc_oauth_return_www_authenticate(r, \"insufficient_scope\",\n\t\t\t\t\"Different scope(s) or other claims required\");\n\t\treturn AUTHZ_DENIED;\n\t}\n\n\t/* see if we've configured OIDCUnAutzAction for this path */\n\tswitch (oidc_dir_cfg_unautz_action(r)) {\n\t// TODO: document that AuthzSendForbiddenOnFailure is required to return 403 FORBIDDEN\n\tcase OIDC_UNAUTZ_RETURN403:\n\tcase OIDC_UNAUTZ_RETURN401:\n\t\treturn AUTHZ_DENIED;\n\t\tbreak;\n\tcase OIDC_UNAUTZ_AUTHENTICATE:\n\t\t/*\n\t\t * exception handling: if this looks like a XMLHttpRequest call we\n\t\t * won't redirect the user and thus avoid creating a state cookie\n\t\t * for a non-browser (= Javascript) call that will never return from the OP\n\t\t */\n\t\tif (oidc_is_xml_http_request(r) == TRUE)\n\t\t\treturn AUTHZ_DENIED;\n\t\tbreak;\n\t}\n\n\toidc_authenticate_user(r, c, NULL, oidc_get_current_url(r), NULL,\n\t\t\tNULL, NULL, oidc_dir_cfg_path_auth_request_params(r),\n\t\t\toidc_dir_cfg_path_scope(r));\n\n\tconst char *location = oidc_util_hdr_out_location_get(r);\n\tif (location != NULL) {\n\t\toidc_debug(r, \"send HTML refresh with authorization redirect: %s\",\n\t\t\t\tlocation);\n\n\t\tchar *html_head = apr_psprintf(r->pool,\n\t\t\t\t\"\",\n\t\t\t\tlocation);\n\t\toidc_util_html_send(r, \"Stepup Authentication\", html_head, NULL, NULL,\n\t\t\t\tHTTP_UNAUTHORIZED);\n\t}\n\n\treturn AUTHZ_DENIED;\n}", "project": "mod_auth_openidc", "hash": 206591065562087656945290756795659331012, "size": 50, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447686 }, { "func": "static bool compute_tsc_page_parameters(struct pvclock_vcpu_time_info *hv_clock,\n\t\t\t\t\tstruct ms_hyperv_tsc_page *tsc_ref)\n{\n\tu64 max_mul;\n\n\tif (!(hv_clock->flags & PVCLOCK_TSC_STABLE_BIT))\n\t\treturn false;\n\n\t/*\n\t * check if scale would overflow, 
if so we use the time ref counter\n\t * tsc_to_system_mul * 2^(tsc_shift+32) / 100 >= 2^64\n\t * tsc_to_system_mul / 100 >= 2^(32-tsc_shift)\n\t * tsc_to_system_mul >= 100 * 2^(32-tsc_shift)\n\t */\n\tmax_mul = 100ull << (32 - hv_clock->tsc_shift);\n\tif (hv_clock->tsc_to_system_mul >= max_mul)\n\t\treturn false;\n\n\t/*\n\t * Otherwise compute the scale and offset according to the formulas\n\t * derived above.\n\t */\n\ttsc_ref->tsc_scale =\n\t\tmul_u64_u32_div(1ULL << (32 + hv_clock->tsc_shift),\n\t\t\t\thv_clock->tsc_to_system_mul,\n\t\t\t\t100);\n\n\ttsc_ref->tsc_offset = hv_clock->system_time;\n\tdo_div(tsc_ref->tsc_offset, 100);\n\ttsc_ref->tsc_offset -=\n\t\tmul_u64_u64_shr(hv_clock->tsc_timestamp, tsc_ref->tsc_scale, 64);\n\treturn true;\n}", "project": "linux", "hash": 201771686007149677001976478776571234132, "size": 33, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. 
This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343532 }, { "func": "proto_register_dnp3(void)\n{\n\n/* Setup list of header fields */\n static hf_register_info hf[] = {\n { &hf_dnp3_start,\n { \"Start Bytes\", \"dnp3.start\",\n FT_UINT16, BASE_HEX, NULL, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_len,\n { \"Length\", \"dnp3.len\",\n FT_UINT8, BASE_DEC, NULL, 0x0,\n \"Frame Data Length\", HFILL }\n },\n\n { &hf_dnp3_ctl,\n { \"Control\", \"dnp3.ctl\",\n FT_UINT8, BASE_HEX, NULL, 0x0,\n \"Frame Control Byte\", HFILL }\n },\n\n { &hf_dnp3_ctl_prifunc,\n { \"Control Function Code\", \"dnp3.ctl.prifunc\",\n FT_UINT8, BASE_DEC, VALS(dnp3_ctl_func_pri_vals), DNP3_CTL_FUNC,\n \"Frame Control Function Code\", HFILL }\n },\n\n { &hf_dnp3_ctl_secfunc,\n { \"Control Function Code\", \"dnp3.ctl.secfunc\",\n FT_UINT8, BASE_DEC, VALS(dnp3_ctl_func_sec_vals), DNP3_CTL_FUNC,\n \"Frame Control Function Code\", HFILL }\n },\n\n { &hf_dnp3_ctlobj_code_c,\n { \"Operation Type\", \"dnp3.ctl.op\",\n FT_UINT8, BASE_DEC, VALS(dnp3_al_ctlc_code_vals), AL_OBJCTLC_CODE,\n \"Control Code, Operation Type\", HFILL }\n },\n\n { &hf_dnp3_ctlobj_code_m,\n { \"Queue / Clear Field\", \"dnp3.ctl.clr\",\n FT_UINT8, BASE_DEC, VALS(dnp3_al_ctlc_misc_vals), AL_OBJCTLC_MISC,\n \"Control Code, Clear Field\", HFILL }\n },\n\n { &hf_dnp3_ctlobj_code_tc,\n { \"Trip Control Code\", \"dnp3.ctl.trip\",\n FT_UINT8, BASE_DEC, VALS(dnp3_al_ctlc_tc_vals), AL_OBJCTLC_TC,\n \"Control Code, Trip Close Control\", HFILL }\n },\n\n { &hf_dnp3_ctl_dir,\n { \"Direction\", 
\"dnp3.ctl.dir\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), DNP3_CTL_DIR,\n NULL, HFILL }\n },\n\n { &hf_dnp3_ctl_prm,\n { \"Primary\", \"dnp3.ctl.prm\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), DNP3_CTL_PRM,\n NULL, HFILL }\n },\n\n { &hf_dnp3_ctl_fcb,\n { \"Frame Count Bit\", \"dnp3.ctl.fcb\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), DNP3_CTL_FCB,\n NULL, HFILL }\n },\n\n { &hf_dnp3_ctl_fcv,\n { \"Frame Count Valid\", \"dnp3.ctl.fcv\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), DNP3_CTL_FCV,\n NULL, HFILL }\n },\n\n { &hf_dnp3_ctl_dfc,\n { \"Data Flow Control\", \"dnp3.ctl.dfc\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), DNP3_CTL_DFC,\n NULL, HFILL }\n },\n\n { &hf_dnp3_dst,\n { \"Destination\", \"dnp3.dst\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n \"Destination Address\", HFILL }\n },\n\n { &hf_dnp3_src,\n { \"Source\", \"dnp3.src\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n \"Source Address\", HFILL }\n },\n\n { &hf_dnp3_addr,\n { \"Address\", \"dnp3.addr\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n \"Source or Destination Address\", HFILL }\n },\n\n { &hf_dnp3_data_hdr_crc,\n { \"Data Link Header checksum\", \"dnp3.hdr.CRC\",\n FT_UINT16, BASE_HEX, NULL, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_data_hdr_crc_status,\n { \"Data Link Header Checksum Status\", \"dnp.hdr.CRC.status\",\n FT_UINT8, BASE_NONE, VALS(proto_checksum_vals), 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_tr_ctl,\n { \"Transport Control\", \"dnp3.tr.ctl\",\n FT_UINT8, BASE_HEX, NULL, 0x0,\n \"Transport Layer Control Byte\", HFILL }\n },\n\n { &hf_dnp3_tr_fin,\n { \"Final\", \"dnp3.tr.fin\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), DNP3_TR_FIN,\n NULL, HFILL }\n },\n\n { &hf_dnp3_tr_fir,\n { \"First\", \"dnp3.tr.fir\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), DNP3_TR_FIR,\n NULL, HFILL }\n },\n\n { &hf_dnp3_tr_seq,\n { \"Sequence\", \"dnp3.tr.seq\",\n FT_UINT8, BASE_DEC, NULL, DNP3_TR_SEQ,\n \"Frame Sequence Number\", HFILL }\n },\n\n { &hf_dnp3_data_chunk,\n { \"Data Chunk\", \"dnp.data_chunk\",\n FT_BYTES, BASE_NONE, NULL, 
0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_data_chunk_len,\n { \"Data Chunk length\", \"dnp.data_chunk_len\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_data_chunk_crc,\n { \"Data Chunk checksum\", \"dnp.data_chunk.CRC\",\n FT_UINT16, BASE_HEX, NULL, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_data_chunk_crc_status,\n { \"Data Chunk Checksum Status\", \"dnp.data_chunk.CRC.status\",\n FT_UINT8, BASE_NONE, VALS(proto_checksum_vals), 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_ctl,\n { \"Application Control\", \"dnp3.al.ctl\",\n FT_UINT8, BASE_HEX, NULL, 0x0,\n \"Application Layer Control Byte\", HFILL }\n },\n\n { &hf_dnp3_al_fir,\n { \"First\", \"dnp3.al.fir\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), DNP3_AL_FIR,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_fin,\n { \"Final\", \"dnp3.al.fin\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), DNP3_AL_FIN,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_con,\n { \"Confirm\", \"dnp3.al.con\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), DNP3_AL_CON,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_uns,\n { \"Unsolicited\", \"dnp3.al.uns\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), DNP3_AL_UNS,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_seq,\n { \"Sequence\", \"dnp3.al.seq\",\n FT_UINT8, BASE_DEC, NULL, DNP3_AL_SEQ,\n \"Frame Sequence Number\", HFILL }\n },\n\n { &hf_dnp3_al_func,\n { \"Application Layer Function Code\", \"dnp3.al.func\",\n FT_UINT8, BASE_DEC|BASE_EXT_STRING, &dnp3_al_func_vals_ext, DNP3_AL_FUNC,\n \"Application Function Code\", HFILL }\n },\n\n { &hf_dnp3_al_iin,\n { \"Internal Indications\", \"dnp3.al.iin\",\n FT_UINT16, BASE_HEX, NULL, 0x0,\n \"Application Layer IIN\", HFILL }\n },\n\n { &hf_dnp3_al_iin_bmsg,\n { \"Broadcast Msg Rx\", \"dnp3.al.iin.bmsg\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset), AL_IIN_BMSG,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_iin_cls1d,\n { \"Class 1 Data Available\", \"dnp3.al.iin.cls1d\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset), AL_IIN_CLS1D,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_iin_cls2d,\n { \"Class 2 
Data Available\", \"dnp3.al.iin.cls2d\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset), AL_IIN_CLS2D,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_iin_cls3d,\n { \"Class 3 Data Available\", \"dnp3.al.iin.cls3d\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset), AL_IIN_CLS3D,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_iin_tsr,\n { \"Time Sync Required\", \"dnp3.al.iin.tsr\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset), AL_IIN_TSR,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_iin_dol,\n { \"Digital Outputs in Local\", \"dnp3.al.iin.dol\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset), AL_IIN_DOL,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_iin_dt,\n { \"Device Trouble\", \"dnp3.al.iin.dt\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset), AL_IIN_DT,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_iin_rst,\n { \"Device Restart\", \"dnp3.al.iin.rst\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset), AL_IIN_RST,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_iin_fcni,\n { \"Function Code not implemented\", \"dnp3.al.iin.fcni\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset), AL_IIN_FCNI,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_iin_obju,\n { \"Requested Objects Unknown\", \"dnp3.al.iin.obju\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset), AL_IIN_OBJU,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_iin_pioor,\n { \"Parameters Invalid or Out of Range\", \"dnp3.al.iin.pioor\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset), AL_IIN_PIOOR,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_iin_ebo,\n { \"Event Buffer Overflow\", \"dnp3.al.iin.ebo\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset), AL_IIN_EBO,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_iin_oae,\n { \"Operation Already Executing\", \"dnp3.al.iin.oae\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset), AL_IIN_OAE,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_iin_cc,\n { \"Configuration Corrupt\", \"dnp3.al.iin.cc\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset), AL_IIN_CC,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_obj,\n { \"Object\", \"dnp3.al.obj\",\n FT_UINT16, BASE_HEX|BASE_EXT_STRING, &dnp3_al_obj_vals_ext, 0x0,\n \"Application Layer Object\", HFILL }\n },\n\n { 
&hf_dnp3_al_objq_prefix,\n { \"Prefix Code\", \"dnp3.al.objq.prefix\",\n FT_UINT8, BASE_DEC|BASE_EXT_STRING, &dnp3_al_objq_prefix_vals_ext, AL_OBJQ_PREFIX,\n \"Object Prefix Code\", HFILL }\n },\n\n { &hf_dnp3_al_objq_range,\n { \"Range Code\", \"dnp3.al.objq.range\",\n FT_UINT8, BASE_DEC|BASE_EXT_STRING, &dnp3_al_objq_range_vals_ext, AL_OBJQ_RANGE,\n \"Object Range Specifier Code\", HFILL }\n },\n\n { &hf_dnp3_al_range_start8,\n { \"Start (8 bit)\", \"dnp3.al.range.start\",\n FT_UINT8, BASE_DEC, NULL, 0x0,\n \"Object Start Index\", HFILL }\n },\n\n { &hf_dnp3_al_range_stop8,\n { \"Stop (8 bit)\", \"dnp3.al.range.stop\",\n FT_UINT8, BASE_DEC, NULL, 0x0,\n \"Object Stop Index\", HFILL }\n },\n\n { &hf_dnp3_al_range_start16,\n { \"Start (16 bit)\", \"dnp3.al.range.start\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n \"Object Start Index\", HFILL }\n },\n\n { &hf_dnp3_al_range_stop16,\n { \"Stop (16 bit)\", \"dnp3.al.range.stop\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n \"Object Stop Index\", HFILL }\n },\n\n { &hf_dnp3_al_range_start32,\n { \"Start (32 bit)\", \"dnp3.al.range.start\",\n FT_UINT32, BASE_DEC, NULL, 0x0,\n \"Object Start Index\", HFILL }\n },\n\n { &hf_dnp3_al_range_stop32,\n { \"Stop (32 bit)\", \"dnp3.al.range.stop\",\n FT_UINT32, BASE_DEC, NULL, 0x0,\n \"Object Stop Index\", HFILL }\n },\n\n { &hf_dnp3_al_range_abs8,\n { \"Address (8 bit)\", \"dnp3.al.range.abs\",\n FT_UINT8, BASE_DEC, NULL, 0x0,\n \"Object Absolute Address\", HFILL }\n },\n\n { &hf_dnp3_al_range_abs16,\n { \"Address (16 bit)\", \"dnp3.al.range.abs\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n \"Object Absolute Address\", HFILL }\n },\n\n { &hf_dnp3_al_range_abs32,\n { \"Address (32 bit)\", \"dnp3.al.range.abs\",\n FT_UINT32, BASE_DEC, NULL, 0x0,\n \"Object Absolute Address\", HFILL }\n },\n\n { &hf_dnp3_al_range_quant8,\n { \"Quantity (8 bit)\", \"dnp3.al.range.quantity\",\n FT_UINT8, BASE_DEC, NULL, 0x0,\n \"Object Quantity\", HFILL }\n },\n\n { &hf_dnp3_al_range_quant16,\n { \"Quantity (16 bit)\", 
\"dnp3.al.range.quantity\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n \"Object Quantity\", HFILL }\n },\n\n { &hf_dnp3_al_range_quant32,\n { \"Quantity (32 bit)\", \"dnp3.al.range.quantity\",\n FT_UINT32, BASE_DEC, NULL, 0x0,\n \"Object Quantity\", HFILL }\n },\n\n { &hf_dnp3_al_index8,\n { \"Index (8 bit)\", \"dnp3.al.index\",\n FT_UINT8, BASE_DEC, NULL, 0x0,\n \"Object Index\", HFILL }\n },\n\n { &hf_dnp3_al_index16,\n { \"Index (16 bit)\", \"dnp3.al.index\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n \"Object Index\", HFILL }\n },\n\n { &hf_dnp3_al_index32,\n { \"Index (32 bit)\", \"dnp3.al.index\",\n FT_UINT32, BASE_DEC, NULL, 0x0,\n \"Object Index\", HFILL }\n },\n\n#if 0\n { &hf_dnp3_al_ptnum,\n { \"Object Point Number\", \"dnp3.al.ptnum\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n NULL, HFILL }\n },\n#endif\n\n { &hf_dnp3_al_size8,\n { \"Size (8 bit)\", \"dnp3.al.size\",\n FT_UINT8, BASE_DEC, NULL, 0x0,\n \"Object Size\", HFILL }\n },\n\n { &hf_dnp3_al_size16,\n { \"Size (16 bit)\", \"dnp3.al.size\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n \"Object Size\", HFILL }\n },\n\n { &hf_dnp3_al_size32,\n { \"Size (32 bit)\", \"dnp3.al.size\",\n FT_UINT32, BASE_DEC, NULL, 0x0,\n \"Object Size\", HFILL }\n },\n\n { &hf_dnp3_bocs_bit,\n { \"Commanded State\", \"dnp3.al.bocs\",\n FT_BOOLEAN, 8, TFS(&tfs_on_off), 0x80,\n \"Binary Output Commanded state\", HFILL }\n },\n\n { &hf_dnp3_al_bit,\n { \"Value (bit)\", \"dnp3.al.bit\",\n FT_BOOLEAN, 8, TFS(&tfs_on_off), 0x1,\n \"Digital Value (1 bit)\", HFILL }\n },\n\n { &hf_dnp3_al_2bit,\n { \"Value (two bit)\", \"dnp3.al.2bit\",\n FT_UINT8, BASE_DEC, NULL, 0x0,\n \"Digital Value (2 bit)\", HFILL }\n },\n\n { &hf_dnp3_al_ana16,\n { \"Value (16 bit)\", \"dnp3.al.ana.int\",\n FT_INT16, BASE_DEC, NULL, 0x0,\n \"Analog Value (16 bit)\", HFILL }\n },\n\n { &hf_dnp3_al_ana32,\n { \"Value (32 bit)\", \"dnp3.al.ana.int\",\n FT_INT32, BASE_DEC, NULL, 0x0,\n \"Analog Value (32 bit)\", HFILL }\n },\n\n { &hf_dnp3_al_anaflt,\n { \"Value (float)\", 
\"dnp3.al.ana.float\",\n FT_FLOAT, BASE_NONE, NULL, 0x0,\n \"Analog Value (float)\", HFILL }\n },\n\n { &hf_dnp3_al_anadbl,\n { \"Value (double)\", \"dnp3.al.ana.double\",\n FT_DOUBLE, BASE_NONE, NULL, 0x0,\n \"Analog Value (double)\", HFILL }\n },\n\n { &hf_dnp3_al_anaout16,\n { \"Output Value (16 bit)\", \"dnp3.al.anaout.int\",\n FT_INT16, BASE_DEC, NULL, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_anaout32,\n { \"Output Value (32 bit)\", \"dnp3.al.anaout.int\",\n FT_INT32, BASE_DEC, NULL, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_anaoutflt,\n { \"Output Value (float)\", \"dnp3.al.anaout.float\",\n FT_FLOAT, BASE_NONE, NULL, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_anaoutdbl,\n { \"Output (double)\", \"dnp3.al.anaout.double\",\n FT_DOUBLE, BASE_NONE, NULL, 0x0,\n \"Output Value (double)\", HFILL }\n },\n\n { &hf_dnp3_al_cnt16,\n { \"Counter (16 bit)\", \"dnp3.al.cnt\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n \"Counter Value (16 bit)\", HFILL }\n },\n\n { &hf_dnp3_al_cnt32,\n { \"Counter (32 bit)\", \"dnp3.al.cnt\",\n FT_UINT32, BASE_DEC, NULL, 0x0,\n \"Counter Value (32 bit)\", HFILL }\n },\n\n { &hf_dnp3_al_ctrlstatus,\n { \"Control Status\", \"dnp3.al.ctrlstatus\",\n FT_UINT8, BASE_DEC|BASE_EXT_STRING, &dnp3_al_ctl_status_vals_ext, AL_OBJCTL_STATUS_MASK,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_mode,\n { \"File Control Mode\", \"dnp3.al.file.mode\",\n FT_UINT16, BASE_DEC, VALS(dnp3_al_file_mode_vals), 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_auth,\n { \"File Authentication Key\", \"dnp3.al.file.auth\",\n FT_UINT32, BASE_HEX, NULL, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_size,\n { \"File Size\", \"dnp3.al.file.size\",\n FT_UINT32, BASE_HEX, NULL, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_maxblk,\n { \"File Max Block Size\", \"dnp3.al.file.maxblock\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_reqID,\n { \"File Request Identifier\", \"dnp3.al.file.reqID\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n NULL, 
HFILL }\n },\n\n { &hf_dnp3_al_file_status,\n { \"File Control Status\", \"dnp3.al.file.status\",\n FT_UINT8, BASE_DEC|BASE_EXT_STRING, &dnp3_al_file_status_vals_ext, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_handle,\n { \"File Handle\", \"dnp3.al.file.handle\",\n FT_UINT32, BASE_HEX, NULL, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_blocknum,\n { \"File Block Number\", \"dnp3.al.file.blocknum\",\n FT_UINT32, BASE_HEX, NULL, 0x7fffffff,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_lastblock,\n { \"File Last Block\", \"dnp3.al.file.lastblock\",\n FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x80000000,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_data,\n { \"File Data\", \"dnp3.al.file.data\",\n FT_BYTES, BASE_NONE, NULL, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_biq_b0,\n { \"Online\", \"dnp3.al.biq.b0\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BI_FLAG0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_biq_b1,\n { \"Restart\", \"dnp3.al.biq.b1\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BI_FLAG1,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_biq_b2,\n { \"Comm Fail\", \"dnp3.al.biq.b2\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BI_FLAG2,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_biq_b3,\n { \"Remote Force\", \"dnp3.al.biq.b3\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BI_FLAG3,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_biq_b4,\n { \"Local Force\", \"dnp3.al.biq.b4\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BI_FLAG4,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_biq_b5,\n { \"Chatter Filter\", \"dnp3.al.biq.b5\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BI_FLAG5,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_biq_b6,\n { \"Reserved\", \"dnp3.al.biq.b6\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BI_FLAG6,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_biq_b7,\n { \"Point Value\", \"dnp3.al.biq.b7\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BI_FLAG7,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_boq_b0,\n { \"Online\", \"dnp3.al.boq.b0\",\n FT_BOOLEAN, 8, 
TFS(&tfs_set_notset), AL_OBJ_BO_FLAG0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_boq_b1,\n { \"Restart\", \"dnp3.al.boq.b1\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BO_FLAG1,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_boq_b2,\n { \"Comm Fail\", \"dnp3.al.boq.b2\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BO_FLAG2,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_boq_b3,\n { \"Remote Force\", \"dnp3.al.boq.b3\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BO_FLAG3,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_boq_b4,\n { \"Local Force\", \"dnp3.al.boq.b4\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BO_FLAG4,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_boq_b5,\n { \"Reserved\", \"dnp3.al.boq.b5\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BO_FLAG5,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_boq_b6,\n { \"Reserved\", \"dnp3.al.boq.b6\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BO_FLAG6,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_boq_b7,\n { \"Point Value\", \"dnp3.al.boq.b7\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_BO_FLAG7,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_ctrq_b0,\n { \"Online\", \"dnp3.al.ctrq.b0\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_CTR_FLAG0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_ctrq_b1,\n { \"Restart\", \"dnp3.al.ctrq.b1\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_CTR_FLAG1,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_ctrq_b2,\n { \"Comm Fail\", \"dnp3.al.ctrq.b2\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_CTR_FLAG2,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_ctrq_b3,\n { \"Remote Force\", \"dnp3.al.ctrq.b3\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_CTR_FLAG3,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_ctrq_b4,\n { \"Local Force\", \"dnp3.al.ctrq.b4\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_CTR_FLAG4,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_ctrq_b5,\n { \"Roll-Over\", \"dnp3.al.ctrq.b5\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_CTR_FLAG5,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_ctrq_b6,\n { \"Discontinuity\", \"dnp3.al.ctrq.b6\",\n 
FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_CTR_FLAG6,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_ctrq_b7,\n { \"Reserved\", \"dnp3.al.ctrq.b7\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_CTR_FLAG7,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aiq_b0,\n { \"Online\", \"dnp3.al.aiq.b0\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AI_FLAG0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aiq_b1,\n { \"Restart\", \"dnp3.al.aiq.b1\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AI_FLAG1,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aiq_b2,\n { \"Comm Fail\", \"dnp3.al.aiq.b2\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AI_FLAG2,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aiq_b3,\n { \"Remote Force\", \"dnp3.al.aiq.b3\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AI_FLAG3,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aiq_b4,\n { \"Local Force\", \"dnp3.al.aiq.b4\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AI_FLAG4,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aiq_b5,\n { \"Over-Range\", \"dnp3.al.aiq.b5\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AI_FLAG5,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aiq_b6,\n { \"Reference Check\", \"dnp3.al.aiq.b6\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AI_FLAG6,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aiq_b7,\n { \"Reserved\", \"dnp3.al.aiq.b7\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AI_FLAG7,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aoq_b0,\n { \"Online\", \"dnp3.al.aoq.b0\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AO_FLAG0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aoq_b1,\n { \"Restart\", \"dnp3.al.aoq.b1\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AO_FLAG1,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aoq_b2,\n { \"Comm Fail\", \"dnp3.al.aoq.b2\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AO_FLAG2,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aoq_b3,\n { \"Remote Force\", \"dnp3.al.aoq.b3\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AO_FLAG3,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aoq_b4,\n { \"Local Force\", \"dnp3.al.aoq.b4\",\n 
FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AO_FLAG4,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aoq_b5,\n { \"Reserved\", \"dnp3.al.aoq.b5\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AO_FLAG5,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aoq_b6,\n { \"Reserved\", \"dnp3.al.aoq.b6\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AO_FLAG6,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_aoq_b7,\n { \"Reserved\", \"dnp3.al.aoq.b7\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), AL_OBJ_AO_FLAG7,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_timestamp,\n { \"Timestamp\", \"dnp3.al.timestamp\",\n FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0,\n \"Object Timestamp\", HFILL }\n },\n\n { &hf_dnp3_al_file_perms,\n { \"Permissions\", \"dnp3.al.file.perms\",\n FT_UINT16, BASE_OCT, NULL, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_perms_read_owner,\n { \"Read permission for owner\", \"dnp3.al.file.perms.read_owner\",\n FT_BOOLEAN, 16, TFS(&tfs_yes_no), 0400,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_perms_write_owner,\n { \"Write permission for owner\", \"dnp3.al.file.perms.write_owner\",\n FT_BOOLEAN, 16, TFS(&tfs_yes_no), 0200,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_perms_exec_owner,\n { \"Execute permission for owner\", \"dnp3.al.file.perms.exec_owner\",\n FT_BOOLEAN, 16, TFS(&tfs_yes_no), 0100,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_perms_read_group,\n { \"Read permission for group\", \"dnp3.al.file.perms.read_group\",\n FT_BOOLEAN, 16, TFS(&tfs_yes_no), 040,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_perms_write_group,\n { \"Write permission for group\", \"dnp3.al.file.perms.write_group\",\n FT_BOOLEAN, 16, TFS(&tfs_yes_no), 020,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_perms_exec_group,\n { \"Execute permission for group\", \"dnp3.al.file.perms.exec_group\",\n FT_BOOLEAN, 16, TFS(&tfs_yes_no), 010,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_perms_read_world,\n { \"Read permission for world\", \"dnp3.al.file.perms.read_world\",\n FT_BOOLEAN, 16, TFS(&tfs_yes_no), 04,\n NULL, 
HFILL }\n },\n\n { &hf_dnp3_al_file_perms_write_world,\n { \"Write permission for world\", \"dnp3.al.file.perms.write_world\",\n FT_BOOLEAN, 16, TFS(&tfs_yes_no), 02,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_file_perms_exec_world,\n { \"Execute permission for world\", \"dnp3.al.file.perms.exec_world\",\n FT_BOOLEAN, 16, TFS(&tfs_yes_no), 01,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_rel_timestamp,\n { \"Relative Timestamp\", \"dnp3.al.reltimestamp\",\n FT_RELATIVE_TIME, BASE_NONE, NULL, 0,\n \"Object Relative Timestamp\", HFILL }\n },\n\n { &hf_dnp3_al_datatype,\n { \"Data Type\", \"dnp3.al.datatype\",\n FT_UINT8, BASE_HEX, VALS(dnp3_al_data_type_vals), 0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_da_length,\n { \"Device Attribute Length\", \"dnp3.al.da.length\",\n FT_UINT8, BASE_DEC, NULL, 0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_da_uint8,\n { \"Device Attribute 8-Bit Unsigned Integer Value\", \"dnp3.al.da.uint8\",\n FT_UINT8, BASE_DEC, NULL, 0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_da_uint16,\n { \"Device Attribute 16-Bit Unsigned Integer Value\", \"dnp3.al.da.uint16\",\n FT_UINT16, BASE_DEC, NULL, 0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_da_uint32,\n { \"Device Attribute 32-Bit Unsigned Integer Value\", \"dnp3.al.da.uint32\",\n FT_UINT32, BASE_DEC, NULL, 0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_da_int8,\n { \"Device Attribute 8-Bit Integer Value\", \"dnp3.al.da.int8\",\n FT_INT8, BASE_DEC, NULL, 0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_da_int16,\n { \"Device Attribute 16-Bit Integer Value\", \"dnp3.al.da.int16\",\n FT_INT16, BASE_DEC, NULL, 0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_da_int32,\n { \"Device Attribute 32-Bit Integer Value\", \"dnp3.al.da.int32\",\n FT_INT32, BASE_DEC, NULL, 0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_da_flt,\n { \"Device Attribute Float Value\", \"dnp3.al.da.float\",\n FT_FLOAT, BASE_NONE, NULL, 0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_al_da_dbl,\n { \"Device Attribute Double Value\", \"dnp3.al.da.double\",\n FT_DOUBLE, BASE_NONE, NULL, 
0,\n NULL, HFILL }\n },\n\n { &hf_al_frag_data,\n {\"DNP3.0 AL Fragment Data\", \"dnp3.al.frag_data\",\n FT_BYTES, BASE_NONE, NULL, 0x00,\n \"DNP 3.0 Application Layer Fragment Data\", HFILL }},\n\n { &hf_dnp3_fragment,\n { \"DNP 3.0 AL Fragment\", \"dnp3.al.fragment\",\n FT_FRAMENUM, BASE_NONE, NULL, 0x0,\n \"DNP 3.0 Application Layer Fragment\", HFILL }\n },\n\n { &hf_dnp3_fragments,\n { \"DNP 3.0 AL Fragments\", \"dnp3.al.fragments\",\n FT_NONE, BASE_NONE, NULL, 0x0,\n \"DNP 3.0 Application Layer Fragments\", HFILL }\n },\n\n { &hf_dnp3_fragment_overlap,\n { \"Fragment overlap\", \"dnp3.al.fragment.overlap\",\n FT_BOOLEAN, BASE_NONE, NULL, 0x0,\n \"Fragment overlaps with other fragments\", HFILL }\n },\n\n { &hf_dnp3_fragment_overlap_conflict,\n { \"Conflicting data in fragment overlap\", \"dnp3.al.fragment.overlap.conflict\",\n FT_BOOLEAN, BASE_NONE, NULL, 0x0,\n \"Overlapping fragments contained conflicting data\", HFILL }\n },\n\n { &hf_dnp3_fragment_multiple_tails,\n { \"Multiple tail fragments found\", \"dnp3.al.fragment.multipletails\",\n FT_BOOLEAN, BASE_NONE, NULL, 0x0,\n \"Several tails were found when defragmenting the packet\", HFILL }\n },\n\n { &hf_dnp3_fragment_too_long_fragment,\n { \"Fragment too long\", \"dnp3.al.fragment.toolongfragment\",\n FT_BOOLEAN, BASE_NONE, NULL, 0x0,\n \"Fragment contained data past end of packet\", HFILL }\n },\n\n { &hf_dnp3_fragment_error,\n { \"Defragmentation error\", \"dnp3.al.fragment.error\",\n FT_FRAMENUM, BASE_NONE, NULL, 0x0,\n \"Defragmentation error due to illegal fragments\", HFILL }\n },\n\n { &hf_dnp3_fragment_count,\n { \"Fragment count\", \"dnp3.al.fragment.count\",\n FT_UINT32, BASE_DEC, NULL, 0x0,\n NULL, HFILL }\n },\n\n { &hf_dnp3_fragment_reassembled_in,\n { \"Reassembled PDU In Frame\", \"dnp3.al.fragment.reassembled_in\",\n FT_FRAMENUM, BASE_NONE, NULL, 0x0,\n \"This PDU is reassembled in this frame\", HFILL }\n },\n\n { &hf_dnp3_fragment_reassembled_length,\n { \"Reassembled DNP length\", 
\"dnp3.al.fragment.reassembled.length\",\n FT_UINT32, BASE_DEC, NULL, 0x0,\n \"The total length of the reassembled payload\", HFILL }\n },\n /* Generated from convert_proto_tree_add_text.pl */\n { &hf_dnp3_al_point_index, { \"Point Index\", \"dnp3.al.point_index\", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},\n { &hf_dnp3_al_da_value, { \"Value\", \"dnp3.al.da.value\", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},\n { &hf_dnp3_al_count, { \"Count\", \"dnp3.al.count\", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},\n { &hf_dnp3_al_on_time, { \"On Time\", \"dnp3.al.on_time\", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},\n { &hf_dnp3_al_off_time, { \"Off Time\", \"dnp3.al.off_time\", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},\n { &hf_dnp3_al_time_delay, { \"Time Delay\", \"dnp3.al.time_delay\", FT_UINT16, BASE_DEC|BASE_UNIT_STRING, &units_milliseconds, 0x0, NULL, HFILL }},\n { &hf_dnp3_al_file_string_offset, { \"File String Offset\", \"dnp3.al.file_string_offset\", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},\n { &hf_dnp3_al_file_string_length, { \"File String Length\", \"dnp3.al.file_string_length\", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},\n { &hf_dnp3_al_file_name, { \"File Name\", \"dnp3.al.file_name\", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},\n { &hf_dnp3_al_octet_string, { \"Octet String\", \"dnp3.al.octet_string\", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }},\n { &hf_dnp3_unknown_data_chunk, { \"Unknown Data Chunk\", \"dnp3.al.unknown_data_chunk\", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }},\n\n };\n\n/* Setup protocol subtree array */\n static gint *ett[] = {\n &ett_dnp3,\n &ett_dnp3_dl,\n &ett_dnp3_dl_ctl,\n &ett_dnp3_tr_ctl,\n &ett_dnp3_dl_data,\n &ett_dnp3_dl_chunk,\n &ett_dnp3_al,\n &ett_dnp3_al_ctl,\n &ett_dnp3_al_obj_point_tcc,\n &ett_dnp3_al_iin,\n &ett_dnp3_al_obj,\n &ett_dnp3_al_obj_qualifier,\n &ett_dnp3_al_obj_range,\n &ett_dnp3_al_objdet,\n &ett_dnp3_al_obj_quality,\n &ett_dnp3_al_obj_point,\n 
&ett_dnp3_al_obj_point_perms,\n &ett_dnp3_fragment,\n &ett_dnp3_fragments\n };\n static ei_register_info ei[] = {\n { &ei_dnp_num_items_neg, { \"dnp3.num_items_neg\", PI_MALFORMED, PI_ERROR, \"Negative number of items\", EXPFILL }},\n { &ei_dnp_invalid_length, { \"dnp3.invalid_length\", PI_MALFORMED, PI_ERROR, \"Invalid length\", EXPFILL }},\n { &ei_dnp_iin_abnormal, { \"dnp3.iin_abnormal\", PI_PROTOCOL, PI_WARN, \"IIN Abnormality\", EXPFILL }},\n { &ei_dnp3_data_hdr_crc_incorrect, { \"dnp3.hdr.CRC.incorrect\", PI_CHECKSUM, PI_WARN, \"Data Link Header Checksum incorrect\", EXPFILL }},\n { &ei_dnp3_data_chunk_crc_incorrect, { \"dnp3.data_chunk.CRC.incorrect\", PI_CHECKSUM, PI_WARN, \"Data Chunk Checksum incorrect\", EXPFILL }},\n { &ei_dnp3_unknown_object, { \"dnp3.unknown_object\", PI_PROTOCOL, PI_WARN, \"Unknown Object\\\\Variation\", EXPFILL }},\n { &ei_dnp3_unknown_group0_variation, { \"dnp3.unknown_group0_variation\", PI_PROTOCOL, PI_WARN, \"Unknown Group 0 Variation\", EXPFILL }},\n { &ei_dnp3_num_items_invalid, { \"dnp3.num_items_invalid\", PI_MALFORMED, PI_ERROR, \"Number of items is invalid for normally empty object. 
Potentially malicious packet\", EXPFILL }},\n /* Generated from convert_proto_tree_add_text.pl */\n#if 0\n { &ei_dnp3_buffering_user_data_until_final_frame_is_received, { \"dnp3.buffering_user_data_until_final_frame_is_received\", PI_PROTOCOL, PI_WARN, \"Buffering User Data Until Final Frame is Received..\", EXPFILL }},\n#endif\n };\n\n module_t *dnp3_module;\n expert_module_t* expert_dnp3;\n\n reassembly_table_register(&al_reassembly_table,\n &addresses_reassembly_table_functions);\n\n/* Register the protocol name and description */\n proto_dnp3 = proto_register_protocol(\"Distributed Network Protocol 3.0\", \"DNP 3.0\", \"dnp3\");\n\n/* Register the dissector so it may be used as a User DLT payload protocol */\n dnp3_tcp_handle = register_dissector(\"dnp3.tcp\", dissect_dnp3_tcp, proto_dnp3);\n dnp3_udp_handle = register_dissector(\"dnp3.udp\", dissect_dnp3_udp, proto_dnp3);\n\n/* Required function calls to register the header fields and subtrees used */\n proto_register_field_array(proto_dnp3, hf, array_length(hf));\n proto_register_subtree_array(ett, array_length(ett));\n expert_dnp3 = expert_register_protocol(proto_dnp3);\n expert_register_field_array(expert_dnp3, ei, array_length(ei));\n\n dnp3_module = prefs_register_protocol(proto_dnp3, NULL);\n prefs_register_obsolete_preference(dnp3_module, \"heuristics\");\n prefs_register_bool_preference(dnp3_module, \"desegment\",\n \"Reassemble DNP3 messages spanning multiple TCP segments\",\n \"Whether the DNP3 dissector should reassemble messages spanning multiple TCP segments.\"\n \" To use this option, you must also enable \\\"Allow subdissectors to reassemble TCP streams\\\" in the TCP protocol settings.\",\n &dnp3_desegment);\n}", "project": "wireshark", "hash": 125148304566891267921715862202960118097, "size": 1086, "commit_id": "618661b22e34a59b21117db723d8ff91e064d4ba", "message": "dnp: plug a memory leak.\n\nIf we're throwing away the data, *throw away the data* - free it, as\nwe're not using it as the 
backing data for a tvbuff.", "target": 0, "dataset": "other", "idx": 335499 }, { "func": "proto_register_tcp(void)\n{\n static hf_register_info hf[] = {\n\n { &hf_tcp_srcport,\n { \"Source Port\", \"tcp.srcport\", FT_UINT16, BASE_PT_TCP, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_dstport,\n { \"Destination Port\", \"tcp.dstport\", FT_UINT16, BASE_PT_TCP, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_port,\n { \"Source or Destination Port\", \"tcp.port\", FT_UINT16, BASE_PT_TCP, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_stream,\n { \"Stream index\", \"tcp.stream\", FT_UINT32, BASE_DEC, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_seq,\n { \"Sequence number\", \"tcp.seq\", FT_UINT32, BASE_DEC, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_nxtseq,\n { \"Next sequence number\", \"tcp.nxtseq\", FT_UINT32, BASE_DEC, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_ack,\n { \"Acknowledgment number\", \"tcp.ack\", FT_UINT32, BASE_DEC, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_hdr_len,\n { \"Header Length\", \"tcp.hdr_len\", FT_UINT8, BASE_DEC, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_flags,\n { \"Flags\", \"tcp.flags\", FT_UINT16, BASE_HEX, NULL, TH_MASK,\n \"Flags (12 bits)\", HFILL }},\n\n { &hf_tcp_flags_res,\n { \"Reserved\", \"tcp.flags.res\", FT_BOOLEAN, 12, TFS(&tfs_set_notset), TH_RES,\n \"Three reserved bits (must be zero)\", HFILL }},\n\n { &hf_tcp_flags_ns,\n { \"Nonce\", \"tcp.flags.ns\", FT_BOOLEAN, 12, TFS(&tfs_set_notset), TH_NS,\n \"ECN concealment protection (RFC 3540)\", HFILL }},\n\n { &hf_tcp_flags_cwr,\n { \"Congestion Window Reduced (CWR)\", \"tcp.flags.cwr\", FT_BOOLEAN, 12, TFS(&tfs_set_notset), TH_CWR,\n NULL, HFILL }},\n\n { &hf_tcp_flags_ecn,\n { \"ECN-Echo\", \"tcp.flags.ecn\", FT_BOOLEAN, 12, TFS(&tfs_set_notset), TH_ECN,\n NULL, HFILL }},\n\n { &hf_tcp_flags_urg,\n { \"Urgent\", \"tcp.flags.urg\", FT_BOOLEAN, 12, TFS(&tfs_set_notset), TH_URG,\n NULL, HFILL }},\n\n { &hf_tcp_flags_ack,\n { \"Acknowledgment\", \"tcp.flags.ack\", FT_BOOLEAN, 12, 
TFS(&tfs_set_notset), TH_ACK,\n NULL, HFILL }},\n\n { &hf_tcp_flags_push,\n { \"Push\", \"tcp.flags.push\", FT_BOOLEAN, 12, TFS(&tfs_set_notset), TH_PUSH,\n NULL, HFILL }},\n\n { &hf_tcp_flags_reset,\n { \"Reset\", \"tcp.flags.reset\", FT_BOOLEAN, 12, TFS(&tfs_set_notset), TH_RST,\n NULL, HFILL }},\n\n { &hf_tcp_flags_syn,\n { \"Syn\", \"tcp.flags.syn\", FT_BOOLEAN, 12, TFS(&tfs_set_notset), TH_SYN,\n NULL, HFILL }},\n\n { &hf_tcp_flags_fin,\n { \"Fin\", \"tcp.flags.fin\", FT_BOOLEAN, 12, TFS(&tfs_set_notset), TH_FIN,\n NULL, HFILL }},\n\n { &hf_tcp_flags_str,\n { \"TCP Flags\", \"tcp.flags.str\", FT_STRING, STR_UNICODE, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_window_size_value,\n { \"Window size value\", \"tcp.window_size_value\", FT_UINT16, BASE_DEC, NULL, 0x0,\n \"The window size value from the TCP header\", HFILL }},\n\n /* 32 bits so we can present some values adjusted to window scaling */\n { &hf_tcp_window_size,\n { \"Calculated window size\", \"tcp.window_size\", FT_UINT32, BASE_DEC, NULL, 0x0,\n \"The scaled window size (if scaling has been used)\", HFILL }},\n\n { &hf_tcp_window_size_scalefactor,\n { \"Window size scaling factor\", \"tcp.window_size_scalefactor\", FT_INT32, BASE_DEC, NULL, 0x0,\n \"The window size scaling factor (-1 when unknown, -2 when no scaling is used)\", HFILL }},\n\n { &hf_tcp_checksum,\n { \"Checksum\", \"tcp.checksum\", FT_UINT16, BASE_HEX, NULL, 0x0,\n \"Details at: http://www.wireshark.org/docs/wsug_html_chunked/ChAdvChecksums.html\", HFILL }},\n\n { &hf_tcp_checksum_status,\n { \"Checksum Status\", \"tcp.checksum.status\", FT_UINT8, BASE_NONE, VALS(proto_checksum_vals), 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_checksum_calculated,\n { \"Calculated Checksum\", \"tcp.checksum_calculated\", FT_UINT16, BASE_HEX, NULL, 0x0,\n \"The expected TCP checksum field as calculated from the TCP segment\", HFILL }},\n\n { &hf_tcp_analysis,\n { \"SEQ/ACK analysis\", \"tcp.analysis\", FT_NONE, BASE_NONE, NULL, 0x0,\n \"This frame has some of 
the TCP analysis shown\", HFILL }},\n\n { &hf_tcp_analysis_flags,\n { \"TCP Analysis Flags\", \"tcp.analysis.flags\", FT_NONE, BASE_NONE, NULL, 0x0,\n \"This frame has some of the TCP analysis flags set\", HFILL }},\n\n { &hf_tcp_analysis_duplicate_ack,\n { \"Duplicate ACK\", \"tcp.analysis.duplicate_ack\", FT_NONE, BASE_NONE, NULL, 0x0,\n \"This is a duplicate ACK\", HFILL }},\n\n { &hf_tcp_analysis_duplicate_ack_num,\n { \"Duplicate ACK #\", \"tcp.analysis.duplicate_ack_num\", FT_UINT32, BASE_DEC, NULL, 0x0,\n \"This is duplicate ACK number #\", HFILL }},\n\n { &hf_tcp_analysis_duplicate_ack_frame,\n { \"Duplicate to the ACK in frame\", \"tcp.analysis.duplicate_ack_frame\", FT_FRAMENUM, BASE_NONE, FRAMENUM_TYPE(FT_FRAMENUM_DUP_ACK), 0x0,\n \"This is a duplicate to the ACK in frame #\", HFILL }},\n\n { &hf_tcp_continuation_to,\n { \"This is a continuation to the PDU in frame\", \"tcp.continuation_to\", FT_FRAMENUM, BASE_NONE, NULL, 0x0,\n \"This is a continuation to the PDU in frame #\", HFILL }},\n\n { &hf_tcp_len,\n { \"TCP Segment Len\", \"tcp.len\", FT_UINT32, BASE_DEC, NULL, 0x0,\n NULL, HFILL}},\n\n { &hf_tcp_analysis_acks_frame,\n { \"This is an ACK to the segment in frame\", \"tcp.analysis.acks_frame\", FT_FRAMENUM, BASE_NONE, FRAMENUM_TYPE(FT_FRAMENUM_ACK), 0x0,\n \"Which previous segment is this an ACK for\", HFILL}},\n\n { &hf_tcp_analysis_bytes_in_flight,\n { \"Bytes in flight\", \"tcp.analysis.bytes_in_flight\", FT_UINT32, BASE_DEC, NULL, 0x0,\n \"How many bytes are now in flight for this connection\", HFILL}},\n\n { &hf_tcp_analysis_push_bytes_sent,\n { \"Bytes sent since last PSH flag\", \"tcp.analysis.push_bytes_sent\", FT_UINT32, BASE_DEC, NULL, 0x0,\n \"How many bytes have been sent since the last PSH flag\", HFILL}},\n\n { &hf_tcp_analysis_ack_rtt,\n { \"The RTT to ACK the segment was\", \"tcp.analysis.ack_rtt\", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,\n \"How long time it took to ACK the segment (RTT)\", HFILL}},\n\n { 
&hf_tcp_analysis_first_rtt,\n { \"iRTT\", \"tcp.analysis.initial_rtt\", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,\n \"How long it took for the SYN to ACK handshake (iRTT)\", HFILL}},\n\n { &hf_tcp_analysis_rto,\n { \"The RTO for this segment was\", \"tcp.analysis.rto\", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,\n \"How long transmission was delayed before this segment was retransmitted (RTO)\", HFILL}},\n\n { &hf_tcp_analysis_rto_frame,\n { \"RTO based on delta from frame\", \"tcp.analysis.rto_frame\", FT_FRAMENUM, BASE_NONE, NULL, 0x0,\n \"This is the frame we measure the RTO from\", HFILL }},\n\n { &hf_tcp_urgent_pointer,\n { \"Urgent pointer\", \"tcp.urgent_pointer\", FT_UINT16, BASE_DEC, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_segment_overlap,\n { \"Segment overlap\", \"tcp.segment.overlap\", FT_BOOLEAN, BASE_NONE, NULL, 0x0,\n \"Segment overlaps with other segments\", HFILL }},\n\n { &hf_tcp_segment_overlap_conflict,\n { \"Conflicting data in segment overlap\", \"tcp.segment.overlap.conflict\", FT_BOOLEAN, BASE_NONE, NULL, 0x0,\n \"Overlapping segments contained conflicting data\", HFILL }},\n\n { &hf_tcp_segment_multiple_tails,\n { \"Multiple tail segments found\", \"tcp.segment.multipletails\", FT_BOOLEAN, BASE_NONE, NULL, 0x0,\n \"Several tails were found when reassembling the pdu\", HFILL }},\n\n { &hf_tcp_segment_too_long_fragment,\n { \"Segment too long\", \"tcp.segment.toolongfragment\", FT_BOOLEAN, BASE_NONE, NULL, 0x0,\n \"Segment contained data past end of the pdu\", HFILL }},\n\n { &hf_tcp_segment_error,\n { \"Reassembling error\", \"tcp.segment.error\", FT_FRAMENUM, BASE_NONE, NULL, 0x0,\n \"Reassembling error due to illegal segments\", HFILL }},\n\n { &hf_tcp_segment_count,\n { \"Segment count\", \"tcp.segment.count\", FT_UINT32, BASE_DEC, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_segment,\n { \"TCP Segment\", \"tcp.segment\", FT_FRAMENUM, BASE_NONE, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_segments,\n { \"Reassembled TCP Segments\", 
\"tcp.segments\", FT_NONE, BASE_NONE, NULL, 0x0,\n \"TCP Segments\", HFILL }},\n\n { &hf_tcp_reassembled_in,\n { \"Reassembled PDU in frame\", \"tcp.reassembled_in\", FT_FRAMENUM, BASE_NONE, NULL, 0x0,\n \"The PDU that doesn't end in this segment is reassembled in this frame\", HFILL }},\n\n { &hf_tcp_reassembled_length,\n { \"Reassembled TCP length\", \"tcp.reassembled.length\", FT_UINT32, BASE_DEC, NULL, 0x0,\n \"The total length of the reassembled payload\", HFILL }},\n\n { &hf_tcp_reassembled_data,\n { \"Reassembled TCP Data\", \"tcp.reassembled.data\", FT_BYTES, BASE_NONE, NULL, 0x0,\n \"The reassembled payload\", HFILL }},\n\n { &hf_tcp_option_kind,\n { \"Kind\", \"tcp.option_kind\", FT_UINT8,\n BASE_DEC|BASE_EXT_STRING, &tcp_option_kind_vs_ext, 0x0, \"This TCP option's kind\", HFILL }},\n\n { &hf_tcp_option_len,\n { \"Length\", \"tcp.option_len\", FT_UINT8,\n BASE_DEC, NULL, 0x0, \"Length of this TCP option in bytes (including kind and length fields)\", HFILL }},\n\n { &hf_tcp_options,\n { \"TCP Options\", \"tcp.options\", FT_BYTES,\n BASE_NONE, NULL, 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_mss_val,\n { \"MSS Value\", \"tcp.options.mss_val\", FT_UINT16,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_wscale_shift,\n { \"Shift count\", \"tcp.options.wscale.shift\", FT_UINT8,\n BASE_DEC, NULL, 0x0, \"Logarithmically encoded power of 2 scale factor\", HFILL}},\n\n { &hf_tcp_option_wscale_multiplier,\n { \"Multiplier\", \"tcp.options.wscale.multiplier\", FT_UINT16,\n BASE_DEC, NULL, 0x0, \"Multiply segment window size by this for scaled window size\", HFILL}},\n\n { &hf_tcp_option_exp_data,\n { \"Data\", \"tcp.options.experimental.data\", FT_BYTES,\n BASE_NONE, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_exp_magic_number,\n { \"Magic Number\", \"tcp.options.experimental.magic_number\", FT_UINT16,\n BASE_HEX, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_unknown_payload,\n { \"Payload\", \"tcp.options.unknown.payload\", FT_BYTES,\n BASE_NONE, 
NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_sack_sle,\n {\"TCP SACK Left Edge\", \"tcp.options.sack_le\", FT_UINT32,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_sack_sre,\n {\"TCP SACK Right Edge\", \"tcp.options.sack_re\", FT_UINT32,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_sack_range_count,\n { \"TCP SACK Count\", \"tcp.options.sack.count\", FT_UINT8,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_echo,\n { \"TCP Echo Option\", \"tcp.options.echo_value\", FT_UINT32,\n BASE_DEC, NULL, 0x0, \"TCP Sack Echo\", HFILL}},\n\n { &hf_tcp_option_timestamp_tsval,\n { \"Timestamp value\", \"tcp.options.timestamp.tsval\", FT_UINT32,\n BASE_DEC, NULL, 0x0, \"Value of sending machine's timestamp clock\", HFILL}},\n\n { &hf_tcp_option_timestamp_tsecr,\n { \"Timestamp echo reply\", \"tcp.options.timestamp.tsecr\", FT_UINT32,\n BASE_DEC, NULL, 0x0, \"Echoed timestamp from remote machine\", HFILL}},\n\n { &hf_tcp_option_mptcp_subtype,\n { \"Multipath TCP subtype\", \"tcp.options.mptcp.subtype\", FT_UINT8,\n BASE_DEC, VALS(mptcp_subtype_vs), 0xF0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_version,\n { \"Multipath TCP version\", \"tcp.options.mptcp.version\", FT_UINT8,\n BASE_DEC, NULL, 0x0F, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_reserved,\n { \"Reserved\", \"tcp.options.mptcp.reserved\", FT_UINT16,\n BASE_HEX, NULL, 0x0FFF, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_flags,\n { \"Multipath TCP flags\", \"tcp.options.mptcp.flags\", FT_UINT8,\n BASE_HEX, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_backup_flag,\n { \"Backup flag\", \"tcp.options.mptcp.backup.flag\", FT_UINT8,\n BASE_DEC, NULL, 0x01, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_checksum_flag,\n { \"Checksum required\", \"tcp.options.mptcp.checksumreq.flags\", FT_UINT8,\n BASE_DEC, NULL, MPTCP_CHECKSUM_MASK, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_B_flag,\n { \"Extensibility\", \"tcp.options.mptcp.extensibility.flag\", FT_UINT8,\n BASE_DEC, NULL, 0x40, NULL, 
HFILL}},\n\n { &hf_tcp_option_mptcp_H_flag,\n { \"Use HMAC-SHA1\", \"tcp.options.mptcp.sha1.flag\", FT_UINT8,\n BASE_DEC, NULL, 0x01, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_F_flag,\n { \"DATA_FIN\", \"tcp.options.mptcp.datafin.flag\", FT_UINT8,\n BASE_DEC, NULL, MPTCP_DSS_FLAG_DATA_FIN_PRESENT, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_m_flag,\n { \"Data Sequence Number is 8 octets\", \"tcp.options.mptcp.dseqn8.flag\", FT_UINT8,\n BASE_DEC, NULL, MPTCP_DSS_FLAG_DSN_8BYTES, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_M_flag,\n { \"Data Sequence Number, Subflow Sequence Number, Data-level Length, Checksum present\", \"tcp.options.mptcp.dseqnpresent.flag\", FT_UINT8,\n BASE_DEC, NULL, MPTCP_DSS_FLAG_MAPPING_PRESENT, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_a_flag,\n { \"Data ACK is 8 octets\", \"tcp.options.mptcp.dataack8.flag\", FT_UINT8,\n BASE_DEC, NULL, MPTCP_DSS_FLAG_DATA_ACK_8BYTES, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_A_flag,\n { \"Data ACK is present\", \"tcp.options.mptcp.dataackpresent.flag\", FT_UINT8,\n BASE_DEC, NULL, MPTCP_DSS_FLAG_DATA_ACK_PRESENT, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_reserved_flag,\n { \"Reserved\", \"tcp.options.mptcp.reserved.flag\", FT_UINT8,\n BASE_HEX, NULL, 0x3E, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_address_id,\n { \"Address ID\", \"tcp.options.mptcp.addrid\", FT_UINT8,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_sender_key,\n { \"Sender's Key\", \"tcp.options.mptcp.sendkey\", FT_UINT64,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_recv_key,\n { \"Receiver's Key\", \"tcp.options.mptcp.recvkey\", FT_UINT64,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_recv_token,\n { \"Receiver's Token\", \"tcp.options.mptcp.recvtok\", FT_UINT32,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_sender_rand,\n { \"Sender's Random Number\", \"tcp.options.mptcp.sendrand\", FT_UINT32,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { 
&hf_tcp_option_mptcp_sender_trunc_hmac,\n { \"Sender's Truncated HMAC\", \"tcp.options.mptcp.sendtrunchmac\", FT_UINT64,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_sender_hmac,\n { \"Sender's HMAC\", \"tcp.options.mptcp.sendhmac\", FT_BYTES,\n BASE_NONE, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_addaddr_trunc_hmac,\n { \"Truncated HMAC\", \"tcp.options.mptcp.addaddrtrunchmac\", FT_UINT64,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_data_ack_raw,\n { \"Original MPTCP Data ACK\", \"tcp.options.mptcp.rawdataack\", FT_UINT64,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_data_seq_no_raw,\n { \"Data Sequence Number\", \"tcp.options.mptcp.rawdataseqno\", FT_UINT64,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_subflow_seq_no,\n { \"Subflow Sequence Number\", \"tcp.options.mptcp.subflowseqno\", FT_UINT32,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_data_lvl_len,\n { \"Data-level Length\", \"tcp.options.mptcp.datalvllen\", FT_UINT16,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_checksum,\n { \"Checksum\", \"tcp.options.mptcp.checksum\", FT_UINT16,\n BASE_HEX, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_ipver,\n { \"IP version\", \"tcp.options.mptcp.ipver\", FT_UINT8,\n BASE_DEC, NULL, 0x0F, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_ipv4,\n { \"Advertised IPv4 Address\", \"tcp.options.mptcp.ipv4\", FT_IPv4,\n BASE_NONE, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_ipv6,\n { \"Advertised IPv6 Address\", \"tcp.options.mptcp.ipv6\", FT_IPv6,\n BASE_NONE, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_mptcp_port,\n { \"Advertised port\", \"tcp.options.mptcp.port\", FT_UINT16,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_cc,\n { \"TCP CC Option\", \"tcp.options.cc_value\", FT_UINT32, BASE_DEC,\n NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_md5_digest,\n { \"MD5 digest\", \"tcp.options.md5.digest\", FT_BYTES, 
BASE_NONE,\n NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_qs_rate,\n { \"QS Rate\", \"tcp.options.qs.rate\", FT_UINT8, BASE_DEC|BASE_EXT_STRING,\n &qs_rate_vals_ext, 0x0F, NULL, HFILL}},\n\n { &hf_tcp_option_qs_ttl_diff,\n { \"QS Rate\", \"tcp.options.qs.ttl_diff\", FT_UINT8, BASE_DEC,\n NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_option_scps_vector,\n { \"TCP SCPS Capabilities Vector\", \"tcp.options.scps.vector\",\n FT_UINT8, BASE_HEX, NULL, 0x0,\n NULL, HFILL}},\n\n { &hf_tcp_option_scps_binding,\n { \"Binding Space (Community) ID\",\n \"tcp.options.scps.binding.id\",\n FT_UINT8, BASE_DEC, NULL, 0x0,\n \"TCP SCPS Extended Binding Space (Community) ID\", HFILL}},\n\n { &hf_tcp_option_scps_binding_len,\n { \"Extended Capability Length\",\n \"tcp.options.scps.binding.len\",\n FT_UINT8, BASE_DEC, NULL, 0x0,\n \"TCP SCPS Extended Capability Length in bytes\", HFILL}},\n\n { &hf_tcp_option_snack_offset,\n { \"TCP SNACK Offset\", \"tcp.options.snack.offset\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n NULL, HFILL}},\n\n { &hf_tcp_option_snack_size,\n { \"TCP SNACK Size\", \"tcp.options.snack.size\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n NULL, HFILL}},\n\n { &hf_tcp_option_snack_le,\n { \"TCP SNACK Left Edge\", \"tcp.options.snack.le\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n NULL, HFILL}},\n\n { &hf_tcp_option_snack_re,\n { \"TCP SNACK Right Edge\", \"tcp.options.snack.re\",\n FT_UINT16, BASE_DEC, NULL, 0x0,\n NULL, HFILL}},\n\n { &hf_tcp_scpsoption_flags_bets,\n { \"Partial Reliability Capable (BETS)\",\n \"tcp.options.scpsflags.bets\", FT_BOOLEAN, 8,\n TFS(&tfs_set_notset), 0x80, NULL, HFILL }},\n\n { &hf_tcp_scpsoption_flags_snack1,\n { \"Short Form SNACK Capable (SNACK1)\",\n \"tcp.options.scpsflags.snack1\", FT_BOOLEAN, 8,\n TFS(&tfs_set_notset), 0x40, NULL, HFILL }},\n\n { &hf_tcp_scpsoption_flags_snack2,\n { \"Long Form SNACK Capable (SNACK2)\",\n \"tcp.options.scpsflags.snack2\", FT_BOOLEAN, 8,\n TFS(&tfs_set_notset), 0x20, NULL, HFILL }},\n\n { 
&hf_tcp_scpsoption_flags_compress,\n { \"Lossless Header Compression (COMP)\",\n \"tcp.options.scpsflags.compress\", FT_BOOLEAN, 8,\n TFS(&tfs_set_notset), 0x10, NULL, HFILL }},\n\n { &hf_tcp_scpsoption_flags_nlts,\n { \"Network Layer Timestamp (NLTS)\",\n \"tcp.options.scpsflags.nlts\", FT_BOOLEAN, 8,\n TFS(&tfs_set_notset), 0x8, NULL, HFILL }},\n\n { &hf_tcp_scpsoption_flags_reserved,\n { \"Reserved\",\n \"tcp.options.scpsflags.reserved\", FT_UINT8, BASE_DEC,\n NULL, 0x7, NULL, HFILL }},\n\n { &hf_tcp_scpsoption_connection_id,\n { \"Connection ID\",\n \"tcp.options.scps.binding\",\n FT_UINT8, BASE_DEC, NULL, 0x0,\n \"TCP SCPS Connection ID\", HFILL}},\n\n { &hf_tcp_option_user_to_granularity,\n { \"Granularity\", \"tcp.options.user_to_granularity\", FT_BOOLEAN,\n 16, TFS(&tcp_option_user_to_granularity), 0x8000, \"TCP User Timeout Granularity\", HFILL}},\n\n { &hf_tcp_option_user_to_val,\n { \"User Timeout\", \"tcp.options.user_to_val\", FT_UINT16,\n BASE_DEC, NULL, 0x7FFF, \"TCP User Timeout Value\", HFILL}},\n\n { &hf_tcp_option_rvbd_probe_type1,\n { \"Type\", \"tcp.options.rvbd.probe.type1\",\n FT_UINT8, BASE_DEC, NULL, 0xF0, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_type2,\n { \"Type\", \"tcp.options.rvbd.probe.type2\",\n FT_UINT8, BASE_DEC, NULL, 0xFE, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_version1,\n { \"Version\", \"tcp.options.rvbd.probe.version\",\n FT_UINT8, BASE_DEC, NULL, 0x0F, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_version2,\n { \"Version\", \"tcp.options.rvbd.probe.version_raw\",\n FT_UINT8, BASE_DEC, NULL, 0x01, \"Version 2 Raw Value\", HFILL }},\n\n { &hf_tcp_option_rvbd_probe_prober,\n { \"CSH IP\", \"tcp.options.rvbd.probe.prober\",\n FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_proxy,\n { \"SSH IP\", \"tcp.options.rvbd.probe.proxy.ip\",\n FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_proxy_port,\n { \"SSH Port\", \"tcp.options.rvbd.probe.proxy.port\",\n 
FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_appli_ver,\n { \"Application Version\", \"tcp.options.rvbd.probe.appli_ver\",\n FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_client,\n { \"Client IP\", \"tcp.options.rvbd.probe.client.ip\",\n FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_storeid,\n { \"CFE Store ID\", \"tcp.options.rvbd.probe.storeid\",\n FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_flags,\n { \"Probe Flags\", \"tcp.options.rvbd.probe.flags\",\n FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_flag_not_cfe,\n { \"Not CFE\", \"tcp.options.rvbd.probe.flags.notcfe\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), RVBD_FLAGS_PROBE_NCFE,\n NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_flag_last_notify,\n { \"Last Notify\", \"tcp.options.rvbd.probe.flags.last\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), RVBD_FLAGS_PROBE_LAST,\n NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_flag_probe_cache,\n { \"Disable Probe Cache on CSH\", \"tcp.options.rvbd.probe.flags.probe\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), RVBD_FLAGS_PROBE,\n NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_flag_sslcert,\n { \"SSL Enabled\", \"tcp.options.rvbd.probe.flags.ssl\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), RVBD_FLAGS_PROBE_SSLCERT,\n NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_flag_server_connected,\n { \"SSH outer to server established\", \"tcp.options.rvbd.probe.flags.server\",\n FT_BOOLEAN, 8, TFS(&tfs_set_notset), RVBD_FLAGS_PROBE_SERVER,\n NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_trpy_flags,\n { \"Transparency Options\", \"tcp.options.rvbd.trpy.flags\",\n FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_trpy_flag_fw_rst_probe,\n { \"Enable FW traversal feature\", \"tcp.options.rvbd.trpy.flags.fw_rst_probe\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset),\n RVBD_FLAGS_TRPY_FW_RST_PROBE,\n \"Reset state 
created by probe on the nexthop firewall\",\n HFILL }},\n\n { &hf_tcp_option_rvbd_trpy_flag_fw_rst_inner,\n { \"Enable Inner FW feature on All FWs\", \"tcp.options.rvbd.trpy.flags.fw_rst_inner\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset),\n RVBD_FLAGS_TRPY_FW_RST_INNER,\n \"Reset state created by transparent inner on all firewalls\"\n \" before passing connection through\",\n HFILL }},\n\n { &hf_tcp_option_rvbd_trpy_flag_fw_rst,\n { \"Enable Transparency FW feature on All FWs\", \"tcp.options.rvbd.trpy.flags.fw_rst\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset),\n RVBD_FLAGS_TRPY_FW_RST,\n \"Reset state created by probe on all firewalls before \"\n \"establishing transparent inner connection\", HFILL }},\n\n { &hf_tcp_option_rvbd_trpy_flag_chksum,\n { \"Reserved\", \"tcp.options.rvbd.trpy.flags.chksum\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset),\n RVBD_FLAGS_TRPY_CHKSUM, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_trpy_flag_oob,\n { \"Out of band connection\", \"tcp.options.rvbd.trpy.flags.oob\",\n FT_BOOLEAN, 16, TFS(&tfs_set_notset),\n RVBD_FLAGS_TRPY_OOB, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_trpy_flag_mode,\n { \"Transparency Mode\", \"tcp.options.rvbd.trpy.flags.mode\",\n FT_BOOLEAN, 16, TFS(&trpy_mode_str),\n RVBD_FLAGS_TRPY_MODE, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_trpy_src,\n { \"Src SH IP Addr\", \"tcp.options.rvbd.trpy.src.ip\",\n FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_trpy_dst,\n { \"Dst SH IP Addr\", \"tcp.options.rvbd.trpy.dst.ip\",\n FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_trpy_src_port,\n { \"Src SH Inner Port\", \"tcp.options.rvbd.trpy.src.port\",\n FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_trpy_dst_port,\n { \"Dst SH Inner Port\", \"tcp.options.rvbd.trpy.dst.port\",\n FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_trpy_client_port,\n { \"Out of band connection Client Port\", \"tcp.options.rvbd.trpy.client.port\",\n FT_UINT16, 
BASE_DEC, NULL , 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_fast_open_cookie_request,\n { \"Fast Open Cookie Request\", \"tcp.options.tfo.request\", FT_NONE,\n BASE_NONE, NULL, 0x0, NULL, HFILL }},\n\n { &hf_tcp_option_fast_open_cookie,\n { \"Fast Open Cookie\", \"tcp.options.tfo.cookie\", FT_BYTES,\n BASE_NONE, NULL, 0x0, NULL, HFILL}},\n\n { &hf_tcp_pdu_time,\n { \"Time until the last segment of this PDU\", \"tcp.pdu.time\", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,\n \"How long time has passed until the last frame of this PDU\", HFILL}},\n\n { &hf_tcp_pdu_size,\n { \"PDU Size\", \"tcp.pdu.size\", FT_UINT32, BASE_DEC, NULL, 0x0,\n \"The size of this PDU\", HFILL}},\n\n { &hf_tcp_pdu_last_frame,\n { \"Last frame of this PDU\", \"tcp.pdu.last_frame\", FT_FRAMENUM, BASE_NONE, NULL, 0x0,\n \"This is the last frame of the PDU starting in this segment\", HFILL }},\n\n { &hf_tcp_ts_relative,\n { \"Time since first frame in this TCP stream\", \"tcp.time_relative\", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,\n \"Time relative to first frame in this TCP stream\", HFILL}},\n\n { &hf_tcp_ts_delta,\n { \"Time since previous frame in this TCP stream\", \"tcp.time_delta\", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,\n \"Time delta from previous frame in this TCP stream\", HFILL}},\n\n { &hf_tcp_proc_src_uid,\n { \"Source process user ID\", \"tcp.proc.srcuid\", FT_UINT32, BASE_DEC, NULL, 0x0,\n NULL, HFILL}},\n\n { &hf_tcp_proc_src_pid,\n { \"Source process ID\", \"tcp.proc.srcpid\", FT_UINT32, BASE_DEC, NULL, 0x0,\n NULL, HFILL}},\n\n { &hf_tcp_proc_src_uname,\n { \"Source process user name\", \"tcp.proc.srcuname\", FT_STRING, BASE_NONE, NULL, 0x0,\n NULL, HFILL}},\n\n { &hf_tcp_proc_src_cmd,\n { \"Source process name\", \"tcp.proc.srccmd\", FT_STRING, BASE_NONE, NULL, 0x0,\n \"Source process command name\", HFILL}},\n\n { &hf_tcp_proc_dst_uid,\n { \"Destination process user ID\", \"tcp.proc.dstuid\", FT_UINT32, BASE_DEC, NULL, 0x0,\n NULL, HFILL}},\n\n { &hf_tcp_proc_dst_pid,\n { 
\"Destination process ID\", \"tcp.proc.dstpid\", FT_UINT32, BASE_DEC, NULL, 0x0,\n NULL, HFILL}},\n\n { &hf_tcp_proc_dst_uname,\n { \"Destination process user name\", \"tcp.proc.dstuname\", FT_STRING, BASE_NONE, NULL, 0x0,\n NULL, HFILL}},\n\n { &hf_tcp_proc_dst_cmd,\n { \"Destination process name\", \"tcp.proc.dstcmd\", FT_STRING, BASE_NONE, NULL, 0x0,\n \"Destination process command name\", HFILL}},\n\n { &hf_tcp_segment_data,\n { \"TCP segment data\", \"tcp.segment_data\", FT_BYTES, BASE_NONE, NULL, 0x0,\n \"A data segment used in reassembly of a lower-level protocol\", HFILL}},\n\n { &hf_tcp_payload,\n { \"TCP payload\", \"tcp.payload\", FT_BYTES, BASE_NONE, NULL, 0x0,\n \"The TCP payload of this packet\", HFILL}},\n\n { &hf_tcp_option_scps_binding_data,\n { \"Binding Space Data\", \"tcp.options.scps.binding.data\", FT_BYTES, BASE_NONE, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_option_rvbd_probe_reserved,\n { \"Reserved\", \"tcp.options.rvbd.probe.reserved\", FT_UINT8, BASE_HEX, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_fin_retransmission,\n { \"Retransmission of FIN from frame\", \"tcp.fin_retransmission\", FT_FRAMENUM, BASE_NONE, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_tcp_reset_cause,\n { \"Reset cause\", \"tcp.reset_cause\", FT_STRING, BASE_NONE, NULL, 0x0,\n NULL, HFILL }},\n };\n\n static gint *ett[] = {\n &ett_tcp,\n &ett_tcp_flags,\n &ett_tcp_options,\n &ett_tcp_option_timestamp,\n &ett_tcp_option_mptcp,\n &ett_tcp_option_wscale,\n &ett_tcp_option_sack,\n &ett_tcp_option_snack,\n &ett_tcp_option_scps,\n &ett_tcp_scpsoption_flags,\n &ett_tcp_option_scps_extended,\n &ett_tcp_option_user_to,\n &ett_tcp_option_exp,\n &ett_tcp_option_sack_perm,\n &ett_tcp_option_mss,\n &ett_tcp_opt_rvbd_probe,\n &ett_tcp_opt_rvbd_probe_flags,\n &ett_tcp_opt_rvbd_trpy,\n &ett_tcp_opt_rvbd_trpy_flags,\n &ett_tcp_opt_echo,\n &ett_tcp_opt_cc,\n &ett_tcp_opt_md5,\n &ett_tcp_opt_qs,\n &ett_tcp_analysis_faults,\n &ett_tcp_analysis,\n &ett_tcp_timestamps,\n &ett_tcp_segments,\n 
&ett_tcp_segment,\n &ett_tcp_checksum,\n &ett_tcp_process_info,\n &ett_tcp_unknown_opt,\n &ett_tcp_opt_recbound,\n &ett_tcp_opt_scpscor,\n &ett_tcp_option_other\n };\n\n static gint *mptcp_ett[] = {\n &ett_mptcp_analysis,\n &ett_mptcp_analysis_subflows\n };\n\n static const enum_val_t window_scaling_vals[] = {\n {\"not-known\", \"Not known\", WindowScaling_NotKnown},\n {\"0\", \"0 (no scaling)\", WindowScaling_0},\n {\"1\", \"1 (multiply by 2)\", WindowScaling_1},\n {\"2\", \"2 (multiply by 4)\", WindowScaling_2},\n {\"3\", \"3 (multiply by 8)\", WindowScaling_3},\n {\"4\", \"4 (multiply by 16)\", WindowScaling_4},\n {\"5\", \"5 (multiply by 32)\", WindowScaling_5},\n {\"6\", \"6 (multiply by 64)\", WindowScaling_6},\n {\"7\", \"7 (multiply by 128)\", WindowScaling_7},\n {\"8\", \"8 (multiply by 256)\", WindowScaling_8},\n {\"9\", \"9 (multiply by 512)\", WindowScaling_9},\n {\"10\", \"10 (multiply by 1024)\", WindowScaling_10},\n {\"11\", \"11 (multiply by 2048)\", WindowScaling_11},\n {\"12\", \"12 (multiply by 4096)\", WindowScaling_12},\n {\"13\", \"13 (multiply by 8192)\", WindowScaling_13},\n {\"14\", \"14 (multiply by 16384)\", WindowScaling_14},\n {NULL, NULL, -1}\n };\n\n static ei_register_info ei[] = {\n { &ei_tcp_opt_len_invalid, { \"tcp.option.len.invalid\", PI_SEQUENCE, PI_NOTE, \"Invalid length for option\", EXPFILL }},\n { &ei_tcp_analysis_retransmission, { \"tcp.analysis.retransmission\", PI_SEQUENCE, PI_NOTE, \"This frame is a (suspected) retransmission\", EXPFILL }},\n { &ei_tcp_analysis_fast_retransmission, { \"tcp.analysis.fast_retransmission\", PI_SEQUENCE, PI_NOTE, \"This frame is a (suspected) fast retransmission\", EXPFILL }},\n { &ei_tcp_analysis_spurious_retransmission, { \"tcp.analysis.spurious_retransmission\", PI_SEQUENCE, PI_NOTE, \"This frame is a (suspected) spurious retransmission\", EXPFILL }},\n { &ei_tcp_analysis_out_of_order, { \"tcp.analysis.out_of_order\", PI_SEQUENCE, PI_WARN, \"This frame is a (suspected) out-of-order 
segment\", EXPFILL }},\n { &ei_tcp_analysis_reused_ports, { \"tcp.analysis.reused_ports\", PI_SEQUENCE, PI_NOTE, \"A new tcp session is started with the same ports as an earlier session in this trace\", EXPFILL }},\n { &ei_tcp_analysis_lost_packet, { \"tcp.analysis.lost_segment\", PI_SEQUENCE, PI_WARN, \"Previous segment(s) not captured (common at capture start)\", EXPFILL }},\n { &ei_tcp_analysis_ack_lost_packet, { \"tcp.analysis.ack_lost_segment\", PI_SEQUENCE, PI_WARN, \"ACKed segment that wasn't captured (common at capture start)\", EXPFILL }},\n { &ei_tcp_analysis_window_update, { \"tcp.analysis.window_update\", PI_SEQUENCE, PI_CHAT, \"TCP window update\", EXPFILL }},\n { &ei_tcp_analysis_window_full, { \"tcp.analysis.window_full\", PI_SEQUENCE, PI_WARN, \"TCP window specified by the receiver is now completely full\", EXPFILL }},\n { &ei_tcp_analysis_keep_alive, { \"tcp.analysis.keep_alive\", PI_SEQUENCE, PI_NOTE, \"TCP keep-alive segment\", EXPFILL }},\n { &ei_tcp_analysis_keep_alive_ack, { \"tcp.analysis.keep_alive_ack\", PI_SEQUENCE, PI_NOTE, \"ACK to a TCP keep-alive segment\", EXPFILL }},\n { &ei_tcp_analysis_duplicate_ack, { \"tcp.analysis.duplicate_ack\", PI_SEQUENCE, PI_NOTE, \"Duplicate ACK\", EXPFILL }},\n { &ei_tcp_analysis_zero_window_probe, { \"tcp.analysis.zero_window_probe\", PI_SEQUENCE, PI_NOTE, \"TCP Zero Window Probe\", EXPFILL }},\n { &ei_tcp_analysis_zero_window, { \"tcp.analysis.zero_window\", PI_SEQUENCE, PI_WARN, \"TCP Zero Window segment\", EXPFILL }},\n { &ei_tcp_analysis_zero_window_probe_ack, { \"tcp.analysis.zero_window_probe_ack\", PI_SEQUENCE, PI_NOTE, \"ACK to a TCP Zero Window Probe\", EXPFILL }},\n { &ei_tcp_analysis_tfo_syn, { \"tcp.analysis.tfo_syn\", PI_SEQUENCE, PI_NOTE, \"TCP SYN with TFO Cookie\", EXPFILL }},\n { &ei_tcp_scps_capable, { \"tcp.analysis.zero_window_probe_ack\", PI_SEQUENCE, PI_NOTE, \"Connection establish request (SYN-ACK): SCPS Capabilities Negotiated\", EXPFILL }},\n { &ei_tcp_option_snack_sequence, { 
\"tcp.options.snack.sequence\", PI_SEQUENCE, PI_NOTE, \"SNACK Sequence\", EXPFILL }},\n { &ei_tcp_option_wscale_shift_invalid, { \"tcp.options.wscale.shift.invalid\", PI_PROTOCOL, PI_WARN, \"Window scale shift exceeds 14\", EXPFILL }},\n { &ei_tcp_short_segment, { \"tcp.short_segment\", PI_MALFORMED, PI_WARN, \"Short segment\", EXPFILL }},\n { &ei_tcp_ack_nonzero, { \"tcp.ack.nonzero\", PI_PROTOCOL, PI_NOTE, \"The acknowledgment number field is nonzero while the ACK flag is not set\", EXPFILL }},\n { &ei_tcp_connection_sack, { \"tcp.connection.sack\", PI_SEQUENCE, PI_CHAT, \"Connection establish acknowledge (SYN+ACK)\", EXPFILL }},\n { &ei_tcp_connection_syn, { \"tcp.connection.syn\", PI_SEQUENCE, PI_CHAT, \"Connection establish request (SYN)\", EXPFILL }},\n { &ei_tcp_connection_fin, { \"tcp.connection.fin\", PI_SEQUENCE, PI_CHAT, \"Connection finish (FIN)\", EXPFILL }},\n /* According to RFCs, RST is an indication of an error. Some applications use it\n * to terminate a connection as well, which is a misbehavior (see e.g. 
rfc3360)\n */\n { &ei_tcp_connection_rst, { \"tcp.connection.rst\", PI_SEQUENCE, PI_WARN, \"Connection reset (RST)\", EXPFILL }},\n { &ei_tcp_checksum_ffff, { \"tcp.checksum.ffff\", PI_CHECKSUM, PI_WARN, \"TCP Checksum 0xffff instead of 0x0000 (see RFC 1624)\", EXPFILL }},\n { &ei_tcp_checksum_bad, { \"tcp.checksum_bad.expert\", PI_CHECKSUM, PI_ERROR, \"Bad checksum\", EXPFILL }},\n { &ei_tcp_urgent_pointer_non_zero, { \"tcp.urgent_pointer.non_zero\", PI_PROTOCOL, PI_NOTE, \"The urgent pointer field is nonzero while the URG flag is not set\", EXPFILL }},\n { &ei_tcp_suboption_malformed, { \"tcp.suboption_malformed\", PI_MALFORMED, PI_ERROR, \"suboption would go past end of option\", EXPFILL }},\n { &ei_tcp_nop, { \"tcp.nop\", PI_PROTOCOL, PI_WARN, \"4 NOP in a row - a router may have removed some options\", EXPFILL }},\n { &ei_tcp_bogus_header_length, { \"tcp.bogus_header_length\", PI_PROTOCOL, PI_ERROR, \"Bogus TCP Header length\", EXPFILL }},\n };\n\n static ei_register_info mptcp_ei[] = {\n#if 0\n { &ei_mptcp_analysis_unexpected_idsn, { \"mptcp.connection.unexpected_idsn\", PI_PROTOCOL, PI_NOTE, \"Unexpected initial sequence number\", EXPFILL }},\n#endif\n { &ei_mptcp_analysis_echoed_key_mismatch, { \"mptcp.connection.echoed_key_mismatch\", PI_PROTOCOL, PI_WARN, \"The echoed key in the ACK of the MPTCP handshake does not match the key of the SYN/ACK\", EXPFILL }},\n { &ei_mptcp_analysis_missing_algorithm, { \"mptcp.connection.missing_algorithm\", PI_PROTOCOL, PI_WARN, \"No crypto algorithm specified\", EXPFILL }},\n { &ei_mptcp_analysis_unsupported_algorithm, { \"mptcp.connection.unsupported_algorithm\", PI_PROTOCOL, PI_WARN, \"Unsupported algorithm\", EXPFILL }},\n { &ei_mptcp_infinite_mapping, { \"mptcp.dss.infinite_mapping\", PI_PROTOCOL, PI_WARN, \"Fallback to infinite mapping\", EXPFILL }},\n { &ei_mptcp_mapping_missing, { \"mptcp.dss.missing_mapping\", PI_PROTOCOL, PI_WARN, \"No mapping available\", EXPFILL }},\n#if 0\n { &ei_mptcp_stream_incomplete, { 
\"mptcp.incomplete\", PI_PROTOCOL, PI_WARN, \"Everything was not captured\", EXPFILL }},\n { &ei_mptcp_analysis_dsn_out_of_order, { \"mptcp.analysis.dsn.out_of_order\", PI_PROTOCOL, PI_WARN, \"Out of order dsn\", EXPFILL }},\n#endif\n };\n\n static hf_register_info mptcp_hf[] = {\n { &hf_mptcp_ack,\n { \"Multipath TCP Data ACK\", \"mptcp.ack\", FT_UINT64,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_mptcp_dsn,\n { \"Data Sequence Number\", \"mptcp.dsn\", FT_UINT64, BASE_DEC, NULL, 0x0,\n \"Data Sequence Number mapped to this TCP sequence number\", HFILL}},\n\n { &hf_mptcp_rawdsn64,\n { \"Raw Data Sequence Number\", \"mptcp.rawdsn64\", FT_UINT64, BASE_DEC, NULL, 0x0,\n \"Data Sequence Number mapped to this TCP sequence number\", HFILL}},\n\n { &hf_mptcp_dss_dsn,\n { \"DSS Data Sequence Number\", \"mptcp.dss.dsn\", FT_UINT64,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_mptcp_expected_idsn,\n { \"Subflow expected IDSN\", \"mptcp.expected_idsn\", FT_UINT64,\n BASE_DEC|BASE_UNIT_STRING, &units_64bit_version, 0x0, NULL, HFILL}},\n\n { &hf_mptcp_analysis_subflows_stream_id,\n { \"List subflow Stream IDs\", \"mptcp.analysis.subflows.streamid\", FT_UINT16,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_mptcp_analysis,\n { \"MPTCP analysis\", \"mptcp.analysis\", FT_NONE, BASE_NONE, NULL, 0x0,\n \"This frame has some of the MPTCP analysis shown\", HFILL }},\n\n { &hf_mptcp_related_mapping,\n { \"Related mapping\", \"mptcp.related_mapping\", FT_FRAMENUM , BASE_NONE, NULL, 0x0,\n \"Packet in which current packet DSS mapping was sent\", HFILL }},\n\n { &hf_mptcp_reinjection_of,\n { \"Reinjection of\", \"mptcp.reinjection_of\", FT_FRAMENUM , BASE_NONE, NULL, 0x0,\n \"This is a retransmission of data sent on another subflow\", HFILL }},\n\n { &hf_mptcp_reinjected_in,\n { \"Data reinjected in\", \"mptcp.reinjected_in\", FT_FRAMENUM , BASE_NONE, NULL, 0x0,\n \"This was retransmitted on another subflow\", HFILL }},\n\n { &hf_mptcp_analysis_subflows,\n { \"TCP subflow stream 
id(s):\", \"mptcp.analysis.subflows\", FT_NONE, BASE_NONE, NULL, 0x0,\n \"List all TCP connections mapped to this MPTCP connection\", HFILL }},\n\n { &hf_mptcp_stream,\n { \"Stream index\", \"mptcp.stream\", FT_UINT32, BASE_DEC, NULL, 0x0,\n NULL, HFILL }},\n\n { &hf_mptcp_number_of_removed_addresses,\n { \"Number of removed addresses\", \"mptcp.rm_addr.count\", FT_UINT8,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_mptcp_expected_token,\n { \"Subflow token generated from key\", \"mptcp.expected_token\", FT_UINT32,\n BASE_DEC, NULL, 0x0, NULL, HFILL}},\n\n { &hf_mptcp_analysis_master,\n { \"Master flow\", \"mptcp.master\", FT_BOOLEAN, BASE_NONE,\n NULL, 0x0, NULL, HFILL}}\n\n };\n\n static build_valid_func tcp_da_src_values[1] = {tcp_src_value};\n static build_valid_func tcp_da_dst_values[1] = {tcp_dst_value};\n static build_valid_func tcp_da_both_values[2] = {tcp_src_value, tcp_dst_value};\n static decode_as_value_t tcp_da_values[3] = {{tcp_src_prompt, 1, tcp_da_src_values}, {tcp_dst_prompt, 1, tcp_da_dst_values}, {tcp_both_prompt, 2, tcp_da_both_values}};\n static decode_as_t tcp_da = {\"tcp\", \"Transport\", \"tcp.port\", 3, 2, tcp_da_values, \"TCP\", \"port(s) as\",\n decode_as_default_populate_list, decode_as_default_reset, decode_as_default_change, NULL};\n\n module_t *tcp_module;\n module_t *mptcp_module;\n expert_module_t* expert_tcp;\n expert_module_t* expert_mptcp;\n\n proto_tcp = proto_register_protocol(\"Transmission Control Protocol\", \"TCP\", \"tcp\");\n tcp_handle = register_dissector(\"tcp\", dissect_tcp, proto_tcp);\n proto_register_field_array(proto_tcp, hf, array_length(hf));\n proto_register_subtree_array(ett, array_length(ett));\n expert_tcp = expert_register_protocol(proto_tcp);\n expert_register_field_array(expert_tcp, ei, array_length(ei));\n\n /* subdissector code */\n subdissector_table = register_dissector_table(\"tcp.port\",\n \"TCP port\", proto_tcp, FT_UINT16, BASE_DEC);\n heur_subdissector_list = 
register_heur_dissector_list(\"tcp\", proto_tcp);\n tcp_option_table = register_dissector_table(\"tcp.option\",\n \"TCP Options\", proto_tcp, FT_UINT8, BASE_DEC);\n\n /* Register TCP options as their own protocols so we can get the name of the option */\n proto_tcp_option_nop = proto_register_protocol_in_name_only(\"TCP Option - No-Operation (NOP)\", \"No-Operation (NOP)\", \"tcp.options.nop\", proto_tcp, FT_BYTES);\n proto_tcp_option_eol = proto_register_protocol_in_name_only(\"TCP Option - End of Option List (EOL)\", \"End of Option List (EOL)\", \"tcp.options.eol\", proto_tcp, FT_BYTES);\n proto_tcp_option_timestamp = proto_register_protocol_in_name_only(\"TCP Option - Timestamps\", \"Timestamps\", \"tcp.options.timestamp\", proto_tcp, FT_BYTES);\n proto_tcp_option_mss = proto_register_protocol_in_name_only(\"TCP Option - Maximum segment size\", \"Maximum segment size\", \"tcp.options.mss\", proto_tcp, FT_BYTES);\n proto_tcp_option_wscale = proto_register_protocol_in_name_only(\"TCP Option - Window scale\", \"Window scale\", \"tcp.options.wscale\", proto_tcp, FT_BYTES);\n proto_tcp_option_sack_perm = proto_register_protocol_in_name_only(\"TCP Option - SACK permitted\", \"SACK permitted\", \"tcp.options.sack_perm\", proto_tcp, FT_BYTES);\n proto_tcp_option_sack = proto_register_protocol_in_name_only(\"TCP Option - SACK\", \"SACK\", \"tcp.options.sack\", proto_tcp, FT_BYTES);\n proto_tcp_option_echo = proto_register_protocol_in_name_only(\"TCP Option - Echo\", \"Echo\", \"tcp.options.echo\", proto_tcp, FT_BYTES);\n proto_tcp_option_echoreply = proto_register_protocol_in_name_only(\"TCP Option - Echo reply\", \"Echo reply\", \"tcp.options.echoreply\", proto_tcp, FT_BYTES);\n proto_tcp_option_cc = proto_register_protocol_in_name_only(\"TCP Option - CC\", \"CC\", \"tcp.options.cc\", proto_tcp, FT_BYTES);\n proto_tcp_option_cc_new = proto_register_protocol_in_name_only(\"TCP Option - CC.NEW\", \"CC.NEW\", \"tcp.options.ccnew\", proto_tcp, FT_BYTES);\n 
proto_tcp_option_cc_echo = proto_register_protocol_in_name_only(\"TCP Option - CC.ECHO\", \"CC.ECHO\", \"tcp.options.ccecho\", proto_tcp, FT_BYTES);\n proto_tcp_option_md5 = proto_register_protocol_in_name_only(\"TCP Option - TCP MD5 signature\", \"TCP MD5 signature\", \"tcp.options.md5\", proto_tcp, FT_BYTES);\n proto_tcp_option_scps = proto_register_protocol_in_name_only(\"TCP Option - SCPS capabilities\", \"SCPS capabilities\", \"tcp.options.scps\", proto_tcp, FT_BYTES);\n proto_tcp_option_snack = proto_register_protocol_in_name_only(\"TCP Option - Selective Negative Acknowledgment\", \"Selective Negative Acknowledgment\", \"tcp.options.snack\", proto_tcp, FT_BYTES);\n proto_tcp_option_scpsrec = proto_register_protocol_in_name_only(\"TCP Option - SCPS record boundary\", \"SCPS record boundary\", \"tcp.options.scpsrec\", proto_tcp, FT_BYTES);\n proto_tcp_option_scpscor = proto_register_protocol_in_name_only(\"TCP Option - SCPS corruption experienced\", \"SCPS corruption experienced\", \"tcp.options.scpscor\", proto_tcp, FT_BYTES);\n proto_tcp_option_qs = proto_register_protocol_in_name_only(\"TCP Option - Quick-Start\", \"Quick-Start\", \"tcp.options.qs\", proto_tcp, FT_BYTES);\n proto_tcp_option_user_to = proto_register_protocol_in_name_only(\"TCP Option - User Timeout\", \"User Timeout\", \"tcp.options.user_to\", proto_tcp, FT_BYTES);\n proto_tcp_option_tfo = proto_register_protocol_in_name_only(\"TCP Option - TCP Fast Open\", \"TCP Fast Open\", \"tcp.options.tfo\", proto_tcp, FT_BYTES);\n proto_tcp_option_rvbd_probe = proto_register_protocol_in_name_only(\"TCP Option - Riverbed Probe\", \"Riverbed Probe\", \"tcp.options.rvbd.probe\", proto_tcp, FT_BYTES);\n proto_tcp_option_rvbd_trpy = proto_register_protocol_in_name_only(\"TCP Option - Riverbed Transparency\", \"Riverbed Transparency\", \"tcp.options.rvbd.trpy\", proto_tcp, FT_BYTES);\n proto_tcp_option_exp = proto_register_protocol_in_name_only(\"TCP Option - Experimental\", \"Experimental\", 
\"tcp.options.experimental\", proto_tcp, FT_BYTES);\n proto_tcp_option_unknown = proto_register_protocol_in_name_only(\"TCP Option - Unknown\", \"Unknown\", \"tcp.options.unknown\", proto_tcp, FT_BYTES);\n\n register_capture_dissector_table(\"tcp.port\", \"TCP\");\n\n /* Register configuration preferences */\n tcp_module = prefs_register_protocol(proto_tcp, NULL);\n prefs_register_bool_preference(tcp_module, \"summary_in_tree\",\n \"Show TCP summary in protocol tree\",\n \"Whether the TCP summary line should be shown in the protocol tree\",\n &tcp_summary_in_tree);\n prefs_register_bool_preference(tcp_module, \"check_checksum\",\n \"Validate the TCP checksum if possible\",\n \"Whether to validate the TCP checksum or not. \"\n \"(Invalid checksums will cause reassembly, if enabled, to fail.)\",\n &tcp_check_checksum);\n prefs_register_bool_preference(tcp_module, \"desegment_tcp_streams\",\n \"Allow subdissector to reassemble TCP streams\",\n \"Whether subdissector can request TCP streams to be reassembled\",\n &tcp_desegment);\n prefs_register_bool_preference(tcp_module, \"reassemble_out_of_order\",\n \"Reassemble out-of-order segments\",\n \"Whether out-of-order segments should be buffered and reordered before passing it to a subdissector. \"\n \"To use this option you must also enable \\\"Allow subdissector to reassemble TCP streams\\\".\",\n &tcp_reassemble_out_of_order);\n prefs_register_bool_preference(tcp_module, \"analyze_sequence_numbers\",\n \"Analyze TCP sequence numbers\",\n \"Make the TCP dissector analyze TCP sequence numbers to find and flag segment retransmissions, missing segments and RTT\",\n &tcp_analyze_seq);\n prefs_register_bool_preference(tcp_module, \"relative_sequence_numbers\",\n \"Relative sequence numbers (Requires \\\"Analyze TCP sequence numbers\\\")\",\n \"Make the TCP dissector use relative sequence numbers instead of absolute ones. \"\n \"To use this option you must also enable \\\"Analyze TCP sequence numbers\\\". 
\",\n &tcp_relative_seq);\n prefs_register_enum_preference(tcp_module, \"default_window_scaling\",\n \"Scaling factor to use when not available from capture\",\n \"Make the TCP dissector use this scaling factor for streams where the signalled scaling factor \"\n \"is not visible in the capture\",\n &tcp_default_window_scaling, window_scaling_vals, FALSE);\n\n /* Presumably a retired, unconditional version of what has been added back with the preference above... */\n prefs_register_obsolete_preference(tcp_module, \"window_scaling\");\n\n prefs_register_bool_preference(tcp_module, \"track_bytes_in_flight\",\n \"Track number of bytes in flight\",\n \"Make the TCP dissector track the number on un-ACKed bytes of data are in flight per packet. \"\n \"To use this option you must also enable \\\"Analyze TCP sequence numbers\\\". \"\n \"This takes a lot of memory but allows you to track how much data are in flight at a time and graphing it in io-graphs\",\n &tcp_track_bytes_in_flight);\n prefs_register_bool_preference(tcp_module, \"calculate_timestamps\",\n \"Calculate conversation timestamps\",\n \"Calculate timestamps relative to the first frame and the previous frame in the tcp conversation\",\n &tcp_calculate_ts);\n prefs_register_bool_preference(tcp_module, \"try_heuristic_first\",\n \"Try heuristic sub-dissectors first\",\n \"Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port\",\n &try_heuristic_first);\n prefs_register_bool_preference(tcp_module, \"ignore_tcp_timestamps\",\n \"Ignore TCP Timestamps in summary\",\n \"Do not place the TCP Timestamps in the summary line\",\n &tcp_ignore_timestamps);\n\n prefs_register_bool_preference(tcp_module, \"no_subdissector_on_error\",\n \"Do not call subdissectors for error packets\",\n \"Do not call any subdissectors for Retransmitted or OutOfOrder segments\",\n &tcp_no_subdissector_on_error);\n\n prefs_register_bool_preference(tcp_module, 
\"dissect_experimental_options_with_magic\",\n \"TCP Experimental Options with a Magic Number\",\n \"Assume TCP Experimental Options (253, 254) have a Magic Number and use it for dissection\",\n &tcp_exp_options_with_magic);\n\n prefs_register_bool_preference(tcp_module, \"display_process_info_from_ipfix\",\n \"Display process information via IPFIX\",\n \"Collect and store process information retrieved from IPFIX dissector\",\n &tcp_display_process_info);\n\n register_init_routine(tcp_init);\n reassembly_table_register(&tcp_reassembly_table,\n &addresses_ports_reassembly_table_functions);\n\n register_decode_as(&tcp_da);\n\n register_conversation_table(proto_tcp, FALSE, tcpip_conversation_packet, tcpip_hostlist_packet);\n register_conversation_filter(\"tcp\", \"TCP\", tcp_filter_valid, tcp_build_filter);\n\n register_seq_analysis(\"tcp\", \"TCP Flows\", proto_tcp, NULL, 0, tcp_seq_analysis_packet);\n\n /* considers MPTCP as a distinct protocol (even if it's a TCP option) */\n proto_mptcp = proto_register_protocol(\"Multipath Transmission Control Protocol\", \"MPTCP\", \"mptcp\");\n\n proto_register_field_array(proto_mptcp, mptcp_hf, array_length(mptcp_hf));\n proto_register_subtree_array(mptcp_ett, array_length(mptcp_ett));\n\n /* Register configuration preferences */\n mptcp_module = prefs_register_protocol(proto_mptcp, NULL);\n expert_mptcp = expert_register_protocol(proto_tcp);\n expert_register_field_array(expert_mptcp, mptcp_ei, array_length(mptcp_ei));\n\n prefs_register_bool_preference(mptcp_module, \"analyze_mptcp\",\n \"Map TCP subflows to their respective MPTCP connections\",\n \"To use this option you must also enable \\\"Analyze TCP sequence numbers\\\". 
\",\n &tcp_analyze_mptcp);\n\n prefs_register_bool_preference(mptcp_module, \"relative_sequence_numbers\",\n \"Display relative MPTCP sequence numbers.\",\n \"In case you don't capture the key, it will use the first DSN seen\",\n &mptcp_relative_seq);\n\n prefs_register_bool_preference(mptcp_module, \"analyze_mappings\",\n \"Deeper analysis of Data Sequence Signal (DSS)\",\n \"Scales logarithmically with the number of packets\"\n \"You need to capture the handshake for this to work.\"\n \"\\\"Map TCP subflows to their respective MPTCP connections\\\"\",\n &mptcp_analyze_mappings);\n\n prefs_register_bool_preference(mptcp_module, \"intersubflows_retransmission\",\n \"Check for data duplication across subflows\",\n \"(Greedy algorithm: Scales linearly with number of subflows and\"\n \" logarithmic scaling with number of packets)\"\n \"You need to enable DSS mapping analysis for this option to work\",\n &mptcp_intersubflows_retransmission);\n\n register_conversation_table(proto_mptcp, FALSE, mptcpip_conversation_packet, tcpip_hostlist_packet);\n register_follow_stream(proto_tcp, \"tcp_follow\", tcp_follow_conv_filter, tcp_follow_index_filter, tcp_follow_address_filter,\n tcp_port_to_display, follow_tcp_tap_listener);\n}", "project": "wireshark", "hash": 259358123016446286443481794757888777799, "size": 1063, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. 
Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385248 }, { "func": "static void autocomplete_theme(RCore *core, RLineCompletion *completion, const char *str) {\n\tr_return_if_fail (str);\n\tint len = strlen (str);\n\tchar *theme;\n\tRListIter *iter;\n\tRList *themes = r_core_list_themes (core);\n\tr_list_foreach (themes, iter, theme) {\n\t\tif (!len || !strncmp (str, theme, len)) {\n\t\t\tr_line_completion_push (completion, theme);\n\t\t}\n\t}\n\tr_list_free (themes);\n}", "project": "radare2", "hash": 213440889383104307104490937555610987948, "size": 13, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232104 }, { "func": "static int __init fuse_fs_init(void)\n{\n\tint err;\n\n\tfuse_inode_cachep = kmem_cache_create(\"fuse_inode\",\n\t\t\tsizeof(struct fuse_inode), 0,\n\t\t\tSLAB_HWCACHE_ALIGN|SLAB_ACCOUNT|SLAB_RECLAIM_ACCOUNT,\n\t\t\tfuse_inode_init_once);\n\terr = -ENOMEM;\n\tif (!fuse_inode_cachep)\n\t\tgoto out;\n\n\terr = register_fuseblk();\n\tif (err)\n\t\tgoto out2;\n\n\terr = register_filesystem(&fuse_fs_type);\n\tif (err)\n\t\tgoto out3;\n\n\treturn 0;\n\n out3:\n\tunregister_fuseblk();\n out2:\n\tkmem_cache_destroy(fuse_inode_cachep);\n out:\n\treturn err;\n}", "project": "linux", "hash": 281390415911040355136971105198365304971, "size": 29, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341949 }, { "func": "static void oidc_copy_tokens_to_request_state(request_rec *r,\n\t\toidc_session_t *session, const char **s_id_token, const char **s_claims) {\n\n\tconst char *id_token = oidc_session_get_idtoken_claims(r, session);\n\tconst char *claims = oidc_session_get_userinfo_claims(r, session);\n\n\toidc_debug(r, \"id_token=%s claims=%s\", id_token, claims);\n\n\tif (id_token != NULL) {\n\t\toidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_IDTOKEN, id_token);\n\t\tif (s_id_token != NULL)\n\t\t\t*s_id_token = id_token;\n\t}\n\n\tif (claims != NULL) {\n\t\toidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_CLAIMS, claims);\n\t\tif (s_claims != NULL)\n\t\t\t*s_claims = claims;\n\t}\n}", "project": "mod_auth_openidc", "hash": 103120587971721842514652745751334778547, "size": 20, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381961 }, { "func": "static int io_files_update_prep(struct io_kiocb *req,\n\t\t\t\tconst struct io_uring_sqe *sqe)\n{\n\tif (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))\n\t\treturn -EINVAL;\n\tif (sqe->ioprio || 
sqe->rw_flags)\n\t\treturn -EINVAL;\n\n\treq->files_update.offset = READ_ONCE(sqe->off);\n\treq->files_update.nr_args = READ_ONCE(sqe->len);\n\tif (!req->files_update.nr_args)\n\t\treturn -EINVAL;\n\treq->files_update.arg = READ_ONCE(sqe->addr);\n\treturn 0;\n}", "project": "linux", "hash": 93122407896677623250086693907207405659, "size": 15, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456935 }, { "func": "int imap_exec (IMAP_DATA* idata, const char* cmdstr, int flags)\n{\n int rc;\n\n if ((rc = cmd_start (idata, cmdstr, flags)) < 0)\n {\n cmd_handle_fatal (idata);\n return -1;\n }\n\n if (flags & IMAP_CMD_QUEUE)\n return 0;\n\n if ((flags & IMAP_CMD_POLL) &&\n (ImapPollTimeout > 0) &&\n (mutt_socket_poll (idata->conn, ImapPollTimeout)) == 0)\n {\n mutt_error (_(\"Connection to %s timed out\"), idata->conn->account.host);\n mutt_sleep (2);\n cmd_handle_fatal (idata);\n return -1;\n }\n\n do\n rc = imap_cmd_step (idata);\n while (rc == IMAP_CMD_CONTINUE);\n\n if (rc == IMAP_CMD_NO && (flags & IMAP_CMD_FAIL_OK))\n return -2;\n\n if (rc != IMAP_CMD_OK)\n {\n if ((flags & IMAP_CMD_FAIL_OK) && idata->status != IMAP_FATAL)\n return -2;\n\n dprint (1, (debugfile, \"imap_exec: command failed: %s\\n\", idata->buf));\n return -1;\n }\n\n return 0;\n}", "project": "mutt", "hash": 175056992098358086347897185131715784744, "size": 41, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", 
"message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338010 }, { "func": "int SFAddScriptIndex(SplineFont1 *sf,uint32 *scripts,int scnt) {\n int i,j;\n struct script_record *sr;\n\n if ( scnt==0 )\n\tscripts[scnt++] = CHR('l','a','t','n');\t\t/* Need a default script preference */\n for ( i=0; iscripts[j] ) {\n\t uint32 temp = scripts[i];\n\t scripts[i] = scripts[j];\n\t scripts[j] = temp;\n\t}\n }\n\n if ( sf->sf.cidmaster ) sf = (SplineFont1 *) sf->sf.cidmaster;\n if ( sf->script_lang==NULL )\t/* It's an old sfd file */\n\tsf->script_lang = calloc(1,sizeof(struct script_record *));\n for ( i=0; sf->script_lang[i]!=NULL; ++i ) {\n\tsr = sf->script_lang[i];\n\tfor ( j=0; sr[j].script!=0 && jscript_lang = realloc(sf->script_lang,(i+2)*sizeof(struct script_record *));\n sf->script_lang[i+1] = NULL;\n sr = sf->script_lang[i] = calloc(scnt+1,sizeof(struct script_record));\n for ( j = 0; jfontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417801 }, { "func": "Header headerRead(FD_t fd, int magicp)\n{\n Header h = NULL;\n struct hdrblob_s blob;\n char *buf = NULL;\n\n if (hdrblobRead(fd, magicp, 0, 0, &blob, &buf) == RPMRC_OK)\n\thdrblobImport(&blob, 0, &h, &buf);\n\n free(buf);\n return h;\n}", "project": "rpm", "hash": 276876205315097706410070627579923130305, "size": 12, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318171 }, { "func": "static void assemble_file(const char *fname, StrList **depend_ptr)\n{\n char *line;\n insn output_ins;\n int i;\n uint64_t prev_offset_changed;\n int64_t stall_count = 0; /* Make sure we make forward progress... 
*/\n\n switch (cmd_sb) {\n case 16:\n break;\n case 32:\n if (!iflag_cpu_level_ok(&cmd_cpu, IF_386))\n nasm_fatal(0, \"command line: 32-bit segment size requires a higher cpu\");\n break;\n case 64:\n if (!iflag_cpu_level_ok(&cmd_cpu, IF_X86_64))\n nasm_fatal(0, \"command line: 64-bit segment size requires a higher cpu\");\n break;\n default:\n panic();\n break;\n }\n\n prev_offset_changed = nasm_limit[LIMIT_PASSES];\n for (passn = 1; pass0 <= 2; passn++) {\n pass1 = pass0 == 2 ? 2 : 1; /* 1, 1, 1, ..., 1, 2 */\n pass2 = passn > 1 ? 2 : 1; /* 1, 2, 2, ..., 2, 2 */\n /* pass0 0, 0, 0, ..., 1, 2 */\n\n globalbits = cmd_sb; /* set 'bits' to command line default */\n cpu = cmd_cpu;\n if (pass0 == 2) {\n\t lfmt->init(listname);\n } else if (passn == 1 && listname && !keep_all) {\n /* Remove the list file in case we die before the output pass */\n remove(listname);\n }\n in_absolute = false;\n global_offset_changed = 0; /* set by redefine_label */\n if (passn > 1) {\n saa_rewind(forwrefs);\n forwref = saa_rstruct(forwrefs);\n raa_free(offsets);\n offsets = raa_init();\n }\n location.segment = NO_SEG;\n location.offset = 0;\n if (passn == 1)\n location.known = true;\n ofmt->reset();\n switch_segment(ofmt->section(NULL, pass2, &globalbits));\n preproc->reset(fname, pass1, pass1 == 2 ? 
depend_ptr : NULL);\n\n\t/* Revert all warnings to the default state */\n\tmemcpy(warning_state, warning_state_init, sizeof warning_state);\n\n globallineno = 0;\n\n while ((line = preproc->getline())) {\n if (++globallineno > nasm_limit[LIMIT_LINES])\n nasm_fatal(0,\n \"overall line count exceeds the maximum %\"PRId64\"\\n\",\n nasm_limit[LIMIT_LINES]);\n\n /*\n * Here we parse our directives; this is not handled by the\n * main parser.\n */\n if (process_directives(line))\n goto end_of_line; /* Just do final cleanup */\n\n /* Not a directive, or even something that starts with [ */\n parse_line(pass1, line, &output_ins);\n\n if (optimizing.level > 0) {\n if (forwref != NULL && globallineno == forwref->lineno) {\n output_ins.forw_ref = true;\n do {\n output_ins.oprs[forwref->operand].opflags |= OPFLAG_FORWARD;\n forwref = saa_rstruct(forwrefs);\n } while (forwref != NULL\n && forwref->lineno == globallineno);\n } else\n output_ins.forw_ref = false;\n\n if (output_ins.forw_ref) {\n if (passn == 1) {\n for (i = 0; i < output_ins.operands; i++) {\n if (output_ins.oprs[i].opflags & OPFLAG_FORWARD) {\n struct forwrefinfo *fwinf = (struct forwrefinfo *)saa_wstruct(forwrefs);\n fwinf->lineno = globallineno;\n fwinf->operand = i;\n }\n }\n }\n }\n }\n\n /* forw_ref */\n if (output_ins.opcode == I_EQU) {\n if (!output_ins.label)\n nasm_error(ERR_NONFATAL,\n \"EQU not preceded by label\");\n\n if (output_ins.operands == 1 &&\n (output_ins.oprs[0].type & IMMEDIATE) &&\n output_ins.oprs[0].wrt == NO_SEG) {\n define_label(output_ins.label,\n output_ins.oprs[0].segment,\n output_ins.oprs[0].offset, false);\n } else if (output_ins.operands == 2\n && (output_ins.oprs[0].type & IMMEDIATE)\n && (output_ins.oprs[0].type & COLON)\n && output_ins.oprs[0].segment == NO_SEG\n && output_ins.oprs[0].wrt == NO_SEG\n && (output_ins.oprs[1].type & IMMEDIATE)\n && output_ins.oprs[1].segment == NO_SEG\n && output_ins.oprs[1].wrt == NO_SEG) {\n define_label(output_ins.label,\n 
output_ins.oprs[0].offset | SEG_ABS,\n output_ins.oprs[1].offset, false);\n } else {\n nasm_error(ERR_NONFATAL, \"bad syntax for EQU\");\n }\n } else { /* instruction isn't an EQU */\n int32_t n;\n\n nasm_assert(output_ins.times >= 0);\n\n for (n = 1; n <= output_ins.times; n++) {\n if (pass1 == 1) {\n int64_t l = insn_size(location.segment,\n location.offset,\n globalbits, &output_ins);\n\n /* if (using_debug_info) && output_ins.opcode != -1) */\n if (using_debug_info)\n { /* fbk 03/25/01 */\n /* this is done here so we can do debug type info */\n int32_t typeinfo =\n TYS_ELEMENTS(output_ins.operands);\n switch (output_ins.opcode) {\n case I_RESB:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_BYTE;\n break;\n case I_RESW:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_WORD;\n break;\n case I_RESD:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_DWORD;\n break;\n case I_RESQ:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_QWORD;\n break;\n case I_REST:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_TBYTE;\n break;\n case I_RESO:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_OWORD;\n break;\n case I_RESY:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_YWORD;\n break;\n case I_RESZ:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_ZWORD;\n break;\n case I_DB:\n typeinfo |= TY_BYTE;\n break;\n case I_DW:\n typeinfo |= TY_WORD;\n break;\n case I_DD:\n if (output_ins.eops_float)\n typeinfo |= TY_FLOAT;\n else\n typeinfo |= TY_DWORD;\n break;\n case I_DQ:\n typeinfo |= TY_QWORD;\n break;\n case I_DT:\n typeinfo |= TY_TBYTE;\n break;\n case I_DO:\n typeinfo |= TY_OWORD;\n break;\n case I_DY:\n typeinfo |= TY_YWORD;\n break;\n case I_DZ:\n typeinfo |= TY_ZWORD;\n break;\n default:\n typeinfo = TY_LABEL;\n break;\n }\n\n dfmt->debug_typevalue(typeinfo);\n }\n\n /*\n * For INCBIN, let the code in assemble\n * handle TIMES, so we don't have to read the\n * input file over 
and over.\n */\n if (l != -1) {\n increment_offset(l);\n }\n /*\n * else l == -1 => invalid instruction, which will be\n * flagged as an error on pass 2\n */\n } else {\n if (n == 2)\n lfmt->uplevel(LIST_TIMES);\n increment_offset(assemble(location.segment,\n location.offset,\n globalbits, &output_ins));\n }\n } /* not an EQU */\n }\n if (output_ins.times > 1)\n lfmt->downlevel(LIST_TIMES);\n\n cleanup_insn(&output_ins);\n\n end_of_line:\n nasm_free(line);\n } /* end while (line = preproc->getline... */\n\n if (global_offset_changed && !terminate_after_phase) {\n switch (pass0) {\n case 1:\n nasm_error(ERR_WARNING|ERR_WARN_PHASE,\n \"phase error during stabilization pass, hoping for the best\");\n break;\n\n case 2:\n nasm_error(ERR_NONFATAL,\n \"phase error during code generation pass\");\n break;\n\n default:\n /* This is normal, we'll keep going... */\n break;\n }\n }\n\n if (pass1 == 1)\n preproc->cleanup(1);\n\n /*\n * Always run at least two optimization passes (pass0 == 0);\n * things like subsections will fail miserably without that.\n * Once we commit to a stabilization pass (pass0 == 1), we can't\n * go back, and if something goes bad, we can only hope\n * that we don't end up with a phase error at the end.\n */\n if ((passn > 1 && !global_offset_changed) || pass0 > 0) {\n pass0++;\n } else if (global_offset_changed &&\n global_offset_changed < prev_offset_changed) {\n prev_offset_changed = global_offset_changed;\n stall_count = 0;\n } else {\n stall_count++;\n }\n\n if (terminate_after_phase)\n break;\n\n if ((stall_count > nasm_limit[LIMIT_STALLED]) ||\n (passn >= nasm_limit[LIMIT_PASSES])) {\n /* We get here if the labels don't converge\n * Example: FOO equ FOO + 1\n */\n nasm_error(ERR_NONFATAL,\n \"Can't find valid values for all labels \"\n \"after %\"PRId64\" passes, giving up.\", passn);\n nasm_error(ERR_NONFATAL,\n \"Possible causes: recursive EQUs, macro abuse.\");\n break;\n }\n }\n\n preproc->cleanup(0);\n lfmt->cleanup();\n if 
(!terminate_after_phase && opt_verbose_info) {\n /* -On and -Ov switches */\n fprintf(stdout, \"info: assembly required 1+%\"PRId64\"+1 passes\\n\",\n passn-3);\n }\n}", "project": "nasm", "hash": 308312917854211633508209765710891290112, "size": 303, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 1, "dataset": "other", "idx": 197360 }, { "func": "static void assemble_file(const char *fname, StrList **depend_ptr)\n{\n char *line;\n insn output_ins;\n int i;\n uint64_t prev_offset_changed;\n int64_t stall_count = 0; /* Make sure we make forward progress... */\n\n switch (cmd_sb) {\n case 16:\n break;\n case 32:\n if (!iflag_cpu_level_ok(&cmd_cpu, IF_386))\n nasm_fatal(0, \"command line: 32-bit segment size requires a higher cpu\");\n break;\n case 64:\n if (!iflag_cpu_level_ok(&cmd_cpu, IF_X86_64))\n nasm_fatal(0, \"command line: 64-bit segment size requires a higher cpu\");\n break;\n default:\n panic();\n break;\n }\n\n prev_offset_changed = nasm_limit[LIMIT_PASSES];\n for (passn = 1; pass0 <= 2; passn++) {\n pass1 = pass0 == 2 ? 2 : 1; /* 1, 1, 1, ..., 1, 2 */\n pass2 = passn > 1 ? 
2 : 1; /* 1, 2, 2, ..., 2, 2 */\n /* pass0 0, 0, 0, ..., 1, 2 */\n\n globalbits = cmd_sb; /* set 'bits' to command line default */\n cpu = cmd_cpu;\n if (pass0 == 2) {\n\t lfmt->init(listname);\n } else if (passn == 1 && listname && !keep_all) {\n /* Remove the list file in case we die before the output pass */\n remove(listname);\n }\n in_absolute = false;\n global_offset_changed = 0; /* set by redefine_label */\n if (passn > 1) {\n saa_rewind(forwrefs);\n forwref = saa_rstruct(forwrefs);\n raa_free(offsets);\n offsets = raa_init();\n }\n location.segment = NO_SEG;\n location.offset = 0;\n if (passn == 1)\n location.known = true;\n ofmt->reset();\n switch_segment(ofmt->section(NULL, pass2, &globalbits));\n preproc->reset(fname, pass1, pass1 == 2 ? depend_ptr : NULL);\n\n\t/* Revert all warnings to the default state */\n\tmemcpy(warning_state, warning_state_init, sizeof warning_state);\n\n globallineno = 0;\n\n while ((line = preproc->getline())) {\n if (++globallineno > nasm_limit[LIMIT_LINES])\n nasm_fatal(0,\n \"overall line count exceeds the maximum %\"PRId64\"\\n\",\n nasm_limit[LIMIT_LINES]);\n\n /*\n * Here we parse our directives; this is not handled by the\n * main parser.\n */\n if (process_directives(line))\n goto end_of_line; /* Just do final cleanup */\n\n /* Not a directive, or even something that starts with [ */\n parse_line(pass1, line, &output_ins);\n\n if (optimizing.level > 0) {\n if (forwref != NULL && globallineno == forwref->lineno) {\n output_ins.forw_ref = true;\n do {\n output_ins.oprs[forwref->operand].opflags |= OPFLAG_FORWARD;\n forwref = saa_rstruct(forwrefs);\n } while (forwref != NULL\n && forwref->lineno == globallineno);\n } else\n output_ins.forw_ref = false;\n\n if (output_ins.forw_ref) {\n if (passn == 1) {\n for (i = 0; i < output_ins.operands; i++) {\n if (output_ins.oprs[i].opflags & OPFLAG_FORWARD) {\n struct forwrefinfo *fwinf = (struct forwrefinfo *)saa_wstruct(forwrefs);\n fwinf->lineno = globallineno;\n fwinf->operand = 
i;\n }\n }\n }\n }\n }\n\n /* forw_ref */\n if (output_ins.opcode == I_EQU) {\n if (!output_ins.label) {\n nasm_error(ERR_NONFATAL, \"EQU not preceded by label\");\n } else if (output_ins.operands == 1 &&\n (output_ins.oprs[0].type & IMMEDIATE) &&\n output_ins.oprs[0].wrt == NO_SEG) {\n define_label(output_ins.label,\n output_ins.oprs[0].segment,\n output_ins.oprs[0].offset, false);\n } else if (output_ins.operands == 2\n && (output_ins.oprs[0].type & IMMEDIATE)\n && (output_ins.oprs[0].type & COLON)\n && output_ins.oprs[0].segment == NO_SEG\n && output_ins.oprs[0].wrt == NO_SEG\n && (output_ins.oprs[1].type & IMMEDIATE)\n && output_ins.oprs[1].segment == NO_SEG\n && output_ins.oprs[1].wrt == NO_SEG) {\n define_label(output_ins.label,\n output_ins.oprs[0].offset | SEG_ABS,\n output_ins.oprs[1].offset, false);\n } else {\n nasm_error(ERR_NONFATAL, \"bad syntax for EQU\");\n }\n } else { /* instruction isn't an EQU */\n int32_t n;\n\n nasm_assert(output_ins.times >= 0);\n\n for (n = 1; n <= output_ins.times; n++) {\n if (pass1 == 1) {\n int64_t l = insn_size(location.segment,\n location.offset,\n globalbits, &output_ins);\n\n /* if (using_debug_info) && output_ins.opcode != -1) */\n if (using_debug_info)\n { /* fbk 03/25/01 */\n /* this is done here so we can do debug type info */\n int32_t typeinfo =\n TYS_ELEMENTS(output_ins.operands);\n switch (output_ins.opcode) {\n case I_RESB:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_BYTE;\n break;\n case I_RESW:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_WORD;\n break;\n case I_RESD:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_DWORD;\n break;\n case I_RESQ:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_QWORD;\n break;\n case I_REST:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_TBYTE;\n break;\n case I_RESO:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_OWORD;\n break;\n case I_RESY:\n typeinfo =\n 
TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_YWORD;\n break;\n case I_RESZ:\n typeinfo =\n TYS_ELEMENTS(output_ins.oprs[0].offset) | TY_ZWORD;\n break;\n case I_DB:\n typeinfo |= TY_BYTE;\n break;\n case I_DW:\n typeinfo |= TY_WORD;\n break;\n case I_DD:\n if (output_ins.eops_float)\n typeinfo |= TY_FLOAT;\n else\n typeinfo |= TY_DWORD;\n break;\n case I_DQ:\n typeinfo |= TY_QWORD;\n break;\n case I_DT:\n typeinfo |= TY_TBYTE;\n break;\n case I_DO:\n typeinfo |= TY_OWORD;\n break;\n case I_DY:\n typeinfo |= TY_YWORD;\n break;\n case I_DZ:\n typeinfo |= TY_ZWORD;\n break;\n default:\n typeinfo = TY_LABEL;\n break;\n }\n\n dfmt->debug_typevalue(typeinfo);\n }\n\n /*\n * For INCBIN, let the code in assemble\n * handle TIMES, so we don't have to read the\n * input file over and over.\n */\n if (l != -1) {\n increment_offset(l);\n }\n /*\n * else l == -1 => invalid instruction, which will be\n * flagged as an error on pass 2\n */\n } else {\n if (n == 2)\n lfmt->uplevel(LIST_TIMES);\n increment_offset(assemble(location.segment,\n location.offset,\n globalbits, &output_ins));\n }\n } /* not an EQU */\n }\n if (output_ins.times > 1)\n lfmt->downlevel(LIST_TIMES);\n\n cleanup_insn(&output_ins);\n\n end_of_line:\n nasm_free(line);\n } /* end while (line = preproc->getline... */\n\n if (global_offset_changed && !terminate_after_phase) {\n switch (pass0) {\n case 1:\n nasm_error(ERR_WARNING|ERR_WARN_PHASE,\n \"phase error during stabilization pass, hoping for the best\");\n break;\n\n case 2:\n nasm_error(ERR_NONFATAL,\n \"phase error during code generation pass\");\n break;\n\n default:\n /* This is normal, we'll keep going... 
*/\n break;\n }\n }\n\n if (pass1 == 1)\n preproc->cleanup(1);\n\n /*\n * Always run at least two optimization passes (pass0 == 0);\n * things like subsections will fail miserably without that.\n * Once we commit to a stabilization pass (pass0 == 1), we can't\n * go back, and if something goes bad, we can only hope\n * that we don't end up with a phase error at the end.\n */\n if ((passn > 1 && !global_offset_changed) || pass0 > 0) {\n pass0++;\n } else if (global_offset_changed &&\n global_offset_changed < prev_offset_changed) {\n prev_offset_changed = global_offset_changed;\n stall_count = 0;\n } else {\n stall_count++;\n }\n\n if (terminate_after_phase)\n break;\n\n if ((stall_count > nasm_limit[LIMIT_STALLED]) ||\n (passn >= nasm_limit[LIMIT_PASSES])) {\n /* We get here if the labels don't converge\n * Example: FOO equ FOO + 1\n */\n nasm_error(ERR_NONFATAL,\n \"Can't find valid values for all labels \"\n \"after %\"PRId64\" passes, giving up.\", passn);\n nasm_error(ERR_NONFATAL,\n \"Possible causes: recursive EQUs, macro abuse.\");\n break;\n }\n }\n\n preproc->cleanup(0);\n lfmt->cleanup();\n if (!terminate_after_phase && opt_verbose_info) {\n /* -On and -Ov switches */\n fprintf(stdout, \"info: assembly required 1+%\"PRId64\"+1 passes\\n\",\n passn-3);\n }\n}", "project": "nasm", "hash": 217297003284158501046538109816031999494, "size": 301, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257477 }, { "func": "evbuffer_remove_cb(struct evbuffer *buffer, evbuffer_cb_func cb, void *cbarg)\n{\n\tstruct evbuffer_cb_entry *cbent;\n\tint result = -1;\n\tEVBUFFER_LOCK(buffer);\n\tTAILQ_FOREACH(cbent, &buffer->callbacks, next) {\n\t\tif (cb == cbent->cb.cb_func && cbarg == cbent->cbarg) {\n\t\t\tresult = 
evbuffer_remove_cb_entry(buffer, cbent);\n\t\t\tgoto done;\n\t\t}\n\t}\ndone:\n\tEVBUFFER_UNLOCK(buffer);\n\treturn result;\n}", "project": "libevent", "hash": 111123389570810025975203851985800600555, "size": 15, "commit_id": "20d6d4458bee5d88bda1511c225c25b2d3198d6c", "message": "Fix CVE-2014-6272 in Libevent 2.0\n\nFor this fix, we need to make sure that passing too-large inputs to\nthe evbuffer functions can't make us do bad things with the heap.\n\nAlso, lower the maximum chunk size to the lower of off_t, size_t maximum.\n\nThis is necessary since otherwise we could get into an infinite loop\nif we make a chunk that 'misalign' cannot index into.", "target": 0, "dataset": "other", "idx": 346332 }, { "func": "process_request_identities(SocketEntry *e)\n{\n\tIdentity *id;\n\tstruct sshbuf *msg;\n\tint r;\n\n\tdebug2_f(\"entering\");\n\n\tif ((msg = sshbuf_new()) == NULL)\n\t\tfatal_f(\"sshbuf_new failed\");\n\tif ((r = sshbuf_put_u8(msg, SSH2_AGENT_IDENTITIES_ANSWER)) != 0 ||\n\t (r = sshbuf_put_u32(msg, idtab->nentries)) != 0)\n\t\tfatal_fr(r, \"compose\");\n\tTAILQ_FOREACH(id, &idtab->idlist, next) {\n\t\tif ((r = sshkey_puts_opts(id->key, msg, SSHKEY_SERIALIZE_INFO))\n\t\t != 0 ||\n\t\t (r = sshbuf_put_cstring(msg, id->comment)) != 0) {\n\t\t\terror_fr(r, \"compose key/comment\");\n\t\t\tcontinue;\n\t\t}\n\t}\n\tif ((r = sshbuf_put_stringb(e->output, msg)) != 0)\n\t\tfatal_fr(r, \"enqueue\");\n\tsshbuf_free(msg);\n}", "project": "openssh-portable", "hash": 88143248712688056548281430225839456832, "size": 25, "commit_id": "e04fd6dde16de1cdc5a4d9946397ff60d96568db", "message": "upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own\n\nfunction and remove an unused variable; ok dtucker@\n\nOpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559", "target": 0, "dataset": "other", "idx": 400197 }, { "func": "lookup_identity(struct sshkey *key)\n{\n\tIdentity *id;\n\n\tTAILQ_FOREACH(id, &idtab->idlist, next) {\n\t\tif (sshkey_equal(key, 
id->key))\n\t\t\treturn (id);\n\t}\n\treturn (NULL);\n}", "project": "openssh-portable", "hash": 320575934211394599754532761035061697184, "size": 10, "commit_id": "e04fd6dde16de1cdc5a4d9946397ff60d96568db", "message": "upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own\n\nfunction and remove an unused variable; ok dtucker@\n\nOpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559", "target": 0, "dataset": "other", "idx": 400210 }, { "func": "report_smtp_broadcast(uint64_t reqid, const char *direction, struct timeval *tv, const char *event,\n const char *format, ...)\n{\n\tva_list\t\tap;\n\tstruct dict\t*d;\n\tstruct reporters\t*tailq;\n\tstruct reporter_proc\t*rp;\n\n\tif (strcmp(\"smtp-in\", direction) == 0)\n\t\td = &report_smtp_in;\n\n\telse if (strcmp(\"smtp-out\", direction) == 0)\n\t\td = &report_smtp_out;\n\n\telse\n\t\tfatalx(\"unexpected direction: %s\", direction);\n\n\ttailq = dict_xget(d, event);\n\tTAILQ_FOREACH(rp, tailq, entries) {\n\t\tif (!lka_filter_proc_in_session(reqid, rp->name))\n\t\t\tcontinue;\n\n\t\tva_start(ap, format);\n\t\tif (io_printf(lka_proc_get_io(rp->name),\n\t\t \"report|%s|%lld.%06ld|%s|%s|%016\"PRIx64\"%s\",\n\t\t PROTOCOL_VERSION, tv->tv_sec, tv->tv_usec, direction,\n\t\t event, reqid, format[0] != '\\n' ? \"|\" : \"\") == -1 ||\n\t\t io_vprintf(lka_proc_get_io(rp->name), format, ap) == -1)\n\t\t\tfatalx(\"failed to write to processor\");\n\t\tva_end(ap);\n\t}\n}", "project": "src", "hash": 273989420158576091623736150602950080533, "size": 32, "commit_id": "6c3220444ed06b5796dedfd53a0f4becd903c0d1", "message": "smtpd's filter state machine can prematurely release resources\nleading to a crash. 
From gilles@", "target": 0, "dataset": "other", "idx": 421556 }, { "func": "static int tracing_set_tracer(struct trace_array *tr, const char *buf)\n{\n\tstruct tracer *t;\n#ifdef CONFIG_TRACER_MAX_TRACE\n\tbool had_max_tr;\n#endif\n\tint ret = 0;\n\n\tmutex_lock(&trace_types_lock);\n\n\tif (!ring_buffer_expanded) {\n\t\tret = __tracing_resize_ring_buffer(tr, trace_buf_size,\n\t\t\t\t\t\tRING_BUFFER_ALL_CPUS);\n\t\tif (ret < 0)\n\t\t\tgoto out;\n\t\tret = 0;\n\t}\n\n\tfor (t = trace_types; t; t = t->next) {\n\t\tif (strcmp(t->name, buf) == 0)\n\t\t\tbreak;\n\t}\n\tif (!t) {\n\t\tret = -EINVAL;\n\t\tgoto out;\n\t}\n\tif (t == tr->current_trace)\n\t\tgoto out;\n\n\t/* Some tracers won't work on kernel command line */\n\tif (system_state < SYSTEM_RUNNING && t->noboot) {\n\t\tpr_warn(\"Tracer '%s' is not allowed on command line, ignored\\n\",\n\t\t\tt->name);\n\t\tgoto out;\n\t}\n\n\t/* Some tracers are only allowed for the top level buffer */\n\tif (!trace_ok_for_array(t, tr)) {\n\t\tret = -EINVAL;\n\t\tgoto out;\n\t}\n\n\t/* If trace pipe files are being read, we can't change the tracer */\n\tif (tr->current_trace->ref) {\n\t\tret = -EBUSY;\n\t\tgoto out;\n\t}\n\n\ttrace_branch_disable();\n\n\ttr->current_trace->enabled--;\n\n\tif (tr->current_trace->reset)\n\t\ttr->current_trace->reset(tr);\n\n\t/* Current trace needs to be nop_trace before synchronize_sched */\n\ttr->current_trace = &nop_trace;\n\n#ifdef CONFIG_TRACER_MAX_TRACE\n\thad_max_tr = tr->allocated_snapshot;\n\n\tif (had_max_tr && !t->use_max_tr) {\n\t\t/*\n\t\t * We need to make sure that the update_max_tr sees that\n\t\t * current_trace changed to nop_trace to keep it from\n\t\t * swapping the buffers after we resize it.\n\t\t * The update_max_tr is called from interrupts disabled\n\t\t * so a synchronized_sched() is sufficient.\n\t\t */\n\t\tsynchronize_sched();\n\t\tfree_snapshot(tr);\n\t}\n#endif\n\n#ifdef CONFIG_TRACER_MAX_TRACE\n\tif (t->use_max_tr && !had_max_tr) {\n\t\tret = 
alloc_snapshot(tr);\n\t\tif (ret < 0)\n\t\t\tgoto out;\n\t}\n#endif\n\n\tif (t->init) {\n\t\tret = tracer_init(t, tr);\n\t\tif (ret)\n\t\t\tgoto out;\n\t}\n\n\ttr->current_trace = t;\n\ttr->current_trace->enabled++;\n\ttrace_branch_enable(tr);\n out:\n\tmutex_unlock(&trace_types_lock);\n\n\treturn ret;\n}", "project": "linux", "hash": 250557422293262009982705053218405272141, "size": 96, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445705 }, { "func": "static void pb_field_set_to_default(pb_field_iter_t *iter)\n{\n pb_type_t type;\n type = iter->pos->type;\n \n if (PB_LTYPE(type) == PB_LTYPE_EXTENSION)\n {\n pb_extension_t *ext = *(pb_extension_t* const *)iter->pData;\n while (ext != NULL)\n {\n pb_field_iter_t ext_iter;\n ext->found = false;\n iter_from_extension(&ext_iter, ext);\n pb_field_set_to_default(&ext_iter);\n ext = ext->next;\n }\n }\n else if (PB_ATYPE(type) == PB_ATYPE_STATIC)\n {\n bool init_data = true;\n if (PB_HTYPE(type) == PB_HTYPE_OPTIONAL && iter->pSize != iter->pData)\n {\n /* Set has_field to false. Still initialize the optional field\n * itself also. 
*/\n *(bool*)iter->pSize = false;\n }\n else if (PB_HTYPE(type) == PB_HTYPE_REPEATED ||\n PB_HTYPE(type) == PB_HTYPE_ONEOF)\n {\n /* REPEATED: Set array count to 0, no need to initialize contents.\n ONEOF: Set which_field to 0. */\n *(pb_size_t*)iter->pSize = 0;\n init_data = false;\n }\n\n if (init_data)\n {\n if (PB_LTYPE(iter->pos->type) == PB_LTYPE_SUBMESSAGE)\n {\n /* Initialize submessage to defaults */\n pb_message_set_to_defaults((const pb_field_t *) iter->pos->ptr, iter->pData);\n }\n else if (iter->pos->ptr != NULL)\n {\n /* Initialize to default value */\n memcpy(iter->pData, iter->pos->ptr, iter->pos->data_size);\n }\n else\n {\n /* Initialize to zeros */\n memset(iter->pData, 0, iter->pos->data_size);\n }\n }\n }\n else if (PB_ATYPE(type) == PB_ATYPE_POINTER)\n {\n /* Initialize the pointer to NULL. */\n *(void**)iter->pData = NULL;\n \n /* Initialize array count to 0. */\n if (PB_HTYPE(type) == PB_HTYPE_REPEATED ||\n PB_HTYPE(type) == PB_HTYPE_ONEOF)\n {\n *(pb_size_t*)iter->pSize = 0;\n }\n }\n else if (PB_ATYPE(type) == PB_ATYPE_CALLBACK)\n {\n /* Don't overwrite callback */\n }\n}", "project": "nanopb", "hash": 35648025510811299491578117150388110768, "size": 71, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252501 }, { "func": "static bool pb_field_set_to_default(pb_field_iter_t *field)\n{\n pb_type_t type;\n type = field->type;\n\n if (PB_LTYPE(type) == PB_LTYPE_EXTENSION)\n {\n pb_extension_t *ext = *(pb_extension_t* const *)field->pData;\n while (ext != NULL)\n {\n pb_field_iter_t ext_iter;\n if (pb_field_iter_begin_extension(&ext_iter, ext))\n {\n ext->found = false;\n if (!pb_message_set_to_defaults(&ext_iter))\n return false;\n }\n ext = ext->next;\n }\n }\n else if (PB_ATYPE(type) == PB_ATYPE_STATIC)\n {\n bool init_data = true;\n if (PB_HTYPE(type) == PB_HTYPE_OPTIONAL && field->pSize != NULL)\n {\n /* Set 
has_field to false. Still initialize the optional field\n * itself also. */\n *(bool*)field->pSize = false;\n }\n else if (PB_HTYPE(type) == PB_HTYPE_REPEATED ||\n PB_HTYPE(type) == PB_HTYPE_ONEOF)\n {\n /* REPEATED: Set array count to 0, no need to initialize contents.\n ONEOF: Set which_field to 0. */\n *(pb_size_t*)field->pSize = 0;\n init_data = false;\n }\n\n if (init_data)\n {\n if (PB_LTYPE_IS_SUBMSG(field->type) &&\n (field->submsg_desc->default_value != NULL ||\n field->submsg_desc->field_callback != NULL ||\n field->submsg_desc->submsg_info[0] != NULL))\n {\n /* Initialize submessage to defaults.\n * Only needed if it has default values\n * or callback/submessage fields. */\n pb_field_iter_t submsg_iter;\n if (pb_field_iter_begin(&submsg_iter, field->submsg_desc, field->pData))\n {\n if (!pb_message_set_to_defaults(&submsg_iter))\n return false;\n }\n }\n else\n {\n /* Initialize to zeros */\n memset(field->pData, 0, (size_t)field->data_size);\n }\n }\n }\n else if (PB_ATYPE(type) == PB_ATYPE_POINTER)\n {\n /* Initialize the pointer to NULL. */\n *(void**)field->pField = NULL;\n\n /* Initialize array count to 0. 
*/\n if (PB_HTYPE(type) == PB_HTYPE_REPEATED ||\n PB_HTYPE(type) == PB_HTYPE_ONEOF)\n {\n *(pb_size_t*)field->pSize = 0;\n }\n }\n else if (PB_ATYPE(type) == PB_ATYPE_CALLBACK)\n {\n /* Don't overwrite callback */\n }\n\n return true;\n}", "project": "nanopb", "hash": 4478062108510786607552441218344339875, "size": 81, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. 
Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254693 }, { "func": "static int ovfx2_i2c_r(struct sd *sd, u8 reg)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint ret;\n\n\tif (sd->gspca_dev.usb_err < 0)\n\t\treturn -1;\n\n\tret = usb_control_msg(sd->gspca_dev.dev,\n\t\t\tusb_rcvctrlpipe(sd->gspca_dev.dev, 0),\n\t\t\t0x03,\n\t\t\tUSB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,\n\t\t\t0, (u16) reg, sd->gspca_dev.usb_buf, 1, 500);\n\n\tif (ret >= 0) {\n\t\tret = sd->gspca_dev.usb_buf[0];\n\t\tgspca_dbg(gspca_dev, D_USBI, \"ovfx2_i2c_r %02x %02x\\n\",\n\t\t\t reg, ret);\n\t} else {\n\t\tgspca_err(gspca_dev, \"ovfx2_i2c_r %02x failed %d\\n\", reg, ret);\n\t\tsd->gspca_dev.usb_err = ret;\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 163941965203265287115290812501226562226, "size": 25, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306301 }, { "func": "static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,\n\t\t\t\tunion futex_key *key,\n\t\t\t\tstruct futex_pi_state **ps,\n\t\t\t\tstruct task_struct *task, int set_waiters)\n{\n\tint lock_taken, ret, ownerdied = 0;\n\tu32 uval, newval, curval;\n\nretry:\n\tret = 
lock_taken = 0;\n\n\t/*\n\t * To avoid races, we attempt to take the lock here again\n\t * (by doing a 0 -> TID atomic cmpxchg), while holding all\n\t * the locks. It will most likely not succeed.\n\t */\n\tnewval = task_pid_vnr(task);\n\tif (set_waiters)\n\t\tnewval |= FUTEX_WAITERS;\n\n\tcurval = cmpxchg_futex_value_locked(uaddr, 0, newval);\n\n\tif (unlikely(curval == -EFAULT))\n\t\treturn -EFAULT;\n\n\t/*\n\t * Detect deadlocks.\n\t */\n\tif ((unlikely((curval & FUTEX_TID_MASK) == task_pid_vnr(task))))\n\t\treturn -EDEADLK;\n\n\t/*\n\t * Surprise - we got the lock. Just return to userspace:\n\t */\n\tif (unlikely(!curval))\n\t\treturn 1;\n\n\tuval = curval;\n\n\t/*\n\t * Set the FUTEX_WAITERS flag, so the owner will know it has someone\n\t * to wake at the next unlock.\n\t */\n\tnewval = curval | FUTEX_WAITERS;\n\n\t/*\n\t * There are two cases, where a futex might have no owner (the\n\t * owner TID is 0): OWNER_DIED. We take over the futex in this\n\t * case. We also do an unconditional take over, when the owner\n\t * of the futex died.\n\t *\n\t * This is safe as we are protected by the hash bucket lock !\n\t */\n\tif (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) {\n\t\t/* Keep the OWNER_DIED bit */\n\t\tnewval = (curval & ~FUTEX_TID_MASK) | task_pid_vnr(task);\n\t\townerdied = 0;\n\t\tlock_taken = 1;\n\t}\n\n\tcurval = cmpxchg_futex_value_locked(uaddr, uval, newval);\n\n\tif (unlikely(curval == -EFAULT))\n\t\treturn -EFAULT;\n\tif (unlikely(curval != uval))\n\t\tgoto retry;\n\n\t/*\n\t * We took the lock due to owner died take over.\n\t */\n\tif (unlikely(lock_taken))\n\t\treturn 1;\n\n\t/*\n\t * We dont have the lock. Look up the PI state (or create it if\n\t * we are the first waiter):\n\t */\n\tret = lookup_pi_state(uval, hb, key, ps);\n\n\tif (unlikely(ret)) {\n\t\tswitch (ret) {\n\t\tcase -ESRCH:\n\t\t\t/*\n\t\t\t * No owner found for this futex. 
Check if the\n\t\t\t * OWNER_DIED bit is set to figure out whether\n\t\t\t * this is a robust futex or not.\n\t\t\t */\n\t\t\tif (get_futex_value_locked(&curval, uaddr))\n\t\t\t\treturn -EFAULT;\n\n\t\t\t/*\n\t\t\t * We simply start over in case of a robust\n\t\t\t * futex. The code above will take the futex\n\t\t\t * and return happy.\n\t\t\t */\n\t\t\tif (curval & FUTEX_OWNER_DIED) {\n\t\t\t\townerdied = 1;\n\t\t\t\tgoto retry;\n\t\t\t}\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\t}\n\n\treturn ret;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 194594028798189216733306841133016382206, "size": 106, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492302 }, { "func": "static void tcp_urg(struct sock *sk, struct sk_buff *skb, const struct tcphdr *th)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\t/* Check if we get a new urgent pointer - normally not. */\n\tif (th->urg)\n\t\ttcp_check_urg(sk, th);\n\n\t/* Do we wait for any urgent data? - normally not... */\n\tif (tp->urg_data == TCP_URG_NOTYET) {\n\t\tu32 ptr = tp->urg_seq - ntohl(th->seq) + (th->doff * 4) -\n\t\t\t th->syn;\n\n\t\t/* Is the urgent pointer pointing into this packet? */\n\t\tif (ptr < skb->len) {\n\t\t\tu8 tmp;\n\t\t\tif (skb_copy_bits(skb, ptr, &tmp, 1))\n\t\t\t\tBUG();\n\t\t\ttp->urg_data = TCP_URG_VALID | tmp;\n\t\t\tif (!sock_flag(sk, SOCK_DEAD))\n\t\t\t\tsk->sk_data_ready(sk, 0);\n\t\t}\n\t}\n}", "project": "net-next", "hash": 146516928245751260842076305434596965711, "size": 24, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409871 }, { "func": "static void blackout_regions(void) {\n\tint i;\n\tfor (i=0; i < blackouts; i++) {\n\t\tzero_fb(blackr[i].x1, blackr[i].y1, blackr[i].x2, blackr[i].y2);\n\t}\n}", "project": "x11vnc", "hash": 177224846372175530609057382411913835655, "size": 6, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360790 }, { "func": "static apr_status_t transit(h2_stream *stream, int new_state)\n{\n if (new_state == stream->state) {\n return APR_SUCCESS;\n }\n else if (new_state < 0) {\n ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, stream->session->c, \n H2_STRM_LOG(APLOGNO(03081), stream, \"invalid transition\"));\n on_state_invalid(stream);\n return APR_EINVAL;\n }\n \n ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c, \n H2_STRM_MSG(stream, \"transit to [%s]\"), h2_ss_str(new_state));\n stream->state = new_state;\n switch (new_state) {\n case H2_SS_IDLE:\n break;\n case H2_SS_RSVD_L:\n close_input(stream);\n break;\n case H2_SS_RSVD_R:\n break;\n case H2_SS_OPEN:\n break;\n case H2_SS_CLOSED_L:\n close_output(stream);\n break;\n case H2_SS_CLOSED_R:\n close_input(stream);\n break;\n case H2_SS_CLOSED:\n close_input(stream);\n close_output(stream);\n if (stream->out_buffer) {\n apr_brigade_cleanup(stream->out_buffer);\n }\n break;\n case H2_SS_CLEANUP:\n break;\n }\n on_state_enter(stream);\n return APR_SUCCESS;\n}", "project": "httpd", "hash": 158452661274333614275547424502350512135, "size": 44, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284237 }, { "func": "static inline u16 kvm_read_ldt(void)\n{\n\tu16 
ldt;\n\tasm(\"sldt %0\" : \"=g\"(ldt));\n\treturn ldt;\n}", "project": "kvm", "hash": 37598819852156318512216533523503032729, "size": 6, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437570 }, { "func": "static void nfs41_call_sync_done(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs4_call_sync_data *data = calldata;\n\n\tnfs41_sequence_done(task, data->seq_res);\n}", "project": "linux", "hash": 301757968042790398983598528175382536140, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431469 }, { "func": "static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev,\n\t\t\t\t\t\tstruct sk_buff *skb)\n{\n\t__u8 *sent, status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);\n\tif (!sent)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tif (*sent)\n\t\thci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);\n\telse\n\t\thci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 37898881837336600282481134621961958459, "size": 23, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix 
slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431913 }, { "func": "static void on_state_enter(h2_stream *stream) \n{\n if (stream->monitor && stream->monitor->on_state_enter) {\n stream->monitor->on_state_enter(stream->monitor->ctx, stream);\n }\n}", "project": "httpd", "hash": 284425661016703342557286807946662083524, "size": 6, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284234 }, { "func": "extern \"C\" int64_t enc_untrusted_syscall(int sysno, ...) 
{\n if (!enc_is_error_handler_set()) {\n enc_set_error_handler(default_error_handler);\n }\n\n asylo::system_call::SystemCallDescriptor descriptor{sysno};\n if (!descriptor.is_valid()) {\n error_handler(\"system_call.cc: Invalid SystemCallDescriptor encountered.\");\n }\n\n // Collect the passed parameter list into an array.\n std::array parameters;\n va_list args;\n va_start(args, sysno);\n for (int i = 0; i < descriptor.parameter_count(); i++) {\n parameters[i] = va_arg(args, uint64_t);\n }\n va_end(args);\n\n // Allocate a buffer for the serialized request.\n asylo::primitives::Extent request;\n asylo::primitives::PrimitiveStatus status;\n status = asylo::system_call::SerializeRequest(sysno, parameters, &request);\n if (!status.ok()) {\n error_handler(\n \"system_call.cc: Encountered serialization error when serializing \"\n \"syscall parameters.\");\n }\n\n std::unique_ptr request_owner(request.As());\n\n // Invoke the system call dispatch callback to execute the system call.\n uint8_t *response_buffer;\n size_t response_size;\n\n if (!enc_is_syscall_dispatcher_set()) {\n error_handler(\"system_.cc: system call dispatcher not set.\");\n }\n status = global_syscall_callback(request.As(), request.size(),\n &response_buffer, &response_size);\n if (!status.ok()) {\n error_handler(\n \"system_call.cc: Callback from syscall dispatcher was unsuccessful.\");\n }\n\n std::unique_ptr response_owner(response_buffer);\n\n if (!response_buffer) {\n error_handler(\n \"system_call.cc: null response buffer received for the syscall.\");\n }\n\n // Copy outputs back into pointer parameters.\n auto response_reader =\n asylo::system_call::MessageReader({response_buffer, response_size});\n const asylo::primitives::PrimitiveStatus response_status =\n response_reader.Validate();\n if (!response_status.ok()) {\n error_handler(\n \"system_call.cc: Error deserializing response buffer into response \"\n \"reader.\");\n }\n\n for (int i = 0; i < asylo::system_call::kParameterMax; i++) {\n 
asylo::system_call::ParameterDescriptor parameter = descriptor.parameter(i);\n if (parameter.is_out()) {\n size_t size;\n if (parameter.is_fixed()) {\n size = parameter.size();\n } else {\n size = parameters[parameter.size()] * parameter.element_size();\n }\n const void *src = response_reader.parameter_address(i);\n void *dst = reinterpret_cast(parameters[i]);\n if (dst != nullptr) {\n memcpy(dst, src, size);\n }\n }\n }\n\n uint64_t result = response_reader.header()->result;\n if (static_cast(result) == -1) {\n int klinux_errno = response_reader.header()->error_number;\n\n // Simply having a return value of -1 from a syscall is not a necessary\n // condition that the syscall failed. Some syscalls can return -1 when\n // successful (eg., lseek). The reliable way to check for syscall failure is\n // to therefore check both return value and presence of a non-zero errno.\n if (klinux_errno != 0) {\n errno = FromkLinuxErrno(klinux_errno);\n }\n }\n return result;\n}", "project": "asylo", "hash": 130310869398981487889556909042186639572, "size": 94, "commit_id": "90d7619e9dd99bcdb6cd28c7649d741d254d9a1a", "message": "Add sysno check in MessageReader\n\nThe sysno in MessageReader is interpreted from the Message header passed\nfrom the host. A malicious Message header may provide a modified sysno\nto bypass the validation, and overwrites enclave memory. This change\nadds a check for sysno to make sure it matches the expected value.\n\nThis issue was reported by Qinkun Bao, Zhaofeng Chen, Mingshen Sun, and\nKang Li from Baidu Security.\n\nPiperOrigin-RevId: 377328054\nChange-Id: I3ff6f60694d3390f66da89d139cf7cc7b49abaea", "target": 1, "dataset": "other", "idx": 196939 }, { "func": "extern \"C\" int64_t enc_untrusted_syscall(int sysno, ...) 
{\n if (!enc_is_error_handler_set()) {\n enc_set_error_handler(default_error_handler);\n }\n\n asylo::system_call::SystemCallDescriptor descriptor{sysno};\n if (!descriptor.is_valid()) {\n error_handler(\"system_call.cc: Invalid SystemCallDescriptor encountered.\");\n }\n\n // Collect the passed parameter list into an array.\n std::array parameters;\n va_list args;\n va_start(args, sysno);\n for (int i = 0; i < descriptor.parameter_count(); i++) {\n parameters[i] = va_arg(args, uint64_t);\n }\n va_end(args);\n\n // Allocate a buffer for the serialized request.\n asylo::primitives::Extent request;\n asylo::primitives::PrimitiveStatus status;\n status = asylo::system_call::SerializeRequest(sysno, parameters, &request);\n if (!status.ok()) {\n error_handler(\n \"system_call.cc: Encountered serialization error when serializing \"\n \"syscall parameters.\");\n }\n\n std::unique_ptr request_owner(request.As());\n\n // Invoke the system call dispatch callback to execute the system call.\n uint8_t *response_buffer;\n size_t response_size;\n\n if (!enc_is_syscall_dispatcher_set()) {\n error_handler(\"system_.cc: system call dispatcher not set.\");\n }\n status = global_syscall_callback(request.As(), request.size(),\n &response_buffer, &response_size);\n if (!status.ok()) {\n error_handler(\n \"system_call.cc: Callback from syscall dispatcher was unsuccessful.\");\n }\n\n std::unique_ptr response_owner(response_buffer);\n\n if (!response_buffer) {\n error_handler(\n \"system_call.cc: null response buffer received for the syscall.\");\n }\n\n // Copy outputs back into pointer parameters.\n auto response_reader =\n asylo::system_call::MessageReader({response_buffer, response_size});\n if (response_reader.sysno() != sysno) {\n error_handler(\"system_call.cc: Unexpected sysno in response\");\n }\n const asylo::primitives::PrimitiveStatus response_status =\n response_reader.Validate();\n if (!response_status.ok()) {\n error_handler(\n \"system_call.cc: Error deserializing 
response buffer into response \"\n \"reader.\");\n }\n\n for (int i = 0; i < asylo::system_call::kParameterMax; i++) {\n asylo::system_call::ParameterDescriptor parameter = descriptor.parameter(i);\n if (parameter.is_out()) {\n size_t size;\n if (parameter.is_fixed()) {\n size = parameter.size();\n } else {\n size = parameters[parameter.size()] * parameter.element_size();\n }\n const void *src = response_reader.parameter_address(i);\n void *dst = reinterpret_cast(parameters[i]);\n if (dst != nullptr) {\n memcpy(dst, src, size);\n }\n }\n }\n\n uint64_t result = response_reader.header()->result;\n if (static_cast(result) == -1) {\n int klinux_errno = response_reader.header()->error_number;\n\n // Simply having a return value of -1 from a syscall is not a necessary\n // condition that the syscall failed. Some syscalls can return -1 when\n // successful (eg., lseek). The reliable way to check for syscall failure is\n // to therefore check both return value and presence of a non-zero errno.\n if (klinux_errno != 0) {\n errno = FromkLinuxErrno(klinux_errno);\n }\n }\n return result;\n}", "project": "asylo", "hash": 301481568949052192969768700409775374312, "size": 97, "commit_id": "90d7619e9dd99bcdb6cd28c7649d741d254d9a1a", "message": "Add sysno check in MessageReader\n\nThe sysno in MessageReader is interpreted from the Message header passed\nfrom the host. A malicious Message header may provide a modified sysno\nto bypass the validation, and overwrites enclave memory. 
This change\nadds a check for sysno to make sure it matches the expected value.\n\nThis issue was reported by Qinkun Bao, Zhaofeng Chen, Mingshen Sun, and\nKang Li from Baidu Security.\n\nPiperOrigin-RevId: 377328054\nChange-Id: I3ff6f60694d3390f66da89d139cf7cc7b49abaea", "target": 0, "dataset": "other", "idx": 248772 }, { "func": "static int do_unstore_file(struct archive_read* a,\n struct rar5* rar, const void** buf, size_t* size, int64_t* offset)\n{\n\tsize_t to_read;\n\tconst uint8_t* p;\n\n\tif(rar->file.bytes_remaining == 0 && rar->main.volume > 0 &&\n\t rar->generic.split_after > 0)\n\t{\n\t\tint ret;\n\n\t\trar->cstate.switch_multivolume = 1;\n\t\tret = advance_multivolume(a);\n\t\trar->cstate.switch_multivolume = 0;\n\n\t\tif(ret != ARCHIVE_OK) {\n\t\t\t/* Failed to advance to next multivolume archive\n\t\t\t * file. */\n\t\t\treturn ret;\n\t\t}\n\t}\n\n\tto_read = rar5_min(rar->file.bytes_remaining, 64 * 1024);\n\tif(to_read == 0) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\tif(!read_ahead(a, to_read, &p)) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"I/O error when unstoring file\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tif(ARCHIVE_OK != consume(a, to_read)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\tif(buf) *buf = p;\n\tif(size) *size = to_read;\n\tif(offset) *offset = rar->cstate.last_unstore_ptr;\n\n\trar->file.bytes_remaining -= to_read;\n\trar->cstate.last_unstore_ptr += to_read;\n\n\tupdate_crc(rar, p, to_read);\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 222166504600905021461549813479276406811, "size": 47, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244740 }, { "func": "int CLua::push_args(lua_State *ls, const char *format, va_list args,\n va_list *targ)\n{\n if (!format)\n {\n if (targ)\n va_copy(*targ, args);\n return 0;\n }\n\n const char *cs = strchr(format, ':');\n if (cs)\n format = cs + 1;\n\n int argc = 0;\n for (const char *run = format; *run; run++)\n {\n if (*run == '>')\n break;\n\n char argtype = *run;\n ++argc;\n switch (argtype)\n {\n case 'u': // Light userdata\n lua_pushlightuserdata(ls, va_arg(args, void*));\n break;\n case 'i':\n clua_push_item(ls, va_arg(args, item_def*));\n break;\n case 's': // String\n {\n const char *s = va_arg(args, const char *);\n if (s)\n lua_pushstring(ls, s);\n else\n lua_pushnil(ls);\n break;\n }\n case 'd': // Integer\n lua_pushnumber(ls, va_arg(args, int));\n break;\n case 'L':\n die(\"ambiguous long in Lua push_args\");\n lua_pushnumber(ls, va_arg(args, long));\n break;\n case 'b':\n lua_pushboolean(ls, va_arg(args, int));\n break;\n case 'D':\n clua_push_dgn_event(ls, va_arg(args, const dgn_event *));\n break;\n case 'm':\n clua_push_map(ls, va_arg(args, map_def *));\n break;\n case 'M':\n push_monster(ls, va_arg(args, monster*));\n break;\n case 'I':\n lua_push_moninf(ls, va_arg(args, monster_info *));\n break;\n case 'A':\n argc += push_activity_interrupt(\n ls, va_arg(args, activity_interrupt_data *));\n break;\n default:\n --argc;\n break;\n }\n }\n if (targ)\n va_copy(*targ, args);\n return argc;\n}", "project": "crawl", "hash": 75829387533579342319035576130005604927, "size": 74, "commit_id": 
"768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230468 }, { "func": "static int kvm_stat_data_get(void *data, u64 *val)\n{\n\tint r = -EFAULT;\n\tstruct kvm_stat_data *stat_data = (struct kvm_stat_data *)data;\n\n\tswitch (stat_data->dbgfs_item->kind) {\n\tcase KVM_STAT_VM:\n\t\tr = kvm_get_stat_per_vm(stat_data->kvm,\n\t\t\t\t\tstat_data->dbgfs_item->offset, val);\n\t\tbreak;\n\tcase KVM_STAT_VCPU:\n\t\tr = kvm_get_stat_per_vcpu(stat_data->kvm,\n\t\t\t\t\t stat_data->dbgfs_item->offset, val);\n\t\tbreak;\n\t}\n\n\treturn r;\n}", "project": "linux", "hash": 27545540079749133026096907966461211834, "size": 18, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354832 }, { "func": "static int on_frame_send(h2_stream_state_t state, int frame_type)\n{\n return on_frame(state, frame_type, trans_on_send, H2_ALEN(trans_on_send));\n}", "project": "httpd", "hash": 308236795239872289927575889317666981291, "size": 4, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284259 }, { 
"func": "void lj_trace_flushproto(global_State *g, GCproto *pt)\n{\n while (pt->trace != 0)\n trace_flushroot(G2J(g), traceref(G2J(g), pt->trace));\n}", "project": "LuaJIT", "hash": 98784577702538901747012487329498174575, "size": 5, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394623 }, { "func": "static size_t cdeque_size(struct cdeque* d) {\n\treturn d->size;\n}", "project": "libarchive", "hash": 248327125740276119597552702287084592325, "size": 3, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244681 }, { "func": "#ifdef CONFIG_SLUB_DEBUG\nvoid get_slabinfo(struct kmem_cache *s, struct slabinfo *sinfo)\n{\n\tunsigned long nr_slabs = 0;\n\tunsigned long nr_objs = 0;\n\tunsigned long nr_free = 0;\n\tint node;\n\tstruct kmem_cache_node *n;\n\n\tfor_each_kmem_cache_node(s, node, n) {\n\t\tnr_slabs += node_nr_slabs(n);\n\t\tnr_objs += node_nr_objs(n);\n\t\tnr_free += count_partial(n, count_free);\n\t}\n\n\tsinfo->active_objs = nr_objs - nr_free;\n\tsinfo->num_objs = nr_objs;\n\tsinfo->active_slabs = nr_slabs;\n\tsinfo->num_slabs = nr_slabs;\n\tsinfo->objects_per_slab = oo_objects(s->oo);\n\tsinfo->cache_order = oo_order(s->oo);", "project": "linux", 
"hash": 90046924632493781646167896514837258542, "size": 21, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280137 }, { "func": "static void stimer_cleanup(struct kvm_vcpu_hv_stimer *stimer)\n{\n\tstruct kvm_vcpu *vcpu = hv_stimer_to_vcpu(stimer);\n\n\ttrace_kvm_hv_stimer_cleanup(hv_stimer_to_vcpu(stimer)->vcpu_id,\n\t\t\t\t stimer->index);\n\n\thrtimer_cancel(&stimer->timer);\n\tclear_bit(stimer->index,\n\t\t to_hv_vcpu(vcpu)->stimer_pending_bitmap);\n\tstimer->msg_pending = false;\n\tstimer->exp_time = 0;\n}", "project": "linux", "hash": 288630239026670431585226158385618246060, "size": 13, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 
arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343509 }, { "func": "static int verify_global_checksums(struct archive_read* a) {\n\treturn verify_checksums(a);\n}", "project": "libarchive", "hash": 322556860735932309576796083279784527015, "size": 3, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244812 }, { "func": "void get_random_bytes(void *buf, int nbytes)\n{\n\textract_entropy(&nonblocking_pool, buf, nbytes, 0, 0);\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 321400608695862777166739845771305909820, "size": 4, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. 
I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499904 }, { "func": "static void queue_request(struct intel_engine_cs *engine,\n\t\t\t struct i915_sched_node *node,\n\t\t\t int prio)\n{\n\tGEM_BUG_ON(!list_empty(&node->link));\n\tlist_add_tail(&node->link, i915_sched_lookup_priolist(engine, prio));\n}", "project": "linux", "hash": 321109221455867855706513738152715132834, "size": 7, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281461 }, { "func": "DLLEXPORT int DLLCALL tjEncodeYUV(tjhandle handle, unsigned char *srcBuf,\n\tint width, int pitch, int height, int pixelSize, unsigned char *dstBuf,\n\tint subsamp, int flags)\n{\n\treturn tjEncodeYUV2(handle, srcBuf, width, pitch, height,\n\t\tgetPixelFormat(pixelSize, flags), dstBuf, subsamp, flags);\n}", "project": "libjpeg-turbo", "hash": 19577549776927734745822612803021791624, "size": 7, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311121 }, { "func": "HttpStateData::handle1xx(HttpReply *reply)\n{\n HttpReply::Pointer msg(reply); // will destroy reply if unused\n\n // one 1xx at a time: we must not be called while waiting for previous 1xx\n Must(!flags.handling1xx);\n flags.handling1xx = true;\n\n if (!request->canHandle1xx() || request->forcedBodyContinuation) {\n debugs(11, 2, \"ignoring 1xx because it is \" << (request->forcedBodyContinuation ? 
\"already sent\" : \"not supported by client\"));\n proceedAfter1xx();\n return;\n }\n\n#if USE_HTTP_VIOLATIONS\n // check whether the 1xx response forwarding is allowed by squid.conf\n if (Config.accessList.reply) {\n ACLFilledChecklist ch(Config.accessList.reply, originalRequest(), NULL);\n ch.al = fwd->al;\n ch.reply = reply;\n ch.syncAle(originalRequest(), nullptr);\n HTTPMSGLOCK(ch.reply);\n if (!ch.fastCheck().allowed()) { // TODO: support slow lookups?\n debugs(11, 3, HERE << \"ignoring denied 1xx\");\n proceedAfter1xx();\n return;\n }\n }\n#endif // USE_HTTP_VIOLATIONS\n\n debugs(11, 2, HERE << \"forwarding 1xx to client\");\n\n // the Sink will use this to call us back after writing 1xx to the client\n typedef NullaryMemFunT CbDialer;\n const AsyncCall::Pointer cb = JobCallback(11, 3, CbDialer, this,\n HttpStateData::proceedAfter1xx);\n CallJobHere1(11, 4, request->clientConnectionManager, ConnStateData,\n ConnStateData::sendControlMsg, HttpControlMsg(msg, cb));\n // If the call is not fired, then the Sink is gone, and HttpStateData\n // will terminate due to an aborted store entry or another similar error.\n // If we get stuck, it is not handle1xx fault if we could get stuck\n // for similar reasons without a 1xx response.\n}", "project": "squid", "hash": 60871075458953236209450177994262386915, "size": 43, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402329 }, { "func": "static __poll_t hung_up_tty_poll(struct file *filp, poll_table *wait)\n{\n\treturn EPOLLIN | EPOLLOUT | EPOLLERR | EPOLLHUP | EPOLLRDNORM | EPOLLWRNORM;\n}", "project": "linux", "hash": 69249675467172577416410617510078562565, "size": 4, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325969 }, { "func": "static void nested_prepare_vmcb_control(struct vcpu_svm *svm)\n{\n\tconst u32 mask = V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK;\n\n\tif (nested_npt_enabled(svm))\n\t\tnested_svm_init_mmu_context(&svm->vcpu);\n\n\tsvm->vmcb->control.tsc_offset = svm->vcpu.arch.tsc_offset =\n\t\tsvm->vcpu.arch.l1_tsc_offset + svm->nested.ctl.tsc_offset;\n\n\tsvm->vmcb->control.int_ctl =\n\t\t(svm->nested.ctl.int_ctl & ~mask) |\n\t\t(svm->nested.hsave->control.int_ctl & mask);\n\n\tsvm->vmcb->control.virt_ext = svm->nested.ctl.virt_ext;\n\tsvm->vmcb->control.int_vector = svm->nested.ctl.int_vector;\n\tsvm->vmcb->control.int_state = svm->nested.ctl.int_state;\n\tsvm->vmcb->control.event_inj = svm->nested.ctl.event_inj;\n\tsvm->vmcb->control.event_inj_err = svm->nested.ctl.event_inj_err;\n\n\tsvm->vmcb->control.pause_filter_count = svm->nested.ctl.pause_filter_count;\n\tsvm->vmcb->control.pause_filter_thresh = svm->nested.ctl.pause_filter_thresh;\n\n\t/* Enter Guest-Mode */\n\tenter_guest_mode(&svm->vcpu);\n\n\t/*\n\t * Merge guest and host intercepts - must be called with vcpu in\n\t * guest-mode to take affect here\n\t 
*/\n\trecalc_intercepts(svm);\n\n\tvmcb_mark_all_dirty(svm->vmcb);\n}", "project": "linux", "hash": 99159018443887676473399664211688385760, "size": 34, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376664 }, { "func": "static void free_trace_buffer(struct trace_buffer *buf)\n{\n\tif (buf->buffer) {\n\t\tring_buffer_free(buf->buffer);\n\t\tbuf->buffer = NULL;\n\t\tfree_percpu(buf->data);\n\t\tbuf->data = NULL;\n\t}\n}", "project": "linux", "hash": 43691073484487524787130292805672641775, "size": 9, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445788 }, { "func": "void ItemStackMetadata::updateToolCapabilities()\n{\n\tif (contains(TOOLCAP_KEY)) {\n\t\ttoolcaps_overridden = true;\n\t\ttoolcaps_override = ToolCapabilities();\n\t\tstd::istringstream is(getString(TOOLCAP_KEY));\n\t\ttoolcaps_override.deserializeJson(is);\n\t} else {\n\t\ttoolcaps_overridden = false;\n\t}\n}", "project": "minetest", "hash": 249032365163321944272308750198952787817, "size": 11, "commit_id": "b5956bde259faa240a81060ff4e598e25ad52dae", "message": "Sanitize ItemStack meta text", "target": 0, "dataset": "other", "idx": 279958 }, { "func": "static void tcp_send_dupack(struct sock *sk, const struct sk_buff *skb)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\tif (TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq &&\n\t before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {\n\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_DELAYEDACKLOST);\n\t\ttcp_enter_quickack_mode(sk);\n\n\t\tif (tcp_is_sack(tp) && sysctl_tcp_dsack) {\n\t\t\tu32 end_seq = TCP_SKB_CB(skb)->end_seq;\n\n\t\t\tif (after(TCP_SKB_CB(skb)->end_seq, tp->rcv_nxt))\n\t\t\t\tend_seq = tp->rcv_nxt;\n\t\t\ttcp_dsack_set(sk, TCP_SKB_CB(skb)->seq, end_seq);\n\t\t}\n\t}\n\n\ttcp_send_ack(sk);\n}", "project": "net-next", "hash": 164655539099330211911957178154105541018, "size": 20, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric 
Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409901 }, { "func": "\treturn err;\n}\n\nstatic int iscsi_login_flashnode(struct iscsi_transport *transport,\n\t\t\t\t struct iscsi_uevent *ev)\n{\n\tstruct Scsi_Host *shost;\n\tstruct iscsi_bus_flash_session *fnode_sess;\n\tstruct iscsi_bus_flash_conn *fnode_conn;\n\tstruct device *dev;\n\tuint32_t idx;\n\tint err = 0;\n\n\tif (!transport->login_flashnode) {\n\t\terr = -ENOSYS;\n\t\tgoto exit_login_fnode;\n\t}\n\n\tshost = scsi_host_lookup(ev->u.login_flashnode.host_no);\n\tif (!shost) {\n\t\tpr_err(\"%s could not find host no %u\\n\",\n\t\t __func__, ev->u.login_flashnode.host_no);\n\t\terr = -ENODEV;\n\t\tgoto put_host;\n\t}\n\n\tidx = ev->u.login_flashnode.flashnode_idx;\n\tfnode_sess = iscsi_get_flashnode_by_index(shost, idx);\n\tif (!fnode_sess) {\n\t\tpr_err(\"%s could not find flashnode %u for host no %u\\n\",\n\t\t __func__, idx, ev->u.login_flashnode.host_no);\n\t\terr = -ENODEV;\n\t\tgoto put_host;\n\t}\n\n\tdev = iscsi_find_flashnode_conn(fnode_sess);\n\tif (!dev) {\n\t\terr = -ENODEV;\n\t\tgoto put_sess;\n\t}\n\n\tfnode_conn = iscsi_dev_to_flash_conn(dev);\n\terr = transport->login_flashnode(fnode_sess, fnode_conn);\n\tput_device(dev);\n\nput_sess:\n\tput_device(&fnode_sess->dev);\n\nput_host:\n\tscsi_host_put(shost);\n", "project": "linux", "hash": 21503789904227339937747424361575734366, "size": 51, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379995 }, { "func": "FastHufDecoder::refill\n (Int64 &buffer,\n int numBits, // number of bits to refill\n Int64 &bufferBack, // the next 64-bits, to refill from\n int &bufferBackNumBits, // number of bits left in bufferBack\n const unsigned char *&currByte, // current byte in the bitstream\n int &currBitsLeft) // number of bits left in the bitsream\n{\n // \n // Refill bits into the bottom of buffer, from the top of bufferBack.\n // Always top up buffer to be completely full.\n //\n\n buffer |= bufferBack >> (64 - numBits);\n\n if (bufferBackNumBits < numBits)\n {\n numBits -= bufferBackNumBits;\n\n // \n // Refill all of bufferBack from the bitstream. Either grab\n // a full 64-bit chunk, or whatever bytes are left. If we\n // don't have 64-bits left, pad with 0's.\n //\n\n if (currBitsLeft >= 64)\n {\n bufferBack = READ64 (currByte); \n bufferBackNumBits = 64;\n currByte += sizeof (Int64);\n currBitsLeft -= 8 * sizeof (Int64);\n\n }\n else\n {\n bufferBack = 0;\n bufferBackNumBits = 64; \n\n Int64 shift = 56;\n \n while (currBitsLeft > 0)\n {\n bufferBack |= ((Int64)(*currByte)) << shift;\n\n currByte++;\n shift -= 8;\n currBitsLeft -= 8;\n }\n\n //\n // At this point, currBitsLeft might be negative, just because\n // we're subtracting whole bytes. To keep anyone from freaking\n // out, zero the counter.\n //\n\n if (currBitsLeft < 0)\n currBitsLeft = 0;\n }\n\n buffer |= bufferBack >> (64 - numBits);\n }\n \n bufferBack = bufferBack << numBits;\n bufferBackNumBits -= numBits;\n\n // \n // We can have cases where the previous shift of bufferBack is << 64 - \n // in which case no shift occurs. 
The bit count math still works though,\n // so if we don't have any bits left, zero out bufferBack.\n //\n\n if (bufferBackNumBits == 0)\n bufferBack = 0;\n}", "project": "openexr", "hash": 79087200757006272695816197982526818574, "size": 74, "commit_id": "c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f", "message": "compute Huf codelengths using 64 bit to prevent shift overflow\n\nSigned-off-by: Peter Hillman ", "target": 0, "dataset": "other", "idx": 413444 }, { "func": "void init_h323_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)\n{\n ndpi_set_bitmask_protocol_detection(\"H323\", ndpi_struct, detection_bitmask, *id,\n\t\t\t\t NDPI_PROTOCOL_H323,\n\t\t\t\t ndpi_search_h323,\n\t\t\t\t NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD,\n\t\t\t\t SAVE_DETECTION_BITMASK_AS_UNKNOWN,\n\t\t\t\t ADD_TO_DETECTION_BITMASK);\n\n *id += 1;\n}", "project": "nDPI", "hash": 203557753152660360302990018269682780925, "size": 11, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254823 }, { "func": "void CSoundFile::FineVibrato(ModChannel *p, uint32 param) const\n{\n\tif (param & 0x0F) p->nVibratoDepth = param & 0x0F;\n\tif (param & 0xF0) p->nVibratoSpeed = (param >> 4) & 0x0F;\n\tp->dwFlags.set(CHN_VIBRATO);\n\t// ST3 compatibility: Do not distinguish between vibrato types in effect memory\n\t// Test case: VibratoTypeChange.s3m\n\tif(m_playBehaviour[kST3VibratoMemory] && (param & 0x0F))\n\t{\n\t\tp->nVibratoDepth *= 4u;\n\t}\n}", "project": "openmpt", "hash": 184250301736848726540017641413673747928, "size": 12, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to 
IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255193 }, { "func": "void input_set_capability(struct input_dev *dev, unsigned int type, unsigned int code)\n{\n\tswitch (type) {\n\tcase EV_KEY:\n\t\t__set_bit(code, dev->keybit);\n\t\tbreak;\n\n\tcase EV_REL:\n\t\t__set_bit(code, dev->relbit);\n\t\tbreak;\n\n\tcase EV_ABS:\n\t\tinput_alloc_absinfo(dev);\n\t\tif (!dev->absinfo)\n\t\t\treturn;\n\n\t\t__set_bit(code, dev->absbit);\n\t\tbreak;\n\n\tcase EV_MSC:\n\t\t__set_bit(code, dev->mscbit);\n\t\tbreak;\n\n\tcase EV_SW:\n\t\t__set_bit(code, dev->swbit);\n\t\tbreak;\n\n\tcase EV_LED:\n\t\t__set_bit(code, dev->ledbit);\n\t\tbreak;\n\n\tcase EV_SND:\n\t\t__set_bit(code, dev->sndbit);\n\t\tbreak;\n\n\tcase EV_FF:\n\t\t__set_bit(code, dev->ffbit);\n\t\tbreak;\n\n\tcase EV_PWR:\n\t\t/* do nothing */\n\t\tbreak;\n\n\tdefault:\n\t\tpr_err(\"%s: unknown type %u (code %u)\\n\", __func__, type, code);\n\t\tdump_stack();\n\t\treturn;\n\t}\n\n\t__set_bit(type, dev->evbit);\n}", "project": "linux", "hash": 243483460354582884895933865868064269404, "size": 51, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353322 }, { "func": "}\n\nstatic int\niscsi_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev)\n{\n\tchar *data = (char*)ev + sizeof(*ev);\n\tstruct iscsi_cls_conn *conn;\n\tstruct iscsi_cls_session *session;\n\tint err = 0, value = 0;\n\n\tif (ev->u.set_param.len > PAGE_SIZE)\n\t\treturn -EINVAL;\n\n\tsession = iscsi_session_lookup(ev->u.set_param.sid);\n\tconn = iscsi_conn_lookup(ev->u.set_param.sid, ev->u.set_param.cid);\n\tif (!conn || !session)\n\t\treturn -EINVAL;\n\n\tswitch (ev->u.set_param.param) {\n\tcase ISCSI_PARAM_SESS_RECOVERY_TMO:\n\t\tsscanf(data, \"%d\", &value);\n\t\tif (!session->recovery_tmo_sysfs_override)\n\t\t\tsession->recovery_tmo = value;\n\t\tbreak;\n\tdefault:\n\t\terr = transport->set_param(conn, ev->u.set_param.param,\n\t\t\t\t\t data, ev->u.set_param.len);\n\t}", "project": "linux", "hash": 89338697950813937735149692091132370218, "size": 28, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 380007 }, { "func": "R_API char *r_str_dup(char *ptr, const char *string) {\n\tfree (ptr);\n\treturn r_str_new (string);\n}", "project": "radare2", "hash": 166006970073931196937266654404868760187, "size": 4, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268882 }, { "func": "static void update_bp_intercept(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tclr_exception_intercept(svm, BP_VECTOR);\n\n\tif (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {\n\t\tif (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)\n\t\t\tset_exception_intercept(svm, BP_VECTOR);\n\t} else\n\t\tvcpu->guest_debug = 0;\n}", "project": "linux", "hash": 94691444634290258300965335197013965966, "size": 12, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential 
memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432493 }, { "func": "static struct bfq_queue *\nbfq_choose_bfqq_for_injection(struct bfq_data *bfqd)\n{\n\tstruct bfq_queue *bfqq, *in_serv_bfqq = bfqd->in_service_queue;\n\tunsigned int limit = in_serv_bfqq->inject_limit;\n\t/*\n\t * If\n\t * - bfqq is not weight-raised and therefore does not carry\n\t * time-critical I/O,\n\t * or\n\t * - regardless of whether bfqq is weight-raised, bfqq has\n\t * however a long think time, during which it can absorb the\n\t * effect of an appropriate number of extra I/O requests\n\t * from other queues (see bfq_update_inject_limit for\n\t * details on the computation of this number);\n\t * then injection can be performed without restrictions.\n\t */\n\tbool in_serv_always_inject = in_serv_bfqq->wr_coeff == 1 ||\n\t\t!bfq_bfqq_has_short_ttime(in_serv_bfqq);\n\n\t/*\n\t * If\n\t * - the baseline total service time could not be sampled yet,\n\t * so the inject limit happens to be still 0, and\n\t * - a lot of time has elapsed since the plugging of I/O\n\t * dispatching started, so drive speed is being wasted\n\t * significantly;\n\t * then temporarily raise inject limit to one request.\n\t */\n\tif (limit == 0 && in_serv_bfqq->last_serv_time_ns == 0 &&\n\t bfq_bfqq_wait_request(in_serv_bfqq) &&\n\t time_is_before_eq_jiffies(bfqd->last_idling_start_jiffies +\n\t\t\t\t bfqd->bfq_slice_idle)\n\t\t)\n\t\tlimit = 1;\n\n\tif (bfqd->rq_in_driver >= limit)\n\t\treturn NULL;\n\n\t/*\n\t * Linear search of the source queue for injection; but, with\n\t * a high probability, very few steps are needed to find a\n\t * candidate queue, i.e., a queue with enough budget left 
for\n\t * its next request. In fact:\n\t * - BFQ dynamically updates the budget of every queue so as\n\t * to accommodate the expected backlog of the queue;\n\t * - if a queue gets all its requests dispatched as injected\n\t * service, then the queue is removed from the active list\n\t * (and re-added only if it gets new requests, but then it\n\t * is assigned again enough budget for its new backlog).\n\t */\n\tlist_for_each_entry(bfqq, &bfqd->active_list, bfqq_list)\n\t\tif (!RB_EMPTY_ROOT(&bfqq->sort_list) &&\n\t\t (in_serv_always_inject || bfqq->wr_coeff > 1) &&\n\t\t bfq_serv_to_charge(bfqq->next_rq, bfqq) <=\n\t\t bfq_bfqq_budget_left(bfqq)) {\n\t\t\t/*\n\t\t\t * Allow for only one large in-flight request\n\t\t\t * on non-rotational devices, for the\n\t\t\t * following reason. On non-rotationl drives,\n\t\t\t * large requests take much longer than\n\t\t\t * smaller requests to be served. In addition,\n\t\t\t * the drive prefers to serve large requests\n\t\t\t * w.r.t. to small ones, if it can choose. So,\n\t\t\t * having more than one large requests queued\n\t\t\t * in the drive may easily make the next first\n\t\t\t * request of the in-service queue wait for so\n\t\t\t * long to break bfqq's service guarantees. 
On\n\t\t\t * the bright side, large requests let the\n\t\t\t * drive reach a very high throughput, even if\n\t\t\t * there is only one in-flight large request\n\t\t\t * at a time.\n\t\t\t */\n\t\t\tif (blk_queue_nonrot(bfqd->queue) &&\n\t\t\t blk_rq_sectors(bfqq->next_rq) >=\n\t\t\t BFQQ_SECT_THR_NONROT)\n\t\t\t\tlimit = min_t(unsigned int, 1, limit);\n\t\t\telse\n\t\t\t\tlimit = in_serv_bfqq->inject_limit;\n\n\t\t\tif (bfqd->rq_in_driver < limit) {\n\t\t\t\tbfqd->rqs_injected = true;\n\t\t\t\treturn bfqq;\n\t\t\t}\n\t\t}\n\n\treturn NULL;", "project": "linux", "hash": 332084619210056061733220572199088613293, "size": 87, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453388 }, { "func": "static int test_set(struct libmnt_test *ts, int argc, char *argv[])\n{\n\tconst char *value = NULL, *name;\n\tchar *optstr;\n\tint rc;\n\n\tif (argc < 3)\n\t\treturn -EINVAL;\n\toptstr = xstrdup(argv[1]);\n\tname = argv[2];\n\n\tif (argc == 4)\n\t\tvalue = argv[3];\n\n\trc = mnt_optstr_set_option(&optstr, name, value);\n\tif (!rc)\n\t\tprintf(\"result: >%s<\\n\", optstr);\n\tfree(optstr);\n\treturn rc;\n}", "project": "util-linux", "hash": 70707047555639809074841867811208940295, "size": 20, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410392 }, { "func": "static int 
tcp_parse_aligned_timestamp(struct tcp_sock *tp, const struct tcphdr *th)\n{\n\tconst __be32 *ptr = (const __be32 *)(th + 1);\n\n\tif (*ptr == htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16)\n\t\t\t | (TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP)) {\n\t\ttp->rx_opt.saw_tstamp = 1;\n\t\t++ptr;\n\t\ttp->rx_opt.rcv_tsval = ntohl(*ptr);\n\t\t++ptr;\n\t\ttp->rx_opt.rcv_tsecr = ntohl(*ptr);\n\t\treturn 1;\n\t}\n\treturn 0;\n}", "project": "net-next", "hash": 198912827383991792396955206810771183247, "size": 15, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409960 }, { "func": "static uint32 GetFineLinearSlideUpTable (const CSoundFile *sndFile, uint32 i) { MPT_ASSERT(i < CountOf(FineLinearSlideDownTable)); return sndFile->m_playBehaviour[kHertzInLinearMode] ? 
FineLinearSlideUpTable[i] : FineLinearSlideDownTable[i]; }", "project": "openmpt", "hash": 173999332506576322062856151875938267522, "size": 1, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255178 }, { "func": "void tcp_enter_cwr(struct sock *sk, const int set_ssthresh)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tconst struct inet_connection_sock *icsk = inet_csk(sk);\n\n\ttp->prior_ssthresh = 0;\n\ttp->bytes_acked = 0;\n\tif (icsk->icsk_ca_state < TCP_CA_CWR) {\n\t\ttp->undo_marker = 0;\n\t\tif (set_ssthresh)\n\t\t\ttp->snd_ssthresh = icsk->icsk_ca_ops->ssthresh(sk);\n\t\ttp->snd_cwnd = min(tp->snd_cwnd,\n\t\t\t\t tcp_packets_in_flight(tp) + 1U);\n\t\ttp->snd_cwnd_cnt = 0;\n\t\ttp->high_seq = tp->snd_nxt;\n\t\ttp->snd_cwnd_stamp = tcp_time_stamp;\n\t\tTCP_ECN_queue_cwr(tp);\n\n\t\ttcp_set_ca_state(sk, TCP_CA_CWR);\n\t}\n}", "project": "net-next", "hash": 119561743331097219014519775165682070327, "size": 21, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409858 }, { "func": "static struct sk_buff *tcp_sacktag_walk(struct sk_buff *skb, struct sock *sk,\n\t\t\t\t\tstruct tcp_sack_block *next_dup,\n\t\t\t\t\tstruct tcp_sacktag_state *state,\n\t\t\t\t\tu32 start_seq, u32 end_seq,\n\t\t\t\t\tint dup_sack_in)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct sk_buff *tmp;\n\n\ttcp_for_write_queue_from(skb, sk) {\n\t\tint in_sack = 0;\n\t\tint dup_sack = dup_sack_in;\n\n\t\tif (skb == tcp_send_head(sk))\n\t\t\tbreak;\n\n\t\t/* queue is in-order => we can short-circuit the walk early */\n\t\tif (!before(TCP_SKB_CB(skb)->seq, end_seq))\n\t\t\tbreak;\n\n\t\tif ((next_dup != NULL) &&\n\t\t before(TCP_SKB_CB(skb)->seq, next_dup->end_seq)) {\n\t\t\tin_sack = tcp_match_skb_to_sack(sk, skb,\n\t\t\t\t\t\t\tnext_dup->start_seq,\n\t\t\t\t\t\t\tnext_dup->end_seq);\n\t\t\tif (in_sack > 0)\n\t\t\t\tdup_sack = 1;\n\t\t}\n\n\t\t/* skb reference here is a bit tricky to get right, since\n\t\t * shifting can eat and free both this skb and the next,\n\t\t * so not even _safe variant of the loop is enough.\n\t\t */\n\t\tif (in_sack <= 0) {\n\t\t\ttmp = tcp_shift_skb_data(sk, skb, state,\n\t\t\t\t\t\t start_seq, end_seq, dup_sack);\n\t\t\tif (tmp != NULL) {\n\t\t\t\tif (tmp != skb) {\n\t\t\t\t\tskb = tmp;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\n\t\t\t\tin_sack = 0;\n\t\t\t} else {\n\t\t\t\tin_sack = tcp_match_skb_to_sack(sk, skb,\n\t\t\t\t\t\t\t\tstart_seq,\n\t\t\t\t\t\t\t\tend_seq);\n\t\t\t}\n\t\t}\n\n\t\tif (unlikely(in_sack < 0))\n\t\t\tbreak;\n\n\t\tif (in_sack) {\n\t\t\tTCP_SKB_CB(skb)->sacked = tcp_sacktag_one(skb, sk,\n\t\t\t\t\t\t\t\t state,\n\t\t\t\t\t\t\t\t dup_sack,\n\t\t\t\t\t\t\t\t tcp_skb_pcount(skb));\n\n\t\t\tif (!before(TCP_SKB_CB(skb)->seq,\n\t\t\t\t tcp_highest_sack_seq(tp)))\n\t\t\t\ttcp_advance_highest_sack(sk, skb);\n\t\t}\n\n\t\tstate->fack_count += tcp_skb_pcount(skb);\n\t}\n\treturn skb;\n}", "project": "net-next", "hash": 246897400009453836678899256178818964691, "size": 68, 
"commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409935 }, { "func": "static unsigned long ebb_switch_in(bool ebb, struct cpu_hw_events *cpuhw)\n{\n\tunsigned long mmcr0 = cpuhw->mmcr.mmcr0;\n\n\tif (!ebb)\n\t\tgoto out;\n\n\t/* Enable EBB and read/write to all 6 PMCs and BHRB for userspace */\n\tmmcr0 |= MMCR0_EBE | MMCR0_BHRBA | MMCR0_PMCC_U6;\n\n\t/*\n\t * Add any bits from the user MMCR0, FC or PMAO. This is compatible\n\t * with pmao_restore_workaround() because we may add PMAO but we never\n\t * clear it here.\n\t */\n\tmmcr0 |= current->thread.mmcr0;\n\n\t/*\n\t * Be careful not to set PMXE if userspace had it cleared. This is also\n\t * compatible with pmao_restore_workaround() because it has already\n\t * cleared PMXE and we leave PMAO alone.\n\t */\n\tif (!(current->thread.mmcr0 & MMCR0_PMXE))\n\t\tmmcr0 &= ~MMCR0_PMXE;\n\n\tmtspr(SPRN_SIAR, current->thread.siar);\n\tmtspr(SPRN_SIER, current->thread.sier);\n\tmtspr(SPRN_SDAR, current->thread.sdar);\n\n\t/*\n\t * Merge the kernel & user values of MMCR2. The semantics we implement\n\t * are that the user MMCR2 can set bits, ie. cause counters to freeze,\n\t * but not clear bits. 
If a task wants to be able to clear bits, ie.\n\t * unfreeze counters, it should not set exclude_xxx in its events and\n\t * instead manage the MMCR2 entirely by itself.\n\t */\n\tmtspr(SPRN_MMCR2, cpuhw->mmcr.mmcr2 | current->thread.mmcr2);\n\n\tif (ppmu->flags & PPMU_ARCH_31) {\n\t\tmtspr(SPRN_MMCR3, current->thread.mmcr3);\n\t\tmtspr(SPRN_SIER2, current->thread.sier2);\n\t\tmtspr(SPRN_SIER3, current->thread.sier3);\n\t}\nout:\n\treturn mmcr0;\n}", "project": "linux", "hash": 34377301430255904525364220926711902378, "size": 46, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374716 }, { "func": "static unsigned long ebb_switch_in(bool ebb, struct cpu_hw_events *cpuhw)\n{\n\treturn cpuhw->mmcr.mmcr0;\n}", "project": "linux", "hash": 98077185104364019696014543206018921165, "size": 4, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374718 }, { "func": "Status ConvertGraphDefToGraph(const GraphConstructorOptions& opts,\n const GraphDef& gdef, Graph* g) {\n ShapeRefiner refiner(gdef.versions().producer(), g->op_registry());\n return GraphConstructor::Construct(\n opts, gdef.node(), &gdef.versions(), &gdef.library(), g, &refiner,\n /*return_tensors=*/nullptr, /*return_nodes=*/nullptr,\n /*missing_unused_input_map_keys=*/nullptr);\n}", "project": "tensorflow", "hash": 189994220198216630586073217977344428397, "size": 8, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268321 }, { "func": "Status ConvertGraphDefToGraph(const GraphConstructorOptions& opts,\n GraphDef&& gdef, Graph* g) {\n ShapeRefiner refiner(gdef.versions().producer(), g->op_registry());\n return GraphConstructor::Construct(opts, std::move(gdef), g, &refiner,\n /*return_tensors=*/nullptr,\n /*return_nodes=*/nullptr,\n /*missing_unused_input_map_keys=*/nullptr);\n}", "project": "tensorflow", "hash": 54243384788735741135819379655738320, "size": 8, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268327 }, { "func": "AP_DECLARE(void) ap_register_errorlog_handler(apr_pool_t *p, char *tag,\n ap_errorlog_handler_fn_t *handler,\n int flags)\n{\n ap_errorlog_handler *log_struct = apr_palloc(p, sizeof(*log_struct));\n log_struct->func = handler;\n log_struct->flags = flags;\n\n apr_hash_set(errorlog_hash, tag, 1, (const void *)log_struct);\n}", "project": "httpd", "hash": 56627406182010656439906503473413106925, "size": 10, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246370 }, { "func": "void split_huge_pmd_address(struct vm_area_struct *vma, unsigned long address,\n\t\tbool freeze, struct page *page)\n{\n\tpgd_t *pgd;\n\tp4d_t *p4d;\n\tpud_t *pud;\n\tpmd_t *pmd;\n\n\tpgd = pgd_offset(vma->vm_mm, address);\n\tif (!pgd_present(*pgd))\n\t\treturn;\n\n\tp4d = p4d_offset(pgd, address);\n\tif (!p4d_present(*p4d))\n\t\treturn;\n\n\tpud = pud_offset(p4d, address);\n\tif (!pud_present(*pud))\n\t\treturn;\n\n\tpmd = pmd_offset(pud, address);\n\n\t__split_huge_pmd(vma, pmd, address, freeze, page);\n}", "project": "linux", "hash": 133782249840203620991962407367124585328, "size": 24, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon 
page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. 
Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364128 }, { "func": "static bool synic_has_vector_auto_eoi(struct kvm_vcpu_hv_synic *synic,\n\t\t\t\t int vector)\n{\n\tint i;\n\tu64 sint_value;\n\n\tfor (i = 0; i < ARRAY_SIZE(synic->sint); i++) {\n\t\tsint_value = synic_read_sint(synic, i);\n\t\tif (synic_get_sint_vector(sint_value) == vector &&\n\t\t sint_value & HV_SYNIC_SINT_AUTO_EOI)\n\t\t\treturn true;\n\t}\n\treturn false;\n}", "project": "linux", "hash": 188499153277755724223901098626532817719, "size": 14, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343479 }, { "func": "static void opj_get_tile_dimensions(opj_image_t * l_image,\n opj_tcd_tilecomp_t * l_tilec,\n opj_image_comp_t * l_img_comp,\n OPJ_UINT32* l_size_comp,\n OPJ_UINT32* l_width,\n OPJ_UINT32* l_height,\n OPJ_UINT32* l_offset_x,\n OPJ_UINT32* l_offset_y,\n OPJ_UINT32* l_image_width,\n OPJ_UINT32* l_stride,\n OPJ_UINT32* l_tile_offset)\n{\n OPJ_UINT32 l_remaining;\n *l_size_comp = l_img_comp->prec >> 3; /* (/8) */\n l_remaining = l_img_comp->prec & 7; /* (%8) */\n if (l_remaining) {\n *l_size_comp += 1;\n }\n\n if (*l_size_comp == 3) {\n *l_size_comp = 4;\n }\n\n *l_width = (OPJ_UINT32)(l_tilec->x1 - l_tilec->x0);\n *l_height = (OPJ_UINT32)(l_tilec->y1 - l_tilec->y0);\n *l_offset_x = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)l_image->x0,\n (OPJ_INT32)l_img_comp->dx);\n *l_offset_y = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)l_image->y0,\n (OPJ_INT32)l_img_comp->dy);\n *l_image_width = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)l_image->x1 -\n (OPJ_INT32)l_image->x0, (OPJ_INT32)l_img_comp->dx);\n *l_stride = *l_image_width - *l_width;\n *l_tile_offset = ((OPJ_UINT32)l_tilec->x0 - *l_offset_x) + ((\n OPJ_UINT32)l_tilec->y0 - *l_offset_y) * *l_image_width;\n}", "project": "openjpeg", "hash": 149878580513618523612743015652045520061, "size": 35, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357307 }, { "func": "inline size_t StringData::heapSize() const {\n return isFlat()\n ? 
isRefCounted()\n ? MemoryManager::sizeIndex2Size(m_aux16)\n : size() + kStringOverhead\n : sizeof(StringData) + sizeof(Proxy);\n}", "project": "hhvm", "hash": 82205234356571557949115377395554683205, "size": 7, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219280 }, { "func": "R_API int r_socket_flush(RSocket *s) {\n\treturn -1;\n}", "project": "radare2", "hash": 49923426658299894268175552219900782940, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268979 }, { "func": "R_API int r_socket_flush(RSocket *s) {\n#if HAVE_LIB_SSL\n\tif (s->is_ssl && s->bio) {\n\t\treturn BIO_flush (s->bio);\n\t}\n#endif\n\treturn true;\n}", "project": "radare2", "hash": 261716656057089127554727008321708308871, "size": 8, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269040 }, { "func": " longlong val_temporal_packed(enum_field_types f_type)\n {\n return f_type == MYSQL_TYPE_TIME ? val_time_packed() :\n val_datetime_packed();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 110014510451003137702622200470409190940, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509090 }, { "func": " longlong val_temporal_packed(const Item *other)\n {\n return val_temporal_packed(field_type_for_temporal_comparison(other));\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 75904816071489869777145469384451687400, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509221 }, { "func": "static int key_notify_policy_expire(struct xfrm_policy *xp, const struct km_event *c)\n{\n\treturn 0;\n}", "project": "linux", "hash": 242582513157863751043721570550768468909, "size": 4, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268060 }, { "func": "bool setup_fields(THD *thd, Ref_ptr_array ref_pointer_array,\n List &fields, enum_column_usage column_usage,\n List *sum_func_list, List *pre_fix,\n bool allow_sum_func)\n{\n Item *item;\n enum_column_usage saved_column_usage= thd->column_usage;\n nesting_map save_allow_sum_func= thd->lex->allow_sum_func;\n List_iterator it(fields);\n bool save_is_item_list_lookup;\n bool make_pre_fix= (pre_fix && (pre_fix->elements == 0));\n DBUG_ENTER(\"setup_fields\");\n DBUG_PRINT(\"enter\", (\"ref_pointer_array: %p\", ref_pointer_array.array()));\n\n thd->column_usage= column_usage;\n DBUG_PRINT(\"info\", (\"thd->column_usage: %d\", thd->column_usage));\n /*\n Followimg 2 condition always should be true (but they was added\n due to an 
error present only in 10.3):\n 1) nest_level shoud be 0 or positive;\n 2) nest level of all SELECTs on the same level shoud be equal first\n SELECT on this level (and each other).\n */\n DBUG_ASSERT(thd->lex->current_select->nest_level >= 0);\n DBUG_ASSERT(thd->lex->current_select->master_unit()->first_select()\n ->nest_level ==\n thd->lex->current_select->nest_level);\n if (allow_sum_func)\n thd->lex->allow_sum_func.set_bit(thd->lex->current_select->nest_level);\n thd->where= THD::DEFAULT_WHERE;\n save_is_item_list_lookup= thd->lex->current_select->is_item_list_lookup;\n thd->lex->current_select->is_item_list_lookup= 0;\n\n /*\n To prevent fail on forward lookup we fill it with zeroes,\n then if we got pointer on zero after find_item_in_list we will know\n that it is forward lookup.\n\n There is other way to solve problem: fill array with pointers to list,\n but it will be slower.\n\n TODO: remove it when (if) we made one list for allfields and\n ref_pointer_array\n */\n if (!ref_pointer_array.is_null())\n {\n DBUG_ASSERT(ref_pointer_array.size() >= fields.elements);\n memset(ref_pointer_array.array(), 0, sizeof(Item *) * fields.elements);\n }\n\n /*\n We call set_entry() there (before fix_fields() of the whole list of field\n items) because:\n 1) the list of field items has same order as in the query, and the\n Item_func_get_user_var item may go before the Item_func_set_user_var:\n SELECT @a, @a := 10 FROM t;\n 2) The entry->update_query_id value controls constantness of\n Item_func_get_user_var items, so in presence of Item_func_set_user_var\n items we have to refresh their entries before fixing of\n Item_func_get_user_var items.\n */\n List_iterator li(thd->lex->set_var_list);\n Item_func_set_user_var *var;\n while ((var= li++))\n var->set_entry(thd, FALSE);\n\n Ref_ptr_array ref= ref_pointer_array;\n thd->lex->current_select->cur_pos_in_select_list= 0;\n while ((item= it++))\n {\n if (make_pre_fix)\n pre_fix->push_back(item, thd->stmt_arena->mem_root);\n\n if 
(item->fix_fields_if_needed_for_scalar(thd, it.ref()))\n {\n thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;\n thd->lex->allow_sum_func= save_allow_sum_func;\n thd->column_usage= saved_column_usage;\n DBUG_PRINT(\"info\", (\"thd->column_usage: %d\", thd->column_usage));\n DBUG_RETURN(TRUE); /* purecov: inspected */\n }\n item= *(it.ref()); // Item might have changed in fix_fields()\n if (!ref.is_null())\n {\n ref[0]= item;\n ref.pop_front();\n }\n /*\n split_sum_func() must be called for Window Function items, see\n Item_window_func::split_sum_func.\n */\n if (sum_func_list &&\n ((item->with_sum_func() && item->type() != Item::SUM_FUNC_ITEM) ||\n item->with_window_func))\n {\n item->split_sum_func(thd, ref_pointer_array, *sum_func_list,\n SPLIT_SUM_SELECT);\n }\n thd->lex->current_select->select_list_tables|= item->used_tables();\n thd->lex->used_tables|= item->used_tables();\n thd->lex->current_select->cur_pos_in_select_list++;\n }\n thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;\n thd->lex->current_select->cur_pos_in_select_list= UNDEF_POS;\n\n thd->lex->allow_sum_func= save_allow_sum_func;\n thd->column_usage= saved_column_usage;\n DBUG_PRINT(\"info\", (\"thd->column_usage: %d\", thd->column_usage));\n DBUG_RETURN(MY_TEST(thd->is_error()));\n}", "target": 0, "cwe": [ "CWE-416" ], "project": "server", "commit_id": "0beed9b5e933f0ff79b3bb346524f7a451d14e38", "hash": 334495340346571857611594627466782296177, "size": 110, "message": "MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING\n\nwhen resolving WHERE and ON clauses, do not look in\nSELECT list/aliases.", "dataset": "other", "idx": 514574 }, { "func": "static void encode_nfs4_verifier(struct xdr_stream *xdr, const nfs4_verifier *verf)\n{\n\tencode_opaque_fixed(xdr, verf->data, NFS4_VERIFIER_SIZE);\n}", "project": "linux", "hash": 238988174860070983036535263907609889996, "size": 4, "commit_id": 
"b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431500 }, { "func": "static void my_free(void* block) {\n#if defined(_WIN32)\n _aligned_free(block);\n#else\n free(block);\n#endif /* _WIN32 */\n}", "project": "c-blosc2", "hash": 90064485921223857402302775221735144766, "size": 7, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303110 }, { "func": "static struct task_struct * futex_find_get_task(pid_t pid)\n{\n\tstruct task_struct *p;\n\tconst struct cred *cred = current_cred(), *pcred;\n\n\trcu_read_lock();\n\tp = find_task_by_vpid(pid);\n\tif (!p) {\n\t\tp = ERR_PTR(-ESRCH);\n\t} else {\n\t\tpcred = __task_cred(p);\n\t\tif (cred->euid != pcred->euid &&\n\t\t cred->euid != pcred->uid)\n\t\t\tp = ERR_PTR(-ESRCH);\n\t\telse\n\t\t\tget_task_struct(p);\n\t}\n\n\trcu_read_unlock();\n\n\treturn p;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 218331760235176625740538287736578818910, "size": 22, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is 
unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492300 }, { "func": "static void nap_check(int tile_cnt) {\n\ttime_t now;\n\n\tnap_diff_count += tile_cnt;\n\n\tif (! take_naps) {\n\t\treturn;\n\t}\n\n\tnow = time(NULL);\n\n\tif (screen_blank > 0) {\n\t\tint dt_ev, dt_fbu;\n\t\tstatic int ms = 0;\n\t\tif (ms == 0) {\n\t\t\tms = 2000;\n\t\t\tif (getenv(\"X11VNC_SB_FACTOR\")) {\n\t\t\t\tms = ms * atof(getenv(\"X11VNC_SB_FACTOR\"));\n\t\t\t}\n\t\t\tif (ms <= 0) {\n\t\t\t\tms = 2000;\n\t\t\t}\n\t\t}\n\n\t\t/* if no activity, pause here for a second or so. 
*/\n\t\tdt_ev = (int) (now - last_event);\n\t\tdt_fbu = (int) (now - last_fb_bytes_sent);\n\t\tif (dt_fbu > screen_blank) {\n\t\t\t/* sleep longer for no fb requests */\n\t\t\tif (debug_tiles > 1) {\n\t\t\t\tfprintf(stderr, \"screen blank sleep1: %d ms / 16, load: %s\\n\", 2 * ms, get_load());\n\t\t\t}\n\t\t\tnap_sleep(2 * ms, 16);\n\t\t\treturn;\n\t\t}\n\t\tif (dt_ev > screen_blank) {\n\t\t\tif (debug_tiles > 1) {\n\t\t\t\tfprintf(stderr, \"screen blank sleep2: %d ms / 8, load: %s\\n\", ms, get_load());\n\t\t\t}\n\t\t\tnap_sleep(ms, 8);\n\t\t\treturn;\n\t\t}\n\t}\n\tif (naptile && nap_ok && tile_cnt < naptile) {\n\t\tint ms = napfac * waitms;\n\t\tms = ms > napmax ? napmax : ms;\n\t\tif (now - last_input <= 3) {\n\t\t\tnap_ok = 0;\n\t\t} else if (now - last_local_input <= 3) {\n\t\t\tnap_ok = 0;\n\t\t} else {\n\t\t\tif (debug_tiles > 1) {\n\t\t\t\tfprintf(stderr, \"nap_check sleep: %d ms / 1, load: %s\\n\", ms, get_load());\n\t\t\t}\n\t\t\tnap_sleep(ms, 1);\n\t\t}\n\t}\n}", "project": "x11vnc", "hash": 43464303330598964176760124461406813517, "size": 58, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360766 }, { "func": "unsigned short *screen_pos(struct vc_data *vc, int w_offset, int viewed)\n{\n\treturn screenpos(vc, 2 * w_offset, viewed);\n}", "project": "linux", "hash": 62011226750117080334232909543117549791, "size": 4, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. 
But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 
(\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437083 }, { "func": "Status UncompressElement(const CompressedElement& compressed,\n std::vector* out) {\n int num_components = compressed.component_metadata_size();\n out->clear();\n out->reserve(num_components);\n\n // Step 1: Prepare the memory that we will uncompress into.\n std::vector iov(num_components);\n // We use tstring for access to resize_uninitialized.\n std::vector tensor_proto_strs;\n // num_components is a conservative estimate. It is important to reserve\n // vector space so that the vector doesn't resize itself, which could\n // invalidate pointers to its strings' data.\n tensor_proto_strs.reserve(num_components);\n int64 total_size = 0;\n for (int i = 0; i < num_components; ++i) {\n const CompressedComponentMetadata& metadata =\n compressed.component_metadata(i);\n if (DataTypeCanUseMemcpy(metadata.dtype())) {\n out->emplace_back(metadata.dtype(), metadata.tensor_shape());\n TensorBuffer* buffer = DMAHelper::buffer(&out->back());\n if (buffer) {\n iov[i].iov_base = buffer->data();\n iov[i].iov_len = buffer->size();\n } else {\n iov[i].iov_base = nullptr;\n iov[i].iov_len = 0;\n }\n } else {\n // Allocate an empty Tensor. 
We will fill it out later after\n // uncompressing into the tensor_proto_str.\n out->emplace_back();\n tensor_proto_strs.emplace_back();\n tstring& tensor_proto_str = tensor_proto_strs.back();\n tensor_proto_str.resize_uninitialized(metadata.tensor_size_bytes());\n iov[i].iov_base = tensor_proto_str.mdata();\n iov[i].iov_len = tensor_proto_str.size();\n }\n total_size += iov[i].iov_len;\n }\n\n // Step 2: Uncompress into the iovec.\n const std::string& compressed_data = compressed.data();\n size_t uncompressed_size;\n if (!port::Snappy_GetUncompressedLength(\n compressed_data.data(), compressed_data.size(), &uncompressed_size)) {\n return errors::Internal(\n \"Could not get snappy uncompressed length. Compressed data size: \",\n compressed_data.size());\n }\n if (uncompressed_size != static_cast(total_size)) {\n return errors::Internal(\n \"Uncompressed size mismatch. Snappy expects \", uncompressed_size,\n \" whereas the tensor metadata suggests \", total_size);\n }\n if (!port::Snappy_UncompressToIOVec(compressed_data.data(),\n compressed_data.size(), iov.data(),\n num_components)) {\n return errors::Internal(\"Failed to perform snappy decompression.\");\n }\n\n // Step 3: Deserialize tensor proto strings to tensors.\n int tensor_proto_strs_index = 0;\n for (int i = 0; i < num_components; ++i) {\n if (DataTypeCanUseMemcpy(compressed.component_metadata(i).dtype())) {\n continue;\n }\n TensorProto tp;\n if (!tp.ParseFromString(tensor_proto_strs[tensor_proto_strs_index++])) {\n return errors::Internal(\"Could not parse TensorProto\");\n }\n if (!out->at(i).FromProto(tp)) {\n return errors::Internal(\"Could not parse Tensor\");\n }\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 74187708052422560677230716205612208756, "size": 77, "commit_id": "5dc7f6981fdaf74c8c5be41f393df705841fb7c5", "message": "Fix accessing possible nullptr in tensorflow::data::CompressElement and UncompressElement which are used in tf.data.service.\n\nPiperOrigin-RevId: 
373920841\nChange-Id: Ia88d78aee09fa19bb53a0f163fd19620d0c68743", "target": 0, "dataset": "other", "idx": 246588 }, { "func": "static void ov518_configure(struct gspca_dev *gspca_dev)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\t/* For 518 and 518+ */\n\tstatic const struct ov_regvals init_518[] = {\n\t\t{ R51x_SYS_RESET,\t0x40 },\n\t\t{ R51x_SYS_INIT,\t0xe1 },\n\t\t{ R51x_SYS_RESET,\t0x3e },\n\t\t{ R51x_SYS_INIT,\t0xe1 },\n\t\t{ R51x_SYS_RESET,\t0x00 },\n\t\t{ R51x_SYS_INIT,\t0xe1 },\n\t\t{ 0x46,\t\t\t0x00 },\n\t\t{ 0x5d,\t\t\t0x03 },\n\t};\n\n\tstatic const struct ov_regvals norm_518[] = {\n\t\t{ R51x_SYS_SNAP,\t0x02 }, /* Reset */\n\t\t{ R51x_SYS_SNAP,\t0x01 }, /* Enable */\n\t\t{ 0x31,\t\t\t0x0f },\n\t\t{ 0x5d,\t\t\t0x03 },\n\t\t{ 0x24,\t\t\t0x9f },\n\t\t{ 0x25,\t\t\t0x90 },\n\t\t{ 0x20,\t\t\t0x00 },\n\t\t{ 0x51,\t\t\t0x04 },\n\t\t{ 0x71,\t\t\t0x19 },\n\t\t{ 0x2f,\t\t\t0x80 },\n\t};\n\n\tstatic const struct ov_regvals norm_518_p[] = {\n\t\t{ R51x_SYS_SNAP,\t0x02 }, /* Reset */\n\t\t{ R51x_SYS_SNAP,\t0x01 }, /* Enable */\n\t\t{ 0x31,\t\t\t0x0f },\n\t\t{ 0x5d,\t\t\t0x03 },\n\t\t{ 0x24,\t\t\t0x9f },\n\t\t{ 0x25,\t\t\t0x90 },\n\t\t{ 0x20,\t\t\t0x60 },\n\t\t{ 0x51,\t\t\t0x02 },\n\t\t{ 0x71,\t\t\t0x19 },\n\t\t{ 0x40,\t\t\t0xff },\n\t\t{ 0x41,\t\t\t0x42 },\n\t\t{ 0x46,\t\t\t0x00 },\n\t\t{ 0x33,\t\t\t0x04 },\n\t\t{ 0x21,\t\t\t0x19 },\n\t\t{ 0x3f,\t\t\t0x10 },\n\t\t{ 0x2f,\t\t\t0x80 },\n\t};\n\n\t/* First 5 bits of custom ID reg are a revision ID on OV518 */\n\tsd->revision = reg_r(sd, R51x_SYS_CUST_ID) & 0x1f;\n\tgspca_dbg(gspca_dev, D_PROBE, \"Device revision %d\\n\", sd->revision);\n\n\twrite_regvals(sd, init_518, ARRAY_SIZE(init_518));\n\n\t/* Set LED GPIO pin to output mode */\n\treg_w_mask(sd, R518_GPIO_CTL, 0x00, 0x02);\n\n\tswitch (sd->bridge) {\n\tcase BRIDGE_OV518:\n\t\twrite_regvals(sd, norm_518, ARRAY_SIZE(norm_518));\n\t\tbreak;\n\tcase BRIDGE_OV518PLUS:\n\t\twrite_regvals(sd, norm_518_p, 
ARRAY_SIZE(norm_518_p));\n\t\tbreak;\n\t}\n\n\tov51x_upload_quan_tables(sd);\n\n\treg_w(sd, 0x2f, 0x80);\n}", "project": "linux", "hash": 299428862545867202976649660862820351472, "size": 70, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306302 }, { "func": "rfbBool rfbSendFileTransferChunk(rfbClientPtr cl)\n{\n /* Allocate buffer for compression */\n char readBuf[sz_rfbBlockSize];\n int bytesRead=0;\n int retval=0;\n fd_set wfds;\n struct timeval tv;\n int n;\n#ifdef LIBVNCSERVER_HAVE_LIBZ\n unsigned char compBuf[sz_rfbBlockSize + 1024];\n unsigned long nMaxCompSize = sizeof(compBuf);\n int nRetC = 0;\n#endif\n\n /*\n * Don't close the client if we get into this one because \n * it is called from many places to service file transfers.\n * Note that permitFileTransfer is checked first.\n */\n if (cl->screen->permitFileTransfer != TRUE ||\n (cl->screen->getFileTransferPermission != NULL\n && cl->screen->getFileTransferPermission(cl) != TRUE)) { \n\t\treturn TRUE;\n }\n\n /* If not sending, or no file open... Return as if we sent something! 
*/\n if ((cl->fileTransfer.fd!=-1) && (cl->fileTransfer.sending==1))\n {\n\tFD_ZERO(&wfds);\n FD_SET(cl->sock, &wfds);\n\n /* return immediately */\n\ttv.tv_sec = 0; \n\ttv.tv_usec = 0;\n\tn = select(cl->sock + 1, NULL, &wfds, NULL, &tv);\n\n\tif (n<0) {\n#ifdef WIN32\n\t errno=WSAGetLastError();\n#endif\n rfbLog(\"rfbSendFileTransferChunk() select failed: %s\\n\", strerror(errno));\n\t}\n /* We have space on the transmit queue */\n\tif (n > 0)\n\t{\n bytesRead = read(cl->fileTransfer.fd, readBuf, sz_rfbBlockSize);\n switch (bytesRead) {\n case 0:\n /*\n rfbLog(\"rfbSendFileTransferChunk(): End-Of-File Encountered\\n\");\n */\n retval = rfbSendFileTransferMessage(cl, rfbEndOfFile, 0, 0, 0, NULL);\n close(cl->fileTransfer.fd);\n cl->fileTransfer.fd = -1;\n cl->fileTransfer.sending = 0;\n cl->fileTransfer.receiving = 0;\n return retval;\n case -1:\n /* TODO : send an error msg to the client... */\n#ifdef WIN32\n\t errno=WSAGetLastError();\n#endif\n rfbLog(\"rfbSendFileTransferChunk(): %s\\n\",strerror(errno));\n retval = rfbSendFileTransferMessage(cl, rfbAbortFileTransfer, 0, 0, 0, NULL);\n close(cl->fileTransfer.fd);\n cl->fileTransfer.fd = -1;\n cl->fileTransfer.sending = 0;\n cl->fileTransfer.receiving = 0;\n return retval;\n default:\n /*\n rfbLog(\"rfbSendFileTransferChunk(): Read %d bytes\\n\", bytesRead);\n */\n if (!cl->fileTransfer.compressionEnabled)\n return rfbSendFileTransferMessage(cl, rfbFilePacket, 0, 0, bytesRead, readBuf);\n else\n {\n#ifdef LIBVNCSERVER_HAVE_LIBZ\n nRetC = compress(compBuf, &nMaxCompSize, (unsigned char *)readBuf, bytesRead);\n /*\n rfbLog(\"Compressed the packet from %d -> %d bytes\\n\", nMaxCompSize, bytesRead);\n */\n \n if ((nRetC==0) && (nMaxCompSizemm is\n\t * not visibile until then. 
This also enables the update\n\t * to be lockless.\n\t */\n\tset_mm_exe_file(bprm->mm, bprm->file);\n\n\t/*\n\t * Release all of the old mmap stuff\n\t */\n\tacct_arg_size(bprm, 0);\n\tretval = exec_mmap(bprm->mm);\n\tif (retval)\n\t\tgoto out;\n\n\t/*\n\t * After setting bprm->called_exec_mmap (to mark that current is\n\t * using the prepared mm now), we have nothing left of the original\n\t * process. If anything from here on returns an error, the check\n\t * in search_binary_handler() will SEGV current.\n\t */\n\tbprm->called_exec_mmap = 1;\n\tbprm->mm = NULL;\n\n#ifdef CONFIG_POSIX_TIMERS\n\texit_itimers(me->signal);\n\tflush_itimer_signals();\n#endif\n\n\t/*\n\t * Make the signal table private.\n\t */\n\tretval = unshare_sighand(me);\n\tif (retval)\n\t\tgoto out;\n\n\tset_fs(USER_DS);\n\tme->flags &= ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD |\n\t\t\t\t\tPF_NOFREEZE | PF_NO_SETAFFINITY);\n\tflush_thread();\n\tme->personality &= ~bprm->per_clear;\n\n\t/*\n\t * We have to apply CLOEXEC before we change whether the process is\n\t * dumpable (in setup_new_exec) to avoid a race with a process in userspace\n\t * trying to access the should-be-closed file descriptors of a process\n\t * undergoing exec(2).\n\t */\n\tdo_close_on_exec(me->files);\n\treturn 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 60429253492785043075468293190667128763, "size": 66, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375157 }, { "func": "void gdImageStringUp (gdImagePtr im, gdFontPtr f, int x, int y, unsigned char *s, int color)\n{\n\tint i;\n\tint l;\n\tl = strlen ((char *) s);\n\tfor (i = 0; (i < l); i++) {\n\t\tgdImageCharUp(im, f, x, y, s[i], color);\n\t\ty -= f->w;\n\t}\n}", "project": "php-src", "hash": 252679857896930934586230299176128773483, "size": 10, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295155 }, { "func": "static void __set_task_blocked(struct task_struct *tsk, const sigset_t *newset)\n{\n\tif (signal_pending(tsk) && !thread_group_empty(tsk)) {\n\t\tsigset_t newblocked;\n\t\t/* A set of now blocked but previously unblocked signals. */\n\t\tsigandnsets(&newblocked, newset, ¤t->blocked);\n\t\tretarget_shared_pending(tsk, &newblocked);\n\t}\n\ttsk->blocked = *newset;\n\trecalc_sigpending();\n}", "project": "linux", "hash": 84176743210397821928789821596483738879, "size": 11, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375288 }, { "func": " bool is_expensive() { return orig_item->is_expensive(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 32054293424759342512546048684601958848, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509115 }, { "func": " virtual bool is_expensive()\n {\n if (is_expensive_cache < 0)\n is_expensive_cache= walk(&Item::is_expensive_processor, 0, NULL);\n return MY_TEST(is_expensive_cache);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 183749601769773920900834067797240234509, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509352 }, { "func": " virtual bool is_expensive()\n {\n if (value_cached)\n return false;\n return example->is_expensive();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 245900225565503784688911920058869494905, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509417 }, { "func": "ALWAYS_INLINE String serialize_impl(const Variant& value,\n const SerializeOptions& opts) {\n switch (value.getType()) {\n case KindOfClass:\n case KindOfLazyClass:\n case KindOfPersistentString:\n case KindOfString: {\n auto const str =\n isStringType(value.getType()) ? value.getStringData() :\n isClassType(value.getType()) ? 
classToStringHelper(value.toClassVal()) :\n lazyClassToStringHelper(value.toLazyClassVal());\n auto const size = str->size();\n if (size >= RuntimeOption::MaxSerializedStringSize) {\n throw Exception(\"Size of serialized string (%ld) exceeds max\", size);\n }\n StringBuffer sb;\n sb.append(\"s:\");\n sb.append(size);\n sb.append(\":\\\"\");\n sb.append(str->data(), size);\n sb.append(\"\\\";\");\n return sb.detach();\n }\n case KindOfResource:\n return s_Res;\n\n case KindOfUninit:\n case KindOfNull:\n case KindOfBoolean:\n case KindOfInt64:\n case KindOfFunc:\n case KindOfPersistentVec:\n case KindOfVec:\n case KindOfPersistentDict:\n case KindOfDict:\n case KindOfPersistentKeyset:\n case KindOfKeyset:\n case KindOfPersistentDArray:\n case KindOfDArray:\n case KindOfPersistentVArray:\n case KindOfVArray:\n case KindOfDouble:\n case KindOfObject:\n case KindOfClsMeth:\n case KindOfRClsMeth:\n case KindOfRFunc:\n case KindOfRecord:\n break;\n }\n VariableSerializer vs(VariableSerializer::Type::Serialize);\n if (opts.keepDVArrays) vs.keepDVArrays();\n if (opts.forcePHPArrays) vs.setForcePHPArrays();\n if (opts.warnOnHackArrays) vs.setHackWarn();\n if (opts.warnOnPHPArrays) vs.setPHPWarn();\n if (opts.ignoreLateInit) vs.setIgnoreLateInit();\n if (opts.serializeProvenanceAndLegacy) vs.setSerializeProvenanceAndLegacy();\n // Keep the count so recursive calls to serialize() embed references properly.\n return vs.serialize(value, true, true);\n}", "project": "hhvm", "hash": 270478084058815027869243641839773519702, "size": 59, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219053 }, { "func": "static void tcp_ack_probe(struct sock *sk)\n{\n\tconst struct tcp_sock *tp = tcp_sk(sk);\n\tstruct inet_connection_sock *icsk = inet_csk(sk);\n\n\t/* Was it a usable window open? 
*/\n\n\tif (!after(TCP_SKB_CB(tcp_send_head(sk))->end_seq, tcp_wnd_end(tp))) {\n\t\ticsk->icsk_backoff = 0;\n\t\tinet_csk_clear_xmit_timer(sk, ICSK_TIME_PROBE0);\n\t\t/* Socket must be waked up by subsequent tcp_data_snd_check().\n\t\t * This function is not for random using!\n\t\t */\n\t} else {\n\t\tinet_csk_reset_xmit_timer(sk, ICSK_TIME_PROBE0,\n\t\t\t\t\t min(icsk->icsk_rto << icsk->icsk_backoff, TCP_RTO_MAX),\n\t\t\t\t\t TCP_RTO_MAX);\n\t}\n}", "project": "net-next", "hash": 298675753406587049252141538809050688551, "size": 19, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409844 }, { "func": "static irqreturn_t ca8210_interrupt_handler(int irq, void *dev_id)\n{\n\tstruct ca8210_priv *priv = dev_id;\n\tint status;\n\n\tdev_dbg(&priv->spi->dev, \"irq: Interrupt occurred\\n\");\n\tdo {\n\t\tstatus = ca8210_spi_transfer(priv->spi, NULL, 0);\n\t\tif (status && (status != -EBUSY)) {\n\t\t\tdev_warn(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"spi read failed, returned %d\\n\",\n\t\t\t\tstatus\n\t\t\t);\n\t\t}\n\t} while (status == -EBUSY);\n\treturn IRQ_HANDLED;\n}", "project": "linux", "hash": 146351354522157353746206225049754482508, "size": 18, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, 
"dataset": "other", "idx": 408812 }, { "func": "void WebContents::WebContentsDestroyed() {\n // Give chance for guest delegate to cleanup its observers\n // since the native class is only destroyed in the next tick.\n if (guest_delegate_)\n guest_delegate_->WillDestroy();\n\n // Cleanup relationships with other parts.\n RemoveFromWeakMap();\n\n // We can not call Destroy here because we need to call Emit first, but we\n // also do not want any method to be used, so just mark as destroyed here.\n MarkDestroyed();\n\n Emit(\"destroyed\");\n\n // For guest view based on OOPIF, the WebContents is released by the embedder\n // frame, and we need to clear the reference to the memory.\n if (IsGuest() && managed_web_contents()) {\n managed_web_contents()->ReleaseWebContents();\n ResetManagedWebContents(false);\n }\n\n // Destroy the native class in next tick.\n base::ThreadTaskRunnerHandle::Get()->PostTask(FROM_HERE, GetDestroyClosure());\n}", "project": "electron", "hash": 99031276626422564276861002618021277069, "size": 25, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269785 }, { "func": "void init_tls_dissector(struct ndpi_detection_module_struct *ndpi_struct,\n\t\t\tu_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {\n ndpi_set_bitmask_protocol_detection(\"TLS\", ndpi_struct, detection_bitmask, *id,\n\t\t\t\t NDPI_PROTOCOL_TLS,\n\t\t\t\t ndpi_search_tls_wrapper,\n\t\t\t\t NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,\n\t\t\t\t SAVE_DETECTION_BITMASK_AS_UNKNOWN,\n\t\t\t\t ADD_TO_DETECTION_BITMASK);\n\n *id += 1;\n\n /* 
*************************************************** */\n\n ndpi_set_bitmask_protocol_detection(\"DTLS\", ndpi_struct, detection_bitmask, *id,\n\t\t\t\t NDPI_PROTOCOL_DTLS,\n\t\t\t\t ndpi_search_tls_wrapper,\n\t\t\t\t NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,\n\t\t\t\t SAVE_DETECTION_BITMASK_AS_UNKNOWN,\n\t\t\t\t ADD_TO_DETECTION_BITMASK);\n\n *id += 1;\n}", "project": "nDPI", "hash": 21513968571278152176454467267024037677, "size": 22, "commit_id": "1ec621c85b9411cc611652fd57a892cfef478af3", "message": "Added further checks", "target": 0, "dataset": "other", "idx": 234083 }, { "func": "void init_tls_dissector(struct ndpi_detection_module_struct *ndpi_struct,\n\t\t\tu_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {\n ndpi_set_bitmask_protocol_detection(\"TLS\", ndpi_struct, detection_bitmask, *id,\n\t\t\t\t NDPI_PROTOCOL_TLS,\n\t\t\t\t ndpi_search_tls_wrapper,\n\t\t\t\t NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,\n\t\t\t\t SAVE_DETECTION_BITMASK_AS_UNKNOWN,\n\t\t\t\t ADD_TO_DETECTION_BITMASK);\n\n *id += 1;\n\n /* *************************************************** */\n\n ndpi_set_bitmask_protocol_detection(\"TLS\", ndpi_struct, detection_bitmask, *id,\n\t\t\t\t NDPI_PROTOCOL_TLS,\n\t\t\t\t ndpi_search_tls_wrapper,\n\t\t\t\t NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,\n\t\t\t\t SAVE_DETECTION_BITMASK_AS_UNKNOWN,\n\t\t\t\t ADD_TO_DETECTION_BITMASK);\n\n *id += 1;\n}", "project": "nDPI", "hash": 128577797297297803658426319009291398513, "size": 22, "commit_id": "23594f036536468072198a57c59b6e9d63caf6ce", "message": "Fixed stack overflow caused by missing length check\n\nSigned-off-by: Toni Uhlig ", "target": 0, "dataset": "other", "idx": 265517 }, { "func": "Header headerCopyLoad(const void * uh)\n{\n /* Discards const but that's ok as we'll take a copy */\n return headerImport((void *)uh, 0, HEADERIMPORT_COPY);\n}", "project": "rpm", "hash": 194660531228595933645831135981014493850, "size": 5, 
"commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318163 }, { "func": "int vcf_write(htsFile *fp, const bcf_hdr_t *h, bcf1_t *v)\n{\n int ret;\n fp->line.l = 0;\n if (vcf_format1(h, v, &fp->line) != 0)\n return -1;\n if ( fp->format.compression!=no_compression )\n ret = bgzf_write(fp->fp.bgzf, fp->line.s, fp->line.l);\n else\n ret = hwrite(fp->fp.hfile, fp->line.s, fp->line.l);\n\n if (fp->idx) {\n int tid;\n if ((tid = hts_idx_tbi_name(fp->idx, v->rid, bcf_seqname_safe(h, v))) < 0)\n return -1;\n\n if (hts_idx_push(fp->idx, tid, v->pos, v->pos + v->rlen, bgzf_tell(fp->fp.bgzf), 1) < 0)\n return -1;\n }\n\n return ret==fp->line.l ? 0 : -1;\n}", "project": "htslib", "hash": 141055766932032368983095950836674294064, "size": 22, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402253 }, { "func": "static int nfs4_lookup_root_sec(struct nfs_server *server, struct nfs_fh *fhandle,\n\t\t\t\tstruct nfs_fsinfo *info, rpc_authflavor_t flavor)\n{\n\tstruct rpc_auth_create_args auth_args = {\n\t\t.pseudoflavor = flavor,\n\t};\n\tstruct rpc_auth *auth;\n\n\tauth = rpcauth_create(&auth_args, server->client);\n\tif (IS_ERR(auth))\n\t\treturn -EACCES;\n\treturn nfs4_lookup_root(server, fhandle, info);\n}", "project": "linux", "hash": 42739887314809601536566681822155708658, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431399 }, { "func": "static int _nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle,\n\t\t struct nfs_fsstat *fsstat)\n{\n\tstruct nfs4_statfs_arg args = {\n\t\t.fh = fhandle,\n\t\t.bitmask = server->attr_bitmask,\n\t};\n\tstruct nfs4_statfs_res res = {\n\t\t.fsstat = fsstat,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_STATFS],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t};\n\n\tnfs_fattr_init(fsstat->fattr);\n\treturn nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);\n}", "project": "linux", "hash": 178882301653870544710850123982405408974, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", 
"message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431563 }, { "func": " void format(FormatArg& arg, Callback& cb) const {\n FormatValue(m_val.get()).format(arg, cb);\n }", "project": "hhvm", "hash": 175012982478754375769525081735413033717, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219728 }, { "func": "static void tcp_data_queue(struct sock *sk, struct sk_buff *skb)\n{\n\tconst struct tcphdr *th = tcp_hdr(skb);\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tint eaten = -1;\n\n\tif (TCP_SKB_CB(skb)->seq == TCP_SKB_CB(skb)->end_seq)\n\t\tgoto drop;\n\n\tskb_dst_drop(skb);\n\t__skb_pull(skb, th->doff * 4);\n\n\tTCP_ECN_accept_cwr(tp, skb);\n\n\ttp->rx_opt.dsack = 0;\n\n\t/* Queue data for delivery to the user.\n\t * Packets in sequence go to the receive queue.\n\t * Out of sequence packets to the out_of_order_queue.\n\t */\n\tif (TCP_SKB_CB(skb)->seq == tp->rcv_nxt) {\n\t\tif (tcp_receive_window(tp) == 0)\n\t\t\tgoto out_of_window;\n\n\t\t/* Ok. In sequence. In window. 
*/\n\t\tif (tp->ucopy.task == current &&\n\t\t tp->copied_seq == tp->rcv_nxt && tp->ucopy.len &&\n\t\t sock_owned_by_user(sk) && !tp->urg_data) {\n\t\t\tint chunk = min_t(unsigned int, skb->len,\n\t\t\t\t\t tp->ucopy.len);\n\n\t\t\t__set_current_state(TASK_RUNNING);\n\n\t\t\tlocal_bh_enable();\n\t\t\tif (!skb_copy_datagram_iovec(skb, 0, tp->ucopy.iov, chunk)) {\n\t\t\t\ttp->ucopy.len -= chunk;\n\t\t\t\ttp->copied_seq += chunk;\n\t\t\t\teaten = (chunk == skb->len);\n\t\t\t\ttcp_rcv_space_adjust(sk);\n\t\t\t}\n\t\t\tlocal_bh_disable();\n\t\t}\n\n\t\tif (eaten <= 0) {\nqueue_and_out:\n\t\t\tif (eaten < 0 &&\n\t\t\t tcp_try_rmem_schedule(sk, skb->truesize))\n\t\t\t\tgoto drop;\n\n\t\t\tskb_set_owner_r(skb, sk);\n\t\t\t__skb_queue_tail(&sk->sk_receive_queue, skb);\n\t\t}\n\t\ttp->rcv_nxt = TCP_SKB_CB(skb)->end_seq;\n\t\tif (skb->len)\n\t\t\ttcp_event_data_recv(sk, skb);\n\t\tif (th->fin)\n\t\t\ttcp_fin(sk);\n\n\t\tif (!skb_queue_empty(&tp->out_of_order_queue)) {\n\t\t\ttcp_ofo_queue(sk);\n\n\t\t\t/* RFC2581. 4.2. SHOULD send immediate ACK, when\n\t\t\t * gap in queue is filled.\n\t\t\t */\n\t\t\tif (skb_queue_empty(&tp->out_of_order_queue))\n\t\t\t\tinet_csk(sk)->icsk_ack.pingpong = 0;\n\t\t}\n\n\t\tif (tp->rx_opt.num_sacks)\n\t\t\ttcp_sack_remove(tp);\n\n\t\ttcp_fast_path_check(sk);\n\n\t\tif (eaten > 0)\n\t\t\t__kfree_skb(skb);\n\t\telse if (!sock_flag(sk, SOCK_DEAD))\n\t\t\tsk->sk_data_ready(sk, 0);\n\t\treturn;\n\t}\n\n\tif (!after(TCP_SKB_CB(skb)->end_seq, tp->rcv_nxt)) {\n\t\t/* A retransmit, 2nd most common case. Force an immediate ack. */\n\t\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_DELAYEDACKLOST);\n\t\ttcp_dsack_set(sk, TCP_SKB_CB(skb)->seq, TCP_SKB_CB(skb)->end_seq);\n\nout_of_window:\n\t\ttcp_enter_quickack_mode(sk);\n\t\tinet_csk_schedule_ack(sk);\ndrop:\n\t\t__kfree_skb(skb);\n\t\treturn;\n\t}\n\n\t/* Out of window. F.e. zero window probe. 
*/\n\tif (!before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt + tcp_receive_window(tp)))\n\t\tgoto out_of_window;\n\n\ttcp_enter_quickack_mode(sk);\n\n\tif (before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {\n\t\t/* Partial packet, seq < rcv_next < end_seq */\n\t\tSOCK_DEBUG(sk, \"partial packet: rcv_next %X seq %X - %X\\n\",\n\t\t\t tp->rcv_nxt, TCP_SKB_CB(skb)->seq,\n\t\t\t TCP_SKB_CB(skb)->end_seq);\n\n\t\ttcp_dsack_set(sk, TCP_SKB_CB(skb)->seq, tp->rcv_nxt);\n\n\t\t/* If window is closed, drop tail of packet. But after\n\t\t * remembering D-SACK for its head made in previous line.\n\t\t */\n\t\tif (!tcp_receive_window(tp))\n\t\t\tgoto out_of_window;\n\t\tgoto queue_and_out;\n\t}\n\n\tTCP_ECN_check_ce(tp, skb);\n\n\tif (tcp_try_rmem_schedule(sk, skb->truesize))\n\t\tgoto drop;\n\n\t/* Disable header prediction. */\n\ttp->pred_flags = 0;\n\tinet_csk_schedule_ack(sk);\n\n\tSOCK_DEBUG(sk, \"out of order segment: rcv_next %X seq %X - %X\\n\",\n\t\t tp->rcv_nxt, TCP_SKB_CB(skb)->seq, TCP_SKB_CB(skb)->end_seq);\n\n\tskb_set_owner_r(skb, sk);\n\n\tif (!skb_peek(&tp->out_of_order_queue)) {\n\t\t/* Initial out of order segment, build 1 SACK. */\n\t\tif (tcp_is_sack(tp)) {\n\t\t\ttp->rx_opt.num_sacks = 1;\n\t\t\ttp->selective_acks[0].start_seq = TCP_SKB_CB(skb)->seq;\n\t\t\ttp->selective_acks[0].end_seq =\n\t\t\t\t\t\tTCP_SKB_CB(skb)->end_seq;\n\t\t}\n\t\t__skb_queue_head(&tp->out_of_order_queue, skb);\n\t} else {\n\t\tstruct sk_buff *skb1 = skb_peek_tail(&tp->out_of_order_queue);\n\t\tu32 seq = TCP_SKB_CB(skb)->seq;\n\t\tu32 end_seq = TCP_SKB_CB(skb)->end_seq;\n\n\t\tif (seq == TCP_SKB_CB(skb1)->end_seq) {\n\t\t\t__skb_queue_after(&tp->out_of_order_queue, skb1, skb);\n\n\t\t\tif (!tp->rx_opt.num_sacks ||\n\t\t\t tp->selective_acks[0].end_seq != seq)\n\t\t\t\tgoto add_sack;\n\n\t\t\t/* Common case: data arrive in order after hole. */\n\t\t\ttp->selective_acks[0].end_seq = end_seq;\n\t\t\treturn;\n\t\t}\n\n\t\t/* Find place to insert this segment. 
*/\n\t\twhile (1) {\n\t\t\tif (!after(TCP_SKB_CB(skb1)->seq, seq))\n\t\t\t\tbreak;\n\t\t\tif (skb_queue_is_first(&tp->out_of_order_queue, skb1)) {\n\t\t\t\tskb1 = NULL;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tskb1 = skb_queue_prev(&tp->out_of_order_queue, skb1);\n\t\t}\n\n\t\t/* Do skb overlap to previous one? */\n\t\tif (skb1 && before(seq, TCP_SKB_CB(skb1)->end_seq)) {\n\t\t\tif (!after(end_seq, TCP_SKB_CB(skb1)->end_seq)) {\n\t\t\t\t/* All the bits are present. Drop. */\n\t\t\t\t__kfree_skb(skb);\n\t\t\t\ttcp_dsack_set(sk, seq, end_seq);\n\t\t\t\tgoto add_sack;\n\t\t\t}\n\t\t\tif (after(seq, TCP_SKB_CB(skb1)->seq)) {\n\t\t\t\t/* Partial overlap. */\n\t\t\t\ttcp_dsack_set(sk, seq,\n\t\t\t\t\t TCP_SKB_CB(skb1)->end_seq);\n\t\t\t} else {\n\t\t\t\tif (skb_queue_is_first(&tp->out_of_order_queue,\n\t\t\t\t\t\t skb1))\n\t\t\t\t\tskb1 = NULL;\n\t\t\t\telse\n\t\t\t\t\tskb1 = skb_queue_prev(\n\t\t\t\t\t\t&tp->out_of_order_queue,\n\t\t\t\t\t\tskb1);\n\t\t\t}\n\t\t}\n\t\tif (!skb1)\n\t\t\t__skb_queue_head(&tp->out_of_order_queue, skb);\n\t\telse\n\t\t\t__skb_queue_after(&tp->out_of_order_queue, skb1, skb);\n\n\t\t/* And clean segments covered by new one as whole. 
*/\n\t\twhile (!skb_queue_is_last(&tp->out_of_order_queue, skb)) {\n\t\t\tskb1 = skb_queue_next(&tp->out_of_order_queue, skb);\n\n\t\t\tif (!after(end_seq, TCP_SKB_CB(skb1)->seq))\n\t\t\t\tbreak;\n\t\t\tif (before(end_seq, TCP_SKB_CB(skb1)->end_seq)) {\n\t\t\t\ttcp_dsack_extend(sk, TCP_SKB_CB(skb1)->seq,\n\t\t\t\t\t\t end_seq);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\t__skb_unlink(skb1, &tp->out_of_order_queue);\n\t\t\ttcp_dsack_extend(sk, TCP_SKB_CB(skb1)->seq,\n\t\t\t\t\t TCP_SKB_CB(skb1)->end_seq);\n\t\t\t__kfree_skb(skb1);\n\t\t}\n\nadd_sack:\n\t\tif (tcp_is_sack(tp))\n\t\t\ttcp_sack_new_ofo_skb(sk, seq, end_seq);\n\t}\n}", "project": "net-next", "hash": 208994624140729421691978692507714689567, "size": 215, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409945 }, { "func": "static inline u32 tcp_wnd_end(const struct tcp_sock *tp)\n{\n\treturn tp->snd_una + tp->snd_wnd;\n}", "project": "linux", "hash": 66456230419607550872660499680787998496, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. 
For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410760 }, { "func": "static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,\n\t\t\t const struct nlattr * const nla[])\n{\n\tconst struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);\n\tstruct netlink_ext_ack *extack = info->extack;\n\tu8 genmask = nft_genmask_cur(info->net);\n\tint family = nfmsg->nfgen_family;\n\tconst struct nft_chain *chain;\n\tconst struct nft_rule *rule;\n\tstruct net *net = info->net;\n\tstruct nft_table *table;\n\tstruct sk_buff *skb2;\n\tint err;\n\n\tif (info->nlh->nlmsg_flags & NLM_F_DUMP) {\n\t\tstruct netlink_dump_control c = {\n\t\t\t.start= nf_tables_dump_rules_start,\n\t\t\t.dump = nf_tables_dump_rules,\n\t\t\t.done = nf_tables_dump_rules_done,\n\t\t\t.module = THIS_MODULE,\n\t\t\t.data = (void *)nla,\n\t\t};\n\n\t\treturn nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);\n\t}\n\n\ttable = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);\n\tif (IS_ERR(table)) {\n\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);\n\t\treturn PTR_ERR(table);\n\t}\n\n\tchain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);\n\tif (IS_ERR(chain)) {\n\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);\n\t\treturn PTR_ERR(chain);\n\t}\n\n\trule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);\n\tif (IS_ERR(rule)) {\n\t\tNL_SET_BAD_ATTR(extack, 
nla[NFTA_RULE_HANDLE]);\n\t\treturn PTR_ERR(rule);\n\t}\n\n\tskb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);\n\tif (!skb2)\n\t\treturn -ENOMEM;\n\n\terr = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,\n\t\t\t\t info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,\n\t\t\t\t family, table, chain, rule, NULL);\n\tif (err < 0)\n\t\tgoto err_fill_rule_info;\n\n\treturn nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);\n\nerr_fill_rule_info:\n\tkfree_skb(skb2);\n\treturn err;\n}", "project": "linux", "hash": 271163873748483643976304455029859319651, "size": 60, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? 
nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328345 }, { "func": "static int imap_ac_add(struct Account *a, struct Mailbox *m)\n{\n struct ImapAccountData *adata = a->adata;\n\n if (!adata)\n {\n struct ConnAccount cac = { { 0 } };\n char mailbox[PATH_MAX];\n\n if (imap_parse_path(mailbox_path(m), &cac, mailbox, sizeof(mailbox)) < 0)\n return -1;\n\n adata = imap_adata_new(a);\n adata->conn = mutt_conn_new(&cac);\n if (!adata->conn)\n {\n imap_adata_free((void **) &adata);\n return -1;\n }\n\n mutt_account_hook(m->realpath);\n\n if (imap_login(adata) < 0)\n {\n imap_adata_free((void **) &adata);\n return -1;\n }\n\n a->adata = adata;\n a->adata_free = imap_adata_free;\n }\n\n if (!m->mdata)\n {\n struct Url *url = url_parse(mailbox_path(m));\n struct ImapMboxData *mdata = imap_mdata_new(adata, url->path);\n\n /* fixup path and realpath, mainly to replace / by /INBOX */\n char buf[1024];\n imap_qualify_path(buf, sizeof(buf), &adata->conn->account, mdata->name);\n mutt_buffer_strcpy(&m->pathbuf, buf);\n mutt_str_replace(&m->realpath, mailbox_path(m));\n\n m->mdata = mdata;\n m->mdata_free = imap_mdata_free;\n url_free(&url);\n }\n return 0;\n}", "project": "neomutt", "hash": 105289729712083927908249366187971864721, "size": 49, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357003 }, { "func": "static OPJ_UINT32 opj_j2k_get_max_qcc_size(opj_j2k_t *p_j2k)\n{\n return opj_j2k_get_max_coc_size(p_j2k);\n}", 
"project": "openjpeg", "hash": 286340426242105235909729016090869287463, "size": 4, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357341 }, { "func": "static void fuse_dentry_settime(struct dentry *dentry, u64 time)\n{\n\tstruct fuse_conn *fc = get_fuse_conn_super(dentry->d_sb);\n\tbool delete = !time && fc->delete_stale;\n\t/*\n\t * Mess with DCACHE_OP_DELETE because dput() will be faster without it.\n\t * Don't care about races, either way it's just an optimization\n\t */\n\tif ((!delete && (dentry->d_flags & DCACHE_OP_DELETE)) ||\n\t (delete && !(dentry->d_flags & DCACHE_OP_DELETE))) {\n\t\tspin_lock(&dentry->d_lock);\n\t\tif (!delete)\n\t\t\tdentry->d_flags &= ~DCACHE_OP_DELETE;\n\t\telse\n\t\t\tdentry->d_flags |= DCACHE_OP_DELETE;\n\t\tspin_unlock(&dentry->d_lock);\n\t}\n\n\t__fuse_dentry_settime(dentry, time);\n}", "project": "linux", "hash": 87956599127810352192296515508622228781, "size": 20, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341977 }, { "func": "static int sctp_setsockopt_add_streams(struct sock *sk,\n\t\t\t\t struct sctp_add_streams *params,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_association *asoc;\n\n\tif (optlen != sizeof(*params))\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, params->sas_assoc_id);\n\tif (!asoc)\n\t\treturn -EINVAL;\n\n\treturn sctp_send_add_streams(asoc, params);\n}", "project": "linux", "hash": 44149463227296713192507242542587132627, "size": 15, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398185 }, { "func": "static inline int tcp_try_rmem_schedule(struct sock *sk, unsigned int size)\n{\n\tif (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf ||\n\t !sk_rmem_schedule(sk, size)) {\n\n\t\tif (tcp_prune_queue(sk) < 0)\n\t\t\treturn -1;\n\n\t\tif (!sk_rmem_schedule(sk, size)) {\n\t\t\tif (!tcp_prune_ofo_queue(sk))\n\t\t\t\treturn -1;\n\n\t\t\tif (!sk_rmem_schedule(sk, size))\n\t\t\t\treturn -1;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "net-next", "hash": 12905631168678719843867810446095686872, "size": 18, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409920 }, { "func": "static inline int kvm_arch_vcpu_memslots_id(struct kvm_vcpu *vcpu)\n{\n\treturn 0;\n}", "project": "linux", "hash": 317898375467090663000874220370223099990, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354493 }, { "func": "static OPJ_BOOL opj_j2k_write_SQcd_SQcc(opj_j2k_t *p_j2k,\n OPJ_UINT32 
p_tile_no,\n OPJ_UINT32 p_comp_no,\n OPJ_BYTE * p_data,\n OPJ_UINT32 * p_header_size,\n struct opj_event_mgr * p_manager)\n{\n OPJ_UINT32 l_header_size;\n OPJ_UINT32 l_band_no, l_num_bands;\n OPJ_UINT32 l_expn, l_mant;\n\n opj_cp_t *l_cp = 00;\n opj_tcp_t *l_tcp = 00;\n opj_tccp_t *l_tccp = 00;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_header_size != 00);\n assert(p_manager != 00);\n assert(p_data != 00);\n\n l_cp = &(p_j2k->m_cp);\n l_tcp = &l_cp->tcps[p_tile_no];\n l_tccp = &l_tcp->tccps[p_comp_no];\n\n /* preconditions again */\n assert(p_tile_no < l_cp->tw * l_cp->th);\n assert(p_comp_no < p_j2k->m_private_image->numcomps);\n\n l_num_bands = (l_tccp->qntsty == J2K_CCP_QNTSTY_SIQNT) ? 1 :\n (l_tccp->numresolutions * 3 - 2);\n\n if (l_tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) {\n l_header_size = 1 + l_num_bands;\n\n if (*p_header_size < l_header_size) {\n opj_event_msg(p_manager, EVT_ERROR, \"Error writing SQcd SQcc element\\n\");\n return OPJ_FALSE;\n }\n\n opj_write_bytes(p_data, l_tccp->qntsty + (l_tccp->numgbits << 5),\n 1); /* Sqcx */\n ++p_data;\n\n for (l_band_no = 0; l_band_no < l_num_bands; ++l_band_no) {\n l_expn = (OPJ_UINT32)l_tccp->stepsizes[l_band_no].expn;\n opj_write_bytes(p_data, l_expn << 3, 1); /* SPqcx_i */\n ++p_data;\n }\n } else {\n l_header_size = 1 + 2 * l_num_bands;\n\n if (*p_header_size < l_header_size) {\n opj_event_msg(p_manager, EVT_ERROR, \"Error writing SQcd SQcc element\\n\");\n return OPJ_FALSE;\n }\n\n opj_write_bytes(p_data, l_tccp->qntsty + (l_tccp->numgbits << 5),\n 1); /* Sqcx */\n ++p_data;\n\n for (l_band_no = 0; l_band_no < l_num_bands; ++l_band_no) {\n l_expn = (OPJ_UINT32)l_tccp->stepsizes[l_band_no].expn;\n l_mant = (OPJ_UINT32)l_tccp->stepsizes[l_band_no].mant;\n\n opj_write_bytes(p_data, (l_expn << 11) + l_mant, 2); /* SPqcx_i */\n p_data += 2;\n }\n }\n\n *p_header_size = *p_header_size - l_header_size;\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 308650657929155937014848226694840253961, 
"size": 74, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357294 }, { "func": "void kvm_hv_vcpu_uninit(struct kvm_vcpu *vcpu)\n{\n\tstruct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu);\n\tint i;\n\n\tif (!hv_vcpu)\n\t\treturn;\n\n\tfor (i = 0; i < ARRAY_SIZE(hv_vcpu->stimer); i++)\n\t\tstimer_cleanup(&hv_vcpu->stimer[i]);\n\n\tkfree(hv_vcpu);\n\tvcpu->arch.hyperv = NULL;\n}", "project": "linux", "hash": 229210670103440667332615250636106442757, "size": 14, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343512 }, { "func": "long fuse_do_ioctl(struct file *file, unsigned int cmd, unsigned long arg,\n\t\t unsigned int flags)\n{\n\tstruct fuse_file *ff = file->private_data;\n\tstruct fuse_mount *fm = ff->fm;\n\tstruct fuse_ioctl_in inarg = {\n\t\t.fh = ff->fh,\n\t\t.cmd = cmd,\n\t\t.arg = arg,\n\t\t.flags = flags\n\t};\n\tstruct fuse_ioctl_out outarg;\n\tstruct iovec *iov_page = NULL;\n\tstruct iovec *in_iov = NULL, *out_iov = NULL;\n\tunsigned int in_iovs = 0, out_iovs = 0, max_pages;\n\tsize_t in_size, out_size, c;\n\tssize_t transferred;\n\tint err, i;\n\tstruct iov_iter ii;\n\tstruct fuse_args_pages ap = {};\n\n#if BITS_PER_LONG == 32\n\tinarg.flags |= FUSE_IOCTL_32BIT;\n#else\n\tif (flags & FUSE_IOCTL_COMPAT) {\n\t\tinarg.flags |= FUSE_IOCTL_32BIT;\n#ifdef CONFIG_X86_X32\n\t\tif (in_x32_syscall())\n\t\t\tinarg.flags |= FUSE_IOCTL_COMPAT_X32;\n#endif\n\t}\n#endif\n\n\t/* assume all the iovs returned by client always fits in a page */\n\tBUILD_BUG_ON(sizeof(struct fuse_ioctl_iovec) * FUSE_IOCTL_MAX_IOV > PAGE_SIZE);\n\n\terr = -ENOMEM;\n\tap.pages = fuse_pages_alloc(fm->fc->max_pages, GFP_KERNEL, &ap.descs);\n\tiov_page = (struct iovec *) __get_free_page(GFP_KERNEL);\n\tif (!ap.pages || !iov_page)\n\t\tgoto out;\n\n\tfuse_page_descs_length_init(ap.descs, 0, fm->fc->max_pages);\n\n\t/*\n\t * If restricted, initialize IO parameters as encoded in @cmd.\n\t * RETRY from server is not allowed.\n\t */\n\tif (!(flags & FUSE_IOCTL_UNRESTRICTED)) {\n\t\tstruct iovec *iov = iov_page;\n\n\t\tiov->iov_base = (void __user *)arg;\n\n\t\tswitch (cmd) 
{\n\t\tcase FS_IOC_GETFLAGS:\n\t\tcase FS_IOC_SETFLAGS:\n\t\t\tiov->iov_len = sizeof(int);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tiov->iov_len = _IOC_SIZE(cmd);\n\t\t\tbreak;\n\t\t}\n\n\t\tif (_IOC_DIR(cmd) & _IOC_WRITE) {\n\t\t\tin_iov = iov;\n\t\t\tin_iovs = 1;\n\t\t}\n\n\t\tif (_IOC_DIR(cmd) & _IOC_READ) {\n\t\t\tout_iov = iov;\n\t\t\tout_iovs = 1;\n\t\t}\n\t}\n\n retry:\n\tinarg.in_size = in_size = iov_length(in_iov, in_iovs);\n\tinarg.out_size = out_size = iov_length(out_iov, out_iovs);\n\n\t/*\n\t * Out data can be used either for actual out data or iovs,\n\t * make sure there always is at least one page.\n\t */\n\tout_size = max_t(size_t, out_size, PAGE_SIZE);\n\tmax_pages = DIV_ROUND_UP(max(in_size, out_size), PAGE_SIZE);\n\n\t/* make sure there are enough buffer pages and init request with them */\n\terr = -ENOMEM;\n\tif (max_pages > fm->fc->max_pages)\n\t\tgoto out;\n\twhile (ap.num_pages < max_pages) {\n\t\tap.pages[ap.num_pages] = alloc_page(GFP_KERNEL | __GFP_HIGHMEM);\n\t\tif (!ap.pages[ap.num_pages])\n\t\t\tgoto out;\n\t\tap.num_pages++;\n\t}\n\n\n\t/* okay, let's send it to the client */\n\tap.args.opcode = FUSE_IOCTL;\n\tap.args.nodeid = ff->nodeid;\n\tap.args.in_numargs = 1;\n\tap.args.in_args[0].size = sizeof(inarg);\n\tap.args.in_args[0].value = &inarg;\n\tif (in_size) {\n\t\tap.args.in_numargs++;\n\t\tap.args.in_args[1].size = in_size;\n\t\tap.args.in_pages = true;\n\n\t\terr = -EFAULT;\n\t\tiov_iter_init(&ii, WRITE, in_iov, in_iovs, in_size);\n\t\tfor (i = 0; iov_iter_count(&ii) && !WARN_ON(i >= ap.num_pages); i++) {\n\t\t\tc = copy_page_from_iter(ap.pages[i], 0, PAGE_SIZE, &ii);\n\t\t\tif (c != PAGE_SIZE && iov_iter_count(&ii))\n\t\t\t\tgoto out;\n\t\t}\n\t}\n\n\tap.args.out_numargs = 2;\n\tap.args.out_args[0].size = sizeof(outarg);\n\tap.args.out_args[0].value = &outarg;\n\tap.args.out_args[1].size = out_size;\n\tap.args.out_pages = true;\n\tap.args.out_argvar = true;\n\n\ttransferred = fuse_simple_request(fm, &ap.args);\n\terr = 
transferred;\n\tif (transferred < 0)\n\t\tgoto out;\n\n\t/* did it ask for retry? */\n\tif (outarg.flags & FUSE_IOCTL_RETRY) {\n\t\tvoid *vaddr;\n\n\t\t/* no retry if in restricted mode */\n\t\terr = -EIO;\n\t\tif (!(flags & FUSE_IOCTL_UNRESTRICTED))\n\t\t\tgoto out;\n\n\t\tin_iovs = outarg.in_iovs;\n\t\tout_iovs = outarg.out_iovs;\n\n\t\t/*\n\t\t * Make sure things are in boundary, separate checks\n\t\t * are to protect against overflow.\n\t\t */\n\t\terr = -ENOMEM;\n\t\tif (in_iovs > FUSE_IOCTL_MAX_IOV ||\n\t\t out_iovs > FUSE_IOCTL_MAX_IOV ||\n\t\t in_iovs + out_iovs > FUSE_IOCTL_MAX_IOV)\n\t\t\tgoto out;\n\n\t\tvaddr = kmap_atomic(ap.pages[0]);\n\t\terr = fuse_copy_ioctl_iovec(fm->fc, iov_page, vaddr,\n\t\t\t\t\t transferred, in_iovs + out_iovs,\n\t\t\t\t\t (flags & FUSE_IOCTL_COMPAT) != 0);\n\t\tkunmap_atomic(vaddr);\n\t\tif (err)\n\t\t\tgoto out;\n\n\t\tin_iov = iov_page;\n\t\tout_iov = in_iov + in_iovs;\n\n\t\terr = fuse_verify_ioctl_iov(fm->fc, in_iov, in_iovs);\n\t\tif (err)\n\t\t\tgoto out;\n\n\t\terr = fuse_verify_ioctl_iov(fm->fc, out_iov, out_iovs);\n\t\tif (err)\n\t\t\tgoto out;\n\n\t\tgoto retry;\n\t}\n\n\terr = -EIO;\n\tif (transferred > inarg.out_size)\n\t\tgoto out;\n\n\terr = -EFAULT;\n\tiov_iter_init(&ii, READ, out_iov, out_iovs, transferred);\n\tfor (i = 0; iov_iter_count(&ii) && !WARN_ON(i >= ap.num_pages); i++) {\n\t\tc = copy_page_to_iter(ap.pages[i], 0, PAGE_SIZE, &ii);\n\t\tif (c != PAGE_SIZE && iov_iter_count(&ii))\n\t\t\tgoto out;\n\t}\n\terr = 0;\n out:\n\tfree_page((unsigned long) iov_page);\n\twhile (ap.num_pages)\n\t\t__free_page(ap.pages[--ap.num_pages]);\n\tkfree(ap.pages);\n\n\treturn err ? 
err : outarg.result;\n}", "project": "linux", "hash": 51835301271452884128879732748467195336, "size": 193, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342060 }, { "func": "R_API int r_sys_signal(int sig, void (*handler) (int)) {\n\tint s[2] = { sig, 0 };\n\treturn r_sys_sigaction (s, handler);\n}", "project": "radare2", "hash": 227777612556975241051620055791880081113, "size": 4, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268816 }, { "func": "static int kvm_hv_get_msr(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata,\n\t\t\t bool host)\n{\n\tu64 data = 0;\n\tstruct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu);\n\n\tswitch (msr) {\n\tcase HV_X64_MSR_VP_INDEX:\n\t\tdata = hv_vcpu->vp_index;\n\t\tbreak;\n\tcase HV_X64_MSR_EOI:\n\t\treturn kvm_hv_vapic_msr_read(vcpu, APIC_EOI, pdata);\n\tcase HV_X64_MSR_ICR:\n\t\treturn kvm_hv_vapic_msr_read(vcpu, APIC_ICR, pdata);\n\tcase HV_X64_MSR_TPR:\n\t\treturn kvm_hv_vapic_msr_read(vcpu, APIC_TASKPRI, pdata);\n\tcase HV_X64_MSR_VP_ASSIST_PAGE:\n\t\tdata = hv_vcpu->hv_vapic;\n\t\tbreak;\n\tcase HV_X64_MSR_VP_RUNTIME:\n\t\tdata = current_task_runtime_100ns() + hv_vcpu->runtime_offset;\n\t\tbreak;\n\tcase HV_X64_MSR_SCONTROL:\n\tcase HV_X64_MSR_SVERSION:\n\tcase HV_X64_MSR_SIEFP:\n\tcase HV_X64_MSR_SIMP:\n\tcase HV_X64_MSR_EOM:\n\tcase HV_X64_MSR_SINT0 ... 
HV_X64_MSR_SINT15:\n\t\treturn synic_get_msr(to_hv_synic(vcpu), msr, pdata, host);\n\tcase HV_X64_MSR_STIMER0_CONFIG:\n\tcase HV_X64_MSR_STIMER1_CONFIG:\n\tcase HV_X64_MSR_STIMER2_CONFIG:\n\tcase HV_X64_MSR_STIMER3_CONFIG: {\n\t\tint timer_index = (msr - HV_X64_MSR_STIMER0_CONFIG)/2;\n\n\t\treturn stimer_get_config(to_hv_stimer(vcpu, timer_index),\n\t\t\t\t\t pdata);\n\t}\n\tcase HV_X64_MSR_STIMER0_COUNT:\n\tcase HV_X64_MSR_STIMER1_COUNT:\n\tcase HV_X64_MSR_STIMER2_COUNT:\n\tcase HV_X64_MSR_STIMER3_COUNT: {\n\t\tint timer_index = (msr - HV_X64_MSR_STIMER0_COUNT)/2;\n\n\t\treturn stimer_get_count(to_hv_stimer(vcpu, timer_index),\n\t\t\t\t\tpdata);\n\t}\n\tcase HV_X64_MSR_TSC_FREQUENCY:\n\t\tdata = (u64)vcpu->arch.virtual_tsc_khz * 1000;\n\t\tbreak;\n\tcase HV_X64_MSR_APIC_FREQUENCY:\n\t\tdata = APIC_BUS_FREQUENCY;\n\t\tbreak;\n\tdefault:\n\t\tvcpu_unimpl(vcpu, \"Hyper-V unhandled rdmsr: 0x%x\\n\", msr);\n\t\treturn 1;\n\t}\n\t*pdata = data;\n\treturn 0;\n}", "project": "linux", "hash": 10506309639309879991859402820820450372, "size": 60, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is 
lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343537 }, { "func": "int tipc_node_xmit(struct net *net, struct sk_buff_head *list,\n\t\t u32 dnode, int selector)\n{\n\tstruct tipc_link_entry *le = NULL;\n\tstruct tipc_node *n;\n\tstruct sk_buff_head xmitq;\n\tbool node_up = false;\n\tint bearer_id;\n\tint rc;\n\n\tif (in_own_node(net, dnode)) {\n\t\ttipc_loopback_trace(net, list);\n\t\tspin_lock_init(&list->lock);\n\t\ttipc_sk_rcv(net, list);\n\t\treturn 0;\n\t}\n\n\tn = tipc_node_find(net, dnode);\n\tif (unlikely(!n)) {\n\t\t__skb_queue_purge(list);\n\t\treturn -EHOSTUNREACH;\n\t}\n\n\ttipc_node_read_lock(n);\n\tnode_up = node_is_up(n);\n\tif (node_up && n->peer_net && check_net(n->peer_net)) {\n\t\t/* xmit inner linux container */\n\t\ttipc_lxc_xmit(n->peer_net, list);\n\t\tif (likely(skb_queue_empty(list))) {\n\t\t\ttipc_node_read_unlock(n);\n\t\t\ttipc_node_put(n);\n\t\t\treturn 0;\n\t\t}\n\t}\n\n\tbearer_id = n->active_links[selector & 1];\n\tif (unlikely(bearer_id == INVALID_BEARER_ID)) {\n\t\ttipc_node_read_unlock(n);\n\t\ttipc_node_put(n);\n\t\t__skb_queue_purge(list);\n\t\treturn -EHOSTUNREACH;\n\t}\n\n\t__skb_queue_head_init(&xmitq);\n\tle = &n->links[bearer_id];\n\tspin_lock_bh(&le->lock);\n\trc = tipc_link_xmit(le->link, list, &xmitq);\n\tspin_unlock_bh(&le->lock);\n\ttipc_node_read_unlock(n);\n\n\tif (unlikely(rc == 
-ENOBUFS))\n\t\ttipc_node_link_down(n, bearer_id, false);\n\telse\n\t\ttipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr, n);\n\n\ttipc_node_put(n);\n\n\treturn rc;\n}", "project": "linux", "hash": 82916380957223554668633808884575837946, "size": 59, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n 
__compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n 
__do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364918 }, { "func": "}\nEXPORT_SYMBOL_GPL(iscsi_get_discovery_parent_name);\n\nstatic int iscsi_set_flashnode_param(struct iscsi_transport *transport,\n\t\t\t\t struct iscsi_uevent *ev, uint32_t len)\n{\n\tchar *data = (char *)ev + sizeof(*ev);\n\tstruct Scsi_Host *shost;\n\tstruct iscsi_bus_flash_session *fnode_sess;\n\tstruct iscsi_bus_flash_conn *fnode_conn;\n\tstruct device *dev;\n\tuint32_t idx;\n\tint err = 0;\n\n\tif (!transport->set_flashnode_param) {\n\t\terr = -ENOSYS;\n\t\tgoto exit_set_fnode;\n\t}\n\n\tshost = scsi_host_lookup(ev->u.set_flashnode.host_no);\n\tif (!shost) {\n\t\tpr_err(\"%s could not find host no %u\\n\",\n\t\t __func__, ev->u.set_flashnode.host_no);\n\t\terr = -ENODEV;\n\t\tgoto exit_set_fnode;\n\t}\n\n\tidx = ev->u.set_flashnode.flashnode_idx;\n\tfnode_sess = iscsi_get_flashnode_by_index(shost, idx);\n\tif (!fnode_sess) {\n\t\tpr_err(\"%s could not find flashnode %u for host no %u\\n\",\n\t\t __func__, idx, ev->u.set_flashnode.host_no);\n\t\terr = -ENODEV;\n\t\tgoto put_host;\n\t}\n\n\tdev = iscsi_find_flashnode_conn(fnode_sess);\n\tif (!dev) {\n\t\terr = -ENODEV;\n\t\tgoto put_sess;\n\t}\n\n\tfnode_conn = iscsi_dev_to_flash_conn(dev);\n\terr = transport->set_flashnode_param(fnode_sess, fnode_conn, data, 
len);\n\tput_device(dev);\n\nput_sess:\n\tput_device(&fnode_sess->dev);\n\nput_host:\n\tscsi_host_put(shost);\n", "project": "linux", "hash": 311604622717937519034849637568139974099, "size": 52, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379918 }, { "func": "static u32 get_acqseq(void)\n{\n\tu32 res;\n\tstatic atomic_t acqseq;\n\n\tdo {\n\t\tres = atomic_inc_return(&acqseq);\n\t} while (!res);\n\treturn res;\n}", "project": "linux", "hash": 216945776226706223870209349779159308846, "size": 10, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 267995 }, { "func": "HttpStateData::maybeReadVirginBody()\n{\n // too late to read\n if (!Comm::IsConnOpen(serverConnection) || fd_table[serverConnection->fd].closing())\n return;\n\n if (!maybeMakeSpaceAvailable(false))\n return;\n\n // XXX: get rid of the do_next_read flag\n // check for the proper reasons preventing read(2)\n if (!flags.do_next_read)\n return;\n\n flags.do_next_read = false;\n\n // must not already be waiting for read(2) ...\n assert(!Comm::MonitorsRead(serverConnection->fd));\n\n // wait for read(2) to be possible.\n typedef CommCbMemFunT Dialer;\n AsyncCall::Pointer call = JobCallback(11, 5, Dialer, this, HttpStateData::readReply);\n Comm::Read(serverConnection, call);\n}", "project": "squid", "hash": 82254620296044370236242869457990866101, "size": 24, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402377 }, { "func": "static int vcpu_post_run(struct kvm_vcpu *vcpu, int exit_reason)\n{\n\tstruct mcck_volatile_info *mcck_info;\n\tstruct sie_page *sie_page;\n\n\tVCPU_EVENT(vcpu, 6, \"exit sie icptcode %d\",\n\t\t vcpu->arch.sie_block->icptcode);\n\ttrace_kvm_s390_sie_exit(vcpu, vcpu->arch.sie_block->icptcode);\n\n\tif (guestdbg_enabled(vcpu))\n\t\tkvm_s390_restore_guest_per_regs(vcpu);\n\n\tvcpu->run->s.regs.gprs[14] = vcpu->arch.sie_block->gg14;\n\tvcpu->run->s.regs.gprs[15] = vcpu->arch.sie_block->gg15;\n\n\tif (exit_reason == -EINTR) {\n\t\tVCPU_EVENT(vcpu, 3, \"%s\", \"machine check\");\n\t\tsie_page = container_of(vcpu->arch.sie_block,\n\t\t\t\t\tstruct sie_page, sie_block);\n\t\tmcck_info = &sie_page->mcck_info;\n\t\tkvm_s390_reinject_machine_check(vcpu, mcck_info);\n\t\treturn 0;\n\t}\n\n\tif (vcpu->arch.sie_block->icptcode > 0) {\n\t\tint rc = kvm_handle_sie_intercept(vcpu);\n\n\t\tif (rc != -EOPNOTSUPP)\n\t\t\treturn rc;\n\t\tvcpu->run->exit_reason = KVM_EXIT_S390_SIEIC;\n\t\tvcpu->run->s390_sieic.icptcode = vcpu->arch.sie_block->icptcode;\n\t\tvcpu->run->s390_sieic.ipa = vcpu->arch.sie_block->ipa;\n\t\tvcpu->run->s390_sieic.ipb = vcpu->arch.sie_block->ipb;\n\t\treturn -EREMOTE;\n\t} else if (exit_reason != -EFAULT) {\n\t\tvcpu->stat.exit_null++;\n\t\treturn 0;\n\t} else if (kvm_is_ucontrol(vcpu->kvm)) {\n\t\tvcpu->run->exit_reason = KVM_EXIT_S390_UCONTROL;\n\t\tvcpu->run->s390_ucontrol.trans_exc_code =\n\t\t\t\t\t\tcurrent->thread.gmap_addr;\n\t\tvcpu->run->s390_ucontrol.pgm_code = 0x10;\n\t\treturn -EREMOTE;\n\t} else if 
(current->thread.gmap_pfault) {\n\t\ttrace_kvm_s390_major_guest_pfault(vcpu);\n\t\tcurrent->thread.gmap_pfault = 0;\n\t\tif (kvm_arch_setup_async_pf(vcpu))\n\t\t\treturn 0;\n\t\treturn kvm_arch_fault_in_page(vcpu, current->thread.gmap_addr, 1);\n\t}\n\treturn vcpu_post_run_fault_in_sie(vcpu);\n}", "project": "linux", "hash": 206066486799899908178462447191470325294, "size": 52, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354769 }, { "func": "static void nfs4_xdr_enc_destroy_session(struct rpc_rqst *req,\n\t\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t\t const void *data)\n{\n\tconst struct nfs4_session *session = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = session->clp->cl_mvops->minor_version,\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_destroy_session(xdr, session, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 194818054589234274475983109243398570866, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of 
label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431197 }, { "func": "static int huf_uncompress(EXRContext *s,\n EXRThreadData *td,\n GetByteContext *gb,\n uint16_t *dst, int dst_size)\n{\n int32_t im, iM;\n uint32_t nBits;\n int ret;\n\n im = bytestream2_get_le32(gb);\n iM = bytestream2_get_le32(gb);\n bytestream2_skip(gb, 4);\n nBits = bytestream2_get_le32(gb);\n if (im < 0 || im >= HUF_ENCSIZE ||\n iM < 0 || iM >= HUF_ENCSIZE)\n return AVERROR_INVALIDDATA;\n\n bytestream2_skip(gb, 4);\n\n if (!td->freq)\n td->freq = av_malloc_array(HUF_ENCSIZE, sizeof(*td->freq));\n if (!td->he)\n td->he = av_calloc(HUF_ENCSIZE, sizeof(*td->he));\n if (!td->freq || !td->he) {\n ret = AVERROR(ENOMEM);\n return ret;\n }\n\n memset(td->freq, 0, sizeof(*td->freq) * HUF_ENCSIZE);\n if ((ret = huf_unpack_enc_table(gb, im, iM, td->freq)) < 0)\n return ret;\n\n if (nBits > 8 * bytestream2_get_bytes_left(gb)) {\n ret = AVERROR_INVALIDDATA;\n return ret;\n }\n\n if ((ret = huf_build_dec_table(s, td, im, iM)) < 0)\n return ret;\n return huf_decode(&td->vlc, gb, nBits, td->run_sym, dst_size, dst);\n}", "project": "FFmpeg", "hash": 97808097754160209840255353052676835376, "size": 41, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262671 }, { "func": "static void vt_console_print(struct console *co, const char *b, unsigned count)\n{\n\tstruct vc_data *vc = vc_cons[fg_console].d;\n\tunsigned char c;\n\tstatic DEFINE_SPINLOCK(printing_lock);\n\tconst ushort *start;\n\tushort start_x, cnt;\n\tint kmsg_console;\n\n\t/* console busy or not yet initialized */\n\tif (!printable)\n\t\treturn;\n\tif (!spin_trylock(&printing_lock))\n\t\treturn;\n\n\tkmsg_console = vt_get_kmsg_redirect();\n\tif (kmsg_console && vc_cons_allocated(kmsg_console - 
1))\n\t\tvc = vc_cons[kmsg_console - 1].d;\n\n\tif (!vc_cons_allocated(fg_console)) {\n\t\t/* impossible */\n\t\t/* printk(\"vt_console_print: tty %d not allocated ??\\n\", currcons+1); */\n\t\tgoto quit;\n\t}\n\n\tif (vc->vc_mode != KD_TEXT)\n\t\tgoto quit;\n\n\t/* undraw cursor first */\n\tif (con_is_fg(vc))\n\t\thide_cursor(vc);\n\n\tstart = (ushort *)vc->vc_pos;\n\tstart_x = vc->vc_x;\n\tcnt = 0;\n\twhile (count--) {\n\t\tc = *b++;\n\t\tif (c == 10 || c == 13 || c == 8 || vc->vc_need_wrap) {\n\t\t\tif (cnt && con_is_visible(vc))\n\t\t\t\tvc->vc_sw->con_putcs(vc, start, cnt, vc->vc_y, start_x);\n\t\t\tcnt = 0;\n\t\t\tif (c == 8) {\t\t/* backspace */\n\t\t\t\tbs(vc);\n\t\t\t\tstart = (ushort *)vc->vc_pos;\n\t\t\t\tstart_x = vc->vc_x;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (c != 13)\n\t\t\t\tlf(vc);\n\t\t\tcr(vc);\n\t\t\tstart = (ushort *)vc->vc_pos;\n\t\t\tstart_x = vc->vc_x;\n\t\t\tif (c == 10 || c == 13)\n\t\t\t\tcontinue;\n\t\t}\n\t\tvc_uniscr_putc(vc, c);\n\t\tscr_writew((vc->vc_attr << 8) + c, (unsigned short *)vc->vc_pos);\n\t\tnotify_write(vc, c);\n\t\tcnt++;\n\t\tif (vc->vc_x == vc->vc_cols - 1) {\n\t\t\tvc->vc_need_wrap = 1;\n\t\t} else {\n\t\t\tvc->vc_pos += 2;\n\t\t\tvc->vc_x++;\n\t\t}\n\t}\n\tif (cnt && con_is_visible(vc))\n\t\tvc->vc_sw->con_putcs(vc, start, cnt, vc->vc_y, start_x);\n\tset_cursor(vc);\n\tnotify_update(vc);\n\nquit:\n\tspin_unlock(&printing_lock);\n}", "project": "linux", "hash": 150100539459206160479471505762379311138, "size": 74, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. 
But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 
(\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437091 }, { "func": "static int input_dev_resume(struct device *dev)\n{\n\tstruct input_dev *input_dev = to_input_dev(dev);\n\n\tspin_lock_irq(&input_dev->event_lock);\n\n\t/* Restore state of LEDs and sounds, if any were active. */\n\tinput_dev_toggle(input_dev, true);\n\n\tspin_unlock_irq(&input_dev->event_lock);\n\n\treturn 0;\n}", "project": "linux", "hash": 109766239436749993926760761430265084181, "size": 13, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353309 }, { "func": "void lj_trace_flush(jit_State *J, TraceNo traceno)\n{\n if (traceno > 0 && traceno < J->sizetrace) {\n GCtrace *T = traceref(J, traceno);\n if (T && T->root == 0)\n trace_flushroot(J, T);\n }\n}", "project": "LuaJIT", "hash": 270363431473003699042520983466616906275, "size": 8, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394615 }, { "func": "int bcf_hdr_add_sample(bcf_hdr_t *h, const char *s)\n{\n return bcf_hdr_add_sample_len(h, s, 0);\n}", "project": "htslib", "hash": 220585308762728221041522435763852274928, "size": 4, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402200 }, { "func": "static inline int siar_valid(struct pt_regs *regs)\n{\n\treturn 1;\n}", "project": "linux", "hash": 47772919713001191812231344332908556478, "size": 4, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374688 }, { "func": "static inline int siar_valid(struct pt_regs *regs)\n{\n\tunsigned long mmcra = regs->dsisr;\n\tint marked = mmcra & MMCRA_SAMPLE_ENABLE;\n\n\tif (marked) {\n\t\t/*\n\t\t * SIER[SIAR_VALID] is not set for some\n\t\t * marked events on power10 DD1, so drop\n\t\t * the check for SIER[SIAR_VALID] and return true.\n\t\t */\n\t\tif (ppmu->flags & PPMU_P10_DD1)\n\t\t\treturn 0x1;\n\t\telse if (ppmu->flags & PPMU_HAS_SIER)\n\t\t\treturn regs->dar & SIER_SIAR_VALID;\n\n\t\tif (ppmu->flags & PPMU_SIAR_VALID)\n\t\t\treturn mmcra & POWER7P_MMCRA_SIAR_VALID;\n\t}\n\n\treturn 1;\n}", "project": "linux", "hash": 50915769312367685800417265749913987029, "size": 22, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n 
__hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374698 }, { "func": "uint32 CSoundFile::SendMIDIData(CHANNELINDEX nChn, bool isSmooth, const unsigned char *macro, uint32 macroLen, PLUGINDEX plugin)\n{\n\tif(macroLen < 1)\n\t{\n\t\treturn 0;\n\t}\n\n\tif(macro[0] == 0xFA || macro[0] == 0xFC || macro[0] == 0xFF)\n\t{\n\t\t// Start Song, Stop Song, MIDI Reset - both interpreted internally and sent to plugins\n\t\tfor(CHANNELINDEX chn = 0; chn < GetNumChannels(); chn++)\n\t\t{\n\t\t\tm_PlayState.Chn[chn].nCutOff = 0x7F;\n\t\t\tm_PlayState.Chn[chn].nResonance = 0x00;\n\t\t}\n\t}\n\n\tModChannel &chn = m_PlayState.Chn[nChn];\n\tif(macro[0] == 0xF0 && (macro[1] == 0xF0 || macro[1] == 0xF1))\n\t{\n\t\t// Internal device.\n\t\tif(macroLen < 4)\n\t\t{\n\t\t\treturn 0;\n\t\t}\n\t\tconst bool isExtended = (macro[1] == 0xF1);\n\t\tconst uint8 macroCode = macro[2];\n\t\tconst uint8 param = macro[3];\n\n\t\tif(macroCode == 0x00 && !isExtended && param < 0x80)\n\t\t{\n\t\t\t// F0.F0.00.xx: Set CutOff\n\t\t\tif(!isSmooth)\n\t\t\t{\n\t\t\t\tchn.nCutOff = param;\n\t\t\t} else\n\t\t\t{\n\t\t\t\tchn.nCutOff = Util::Round(CalculateSmoothParamChange(chn.nCutOff, param));\n\t\t\t}\n\t\t\tchn.nRestoreCutoffOnNewNote = 
0;\n\t\t\tSetupChannelFilter(&chn, !chn.dwFlags[CHN_FILTER]);\n\n\t\t\treturn 4;\n\t\t} else if(macroCode == 0x01 && !isExtended && param < 0x80)\n\t\t{\n\t\t\t// F0.F0.01.xx: Set Resonance\n\t\t\tif(!isSmooth)\n\t\t\t{\n\t\t\t\tchn.nResonance = param;\n\t\t\t} else\n\t\t\t{\n\t\t\t\tchn.nResonance = (uint8)CalculateSmoothParamChange((float)chn.nResonance, (float)param);\n\t\t\t}\n\t\t\tchn.nRestoreResonanceOnNewNote = 0;\n\t\t\tSetupChannelFilter(&chn, !chn.dwFlags[CHN_FILTER]);\n\n\t\t\treturn 4;\n\t\t} else if(macroCode == 0x02 && !isExtended)\n\t\t{\n\t\t\t// F0.F0.02.xx: Set filter mode (high nibble determines filter mode)\n\t\t\tif(param < 0x20)\n\t\t\t{\n\t\t\t\tchn.nFilterMode = (param >> 4);\n\t\t\t\tSetupChannelFilter(&chn, !chn.dwFlags[CHN_FILTER]);\n\t\t\t}\n\n\t\t\treturn 4;\n#ifndef NO_PLUGINS\n\t\t} else if(macroCode == 0x03 && !isExtended)\n\t\t{\n\t\t\t// F0.F0.03.xx: Set plug dry/wet\n\t\t\tconst PLUGINDEX nPlug = (plugin != 0) ? plugin : GetBestPlugin(nChn, PrioritiseChannel, EvenIfMuted);\n\t\t\tif ((nPlug) && (nPlug <= MAX_MIXPLUGINS) && param < 0x80)\n\t\t\t{\n\t\t\t\tconst float newRatio = (0x7F - (param & 0x7F)) / 127.0f;\n\t\t\t\tif(!isSmooth)\n\t\t\t\t{\n\t\t\t\t\tm_MixPlugins[nPlug - 1].fDryRatio = newRatio;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\tm_MixPlugins[nPlug - 1].fDryRatio = CalculateSmoothParamChange(m_MixPlugins[nPlug - 1].fDryRatio, newRatio);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn 4;\n\t\t} else if((macroCode & 0x80) || isExtended)\n\t\t{\n\t\t\t// F0.F0.{80|n}.xx / F0.F1.n.xx: Set VST effect parameter n to xx\n\t\t\tconst PLUGINDEX nPlug = (plugin != 0) ? plugin : GetBestPlugin(nChn, PrioritiseChannel, EvenIfMuted);\n\t\t\tconst uint32 plugParam = isExtended ? 
(0x80 + macroCode) : (macroCode & 0x7F);\n\t\t\tif((nPlug) && (nPlug <= MAX_MIXPLUGINS))\n\t\t\t{\n\t\t\t\tIMixPlugin *pPlugin = m_MixPlugins[nPlug - 1].pMixPlugin;\n\t\t\t\tif(pPlugin && param < 0x80)\n\t\t\t\t{\n\t\t\t\t\tconst float fParam = param / 127.0f;\n\t\t\t\t\tif(!isSmooth)\n\t\t\t\t\t{\n\t\t\t\t\t\tpPlugin->SetParameter(plugParam, fParam);\n\t\t\t\t\t} else\n\t\t\t\t\t{\n\t\t\t\t\t\tpPlugin->SetParameter(plugParam, CalculateSmoothParamChange(pPlugin->GetParameter(plugParam), fParam));\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn 4;\n#endif // NO_PLUGINS\n\t\t}\n\n\t\t// If we reach this point, the internal macro was invalid.\n\n\t} else\n\t{\n#ifndef NO_PLUGINS\n\t\t// Not an internal device. Pass on to appropriate plugin.\n\t\tconst CHANNELINDEX plugChannel = (nChn < GetNumChannels()) ? nChn + 1 : chn.nMasterChn;\n\t\tif(plugChannel > 0 && plugChannel <= GetNumChannels())\t// XXX do we need this? I guess it might be relevant for previewing notes in the pattern... Or when using this mechanism for volume/panning!\n\t\t{\n\t\t\tPLUGINDEX nPlug = 0;\n\t\t\tif(!chn.dwFlags[CHN_NOFX])\n\t\t\t{\n\t\t\t\tnPlug = (plugin != 0) ? 
plugin : GetBestPlugin(nChn, PrioritiseChannel, EvenIfMuted);\n\t\t\t}\n\n\t\t\tif(nPlug > 0 && nPlug <= MAX_MIXPLUGINS)\n\t\t\t{\n\t\t\t\tIMixPlugin *pPlugin = m_MixPlugins[nPlug - 1].pMixPlugin;\n\t\t\t\tif (pPlugin != nullptr)\n\t\t\t\t{\n\t\t\t\t\tif(macro[0] == 0xF0)\n\t\t\t\t\t{\n\t\t\t\t\t\tpPlugin->MidiSysexSend(macro, macroLen);\n\t\t\t\t\t} else\n\t\t\t\t\t{\n\t\t\t\t\t\tuint32 len = std::min(MIDIEvents::GetEventLength(macro[0]), macroLen);\n\t\t\t\t\t\tuint32 curData = 0;\n\t\t\t\t\t\tmemcpy(&curData, macro, len);\n\t\t\t\t\t\tpPlugin->MidiSend(curData);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n#else\n\t\tMPT_UNREFERENCED_PARAMETER(plugin);\n#endif // NO_PLUGINS\n\n\t\treturn macroLen;\n\n\t}\n\n\treturn 0;\n\n}", "project": "openmpt", "hash": 269540101046979725565441307269902461648, "size": 154, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255202 }, { "func": "int intel_execlists_submission_init(struct intel_engine_cs *engine)\n{\n\tstruct intel_engine_execlists * const execlists = &engine->execlists;\n\tstruct drm_i915_private *i915 = engine->i915;\n\tstruct intel_uncore *uncore = engine->uncore;\n\tu32 base = engine->mmio_base;\n\tint ret;\n\n\tret = intel_engine_init_common(engine);\n\tif (ret)\n\t\treturn ret;\n\n\tif (intel_init_workaround_bb(engine))\n\t\t/*\n\t\t * We continue even if we fail to initialize WA batch\n\t\t * because we only expect rare glitches but nothing\n\t\t * critical to prevent us from using GPU\n\t\t */\n\t\tDRM_ERROR(\"WA batch buffer initialization failed\\n\");\n\n\tif (HAS_LOGICAL_RING_ELSQ(i915)) {\n\t\texeclists->submit_reg = uncore->regs 
+\n\t\t\ti915_mmio_reg_offset(RING_EXECLIST_SQ_CONTENTS(base));\n\t\texeclists->ctrl_reg = uncore->regs +\n\t\t\ti915_mmio_reg_offset(RING_EXECLIST_CONTROL(base));\n\t} else {\n\t\texeclists->submit_reg = uncore->regs +\n\t\t\ti915_mmio_reg_offset(RING_ELSP(base));\n\t}\n\n\texeclists->csb_status =\n\t\t&engine->status_page.addr[I915_HWS_CSB_BUF0_INDEX];\n\n\texeclists->csb_write =\n\t\t&engine->status_page.addr[intel_hws_csb_write_index(i915)];\n\n\tif (INTEL_GEN(i915) < 11)\n\t\texeclists->csb_size = GEN8_CSB_ENTRIES;\n\telse\n\t\texeclists->csb_size = GEN11_CSB_ENTRIES;\n\n\treset_csb_pointers(engine);\n\n\treturn 0;\n}", "project": "linux", "hash": 170883554840217452515582013419931214998, "size": 45, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281479 }, { "func": "static void tcp_verify_retransmit_hint(struct tcp_sock *tp, struct sk_buff *skb)\n{\n\tif ((tp->retransmit_skb_hint == NULL) ||\n\t before(TCP_SKB_CB(skb)->seq,\n\t\t TCP_SKB_CB(tp->retransmit_skb_hint)->seq))\n\t\ttp->retransmit_skb_hint = skb;\n\n\tif (!tp->lost_out ||\n\t after(TCP_SKB_CB(skb)->end_seq, tp->retransmit_high))\n\t\ttp->retransmit_high = TCP_SKB_CB(skb)->end_seq;\n}", "project": "net-next", "hash": 312050341380358778022891578348199494790, "size": 11, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409950 }, { "func": "int copy_snap(void) {\n\tint db = 1;\n\tchar *fbp;\n\tint i, y, block_size;\n\tdouble dt;\n\tstatic int first = 1, snapcnt = 0;\n\n\tif (raw_fb_str) {\n\t\tint read_all_at_once = 1;\n\t\tdouble start = dnow();\n\t\tif (rawfb_reset < 0) {\n\t\t\tif (getenv(\"SNAPFB_RAWFB_RESET\")) {\n\t\t\t\trawfb_reset = 1;\n\t\t\t} else {\n\t\t\t\trawfb_reset = 0;\n\t\t\t}\n\t\t}\n\t\tif (snap_fb == NULL || snap == NULL) {\n\t\t\trfbLog(\"copy_snap: rawfb mode and null snap fb\\n\"); \n\t\t\tclean_up_exit(1);\n\t\t}\n\t\tif (rawfb_reset) {\n\t\t\tinitialize_raw_fb(1);\n\t\t}\n\t\tif (raw_fb_bytes_per_line != snap->bytes_per_line) {\n\t\t\tread_all_at_once = 0;\n\t\t}\n\t\tif (raw_fb_full_str && strstr(raw_fb_full_str, \"/dev/vcsa\")) {\n\t\t\tsnap_vcsa_rawfb();\n\t\t} else if (read_all_at_once) {\n\t\t\tsnap_all_rawfb();\n\t\t} else {\n\t\t\t/* this goes line by line, XXX not working for video */\n\t\t\tcopy_raw_fb(snap, 0, 0, dpy_x, dpy_y);\n\t\t}\nif (db && snapcnt++ < 5) rfbLog(\"rawfb copy_snap took: %.5f secs\\n\", dnow() - start);\n\n\t\treturn 0;\n\t}\n\t\n\tif (! fs_factor) {\n\t\treturn 0;\n\t}\n\n\n\tif (! snap_fb || ! snap || ! 
snaprect) {\n\t\treturn 0;\n\t}\n\tblock_size = ((dpy_y/fs_factor) * snap->bytes_per_line);\n\n\tfbp = snap_fb;\n\ty = 0;\n\n\n\tdtime0(&dt);\n\tX_LOCK;\n\n\t/* screen may be too big for 1 shm area, so broken into fs_factor */\n\tfor (i=0; i < fs_factor; i++) {\n\t\tXRANDR_SET_TRAP_RET(-1, \"copy_snap-set\");\n\t\tcopy_image(snaprect, 0, y, 0, 0);\n\t\tXRANDR_CHK_TRAP_RET(-1, \"copy_snap-chk\");\n\n\t\tmemcpy(fbp, snaprect->data, (size_t) block_size);\n\n\t\ty += dpy_y / fs_factor;\n\t\tfbp += block_size;\n\t}\n\n\tX_UNLOCK;\n\n\tdt = dtime(&dt);\n\tif (first) {\n\t\trfbLog(\"copy_snap: time for -snapfb snapshot: %.3f sec\\n\", dt);\n\t\tfirst = 0;\n\t}\n\n\treturn 0;\n}", "project": "x11vnc", "hash": 140418049838225910213947776397656553998, "size": 79, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360765 }, { "func": "static int x25_accept(struct socket *sock, struct socket *newsock, int flags,\n\t\t bool kern)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct sock *newsk;\n\tstruct sk_buff *skb;\n\tint rc = -EINVAL;\n\n\tif (!sk)\n\t\tgoto out;\n\n\trc = -EOPNOTSUPP;\n\tif (sk->sk_type != SOCK_SEQPACKET)\n\t\tgoto out;\n\n\tlock_sock(sk);\n\trc = -EINVAL;\n\tif (sk->sk_state != TCP_LISTEN)\n\t\tgoto out2;\n\n\trc = x25_wait_for_data(sk, sk->sk_rcvtimeo);\n\tif (rc)\n\t\tgoto out2;\n\tskb = skb_dequeue(&sk->sk_receive_queue);\n\trc = -EINVAL;\n\tif (!skb->sk)\n\t\tgoto out2;\n\tnewsk\t\t = skb->sk;\n\tsock_graft(newsk, newsock);\n\n\t/* Now attach up the new socket */\n\tskb->sk = NULL;\n\tkfree_skb(skb);\n\tsk_acceptq_removed(sk);\n\tnewsock->state = SS_CONNECTED;\n\trc = 0;\nout2:\n\trelease_sock(sk);\nout:\n\treturn rc;\n}", "project": "net", "hash": 130496028341433676583960120935346038371, "size": 41, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link 
layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449184 }, { "func": "static void nf_tables_commit_chain_prepare_cancel(struct net *net)\n{\n\tstruct nftables_pernet *nft_net = nft_pernet(net);\n\tstruct nft_trans *trans, *next;\n\n\tlist_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {\n\t\tstruct nft_chain *chain = trans->ctx.chain;\n\n\t\tif (trans->msg_type == NFT_MSG_NEWRULE ||\n\t\t trans->msg_type == NFT_MSG_DELRULE) {\n\t\t\tkvfree(chain->rules_next);\n\t\t\tchain->rules_next = NULL;\n\t\t}\n\t}\n}", "project": "linux", "hash": 26495864722256461415404997419349736338, "size": 15, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. 
Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328350 }, { "func": "inline folly::MutableStringPiece StringData::bufferSlice() {\n assertx(!isImmutable());\n return folly::MutableStringPiece{mutableData(), capacity()};\n}", "project": "hhvm", "hash": 115138555914974333825920306452335768146, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219333 }, { "func": " folly::MutableStringPiece bufferSlice() {\n return m_str ? 
m_str->bufferSlice() : folly::MutableStringPiece();\n }", "project": "hhvm", "hash": 214523854842901684068198815350430249736, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219745 }, { "func": "static int ac_uncompress(EXRContext *s, GetByteContext *gb, float *block)\n{\n int ret = 0, n = 1;\n\n while (n < 64) {\n uint16_t val = bytestream2_get_ne16(gb);\n\n if (val == 0xff00) {\n n = 64;\n } else if ((val >> 8) == 0xff) {\n n += val & 0xff;\n } else {\n ret = n;\n block[ff_zigzag_direct[n]] = av_int2float(half2float(val,\n s->mantissatable,\n s->exponenttable,\n s->offsettable));\n n++;\n }\n }\n\n return ret;\n}", "project": "FFmpeg", "hash": 199873059993886309598181032380750412741, "size": 23, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262680 }, { "func": "void CSnapIDPool::RemoveFirstTimeout()\n{\n\tint NextTimed = m_aIDs[m_FirstTimed].m_Next;\n\n\t// add it to the free list\n\tm_aIDs[m_FirstTimed].m_Next = m_FirstFree;\n\tm_aIDs[m_FirstTimed].m_State = 0;\n\tm_FirstFree = m_FirstTimed;\n\n\t// remove it from the timed list\n\tm_FirstTimed = NextTimed;\n\tif(m_FirstTimed == -1)\n\t\tm_LastTimed = -1;\n\n\tm_Usage--;\n}", "project": "teeworlds", "hash": 216163806223592536678791049684019074310, "size": 16, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382017 }, { "func": "void imap_pretty_mailbox(char *path, size_t pathlen, const char *folder)\n{\n struct ConnAccount cac_target = { { 0 } };\n struct ConnAccount cac_home = { { 0 } };\n struct Url url = { 0 };\n const char *delim = NULL;\n int tlen;\n int hlen = 0;\n bool 
home_match = false;\n char target_mailbox[1024];\n char home_mailbox[1024];\n\n if (imap_parse_path(path, &cac_target, target_mailbox, sizeof(target_mailbox)) < 0)\n return;\n\n if (imap_path_probe(folder, NULL) != MUTT_IMAP)\n goto fallback;\n\n if (imap_parse_path(folder, &cac_home, home_mailbox, sizeof(home_mailbox)) < 0)\n goto fallback;\n\n tlen = mutt_str_len(target_mailbox);\n hlen = mutt_str_len(home_mailbox);\n\n /* check whether we can do '+' substitution */\n if (tlen && imap_account_match(&cac_home, &cac_target) &&\n mutt_strn_equal(home_mailbox, target_mailbox, hlen))\n {\n const char *const c_imap_delim_chars =\n cs_subset_string(NeoMutt->sub, \"imap_delim_chars\");\n if (hlen == 0)\n home_match = true;\n else if (c_imap_delim_chars)\n {\n for (delim = c_imap_delim_chars; *delim != '\\0'; delim++)\n if (target_mailbox[hlen] == *delim)\n home_match = true;\n }\n }\n\n /* do the '+' substitution */\n if (home_match)\n {\n *path++ = '+';\n /* copy remaining path, skipping delimiter */\n if (hlen == 0)\n hlen = -1;\n memcpy(path, target_mailbox + hlen + 1, tlen - hlen - 1);\n path[tlen - hlen - 1] = '\\0';\n return;\n }\n\nfallback:\n mutt_account_tourl(&cac_target, &url);\n url.path = target_mailbox;\n url_tostring(&url, path, pathlen, U_NO_FLAGS);\n}", "project": "neomutt", "hash": 247941266812074152883756337214968232033, "size": 57, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. 
In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399266 }, { "func": "static void free_bprm(struct linux_binprm *bprm)\n{\n\tfree_arg_pages(bprm);\n\tif (bprm->cred) {\n\t\tif (bprm->called_exec_mmap)\n\t\t\tmutex_unlock(¤t->signal->exec_update_mutex);\n\t\tmutex_unlock(¤t->signal->cred_guard_mutex);\n\t\tabort_creds(bprm->cred);\n\t}\n\tif (bprm->file) {\n\t\tallow_write_access(bprm->file);\n\t\tfput(bprm->file);\n\t}\n\t/* If a binfmt changed the interp, free it. */\n\tif (bprm->interp != bprm->filename)\n\t\tkfree(bprm->interp);\n\tkfree(bprm);\n}", "project": "linux", "hash": 331339046149069036251288727780684218073, "size": 18, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375179 }, { "func": "Math_f sh_mathstdfun(const char *fname, size_t fsize, short *nargs) {\n const struct mathtab *tp;\n char c = fname[0];\n for (tp = shtab_math; *tp->fname; tp++) {\n if (*tp->fname > c) break;\n if (tp->fname[1] == c && tp->fname[fsize + 1] == 0 &&\n strncmp(&tp->fname[1], fname, fsize) == 0) {\n if (nargs) *nargs = *tp->fname;\n return tp->fnptr;\n }\n }\n return NULL;\n}", "project": "ast", "hash": 81910993265923217699834014348578207217, "size": 13, "commit_id": "c7de8b641266bac7c77942239ac659edfee9ecd2", "message": "Harden env var imports", "target": 0, "dataset": "other", "idx": 321870 }, { "func": "static void check_http_proxy(HashTable *var_table)\n{\n\tif (zend_hash_str_exists(var_table, \"HTTP_PROXY\", sizeof(\"HTTP_PROXY\")-1)) {\n\t\tchar *local_proxy = getenv(\"HTTP_PROXY\");\n\n\t\tif (!local_proxy) {\n\t\t\tzend_hash_str_del(var_table, \"HTTP_PROXY\", sizeof(\"HTTP_PROXY\")-1);\n\t\t} else {\n\t\t\tzval local_zval;\n\t\t\tZVAL_STRING(&local_zval, local_proxy);\n\t\t\tzend_hash_str_update(var_table, \"HTTP_PROXY\", sizeof(\"HTTP_PROXY\")-1, &local_zval);\n\t\t}\n\t}\n}", "project": "php-src", "hash": 259160245992093943994785937921388892840, "size": 14, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374976 }, { "func": "static inline void tcp_clear_retrans_hints_partial(struct tcp_sock *tp)\n{\n\ttp->lost_skb_hint = NULL;\n}", "project": "linux", "hash": 
132817515859003228476278833091509029526, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410792 }, { "func": "static OPJ_BOOL opj_j2k_write_poc(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager\n )\n{\n OPJ_UINT32 l_nb_comp;\n OPJ_UINT32 l_nb_poc;\n OPJ_UINT32 l_poc_size;\n OPJ_UINT32 l_written_size = 0;\n opj_tcp_t *l_tcp = 00;\n OPJ_UINT32 l_poc_room;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n l_tcp = &p_j2k->m_cp.tcps[p_j2k->m_current_tile_number];\n l_nb_comp = p_j2k->m_private_image->numcomps;\n l_nb_poc = 1 + l_tcp->numpocs;\n\n if (l_nb_comp <= 256) {\n l_poc_room = 1;\n } else {\n l_poc_room = 2;\n }\n l_poc_size = 4 + (5 + 2 * l_poc_room) * l_nb_poc;\n\n if (l_poc_size > p_j2k->m_specific_param.m_encoder.m_header_tile_data_size) {\n OPJ_BYTE *new_header_tile_data = (OPJ_BYTE *) opj_realloc(\n p_j2k->m_specific_param.m_encoder.m_header_tile_data, l_poc_size);\n if (! new_header_tile_data) {\n opj_free(p_j2k->m_specific_param.m_encoder.m_header_tile_data);\n p_j2k->m_specific_param.m_encoder.m_header_tile_data = NULL;\n p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = 0;\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to write POC marker\\n\");\n return OPJ_FALSE;\n }\n p_j2k->m_specific_param.m_encoder.m_header_tile_data = new_header_tile_data;\n p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = l_poc_size;\n }\n\n opj_j2k_write_poc_in_memory(p_j2k,\n p_j2k->m_specific_param.m_encoder.m_header_tile_data, &l_written_size,\n p_manager);\n\n if (opj_stream_write_data(p_stream,\n p_j2k->m_specific_param.m_encoder.m_header_tile_data, l_poc_size,\n p_manager) != l_poc_size) {\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 63173558118187544999475059670655492335, "size": 54, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 
0, "dataset": "other", "idx": 357435 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "void SoftwareFrameManager::GetCurrentFrameMailbox(\n cc::TextureMailbox* mailbox,\n scoped_ptr* callback) {\n DCHECK(HasCurrentFrame());\n *mailbox = cc::TextureMailbox(\n current_frame_->shared_memory_.get(), current_frame_->frame_size_pixels_);\n *callback = cc::SingleReleaseCallback::Create(\n base::Bind(ReleaseMailbox, current_frame_));\n}\n", "cwe": "", "big_vul_idx": 129966, "idx": 116279, "hash": 255163647214774351434012132919632674929 }, { "func": "static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_read_clock *rp = (void *) skb->data;\n\tstruct hci_cp_read_clock *cp;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\tif (skb->len < sizeof(*rp))\n\t\treturn;\n\n\tif (rp->status)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);\n\tif (!cp)\n\t\tgoto unlock;\n\n\tif (cp->which == 0x00) {\n\t\thdev->clock = le32_to_cpu(rp->clock);\n\t\tgoto unlock;\n\t}\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));\n\tif (conn) {\n\t\tconn->clock = le32_to_cpu(rp->clock);\n\t\tconn->clock_accuracy = le16_to_cpu(rp->accuracy);\n\t}\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 109737780344875689741084847283605768089, "size": 34, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431968 }, { "func": "static inline bool gif_set(struct vcpu_svm *svm)\n{\n\tif (vgif_enabled(svm))\n\t\treturn !!(svm->vmcb->control.int_ctl & V_GIF_MASK);\n\telse\n\t\treturn !!(svm->vcpu.arch.hflags & HF_GIF_MASK);\n}", "project": "linux", "hash": 157753224625289258459938807753387056071, "size": 7, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432458 }, { "func": "static inline bool gif_set(struct vcpu_svm *svm)\n{\n\treturn !!(svm->vcpu.arch.hflags & HF_GIF_MASK);\n}", "project": "kvm", "hash": 240672519131009394096395628205929837831, "size": 4, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437613 }, { "func": "int ssh_buffer_add_u8(struct ssh_buffer_struct *buffer,uint8_t data)\n{\n int rc;\n\n rc = ssh_buffer_add_data(buffer, &data, sizeof(uint8_t));\n if (rc < 0) {\n return -1;\n }\n\n return 0;\n}", "project": "libssh-mirror", "hash": 154239932825945099837542670693746029242, "size": 11, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345164 }, { "func": "void __weak sigaction_compat_abi(struct k_sigaction *act,\n\t\tstruct k_sigaction *oact)\n{\n}", "project": "linux", "hash": 218926191854935585421958712353128517308, "size": 4, "commit_id": 
"d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375282 }, { "func": " static Status BuildRaggedFeatureReader(const Tensor& values,\n const Tensor& splits,\n FeatureReaders* features) {\n if (values.dtype() != DT_INT64 && values.dtype() != DT_STRING) {\n return errors::InvalidArgument(\"Unexpected dtype for input \",\n (features->size() + 1), \": \",\n values.dtype());\n }\n if (splits.dtype() != DT_INT64 && splits.dtype() != DT_INT32) {\n return errors::InvalidArgument(\"Unexpected row_splits.dtype for input \",\n (features->size() + 1), \": \",\n values.dtype());\n }\n if (values.dtype() == DT_INT64) {\n if (splits.dtype() == DT_INT64) {\n features->emplace_back(\n new RaggedFeatureReader(values, splits));\n } else {\n features->emplace_back(\n new RaggedFeatureReader(values, splits));\n }\n } else {\n if (splits.dtype() == DT_INT64) {\n features->emplace_back(\n new RaggedFeatureReader(values, splits));\n } else {\n features->emplace_back(\n new RaggedFeatureReader(values, splits));\n }\n }\n return Status::OK();\n }", "project": "tensorflow", "hash": 214209476061730145285457194204215185687, "size": 32, "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a", "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9", "target": 0, "dataset": "other", "idx": 230069 }, { "func": "void LibRaw::parse_exif_interop(int base)\n{\n\tunsigned entries, tag, type, len, save;\n\tchar value[4] = { 0,0,0,0 };\n\tentries = get2();\n\tINT64 fsize = ifp->size();\n\twhile (entries--)\n\t{\n\t\ttiff_get(base, &tag, &type, &len, &save);\n\n\t\tINT64 savepos = ftell(ifp);\n\t\tif (len > 8 && savepos + len > fsize * 2)\n\t\t{\n\t\t\tfseek(ifp, save, SEEK_SET); // Recover tiff-read position!!\n\t\t\tcontinue;\n\t\t}\n\n\t\tswitch (tag)\n\t\t{\n\t\tcase 0x0001: // InteropIndex\n\t\t\tfread(value, 1, MIN(4, len), ifp);\n\t\t\tif (strncmp(value, \"R98\", 3) == 0 &&\n\t\t\t\t// Canon bug, when 
[Canon].ColorSpace = AdobeRGB,\n\t\t\t\t// but [ExifIFD].ColorSpace = Uncalibrated and\n\t\t\t\t// [InteropIFD].InteropIndex = \"R98\"\n\t\t\t\timgdata.color.ExifColorSpace == LIBRAW_COLORSPACE_Unknown)\n\t\t\t\timgdata.color.ExifColorSpace = LIBRAW_COLORSPACE_sRGB;\n\t\t\telse if (strncmp(value, \"R03\", 3) == 0)\n\t\t\t\timgdata.color.ExifColorSpace = LIBRAW_COLORSPACE_AdobeRGB;\n\t\t\tbreak;\n\t\t}\n\t\tfseek(ifp, save, SEEK_SET);\n\t}\n}", "project": "LibRaw", "hash": 216011136766876214771031409199657299834, "size": 34, "commit_id": "55f0a0c08974b8b79ebfa7762b555a1704b25fb2", "message": "possible buffer underrun in exif parser", "target": 0, "dataset": "other", "idx": 395530 }, { "func": "UnicodeString::getCharAt(int32_t offset) const {\n return charAt(offset);\n}", "project": "icu", "hash": 302715830703093964501795884338873919986, "size": 3, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430821 }, { "func": "void Commissioner::SignalJoinerEvent(otCommissionerJoinerEvent aEvent, const Mac::ExtAddress &aJoinerId)\n{\n if (mJoinerCallback)\n {\n mJoinerCallback(aEvent, &aJoinerId, mCallbackContext);\n }\n}", "project": "openthread", "hash": 221590681938240270224384116107001009950, "size": 7, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269896 }, { "func": "static int decode_number(struct archive_read* a, struct decode_table* table,\n const uint8_t* p, uint16_t* num)\n{\n\tint i, bits, dist;\n\tuint16_t bitfield;\n\tuint32_t pos;\n\tstruct rar5* rar = get_context(a);\n\n\tif(ARCHIVE_OK != read_bits_16(rar, p, &bitfield)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\tbitfield &= 0xfffe;\n\n\tif(bitfield < table->decode_len[table->quick_bits]) {\n\t\tint code = bitfield >> (16 - table->quick_bits);\n\t\tskip_bits(rar, 
table->quick_len[code]);\n\t\t*num = table->quick_num[code];\n\t\treturn ARCHIVE_OK;\n\t}\n\n\tbits = 15;\n\n\tfor(i = table->quick_bits + 1; i < 15; i++) {\n\t\tif(bitfield < table->decode_len[i]) {\n\t\t\tbits = i;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tskip_bits(rar, bits);\n\n\tdist = bitfield - table->decode_len[bits - 1];\n\tdist >>= (16 - bits);\n\tpos = table->decode_pos[bits] + dist;\n\n\tif(pos >= table->size)\n\t\tpos = 0;\n\n\t*num = table->decode_num[pos];\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 3969741771638207247100582416178544343, "size": 42, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244765 }, { "func": "static inline bool ep_has_wakeup_source(struct epitem *epi)\n{\n\treturn rcu_access_pointer(epi->ws) ? 
true : false;\n}", "project": "linux", "hash": 138993645046827862926501597034247125623, "size": 4, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336265 }, { "func": "static bool php_set_inet_addr(struct sockaddr_in *sin,\n const char *address,\n req::ptr sock) {\n struct in_addr tmp;\n\n if (inet_aton(address, &tmp)) {\n sin->sin_addr.s_addr = tmp.s_addr;\n } else {\n HostEnt result;\n if (!safe_gethostbyname(address, result)) {\n /* Note: < -10000 indicates a host lookup error */\n SOCKET_ERROR(sock, \"Host lookup failed\", (-10000 - result.herr));\n return false;\n }\n if (result.hostbuf.h_addrtype != AF_INET) {\n raise_warning(\"Host lookup failed: Non AF_INET domain \"\n \"returned on AF_INET socket\");\n return false;\n }\n memcpy(&(sin->sin_addr.s_addr), result.hostbuf.h_addr_list[0],\n result.hostbuf.h_length);\n }\n\n return true;\n}", "project": "hhvm", "hash": 183230794072813976640653546847452015488, "size": 25, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219149 }, { "func": "static int io_read(struct io_kiocb *req, bool force_nonblock,\n\t\t struct io_comp_state *cs)\n{\n\tstruct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;\n\tstruct kiocb *kiocb = &req->rw.kiocb;\n\tstruct iov_iter iter;\n\tsize_t iov_count;\n\tssize_t io_size, ret, ret2;\n\tunsigned long nr_segs;\n\n\tret = io_import_iovec(READ, req, &iovec, &iter, !force_nonblock);\n\tif (ret < 0)\n\t\treturn ret;\n\tio_size = ret;\n\treq->result = io_size;\n\n\t/* Ensure we clear previously set non-block flag */\n\tif (!force_nonblock)\n\t\tkiocb->ki_flags &= ~IOCB_NOWAIT;\n\n\t/* If the file doesn't support async, just async punt */\n\tif (force_nonblock && !io_file_supports_async(req->file, READ))\n\t\tgoto 
copy_iov;\n\n\tiov_count = iov_iter_count(&iter);\n\tnr_segs = iter.nr_segs;\n\tret = rw_verify_area(READ, req->file, &kiocb->ki_pos, iov_count);\n\tif (unlikely(ret))\n\t\tgoto out_free;\n\n\tret2 = io_iter_do_read(req, &iter);\n\n\t/* Catch -EAGAIN return for forced non-blocking submission */\n\tif (!force_nonblock || (ret2 != -EAGAIN && ret2 != -EIO)) {\n\t\tkiocb_done(kiocb, ret2, cs);\n\t} else {\n\t\titer.count = iov_count;\n\t\titer.nr_segs = nr_segs;\ncopy_iov:\n\t\tret = io_setup_async_rw(req, io_size, iovec, inline_vecs,\n\t\t\t\t\t&iter);\n\t\tif (ret)\n\t\t\tgoto out_free;\n\t\t/* it's copied and will be cleaned with ->io */\n\t\tiovec = NULL;\n\t\t/* if we can retry, do so with the callbacks armed */\n\t\tif (io_rw_should_retry(req)) {\n\t\t\tret2 = io_iter_do_read(req, &iter);\n\t\t\tif (ret2 == -EIOCBQUEUED) {\n\t\t\t\tgoto out_free;\n\t\t\t} else if (ret2 != -EAGAIN) {\n\t\t\t\tkiocb_done(kiocb, ret2, cs);\n\t\t\t\tgoto out_free;\n\t\t\t}\n\t\t}\n\t\tkiocb->ki_flags &= ~IOCB_WAITQ;\n\t\treturn -EAGAIN;\n\t}\nout_free:\n\tif (iovec)\n\t\tkfree(iovec);\n\treturn ret;\n}", "project": "linux", "hash": 129446690202398030534206648129906207597, "size": 63, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456956 }, { "func": "static int qqueueChkDiscardMsg(qqueue_t *pThis, int iQueueSize, void *pUsr)\n{\n\tDEFiRet;\n\trsRetVal iRetLocal;\n\tint 
iSeverity;\n\n\tISOBJ_TYPE_assert(pThis, qqueue);\n\tISOBJ_assert(pUsr);\n\n\tif(pThis->iDiscardMrk > 0 && iQueueSize >= pThis->iDiscardMrk) {\n\t\tiRetLocal = objGetSeverity(pUsr, &iSeverity);\n\t\tif(iRetLocal == RS_RET_OK && iSeverity >= pThis->iDiscardSeverity) {\n\t\t\tDBGOPRINT((obj_t*) pThis, \"queue nearly full (%d entries), discarded severity %d message\\n\",\n\t\t\t\t iQueueSize, iSeverity);\n\t\t\tobjDestruct(pUsr);\n\t\t\tABORT_FINALIZE(RS_RET_QUEUE_FULL);\n\t\t} else {\n\t\t\tDBGOPRINT((obj_t*) pThis, \"queue nearly full (%d entries), but could not drop msg \"\n\t\t\t\t \"(iRet: %d, severity %d)\\n\", iQueueSize, iRetLocal, iSeverity);\n\t\t}\n\t}\n\nfinalize_it:\n\tRETiRet;\n}", "project": "rsyslog", "hash": 269887736086384866791829996850137381358, "size": 25, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373814 }, { "func": "\nstatic void io_wq_submit_work(struct io_wq_work *work)\n{\n\tstruct io_kiocb *req = container_of(work, struct io_kiocb, work);\n\tstruct io_kiocb *timeout;\n\tint ret = 0;\n\n\ttimeout = io_prep_linked_timeout(req);\n\tif (timeout)\n\t\tio_queue_linked_timeout(timeout);\n\n\tif (work->flags & IO_WQ_WORK_CANCEL)\n\t\tret = -ECANCELED;\n\n\tif (!ret) {\n\t\tdo {\n\t\t\tret = io_issue_sqe(req, 0);\n\t\t\t/*\n\t\t\t * We can get EAGAIN for polled IO even though we're\n\t\t\t * forcing a sync submission from here, since we can't\n\t\t\t * wait for request slots on the block side.\n\t\t\t */\n\t\t\tif (ret != -EAGAIN)\n\t\t\t\tbreak;\n\t\t\tcond_resched();\n\t\t} while (1);\n\t}\n\n\t/* avoid locking problems by failing it from a clean context */\n\tif (ret) {\n\t\t/* io-wq is going to take one down */\n\t\treq_ref_get(req);\n\t\tio_req_task_queue_fail(req, ret);\n\t}", "project": "linux", "hash": 189167136047651107174468976888577035150, "size": 34, 
"commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338601 }, { "func": "\nstatic int io_sq_offload_create(struct io_ring_ctx *ctx,\n\t\t\t\tstruct io_uring_params *p)\n{\n\tint ret;\n\n\t/* Retain compatibility with failing for an invalid attach attempt */\n\tif ((ctx->flags & (IORING_SETUP_ATTACH_WQ | IORING_SETUP_SQPOLL)) ==\n\t\t\t\tIORING_SETUP_ATTACH_WQ) {\n\t\tstruct fd f;\n\n\t\tf = fdget(p->wq_fd);\n\t\tif (!f.file)\n\t\t\treturn -ENXIO;\n\t\tfdput(f);\n\t\tif (f.file->f_op != &io_uring_fops)\n\t\t\treturn -EINVAL;\n\t}\n\tif (ctx->flags & IORING_SETUP_SQPOLL) {\n\t\tstruct task_struct *tsk;\n\t\tstruct io_sq_data *sqd;\n\t\tbool attached;\n\n\t\tsqd = io_get_sq_data(p, &attached);\n\t\tif (IS_ERR(sqd)) {\n\t\t\tret = PTR_ERR(sqd);\n\t\t\tgoto err;\n\t\t}\n\n\t\tctx->sq_creds = get_current_cred();\n\t\tctx->sq_data = sqd;\n\t\tctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);\n\t\tif (!ctx->sq_thread_idle)\n\t\t\tctx->sq_thread_idle = HZ;\n\n\t\tio_sq_thread_park(sqd);\n\t\tlist_add(&ctx->sqd_list, &sqd->ctx_list);\n\t\tio_sqd_update_thread_idle(sqd);\n\t\t/* don't attach to a dying SQPOLL thread, would be racy */\n\t\tret = (attached && !sqd->thread) ? 
-ENXIO : 0;\n\t\tio_sq_thread_unpark(sqd);\n\n\t\tif (ret < 0)\n\t\t\tgoto err;\n\t\tif (attached)\n\t\t\treturn 0;\n\n\t\tif (p->flags & IORING_SETUP_SQ_AFF) {\n\t\t\tint cpu = p->sq_thread_cpu;\n\n\t\t\tret = -EINVAL;\n\t\t\tif (cpu >= nr_cpu_ids || !cpu_online(cpu))\n\t\t\t\tgoto err_sqpoll;\n\t\t\tsqd->sq_cpu = cpu;\n\t\t} else {\n\t\t\tsqd->sq_cpu = -1;\n\t\t}\n\n\t\tsqd->task_pid = current->pid;\n\t\tsqd->task_tgid = current->tgid;\n\t\ttsk = create_io_thread(io_sq_thread, sqd, NUMA_NO_NODE);\n\t\tif (IS_ERR(tsk)) {\n\t\t\tret = PTR_ERR(tsk);\n\t\t\tgoto err_sqpoll;\n\t\t}\n\n\t\tsqd->thread = tsk;\n\t\tret = io_uring_alloc_task_context(tsk, ctx);\n\t\twake_up_new_task(tsk);\n\t\tif (ret)\n\t\t\tgoto err;\n\t} else if (p->flags & IORING_SETUP_SQ_AFF) {\n\t\t/* Can't have SQ_AFF without SQPOLL */\n\t\tret = -EINVAL;\n\t\tgoto err;\n\t}\n\n\treturn 0;\nerr_sqpoll:\n\tcomplete(&ctx->sq_data->exited);\nerr:\n\tio_sq_thread_finish(ctx);\n\treturn ret;", "project": "linux", "hash": 125596532417097192592294907126156758394, "size": 83, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338630 }, { "func": " const VersionDef* versions() const override { return &graph_def_.versions(); }", "project": "tensorflow", "hash": 173152575030326665721170678451277620729, "size": 1, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268328 }, { "func": " const VersionDef* versions() const override { return versions_; }", "project": "tensorflow", "hash": 35498793868835763045989186037613231347, "size": 1, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268330 }, { "func": "static void init_header(struct archive_read* a) {\n\ta->archive.archive_format = ARCHIVE_FORMAT_RAR_V5;\n\ta->archive.archive_format_name = \"RAR5\";\n}", "project": "libarchive", "hash": 278246593347514702206670067024623579711, "size": 4, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244716 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void ecall_non_oblivious_aggregate_step1(\n uint8_t *agg_op, size_t agg_op_length,\n uint8_t *input_rows, size_t input_rows_length,\n uint8_t **first_row, size_t *first_row_length,\n uint8_t **last_group, size_t *last_group_length,\n uint8_t **last_row, size_t *last_row_length) {\n // Guard against operating on arbitrary enclave memory\n assert(sgx_is_outside_enclave(input_rows, input_rows_length) == 1);\n sgx_lfence();\n\n try {\n non_oblivious_aggregate_step1(\n agg_op, agg_op_length,\n input_rows, input_rows_length,\n first_row, first_row_length,\n last_group, last_group_length,\n last_row, last_row_length);\n } catch (const std::runtime_error &e) {\n ocall_throw(e.what());\n }\n}", "idx": 519078, "cwe": "CWE-787", "hash": 186194830513475898793310578205442778572, "dataset": "other" }, { "func": "apr_status_t h2_stream_recv_frame(h2_stream *stream, int ftype, int flags, size_t frame_len)\n{\n apr_status_t status = APR_SUCCESS;\n int new_state, eos = 0;\n\n new_state = on_frame_recv(stream->state, ftype);\n if (new_state < 0) {\n ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c, \n H2_STRM_MSG(stream, \"invalid frame %d recv\"), ftype);\n AP_DEBUG_ASSERT(new_state > S_XXX);\n return transit(stream, new_state);\n }\n \n switch (ftype) {\n case NGHTTP2_DATA:\n eos = (flags & NGHTTP2_FLAG_END_STREAM);\n break;\n \n case NGHTTP2_HEADERS:\n eos = (flags & NGHTTP2_FLAG_END_STREAM);\n if 
(stream->state == H2_SS_OPEN) {\n /* trailer HEADER */\n if (!eos) {\n h2_stream_rst(stream, H2_ERR_PROTOCOL_ERROR);\n }\n stream->in_trailer_octets += frame_len;\n }\n else {\n /* request HEADER */\n ap_assert(stream->request == NULL);\n if (stream->rtmp == NULL) {\n /* This can only happen, if the stream has received no header\n * name/value pairs at all. The latest nghttp2 version have become\n * pretty good at detecting this early. In any case, we have\n * to abort the connection here, since this is clearly a protocol error */\n return APR_EINVAL;\n }\n status = h2_stream_end_headers(stream, eos, frame_len);\n if (status != APR_SUCCESS) goto leave;\n }\n break;\n \n default:\n break;\n }\n status = transit(stream, new_state);\n if (status == APR_SUCCESS && eos) {\n status = transit(stream, on_event(stream, H2_SEV_CLOSED_R));\n }\nleave:\n return status;\n}", "project": "httpd", "hash": 917469484809948458532435918002473897, "size": 52, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284230 }, { "func": "static long nfs4_update_delay(long *timeout)\n{\n\tlong ret;\n\tif (!timeout)\n\t\treturn NFS4_POLL_RETRY_MAX;\n\tif (*timeout <= 0)\n\t\t*timeout = NFS4_POLL_RETRY_MIN;\n\tif (*timeout > NFS4_POLL_RETRY_MAX)\n\t\t*timeout = NFS4_POLL_RETRY_MAX;\n\tret = *timeout;\n\t*timeout <<= 1;\n\treturn ret;\n}", "project": "linux", "hash": 256426779992753472739957445292342869141, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of 
Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431422 }, { "func": "static void set_flag(struct Mailbox *m, AclFlags aclflag, int flag,\n const char *str, char *flags, size_t flsize)\n{\n if (m->rights & aclflag)\n if (flag && imap_has_flag(&imap_mdata_get(m)->flags, str))\n mutt_str_cat(flags, flsize, str);\n}", "project": "neomutt", "hash": 202997681640881036527455135041766787325, "size": 7, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357009 }, { "func": "static void tcp_conservative_spur_to_response(struct tcp_sock *tp)\n{\n\ttp->snd_cwnd = min(tp->snd_cwnd, tp->snd_ssthresh);\n\ttp->snd_cwnd_cnt = 0;\n\ttp->bytes_acked = 0;\n\tTCP_ECN_queue_cwr(tp);\n\ttcp_moderate_cwnd(tp);\n}", "project": "net-next", "hash": 3468772844445631109043360050964832079, "size": 8, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409860 }, { "func": "static void set_tdp_cr3(struct kvm_vcpu *vcpu, unsigned long root)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tsvm->vmcb->control.nested_cr3 = __sme_set(root);\n\tmark_dirty(svm->vmcb, VMCB_NPT);\n\n\t/* Also sync guest cr3 here in case we live migrate */\n\tsvm->vmcb->save.cr3 = kvm_read_cr3(vcpu);\n\tmark_dirty(svm->vmcb, VMCB_CR);\n}", "project": "linux", "hash": 31049353189640357901851484517696074656, "size": 11, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432644 }, { "func": "static void set_tdp_cr3(struct kvm_vcpu *vcpu, unsigned long root)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tsvm->vmcb->control.nested_cr3 = root;\n\tmark_dirty(svm->vmcb, VMCB_NPT);\n\n\t/* Also sync guest cr3 here in case we live migrate */\n\tsvm->vmcb->save.cr3 = kvm_read_cr3(vcpu);\n\tmark_dirty(svm->vmcb, VMCB_CR);\n\n\tsvm_flush_tlb(vcpu);\n}", "project": "kvm", "hash": 43722266985588608248604732072511689422, "size": 13, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). 
However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437621 }, { "func": "static inline int ep_events_available(struct eventpoll *ep)\n{\n\treturn !list_empty_careful(&ep->rdllist) ||\n\t\tREAD_ONCE(ep->ovflist) != EP_UNACTIVE_PTR;\n}", "project": "linux", "hash": 137834863620715718728648400731617482587, "size": 5, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336230 }, { "func": "apr_byte_t oidc_get_remote_user(request_rec *r, 
const char *claim_name,\n\t\tconst char *reg_exp, const char *replace, json_t *json,\n\t\tchar **request_user) {\n\n\t/* get the claim value from the JSON object */\n\tjson_t *username = json_object_get(json, claim_name);\n\tif ((username == NULL) || (!json_is_string(username))) {\n\t\toidc_warn(r, \"JSON object did not contain a \\\"%s\\\" string\", claim_name);\n\t\treturn FALSE;\n\t}\n\n\t*request_user = apr_pstrdup(r->pool, json_string_value(username));\n\n\tif (reg_exp != NULL) {\n\n\t\tchar *error_str = NULL;\n\n\t\tif (replace == NULL) {\n\n\t\t\tif (oidc_util_regexp_first_match(r->pool, *request_user, reg_exp,\n\t\t\t\t\trequest_user, &error_str) == FALSE) {\n\t\t\t\toidc_error(r, \"oidc_util_regexp_first_match failed: %s\",\n\t\t\t\t\t\terror_str);\n\t\t\t\t*request_user = NULL;\n\t\t\t\treturn FALSE;\n\t\t\t}\n\n\t\t} else if (oidc_util_regexp_substitute(r->pool, *request_user, reg_exp,\n\t\t\t\treplace, request_user, &error_str) == FALSE) {\n\n\t\t\toidc_error(r, \"oidc_util_regexp_substitute failed: %s\", error_str);\n\t\t\t*request_user = NULL;\n\t\t\treturn FALSE;\n\t\t}\n\n\t}\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 83484991894114712166218461385613733854, "size": 39, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381925 }, { "func": "u8 append_local_name(struct hci_dev *hdev, u8 *ptr, u8 ad_len)\n{\n\tsize_t short_len;\n\tsize_t complete_len;\n\n\t/* no space left for name (+ NULL + type + len) */\n\tif ((HCI_MAX_AD_LENGTH - ad_len) < HCI_MAX_SHORT_NAME_LENGTH + 3)\n\t\treturn ad_len;\n\n\t/* use complete name if present and fits */\n\tcomplete_len = strlen(hdev->dev_name);\n\tif (complete_len && complete_len <= HCI_MAX_SHORT_NAME_LENGTH)\n\t\treturn eir_append_data(ptr, ad_len, EIR_NAME_COMPLETE,\n\t\t\t\t 
hdev->dev_name, complete_len + 1);\n\n\t/* use short name if present */\n\tshort_len = strlen(hdev->short_name);\n\tif (short_len)\n\t\treturn eir_append_data(ptr, ad_len, EIR_NAME_SHORT,\n\t\t\t\t hdev->short_name, short_len + 1);\n\n\t/* use shortened full name if present, we already know that name\n\t * is longer then HCI_MAX_SHORT_NAME_LENGTH\n\t */\n\tif (complete_len) {\n\t\tu8 name[HCI_MAX_SHORT_NAME_LENGTH + 1];\n\n\t\tmemcpy(name, hdev->dev_name, HCI_MAX_SHORT_NAME_LENGTH);\n\t\tname[HCI_MAX_SHORT_NAME_LENGTH] = '\\0';\n\n\t\treturn eir_append_data(ptr, ad_len, EIR_NAME_SHORT, name,\n\t\t\t\t sizeof(name));\n\t}\n\n\treturn ad_len;\n}", "project": "linux", "hash": 330307521707745609808007281839557032237, "size": 36, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402485 }, { "func": "void kvm_release_page_dirty(struct page *page)\n{\n\tWARN_ON(is_error_page(page));\n\n\tkvm_release_pfn_dirty(page_to_pfn(page));\n}", "project": "linux", "hash": 57173664681683169340556878416317179916, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354734 }, { "func": "\tstatic const char* CommandStrFromMsgType(MessageType mt)\n\t{\n\t\treturn ((mt == MSG_PRIVMSG) ? 
\"PRIVMSG\" : \"NOTICE\");\n\t}", "project": "inspircd", "hash": 333644135204301494908557721207707221324, "size": 4, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273241 }, { "func": "static void next_tok(string& str, string& tok, char delim)\n{\n if (str.size() == 0) {\n tok = \"\";\n return;\n }\n tok = str;\n int pos = str.find(delim);\n if (pos > 0) {\n tok = str.substr(0, pos);\n str = str.substr(pos + 1);\n } else {\n str = \"\";\n }\n}", "project": "ceph", "hash": 154604916779963234080539004163950368411, "size": 15, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448782 }, { "func": "int kill_pid(struct pid *pid, int sig, int priv)\n{\n\treturn kill_pid_info(sig, __si_special(priv), pid);\n}", "project": "linux", "hash": 50625598776837042664558877799554097299, "size": 4, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375202 }, { "func": "static int __send_signal(int sig, struct kernel_siginfo *info, struct task_struct *t,\n\t\t\tenum pid_type type, bool force)\n{\n\tstruct sigpending *pending;\n\tstruct sigqueue *q;\n\tint override_rlimit;\n\tint ret = 0, result;\n\n\tassert_spin_locked(&t->sighand->siglock);\n\n\tresult = TRACE_SIGNAL_IGNORED;\n\tif (!prepare_signal(sig, t, force))\n\t\tgoto ret;\n\n\tpending = (type != PIDTYPE_PID) ? 
&t->signal->shared_pending : &t->pending;\n\t/*\n\t * Short-circuit ignored signals and support queuing\n\t * exactly one non-rt signal, so that we can get more\n\t * detailed information about the cause of the signal.\n\t */\n\tresult = TRACE_SIGNAL_ALREADY_PENDING;\n\tif (legacy_queue(pending, sig))\n\t\tgoto ret;\n\n\tresult = TRACE_SIGNAL_DELIVERED;\n\t/*\n\t * Skip useless siginfo allocation for SIGKILL and kernel threads.\n\t */\n\tif ((sig == SIGKILL) || (t->flags & PF_KTHREAD))\n\t\tgoto out_set;\n\n\t/*\n\t * Real-time signals must be queued if sent by sigqueue, or\n\t * some other real-time mechanism. It is implementation\n\t * defined whether kill() does so. We attempt to do so, on\n\t * the principle of least surprise, but since kill is not\n\t * allowed to fail with EAGAIN when low on memory we just\n\t * make sure at least one signal gets delivered and don't\n\t * pass on the info struct.\n\t */\n\tif (sig < SIGRTMIN)\n\t\toverride_rlimit = (is_si_special(info) || info->si_code >= 0);\n\telse\n\t\toverride_rlimit = 0;\n\n\tq = __sigqueue_alloc(sig, t, GFP_ATOMIC, override_rlimit);\n\tif (q) {\n\t\tlist_add_tail(&q->list, &pending->list);\n\t\tswitch ((unsigned long) info) {\n\t\tcase (unsigned long) SEND_SIG_NOINFO:\n\t\t\tclear_siginfo(&q->info);\n\t\t\tq->info.si_signo = sig;\n\t\t\tq->info.si_errno = 0;\n\t\t\tq->info.si_code = SI_USER;\n\t\t\tq->info.si_pid = task_tgid_nr_ns(current,\n\t\t\t\t\t\t\ttask_active_pid_ns(t));\n\t\t\trcu_read_lock();\n\t\t\tq->info.si_uid =\n\t\t\t\tfrom_kuid_munged(task_cred_xxx(t, user_ns),\n\t\t\t\t\t\t current_uid());\n\t\t\trcu_read_unlock();\n\t\t\tbreak;\n\t\tcase (unsigned long) SEND_SIG_PRIV:\n\t\t\tclear_siginfo(&q->info);\n\t\t\tq->info.si_signo = sig;\n\t\t\tq->info.si_errno = 0;\n\t\t\tq->info.si_code = SI_KERNEL;\n\t\t\tq->info.si_pid = 0;\n\t\t\tq->info.si_uid = 0;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tcopy_siginfo(&q->info, info);\n\t\t\tbreak;\n\t\t}\n\t} else if (!is_si_special(info) &&\n\t\t sig >= 
SIGRTMIN && info->si_code != SI_USER) {\n\t\t/*\n\t\t * Queue overflow, abort. We may abort if the\n\t\t * signal was rt and sent by user using something\n\t\t * other than kill().\n\t\t */\n\t\tresult = TRACE_SIGNAL_OVERFLOW_FAIL;\n\t\tret = -EAGAIN;\n\t\tgoto ret;\n\t} else {\n\t\t/*\n\t\t * This is a silent loss of information. We still\n\t\t * send the signal, but the *info bits are lost.\n\t\t */\n\t\tresult = TRACE_SIGNAL_LOSE_INFO;\n\t}\n\nout_set:\n\tsignalfd_notify(t, sig);\n\tsigaddset(&pending->signal, sig);\n\n\t/* Let multiprocess signals appear after on-going forks */\n\tif (type > PIDTYPE_TGID) {\n\t\tstruct multiprocess_signals *delayed;\n\t\thlist_for_each_entry(delayed, &t->signal->multiprocess, node) {\n\t\t\tsigset_t *signal = &delayed->signal;\n\t\t\t/* Can't queue both a stop and a continue signal */\n\t\t\tif (sig == SIGCONT)\n\t\t\t\tsigdelsetmask(signal, SIG_KERNEL_STOP_MASK);\n\t\t\telse if (sig_kernel_stop(sig))\n\t\t\t\tsigdelset(signal, SIGCONT);\n\t\t\tsigaddset(signal, sig);\n\t\t}\n\t}\n\n\tcomplete_signal(sig, t, type);\nret:\n\ttrace_signal_generate(sig, info, t, type != PIDTYPE_PID, result);\n\treturn ret;\n}", "project": "linux", "hash": 110654271857135102206444069593881586195, "size": 115, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375177 }, { "func": "static void drop_links(struct nameidata *nd)\n{\n\tint i = nd->depth;\n\twhile (i--) {\n\t\tstruct saved *last = nd->stack + i;\n\t\tdo_delayed_call(&last->done);\n\t\tclear_delayed_call(&last->done);\n\t}\n}", "project": "linux", "hash": 269903124713115340120594540681558521315, "size": 9, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295365 }, { "func": "bool WindowsServiceControl::isRunning()\n{\n\tif( checkService() == false )\n\t{\n\t\treturn false;\n\t}\n\n\tSERVICE_STATUS status;\n\tif( QueryServiceStatus( m_serviceHandle, &status ) )\n\t{\n\t\treturn status.dwCurrentState == SERVICE_RUNNING;\n\t}\n\n\treturn false;\n}", "project": "veyon", "hash": 
103765580004009675947362074056180156382, "size": 15, "commit_id": "f231ec511b9a09f43f49b2c7bb7c60b8046276b1", "message": "WindowsServiceControl: quote service binary path\n\nFix unquoted service path vulnerability.\n\nCloses #657.", "target": 0, "dataset": "other", "idx": 241035 }, { "func": "bool ProfilerFactory::start(ProfilerKind kind,\n long flags,\n bool beginFrame /* = true */) {\n if (m_profiler != nullptr) {\n return false;\n }\n\n switch (kind) {\n case ProfilerKind::Hierarchical:\n m_profiler = req::make_raw(flags);\n break;\n case ProfilerKind::Sample:\n m_profiler = req::make_raw();\n break;\n case ProfilerKind::Trace:\n m_profiler = req::make_raw(flags);\n break;\n case ProfilerKind::Memo:\n m_profiler = req::make_raw(flags);\n break;\n case ProfilerKind::External:\n if (g_system_profiler) {\n m_profiler = g_system_profiler->getHotProfiler();\n } else if (m_external_profiler) {\n m_profiler = m_external_profiler;\n } else {\n raise_invalid_argument_warning(\n \"ProfilerFactory::setExternalProfiler() not yet called\");\n return false;\n }\n break;\n default:\n raise_invalid_argument_warning(\"level: %d\", static_cast(kind));\n return false;\n }\n if (m_profiler && m_profiler->m_successful) {\n // This will be disabled automatically when the thread completes the request\n HPHP::EventHook::Enable();\n RequestInfo::s_requestInfo->m_profiler = m_profiler;\n if (beginFrame) {\n m_profiler->beginFrame(\"main()\");\n }\n return true;\n }\n req::destroy_raw(m_profiler);\n m_profiler = nullptr;\n return false;\n}", "project": "hhvm", "hash": 126226928218100777974033176048955101968, "size": 48, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219718 }, { "func": "bool WindowsServiceControl::start()\n{\n\tif( checkService() == false )\n\t{\n\t\treturn false;\n\t}\n\n\tSERVICE_STATUS status;\n\tstatus.dwCurrentState = 
SERVICE_START_PENDING;\n\n\tif( StartService( m_serviceHandle, 0, nullptr ) )\n\t{\n\t\twhile( QueryServiceStatus( m_serviceHandle, &status ) )\n\t\t{\n\t\t\tif( status.dwCurrentState == SERVICE_START_PENDING )\n\t\t\t{\n\t\t\t\tSleep( 1000 );\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\tif( status.dwCurrentState != SERVICE_RUNNING )\n\t{\n\t\tvWarning() << \"service\" << m_name << \"could not be started.\";\n\t\treturn false;\n\t}\n\n\treturn true;\n}", "project": "veyon", "hash": 123712398044744177144535875924941722530, "size": 33, "commit_id": "f231ec511b9a09f43f49b2c7bb7c60b8046276b1", "message": "WindowsServiceControl: quote service binary path\n\nFix unquoted service path vulnerability.\n\nCloses #657.", "target": 0, "dataset": "other", "idx": 241032 }, { "func": "UrnState::start(HttpRequest * r, StoreEntry * e)\n{\n debugs(52, 3, \"urnStart: '\" << e->url() << \"'\" );\n entry = e;\n request = r;\n\n entry->lock(\"UrnState::start\");\n setUriResFromRequest(r);\n\n if (urlres_r == NULL)\n return;\n\n auto urlEntry = storeGetPublic(urlres, Http::METHOD_GET);\n\n if (!urlEntry || (urlEntry->hittingRequiresCollapsing() && !startCollapsingOn(*urlEntry, false))) {\n urlres_e = storeCreateEntry(urlres, urlres, RequestFlags(), Http::METHOD_GET);\n sc = storeClientListAdd(urlres_e, this);\n FwdState::Start(Comm::ConnectionPointer(), urlres_e, urlres_r.getRaw(), ale);\n if (urlEntry) {\n urlEntry->abandon(__FUNCTION__);\n urlEntry = nullptr;\n }\n } else {\n urlres_e = urlEntry;\n urlres_e->lock(\"UrnState::start\");\n sc = storeClientListAdd(urlres_e, this);\n }\n\n reqofs = 0;\n StoreIOBuffer tempBuffer;\n tempBuffer.offset = reqofs;\n tempBuffer.length = URN_REQBUF_SZ;\n tempBuffer.data = reqbuf;\n storeClientCopy(sc, urlres_e,\n tempBuffer,\n urnHandleReply,\n this);\n}", "project": "squid", "hash": 178930101574740580069522449874288925909, "size": 38, "commit_id": "47a085ff06598b64817875769022b8707a0af7db", "message": "Bug 5104: Memory 
leak in RFC 2169 response parsing (#778)\n\nA temporary parsing buffer was not being released when\nparsing completed.", "target": 0, "dataset": "other", "idx": 306744 }, { "func": "HttpStateData::start()\n{\n if (!sendRequest()) {\n debugs(11, 3, \"httpStart: aborted\");\n mustStop(\"HttpStateData::start failed\");\n return;\n }\n\n ++ statCounter.server.all.requests;\n ++ statCounter.server.http.requests;\n\n /*\n * We used to set the read timeout here, but not any more.\n * Now its set in httpSendComplete() after the full request,\n * including request body, has been written to the server.\n */\n}", "project": "squid", "hash": 131525201934382917173406937789146893287, "size": 17, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402316 }, { "func": "STATIC signed_word GC_add_ext_descriptor(const word * bm, word nbits)\n{\n size_t nwords = divWORDSZ(nbits + WORDSZ-1);\n signed_word result;\n size_t i;\n word last_part;\n size_t extra_bits;\n DCL_LOCK_STATE;\n\n LOCK();\n while (GC_avail_descr + nwords >= GC_ed_size) {\n ext_descr * new;\n size_t new_size;\n word ed_size = GC_ed_size;\n\n if (ed_size == 0) {\n GC_ASSERT((word)&GC_ext_descriptors % sizeof(word) == 0);\n GC_push_typed_structures = GC_push_typed_structures_proc;\n UNLOCK();\n new_size = ED_INITIAL_SIZE;\n } else {\n UNLOCK();\n new_size = 2 * ed_size;\n if (new_size > MAX_ENV) return(-1);\n }\n new = (ext_descr *) GC_malloc_atomic(new_size 
* sizeof(ext_descr));\n if (new == 0) return(-1);\n LOCK();\n if (ed_size == GC_ed_size) {\n if (GC_avail_descr != 0) {\n BCOPY(GC_ext_descriptors, new,\n GC_avail_descr * sizeof(ext_descr));\n }\n GC_ed_size = new_size;\n GC_ext_descriptors = new;\n } /* else another thread already resized it in the meantime */\n }\n result = GC_avail_descr;\n for (i = 0; i < nwords-1; i++) {\n GC_ext_descriptors[result + i].ed_bitmap = bm[i];\n GC_ext_descriptors[result + i].ed_continued = TRUE;\n }\n last_part = bm[i];\n /* Clear irrelevant bits. */\n extra_bits = nwords * WORDSZ - nbits;\n last_part <<= extra_bits;\n last_part >>= extra_bits;\n GC_ext_descriptors[result + i].ed_bitmap = last_part;\n GC_ext_descriptors[result + i].ed_continued = FALSE;\n GC_avail_descr += nwords;\n UNLOCK();\n return(result);\n}", "project": "bdwgc", "hash": 161368463416168597858557957188357917012, "size": 53, "commit_id": "4e1a6f9d8f2a49403bbd00b8c8e5324048fb84d4", "message": "Fix calloc_explicitly_typed in case of lb*n overflow\n\n* typd_mlc.c: Include limits.h (for SIZE_MAX).\n* typd_mlc.c (GC_SIZE_MAX, GC_SQRT_SIZE_MAX): New macro (same as in\nmalloc.c).\n* typd_mlc.c (GC_calloc_explicitly_typed): Return NULL if lb * n\noverflows (same algorithm as in calloc defined in malloc.c); eliminate\nlb *= n code duplication.", "target": 0, "dataset": "other", "idx": 374062 }, { "func": "static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)\n{\n\tstruct libmnt_ns *ns_old;\n\tconst char *type = mnt_fs_get_fstype(cxt->fs);\n\tconst char *optstr;\n\tchar *user_id = NULL;\n\tsize_t sz;\n\tuid_t uid;\n\tchar uidstr[sizeof(stringify_value(ULONG_MAX))];\n\n\t*errsv = 0;\n\n\tif (!type)\n\t\treturn 0;\n\n\tif (strcmp(type, \"fuse\") != 0 &&\n\t strcmp(type, \"fuseblk\") != 0 &&\n\t strncmp(type, \"fuse.\", 5) != 0 &&\n\t strncmp(type, \"fuseblk.\", 8) != 0)\n\t\treturn 0;\n\n\t/* get user_id= from mount table */\n\toptstr = mnt_fs_get_fs_options(cxt->fs);\n\tif (!optstr)\n\t\treturn 0;\n\n\tif 
(mnt_optstr_get_option(optstr, \"user_id\", &user_id, &sz) != 0)\n\t\treturn 0;\n\n\tif (sz == 0 || user_id == NULL)\n\t\treturn 0;\n\n\t/* get current user */\n\tns_old = mnt_context_switch_origin_ns(cxt);\n\tif (!ns_old) {\n\t\t*errsv = -MNT_ERR_NAMESPACE;\n\t\treturn 0;\n\t}\n\n\tuid = getuid();\n\n\tif (!mnt_context_switch_ns(cxt, ns_old)) {\n\t\t*errsv = -MNT_ERR_NAMESPACE;\n\t\treturn 0;\n\t}\n\n\tsnprintf(uidstr, sizeof(uidstr), \"%lu\", (unsigned long) uid);\n\treturn strncmp(user_id, uidstr, sz) == 0;\n}", "project": "util-linux", "hash": 210310102417734751354249196559456080186, "size": 49, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 1, "dataset": "other", "idx": 208443 }, { "func": "static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)\n{\n\tstruct libmnt_ns *ns_old;\n\tconst char *type = mnt_fs_get_fstype(cxt->fs);\n\tconst char *optstr;\n\tuid_t uid, entry_uid;\n\n\t*errsv = 0;\n\n\tif (!type)\n\t\treturn 0;\n\n\tif (strcmp(type, \"fuse\") != 0 &&\n\t strcmp(type, \"fuseblk\") != 0 &&\n\t strncmp(type, \"fuse.\", 5) != 0 &&\n\t strncmp(type, \"fuseblk.\", 8) != 0)\n\t\treturn 0;\n\n\t/* get user_id= from mount table */\n\toptstr = mnt_fs_get_fs_options(cxt->fs);\n\tif (!optstr)\n\t\treturn 0;\n\tif (mnt_optstr_get_uid(optstr, \"user_id\", &entry_uid) != 0)\n\t\treturn 0;\n\n\t/* get current user */\n\tns_old = mnt_context_switch_origin_ns(cxt);\n\tif (!ns_old) {\n\t\t*errsv = -MNT_ERR_NAMESPACE;\n\t\treturn 0;\n\t}\n\n\tuid = getuid();\n\n\tif (!mnt_context_switch_ns(cxt, ns_old)) {\n\t\t*errsv = -MNT_ERR_NAMESPACE;\n\t\treturn 0;\n\t}\n\n\treturn uid == entry_uid;\n}", "project": "util-linux", "hash": 183698717299577400492179801479311774546, "size": 41, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", 
"message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410433 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "void SoftwareFrameManager::SwapToNewFrameComplete(bool visible) {\n DCHECK(HasCurrentFrame());\n RendererFrameManager::GetInstance()->AddFrame(this, visible);\n}\n", "cwe": "", "big_vul_idx": 129976, "idx": 116287, "hash": 63085645613467511579516304241265140674 }, { "func": "static int php_ifd_get32s(void *Long, int motorola_intel) {\n if (motorola_intel) {\n return (((unsigned char *)Long)[0] << 24) |\n (((unsigned char *)Long)[1] << 16) |\n (((unsigned char *)Long)[2] << 8) |\n (((unsigned char *)Long)[3] << 0);\n } else {\n return (((unsigned char *)Long)[3] << 24) |\n (((unsigned char *)Long)[2] << 16) |\n (((unsigned char *)Long)[1] << 8) |\n (((unsigned char *)Long)[0] << 0);\n }\n}", "project": "hhvm", "hash": 338339218610257127219787448505799915431, "size": 13, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219355 }, { "func": "int imap_hcache_put(struct ImapMboxData *mdata, struct Email *e)\n{\n if (!mdata->hcache)\n return -1;\n\n char key[16];\n\n sprintf(key, \"/%u\", imap_edata_get(e)->uid);\n return mutt_hcache_store(mdata->hcache, key, mutt_str_len(key), e, mdata->uidvalidity);\n}", "project": "neomutt", "hash": 268784764269048971280914818176097737109, "size": 10, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. 
In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399289 }, { "func": "\nstatic void bfq_request_merged(struct request_queue *q, struct request *req,\n\t\t\t enum elv_merge type)\n{\n\tif (type == ELEVATOR_FRONT_MERGE &&\n\t rb_prev(&req->rb_node) &&\n\t blk_rq_pos(req) <\n\t blk_rq_pos(container_of(rb_prev(&req->rb_node),\n\t\t\t\t struct request, rb_node))) {\n\t\tstruct bfq_queue *bfqq = bfq_init_rq(req);\n\t\tstruct bfq_data *bfqd;\n\t\tstruct request *prev, *next_rq;\n\n\t\tif (!bfqq)\n\t\t\treturn;\n\n\t\tbfqd = bfqq->bfqd;\n\n\t\t/* Reposition request in its sort_list */\n\t\telv_rb_del(&bfqq->sort_list, req);\n\t\telv_rb_add(&bfqq->sort_list, req);\n\n\t\t/* Choose next request to be served for bfqq */\n\t\tprev = bfqq->next_rq;\n\t\tnext_rq = bfq_choose_req(bfqd, bfqq->next_rq, req,\n\t\t\t\t\t bfqd->last_position);\n\t\tbfqq->next_rq = next_rq;\n\t\t/*\n\t\t * If next_rq changes, update both the queue's budget to\n\t\t * fit the new request and the queue's position in its\n\t\t * rq_pos_tree.\n\t\t */\n\t\tif (prev != bfqq->next_rq) {\n\t\t\tbfq_updated_next_req(bfqd, bfqq);\n\t\t\t/*\n\t\t\t * See comments on bfq_pos_tree_add_move() for\n\t\t\t * the unlikely().\n\t\t\t */\n\t\t\tif (unlikely(!bfqd->nonrot_with_queueing))\n\t\t\t\tbfq_pos_tree_add_move(bfqd, bfqq);\n\t\t}\n\t}", "project": "linux", "hash": 152173328468698339425013597914247302149, "size": 42, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. 
So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] 
bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 
mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453348 }, { "func": "static int __io_remove_buffers(struct io_ring_ctx *ctx, struct io_buffer *buf,\n\t\t\t int bgid, unsigned nbufs)\n{\n\tunsigned i = 0;\n\n\t/* shouldn't happen */\n\tif (!nbufs)\n\t\treturn 0;\n\n\t/* the head kbuf is the list itself */\n\twhile (!list_empty(&buf->list)) {\n\t\tstruct io_buffer *nxt;\n\n\t\tnxt = list_first_entry(&buf->list, struct io_buffer, list);\n\t\tlist_del(&nxt->list);\n\t\tkfree(nxt);\n\t\tif (++i == nbufs)\n\t\t\treturn 
i;\n\t}\n\ti++;\n\tkfree(buf);\n\txa_erase(&ctx->io_buffers, bgid);\n\n\treturn i;\n}", "project": "linux", "hash": 146729723376091926796820567461060438318, "size": 25, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338536 }, { "func": " bool basic_const_item() const { return ref && (*ref)->basic_const_item(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 283686305110808596882859551785549521773, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. 
This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508969 }, { "func": " bool basic_const_item() const { return true; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 714728546035926743575565812727681795, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509007 }, { "func": " bool basic_const_item() const\n { return example && example->basic_const_item(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 10171740268490448519976281983384281695, "size": 2, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509358 }, { "func": "int blosc2_decompress(const void* src, int32_t srcsize, void* dest, int32_t destsize) {\n int result;\n char* envvar;\n long nthreads;\n blosc2_context *dctx;\n blosc2_dparams dparams = BLOSC2_DPARAMS_DEFAULTS;\n\n /* Check whether the library should be initialized */\n if (!g_initlib) blosc_init();\n\n /* Check for a BLOSC_NTHREADS environment variable */\n envvar = getenv(\"BLOSC_NTHREADS\");\n if (envvar != NULL) {\n nthreads = strtol(envvar, NULL, 10);\n if ((nthreads != EINVAL) && (nthreads > 0)) {\n result = blosc_set_nthreads((int)nthreads);\n if (result < 0) { return result; }\n }\n }\n\n /* Check for a BLOSC_NOLOCK environment variable. It is important\n that this should be the last env var so that it can take the\n previous ones into account */\n envvar = getenv(\"BLOSC_NOLOCK\");\n if (envvar != NULL) {\n dparams.nthreads = g_nthreads;\n dctx = blosc2_create_dctx(dparams);\n result = blosc2_decompress_ctx(dctx, src, srcsize, dest, destsize);\n blosc2_free_ctx(dctx);\n return result;\n }\n\n pthread_mutex_lock(&global_comp_mutex);\n\n result = blosc_run_decompression_with_context(\n g_global_context, src, srcsize, dest, destsize);\n\n pthread_mutex_unlock(&global_comp_mutex);\n\n return result;\n}", "project": "c-blosc2", "hash": 287116040839285561478861267325266036771, "size": 41, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303090 }, { "func": "static void get_xref_linear_skipped(FILE *fp, xref_t *xref)\n{\n int err;\n char ch, buf[256];\n\n if (xref->start != 0)\n return;\n\n /* Special case (Linearized PDF with initial startxref at 0) */\n xref->is_linear = 1;\n\n /* Seek to %%EOF */\n if ((xref->end = 
get_next_eof(fp)) < 0)\n return;\n\n /* Locate the trailer */ \n err = 0; \n while (!(err = ferror(fp)) && fread(buf, 1, 8, fp))\n {\n if (strncmp(buf, \"trailer\", strlen(\"trailer\")) == 0)\n break;\n else if ((ftell(fp) - 9) < 0)\n return;\n\n fseek(fp, -9, SEEK_CUR);\n }\n\n if (err)\n return;\n\n /* If we found 'trailer' look backwards for 'xref' */\n ch = 0;\n while (SAFE_F(fp, ((ch = fgetc(fp)) != 'x')))\n if (fseek(fp, -2, SEEK_CUR) == -1)\n FAIL(\"Failed to locate an xref. This might be a corrupt PDF.\\n\");\n\n if (ch == 'x')\n {\n xref->start = ftell(fp) - 1;\n fseek(fp, -1, SEEK_CUR);\n }\n\n /* Now continue to next eof ... */\n fseek(fp, xref->start, SEEK_SET);\n}", "project": "pdfresurrect", "hash": 136210545923281865814294860090458682729, "size": 45, "commit_id": "7e35d1806e111fd28610ccc86bb33f54792ac370", "message": "Fix possible infinite loop case when looking for a trailer.\n\nThanks to chibataiki for reporting and isolating this!", "target": 0, "dataset": "other", "idx": 355604 }, { "func": "static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_io_capa_reply *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);\n\tif (!conn)\n\t\tgoto unlock;\n\n\tconn->remote_cap = ev->capability;\n\tconn->remote_auth = ev->authentication;\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 238383332650562386398874276282327227892, "size": 19, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431885 }, { "func": "int vfs_whiteout(struct inode *dir, struct dentry *dentry)\n{\n\tint error = may_create(dir, dentry);\n\tif (error)\n\t\treturn error;\n\n\tif (!dir->i_op->mknod)\n\t\treturn -EPERM;\n\n\treturn dir->i_op->mknod(dir, dentry,\n\t\t\t\tS_IFCHR | WHITEOUT_MODE, WHITEOUT_DEV);\n}", "project": "linux", "hash": 215795993735837946595301598714861972189, "size": 12, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295319 }, { "func": "void CSoundFile::ApplyInstrumentPanning(ModChannel *pChn, const ModInstrument *instr, const ModSample *smp) const\n{\n\tint32 newPan = int32_min;\n\t// Default instrument panning\n\tif(instr != nullptr && instr->dwFlags[INS_SETPANNING])\n\t\tnewPan = instr->nPan;\n\t// Default sample panning\n\tif(smp != nullptr && smp->uFlags[CHN_PANNING])\n\t\tnewPan = smp->nPan;\n\n\tif(newPan != int32_min)\n\t{\n\t\tpChn->nPan = newPan;\n\t\t// IT compatibility: Sample and instrument panning overrides channel surround status.\n\t\t// Test case: SmpInsPanSurround.it\n\t\tif(m_playBehaviour[kPanOverride] && !m_SongFlags[SONG_SURROUNDPAN])\n\t\t{\n\t\t\tpChn->dwFlags.reset(CHN_SURROUND);\n\t\t}\n\t}\n}", "project": "openmpt", "hash": 54714775118496559051941873164280149212, "size": 21, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": 
"[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255212 }, { "func": "static int fuse_readlink_page(struct inode *inode, struct page *page)\n{\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tstruct fuse_page_desc desc = { .length = PAGE_SIZE - 1 };\n\tstruct fuse_args_pages ap = {\n\t\t.num_pages = 1,\n\t\t.pages = &page,\n\t\t.descs = &desc,\n\t};\n\tchar *link;\n\tssize_t res;\n\n\tap.args.opcode = FUSE_READLINK;\n\tap.args.nodeid = get_node_id(inode);\n\tap.args.out_pages = true;\n\tap.args.out_argvar = true;\n\tap.args.page_zeroing = true;\n\tap.args.out_numargs = 1;\n\tap.args.out_args[0].size = desc.length;\n\tres = fuse_simple_request(fm, &ap.args);\n\n\tfuse_invalidate_atime(inode);\n\n\tif (res < 0)\n\t\treturn res;\n\n\tif (WARN_ON(res >= PAGE_SIZE))\n\t\treturn -EIO;\n\n\tlink = page_address(page);\n\tlink[res] = '\\0';\n\n\treturn 0;\n}", "project": "linux", "hash": 84821381857958771975194784682100955924, "size": 34, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342111 }, { "func": "static int check_bytes_and_report(struct kmem_cache *s, struct page *page,\n\t\t\tu8 *object, char *what,\n\t\t\tu8 *start, unsigned int value, unsigned int bytes)\n{\n\tu8 *fault;\n\tu8 *end;\n\tu8 *addr = page_address(page);\n\n\tmetadata_access_enable();\n\tfault = memchr_inv(start, value, bytes);\n\tmetadata_access_disable();\n\tif (!fault)\n\t\treturn 1;\n\n\tend = start + bytes;\n\twhile (end > fault && end[-1] == value)\n\t\tend--;\n\n\tslab_bug(s, \"%s overwritten\", what);\n\tpr_err(\"INFO: 0x%p-0x%p @offset=%tu. First byte 0x%x instead of 0x%x\\n\",\n\t\t\t\t\tfault, end - 1, fault - addr,\n\t\t\t\t\tfault[0], value);\n\tprint_trailer(s, page, object);\n\n\trestore_bytes(s, what, value, fault, end);\n\treturn 0;\n}", "project": "linux", "hash": 196156006444310578915080492800320089744, "size": 27, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280166 }, { "func": "static void nfs4_xdr_enc_fsinfo(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\tconst void *data)\n{\n\tconst struct nfs4_fsinfo_arg *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_fsinfo(xdr, args->bitmask, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 120562914908210366809598560363934080170, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431187 }, { "func": "HttpStateData::doneSendingRequestBody()\n{\n Client::doneSendingRequestBody();\n debugs(11,5, HERE << serverConnection);\n\n // do we need to write something after the last body byte?\n if (flags.chunked_request && finishingChunkedRequest())\n return;\n if (!flags.chunked_request && finishingBrokenPost())\n return;\n\n sendComplete();\n}", "project": "squid", "hash": 179550981925416985801234000468799719281, "size": 13, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling 
(#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402335 }, { "func": "static void respond_string(const char *p, struct tty_port *port)\n{\n\twhile (*p) {\n\t\ttty_insert_flip_char(port, *p, 0);\n\t\tp++;\n\t}\n\ttty_schedule_flip(port);\n}", "project": "linux", "hash": 163146624120075653315541198411043619886, "size": 8, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437038 }, { "func": "static BOOL update_gdi_glyph_index(rdpContext* context, GLYPH_INDEX_ORDER* glyphIndex)\n{\n\tINT32 bkWidth = 0, bkHeight = 0, opWidth = 0, opHeight = 0;\n\n\tif (!context || !glyphIndex || !context->cache)\n\t\treturn FALSE;\n\n\tif (glyphIndex->bkRight > glyphIndex->bkLeft)\n\t\tbkWidth = glyphIndex->bkRight - glyphIndex->bkLeft + 1;\n\n\tif (glyphIndex->opRight > glyphIndex->opLeft)\n\t\topWidth = glyphIndex->opRight - glyphIndex->opLeft + 1;\n\n\tif (glyphIndex->bkBottom > glyphIndex->bkTop)\n\t\tbkHeight = glyphIndex->bkBottom - glyphIndex->bkTop + 1;\n\n\tif (glyphIndex->opBottom > glyphIndex->opTop)\n\t\topHeight = glyphIndex->opBottom - glyphIndex->opTop + 1;\n\n\treturn update_process_glyph_fragments(\n\t context, glyphIndex->data, glyphIndex->cbData, glyphIndex->cacheId, glyphIndex->ulCharInc,\n\t glyphIndex->flAccel, glyphIndex->backColor, glyphIndex->foreColor, glyphIndex->x,\n\t glyphIndex->y, glyphIndex->bkLeft, glyphIndex->bkTop, bkWidth, bkHeight, glyphIndex->opLeft,\n\t glyphIndex->opTop, opWidth, opHeight, glyphIndex->fOpRedundant);\n}", "project": "FreeRDP", "hash": 277393494453986255744622641467644295585, "size": 25, "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 0, "dataset": "other", "idx": 432851 }, { "func": "static inline void ov51x_stop(struct sd *sd)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\n\tgspca_dbg(gspca_dev, D_STREAM, \"stopping\\n\");\n\tsd->stopped = 1;\n\tswitch (sd->bridge) {\n\tcase BRIDGE_OV511:\n\tcase BRIDGE_OV511PLUS:\n\t\treg_w(sd, R51x_SYS_RESET, 0x3d);\n\t\tbreak;\n\tcase BRIDGE_OV518:\n\tcase BRIDGE_OV518PLUS:\n\t\treg_w_mask(sd, R51x_SYS_RESET, 0x3a, 0x3a);\n\t\tbreak;\n\tcase 
BRIDGE_OV519:\n\t\treg_w(sd, OV519_R51_RESET1, 0x0f);\n\t\treg_w(sd, OV519_R51_RESET1, 0x00);\n\t\treg_w(sd, 0x22, 0x00);\t\t/* FRAR */\n\t\tbreak;\n\tcase BRIDGE_OVFX2:\n\t\treg_w_mask(sd, 0x0f, 0x00, 0x02);\n\t\tbreak;\n\tcase BRIDGE_W9968CF:\n\t\treg_w(sd, 0x3c, 0x0a05); /* stop USB transfer */\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 303445733595249418765019222705388262524, "size": 28, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306320 }, { "func": "static bool safe_hardlink_source(struct inode *inode)\n{\n\tumode_t mode = inode->i_mode;\n\n\t/* Special files should not get pinned to the filesystem. */\n\tif (!S_ISREG(mode))\n\t\treturn false;\n\n\t/* Setuid files should not get pinned to the filesystem. */\n\tif (mode & S_ISUID)\n\t\treturn false;\n\n\t/* Executable setgid files should not get pinned to the filesystem. */\n\tif ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))\n\t\treturn false;\n\n\t/* Hardlinking to unreadable or unwritable sources is dangerous. 
*/\n\tif (inode_permission(inode, MAY_READ | MAY_WRITE))\n\t\treturn false;\n\n\treturn true;\n}", "project": "linux", "hash": 220474585784812548519903894366147772133, "size": 22, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295366 }, { "func": "int vcf_parse(kstring_t *s, const bcf_hdr_t *h, bcf1_t *v)\n{\n int i = 0, ret = -2, overflow = 0;\n char *p, *q, *r, *t;\n kstring_t *str;\n khint_t k;\n ks_tokaux_t aux;\n\n if (!s || !h || !v || !(s->s))\n return ret;\n\n // Assumed in lots of places, but we may as well spot this early\n assert(sizeof(float) == sizeof(int32_t));\n\n bcf_clear1(v);\n str = &v->shared;\n memset(&aux, 0, sizeof(ks_tokaux_t));\n for (p = kstrtok(s->s, \"\\t\", &aux), i = 0; p; p = kstrtok(0, 0, &aux), ++i) {\n q = (char*)aux.p;\n *q = 0;\n if (i == 0) { // CHROM\n vdict_t *d = (vdict_t*)h->dict[BCF_DT_CTG];\n k = kh_get(vdict, d, p);\n if (k == kh_end(d))\n {\n hts_log_warning(\"Contig '%s' is not defined in the header. 
(Quick workaround: index the file with tabix.)\", p);\n v->errcode = BCF_ERR_CTG_UNDEF;\n if ((k = fix_chromosome(h, d, p)) == kh_end(d)) {\n hts_log_error(\"Could not add dummy header for contig '%s'\", p);\n v->errcode |= BCF_ERR_CTG_INVALID;\n goto err;\n }\n }\n v->rid = kh_val(d, k).id;\n } else if (i == 1) { // POS\n overflow = 0;\n v->pos = hts_str2uint(p, &p, 63, &overflow);\n if (overflow) {\n hts_log_error(\"Position value '%s' is too large\", p);\n goto err;\n } else {\n v->pos -= 1;\n }\n if (v->pos >= INT32_MAX)\n v->unpacked |= BCF_IS_64BIT;\n } else if (i == 2) { // ID\n if (strcmp(p, \".\")) bcf_enc_vchar(str, q - p, p);\n else bcf_enc_size(str, 0, BCF_BT_CHAR);\n } else if (i == 3) { // REF\n bcf_enc_vchar(str, q - p, p);\n v->n_allele = 1, v->rlen = q - p;\n } else if (i == 4) { // ALT\n if (strcmp(p, \".\")) {\n for (r = t = p;; ++r) {\n if (*r == ',' || *r == 0) {\n if (v->n_allele == UINT16_MAX) {\n hts_log_error(\"Too many ALT alleles at %s:%\"PRIhts_pos,\n bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_LIMITS;\n goto err;\n }\n bcf_enc_vchar(str, r - t, t);\n t = r + 1;\n ++v->n_allele;\n }\n if (r == q) break;\n }\n }\n } else if (i == 5) { // QUAL\n if (strcmp(p, \".\")) v->qual = atof(p);\n else bcf_float_set_missing(v->qual);\n if ( v->max_unpack && !(v->max_unpack>>1) ) goto end; // BCF_UN_STR\n } else if (i == 6) { // FILTER\n if (strcmp(p, \".\")) {\n if (vcf_parse_filter(str, h, v, p, q)) goto err;\n } else bcf_enc_vint(str, 0, 0, -1);\n if ( v->max_unpack && !(v->max_unpack>>2) ) goto end; // BCF_UN_FLT\n } else if (i == 7) { // INFO\n if (strcmp(p, \".\")) {\n if (vcf_parse_info(str, h, v, p, q)) goto err;\n }\n if ( v->max_unpack && !(v->max_unpack>>3) ) goto end;\n } else if (i == 8) {// FORMAT\n return vcf_parse_format(s, h, v, p, q) == 0 ? 
0 : -2;\n }\n }\n\n end:\n ret = 0;\n\n err:\n return ret;\n}", "project": "htslib", "hash": 110374581863949199782787831247454902718, "size": 93, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402145 }, { "func": "\tVersion GetVersion() CXX11_OVERRIDE\n\t{\n\t\treturn Version(\"Provides the AWAY, ISON, NICK, PART, PASS, PING, PONG, QUIT, USERHOST, and USER commands\", VF_VENDOR|VF_CORE);\n\t}", "project": "inspircd", "hash": 82799496712990383950110871490651401555, "size": 4, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273265 }, { "func": "static uint32 GetFineLinearSlideDownTable(const CSoundFile *sndFile, uint32 i) { MPT_ASSERT(i < CountOf(FineLinearSlideDownTable)); return sndFile->m_playBehaviour[kHertzInLinearMode] ? 
FineLinearSlideDownTable[i] : FineLinearSlideUpTable[i]; }", "project": "openmpt", "hash": 189033187464133250653020795432575227630, "size": 1, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255171 }, { "func": "static void tty_write_unlock(struct tty_struct *tty)\n{\n\tmutex_unlock(&tty->atomic_write_lock);\n\twake_up_interruptible_poll(&tty->write_wait, EPOLLOUT);\n}", "project": "linux", "hash": 267140627757847146308338911673525129054, "size": 5, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326034 }, { "func": "bool __weak kvm_arch_dy_has_pending_interrupt(struct kvm_vcpu *vcpu)\n{\n\treturn false;\n}", "project": "linux", "hash": 84611066505951072007167491531401574801, "size": 4, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404087 }, { "func": "string CLua::setuniqregistry()\n{\n char name[100];\n snprintf(name, sizeof name, \"__cru%u\", uniqindex++);\n lua_pushstring(state(), name);\n lua_insert(state(), -2);\n lua_settable(state(), LUA_REGISTRYINDEX);\n\n return name;\n}", "project": "crawl", "hash": 105467964735842108526537595669608519100, "size": 10, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230486 }, { "func": " void skipSpace() { while (isSpace(*p)) p++; }", "project": "hhvm", "hash": 129737338911493330274119148607879144583, "size": 1, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227308 }, { "func": "int join_init_read_record(JOIN_TAB *tab)\n{\n /* \n Note: the query plan tree for the below operations is constructed in\n save_agg_explain_data.\n */\n if (tab->distinct && tab->remove_duplicates()) // Remove duplicates.\n return 1;\n if (tab->filesort && tab->sort_table()) // Sort table.\n return 1;\n\n 
DBUG_EXECUTE_IF(\"kill_join_init_read_record\",\n tab->join->thd->set_killed(KILL_QUERY););\n if (tab->select && tab->select->quick && tab->select->quick->reset())\n {\n /* Ensures error status is propagated back to client */\n report_error(tab->table,\n tab->join->thd->killed ? HA_ERR_QUERY_INTERRUPTED : HA_ERR_OUT_OF_MEM);\n return 1;\n }\n /* make sure we won't get ER_QUERY_INTERRUPTED from any code below */\n DBUG_EXECUTE_IF(\"kill_join_init_read_record\",\n tab->join->thd->reset_killed(););\n if (!tab->preread_init_done && tab->preread_init())\n return 1;\n if (init_read_record(&tab->read_record, tab->join->thd, tab->table,\n tab->select, tab->filesort_result, 1,1, FALSE))\n return 1;\n return tab->read_record.read_record();\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 154390240152762081894687056733498361438, "size": 30, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508467 }, { "func": "void gdImageChar (gdImagePtr im, gdFontPtr f, int x, int y, int c, int color)\n{\n\tint cx, cy;\n\tint px, py;\n\tint fline;\n\tcx = 0;\n\tcy = 0;\n#ifdef CHARSET_EBCDIC\n\tc = ASC (c);\n#endif /*CHARSET_EBCDIC */\n\tif ((c < f->offset) || (c >= (f->offset + f->nchars))) {\n\t\treturn;\n\t}\n\tfline = (c - f->offset) * f->h * f->w;\n\tfor (py = y; (py < (y + f->h)); py++) {\n\t\tfor (px = x; (px < (x + f->w)); px++) {\n\t\t\tif (f->data[fline + cy * f->w + cx]) {\n\t\t\t\tgdImageSetPixel(im, px, py, color);\n\t\t\t}\n\t\t\tcx++;\n\t\t}\n\t\tcx = 0;\n\t\tcy++;\n\t}\n}", "project": "php-src", "hash": 264902445598559541068566465610396834533, "size": 25, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295138 }, { "func": "static void hex2str(int val, char *str, size_t size)\n{\n if (val == -1)\n snprintf(str, size, \"*\");\n else\n snprintf(str, size, \"%x\", val);\n}", "project": "qemu", "hash": 144919874844179842698577467575026776268, "size": 7, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346303 }, { "func": "static inline void tcp_set_rto(struct sock *sk)\n{\n\tconst struct tcp_sock *tp = tcp_sk(sk);\n\t/* Old crap is replaced with new one. 8)\n\t *\n\t * More seriously:\n\t * 1. If rtt variance happened to be less 50msec, it is hallucination.\n\t * It cannot be less due to utterly erratic ACK generation made\n\t * at least by solaris and freebsd. \"Erratic ACKs\" has _nothing_\n\t * to do with delayed acks, because at cwnd>2 true delack timeout\n\t * is invisible. Actually, Linux-2.4 also generates erratic\n\t * ACKs in some circumstances.\n\t */\n\tinet_csk(sk)->icsk_rto = __tcp_set_rto(tp);\n\n\t/* 2. Fixups made earlier cannot be right.\n\t * If we do not estimate RTO correctly without them,\n\t * all the algo is pure shit and should be replaced\n\t * with correct one. 
It is exactly, which we pretend to do.\n\t */\n\n\t/* NOTE: clamping at TCP_RTO_MIN is not required, current algo\n\t * guarantees that rto is higher.\n\t */\n\ttcp_bound_rto(sk);\n}", "project": "net-next", "hash": 232811571084310010054636653972379864084, "size": 26, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409892 }, { "func": "static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,\n\t\t\t\tstruct nfs_fattr *fattr, struct nfs4_label *label,\n\t\t\t\tstruct inode *inode)\n{\n\t__u32 bitmask[NFS4_BITMASK_SZ];\n\tstruct nfs4_getattr_arg args = {\n\t\t.fh = fhandle,\n\t\t.bitmask = bitmask,\n\t};\n\tstruct nfs4_getattr_res res = {\n\t\t.fattr = fattr,\n\t\t.label = label,\n\t\t.server = server,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_GETATTR],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t};\n\tunsigned short task_flags = 0;\n\n\t/* Is this is an attribute revalidation, subject to softreval? 
*/\n\tif (inode && (server->flags & NFS_MOUNT_SOFTREVAL))\n\t\ttask_flags |= RPC_TASK_TIMEOUT;\n\n\tnfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, label), inode);\n\n\tnfs_fattr_init(fattr);\n\tnfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 0);\n\treturn nfs4_do_call_sync(server->client, server, &msg,\n\t\t\t&args.seq_args, &res.seq_res, task_flags);\n}", "project": "linux", "hash": 291247858324175911251669338859316437148, "size": 32, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431128 }, { "func": "inline static int php_openssl_open_base_dir_chk(char *filename)\n{\n\tif (php_check_open_basedir(filename)) {\n\t\treturn -1;\n\t}\n\n\treturn 0;\n}", "project": "php-src", "hash": 88249683783203594848444861100908969167, "size": 8, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291462 }, { "func": "int lua_resetthread (lua_State *L) {\n CallInfo *ci;\n int status;\n lua_lock(L);\n L->ci = ci = &L->base_ci; /* unwind CallInfo list */\n setnilvalue(s2v(L->stack)); /* 'function' entry for basic 'ci' */\n ci->func = L->stack;\n ci->callstatus = CIST_C;\n status = luaF_close(L, L->stack, CLOSEPROTECT);\n if (status != CLOSEPROTECT) /* real errors? 
*/\n luaD_seterrorobj(L, status, L->stack + 1);\n else {\n status = LUA_OK;\n L->top = L->stack + 1;\n }\n ci->top = L->top + LUA_MINSTACK;\n L->status = status;\n lua_unlock(L);\n return status;\n}", "project": "lua", "hash": 290426749165072240816100755769075013601, "size": 20, "commit_id": "a2195644d89812e5b157ce7bac35543e06db05e3", "message": "Fixed bug: invalid 'oldpc' when returning to a function\n\nThe field 'L->oldpc' is not always updated when control returns to a\nfunction; an invalid value can seg. fault when computing 'changedline'.\n(One example is an error in a finalizer; control can return to\n'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to\nfix all possible corner cases, it seems safer to be resilient to invalid\nvalues for 'oldpc'. Valid but wrong values at most cause an extra call\nto a line hook.", "target": 0, "dataset": "other", "idx": 462766 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "void BlobURLRequestJob::SetExtraRequestHeaders(\n const net::HttpRequestHeaders& headers) {\n std::string range_header;\n if (headers.GetHeader(net::HttpRequestHeaders::kRange, &range_header)) {\n std::vector ranges;\n if (net::HttpUtil::ParseRangeHeader(range_header, &ranges)) {\n if (ranges.size() == 1) {\n byte_range_set_ = true;\n byte_range_ = ranges[0];\n } else {\n NotifyFailure(net::ERR_REQUEST_RANGE_NOT_SATISFIABLE);\n }\n }\n }\n}\n", "cwe": "", "big_vul_idx": 106426, "idx": 176354, "hash": 90804293829128844160765261852623566475 }, { "func": "static int kvm_s390_get_processor_feat(struct kvm *kvm,\n\t\t\t\t struct kvm_device_attr *attr)\n{\n\tstruct kvm_s390_vm_cpu_feat data;\n\n\tbitmap_copy((unsigned long *) data.feat, kvm->arch.cpu_feat,\n\t\t KVM_S390_VM_CPU_FEAT_NR_BITS);\n\tif (copy_to_user((void __user *)attr->addr, &data, sizeof(data)))\n\t\treturn -EFAULT;\n\tVM_EVENT(kvm, 3, \"GET: guest feat: 0x%16.16llx.0x%16.16llx.0x%16.16llx\",\n\t\t\t data.feat[0],\n\t\t\t 
data.feat[1],\n\t\t\t data.feat[2]);\n\treturn 0;\n}", "project": "linux", "hash": 150446124215237591287744544266337095640, "size": 15, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354664 }, { "func": "int hrec_add_idx(bcf_hrec_t *hrec, int idx)\n{\n int n = hrec->nkeys + 1;\n char **tmp = (char**) realloc(hrec->keys, sizeof(char*)*n);\n if (!tmp) return -1;\n hrec->keys = tmp;\n\n tmp = (char**) realloc(hrec->vals, sizeof(char*)*n);\n if (!tmp) return -1;\n hrec->vals = tmp;\n\n hrec->keys[hrec->nkeys] = strdup(\"IDX\");\n if (!hrec->keys[hrec->nkeys]) return -1;\n\n kstring_t str = {0,0,0};\n if (kputw(idx, &str) < 0) {\n free(hrec->keys[hrec->nkeys]);\n return -1;\n }\n hrec->vals[hrec->nkeys] = str.s;\n hrec->nkeys = n;\n return 0;\n}", "project": "htslib", "hash": 38972045272085963861738583319422023153, "size": 23, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402225 }, { "func": "static inline void tcp_clear_all_retrans_hints(struct tcp_sock *tp)\n{\n\ttcp_clear_retrans_hints_partial(tp);\n\ttp->retransmit_skb_hint = NULL;\n}", "project": "linux", "hash": 140428808815171147885673910713002882035, "size": 5, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410732 }, { "func": "static bool nfs4_read_stateid_changed(struct rpc_task *task,\n\t\tstruct nfs_pgio_args *args)\n{\n\n\tif (!nfs4_error_stateid_expired(task->tk_status) ||\n\t\tnfs4_stateid_is_current(&args->stateid,\n\t\t\t\targs->context,\n\t\t\t\targs->lock_context,\n\t\t\t\tFMODE_READ))\n\t\treturn false;\n\trpc_restart_call_prepare(task);\n\treturn true;\n}", "project": "linux", "hash": 72421942633448601476649535429006664040, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431203 }, { "func": "inline int FlatSize(const Dims& dims) {\n int flat_size = 1;\n for (int i = 0; i < N; ++i) {\n flat_size *= dims.sizes[i];\n }\n return flat_size;\n}", "project": "tensorflow", "hash": 290674232665981995922049954139349377111, "size": 7, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269177 }, { "func": " bool parseNumber(char firstChar, bool array_elem = false) {\n uint64_t x = 0;\n bool neg = false;\n const char* begin = p - 1;\n if (firstChar == '-') {\n neg = true;\n } else {\n x = firstChar - '0'; // first digit\n }\n // Parse maximal digit sequence into x (non-negative).\n while (*p >= '0' && *p <= '9') {\n x = (x * 10) + (*p - '0');\n ++p;\n }\n if (*p == '.' || *p == 'e' || *p == 'E') {\n pushDouble(zend_strtod(begin, &p));\n return true;\n }\n\n auto len = p - begin;\n\n // JSON arrays don't permit leading 0's in numbers.\n if (UNLIKELY(len > 1 && firstChar == '0' && array_elem)) {\n return false;\n }\n\n // Now 'x' is the usigned absolute value of a naively parsed integer, but\n // potentially overflowed mod 2^64.\n if (LIKELY(len < 19) || (len == 19 && firstChar <= '8')) {\n int64_t sx = x;\n pushInt64(neg ? 
-sx : sx);\n } else {\n parseBigInt(len);\n }\n return true;\n }", "project": "hhvm", "hash": 231331349336429983058523847580685983774, "size": 36, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227288 }, { "func": "static long kvm_s390_set_skeys(struct kvm *kvm, struct kvm_s390_skeys *args)\n{\n\tuint8_t *keys;\n\tuint64_t hva;\n\tint srcu_idx, i, r = 0;\n\tbool unlocked;\n\n\tif (args->flags != 0)\n\t\treturn -EINVAL;\n\n\t/* Enforce sane limit on memory allocation */\n\tif (args->count < 1 || args->count > KVM_S390_SKEYS_MAX)\n\t\treturn -EINVAL;\n\n\tkeys = kvmalloc_array(args->count, sizeof(uint8_t), GFP_KERNEL);\n\tif (!keys)\n\t\treturn -ENOMEM;\n\n\tr = copy_from_user(keys, (uint8_t __user *)args->skeydata_addr,\n\t\t\t sizeof(uint8_t) * args->count);\n\tif (r) {\n\t\tr = -EFAULT;\n\t\tgoto out;\n\t}\n\n\t/* Enable storage key handling for the guest */\n\tr = s390_enable_skey();\n\tif (r)\n\t\tgoto out;\n\n\ti = 0;\n\tdown_read(¤t->mm->mmap_sem);\n\tsrcu_idx = srcu_read_lock(&kvm->srcu);\n while (i < args->count) {\n\t\tunlocked = false;\n\t\thva = gfn_to_hva(kvm, args->start_gfn + i);\n\t\tif (kvm_is_error_hva(hva)) {\n\t\t\tr = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Lowest order bit is reserved */\n\t\tif (keys[i] & 0x01) {\n\t\t\tr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\n\t\tr = set_guest_storage_key(current->mm, hva, keys[i], 0);\n\t\tif (r) {\n\t\t\tr = fixup_user_fault(current, current->mm, hva,\n\t\t\t\t\t FAULT_FLAG_WRITE, &unlocked);\n\t\t\tif (r)\n\t\t\t\tbreak;\n\t\t}\n\t\tif (!r)\n\t\t\ti++;\n\t}\n\tsrcu_read_unlock(&kvm->srcu, 
srcu_idx);\n\tup_read(¤t->mm->mmap_sem);\nout:\n\tkvfree(keys);\n\treturn r;\n}", "project": "linux", "hash": 40147245325923390088061414265166067460, "size": 63, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354565 }, { "func": "static int tcp_fast_parse_options(const struct sk_buff *skb,\n\t\t\t\t const struct tcphdr *th,\n\t\t\t\t struct tcp_sock *tp, const u8 **hvpp)\n{\n\t/* In the spirit of fast parsing, compare doff directly to constant\n\t * values. Because equality is used, short doff can be ignored here.\n\t */\n\tif (th->doff == (sizeof(*th) / 4)) {\n\t\ttp->rx_opt.saw_tstamp = 0;\n\t\treturn 0;\n\t} else if (tp->rx_opt.tstamp_ok &&\n\t\t th->doff == ((sizeof(*th) + TCPOLEN_TSTAMP_ALIGNED) / 4)) {\n\t\tif (tcp_parse_aligned_timestamp(tp, th))\n\t\t\treturn 1;\n\t}\n\ttcp_parse_options(skb, &tp->rx_opt, hvpp, 1);\n\treturn 1;\n}", "project": "net-next", "hash": 136770538735056581633826768774128936154, "size": 18, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409931 }, { "func": "static inline void copy_vmcb_control_area(struct vmcb *dst_vmcb, struct vmcb *from_vmcb)\n{\n\tstruct vmcb_control_area *dst = &dst_vmcb->control;\n\tstruct vmcb_control_area *from = &from_vmcb->control;\n\n\tdst->intercept_cr = from->intercept_cr;\n\tdst->intercept_dr = from->intercept_dr;\n\tdst->intercept_exceptions = from->intercept_exceptions;\n\tdst->intercept = from->intercept;\n\tdst->iopm_base_pa = from->iopm_base_pa;\n\tdst->msrpm_base_pa = from->msrpm_base_pa;\n\tdst->tsc_offset = from->tsc_offset;\n\tdst->asid = from->asid;\n\tdst->tlb_ctl = from->tlb_ctl;\n\tdst->int_ctl = from->int_ctl;\n\tdst->int_vector = from->int_vector;\n\tdst->int_state = from->int_state;\n\tdst->exit_code = from->exit_code;\n\tdst->exit_code_hi = from->exit_code_hi;\n\tdst->exit_info_1 = from->exit_info_1;\n\tdst->exit_info_2 = from->exit_info_2;\n\tdst->exit_int_info = from->exit_int_info;\n\tdst->exit_int_info_err = from->exit_int_info_err;\n\tdst->nested_ctl = from->nested_ctl;\n\tdst->event_inj = from->event_inj;\n\tdst->event_inj_err = from->event_inj_err;\n\tdst->nested_cr3 = from->nested_cr3;\n\tdst->virt_ext = from->virt_ext;\n\tdst->pause_filter_count = from->pause_filter_count;\n\tdst->pause_filter_thresh = from->pause_filter_thresh;\n}", "project": "linux", "hash": 23481593409122331591153738596354468694, "size": 31, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432509 }, { "func": "static inline void copy_vmcb_control_area(struct vmcb *dst_vmcb, struct vmcb *from_vmcb)\n{\n\tstruct vmcb_control_area *dst = &dst_vmcb->control;\n\tstruct vmcb_control_area *from = &from_vmcb->control;\n\n\tdst->intercept_cr = from->intercept_cr;\n\tdst->intercept_dr = from->intercept_dr;\n\tdst->intercept_exceptions = from->intercept_exceptions;\n\tdst->intercept = from->intercept;\n\tdst->iopm_base_pa = from->iopm_base_pa;\n\tdst->msrpm_base_pa = from->msrpm_base_pa;\n\tdst->tsc_offset = from->tsc_offset;\n\tdst->asid = from->asid;\n\tdst->tlb_ctl = from->tlb_ctl;\n\tdst->int_ctl = from->int_ctl;\n\tdst->int_vector = from->int_vector;\n\tdst->int_state = from->int_state;\n\tdst->exit_code = from->exit_code;\n\tdst->exit_code_hi = from->exit_code_hi;\n\tdst->exit_info_1 = from->exit_info_1;\n\tdst->exit_info_2 = from->exit_info_2;\n\tdst->exit_int_info = from->exit_int_info;\n\tdst->exit_int_info_err = from->exit_int_info_err;\n\tdst->nested_ctl = from->nested_ctl;\n\tdst->event_inj = from->event_inj;\n\tdst->event_inj_err = from->event_inj_err;\n\tdst->nested_cr3 = from->nested_cr3;\n\tdst->lbr_ctl = from->lbr_ctl;\n}", "project": "kvm", "hash": 175315272377494837483665127547246055680, "size": 29, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). 
However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437554 }, { "func": "void ignore_signals(struct task_struct *t)\n{\n\tint i;\n\n\tfor (i = 0; i < _NSIG; ++i)\n\t\tt->sighand->action[i].sa.sa_handler = SIG_IGN;\n\n\tflush_signals(t);\n}", "project": "linux", "hash": 159585011124396718794549999342879827435, "size": 9, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. 
With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375276 }, { "func": "static double exif_convert_any_format(void *value, int format,\n int motorola_intel) {\n int s_den;\n unsigned u_den;\n\n switch(format) {\n case TAG_FMT_SBYTE:\n return *(signed char *)value;\n case TAG_FMT_BYTE:\n return *(unsigned char *)value;\n\n case TAG_FMT_USHORT:\n return php_ifd_get16u(value, motorola_intel);\n case TAG_FMT_ULONG:\n return php_ifd_get32u(value, motorola_intel);\n\n case TAG_FMT_URATIONAL:\n u_den = php_ifd_get32u(4+(char *)value, motorola_intel);\n if (u_den == 0) {\n return 0;\n } else {\n return (double)php_ifd_get32u(value, motorola_intel) / u_den;\n }\n\n case TAG_FMT_SRATIONAL:\n s_den = php_ifd_get32s(4+(char *)value, motorola_intel);\n if (s_den == 0) {\n return 0;\n } else {\n return (double)php_ifd_get32s(value, motorola_intel) / s_den;\n }\n\n case TAG_FMT_SSHORT:\n return (signed short)php_ifd_get16u(value, motorola_intel);\n case TAG_FMT_SLONG:\n return php_ifd_get32s(value, motorola_intel);\n\n /* Not sure if this is correct (never seen float used in Exif format) */\n case TAG_FMT_SINGLE:\n return (double)*(float *)value;\n case TAG_FMT_DOUBLE:\n return *(double *)value;\n }\n return 0;\n}", "project": "hhvm", "hash": 13488945377560503584871535621345638480, "size": 45, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219774 }, { "func": "static bool is_suppressed_warning(int severity)\n{\n /* Might be a warning but suppresed explicitly */\n if (is_valid_warning(severity) && !(severity & ERR_USAGE))\n return !(warning_state[WARN_IDX(severity)] & WARN_ST_ENABLED);\n else\n return false;\n}", "project": "nasm", "hash": 323222341808328099087325288319107843141, "size": 8, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause 
nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257484 }, { "func": "static struct device *tty_get_device(struct tty_struct *tty)\n{\n\tdev_t devt = tty_devnum(tty);\n\treturn class_find_device_by_devt(tty_class, devt);\n}", "project": "linux", "hash": 187051292846281434515838216756562678011, "size": 5, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326022 }, { "func": "intrusive_ptr Expression::parseObject(ExpressionContext* const expCtx,\n BSONObj obj,\n const VariablesParseState& vps) {\n if (obj.isEmpty()) {\n return ExpressionObject::create(expCtx, {});\n }\n\n if (obj.firstElementFieldName()[0] == '$') {\n // Assume this is an expression like {$add: [...]}.\n return parseExpression(expCtx, obj, vps);\n }\n\n return ExpressionObject::parse(expCtx, obj, vps);\n}", "project": "mongo", "hash": 4043035446446359269787918208562869170, "size": 14, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370043 }, { "func": "static void idct_1d(float *blk, int step)\n{\n const float a = .5f * cosf( M_PI / 4.f);\n const float b = .5f * cosf( M_PI / 16.f);\n const float c = .5f * cosf( M_PI / 8.f);\n const float d = .5f * cosf(3.f*M_PI / 16.f);\n const float e = .5f * cosf(5.f*M_PI / 16.f);\n const float f = .5f * cosf(3.f*M_PI / 8.f);\n const float g = .5f * cosf(7.f*M_PI / 16.f);\n\n float alpha[4], beta[4], theta[4], gamma[4];\n\n alpha[0] = c * blk[2 * step];\n alpha[1] = f * blk[2 * step];\n alpha[2] = c * blk[6 * step];\n 
alpha[3] = f * blk[6 * step];\n\n beta[0] = b * blk[1 * step] + d * blk[3 * step] + e * blk[5 * step] + g * blk[7 * step];\n beta[1] = d * blk[1 * step] - g * blk[3 * step] - b * blk[5 * step] - e * blk[7 * step];\n beta[2] = e * blk[1 * step] - b * blk[3 * step] + g * blk[5 * step] + d * blk[7 * step];\n beta[3] = g * blk[1 * step] - e * blk[3 * step] + d * blk[5 * step] - b * blk[7 * step];\n\n theta[0] = a * (blk[0 * step] + blk[4 * step]);\n theta[3] = a * (blk[0 * step] - blk[4 * step]);\n\n theta[1] = alpha[0] + alpha[3];\n theta[2] = alpha[1] - alpha[2];\n\n gamma[0] = theta[0] + theta[1];\n gamma[1] = theta[3] + theta[2];\n gamma[2] = theta[3] - theta[2];\n gamma[3] = theta[0] - theta[1];\n\n blk[0 * step] = gamma[0] + beta[0];\n blk[1 * step] = gamma[1] + beta[1];\n blk[2 * step] = gamma[2] + beta[2];\n blk[3 * step] = gamma[3] + beta[3];\n\n blk[4 * step] = gamma[3] - beta[3];\n blk[5 * step] = gamma[2] - beta[2];\n blk[6 * step] = gamma[1] - beta[1];\n blk[7 * step] = gamma[0] - beta[0];\n}", "project": "FFmpeg", "hash": 20789914543607994500493275551909863850, "size": 43, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262690 }, { "func": "static int kvm_hv_get_msr_pw(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata,\n\t\t\t bool host)\n{\n\tu64 data = 0;\n\tstruct kvm *kvm = vcpu->kvm;\n\tstruct kvm_hv *hv = to_kvm_hv(kvm);\n\n\tswitch (msr) {\n\tcase HV_X64_MSR_GUEST_OS_ID:\n\t\tdata = hv->hv_guest_os_id;\n\t\tbreak;\n\tcase HV_X64_MSR_HYPERCALL:\n\t\tdata = hv->hv_hypercall;\n\t\tbreak;\n\tcase HV_X64_MSR_TIME_REF_COUNT:\n\t\tdata = get_time_ref_counter(kvm);\n\t\tbreak;\n\tcase HV_X64_MSR_REFERENCE_TSC:\n\t\tdata = hv->hv_tsc_page;\n\t\tbreak;\n\tcase HV_X64_MSR_CRASH_P0 ... 
HV_X64_MSR_CRASH_P4:\n\t\treturn kvm_hv_msr_get_crash_data(kvm,\n\t\t\t\t\t\t msr - HV_X64_MSR_CRASH_P0,\n\t\t\t\t\t\t pdata);\n\tcase HV_X64_MSR_CRASH_CTL:\n\t\treturn kvm_hv_msr_get_crash_ctl(kvm, pdata);\n\tcase HV_X64_MSR_RESET:\n\t\tdata = 0;\n\t\tbreak;\n\tcase HV_X64_MSR_REENLIGHTENMENT_CONTROL:\n\t\tdata = hv->hv_reenlightenment_control;\n\t\tbreak;\n\tcase HV_X64_MSR_TSC_EMULATION_CONTROL:\n\t\tdata = hv->hv_tsc_emulation_control;\n\t\tbreak;\n\tcase HV_X64_MSR_TSC_EMULATION_STATUS:\n\t\tdata = hv->hv_tsc_emulation_status;\n\t\tbreak;\n\tcase HV_X64_MSR_SYNDBG_OPTIONS:\n\tcase HV_X64_MSR_SYNDBG_CONTROL ... HV_X64_MSR_SYNDBG_PENDING_BUFFER:\n\t\treturn syndbg_get_msr(vcpu, msr, pdata, host);\n\tdefault:\n\t\tvcpu_unimpl(vcpu, \"Hyper-V unhandled rdmsr: 0x%x\\n\", msr);\n\t\treturn 1;\n\t}\n\n\t*pdata = data;\n\treturn 0;\n}", "project": "linux", "hash": 46010344396565500896974355425666622327, "size": 49, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. 
However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343494 }, { "func": "void kvm_arch_crypto_set_masks(struct kvm *kvm, unsigned long *apm,\n\t\t\t unsigned long *aqm, unsigned long *adm)\n{\n\tstruct kvm_s390_crypto_cb *crycb = kvm->arch.crypto.crycb;\n\n\tmutex_lock(&kvm->lock);\n\tkvm_s390_vcpu_block_all(kvm);\n\n\tswitch (kvm->arch.crypto.crycbd & CRYCB_FORMAT_MASK) {\n\tcase CRYCB_FORMAT2: /* APCB1 use 256 bits */\n\t\tmemcpy(crycb->apcb1.apm, apm, 32);\n\t\tVM_EVENT(kvm, 3, \"SET CRYCB: apm %016lx %016lx %016lx %016lx\",\n\t\t\t apm[0], apm[1], apm[2], apm[3]);\n\t\tmemcpy(crycb->apcb1.aqm, aqm, 32);\n\t\tVM_EVENT(kvm, 3, \"SET CRYCB: aqm %016lx %016lx %016lx %016lx\",\n\t\t\t aqm[0], aqm[1], aqm[2], aqm[3]);\n\t\tmemcpy(crycb->apcb1.adm, adm, 32);\n\t\tVM_EVENT(kvm, 3, \"SET CRYCB: adm %016lx %016lx %016lx %016lx\",\n\t\t\t adm[0], adm[1], adm[2], adm[3]);\n\t\tbreak;\n\tcase CRYCB_FORMAT1:\n\tcase CRYCB_FORMAT0: /* Fall through both use APCB0 */\n\t\tmemcpy(crycb->apcb0.apm, apm, 8);\n\t\tmemcpy(crycb->apcb0.aqm, aqm, 2);\n\t\tmemcpy(crycb->apcb0.adm, adm, 2);\n\t\tVM_EVENT(kvm, 3, \"SET CRYCB: apm %016lx aqm %04x adm %04x\",\n\t\t\t apm[0], *((unsigned short *)aqm),\n\t\t\t *((unsigned short *)adm));\n\t\tbreak;\n\tdefault:\t/* Can not happen */\n\t\tbreak;\n\t}\n\n\t/* recreate the shadow crycb for each vcpu */\n\tkvm_s390_sync_request_broadcast(kvm, 
KVM_REQ_VSIE_RESTART);\n\tkvm_s390_vcpu_unblock_all(kvm);\n\tmutex_unlock(&kvm->lock);\n}", "project": "linux", "hash": 155914074568930813146586828671446774288, "size": 38, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354540 }, { "func": " const NodeDef& get_node_def(int i) const override { return *node_defs_[i]; }", "project": "tensorflow", "hash": 198540376276973213272310525174281876087, "size": 1, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268351 }, { "func": " const NodeDef& get_node_def(int i) const override {\n CHECK(!is_consumed_[i])\n << \"NodeDef \" << i << \" accessed after it was consumed.\";\n return graph_def_.node(i);\n }", "project": "tensorflow", "hash": 296538501417984352860189213382199638936, "size": 5, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268365 }, { "func": "static int io_openat2(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct open_flags op;\n\tstruct file *file;\n\tbool nonblock_set;\n\tbool resolve_nonblock;\n\tint ret;\n\n\tret = build_open_flags(&req->open.how, &op);\n\tif (ret)\n\t\tgoto err;\n\tnonblock_set = op.open_flag & O_NONBLOCK;\n\tresolve_nonblock = req->open.how.resolve & RESOLVE_CACHED;\n\tif (issue_flags & IO_URING_F_NONBLOCK) {\n\t\t/*\n\t\t * Don't bother trying for O_TRUNC, O_CREAT, or O_TMPFILE open,\n\t\t * it'll always -EAGAIN\n\t\t */\n\t\tif (req->open.how.flags & (O_TRUNC | O_CREAT | O_TMPFILE))\n\t\t\treturn -EAGAIN;\n\t\top.lookup_flags |= LOOKUP_CACHED;\n\t\top.open_flag |= O_NONBLOCK;\n\t}\n\n\tret = __get_unused_fd_flags(req->open.how.flags, req->open.nofile);\n\tif (ret < 0)\n\t\tgoto err;\n\n\tfile = do_filp_open(req->open.dfd, req->open.filename, &op);\n\t/* only retry if RESOLVE_CACHED wasn't already set by application */\n\tif ((!resolve_nonblock && (issue_flags & IO_URING_F_NONBLOCK)) &&\n\t file == ERR_PTR(-EAGAIN)) {\n\t\t/*\n\t\t * We could hang on to this 'fd', but seems like marginal\n\t\t * gain for something that is now known to be a slower path.\n\t\t * So just put it, and we'll get a new one when we retry.\n\t\t */\n\t\tput_unused_fd(ret);\n\t\treturn -EAGAIN;\n\t}\n\n\tif (IS_ERR(file)) {\n\t\tput_unused_fd(ret);\n\t\tret = PTR_ERR(file);\n\t} else {\n\t\tif ((issue_flags & IO_URING_F_NONBLOCK) && !nonblock_set)\n\t\t\tfile->f_flags &= ~O_NONBLOCK;\n\t\tfsnotify_open(file);\n\t\tfd_install(ret, file);\n\t}\nerr:\n\tputname(req->open.filename);\n\treq->flags &= ~REQ_F_NEED_CLEANUP;\n\tif (ret < 
0)\n\t\treq_set_fail_links(req);\n\t__io_req_complete(req, issue_flags, ret, 0);\n\treturn 0;\n}", "project": "linux", "hash": 17844383068467845492815626053444340395, "size": 58, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338676 }, { "func": "static int update_bg_scan(struct hci_request *req, unsigned long opt)\n{\n\thci_dev_lock(req->hdev);\n\t__hci_update_background_scan(req);\n\thci_dev_unlock(req->hdev);\n\treturn 0;\n}", "project": "linux", "hash": 263481163814307318740425745379120699178, "size": 7, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402512 }, { "func": "static void nfs4_xdr_enc_read(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t const void *data)\n{\n\tconst struct nfs_pgio_args *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_read(xdr, args, &hdr);\n\n\trpc_prepare_reply_pages(req, args->pages, args->pgbase,\n\t\t\t\targs->count, hdr.replen);\n\treq->rq_rcv_buf.flags |= XDRBUF_READ;\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 151576881148038268240144906946138317830, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431285 }, { "func": "static int trace_die_handler(struct notifier_block *self,\n\t\t\t unsigned long val,\n\t\t\t void *data)\n{\n\tswitch (val) {\n\tcase DIE_OOPS:\n\t\tif (ftrace_dump_on_oops)\n\t\t\tftrace_dump(ftrace_dump_on_oops);\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\treturn NOTIFY_OK;\n}", "project": "linux", "hash": 160583281211014179004010699757207648978, "size": 14, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate 
part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445531 }, { "func": "static void synic_init(struct kvm_vcpu_hv_synic *synic)\n{\n\tint i;\n\n\tmemset(synic, 0, sizeof(*synic));\n\tsynic->version = HV_SYNIC_VERSION_1;\n\tfor (i = 0; i < ARRAY_SIZE(synic->sint); i++) {\n\t\tatomic64_set(&synic->sint[i], HV_SYNIC_SINT_MASKED);\n\t\tatomic_set(&synic->sint_to_gsi[i], -1);\n\t}\n}", "project": "linux", "hash": 227755418898628322872500238849635523098, "size": 11, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor 
SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343520 }, { "func": "static int fuse_get_user_pages(struct fuse_args_pages *ap, struct iov_iter *ii,\n\t\t\t size_t *nbytesp, int write,\n\t\t\t unsigned int max_pages)\n{\n\tsize_t nbytes = 0; /* # bytes already packed in req */\n\tssize_t ret = 0;\n\n\t/* Special case for kernel I/O: can copy directly into the buffer */\n\tif (iov_iter_is_kvec(ii)) {\n\t\tunsigned long user_addr = fuse_get_user_addr(ii);\n\t\tsize_t frag_size = fuse_get_frag_size(ii, *nbytesp);\n\n\t\tif (write)\n\t\t\tap->args.in_args[1].value = (void *) user_addr;\n\t\telse\n\t\t\tap->args.out_args[0].value = (void *) user_addr;\n\n\t\tiov_iter_advance(ii, frag_size);\n\t\t*nbytesp = frag_size;\n\t\treturn 0;\n\t}\n\n\twhile (nbytes < *nbytesp && ap->num_pages < max_pages) {\n\t\tunsigned npages;\n\t\tsize_t start;\n\t\tret = iov_iter_get_pages(ii, &ap->pages[ap->num_pages],\n\t\t\t\t\t*nbytesp - nbytes,\n\t\t\t\t\tmax_pages - ap->num_pages,\n\t\t\t\t\t&start);\n\t\tif (ret < 0)\n\t\t\tbreak;\n\n\t\tiov_iter_advance(ii, ret);\n\t\tnbytes += ret;\n\n\t\tret += start;\n\t\tnpages = (ret + PAGE_SIZE - 1) / PAGE_SIZE;\n\n\t\tap->descs[ap->num_pages].offset = start;\n\t\tfuse_page_descs_length_init(ap->descs, ap->num_pages, npages);\n\n\t\tap->num_pages += npages;\n\t\tap->descs[ap->num_pages - 1].length -=\n\t\t\t(PAGE_SIZE - ret) & (PAGE_SIZE - 1);\n\t}\n\n\tif (write)\n\t\tap->args.in_pages = 
true;\n\telse\n\t\tap->args.out_pages = true;\n\n\t*nbytesp = nbytes;\n\n\treturn ret < 0 ? ret : 0;\n}", "project": "linux", "hash": 211017809283614158007786095720711736108, "size": 55, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341915 }, { "func": "Status ConvBackpropComputeDimensionsV2(\n StringPiece label, int num_spatial_dims, const TensorShape& input_shape,\n const TensorShape& filter_shape, const TensorShape& out_backprop_shape,\n const gtl::ArraySlice& dilations, const std::vector& strides,\n Padding padding, absl::Span explicit_paddings,\n TensorFormat data_format, ConvBackpropDimensions* dims) {\n // The + 2 in the following line is for the batch and feature dimensions.\n const int num_dims = num_spatial_dims + 2;\n if (input_shape.dims() != num_dims) {\n return errors::InvalidArgument(label, \": input must be \", num_dims,\n \"-dimensional\");\n }\n if (filter_shape.dims() != num_dims) {\n return errors::InvalidArgument(label, \": filter must be \", num_dims,\n \"-dimensional\");\n }\n if (out_backprop_shape.dims() != num_dims) {\n return 
errors::InvalidArgument(label, \": out_backprop must be \", num_dims,\n \"-dimensional\");\n }\n int batch_dim = GetTensorBatchDimIndex(num_dims, data_format);\n dims->batch_size = input_shape.dim_size(batch_dim);\n if (dims->batch_size != out_backprop_shape.dim_size(batch_dim)) {\n return errors::InvalidArgument(\n label, \": input and out_backprop must have the same batch size.\",\n \" Input batch: \", dims->batch_size,\n \", outbackprop batch: \", out_backprop_shape.dim_size(batch_dim),\n \", batch_dim: \", batch_dim);\n }\n\n int feature_dim = GetTensorFeatureDimIndex(num_dims, data_format);\n dims->in_depth = input_shape.dim_size(feature_dim);\n // The input and output feature dimensions are the second last and last\n // dimensions of the filter Tensor.\n VLOG(2) << \"input vs filter_in depth \" << dims->in_depth << \" \"\n << filter_shape.dim_size(num_dims - 2);\n if (dims->in_depth % filter_shape.dim_size(num_dims - 2)) {\n return errors::InvalidArgument(\n label, \": input depth must be evenly divisible by filter depth\");\n }\n dims->out_depth = filter_shape.dim_size(num_dims - 1);\n if (dims->out_depth != out_backprop_shape.dim_size(feature_dim)) {\n return errors::InvalidArgument(\n label, \": filter and out_backprop must have the same out_depth\");\n }\n dims->spatial_dims.resize(num_spatial_dims);\n for (int i = 0; i < num_spatial_dims; ++i) {\n int image_dim = GetTensorSpatialDimIndex(num_dims, data_format, i);\n int64 padding_before = -1, padding_after = -1;\n if (padding == EXPLICIT) {\n padding_before = explicit_paddings[2 * image_dim];\n padding_after = explicit_paddings[2 * image_dim + 1];\n }\n TF_RETURN_IF_ERROR(ConvBackpropExtractAndVerifyDimension(\n label, input_shape, filter_shape, out_backprop_shape, dilations,\n strides, padding, padding_before, padding_after, image_dim, i,\n &dims->spatial_dims[i]));\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 320799004957211890798176933281449360794, "size": 60, "commit_id": 
"fca9874a9b42a2134f907d2fb46ab774a831404a", "message": "Prevent another division by zero.\n\nPiperOrigin-RevId: 369338598\nChange-Id: I55471d363e401fdcf8d259670ad4eef672b731e2", "target": 1, "dataset": "other", "idx": 197183 }, { "func": "Status ConvBackpropComputeDimensionsV2(\n StringPiece label, int num_spatial_dims, const TensorShape& input_shape,\n const TensorShape& filter_shape, const TensorShape& out_backprop_shape,\n const gtl::ArraySlice& dilations, const std::vector& strides,\n Padding padding, absl::Span explicit_paddings,\n TensorFormat data_format, ConvBackpropDimensions* dims) {\n // The + 2 in the following line is for the batch and feature dimensions.\n const int num_dims = num_spatial_dims + 2;\n if (input_shape.dims() != num_dims) {\n return errors::InvalidArgument(label, \": input must be \", num_dims,\n \"-dimensional\");\n }\n if (filter_shape.dims() != num_dims) {\n return errors::InvalidArgument(label, \": filter must be \", num_dims,\n \"-dimensional\");\n }\n if (out_backprop_shape.dims() != num_dims) {\n return errors::InvalidArgument(label, \": out_backprop must be \", num_dims,\n \"-dimensional\");\n }\n int batch_dim = GetTensorBatchDimIndex(num_dims, data_format);\n dims->batch_size = input_shape.dim_size(batch_dim);\n if (dims->batch_size != out_backprop_shape.dim_size(batch_dim)) {\n return errors::InvalidArgument(\n label, \": input and out_backprop must have the same batch size.\",\n \" Input batch: \", dims->batch_size,\n \", outbackprop batch: \", out_backprop_shape.dim_size(batch_dim),\n \", batch_dim: \", batch_dim);\n }\n\n int feature_dim = GetTensorFeatureDimIndex(num_dims, data_format);\n dims->in_depth = input_shape.dim_size(feature_dim);\n // The input and output feature dimensions are the second last and last\n // dimensions of the filter Tensor.\n VLOG(2) << \"input vs filter_in depth \" << dims->in_depth << \" \"\n << filter_shape.dim_size(num_dims - 2);\n if (filter_shape.dim_size(num_dims - 2) <= 0) {\n return 
errors ::InvalidArgument(\n label, \": filter depth must be strictly greated than zero\");\n }\n if (dims->in_depth % filter_shape.dim_size(num_dims - 2)) {\n return errors::InvalidArgument(\n label, \": input depth must be evenly divisible by filter depth\");\n }\n dims->out_depth = filter_shape.dim_size(num_dims - 1);\n if (dims->out_depth != out_backprop_shape.dim_size(feature_dim)) {\n return errors::InvalidArgument(\n label, \": filter and out_backprop must have the same out_depth\");\n }\n dims->spatial_dims.resize(num_spatial_dims);\n for (int i = 0; i < num_spatial_dims; ++i) {\n int image_dim = GetTensorSpatialDimIndex(num_dims, data_format, i);\n int64 padding_before = -1, padding_after = -1;\n if (padding == EXPLICIT) {\n padding_before = explicit_paddings[2 * image_dim];\n padding_after = explicit_paddings[2 * image_dim + 1];\n }\n TF_RETURN_IF_ERROR(ConvBackpropExtractAndVerifyDimension(\n label, input_shape, filter_shape, out_backprop_shape, dilations,\n strides, padding, padding_before, padding_after, image_dim, i,\n &dims->spatial_dims[i]));\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 287077448679940441968460163872429604572, "size": 64, "commit_id": "fca9874a9b42a2134f907d2fb46ab774a831404a", "message": "Prevent another division by zero.\n\nPiperOrigin-RevId: 369338598\nChange-Id: I55471d363e401fdcf8d259670ad4eef672b731e2", "target": 0, "dataset": "other", "idx": 255022 }, { "func": "int x25_parse_address_block(struct sk_buff *skb,\n\t\tstruct x25_address *called_addr,\n\t\tstruct x25_address *calling_addr)\n{\n\tunsigned char len;\n\tint needed;\n\tint rc;\n\n\tif (!pskb_may_pull(skb, 1)) {\n\t\t/* packet has no address block */\n\t\trc = 0;\n\t\tgoto empty;\n\t}\n\n\tlen = *skb->data;\n\tneeded = 1 + ((len >> 4) + (len & 0x0f) + 1) / 2;\n\n\tif (!pskb_may_pull(skb, needed)) {\n\t\t/* packet is too short to hold the addresses it claims\n\t\t to hold */\n\t\trc = -1;\n\t\tgoto empty;\n\t}\n\n\treturn x25_addr_ntoa(skb->data, 
called_addr, calling_addr);\n\nempty:\n\t*called_addr->x25_addr = 0;\n\t*calling_addr->x25_addr = 0;\n\n\treturn rc;\n}", "project": "net", "hash": 285914114593867963073685981819543345007, "size": 32, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 449177 }, { "func": "void kvm_arch_vcpu_put(struct kvm_vcpu *vcpu)\n{\n\tvcpu->cpu = -1;\n\tif (vcpu->arch.cputm_enabled && !is_vcpu_idle(vcpu))\n\t\t__stop_cpu_timer_accounting(vcpu);\n\tkvm_s390_clear_cpuflags(vcpu, CPUSTAT_RUNNING);\n\tvcpu->arch.enabled_gmap = gmap_get_enabled();\n\tgmap_disable(vcpu->arch.enabled_gmap);\n\n}", "project": "linux", "hash": 58579912074519234462296053626502783609, "size": 10, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354756 }, { "func": "static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)\n{\n\tstruct nfs_server *server = NFS_SERVER(state->inode);\n\tstruct nfs4_exception exception = { };\n\tint err;\n\tdo {\n\t\terr = _nfs4_do_open_reclaim(ctx, state);\n\t\ttrace_nfs4_open_reclaim(ctx, 0, err);\n\t\tif (nfs4_clear_cap_atomic_open_v1(server, err, &exception))\n\t\t\tcontinue;\n\t\tif (err != -NFS4ERR_DELAY)\n\t\t\tbreak;\n\t\tnfs4_handle_exception(server, err, &exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 6866567916681060560356256295795128464, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to 
decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431131 }, { "func": " */\nstatic bool bfq_bfqq_is_slow(struct bfq_data *bfqd, struct bfq_queue *bfqq,\n\t\t\t\t bool compensate, enum bfqq_expiration reason,\n\t\t\t\t unsigned long *delta_ms)\n{\n\tktime_t delta_ktime;\n\tu32 delta_usecs;\n\tbool slow = BFQQ_SEEKY(bfqq); /* if delta too short, use seekyness */\n\n\tif (!bfq_bfqq_sync(bfqq))\n\t\treturn false;\n\n\tif (compensate)\n\t\tdelta_ktime = bfqd->last_idling_start;\n\telse\n\t\tdelta_ktime = ktime_get();\n\tdelta_ktime = ktime_sub(delta_ktime, bfqd->last_budget_start);\n\tdelta_usecs = ktime_to_us(delta_ktime);\n\n\t/* don't use too short time intervals */\n\tif (delta_usecs < 1000) {\n\t\tif (blk_queue_nonrot(bfqd->queue))\n\t\t\t /*\n\t\t\t * give same worst-case guarantees as idling\n\t\t\t * for seeky\n\t\t\t */\n\t\t\t*delta_ms = BFQ_MIN_TT / NSEC_PER_MSEC;\n\t\telse /* charge at least one seek */\n\t\t\t*delta_ms = bfq_slice_idle / NSEC_PER_MSEC;\n\n\t\treturn slow;\n\t}\n\n\t*delta_ms = delta_usecs / USEC_PER_MSEC;\n\n\t/*\n\t * Use only long (> 20ms) intervals to filter out excessive\n\t * spikes in service rate estimation.\n\t */\n\tif (delta_usecs > 20000) {\n\t\t/*\n\t\t * Caveat for rotational devices: processes doing I/O\n\t\t * in the slower disk zones tend to be slow(er) even\n\t\t * if not seeky. In this respect, the estimated peak\n\t\t * rate is likely to be an average over the disk\n\t\t * surface. 
Accordingly, to not be too harsh with\n\t\t * unlucky processes, a process is deemed slow only if\n\t\t * its rate has been lower than half of the estimated\n\t\t * peak rate.\n\t\t */\n\t\tslow = bfqq->entity.service < bfqd->bfq_max_budget / 2;\n\t}\n\n\tbfq_log_bfqq(bfqd, bfqq, \"bfq_bfqq_is_slow: slow %d\", slow);\n\n\treturn slow;", "project": "linux", "hash": 208035948625685207393315377333044549043, "size": 56, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453354 }, { "func": "bool WindowsServiceControl::setStartType( int startType )\n{\n\tif( checkService() == false || startType == InvalidStartType )\n\t{\n\t\treturn false;\n\t}\n\n\tif( ChangeServiceConfig( m_serviceHandle,\n\t\t\t\t\t\t\t SERVICE_NO_CHANGE,\t// dwServiceType\n\t\t\t\t\t\t\t static_cast( startType ),\n\t\t\t\t\t\t\t SERVICE_NO_CHANGE,\t// dwErrorControl\n\t\t\t\t\t\t\t nullptr,\t// lpBinaryPathName\n\t\t\t\t\t\t\t nullptr,\t// lpLoadOrderGroup\n\t\t\t\t\t\t\t nullptr,\t// lpdwTagId\n\t\t\t\t\t\t\t nullptr,\t// lpDependencies\n\t\t\t\t\t\t\t nullptr,\t// lpServiceStartName\n\t\t\t\t\t\t\t nullptr,\t// lpPassword\n\t\t\t\t\t\t\t nullptr\t// lpDisplayName\n\t\t\t\t\t\t\t ) == false )\n\t{\n\t\tvCritical() << qUtf8Printable( tr( \"The start type of service \\\"%1\\\" could not be changed.\" ).arg( m_name ) );\n\t\treturn false;\n\t}\n\n\treturn 
true;\n}", "project": "veyon", "hash": 317501293423579395075152666033620596303, "size": 26, "commit_id": "f231ec511b9a09f43f49b2c7bb7c60b8046276b1", "message": "WindowsServiceControl: quote service binary path\n\nFix unquoted service path vulnerability.\n\nCloses #657.", "target": 0, "dataset": "other", "idx": 241030 }, { "func": "void set_postjoin_aggr_write_func(JOIN_TAB *tab)\n{\n JOIN *join= tab->join;\n TABLE *table= tab->table;\n AGGR_OP *aggr= tab->aggr;\n TMP_TABLE_PARAM *tmp_tbl= tab->tmp_table_param;\n\n DBUG_ASSERT(table && aggr);\n\n if (table->group && tmp_tbl->sum_func_count && \n !tmp_tbl->precomputed_group_by)\n {\n /*\n Note for MyISAM tmp tables: if uniques is true keys won't be\n created.\n */\n if (table->s->keys && !table->s->uniques)\n {\n DBUG_PRINT(\"info\",(\"Using end_update\"));\n aggr->set_write_func(end_update);\n }\n else\n {\n DBUG_PRINT(\"info\",(\"Using end_unique_update\"));\n aggr->set_write_func(end_unique_update);\n }\n }\n else if (join->sort_and_group && !tmp_tbl->precomputed_group_by &&\n !join->sort_and_group_aggr_tab && join->tables_list &&\n join->top_join_tab_count)\n {\n DBUG_PRINT(\"info\",(\"Using end_write_group\"));\n aggr->set_write_func(end_write_group);\n join->sort_and_group_aggr_tab= tab;\n }\n else\n {\n DBUG_PRINT(\"info\",(\"Using end_write\"));\n aggr->set_write_func(end_write);\n if (tmp_tbl->precomputed_group_by)\n {\n /*\n A preceding call to create_tmp_table in the case when loose\n index scan is used guarantees that\n TMP_TABLE_PARAM::items_to_copy has enough space for the group\n by functions. 
It is OK here to use memcpy since we copy\n Item_sum pointers into an array of Item pointers.\n */\n memcpy(tmp_tbl->items_to_copy + tmp_tbl->func_count,\n join->sum_funcs,\n sizeof(Item*)*tmp_tbl->sum_func_count);\n tmp_tbl->items_to_copy[tmp_tbl->func_count+tmp_tbl->sum_func_count]= 0;\n }\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 276143444826895200086441792222402553523, "size": 55, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508627 }, { "project": "Chrome", "commit_id": "3454ed7b88318dcd4539c6e1a50d27b0ca535686", "target": 1, "func": "base::string16 GenerateKeywordFromNavigationEntry(\n const NavigationEntry* entry,\n const std::string& accept_languages) {\n if (IsFormSubmit(entry))\n return base::string16();\n\n GURL url = entry->GetUserTypedURL();\n if (!url.is_valid()) {\n url = entry->GetURL();\n if (!url.is_valid())\n return base::string16();\n }\n \n if (!url.SchemeIs(url::kHttpScheme) || (url.path().length() > 1))\n return base::string16();\n \n return TemplateURL::GenerateKeyword(url, accept_languages);\n }\n", "cwe": "", "big_vul_idx": 185451, "idx": 6302, "hash": 186236423855654680462739638936218281309 }, { "project": "Chrome", "commit_id": "3454ed7b88318dcd4539c6e1a50d27b0ca535686", "target": 0, "func": "base::string16 GenerateKeywordFromNavigationEntry(\n const NavigationEntry* entry,\n const std::string& accept_languages) {\n if (IsFormSubmit(entry))\n return base::string16();\n\n GURL url = entry->GetUserTypedURL();\n if (!url.is_valid()) {\n url = entry->GetURL();\n if (!url.is_valid())\n return base::string16();\n }\n \n // Don't autogenerate keywords for referrers that\n // a) are anything other than HTTP/HTTPS or\n // b) have a path.\n if (!(url.SchemeIs(url::kHttpScheme) || url.SchemeIs(url::kHttpsScheme)) ||\n (url.path().length() > 1)) {\n return base::string16();\n }\n \n return TemplateURL::GenerateKeyword(url, accept_languages);\n }\n", "cwe": "", "big_vul_idx": 185451, "idx": 163389, "hash": 215967538991632573956354911036881851299 }, { "func": "\tCUser* GetNewUser(CWebSock& WebSock, CUser* pUser) {\n\t\tCSmartPtr spSession = WebSock.GetSession();\n\t\tCString sUsername = WebSock.GetParam(\"newuser\");\n\n\t\tif (sUsername.empty()) 
{\n\t\t\tsUsername = WebSock.GetParam(\"user\");\n\t\t}\n\n\t\tif (sUsername.empty()) {\n\t\t\tWebSock.PrintErrorPage(\"Invalid Submission [Username is required]\");\n\t\t\treturn NULL;\n\t\t}\n\n\t\tif (pUser) {\n\t\t\t/* If we are editing a user we must not change the user name */\n\t\t\tsUsername = pUser->GetUserName();\n\t\t}\n\n\t\tCString sArg = WebSock.GetParam(\"password\");\n\n\t\tif (sArg != WebSock.GetParam(\"password2\")) {\n\t\t\tWebSock.PrintErrorPage(\"Invalid Submission [Passwords do not match]\");\n\t\t\treturn NULL;\n\t\t}\n\n\t\tCUser* pNewUser = new CUser(sUsername);\n\n\t\tif (!sArg.empty()) {\n\t\t\tCString sSalt = CUtils::GetSalt();\n\t\t\tCString sHash = CUser::SaltedHash(sArg, sSalt);\n\t\t\tpNewUser->SetPass(sHash, CUser::HASH_DEFAULT, sSalt);\n\t\t}\n\n\t\tVCString vsArgs;\n\t\tunsigned int a = 0;\n\n\t\tWebSock.GetRawParam(\"allowedips\").Split(\"\\n\", vsArgs);\n\t\tif (vsArgs.size()) {\n\t\t\tfor (a = 0; a < vsArgs.size(); a++) {\n\t\t\t\tpNewUser->AddAllowedHost(vsArgs[a].Trim_n());\n\t\t\t}\n\t\t} else {\n\t\t\tpNewUser->AddAllowedHost(\"*\");\n\t\t}\n\n\t\tWebSock.GetRawParam(\"ctcpreplies\").Split(\"\\n\", vsArgs);\n\t\tfor (a = 0; a < vsArgs.size(); a++) {\n\t\t\tCString sReply = vsArgs[a].TrimRight_n(\"\\r\");\n\t\t\tpNewUser->AddCTCPReply(sReply.Token(0).Trim_n(), sReply.Token(1, true).Trim_n());\n\t\t}\n\n\t\tsArg = WebSock.GetParam(\"nick\"); if (!sArg.empty()) { pNewUser->SetNick(sArg); }\n\t\tsArg = WebSock.GetParam(\"altnick\"); if (!sArg.empty()) { pNewUser->SetAltNick(sArg); }\n\t\tsArg = WebSock.GetParam(\"statusprefix\"); if (!sArg.empty()) { pNewUser->SetStatusPrefix(sArg); }\n\t\tsArg = WebSock.GetParam(\"ident\"); if (!sArg.empty()) { pNewUser->SetIdent(sArg); }\n\t\tsArg = WebSock.GetParam(\"skin\"); if (!sArg.empty()) { pNewUser->SetSkinName(sArg); }\n\t\tsArg = WebSock.GetParam(\"realname\"); if (!sArg.empty()) { pNewUser->SetRealName(sArg); }\n\t\tsArg = WebSock.GetParam(\"quitmsg\"); if (!sArg.empty()) { 
pNewUser->SetQuitMsg(sArg); }\n\t\tsArg = WebSock.GetParam(\"chanmodes\"); if (!sArg.empty()) { pNewUser->SetDefaultChanModes(sArg); }\n\t\tsArg = WebSock.GetParam(\"timestampformat\"); if (!sArg.empty()) { pNewUser->SetTimestampFormat(sArg); }\n\n\t\tsArg = WebSock.GetParam(\"bindhost\");\n\t\t// To change BindHosts be admin or don't have DenySetBindHost\n\t\tif (spSession->IsAdmin() || !spSession->GetUser()->DenySetBindHost()) {\n\t\t\tCString sArg2 = WebSock.GetParam(\"dccbindhost\");\n\t\t\tif (!sArg.empty()) {\n\t\t\t\tpNewUser->SetBindHost(sArg);\n\t\t\t}\n\t\t\tif (!sArg2.empty()) {\n\t\t\t\tpNewUser->SetDCCBindHost(sArg2);\n\t\t\t}\n\n\t\t\tconst VCString& vsHosts = CZNC::Get().GetBindHosts();\n\t\t\tif (!spSession->IsAdmin() && !vsHosts.empty()) {\n\t\t\t\tVCString::const_iterator it;\n\t\t\t\tbool bFound = false;\n\t\t\t\tbool bFoundDCC = false;\n\n\t\t\t\tfor (it = vsHosts.begin(); it != vsHosts.end(); ++it) {\n\t\t\t\t\tif (sArg.Equals(*it)) {\n\t\t\t\t\t\tbFound = true;\n\t\t\t\t\t}\n\t\t\t\t\tif (sArg2.Equals(*it)) {\n\t\t\t\t\t\tbFoundDCC = true;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif (!bFound) {\n\t\t\t\t\tpNewUser->SetBindHost(pUser ? pUser->GetBindHost() : \"\");\n\t\t\t\t}\n\t\t\t\tif (!bFoundDCC) {\n\t\t\t\t\tpNewUser->SetDCCBindHost(pUser ? 
pUser->GetDCCBindHost() : \"\");\n\t\t\t\t}\n\t\t\t}\n\t\t} else if (pUser){\n\t\t\tpNewUser->SetBindHost(pUser->GetBindHost());\n\t\t\tpNewUser->SetDCCBindHost(pUser->GetDCCBindHost());\n\t\t}\n\n\t\tsArg = WebSock.GetParam(\"bufsize\"); if (!sArg.empty()) pNewUser->SetBufferCount(sArg.ToUInt(), spSession->IsAdmin());\n\t\tif (!sArg.empty()) {\n\t\t\t// First apply the old limit in case the new one is too high\n\t\t\tif (pUser)\n\t\t\t\tpNewUser->SetBufferCount(pUser->GetBufferCount(), true);\n\t\t\tpNewUser->SetBufferCount(sArg.ToUInt(), spSession->IsAdmin());\n\t\t}\n\n\t\tpNewUser->SetSkinName(WebSock.GetParam(\"skin\"));\n\t\tpNewUser->SetAutoClearChanBuffer(WebSock.GetParam(\"autoclearchanbuffer\").ToBool());\n\t\tpNewUser->SetMultiClients(WebSock.GetParam(\"multiclients\").ToBool());\n\t\tpNewUser->SetTimestampAppend(WebSock.GetParam(\"appendtimestamp\").ToBool());\n\t\tpNewUser->SetTimestampPrepend(WebSock.GetParam(\"prependtimestamp\").ToBool());\n\t\tpNewUser->SetTimezone(WebSock.GetParam(\"timezone\"));\n\t\tpNewUser->SetJoinTries(WebSock.GetParam(\"jointries\").ToUInt());\n\n\t\tif (spSession->IsAdmin()) {\n\t\t\tpNewUser->SetDenyLoadMod(WebSock.GetParam(\"denyloadmod\").ToBool());\n\t\t\tpNewUser->SetDenySetBindHost(WebSock.GetParam(\"denysetbindhost\").ToBool());\n\t\t\tsArg = WebSock.GetParam(\"maxnetworks\"); if (!sArg.empty()) pNewUser->SetMaxNetworks(sArg.ToUInt());\n\t\t} else if (pUser) {\n\t\t\tpNewUser->SetDenyLoadMod(pUser->DenyLoadMod());\n\t\t\tpNewUser->SetDenySetBindHost(pUser->DenySetBindHost());\n\t\t\tpNewUser->SetMaxNetworks(pUser->MaxNetworks());\n\t\t}\n\n\t\t// If pUser is not NULL, we are editing an existing user.\n\t\t// Users must not be able to change their own admin flag.\n\t\tif (pUser != CZNC::Get().FindUser(WebSock.GetUser())) {\n\t\t\tpNewUser->SetAdmin(WebSock.GetParam(\"isadmin\").ToBool());\n\t\t} else if (pUser) {\n\t\t\tpNewUser->SetAdmin(pUser->IsAdmin());\n\t\t}\n\n\t\tif (spSession->IsAdmin() || (pUser && 
!pUser->DenyLoadMod())) {\n\t\t\tWebSock.GetParamValues(\"loadmod\", vsArgs);\n\n\t\t\t// disallow unload webadmin from itself\n\t\t\tif (CModInfo::UserModule == GetType() && pUser == CZNC::Get().FindUser(WebSock.GetUser())) {\n\t\t\t\tbool bLoadedWebadmin = false;\n\t\t\t\tfor (a = 0; a < vsArgs.size(); ++a) {\n\t\t\t\t\tCString sModName = vsArgs[a].TrimRight_n(\"\\r\");\n\t\t\t\t\tif (sModName == GetModName()) {\n\t\t\t\t\t\tbLoadedWebadmin = true;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif (!bLoadedWebadmin) {\n\t\t\t\t\tvsArgs.push_back(GetModName());\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tfor (a = 0; a < vsArgs.size(); a++) {\n\t\t\t\tCString sModRet;\n\t\t\t\tCString sModName = vsArgs[a].TrimRight_n(\"\\r\");\n\t\t\t\tCString sModLoadError;\n\n\t\t\t\tif (!sModName.empty()) {\n\t\t\t\t\tCString sArgs = WebSock.GetParam(\"modargs_\" + sModName);\n\n\t\t\t\t\ttry {\n\t\t\t\t\t\tif (!pNewUser->GetModules().LoadModule(sModName, sArgs, CModInfo::UserModule, pNewUser, NULL, sModRet)) {\n\t\t\t\t\t\t\tsModLoadError = \"Unable to load module [\" + sModName + \"] [\" + sModRet + \"]\";\n\t\t\t\t\t\t}\n\t\t\t\t\t} catch (...) {\n\t\t\t\t\t\tsModLoadError = \"Unable to load module [\" + sModName + \"] [\" + sArgs + \"]\";\n\t\t\t\t\t}\n\n\t\t\t\t\tif (!sModLoadError.empty()) {\n\t\t\t\t\t\tDEBUG(sModLoadError);\n\t\t\t\t\t\tspSession->AddError(sModLoadError);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t} else if (pUser) {\n\t\t\tCModules& Modules = pUser->GetModules();\n\n\t\t\tfor (a = 0; a < Modules.size(); a++) {\n\t\t\t\tCString sModName = Modules[a]->GetModName();\n\t\t\t\tCString sArgs = Modules[a]->GetArgs();\n\t\t\t\tCString sModRet;\n\t\t\t\tCString sModLoadError;\n\n\t\t\t\ttry {\n\t\t\t\t\tif (!pNewUser->GetModules().LoadModule(sModName, sArgs, CModInfo::UserModule, pNewUser, NULL, sModRet)) {\n\t\t\t\t\t\tsModLoadError = \"Unable to load module [\" + sModName + \"] [\" + sModRet + \"]\";\n\t\t\t\t\t}\n\t\t\t\t} catch (...) 
{\n\t\t\t\t\tsModLoadError = \"Unable to load module [\" + sModName + \"]\";\n\t\t\t\t}\n\n\t\t\t\tif (!sModLoadError.empty()) {\n\t\t\t\t\tDEBUG(sModLoadError);\n\t\t\t\t\tspSession->AddError(sModLoadError);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn pNewUser;\n\t}", "project": "znc", "hash": 112430641071252289087083513148421543192, "size": 199, "commit_id": "2bd410ee5570cea127233f1133ea22f25174eb28", "message": "Fix NULL pointer dereference in webadmin.\n\nTriggerable by any non-admin, if webadmin is loaded.\n\nThe only affected version is 1.0\n\nThanks to ChauffeR (Simone Esposito) for reporting this.", "target": 0, "dataset": "other", "idx": 412192 }, { "func": "CallResult JSObject::putNamedWithReceiver_RJS(\n Handle selfHandle,\n Runtime *runtime,\n SymbolID name,\n Handle<> valueHandle,\n Handle<> receiver,\n PropOpFlags opFlags) {\n NamedPropertyDescriptor desc;\n\n // Look for the property in this object or along the prototype chain.\n JSObject *propObj = getNamedDescriptor(\n selfHandle,\n runtime,\n name,\n PropertyFlags::defaultNewNamedPropertyFlags(),\n desc);\n\n // If the property exists (or, we hit a proxy/hostobject on the way\n // up the chain)\n if (propObj) {\n // Get the simple case out of the way: If the property already\n // exists on selfHandle, is not an accessor, selfHandle and\n // receiver are the same, selfHandle is not a host\n // object/proxy/internal setter, and the property is writable,\n // just write into the same slot.\n\n if (LLVM_LIKELY(\n *selfHandle == propObj &&\n selfHandle.getHermesValue().getRaw() == receiver->getRaw() &&\n !desc.flags.accessor && !desc.flags.internalSetter &&\n !desc.flags.hostObject && !desc.flags.proxyObject &&\n desc.flags.writable)) {\n setNamedSlotValue(\n *selfHandle, runtime, desc, valueHandle.getHermesValue());\n return true;\n }\n\n if (LLVM_UNLIKELY(desc.flags.accessor)) {\n auto *accessor =\n vmcast(getNamedSlotValue(propObj, runtime, desc));\n\n // If it is a read-only accessor, fail.\n if 
(!accessor->setter) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n TwineChar16(\"Cannot assign to property '\") +\n runtime->getIdentifierTable().getStringViewForDev(runtime, name) +\n \"' which has only a getter\");\n }\n return false;\n }\n\n // Execute the accessor on this object.\n if (accessor->setter.get(runtime)->executeCall1(\n runtime->makeHandle(accessor->setter),\n runtime,\n receiver,\n *valueHandle) == ExecutionStatus::EXCEPTION) {\n return ExecutionStatus::EXCEPTION;\n }\n return true;\n }\n\n if (LLVM_UNLIKELY(desc.flags.proxyObject)) {\n assert(\n !opFlags.getMustExist() &&\n \"MustExist cannot be used with Proxy objects\");\n CallResult setRes = JSProxy::setNamed(\n runtime->makeHandle(propObj), runtime, name, valueHandle, receiver);\n if (LLVM_UNLIKELY(setRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n if (!*setRes && opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n TwineChar16(\"Proxy set returned false for property '\") +\n runtime->getIdentifierTable().getStringView(runtime, name) + \"'\");\n }\n return setRes;\n }\n\n if (LLVM_UNLIKELY(!desc.flags.writable)) {\n if (desc.flags.staticBuiltin) {\n return raiseErrorForOverridingStaticBuiltin(\n selfHandle, runtime, runtime->makeHandle(name));\n }\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n TwineChar16(\"Cannot assign to read-only property '\") +\n runtime->getIdentifierTable().getStringViewForDev(runtime, name) +\n \"'\");\n }\n return false;\n }\n\n if (*selfHandle == propObj && desc.flags.internalSetter) {\n return internalSetter(\n selfHandle, runtime, name, desc, valueHandle, opFlags);\n }\n }\n\n // The property does not exist as an conventional own property on\n // this object.\n\n MutableHandle receiverHandle{runtime, *selfHandle};\n if (selfHandle.getHermesValue().getRaw() != receiver->getRaw() ||\n receiverHandle->isHostObject() || receiverHandle->isProxyObject()) {\n if 
(selfHandle.getHermesValue().getRaw() != receiver->getRaw()) {\n receiverHandle = dyn_vmcast(*receiver);\n }\n if (!receiverHandle) {\n return false;\n }\n\n if (getOwnNamedDescriptor(receiverHandle, runtime, name, desc)) {\n if (LLVM_UNLIKELY(desc.flags.accessor || !desc.flags.writable)) {\n return false;\n }\n\n assert(\n !receiverHandle->isHostObject() && !receiverHandle->isProxyObject() &&\n \"getOwnNamedDescriptor never sets hostObject or proxyObject flags\");\n\n setNamedSlotValue(\n *receiverHandle, runtime, desc, valueHandle.getHermesValue());\n return true;\n }\n\n // Now deal with host and proxy object cases. We need to call\n // getOwnComputedPrimitiveDescriptor because it knows how to call\n // the [[getOwnProperty]] Proxy impl if needed.\n if (LLVM_UNLIKELY(\n receiverHandle->isHostObject() ||\n receiverHandle->isProxyObject())) {\n if (receiverHandle->isHostObject()) {\n return vmcast(receiverHandle.get())\n ->set(name, *valueHandle);\n }\n ComputedPropertyDescriptor desc;\n CallResult descDefinedRes = getOwnComputedPrimitiveDescriptor(\n receiverHandle,\n runtime,\n name.isUniqued() ? 
runtime->makeHandle(HermesValue::encodeStringValue(\n runtime->getStringPrimFromSymbolID(name)))\n : runtime->makeHandle(name),\n IgnoreProxy::No,\n desc);\n if (LLVM_UNLIKELY(descDefinedRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n DefinePropertyFlags dpf;\n if (*descDefinedRes) {\n dpf.setValue = 1;\n } else {\n dpf = DefinePropertyFlags::getDefaultNewPropertyFlags();\n }\n return JSProxy::defineOwnProperty(\n receiverHandle, runtime, name, dpf, valueHandle, opFlags);\n }\n }\n\n // Does the caller require it to exist?\n if (LLVM_UNLIKELY(opFlags.getMustExist())) {\n return runtime->raiseReferenceError(\n TwineChar16(\"Property '\") +\n runtime->getIdentifierTable().getStringViewForDev(runtime, name) +\n \"' doesn't exist\");\n }\n\n // Add a new property.\n\n return addOwnProperty(\n receiverHandle,\n runtime,\n name,\n DefinePropertyFlags::getDefaultNewPropertyFlags(),\n valueHandle,\n opFlags);\n}", "project": "hermes", "hash": 319495934090153758233843833330931194020, "size": 178, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230266 }, { "func": "CallResult JSObject::putNamedWithReceiver_RJS(\n Handle selfHandle,\n Runtime *runtime,\n SymbolID name,\n Handle<> valueHandle,\n Handle<> receiver,\n PropOpFlags opFlags) {\n NamedPropertyDescriptor desc;\n\n // Look for the property in this object or along the prototype chain.\n JSObject *propObj = getNamedDescriptor(\n selfHandle,\n runtime,\n name,\n PropertyFlags::defaultNewNamedPropertyFlags(),\n desc);\n\n // If the property exists (or, we hit a proxy/hostobject on the way\n // up the chain)\n if (propObj) {\n // Get the simple case out of the way: If the property already\n // exists on selfHandle, is not an accessor, selfHandle and\n // receiver are the same, selfHandle is not a host\n // object/proxy/internal setter, and the property is writable,\n // just write into the same slot.\n\n if (LLVM_LIKELY(\n *selfHandle == propObj &&\n selfHandle.getHermesValue().getRaw() == receiver->getRaw() &&\n !desc.flags.accessor && !desc.flags.internalSetter &&\n !desc.flags.hostObject && !desc.flags.proxyObject &&\n desc.flags.writable)) {\n setNamedSlotValue(\n *selfHandle, runtime, desc, valueHandle.getHermesValue());\n return true;\n }\n\n if (LLVM_UNLIKELY(desc.flags.accessor)) {\n auto *accessor =\n vmcast(getNamedSlotValue(propObj, runtime, desc));\n\n // If it is a read-only accessor, fail.\n if (!accessor->setter) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n TwineChar16(\"Cannot assign to property '\") +\n runtime->getIdentifierTable().getStringViewForDev(runtime, name) +\n \"' which has only a getter\");\n }\n return false;\n }\n\n // Execute the accessor on this object.\n if (accessor->setter.get(runtime)->executeCall1(\n 
runtime->makeHandle(accessor->setter),\n runtime,\n receiver,\n *valueHandle) == ExecutionStatus::EXCEPTION) {\n return ExecutionStatus::EXCEPTION;\n }\n return true;\n }\n\n if (LLVM_UNLIKELY(desc.flags.proxyObject)) {\n assert(\n !opFlags.getMustExist() &&\n \"MustExist cannot be used with Proxy objects\");\n CallResult setRes = JSProxy::setNamed(\n runtime->makeHandle(propObj), runtime, name, valueHandle, receiver);\n if (LLVM_UNLIKELY(setRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n if (!*setRes && opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n TwineChar16(\"Proxy set returned false for property '\") +\n runtime->getIdentifierTable().getStringView(runtime, name) + \"'\");\n }\n return setRes;\n }\n\n if (LLVM_UNLIKELY(!desc.flags.writable)) {\n if (desc.flags.staticBuiltin) {\n return raiseErrorForOverridingStaticBuiltin(\n selfHandle, runtime, runtime->makeHandle(name));\n }\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n TwineChar16(\"Cannot assign to read-only property '\") +\n runtime->getIdentifierTable().getStringViewForDev(runtime, name) +\n \"'\");\n }\n return false;\n }\n\n if (*selfHandle == propObj && desc.flags.internalSetter) {\n return internalSetter(\n selfHandle, runtime, name, desc, valueHandle, opFlags);\n }\n }\n\n // The property does not exist as an conventional own property on\n // this object.\n\n MutableHandle receiverHandle{runtime, *selfHandle};\n if (selfHandle.getHermesValue().getRaw() != receiver->getRaw() ||\n receiverHandle->isHostObject() || receiverHandle->isProxyObject()) {\n if (selfHandle.getHermesValue().getRaw() != receiver->getRaw()) {\n receiverHandle = dyn_vmcast(*receiver);\n }\n if (!receiverHandle) {\n return false;\n }\n\n if (getOwnNamedDescriptor(receiverHandle, runtime, name, desc)) {\n if (LLVM_UNLIKELY(desc.flags.accessor || !desc.flags.writable)) {\n return false;\n }\n\n assert(\n !receiverHandle->isHostObject() && 
!receiverHandle->isProxyObject() &&\n \"getOwnNamedDescriptor never sets hostObject or proxyObject flags\");\n\n setNamedSlotValue(\n *receiverHandle, runtime, desc, valueHandle.getHermesValue());\n return true;\n }\n\n // Now deal with host and proxy object cases. We need to call\n // getOwnComputedPrimitiveDescriptor because it knows how to call\n // the [[getOwnProperty]] Proxy impl if needed.\n if (LLVM_UNLIKELY(\n receiverHandle->isHostObject() ||\n receiverHandle->isProxyObject())) {\n if (receiverHandle->isHostObject()) {\n return vmcast(receiverHandle.get())\n ->set(name, *valueHandle);\n }\n ComputedPropertyDescriptor desc;\n Handle<> nameValHandle = runtime->makeHandle(name);\n CallResult descDefinedRes = getOwnComputedPrimitiveDescriptor(\n receiverHandle, runtime, nameValHandle, IgnoreProxy::No, desc);\n if (LLVM_UNLIKELY(descDefinedRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n DefinePropertyFlags dpf;\n if (*descDefinedRes) {\n dpf.setValue = 1;\n } else {\n dpf = DefinePropertyFlags::getDefaultNewPropertyFlags();\n }\n return JSProxy::defineOwnProperty(\n receiverHandle, runtime, nameValHandle, dpf, valueHandle, opFlags);\n }\n }\n\n // Does the caller require it to exist?\n if (LLVM_UNLIKELY(opFlags.getMustExist())) {\n return runtime->raiseReferenceError(\n TwineChar16(\"Property '\") +\n runtime->getIdentifierTable().getStringViewForDev(runtime, name) +\n \"' doesn't exist\");\n }\n\n // Add a new property.\n\n return addOwnProperty(\n receiverHandle,\n runtime,\n name,\n DefinePropertyFlags::getDefaultNewPropertyFlags(),\n valueHandle,\n opFlags);\n}", "project": "hermes", "hash": 293798249856785184877903642906114102409, "size": 173, "commit_id": "8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0", "message": "Handle set where internalSetter and Proxy are both true\n\nSummary:\nIf putComputed is called on a proxy whose target's prototype\nis an array with a propname of 'length', then internalSetter will be\ntrue, and the 
receiver will be a proxy. In that case, proxy needs to\nwin; the behavior may assert or be UB otherwise.\n\nReviewed By: tmikov\n\nDifferential Revision: D23916279\n\nfbshipit-source-id: c760356d48a02ece565fb4bc1acdafd7ccad7c68", "target": 0, "dataset": "other", "idx": 259370 }, { "func": " static Status BuildDenseFeatureReader(const Tensor& values,\n FeatureReaders* features) {\n if (values.dtype() == DT_INT64) {\n features->emplace_back(new DenseFeatureReader(values));\n } else if (values.dtype() == DT_STRING) {\n features->emplace_back(new DenseFeatureReader(values));\n } else {\n return errors::InvalidArgument(\"Unexpected dtype for input \",\n (features->size() + 1), \": \",\n values.dtype());\n }\n return Status::OK();\n }", "project": "tensorflow", "hash": 338820867445986485371219866686795413577, "size": 13, "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a", "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9", "target": 0, "dataset": "other", "idx": 230070 }, { "func": "static int64_t _intsetGetEncoded(intset *is, int pos, uint8_t enc) {\n int64_t v64;\n int32_t v32;\n int16_t v16;\n\n if (enc == INTSET_ENC_INT64) {\n memcpy(&v64,((int64_t*)is->contents)+pos,sizeof(v64));\n memrev64ifbe(&v64);\n return v64;\n } else if (enc == INTSET_ENC_INT32) {\n memcpy(&v32,((int32_t*)is->contents)+pos,sizeof(v32));\n memrev32ifbe(&v32);\n return v32;\n } else {\n memcpy(&v16,((int16_t*)is->contents)+pos,sizeof(v16));\n memrev16ifbe(&v16);\n return v16;\n }\n}", "project": "redis", "hash": 90427976541189838804171765030811969115, "size": 19, "commit_id": "789f10156009b404950ad717642a9496ed887083", "message": "Fix integer overflow in intset (CVE-2021-29478)\n\nAn integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and\npotentially result with remote code execution.\n\nThe vulnerability involves changing the default set-max-intset-entries\nconfiguration 
value, creating a large set key that consists of integer values\nand using the COPY command to duplicate it.\n\nThe integer overflow bug exists in all versions of Redis starting with 2.6,\nwhere it could result with a corrupted RDB or DUMP payload, but not exploited\nthrough COPY (which did not exist before 6.2).\n\n(cherry picked from commit 29900d4e6bccdf3691bedf0ea9a5d84863fa3592)", "target": 0, "dataset": "other", "idx": 290632 }, { "func": "void imap_qualify_path(char *buf, size_t buflen, struct ConnAccount *cac, char *path)\n{\n struct Url url = { 0 };\n mutt_account_tourl(cac, &url);\n url.path = path;\n url_tostring(&url, buf, buflen, U_NO_FLAGS);\n}", "project": "neomutt", "hash": 193511972337652409962389250645105600397, "size": 7, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399270 }, { "func": "uint8 CSoundFile::GetBestMidiChannel(CHANNELINDEX nChn) const\n{\n\tif(nChn >= MAX_CHANNELS)\n\t{\n\t\treturn 0;\n\t}\n\n\tconst ModInstrument *ins = m_PlayState.Chn[nChn].pModInstrument;\n\tif(ins != nullptr)\n\t{\n\t\tif(ins->nMidiChannel == MidiMappedChannel)\n\t\t{\n\t\t\t// For mapped channels, return their pattern channel, modulo 16 (because there are only 16 MIDI channels)\n\t\t\treturn (m_PlayState.Chn[nChn].nMasterChn ? 
(m_PlayState.Chn[nChn].nMasterChn - 1) : nChn) % 16;\n\t\t} else if(ins->HasValidMIDIChannel())\n\t\t{\n\t\t\treturn (ins->nMidiChannel - 1) & 0x0F;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "openmpt", "hash": 48395049976729898178881385518077660864, "size": 21, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255209 }, { "func": "void tty_vhangup(struct tty_struct *tty)\n{\n\ttty_debug_hangup(tty, \"vhangup\\n\");\n\t__tty_hangup(tty, 0);\n}", "project": "linux", "hash": 107118881432681217815400913841990662923, "size": 5, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325985 }, { "func": "static void hci_user_passkey_notify_evt(struct hci_dev *hdev,\n\t\t\t\t\tstruct sk_buff *skb)\n{\n\tstruct hci_ev_user_passkey_notify *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);\n\tif (!conn)\n\t\treturn;\n\n\tconn->passkey_notify = __le32_to_cpu(ev->passkey);\n\tconn->passkey_entered = 0;\n\n\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tmgmt_user_passkey_notify(hdev, &conn->dst, conn->type,\n\t\t\t\t\t conn->dst_type, conn->passkey_notify,\n\t\t\t\t\t conn->passkey_entered);\n}", "project": "linux", "hash": 59210472121974919199760164351910152890, "size": 20, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431872 }, { "func": "__init static int tracer_alloc_buffers(void)\n{\n\tint ring_buf_size;\n\tint ret = -ENOMEM;\n\n\t/*\n\t * Make sure we don't accidently add more trace options\n\t * than we have bits for.\n\t */\n\tBUILD_BUG_ON(TRACE_ITER_LAST_BIT > TRACE_FLAGS_MAX_SIZE);\n\n\tif (!alloc_cpumask_var(&tracing_buffer_mask, GFP_KERNEL))\n\t\tgoto out;\n\n\tif (!alloc_cpumask_var(&global_trace.tracing_cpumask, GFP_KERNEL))\n\t\tgoto out_free_buffer_mask;\n\n\t/* Only allocate trace_printk buffers if a trace_printk exists */\n\tif (__stop___trace_bprintk_fmt != __start___trace_bprintk_fmt)\n\t\t/* Must be called before global_trace.buffer is allocated */\n\t\ttrace_printk_init_buffers();\n\n\t/* To save memory, keep the ring buffer size to its minimum */\n\tif (ring_buffer_expanded)\n\t\tring_buf_size = trace_buf_size;\n\telse\n\t\tring_buf_size = 1;\n\n\tcpumask_copy(tracing_buffer_mask, cpu_possible_mask);\n\tcpumask_copy(global_trace.tracing_cpumask, cpu_all_mask);\n\n\traw_spin_lock_init(&global_trace.start_lock);\n\n\t/*\n\t * The prepare callbacks allocates some memory for the ring buffer. We\n\t * don't free the buffer if the if the CPU goes down. If we were to free\n\t * the buffer, then the user would lose any trace that was in the\n\t * buffer. 
The memory will be removed once the \"instance\" is removed.\n\t */\n\tret = cpuhp_setup_state_multi(CPUHP_TRACE_RB_PREPARE,\n\t\t\t\t \"trace/RB:preapre\", trace_rb_cpu_prepare,\n\t\t\t\t NULL);\n\tif (ret < 0)\n\t\tgoto out_free_cpumask;\n\t/* Used for event triggers */\n\tret = -ENOMEM;\n\ttemp_buffer = ring_buffer_alloc(PAGE_SIZE, RB_FL_OVERWRITE);\n\tif (!temp_buffer)\n\t\tgoto out_rm_hp_state;\n\n\tif (trace_create_savedcmd() < 0)\n\t\tgoto out_free_temp_buffer;\n\n\t/* TODO: make the number of buffers hot pluggable with CPUS */\n\tif (allocate_trace_buffers(&global_trace, ring_buf_size) < 0) {\n\t\tprintk(KERN_ERR \"tracer: failed to allocate ring buffer!\\n\");\n\t\tWARN_ON(1);\n\t\tgoto out_free_savedcmd;\n\t}\n\n\tif (global_trace.buffer_disabled)\n\t\ttracing_off();\n\n\tif (trace_boot_clock) {\n\t\tret = tracing_set_clock(&global_trace, trace_boot_clock);\n\t\tif (ret < 0)\n\t\t\tpr_warn(\"Trace clock %s not defined, going back to default\\n\",\n\t\t\t\ttrace_boot_clock);\n\t}\n\n\t/*\n\t * register_tracer() might reference current_trace, so it\n\t * needs to be set before we register anything. 
This is\n\t * just a bootstrap of current_trace anyway.\n\t */\n\tglobal_trace.current_trace = &nop_trace;\n\n\tglobal_trace.max_lock = (arch_spinlock_t)__ARCH_SPIN_LOCK_UNLOCKED;\n\n\tftrace_init_global_array_ops(&global_trace);\n\n\tinit_trace_flags_index(&global_trace);\n\n\tregister_tracer(&nop_trace);\n\n\t/* Function tracing may start here (via kernel command line) */\n\tinit_function_trace();\n\n\t/* All seems OK, enable tracing */\n\ttracing_disabled = 0;\n\n\tatomic_notifier_chain_register(&panic_notifier_list,\n\t\t\t\t &trace_panic_notifier);\n\n\tregister_die_notifier(&trace_die_notifier);\n\n\tglobal_trace.flags = TRACE_ARRAY_FL_GLOBAL;\n\n\tINIT_LIST_HEAD(&global_trace.systems);\n\tINIT_LIST_HEAD(&global_trace.events);\n\tlist_add(&global_trace.list, &ftrace_trace_arrays);\n\n\tapply_trace_boot_options();\n\n\tregister_snapshot_cmd();\n\n\treturn 0;\n\nout_free_savedcmd:\n\tfree_saved_cmdlines_buffer(savedcmd);\nout_free_temp_buffer:\n\tring_buffer_free(temp_buffer);\nout_rm_hp_state:\n\tcpuhp_remove_multi_state(CPUHP_TRACE_RB_PREPARE);\nout_free_cpumask:\n\tfree_cpumask_var(global_trace.tracing_cpumask);\nout_free_buffer_mask:\n\tfree_cpumask_var(tracing_buffer_mask);\nout:\n\treturn ret;\n}", "project": "linux", "hash": 92434229960145683259852922662993645094, "size": 121, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445606 }, { "func": "void CServer::SendServerInfo(int ClientID)\n{\n\tCMsgPacker Msg(NETMSG_SERVERINFO, true);\n\tGenerateServerInfo(&Msg, -1);\n\tif(ClientID == -1)\n\t{\n\t\tfor(int i = 0; i < MAX_CLIENTS; i++)\n\t\t{\n\t\t\tif(m_aClients[i].m_State != CClient::STATE_EMPTY)\n\t\t\t\tSendMsg(&Msg, MSGFLAG_VITAL|MSGFLAG_FLUSH, i);\n\t\t}\n\t}\n\telse if(ClientID >= 0 && ClientID < MAX_CLIENTS && m_aClients[ClientID].m_State != CClient::STATE_EMPTY)\n\t\tSendMsg(&Msg, MSGFLAG_VITAL|MSGFLAG_FLUSH, ClientID);\n}", "project": "teeworlds", "hash": 321256057271329714786800008063798070002, "size": 15, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382051 }, { "func": "static int run_tracer_selftest(struct tracer *type)\n{\n\tstruct trace_array *tr = &global_trace;\n\tstruct tracer *saved_tracer = tr->current_trace;\n\tint ret;\n\n\tif (!type->selftest || tracing_selftest_disabled)\n\t\treturn 0;\n\n\t/*\n\t * If a tracer registers early in boot up (before scheduling is\n\t * initialized and such), then do not run its selftests yet.\n\t * Instead, run it a little later in the boot process.\n\t */\n\tif (!selftests_can_run)\n\t\treturn save_selftest(type);\n\n\t/*\n\t * Run a selftest on this tracer.\n\t * Here we reset the trace buffer, and set the current\n\t * tracer to be this tracer. 
The tracer can then run some\n\t * internal tracing to verify that everything is in order.\n\t * If we fail, we do not register this tracer.\n\t */\n\ttracing_reset_online_cpus(&tr->trace_buffer);\n\n\ttr->current_trace = type;\n\n#ifdef CONFIG_TRACER_MAX_TRACE\n\tif (type->use_max_tr) {\n\t\t/* If we expanded the buffers, make sure the max is expanded too */\n\t\tif (ring_buffer_expanded)\n\t\t\tring_buffer_resize(tr->max_buffer.buffer, trace_buf_size,\n\t\t\t\t\t RING_BUFFER_ALL_CPUS);\n\t\ttr->allocated_snapshot = true;\n\t}\n#endif\n\n\t/* the test is responsible for initializing and enabling */\n\tpr_info(\"Testing tracer %s: \", type->name);\n\tret = type->selftest(type, tr);\n\t/* the test is responsible for resetting too */\n\ttr->current_trace = saved_tracer;\n\tif (ret) {\n\t\tprintk(KERN_CONT \"FAILED!\\n\");\n\t\t/* Add the warning after printing 'FAILED' */\n\t\tWARN_ON(1);\n\t\treturn -1;\n\t}\n\t/* Only reset on passing, to avoid touching corrupted buffers */\n\ttracing_reset_online_cpus(&tr->trace_buffer);\n\n#ifdef CONFIG_TRACER_MAX_TRACE\n\tif (type->use_max_tr) {\n\t\ttr->allocated_snapshot = false;\n\n\t\t/* Shrink the max buffer again */\n\t\tif (ring_buffer_expanded)\n\t\t\tring_buffer_resize(tr->max_buffer.buffer, 1,\n\t\t\t\t\t RING_BUFFER_ALL_CPUS);\n\t}\n#endif\n\n\tprintk(KERN_CONT \"PASSED\\n\");\n\treturn 0;\n}", "project": "linux", "hash": 80099759275287783201862174407702728186, "size": 66, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445721 }, { "func": "static inline int run_tracer_selftest(struct tracer *type)\n{\n\treturn 0;\n}", "project": "linux", "hash": 229284417679074110184687436764867769793, "size": 4, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445732 }, { "func": "static long hung_up_tty_compat_ioctl(struct file *file,\n\t\t\t\t unsigned int cmd, unsigned long arg)\n{\n\treturn cmd == TIOCSPGRP ? 
-ENOTTY : -EIO;\n}", "project": "linux", "hash": 1038588172512372765750209420271982776, "size": 5, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326049 }, { "func": "static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)\n{\n\tstruct hci_cp_le_start_enc *cp;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (!status)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tcp = 
hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);\n\tif (!cp)\n\t\tgoto unlock;\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));\n\tif (!conn)\n\t\tgoto unlock;\n\n\tif (conn->state != BT_CONNECTED)\n\t\tgoto unlock;\n\n\thci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);\n\thci_conn_drop(conn);\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 311989777633867679520645424455107373669, "size": 29, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431984 }, { "func": "int ScaleX(rfbScreenInfoPtr from, rfbScreenInfoPtr to, int x)\n{\n if ((from==to) || (from==NULL) || (to==NULL)) return x;\n return ((int)(((double) x / (double)from->width) * (double)to->width ));\n}", "project": "libvncserver", "hash": 339565001501091949268453535118966466058, "size": 5, "commit_id": "a6788d1da719ae006605b78d22f5a9f170b423af", "message": "libvncserver: scale: cast to 64 bit before shifting\n\nSince pixel_value is 64 bit the data type of the shift operand should\nbe 64 bit too to prevent integer overflows.", "target": 0, "dataset": "other", "idx": 296800 }, { "func": "HttpStateData::processSurrogateControl(HttpReply *reply)\n{\n if (request->flags.accelerated && reply->surrogate_control) {\n HttpHdrScTarget *sctusable = reply->surrogate_control->getMergedTarget(Config.Accel.surrogate_id);\n\n if (sctusable) {\n if (sctusable->hasNoStore() ||\n 
(Config.onoff.surrogate_is_remote\n && sctusable->noStoreRemote())) {\n surrogateNoStore = true;\n // Be conservative for now and make it non-shareable because\n // there is no enough information here to make the decision.\n entry->makePrivate(false);\n }\n\n /* The HttpHeader logic cannot tell if the header it's parsing is a reply to an\n * accelerated request or not...\n * Still, this is an abstraction breach. - RC\n */\n if (sctusable->hasMaxAge()) {\n if (sctusable->maxAge() < sctusable->maxStale())\n reply->expires = reply->date + sctusable->maxAge();\n else\n reply->expires = reply->date + sctusable->maxStale();\n\n /* And update the timestamps */\n entry->timestampsSet();\n }\n\n /* We ignore cache-control directives as per the Surrogate specification */\n ignoreCacheControl = true;\n\n delete sctusable;\n }\n }\n}", "project": "squid", "hash": 275938481914721525266855475207711372273, "size": 36, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402327 }, { "func": " void DoRealForwardFFT(OpKernelContext* ctx, uint64* fft_shape,\n const Tensor& in, Tensor* out) {\n // Create the axes (which are always trailing).\n const auto axes = Eigen::ArrayXi::LinSpaced(FFTRank, 1, FFTRank);\n auto device = ctx->eigen_device();\n auto input = Tensor(in).flat_inner_dims();\n const auto input_dims = input.dimensions();\n\n // Slice input to fft_shape on its inner-most dimensions.\n Eigen::DSizes input_slice_sizes;\n input_slice_sizes[0] = input_dims[0];\n TensorShape temp_shape{input_dims[0]};\n for (int i = 1; i <= FFTRank; ++i) {\n input_slice_sizes[i] = fft_shape[i - 1];\n temp_shape.AddDim(fft_shape[i - 1]);\n }\n\n auto output = out->flat_inner_dims();\n const Eigen::DSizes zero_start_indices;\n\n // Compute the full FFT using a temporary tensor.\n Tensor temp;\n OP_REQUIRES_OK(ctx, ctx->allocate_temp(DataTypeToEnum::v(),\n temp_shape, &temp));\n auto full_fft = temp.flat_inner_dims();\n full_fft.device(device) =\n input.slice(zero_start_indices, input_slice_sizes)\n .template fft(axes);\n\n // Slice away the negative frequency components.\n output.device(device) =\n full_fft.slice(zero_start_indices, output.dimensions());\n }", "project": "tensorflow", "hash": 280992516761239439019736638647860473416, "size": 33, "commit_id": "31bd5026304677faa8a0b77602c6154171b9aec1", "message": "Prevent check fail in FFT\n\nPiperOrigin-RevId: 372031044\nChange-Id: I50994e3e8a5d1342d01bde80256f6bf2730ca299", "target": 1, "dataset": "other", "idx": 195958 }, { "func": " void DoRealForwardFFT(OpKernelContext* ctx, uint64* 
fft_shape,\n const Tensor& in, Tensor* out) {\n // Create the axes (which are always trailing).\n const auto axes = Eigen::ArrayXi::LinSpaced(FFTRank, 1, FFTRank);\n auto device = ctx->eigen_device();\n auto input = Tensor(in).flat_inner_dims();\n const auto input_dims = input.dimensions();\n\n // Slice input to fft_shape on its inner-most dimensions.\n Eigen::DSizes input_slice_sizes;\n input_slice_sizes[0] = input_dims[0];\n TensorShape temp_shape{input_dims[0]};\n for (int i = 1; i <= FFTRank; ++i) {\n input_slice_sizes[i] = fft_shape[i - 1];\n temp_shape.AddDim(fft_shape[i - 1]);\n }\n OP_REQUIRES(ctx, temp_shape.num_elements() > 0,\n errors::InvalidArgument(\"Obtained a FFT shape of 0 elements: \",\n temp_shape.DebugString()));\n\n auto output = out->flat_inner_dims();\n const Eigen::DSizes zero_start_indices;\n\n // Compute the full FFT using a temporary tensor.\n Tensor temp;\n OP_REQUIRES_OK(ctx, ctx->allocate_temp(DataTypeToEnum::v(),\n temp_shape, &temp));\n auto full_fft = temp.flat_inner_dims();\n full_fft.device(device) =\n input.slice(zero_start_indices, input_slice_sizes)\n .template fft(axes);\n\n // Slice away the negative frequency components.\n output.device(device) =\n full_fft.slice(zero_start_indices, output.dimensions());\n }", "project": "tensorflow", "hash": 309164948673975832942418971794723232104, "size": 36, "commit_id": "31bd5026304677faa8a0b77602c6154171b9aec1", "message": "Prevent check fail in FFT\n\nPiperOrigin-RevId: 372031044\nChange-Id: I50994e3e8a5d1342d01bde80256f6bf2730ca299", "target": 0, "dataset": "other", "idx": 235720 }, { "func": "static inline size_t eir_get_length(u8 *eir, size_t eir_len)\n{\n\tsize_t parsed = 0;\n\n\twhile (parsed < eir_len) {\n\t\tu8 field_len = eir[0];\n\n\t\tif (field_len == 0)\n\t\t\treturn parsed;\n\n\t\tparsed += field_len + 1;\n\t\teir += field_len + 1;\n\t}\n\n\treturn eir_len;\n}", "project": "linux", "hash": 245017047331077223995015718613917759478, "size": 16, "commit_id": 
"51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431950 }, { "func": "void MemFile::unzip() {\n assertx(m_len != -1);\n assertx(!m_malloced);\n assertx(m_cursor == 0);\n int len = m_len;\n char *data = gzdecode(m_data, len);\n if (data == nullptr) {\n raise_fatal_error((std::string(\"cannot unzip mem stream: \") +\n getName()).c_str());\n }\n m_data = data;\n m_malloced = true;\n m_len = len;\n}", "project": "hhvm", "hash": 313596314797816460513125178493415779720, "size": 14, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219552 }, { "func": "bool CClient::OnActionMessage(CActionMessage& Message) {\n CString sTargets = Message.GetTarget();\n\n VCString vTargets;\n sTargets.Split(\",\", vTargets, false);\n\n for (CString& sTarget : vTargets) {\n Message.SetTarget(sTarget);\n if (m_pNetwork) {\n // May be nullptr.\n Message.SetChan(m_pNetwork->FindChan(sTarget));\n }\n\n bool bContinue = false;\n NETWORKMODULECALL(OnUserActionMessage(Message), m_pUser, m_pNetwork,\n this, &bContinue);\n if (bContinue) continue;\n\n if (m_pNetwork) {\n AddBuffer(Message);\n EchoMessage(Message);\n PutIRC(Message.ToString(CMessage::ExcludePrefix |\n CMessage::ExcludeTags));\n }\n }\n\n return true;\n}", "project": "znc", "hash": 
138131151713474357412267339340524501790, "size": 28, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231604 }, { "func": "static void gdImageVLine(gdImagePtr im, int x, int y1, int y2, int col)\n{\n\tif (im->thick > 1) {\n\t\tint thickhalf = im->thick >> 1;\n\t\tgdImageFilledRectangle(im, x - thickhalf, y1, x + im->thick - thickhalf - 1, y2, col);\n\t} else {\n\t\tif (y2 < y1) {\n\t\t\tint t = y1;\n\t\t\ty1 = y2;\n\t\t\ty2 = t;\n\t\t}\n\n\t\tfor (;y1 <= y2; y1++) {\n\t\t\tgdImageSetPixel(im, x, y1, col);\n\t\t}\n\t}\n\treturn;\n}", "project": "php-src", "hash": 138780447413458987281538244146945166032, "size": 18, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295142 }, { "func": "bool JOIN_TAB::hash_join_is_possible()\n{\n if (type != JT_REF && type != JT_EQ_REF)\n return FALSE;\n if (!is_ref_for_hash_join())\n {\n KEY *keyinfo= table->key_info + ref.key;\n return keyinfo->key_part[0].field->hash_join_is_possible();\n }\n return TRUE;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 322708399868998233002162097328813893864, "size": 11, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508563 }, { "func": "static void f_luaopen (lua_State *L, void *ud) {\n global_State *g = G(L);\n UNUSED(ud);\n stack_init(L, L); /* init stack */\n init_registry(L, g);\n luaS_init(L);\n luaT_init(L);\n luaX_init(L);\n g->gcrunning = 1; /* allow gc */\n setnilvalue(&g->nilvalue);\n luai_userstateopen(L);\n}", "project": "lua", "hash": 104448045035355988150149797291376506416, "size": 12, "commit_id": "a2195644d89812e5b157ce7bac35543e06db05e3", "message": "Fixed bug: invalid 'oldpc' when returning to a function\n\nThe field 'L->oldpc' is not always updated when control returns to a\nfunction; an invalid value can seg. fault when computing 'changedline'.\n(One example is an error in a finalizer; control can return to\n'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to\nfix all possible corner cases, it seems safer to be resilient to invalid\nvalues for 'oldpc'. Valid but wrong values at most cause an extra call\nto a line hook.", "target": 0, "dataset": "other", "idx": 462773 }, { "func": "static int detect_idkey(\n\tsc_pkcs15_card_t *p15card\n){\n\tsc_card_t *card=p15card->card;\n\tsc_path_t p;\n\n\t/* TCKEY-Applikation ? 
*/\n\tmemset(&p, 0, sizeof(sc_path_t));\n\tp.type=SC_PATH_TYPE_DF_NAME;\n\tmemcpy(p.value, \"\\xD2\\x76\\x00\\x00\\x03\\x0C\\x01\", p.len=7);\n\tif (sc_select_file(card,&p,NULL)!=SC_SUCCESS) return 1;\n\n\tset_string(&p15card->tokeninfo->manufacturer_id, \"TeleSec GmbH\");\n\tset_string(&p15card->tokeninfo->label, \"IDKey Card\");\n\n\tinsert_cert(p15card, \"DF074331\", 0x45, 1, \"Signatur Zertifikat 1\");\n\tinsert_cert(p15card, \"DF074332\", 0x46, 1, \"Signatur Zertifikat 2\");\n\tinsert_cert(p15card, \"DF074333\", 0x47, 1, \"Signatur Zertifikat 3\");\n\tinsert_cert(p15card, \"DF084331\", 0x4B, 1, \"Verschluesselungs Zertifikat 1\");\n\tinsert_cert(p15card, \"DF084332\", 0x4C, 1, \"Verschluesselungs Zertifikat 2\");\n\tinsert_cert(p15card, \"DF084333\", 0x4D, 1, \"Verschluesselungs Zertifikat 3\");\n\t/* TODO should others come here too? */\n\n\tinsert_key(p15card, \"DF074E03\", 0x45, 0x84, 2048, 1, \"IDKey1\");\n\tinsert_key(p15card, \"DF074E04\", 0x46, 0x85, 2048, 1, \"IDKey2\");\n\tinsert_key(p15card, \"DF074E05\", 0x47, 0x86, 2048, 1, \"IDKey3\");\n\tinsert_key(p15card, \"DF074E06\", 0x48, 0x87, 2048, 1, \"IDKey4\");\n\tinsert_key(p15card, \"DF074E07\", 0x49, 0x88, 2048, 1, \"IDKey5\");\n\tinsert_key(p15card, \"DF074E08\", 0x4A, 0x89, 2048, 1, \"IDKey6\");\n\tinsert_key(p15card, \"DF084E01\", 0x4B, 0x81, 2048, 1, \"IDKey7\");\n\tinsert_key(p15card, \"DF084E02\", 0x4C, 0x82, 2048, 1, \"IDKey8\");\n\tinsert_key(p15card, \"DF084E03\", 0x4D, 0x83, 2048, 1, \"IDKey9\");\n\n\tinsert_pin(p15card, \"5000\", 1, 2, 0x00, 6, \"PIN\",\n\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | SC_PKCS15_PIN_FLAG_INITIALIZED\n\t);\n\tinsert_pin(p15card, \"5001\", 2, 0, 0x01, 8, \"PUK\",\n\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | SC_PKCS15_PIN_FLAG_INITIALIZED |\n\t\tSC_PKCS15_PIN_FLAG_UNBLOCKING_PIN | SC_PKCS15_PIN_FLAG_SO_PIN\n\t);\n\n\treturn 0;\n}", "project": "OpenSC", "hash": 330372380936854099126948571016569487042, "size": 43, "commit_id": "5df913b7f57ad89b9832555d24c08d23a534311e", 
"message": "tcos: Check bounds in insert_pin()\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383", "target": 0, "dataset": "other", "idx": 243962 }, { "func": "static OPJ_BOOL opj_j2k_read_soc(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager\n )\n{\n OPJ_BYTE l_data [2];\n OPJ_UINT32 l_marker;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n if (opj_stream_read_data(p_stream, l_data, 2, p_manager) != 2) {\n return OPJ_FALSE;\n }\n\n opj_read_bytes(l_data, &l_marker, 2);\n if (l_marker != J2K_MS_SOC) {\n return OPJ_FALSE;\n }\n\n /* Next marker should be a SIZ marker in the main header */\n p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_MHSIZ;\n\n /* FIXME move it in a index structure included in p_j2k*/\n p_j2k->cstr_index->main_head_start = opj_stream_tell(p_stream) - 2;\n\n opj_event_msg(p_manager, EVT_INFO,\n \"Start to read j2k main header (%\" PRId64 \").\\n\",\n p_j2k->cstr_index->main_head_start);\n\n /* Add the marker to the codestream index*/\n if (OPJ_FALSE == opj_j2k_add_mhmarker(p_j2k->cstr_index, J2K_MS_SOC,\n p_j2k->cstr_index->main_head_start, 2)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to add mh marker\\n\");\n return OPJ_FALSE;\n }\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 146781260790724147200966091620290467913, "size": 40, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357372 }, { "func": "CallResult JSObject::getOwnComputedPrimitiveDescriptor(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n JSObject::IgnoreProxy ignoreProxy,\n ComputedPropertyDescriptor &desc) {\n SymbolID id{};\n\n return getOwnComputedPrimitiveDescriptorImpl(\n selfHandle, runtime, nameValHandle, ignoreProxy, id, desc);\n}", "project": 
"hermes", "hash": 97776095748888634166125088787745831758, "size": 11, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230165 }, { "func": "static inline int io_rw_prep_async(struct io_kiocb *req, int rw,\n\t\t\t\t bool force_nonblock)\n{\n\tstruct io_async_ctx *io = req->io;\n\tstruct iov_iter iter;\n\tssize_t ret;\n\n\tio->rw.iov = io->rw.fast_iov;\n\treq->io = NULL;\n\tret = io_import_iovec(rw, req, &io->rw.iov, &iter, !force_nonblock);\n\treq->io = io;\n\tif (unlikely(ret < 0))\n\t\treturn ret;\n\n\tio_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);\n\treturn 0;\n}", "project": "linux", "hash": 68734170556443310049952851300497540047, "size": 17, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens 
Axboe ", "target": 0, "dataset": "other", "idx": 456957 }, { "func": "static bool warning_is_error(int severity)\n{\n if (is_valid_warning(severity))\n return !!(warning_state[WARN_IDX(severity)] & WARN_ST_ERROR);\n else\n return false;\n}", "project": "nasm", "hash": 14107433005493746029181364593488124770, "size": 7, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257487 }, { "func": "HttpStateData::maybeMakeSpaceAvailable(bool doGrow)\n{\n // how much we are allowed to buffer\n const int limitBuffer = (flags.headers_parsed ? Config.readAheadGap : Config.maxReplyHeaderSize);\n\n if (limitBuffer < 0 || inBuf.length() >= (SBuf::size_type)limitBuffer) {\n // when buffer is at or over limit already\n debugs(11, 7, \"will not read up to \" << limitBuffer << \". buffer has (\" << inBuf.length() << \"/\" << inBuf.spaceSize() << \") from \" << serverConnection);\n debugs(11, DBG_DATA, \"buffer has {\" << inBuf << \"}\");\n // Process next response from buffer\n processReply();\n return false;\n }\n\n // how much we want to read\n const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), (limitBuffer - inBuf.length()));\n\n if (!read_size) {\n debugs(11, 7, \"will not read up to \" << read_size << \" into buffer (\" << inBuf.length() << \"/\" << inBuf.spaceSize() << \") from \" << serverConnection);\n return false;\n }\n\n // just report whether we could grow or not, do not actually do it\n if (doGrow)\n return (read_size >= 2);\n\n // we may need to grow the buffer\n inBuf.reserveSpace(read_size);\n debugs(11, 8, (!flags.do_next_read ? 
\"will not\" : \"may\") <<\n \" read up to \" << read_size << \" bytes info buf(\" << inBuf.length() << \"/\" << inBuf.spaceSize() <<\n \") from \" << serverConnection);\n\n return (inBuf.spaceSize() >= 2); // only read if there is 1+ bytes of space available\n}", "project": "squid", "hash": 122352635918867434257257884349740046326, "size": 34, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402348 }, { "func": "static void tcp_reset(struct sock *sk)\n{\n\t/* We want the right error as BSD sees it (and indeed as we do). */\n\tswitch (sk->sk_state) {\n\tcase TCP_SYN_SENT:\n\t\tsk->sk_err = ECONNREFUSED;\n\t\tbreak;\n\tcase TCP_CLOSE_WAIT:\n\t\tsk->sk_err = EPIPE;\n\t\tbreak;\n\tcase TCP_CLOSE:\n\t\treturn;\n\tdefault:\n\t\tsk->sk_err = ECONNRESET;\n\t}\n\t/* This barrier is coupled with smp_rmb() in tcp_poll() */\n\tsmp_wmb();\n\n\tif (!sock_flag(sk, SOCK_DEAD))\n\t\tsk->sk_error_report(sk);\n\n\ttcp_done(sk);\n}", "project": "net-next", "hash": 250725956100456125028874927737004907594, "size": 23, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409884 }, { "func": "JSObject::checkPropertyUpdate(\n Runtime *runtime,\n const PropertyFlags currentFlags,\n DefinePropertyFlags dpFlags,\n const HermesValue curValueOrAccessor,\n Handle<> valueOrAccessor,\n PropOpFlags opFlags) {\n // 8.12.9 [5] Return true, if every field in Desc is absent.\n if (dpFlags.isEmpty())\n return std::make_pair(PropertyUpdateStatus::done, currentFlags);\n\n assert(\n (!dpFlags.isAccessor() || (!dpFlags.setWritable && !dpFlags.writable)) &&\n \"can't set both accessor and writable\");\n assert(\n !dpFlags.enableInternalSetter &&\n \"cannot change the value of internalSetter\");\n\n // 8.12.9 [6] Return true, if every field in Desc also occurs in current and\n // the value of every field in Desc is the same value as the corresponding\n // field in current when compared using the SameValue algorithm (9.12).\n // TODO: this would probably be much more efficient with bitmasks.\n if ((!dpFlags.setEnumerable ||\n dpFlags.enumerable == currentFlags.enumerable) &&\n (!dpFlags.setConfigurable ||\n dpFlags.configurable == currentFlags.configurable)) {\n if (dpFlags.isAccessor()) {\n if (currentFlags.accessor) {\n auto *curAccessor = vmcast(curValueOrAccessor);\n auto *newAccessor = vmcast(valueOrAccessor.get());\n\n if ((!dpFlags.setGetter ||\n curAccessor->getter == newAccessor->getter) &&\n (!dpFlags.setSetter ||\n curAccessor->setter == newAccessor->setter)) {\n return std::make_pair(PropertyUpdateStatus::done, currentFlags);\n }\n }\n } else {\n if (!currentFlags.accessor &&\n (!dpFlags.setValue ||\n isSameValue(curValueOrAccessor, valueOrAccessor.get())) &&\n (!dpFlags.setWritable || dpFlags.writable == currentFlags.writable)) {\n return std::make_pair(PropertyUpdateStatus::done, currentFlags);\n }\n }\n }\n\n // 8.12.9 [7]\n // If the property is not configurable, some aspects are not changeable.\n if (!currentFlags.configurable) {\n // Trying to change non-configurable to configurable?\n 
if (dpFlags.configurable) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n \"property is not configurable\"); // TODO: better message.\n }\n return std::make_pair(PropertyUpdateStatus::failed, PropertyFlags{});\n }\n\n // Trying to change the enumerability of non-configurable property?\n if (dpFlags.setEnumerable &&\n dpFlags.enumerable != currentFlags.enumerable) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n \"property is not configurable\"); // TODO: better message.\n }\n return std::make_pair(PropertyUpdateStatus::failed, PropertyFlags{});\n }\n }\n\n PropertyFlags newFlags = currentFlags;\n\n // 8.12.9 [8] If IsGenericDescriptor(Desc) is true, then no further validation\n // is required.\n if (!(dpFlags.setValue || dpFlags.setWritable || dpFlags.setGetter ||\n dpFlags.setSetter)) {\n // Do nothing\n }\n // 8.12.9 [9]\n // Changing between accessor and data descriptor?\n else if (currentFlags.accessor != dpFlags.isAccessor()) {\n if (!currentFlags.configurable) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n \"property is not configurable\"); // TODO: better message.\n }\n return std::make_pair(PropertyUpdateStatus::failed, PropertyFlags{});\n }\n\n // If we change from accessor to data descriptor, Preserve the existing\n // values of the converted property’s [[Configurable]] and [[Enumerable]]\n // attributes and set the rest of the property’s attributes to their default\n // values.\n // If it's the other way around, since the accessor doesn't have the\n // [[Writable]] attribute, do nothing.\n newFlags.writable = 0;\n\n // If we are changing from accessor to non-accessor, we must set a new\n // value.\n if (!dpFlags.isAccessor())\n dpFlags.setValue = 1;\n }\n // 8.12.9 [10] if both are data descriptors.\n else if (!currentFlags.accessor) {\n if (!currentFlags.configurable) {\n if (!currentFlags.writable) {\n // If the current property is not writable, but the new one is.\n if 
(dpFlags.writable) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n \"property is not configurable\"); // TODO: better message.\n }\n return std::make_pair(PropertyUpdateStatus::failed, PropertyFlags{});\n }\n\n // If we are setting a different value.\n if (dpFlags.setValue &&\n !isSameValue(curValueOrAccessor, valueOrAccessor.get())) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n \"property is not writable\"); // TODO: better message.\n }\n return std::make_pair(PropertyUpdateStatus::failed, PropertyFlags{});\n }\n }\n }\n }\n // 8.12.9 [11] Both are accessors.\n else {\n auto *curAccessor = vmcast(curValueOrAccessor);\n auto *newAccessor = vmcast(valueOrAccessor.get());\n\n // If not configurable, make sure that nothing is changing.\n if (!currentFlags.configurable) {\n if ((dpFlags.setGetter && newAccessor->getter != curAccessor->getter) ||\n (dpFlags.setSetter && newAccessor->setter != curAccessor->setter)) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\n \"property is not configurable\"); // TODO: better message.\n }\n return std::make_pair(PropertyUpdateStatus::failed, PropertyFlags{});\n }\n }\n\n // If not setting the getter or the setter, re-use the current one.\n if (!dpFlags.setGetter)\n newAccessor->getter.set(\n runtime, curAccessor->getter, &runtime->getHeap());\n if (!dpFlags.setSetter)\n newAccessor->setter.set(\n runtime, curAccessor->setter, &runtime->getHeap());\n }\n\n // 8.12.9 [12] For each attribute field of Desc that is present, set the\n // correspondingly named attribute of the property named P of object O to the\n // value of the field.\n if (dpFlags.setEnumerable)\n newFlags.enumerable = dpFlags.enumerable;\n if (dpFlags.setWritable)\n newFlags.writable = dpFlags.writable;\n if (dpFlags.setConfigurable)\n newFlags.configurable = dpFlags.configurable;\n\n if (dpFlags.setValue)\n newFlags.accessor = false;\n else if (dpFlags.isAccessor())\n newFlags.accessor = 
true;\n else\n return std::make_pair(PropertyUpdateStatus::done, newFlags);\n\n return std::make_pair(PropertyUpdateStatus::needSet, newFlags);\n}", "project": "hermes", "hash": 187120361320406579963844764598149170534, "size": 173, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230260 }, { "func": "int blosc_compress_context(blosc2_context* context) {\n int ntbytes = 0;\n blosc_timestamp_t last, current;\n bool memcpyed = context->header_flags & (uint8_t)BLOSC_MEMCPYED;\n\n blosc_set_timestamp(&last);\n\n if (!memcpyed) {\n /* Do the actual compression */\n ntbytes = do_job(context);\n if (ntbytes < 0) {\n return -1;\n }\n if (ntbytes == 0) {\n // Try out with a memcpy later on (last chance for fitting src buffer in dest).\n context->header_flags |= (uint8_t)BLOSC_MEMCPYED;\n memcpyed = true;\n }\n }\n\n if (memcpyed) {\n if (context->sourcesize + BLOSC_MAX_OVERHEAD > context->destsize) {\n /* We are exceeding maximum output size */\n ntbytes = 0;\n }\n else {\n context->output_bytes = BLOSC_MAX_OVERHEAD;\n ntbytes = do_job(context);\n if (ntbytes < 0) {\n return -1;\n }\n // Success! 
update the memcpy bit in header\n context->dest[2] = context->header_flags;\n // and clear the memcpy bit in context (for next reuse)\n context->header_flags &= ~(uint8_t)BLOSC_MEMCPYED;\n }\n }\n\n /* Set the number of compressed bytes in header */\n _sw32(context->dest + 12, ntbytes);\n\n /* Set the number of bytes in dest buffer (might be useful for btune) */\n context->destsize = ntbytes;\n\n assert(ntbytes <= context->destsize);\n\n if (context->btune != NULL) {\n blosc_set_timestamp(¤t);\n double ctime = blosc_elapsed_secs(last, current);\n btune_update(context, ctime);\n }\n\n return ntbytes;\n}", "project": "c-blosc2", "hash": 196464262517656582014342515971242438178, "size": 54, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303118 }, { "func": "rfbBool rfbSendDirContent(rfbClientPtr cl, int length, char *buffer)\n{\n char retfilename[MAX_PATH];\n char path[MAX_PATH];\n struct stat statbuf;\n RFB_FIND_DATA win32filename;\n int nOptLen = 0, retval=0;\n#ifdef WIN32\n WIN32_FIND_DATAA winFindData;\n HANDLE findHandle;\n int pathLen, basePathLength;\n char *basePath;\n#else\n DIR *dirp=NULL;\n struct dirent *direntp=NULL;\n#endif\n\n FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN(\"\", cl, FALSE);\n\n /* Client thinks we are Winblows */\n if (!rfbFilenameTranslate2UNIX(cl, buffer, path, sizeof(path)))\n return FALSE;\n\n if (DB) rfbLog(\"rfbProcessFileTransfer() rfbDirContentRequest: rfbRDirContent: \\\"%s\\\"->\\\"%s\\\"\\n\",buffer, path);\n\n#ifdef WIN32\n // Create a search string, like C:\\folder\\*\n\n pathLen = strlen(path);\n basePath = malloc(pathLen + 3);\n memcpy(basePath, path, pathLen);\n basePathLength = pathLen;\n basePath[basePathLength] = '\\\\';\n basePath[basePathLength + 1] = '*';\n basePath[basePathLength + 2] = '\\0';\n\n // Start a search\n memset(&winFindData, 0, sizeof(winFindData));\n findHandle = 
FindFirstFileA(path, &winFindData);\n free(basePath);\n\n if (findHandle == INVALID_HANDLE_VALUE)\n#else\n dirp=opendir(path);\n if (dirp==NULL)\n#endif\n return rfbSendFileTransferMessage(cl, rfbDirPacket, rfbADirectory, 0, 0, NULL);\n\n /* send back the path name (necessary for links) */\n if (rfbSendFileTransferMessage(cl, rfbDirPacket, rfbADirectory, 0, length, buffer)==FALSE) return FALSE;\n\n#ifdef WIN32\n while (findHandle != INVALID_HANDLE_VALUE)\n#else\n for (direntp=readdir(dirp); direntp!=NULL; direntp=readdir(dirp))\n#endif\n {\n /* get stats */\n#ifdef WIN32\n snprintf(retfilename,sizeof(retfilename),\"%s/%s\", path, winFindData.cFileName);\n#else\n snprintf(retfilename,sizeof(retfilename),\"%s/%s\", path, direntp->d_name);\n#endif\n retval = stat(retfilename, &statbuf);\n\n if (retval==0)\n {\n memset((char *)&win32filename, 0, sizeof(win32filename));\n#ifdef WIN32\n win32filename.dwFileAttributes = winFindData.dwFileAttributes;\n win32filename.ftCreationTime.dwLowDateTime = winFindData.ftCreationTime.dwLowDateTime;\n win32filename.ftCreationTime.dwHighDateTime = winFindData.ftCreationTime.dwHighDateTime;\n win32filename.ftLastAccessTime.dwLowDateTime = winFindData.ftLastAccessTime.dwLowDateTime;\n win32filename.ftLastAccessTime.dwHighDateTime = winFindData.ftLastAccessTime.dwHighDateTime;\n win32filename.ftLastWriteTime.dwLowDateTime = winFindData.ftLastWriteTime.dwLowDateTime;\n win32filename.ftLastWriteTime.dwHighDateTime = winFindData.ftLastWriteTime.dwHighDateTime;\n win32filename.nFileSizeLow = winFindData.nFileSizeLow;\n win32filename.nFileSizeHigh = winFindData.nFileSizeHigh;\n win32filename.dwReserved0 = winFindData.dwReserved0;\n win32filename.dwReserved1 = winFindData.dwReserved1;\n strcpy((char *)win32filename.cFileName, winFindData.cFileName);\n strcpy((char *)win32filename.cAlternateFileName, winFindData.cAlternateFileName);\n#else\n win32filename.dwFileAttributes = Swap32IfBE(RFB_FILE_ATTRIBUTE_NORMAL);\n if (S_ISDIR(statbuf.st_mode))\n 
win32filename.dwFileAttributes = Swap32IfBE(RFB_FILE_ATTRIBUTE_DIRECTORY);\n win32filename.ftCreationTime.dwLowDateTime = Swap32IfBE(statbuf.st_ctime); /* Intel Order */\n win32filename.ftCreationTime.dwHighDateTime = 0;\n win32filename.ftLastAccessTime.dwLowDateTime = Swap32IfBE(statbuf.st_atime); /* Intel Order */\n win32filename.ftLastAccessTime.dwHighDateTime = 0;\n win32filename.ftLastWriteTime.dwLowDateTime = Swap32IfBE(statbuf.st_mtime); /* Intel Order */\n win32filename.ftLastWriteTime.dwHighDateTime = 0;\n win32filename.nFileSizeLow = Swap32IfBE(statbuf.st_size); /* Intel Order */\n win32filename.nFileSizeHigh = 0;\n win32filename.dwReserved0 = 0;\n win32filename.dwReserved1 = 0;\n\n /* If this had the full path, we would need to translate to DOS format (\"C:\\\") */\n /* rfbFilenameTranslate2DOS(cl, retfilename, win32filename.cFileName); */\n strcpy((char *)win32filename.cFileName, direntp->d_name);\n#endif\n \n /* Do not show hidden files (but show how to move up the tree) */\n if ((strcmp((char *)win32filename.cFileName, \"..\")==0) || (win32filename.cFileName[0]!='.'))\n {\n nOptLen = sizeof(RFB_FIND_DATA) - MAX_PATH - 14 + strlen((char *)win32filename.cFileName);\n /*\n rfbLog(\"rfbProcessFileTransfer() rfbDirContentRequest: rfbRDirContent: Sending \\\"%s\\\"\\n\", (char *)win32filename.cFileName);\n */\n if (rfbSendFileTransferMessage(cl, rfbDirPacket, rfbADirectory, 0, nOptLen, (char *)&win32filename)==FALSE)\n {\n#ifdef WIN32\n FindClose(findHandle);\n#else\n closedir(dirp);\n#endif\n return FALSE;\n }\n }\n }\n\n#ifdef WIN32\n if (FindNextFileA(findHandle, &winFindData) == 0)\n {\n FindClose(findHandle);\n findHandle = INVALID_HANDLE_VALUE;\n }\n#endif\n }\n#ifdef WIN32\n if (findHandle != INVALID_HANDLE_VALUE)\n {\n FindClose(findHandle);\n }\n#else\n closedir(dirp);\n#endif\n /* End of the transfer */\n return rfbSendFileTransferMessage(cl, rfbDirPacket, 0, 0, 0, NULL);\n}", "project": "libvncserver", "hash": 
202405023468777930503122793196925726920, "size": 140, "commit_id": "673c07a75ed844d74676f3ccdcfdc706a7052dba", "message": "libvncserver/rfbserver: fix possible divide-by-zero\n\nCloses #409", "target": 0, "dataset": "other", "idx": 295838 }, { "func": "static bool canNewPropertyBeIndexed(DefinePropertyFlags dpf) {\n return dpf.setEnumerable && dpf.enumerable && dpf.setWritable &&\n dpf.writable && dpf.setConfigurable && dpf.configurable &&\n !dpf.setSetter && !dpf.setGetter;\n}", "project": "hermes", "hash": 111337230187842701337703034102471455702, "size": 5, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230228 }, { "func": "static inline void tcp_ack_update_rtt(struct sock *sk, const int flag,\n\t\t\t\t const s32 seq_rtt)\n{\n\tconst struct tcp_sock *tp = tcp_sk(sk);\n\t/* Note that peer MAY send zero echo. In this case it is ignored. 
(rfc1323) */\n\tif (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr)\n\t\ttcp_ack_saw_tstamp(sk, flag);\n\telse if (seq_rtt >= 0)\n\t\ttcp_ack_no_tstamp(sk, seq_rtt, flag);\n}", "project": "net-next", "hash": 13852231800571162970903900187023570503, "size": 10, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409900 }, { "func": "static int lizard_wrap_decompress(const char* input, size_t compressed_length,\n char* output, size_t maxout) {\n int dbytes;\n dbytes = Lizard_decompress_safe(input, output, (int)compressed_length,\n (int)maxout);\n if (dbytes < 0) {\n return 0;\n }\n return dbytes;\n}", "project": "c-blosc2", "hash": 59822695483564654787293089412082009697, "size": 10, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303116 }, { "func": "static void free_segment_list(struct playlist *pls)\n{\n int i;\n for (i = 0; i < pls->n_segments; i++) {\n av_freep(&pls->segments[i]->key);\n av_freep(&pls->segments[i]->url);\n av_freep(&pls->segments[i]);\n }\n av_freep(&pls->segments);\n pls->n_segments = 0;\n}", "project": "FFmpeg", "hash": 28249821004878458073938945205007681310, "size": 11, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270453 }, { "func": "static int 
reg_r(struct sd *sd, u16 index)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint ret;\n\tint req;\n\n\tif (sd->gspca_dev.usb_err < 0)\n\t\treturn -1;\n\n\tswitch (sd->bridge) {\n\tcase BRIDGE_OV511:\n\tcase BRIDGE_OV511PLUS:\n\t\treq = 3;\n\t\tbreak;\n\tcase BRIDGE_OVFX2:\n\t\treq = 0x0b;\n\t\tbreak;\n\tdefault:\n\t\treq = 1;\n\t}\n\n\t/* Avoid things going to fast for the bridge with a xhci host */\n\tudelay(150);\n\tret = usb_control_msg(sd->gspca_dev.dev,\n\t\t\tusb_rcvctrlpipe(sd->gspca_dev.dev, 0),\n\t\t\treq,\n\t\t\tUSB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,\n\t\t\t0, index, sd->gspca_dev.usb_buf, 1, 500);\n\n\tif (ret >= 0) {\n\t\tret = sd->gspca_dev.usb_buf[0];\n\t\tgspca_dbg(gspca_dev, D_USBI, \"GET %02x 0000 %04x %02x\\n\",\n\t\t\t req, index, ret);\n\t} else {\n\t\tgspca_err(gspca_dev, \"reg_r %02x failed %d\\n\", index, ret);\n\t\tsd->gspca_dev.usb_err = ret;\n\t\t/*\n\t\t * Make sure the result is zeroed to avoid uninitialized\n\t\t * values.\n\t\t */\n\t\tgspca_dev->usb_buf[0] = 0;\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 569475711808633671785644520570368934, "size": 45, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306304 }, { "func": "static int sctp_sendmsg_check_sflags(struct 
sctp_association *asoc,\n\t\t\t\t __u16 sflags, struct msghdr *msg,\n\t\t\t\t size_t msg_len)\n{\n\tstruct sock *sk = asoc->base.sk;\n\tstruct net *net = sock_net(sk);\n\n\tif (sctp_state(asoc, CLOSED) && sctp_style(sk, TCP))\n\t\treturn -EPIPE;\n\n\tif ((sflags & SCTP_SENDALL) && sctp_style(sk, UDP) &&\n\t !sctp_state(asoc, ESTABLISHED))\n\t\treturn 0;\n\n\tif (sflags & SCTP_EOF) {\n\t\tpr_debug(\"%s: shutting down association:%p\\n\", __func__, asoc);\n\t\tsctp_primitive_SHUTDOWN(net, asoc, NULL);\n\n\t\treturn 0;\n\t}\n\n\tif (sflags & SCTP_ABORT) {\n\t\tstruct sctp_chunk *chunk;\n\n\t\tchunk = sctp_make_abort_user(asoc, msg, msg_len);\n\t\tif (!chunk)\n\t\t\treturn -ENOMEM;\n\n\t\tpr_debug(\"%s: aborting association:%p\\n\", __func__, asoc);\n\t\tsctp_primitive_ABORT(net, asoc, chunk);\n\t\tiov_iter_revert(&msg->msg_iter, msg_len);\n\n\t\treturn 0;\n\t}\n\n\treturn 1;\n}", "project": "linux", "hash": 337075890260526485896957826139865394001, "size": 37, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398108 }, { "func": "static int kvm_debugfs_release(struct inode *inode, struct file *file)\n{\n\tstruct kvm_stat_data *stat_data = (struct kvm_stat_data *)\n\t\t\t\t\t inode->i_private;\n\n\tsimple_attr_release(inode, file);\n\tkvm_put_kvm(stat_data->kvm);\n\n\treturn 0;\n}", "project": "linux", "hash": 159280662003039523537131630041227637402, "size": 10, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354450 }, { "func": "int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,\n\t\t\t gpa_t gpa, unsigned long len)\n{\n\tstruct kvm_memslots *slots = kvm_memslots(kvm);\n\treturn __kvm_gfn_to_hva_cache_init(slots, ghc, gpa, len);\n}", "project": "linux", "hash": 46976075588374711350574590794534952877, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu 
\nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354562 }, { "func": "SAPI_API SAPI_POST_HANDLER_FUNC(php_std_post_handler)\n{\n\tzval *arr = (zval *) arg;\n\tphp_stream *s = SG(request_info).request_body;\n\tpost_var_data_t post_data;\n\n\tif (s && SUCCESS == php_stream_rewind(s)) {\n\t\tmemset(&post_data, 0, sizeof(post_data));\n\n\t\twhile (!php_stream_eof(s)) {\n\t\t\tchar buf[SAPI_POST_HANDLER_BUFSIZ] = {0};\n\t\t\tsize_t len = php_stream_read(s, buf, SAPI_POST_HANDLER_BUFSIZ);\n\n\t\t\tif (len && len != (size_t) -1) {\n\t\t\t\tsmart_str_appendl(&post_data.str, buf, len);\n\n\t\t\t\tif (SUCCESS != add_post_vars(arr, &post_data, 0)) {\n\t\t\t\t\tsmart_str_free(&post_data.str);\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (len != SAPI_POST_HANDLER_BUFSIZ){\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\tif (post_data.str.s) {\n\t\t\tadd_post_vars(arr, &post_data, 1);\n\t\t\tsmart_str_free(&post_data.str);\n\t\t}\n\t}\n}", "project": "php-src", "hash": 161422039398292713107039022091934209077, "size": 33, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374968 }, { "func": "static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_le_ltk_req *ev = (void *) skb->data;\n\tstruct hci_cp_le_ltk_reply cp;\n\tstruct hci_cp_le_ltk_neg_reply neg;\n\tstruct hci_conn *conn;\n\tstruct smp_ltk *ltk;\n\n\tBT_DBG(\"%s handle 0x%4.4x\", hdev->name, __le16_to_cpu(ev->handle));\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));\n\tif (conn == NULL)\n\t\tgoto not_found;\n\n\tltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);\n\tif (!ltk)\n\t\tgoto not_found;\n\n\tif (smp_ltk_is_sc(ltk)) {\n\t\t/* With SC both EDiv and Rand are 
set to zero */\n\t\tif (ev->ediv || ev->rand)\n\t\t\tgoto not_found;\n\t} else {\n\t\t/* For non-SC keys check that EDiv and Rand match */\n\t\tif (ev->ediv != ltk->ediv || ev->rand != ltk->rand)\n\t\t\tgoto not_found;\n\t}\n\n\tmemcpy(cp.ltk, ltk->val, ltk->enc_size);\n\tmemset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);\n\tcp.handle = cpu_to_le16(conn->handle);\n\n\tconn->pending_sec_level = smp_ltk_sec_level(ltk);\n\n\tconn->enc_key_size = ltk->enc_size;\n\n\thci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);\n\n\t/* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a\n\t * temporary key used to encrypt a connection following\n\t * pairing. It is used during the Encrypted Session Setup to\n\t * distribute the keys. Later, security can be re-established\n\t * using a distributed LTK.\n\t */\n\tif (ltk->type == SMP_STK) {\n\t\tset_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);\n\t\tlist_del_rcu(<k->list);\n\t\tkfree_rcu(ltk, rcu);\n\t} else {\n\t\tclear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);\n\t}\n\n\thci_dev_unlock(hdev);\n\n\treturn;\n\nnot_found:\n\tneg.handle = ev->handle;\n\thci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 317605494390920039989163749510546453524, "size": 63, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431912 }, { "func": " Item_direct_ref(THD *thd, TABLE_LIST *view_arg, Item **item,\n const char *field_name_arg,\n bool alias_name_used_arg= FALSE):\n Item_ref(thd, view_arg, item, field_name_arg,\n alias_name_used_arg)\n {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 84429257295408231154401802464055689342, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508951 }, { "func": " Item_direct_ref(THD *thd, Name_resolution_context *context_arg, Item **item,\n const char *table_name_arg,\n const char *field_name_arg,\n bool alias_name_used_arg= FALSE):\n Item_ref(thd, context_arg, item, table_name_arg,\n field_name_arg, alias_name_used_arg)\n {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 24116829240214959554021563747561985359, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509101 }, { "func": "int BPMDetect::decimate(SAMPLETYPE *dest, const SAMPLETYPE *src, int numsamples)\r\n{\r\n int count, outcount;\r\n LONG_SAMPLETYPE out;\r\n\r\n assert(channels > 0);\r\n assert(decimateBy > 0);\r\n outcount = 0;\r\n for (count = 0; count < numsamples; count ++) \r\n {\r\n int j;\r\n\r\n // convert to mono and accumulate\r\n for (j = 0; j < channels; j ++)\r\n {\r\n decimateSum += src[j];\r\n }\r\n src += j;\r\n\r\n decimateCount ++;\r\n if (decimateCount >= decimateBy) \r\n {\r\n // Store every Nth sample only\r\n out = (LONG_SAMPLETYPE)(decimateSum / (decimateBy * channels));\r\n decimateSum = 0;\r\n decimateCount = 0;\r\n#ifdef SOUNDTOUCH_INTEGER_SAMPLES\r\n // check ranges for sure (shouldn't actually be necessary)\r\n if (out > 32767) \r\n {\r\n out = 32767;\r\n } \r\n else if (out < -32768) \r\n {\r\n out = -32768;\r\n }\r\n#endif // SOUNDTOUCH_INTEGER_SAMPLES\r\n dest[outcount] = (SAMPLETYPE)out;\r\n outcount ++;\r\n }\r\n }\r\n return outcount;\r\n}\r", "project": "soundtouch", "hash": 20932171073096531916787612510504601173, "size": 43, "commit_id": "a1c400eb2cff849c0e5f9d6916d69ffea3ad2c85", "message": "Fix issue CVE-2018-17096: Replace assert with runtime exception", "target": 0, "dataset": "other", "idx": 368104 }, { "func": "int imap_path_status(const char *path, bool queue)\n{\n struct Mailbox *m = mx_mbox_find2(path);\n\n const bool is_temp = !m;\n if (is_temp)\n {\n m = mx_path_resolve(path);\n if (!mx_mbox_ac_link(m))\n {\n mailbox_free(&m);\n return 0;\n }\n }\n\n int rc = imap_mailbox_status(m, queue);\n\n if (is_temp)\n {\n mx_ac_remove(m);\n }\n\n return rc;\n}", "project": "neomutt", "hash": 3344936611163101426980566916861397258, "size": 24, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all 
failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357048 }, { "func": "int imap_login(struct ImapAccountData *adata)\n{\n if (!adata)\n return -1;\n\n if (adata->state == IMAP_DISCONNECTED)\n {\n mutt_buffer_reset(&adata->cmdbuf); // purge outstanding queued commands\n imap_open_connection(adata);\n }\n if (adata->state == IMAP_CONNECTED)\n {\n if (imap_authenticate(adata) == IMAP_AUTH_SUCCESS)\n {\n adata->state = IMAP_AUTHENTICATED;\n FREE(&adata->capstr);\n if (adata->conn->ssf != 0)\n {\n mutt_debug(LL_DEBUG2, \"Communication encrypted at %d bits\\n\",\n adata->conn->ssf);\n }\n }\n else\n mutt_account_unsetpass(&adata->conn->account);\n }\n if (adata->state == IMAP_AUTHENTICATED)\n {\n /* capabilities may have changed */\n imap_exec(adata, \"CAPABILITY\", IMAP_CMD_PASS);\n\n#ifdef USE_ZLIB\n /* RFC4978 */\n if ((adata->capabilities & IMAP_CAP_COMPRESS) && C_ImapDeflate &&\n (imap_exec(adata, \"COMPRESS DEFLATE\", IMAP_CMD_PASS) == IMAP_EXEC_SUCCESS))\n {\n mutt_debug(LL_DEBUG2, \"IMAP compression is enabled on connection to %s\\n\",\n adata->conn->account.host);\n mutt_zstrm_wrap_conn(adata->conn);\n }\n#endif\n\n /* enable RFC6855, if the server supports that */\n if (C_ImapRfc5161 && (adata->capabilities & IMAP_CAP_ENABLE))\n imap_exec(adata, \"ENABLE UTF8=ACCEPT\", IMAP_CMD_QUEUE);\n\n /* enable QRESYNC. Advertising QRESYNC also means CONDSTORE\n * is supported (even if not advertised), so flip that bit. 
*/\n if (adata->capabilities & IMAP_CAP_QRESYNC)\n {\n adata->capabilities |= IMAP_CAP_CONDSTORE;\n if (C_ImapRfc5161 && C_ImapQresync)\n imap_exec(adata, \"ENABLE QRESYNC\", IMAP_CMD_QUEUE);\n }\n\n /* get root delimiter, '/' as default */\n adata->delim = '/';\n imap_exec(adata, \"LIST \\\"\\\" \\\"\\\"\", IMAP_CMD_QUEUE);\n\n /* we may need the root delimiter before we open a mailbox */\n imap_exec(adata, NULL, IMAP_CMD_NO_FLAGS);\n\n /* select the mailbox that used to be open before disconnect */\n if (adata->mailbox)\n {\n imap_mbox_select(adata->mailbox);\n }\n }\n\n if (adata->state < IMAP_AUTHENTICATED)\n return -1;\n\n return 0;\n}", "project": "neomutt", "hash": 217214026318175132674029934924220614526, "size": 73, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357017 }, { "func": "\tPrivmsg(const std::string& source, const Channel* targetchan, const std::string& text, MessageType mt = MSG_PRIVMSG, char status = 0)\n\t\t: ClientProtocol::Message(CommandStrFromMsgType(mt), source)\n\t{\n\t\tPushTargetChan(status, targetchan);\n\t\tPushParam(text);\n\t}", "project": "inspircd", "hash": 325602941306785543900716110163959416357, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273219 }, { "func": "\tPrivmsg(NoCopy, User* source, const Channel* targetchan, const std::string& text, MessageType mt = MSG_PRIVMSG, char status = 0)\n\t\t: ClientProtocol::Message(CommandStrFromMsgType(mt), source)\n\t{\n\t\tPushTargetChan(status, targetchan);\n\t\tPushParamRef(text);\n\t}", "project": "inspircd", "hash": 73718029742256418414815726723171903092, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong 
messages in some cases.", "target": 0, "dataset": "other", "idx": 273222 }, { "func": "\tPrivmsg(User* source, const Channel* targetchan, const std::string& text, MessageType mt = MSG_PRIVMSG, char status = 0)\n\t\t: ClientProtocol::Message(CommandStrFromMsgType(mt), source)\n\t{\n\t\tPushTargetChan(status, targetchan);\n\t\tPushParam(text);\n\t}", "project": "inspircd", "hash": 229310155400384033426374167701496302120, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273223 }, { "func": "\tvoid PushTargetChan(char status, const Channel* targetchan)\n\t{\n\t\tif (status)\n\t\t{\n\t\t\tstd::string rawtarget(1, status);\n\t\t\trawtarget.append(targetchan->name);\n\t\t\tPushParam(rawtarget);\n\t\t}\n\t\telse\n\t\t{\n\t\t\tPushParamRef(targetchan->name);\n\t\t}\n\t}", "project": "inspircd", "hash": 18529165817057507653720347835068230503, "size": 13, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273237 }, { "func": "\tPrivmsg(NoCopy, const std::string& source, const Channel* targetchan, const std::string& text, MessageType mt = MSG_PRIVMSG, char status = 0)\n\t\t: ClientProtocol::Message(CommandStrFromMsgType(mt), source)\n\t{\n\t\tPushTargetChan(status, targetchan);\n\t\tPushParamRef(text);\n\t}", "project": "inspircd", "hash": 6937725243312543275779473717134347006, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273270 }, { "func": "static bool is_valid_guid(const char *guid) {\n\tif (!guid) {\n\t\treturn false;\n\t}\n\tsize_t i;\n\tfor (i = 0; guid[i]; i++) {\n\t\tif (!isxdigit (guid[i])) {\n\t\t\treturn false;\n\t\t}\n\t}\n\treturn i >= 33; // len of GUID and age\n}", "project": "radare2", "hash": 
162244051988617727092514366263316155858, "size": 12, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269030 }, { "func": "static void __start_cpu_timer_accounting(struct kvm_vcpu *vcpu)\n{\n\tWARN_ON_ONCE(vcpu->arch.cputm_start != 0);\n\traw_write_seqcount_begin(&vcpu->arch.cputm_seqcount);\n\tvcpu->arch.cputm_start = get_tod_clock_fast();\n\traw_write_seqcount_end(&vcpu->arch.cputm_seqcount);\n}", "project": "linux", "hash": 168053735638747121147729806296541337706, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of 
s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354561 }, { "func": "static int sctp_setsockopt_auth_chunk(struct sock *sk,\n\t\t\t\t struct sctp_authchunk *val,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_endpoint *ep = sctp_sk(sk)->ep;\n\n\tif (!ep->auth_enable)\n\t\treturn -EACCES;\n\n\tif (optlen != sizeof(struct sctp_authchunk))\n\t\treturn -EINVAL;\n\n\tswitch (val->sauth_chunk) {\n\tcase SCTP_CID_INIT:\n\tcase SCTP_CID_INIT_ACK:\n\tcase SCTP_CID_SHUTDOWN_COMPLETE:\n\tcase SCTP_CID_AUTH:\n\t\treturn -EINVAL;\n\t}\n\n\t/* add this chunk id to the endpoint */\n\treturn sctp_auth_ep_add_chunkid(ep, val->sauth_chunk);\n}", "project": "linux", "hash": 322805527781193096840514551260852990153, "size": 23, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398081 }, { "func": "Header headerReload(Header h, rpmTagVal tag)\n{\n Header nh;\n unsigned int uc = 0;\n void * uh = headerExport(h, &uc);\n\n h = headerFree(h);\n if (uh == NULL)\n\treturn NULL;\n nh = headerImport(uh, uc, 0);\n if (nh == NULL) {\n\tuh = _free(uh);\n\treturn NULL;\n }\n if (ENTRY_IS_REGION(nh->index)) {\n\tif (tag == RPMTAG_HEADERSIGNATURES || tag == RPMTAG_HEADERIMMUTABLE)\n\t nh->index[0].info.tag = tag;\n }\n return nh;\n}", "project": "rpm", "hash": 232770840164490481908939122817271427476, "size": 20, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318202 }, { "func": "static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,\n\t\t\t int peer)\n{\n\tstruct net_device *dev;\n\tstruct sock *sk\t= sock->sk;\n\n\tif (peer)\n\t\treturn -EOPNOTSUPP;\n\n\tuaddr->sa_family = AF_PACKET;\n\tmemset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));\n\trcu_read_lock();\n\tdev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);\n\tif (dev)\n\t\tstrlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));\n\trcu_read_unlock();\n\n\treturn sizeof(*uaddr);\n}", "project": "linux", "hash": 205518709187498767406547809095508977910, "size": 19, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d 
(\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330397 }, { "func": "static void exif_thumbnail_build(image_info_type *ImageInfo) {\n size_t new_size, new_move, new_value;\n char *new_data;\n void *value_ptr;\n int i, byte_count;\n image_info_list *info_list;\n image_info_data *info_data;\n\n if (!ImageInfo->read_thumbnail || !ImageInfo->Thumbnail.offset ||\n !ImageInfo->Thumbnail.size) {\n return; /* ignore this call */\n }\n switch(ImageInfo->Thumbnail.filetype) {\n default:\n case IMAGE_FILETYPE_JPEG:\n /* done */\n break;\n case IMAGE_FILETYPE_TIFF_II:\n case IMAGE_FILETYPE_TIFF_MM:\n info_list = &ImageInfo->info_list[SECTION_THUMBNAIL];\n new_size = 8 + 2 + info_list->count * 12 + 4;\n new_value= new_size; /* offset for ifd values outside ifd directory */\n for (i=0; icount; i++) {\n info_data = &info_list->list[i];\n byte_count =\n get_php_tiff_bytes_per_format(info_data->format) * info_data->length;\n if (byte_count > 4) {\n new_size += byte_count;\n }\n }\n new_move = new_size;\n new_data = (char *)IM_REALLOC(ImageInfo->Thumbnail.data,\n ImageInfo->Thumbnail.size + new_size);\n CHECK_ALLOC(new_data, ImageInfo->Thumbnail.size + new_size);\n ImageInfo->Thumbnail.data = new_data;\n memmove(ImageInfo->Thumbnail.data + new_move,\n ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);\n ImageInfo->Thumbnail.size += new_size;\n /* fill in data */\n if (ImageInfo->motorola_intel) {\n memmove(new_data, \"MM\\x00\\x2a\\x00\\x00\\x00\\x08\", 8);\n } else {\n memmove(new_data, \"II\\x2a\\x00\\x08\\x00\\x00\\x00\", 8);\n }\n new_data += 8;\n php_ifd_set16u(new_data, info_list->count, ImageInfo->motorola_intel);\n new_data += 2;\n for (i=0; icount; i++) {\n info_data = &info_list->list[i];\n byte_count =\n get_php_tiff_bytes_per_format(info_data->format) * info_data->length;\n if (info_data->tag==TAG_STRIP_OFFSETS ||\n 
info_data->tag==TAG_JPEG_INTERCHANGE_FORMAT) {\n php_ifd_set16u(new_data + 0, info_data->tag,\n ImageInfo->motorola_intel);\n php_ifd_set16u(new_data + 2, TAG_FMT_ULONG,\n ImageInfo->motorola_intel);\n php_ifd_set32u(new_data + 4, 1, ImageInfo->motorola_intel);\n php_ifd_set32u(new_data + 8, new_move, ImageInfo->motorola_intel);\n } else {\n php_ifd_set16u(new_data + 0, info_data->tag,\n ImageInfo->motorola_intel);\n php_ifd_set16u(new_data + 2, info_data->format,\n ImageInfo->motorola_intel);\n php_ifd_set32u(new_data + 4, info_data->length,\n ImageInfo->motorola_intel);\n value_ptr = exif_ifd_make_value(info_data, ImageInfo->motorola_intel);\n if (byte_count <= 4) {\n memmove(new_data+8, value_ptr, 4);\n } else {\n php_ifd_set32u(new_data+8, new_value, ImageInfo->motorola_intel);\n memmove(ImageInfo->Thumbnail.data+new_value, value_ptr, byte_count);\n new_value += byte_count;\n }\n if (value_ptr) IM_FREE(value_ptr);\n }\n new_data += 12;\n }\n memset(new_data, 0, 4); /* next ifd pointer */\n break;\n }\n}", "project": "hhvm", "hash": 90341877488892885139670563805807928187, "size": 82, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219449 }, { "func": "static bool req_need_defer(struct io_kiocb *req, u32 seq)\n{\n\tif (unlikely(req->flags & REQ_F_IO_DRAIN)) {\n\t\tstruct io_ring_ctx *ctx = req->ctx;\n\n\t\treturn seq + ctx->cq_extra != ctx->cached_cq_tail\n\t\t\t\t+ READ_ONCE(ctx->cached_cq_overflow);\n\t}\n\n\treturn false;\n}", "project": "linux", "hash": 182130951522951768250266199646590550653, "size": 11, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338669 }, { "func": "void CLua::save(writer &outf)\n{\n if (!_state)\n return;\n\n string res;\n callfn(\"c_save\", \">s\", &res);\n outf.write(res.c_str(), res.size());\n}", "project": "crawl", "hash": 21891897271992696952439215764279919149, "size": 9, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230487 }, { "func": "int CServer::DelClientCallback(int ClientID, const char *pReason, void *pUser)\n{\n\tCServer *pThis = (CServer *)pUser;\n\n\tchar aAddrStr[NETADDR_MAXSTRSIZE];\n\tnet_addr_str(pThis->m_NetServer.ClientAddr(ClientID), aAddrStr, sizeof(aAddrStr), true);\n\tchar aBuf[256];\n\tstr_format(aBuf, sizeof(aBuf), \"client dropped. 
cid=%d addr=%s reason='%s'\", ClientID, aAddrStr, pReason);\n\tpThis->Console()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"server\", aBuf);\n\n\t// notify the mod about the drop\n\tif(pThis->m_aClients[ClientID].m_State >= CClient::STATE_READY)\n\t{\n\t\tpThis->m_aClients[ClientID].m_Quitting = true;\n\t\tpThis->GameServer()->OnClientDrop(ClientID, pReason);\n\t}\n\n\tpThis->m_aClients[ClientID].m_State = CClient::STATE_EMPTY;\n\tpThis->m_aClients[ClientID].m_aName[0] = 0;\n\tpThis->m_aClients[ClientID].m_aClan[0] = 0;\n\tpThis->m_aClients[ClientID].m_Country = -1;\n\tpThis->m_aClients[ClientID].m_Authed = AUTHED_NO;\n\tpThis->m_aClients[ClientID].m_AuthTries = 0;\n\tpThis->m_aClients[ClientID].m_pRconCmdToSend = 0;\n\tpThis->m_aClients[ClientID].m_pMapListEntryToSend = 0;\n\tpThis->m_aClients[ClientID].m_NoRconNote = false;\n\tpThis->m_aClients[ClientID].m_Quitting = false;\n\tpThis->m_aClients[ClientID].m_Snapshots.PurgeAll();\n\treturn 0;\n}", "project": "teeworlds", "hash": 62786573193751251959509076616184638995, "size": 30, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 381978 }, { "func": "static int strlen16 (unsigned short *s)\n{\n\tint len = 0;\n\twhile (*s) {\n\t\ts++;\n\t\tlen++;\n\t}\n\treturn len;\n}", "project": "php-src", "hash": 120983527725192974095894006851500276847, "size": 9, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295117 }, { "func": "static bool ep_busy_loop_end(void *p, unsigned long start_time)\n{\n\tstruct eventpoll *ep = p;\n\n\treturn ep_events_available(ep) || busy_loop_timeout(start_time);\n}", "project": "linux", "hash": 338013791244097554231733130333112340078, "size": 6, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a 
bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336270 }, { "func": " */\nstatic bool bfq_bfqq_must_idle(struct bfq_queue *bfqq)\n{\n\treturn RB_EMPTY_ROOT(&bfqq->sort_list) && bfq_better_to_idle(bfqq);", "project": "linux", "hash": 284712703808692057146116781366738078804, "size": 4, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453375 }, { "func": "static int decode_code_length(struct rar5* rar, const uint8_t* p,\n uint16_t code)\n{\n\tint lbits, length = 2;\n\tif(code < 8) {\n\t\tlbits = 0;\n\t\tlength += code;\n\t} else {\n\t\tlbits = code / 4 - 1;\n\t\tlength += (4 | (code & 3)) << lbits;\n\t}\n\n\tif(lbits > 0) {\n\t\tint add;\n\n\t\tif(ARCHIVE_OK != read_consume_bits(rar, p, lbits, &add))\n\t\t\treturn -1;\n\n\t\tlength += add;\n\t}\n\n\treturn length;\n}", "project": "libarchive", "hash": 268534864017225312606529105115002079101, "size": 23, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244692 }, { "func": "static void convert(float y, float u, float v,\n float *b, float *g, float *r)\n{\n *r = y + 1.5747f * v;\n *g = y - 0.1873f * u - 0.4682f * v;\n *b = y + 1.8556f * u;\n}", "project": "FFmpeg", "hash": 144072938113957149309825434425862287748, "size": 7, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262687 }, { "func": "static int pfkey_add(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)\n{\n\tstruct net *net = sock_net(sk);\n\tstruct xfrm_state *x;\n\tint err;\n\tstruct km_event c;\n\n\tx = pfkey_msg2xfrm_state(net, hdr, ext_hdrs);\n\tif (IS_ERR(x))\n\t\treturn PTR_ERR(x);\n\n\txfrm_state_hold(x);\n\tif (hdr->sadb_msg_type == SADB_ADD)\n\t\terr = xfrm_state_add(x);\n\telse\n\t\terr = xfrm_state_update(x);\n\n\txfrm_audit_state_add(x, err ? 
0 : 1, true);\n\n\tif (err < 0) {\n\t\tx->km.state = XFRM_STATE_DEAD;\n\t\t__xfrm_state_put(x);\n\t\tgoto out;\n\t}\n\n\tif (hdr->sadb_msg_type == SADB_ADD)\n\t\tc.event = XFRM_MSG_NEWSA;\n\telse\n\t\tc.event = XFRM_MSG_UPDSA;\n\tc.seq = hdr->sadb_msg_seq;\n\tc.portid = hdr->sadb_msg_pid;\n\tkm_state_notify(x, &c);\nout:\n\txfrm_state_put(x);\n\treturn err;\n}", "project": "linux", "hash": 74606032168578864370997083933761061894, "size": 36, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268084 }, { "func": "UnicodeStringTest::_testUnicodeStringHasMoreChar32Than(const UnicodeString &s, int32_t start, int32_t length, int32_t number) {\n if(s.hasMoreChar32Than(start, length, number)!=_refUnicodeStringHasMoreChar32Than(s, start, length, number)) {\n errln(\"hasMoreChar32Than(%d, %d, %d)=%hd is wrong\\n\",\n start, length, number, s.hasMoreChar32Than(start, length, number));\n }\n}", "project": "icu", "hash": 46634632811787881414665804235089150224, "size": 6, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430727 }, { "func": "static int hls_close(AVFormatContext *s)\n{\n HLSContext *c = s->priv_data;\n\n free_playlist_list(c);\n free_variant_list(c);\n free_rendition_list(c);\n\n av_dict_free(&c->avio_opts);\n\n return 0;\n}", "project": "FFmpeg", "hash": 34724727092566095697633938120151257995, "size": 12, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270454 }, { "func": "static void encode_test_stateid(struct xdr_stream *xdr,\n\t\t\t\tconst struct nfs41_test_stateid_args *args,\n\t\t\t\tstruct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_TEST_STATEID, decode_test_stateid_maxsz, hdr);\n\tencode_uint32(xdr, 1);\n\tencode_nfs4_stateid(xdr, args->stateid);\n}", "project": "linux", "hash": 151147191119206579955821825307462282955, "size": 8, "commit_id": 
"b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431518 }, { "func": "static bool ibs_enabled(struct kvm_vcpu *vcpu)\n{\n\treturn kvm_s390_test_cpuflags(vcpu, CPUSTAT_IBS);\n}", "project": "linux", "hash": 213964587586902100764515050898314774824, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354439 }, { "func": "int bcf_hdr_append(bcf_hdr_t *hdr, const char *line)\n{\n int len;\n bcf_hrec_t *hrec = bcf_hdr_parse_line(hdr, (char*) line, &len);\n if ( !hrec ) return -1;\n if (bcf_hdr_add_hrec(hdr, hrec) < 0)\n return -1;\n return 0;\n}", "project": "htslib", "hash": 47836292695460860289313881908572694728, "size": 9, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402159 }, { "func": "void test_lib() {\n u_int64_t processing_time_usec, setup_time_usec;\n long thread_id;\n\n#ifdef DEBUG_TRACE\n if(trace) fprintf(trace, \"Num threads: %d\\n\", num_threads);\n#endif\n\n for(thread_id = 0; thread_id < num_threads; thread_id++) {\n pcap_t *cap;\n\n#ifdef DEBUG_TRACE\n if(trace) fprintf(trace, \"Opening %s\\n\", (const u_char*)_pcap_file[thread_id]);\n#endif\n\n cap = openPcapFileOrDevice(thread_id, (const u_char*)_pcap_file[thread_id]);\n setupDetection(thread_id, cap);\n }\n\n gettimeofday(&begin, NULL);\n\n int status;\n void * thd_res;\n\n /* Running processing threads */\n for(thread_id = 0; thread_id < num_threads; thread_id++) {\n status = pthread_create(&ndpi_thread_info[thread_id].pthread, NULL, processing_thread, (void *) thread_id);\n /* check pthreade_create return value */\n if(status != 0) {\n fprintf(stderr, \"error on create %ld thread\\n\", thread_id);\n exit(-1);\n }\n }\n /* Waiting for completion */\n for(thread_id = 0; thread_id < num_threads; thread_id++) {\n status = pthread_join(ndpi_thread_info[thread_id].pthread, &thd_res);\n /* check pthreade_join return value */\n if(status != 0) {\n fprintf(stderr, \"error on join %ld thread\\n\", thread_id);\n exit(-1);\n }\n if(thd_res != NULL) {\n fprintf(stderr, \"error on returned value of %ld joined thread\\n\", thread_id);\n exit(-1);\n }\n }\n\n gettimeofday(&end, NULL);\n processing_time_usec = end.tv_sec*1000000 + end.tv_usec - (begin.tv_sec*1000000 + begin.tv_usec);\n setup_time_usec = begin.tv_sec*1000000 + begin.tv_usec - (startup_time.tv_sec*1000000 + startup_time.tv_usec);\n\n /* Printing cumulative results */\n printResults(processing_time_usec, 
setup_time_usec);\n\n for(thread_id = 0; thread_id < num_threads; thread_id++) {\n if(ndpi_thread_info[thread_id].workflow->pcap_handle != NULL)\n pcap_close(ndpi_thread_info[thread_id].workflow->pcap_handle);\n\n terminateDetection(thread_id);\n }\n}", "project": "nDPI", "hash": 194148203305065607291925704337741919373, "size": 61, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254854 }, { "func": "static bool __hci_update_interleaved_scan(struct hci_dev *hdev)\n{\n\t/* Do interleaved scan only if all of the following are true:\n\t * - There is at least one ADV monitor\n\t * - At least one pending LE connection or one device to be scanned for\n\t * - Monitor offloading is not supported\n\t * If so, we should alternate between allowlist scan and one without\n\t * any filters to save power.\n\t */\n\tbool use_interleaving = hci_is_adv_monitoring(hdev) &&\n\t\t\t\t!(list_empty(&hdev->pend_le_conns) &&\n\t\t\t\t list_empty(&hdev->pend_le_reports)) &&\n\t\t\t\thci_get_adv_monitor_offload_ext(hdev) ==\n\t\t\t\t HCI_ADV_MONITOR_EXT_NONE;\n\tbool is_interleaving = is_interleave_scanning(hdev);\n\n\tif (use_interleaving && !is_interleaving) {\n\t\tstart_interleave_scan(hdev);\n\t\tbt_dev_dbg(hdev, \"starting interleave scan\");\n\t\treturn true;\n\t}\n\n\tif (!use_interleaving && is_interleaving)\n\t\tcancel_interleave_scan(hdev);\n\n\treturn false;\n}", "project": "linux", "hash": 176613669671144076548497251052971159285, "size": 27, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402487 }, { "func": "TfLiteStatus PopulateLedgerData(const TfLiteSparsity* sparsity,\n TfLiteContext* context, uint8_t* ledger_data) {\n TF_LITE_ENSURE(context, sparsity != nullptr);\n const auto* array_segments = sparsity->dim_metadata[1].array_segments;\n const auto* array_indices = sparsity->dim_metadata[1].array_indices;\n int output_data_ptr = 0;\n\n for (int i = 0; i < array_segments->size - 1; i++) {\n int row_start = array_segments->data[i];\n int row_end = array_segments->data[i + 1];\n if (row_end - row_start > UINT8_MAX) {\n return kTfLiteError;\n }\n // Copy num of non-zero blocks in row i.\n ledger_data[output_data_ptr] = static_cast(row_end - row_start);\n output_data_ptr++;\n\n for (int j = row_start; j < row_end; j++) {\n if (array_indices->data[j] > UINT8_MAX) {\n return kTfLiteError;\n }\n // Copy indices of non-zero blocks in row i.\n ledger_data[output_data_ptr] =\n static_cast(array_indices->data[j]);\n output_data_ptr++;\n }\n }\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 230490962394482769176987065691753517507, "size": 29, "commit_id": "6c0b2b70eeee588591680f5b7d5d38175fd7cdf6", "message": "[lite] add validation check for sparse fully connected\n\nPiperOrigin-RevId: 417629354\nChange-Id: If96171c4bd4f5fdb01d6368d6deab19d1c9beca7", "target": 0, "dataset": "other", "idx": 220476 }, { "func": "static void 
__execlists_submission_tasklet(struct intel_engine_cs *const engine)\n{\n\tlockdep_assert_held(&engine->active.lock);\n\tif (!engine->execlists.pending[0]) {\n\t\trcu_read_lock(); /* protect peeking at execlists->active */\n\t\texeclists_dequeue(engine);\n\t\trcu_read_unlock();\n\t}\n}", "project": "linux", "hash": 65611074088865757269868890292428514593, "size": 9, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281555 }, { "func": "static int core_upgrade_handler(request_rec *r)\n{\n conn_rec *c = r->connection;\n const char *upgrade;\n\n if (c->master) {\n /* Not possible to perform an HTTP/1.1 upgrade from a slave\n * connection. 
*/\n return DECLINED;\n }\n \n upgrade = apr_table_get(r->headers_in, \"Upgrade\");\n if (upgrade && *upgrade) {\n const char *conn = apr_table_get(r->headers_in, \"Connection\");\n if (ap_find_token(r->pool, conn, \"upgrade\")) {\n apr_array_header_t *offers = NULL;\n const char *err;\n \n err = ap_parse_token_list_strict(r->pool, upgrade, &offers, 0);\n if (err) {\n ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02910)\n \"parsing Upgrade header: %s\", err);\n return DECLINED;\n }\n \n if (offers && offers->nelts > 0) {\n const char *protocol = ap_select_protocol(c, r, NULL, offers);\n if (protocol && strcmp(protocol, ap_get_protocol(c))) {\n ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02909)\n \"Upgrade selects '%s'\", protocol);\n /* Let the client know what we are upgrading to. */\n apr_table_clear(r->headers_out);\n apr_table_setn(r->headers_out, \"Upgrade\", protocol);\n apr_table_setn(r->headers_out, \"Connection\", \"Upgrade\");\n \n r->status = HTTP_SWITCHING_PROTOCOLS;\n r->status_line = ap_get_status_line(r->status);\n ap_send_interim_response(r, 1);\n\n ap_switch_protocol(c, r, r->server, protocol);\n\n /* make sure httpd closes the connection after this */\n c->keepalive = AP_CONN_CLOSE;\n return DONE;\n }\n }\n }\n }\n else if (!c->keepalives) {\n /* first request on a master connection, if we have protocols other\n * than the current one enabled here, announce them to the\n * client. If the client is already talking a protocol with requests\n * on slave connections, leave it be. 
*/\n const apr_array_header_t *upgrades;\n ap_get_protocol_upgrades(c, r, NULL, 0, &upgrades);\n if (upgrades && upgrades->nelts > 0) {\n char *protocols = apr_array_pstrcat(r->pool, upgrades, ',');\n apr_table_setn(r->headers_out, \"Upgrade\", protocols);\n apr_table_setn(r->headers_out, \"Connection\", \"Upgrade\");\n }\n }\n \n return DECLINED;\n}", "project": "httpd", "hash": 116568284114246520318976326267792554284, "size": 64, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246303 }, { "func": "void CSoundFile::PortamentoFineMPT(ModChannel* pChn, int param)\n{\n\t//Behavior: Divides portamento change between ticks/row. For example\n\t//if Ticks/row == 6, and param == +-6, portamento goes up/down by one tuning-dependent\n\t//fine step every tick.\n\n\tif(m_PlayState.m_nTickCount == 0)\n\t\tpChn->nOldFinePortaUpDown = 0;\n\n\tconst int tickParam = static_cast((m_PlayState.m_nTickCount + 1.0) * param / m_PlayState.m_nMusicSpeed);\n\tpChn->m_PortamentoFineSteps += (param >= 0) ? 
tickParam - pChn->nOldFinePortaUpDown : tickParam + pChn->nOldFinePortaUpDown;\n\tif(m_PlayState.m_nTickCount + 1 == m_PlayState.m_nMusicSpeed)\n\t\tpChn->nOldFinePortaUpDown = static_cast(mpt::abs(param));\n\telse\n\t\tpChn->nOldFinePortaUpDown = static_cast(mpt::abs(tickParam));\n\n\tpChn->m_CalculateFreq = true;\n}", "project": "openmpt", "hash": 196193987501044818451118381696318320446, "size": 18, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255197 }, { "func": "lua_datum::~lua_datum()\n{\n cleanup();\n}", "project": "crawl", "hash": 301788928645789907658007395667540189513, "size": 4, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230506 }, { "func": "void msg_free(message_data_t *m)\n{\n if (m->data)\n\tprot_free(m->data);\n if (m->f)\n\tfclose(m->f);\n free(m->id);\n free(m->path);\n free(m->control);\n free(m->date);\n\n strarray_fini(&m->rcpt);\n\n spool_free_hdrcache(m->hdrcache);\n\n free(m);\n}", "project": "cyrus-imapd", "hash": 293745256544589301067234617522281409651, "size": 17, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451906 }, { "func": "static rfbBool rectSwapIfLEAndClip(uint16_t* x,uint16_t* y,uint16_t* w,uint16_t* h,\n\t\trfbClientPtr cl)\n{\n\tint x1=Swap16IfLE(*x);\n\tint y1=Swap16IfLE(*y);\n\tint w1=Swap16IfLE(*w);\n\tint h1=Swap16IfLE(*h);\n\n\trfbScaledCorrection(cl->scaledScreen, cl->screen, &x1, &y1, &w1, &h1, \"rectSwapIfLEAndClip\");\n\t*x = x1;\n\t*y = y1;\n\t*w = w1;\n\t*h = 
h1;\n\n\tif(*w>cl->screen->width-*x)\n\t\t*w=cl->screen->width-*x;\n\t/* possible underflow */\n\tif(*w>cl->screen->width-*x)\n\t\treturn FALSE;\n\tif(*h>cl->screen->height-*y)\n\t\t*h=cl->screen->height-*y;\n\tif(*h>cl->screen->height-*y)\n\t\treturn FALSE;\n\n\treturn TRUE;\n}", "project": "libvncserver", "hash": 67409617865146525508000198345260167425, "size": 26, "commit_id": "673c07a75ed844d74676f3ccdcfdc706a7052dba", "message": "libvncserver/rfbserver: fix possible divide-by-zero\n\nCloses #409", "target": 0, "dataset": "other", "idx": 295841 }, { "func": "UnicodeStringTest::TestReadOnlyAlias() {\n UChar uchars[]={ 0x61, 0x62, 0 };\n UnicodeString alias(TRUE, uchars, 2);\n if(alias.length()!=2 || alias.getBuffer()!=uchars || alias.getTerminatedBuffer()!=uchars) {\n errln(\"UnicodeString read-only-aliasing constructor does not behave as expected.\");\n return;\n }\n alias.truncate(1);\n if(alias.length()!=1 || alias.getBuffer()!=uchars) {\n errln(\"UnicodeString(read-only-alias).truncate() did not preserve aliasing as expected.\");\n }\n if(alias.getTerminatedBuffer()==uchars) {\n errln(\"UnicodeString(read-only-alias).truncate().getTerminatedBuffer() \"\n \"did not allocate and copy as expected.\");\n }\n if(uchars[1]!=0x62) {\n errln(\"UnicodeString(read-only-alias).truncate().getTerminatedBuffer() \"\n \"modified the original buffer.\");\n }\n if(1!=u_strlen(alias.getTerminatedBuffer())) {\n errln(\"UnicodeString(read-only-alias).truncate().getTerminatedBuffer() \"\n \"does not return a buffer terminated at the proper length.\");\n }\n\n alias.setTo(TRUE, uchars, 2);\n if(alias.length()!=2 || alias.getBuffer()!=uchars || alias.getTerminatedBuffer()!=uchars) {\n errln(\"UnicodeString read-only-aliasing setTo() does not behave as expected.\");\n return;\n }\n alias.remove();\n if(alias.length()!=0) {\n errln(\"UnicodeString(read-only-alias).remove() did not work.\");\n }\n if(alias.getTerminatedBuffer()==uchars) {\n 
errln(\"UnicodeString(read-only-alias).remove().getTerminatedBuffer() \"\n \"did not un-alias as expected.\");\n }\n if(uchars[0]!=0x61) {\n errln(\"UnicodeString(read-only-alias).remove().getTerminatedBuffer() \"\n \"modified the original buffer.\");\n }\n if(0!=u_strlen(alias.getTerminatedBuffer())) {\n errln(\"UnicodeString.setTo(read-only-alias).remove().getTerminatedBuffer() \"\n \"does not return a buffer terminated at length 0.\");\n }\n\n UnicodeString longString=UNICODE_STRING_SIMPLE(\"abcdefghijklmnopqrstuvwxyz0123456789\");\n alias.setTo(FALSE, longString.getBuffer(), longString.length());\n alias.remove(0, 10);\n if(longString.compare(10, INT32_MAX, alias)!=0 || alias.getBuffer()!=longString.getBuffer()+10) {\n errln(\"UnicodeString.setTo(read-only-alias).remove(0, 10) did not preserve aliasing as expected.\");\n }\n alias.setTo(FALSE, longString.getBuffer(), longString.length());\n alias.remove(27, 99);\n if(longString.compare(0, 27, alias)!=0 || alias.getBuffer()!=longString.getBuffer()) {\n errln(\"UnicodeString.setTo(read-only-alias).remove(27, 99) did not preserve aliasing as expected.\");\n }\n alias.setTo(FALSE, longString.getBuffer(), longString.length());\n alias.retainBetween(6, 30);\n if(longString.compare(6, 24, alias)!=0 || alias.getBuffer()!=longString.getBuffer()+6) {\n errln(\"UnicodeString.setTo(read-only-alias).retainBetween(6, 30) did not preserve aliasing as expected.\");\n }\n\n UChar abc[]={ 0x61, 0x62, 0x63, 0 };\n UBool hasRVO= wrapUChars(abc).getBuffer()==abc;\n\n UnicodeString temp;\n temp.fastCopyFrom(longString.tempSubString());\n if(temp!=longString || (hasRVO && temp.getBuffer()!=longString.getBuffer())) {\n errln(\"UnicodeString.tempSubString() failed\");\n }\n temp.fastCopyFrom(longString.tempSubString(-3, 5));\n if(longString.compare(0, 5, temp)!=0 || (hasRVO && temp.getBuffer()!=longString.getBuffer())) {\n errln(\"UnicodeString.tempSubString(-3, 5) failed\");\n }\n temp.fastCopyFrom(longString.tempSubString(17));\n 
if(longString.compare(17, INT32_MAX, temp)!=0 || (hasRVO && temp.getBuffer()!=longString.getBuffer()+17)) {\n errln(\"UnicodeString.tempSubString(17) failed\");\n }\n temp.fastCopyFrom(longString.tempSubString(99));\n if(!temp.isEmpty()) {\n errln(\"UnicodeString.tempSubString(99) failed\");\n }\n temp.fastCopyFrom(longString.tempSubStringBetween(6));\n if(longString.compare(6, INT32_MAX, temp)!=0 || (hasRVO && temp.getBuffer()!=longString.getBuffer()+6)) {\n errln(\"UnicodeString.tempSubStringBetween(6) failed\");\n }\n temp.fastCopyFrom(longString.tempSubStringBetween(8, 18));\n if(longString.compare(8, 10, temp)!=0 || (hasRVO && temp.getBuffer()!=longString.getBuffer()+8)) {\n errln(\"UnicodeString.tempSubStringBetween(8, 18) failed\");\n }\n UnicodeString bogusString;\n bogusString.setToBogus();\n temp.fastCopyFrom(bogusString.tempSubStringBetween(8, 18));\n if(!temp.isBogus()) {\n errln(\"UnicodeString.setToBogus().tempSubStringBetween(8, 18) failed\");\n }\n}", "project": "icu", "hash": 257777112233833644148795309291003368601, "size": 98, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430830 }, { "func": "static int i2c_r(struct sd *sd, u8 reg)\n{\n\tint ret = -1;\n\n\tif (sd->sensor_reg_cache[reg] != -1)\n\t\treturn sd->sensor_reg_cache[reg];\n\n\tswitch (sd->bridge) {\n\tcase BRIDGE_OV511:\n\tcase BRIDGE_OV511PLUS:\n\t\tret = ov511_i2c_r(sd, reg);\n\t\tbreak;\n\tcase BRIDGE_OV518:\n\tcase BRIDGE_OV518PLUS:\n\tcase BRIDGE_OV519:\n\t\tret = ov518_i2c_r(sd, reg);\n\t\tbreak;\n\tcase BRIDGE_OVFX2:\n\t\tret = ovfx2_i2c_r(sd, reg);\n\t\tbreak;\n\tcase BRIDGE_W9968CF:\n\t\tret = w9968cf_i2c_r(sd, reg);\n\t\tbreak;\n\t}\n\n\tif (ret >= 0)\n\t\tsd->sensor_reg_cache[reg] = ret;\n\n\treturn ret;\n}", "project": "linux", "hash": 106442489740655367557224014803099254805, "size": 30, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: 
ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306332 }, { "func": "wStream* cliprdr_packet_file_contents_response_new(const CLIPRDR_FILE_CONTENTS_RESPONSE* response)\n{\n\twStream* s;\n\n\tif (!response)\n\t\treturn NULL;\n\n\ts = cliprdr_packet_new(CB_FILECONTENTS_RESPONSE, response->msgFlags, 4 + response->cbRequested);\n\n\tif (!s)\n\t\treturn NULL;\n\n\tcliprdr_write_file_contents_response(s, response);\n\treturn s;\n}", "project": "FreeRDP", "hash": 67244558931113018275091978990244193302, "size": 15, "commit_id": "b73143cf7ee5fe4cdabcbf56908aa15d8a883821", "message": "Fixed oob read in cliprdr_read_format_list", "target": 0, "dataset": "other", "idx": 388320 }, { "func": "static int copy_strings(int argc, struct user_arg_ptr argv,\n\t\t\tstruct linux_binprm *bprm)\n{\n\tstruct page *kmapped_page = NULL;\n\tchar *kaddr = NULL;\n\tunsigned long kpos = 0;\n\tint ret;\n\n\twhile (argc-- > 0) {\n\t\tconst char __user *str;\n\t\tint len;\n\t\tunsigned long pos;\n\n\t\tret = -EFAULT;\n\t\tstr = get_user_arg_ptr(argv, argc);\n\t\tif (IS_ERR(str))\n\t\t\tgoto out;\n\n\t\tlen = strnlen_user(str, MAX_ARG_STRLEN);\n\t\tif (!len)\n\t\t\tgoto out;\n\n\t\tret = -E2BIG;\n\t\tif (!valid_arg_len(bprm, len))\n\t\t\tgoto out;\n\n\t\t/* We're going to work our way backwords. 
*/\n\t\tpos = bprm->p;\n\t\tstr += len;\n\t\tbprm->p -= len;\n#ifdef CONFIG_MMU\n\t\tif (bprm->p < bprm->argmin)\n\t\t\tgoto out;\n#endif\n\n\t\twhile (len > 0) {\n\t\t\tint offset, bytes_to_copy;\n\n\t\t\tif (fatal_signal_pending(current)) {\n\t\t\t\tret = -ERESTARTNOHAND;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tcond_resched();\n\n\t\t\toffset = pos % PAGE_SIZE;\n\t\t\tif (offset == 0)\n\t\t\t\toffset = PAGE_SIZE;\n\n\t\t\tbytes_to_copy = offset;\n\t\t\tif (bytes_to_copy > len)\n\t\t\t\tbytes_to_copy = len;\n\n\t\t\toffset -= bytes_to_copy;\n\t\t\tpos -= bytes_to_copy;\n\t\t\tstr -= bytes_to_copy;\n\t\t\tlen -= bytes_to_copy;\n\n\t\t\tif (!kmapped_page || kpos != (pos & PAGE_MASK)) {\n\t\t\t\tstruct page *page;\n\n\t\t\t\tpage = get_arg_page(bprm, pos, 1);\n\t\t\t\tif (!page) {\n\t\t\t\t\tret = -E2BIG;\n\t\t\t\t\tgoto out;\n\t\t\t\t}\n\n\t\t\t\tif (kmapped_page) {\n\t\t\t\t\tflush_kernel_dcache_page(kmapped_page);\n\t\t\t\t\tkunmap(kmapped_page);\n\t\t\t\t\tput_arg_page(kmapped_page);\n\t\t\t\t}\n\t\t\t\tkmapped_page = page;\n\t\t\t\tkaddr = kmap(kmapped_page);\n\t\t\t\tkpos = pos & PAGE_MASK;\n\t\t\t\tflush_arg_page(bprm, kpos, kmapped_page);\n\t\t\t}\n\t\t\tif (copy_from_user(kaddr+offset, str, bytes_to_copy)) {\n\t\t\t\tret = -EFAULT;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t}\n\t}\n\tret = 0;\nout:\n\tif (kmapped_page) {\n\t\tflush_kernel_dcache_page(kmapped_page);\n\t\tkunmap(kmapped_page);\n\t\tput_arg_page(kmapped_page);\n\t}\n\treturn ret;\n}", "project": "linux", "hash": 8556361047955779047873996536152559866, "size": 91, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375299 }, { "func": "static int SFDGetBitmapReference(FILE *sfd,BDFFont *bdf) {\n BDFChar *bc;\n BDFRefChar *ref, *head;\n int gid, rgid, xoff, yoff;\n char ch;\n\n /* 'BDFRefChar:' elements should not occur in the file before the corresponding */\n /* 'BDFChar:'. However it is possible that the glyphs they refer to are not yet */\n /* available. 
So we will find them later */\n if ( getint(sfd,&gid)!=1 || gid<=0 || gid >= bdf->glyphcnt || ( bc = bdf->glyphs[gid] ) == NULL )\nreturn( 0 );\n if ( getint(sfd,&rgid)!=1 || rgid<0 )\nreturn( 0 );\n if ( getint(sfd,&xoff)!=1 )\nreturn( 0 );\n if ( getint(sfd,&yoff)!=1 )\nreturn( 0 );\n while ( isspace( ch=nlgetc( sfd )) && ch!='\\r' && ch!='\\n' );\n\n ref = calloc( 1,sizeof( BDFRefChar ));\n ref->gid = rgid; ref->xoff = xoff, ref->yoff = yoff;\n if ( ch == 'S' ) ref->selected = true;\n for ( head = bc->refs; head != NULL && head->next!=NULL; head = head->next );\n if ( head == NULL ) bc->refs = ref;\n else head->next = ref;\nreturn( 1 );\n}", "project": "fontforge", "hash": 253035184711560055505407978519715055660, "size": 27, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417883 }, { "func": "int last_filter(const uint8_t* filters, char cmode) {\n int last_index = -1;\n for (int i = BLOSC2_MAX_FILTERS - 1; i >= 0; i--) {\n if (!do_nothing(filters[i], cmode)) {\n last_index = i;\n }\n }\n return last_index;\n}", "project": "c-blosc2", "hash": 191363356174116558724457057100505346177, "size": 9, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303109 }, { "func": "static inline void __mmput(struct mm_struct *mm)\n{\n\tVM_BUG_ON(atomic_read(&mm->mm_users));\n\n\tuprobe_clear_state(mm);\n\texit_aio(mm);\n\tksm_exit(mm);\n\tkhugepaged_exit(mm); /* must run before exit_mmap 
*/\n\texit_mmap(mm);\n\tmm_put_huge_zero_page(mm);\n\tset_mm_exe_file(mm, NULL);\n\tif (!list_empty(&mm->mmlist)) {\n\t\tspin_lock(&mmlist_lock);\n\t\tlist_del(&mm->mmlist);\n\t\tspin_unlock(&mmlist_lock);\n\t}\n\tif (mm->binfmt)\n\t\tmodule_put(mm->binfmt->module);\n\tmmdrop(mm);\n}", "project": "linux", "hash": 39592708154908085649499254892034466004, "size": 20, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293683 }, { "func": "static int sctp_bindx_rem(struct sock *sk, struct sockaddr *addrs, int addrcnt)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_endpoint *ep = sp->ep;\n\tint cnt;\n\tstruct sctp_bind_addr *bp = &ep->base.bind_addr;\n\tint retval = 0;\n\tvoid *addr_buf;\n\tunion sctp_addr *sa_addr;\n\tstruct sctp_af *af;\n\n\tpr_debug(\"%s: sk:%p, addrs:%p, addrcnt:%d\\n\",\n\t\t __func__, sk, addrs, addrcnt);\n\n\taddr_buf = addrs;\n\tfor (cnt = 0; cnt < addrcnt; cnt++) {\n\t\t/* If the bind address list is empty or if there is only one\n\t\t * bind address, there is nothing more to be removed (we need\n\t\t * at least one address here).\n\t\t */\n\t\tif (list_empty(&bp->address_list) ||\n\t\t (sctp_list_single_entry(&bp->address_list))) {\n\t\t\tretval = -EBUSY;\n\t\t\tgoto err_bindx_rem;\n\t\t}\n\n\t\tsa_addr = addr_buf;\n\t\taf = sctp_get_af_specific(sa_addr->sa.sa_family);\n\t\tif (!af) {\n\t\t\tretval = -EINVAL;\n\t\t\tgoto err_bindx_rem;\n\t\t}\n\n\t\tif (!af->addr_valid(sa_addr, sp, NULL)) {\n\t\t\tretval = -EADDRNOTAVAIL;\n\t\t\tgoto err_bindx_rem;\n\t\t}\n\n\t\tif (sa_addr->v4.sin_port &&\n\t\t sa_addr->v4.sin_port != htons(bp->port)) {\n\t\t\tretval = 
-EINVAL;\n\t\t\tgoto err_bindx_rem;\n\t\t}\n\n\t\tif (!sa_addr->v4.sin_port)\n\t\t\tsa_addr->v4.sin_port = htons(bp->port);\n\n\t\t/* FIXME - There is probably a need to check if sk->sk_saddr and\n\t\t * sk->sk_rcv_addr are currently set to one of the addresses to\n\t\t * be removed. This is something which needs to be looked into\n\t\t * when we are fixing the outstanding issues with multi-homing\n\t\t * socket routing and failover schemes. Refer to comments in\n\t\t * sctp_do_bind(). -daisy\n\t\t */\n\t\tretval = sctp_del_bind_addr(bp, sa_addr);\n\n\t\taddr_buf += af->sockaddr_len;\nerr_bindx_rem:\n\t\tif (retval < 0) {\n\t\t\t/* Failed. Add the ones that has been removed back */\n\t\t\tif (cnt > 0)\n\t\t\t\tsctp_bindx_add(sk, addrs, cnt);\n\t\t\treturn retval;\n\t\t}\n\t}\n\n\treturn retval;\n}", "project": "linux", "hash": 133817580037315406826550105023411928591, "size": 68, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398052 }, { "func": "ExecutionStatus setProtoClasses(\n Runtime *runtime,\n Handle obj,\n MutableHandle &arr) {\n // Layout of a JSArray stored in the for-in cache:\n // [class(proto(obj)), class(proto(proto(obj))), ..., null, prop0, prop1, ...]\n\n if (!obj->shouldCacheForIn(runtime)) {\n arr->clear(runtime);\n return ExecutionStatus::RETURNED;\n }\n MutableHandle head(runtime, obj->getParent(runtime));\n MutableHandle<> clazz(runtime);\n GCScopeMarkerRAII marker{runtime};\n while (head.get()) {\n if (!head->shouldCacheForIn(runtime)) {\n arr->clear(runtime);\n return ExecutionStatus::RETURNED;\n }\n if (JSObject::Helper::flags(*head).lazyObject) {\n // Ensure all properties have been initialized before caching the hidden\n // class. Not doing this will result in changes to the hidden class\n // when getOwnPropertyKeys is called later.\n JSObject::initializeLazyObject(runtime, head);\n }\n clazz = HermesValue::encodeObjectValue(head->getClass(runtime));\n if (LLVM_UNLIKELY(\n BigStorage::push_back(arr, runtime, clazz) ==\n ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n head = head->getParent(runtime);\n marker.flush();\n }\n clazz = HermesValue::encodeNullValue();\n return BigStorage::push_back(arr, runtime, clazz);\n}", "project": "hermes", "hash": 162577628354538457065305996852640222594, "size": 37, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230214 }, { "func": "int bcf_enc_vfloat(kstring_t *s, int n, float *a)\n{\n assert(n >= 0);\n bcf_enc_size(s, n, BCF_BT_FLOAT);\n serialize_float_array(s, n, a);\n return 0; // FIXME: check for errs in this function\n}", "project": "htslib", "hash": 58974577079150654235146060830757151196, "size": 7, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402242 }, { "func": "static int acceptable(u_int32_t num_pkts){\n return num_pkts > 5;\n}", "project": "nDPI", "hash": 334002797466221851180054156911804734497, "size": 3, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254855 }, { "func": "static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_le_enh_conn_complete *ev = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\tle_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,\n\t\t\t ev->role, le16_to_cpu(ev->handle),\n\t\t\t le16_to_cpu(ev->interval),\n\t\t\t le16_to_cpu(ev->latency),\n\t\t\t le16_to_cpu(ev->supervision_timeout));\n}", 
"project": "linux", "hash": 14138004541417597978664796161856310815, "size": 13, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431996 }, { "func": "LUA_API int lua_getinfo(lua_State *L, const char *what, lua_Debug *ar)\n{\n return lj_debug_getinfo(L, what, (lj_Debug *)ar, 0);\n}", "project": "LuaJIT", "hash": 17878920517836999573368749008809209889, "size": 4, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394630 }, { "func": "inline Status SparseTensor::Split(const SparseTensor& input_tensor,\n const int split_dim, const int num_split,\n std::vector* result) {\n std::vector output_indices;\n std::vector output_values;\n std::vector output_shapes;\n output_indices.reserve(num_split);\n output_values.reserve(num_split);\n output_shapes.reserve(num_split);\n\n std::vector::Matrix> output_indices_t;\n std::vector::Vec> output_values_t;\n output_indices_t.reserve(num_split);\n output_values_t.reserve(num_split);\n auto input_values_t = input_tensor.values().vec();\n auto input_indices_t = input_tensor.indices().matrix();\n\n std::vector num_values(num_split, 0);\n const int num_dim = input_tensor.shape().size();\n const int split_dim_size = input_tensor.shape()[split_dim];\n const int split_size = split_dim_size / num_split;\n\n if (!(num_split > 0 
&& num_split <= split_dim_size)) {\n return errors::InvalidArgument(\"num_split must be in the interval (0, \",\n split_dim_size, \"]\");\n }\n if (!(split_dim >= 0 && split_dim < num_dim)) {\n return errors::InvalidArgument(\"num_dim must be in the interval [0, \",\n num_dim, \")\");\n }\n\n const int residual = split_dim_size % num_split;\n for (int i = 0; i < input_tensor.indices().dim_size(0); ++i) {\n const int dim = input_tensor.indices().matrix()(i, split_dim);\n int slice_index = GetSliceIndex(dim, split_size, residual);\n num_values[slice_index]++;\n }\n\n for (int i = 0; i < num_split; ++i) {\n // TODO(ataei): Pass an allocator to avoid allocating large memory buffer.\n output_indices.emplace_back(DT_INT64,\n TensorShape({num_values[i], num_dim}));\n output_values.emplace_back(DataTypeToEnum::v(),\n TensorShape({num_values[i]}));\n output_shapes.emplace_back(input_tensor.shape());\n output_indices_t.emplace_back(output_indices[i].matrix());\n output_values_t.emplace_back(output_values[i].vec());\n const int size = GetSliceShape(i, split_size, residual);\n output_shapes[i].set_dim(split_dim, size);\n }\n\n std::vector values_inserted_in_slice(num_split, 0);\n for (int i = 0; i < input_tensor.indices().dim_size(0); ++i) {\n const int dim = input_indices_t(i, split_dim);\n const int slice_index = GetSliceIndex(dim, split_size, residual);\n const int slice_dim = values_inserted_in_slice[slice_index]++;\n output_values_t[slice_index](slice_dim) = input_values_t(i);\n for (int j = 0; j < num_dim; ++j) {\n const int64 original_dim = input_indices_t(i, j);\n output_indices_t[slice_index](slice_dim, j) =\n (j == split_dim)\n ? 
GetDimensionInSlice(original_dim, split_size, residual)\n : original_dim;\n }\n }\n\n result->clear();\n result->reserve(num_split);\n for (int i = 0; i < num_split; ++i) {\n SparseTensor tensor;\n Status create_status =\n Create(output_indices[i], output_values[i], output_shapes[i], &tensor);\n if (!create_status.ok()) {\n return create_status;\n }\n result->push_back(std::move(tensor));\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 146709249587504964012296817765190543788, "size": 79, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 1, "dataset": "other", "idx": 198557 }, { "func": "inline Status SparseTensor::Split(const SparseTensor& input_tensor,\n const int split_dim, const int num_split,\n std::vector* result) {\n std::vector output_indices;\n std::vector output_values;\n std::vector output_shapes;\n output_indices.reserve(num_split);\n output_values.reserve(num_split);\n output_shapes.reserve(num_split);\n\n std::vector::Matrix> output_indices_t;\n std::vector::Vec> output_values_t;\n output_indices_t.reserve(num_split);\n output_values_t.reserve(num_split);\n auto input_values_t = input_tensor.values().vec();\n auto input_indices_t = input_tensor.indices().matrix();\n\n std::vector num_values(num_split, 0);\n const int num_dim = input_tensor.shape().size();\n const int split_dim_size = input_tensor.shape()[split_dim];\n const int split_size = split_dim_size / num_split;\n\n if (!(num_split > 0 && num_split <= split_dim_size)) {\n return errors::InvalidArgument(\"num_split must be in the interval (0, \",\n split_dim_size, \"]\");\n }\n if (!(split_dim >= 0 && split_dim < num_dim)) {\n return errors::InvalidArgument(\"num_dim must be in the interval [0, \",\n num_dim, \")\");\n }\n\n const int residual = split_dim_size % num_split;\n for (int i = 0; i < 
input_tensor.indices().dim_size(0); ++i) {\n const int dim = input_tensor.indices().matrix()(i, split_dim);\n int slice_index = GetSliceIndex(dim, split_size, residual);\n if (slice_index >= num_values.size()) {\n return errors::InvalidArgument(\"Slice index \", slice_index,\n \" is larger than num_split.\");\n }\n num_values[slice_index]++;\n }\n\n for (int i = 0; i < num_split; ++i) {\n // TODO(ataei): Pass an allocator to avoid allocating large memory buffer.\n output_indices.emplace_back(DT_INT64,\n TensorShape({num_values[i], num_dim}));\n output_values.emplace_back(DataTypeToEnum::v(),\n TensorShape({num_values[i]}));\n output_shapes.emplace_back(input_tensor.shape());\n output_indices_t.emplace_back(output_indices[i].matrix());\n output_values_t.emplace_back(output_values[i].vec());\n const int size = GetSliceShape(i, split_size, residual);\n output_shapes[i].set_dim(split_dim, size);\n }\n\n std::vector values_inserted_in_slice(num_split, 0);\n for (int i = 0; i < input_tensor.indices().dim_size(0); ++i) {\n const int dim = input_indices_t(i, split_dim);\n const int slice_index = GetSliceIndex(dim, split_size, residual);\n const int slice_dim = values_inserted_in_slice[slice_index]++;\n output_values_t[slice_index](slice_dim) = input_values_t(i);\n for (int j = 0; j < num_dim; ++j) {\n const int64 original_dim = input_indices_t(i, j);\n output_indices_t[slice_index](slice_dim, j) =\n (j == split_dim)\n ? 
GetDimensionInSlice(original_dim, split_size, residual)\n : original_dim;\n }\n }\n\n result->clear();\n result->reserve(num_split);\n for (int i = 0; i < num_split; ++i) {\n SparseTensor tensor;\n Status create_status =\n Create(output_indices[i], output_values[i], output_shapes[i], &tensor);\n if (!create_status.ok()) {\n return create_status;\n }\n result->push_back(std::move(tensor));\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 10706522302590550572564966482861572860, "size": 83, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277030 }, { "func": "Variant preg_replace_impl(const Variant& pattern, const Variant& replacement,\n const Variant& subject, int limit, int64_t* count,\n bool is_callable, bool is_filter) {\n assertx(!(is_callable && is_filter));\n if (!is_callable &&\n replacement.isArray() && !pattern.isArray()) {\n raise_warning(\"Parameter mismatch, pattern is a string while \"\n \"replacement is an array\");\n return preg_return_internal_error(false);\n }\n\n int replace_count = 0;\n if (!isContainer(subject)) {\n auto ret = php_replace_in_subject(pattern, replacement, subject.toString(),\n limit, is_callable, &replace_count);\n\n if (ret.isNull()) return ret; // php_replace_in_subject already set error\n assertx(ret.isString());\n if (count) *count = replace_count;\n if (is_filter && replace_count == 0) {\n return preg_return_internal_error(init_null());\n }\n return preg_return_no_error(std::move(ret));\n }\n\n Array return_value = Array::CreateDArray();\n Array arrSubject = subject.toDArray();\n for (ArrayIter iter(arrSubject); iter; ++iter) {\n auto old_replace_count = replace_count;\n String subject_entry = iter.second().toString();\n auto ret = php_replace_in_subject(pattern, replacement, subject_entry,\n limit, 
is_callable, &replace_count);\n\n if (ret.isString() && (!is_filter || replace_count > old_replace_count)) {\n return_value.set(iter.first(), ret.asStrRef());\n }\n }\n if (count) *count = replace_count;\n return preg_return_no_error(std::move(return_value));\n}", "project": "hhvm", "hash": 77048129183759092070163521553414420200, "size": 40, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219249 }, { "func": "inline int RequiredBufferSizeForDims(const Dims<4>& dims) {\n return FlatSize(dims);\n}", "project": "tensorflow", "hash": 77276692963824790625538358617728746456, "size": 3, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269167 }, { "func": "static u8 tdme_chipinit(void *device_ref)\n{\n\tu8 status = MAC_SUCCESS;\n\tu8 sfr_address;\n\tstruct spi_device *spi = device_ref;\n\tstruct preamble_cfg_sfr pre_cfg_value = {\n\t\t.timeout_symbols = 3,\n\t\t.acquisition_symbols = 3,\n\t\t.search_symbols = 1,\n\t};\n\t/* LNA Gain Settings */\n\tstatus = tdme_setsfr_request_sync(\n\t\t1, (sfr_address = CA8210_SFR_LNAGX40),\n\t\tLNAGX40_DEFAULT_GAIN, device_ref);\n\tif (status)\n\t\tgoto finish;\n\tstatus = tdme_setsfr_request_sync(\n\t\t1, (sfr_address = CA8210_SFR_LNAGX41),\n\t\tLNAGX41_DEFAULT_GAIN, device_ref);\n\tif (status)\n\t\tgoto finish;\n\tstatus = tdme_setsfr_request_sync(\n\t\t1, (sfr_address = CA8210_SFR_LNAGX42),\n\t\tLNAGX42_DEFAULT_GAIN, device_ref);\n\tif (status)\n\t\tgoto finish;\n\tstatus = tdme_setsfr_request_sync(\n\t\t1, (sfr_address = CA8210_SFR_LNAGX43),\n\t\tLNAGX43_DEFAULT_GAIN, device_ref);\n\tif (status)\n\t\tgoto finish;\n\tstatus = tdme_setsfr_request_sync(\n\t\t1, (sfr_address = CA8210_SFR_LNAGX44),\n\t\tLNAGX44_DEFAULT_GAIN, device_ref);\n\tif (status)\n\t\tgoto finish;\n\tstatus = tdme_setsfr_request_sync(\n\t\t1, (sfr_address = CA8210_SFR_LNAGX45),\n\t\tLNAGX45_DEFAULT_GAIN, device_ref);\n\tif (status)\n\t\tgoto finish;\n\tstatus = tdme_setsfr_request_sync(\n\t\t1, (sfr_address = CA8210_SFR_LNAGX46),\n\t\tLNAGX46_DEFAULT_GAIN, device_ref);\n\tif (status)\n\t\tgoto finish;\n\tstatus = tdme_setsfr_request_sync(\n\t\t1, (sfr_address = CA8210_SFR_LNAGX47),\n\t\tLNAGX47_DEFAULT_GAIN, device_ref);\n\tif (status)\n\t\tgoto finish;\n\t/* Preamble Timing Config */\n\tstatus = tdme_setsfr_request_sync(\n\t\t1, (sfr_address = 
CA8210_SFR_PRECFG),\n\t\t*((u8 *)&pre_cfg_value), device_ref);\n\tif (status)\n\t\tgoto finish;\n\t/* Preamble Threshold High */\n\tstatus = tdme_setsfr_request_sync(\n\t\t1, (sfr_address = CA8210_SFR_PTHRH),\n\t\tPTHRH_DEFAULT_THRESHOLD, device_ref);\n\tif (status)\n\t\tgoto finish;\n\t/* Tx Output Power 8 dBm */\n\tstatus = tdme_setsfr_request_sync(\n\t\t0, (sfr_address = CA8210_SFR_PACFGIB),\n\t\tPACFGIB_DEFAULT_CURRENT, device_ref);\n\tif (status)\n\t\tgoto finish;\n\nfinish:\n\tif (status != MAC_SUCCESS) {\n\t\tdev_err(\n\t\t\t&spi->dev,\n\t\t\t\"failed to set sfr at %#03x, status = %#03x\\n\",\n\t\t\tsfr_address,\n\t\t\tstatus\n\t\t);\n\t}\n\treturn status;\n}", "project": "linux", "hash": 163918727339325410478929822611080625126, "size": 81, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408772 }, { "func": "static int imap_mbox_check(struct Mailbox *m)\n{\n imap_allow_reopen(m);\n int rc = imap_check_mailbox(m, false);\n /* NOTE - ctx might have been changed at this point. In particular,\n * m could be NULL. Beware. 
*/\n imap_disallow_reopen(m);\n\n return rc;\n}", "project": "neomutt", "hash": 113586071897039988253554773734987495024, "size": 10, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357022 }, { "func": "Variant preg_match(const String& pattern, const String& subject,\n Variant* matches /* = nullptr */, int flags /* = 0 */,\n int offset /* = 0 */) {\n return preg_match(pattern.get(), subject.get(), matches, flags, offset);\n}", "project": "hhvm", "hash": 72794272221445003413479981707042985260, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219107 }, { "func": "Variant preg_match(const StringData* pattern, const StringData* subject,\n Variant* matches /* = nullptr */, int flags /* = 0 */,\n int offset /* = 0 */) {\n return preg_match_impl(pattern, subject, matches, flags, offset, false);\n}", "project": "hhvm", "hash": 333773747634301525963386779668910874498, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219509 }, { "func": "bool CLua::is_managed_vm(lua_State *ls)\n{\n lua_stack_cleaner clean(ls);\n lua_pushstring(ls, \"lua_vm_is_managed\");\n lua_gettable(ls, LUA_REGISTRYINDEX);\n return lua_toboolean(ls, -1);\n}", "project": "crawl", "hash": 242142940055897622456083073141268752256, "size": 7, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230533 }, { "func": " bool excl_dep_on_table(table_map tab_map)\n {\n for (uint i= 0; i < arg_count; i++)\n {\n if (args[i]->const_item())\n continue;\n 
if (!args[i]->excl_dep_on_table(tab_map))\n return false;\n }\n return true;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 162111185904487353071944178744593652223, "size": 11, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509175 }, { "func": " virtual bool excl_dep_on_table(table_map tab_map) { return false; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 326626204616069018278377320095466284485, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509237 }, { "func": " bool excl_dep_on_table(table_map tab_map)\n { \n table_map used= used_tables();\n if (used & OUTER_REF_TABLE_BIT)\n return false;\n return (used == tab_map) || (*ref)->excl_dep_on_table(tab_map);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 63341468618853125530109771025907211479, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509399 }, { "func": "unsigned Utf8Decoder::WriteUtf16(uint16_t* data,\n unsigned length) const {\n DCHECK(length > 0);\n if (length > utf16_length_) length = utf16_length_;\n // memcpy everything in buffer.\n unsigned buffer_length =\n last_byte_of_buffer_unused_ ? kBufferSize - 1 : kBufferSize;\n unsigned memcpy_length = length <= buffer_length ? length : buffer_length;\n v8::internal::MemCopy(data, buffer_, memcpy_length * sizeof(uint16_t));\n if (length <= buffer_length) return length;\n DCHECK(unbuffered_start_ != NULL);\n // Copy the rest the slow way.\n WriteUtf16Slow(unbuffered_start_, unbuffered_length_, data + buffer_length,\n length - buffer_length);\n return length;\n}", "project": "node", "hash": 58133599712798170378057486598340173226, "size": 16, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385620 }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLNode::XMLNode(const string& n, const string& c)\n\t: _name(n)\n\t, _is_content(true)\n\t, _content(c)\n{\n\t_proplist.reserve (PROPERTY_RESERVE_COUNT);\n}", "idx": 519647, "cwe": "CWE-416", "hash": 73644774300468477366905689261692520826, "dataset": "other" }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLNode::XMLNode(const string& n)\n\t: _name(n)\n\t, _is_content(false)\n{\n\t_proplist.reserve (PROPERTY_RESERVE_COUNT);\n}", "idx": 519656, "cwe": "CWE-416", "hash": 163145413174416527102430984877799100136, "dataset": "other" }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": 
"XMLNode::XMLNode(const XMLNode& from)\n{\n\t_proplist.reserve (PROPERTY_RESERVE_COUNT);\n\t*this = from;\n}", "idx": 519666, "cwe": "CWE-416", "hash": 191444095485513730278784400279535286698, "dataset": "other" }, { "func": "static int oidc_handle_session_management_iframe_rp(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session, const char *client_id,\n\t\tconst char *check_session_iframe) {\n\n\toidc_debug(r, \"enter\");\n\n\tconst char *java_script =\n\t\t\t\" \\n\";\n\n\t/* determine the origin for the check_session_iframe endpoint */\n\tchar *origin = apr_pstrdup(r->pool, check_session_iframe);\n\tapr_uri_t uri;\n\tapr_uri_parse(r->pool, check_session_iframe, &uri);\n\tchar *p = strstr(origin, uri.path);\n\t*p = '\\0';\n\n\t/* the element identifier for the OP iframe */\n\tconst char *op_iframe_id = \"openidc-op\";\n\n\t/* restore the OP session_state from the session */\n\tconst char *session_state = oidc_session_get_session_state(r, session);\n\tif (session_state == NULL) {\n\t\toidc_warn(r,\n\t\t\t\t\"no session_state found in the session; the OP does probably not support session management!?\");\n\t\t//return OK;\n\t}\n\n\tchar *s_poll_interval = NULL;\n\toidc_util_get_request_parameter(r, \"poll\", &s_poll_interval);\n\tint poll_interval = s_poll_interval ? strtol(s_poll_interval, NULL, 10) : 0;\n\tif ((poll_interval <= 0) || (poll_interval > 3600 * 24))\n\t\tpoll_interval = 3000;\n\n\tchar *login_uri = NULL, *error_str = NULL, *error_description = NULL;\n\toidc_util_get_request_parameter(r, \"login_uri\", &login_uri);\n\tif ((login_uri != NULL)\n\t\t\t&& (oidc_validate_redirect_url(r, c, login_uri, FALSE, &error_str,\n\t\t\t\t\t&error_description) == FALSE)) {\n\t\treturn HTTP_BAD_REQUEST;\n\t}\n\n\tconst char *redirect_uri = oidc_get_redirect_uri(r, c);\n\n\tjava_script = apr_psprintf(r->pool, java_script, origin, client_id,\n\t\t\tsession_state ? session_state : \"\", login_uri ? 
login_uri : \"\",\n\t\t\t\t\top_iframe_id, poll_interval, redirect_uri, redirect_uri);\n\n\treturn oidc_util_html_send(r, NULL, java_script, \"setTimer\", NULL, OK);\n}", "project": "mod_auth_openidc", "hash": 272244263896952473548121444464189585030, "size": 90, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381914 }, { "func": "static int oidc_handle_session_management_iframe_rp(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session, const char *client_id,\n\t\tconst char *check_session_iframe) {\n\n\toidc_debug(r, \"enter\");\n\n\tconst char *java_script =\n\t\t\t\" \\n\";\n\n\t/* determine the origin for the check_session_iframe endpoint */\n\tchar *origin = apr_pstrdup(r->pool, check_session_iframe);\n\tapr_uri_t uri;\n\tapr_uri_parse(r->pool, check_session_iframe, &uri);\n\tchar *p = strstr(origin, uri.path);\n\t*p = '\\0';\n\n\t/* the element identifier for the OP iframe */\n\tconst char *op_iframe_id = \"openidc-op\";\n\n\t/* restore the OP session_state from the session */\n\tconst char *session_state = oidc_session_get_session_state(r, session);\n\tif (session_state == NULL) {\n\t\toidc_warn(r,\n\t\t\t\t\"no session_state found in the session; the OP does probably not support session management!?\");\n\t\treturn OK;\n\t}\n\n\tchar *s_poll_interval = NULL;\n\toidc_util_get_request_parameter(r, \"poll\", &s_poll_interval);\n\tint poll_interval = s_poll_interval ? 
strtol(s_poll_interval, NULL, 10) : 0;\n\tif ((poll_interval <= 0) || (poll_interval > 3600 * 24))\n\t\tpoll_interval = 3000;\n\n\tconst char *redirect_uri = oidc_get_redirect_uri(r, c);\n\tjava_script = apr_psprintf(r->pool, java_script, origin, client_id,\n\t\t\tsession_state, op_iframe_id, poll_interval, redirect_uri,\n\t\t\tredirect_uri);\n\n\treturn oidc_util_html_send(r, NULL, java_script, \"setTimer\", NULL, OK);\n}", "project": "mod_auth_openidc", "hash": 35066222228704043412294889979326106047, "size": 74, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447716 }, { "func": "static int getNextPcapFileFromPlaylist(u_int16_t thread_id, char filename[], u_int32_t filename_len) {\n\n if(playlist_fp[thread_id] == NULL) {\n if((playlist_fp[thread_id] = fopen(_pcap_file[thread_id], \"r\")) == NULL)\n return -1;\n }\n\nnext_line:\n if(fgets(filename, filename_len, playlist_fp[thread_id])) {\n int l = strlen(filename);\n if(filename[0] == '\\0' || filename[0] == '#') goto next_line;\n if(filename[l-1] == '\\n') filename[l-1] = '\\0';\n return 0;\n } else {\n fclose(playlist_fp[thread_id]);\n playlist_fp[thread_id] = NULL;\n return -1;\n }\n}", "project": "nDPI", "hash": 69981066583983439100995924991509632938, "size": 19, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254807 }, { "func": "rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t contentParam, uint32_t size, uint32_t length)\n{\n char *buffer=NULL, *p=NULL;\n int retval=0;\n char filename1[MAX_PATH];\n char filename2[MAX_PATH];\n char szFileTime[MAX_PATH];\n struct stat statbuf;\n uint32_t sizeHtmp=0;\n int n=0;\n char timespec[64];\n#ifdef LIBVNCSERVER_HAVE_LIBZ\n 
unsigned char compBuff[sz_rfbBlockSize];\n unsigned long nRawBytes = sz_rfbBlockSize;\n int nRet = 0;\n#endif\n\n FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN(\"\", cl, FALSE);\n \n /*\n rfbLog(\"rfbProcessFileTransfer(%dtype, %dparam, %dsize, %dlen)\\n\", contentType, contentParam, size, length);\n */\n\n switch (contentType) {\n case rfbDirContentRequest:\n switch (contentParam) {\n case rfbRDrivesList: /* Client requests the List of Local Drives */\n /*\n rfbLog(\"rfbProcessFileTransfer() rfbDirContentRequest: rfbRDrivesList:\\n\");\n */\n /* Format when filled : \"C:\\D:\\....Z:\\\n *\n * We replace the \"\\\" char following the drive letter and \":\"\n * with a char corresponding to the type of drive\n * We obtain something like \"C:lD:c....Z:n\\\"\n * Isn't it ugly ?\n * DRIVE_FIXED = 'l' (local?)\n * DRIVE_REMOVABLE = 'f' (floppy?)\n * DRIVE_CDROM = 'c'\n * DRIVE_REMOTE = 'n'\n */\n \n /* in unix, there are no 'drives' (We could list mount points though)\n * We fake the root as a \"C:\" for the Winblows users\n */\n filename2[0]='C';\n filename2[1]=':';\n filename2[2]='l';\n filename2[3]=0;\n filename2[4]=0;\n retval = rfbSendFileTransferMessage(cl, rfbDirPacket, rfbADrivesList, 0, 5, filename2);\n if (buffer!=NULL) free(buffer);\n return retval;\n break;\n case rfbRDirContent: /* Client requests the content of a directory */\n /*\n rfbLog(\"rfbProcessFileTransfer() rfbDirContentRequest: rfbRDirContent\\n\");\n */\n if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE;\n retval = rfbSendDirContent(cl, length, buffer);\n if (buffer!=NULL) free(buffer);\n return retval;\n }\n break;\n\n case rfbDirPacket:\n rfbLog(\"rfbProcessFileTransfer() rfbDirPacket\\n\");\n break;\n case rfbFileAcceptHeader:\n rfbLog(\"rfbProcessFileTransfer() rfbFileAcceptHeader\\n\");\n break;\n case rfbCommandReturn:\n rfbLog(\"rfbProcessFileTransfer() rfbCommandReturn\\n\");\n break;\n case rfbFileChecksums:\n /* Destination file already exists - the viewer sends 
the checksums */\n rfbLog(\"rfbProcessFileTransfer() rfbFileChecksums\\n\");\n break;\n case rfbFileTransferAccess:\n rfbLog(\"rfbProcessFileTransfer() rfbFileTransferAccess\\n\");\n break;\n\n /*\n * sending from the server to the viewer\n */\n\n case rfbFileTransferRequest:\n /*\n rfbLog(\"rfbProcessFileTransfer() rfbFileTransferRequest:\\n\");\n */\n /* add some space to the end of the buffer as we will be adding a timespec to it */\n if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE;\n /* The client requests a File */\n if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1)))\n goto fail;\n cl->fileTransfer.fd=open(filename1, O_RDONLY, 0744);\n\n /*\n */\n if (DB) rfbLog(\"rfbProcessFileTransfer() rfbFileTransferRequest(\\\"%s\\\"->\\\"%s\\\") Open: %s fd=%d\\n\", buffer, filename1, (cl->fileTransfer.fd==-1?\"Failed\":\"Success\"), cl->fileTransfer.fd);\n \n if (cl->fileTransfer.fd!=-1) {\n if (fstat(cl->fileTransfer.fd, &statbuf)!=0) {\n close(cl->fileTransfer.fd);\n cl->fileTransfer.fd=-1;\n }\n else\n {\n /* Add the File Time Stamp to the filename */\n strftime(timespec, sizeof(timespec), \"%m/%d/%Y %H:%M\",gmtime(&statbuf.st_ctime));\n buffer=realloc(buffer, length + strlen(timespec) + 2); /* comma, and Null term */\n if (buffer==NULL) {\n rfbLog(\"rfbProcessFileTransfer() rfbFileTransferRequest: Failed to malloc %d bytes\\n\", length + strlen(timespec) + 2);\n return FALSE;\n }\n strcat(buffer,\",\");\n strcat(buffer, timespec);\n length = strlen(buffer);\n if (DB) rfbLog(\"rfbProcessFileTransfer() buffer is now: \\\"%s\\\"\\n\", buffer);\n }\n }\n\n /* The viewer supports compression if size==1 */\n cl->fileTransfer.compressionEnabled = (size==1);\n\n /*\n rfbLog(\"rfbProcessFileTransfer() rfbFileTransferRequest(\\\"%s\\\"->\\\"%s\\\")%s\\n\", buffer, filename1, (size==1?\" \":\"\"));\n */\n\n /* File Size in bytes, 0xFFFFFFFF (-1) means error */\n retval = rfbSendFileTransferMessage(cl, rfbFileHeader, 0, 
(cl->fileTransfer.fd==-1 ? -1 : statbuf.st_size), length, buffer);\n\n if (cl->fileTransfer.fd==-1)\n {\n if (buffer!=NULL) free(buffer);\n return retval;\n }\n /* setup filetransfer stuff */\n cl->fileTransfer.fileSize = statbuf.st_size;\n cl->fileTransfer.numPackets = statbuf.st_size / sz_rfbBlockSize;\n cl->fileTransfer.receiving = 0;\n cl->fileTransfer.sending = 0; /* set when we receive a rfbFileHeader: */\n\n /* TODO: finish 64-bit file size support */\n sizeHtmp = 0; \n LOCK(cl->sendMutex);\n if (rfbWriteExact(cl, (char *)&sizeHtmp, 4) < 0) {\n rfbLogPerror(\"rfbProcessFileTransfer: write\");\n rfbCloseClient(cl);\n UNLOCK(cl->sendMutex);\n if (buffer!=NULL) free(buffer);\n return FALSE;\n }\n UNLOCK(cl->sendMutex);\n break;\n\n case rfbFileHeader:\n /* Destination file (viewer side) is ready for reception (size > 0) or not (size = -1) */\n if (size==-1) {\n rfbLog(\"rfbProcessFileTransfer() rfbFileHeader (error, aborting)\\n\");\n close(cl->fileTransfer.fd);\n cl->fileTransfer.fd=-1;\n return TRUE;\n }\n\n /*\n rfbLog(\"rfbProcessFileTransfer() rfbFileHeader (%d bytes of a file)\\n\", size);\n */\n\n /* Starts the transfer! 
*/\n cl->fileTransfer.sending=1;\n return rfbSendFileTransferChunk(cl);\n break;\n\n\n /*\n * sending from the viewer to the server\n */\n\n case rfbFileTransferOffer:\n /* client is sending a file to us */\n /* buffer contains full path name (plus FileTime) */\n /* size contains size of the file */\n /*\n rfbLog(\"rfbProcessFileTransfer() rfbFileTransferOffer:\\n\");\n */\n if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE;\n\n /* Parse the FileTime */\n p = strrchr(buffer, ',');\n if (p!=NULL) {\n *p = '\\0';\n strncpy(szFileTime, p+1, sizeof(szFileTime));\n szFileTime[sizeof(szFileTime)-1] = '\\x00'; /* ensure NULL terminating byte is present, even if copy overflowed */\n } else\n szFileTime[0]=0;\n\n\n\n /* Need to read in sizeHtmp */\n if ((n = rfbReadExact(cl, (char *)&sizeHtmp, 4)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessFileTransfer: read sizeHtmp\");\n rfbCloseClient(cl);\n /* NOTE: don't forget to free(buffer) if you return early! */\n if (buffer!=NULL) free(buffer);\n return FALSE;\n }\n sizeHtmp = Swap32IfLE(sizeHtmp);\n \n if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1)))\n goto fail;\n\n /* If the file exists... We can send a rfbFileChecksums back to the client before we send an rfbFileAcceptHeader */\n /* TODO: Delta Transfer */\n\n cl->fileTransfer.fd=open(filename1, O_CREAT|O_WRONLY|O_TRUNC, 0744);\n if (DB) rfbLog(\"rfbProcessFileTransfer() rfbFileTransferOffer(\\\"%s\\\"->\\\"%s\\\") %s %s fd=%d\\n\", buffer, filename1, (cl->fileTransfer.fd==-1?\"Failed\":\"Success\"), (cl->fileTransfer.fd==-1?strerror(errno):\"\"), cl->fileTransfer.fd);\n /*\n */\n \n /* File Size in bytes, 0xFFFFFFFF (-1) means error */\n retval = rfbSendFileTransferMessage(cl, rfbFileAcceptHeader, 0, (cl->fileTransfer.fd==-1 ? 
-1 : 0), length, buffer);\n if (cl->fileTransfer.fd==-1) {\n free(buffer);\n return retval;\n }\n \n /* setup filetransfer stuff */\n cl->fileTransfer.fileSize = size;\n cl->fileTransfer.numPackets = size / sz_rfbBlockSize;\n cl->fileTransfer.receiving = 1;\n cl->fileTransfer.sending = 0;\n break;\n\n case rfbFilePacket:\n /*\n rfbLog(\"rfbProcessFileTransfer() rfbFilePacket:\\n\");\n */\n if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE;\n if (cl->fileTransfer.fd!=-1) {\n /* buffer contains the contents of the file */\n if (size==0)\n retval=write(cl->fileTransfer.fd, buffer, length);\n else\n {\n#ifdef LIBVNCSERVER_HAVE_LIBZ\n /* compressed packet */\n nRet = uncompress(compBuff,&nRawBytes,(const unsigned char*)buffer, length);\n\t\tif(nRet == Z_OK)\n\t\t retval=write(cl->fileTransfer.fd, (char*)compBuff, nRawBytes);\n\t\telse\n\t\t retval = -1;\n#else\n /* Write the file out as received... */\n retval=write(cl->fileTransfer.fd, buffer, length);\n#endif\n }\n if (retval==-1)\n {\n close(cl->fileTransfer.fd);\n cl->fileTransfer.fd=-1;\n cl->fileTransfer.sending = 0;\n cl->fileTransfer.receiving = 0;\n }\n }\n break;\n\n case rfbEndOfFile:\n if (DB) rfbLog(\"rfbProcessFileTransfer() rfbEndOfFile\\n\");\n /*\n */\n if (cl->fileTransfer.fd!=-1)\n close(cl->fileTransfer.fd);\n cl->fileTransfer.fd=-1;\n cl->fileTransfer.sending = 0;\n cl->fileTransfer.receiving = 0;\n break;\n\n case rfbAbortFileTransfer:\n if (DB) rfbLog(\"rfbProcessFileTransfer() rfbAbortFileTransfer\\n\");\n /*\n */\n if (cl->fileTransfer.fd!=-1)\n {\n close(cl->fileTransfer.fd);\n cl->fileTransfer.fd=-1;\n cl->fileTransfer.sending = 0;\n cl->fileTransfer.receiving = 0;\n }\n else\n {\n /* We use this message for FileTransfer rights (<=RC18 versions)\n * The client asks for FileTransfer permission\n */\n if (contentParam == 0)\n {\n rfbLog(\"rfbProcessFileTransfer() File Transfer Permission DENIED! 
(Client Version <=RC18)\\n\");\n /* Old method for FileTransfer handshake perimssion (<=RC18) (Deny it)*/\n return rfbSendFileTransferMessage(cl, rfbAbortFileTransfer, 0, -1, 0, \"\");\n }\n /* New method is allowed */\n if (cl->screen->getFileTransferPermission!=NULL)\n {\n if (cl->screen->getFileTransferPermission(cl)==TRUE)\n {\n rfbLog(\"rfbProcessFileTransfer() File Transfer Permission Granted!\\n\");\n return rfbSendFileTransferMessage(cl, rfbFileTransferAccess, 0, 1 , 0, \"\"); /* Permit */\n }\n else\n {\n rfbLog(\"rfbProcessFileTransfer() File Transfer Permission DENIED!\\n\");\n return rfbSendFileTransferMessage(cl, rfbFileTransferAccess, 0, -1 , 0, \"\"); /* Deny */\n }\n }\n else\n {\n if (cl->screen->permitFileTransfer)\n {\n rfbLog(\"rfbProcessFileTransfer() File Transfer Permission Granted!\\n\");\n return rfbSendFileTransferMessage(cl, rfbFileTransferAccess, 0, 1 , 0, \"\"); /* Permit */\n }\n else\n {\n rfbLog(\"rfbProcessFileTransfer() File Transfer Permission DENIED by default!\\n\");\n return rfbSendFileTransferMessage(cl, rfbFileTransferAccess, 0, -1 , 0, \"\"); /* DEFAULT: DENY (for security) */\n }\n \n }\n }\n break;\n\n\n case rfbCommand:\n /*\n rfbLog(\"rfbProcessFileTransfer() rfbCommand:\\n\");\n */\n if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE;\n switch (contentParam) {\n case rfbCDirCreate: /* Client requests the creation of a directory */\n if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1)))\n goto fail;\n retval = mkdir(filename1, 0755);\n if (DB) rfbLog(\"rfbProcessFileTransfer() rfbCommand: rfbCDirCreate(\\\"%s\\\"->\\\"%s\\\") %s\\n\", buffer, filename1, (retval==-1?\"Failed\":\"Success\"));\n /*\n */\n retval = rfbSendFileTransferMessage(cl, rfbCommandReturn, rfbADirCreate, retval, length, buffer);\n if (buffer!=NULL) free(buffer);\n return retval;\n case rfbCFileDelete: /* Client requests the deletion of a file */\n if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, 
sizeof(filename1)))\n goto fail;\n if (stat(filename1,&statbuf)==0)\n {\n if (S_ISDIR(statbuf.st_mode))\n retval = rmdir(filename1);\n else\n retval = unlink(filename1);\n }\n else retval=-1;\n retval = rfbSendFileTransferMessage(cl, rfbCommandReturn, rfbAFileDelete, retval, length, buffer);\n if (buffer!=NULL) free(buffer);\n return retval;\n case rfbCFileRename: /* Client requests the Renaming of a file/directory */\n p = strrchr(buffer, '*');\n if (p != NULL)\n {\n /* Split into 2 filenames ('*' is a seperator) */\n *p = '\\0';\n if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1)))\n goto fail;\n if (!rfbFilenameTranslate2UNIX(cl, p+1, filename2, sizeof(filename2)))\n goto fail;\n retval = rename(filename1,filename2);\n if (DB) rfbLog(\"rfbProcessFileTransfer() rfbCommand: rfbCFileRename(\\\"%s\\\"->\\\"%s\\\" -->> \\\"%s\\\"->\\\"%s\\\") %s\\n\", buffer, filename1, p+1, filename2, (retval==-1?\"Failed\":\"Success\"));\n /*\n */\n /* Restore the buffer so the reply is good */\n *p = '*';\n retval = rfbSendFileTransferMessage(cl, rfbCommandReturn, rfbAFileRename, retval, length, buffer);\n if (buffer!=NULL) free(buffer);\n return retval;\n }\n break;\n }\n \n break;\n }\n\n /* NOTE: don't forget to free(buffer) if you return early! 
*/\n if (buffer!=NULL) free(buffer);\n return TRUE;\n\nfail:\n if (buffer!=NULL) free(buffer);\n return FALSE;\n}", "project": "libvncserver", "hash": 169655685052611340973796048812298800532, "size": 397, "commit_id": "673c07a75ed844d74676f3ccdcfdc706a7052dba", "message": "libvncserver/rfbserver: fix possible divide-by-zero\n\nCloses #409", "target": 0, "dataset": "other", "idx": 295877 }, { "func": "static void print_snapshot_help(struct seq_file *m, struct trace_iterator *iter)\n{\n\tif (iter->tr->allocated_snapshot)\n\t\tseq_puts(m, \"#\\n# * Snapshot is allocated *\\n#\\n\");\n\telse\n\t\tseq_puts(m, \"#\\n# * Snapshot is freed *\\n#\\n\");\n\n\tseq_puts(m, \"# Snapshot commands:\\n\");\n\tif (iter->cpu_file == RING_BUFFER_ALL_CPUS)\n\t\tshow_snapshot_main_help(m);\n\telse\n\t\tshow_snapshot_percpu_help(m);\n}", "project": "linux", "hash": 143897717667783649740270803859712979725, "size": 13, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445822 }, { "func": "static inline void print_snapshot_help(struct seq_file *m, struct trace_iterator *iter) { }", "project": "linux", "hash": 316401060046017934827498568064608282269, "size": 1, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445841 }, { "func": "bool JOIN::check_two_phase_optimization(THD *thd)\n{\n if (check_for_splittable_materialized())\n return true;\n return false;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 72420690182178336047553828256883273029, "size": 6, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508748 }, { "func": "bool CClient::OnCTCPMessage(CCTCPMessage& Message) {\n CString sTargets = Message.GetTarget();\n\n VCString vTargets;\n sTargets.Split(\",\", vTargets, false);\n\n if (Message.IsReply()) {\n CString sCTCP = Message.GetText();\n if (sCTCP.Token(0) == \"VERSION\") {\n // There are 2 different scenarios:\n //\n // a) CTCP reply for VERSION is not set.\n // 1. ZNC receives CTCP VERSION from someone\n // 2. ZNC forwards CTCP VERSION to client\n // 3. Client replies with something\n // 4. ZNC adds itself to the reply\n // 5. ZNC sends the modified reply to whoever asked\n //\n // b) CTCP reply for VERSION is set.\n // 1. ZNC receives CTCP VERSION from someone\n // 2. ZNC replies with the configured reply (or just drops it if\n // empty), without forwarding anything to client\n // 3. 
Client does not see any CTCP request, and does not reply\n //\n // So, if user doesn't want \"via ZNC\" in CTCP VERSION reply, they\n // can set custom reply.\n //\n // See more bikeshedding at github issues #820 and #1012\n Message.SetText(sCTCP + \" via \" + CZNC::GetTag(false));\n }\n }\n\n for (CString& sTarget : vTargets) {\n Message.SetTarget(sTarget);\n if (m_pNetwork) {\n // May be nullptr.\n Message.SetChan(m_pNetwork->FindChan(sTarget));\n }\n\n bool bContinue = false;\n if (Message.IsReply()) {\n NETWORKMODULECALL(OnUserCTCPReplyMessage(Message), m_pUser,\n m_pNetwork, this, &bContinue);\n } else {\n NETWORKMODULECALL(OnUserCTCPMessage(Message), m_pUser, m_pNetwork,\n this, &bContinue);\n }\n if (bContinue) continue;\n\n if (!GetIRCSock()) {\n // Some lagmeters do a NOTICE to their own nick, ignore those.\n if (!sTarget.Equals(m_sNick))\n PutStatus(t_f(\n \"Your CTCP to {1} got lost, you are not connected to IRC!\")(\n Message.GetTarget()));\n continue;\n }\n\n if (m_pNetwork) {\n PutIRC(Message.ToString(CMessage::ExcludePrefix |\n CMessage::ExcludeTags));\n }\n }\n\n return true;\n}", "project": "znc", "hash": 320657574039479242807718468152415652233, "size": 66, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231563 }, { "func": "static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name,\n\t\t\t\t\t\t char *cipher_name,\n\t\t\t\t\t\t char *chaining_modifier)\n{\n\tint cipher_name_len = strlen(cipher_name);\n\tint chaining_modifier_len = strlen(chaining_modifier);\n\tint algified_name_len;\n\tint rc;\n\n\talgified_name_len = (chaining_modifier_len + cipher_name_len + 3);\n\t(*algified_name) = kmalloc(algified_name_len, GFP_KERNEL);\n\tif (!(*algified_name)) {\n\t\trc = -ENOMEM;\n\t\tgoto out;\n\t}\n\tsnprintf((*algified_name), algified_name_len, \"%s(%s)\",\n\t\t chaining_modifier, cipher_name);\n\trc = 0;\nout:\n\treturn rc;\n}", 
"target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 152452916213089376726682451855556973677, "size": 21, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. 
Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490176 }, { "func": "static int ca8210_spi_transfer(\n\tstruct spi_device *spi,\n\tconst u8 *buf,\n\tsize_t len\n)\n{\n\tint i, status = 0;\n\tstruct ca8210_priv *priv;\n\tstruct cas_control *cas_ctl;\n\n\tif (!spi) {\n\t\tpr_crit(\"NULL spi device passed to %s\\n\", __func__);\n\t\treturn -ENODEV;\n\t}\n\n\tpriv = spi_get_drvdata(spi);\n\treinit_completion(&priv->spi_transfer_complete);\n\n\tdev_dbg(&spi->dev, \"%s called\\n\", __func__);\n\n\tcas_ctl = kmalloc(sizeof(*cas_ctl), GFP_ATOMIC);\n\tif (!cas_ctl)\n\t\treturn -ENOMEM;\n\n\tcas_ctl->priv = priv;\n\tmemset(cas_ctl->tx_buf, SPI_IDLE, CA8210_SPI_BUF_SIZE);\n\tmemset(cas_ctl->tx_in_buf, SPI_IDLE, CA8210_SPI_BUF_SIZE);\n\tmemcpy(cas_ctl->tx_buf, buf, len);\n\n\tfor (i = 0; i < len; i++)\n\t\tdev_dbg(&spi->dev, \"%#03x\\n\", cas_ctl->tx_buf[i]);\n\n\tspi_message_init(&cas_ctl->msg);\n\n\tcas_ctl->transfer.tx_nbits = 1; /* 1 MOSI line */\n\tcas_ctl->transfer.rx_nbits = 1; /* 1 MISO line */\n\tcas_ctl->transfer.speed_hz = 0; /* Use device setting */\n\tcas_ctl->transfer.bits_per_word = 0; /* Use device setting */\n\tcas_ctl->transfer.tx_buf = cas_ctl->tx_buf;\n\tcas_ctl->transfer.rx_buf = cas_ctl->tx_in_buf;\n\tcas_ctl->transfer.delay_usecs = 0;\n\tcas_ctl->transfer.cs_change = 0;\n\tcas_ctl->transfer.len = sizeof(struct mac_message);\n\tcas_ctl->msg.complete = ca8210_spi_transfer_complete;\n\tcas_ctl->msg.context = cas_ctl;\n\n\tspi_message_add_tail(\n\t\t&cas_ctl->transfer,\n\t\t&cas_ctl->msg\n\t);\n\n\tstatus = spi_async(spi, &cas_ctl->msg);\n\tif (status < 0) {\n\t\tdev_crit(\n\t\t\t&spi->dev,\n\t\t\t\"status %d from spi_sync in write\\n\",\n\t\t\tstatus\n\t\t);\n\t}\n\n\treturn status;\n}", "project": "linux", "hash": 218629567941996330336605141114049569122, "size": 62, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn 
ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408806 }, { "func": "static int tcp_try_undo_recovery(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\tif (tcp_may_undo(tp)) {\n\t\tint mib_idx;\n\n\t\t/* Happy end! We did not retransmit anything\n\t\t * or our original transmission succeeded.\n\t\t */\n\t\tDBGUNDO(sk, inet_csk(sk)->icsk_ca_state == TCP_CA_Loss ? \"loss\" : \"retrans\");\n\t\ttcp_undo_cwr(sk, true);\n\t\tif (inet_csk(sk)->icsk_ca_state == TCP_CA_Loss)\n\t\t\tmib_idx = LINUX_MIB_TCPLOSSUNDO;\n\t\telse\n\t\t\tmib_idx = LINUX_MIB_TCPFULLUNDO;\n\n\t\tNET_INC_STATS_BH(sock_net(sk), mib_idx);\n\t\ttp->undo_marker = 0;\n\t}\n\tif (tp->snd_una == tp->high_seq && tcp_is_reno(tp)) {\n\t\t/* Hold old state until something *above* high_seq\n\t\t * is ACKed. For Reno it is MUST to prevent false\n\t\t * fast retransmits (RFC2582). SACK TCP is safe. */\n\t\ttcp_moderate_cwnd(tp);\n\t\treturn 1;\n\t}\n\ttcp_set_ca_state(sk, TCP_CA_Open);\n\treturn 0;\n}", "project": "net-next", "hash": 269114545429052120094938665199685627334, "size": 30, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409883 }, { "func": "static int prepare_bprm_creds(struct linux_binprm *bprm)\n{\n\tif (mutex_lock_interruptible(¤t->signal->cred_guard_mutex))\n\t\treturn -ERESTARTNOINTR;\n\n\tbprm->cred = prepare_exec_creds();\n\tif (likely(bprm->cred))\n\t\treturn 0;\n\n\tmutex_unlock(¤t->signal->cred_guard_mutex);\n\treturn -ENOMEM;\n}", "project": "linux", "hash": 339891365931346785851696001926732937376, "size": 12, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375207 }, { "func": "void LanLinkProvider::dataReceived()\n{\n QSslSocket* socket = qobject_cast(sender());\n#if QT_VERSION < QT_VERSION_CHECK(5,7,0)\n if (!socket->canReadLine())\n return;\n#else\n socket->startTransaction();\n#endif\n\n const QByteArray data = socket->readLine();\n\n qCDebug(KDECONNECT_CORE) << \"LanLinkProvider received reply:\" << data;\n\n NetworkPacket* np = new NetworkPacket(QLatin1String(\"\"));\n bool success = NetworkPacket::unserialize(data, np);\n\n#if QT_VERSION < QT_VERSION_CHECK(5,7,0)\n if (!success) {\n delete np;\n return;\n }\n#else\n if (!success) {\n delete np;\n socket->rollbackTransaction();\n return;\n }\n socket->commitTransaction();\n#endif\n\n if (np->type() != PACKET_TYPE_IDENTITY) {\n qCWarning(KDECONNECT_CORE) << \"LanLinkProvider/newConnection: Expected identity, received \" << np->type();\n delete np;\n return;\n }\n\n // Needed in \"encrypted\" if ssl is used, similar to \"tcpSocketConnected\"\n m_receivedIdentityPackets[socket].np = np;\n\n const QString& deviceId = np->get(QStringLiteral(\"deviceId\"));\n //qCDebug(KDECONNECT_CORE) << \"Handshaking done (i'm the new device)\";\n\n //This socket will now be owned by the LanDeviceLink or we don't want more data to be received, forget about it\n disconnect(socket, &QIODevice::readyRead, this, &LanLinkProvider::dataReceived);\n\n if (np->get(QStringLiteral(\"protocolVersion\")) >= MIN_VERSION_WITH_SSL_SUPPORT) {\n\n bool isDeviceTrusted = 
KdeConnectConfig::instance().trustedDevices().contains(deviceId);\n configureSslSocket(socket, deviceId, isDeviceTrusted);\n\n qCDebug(KDECONNECT_CORE) << \"Starting client ssl (but I'm the server TCP socket)\";\n\n connect(socket, &QSslSocket::encrypted, this, &LanLinkProvider::encrypted);\n\n if (isDeviceTrusted) {\n connect(socket, QOverload &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors);\n }\n\n socket->startClientEncryption();\n\n } else {\n qWarning() << np->get(QStringLiteral(\"deviceName\")) << \"uses an old protocol version, this won't work\";\n //addLink(deviceId, socket, np, LanDeviceLink::Locally);\n delete m_receivedIdentityPackets.take(socket).np;\n }\n}", "project": "kdeconnect-kde", "hash": 6646800168810831871406338541725942286, "size": 67, "commit_id": "4fbd01a3d44a0bcca888c49a77ec7cfd10e113d7", "message": "Limit identity packets to 8KiB\n\nHealthy identity packages shouldn't be that big and we don't want to\nallow systems around us to send us ever humongous packages that will\njust leave us without any memory.\n\nThanks Matthias Gerstner for reporting this.", "target": 1, "dataset": "other", "idx": 198443 }, { "func": "CallResult> JSObject::getOwnPropertyKeys(\n Handle selfHandle,\n Runtime *runtime,\n OwnKeysFlags okFlags) {\n assert(\n (okFlags.getIncludeNonSymbols() || okFlags.getIncludeSymbols()) &&\n \"Can't exclude symbols and strings\");\n if (LLVM_UNLIKELY(\n selfHandle->flags_.lazyObject || selfHandle->flags_.proxyObject)) {\n if (selfHandle->flags_.proxyObject) {\n CallResult> proxyRes =\n JSProxy::ownPropertyKeys(selfHandle, runtime, okFlags);\n if (LLVM_UNLIKELY(proxyRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n return runtime->makeHandle(std::move(*proxyRes));\n }\n assert(selfHandle->flags_.lazyObject && \"descriptor flags are impossible\");\n initializeLazyObject(runtime, selfHandle);\n }\n\n auto range = getOwnIndexedRange(selfHandle.get(), runtime);\n\n // Estimate the 
capacity of the output array. This estimate is only\n // reasonable for the non-symbol case.\n uint32_t capacity = okFlags.getIncludeNonSymbols()\n ? (selfHandle->clazz_.get(runtime)->getNumProperties() + range.second -\n range.first)\n : 0;\n\n auto arrayRes = JSArray::create(runtime, capacity, 0);\n if (LLVM_UNLIKELY(arrayRes == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n auto array = runtime->makeHandle(std::move(*arrayRes));\n\n // Optional array of SymbolIDs reported via host object API\n llvh::Optional> hostObjectSymbols;\n size_t hostObjectSymbolCount = 0;\n\n // If current object is a host object we need to deduplicate its properties\n llvh::SmallSet dedupSet;\n\n // Output index.\n uint32_t index = 0;\n\n // Avoid allocating a new handle per element.\n MutableHandle<> tmpHandle{runtime};\n\n // Number of indexed properties.\n uint32_t numIndexed = 0;\n\n // Regular properties with names that are array indexes are stashed here, if\n // encountered.\n llvh::SmallVector indexNames{};\n\n // Iterate the named properties excluding those which use Symbols.\n if (okFlags.getIncludeNonSymbols()) {\n // Get host object property names\n if (LLVM_UNLIKELY(selfHandle->flags_.hostObject)) {\n assert(\n range.first == range.second &&\n \"Host objects cannot own indexed range\");\n auto hostSymbolsRes =\n vmcast(selfHandle.get())->getHostPropertyNames();\n if (hostSymbolsRes == ExecutionStatus::EXCEPTION) {\n return ExecutionStatus::EXCEPTION;\n }\n if ((hostObjectSymbolCount = (**hostSymbolsRes)->getEndIndex()) != 0) {\n Handle hostSymbols = *hostSymbolsRes;\n hostObjectSymbols = std::move(hostSymbols);\n capacity += hostObjectSymbolCount;\n }\n }\n\n // Iterate the indexed properties.\n GCScopeMarkerRAII marker{runtime};\n for (auto i = range.first; i != range.second; ++i) {\n auto res = getOwnIndexedPropertyFlags(selfHandle.get(), runtime, i);\n if (!res)\n continue;\n\n // If specified, check whether it is enumerable.\n if 
(!okFlags.getIncludeNonEnumerable() && !res->enumerable)\n continue;\n\n tmpHandle = HermesValue::encodeDoubleValue(i);\n JSArray::setElementAt(array, runtime, index++, tmpHandle);\n marker.flush();\n }\n\n numIndexed = index;\n\n HiddenClass::forEachProperty(\n runtime->makeHandle(selfHandle->clazz_),\n runtime,\n [runtime,\n okFlags,\n array,\n hostObjectSymbolCount,\n &index,\n &indexNames,\n &tmpHandle,\n &dedupSet](SymbolID id, NamedPropertyDescriptor desc) {\n if (!isPropertyNamePrimitive(id)) {\n return;\n }\n\n // If specified, check whether it is enumerable.\n if (!okFlags.getIncludeNonEnumerable()) {\n if (!desc.flags.enumerable)\n return;\n }\n\n // Host properties might overlap with the ones recognized by the\n // hidden class. If we're dealing with a host object then keep track\n // of hidden class properties for the deduplication purposes.\n if (LLVM_UNLIKELY(hostObjectSymbolCount > 0)) {\n dedupSet.insert(id.unsafeGetRaw());\n }\n\n // Check if this property is an integer index. If it is, we stash it\n // away to deal with it later. This check should be fast since most\n // property names don't start with a digit.\n auto propNameAsIndex = toArrayIndex(\n runtime->getIdentifierTable().getStringView(runtime, id));\n if (LLVM_UNLIKELY(propNameAsIndex)) {\n indexNames.push_back(*propNameAsIndex);\n return;\n }\n\n tmpHandle = HermesValue::encodeStringValue(\n runtime->getStringPrimFromSymbolID(id));\n JSArray::setElementAt(array, runtime, index++, tmpHandle);\n });\n\n // Iterate over HostObject properties and append them to the array. 
Do not\n // append duplicates.\n if (LLVM_UNLIKELY(hostObjectSymbols)) {\n for (size_t i = 0; i < hostObjectSymbolCount; ++i) {\n assert(\n (*hostObjectSymbols)->at(runtime, i).isSymbol() &&\n \"Host object needs to return array of SymbolIDs\");\n marker.flush();\n SymbolID id = (*hostObjectSymbols)->at(runtime, i).getSymbol();\n if (dedupSet.count(id.unsafeGetRaw()) == 0) {\n dedupSet.insert(id.unsafeGetRaw());\n\n assert(\n !InternalProperty::isInternal(id) &&\n \"host object returned reserved symbol\");\n auto propNameAsIndex = toArrayIndex(\n runtime->getIdentifierTable().getStringView(runtime, id));\n if (LLVM_UNLIKELY(propNameAsIndex)) {\n indexNames.push_back(*propNameAsIndex);\n continue;\n }\n tmpHandle = HermesValue::encodeStringValue(\n runtime->getStringPrimFromSymbolID(id));\n JSArray::setElementAt(array, runtime, index++, tmpHandle);\n }\n }\n }\n }\n\n // Now iterate the named properties again, including only Symbols.\n // We could iterate only once, if we chose to ignore (and disallow)\n // own properties on HostObjects, as we do with Proxies.\n if (okFlags.getIncludeSymbols()) {\n MutableHandle idHandle{runtime};\n HiddenClass::forEachProperty(\n runtime->makeHandle(selfHandle->clazz_),\n runtime,\n [runtime, okFlags, array, &index, &idHandle](\n SymbolID id, NamedPropertyDescriptor desc) {\n if (!isSymbolPrimitive(id)) {\n return;\n }\n // If specified, check whether it is enumerable.\n if (!okFlags.getIncludeNonEnumerable()) {\n if (!desc.flags.enumerable)\n return;\n }\n idHandle = id;\n JSArray::setElementAt(array, runtime, index++, idHandle);\n });\n }\n\n // The end (exclusive) of the named properties.\n uint32_t endNamed = index;\n\n // Properly set the length of the array.\n auto cr = JSArray::setLength(\n array, runtime, endNamed + indexNames.size(), PropOpFlags{});\n (void)cr;\n assert(\n cr != ExecutionStatus::EXCEPTION && *cr && \"JSArray::setLength() failed\");\n\n // If we have no index-like names, we are done.\n if 
(LLVM_LIKELY(indexNames.empty()))\n return array;\n\n // In the unlikely event that we encountered index-like names, we need to sort\n // them and merge them with the real indexed properties. Note that it is\n // guaranteed that there are no clashes.\n std::sort(indexNames.begin(), indexNames.end());\n\n // Also make space for the new elements by shifting all the named properties\n // to the right. First, resize the array.\n JSArray::setStorageEndIndex(array, runtime, endNamed + indexNames.size());\n\n // Shift the non-index property names. The region [numIndexed..endNamed) is\n // moved to [numIndexed+indexNames.size()..array->size()).\n // TODO: optimize this by implementing memcpy-like functionality in ArrayImpl.\n for (uint32_t last = endNamed, toLast = array->getEndIndex();\n last != numIndexed;) {\n --last;\n --toLast;\n tmpHandle = array->at(runtime, last);\n JSArray::setElementAt(array, runtime, toLast, tmpHandle);\n }\n\n // Now we need to merge the indexes in indexNames and the array\n // [0..numIndexed). 
We start from the end and copy the larger element from\n // either array.\n // 1+ the destination position to copy into.\n for (uint32_t toLast = numIndexed + indexNames.size(),\n indexNamesLast = indexNames.size();\n toLast != 0;) {\n if (numIndexed) {\n uint32_t a = (uint32_t)array->at(runtime, numIndexed - 1).getNumber();\n uint32_t b;\n\n if (indexNamesLast && (b = indexNames[indexNamesLast - 1]) > a) {\n tmpHandle = HermesValue::encodeDoubleValue(b);\n --indexNamesLast;\n } else {\n tmpHandle = HermesValue::encodeDoubleValue(a);\n --numIndexed;\n }\n } else {\n assert(indexNamesLast && \"prematurely ran out of source values\");\n tmpHandle =\n HermesValue::encodeDoubleValue(indexNames[indexNamesLast - 1]);\n --indexNamesLast;\n }\n\n --toLast;\n JSArray::setElementAt(array, runtime, toLast, tmpHandle);\n }\n\n return array;\n}", "project": "hermes", "hash": 159020369888309765221326526741932251210, "size": 253, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230220 }, { "func": "static void nested_svm_nmi(struct vcpu_svm *svm)\n{\n\tsvm->vmcb->control.exit_code = SVM_EXIT_NMI;\n\tsvm->vmcb->control.exit_info_1 = 0;\n\tsvm->vmcb->control.exit_info_2 = 0;\n\n\tnested_svm_vmexit(svm);\n}", "project": "linux", "hash": 179237959878619506364815275732500961865, "size": 8, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376657 }, { "func": "static inline bool nested_svm_nmi(struct vcpu_svm *svm)\n{\n\tif (!is_guest_mode(&svm->vcpu))\n\t\treturn true;\n\n\tif (!(svm->nested.intercept & (1ULL << INTERCEPT_NMI)))\n\t\treturn true;\n\n\tsvm->vmcb->control.exit_code = SVM_EXIT_NMI;\n\tsvm->nested.exit_required = true;\n\n\treturn false;\n}", "project": "linux", "hash": 320075464706114824336684847157788193323, "size": 13, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432548 }, { "func": " static inline int GetSliceIndex(const int dim, const int split_size,\n const int residual) {\n DCHECK_GT(split_size, 0);\n DCHECK_GE(dim, 0);\n if (residual == 0) return dim / split_size;\n const int offset = residual * (split_size + 1);\n if (dim < offset) {\n return dim / (split_size + 1);\n } else {\n return residual + ((dim - offset) / split_size);\n }\n }", "project": "tensorflow", "hash": 322253764100012599087671360171164614707, "size": 12, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277031 }, { "func": "static tag_table_type exif_get_tag_table(int section) {\n switch(section) {\n case SECTION_FILE: return &tag_table_IFD[0];\n case SECTION_COMPUTED: return &tag_table_IFD[0];\n case SECTION_ANY_TAG: return &tag_table_IFD[0];\n case SECTION_IFD0: return &tag_table_IFD[0];\n case SECTION_THUMBNAIL: return &tag_table_IFD[0];\n case SECTION_COMMENT: return &tag_table_IFD[0];\n case SECTION_APP0: return &tag_table_IFD[0];\n case SECTION_EXIF: return &tag_table_IFD[0];\n case SECTION_FPIX: return &tag_table_IFD[0];\n case SECTION_GPS: return &tag_table_GPS[0];\n case SECTION_INTEROP: return &tag_table_IOP[0];\n case SECTION_APP12: return &tag_table_IFD[0];\n case SECTION_WINXP: return &tag_table_IFD[0];\n }\n return &tag_table_IFD[0];\n}", "project": "hhvm", "hash": 227524875703971400149561887325123804907, "size": 18, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", 
"idx": 219422 }, { "func": "void __hci_req_update_scan_rsp_data(struct hci_request *req, u8 instance)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tu8 len;\n\n\tif (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))\n\t\treturn;\n\n\tif (ext_adv_capable(hdev)) {\n\t\tstruct hci_cp_le_set_ext_scan_rsp_data cp;\n\n\t\tmemset(&cp, 0, sizeof(cp));\n\n\t\tif (instance)\n\t\t\tlen = create_instance_scan_rsp_data(hdev, instance,\n\t\t\t\t\t\t\t cp.data);\n\t\telse\n\t\t\tlen = create_default_scan_rsp_data(hdev, cp.data);\n\n\t\tif (hdev->scan_rsp_data_len == len &&\n\t\t !memcmp(cp.data, hdev->scan_rsp_data, len))\n\t\t\treturn;\n\n\t\tmemcpy(hdev->scan_rsp_data, cp.data, sizeof(cp.data));\n\t\thdev->scan_rsp_data_len = len;\n\n\t\tcp.handle = instance;\n\t\tcp.length = len;\n\t\tcp.operation = LE_SET_ADV_DATA_OP_COMPLETE;\n\t\tcp.frag_pref = LE_SET_ADV_DATA_NO_FRAG;\n\n\t\thci_req_add(req, HCI_OP_LE_SET_EXT_SCAN_RSP_DATA, sizeof(cp),\n\t\t\t &cp);\n\t} else {\n\t\tstruct hci_cp_le_set_scan_rsp_data cp;\n\n\t\tmemset(&cp, 0, sizeof(cp));\n\n\t\tif (instance)\n\t\t\tlen = create_instance_scan_rsp_data(hdev, instance,\n\t\t\t\t\t\t\t cp.data);\n\t\telse\n\t\t\tlen = create_default_scan_rsp_data(hdev, cp.data);\n\n\t\tif (hdev->scan_rsp_data_len == len &&\n\t\t !memcmp(cp.data, hdev->scan_rsp_data, len))\n\t\t\treturn;\n\n\t\tmemcpy(hdev->scan_rsp_data, cp.data, sizeof(cp.data));\n\t\thdev->scan_rsp_data_len = len;\n\n\t\tcp.length = len;\n\n\t\thci_req_add(req, HCI_OP_LE_SET_SCAN_RSP_DATA, sizeof(cp), &cp);\n\t}\n}", "project": "linux", "hash": 89624244231967169733596746088114706470, "size": 56, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402497 }, { "func": "static int dataLength(rpm_tagtype_t type, rpm_constdata_t p, rpm_count_t count,\n\t\t\t int onDisk, rpm_constdata_t pend)\n{\n const char * s = p;\n const char * se = pend;\n int length = 0;\n\n switch (type) {\n case RPM_STRING_TYPE:\n\tif (count != 1)\n\t return -1;\n\tlength = strtaglen(s, 1, se);\n\tbreak;\n\n case RPM_STRING_ARRAY_TYPE:\n case RPM_I18NSTRING_TYPE:\n\t/* These are like RPM_STRING_TYPE, except they're *always* an array */\n\t/* Compute sum of length of all strings, including nul terminators */\n\n\tif (onDisk) {\n\t length = strtaglen(s, count, se);\n\t} else {\n\t const char ** av = (const char **)p;\n\t while (count--) {\n\t\t/* add one for null termination */\n\t\tlength += strlen(*av++) + 1;\n\t }\n\t}\n\tbreak;\n\n default:\n\tif (typeSizes[type] == -1)\n\t return -1;\n\tlength = typeSizes[(type & 0xf)] * count;\n\tif (length < 0 || (se && (s + length) > se))\n\t return -1;\n\tbreak;\n }\n\n return length;\n}", "project": "rpm", "hash": 243522870772062417763399173148620751504, "size": 41, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318205 }, { "func": "static void set_curr_offs(int64_t l_off)\n{\n if (in_absolute)\n 
absolute.offset = l_off;\n else\n offsets = raa_write(offsets, location.segment, l_off);\n}", "project": "nasm", "hash": 49429045324087877183878318267796836692, "size": 7, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257490 }, { "func": "static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *\n p_code_block)\n{\n OPJ_UINT32 l_data_size;\n\n /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */\n /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */\n /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */\n /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */\n /* TODO: is there a theoretical upper-bound for the compressed code */\n /* block size ? */\n l_data_size = 26 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *\n (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));\n\n if (l_data_size > p_code_block->data_size) {\n if (p_code_block->data) {\n /* We refer to data - 1 since below we incremented it */\n opj_free(p_code_block->data - 1);\n }\n p_code_block->data = (OPJ_BYTE*) opj_malloc(l_data_size + 1);\n if (! p_code_block->data) {\n p_code_block->data_size = 0U;\n return OPJ_FALSE;\n }\n p_code_block->data_size = l_data_size;\n\n /* We reserve the initial byte as a fake byte to a non-FF value */\n /* and increment the data pointer, so that opj_mqc_init_enc() */\n /* can do bp = data - 1, and opj_mqc_byteout() can safely dereference */\n /* it. 
*/\n p_code_block->data[0] = 0;\n p_code_block->data += 1; /*why +1 ?*/\n }\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 74332118889396083730693045237215462948, "size": 35, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 1, "dataset": "other", "idx": 204411 }, { "func": "static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *\n p_code_block)\n{\n OPJ_UINT32 l_data_size;\n\n /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */\n /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */\n /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */\n /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */\n /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */\n /* TODO: is there a theoretical upper-bound for the compressed code */\n /* block size ? */\n l_data_size = 28 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *\n (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));\n\n if (l_data_size > p_code_block->data_size) {\n if (p_code_block->data) {\n /* We refer to data - 1 since below we incremented it */\n opj_free(p_code_block->data - 1);\n }\n p_code_block->data = (OPJ_BYTE*) opj_malloc(l_data_size + 1);\n if (! p_code_block->data) {\n p_code_block->data_size = 0U;\n return OPJ_FALSE;\n }\n p_code_block->data_size = l_data_size;\n\n /* We reserve the initial byte as a fake byte to a non-FF value */\n /* and increment the data pointer, so that opj_mqc_init_enc() */\n /* can do bp = data - 1, and opj_mqc_byteout() can safely dereference */\n /* it. 
*/\n p_code_block->data[0] = 0;\n p_code_block->data += 1; /*why +1 ?*/\n }\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 90613075038304196793521501973130942392, "size": 36, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359168 }, { "func": "gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)\n{\n\tgdImagePtr dst;\n\tint y;\n\n\t/* check size */\n\tif (crop->width<=0 || crop->height<=0) {\n\t\treturn NULL;\n\t}\n\n\t/* allocate the requested size (could be only partially filled) */\n\tif (src->trueColor) {\n\t\tdst = gdImageCreateTrueColor(crop->width, crop->height);\n\t\tgdImageSaveAlpha(dst, 1);\n\t} else {\n\t\tdst = gdImageCreate(crop->width, crop->height);\n\t\tgdImagePaletteCopy(dst, src);\n\t}\n\tif (dst == NULL) {\n\t\treturn NULL;\n\t}\n\tdst->transparent = src->transparent;\n\n\t/* check position in the src image */\n\tif (crop->x < 0 || crop->x>=src->sx || crop->y<0 || crop->y>=src->sy) {\n\t\treturn dst;\n\t}\n\n\t/* reduce size if needed */\n\tif ((src->sx - crop->width) < crop->x) {\n\t\tcrop->width = src->sx - crop->x;\n\t}\n\tif ((src->sy - crop->height) < crop->y) {\n\t\tcrop->height = src->sy - crop->y;\n\t}\n\n#if 0\nprintf(\"rect->x: %i\\nrect->y: %i\\nrect->width: %i\\nrect->height: %i\\n\", crop->x, crop->y, crop->width, crop->height);\n#endif\n\ty = crop->y;\n\tif (src->trueColor) {\n\t\tunsigned int dst_y = 0;\n\t\twhile (y < (crop->y + (crop->height - 1))) {\n\t\t\t/* TODO: replace 4 w/byte per channel||pitch once available */\n\t\t\tmemcpy(dst->tpixels[dst_y++], src->tpixels[y++] + crop->x, crop->width * 4);\n\t\t}\n\t} else {\n\t\tint x;\n\t\tfor (y = crop->y; y < (crop->y + (crop->height - 1)); y++) {\n\t\t\tfor (x = crop->x; x < (crop->x + (crop->width - 1)); x++) {\n\t\t\t\tdst->pixels[y - crop->y][x - crop->x] = src->pixels[y][x];\n\t\t\t}\n\t\t}\n\t}\n\treturn 
dst;\n}", "project": "php-src", "hash": 121046021861658525511228885017249088421, "size": 56, "commit_id": "af09d8b96a8aacdd7d738fec81b695c1c58368f7", "message": "Fixed Bug #66815 imagecrop(): insufficient fix for NULL defer CVE-2013-7327\n\nThis amends commit 8f4a537, which aimed to correct NULL dereference because of\nmissing check of gdImageCreateTrueColor() / gdImageCreate() return value. That\ncommit checks for negative crop rectangle width and height, but\ngdImageCreate*() can also return NULL when width * height overflows. Hence\nNULL deref is still possible, as gdImageSaveAlpha() and gdImagePaletteCopy()\nis called before dst == NULL check.\n\nThis moves NULL check to happen right after gdImageCreate*(). It also removes\nwidth and height check before gdImageCreate*(), as the same check is done by\nimage create functions (with an extra warning).\n\nFrom thoger redhat com", "target": 1, "dataset": "other", "idx": 215215 }, { "func": "gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)\n{\n\tgdImagePtr dst;\n\tint y;\n\n\t/* allocate the requested size (could be only partially filled) */\n\tif (src->trueColor) {\n\t\tdst = gdImageCreateTrueColor(crop->width, crop->height);\n\t\tif (dst == NULL) {\n\t\t\treturn NULL;\n\t\t}\n\t\tgdImageSaveAlpha(dst, 1);\n\t} else {\n\t\tdst = gdImageCreate(crop->width, crop->height);\n\t\tif (dst == NULL) {\n\t\t\treturn NULL;\n\t\t}\n\t\tgdImagePaletteCopy(dst, src);\n\t}\n\tdst->transparent = src->transparent;\n\n\t/* check position in the src image */\n\tif (crop->x < 0 || crop->x>=src->sx || crop->y<0 || crop->y>=src->sy) {\n\t\treturn dst;\n\t}\n\n\t/* reduce size if needed */\n\tif ((src->sx - crop->width) < crop->x) {\n\t\tcrop->width = src->sx - crop->x;\n\t}\n\tif ((src->sy - crop->height) < crop->y) {\n\t\tcrop->height = src->sy - crop->y;\n\t}\n\n#if 0\nprintf(\"rect->x: %i\\nrect->y: %i\\nrect->width: %i\\nrect->height: %i\\n\", crop->x, crop->y, crop->width, crop->height);\n#endif\n\ty = crop->y;\n\tif 
(src->trueColor) {\n\t\tunsigned int dst_y = 0;\n\t\twhile (y < (crop->y + (crop->height - 1))) {\n\t\t\t/* TODO: replace 4 w/byte per channel||pitch once available */\n\t\t\tmemcpy(dst->tpixels[dst_y++], src->tpixels[y++] + crop->x, crop->width * 4);\n\t\t}\n\t} else {\n\t\tint x;\n\t\tfor (y = crop->y; y < (crop->y + (crop->height - 1)); y++) {\n\t\t\tfor (x = crop->x; x < (crop->x + (crop->width - 1)); x++) {\n\t\t\t\tdst->pixels[y - crop->y][x - crop->x] = src->pixels[y][x];\n\t\t\t}\n\t\t}\n\t}\n\treturn dst;\n}", "project": "php-src", "hash": 211902895967623924199736087663142577675, "size": 54, "commit_id": "af09d8b96a8aacdd7d738fec81b695c1c58368f7", "message": "Fixed Bug #66815 imagecrop(): insufficient fix for NULL defer CVE-2013-7327\n\nThis amends commit 8f4a537, which aimed to correct NULL dereference because of\nmissing check of gdImageCreateTrueColor() / gdImageCreate() return value. That\ncommit checks for negative crop rectangle width and height, but\ngdImageCreate*() can also return NULL when width * height overflows. Hence\nNULL deref is still possible, as gdImageSaveAlpha() and gdImagePaletteCopy()\nis called before dst == NULL check.\n\nThis moves NULL check to happen right after gdImageCreate*(). It also removes\nwidth and height check before gdImageCreate*(), as the same check is done by\nimage create functions (with an extra warning).\n\nFrom thoger redhat com", "target": 0, "dataset": "other", "idx": 485284 }, { "func": "static size_t init_iov_iter(struct vhost_virtqueue *vq, struct iov_iter *iter,\n\t\t\t size_t hdr_size, int out)\n{\n\t/* Skip header. TODO: support TSO. 
*/\n\tsize_t len = iov_length(vq->iov, out);\n\n\tiov_iter_init(iter, WRITE, vq->iov, out, len);\n\tiov_iter_advance(iter, hdr_size);\n\n\treturn iov_iter_count(iter);\n}", "project": "linux", "hash": 295434088159125471912771793969610643399, "size": 11, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 441969 }, { "func": "static int lookup_one_len_common(const char *name, struct dentry *base,\n\t\t\t\t int len, struct qstr *this)\n{\n\tthis->name = name;\n\tthis->len = len;\n\tthis->hash = full_name_hash(base, name, len);\n\tif (!len)\n\t\treturn -EACCES;\n\n\tif (unlikely(name[0] == '.')) {\n\t\tif (len < 2 || (len == 2 && name[1] == '.'))\n\t\t\treturn -EACCES;\n\t}\n\n\twhile (len--) {\n\t\tunsigned int c = *(const unsigned char *)name++;\n\t\tif (c == '/' || c == '\\0')\n\t\t\treturn -EACCES;\n\t}\n\t/*\n\t * See if the low-level filesystem might want\n\t * to use its own hash..\n\t */\n\tif (base->d_flags & DCACHE_OP_HASH) {\n\t\tint err = base->d_op->d_hash(base, this);\n\t\tif (err < 0)\n\t\t\treturn err;\n\t}\n\n\treturn inode_permission(base->d_inode, MAY_EXEC);\n}", "project": "linux", "hash": 299013593425004005822776772261938645798, "size": 31, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295297 }, { "func": "static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)\n{\n\tstruct hci_cp_le_create_conn *cp;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\t/* All connection failure handling is taken care of by the\n\t * hci_le_conn_failed function which is triggered by the HCI\n\t * request completion callbacks used for connecting.\n\t */\n\tif (status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tcs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,\n\t\t\t cp->own_address_type, cp->filter_policy);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 
214228674614563318201494282017859362036, "size": 24, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432023 }, { "func": "int msg_new(message_data_t **m)\n{\n message_data_t *ret = (message_data_t *) xmalloc(sizeof(message_data_t));\n\n ret->data = NULL;\n ret->f = NULL;\n ret->id = NULL;\n ret->path = NULL;\n ret->control = NULL;\n ret->size = 0;\n strarray_init(&ret->rcpt);\n ret->date = NULL;\n\n ret->hdrcache = spool_new_hdrcache();\n\n *m = ret;\n return 0;\n}", "project": "cyrus-imapd", "hash": 155278545410922204589098086599727474449, "size": 18, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451894 }, { "func": "static void checkConsistency(intset *is) {\n for (uint32_t i = 0; i < (intrev32ifbe(is->length)-1); i++) {\n uint32_t encoding = intrev32ifbe(is->encoding);\n\n if (encoding == INTSET_ENC_INT16) {\n int16_t *i16 = (int16_t*)is->contents;\n assert(i16[i] < i16[i+1]);\n } else if (encoding == INTSET_ENC_INT32) {\n int32_t *i32 = (int32_t*)is->contents;\n assert(i32[i] < i32[i+1]);\n } else {\n int64_t *i64 = (int64_t*)is->contents;\n assert(i64[i] < i64[i+1]);\n }\n }\n}", "project": "redis", "hash": 50416452836078103419182837417224387385, "size": 16, "commit_id": "789f10156009b404950ad717642a9496ed887083", "message": "Fix integer 
overflow in intset (CVE-2021-29478)\n\nAn integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and\npotentially result with remote code execution.\n\nThe vulnerability involves changing the default set-max-intset-entries\nconfiguration value, creating a large set key that consists of integer values\nand using the COPY command to duplicate it.\n\nThe integer overflow bug exists in all versions of Redis starting with 2.6,\nwhere it could result with a corrupted RDB or DUMP payload, but not exploited\nthrough COPY (which did not exist before 6.2).\n\n(cherry picked from commit 29900d4e6bccdf3691bedf0ea9a5d84863fa3592)", "target": 0, "dataset": "other", "idx": 290627 }, { "func": "static void load_nested_vmcb_control(struct vcpu_svm *svm,\n\t\t\t\t struct vmcb_control_area *control)\n{\n\tcopy_vmcb_control_area(&svm->nested.ctl, control);\n\n\t/* Copy it here because nested_svm_check_controls will check it. */\n\tsvm->nested.ctl.asid = control->asid;\n\tsvm->nested.ctl.msrpm_base_pa &= ~0x0fffULL;\n\tsvm->nested.ctl.iopm_base_pa &= ~0x0fffULL;\n}", "project": "linux", "hash": 334026893918509975626880844280248268461, "size": 10, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. 
Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376645 }, { "func": "static int moovin(int sizemax)\n{\n long apos = ftell(g_fin);\n uint32_t atomsize;\n creator_t *old_atom = g_atom;\n int err, ret = sizemax;\n\n static creator_t mvhd[] = {\n {ATOM_NAME, \"mvhd\"},\n {0}\n };\n static creator_t trak[] = {\n {ATOM_NAME, \"trak\"},\n {ATOM_DESCENT},\n {ATOM_NAME, \"tkhd\"},\n {ATOM_NAME, \"mdia\"},\n {ATOM_DESCENT},\n {ATOM_NAME, \"mdhd\"},\n {ATOM_DATA, mdhdin},\n {ATOM_NAME, \"hdlr\"},\n {ATOM_DATA, hdlr1in},\n {ATOM_NAME, \"minf\"},\n {ATOM_DESCENT},\n {ATOM_NAME, \"smhd\"},\n {ATOM_NAME, \"dinf\"},\n {ATOM_NAME, \"stbl\"},\n {ATOM_DESCENT},\n {ATOM_NAME, \"stsd\"},\n {ATOM_DATA, stsdin},\n {ATOM_DESCENT},\n {ATOM_NAME, \"mp4a\"},\n {ATOM_DATA, mp4ain},\n {ATOM_DESCENT},\n {ATOM_NAME, \"esds\"},\n {ATOM_DATA, esdsin},\n {ATOM_ASCENT},\n {ATOM_ASCENT},\n {ATOM_NAME, \"stts\"},\n {ATOM_DATA, sttsin},\n {ATOM_NAME, \"stsc\"},\n {ATOM_NAME, \"stsz\"},\n {ATOM_DATA, stszin},\n {ATOM_NAME, \"stco\"},\n {ATOM_DATA, stcoin},\n {0}\n };\n\n g_atom = mvhd;\n atomsize = sizemax + apos - ftell(g_fin);\n if (parse(&atomsize) < 0) {\n g_atom = old_atom;\n return ERR_FAIL;\n }\n\n fseek(g_fin, apos, SEEK_SET);\n\n while (1)\n {\n //fprintf(stderr, \"TRAK\\n\");\n g_atom = trak;\n atomsize = sizemax + apos - ftell(g_fin);\n if (atomsize < 8)\n break;\n //fprintf(stderr, \"PARSE(%x)\\n\", atomsize);\n err = parse(&atomsize);\n //fprintf(stderr, \"SIZE: %x/%x\\n\", atomsize, sizemax);\n if (err >= 0)\n break;\n if (err != ERR_UNSUPPORTED) {\n ret = err;\n break;\n }\n //fprintf(stderr, \"UNSUPP\\n\");\n }\n\n g_atom = old_atom;\n return ret;\n}", "project": 
"faad2", "hash": 313889892672760809677528539519896953055, "size": 78, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221453 }, { "func": "static inline bool has_pending_signals(sigset_t *signal, sigset_t *blocked)\n{\n\tunsigned long ready;\n\tlong i;\n\n\tswitch (_NSIG_WORDS) {\n\tdefault:\n\t\tfor (i = _NSIG_WORDS, ready = 0; --i >= 0 ;)\n\t\t\tready |= signal->sig[i] &~ blocked->sig[i];\n\t\tbreak;\n\n\tcase 4: ready = signal->sig[3] &~ blocked->sig[3];\n\t\tready |= signal->sig[2] &~ blocked->sig[2];\n\t\tready |= signal->sig[1] &~ blocked->sig[1];\n\t\tready |= signal->sig[0] &~ blocked->sig[0];\n\t\tbreak;\n\n\tcase 2: ready = signal->sig[1] &~ blocked->sig[1];\n\t\tready |= signal->sig[0] &~ blocked->sig[0];\n\t\tbreak;\n\n\tcase 1: ready = signal->sig[0] &~ blocked->sig[0];\n\t}\n\treturn ready !=\t0;\n}", "project": "linux", "hash": 215563971024967888695077125598519811902, "size": 25, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. 
Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375162 }, { "func": "int do_send_sig_info(int sig, struct kernel_siginfo *info, struct task_struct *p,\n\t\t\tenum pid_type type)\n{\n\tunsigned long flags;\n\tint ret = -ESRCH;\n\n\tif (lock_task_sighand(p, &flags)) {\n\t\tret = send_signal(sig, info, p, type);\n\t\tunlock_task_sighand(p, &flags);\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 271593396316239200559566643263370481509, "size": 13, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375178 }, { "func": " Item_ref(THD *thd, Name_resolution_context *context_arg,\n const char *db_arg, const char *table_name_arg,\n const char *field_name_arg):\n Item_ident(thd, context_arg, db_arg, table_name_arg, field_name_arg),\n set_properties_only(0), ref(0), reference_trough_name(1) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 338116049923313032324822453629203649397, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509067 }, { "func": "Status GraphConstructor::ValidateInputMapAndControlDependencies() {\n for (const auto& mapping : opts_.input_map) {\n TensorId src = mapping.first;\n TensorId dst = mapping.second;\n if (existing_nodes_.count(dst.first) == 0) {\n return errors::InvalidArgument(\n \"node '\", dst.first, \"' in input_map does not exist in graph \",\n \"(input_map entry: \", src.ToString(), \"->\", dst.ToString(), \")\");\n }\n if ((src.second == Graph::kControlSlot) !=\n (dst.second == Graph::kControlSlot)) {\n return errors::InvalidArgument(\"input_map entry \", src.ToString(), \"->\",\n dst.ToString(), \" between \",\n \"control edge and non-control edge\");\n }\n }\n for (const string& node : opts_.control_dependencies) {\n if (existing_nodes_.count(node) == 0) {\n return errors::InvalidArgument(\n \"node '\", node,\n \"' in control_dependencies does not exist in \"\n \"graph\");\n }\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 40415404366646785978904852166183819770, "size": 26, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268357 }, { "func": "static int grep_sha1(struct grep_opt *opt, const unsigned char *sha1, const char *name, int tree_name_len)\n{\n\tunsigned long size;\n\tchar *data;\n\tenum object_type type;\n\tchar *to_free = NULL;\n\tint hit;\n\n\tdata = read_sha1_file(sha1, &type, &size);\n\tif (!data) {\n\t\terror(\"'%s': unable to read %s\", name, sha1_to_hex(sha1));\n\t\treturn 0;\n\t}\n\tif (opt->relative && opt->prefix_length) {\n\t\tstatic char name_buf[PATH_MAX];\n\t\tchar *cp;\n\t\tint name_len = strlen(name) - opt->prefix_length + 1;\n\n\t\tif (!tree_name_len)\n\t\t\tname += opt->prefix_length;\n\t\telse {\n\t\t\tif (ARRAY_SIZE(name_buf) <= name_len)\n\t\t\t\tcp = to_free = xmalloc(name_len);\n\t\t\telse\n\t\t\t\tcp = name_buf;\n\t\t\tmemcpy(cp, name, tree_name_len);\n\t\t\tstrcpy(cp + tree_name_len,\n\t\t\t name + tree_name_len + opt->prefix_length);\n\t\t\tname = cp;\n\t\t}\n\t}\n\thit = grep_buffer(opt, name, data, size);\n\tfree(data);\n\tfree(to_free);\n\treturn hit;\n}", "project": "git", "hash": 95371693657462032066726749150265119181, "size": 36, "commit_id": "620e2bb93785ed8eb60846d94fd4753d4817c8ec", "message": "Fix buffer overflow in git-grep\n\nIf PATH_MAX on your system is smaller than any path stored in the git\nrepository, that can cause memory corruption inside of the grep_tree\nfunction used by git-grep.\n\nSigned-off-by: Dmitry Potapov \nSigned-off-by: Junio C Hamano ", "target": 0, "dataset": "other", "idx": 446043 }, { "func": "static inline bool slab_free_freelist_hook(struct kmem_cache *s,\n\t\t\t\t\t void **head, void **tail)\n{\n\n\tvoid *object;\n\tvoid *next = *head;\n\tvoid *old_tail = *tail ? 
*tail : *head;\n\tint rsize;\n\n\t/* Head and tail of the reconstructed freelist */\n\t*head = NULL;\n\t*tail = NULL;\n\n\tdo {\n\t\tobject = next;\n\t\tnext = get_freepointer(s, object);\n\n\t\tif (slab_want_init_on_free(s)) {\n\t\t\t/*\n\t\t\t * Clear the object and the metadata, but don't touch\n\t\t\t * the redzone.\n\t\t\t */\n\t\t\tmemset(object, 0, s->object_size);\n\t\t\trsize = (s->flags & SLAB_RED_ZONE) ? s->red_left_pad\n\t\t\t\t\t\t\t : 0;\n\t\t\tmemset((char *)object + s->inuse, 0,\n\t\t\t s->size - s->inuse - rsize);\n\n\t\t}\n\t\t/* If object's reuse doesn't have to be delayed */\n\t\tif (!slab_free_hook(s, object)) {\n\t\t\t/* Move object to the new freelist */\n\t\t\tset_freepointer(s, object, *head);\n\t\t\t*head = object;\n\t\t\tif (!*tail)\n\t\t\t\t*tail = object;\n\t\t}\n\t} while (object != old_tail);\n\n\tif (*head == *tail)\n\t\t*tail = NULL;\n\n\treturn *head != NULL;\n}", "project": "linux", "hash": 197487796989694274067690013574849773113, "size": 44, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280046 }, { "func": "static void svm_disable_lbrv(struct vcpu_svm *svm)\n{\n\tu32 *msrpm = svm->msrpm;\n\n\tsvm->vmcb->control.virt_ext &= ~LBR_CTL_ENABLE_MASK;\n\tset_msr_interception(msrpm, MSR_IA32_LASTBRANCHFROMIP, 0, 0);\n\tset_msr_interception(msrpm, MSR_IA32_LASTBRANCHTOIP, 0, 0);\n\tset_msr_interception(msrpm, MSR_IA32_LASTINTFROMIP, 0, 0);\n\tset_msr_interception(msrpm, MSR_IA32_LASTINTTOIP, 0, 0);\n}", "project": "linux", "hash": 241888754494589824595443944465678795905, "size": 10, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432497 }, { "func": "static void svm_disable_lbrv(struct vcpu_svm *svm)\n{\n\tu32 *msrpm = svm->msrpm;\n\n\tsvm->vmcb->control.lbr_ctl = 0;\n\tset_msr_interception(msrpm, MSR_IA32_LASTBRANCHFROMIP, 0, 0);\n\tset_msr_interception(msrpm, MSR_IA32_LASTBRANCHTOIP, 0, 0);\n\tset_msr_interception(msrpm, MSR_IA32_LASTINTFROMIP, 0, 0);\n\tset_msr_interception(msrpm, MSR_IA32_LASTINTTOIP, 0, 0);\n}", "project": "kvm", "hash": 106794006177564368065928146008897259225, "size": 10, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437657 }, { "func": "UnicodeStringTest::TestMiscellaneous()\n{\n UnicodeString test1(\"This is a test\");\n UnicodeString test2(\"This is a test\");\n UnicodeString test3(\"Me too!\");\n\n // test getBuffer(minCapacity) and releaseBuffer()\n test1=UnicodeString(); // make sure that it starts with its stackBuffer\n UChar *p=test1.getBuffer(20);\n if(test1.getCapacity()<20) {\n errln(\"UnicodeString::getBuffer(20).getCapacity()<20\");\n }\n\n test1.append((UChar)7); // must not be able to modify the string here\n test1.setCharAt(3, 7);\n test1.reverse();\n if( test1.length()!=0 ||\n test1.charAt(0)!=0xffff || test1.charAt(3)!=0xffff ||\n test1.getBuffer(10)!=0 || test1.getBuffer()!=0\n ) {\n errln(\"UnicodeString::getBuffer(minCapacity) allows read or write access 
to the UnicodeString\");\n }\n\n p[0]=1;\n p[1]=2;\n p[2]=3;\n test1.releaseBuffer(3);\n test1.append((UChar)4);\n\n if(test1.length()!=4 || test1.charAt(0)!=1 || test1.charAt(1)!=2 || test1.charAt(2)!=3 || test1.charAt(3)!=4) {\n errln(\"UnicodeString::releaseBuffer(newLength) does not properly reallow access to the UnicodeString\");\n }\n\n // test releaseBuffer() without getBuffer(minCapacity) - must not have any effect\n test1.releaseBuffer(1);\n if(test1.length()!=4 || test1.charAt(0)!=1 || test1.charAt(1)!=2 || test1.charAt(2)!=3 || test1.charAt(3)!=4) {\n errln(\"UnicodeString::releaseBuffer(newLength) without getBuffer(minCapacity) changed the UnicodeString\");\n }\n\n // test getBuffer(const)\n const UChar *q=test1.getBuffer(), *r=test1.getBuffer();\n if( test1.length()!=4 ||\n q[0]!=1 || q[1]!=2 || q[2]!=3 || q[3]!=4 ||\n r[0]!=1 || r[1]!=2 || r[2]!=3 || r[3]!=4\n ) {\n errln(\"UnicodeString::getBuffer(const) does not return a usable buffer pointer\");\n }\n\n // test releaseBuffer() with a NUL-terminated buffer\n test1.getBuffer(20)[2]=0;\n test1.releaseBuffer(); // implicit -1\n if(test1.length()!=2 || test1.charAt(0)!=1 || test1.charAt(1) !=2) {\n errln(\"UnicodeString::releaseBuffer(-1) does not properly set the length of the UnicodeString\");\n }\n\n // test releaseBuffer() with a non-NUL-terminated buffer\n p=test1.getBuffer(256);\n for(int32_t i=0; isize == 0)\n\t\treturn CDE_OUT_OF_BOUNDS;\n\n\tcdeque_pop_front_fast(d, value);\n\treturn CDE_OK;\n}", "project": "libarchive", "hash": 53412540175919616579435349697918800158, "size": 10, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244722 }, { "func": "void printCSVHeader() {\n if(!csv_fp) return;\n\n fprintf(csv_fp, \"#flow_id,protocol,first_seen,last_seen,duration,src_ip,src_port,dst_ip,dst_port,ndpi_proto_num,ndpi_proto,server_name,\");\n fprintf(csv_fp, \"benign_score,dos_slow_score,dos_goldeneye_score,dos_hulk_score,ddos_score,hearthbleed_score,ftp_patator_score,ssh_patator_score,infiltration_score,\");\n fprintf(csv_fp, \"c_to_s_pkts,c_to_s_bytes,c_to_s_goodput_bytes,s_to_c_pkts,s_to_c_bytes,s_to_c_goodput_bytes,\");\n fprintf(csv_fp, \"data_ratio,str_data_ratio,c_to_s_goodput_ratio,s_to_c_goodput_ratio,\");\n\n /* IAT (Inter Arrival Time) */\n fprintf(csv_fp, \"iat_flow_min,iat_flow_avg,iat_flow_max,iat_flow_stddev,\");\n fprintf(csv_fp, \"iat_c_to_s_min,iat_c_to_s_avg,iat_c_to_s_max,iat_c_to_s_stddev,\");\n fprintf(csv_fp, \"iat_s_to_c_min,iat_s_to_c_avg,iat_s_to_c_max,iat_s_to_c_stddev,\");\n\n /* Packet Length */\n fprintf(csv_fp, \"pktlen_c_to_s_min,pktlen_c_to_s_avg,pktlen_c_to_s_max,pktlen_c_to_s_stddev,\");\n fprintf(csv_fp, \"pktlen_s_to_c_min,pktlen_s_to_c_avg,pktlen_s_to_c_max,pktlen_s_to_c_stddev,\");\n\n /* TCP flags */\n fprintf(csv_fp, \"cwr,ece,urg,ack,psh,rst,syn,fin,\");\n\n fprintf(csv_fp, \"c_to_s_cwr,c_to_s_ece,c_to_s_urg,c_to_s_ack,c_to_s_psh,c_to_s_rst,c_to_s_syn,c_to_s_fin,\");\n\n fprintf(csv_fp, \"s_to_c_cwr,s_to_c_ece,s_to_c_urg,s_to_c_ack,s_to_c_psh,s_to_c_rst,s_to_c_syn,s_to_c_fin,\");\n\n /* TCP window */\n fprintf(csv_fp, \"c_to_s_init_win,s_to_c_init_win,\");\n\n /* Flow info */\n fprintf(csv_fp, 
\"client_info,server_info,\");\n fprintf(csv_fp, \"tls_version,ja3c,tls_client_unsafe,\");\n fprintf(csv_fp, \"ja3s,tls_server_unsafe,\");\n fprintf(csv_fp, \"tls_alpn,tls_supported_versions,\");\n fprintf(csv_fp, \"tls_issuerDN,tls_subjectDN,\"); \n fprintf(csv_fp, \"ssh_client_hassh,ssh_server_hassh,flow_info\");\n \n /* Joy */\n if(enable_joy_stats) {\n fprintf(csv_fp, \",byte_dist_mean,byte_dist_std,entropy,total_entropy\"); \n }\n \n fprintf(csv_fp, \"\\n\");\n}", "project": "nDPI", "hash": 318946653252589101021883157794413585517, "size": 42, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254860 }, { "func": "static inline int emulate_instruction(struct kvm_vcpu *vcpu,\n\t\t\tint emulation_type)\n{\n\treturn x86_emulate_instruction(vcpu, 0, emulation_type, NULL, 0);\n}", "project": "kvm", "hash": 230631867570962643990304281384190734262, "size": 5, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437649 }, { "func": "void WebContents::InitWithSessionAndOptions(\n v8::Isolate* isolate,\n std::unique_ptr owned_web_contents,\n gin::Handle session,\n const gin_helper::Dictionary& options) {\n Observe(owned_web_contents.get());\n // TODO(zcbenz): Make InitWithWebContents take unique_ptr.\n // At the time of writing we are going through a refactoring and I don't want\n // to make other people's work harder.\n InitWithWebContents(owned_web_contents.release(), session->browser_context(),\n IsGuest());\n\n managed_web_contents()->GetView()->SetDelegate(this);\n\n auto* prefs = web_contents()->GetMutableRendererPrefs();\n\n // Collect preferred languages from OS and browser process. 
accept_languages\n // effects HTTP header, navigator.languages, and CJK fallback font selection.\n //\n // Note that an application locale set to the browser process might be\n // different with the one set to the preference list.\n // (e.g. overridden with --lang)\n std::string accept_languages =\n g_browser_process->GetApplicationLocale() + \",\";\n for (auto const& language : electron::GetPreferredLanguages()) {\n if (language == g_browser_process->GetApplicationLocale())\n continue;\n accept_languages += language + \",\";\n }\n accept_languages.pop_back();\n prefs->accept_languages = accept_languages;\n\n#if defined(OS_LINUX) || defined(OS_WIN)\n // Update font settings.\n static const base::NoDestructor params(\n gfx::GetFontRenderParams(gfx::FontRenderParamsQuery(), nullptr));\n prefs->should_antialias_text = params->antialiasing;\n prefs->use_subpixel_positioning = params->subpixel_positioning;\n prefs->hinting = params->hinting;\n prefs->use_autohinter = params->autohinter;\n prefs->use_bitmaps = params->use_bitmaps;\n prefs->subpixel_rendering = params->subpixel_rendering;\n#endif\n\n // Honor the system's cursor blink rate settings\n if (auto interval = GetCursorBlinkInterval())\n prefs->caret_blink_interval = *interval;\n\n // Save the preferences in C++.\n new WebContentsPreferences(web_contents(), options);\n\n WebContentsPermissionHelper::CreateForWebContents(web_contents());\n SecurityStateTabHelper::CreateForWebContents(web_contents());\n InitZoomController(web_contents(), options);\n#if BUILDFLAG(ENABLE_ELECTRON_EXTENSIONS)\n extensions::ElectronExtensionWebContentsObserver::CreateForWebContents(\n web_contents());\n script_executor_.reset(new extensions::ScriptExecutor(web_contents()));\n#endif\n\n registry_.AddInterface(base::BindRepeating(&WebContents::BindElectronBrowser,\n base::Unretained(this)));\n receivers_.set_disconnect_handler(base::BindRepeating(\n &WebContents::OnElectronBrowserConnectionError, base::Unretained(this)));\n 
AutofillDriverFactory::CreateForWebContents(web_contents());\n\n web_contents()->SetUserAgentOverride(blink::UserAgentOverride::UserAgentOnly(\n GetBrowserContext()->GetUserAgent()),\n false);\n\n if (IsGuest()) {\n NativeWindow* owner_window = nullptr;\n if (embedder_) {\n // New WebContents's owner_window is the embedder's owner_window.\n auto* relay =\n NativeWindowRelay::FromWebContents(embedder_->web_contents());\n if (relay)\n owner_window = relay->GetNativeWindow();\n }\n if (owner_window)\n SetOwnerWindow(owner_window);\n }\n\n Init(isolate);\n AttachAsUserData(web_contents());\n}", "project": "electron", "hash": 260757392147785978746545294494553771747, "size": 86, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269783 }, { "func": "static int tcp_prune_queue(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\tSOCK_DEBUG(sk, \"prune_queue: c=%x\\n\", tp->copied_seq);\n\n\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_PRUNECALLED);\n\n\tif (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)\n\t\ttcp_clamp_window(sk);\n\telse if (tcp_memory_pressure)\n\t\ttp->rcv_ssthresh = min(tp->rcv_ssthresh, 4U * tp->advmss);\n\n\ttcp_collapse_ofo_queue(sk);\n\tif (!skb_queue_empty(&sk->sk_receive_queue))\n\t\ttcp_collapse(sk, &sk->sk_receive_queue,\n\t\t\t skb_peek(&sk->sk_receive_queue),\n\t\t\t NULL,\n\t\t\t tp->copied_seq, tp->rcv_nxt);\n\tsk_mem_reclaim(sk);\n\n\tif (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf)\n\t\treturn 0;\n\n\t/* Collapsing did not help, destructive actions follow.\n\t * This must not ever occur. 
*/\n\n\ttcp_prune_ofo_queue(sk);\n\n\tif (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf)\n\t\treturn 0;\n\n\t/* If we are really being abused, tell the caller to silently\n\t * drop receive data on the floor. It will get retransmitted\n\t * and hopefully then we'll have sufficient space.\n\t */\n\tNET_INC_STATS_BH(sock_net(sk), LINUX_MIB_RCVPRUNED);\n\n\t/* Massive buffer overcommit. */\n\ttp->pred_flags = 0;\n\treturn -1;\n}", "project": "net-next", "hash": 316279370497175411616345103505456462556, "size": 42, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409874 }, { "func": " PCRECache()\n : m_kind(CacheKind::Static), m_staticCache(nullptr)\n {\n reinit(CacheKind::Static);\n }", "project": "hhvm", "hash": 303391837360079943605068128345904057812, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219622 }, { "func": "static void r_core_debug_syscall_hit(RCore *core) {\n\tconst char *cmdhit = r_config_get (core->config, \"cmd.onsyscall\");\n\n\tif (cmdhit && cmdhit[0] != 0) {\n\t\tr_core_cmd0 (core, cmdhit);\n\t\tr_cons_flush ();\n\t}\n}", "project": "radare2", "hash": 308981680031159867000516545281718561615, "size": 8, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232146 }, { "func": "void CAuthBase::AcceptLogin(CUser& User) {\n if (m_pSock) {\n AcceptedLogin(User);\n Invalidate();\n }\n}", "project": "znc", "hash": 331142408889811708097281693023119215852, 
"size": 6, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231571 }, { "func": "void CClient::AcceptLogin(CUser& User) {\n m_sPass = \"\";\n m_pUser = &User;\n\n // Set our proper timeout and set back our proper timeout mode\n // (constructor set a different timeout and mode)\n SetTimeout(User.GetNoTrafficTimeout(), TMO_READ);\n\n SetSockName(\"USR::\" + m_pUser->GetUsername());\n SetEncoding(m_pUser->GetClientEncoding());\n\n if (!m_sNetwork.empty()) {\n m_pNetwork = m_pUser->FindNetwork(m_sNetwork);\n if (!m_pNetwork) {\n PutStatus(t_f(\"Network {1} doesn't exist.\")(m_sNetwork));\n }\n } else if (!m_pUser->GetNetworks().empty()) {\n // If a user didn't supply a network, and they have a network called\n // \"default\" then automatically use this network.\n m_pNetwork = m_pUser->FindNetwork(\"default\");\n // If no \"default\" network, try \"user\" network. It's for compatibility\n // with early network stuff in ZNC, which converted old configs to\n // \"user\" network.\n if (!m_pNetwork) m_pNetwork = m_pUser->FindNetwork(\"user\");\n // Otherwise, just try any network of the user.\n if (!m_pNetwork) m_pNetwork = *m_pUser->GetNetworks().begin();\n if (m_pNetwork && m_pUser->GetNetworks().size() > 1) {\n PutStatusNotice(\n t_s(\"You have several networks configured, but no network was \"\n \"specified for the connection.\"));\n PutStatusNotice(\n t_f(\"Selecting network {1}. To see list of all configured \"\n \"networks, use /znc ListNetworks\")(m_pNetwork->GetName()));\n PutStatusNotice(t_f(\n \"If you want to choose another network, use /znc JumpNetwork \"\n \", or connect to ZNC with username {1}/ \"\n \"(instead of just {1})\")(m_pUser->GetUsername()));\n }\n } else {\n PutStatusNotice(\n t_s(\"You have no networks configured. 
Use /znc AddNetwork \"\n \" to add one.\"));\n }\n\n SetNetwork(m_pNetwork, false);\n\n SendMotd();\n\n NETWORKMODULECALL(OnClientLogin(), m_pUser, m_pNetwork, this, NOTHING);\n}", "project": "znc", "hash": 144528265901974789607462122608233289964, "size": 50, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231597 }, { "func": "static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep)\n{\n\tu32 new_sample = tp->rcv_rtt_est.rtt;\n\tlong m = sample;\n\n\tif (m == 0)\n\t\tm = 1;\n\n\tif (new_sample != 0) {\n\t\t/* If we sample in larger samples in the non-timestamp\n\t\t * case, we could grossly overestimate the RTT especially\n\t\t * with chatty applications or bulk transfer apps which\n\t\t * are stalled on filesystem I/O.\n\t\t *\n\t\t * Also, since we are only going for a minimum in the\n\t\t * non-timestamp case, we do not smooth things out\n\t\t * else with timestamps disabled convergence takes too\n\t\t * long.\n\t\t */\n\t\tif (!win_dep) {\n\t\t\tm -= (new_sample >> 3);\n\t\t\tnew_sample += m;\n\t\t} else if (m < new_sample)\n\t\t\tnew_sample = m << 3;\n\t} else {\n\t\t/* No previous measure. */\n\t\tnew_sample = m << 3;\n\t}\n\n\tif (tp->rcv_rtt_est.rtt != new_sample)\n\t\ttp->rcv_rtt_est.rtt = new_sample;\n}", "project": "net-next", "hash": 205361914788213180698619520708521445832, "size": 32, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409886 }, { "func": "std::vector CSoundFile::GetLength(enmGetLengthResetMode adjustMode, GetLengthTarget target)\n{\n\tstd::vector results;\n\tGetLengthType retval;\n\tretval.startOrder = target.startOrder;\n\tretval.startRow = target.startRow;\n\n\t// Are we trying to reach a certain pattern position?\n\tconst bool hasSearchTarget = target.mode != GetLengthTarget::NoTarget;\n\tconst bool adjustSamplePos = (adjustMode & eAdjustSamplePositions) == eAdjustSamplePositions;\n\n\tSEQUENCEINDEX sequence = target.sequence;\n\tif(sequence >= Order.GetNumSequences()) sequence = Order.GetCurrentSequenceIndex();\n\tconst ModSequence &orderList = Order(sequence);\n\n\tGetLengthMemory memory(*this);\n\tCSoundFile::PlayState &playState = *memory.state;\n\t// Temporary visited rows vector (so that GetLength() won't interfere with the player code if the module is playing at the same time)\n\tRowVisitor visitedRows(*this, sequence);\n\n\tplayState.m_nNextRow = playState.m_nRow = target.startRow;\n\tplayState.m_nNextOrder = playState.m_nCurrentOrder = target.startOrder;\n\n\t// Fast LUTs for commands that are too weird / complicated / whatever to emulate in sample position adjust mode.\n\tstd::bitset forbiddenCommands;\n\tstd::bitset forbiddenVolCommands;\n\n\tif(adjustSamplePos)\n\t{\n\t\tforbiddenCommands.set(CMD_ARPEGGIO); forbiddenCommands.set(CMD_PORTAMENTOUP);\n\t\tforbiddenCommands.set(CMD_PORTAMENTODOWN); forbiddenCommands.set(CMD_XFINEPORTAUPDOWN);\n\t\tforbiddenCommands.set(CMD_NOTESLIDEUP); forbiddenCommands.set(CMD_NOTESLIDEUPRETRIG);\n\t\tforbiddenCommands.set(CMD_NOTESLIDEDOWN); forbiddenCommands.set(CMD_NOTESLIDEDOWNRETRIG);\n\t\tforbiddenVolCommands.set(VOLCMD_PORTAUP); forbiddenVolCommands.set(VOLCMD_PORTADOWN);\n\n\t\t// Optimize away channels for which it's pointless to adjust sample positions\n\t\tfor(CHANNELINDEX i = 0; i < GetNumChannels(); i++)\n\t\t{\n\t\t\tif(ChnSettings[i].dwFlags[CHN_MUTE]) 
memory.chnSettings[i].ticksToRender = GetLengthMemory::IGNORE_CHANNEL;\n\t\t}\n\t\tif(target.mode == GetLengthTarget::SeekPosition && target.pos.order < orderList.size())\n\t\t{\n\t\t\t// If we know where to seek, we can directly rule out any channels on which a new note would be triggered right at the start.\n\t\t\tconst PATTERNINDEX seekPat = orderList[target.pos.order];\n\t\t\tif(Patterns.IsValidPat(seekPat) && Patterns[seekPat].IsValidRow(target.pos.row))\n\t\t\t{\n\t\t\t\tconst ModCommand *m = Patterns[seekPat].GetRow(target.pos.row);\n\t\t\t\tfor(CHANNELINDEX i = 0; i < GetNumChannels(); i++, m++)\n\t\t\t\t{\n\t\t\t\t\tif(m->note == NOTE_NOTECUT || m->note == NOTE_KEYOFF || (m->note == NOTE_FADE && GetNumInstruments())\n\t\t\t\t\t\t|| (m->IsNote() && !m->IsPortamento()))\n\t\t\t\t\t{\n\t\t\t\t\t\tmemory.chnSettings[i].ticksToRender = GetLengthMemory::IGNORE_CHANNEL;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t// If samples are being synced, force them to resync if tick duration changes\n\tuint32 oldTickDuration = 0;\n\n\tfor (;;)\n\t{\n\t\t// Time target reached.\n\t\tif(target.mode == GetLengthTarget::SeekSeconds && memory.elapsedTime >= target.time)\n\t\t{\n\t\t\tretval.targetReached = true;\n\t\t\tbreak;\n\t\t}\n\n\t\tuint32 rowDelay = 0, tickDelay = 0;\n\t\tplayState.m_nRow = playState.m_nNextRow;\n\t\tplayState.m_nCurrentOrder = playState.m_nNextOrder;\n\n\t\tif(orderList.IsValidPat(playState.m_nCurrentOrder) && playState.m_nRow >= Patterns[orderList[playState.m_nCurrentOrder]].GetNumRows())\n\t\t{\n\t\t\tplayState.m_nRow = 0;\n\t\t\tif(m_playBehaviour[kFT2LoopE60Restart])\n\t\t\t{\n\t\t\t\tplayState.m_nRow = playState.m_nNextPatStartRow;\n\t\t\t\tplayState.m_nNextPatStartRow = 0;\n\t\t\t}\n\t\t\tplayState.m_nCurrentOrder = ++playState.m_nNextOrder;\n\t\t}\n\n\t\t// Check if pattern is valid\n\t\tplayState.m_nPattern = playState.m_nCurrentOrder < orderList.size() ? 
orderList[playState.m_nCurrentOrder] : orderList.GetInvalidPatIndex();\n\t\tbool positionJumpOnThisRow = false;\n\t\tbool patternBreakOnThisRow = false;\n\t\tbool patternLoopEndedOnThisRow = false, patternLoopStartedOnThisRow = false;\n\n\t\tif(!Patterns.IsValidPat(playState.m_nPattern) && playState.m_nPattern != orderList.GetInvalidPatIndex() && target.mode == GetLengthTarget::SeekPosition && playState.m_nCurrentOrder == target.pos.order)\n\t\t{\n\t\t\t// Early test: Target is inside +++ or non-existing pattern\n\t\t\tretval.targetReached = true;\n\t\t\tbreak;\n\t\t}\n\n\t\twhile(playState.m_nPattern >= Patterns.Size())\n\t\t{\n\t\t\t// End of song?\n\t\t\tif((playState.m_nPattern == orderList.GetInvalidPatIndex()) || (playState.m_nCurrentOrder >= orderList.size()))\n\t\t\t{\n\t\t\t\tif(playState.m_nCurrentOrder == orderList.GetRestartPos())\n\t\t\t\t\tbreak;\n\t\t\t\telse\n\t\t\t\t\tplayState.m_nCurrentOrder = orderList.GetRestartPos();\n\t\t\t} else\n\t\t\t{\n\t\t\t\tplayState.m_nCurrentOrder++;\n\t\t\t}\n\t\t\tplayState.m_nPattern = (playState.m_nCurrentOrder < orderList.size()) ? orderList[playState.m_nCurrentOrder] : orderList.GetInvalidPatIndex();\n\t\t\tplayState.m_nNextOrder = playState.m_nCurrentOrder;\n\t\t\tif((!Patterns.IsValidPat(playState.m_nPattern)) && visitedRows.IsVisited(playState.m_nCurrentOrder, 0, true))\n\t\t\t{\n\t\t\t\tif(!hasSearchTarget || !visitedRows.GetFirstUnvisitedRow(playState.m_nNextOrder, playState.m_nRow, true))\n\t\t\t\t{\n\t\t\t\t\t// We aren't searching for a specific row, or we couldn't find any more unvisited rows.\n\t\t\t\t\tbreak;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\t// We haven't found the target row yet, but we found some other unplayed row... 
continue searching from here.\n\t\t\t\t\tretval.duration = memory.elapsedTime;\n\t\t\t\t\tresults.push_back(retval);\n\t\t\t\t\tretval.startRow = playState.m_nRow;\n\t\t\t\t\tretval.startOrder = playState.m_nNextOrder;\n\t\t\t\t\tmemory.Reset();\n\n\t\t\t\t\tplayState.m_nCurrentOrder = playState.m_nNextOrder;\n\t\t\t\t\tplayState.m_nPattern = orderList[playState.m_nCurrentOrder];\n\t\t\t\t\tplayState.m_nNextRow = playState.m_nRow;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif(playState.m_nNextOrder == ORDERINDEX_INVALID)\n\t\t{\n\t\t\t// GetFirstUnvisitedRow failed, so there is nothing more to play\n\t\t\tbreak;\n\t\t}\n\n\t\t// Skip non-existing patterns\n\t\tif(!Patterns.IsValidPat(playState.m_nPattern))\n\t\t{\n\t\t\t// If there isn't even a tune, we should probably stop here.\n\t\t\tif(playState.m_nCurrentOrder == orderList.GetRestartPos())\n\t\t\t{\n\t\t\t\tif(!hasSearchTarget || !visitedRows.GetFirstUnvisitedRow(playState.m_nNextOrder, playState.m_nRow, true))\n\t\t\t\t{\n\t\t\t\t\t// We aren't searching for a specific row, or we couldn't find any more unvisited rows.\n\t\t\t\t\tbreak;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\t// We haven't found the target row yet, but we found some other unplayed row... 
continue searching from here.\n\t\t\t\t\tretval.duration = memory.elapsedTime;\n\t\t\t\t\tresults.push_back(retval);\n\t\t\t\t\tretval.startRow = playState.m_nRow;\n\t\t\t\t\tretval.startOrder = playState.m_nNextOrder;\n\t\t\t\t\tmemory.Reset();\n\t\t\t\t\tplayState.m_nNextRow = playState.m_nRow;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t}\n\t\t\tplayState.m_nNextOrder = playState.m_nCurrentOrder + 1;\n\t\t\tcontinue;\n\t\t}\n\t\t// Should never happen\n\t\tif(playState.m_nRow >= Patterns[playState.m_nPattern].GetNumRows())\n\t\t\tplayState.m_nRow = 0;\n\n\t\t// Check whether target was reached.\n\t\tif(target.mode == GetLengthTarget::SeekPosition && playState.m_nCurrentOrder == target.pos.order && playState.m_nRow == target.pos.row)\n\t\t{\n\t\t\tretval.targetReached = true;\n\t\t\tbreak;\n\t\t}\n\n\t\tif(visitedRows.IsVisited(playState.m_nCurrentOrder, playState.m_nRow, true))\n\t\t{\n\t\t\tif(!hasSearchTarget || !visitedRows.GetFirstUnvisitedRow(playState.m_nNextOrder, playState.m_nRow, true))\n\t\t\t{\n\t\t\t\t// We aren't searching for a specific row, or we couldn't find any more unvisited rows.\n\t\t\t\tbreak;\n\t\t\t} else\n\t\t\t{\n\t\t\t\t// We haven't found the target row yet, but we found some other unplayed row... 
continue searching from here.\n\t\t\t\tretval.duration = memory.elapsedTime;\n\t\t\t\tresults.push_back(retval);\n\t\t\t\tretval.startRow = playState.m_nRow;\n\t\t\t\tretval.startOrder = playState.m_nNextOrder;\n\t\t\t\tmemory.Reset();\n\t\t\t\tplayState.m_nNextRow = playState.m_nRow;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t}\n\n\t\tretval.endOrder = playState.m_nCurrentOrder;\n\t\tretval.endRow = playState.m_nRow;\n\n\t\t// Update next position\n\t\tplayState.m_nNextRow = playState.m_nRow + 1;\n\n\t\t// Jumped to invalid pattern row?\n\t\tif(playState.m_nRow >= Patterns[playState.m_nPattern].GetNumRows())\n\t\t{\n\t\t\tplayState.m_nRow = 0;\n\t\t}\n\t\t// New pattern?\n\t\tif(!playState.m_nRow)\n\t\t{\n\t\t\tfor(CHANNELINDEX chn = 0; chn < GetNumChannels(); chn++)\n\t\t\t{\n\t\t\t\tmemory.chnSettings[chn].patLoop = memory.elapsedTime;\n\t\t\t\tmemory.chnSettings[chn].patLoopSmp = playState.m_lTotalSampleCount;\n\t\t\t}\n\t\t}\n\n\t\tModChannel *pChn = playState.Chn;\n\t\t\n\t\t// For various effects, we need to know first how many ticks there are in this row.\n\t\tconst ModCommand *p = Patterns[playState.m_nPattern].GetpModCommand(playState.m_nRow, 0);\n\t\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); nChn++, p++)\n\t\t{\n\t\t\tif(m_playBehaviour[kST3NoMutedChannels] && ChnSettings[nChn].dwFlags[CHN_MUTE])\t// not even effects are processed on muted S3M channels\n\t\t\t\tcontinue;\n\t\t\tif(p->IsPcNote())\n\t\t\t{\n#ifndef NO_PLUGINS\n\t\t\t\tif((adjustMode & eAdjust) && p->instr > 0 && p->instr <= MAX_MIXPLUGINS)\n\t\t\t\t{\n\t\t\t\t\tmemory.plugParams[std::make_pair(p->instr, p->GetValueVolCol())] = p->GetValueEffectCol();\n\t\t\t\t}\n#endif // NO_PLUGINS\n\t\t\t\tpChn[nChn].rowCommand.Clear();\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tpChn[nChn].rowCommand = *p;\n\t\t\tswitch(p->command)\n\t\t\t{\n\t\t\tcase CMD_SPEED:\n\t\t\t\tSetSpeed(playState, p->param);\n\t\t\t\tbreak;\n\n\t\t\tcase 
CMD_TEMPO:\n\t\t\t\tif(m_playBehaviour[kMODVBlankTiming])\n\t\t\t\t{\n\t\t\t\t\t// ProTracker MODs with VBlank timing: All Fxx parameters set the tick count.\n\t\t\t\t\tif(p->param != 0) SetSpeed(playState, p->param);\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_S3MCMDEX:\n\t\t\t\tif((p->param & 0xF0) == 0x60)\n\t\t\t\t{\n\t\t\t\t\t// Fine Pattern Delay\n\t\t\t\t\ttickDelay += (p->param & 0x0F);\n\t\t\t\t} else if((p->param & 0xF0) == 0xE0 && !rowDelay)\n\t\t\t\t{\n\t\t\t\t\t// Pattern Delay\n\t\t\t\t\tif(!(GetType() & MOD_TYPE_S3M) || (p->param & 0x0F) != 0)\n\t\t\t\t\t{\n\t\t\t\t\t\t// While Impulse Tracker *does* count S60 as a valid row delay (and thus ignores any other row delay commands on the right),\n\t\t\t\t\t\t// Scream Tracker 3 simply ignores such commands.\n\t\t\t\t\t\trowDelay = 1 + (p->param & 0x0F);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_MODCMDEX:\n\t\t\t\tif((p->param & 0xF0) == 0xE0)\n\t\t\t\t{\n\t\t\t\t\t// Pattern Delay\n\t\t\t\t\trowDelay = 1 + (p->param & 0x0F);\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif(rowDelay == 0) rowDelay = 1;\n\t\tconst uint32 numTicks = (playState.m_nMusicSpeed + tickDelay) * rowDelay;\n\t\tconst uint32 nonRowTicks = numTicks - rowDelay;\n\n\t\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); pChn++, nChn++) if(!pChn->rowCommand.IsEmpty())\n\t\t{\n\t\t\tif(m_playBehaviour[kST3NoMutedChannels] && ChnSettings[nChn].dwFlags[CHN_MUTE])\t// not even effects are processed on muted S3M channels\n\t\t\t\tcontinue;\n\t\t\tModCommand::COMMAND command = pChn->rowCommand.command;\n\t\t\tModCommand::PARAM param = pChn->rowCommand.param;\n\t\t\tModCommand::NOTE note = pChn->rowCommand.note;\n\n\t\t\tif (pChn->rowCommand.instr)\n\t\t\t{\n\t\t\t\tpChn->nNewIns = pChn->rowCommand.instr;\n\t\t\t\tpChn->nLastNote = NOTE_NONE;\n\t\t\t\tmemory.chnSettings[nChn].vol = 0xFF;\n\t\t\t}\n\t\t\tif (pChn->rowCommand.IsNote()) pChn->nLastNote = note;\n\n\t\t\t// Update channel 
panning\n\t\t\tif(pChn->rowCommand.IsNote() || pChn->rowCommand.instr)\n\t\t\t{\n\t\t\t\tSAMPLEINDEX smp = 0;\n\t\t\t\tif(GetNumInstruments())\n\t\t\t\t{\n\t\t\t\t\tModInstrument *pIns;\n\t\t\t\t\tif(pChn->nNewIns <= GetNumInstruments() && (pIns = Instruments[pChn->nNewIns]) != nullptr)\n\t\t\t\t\t{\n\t\t\t\t\t\tif(pIns->dwFlags[INS_SETPANNING])\n\t\t\t\t\t\t\tpChn->nPan = pIns->nPan;\n\t\t\t\t\t\tif(ModCommand::IsNote(note))\n\t\t\t\t\t\t\tsmp = pIns->Keyboard[note - NOTE_MIN];\n\t\t\t\t\t}\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\tsmp = pChn->nNewIns;\n\t\t\t\t}\n\t\t\t\tif(smp > 0 && smp <= GetNumSamples() && Samples[smp].uFlags[CHN_PANNING])\n\t\t\t\t{\n\t\t\t\t\tpChn->nPan = Samples[smp].nPan;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tswitch(pChn->rowCommand.volcmd)\n\t\t\t{\n\t\t\tcase VOLCMD_VOLUME:\n\t\t\t\tmemory.chnSettings[nChn].vol = pChn->rowCommand.vol;\n\t\t\t\tbreak;\n\t\t\tcase VOLCMD_VOLSLIDEUP:\n\t\t\tcase VOLCMD_VOLSLIDEDOWN:\n\t\t\t\tif(pChn->rowCommand.vol != 0)\n\t\t\t\t\tpChn->nOldVolParam = pChn->rowCommand.vol;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tswitch(command)\n\t\t\t{\n\t\t\t// Position Jump\n\t\t\tcase CMD_POSITIONJUMP:\n\t\t\t\tpositionJumpOnThisRow = true;\n\t\t\t\tplayState.m_nNextOrder = static_cast(CalculateXParam(playState.m_nPattern, playState.m_nRow, nChn));\n\t\t\t\tplayState.m_nNextPatStartRow = 0; // FT2 E60 bug\n\t\t\t\t// see https://forum.openmpt.org/index.php?topic=2769.0 - FastTracker resets Dxx if Bxx is called _after_ Dxx\n\t\t\t\t// Test case: PatternJump.mod\n\t\t\t\tif(!patternBreakOnThisRow || (GetType() & (MOD_TYPE_MOD | MOD_TYPE_XM)))\n\t\t\t\t\tplayState.m_nNextRow = 0;\n\n\t\t\t\tif (adjustMode & eAdjust)\n\t\t\t\t{\n\t\t\t\t\tpChn->nPatternLoopCount = 0;\n\t\t\t\t\tpChn->nPatternLoop = 0;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t// Pattern Break\n\t\t\tcase CMD_PATTERNBREAK:\n\t\t\t\t{\n\t\t\t\t\tROWINDEX row = PatternBreak(playState, nChn, param);\n\t\t\t\t\tif(row != ROWINDEX_INVALID)\n\t\t\t\t\t{\n\t\t\t\t\t\tpatternBreakOnThisRow 
= true;\n\t\t\t\t\t\tplayState.m_nNextRow = row;\n\n\t\t\t\t\t\tif(!positionJumpOnThisRow)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tplayState.m_nNextOrder = playState.m_nCurrentOrder + 1;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif(adjustMode & eAdjust)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tpChn->nPatternLoopCount = 0;\n\t\t\t\t\t\t\tpChn->nPatternLoop = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t// Set Tempo\n\t\t\tcase CMD_TEMPO:\n\t\t\t\tif(!m_playBehaviour[kMODVBlankTiming])\n\t\t\t\t{\n\t\t\t\t\tTEMPO tempo(CalculateXParam(playState.m_nPattern, playState.m_nRow, nChn), 0);\n\t\t\t\t\tif ((adjustMode & eAdjust) && (GetType() & (MOD_TYPE_S3M | MOD_TYPE_IT | MOD_TYPE_MPT)))\n\t\t\t\t\t{\n\t\t\t\t\t\tif (tempo.GetInt()) pChn->nOldTempo = static_cast(tempo.GetInt()); else tempo.Set(pChn->nOldTempo);\n\t\t\t\t\t}\n\n\t\t\t\t\tif (tempo.GetInt() >= 0x20) playState.m_nMusicTempo = tempo;\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\t// Tempo Slide\n\t\t\t\t\t\tTEMPO tempoDiff((tempo.GetInt() & 0x0F) * nonRowTicks, 0);\n\t\t\t\t\t\tif ((tempo.GetInt() & 0xF0) == 0x10)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tplayState.m_nMusicTempo += tempoDiff;\n\t\t\t\t\t\t} else\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif(tempoDiff < playState.m_nMusicTempo)\n\t\t\t\t\t\t\t\tplayState.m_nMusicTempo -= tempoDiff;\n\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\tplayState.m_nMusicTempo.Set(0);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tTEMPO tempoMin = GetModSpecifications().GetTempoMin(), tempoMax = GetModSpecifications().GetTempoMax();\n\t\t\t\t\tif(m_playBehaviour[kTempoClamp])\t// clamp tempo correctly in compatible mode\n\t\t\t\t\t{\n\t\t\t\t\t\ttempoMax.Set(255);\n\t\t\t\t\t}\n\t\t\t\t\tLimit(playState.m_nMusicTempo, tempoMin, tempoMax);\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_S3MCMDEX:\n\t\t\t\tswitch(param & 0xF0)\n\t\t\t\t{\n\t\t\t\tcase 0x90:\n\t\t\t\t\tif(param <= 0x91)\n\t\t\t\t\t{\n\t\t\t\t\t\tpChn->dwFlags.set(CHN_SURROUND, param == 0x91);\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase 0xA0:\n\t\t\t\t\t// High 
sample offset\n\t\t\t\t\tpChn->nOldHiOffset = param & 0x0F;\n\t\t\t\t\tbreak;\n\t\t\t\t\n\t\t\t\tcase 0xB0:\n\t\t\t\t\t// Pattern Loop\n\t\t\t\t\tif (param & 0x0F)\n\t\t\t\t\t{\n\t\t\t\t\t\tpatternLoopEndedOnThisRow = true;\n\t\t\t\t\t} else\n\t\t\t\t\t{\n\t\t\t\t\t\tCHANNELINDEX firstChn = nChn, lastChn = nChn;\n\t\t\t\t\t\tif(GetType() == MOD_TYPE_S3M)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t// ST3 has only one global loop memory.\n\t\t\t\t\t\t\tfirstChn = 0;\n\t\t\t\t\t\t\tlastChn = GetNumChannels() - 1;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tfor(CHANNELINDEX c = firstChn; c <= lastChn; c++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tmemory.chnSettings[c].patLoop = memory.elapsedTime;\n\t\t\t\t\t\t\tmemory.chnSettings[c].patLoopSmp = playState.m_lTotalSampleCount;\n\t\t\t\t\t\t\tmemory.chnSettings[c].patLoopStart = playState.m_nRow;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tpatternLoopStartedOnThisRow = true;\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase 0xF0:\n\t\t\t\t\t// Active macro\n\t\t\t\t\tpChn->nActiveMacro = param & 0x0F;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_MODCMDEX:\n\t\t\t\tswitch(param & 0xF0)\n\t\t\t\t{\n\t\t\t\tcase 0x60:\n\t\t\t\t\t// Pattern Loop\n\t\t\t\t\tif (param & 0x0F)\n\t\t\t\t\t{\n\t\t\t\t\t\tplayState.m_nNextPatStartRow = memory.chnSettings[nChn].patLoopStart; // FT2 E60 bug\n\t\t\t\t\t\tpatternLoopEndedOnThisRow = true;\n\t\t\t\t\t} else\n\t\t\t\t\t{\n\t\t\t\t\t\tpatternLoopStartedOnThisRow = true;\n\t\t\t\t\t\tmemory.chnSettings[nChn].patLoop = memory.elapsedTime;\n\t\t\t\t\t\tmemory.chnSettings[nChn].patLoopSmp = playState.m_lTotalSampleCount;\n\t\t\t\t\t\tmemory.chnSettings[nChn].patLoopStart = playState.m_nRow;\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase 0xF0:\n\t\t\t\t\t// Active macro\n\t\t\t\t\tpChn->nActiveMacro = param & 0x0F;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_XFINEPORTAUPDOWN:\n\t\t\t\t// ignore high offset in compatible mode\n\t\t\t\tif(((param & 0xF0) == 0xA0) && !m_playBehaviour[kFT2RestrictXCommand]) 
pChn->nOldHiOffset = param & 0x0F;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\t// The following calculations are not interesting if we just want to get the song length.\n\t\t\tif (!(adjustMode & eAdjust)) continue;\n\t\t\tswitch(command)\n\t\t\t{\n\t\t\t// Portamento Up/Down\n\t\t\tcase CMD_PORTAMENTOUP:\n\t\t\t\tif(param)\n\t\t\t\t{\n\t\t\t\t\t// FT2 compatibility: Separate effect memory for all portamento commands\n\t\t\t\t\t// Test case: Porta-LinkMem.xm\n\t\t\t\t\tif(!m_playBehaviour[kFT2PortaUpDownMemory])\n\t\t\t\t\t\tpChn->nOldPortaDown = param;\n\t\t\t\t\tpChn->nOldPortaUp = param;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase CMD_PORTAMENTODOWN:\n\t\t\t\tif(param)\n\t\t\t\t{\n\t\t\t\t\t// FT2 compatibility: Separate effect memory for all portamento commands\n\t\t\t\t\t// Test case: Porta-LinkMem.xm\n\t\t\t\t\tif(!m_playBehaviour[kFT2PortaUpDownMemory])\n\t\t\t\t\t\tpChn->nOldPortaUp = param;\n\t\t\t\t\tpChn->nOldPortaDown = param;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t// Tone-Portamento\n\t\t\tcase CMD_TONEPORTAMENTO:\n\t\t\t\tif (param) pChn->nPortamentoSlide = param << 2;\n\t\t\t\tbreak;\n\t\t\t// Offset\n\t\t\tcase CMD_OFFSET:\n\t\t\t\tif (param) pChn->oldOffset = param << 8;\n\t\t\t\tbreak;\n\t\t\t// Volume Slide\n\t\t\tcase CMD_VOLUMESLIDE:\n\t\t\tcase CMD_TONEPORTAVOL:\n\t\t\t\tif (param) pChn->nOldVolumeSlide = param;\n\t\t\t\tbreak;\n\t\t\t// Set Volume\n\t\t\tcase CMD_VOLUME:\n\t\t\t\tmemory.chnSettings[nChn].vol = param;\n\t\t\t\tbreak;\n\t\t\t// Global Volume\n\t\t\tcase CMD_GLOBALVOLUME:\n\t\t\t\tif(!(GetType() & GLOBALVOL_7BIT_FORMATS) && param < 128) param *= 2;\n\t\t\t\t// IT compatibility 16. 
ST3 and IT ignore out-of-range values\n\t\t\t\tif(param <= 128)\n\t\t\t\t{\n\t\t\t\t\tplayState.m_nGlobalVolume = param * 2;\n\t\t\t\t} else if(!(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT | MOD_TYPE_S3M)))\n\t\t\t\t{\n\t\t\t\t\tplayState.m_nGlobalVolume = 256;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t// Global Volume Slide\n\t\t\tcase CMD_GLOBALVOLSLIDE:\n\t\t\t\tif(m_playBehaviour[kPerChannelGlobalVolSlide])\n\t\t\t\t{\n\t\t\t\t\t// IT compatibility 16. Global volume slide params are stored per channel (FT2/IT)\n\t\t\t\t\tif (param) pChn->nOldGlobalVolSlide = param; else param = pChn->nOldGlobalVolSlide;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\tif (param) playState.Chn[0].nOldGlobalVolSlide = param; else param = playState.Chn[0].nOldGlobalVolSlide;\n\t\t\t\t}\n\t\t\t\tif (((param & 0x0F) == 0x0F) && (param & 0xF0))\n\t\t\t\t{\n\t\t\t\t\tparam >>= 4;\n\t\t\t\t\tif (!(GetType() & GLOBALVOL_7BIT_FORMATS)) param <<= 1;\n\t\t\t\t\tplayState.m_nGlobalVolume += param << 1;\n\t\t\t\t} else if (((param & 0xF0) == 0xF0) && (param & 0x0F))\n\t\t\t\t{\n\t\t\t\t\tparam = (param & 0x0F) << 1;\n\t\t\t\t\tif (!(GetType() & GLOBALVOL_7BIT_FORMATS)) param <<= 1;\n\t\t\t\t\tplayState.m_nGlobalVolume -= param;\n\t\t\t\t} else if (param & 0xF0)\n\t\t\t\t{\n\t\t\t\t\tparam >>= 4;\n\t\t\t\t\tparam <<= 1;\n\t\t\t\t\tif (!(GetType() & GLOBALVOL_7BIT_FORMATS)) param <<= 1;\n\t\t\t\t\tplayState.m_nGlobalVolume += param * nonRowTicks;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\tparam = (param & 0x0F) << 1;\n\t\t\t\t\tif (!(GetType() & GLOBALVOL_7BIT_FORMATS)) param <<= 1;\n\t\t\t\t\tplayState.m_nGlobalVolume -= param * nonRowTicks;\n\t\t\t\t}\n\t\t\t\tLimit(playState.m_nGlobalVolume, 0, 256);\n\t\t\t\tbreak;\n\t\t\tcase CMD_CHANNELVOLUME:\n\t\t\t\tif (param <= 64) pChn->nGlobalVol = param;\n\t\t\t\tbreak;\n\t\t\tcase CMD_CHANNELVOLSLIDE:\n\t\t\t\t{\n\t\t\t\t\tif (param) pChn->nOldChnVolSlide = param; else param = pChn->nOldChnVolSlide;\n\t\t\t\t\tint32 volume = pChn->nGlobalVol;\n\t\t\t\t\tif((param & 0x0F) 
== 0x0F && (param & 0xF0))\n\t\t\t\t\t\tvolume += (param >> 4);\t\t// Fine Up\n\t\t\t\t\telse if((param & 0xF0) == 0xF0 && (param & 0x0F))\n\t\t\t\t\t\tvolume -= (param & 0x0F);\t// Fine Down\n\t\t\t\t\telse if(param & 0x0F)\t\t\t// Down\n\t\t\t\t\t\tvolume -= (param & 0x0F) * nonRowTicks;\n\t\t\t\t\telse\t\t\t\t\t\t\t// Up\n\t\t\t\t\t\tvolume += ((param & 0xF0) >> 4) * nonRowTicks;\n\t\t\t\t\tLimit(volume, 0, 64);\n\t\t\t\t\tpChn->nGlobalVol = volume;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase CMD_PANNING8:\n\t\t\t\tPanning(pChn, param, Pan8bit);\n\t\t\t\tbreak;\n\t\t\tcase CMD_MODCMDEX:\n\t\t\t\tif(param < 0x10)\n\t\t\t\t{\n\t\t\t\t\t// LED filter\n\t\t\t\t\tfor(CHANNELINDEX chn = 0; chn < GetNumChannels(); chn++)\n\t\t\t\t\t{\n\t\t\t\t\t\tplayState.Chn[chn].dwFlags.set(CHN_AMIGAFILTER, !(param & 1));\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tMPT_FALLTHROUGH;\n\t\t\tcase CMD_S3MCMDEX:\n\t\t\t\tif((param & 0xF0) == 0x80)\n\t\t\t\t{\n\t\t\t\t\tPanning(pChn, (param & 0x0F), Pan4bit);\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_VIBRATOVOL:\n\t\t\t\tif (param) pChn->nOldVolumeSlide = param;\n\t\t\t\tparam = 0;\n\t\t\t\tMPT_FALLTHROUGH;\n\t\t\tcase CMD_VIBRATO:\n\t\t\t\tVibrato(pChn, param);\n\t\t\t\tbreak;\n\t\t\tcase CMD_FINEVIBRATO:\n\t\t\t\tFineVibrato(pChn, param);\n\t\t\t\tbreak;\n\t\t\tcase CMD_TREMOLO:\n\t\t\t\tTremolo(pChn, param);\n\t\t\t\tbreak;\n\t\t\tcase CMD_PANBRELLO:\n\t\t\t\tPanbrello(pChn, param);\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tswitch(pChn->rowCommand.volcmd)\n\t\t\t{\n\t\t\tcase VOLCMD_PANNING:\n\t\t\t\tPanning(pChn, pChn->rowCommand.vol, Pan6bit);\n\t\t\t\tbreak;\n\n\t\t\tcase VOLCMD_VIBRATOSPEED:\n\t\t\t\t// FT2 does not automatically enable vibrato with the \"set vibrato speed\" command\n\t\t\t\tif(m_playBehaviour[kFT2VolColVibrato])\n\t\t\t\t\tpChn->nVibratoSpeed = pChn->rowCommand.vol & 0x0F;\n\t\t\t\telse\n\t\t\t\t\tVibrato(pChn, pChn->rowCommand.vol << 4);\n\t\t\t\tbreak;\n\t\t\tcase VOLCMD_VIBRATODEPTH:\n\t\t\t\tVibrato(pChn, 
pChn->rowCommand.vol);\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\t// Process vibrato / tremolo / panbrello\n\t\t\tswitch(pChn->rowCommand.command)\n\t\t\t{\n\t\t\tcase CMD_VIBRATO:\n\t\t\tcase CMD_FINEVIBRATO:\n\t\t\tcase CMD_VIBRATOVOL:\n\t\t\t\tif(adjustMode & eAdjust)\n\t\t\t\t{\n\t\t\t\t\tuint32 vibTicks = ((GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT)) && !m_SongFlags[SONG_ITOLDEFFECTS]) ? numTicks : nonRowTicks;\n\t\t\t\t\tuint32 inc = pChn->nVibratoSpeed * vibTicks;\n\t\t\t\t\tif(m_playBehaviour[kITVibratoTremoloPanbrello])\n\t\t\t\t\t\tinc *= 4;\n\t\t\t\t\tpChn->nVibratoPos += static_cast(inc);\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_TREMOLO:\n\t\t\t\tif(adjustMode & eAdjust)\n\t\t\t\t{\n\t\t\t\t\tuint32 tremTicks = ((GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT)) && !m_SongFlags[SONG_ITOLDEFFECTS]) ? numTicks : nonRowTicks;\n\t\t\t\t\tuint32 inc = pChn->nTremoloSpeed * tremTicks;\n\t\t\t\t\tif(m_playBehaviour[kITVibratoTremoloPanbrello])\n\t\t\t\t\t\tinc *= 4;\n\t\t\t\t\tpChn->nTremoloPos += static_cast(inc);\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_PANBRELLO:\n\t\t\t\tif(adjustMode & eAdjust)\n\t\t\t\t{\n\t\t\t\t\t// Panbrello effect is permanent in compatible mode, so actually apply panbrello for the last tick of this row\n\t\t\t\t\tpChn->nPanbrelloPos += static_cast(pChn->nPanbrelloSpeed * (numTicks - 1));\n\t\t\t\t\tProcessPanbrello(pChn);\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\t// Interpret F00 effect in XM files as \"stop song\"\n\t\tif(GetType() == MOD_TYPE_XM && playState.m_nMusicSpeed == uint16_max)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\tplayState.m_nCurrentRowsPerBeat = m_nDefaultRowsPerBeat;\n\t\tif(Patterns[playState.m_nPattern].GetOverrideSignature())\n\t\t{\n\t\t\tplayState.m_nCurrentRowsPerBeat = Patterns[playState.m_nPattern].GetRowsPerBeat();\n\t\t}\n\n\t\tconst uint32 tickDuration = GetTickDuration(playState);\n\t\tconst uint32 rowDuration = tickDuration * numTicks;\n\t\tmemory.elapsedTime += static_cast(rowDuration) / 
static_cast(m_MixerSettings.gdwMixingFreq);\n\t\tplayState.m_lTotalSampleCount += rowDuration;\n\n\t\tif(adjustSamplePos)\n\t\t{\n\t\t\t// Super experimental and dirty sample seeking\n\t\t\tpChn = playState.Chn;\n\t\t\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); pChn++, nChn++)\n\t\t\t{\n\t\t\t\tif(memory.chnSettings[nChn].ticksToRender == GetLengthMemory::IGNORE_CHANNEL)\n\t\t\t\t\tcontinue;\n\n\t\t\t\tuint32 startTick = 0;\n\t\t\t\tconst ModCommand &m = pChn->rowCommand;\n\t\t\t\tuint32 paramHi = m.param >> 4, paramLo = m.param & 0x0F;\n\t\t\t\tbool porta = m.command == CMD_TONEPORTAMENTO || m.command == CMD_TONEPORTAVOL || m.volcmd == VOLCMD_TONEPORTAMENTO;\n\t\t\t\tbool stopNote = patternLoopStartedOnThisRow;\t// It's too much trouble to keep those pattern loops in sync...\n\n\t\t\t\tif(m.instr) pChn->proTrackerOffset = 0;\n\t\t\t\tif(m.IsNote())\n\t\t\t\t{\n\t\t\t\t\tif(porta && memory.chnSettings[nChn].incChanged)\n\t\t\t\t\t{\n\t\t\t\t\t\t// If there's a portamento, the current channel increment mustn't be 0 in NoteChange()\n\t\t\t\t\t\tpChn->increment = GetChannelIncrement(pChn, pChn->nPeriod, 0);\n\t\t\t\t\t}\n\t\t\t\t\tint32 setPan = pChn->nPan;\n\t\t\t\t\tpChn->nNewNote = pChn->nLastNote;\n\t\t\t\t\tif(pChn->nNewIns != 0) InstrumentChange(pChn, pChn->nNewIns, porta);\n\t\t\t\t\tNoteChange(pChn, m.note, porta);\n\t\t\t\t\tmemory.chnSettings[nChn].incChanged = true;\n\n\t\t\t\t\tif((m.command == CMD_MODCMDEX || m.command == CMD_S3MCMDEX) && (m.param & 0xF0) == 0xD0 && paramLo < numTicks)\n\t\t\t\t\t{\n\t\t\t\t\t\tstartTick = paramLo;\n\t\t\t\t\t} else if(m.command == CMD_DELAYCUT && paramHi < numTicks)\n\t\t\t\t\t{\n\t\t\t\t\t\tstartTick = paramHi;\n\t\t\t\t\t}\n\t\t\t\t\tif(rowDelay > 1 && startTick != 0 && (GetType() & (MOD_TYPE_S3M | MOD_TYPE_IT | MOD_TYPE_MPT)))\n\t\t\t\t\t{\n\t\t\t\t\t\tstartTick += (playState.m_nMusicSpeed + tickDelay) * (rowDelay - 1);\n\t\t\t\t\t}\n\t\t\t\t\tif(!porta) memory.chnSettings[nChn].ticksToRender = 
0;\n\n\t\t\t\t\t// Panning commands have to be re-applied after a note change with potential pan change.\n\t\t\t\t\tif(m.command == CMD_PANNING8\n\t\t\t\t\t\t|| ((m.command == CMD_MODCMDEX || m.command == CMD_S3MCMDEX) && paramHi == 0x8)\n\t\t\t\t\t\t|| m.volcmd == VOLCMD_PANNING)\n\t\t\t\t\t{\n\t\t\t\t\t\tpChn->nPan = setPan;\n\t\t\t\t\t}\n\n\t\t\t\t\tif(m.command == CMD_OFFSET)\n\t\t\t\t\t{\n\t\t\t\t\t\tbool isExtended = false;\n\t\t\t\t\t\tSmpLength offset = CalculateXParam(playState.m_nPattern, playState.m_nRow, nChn, &isExtended);\n\t\t\t\t\t\tif(!isExtended)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\toffset <<= 8;\n\t\t\t\t\t\t\tif(offset == 0) offset = pChn->oldOffset;\n\t\t\t\t\t\t\toffset += static_cast(pChn->nOldHiOffset) << 16;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tSampleOffset(*pChn, offset);\n\t\t\t\t\t} else if(m.command == CMD_OFFSETPERCENTAGE)\n\t\t\t\t\t{\n\t\t\t\t\t\tSampleOffset(*pChn, Util::muldiv_unsigned(pChn->nLength, m.param, 255));\n\t\t\t\t\t} else if(m.command == CMD_REVERSEOFFSET && pChn->pModSample != nullptr)\n\t\t\t\t\t{\n\t\t\t\t\t\tmemory.RenderChannel(nChn, oldTickDuration);\t// Re-sync what we've got so far\n\t\t\t\t\t\tReverseSampleOffset(*pChn, m.param);\n\t\t\t\t\t\tstartTick = playState.m_nMusicSpeed - 1;\n\t\t\t\t\t} else if(m.volcmd == VOLCMD_OFFSET)\n\t\t\t\t\t{\n\t\t\t\t\t\tif(m.vol <= CountOf(pChn->pModSample->cues) && pChn->pModSample != nullptr)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSmpLength offset;\n\t\t\t\t\t\t\tif(m.vol == 0)\n\t\t\t\t\t\t\t\toffset = pChn->oldOffset;\n\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\toffset = pChn->oldOffset = pChn->pModSample->cues[m.vol - 1];\n\t\t\t\t\t\t\tSampleOffset(*pChn, offset);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif(m.note == NOTE_KEYOFF || m.note == NOTE_NOTECUT || (m.note == NOTE_FADE && GetNumInstruments())\n\t\t\t\t\t|| ((m.command == CMD_MODCMDEX || m.command == CMD_S3MCMDEX) && (m.param & 0xF0) == 0xC0 && paramLo < numTicks)\n\t\t\t\t\t|| (m.command == CMD_DELAYCUT && paramLo != 0 && startTick + 
paramLo < numTicks))\n\t\t\t\t{\n\t\t\t\t\tstopNote = true;\n\t\t\t\t}\n\n\t\t\t\tif(m.command == CMD_VOLUME)\n\t\t\t\t{\n\t\t\t\t\tpChn->nVolume = m.param * 4;\n\t\t\t\t} else if(m.volcmd == VOLCMD_VOLUME)\n\t\t\t\t{\n\t\t\t\t\tpChn->nVolume = m.vol * 4;\n\t\t\t\t}\n\t\t\t\t\n\t\t\t\tif(pChn->pModSample && !stopNote)\n\t\t\t\t{\n\t\t\t\t\t// Check if we don't want to emulate some effect and thus stop processing.\n\t\t\t\t\tif(m.command < MAX_EFFECTS)\n\t\t\t\t\t{\n\t\t\t\t\t\tif(forbiddenCommands[m.command])\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tstopNote = true;\n\t\t\t\t\t\t} else if(m.command == CMD_MODCMDEX)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t// Special case: Slides using extended commands\n\t\t\t\t\t\t\tswitch(m.param & 0xF0)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\tcase 0x10:\n\t\t\t\t\t\t\tcase 0x20:\n\t\t\t\t\t\t\t\tstopNote = true;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif(m.volcmd < forbiddenVolCommands.size() && forbiddenVolCommands[m.volcmd])\n\t\t\t\t\t{\n\t\t\t\t\t\tstopNote = true;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif(stopNote)\n\t\t\t\t{\n\t\t\t\t\tpChn->Stop();\n\t\t\t\t\tmemory.chnSettings[nChn].ticksToRender = 0;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\tif(oldTickDuration != tickDuration && oldTickDuration != 0)\n\t\t\t\t\t{\n\t\t\t\t\t\tmemory.RenderChannel(nChn, oldTickDuration);\t// Re-sync what we've got so far\n\t\t\t\t\t}\n\n\t\t\t\t\tswitch(m.command)\n\t\t\t\t\t{\n\t\t\t\t\tcase CMD_TONEPORTAVOL:\n\t\t\t\t\tcase CMD_VOLUMESLIDE:\n\t\t\t\t\tcase CMD_VIBRATOVOL:\n\t\t\t\t\t\tif(m.param || (GetType() != MOD_TYPE_MOD))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tfor(uint32 i = 0; i < numTicks; i++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tpChn->isFirstTick = (i == 0);\n\t\t\t\t\t\t\t\tVolumeSlide(pChn, m.param);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CMD_MODCMDEX:\n\t\t\t\t\t\tif((m.param & 0x0F) || (GetType() & (MOD_TYPE_XM | MOD_TYPE_MT2)))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tpChn->isFirstTick = true;\n\t\t\t\t\t\t\tswitch(m.param & 
0xF0)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\tcase 0xA0: FineVolumeUp(pChn, m.param & 0x0F, false); break;\n\t\t\t\t\t\t\tcase 0xB0: FineVolumeDown(pChn, m.param & 0x0F, false); break;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CMD_S3MCMDEX:\n\t\t\t\t\t\tif(m.param == 0x9E)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t// Play forward\n\t\t\t\t\t\t\tmemory.RenderChannel(nChn, oldTickDuration);\t// Re-sync what we've got so far\n\t\t\t\t\t\t\tpChn->dwFlags.reset(CHN_PINGPONGFLAG);\n\t\t\t\t\t\t} else if(m.param == 0x9F)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t// Reverse\n\t\t\t\t\t\t\tmemory.RenderChannel(nChn, oldTickDuration);\t// Re-sync what we've got so far\n\t\t\t\t\t\t\tpChn->dwFlags.set(CHN_PINGPONGFLAG);\n\t\t\t\t\t\t\tif(!pChn->position.GetInt() && pChn->nLength && (m.IsNote() || !pChn->dwFlags[CHN_LOOP]))\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tpChn->position.Set(pChn->nLength - 1, SamplePosition::fractMax);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} else if((m.param & 0xF0) == 0x70)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t// TODO\n\t\t\t\t\t\t\t//ExtendedS3MCommands(nChn, param);\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\tpChn->isFirstTick = true;\n\t\t\t\t\tswitch(m.volcmd)\n\t\t\t\t\t{\n\t\t\t\t\tcase VOLCMD_FINEVOLUP:\t\tFineVolumeUp(pChn, m.vol, m_playBehaviour[kITVolColMemory]); break;\n\t\t\t\t\tcase VOLCMD_FINEVOLDOWN:\tFineVolumeDown(pChn, m.vol, m_playBehaviour[kITVolColMemory]); break;\n\t\t\t\t\tcase VOLCMD_VOLSLIDEUP:\n\t\t\t\t\tcase VOLCMD_VOLSLIDEDOWN:\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t// IT Compatibility: Volume column volume slides have their own memory\n\t\t\t\t\t\t\t// Test case: VolColMemory.it\n\t\t\t\t\t\t\tModCommand::VOL vol = m.vol;\n\t\t\t\t\t\t\tif(vol == 0 && m_playBehaviour[kITVolColMemory])\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tvol = pChn->nOldVolParam;\n\t\t\t\t\t\t\t\tif(vol == 0)\n\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif(m.volcmd == VOLCMD_VOLSLIDEUP)\n\t\t\t\t\t\t\t\tvol <<= 4;\n\t\t\t\t\t\t\tfor(uint32 i = 0; i < numTicks; 
i++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tpChn->isFirstTick = (i == 0);\n\t\t\t\t\t\t\t\tVolumeSlide(pChn, vol);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\n\t\t\t\t\tif(porta)\n\t\t\t\t\t{\n\t\t\t\t\t\t// Portamento needs immediate syncing, as the pitch changes on each tick\n\t\t\t\t\t\tuint32 portaTick = memory.chnSettings[nChn].ticksToRender + startTick + 1;\n\t\t\t\t\t\tmemory.chnSettings[nChn].ticksToRender += numTicks;\n\t\t\t\t\t\tmemory.RenderChannel(nChn, tickDuration, portaTick);\n\t\t\t\t\t} else\n\t\t\t\t\t{\n\t\t\t\t\t\tmemory.chnSettings[nChn].ticksToRender += (numTicks - startTick);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\toldTickDuration = tickDuration;\n\n\t\t// Pattern loop is not executed in FT2 if there are any position jump or pattern break commands on the same row.\n\t\t// Pattern loop is not executed in IT if there are any position jump commands on the same row.\n\t\t// Test case for FT2 exception: PatLoop-Jumps.xm, PatLoop-Various.xm\n\t\t// Test case for IT: exception: LoopBreak.it\n\t\tif(patternLoopEndedOnThisRow\n\t\t\t&& (!m_playBehaviour[kFT2PatternLoopWithJumps] || !(positionJumpOnThisRow || patternBreakOnThisRow))\n\t\t\t&& (!m_playBehaviour[kITPatternLoopWithJumps] || !positionJumpOnThisRow))\n\t\t{\n\t\t\tstd::map startTimes;\n\t\t\t// This is really just a simple estimation for nested pattern loops. 
It should handle cases correctly where all parallel loops start and end on the same row.\n\t\t\t// If one of them starts or ends \"in between\", it will most likely calculate a wrong duration.\n\t\t\t// For S3M files, it's also way off.\n\t\t\tpChn = playState.Chn;\n\t\t\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); nChn++, pChn++)\n\t\t\t{\n\t\t\t\tModCommand::COMMAND command = pChn->rowCommand.command;\n\t\t\t\tModCommand::PARAM param = pChn->rowCommand.param;\n\t\t\t\tif((command == CMD_S3MCMDEX && param >= 0xB1 && param <= 0xBF)\n\t\t\t\t\t|| (command == CMD_MODCMDEX && param >= 0x61 && param <= 0x6F))\n\t\t\t\t{\n\t\t\t\t\tconst double start = memory.chnSettings[nChn].patLoop;\n\t\t\t\t\tif(!startTimes[start]) startTimes[start] = 1;\n\t\t\t\t\tstartTimes[start] = mpt::lcm(startTimes[start], 1 + (param & 0x0F));\n\t\t\t\t}\n\t\t\t}\n\t\t\tfor(const auto &i : startTimes)\n\t\t\t{\n\t\t\t\tmemory.elapsedTime += (memory.elapsedTime - i.first) * (double)(i.second - 1);\n\t\t\t\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); nChn++, pChn++)\n\t\t\t\t{\n\t\t\t\t\tif(memory.chnSettings[nChn].patLoop == i.first)\n\t\t\t\t\t{\n\t\t\t\t\t\tplayState.m_lTotalSampleCount += (playState.m_lTotalSampleCount - memory.chnSettings[nChn].patLoopSmp) * (i.second - 1);\n\t\t\t\t\t\tif(m_playBehaviour[kITPatternLoopTargetReset] || (GetType() == MOD_TYPE_S3M))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tmemory.chnSettings[nChn].patLoop = memory.elapsedTime;\n\t\t\t\t\t\t\tmemory.chnSettings[nChn].patLoopSmp = playState.m_lTotalSampleCount;\n\t\t\t\t\t\t\tmemory.chnSettings[nChn].patLoopStart = playState.m_nRow + 1;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tif(GetType() == MOD_TYPE_IT)\n\t\t\t{\n\t\t\t\t// IT pattern loop start row update - at the end of a pattern loop, set pattern loop start to next row (for upcoming pattern loops with missing SB0)\n\t\t\t\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); 
nChn++)\n\t\t\t\t{\n\t\t\t\t\tif((pChn->rowCommand.command == CMD_S3MCMDEX && pChn->rowCommand.param >= 0xB1 && pChn->rowCommand.param <= 0xBF))\n\t\t\t\t\t{\n\t\t\t\t\t\tmemory.chnSettings[nChn].patLoop = memory.elapsedTime;\n\t\t\t\t\t\tmemory.chnSettings[nChn].patLoopSmp = playState.m_lTotalSampleCount;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t// Now advance the sample positions for sample seeking on channels that are still playing\n\tif(adjustSamplePos)\n\t{\n\t\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); nChn++)\n\t\t{\n\t\t\tif(memory.chnSettings[nChn].ticksToRender != GetLengthMemory::IGNORE_CHANNEL)\n\t\t\t{\n\t\t\t\tmemory.RenderChannel(nChn, oldTickDuration);\n\t\t\t}\n\t\t}\n\t}\n\n\tif(retval.targetReached || target.mode == GetLengthTarget::NoTarget)\n\t{\n\t\tretval.lastOrder = playState.m_nCurrentOrder;\n\t\tretval.lastRow = playState.m_nRow;\n\t}\n\tretval.duration = memory.elapsedTime;\n\tresults.push_back(retval);\n\n\t// Store final variables\n\tif(adjustMode & eAdjust)\n\t{\n\t\tif(retval.targetReached || target.mode == GetLengthTarget::NoTarget)\n\t\t{\n\t\t\t// Target found, or there is no target (i.e. 
play whole song)...\n\t\t\tm_PlayState = std::move(playState);\n\t\t\tm_PlayState.m_nNextRow = m_PlayState.m_nRow;\n\t\t\tm_PlayState.m_nFrameDelay = m_PlayState.m_nPatternDelay = 0;\n\t\t\tm_PlayState.m_nTickCount = Util::MaxValueOfType(m_PlayState.m_nTickCount) - 1;\n\t\t\tm_PlayState.m_bPositionChanged = true;\n\t\t\tfor(CHANNELINDEX n = 0; n < GetNumChannels(); n++)\n\t\t\t{\n\t\t\t\tif(m_PlayState.Chn[n].nLastNote != NOTE_NONE)\n\t\t\t\t{\n\t\t\t\t\tm_PlayState.Chn[n].nNewNote = m_PlayState.Chn[n].nLastNote;\n\t\t\t\t}\n\t\t\t\tif(memory.chnSettings[n].vol != 0xFF && !adjustSamplePos)\n\t\t\t\t{\n\t\t\t\t\tm_PlayState.Chn[n].nVolume = std::min(memory.chnSettings[n].vol, uint8(64)) * 4;\n\t\t\t\t}\n\t\t\t}\n\n#ifndef NO_PLUGINS\n\t\t\t// If there were any PC events, update plugin parameters to their latest value.\n\t\t\tstd::bitset plugSetProgram;\n\t\t\tfor(const auto ¶m : memory.plugParams)\n\t\t\t{\n\t\t\t\tPLUGINDEX plug = param.first.first - 1;\n\t\t\t\tIMixPlugin *plugin = m_MixPlugins[plug].pMixPlugin;\n\t\t\t\tif(plugin != nullptr)\n\t\t\t\t{\n\t\t\t\t\tif(!plugSetProgram[plug])\n\t\t\t\t\t{\n\t\t\t\t\t\t// Used for bridged plugins to avoid sending out individual messages for each parameter.\n\t\t\t\t\t\tplugSetProgram.set(plug);\n\t\t\t\t\t\tplugin->BeginSetProgram();\n\t\t\t\t\t}\n\t\t\t\t\tplugin->SetParameter(param.first.second, param.second / PlugParamValue(ModCommand::maxColumnValue));\n\t\t\t\t}\n\t\t\t}\n\t\t\tif(plugSetProgram.any())\n\t\t\t{\n\t\t\t\tfor(PLUGINDEX i = 0; i < MAX_MIXPLUGINS; i++)\n\t\t\t\t{\n\t\t\t\t\tif(plugSetProgram[i])\n\t\t\t\t\t{\n\t\t\t\t\t\tm_MixPlugins[i].pMixPlugin->EndSetProgram();\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n#endif // NO_PLUGINS\n\t\t} else if(adjustMode != eAdjustOnSuccess)\n\t\t{\n\t\t\t// Target not found (e.g. 
when jumping to a hidden sub song), reset global variables...\n\t\t\tm_PlayState.m_nMusicSpeed = m_nDefaultSpeed;\n\t\t\tm_PlayState.m_nMusicTempo = m_nDefaultTempo;\n\t\t\tm_PlayState.m_nGlobalVolume = m_nDefaultGlobalVolume;\n\t\t}\n\t\t// When adjusting the playback status, we will also want to update the visited rows vector according to the current position.\n\t\tif(sequence != Order.GetCurrentSequenceIndex())\n\t\t{\n\t\t\tOrder.SetSequence(sequence);\n\t\t}\n\t\tvisitedSongRows.Set(visitedRows);\n\t}\n\n\treturn results;\n\n}", "project": "openmpt", "hash": 248561327453942912572700036302541191491, "size": 1079, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 1, "dataset": "other", "idx": 197202 }, { "func": "std::vector CSoundFile::GetLength(enmGetLengthResetMode adjustMode, GetLengthTarget target)\n{\n\tstd::vector results;\n\tGetLengthType retval;\n\tretval.startOrder = target.startOrder;\n\tretval.startRow = target.startRow;\n\n\t// Are we trying to reach a certain pattern position?\n\tconst bool hasSearchTarget = target.mode != GetLengthTarget::NoTarget;\n\tconst bool adjustSamplePos = (adjustMode & eAdjustSamplePositions) == eAdjustSamplePositions;\n\n\tSEQUENCEINDEX sequence = target.sequence;\n\tif(sequence >= Order.GetNumSequences()) sequence = Order.GetCurrentSequenceIndex();\n\tconst ModSequence &orderList = Order(sequence);\n\n\tGetLengthMemory memory(*this);\n\tCSoundFile::PlayState &playState = *memory.state;\n\t// Temporary visited rows vector (so that GetLength() won't interfere with the player code if the module is playing at the same time)\n\tRowVisitor visitedRows(*this, sequence);\n\n\tplayState.m_nNextRow = 
playState.m_nRow = target.startRow;\n\tplayState.m_nNextOrder = playState.m_nCurrentOrder = target.startOrder;\n\n\t// Fast LUTs for commands that are too weird / complicated / whatever to emulate in sample position adjust mode.\n\tstd::bitset forbiddenCommands;\n\tstd::bitset forbiddenVolCommands;\n\n\tif(adjustSamplePos)\n\t{\n\t\tforbiddenCommands.set(CMD_ARPEGGIO); forbiddenCommands.set(CMD_PORTAMENTOUP);\n\t\tforbiddenCommands.set(CMD_PORTAMENTODOWN); forbiddenCommands.set(CMD_XFINEPORTAUPDOWN);\n\t\tforbiddenCommands.set(CMD_NOTESLIDEUP); forbiddenCommands.set(CMD_NOTESLIDEUPRETRIG);\n\t\tforbiddenCommands.set(CMD_NOTESLIDEDOWN); forbiddenCommands.set(CMD_NOTESLIDEDOWNRETRIG);\n\t\tforbiddenVolCommands.set(VOLCMD_PORTAUP); forbiddenVolCommands.set(VOLCMD_PORTADOWN);\n\n\t\t// Optimize away channels for which it's pointless to adjust sample positions\n\t\tfor(CHANNELINDEX i = 0; i < GetNumChannels(); i++)\n\t\t{\n\t\t\tif(ChnSettings[i].dwFlags[CHN_MUTE]) memory.chnSettings[i].ticksToRender = GetLengthMemory::IGNORE_CHANNEL;\n\t\t}\n\t\tif(target.mode == GetLengthTarget::SeekPosition && target.pos.order < orderList.size())\n\t\t{\n\t\t\t// If we know where to seek, we can directly rule out any channels on which a new note would be triggered right at the start.\n\t\t\tconst PATTERNINDEX seekPat = orderList[target.pos.order];\n\t\t\tif(Patterns.IsValidPat(seekPat) && Patterns[seekPat].IsValidRow(target.pos.row))\n\t\t\t{\n\t\t\t\tconst ModCommand *m = Patterns[seekPat].GetRow(target.pos.row);\n\t\t\t\tfor(CHANNELINDEX i = 0; i < GetNumChannels(); i++, m++)\n\t\t\t\t{\n\t\t\t\t\tif(m->note == NOTE_NOTECUT || m->note == NOTE_KEYOFF || (m->note == NOTE_FADE && GetNumInstruments())\n\t\t\t\t\t\t|| (m->IsNote() && !m->IsPortamento()))\n\t\t\t\t\t{\n\t\t\t\t\t\tmemory.chnSettings[i].ticksToRender = GetLengthMemory::IGNORE_CHANNEL;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t// If samples are being synced, force them to resync if tick duration changes\n\tuint32 
oldTickDuration = 0;\n\n\tfor (;;)\n\t{\n\t\t// Time target reached.\n\t\tif(target.mode == GetLengthTarget::SeekSeconds && memory.elapsedTime >= target.time)\n\t\t{\n\t\t\tretval.targetReached = true;\n\t\t\tbreak;\n\t\t}\n\n\t\tuint32 rowDelay = 0, tickDelay = 0;\n\t\tplayState.m_nRow = playState.m_nNextRow;\n\t\tplayState.m_nCurrentOrder = playState.m_nNextOrder;\n\n\t\tif(orderList.IsValidPat(playState.m_nCurrentOrder) && playState.m_nRow >= Patterns[orderList[playState.m_nCurrentOrder]].GetNumRows())\n\t\t{\n\t\t\tplayState.m_nRow = 0;\n\t\t\tif(m_playBehaviour[kFT2LoopE60Restart])\n\t\t\t{\n\t\t\t\tplayState.m_nRow = playState.m_nNextPatStartRow;\n\t\t\t\tplayState.m_nNextPatStartRow = 0;\n\t\t\t}\n\t\t\tplayState.m_nCurrentOrder = ++playState.m_nNextOrder;\n\t\t}\n\n\t\t// Check if pattern is valid\n\t\tplayState.m_nPattern = playState.m_nCurrentOrder < orderList.size() ? orderList[playState.m_nCurrentOrder] : orderList.GetInvalidPatIndex();\n\t\tbool positionJumpOnThisRow = false;\n\t\tbool patternBreakOnThisRow = false;\n\t\tbool patternLoopEndedOnThisRow = false, patternLoopStartedOnThisRow = false;\n\n\t\tif(!Patterns.IsValidPat(playState.m_nPattern) && playState.m_nPattern != orderList.GetInvalidPatIndex() && target.mode == GetLengthTarget::SeekPosition && playState.m_nCurrentOrder == target.pos.order)\n\t\t{\n\t\t\t// Early test: Target is inside +++ or non-existing pattern\n\t\t\tretval.targetReached = true;\n\t\t\tbreak;\n\t\t}\n\n\t\twhile(playState.m_nPattern >= Patterns.Size())\n\t\t{\n\t\t\t// End of song?\n\t\t\tif((playState.m_nPattern == orderList.GetInvalidPatIndex()) || (playState.m_nCurrentOrder >= orderList.size()))\n\t\t\t{\n\t\t\t\tif(playState.m_nCurrentOrder == orderList.GetRestartPos())\n\t\t\t\t\tbreak;\n\t\t\t\telse\n\t\t\t\t\tplayState.m_nCurrentOrder = orderList.GetRestartPos();\n\t\t\t} else\n\t\t\t{\n\t\t\t\tplayState.m_nCurrentOrder++;\n\t\t\t}\n\t\t\tplayState.m_nPattern = (playState.m_nCurrentOrder < orderList.size()) ? 
orderList[playState.m_nCurrentOrder] : orderList.GetInvalidPatIndex();\n\t\t\tplayState.m_nNextOrder = playState.m_nCurrentOrder;\n\t\t\tif((!Patterns.IsValidPat(playState.m_nPattern)) && visitedRows.IsVisited(playState.m_nCurrentOrder, 0, true))\n\t\t\t{\n\t\t\t\tif(!hasSearchTarget || !visitedRows.GetFirstUnvisitedRow(playState.m_nNextOrder, playState.m_nRow, true))\n\t\t\t\t{\n\t\t\t\t\t// We aren't searching for a specific row, or we couldn't find any more unvisited rows.\n\t\t\t\t\tbreak;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\t// We haven't found the target row yet, but we found some other unplayed row... continue searching from here.\n\t\t\t\t\tretval.duration = memory.elapsedTime;\n\t\t\t\t\tresults.push_back(retval);\n\t\t\t\t\tretval.startRow = playState.m_nRow;\n\t\t\t\t\tretval.startOrder = playState.m_nNextOrder;\n\t\t\t\t\tmemory.Reset();\n\n\t\t\t\t\tplayState.m_nCurrentOrder = playState.m_nNextOrder;\n\t\t\t\t\tplayState.m_nPattern = orderList[playState.m_nCurrentOrder];\n\t\t\t\t\tplayState.m_nNextRow = playState.m_nRow;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif(playState.m_nNextOrder == ORDERINDEX_INVALID)\n\t\t{\n\t\t\t// GetFirstUnvisitedRow failed, so there is nothing more to play\n\t\t\tbreak;\n\t\t}\n\n\t\t// Skip non-existing patterns\n\t\tif(!Patterns.IsValidPat(playState.m_nPattern))\n\t\t{\n\t\t\t// If there isn't even a tune, we should probably stop here.\n\t\t\tif(playState.m_nCurrentOrder == orderList.GetRestartPos())\n\t\t\t{\n\t\t\t\tif(!hasSearchTarget || !visitedRows.GetFirstUnvisitedRow(playState.m_nNextOrder, playState.m_nRow, true))\n\t\t\t\t{\n\t\t\t\t\t// We aren't searching for a specific row, or we couldn't find any more unvisited rows.\n\t\t\t\t\tbreak;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\t// We haven't found the target row yet, but we found some other unplayed row... 
continue searching from here.\n\t\t\t\t\tretval.duration = memory.elapsedTime;\n\t\t\t\t\tresults.push_back(retval);\n\t\t\t\t\tretval.startRow = playState.m_nRow;\n\t\t\t\t\tretval.startOrder = playState.m_nNextOrder;\n\t\t\t\t\tmemory.Reset();\n\t\t\t\t\tplayState.m_nNextRow = playState.m_nRow;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t}\n\t\t\tplayState.m_nNextOrder = playState.m_nCurrentOrder + 1;\n\t\t\tcontinue;\n\t\t}\n\t\t// Should never happen\n\t\tif(playState.m_nRow >= Patterns[playState.m_nPattern].GetNumRows())\n\t\t\tplayState.m_nRow = 0;\n\n\t\t// Check whether target was reached.\n\t\tif(target.mode == GetLengthTarget::SeekPosition && playState.m_nCurrentOrder == target.pos.order && playState.m_nRow == target.pos.row)\n\t\t{\n\t\t\tretval.targetReached = true;\n\t\t\tbreak;\n\t\t}\n\n\t\tif(visitedRows.IsVisited(playState.m_nCurrentOrder, playState.m_nRow, true))\n\t\t{\n\t\t\tif(!hasSearchTarget || !visitedRows.GetFirstUnvisitedRow(playState.m_nNextOrder, playState.m_nRow, true))\n\t\t\t{\n\t\t\t\t// We aren't searching for a specific row, or we couldn't find any more unvisited rows.\n\t\t\t\tbreak;\n\t\t\t} else\n\t\t\t{\n\t\t\t\t// We haven't found the target row yet, but we found some other unplayed row... 
continue searching from here.\n\t\t\t\tretval.duration = memory.elapsedTime;\n\t\t\t\tresults.push_back(retval);\n\t\t\t\tretval.startRow = playState.m_nRow;\n\t\t\t\tretval.startOrder = playState.m_nNextOrder;\n\t\t\t\tmemory.Reset();\n\t\t\t\tplayState.m_nNextRow = playState.m_nRow;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t}\n\n\t\tretval.endOrder = playState.m_nCurrentOrder;\n\t\tretval.endRow = playState.m_nRow;\n\n\t\t// Update next position\n\t\tplayState.m_nNextRow = playState.m_nRow + 1;\n\n\t\t// Jumped to invalid pattern row?\n\t\tif(playState.m_nRow >= Patterns[playState.m_nPattern].GetNumRows())\n\t\t{\n\t\t\tplayState.m_nRow = 0;\n\t\t}\n\t\t// New pattern?\n\t\tif(!playState.m_nRow)\n\t\t{\n\t\t\tfor(CHANNELINDEX chn = 0; chn < GetNumChannels(); chn++)\n\t\t\t{\n\t\t\t\tmemory.chnSettings[chn].patLoop = memory.elapsedTime;\n\t\t\t\tmemory.chnSettings[chn].patLoopSmp = playState.m_lTotalSampleCount;\n\t\t\t}\n\t\t}\n\n\t\tModChannel *pChn = playState.Chn;\n\t\t\n\t\t// For various effects, we need to know first how many ticks there are in this row.\n\t\tconst ModCommand *p = Patterns[playState.m_nPattern].GetpModCommand(playState.m_nRow, 0);\n\t\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); nChn++, p++)\n\t\t{\n\t\t\tif(m_playBehaviour[kST3NoMutedChannels] && ChnSettings[nChn].dwFlags[CHN_MUTE])\t// not even effects are processed on muted S3M channels\n\t\t\t\tcontinue;\n\t\t\tif(p->IsPcNote())\n\t\t\t{\n#ifndef NO_PLUGINS\n\t\t\t\tif((adjustMode & eAdjust) && p->instr > 0 && p->instr <= MAX_MIXPLUGINS)\n\t\t\t\t{\n\t\t\t\t\tmemory.plugParams[std::make_pair(p->instr, p->GetValueVolCol())] = p->GetValueEffectCol();\n\t\t\t\t}\n#endif // NO_PLUGINS\n\t\t\t\tpChn[nChn].rowCommand.Clear();\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tpChn[nChn].rowCommand = *p;\n\t\t\tswitch(p->command)\n\t\t\t{\n\t\t\tcase CMD_SPEED:\n\t\t\t\tSetSpeed(playState, p->param);\n\t\t\t\tbreak;\n\n\t\t\tcase 
CMD_TEMPO:\n\t\t\t\tif(m_playBehaviour[kMODVBlankTiming])\n\t\t\t\t{\n\t\t\t\t\t// ProTracker MODs with VBlank timing: All Fxx parameters set the tick count.\n\t\t\t\t\tif(p->param != 0) SetSpeed(playState, p->param);\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_S3MCMDEX:\n\t\t\t\tif((p->param & 0xF0) == 0x60)\n\t\t\t\t{\n\t\t\t\t\t// Fine Pattern Delay\n\t\t\t\t\ttickDelay += (p->param & 0x0F);\n\t\t\t\t} else if((p->param & 0xF0) == 0xE0 && !rowDelay)\n\t\t\t\t{\n\t\t\t\t\t// Pattern Delay\n\t\t\t\t\tif(!(GetType() & MOD_TYPE_S3M) || (p->param & 0x0F) != 0)\n\t\t\t\t\t{\n\t\t\t\t\t\t// While Impulse Tracker *does* count S60 as a valid row delay (and thus ignores any other row delay commands on the right),\n\t\t\t\t\t\t// Scream Tracker 3 simply ignores such commands.\n\t\t\t\t\t\trowDelay = 1 + (p->param & 0x0F);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_MODCMDEX:\n\t\t\t\tif((p->param & 0xF0) == 0xE0)\n\t\t\t\t{\n\t\t\t\t\t// Pattern Delay\n\t\t\t\t\trowDelay = 1 + (p->param & 0x0F);\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif(rowDelay == 0) rowDelay = 1;\n\t\tconst uint32 numTicks = (playState.m_nMusicSpeed + tickDelay) * rowDelay;\n\t\tconst uint32 nonRowTicks = numTicks - rowDelay;\n\n\t\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); pChn++, nChn++) if(!pChn->rowCommand.IsEmpty())\n\t\t{\n\t\t\tif(m_playBehaviour[kST3NoMutedChannels] && ChnSettings[nChn].dwFlags[CHN_MUTE])\t// not even effects are processed on muted S3M channels\n\t\t\t\tcontinue;\n\t\t\tModCommand::COMMAND command = pChn->rowCommand.command;\n\t\t\tModCommand::PARAM param = pChn->rowCommand.param;\n\t\t\tModCommand::NOTE note = pChn->rowCommand.note;\n\n\t\t\tif (pChn->rowCommand.instr)\n\t\t\t{\n\t\t\t\tpChn->nNewIns = pChn->rowCommand.instr;\n\t\t\t\tpChn->nLastNote = NOTE_NONE;\n\t\t\t\tmemory.chnSettings[nChn].vol = 0xFF;\n\t\t\t}\n\t\t\tif (pChn->rowCommand.IsNote()) pChn->nLastNote = note;\n\n\t\t\t// Update channel 
panning\n\t\t\tif(pChn->rowCommand.IsNote() || pChn->rowCommand.instr)\n\t\t\t{\n\t\t\t\tSAMPLEINDEX smp = 0;\n\t\t\t\tif(GetNumInstruments())\n\t\t\t\t{\n\t\t\t\t\tModInstrument *pIns;\n\t\t\t\t\tif(pChn->nNewIns <= GetNumInstruments() && (pIns = Instruments[pChn->nNewIns]) != nullptr)\n\t\t\t\t\t{\n\t\t\t\t\t\tif(pIns->dwFlags[INS_SETPANNING])\n\t\t\t\t\t\t\tpChn->nPan = pIns->nPan;\n\t\t\t\t\t\tif(ModCommand::IsNote(note))\n\t\t\t\t\t\t\tsmp = pIns->Keyboard[note - NOTE_MIN];\n\t\t\t\t\t}\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\tsmp = pChn->nNewIns;\n\t\t\t\t}\n\t\t\t\tif(smp > 0 && smp <= GetNumSamples() && Samples[smp].uFlags[CHN_PANNING])\n\t\t\t\t{\n\t\t\t\t\tpChn->nPan = Samples[smp].nPan;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tswitch(pChn->rowCommand.volcmd)\n\t\t\t{\n\t\t\tcase VOLCMD_VOLUME:\n\t\t\t\tmemory.chnSettings[nChn].vol = pChn->rowCommand.vol;\n\t\t\t\tbreak;\n\t\t\tcase VOLCMD_VOLSLIDEUP:\n\t\t\tcase VOLCMD_VOLSLIDEDOWN:\n\t\t\t\tif(pChn->rowCommand.vol != 0)\n\t\t\t\t\tpChn->nOldVolParam = pChn->rowCommand.vol;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tswitch(command)\n\t\t\t{\n\t\t\t// Position Jump\n\t\t\tcase CMD_POSITIONJUMP:\n\t\t\t\tpositionJumpOnThisRow = true;\n\t\t\t\tplayState.m_nNextOrder = static_cast(CalculateXParam(playState.m_nPattern, playState.m_nRow, nChn));\n\t\t\t\tplayState.m_nNextPatStartRow = 0; // FT2 E60 bug\n\t\t\t\t// see https://forum.openmpt.org/index.php?topic=2769.0 - FastTracker resets Dxx if Bxx is called _after_ Dxx\n\t\t\t\t// Test case: PatternJump.mod\n\t\t\t\tif(!patternBreakOnThisRow || (GetType() & (MOD_TYPE_MOD | MOD_TYPE_XM)))\n\t\t\t\t\tplayState.m_nNextRow = 0;\n\n\t\t\t\tif (adjustMode & eAdjust)\n\t\t\t\t{\n\t\t\t\t\tpChn->nPatternLoopCount = 0;\n\t\t\t\t\tpChn->nPatternLoop = 0;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t// Pattern Break\n\t\t\tcase CMD_PATTERNBREAK:\n\t\t\t\t{\n\t\t\t\t\tROWINDEX row = PatternBreak(playState, nChn, param);\n\t\t\t\t\tif(row != ROWINDEX_INVALID)\n\t\t\t\t\t{\n\t\t\t\t\t\tpatternBreakOnThisRow 
= true;\n\t\t\t\t\t\tplayState.m_nNextRow = row;\n\n\t\t\t\t\t\tif(!positionJumpOnThisRow)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tplayState.m_nNextOrder = playState.m_nCurrentOrder + 1;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif(adjustMode & eAdjust)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tpChn->nPatternLoopCount = 0;\n\t\t\t\t\t\t\tpChn->nPatternLoop = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t// Set Tempo\n\t\t\tcase CMD_TEMPO:\n\t\t\t\tif(!m_playBehaviour[kMODVBlankTiming])\n\t\t\t\t{\n\t\t\t\t\tTEMPO tempo(CalculateXParam(playState.m_nPattern, playState.m_nRow, nChn), 0);\n\t\t\t\t\tif ((adjustMode & eAdjust) && (GetType() & (MOD_TYPE_S3M | MOD_TYPE_IT | MOD_TYPE_MPT)))\n\t\t\t\t\t{\n\t\t\t\t\t\tif (tempo.GetInt()) pChn->nOldTempo = static_cast(tempo.GetInt()); else tempo.Set(pChn->nOldTempo);\n\t\t\t\t\t}\n\n\t\t\t\t\tif (tempo.GetInt() >= 0x20) playState.m_nMusicTempo = tempo;\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\t// Tempo Slide\n\t\t\t\t\t\tTEMPO tempoDiff((tempo.GetInt() & 0x0F) * nonRowTicks, 0);\n\t\t\t\t\t\tif ((tempo.GetInt() & 0xF0) == 0x10)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tplayState.m_nMusicTempo += tempoDiff;\n\t\t\t\t\t\t} else\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif(tempoDiff < playState.m_nMusicTempo)\n\t\t\t\t\t\t\t\tplayState.m_nMusicTempo -= tempoDiff;\n\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\tplayState.m_nMusicTempo.Set(0);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tTEMPO tempoMin = GetModSpecifications().GetTempoMin(), tempoMax = GetModSpecifications().GetTempoMax();\n\t\t\t\t\tif(m_playBehaviour[kTempoClamp])\t// clamp tempo correctly in compatible mode\n\t\t\t\t\t{\n\t\t\t\t\t\ttempoMax.Set(255);\n\t\t\t\t\t}\n\t\t\t\t\tLimit(playState.m_nMusicTempo, tempoMin, tempoMax);\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_S3MCMDEX:\n\t\t\t\tswitch(param & 0xF0)\n\t\t\t\t{\n\t\t\t\tcase 0x90:\n\t\t\t\t\tif(param <= 0x91)\n\t\t\t\t\t{\n\t\t\t\t\t\tpChn->dwFlags.set(CHN_SURROUND, param == 0x91);\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase 0xA0:\n\t\t\t\t\t// High 
sample offset\n\t\t\t\t\tpChn->nOldHiOffset = param & 0x0F;\n\t\t\t\t\tbreak;\n\t\t\t\t\n\t\t\t\tcase 0xB0:\n\t\t\t\t\t// Pattern Loop\n\t\t\t\t\tif (param & 0x0F)\n\t\t\t\t\t{\n\t\t\t\t\t\tpatternLoopEndedOnThisRow = true;\n\t\t\t\t\t} else\n\t\t\t\t\t{\n\t\t\t\t\t\tCHANNELINDEX firstChn = nChn, lastChn = nChn;\n\t\t\t\t\t\tif(GetType() == MOD_TYPE_S3M)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t// ST3 has only one global loop memory.\n\t\t\t\t\t\t\tfirstChn = 0;\n\t\t\t\t\t\t\tlastChn = GetNumChannels() - 1;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tfor(CHANNELINDEX c = firstChn; c <= lastChn; c++)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tmemory.chnSettings[c].patLoop = memory.elapsedTime;\n\t\t\t\t\t\t\tmemory.chnSettings[c].patLoopSmp = playState.m_lTotalSampleCount;\n\t\t\t\t\t\t\tmemory.chnSettings[c].patLoopStart = playState.m_nRow;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tpatternLoopStartedOnThisRow = true;\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase 0xF0:\n\t\t\t\t\t// Active macro\n\t\t\t\t\tpChn->nActiveMacro = param & 0x0F;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_MODCMDEX:\n\t\t\t\tswitch(param & 0xF0)\n\t\t\t\t{\n\t\t\t\tcase 0x60:\n\t\t\t\t\t// Pattern Loop\n\t\t\t\t\tif (param & 0x0F)\n\t\t\t\t\t{\n\t\t\t\t\t\tplayState.m_nNextPatStartRow = memory.chnSettings[nChn].patLoopStart; // FT2 E60 bug\n\t\t\t\t\t\tpatternLoopEndedOnThisRow = true;\n\t\t\t\t\t} else\n\t\t\t\t\t{\n\t\t\t\t\t\tpatternLoopStartedOnThisRow = true;\n\t\t\t\t\t\tmemory.chnSettings[nChn].patLoop = memory.elapsedTime;\n\t\t\t\t\t\tmemory.chnSettings[nChn].patLoopSmp = playState.m_lTotalSampleCount;\n\t\t\t\t\t\tmemory.chnSettings[nChn].patLoopStart = playState.m_nRow;\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase 0xF0:\n\t\t\t\t\t// Active macro\n\t\t\t\t\tpChn->nActiveMacro = param & 0x0F;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_XFINEPORTAUPDOWN:\n\t\t\t\t// ignore high offset in compatible mode\n\t\t\t\tif(((param & 0xF0) == 0xA0) && !m_playBehaviour[kFT2RestrictXCommand]) 
pChn->nOldHiOffset = param & 0x0F;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\t// The following calculations are not interesting if we just want to get the song length.\n\t\t\tif (!(adjustMode & eAdjust)) continue;\n\t\t\tswitch(command)\n\t\t\t{\n\t\t\t// Portamento Up/Down\n\t\t\tcase CMD_PORTAMENTOUP:\n\t\t\t\tif(param)\n\t\t\t\t{\n\t\t\t\t\t// FT2 compatibility: Separate effect memory for all portamento commands\n\t\t\t\t\t// Test case: Porta-LinkMem.xm\n\t\t\t\t\tif(!m_playBehaviour[kFT2PortaUpDownMemory])\n\t\t\t\t\t\tpChn->nOldPortaDown = param;\n\t\t\t\t\tpChn->nOldPortaUp = param;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase CMD_PORTAMENTODOWN:\n\t\t\t\tif(param)\n\t\t\t\t{\n\t\t\t\t\t// FT2 compatibility: Separate effect memory for all portamento commands\n\t\t\t\t\t// Test case: Porta-LinkMem.xm\n\t\t\t\t\tif(!m_playBehaviour[kFT2PortaUpDownMemory])\n\t\t\t\t\t\tpChn->nOldPortaUp = param;\n\t\t\t\t\tpChn->nOldPortaDown = param;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t// Tone-Portamento\n\t\t\tcase CMD_TONEPORTAMENTO:\n\t\t\t\tif (param) pChn->nPortamentoSlide = param << 2;\n\t\t\t\tbreak;\n\t\t\t// Offset\n\t\t\tcase CMD_OFFSET:\n\t\t\t\tif (param) pChn->oldOffset = param << 8;\n\t\t\t\tbreak;\n\t\t\t// Volume Slide\n\t\t\tcase CMD_VOLUMESLIDE:\n\t\t\tcase CMD_TONEPORTAVOL:\n\t\t\t\tif (param) pChn->nOldVolumeSlide = param;\n\t\t\t\tbreak;\n\t\t\t// Set Volume\n\t\t\tcase CMD_VOLUME:\n\t\t\t\tmemory.chnSettings[nChn].vol = param;\n\t\t\t\tbreak;\n\t\t\t// Global Volume\n\t\t\tcase CMD_GLOBALVOLUME:\n\t\t\t\tif(!(GetType() & GLOBALVOL_7BIT_FORMATS) && param < 128) param *= 2;\n\t\t\t\t// IT compatibility 16. 
ST3 and IT ignore out-of-range values\n\t\t\t\tif(param <= 128)\n\t\t\t\t{\n\t\t\t\t\tplayState.m_nGlobalVolume = param * 2;\n\t\t\t\t} else if(!(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT | MOD_TYPE_S3M)))\n\t\t\t\t{\n\t\t\t\t\tplayState.m_nGlobalVolume = 256;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t// Global Volume Slide\n\t\t\tcase CMD_GLOBALVOLSLIDE:\n\t\t\t\tif(m_playBehaviour[kPerChannelGlobalVolSlide])\n\t\t\t\t{\n\t\t\t\t\t// IT compatibility 16. Global volume slide params are stored per channel (FT2/IT)\n\t\t\t\t\tif (param) pChn->nOldGlobalVolSlide = param; else param = pChn->nOldGlobalVolSlide;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\tif (param) playState.Chn[0].nOldGlobalVolSlide = param; else param = playState.Chn[0].nOldGlobalVolSlide;\n\t\t\t\t}\n\t\t\t\tif (((param & 0x0F) == 0x0F) && (param & 0xF0))\n\t\t\t\t{\n\t\t\t\t\tparam >>= 4;\n\t\t\t\t\tif (!(GetType() & GLOBALVOL_7BIT_FORMATS)) param <<= 1;\n\t\t\t\t\tplayState.m_nGlobalVolume += param << 1;\n\t\t\t\t} else if (((param & 0xF0) == 0xF0) && (param & 0x0F))\n\t\t\t\t{\n\t\t\t\t\tparam = (param & 0x0F) << 1;\n\t\t\t\t\tif (!(GetType() & GLOBALVOL_7BIT_FORMATS)) param <<= 1;\n\t\t\t\t\tplayState.m_nGlobalVolume -= param;\n\t\t\t\t} else if (param & 0xF0)\n\t\t\t\t{\n\t\t\t\t\tparam >>= 4;\n\t\t\t\t\tparam <<= 1;\n\t\t\t\t\tif (!(GetType() & GLOBALVOL_7BIT_FORMATS)) param <<= 1;\n\t\t\t\t\tplayState.m_nGlobalVolume += param * nonRowTicks;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\tparam = (param & 0x0F) << 1;\n\t\t\t\t\tif (!(GetType() & GLOBALVOL_7BIT_FORMATS)) param <<= 1;\n\t\t\t\t\tplayState.m_nGlobalVolume -= param * nonRowTicks;\n\t\t\t\t}\n\t\t\t\tLimit(playState.m_nGlobalVolume, 0, 256);\n\t\t\t\tbreak;\n\t\t\tcase CMD_CHANNELVOLUME:\n\t\t\t\tif (param <= 64) pChn->nGlobalVol = param;\n\t\t\t\tbreak;\n\t\t\tcase CMD_CHANNELVOLSLIDE:\n\t\t\t\t{\n\t\t\t\t\tif (param) pChn->nOldChnVolSlide = param; else param = pChn->nOldChnVolSlide;\n\t\t\t\t\tint32 volume = pChn->nGlobalVol;\n\t\t\t\t\tif((param & 0x0F) 
== 0x0F && (param & 0xF0))\n\t\t\t\t\t\tvolume += (param >> 4);\t\t// Fine Up\n\t\t\t\t\telse if((param & 0xF0) == 0xF0 && (param & 0x0F))\n\t\t\t\t\t\tvolume -= (param & 0x0F);\t// Fine Down\n\t\t\t\t\telse if(param & 0x0F)\t\t\t// Down\n\t\t\t\t\t\tvolume -= (param & 0x0F) * nonRowTicks;\n\t\t\t\t\telse\t\t\t\t\t\t\t// Up\n\t\t\t\t\t\tvolume += ((param & 0xF0) >> 4) * nonRowTicks;\n\t\t\t\t\tLimit(volume, 0, 64);\n\t\t\t\t\tpChn->nGlobalVol = volume;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase CMD_PANNING8:\n\t\t\t\tPanning(pChn, param, Pan8bit);\n\t\t\t\tbreak;\n\t\t\tcase CMD_MODCMDEX:\n\t\t\t\tif(param < 0x10)\n\t\t\t\t{\n\t\t\t\t\t// LED filter\n\t\t\t\t\tfor(CHANNELINDEX chn = 0; chn < GetNumChannels(); chn++)\n\t\t\t\t\t{\n\t\t\t\t\t\tplayState.Chn[chn].dwFlags.set(CHN_AMIGAFILTER, !(param & 1));\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tMPT_FALLTHROUGH;\n\t\t\tcase CMD_S3MCMDEX:\n\t\t\t\tif((param & 0xF0) == 0x80)\n\t\t\t\t{\n\t\t\t\t\tPanning(pChn, (param & 0x0F), Pan4bit);\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_VIBRATOVOL:\n\t\t\t\tif (param) pChn->nOldVolumeSlide = param;\n\t\t\t\tparam = 0;\n\t\t\t\tMPT_FALLTHROUGH;\n\t\t\tcase CMD_VIBRATO:\n\t\t\t\tVibrato(pChn, param);\n\t\t\t\tbreak;\n\t\t\tcase CMD_FINEVIBRATO:\n\t\t\t\tFineVibrato(pChn, param);\n\t\t\t\tbreak;\n\t\t\tcase CMD_TREMOLO:\n\t\t\t\tTremolo(pChn, param);\n\t\t\t\tbreak;\n\t\t\tcase CMD_PANBRELLO:\n\t\t\t\tPanbrello(pChn, param);\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tswitch(pChn->rowCommand.volcmd)\n\t\t\t{\n\t\t\tcase VOLCMD_PANNING:\n\t\t\t\tPanning(pChn, pChn->rowCommand.vol, Pan6bit);\n\t\t\t\tbreak;\n\n\t\t\tcase VOLCMD_VIBRATOSPEED:\n\t\t\t\t// FT2 does not automatically enable vibrato with the \"set vibrato speed\" command\n\t\t\t\tif(m_playBehaviour[kFT2VolColVibrato])\n\t\t\t\t\tpChn->nVibratoSpeed = pChn->rowCommand.vol & 0x0F;\n\t\t\t\telse\n\t\t\t\t\tVibrato(pChn, pChn->rowCommand.vol << 4);\n\t\t\t\tbreak;\n\t\t\tcase VOLCMD_VIBRATODEPTH:\n\t\t\t\tVibrato(pChn, 
pChn->rowCommand.vol);\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\t// Process vibrato / tremolo / panbrello\n\t\t\tswitch(pChn->rowCommand.command)\n\t\t\t{\n\t\t\tcase CMD_VIBRATO:\n\t\t\tcase CMD_FINEVIBRATO:\n\t\t\tcase CMD_VIBRATOVOL:\n\t\t\t\tif(adjustMode & eAdjust)\n\t\t\t\t{\n\t\t\t\t\tuint32 vibTicks = ((GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT)) && !m_SongFlags[SONG_ITOLDEFFECTS]) ? numTicks : nonRowTicks;\n\t\t\t\t\tuint32 inc = pChn->nVibratoSpeed * vibTicks;\n\t\t\t\t\tif(m_playBehaviour[kITVibratoTremoloPanbrello])\n\t\t\t\t\t\tinc *= 4;\n\t\t\t\t\tpChn->nVibratoPos += static_cast(inc);\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_TREMOLO:\n\t\t\t\tif(adjustMode & eAdjust)\n\t\t\t\t{\n\t\t\t\t\tuint32 tremTicks = ((GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT)) && !m_SongFlags[SONG_ITOLDEFFECTS]) ? numTicks : nonRowTicks;\n\t\t\t\t\tuint32 inc = pChn->nTremoloSpeed * tremTicks;\n\t\t\t\t\tif(m_playBehaviour[kITVibratoTremoloPanbrello])\n\t\t\t\t\t\tinc *= 4;\n\t\t\t\t\tpChn->nTremoloPos += static_cast(inc);\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase CMD_PANBRELLO:\n\t\t\t\tif(adjustMode & eAdjust)\n\t\t\t\t{\n\t\t\t\t\t// Panbrello effect is permanent in compatible mode, so actually apply panbrello for the last tick of this row\n\t\t\t\t\tpChn->nPanbrelloPos += static_cast(pChn->nPanbrelloSpeed * (numTicks - 1));\n\t\t\t\t\tProcessPanbrello(pChn);\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\t// Interpret F00 effect in XM files as \"stop song\"\n\t\tif(GetType() == MOD_TYPE_XM && playState.m_nMusicSpeed == uint16_max)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\tplayState.m_nCurrentRowsPerBeat = m_nDefaultRowsPerBeat;\n\t\tif(Patterns[playState.m_nPattern].GetOverrideSignature())\n\t\t{\n\t\t\tplayState.m_nCurrentRowsPerBeat = Patterns[playState.m_nPattern].GetRowsPerBeat();\n\t\t}\n\n\t\tconst uint32 tickDuration = GetTickDuration(playState);\n\t\tconst uint32 rowDuration = tickDuration * numTicks;\n\t\tmemory.elapsedTime += static_cast(rowDuration) / 
static_cast(m_MixerSettings.gdwMixingFreq);\n\t\tplayState.m_lTotalSampleCount += rowDuration;\n\n\t\tif(adjustSamplePos)\n\t\t{\n\t\t\t// Super experimental and dirty sample seeking\n\t\t\tpChn = playState.Chn;\n\t\t\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); pChn++, nChn++)\n\t\t\t{\n\t\t\t\tif(memory.chnSettings[nChn].ticksToRender == GetLengthMemory::IGNORE_CHANNEL)\n\t\t\t\t\tcontinue;\n\n\t\t\t\tuint32 startTick = 0;\n\t\t\t\tconst ModCommand &m = pChn->rowCommand;\n\t\t\t\tuint32 paramHi = m.param >> 4, paramLo = m.param & 0x0F;\n\t\t\t\tbool porta = m.command == CMD_TONEPORTAMENTO || m.command == CMD_TONEPORTAVOL || m.volcmd == VOLCMD_TONEPORTAMENTO;\n\t\t\t\tbool stopNote = patternLoopStartedOnThisRow;\t// It's too much trouble to keep those pattern loops in sync...\n\n\t\t\t\tif(m.instr) pChn->proTrackerOffset = 0;\n\t\t\t\tif(m.IsNote())\n\t\t\t\t{\n\t\t\t\t\tif(porta && memory.chnSettings[nChn].incChanged)\n\t\t\t\t\t{\n\t\t\t\t\t\t// If there's a portamento, the current channel increment mustn't be 0 in NoteChange()\n\t\t\t\t\t\tpChn->increment = GetChannelIncrement(pChn, pChn->nPeriod, 0);\n\t\t\t\t\t}\n\t\t\t\t\tint32 setPan = pChn->nPan;\n\t\t\t\t\tpChn->nNewNote = pChn->nLastNote;\n\t\t\t\t\tif(pChn->nNewIns != 0) InstrumentChange(pChn, pChn->nNewIns, porta);\n\t\t\t\t\tNoteChange(pChn, m.note, porta);\n\t\t\t\t\tmemory.chnSettings[nChn].incChanged = true;\n\n\t\t\t\t\tif((m.command == CMD_MODCMDEX || m.command == CMD_S3MCMDEX) && (m.param & 0xF0) == 0xD0 && paramLo < numTicks)\n\t\t\t\t\t{\n\t\t\t\t\t\tstartTick = paramLo;\n\t\t\t\t\t} else if(m.command == CMD_DELAYCUT && paramHi < numTicks)\n\t\t\t\t\t{\n\t\t\t\t\t\tstartTick = paramHi;\n\t\t\t\t\t}\n\t\t\t\t\tif(rowDelay > 1 && startTick != 0 && (GetType() & (MOD_TYPE_S3M | MOD_TYPE_IT | MOD_TYPE_MPT)))\n\t\t\t\t\t{\n\t\t\t\t\t\tstartTick += (playState.m_nMusicSpeed + tickDelay) * (rowDelay - 1);\n\t\t\t\t\t}\n\t\t\t\t\tif(!porta) memory.chnSettings[nChn].ticksToRender = 
0;\n\n\t\t\t\t\t// Panning commands have to be re-applied after a note change with potential pan change.\n\t\t\t\t\tif(m.command == CMD_PANNING8\n\t\t\t\t\t\t|| ((m.command == CMD_MODCMDEX || m.command == CMD_S3MCMDEX) && paramHi == 0x8)\n\t\t\t\t\t\t|| m.volcmd == VOLCMD_PANNING)\n\t\t\t\t\t{\n\t\t\t\t\t\tpChn->nPan = setPan;\n\t\t\t\t\t}\n\n\t\t\t\t\tif(m.command == CMD_OFFSET)\n\t\t\t\t\t{\n\t\t\t\t\t\tbool isExtended = false;\n\t\t\t\t\t\tSmpLength offset = CalculateXParam(playState.m_nPattern, playState.m_nRow, nChn, &isExtended);\n\t\t\t\t\t\tif(!isExtended)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\toffset <<= 8;\n\t\t\t\t\t\t\tif(offset == 0) offset = pChn->oldOffset;\n\t\t\t\t\t\t\toffset += static_cast(pChn->nOldHiOffset) << 16;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tSampleOffset(*pChn, offset);\n\t\t\t\t\t} else if(m.command == CMD_OFFSETPERCENTAGE)\n\t\t\t\t\t{\n\t\t\t\t\t\tSampleOffset(*pChn, Util::muldiv_unsigned(pChn->nLength, m.param, 255));\n\t\t\t\t\t} else if(m.command == CMD_REVERSEOFFSET && pChn->pModSample != nullptr)\n\t\t\t\t\t{\n\t\t\t\t\t\tmemory.RenderChannel(nChn, oldTickDuration);\t// Re-sync what we've got so far\n\t\t\t\t\t\tReverseSampleOffset(*pChn, m.param);\n\t\t\t\t\t\tstartTick = playState.m_nMusicSpeed - 1;\n\t\t\t\t\t} else if(m.volcmd == VOLCMD_OFFSET)\n\t\t\t\t\t{\n\t\t\t\t\t\tif(m.vol <= CountOf(pChn->pModSample->cues) && pChn->pModSample != nullptr)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSmpLength offset;\n\t\t\t\t\t\t\tif(m.vol == 0)\n\t\t\t\t\t\t\t\toffset = pChn->oldOffset;\n\t\t\t\t\t\t\telse\n\t\t\t\t\t\t\t\toffset = pChn->oldOffset = pChn->pModSample->cues[m.vol - 1];\n\t\t\t\t\t\t\tSampleOffset(*pChn, offset);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif(m.note == NOTE_KEYOFF || m.note == NOTE_NOTECUT || (m.note == NOTE_FADE && GetNumInstruments())\n\t\t\t\t\t|| ((m.command == CMD_MODCMDEX || m.command == CMD_S3MCMDEX) && (m.param & 0xF0) == 0xC0 && paramLo < numTicks)\n\t\t\t\t\t|| (m.command == CMD_DELAYCUT && paramLo != 0 && startTick + 
paramLo < numTicks))\n\t\t\t\t{\n\t\t\t\t\tstopNote = true;\n\t\t\t\t}\n\n\t\t\t\tif(m.command == CMD_VOLUME)\n\t\t\t\t{\n\t\t\t\t\tpChn->nVolume = m.param * 4;\n\t\t\t\t} else if(m.volcmd == VOLCMD_VOLUME)\n\t\t\t\t{\n\t\t\t\t\tpChn->nVolume = m.vol * 4;\n\t\t\t\t}\n\t\t\t\t\n\t\t\t\tif(pChn->pModSample && !stopNote)\n\t\t\t\t{\n\t\t\t\t\t// Check if we don't want to emulate some effect and thus stop processing.\n\t\t\t\t\tif(m.command < MAX_EFFECTS)\n\t\t\t\t\t{\n\t\t\t\t\t\tif(forbiddenCommands[m.command])\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tstopNote = true;\n\t\t\t\t\t\t} else if(m.command == CMD_MODCMDEX)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t// Special case: Slides using extended commands\n\t\t\t\t\t\t\tswitch(m.param & 0xF0)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\tcase 0x10:\n\t\t\t\t\t\t\tcase 0x20:\n\t\t\t\t\t\t\t\tstopNote = true;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif(m.volcmd < forbiddenVolCommands.size() && forbiddenVolCommands[m.volcmd])\n\t\t\t\t\t{\n\t\t\t\t\t\tstopNote = true;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif(stopNote)\n\t\t\t\t{\n\t\t\t\t\tpChn->Stop();\n\t\t\t\t\tmemory.chnSettings[nChn].ticksToRender = 0;\n\t\t\t\t} else\n\t\t\t\t{\n\t\t\t\t\tif(oldTickDuration != tickDuration && oldTickDuration != 0)\n\t\t\t\t\t{\n\t\t\t\t\t\tmemory.RenderChannel(nChn, oldTickDuration);\t// Re-sync what we've got so far\n\t\t\t\t\t}\n\n\t\t\t\t\tswitch(m.command)\n\t\t\t\t\t{\n\t\t\t\t\tcase CMD_TONEPORTAVOL:\n\t\t\t\t\tcase CMD_VOLUMESLIDE:\n\t\t\t\t\tcase CMD_VIBRATOVOL:\n\t\t\t\t\t\tif(m.param || (GetType() != MOD_TYPE_MOD))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tfor(uint32 i = 0; i < numTicks; i++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tpChn->isFirstTick = (i == 0);\n\t\t\t\t\t\t\t\tVolumeSlide(pChn, m.param);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CMD_MODCMDEX:\n\t\t\t\t\t\tif((m.param & 0x0F) || (GetType() & (MOD_TYPE_XM | MOD_TYPE_MT2)))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tpChn->isFirstTick = true;\n\t\t\t\t\t\t\tswitch(m.param & 
0xF0)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\tcase 0xA0: FineVolumeUp(pChn, m.param & 0x0F, false); break;\n\t\t\t\t\t\t\tcase 0xB0: FineVolumeDown(pChn, m.param & 0x0F, false); break;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CMD_S3MCMDEX:\n\t\t\t\t\t\tif(m.param == 0x9E)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t// Play forward\n\t\t\t\t\t\t\tmemory.RenderChannel(nChn, oldTickDuration);\t// Re-sync what we've got so far\n\t\t\t\t\t\t\tpChn->dwFlags.reset(CHN_PINGPONGFLAG);\n\t\t\t\t\t\t} else if(m.param == 0x9F)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t// Reverse\n\t\t\t\t\t\t\tmemory.RenderChannel(nChn, oldTickDuration);\t// Re-sync what we've got so far\n\t\t\t\t\t\t\tpChn->dwFlags.set(CHN_PINGPONGFLAG);\n\t\t\t\t\t\t\tif(!pChn->position.GetInt() && pChn->nLength && (m.IsNote() || !pChn->dwFlags[CHN_LOOP]))\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tpChn->position.Set(pChn->nLength - 1, SamplePosition::fractMax);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} else if((m.param & 0xF0) == 0x70)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t// TODO\n\t\t\t\t\t\t\t//ExtendedS3MCommands(nChn, param);\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\tpChn->isFirstTick = true;\n\t\t\t\t\tswitch(m.volcmd)\n\t\t\t\t\t{\n\t\t\t\t\tcase VOLCMD_FINEVOLUP:\t\tFineVolumeUp(pChn, m.vol, m_playBehaviour[kITVolColMemory]); break;\n\t\t\t\t\tcase VOLCMD_FINEVOLDOWN:\tFineVolumeDown(pChn, m.vol, m_playBehaviour[kITVolColMemory]); break;\n\t\t\t\t\tcase VOLCMD_VOLSLIDEUP:\n\t\t\t\t\tcase VOLCMD_VOLSLIDEDOWN:\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t// IT Compatibility: Volume column volume slides have their own memory\n\t\t\t\t\t\t\t// Test case: VolColMemory.it\n\t\t\t\t\t\t\tModCommand::VOL vol = m.vol;\n\t\t\t\t\t\t\tif(vol == 0 && m_playBehaviour[kITVolColMemory])\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tvol = pChn->nOldVolParam;\n\t\t\t\t\t\t\t\tif(vol == 0)\n\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif(m.volcmd == VOLCMD_VOLSLIDEUP)\n\t\t\t\t\t\t\t\tvol <<= 4;\n\t\t\t\t\t\t\tfor(uint32 i = 0; i < numTicks; 
i++)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tpChn->isFirstTick = (i == 0);\n\t\t\t\t\t\t\t\tVolumeSlide(pChn, vol);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\n\t\t\t\t\tif(porta)\n\t\t\t\t\t{\n\t\t\t\t\t\t// Portamento needs immediate syncing, as the pitch changes on each tick\n\t\t\t\t\t\tuint32 portaTick = memory.chnSettings[nChn].ticksToRender + startTick + 1;\n\t\t\t\t\t\tmemory.chnSettings[nChn].ticksToRender += numTicks;\n\t\t\t\t\t\tmemory.RenderChannel(nChn, tickDuration, portaTick);\n\t\t\t\t\t} else\n\t\t\t\t\t{\n\t\t\t\t\t\tmemory.chnSettings[nChn].ticksToRender += (numTicks - startTick);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\toldTickDuration = tickDuration;\n\n\t\t// Pattern loop is not executed in FT2 if there are any position jump or pattern break commands on the same row.\n\t\t// Pattern loop is not executed in IT if there are any position jump commands on the same row.\n\t\t// Test case for FT2 exception: PatLoop-Jumps.xm, PatLoop-Various.xm\n\t\t// Test case for IT: exception: LoopBreak.it\n\t\tif(patternLoopEndedOnThisRow\n\t\t\t&& (!m_playBehaviour[kFT2PatternLoopWithJumps] || !(positionJumpOnThisRow || patternBreakOnThisRow))\n\t\t\t&& (!m_playBehaviour[kITPatternLoopWithJumps] || !positionJumpOnThisRow))\n\t\t{\n\t\t\tstd::map startTimes;\n\t\t\t// This is really just a simple estimation for nested pattern loops. 
It should handle cases correctly where all parallel loops start and end on the same row.\n\t\t\t// If one of them starts or ends \"in between\", it will most likely calculate a wrong duration.\n\t\t\t// For S3M files, it's also way off.\n\t\t\tpChn = playState.Chn;\n\t\t\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); nChn++, pChn++)\n\t\t\t{\n\t\t\t\tModCommand::COMMAND command = pChn->rowCommand.command;\n\t\t\t\tModCommand::PARAM param = pChn->rowCommand.param;\n\t\t\t\tif((command == CMD_S3MCMDEX && param >= 0xB1 && param <= 0xBF)\n\t\t\t\t\t|| (command == CMD_MODCMDEX && param >= 0x61 && param <= 0x6F))\n\t\t\t\t{\n\t\t\t\t\tconst double start = memory.chnSettings[nChn].patLoop;\n\t\t\t\t\tif(!startTimes[start]) startTimes[start] = 1;\n\t\t\t\t\tstartTimes[start] = mpt::lcm(startTimes[start], 1 + (param & 0x0F));\n\t\t\t\t}\n\t\t\t}\n\t\t\tfor(const auto &i : startTimes)\n\t\t\t{\n\t\t\t\tmemory.elapsedTime += (memory.elapsedTime - i.first) * (double)(i.second - 1);\n\t\t\t\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); nChn++, pChn++)\n\t\t\t\t{\n\t\t\t\t\tif(memory.chnSettings[nChn].patLoop == i.first)\n\t\t\t\t\t{\n\t\t\t\t\t\tplayState.m_lTotalSampleCount += (playState.m_lTotalSampleCount - memory.chnSettings[nChn].patLoopSmp) * (i.second - 1);\n\t\t\t\t\t\tif(m_playBehaviour[kITPatternLoopTargetReset] || (GetType() == MOD_TYPE_S3M))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tmemory.chnSettings[nChn].patLoop = memory.elapsedTime;\n\t\t\t\t\t\t\tmemory.chnSettings[nChn].patLoopSmp = playState.m_lTotalSampleCount;\n\t\t\t\t\t\t\tmemory.chnSettings[nChn].patLoopStart = playState.m_nRow + 1;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tif(GetType() == MOD_TYPE_IT)\n\t\t\t{\n\t\t\t\t// IT pattern loop start row update - at the end of a pattern loop, set pattern loop start to next row (for upcoming pattern loops with missing SB0)\n\t\t\t\tpChn = playState.Chn;\n\t\t\t\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); nChn++, 
pChn++)\n\t\t\t\t{\n\t\t\t\t\tif((pChn->rowCommand.command == CMD_S3MCMDEX && pChn->rowCommand.param >= 0xB1 && pChn->rowCommand.param <= 0xBF))\n\t\t\t\t\t{\n\t\t\t\t\t\tmemory.chnSettings[nChn].patLoop = memory.elapsedTime;\n\t\t\t\t\t\tmemory.chnSettings[nChn].patLoopSmp = playState.m_lTotalSampleCount;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t// Now advance the sample positions for sample seeking on channels that are still playing\n\tif(adjustSamplePos)\n\t{\n\t\tfor(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); nChn++)\n\t\t{\n\t\t\tif(memory.chnSettings[nChn].ticksToRender != GetLengthMemory::IGNORE_CHANNEL)\n\t\t\t{\n\t\t\t\tmemory.RenderChannel(nChn, oldTickDuration);\n\t\t\t}\n\t\t}\n\t}\n\n\tif(retval.targetReached || target.mode == GetLengthTarget::NoTarget)\n\t{\n\t\tretval.lastOrder = playState.m_nCurrentOrder;\n\t\tretval.lastRow = playState.m_nRow;\n\t}\n\tretval.duration = memory.elapsedTime;\n\tresults.push_back(retval);\n\n\t// Store final variables\n\tif(adjustMode & eAdjust)\n\t{\n\t\tif(retval.targetReached || target.mode == GetLengthTarget::NoTarget)\n\t\t{\n\t\t\t// Target found, or there is no target (i.e. 
play whole song)...\n\t\t\tm_PlayState = std::move(playState);\n\t\t\tm_PlayState.m_nNextRow = m_PlayState.m_nRow;\n\t\t\tm_PlayState.m_nFrameDelay = m_PlayState.m_nPatternDelay = 0;\n\t\t\tm_PlayState.m_nTickCount = Util::MaxValueOfType(m_PlayState.m_nTickCount) - 1;\n\t\t\tm_PlayState.m_bPositionChanged = true;\n\t\t\tfor(CHANNELINDEX n = 0; n < GetNumChannels(); n++)\n\t\t\t{\n\t\t\t\tif(m_PlayState.Chn[n].nLastNote != NOTE_NONE)\n\t\t\t\t{\n\t\t\t\t\tm_PlayState.Chn[n].nNewNote = m_PlayState.Chn[n].nLastNote;\n\t\t\t\t}\n\t\t\t\tif(memory.chnSettings[n].vol != 0xFF && !adjustSamplePos)\n\t\t\t\t{\n\t\t\t\t\tm_PlayState.Chn[n].nVolume = std::min(memory.chnSettings[n].vol, uint8(64)) * 4;\n\t\t\t\t}\n\t\t\t}\n\n#ifndef NO_PLUGINS\n\t\t\t// If there were any PC events, update plugin parameters to their latest value.\n\t\t\tstd::bitset plugSetProgram;\n\t\t\tfor(const auto ¶m : memory.plugParams)\n\t\t\t{\n\t\t\t\tPLUGINDEX plug = param.first.first - 1;\n\t\t\t\tIMixPlugin *plugin = m_MixPlugins[plug].pMixPlugin;\n\t\t\t\tif(plugin != nullptr)\n\t\t\t\t{\n\t\t\t\t\tif(!plugSetProgram[plug])\n\t\t\t\t\t{\n\t\t\t\t\t\t// Used for bridged plugins to avoid sending out individual messages for each parameter.\n\t\t\t\t\t\tplugSetProgram.set(plug);\n\t\t\t\t\t\tplugin->BeginSetProgram();\n\t\t\t\t\t}\n\t\t\t\t\tplugin->SetParameter(param.first.second, param.second / PlugParamValue(ModCommand::maxColumnValue));\n\t\t\t\t}\n\t\t\t}\n\t\t\tif(plugSetProgram.any())\n\t\t\t{\n\t\t\t\tfor(PLUGINDEX i = 0; i < MAX_MIXPLUGINS; i++)\n\t\t\t\t{\n\t\t\t\t\tif(plugSetProgram[i])\n\t\t\t\t\t{\n\t\t\t\t\t\tm_MixPlugins[i].pMixPlugin->EndSetProgram();\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n#endif // NO_PLUGINS\n\t\t} else if(adjustMode != eAdjustOnSuccess)\n\t\t{\n\t\t\t// Target not found (e.g. 
when jumping to a hidden sub song), reset global variables...\n\t\t\tm_PlayState.m_nMusicSpeed = m_nDefaultSpeed;\n\t\t\tm_PlayState.m_nMusicTempo = m_nDefaultTempo;\n\t\t\tm_PlayState.m_nGlobalVolume = m_nDefaultGlobalVolume;\n\t\t}\n\t\t// When adjusting the playback status, we will also want to update the visited rows vector according to the current position.\n\t\tif(sequence != Order.GetCurrentSequenceIndex())\n\t\t{\n\t\t\tOrder.SetSequence(sequence);\n\t\t}\n\t\tvisitedSongRows.Set(visitedRows);\n\t}\n\n\treturn results;\n\n}", "project": "openmpt", "hash": 82247471402509974896295465140162503884, "size": 1080, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255181 }, { "func": "indexEntry findEntry(Header h, rpmTagVal tag, rpm_tagtype_t type)\n{\n indexEntry entry;\n struct indexEntry_s key;\n\n if (h == NULL) return NULL;\n headerSort(h);\n\n key.info.tag = tag;\n\n entry = bsearch(&key, h->index, h->indexUsed, sizeof(*h->index), indexCmp);\n if (entry == NULL)\n\treturn NULL;\n\n if (type == RPM_NULL_TYPE)\n\treturn entry;\n\n /* look backwards */\n while (entry->info.tag == tag && entry->info.type != type &&\n\t entry > h->index) entry--;\n\n if (entry->info.tag == tag && entry->info.type == type)\n\treturn entry;\n\n return NULL;\n}", "project": "rpm", "hash": 335141889386826103350783412655255554571, "size": 26, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318168 }, { "func": "static int unicast_flush_resp(struct sock 
*sk, const struct sadb_msg *ihdr)\n{\n\tstruct sk_buff *skb;\n\tstruct sadb_msg *hdr;\n\n\tskb = alloc_skb(sizeof(struct sadb_msg) + 16, GFP_ATOMIC);\n\tif (!skb)\n\t\treturn -ENOBUFS;\n\n\thdr = skb_put_data(skb, ihdr, sizeof(struct sadb_msg));\n\thdr->sadb_msg_errno = (uint8_t) 0;\n\thdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));\n\n\treturn pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ONE, sk,\n\t\t\t sock_net(sk));\n}", "project": "linux", "hash": 86442023258242208158833910650199250934, "size": 16, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268043 }, { "func": "bool JOIN::build_explain()\n{\n have_query_plan= QEP_AVAILABLE;\n\n /*\n explain data must be created on the Explain_query::mem_root. 
Because it's\n just a memroot, not an arena, explain data must not contain any Items\n */\n MEM_ROOT *old_mem_root= thd->mem_root;\n Item *old_free_list __attribute__((unused))= thd->free_list;\n thd->mem_root= thd->lex->explain->mem_root;\n bool res= save_explain_data(thd->lex->explain, false /* can overwrite */,\n need_tmp,\n !skip_sort_order && !no_order && (order || group_list),\n select_distinct);\n thd->mem_root= old_mem_root;\n DBUG_ASSERT(thd->free_list == old_free_list); // no Items were created\n if (res)\n return 1;\n\n uint select_nr= select_lex->select_number;\n JOIN_TAB *curr_tab= join_tab + exec_join_tab_cnt();\n for (uint i= 0; i < aggr_tables; i++, curr_tab++)\n {\n if (select_nr == INT_MAX)\n {\n /* this is a fake_select_lex of a union */\n select_nr= select_lex->master_unit()->first_select()->select_number;\n curr_tab->tracker= thd->lex->explain->get_union(select_nr)->\n get_tmptable_read_tracker();\n }\n else\n {\n curr_tab->tracker= thd->lex->explain->get_select(select_nr)->\n get_using_temporary_read_tracker();\n }\n }\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 326991764595300891178108235253009978767, "size": 39, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508751 }, { "func": "static void set_pixel_format(VncState *vs,\n int bits_per_pixel, int depth,\n int big_endian_flag, int true_color_flag,\n int red_max, int green_max, int blue_max,\n int red_shift, int green_shift, int blue_shift)\n{\n if (!true_color_flag) {\n vnc_client_error(vs);\n return;\n }\n\n switch (bits_per_pixel) {\n case 8:\n case 16:\n case 32:\n break;\n default:\n vnc_client_error(vs);\n return;\n }\n\n vs->client_pf.rmax = red_max;\n vs->client_pf.rbits = hweight_long(red_max);\n vs->client_pf.rshift = red_shift;\n vs->client_pf.rmask = red_max << red_shift;\n vs->client_pf.gmax = green_max;\n vs->client_pf.gbits = hweight_long(green_max);\n vs->client_pf.gshift = green_shift;\n vs->client_pf.gmask = green_max << green_shift;\n vs->client_pf.bmax = blue_max;\n vs->client_pf.bbits = hweight_long(blue_max);\n vs->client_pf.bshift = blue_shift;\n vs->client_pf.bmask = blue_max << blue_shift;\n vs->client_pf.bits_per_pixel = bits_per_pixel;\n vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;\n vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;\n vs->client_be = big_endian_flag;\n\n set_pixel_conversion(vs);\n\n graphic_hw_invalidate(vs->vd->dcl.con);\n graphic_hw_update(vs->vd->dcl.con);\n}", "project": "qemu", "hash": 209274626528158267666795461424033381853, "size": 43, "commit_id": "4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3", "message": "ui: vnc: avoid floating point exception\n\nWhile sending 'SetPixelFormat' messages to a VNC server,\nthe client could set the 'red-max', 'green-max' and 'blue-max'\nvalues to be zero. 
This leads to a floating point exception in\nwrite_png_palette while doing frame buffer updates.\n\nReported-by: Lian Yihan \nSigned-off-by: Prasad J Pandit \nReviewed-by: Gerd Hoffmann \nSigned-off-by: Peter Maydell ", "target": 1, "dataset": "other", "idx": 202144 }, { "func": "static void set_pixel_format(VncState *vs,\n int bits_per_pixel, int depth,\n int big_endian_flag, int true_color_flag,\n int red_max, int green_max, int blue_max,\n int red_shift, int green_shift, int blue_shift)\n{\n if (!true_color_flag) {\n vnc_client_error(vs);\n return;\n }\n\n switch (bits_per_pixel) {\n case 8:\n case 16:\n case 32:\n break;\n default:\n vnc_client_error(vs);\n return;\n }\n\n vs->client_pf.rmax = red_max ? red_max : 0xFF;\n vs->client_pf.rbits = hweight_long(red_max);\n vs->client_pf.rshift = red_shift;\n vs->client_pf.rmask = red_max << red_shift;\n vs->client_pf.gmax = green_max ? green_max : 0xFF;\n vs->client_pf.gbits = hweight_long(green_max);\n vs->client_pf.gshift = green_shift;\n vs->client_pf.gmask = green_max << green_shift;\n vs->client_pf.bmax = blue_max ? blue_max : 0xFF;\n vs->client_pf.bbits = hweight_long(blue_max);\n vs->client_pf.bshift = blue_shift;\n vs->client_pf.bmask = blue_max << blue_shift;\n vs->client_pf.bits_per_pixel = bits_per_pixel;\n vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;\n vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;\n vs->client_be = big_endian_flag;\n\n set_pixel_conversion(vs);\n\n graphic_hw_invalidate(vs->vd->dcl.con);\n graphic_hw_update(vs->vd->dcl.con);\n}", "project": "qemu", "hash": 98211384367942618164926733929775680004, "size": 43, "commit_id": "4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3", "message": "ui: vnc: avoid floating point exception\n\nWhile sending 'SetPixelFormat' messages to a VNC server,\nthe client could set the 'red-max', 'green-max' and 'blue-max'\nvalues to be zero. 
This leads to a floating point exception in\nwrite_png_palette while doing frame buffer updates.\n\nReported-by: Lian Yihan \nSigned-off-by: Prasad J Pandit \nReviewed-by: Gerd Hoffmann \nSigned-off-by: Peter Maydell ", "target": 0, "dataset": "other", "idx": 330516 }, { "func": "static void futex_wait_queue_me(struct futex_hash_bucket *hb, struct futex_q *q,\n\t\t\t\tstruct hrtimer_sleeper *timeout)\n{\n\t/*\n\t * The task state is guaranteed to be set before another task can\n\t * wake it. set_current_state() is implemented using set_mb() and\n\t * queue_me() calls spin_unlock() upon completion, both serializing\n\t * access to the hash list and forcing another memory barrier.\n\t */\n\tset_current_state(TASK_INTERRUPTIBLE);\n\tqueue_me(q, hb);\n\n\t/* Arm the timer */\n\tif (timeout) {\n\t\thrtimer_start_expires(&timeout->timer, HRTIMER_MODE_ABS);\n\t\tif (!hrtimer_active(&timeout->timer))\n\t\t\ttimeout->task = NULL;\n\t}\n\n\t/*\n\t * If we have been removed from the hash list, then another task\n\t * has tried to wake us, and we can skip the call to schedule().\n\t */\n\tif (likely(!plist_node_empty(&q->list))) {\n\t\t/*\n\t\t * If the timer has already expired, current will already be\n\t\t * flagged for rescheduling. 
Only call schedule if there\n\t\t * is no timeout, or if it has yet to expire.\n\t\t */\n\t\tif (!timeout || timeout->task)\n\t\t\tschedule();\n\t}\n\t__set_current_state(TASK_RUNNING);\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 170231204693315956362210575164488793119, "size": 34, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492312 }, { "func": "static int usb_host_find_device(int *pbus_num, int *paddr,\n char *product_name, int product_name_size,\n const char *devname)\n{\n const char *p;\n int ret;\n FindDeviceState fs;\n\n p = strchr(devname, '.');\n if (p) {\n *pbus_num = strtoul(devname, NULL, 0);\n *paddr = strtoul(p + 1, NULL, 0);\n fs.bus_num = *pbus_num;\n fs.addr = *paddr;\n ret = usb_host_scan(&fs, usb_host_find_device_scan);\n if (ret)\n pstrcpy(product_name, product_name_size, fs.product_name);\n return 0;\n }\n\n p = strchr(devname, ':');\n if (p) {\n fs.vendor_id = strtoul(devname, NULL, 16);\n fs.product_id = strtoul(p + 1, NULL, 16);\n ret = usb_host_scan(&fs, usb_host_find_device_scan);\n if (ret) {\n *pbus_num = fs.bus_num;\n *paddr = fs.addr;\n pstrcpy(product_name, product_name_size, fs.product_name);\n return 0;\n }\n }\n return -1;\n}", "project": "qemu", "hash": 214147605578627853123606683952025042149, "size": 34, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346320 }, { "func": "static int pfkey_send_notify(struct xfrm_state *x, const struct km_event *c)\n{\n\tstruct net *net = x ? xs_net(x) : c->net;\n\tstruct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);\n\n\tif (atomic_read(&net_pfkey->socks_nr) == 0)\n\t\treturn 0;\n\n\tswitch (c->event) {\n\tcase XFRM_MSG_EXPIRE:\n\t\treturn key_notify_sa_expire(x, c);\n\tcase XFRM_MSG_DELSA:\n\tcase XFRM_MSG_NEWSA:\n\tcase XFRM_MSG_UPDSA:\n\t\treturn key_notify_sa(x, c);\n\tcase XFRM_MSG_FLUSHSA:\n\t\treturn key_notify_sa_flush(c);\n\tcase XFRM_MSG_NEWAE: /* not yet supported */\n\t\tbreak;\n\tdefault:\n\t\tpr_err(\"pfkey: Unknown SA event %d\\n\", c->event);\n\t\tbreak;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 291691961027405287105180452623019438563, "size": 26, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 
3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268048 }, { "func": "int64_t intsetRandom(intset *is) {\n return _intsetGet(is,rand()%intrev32ifbe(is->length));\n}", "project": "redis", "hash": 156601430830278139655477941266936907521, "size": 3, "commit_id": "789f10156009b404950ad717642a9496ed887083", "message": "Fix integer overflow in intset (CVE-2021-29478)\n\nAn integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and\npotentially result with remote code execution.\n\nThe vulnerability involves changing the default set-max-intset-entries\nconfiguration value, creating a large set key that consists of integer values\nand using the COPY command to duplicate it.\n\nThe integer overflow bug exists in all versions of Redis starting with 2.6,\nwhere it could result with a corrupted RDB or DUMP payload, but not exploited\nthrough COPY (which did not exist before 6.2).\n\n(cherry picked from commit 29900d4e6bccdf3691bedf0ea9a5d84863fa3592)", "target": 0, "dataset": "other", "idx": 290641 }, { "func": "void tracing_reset_all_online_cpus(void)\n{\n\tstruct trace_array *tr;\n\n\tlist_for_each_entry(tr, &ftrace_trace_arrays, list) {\n\t\tif (!tr->clear_trace)\n\t\t\tcontinue;\n\t\ttr->clear_trace = false;\n\t\ttracing_reset_online_cpus(&tr->trace_buffer);\n#ifdef CONFIG_TRACER_MAX_TRACE\n\t\ttracing_reset_online_cpus(&tr->max_buffer);\n#endif\n\t}\n}", "project": "linux", "hash": 85101791834152395307057875288406283947, "size": 14, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on 
failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445767 }, { "func": "void CServer::ConStopRecord(IConsole::IResult *pResult, void *pUser)\n{\n\t((CServer *)pUser)->m_DemoRecorder.Stop();\n}", "project": "teeworlds", "hash": 285315944889916298883521630397885178352, "size": 4, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382035 }, { "func": "static inline unsigned long perf_ip_adjust(struct pt_regs *regs)\n{\n\treturn 0;\n}", "project": "linux", "hash": 220286548467142489463514349503030930862, "size": 4, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n 
perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374690 }, { "func": "static inline unsigned long perf_ip_adjust(struct pt_regs *regs)\n{\n\tunsigned long mmcra = regs->dsisr;\n\n\tif ((ppmu->flags & PPMU_HAS_SSLOT) && (mmcra & MMCRA_SAMPLE_ENABLE)) {\n\t\tunsigned long slot = (mmcra & MMCRA_SLOT) >> MMCRA_SLOT_SHIFT;\n\t\tif (slot > 1)\n\t\t\treturn 4 * (slot - 1);\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 181394279284147413583262453378759829771, "size": 12, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n 
Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374732 }, { "func": "static int ipv6_tuple_to_nlattr(struct sk_buff *skb,\n\t\t\t\tconst struct nf_conntrack_tuple *tuple)\n{\n\tif (nla_put_in6_addr(skb, CTA_IP_V6_SRC, &tuple->src.u3.in6) ||\n\t nla_put_in6_addr(skb, CTA_IP_V6_DST, &tuple->dst.u3.in6))\n\t\treturn -EMSGSIZE;\n\treturn 0;\n}", "project": "linux", "hash": 39014375025332725643127581336993350926, "size": 8, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. 
Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394255 }, { "func": "static void __input_release_device(struct input_handle *handle)\n{\n\tstruct input_dev *dev = handle->dev;\n\tstruct input_handle *grabber;\n\n\tgrabber = rcu_dereference_protected(dev->grab,\n\t\t\t\t\t lockdep_is_held(&dev->mutex));\n\tif (grabber == handle) {\n\t\trcu_assign_pointer(dev->grab, NULL);\n\t\t/* Make sure input_pass_event() notices that grab is gone */\n\t\tsynchronize_rcu();\n\n\t\tlist_for_each_entry(handle, &dev->h_list, d_node)\n\t\t\tif (handle->open && handle->handler->start)\n\t\t\t\thandle->handler->start(handle);\n\t}\n}", "project": "linux", "hash": 291991526608025274461480667853075516424, "size": 17, "commit_id": 
"cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353339 }, { "func": " */\nstatic void bfq_set_budget_timeout(struct bfq_data *bfqd,\n\t\t\t\t struct bfq_queue *bfqq)\n{\n\tunsigned int timeout_coeff;\n\n\tif (bfqq->wr_cur_max_time == bfqd->bfq_wr_rt_max_time)\n\t\ttimeout_coeff = 1;\n\telse\n\t\ttimeout_coeff = bfqq->entity.weight / bfqq->entity.orig_weight;\n\n\tbfqd->last_budget_start = ktime_get();\n\n\tbfqq->budget_timeout = jiffies +\n\t\tbfqd->bfq_timeout * timeout_coeff;", "project": "linux", "hash": 100243780722009551447706431055375372497, "size": 15, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453284 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void ecall_project(uint8_t *condition, size_t condition_length,\n uint8_t *input_rows, size_t input_rows_length,\n uint8_t **output_rows, size_t *output_rows_length) {\n // Guard against operating on arbitrary enclave memory\n assert(sgx_is_outside_enclave(input_rows, input_rows_length) == 1);\n sgx_lfence();\n\n try {\n project(condition, condition_length,\n input_rows, input_rows_length,\n output_rows, output_rows_length);\n } catch (const std::runtime_error &e) {\n ocall_throw(e.what());\n }\n}", "idx": 519082, "cwe": "CWE-787", "hash": 90744683818138080350091439660619966478, "dataset": "other" }, { "func": "const vector& CClient::GetClients() const {\n if (m_pNetwork) {\n return m_pNetwork->GetClients();\n }\n\n return m_pUser->GetUserClients();\n}", 
"project": "znc", "hash": 273756844521706399683752077424351645552, "size": 7, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231570 }, { "func": "static int s_show(struct seq_file *m, void *v)\n{\n\tstruct trace_iterator *iter = v;\n\tint ret;\n\n\tif (iter->ent == NULL) {\n\t\tif (iter->tr) {\n\t\t\tseq_printf(m, \"# tracer: %s\\n\", iter->trace->name);\n\t\t\tseq_puts(m, \"#\\n\");\n\t\t\ttest_ftrace_alive(m);\n\t\t}\n\t\tif (iter->snapshot && trace_empty(iter))\n\t\t\tprint_snapshot_help(m, iter);\n\t\telse if (iter->trace && iter->trace->print_header)\n\t\t\titer->trace->print_header(m);\n\t\telse\n\t\t\ttrace_default_header(m);\n\n\t} else if (iter->leftover) {\n\t\t/*\n\t\t * If we filled the seq_file buffer earlier, we\n\t\t * want to just show it now.\n\t\t */\n\t\tret = trace_print_seq(m, &iter->seq);\n\n\t\t/* ret should this time be zero, but you never know */\n\t\titer->leftover = ret;\n\n\t} else {\n\t\tprint_trace_line(iter);\n\t\tret = trace_print_seq(m, &iter->seq);\n\t\t/*\n\t\t * If we overflow the seq_file buffer, then it will\n\t\t * ask us for this data again at start up.\n\t\t * Use that instead.\n\t\t * ret is 0 if seq_file write succeeded.\n\t\t * -1 otherwise.\n\t\t */\n\t\titer->leftover = ret;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 21855654427574320991385051475179702243, "size": 43, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445736 }, { "func": "int zap_other_threads(struct task_struct *p)\n{\n\tstruct task_struct *t = p;\n\tint count = 0;\n\n\tp->signal->group_stop_count = 0;\n\n\twhile_each_thread(p, t) {\n\t\ttask_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);\n\t\tcount++;\n\n\t\t/* Don't bother with already dead threads */\n\t\tif (t->exit_state)\n\t\t\tcontinue;\n\t\tsigaddset(&t->pending.signal, SIGKILL);\n\t\tsignal_wake_up(t, 1);\n\t}\n\n\treturn count;\n}", "project": "linux", "hash": 241141183128184645732561363263741430723, "size": 20, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. 
Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375255 }, { "func": "static int oidc_check_userid_openidc(request_rec *r, oidc_cfg *c) {\n\n\tif (oidc_get_redirect_uri(r, c) == NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"configuration error: the authentication type is set to \\\"\" OIDC_AUTH_TYPE_OPENID_CONNECT \"\\\" but \" OIDCRedirectURI \" has not been set\");\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\t/* check if this is a sub-request or an initial request */\n\tif (!ap_is_initial_req(r)) {\n\n\t\t/* not an initial request, try to recycle what we've already established in the main request */\n\t\tif (r->main != NULL)\n\t\t\tr->user = r->main->user;\n\t\telse if (r->prev != NULL)\n\t\t\tr->user = r->prev->user;\n\n\t\tif (r->user != NULL) {\n\n\t\t\t/* this is a sub-request and we have a session (headers will have been scrubbed and set already) */\n\t\t\toidc_debug(r,\n\t\t\t\t\t\"recycling user '%s' from initial request for sub-request\",\n\t\t\t\t\tr->user);\n\n\t\t\t/*\n\t\t\t * apparently request state can get lost in sub-requests, so let's see\n\t\t\t * if we need to restore id_token and/or claims from the session cache\n\t\t\t */\n\t\t\tconst char *s_id_token = oidc_request_state_get(r,\n\t\t\t\t\tOIDC_REQUEST_STATE_KEY_IDTOKEN);\n\t\t\tif (s_id_token == NULL) {\n\n\t\t\t\toidc_session_t *session = NULL;\n\t\t\t\toidc_session_load(r, &session);\n\n\t\t\t\toidc_copy_tokens_to_request_state(r, session, NULL, 
NULL);\n\n\t\t\t\t/* free resources allocated for the session */\n\t\t\t\toidc_session_free(r, session);\n\t\t\t}\n\n\t\t\t/* strip any cookies that we need to */\n\t\t\toidc_strip_cookies(r);\n\n\t\t\treturn OK;\n\t\t}\n\t\t/*\n\t\t * else: not initial request, but we could not find a session, so:\n\t\t * try to load a new session as if this were the initial request\n\t\t */\n\t}\n\n\tint rc = OK;\n\tapr_byte_t needs_save = FALSE;\n\n\t/* load the session from the request state; this will be a new \"empty\" session if no state exists */\n\toidc_session_t *session = NULL;\n\toidc_session_load(r, &session);\n\n\t/* see if the initial request is to the redirect URI; this handles potential logout too */\n\tif (oidc_util_request_matches_url(r, oidc_get_redirect_uri(r, c))) {\n\n\t\t/* handle request to the redirect_uri */\n\t\trc = oidc_handle_redirect_uri_request(r, c, session);\n\n\t\t/* free resources allocated for the session */\n\t\toidc_session_free(r, session);\n\n\t\treturn rc;\n\n\t\t/* initial request to non-redirect URI, check if we have an existing session */\n\t} else if (session->remote_user != NULL) {\n\n\t\t/* this is initial request and we already have a session */\n\t\trc = oidc_handle_existing_session(r, c, session, &needs_save);\n\t\tif (rc == OK) {\n\n\t\t\t/* check if something was updated in the session and we need to save it again */\n\t\t\tif (needs_save) {\n\t\t\t\tif (oidc_session_save(r, session, FALSE) == FALSE) {\n\t\t\t\t\toidc_warn(r, \"error saving session\");\n\t\t\t\t\trc = HTTP_INTERNAL_SERVER_ERROR;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t/* free resources allocated for the session */\n\t\toidc_session_free(r, session);\n\n\t\t/* strip any cookies that we need to */\n\t\toidc_strip_cookies(r);\n\n\t\treturn rc;\n\t}\n\n\t/* free resources allocated for the session */\n\toidc_session_free(r, session);\n\n\t/*\n\t * else: we have no session and it is not an authorization or\n\t * discovery response: just hit the default flow for 
unauthenticated users\n\t */\n\n\treturn oidc_handle_unauthenticated_user(r, c);\n}", "project": "mod_auth_openidc", "hash": 283218533163853250723110285481603472730, "size": 105, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381962 }, { "func": "static int oidc_check_userid_openidc(request_rec *r, oidc_cfg *c) {\n\n\tif (oidc_get_redirect_uri(r, c) == NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"configuration error: the authentication type is set to \\\"\" OIDC_AUTH_TYPE_OPENID_CONNECT \"\\\" but \" OIDCRedirectURI \" has not been set\");\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\t}\n\n\t/* check if this is a sub-request or an initial request */\n\tif (ap_is_initial_req(r)) {\n\n\t\tint rc = OK;\n\n\t\t/* load the session from the request state; this will be a new \"empty\" session if no state exists */\n\t\toidc_session_t *session = NULL;\n\t\toidc_session_load(r, &session);\n\n\t\t/* see if the initial request is to the redirect URI; this handles potential logout too */\n\t\tif (oidc_util_request_matches_url(r, oidc_get_redirect_uri(r, c))) {\n\n\t\t\t/* handle request to the redirect_uri */\n\t\t\trc = oidc_handle_redirect_uri_request(r, c, session);\n\n\t\t\t/* free resources allocated for the session */\n\t\t\toidc_session_free(r, session);\n\n\t\t\treturn rc;\n\n\t\t\t/* initial request to non-redirect URI, check if we have an existing session */\n\t\t} else if (session->remote_user != NULL) {\n\n\t\t\t/* this is initial request and we already have a session */\n\t\t\trc = oidc_handle_existing_session(r, c, session);\n\n\t\t\t/* free resources allocated for the session */\n\t\t\toidc_session_free(r, session);\n\n\t\t\t/* strip any cookies that we need to */\n\t\t\toidc_strip_cookies(r);\n\n\t\t\treturn rc;\n\t\t}\n\n\t\t/* free resources allocated 
for the session */\n\t\toidc_session_free(r, session);\n\n\t\t/*\n\t\t * else: initial request, we have no session and it is not an authorization or\n\t\t * discovery response: just hit the default flow for unauthenticated users\n\t\t */\n\t} else {\n\n\t\t/* not an initial request, try to recycle what we've already established in the main request */\n\t\tif (r->main != NULL)\n\t\t\tr->user = r->main->user;\n\t\telse if (r->prev != NULL)\n\t\t\tr->user = r->prev->user;\n\n\t\tif (r->user != NULL) {\n\n\t\t\t/* this is a sub-request and we have a session (headers will have been scrubbed and set already) */\n\t\t\toidc_debug(r,\n\t\t\t\t\t\"recycling user '%s' from initial request for sub-request\",\n\t\t\t\t\tr->user);\n\n\t\t\t/*\n\t\t\t * apparently request state can get lost in sub-requests, so let's see\n\t\t\t * if we need to restore id_token and/or claims from the session cache\n\t\t\t */\n\t\t\tconst char *s_id_token = oidc_request_state_get(r,\n\t\t\t\t\tOIDC_REQUEST_STATE_KEY_IDTOKEN);\n\t\t\tif (s_id_token == NULL) {\n\n\t\t\t\toidc_session_t *session = NULL;\n\t\t\t\toidc_session_load(r, &session);\n\n\t\t\t\toidc_copy_tokens_to_request_state(r, session, NULL, NULL);\n\n\t\t\t\t/* free resources allocated for the session */\n\t\t\t\toidc_session_free(r, session);\n\t\t\t}\n\n\t\t\t/* strip any cookies that we need to */\n\t\t\toidc_strip_cookies(r);\n\n\t\t\treturn OK;\n\t\t}\n\t\t/*\n\t\t * else: not initial request, but we could not find a session, so:\n\t\t * just hit the default flow for unauthenticated users\n\t\t */\n\t}\n\n\treturn oidc_handle_unauthenticated_user(r, c);\n}", "project": "mod_auth_openidc", "hash": 78639086697991961782756543614668399227, "size": 95, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447680 }, { "func": "static int set_uint_value(char **optstr, unsigned int num,\n\t\t\tchar *begin, char *end, char 
**next)\n{\n\tchar buf[40];\n\tsnprintf(buf, sizeof(buf), \"%u\", num);\n\n\tmnt_optstr_remove_option_at(optstr, begin, end);\n\treturn insert_value(optstr, begin, buf, next);\n}", "project": "util-linux", "hash": 195932562780530472717043337048710969877, "size": 9, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410426 }, { "func": "static int fuse_direntplus_link(struct file *file,\n\t\t\t\tstruct fuse_direntplus *direntplus,\n\t\t\t\tu64 attr_version)\n{\n\tstruct fuse_entry_out *o = &direntplus->entry_out;\n\tstruct fuse_dirent *dirent = &direntplus->dirent;\n\tstruct dentry *parent = file->f_path.dentry;\n\tstruct qstr name = QSTR_INIT(dirent->name, dirent->namelen);\n\tstruct dentry *dentry;\n\tstruct dentry *alias;\n\tstruct inode *dir = d_inode(parent);\n\tstruct fuse_conn *fc;\n\tstruct inode *inode;\n\tDECLARE_WAIT_QUEUE_HEAD_ONSTACK(wq);\n\n\tif (!o->nodeid) {\n\t\t/*\n\t\t * Unlike in the case of fuse_lookup, zero nodeid does not mean\n\t\t * ENOENT. Instead, it only means the userspace filesystem did\n\t\t * not want to return attributes/handle for this entry.\n\t\t *\n\t\t * So do nothing.\n\t\t */\n\t\treturn 0;\n\t}\n\n\tif (name.name[0] == '.') {\n\t\t/*\n\t\t * We could potentially refresh the attributes of the directory\n\t\t * and its parent?\n\t\t */\n\t\tif (name.len == 1)\n\t\t\treturn 0;\n\t\tif (name.name[1] == '.' 
&& name.len == 2)\n\t\t\treturn 0;\n\t}\n\n\tif (invalid_nodeid(o->nodeid))\n\t\treturn -EIO;\n\tif (fuse_invalid_attr(&o->attr))\n\t\treturn -EIO;\n\n\tfc = get_fuse_conn(dir);\n\n\tname.hash = full_name_hash(parent, name.name, name.len);\n\tdentry = d_lookup(parent, &name);\n\tif (!dentry) {\nretry:\n\t\tdentry = d_alloc_parallel(parent, &name, &wq);\n\t\tif (IS_ERR(dentry))\n\t\t\treturn PTR_ERR(dentry);\n\t}\n\tif (!d_in_lookup(dentry)) {\n\t\tstruct fuse_inode *fi;\n\t\tinode = d_inode(dentry);\n\t\tif (!inode ||\n\t\t get_node_id(inode) != o->nodeid ||\n\t\t ((o->attr.mode ^ inode->i_mode) & S_IFMT)) {\n\t\t\td_invalidate(dentry);\n\t\t\tdput(dentry);\n\t\t\tgoto retry;\n\t\t}\n\t\tif (fuse_is_bad(inode)) {\n\t\t\tdput(dentry);\n\t\t\treturn -EIO;\n\t\t}\n\n\t\tfi = get_fuse_inode(inode);\n\t\tspin_lock(&fi->lock);\n\t\tfi->nlookup++;\n\t\tspin_unlock(&fi->lock);\n\n\t\tforget_all_cached_acls(inode);\n\t\tfuse_change_attributes(inode, &o->attr,\n\t\t\t\t entry_attr_timeout(o),\n\t\t\t\t attr_version);\n\t\t/*\n\t\t * The other branch comes via fuse_iget()\n\t\t * which bumps nlookup inside\n\t\t */\n\t} else {\n\t\tinode = fuse_iget(dir->i_sb, o->nodeid, o->generation,\n\t\t\t\t &o->attr, entry_attr_timeout(o),\n\t\t\t\t attr_version);\n\t\tif (!inode)\n\t\t\tinode = ERR_PTR(-ENOMEM);\n\n\t\talias = d_splice_alias(inode, dentry);\n\t\td_lookup_done(dentry);\n\t\tif (alias) {\n\t\t\tdput(dentry);\n\t\t\tdentry = alias;\n\t\t}\n\t\tif (IS_ERR(dentry))\n\t\t\treturn PTR_ERR(dentry);\n\t}\n\tif (fc->readdirplus_auto)\n\t\tset_bit(FUSE_I_INIT_RDPLUS, &get_fuse_inode(inode)->state);\n\tfuse_change_entry_timeout(dentry, o);\n\n\tdput(dentry);\n\treturn 0;\n}", "project": "linux", "hash": 208118323146732601099998422368130039845, "size": 103, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify 
mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342157 }, { "func": "static int fuse_verify_ioctl_iov(struct fuse_conn *fc, struct iovec *iov,\n\t\t\t\t size_t count)\n{\n\tsize_t n;\n\tu32 max = fc->max_pages << PAGE_SHIFT;\n\n\tfor (n = 0; n < count; n++, iov++) {\n\t\tif (iov->iov_len > (size_t) max)\n\t\t\treturn -ENOMEM;\n\t\tmax -= iov->iov_len;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 282803932636725029505004599991790852397, "size": 13, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341994 }, { "func": "static int active_scan(struct hci_request *req, unsigned long opt)\n{\n\tuint16_t interval = opt;\n\tstruct hci_dev *hdev = req->hdev;\n\tu8 own_addr_type;\n\t/* White list is not used for discovery */\n\tu8 filter_policy = 0x00;\n\t/* Discovery doesn't require controller address resolution */\n\tbool addr_resolv = false;\n\tint err;\n\n\tbt_dev_dbg(hdev, \"\");\n\n\t/* If controller is scanning, it means the background scanning is\n\t * running. Thus, we should temporarily stop it in order to set the\n\t * discovery scanning parameters.\n\t */\n\tif (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {\n\t\thci_req_add_le_scan_disable(req, false);\n\t\tcancel_interleave_scan(hdev);\n\t}\n\n\t/* All active scans will be done with either a resolvable private\n\t * address (when privacy feature has been enabled) or non-resolvable\n\t * private address.\n\t */\n\terr = hci_update_random_address(req, true, scan_use_rpa(hdev),\n\t\t\t\t\t&own_addr_type);\n\tif (err < 0)\n\t\town_addr_type = ADDR_LE_DEV_PUBLIC;\n\n\thci_req_start_scan(req, LE_SCAN_ACTIVE, interval,\n\t\t\t hdev->le_scan_window_discovery, own_addr_type,\n\t\t\t filter_policy, addr_resolv);\n\treturn 0;\n}", "project": "linux", "hash": 91649076512018531696212817761941079762, "size": 36, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402566 }, { "func": "static int nfs4_delay_killable(long *timeout)\n{\n\tmight_sleep();\n\n\tfreezable_schedule_timeout_killable_unsafe(\n\t\tnfs4_update_delay(timeout));\n\tif (!__fatal_signal_pending(current))\n\t\treturn 0;\n\treturn -EINTR;\n}", "project": "linux", "hash": 295670688480749074164783286195714149834, "size": 10, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431060 }, { "func": "static int kvm_mmu_notifier_clear_flush_young(struct mmu_notifier *mn,\n\t\t\t\t\t struct mm_struct *mm,\n\t\t\t\t\t unsigned long start,\n\t\t\t\t\t unsigned long end)\n{\n\tstruct kvm *kvm = mmu_notifier_to_kvm(mn);\n\tint young, idx;\n\n\tidx = srcu_read_lock(&kvm->srcu);\n\tspin_lock(&kvm->mmu_lock);\n\n\tyoung = kvm_age_hva(kvm, start, end);\n\tif (young)\n\t\tkvm_flush_remote_tlbs(kvm);\n\n\tspin_unlock(&kvm->mmu_lock);\n\tsrcu_read_unlock(&kvm->srcu, idx);\n\n\treturn young;\n}", "project": "linux", "hash": 
141808860010889140023564053612906061787, "size": 20, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354640 }, { "func": "static int kvm_mmu_notifier_clear_flush_young(struct mmu_notifier *mn,\n\t\t\t\t\t struct mm_struct *mm,\n\t\t\t\t\t unsigned long start,\n\t\t\t\t\t unsigned long end)\n{\n\ttrace_kvm_age_hva(start, end);\n\n\treturn kvm_handle_hva_range(mn, start, end, __pte(0), kvm_age_gfn);\n}", "project": "linux", "hash": 145314285255893027769723429026204007509, "size": 9, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404075 }, { "func": "int tipc_nl_node_flush_key(struct sk_buff *skb, struct genl_info *info)\n{\n\tint err;\n\n\trtnl_lock();\n\terr = __tipc_nl_node_flush_key(skb, info);\n\trtnl_unlock();\n\n\treturn err;\n}", "project": "linux", "hash": 236741902596802097845272123872123339700, "size": 10, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg 
net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n 
__kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364927 }, { "func": "bool JOIN::inject_cond_into_where(Item *injected_cond)\n{\n Item *where_item= injected_cond;\n List *and_args= NULL;\n if (conds && conds->type() == Item::COND_ITEM &&\n ((Item_cond*) conds)->functype() == Item_func::COND_AND_FUNC)\n {\n and_args= ((Item_cond*) conds)->argument_list();\n if (cond_equal)\n and_args->disjoin((List *) &cond_equal->current_level);\n }\n\n where_item= and_items(thd, conds, where_item);\n if (where_item->fix_fields_if_needed(thd, 0))\n return true;\n thd->change_item_tree(&select_lex->where, where_item);\n select_lex->where->top_level_item();\n conds= select_lex->where;\n\n if (and_args && cond_equal)\n {\n and_args= ((Item_cond*) conds)->argument_list();\n List_iterator li(cond_equal->current_level);\n Item_equal *elem;\n while ((elem= li++))\n {\n and_args->push_back(elem, thd->mem_root);\n }\n }\n\n return false;\n\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 215978353915558275020321040919665071403, "size": 33, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508719 }, { "func": "static int oidc_handle_logout_backchannel(request_rec *r, oidc_cfg *cfg) {\n\n\toidc_debug(r, \"enter\");\n\n\tconst char *logout_token = NULL;\n\toidc_jwt_t *jwt = NULL;\n\toidc_jose_error_t err;\n\toidc_jwk_t *jwk = NULL;\n\toidc_provider_t *provider = NULL;\n\tchar *sid = NULL, *uuid = NULL;\n\toidc_session_t session;\n\tint rc = HTTP_BAD_REQUEST;\n\n\tapr_table_t *params = apr_table_make(r->pool, 8);\n\tif (oidc_util_read_post_params(r, params, FALSE, NULL) == FALSE) {\n\t\toidc_error(r,\n\t\t\t\t\"could not read POST-ed parameters to the logout endpoint\");\n\t\tgoto out;\n\t}\n\n\tlogout_token = apr_table_get(params, OIDC_PROTO_LOGOUT_TOKEN);\n\tif (logout_token == NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"backchannel lggout endpoint was called but could not find a parameter named \\\"%s\\\"\",\n\t\t\t\tOIDC_PROTO_LOGOUT_TOKEN);\n\t\tgoto out;\n\t}\n\n\t// TODO: jwk symmetric key based on provider\n\n\tif (oidc_jwt_parse(r->pool, logout_token, &jwt,\n\t\t\toidc_util_merge_symmetric_key(r->pool, cfg->private_keys, NULL),\n\t\t\t&err) == FALSE) {\n\t\toidc_error(r, \"oidc_jwt_parse failed: %s\", oidc_jose_e2s(r->pool, err));\n\t\tgoto out;\n\t}\n\n\tprovider = oidc_get_provider_for_issuer(r, cfg, jwt->payload.iss, FALSE);\n\tif (provider == NULL) {\n\t\toidc_error(r, \"no provider found for issuer: %s\", jwt->payload.iss);\n\t\tgoto out;\n\t}\n\n\t// TODO: destroy the JWK used for decryption\n\n\tjwk = NULL;\n\tif (oidc_util_create_symmetric_key(r, provider->client_secret, 0,\n\t\t\tNULL, TRUE, &jwk) == FALSE)\n\t\treturn FALSE;\n\n\toidc_jwks_uri_t jwks_uri = { provider->jwks_uri,\n\t\t\tprovider->jwks_refresh_interval, provider->ssl_validate_server };\n\tif (oidc_proto_jwt_verify(r, cfg, jwt, 
&jwks_uri,\n\t\t\toidc_util_merge_symmetric_key(r->pool, NULL, jwk),\n\t\t\tprovider->id_token_signed_response_alg) == FALSE) {\n\n\t\toidc_error(r, \"id_token signature could not be validated, aborting\");\n\t\tgoto out;\n\t}\n\n\t// oidc_proto_validate_idtoken would try and require a token binding cnf\n\t// if the policy is set to \"required\", so don't use that here\n\tif (oidc_proto_validate_jwt(r, jwt,\n\t\t\tprovider->validate_issuer ? provider->issuer : NULL, FALSE, FALSE,\n\t\t\t\t\tprovider->idtoken_iat_slack,\n\t\t\t\t\tOIDC_TOKEN_BINDING_POLICY_DISABLED) == FALSE)\n\t\tgoto out;\n\n\t/* verify the \"aud\" and \"azp\" values */\n\tif (oidc_proto_validate_aud_and_azp(r, cfg, provider, &jwt->payload)\n\t\t\t== FALSE)\n\t\tgoto out;\n\n\tjson_t *events = json_object_get(jwt->payload.value.json,\n\t\t\tOIDC_CLAIM_EVENTS);\n\tif (events == NULL) {\n\t\toidc_error(r, \"\\\"%s\\\" claim could not be found in logout token\",\n\t\t\t\tOIDC_CLAIM_EVENTS);\n\t\tgoto out;\n\t}\n\n\tjson_t *blogout = json_object_get(events, OIDC_EVENTS_BLOGOUT_KEY);\n\tif (!json_is_object(blogout)) {\n\t\toidc_error(r, \"\\\"%s\\\" object could not be found in \\\"%s\\\" claim\",\n\t\t\t\tOIDC_EVENTS_BLOGOUT_KEY, OIDC_CLAIM_EVENTS);\n\t\tgoto out;\n\t}\n\n\tchar *nonce = NULL;\n\toidc_json_object_get_string(r->pool, jwt->payload.value.json,\n\t\t\tOIDC_CLAIM_NONCE, &nonce, NULL);\n\tif (nonce != NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"rejecting logout request/token since it contains a \\\"%s\\\" claim\",\n\t\t\t\tOIDC_CLAIM_NONCE);\n\t\tgoto out;\n\t}\n\n\tchar *jti = NULL;\n\toidc_json_object_get_string(r->pool, jwt->payload.value.json,\n\t\t\tOIDC_CLAIM_JTI, &jti, NULL);\n\tif (jti != NULL) {\n\t\tchar *replay = NULL;\n\t\toidc_cache_get_jti(r, jti, &replay);\n\t\tif (replay != NULL) {\n\t\t\toidc_error(r,\n\t\t\t\t\t\"the \\\"%s\\\" value (%s) passed in logout token was found in the cache already; possible replay attack!?\",\n\t\t\t\t\tOIDC_CLAIM_JTI, jti);\n\t\t\tgoto 
out;\n\t\t}\n\t}\n\n\t/* jti cache duration is the configured replay prevention window for token issuance plus 10 seconds for safety */\n\tapr_time_t jti_cache_duration = apr_time_from_sec(\n\t\t\tprovider->idtoken_iat_slack * 2 + 10);\n\n\t/* store it in the cache for the calculated duration */\n\toidc_cache_set_jti(r, jti, jti, apr_time_now() + jti_cache_duration);\n\n\toidc_json_object_get_string(r->pool, jwt->payload.value.json,\n\t\t\tOIDC_CLAIM_EVENTS, &sid, NULL);\n\n\t// TODO: by-spec we should cater for the fact that \"sid\" has been provided\n\t// in the id_token returned in the authentication request, but \"sub\"\n\t// is used in the logout token but that requires a 2nd entry in the\n\t// cache and a separate session \"sub\" member, ugh; we'll just assume\n\t// that is \"sid\" is specified in the id_token, the OP will actually use\n\t// this for logout\n\t// (and probably call us multiple times or the same sub if needed)\n\n\toidc_json_object_get_string(r->pool, jwt->payload.value.json,\n\t\t\tOIDC_CLAIM_SID, &sid, NULL);\n\tif (sid == NULL)\n\t\tsid = jwt->payload.sub;\n\n\tif (sid == NULL) {\n\t\toidc_error(r, \"no \\\"sub\\\" and no \\\"sid\\\" claim found in logout token\");\n\t\tgoto out;\n\t}\n\n\t// TODO: when dealing with sub instead of a true sid, we'll be killing all sessions for\n\t// a specific user, across hosts that share the *same* cache backend\n\t// if those hosts haven't been configured with a different OIDCCryptoPassphrase\n\t// - perhaps that's even acceptable since non-memory caching is encrypted by default\n\t// and memory-based caching doesn't suffer from this (different shm segments)?\n\t// - it will result in 400 errors returned from backchannel logout calls to the other hosts...\n\n\tsid = oidc_make_sid_iss_unique(r, sid, provider->issuer);\n\toidc_cache_get_sid(r, sid, &uuid);\n\tif (uuid == NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"could not find session based on sid/sub provided in logout token: %s\",\n\t\t\t\tsid);\n\t\t// 
return HTTP 200 according to (new?) spec and terminate early\n\t\t// to avoid Apache returning auth/authz error 500 for the redirect URI\n\t\trc = DONE;\n\t\tgoto out;\n\t}\n\n\t// revoke tokens if we can get a handle on those\n\tif (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) {\n\t\tif (oidc_session_load_cache_by_uuid(r, cfg, uuid, &session) != FALSE)\n\t\t\tif (oidc_session_extract(r, &session) != FALSE)\n\t\t\t\toidc_revoke_tokens(r, cfg, &session);\n\t}\n\n\t// clear the session cache\n\toidc_cache_set_sid(r, sid, NULL, 0);\n\toidc_cache_set_session(r, uuid, NULL, 0);\n\n\t// terminate with DONE instead of OK\n\t// to avoid Apache returning auth/authz error 500 for the redirect URI\n\trc = DONE;\n\nout:\n\n\tif (jwk != NULL) {\n\t\toidc_jwk_destroy(jwk);\n\t\tjwk = NULL;\n\n\t}\n\tif (jwt != NULL) {\n\t\toidc_jwt_destroy(jwt);\n\t\tjwt = NULL;\n\t}\n\n\toidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_CACHE_CONTROL,\n\t\t\t\"no-cache, no-store\");\n\toidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_PRAGMA, \"no-cache\");\n\n\treturn rc;\n}", "project": "mod_auth_openidc", "hash": 75961893777197879329193332189943926164, "size": 192, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381923 }, { "func": "static int oidc_handle_logout_backchannel(request_rec *r, oidc_cfg *cfg) {\n\n\toidc_debug(r, \"enter\");\n\n\tconst char *logout_token = NULL;\n\toidc_jwt_t *jwt = NULL;\n\toidc_jose_error_t err;\n\toidc_jwk_t *jwk = NULL;\n\toidc_provider_t *provider = NULL;\n\tchar *sid = NULL, *uuid = NULL;\n\toidc_session_t session;\n\tint rc = HTTP_BAD_REQUEST;\n\n\tapr_table_t *params = apr_table_make(r->pool, 8);\n\tif (oidc_util_read_post_params(r, params, FALSE, NULL) == FALSE) {\n\t\toidc_error(r,\n\t\t\t\t\"could not read POST-ed parameters to the logout 
endpoint\");\n\t\tgoto out;\n\t}\n\n\tlogout_token = apr_table_get(params, OIDC_PROTO_LOGOUT_TOKEN);\n\tif (logout_token == NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"backchannel lggout endpoint was called but could not find a parameter named \\\"%s\\\"\",\n\t\t\t\tOIDC_PROTO_LOGOUT_TOKEN);\n\t\tgoto out;\n\t}\n\n\t// TODO: jwk symmetric key based on provider\n\t// TODO: share more code with regular id_token validation and unsolicited state\n\n\tif (oidc_jwt_parse(r->pool, logout_token, &jwt,\n\t\t\toidc_util_merge_symmetric_key(r->pool, cfg->private_keys, NULL),\n\t\t\t&err) == FALSE) {\n\t\toidc_error(r, \"oidc_jwt_parse failed: %s\", oidc_jose_e2s(r->pool, err));\n\t\tgoto out;\n\t}\n\n\tprovider = oidc_get_provider_for_issuer(r, cfg, jwt->payload.iss, FALSE);\n\tif (provider == NULL) {\n\t\toidc_error(r, \"no provider found for issuer: %s\", jwt->payload.iss);\n\t\tgoto out;\n\t}\n\n\t// TODO: destroy the JWK used for decryption\n\n\tjwk = NULL;\n\tif (oidc_util_create_symmetric_key(r, provider->client_secret, 0,\n\t\t\tNULL, TRUE, &jwk) == FALSE)\n\t\treturn FALSE;\n\n\toidc_jwks_uri_t jwks_uri = { provider->jwks_uri,\n\t\t\tprovider->jwks_refresh_interval, provider->ssl_validate_server };\n\tif (oidc_proto_jwt_verify(r, cfg, jwt, &jwks_uri,\n\t\t\toidc_util_merge_symmetric_key(r->pool, NULL, jwk)) == FALSE) {\n\n\t\toidc_error(r, \"id_token signature could not be validated, aborting\");\n\t\tgoto out;\n\t}\n\n\t// oidc_proto_validate_idtoken would try and require a token binding cnf\n\t// if the policy is set to \"required\", so don't use that here\n\n\tif (oidc_proto_validate_jwt(r, jwt, provider->issuer, FALSE, FALSE,\n\t\t\tprovider->idtoken_iat_slack,\n\t\t\tOIDC_TOKEN_BINDING_POLICY_DISABLED) == FALSE)\n\t\tgoto out;\n\n\t/* verify the \"aud\" and \"azp\" values */\n\tif (oidc_proto_validate_aud_and_azp(r, cfg, provider,\n\t\t\t&jwt->payload) == FALSE)\n\t\tgoto out;\n\n\tjson_t *events = 
json_object_get(jwt->payload.value.json,\n\t\t\tOIDC_CLAIM_EVENTS);\n\tif (events == NULL) {\n\t\toidc_error(r, \"\\\"%s\\\" claim could not be found in logout token\",\n\t\t\t\tOIDC_CLAIM_EVENTS);\n\t\tgoto out;\n\t}\n\n\tjson_t *blogout = json_object_get(events, OIDC_EVENTS_BLOGOUT_KEY);\n\tif (!json_is_object(blogout)) {\n\t\toidc_error(r, \"\\\"%s\\\" object could not be found in \\\"%s\\\" claim\",\n\t\t\t\tOIDC_EVENTS_BLOGOUT_KEY, OIDC_CLAIM_EVENTS);\n\t\tgoto out;\n\t}\n\n\tchar *nonce = NULL;\n\toidc_json_object_get_string(r->pool, jwt->payload.value.json,\n\t\t\tOIDC_CLAIM_NONCE, &nonce, NULL);\n\tif (nonce != NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"rejecting logout request/token since it contains a \\\"%s\\\" claim\",\n\t\t\t\tOIDC_CLAIM_NONCE);\n\t\tgoto out;\n\t}\n\n\tchar *jti = NULL;\n\toidc_json_object_get_string(r->pool, jwt->payload.value.json,\n\t\t\tOIDC_CLAIM_JTI, &jti, NULL);\n\tif (jti != NULL) {\n\t\tchar *replay = NULL;\n\t\toidc_cache_get_jti(r, jti, &replay);\n\t\tif (replay != NULL) {\n\t\t\toidc_error(r,\n\t\t\t\t\t\"the \\\"%s\\\" value (%s) passed in logout token was found in the cache already; possible replay attack!?\",\n\t\t\t\t\tOIDC_CLAIM_JTI, jti);\n\t\t\tgoto out;\n\t\t}\n\t}\n\n\t/* jti cache duration is the configured replay prevention window for token issuance plus 10 seconds for safety */\n\tapr_time_t jti_cache_duration = apr_time_from_sec(\n\t\t\tprovider->idtoken_iat_slack * 2 + 10);\n\n\t/* store it in the cache for the calculated duration */\n\toidc_cache_set_jti(r, jti, jti, apr_time_now() + jti_cache_duration);\n\n\toidc_json_object_get_string(r->pool, jwt->payload.value.json,\n\t\t\tOIDC_CLAIM_EVENTS, &sid, NULL);\n\n\t// TODO: by-spec we should cater for the fact that \"sid\" has been provided\n\t// in the id_token returned in the authentication request, but \"sub\"\n\t// is used in the logout token but that requires a 2nd entry in the\n\t// cache and a separate session \"sub\" member, ugh; we'll just assume\n\t// 
that is \"sid\" is specified in the id_token, the OP will actually use\n\t// this for logout\n\t// (and probably call us multiple times or the same sub if needed)\n\n\toidc_json_object_get_string(r->pool, jwt->payload.value.json,\n\t\t\tOIDC_CLAIM_SID, &sid, NULL);\n\tif (sid == NULL)\n\t\tsid = jwt->payload.sub;\n\n\tif (sid == NULL) {\n\t\toidc_error(r, \"no \\\"sub\\\" and no \\\"sid\\\" claim found in logout token\");\n\t\tgoto out;\n\t}\n\n\t// TODO: when dealing with sub instead of a true sid, we'll be killing all sessions for\n\t// a specific user, across hosts that share the *same* cache backend\n\t// if those hosts haven't been configured with a different OIDCCryptoPassphrase\n\t// - perhaps that's even acceptable since non-memory caching is encrypted by default\n\t// and memory-based caching doesn't suffer from this (different shm segments)?\n\t// - it will result in 400 errors returned from backchannel logout calls to the other hosts...\n\n\tsid = oidc_make_sid_iss_unique(r, sid, provider->issuer);\n\toidc_cache_get_sid(r, sid, &uuid);\n\tif (uuid == NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"could not find session based on sid/sub provided in logout token: %s\",\n\t\t\t\tsid);\n\t\tgoto out;\n\t}\n\n\t// revoke tokens if we can get a handle on those\n\tif (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) {\n\t\tif (oidc_session_load_cache_by_uuid(r, cfg, uuid, &session) != FALSE)\n\t\t\tif (oidc_session_extract(r, &session) != FALSE)\n\t\t\t\toidc_revoke_tokens(r, cfg, &session);\n\t}\n\n\t// clear the session cache\n\toidc_cache_set_sid(r, sid, NULL, 0);\n\toidc_cache_set_session(r, uuid, NULL, 0);\n\n\trc = OK;\n\nout:\n\n\tif (jwk != NULL) {\n\t\toidc_jwk_destroy(jwk);\n\t\tjwk = NULL;\n\n\t}\n\tif (jwt != NULL) {\n\t\toidc_jwt_destroy(jwt);\n\t\tjwt = NULL;\n\t}\n\n\treturn rc;\n}", "project": "mod_auth_openidc", "hash": 297979592496130766523532140378277642857, "size": 183, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 
oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447692 }, { "func": "void *kmem_cache_alloc_node(struct kmem_cache *s, gfp_t gfpflags, int node)\n{\n\tvoid *ret = slab_alloc_node(s, gfpflags, node, _RET_IP_);\n\n\ttrace_kmem_cache_alloc_node(_RET_IP_, ret,\n\t\t\t\t s->object_size, s->size, gfpflags, node);\n\n\treturn ret;\n}", "project": "linux", "hash": 92103615608772172738579047247885047969, "size": 9, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280206 }, { "func": "R_API bool r_socket_connect(RSocket *s, const char *host, const char *port, int proto, unsigned int timeout) {\n\tr_return_val_if_fail (s, false);\n#if __WINDOWS__\n#define gai_strerror gai_strerrorA\n\tstruct sockaddr_in sa;\n\tWSADATA wsadata;\n\n\tif (WSAStartup (MAKEWORD (1, 1), &wsadata) == SOCKET_ERROR) {\n\t\teprintf (\"Error creating socket.\");\n\t\treturn false;\n\t}\n#endif\n\tint ret;\n\tstruct addrinfo hints = { 0 };\n\tstruct addrinfo *res, *rp;\n\tif (!proto) {\n\t\tproto = R_SOCKET_PROTO_TCP;\n\t}\n#if __UNIX__\n\tr_sys_signal (SIGPIPE, SIG_IGN);\n#endif\n\tif (proto == R_SOCKET_PROTO_UNIX) {\n#if __UNIX__\n\t\tif (!__connect_unix (s, host)) {\n\t\t\treturn false;\n\t\t}\n#endif\n\t} else 
{\n\t\thints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */\n\t\thints.ai_protocol = proto;\n\t\tint gai = getaddrinfo (host, port, &hints, &res);\n\t\tif (gai != 0) {\n\t\t\teprintf (\"r_socket_connect: Error in getaddrinfo: %s (%s:%s)\\n\",\n\t\t\t\tgai_strerror (gai), host, port);\n\t\t\treturn false;\n\t\t}\n\t\tfor (rp = res; rp != NULL; rp = rp->ai_next) {\n\t\t\tint flag = 1;\n\n\t\t\ts->fd = socket (rp->ai_family, rp->ai_socktype, rp->ai_protocol);\n\t\t\tif (s->fd == -1) {\n\t\t\t\tperror (\"socket\");\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tret = setsockopt (s->fd, IPPROTO_TCP, TCP_NODELAY, &flag, sizeof (flag));\n\t\t\tif (ret < 0) {\n\t\t\t\tperror (\"setsockopt\");\n\t\t\t\tclose (s->fd);\n\t\t\t\ts->fd = -1;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tr_socket_block_time (s, 0, 0, 0);\n\t\t\tret = connect (s->fd, rp->ai_addr, rp->ai_addrlen);\n\n\t\t\tif (ret == 0) {\n\t\t\t\tfreeaddrinfo (res);\n\t\t\t\treturn true;\n\t\t\t}\n\t\t\tif (errno == EINPROGRESS) {\n\t\t\t\tstruct timeval tv = {timeout, 0};\n\t\t\t\tfd_set wfds;\n\t\t\t\tFD_ZERO (&wfds);\n\t\t\t\tFD_SET (s->fd, &wfds);\n\n\t\t\t\tif ((ret = select (s->fd + 1, NULL, &wfds, NULL, &tv)) != -1) {\n\t\t\t\t\tif (r_socket_is_connected (s)) {\n\t\t\t\t\t\tfreeaddrinfo (res);\n\t\t\t\t\t\tgoto success;\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tperror (\"connect\");\n\t\t\t\t}\n\t\t\t}\n\t\t\tr_socket_close (s);\n\t\t}\n\t\tfreeaddrinfo (res);\n\t\tif (!rp) {\n\t\t\teprintf (\"Could not resolve address '%s' or failed to connect\\n\", host);\n\t\t\treturn false;\n\t\t}\n\t}\nsuccess:\n#if HAVE_LIB_SSL\n\tif (s->is_ssl) {\n\t\ts->ctx = SSL_CTX_new (SSLv23_client_method ());\n\t\tif (!s->ctx) {\n\t\t\tr_socket_close (s);\n\t\t\treturn false;\n\t\t}\n\t\ts->sfd = SSL_new (s->ctx);\n\t\tSSL_set_fd (s->sfd, s->fd);\n\t\tint ret = SSL_connect (s->sfd);\n\t\tif (ret != 1) {\n\t\t\tint error = SSL_get_error (s->sfd, ret);\n\t\t\tint tries = 10;\n\t\t\twhile (tries && ret && (error == SSL_ERROR_WANT_READ || error == 
SSL_ERROR_WANT_WRITE)) {\n\t\t\t\tstruct timeval tv = {1, 0};\n\t\t\t\tfd_set rfds, wfds;\n\t\t\t\tFD_ZERO (&rfds);\n\t\t\t\tFD_ZERO (&wfds);\n\t\t\t\tif (error == SSL_ERROR_WANT_READ) {\n\t\t\t\t\tFD_SET (s->fd, &rfds);\n\t\t\t\t} else {\n\t\t\t\t\tFD_SET (s->fd, &wfds);\n\t\t\t\t}\n\t\t\t\tif ((ret = select (s->fd + 1, &rfds, &wfds, NULL, &tv)) < 1) {\n\t\t\t\t\tr_socket_close (s);\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t\tret = SSL_connect (s->sfd);\n\t\t\t\tif (ret == 1) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t\terror = SSL_get_error (s->sfd, ret);\n\t\t\t\ttries--;\n\t\t\t}\n\t\t\tr_socket_close (s);\n\t\t\treturn false;\n\t\t}\n\t}\n#endif\n\treturn true;\n}", "project": "radare2", "hash": 297573451477756091809216346426819989553, "size": 124, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268893 }, { "func": "static inline bool req_ref_sub_and_test(struct io_kiocb *req, int refs)\n{\n\tWARN_ON_ONCE(req_ref_zero_or_close_to_overflow(req));\n\treturn atomic_sub_and_test(refs, &req->refs);\n}", "project": "linux", "hash": 229276124106624811745091863563025030384, "size": 5, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338552 }, { "func": "static int oidc_target_link_uri_matches_configuration(request_rec *r,\n\t\toidc_cfg *cfg, const char *target_link_uri) {\n\n\tapr_uri_t o_uri;\n\tapr_uri_parse(r->pool, target_link_uri, &o_uri);\n\tif (o_uri.hostname == NULL) {\n\t\toidc_error(r,\n\t\t\t\t\"could not parse the \\\"target_link_uri\\\" (%s) in to a valid URL: aborting.\",\n\t\t\t\ttarget_link_uri);\n\t\treturn FALSE;\n\t}\n\n\tapr_uri_t r_uri;\n\tapr_uri_parse(r->pool, oidc_get_redirect_uri(r, cfg), &r_uri);\n\n\tif (cfg->cookie_domain == NULL) {\n\t\t/* cookie_domain set: see if the target_link_uri matches the redirect_uri host (because the session cookie will be set host-wide) */\n\t\tif (apr_strnatcmp(o_uri.hostname, r_uri.hostname) != 0) {\n\t\t\tchar *p = strstr(o_uri.hostname, r_uri.hostname);\n\t\t\tif ((p == NULL) || (apr_strnatcmp(r_uri.hostname, p) != 0)) {\n\t\t\t\toidc_error(r,\n\t\t\t\t\t\t\"the URL hostname (%s) of the configured \" OIDCRedirectURI \" does not match the URL hostname of the \\\"target_link_uri\\\" (%s): aborting to prevent an open redirect.\",\n\t\t\t\t\t\tr_uri.hostname, o_uri.hostname);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t}\n\t} else {\n\t\t/* cookie_domain set: see if the target_link_uri is within the cookie_domain */\n\t\tchar *p = strstr(o_uri.hostname, cfg->cookie_domain);\n\t\tif ((p == NULL) || (apr_strnatcmp(cfg->cookie_domain, 
p) != 0)) {\n\t\t\toidc_error(r,\n\t\t\t\t\t\"the domain (%s) configured in \" OIDCCookieDomain \" does not match the URL hostname (%s) of the \\\"target_link_uri\\\" (%s): aborting to prevent an open redirect.\",\n\t\t\t\t\tcfg->cookie_domain, o_uri.hostname, target_link_uri);\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\t/* see if the cookie_path setting matches the target_link_uri path */\n\tchar *cookie_path = oidc_cfg_dir_cookie_path(r);\n\tif (cookie_path != NULL) {\n\t\tchar *p = (o_uri.path != NULL) ? strstr(o_uri.path, cookie_path) : NULL;\n\t\tif ((p == NULL) || (p != o_uri.path)) {\n\t\t\toidc_error(r,\n\t\t\t\t\t\"the path (%s) configured in \" OIDCCookiePath \" does not match the URL path (%s) of the \\\"target_link_uri\\\" (%s): aborting to prevent an open redirect.\",\n\t\t\t\t\tcfg->cookie_domain, o_uri.path, target_link_uri);\n\t\t\treturn FALSE;\n\t\t} else if (strlen(o_uri.path) > strlen(cookie_path)) {\n\t\t\tint n = strlen(cookie_path);\n\t\t\tif (cookie_path[n - 1] == OIDC_CHAR_FORWARD_SLASH)\n\t\t\t\tn--;\n\t\t\tif (o_uri.path[n] != OIDC_CHAR_FORWARD_SLASH) {\n\t\t\t\toidc_error(r,\n\t\t\t\t\t\t\"the path (%s) configured in \" OIDCCookiePath \" does not match the URL path (%s) of the \\\"target_link_uri\\\" (%s): aborting to prevent an open redirect.\",\n\t\t\t\t\t\tcfg->cookie_domain, o_uri.path, target_link_uri);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t}\n\t}\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 334084043826084140917622321513659646628, "size": 60, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381968 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " void InitializeDecoderSuccessfully() {\n decoder_->Initialize(\n NULL, NewExpectedStatusCB(PIPELINE_OK), 
NewStatisticsCB());\n message_loop_.RunAllPending();\n }\n", "cwe": "", "big_vul_idx": 113330, "idx": 101622, "hash": 160108223388241819649647985729443324781 }, { "func": "std::string getFilterConfig(bool use_local_jwks) {\n return getAuthFilterConfig(ExampleConfig, use_local_jwks);\n}", "project": "envoy", "hash": 32449710500981254022518420946046349523, "size": 3, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246619 }, { "func": "void SparseFillEmptyRowsOpImpl(OpKernelContext* context,\n AsyncOpKernel::DoneCallback done = nullptr) {\n // Note that setting this empty lambda as the default parameter value directly\n // can cause strange compiler/linker errors, so we do it like this instead.\n if (!done) {\n done = [] {};\n }\n\n const int kIndicesInput = 0;\n const int kValuesInput = 1;\n const int kDenseShapeInput = 2;\n const int kDefaultValueInput = 3;\n\n const Tensor& indices_t = context->input(kIndicesInput);\n const Tensor& values_t = context->input(kValuesInput);\n const Tensor& dense_shape_t = context->input(kDenseShapeInput);\n const Tensor& default_value_t = context->input(kDefaultValueInput);\n\n OP_REQUIRES_ASYNC(\n context, TensorShapeUtils::IsVector(dense_shape_t.shape()),\n errors::InvalidArgument(\"dense_shape must be a vector, saw: \",\n dense_shape_t.shape().DebugString()),\n done);\n OP_REQUIRES_ASYNC(context, TensorShapeUtils::IsMatrix(indices_t.shape()),\n errors::InvalidArgument(\"indices must be a matrix, saw: \",\n indices_t.shape().DebugString()),\n done);\n OP_REQUIRES_ASYNC(context, TensorShapeUtils::IsVector(values_t.shape()),\n errors::InvalidArgument(\"values must be a vector, saw: \",\n values_t.shape().DebugString()),\n done);\n OP_REQUIRES_ASYNC(\n context, TensorShapeUtils::IsScalar(default_value_t.shape()),\n 
errors::InvalidArgument(\"default_value must be a scalar, saw: \",\n default_value_t.shape().DebugString()),\n done);\n // TODO(ebrevdo): add shape checks between values, indices,\n // dense_shape. Also add check that dense rank > 0.\n\n using FunctorType = functor::SparseFillEmptyRows;\n OP_REQUIRES_OK_ASYNC(context,\n FunctorType()(context, default_value_t, indices_t,\n values_t, dense_shape_t, done),\n done);\n}", "project": "tensorflow", "hash": 25957290097876197179751003263353962696, "size": 45, "commit_id": "faa76f39014ed3b5e2c158593b1335522e573c7f", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseFillEmptyRows`.\n\nPiperOrigin-RevId: 372009178\nChange-Id: Ia1a9e9691ecaa072f32fb39a0887b2aabd399210", "target": 1, "dataset": "other", "idx": 196287 }, { "func": "static Variant new_socket_connect(const HostURL &hosturl, double timeout,\n const req::ptr& streamctx,\n Variant& errnum, Variant& errstr) {\n int domain = AF_UNSPEC;\n int type = SOCK_STREAM;\n auto const& scheme = hosturl.getScheme();\n req::ptr sock;\n req::ptr sslsock;\n std::string sockerr;\n int error;\n\n if (scheme == \"udp\" || scheme == \"udg\") {\n type = SOCK_DGRAM;\n }\n\n if (scheme == \"unix\" || scheme == \"udg\") {\n domain = AF_UNIX;\n }\n\n int fd = -1;\n if (domain == AF_UNIX) {\n sockaddr_storage sa_storage;\n struct sockaddr *sa_ptr;\n size_t sa_size;\n\n fd = socket(domain, type, 0);\n sock = req::make(\n fd, domain, hosturl.getHost().c_str(), hosturl.getPort(),\n 0, empty_string_ref, false);\n\n if (!set_sockaddr(sa_storage, sock, hosturl.getHost(),\n hosturl.getPort(), sa_ptr, sa_size)) {\n // set_sockaddr raises its own warning on failure\n return false;\n }\n if (connect_with_timeout(fd, sa_ptr, sa_size, timeout,\n hosturl, sockerr, error) != 0) {\n SOCKET_ERROR(sock, sockerr.c_str(), error);\n errnum = sock->getLastError();\n errstr = HHVM_FN(socket_strerror)(sock->getLastError());\n return false;\n }\n } else {\n struct addrinfo hints;\n memset(&hints, 0, 
sizeof(hints));\n hints.ai_family = domain;\n hints.ai_socktype = type;\n\n auto port = folly::to(hosturl.getPort());\n auto host = hosturl.getHost();\n\n struct addrinfo *aiHead;\n int errcode = getaddrinfo(host.c_str(), port.c_str(), &hints, &aiHead);\n if (errcode != 0) {\n errstr = String(gai_strerror(errcode), CopyString);\n return false;\n }\n SCOPE_EXIT { freeaddrinfo(aiHead); };\n\n for (struct addrinfo *ai = aiHead; ai != nullptr; ai = ai->ai_next) {\n domain = ai->ai_family;\n fd = socket(domain, ai->ai_socktype, ai->ai_protocol);\n if (fd == -1) {\n continue;\n }\n\n if (connect_with_timeout(fd, ai->ai_addr, ai->ai_addrlen, timeout,\n hosturl, sockerr, error) == 0) {\n break;\n }\n close(fd);\n fd = -1;\n }\n\n sslsock = SSLSocket::Create(fd, domain, hosturl, timeout, streamctx, false);\n if (sslsock) {\n sock = sslsock;\n } else {\n sock = req::make(fd,\n domain,\n hosturl.getHost().c_str(),\n hosturl.getPort(),\n 0,\n empty_string_ref,\n false);\n }\n }\n\n if (!sock->valid()) {\n SOCKET_ERROR(sock,\n sockerr.empty() ? 
\"unable to create socket\" : sockerr.c_str(), error);\n errnum = sock->getLastError();\n errstr = HHVM_FN(socket_strerror)(sock->getLastError());\n return false;\n }\n\n if (sslsock && !sslsock->onConnect()) {\n raise_warning(\"Failed to enable crypto\");\n return false;\n }\n\n return Variant(std::move(sock));\n}", "project": "hhvm", "hash": 233362502255304721802592629087797481285, "size": 103, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219305 }, { "func": "\nstatic void bfq_exit_queue(struct elevator_queue *e)\n{\n\tstruct bfq_data *bfqd = e->elevator_data;\n\tstruct bfq_queue *bfqq, *n;\n\n\thrtimer_cancel(&bfqd->idle_slice_timer);\n\n\tspin_lock_irq(&bfqd->lock);\n\tlist_for_each_entry_safe(bfqq, n, &bfqd->idle_list, bfqq_list)\n\t\tbfq_deactivate_bfqq(bfqd, bfqq, false, false);\n\tspin_unlock_irq(&bfqd->lock);\n\n\thrtimer_cancel(&bfqd->idle_slice_timer);\n\n\t/* release oom-queue reference to root group */\n\tbfqg_and_blkg_put(bfqd->root_group);\n\n#ifdef CONFIG_BFQ_GROUP_IOSCHED\n\tblkcg_deactivate_policy(bfqd->queue, &blkcg_policy_bfq);\n#else\n\tspin_lock_irq(&bfqd->lock);\n\tbfq_put_async_queues(bfqd, bfqd->root_group);\n\tkfree(bfqd->root_group);\n\tspin_unlock_irq(&bfqd->lock);\n#endif\n\n\tkfree(bfqd);", "project": "linux", "hash": 130665974121228192765876764004486011398, "size": 28, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. 
So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] 
bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 
mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453339 }, { "func": "static int ctnetlink_exp_dump_mask(struct sk_buff *skb,\n\t\t\t\t const struct nf_conntrack_tuple *tuple,\n\t\t\t\t const struct nf_conntrack_tuple_mask *mask)\n{\n\tconst struct nf_conntrack_l4proto *l4proto;\n\tstruct nf_conntrack_tuple m;\n\tstruct nlattr *nest_parms;\n\tint ret;\n\n\tmemset(&m, 0xFF, sizeof(m));\n\tmemcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));\n\tm.src.u.all = mask->src.u.all;\n\tm.dst.protonum = tuple->dst.protonum;\n\n\tnest_parms = nla_nest_start(skb, 
CTA_EXPECT_MASK);\n\tif (!nest_parms)\n\t\tgoto nla_put_failure;\n\n\trcu_read_lock();\n\tret = ctnetlink_dump_tuples_ip(skb, &m);\n\tif (ret >= 0) {\n\t\tl4proto = nf_ct_l4proto_find(tuple->dst.protonum);\n\t\tret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);\n\t}\n\trcu_read_unlock();\n\n\tif (unlikely(ret < 0))\n\t\tgoto nla_put_failure;\n\n\tnla_nest_end(skb, nest_parms);\n\n\treturn 0;\n\nnla_put_failure:\n\treturn -1;\n}", "project": "linux", "hash": 57341541006715237275340976713533589923, "size": 36, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. 
MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394267 }, { "func": "void SFDFixupRefs(SplineFont *sf) {\n int i, isv;\n RefChar *refs, *rnext, *rprev;\n /*int isautorecovery = sf->changed;*/\n KernPair *kp, *prev, *next;\n EncMap *map = sf->map;\n int layer;\n int k,l;\n SplineFont *cidmaster = sf, *ksf;\n\n k = 1;\n if ( sf->subfontcnt!=0 )\n\tsf = sf->subfonts[0];\n\n ff_progress_change_line2(_(\"Interpreting Glyphs\"));\n for (;;) {\n\tfor ( i=0; iglyphcnt; ++i ) if ( sf->glyphs[i]!=NULL ) {\n\t SplineChar *sc = sf->glyphs[i];\n\t /* A changed character is one that has just been recovered */\n\t /* unchanged characters will already have been fixed up */\n\t /* Er... maybe not. 
If the character being recovered is refered to */\n\t /* by another character then we need to fix up that other char too*/\n\t /*if ( isautorecovery && !sc->changed )*/\n\t/*continue;*/\n\t for ( layer = 0; layerlayer_cnt; ++layer ) {\n\t\trprev = NULL;\n\t\tfor ( refs = sc->layers[layer].refs; refs!=NULL; refs=rnext ) {\n\t\t rnext = refs->next;\n\t\t if ( refs->encoded ) {\t\t/* Old sfd format */\n\t\t\tif ( refs->orig_posencmax && map->map[refs->orig_pos]!=-1 )\n\t\t\t refs->orig_pos = map->map[refs->orig_pos];\n\t\t\telse\n\t\t\t refs->orig_pos = sf->glyphcnt;\n\t\t\trefs->encoded = false;\n\t\t }\n\t\t if ( refs->orig_posglyphcnt && refs->orig_pos>=0 )\n\t\t\trefs->sc = sf->glyphs[refs->orig_pos];\n\t\t if ( refs->sc!=NULL ) {\n\t\t\trefs->unicode_enc = refs->sc->unicodeenc;\n\t\t\trefs->adobe_enc = getAdobeEnc(refs->sc->name);\n\t\t\trprev = refs;\n\t\t\tif ( refs->use_my_metrics ) {\n\t\t\t if ( sc->width != refs->sc->width ) {\n\t\t\t\tLogError(_(\"Bad sfd file. Glyph %s has width %d even though it should be\\n bound to the width of %s which is %d.\\n\"),\n\t\t\t\t\tsc->name, sc->width, refs->sc->name, refs->sc->width );\n\t\t\t\tsc->width = refs->sc->width;\n\t\t\t }\n\t\t\t}\n\t\t } else {\n\t\t\tRefCharFree(refs);\n\t\t\tif ( rprev!=NULL )\n\t\t\t rprev->next = rnext;\n\t\t\telse\n\t\t\t sc->layers[layer].refs = rnext;\n\t\t }\n\t\t}\n\t }\n\t /* In old sfd files we used a peculiar idiom to represent a multiply */\n\t /* encoded glyph. Fix it up now. 
Remove the fake glyph and adjust the*/\n\t /* map */\n\t /*if ( isautorecovery && !sc->changed )*/\n\t/*continue;*/\n\t for ( isv=0; isv<2; ++isv ) {\n\t\tfor ( prev = NULL, kp=isv?sc->vkerns : sc->kerns; kp!=NULL; kp=next ) {\n\t\t int index = (intpt) (kp->sc);\n\n\t\t next = kp->next;\n\t\t // be impotent if the reference is already to the correct location\n if ( !kp->kcid ) {\t/* It's encoded (old sfds), else orig */\n if ( index>=map->encmax || map->map[index]==-1 )\n index = sf->glyphcnt;\n else\n index = map->map[index];\n }\n kp->kcid = false;\n ksf = sf;\n if ( cidmaster!=sf ) {\n for ( l=0; lsubfontcnt; ++l ) {\n ksf = cidmaster->subfonts[l];\n if ( indexglyphcnt && ksf->glyphs[index]!=NULL )\n break;\n }\n }\n if ( index>=ksf->glyphcnt || ksf->glyphs[index]==NULL ) {\n IError( \"Bad kerning information in glyph %s\\n\", sc->name );\n kp->sc = NULL;\n } else {\n kp->sc = ksf->glyphs[index];\n }\n\n\t\t if ( kp->sc!=NULL )\n\t\t\tprev = kp;\n\t\t else{\n\t\t\tif ( prev!=NULL )\n\t\t\t prev->next = next;\n\t\t\telse if ( isv )\n\t\t\t sc->vkerns = next;\n\t\t\telse\n\t\t\t sc->kerns = next;\n\t\t\tchunkfree(kp,sizeof(KernPair));\n\t\t }\n\t\t}\n\t }\n\t if ( SCDuplicate(sc)!=sc ) {\n\t\tSplineChar *base = SCDuplicate(sc);\n\t\tint orig = sc->orig_pos, enc = sf->map->backmap[orig], uni = sc->unicodeenc;\n\t\tSplineCharFree(sc);\n\t\tsf->glyphs[i]=NULL;\n\t\tsf->map->backmap[orig] = -1;\n\t\tsf->map->map[enc] = base->orig_pos;\n\t\tAltUniAdd(base,uni);\n\t }\n\t}\n\tfor ( i=0; iglyphcnt; ++i ) if ( sf->glyphs[i]!=NULL ) {\n\t SplineChar *sc = sf->glyphs[i];\n\t for ( layer=0; layerlayer_cnt; ++layer ) {\n\t\tfor ( refs = sf->glyphs[i]->layers[layer].refs; refs!=NULL; refs=refs->next ) {\n\t\t SFDFixupRef(sf->glyphs[i],refs,layer);\n\t\t}\n\t }\n\t ff_progress_next();\n\t}\n\tif ( sf->cidmaster==NULL )\n\t for ( i=sf->glyphcnt-1; i>=0 && sf->glyphs[i]==NULL; --i )\n\t\tsf->glyphcnt = i;\n\tif ( k>=cidmaster->subfontcnt )\n break;\n\tsf = 
cidmaster->subfonts[k++];\n }\n}", "project": "fontforge", "hash": 4942669271345712028462695450940309424, "size": 130, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417878 }, { "func": "FastHufDecoder::decode\n (const unsigned char *src,\n int numSrcBits,\n unsigned short *dst, \n int numDstElems)\n{\n if (numSrcBits < 128)\n throw IEX_NAMESPACE::InputExc (\"Error choosing Huffman decoder implementation \"\n \"(insufficient number of bits).\");\n\n //\n // Current position (byte/bit) in the src data stream\n // (after the first buffer fill)\n //\n\n const unsigned char *currByte = src + 2 * sizeof (Int64);\n\n numSrcBits -= 8 * 2 * sizeof (Int64);\n\n //\n // 64-bit buffer holding the current bits in the stream\n //\n\n Int64 buffer = READ64 (src); \n int bufferNumBits = 64;\n\n //\n // 64-bit buffer holding the next bits in the stream\n //\n\n Int64 bufferBack = READ64 ((src + sizeof (Int64))); \n int bufferBackNumBits = 64;\n\n int dstIdx = 0;\n\n while (dstIdx < numDstElems)\n {\n int codeLen;\n int symbol;\n\n //\n // Test if we can be table accelerated. If so, directly\n // lookup the output symbol. Otherwise, we need to fall\n // back to searching for the code.\n //\n // If we're doing table lookups, we don't really need\n // a re-filled buffer, so long as we have TABLE_LOOKUP_BITS\n // left. But for a search, we do need a refilled table.\n //\n\n if (_tableMin <= buffer)\n {\n int tableIdx = buffer >> (64 - TABLE_LOOKUP_BITS);\n\n // \n // For invalid codes, _tableCodeLen[] should return 0. 
This\n // will cause the decoder to get stuck in the current spot\n // until we run out of elements, then barf that the codestream\n // is bad. So we don't need to stick a condition like\n // if (codeLen > _maxCodeLength) in this inner.\n //\n\n codeLen = _tableCodeLen[tableIdx];\n symbol = _tableSymbol[tableIdx];\n }\n else\n {\n if (bufferNumBits < 64)\n {\n refill (buffer,\n 64 - bufferNumBits,\n bufferBack,\n bufferBackNumBits,\n currByte,\n numSrcBits);\n\n bufferNumBits = 64;\n }\n\n // \n // Brute force search: \n // Find the smallest length where _ljBase[length] <= buffer\n //\n\n codeLen = TABLE_LOOKUP_BITS + 1;\n\n while (_ljBase[codeLen] > buffer && codeLen <= _maxCodeLength)\n codeLen++;\n\n if (codeLen > _maxCodeLength)\n {\n throw IEX_NAMESPACE::InputExc (\"Huffman decode error \"\n \"(Decoded an invalid symbol).\");\n }\n\n Int64 id = _ljOffset[codeLen] + (buffer >> (64 - codeLen));\n if (id < static_cast(_numSymbols))\n {\n symbol = _idToSymbol[id];\n }\n else\n {\n throw IEX_NAMESPACE::InputExc (\"Huffman decode error \"\n \"(Decoded an invalid symbol).\");\n }\n }\n\n //\n // Shift over bit stream, and update the bit count in the buffer\n //\n\n buffer = buffer << codeLen;\n bufferNumBits -= codeLen;\n\n //\n // If we recieved a RLE symbol (_rleSymbol), then we need\n // to read ahead 8 bits to know how many times to repeat\n // the previous symbol. 
Need to ensure we at least have\n // 8 bits of data in the buffer\n //\n\n if (symbol == _rleSymbol)\n {\n if (bufferNumBits < 8)\n {\n refill (buffer,\n 64 - bufferNumBits,\n bufferBack,\n bufferBackNumBits,\n currByte,\n numSrcBits);\n\n bufferNumBits = 64;\n }\n\n int rleCount = buffer >> 56;\n\n if (dstIdx < 1)\n {\n throw IEX_NAMESPACE::InputExc (\"Huffman decode error (RLE code \"\n \"with no previous symbol).\");\n }\n\n if (dstIdx + rleCount > numDstElems)\n {\n throw IEX_NAMESPACE::InputExc (\"Huffman decode error (Symbol run \"\n \"beyond expected output buffer length).\");\n }\n\n if (rleCount <= 0) \n {\n throw IEX_NAMESPACE::InputExc(\"Huffman decode error\"\n \" (Invalid RLE length)\");\n }\n\n for (int i = 0; i < rleCount; ++i)\n dst[dstIdx + i] = dst[dstIdx - 1];\n\n dstIdx += rleCount;\n\n buffer = buffer << 8;\n bufferNumBits -= 8;\n }\n else\n {\n dst[dstIdx] = symbol;\n dstIdx++;\n }\n\n //\n // refill bit stream buffer if we're below the number of \n // bits needed for a table lookup\n //\n\n if (bufferNumBits < TABLE_LOOKUP_BITS)\n {\n refill (buffer,\n 64 - bufferNumBits,\n bufferBack,\n bufferBackNumBits,\n currByte,\n numSrcBits);\n\n bufferNumBits = 64;\n }\n }\n\n if (numSrcBits != 0)\n {\n throw IEX_NAMESPACE::InputExc (\"Huffman decode error (Compressed data remains \"\n \"after filling expected output buffer).\");\n }\n}", "project": "openexr", "hash": 307877920882410765510628882921659932311, "size": 193, "commit_id": "c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f", "message": "compute Huf codelengths using 64 bit to prevent shift overflow\n\nSigned-off-by: Peter Hillman ", "target": 0, "dataset": "other", "idx": 413447 }, { "func": "static void input_pass_event(struct input_dev *dev,\n\t\t\t unsigned int type, unsigned int code, int value)\n{\n\tstruct input_value vals[] = { { type, code, value } };\n\n\tinput_pass_values(dev, vals, ARRAY_SIZE(vals));\n}", "project": "linux", "hash": 131049711521956545094729422291708361391, "size": 7, 
"commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353364 }, { "func": "static int init_cache_random_seq(struct kmem_cache *s)\n{\n\tunsigned int count = oo_objects(s->oo);\n\tint err;\n\n\t/* Bailout if already initialised */\n\tif (s->random_seq)\n\t\treturn 0;\n\n\terr = cache_random_seq_create(s, count, GFP_KERNEL);\n\tif (err) {\n\t\tpr_err(\"SLUB: Unable to initialize free list for %s\\n\",\n\t\t\ts->name);\n\t\treturn err;\n\t}\n\n\t/* Transform to an offset on the set of pages */\n\tif (s->random_seq) {\n\t\tunsigned int i;\n\n\t\tfor (i = 0; i < count; i++)\n\t\t\ts->random_seq[i] *= s->size;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 6075266951060645368335953274688210281, "size": 25, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280019 }, { "func": "static inline int init_cache_random_seq(struct kmem_cache *s)\n{\n\treturn 0;\n}", "project": "linux", "hash": 321360499504733056075433950899083328040, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280101 }, { "func": "OPJ_BOOL opj_tcd_init(opj_tcd_t *p_tcd,\n opj_image_t * p_image,\n opj_cp_t * p_cp,\n opj_thread_pool_t* p_tp)\n{\n p_tcd->image = p_image;\n p_tcd->cp = p_cp;\n\n p_tcd->tcd_image->tiles = (opj_tcd_tile_t *) opj_calloc(1,\n sizeof(opj_tcd_tile_t));\n if (! p_tcd->tcd_image->tiles) {\n return OPJ_FALSE;\n }\n\n p_tcd->tcd_image->tiles->comps = (opj_tcd_tilecomp_t *) opj_calloc(\n p_image->numcomps, sizeof(opj_tcd_tilecomp_t));\n if (! 
p_tcd->tcd_image->tiles->comps) {\n return OPJ_FALSE;\n }\n\n p_tcd->tcd_image->tiles->numcomps = p_image->numcomps;\n p_tcd->tp_pos = p_cp->m_specific_param.m_enc.m_tp_pos;\n p_tcd->thread_pool = p_tp;\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 102488625647419660272057529779004584652, "size": 26, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359153 }, { "func": "static bool sig_task_ignored(struct task_struct *t, int sig, bool force)\n{\n\tvoid __user *handler;\n\n\thandler = sig_handler(t, sig);\n\n\t/* SIGKILL and SIGSTOP may not be sent to the global init */\n\tif (unlikely(is_global_init(t) && sig_kernel_only(sig)))\n\t\treturn true;\n\n\tif (unlikely(t->signal->flags & SIGNAL_UNKILLABLE) &&\n\t handler == SIG_DFL && !(force && sig_kernel_only(sig)))\n\t\treturn true;\n\n\t/* Only allow kernel generated signals to this kthread */\n\tif (unlikely((t->flags & PF_KTHREAD) &&\n\t\t (handler == SIG_KTHREAD_KERNEL) && !force))\n\t\treturn true;\n\n\treturn sig_handler_ignored(handler, sig);\n}", "project": "linux", "hash": 45970298868599490285749911149303942827, "size": 21, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375325 }, { "func": "void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)\n{\n\t/* keep them as 32bits */\n\tlong x, y, inc;\n\tlong dx, dy,tmp;\n\n\tif (y1 < 0 && y2 < 0) {\n\t\treturn;\n\t}\n\tif (y1 < 0) {\n\t\tx1 += (y1 * (x1 - x2)) / (y2 - y1);\n\t\ty1 = 0;\n\t}\n\tif (y2 < 0) {\n\t\tx2 += (y2 * (x1 - x2)) / (y2 - y1);\n\t\ty2 = 0;\n\t}\n\n\t/* bottom edge */\n\tif (y1 >= im->sy && y2 >= im->sy) {\n\t\treturn;\n\t}\n\tif (y1 >= im->sy) {\n\t\tx1 -= ((im->sy - y1) * (x1 - x2)) / (y2 - y1);\n\t\ty1 = im->sy - 1;\n\t}\n\tif (y2 >= im->sy) {\n\t\tx2 -= ((im->sy - y2) * (x1 - x2)) / (y2 - y1);\n\t\ty2 = im->sy - 1;\n\t}\n\n\t/* left edge */\n\tif (x1 < 0 && x2 < 0) {\n\t\treturn;\n\t}\n\tif (x1 < 0) {\n\t\ty1 += (x1 * (y1 - y2)) / (x2 - x1);\n\t\tx1 = 0;\n\t}\n\tif (x2 < 0) {\n\t\ty2 += (x2 * (y1 - y2)) / (x2 - x1);\n\t\tx2 = 0;\n\t}\n\t/* right edge */\n\tif (x1 >= im->sx && x2 >= im->sx) {\n\t\treturn;\n\t}\n\tif (x1 >= im->sx) {\n\t\ty1 -= ((im->sx - x1) * (y1 - y2)) / (x2 - x1);\n\t\tx1 = im->sx 
- 1;\n\t}\n\tif (x2 >= im->sx) {\n\t\ty2 -= ((im->sx - x2) * (y1 - y2)) / (x2 - x1);\n\t\tx2 = im->sx - 1;\n\t}\n\n\tdx = x2 - x1;\n\tdy = y2 - y1;\n\n\tif (dx == 0 && dy == 0) {\n\t\treturn;\n\t}\n\tif (abs(dx) > abs(dy)) {\n\t\tif (dx < 0) {\n\t\t\ttmp = x1;\n\t\t\tx1 = x2;\n\t\t\tx2 = tmp;\n\t\t\ttmp = y1;\n\t\t\ty1 = y2;\n\t\t\ty2 = tmp;\n\t\t\tdx = x2 - x1;\n\t\t\tdy = y2 - y1;\n\t\t}\n\t\tx = x1 << 16;\n\t\ty = y1 << 16;\n\t\tinc = (dy * 65536) / dx;\n\t\twhile ((x >> 16) <= x2) {\n\t\t\tgdImageSetAAPixelColor(im, x >> 16, y >> 16, col, (y >> 8) & 0xFF);\n\t\t\tif ((y >> 16) + 1 < im->sy) {\n\t\t\t\tgdImageSetAAPixelColor(im, x >> 16, (y >> 16) + 1,col, (~y >> 8) & 0xFF);\n\t\t\t}\n\t\t\tx += (1 << 16);\n\t\t\ty += inc;\n\t\t}\n\t} else {\n\t\tif (dy < 0) {\n\t\t\ttmp = x1;\n\t\t\tx1 = x2;\n\t\t\tx2 = tmp;\n\t\t\ttmp = y1;\n\t\t\ty1 = y2;\n\t\t\ty2 = tmp;\n\t\t\tdx = x2 - x1;\n\t\t\tdy = y2 - y1;\n\t\t}\n\t\tx = x1 << 16;\n\t\ty = y1 << 16;\n\t\tinc = (dx * 65536) / dy;\n\t\twhile ((y>>16) <= y2) {\n\t\t\tgdImageSetAAPixelColor(im, x >> 16, y >> 16, col, (x >> 8) & 0xFF);\n\t\t\tif ((x >> 16) + 1 < im->sx) {\n\t\t\t\tgdImageSetAAPixelColor(im, (x >> 16) + 1, (y >> 16),col, (~x >> 8) & 0xFF);\n\t\t\t}\n\t\t\tx += inc;\n\t\t\ty += (1<<16);\n\t\t}\n\t}\n}", "project": "php-src", "hash": 88241849846254278738107698997779765695, "size": 108, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295120 }, { "func": "int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat)\n{\n\tchar *full_alg_name;\n\tint rc = -EINVAL;\n\n\tif (!crypt_stat->cipher) {\n\t\tecryptfs_printk(KERN_ERR, \"No cipher specified\\n\");\n\t\tgoto out;\n\t}\n\tecryptfs_printk(KERN_DEBUG,\n\t\t\t\"Initializing cipher [%s]; strlen = [%d]; \"\n\t\t\t\"key_size_bits = [%d]\\n\",\n\t\t\tcrypt_stat->cipher, 
(int)strlen(crypt_stat->cipher),\n\t\t\tcrypt_stat->key_size << 3);\n\tif (crypt_stat->tfm) {\n\t\trc = 0;\n\t\tgoto out;\n\t}\n\tmutex_lock(&crypt_stat->cs_tfm_mutex);\n\trc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name,\n\t\t\t\t\t\t crypt_stat->cipher, \"cbc\");\n\tif (rc)\n\t\tgoto out_unlock;\n\tcrypt_stat->tfm = crypto_alloc_blkcipher(full_alg_name, 0,\n\t\t\t\t\t\t CRYPTO_ALG_ASYNC);\n\tkfree(full_alg_name);\n\tif (IS_ERR(crypt_stat->tfm)) {\n\t\trc = PTR_ERR(crypt_stat->tfm);\n\t\tecryptfs_printk(KERN_ERR, \"cryptfs: init_crypt_ctx(): \"\n\t\t\t\t\"Error initializing cipher [%s]\\n\",\n\t\t\t\tcrypt_stat->cipher);\n\t\tgoto out_unlock;\n\t}\n\tcrypto_blkcipher_set_flags(crypt_stat->tfm, CRYPTO_TFM_REQ_WEAK_KEY);\n\trc = 0;\nout_unlock:\n\tmutex_unlock(&crypt_stat->cs_tfm_mutex);\nout:\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 5995539926338790567107160842907798946, "size": 40, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. 
This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490169 }, { "func": "static void nfs4_xdr_enc_delegreturn(struct rpc_rqst *req,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs4_delegreturnargs *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fhandle, &hdr);\n\tif (args->lr_args)\n\t\tencode_layoutreturn(xdr, args->lr_args, &hdr);\n\tif (args->bitmask)\n\t\tencode_getfattr(xdr, args->bitmask, &hdr);\n\tencode_delegreturn(xdr, args->stateid, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 260024894707927110795422432372587501702, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, 
"dataset": "other", "idx": 431503 }, { "func": "gdImagePtr gdImageCreateFromXpm (char *filename)\n{\n\tXpmInfo info;\n\tXpmImage image;\n\tint i, j, k, number;\n\tchar buf[5];\n\tgdImagePtr im = 0;\n\tint *pointer;\n\tint red = 0, green = 0, blue = 0;\n\tint *colors;\n\tint ret;\n\n\tret = XpmReadFileToXpmImage(filename, &image, &info);\n\tif (ret != XpmSuccess) {\n\t\treturn 0;\n\t}\n\n\tif (!(im = gdImageCreate(image.width, image.height))) {\n\t\tgoto done;\n\t}\n\n\tnumber = image.ncolors;\n\tcolors = (int *) safe_emalloc(number, sizeof(int), 0);\n\tfor (i = 0; i < number; i++) {\n\t\tswitch (strlen (image.colorTable[i].c_color)) {\n\t\t\tcase 4:\n\t\t\t\tbuf[1] = '\\0';\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[1];\n\t\t\t\tred = strtol(buf, NULL, 16);\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[2];\n\t\t\t\tgreen = strtol(buf, NULL, 16);\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[3];\n\t\t\t\tblue = strtol(buf, NULL, 16);\n\t\t\t\tbreak;\n\n\t\t\tcase 7:\n\t\t\t\tbuf[2] = '\\0';\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[1];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[2];\n\t\t\t\tred = strtol(buf, NULL, 16);\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[3];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[4];\n\t\t\t\tgreen = strtol(buf, NULL, 16);\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[5];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[6];\n\t\t\t\tblue = strtol(buf, NULL, 16);\n\t\t\t\tbreak;\n\n\t\t\tcase 10:\n\t\t\t\tbuf[3] = '\\0';\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[1];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[2];\n\t\t\t\tbuf[2] = image.colorTable[i].c_color[3];\n\t\t\t\tred = strtol(buf, NULL, 16);\n\t\t\t\tred /= 64;\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[4];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[5];\n\t\t\t\tbuf[2] = image.colorTable[i].c_color[6];\n\t\t\t\tgreen = strtol(buf, NULL, 16);\n\t\t\t\tgreen /= 64;\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[7];\n\t\t\t\tbuf[1] = 
image.colorTable[i].c_color[8];\n\t\t\t\tbuf[2] = image.colorTable[i].c_color[9];\n\t\t\t\tblue = strtol(buf, NULL, 16);\n\t\t\t\tblue /= 64;\n\t\t\t\tbreak;\n\n\t\t\tcase 13:\n\t\t\t\tbuf[4] = '\\0';\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[1];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[2];\n\t\t\t\tbuf[2] = image.colorTable[i].c_color[3];\n\t\t\t\tbuf[3] = image.colorTable[i].c_color[4];\n\t\t\t\tred = strtol(buf, NULL, 16);\n\t\t\t\tred /= 256;\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[5];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[6];\n\t\t\t\tbuf[2] = image.colorTable[i].c_color[7];\n\t\t\t\tbuf[3] = image.colorTable[i].c_color[8];\n\t\t\t\tgreen = strtol(buf, NULL, 16);\n\t\t\t\tgreen /= 256;\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[9];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[10];\n\t\t\t\tbuf[2] = image.colorTable[i].c_color[11];\n\t\t\t\tbuf[3] = image.colorTable[i].c_color[12];\n\t\t\t\tblue = strtol(buf, NULL, 16);\n\t\t\t\tblue /= 256;\n\t\t\t\tbreak;\n\t\t}\n\n\n\t\tcolors[i] = gdImageColorResolve(im, red, green, blue);\n\t}\n\n\tpointer = (int *) image.data;\n\tfor (i = 0; i < image.height; i++) {\n\t\tfor (j = 0; j < image.width; j++) {\n\t\t\tk = *pointer++;\n\t\t\tgdImageSetPixel(im, j, i, colors[k]);\n\t\t}\n\t}\n\n\tgdFree(colors);\n done:\n\tXpmFreeXpmImage(&image);\n\tXpmFreeXpmInfo(&info);\n\treturn im;\n}", "project": "php-src", "hash": 52478760808659547393823496374843686575, "size": 116, "commit_id": "cf4753691dc55999373d1c576f62ecb298723420", "message": "Fixed Bug #66901 php-gd 'c_color' NULL pointer dereference\n\nUpstream https://bitbucket.org/libgd/gd-libgd/commits/463c3bd09bfe8e924e19acad7a2a6af16953a704\n\nNotice: this fix don't manage monochrome/monovisual values\nbut just fix the security issue CVE-2014-2497\nfailing when trying to load such an image", "target": 1, "dataset": "other", "idx": 200525 }, { "func": "gdImagePtr gdImageCreateFromXpm (char *filename)\n{\n\tXpmInfo info;\n\tXpmImage image;\n\tint 
i, j, k, number;\n\tchar buf[5];\n\tgdImagePtr im = 0;\n\tint *pointer;\n\tint red = 0, green = 0, blue = 0;\n\tint *colors;\n\tint ret;\n\n\tret = XpmReadFileToXpmImage(filename, &image, &info);\n\tif (ret != XpmSuccess) {\n\t\treturn 0;\n\t}\n\tnumber = image.ncolors;\n\tfor(i = 0; i < number; i++) {\n\t\tif (!image.colorTable[i].c_color) {\n\t\t\tgoto done;\n\t\t}\n\t}\n\n\tif (!(im = gdImageCreate(image.width, image.height))) {\n\t\tgoto done;\n\t}\n\n\tcolors = (int *) safe_emalloc(number, sizeof(int), 0);\n\tfor (i = 0; i < number; i++) {\n\t\tswitch (strlen (image.colorTable[i].c_color)) {\n\t\t\tcase 4:\n\t\t\t\tbuf[1] = '\\0';\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[1];\n\t\t\t\tred = strtol(buf, NULL, 16);\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[2];\n\t\t\t\tgreen = strtol(buf, NULL, 16);\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[3];\n\t\t\t\tblue = strtol(buf, NULL, 16);\n\t\t\t\tbreak;\n\n\t\t\tcase 7:\n\t\t\t\tbuf[2] = '\\0';\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[1];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[2];\n\t\t\t\tred = strtol(buf, NULL, 16);\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[3];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[4];\n\t\t\t\tgreen = strtol(buf, NULL, 16);\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[5];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[6];\n\t\t\t\tblue = strtol(buf, NULL, 16);\n\t\t\t\tbreak;\n\n\t\t\tcase 10:\n\t\t\t\tbuf[3] = '\\0';\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[1];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[2];\n\t\t\t\tbuf[2] = image.colorTable[i].c_color[3];\n\t\t\t\tred = strtol(buf, NULL, 16);\n\t\t\t\tred /= 64;\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[4];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[5];\n\t\t\t\tbuf[2] = image.colorTable[i].c_color[6];\n\t\t\t\tgreen = strtol(buf, NULL, 16);\n\t\t\t\tgreen /= 64;\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[7];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[8];\n\t\t\t\tbuf[2] = 
image.colorTable[i].c_color[9];\n\t\t\t\tblue = strtol(buf, NULL, 16);\n\t\t\t\tblue /= 64;\n\t\t\t\tbreak;\n\n\t\t\tcase 13:\n\t\t\t\tbuf[4] = '\\0';\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[1];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[2];\n\t\t\t\tbuf[2] = image.colorTable[i].c_color[3];\n\t\t\t\tbuf[3] = image.colorTable[i].c_color[4];\n\t\t\t\tred = strtol(buf, NULL, 16);\n\t\t\t\tred /= 256;\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[5];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[6];\n\t\t\t\tbuf[2] = image.colorTable[i].c_color[7];\n\t\t\t\tbuf[3] = image.colorTable[i].c_color[8];\n\t\t\t\tgreen = strtol(buf, NULL, 16);\n\t\t\t\tgreen /= 256;\n\n\t\t\t\tbuf[0] = image.colorTable[i].c_color[9];\n\t\t\t\tbuf[1] = image.colorTable[i].c_color[10];\n\t\t\t\tbuf[2] = image.colorTable[i].c_color[11];\n\t\t\t\tbuf[3] = image.colorTable[i].c_color[12];\n\t\t\t\tblue = strtol(buf, NULL, 16);\n\t\t\t\tblue /= 256;\n\t\t\t\tbreak;\n\t\t}\n\n\n\t\tcolors[i] = gdImageColorResolve(im, red, green, blue);\n\t}\n\n\tpointer = (int *) image.data;\n\tfor (i = 0; i < image.height; i++) {\n\t\tfor (j = 0; j < image.width; j++) {\n\t\t\tk = *pointer++;\n\t\t\tgdImageSetPixel(im, j, i, colors[k]);\n\t\t}\n\t}\n\n\tgdFree(colors);\n done:\n\tXpmFreeXpmImage(&image);\n\tXpmFreeXpmInfo(&info);\n\treturn im;\n}", "project": "php-src", "hash": 108615700401399758911645753719088620741, "size": 121, "commit_id": "cf4753691dc55999373d1c576f62ecb298723420", "message": "Fixed Bug #66901 php-gd 'c_color' NULL pointer dereference\n\nUpstream https://bitbucket.org/libgd/gd-libgd/commits/463c3bd09bfe8e924e19acad7a2a6af16953a704\n\nNotice: this fix don't manage monochrome/monovisual values\nbut just fix the security issue CVE-2014-2497\nfailing when trying to load such an image", "target": 0, "dataset": "other", "idx": 304857 }, { "func": "static int nm_interception(struct vcpu_svm *svm)\n{\n\tsvm_fpu_activate(&svm->vcpu);\n\treturn 1;\n}", "project": "kvm", "hash": 
321417041716434083349897302980666075537, "size": 5, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437656 }, { "func": "static void reload_tss(struct kvm_vcpu *vcpu)\n{\n\tint cpu = raw_smp_processor_id();\n\n\tstruct svm_cpu_data *sd = per_cpu(svm_data, cpu);\n\tsd->tss_desc->type = 9; /* available 32/64-bit TSS */\n\tload_TR_desc();\n}", "project": "linux", "hash": 293219018784152317197648111932672944443, "size": 8, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432540 }, { "func": "void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode)\n{\n\tstruct kvm *kvm = me->kvm;\n\tstruct kvm_vcpu *vcpu;\n\tint last_boosted_vcpu = me->kvm->last_boosted_vcpu;\n\tint yielded = 0;\n\tint try = 3;\n\tint pass;\n\tint i;\n\n\tkvm_vcpu_set_in_spin_loop(me, true);\n\t/*\n\t * We boost the priority of a VCPU that is runnable but not\n\t * currently running, because it got preempted by something\n\t * else and called schedule in __vcpu_run. 
Hopefully that\n\t * VCPU is holding the lock that we need and will release it.\n\t * We approximate round-robin by starting at the last boosted VCPU.\n\t */\n\tfor (pass = 0; pass < 2 && !yielded && try; pass++) {\n\t\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\t\tif (!pass && i <= last_boosted_vcpu) {\n\t\t\t\ti = last_boosted_vcpu;\n\t\t\t\tcontinue;\n\t\t\t} else if (pass && i > last_boosted_vcpu)\n\t\t\t\tbreak;\n\t\t\tif (!READ_ONCE(vcpu->ready))\n\t\t\t\tcontinue;\n\t\t\tif (vcpu == me)\n\t\t\t\tcontinue;\n\t\t\tif (swait_active(&vcpu->wq) && !vcpu_dy_runnable(vcpu))\n\t\t\t\tcontinue;\n\t\t\tif (READ_ONCE(vcpu->preempted) && yield_to_kernel_mode &&\n\t\t\t\t!kvm_arch_vcpu_in_kernel(vcpu))\n\t\t\t\tcontinue;\n\t\t\tif (!kvm_vcpu_eligible_for_directed_yield(vcpu))\n\t\t\t\tcontinue;\n\n\t\t\tyielded = kvm_vcpu_yield_to(vcpu);\n\t\t\tif (yielded > 0) {\n\t\t\t\tkvm->last_boosted_vcpu = i;\n\t\t\t\tbreak;\n\t\t\t} else if (yielded < 0) {\n\t\t\t\ttry--;\n\t\t\t\tif (!try)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\tkvm_vcpu_set_in_spin_loop(me, false);\n\n\t/* Ensure vcpu is not eligible during next spinloop */\n\tkvm_vcpu_set_dy_eligible(me, false);\n}", "project": "linux", "hash": 255222761543029574451932003753066898311, "size": 53, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354484 }, { 
"func": "void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode)\n{\n\tstruct kvm *kvm = me->kvm;\n\tstruct kvm_vcpu *vcpu;\n\tint last_boosted_vcpu = me->kvm->last_boosted_vcpu;\n\tint yielded = 0;\n\tint try = 3;\n\tint pass;\n\tint i;\n\n\tkvm_vcpu_set_in_spin_loop(me, true);\n\t/*\n\t * We boost the priority of a VCPU that is runnable but not\n\t * currently running, because it got preempted by something\n\t * else and called schedule in __vcpu_run. Hopefully that\n\t * VCPU is holding the lock that we need and will release it.\n\t * We approximate round-robin by starting at the last boosted VCPU.\n\t */\n\tfor (pass = 0; pass < 2 && !yielded && try; pass++) {\n\t\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\t\tif (!pass && i <= last_boosted_vcpu) {\n\t\t\t\ti = last_boosted_vcpu;\n\t\t\t\tcontinue;\n\t\t\t} else if (pass && i > last_boosted_vcpu)\n\t\t\t\tbreak;\n\t\t\tif (!READ_ONCE(vcpu->ready))\n\t\t\t\tcontinue;\n\t\t\tif (vcpu == me)\n\t\t\t\tcontinue;\n\t\t\tif (rcuwait_active(&vcpu->wait) &&\n\t\t\t !vcpu_dy_runnable(vcpu))\n\t\t\t\tcontinue;\n\t\t\tif (READ_ONCE(vcpu->preempted) && yield_to_kernel_mode &&\n\t\t\t !kvm_arch_dy_has_pending_interrupt(vcpu) &&\n\t\t\t !kvm_arch_vcpu_in_kernel(vcpu))\n\t\t\t\tcontinue;\n\t\t\tif (!kvm_vcpu_eligible_for_directed_yield(vcpu))\n\t\t\t\tcontinue;\n\n\t\t\tyielded = kvm_vcpu_yield_to(vcpu);\n\t\t\tif (yielded > 0) {\n\t\t\t\tkvm->last_boosted_vcpu = i;\n\t\t\t\tbreak;\n\t\t\t} else if (yielded < 0) {\n\t\t\t\ttry--;\n\t\t\t\tif (!try)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\tkvm_vcpu_set_in_spin_loop(me, false);\n\n\t/* Ensure vcpu is not eligible during next spinloop */\n\tkvm_vcpu_set_dy_eligible(me, false);\n}", "project": "linux", "hash": 248068340230248820095414437891164249846, "size": 55, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages 
(e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404088 }, { "func": "static int use_data(struct rar5* rar, const void** buf, size_t* size,\n int64_t* offset)\n{\n\tint i;\n\n\tfor(i = 0; i < rar5_countof(rar->cstate.dready); i++) {\n\t\tstruct data_ready *d = &rar->cstate.dready[i];\n\n\t\tif(d->used) {\n\t\t\tif(buf) *buf = d->buf;\n\t\t\tif(size) *size = d->size;\n\t\t\tif(offset) *offset = d->offset;\n\n\t\t\td->used = 0;\n\t\t\treturn ARCHIVE_OK;\n\t\t}\n\t}\n\n\treturn ARCHIVE_RETRY;\n}", "project": "libarchive", "hash": 329976063591734558416344605376855808406, "size": 20, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244806 }, { "func": "static int fuse_readdir_uncached(struct file *file, struct dir_context *ctx)\n{\n\tint plus;\n\tssize_t res;\n\tstruct page *page;\n\tstruct inode *inode = file_inode(file);\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tstruct fuse_io_args ia = {};\n\tstruct fuse_args_pages *ap = &ia.ap;\n\tstruct fuse_page_desc desc = { .length = PAGE_SIZE };\n\tu64 attr_version = 0;\n\tbool locked;\n\n\tpage = alloc_page(GFP_KERNEL);\n\tif (!page)\n\t\treturn -ENOMEM;\n\n\tplus = fuse_use_readdirplus(inode, ctx);\n\tap->args.out_pages = true;\n\tap->num_pages = 1;\n\tap->pages = &page;\n\tap->descs = &desc;\n\tif (plus) {\n\t\tattr_version = fuse_get_attr_version(fm->fc);\n\t\tfuse_read_args_fill(&ia, file, ctx->pos, PAGE_SIZE,\n\t\t\t\t FUSE_READDIRPLUS);\n\t} else {\n\t\tfuse_read_args_fill(&ia, file, ctx->pos, PAGE_SIZE,\n\t\t\t\t FUSE_READDIR);\n\t}\n\tlocked = fuse_lock_inode(inode);\n\tres = fuse_simple_request(fm, &ap->args);\n\tfuse_unlock_inode(inode, locked);\n\tif (res >= 0) {\n\t\tif (!res) {\n\t\t\tstruct fuse_file *ff = file->private_data;\n\n\t\t\tif (ff->open_flags & FOPEN_CACHE_DIR)\n\t\t\t\tfuse_readdir_cache_end(file, ctx->pos);\n\t\t} else if (plus) {\n\t\t\tres = parse_dirplusfile(page_address(page), res,\n\t\t\t\t\t\tfile, ctx, attr_version);\n\t\t} else {\n\t\t\tres = parse_dirfile(page_address(page), res, file,\n\t\t\t\t\t ctx);\n\t\t}\n\t}\n\n\t__free_page(page);\n\tfuse_invalidate_atime(inode);\n\treturn res;\n}", "project": "linux", "hash": 
336311848941941583458401212992329702641, "size": 52, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341938 }, { "func": "static void pfkey_insert(struct sock *sk)\n{\n\tstruct net *net = sock_net(sk);\n\tstruct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);\n\n\tmutex_lock(&pfkey_mutex);\n\tsk_add_node_rcu(sk, &net_pfkey->table);\n\tmutex_unlock(&pfkey_mutex);\n}", "project": "linux", "hash": 39797835591487277309300569993641508251, "size": 9, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268005 }, { "func": "static void cursor_report(struct vc_data *vc, struct tty_struct *tty)\n{\n\tchar buf[40];\n\n\tsprintf(buf, \"\\033[%d;%dR\", vc->vc_y + (vc->vc_decom ? vc->vc_top + 1 : 1), vc->vc_x + 1);\n\trespond_string(buf, tty->port);\n}", "project": "linux", "hash": 313117586422034788172613682302460562004, "size": 7, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437080 }, { "func": "void kvm_set_pfn_dirty(kvm_pfn_t pfn)\n{\n\tif (!kvm_is_reserved_pfn(pfn) && !kvm_is_zone_device_pfn(pfn))\n\t\tSetPageDirty(pfn_to_page(pfn));\n}", "project": "linux", "hash": 253608931270764366851054518704117409241, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354757 }, { "func": "static void stack_init (lua_State *L1, lua_State *L) {\n int i; CallInfo *ci;\n /* initialize stack array */\n L1->stack = luaM_newvector(L, BASIC_STACK_SIZE, StackValue);\n L1->stacksize = BASIC_STACK_SIZE;\n for (i = 0; i < BASIC_STACK_SIZE; i++)\n setnilvalue(s2v(L1->stack + i)); /* erase new stack */\n L1->top = L1->stack;\n L1->stack_last = L1->stack + L1->stacksize - EXTRA_STACK;\n /* initialize first ci */\n ci = &L1->base_ci;\n ci->next = ci->previous = NULL;\n ci->callstatus = CIST_C;\n ci->func = L1->top;\n ci->u.c.k = NULL;\n ci->nresults = 0;\n setnilvalue(s2v(L1->top)); /* 'function' entry for this 'ci' */\n L1->top++;\n ci->top = L1->top + LUA_MINSTACK;\n L1->ci = ci;\n}", "project": "lua", "hash": 41986554005736420430554139845486687465, "size": 21, "commit_id": "a2195644d89812e5b157ce7bac35543e06db05e3", "message": "Fixed 
bug: invalid 'oldpc' when returning to a function\n\nThe field 'L->oldpc' is not always updated when control returns to a\nfunction; an invalid value can seg. fault when computing 'changedline'.\n(One example is an error in a finalizer; control can return to\n'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to\nfix all possible corner cases, it seems safer to be resilient to invalid\nvalues for 'oldpc'. Valid but wrong values at most cause an extra call\nto a line hook.", "target": 0, "dataset": "other", "idx": 462776 }, { "func": " static inline ShapeArray UndefinedOrder(const VarDimArray shape) {\n return ShapeArray(shape.size(), -1);\n }", "project": "tensorflow", "hash": 150553775001821010337400666023454344108, "size": 3, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277026 }, { "func": "MatchExpression::ExpressionOptimizerFunc InMatchExpression::getOptimizer() const {\n return [](std::unique_ptr expression) -> std::unique_ptr {\n // NOTE: We do not recursively call optimize() on the RegexMatchExpression children in the\n // _regexes list. 
We assume that optimize() on a RegexMatchExpression is a no-op.\n\n auto& regexList = static_cast(*expression)._regexes;\n auto& equalitySet = static_cast(*expression)._equalitySet;\n auto collator = static_cast(*expression).getCollator();\n if (regexList.size() == 1 && equalitySet.empty()) {\n // Simplify IN of exactly one regex to be a regex match.\n auto& childRe = regexList.front();\n invariant(!childRe->getTag());\n\n auto simplifiedExpression = stdx::make_unique(\n expression->path(), childRe->getString(), childRe->getFlags());\n if (expression->getTag()) {\n simplifiedExpression->setTag(expression->getTag()->clone());\n }\n return std::move(simplifiedExpression);\n } else if (equalitySet.size() == 1 && regexList.empty()) {\n // Simplify IN of exactly one equality to be an EqualityMatchExpression.\n auto simplifiedExpression = stdx::make_unique(\n expression->path(), *(equalitySet.begin()));\n simplifiedExpression->setCollator(collator);\n if (expression->getTag()) {\n simplifiedExpression->setTag(expression->getTag()->clone());\n }\n\n return std::move(simplifiedExpression);\n }\n\n return expression;\n };\n}", "project": "mongo", "hash": 263709540218190975591817422126635411982, "size": 34, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422586 }, { "func": "static void skip_bits(struct rar5* rar, int bits) {\n\tconst int new_bits = rar->bits.bit_addr + bits;\n\trar->bits.in_addr += new_bits >> 3;\n\trar->bits.bit_addr = new_bits & 7;\n}", "project": "libarchive", "hash": 190095821597747987104398430281998944850, "size": 5, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244789 }, { "func": "static int _clua_loadfile(lua_State *ls)\n{\n const char *file = luaL_checkstring(ls, 1);\n if (!file)\n return 0;\n\n const int err = CLua::loadfile(ls, file, !CLua::is_managed_vm(ls));\n if (err)\n {\n const int place = lua_gettop(ls);\n lua_pushnil(ls);\n lua_insert(ls, place);\n return 2;\n }\n return 1;\n}", "project": "crawl", "hash": 227999537874571136876729235162736395256, "size": 16, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230504 }, { "func": "static u8 create_default_scan_rsp_data(struct hci_dev *hdev, u8 *ptr)\n{\n\tu8 scan_rsp_len = 0;\n\n\tif (hdev->appearance) {\n\t\tscan_rsp_len = append_appearance(hdev, ptr, scan_rsp_len);\n\t}\n\n\treturn append_local_name(hdev, ptr, scan_rsp_len);\n}", "project": "linux", "hash": 291623206477600342885825082616549213738, "size": 10, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... 
| test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402567 }, { "func": "bool __kmem_cache_empty(struct kmem_cache *s)\n{\n\tint node;\n\tstruct kmem_cache_node *n;\n\n\tfor_each_kmem_cache_node(s, node, n)\n\t\tif (n->nr_partial || slabs_node(s, node))\n\t\t\treturn false;\n\treturn true;\n}", "project": "linux", "hash": 77641957925023580207831768835368376060, "size": 10, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280212 }, { "func": "static int my_find_msgid(char *msgid, char **mailbox, uint32_t *uid)\n{\n struct findrock frock = { NULL, 0 };\n\n duplicate_find(msgid, &find_cb, &frock);\n\n if (!frock.mailbox) return 0;\n\n if (mailbox) {\n\tif (!frock.mailbox[0]) return 0;\n\t*mailbox = (char *) frock.mailbox;\n }\n if (uid) {\n\tif (!frock.uid) return 0;\n\t*uid = frock.uid;\n }\n\n return 1;\n}", "project": "cyrus-imapd", "hash": 250803890843158448545366759605848044053, "size": 19, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451912 }, { "func": "static bool move_normal_pmd(struct vm_area_struct *vma, unsigned long old_addr,\n\t\t unsigned long new_addr, unsigned long old_end,\n\t\t pmd_t *old_pmd, pmd_t *new_pmd)\n{\n\tspinlock_t *old_ptl, *new_ptl;\n\tstruct mm_struct *mm = vma->vm_mm;\n\tpmd_t pmd;\n\n\tif ((old_addr & ~PMD_MASK) || (new_addr & ~PMD_MASK)\n\t || old_end - old_addr < PMD_SIZE)\n\t\treturn false;\n\n\t/*\n\t * The destination pmd shouldn't be established, free_pgtables()\n\t * should have release it.\n\t */\n\tif (WARN_ON(!pmd_none(*new_pmd)))\n\t\treturn false;\n\n\t/*\n\t * We don't have to worry about the ordering of src and dst\n\t * ptlocks because exclusive mmap_sem prevents deadlock.\n\t */\n\told_ptl = pmd_lock(vma->vm_mm, old_pmd);\n\tnew_ptl = pmd_lockptr(mm, new_pmd);\n\tif (new_ptl != old_ptl)\n\t\tspin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING);\n\n\t/* Clear the pmd */\n\tpmd = 
*old_pmd;\n\tpmd_clear(old_pmd);\n\n\tVM_BUG_ON(!pmd_none(*new_pmd));\n\n\t/* Set the new pmd */\n\tset_pmd_at(mm, new_addr, new_pmd, pmd);\n\tflush_tlb_range(vma, old_addr, old_addr + PMD_SIZE);\n\tif (new_ptl != old_ptl)\n\t\tspin_unlock(new_ptl);\n\tspin_unlock(old_ptl);\n\n\treturn true;\n}", "project": "linux", "hash": 104171276417226656718085150013894412018, "size": 43, "commit_id": "5bfea2d9b17f1034a68147a8b03b9789af5700f9", "message": "mm: Fix mremap not considering huge pmd devmap\n\nThe original code in mm/mremap.c checks huge pmd by:\n\n\t\tif (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {\n\nHowever, a DAX mapped nvdimm is mapped as huge page (by default) but it\nis not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This commit\nchanges the condition to include the case.\n\nThis addresses CVE-2020-10757.\n\nFixes: 5c7fb56e5e3f (\"mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd\")\nCc: \nReported-by: Fan Yang \nSigned-off-by: Fan Yang \nTested-by: Fan Yang \nTested-by: Dan Williams \nReviewed-by: Dan Williams \nAcked-by: Kirill A. 
Shutemov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 321583 }, { "func": "static void update_db_bp_intercept(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tclr_exception_intercept(svm, DB_VECTOR);\n\tclr_exception_intercept(svm, BP_VECTOR);\n\n\tif (svm->nmi_singlestep)\n\t\tset_exception_intercept(svm, DB_VECTOR);\n\n\tif (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {\n\t\tif (vcpu->guest_debug &\n\t\t (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))\n\t\t\tset_exception_intercept(svm, DB_VECTOR);\n\t\tif (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)\n\t\t\tset_exception_intercept(svm, BP_VECTOR);\n\t} else\n\t\tvcpu->guest_debug = 0;\n}", "project": "kvm", "hash": 217164103412973819306483804413023908030, "size": 19, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437590 }, { "func": "UnicodeStringTest::TestUTF32() {\n // Input string length US_STACKBUF_SIZE to cause overflow of the\n // initially chosen fStackBuffer due to supplementary characters.\n static const UChar32 utf32[] = {\n 0x41, 0xd900, 0x61, 0xdc00, -1, 0x110000, 0x5a, 0x50000, 0x7a,\n 0x10000, 0x20000, 0xe0000, 0x10ffff\n };\n static const UChar expected_utf16[] = {\n 0x41, 0xfffd, 0x61, 0xfffd, 0xfffd, 0xfffd, 0x5a, 0xd900, 0xdc00, 0x7a,\n 0xd800, 0xdc00, 0xd840, 0xdc00, 0xdb40, 0xdc00, 0xdbff, 0xdfff\n };\n UnicodeString from32 = UnicodeString::fromUTF32(utf32, UPRV_LENGTHOF(utf32));\n UnicodeString expected(FALSE, expected_utf16, UPRV_LENGTHOF(expected_utf16));\n if(from32 != expected) {\n errln(\"UnicodeString::fromUTF32() did not create the expected 
string.\");\n }\n\n static const UChar utf16[] = {\n 0x41, 0xd900, 0x61, 0xdc00, 0x5a, 0xd900, 0xdc00, 0x7a, 0xd800, 0xdc00, 0xdbff, 0xdfff\n };\n static const UChar32 expected_utf32[] = {\n 0x41, 0xfffd, 0x61, 0xfffd, 0x5a, 0x50000, 0x7a, 0x10000, 0x10ffff\n };\n UChar32 result32[16];\n UErrorCode errorCode = U_ZERO_ERROR;\n int32_t length32 =\n UnicodeString(FALSE, utf16, UPRV_LENGTHOF(utf16)).\n toUTF32(result32, UPRV_LENGTHOF(result32), errorCode);\n if( length32 != UPRV_LENGTHOF(expected_utf32) ||\n 0 != uprv_memcmp(result32, expected_utf32, length32*4) ||\n result32[length32] != 0\n ) {\n errln(\"UnicodeString::toUTF32() did not create the expected string.\");\n }\n}", "project": "icu", "hash": 235624572396472929500475518058434879687, "size": 35, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430859 }, { "func": "static bool checkreturn pb_decode_inner(pb_istream_t *stream, const pb_msgdesc_t *fields, void *dest_struct, unsigned int flags)\n{\n uint32_t extension_range_start = 0;\n pb_extension_t *extensions = NULL;\n\n /* 'fixed_count_field' and 'fixed_count_size' track position of a repeated fixed\n * count field. 
This can only handle _one_ repeated fixed count field that\n * is unpacked and unordered among other (non repeated fixed count) fields.\n */\n pb_size_t fixed_count_field = PB_SIZE_MAX;\n pb_size_t fixed_count_size = 0;\n pb_size_t fixed_count_total_size = 0;\n\n pb_fields_seen_t fields_seen = {{0, 0}};\n const uint32_t allbits = ~(uint32_t)0;\n pb_field_iter_t iter;\n\n if (pb_field_iter_begin(&iter, fields, dest_struct))\n {\n if ((flags & PB_DECODE_NOINIT) == 0)\n {\n if (!pb_message_set_to_defaults(&iter))\n PB_RETURN_ERROR(stream, \"failed to set defaults\");\n }\n }\n\n while (stream->bytes_left)\n {\n uint32_t tag;\n pb_wire_type_t wire_type;\n bool eof;\n\n if (!pb_decode_tag(stream, &wire_type, &tag, &eof))\n {\n if (eof)\n break;\n else\n return false;\n }\n\n if (tag == 0)\n {\n if (flags & PB_DECODE_NULLTERMINATED)\n {\n break;\n }\n else\n {\n PB_RETURN_ERROR(stream, \"zero tag\");\n }\n }\n\n if (!pb_field_iter_find(&iter, tag) || PB_LTYPE(iter.type) == PB_LTYPE_EXTENSION)\n {\n /* No match found, check if it matches an extension. 
*/\n if (extension_range_start == 0)\n {\n if (pb_field_iter_find_extension(&iter))\n {\n extensions = *(pb_extension_t* const *)iter.pData;\n extension_range_start = iter.tag;\n }\n\n if (!extensions)\n {\n extension_range_start = (uint32_t)-1;\n }\n }\n\n if (tag >= extension_range_start)\n {\n size_t pos = stream->bytes_left;\n\n if (!decode_extension(stream, tag, wire_type, extensions))\n return false;\n\n if (pos != stream->bytes_left)\n {\n /* The field was handled */\n continue;\n }\n }\n\n /* No match found, skip data */\n if (!pb_skip_field(stream, wire_type))\n return false;\n continue;\n }\n\n /* If a repeated fixed count field was found, get size from\n * 'fixed_count_field' as there is no counter contained in the struct.\n */\n if (PB_HTYPE(iter.type) == PB_HTYPE_REPEATED && iter.pSize == &iter.array_size)\n {\n if (fixed_count_field != iter.index) {\n /* If the new fixed count field does not match the previous one,\n * check that the previous one is NULL or that it finished\n * receiving all the expected data.\n */\n if (fixed_count_field != PB_SIZE_MAX &&\n fixed_count_size != fixed_count_total_size)\n {\n PB_RETURN_ERROR(stream, \"wrong size for fixed count field\");\n }\n\n fixed_count_field = iter.index;\n fixed_count_size = 0;\n fixed_count_total_size = iter.array_size;\n }\n\n iter.pSize = &fixed_count_size;\n }\n\n if (PB_HTYPE(iter.type) == PB_HTYPE_REQUIRED\n && iter.required_field_index < PB_MAX_REQUIRED_FIELDS)\n {\n uint32_t tmp = ((uint32_t)1 << (iter.required_field_index & 31));\n fields_seen.bitfield[iter.required_field_index >> 5] |= tmp;\n }\n\n if (!decode_field(stream, wire_type, &iter))\n return false;\n }\n\n /* Check that all elements of the last decoded fixed count field were present. */\n if (fixed_count_field != PB_SIZE_MAX &&\n fixed_count_size != fixed_count_total_size)\n {\n PB_RETURN_ERROR(stream, \"wrong size for fixed count field\");\n }\n\n /* Check that all required fields were present. 
*/\n {\n pb_size_t req_field_count = iter.descriptor->required_field_count;\n\n if (req_field_count > 0)\n {\n pb_size_t i;\n\n if (req_field_count > PB_MAX_REQUIRED_FIELDS)\n req_field_count = PB_MAX_REQUIRED_FIELDS;\n\n /* Check the whole words */\n for (i = 0; i < (req_field_count >> 5); i++)\n {\n if (fields_seen.bitfield[i] != allbits)\n PB_RETURN_ERROR(stream, \"missing required field\");\n }\n\n /* Check the remaining bits (if any) */\n if ((req_field_count & 31) != 0)\n {\n if (fields_seen.bitfield[req_field_count >> 5] !=\n (allbits >> (uint_least8_t)(32 - (req_field_count & 31))))\n {\n PB_RETURN_ERROR(stream, \"missing required field\");\n }\n }\n }\n }\n\n return true;\n}", "project": "nanopb", "hash": 267504497951637033429542935010494502748, "size": 163, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. 
Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254695 }, { "func": "static struct sock *sco_sock_alloc(struct net *net, struct socket *sock,\n\t\t\t\t int proto, gfp_t prio, int kern)\n{\n\tstruct sock *sk;\n\n\tsk = sk_alloc(net, PF_BLUETOOTH, prio, &sco_proto, kern);\n\tif (!sk)\n\t\treturn NULL;\n\n\tsock_init_data(sock, sk);\n\tINIT_LIST_HEAD(&bt_sk(sk)->accept_q);\n\n\tsk->sk_destruct = sco_sock_destruct;\n\tsk->sk_sndtimeo = SCO_CONN_TIMEOUT;\n\n\tsock_reset_flag(sk, SOCK_ZAPPED);\n\n\tsk->sk_protocol = proto;\n\tsk->sk_state = BT_OPEN;\n\n\tsco_pi(sk)->setting = BT_VOICE_CVSD_16BIT;\n\n\ttimer_setup(&sk->sk_timer, sco_sock_timeout, 0);\n\n\tbt_sock_link(&sco_sk_list, sk);\n\treturn sk;\n}", "project": "linux", "hash": 283767360505104773447436558597081023711, "size": 27, "commit_id": "f6b8c6b5543983e9de29dc14716bfa4eb3f157c4", "message": "Bluetooth: sco: Fix crash when using BT_SNDMTU/BT_RCVMTU option\n\nThis commit add the invalid check for connected socket, without it will\ncauses the following crash due to sco_pi(sk)->conn being NULL:\n\nKASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057]\nCPU: 3 PID: 4284 Comm: test_sco Not tainted 5.10.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014\nRIP: 0010:sco_sock_getsockopt+0x45d/0x8e0\nCode: 48 c1 ea 03 80 3c 02 00 0f 85 ca 03 00 00 49 8b 9d f8 04 00 00 48 b8 00\n 00 00 00 00 fc ff df 48 8d 7b 50 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84\n c0 74 08 3c 03 0f 8e b5 03 00 00 8b 43 50 48 8b 0c\nRSP: 0018:ffff88801bb17d88 EFLAGS: 00010206\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83a4ecdf\nRDX: 000000000000000a RSI: ffffc90002fce000 RDI: 0000000000000050\nRBP: 1ffff11003762fb4 R08: 0000000000000001 R09: ffff88810e1008c0\nR10: ffffffffbd695dcf R11: fffffbfff7ad2bb9 R12: 0000000000000000\nR13: ffff888018ff1000 R14: dffffc0000000000 R15: 000000000000000d\nFS: 
00007fb4f76c1700(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005555e3b7a938 CR3: 00000001117be001 CR4: 0000000000770ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n ? sco_skb_put_cmsg+0x80/0x80\n ? sco_skb_put_cmsg+0x80/0x80\n __sys_getsockopt+0x12a/0x220\n ? __ia32_sys_setsockopt+0x150/0x150\n ? syscall_enter_from_user_mode+0x18/0x50\n ? rcu_read_lock_bh_held+0xb0/0xb0\n __x64_sys_getsockopt+0xba/0x150\n ? syscall_enter_from_user_mode+0x1d/0x50\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nFixes: 0fc1a726f897 (\"Bluetooth: sco: new getsockopt options BT_SNDMTU/BT_RCVMTU\")\nReported-by: Hulk Robot \nSigned-off-by: Wei Yongjun \nReviewed-by: Luiz Augusto Von Dentz \nSigned-off-by: Marcel Holtmann \nSigned-off-by: Johan Hedberg ", "target": 0, "dataset": "other", "idx": 477345 }, { "func": "void CSoundFile::VolumeSlide(ModChannel *pChn, ModCommand::PARAM param)\n{\n\tif (param)\n\t\tpChn->nOldVolumeSlide = param;\n\telse\n\t\tparam = pChn->nOldVolumeSlide;\n\n\tif((GetType() & (MOD_TYPE_MOD | MOD_TYPE_XM | MOD_TYPE_MT2 | MOD_TYPE_MED | MOD_TYPE_DIGI | MOD_TYPE_STP | MOD_TYPE_DTM)))\n\t{\n\t\t// MOD / XM nibble priority\n\t\tif((param & 0xF0) != 0)\n\t\t{\n\t\t\tparam &= 0xF0;\n\t\t} else\n\t\t{\n\t\t\tparam &= 0x0F;\n\t\t}\n\t}\n\n\tint newvolume = pChn->nVolume;\n\tif(!(GetType() & (MOD_TYPE_MOD | MOD_TYPE_XM | MOD_TYPE_AMF0 | MOD_TYPE_MED | MOD_TYPE_DIGI)))\n\t{\n\t\tif ((param & 0x0F) == 0x0F) //Fine upslide or slide -15\n\t\t{\n\t\t\tif (param & 0xF0) //Fine upslide\n\t\t\t{\n\t\t\t\tFineVolumeUp(pChn, (param >> 4), false);\n\t\t\t\treturn;\n\t\t\t} else //Slide -15\n\t\t\t{\n\t\t\t\tif(pChn->isFirstTick && !m_SongFlags[SONG_FASTVOLSLIDES])\n\t\t\t\t{\n\t\t\t\t\tnewvolume -= 0x0F * 4;\n\t\t\t\t}\n\t\t\t}\n\t\t} else\n\t\tif ((param & 0xF0) == 0xF0) 
//Fine downslide or slide +15\n\t\t{\n\t\t\tif (param & 0x0F) //Fine downslide\n\t\t\t{\n\t\t\t\tFineVolumeDown(pChn, (param & 0x0F), false);\n\t\t\t\treturn;\n\t\t\t} else //Slide +15\n\t\t\t{\n\t\t\t\tif(pChn->isFirstTick && !m_SongFlags[SONG_FASTVOLSLIDES])\n\t\t\t\t{\n\t\t\t\t\tnewvolume += 0x0F * 4;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\tif(!pChn->isFirstTick || m_SongFlags[SONG_FASTVOLSLIDES] || (m_PlayState.m_nMusicSpeed == 1 && GetType() == MOD_TYPE_DBM))\n\t{\n\t\t// IT compatibility: Ignore slide commands with both nibbles set.\n\t\tif (param & 0x0F)\n\t\t{\n\t\t\tif(!(GetType() & (MOD_TYPE_IT | MOD_TYPE_MPT)) || (param & 0xF0) == 0)\n\t\t\t\tnewvolume -= (int)((param & 0x0F) * 4);\n\t\t}\n\t\telse\n\t\t{\n\t\t\tnewvolume += (int)((param & 0xF0) >> 2);\n\t\t}\n\t\tif (GetType() == MOD_TYPE_MOD) pChn->dwFlags.set(CHN_FASTVOLRAMP);\n\t}\n\tnewvolume = Clamp(newvolume, 0, 256);\n\n\tpChn->nVolume = newvolume;\n}", "project": "openmpt", "hash": 268894399659290381350596560716542245758, "size": 69, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255210 }, { "func": "static void free_slab(struct kmem_cache *s, struct page *page)\n{\n\tif (unlikely(s->flags & SLAB_TYPESAFE_BY_RCU)) {\n\t\tcall_rcu(&page->rcu_head, rcu_free_slab);\n\t} else\n\t\t__free_slab(s, page);\n}", "project": "linux", "hash": 142160585868099866818125961248978159644, "size": 7, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M 
elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280216 }, { "func": "static void sendsuboption(struct Curl_easy *data, int option)\n{\n ssize_t bytes_written;\n int err;\n unsigned short x, y;\n unsigned char *uc1, *uc2;\n struct TELNET *tn = data->req.p.telnet;\n struct connectdata *conn = data->conn;\n\n switch(option) {\n case CURL_TELOPT_NAWS:\n /* We prepare data to be sent */\n CURL_SB_CLEAR(tn);\n CURL_SB_ACCUM(tn, CURL_IAC);\n CURL_SB_ACCUM(tn, CURL_SB);\n CURL_SB_ACCUM(tn, CURL_TELOPT_NAWS);\n /* We must deal either with little or big endian processors */\n /* Window size must be sent according to the 'network order' */\n x = htons(tn->subopt_wsx);\n y = htons(tn->subopt_wsy);\n uc1 = (unsigned char *)&x;\n uc2 = (unsigned char *)&y;\n CURL_SB_ACCUM(tn, uc1[0]);\n CURL_SB_ACCUM(tn, uc1[1]);\n CURL_SB_ACCUM(tn, uc2[0]);\n CURL_SB_ACCUM(tn, uc2[1]);\n\n CURL_SB_ACCUM(tn, CURL_IAC);\n CURL_SB_ACCUM(tn, CURL_SE);\n CURL_SB_TERM(tn);\n /* data suboption is now ready */\n\n printsub(data, '>', (unsigned char *)tn->subbuffer + 2,\n CURL_SB_LEN(tn)-2);\n\n /* we send the header of the suboption... */\n bytes_written = swrite(conn->sock[FIRSTSOCKET], tn->subbuffer, 3);\n if(bytes_written < 0) {\n err = SOCKERRNO;\n failf(data, \"Sending data failed (%d)\", err);\n }\n /* ... then the window size with the send_telnet_data() function\n to deal with 0xFF cases ... */\n send_telnet_data(data, (char *)tn->subbuffer + 3, 4);\n /* ... 
and the footer */\n bytes_written = swrite(conn->sock[FIRSTSOCKET], tn->subbuffer + 7, 2);\n if(bytes_written < 0) {\n err = SOCKERRNO;\n failf(data, \"Sending data failed (%d)\", err);\n }\n break;\n }\n}", "project": "curl", "hash": 328033818543348188629866426530317672167, "size": 53, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 0, "dataset": "other", "idx": 481495 }, { "func": "static inline int bcf1_sync_id(bcf1_t *line, kstring_t *str)\n{\n // single typed string\n if ( line->d.id && strcmp(line->d.id, \".\") ) {\n return bcf_enc_vchar(str, strlen(line->d.id), line->d.id);\n } else {\n return bcf_enc_size(str, 0, BCF_BT_CHAR);\n }\n}", "project": "htslib", "hash": 306648706225411926791585811441533836357, "size": 9, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402204 }, { "func": "PHPAPI void php_register_variable_safe(char *var, char *strval, size_t str_len, zval *track_vars_array)\n{\n\tzval new_entry;\n\tassert(strval != NULL);\n\n\t/* Prepare value */\n\tif (str_len == 0) {\n\t\tZVAL_EMPTY_STRING(&new_entry);\n\t} else if (str_len == 1) {\n\t\tZVAL_INTERNED_STR(&new_entry, ZSTR_CHAR((zend_uchar)*strval));\n\t} else {\n\t\tZVAL_NEW_STR(&new_entry, zend_string_init(strval, str_len, 0));\n\t}\n\tphp_register_variable_ex(var, &new_entry, track_vars_array);\n}", "project": "php-src", "hash": 178291308261430611054614688047856765241, "size": 15, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374961 }, { "func": "static inline void kvm_vcpu_set_in_spin_loop(struct kvm_vcpu *vcpu, bool val)\n{\n}", "project": "linux", "hash": 54226240298529025285339491927882569521, "size": 3, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354443 }, { "func": "static inline void 
kvm_vcpu_set_in_spin_loop(struct kvm_vcpu *vcpu, bool val)\n{\n\tvcpu->spin_loop.in_spin_loop = val;\n}", "project": "linux", "hash": 51281505183075072116042175988548394390, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354456 }, { "func": "}\n\nstatic int\niscsi_if_get_stats(struct iscsi_transport *transport, struct nlmsghdr *nlh)\n{\n\tstruct iscsi_uevent *ev = nlmsg_data(nlh);\n\tstruct iscsi_stats *stats;\n\tstruct sk_buff *skbstat;\n\tstruct iscsi_cls_conn *conn;\n\tstruct nlmsghdr\t*nlhstat;\n\tstruct iscsi_uevent *evstat;\n\tstruct iscsi_internal *priv;\n\tint len = nlmsg_total_size(sizeof(*ev) +\n\t\t\t\t sizeof(struct iscsi_stats) +\n\t\t\t\t sizeof(struct iscsi_stats_custom) *\n\t\t\t\t ISCSI_STATS_CUSTOM_MAX);\n\tint err = 0;\n\n\tpriv = iscsi_if_transport_lookup(transport);\n\tif (!priv)\n\t\treturn -EINVAL;\n\n\tconn = iscsi_conn_lookup(ev->u.get_stats.sid, ev->u.get_stats.cid);\n\tif (!conn)\n\t\treturn -EEXIST;\n\n\tdo {\n\t\tint actual_size;\n\n\t\tskbstat = alloc_skb(len, GFP_ATOMIC);\n\t\tif (!skbstat) {\n\t\t\tiscsi_cls_conn_printk(KERN_ERR, conn, \"can not \"\n\t\t\t\t\t \"deliver stats: OOM\\n\");\n\t\t\treturn -ENOMEM;\n\t\t}\n\n\t\tnlhstat = __nlmsg_put(skbstat, 0, 0, 0,\n\t\t\t\t (len - sizeof(*nlhstat)), 0);\n\t\tevstat = 
nlmsg_data(nlhstat);\n\t\tmemset(evstat, 0, sizeof(*evstat));\n\t\tevstat->transport_handle = iscsi_handle(conn->transport);\n\t\tevstat->type = nlh->nlmsg_type;\n\t\tevstat->u.get_stats.cid =\n\t\t\tev->u.get_stats.cid;\n\t\tevstat->u.get_stats.sid =\n\t\t\tev->u.get_stats.sid;\n\t\tstats = (struct iscsi_stats *)\n\t\t\t((char*)evstat + sizeof(*evstat));\n\t\tmemset(stats, 0, sizeof(*stats));\n\n\t\ttransport->get_stats(conn, stats);\n\t\tactual_size = nlmsg_total_size(sizeof(struct iscsi_uevent) +\n\t\t\t\t\t sizeof(struct iscsi_stats) +\n\t\t\t\t\t sizeof(struct iscsi_stats_custom) *\n\t\t\t\t\t stats->custom_length);\n\t\tactual_size -= sizeof(*nlhstat);\n\t\tactual_size = nlmsg_msg_size(actual_size);\n\t\tskb_trim(skbstat, NLMSG_ALIGN(actual_size));\n\t\tnlhstat->nlmsg_len = actual_size;\n\n\t\terr = iscsi_multicast_skb(skbstat, ISCSI_NL_GRP_ISCSID,\n\t\t\t\t\t GFP_ATOMIC);\n\t} while (err < 0 && err != -ECONNREFUSED);", "project": "linux", "hash": 63640461566216171652807791981086400964, "size": 63, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 380013 }, { "func": "static int run_delta_filter(struct rar5* rar, struct filter_info* flt) {\n\tint i;\n\tssize_t dest_pos, src_pos = 0;\n\n\tfor(i = 0; i < flt->channels; i++) {\n\t\tuint8_t prev_byte = 0;\n\t\tfor(dest_pos = i;\n\t\t\t\tdest_pos < flt->block_length;\n\t\t\t\tdest_pos += flt->channels)\n\t\t{\n\t\t\tuint8_t byte;\n\n\t\t\tbyte = rar->cstate.window_buf[\n\t\t\t (rar->cstate.solid_offset + flt->block_start +\n\t\t\t src_pos) & rar->cstate.window_mask];\n\n\t\t\tprev_byte -= byte;\n\t\t\trar->cstate.filtered_buf[dest_pos] = prev_byte;\n\t\t\tsrc_pos++;\n\t\t}\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 310515643157295661951238133746006614901, "size": 24, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244687 }, { "func": "void hci_request_cancel_all(struct hci_dev *hdev)\n{\n\thci_req_sync_cancel(hdev, ENODEV);\n\n\tcancel_work_sync(&hdev->discov_update);\n\tcancel_work_sync(&hdev->bg_scan_update);\n\tcancel_work_sync(&hdev->scan_update);\n\tcancel_work_sync(&hdev->connectable_update);\n\tcancel_work_sync(&hdev->discoverable_update);\n\tcancel_delayed_work_sync(&hdev->discov_off);\n\tcancel_delayed_work_sync(&hdev->le_scan_disable);\n\tcancel_delayed_work_sync(&hdev->le_scan_restart);\n\n\tif (hdev->adv_instance_timeout) {\n\t\tcancel_delayed_work_sync(&hdev->adv_instance_expire);\n\t\thdev->adv_instance_timeout = 0;\n\t}\n\n\tcancel_interleave_scan(hdev);\n}", "project": "linux", "hash": 171965169655778347103818112763628904322, "size": 20, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402515 }, { "func": "static int path_count_inc(int nests)\n{\n\t/* Allow an arbitrary number of depth 1 paths */\n\tif (nests == 0)\n\t\treturn 0;\n\n\tif (++path_count[nests] > path_limits[nests])\n\t\treturn -1;\n\treturn 0;\n}", "project": "linux", "hash": 19589870338120602719450393539553820015, "size": 10, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336268 }, { "func": "static inline bool is_error_page(struct page *page)\n{\n\treturn IS_ERR(page);\n}", "project": "linux", "hash": 306252362159540195793973793344004343112, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354805 }, { "func": " Item_cache_str(THD *thd, const Item *item):\n Item_cache(thd, item->field_type()), value(0),\n is_varbinary(item->type() == FIELD_ITEM &&\n Item_cache_str::field_type() == MYSQL_TYPE_VARCHAR &&\n !((const Item_field *) item)->field->has_charset())\n {\n collation.set(const_cast(item->collation));\n }", "target": 
0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 180665176342864348538466501477458298455, "size": 8, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509248 }, { "func": "static int sctp_getsockopt_local_addrs(struct sock *sk, int len,\n\t\t\t\t char __user *optval, int __user *optlen)\n{\n\tstruct sctp_bind_addr *bp;\n\tstruct sctp_association *asoc;\n\tint cnt = 0;\n\tstruct sctp_getaddrs getaddrs;\n\tstruct sctp_sockaddr_entry *addr;\n\tvoid __user *to;\n\tunion sctp_addr temp;\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tint addrlen;\n\tint err = 0;\n\tsize_t space_left;\n\tint bytes_copied = 0;\n\tvoid *addrs;\n\tvoid *buf;\n\n\tif (len < sizeof(struct sctp_getaddrs))\n\t\treturn -EINVAL;\n\n\tif (copy_from_user(&getaddrs, optval, sizeof(struct sctp_getaddrs)))\n\t\treturn -EFAULT;\n\n\t/*\n\t * For UDP-style sockets, id specifies the association to query.\n\t * If the id field is set to the value '0' then the locally bound\n\t * addresses are returned without regard to any particular\n\t * association.\n\t 
*/\n\tif (0 == getaddrs.assoc_id) {\n\t\tbp = &sctp_sk(sk)->ep->base.bind_addr;\n\t} else {\n\t\tasoc = sctp_id2assoc(sk, getaddrs.assoc_id);\n\t\tif (!asoc)\n\t\t\treturn -EINVAL;\n\t\tbp = &asoc->base.bind_addr;\n\t}\n\n\tto = optval + offsetof(struct sctp_getaddrs, addrs);\n\tspace_left = len - offsetof(struct sctp_getaddrs, addrs);\n\n\taddrs = kmalloc(space_left, GFP_USER | __GFP_NOWARN);\n\tif (!addrs)\n\t\treturn -ENOMEM;\n\n\t/* If the endpoint is bound to 0.0.0.0 or ::0, get the valid\n\t * addresses from the global local address list.\n\t */\n\tif (sctp_list_single_entry(&bp->address_list)) {\n\t\taddr = list_entry(bp->address_list.next,\n\t\t\t\t struct sctp_sockaddr_entry, list);\n\t\tif (sctp_is_any(sk, &addr->a)) {\n\t\t\tcnt = sctp_copy_laddrs(sk, bp->port, addrs,\n\t\t\t\t\t\tspace_left, &bytes_copied);\n\t\t\tif (cnt < 0) {\n\t\t\t\terr = cnt;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tgoto copy_getaddrs;\n\t\t}\n\t}\n\n\tbuf = addrs;\n\t/* Protection on the bound address list is not needed since\n\t * in the socket option context we hold a socket lock and\n\t * thus the bound address list can't change.\n\t */\n\tlist_for_each_entry(addr, &bp->address_list, list) {\n\t\tmemcpy(&temp, &addr->a, sizeof(temp));\n\t\taddrlen = sctp_get_pf_specific(sk->sk_family)\n\t\t\t ->addr_to_user(sp, &temp);\n\t\tif (space_left < addrlen) {\n\t\t\terr = -ENOMEM; /*fixme: right error?*/\n\t\t\tgoto out;\n\t\t}\n\t\tmemcpy(buf, &temp, addrlen);\n\t\tbuf += addrlen;\n\t\tbytes_copied += addrlen;\n\t\tcnt++;\n\t\tspace_left -= addrlen;\n\t}\n\ncopy_getaddrs:\n\tif (copy_to_user(to, addrs, bytes_copied)) {\n\t\terr = -EFAULT;\n\t\tgoto out;\n\t}\n\tif (put_user(cnt, &((struct sctp_getaddrs __user *)optval)->addr_num)) {\n\t\terr = -EFAULT;\n\t\tgoto out;\n\t}\n\t/* XXX: We should have accounted for sizeof(struct sctp_getaddrs) too,\n\t * but we can't change it anymore.\n\t */\n\tif (put_user(bytes_copied, optlen))\n\t\terr = -EFAULT;\nout:\n\tkfree(addrs);\n\treturn err;\n}", 
"project": "linux", "hash": 231305319926449505306836780494372982176, "size": 101, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398127 }, { "func": "struct file *do_filp_open(int dfd, struct filename *pathname,\n\t\tconst struct open_flags *op)\n{\n\tstruct nameidata nd;\n\tint flags = op->lookup_flags;\n\tstruct file *filp;\n\n\tset_nameidata(&nd, dfd, pathname);\n\tfilp = path_openat(&nd, op, flags | LOOKUP_RCU);\n\tif (unlikely(filp == ERR_PTR(-ECHILD)))\n\t\tfilp = path_openat(&nd, op, flags);\n\tif (unlikely(filp == ERR_PTR(-ESTALE)))\n\t\tfilp = path_openat(&nd, op, flags | LOOKUP_REVAL);\n\trestore_nameidata();\n\treturn filp;\n}", "project": "linux", "hash": 214770240809311185269725741607185421075, "size": 16, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, 
"dataset": "other", "idx": 295342 }, { "func": "static void set_nameidata(struct nameidata *p, int dfd, struct filename *name)\n{\n\tstruct nameidata *old = current->nameidata;\n\tp->stack = p->internal;\n\tp->dfd = dfd;\n\tp->name = name;\n\tp->total_link_count = old ? old->total_link_count : 0;\n\tp->saved = old;\n\tcurrent->nameidata = p;\n}", "project": "linux", "hash": 232739807044757288297664241754578331711, "size": 10, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295401 }, { "func": "void tty_unregister_device(struct tty_driver *driver, unsigned index)\n{\n\tdevice_destroy(tty_class,\n\t\tMKDEV(driver->major, driver->minor_start) + index);\n\tif (!(driver->flags & TTY_DRIVER_DYNAMIC_ALLOC)) {\n\t\tcdev_del(driver->cdevs[index]);\n\t\tdriver->cdevs[index] = NULL;\n\t}\n}", "project": "linux", "hash": 274152111554635190820340790548429261451, "size": 9, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. 
(Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326007 }, { "func": "int ssh_buffer_allocate_size(struct ssh_buffer_struct *buffer,\n uint32_t len)\n{\n buffer_verify(buffer);\n\n if (buffer->allocated < len) {\n if (buffer->pos > 0) {\n buffer_shift(buffer);\n }\n if (realloc_buffer(buffer, len) < 0) {\n return -1;\n }\n }\n\n buffer_verify(buffer);\n\n return 0;\n}", "project": "libssh-mirror", "hash": 105364497752376545055297269942445257558, "size": 18, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345159 }, { "func": "static int pipe_do_remove(struct sock *sk)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tstruct pnpipehdr *ph;\n\tstruct sk_buff *skb;\n\n\tskb = pep_alloc_skb(sk, NULL, 0, GFP_KERNEL);\n\tif (!skb)\n\t\treturn -ENOMEM;\n\n\tph = pnp_hdr(skb);\n\tph->utid = 0;\n\tph->message_id = 
PNS_PIPE_REMOVE_REQ;\n\tph->pipe_handle = pn->pipe_handle;\n\tph->data0 = PAD;\n\treturn pn_skb_send(sk, skb, NULL);\n}", "project": "linux", "hash": 274288692581120781572121323929710480059, "size": 17, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224809 }, { "func": " */\nstatic inline int io_uring_add_task_file(struct io_ring_ctx *ctx)\n{\n\tstruct io_uring_task *tctx = current->io_uring;\n\n\tif (likely(tctx && tctx->last == ctx))\n\t\treturn 0;\n\treturn __io_uring_add_task_file(ctx);", "project": "linux", "hash": 294681125208930204923422150240688292499, "size": 8, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338657 }, { "func": "void CServer::SendRconLine(int ClientID, const char *pLine)\n{\n\tCMsgPacker Msg(NETMSG_RCON_LINE, true);\n\tMsg.AddString(pLine, 512);\n\tSendMsg(&Msg, MSGFLAG_VITAL, ClientID);\n}", "project": "teeworlds", "hash": 130070554775637080557519797824805481801, "size": 6, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382040 }, { "func": " inline int32_t Dims(int i) const {\n TFLITE_DCHECK_GE(i, 0);\n TFLITE_DCHECK_LT(i, size_);\n return size_ > kMaxSmallSize ? dims_pointer_[i] : dims_[i];\n }", "project": "tensorflow", "hash": 261762772535595947875955540357903708285, "size": 5, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269187 }, { "func": "static inline int event2poltype(int event)\n{\n\tswitch (event) {\n\tcase XFRM_MSG_DELPOLICY:\n\t\treturn SADB_X_SPDDELETE;\n\tcase XFRM_MSG_NEWPOLICY:\n\t\treturn SADB_X_SPDADD;\n\tcase XFRM_MSG_UPDPOLICY:\n\t\treturn SADB_X_SPDUPDATE;\n\tcase XFRM_MSG_POLEXPIRE:\n\t//\treturn SADB_X_SPDEXPIRE;\n\tdefault:\n\t\tpr_err(\"pfkey: Unknown policy event %d\\n\", event);\n\t\tbreak;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 125410932659641228864231448706210261651, "size": 18, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268073 }, { "func": "\nstatic int io_issue_sqe(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tconst struct cred *creds = NULL;\n\tint ret;\n\n\tif (req->work.creds && req->work.creds != current_cred())\n\t\tcreds = override_creds(req->work.creds);\n\n\tswitch (req->opcode) {\n\tcase IORING_OP_NOP:\n\t\tret = io_nop(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_READV:\n\tcase IORING_OP_READ_FIXED:\n\tcase IORING_OP_READ:\n\t\tret = io_read(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_WRITEV:\n\tcase IORING_OP_WRITE_FIXED:\n\tcase IORING_OP_WRITE:\n\t\tret = io_write(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_FSYNC:\n\t\tret = io_fsync(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_POLL_ADD:\n\t\tret = io_poll_add(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_POLL_REMOVE:\n\t\tret = io_poll_update(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_SYNC_FILE_RANGE:\n\t\tret = io_sync_file_range(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_SENDMSG:\n\t\tret = io_sendmsg(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_SEND:\n\t\tret = io_send(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_RECVMSG:\n\t\tret = io_recvmsg(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_RECV:\n\t\tret = io_recv(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_TIMEOUT:\n\t\tret = io_timeout(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_TIMEOUT_REMOVE:\n\t\tret = io_timeout_remove(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_ACCEPT:\n\t\tret = io_accept(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_CONNECT:\n\t\tret = io_connect(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_ASYNC_CANCEL:\n\t\tret = io_async_cancel(req, issue_flags);\n\t\tbreak;\n\tcase 
IORING_OP_FALLOCATE:\n\t\tret = io_fallocate(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_OPENAT:\n\t\tret = io_openat(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_CLOSE:\n\t\tret = io_close(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_FILES_UPDATE:\n\t\tret = io_files_update(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_STATX:\n\t\tret = io_statx(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_FADVISE:\n\t\tret = io_fadvise(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_MADVISE:\n\t\tret = io_madvise(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_OPENAT2:\n\t\tret = io_openat2(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_EPOLL_CTL:\n\t\tret = io_epoll_ctl(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_SPLICE:\n\t\tret = io_splice(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_PROVIDE_BUFFERS:\n\t\tret = io_provide_buffers(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_REMOVE_BUFFERS:\n\t\tret = io_remove_buffers(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_TEE:\n\t\tret = io_tee(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_SHUTDOWN:\n\t\tret = io_shutdown(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_RENAMEAT:\n\t\tret = io_renameat(req, issue_flags);\n\t\tbreak;\n\tcase IORING_OP_UNLINKAT:\n\t\tret = io_unlinkat(req, issue_flags);\n\t\tbreak;\n\tdefault:\n\t\tret = -EINVAL;\n\t\tbreak;\n\t}\n\n\tif (creds)\n\t\trevert_creds(creds);\n\n\tif (ret)\n\t\treturn ret;\n\n\t/* If the op doesn't have a file, we're not polling for it */\n\tif ((ctx->flags & IORING_SETUP_IOPOLL) && req->file) {\n\t\tconst bool in_async = io_wq_current_is_worker();\n\n\t\t/* workqueue context doesn't hold uring_lock, grab it now */\n\t\tif (in_async)\n\t\t\tmutex_lock(&ctx->uring_lock);\n\n\t\tio_iopoll_req_issued(req, in_async);\n\n\t\tif (in_async)\n\t\t\tmutex_unlock(&ctx->uring_lock);\n\t}\n\n\treturn 0;", "project": "linux", "hash": 236042774413402019435780967252525131715, "size": 137, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", 
"message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338616 }, { "func": "static int vhost_net_rx_peek_head_len(struct vhost_net *net, struct sock *sk,\n\t\t\t\t bool *busyloop_intr)\n{\n\tstruct vhost_net_virtqueue *rnvq = &net->vqs[VHOST_NET_VQ_RX];\n\tstruct vhost_net_virtqueue *tnvq = &net->vqs[VHOST_NET_VQ_TX];\n\tstruct vhost_virtqueue *rvq = &rnvq->vq;\n\tstruct vhost_virtqueue *tvq = &tnvq->vq;\n\tint len = peek_head_len(rnvq, sk);\n\n\tif (!len && rvq->busyloop_timeout) {\n\t\t/* Flush batched heads first */\n\t\tvhost_net_signal_used(rnvq);\n\t\t/* Both tx vq and rx socket were polled here */\n\t\tvhost_net_busy_poll(net, rvq, tvq, busyloop_intr, true);\n\n\t\tlen = peek_head_len(rnvq, sk);\n\t}\n\n\treturn len;\n}", "project": "linux", "hash": 263345628278886386470575552778549045304, "size": 20, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 
+ 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 441967 }, { "func": "UBool Replaceable::hasMetaData() const {\n return TRUE;\n}", "project": "icu", "hash": 70952473032715182638914392475748826388, "size": 3, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430762 }, { "func": "UBool UnicodeString::hasMetaData() const {\n return FALSE;\n}", "project": "icu", "hash": 212098520714376965006909699780859027375, "size": 3, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430853 }, { "func": "static inline int TCP_ECN_rcv_ecn_echo(const struct tcp_sock *tp, const struct tcphdr *th)\n{\n\tif (th->ece && !th->syn && (tp->ecn_flags & TCP_ECN_OK))\n\t\treturn 1;\n\treturn 0;\n}", "project": "net-next", "hash": 74355838170518117730297443827800514831, "size": 6, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409864 }, { "func": "static int do_sigtimedwait(const sigset_t *which, kernel_siginfo_t *info,\n\t\t const struct timespec64 *ts)\n{\n\tktime_t *to = NULL, timeout = KTIME_MAX;\n\tstruct task_struct *tsk = current;\n\tsigset_t mask = *which;\n\tint sig, ret = 0;\n\n\tif (ts) {\n\t\tif (!timespec64_valid(ts))\n\t\t\treturn -EINVAL;\n\t\ttimeout = timespec64_to_ktime(*ts);\n\t\tto = &timeout;\n\t}\n\n\t/*\n\t * Invert the set of allowed signals to get those we want to block.\n\t */\n\tsigdelsetmask(&mask, sigmask(SIGKILL) | sigmask(SIGSTOP));\n\tsignotset(&mask);\n\n\tspin_lock_irq(&tsk->sighand->siglock);\n\tsig = dequeue_signal(tsk, &mask, info);\n\tif (!sig && timeout) {\n\t\t/*\n\t\t * None ready, temporarily unblock those we're interested\n\t\t * while we are sleeping in so that we'll be awakened when\n\t\t * they arrive. Unblocking is always fine, we can avoid\n\t\t * set_current_blocked().\n\t\t */\n\t\ttsk->real_blocked = tsk->blocked;\n\t\tsigandsets(&tsk->blocked, &tsk->blocked, &mask);\n\t\trecalc_sigpending();\n\t\tspin_unlock_irq(&tsk->sighand->siglock);\n\n\t\t__set_current_state(TASK_INTERRUPTIBLE);\n\t\tret = freezable_schedule_hrtimeout_range(to, tsk->timer_slack_ns,\n\t\t\t\t\t\t\t HRTIMER_MODE_REL);\n\t\tspin_lock_irq(&tsk->sighand->siglock);\n\t\t__set_task_blocked(tsk, &tsk->real_blocked);\n\t\tsigemptyset(&tsk->real_blocked);\n\t\tsig = dequeue_signal(tsk, &mask, info);\n\t}\n\tspin_unlock_irq(&tsk->sighand->siglock);\n\n\tif (sig)\n\t\treturn sig;\n\treturn ret ? -EINTR : -EAGAIN;\n}", "project": "linux", "hash": 258874734766496858544461811367895864613, "size": 49, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375236 }, { "func": "static void core_insert_filter(request_rec *r)\n{\n core_dir_config *conf = (core_dir_config *)\n ap_get_core_module_config(r->per_dir_config);\n const char *filter, *filters = conf->output_filters;\n\n if (filters) {\n while (*filters && (filter = ap_getword(r->pool, &filters, ';'))) {\n ap_add_output_filter(filter, NULL, r, r->connection);\n }\n }\n\n filters = conf->input_filters;\n if (filters) {\n while (*filters && (filter = ap_getword(r->pool, &filters, ';'))) {\n ap_add_input_filter(filter, NULL, r, r->connection);\n }\n }\n}", "project": "httpd", "hash": 28662928963420979923054230331023976830, "size": 19, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246327 }, { "func": "static int __packet_get_status(const struct packet_sock *po, void *frame)\n{\n\tunion tpacket_uhdr h;\n\n\tsmp_rmb();\n\n\th.raw = frame;\n\tswitch (po->tp_version) {\n\tcase TPACKET_V1:\n\t\tflush_dcache_page(pgv_to_page(&h.h1->tp_status));\n\t\treturn h.h1->tp_status;\n\tcase TPACKET_V2:\n\t\tflush_dcache_page(pgv_to_page(&h.h2->tp_status));\n\t\treturn h.h2->tp_status;\n\tcase TPACKET_V3:\n\t\tflush_dcache_page(pgv_to_page(&h.h3->tp_status));\n\t\treturn h.h3->tp_status;\n\tdefault:\n\t\tWARN(1, \"TPACKET version not supported.\\n\");\n\t\tBUG();\n\t\treturn 0;\n\t}\n}", "project": "linux", "hash": 272867725130685805350865589376882793023, "size": 23, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate 
netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330383 }, { "func": "static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_le_conn_update_complete *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\tif (ev->status)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));\n\tif (conn) {\n\t\tconn->le_conn_interval = le16_to_cpu(ev->interval);\n\t\tconn->le_conn_latency = le16_to_cpu(ev->latency);\n\t\tconn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 166716324105071798761041379738845005803, "size": 22, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431915 }, { "func": "int blosc_decompress(const void* src, void* dest, size_t destsize) {\n return blosc2_decompress(src, INT32_MAX, dest, (int32_t)destsize);\n}", "project": "c-blosc2", "hash": 166917483261891806414035829511838892354, "size": 3, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303054 }, { "func": "Variant preg_split(const String& pattern, const String& subject,\n int limit /* = -1 */, int flags /* = 0 */) {\n PCRECache::Accessor accessor;\n if (!pcre_get_compiled_regex_cache(accessor, pattern.get())) {\n return preg_return_bad_regex_error(false);\n }\n const pcre_cache_entry* pce = accessor.get();\n\n int no_empty = flags & PREG_SPLIT_NO_EMPTY;\n bool delim_capture = flags & PREG_SPLIT_DELIM_CAPTURE;\n bool offset_capture = flags & PREG_SPLIT_OFFSET_CAPTURE;\n\n if (limit == 0) {\n limit = -1;\n }\n\n int size_offsets = 0;\n int* offsets = create_offset_array(pce, size_offsets);\n SmartFreeHelper offsetsFreer(offsets);\n if (offsets == nullptr) {\n return preg_return_internal_error(false);\n }\n\n /* Start at the beginning of the string */\n int start_offset = 0;\n int next_offset = 0;\n const char* last_match = subject.data();\n pcre_extra extra;\n init_local_extra(&extra, pce->extra);\n\n const bool hackArrOutput = flags & PREG_FB_HACK_ARRAYS;\n\n // Get next piece if no limit or limit not yet reached and something matched\n Array result = hackArrOutput ? 
Array::CreateDict() : Array::CreateDArray();\n int g_notempty = 0; /* If the match should not be empty */\n int utf8_check = 0;\n PCRECache::Accessor bump_accessor;\n const pcre_cache_entry* bump_pce = nullptr; /* instance for empty matches */\n while ((limit == -1 || limit > 1)) {\n int count = pcre_exec(pce->re, &extra, subject.data(), subject.size(),\n start_offset, g_notempty | utf8_check,\n offsets, size_offsets);\n\n /* Subsequent calls to pcre_exec don't need to bother with the\n * utf8 validity check: if the subject isn't valid, the first\n * call to pcre_exec will have failed, and as long as we only\n * set start_offset to known character boundaries we won't\n * supply an invalid offset. */\n utf8_check = PCRE_NO_UTF8_CHECK;\n\n /* Check for too many substrings condition. */\n if (count == 0) {\n raise_warning(\"Matched, but too many substrings\");\n count = size_offsets / 3;\n }\n\n /* If something matched */\n if (count > 0 && offsets[1] >= offsets[0]) {\n if (!no_empty || subject.data() + offsets[0] != last_match) {\n auto const length = subject.data() + offsets[0] - last_match;\n auto const match = String(last_match, length, CopyString);\n auto const value = offset_capture\n ? Variant(str_offset_pair(match, next_offset, hackArrOutput))\n : Variant(match);\n assertx(result->isVectorData());\n result.set(safe_cast(result.size()), value);\n\n /* One less left to do */\n if (limit != -1) limit--;\n }\n\n last_match = subject.data() + offsets[1];\n next_offset = offsets[1];\n\n if (delim_capture) {\n int i, match_len;\n for (i = 1; i < count; i++) {\n match_len = offsets[(i<<1)+1] - offsets[i<<1];\n /* If we have matched a delimiter */\n if (!no_empty || match_len > 0) {\n auto const match = subject.substr(offsets[i<<1], match_len);\n auto const value = offset_capture\n ? 
Variant(str_offset_pair(match, offsets[i<<1], hackArrOutput))\n : Variant(match);\n assertx(result->isVectorData());\n result.set(safe_cast(result.size()), value);\n }\n }\n }\n } else if (count == PCRE_ERROR_NOMATCH) {\n /* If we previously set PCRE_NOTEMPTY after a null match,\n this is not necessarily the end. We need to advance\n the start offset, and continue. Fudge the offset values\n to achieve this, unless we're already at the end of the string. */\n if (g_notempty != 0 && start_offset < subject.size()) {\n if (pce->compile_options & PCRE_UTF8) {\n if (bump_pce == nullptr) {\n auto const DEBUG_ONLY ok = pcre_get_compiled_regex_cache(\n bump_accessor, s_OneUnicodeCharPattern.get());\n assertx(ok);\n bump_pce = bump_accessor.get();\n }\n pcre_extra bump_extra;\n init_local_extra(&bump_extra, bump_pce->extra);\n count = pcre_exec(bump_pce->re, &bump_extra, subject.data(),\n subject.size(), start_offset,\n utf8_check, offsets, size_offsets);\n if (count < 1) {\n raise_warning(\"Unknown error\");\n offsets[0] = start_offset;\n offsets[1] = start_offset + 1;\n if (pcre_need_log_error(count)) {\n pcre_log_error(__FUNCTION__, __LINE__, count,\n pattern.data(), pattern.size(),\n subject.data(), subject.size(),\n \"\", 0,\n limit, flags, start_offset);\n }\n }\n } else {\n offsets[0] = start_offset;\n offsets[1] = start_offset + 1;\n }\n } else\n break;\n } else {\n if (pcre_need_log_error(count)) {\n pcre_log_error(__FUNCTION__, __LINE__, count,\n pattern.data(), pattern.size(),\n subject.data(), subject.size(),\n \"\", 0,\n limit, flags, start_offset, g_notempty);\n }\n // NOTE: this returns an error together with a partial result :-(\n start_offset = last_match - subject.data(); /* offset might have\n * been incremented,\n * but without further\n * successful matches */\n if (!no_empty || start_offset < subject.size()) {\n auto const match = subject.substr(start_offset);\n auto const value = offset_capture\n ? 
Variant(str_offset_pair(match, start_offset, hackArrOutput))\n : Variant(match);\n assertx(result->isVectorData());\n result.set(safe_cast(result.size()), value);\n }\n return preg_return_pcre_error(count, std::move(result));\n }\n\n /* If we have matched an empty string, mimic what Perl's /g options does.\n This turns out to be rather cunning. First we set PCRE_NOTEMPTY and try\n the match again at the same point. If this fails (picked up above) we\n advance to the next character. */\n g_notempty = (offsets[1] == offsets[0])? PCRE_NOTEMPTY | PCRE_ANCHORED : 0;\n\n /* Advance to the position right after the last full match */\n start_offset = offsets[1];\n }\n\n start_offset = last_match - subject.data(); /* offset might have\n * been incremented,\n * but without further\n * successful matches */\n if (!no_empty || start_offset < subject.size()) {\n auto const match = subject.substr(start_offset);\n auto const value = offset_capture\n ? Variant(str_offset_pair(match, start_offset, hackArrOutput))\n : Variant(match);\n assertx(result->isVectorData());\n result.set(safe_cast(result.size()), value);\n }\n\n return preg_return_no_error(std::move(result));\n}", "project": "hhvm", "hash": 267150769725290049073191045049038455661, "size": 174, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219663 }, { "func": "static void kvm_destroy_vm_debugfs(struct kvm *kvm)\n{\n\tint i;\n\n\tif (!kvm->debugfs_dentry)\n\t\treturn;\n\n\tdebugfs_remove_recursive(kvm->debugfs_dentry);\n\n\tif (kvm->debugfs_stat_data) {\n\t\tfor (i = 0; i < kvm_debugfs_num_entries; i++)\n\t\t\tkfree(kvm->debugfs_stat_data[i]);\n\t\tkfree(kvm->debugfs_stat_data);\n\t}\n}", "project": "linux", "hash": 338712316999273900407933028641897101544, "size": 15, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the 
LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354483 }, { "func": "UnicodeString::setTo(UChar *buffer,\n int32_t buffLength,\n int32_t buffCapacity) {\n if(fUnion.fFields.fLengthAndFlags & kOpenGetBuffer) {\n // do not modify a string that has an \"open\" getBuffer(minCapacity)\n return *this;\n }\n\n if(buffer == NULL) {\n // treat as an empty string, do not alias\n releaseArray();\n setToEmpty();\n return *this;\n }\n\n if(buffLength < -1 || buffCapacity < 0 || buffLength > buffCapacity) {\n setToBogus();\n return *this;\n } else if(buffLength == -1) {\n // buffLength = u_strlen(buff); but do not look beyond buffCapacity\n const UChar *p = buffer, *limit = buffer + buffCapacity;\n while(p != limit && *p != 0) {\n ++p;\n }\n buffLength = (int32_t)(p - buffer);\n }\n\n releaseArray();\n\n fUnion.fFields.fLengthAndFlags = kWritableAlias;\n setArray(buffer, buffLength, buffCapacity);\n return *this;\n}", "project": "icu", "hash": 136438764415255536120595383751037544482, "size": 33, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430736 }, { "func": "UnicodeString::setTo(UBool isTerminated,\n ConstChar16Ptr textPtr,\n int32_t textLength)\n{\n if(fUnion.fFields.fLengthAndFlags & kOpenGetBuffer) {\n // do not modify a string that has an \"open\" getBuffer(minCapacity)\n return *this;\n }\n\n const UChar 
*text = textPtr;\n if(text == NULL) {\n // treat as an empty string, do not alias\n releaseArray();\n setToEmpty();\n return *this;\n }\n\n if( textLength < -1 ||\n (textLength == -1 && !isTerminated) ||\n (textLength >= 0 && isTerminated && text[textLength] != 0)\n ) {\n setToBogus();\n return *this;\n }\n\n releaseArray();\n\n if(textLength == -1) {\n // text is terminated, or else it would have failed the above test\n textLength = u_strlen(text);\n }\n fUnion.fFields.fLengthAndFlags = kReadonlyAlias;\n setArray((UChar *)text, textLength, isTerminated ? textLength + 1 : textLength);\n return *this;\n}", "project": "icu", "hash": 104741357154355199996659729956925628100, "size": 35, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430814 }, { "func": "static bool adv_cur_instance_is_scannable(struct hci_dev *hdev)\n{\n\treturn adv_instance_is_scannable(hdev, hdev->cur_adv_instance);\n}", "project": "linux", "hash": 125927981172331288670568256205429507349, "size": 4, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402577 }, { "func": "static void boxes_check(size_t b,size_t m)\n{\n if ( b > m ) {\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Exiv2::Jp2Image::readMetadata box maximum exceeded\" << std::endl;\n#endif\n throw Error(kerCorruptedMetadata);\n }\n}", "project": "exiv2", "hash": 327642298921079288855591320652402363607, "size": 9, "commit_id": "f9308839198aca5e68a65194f151a1de92398f54", "message": "Better bounds checking in Jp2Image::encodeJp2Header()", "target": 0, "dataset": "other", "idx": 409136 }, { "func": "UnicodeString::countChar32(int32_t start, int32_t length) const {\n pinIndices(start, length);\n // if(isBogus()) then fArray==0 and start==0 - u_countChar32() checks for NULL\n return u_countChar32(getArrayStart()+start, length);\n}", "project": "icu", "hash": 3739006231853787760806834965361262986, "size": 5, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430778 }, { "func": "UnicodeString::hasMoreChar32Than(int32_t start, int32_t length, int32_t number) const {\n pinIndices(start, length);\n // if(isBogus()) then fArray==0 and start==0 - u_strHasMoreChar32Than() checks for NULL\n return u_strHasMoreChar32Than(getArrayStart()+start, length, number);\n}", "project": "icu", "hash": 335432556712158374597206328291083251003, "size": 5, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430816 }, { "func": "UnicodeString::toUTF8(int32_t start, int32_t len,\n char *target, int32_t capacity) const {\n pinIndices(start, len);\n int32_t length8;\n UErrorCode errorCode = U_ZERO_ERROR;\n 
u_strToUTF8WithSub(target, capacity, &length8,\n getBuffer() + start, len,\n 0xFFFD, // Standard substitution character.\n NULL, // Don't care about number of substitutions.\n &errorCode);\n return length8;\n}", "project": "icu", "hash": 175982085106389850515973259507060832849, "size": 12, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430862 }, { "func": "void vcpu_put(struct kvm_vcpu *vcpu)\n{\n\tpreempt_disable();\n\tkvm_arch_vcpu_put(vcpu);\n\tpreempt_notifier_unregister(&vcpu->preempt_notifier);\n\t__this_cpu_write(kvm_running_vcpu, NULL);\n\tpreempt_enable();\n}", "project": "linux", "hash": 33788259686935957705524168706985693198, "size": 8, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354749 }, { "func": "static int syndbg_set_msr(struct kvm_vcpu *vcpu, u32 msr, u64 data, bool host)\n{\n\tstruct kvm_hv_syndbg *syndbg = to_hv_syndbg(vcpu);\n\n\tif (!kvm_hv_is_syndbg_enabled(vcpu) && !host)\n\t\treturn 1;\n\n\ttrace_kvm_hv_syndbg_set_msr(vcpu->vcpu_id,\n\t\t\t\t to_hv_vcpu(vcpu)->vp_index, msr, data);\n\tswitch (msr) {\n\tcase HV_X64_MSR_SYNDBG_CONTROL:\n\t\tsyndbg->control.control = data;\n\t\tif (!host)\n\t\t\tsyndbg_exit(vcpu, msr);\n\t\tbreak;\n\tcase 
HV_X64_MSR_SYNDBG_STATUS:\n\t\tsyndbg->control.status = data;\n\t\tbreak;\n\tcase HV_X64_MSR_SYNDBG_SEND_BUFFER:\n\t\tsyndbg->control.send_page = data;\n\t\tbreak;\n\tcase HV_X64_MSR_SYNDBG_RECV_BUFFER:\n\t\tsyndbg->control.recv_page = data;\n\t\tbreak;\n\tcase HV_X64_MSR_SYNDBG_PENDING_BUFFER:\n\t\tsyndbg->control.pending_page = data;\n\t\tif (!host)\n\t\t\tsyndbg_exit(vcpu, msr);\n\t\tbreak;\n\tcase HV_X64_MSR_SYNDBG_OPTIONS:\n\t\tsyndbg->options = data;\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 134641491484978317184666386819654975575, "size": 38, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343530 }, { "func": "static void __init resiliency_test(void)\n{\n\tu8 *p;\n\tint type = KMALLOC_NORMAL;\n\n\tBUILD_BUG_ON(KMALLOC_MIN_SIZE > 16 || KMALLOC_SHIFT_HIGH < 10);\n\n\tpr_err(\"SLUB resiliency testing\\n\");\n\tpr_err(\"-----------------------\\n\");\n\tpr_err(\"A. Corruption after allocation\\n\");\n\n\tp = kzalloc(16, GFP_KERNEL);\n\tp[16] = 0x12;\n\tpr_err(\"\\n1. kmalloc-16: Clobber Redzone/next pointer 0x12->0x%p\\n\\n\",\n\t p + 16);\n\n\tvalidate_slab_cache(kmalloc_caches[type][4]);\n\n\t/* Hmmm... The next two are dangerous */\n\tp = kzalloc(32, GFP_KERNEL);\n\tp[32 + sizeof(void *)] = 0x34;\n\tpr_err(\"\\n2. kmalloc-32: Clobber next pointer/next slab 0x34 -> -0x%p\\n\",\n\t p);\n\tpr_err(\"If allocated object is overwritten then not detectable\\n\\n\");\n\n\tvalidate_slab_cache(kmalloc_caches[type][5]);\n\tp = kzalloc(64, GFP_KERNEL);\n\tp += 64 + (get_cycles() & 0xff) * sizeof(void *);\n\t*p = 0x56;\n\tpr_err(\"\\n3. kmalloc-64: corrupting random byte 0x56->0x%p\\n\",\n\t p);\n\tpr_err(\"If allocated object is overwritten then not detectable\\n\\n\");\n\tvalidate_slab_cache(kmalloc_caches[type][6]);\n\n\tpr_err(\"\\nB. Corruption after free\\n\");\n\tp = kzalloc(128, GFP_KERNEL);\n\tkfree(p);\n\t*p = 0x78;\n\tpr_err(\"1. kmalloc-128: Clobber first word 0x78->0x%p\\n\\n\", p);\n\tvalidate_slab_cache(kmalloc_caches[type][7]);\n\n\tp = kzalloc(256, GFP_KERNEL);\n\tkfree(p);\n\tp[50] = 0x9a;\n\tpr_err(\"\\n2. 
kmalloc-256: Clobber 50th byte 0x9a->0x%p\\n\\n\", p);\n\tvalidate_slab_cache(kmalloc_caches[type][8]);\n\n\tp = kzalloc(512, GFP_KERNEL);\n\tkfree(p);\n\tp[512] = 0xab;\n\tpr_err(\"\\n3. kmalloc-512: Clobber redzone 0xab->0x%p\\n\\n\", p);\n\tvalidate_slab_cache(kmalloc_caches[type][9]);\n}", "project": "linux", "hash": 10001647746290675846259530376646593336, "size": 53, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280192 }, { "func": "static void resiliency_test(void) {};", "project": "linux", "hash": 224239867760390717069108187317838891983, "size": 1, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280248 }, { "func": "static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\t__u8 *sent, status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);\n\tif (!sent)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\t/* If we're doing connection initiation as peripheral. Set a\n\t * timeout in case something goes wrong.\n\t */\n\tif (*sent) {\n\t\tstruct hci_conn *conn;\n\n\t\thci_dev_set_flag(hdev, HCI_LE_ADV);\n\n\t\tconn = hci_lookup_le_connect(hdev);\n\t\tif (conn)\n\t\t\tqueue_delayed_work(hdev->workqueue,\n\t\t\t\t\t &conn->le_conn_timeout,\n\t\t\t\t\t conn->conn_timeout);\n\t} else {\n\t\thci_dev_clear_flag(hdev, HCI_LE_ADV);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 336673653881877146599323671952916224150, "size": 34, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432021 }, { "func": "static void kvm_hv_hypercall_set_result(struct kvm_vcpu *vcpu, u64 result)\n{\n\tbool longmode;\n\n\tlongmode = is_64_bit_mode(vcpu);\n\tif (longmode)\n\t\tkvm_rax_write(vcpu, result);\n\telse {\n\t\tkvm_rdx_write(vcpu, result >> 32);\n\t\tkvm_rax_write(vcpu, result & 0xffffffff);\n\t}\n}", "project": "linux", "hash": 147994013316021494948227583678613385348, "size": 12, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343505 }, { "func": "static void prompt_sec(RCore *r, char *s, size_t maxlen) {\n\tconst RBinSection *sec = r_bin_get_section_at (r_bin_cur_object (r->bin), r->offset, true);\n\tif (!sec) {\n\t\treturn;\n\t}\n\tr_str_ncpy (s, sec->name, maxlen - 2);\n\tstrcat (s, \":\");\n}", "project": "radare2", "hash": 302012267862440555312358674606849180866, "size": 8, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232157 }, { "func": "static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)\n{\n\tstruct sadb_prop *p;\n\tint i;\n\n\tp = skb_put(skb, sizeof(struct sadb_prop));\n\tp->sadb_prop_len = sizeof(struct sadb_prop)/8;\n\tp->sadb_prop_exttype = SADB_EXT_PROPOSAL;\n\tp->sadb_prop_replay = 32;\n\tmemset(p->sadb_prop_reserved, 0, sizeof(p->sadb_prop_reserved));\n\n\tfor (i = 0; ; i++) {\n\t\tconst struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(i);\n\t\tif (!aalg)\n\t\t\tbreak;\n\n\t\tif (!aalg->pfkey_supported)\n\t\t\tcontinue;\n\n\t\tif (aalg_tmpl_set(t, aalg) && aalg->available) {\n\t\t\tstruct sadb_comb *c;\n\t\t\tc = skb_put_zero(skb, sizeof(struct sadb_comb));\n\t\t\tp->sadb_prop_len += sizeof(struct sadb_comb)/8;\n\t\t\tc->sadb_comb_auth = aalg->desc.sadb_alg_id;\n\t\t\tc->sadb_comb_auth_minbits = aalg->desc.sadb_alg_minbits;\n\t\t\tc->sadb_comb_auth_maxbits = aalg->desc.sadb_alg_maxbits;\n\t\t\tc->sadb_comb_hard_addtime = 24*60*60;\n\t\t\tc->sadb_comb_soft_addtime = 20*60*60;\n\t\t\tc->sadb_comb_hard_usetime = 
8*60*60;\n\t\t\tc->sadb_comb_soft_usetime = 7*60*60;\n\t\t}\n\t}\n}", "project": "linux", "hash": 198980826846583752898755110157192831086, "size": 33, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268050 }, { "func": "bool wsrep_sst_auth_update (sys_var *self, THD* thd, enum_var_type type)\n{\n return sst_auth_real_set (wsrep_sst_auth);\n}", "project": "mysql-wsrep", "hash": 293509099709066827297089729940431748782, "size": 4, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454800 }, { "func": "static void layoutEthereumData(const uint8_t *data, uint32_t len,\n uint32_t total_len, char *out_str,\n size_t out_str_len) {\n char hexdata[3][17];\n char summary[20];\n uint32_t printed = 0;\n for (int i = 0; i < 3; i++) {\n uint32_t linelen = len - printed;\n if (linelen > 8) {\n linelen = 8;\n }\n data2hex(data, linelen, hexdata[i]);\n data += linelen;\n printed += linelen;\n }\n\n strcpy(summary, \"... 
bytes\");\n char *p = summary + 11;\n uint32_t number = total_len;\n while (number > 0) {\n *p-- = '0' + number % 10;\n number = number / 10;\n }\n char *summarystart = summary;\n if (total_len == printed) summarystart = summary + 4;\n\n if ((uint32_t)snprintf(out_str, out_str_len, \"%s%s\\n%s%s\", hexdata[0],\n hexdata[1], hexdata[2], summarystart) >= out_str_len) {\n /*error detected. Clear the buffer */\n memset(out_str, 0, out_str_len);\n }\n}", "project": "keepkey-firmware", "hash": 220917536683186647392808634351585899358, "size": 32, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220874 }, { "func": "static void sctp_for_each_rx_skb(struct sctp_association *asoc, struct sock *sk,\n\t\t\t\t void (*cb)(struct sk_buff *, struct sock *))\n\n{\n\tstruct sk_buff *skb, *tmp;\n\n\tsctp_skb_for_each(skb, &asoc->ulpq.lobby, tmp)\n\t\tcb(skb, sk);\n\n\tsctp_skb_for_each(skb, &asoc->ulpq.reasm, tmp)\n\t\tcb(skb, sk);\n\n\tsctp_skb_for_each(skb, &asoc->ulpq.reasm_uo, tmp)\n\t\tcb(skb, sk);\n}", "project": "linux", "hash": 179146996212271183963425045575556726758, "size": 15, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398210 }, { "func": "void opj_tcd_marker_info_destroy(opj_tcd_marker_info_t *p_tcd_marker_info)\n{\n if (p_tcd_marker_info) {\n opj_free(p_tcd_marker_info->p_packet_size);\n }\n}", "project": "openjpeg", "hash": 68555396057440488001789259767265514569, "size": 6, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359162 }, { "func": "bool pb_decode_fixed64(pb_istream_t *stream, void *dest)\n{\n pb_byte_t bytes[8];\n\n if (!pb_read(stream, bytes, 8))\n return false;\n \n *(uint64_t*)dest = ((uint64_t)bytes[0] << 0) |\n ((uint64_t)bytes[1] << 8) |\n ((uint64_t)bytes[2] << 16) |\n ((uint64_t)bytes[3] << 24) |\n ((uint64_t)bytes[4] << 32) |\n ((uint64_t)bytes[5] << 40) |\n ((uint64_t)bytes[6] << 48) |\n ((uint64_t)bytes[7] << 56);\n \n return true;\n}", "project": "nanopb", "hash": 57728436523825887621982808406594064588, "size": 18, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252522 }, { "func": "bool pb_decode_fixed64(pb_istream_t *stream, void *dest)\n{\n #ifdef __BIG_ENDIAN__\n uint8_t *bytes = (uint8_t*)dest;\n uint8_t lebytes[8];\n \n if (!pb_read(stream, lebytes, 8))\n return false;\n \n bytes[0] = lebytes[7];\n bytes[1] = lebytes[6];\n bytes[2] = 
lebytes[5];\n bytes[3] = lebytes[4];\n bytes[4] = lebytes[3];\n bytes[5] = lebytes[2];\n bytes[6] = lebytes[1];\n bytes[7] = lebytes[0];\n return true;\n #else\n return pb_read(stream, (uint8_t*)dest, 8);\n #endif \n}", "project": "nanopb", "hash": 324346997929209250572885924031535965367, "size": 22, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255345 }, { "func": "R_API int r_core_prompt(RCore *r, int sync) {\n\tchar line[4096];\n\n\tint rnv = r->num->value;\n\tset_prompt (r);\n\tint ret = r_cons_fgets (line, sizeof (line), 0, NULL);\n\tif (ret == -2) {\n\t\treturn R_CORE_CMD_EXIT; // ^D\n\t}\n\tif (ret == -1) {\n\t\treturn false; // FD READ ERROR\n\t}\n\tr->num->value = rnv;\n\tif (sync) {\n\t\treturn r_core_prompt_exec (r);\n\t}\n\tfree (r->cmdqueue);\n\tr->cmdqueue = strdup (line);\n if (r->scr_gadgets && *line && *line != 'q') {\n r_core_cmd0 (r, \"pg\");\n }\n\tr->num->value = r->rc;\n\treturn true;\n}", "project": "radare2", "hash": 286895601732844389542546176106762964534, "size": 24, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232111 }, { "func": "static int _nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir,\n\t\t\t\t const struct qstr *name,\n\t\t\t\t struct nfs4_fs_locations *fs_locations,\n\t\t\t\t struct page *page)\n{\n\tstruct nfs_server *server = NFS_SERVER(dir);\n\tu32 bitmask[3];\n\tstruct nfs4_fs_locations_arg args = {\n\t\t.dir_fh = NFS_FH(dir),\n\t\t.name = name,\n\t\t.page = page,\n\t\t.bitmask = bitmask,\n\t};\n\tstruct nfs4_fs_locations_res res = {\n\t\t.fs_locations = fs_locations,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_FS_LOCATIONS],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t};\n\tint status;\n\n\tdprintk(\"%s: start\\n\", 
__func__);\n\n\tbitmask[0] = nfs4_fattr_bitmap[0] | FATTR4_WORD0_FS_LOCATIONS;\n\tbitmask[1] = nfs4_fattr_bitmap[1];\n\n\t/* Ask for the fileid of the absent filesystem if mounted_on_fileid\n\t * is not supported */\n\tif (NFS_SERVER(dir)->attr_bitmask[1] & FATTR4_WORD1_MOUNTED_ON_FILEID)\n\t\tbitmask[0] &= ~FATTR4_WORD0_FILEID;\n\telse\n\t\tbitmask[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID;\n\n\tnfs_fattr_init(&fs_locations->fattr);\n\tfs_locations->server = server;\n\tfs_locations->nlocations = 0;\n\tstatus = nfs4_call_sync(client, server, &msg, &args.seq_args, &res.seq_res, 0);\n\tdprintk(\"%s: returned status = %d\\n\", __func__, status);\n\treturn status;\n}", "project": "linux", "hash": 168734344578787345635909539095707039032, "size": 42, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430968 }, { "func": "void WebContents::RenderViewDeleted(content::RenderViewHost* render_view_host) {\n // This event is necessary for tracking any states with respect to\n // intermediate render view hosts aka speculative render view hosts. Currently\n // used by object-registry.js to ref count remote objects.\n Emit(\"render-view-deleted\", render_view_host->GetProcess()->GetID());\n\n if (-1 == currently_committed_process_id_ ||\n render_view_host->GetProcess()->GetID() ==\n currently_committed_process_id_) {\n currently_committed_process_id_ = -1;\n\n // When the RVH that has been deleted is the current RVH it means that the\n // the web contents are being closed. 
This is communicated by this event.\n // Currently tracked by guest-window-manager.js to destroy the\n // BrowserWindow.\n Emit(\"current-render-view-deleted\",\n render_view_host->GetProcess()->GetID());\n }\n}", "project": "electron", "hash": 192139389627798367361011897609378853933, "size": 19, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269746 }, { "func": "static void *__slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,\n\t\t\t unsigned long addr, struct kmem_cache_cpu *c)\n{\n\tvoid *p;\n\tunsigned long flags;\n\n\tlocal_irq_save(flags);\n#ifdef CONFIG_PREEMPTION\n\t/*\n\t * We may have been preempted and rescheduled on a different\n\t * cpu before disabling interrupts. Need to reload cpu area\n\t * pointer.\n\t */\n\tc = this_cpu_ptr(s->cpu_slab);\n#endif\n\n\tp = ___slab_alloc(s, gfpflags, node, addr, c);\n\tlocal_irq_restore(flags);\n\treturn p;\n}", "project": "linux", "hash": 104851650859666263052593293999166156450, "size": 20, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280126 }, { "func": "int kvm_read_guest_page(struct kvm *kvm, gfn_t gfn, void *data, int offset,\n\t\t\tint len)\n{\n\tstruct kvm_memory_slot *slot = gfn_to_memslot(kvm, gfn);\n\n\treturn __kvm_read_guest_page(slot, gfn, data, offset, len);\n}", "project": "linux", "hash": 123033996292392822263579782131699598481, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354539 }, { "func": "static bool io_rw_should_retry(struct io_kiocb *req)\n{\n\tstruct kiocb *kiocb = &req->rw.kiocb;\n\tint ret;\n\n\t/* never retry for NOWAIT, we just complete with -EAGAIN */\n\tif (req->flags & REQ_F_NOWAIT)\n\t\treturn false;\n\n\t/* already tried, or we're doing O_DIRECT */\n\tif (kiocb->ki_flags & (IOCB_DIRECT | IOCB_WAITQ))\n\t\treturn false;\n\t/*\n\t * just use poll if we can, and don't attempt if the fs doesn't\n\t * support callback based unlocks\n\t */\n\tif (file_can_poll(req->file) || 
!(req->file->f_mode & FMODE_BUF_RASYNC))\n\t\treturn false;\n\n\t/*\n\t * If request type doesn't require req->io to defer in general,\n\t * we need to allocate it here\n\t */\n\tif (!req->io && __io_alloc_async_ctx(req))\n\t\treturn false;\n\n\tret = kiocb_wait_page_queue_init(kiocb, &req->io->rw.wpq,\n\t\t\t\t\t\tio_async_buf_func, req);\n\tif (!ret) {\n\t\tio_get_req_task(req);\n\t\treturn true;\n\t}\n\n\treturn false;\n}", "project": "linux", "hash": 67300470271842113400981977635119760312, "size": 35, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456913 }, { "func": "\nstatic int __io_sqe_files_update(struct io_ring_ctx *ctx,\n\t\t\t\t struct io_uring_rsrc_update2 *up,\n\t\t\t\t unsigned nr_args)\n{\n\tu64 __user *tags = u64_to_user_ptr(up->tags);\n\t__s32 __user *fds = u64_to_user_ptr(up->data);\n\tstruct io_rsrc_data *data = ctx->file_data;\n\tstruct io_fixed_file *file_slot;\n\tstruct file *file;\n\tint fd, i, err = 0;\n\tunsigned int done;\n\tbool needs_switch = false;\n\n\tif (!ctx->file_data)\n\t\treturn -ENXIO;\n\tif (up->offset + nr_args > ctx->nr_user_files)\n\t\treturn -EINVAL;\n\n\tfor (done = 0; done < nr_args; done++) {\n\t\tu64 tag = 0;\n\n\t\tif ((tags && copy_from_user(&tag, &tags[done], sizeof(tag))) ||\n\t\t copy_from_user(&fd, &fds[done], sizeof(fd))) {\n\t\t\terr = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\tif ((fd == IORING_REGISTER_FILES_SKIP || fd == -1) && tag) 
{\n\t\t\terr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\t\tif (fd == IORING_REGISTER_FILES_SKIP)\n\t\t\tcontinue;\n\n\t\ti = array_index_nospec(up->offset + done, ctx->nr_user_files);\n\t\tfile_slot = io_fixed_file_slot(&ctx->file_table, i);\n\n\t\tif (file_slot->file_ptr) {\n\t\t\tfile = (struct file *)(file_slot->file_ptr & FFS_MASK);\n\t\t\terr = io_queue_rsrc_removal(data, up->offset + done,\n\t\t\t\t\t\t ctx->rsrc_node, file);\n\t\t\tif (err)\n\t\t\t\tbreak;\n\t\t\tfile_slot->file_ptr = 0;\n\t\t\tneeds_switch = true;\n\t\t}\n\t\tif (fd != -1) {\n\t\t\tfile = fget(fd);\n\t\t\tif (!file) {\n\t\t\t\terr = -EBADF;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\t/*\n\t\t\t * Don't allow io_uring instances to be registered. If\n\t\t\t * UNIX isn't enabled, then this causes a reference\n\t\t\t * cycle and this instance can never get freed. If UNIX\n\t\t\t * is enabled we'll handle it just fine, but there's\n\t\t\t * still no point in allowing a ring fd as it doesn't\n\t\t\t * support regular read/write anyway.\n\t\t\t */\n\t\t\tif (file->f_op == &io_uring_fops) {\n\t\t\t\tfput(file);\n\t\t\t\terr = -EBADF;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tdata->tags[up->offset + done] = tag;\n\t\t\tio_fixed_file_set(file_slot, file);\n\t\t\terr = io_sqe_file_register(ctx, file, i);\n\t\t\tif (err) {\n\t\t\t\tfile_slot->file_ptr = 0;\n\t\t\t\tfput(file);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (needs_switch)\n\t\tio_rsrc_node_switch(ctx, data);\n\treturn done ? done : err;", "project": "linux", "hash": 227154123884941670225545069692554722710, "size": 79, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338594 }, { "func": "static int __io_sqe_files_update(struct io_ring_ctx *ctx,\n\t\t\t\t struct io_uring_files_update *up,\n\t\t\t\t unsigned nr_args)\n{\n\tstruct fixed_file_data *data = ctx->file_data;\n\tstruct fixed_file_ref_node *ref_node;\n\tstruct file *file;\n\t__s32 __user *fds;\n\tint fd, i, err;\n\t__u32 done;\n\tbool needs_switch = false;\n\n\tif (check_add_overflow(up->offset, nr_args, &done))\n\t\treturn -EOVERFLOW;\n\tif (done > ctx->nr_user_files)\n\t\treturn -EINVAL;\n\n\tref_node = alloc_fixed_file_ref_node(ctx);\n\tif (IS_ERR(ref_node))\n\t\treturn PTR_ERR(ref_node);\n\n\tdone = 0;\n\tfds = u64_to_user_ptr(up->fds);\n\twhile (nr_args) {\n\t\tstruct fixed_file_table *table;\n\t\tunsigned index;\n\n\t\terr = 0;\n\t\tif (copy_from_user(&fd, &fds[done], sizeof(fd))) {\n\t\t\terr = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\ti = array_index_nospec(up->offset, ctx->nr_user_files);\n\t\ttable = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];\n\t\tindex = i & IORING_FILE_TABLE_MASK;\n\t\tif (table->files[index]) {\n\t\t\tfile = io_file_from_index(ctx, index);\n\t\t\terr = io_queue_file_removal(data, file);\n\t\t\tif (err)\n\t\t\t\tbreak;\n\t\t\ttable->files[index] = NULL;\n\t\t\tneeds_switch = true;\n\t\t}\n\t\tif (fd != -1) {\n\t\t\tfile = fget(fd);\n\t\t\tif (!file) {\n\t\t\t\terr = -EBADF;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\t/*\n\t\t\t * Don't 
allow io_uring instances to be registered. If\n\t\t\t * UNIX isn't enabled, then this causes a reference\n\t\t\t * cycle and this instance can never get freed. If UNIX\n\t\t\t * is enabled we'll handle it just fine, but there's\n\t\t\t * still no point in allowing a ring fd as it doesn't\n\t\t\t * support regular read/write anyway.\n\t\t\t */\n\t\t\tif (file->f_op == &io_uring_fops) {\n\t\t\t\tfput(file);\n\t\t\t\terr = -EBADF;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\ttable->files[index] = file;\n\t\t\terr = io_sqe_file_register(ctx, file, i);\n\t\t\tif (err) {\n\t\t\t\tfput(file);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tnr_args--;\n\t\tdone++;\n\t\tup->offset++;\n\t}\n\n\tif (needs_switch) {\n\t\tpercpu_ref_kill(data->cur_refs);\n\t\tspin_lock(&data->lock);\n\t\tlist_add(&ref_node->node, &data->ref_list);\n\t\tdata->cur_refs = &ref_node->refs;\n\t\tspin_unlock(&data->lock);\n\t\tpercpu_ref_get(&ctx->file_data->refs);\n\t} else\n\t\tdestroy_fixed_file_ref_node(ref_node);\n\n\treturn done ? done : err;\n}", "project": "linux", "hash": 220335872271370511160777428071064038031, "size": 86, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456910 }, { "func": "static void kvm_free_memslots(struct kvm *kvm, struct kvm_memslots *slots)\n{\n\tstruct kvm_memory_slot *memslot;\n\n\tif (!slots)\n\t\treturn;\n\n\tkvm_for_each_memslot(memslot, slots)\n\t\tkvm_free_memslot(kvm, memslot);\n\n\tkvfree(slots);\n}", 
"project": "linux", "hash": 236472832489500437118723000823561072654, "size": 12, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354623 }, { "func": "static inline int ip_select_ttl(struct inet_sock *inet, struct dst_entry *dst)\n{\n\tint ttl = inet->uc_ttl;\n\n\tif (ttl < 0)\n\t\tttl = ip4_dst_hoplimit(dst);\n\treturn ttl;\n}", "project": "net", "hash": 339083586898687920312839742649812107621, "size": 8, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 468946 }, { "func": "static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)\n{\n\t__be32 id = (__force __be32)nf_ct_get_id(ct);\n\n\tif (nla_put_be32(skb, CTA_ID, id))\n\t\tgoto nla_put_failure;\n\treturn 0;\n\nnla_put_failure:\n\treturn -1;\n}", "project": "linux", "hash": 129194066358626090113396020131325569049, "size": 11, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. 
MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394254 }, { "func": " const Type_handler *type_handler() const\n {\n return get_handler_by_field_type(field_type());\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 61459481357699048891863444611043767708, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509068 }, { "func": "static inline void ep_reset_busy_poll_napi_id(struct eventpoll *ep)\n{\n\tif (ep->napi_id)\n\t\tep->napi_id = 0;\n}", "project": "linux", "hash": 167119098958427176080831915303792900616, "size": 5, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336286 }, { "func": "static inline void ep_reset_busy_poll_napi_id(struct eventpoll *ep)\n{\n}", "project": "linux", "hash": 309518091143799946291546931736544653947, "size": 3, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336290 }, { "func": "static int tiocgpgrp(struct tty_struct *tty, struct tty_struct *real_tty, pid_t __user *p)\n{\n\tstruct pid *pid;\n\tint ret;\n\t/*\n\t * (tty == real_tty) is a cheap way of\n\t * testing if the tty is NOT a master pty.\n\t */\n\tif (tty == real_tty && current->signal->tty != real_tty)\n\t\treturn -ENOTTY;\n\tpid = tty_get_pgrp(real_tty);\n\tret = put_user(pid_vnr(pid), p);\n\tput_pid(pid);\n\treturn ret;\n}", "project": "linux", "hash": 201785473830237215971999257983547182988, "size": 15, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID 
if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326038 }, { "func": "ssize_t ProtocolV1::write_message(Message *m, bufferlist &bl, bool more) {\n FUNCTRACE(cct);\n ceph_assert(connection->center->in_thread());\n m->set_seq(++out_seq);\n\n if (messenger->crcflags & MSG_CRC_HEADER) {\n m->calc_header_crc();\n }\n\n ceph_msg_header &header = m->get_header();\n ceph_msg_footer &footer = m->get_footer();\n\n // TODO: let sign_message could be reentry?\n // Now that we have all the crcs calculated, handle the\n // digital signature for the message, if the AsyncConnection has session\n // security set up. Some session security options do not\n // actually calculate and check the signature, but they should\n // handle the calls to sign_message and check_signature. 
PLR\n if (session_security.get() == NULL) {\n ldout(cct, 20) << __func__ << \" no session security\" << dendl;\n } else {\n if (session_security->sign_message(m)) {\n ldout(cct, 20) << __func__ << \" failed to sign m=\" << m\n << \"): sig = \" << footer.sig << dendl;\n } else {\n ldout(cct, 20) << __func__ << \" signed m=\" << m\n << \"): sig = \" << footer.sig << dendl;\n }\n }\n\n connection->outgoing_bl.append(CEPH_MSGR_TAG_MSG);\n connection->outgoing_bl.append((char *)&header, sizeof(header));\n\n ldout(cct, 20) << __func__ << \" sending message type=\" << header.type\n << \" src \" << entity_name_t(header.src)\n << \" front=\" << header.front_len << \" data=\" << header.data_len\n << \" off \" << header.data_off << dendl;\n\n if ((bl.length() <= ASYNC_COALESCE_THRESHOLD) && (bl.get_num_buffers() > 1)) {\n for (const auto &pb : bl.buffers()) {\n connection->outgoing_bl.append((char *)pb.c_str(), pb.length());\n }\n } else {\n connection->outgoing_bl.claim_append(bl);\n }\n\n // send footer; if receiver doesn't support signatures, use the old footer\n // format\n ceph_msg_footer_old old_footer;\n if (connection->has_feature(CEPH_FEATURE_MSG_AUTH)) {\n connection->outgoing_bl.append((char *)&footer, sizeof(footer));\n } else {\n if (messenger->crcflags & MSG_CRC_HEADER) {\n old_footer.front_crc = footer.front_crc;\n old_footer.middle_crc = footer.middle_crc;\n } else {\n old_footer.front_crc = old_footer.middle_crc = 0;\n }\n old_footer.data_crc =\n messenger->crcflags & MSG_CRC_DATA ? 
footer.data_crc : 0;\n old_footer.flags = footer.flags;\n connection->outgoing_bl.append((char *)&old_footer, sizeof(old_footer));\n }\n\n m->trace.event(\"async writing message\");\n ldout(cct, 20) << __func__ << \" sending \" << m->get_seq() << \" \" << m\n << dendl;\n ssize_t total_send_size = connection->outgoing_bl.length();\n ssize_t rc = connection->_try_send(more);\n if (rc < 0) {\n ldout(cct, 1) << __func__ << \" error sending \" << m << \", \"\n << cpp_strerror(rc) << dendl;\n } else {\n connection->logger->inc(\n l_msgr_send_bytes, total_send_size - connection->outgoing_bl.length());\n ldout(cct, 10) << __func__ << \" sending \" << m\n << (rc ? \" continuely.\" : \" done.\") << dendl;\n }\n\n#if defined(WITH_EVENTTRACE)\n if (m->get_type() == CEPH_MSG_OSD_OP)\n OID_EVENT_TRACE_WITH_MSG(m, \"SEND_MSG_OSD_OP_END\", false);\n else if (m->get_type() == CEPH_MSG_OSD_OPREPLY)\n OID_EVENT_TRACE_WITH_MSG(m, \"SEND_MSG_OSD_OPREPLY_END\", false);\n#endif\n m->put();\n\n return rc;\n}", "project": "ceph", "hash": 243298484203080719966287486449963366282, "size": 89, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": "msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f (\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a 
required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 0, "dataset": "other", "idx": 356899 }, { "func": "static int avic_incomplete_ipi_interception(struct vcpu_svm *svm)\n{\n\tu32 icrh = svm->vmcb->control.exit_info_1 >> 32;\n\tu32 icrl = svm->vmcb->control.exit_info_1;\n\tu32 id = svm->vmcb->control.exit_info_2 >> 32;\n\tu32 index = svm->vmcb->control.exit_info_2 & 0xFF;\n\tstruct kvm_lapic *apic = svm->vcpu.arch.apic;\n\n\ttrace_kvm_avic_incomplete_ipi(svm->vcpu.vcpu_id, icrh, icrl, id, index);\n\n\tswitch (id) {\n\tcase AVIC_IPI_FAILURE_INVALID_INT_TYPE:\n\t\t/*\n\t\t * AVIC hardware handles the generation of\n\t\t * IPIs when the specified Message Type is Fixed\n\t\t * (also known as fixed delivery mode) and\n\t\t * the Trigger Mode is edge-triggered. The hardware\n\t\t * also supports self and broadcast delivery modes\n\t\t * specified via the Destination Shorthand(DSH)\n\t\t * field of the ICRL. Logical and physical APIC ID\n\t\t * formats are supported. All other IPI types cause\n\t\t * a #VMEXIT, which needs to emulated.\n\t\t */\n\t\tkvm_lapic_reg_write(apic, APIC_ICR2, icrh);\n\t\tkvm_lapic_reg_write(apic, APIC_ICR, icrl);\n\t\tbreak;\n\tcase AVIC_IPI_FAILURE_TARGET_NOT_RUNNING: {\n\t\tint i;\n\t\tstruct kvm_vcpu *vcpu;\n\t\tstruct kvm *kvm = svm->vcpu.kvm;\n\t\tstruct kvm_lapic *apic = svm->vcpu.arch.apic;\n\n\t\t/*\n\t\t * At this point, we expect that the AVIC HW has already\n\t\t * set the appropriate IRR bits on the valid target\n\t\t * vcpus. 
So, we just need to kick the appropriate vcpu.\n\t\t */\n\t\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\t\tbool m = kvm_apic_match_dest(vcpu, apic,\n\t\t\t\t\t\t icrl & APIC_SHORT_MASK,\n\t\t\t\t\t\t GET_APIC_DEST_FIELD(icrh),\n\t\t\t\t\t\t icrl & APIC_DEST_MASK);\n\n\t\t\tif (m && !avic_vcpu_is_running(vcpu))\n\t\t\t\tkvm_vcpu_wake_up(vcpu);\n\t\t}\n\t\tbreak;\n\t}\n\tcase AVIC_IPI_FAILURE_INVALID_TARGET:\n\t\tWARN_ONCE(1, \"Invalid IPI target: index=%u, vcpu=%d, icr=%#0x:%#0x\\n\",\n\t\t\t index, svm->vcpu.vcpu_id, icrh, icrl);\n\t\tbreak;\n\tcase AVIC_IPI_FAILURE_INVALID_BACKING_PAGE:\n\t\tWARN_ONCE(1, \"Invalid backing page\\n\");\n\t\tbreak;\n\tdefault:\n\t\tpr_err(\"Unknown IPI interception\\n\");\n\t}\n\n\treturn 1;\n}", "project": "linux", "hash": 280512249278353609690056261642488442170, "size": 61, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432474 }, { "func": "int kvm_write_guest_page(struct kvm *kvm, gfn_t gfn,\n\t\t\t const void *data, int offset, int len)\n{\n\tstruct kvm_memory_slot *slot = gfn_to_memslot(kvm, gfn);\n\n\treturn __kvm_write_guest_page(slot, gfn, data, offset, len);\n}", "project": "linux", "hash": 147636933891849584559988373099547625917, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354715 }, { "func": "int kvm_write_guest_page(struct kvm *kvm, gfn_t gfn,\n\t\t\t const void *data, int offset, int len)\n{\n\tstruct kvm_memory_slot *slot = gfn_to_memslot(kvm, gfn);\n\n\treturn __kvm_write_guest_page(kvm, slot, gfn, data, offset, len);\n}", "project": "linux", "hash": 34938520675658138286757090716977238768, "size": 7, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404062 }, { "func": "static bool checkreturn pb_dec_fixed64(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n PB_UNUSED(field);\n#ifndef PB_WITHOUT_64BIT\n return pb_decode_fixed64(stream, dest);\n#else\n PB_UNUSED(dest);\n PB_RETURN_ERROR(stream, \"no 64bit support\");\n#endif\n}", "project": "nanopb", "hash": 140038457641135739228948220183372824600, "size": 10, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252512 }, { "func": "static bool checkreturn pb_dec_fixed64(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n UNUSED(field);\n return pb_decode_fixed64(stream, dest);\n}", "project": "nanopb", "hash": 129444075382271250827734357236110083505, "size": 5, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255315 }, { "func": "static inline int calculate_order(unsigned int size)\n{\n\tunsigned int order;\n\tunsigned int min_objects;\n\tunsigned int max_objects;\n\n\t/*\n\t * Attempt to find best configuration for a slab. This\n\t * works by first attempting to generate a layout with\n\t * the best configuration and backing off gradually.\n\t *\n\t * First we increase the acceptable waste in a slab. 
Then\n\t * we reduce the minimum objects required in a slab.\n\t */\n\tmin_objects = slub_min_objects;\n\tif (!min_objects)\n\t\tmin_objects = 4 * (fls(nr_cpu_ids) + 1);\n\tmax_objects = order_objects(slub_max_order, size);\n\tmin_objects = min(min_objects, max_objects);\n\n\twhile (min_objects > 1) {\n\t\tunsigned int fraction;\n\n\t\tfraction = 16;\n\t\twhile (fraction >= 4) {\n\t\t\torder = slab_order(size, min_objects,\n\t\t\t\t\tslub_max_order, fraction);\n\t\t\tif (order <= slub_max_order)\n\t\t\t\treturn order;\n\t\t\tfraction /= 2;\n\t\t}\n\t\tmin_objects--;\n\t}\n\n\t/*\n\t * We were unable to place multiple objects in a slab. Now\n\t * lets see if we can place a single object there.\n\t */\n\torder = slab_order(size, 1, slub_max_order, 1);\n\tif (order <= slub_max_order)\n\t\treturn order;\n\n\t/*\n\t * Doh this slab cannot be placed using slub_max_order.\n\t */\n\torder = slab_order(size, 1, MAX_ORDER, 1);\n\tif (order < MAX_ORDER)\n\t\treturn order;\n\treturn -ENOSYS;\n}", "project": "linux", "hash": 275961735797856204948322970375379895277, "size": 50, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280258 }, { "func": " bool parseRawString(int* len) {\n assertx(p[-1] == '\"'); // SimpleParser only handles \"-quoted strings\n *len = 0;\n auto const charTop = reinterpret_cast(top);\n for (signed char ch = *p++; ch != '\\\"'; ch = *p++) {\n charTop[(*len)++] = ch; // overwritten later if `ch == '\\\\'`\n if (ch < ' ') {\n // `ch < ' '` catches null and also non-ASCII (since signed char)\n return false;\n } else if (ch == '\\\\') {\n if (!handleBackslash(charTop[*len - 1])) return false;\n }\n }\n return true;\n }", "project": "hhvm", "hash": 253915940503714972147536537316792822182, "size": 15, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227286 }, { "func": "R_API void r_core_free(RCore *c) {\n\tif (c) {\n\t\tr_core_fini (c);\n\t\tfree (c);\n\t}\n}", "project": "radare2", "hash": 13581345302626885184685352337686871766, "size": 6, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232191 }, { "func": "static int key_notify_policy(struct xfrm_policy *xp, int dir, const struct km_event *c)\n{\n\tstruct sk_buff *out_skb;\n\tstruct sadb_msg *out_hdr;\n\tint 
err;\n\n\tout_skb = pfkey_xfrm_policy2msg_prep(xp);\n\tif (IS_ERR(out_skb))\n\t\treturn PTR_ERR(out_skb);\n\n\terr = pfkey_xfrm_policy2msg(out_skb, xp, dir);\n\tif (err < 0) {\n\t\tkfree_skb(out_skb);\n\t\treturn err;\n\t}\n\n\tout_hdr = (struct sadb_msg *) out_skb->data;\n\tout_hdr->sadb_msg_version = PF_KEY_V2;\n\n\tif (c->data.byid && c->event == XFRM_MSG_DELPOLICY)\n\t\tout_hdr->sadb_msg_type = SADB_X_SPDDELETE2;\n\telse\n\t\tout_hdr->sadb_msg_type = event2poltype(c->event);\n\tout_hdr->sadb_msg_errno = 0;\n\tout_hdr->sadb_msg_seq = c->seq;\n\tout_hdr->sadb_msg_pid = c->portid;\n\tpfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ALL, NULL, xp_net(xp));\n\treturn 0;\n\n}", "project": "linux", "hash": 135472269305513909948571420532996250084, "size": 30, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268031 }, { "func": "static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)\n{\n\tstruct fs_struct *fs = current->fs;\n\n\tif (!(unshare_flags & CLONE_FS) || !fs)\n\t\treturn 0;\n\n\t/* don't need lock here; in the worst case we'll do useless copy */\n\tif (fs->users == 1)\n\t\treturn 0;\n\n\t*new_fsp = copy_fs_struct(fs);\n\tif (!*new_fsp)\n\t\treturn -ENOMEM;\n\n\treturn 0;\n}", "project": "linux", "hash": 121888276421048066662259648220883467105, "size": 17, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293646 }, { "func": "static OPJ_BOOL opj_tcd_t1_decode(opj_tcd_t *p_tcd, opj_event_mgr_t *p_manager)\n{\n OPJ_UINT32 compno;\n opj_tcd_tile_t * l_tile = p_tcd->tcd_image->tiles;\n opj_tcd_tilecomp_t* l_tile_comp = l_tile->comps;\n opj_tccp_t * l_tccp = p_tcd->tcp->tccps;\n volatile OPJ_BOOL ret = OPJ_TRUE;\n OPJ_BOOL check_pterm = OPJ_FALSE;\n opj_mutex_t* p_manager_mutex = NULL;\n\n p_manager_mutex = opj_mutex_create();\n\n /* Only enable PTERM check if we decode all layers */\n if (p_tcd->tcp->num_layers_to_decode == p_tcd->tcp->numlayers &&\n (l_tccp->cblksty & J2K_CCP_CBLKSTY_PTERM) != 0) {\n check_pterm = OPJ_TRUE;\n }\n\n for (compno = 0; compno < l_tile->numcomps;\n ++compno, ++l_tile_comp, ++l_tccp) {\n if (p_tcd->used_component != NULL && !p_tcd->used_component[compno]) {\n continue;\n }\n\n 
opj_t1_decode_cblks(p_tcd, &ret, l_tile_comp, l_tccp,\n p_manager, p_manager_mutex, check_pterm);\n if (!ret) {\n break;\n }\n }\n\n opj_thread_pool_wait_completion(p_tcd->thread_pool, 0);\n if (p_manager_mutex) {\n opj_mutex_destroy(p_manager_mutex);\n }\n return ret;\n}", "project": "openjpeg", "hash": 180710351442681909294039460964485266320, "size": 37, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359178 }, { "func": "static inline unsigned long next_tid(unsigned long tid)\n{\n\treturn tid + TID_STEP;\n}", "project": "linux", "hash": 37367977744548198722626352106589279045, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280183 }, { "func": "int fuse_flush_times(struct inode *inode, struct fuse_file *ff)\n{\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tFUSE_ARGS(args);\n\tstruct fuse_setattr_in inarg;\n\tstruct fuse_attr_out outarg;\n\n\tmemset(&inarg, 0, sizeof(inarg));\n\tmemset(&outarg, 0, sizeof(outarg));\n\n\tinarg.valid = FATTR_MTIME;\n\tinarg.mtime = inode->i_mtime.tv_sec;\n\tinarg.mtimensec = inode->i_mtime.tv_nsec;\n\tif (fm->fc->minor >= 23) {\n\t\tinarg.valid |= FATTR_CTIME;\n\t\tinarg.ctime = inode->i_ctime.tv_sec;\n\t\tinarg.ctimensec = inode->i_ctime.tv_nsec;\n\t}\n\tif (ff) {\n\t\tinarg.valid |= FATTR_FH;\n\t\tinarg.fh = ff->fh;\n\t}\n\tfuse_setattr_fill(fm->fc, &args, inode, &inarg, &outarg);\n\n\treturn fuse_simple_request(fm, &args);\n}", "project": "linux", "hash": 134577190432432968731906448994785314136, "size": 26, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341953 }, { "func": "static ssize_t dw_spi_show_regs(struct file *file, char __user *user_buf,\n\t\tsize_t count, loff_t *ppos)\n{\n\tstruct dw_spi *dws = file->private_data;\n\tchar *buf;\n\tu32 len = 0;\n\tssize_t ret;\n\n\tbuf = kzalloc(SPI_REGS_BUFSIZE, GFP_KERNEL);\n\tif (!buf)\n\t\treturn 0;\n\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"%s registers:\\n\", dev_name(&dws->master->dev));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"=================================\\n\");\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"CTRL0: \\t\\t0x%08x\\n\", dw_readl(dws, DW_SPI_CTRL0));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"CTRL1: \\t\\t0x%08x\\n\", dw_readl(dws, DW_SPI_CTRL1));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"SSIENR: \\t0x%08x\\n\", dw_readl(dws, DW_SPI_SSIENR));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"SER: \\t\\t0x%08x\\n\", dw_readl(dws, DW_SPI_SER));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"BAUDR: \\t\\t0x%08x\\n\", dw_readl(dws, DW_SPI_BAUDR));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"TXFTLR: \\t0x%08x\\n\", dw_readl(dws, DW_SPI_TXFLTR));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"RXFTLR: \\t0x%08x\\n\", dw_readl(dws, DW_SPI_RXFLTR));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"TXFLR: \\t\\t0x%08x\\n\", dw_readl(dws, DW_SPI_TXFLR));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"RXFLR: \\t\\t0x%08x\\n\", dw_readl(dws, DW_SPI_RXFLR));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"SR: \\t\\t0x%08x\\n\", dw_readl(dws, 
DW_SPI_SR));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"IMR: \\t\\t0x%08x\\n\", dw_readl(dws, DW_SPI_IMR));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"ISR: \\t\\t0x%08x\\n\", dw_readl(dws, DW_SPI_ISR));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"DMACR: \\t\\t0x%08x\\n\", dw_readl(dws, DW_SPI_DMACR));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"DMATDLR: \\t0x%08x\\n\", dw_readl(dws, DW_SPI_DMATDLR));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"DMARDLR: \\t0x%08x\\n\", dw_readl(dws, DW_SPI_DMARDLR));\n\tlen += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,\n\t\t\t\"=================================\\n\");\n\n\tret = simple_read_from_buffer(user_buf, count, ppos, buf, len);\n\tkfree(buf);\n\treturn ret;\n}", "project": "linux", "hash": 222479444409437784427276329312968417554, "size": 53, "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d", "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] 
interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu \nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown ", "target": 0, "dataset": "other", "idx": 462450 }, { "func": "UnicodeStringTest::TestSearching()\n{\n UnicodeString test1(\"test test ttest tetest testesteststt\");\n UnicodeString test2(\"test\");\n UChar testChar = 0x74;\n \n UChar32 testChar32 = 0x20402;\n UChar testData[]={\n // 0 1 2 3 4 5 6 7\n 0xd841, 0xdc02, 0x0071, 0xdc02, 0xd841, 0x0071, 0xd841, 0xdc02,\n\n // 8 9 10 11 12 13 14 15\n 0x0071, 0x0072, 0xd841, 0xdc02, 0x0071, 0xd841, 0xdc02, 0x0071,\n\n // 16 17 18 19\n 0xdc02, 0xd841, 0x0073, 0x0000\n };\n UnicodeString test3(testData);\n UnicodeString test4(testChar32);\n\n uint16_t occurrences = 0;\n int32_t startPos = 0;\n for ( ;\n startPos != -1 && startPos < test1.length();\n (startPos = test1.indexOf(test2, startPos)) != -1 ? (++occurrences, startPos += 4) : 0)\n ;\n if (occurrences != 6)\n errln(UnicodeString(\"indexOf failed: expected to find 6 occurrences, found \") + occurrences);\n\n for ( occurrences = 0, startPos = 10;\n startPos != -1 && startPos < test1.length();\n (startPos = test1.indexOf(test2, startPos)) != -1 ? (++occurrences, startPos += 4) : 0)\n ;\n if (occurrences != 4)\n errln(UnicodeString(\"indexOf with starting offset failed: \"\n \"expected to find 4 occurrences, found \") + occurrences);\n\n int32_t endPos = 28;\n for ( occurrences = 0, startPos = 5;\n startPos != -1 && startPos < test1.length();\n (startPos = test1.indexOf(test2, startPos, endPos - startPos)) != -1 ? 
(++occurrences, startPos += 4) : 0)\n ;\n if (occurrences != 4)\n errln(UnicodeString(\"indexOf with starting and ending offsets failed: \"\n \"expected to find 4 occurrences, found \") + occurrences);\n\n //using UChar32 string\n for ( startPos=0, occurrences=0;\n startPos != -1 && startPos < test3.length();\n (startPos = test3.indexOf(test4, startPos)) != -1 ? (++occurrences, startPos += 2) : 0)\n ;\n if (occurrences != 4)\n errln((UnicodeString)\"indexOf failed: expected to find 4 occurrences, found \" + occurrences);\n\n for ( startPos=10, occurrences=0;\n startPos != -1 && startPos < test3.length();\n (startPos = test3.indexOf(test4, startPos)) != -1 ? (++occurrences, startPos += 2) : 0)\n ;\n if (occurrences != 2)\n errln(UnicodeString(\"indexOf failed: expected to find 2 occurrences, found \") + occurrences);\n //---\n\n for ( occurrences = 0, startPos = 0;\n startPos != -1 && startPos < test1.length();\n (startPos = test1.indexOf(testChar, startPos)) != -1 ? (++occurrences, startPos += 1) : 0)\n ;\n if (occurrences != 16)\n errln(UnicodeString(\"indexOf with character failed: \"\n \"expected to find 16 occurrences, found \") + occurrences);\n\n for ( occurrences = 0, startPos = 10;\n startPos != -1 && startPos < test1.length();\n (startPos = test1.indexOf(testChar, startPos)) != -1 ? (++occurrences, startPos += 1) : 0)\n ;\n if (occurrences != 12)\n errln(UnicodeString(\"indexOf with character & start offset failed: \"\n \"expected to find 12 occurrences, found \") + occurrences);\n\n for ( occurrences = 0, startPos = 5, endPos = 28;\n startPos != -1 && startPos < test1.length();\n (startPos = test1.indexOf(testChar, startPos, endPos - startPos)) != -1 ? 
(++occurrences, startPos += 1) : 0)\n ;\n if (occurrences != 10)\n errln(UnicodeString(\"indexOf with character & start & end offsets failed: \"\n \"expected to find 10 occurrences, found \") + occurrences);\n\n //testing for UChar32\n UnicodeString subString;\n for( occurrences =0, startPos=0; startPos < test3.length(); startPos +=1){\n subString.append(test3, startPos, test3.length());\n if(subString.indexOf(testChar32) != -1 ){\n ++occurrences;\n }\n subString.remove();\n }\n if (occurrences != 14)\n errln((UnicodeString)\"indexOf failed: expected to find 14 occurrences, found \" + occurrences);\n\n for ( occurrences = 0, startPos = 0;\n startPos != -1 && startPos < test3.length();\n (startPos = test3.indexOf(testChar32, startPos)) != -1 ? (++occurrences, startPos += 1) : 0)\n ;\n if (occurrences != 4)\n errln((UnicodeString)\"indexOf failed: expected to find 4 occurrences, found \" + occurrences);\n \n endPos=test3.length();\n for ( occurrences = 0, startPos = 5;\n startPos != -1 && startPos < test3.length();\n (startPos = test3.indexOf(testChar32, startPos, endPos - startPos)) != -1 ? (++occurrences, startPos += 1) : 0)\n ;\n if (occurrences != 3)\n errln((UnicodeString)\"indexOf with character & start & end offsets failed: expected to find 2 occurrences, found \" + occurrences);\n //---\n\n if(test1.lastIndexOf(test2)!=29) {\n errln(\"test1.lastIndexOf(test2)!=29\");\n }\n\n if(test1.lastIndexOf(test2, 15)!=29 || test1.lastIndexOf(test2, 29)!=29 || test1.lastIndexOf(test2, 30)!=-1) {\n errln(\"test1.lastIndexOf(test2, start) failed\");\n }\n\n for ( occurrences = 0, startPos = 32;\n startPos != -1;\n (startPos = test1.lastIndexOf(test2, 5, startPos - 5)) != -1 ? 
++occurrences : 0)\n ;\n if (occurrences != 4)\n errln(UnicodeString(\"lastIndexOf with starting and ending offsets failed: \"\n \"expected to find 4 occurrences, found \") + occurrences);\n\n for ( occurrences = 0, startPos = 32;\n startPos != -1;\n (startPos = test1.lastIndexOf(testChar, 5, startPos - 5)) != -1 ? ++occurrences : 0)\n ;\n if (occurrences != 11)\n errln(UnicodeString(\"lastIndexOf with character & start & end offsets failed: \"\n \"expected to find 11 occurrences, found \") + occurrences);\n\n //testing UChar32\n startPos=test3.length();\n for ( occurrences = 0;\n startPos != -1;\n (startPos = test3.lastIndexOf(testChar32, 5, startPos - 5)) != -1 ? ++occurrences : 0)\n ;\n if (occurrences != 3)\n errln((UnicodeString)\"lastIndexOf with character & start & end offsets failed: expected to find 3 occurrences, found \" + occurrences);\n\n\n for ( occurrences = 0, endPos = test3.length(); endPos > 0; endPos -= 1){\n subString.remove();\n subString.append(test3, 0, endPos);\n if(subString.lastIndexOf(testChar32) != -1 ){\n ++occurrences;\n }\n }\n if (occurrences != 18)\n errln((UnicodeString)\"indexOf failed: expected to find 18 occurrences, found \" + occurrences);\n //---\n\n // test that indexOf(UChar32) and lastIndexOf(UChar32)\n // do not find surrogate code points when they are part of matched pairs\n // (= part of supplementary code points)\n // Jitterbug 1542\n if(test3.indexOf((UChar32)0xd841) != 4 || test3.indexOf((UChar32)0xdc02) != 3) {\n errln(\"error: UnicodeString::indexOf(UChar32 surrogate) finds a partial supplementary code point\");\n }\n if( UnicodeString(test3, 0, 17).lastIndexOf((UChar)0xd841, 0) != 4 ||\n UnicodeString(test3, 0, 17).lastIndexOf((UChar32)0xd841, 2) != 4 ||\n test3.lastIndexOf((UChar32)0xd841, 0, 17) != 4 || test3.lastIndexOf((UChar32)0xdc02, 0, 17) != 16\n ) {\n errln(\"error: UnicodeString::lastIndexOf(UChar32 surrogate) finds a partial supplementary code point\");\n }\n}", "project": "icu", "hash": 
127019489473420131604181273938187311094, "size": 173, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430800 }, { "func": "static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\tbdaddr_t *sent;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);\n\tif (!sent)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tbacpy(&hdev->random_addr, sent);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 175219246599509147231955127578313276016, "size": 20, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432018 }, { "func": "static void mt_set_modes(struct hid_device *hdev, enum latency_mode latency,\n\t\t\t bool surface_switch, bool button_switch)\n{\n\tstruct hid_report_enum *rep_enum;\n\tstruct hid_report *rep;\n\tstruct hid_usage *usage;\n\tint i, j;\n\tbool update_report;\n\tbool inputmode_found = false;\n\n\trep_enum = &hdev->report_enum[HID_FEATURE_REPORT];\n\tlist_for_each_entry(rep, &rep_enum->report_list, list) {\n\t\tupdate_report = false;\n\n\t\tfor (i = 0; i < rep->maxfield; i++) {\n\t\t\t/* Ignore if report count is out of bounds. 
*/\n\t\t\tif (rep->field[i]->report_count < 1)\n\t\t\t\tcontinue;\n\n\t\t\tfor (j = 0; j < rep->field[i]->maxusage; j++) {\n\t\t\t\tusage = &rep->field[i]->usage[j];\n\n\t\t\t\tif (mt_need_to_apply_feature(hdev,\n\t\t\t\t\t\t\t rep->field[i],\n\t\t\t\t\t\t\t usage,\n\t\t\t\t\t\t\t latency,\n\t\t\t\t\t\t\t surface_switch,\n\t\t\t\t\t\t\t button_switch,\n\t\t\t\t\t\t\t &inputmode_found))\n\t\t\t\t\tupdate_report = true;\n\t\t\t}\n\t\t}\n\n\t\tif (update_report)\n\t\t\thid_hw_request(hdev, rep, HID_REQ_SET_REPORT);\n\t}\n}", "project": "linux", "hash": 273086913591019203410569575541612164542, "size": 37, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458366 }, { "func": "static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)\n{\n\tdh->p = p;\n\tdh->q = q;\n\tdh->g = g;\n\n\treturn 1;\n}", "project": "php-src", "hash": 330154893856425411991570337818953827034, "size": 8, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291441 }, { "func": "static int match_filter(const 
struct USBAutoFilter *f1, \n const struct USBAutoFilter *f2)\n{\n return f1->bus_num == f2->bus_num &&\n f1->addr == f2->addr &&\n f1->vendor_id == f2->vendor_id &&\n f1->product_id == f2->product_id;\n}", "project": "qemu", "hash": 271556861695605188212716725655024089871, "size": 8, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346288 }, { "func": " void restore_to_before_no_rows_in_result()\n {\n (*ref)->restore_to_before_no_rows_in_result();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 304664313616823339272706098233530056672, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509332 }, { "func": " virtual void restore_to_before_no_rows_in_result() {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 134071811809109463852722655035871800591, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509446 }, { "func": "static int invlpg_interception(struct vcpu_svm *svm)\n{\n\tif (!static_cpu_has(X86_FEATURE_DECODEASSISTS))\n\t\treturn kvm_emulate_instruction(&svm->vcpu, 0);\n\n\tkvm_mmu_invlpg(&svm->vcpu, svm->vmcb->control.exit_info_1);\n\treturn kvm_skip_emulated_instruction(&svm->vcpu);\n}", "project": "linux", "hash": 110279057855577467963959349271795133647, "size": 8, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432627 }, { "func": "static int invlpg_interception(struct vcpu_svm *svm)\n{\n\tif (!static_cpu_has(X86_FEATURE_DECODEASSISTS))\n\t\treturn emulate_instruction(&svm->vcpu, 0) == EMULATE_DONE;\n\n\tkvm_mmu_invlpg(&svm->vcpu, svm->vmcb->control.exit_info_1);\n\tskip_emulated_instruction(&svm->vcpu);\n\treturn 1;\n}", "project": "kvm", "hash": 109337018132998033744510449299951690498, "size": 9, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). 
However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437614 }, { "func": "unsigned long change_prot_numa(struct vm_area_struct *vma,\n\t\t\tunsigned long addr, unsigned long end)\n{\n\tint nr_updated;\n\n\tnr_updated = change_protection(vma, addr, end, PAGE_NONE, 0, 1);\n\tif (nr_updated)\n\t\tcount_vm_numa_events(NUMA_PTE_UPDATES, nr_updated);\n\n\treturn nr_updated;\n}", "project": "linux", "hash": 181736994731605076076567532662385823288, "size": 11, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for 
MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366743 }, { "func": "static unsigned long change_prot_numa(struct vm_area_struct *vma,\n\t\t\tunsigned long addr, unsigned long end)\n{\n\treturn 0;\n}", "project": "linux", "hash": 121719249094102505118868620759044212485, "size": 5, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366778 }, { "func": "static void print_track(const char *s, struct track *t, unsigned long pr_time)\n{\n\tif (!t->addr)\n\t\treturn;\n\n\tpr_err(\"INFO: %s in %pS age=%lu cpu=%u pid=%d\\n\",\n\t s, (void *)t->addr, pr_time - t->when, t->cpu, t->pid);\n#ifdef CONFIG_STACKTRACE\n\t{\n\t\tint i;\n\t\tfor (i = 0; i < TRACK_ADDRS_COUNT; i++)\n\t\t\tif (t->addrs[i])\n\t\t\t\tpr_err(\"\\t%pS\\n\", (void *)t->addrs[i]);\n\t\t\telse\n\t\t\t\tbreak;\n\t}\n#endif\n}", "project": "linux", "hash": 272962665060617739668055858749655160554, "size": 18, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280168 }, { "func": "static int svm_pre_enter_smm(struct kvm_vcpu *vcpu, char *smstate)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tint ret;\n\n\tif (is_guest_mode(vcpu)) {\n\t\t/* FED8h - SVM Guest */\n\t\tput_smstate(u64, smstate, 0x7ed8, 1);\n\t\t/* FEE0h - SVM Guest VMCB Physical Address */\n\t\tput_smstate(u64, smstate, 0x7ee0, svm->nested.vmcb);\n\n\t\tsvm->vmcb->save.rax = vcpu->arch.regs[VCPU_REGS_RAX];\n\t\tsvm->vmcb->save.rsp = vcpu->arch.regs[VCPU_REGS_RSP];\n\t\tsvm->vmcb->save.rip = vcpu->arch.regs[VCPU_REGS_RIP];\n\n\t\tret = nested_svm_vmexit(svm);\n\t\tif (ret)\n\t\t\treturn ret;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 205022643007912321609905890836422110453, "size": 21, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432579 }, { "func": "static rpmRC hdrblobVerifyRegion(rpmTagVal regionTag, int exact_size,\n\t\t\thdrblob blob, char **buf)\n{\n rpmRC rc = RPMRC_FAIL;\n struct entryInfo_s trailer, einfo;\n unsigned char * regionEnd = NULL;\n\n /* Check that we have at least on tag */\n if (blob->il < 1) {\n\trasprintf(buf, _(\"region: no tags\"));\n\tgoto exit;\n }\n\n /* Convert the 1st tag element. 
*/\n ei2h(blob->pe, &einfo);\n\n if (!regionTag && (einfo.tag == RPMTAG_HEADERSIGNATURES ||\n\t\t einfo.tag == RPMTAG_HEADERIMMUTABLE ||\n\t\t einfo.tag == RPMTAG_HEADERIMAGE)) {\n\tregionTag = einfo.tag;\n }\n\n /* Is there an immutable header region tag? */\n if (!(einfo.tag == regionTag)) {\n\trc = RPMRC_NOTFOUND;\n\tgoto exit;\n }\n\n /* Is the region tag sane? */\n if (!(einfo.type == REGION_TAG_TYPE && einfo.count == REGION_TAG_COUNT)) {\n\trasprintf(buf,\n\t\t_(\"region tag: BAD, tag %d type %d offset %d count %d\"),\n\t\teinfo.tag, einfo.type, einfo.offset, einfo.count);\n\tgoto exit;\n }\n\n /* Is the trailer within the data area? */\n if (hdrchkRange(blob->dl, einfo.offset + REGION_TAG_COUNT)) {\n\trasprintf(buf,\n\t\t_(\"region offset: BAD, tag %d type %d offset %d count %d\"),\n\t\teinfo.tag, einfo.type, einfo.offset, einfo.count);\n\tgoto exit;\n }\n\n /* Is there an immutable header region tag trailer? */\n memset(&trailer, 0, sizeof(trailer));\n regionEnd = blob->dataStart + einfo.offset;\n /* regionEnd is not guaranteed to be aligned */\n (void) memcpy(&trailer, regionEnd, REGION_TAG_COUNT);\n blob->rdl = einfo.offset + REGION_TAG_COUNT;\n\n ei2h(&trailer, &einfo);\n /* Some old packages have HEADERIMAGE in signature region trailer, fix up */\n if (regionTag == RPMTAG_HEADERSIGNATURES && einfo.tag == RPMTAG_HEADERIMAGE)\n\teinfo.tag = RPMTAG_HEADERSIGNATURES;\n if (!(einfo.tag == regionTag &&\n\t einfo.type == REGION_TAG_TYPE && einfo.count == REGION_TAG_COUNT))\n {\n\trasprintf(buf,\n\t\t_(\"region trailer: BAD, tag %d type %d offset %d count %d\"),\n\t\teinfo.tag, einfo.type, einfo.offset, einfo.count);\n\tgoto exit;\n }\n\n /*\n * Trailer offset is negative and has a special meaning. Be sure to negate\n * *after* the division, so the negation cannot overflow. 
The parentheses\n * around the division are required!\n *\n * Thankfully, the modulus operator works fine on negative numbers.\n */\n blob->ril = -(einfo.offset/sizeof(*blob->pe));\n /* Does the region actually fit within the header? */\n if ((einfo.offset % sizeof(*blob->pe)) || hdrchkRange(blob->il, blob->ril) ||\n\t\t\t\t\thdrchkRange(blob->dl, blob->rdl)) {\n\trasprintf(buf, _(\"region %d size: BAD, ril %d il %d rdl %d dl %d\"),\n\t\t\tregionTag, blob->ril, blob->il, blob->rdl, blob->dl);\n\tgoto exit;\n }\n\n /* In package files region size is expected to match header size. */\n if (exact_size && !(blob->il == blob->ril && blob->dl == blob->rdl)) {\n\trasprintf(buf,\n\t\t_(\"region %d: tag number mismatch il %d ril %d dl %d rdl %d\\n\"),\n\t\tregionTag, blob->il, blob->ril, blob->dl, blob->rdl);\n\tgoto exit;\n }\n\n blob->regionTag = regionTag;\n rc = RPMRC_OK;\n\nexit:\n return rc;\n}", "project": "rpm", "hash": 285956192041074994647135163681636811902, "size": 94, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318176 }, { "func": "int vfs_rename(struct inode *old_dir, struct dentry *old_dentry,\n\t struct inode *new_dir, struct dentry *new_dentry,\n\t struct inode **delegated_inode, unsigned int flags)\n{\n\tint error;\n\tbool is_dir = d_is_dir(old_dentry);\n\tstruct inode *source = old_dentry->d_inode;\n\tstruct inode *target = new_dentry->d_inode;\n\tbool new_is_dir = false;\n\tunsigned max_links = new_dir->i_sb->s_max_links;\n\tstruct name_snapshot old_name;\n\n\tif (source == target)\n\t\treturn 0;\n\n\terror = may_delete(old_dir, old_dentry, is_dir);\n\tif (error)\n\t\treturn error;\n\n\tif (!target) {\n\t\terror = may_create(new_dir, new_dentry);\n\t} else {\n\t\tnew_is_dir = d_is_dir(new_dentry);\n\n\t\tif (!(flags & RENAME_EXCHANGE))\n\t\t\terror = 
may_delete(new_dir, new_dentry, is_dir);\n\t\telse\n\t\t\terror = may_delete(new_dir, new_dentry, new_is_dir);\n\t}\n\tif (error)\n\t\treturn error;\n\n\tif (!old_dir->i_op->rename)\n\t\treturn -EPERM;\n\n\t/*\n\t * If we are going to change the parent - check write permissions,\n\t * we'll need to flip '..'.\n\t */\n\tif (new_dir != old_dir) {\n\t\tif (is_dir) {\n\t\t\terror = inode_permission(source, MAY_WRITE);\n\t\t\tif (error)\n\t\t\t\treturn error;\n\t\t}\n\t\tif ((flags & RENAME_EXCHANGE) && new_is_dir) {\n\t\t\terror = inode_permission(target, MAY_WRITE);\n\t\t\tif (error)\n\t\t\t\treturn error;\n\t\t}\n\t}\n\n\terror = security_inode_rename(old_dir, old_dentry, new_dir, new_dentry,\n\t\t\t\t flags);\n\tif (error)\n\t\treturn error;\n\n\ttake_dentry_name_snapshot(&old_name, old_dentry);\n\tdget(new_dentry);\n\tif (!is_dir || (flags & RENAME_EXCHANGE))\n\t\tlock_two_nondirectories(source, target);\n\telse if (target)\n\t\tinode_lock(target);\n\n\terror = -EBUSY;\n\tif (is_local_mountpoint(old_dentry) || is_local_mountpoint(new_dentry))\n\t\tgoto out;\n\n\tif (max_links && new_dir != old_dir) {\n\t\terror = -EMLINK;\n\t\tif (is_dir && !new_is_dir && new_dir->i_nlink >= max_links)\n\t\t\tgoto out;\n\t\tif ((flags & RENAME_EXCHANGE) && !is_dir && new_is_dir &&\n\t\t old_dir->i_nlink >= max_links)\n\t\t\tgoto out;\n\t}\n\tif (!is_dir) {\n\t\terror = try_break_deleg(source, delegated_inode);\n\t\tif (error)\n\t\t\tgoto out;\n\t}\n\tif (target && !new_is_dir) {\n\t\terror = try_break_deleg(target, delegated_inode);\n\t\tif (error)\n\t\t\tgoto out;\n\t}\n\terror = old_dir->i_op->rename(old_dir, old_dentry,\n\t\t\t\t new_dir, new_dentry, flags);\n\tif (error)\n\t\tgoto out;\n\n\tif (!(flags & RENAME_EXCHANGE) && target) {\n\t\tif (is_dir) {\n\t\t\tshrink_dcache_parent(new_dentry);\n\t\t\ttarget->i_flags |= S_DEAD;\n\t\t}\n\t\tdont_mount(new_dentry);\n\t\tdetach_mounts(new_dentry);\n\t}\n\tif (!(old_dir->i_sb->s_type->fs_flags & FS_RENAME_DOES_D_MOVE)) {\n\t\tif 
(!(flags & RENAME_EXCHANGE))\n\t\t\td_move(old_dentry, new_dentry);\n\t\telse\n\t\t\td_exchange(old_dentry, new_dentry);\n\t}\nout:\n\tif (!is_dir || (flags & RENAME_EXCHANGE))\n\t\tunlock_two_nondirectories(source, target);\n\telse if (target)\n\t\tinode_unlock(target);\n\tdput(new_dentry);\n\tif (!error) {\n\t\tfsnotify_move(old_dir, new_dir, &old_name.name, is_dir,\n\t\t\t !(flags & RENAME_EXCHANGE) ? target : NULL, old_dentry);\n\t\tif (flags & RENAME_EXCHANGE) {\n\t\t\tfsnotify_move(new_dir, old_dir, &old_dentry->d_name,\n\t\t\t\t new_is_dir, NULL, new_dentry);\n\t\t}\n\t}\n\trelease_dentry_name_snapshot(&old_name);\n\n\treturn error;\n}", "project": "linux", "hash": 22550093787671497345527159651880841459, "size": 123, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295406 }, { "func": "static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_clock_offset *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));\n\tif (conn && !ev->status) {\n\t\tstruct inquiry_entry *ie;\n\n\t\tie = hci_inquiry_cache_lookup(hdev, &conn->dst);\n\t\tif (ie) {\n\t\t\tie->data.clock_offset = ev->clock_offset;\n\t\t\tie->timestamp = jiffies;\n\t\t}\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 118325302844011167530050283810667546971, "size": 22, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. 
A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431921 }, { "func": "OPJ_BOOL opj_tcd_copy_tile_data(opj_tcd_t *p_tcd,\n OPJ_BYTE * p_src,\n OPJ_SIZE_T p_src_length)\n{\n OPJ_UINT32 i;\n OPJ_SIZE_T j;\n OPJ_SIZE_T l_data_size = 0;\n opj_image_comp_t * l_img_comp = 00;\n opj_tcd_tilecomp_t * l_tilec = 00;\n OPJ_UINT32 l_size_comp, l_remaining;\n OPJ_SIZE_T l_nb_elem;\n\n l_data_size = opj_tcd_get_encoder_input_buffer_size(p_tcd);\n if (l_data_size != p_src_length) {\n return OPJ_FALSE;\n }\n\n l_tilec = p_tcd->tcd_image->tiles->comps;\n l_img_comp = p_tcd->image->comps;\n for (i = 0; i < p_tcd->image->numcomps; ++i) {\n l_size_comp = l_img_comp->prec >> 3; /*(/ 8)*/\n l_remaining = l_img_comp->prec & 7; /* (%8) */\n l_nb_elem = (OPJ_SIZE_T)(l_tilec->x1 - l_tilec->x0) *\n (OPJ_SIZE_T)(l_tilec->y1 - l_tilec->y0);\n\n if (l_remaining) {\n ++l_size_comp;\n }\n\n if (l_size_comp == 3) {\n l_size_comp = 4;\n }\n\n switch (l_size_comp) {\n case 1: {\n OPJ_CHAR * l_src_ptr = (OPJ_CHAR *) p_src;\n OPJ_INT32 * l_dest_ptr = l_tilec->data;\n\n if (l_img_comp->sgnd) {\n for (j = 0; j < l_nb_elem; ++j) {\n *(l_dest_ptr++) = (OPJ_INT32)(*(l_src_ptr++));\n }\n } else {\n for (j = 0; j < l_nb_elem; ++j) {\n *(l_dest_ptr++) = (*(l_src_ptr++)) & 0xff;\n }\n }\n\n p_src = (OPJ_BYTE*) l_src_ptr;\n }\n break;\n case 2: {\n OPJ_INT32 * l_dest_ptr = l_tilec->data;\n OPJ_INT16 * l_src_ptr = (OPJ_INT16 *) p_src;\n\n if (l_img_comp->sgnd) {\n for (j = 0; j < l_nb_elem; ++j) {\n *(l_dest_ptr++) = (OPJ_INT32)(*(l_src_ptr++));\n }\n } else {\n for (j = 0; j < l_nb_elem; 
++j) {\n *(l_dest_ptr++) = (*(l_src_ptr++)) & 0xffff;\n }\n }\n\n p_src = (OPJ_BYTE*) l_src_ptr;\n }\n break;\n case 4: {\n OPJ_INT32 * l_src_ptr = (OPJ_INT32 *) p_src;\n OPJ_INT32 * l_dest_ptr = l_tilec->data;\n\n for (j = 0; j < l_nb_elem; ++j) {\n *(l_dest_ptr++) = (OPJ_INT32)(*(l_src_ptr++));\n }\n\n p_src = (OPJ_BYTE*) l_src_ptr;\n }\n break;\n }\n\n ++l_img_comp;\n ++l_tilec;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 97034839869858598486225520892354076881, "size": 87, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359187 }, { "func": "OPJ_BOOL opj_tcd_copy_tile_data(opj_tcd_t *p_tcd,\n OPJ_BYTE * p_src,\n OPJ_SIZE_T p_src_length)\n{\n OPJ_UINT32 i;\n OPJ_SIZE_T j;\n OPJ_SIZE_T l_data_size = 0;\n opj_image_comp_t * l_img_comp = 00;\n opj_tcd_tilecomp_t * l_tilec = 00;\n OPJ_UINT32 l_size_comp, l_remaining;\n OPJ_SIZE_T l_nb_elem;\n\n l_data_size = opj_tcd_get_encoded_tile_size(p_tcd);\n if (l_data_size != p_src_length) {\n return OPJ_FALSE;\n }\n\n l_tilec = p_tcd->tcd_image->tiles->comps;\n l_img_comp = p_tcd->image->comps;\n for (i = 0; i < p_tcd->image->numcomps; ++i) {\n l_size_comp = l_img_comp->prec >> 3; /*(/ 8)*/\n l_remaining = l_img_comp->prec & 7; /* (%8) */\n l_nb_elem = (OPJ_SIZE_T)(l_tilec->x1 - l_tilec->x0) *\n (OPJ_SIZE_T)(l_tilec->y1 - l_tilec->y0);\n\n if (l_remaining) {\n ++l_size_comp;\n }\n\n if (l_size_comp == 3) {\n l_size_comp = 4;\n }\n\n switch (l_size_comp) {\n case 1: {\n OPJ_CHAR * l_src_ptr = (OPJ_CHAR *) p_src;\n OPJ_INT32 * l_dest_ptr = l_tilec->data;\n\n if (l_img_comp->sgnd) {\n for (j = 0; j < l_nb_elem; ++j) {\n *(l_dest_ptr++) = (OPJ_INT32)(*(l_src_ptr++));\n }\n } else {\n for (j = 0; j < l_nb_elem; ++j) {\n *(l_dest_ptr++) = (*(l_src_ptr++)) & 0xff;\n }\n }\n\n p_src = (OPJ_BYTE*) l_src_ptr;\n }\n break;\n case 2: {\n OPJ_INT32 * l_dest_ptr = 
l_tilec->data;\n OPJ_INT16 * l_src_ptr = (OPJ_INT16 *) p_src;\n\n if (l_img_comp->sgnd) {\n for (j = 0; j < l_nb_elem; ++j) {\n *(l_dest_ptr++) = (OPJ_INT32)(*(l_src_ptr++));\n }\n } else {\n for (j = 0; j < l_nb_elem; ++j) {\n *(l_dest_ptr++) = (*(l_src_ptr++)) & 0xffff;\n }\n }\n\n p_src = (OPJ_BYTE*) l_src_ptr;\n }\n break;\n case 4: {\n OPJ_INT32 * l_src_ptr = (OPJ_INT32 *) p_src;\n OPJ_INT32 * l_dest_ptr = l_tilec->data;\n\n for (j = 0; j < l_nb_elem; ++j) {\n *(l_dest_ptr++) = (OPJ_INT32)(*(l_src_ptr++));\n }\n\n p_src = (OPJ_BYTE*) l_src_ptr;\n }\n break;\n }\n\n ++l_img_comp;\n ++l_tilec;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 293275894479008990778913206316127077514, "size": 87, "commit_id": "05f9b91e60debda0e83977e5e63b2e66486f7074", "message": "opj_tcd_init_tile(): avoid integer overflow\n\nThat could lead to later assertion failures.\n\nFixes #1231 / CVE-2020-8112", "target": 0, "dataset": "other", "idx": 451985 }, { "func": "static void fuse_setattr_fill(struct fuse_conn *fc, struct fuse_args *args,\n\t\t\t struct inode *inode,\n\t\t\t struct fuse_setattr_in *inarg_p,\n\t\t\t struct fuse_attr_out *outarg_p)\n{\n\targs->opcode = FUSE_SETATTR;\n\targs->nodeid = get_node_id(inode);\n\targs->in_numargs = 1;\n\targs->in_args[0].size = sizeof(*inarg_p);\n\targs->in_args[0].value = inarg_p;\n\targs->out_numargs = 1;\n\targs->out_args[0].size = sizeof(*outarg_p);\n\targs->out_args[0].value = outarg_p;\n}", "project": "linux", "hash": 121468823918103141344439084629966769120, "size": 14, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342103 }, { "func": "static int blosc_c(struct thread_context* thread_context, int32_t bsize,\n int32_t leftoverblock, int32_t ntbytes, int32_t maxbytes,\n const uint8_t* src, const int32_t offset, uint8_t* dest,\n uint8_t* tmp, uint8_t* tmp2) {\n blosc2_context* context = thread_context->parent_context;\n int dont_split = (context->header_flags & 0x10) >> 4;\n int dict_training = context->use_dict && context->dict_cdict == NULL;\n int32_t j, neblock, nstreams;\n int32_t cbytes; /* number of compressed bytes in split */\n int32_t ctbytes = 0; /* number of compressed bytes in block */\n int64_t maxout;\n int32_t typesize = context->typesize;\n const char* compname;\n int accel;\n const uint8_t* _src;\n uint8_t *_tmp = tmp, *_tmp2 = tmp2;\n uint8_t *_tmp3 = thread_context->tmp4;\n int last_filter_index = last_filter(context->filters, 'c');\n bool memcpyed = context->header_flags & (uint8_t)BLOSC_MEMCPYED;\n\n if (last_filter_index >= 0 || context->prefilter != NULL) {\n /* Apply the filter pipeline just for the prefilter */\n if (memcpyed && context->prefilter != NULL) {\n // We only need the prefilter output\n _src = pipeline_c(thread_context, bsize, src, offset, dest, _tmp2, _tmp3);\n\n if (_src == NULL) {\n return -9; // signals a problem with the filter pipeline\n }\n return 
bsize;\n }\n /* Apply regular filter pipeline */\n _src = pipeline_c(thread_context, bsize, src, offset, _tmp, _tmp2, _tmp3);\n\n if (_src == NULL) {\n return -9; // signals a problem with the filter pipeline\n }\n } else {\n _src = src + offset;\n }\n\n assert(context->clevel > 0);\n\n /* Calculate acceleration for different compressors */\n accel = get_accel(context);\n\n /* The number of compressed data streams for this block */\n if (!dont_split && !leftoverblock && !dict_training) {\n nstreams = (int32_t)typesize;\n }\n else {\n nstreams = 1;\n }\n neblock = bsize / nstreams;\n for (j = 0; j < nstreams; j++) {\n if (!dict_training) {\n dest += sizeof(int32_t);\n ntbytes += sizeof(int32_t);\n ctbytes += sizeof(int32_t);\n }\n\n // See if we have a run here\n const uint8_t* ip = (uint8_t*)_src + j * neblock;\n const uint8_t* ipbound = (uint8_t*)_src + (j + 1) * neblock;\n if (get_run(ip, ipbound)) {\n // A run. Encode the repeated byte as a negative length in the length of the split.\n int32_t value = _src[j * neblock];\n _sw32(dest - 4, -value);\n continue;\n }\n\n maxout = neblock;\n #if defined(HAVE_SNAPPY)\n if (context->compcode == BLOSC_SNAPPY) {\n maxout = (int32_t)snappy_max_compressed_length((size_t)neblock);\n }\n #endif /* HAVE_SNAPPY */\n if (ntbytes + maxout > maxbytes) {\n /* avoid buffer * overrun */\n maxout = (int64_t)maxbytes - (int64_t)ntbytes;\n if (maxout <= 0) {\n return 0; /* non-compressible block */\n }\n }\n if (dict_training) {\n // We are in the build dict state, so don't compress\n // TODO: copy only a percentage for sampling\n memcpy(dest, _src + j * neblock, (unsigned int)neblock);\n cbytes = (int32_t)neblock;\n }\n else if (context->compcode == BLOSC_BLOSCLZ) {\n cbytes = blosclz_compress(context->clevel, _src + j * neblock,\n (int)neblock, dest, (int)maxout);\n }\n #if defined(HAVE_LZ4)\n else if (context->compcode == BLOSC_LZ4) {\n void *hash_table = NULL;\n #ifdef HAVE_IPP\n hash_table = (void*)thread_context->lz4_hash_table;\n 
#endif\n cbytes = lz4_wrap_compress((char*)_src + j * neblock, (size_t)neblock,\n (char*)dest, (size_t)maxout, accel, hash_table);\n }\n else if (context->compcode == BLOSC_LZ4HC) {\n cbytes = lz4hc_wrap_compress((char*)_src + j * neblock, (size_t)neblock,\n (char*)dest, (size_t)maxout, context->clevel);\n }\n #endif /* HAVE_LZ4 */\n #if defined(HAVE_LIZARD)\n else if (context->compcode == BLOSC_LIZARD) {\n cbytes = lizard_wrap_compress((char*)_src + j * neblock, (size_t)neblock,\n (char*)dest, (size_t)maxout, accel);\n }\n #endif /* HAVE_LIZARD */\n #if defined(HAVE_SNAPPY)\n else if (context->compcode == BLOSC_SNAPPY) {\n cbytes = snappy_wrap_compress((char*)_src + j * neblock, (size_t)neblock,\n (char*)dest, (size_t)maxout);\n }\n #endif /* HAVE_SNAPPY */\n #if defined(HAVE_ZLIB)\n else if (context->compcode == BLOSC_ZLIB) {\n cbytes = zlib_wrap_compress((char*)_src + j * neblock, (size_t)neblock,\n (char*)dest, (size_t)maxout, context->clevel);\n }\n #endif /* HAVE_ZLIB */\n #if defined(HAVE_ZSTD)\n else if (context->compcode == BLOSC_ZSTD) {\n cbytes = zstd_wrap_compress(thread_context,\n (char*)_src + j * neblock, (size_t)neblock,\n (char*)dest, (size_t)maxout, context->clevel);\n }\n #endif /* HAVE_ZSTD */\n\n else {\n blosc_compcode_to_compname(context->compcode, &compname);\n fprintf(stderr, \"Blosc has not been compiled with '%s' \", compname);\n fprintf(stderr, \"compression support. Please use one having it.\");\n return -5; /* signals no compression support */\n }\n\n if (cbytes > maxout) {\n /* Buffer overrun caused by compression (should never happen) */\n return -1;\n }\n if (cbytes < 0) {\n /* cbytes should never be negative */\n return -2;\n }\n if (!dict_training) {\n if (cbytes == 0 || cbytes == neblock) {\n /* The compressor has been unable to compress data at all. */\n /* Before doing the copy, check that we are not running into a\n buffer overflow. 
*/\n if ((ntbytes + neblock) > maxbytes) {\n return 0; /* Non-compressible data */\n }\n memcpy(dest, _src + j * neblock, (unsigned int)neblock);\n cbytes = neblock;\n }\n _sw32(dest - 4, cbytes);\n }\n dest += cbytes;\n ntbytes += cbytes;\n ctbytes += cbytes;\n } /* Closes j < nstreams */\n\n //printf(\"c%d\", ctbytes);\n return ctbytes;\n}", "project": "c-blosc2", "hash": 33213175756612861371893504542614898630, "size": 170, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 1, "dataset": "other", "idx": 200450 }, { "func": "static int blosc_c(struct thread_context* thread_context, int32_t bsize,\n int32_t leftoverblock, int32_t ntbytes, int32_t destsize,\n const uint8_t* src, const int32_t offset, uint8_t* dest,\n uint8_t* tmp, uint8_t* tmp2) {\n blosc2_context* context = thread_context->parent_context;\n int dont_split = (context->header_flags & 0x10) >> 4;\n int dict_training = context->use_dict && context->dict_cdict == NULL;\n int32_t j, neblock, nstreams;\n int32_t cbytes; /* number of compressed bytes in split */\n int32_t ctbytes = 0; /* number of compressed bytes in block */\n int64_t maxout;\n int32_t typesize = context->typesize;\n const char* compname;\n int accel;\n const uint8_t* _src;\n uint8_t *_tmp = tmp, *_tmp2 = tmp2;\n uint8_t *_tmp3 = thread_context->tmp4;\n int last_filter_index = last_filter(context->filters, 'c');\n bool memcpyed = context->header_flags & (uint8_t)BLOSC_MEMCPYED;\n\n if (last_filter_index >= 0 || context->prefilter != NULL) {\n /* Apply the filter pipeline just for the prefilter */\n if (memcpyed && context->prefilter != NULL) {\n // We only need the prefilter output\n _src = pipeline_c(thread_context, bsize, src, offset, dest, _tmp2, _tmp3);\n\n if (_src == NULL) {\n return -9; // signals a problem with the filter pipeline\n }\n return bsize;\n }\n /* Apply regular filter pipeline */\n _src = 
pipeline_c(thread_context, bsize, src, offset, _tmp, _tmp2, _tmp3);\n\n if (_src == NULL) {\n return -9; // signals a problem with the filter pipeline\n }\n } else {\n _src = src + offset;\n }\n\n assert(context->clevel > 0);\n\n /* Calculate acceleration for different compressors */\n accel = get_accel(context);\n\n /* The number of compressed data streams for this block */\n if (!dont_split && !leftoverblock && !dict_training) {\n nstreams = (int32_t)typesize;\n }\n else {\n nstreams = 1;\n }\n neblock = bsize / nstreams;\n for (j = 0; j < nstreams; j++) {\n if (!dict_training) {\n dest += sizeof(int32_t);\n ntbytes += sizeof(int32_t);\n ctbytes += sizeof(int32_t);\n }\n\n // See if we have a run here\n const uint8_t* ip = (uint8_t*)_src + j * neblock;\n const uint8_t* ipbound = (uint8_t*)_src + (j + 1) * neblock;\n if (get_run(ip, ipbound)) {\n // A run. Encode the repeated byte as a negative length in the length of the split.\n int32_t value = _src[j * neblock];\n if (ntbytes > destsize) {\n /* Not enough space to write out compressed block size */\n return -1;\n }\n _sw32(dest - 4, -value);\n continue;\n }\n\n maxout = neblock;\n #if defined(HAVE_SNAPPY)\n if (context->compcode == BLOSC_SNAPPY) {\n maxout = (int32_t)snappy_max_compressed_length((size_t)neblock);\n }\n #endif /* HAVE_SNAPPY */\n if (ntbytes + maxout > destsize) {\n /* avoid buffer * overrun */\n maxout = (int64_t)destsize - (int64_t)ntbytes;\n if (maxout <= 0) {\n return 0; /* non-compressible block */\n }\n }\n if (dict_training) {\n // We are in the build dict state, so don't compress\n // TODO: copy only a percentage for sampling\n memcpy(dest, _src + j * neblock, (unsigned int)neblock);\n cbytes = (int32_t)neblock;\n }\n else if (context->compcode == BLOSC_BLOSCLZ) {\n cbytes = blosclz_compress(context->clevel, _src + j * neblock,\n (int)neblock, dest, (int)maxout);\n }\n #if defined(HAVE_LZ4)\n else if (context->compcode == BLOSC_LZ4) {\n void *hash_table = NULL;\n #ifdef HAVE_IPP\n 
hash_table = (void*)thread_context->lz4_hash_table;\n #endif\n cbytes = lz4_wrap_compress((char*)_src + j * neblock, (size_t)neblock,\n (char*)dest, (size_t)maxout, accel, hash_table);\n }\n else if (context->compcode == BLOSC_LZ4HC) {\n cbytes = lz4hc_wrap_compress((char*)_src + j * neblock, (size_t)neblock,\n (char*)dest, (size_t)maxout, context->clevel);\n }\n #endif /* HAVE_LZ4 */\n #if defined(HAVE_LIZARD)\n else if (context->compcode == BLOSC_LIZARD) {\n cbytes = lizard_wrap_compress((char*)_src + j * neblock, (size_t)neblock,\n (char*)dest, (size_t)maxout, accel);\n }\n #endif /* HAVE_LIZARD */\n #if defined(HAVE_SNAPPY)\n else if (context->compcode == BLOSC_SNAPPY) {\n cbytes = snappy_wrap_compress((char*)_src + j * neblock, (size_t)neblock,\n (char*)dest, (size_t)maxout);\n }\n #endif /* HAVE_SNAPPY */\n #if defined(HAVE_ZLIB)\n else if (context->compcode == BLOSC_ZLIB) {\n cbytes = zlib_wrap_compress((char*)_src + j * neblock, (size_t)neblock,\n (char*)dest, (size_t)maxout, context->clevel);\n }\n #endif /* HAVE_ZLIB */\n #if defined(HAVE_ZSTD)\n else if (context->compcode == BLOSC_ZSTD) {\n cbytes = zstd_wrap_compress(thread_context,\n (char*)_src + j * neblock, (size_t)neblock,\n (char*)dest, (size_t)maxout, context->clevel);\n }\n #endif /* HAVE_ZSTD */\n\n else {\n blosc_compcode_to_compname(context->compcode, &compname);\n fprintf(stderr, \"Blosc has not been compiled with '%s' \", compname);\n fprintf(stderr, \"compression support. Please use one having it.\");\n return -5; /* signals no compression support */\n }\n\n if (cbytes > maxout) {\n /* Buffer overrun caused by compression (should never happen) */\n return -1;\n }\n if (cbytes < 0) {\n /* cbytes should never be negative */\n return -2;\n }\n if (!dict_training) {\n if (cbytes == 0 || cbytes == neblock) {\n /* The compressor has been unable to compress data at all. */\n /* Before doing the copy, check that we are not running into a\n buffer overflow. 
*/\n if ((ntbytes + neblock) > destsize) {\n return 0; /* Non-compressible data */\n }\n memcpy(dest, _src + j * neblock, (unsigned int)neblock);\n cbytes = neblock;\n }\n _sw32(dest - 4, cbytes);\n }\n dest += cbytes;\n ntbytes += cbytes;\n ctbytes += cbytes;\n } /* Closes j < nstreams */\n\n //printf(\"c%d\", ctbytes);\n return ctbytes;\n}", "project": "c-blosc2", "hash": 111230234594530939158768630350968281026, "size": 174, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303085 }, { "func": "static unsigned long active_preempt_timeout(struct intel_engine_cs *engine)\n{\n\tstruct i915_request *rq;\n\n\trq = last_active(&engine->execlists);\n\tif (!rq)\n\t\treturn 0;\n\n\t/* Force a fast reset for terminated contexts (ignoring sysfs!) */\n\tif (unlikely(i915_gem_context_is_banned(rq->gem_context)))\n\t\treturn 1;\n\n\treturn READ_ONCE(engine->props.preempt_timeout_ms);\n}", "project": "linux", "hash": 80664572344202026600274586457181662845, "size": 14, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281445 }, { "func": "\nstatic void bfq_exit_icq(struct io_cq *icq)\n{\n\tstruct bfq_io_cq *bic = icq_to_bic(icq);\n\n\tbfq_exit_icq_bfqq(bic, true);\n\tbfq_exit_icq_bfqq(bic, false);", "project": "linux", "hash": 83725968742078566702572557357317512423, "size": 7, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453399 }, { "func": "static inline struct sk_buff *tcp_write_queue_head(const struct sock *sk)\n{\n\treturn skb_peek(&sk->sk_write_queue);\n}", "project": "linux", "hash": 120713882901846037958963784620785632704, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. 
For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410728 }, { "func": "int blosc_getitem(const void* src, int start, int nitems, void* dest) {\n uint8_t* _src = (uint8_t*)(src);\n blosc2_context context;\n int result;\n\n uint8_t version = _src[0]; /* blosc format version */\n if (version > BLOSC_VERSION_FORMAT) {\n /* Version from future */\n return -1;\n }\n\n /* Minimally populate the context */\n memset(&context, 0, sizeof(blosc2_context));\n context.src = src;\n context.dest = dest;\n context.typesize = (uint8_t)_src[3];\n context.blocksize = sw32_(_src + 8);\n context.header_flags = *(_src + 2);\n context.filter_flags = get_filter_flags(context.header_flags, context.typesize);\n context.schunk = g_schunk;\n context.nthreads = 1; // force a serial decompression; fixes #95\n context.serial_context = create_thread_context(&context, 0);\n\n /* Call the actual getitem function */\n result = _blosc_getitem(&context, src, INT32_MAX, start, nitems, dest);\n\n /* Release resources */\n free_thread_context(context.serial_context);\n return result;\n}", "project": "c-blosc2", "hash": 247812207632096568188323365113016834770, "size": 30, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303062 }, { "func": "void 
trace_buffered_event_disable(void)\n{\n\tint cpu;\n\n\tWARN_ON_ONCE(!mutex_is_locked(&event_mutex));\n\n\tif (WARN_ON_ONCE(!trace_buffered_event_ref))\n\t\treturn;\n\n\tif (--trace_buffered_event_ref)\n\t\treturn;\n\n\tpreempt_disable();\n\t/* For each CPU, set the buffer as used. */\n\tsmp_call_function_many(tracing_buffer_mask,\n\t\t\t disable_trace_buffered_event, NULL, 1);\n\tpreempt_enable();\n\n\t/* Wait for all current users to finish */\n\tsynchronize_sched();\n\n\tfor_each_tracing_cpu(cpu) {\n\t\tfree_page((unsigned long)per_cpu(trace_buffered_event, cpu));\n\t\tper_cpu(trace_buffered_event, cpu) = NULL;\n\t}\n\t/*\n\t * Make sure trace_buffered_event is NULL before clearing\n\t * trace_buffered_event_cnt.\n\t */\n\tsmp_wmb();\n\n\tpreempt_disable();\n\t/* Do the work on each cpu */\n\tsmp_call_function_many(tracing_buffer_mask,\n\t\t\t enable_trace_buffered_event, NULL, 1);\n\tpreempt_enable();\n}", "project": "linux", "hash": 22551064815726404231546983161208413549, "size": 37, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445581 }, { "func": "static void nfs4_layoutreturn_release(void *calldata)\n{\n\tstruct nfs4_layoutreturn *lrp = calldata;\n\tstruct pnfs_layout_hdr *lo = lrp->args.layout;\n\n\tdprintk(\"--> %s\\n\", __func__);\n\tpnfs_layoutreturn_free_lsegs(lo, &lrp->args.stateid, &lrp->args.range,\n\t\t\tlrp->res.lrs_present ? &lrp->res.stateid : NULL);\n\tnfs4_sequence_free_slot(&lrp->res.seq_res);\n\tif (lrp->ld_private.ops && lrp->ld_private.ops->free)\n\t\tlrp->ld_private.ops->free(&lrp->ld_private);\n\tpnfs_put_layout_hdr(lrp->args.layout);\n\tnfs_iput_and_deactive(lrp->inode);\n\tput_cred(lrp->cred);\n\tkfree(calldata);\n\tdprintk(\"<-- %s\\n\", __func__);\n}", "project": "linux", "hash": 186313375187856379735919417108017875312, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431078 }, { "func": "void imap_munge_mbox_name(bool unicode, char *dest, size_t dlen, const char *src)\n{\n char *buf = mutt_str_dup(src);\n imap_utf_encode(unicode, &buf);\n\n imap_quote_string(dest, dlen, buf, false);\n\n FREE(&buf);\n}", "project": "neomutt", "hash": 331779400947477410769112688885899700479, "size": 9, "commit_id": 
"fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399264 }, { "func": "static int tracing_snapshot_open(struct inode *inode, struct file *file)\n{\n\tstruct trace_array *tr = inode->i_private;\n\tstruct trace_iterator *iter;\n\tstruct seq_file *m;\n\tint ret = 0;\n\n\tif (trace_array_get(tr) < 0)\n\t\treturn -ENODEV;\n\n\tif (file->f_mode & FMODE_READ) {\n\t\titer = __tracing_open(inode, file, true);\n\t\tif (IS_ERR(iter))\n\t\t\tret = PTR_ERR(iter);\n\t} else {\n\t\t/* Writes still need the seq_file to hold the private data */\n\t\tret = -ENOMEM;\n\t\tm = kzalloc(sizeof(*m), GFP_KERNEL);\n\t\tif (!m)\n\t\t\tgoto out;\n\t\titer = kzalloc(sizeof(*iter), GFP_KERNEL);\n\t\tif (!iter) {\n\t\t\tkfree(m);\n\t\t\tgoto out;\n\t\t}\n\t\tret = 0;\n\n\t\titer->tr = tr;\n\t\titer->trace_buffer = &tr->max_buffer;\n\t\titer->cpu_file = tracing_get_cpu(inode);\n\t\tm->private = iter;\n\t\tfile->private_data = m;\n\t}\nout:\n\tif (ret < 0)\n\t\ttrace_array_put(tr);\n\n\treturn ret;\n}", "project": "linux", "hash": 308718107890146758291696091061083468207, "size": 39, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445674 }, { "func": "static int compname_to_clibcode(const char* compname) {\n if (strcmp(compname, BLOSC_BLOSCLZ_COMPNAME) == 0)\n return BLOSC_BLOSCLZ_LIB;\n if (strcmp(compname, BLOSC_LZ4_COMPNAME) == 0)\n return BLOSC_LZ4_LIB;\n if (strcmp(compname, BLOSC_LZ4HC_COMPNAME) == 0)\n return BLOSC_LZ4_LIB;\n if (strcmp(compname, BLOSC_LIZARD_COMPNAME) == 0)\n return BLOSC_LIZARD_LIB;\n if (strcmp(compname, BLOSC_SNAPPY_COMPNAME) == 0)\n return BLOSC_SNAPPY_LIB;\n if (strcmp(compname, BLOSC_ZLIB_COMPNAME) == 0)\n return BLOSC_ZLIB_LIB;\n if (strcmp(compname, BLOSC_ZSTD_COMPNAME) == 0)\n return BLOSC_ZSTD_LIB;\n return -1;\n}", "project": "c-blosc2", "hash": 225405536703558181495835991195308092323, "size": 17, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303102 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " void EnterDecodingState() {\n VideoDecoder::DecoderStatus status;\n scoped_refptr video_frame;\n DecodeSingleFrame(i_frame_buffer_, &status, &video_frame);\n\n EXPECT_EQ(status, VideoDecoder::kOk);\n ASSERT_TRUE(video_frame);\n EXPECT_FALSE(video_frame->IsEndOfStream());\n }\n", "cwe": "", "big_vul_idx": 113338, "idx": 101630, "hash": 222868199612595091534769361734257694423 }, { "func": "static void tcp_undo_spur_to_response(struct sock *sk, int flag)\n{\n\tif (flag & FLAG_ECE)\n\t\ttcp_ratehalving_spur_to_response(sk);\n\telse\n\t\ttcp_undo_cwr(sk, true);\n}", 
"project": "net-next", "hash": 264189266465905647761494363159166399319, "size": 7, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409868 }, { "func": "int mnt_optstr_fix_uid(char **optstr, char *value, size_t valsz, char **next)\n{\n\tchar *end;\n\n\tif (!optstr || !*optstr || !value || !valsz)\n\t\treturn -EINVAL;\n\n\tDBG(CXT, ul_debug(\"fixing uid\"));\n\n\tend = value + valsz;\n\n\tif (valsz == 7 && !strncmp(value, \"useruid\", 7) &&\n\t (*(value + 7) == ',' || !*(value + 7)))\n\t\treturn set_uint_value(optstr, getuid(), value, end, next);\n\n\tif (!isdigit(*value)) {\n\t\tuid_t id;\n\t\tint rc;\n\t\tchar *p = strndup(value, valsz);\n\t\tif (!p)\n\t\t\treturn -ENOMEM;\n\t\trc = mnt_get_uid(p, &id);\n\t\tfree(p);\n\n\t\tif (!rc)\n\t\t\treturn set_uint_value(optstr, id, value, end, next);\n\t}\n\n\tif (next) {\n\t\t/* no change, let's keep the original value */\n\t\t*next = value + valsz;\n\t\tif (**next == ',')\n\t\t\t(*next)++;\n\t}\n\n\treturn 0;\n}", "project": "util-linux", "hash": 73615280917402309617351603864824619138, "size": 37, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410424 }, { "func": "static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;\n\tstruct hci_cp_le_conn_param_req_reply cp;\n\tstruct hci_conn *hcon;\n\tu16 handle, 
min, max, latency, timeout;\n\n\thandle = le16_to_cpu(ev->handle);\n\tmin = le16_to_cpu(ev->interval_min);\n\tmax = le16_to_cpu(ev->interval_max);\n\tlatency = le16_to_cpu(ev->latency);\n\ttimeout = le16_to_cpu(ev->timeout);\n\n\thcon = hci_conn_hash_lookup_handle(hdev, handle);\n\tif (!hcon || hcon->state != BT_CONNECTED)\n\t\treturn send_conn_param_neg_reply(hdev, handle,\n\t\t\t\t\t\t HCI_ERROR_UNKNOWN_CONN_ID);\n\n\tif (hci_check_conn_params(min, max, latency, timeout))\n\t\treturn send_conn_param_neg_reply(hdev, handle,\n\t\t\t\t\t\t HCI_ERROR_INVALID_LL_PARAMS);\n\n\tif (hcon->role == HCI_ROLE_MASTER) {\n\t\tstruct hci_conn_params *params;\n\t\tu8 store_hint;\n\n\t\thci_dev_lock(hdev);\n\n\t\tparams = hci_conn_params_lookup(hdev, &hcon->dst,\n\t\t\t\t\t\thcon->dst_type);\n\t\tif (params) {\n\t\t\tparams->conn_min_interval = min;\n\t\t\tparams->conn_max_interval = max;\n\t\t\tparams->conn_latency = latency;\n\t\t\tparams->supervision_timeout = timeout;\n\t\t\tstore_hint = 0x01;\n\t\t} else{\n\t\t\tstore_hint = 0x00;\n\t\t}\n\n\t\thci_dev_unlock(hdev);\n\n\t\tmgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,\n\t\t\t\t store_hint, min, max, latency, timeout);\n\t}\n\n\tcp.handle = ev->handle;\n\tcp.interval_min = ev->interval_min;\n\tcp.interval_max = ev->interval_max;\n\tcp.latency = ev->latency;\n\tcp.timeout = ev->timeout;\n\tcp.min_ce_len = 0;\n\tcp.max_ce_len = 0;\n\n\thci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);\n}", "project": "linux", "hash": 168871432745814783427421561387874539912, "size": 57, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431990 }, { "func": "static inline void kvm_free_irq_routing(struct kvm *kvm) {}", "project": "linux", "hash": 336479418170642901312911450869622814546, "size": 1, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354518 }, { "func": " enum Item_result cast_to_int_type() const { return STRING_RESULT; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 304801269217390429803129922185571207424, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508942 }, { "func": " virtual Item_result cast_to_int_type() const { return cmp_type(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 87188430854663764295539088719992093381, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509139 }, { "func": " Item_result cast_to_int_type() const\n {\n return field->cmp_type();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 193159118432436242239433182407686992845, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509240 }, { "func": "ssize_t fuse_listxattr(struct dentry *entry, char *list, size_t size)\n{\n\tstruct inode *inode = d_inode(entry);\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tFUSE_ARGS(args);\n\tstruct fuse_getxattr_in inarg;\n\tstruct fuse_getxattr_out outarg;\n\tssize_t ret;\n\n\tif (fuse_is_bad(inode))\n\t\treturn -EIO;\n\n\tif (!fuse_allow_current_process(fm->fc))\n\t\treturn -EACCES;\n\n\tif (fm->fc->no_listxattr)\n\t\treturn -EOPNOTSUPP;\n\n\tmemset(&inarg, 0, sizeof(inarg));\n\tinarg.size = size;\n\targs.opcode = FUSE_LISTXATTR;\n\targs.nodeid = get_node_id(inode);\n\targs.in_numargs = 1;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\t/* This is really two different operations rolled into one */\n\targs.out_numargs = 1;\n\tif (size) {\n\t\targs.out_argvar = true;\n\t\targs.out_args[0].size = size;\n\t\targs.out_args[0].value = list;\n\t} else {\n\t\targs.out_args[0].size = sizeof(outarg);\n\t\targs.out_args[0].value = &outarg;\n\t}\n\tret = fuse_simple_request(fm, &args);\n\tif (!ret && !size)\n\t\tret = min_t(ssize_t, outarg.size, XATTR_LIST_MAX);\n\tif (ret > 0 && size)\n\t\tret = fuse_verify_xattr_list(list, ret);\n\tif (ret == -ENOSYS) {\n\t\tfm->fc->no_listxattr = 1;\n\t\tret = -EOPNOTSUPP;\n\t}\n\treturn ret;\n}", "project": "linux", "hash": 98510687387293629575707417882213781970, "size": 46, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342163 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "void BlobURLRequestJob::DidRead(int result) {\n if (result < 0) {\n NotifyFailure(net::ERR_FAILED);\n return;\n }\n SetStatus(net::URLRequestStatus()); // Clear the IO_PENDING status\n\n AdvanceBytesRead(result);\n\n if (!read_buf_remaining_bytes_) {\n int bytes_read = ReadCompleted();\n NotifyReadComplete(bytes_read);\n return;\n }\n\n int bytes_read = 0;\n if (ReadLoop(&bytes_read))\n NotifyReadComplete(bytes_read);\n}\n", "cwe": "", "big_vul_idx": 106410, "idx": 95563, "hash": 281842097220724841268513846741502178180 }, { "func": "static int ca8210_dev_com_init(struct ca8210_priv *priv)\n{\n\tpriv->mlme_workqueue = alloc_ordered_workqueue(\n\t\t\"MLME work queue\",\n\t\tWQ_UNBOUND\n\t);\n\tif (!priv->mlme_workqueue) {\n\t\tdev_crit(&priv->spi->dev, \"alloc of mlme_workqueue failed!\\n\");\n\t\treturn -ENOMEM;\n\t}\n\n\tpriv->irq_workqueue = alloc_ordered_workqueue(\n\t\t\"ca8210 irq worker\",\n\t\tWQ_UNBOUND\n\t);\n\tif (!priv->irq_workqueue) {\n\t\tdev_crit(&priv->spi->dev, \"alloc of irq_workqueue failed!\\n\");\n\t\treturn -ENOMEM;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 83989726731854243514267006764232301721, "size": 22, "commit_id": 
"6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408813 }, { "func": "int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry)\n{\n\tstruct ecryptfs_crypt_stat *crypt_stat =\n\t\t&ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat;\n\tunsigned int order;\n\tchar *virt;\n\tsize_t virt_len;\n\tsize_t size = 0;\n\tint rc = 0;\n\n\tif (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) {\n\t\tif (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {\n\t\t\tprintk(KERN_ERR \"Key is invalid; bailing out\\n\");\n\t\t\trc = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\t} else {\n\t\tprintk(KERN_WARNING \"%s: Encrypted flag not set\\n\",\n\t\t __func__);\n\t\trc = -EINVAL;\n\t\tgoto out;\n\t}\n\tvirt_len = crypt_stat->num_header_bytes_at_front;\n\torder = get_order(virt_len);\n\t/* Released in this function */\n\tvirt = (char *)ecryptfs_get_zeroed_pages(GFP_KERNEL, order);\n\tif (!virt) {\n\t\tprintk(KERN_ERR \"%s: Out of memory\\n\", __func__);\n\t\trc = -ENOMEM;\n\t\tgoto out;\n\t}\n\trc = ecryptfs_write_headers_virt(virt, virt_len, &size, crypt_stat,\n\t\t\t\t\t ecryptfs_dentry);\n\tif (unlikely(rc)) {\n\t\tprintk(KERN_ERR \"%s: Error whilst writing headers; rc = [%d]\\n\",\n\t\t __func__, rc);\n\t\tgoto out_free;\n\t}\n\tif (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)\n\t\trc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, virt,\n\t\t\t\t\t\t size);\n\telse\n\t\trc = ecryptfs_write_metadata_to_contents(ecryptfs_dentry, virt,\n\t\t\t\t\t\t\t virt_len);\n\tif (rc) {\n\t\tprintk(KERN_ERR \"%s: Error writing metadata out to lower file; 
\"\n\t\t \"rc = [%d]\\n\", __func__, rc);\n\t\tgoto out_free;\n\t}\nout_free:\n\tfree_pages((unsigned long)virt, order);\nout:\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 339090540925365852461763147576134807745, "size": 54, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. 
Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490152 }, { "func": "static inline void TCP_ECN_withdraw_cwr(struct tcp_sock *tp)\n{\n\ttp->ecn_flags &= ~TCP_ECN_DEMAND_CWR;\n}", "project": "net-next", "hash": 97330365826518132407440228347420416329, "size": 4, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409891 }, { "func": "static void sctp_wake_up_waiters(struct sock *sk,\n\t\t\t\t struct sctp_association *asoc)\n{\n\tstruct sctp_association *tmp = asoc;\n\n\t/* We do accounting for the sndbuf space per association,\n\t * so we only need to wake our own association.\n\t */\n\tif (asoc->ep->sndbuf_policy)\n\t\treturn __sctp_write_space(asoc);\n\n\t/* If association goes down and is just flushing its\n\t * outq, then just normally notify others.\n\t */\n\tif (asoc->base.dead)\n\t\treturn sctp_write_space(sk);\n\n\t/* Accounting for the sndbuf space is per socket, so we\n\t * need to wake up others, try to be fair and in case of\n\t * other associations, let them have a go first instead\n\t * of just doing a sctp_write_space() call.\n\t *\n\t * Note that we reach sctp_wake_up_waiters() only when\n\t * associations free up queued chunks, thus we are under\n\t * lock and the list of associations on a socket is\n\t * guaranteed not to change.\n\t */\n\tfor (tmp = list_next_entry(tmp, asocs); 1;\n\t tmp = list_next_entry(tmp, asocs)) {\n\t\t/* Manually skip the head element. */\n\t\tif (&tmp->asocs == &((sctp_sk(sk))->ep->asocs))\n\t\t\tcontinue;\n\t\t/* Wake up association. */\n\t\t__sctp_write_space(tmp);\n\t\t/* We've reached the end. 
*/\n\t\tif (tmp == asoc)\n\t\t\tbreak;\n\t}\n}", "project": "linux", "hash": 188004656955354833754315345887294683361, "size": 39, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398156 }, { "func": "static int sctp_getsockopt_context(struct sock *sk, int len,\n\t\t\t\t char __user *optval, int __user *optlen)\n{\n\tstruct sctp_assoc_value params;\n\tstruct sctp_association *asoc;\n\n\tif (len < sizeof(struct sctp_assoc_value))\n\t\treturn -EINVAL;\n\n\tlen = sizeof(struct sctp_assoc_value);\n\n\tif (copy_from_user(¶ms, optval, len))\n\t\treturn -EFAULT;\n\n\tasoc = sctp_id2assoc(sk, params.assoc_id);\n\tif (!asoc && params.assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tparams.assoc_value = asoc ? 
asoc->default_rcv_context\n\t\t\t\t : sctp_sk(sk)->default_rcv_context;\n\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\tif (copy_to_user(optval, ¶ms, len))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 154502094013788037010096823053151961671, "size": 29, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398160 }, { "func": "static void free_playlist_list(HLSContext *c)\n{\n int i;\n for (i = 0; i < c->n_playlists; i++) {\n struct playlist *pls = c->playlists[i];\n free_segment_list(pls);\n free_init_section_list(pls);\n av_freep(&pls->renditions);\n av_freep(&pls->id3_buf);\n av_dict_free(&pls->id3_initial);\n ff_id3v2_free_extra_meta(&pls->id3_deferred_extra);\n av_freep(&pls->init_sec_buf);\n av_free_packet(&pls->pkt);\n av_freep(&pls->pb.buffer);\n if (pls->input)\n ffurl_close(pls->input);\n if (pls->ctx) {\n pls->ctx->pb = NULL;\n avformat_close_input(&pls->ctx);\n }\n av_free(pls);\n }\n av_freep(&c->playlists);\n av_freep(&c->cookies);\n av_freep(&c->user_agent);\n c->n_playlists = 0;\n}", "project": "FFmpeg", "hash": 306013886805255298948188951421838241123, "size": 27, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270442 }, { "func": "void gdImageFilledArc (gdImagePtr im, int cx, int cy, int w, int h, int s, int e, int color, int style)\n{\n\tgdPoint pts[3];\n\tint i;\n\tint lx = 0, ly = 0;\n\tint fx = 0, fy = 0;\n\n\n if ((s % 360) == (e % 360)) {\n\t\ts = 0; e = 360;\n\t} else {\n\t\tif (s > 360) {\n\t\t\ts = s % 360;\n\t\t}\n\n\t\tif (e > 360) {\n\t\t\te = e % 360;\n\t\t}\n\n\t\twhile (s < 0) {\n\t\t\ts += 360;\n\t\t}\n\n\t\twhile (e < s) {\n\t\t\te += 360;\n\t\t}\n\t\tif (s == e) {\n\t\t\ts = 0; e = 360;\n\t\t}\n\t}\n\n\tfor (i = s; i <= e; i++) {\n\t\tint x, y;\n\t\tx = ((long) gdCosT[i % 360] * (long) w / (2 * 1024)) + cx;\n\t\ty = ((long) gdSinT[i % 360] * (long) h / (2 * 1024)) + cy;\n\t\tif (i != s) {\n\t\t\tif (!(style & gdChord)) {\n\t\t\t\tif (style & gdNoFill) {\n\t\t\t\t\tgdImageLine(im, 
lx, ly, x, y, color);\n\t\t\t\t} else {\n\t\t\t\t\t/* This is expensive! */\n\t\t\t\t\tpts[0].x = lx;\n\t\t\t\t\tpts[0].y = ly;\n\t\t\t\t\tpts[1].x = x;\n\t\t\t\t\tpts[1].y = y;\n\t\t\t\t\tpts[2].x = cx;\n\t\t\t\t\tpts[2].y = cy;\n\t\t\t\t\tgdImageFilledPolygon(im, pts, 3, color);\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\tfx = x;\n\t\t\tfy = y;\n\t\t}\n\t\tlx = x;\n\t\tly = y;\n\t}\n\tif (style & gdChord) {\n\t\tif (style & gdNoFill) {\n\t\t\tif (style & gdEdged) {\n\t\t\t\tgdImageLine(im, cx, cy, lx, ly, color);\n\t\t\t\tgdImageLine(im, cx, cy, fx, fy, color);\n\t\t\t}\n\t\t\tgdImageLine(im, fx, fy, lx, ly, color);\n\t\t} else {\n\t\t\tpts[0].x = fx;\n\t\t\tpts[0].y = fy;\n\t\t\tpts[1].x = lx;\n\t\t\tpts[1].y = ly;\n\t\t\tpts[2].x = cx;\n\t\t\tpts[2].y = cy;\n\t\t\tgdImageFilledPolygon(im, pts, 3, color);\n\t\t}\n\t} else {\n\t\tif (style & gdNoFill) {\n\t\t\tif (style & gdEdged) {\n\t\t\t\tgdImageLine(im, cx, cy, lx, ly, color);\n\t\t\t\tgdImageLine(im, cx, cy, fx, fy, color);\n\t\t\t}\n\t\t}\n\t}\n}", "project": "php-src", "hash": 152990386191768977002866739497965707712, "size": 82, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295135 }, { "func": "static void SFDParseVertexKern(FILE *sfd, struct mathkernvertex *vertex) {\n int i,ch;\n\n getint(sfd,&vertex->cnt);\n vertex->mkd = calloc(vertex->cnt,sizeof(struct mathkerndata));\n for ( i=0; icnt; ++i ) {\n\tSFDParseMathValueRecord(sfd,&vertex->mkd[i].height,&vertex->mkd[i].height_adjusts);\n\twhile ( (ch=nlgetc(sfd))==' ' );\n\tif ( ch!=EOF && ch!=',' )\n\t ungetc(ch,sfd);\n\tSFDParseMathValueRecord(sfd,&vertex->mkd[i].kern,&vertex->mkd[i].kern_adjusts);\n }\n}", "project": "fontforge", "hash": 109781527908155914621021252282621661431, "size": 13, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the 
SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417928 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "MediaElementAudioSourceNode::MediaElementAudioSourceNode(AudioContext* context, HTMLMediaElement* mediaElement)\n : AudioSourceNode(NodeTypeMediaElementAudioSource, context, context->sampleRate())\n , m_mediaElement(mediaElement)\n , m_sourceNumberOfChannels(0)\n , m_sourceSampleRate(0)\n{\n addOutput(AudioNodeOutput::create(this, 2));\n\n initialize();\n}\n", "cwe": "", "big_vul_idx": 139702, "idx": 124850, "hash": 93728383996824815802761136439523359081 }, { "func": "int tipc_node_dump(struct tipc_node *n, bool more, char *buf)\n{\n\tint i = 0;\n\tsize_t sz = (more) ? 
NODE_LMAX : NODE_LMIN;\n\n\tif (!n) {\n\t\ti += scnprintf(buf, sz, \"node data: (null)\\n\");\n\t\treturn i;\n\t}\n\n\ti += scnprintf(buf, sz, \"node data: %x\", n->addr);\n\ti += scnprintf(buf + i, sz - i, \" %x\", n->state);\n\ti += scnprintf(buf + i, sz - i, \" %d\", n->active_links[0]);\n\ti += scnprintf(buf + i, sz - i, \" %d\", n->active_links[1]);\n\ti += scnprintf(buf + i, sz - i, \" %x\", n->action_flags);\n\ti += scnprintf(buf + i, sz - i, \" %u\", n->failover_sent);\n\ti += scnprintf(buf + i, sz - i, \" %u\", n->sync_point);\n\ti += scnprintf(buf + i, sz - i, \" %d\", n->link_cnt);\n\ti += scnprintf(buf + i, sz - i, \" %u\", n->working_links);\n\ti += scnprintf(buf + i, sz - i, \" %x\", n->capabilities);\n\ti += scnprintf(buf + i, sz - i, \" %lu\\n\", n->keepalive_intv);\n\n\tif (!more)\n\t\treturn i;\n\n\ti += scnprintf(buf + i, sz - i, \"link_entry[0]:\\n\");\n\ti += scnprintf(buf + i, sz - i, \" mtu: %u\\n\", n->links[0].mtu);\n\ti += scnprintf(buf + i, sz - i, \" media: \");\n\ti += tipc_media_addr_printf(buf + i, sz - i, &n->links[0].maddr);\n\ti += scnprintf(buf + i, sz - i, \"\\n\");\n\ti += tipc_link_dump(n->links[0].link, TIPC_DUMP_NONE, buf + i);\n\ti += scnprintf(buf + i, sz - i, \" inputq: \");\n\ti += tipc_list_dump(&n->links[0].inputq, false, buf + i);\n\n\ti += scnprintf(buf + i, sz - i, \"link_entry[1]:\\n\");\n\ti += scnprintf(buf + i, sz - i, \" mtu: %u\\n\", n->links[1].mtu);\n\ti += scnprintf(buf + i, sz - i, \" media: \");\n\ti += tipc_media_addr_printf(buf + i, sz - i, &n->links[1].maddr);\n\ti += scnprintf(buf + i, sz - i, \"\\n\");\n\ti += tipc_link_dump(n->links[1].link, TIPC_DUMP_NONE, buf + i);\n\ti += scnprintf(buf + i, sz - i, \" inputq: \");\n\ti += tipc_list_dump(&n->links[1].inputq, false, buf + i);\n\n\ti += scnprintf(buf + i, sz - i, \"bclink:\\n \");\n\ti += tipc_link_dump(n->bc_entry.link, TIPC_DUMP_NONE, buf + i);\n\n\treturn i;\n}", "project": "linux", "hash": 79544820396826564798487282407522178778, "size": 48, 
"commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n 
__do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n 
do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364973 }, { "func": "static int execute_decode_slices(H264Context *h, int context_count)\n{\n AVCodecContext *const avctx = h->avctx;\n H264Context *hx;\n int i;\n\n av_assert0(h->mb_y < h->mb_height);\n\n if (h->avctx->hwaccel ||\n h->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU)\n return 0;\n if (context_count == 1) {\n return decode_slice(avctx, &h);\n } else {\n av_assert0(context_count > 0);\n for (i = 1; i < context_count; i++) {\n hx = h->thread_context[i];\n if (CONFIG_ERROR_RESILIENCE) {\n hx->er.error_count = 0;\n }\n hx->x264_build = h->x264_build;\n }\n\n avctx->execute(avctx, decode_slice, h->thread_context,\n NULL, context_count, sizeof(void *));\n\n /* pull back stuff from slices to master context */\n hx = h->thread_context[context_count - 1];\n h->mb_x = hx->mb_x;\n h->mb_y = hx->mb_y;\n h->droppable = hx->droppable;\n h->picture_structure = hx->picture_structure;\n if (CONFIG_ERROR_RESILIENCE) {\n for (i = 1; i < context_count; i++)\n h->er.error_count += h->thread_context[i]->er.error_count;\n }\n }\n\n return 0;\n}", "project": "FFmpeg", "hash": 270886298238122639954975428282393170327, "size": 40, "commit_id": "8a3b85f3a7952c54a2c36ba1797f7e0cde9f85aa", "message": "avcodec/h264: update current_sps & sps->new only after the whole slice header decoder and init code finished\n\nThis avoids them being cleared before the full initialization finished\n\nFixes out of array read\nFixes: asan_heap-oob_f0c5e6_7071_cov_1605985132_mov_h264_aac__Demo_FlagOfOurFathers.mov\nFound-by: Mateusz \"j00ru\" Jurczyk and Gynvael Coldwind\nSigned-off-by: 
Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 270126 }, { "func": "static u32 intel_lr_indirect_ctx_offset(const struct intel_engine_cs *engine)\n{\n\tu32 indirect_ctx_offset;\n\n\tswitch (INTEL_GEN(engine->i915)) {\n\tdefault:\n\t\tMISSING_CASE(INTEL_GEN(engine->i915));\n\t\t/* fall through */\n\tcase 12:\n\t\tindirect_ctx_offset =\n\t\t\tGEN12_CTX_RCS_INDIRECT_CTX_OFFSET_DEFAULT;\n\t\tbreak;\n\tcase 11:\n\t\tindirect_ctx_offset =\n\t\t\tGEN11_CTX_RCS_INDIRECT_CTX_OFFSET_DEFAULT;\n\t\tbreak;\n\tcase 10:\n\t\tindirect_ctx_offset =\n\t\t\tGEN10_CTX_RCS_INDIRECT_CTX_OFFSET_DEFAULT;\n\t\tbreak;\n\tcase 9:\n\t\tindirect_ctx_offset =\n\t\t\tGEN9_CTX_RCS_INDIRECT_CTX_OFFSET_DEFAULT;\n\t\tbreak;\n\tcase 8:\n\t\tindirect_ctx_offset =\n\t\t\tGEN8_CTX_RCS_INDIRECT_CTX_OFFSET_DEFAULT;\n\t\tbreak;\n\t}\n\n\treturn indirect_ctx_offset;\n}", "project": "linux", "hash": 236671334119639860367753272871380560745, "size": 32, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281454 }, { "func": "\nstatic void io_ring_exit_work(struct work_struct *work)\n{\n\tstruct io_ring_ctx *ctx = container_of(work, struct io_ring_ctx, exit_work);\n\tunsigned long timeout = jiffies + HZ * 60 * 5;\n\tstruct io_tctx_exit exit;\n\tstruct io_tctx_node *node;\n\tint ret;\n\n\t/*\n\t * If we're doing polled IO and end up having requests being\n\t * submitted async (out-of-line), then completions can come in while\n\t * we're waiting for refs to drop. We need to reap these manually,\n\t * as nobody else will be looking for them.\n\t */\n\tdo {\n\t\tio_uring_try_cancel_requests(ctx, NULL, NULL);\n\t\tif (ctx->sq_data) {\n\t\t\tstruct io_sq_data *sqd = ctx->sq_data;\n\t\t\tstruct task_struct *tsk;\n\n\t\t\tio_sq_thread_park(sqd);\n\t\t\ttsk = sqd->thread;\n\t\t\tif (tsk && tsk->io_uring && tsk->io_uring->io_wq)\n\t\t\t\tio_wq_cancel_cb(tsk->io_uring->io_wq,\n\t\t\t\t\t\tio_cancel_ctx_cb, ctx, true);\n\t\t\tio_sq_thread_unpark(sqd);\n\t\t}\n\n\t\tWARN_ON_ONCE(time_after(jiffies, timeout));\n\t} while (!wait_for_completion_timeout(&ctx->ref_comp, HZ/20));\n\n\tinit_completion(&exit.completion);\n\tinit_task_work(&exit.task_work, io_tctx_exit_cb);\n\texit.ctx = ctx;\n\t/*\n\t * Some may use context even when all refs and requests have been put,\n\t * and they are free to do so while still holding uring_lock or\n\t * completion_lock, see __io_req_task_submit(). 
Apart from other work,\n\t * this lock/unlock section also waits them to finish.\n\t */\n\tmutex_lock(&ctx->uring_lock);\n\twhile (!list_empty(&ctx->tctx_list)) {\n\t\tWARN_ON_ONCE(time_after(jiffies, timeout));\n\n\t\tnode = list_first_entry(&ctx->tctx_list, struct io_tctx_node,\n\t\t\t\t\tctx_node);\n\t\t/* don't spin on a single task if cancellation failed */\n\t\tlist_rotate_left(&ctx->tctx_list);\n\t\tret = task_work_add(node->task, &exit.task_work, TWA_SIGNAL);\n\t\tif (WARN_ON_ONCE(ret))\n\t\t\tcontinue;\n\t\twake_up_process(node->task);\n\n\t\tmutex_unlock(&ctx->uring_lock);\n\t\twait_for_completion(&exit.completion);\n\t\tmutex_lock(&ctx->uring_lock);\n\t}\n\tmutex_unlock(&ctx->uring_lock);\n\tspin_lock_irq(&ctx->completion_lock);\n\tspin_unlock_irq(&ctx->completion_lock);\n\n\tio_ring_ctx_free(ctx);", "project": "linux", "hash": 223163377018280727170544422570274168483, "size": 63, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338608 }, { "func": "static void io_ring_exit_work(struct work_struct *work)\n{\n\tstruct io_ring_ctx *ctx = container_of(work, struct io_ring_ctx,\n\t\t\t\t\t exit_work);\n\n\t/*\n\t * If we're doing polled IO and end up having requests being\n\t * submitted async (out-of-line), then completions can come in while\n\t * we're waiting for refs to drop. We need to reap these manually,\n\t * as nobody else will be looking for them.\n\t */\n\tdo {\n\t\tif (ctx->rings)\n\t\t\tio_cqring_overflow_flush(ctx, true);\n\t\tio_iopoll_try_reap_events(ctx);\n\t} while (!wait_for_completion_timeout(&ctx->ref_comp, HZ/20));\n\tio_ring_ctx_free(ctx);\n}", "project": "linux", "hash": 297492576461752666025459748025088355012, "size": 18, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456925 }, 
{ "func": " void Compute(OpKernelContext* ctx) override {\n const Tensor& in0 = ctx->input(0);\n const Tensor& in1 = ctx->input(1);\n\n ValidateInputTensors(ctx, in0, in1);\n\n MatMulBCast bcast(in0.shape().dim_sizes(), in1.shape().dim_sizes());\n OP_REQUIRES(\n ctx, bcast.IsValid(),\n errors::InvalidArgument(\n \"In[0] and In[1] must have compatible batch dimensions: \",\n in0.shape().DebugString(), \" vs. \", in1.shape().DebugString()));\n\n TensorShape out_shape = bcast.output_batch_shape();\n auto batch_size = bcast.output_batch_size();\n auto d0 = in0.dim_size(in0.dims() - 2); // Band size.\n auto d1 = in0.dim_size(in0.dims() - 1);\n Tensor in0_reshaped;\n OP_REQUIRES(\n ctx,\n in0_reshaped.CopyFrom(in0, TensorShape({bcast.x_batch_size(), d0, d1})),\n errors::Internal(\"Failed to reshape In[0] from \",\n in0.shape().DebugString()));\n auto d2 = in1.dim_size(in1.dims() - 2);\n auto d3 = in1.dim_size(in1.dims() - 1);\n Tensor in1_reshaped;\n OP_REQUIRES(\n ctx,\n in1_reshaped.CopyFrom(in1, TensorShape({bcast.y_batch_size(), d2, d3})),\n errors::Internal(\"Failed to reshape In[1] from \",\n in1.shape().DebugString()));\n OP_REQUIRES(ctx, d1 == d2,\n errors::InvalidArgument(\n \"In[0] mismatch In[1] shape: \", d1, \" vs. 
\", d2, \": \",\n in0.shape().DebugString(), \" \", in1.shape().DebugString(),\n \" \", lower_, \" \", adjoint_));\n out_shape.AddDim(d1);\n out_shape.AddDim(d3);\n Tensor* out = nullptr;\n OP_REQUIRES_OK(ctx, ctx->allocate_output(0, out_shape, &out));\n if (out->NumElements() == 0) {\n return;\n }\n Tensor out_reshaped;\n OP_REQUIRES(ctx,\n out_reshaped.CopyFrom(*out, TensorShape({batch_size, d1, d3})),\n errors::Internal(\"Failed to reshape output from \",\n out->shape().DebugString()));\n LaunchBatchBandedTriangularSolve::Launch(\n ctx, in0_reshaped, in1_reshaped, adjoint_, lower_, bcast,\n &out_reshaped);\n }", "project": "tensorflow", "hash": 129370171757238809505094793708920834743, "size": 52, "commit_id": "0ab290774f91a23bebe30a358fde4e53ab4876a0", "message": "Ensure validation sticks in banded_triangular_solve_op\n\nPiperOrigin-RevId: 373275480\nChange-Id: Id7717cf275b2d6fdb9441fbbe166d555182d2e79", "target": 1, "dataset": "other", "idx": 195754 }, { "func": " void Compute(OpKernelContext* context) override {\n const float in_min = context->input(2).flat()(0);\n const float in_max = context->input(3).flat()(0);\n\n ImageResizerState st(align_corners_, false);\n st.ValidateAndCreateOutput(context);\n\n if (!context->status().ok()) return;\n\n // Return if the output is empty.\n if (st.output->NumElements() == 0) return;\n\n typename TTypes::ConstTensor image_data(\n context->input(0).tensor());\n typename TTypes::Tensor output_data(st.output->tensor());\n\n ResizeBilinear(image_data, st.height_scale, st.width_scale, in_min,\n in_max, half_pixel_centers_, &output_data);\n Tensor* out_min = nullptr;\n OP_REQUIRES_OK(context, context->allocate_output(1, {}, &out_min));\n out_min->flat()(0) = in_min;\n\n Tensor* out_max = nullptr;\n OP_REQUIRES_OK(context, context->allocate_output(2, {}, &out_max));\n out_max->flat()(0) = in_max;\n }", "project": "tensorflow", "hash": 327227610424235160739799447249420118357, "size": 26, "commit_id": 
"f6c40f0c6cbf00d46c7717a26419f2062f2f8694", "message": "Validate min and max arguments to `QuantizedResizeBilinear`.\n\nPiperOrigin-RevId: 369765091\nChange-Id: I33be8b78273ab7d08b97541692fe05cb7f94963a", "target": 1, "dataset": "other", "idx": 196673 }, { "func": " void Compute(OpKernelContext* context) override {\n const auto& input = context->input(0);\n auto flat_in = input.flat();\n\n int fixed_length;\n const auto& length_input = context->input(1);\n OP_REQUIRES(context, TensorShapeUtils::IsScalar(length_input.shape()),\n errors::InvalidArgument(\"k must be scalar, got shape \",\n length_input.shape().DebugString()));\n fixed_length = length_input.scalar()();\n\n OP_REQUIRES(\n context, fixed_length % sizeof(T) == 0,\n errors::InvalidArgument(\n \"fixed_length (\", fixed_length,\n \") must be a multiple of the size of out_type (\", sizeof(T), \")\"));\n\n OP_REQUIRES(context, fixed_length > 0,\n errors::InvalidArgument(\"fixed_length (\", fixed_length,\n \") must be greater than zero.\"));\n\n int width = fixed_length / sizeof(T);\n\n TensorShape out_shape = input.shape();\n out_shape.AddDim(width);\n Tensor* output_tensor = nullptr;\n OP_REQUIRES_OK(\n context, context->allocate_output(\"output\", out_shape, &output_tensor));\n\n if (flat_in.size() == 0) { // Empty input\n return;\n }\n\n auto out = output_tensor->flat_inner_dims();\n T* out_data = out.data();\n\n // Forcibly clear memory - we're going to copy variable length strings in,\n // and need to ensure that if we don't write to byte N when we copy, that\n // we're not getting random data.\n memset(out_data, 0, fixed_length * flat_in.size());\n\n // If the data is already in the host's byte order, or if the width of the\n // output type is a single byte (meaning the ordering doesn't matter), we\n // can copy the memory directly.\n if (!convert_data_endianness_ || sizeof(T) == 1) {\n for (int64 i = 0; i < flat_in.size(); ++i) {\n const T* in_data = reinterpret_cast(flat_in(i).data());\n\n if 
(flat_in(i).size() > fixed_length) {\n memcpy(out_data, in_data, fixed_length);\n } else {\n memcpy(out_data, in_data, flat_in(i).size());\n }\n out_data += fixed_length;\n }\n } else {\n // Otherwise, the data is not in the host's byte order, and rather than a\n // direct copy, we need to reverse the byte ordering of each element.\n for (int64 i = 0; i < flat_in.size(); ++i) {\n const char* in_data_bytes =\n reinterpret_cast(flat_in(i).data());\n char* out_data_bytes = reinterpret_cast(out_data);\n const char* p_in = in_data_bytes;\n char* p_out = out_data_bytes;\n for (; p_in < in_data_bytes + fixed_length;\n p_in += sizeof(T), p_out += sizeof(T)) {\n std::reverse_copy(p_in, p_in + sizeof(T), p_out);\n }\n out_data += fixed_length;\n }\n }\n }", "project": "tensorflow", "hash": 146552813611946796478012198860441040266, "size": 72, "commit_id": "698e01511f62a3c185754db78ebce0eee1f0184d", "message": "Fix `tf.io.decode_raw` bugs and update documentation.\n\nFixes cases where specifying `fixed_length` resulted in data loss and even segfault and corruption of the Python interpreter. 
The fix is subtle but needed due to pointer arithmetic rules.\n\nMakes sure that `fixed_length` does not change the output when present but not needed.\n\nEliminates needless copy and cast in the main codepath.\n\nPiperOrigin-RevId: 371322725\nChange-Id: I514ef67a2961c86422f69d05122d31615e87896c", "target": 1, "dataset": "other", "idx": 196739 }, { "func": " void Compute(OpKernelContext* ctx) override {\n const Tensor& indices_tensor = ctx->input(0);\n OP_REQUIRES(ctx,\n TensorShapeUtils::IsVector(indices_tensor.shape()) ||\n TensorShapeUtils::IsScalar(indices_tensor.shape()),\n errors::InvalidArgument(\n \"The indices can only be scalar or vector, got \\\"\",\n indices_tensor.shape().DebugString(), \"\\\"\"));\n\n const Tensor& dims_tensor = ctx->input(1);\n OP_REQUIRES(\n ctx, TensorShapeUtils::IsVector(dims_tensor.shape()),\n errors::InvalidArgument(\"The indices can only be 1-D, got \\\"\",\n dims_tensor.shape().DebugString(), \"\\\"\"));\n\n auto dims = dims_tensor.vec();\n\n // Chek to make sure indices is not out of boundary\n Eigen::Tensor dims_prod_eigen = dims.prod();\n Tidx dims_prod = dims_prod_eigen();\n const Tidx* indices = indices_tensor.flat().data();\n int64 size = indices_tensor.NumElements();\n bool check = std::all_of(indices, indices + size,\n [&](Tidx index) { return index < dims_prod; });\n OP_REQUIRES(ctx, check,\n errors::InvalidArgument(\"index is out of bound as with dims\"));\n\n Eigen::array reverse({true});\n\n Tensor strides_tensor;\n OP_REQUIRES_OK(ctx,\n ctx->allocate_temp(DataTypeToEnum::value,\n TensorShape({dims_tensor.NumElements()}),\n &strides_tensor));\n\n auto strides = strides_tensor.vec();\n strides = dims.reverse(reverse)\n .scan(0, Eigen::internal::ProdReducer(), false)\n .reverse(reverse);\n\n Tensor strides_shifted_tensor;\n OP_REQUIRES_OK(ctx,\n ctx->allocate_temp(DataTypeToEnum::value,\n TensorShape({dims_tensor.NumElements()}),\n &strides_shifted_tensor));\n\n auto strides_shifted = strides_shifted_tensor.vec();\n 
strides_shifted = dims.reverse(reverse)\n .scan(0, Eigen::internal::ProdReducer(), true)\n .reverse(reverse);\n\n Tensor* output_tensor = nullptr;\n if (TensorShapeUtils::IsScalar(indices_tensor.shape())) {\n OP_REQUIRES_OK(\n ctx, ctx->allocate_output(0, TensorShape({dims_tensor.NumElements()}),\n &output_tensor));\n\n auto output = output_tensor->vec();\n\n output = output.constant(indices_tensor.scalar()());\n output = output.binaryExpr(strides, mod_op()) / strides_shifted;\n } else {\n OP_REQUIRES_OK(\n ctx, ctx->allocate_output(0,\n TensorShape({dims_tensor.NumElements(),\n indices_tensor.NumElements()}),\n &output_tensor));\n\n auto output = output_tensor->matrix();\n\n Eigen::array reshape{\n {static_cast(dims_tensor.NumElements()), 1}};\n Eigen::array bcast(\n {1, static_cast(indices_tensor.NumElements())});\n Eigen::array indices_reshape{\n {1, static_cast(indices_tensor.NumElements())}};\n Eigen::array indices_bcast(\n {static_cast(dims_tensor.NumElements()), 1});\n\n output = indices_tensor.vec()\n .reshape(indices_reshape)\n .broadcast(indices_bcast);\n output = output.binaryExpr(strides.reshape(reshape).broadcast(bcast),\n mod_op()) /\n strides_shifted.reshape(reshape).broadcast(bcast);\n }\n }", "project": "tensorflow", "hash": 264158770569740569963092041338700970996, "size": 87, "commit_id": "a776040a5e7ebf76eeb7eb923bf1ae417dd4d233", "message": "Disallow dims input of 0 in tf.raw_ops.UnravelIndex\n\nPiperOrigin-RevId: 384284198\nChange-Id: Ia1804ef1aec57b4d857ea507e6891bcccde18e9b", "target": 1, "dataset": "other", "idx": 196763 }, { "func": "void UncompressElementOp::Compute(OpKernelContext* ctx) {\n Tensor tensor = ctx->input(0);\n const Variant& variant = tensor.scalar()();\n const CompressedElement* compressed = variant.get();\n\n std::vector components;\n OP_REQUIRES_OK(ctx, UncompressElement(*compressed, &components));\n OP_REQUIRES(ctx, components.size() == output_types_.size(),\n errors::FailedPrecondition(\"Expected \", 
output_types_.size(),\n \" outputs from uncompress, but got \",\n components.size()));\n for (int i = 0; i < components.size(); ++i) {\n OP_REQUIRES(\n ctx, components[i].dtype() == output_types_[i],\n errors::FailedPrecondition(\"Expected a tensor of type \",\n DataTypeString(output_types_[i]),\n \" but got a tensor of type \",\n DataTypeString(components[i].dtype())));\n ctx->set_output(i, components[i]);\n }\n}", "project": "tensorflow", "hash": 123137112005180251715591720813780418586, "size": 21, "commit_id": "7bdf50bb4f5c54a4997c379092888546c97c3ebd", "message": "Ensure non-empty compressed input in tf.raw_ops.UncompressElement\n\nPiperOrigin-RevId: 383955815\nChange-Id: I072a84fd02738dd2f51b3f42836ed80067dba4a8", "target": 1, "dataset": "other", "idx": 196811 }, { "func": " void Compute(OpKernelContext* context) override {\n const Tensor& tensor_in = context->input(0);\n const Tensor& tensor_out = context->input(1);\n const Tensor& out_grad_backprop = context->input(2);\n\n // For maxpooling3d, tensor_in should have 5 dimensions.\n OP_REQUIRES(context, tensor_in.dims() == 5,\n errors::InvalidArgument(\"tensor_in must be 5-dimensional\"));\n OP_REQUIRES(context, tensor_out.dims() == 5,\n errors::InvalidArgument(\"tensor_out must be 5-dimensional\"));\n // For maxpooling3d, out_grad_backprop should have 5 dimensions.\n OP_REQUIRES(\n context, out_grad_backprop.dims() == 5,\n errors::InvalidArgument(\"out_grad_backprop must be 5-dimensional\"));\n\n Pool3dParameters params{context, ksize_, stride_,\n padding_, data_format_, tensor_in.shape()};\n\n Tensor* output = nullptr;\n OP_REQUIRES_OK(context, context->forward_input_or_allocate_output(\n {2}, 0, tensor_out.shape(), &output));\n\n LaunchMaxPooling3dGradGradOp::launch(\n context, params, tensor_in, tensor_out, out_grad_backprop, output);\n }", "project": "tensorflow", "hash": 72289082634613742526739889639765896346, "size": 25, "commit_id": "a3d9f9be9ac2296615644061b40cefcee341dcc4", "message": "Add missing 
validation to pooling_ops_3d\n\nPiperOrigin-RevId: 372218727\nChange-Id: I6b9ed4266aa7286c02f1f230d7bea922c1be547e", "target": 1, "dataset": "other", "idx": 196896 }, { "func": " void Compute(OpKernelContext* context) override {\n const Tensor& tensor_in = context->input(0);\n const Tensor& tensor_out = context->input(1);\n const Tensor& out_grad_backprop = context->input(2);\n\n // For maxpooling3d, tensor_in should have 5 dimensions.\n OP_REQUIRES(context, tensor_in.dims() == 5,\n errors::InvalidArgument(\"tensor_in must be 5-dimensional\"));\n OP_REQUIRES(context, tensor_out.dims() == 5,\n errors::InvalidArgument(\"tensor_out must be 5-dimensional\"));\n // For maxpooling3d, out_grad_backprop should have 5 dimensions.\n OP_REQUIRES(\n context, out_grad_backprop.dims() == 5,\n errors::InvalidArgument(\"out_grad_backprop must be 5-dimensional\"));\n\n Pool3dParameters params{context, ksize_, stride_,\n padding_, data_format_, tensor_in.shape()};\n\n Tensor* output = nullptr;\n OP_REQUIRES_OK(context, context->forward_input_or_allocate_output(\n {2}, 0, tensor_out.shape(), &output));\n\n // Given access patterns in LaunchMaxPooling3dGradGradOp, these tensors must\n // have elements.\n OP_REQUIRES(context, tensor_in.NumElements() > 0,\n errors::InvalidArgument(\"received empty tensor tensor_in: \",\n tensor_in.DebugString()));\n OP_REQUIRES(context, tensor_out.NumElements() > 0,\n errors::InvalidArgument(\"received empty tensor tensor_out: \",\n tensor_out.DebugString()));\n OP_REQUIRES(\n context, out_grad_backprop.NumElements() > 0,\n errors::InvalidArgument(\"received empty tensor out_grad_backprop: \",\n out_grad_backprop.DebugString()));\n\n LaunchMaxPooling3dGradGradOp::launch(\n context, params, tensor_in, tensor_out, out_grad_backprop, output);\n }", "project": "tensorflow", "hash": 93004229093993137097759980110686062671, "size": 38, "commit_id": "63c6a29d0f2d692b247f7bf81f8732d6442fad09", "message": "Add missing validation, prevent heap 
OOB\n\nPiperOrigin-RevId: 372246723\nChange-Id: I1a454a643810e77d7d14821b342098c56a09fbbf", "target": 1, "dataset": "other", "idx": 197063 }, { "func": " void Compute(OpKernelContext* ctx) override {\n const Tensor& input = ctx->input(0);\n const float input_min_float = ctx->input(1).flat()(0);\n const float input_max_float = ctx->input(2).flat()(0);\n Tensor* output_min = nullptr;\n OP_REQUIRES_OK(ctx, ctx->allocate_output(0, TensorShape({}), &output_min));\n Tensor* output_max = nullptr;\n OP_REQUIRES_OK(ctx, ctx->allocate_output(1, TensorShape({}), &output_max));\n\n qint32 used_min_quantized;\n qint32 used_max_quantized;\n CalculateUsedRange(input, &used_min_quantized, &used_max_quantized);\n\n // We want to make sure that the minimum is no larger than zero, so that the\n // convolution operation can run efficiently.\n const float used_min_float = std::min(\n 0.0f,\n QuantizedToFloat(used_min_quantized, input_min_float, input_max_float));\n const float used_max_float =\n QuantizedToFloat(used_max_quantized, input_min_float, input_max_float);\n\n output_min->flat().setConstant(used_min_float);\n output_max->flat().setConstant(used_max_float);\n }", "project": "tensorflow", "hash": 11062965309142515619891321633938443899, "size": 24, "commit_id": "ef0c008ee84bad91ec6725ddc42091e19a30cf0e", "message": "Fix out of bound read in requantization_range_op.cc\n\nPiperOrigin-RevId: 372129031\nChange-Id: Ie684ab98a3840c5186ead3eafffc0e0ed0e8030d", "target": 1, "dataset": "other", "idx": 197575 }, { "func": " void Compute(OpKernelContext* context) override {\n const Tensor& input = context->input(0);\n const float input_min = context->input(1).flat()(0);\n const float input_max = context->input(2).flat()(0);\n const Tensor& mean = context->input(3);\n const float mean_min = context->input(4).flat()(0);\n const float mean_max = context->input(5).flat()(0);\n const Tensor& var = context->input(6);\n const float var_min = context->input(7).flat()(0);\n const float var_max = 
context->input(8).flat()(0);\n const Tensor& beta = context->input(9);\n const float beta_min = context->input(10).flat()(0);\n const float beta_max = context->input(11).flat()(0);\n const Tensor& gamma = context->input(12);\n const float gamma_min = context->input(13).flat()(0);\n const float gamma_max = context->input(14).flat()(0);\n\n OP_REQUIRES(context, input.dims() == 4,\n errors::InvalidArgument(\"input must be 4-dimensional\",\n input.shape().DebugString()));\n OP_REQUIRES(context, mean.dims() == 1,\n errors::InvalidArgument(\"mean must be 1-dimensional\",\n mean.shape().DebugString()));\n OP_REQUIRES(context, var.dims() == 1,\n errors::InvalidArgument(\"var must be 1-dimensional\",\n var.shape().DebugString()));\n OP_REQUIRES(context, beta.dims() == 1,\n errors::InvalidArgument(\"beta must be 1-dimensional\",\n beta.shape().DebugString()));\n OP_REQUIRES(context, gamma.dims() == 1,\n errors::InvalidArgument(\"gamma must be 1-dimensional\",\n gamma.shape().DebugString()));\n\n Tensor* output = nullptr;\n OP_REQUIRES_OK(context,\n context->allocate_output(0, input.shape(), &output));\n float output_min;\n float output_max;\n FixedPointBatchNorm(input, input_min, input_max, mean, mean_min,\n mean_max, var, var_min, var_max, beta, beta_min,\n beta_max, gamma, gamma_min, gamma_max,\n variance_epsilon_, scale_after_normalization_,\n output, &output_min, &output_max);\n\n Tensor* output_min_tensor = nullptr;\n OP_REQUIRES_OK(context,\n context->allocate_output(1, {}, &output_min_tensor));\n output_min_tensor->flat()(0) = output_min;\n\n Tensor* output_max_tensor = nullptr;\n OP_REQUIRES_OK(context,\n context->allocate_output(2, {}, &output_max_tensor));\n output_max_tensor->flat()(0) = output_max;\n }", "project": "tensorflow", "hash": 39891708146580454794486373109005381550, "size": 54, "commit_id": "d6ed5bcfe1dcab9e85a4d39931bd18d99018e75b", "message": "Add missing validation in `QuantizedBatchNormWithGlobalNormalization`\n\nPiperOrigin-RevId: 
370123451\nChange-Id: Id234d6dab1ec21230bb8e503dba30f899af87f33", "target": 1, "dataset": "other", "idx": 197761 }, { "func": " void Compute(OpKernelContext* ctx) override {\n // This call processes inputs 1 and 2 to write output 0.\n ReshapeOp::Compute(ctx);\n\n const float input_min_float = ctx->input(2).flat()(0);\n const float input_max_float = ctx->input(3).flat()(0);\n Tensor* output_min = nullptr;\n OP_REQUIRES_OK(ctx, ctx->allocate_output(1, TensorShape({}), &output_min));\n output_min->flat()(0) = input_min_float;\n\n Tensor* output_max = nullptr;\n OP_REQUIRES_OK(ctx, ctx->allocate_output(2, TensorShape({}), &output_max));\n output_max->flat()(0) = input_max_float;\n }", "project": "tensorflow", "hash": 138415375282410567846030933274549860111, "size": 14, "commit_id": "a324ac84e573fba362a5e53d4e74d5de6729933e", "message": "Validate arguments to `QuantizedReshape`.\n\nEnsure that validations from `Reshape` also terminate `QuantizedReshape` on failure.\n\nPiperOrigin-RevId: 369775421\nChange-Id: If8c5342267aceea65b7cb83a4b183304886f1ce8", "target": 1, "dataset": "other", "idx": 198140 }, { "func": " void Compute(OpKernelContext* ctx) override {\n const Tensor& handle = ctx->input(0);\n const string& name = handle.scalar()();\n Tensor val;\n auto session_state = ctx->session_state();\n OP_REQUIRES(ctx, session_state != nullptr,\n errors::FailedPrecondition(\n \"GetSessionTensor called on null session state\"));\n OP_REQUIRES_OK(ctx, session_state->GetTensor(name, &val));\n ctx->set_output(0, val);\n }", "project": "tensorflow", "hash": 259044981987645932037936595311494596008, "size": 11, "commit_id": "48305e8ffe5246d67570b64096a96f8e315a7281", "message": "Fix tf.raw_ops.GetSessionTensor vulnerability with invalid handle.\n\nCheck that input is actually a scalar before treating it as such.\n\nPiperOrigin-RevId: 445218701", "target": 1, "dataset": "other", "idx": 198363 }, { "func": " void Compute(OpKernelContext* context) override {\n OpInputList 
ragged_values_list;\n OpInputList ragged_splits_list;\n OpInputList sparse_indices_list;\n OpInputList sparse_values_list;\n OpInputList sparse_shape_list;\n OpInputList dense_list;\n OP_REQUIRES_OK(context,\n context->input_list(\"ragged_values\", &ragged_values_list));\n OP_REQUIRES_OK(\n context, context->input_list(\"ragged_row_splits\", &ragged_splits_list));\n OP_REQUIRES_OK(context,\n context->input_list(\"sparse_indices\", &sparse_indices_list));\n OP_REQUIRES_OK(context,\n context->input_list(\"sparse_values\", &sparse_values_list));\n OP_REQUIRES_OK(context,\n context->input_list(\"sparse_shape\", &sparse_shape_list));\n OP_REQUIRES_OK(context, context->input_list(\"dense_inputs\", &dense_list));\n OP_REQUIRES_OK(context,\n ValidateInput(ragged_values_list, ragged_splits_list,\n sparse_indices_list, sparse_values_list,\n sparse_shape_list, dense_list));\n\n int64 batch_size =\n CalculateBatchSize(ragged_splits_list, sparse_shape_list, dense_list);\n\n FeatureReaders features;\n OP_REQUIRES_OK(context,\n BuildFeatureReaders(ragged_values_list, ragged_splits_list,\n sparse_indices_list, sparse_values_list,\n dense_list, batch_size, &features));\n\n Tensor* values_out;\n Tensor* row_splits_out;\n OP_REQUIRES_OK(context, BuildOutputTensors(features, batch_size, context,\n &values_out, &row_splits_out));\n\n std::unique_ptr output_writer = MakeOutputWriter(\n features, num_buckets_, hash_key_, row_splits_out, values_out);\n\n auto do_work = [&output_writer](int64 begin, int64 end) {\n output_writer->WriteOutputSlice(begin, end);\n };\n\n // TODO(edloper): optimize cost_per_batch\n const int cost_per_batch = 5000 * ragged_values_list.size();\n auto thread_pool =\n context->device()->tensorflow_cpu_worker_threads()->workers;\n thread_pool->ParallelFor(batch_size, cost_per_batch, do_work);\n }", "project": "tensorflow", "hash": 306122951706858250296792720562443241033, "size": 50, "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a", "message": "Fix out of 
bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9", "target": 0, "dataset": "other", "idx": 230065 }, { "func": " void Compute(OpKernelContext* ctx) override {\n const Tensor& in0 = ctx->input(0);\n const Tensor& in1 = ctx->input(1);\n\n ValidateInputTensors(ctx, in0, in1);\n if (!ctx->status().ok()) return;\n\n MatMulBCast bcast(in0.shape().dim_sizes(), in1.shape().dim_sizes());\n OP_REQUIRES(\n ctx, bcast.IsValid(),\n errors::InvalidArgument(\n \"In[0] and In[1] must have compatible batch dimensions: \",\n in0.shape().DebugString(), \" vs. \", in1.shape().DebugString()));\n\n TensorShape out_shape = bcast.output_batch_shape();\n auto batch_size = bcast.output_batch_size();\n auto d0 = in0.dim_size(in0.dims() - 2); // Band size.\n auto d1 = in0.dim_size(in0.dims() - 1);\n Tensor in0_reshaped;\n OP_REQUIRES(\n ctx,\n in0_reshaped.CopyFrom(in0, TensorShape({bcast.x_batch_size(), d0, d1})),\n errors::Internal(\"Failed to reshape In[0] from \",\n in0.shape().DebugString()));\n auto d2 = in1.dim_size(in1.dims() - 2);\n auto d3 = in1.dim_size(in1.dims() - 1);\n Tensor in1_reshaped;\n OP_REQUIRES(\n ctx,\n in1_reshaped.CopyFrom(in1, TensorShape({bcast.y_batch_size(), d2, d3})),\n errors::Internal(\"Failed to reshape In[1] from \",\n in1.shape().DebugString()));\n OP_REQUIRES(ctx, d1 == d2,\n errors::InvalidArgument(\n \"In[0] mismatch In[1] shape: \", d1, \" vs. 
\", d2, \": \",\n in0.shape().DebugString(), \" \", in1.shape().DebugString(),\n \" \", lower_, \" \", adjoint_));\n out_shape.AddDim(d1);\n out_shape.AddDim(d3);\n Tensor* out = nullptr;\n OP_REQUIRES_OK(ctx, ctx->allocate_output(0, out_shape, &out));\n if (out->NumElements() == 0) {\n return;\n }\n Tensor out_reshaped;\n OP_REQUIRES(ctx,\n out_reshaped.CopyFrom(*out, TensorShape({batch_size, d1, d3})),\n errors::Internal(\"Failed to reshape output from \",\n out->shape().DebugString()));\n LaunchBatchBandedTriangularSolve::Launch(\n ctx, in0_reshaped, in1_reshaped, adjoint_, lower_, bcast,\n &out_reshaped);\n }", "project": "tensorflow", "hash": 126900769494079489680653992675879726552, "size": 53, "commit_id": "0ab290774f91a23bebe30a358fde4e53ab4876a0", "message": "Ensure validation sticks in banded_triangular_solve_op\n\nPiperOrigin-RevId: 373275480\nChange-Id: Id7717cf275b2d6fdb9441fbbe166d555182d2e79", "target": 0, "dataset": "other", "idx": 232648 }, { "func": " void Compute(OpKernelContext* context) override {\n SparseFillEmptyRowsOpImpl(context);\n }", "project": "tensorflow", "hash": 61113189019726310392901134364789889336, "size": 3, "commit_id": "faa76f39014ed3b5e2c158593b1335522e573c7f", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseFillEmptyRows`.\n\nPiperOrigin-RevId: 372009178\nChange-Id: Ia1a9e9691ecaa072f32fb39a0887b2aabd399210", "target": 0, "dataset": "other", "idx": 238032 }, { "func": " void Compute(OpKernelContext* context) override {\n const Tensor* reverse_index_map_t;\n const Tensor* grad_values_t;\n OP_REQUIRES_OK(context,\n context->input(\"reverse_index_map\", &reverse_index_map_t));\n OP_REQUIRES_OK(context, context->input(\"grad_values\", &grad_values_t));\n\n OP_REQUIRES(\n context, TensorShapeUtils::IsVector(reverse_index_map_t->shape()),\n errors::InvalidArgument(\"reverse_index_map must be a vector, saw: \",\n reverse_index_map_t->shape().DebugString()));\n OP_REQUIRES(context, 
TensorShapeUtils::IsVector(grad_values_t->shape()),\n errors::InvalidArgument(\"grad_values must be a vector, saw: \",\n grad_values_t->shape().DebugString()));\n\n const auto reverse_index_map = reverse_index_map_t->vec();\n const auto grad_values = grad_values_t->vec();\n\n const Tindex N = reverse_index_map_t->shape().dim_size(0);\n\n Tensor* d_values_t;\n OP_REQUIRES_OK(context, context->allocate_output(\n \"d_values\", TensorShape({N}), &d_values_t));\n auto d_values = d_values_t->vec();\n Tensor* d_default_value_t;\n OP_REQUIRES_OK(context,\n context->allocate_output(\"d_default_value\", TensorShape({}),\n &d_default_value_t));\n auto d_default_value = d_default_value_t->scalar();\n\n OP_REQUIRES_OK(context,\n functor::SparseFillEmptyRowsGrad()(\n context, reverse_index_map, grad_values, d_values,\n d_default_value));\n }", "project": "tensorflow", "hash": 334434992890131969871821470933489689837, "size": 35, "commit_id": "faa76f39014ed3b5e2c158593b1335522e573c7f", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseFillEmptyRows`.\n\nPiperOrigin-RevId: 372009178\nChange-Id: Ia1a9e9691ecaa072f32fb39a0887b2aabd399210", "target": 0, "dataset": "other", "idx": 238034 }, { "func": " void Compute(OpKernelContext* context) override {\n const Tensor& input_sizes = context->input(0);\n const Tensor& filter = context->input(1);\n const Tensor& out_backprop = context->input(2);\n\n TensorShape input_shape;\n OP_REQUIRES_OK(context,\n Conv2DBackpropComputeInputShape(input_sizes, filter.shape(),\n out_backprop.shape(),\n data_format_, &input_shape));\n\n Tensor* in_backprop = nullptr;\n OP_REQUIRES_OK(context,\n context->allocate_output(0, input_shape, &in_backprop));\n\n // If there is nothing to compute, return.\n if (input_shape.num_elements() == 0) {\n return;\n }\n\n // For now we take the stride from the second and third dimensions only (we\n // do not support striding on the batch or depth dimension).\n const int stride_rows = GetTensorDim(strides_, 
data_format_, 'H');\n const int stride_cols = GetTensorDim(strides_, data_format_, 'W');\n const int dilation_rows = GetTensorDim(dilations_, data_format_, 'H');\n const int dilation_cols = GetTensorDim(dilations_, data_format_, 'W');\n\n VLOG(2) << \"Conv2DBackpropInput:\"\n << \" input: \" << input_shape.DebugString()\n << \" filter:\" << filter.shape().DebugString()\n << \" out_backprop: \" << out_backprop.shape().DebugString()\n << \" strides: [\" << stride_rows << \", \" << stride_cols << \"]\"\n << \" dilations: [\" << dilation_rows << \", \" << dilation_cols << \"]\";\n\n LaunchConv2DBackpropInputOp launch;\n launch(context, use_cudnn_, cudnn_use_autotune_, out_backprop, filter,\n dilation_rows, dilation_cols, stride_rows, stride_cols, padding_,\n explicit_paddings_, in_backprop, data_format_);\n }", "project": "tensorflow", "hash": 208516028975173644423190655285040158254, "size": 39, "commit_id": "2be2cdf3a123e231b16f766aa0e27d56b4606535", "message": "Prevent yet another division by zero\n\nPiperOrigin-RevId: 369343977\nChange-Id: I1a60da4cf512e60fd91e069c16e026544632fe7f", "target": 0, "dataset": "other", "idx": 241533 }, { "func": " void Compute(OpKernelContext* context) override {\n const auto& in_min_tensor = context->input(2);\n OP_REQUIRES(context, TensorShapeUtils::IsScalar(in_min_tensor.shape()),\n errors::InvalidArgument(\"min must be a scalar\"));\n const float in_min = in_min_tensor.flat()(0);\n const auto& in_max_tensor = context->input(3);\n OP_REQUIRES(context, TensorShapeUtils::IsScalar(in_max_tensor.shape()),\n errors::InvalidArgument(\"max must be a scalar\"));\n const float in_max = in_max_tensor.flat()(0);\n\n ImageResizerState st(align_corners_, false);\n st.ValidateAndCreateOutput(context);\n\n if (!context->status().ok()) return;\n\n // Return if the output is empty.\n if (st.output->NumElements() == 0) return;\n\n typename TTypes::ConstTensor image_data(\n context->input(0).tensor());\n typename TTypes::Tensor 
output_data(st.output->tensor());\n\n ResizeBilinear(image_data, st.height_scale, st.width_scale, in_min,\n in_max, half_pixel_centers_, &output_data);\n Tensor* out_min = nullptr;\n OP_REQUIRES_OK(context, context->allocate_output(1, {}, &out_min));\n out_min->flat()(0) = in_min;\n\n Tensor* out_max = nullptr;\n OP_REQUIRES_OK(context, context->allocate_output(2, {}, &out_max));\n out_max->flat()(0) = in_max;\n }", "project": "tensorflow", "hash": 230635596964007868338231930811957784418, "size": 32, "commit_id": "f6c40f0c6cbf00d46c7717a26419f2062f2f8694", "message": "Validate min and max arguments to `QuantizedResizeBilinear`.\n\nPiperOrigin-RevId: 369765091\nChange-Id: I33be8b78273ab7d08b97541692fe05cb7f94963a", "target": 0, "dataset": "other", "idx": 242186 }, { "func": " void Compute(OpKernelContext* context) override {\n const auto& input = context->input(0);\n auto flat_in = input.flat();\n\n int fixed_length;\n const auto& length_input = context->input(1);\n OP_REQUIRES(context, TensorShapeUtils::IsScalar(length_input.shape()),\n errors::InvalidArgument(\"k must be scalar, got shape \",\n length_input.shape().DebugString()));\n fixed_length = length_input.scalar()();\n\n OP_REQUIRES(\n context, fixed_length % sizeof(T) == 0,\n errors::InvalidArgument(\n \"fixed_length (\", fixed_length,\n \") must be a multiple of the size of out_type (\", sizeof(T), \")\"));\n\n OP_REQUIRES(context, fixed_length > 0,\n errors::InvalidArgument(\"fixed_length (\", fixed_length,\n \") must be greater than zero.\"));\n\n int width = fixed_length / sizeof(T);\n\n TensorShape out_shape = input.shape();\n out_shape.AddDim(width);\n Tensor* output_tensor = nullptr;\n OP_REQUIRES_OK(\n context, context->allocate_output(\"output\", out_shape, &output_tensor));\n\n if (flat_in.size() == 0) { // Empty input\n return;\n }\n\n auto out = output_tensor->flat_inner_dims();\n T* out_data = out.data();\n\n // Forcibly clear memory - we're going to copy variable length strings in,\n // and 
need to ensure that if we don't write to byte N when we copy, that\n // we're not getting random data.\n memset(out_data, 0, fixed_length * flat_in.size());\n\n // If the data is already in the host's byte order, or if the width of the\n // output type is a single byte (meaning the ordering doesn't matter), we\n // can copy the memory directly.\n if (!convert_data_endianness_ || sizeof(T) == 1) {\n for (int64 i = 0; i < flat_in.size(); ++i) {\n const auto to_copy =\n std::min(flat_in(i).size(), static_cast(fixed_length));\n memcpy(out_data, flat_in(i).data(), to_copy);\n // Note: increase out_data by width since it's already of type T* so\n // each shift amount is implicitly multiplied by sizeof(T) according to\n // pointer arithmetic rules.\n out_data += width;\n }\n } else {\n // Otherwise, the data is not in the host's byte order, and rather than a\n // direct copy, we need to reverse the byte ordering of each element.\n for (int64 i = 0; i < flat_in.size(); ++i) {\n const char* in_data_bytes =\n reinterpret_cast(flat_in(i).data());\n char* out_data_bytes = reinterpret_cast(out_data);\n const char* p_in = in_data_bytes;\n char* p_out = out_data_bytes;\n for (; p_in < in_data_bytes + fixed_length;\n p_in += sizeof(T), p_out += sizeof(T)) {\n std::reverse_copy(p_in, p_in + sizeof(T), p_out);\n }\n // Note: increase out_data by width since it's already of type T* so\n // each shift amount is implicitly multiplied by sizeof(T) according to\n // pointer arithmetic rules.\n out_data += width;\n }\n }\n }", "project": "tensorflow", "hash": 126932864429790550515712824205640725368, "size": 74, "commit_id": "698e01511f62a3c185754db78ebce0eee1f0184d", "message": "Fix `tf.io.decode_raw` bugs and update documentation.\n\nFixes cases where specifying `fixed_length` resulted in data loss and even segfault and corruption of the Python interpreter. 
The fix is subtle but needed due to pointer arithmetic rules.\n\nMakes sure that `fixed_length` does not change the output when present but not needed.\n\nEliminates needless copy and cast in the main codepath.\n\nPiperOrigin-RevId: 371322725\nChange-Id: I514ef67a2961c86422f69d05122d31615e87896c", "target": 0, "dataset": "other", "idx": 243619 }, { "func": " void Compute(OpKernelContext* ctx) override {\n const Tensor& indices_tensor = ctx->input(0);\n OP_REQUIRES(ctx,\n TensorShapeUtils::IsVector(indices_tensor.shape()) ||\n TensorShapeUtils::IsScalar(indices_tensor.shape()),\n errors::InvalidArgument(\n \"The indices can only be scalar or vector, got \\\"\",\n indices_tensor.shape().DebugString(), \"\\\"\"));\n\n const Tensor& dims_tensor = ctx->input(1);\n OP_REQUIRES(\n ctx, TensorShapeUtils::IsVector(dims_tensor.shape()),\n errors::InvalidArgument(\"The indices can only be 1-D, got \\\"\",\n dims_tensor.shape().DebugString(), \"\\\"\"));\n\n auto dims = dims_tensor.vec();\n // Make sure dims does not contain a zero\n for (int i = 0; i < dims.size(); i++) {\n OP_REQUIRES(\n ctx, dims(i) != 0,\n errors::InvalidArgument(\"Input dims cannot contain a dim of zero, \"\n \"but dims contains zero at index \",\n i));\n }\n\n // Chek to make sure indices is not out of boundary\n Eigen::Tensor dims_prod_eigen = dims.prod();\n Tidx dims_prod = dims_prod_eigen();\n const Tidx* indices = indices_tensor.flat().data();\n int64 size = indices_tensor.NumElements();\n bool check = std::all_of(indices, indices + size,\n [&](Tidx index) { return index < dims_prod; });\n OP_REQUIRES(ctx, check,\n errors::InvalidArgument(\"index is out of bound as with dims\"));\n\n Eigen::array reverse({true});\n\n Tensor strides_tensor;\n OP_REQUIRES_OK(ctx,\n ctx->allocate_temp(DataTypeToEnum::value,\n TensorShape({dims_tensor.NumElements()}),\n &strides_tensor));\n\n auto strides = strides_tensor.vec();\n strides = dims.reverse(reverse)\n .scan(0, Eigen::internal::ProdReducer(), false)\n 
.reverse(reverse);\n\n Tensor strides_shifted_tensor;\n OP_REQUIRES_OK(ctx,\n ctx->allocate_temp(DataTypeToEnum::value,\n TensorShape({dims_tensor.NumElements()}),\n &strides_shifted_tensor));\n\n auto strides_shifted = strides_shifted_tensor.vec();\n strides_shifted = dims.reverse(reverse)\n .scan(0, Eigen::internal::ProdReducer(), true)\n .reverse(reverse);\n\n Tensor* output_tensor = nullptr;\n if (TensorShapeUtils::IsScalar(indices_tensor.shape())) {\n OP_REQUIRES_OK(\n ctx, ctx->allocate_output(0, TensorShape({dims_tensor.NumElements()}),\n &output_tensor));\n\n auto output = output_tensor->vec();\n\n output = output.constant(indices_tensor.scalar()());\n output = output.binaryExpr(strides, mod_op()) / strides_shifted;\n } else {\n OP_REQUIRES_OK(\n ctx, ctx->allocate_output(0,\n TensorShape({dims_tensor.NumElements(),\n indices_tensor.NumElements()}),\n &output_tensor));\n\n auto output = output_tensor->matrix();\n\n Eigen::array reshape{\n {static_cast(dims_tensor.NumElements()), 1}};\n Eigen::array bcast(\n {1, static_cast(indices_tensor.NumElements())});\n Eigen::array indices_reshape{\n {1, static_cast(indices_tensor.NumElements())}};\n Eigen::array indices_bcast(\n {static_cast(dims_tensor.NumElements()), 1});\n\n output = indices_tensor.vec()\n .reshape(indices_reshape)\n .broadcast(indices_bcast);\n output = output.binaryExpr(strides.reshape(reshape).broadcast(bcast),\n mod_op()) /\n strides_shifted.reshape(reshape).broadcast(bcast);\n }\n }", "project": "tensorflow", "hash": 190979480133558515936234630943195362228, "size": 95, "commit_id": "a776040a5e7ebf76eeb7eb923bf1ae417dd4d233", "message": "Disallow dims input of 0 in tf.raw_ops.UnravelIndex\n\nPiperOrigin-RevId: 384284198\nChange-Id: Ia1804ef1aec57b4d857ea507e6891bcccde18e9b", "target": 0, "dataset": "other", "idx": 243980 }, { "func": " void Compute(OpKernelContext* ctx) override {\n const Tensor& input = ctx->input(0);\n\n Tensor* output = nullptr;\n OP_REQUIRES_OK(ctx, ctx->allocate_output(0, 
input.shape(), &output));\n\n // One global scale.\n Tensor input_min_tensor(DataTypeToEnum::value, TensorShape());\n Tensor input_max_tensor(DataTypeToEnum::value, TensorShape());\n // Initialize the tensors with the values in the Attrs.\n input_min_tensor.template scalar()() = static_cast(input_min_);\n input_max_tensor.template scalar()() = static_cast(input_max_);\n\n functor::QuantizeAndDequantizeOneScaleFunctor functor;\n functor(ctx->eigen_device(), input.flat(), signed_input_,\n num_bits_, range_given_, &input_min_tensor, &input_max_tensor,\n ROUND_HALF_TO_EVEN, /*narrow_range=*/false, output->flat());\n }", "project": "tensorflow", "hash": 34025787901370453152773493086761626349, "size": 18, "commit_id": "eccb7ec454e6617738554a255d77f08e60ee0808", "message": "Prevent segfault in `quantize_and_dequantize`\n\nFixes #42105.\n\nIf `tf.quantization.quantize_and_dequantize` is called with `axis` argument pointing to outside of the input tensor, we obtain a `CHECK` fail which then aborts the application/interpreter. 
This change adds a condition check and returns a `Status` instead of crashing.\n\nPiperOrigin-RevId: 337972243\nChange-Id: I71ec32c00a87266e364fb017f0ad5dfd3e23542f", "target": 0, "dataset": "other", "idx": 245427 }, { "func": " void Compute(OpKernelContext* context) override {\n const Tensor& tensor_in = context->input(0);\n const Tensor& tensor_out = context->input(1);\n const Tensor& out_backprop = context->input(2);\n\n // For maxpooling, tensor_in should have 4 dimensions.\n OP_REQUIRES(context, tensor_in.dims() == 4,\n errors::InvalidArgument(\"tensor_in must be 4-dimensional\"));\n OP_REQUIRES(context, tensor_out.dims() == 4,\n errors::InvalidArgument(\"tensor_out must be 4-dimensional\"));\n // For maxpooling, out_backprop should have 4 dimensions.\n OP_REQUIRES(context, out_backprop.dims() == 4,\n errors::InvalidArgument(\"out_backprop must be 4-dimensional\"));\n\n const TensorShape& output_shape = tensor_in.shape();\n\n Tensor tensor_out_dup;\n OP_REQUIRES_OK(context, context->forward_input_or_allocate_temp(\n {1}, DataTypeToEnum::v(), tensor_out.shape(),\n &tensor_out_dup));\n Tensor tensor_out_arg_max;\n OP_REQUIRES_OK(context, context->allocate_temp(DataTypeToEnum::v(),\n tensor_out.shape(),\n &tensor_out_arg_max));\n std::vector ksize = ksize_;\n std::vector stride = stride_;\n if (context->num_inputs() == 5) {\n const Tensor& tensor_ksize = context->input(3);\n auto value_ksize = tensor_ksize.flat();\n ksize.resize(tensor_ksize.shape().num_elements());\n std::copy_n(&value_ksize(0), ksize.size(), ksize.begin());\n\n const Tensor& tensor_stride = context->input(4);\n auto value_stride = tensor_stride.flat();\n stride.resize(tensor_stride.shape().num_elements());\n std::copy_n(&value_stride(0), stride.size(), stride.begin());\n }\n\n OP_REQUIRES(context, ksize.size() == 4,\n errors::InvalidArgument(\"Sliding window ksize field must \"\n \"specify 4 dimensions\"));\n OP_REQUIRES(context, stride.size() == 4,\n errors::InvalidArgument(\"Sliding window 
strides field must \"\n \"specify 4 dimensions\"));\n OP_REQUIRES(context, ksize[0] == 1 && stride[0] == 1,\n errors::Unimplemented(\n \"Pooling is not yet supported on the batch dimension.\"));\n OP_REQUIRES(\n context, ksize[3] == 1 && stride[3] == 1,\n errors::Unimplemented(\n \"MaxPoolingGrad is not yet supported on the depth dimension.\"));\n\n PoolParameters params{context,\n ksize,\n stride,\n padding_,\n explicit_paddings_,\n FORMAT_NHWC,\n tensor_in.shape()};\n if (!context->status().ok()) {\n return;\n }\n\n Tensor* output = nullptr;\n OP_REQUIRES_OK(context, context->forward_input_or_allocate_output(\n {0}, 0, output_shape, &output));\n\n SpatialMaxPoolWithArgMaxHelper(\n context, &tensor_out_dup, &tensor_out_arg_max, output, tensor_in,\n out_backprop, params, true);\n }", "project": "tensorflow", "hash": 1259697087984322030755290114637808058, "size": 71, "commit_id": "dcd7867de0fea4b72a2b34bd41eb74548dc23886", "message": "Fix heap buffer overflow\n\nPiperOrigin-RevId: 372132844\nChange-Id: Idef9895efaf145f2b1c23d31983601ec980cd5e4", "target": 0, "dataset": "other", "idx": 245441 }, { "func": " void Compute(OpKernelContext* context) override {\n const Tensor& tensor_in = context->input(0);\n const Tensor& tensor_out = context->input(1);\n const Tensor& out_grad_backprop = context->input(2);\n\n // For maxpooling, tensor_in should have 4 dimensions.\n OP_REQUIRES(context, tensor_in.dims() == 4,\n errors::InvalidArgument(\"tensor_in must be 4-dimensional 4\"));\n OP_REQUIRES(context, tensor_out.dims() == 4,\n errors::InvalidArgument(\"tensor_out must be 4-dimensional\"));\n // For maxpooling, out_grad_backprop should have 4 dimensions.\n OP_REQUIRES(\n context, out_grad_backprop.dims() == 4,\n errors::InvalidArgument(\"out_grad_backprop must be 4-dimensional\"));\n\n Tensor* output = nullptr;\n OP_REQUIRES_OK(context,\n context->allocate_output(0, tensor_out.shape(), &output));\n\n std::vector ksize = ksize_;\n std::vector stride = stride_;\n if 
(context->num_inputs() == 5) {\n const Tensor& tensor_ksize = context->input(3);\n auto value_ksize = tensor_ksize.flat();\n ksize.resize(tensor_ksize.shape().num_elements());\n std::copy_n(&value_ksize(0), ksize.size(), ksize.begin());\n\n const Tensor& tensor_stride = context->input(4);\n auto value_stride = tensor_stride.flat();\n stride.resize(tensor_stride.shape().num_elements());\n std::copy_n(&value_stride(0), stride.size(), stride.begin());\n }\n\n OP_REQUIRES(context, ksize.size() == 4,\n errors::InvalidArgument(\"Sliding window ksize field must \"\n \"specify 4 dimensions\"));\n OP_REQUIRES(context, stride.size() == 4,\n errors::InvalidArgument(\"Sliding window strides field must \"\n \"specify 4 dimensions\"));\n const int32 ksize_n = GetTensorDim(ksize, data_format_, 'N');\n const int32 stride_n = GetTensorDim(stride, data_format_, 'N');\n OP_REQUIRES(context, ksize_n == 1 && stride_n == 1,\n errors::Unimplemented(\n \"Pooling is not yet supported on the batch dimension.\"));\n\n PoolParameters params{context,\n ksize,\n stride,\n padding_,\n /*explicit_paddings=*/{},\n data_format_,\n tensor_in.shape()};\n\n functor::MaxPoolGradBackwardNoMask()(\n data_format_, tensor_in.flat().data(), tensor_out.flat().data(),\n params.tensor_in_batch, params.out_height, params.out_width,\n params.depth, params.tensor_in_rows, params.tensor_in_cols,\n params.window_rows, params.window_cols, params.row_stride,\n params.col_stride, params.pad_top, params.pad_left,\n out_grad_backprop.flat().data(), output->flat().data(),\n context->eigen_device());\n }", "project": "tensorflow", "hash": 276921285693291560843607117891880092399, "size": 62, "commit_id": "dcd7867de0fea4b72a2b34bd41eb74548dc23886", "message": "Fix heap buffer overflow\n\nPiperOrigin-RevId: 372132844\nChange-Id: Idef9895efaf145f2b1c23d31983601ec980cd5e4", "target": 0, "dataset": "other", "idx": 245446 }, { "func": "void CompressElementOp::Compute(OpKernelContext* ctx) {\n std::vector components;\n for 
(size_t i = 0; i < ctx->num_inputs(); ++i) {\n components.push_back(ctx->input(i));\n }\n CompressedElement compressed;\n OP_REQUIRES_OK(ctx, CompressElement(components, &compressed));\n\n Tensor* output;\n OP_REQUIRES_OK(ctx, ctx->allocate_output(0, TensorShape({}), &output));\n output->scalar()() = std::move(compressed);\n}", "project": "tensorflow", "hash": 266998914184654062428687573824344068131, "size": 12, "commit_id": "7bdf50bb4f5c54a4997c379092888546c97c3ebd", "message": "Ensure non-empty compressed input in tf.raw_ops.UncompressElement\n\nPiperOrigin-RevId: 383955815\nChange-Id: I072a84fd02738dd2f51b3f42836ed80067dba4a8", "target": 0, "dataset": "other", "idx": 245639 }, { "func": "void UncompressElementOp::Compute(OpKernelContext* ctx) {\n Tensor tensor = ctx->input(0);\n const Variant& variant = tensor.scalar()();\n const CompressedElement* compressed = variant.get();\n OP_REQUIRES(\n ctx, compressed != nullptr,\n errors::InvalidArgument(\n \"Input does not contain a compressed element. 
Instead got tensor \",\n tensor.DebugString()));\n\n std::vector components;\n OP_REQUIRES_OK(ctx, UncompressElement(*compressed, &components));\n OP_REQUIRES(ctx, components.size() == output_types_.size(),\n errors::FailedPrecondition(\"Expected \", output_types_.size(),\n \" outputs from uncompress, but got \",\n components.size()));\n for (int i = 0; i < components.size(); ++i) {\n OP_REQUIRES(\n ctx, components[i].dtype() == output_types_[i],\n errors::FailedPrecondition(\"Expected a tensor of type \",\n DataTypeString(output_types_[i]),\n \" but got a tensor of type \",\n DataTypeString(components[i].dtype())));\n ctx->set_output(i, components[i]);\n }\n}", "project": "tensorflow", "hash": 63230142722208908504743697445986676990, "size": 26, "commit_id": "7bdf50bb4f5c54a4997c379092888546c97c3ebd", "message": "Ensure non-empty compressed input in tf.raw_ops.UncompressElement\n\nPiperOrigin-RevId: 383955815\nChange-Id: I072a84fd02738dd2f51b3f42836ed80067dba4a8", "target": 0, "dataset": "other", "idx": 245642 }, { "func": " void Compute(OpKernelContext* ctx) override {\n const Tensor& input = ctx->input(0);\n OP_REQUIRES(ctx, ctx->input(1).NumElements() > 0,\n errors::InvalidArgument(\"Input min must not be empty.\"));\n OP_REQUIRES(ctx, ctx->input(2).NumElements() > 0,\n errors::InvalidArgument(\"Input max must not be empty.\"));\n const float input_min_float = ctx->input(1).flat()(0);\n const float input_max_float = ctx->input(2).flat()(0);\n Tensor* output_min = nullptr;\n OP_REQUIRES_OK(ctx, ctx->allocate_output(0, TensorShape({}), &output_min));\n Tensor* output_max = nullptr;\n OP_REQUIRES_OK(ctx, ctx->allocate_output(1, TensorShape({}), &output_max));\n\n qint32 used_min_quantized;\n qint32 used_max_quantized;\n CalculateUsedRange(input, &used_min_quantized, &used_max_quantized);\n\n // We want to make sure that the minimum is no larger than zero, so that the\n // convolution operation can run efficiently.\n const float used_min_float = std::min(\n 0.0f,\n 
QuantizedToFloat(used_min_quantized, input_min_float, input_max_float));\n const float used_max_float =\n QuantizedToFloat(used_max_quantized, input_min_float, input_max_float);\n\n output_min->flat().setConstant(used_min_float);\n output_max->flat().setConstant(used_max_float);\n }", "project": "tensorflow", "hash": 249104404907249387447027842196733553165, "size": 28, "commit_id": "ef0c008ee84bad91ec6725ddc42091e19a30cf0e", "message": "Fix out of bound read in requantization_range_op.cc\n\nPiperOrigin-RevId: 372129031\nChange-Id: Ie684ab98a3840c5186ead3eafffc0e0ed0e8030d", "target": 0, "dataset": "other", "idx": 261456 }, { "func": " void Compute(OpKernelContext* ctx) override {\n const Tensor& shape = ctx->input(0);\n const Tensor& minval = ctx->input(1);\n const Tensor& maxval = ctx->input(2);\n OP_REQUIRES(ctx, TensorShapeUtils::IsScalar(minval.shape()),\n errors::InvalidArgument(\"minval must be 0-D, got shape \",\n minval.shape().DebugString()));\n OP_REQUIRES(ctx, TensorShapeUtils::IsScalar(maxval.shape()),\n errors::InvalidArgument(\"maxval must be 0-D, got shape \",\n maxval.shape().DebugString()));\n\n // Allocate output, and exit early if possible\n Tensor* output;\n OP_REQUIRES_OK(ctx, AllocateOutputWithShape(ctx, shape, 0, &output));\n if (output->NumElements() == 0) return;\n\n // Verify that minval < maxval. This check intentionally happens after the\n // early exit for empty output. 
Zero impossible things are fine.\n IntType lo = minval.scalar()();\n IntType hi = maxval.scalar()();\n OP_REQUIRES(\n ctx, lo < hi,\n errors::InvalidArgument(\"Need minval < maxval, got \", lo, \" >= \", hi));\n\n // Build distribution\n typedef random::UniformDistribution\n Distribution;\n Distribution dist(lo, hi);\n\n auto output_flat = output->flat();\n functor::FillPhiloxRandom()(\n ctx, ctx->eigen_device(), /*key=*/nullptr, /*counter=*/nullptr,\n // Multiplier 256 is the same as in FillPhiloxRandomTask; do not change\n // it just here.\n generator_.ReserveRandomOutputs(output_flat.size(), 256),\n output_flat.data(), output_flat.size(), dist);\n }", "project": "tensorflow", "hash": 103209914401159723002855671760349932672, "size": 37, "commit_id": "27b417360cbd671ef55915e4bb6bb06af8b8a832", "message": "Prevent `int64` to `int` truncation in `Shard` API usage.\n\nThe function argument in `Shard` must be a function of two `int64` arguments. However, we are passing in a function with two `int` arguments. 
Thus, for large workloads, these arguments get truncated from positive `int64` values to negative `int` ones, resulting in a buffer out of bounds write.\n\nPiperOrigin-RevId: 332557334\nChange-Id: I236c9a2e7f53580e520571da8ba941a3aa9fa0b5", "target": 0, "dataset": "other", "idx": 262652 }, { "func": " void Compute(OpKernelContext* ctx) override {\n const Tensor& shape = ctx->input(0);\n Tensor* output;\n OP_REQUIRES_OK(ctx, AllocateOutputWithShape(ctx, shape, 0, &output));\n auto output_flat = output->flat();\n functor::FillPhiloxRandom()(\n ctx, ctx->eigen_device(), /*key=*/nullptr, /*counter=*/nullptr,\n // Multiplier 256 is the same as in FillPhiloxRandomTask; do not change\n // it just here.\n generator_.ReserveRandomOutputs(output_flat.size(), 256),\n output_flat.data(), output_flat.size(), Distribution());\n }", "project": "tensorflow", "hash": 51978480194539791534696528426089801800, "size": 12, "commit_id": "27b417360cbd671ef55915e4bb6bb06af8b8a832", "message": "Prevent `int64` to `int` truncation in `Shard` API usage.\n\nThe function argument in `Shard` must be a function of two `int64` arguments. However, we are passing in a function with two `int` arguments. 
Thus, for large workloads, these arguments get truncated from positive `int64` values to negative `int` ones, resulting in a buffer out of bounds write.\n\nPiperOrigin-RevId: 332557334\nChange-Id: I236c9a2e7f53580e520571da8ba941a3aa9fa0b5", "target": 0, "dataset": "other", "idx": 262655 }, { "func": " void Compute(OpKernelContext* context) override {\n const Tensor& input = context->input(0);\n const auto& input_min_tensor = context->input(1);\n OP_REQUIRES(context, input_min_tensor.NumElements() == 1,\n errors::InvalidArgument(\"input_min must have 1 element\"));\n const float input_min = input_min_tensor.flat()(0);\n const auto& input_max_tensor = context->input(2);\n OP_REQUIRES(context, input_max_tensor.NumElements() == 1,\n errors::InvalidArgument(\"input_max must have 1 element\"));\n const float input_max = input_max_tensor.flat()(0);\n const Tensor& mean = context->input(3);\n const auto& mean_min_tensor = context->input(4);\n OP_REQUIRES(context, mean_min_tensor.NumElements() == 1,\n errors::InvalidArgument(\"mean_min must have 1 element\"));\n const float mean_min = mean_min_tensor.flat()(0);\n const auto& mean_max_tensor = context->input(5);\n OP_REQUIRES(context, mean_max_tensor.NumElements() == 1,\n errors::InvalidArgument(\"mean_max must have 1 element\"));\n const float mean_max = mean_max_tensor.flat()(0);\n const Tensor& var = context->input(6);\n const auto& var_min_tensor = context->input(7);\n OP_REQUIRES(context, var_min_tensor.NumElements() == 1,\n errors::InvalidArgument(\"var_min must have 1 element\"));\n const float var_min = var_min_tensor.flat()(0);\n const auto& var_max_tensor = context->input(8);\n OP_REQUIRES(context, var_max_tensor.NumElements() == 1,\n errors::InvalidArgument(\"var_max must have 1 element\"));\n const float var_max = var_max_tensor.flat()(0);\n const Tensor& beta = context->input(9);\n const auto& beta_min_tensor = context->input(10);\n OP_REQUIRES(context, beta_min_tensor.NumElements() == 1,\n 
errors::InvalidArgument(\"beta_min must have 1 element\"));\n const float beta_min = beta_min_tensor.flat()(0);\n const auto& beta_max_tensor = context->input(11);\n OP_REQUIRES(context, beta_max_tensor.NumElements() == 1,\n errors::InvalidArgument(\"beta_max must have 1 element\"));\n const float beta_max = beta_max_tensor.flat()(0);\n const Tensor& gamma = context->input(12);\n const auto& gamma_min_tensor = context->input(13);\n OP_REQUIRES(context, gamma_min_tensor.NumElements() == 1,\n errors::InvalidArgument(\"gamma_min must have 1 element\"));\n const float gamma_min = gamma_min_tensor.flat()(0);\n const auto& gamma_max_tensor = context->input(14);\n OP_REQUIRES(context, gamma_max_tensor.NumElements() == 1,\n errors::InvalidArgument(\"gamma_max must have 1 element\"));\n const float gamma_max = gamma_max_tensor.flat()(0);\n\n OP_REQUIRES(context, input.dims() == 4,\n errors::InvalidArgument(\"input must be 4-dimensional\",\n input.shape().DebugString()));\n OP_REQUIRES(context, mean.dims() == 1,\n errors::InvalidArgument(\"mean must be 1-dimensional\",\n mean.shape().DebugString()));\n OP_REQUIRES(context, var.dims() == 1,\n errors::InvalidArgument(\"var must be 1-dimensional\",\n var.shape().DebugString()));\n OP_REQUIRES(context, beta.dims() == 1,\n errors::InvalidArgument(\"beta must be 1-dimensional\",\n beta.shape().DebugString()));\n OP_REQUIRES(context, gamma.dims() == 1,\n errors::InvalidArgument(\"gamma must be 1-dimensional\",\n gamma.shape().DebugString()));\n OP_REQUIRES(context, mean.NumElements() > 1,\n errors::InvalidArgument(\"Must have at least a mean value\",\n gamma.shape().DebugString()));\n OP_REQUIRES(context, mean.NumElements() > 1,\n errors::InvalidArgument(\"Must have at least a mean value\"));\n const auto last_dim = input.shape().dims() - 1;\n OP_REQUIRES(context,\n mean.shape().dim_size(0) == input.shape().dim_size(last_dim),\n errors::InvalidArgument(\"Must provide as many means as the \"\n \"last dimension of the input tensor: 
\",\n mean.shape().DebugString(), \" vs. \",\n input.shape().DebugString()));\n OP_REQUIRES(\n context, mean.shape().dim_size(0) == var.shape().dim_size(0),\n errors::InvalidArgument(\n \"Mean and variance tensors must have the same shape: \",\n mean.shape().DebugString(), \" vs. \", var.shape().DebugString()));\n OP_REQUIRES(\n context, mean.shape().dim_size(0) == beta.shape().dim_size(0),\n errors::InvalidArgument(\n \"Mean and beta tensors must have the same shape: \",\n mean.shape().DebugString(), \" vs. \", beta.shape().DebugString()));\n OP_REQUIRES(\n context, mean.shape().dim_size(0) == gamma.shape().dim_size(0),\n errors::InvalidArgument(\n \"Mean and gamma tensors must have the same shape: \",\n mean.shape().DebugString(), \" vs. \", gamma.shape().DebugString()));\n\n Tensor* output = nullptr;\n OP_REQUIRES_OK(context,\n context->allocate_output(0, input.shape(), &output));\n float output_min;\n float output_max;\n FixedPointBatchNorm(input, input_min, input_max, mean, mean_min,\n mean_max, var, var_min, var_max, beta, beta_min,\n beta_max, gamma, gamma_min, gamma_max,\n variance_epsilon_, scale_after_normalization_,\n output, &output_min, &output_max);\n\n Tensor* output_min_tensor = nullptr;\n OP_REQUIRES_OK(context,\n context->allocate_output(1, {}, &output_min_tensor));\n output_min_tensor->flat()(0) = output_min;\n\n Tensor* output_max_tensor = nullptr;\n OP_REQUIRES_OK(context,\n context->allocate_output(2, {}, &output_max_tensor));\n output_max_tensor->flat()(0) = output_max;\n }", "project": "tensorflow", "hash": 115913159429277562366456709982634610677, "size": 111, "commit_id": "d6ed5bcfe1dcab9e85a4d39931bd18d99018e75b", "message": "Add missing validation in `QuantizedBatchNormWithGlobalNormalization`\n\nPiperOrigin-RevId: 370123451\nChange-Id: Id234d6dab1ec21230bb8e503dba30f899af87f33", "target": 0, "dataset": "other", "idx": 263524 }, { "func": " void Compute(OpKernelContext* ctx) override {\n // This call processes inputs 1 and 2 to write 
output 0.\n ReshapeOp::Compute(ctx);\n if (!ctx->status().ok()) {\n return;\n }\n\n const auto& input_min_float_tensor = ctx->input(2);\n const auto& input_min_float_shape = input_min_float_tensor.shape();\n OP_REQUIRES(ctx,\n TensorShapeUtils::IsScalar(input_min_float_shape) ||\n (TensorShapeUtils::IsVector(input_min_float_shape) &&\n (input_min_float_shape.dim_size(0) == 1)),\n errors::InvalidArgument(\n \"input_min must be a scalar or a vector of 1 element\"));\n const float input_min_float = input_min_float_tensor.flat()(0);\n const auto& input_max_float_tensor = ctx->input(3);\n const auto& input_max_float_shape = input_max_float_tensor.shape();\n OP_REQUIRES(ctx,\n TensorShapeUtils::IsScalar(input_max_float_shape) ||\n (TensorShapeUtils::IsVector(input_max_float_shape) &&\n (input_max_float_shape.dim_size(0) == 1)),\n errors::InvalidArgument(\n \"input_max must be a scalar or a vector of 1 element\"));\n const float input_max_float = input_max_float_tensor.flat()(0);\n\n Tensor* output_min = nullptr;\n OP_REQUIRES_OK(ctx, ctx->allocate_output(1, TensorShape({}), &output_min));\n output_min->flat()(0) = input_min_float;\n\n Tensor* output_max = nullptr;\n OP_REQUIRES_OK(ctx, ctx->allocate_output(2, TensorShape({}), &output_max));\n output_max->flat()(0) = input_max_float;\n }", "project": "tensorflow", "hash": 159137396648765332305552157383255155319, "size": 34, "commit_id": "a324ac84e573fba362a5e53d4e74d5de6729933e", "message": "Validate arguments to `QuantizedReshape`.\n\nEnsure that validations from `Reshape` also terminate `QuantizedReshape` on failure.\n\nPiperOrigin-RevId: 369775421\nChange-Id: If8c5342267aceea65b7cb83a4b183304886f1ce8", "target": 0, "dataset": "other", "idx": 269702 }, { "func": " static Status Compute(OpKernelContext* context,\n const typename TTypes::ConstTensor& in,\n const typename TTypes::ConstTensor& weights,\n typename TTypes::Tensor& out,\n const Tidx num_bins) {\n const int num_rows = out.dimension(0);\n const int num_cols = 
in.dimension(1);\n ThreadPool* thread_pool =\n context->device()->tensorflow_cpu_worker_threads()->workers;\n thread_pool->ParallelForWithWorkerId(\n num_rows, 8 /* cost */,\n [&](int64 start_row, int64 end_row, int64 worker_id) {\n for (int64 i = start_row; i < end_row; ++i) {\n for (int64 j = 0; j < num_cols; ++j) {\n Tidx value = in(i, j);\n if (value < num_bins) {\n if (binary_output) {\n out(i, value) = T(1);\n } else {\n if (weights.size()) {\n out(i, value) += weights(i, j);\n } else {\n out(i, value) += T(1);\n }\n }\n }\n }\n }\n });\n return Status::OK();\n }", "project": "tensorflow", "hash": 216228505448865660754366966261133939168, "size": 31, "commit_id": "eebb96c2830d48597d055d247c0e9aebaea94cd5", "message": "Fix an invalid address vulnerability in `tf.raw_ops.RaggedBincount`.\n\nPiperOrigin-RevId: 368293153\nChange-Id: I4b4e493d3fd05e7dc55a55de3a041a80a4f275c3", "target": 0, "dataset": "other", "idx": 270170 }, { "func": " void Compute(OpKernelContext* ctx) override {\n const Tensor& arr_t = ctx->input(0);\n const Tensor& size_tensor = ctx->input(1);\n OP_REQUIRES(ctx, size_tensor.dims() == 0,\n errors::InvalidArgument(\"Shape must be rank 0 but is rank \",\n size_tensor.dims()));\n int32 size = size_tensor.scalar()();\n OP_REQUIRES(\n ctx, size >= 0,\n errors::InvalidArgument(\"size (\", size, \") must be non-negative\"));\n\n const Tensor& weights_t = ctx->input(2);\n const auto arr = arr_t.flat();\n const auto weights = weights_t.flat();\n Tensor* output_t;\n OP_REQUIRES_OK(ctx,\n ctx->allocate_output(0, TensorShape({size}), &output_t));\n auto output = output_t->flat();\n OP_REQUIRES_OK(ctx,\n functor::BincountFunctor::Compute(\n ctx, arr, weights, output, size));\n }", "project": "tensorflow", "hash": 277810767022288028199225177991825722440, "size": 22, "commit_id": "eebb96c2830d48597d055d247c0e9aebaea94cd5", "message": "Fix an invalid address vulnerability in `tf.raw_ops.RaggedBincount`.\n\nPiperOrigin-RevId: 368293153\nChange-Id: 
I4b4e493d3fd05e7dc55a55de3a041a80a4f275c3", "target": 0, "dataset": "other", "idx": 270175 }, { "func": " static Status Compute(OpKernelContext* context,\n const typename TTypes::ConstTensor& arr,\n const typename TTypes::ConstTensor& weights,\n typename TTypes::Tensor& output,\n const Tidx num_bins) {\n Tensor all_nonneg_t;\n TF_RETURN_IF_ERROR(context->allocate_temp(\n DT_BOOL, TensorShape({}), &all_nonneg_t, AllocatorAttributes()));\n all_nonneg_t.scalar().device(context->eigen_cpu_device()) =\n (arr >= Tidx(0)).all();\n if (!all_nonneg_t.scalar()()) {\n return errors::InvalidArgument(\"Input arr must be non-negative!\");\n }\n\n // Allocate partial output bin sums for each worker thread. Worker ids in\n // ParallelForWithWorkerId range from 0 to NumThreads() inclusive.\n ThreadPool* thread_pool =\n context->device()->tensorflow_cpu_worker_threads()->workers;\n const int64 num_threads = thread_pool->NumThreads() + 1;\n Tensor partial_bins_t;\n TF_RETURN_IF_ERROR(context->allocate_temp(\n DataTypeToEnum::value, TensorShape({num_threads, num_bins}),\n &partial_bins_t));\n auto partial_bins = partial_bins_t.matrix();\n partial_bins.setZero();\n thread_pool->ParallelForWithWorkerId(\n arr.size(), 8 /* cost */,\n [&](int64 start_ind, int64 limit_ind, int64 worker_id) {\n for (int64 i = start_ind; i < limit_ind; i++) {\n Tidx value = arr(i);\n if (value < num_bins) {\n if (weights.size()) {\n partial_bins(worker_id, value) += weights(i);\n } else {\n // Complex numbers don't support \"++\".\n partial_bins(worker_id, value) += T(1);\n }\n }\n }\n });\n\n // Sum the partial bins along the 0th axis.\n Eigen::array reduce_dim({0});\n output.device(context->eigen_cpu_device()) = partial_bins.sum(reduce_dim);\n return Status::OK();\n }", "project": "tensorflow", "hash": 205567020549010084013978364866484274030, "size": 46, "commit_id": "eebb96c2830d48597d055d247c0e9aebaea94cd5", "message": "Fix an invalid address vulnerability in 
`tf.raw_ops.RaggedBincount`.\n\nPiperOrigin-RevId: 368293153\nChange-Id: I4b4e493d3fd05e7dc55a55de3a041a80a4f275c3", "target": 0, "dataset": "other", "idx": 270176 }, { "func": " static Status Compute(OpKernelContext* context,\n const typename TTypes::ConstTensor& arr,\n const typename TTypes::ConstTensor& weights,\n typename TTypes::Tensor& output,\n const Tidx num_bins) {\n Tensor all_nonneg_t;\n TF_RETURN_IF_ERROR(context->allocate_temp(\n DT_BOOL, TensorShape({}), &all_nonneg_t, AllocatorAttributes()));\n all_nonneg_t.scalar().device(context->eigen_cpu_device()) =\n (arr >= Tidx(0)).all();\n if (!all_nonneg_t.scalar()()) {\n return errors::InvalidArgument(\"Input arr must be non-negative!\");\n }\n\n // Allocate partial output bin sums for each worker thread. Worker ids in\n // ParallelForWithWorkerId range from 0 to NumThreads() inclusive.\n ThreadPool* thread_pool =\n context->device()->tensorflow_cpu_worker_threads()->workers;\n const int64 num_threads = thread_pool->NumThreads() + 1;\n Tensor partial_bins_t;\n TF_RETURN_IF_ERROR(context->allocate_temp(\n DT_BOOL, TensorShape({num_threads, num_bins}), &partial_bins_t));\n auto partial_bins = partial_bins_t.matrix();\n partial_bins.setZero();\n thread_pool->ParallelForWithWorkerId(\n arr.size(), 8 /* cost */,\n [&](int64 start_ind, int64 limit_ind, int64 worker_id) {\n for (int64 i = start_ind; i < limit_ind; i++) {\n Tidx value = arr(i);\n if (value < num_bins) {\n partial_bins(worker_id, value) = true;\n }\n }\n });\n\n // Sum the partial bins along the 0th axis.\n Eigen::array reduce_dim({0});\n output.device(context->eigen_cpu_device()) =\n partial_bins.any(reduce_dim).cast();\n return Status::OK();\n }", "project": "tensorflow", "hash": 243152964418099158327802868972106390051, "size": 41, "commit_id": "eebb96c2830d48597d055d247c0e9aebaea94cd5", "message": "Fix an invalid address vulnerability in `tf.raw_ops.RaggedBincount`.\n\nPiperOrigin-RevId: 368293153\nChange-Id: 
I4b4e493d3fd05e7dc55a55de3a041a80a4f275c3", "target": 0, "dataset": "other", "idx": 270177 }, { "func": " void Compute(OpKernelContext* context) override {\n const Tensor* input_indices;\n const Tensor* input_values;\n const Tensor* input_shape;\n SparseTensorsMap* map;\n\n OP_REQUIRES_OK(context, context->input(\"sparse_indices\", &input_indices));\n OP_REQUIRES_OK(context, context->input(\"sparse_values\", &input_values));\n OP_REQUIRES_OK(context, context->input(\"sparse_shape\", &input_shape));\n OP_REQUIRES_OK(context, GetMap(context, true /* is_writing */, &map));\n\n OP_REQUIRES(context, TensorShapeUtils::IsMatrix(input_indices->shape()),\n errors::InvalidArgument(\n \"Input indices should be a matrix but received shape \",\n input_indices->shape().DebugString()));\n\n OP_REQUIRES(context, TensorShapeUtils::IsVector(input_values->shape()),\n errors::InvalidArgument(\n \"Input values should be a vector but received shape \",\n input_values->shape().DebugString()));\n\n OP_REQUIRES(context, TensorShapeUtils::IsVector(input_shape->shape()),\n errors::InvalidArgument(\n \"Input shape should be a vector but received shape \",\n input_shape->shape().DebugString()));\n\n TensorShape input_shape_object;\n OP_REQUIRES_OK(context,\n TensorShapeUtils::MakeShape(input_shape->vec().data(),\n input_shape->NumElements(),\n &input_shape_object));\n SparseTensor st;\n OP_REQUIRES_OK(context, SparseTensor::Create(*input_indices, *input_values,\n input_shape_object, &st));\n int64 handle;\n OP_REQUIRES_OK(context, map->AddSparseTensor(context, st, &handle));\n\n Tensor sparse_handle(DT_INT64, TensorShape({}));\n auto sparse_handle_t = sparse_handle.scalar();\n\n sparse_handle_t() = handle;\n\n context->set_output(0, sparse_handle);\n }", "project": "tensorflow", "hash": 193556345523394611751008178600089660042, "size": 44, "commit_id": "69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c", "message": "Fix overflow CHECK issue with 
`tf.raw_ops.AddManySparseToTensorsMap`.\n\nPiperOrigin-RevId: 369492969\nChange-Id: I1d70d6c0c92e3d7a25bc3b3aa2a0c0ac9688bf81", "target": 0, "dataset": "other", "idx": 270286 }, { "func": "\nstatic void io_free_file_tables(struct io_file_table *table, unsigned nr_files)\n{\n\tunsigned i, nr_tables = DIV_ROUND_UP(nr_files, IORING_MAX_FILES_TABLE);\n\n\tfor (i = 0; i < nr_tables; i++)\n\t\tkfree(table->files[i]);\n\tkfree(table->files);\n\ttable->files = NULL;", "project": "linux", "hash": 239584053858057769123239514149003126387, "size": 9, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338656 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "sgx_status_t ecall_enclave_init_ra(int b_pse, sgx_ra_context_t *p_context) {\n try {\n return enclave_init_ra(b_pse, p_context);\n } catch (const std::runtime_error &e) {\n ocall_throw(e.what());\n return SGX_ERROR_UNEXPECTED;\n }\n}", "idx": 519077, "cwe": "CWE-787", "hash": 96752967503191513622133004236785658383, "dataset": "other" }, { "func": "static void setcolors(struct gspca_dev *gspca_dev, s32 val)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\tstatic const struct ov_i2c_regvals colors_7660[][6] = 
{\n\t\t{{0x4f, 0x28}, {0x50, 0x2a}, {0x51, 0x02}, {0x52, 0x0a},\n\t\t {0x53, 0x19}, {0x54, 0x23}},\n\t\t{{0x4f, 0x47}, {0x50, 0x4a}, {0x51, 0x03}, {0x52, 0x11},\n\t\t {0x53, 0x2c}, {0x54, 0x3e}},\n\t\t{{0x4f, 0x66}, {0x50, 0x6b}, {0x51, 0x05}, {0x52, 0x19},\n\t\t {0x53, 0x40}, {0x54, 0x59}},\n\t\t{{0x4f, 0x84}, {0x50, 0x8b}, {0x51, 0x06}, {0x52, 0x20},\n\t\t {0x53, 0x53}, {0x54, 0x73}},\n\t\t{{0x4f, 0xa3}, {0x50, 0xab}, {0x51, 0x08}, {0x52, 0x28},\n\t\t {0x53, 0x66}, {0x54, 0x8e}},\n\t};\n\n\tswitch (sd->sensor) {\n\tcase SEN_OV8610:\n\tcase SEN_OV7610:\n\tcase SEN_OV76BE:\n\tcase SEN_OV6620:\n\tcase SEN_OV6630:\n\tcase SEN_OV66308AF:\n\t\ti2c_w(sd, OV7610_REG_SAT, val);\n\t\tbreak;\n\tcase SEN_OV7620:\n\tcase SEN_OV7620AE:\n\t\t/* Use UV gamma control instead. Bits 0 & 7 are reserved. */\n/*\t\trc = ov_i2c_write(sd->dev, 0x62, (val >> 9) & 0x7e);\n\t\tif (rc < 0)\n\t\t\tgoto out; */\n\t\ti2c_w(sd, OV7610_REG_SAT, val);\n\t\tbreak;\n\tcase SEN_OV7640:\n\tcase SEN_OV7648:\n\t\ti2c_w(sd, OV7610_REG_SAT, val & 0xf0);\n\t\tbreak;\n\tcase SEN_OV7660:\n\t\twrite_i2c_regvals(sd, colors_7660[val],\n\t\t\t\t\tARRAY_SIZE(colors_7660[0]));\n\t\tbreak;\n\tcase SEN_OV7670:\n\t\t/* supported later once I work out how to do it\n\t\t * transparently fail now! 
*/\n\t\t/* set REG_COM13 values for UV sat auto mode */\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 90853089188659144284658983630787500516, "size": 48, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306330 }, { "func": "PLUGINDEX CSoundFile::GetChannelPlugin(CHANNELINDEX nChn, PluginMutePriority respectMutes) const\n{\n\tconst ModChannel &channel = m_PlayState.Chn[nChn];\n\n\tPLUGINDEX nPlugin;\n\tif((respectMutes == RespectMutes && channel.dwFlags[CHN_MUTE]) || channel.dwFlags[CHN_NOFX])\n\t{\n\t\tnPlugin = 0;\n\t} else\n\t{\n\t\t// If it looks like this is an NNA channel, we need to find the master channel.\n\t\t// This ensures we pick up the right ChnSettings.\n\t\t// NB: nMasterChn == 0 means no master channel, so we need to -1 to get correct index.\n\t\tif (nChn >= m_nChannels && channel.nMasterChn > 0)\n\t\t{\n\t\t\tnChn = channel.nMasterChn - 1;\n\t\t}\n\n\t\tif(nChn < MAX_BASECHANNELS)\n\t\t{\n\t\t\tnPlugin = ChnSettings[nChn].nMixPlugin;\n\t\t} else\n\t\t{\n\t\t\tnPlugin = 0;\n\t\t}\n\t}\n\treturn nPlugin;\n}", "project": "openmpt", "hash": 304084774628115324961399848205570473215, "size": 28, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of 
some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255211 }, { "func": "static apr_byte_t oidc_refresh_claims_from_userinfo_endpoint(request_rec *r,\n\t\toidc_cfg *cfg, oidc_session_t *session) {\n\n\toidc_provider_t *provider = NULL;\n\tconst char *claims = NULL;\n\tconst char *access_token = NULL;\n\tchar *userinfo_jwt = NULL;\n\n\t/* get the current provider info */\n\tif (oidc_get_provider_from_session(r, cfg, session, &provider) == FALSE)\n\t\treturn FALSE;\n\n\t/* see if we can do anything here, i.e. we have a userinfo endpoint and a refresh interval is configured */\n\tapr_time_t interval = apr_time_from_sec(\n\t\t\tprovider->userinfo_refresh_interval);\n\n\toidc_debug(r, \"userinfo_endpoint=%s, interval=%d\",\n\t\t\tprovider->userinfo_endpoint_url,\n\t\t\tprovider->userinfo_refresh_interval);\n\n\tif ((provider->userinfo_endpoint_url != NULL) && (interval > 0)) {\n\n\t\t/* get the last refresh timestamp from the session info */\n\t\tapr_time_t last_refresh = oidc_session_get_userinfo_last_refresh(r,\n\t\t\t\tsession);\n\n\t\toidc_debug(r, \"refresh needed in: %\" APR_TIME_T_FMT \" seconds\",\n\t\t\t\tapr_time_sec(last_refresh + interval - apr_time_now()));\n\n\t\t/* see if we need to refresh again */\n\t\tif (last_refresh + interval < apr_time_now()) {\n\n\t\t\t/* get the current access token */\n\t\t\taccess_token = oidc_session_get_access_token(r, session);\n\n\t\t\t/* retrieve the current claims */\n\t\t\tclaims = oidc_retrieve_claims_from_userinfo_endpoint(r, cfg,\n\t\t\t\t\tprovider, access_token, session, NULL, &userinfo_jwt);\n\n\t\t\t/* store claims resolved from userinfo endpoint */\n\t\t\toidc_store_userinfo_claims(r, cfg, session, provider, claims,\n\t\t\t\t\tuserinfo_jwt);\n\n\t\t\t/* indicated something changed 
*/\n\t\t\treturn TRUE;\n\t\t}\n\t}\n\treturn FALSE;\n}", "project": "mod_auth_openidc", "hash": 66373051391530327244513781919580084982, "size": 49, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381915 }, { "func": "static void take_rmap_locks(struct vm_area_struct *vma)\n{\n\tif (vma->vm_file)\n\t\ti_mmap_lock_write(vma->vm_file->f_mapping);\n\tif (vma->anon_vma)\n\t\tanon_vma_lock_write(vma->anon_vma);\n}", "project": "linux", "hash": 11317210392963605694231497406348227204, "size": 7, "commit_id": "5bfea2d9b17f1034a68147a8b03b9789af5700f9", "message": "mm: Fix mremap not considering huge pmd devmap\n\nThe original code in mm/mremap.c checks huge pmd by:\n\n\t\tif (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {\n\nHowever, a DAX mapped nvdimm is mapped as huge page (by default) but it\nis not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This commit\nchanges the condition to include the case.\n\nThis addresses CVE-2020-10757.\n\nFixes: 5c7fb56e5e3f (\"mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd\")\nCc: \nReported-by: Fan Yang \nSigned-off-by: Fan Yang \nTested-by: Fan Yang \nTested-by: Dan Williams \nReviewed-by: Dan Williams \nAcked-by: Kirill A. 
Shutemov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 321577 }, { "func": "static __init int svm_hardware_setup(void)\n{\n\tint cpu;\n\tstruct page *iopm_pages;\n\tvoid *iopm_va;\n\tint r;\n\n\tiopm_pages = alloc_pages(GFP_KERNEL, IOPM_ALLOC_ORDER);\n\n\tif (!iopm_pages)\n\t\treturn -ENOMEM;\n\n\tiopm_va = page_address(iopm_pages);\n\tmemset(iopm_va, 0xff, PAGE_SIZE * (1 << IOPM_ALLOC_ORDER));\n\tiopm_base = page_to_pfn(iopm_pages) << PAGE_SHIFT;\n\n\tinit_msrpm_offsets();\n\n\tif (boot_cpu_has(X86_FEATURE_NX))\n\t\tkvm_enable_efer_bits(EFER_NX);\n\n\tif (boot_cpu_has(X86_FEATURE_FXSR_OPT))\n\t\tkvm_enable_efer_bits(EFER_FFXSR);\n\n\tif (boot_cpu_has(X86_FEATURE_TSCRATEMSR)) {\n\t\tkvm_has_tsc_control = true;\n\t\tkvm_max_tsc_scaling_ratio = TSC_RATIO_MAX;\n\t\tkvm_tsc_scaling_ratio_frac_bits = 32;\n\t}\n\n\t/* Check for pause filtering support */\n\tif (!boot_cpu_has(X86_FEATURE_PAUSEFILTER)) {\n\t\tpause_filter_count = 0;\n\t\tpause_filter_thresh = 0;\n\t} else if (!boot_cpu_has(X86_FEATURE_PFTHRESHOLD)) {\n\t\tpause_filter_thresh = 0;\n\t}\n\n\tif (nested) {\n\t\tprintk(KERN_INFO \"kvm: Nested Virtualization enabled\\n\");\n\t\tkvm_enable_efer_bits(EFER_SVME | EFER_LMSLE);\n\t}\n\n\tif (sev) {\n\t\tif (boot_cpu_has(X86_FEATURE_SEV) &&\n\t\t IS_ENABLED(CONFIG_KVM_AMD_SEV)) {\n\t\t\tr = sev_hardware_setup();\n\t\t\tif (r)\n\t\t\t\tsev = false;\n\t\t} else {\n\t\t\tsev = false;\n\t\t}\n\t}\n\n\tsvm_adjust_mmio_mask();\n\n\tfor_each_possible_cpu(cpu) {\n\t\tr = svm_cpu_init(cpu);\n\t\tif (r)\n\t\t\tgoto err;\n\t}\n\n\tif (!boot_cpu_has(X86_FEATURE_NPT))\n\t\tnpt_enabled = false;\n\n\tif (npt_enabled && !npt) {\n\t\tprintk(KERN_INFO \"kvm: Nested Paging disabled\\n\");\n\t\tnpt_enabled = false;\n\t}\n\n\tif (npt_enabled) {\n\t\tprintk(KERN_INFO \"kvm: Nested Paging enabled\\n\");\n\t\tkvm_enable_tdp();\n\t} else\n\t\tkvm_disable_tdp();\n\n\tif (nrips) {\n\t\tif (!boot_cpu_has(X86_FEATURE_NRIPS))\n\t\t\tnrips = false;\n\t}\n\n\tif (avic) 
{\n\t\tif (!npt_enabled ||\n\t\t !boot_cpu_has(X86_FEATURE_AVIC) ||\n\t\t !IS_ENABLED(CONFIG_X86_LOCAL_APIC)) {\n\t\t\tavic = false;\n\t\t} else {\n\t\t\tpr_info(\"AVIC enabled\\n\");\n\n\t\t\tamd_iommu_register_ga_log_notifier(&avic_ga_log_notifier);\n\t\t}\n\t}\n\n\tif (vls) {\n\t\tif (!npt_enabled ||\n\t\t !boot_cpu_has(X86_FEATURE_V_VMSAVE_VMLOAD) ||\n\t\t !IS_ENABLED(CONFIG_X86_64)) {\n\t\t\tvls = false;\n\t\t} else {\n\t\t\tpr_info(\"Virtual VMLOAD VMSAVE supported\\n\");\n\t\t}\n\t}\n\n\tif (vgif) {\n\t\tif (!boot_cpu_has(X86_FEATURE_VGIF))\n\t\t\tvgif = false;\n\t\telse\n\t\t\tpr_info(\"Virtual GIF supported\\n\");\n\t}\n\n\treturn 0;\n\nerr:\n\t__free_pages(iopm_pages, IOPM_ALLOC_ORDER);\n\tiopm_base = 0;\n\treturn r;\n}", "project": "linux", "hash": 158104502696532963625445649285716255394, "size": 117, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432526 }, { "func": "static __init int svm_hardware_setup(void)\n{\n\tint cpu;\n\tstruct page *iopm_pages;\n\tvoid *iopm_va;\n\tint r;\n\n\tiopm_pages = alloc_pages(GFP_KERNEL, IOPM_ALLOC_ORDER);\n\n\tif (!iopm_pages)\n\t\treturn -ENOMEM;\n\n\tiopm_va = page_address(iopm_pages);\n\tmemset(iopm_va, 0xff, PAGE_SIZE * (1 << IOPM_ALLOC_ORDER));\n\tiopm_base = page_to_pfn(iopm_pages) << PAGE_SHIFT;\n\n\tinit_msrpm_offsets();\n\n\tif (boot_cpu_has(X86_FEATURE_NX))\n\t\tkvm_enable_efer_bits(EFER_NX);\n\n\tif (boot_cpu_has(X86_FEATURE_FXSR_OPT))\n\t\tkvm_enable_efer_bits(EFER_FFXSR);\n\n\tif (boot_cpu_has(X86_FEATURE_TSCRATEMSR)) {\n\t\tu64 max;\n\n\t\tkvm_has_tsc_control = true;\n\n\t\t/*\n\t\t * Make sure the user can only configure tsc_khz values that\n\t\t * fit into a signed integer.\n\t\t * A min value is not calculated needed because it will always\n\t\t * be 1 on all machines and a value of 0 is used to disable\n\t\t * tsc-scaling for the vcpu.\n\t\t */\n\t\tmax = min(0x7fffffffULL, __scale_tsc(tsc_khz, TSC_RATIO_MAX));\n\n\t\tkvm_max_guest_tsc_khz = max;\n\t}\n\n\tif (nested) {\n\t\tprintk(KERN_INFO \"kvm: Nested Virtualization enabled\\n\");\n\t\tkvm_enable_efer_bits(EFER_SVME | EFER_LMSLE);\n\t}\n\n\tfor_each_possible_cpu(cpu) {\n\t\tr = svm_cpu_init(cpu);\n\t\tif (r)\n\t\t\tgoto err;\n\t}\n\n\tif (!boot_cpu_has(X86_FEATURE_NPT))\n\t\tnpt_enabled = false;\n\n\tif (npt_enabled && !npt) {\n\t\tprintk(KERN_INFO \"kvm: Nested Paging disabled\\n\");\n\t\tnpt_enabled = false;\n\t}\n\n\tif (npt_enabled) {\n\t\tprintk(KERN_INFO \"kvm: Nested Paging enabled\\n\");\n\t\tkvm_enable_tdp();\n\t} else\n\t\tkvm_disable_tdp();\n\n\treturn 0;\n\nerr:\n\t__free_pages(iopm_pages, IOPM_ALLOC_ORDER);\n\tiopm_base = 0;\n\treturn r;\n}", 
"project": "kvm", "hash": 154691550347368689139439515341361026077, "size": 73, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437600 }, { "func": "static int unlink_simple(struct usbtest_dev *dev, int pipe, int len)\n{\n\tint\t\t\tretval = 0;\n\n\t/* test sync and async paths */\n\tretval = unlink1(dev, pipe, len, 1);\n\tif (!retval)\n\t\tretval = unlink1(dev, pipe, len, 0);\n\treturn retval;\n}", "project": "linux", "hash": 314723508748247317318029000487635444860, "size": 10, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n 
[<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412282 }, { "func": " Item_cache_str_for_nullif(THD *thd, const Item *item)\n :Item_cache_str(thd, item)\n { }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 274295641310808307430540869779644049060, "size": 3, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509096 }, { "func": "int DeliverSignal(int linux_signum, int linux_sigcode) {\n absl::optional signum = FromkLinuxSignalNumber(linux_signum);\n if (!signum) {\n return 1;\n }\n siginfo_t info;\n info.si_signo = *signum;\n info.si_code = linux_sigcode;\n SignalManager *signal_manager = SignalManager::GetInstance();\n const sigset_t mask = signal_manager->GetSignalMask();\n\n // If the signal is blocked and still passed into the enclave. The signal\n // masks inside the enclave is out of sync with the untrusted signal mask.\n if (sigismember(&mask, *signum)) {\n return -1;\n }\n signal_manager->HandleSignal(*signum, &info, /*ucontext=*/nullptr);\n return 0;\n}", "project": "asylo", "hash": 167019675184240351901152052360429422135, "size": 19, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232055 }, { "func": "int DeliverSignal(int linux_signum, int linux_sigcode) {\n int signum = FromkLinuxSignalNumber(linux_signum);\n if (signum < 0) {\n return 1;\n }\n siginfo_t info;\n info.si_signo = signum;\n info.si_code = linux_sigcode;\n SignalManager *signal_manager = SignalManager::GetInstance();\n const sigset_t mask = signal_manager->GetSignalMask();\n\n // If the signal is blocked and still passed into the enclave. 
The signal\n // masks inside the enclave is out of sync with the untrusted signal mask.\n if (sigismember(&mask, signum)) {\n return -1;\n }\n signal_manager->HandleSignal(signum, &info, /*ucontext=*/nullptr);\n return 0;\n}", "project": "asylo", "hash": 103824029319281260646923684442861116062, "size": 19, "commit_id": "83036fd841d33baa7e039f842d131aa7881fdcc2", "message": "Verify UntrustedCall output is outside enclave\n\nPiperOrigin-RevId: 333781703\nChange-Id: I9df55c04dc8b04f4bf0bda8e68cc32bca81b933a", "target": 0, "dataset": "other", "idx": 246051 }, { "func": "nosy_poll(struct file *file, poll_table *pt)\n{\n\tstruct client *client = file->private_data;\n\t__poll_t ret = 0;\n\n\tpoll_wait(file, &client->buffer.wait, pt);\n\n\tif (atomic_read(&client->buffer.size) > 0)\n\t\tret = EPOLLIN | EPOLLRDNORM;\n\n\tif (list_empty(&client->lynx->link))\n\t\tret |= EPOLLHUP;\n\n\treturn ret;\n}", "project": "linux", "hash": 301019110787988031607147216224425357582, "size": 15, "commit_id": "829933ef05a951c8ff140e814656d73e74915faf", "message": "firewire: nosy: Fix a use-after-free bug in nosy_ioctl()\n\nFor each device, the nosy driver allocates a pcilynx structure.\nA use-after-free might happen in the following scenario:\n\n 1. Open nosy device for the first time and call ioctl with command\n NOSY_IOC_START, then a new client A will be malloced and added to\n doubly linked list.\n 2. Open nosy device for the second time and call ioctl with command\n NOSY_IOC_START, then a new client B will be malloced and added to\n doubly linked list.\n 3. Call ioctl with command NOSY_IOC_START for client A, then client A\n will be readded to the doubly linked list. Now the doubly linked\n list is messed up.\n 4. Close the first nosy device and nosy_release will be called. In\n nosy_release, client A will be unlinked and freed.\n 5. 
Close the second nosy device, and client A will be referenced,\n resulting in UAF.\n\nThe root cause of this bug is that the element in the doubly linked list\nis reentered into the list.\n\nFix this bug by adding a check before inserting a client. If a client\nis already in the linked list, don't insert it.\n\nThe following KASAN report reveals it:\n\n BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210\n Write of size 8 at addr ffff888102ad7360 by task poc\n CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n Call Trace:\n nosy_release+0x1ea/0x210\n __fput+0x1e2/0x840\n task_work_run+0xe8/0x180\n exit_to_user_mode_prepare+0x114/0x120\n syscall_exit_to_user_mode+0x1d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Allocated by task 337:\n nosy_open+0x154/0x4d0\n misc_open+0x2ec/0x410\n chrdev_open+0x20d/0x5a0\n do_dentry_open+0x40f/0xe80\n path_openat+0x1cf9/0x37b0\n do_filp_open+0x16d/0x390\n do_sys_openat2+0x11d/0x360\n __x64_sys_open+0xfd/0x1a0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Freed by task 337:\n kfree+0x8f/0x210\n nosy_release+0x158/0x210\n __fput+0x1e2/0x840\n task_work_run+0xe8/0x180\n exit_to_user_mode_prepare+0x114/0x120\n syscall_exit_to_user_mode+0x1d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128\n The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380)\n\n[ Modified to use 'list_empty()' inside proper lock - Linus ]\n\nLink: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/\nReported-and-tested-by: 马哲宇 (Zheyu Ma) \nSigned-off-by: Zheyu Ma \nCc: Greg Kroah-Hartman \nCc: Stefan Richter \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 279637 }, { "func": "random_poll(struct 
file *file, poll_table * wait)\n{\n\tunsigned int mask;\n\n\tpoll_wait(file, &random_read_wait, wait);\n\tpoll_wait(file, &random_write_wait, wait);\n\tmask = 0;\n\tif (input_pool.entropy_count >= random_read_wakeup_thresh)\n\t\tmask |= POLLIN | POLLRDNORM;\n\tif (input_pool.entropy_count < random_write_wakeup_thresh)\n\t\tmask |= POLLOUT | POLLWRNORM;\n\treturn mask;\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 151874002357283255648516380788167331087, "size": 13, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. 
I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499901 }, { "func": "enum_func_status\nphp_mysqlnd_rowp_read_text_protocol_zval(MYSQLND_MEMORY_POOL_CHUNK * row_buffer, zval ** fields,\n\t\t\t\t\t\t\t\t\tunsigned int field_count, const MYSQLND_FIELD * fields_metadata,\n\t\t\t\t\t\t\t\t\tzend_bool as_int_or_float, MYSQLND_STATS * stats TSRMLS_DC)\n{\n\tenum_func_status ret;\n\tDBG_ENTER(\"php_mysqlnd_rowp_read_text_protocol_zval\");\n\tret = php_mysqlnd_rowp_read_text_protocol_aux(row_buffer, fields, field_count, fields_metadata, as_int_or_float, FALSE, stats TSRMLS_CC);\n\tDBG_RETURN(ret);", "project": "php-src", "hash": 207528902787957047315609579838678848090, "size": 9, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416674 }, { "func": "int mnt_optstr_remove_option_at(char **optstr, char *begin, char *end)\n{\n\tsize_t sz;\n\n\tif (!optstr || !begin || !end)\n\t\treturn -EINVAL;\n\n\tif ((begin == *optstr || *(begin - 1) == ',') && *end == ',')\n\t\tend++;\n\n\tsz = strlen(end);\n\n\tmemmove(begin, end, sz + 1);\n\tif (!*begin && (begin > *optstr) && *(begin - 1) == ',')\n\t\t*(begin - 1) = '\\0';\n\n\treturn 0;\n}", "project": "util-linux", "hash": 241082039641657119355591376665889159788, "size": 18, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410403 }, { "func": "void CClient::ParsePass(const CString& sAuthLine) {\n // [user[@identifier][/network]:]password\n\n const 
size_t uColon = sAuthLine.find(\":\");\n if (uColon != CString::npos) {\n m_sPass = sAuthLine.substr(uColon + 1);\n\n ParseUser(sAuthLine.substr(0, uColon));\n } else {\n m_sPass = sAuthLine;\n }\n}", "project": "znc", "hash": 290495138454703042714770461206835962137, "size": 12, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231550 }, { "func": "static inline void sysfs_slab_remove(struct kmem_cache *s) { }", "project": "linux", "hash": 220536911648418161778133221153967320519, "size": 1, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280127 }, { "func": "\nstatic void sysfs_slab_remove(struct kmem_cache *s)\n{\n\tif (slab_state < FULL)\n\t\t/*\n\t\t * Sysfs has not been setup yet so no need to remove the\n\t\t * cache from sysfs.\n\t\t */\n\t\treturn;\n\n\tkobject_get(&s->kobj);\n\tschedule_work(&s->kobj_remove_work);", "project": "linux", "hash": 44029553144222624407584162885366233223, "size": 12, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist 
of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280228 }, { "func": "PHP_FUNCTION(openssl_get_cert_locations)\n{\n\tarray_init(return_value);\n\n\tadd_assoc_string(return_value, \"default_cert_file\", (char *) X509_get_default_cert_file());\n\tadd_assoc_string(return_value, \"default_cert_file_env\", (char *) X509_get_default_cert_file_env());\n\tadd_assoc_string(return_value, \"default_cert_dir\", (char *) X509_get_default_cert_dir());\n\tadd_assoc_string(return_value, \"default_cert_dir_env\", (char *) X509_get_default_cert_dir_env());\n\tadd_assoc_string(return_value, \"default_private_dir\", (char *) X509_get_default_private_dir());\n\tadd_assoc_string(return_value, \"default_default_cert_area\", (char *) X509_get_default_cert_area());\n\tadd_assoc_string(return_value, \"ini_cafile\",\n\t\tzend_ini_string(\"openssl.cafile\", sizeof(\"openssl.cafile\")-1, 0));\n\tadd_assoc_string(return_value, \"ini_capath\",\n\t\tzend_ini_string(\"openssl.capath\", sizeof(\"openssl.capath\")-1, 0));\n}", "project": "php-src", "hash": 58816268503910709706392781456981008353, "size": 15, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291405 }, { "func": "static const opj_dec_memory_marker_handler_t * opj_j2k_get_marker_handler(\n OPJ_UINT32 p_id)\n{\n const opj_dec_memory_marker_handler_t *e;\n for (e 
= j2k_memory_marker_handler_tab; e->id != 0; ++e) {\n if (e->id == p_id) {\n break; /* we find a handler corresponding to the marker ID*/\n }\n }\n return e;\n}", "project": "openjpeg", "hash": 189633264922193969221635708008692119218, "size": 11, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357332 }, { "func": "/* Must be called with bfqq != NULL */\nstatic void bfq_bfqq_end_wr(struct bfq_queue *bfqq)\n{\n\tif (bfq_bfqq_busy(bfqq))\n\t\tbfqq->bfqd->wr_busy_queues--;\n\tbfqq->wr_coeff = 1;\n\tbfqq->wr_cur_max_time = 0;\n\tbfqq->last_wr_start_finish = jiffies;\n\t/*\n\t * Trigger a weight change on the next invocation of\n\t * __bfq_entity_update_weight_prio.\n\t */\n\tbfqq->entity.prio_changed = 1;", "project": "linux", "hash": 48109608924822960568552139300552479469, "size": 13, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453282 }, { "func": "struct iscsi_iface *\niscsi_create_iface(struct Scsi_Host *shost, struct iscsi_transport *transport,\n\t\t uint32_t iface_type, uint32_t iface_num, int dd_size)\n{\n\tstruct iscsi_iface *iface;\n\tint err;\n\n\tiface = kzalloc(sizeof(*iface) + dd_size, GFP_KERNEL);\n\tif (!iface)\n\t\treturn NULL;\n\n\tiface->transport = transport;\n\tiface->iface_type = iface_type;\n\tiface->iface_num = iface_num;\n\tiface->dev.release = iscsi_iface_release;\n\tiface->dev.class = &iscsi_iface_class;\n\t/* parent reference released in iscsi_iface_release */\n\tiface->dev.parent = get_device(&shost->shost_gendev);\n\tif (iface_type == ISCSI_IFACE_TYPE_IPV4)\n\t\tdev_set_name(&iface->dev, \"ipv4-iface-%u-%u\", shost->host_no,\n\t\t\t iface_num);\n\telse\n\t\tdev_set_name(&iface->dev, \"ipv6-iface-%u-%u\", shost->host_no,\n\t\t\t iface_num);\n\n\terr = 
device_register(&iface->dev);\n\tif (err)\n\t\tgoto free_iface;\n\n\terr = sysfs_create_group(&iface->dev.kobj, &iscsi_iface_group);\n\tif (err)\n\t\tgoto unreg_iface;\n\n\tif (dd_size)\n\t\tiface->dd_data = &iface[1];\n\treturn iface;\n\nunreg_iface:\n\tdevice_unregister(&iface->dev);\n\treturn NULL;\n\nfree_iface:\n\tput_device(iface->dev.parent);\n\tkfree(iface);\n\treturn NULL;", "project": "linux", "hash": 120370014213326432773022774965768078154, "size": 45, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 380022 }, { "func": "bfad_im_get_stats(struct Scsi_Host *shost)\n{\n\tstruct bfad_im_port_s *im_port =\n\t\t\t(struct bfad_im_port_s *) shost->hostdata[0];\n\tstruct bfad_s *bfad = im_port->bfad;\n\tstruct bfad_hal_comp fcomp;\n\tunion bfa_port_stats_u *fcstats;\n\tstruct fc_host_statistics *hstats;\n\tbfa_status_t rc;\n\tunsigned long flags;\n\n\tfcstats = kzalloc(sizeof(union bfa_port_stats_u), GFP_KERNEL);\n\tif (fcstats == NULL)\n\t\treturn NULL;\n\n\thstats = &bfad->link_stats;\n\tinit_completion(&fcomp.comp);\n\tspin_lock_irqsave(&bfad->bfad_lock, flags);\n\tmemset(hstats, 0, sizeof(struct fc_host_statistics));\n\trc = bfa_port_get_stats(BFA_FCPORT(&bfad->bfa),\n\t\t\t\tfcstats, bfad_hcb_comp, &fcomp);\n\tspin_unlock_irqrestore(&bfad->bfad_lock, flags);\n\tif (rc != BFA_STATUS_OK)\n\t\treturn NULL;\n\n\twait_for_completion(&fcomp.comp);\n\n\t/* Fill the fc_host_statistics structure */\n\thstats->seconds_since_last_reset = 
fcstats->fc.secs_reset;\n\thstats->tx_frames = fcstats->fc.tx_frames;\n\thstats->tx_words = fcstats->fc.tx_words;\n\thstats->rx_frames = fcstats->fc.rx_frames;\n\thstats->rx_words = fcstats->fc.rx_words;\n\thstats->lip_count = fcstats->fc.lip_count;\n\thstats->nos_count = fcstats->fc.nos_count;\n\thstats->error_frames = fcstats->fc.error_frames;\n\thstats->dumped_frames = fcstats->fc.dropped_frames;\n\thstats->link_failure_count = fcstats->fc.link_failures;\n\thstats->loss_of_sync_count = fcstats->fc.loss_of_syncs;\n\thstats->loss_of_signal_count = fcstats->fc.loss_of_signals;\n\thstats->prim_seq_protocol_err_count = fcstats->fc.primseq_errs;\n\thstats->invalid_crc_count = fcstats->fc.invalid_crcs;\n\n\tkfree(fcstats);\n\treturn hstats;\n}", "project": "linux", "hash": 276831105069953521205119097095926483692, "size": 46, "commit_id": "0e62395da2bd5166d7c9e14cbc7503b256a34cb0", "message": "scsi: bfa: release allocated memory in case of error\n\nIn bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to\nbe released.\n\nLink: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com\nSigned-off-by: Navid Emamdoost \nSigned-off-by: Martin K. Petersen ", "target": 1, "dataset": "other", "idx": 210708 }, { "func": "static bool prepare_signal(int sig, struct task_struct *p, bool force)\n{\n\tstruct signal_struct *signal = p->signal;\n\tstruct task_struct *t;\n\tsigset_t flush;\n\n\tif (signal->flags & (SIGNAL_GROUP_EXIT | SIGNAL_GROUP_COREDUMP)) {\n\t\tif (!(signal->flags & SIGNAL_GROUP_EXIT))\n\t\t\treturn sig == SIGKILL;\n\t\t/*\n\t\t * The process is in the middle of dying, nothing to do.\n\t\t */\n\t} else if (sig_kernel_stop(sig)) {\n\t\t/*\n\t\t * This is a stop signal. 
Remove SIGCONT from all queues.\n\t\t */\n\t\tsiginitset(&flush, sigmask(SIGCONT));\n\t\tflush_sigqueue_mask(&flush, &signal->shared_pending);\n\t\tfor_each_thread(p, t)\n\t\t\tflush_sigqueue_mask(&flush, &t->pending);\n\t} else if (sig == SIGCONT) {\n\t\tunsigned int why;\n\t\t/*\n\t\t * Remove all stop signals from all queues, wake all threads.\n\t\t */\n\t\tsiginitset(&flush, SIG_KERNEL_STOP_MASK);\n\t\tflush_sigqueue_mask(&flush, &signal->shared_pending);\n\t\tfor_each_thread(p, t) {\n\t\t\tflush_sigqueue_mask(&flush, &t->pending);\n\t\t\ttask_clear_jobctl_pending(t, JOBCTL_STOP_PENDING);\n\t\t\tif (likely(!(t->ptrace & PT_SEIZED)))\n\t\t\t\twake_up_state(t, __TASK_STOPPED);\n\t\t\telse\n\t\t\t\tptrace_trap_notify(t);\n\t\t}\n\n\t\t/*\n\t\t * Notify the parent with CLD_CONTINUED if we were stopped.\n\t\t *\n\t\t * If we were in the middle of a group stop, we pretend it\n\t\t * was already finished, and then continued. Since SIGCHLD\n\t\t * doesn't queue we report only CLD_STOPPED, as if the next\n\t\t * CLD_CONTINUED was dropped.\n\t\t */\n\t\twhy = 0;\n\t\tif (signal->flags & SIGNAL_STOP_STOPPED)\n\t\t\twhy |= SIGNAL_CLD_CONTINUED;\n\t\telse if (signal->group_stop_count)\n\t\t\twhy |= SIGNAL_CLD_STOPPED;\n\n\t\tif (why) {\n\t\t\t/*\n\t\t\t * The first thread which returns from do_signal_stop()\n\t\t\t * will take ->siglock, notice SIGNAL_CLD_MASK, and\n\t\t\t * notify its parent. See get_signal().\n\t\t\t */\n\t\t\tsignal_set_stop_flags(signal, why | SIGNAL_STOP_CONTINUED);\n\t\t\tsignal->group_stop_count = 0;\n\t\t\tsignal->group_exit_code = 0;\n\t\t}\n\t}\n\n\treturn !sig_ignored(p, sig, force);\n}", "project": "linux", "hash": 304865530281473127302621440981897506278, "size": 64, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. 
With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375309 }, { "func": "static int nfs41_sequence_handle_errors(struct rpc_task *task, struct nfs_client *clp)\n{\n\tswitch(task->tk_status) {\n\tcase -NFS4ERR_DELAY:\n\t\trpc_delay(task, NFS4_POLL_RETRY_MAX);\n\t\treturn -EAGAIN;\n\tdefault:\n\t\tnfs4_schedule_lease_recovery(clp);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 220609002557115619564845527957087801727, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431253 }, { "func": " static Value parseStringToOID(ExpressionContext* const expCtx, Value inputValue) {\n try {\n return Value(OID::createFromString(inputValue.getStringData()));\n } catch (const DBException& ex) {\n // Rethrow any caught exception as a conversion failure such that 'onError' is evaluated\n // and returned.\n uasserted(ErrorCodes::ConversionFailure,\n str::stream() << \"Failed to parse objectId '\" << inputValue.getString()\n << \"' in $convert with no onError value: \" << ex.reason());\n }\n }", "project": "mongo", "hash": 108848218806316108142339379743453051225, "size": 11, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370084 }, { "func": "static inline u32 tcp_rto_min(struct sock *sk)\n{\n\tconst struct dst_entry *dst = __sk_dst_get(sk);\n\tu32 rto_min = TCP_RTO_MIN;\n\n\tif (dst && dst_metric_locked(dst, RTAX_RTO_MIN))\n\t\trto_min = dst_metric_rtt(dst, RTAX_RTO_MIN);\n\treturn rto_min;\n}", "project": "linux", "hash": 
275999268412597728926568734181673526717, "size": 9, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410799 }, { "func": "TEST_P(JSITest, JSErrorDoesNotInfinitelyRecurse) {\n Value globalError = rt.global().getProperty(rt, \"Error\");\n rt.global().setProperty(rt, \"Error\", Value::undefined());\n try {\n rt.global().getPropertyAsFunction(rt, \"NotAFunction\");\n FAIL() << \"expected exception\";\n } catch (const JSError& ex) {\n EXPECT_EQ(\n ex.getMessage(),\n \"callGlobalFunction: JS global property 'Error' is undefined, \"\n \"expected a Function (while raising getPropertyAsObject: \"\n \"property 'NotAFunction' is undefined, expected an Object)\");\n }\n\n // If Error is missing, this is fundamentally a problem with JS code\n // messing up the global object, so it should present in JS code as\n // a catchable string. Not an Error (because that's broken), or as\n // a C++ failure.\n\n auto fails = [](Runtime& rt, const Value&, const Value*, size_t) -> Value {\n return rt.global().getPropertyAsObject(rt, \"NotAProperty\");\n };\n EXPECT_EQ(\n function(\"function (f) { try { f(); return 'undefined'; }\"\n \"catch (e) { return typeof e; } }\")\n .call(\n rt,\n Function::createFromHostFunction(\n rt, PropNameID::forAscii(rt, \"fails\"), 0, fails))\n .getString(rt)\n .utf8(rt),\n \"string\");\n\n rt.global().setProperty(rt, \"Error\", globalError);\n}", "project": "hermes", "hash": 206918118310145533480939973037790055800, "size": 35, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230155 }, { "func": "TEST_P(JSITest, PreparedJavaScriptSourceTest) {\n rt.evaluateJavaScript(std::make_unique(\"var q = 0;\"), \"\");\n auto prep = rt.prepareJavaScript(std::make_unique(\"q++;\"), \"\");\n EXPECT_EQ(rt.global().getProperty(rt, \"q\").getNumber(), 0);\n rt.evaluatePreparedJavaScript(prep);\n EXPECT_EQ(rt.global().getProperty(rt, \"q\").getNumber(), 1);\n rt.evaluatePreparedJavaScript(prep);\n EXPECT_EQ(rt.global().getProperty(rt, \"q\").getNumber(), 2);\n}", "project": "hermes", "hash": 261810362154030441269777948872546071614, "size": 9, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230167 }, { "func": "TEST_P(JSITest, PropNameIDTest) {\n // This is a little weird to test, because it doesn't really exist\n // in JS yet. 
All I can do is create them, compare them, and\n // receive one as an argument to a HostObject.\n\n PropNameID quux = PropNameID::forAscii(rt, \"quux1\", 4);\n PropNameID movedQuux = std::move(quux);\n EXPECT_EQ(movedQuux.utf8(rt), \"quux\");\n movedQuux = PropNameID::forAscii(rt, \"quux2\");\n EXPECT_EQ(movedQuux.utf8(rt), \"quux2\");\n PropNameID copiedQuux = PropNameID(rt, movedQuux);\n EXPECT_TRUE(PropNameID::compare(rt, movedQuux, copiedQuux));\n\n EXPECT_TRUE(PropNameID::compare(rt, movedQuux, movedQuux));\n EXPECT_TRUE(PropNameID::compare(\n rt, movedQuux, PropNameID::forAscii(rt, std::string(\"quux2\"))));\n EXPECT_FALSE(PropNameID::compare(\n rt, movedQuux, PropNameID::forAscii(rt, std::string(\"foo\"))));\n uint8_t utf8[] = {0xF0, 0x9F, 0x86, 0x97};\n PropNameID utf8PropNameID = PropNameID::forUtf8(rt, utf8, sizeof(utf8));\n EXPECT_EQ(utf8PropNameID.utf8(rt), u8\"\\U0001F197\");\n EXPECT_TRUE(PropNameID::compare(\n rt, utf8PropNameID, PropNameID::forUtf8(rt, utf8, sizeof(utf8))));\n PropNameID nonUtf8PropNameID = PropNameID::forUtf8(rt, \"meow\");\n EXPECT_TRUE(PropNameID::compare(\n rt, nonUtf8PropNameID, PropNameID::forAscii(rt, \"meow\")));\n EXPECT_EQ(nonUtf8PropNameID.utf8(rt), \"meow\");\n PropNameID strPropNameID =\n PropNameID::forString(rt, String::createFromAscii(rt, \"meow\"));\n EXPECT_TRUE(PropNameID::compare(rt, nonUtf8PropNameID, strPropNameID));\n\n auto names = PropNameID::names(\n rt, \"Ala\", std::string(\"ma\"), PropNameID::forAscii(rt, \"kota\"));\n EXPECT_EQ(names.size(), 3);\n EXPECT_TRUE(\n PropNameID::compare(rt, names[0], PropNameID::forAscii(rt, \"Ala\")));\n EXPECT_TRUE(\n PropNameID::compare(rt, names[1], PropNameID::forAscii(rt, \"ma\")));\n EXPECT_TRUE(\n PropNameID::compare(rt, names[2], PropNameID::forAscii(rt, \"kota\")));\n}", "project": "hermes", "hash": 185280071459409158694048259705388854208, "size": 41, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed 
properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230205 }, { "func": "TEST_P(JSITest, RuntimeTest) {\n auto v = rt.evaluateJavaScript(std::make_unique(\"1\"), \"\");\n EXPECT_EQ(v.getNumber(), 1);\n\n rt.evaluateJavaScript(std::make_unique(\"x = 1\"), \"\");\n EXPECT_EQ(rt.global().getProperty(rt, \"x\").getNumber(), 1);\n}", "project": "hermes", "hash": 188986993291325443922836530282069985159, "size": 7, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230216 }, { "func": "TEST_P(JSITest, JSErrorsCanBeConstructedWithStack) {\n auto err = JSError(rt, \"message\", \"stack\");\n EXPECT_EQ(err.getMessage(), \"message\");\n EXPECT_EQ(err.getStack(), \"stack\");\n}", "project": "hermes", "hash": 52349518197101875292722733944226654112, "size": 5, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230248 }, { "func": "static int __init set_trace_boot_options(char *str)\n{\n\tstrlcpy(trace_boot_options_buf, str, MAX_TRACER_SIZE);\n\treturn 0;\n}", "project": "linux", "hash": 84334999641545002797559807940275058332, "size": 5, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445790 }, { "func": "HttpStateData::processReplyBody()\n{\n if (!flags.headers_parsed) {\n flags.do_next_read = true;\n maybeReadVirginBody();\n return;\n }\n\n#if USE_ADAPTATION\n debugs(11,5, HERE << \"adaptationAccessCheckPending=\" << adaptationAccessCheckPending);\n if (adaptationAccessCheckPending)\n return;\n\n#endif\n\n /*\n * At this point the reply headers have been parsed and consumed.\n * That means header content has been removed from readBuf and\n * it contains only body data.\n */\n if (entry->isAccepting()) {\n if (flags.chunked) {\n if (!decodeAndWriteReplyBody()) {\n flags.do_next_read = false;\n serverComplete();\n return;\n }\n } else\n writeReplyBody();\n }\n\n // storing/sending methods like earlier adaptOrFinalizeReply() or\n // above writeReplyBody() may release/abort the store entry.\n if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) {\n // TODO: In some cases (e.g., 304), we should keep persistent conn open.\n // Detect end-of-reply (and, hence, pool our idle pconn) earlier (ASAP).\n abortTransaction(\"store entry aborted while storing reply\");\n return;\n } else\n switch (persistentConnStatus()) {\n case INCOMPLETE_MSG: {\n debugs(11, 5, \"processReplyBody: INCOMPLETE_MSG from \" << serverConnection);\n /* Wait for more data or EOF condition */\n AsyncCall::Pointer nil;\n if (flags.keepalive_broken) {\n commSetConnTimeout(serverConnection, 10, nil);\n } else {\n commSetConnTimeout(serverConnection, Config.Timeout.read, nil);\n }\n\n flags.do_next_read = true;\n }\n break;\n\n case COMPLETE_PERSISTENT_MSG: {\n debugs(11, 5, \"processReplyBody: 
COMPLETE_PERSISTENT_MSG from \" << serverConnection);\n\n // TODO: Remove serverConnectionSaved but preserve exception safety.\n\n commUnsetConnTimeout(serverConnection);\n flags.do_next_read = false;\n\n comm_remove_close_handler(serverConnection->fd, closeHandler);\n closeHandler = NULL;\n\n Ip::Address client_addr; // XXX: Remove as unused. Why was it added?\n if (request->flags.spoofClientIp)\n client_addr = request->client_addr;\n\n auto serverConnectionSaved = serverConnection;\n fwd->unregister(serverConnection);\n serverConnection = nullptr;\n\n bool ispinned = false; // TODO: Rename to isOrShouldBePinned\n if (request->flags.pinned) {\n ispinned = true;\n } else if (request->flags.connectionAuth && request->flags.authSent) {\n ispinned = true;\n }\n\n if (ispinned) {\n if (request->clientConnectionManager.valid()) {\n CallJobHere1(11, 4, request->clientConnectionManager,\n ConnStateData,\n notePinnedConnectionBecameIdle,\n ConnStateData::PinnedIdleContext(serverConnectionSaved, request));\n } else {\n // must not pool/share ispinned connections, even orphaned ones\n serverConnectionSaved->close();\n }\n } else {\n fwd->pconnPush(serverConnectionSaved, request->url.host());\n }\n\n serverComplete();\n return;\n }\n\n case COMPLETE_NONPERSISTENT_MSG:\n debugs(11, 5, \"processReplyBody: COMPLETE_NONPERSISTENT_MSG from \" << serverConnection);\n if (flags.chunked && !lastChunk)\n entry->lengthWentBad(\"missing last-chunk\");\n\n serverComplete();\n return;\n }\n\n maybeReadVirginBody();\n}", "project": "squid", "hash": 224031886204175678349622289411223218446, "size": 109, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402334 }, { "func": "static void set_error_response(h2_stream *stream, int http_status)\n{\n if (!h2_stream_is_ready(stream)) {\n stream->rtmp->http_status = http_status;\n }\n}", "project": "httpd", "hash": 172068702792085315081162612263931698574, "size": 6, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 1, "dataset": "other", "idx": 198837 }, { "func": "static void set_error_response(h2_stream *stream, int http_status)\n{\n if (!h2_stream_is_ready(stream) && stream->rtmp) {\n stream->rtmp->http_status = http_status;\n }\n}", "project": "httpd", "hash": 163842922705465616802565387268745890925, "size": 6, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284266 }, { "func": "static int insert_pin(\n\tsc_pkcs15_card_t *p15card,\n\tconst char *path,\n\tunsigned char id,\n\tunsigned char auth_id,\n\tunsigned char pin_reference,\n\tint min_length,\n\tconst char *label,\n\tint pin_flags\n){\n\tsc_card_t *card=p15card->card;\n\tsc_context_t *ctx=p15card->card->ctx;\n\tsc_file_t *f = NULL;\n\tstruct sc_pkcs15_auth_info pin_info;\n\tstruct sc_pkcs15_object pin_obj;\n\tint 
r;\n\n\tmemset(&pin_info, 0, sizeof(pin_info));\n\tpin_info.auth_id.len = 1;\n\tpin_info.auth_id.value[0] = id;\n\tpin_info.auth_type = SC_PKCS15_PIN_AUTH_TYPE_PIN;\n\tpin_info.attrs.pin.reference = pin_reference;\n\tpin_info.attrs.pin.flags = pin_flags;\n\tpin_info.attrs.pin.type = SC_PKCS15_PIN_TYPE_ASCII_NUMERIC;\n\tpin_info.attrs.pin.min_length = min_length;\n\tpin_info.attrs.pin.stored_length = 16;\n\tpin_info.attrs.pin.max_length = 16;\n\tpin_info.attrs.pin.pad_char = '\\0';\n\tpin_info.logged_in = SC_PIN_STATE_UNKNOWN;\n\tsc_format_path(path, &pin_info.path);\n\n\tmemset(&pin_obj, 0, sizeof(pin_obj));\n\tstrlcpy(pin_obj.label, label, sizeof(pin_obj.label));\n\tpin_obj.flags = SC_PKCS15_CO_FLAG_MODIFIABLE | SC_PKCS15_CO_FLAG_PRIVATE;\n\tpin_obj.auth_id.len = auth_id ? 0 : 1;\n\tpin_obj.auth_id.value[0] = auth_id;\n\n\tif(card->type == SC_CARD_TYPE_TCOS_V3) {\n\t\tunsigned char buf[256];\n\t\tint i, rec_no=0;\n\t\tif (pin_info.path.len >= 2) {\n\t\t\tpin_info.path.len -= 2;\n\t\t}\n\t\tsc_append_file_id(&pin_info.path, 0x5049);\n\t\tif (sc_select_file(card, &pin_info.path, NULL) != SC_SUCCESS) {\n\t\t\tsc_log(ctx, \n\t\t\t\t\"Select(%s) failed\\n\",\n\t\t\t\tsc_print_path(&pin_info.path));\n\t\t\treturn 1;\n\t\t}\n\t\tsc_log(ctx, \n\t\t\t\"Searching for PIN-Ref %02X\\n\", pin_reference);\n\t\twhile ((r = sc_read_record(card, ++rec_no, buf, sizeof(buf), SC_RECORD_BY_REC_NR)) > 0) {\n\t\t\tint found = 0, fbz = -1;\n\t\t\tif (buf[0] != 0xA0)\n\t\t\t\tcontinue;\n\t\t\tfor (i = 2; i < buf[1] + 2; i += 2 + buf[i + 1]) {\n\t\t\t\tif (buf[i] == 0x83 && buf[i + 1] == 1 && buf[i + 2] == pin_reference) {\n\t\t\t\t\t++found;\n\t\t\t\t}\n\t\t\t\tif (buf[i] == 0x90) {\n\t\t\t\t\tfbz = buf[i + 1 + buf[i + 1]];\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (found) {\n\t\t\t\tpin_info.tries_left = fbz;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (r <= 0) {\n\t\t\tsc_log(ctx, \"No EF_PWDD-Record found\\n\");\n\t\t\treturn 1;\n\t\t}\n\t} else {\n\t\tif (sc_select_file(card, &pin_info.path, &f) != 
SC_SUCCESS\n\t\t\t \t|| !f->prop_attr || f->prop_attr_len < 4){\n\t\t\tsc_log(ctx, \"Select(%s) failed\\n\", path);\n\t\t\tsc_file_free(f);\n\t\t\treturn 1;\n\t\t}\n\t\tpin_info.tries_left = f->prop_attr[3];\n\t\tsc_file_free(f);\n\t}\n\n\tr=sc_pkcs15emu_add_pin_obj(p15card, &pin_obj, &pin_info);\n\tif(r!=SC_SUCCESS){\n\t\tsc_log(ctx, \"sc_pkcs15emu_add_pin_obj(%s) failed\\n\", path);\n\t\treturn 4;\n\t}\n\tsc_log(ctx, \"%s: OK, FBZ=%d\\n\", path, pin_info.tries_left);\n\treturn 0;\n}", "project": "OpenSC", "hash": 106837843557221778698667602114311306154, "size": 92, "commit_id": "5df913b7f57ad89b9832555d24c08d23a534311e", "message": "tcos: Check bounds in insert_pin()\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383", "target": 1, "dataset": "other", "idx": 196754 }, { "func": "static int insert_pin(\n\tsc_pkcs15_card_t *p15card,\n\tconst char *path,\n\tunsigned char id,\n\tunsigned char auth_id,\n\tunsigned char pin_reference,\n\tint min_length,\n\tconst char *label,\n\tint pin_flags\n){\n\tsc_card_t *card=p15card->card;\n\tsc_context_t *ctx=p15card->card->ctx;\n\tsc_file_t *f = NULL;\n\tstruct sc_pkcs15_auth_info pin_info;\n\tstruct sc_pkcs15_object pin_obj;\n\tint r;\n\n\tmemset(&pin_info, 0, sizeof(pin_info));\n\tpin_info.auth_id.len = 1;\n\tpin_info.auth_id.value[0] = id;\n\tpin_info.auth_type = SC_PKCS15_PIN_AUTH_TYPE_PIN;\n\tpin_info.attrs.pin.reference = pin_reference;\n\tpin_info.attrs.pin.flags = pin_flags;\n\tpin_info.attrs.pin.type = SC_PKCS15_PIN_TYPE_ASCII_NUMERIC;\n\tpin_info.attrs.pin.min_length = min_length;\n\tpin_info.attrs.pin.stored_length = 16;\n\tpin_info.attrs.pin.max_length = 16;\n\tpin_info.attrs.pin.pad_char = '\\0';\n\tpin_info.logged_in = SC_PIN_STATE_UNKNOWN;\n\tsc_format_path(path, &pin_info.path);\n\n\tmemset(&pin_obj, 0, sizeof(pin_obj));\n\tstrlcpy(pin_obj.label, label, sizeof(pin_obj.label));\n\tpin_obj.flags = SC_PKCS15_CO_FLAG_MODIFIABLE | SC_PKCS15_CO_FLAG_PRIVATE;\n\tpin_obj.auth_id.len = 
auth_id ? 0 : 1;\n\tpin_obj.auth_id.value[0] = auth_id;\n\n\tif(card->type == SC_CARD_TYPE_TCOS_V3) {\n\t\tunsigned char buf[256];\n\t\tint i, rec_no=0;\n\t\tif (pin_info.path.len >= 2) {\n\t\t\tpin_info.path.len -= 2;\n\t\t}\n\t\tsc_append_file_id(&pin_info.path, 0x5049);\n\t\tif (sc_select_file(card, &pin_info.path, NULL) != SC_SUCCESS) {\n\t\t\tsc_log(ctx, \n\t\t\t\t\"Select(%s) failed\\n\",\n\t\t\t\tsc_print_path(&pin_info.path));\n\t\t\treturn 1;\n\t\t}\n\t\tsc_log(ctx, \n\t\t\t\"Searching for PIN-Ref %02X\\n\", pin_reference);\n\t\twhile ((r = sc_read_record(card, ++rec_no, buf, sizeof(buf), SC_RECORD_BY_REC_NR)) > 0) {\n\t\t\tint found = 0, fbz = -1;\n\t\t\tif (r < 2 || buf[0] != 0xA0)\n\t\t\t\tcontinue;\n\t\t\tfor (i = 2; i < buf[1] + 2 && (i + 2) < r; i += 2 + buf[i + 1]) {\n\t\t\t\tif (buf[i] == 0x83 && buf[i + 1] == 1 && buf[i + 2] == pin_reference) {\n\t\t\t\t\t++found;\n\t\t\t\t}\n\t\t\t\tif (buf[i] == 0x90 && (i + 1 + buf[i + 1]) < r) {\n\t\t\t\t\tfbz = buf[i + 1 + buf[i + 1]];\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (found) {\n\t\t\t\tpin_info.tries_left = fbz;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (r <= 0) {\n\t\t\tsc_log(ctx, \"No EF_PWDD-Record found\\n\");\n\t\t\treturn 1;\n\t\t}\n\t} else {\n\t\tif (sc_select_file(card, &pin_info.path, &f) != SC_SUCCESS\n\t\t\t \t|| !f->prop_attr || f->prop_attr_len < 4){\n\t\t\tsc_log(ctx, \"Select(%s) failed\\n\", path);\n\t\t\tsc_file_free(f);\n\t\t\treturn 1;\n\t\t}\n\t\tpin_info.tries_left = f->prop_attr[3];\n\t\tsc_file_free(f);\n\t}\n\n\tr=sc_pkcs15emu_add_pin_obj(p15card, &pin_obj, &pin_info);\n\tif(r!=SC_SUCCESS){\n\t\tsc_log(ctx, \"sc_pkcs15emu_add_pin_obj(%s) failed\\n\", path);\n\t\treturn 4;\n\t}\n\tsc_log(ctx, \"%s: OK, FBZ=%d\\n\", path, pin_info.tries_left);\n\treturn 0;\n}", "project": "OpenSC", "hash": 53450176173982244017827403871002445488, "size": 92, "commit_id": "5df913b7f57ad89b9832555d24c08d23a534311e", "message": "tcos: Check bounds in insert_pin()\n\nThanks 
oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383", "target": 0, "dataset": "other", "idx": 243958 }, { "func": "static int insert_pin(\n\tsc_pkcs15_card_t *p15card,\n\tconst char *path,\n\tunsigned char id,\n\tunsigned char auth_id,\n\tunsigned char pin_reference,\n\tint min_length,\n\tconst char *label,\n\tint pin_flags\n){\n\tsc_card_t *card=p15card->card;\n\tsc_context_t *ctx=p15card->card->ctx;\n\tsc_file_t *f = NULL;\n\tstruct sc_pkcs15_auth_info pin_info;\n\tstruct sc_pkcs15_object pin_obj;\n\tint r;\n\n\tmemset(&pin_info, 0, sizeof(pin_info));\n\tpin_info.auth_id.len = 1;\n\tpin_info.auth_id.value[0] = id;\n\tpin_info.auth_type = SC_PKCS15_PIN_AUTH_TYPE_PIN;\n\tpin_info.attrs.pin.reference = pin_reference;\n\tpin_info.attrs.pin.flags = pin_flags;\n\tpin_info.attrs.pin.type = SC_PKCS15_PIN_TYPE_ASCII_NUMERIC;\n\tpin_info.attrs.pin.min_length = min_length;\n\tpin_info.attrs.pin.stored_length = 16;\n\tpin_info.attrs.pin.max_length = 16;\n\tpin_info.attrs.pin.pad_char = '\\0';\n\tpin_info.logged_in = SC_PIN_STATE_UNKNOWN;\n\tsc_format_path(path, &pin_info.path);\n\n\tmemset(&pin_obj, 0, sizeof(pin_obj));\n\tstrlcpy(pin_obj.label, label, sizeof(pin_obj.label));\n\tpin_obj.flags = SC_PKCS15_CO_FLAG_MODIFIABLE | SC_PKCS15_CO_FLAG_PRIVATE;\n\tpin_obj.auth_id.len = auth_id ? 
0 : 1;\n\tpin_obj.auth_id.value[0] = auth_id;\n\n\tif(card->type==SC_CARD_TYPE_TCOS_V3){\n\t\tunsigned char buf[256];\n\t\tint i, rec_no=0;\n\t\tif(pin_info.path.len>=2) pin_info.path.len-=2;\n\t\tsc_append_file_id(&pin_info.path, 0x5049);\n\t\tif(sc_select_file(card, &pin_info.path, NULL)!=SC_SUCCESS){\n\t\t\tsc_log(ctx, \n\t\t\t\t\"Select(%s) failed\\n\",\n\t\t\t\tsc_print_path(&pin_info.path));\n\t\t\treturn 1;\n\t\t}\n\t\tsc_log(ctx, \n\t\t\t\"Searching for PIN-Ref %02X\\n\", pin_reference);\n\t\twhile((r=sc_read_record(card, ++rec_no, buf, sizeof(buf), SC_RECORD_BY_REC_NR))>0){\n\t\t\tint found=0, fbz=-1;\n\t\t\tif(buf[0]!=0xA0) continue;\n\t\t\tfor(i=2;iprop_attr || f->prop_attr_len < 4){\n\t\t\tsc_log(ctx, \"Select(%s) failed\\n\", path);\n\t\t\tsc_file_free(f);\n\t\t\treturn 1;\n\t\t}\n\t\tpin_info.tries_left=f->prop_attr[3];\n\t\tsc_file_free(f);\n\t}\n\n\tr=sc_pkcs15emu_add_pin_obj(p15card, &pin_obj, &pin_info);\n\tif(r!=SC_SUCCESS){\n\t\tsc_log(ctx, \"sc_pkcs15emu_add_pin_obj(%s) failed\\n\", path);\n\t\treturn 4;\n\t}\n\tsc_log(ctx, \"%s: OK, FBZ=%d\\n\", path, pin_info.tries_left);\n\treturn 0;\n}", "project": "OpenSC", "hash": 976335053101857493646475028791431093, "size": 83, "commit_id": "78cdab949f098ad7e593d853229fccf57d749d0c", "message": "tcos: prevent out of bounds read\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27719", "target": 0, "dataset": "other", "idx": 250043 }, { "func": "}\n\nstatic int\niscsi_set_path(struct iscsi_transport *transport, struct iscsi_uevent *ev)\n{\n\tstruct Scsi_Host *shost;\n\tstruct iscsi_path *params;\n\tint err;\n\n\tif (!transport->set_path)\n\t\treturn -ENOSYS;\n\n\tshost = scsi_host_lookup(ev->u.set_path.host_no);\n\tif (!shost) {\n\t\tprintk(KERN_ERR \"set path could not find host no %u\\n\",\n\t\t ev->u.set_path.host_no);\n\t\treturn -ENODEV;\n\t}\n\n\tparams = (struct iscsi_path *)((char *)ev + sizeof(*ev));\n\terr = transport->set_path(shost, params);\n", "project": "linux", 
"hash": 272925631916991135358790037992257105316, "size": 22, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379974 }, { "func": "int gdImageColorAllocateAlpha (gdImagePtr im, int r, int g, int b, int a)\n{\n\tint i;\n\tint ct = (-1);\n\tif (im->trueColor) {\n\t\treturn gdTrueColorAlpha(r, g, b, a);\n\t}\n\tfor (i = 0; i < im->colorsTotal; i++) {\n\t\tif (im->open[i]) {\n\t\t\tct = i;\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (ct == (-1)) {\n\t\tct = im->colorsTotal;\n\t\tif (ct == gdMaxColors) {\n\t\t\treturn -1;\n\t\t}\n\t\tim->colorsTotal++;\n\t}\n\tim->red[ct] = r;\n\tim->green[ct] = g;\n\tim->blue[ct] = b;\n\tim->alpha[ct] = a;\n\tim->open[ct] = 0;\n\n\treturn ct;\n}", "project": "php-src", "hash": 327391666288773642127998737022373410636, "size": 28, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295176 }, { "func": "static int _nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,\n\t\tstruct nfs_pathconf *pathconf)\n{\n\tstruct nfs4_pathconf_arg args = {\n\t\t.fh = fhandle,\n\t\t.bitmask = server->attr_bitmask,\n\t};\n\tstruct nfs4_pathconf_res res = {\n\t\t.pathconf = pathconf,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_PATHCONF],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t};\n\n\t/* None of the pathconf attributes are mandatory to implement */\n\tif 
((args.bitmask[0] & nfs4_pathconf_bitmap[0]) == 0) {\n\t\tmemset(pathconf, 0, sizeof(*pathconf));\n\t\treturn 0;\n\t}\n\n\tnfs_fattr_init(pathconf->fattr);\n\treturn nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);\n}", "project": "linux", "hash": 146293222919429404783647269824049171155, "size": 25, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431138 }, { "func": "static int ca8210_set_hw_addr_filt(\n\tstruct ieee802154_hw *hw,\n\tstruct ieee802154_hw_addr_filt *filt,\n\tunsigned long changed\n)\n{\n\tu8 status = 0;\n\tstruct ca8210_priv *priv = hw->priv;\n\n\tif (changed & IEEE802154_AFILT_PANID_CHANGED) {\n\t\tstatus = mlme_set_request_sync(\n\t\t\tMAC_PAN_ID,\n\t\t\t0,\n\t\t\t2,\n\t\t\t&filt->pan_id, priv->spi\n\t\t);\n\t\tif (status) {\n\t\t\tdev_err(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"error setting pan id, MLME-SET.confirm status = %d\",\n\t\t\t\tstatus\n\t\t\t);\n\t\t\treturn link_to_linux_err(status);\n\t\t}\n\t}\n\tif (changed & IEEE802154_AFILT_SADDR_CHANGED) {\n\t\tstatus = mlme_set_request_sync(\n\t\t\tMAC_SHORT_ADDRESS,\n\t\t\t0,\n\t\t\t2,\n\t\t\t&filt->short_addr, priv->spi\n\t\t);\n\t\tif (status) {\n\t\t\tdev_err(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"error setting short address, MLME-SET.confirm status = %d\",\n\t\t\t\tstatus\n\t\t\t);\n\t\t\treturn link_to_linux_err(status);\n\t\t}\n\t}\n\tif (changed & IEEE802154_AFILT_IEEEADDR_CHANGED) {\n\t\tstatus = mlme_set_request_sync(\n\t\t\tNS_IEEE_ADDRESS,\n\t\t\t0,\n\t\t\t8,\n\t\t\t&filt->ieee_addr,\n\t\t\tpriv->spi\n\t\t);\n\t\tif (status) 
{\n\t\t\tdev_err(\n\t\t\t\t&priv->spi->dev,\n\t\t\t\t\"error setting ieee address, MLME-SET.confirm status = %d\",\n\t\t\t\tstatus\n\t\t\t);\n\t\t\treturn link_to_linux_err(status);\n\t\t}\n\t}\n\t/* TODO: Should use MLME_START to set coord bit? */\n\treturn 0;\n}", "project": "linux", "hash": 291656240739710602730738959100376118999, "size": 61, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408818 }, { "func": "static void decode_block(uint8_t *src, uint8_t *dest, unsigned size,\n uint32_t key, uint32_t *key_ptr,\n int align)\n{\n unsigned s = size;\n char tmp[4];\n int a2;\n\n if (!size)\n return;\n\n align &= 3;\n a2 = (4 - align) & 3;\n\n if (align) {\n uint32_t tmpkey = *key_ptr - key;\n if (a2 > s) {\n a2 = s;\n avpriv_request_sample(NULL, \"tiny aligned block\");\n }\n memcpy(tmp + align, src, a2);\n xor_block(tmp, tmp, 4, key, &tmpkey);\n memcpy(dest, tmp + align, a2);\n s -= a2;\n }\n\n if (s >= 4) {\n xor_block(src + a2, dest + a2, s & ~3,\n key, key_ptr);\n s &= 3;\n }\n\n if (s) {\n size -= s;\n memcpy(tmp, src + size, s);\n xor_block(&tmp, &tmp, 4, key, key_ptr);\n memcpy(dest + size, tmp, s);\n }\n}", "project": "FFmpeg", "hash": 5573562816272039525247888972519584816, "size": 39, "commit_id": "27a99e2c7d450fef15594671eef4465c8a166bd7", "message": "avformat/vividas: improve extradata packing checks in track_header()\n\nFixes: out of array accesses\nFixes: 26622/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-6581200338288640\n\nFound-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg\nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 244423 }, { "func": "static int decode_block(AVCodecContext *avctx, void *tdata,\n int jobnr, int threadnr)\n{\n EXRContext *s = avctx->priv_data;\n AVFrame *const p = s->picture;\n EXRThreadData *td = &s->thread_data[threadnr];\n const uint8_t *channel_buffer[4] = { 0 };\n const uint8_t *buf = s->buf;\n uint64_t line_offset, uncompressed_size;\n uint8_t *ptr;\n uint32_t data_size;\n int line, col = 0;\n uint64_t tile_x, tile_y, tile_level_x, tile_level_y;\n const uint8_t *src;\n int step = s->desc->flags & AV_PIX_FMT_FLAG_FLOAT ? 4 : 2 * s->desc->nb_components;\n int bxmin = 0, axmax = 0, window_xoffset = 0;\n int window_xmin, window_xmax, window_ymin, window_ymax;\n int data_xoffset, data_yoffset, data_window_offset, xsize, ysize;\n int i, x, buf_size = s->buf_size;\n int c, rgb_channel_count;\n float one_gamma = 1.0f / s->gamma;\n avpriv_trc_function trc_func = avpriv_get_trc_function_from_trc(s->apply_trc_type);\n int ret;\n\n line_offset = AV_RL64(s->gb.buffer + jobnr * 8);\n\n if (s->is_tile) {\n if (buf_size < 20 || line_offset > buf_size - 20)\n return AVERROR_INVALIDDATA;\n\n src = buf + line_offset + 20;\n if (s->is_multipart)\n src += 4;\n\n tile_x = AV_RL32(src - 20);\n tile_y = AV_RL32(src - 16);\n tile_level_x = AV_RL32(src - 12);\n tile_level_y = AV_RL32(src - 8);\n\n data_size = AV_RL32(src - 4);\n if (data_size <= 0 || data_size > buf_size - line_offset - 20)\n return AVERROR_INVALIDDATA;\n\n if (tile_level_x || tile_level_y) { /* tile level, is not the full res level */\n avpriv_report_missing_feature(s->avctx, \"Subres tile before full res tile\");\n return AVERROR_PATCHWELCOME;\n }\n\n if (tile_x && s->tile_attr.xSize + (int64_t)FFMAX(s->xmin, 0) >= INT_MAX / tile_x )\n return AVERROR_INVALIDDATA;\n if (tile_y && s->tile_attr.ySize + (int64_t)FFMAX(s->ymin, 0) >= INT_MAX / tile_y )\n return 
AVERROR_INVALIDDATA;\n\n line = s->ymin + s->tile_attr.ySize * tile_y;\n col = s->tile_attr.xSize * tile_x;\n\n if (line < s->ymin || line > s->ymax ||\n s->xmin + col < s->xmin || s->xmin + col > s->xmax)\n return AVERROR_INVALIDDATA;\n\n td->ysize = FFMIN(s->tile_attr.ySize, s->ydelta - tile_y * s->tile_attr.ySize);\n td->xsize = FFMIN(s->tile_attr.xSize, s->xdelta - tile_x * s->tile_attr.xSize);\n\n if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)\n return AVERROR_INVALIDDATA;\n\n td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */\n uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */\n } else {\n if (buf_size < 8 || line_offset > buf_size - 8)\n return AVERROR_INVALIDDATA;\n\n src = buf + line_offset + 8;\n if (s->is_multipart)\n src += 4;\n line = AV_RL32(src - 8);\n\n if (line < s->ymin || line > s->ymax)\n return AVERROR_INVALIDDATA;\n\n data_size = AV_RL32(src - 4);\n if (data_size <= 0 || data_size > buf_size - line_offset - 8)\n return AVERROR_INVALIDDATA;\n\n td->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? 
*/\n td->xsize = s->xdelta;\n\n if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)\n return AVERROR_INVALIDDATA;\n\n td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */\n uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */\n\n if ((s->compression == EXR_RAW && (data_size != uncompressed_size ||\n line_offset > buf_size - uncompressed_size)) ||\n (s->compression != EXR_RAW && (data_size > uncompressed_size ||\n line_offset > buf_size - data_size))) {\n return AVERROR_INVALIDDATA;\n }\n }\n\n window_xmin = FFMIN(avctx->width, FFMAX(0, s->xmin + col));\n window_xmax = FFMIN(avctx->width, FFMAX(0, s->xmin + col + td->xsize));\n window_ymin = FFMIN(avctx->height, FFMAX(0, line ));\n window_ymax = FFMIN(avctx->height, FFMAX(0, line + td->ysize));\n xsize = window_xmax - window_xmin;\n ysize = window_ymax - window_ymin;\n\n /* tile or scanline not visible skip decoding */\n if (xsize <= 0 || ysize <= 0)\n return 0;\n\n /* is the first tile or is a scanline */\n if(col == 0) {\n window_xmin = 0;\n /* pixels to add at the left of the display window */\n window_xoffset = FFMAX(0, s->xmin);\n /* bytes to add at the left of the display window */\n bxmin = window_xoffset * step;\n }\n\n /* is the last tile or is a scanline */\n if(col + td->xsize == s->xdelta) {\n window_xmax = avctx->width;\n /* bytes to add at the right of the display window */\n axmax = FFMAX(0, (avctx->width - (s->xmax + 1))) * step;\n }\n\n if (data_size < uncompressed_size || s->is_tile) { /* td->tmp is use for tile reorganization */\n av_fast_padded_malloc(&td->tmp, &td->tmp_size, uncompressed_size);\n if (!td->tmp)\n return AVERROR(ENOMEM);\n }\n\n if (data_size < uncompressed_size) {\n av_fast_padded_malloc(&td->uncompressed_data,\n &td->uncompressed_size, uncompressed_size + 64);/* Force 64 padding for AVX2 reorder_pixels dst */\n\n if (!td->uncompressed_data)\n return AVERROR(ENOMEM);\n\n ret = 
AVERROR_INVALIDDATA;\n switch (s->compression) {\n case EXR_ZIP1:\n case EXR_ZIP16:\n ret = zip_uncompress(s, src, data_size, uncompressed_size, td);\n break;\n case EXR_PIZ:\n ret = piz_uncompress(s, src, data_size, uncompressed_size, td);\n break;\n case EXR_PXR24:\n ret = pxr24_uncompress(s, src, data_size, uncompressed_size, td);\n break;\n case EXR_RLE:\n ret = rle_uncompress(s, src, data_size, uncompressed_size, td);\n break;\n case EXR_B44:\n case EXR_B44A:\n ret = b44_uncompress(s, src, data_size, uncompressed_size, td);\n break;\n case EXR_DWAA:\n case EXR_DWAB:\n ret = dwa_uncompress(s, src, data_size, uncompressed_size, td);\n break;\n }\n if (ret < 0) {\n av_log(avctx, AV_LOG_ERROR, \"decode_block() failed.\\n\");\n return ret;\n }\n src = td->uncompressed_data;\n }\n\n /* offsets to crop data outside display window */\n data_xoffset = FFABS(FFMIN(0, s->xmin + col)) * (s->pixel_type == EXR_HALF ? 2 : 4);\n data_yoffset = FFABS(FFMIN(0, line));\n data_window_offset = (data_yoffset * td->channel_line_size) + data_xoffset;\n\n if (!s->is_luma) {\n channel_buffer[0] = src + (td->xsize * s->channel_offsets[0]) + data_window_offset;\n channel_buffer[1] = src + (td->xsize * s->channel_offsets[1]) + data_window_offset;\n channel_buffer[2] = src + (td->xsize * s->channel_offsets[2]) + data_window_offset;\n rgb_channel_count = 3;\n } else { /* put y data in the first channel_buffer */\n channel_buffer[0] = src + (td->xsize * s->channel_offsets[1]) + data_window_offset;\n rgb_channel_count = 1;\n }\n if (s->channel_offsets[3] >= 0)\n channel_buffer[3] = src + (td->xsize * s->channel_offsets[3]) + data_window_offset;\n\n if (s->desc->flags & AV_PIX_FMT_FLAG_FLOAT) {\n /* todo: change this when a floating point pixel format with luma with alpha is implemented */\n int channel_count = s->channel_offsets[3] >= 0 ? 
4 : rgb_channel_count;\n if (s->is_luma) {\n channel_buffer[1] = channel_buffer[0];\n channel_buffer[2] = channel_buffer[0];\n }\n\n for (c = 0; c < channel_count; c++) {\n int plane = s->desc->comp[c].plane;\n ptr = p->data[plane] + window_ymin * p->linesize[plane] + (window_xmin * 4);\n\n for (i = 0; i < ysize; i++, ptr += p->linesize[plane]) {\n const uint8_t *src;\n union av_intfloat32 *ptr_x;\n\n src = channel_buffer[c];\n ptr_x = (union av_intfloat32 *)ptr;\n\n // Zero out the start if xmin is not 0\n memset(ptr_x, 0, bxmin);\n ptr_x += window_xoffset;\n\n if (s->pixel_type == EXR_FLOAT ||\n s->compression == EXR_DWAA ||\n s->compression == EXR_DWAB) {\n // 32-bit\n union av_intfloat32 t;\n if (trc_func && c < 3) {\n for (x = 0; x < xsize; x++) {\n t.i = bytestream_get_le32(&src);\n t.f = trc_func(t.f);\n *ptr_x++ = t;\n }\n } else if (one_gamma != 1.f) {\n for (x = 0; x < xsize; x++) {\n t.i = bytestream_get_le32(&src);\n if (t.f > 0.0f && c < 3) /* avoid negative values */\n t.f = powf(t.f, one_gamma);\n *ptr_x++ = t;\n }\n } else {\n for (x = 0; x < xsize; x++) {\n t.i = bytestream_get_le32(&src);\n *ptr_x++ = t;\n }\n }\n } else if (s->pixel_type == EXR_HALF) {\n // 16-bit\n if (c < 3 || !trc_func) {\n for (x = 0; x < xsize; x++) {\n *ptr_x++ = s->gamma_table[bytestream_get_le16(&src)];\n }\n } else {\n for (x = 0; x < xsize; x++) {\n ptr_x[0].i = half2float(bytestream_get_le16(&src),\n s->mantissatable,\n s->exponenttable,\n s->offsettable);\n ptr_x++;\n }\n }\n }\n\n // Zero out the end if xmax+1 is not w\n memset(ptr_x, 0, axmax);\n channel_buffer[c] += td->channel_line_size;\n }\n }\n } else {\n\n av_assert1(s->pixel_type == EXR_UINT);\n ptr = p->data[0] + window_ymin * p->linesize[0] + (window_xmin * s->desc->nb_components * 2);\n\n for (i = 0; i < ysize; i++, ptr += p->linesize[0]) {\n\n const uint8_t * a;\n const uint8_t *rgb[3];\n uint16_t *ptr_x;\n\n for (c = 0; c < rgb_channel_count; c++) {\n rgb[c] = channel_buffer[c];\n }\n\n if 
(channel_buffer[3])\n a = channel_buffer[3];\n\n ptr_x = (uint16_t *) ptr;\n\n // Zero out the start if xmin is not 0\n memset(ptr_x, 0, bxmin);\n ptr_x += window_xoffset * s->desc->nb_components;\n\n for (x = 0; x < xsize; x++) {\n for (c = 0; c < rgb_channel_count; c++) {\n *ptr_x++ = bytestream_get_le32(&rgb[c]) >> 16;\n }\n\n if (channel_buffer[3])\n *ptr_x++ = bytestream_get_le32(&a) >> 16;\n }\n\n // Zero out the end if xmax+1 is not w\n memset(ptr_x, 0, axmax);\n\n channel_buffer[0] += td->channel_line_size;\n channel_buffer[1] += td->channel_line_size;\n channel_buffer[2] += td->channel_line_size;\n if (channel_buffer[3])\n channel_buffer[3] += td->channel_line_size;\n }\n }\n\n return 0;\n}", "project": "FFmpeg", "hash": 301334367618255423828978014207741940057, "size": 304, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262675 }, { "func": "static int hidinput_setup_battery(struct hid_device *dev, unsigned report_type,\n\t\t\t\t struct hid_field *field)\n{\n\treturn 0;\n}", "project": "linux", "hash": 325980479648708216684315060680565626828, "size": 5, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted 
inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458339 }, { "func": "static int hidinput_setup_battery(struct hid_device *dev, unsigned report_type, struct hid_field *field)\n{\n\tstruct power_supply_desc *psy_desc;\n\tstruct power_supply_config psy_cfg = { .drv_data = dev, };\n\tunsigned quirks;\n\ts32 min, max;\n\tint error;\n\n\tif (dev->battery)\n\t\treturn 0;\t/* already initialized? */\n\n\tquirks = find_battery_quirk(dev);\n\n\thid_dbg(dev, \"device %x:%x:%x %d quirks %d\\n\",\n\t\tdev->bus, dev->vendor, dev->product, dev->version, quirks);\n\n\tif (quirks & HID_BATTERY_QUIRK_IGNORE)\n\t\treturn 0;\n\n\tpsy_desc = kzalloc(sizeof(*psy_desc), GFP_KERNEL);\n\tif (!psy_desc)\n\t\treturn -ENOMEM;\n\n\tpsy_desc->name = kasprintf(GFP_KERNEL, \"hid-%s-battery\",\n\t\t\t\t strlen(dev->uniq) ?\n\t\t\t\t\tdev->uniq : dev_name(&dev->dev));\n\tif (!psy_desc->name) {\n\t\terror = -ENOMEM;\n\t\tgoto err_free_mem;\n\t}\n\n\tpsy_desc->type = POWER_SUPPLY_TYPE_BATTERY;\n\tpsy_desc->properties = hidinput_battery_props;\n\tpsy_desc->num_properties = ARRAY_SIZE(hidinput_battery_props);\n\tpsy_desc->use_for_apm = 0;\n\tpsy_desc->get_property = hidinput_get_battery_property;\n\n\tmin = field->logical_minimum;\n\tmax = field->logical_maximum;\n\n\tif (quirks & HID_BATTERY_QUIRK_PERCENT) {\n\t\tmin = 0;\n\t\tmax = 100;\n\t}\n\n\tif (quirks & HID_BATTERY_QUIRK_FEATURE)\n\t\treport_type = HID_FEATURE_REPORT;\n\n\tdev->battery_min = min;\n\tdev->battery_max = max;\n\tdev->battery_report_type = report_type;\n\tdev->battery_report_id = field->report->id;\n\n\t/*\n\t * Stylus is normally not connected to the device and thus we\n\t * can't query the device and get meaningful battery strength.\n\t * We have to wait for the device to report it on its own.\n\t */\n\tdev->battery_avoid_query = report_type == HID_INPUT_REPORT 
&&\n\t\t\t\t field->physical == HID_DG_STYLUS;\n\n\tdev->battery = power_supply_register(&dev->dev, psy_desc, &psy_cfg);\n\tif (IS_ERR(dev->battery)) {\n\t\terror = PTR_ERR(dev->battery);\n\t\thid_warn(dev, \"can't register power supply: %d\\n\", error);\n\t\tgoto err_free_name;\n\t}\n\n\tpower_supply_powers(dev->battery, &dev->dev);\n\treturn 0;\n\nerr_free_name:\n\tkfree(psy_desc->name);\nerr_free_mem:\n\tkfree(psy_desc);\n\tdev->battery = NULL;\n\treturn error;\n}", "project": "linux", "hash": 264867689079525446435681783890199701869, "size": 78, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458342 }, { "func": " Item_return_int(THD *thd, const char *name_arg, uint length,\n\t\t enum_field_types field_type_arg, longlong value_arg= 0):\n Item_int(thd, name_arg, value_arg, length), int_field_type(field_type_arg)\n {\n unsigned_flag=1;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 156878094022832421897160937135367339164, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could 
manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509186 }, { "func": "static void tipc_node_mcast_rcv(struct tipc_node *n)\n{\n\tstruct tipc_bclink_entry *be = &n->bc_entry;\n\n\t/* 'arrvq' is under inputq2's lock protection */\n\tspin_lock_bh(&be->inputq2.lock);\n\tspin_lock_bh(&be->inputq1.lock);\n\tskb_queue_splice_tail_init(&be->inputq1, &be->arrvq);\n\tspin_unlock_bh(&be->inputq1.lock);\n\tspin_unlock_bh(&be->inputq2.lock);\n\ttipc_sk_mcast_rcv(n->net, &be->arrvq, &be->inputq2);\n}", "project": "linux", "hash": 308157590777822238548997077590921389091, "size": 12, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware 
name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 
0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364923 }, { "func": "static bool copy_blobs(Field **ptr)\n{\n for (; *ptr ; ptr++)\n {\n if ((*ptr)->flags & BLOB_FLAG)\n if (((Field_blob *) (*ptr))->copy())\n\treturn 1;\t\t\t\t// Error\n }\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 82278544047482172817657318101126150979, "size": 10, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508500 }, { "func": "static inline u32 perf_flags_from_msr(struct pt_regs *regs)\n{\n\tif (regs->msr & MSR_PR)\n\t\treturn PERF_RECORD_MISC_USER;\n\tif ((regs->msr & MSR_HV) && freeze_events_kernel != MMCR0_FCHV)\n\t\treturn PERF_RECORD_MISC_HYPERVISOR;\n\treturn PERF_RECORD_MISC_KERNEL;\n}", "project": "linux", "hash": 307851660071047829526692626960821726669, "size": 8, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374719 }, { "func": "static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\t__u8 param;\n\tvoid *sent;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);\n\tif (!sent)\n\t\treturn;\n\n\tparam = *((__u8 *) sent);\n\n\tif (param)\n\t\tset_bit(HCI_ENCRYPT, &hdev->flags);\n\telse\n\t\tclear_bit(HCI_ENCRYPT, &hdev->flags);\n}", "project": "linux", "hash": 239294746249494755693510814613916170407, "size": 22, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431964 }, { "func": "static void __split_huge_zero_page_pmd(struct vm_area_struct *vma,\n\t\tunsigned long haddr, pmd_t *pmd)\n{\n\tstruct mm_struct *mm = vma->vm_mm;\n\tpgtable_t pgtable;\n\tpmd_t _pmd;\n\tint i;\n\n\t/*\n\t * Leave pmd empty until pte is filled note that it is fine to delay\n\t * notification until mmu_notifier_invalidate_range_end() as we are\n\t * replacing a zero pmd write protected page with a zero pte write\n\t * protected page.\n\t *\n\t * See Documentation/vm/mmu_notifier.rst\n\t */\n\tpmdp_huge_clear_flush(vma, haddr, pmd);\n\n\tpgtable = pgtable_trans_huge_withdraw(mm, pmd);\n\tpmd_populate(mm, &_pmd, pgtable);\n\n\tfor (i = 0; i < HPAGE_PMD_NR; i++, haddr += PAGE_SIZE) {\n\t\tpte_t *pte, entry;\n\t\tentry = pfn_pte(my_zero_pfn(haddr), vma->vm_page_prot);\n\t\tentry = pte_mkspecial(entry);\n\t\tpte = pte_offset_map(&_pmd, haddr);\n\t\tVM_BUG_ON(!pte_none(*pte));\n\t\tset_pte_at(mm, haddr, pte, entry);\n\t\tpte_unmap(pte);\n\t}\n\tsmp_wmb(); /* make pte visible before pmd */\n\tpmd_populate(mm, pmd, pgtable);\n}", "project": "linux", "hash": 167667627358408620716613873405738708940, "size": 33, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. 
This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. 
Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364191 }, { "func": "static void tcp_clear_retrans_partial(struct tcp_sock *tp)\n{\n\ttp->retrans_out = 0;\n\ttp->lost_out = 0;\n\n\ttp->undo_marker = 0;\n\ttp->undo_retrans = 0;\n}", "project": "net-next", "hash": 158344179486566960822105753279255072153, "size": 8, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409847 }, { "func": "bool CWebSock::OnLogin(const CString& sUser, const CString& sPass,\n bool bBasic) {\n DEBUG(\"=================== CWebSock::OnLogin(), basic auth? \"\n << std::boolalpha << bBasic);\n m_spAuth = std::make_shared(this, sUser, sPass, bBasic);\n\n // Some authentication module could need some time, block this socket\n // until then. 
CWebAuth will UnPauseRead().\n PauseRead();\n CZNC::Get().AuthUser(m_spAuth);\n\n // If CWebAuth already set this, don't change it.\n return IsLoggedIn();\n}", "project": "znc", "hash": 183306826899786647620772251680313214811, "size": 14, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265769 }, { "func": "const char *h2_stream_state_str(h2_stream *stream) \n{\n return h2_ss_str(stream->state);\n}", "project": "httpd", "hash": 336368397962881884107635726693509779694, "size": 4, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284233 }, { "func": "void _php_import_environment_variables(zval *array_ptr)\n{\n\tchar buf[128];\n\tchar **env, *p, *t = buf;\n\tsize_t alloc_size = sizeof(buf);\n\tunsigned long nlen; /* ptrdiff_t is not portable */\n\n\tfor (env = environ; env != NULL && *env != NULL; env++) {\n\t\tp = strchr(*env, '=');\n\t\tif (!p) {\t\t\t\t/* malformed entry? */\n\t\t\tcontinue;\n\t\t}\n\t\tnlen = p - *env;\n\t\tif (nlen >= alloc_size) {\n\t\t\talloc_size = nlen + 64;\n\t\t\tt = (t == buf ? 
emalloc(alloc_size): erealloc(t, alloc_size));\n\t\t}\n\t\tmemcpy(t, *env, nlen);\n\t\tt[nlen] = '\\0';\n\t\tphp_register_variable(t, p + 1, array_ptr);\n\t}\n\tif (t != buf && t != NULL) {\n\t\tefree(t);\n\t}\n}", "project": "php-src", "hash": 183779829798899847416085226631109880807, "size": 25, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374971 }, { "func": "static int sctp_copy_laddrs(struct sock *sk, __u16 port, void *to,\n\t\t\t size_t space_left, int *bytes_copied)\n{\n\tstruct sctp_sockaddr_entry *addr;\n\tunion sctp_addr temp;\n\tint cnt = 0;\n\tint addrlen;\n\tstruct net *net = sock_net(sk);\n\n\trcu_read_lock();\n\tlist_for_each_entry_rcu(addr, &net->sctp.local_addr_list, list) {\n\t\tif (!addr->valid)\n\t\t\tcontinue;\n\n\t\tif ((PF_INET == sk->sk_family) &&\n\t\t (AF_INET6 == addr->a.sa.sa_family))\n\t\t\tcontinue;\n\t\tif ((PF_INET6 == sk->sk_family) &&\n\t\t inet_v6_ipv6only(sk) &&\n\t\t (AF_INET == addr->a.sa.sa_family))\n\t\t\tcontinue;\n\t\tmemcpy(&temp, &addr->a, sizeof(temp));\n\t\tif (!temp.v4.sin_port)\n\t\t\ttemp.v4.sin_port = htons(port);\n\n\t\taddrlen = sctp_get_pf_specific(sk->sk_family)\n\t\t\t ->addr_to_user(sctp_sk(sk), &temp);\n\n\t\tif (space_left < addrlen) {\n\t\t\tcnt = -ENOMEM;\n\t\t\tbreak;\n\t\t}\n\t\tmemcpy(to, &temp, addrlen);\n\n\t\tto += addrlen;\n\t\tcnt++;\n\t\tspace_left -= addrlen;\n\t\t*bytes_copied += addrlen;\n\t}\n\trcu_read_unlock();\n\n\treturn cnt;\n}", "project": "linux", "hash": 312315000186063156170367202151427926725, "size": 43, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. 
In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398198 }, { "func": "\nstatic void io_rsrc_node_switch(struct io_ring_ctx *ctx,\n\t\t\t\tstruct io_rsrc_data *data_to_kill)\n{\n\tWARN_ON_ONCE(!ctx->rsrc_backup_node);\n\tWARN_ON_ONCE(data_to_kill && !ctx->rsrc_node);\n\n\tif (data_to_kill) {\n\t\tstruct io_rsrc_node *rsrc_node = ctx->rsrc_node;\n\n\t\trsrc_node->rsrc_data = data_to_kill;\n\t\tio_rsrc_ref_lock(ctx);\n\t\tlist_add_tail(&rsrc_node->node, &ctx->rsrc_ref_list);\n\t\tio_rsrc_ref_unlock(ctx);\n\n\t\tatomic_inc(&data_to_kill->refs);\n\t\tpercpu_ref_kill(&rsrc_node->refs);\n\t\tctx->rsrc_node = NULL;\n\t}\n\n\tif (!ctx->rsrc_node) {\n\t\tctx->rsrc_node = ctx->rsrc_backup_node;\n\t\tctx->rsrc_backup_node = NULL;\n\t}", "project": "linux", "hash": 252102489337426802523081645456952007698, "size": 24, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338593 }, { "func": "bool cond_is_datetime_is_null(Item *cond)\n{\n if (cond->type() == Item::FUNC_ITEM &&\n ((Item_func*) cond)->functype() == Item_func::ISNULL_FUNC)\n {\n return ((Item_func_isnull*) cond)->arg_is_datetime_notnull_field();\n }\n return false;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 3933408599222017165662650110784266764, "size": 9, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508739 }, { "func": "static int fault_in_user_writeable(u32 __user *uaddr)\n{\n\tstruct mm_struct *mm = current->mm;\n\tint ret;\n\n\tdown_read(&mm->mmap_sem);\n\tret = get_user_pages(current, mm, (unsigned long)uaddr,\n\t\t\t 1, 1, 0, NULL, NULL);\n\tup_read(&mm->mmap_sem);\n\n\treturn ret < 0 ? ret : 0;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 38768573150625649132638947447000086214, "size": 12, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492316 }, { "func": "EXPORT_SYMBOL_GPL(iscsi_ping_comp_event);\n\nstatic int\niscsi_if_send_reply(u32 portid, int type, void *payload, int size)\n{\n\tstruct sk_buff\t*skb;\n\tstruct nlmsghdr\t*nlh;\n\tint len = nlmsg_total_size(size);\n\n\tskb = alloc_skb(len, GFP_ATOMIC);\n\tif (!skb) {\n\t\tprintk(KERN_ERR \"Could not allocate skb to send reply.\\n\");\n\t\treturn -ENOMEM;\n\t}\n\n\tnlh = __nlmsg_put(skb, 0, 0, type, (len - sizeof(*nlh)), 0);", "project": "linux", "hash": 150888655835956495059546314051666127565, "size": 16, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379911 }, { "func": "static int snappy_wrap_compress(const char* input, size_t input_length,\n char* output, size_t maxout) {\n snappy_status status;\n size_t cl = maxout;\n status = snappy_compress(input, input_length, output, &cl);\n if (status != SNAPPY_OK) {\n return 0;\n }\n return (int)cl;\n}", "project": "c-blosc2", "hash": 278726202789329974786188865742742370144, "size": 10, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303067 }, { "func": "static void nfs4_zap_acl_attr(struct inode *inode)\n{\n\tnfs4_set_cached_acl(inode, NULL);\n}", "project": "linux", "hash": 156248822474773881434718358367485301137, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431590 }, { "func": "void imap_hcache_close(struct ImapMboxData *mdata)\n{\n if (!mdata->hcache)\n return;\n\n mutt_hcache_close(mdata->hcache);\n mdata->hcache = NULL;\n}", "project": "neomutt", "hash": 163509708863398297158952717594910440327, "size": 8, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. 
In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399296 }, { "func": "static void sp_free(struct sp_node *n)\n{\n\tmpol_put(n->policy);\n\tkmem_cache_free(sn_cache, n);\n}", "project": "linux", "hash": 249028943914446545315669299593752973786, "size": 5, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366797 }, { "func": "static int generate_binlog_opt_val(char** ret)\n{\n DBUG_ASSERT(ret);\n *ret= NULL;\n if (opt_bin_log && gtid_mode > 0)\n {\n assert(opt_bin_logname);\n *ret= my_strdup(opt_bin_logname, MYF(0));\n }\n else\n {\n *ret= my_strdup(\"\", MYF(0));\n }\n if (!*ret) return -ENOMEM;\n return 0;\n}", "project": "mysql-wsrep", "hash": 15046383289133769414141590913167997880, "size": 16, "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c", "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods", "target": 0, "dataset": "other", "idx": 454814 
}, { "func": "static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,\n\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_cp_le_set_scan_enable *cp;\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);\n\tif (!cp)\n\t\treturn;\n\n\tle_set_scan_enable_complete(hdev, cp->enable);\n}", "project": "linux", "hash": 210981835378418454690627037631102158324, "size": 17, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431945 }, { "func": "static void cmd_parse_search (IMAP_DATA* idata, const char* s)\n{\n unsigned int uid;\n HEADER *h;\n\n dprint (2, (debugfile, \"Handling SEARCH\\n\"));\n\n while ((s = imap_next_word ((char*)s)) && *s != '\\0')\n {\n if (mutt_atoui (s, &uid) < 0)\n continue;\n h = (HEADER *)int_hash_find (idata->uid_hash, uid);\n if (h)\n h->matched = 1;\n }\n}", "project": "mutt", "hash": 245057301920381999639247332725886872669, "size": 16, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338017 }, { "func": "\nstatic int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,\n\t\t\t bool is_timeout_link)\n{\n\tstruct io_timeout_data *data;\n\tunsigned flags;\n\tu32 off = 
READ_ONCE(sqe->off);\n\n\tif (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))\n\t\treturn -EINVAL;\n\tif (sqe->ioprio || sqe->buf_index || sqe->len != 1)\n\t\treturn -EINVAL;\n\tif (off && is_timeout_link)\n\t\treturn -EINVAL;\n\tflags = READ_ONCE(sqe->timeout_flags);\n\tif (flags & ~IORING_TIMEOUT_ABS)\n\t\treturn -EINVAL;\n\n\treq->timeout.off = off;\n\n\tif (!req->async_data && io_alloc_async_data(req))\n\t\treturn -ENOMEM;\n\n\tdata = req->async_data;\n\tdata->req = req;\n\n\tif (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))\n\t\treturn -EFAULT;\n\n\tdata->mode = io_translate_timeout_mode(flags);\n\thrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);\n\tif (is_timeout_link)\n\t\tio_req_track_inflight(req);\n\treturn 0;", "project": "linux", "hash": 103930328167990939994536307268328246712, "size": 34, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338527 }, { "func": "static int sctp_getsockopt_pf_expose(struct sock *sk, int len,\n\t\t\t\t char __user *optval,\n\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_assoc_value params;\n\tstruct sctp_association *asoc;\n\tint retval = -EFAULT;\n\n\tif (len < sizeof(params)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tlen = sizeof(params);\n\tif (copy_from_user(&params, optval, len))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params.assoc_id);\n\tif (!asoc && params.assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tparams.assoc_value = asoc ? asoc->pf_expose\n\t\t\t\t : sctp_sk(sk)->pf_expose;\n\n\tif (put_user(len, optlen))\n\t\tgoto out;\n\n\tif (copy_to_user(optval, &params, len))\n\t\tgoto out;\n\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 73469158946381275456471837282287609446, "size": 38, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398056 }, { "func": "static bool regs_sihv(struct pt_regs *regs)\n{\n\tunsigned long sihv = MMCRA_SIHV;\n\n\tif (ppmu->flags & PPMU_HAS_SIER)\n\t\treturn !!(regs->dar & SIER_SIHV);\n\n\tif (ppmu->flags & PPMU_ALT_SIPR)\n\t\tsihv = POWER6_MMCRA_SIHV;\n\n\treturn !!(regs->dsisr & sihv);\n}", "project": "linux", "hash": 66589172766747796834496990283337128145, "size": 12, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is 
called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374731 }, { "func": "static int io_req_task_work_add(struct io_kiocb *req)\n{\n\tstruct task_struct *tsk = req->task;\n\tstruct io_uring_task *tctx = tsk->io_uring;\n\tenum task_work_notify_mode notify;\n\tstruct io_wq_work_node *node, *prev;\n\tunsigned long flags;\n\tint ret = 0;\n\n\tif (unlikely(tsk->flags & PF_EXITING))\n\t\treturn -ESRCH;\n\n\tWARN_ON_ONCE(!tctx);\n\n\tspin_lock_irqsave(&tctx->task_lock, flags);\n\twq_list_add_tail(&req->io_task_work.node, &tctx->task_list);\n\tspin_unlock_irqrestore(&tctx->task_lock, flags);\n\n\t/* task_work already pending, we're done */\n\tif (test_bit(0, &tctx->task_state) ||\n\t test_and_set_bit(0, &tctx->task_state))\n\t\treturn 0;\n\n\t/*\n\t * SQPOLL kernel thread doesn't need notification, just a wakeup. For\n\t * all other cases, use TWA_SIGNAL unconditionally to ensure we're\n\t * processing task_work. There's no reliable way to tell if TWA_RESUME\n\t * will do the job.\n\t */\n\tnotify = (req->ctx->flags & IORING_SETUP_SQPOLL) ? TWA_NONE : TWA_SIGNAL;\n\n\tif (!task_work_add(tsk, &tctx->task_work, notify)) {\n\t\twake_up_process(tsk);\n\t\treturn 0;\n\t}\n\n\t/*\n\t * Slow path - we failed, find and delete work. 
if the work is not\n\t * in the list, it got run and we're fine.\n\t */\n\tspin_lock_irqsave(&tctx->task_lock, flags);\n\twq_list_for_each(node, prev, &tctx->task_list) {\n\t\tif (&req->io_task_work.node == node) {\n\t\t\twq_list_del(&tctx->task_list, node, prev);\n\t\t\tret = 1;\n\t\t\tbreak;\n\t\t}\n\t}\n\tspin_unlock_irqrestore(&tctx->task_lock, flags);\n\tclear_bit(0, &tctx->task_state);\n\treturn ret;\n}", "project": "linux", "hash": 42378283250073681386324813723631475023, "size": 52, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338540 }, { "func": "static int io_req_task_work_add(struct io_kiocb *req, struct callback_head *cb)\n{\n\tstruct task_struct *tsk = req->task;\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tint ret, notify;\n\n\t/*\n\t * SQPOLL kernel thread doesn't need notification, just a wakeup. For\n\t * all other cases, use TWA_SIGNAL unconditionally to ensure we're\n\t * processing task_work. 
There's no reliable way to tell if TWA_RESUME\n\t * will do the job.\n\t */\n\tnotify = 0;\n\tif (!(ctx->flags & IORING_SETUP_SQPOLL))\n\t\tnotify = TWA_SIGNAL;\n\n\tret = task_work_add(tsk, cb, notify);\n\tif (!ret)\n\t\twake_up_process(tsk);\n\n\treturn ret;\n}", "project": "linux", "hash": 10258691534190025174666216604392156113, "size": 22, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456926 }, { "func": "static int parse_tables(struct archive_read* a, struct rar5* rar,\n const uint8_t* p)\n{\n\tint ret, value, i, w, idx = 0;\n\tuint8_t bit_length[HUFF_BC],\n\t\ttable[HUFF_TABLE_SIZE],\n\t\tnibble_mask = 0xF0,\n\t\tnibble_shift = 4;\n\n\tenum { ESCAPE = 15 };\n\n\t/* The data for table generation is compressed using a simple RLE-like\n\t * algorithm when storing zeroes, so we need to unpack it first. */\n\tfor(w = 0, i = 0; w < HUFF_BC;) {\n\t\tif(i >= rar->cstate.cur_block_size) {\n\t\t\t/* Truncated data, can't continue. */\n\t\t\tarchive_set_error(&a->archive,\n\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t \"Truncated data in huffman tables\");\n\t\t\treturn ARCHIVE_FATAL;\n\t\t}\n\n\t\tvalue = (p[i] & nibble_mask) >> nibble_shift;\n\n\t\tif(nibble_mask == 0x0F)\n\t\t\t++i;\n\n\t\tnibble_mask ^= 0xFF;\n\t\tnibble_shift ^= 4;\n\n\t\t/* Values smaller than 15 is data, so we write it directly.\n\t\t * Value 15 is a flag telling us that we need to unpack more\n\t\t * bytes. 
*/\n\t\tif(value == ESCAPE) {\n\t\t\tvalue = (p[i] & nibble_mask) >> nibble_shift;\n\t\t\tif(nibble_mask == 0x0F)\n\t\t\t\t++i;\n\t\t\tnibble_mask ^= 0xFF;\n\t\t\tnibble_shift ^= 4;\n\n\t\t\tif(value == 0) {\n\t\t\t\t/* We sometimes need to write the actual value\n\t\t\t\t * of 15, so this case handles that. */\n\t\t\t\tbit_length[w++] = ESCAPE;\n\t\t\t} else {\n\t\t\t\tint k;\n\n\t\t\t\t/* Fill zeroes. */\n\t\t\t\tfor(k = 0; (k < value + 2) && (w < HUFF_BC);\n\t\t\t\t k++) {\n\t\t\t\t\tbit_length[w++] = 0;\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\tbit_length[w++] = value;\n\t\t}\n\t}\n\n\trar->bits.in_addr = i;\n\trar->bits.bit_addr = nibble_shift ^ 4;\n\n\tret = create_decode_tables(bit_length, &rar->cstate.bd, HUFF_BC);\n\tif(ret != ARCHIVE_OK) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Decoding huffman tables failed\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tfor(i = 0; i < HUFF_TABLE_SIZE;) {\n\t\tuint16_t num;\n\n\t\tif((rar->bits.in_addr + 6) >= rar->cstate.cur_block_size) {\n\t\t\t/* Truncated data, can't continue. 
*/\n\t\t\tarchive_set_error(&a->archive,\n\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t \"Truncated data in huffman tables (#2)\");\n\t\t\treturn ARCHIVE_FATAL;\n\t\t}\n\n\t\tret = decode_number(a, &rar->cstate.bd, p, &num);\n\t\tif(ret != ARCHIVE_OK) {\n\t\t\tarchive_set_error(&a->archive,\n\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t \"Decoding huffman tables failed\");\n\t\t\treturn ARCHIVE_FATAL;\n\t\t}\n\n\t\tif(num < 16) {\n\t\t\t/* 0..15: store directly */\n\t\t\ttable[i] = (uint8_t) num;\n\t\t\ti++;\n\t\t} else if(num < 18) {\n\t\t\t/* 16..17: repeat previous code */\n\t\t\tuint16_t n;\n\n\t\t\tif(ARCHIVE_OK != read_bits_16(rar, p, &n))\n\t\t\t\treturn ARCHIVE_EOF;\n\n\t\t\tif(num == 16) {\n\t\t\t\tn >>= 13;\n\t\t\t\tn += 3;\n\t\t\t\tskip_bits(rar, 3);\n\t\t\t} else {\n\t\t\t\tn >>= 9;\n\t\t\t\tn += 11;\n\t\t\t\tskip_bits(rar, 7);\n\t\t\t}\n\n\t\t\tif(i > 0) {\n\t\t\t\twhile(n-- > 0 && i < HUFF_TABLE_SIZE) {\n\t\t\t\t\ttable[i] = table[i - 1];\n\t\t\t\t\ti++;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tarchive_set_error(&a->archive,\n\t\t\t\t ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t\t\t \"Unexpected error when decoding \"\n\t\t\t\t \"huffman tables\");\n\t\t\t\treturn ARCHIVE_FATAL;\n\t\t\t}\n\t\t} else {\n\t\t\t/* other codes: fill with zeroes `n` times */\n\t\t\tuint16_t n;\n\n\t\t\tif(ARCHIVE_OK != read_bits_16(rar, p, &n))\n\t\t\t\treturn ARCHIVE_EOF;\n\n\t\t\tif(num == 18) {\n\t\t\t\tn >>= 13;\n\t\t\t\tn += 3;\n\t\t\t\tskip_bits(rar, 3);\n\t\t\t} else {\n\t\t\t\tn >>= 9;\n\t\t\t\tn += 11;\n\t\t\t\tskip_bits(rar, 7);\n\t\t\t}\n\n\t\t\twhile(n-- > 0 && i < HUFF_TABLE_SIZE)\n\t\t\t\ttable[i++] = 0;\n\t\t}\n\t}\n\n\tret = create_decode_tables(&table[idx], &rar->cstate.ld, HUFF_NC);\n\tif(ret != ARCHIVE_OK) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Failed to create literal table\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tidx += HUFF_NC;\n\n\tret = create_decode_tables(&table[idx], &rar->cstate.dd, HUFF_DC);\n\tif(ret != ARCHIVE_OK) 
{\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Failed to create distance table\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tidx += HUFF_DC;\n\n\tret = create_decode_tables(&table[idx], &rar->cstate.ldd, HUFF_LDC);\n\tif(ret != ARCHIVE_OK) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Failed to create lower bits of distances table\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tidx += HUFF_LDC;\n\n\tret = create_decode_tables(&table[idx], &rar->cstate.rd, HUFF_RC);\n\tif(ret != ARCHIVE_OK) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Failed to create repeating distances table\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 314170838578279844322062713550455777679, "size": 178, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244719 }, { "func": "static int opj_j2k_get_default_thread_count()\n{\n const char* num_threads_str = getenv(\"OPJ_NUM_THREADS\");\n int num_cpus;\n int num_threads;\n\n if (num_threads_str == NULL || !opj_has_thread_support()) {\n return 0;\n }\n num_cpus = opj_get_num_cpus();\n if (strcmp(num_threads_str, \"ALL_CPUS\") == 0) {\n return num_cpus;\n }\n if (num_cpus == 0) {\n num_cpus = 32;\n }\n num_threads = atoi(num_threads_str);\n if (num_threads < 0) {\n num_threads = 0;\n } else if (num_threads > 2 * num_cpus) {\n num_threads = 2 * num_cpus;\n }\n return num_threads;\n}", "project": "openjpeg", "hash": 4117467979993468636627915307933637729, "size": 24, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357422 }, { "func": "int headerMod(Header h, rpmtd td)\n{\n indexEntry entry;\n rpm_data_t oldData;\n rpm_data_t data;\n int length = 0;\n\n /* First find the tag */\n entry = findEntry(h, td->tag, td->type);\n if (!entry)\n\treturn 0;\n\n data = grabData(td->type, td->data, td->count, &length);\n if (data == NULL)\n\treturn 0;\n\n /* make sure entry points to the first occurrence of this tag */\n while (entry > h->index && (entry - 1)->info.tag == td->tag) \n\tentry--;\n\n /* free after we've grabbed the new data in case the two are intertwined;\n that's a bad idea but at least we won't break */\n oldData = entry->data;\n\n entry->info.count = 
td->count;\n entry->info.type = td->type;\n entry->data = data;\n entry->length = length;\n\n if (ENTRY_IN_REGION(entry)) {\n\tentry->info.offset = 0;\n } else\n\tfree(oldData);\n\n return 1;\n}", "project": "rpm", "hash": 275524741791490694424814830964428046732, "size": 36, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318151 }, { "func": "static void nfs4_xdr_enc_setclientid_confirm(struct rpc_rqst *req,\n\t\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t\t const void *data)\n{\n\tconst struct nfs4_setclientid_res *arg = data;\n\tstruct compound_hdr hdr = {\n\t\t.nops\t= 0,\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_setclientid_confirm(xdr, arg, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 187557492339355879209459479306716702404, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430961 }, { "func": "unsigned headerSizeof(Header h, int magicp)\n{\n indexEntry entry;\n unsigned int size = 0;\n int i;\n\n if (h == NULL)\n\treturn size;\n\n headerSort(h);\n\n if (magicp == HEADER_MAGIC_YES)\n\tsize += sizeof(rpm_header_magic);\n\n size += 2 * sizeof(int32_t);\t/* count of index entries */\n\n for (i = 0, entry = h->index; i < h->indexUsed; i++, entry++) {\n\t/* Regions go in as is ... 
*/\n if (ENTRY_IS_REGION(entry)) {\n\t size += entry->length;\n\t /* Reserve space for legacy region tag + data */\n\t if (i == 0 && (h->flags & HEADERFLAG_LEGACY))\n\t\tsize += sizeof(struct entryInfo_s) + entry->info.count;\n\t continue;\n }\n\n\t/* ... and region elements are skipped. */\n\tif (entry->info.offset < 0)\n\t continue;\n\n\t/* Alignment */\n\tsize += alignDiff(entry->info.type, size);\n\n\tsize += sizeof(struct entryInfo_s) + entry->length;\n }\n\n return size;\n}", "project": "rpm", "hash": 71903330668013146512874746138152246853, "size": 38, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318199 }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLNode::remove_node_and_delete(const string& n, const string& propname, const string& val)\n{\n\tfor (XMLNodeIterator i = _children.begin(); i != _children.end(); ++i) {\n\t\tif ((*i)->name() == n) {\n\t\t\tXMLProperty const * prop = (*i)->property (propname);\n\t\t\tif (prop && prop->value() == val) {\n\t\t\t\tdelete *i;\n\t\t\t\t_children.erase (i);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n}", "idx": 519673, "cwe": "CWE-416", "hash": 264883023455007706112827383290303102653, "dataset": "other" }, { "func": "static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_read_local_version *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tif (hci_dev_test_flag(hdev, HCI_SETUP) ||\n\t hci_dev_test_flag(hdev, HCI_CONFIG)) {\n\t\thdev->hci_ver = rp->hci_ver;\n\t\thdev->hci_rev = __le16_to_cpu(rp->hci_rev);\n\t\thdev->lmp_ver = rp->lmp_ver;\n\t\thdev->manufacturer = __le16_to_cpu(rp->manufacturer);\n\t\thdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);\n\t}\n}", 
"project": "linux", "hash": 232159823677038796002171417617305761597, "size": 18, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431937 }, { "func": "static bool check_selective_cr0_intercepted(struct vcpu_svm *svm,\n\t\t\t\t\t unsigned long val)\n{\n\tunsigned long cr0 = svm->vcpu.arch.cr0;\n\tbool ret = false;\n\tu64 intercept;\n\n\tintercept = svm->nested.intercept;\n\n\tif (!is_guest_mode(&svm->vcpu) ||\n\t (!(intercept & (1ULL << INTERCEPT_SELECTIVE_CR0))))\n\t\treturn false;\n\n\tcr0 &= ~SVM_CR0_SELECTIVE_MASK;\n\tval &= ~SVM_CR0_SELECTIVE_MASK;\n\n\tif (cr0 ^ val) {\n\t\tsvm->vmcb->control.exit_code = SVM_EXIT_CR0_SEL_WRITE;\n\t\tret = (nested_svm_exit_handled(svm) == NESTED_EXIT_DONE);\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 38248748357108118203217101764472791733, "size": 23, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432434 }, { "func": "bool check_selective_cr0_intercepted(struct vcpu_svm *svm, unsigned long val)\n{\n\tunsigned long cr0 = svm->vcpu.arch.cr0;\n\tbool ret = false;\n\tu64 intercept;\n\n\tintercept = svm->nested.intercept;\n\n\tif (!is_guest_mode(&svm->vcpu) ||\n\t (!(intercept & (1ULL << INTERCEPT_SELECTIVE_CR0))))\n\t\treturn false;\n\n\tcr0 &= ~SVM_CR0_SELECTIVE_MASK;\n\tval &= ~SVM_CR0_SELECTIVE_MASK;\n\n\tif (cr0 ^ val) {\n\t\tsvm->vmcb->control.exit_code = SVM_EXIT_CR0_SEL_WRITE;\n\t\tret = (nested_svm_exit_handled(svm) == NESTED_EXIT_DONE);\n\t}\n\n\treturn ret;\n}", "project": "kvm", "hash": 304270419313634700915699388102685217274, "size": 22, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437584 }, { "func": "static int kvm_s390_vm_get_migration(struct kvm *kvm,\n\t\t\t\t struct kvm_device_attr *attr)\n{\n\tu64 mig = kvm->arch.migration_mode;\n\n\tif (attr->attr != KVM_S390_VM_MIGRATION_STATUS)\n\t\treturn -ENXIO;\n\n\tif (copy_to_user((void __user *)attr->addr, &mig, sizeof(mig)))\n\t\treturn -EFAULT;\n\treturn 0;\n}", "project": "linux", "hash": 76726695578150764521909905258975770972, "size": 12, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of 
s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354577 }, { "func": "static int tiocsctty(struct tty_struct *tty, struct file *file, int arg)\n{\n\tint ret = 0;\n\n\ttty_lock(tty);\n\tread_lock(&tasklist_lock);\n\n\tif (current->signal->leader && (task_session(current) == tty->session))\n\t\tgoto unlock;\n\n\t/*\n\t * The process must be a session leader and\n\t * not have a controlling tty already.\n\t */\n\tif (!current->signal->leader || current->signal->tty) {\n\t\tret = -EPERM;\n\t\tgoto unlock;\n\t}\n\n\tif (tty->session) {\n\t\t/*\n\t\t * This tty is already the controlling\n\t\t * tty for another session group!\n\t\t */\n\t\tif (arg == 1 && capable(CAP_SYS_ADMIN)) {\n\t\t\t/*\n\t\t\t * Steal it away\n\t\t\t */\n\t\t\tsession_clear_tty(tty->session);\n\t\t} else {\n\t\t\tret = -EPERM;\n\t\t\tgoto unlock;\n\t\t}\n\t}\n\n\t/* See the comment in tty_open_proc_set_tty(). 
*/\n\tif ((file->f_mode & FMODE_READ) == 0 && !capable(CAP_SYS_ADMIN)) {\n\t\tret = -EPERM;\n\t\tgoto unlock;\n\t}\n\n\tproc_set_tty(tty);\nunlock:\n\tread_unlock(&tasklist_lock);\n\ttty_unlock(tty);\n\treturn ret;\n}", "project": "linux", "hash": 146446025411608923863591159384703810240, "size": 47, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325978 }, { "func": "static void sctp_wfree(struct sk_buff *skb)\n{\n\tstruct sctp_chunk *chunk = skb_shinfo(skb)->destructor_arg;\n\tstruct sctp_association *asoc = chunk->asoc;\n\tstruct sock *sk = asoc->base.sk;\n\n\tsk_mem_uncharge(sk, skb->truesize);\n\tsk->sk_wmem_queued -= skb->truesize + sizeof(struct sctp_chunk);\n\tasoc->sndbuf_used -= skb->truesize + sizeof(struct sctp_chunk);\n\tWARN_ON(refcount_sub_and_test(sizeof(struct sctp_chunk),\n\t\t\t\t &sk->sk_wmem_alloc));\n\n\tif (chunk->shkey) {\n\t\tstruct sctp_shared_key *shkey = chunk->shkey;\n\n\t\t/* refcnt == 2 and !list_empty mean after this release, it's\n\t\t * not being used anywhere, and it's time to notify userland\n\t\t * that this shkey can be freed if it's been deactivated.\n\t\t */\n\t\tif (shkey->deactivated && !list_empty(&shkey->key_list) &&\n\t\t refcount_read(&shkey->refcnt) == 2) {\n\t\t\tstruct sctp_ulpevent *ev;\n\n\t\t\tev = sctp_ulpevent_make_authkey(asoc, shkey->key_id,\n\t\t\t\t\t\t\tSCTP_AUTH_FREE_KEY,\n\t\t\t\t\t\t\tGFP_KERNEL);\n\t\t\tif (ev)\n\t\t\t\tasoc->stream.si->enqueue_event(&asoc->ulpq, 
ev);\n\t\t}\n\t\tsctp_auth_shkey_release(chunk->shkey);\n\t}\n\n\tsock_wfree(skb);\n\tsctp_wake_up_waiters(sk, asoc);\n\n\tsctp_association_put(asoc);\n}", "project": "linux", "hash": 87017588104613765364807395341778868280, "size": 37, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398212 }, { "func": "static void process_response_file(const char *file, int pass)\n{\n char str[2048];\n FILE *f = nasm_open_read(file, NF_TEXT);\n if (!f) {\n perror(file);\n exit(-1);\n }\n while (fgets(str, sizeof str, f)) {\n process_args(str, pass);\n }\n fclose(f);\n}", "project": "nasm", "hash": 331232146011840446968740440857032787304, "size": 13, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257486 }, { "func": "static fmode_t _nfs4_ctx_to_accessmode(const struct nfs_open_context *ctx)\n{\n\t return ctx->mode & (FMODE_READ|FMODE_WRITE|FMODE_EXEC);\n}", "project": "linux", "hash": 132521087188267707647721421859354456054, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431270 }, { "func": "static int __kvm_io_bus_read(struct kvm_vcpu *vcpu, struct kvm_io_bus *bus,\n\t\t\t struct kvm_io_range *range, void *val)\n{\n\tint idx;\n\n\tidx = kvm_io_bus_get_first_dev(bus, range->addr, range->len);\n\tif (idx < 0)\n\t\treturn -EOPNOTSUPP;\n\n\twhile (idx < bus->dev_count &&\n\t\tkvm_io_bus_cmp(range, &bus->range[idx]) == 0) {\n\t\tif (!kvm_iodevice_read(vcpu, bus->range[idx].dev, range->addr,\n\t\t\t\t range->len, val))\n\t\t\treturn idx;\n\t\tidx++;\n\t}\n\n\treturn -EOPNOTSUPP;\n}", "project": "linux", "hash": 
47148872763496290278110237996802855646, "size": 19, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354758 }, { "func": "static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_channel_selected *ev = (void *)skb->data;\n\tstruct hci_conn *hcon;\n\n\tBT_DBG(\"%s handle 0x%2.2x\", hdev->name, ev->phy_handle);\n\n\tskb_pull(skb, sizeof(*ev));\n\n\thcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);\n\tif (!hcon)\n\t\treturn;\n\n\tamp_read_loc_assoc_final_data(hdev, hcon);\n}", "project": "linux", "hash": 184635959084642699209872179785297250255, "size": 15, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431998 }, { "func": "static bool checkreturn default_extension_decoder(pb_istream_t *stream,\n pb_extension_t *extension, uint32_t tag, pb_wire_type_t wire_type)\n{\n const pb_field_t *field = (const pb_field_t*)extension->type->arg;\n pb_field_iter_t iter;\n \n if (field->tag != tag)\n return true;\n \n iter_from_extension(&iter, extension);\n extension->found = true;\n return decode_field(stream, wire_type, &iter);\n}", "project": "nanopb", "hash": 267829164045436661525515528768497079486, "size": 13, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252524 }, { "func": "static bool checkreturn default_extension_decoder(pb_istream_t *stream,\n pb_extension_t *extension, uint32_t tag, pb_wire_type_t wire_type)\n{\n pb_field_iter_t iter;\n\n if (!pb_field_iter_begin_extension(&iter, extension))\n PB_RETURN_ERROR(stream, \"invalid extension\");\n\n if (iter.tag != tag || !iter.message)\n return true;\n\n extension->found = true;\n return decode_field(stream, wire_type, &iter);\n}", "project": "nanopb", "hash": 11254080342580972187022387993477879183, "size": 14, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer 
type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254700 }, { "func": "static bool checkreturn default_extension_decoder(pb_istream_t *stream,\n pb_extension_t *extension, uint32_t tag, pb_wire_type_t wire_type)\n{\n const pb_field_t *field = (const pb_field_t*)extension->type->arg;\n pb_field_iterator_t iter;\n \n if (field->tag != tag)\n return true;\n \n iter_from_extension(&iter, extension);\n return decode_field(stream, wire_type, &iter);\n}", "project": "nanopb", "hash": 111789839032569039973788095199445794510, "size": 12, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255333 }, { "func": "static int calculate_sizes(struct kmem_cache *s, int forced_order)\n{\n\tslab_flags_t flags = s->flags;\n\tunsigned int size = s->object_size;\n\tunsigned int order;\n\n\t/*\n\t * Round up object size to the next word boundary. We can only\n\t * place the free pointer at word boundaries and this determines\n\t * the possible location of the free pointer.\n\t */\n\tsize = ALIGN(size, sizeof(void *));\n\n#ifdef CONFIG_SLUB_DEBUG\n\t/*\n\t * Determine if we can poison the object itself. 
If the user of\n\t * the slab may touch the object after free or before allocation\n\t * then we should never poison the object itself.\n\t */\n\tif ((flags & SLAB_POISON) && !(flags & SLAB_TYPESAFE_BY_RCU) &&\n\t\t\t!s->ctor)\n\t\ts->flags |= __OBJECT_POISON;\n\telse\n\t\ts->flags &= ~__OBJECT_POISON;\n\n\n\t/*\n\t * If we are Redzoning then check if there is some space between the\n\t * end of the object and the free pointer. If not then add an\n\t * additional word to have some bytes to store Redzone information.\n\t */\n\tif ((flags & SLAB_RED_ZONE) && size == s->object_size)\n\t\tsize += sizeof(void *);\n#endif\n\n\t/*\n\t * With that we have determined the number of bytes in actual use\n\t * by the object. This is the potential offset to the free pointer.\n\t */\n\ts->inuse = size;\n\n\tif (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) ||\n\t\ts->ctor)) {\n\t\t/*\n\t\t * Relocate free pointer after the object if it is not\n\t\t * permitted to overwrite the first word of the object on\n\t\t * kmem_cache_free.\n\t\t *\n\t\t * This is the case if we do RCU, have a constructor or\n\t\t * destructor or are poisoning the objects.\n\t\t */\n\t\ts->offset = size;\n\t\tsize += sizeof(void *);\n\t}\n\n#ifdef CONFIG_SLUB_DEBUG\n\tif (flags & SLAB_STORE_USER)\n\t\t/*\n\t\t * Need to store information about allocs and frees after\n\t\t * the object.\n\t\t */\n\t\tsize += 2 * sizeof(struct track);\n#endif\n\n\tkasan_cache_create(s, &size, &s->flags);\n#ifdef CONFIG_SLUB_DEBUG\n\tif (flags & SLAB_RED_ZONE) {\n\t\t/*\n\t\t * Add some empty padding so that we can catch\n\t\t * overwrites from earlier objects rather than let\n\t\t * tracking information or the free pointer be\n\t\t * corrupted if a user writes before the start\n\t\t * of the object.\n\t\t */\n\t\tsize += sizeof(void *);\n\n\t\ts->red_left_pad = sizeof(void *);\n\t\ts->red_left_pad = ALIGN(s->red_left_pad, s->align);\n\t\tsize += s->red_left_pad;\n\t}\n#endif\n\n\t/*\n\t * SLUB stores one object immediately 
after another beginning from\n\t * offset 0. In order to align the objects we have to simply size\n\t * each object to conform to the alignment.\n\t */\n\tsize = ALIGN(size, s->align);\n\ts->size = size;\n\tif (forced_order >= 0)\n\t\torder = forced_order;\n\telse\n\t\torder = calculate_order(size);\n\n\tif ((int)order < 0)\n\t\treturn 0;\n\n\ts->allocflags = 0;\n\tif (order)\n\t\ts->allocflags |= __GFP_COMP;\n\n\tif (s->flags & SLAB_CACHE_DMA)\n\t\ts->allocflags |= GFP_DMA;\n\n\tif (s->flags & SLAB_CACHE_DMA32)\n\t\ts->allocflags |= GFP_DMA32;\n\n\tif (s->flags & SLAB_RECLAIM_ACCOUNT)\n\t\ts->allocflags |= __GFP_RECLAIMABLE;\n\n\t/*\n\t * Determine the number of objects per slab\n\t */\n\ts->oo = oo_make(order, size);\n\ts->min = oo_make(get_order(size), size);\n\tif (oo_objects(s->oo) > oo_objects(s->max))\n\t\ts->max = s->oo;\n\n\treturn !!oo_objects(s->oo);\n}", "project": "linux", "hash": 185464267933970260609024202641224951525, "size": 120, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280275 }, { "func": "static int rawsock_create(struct net *net, struct socket *sock,\n\t\t\t const struct nfc_protocol *nfc_proto, int kern)\n{\n\tstruct sock *sk;\n\n\tpr_debug(\"sock=%p\\n\", sock);\n\n\tif ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW))\n\t\treturn -ESOCKTNOSUPPORT;\n\n\tif (sock->type == SOCK_RAW)\n\t\tsock->ops = &rawsock_raw_ops;\n\telse\n\t\tsock->ops = &rawsock_ops;\n\n\tsk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern);\n\tif (!sk)\n\t\treturn -ENOMEM;\n\n\tsock_init_data(sock, sk);\n\tsk->sk_protocol = nfc_proto->id;\n\tsk->sk_destruct = rawsock_destruct;\n\tsock->state = SS_UNCONNECTED;\n\tif (sock->type == SOCK_RAW)\n\t\tnfc_sock_link(&raw_sk_list, sk);\n\telse {\n\t\tINIT_WORK(&nfc_rawsock(sk)->tx_work, rawsock_tx_work);\n\t\tnfc_rawsock(sk)->tx_work_scheduled = false;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 76158006236225806046621099350006167099, "size": 32, "commit_id": "26896f01467a28651f7a536143fe5ac8449d4041", "message": "net/nfc/rawsock.c: add CAP_NET_RAW check.\n\nWhen creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.\n\nSigned-off-by: Qingyu Li \nSigned-off-by: David S. 
Miller ", "target": 1, "dataset": "other", "idx": 201423 }, { "func": "static int rawsock_create(struct net *net, struct socket *sock,\n\t\t\t const struct nfc_protocol *nfc_proto, int kern)\n{\n\tstruct sock *sk;\n\n\tpr_debug(\"sock=%p\\n\", sock);\n\n\tif ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW))\n\t\treturn -ESOCKTNOSUPPORT;\n\n\tif (sock->type == SOCK_RAW) {\n\t\tif (!capable(CAP_NET_RAW))\n\t\t\treturn -EPERM;\n\t\tsock->ops = &rawsock_raw_ops;\n\t} else {\n\t\tsock->ops = &rawsock_ops;\n\t}\n\n\tsk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern);\n\tif (!sk)\n\t\treturn -ENOMEM;\n\n\tsock_init_data(sock, sk);\n\tsk->sk_protocol = nfc_proto->id;\n\tsk->sk_destruct = rawsock_destruct;\n\tsock->state = SS_UNCONNECTED;\n\tif (sock->type == SOCK_RAW)\n\t\tnfc_sock_link(&raw_sk_list, sk);\n\telse {\n\t\tINIT_WORK(&nfc_rawsock(sk)->tx_work, rawsock_tx_work);\n\t\tnfc_rawsock(sk)->tx_work_scheduled = false;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 284654099723487976419252796131361945863, "size": 35, "commit_id": "26896f01467a28651f7a536143fe5ac8449d4041", "message": "net/nfc/rawsock.c: add CAP_NET_RAW check.\n\nWhen creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.\n\nSigned-off-by: Qingyu Li \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 319215 }, { "func": "inline bool StringData::isImmutable() const {\n return !isRefCounted() || isProxy();\n}", "project": "hhvm", "hash": 253212323327960780672923261631064638974, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219570 }, { "func": "static void core_dump_config(apr_pool_t *p, server_rec *s)\n{\n core_server_config *sconf = ap_get_core_module_config(s->module_config);\n apr_file_t *out = NULL;\n const char *tmp;\n const char **defines;\n int i;\n if (!ap_exists_config_define(\"DUMP_RUN_CFG\"))\n return;\n\n apr_file_open_stdout(&out, p);\n apr_file_printf(out, \"ServerRoot: \\\"%s\\\"\\n\", ap_server_root);\n tmp = ap_server_root_relative(p, sconf->ap_document_root);\n apr_file_printf(out, \"Main DocumentRoot: \\\"%s\\\"\\n\", tmp);\n if (s->error_fname[0] != '|' && s->errorlog_provider == NULL)\n tmp = ap_server_root_relative(p, s->error_fname);\n else\n tmp = s->error_fname;\n apr_file_printf(out, \"Main ErrorLog: \\\"%s\\\"\\n\", tmp);\n if (ap_scoreboard_fname) {\n tmp = ap_runtime_dir_relative(p, ap_scoreboard_fname);\n apr_file_printf(out, \"ScoreBoardFile: \\\"%s\\\"\\n\", tmp);\n }\n ap_dump_mutexes(p, s, out);\n ap_mpm_dump_pidfile(p, out);\n\n defines = (const char **)ap_server_config_defines->elts;\n for (i = 0; i < ap_server_config_defines->nelts; i++) {\n const char *name = defines[i];\n const char *val = NULL;\n if (server_config_defined_vars)\n val = apr_table_get(server_config_defined_vars, name);\n if (val)\n apr_file_printf(out, \"Define: %s=%s\\n\", name, val);\n else\n apr_file_printf(out, \"Define: %s\\n\", name);\n }\n}", "project": "httpd", "hash": 277669511162792993012644123549639928400, "size": 38, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they 
may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246313 }, { "func": "uint8_t *bcf_fmt_sized_array(kstring_t *s, uint8_t *ptr)\n{\n int x, type;\n x = bcf_dec_size(ptr, &ptr, &type);\n bcf_fmt_array(s, x, type, ptr);\n return ptr + (x << bcf_type_shift[type]);\n}", "project": "htslib", "hash": 195337770150778095771527324823063377438, "size": 7, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402139 }, { "func": "int bcf_fmt_array(kstring_t *s, int n, int type, void *data)\n{\n int j = 0;\n uint32_t e = 0;\n if (n == 0) {\n return kputc('.', s) >= 0 ? 
0 : -1;\n }\n if (type == BCF_BT_CHAR)\n {\n char *p = (char*)data;\n for (j = 0; j < n && *p; ++j, ++p)\n {\n if ( *p==bcf_str_missing ) e |= kputc('.', s) < 0;\n else e |= kputc(*p, s) < 0;\n }\n }\n else\n {\n #define BRANCH(type_t, convert, is_missing, is_vector_end, kprint) { \\\n uint8_t *p = (uint8_t *) data; \\\n for (j=0; jnet;\n\tu32 addr = 0;\n\tu32 flags = n->action_flags;\n\tu32 link_id = 0;\n\tu32 bearer_id;\n\tstruct list_head *publ_list;\n\n\tif (likely(!flags)) {\n\t\twrite_unlock_bh(&n->lock);\n\t\treturn;\n\t}\n\n\taddr = n->addr;\n\tlink_id = n->link_id;\n\tbearer_id = link_id & 0xffff;\n\tpubl_list = &n->publ_list;\n\n\tn->action_flags &= ~(TIPC_NOTIFY_NODE_DOWN | TIPC_NOTIFY_NODE_UP |\n\t\t\t TIPC_NOTIFY_LINK_DOWN | TIPC_NOTIFY_LINK_UP);\n\n\twrite_unlock_bh(&n->lock);\n\n\tif (flags & TIPC_NOTIFY_NODE_DOWN)\n\t\ttipc_publ_notify(net, publ_list, addr, n->capabilities);\n\n\tif (flags & TIPC_NOTIFY_NODE_UP)\n\t\ttipc_named_node_up(net, addr, n->capabilities);\n\n\tif (flags & TIPC_NOTIFY_LINK_UP) {\n\t\ttipc_mon_peer_up(net, addr, bearer_id);\n\t\ttipc_nametbl_publish(net, TIPC_LINK_STATE, addr, addr,\n\t\t\t\t TIPC_NODE_SCOPE, link_id, link_id);\n\t}\n\tif (flags & TIPC_NOTIFY_LINK_DOWN) {\n\t\ttipc_mon_peer_down(net, addr, bearer_id);\n\t\ttipc_nametbl_withdraw(net, TIPC_LINK_STATE, addr,\n\t\t\t\t addr, link_id);\n\t}\n}", "project": "linux", "hash": 326656340971105484372451909165356998778, "size": 41, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 
21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 
0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364932 }, { "func": "static int sctp_setsockopt_disable_fragments(struct sock *sk, int *val,\n\t\t\t\t\t unsigned int optlen)\n{\n\tif (optlen < sizeof(int))\n\t\treturn -EINVAL;\n\tsctp_sk(sk)->disable_fragments = (*val == 0) ? 0 : 1;\n\treturn 0;\n}", "project": "linux", "hash": 155599591912888535962545278919458670775, "size": 8, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398166 }, { "func": "static void push_window_data(struct archive_read* a, struct rar5* rar,\n int64_t idx_begin, int64_t idx_end)\n{\n\tpush_data(a, rar, rar->cstate.window_buf, idx_begin, idx_end);\n}", "project": "libarchive", "hash": 202406727020162381810639570107270338047, "size": 5, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244686 }, { "func": "static void svm_queue_exception(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tunsigned nr = vcpu->arch.exception.nr;\n\tbool has_error_code = vcpu->arch.exception.has_error_code;\n\tbool reinject = vcpu->arch.exception.injected;\n\tu32 error_code = vcpu->arch.exception.error_code;\n\n\t/*\n\t * If we are within a nested VM we'd better #VMEXIT and let the guest\n\t * handle the exception\n\t */\n\tif (!reinject &&\n\t nested_svm_check_exception(svm, nr, has_error_code, error_code))\n\t\treturn;\n\n\tkvm_deliver_exception_payload(&svm->vcpu);\n\n\tif (nr == BP_VECTOR && !nrips) {\n\t\tunsigned long rip, old_rip = kvm_rip_read(&svm->vcpu);\n\n\t\t/*\n\t\t * For guest debugging where we have to reinject #BP if some\n\t\t * INT3 is guest-owned:\n\t\t * Emulate nRIP by moving RIP forward. Will fail if injection\n\t\t * raises a fault that is not intercepted. Still better than\n\t\t * failing in all cases.\n\t\t */\n\t\t(void)skip_emulated_instruction(&svm->vcpu);\n\t\trip = kvm_rip_read(&svm->vcpu);\n\t\tsvm->int3_rip = rip + svm->vmcb->save.cs.base;\n\t\tsvm->int3_injected = rip - old_rip;\n\t}\n\n\tsvm->vmcb->control.event_inj = nr\n\t\t| SVM_EVTINJ_VALID\n\t\t| (has_error_code ? 
SVM_EVTINJ_VALID_ERR : 0)\n\t\t| SVM_EVTINJ_TYPE_EXEPT;\n\tsvm->vmcb->control.event_inj_err = error_code;\n}", "project": "linux", "hash": 5589653655912771243933701879854720015, "size": 40, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432575 }, { "func": "static void svm_queue_exception(struct kvm_vcpu *vcpu, unsigned nr,\n\t\t\t\tbool has_error_code, u32 error_code,\n\t\t\t\tbool reinject)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\t/*\n\t * If we are within a nested VM we'd better #VMEXIT and let the guest\n\t * handle the exception\n\t */\n\tif (!reinject &&\n\t nested_svm_check_exception(svm, nr, has_error_code, error_code))\n\t\treturn;\n\n\tif (nr == BP_VECTOR && !static_cpu_has(X86_FEATURE_NRIPS)) {\n\t\tunsigned long rip, old_rip = kvm_rip_read(&svm->vcpu);\n\n\t\t/*\n\t\t * For guest debugging where we have to reinject #BP if some\n\t\t * INT3 is guest-owned:\n\t\t * Emulate nRIP by moving RIP forward. Will fail if injection\n\t\t * raises a fault that is not intercepted. Still better than\n\t\t * failing in all cases.\n\t\t */\n\t\tskip_emulated_instruction(&svm->vcpu);\n\t\trip = kvm_rip_read(&svm->vcpu);\n\t\tsvm->int3_rip = rip + svm->vmcb->save.cs.base;\n\t\tsvm->int3_injected = rip - old_rip;\n\t}\n\n\tsvm->vmcb->control.event_inj = nr\n\t\t| SVM_EVTINJ_VALID\n\t\t| (has_error_code ? 
SVM_EVTINJ_VALID_ERR : 0)\n\t\t| SVM_EVTINJ_TYPE_EXEPT;\n\tsvm->vmcb->control.event_inj_err = error_code;\n}", "project": "kvm", "hash": 9646475564102347269578337024977530297, "size": 36, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437553 }, { "func": "UntrustedCacheMalloc::~UntrustedCacheMalloc() {\n while (!buffer_pool_.empty()) {\n PushToFreeList(buffer_pool_.top());\n buffer_pool_.pop();\n }\n\n // Free remaining elements in the free_list_.\n // The free_list_ object and the struct FreeList member buffers are destroyed\n // when the unique pointers referencing them go out of scope.\n if (free_list_->count > 0) {\n primitives::DeAllocateUntrustedBuffers(free_list_->buffers.get(),\n free_list_->count);\n }\n is_destroyed_ = true;\n}", "project": "asylo", "hash": 80195755475129920046446210101110970052, "size": 15, "commit_id": "a47ef55db2337d29de19c50cd29b0deb2871d31c", "message": "Fix vulnerability in UntrustedCacheMalloc\n\nThe pointer array is stored in untrusted memory, so we cannot trust the\nvalue even after validation. 
We should validate the pointer is pointing\nto untrusted memory after it's stored inside the enclave.\n\nPiperOrigin-RevId: 358474391\nChange-Id: I63cf6c251bdaf1b491dbf06cc0dcf77f7b141756", "target": 0, "dataset": "other", "idx": 264761 }, { "func": "Status GetPyArrayDescrForTensor(const TF_Tensor* tensor,\n PyArray_Descr** descr) {\n if (TF_TensorType(tensor) == TF_RESOURCE) {\n PyObject* field = PyTuple_New(3);\n#if PY_MAJOR_VERSION < 3\n PyTuple_SetItem(field, 0, PyBytes_FromString(\"resource\"));\n#else\n PyTuple_SetItem(field, 0, PyUnicode_FromString(\"resource\"));\n#endif\n PyTuple_SetItem(field, 1, PyArray_TypeObjectFromType(NPY_UBYTE));\n PyTuple_SetItem(field, 2, PyLong_FromLong(1));\n PyObject* fields = PyList_New(1);\n PyList_SetItem(fields, 0, field);\n int convert_result = PyArray_DescrConverter(fields, descr);\n Py_CLEAR(field);\n Py_CLEAR(fields);\n if (convert_result != 1) {\n return errors::Internal(\"Failed to create numpy array description for \",\n \"TF_RESOURCE-type tensor\");\n }\n } else {\n int type_num = -1;\n TF_RETURN_IF_ERROR(\n TF_DataType_to_PyArray_TYPE(TF_TensorType(tensor), &type_num));\n *descr = PyArray_DescrFromType(type_num);\n }\n\n return Status::OK();\n}", "project": "tensorflow", "hash": 122033321364629261543349983713525487614, "size": 29, "commit_id": "030af767d357d1b4088c4a25c72cb3906abac489", "message": "Fix `tf.raw_ops.ResourceCountUpTo` null pointer dereference.\n\nPiperOrigin-RevId: 368294347\nChange-Id: I2c16fbfc9b4966c402c3d8e311f0d665a9c852d8", "target": 0, "dataset": "other", "idx": 232663 }, { "func": "WebContents::WebContents(v8::Isolate* isolate,\n std::unique_ptr web_contents,\n Type type)\n : content::WebContentsObserver(web_contents.get()),\n type_(type),\n weak_factory_(this) {\n DCHECK(type != Type::REMOTE)\n << \"Can't take ownership of a remote WebContents\";\n auto session = Session::CreateFrom(isolate, GetBrowserContext());\n session_.Reset(isolate, session.ToV8());\n InitWithSessionAndOptions(isolate, 
std::move(web_contents), session,\n gin::Dictionary::CreateEmpty(isolate));\n}", "project": "electron", "hash": 300695576489063112714294309955403585994, "size": 13, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269709 }, { "func": "WebContents::WebContents(v8::Isolate* isolate,\n const gin_helper::Dictionary& options)\n : weak_factory_(this) {\n // Read options.\n options.Get(\"backgroundThrottling\", &background_throttling_);\n\n // Get type\n options.Get(\"type\", &type_);\n\n#if BUILDFLAG(ENABLE_OSR)\n bool b = false;\n if (options.Get(options::kOffscreen, &b) && b)\n type_ = Type::OFF_SCREEN;\n#endif\n\n // Init embedder earlier\n options.Get(\"embedder\", &embedder_);\n\n // Whether to enable DevTools.\n options.Get(\"devTools\", &enable_devtools_);\n\n // BrowserViews are not attached to a window initially so they should start\n // off as hidden. This is also important for compositor recycling. 
See:\n // https://github.com/electron/electron/pull/21372\n bool initially_shown = type_ != Type::BROWSER_VIEW;\n options.Get(options::kShow, &initially_shown);\n\n // Obtain the session.\n std::string partition;\n gin::Handle session;\n if (options.Get(\"session\", &session) && !session.IsEmpty()) {\n } else if (options.Get(\"partition\", &partition)) {\n session = Session::FromPartition(isolate, partition);\n } else {\n // Use the default session if not specified.\n session = Session::FromPartition(isolate, \"\");\n }\n session_.Reset(isolate, session.ToV8());\n\n std::unique_ptr web_contents;\n if (IsGuest()) {\n scoped_refptr site_instance =\n content::SiteInstance::CreateForURL(session->browser_context(),\n GURL(\"chrome-guest://fake-host\"));\n content::WebContents::CreateParams params(session->browser_context(),\n site_instance);\n guest_delegate_ =\n std::make_unique(embedder_->web_contents(), this);\n params.guest_delegate = guest_delegate_.get();\n\n#if BUILDFLAG(ENABLE_OSR)\n if (embedder_ && embedder_->IsOffScreen()) {\n auto* view = new OffScreenWebContentsView(\n false,\n base::BindRepeating(&WebContents::OnPaint, base::Unretained(this)));\n params.view = view;\n params.delegate_view = view;\n\n web_contents = content::WebContents::Create(params);\n view->SetWebContents(web_contents.get());\n } else {\n#endif\n web_contents = content::WebContents::Create(params);\n#if BUILDFLAG(ENABLE_OSR)\n }\n } else if (IsOffScreen()) {\n bool transparent = false;\n options.Get(\"transparent\", &transparent);\n\n content::WebContents::CreateParams params(session->browser_context());\n auto* view = new OffScreenWebContentsView(\n transparent,\n base::BindRepeating(&WebContents::OnPaint, base::Unretained(this)));\n params.view = view;\n params.delegate_view = view;\n\n web_contents = content::WebContents::Create(params);\n view->SetWebContents(web_contents.get());\n#endif\n } else {\n content::WebContents::CreateParams params(session->browser_context());\n 
params.initially_hidden = !initially_shown;\n web_contents = content::WebContents::Create(params);\n }\n\n InitWithSessionAndOptions(isolate, std::move(web_contents), session, options);\n}", "project": "electron", "hash": 328108887489990308461136340558210631361, "size": 87, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269739 }, { "func": "WebContents::WebContents(v8::Isolate* isolate,\n content::WebContents* web_contents)\n : content::WebContentsObserver(web_contents),\n type_(Type::REMOTE),\n weak_factory_(this) {\n auto session = Session::CreateFrom(isolate, GetBrowserContext());\n session_.Reset(isolate, session.ToV8());\n\n web_contents->SetUserAgentOverride(blink::UserAgentOverride::UserAgentOnly(\n GetBrowserContext()->GetUserAgent()),\n false);\n Init(isolate);\n AttachAsUserData(web_contents);\n InitZoomController(web_contents, gin::Dictionary::CreateEmpty(isolate));\n#if BUILDFLAG(ENABLE_ELECTRON_EXTENSIONS)\n extensions::ElectronExtensionWebContentsObserver::CreateForWebContents(\n web_contents);\n script_executor_.reset(new extensions::ScriptExecutor(web_contents));\n#endif\n registry_.AddInterface(base::BindRepeating(&WebContents::BindElectronBrowser,\n base::Unretained(this)));\n receivers_.set_disconnect_handler(base::BindRepeating(\n &WebContents::OnElectronBrowserConnectionError, base::Unretained(this)));\n}", "project": "electron", "hash": 168392926701150647309265220805737782587, "size": 24, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* 
refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269790 }, { "func": "static int unlink_queued(struct usbtest_dev *dev, int pipe, unsigned num,\n\t\tunsigned size)\n{\n\tstruct queued_ctx\tctx;\n\tstruct usb_device\t*udev = testdev_to_usbdev(dev);\n\tvoid\t\t\t*buf;\n\tdma_addr_t\t\tbuf_dma;\n\tint\t\t\ti;\n\tint\t\t\tretval = -ENOMEM;\n\n\tinit_completion(&ctx.complete);\n\tatomic_set(&ctx.pending, 1);\t/* One more than the actual value */\n\tctx.num = num;\n\tctx.status = 0;\n\n\tbuf = usb_alloc_coherent(udev, size, GFP_KERNEL, &buf_dma);\n\tif (!buf)\n\t\treturn retval;\n\tmemset(buf, 0, size);\n\n\t/* Allocate and init the urbs we'll queue */\n\tctx.urbs = kcalloc(num, sizeof(struct urb *), GFP_KERNEL);\n\tif (!ctx.urbs)\n\t\tgoto free_buf;\n\tfor (i = 0; i < num; i++) {\n\t\tctx.urbs[i] = usb_alloc_urb(0, GFP_KERNEL);\n\t\tif (!ctx.urbs[i])\n\t\t\tgoto free_urbs;\n\t\tusb_fill_bulk_urb(ctx.urbs[i], udev, pipe, buf, size,\n\t\t\t\tunlink_queued_callback, &ctx);\n\t\tctx.urbs[i]->transfer_dma = buf_dma;\n\t\tctx.urbs[i]->transfer_flags = URB_NO_TRANSFER_DMA_MAP;\n\n\t\tif (usb_pipeout(ctx.urbs[i]->pipe)) {\n\t\t\tsimple_fill_buf(ctx.urbs[i]);\n\t\t\tctx.urbs[i]->transfer_flags |= URB_ZERO_PACKET;\n\t\t}\n\t}\n\n\t/* Submit all the URBs and then unlink URBs num - 4 and num - 2. 
*/\n\tfor (i = 0; i < num; i++) {\n\t\tatomic_inc(&ctx.pending);\n\t\tretval = usb_submit_urb(ctx.urbs[i], GFP_KERNEL);\n\t\tif (retval != 0) {\n\t\t\tdev_err(&dev->intf->dev, \"submit urbs[%d] fail %d\\n\",\n\t\t\t\t\ti, retval);\n\t\t\tatomic_dec(&ctx.pending);\n\t\t\tctx.status = retval;\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (i == num) {\n\t\tusb_unlink_urb(ctx.urbs[num - 4]);\n\t\tusb_unlink_urb(ctx.urbs[num - 2]);\n\t} else {\n\t\twhile (--i >= 0)\n\t\t\tusb_unlink_urb(ctx.urbs[i]);\n\t}\n\n\tif (atomic_dec_and_test(&ctx.pending))\t\t/* The extra count */\n\t\tcomplete(&ctx.complete);\n\twait_for_completion(&ctx.complete);\n\tretval = ctx.status;\n\n free_urbs:\n\tfor (i = 0; i < num; i++)\n\t\tusb_free_urb(ctx.urbs[i]);\n\tkfree(ctx.urbs);\n free_buf:\n\tusb_free_coherent(udev, size, buf, buf_dma);\n\treturn retval;\n}", "project": "linux", "hash": 41004979396866766209146052399731801336, "size": 72, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 
drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412276 }, { "func": "static int tiocgetd(struct tty_struct *tty, int __user *p)\n{\n\tstruct tty_ldisc *ld;\n\tint ret;\n\n\tld = tty_ldisc_ref_wait(tty);\n\tif (!ld)\n\t\treturn -EIO;\n\tret = put_user(ld->ops->num, p);\n\ttty_ldisc_deref(ld);\n\treturn ret;\n}", "project": "linux", "hash": 65645759068093762309456311157776285989, "size": 12, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically 
abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325987 }, { "func": "void j2k_destroy_cstr_index(opj_codestream_index_t *p_cstr_ind)\n{\n if (p_cstr_ind) {\n\n if (p_cstr_ind->marker) {\n opj_free(p_cstr_ind->marker);\n p_cstr_ind->marker = NULL;\n }\n\n if (p_cstr_ind->tile_index) {\n OPJ_UINT32 it_tile = 0;\n\n for (it_tile = 0; it_tile < p_cstr_ind->nb_of_tiles; it_tile++) {\n\n if (p_cstr_ind->tile_index[it_tile].packet_index) {\n opj_free(p_cstr_ind->tile_index[it_tile].packet_index);\n p_cstr_ind->tile_index[it_tile].packet_index = NULL;\n }\n\n if (p_cstr_ind->tile_index[it_tile].tp_index) {\n opj_free(p_cstr_ind->tile_index[it_tile].tp_index);\n p_cstr_ind->tile_index[it_tile].tp_index = NULL;\n }\n\n if (p_cstr_ind->tile_index[it_tile].marker) {\n opj_free(p_cstr_ind->tile_index[it_tile].marker);\n p_cstr_ind->tile_index[it_tile].marker = NULL;\n\n }\n }\n\n 
opj_free(p_cstr_ind->tile_index);\n p_cstr_ind->tile_index = NULL;\n }\n\n opj_free(p_cstr_ind);\n }\n}", "project": "openjpeg", "hash": 107089124101738730465796062298035429659, "size": 38, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357344 }, { "func": "void CClient::PutClient(const CString& sLine) {\n PutClient(CMessage(sLine));\n}", "project": "znc", "hash": 335269760661285105596758998950726287337, "size": 3, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231574 }, { "func": "bool CClient::PutClient(const CMessage& Message) {\n if (!m_bAwayNotify && Message.GetType() == CMessage::Type::Away) {\n return false;\n } else if (!m_bAccountNotify &&\n Message.GetType() == CMessage::Type::Account) {\n return false;\n }\n\n CMessage Msg(Message);\n\n const CIRCSock* pIRCSock = GetIRCSock();\n if (pIRCSock) {\n if (Msg.GetType() == CMessage::Type::Numeric) {\n unsigned int uCode = Msg.As().GetCode();\n\n if (uCode == 352) { // RPL_WHOREPLY\n if (!m_bNamesx && pIRCSock->HasNamesx()) {\n // The server has NAMESX, but the client doesn't, so we need\n // to remove extra prefixes\n CString sNick = Msg.GetParam(6);\n if (sNick.size() > 1 && pIRCSock->IsPermChar(sNick[1])) {\n CString sNewNick = sNick;\n size_t pos =\n sNick.find_first_not_of(pIRCSock->GetPerms());\n if (pos >= 2 && pos != CString::npos) {\n sNewNick = sNick[0] + sNick.substr(pos);\n }\n Msg.SetParam(6, sNewNick);\n }\n }\n } else if (uCode == 353) { // RPL_NAMES\n if ((!m_bNamesx && pIRCSock->HasNamesx()) ||\n (!m_bUHNames && pIRCSock->HasUHNames())) {\n // The server has either UHNAMES or NAMESX, but the client\n // is missing either or both\n CString sNicks = Msg.GetParam(3);\n VCString vsNicks;\n sNicks.Split(\" \", vsNicks, false);\n\n for 
(CString& sNick : vsNicks) {\n if (sNick.empty()) break;\n\n if (!m_bNamesx && pIRCSock->HasNamesx() &&\n pIRCSock->IsPermChar(sNick[0])) {\n // The server has NAMESX, but the client doesn't, so\n // we just use the first perm char\n size_t pos =\n sNick.find_first_not_of(pIRCSock->GetPerms());\n if (pos >= 2 && pos != CString::npos) {\n sNick = sNick[0] + sNick.substr(pos);\n }\n }\n\n if (!m_bUHNames && pIRCSock->HasUHNames()) {\n // The server has UHNAMES, but the client doesn't,\n // so we strip away ident and host\n sNick = sNick.Token(0, false, \"!\");\n }\n }\n\n Msg.SetParam(\n 3, CString(\" \").Join(vsNicks.begin(), vsNicks.end()));\n }\n }\n } else if (Msg.GetType() == CMessage::Type::Join) {\n if (!m_bExtendedJoin && pIRCSock->HasExtendedJoin()) {\n Msg.SetParams({Msg.As().GetTarget()});\n }\n }\n }\n\n MCString mssTags;\n\n for (const auto& it : Msg.GetTags()) {\n if (IsTagEnabled(it.first)) {\n mssTags[it.first] = it.second;\n }\n }\n\n if (HasServerTime()) {\n // If the server didn't set the time tag, manually set it\n mssTags.emplace(\"time\", CUtils::FormatServerTime(Msg.GetTime()));\n }\n\n Msg.SetTags(mssTags);\n Msg.SetClient(this);\n Msg.SetNetwork(m_pNetwork);\n\n bool bReturn = false;\n NETWORKMODULECALL(OnSendToClientMessage(Msg), m_pUser, m_pNetwork, this,\n &bReturn);\n if (bReturn) return false;\n\n return PutClientRaw(Msg.ToString());\n}", "project": "znc", "hash": 221297508750695825415577330448931184173, "size": 95, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231606 }, { "func": "static void CvtOldMacFeature(PST1 *pst) {\n int i;\n\n if ( pst->macfeature )\nreturn;\n for ( i=0; formertags[i].feature!=-1 ; ++i ) {\n\tif ( pst->tag == formertags[i].tag ) {\n\t pst->macfeature = true;\n\t pst->tag = (formertags[i].feature<<16) | formertags[i].setting;\nreturn;\n\t}\n }\n}", "project": "fontforge", "hash": 
250133126462933346392891471650165177971, "size": 13, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417893 }, { "func": "static inline int _bcf1_sync_alleles(const bcf_hdr_t *hdr, bcf1_t *line, int nals)\n{\n line->d.shared_dirty |= BCF1_DIRTY_ALS;\n\n line->n_allele = nals;\n hts_expand(char*, line->n_allele, line->d.m_allele, line->d.allele);\n\n char *als = line->d.als;\n int n = 0;\n while (nd.allele[n] = als;\n while ( *als ) als++;\n als++;\n n++;\n }\n\n // Update REF length. Note that END is 1-based while line->pos 0-based\n bcf_info_t *end_info = bcf_get_info(hdr,line,\"END\");\n if ( end_info )\n {\n if ( end_info->type==BCF_HT_INT && end_info->v1.i==bcf_int32_missing ) end_info = NULL;\n else if ( end_info->type==BCF_HT_LONG && end_info->v1.i==bcf_int64_missing ) end_info = NULL;\n }\n if ( end_info && end_info->v1.i > line->pos )\n line->rlen = end_info->v1.i - line->pos;\n else if ( nals > 0 )\n line->rlen = strlen(line->d.allele[0]);\n else\n line->rlen = 0;\n\n return 0;\n}", "project": "htslib", "hash": 12261321972986449366804762846350423406, "size": 33, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402257 }, { "func": "static int __init fuse_init(void)\n{\n\tint res;\n\n\tpr_info(\"init (API version %i.%i)\\n\",\n\t\tFUSE_KERNEL_VERSION, FUSE_KERNEL_MINOR_VERSION);\n\n\tINIT_LIST_HEAD(&fuse_conn_list);\n\tres = fuse_fs_init();\n\tif (res)\n\t\tgoto err;\n\n\tres = fuse_dev_init();\n\tif (res)\n\t\tgoto err_fs_cleanup;\n\n\tres = fuse_sysfs_init();\n\tif (res)\n\t\tgoto err_dev_cleanup;\n\n\tres = fuse_ctl_init();\n\tif (res)\n\t\tgoto err_sysfs_cleanup;\n\n\tsanitize_global_limit(&max_user_bgreq);\n\tsanitize_global_limit(&max_user_congthresh);\n\n\treturn 0;\n\n err_sysfs_cleanup:\n\tfuse_sysfs_cleanup();\n err_dev_cleanup:\n\tfuse_dev_cleanup();\n err_fs_cleanup:\n\tfuse_fs_cleanup();\n err:\n\treturn res;\n}", "project": "linux", "hash": 271195981065832211437705693026410355841, "size": 38, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342118 }, { "func": "static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\thci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);\n\n\thci_conn_check_pending(hdev);\n}", "project": "linux", "hash": 181033599381452527731985225170288504285, "size": 13, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431898 }, { "func": "static char *input_devnode(struct device *dev, umode_t *mode)\n{\n\treturn kasprintf(GFP_KERNEL, \"input/%s\", dev_name(dev));\n}", "project": "linux", "hash": 268577944778987745039473797029536084007, "size": 4, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353333 }, { "func": "int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)\n{\n\tint rc;\n\n\tif (kvm_run->immediate_exit)\n\t\treturn -EINTR;\n\n\tif (kvm_run->kvm_valid_regs & ~KVM_SYNC_S390_VALID_FIELDS ||\n\t kvm_run->kvm_dirty_regs & ~KVM_SYNC_S390_VALID_FIELDS)\n\t\treturn -EINVAL;\n\n\tvcpu_load(vcpu);\n\n\tif (guestdbg_exit_pending(vcpu)) {\n\t\tkvm_s390_prepare_debug_exit(vcpu);\n\t\trc = 0;\n\t\tgoto out;\n\t}\n\n\tkvm_sigset_activate(vcpu);\n\n\t/*\n\t * no need to check the return value of vcpu_start as it can only have\n\t * an error for protvirt, but protvirt means user cpu state\n\t */\n\tif (!kvm_s390_user_cpu_state_ctrl(vcpu->kvm)) {\n\t\tkvm_s390_vcpu_start(vcpu);\n\t} else if (is_vcpu_stopped(vcpu)) {\n\t\tpr_err_ratelimited(\"can't run stopped vcpu %d\\n\",\n\t\t\t\t vcpu->vcpu_id);\n\t\trc = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tsync_regs(vcpu, kvm_run);\n\tenable_cpu_timer_accounting(vcpu);\n\n\tmight_fault();\n\trc = __vcpu_run(vcpu);\n\n\tif (signal_pending(current) && !rc) {\n\t\tkvm_run->exit_reason = KVM_EXIT_INTR;\n\t\trc = -EINTR;\n\t}\n\n\tif (guestdbg_exit_pending(vcpu) && !rc) {\n\t\tkvm_s390_prepare_debug_exit(vcpu);\n\t\trc = 0;\n\t}\n\n\tif (rc == -EREMOTE) {\n\t\t/* userspace support is needed, kvm_run has been prepared */\n\t\trc = 0;\n\t}\n\n\tdisable_cpu_timer_accounting(vcpu);\n\tstore_regs(vcpu, kvm_run);\n\n\tkvm_sigset_deactivate(vcpu);\n\n\tvcpu->stat.exit_userspace++;\nout:\n\tvcpu_put(vcpu);\n\treturn rc;\n}", "project": "linux", "hash": 271708153605902704068313639230315650256, "size": 65, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of 
range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354644 }, { "func": "void LanLinkProvider::onNetworkChange()\n{\n if (m_combineBroadcastsTimer.isActive()) {\n qCDebug(KDECONNECT_CORE) << \"Preventing duplicate broadcasts\";\n return;\n }\n m_combineBroadcastsTimer.start();\n}", "project": "kdeconnect-kde", "hash": 307087430527077686789945860494600516816, "size": 8, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227373 }, { "func": "static long kvm_s390_guest_memsida_op(struct kvm_vcpu *vcpu,\n\t\t\t\t struct kvm_s390_mem_op *mop)\n{\n\tint r, srcu_idx;\n\n\tsrcu_idx = srcu_read_lock(&vcpu->kvm->srcu);\n\n\tswitch (mop->op) {\n\tcase KVM_S390_MEMOP_LOGICAL_READ:\n\tcase KVM_S390_MEMOP_LOGICAL_WRITE:\n\t\tr = kvm_s390_guest_mem_op(vcpu, mop);\n\t\tbreak;\n\tcase KVM_S390_MEMOP_SIDA_READ:\n\tcase KVM_S390_MEMOP_SIDA_WRITE:\n\t\t/* we are locked against sida going away by the vcpu->mutex */\n\t\tr = kvm_s390_guest_sida_op(vcpu, mop);\n\t\tbreak;\n\tdefault:\n\t\tr = -EINVAL;\n\t}\n\n\tsrcu_read_unlock(&vcpu->kvm->srcu, srcu_idx);\n\treturn r;\n}", "project": "linux", "hash": 203054348298259641791859757654802472171, "size": 24, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range 
accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354655 }, { "func": "\n\nstatic int\niscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group)\n{\n\tint err = 0;\n\tu32 portid;\n\tstruct iscsi_uevent *ev = nlmsg_data(nlh);\n\tstruct iscsi_transport *transport = NULL;\n\tstruct iscsi_internal *priv;\n\tstruct iscsi_cls_session *session;\n\tstruct iscsi_cls_conn *conn;\n\tstruct iscsi_endpoint *ep = NULL;\n\n\tif (!netlink_capable(skb, CAP_SYS_ADMIN))\n\t\treturn -EPERM;\n\n\tif (nlh->nlmsg_type == ISCSI_UEVENT_PATH_UPDATE)\n\t\t*group = ISCSI_NL_GRP_UIP;\n\telse\n\t\t*group = ISCSI_NL_GRP_ISCSID;\n\n\tpriv = iscsi_if_transport_lookup(iscsi_ptr(ev->transport_handle));\n\tif (!priv)\n\t\treturn -EINVAL;\n\ttransport = priv->iscsi_transport;\n\n\tif (!try_module_get(transport->owner))\n\t\treturn -EINVAL;\n\n\tportid = NETLINK_CB(skb).portid;\n\n\tswitch (nlh->nlmsg_type) {\n\tcase ISCSI_UEVENT_CREATE_SESSION:\n\t\terr = iscsi_if_create_session(priv, ep, ev,\n\t\t\t\t\t portid,\n\t\t\t\t\t ev->u.c_session.initial_cmdsn,\n\t\t\t\t\t ev->u.c_session.cmds_max,\n\t\t\t\t\t ev->u.c_session.queue_depth);\n\t\tbreak;\n\tcase ISCSI_UEVENT_CREATE_BOUND_SESSION:\n\t\tep = iscsi_lookup_endpoint(ev->u.c_bound_session.ep_handle);\n\t\tif (!ep) {\n\t\t\terr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\n\t\terr = iscsi_if_create_session(priv, ep, 
ev,\n\t\t\t\t\tportid,\n\t\t\t\t\tev->u.c_bound_session.initial_cmdsn,\n\t\t\t\t\tev->u.c_bound_session.cmds_max,\n\t\t\t\t\tev->u.c_bound_session.queue_depth);\n\t\tbreak;\n\tcase ISCSI_UEVENT_DESTROY_SESSION:\n\t\tsession = iscsi_session_lookup(ev->u.d_session.sid);\n\t\tif (!session)\n\t\t\terr = -EINVAL;\n\t\telse if (iscsi_session_has_conns(ev->u.d_session.sid))\n\t\t\terr = -EBUSY;\n\t\telse\n\t\t\ttransport->destroy_session(session);\n\t\tbreak;\n\tcase ISCSI_UEVENT_DESTROY_SESSION_ASYNC:\n\t\tsession = iscsi_session_lookup(ev->u.d_session.sid);\n\t\tif (!session)\n\t\t\terr = -EINVAL;\n\t\telse if (iscsi_session_has_conns(ev->u.d_session.sid))\n\t\t\terr = -EBUSY;\n\t\telse {\n\t\t\tunsigned long flags;\n\n\t\t\t/* Prevent this session from being found again */\n\t\t\tspin_lock_irqsave(&sesslock, flags);\n\t\t\tlist_del_init(&session->sess_list);\n\t\t\tspin_unlock_irqrestore(&sesslock, flags);\n\n\t\t\tqueue_work(iscsi_destroy_workq, &session->destroy_work);\n\t\t}\n\t\tbreak;\n\tcase ISCSI_UEVENT_UNBIND_SESSION:\n\t\tsession = iscsi_session_lookup(ev->u.d_session.sid);\n\t\tif (session)\n\t\t\tscsi_queue_work(iscsi_session_to_shost(session),\n\t\t\t\t\t&session->unbind_work);\n\t\telse\n\t\t\terr = -EINVAL;\n\t\tbreak;\n\tcase ISCSI_UEVENT_CREATE_CONN:\n\t\terr = iscsi_if_create_conn(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_DESTROY_CONN:\n\t\terr = iscsi_if_destroy_conn(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_BIND_CONN:\n\t\tsession = iscsi_session_lookup(ev->u.b_conn.sid);\n\t\tconn = iscsi_conn_lookup(ev->u.b_conn.sid, ev->u.b_conn.cid);\n\n\t\tif (conn && conn->ep)\n\t\t\tiscsi_if_ep_disconnect(transport, conn->ep->id);\n\n\t\tif (!session || !conn) {\n\t\t\terr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\n\t\tmutex_lock(&conn_mutex);\n\t\tev->r.retcode =\ttransport->bind_conn(session, conn,\n\t\t\t\t\t\tev->u.b_conn.transport_eph,\n\t\t\t\t\t\tev->u.b_conn.is_leading);\n\t\tmutex_unlock(&conn_mutex);\n\n\t\tif (ev->r.retcode || 
!transport->ep_connect)\n\t\t\tbreak;\n\n\t\tep = iscsi_lookup_endpoint(ev->u.b_conn.transport_eph);\n\t\tif (ep) {\n\t\t\tep->conn = conn;\n\n\t\t\tmutex_lock(&conn->ep_mutex);\n\t\t\tconn->ep = ep;\n\t\t\tmutex_unlock(&conn->ep_mutex);\n\t\t} else\n\t\t\tiscsi_cls_conn_printk(KERN_ERR, conn,\n\t\t\t\t\t \"Could not set ep conn \"\n\t\t\t\t\t \"binding\\n\");\n\t\tbreak;\n\tcase ISCSI_UEVENT_SET_PARAM:\n\t\terr = iscsi_set_param(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_START_CONN:\n\t\tconn = iscsi_conn_lookup(ev->u.start_conn.sid, ev->u.start_conn.cid);\n\t\tif (conn) {\n\t\t\tmutex_lock(&conn_mutex);\n\t\t\tev->r.retcode = transport->start_conn(conn);\n\t\t\tif (!ev->r.retcode)\n\t\t\t\tconn->state = ISCSI_CONN_UP;\n\t\t\tmutex_unlock(&conn_mutex);\n\t\t}\n\t\telse\n\t\t\terr = -EINVAL;\n\t\tbreak;\n\tcase ISCSI_UEVENT_STOP_CONN:\n\t\tconn = iscsi_conn_lookup(ev->u.stop_conn.sid, ev->u.stop_conn.cid);\n\t\tif (conn)\n\t\t\tiscsi_if_stop_conn(conn, ev->u.stop_conn.flag);\n\t\telse\n\t\t\terr = -EINVAL;\n\t\tbreak;\n\tcase ISCSI_UEVENT_SEND_PDU:\n\t\tconn = iscsi_conn_lookup(ev->u.send_pdu.sid, ev->u.send_pdu.cid);\n\t\tif (conn) {\n\t\t\tmutex_lock(&conn_mutex);\n\t\t\tev->r.retcode =\ttransport->send_pdu(conn,\n\t\t\t\t(struct iscsi_hdr*)((char*)ev + sizeof(*ev)),\n\t\t\t\t(char*)ev + sizeof(*ev) + ev->u.send_pdu.hdr_size,\n\t\t\t\tev->u.send_pdu.data_size);\n\t\t\tmutex_unlock(&conn_mutex);\n\t\t}\n\t\telse\n\t\t\terr = -EINVAL;\n\t\tbreak;\n\tcase ISCSI_UEVENT_GET_STATS:\n\t\terr = iscsi_if_get_stats(transport, nlh);\n\t\tbreak;\n\tcase ISCSI_UEVENT_TRANSPORT_EP_CONNECT:\n\tcase ISCSI_UEVENT_TRANSPORT_EP_POLL:\n\tcase ISCSI_UEVENT_TRANSPORT_EP_DISCONNECT:\n\tcase ISCSI_UEVENT_TRANSPORT_EP_CONNECT_THROUGH_HOST:\n\t\terr = iscsi_if_transport_ep(transport, ev, nlh->nlmsg_type);\n\t\tbreak;\n\tcase ISCSI_UEVENT_TGT_DSCVR:\n\t\terr = iscsi_tgt_dscvr(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_SET_HOST_PARAM:\n\t\terr = iscsi_set_host_param(transport, 
ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_PATH_UPDATE:\n\t\terr = iscsi_set_path(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_SET_IFACE_PARAMS:\n\t\terr = iscsi_set_iface_params(transport, ev,\n\t\t\t\t\t nlmsg_attrlen(nlh, sizeof(*ev)));\n\t\tbreak;\n\tcase ISCSI_UEVENT_PING:\n\t\terr = iscsi_send_ping(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_GET_CHAP:\n\t\terr = iscsi_get_chap(transport, nlh);\n\t\tbreak;\n\tcase ISCSI_UEVENT_DELETE_CHAP:\n\t\terr = iscsi_delete_chap(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_SET_FLASHNODE_PARAMS:\n\t\terr = iscsi_set_flashnode_param(transport, ev,\n\t\t\t\t\t\tnlmsg_attrlen(nlh,\n\t\t\t\t\t\t\t sizeof(*ev)));\n\t\tbreak;\n\tcase ISCSI_UEVENT_NEW_FLASHNODE:\n\t\terr = iscsi_new_flashnode(transport, ev,\n\t\t\t\t\t nlmsg_attrlen(nlh, sizeof(*ev)));\n\t\tbreak;\n\tcase ISCSI_UEVENT_DEL_FLASHNODE:\n\t\terr = iscsi_del_flashnode(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_LOGIN_FLASHNODE:\n\t\terr = iscsi_login_flashnode(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_LOGOUT_FLASHNODE:\n\t\terr = iscsi_logout_flashnode(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_LOGOUT_FLASHNODE_SID:\n\t\terr = iscsi_logout_flashnode_sid(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_SET_CHAP:\n\t\terr = iscsi_set_chap(transport, ev,\n\t\t\t\t nlmsg_attrlen(nlh, sizeof(*ev)));\n\t\tbreak;\n\tcase ISCSI_UEVENT_GET_HOST_STATS:\n\t\terr = iscsi_get_host_stats(transport, nlh);\n\t\tbreak;\n\tdefault:\n\t\terr = -ENOSYS;\n\t\tbreak;\n\t}\n", "project": "linux", "hash": 165207676572058765527022757443722292191, "size": 225, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan 
\nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 1, "dataset": "other", "idx": 206293 }, { "func": "\n\nstatic int\niscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group)\n{\n\tint err = 0;\n\tu32 portid;\n\tu32 pdu_len;\n\tstruct iscsi_uevent *ev = nlmsg_data(nlh);\n\tstruct iscsi_transport *transport = NULL;\n\tstruct iscsi_internal *priv;\n\tstruct iscsi_cls_session *session;\n\tstruct iscsi_cls_conn *conn;\n\tstruct iscsi_endpoint *ep = NULL;\n\n\tif (!netlink_capable(skb, CAP_SYS_ADMIN))\n\t\treturn -EPERM;\n\n\tif (nlh->nlmsg_type == ISCSI_UEVENT_PATH_UPDATE)\n\t\t*group = ISCSI_NL_GRP_UIP;\n\telse\n\t\t*group = ISCSI_NL_GRP_ISCSID;\n\n\tpriv = iscsi_if_transport_lookup(iscsi_ptr(ev->transport_handle));\n\tif (!priv)\n\t\treturn -EINVAL;\n\ttransport = priv->iscsi_transport;\n\n\tif (!try_module_get(transport->owner))\n\t\treturn -EINVAL;\n\n\tportid = NETLINK_CB(skb).portid;\n\n\tswitch (nlh->nlmsg_type) {\n\tcase ISCSI_UEVENT_CREATE_SESSION:\n\t\terr = iscsi_if_create_session(priv, ep, ev,\n\t\t\t\t\t portid,\n\t\t\t\t\t ev->u.c_session.initial_cmdsn,\n\t\t\t\t\t ev->u.c_session.cmds_max,\n\t\t\t\t\t ev->u.c_session.queue_depth);\n\t\tbreak;\n\tcase ISCSI_UEVENT_CREATE_BOUND_SESSION:\n\t\tep = iscsi_lookup_endpoint(ev->u.c_bound_session.ep_handle);\n\t\tif (!ep) {\n\t\t\terr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\n\t\terr = iscsi_if_create_session(priv, ep, ev,\n\t\t\t\t\tportid,\n\t\t\t\t\tev->u.c_bound_session.initial_cmdsn,\n\t\t\t\t\tev->u.c_bound_session.cmds_max,\n\t\t\t\t\tev->u.c_bound_session.queue_depth);\n\t\tbreak;\n\tcase ISCSI_UEVENT_DESTROY_SESSION:\n\t\tsession = iscsi_session_lookup(ev->u.d_session.sid);\n\t\tif (!session)\n\t\t\terr = -EINVAL;\n\t\telse if (iscsi_session_has_conns(ev->u.d_session.sid))\n\t\t\terr = -EBUSY;\n\t\telse\n\t\t\ttransport->destroy_session(session);\n\t\tbreak;\n\tcase ISCSI_UEVENT_DESTROY_SESSION_ASYNC:\n\t\tsession = 
iscsi_session_lookup(ev->u.d_session.sid);\n\t\tif (!session)\n\t\t\terr = -EINVAL;\n\t\telse if (iscsi_session_has_conns(ev->u.d_session.sid))\n\t\t\terr = -EBUSY;\n\t\telse {\n\t\t\tunsigned long flags;\n\n\t\t\t/* Prevent this session from being found again */\n\t\t\tspin_lock_irqsave(&sesslock, flags);\n\t\t\tlist_del_init(&session->sess_list);\n\t\t\tspin_unlock_irqrestore(&sesslock, flags);\n\n\t\t\tqueue_work(iscsi_destroy_workq, &session->destroy_work);\n\t\t}\n\t\tbreak;\n\tcase ISCSI_UEVENT_UNBIND_SESSION:\n\t\tsession = iscsi_session_lookup(ev->u.d_session.sid);\n\t\tif (session)\n\t\t\tscsi_queue_work(iscsi_session_to_shost(session),\n\t\t\t\t\t&session->unbind_work);\n\t\telse\n\t\t\terr = -EINVAL;\n\t\tbreak;\n\tcase ISCSI_UEVENT_CREATE_CONN:\n\t\terr = iscsi_if_create_conn(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_DESTROY_CONN:\n\t\terr = iscsi_if_destroy_conn(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_BIND_CONN:\n\t\tsession = iscsi_session_lookup(ev->u.b_conn.sid);\n\t\tconn = iscsi_conn_lookup(ev->u.b_conn.sid, ev->u.b_conn.cid);\n\n\t\tif (conn && conn->ep)\n\t\t\tiscsi_if_ep_disconnect(transport, conn->ep->id);\n\n\t\tif (!session || !conn) {\n\t\t\terr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\n\t\tmutex_lock(&conn_mutex);\n\t\tev->r.retcode =\ttransport->bind_conn(session, conn,\n\t\t\t\t\t\tev->u.b_conn.transport_eph,\n\t\t\t\t\t\tev->u.b_conn.is_leading);\n\t\tmutex_unlock(&conn_mutex);\n\n\t\tif (ev->r.retcode || !transport->ep_connect)\n\t\t\tbreak;\n\n\t\tep = iscsi_lookup_endpoint(ev->u.b_conn.transport_eph);\n\t\tif (ep) {\n\t\t\tep->conn = conn;\n\n\t\t\tmutex_lock(&conn->ep_mutex);\n\t\t\tconn->ep = ep;\n\t\t\tmutex_unlock(&conn->ep_mutex);\n\t\t} else\n\t\t\tiscsi_cls_conn_printk(KERN_ERR, conn,\n\t\t\t\t\t \"Could not set ep conn \"\n\t\t\t\t\t \"binding\\n\");\n\t\tbreak;\n\tcase ISCSI_UEVENT_SET_PARAM:\n\t\terr = iscsi_set_param(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_START_CONN:\n\t\tconn = 
iscsi_conn_lookup(ev->u.start_conn.sid, ev->u.start_conn.cid);\n\t\tif (conn) {\n\t\t\tmutex_lock(&conn_mutex);\n\t\t\tev->r.retcode = transport->start_conn(conn);\n\t\t\tif (!ev->r.retcode)\n\t\t\t\tconn->state = ISCSI_CONN_UP;\n\t\t\tmutex_unlock(&conn_mutex);\n\t\t}\n\t\telse\n\t\t\terr = -EINVAL;\n\t\tbreak;\n\tcase ISCSI_UEVENT_STOP_CONN:\n\t\tconn = iscsi_conn_lookup(ev->u.stop_conn.sid, ev->u.stop_conn.cid);\n\t\tif (conn)\n\t\t\tiscsi_if_stop_conn(conn, ev->u.stop_conn.flag);\n\t\telse\n\t\t\terr = -EINVAL;\n\t\tbreak;\n\tcase ISCSI_UEVENT_SEND_PDU:\n\t\tpdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev);\n\n\t\tif ((ev->u.send_pdu.hdr_size > pdu_len) ||\n\t\t (ev->u.send_pdu.data_size > (pdu_len - ev->u.send_pdu.hdr_size))) {\n\t\t\terr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\n\t\tconn = iscsi_conn_lookup(ev->u.send_pdu.sid, ev->u.send_pdu.cid);\n\t\tif (conn) {\n\t\t\tmutex_lock(&conn_mutex);\n\t\t\tev->r.retcode =\ttransport->send_pdu(conn,\n\t\t\t\t(struct iscsi_hdr*)((char*)ev + sizeof(*ev)),\n\t\t\t\t(char*)ev + sizeof(*ev) + ev->u.send_pdu.hdr_size,\n\t\t\t\tev->u.send_pdu.data_size);\n\t\t\tmutex_unlock(&conn_mutex);\n\t\t}\n\t\telse\n\t\t\terr = -EINVAL;\n\t\tbreak;\n\tcase ISCSI_UEVENT_GET_STATS:\n\t\terr = iscsi_if_get_stats(transport, nlh);\n\t\tbreak;\n\tcase ISCSI_UEVENT_TRANSPORT_EP_CONNECT:\n\tcase ISCSI_UEVENT_TRANSPORT_EP_POLL:\n\tcase ISCSI_UEVENT_TRANSPORT_EP_DISCONNECT:\n\tcase ISCSI_UEVENT_TRANSPORT_EP_CONNECT_THROUGH_HOST:\n\t\terr = iscsi_if_transport_ep(transport, ev, nlh->nlmsg_type);\n\t\tbreak;\n\tcase ISCSI_UEVENT_TGT_DSCVR:\n\t\terr = iscsi_tgt_dscvr(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_SET_HOST_PARAM:\n\t\terr = iscsi_set_host_param(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_PATH_UPDATE:\n\t\terr = iscsi_set_path(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_SET_IFACE_PARAMS:\n\t\terr = iscsi_set_iface_params(transport, ev,\n\t\t\t\t\t nlmsg_attrlen(nlh, sizeof(*ev)));\n\t\tbreak;\n\tcase 
ISCSI_UEVENT_PING:\n\t\terr = iscsi_send_ping(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_GET_CHAP:\n\t\terr = iscsi_get_chap(transport, nlh);\n\t\tbreak;\n\tcase ISCSI_UEVENT_DELETE_CHAP:\n\t\terr = iscsi_delete_chap(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_SET_FLASHNODE_PARAMS:\n\t\terr = iscsi_set_flashnode_param(transport, ev,\n\t\t\t\t\t\tnlmsg_attrlen(nlh,\n\t\t\t\t\t\t\t sizeof(*ev)));\n\t\tbreak;\n\tcase ISCSI_UEVENT_NEW_FLASHNODE:\n\t\terr = iscsi_new_flashnode(transport, ev,\n\t\t\t\t\t nlmsg_attrlen(nlh, sizeof(*ev)));\n\t\tbreak;\n\tcase ISCSI_UEVENT_DEL_FLASHNODE:\n\t\terr = iscsi_del_flashnode(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_LOGIN_FLASHNODE:\n\t\terr = iscsi_login_flashnode(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_LOGOUT_FLASHNODE:\n\t\terr = iscsi_logout_flashnode(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_LOGOUT_FLASHNODE_SID:\n\t\terr = iscsi_logout_flashnode_sid(transport, ev);\n\t\tbreak;\n\tcase ISCSI_UEVENT_SET_CHAP:\n\t\terr = iscsi_set_chap(transport, ev,\n\t\t\t\t nlmsg_attrlen(nlh, sizeof(*ev)));\n\t\tbreak;\n\tcase ISCSI_UEVENT_GET_HOST_STATS:\n\t\terr = iscsi_get_host_stats(transport, nlh);\n\t\tbreak;\n\tdefault:\n\t\terr = -ENOSYS;\n\t\tbreak;\n\t}\n", "project": "linux", "hash": 290280226689808529758982123621457114455, "size": 234, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 380003 }, { "func": "Value arrayElemAt(const ExpressionNary* self, Value array, Value indexArg) {\n if (array.nullish() || indexArg.nullish()) {\n return Value(BSONNULL);\n }\n\n size_t arity = self->getOperandList().size();\n uassert(28689,\n str::stream() << self->getOpName() << \"'s \"\n << (arity == 1 ? \"argument\" : \"first argument\")\n << \" must be an array, but is \" << typeName(array.getType()),\n array.isArray());\n uassert(28690,\n str::stream() << self->getOpName() << \"'s second argument must be a numeric value,\"\n << \" but is \" << typeName(indexArg.getType()),\n indexArg.numeric());\n uassert(28691,\n str::stream() << self->getOpName() << \"'s second argument must be representable as\"\n << \" a 32-bit integer: \" << indexArg.coerceToDouble(),\n indexArg.integral());\n\n long long i = indexArg.coerceToLong();\n if (i < 0 && static_cast(std::abs(i)) > array.getArrayLength()) {\n // Positive indices that are too large are handled automatically by Value.\n return Value();\n } else if (i < 0) {\n // Index from the back of the array.\n i = array.getArrayLength() + i;\n }\n const size_t index = static_cast(i);\n return array[index];\n}", "project": "mongo", "hash": 4342512510434972431533399651958260797, "size": 31, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370040 }, { "func": "bool hci_req_stop_discovery(struct hci_request *req)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tstruct discovery_state *d = &hdev->discovery;\n\tstruct hci_cp_remote_name_req_cancel cp;\n\tstruct inquiry_entry *e;\n\tbool ret = false;\n\n\tbt_dev_dbg(hdev, \"state %u\", hdev->discovery.state);\n\n\tif (d->state == DISCOVERY_FINDING || d->state == DISCOVERY_STOPPING) {\n\t\tif (test_bit(HCI_INQUIRY, &hdev->flags))\n\t\t\thci_req_add(req, HCI_OP_INQUIRY_CANCEL, 0, NULL);\n\n\t\tif (hci_dev_test_flag(hdev, 
HCI_LE_SCAN)) {\n\t\t\tcancel_delayed_work(&hdev->le_scan_disable);\n\t\t\thci_req_add_le_scan_disable(req, false);\n\t\t}\n\n\t\tret = true;\n\t} else {\n\t\t/* Passive scanning */\n\t\tif (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {\n\t\t\thci_req_add_le_scan_disable(req, false);\n\t\t\tret = true;\n\t\t}\n\t}\n\n\t/* No further actions needed for LE-only discovery */\n\tif (d->type == DISCOV_TYPE_LE)\n\t\treturn ret;\n\n\tif (d->state == DISCOVERY_RESOLVING || d->state == DISCOVERY_STOPPING) {\n\t\te = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY,\n\t\t\t\t\t\t NAME_PENDING);\n\t\tif (!e)\n\t\t\treturn ret;\n\n\t\tbacpy(&cp.bdaddr, &e->data.bdaddr);\n\t\thci_req_add(req, HCI_OP_REMOTE_NAME_REQ_CANCEL, sizeof(cp),\n\t\t\t &cp);\n\t\tret = true;\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 129361254806109508915041953404911584861, "size": 46, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402568 }, { "func": "void tcp_enter_loss(struct sock *sk, int how)\n{\n\tconst struct inet_connection_sock *icsk = inet_csk(sk);\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct sk_buff *skb;\n\n\t/* Reduce ssthresh if it has not yet been made inside this window. */\n\tif (icsk->icsk_ca_state <= TCP_CA_Disorder || tp->snd_una == tp->high_seq ||\n\t (icsk->icsk_ca_state == TCP_CA_Loss && !icsk->icsk_retransmits)) {\n\t\ttp->prior_ssthresh = tcp_current_ssthresh(sk);\n\t\ttp->snd_ssthresh = icsk->icsk_ca_ops->ssthresh(sk);\n\t\ttcp_ca_event(sk, CA_EVENT_LOSS);\n\t}\n\ttp->snd_cwnd\t = 1;\n\ttp->snd_cwnd_cnt = 0;\n\ttp->snd_cwnd_stamp = tcp_time_stamp;\n\n\ttp->bytes_acked = 0;\n\ttcp_clear_retrans_partial(tp);\n\n\tif (tcp_is_reno(tp))\n\t\ttcp_reset_reno_sack(tp);\n\n\tif (!how) {\n\t\t/* Push undo marker, if it was plain RTO and nothing\n\t\t * was retransmitted. 
*/\n\t\ttp->undo_marker = tp->snd_una;\n\t} else {\n\t\ttp->sacked_out = 0;\n\t\ttp->fackets_out = 0;\n\t}\n\ttcp_clear_all_retrans_hints(tp);\n\n\ttcp_for_write_queue(skb, sk) {\n\t\tif (skb == tcp_send_head(sk))\n\t\t\tbreak;\n\n\t\tif (TCP_SKB_CB(skb)->sacked & TCPCB_RETRANS)\n\t\t\ttp->undo_marker = 0;\n\t\tTCP_SKB_CB(skb)->sacked &= (~TCPCB_TAGBITS)|TCPCB_SACKED_ACKED;\n\t\tif (!(TCP_SKB_CB(skb)->sacked&TCPCB_SACKED_ACKED) || how) {\n\t\t\tTCP_SKB_CB(skb)->sacked &= ~TCPCB_SACKED_ACKED;\n\t\t\tTCP_SKB_CB(skb)->sacked |= TCPCB_LOST;\n\t\t\ttp->lost_out += tcp_skb_pcount(skb);\n\t\t\ttp->retransmit_high = TCP_SKB_CB(skb)->end_seq;\n\t\t}\n\t}\n\ttcp_verify_left_out(tp);\n\n\ttp->reordering = min_t(unsigned int, tp->reordering,\n\t\t\t sysctl_tcp_reordering);\n\ttcp_set_ca_state(sk, TCP_CA_Loss);\n\ttp->high_seq = tp->snd_nxt;\n\tTCP_ECN_queue_cwr(tp);\n\t/* Abort F-RTO algorithm if one is in progress */\n\ttp->frto_counter = 0;\n}", "project": "net-next", "hash": 105040551570075172250770556227911414614, "size": 57, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409904 }, { "func": "CString CWebSock::GetSkinName() {\n std::shared_ptr spSession = GetSession();\n\n if (spSession->IsLoggedIn() &&\n !spSession->GetUser()->GetSkinName().empty()) {\n return spSession->GetUser()->GetSkinName();\n }\n\n return CZNC::Get().GetSkinName();\n}", "project": "znc", "hash": 108184849666973069577367019475239470832, "size": 10, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265806 }, { "func": "void gdImageCopyMergeGray (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int srcX, int srcY, int w, int h, int pct)\n{\n\tint c, dc;\n\tint x, y;\n\tint tox, toy;\n\tint ncR, ncG, ncB;\n\tfloat g;\n\ttoy = dstY;\n\n\tfor (y = srcY; (y < (srcY + h)); y++) {\n\t\ttox = dstX;\n\t\tfor (x = srcX; (x < (srcX + w)); x++) {\n\t\t\tint nc;\n\t\t\tc = gdImageGetPixel (src, x, y);\n\t\t\t/* Added 7/24/95: support transparent copies */\n\t\t\tif (gdImageGetTransparent(src) == c) {\n\t\t\t\ttox++;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\t/*\n\t\t\t * If it's the same image, mapping is NOT trivial since we\n\t\t\t * merge with greyscale target, but if pct is 100, the grey\n\t\t\t * value is not used, so it becomes trivial. 
pjw 2.0.12.\n\t\t\t */\n\t\t\tif (dst == src && pct == 100) {\n\t\t\t\tnc = c;\n\t\t\t} else {\n\t\t\t\tdc = gdImageGetPixel(dst, tox, toy);\n\t\t\t\tg = (0.29900f * gdImageRed(dst, dc)) + (0.58700f * gdImageGreen(dst, dc)) + (0.11400f * gdImageBlue(dst, dc));\n\n\t\t\t\tncR = (int)(gdImageRed (src, c) * (pct / 100.0f) + g * ((100 - pct) / 100.0));\n\t\t\t\tncG = (int)(gdImageGreen (src, c) * (pct / 100.0f) + g * ((100 - pct) / 100.0));\n\t\t\t\tncB = (int)(gdImageBlue (src, c) * (pct / 100.0f) + g * ((100 - pct) / 100.0));\n\n\n\t\t\t\t/* First look for an exact match */\n\t\t\t\tnc = gdImageColorExact(dst, ncR, ncG, ncB);\n\t\t\t\tif (nc == (-1)) {\n\t\t\t\t\t/* No, so try to allocate it */\n\t\t\t\t\tnc = gdImageColorAllocate(dst, ncR, ncG, ncB);\n\t\t\t\t\t/* If we're out of colors, go for the closest color */\n\t\t\t\t\tif (nc == (-1)) {\n\t\t\t\t\t\tnc = gdImageColorClosest(dst, ncR, ncG, ncB);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tgdImageSetPixel(dst, tox, toy, nc);\n\t\t\ttox++;\n\t\t}\n\t\ttoy++;\n\t}\n}", "project": "php-src", "hash": 50499315330315232731246590453759189905, "size": 53, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295124 }, { "func": "int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat)\n{\n\tint rc = 0;\n\tchar dst[MD5_DIGEST_SIZE];\n\n\tBUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE);\n\tBUG_ON(crypt_stat->iv_bytes <= 0);\n\tif (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {\n\t\trc = -EINVAL;\n\t\tecryptfs_printk(KERN_WARNING, \"Session key not valid; \"\n\t\t\t\t\"cannot generate root IV\\n\");\n\t\tgoto out;\n\t}\n\trc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key,\n\t\t\t\t crypt_stat->key_size);\n\tif (rc) {\n\t\tecryptfs_printk(KERN_WARNING, \"Error attempting to compute \"\n\t\t\t\t\"MD5 while generating root IV\\n\");\n\t\tgoto 
out;\n\t}\n\tmemcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes);\nout:\n\tif (rc) {\n\t\tmemset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes);\n\t\tcrypt_stat->flags |= ECRYPTFS_SECURITY_WARNING;\n\t}\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 274578348851116562009328478790108260018, "size": 28, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. 
Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490186 }, { "func": "Status GraphConstructor::ValidateColocationConstraints(\n const NodeDef& node_def) {\n if (!opts_.validate_colocation_constraints || !opts_.importing)\n return Status::OK();\n const auto iter = node_def.attr().find(kColocationAttrName);\n if (iter == node_def.attr().end()) return Status::OK();\n for (const string& c : iter->second.list().s()) {\n StringPiece s(c);\n if (absl::ConsumePrefix(&s, kColocationGroupPrefix) &&\n gdef_nodes_.find(s) == gdef_nodes_.end()) {\n return errors::InvalidArgument(\n \"Node '\", node_def.name(),\n \"' expects to be colocated with unknown node '\", s, \"'\");\n }\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 3958623541053772023913496911140760415, "size": 17, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268362 }, { "func": "static int fuse_do_getattr(struct inode *inode, struct kstat *stat,\n\t\t\t struct file *file)\n{\n\tint err;\n\tstruct fuse_getattr_in inarg;\n\tstruct fuse_attr_out outarg;\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tFUSE_ARGS(args);\n\tu64 attr_version;\n\n\tattr_version = fuse_get_attr_version(fm->fc);\n\n\tmemset(&inarg, 0, sizeof(inarg));\n\tmemset(&outarg, 0, sizeof(outarg));\n\t/* Directories have separate file-handle space */\n\tif (file && S_ISREG(inode->i_mode)) {\n\t\tstruct fuse_file *ff = file->private_data;\n\n\t\tinarg.getattr_flags |= FUSE_GETATTR_FH;\n\t\tinarg.fh = ff->fh;\n\t}\n\targs.opcode = FUSE_GETATTR;\n\targs.nodeid = get_node_id(inode);\n\targs.in_numargs = 1;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\targs.out_numargs = 1;\n\targs.out_args[0].size = sizeof(outarg);\n\targs.out_args[0].value = &outarg;\n\terr = fuse_simple_request(fm, &args);\n\tif (!err) {\n\t\tif (fuse_invalid_attr(&outarg.attr) ||\n\t\t (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {\n\t\t\tmake_bad_inode(inode);\n\t\t\terr = -EIO;\n\t\t} else {\n\t\t\tfuse_change_attributes(inode, &outarg.attr,\n\t\t\t\t\t attr_timeout(&outarg),\n\t\t\t\t\t attr_version);\n\t\t\tif (stat)\n\t\t\t\tfuse_fillattr(inode, &outarg.attr, stat);\n\t\t}\n\t}\n\treturn err;\n}", "project": "linux", "hash": 66305836614615397501498682867266125877, "size": 45, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 1, "dataset": "other", "idx": 202842 }, { "func": "static int fuse_do_getattr(struct inode *inode, struct kstat *stat,\n\t\t\t struct file *file)\n{\n\tint err;\n\tstruct fuse_getattr_in inarg;\n\tstruct fuse_attr_out outarg;\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tFUSE_ARGS(args);\n\tu64 attr_version;\n\n\tattr_version = fuse_get_attr_version(fm->fc);\n\n\tmemset(&inarg, 0, sizeof(inarg));\n\tmemset(&outarg, 0, sizeof(outarg));\n\t/* Directories have separate file-handle space */\n\tif (file && S_ISREG(inode->i_mode)) {\n\t\tstruct fuse_file *ff = file->private_data;\n\n\t\tinarg.getattr_flags |= FUSE_GETATTR_FH;\n\t\tinarg.fh = ff->fh;\n\t}\n\targs.opcode = FUSE_GETATTR;\n\targs.nodeid = get_node_id(inode);\n\targs.in_numargs = 1;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\targs.out_numargs = 1;\n\targs.out_args[0].size = sizeof(outarg);\n\targs.out_args[0].value = &outarg;\n\terr = fuse_simple_request(fm, &args);\n\tif (!err) {\n\t\tif (fuse_invalid_attr(&outarg.attr) ||\n\t\t (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {\n\t\t\tfuse_make_bad(inode);\n\t\t\terr = -EIO;\n\t\t} else {\n\t\t\tfuse_change_attributes(inode, &outarg.attr,\n\t\t\t\t\t attr_timeout(&outarg),\n\t\t\t\t\t attr_version);\n\t\t\tif (stat)\n\t\t\t\tfuse_fillattr(inode, &outarg.attr, 
stat);\n\t\t}\n\t}\n\treturn err;\n}", "project": "linux", "hash": 207137391981469494967408362501142420848, "size": 45, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342120 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "unsigned long WebGraphicsContext3DDefaultImpl::getError()\n{\n if (m_syntheticErrors.size() > 0) {\n ListHashSet::iterator iter = m_syntheticErrors.begin();\n unsigned long err = *iter;\n m_syntheticErrors.remove(iter);\n return err;\n }\n\n makeContextCurrent();\n return glGetError();\n}\n", "cwe": "", "big_vul_idx": 98999, "idx": 89056, "hash": 145731958671207858624541973329552715590 }, { "func": "void fuse_conn_init(struct fuse_conn *fc, struct fuse_mount *fm,\n\t\t struct user_namespace *user_ns,\n\t\t const struct fuse_iqueue_ops *fiq_ops, void *fiq_priv)\n{\n\tmemset(fc, 0, sizeof(*fc));\n\tspin_lock_init(&fc->lock);\n\tspin_lock_init(&fc->bg_lock);\n\tinit_rwsem(&fc->killsb);\n\trefcount_set(&fc->count, 1);\n\tatomic_set(&fc->dev_count, 
1);\n\tinit_waitqueue_head(&fc->blocked_waitq);\n\tfuse_iqueue_init(&fc->iq, fiq_ops, fiq_priv);\n\tINIT_LIST_HEAD(&fc->bg_queue);\n\tINIT_LIST_HEAD(&fc->entry);\n\tINIT_LIST_HEAD(&fc->devices);\n\tatomic_set(&fc->num_waiting, 0);\n\tfc->max_background = FUSE_DEFAULT_MAX_BACKGROUND;\n\tfc->congestion_threshold = FUSE_DEFAULT_CONGESTION_THRESHOLD;\n\tatomic64_set(&fc->khctr, 0);\n\tfc->polled_files = RB_ROOT;\n\tfc->blocked = 0;\n\tfc->initialized = 0;\n\tfc->connected = 1;\n\tatomic64_set(&fc->attr_version, 1);\n\tget_random_bytes(&fc->scramble_key, sizeof(fc->scramble_key));\n\tfc->pid_ns = get_pid_ns(task_active_pid_ns(current));\n\tfc->user_ns = get_user_ns(user_ns);\n\tfc->max_pages = FUSE_DEFAULT_MAX_PAGES_PER_REQ;\n\n\tINIT_LIST_HEAD(&fc->mounts);\n\tlist_add(&fm->fc_entry, &fc->mounts);\n\tfm->fc = fc;\n}", "project": "linux", "hash": 38405970370148227770893208507086470405, "size": 33, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342007 }, { "func": "int RGWPostObj_ObjStore_S3::get_tags()\n{\n string tags_str;\n if (part_str(parts, \"tagging\", &tags_str)) {\n RGWXMLParser parser;\n if (!parser.init()){\n ldout(s->cct, 0) << \"Couldn't init RGWObjTags XML parser\" << dendl;\n err_msg = \"Server couldn't process the request\";\n return -EINVAL; // TODO: This class of errors in rgw code should be a 5XX error\n }\n if (!parser.parse(tags_str.c_str(), tags_str.size(), 1)) {\n ldout(s->cct,0 ) << \"Invalid Tagging XML\" << dendl;\n err_msg = \"Invalid Tagging XML\";\n return -EINVAL;\n }\n\n RGWObjTagging_S3 tagging;\n\n try {\n RGWXMLDecoder::decode_xml(\"Tagging\", tagging, &parser);\n } catch (RGWXMLDecoder::err& err) {\n ldout(s->cct, 5) << \"Malformed tagging request: \" << err << dendl;\n return -EINVAL;\n }\n\n RGWObjTags obj_tags;\n int r = tagging.rebuild(obj_tags);\n if (r < 0)\n return r;\n\n bufferlist tags_bl;\n obj_tags.encode(tags_bl);\n ldout(s->cct, 20) << \"Read \" << obj_tags.count() << \"tags\" << dendl;\n attrs[RGW_ATTR_TAGS] = tags_bl;\n }\n\n\n return 0;\n}", "project": "ceph", "hash": 188651860907282456173340028574168123494, "size": 39, "commit_id": "fce0b267446d6f3f631bb4680ebc3527bbbea002", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 333826 }, { "func": "static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tint answ;\n\tint ret = -ENOIOCTLCMD;\n\n\tswitch (cmd) {\n\tcase SIOCINQ:\n\t\tif (sk->sk_state == TCP_LISTEN) 
{\n\t\t\tret = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\n\t\tlock_sock(sk);\n\t\tif (sock_flag(sk, SOCK_URGINLINE) &&\n\t\t !skb_queue_empty(&pn->ctrlreq_queue))\n\t\t\tansw = skb_peek(&pn->ctrlreq_queue)->len;\n\t\telse if (!skb_queue_empty(&sk->sk_receive_queue))\n\t\t\tansw = skb_peek(&sk->sk_receive_queue)->len;\n\t\telse\n\t\t\tansw = 0;\n\t\trelease_sock(sk);\n\t\tret = put_user(answ, (int __user *)arg);\n\t\tbreak;\n\n\tcase SIOCPNENABLEPIPE:\n\t\tlock_sock(sk);\n\t\tif (sk->sk_state == TCP_SYN_SENT)\n\t\t\tret = -EBUSY;\n\t\telse if (sk->sk_state == TCP_ESTABLISHED)\n\t\t\tret = -EISCONN;\n\t\telse\n\t\t\tret = pep_sock_enable(sk, NULL, 0);\n\t\trelease_sock(sk);\n\t\tbreak;\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 146093838371467048886263420238093964264, "size": 39, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224802 }, { "func": "static int rlp_calculate_length(int length, uint8_t firstbyte) {\n if (length == 1 && firstbyte <= 0x7f) {\n return 1;\n } else if (length <= 55) {\n return 1 + length;\n } else if (length <= 0xff) {\n return 2 + length;\n } else if (length <= 0xffff) {\n return 3 + length;\n } else {\n return 4 + length;\n }\n}", "project": "keepkey-firmware", "hash": 161324022325636259357213067104687948784, "size": 13, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220898 }, { "func": "static int verify_mfa(RGWRados *store, RGWUserInfo *user, const string& mfa_str, bool *verified)\n{\n vector params;\n get_str_vec(mfa_str, \" \", params);\n\n if (params.size() != 2) {\n ldout(store->ctx(), 5) 
<< \"NOTICE: invalid mfa string provided: \" << mfa_str << dendl;\n return -EINVAL;\n }\n\n string& serial = params[0];\n string& pin = params[1];\n\n auto i = user->mfa_ids.find(serial);\n if (i == user->mfa_ids.end()) {\n ldout(store->ctx(), 5) << \"NOTICE: user does not have mfa device with serial=\" << serial << dendl;\n return -EACCES;\n }\n\n int ret = store->check_mfa(user->user_id, serial, pin);\n if (ret < 0) {\n ldout(store->ctx(), 20) << \"NOTICE: failed to check MFA, serial=\" << serial << dendl;\n return -EACCES;\n }\n\n *verified = true;\n\n return 0;\n}", "project": "ceph", "hash": 237525300637791341753317523862056486650, "size": 29, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281248 }, { "func": "static void io_req_task_work_add_fallback(struct io_kiocb *req,\n\t\t\t\t\t task_work_func_t cb)\n{\n\tinit_task_work(&req->task_work, cb);\n\tio_task_work_add_head(&req->ctx->exit_task_work, &req->task_work);\n}", "project": "linux", "hash": 237930129557357046190833117086747331389, "size": 6, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338709 }, { "func": "void LJ_FASTCALL lj_trace_hot(jit_State *J, const BCIns *pc)\n{\n /* Note: pc is the interpreter bytecode PC here. It's offset by 1. */\n ERRNO_SAVE\n /* Reset hotcount. */\n hotcount_set(J2GG(J), pc, J->param[JIT_P_hotloop]*HOTCOUNT_LOOP);\n /* Only start a new trace if not recording or inside __gc call or vmevent. */\n if (J->state == LJ_TRACE_IDLE &&\n !(J2G(J)->hookmask & (HOOK_GC|HOOK_VMEVENT))) {\n J->parent = 0; /* Root trace. 
*/\n J->exitno = 0;\n J->state = LJ_TRACE_START;\n lj_trace_ins(J, pc-1);\n }\n ERRNO_RESTORE\n}", "project": "LuaJIT", "hash": 60562917409057167653995485011375566828, "size": 16, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394621 }, { "func": "CLua::~CLua()\n{\n // Copy the listener vector, because listeners may remove\n // themselves from the listener list when we notify them of a\n // shutdown.\n const vector slisteners = shutdown_listeners;\n for (lua_shutdown_listener *listener : slisteners)\n listener->shutdown(*this);\n shutting_down = true;\n if (_state)\n lua_close(_state);\n}", "project": "crawl", "hash": 261447294790446610740031762777736345320, "size": 12, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230490 }, { "func": "Utf8DecoderBase::Utf8DecoderBase()\n : unbuffered_start_(NULL),\n unbuffered_length_(0),\n utf16_length_(0),\n last_byte_of_buffer_unused_(false) {}", "project": "node", "hash": 5077134365210757662933430907028022838, "size": 5, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385608 }, { "func": "Utf8DecoderBase::Utf8DecoderBase(uint16_t* buffer,\n unsigned buffer_length,\n const uint8_t* stream,\n unsigned stream_length) {\n Reset(buffer, buffer_length, stream, stream_length);\n}", "project": "node", "hash": 249484625451872358086267011148381931919, "size": 6, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385630 }, { "func": "int do_execve_file(struct file *file, void *__argv, 
void *__envp)\n{\n\tstruct user_arg_ptr argv = { .ptr.native = __argv };\n\tstruct user_arg_ptr envp = { .ptr.native = __envp };\n\n\treturn __do_execve_file(AT_FDCWD, NULL, argv, envp, 0, file);\n}", "project": "linux", "hash": 24041874008538961092075473000035639628, "size": 7, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375273 }, { "func": "otError Commissioner::SendKeepAlive(void)\n{\n otError error = OT_ERROR_NONE;\n Coap::Message * message = NULL;\n Ip6::MessageInfo messageInfo;\n StateTlv state;\n CommissionerSessionIdTlv sessionId;\n\n VerifyOrExit((message = NewMeshCoPMessage(Get())) != NULL, error = OT_ERROR_NO_BUFS);\n\n SuccessOrExit(error = message->Init(OT_COAP_TYPE_CONFIRMABLE, OT_COAP_CODE_POST, OT_URI_PATH_LEADER_KEEP_ALIVE));\n SuccessOrExit(error = message->SetPayloadMarker());\n\n state.Init();\n state.SetState(mState == OT_COMMISSIONER_STATE_ACTIVE ? StateTlv::kAccept : StateTlv::kReject);\n SuccessOrExit(error = message->AppendTlv(state));\n\n sessionId.Init();\n sessionId.SetCommissionerSessionId(mSessionId);\n SuccessOrExit(error = message->AppendTlv(sessionId));\n\n messageInfo.SetSockAddr(Get().GetMeshLocal16());\n SuccessOrExit(error = Get().GetLeaderAloc(messageInfo.GetPeerAddr()));\n messageInfo.SetPeerPort(kCoapUdpPort);\n SuccessOrExit(error = Get().SendMessage(*message, messageInfo,\n Commissioner::HandleLeaderKeepAliveResponse, this));\n\n otLogInfoMeshCoP(\"sent keep alive\");\n\nexit:\n\n if (error != OT_ERROR_NONE && message != NULL)\n {\n message->Free();\n }\n\n return error;\n}", "project": "openthread", "hash": 145343622293617486037999633605243304782, "size": 38, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269904 }, { "func": "int pdf_load_xrefs(FILE *fp, pdf_t *pdf)\n{\n int i, ver, is_linear;\n long pos, pos_count;\n char x, *c, buf[256];\n \n c = NULL;\n\n /* Count number of xrefs */\n pdf->n_xrefs = 0;\n fseek(fp, 0, SEEK_SET);\n while (get_next_eof(fp) >= 0)\n ++pdf->n_xrefs;\n\n if (!pdf->n_xrefs)\n return 0;\n\n /* Load in the start/end positions */\n fseek(fp, 0, SEEK_SET);\n pdf->xrefs = safe_calloc(sizeof(xref_t) * pdf->n_xrefs);\n ver = 1;\n for (i=0; in_xrefs; 
i++)\n {\n /* Seek to %%EOF */\n if ((pos = get_next_eof(fp)) < 0)\n break;\n\n /* Set and increment the version */\n pdf->xrefs[i].version = ver++;\n\n /* Rewind until we find end of \"startxref\" */\n pos_count = 0;\n while (SAFE_F(fp, ((x = fgetc(fp)) != 'f')))\n fseek(fp, pos - (++pos_count), SEEK_SET);\n \n /* Suck in end of \"startxref\" to start of %%EOF */\n if (pos_count >= sizeof(buf)) {\n FAIL(\"Failed to locate the startxref token. \"\n \"This might be a corrupt PDF.\\n\");\n }\n memset(buf, 0, sizeof(buf));\n SAFE_E(fread(buf, 1, pos_count, fp), pos_count,\n \"Failed to read startxref.\\n\");\n c = buf;\n while (*c == ' ' || *c == '\\n' || *c == '\\r')\n ++c;\n \n /* xref start position */\n pdf->xrefs[i].start = atol(c);\n\n /* If xref is 0 handle linear xref table */\n if (pdf->xrefs[i].start == 0)\n get_xref_linear_skipped(fp, &pdf->xrefs[i]);\n\n /* Non-linear, normal operation, so just find the end of the xref */\n else\n {\n /* xref end position */\n pos = ftell(fp);\n fseek(fp, pdf->xrefs[i].start, SEEK_SET);\n pdf->xrefs[i].end = get_next_eof(fp);\n\n /* Look for next EOF and xref data */\n fseek(fp, pos, SEEK_SET);\n }\n\n /* Check validity */\n if (!is_valid_xref(fp, pdf, &pdf->xrefs[i]))\n {\n is_linear = pdf->xrefs[i].is_linear;\n memset(&pdf->xrefs[i], 0, sizeof(xref_t));\n pdf->xrefs[i].is_linear = is_linear;\n rewind(fp);\n get_next_eof(fp);\n continue;\n }\n\n /* Load the entries from the xref */\n load_xref_entries(fp, &pdf->xrefs[i]);\n }\n\n /* Now we have all xref tables, if this is linearized, we need\n * to make adjustments so that things spit out properly\n */\n if (pdf->xrefs[0].is_linear)\n resolve_linearized_pdf(pdf);\n\n /* Ok now we have all xref data. 
Go through those versions of the \n * PDF and try to obtain creator information\n */\n load_creator(fp, pdf);\n\n return pdf->n_xrefs;\n}", "project": "pdfresurrect", "hash": 310606410843839004927169601781520358601, "size": 94, "commit_id": "7e35d1806e111fd28610ccc86bb33f54792ac370", "message": "Fix possible infinite loop case when looking for a trailer.\n\nThanks to chibataiki for reporting and isolating this!", "target": 0, "dataset": "other", "idx": 355603 }, { "func": "int CLua::return_count(lua_State *ls, const char *format)\n{\n UNUSED(ls);\n\n if (!format)\n return 0;\n\n const char *gs = strchr(format, '>');\n if (gs)\n return strlen(gs + 1);\n\n const char *cs = strchr(format, ':');\n if (cs && isdigit(*format))\n {\n char *es = nullptr;\n int ci = strtol(format, &es, 10);\n // We're capping return at 10 here, which is arbitrary, but avoids\n // blowing the stack.\n if (ci < 0)\n ci = 0;\n else if (ci > 10)\n ci = 10;\n return ci;\n }\n return 0;\n}", "project": "crawl", "hash": 153603964404598988550408684234424160137, "size": 26, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230520 }, { "func": "send_sig(int sig, struct task_struct *p, int priv)\n{\n\treturn send_sig_info(sig, __si_special(priv), p);\n}", "project": "linux", "hash": 13995079112084388177933015425396784991, "size": 4, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375136 }, { "func": "int send_sig_info(int sig, struct kernel_siginfo *info, struct task_struct *p)\n{\n\t/*\n\t * Make sure legacy kernel users don't send in bad values\n\t * (normal paths check this in check_kill_permission).\n\t */\n\tif (!valid_signal(sig))\n\t\treturn -EINVAL;\n\n\treturn do_send_sig_info(sig, info, p, PIDTYPE_PID);\n}", "project": "linux", "hash": 128116240244634906630955739480814660363, "size": 11, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. 
With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375154 }, { "func": "filename_mountpoint(int dfd, struct filename *name, struct path *path,\n\t\t\tunsigned int flags)\n{\n\tstruct nameidata nd;\n\tint error;\n\tif (IS_ERR(name))\n\t\treturn PTR_ERR(name);\n\tset_nameidata(&nd, dfd, name);\n\terror = path_mountpoint(&nd, flags | LOOKUP_RCU, path);\n\tif (unlikely(error == -ECHILD))\n\t\terror = path_mountpoint(&nd, flags, path);\n\tif (unlikely(error == -ESTALE))\n\t\terror = path_mountpoint(&nd, flags | LOOKUP_REVAL, path);\n\tif (likely(!error))\n\t\taudit_inode(name, path->dentry, AUDIT_INODE_NOEVAL);\n\trestore_nameidata();\n\tputname(name);\n\treturn error;\n}", "project": "linux", "hash": 263455148169506361268874550154192848940, "size": 19, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295392 }, { "func": "nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,\n\t\t int flags)\n{\n\tstruct nfs_server *server = NFS_SERVER(dir);\n\tstruct nfs4_label l, *ilabel = NULL;\n\tstruct nfs_open_context *ctx;\n\tstruct nfs4_state *state;\n\tint status = 0;\n\n\tctx = alloc_nfs_open_context(dentry, FMODE_READ, NULL);\n\tif (IS_ERR(ctx))\n\t\treturn PTR_ERR(ctx);\n\n\tilabel = nfs4_label_init_security(dir, dentry, sattr, &l);\n\n\tif (!(server->attr_bitmask[2] & FATTR4_WORD2_MODE_UMASK))\n\t\tsattr->ia_mode &= ~current_umask();\n\tstate = nfs4_do_open(dir, ctx, flags, sattr, ilabel, NULL);\n\tif (IS_ERR(state)) {\n\t\tstatus = PTR_ERR(state);\n\t\tgoto out;\n\t}\nout:\n\tnfs4_label_release_security(ilabel);\n\tput_nfs_open_context(ctx);\n\treturn status;\n}", "project": "linux", "hash": 
321465931519755641455616327035116443593, "size": 27, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431339 }, { "func": "static bool checkreturn pb_dec_submessage(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n bool status;\n pb_istream_t substream;\n const pb_field_t* submsg_fields = (const pb_field_t*)field->ptr;\n \n if (!pb_make_string_substream(stream, &substream))\n return false;\n \n if (field->ptr == NULL)\n PB_RETURN_ERROR(stream, \"invalid field descriptor\");\n \n /* New array entries need to be initialized, while required and optional\n * submessages have already been initialized in the top-level pb_decode. 
*/\n if (PB_HTYPE(field->type) == PB_HTYPE_REPEATED)\n status = pb_decode(&substream, submsg_fields, dest);\n else\n status = pb_decode_noinit(&substream, submsg_fields, dest);\n \n if (!pb_close_string_substream(stream, &substream))\n return false;\n return status;\n}", "project": "nanopb", "hash": 38010786344834307320711711914133924569, "size": 23, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252492 }, { "func": "static bool checkreturn pb_dec_submessage(pb_istream_t *stream, const pb_field_iter_t *field)\n{\n bool status = true;\n bool submsg_consumed = false;\n pb_istream_t substream;\n\n if (!pb_make_string_substream(stream, &substream))\n return false;\n \n if (field->submsg_desc == NULL)\n PB_RETURN_ERROR(stream, \"invalid field descriptor\");\n \n /* Submessages can have a separate message-level callback that is called\n * before decoding the message. Typically it is used to set callback fields\n * inside oneofs. */\n if (PB_LTYPE(field->type) == PB_LTYPE_SUBMSG_W_CB && field->pSize != NULL)\n {\n /* Message callback is stored right before pSize. */\n pb_callback_t *callback = (pb_callback_t*)field->pSize - 1;\n if (callback->funcs.decode)\n {\n status = callback->funcs.decode(&substream, field, &callback->arg);\n\n if (substream.bytes_left == 0)\n {\n submsg_consumed = true;\n }\n }\n }\n\n /* Now decode the submessage contents */\n if (status && !submsg_consumed)\n {\n unsigned int flags = 0;\n\n /* Static required/optional fields are already initialized by top-level\n * pb_decode(), no need to initialize them again. 
*/\n if (PB_ATYPE(field->type) == PB_ATYPE_STATIC &&\n PB_HTYPE(field->type) != PB_HTYPE_REPEATED)\n {\n flags = PB_DECODE_NOINIT;\n }\n\n status = pb_decode_inner(&substream, field->submsg_desc, field->pData, flags);\n }\n \n if (!pb_close_string_substream(stream, &substream))\n return false;\n\n return status;\n}", "project": "nanopb", "hash": 237402193480934094941404542685464986825, "size": 51, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254701 }, { "func": "static bool checkreturn pb_dec_submessage(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n bool status;\n pb_istream_t substream;\n const pb_field_t* submsg_fields = (const pb_field_t*)field->ptr;\n \n if (!pb_make_string_substream(stream, &substream))\n return false;\n \n if (field->ptr == NULL)\n PB_RETURN_ERROR(stream, \"invalid field descriptor\");\n \n /* New array entries need to be initialized, while required and optional\n * submessages have already been initialized in the top-level pb_decode. 
*/\n if (PB_HTYPE(field->type) == PB_HTYPE_REPEATED)\n status = pb_decode(&substream, submsg_fields, dest);\n else\n status = pb_decode_noinit(&substream, submsg_fields, dest);\n \n pb_close_string_substream(stream, &substream);\n return status;\n}", "project": "nanopb", "hash": 333412819899212025693136915607797518231, "size": 22, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255340 }, { "func": "static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd(opj_j2k_t * p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager\n )\n{\n opj_tcp_t * l_tcp = 00;\n opj_tcp_t * l_default_tcp = 00;\n OPJ_UINT32 l_nb_tiles;\n OPJ_UINT32 i, j;\n opj_tccp_t *l_current_tccp = 00;\n OPJ_UINT32 l_tccp_size;\n OPJ_UINT32 l_mct_size;\n opj_image_t * l_image;\n OPJ_UINT32 l_mcc_records_size, l_mct_records_size;\n opj_mct_data_t * l_src_mct_rec, *l_dest_mct_rec;\n opj_simple_mcc_decorrelation_data_t * l_src_mcc_rec, *l_dest_mcc_rec;\n OPJ_UINT32 l_offset;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_stream != 00);\n assert(p_manager != 00);\n\n OPJ_UNUSED(p_stream);\n\n l_image = p_j2k->m_private_image;\n l_nb_tiles = p_j2k->m_cp.th * p_j2k->m_cp.tw;\n l_tcp = p_j2k->m_cp.tcps;\n l_tccp_size = l_image->numcomps * (OPJ_UINT32)sizeof(opj_tccp_t);\n l_default_tcp = p_j2k->m_specific_param.m_decoder.m_default_tcp;\n l_mct_size = l_image->numcomps * l_image->numcomps * (OPJ_UINT32)sizeof(\n OPJ_FLOAT32);\n\n /* For each tile */\n for (i = 0; i < l_nb_tiles; ++i) {\n /* keep the tile-compo coding parameters pointer of the current tile coding parameters*/\n l_current_tccp = l_tcp->tccps;\n /*Copy default coding parameters into the current tile coding parameters*/\n memcpy(l_tcp, l_default_tcp, sizeof(opj_tcp_t));\n /* Initialize some values of the current tile coding parameters*/\n l_tcp->cod = 0;\n l_tcp->ppt = 0;\n l_tcp->ppt_data = 00;\n 
l_tcp->m_current_tile_part_number = -1;\n /* Remove memory not owned by this tile in case of early error return. */\n l_tcp->m_mct_decoding_matrix = 00;\n l_tcp->m_nb_max_mct_records = 0;\n l_tcp->m_mct_records = 00;\n l_tcp->m_nb_max_mcc_records = 0;\n l_tcp->m_mcc_records = 00;\n /* Reconnect the tile-compo coding parameters pointer to the current tile coding parameters*/\n l_tcp->tccps = l_current_tccp;\n\n /* Get the mct_decoding_matrix of the dflt_tile_cp and copy them into the current tile cp*/\n if (l_default_tcp->m_mct_decoding_matrix) {\n l_tcp->m_mct_decoding_matrix = (OPJ_FLOAT32*)opj_malloc(l_mct_size);\n if (! l_tcp->m_mct_decoding_matrix) {\n return OPJ_FALSE;\n }\n memcpy(l_tcp->m_mct_decoding_matrix, l_default_tcp->m_mct_decoding_matrix,\n l_mct_size);\n }\n\n /* Get the mct_record of the dflt_tile_cp and copy them into the current tile cp*/\n l_mct_records_size = l_default_tcp->m_nb_max_mct_records * (OPJ_UINT32)sizeof(\n opj_mct_data_t);\n l_tcp->m_mct_records = (opj_mct_data_t*)opj_malloc(l_mct_records_size);\n if (! l_tcp->m_mct_records) {\n return OPJ_FALSE;\n }\n memcpy(l_tcp->m_mct_records, l_default_tcp->m_mct_records, l_mct_records_size);\n\n /* Copy the mct record data from dflt_tile_cp to the current tile*/\n l_src_mct_rec = l_default_tcp->m_mct_records;\n l_dest_mct_rec = l_tcp->m_mct_records;\n\n for (j = 0; j < l_default_tcp->m_nb_mct_records; ++j) {\n\n if (l_src_mct_rec->m_data) {\n\n l_dest_mct_rec->m_data = (OPJ_BYTE*) opj_malloc(l_src_mct_rec->m_data_size);\n if (! l_dest_mct_rec->m_data) {\n return OPJ_FALSE;\n }\n memcpy(l_dest_mct_rec->m_data, l_src_mct_rec->m_data,\n l_src_mct_rec->m_data_size);\n }\n\n ++l_src_mct_rec;\n ++l_dest_mct_rec;\n /* Update with each pass to free exactly what has been allocated on early return. 
*/\n l_tcp->m_nb_max_mct_records += 1;\n }\n\n /* Get the mcc_record of the dflt_tile_cp and copy them into the current tile cp*/\n l_mcc_records_size = l_default_tcp->m_nb_max_mcc_records * (OPJ_UINT32)sizeof(\n opj_simple_mcc_decorrelation_data_t);\n l_tcp->m_mcc_records = (opj_simple_mcc_decorrelation_data_t*) opj_malloc(\n l_mcc_records_size);\n if (! l_tcp->m_mcc_records) {\n return OPJ_FALSE;\n }\n memcpy(l_tcp->m_mcc_records, l_default_tcp->m_mcc_records, l_mcc_records_size);\n l_tcp->m_nb_max_mcc_records = l_default_tcp->m_nb_max_mcc_records;\n\n /* Copy the mcc record data from dflt_tile_cp to the current tile*/\n l_src_mcc_rec = l_default_tcp->m_mcc_records;\n l_dest_mcc_rec = l_tcp->m_mcc_records;\n\n for (j = 0; j < l_default_tcp->m_nb_max_mcc_records; ++j) {\n\n if (l_src_mcc_rec->m_decorrelation_array) {\n l_offset = (OPJ_UINT32)(l_src_mcc_rec->m_decorrelation_array -\n l_default_tcp->m_mct_records);\n l_dest_mcc_rec->m_decorrelation_array = l_tcp->m_mct_records + l_offset;\n }\n\n if (l_src_mcc_rec->m_offset_array) {\n l_offset = (OPJ_UINT32)(l_src_mcc_rec->m_offset_array -\n l_default_tcp->m_mct_records);\n l_dest_mcc_rec->m_offset_array = l_tcp->m_mct_records + l_offset;\n }\n\n ++l_src_mcc_rec;\n ++l_dest_mcc_rec;\n }\n\n /* Copy all the dflt_tile_compo_cp to the current tile cp */\n memcpy(l_current_tccp, l_default_tcp->tccps, l_tccp_size);\n\n /* Move to next tile cp*/\n ++l_tcp;\n }\n\n /* Create the current tile decoder*/\n p_j2k->m_tcd = opj_tcd_create(OPJ_TRUE);\n if (! 
p_j2k->m_tcd) {\n return OPJ_FALSE;\n }\n\n if (!opj_tcd_init(p_j2k->m_tcd, l_image, &(p_j2k->m_cp), p_j2k->m_tp)) {\n opj_tcd_destroy(p_j2k->m_tcd);\n p_j2k->m_tcd = 00;\n opj_event_msg(p_manager, EVT_ERROR, \"Cannot decode tile, memory error\\n\");\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 222841167885639922504468183623934868694, "size": 149, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357371 }, { "func": "static void do_tty_hangup(struct work_struct *work)\n{\n\tstruct tty_struct *tty =\n\t\tcontainer_of(work, struct tty_struct, hangup_work);\n\n\t__tty_hangup(tty, 0);\n}", "project": "linux", "hash": 35596762882264937340536579903958772116, "size": 7, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325980 }, { "func": " TypedValue asTypedValue() const {\n assertx(m_str);\n return make_tv(m_str.get());\n }", "project": "hhvm", "hash": 285003369393530453759468986073356725622, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219143 }, { "func": " Item_insert_value(THD *thd, Name_resolution_context *context_arg, Item *a)\n :Item_field(thd, context_arg, (const char *)NULL, (const char *)NULL,\n (const char *)NULL),\n arg(a) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 7681298216031655221082153282909459144, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509127 }, { "func": "TfLiteStatus Subgraph::AddNodeWithParameters(\n const std::vector& inputs, const std::vector& outputs,\n const std::vector& intermediates, const char* init_data,\n size_t init_data_size, void* builtin_data,\n const TfLiteRegistration* registration, int* node_index) {\n std::unique_ptr builtin_data_deleter(builtin_data,\n free);\n if (state_ == kStateInvokableAndImmutable) {\n ReportError(\"AddNodeWithParameters is disallowed when graph is immutable.\");\n return kTfLiteError;\n }\n state_ = kStateUninvokable;\n\n TF_LITE_ENSURE_OK(&context_, CheckTensorIndices(\"node inputs\", inputs.data(),\n inputs.size()));\n TF_LITE_ENSURE_OK(\n &context_,\n CheckTensorIndices(\"node outputs\", outputs.data(), outputs.size()));\n\n int new_node_index = nodes_and_registration_.size();\n if (node_index) *node_index = new_node_index;\n nodes_and_registration_.resize(nodes_and_registration_.size() + 1);\n auto& node_and_reg = nodes_and_registration_.back();\n TfLiteNode& node = node_and_reg.first;\n if (node.inputs) TfLiteIntArrayFree(node.inputs);\n if (node.outputs) TfLiteIntArrayFree(node.outputs);\n if (node.intermediates) TfLiteIntArrayFree(node.intermediates);\n if (node.temporaries) TfLiteIntArrayFree(node.temporaries);\n\n // NOTE, here we are not using move semantics yet, since our internal\n // representation isn't std::vector, but in the future 
we would like to avoid\n // copies, so we want the interface to take r-value references now.\n node.inputs = ConvertVectorToTfLiteIntArray(inputs);\n node.outputs = ConvertVectorToTfLiteIntArray(outputs);\n node.intermediates = ConvertVectorToTfLiteIntArray(intermediates);\n node.temporaries = TfLiteIntArrayCreate(0);\n if (init_data) {\n node.user_data = OpInit(*registration, init_data, init_data_size);\n } else {\n node.user_data = OpInit(\n *registration, static_cast(builtin_data_deleter.get()), 0);\n }\n\n node.builtin_data = builtin_data_deleter.release();\n // TODO(ycling): Filling `custom_initial_data` and `custom_initial_data_size`\n // properly for nodes generated by ReplaceNodeSubsetsWithDelegateKernels.\n\n if (registration->builtin_code == BuiltinOperator_CUSTOM) {\n // When it's a CUSTOM op, the `custom_options` field in the Flatbuffer\n // `Operator` table is passed in.\n node.custom_initial_data = init_data;\n node.custom_initial_data_size = init_data_size;\n } else {\n node.custom_initial_data = nullptr;\n node.custom_initial_data_size = 0;\n }\n\n node.delegate = nullptr;\n // Copying of registration is required to support unresolved custom ops.\n node_and_reg.second = *registration;\n execution_plan_.push_back(new_node_index);\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 235526692593501681283256977461713389749, "size": 63, "commit_id": "d58c96946b2880991d63d1dacacb32f0a4dfa453", "message": "[tflite] Ensure inputs and outputs don't overlap.\n\nIf a model uses the same tensor for both an input and an output then this can result in data loss and memory corruption. 
This should not happen.\n\nPiperOrigin-RevId: 332522916\nChange-Id: If0905b142415a9dfceaf2d181872f2a8fb88f48a", "target": 1, "dataset": "other", "idx": 197665 }, { "func": "static kvm_pfn_t hva_to_pfn(unsigned long addr, bool atomic, bool *async,\n\t\t\tbool write_fault, bool *writable)\n{\n\tstruct vm_area_struct *vma;\n\tkvm_pfn_t pfn = 0;\n\tint npages, r;\n\n\t/* we can do it either atomically or asynchronously, not both */\n\tBUG_ON(atomic && async);\n\n\tif (hva_to_pfn_fast(addr, write_fault, writable, &pfn))\n\t\treturn pfn;\n\n\tif (atomic)\n\t\treturn KVM_PFN_ERR_FAULT;\n\n\tnpages = hva_to_pfn_slow(addr, async, write_fault, writable, &pfn);\n\tif (npages == 1)\n\t\treturn pfn;\n\n\tdown_read(¤t->mm->mmap_sem);\n\tif (npages == -EHWPOISON ||\n\t (!async && check_user_page_hwpoison(addr))) {\n\t\tpfn = KVM_PFN_ERR_HWPOISON;\n\t\tgoto exit;\n\t}\n\nretry:\n\tvma = find_vma_intersection(current->mm, addr, addr + 1);\n\n\tif (vma == NULL)\n\t\tpfn = KVM_PFN_ERR_FAULT;\n\telse if (vma->vm_flags & (VM_IO | VM_PFNMAP)) {\n\t\tr = hva_to_pfn_remapped(vma, addr, async, write_fault, writable, &pfn);\n\t\tif (r == -EAGAIN)\n\t\t\tgoto retry;\n\t\tif (r < 0)\n\t\t\tpfn = KVM_PFN_ERR_FAULT;\n\t} else {\n\t\tif (async && vma_is_valid(vma, write_fault))\n\t\t\t*async = true;\n\t\tpfn = KVM_PFN_ERR_FAULT;\n\t}\nexit:\n\tup_read(¤t->mm->mmap_sem);\n\treturn pfn;\n}", "project": "linux", "hash": 247609173231047992496012532333543741425, "size": 47, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: 
Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354603 }, { "func": "static kvm_pfn_t hva_to_pfn(unsigned long addr, bool atomic, bool *async,\n\t\t\tbool write_fault, bool *writable)\n{\n\tstruct vm_area_struct *vma;\n\tkvm_pfn_t pfn = 0;\n\tint npages, r;\n\n\t/* we can do it either atomically or asynchronously, not both */\n\tBUG_ON(atomic && async);\n\n\tif (hva_to_pfn_fast(addr, write_fault, writable, &pfn))\n\t\treturn pfn;\n\n\tif (atomic)\n\t\treturn KVM_PFN_ERR_FAULT;\n\n\tnpages = hva_to_pfn_slow(addr, async, write_fault, writable, &pfn);\n\tif (npages == 1)\n\t\treturn pfn;\n\n\tmmap_read_lock(current->mm);\n\tif (npages == -EHWPOISON ||\n\t (!async && check_user_page_hwpoison(addr))) {\n\t\tpfn = KVM_PFN_ERR_HWPOISON;\n\t\tgoto exit;\n\t}\n\nretry:\n\tvma = find_vma_intersection(current->mm, addr, addr + 1);\n\n\tif (vma == NULL)\n\t\tpfn = KVM_PFN_ERR_FAULT;\n\telse if (vma->vm_flags & (VM_IO | VM_PFNMAP)) {\n\t\tr = hva_to_pfn_remapped(vma, addr, async, write_fault, writable, &pfn);\n\t\tif (r == -EAGAIN)\n\t\t\tgoto retry;\n\t\tif (r < 0)\n\t\t\tpfn = KVM_PFN_ERR_FAULT;\n\t} else {\n\t\tif (async && vma_is_valid(vma, write_fault))\n\t\t\t*async = true;\n\t\tpfn = KVM_PFN_ERR_FAULT;\n\t}\nexit:\n\tmmap_read_unlock(current->mm);\n\treturn pfn;\n}", "project": "linux", "hash": 305837684821454545436806797812315360263, "size": 47, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404051 }, { "func": "static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)\n{\n\tif (ctnetlink_dump_status(skb, ct) < 0 ||\n\t ctnetlink_dump_mark(skb, ct) < 0 ||\n\t ctnetlink_dump_secctx(skb, ct) < 0 ||\n\t ctnetlink_dump_id(skb, ct) < 0 ||\n\t ctnetlink_dump_use(skb, ct) < 0 ||\n\t ctnetlink_dump_master(skb, ct) < 0)\n\t\treturn -1;\n\n\tif (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&\n\t (ctnetlink_dump_timeout(skb, ct) < 0 ||\n\t ctnetlink_dump_protoinfo(skb, ct) < 0))\n\t\treturn -1;\n\n\treturn 0;\n}", "project": "linux", "hash": 161569521276675292417046035108896632351, "size": 17, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. 
MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394176 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "VideoRendererBase::~VideoRendererBase() {\n base::AutoLock auto_lock(lock_);\n DCHECK(state_ == kUninitialized || state_ == kStopped) << state_;\n }\n", "cwe": "", "big_vul_idx": 113365, "idx": 101654, "hash": 181299905172171206522373087815565082445 }, { "func": "static int on_map(h2_stream_state_t state, int map[H2_SS_MAX])\n{\n int op = map[state];\n switch (op) {\n case S_XXX:\n case S_ERR:\n return op;\n case S_NOP:\n return state;\n default:\n return op-1;\n }\n}", "project": "httpd", "hash": 36262192325334251083115807022635051948, "size": 13, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284239 }, { "func": "void tipc_node_check_dest(struct net *net, u32 addr,\n\t\t\t u8 *peer_id, struct 
tipc_bearer *b,\n\t\t\t u16 capabilities, u32 signature, u32 hash_mixes,\n\t\t\t struct tipc_media_addr *maddr,\n\t\t\t bool *respond, bool *dupl_addr)\n{\n\tstruct tipc_node *n;\n\tstruct tipc_link *l, *snd_l;\n\tstruct tipc_link_entry *le;\n\tbool addr_match = false;\n\tbool sign_match = false;\n\tbool link_up = false;\n\tbool accept_addr = false;\n\tbool reset = true;\n\tchar *if_name;\n\tunsigned long intv;\n\tu16 session;\n\n\t*dupl_addr = false;\n\t*respond = false;\n\n\tn = tipc_node_create(net, addr, peer_id, capabilities, hash_mixes,\n\t\t\t false);\n\tif (!n)\n\t\treturn;\n\n\ttipc_node_write_lock(n);\n\tif (unlikely(!n->bc_entry.link)) {\n\t\tsnd_l = tipc_bc_sndlink(net);\n\t\tif (!tipc_link_bc_create(net, tipc_own_addr(net),\n\t\t\t\t\t addr, peer_id, U16_MAX,\n\t\t\t\t\t tipc_link_min_win(snd_l),\n\t\t\t\t\t tipc_link_max_win(snd_l),\n\t\t\t\t\t n->capabilities,\n\t\t\t\t\t &n->bc_entry.inputq1,\n\t\t\t\t\t &n->bc_entry.namedq, snd_l,\n\t\t\t\t\t &n->bc_entry.link)) {\n\t\t\tpr_warn(\"Broadcast rcv link creation failed, no mem\\n\");\n\t\t\ttipc_node_write_unlock_fast(n);\n\t\t\ttipc_node_put(n);\n\t\t\treturn;\n\t\t}\n\t}\n\n\tle = &n->links[b->identity];\n\n\t/* Prepare to validate requesting node's signature and media address */\n\tl = le->link;\n\tlink_up = l && tipc_link_is_up(l);\n\taddr_match = l && !memcmp(&le->maddr, maddr, sizeof(*maddr));\n\tsign_match = (signature == n->signature);\n\n\t/* These three flags give us eight permutations: */\n\n\tif (sign_match && addr_match && link_up) {\n\t\t/* All is fine. Do nothing. */\n\t\treset = false;\n\t\t/* Peer node is not a container/local namespace */\n\t\tif (!n->peer_hash_mix)\n\t\t\tn->peer_hash_mix = hash_mixes;\n\t} else if (sign_match && addr_match && !link_up) {\n\t\t/* Respond. 
The link will come up in due time */\n\t\t*respond = true;\n\t} else if (sign_match && !addr_match && link_up) {\n\t\t/* Peer has changed i/f address without rebooting.\n\t\t * If so, the link will reset soon, and the next\n\t\t * discovery will be accepted. So we can ignore it.\n\t\t * It may also be an cloned or malicious peer having\n\t\t * chosen the same node address and signature as an\n\t\t * existing one.\n\t\t * Ignore requests until the link goes down, if ever.\n\t\t */\n\t\t*dupl_addr = true;\n\t} else if (sign_match && !addr_match && !link_up) {\n\t\t/* Peer link has changed i/f address without rebooting.\n\t\t * It may also be a cloned or malicious peer; we can't\n\t\t * distinguish between the two.\n\t\t * The signature is correct, so we must accept.\n\t\t */\n\t\taccept_addr = true;\n\t\t*respond = true;\n\t} else if (!sign_match && addr_match && link_up) {\n\t\t/* Peer node rebooted. Two possibilities:\n\t\t * - Delayed re-discovery; this link endpoint has already\n\t\t * reset and re-established contact with the peer, before\n\t\t * receiving a discovery message from that node.\n\t\t * (The peer happened to receive one from this node first).\n\t\t * - The peer came back so fast that our side has not\n\t\t * discovered it yet. 
Probing from this side will soon\n\t\t * reset the link, since there can be no working link\n\t\t * endpoint at the peer end, and the link will re-establish.\n\t\t * Accept the signature, since it comes from a known peer.\n\t\t */\n\t\tn->signature = signature;\n\t} else if (!sign_match && addr_match && !link_up) {\n\t\t/* The peer node has rebooted.\n\t\t * Accept signature, since it is a known peer.\n\t\t */\n\t\tn->signature = signature;\n\t\t*respond = true;\n\t} else if (!sign_match && !addr_match && link_up) {\n\t\t/* Peer rebooted with new address, or a new/duplicate peer.\n\t\t * Ignore until the link goes down, if ever.\n\t\t */\n\t\t*dupl_addr = true;\n\t} else if (!sign_match && !addr_match && !link_up) {\n\t\t/* Peer rebooted with new address, or it is a new peer.\n\t\t * Accept signature and address.\n\t\t */\n\t\tn->signature = signature;\n\t\taccept_addr = true;\n\t\t*respond = true;\n\t}\n\n\tif (!accept_addr)\n\t\tgoto exit;\n\n\t/* Now create new link if not already existing */\n\tif (!l) {\n\t\tif (n->link_cnt == 2)\n\t\t\tgoto exit;\n\n\t\tif_name = strchr(b->name, ':') + 1;\n\t\tget_random_bytes(&session, sizeof(u16));\n\t\tif (!tipc_link_create(net, if_name, b->identity, b->tolerance,\n\t\t\t\t b->net_plane, b->mtu, b->priority,\n\t\t\t\t b->min_win, b->max_win, session,\n\t\t\t\t tipc_own_addr(net), addr, peer_id,\n\t\t\t\t n->capabilities,\n\t\t\t\t tipc_bc_sndlink(n->net), n->bc_entry.link,\n\t\t\t\t &le->inputq,\n\t\t\t\t &n->bc_entry.namedq, &l)) {\n\t\t\t*respond = false;\n\t\t\tgoto exit;\n\t\t}\n\t\ttrace_tipc_link_reset(l, TIPC_DUMP_ALL, \"link created!\");\n\t\ttipc_link_reset(l);\n\t\ttipc_link_fsm_evt(l, LINK_RESET_EVT);\n\t\tif (n->state == NODE_FAILINGOVER)\n\t\t\ttipc_link_fsm_evt(l, LINK_FAILOVER_BEGIN_EVT);\n\t\tle->link = l;\n\t\tn->link_cnt++;\n\t\ttipc_node_calculate_timer(n, l);\n\t\tif (n->link_cnt == 1) {\n\t\t\tintv = jiffies + msecs_to_jiffies(n->keepalive_intv);\n\t\t\tif (!mod_timer(&n->timer, 
intv))\n\t\t\t\ttipc_node_get(n);\n\t\t}\n\t}\n\tmemcpy(&le->maddr, maddr, sizeof(*maddr));\nexit:\n\ttipc_node_write_unlock(n);\n\tif (reset && l && !tipc_link_is_reset(l))\n\t\ttipc_node_link_down(n, b->identity, false);\n\ttipc_node_put(n);\n}", "project": "linux", "hash": 79688352044863319404474968917851392725, "size": 156, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg 
net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 
net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364961 }, { "func": " double val_real_from_item(Item *item)\n {\n DBUG_ASSERT(fixed == 1);\n double value= item->val_real();\n null_value= item->null_value;\n return value;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 119795198104333664303048123874752748230, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509249 }, { "func": "void gdImageCopyResampled (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int srcX, int srcY, int dstW, int dstH, int srcW, int srcH)\n{\n\tint x, y;\n\tdouble sy1, sy2, sx1, sx2;\n\n\tif (!dst->trueColor) {\n\t\tgdImageCopyResized (dst, src, dstX, dstY, srcX, srcY, dstW, dstH, srcW, srcH);\n\t\treturn;\n\t}\n\tfor (y = dstY; (y < dstY + dstH); y++) {\n\t\tsy1 = ((double) y - (double) dstY) * (double) srcH / (double) dstH;\n\t\tsy2 = ((double) (y + 1) - (double) dstY) * (double) srcH / (double) dstH;\n\t\tfor (x = dstX; (x < dstX + dstW); x++) {\n\t\t\tdouble sx, sy;\n\t\t\tdouble spixels = 0;\n\t\t\tdouble red = 0.0, green = 0.0, blue = 0.0, alpha = 0.0;\n\t\t\tdouble alpha_factor, alpha_sum = 0.0, contrib_sum = 0.0;\n\t\t\tsx1 = ((double) x - (double) dstX) * (double) srcW / dstW;\n\t\t\tsx2 = ((double) (x + 1) - (double) dstX) * (double) srcW / dstW;\n\t\t\tsy = sy1;\n\t\t\tdo {\n\t\t\t\tdouble yportion;\n\t\t\t\tif (floor_cast(sy) == floor_cast(sy1)) {\n\t\t\t\t\typortion = 1.0f - (sy - floor_cast(sy));\n\t\t\t\t\tif (yportion > sy2 - sy1) {\n\t\t\t\t\t\typortion = sy2 - sy1;\n\t\t\t\t\t}\n\t\t\t\t\tsy = floor_cast(sy);\n\t\t\t\t} else if (sy == floorf(sy2)) {\n\t\t\t\t\typortion = sy2 - floor_cast(sy2);\n\t\t\t\t} else {\n\t\t\t\t\typortion = 1.0f;\n\t\t\t\t}\n\t\t\t\tsx = sx1;\n\t\t\t\tdo {\n\t\t\t\t\tdouble xportion;\n\t\t\t\t\tdouble pcontribution;\n\t\t\t\t\tint p;\n\t\t\t\t\tif (floorf(sx) == floor_cast(sx1)) {\n\t\t\t\t\t\txportion = 1.0f - (sx - floor_cast(sx));\n\t\t\t\t\t\tif (xportion > sx2 - sx1) {\n\t\t\t\t\t\t\txportion = sx2 - sx1;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tsx = floor_cast(sx);\n\t\t\t\t\t} else if (sx == floorf(sx2)) {\n\t\t\t\t\t\txportion = sx2 - floor_cast(sx2);\n\t\t\t\t\t} else {\n\t\t\t\t\t\txportion = 
1.0f;\n\t\t\t\t\t}\n\t\t\t\t\tpcontribution = xportion * yportion;\n\t\t\t\t\tp = gdImageGetTrueColorPixel(src, (int) sx + srcX, (int) sy + srcY);\n\n\t\t\t\t\talpha_factor = ((gdAlphaMax - gdTrueColorGetAlpha(p))) * pcontribution;\n\t\t\t\t\tred += gdTrueColorGetRed (p) * alpha_factor;\n\t\t\t\t\tgreen += gdTrueColorGetGreen (p) * alpha_factor;\n\t\t\t\t\tblue += gdTrueColorGetBlue (p) * alpha_factor;\n\t\t\t\t\talpha += gdTrueColorGetAlpha (p) * pcontribution;\n\t\t\t\t\talpha_sum += alpha_factor;\n\t\t\t\t\tcontrib_sum += pcontribution;\n\t\t\t\t\tspixels += xportion * yportion;\n\t\t\t\t\tsx += 1.0f;\n\t\t\t\t}\n\t\t\t\twhile (sx < sx2);\n\n\t\t\t\tsy += 1.0f;\n\t\t\t}\n\n\t\t\twhile (sy < sy2);\n\n\t\t\tif (spixels != 0.0f) {\n\t\t\t\tred /= spixels;\n\t\t\t\tgreen /= spixels;\n\t\t\t\tblue /= spixels;\n\t\t\t\talpha /= spixels;\n\t\t\t\talpha += 0.5;\n\t\t\t}\n\t\t\tif ( alpha_sum != 0.0f) {\n\t\t\t\tif( contrib_sum != 0.0f) {\n\t\t\t\t\talpha_sum /= contrib_sum;\n\t\t\t\t}\n\t\t\t\tred /= alpha_sum;\n\t\t\t\tgreen /= alpha_sum;\n\t\t\t\tblue /= alpha_sum;\n\t\t\t}\n\t\t\t/* Clamping to allow for rounding errors above */\n\t\t\tif (red > 255.0f) {\n\t\t\t\tred = 255.0f;\n\t\t\t}\n\t\t\tif (green > 255.0f) {\n\t\t\t\tgreen = 255.0f;\n\t\t\t}\n\t\t\tif (blue > 255.0f) {\n\t\t\t\tblue = 255.0f;\n\t\t\t}\n\t\t\tif (alpha > gdAlphaMax) {\n\t\t\t\talpha = gdAlphaMax;\n\t\t\t}\n\t\t\tgdImageSetPixel(dst, x, y, gdTrueColorAlpha ((int) red, (int) green, (int) blue, (int) alpha));\n\t\t}\n\t}\n}", "project": "php-src", "hash": 266928980402027741134271471033167681912, "size": 101, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295119 }, { "func": " Status ValidateInput(const OpInputList& ragged_values_list,\n const OpInputList& ragged_splits_list,\n const OpInputList& sparse_indices_list,\n const OpInputList& 
sparse_values_list,\n const OpInputList& sparse_shape_list,\n const OpInputList& dense_list) {\n const auto num_ragged = ragged_values_list.size();\n const auto num_sparse = sparse_indices_list.size();\n\n // Validate tensor shapes.\n for (int i = 0; i < num_ragged; ++i) {\n if (!TensorShapeUtils::IsVector(ragged_values_list[i].shape())) {\n return errors::InvalidArgument(\n \"tf.ragged.cross only supports inputs with rank=2.\");\n }\n if (!TensorShapeUtils::IsVector(ragged_splits_list[i].shape()) ||\n (ragged_splits_list[i].NumElements() == 0)) {\n return errors::InvalidArgument(\"Invalid RaggedTensor\");\n }\n }\n for (int i = 0; i < num_sparse; ++i) {\n if (!TensorShapeUtils::IsMatrix(sparse_indices_list[i].shape()) ||\n !TensorShapeUtils::IsVector(sparse_values_list[i].shape()) ||\n !TensorShapeUtils::IsVector(sparse_shape_list[i].shape())) {\n return errors::InvalidArgument(\"Invalid SparseTensor \", i);\n }\n if (sparse_shape_list[i].NumElements() != 2) {\n return errors::InvalidArgument(\n \"tf.ragged.cross only supports inputs with rank=2.\");\n }\n }\n for (int i = 0; i < dense_list.size(); ++i) {\n if (!TensorShapeUtils::IsMatrix(dense_list[i].shape())) {\n return errors::InvalidArgument(\n \"tf.ragged.cross only supports inputs with rank=2.\");\n }\n }\n\n // Check that batch sizes are consistent.\n int64 batch_size =\n CalculateBatchSize(ragged_splits_list, sparse_shape_list, dense_list);\n for (int i = 0; i < num_ragged; ++i) {\n if (ragged_splits_list[i].NumElements() - 1 != batch_size) {\n return errors::InvalidArgument(\n \"inputs must all have the same batch dimension size.\");\n }\n }\n for (int i = 0; i < num_sparse; ++i) {\n if (sparse_shape_list[i].flat()(0) != batch_size) {\n return errors::InvalidArgument(\n \"inputs must all have the same batch dimension size.\");\n }\n }\n for (int i = 0; i < dense_list.size(); ++i) {\n if (dense_list[i].dim_size(0) != batch_size) {\n return errors::InvalidArgument(\n \"inputs must all have the same batch 
dimension size.\");\n }\n }\n\n return Status::OK();\n }", "project": "tensorflow", "hash": 113149565017364437109387355364610376379, "size": 62, "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a", "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9", "target": 0, "dataset": "other", "idx": 230071 }, { "func": "serialize_list(const char *varname, struct list_members *members)\n{\n struct list_member *lm, *next;\n size_t len, result_size;\n char *result;\n debug_decl(serialize_list, SUDOERS_DEBUG_PLUGIN);\n\n result_size = strlen(varname) + 1;\n SLIST_FOREACH(lm, members, entries) {\n\tresult_size += strlen(lm->value) + 1;\n }\n if ((result = malloc(result_size)) == NULL)\n\tgoto bad;\n /* No need to check len for overflow here. */\n len = strlcpy(result, varname, result_size);\n result[len++] = '=';\n result[len] = '\\0';\n SLIST_FOREACH_SAFE(lm, members, entries, next) {\n\tlen = strlcat(result, lm->value, result_size);\n\tif (len + (next != NULL) >= result_size) {\n\t sudo_warnx(U_(\"internal error, %s overflow\"), __func__);\n\t goto bad;\n\t}\n\tif (next != NULL) {\n\t result[len++] = ',';\n\t result[len] = '\\0';\n\t}\n }\n debug_return_str(result);\nbad:\n free(result);\n debug_return_str(NULL);\n}", "project": "sudo", "hash": 50801834158996303846321833981923367397, "size": 33, "commit_id": "c4d384082fdbc8406cf19e08d05db4cded920a55", "message": "Add sudoedit flag checks in plugin that are consistent with front-end.\nDon't assume the sudo front-end is sending reasonable mode flags.\nThese checks need to be kept consistent between the sudo front-end\nand the sudoers plugin.", "target": 0, "dataset": "other", "idx": 356725 }, { "func": "void fuse_invalidate_attr(struct inode *inode)\n{\n\tfuse_invalidate_attr_mask(inode, STATX_BASIC_STATS);\n}", "project": "linux", "hash": 285516509573841586066938605082998494344, "size": 4, "commit_id": 
"5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341904 }, { "func": "opj_tcd_marker_info_t* opj_tcd_marker_info_create(OPJ_BOOL need_PLT)\n{\n opj_tcd_marker_info_t *l_tcd_marker_info =\n (opj_tcd_marker_info_t*) opj_calloc(1, sizeof(opj_tcd_marker_info_t));\n if (!l_tcd_marker_info) {\n return NULL;\n }\n\n l_tcd_marker_info->need_PLT = need_PLT;\n\n return l_tcd_marker_info;\n}", "project": "openjpeg", "hash": 201499095659642165159745336615368932025, "size": 12, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359189 }, { "func": "void CSoundFile::NoteCut(CHANNELINDEX nChn, uint32 nTick, bool cutSample)\n{\n\tif (m_PlayState.m_nTickCount == nTick)\n\t{\n\t\tModChannel *pChn = &m_PlayState.Chn[nChn];\n\t\tif(cutSample)\n\t\t{\n\t\t\tpChn->increment.Set(0);\n\t\t\tpChn->nFadeOutVol = 0;\n\t\t\tpChn->dwFlags.set(CHN_NOTEFADE);\n\t\t} else\n\t\t{\n\t\t\tpChn->nVolume = 0;\n\t\t}\n\t\tpChn->dwFlags.set(CHN_FASTVOLRAMP);\n\n\t\t// instro sends to a 
midi chan\n\t\tSendMIDINote(nChn, /*pChn->nNote+*/NOTE_MAX_SPECIAL, 0);\n\t}\n}", "project": "openmpt", "hash": 37939583736314378863744728772149110349, "size": 20, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255213 }, { "func": "int tipc_nl_node_dump_link(struct sk_buff *skb, struct netlink_callback *cb)\n{\n\tstruct net *net = sock_net(skb->sk);\n\tstruct nlattr **attrs = genl_dumpit_info(cb)->attrs;\n\tstruct nlattr *link[TIPC_NLA_LINK_MAX + 1];\n\tstruct tipc_net *tn = net_generic(net, tipc_net_id);\n\tstruct tipc_node *node;\n\tstruct tipc_nl_msg msg;\n\tu32 prev_node = cb->args[0];\n\tu32 prev_link = cb->args[1];\n\tint done = cb->args[2];\n\tbool bc_link = cb->args[3];\n\tint err;\n\n\tif (done)\n\t\treturn 0;\n\n\tif (!prev_node) {\n\t\t/* Check if broadcast-receiver links dumping is needed */\n\t\tif (attrs && attrs[TIPC_NLA_LINK]) {\n\t\t\terr = nla_parse_nested_deprecated(link,\n\t\t\t\t\t\t\t TIPC_NLA_LINK_MAX,\n\t\t\t\t\t\t\t attrs[TIPC_NLA_LINK],\n\t\t\t\t\t\t\t tipc_nl_link_policy,\n\t\t\t\t\t\t\t NULL);\n\t\t\tif (unlikely(err))\n\t\t\t\treturn err;\n\t\t\tif (unlikely(!link[TIPC_NLA_LINK_BROADCAST]))\n\t\t\t\treturn -EINVAL;\n\t\t\tbc_link = true;\n\t\t}\n\t}\n\n\tmsg.skb = skb;\n\tmsg.portid = NETLINK_CB(cb->skb).portid;\n\tmsg.seq = cb->nlh->nlmsg_seq;\n\n\trcu_read_lock();\n\tif (prev_node) {\n\t\tnode = tipc_node_find(net, prev_node);\n\t\tif (!node) {\n\t\t\t/* We never set seq or call nl_dump_check_consistent()\n\t\t\t * this means that setting prev_seq here will cause the\n\t\t\t * consistence check to fail in the netlink callback\n\t\t\t * handler. 
Resulting in the last NLMSG_DONE message\n\t\t\t * having the NLM_F_DUMP_INTR flag set.\n\t\t\t */\n\t\t\tcb->prev_seq = 1;\n\t\t\tgoto out;\n\t\t}\n\t\ttipc_node_put(node);\n\n\t\tlist_for_each_entry_continue_rcu(node, &tn->node_list,\n\t\t\t\t\t\t list) {\n\t\t\ttipc_node_read_lock(node);\n\t\t\terr = __tipc_nl_add_node_links(net, &msg, node,\n\t\t\t\t\t\t &prev_link, bc_link);\n\t\t\ttipc_node_read_unlock(node);\n\t\t\tif (err)\n\t\t\t\tgoto out;\n\n\t\t\tprev_node = node->addr;\n\t\t}\n\t} else {\n\t\terr = tipc_nl_add_bc_link(net, &msg, tn->bcl);\n\t\tif (err)\n\t\t\tgoto out;\n\n\t\tlist_for_each_entry_rcu(node, &tn->node_list, list) {\n\t\t\ttipc_node_read_lock(node);\n\t\t\terr = __tipc_nl_add_node_links(net, &msg, node,\n\t\t\t\t\t\t &prev_link, bc_link);\n\t\t\ttipc_node_read_unlock(node);\n\t\t\tif (err)\n\t\t\t\tgoto out;\n\n\t\t\tprev_node = node->addr;\n\t\t}\n\t}\n\tdone = 1;\nout:\n\trcu_read_unlock();\n\n\tcb->args[0] = prev_node;\n\tcb->args[1] = prev_link;\n\tcb->args[2] = done;\n\tcb->args[3] = bc_link;\n\n\treturn skb->len;\n}", "project": "linux", "hash": 200687478918726075090921140239862079770, "size": 90, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 
mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 
R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364947 }, { "func": "static void __enable_ibs_on_vcpu(struct kvm_vcpu *vcpu)\n{\n\tif (!sclp.has_ibs)\n\t\treturn;\n\tkvm_check_request(KVM_REQ_DISABLE_IBS, vcpu);\n\tkvm_s390_sync_request(KVM_REQ_ENABLE_IBS, vcpu);\n}", "project": "linux", "hash": 67395073646921230424550077500107001881, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354617 }, { "func": "static void connectable_update_work(struct work_struct *work)\n{\n\tstruct hci_dev *hdev = container_of(work, struct hci_dev,\n\t\t\t\t\t connectable_update);\n\tu8 status;\n\n\thci_req_sync(hdev, connectable_update, 0, HCI_CMD_TIMEOUT, &status);\n\tmgmt_set_connectable_complete(hdev, status);\n}", "project": "linux", "hash": 58390929864338645214943325887204770602, "size": 9, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... 
| test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402541 }, { "func": "static int can_open_delegated(struct nfs_delegation *delegation, fmode_t fmode,\n\t\tenum open_claim_type4 claim)\n{\n\tif (delegation == NULL)\n\t\treturn 0;\n\tif ((delegation->type & fmode) != fmode)\n\t\treturn 0;\n\tswitch (claim) {\n\tcase NFS4_OPEN_CLAIM_NULL:\n\tcase NFS4_OPEN_CLAIM_FH:\n\t\tbreak;\n\tcase NFS4_OPEN_CLAIM_PREVIOUS:\n\t\tif (!test_bit(NFS_DELEGATION_NEED_RECLAIM, &delegation->flags))\n\t\t\tbreak;\n\t\t/* Fall through */\n\tdefault:\n\t\treturn 0;\n\t}\n\tnfs_mark_delegation_referenced(delegation);\n\treturn 1;\n}", "project": "linux", "hash": 201855306938076326174718991572069031554, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431552 }, { "func": "double table_multi_eq_cond_selectivity(JOIN *join, uint idx, JOIN_TAB *s,\n table_map rem_tables, uint keyparts,\n uint16 *ref_keyuse_steps)\n{\n double sel= 1.0;\n COND_EQUAL *cond_equal= join->cond_equal;\n\n if (!cond_equal || !cond_equal->current_level.elements)\n return sel;\n\n if (!s->keyuse)\n return sel;\n\n Item_equal *item_equal;\n List_iterator_fast it(cond_equal->current_level);\n TABLE *table= s->table;\n table_map table_bit= table->map;\n 
POSITION *pos= &join->positions[idx];\n \n while ((item_equal= it++))\n { \n /* \n Check whether we need to take into account the selectivity of\n multiple equality item_equal. If this is the case multiply\n the current value of sel by this selectivity\n */\n table_map used_tables= item_equal->used_tables();\n if (!(used_tables & table_bit))\n continue;\n if (item_equal->get_const())\n continue;\n\n bool adjust_sel= FALSE;\n Item_equal_fields_iterator fi(*item_equal);\n while((fi++) && !adjust_sel)\n {\n Field *fld= fi.get_curr_field();\n if (fld->table->map != table_bit)\n continue;\n if (pos->key == 0)\n adjust_sel= TRUE;\n else\n {\n uint i;\n KEYUSE *keyuse= pos->key;\n uint key= keyuse->key;\n for (i= 0; i < keyparts; i++)\n\t{\n if (i > 0)\n keyuse+= ref_keyuse_steps[i-1];\n uint fldno;\n if (is_hash_join_key_no(key))\n\t fldno= keyuse->keypart;\n else\n fldno= table->key_info[key].key_part[i].fieldnr - 1; \n if (fld->field_index == fldno)\n break;\n }\n keyuse= pos->key;\n\n if (i == keyparts)\n\t{\n /* \n Field fld is included in multiple equality item_equal\n and is not a part of the ref key.\n The selectivity of the multiple equality must be taken\n into account unless one of the ref arguments is\n equal to fld. 
\n\t */\n adjust_sel= TRUE;\n for (uint j= 0; j < keyparts && adjust_sel; j++)\n\t {\n if (j > 0)\n keyuse+= ref_keyuse_steps[j-1]; \n Item *ref_item= keyuse->val;\n\t if (ref_item->real_item()->type() == Item::FIELD_ITEM)\n\t {\n Item_field *field_item= (Item_field *) (ref_item->real_item());\n if (item_equal->contains(field_item->field))\n adjust_sel= FALSE; \n\t }\n }\n } \n }\n }\n if (adjust_sel)\n {\n /* \n If ref == 0 and there are no fields in the multiple equality\n item_equal that belong to the tables joined prior to s\n then the selectivity of multiple equality will be set to 1.0.\n */\n double eq_fld_sel= 1.0;\n fi.rewind();\n while ((fi++))\n {\n double curr_eq_fld_sel;\n Field *fld= fi.get_curr_field();\n if (!(fld->table->map & ~(table_bit | rem_tables)))\n continue;\n curr_eq_fld_sel= get_column_avg_frequency(fld) /\n fld->table->stat_records();\n if (curr_eq_fld_sel < 1.0)\n set_if_bigger(eq_fld_sel, curr_eq_fld_sel);\n }\n sel*= eq_fld_sel;\n }\n } \n return sel;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 178711522008032909909297984212849146386, "size": 110, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508509 }, { "func": "static inline void add_full(struct kmem_cache *s, struct kmem_cache_node *n,\n\t\t\t\t\tstruct page *page) {}", "project": "linux", "hash": 5842719082675149240698768255055048471, "size": 2, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280156 }, { "func": "static void add_full(struct kmem_cache *s,\n\tstruct kmem_cache_node *n, struct page *page)\n{\n\tif (!(s->flags & SLAB_STORE_USER))\n\t\treturn;\n\n\tlockdep_assert_held(&n->list_lock);\n\tlist_add(&page->slab_list, &n->full);\n}", "project": "linux", "hash": 323883662156119568227880550342763183988, "size": 9, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280254 }, { "func": "static int futex_lock_pi(u32 __user *uaddr, int fshared,\n\t\t\t int detect, ktime_t *time, int trylock)\n{\n\tstruct hrtimer_sleeper timeout, *to = NULL;\n\tstruct futex_hash_bucket *hb;\n\tstruct futex_q q;\n\tint res, ret;\n\n\tif (refill_pi_state_cache())\n\t\treturn -ENOMEM;\n\n\tif (time) {\n\t\tto = &timeout;\n\t\thrtimer_init_on_stack(&to->timer, CLOCK_REALTIME,\n\t\t\t\t HRTIMER_MODE_ABS);\n\t\thrtimer_init_sleeper(to, current);\n\t\thrtimer_set_expires(&to->timer, *time);\n\t}\n\n\tq.pi_state = NULL;\n\tq.rt_waiter = NULL;\n\tq.requeue_pi_key = NULL;\nretry:\n\tq.key = FUTEX_KEY_INIT;\n\tret = get_futex_key(uaddr, fshared, &q.key);\n\tif (unlikely(ret != 0))\n\t\tgoto out;\n\nretry_private:\n\thb = queue_lock(&q);\n\n\tret = futex_lock_pi_atomic(uaddr, hb, &q.key, &q.pi_state, current, 0);\n\tif (unlikely(ret)) {\n\t\tswitch (ret) {\n\t\tcase 1:\n\t\t\t/* We got the lock. 
*/\n\t\t\tret = 0;\n\t\t\tgoto out_unlock_put_key;\n\t\tcase -EFAULT:\n\t\t\tgoto uaddr_faulted;\n\t\tcase -EAGAIN:\n\t\t\t/*\n\t\t\t * Task is exiting and we just wait for the\n\t\t\t * exit to complete.\n\t\t\t */\n\t\t\tqueue_unlock(&q, hb);\n\t\t\tput_futex_key(fshared, &q.key);\n\t\t\tcond_resched();\n\t\t\tgoto retry;\n\t\tdefault:\n\t\t\tgoto out_unlock_put_key;\n\t\t}\n\t}\n\n\t/*\n\t * Only actually queue now that the atomic ops are done:\n\t */\n\tqueue_me(&q, hb);\n\n\tWARN_ON(!q.pi_state);\n\t/*\n\t * Block on the PI mutex:\n\t */\n\tif (!trylock)\n\t\tret = rt_mutex_timed_lock(&q.pi_state->pi_mutex, to, 1);\n\telse {\n\t\tret = rt_mutex_trylock(&q.pi_state->pi_mutex);\n\t\t/* Fixup the trylock return value: */\n\t\tret = ret ? 0 : -EWOULDBLOCK;\n\t}\n\n\tspin_lock(q.lock_ptr);\n\t/*\n\t * Fixup the pi_state owner and possibly acquire the lock if we\n\t * haven't already.\n\t */\n\tres = fixup_owner(uaddr, fshared, &q, !ret);\n\t/*\n\t * If fixup_owner() returned an error, proprogate that. If it acquired\n\t * the lock, clear our -ETIMEDOUT or -EINTR.\n\t */\n\tif (res)\n\t\tret = (res < 0) ? res : 0;\n\n\t/*\n\t * If fixup_owner() faulted and was unable to handle the fault, unlock\n\t * it and return the fault to userspace.\n\t */\n\tif (ret && (rt_mutex_owner(&q.pi_state->pi_mutex) == current))\n\t\trt_mutex_unlock(&q.pi_state->pi_mutex);\n\n\t/* Unqueue and drop the lock */\n\tunqueue_me_pi(&q);\n\n\tgoto out;\n\nout_unlock_put_key:\n\tqueue_unlock(&q, hb);\n\nout_put_key:\n\tput_futex_key(fshared, &q.key);\nout:\n\tif (to)\n\t\tdestroy_hrtimer_on_stack(&to->timer);\n\treturn ret != -EINTR ? 
ret : -ERESTARTNOINTR;\n\nuaddr_faulted:\n\tqueue_unlock(&q, hb);\n\n\tret = fault_in_user_writeable(uaddr);\n\tif (ret)\n\t\tgoto out_put_key;\n\n\tif (!fshared)\n\t\tgoto retry_private;\n\n\tput_futex_key(fshared, &q.key);\n\tgoto retry;\n}", "target": 1, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 229495631557006192714814605323704821133, "size": 119, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 215572 }, { "func": "static int futex_lock_pi(u32 __user *uaddr, int fshared,\n\t\t\t int detect, ktime_t *time, int trylock)\n{\n\tstruct hrtimer_sleeper timeout, *to = NULL;\n\tstruct futex_hash_bucket *hb;\n\tstruct futex_q q;\n\tint res, ret;\n\n\tif (refill_pi_state_cache())\n\t\treturn -ENOMEM;\n\n\tif (time) {\n\t\tto = &timeout;\n\t\thrtimer_init_on_stack(&to->timer, CLOCK_REALTIME,\n\t\t\t\t HRTIMER_MODE_ABS);\n\t\thrtimer_init_sleeper(to, current);\n\t\thrtimer_set_expires(&to->timer, *time);\n\t}\n\n\tq.pi_state = NULL;\n\tq.rt_waiter = NULL;\n\tq.requeue_pi_key = NULL;\nretry:\n\tq.key = FUTEX_KEY_INIT;\n\tret = get_futex_key(uaddr, fshared, &q.key);\n\tif (unlikely(ret != 0))\n\t\tgoto out;\n\nretry_private:\n\thb = queue_lock(&q);\n\n\tret = futex_lock_pi_atomic(uaddr, hb, &q.key, &q.pi_state, current, 0);\n\tif (unlikely(ret)) {\n\t\tswitch (ret) {\n\t\tcase 1:\n\t\t\t/* We got the lock. 
*/\n\t\t\tret = 0;\n\t\t\tgoto out_unlock_put_key;\n\t\tcase -EFAULT:\n\t\t\tgoto uaddr_faulted;\n\t\tcase -EAGAIN:\n\t\t\t/*\n\t\t\t * Task is exiting and we just wait for the\n\t\t\t * exit to complete.\n\t\t\t */\n\t\t\tqueue_unlock(&q, hb);\n\t\t\tput_futex_key(fshared, &q.key);\n\t\t\tcond_resched();\n\t\t\tgoto retry;\n\t\tdefault:\n\t\t\tgoto out_unlock_put_key;\n\t\t}\n\t}\n\n\t/*\n\t * Only actually queue now that the atomic ops are done:\n\t */\n\tqueue_me(&q, hb);\n\n\tWARN_ON(!q.pi_state);\n\t/*\n\t * Block on the PI mutex:\n\t */\n\tif (!trylock)\n\t\tret = rt_mutex_timed_lock(&q.pi_state->pi_mutex, to, 1);\n\telse {\n\t\tret = rt_mutex_trylock(&q.pi_state->pi_mutex);\n\t\t/* Fixup the trylock return value: */\n\t\tret = ret ? 0 : -EWOULDBLOCK;\n\t}\n\n\tspin_lock(q.lock_ptr);\n\t/*\n\t * Fixup the pi_state owner and possibly acquire the lock if we\n\t * haven't already.\n\t */\n\tres = fixup_owner(uaddr, fshared, &q, !ret);\n\t/*\n\t * If fixup_owner() returned an error, proprogate that. If it acquired\n\t * the lock, clear our -ETIMEDOUT or -EINTR.\n\t */\n\tif (res)\n\t\tret = (res < 0) ? res : 0;\n\n\t/*\n\t * If fixup_owner() faulted and was unable to handle the fault, unlock\n\t * it and return the fault to userspace.\n\t */\n\tif (ret && (rt_mutex_owner(&q.pi_state->pi_mutex) == current))\n\t\trt_mutex_unlock(&q.pi_state->pi_mutex);\n\n\t/* Unqueue and drop the lock */\n\tunqueue_me_pi(&q);\n\n\tgoto out_put_key;\n\nout_unlock_put_key:\n\tqueue_unlock(&q, hb);\n\nout_put_key:\n\tput_futex_key(fshared, &q.key);\nout:\n\tif (to)\n\t\tdestroy_hrtimer_on_stack(&to->timer);\n\treturn ret != -EINTR ? 
ret : -ERESTARTNOINTR;\n\nuaddr_faulted:\n\tqueue_unlock(&q, hb);\n\n\tret = fault_in_user_writeable(uaddr);\n\tif (ret)\n\t\tgoto out_put_key;\n\n\tif (!fshared)\n\t\tgoto retry_private;\n\n\tput_futex_key(fshared, &q.key);\n\tgoto retry;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 243045543915221577830247168819573698971, "size": 119, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492307 }, { "func": "static void process_init_limits(struct fuse_conn *fc, struct fuse_init_out *arg)\n{\n\tint cap_sys_admin = capable(CAP_SYS_ADMIN);\n\n\tif (arg->minor < 13)\n\t\treturn;\n\n\tsanitize_global_limit(&max_user_bgreq);\n\tsanitize_global_limit(&max_user_congthresh);\n\n\tspin_lock(&fc->bg_lock);\n\tif (arg->max_background) {\n\t\tfc->max_background = arg->max_background;\n\n\t\tif (!cap_sys_admin && fc->max_background > max_user_bgreq)\n\t\t\tfc->max_background = max_user_bgreq;\n\t}\n\tif (arg->congestion_threshold) {\n\t\tfc->congestion_threshold = arg->congestion_threshold;\n\n\t\tif (!cap_sys_admin &&\n\t\t fc->congestion_threshold > max_user_congthresh)\n\t\t\tfc->congestion_threshold = max_user_congthresh;\n\t}\n\tspin_unlock(&fc->bg_lock);\n}", "project": "linux", "hash": 291324178330971860027379451267385227918, "size": 26, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341963 }, { "func": "static int sctp_setsockopt_active_key(struct sock *sk,\n\t\t\t\t struct sctp_authkeyid *val,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_endpoint *ep = sctp_sk(sk)->ep;\n\tstruct sctp_association *asoc;\n\tint ret = 0;\n\n\tif (optlen != sizeof(struct sctp_authkeyid))\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, val->scact_assoc_id);\n\tif (!asoc && val->scact_assoc_id > SCTP_ALL_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc)\n\t\treturn sctp_auth_set_active_key(ep, asoc, val->scact_keynumber);\n\n\tif (sctp_style(sk, TCP))\n\t\tval->scact_assoc_id = SCTP_FUTURE_ASSOC;\n\n\tif (val->scact_assoc_id == SCTP_FUTURE_ASSOC ||\n\t val->scact_assoc_id == SCTP_ALL_ASSOC) {\n\t\tret = sctp_auth_set_active_key(ep, asoc, val->scact_keynumber);\n\t\tif (ret)\n\t\t\treturn ret;\n\t}\n\n\tif (val->scact_assoc_id == SCTP_CURRENT_ASSOC ||\n\t val->scact_assoc_id == SCTP_ALL_ASSOC) {\n\t\tlist_for_each_entry(asoc, &ep->asocs, asocs) {\n\t\t\tint res = sctp_auth_set_active_key(ep, asoc,\n\t\t\t\t\t\t\t val->scact_keynumber);\n\n\t\t\tif (res && !ret)\n\t\t\t\tret = res;\n\t\t}\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 5288539997690669540968825233240912611, "size": 42, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", 
"message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398114 }, { "func": "void WebContents::MessageTo(bool internal,\n bool send_to_all,\n int32_t web_contents_id,\n const std::string& channel,\n blink::CloneableMessage arguments) {\n TRACE_EVENT1(\"electron\", \"WebContents::MessageTo\", \"channel\", channel);\n auto* web_contents = gin_helper::TrackableObject::FromWeakMapID(\n isolate(), web_contents_id);\n\n if (web_contents) {\n web_contents->SendIPCMessageWithSender(internal, send_to_all, channel,\n std::move(arguments), ID());\n }\n}", "project": "electron", "hash": 241947584870242124615075600541801691063, "size": 14, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269777 }, { "func": "static void hci_cc_set_ext_adv_param(struct 
hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data;\n\tstruct hci_cp_le_set_ext_adv_params *cp;\n\tstruct adv_info *adv_instance;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\thdev->adv_addr_type = cp->own_addr_type;\n\tif (!hdev->cur_adv_instance) {\n\t\t/* Store in hdev for instance 0 */\n\t\thdev->adv_tx_power = rp->tx_power;\n\t} else {\n\t\tadv_instance = hci_find_adv_instance(hdev,\n\t\t\t\t\t\t hdev->cur_adv_instance);\n\t\tif (adv_instance)\n\t\t\tadv_instance->tx_power = rp->tx_power;\n\t}\n\t/* Update adv data as tx power is known now */\n\thci_req_update_adv_data(hdev, hdev->cur_adv_instance);\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 156112640263705744727131185329545193611, "size": 30, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431871 }, { "func": "void deinit_pdb_downloader(SPDBDownloader *pd) {\n\tR_FREE (pd->opt->dbg_file);\n\tR_FREE (pd->opt->guid);\n\tR_FREE (pd->opt->symbol_server);\n\tR_FREE (pd->opt->user_agent);\n\tR_FREE (pd->opt->symbol_store_path);\n\tR_FREE (pd->opt);\n\tpd->download = 0;\n}", "project": "radare2", "hash": 244043505298766134733956977022331598482, "size": 9, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269023 }, { "func": "static struct page *new_slab(struct kmem_cache *s, gfp_t flags, int node)\n{\n\tif (unlikely(flags & GFP_SLAB_BUG_MASK)) {\n\t\tgfp_t invalid_mask = flags & GFP_SLAB_BUG_MASK;\n\t\tflags &= ~GFP_SLAB_BUG_MASK;\n\t\tpr_warn(\"Unexpected gfp: %#x (%pGg). Fixing up to gfp: %#x (%pGg). Fix your code!\\n\",\n\t\t\t\tinvalid_mask, &invalid_mask, flags, &flags);\n\t\tdump_stack();\n\t}\n\n\treturn allocate_slab(s,\n\t\tflags & (GFP_RECLAIM_MASK | GFP_CONSTRAINT_MASK), node);\n}", "project": "linux", "hash": 179111328652460297176332639517965402878, "size": 13, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280139 }, { "func": "struct dentry *trace_create_file(const char *name,\n\t\t\t\t umode_t mode,\n\t\t\t\t struct dentry *parent,\n\t\t\t\t void *data,\n\t\t\t\t const struct file_operations *fops)\n{\n\tstruct dentry *ret;\n\n\tret = tracefs_create_file(name, mode, parent, data, fops);\n\tif (!ret)\n\t\tpr_warn(\"Could not create tracefs '%s' entry\\n\", name);\n\n\treturn ret;\n}", "project": "linux", "hash": 106568356846526270086841831741421849635, "size": 14, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445630 }, { "func": "void WebContents::OpenDevTools(gin_helper::Arguments* args) {\n if (type_ == Type::REMOTE)\n return;\n\n if (!enable_devtools_)\n return;\n\n std::string state;\n if (type_ == Type::WEB_VIEW || !owner_window()) {\n state = \"detach\";\n }\n bool activate = true;\n if (args && args->Length() == 1) {\n gin_helper::Dictionary options;\n if (args->GetNext(&options)) {\n options.Get(\"mode\", &state);\n options.Get(\"activate\", &activate);\n }\n }\n managed_web_contents()->SetDockState(state);\n managed_web_contents()->ShowDevTools(activate);\n}", "project": "electron", "hash": 246200634180849222719430138536655817575, "size": 22, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269740 }, { "func": "static int get_swift_account_settings(req_state * const s,\n RGWRados * const store,\n RGWAccessControlPolicy_SWIFTAcct * const policy,\n bool * const has_policy)\n{\n *has_policy = false;\n\n const char * const acl_attr = s->info.env->get(\"HTTP_X_ACCOUNT_ACCESS_CONTROL\");\n if (acl_attr) {\n RGWAccessControlPolicy_SWIFTAcct swift_acct_policy(s->cct);\n const bool r = swift_acct_policy.create(store,\n s->user->user_id,\n s->user->display_name,\n 
string(acl_attr));\n if (r != true) {\n return -EINVAL;\n }\n\n *policy = swift_acct_policy;\n *has_policy = true;\n }\n\n return 0;\n}", "project": "ceph", "hash": 173860213732039318917277899349437789377, "size": 24, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448826 }, { "func": "TEST(ExistsMatchExpression, MatchesScalar) {\n ExistsMatchExpression exists(\"a\");\n ASSERT(exists.matchesBSON(BSON(\"a\" << 1), NULL));\n ASSERT(exists.matchesBSON(BSON(\"a\" << BSONNULL), NULL));\n ASSERT(!exists.matchesBSON(BSON(\"b\" << 1), NULL));\n}", "project": "mongo", "hash": 56554947109169368577634033134920174108, "size": 6, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422533 }, { "func": "TEST(ExistsMatchExpression, ElemMatchKey) {\n ExistsMatchExpression exists(\"a.b\");\n MatchDetails details;\n details.requestElemMatchKey();\n ASSERT(!exists.matchesBSON(BSON(\"a\" << 1), &details));\n ASSERT(!details.hasElemMatchKey());\n ASSERT(exists.matchesBSON(BSON(\"a\" << BSON(\"b\" << 6)), &details));\n ASSERT(!details.hasElemMatchKey());\n ASSERT(exists.matchesBSON(BSON(\"a\" << BSON_ARRAY(2 << BSON(\"b\" << 7))), &details));\n ASSERT(details.hasElemMatchKey());\n ASSERT_EQUALS(\"1\", details.elemMatchKey());\n}", "project": "mongo", "hash": 321660508875093162826351910538357108391, "size": 12, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422545 }, { "func": 
"TEST(ExistsMatchExpression, MatchesElement) {\n BSONObj existsInt = BSON(\"a\" << 5);\n BSONObj existsNull = BSON(\"a\" << BSONNULL);\n BSONObj doesntExist = BSONObj();\n ExistsMatchExpression exists(\"\");\n ASSERT(exists.matchesSingleElement(existsInt.firstElement()));\n ASSERT(exists.matchesSingleElement(existsNull.firstElement()));\n ASSERT(!exists.matchesSingleElement(doesntExist.firstElement()));\n}", "project": "mongo", "hash": 121233325893532172555821738335032755702, "size": 9, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422571 }, { "func": "TEST(ExistsMatchExpression, MatchesArray) {\n ExistsMatchExpression exists(\"a\");\n ASSERT(exists.matchesBSON(BSON(\"a\" << BSON_ARRAY(4 << 5.5)), NULL));\n}", "project": "mongo", "hash": 318613994206560962932551987158988460099, "size": 4, "commit_id": "64095239f41e9f3841d8be9088347db56d35c891", "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions", "target": 0, "dataset": "other", "idx": 422658 }, { "func": "bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr,\n\t\t unsigned long new_addr, unsigned long old_end,\n\t\t pmd_t *old_pmd, pmd_t *new_pmd)\n{\n\tspinlock_t *old_ptl, *new_ptl;\n\tpmd_t pmd;\n\tstruct mm_struct *mm = vma->vm_mm;\n\tbool force_flush = false;\n\n\tif ((old_addr & ~HPAGE_PMD_MASK) ||\n\t (new_addr & ~HPAGE_PMD_MASK) ||\n\t old_end - old_addr < HPAGE_PMD_SIZE)\n\t\treturn false;\n\n\t/*\n\t * The destination pmd shouldn't be established, free_pgtables()\n\t * should have release it.\n\t */\n\tif (WARN_ON(!pmd_none(*new_pmd))) {\n\t\tVM_BUG_ON(pmd_trans_huge(*new_pmd));\n\t\treturn false;\n\t}\n\n\t/*\n\t * We don't have to worry about the ordering of src and dst\n\t * ptlocks because exclusive mmap_sem prevents deadlock.\n\t */\n\told_ptl = __pmd_trans_huge_lock(old_pmd, vma);\n\tif (old_ptl) {\n\t\tnew_ptl = pmd_lockptr(mm, 
new_pmd);\n\t\tif (new_ptl != old_ptl)\n\t\t\tspin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING);\n\t\tpmd = pmdp_huge_get_and_clear(mm, old_addr, old_pmd);\n\t\tif (pmd_present(pmd))\n\t\t\tforce_flush = true;\n\t\tVM_BUG_ON(!pmd_none(*new_pmd));\n\n\t\tif (pmd_move_must_withdraw(new_ptl, old_ptl, vma)) {\n\t\t\tpgtable_t pgtable;\n\t\t\tpgtable = pgtable_trans_huge_withdraw(mm, old_pmd);\n\t\t\tpgtable_trans_huge_deposit(mm, new_pmd, pgtable);\n\t\t}\n\t\tpmd = move_soft_dirty_pmd(pmd);\n\t\tset_pmd_at(mm, new_addr, new_pmd, pmd);\n\t\tif (force_flush)\n\t\t\tflush_tlb_range(vma, old_addr, old_addr + PMD_SIZE);\n\t\tif (new_ptl != old_ptl)\n\t\t\tspin_unlock(new_ptl);\n\t\tspin_unlock(old_ptl);\n\t\treturn true;\n\t}\n\treturn false;\n}", "project": "linux", "hash": 254831724685580053316410624301478936783, "size": 53, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). 
Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364142 }, { "func": "static inline int is_si_special(const struct kernel_siginfo *info)\n{\n\treturn info <= SEND_SIG_PRIV;\n}", "project": "linux", "hash": 15471751107203061760556386423049277053, "size": 4, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375239 }, { "func": "static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,\n\t\t\t\tunsigned int cols, unsigned int lines)\n{\n\tunsigned long old_origin, new_origin, new_scr_end, rlth, rrem, err = 0;\n\tunsigned long end;\n\tunsigned int old_rows, old_row_size, first_copied_row;\n\tunsigned int new_cols, new_rows, new_row_size, new_screen_size;\n\tunsigned int user;\n\tunsigned short *newscreen;\n\tstruct uni_screen *new_uniscr = NULL;\n\n\tWARN_CONSOLE_UNLOCKED();\n\n\tif (!vc)\n\t\treturn -ENXIO;\n\n\tuser = vc->vc_resize_user;\n\tvc->vc_resize_user = 0;\n\n\tif (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)\n\t\treturn -EINVAL;\n\n\tnew_cols = (cols ? cols : vc->vc_cols);\n\tnew_rows = (lines ? 
lines : vc->vc_rows);\n\tnew_row_size = new_cols << 1;\n\tnew_screen_size = new_row_size * new_rows;\n\n\tif (new_cols == vc->vc_cols && new_rows == vc->vc_rows)\n\t\treturn 0;\n\n\tif (new_screen_size > (4 << 20))\n\t\treturn -EINVAL;\n\tnewscreen = kzalloc(new_screen_size, GFP_USER);\n\tif (!newscreen)\n\t\treturn -ENOMEM;\n\n\tif (get_vc_uniscr(vc)) {\n\t\tnew_uniscr = vc_uniscr_alloc(new_cols, new_rows);\n\t\tif (!new_uniscr) {\n\t\t\tkfree(newscreen);\n\t\t\treturn -ENOMEM;\n\t\t}\n\t}\n\n\tif (vc_is_sel(vc))\n\t\tclear_selection();\n\n\told_rows = vc->vc_rows;\n\told_row_size = vc->vc_size_row;\n\n\terr = resize_screen(vc, new_cols, new_rows, user);\n\tif (err) {\n\t\tkfree(newscreen);\n\t\tkfree(new_uniscr);\n\t\treturn err;\n\t}\n\n\tvc->vc_rows = new_rows;\n\tvc->vc_cols = new_cols;\n\tvc->vc_size_row = new_row_size;\n\tvc->vc_screenbuf_size = new_screen_size;\n\n\trlth = min(old_row_size, new_row_size);\n\trrem = new_row_size - rlth;\n\told_origin = vc->vc_origin;\n\tnew_origin = (long) newscreen;\n\tnew_scr_end = new_origin + new_screen_size;\n\n\tif (vc->vc_y > new_rows) {\n\t\tif (old_rows - vc->vc_y < new_rows) {\n\t\t\t/*\n\t\t\t * Cursor near the bottom, copy contents from the\n\t\t\t * bottom of buffer\n\t\t\t */\n\t\t\tfirst_copied_row = (old_rows - new_rows);\n\t\t} else {\n\t\t\t/*\n\t\t\t * Cursor is in no man's land, copy 1/2 screenful\n\t\t\t * from the top and bottom of cursor position\n\t\t\t */\n\t\t\tfirst_copied_row = (vc->vc_y - new_rows/2);\n\t\t}\n\t\told_origin += first_copied_row * old_row_size;\n\t} else\n\t\tfirst_copied_row = 0;\n\tend = old_origin + old_row_size * min(old_rows, new_rows);\n\n\tvc_uniscr_copy_area(new_uniscr, new_cols, new_rows,\n\t\t\t get_vc_uniscr(vc), rlth/2, first_copied_row,\n\t\t\t min(old_rows, new_rows));\n\tvc_uniscr_set(vc, new_uniscr);\n\n\tupdate_attr(vc);\n\n\twhile (old_origin < end) {\n\t\tscr_memcpyw((unsigned short *) new_origin,\n\t\t\t (unsigned short *) old_origin, rlth);\n\t\tif 
(rrem)\n\t\t\tscr_memsetw((void *)(new_origin + rlth),\n\t\t\t\t vc->vc_video_erase_char, rrem);\n\t\told_origin += old_row_size;\n\t\tnew_origin += new_row_size;\n\t}\n\tif (new_scr_end > new_origin)\n\t\tscr_memsetw((void *)new_origin, vc->vc_video_erase_char,\n\t\t\t new_scr_end - new_origin);\n\tkfree(vc->vc_screenbuf);\n\tvc->vc_screenbuf = newscreen;\n\tvc->vc_screenbuf_size = new_screen_size;\n\tset_origin(vc);\n\n\t/* do part of a reset_terminal() */\n\tvc->vc_top = 0;\n\tvc->vc_bottom = vc->vc_rows;\n\tgotoxy(vc, vc->vc_x, vc->vc_y);\n\tsave_cur(vc);\n\n\tif (tty) {\n\t\t/* Rewrite the requested winsize data with the actual\n\t\t resulting sizes */\n\t\tstruct winsize ws;\n\t\tmemset(&ws, 0, sizeof(ws));\n\t\tws.ws_row = vc->vc_rows;\n\t\tws.ws_col = vc->vc_cols;\n\t\tws.ws_ypixel = vc->vc_scan_lines;\n\t\ttty_do_resize(tty, &ws);\n\t}\n\n\tif (con_is_visible(vc))\n\t\tupdate_screen(vc);\n\tvt_event_post(VT_EVENT_RESIZE, vc->vc_num, vc->vc_num);\n\tnotify_update(vc);\n\treturn err;\n}", "project": "linux", "hash": 271617432935712558846108145918209666877, "size": 134, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437061 }, { "func": "bool task_set_jobctl_pending(struct task_struct *task, unsigned long mask)\n{\n\tBUG_ON(mask & ~(JOBCTL_PENDING_MASK | JOBCTL_STOP_CONSUME |\n\t\t\tJOBCTL_STOP_SIGMASK | JOBCTL_TRAPPING));\n\tBUG_ON((mask & JOBCTL_TRAPPING) && !(mask & JOBCTL_PENDING_MASK));\n\n\tif (unlikely(fatal_signal_pending(task) || (task->flags & PF_EXITING)))\n\t\treturn false;\n\n\tif (mask & JOBCTL_STOP_SIGMASK)\n\t\ttask->jobctl &= ~JOBCTL_STOP_SIGMASK;\n\n\ttask->jobctl |= mask;\n\treturn true;\n}", "project": "linux", "hash": 250296911768914676265247520573357224175, "size": 15, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375258 }, { "func": "void CServer::DemoRecorder_HandleAutoStart()\n{\n\tif(Config()->m_SvAutoDemoRecord)\n\t{\n\t\tm_DemoRecorder.Stop();\n\t\tchar aFilename[128];\n\t\tchar aDate[20];\n\t\tstr_timestamp(aDate, sizeof(aDate));\n\t\tstr_format(aFilename, sizeof(aFilename), \"demos/%s_%s.demo\", \"auto/autorecord\", aDate);\n\t\tm_DemoRecorder.Start(Storage(), m_pConsole, aFilename, GameServer()->NetVersion(), m_aCurrentMap, m_CurrentMapSha256, m_CurrentMapCrc, \"server\");\n\t\tif(Config()->m_SvAutoDemoMax)\n\t\t{\n\t\t\t// clean up auto recorded demos\n\t\t\tCFileCollection AutoDemos;\n\t\t\tAutoDemos.Init(Storage(), \"demos/server\", \"autorecord\", \".demo\", Config()->m_SvAutoDemoMax);\n\t\t}\n\t}\n}", "project": "teeworlds", "hash": 28327978235769239699416250696901546274, "size": 18, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 381979 }, { "func": "void fuse_send_init(struct fuse_mount *fm)\n{\n\tstruct fuse_init_args *ia;\n\n\tia = kzalloc(sizeof(*ia), GFP_KERNEL | __GFP_NOFAIL);\n\n\tia->in.major = FUSE_KERNEL_VERSION;\n\tia->in.minor = FUSE_KERNEL_MINOR_VERSION;\n\tia->in.max_readahead = fm->sb->s_bdi->ra_pages * PAGE_SIZE;\n\tia->in.flags |=\n\t\tFUSE_ASYNC_READ | FUSE_POSIX_LOCKS | FUSE_ATOMIC_O_TRUNC |\n\t\tFUSE_EXPORT_SUPPORT | FUSE_BIG_WRITES | FUSE_DONT_MASK |\n\t\tFUSE_SPLICE_WRITE | FUSE_SPLICE_MOVE | FUSE_SPLICE_READ |\n\t\tFUSE_FLOCK_LOCKS | FUSE_HAS_IOCTL_DIR | FUSE_AUTO_INVAL_DATA 
|\n\t\tFUSE_DO_READDIRPLUS | FUSE_READDIRPLUS_AUTO | FUSE_ASYNC_DIO |\n\t\tFUSE_WRITEBACK_CACHE | FUSE_NO_OPEN_SUPPORT |\n\t\tFUSE_PARALLEL_DIROPS | FUSE_HANDLE_KILLPRIV | FUSE_POSIX_ACL |\n\t\tFUSE_ABORT_ERROR | FUSE_MAX_PAGES | FUSE_CACHE_SYMLINKS |\n\t\tFUSE_NO_OPENDIR_SUPPORT | FUSE_EXPLICIT_INVAL_DATA |\n\t\tFUSE_HANDLE_KILLPRIV_V2;\n#ifdef CONFIG_FUSE_DAX\n\tif (fm->fc->dax)\n\t\tia->in.flags |= FUSE_MAP_ALIGNMENT;\n#endif\n\tif (fm->fc->auto_submounts)\n\t\tia->in.flags |= FUSE_SUBMOUNTS;\n\n\tia->args.opcode = FUSE_INIT;\n\tia->args.in_numargs = 1;\n\tia->args.in_args[0].size = sizeof(ia->in);\n\tia->args.in_args[0].value = &ia->in;\n\tia->args.out_numargs = 1;\n\t/* Variable length argument used for backward compatibility\n\t with interface version < 7.5. Rest of init_out is zeroed\n\t by do_get_request(), so a short reply is not a problem */\n\tia->args.out_argvar = true;\n\tia->args.out_args[0].size = sizeof(ia->out);\n\tia->args.out_args[0].value = &ia->out;\n\tia->args.force = true;\n\tia->args.nocreds = true;\n\tia->args.end = process_init_reply;\n\n\tif (fuse_simple_background(fm, &ia->args, GFP_KERNEL) != 0)\n\t\tprocess_init_reply(fm, &ia->args, -ENOTCONN);\n}", "project": "linux", "hash": 281724066482890809671284900740423370772, "size": 45, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342057 }, { "func": "static void ov_hires_configure(struct sd *sd)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint high, low;\n\n\tif (sd->bridge != BRIDGE_OVFX2) {\n\t\tgspca_err(gspca_dev, \"error hires sensors only supported with ovfx2\\n\");\n\t\treturn;\n\t}\n\n\tgspca_dbg(gspca_dev, D_PROBE, \"starting ov hires configuration\\n\");\n\n\t/* Detect sensor (sub)type */\n\thigh = i2c_r(sd, 0x0a);\n\tlow = i2c_r(sd, 0x0b);\n\t/* info(\"%x, %x\", high, low); */\n\tswitch (high) {\n\tcase 0x96:\n\t\tswitch (low) {\n\t\tcase 0x40:\n\t\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is a OV2610\\n\");\n\t\t\tsd->sensor = SEN_OV2610;\n\t\t\treturn;\n\t\tcase 0x41:\n\t\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is a OV2610AE\\n\");\n\t\t\tsd->sensor = SEN_OV2610AE;\n\t\t\treturn;\n\t\tcase 0xb1:\n\t\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is a OV9600\\n\");\n\t\t\tsd->sensor = SEN_OV9600;\n\t\t\treturn;\n\t\t}\n\t\tbreak;\n\tcase 0x36:\n\t\tif ((low & 0x0f) == 0x00) {\n\t\t\tgspca_dbg(gspca_dev, D_PROBE, \"Sensor is a OV3610\\n\");\n\t\t\tsd->sensor = SEN_OV3610;\n\t\t\treturn;\n\t\t}\n\t\tbreak;\n\t}\n\tgspca_err(gspca_dev, \"Error unknown sensor type: %02x%02x\\n\",\n\t\t high, low);\n}", "project": "linux", "hash": 190624558234375869912823676047226302263, "size": 44, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, 
which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306346 }, { "func": "static int sctp_setsockopt_connectx(struct sock *sk,\n\t\t\t\t struct sockaddr *kaddrs,\n\t\t\t\t int addrs_size)\n{\n\tsctp_assoc_t assoc_id = 0;\n\tint err = 0;\n\n\terr = __sctp_setsockopt_connectx(sk, kaddrs, addrs_size, &assoc_id);\n\n\tif (err)\n\t\treturn err;\n\telse\n\t\treturn assoc_id;\n}", "project": "linux", "hash": 180893566005489251896055740797287447759, "size": 14, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398130 }, { "func": "DLLEXPORT unsigned long DLLCALL tjBufSizeYUV2(int width, int pad, int height,\n\tint subsamp)\n{\n\tint retval=0, nc, i;\n\n\tif(subsamp<0 || subsamp>=NUMSUBOPT)\n\t\t_throw(\"tjBufSizeYUV2(): Invalid argument\");\n\n\tnc=(subsamp==TJSAMP_GRAY? 1:3);\n\tfor(i=0; idev.platform_data;\n\tstruct ca8210_priv *priv = spi_get_drvdata(spi);\n\tlong status;\n\n\tgpio_set_value(pdata->gpio_reset, 0);\n\treinit_completion(&priv->ca8210_is_awake);\n\tmsleep(ms);\n\tgpio_set_value(pdata->gpio_reset, 1);\n\tpriv->promiscuous = false;\n\n\t/* Wait until wakeup indication seen */\n\tstatus = wait_for_completion_interruptible_timeout(\n\t\t&priv->ca8210_is_awake,\n\t\tmsecs_to_jiffies(CA8210_SYNC_TIMEOUT)\n\t);\n\tif (status == 0) {\n\t\tdev_crit(\n\t\t\t&spi->dev,\n\t\t\t\"Fatal: No wakeup from ca8210 after reset!\\n\"\n\t\t);\n\t}\n\n\tdev_dbg(&spi->dev, \"Reset the device\\n\");\n}", "project": "linux", "hash": 196853650152864148692293636136368572317, "size": 26, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408797 }, { "func": "void mm_put_huge_zero_page(struct mm_struct *mm)\n{\n\tif (test_bit(MMF_HUGE_ZERO_PAGE, &mm->flags))\n\t\tput_huge_zero_page();\n}", "project": "linux", "hash": 246585535907947223334875658915108004552, "size": 5, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to 
break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364171 }, { "func": "static rpmRC hdrblobVerifyInfo(hdrblob blob, char **emsg)\n{\n struct entryInfo_s info;\n int i, len = 0;\n int32_t end = 0;\n const char *ds = (const char *) blob->dataStart;\n int32_t il = (blob->regionTag) ? blob->il-1 : blob->il;\n entryInfo pe = (blob->regionTag) ? 
blob->pe+1 : blob->pe;\n /* Can't typecheck signature header tags, sigh */\n int typechk = (blob->regionTag == RPMTAG_HEADERIMMUTABLE ||\n\t\t blob->regionTag == RPMTAG_HEADERIMAGE);\n\n for (i = 0; i < il; i++) {\n\tei2h(&pe[i], &info);\n\n\t/* Previous data must not overlap */\n\tif (end > info.offset)\n\t goto err;\n\n\tif (hdrchkTag(info.tag))\n\t goto err;\n\tif (hdrchkType(info.type))\n\t goto err;\n\tif (hdrchkCount(info.count))\n\t goto err;\n\tif (hdrchkAlign(info.type, info.offset))\n\t goto err;\n\tif (hdrchkRange(blob->dl, info.offset))\n\t goto err;\n\tif (typechk && hdrchkTagType(info.tag, info.type))\n\t goto err;\n\n\t/* Verify the data actually fits */\n\tlen = dataLength(info.type, ds + info.offset,\n\t\t\t info.count, 1, ds + blob->dl);\n\tif (hdrchkRange(blob->dl - info.offset, len))\n\t goto err;\n\tend = info.offset + len;\n\tif (blob->regionTag) {\n\t /*\n\t * Verify that the data does not overlap the region trailer. The\n\t * region trailer is skipped by this loop, so the other checks\n\t * don’t catch this case.\n\t */\n\t if (end > blob->rdl - REGION_TAG_COUNT && info.offset < blob->rdl)\n\t\tgoto err;\n\t}\n }\n return 0; /* Everything ok */\n\nerr:\n if (emsg) {\n\trasprintf(emsg,\n\t\t _(\"tag[%d]: BAD, tag %d type %d offset %d count %d len %d\"),\n\t\t i, info.tag, info.type, info.offset, info.count, len);\n }\n return i + 1;\n}", "project": "rpm", "hash": 3555737894688449767375324226841226633, "size": 58, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318169 }, { "func": " const Tensor& values() const { return vals_; }", "project": "tensorflow", "hash": 145323876934768054294545772202910168703, "size": 1, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with 
`tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277024 }, { "func": "static void nfs4_xdr_enc_layoutcommit(struct rpc_rqst *req,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t const void *priv)\n{\n\tconst struct nfs4_layoutcommit_args *args = priv;\n\tstruct nfs4_layoutcommit_data *data =\n\t\tcontainer_of(args, struct nfs4_layoutcommit_data, args);\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, NFS_FH(args->inode), &hdr);\n\tencode_layoutcommit(xdr, data->args.inode, args, &hdr);\n\tencode_getfattr(xdr, args->bitmask, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 264806374945249523486475019101401080123, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431454 }, { "func": "static void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)\n{\n\t*p = dh->p;\n\t*q = dh->q;\n\t*g = dh->g;\n}", "project": "php-src", "hash": 243342847349870717530917143119596595024, "size": 6, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291420 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::derefFinishedSourceNodes()\n{\n 
ASSERT(isGraphOwner());\n ASSERT(isAudioThread());\n for (unsigned i = 0; i < m_finishedNodes.size(); i++)\n derefNode(m_finishedNodes[i]);\n\n m_finishedNodes.clear();\n}\n", "cwe": "", "big_vul_idx": 139651, "idx": 124801, "hash": 22062719852828167957056868412206116284 }, { "func": "static int get_accel(const blosc2_context* context) {\n int clevel = context->clevel;\n\n if (context->compcode == BLOSC_LZ4) {\n /* This acceleration setting based on discussions held in:\n * https://groups.google.com/forum/#!topic/lz4c/zosy90P8MQw\n */\n return (10 - clevel);\n }\n else if (context->compcode == BLOSC_LIZARD) {\n /* Lizard currently accepts clevels from 10 to 49 */\n switch (clevel) {\n case 1 :\n return 10;\n case 2 :\n return 10;\n case 3 :\n return 10;\n case 4 :\n return 10;\n case 5 :\n return 20;\n case 6 :\n return 20;\n case 7 :\n return 20;\n case 8 :\n return 41;\n case 9 :\n return 41;\n default :\n break;\n }\n }\n return 1;\n}", "project": "c-blosc2", "hash": 170454251407928948746738721053201080313, "size": 36, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303117 }, { "func": "static void add_assoc_image_info(Array &value, bool sub_array,\n image_info_type *image_info,\n int section_index) {\n char buffer[64], *val, *name, uname[64];\n int i, ap, l, b, idx=0, unknown=0;\n image_info_value *info_value;\n image_info_data *info_data;\n Array tmp;\n Array *tmpi = &tmp;\n Array array;\n\n if (image_info->info_list[section_index].count) {\n if (!sub_array) {\n tmpi = &value;\n }\n\n for(i=0; iinfo_list[section_index].count; i++) {\n info_data = &image_info->info_list[section_index].list[i];\n info_value = &info_data->value;\n if (!(name = info_data->name)) {\n snprintf(uname, sizeof(uname), \"%d\", unknown++);\n name = uname;\n }\n if (info_data->length==0) {\n tmpi->set(String(name, CopyString), 
uninit_null());\n } else {\n switch (info_data->format) {\n default:\n /* Standard says more types possible but skip them...\n * but allow users to handle data if they know how to\n * So not return but use type UNDEFINED\n * return;\n */\n case TAG_FMT_BYTE:\n case TAG_FMT_SBYTE:\n case TAG_FMT_UNDEFINED:\n if (!info_value->s) {\n tmpi->set(String(name, CopyString), \"\");\n } else {\n tmpi->set(String(name, CopyString),\n String(info_value->s, info_data->length, CopyString));\n }\n break;\n\n case TAG_FMT_STRING:\n if (!(val = info_value->s)) {\n val = \"\";\n }\n if (section_index==SECTION_COMMENT) {\n tmpi->set(idx++, String(val, CopyString));\n } else {\n tmpi->set(String(name, CopyString), String(val, CopyString));\n }\n break;\n\n case TAG_FMT_URATIONAL:\n case TAG_FMT_SRATIONAL:\n /*case TAG_FMT_BYTE:\n case TAG_FMT_SBYTE:*/\n case TAG_FMT_USHORT:\n case TAG_FMT_SSHORT:\n case TAG_FMT_SINGLE:\n case TAG_FMT_DOUBLE:\n case TAG_FMT_ULONG:\n case TAG_FMT_SLONG:\n /* now the rest, first see if it becomes an array */\n if ((l = info_data->length) > 1) {\n array.clear();\n }\n for(ap=0; ap1) {\n info_value = &info_data->value.list[ap];\n }\n switch (info_data->format) {\n case TAG_FMT_BYTE:\n if (l>1) {\n info_value = &info_data->value;\n for (b=0;bs[b]));\n }\n break;\n }\n case TAG_FMT_USHORT:\n case TAG_FMT_ULONG:\n if (l==1) {\n tmpi->set(String(name, CopyString), (int)info_value->u);\n } else {\n array.set(ap, (int)info_value->u);\n }\n break;\n\n case TAG_FMT_URATIONAL:\n snprintf(buffer, sizeof(buffer), \"%u/%u\",\n info_value->ur.num, info_value->ur.den);\n if (l==1) {\n tmpi->set(String(name, CopyString),\n String(buffer, CopyString));\n } else {\n array.set(ap, String(buffer, CopyString));\n }\n break;\n\n case TAG_FMT_SBYTE:\n if (l>1) {\n info_value = &info_data->value;\n for (b=0;bs[b]);\n }\n break;\n }\n case TAG_FMT_SSHORT:\n case TAG_FMT_SLONG:\n if (l==1) {\n tmpi->set(String(name, CopyString), info_value->i);\n } else {\n array.set(ap, 
info_value->i);\n }\n break;\n\n case TAG_FMT_SRATIONAL:\n snprintf(buffer, sizeof(buffer), \"%i/%i\",\n info_value->sr.num, info_value->sr.den);\n if (l==1) {\n tmpi->set(String(name, CopyString),\n String(buffer, CopyString));\n } else {\n array.set(ap, String(buffer, CopyString));\n }\n break;\n\n case TAG_FMT_SINGLE:\n if (l==1) {\n tmpi->set(String(name, CopyString), info_value->f);\n } else {\n array.set(ap, info_value->f);\n }\n break;\n\n case TAG_FMT_DOUBLE:\n if (l==1) {\n tmpi->set(String(name, CopyString), info_value->d);\n } else {\n array.set(ap, info_value->d);\n }\n break;\n }\n info_value = &info_data->value.list[ap];\n }\n if (l>1) {\n tmpi->set(String(name, CopyString), array);\n }\n break;\n }\n }\n }\n if (sub_array) {\n value.set(exif_get_sectionname(section_index), tmp);\n }\n }\n}", "project": "hhvm", "hash": 334352871062857566340486325877605132562, "size": 160, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219815 }, { "func": "static int fuse_dentry_delete(const struct dentry *dentry)\n{\n\treturn time_before64(fuse_dentry_time(dentry), get_jiffies_64());\n}", "project": "linux", "hash": 157637742357114128603450181572335654264, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342084 }, { "func": "/* Returns true if we found and killed one or more timeouts */\nstatic bool io_kill_timeouts(struct io_ring_ctx *ctx, struct task_struct *tsk,\n\t\t\t struct files_struct *files)\n{\n\tstruct io_kiocb *req, *tmp;\n\tint canceled = 0;\n\n\tspin_lock_irq(&ctx->completion_lock);\n\tlist_for_each_entry_safe(req, tmp, &ctx->timeout_list, timeout.list) {\n\t\tif (io_match_task(req, tsk, files)) {\n\t\t\tio_kill_timeout(req, -ECANCELED);\n\t\t\tcanceled++;\n\t\t}\n\t}\n\tif (canceled != 0)\n\t\tio_commit_cqring(ctx);\n\tspin_unlock_irq(&ctx->completion_lock);\n\tif (canceled != 0)\n\t\tio_cqring_ev_posted(ctx);\n\treturn canceled != 0;", "project": "linux", "hash": 41587236789657575293874866579153580385, "size": 20, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338715 }, { "func": "static void io_kill_timeouts(struct io_ring_ctx *ctx)\n{\n\tstruct io_kiocb *req, *tmp;\n\n\tspin_lock_irq(&ctx->completion_lock);\n\tlist_for_each_entry_safe(req, tmp, &ctx->timeout_list, timeout.list)\n\t\tio_kill_timeout(req);\n\tspin_unlock_irq(&ctx->completion_lock);\n}", "project": "linux", "hash": 241643583078585873264872443618973615230, "size": 9, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456917 }, { "func": "static void rcu_free_slab(struct rcu_head *h)\n{\n\tstruct page *page = container_of(h, struct page, rcu_head);\n\n\t__free_slab(page->slab_cache, page);\n}", "project": "linux", "hash": 320231587197290544449788628801211935297, "size": 6, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID 
bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280153 }, { "func": " String substr(int start, int length = StringData::MaxSize) const {\n return String::attach(\n m_str ? m_str->substr(start, length) : staticEmptyString());\n }", "project": "hhvm", "hash": 95419555854359161081959121376866632883, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219508 }, { "func": " static String attach(StringData* sd) {\n return String(sd, NoIncRef{});\n }", "project": "hhvm", "hash": 147349248540664409450532944447577877969, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219591 }, { "func": "static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)\n{\n\tstruct nlattr *nest_parms;\n\n\tif (!(ct->status & IPS_EXPECTED))\n\t\treturn 0;\n\n\tnest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER);\n\tif (!nest_parms)\n\t\tgoto nla_put_failure;\n\tif (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)\n\t\tgoto nla_put_failure;\n\tnla_nest_end(skb, nest_parms);\n\n\treturn 0;\n\nnla_put_failure:\n\treturn -1;\n}", "project": 
"linux", "hash": 226398039679316482273808697873562288678, "size": 19, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394231 }, { "func": "int kvm_arch_vcpu_should_kick(struct kvm_vcpu *vcpu)\n{\n\t/* kvm common code refers to this, but never calls it */\n\tBUG();\n\treturn 0;\n}", "project": "linux", "hash": 288335627925954483602197313463501804218, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", 
"message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354595 }, { "func": "static int halt_interception(struct vcpu_svm *svm)\n{\n\treturn kvm_emulate_halt(&svm->vcpu);\n}", "project": "linux", "hash": 119751845253188862633995247125005194029, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432625 }, { "func": "static int halt_interception(struct vcpu_svm *svm)\n{\n\tsvm->next_rip = kvm_rip_read(&svm->vcpu) + 1;\n\tskip_emulated_instruction(&svm->vcpu);\n\treturn kvm_emulate_halt(&svm->vcpu);\n}", "project": "kvm", "hash": 173817345073356408239369306146345388852, "size": 6, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. 
The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437635 }, { "func": "static int kmem_cache_open(struct kmem_cache *s, slab_flags_t flags)\n{\n\ts->flags = kmem_cache_flags(s->size, flags, s->name, s->ctor);\n#ifdef CONFIG_SLAB_FREELIST_HARDENED\n\ts->random = get_random_long();\n#endif\n\n\tif (!calculate_sizes(s, -1))\n\t\tgoto error;\n\tif (disable_higher_order_debug) {\n\t\t/*\n\t\t * Disable debugging flags that store metadata if the min slab\n\t\t * order increased.\n\t\t */\n\t\tif (get_order(s->size) > get_order(s->object_size)) {\n\t\t\ts->flags &= ~DEBUG_METADATA_FLAGS;\n\t\t\ts->offset = 0;\n\t\t\tif (!calculate_sizes(s, -1))\n\t\t\t\tgoto error;\n\t\t}\n\t}\n\n#if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \\\n defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)\n\tif (system_has_cmpxchg_double() && (s->flags & SLAB_NO_CMPXCHG) == 0)\n\t\t/* Enable fast mode */\n\t\ts->flags |= __CMPXCHG_DOUBLE;\n#endif\n\n\t/*\n\t * The larger the object size is, the more pages we want on the partial\n\t * list to avoid pounding the page allocator excessively.\n\t */\n\tset_min_partial(s, ilog2(s->size) / 2);\n\n\tset_cpu_partial(s);\n\n#ifdef CONFIG_NUMA\n\ts->remote_node_defrag_ratio = 1000;\n#endif\n\n\t/* Initialize the pre-computed randomized freelist if slab is up */\n\tif (slab_state >= UP) {\n\t\tif (init_cache_random_seq(s))\n\t\t\tgoto error;\n\t}\n\n\tif (!init_kmem_cache_nodes(s))\n\t\tgoto error;\n\n\tif (alloc_kmem_cache_cpus(s))\n\t\treturn 0;\n\n\tfree_kmem_cache_nodes(s);\nerror:\n\treturn -EINVAL;\n}", 
"project": "linux", "hash": 192451677188650544030902713551883632240, "size": 57, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280075 }, { "func": "Variant preg_match_all(const String& pattern, const String& subject,\n Variant* matches /* = nullptr */,\n int flags /* = 0 */, int offset /* = 0 */) {\n return preg_match_all(pattern.get(), subject.get(), matches, flags, offset);\n}", "project": "hhvm", "hash": 236093780292558679855471762344355231518, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219300 }, { "func": "Variant preg_match_all(const StringData* pattern, const StringData* subject,\n Variant* matches /* = nullptr */,\n int flags /* = 0 */, int offset /* = 0 */) {\n return preg_match_impl(pattern, subject, matches, flags, offset, true);\n}", "project": "hhvm", "hash": 47213403152913530282313499473604294976, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219700 }, { "func": "TEST_F(ZNCTest, FixCVE20149403) {\n auto znc 
= Run();\n auto ircd = ConnectIRCd();\n ircd.Write(\":server 001 nick :Hello\");\n ircd.Write(\":server 005 nick CHANTYPES=# :supports\");\n ircd.Write(\":server PING :1\");\n ircd.ReadUntil(\"PONG 1\");\n\n QNetworkRequest request;\n request.setRawHeader(\"Authorization\",\n \"Basic \" + QByteArray(\"user:hunter2\").toBase64());\n request.setUrl(QUrl(\"http://127.0.0.1:12345/mods/global/webadmin/addchan\"));\n HttpPost(request, {\n {\"user\", \"user\"},\n {\"network\", \"test\"},\n {\"submitted\", \"1\"},\n {\"name\", \"znc\"},\n {\"enabled\", \"1\"},\n });\n EXPECT_THAT(HttpPost(request,\n {\n {\"user\", \"user\"},\n {\"network\", \"test\"},\n {\"submitted\", \"1\"},\n {\"name\", \"znc\"},\n {\"enabled\", \"1\"},\n })\n ->readAll()\n .toStdString(),\n HasSubstr(\"Channel [#znc] already exists\"));\n}", "project": "znc", "hash": 103106242428507052017290399385194450280, "size": 31, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231584 }, { "func": "static inline void io_put_file(struct file *file)\n{\n\tif (file)\n\t\tfput(file);\n}", "project": "linux", "hash": 266467858259491227536573145569210681741, "size": 5, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338725 }, { "func": "static OPJ_BOOL opj_tcd_rate_allocate_encode(opj_tcd_t *p_tcd,\n OPJ_BYTE * p_dest_data,\n OPJ_UINT32 p_max_dest_size,\n opj_codestream_info_t *p_cstr_info,\n opj_event_mgr_t *p_manager)\n{\n opj_cp_t * l_cp = p_tcd->cp;\n OPJ_UINT32 l_nb_written = 0;\n\n if (p_cstr_info) {\n p_cstr_info->index_write = 0;\n }\n\n if (l_cp->m_specific_param.m_enc.m_disto_alloc ||\n l_cp->m_specific_param.m_enc.m_fixed_quality) {\n /* fixed_quality */\n /* Normal Rate/distortion allocation */\n if (! 
opj_tcd_rateallocate(p_tcd, p_dest_data, &l_nb_written, p_max_dest_size,\n p_cstr_info, p_manager)) {\n return OPJ_FALSE;\n }\n } else {\n /* Fixed layer allocation */\n opj_tcd_rateallocate_fixed(p_tcd);\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 269413881064740225045024516774639321793, "size": 28, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359167 }, { "func": "int rtnl_wilddump_request(struct rtnl_handle *rth, int family, int type)\n{\n\treturn rtnl_wilddump_req_filter(rth, family, type, RTEXT_FILTER_VF);\n}", "project": "iproute2", "hash": 60722705002991010963201591383057007227, "size": 4, "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f", "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern \nSigned-off-by: Stephen Hemminger ", "target": 0, "dataset": "other", "idx": 318212 }, { "func": "static inline int kvm_io_bus_cmp(const struct kvm_io_range *r1,\n\t\t\t\t const struct kvm_io_range *r2)\n{\n\tgpa_t addr1 = r1->addr;\n\tgpa_t addr2 = r2->addr;\n\n\tif (addr1 < addr2)\n\t\treturn -1;\n\n\t/* If r2->len == 0, match the exact address. If r2->len != 0,\n\t * accept any overlapping write. 
Any order is acceptable for\n\t * overlapping ranges, because kvm_io_bus_get_first_dev ensures\n\t * we process all of them.\n\t */\n\tif (r2->len) {\n\t\taddr1 += r1->len;\n\t\taddr2 += r2->len;\n\t}\n\n\tif (addr1 > addr2)\n\t\treturn 1;\n\n\treturn 0;\n}", "project": "linux", "hash": 71074892189070359180027622163539739946, "size": 24, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354486 }, { "func": "static void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)\n{\n\t*pub_key = dh->pub_key;\n\t*priv_key = dh->priv_key;\n}", "project": "php-src", "hash": 171815208174870029179075748262148494363, "size": 5, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291436 }, { "func": "static int __kvm_gfn_to_hva_cache_init(struct kvm_memslots *slots,\n\t\t\t\t struct gfn_to_hva_cache *ghc,\n\t\t\t\t gpa_t gpa, unsigned long len)\n{\n\tint offset = offset_in_page(gpa);\n\tgfn_t start_gfn = gpa >> PAGE_SHIFT;\n\tgfn_t end_gfn = (gpa + len - 1) >> PAGE_SHIFT;\n\tgfn_t nr_pages_needed = end_gfn - start_gfn + 1;\n\tgfn_t nr_pages_avail;\n\n\t/* Update ghc->generation before performing any error checks. 
*/\n\tghc->generation = slots->generation;\n\n\tif (start_gfn > end_gfn) {\n\t\tghc->hva = KVM_HVA_ERR_BAD;\n\t\treturn -EINVAL;\n\t}\n\n\t/*\n\t * If the requested region crosses two memslots, we still\n\t * verify that the entire region is valid here.\n\t */\n\tfor ( ; start_gfn <= end_gfn; start_gfn += nr_pages_avail) {\n\t\tghc->memslot = __gfn_to_memslot(slots, start_gfn);\n\t\tghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn,\n\t\t\t\t\t &nr_pages_avail);\n\t\tif (kvm_is_error_hva(ghc->hva))\n\t\t\treturn -EFAULT;\n\t}\n\n\t/* Use the slow path for cross page reads and writes. */\n\tif (nr_pages_needed == 1)\n\t\tghc->hva += offset;\n\telse\n\t\tghc->memslot = NULL;\n\n\tghc->gpa = gpa;\n\tghc->len = len;\n\treturn 0;\n}", "project": "linux", "hash": 146824188447859860066400763256971000066, "size": 40, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354500 }, { "func": "CString CClient::GetNick(bool bAllowIRCNick) const {\n CString sRet;\n\n const CIRCSock* pSock = GetIRCSock();\n if (bAllowIRCNick && pSock && pSock->IsAuthed()) {\n sRet = pSock->GetNick();\n }\n\n return (sRet.empty()) ? 
m_sNick : sRet;\n}", "project": "znc", "hash": 231732353704912565068577944785843048463, "size": 10, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231599 }, { "func": "DwaCompressor::compressTile\n (const char *inPtr,\n int inSize,\n IMATH_NAMESPACE::Box2i range,\n const char *&outPtr)\n{\n return compress (inPtr, inSize, range, outPtr);\n}", "project": "openexr", "hash": 299803763907199052372368772632420475955, "size": 8, "commit_id": "3eda5d70aba127bae9bd6bae9956fcf024b64031", "message": "fixes for DWA uncompress: sanity check unknown data reading, off-by-one error on max suffix string length\n\nSigned-off-by: Peter Hillman ", "target": 0, "dataset": "other", "idx": 440086 }, { "func": " [[nodiscard]] Guard add(Connection& conn) {\n std::lock_guard lock{mutex};\n connections.push_back(conn);\n return Guard{this, &conn};\n }", "project": "ceph", "hash": 42235213232199075490000281416517989308, "size": 5, "commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves CVE-2020-1700 (moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384537 }, { "func": "bool Virtual_tmp_table::add(List &field_list)\n{\n /* Create all fields and calculate the total length of record */\n Spvar_definition *cdef; /* column definition */\n List_iterator_fast it(field_list);\n DBUG_ENTER(\"Virtual_tmp_table::add\");\n while ((cdef= it++))\n {\n Field *tmp;\n if (!(tmp= cdef->make_field(s, in_use->mem_root, 0,\n (uchar*) (f_maybe_null(cdef->pack_flag) ? \"\" : 0),\n f_maybe_null(cdef->pack_flag) ? 
1 : 0,\n &cdef->field_name)))\n DBUG_RETURN(true);\n add(tmp);\n }\n DBUG_RETURN(false);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 107944149480994106741543958530358113002, "size": 18, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508472 }, { "func": "static int copyTdEntry(const indexEntry entry, rpmtd td, headerGetFlags flags)\n{\n rpm_count_t count = entry->info.count;\n int rc = 1;\t\t/* XXX 1 on success. */\n /* ALLOC overrides MINMEM */\n int allocMem = flags & HEADERGET_ALLOC;\n int minMem = allocMem ? 0 : flags & HEADERGET_MINMEM;\n int argvArray = (flags & HEADERGET_ARGV) ? 
1 : 0;\n\n assert(td != NULL);\n td->flags = RPMTD_IMMUTABLE;\n switch (entry->info.type) {\n case RPM_BIN_TYPE:\n\t/*\n\t * XXX This only works for\n\t * XXX \t\"sealed\" HEADER_IMMUTABLE/HEADER_SIGNATURES/HEADER_IMAGE.\n\t * XXX This will *not* work for unsealed legacy HEADER_IMAGE (i.e.\n\t * XXX a legacy header freshly read, but not yet unloaded to the rpmdb).\n\t */\n\tif (ENTRY_IS_REGION(entry)) {\n\t int32_t * ei = ((int32_t *)entry->data) - 2;\n\t entryInfo pe = (entryInfo) (ei + 2);\n\t unsigned char * dataStart = (unsigned char *) (pe + ntohl(ei[0]));\n\t int32_t rdl = -entry->info.offset;\t/* negative offset */\n\t int32_t ril = rdl/sizeof(*pe);\n\n\t rdl = entry->rdlen;\n\t count = 2 * sizeof(*ei) + (ril * sizeof(*pe)) + rdl;\n\t if (entry->info.tag == RPMTAG_HEADERIMAGE) {\n\t\tril -= 1;\n\t\tpe += 1;\n\t } else {\n\t\tcount += REGION_TAG_COUNT;\n\t\trdl += REGION_TAG_COUNT;\n\t }\n\n\t td->data = xmalloc(count);\n\t ei = (int32_t *) td->data;\n\t ei[0] = htonl(ril);\n\t ei[1] = htonl(rdl);\n\n\t pe = (entryInfo) memcpy(ei + 2, pe, (ril * sizeof(*pe)));\n\n\t dataStart = (unsigned char *) memcpy(pe + ril, dataStart, rdl);\n\n\t rc = regionSwab(NULL, ril, 0, pe, dataStart, dataStart + rdl, 0, 0);\n\t /* don't return data on failure */\n\t if (rc < 0) {\n\t\ttd->data = _free(td->data);\n\t }\n\t /* XXX 1 on success. */\n\t rc = (rc < 0) ? 0 : 1;\n\t} else {\n\t td->data = (!minMem\n\t\t? memcpy(xmalloc(count), entry->data, count)\n\t\t: entry->data);\n\t}\n\tbreak;\n case RPM_STRING_TYPE:\n\t/* simple string, but fallthrough if its actually an array */\n\tif (count == 1 && !argvArray) {\n\t td->data = allocMem ? 
xstrdup(entry->data) : entry->data;\n\t break;\n\t}\n case RPM_STRING_ARRAY_TYPE:\n case RPM_I18NSTRING_TYPE:\n {\tconst char ** ptrEntry;\n\tint tableSize = (count + argvArray) * sizeof(char *);\n\tchar * t;\n\tint i;\n\n\tif (minMem) {\n\t td->data = xmalloc(tableSize);\n\t ptrEntry = (const char **) td->data;\n\t t = entry->data;\n\t} else {\n\t t = xmalloc(tableSize + entry->length);\n\t td->data = (void *)t;\n\t ptrEntry = (const char **) td->data;\n\t t += tableSize;\n\t memcpy(t, entry->data, entry->length);\n\t}\n\tfor (i = 0; i < count; i++) {\n\t *ptrEntry++ = t;\n\t t = strchr(t, 0);\n\t t++;\n\t}\n\tif (argvArray) {\n\t *ptrEntry = NULL;\n\t td->flags |= RPMTD_ARGV;\n\t}\n }\tbreak;\n case RPM_CHAR_TYPE:\n case RPM_INT8_TYPE:\n case RPM_INT16_TYPE:\n case RPM_INT32_TYPE:\n case RPM_INT64_TYPE:\n\tif (allocMem) {\n\t td->data = xmalloc(entry->length);\n\t memcpy(td->data, entry->data, entry->length);\n\t} else {\n\t td->data = entry->data;\n\t}\n\tbreak;\n default:\n\t/* WTH? Don't mess with unknown data types... 
*/\n\trc = 0;\n\ttd->data = NULL;\n\tbreak;\n }\n td->type = entry->info.type;\n td->count = count;\n td->size = entry->length;\n\n if (td->data && entry->data != td->data) {\n\ttd->flags |= RPMTD_ALLOCED;\n }\n\n return rc;\n}", "project": "rpm", "hash": 167070564964622662386257379834750144302, "size": 120, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318186 }, { "func": "bool WebContents::IsGuest() const {\n return type_ == Type::WEB_VIEW;\n}", "project": "electron", "hash": 280318045356322370895778970196133607616, "size": 3, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269767 }, { "func": "int bcf_update_alleles(const bcf_hdr_t *hdr, bcf1_t *line, const char **alleles, int nals)\n{\n if ( !(line->unpacked & BCF_UN_STR) ) bcf_unpack(line, BCF_UN_STR);\n kstring_t tmp = {0,0,0};\n char *free_old = NULL;\n\n // If the supplied alleles are not pointers to line->d.als, the existing block can be reused.\n int i;\n for (i=0; i=line->d.als && alleles[i]d.als+line->d.m_als ) break;\n if ( i==nals )\n {\n // all alleles point elsewhere, reuse the existing block\n tmp.l = 0; tmp.s = line->d.als; tmp.m = line->d.m_als;\n }\n else\n free_old = line->d.als;\n\n for (i=0; id.als = tmp.s; line->d.m_als = tmp.m;\n free(free_old);\n return _bcf1_sync_alleles(hdr,line,nals);\n}", "project": "htslib", "hash": 247281612308677193902341804731354920568, "size": 27, "commit_id": 
"dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402244 }, { "func": "static bool can_merge_ctx(const struct intel_context *prev,\n\t\t\t const struct intel_context *next)\n{\n\tif (prev != next)\n\t\treturn false;\n\n\tif (ctx_single_port_submission(prev))\n\t\treturn false;\n\n\treturn true;\n}", "project": "linux", "hash": 62048898674784547626356293763672374191, "size": 11, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281480 }, { "func": "void propagate_new_equalities(THD *thd, Item *cond,\n List *new_equalities,\n COND_EQUAL *inherited,\n bool *is_simplifiable_cond)\n{\n if (cond->type() == Item::COND_ITEM)\n {\n bool and_level= ((Item_cond*) cond)->functype() == Item_func::COND_AND_FUNC;\n if (and_level)\n {\n Item_cond_and *cond_and= (Item_cond_and *) cond; \n List *cond_equalities= &cond_and->m_cond_equal.current_level;\n cond_and->m_cond_equal.upper_levels= inherited;\n if (!cond_equalities->is_empty() && cond_equalities != new_equalities)\n {\n Item_equal *equal_item;\n List_iterator it(*new_equalities);\n\twhile ((equal_item= it++))\n\t{\n equal_item->merge_into_list(thd, cond_equalities, true, true);\n }\n List_iterator ei(*cond_equalities);\n while ((equal_item= ei++))\n\t{\n if (equal_item->const_item() && !equal_item->val_int())\n\t {\n *is_simplifiable_cond= true;\n return;\n }\n }\n }\n }\n\n Item *item;\n List_iterator li(*((Item_cond*) cond)->argument_list());\n while ((item= li++))\n {\n COND_EQUAL *new_inherited= and_level && item->type() == Item::COND_ITEM ?\n &((Item_cond_and *) cond)->m_cond_equal :\n inherited;\n propagate_new_equalities(thd, item, new_equalities, new_inherited,\n is_simplifiable_cond);\n }\n }\n else if (cond->type() == Item::FUNC_ITEM && \n ((Item_cond*) cond)->functype() == Item_func::MULT_EQUAL_FUNC)\n {\n Item_equal *equal_item;\n List_iterator it(*new_equalities);\n Item_equal *equality= (Item_equal *) cond;\n equality->upper_levels= inherited;\n while ((equal_item= it++))\n {\n equality->merge_with_check(thd, equal_item, 
true);\n }\n if (equality->const_item() && !equality->val_int())\n *is_simplifiable_cond= true;\n }\n else\n {\n cond= cond->propagate_equal_fields(thd,\n Item::Context_boolean(), inherited);\n cond->update_used_tables();\n } \n} ", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 319405398039826598047674114599799629281, "size": 65, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508684 }, { "func": "\nstatic int io_sqe_files_unregister(struct io_ring_ctx *ctx)\n{\n\tint ret;\n\n\tif (!ctx->file_data)\n\t\treturn -ENXIO;\n\tret = io_rsrc_ref_quiesce(ctx->file_data, ctx);\n\tif (!ret)\n\t\t__io_sqe_files_unregister(ctx);\n\treturn ret;", "project": "linux", "hash": 334765014786439107425407256961565921868, "size": 11, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338564 }, { "func": " */\nstatic bool bfq_asymmetric_scenario(struct bfq_data *bfqd,\n\t\t\t\t struct bfq_queue *bfqq)\n{\n\tbool smallest_weight = bfqq &&\n\t\tbfqq->weight_counter &&\n\t\tbfqq->weight_counter ==\n\t\tcontainer_of(\n\t\t\trb_first_cached(&bfqd->queue_weights_tree),\n\t\t\tstruct bfq_weight_counter,\n\t\t\tweights_node);\n\n\t/*\n\t * For queue weights to differ, queue_weights_tree must contain\n\t * at least two nodes.\n\t */\n\tbool varied_queue_weights = !smallest_weight &&\n\t\t!RB_EMPTY_ROOT(&bfqd->queue_weights_tree.rb_root) &&\n\t\t(bfqd->queue_weights_tree.rb_root.rb_node->rb_left ||\n\t\t bfqd->queue_weights_tree.rb_root.rb_node->rb_right);\n\n\tbool multiple_classes_busy =\n\t\t(bfqd->busy_queues[0] && bfqd->busy_queues[1]) ||\n\t\t(bfqd->busy_queues[0] && bfqd->busy_queues[2]) ||\n\t\t(bfqd->busy_queues[1] && bfqd->busy_queues[2]);\n\n\treturn varied_queue_weights || multiple_classes_busy\n#ifdef CONFIG_BFQ_GROUP_IOSCHED\n\t || bfqd->num_groups_with_pending_reqs > 0\n#endif\n\t\t;", "project": "linux", "hash": 235319323146394198799255901292565175028, "size": 31, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. 
The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] 
kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region 
[ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453296 }, { "func": "static void fuse_writepage_free(struct fuse_writepage_args *wpa)\n{\n\tstruct fuse_args_pages *ap = &wpa->ia.ap;\n\tint i;\n\n\tfor (i = 0; i < ap->num_pages; i++)\n\t\t__free_page(ap->pages[i]);\n\n\tif (wpa->ia.ff)\n\t\tfuse_file_put(wpa->ia.ff, false, false);\n\n\tkfree(ap->pages);\n\tkfree(wpa);\n}", "project": "linux", "hash": 
291398329835079454999464414523691392905, "size": 14, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341916 }, { "func": "static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_keypress_notify *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);\n\tif (!conn)\n\t\treturn;\n\n\tswitch (ev->type) {\n\tcase HCI_KEYPRESS_STARTED:\n\t\tconn->passkey_entered = 0;\n\t\treturn;\n\n\tcase HCI_KEYPRESS_ENTERED:\n\t\tconn->passkey_entered++;\n\t\tbreak;\n\n\tcase HCI_KEYPRESS_ERASED:\n\t\tconn->passkey_entered--;\n\t\tbreak;\n\n\tcase HCI_KEYPRESS_CLEARED:\n\t\tconn->passkey_entered = 0;\n\t\tbreak;\n\n\tcase HCI_KEYPRESS_COMPLETED:\n\t\treturn;\n\t}\n\n\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tmgmt_user_passkey_notify(hdev, &conn->dst, conn->type,\n\t\t\t\t\t conn->dst_type, conn->passkey_notify,\n\t\t\t\t\t conn->passkey_entered);\n}", "project": "linux", "hash": 168478325647714795212972901595718612168, "size": 37, "commit_id": 
"51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432008 }, { "func": "static void nasm_verror_gnu(int severity, const char *fmt, va_list ap)\n{\n const char *currentfile = NULL;\n int32_t lineno = 0;\n\n if (is_suppressed_warning(severity))\n return;\n\n if (!(severity & ERR_NOFILE)) {\n\tsrc_get(&lineno, ¤tfile);\n if (!currentfile || (severity & ERR_TOPFILE)) {\n currentfile = inname[0] ? inname : outname[0] ? outname : NULL;\n lineno = 0;\n }\n }\n\n if (!skip_this_pass(severity)) {\n if (!lineno)\n fprintf(error_file, \"%s:\", currentfile ? 
currentfile : \"nasm\");\n else\n fprintf(error_file, \"%s:%\"PRId32\": \", currentfile, lineno);\n }\n\n nasm_verror_common(severity, fmt, ap);\n}", "project": "nasm", "hash": 150514961635693473239185111278385516691, "size": 25, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257488 }, { "func": "my_bool STDCALL mysql_more_results(MYSQL *mysql)\n{\n return(test(mysql->server_status & SERVER_MORE_RESULTS_EXIST));\n}", "project": "mariadb-connector-c", "hash": 141783597142571085214984289718516406726, "size": 4, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429728 }, { "func": "int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname)\n{\n\tint error = may_create(dir, dentry);\n\n\tif (error)\n\t\treturn error;\n\n\tif (!dir->i_op->symlink)\n\t\treturn -EPERM;\n\n\terror = security_inode_symlink(dir, dentry, oldname);\n\tif (error)\n\t\treturn error;\n\n\terror = dir->i_op->symlink(dir, dentry, oldname);\n\tif (!error)\n\t\tfsnotify_create(dir, dentry);\n\treturn error;\n}", "project": "linux", "hash": 216443829402114682361568704476405992907, "size": 19, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295335 }, { "func": "\nstatic void io_ring_ctx_free(struct io_ring_ctx 
*ctx)\n{\n\tio_sq_thread_finish(ctx);\n\n\tif (ctx->mm_account) {\n\t\tmmdrop(ctx->mm_account);\n\t\tctx->mm_account = NULL;\n\t}\n\n\tmutex_lock(&ctx->uring_lock);\n\tif (io_wait_rsrc_data(ctx->buf_data))\n\t\t__io_sqe_buffers_unregister(ctx);\n\tif (io_wait_rsrc_data(ctx->file_data))\n\t\t__io_sqe_files_unregister(ctx);\n\tif (ctx->rings)\n\t\t__io_cqring_overflow_flush(ctx, true);\n\tmutex_unlock(&ctx->uring_lock);\n\tio_eventfd_unregister(ctx);\n\tio_destroy_buffers(ctx);\n\tif (ctx->sq_creds)\n\t\tput_cred(ctx->sq_creds);\n\n\t/* there are no registered resources left, nobody uses it */\n\tif (ctx->rsrc_node)\n\t\tio_rsrc_node_destroy(ctx->rsrc_node);\n\tif (ctx->rsrc_backup_node)\n\t\tio_rsrc_node_destroy(ctx->rsrc_backup_node);\n\tflush_delayed_work(&ctx->rsrc_put_work);\n\n\tWARN_ON_ONCE(!list_empty(&ctx->rsrc_ref_list));\n\tWARN_ON_ONCE(!llist_empty(&ctx->rsrc_put_llist));\n\n#if defined(CONFIG_UNIX)\n\tif (ctx->ring_sock) {\n\t\tctx->ring_sock->file = NULL; /* so that iput() is called */\n\t\tsock_release(ctx->ring_sock);\n\t}\n#endif\n\n\tio_mem_free(ctx->rings);\n\tio_mem_free(ctx->sq_sqes);\n\n\tpercpu_ref_exit(&ctx->refs);\n\tfree_uid(ctx->user);\n\tio_req_caches_free(ctx);\n\tif (ctx->hash_map)\n\t\tio_wq_put_hash(ctx->hash_map);\n\tkfree(ctx->cancel_hash);\n\tkfree(ctx->dummy_ubuf);\n\tkfree(ctx);", "project": "linux", "hash": 36206128765897049246234269758324409161, "size": 51, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338679 }, { "func": "static void io_ring_ctx_free(struct io_ring_ctx *ctx)\n{\n\tio_finish_async(ctx);\n\tio_sqe_buffer_unregister(ctx);\n\tif (ctx->sqo_mm) {\n\t\tmmdrop(ctx->sqo_mm);\n\t\tctx->sqo_mm = NULL;\n\t}\n\n\tio_sqe_files_unregister(ctx);\n\tio_eventfd_unregister(ctx);\n\tio_destroy_buffers(ctx);\n\tidr_destroy(&ctx->personality_idr);\n\n#if defined(CONFIG_UNIX)\n\tif (ctx->ring_sock) {\n\t\tctx->ring_sock->file = NULL; /* so that iput() is called */\n\t\tsock_release(ctx->ring_sock);\n\t}\n#endif\n\n\tio_mem_free(ctx->rings);\n\tio_mem_free(ctx->sq_sqes);\n\n\tpercpu_ref_exit(&ctx->refs);\n\tfree_uid(ctx->user);\n\tput_cred(ctx->creds);\n\tkfree(ctx->cancel_hash);\n\tkmem_cache_free(req_cachep, ctx->fallback_req);\n\tkfree(ctx);\n}", "project": "linux", "hash": 18918141032199835801882786584488167384, "size": 31, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: 
syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456944 }, { "func": "static void io_task_work_add_head(struct callback_head **work_head,\n\t\t\t\t struct callback_head *task_work)\n{\n\tstruct callback_head *head;\n\n\tdo {\n\t\thead = READ_ONCE(*work_head);\n\t\ttask_work->next = head;\n\t} while (cmpxchg(work_head, head, task_work) != head);\n}", "project": "linux", "hash": 314762939782526150350809662427649194829, "size": 10, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338624 }, { "func": "Pl_AES_PDF::~Pl_AES_PDF()\n{\n}", "project": "qpdf", "hash": 305551610420163778034780559964985148193, "size": 3, "commit_id": "dc92574c10f3e2516ec6445b88c5d584f40df4e5", "message": "Fix some pipelines to be safe if downstream write fails (fuzz issue 28262)", "target": 0, "dataset": "other", "idx": 458320 }, { "func": "static void encode_getfattr_open(struct xdr_stream *xdr, const u32 *bitmask,\n\t\t\t\t const u32 *open_bitmap,\n\t\t\t\t struct compound_hdr *hdr)\n{\n\tencode_getattr(xdr, open_bitmap, bitmask, 3, hdr);\n}", "project": "linux", "hash": 133101073192433231034682583983449012209, "size": 6, "commit_id": 
"b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431501 }, { "func": "inline TfLiteStatus CheckTypes(TfLiteContext* context,\n const TfLiteTensor* input,\n const TfLiteTensor* filter,\n const TfLiteTensor* bias, TfLiteTensor* output,\n TfLiteFullyConnectedParams* params) {\n const bool is_quantized =\n ((filter->type == kTfLiteUInt8) || (filter->type == kTfLiteInt8));\n const bool is_hybrid = is_quantized && (input->type == kTfLiteFloat32);\n const bool is_shuffled =\n is_quantized && (params->weights_format ==\n kTfLiteFullyConnectedWeightsFormatShuffled4x16Int8);\n\n // optional bias tensor.\n const bool is_optional_bias_float = !bias || (bias->type == kTfLiteFloat32);\n const bool is_optional_bias_int =\n !bias || (bias->type == kTfLiteInt32) || (bias->type == kTfLiteInt64);\n\n if (is_quantized) {\n if (is_shuffled) {\n TF_LITE_ENSURE_TYPES_EQ(context, input->type, kTfLiteUInt8);\n TF_LITE_ENSURE_TYPES_EQ(context, filter->type, kTfLiteUInt8);\n TF_LITE_ENSURE_TYPES_EQ(context, output->type, kTfLiteInt16);\n TF_LITE_ENSURE_EQ(context, is_optional_bias_int, true);\n } else if (is_hybrid) {\n TF_LITE_ENSURE_TYPES_EQ(context, input->type, kTfLiteFloat32);\n TF_LITE_ENSURE_TYPES_EQ(context, output->type, kTfLiteFloat32);\n TF_LITE_ENSURE_EQ(context, is_optional_bias_float, true);\n } else {\n TF_LITE_ENSURE(context, input->type == kTfLiteUInt8 ||\n input->type == kTfLiteInt8 ||\n input->type == kTfLiteInt16);\n TF_LITE_ENSURE(context, output->type == kTfLiteUInt8 ||\n output->type == kTfLiteInt8 ||\n output->type == kTfLiteInt16);\n 
TF_LITE_ENSURE_EQ(context, is_optional_bias_int, true);\n }\n } else {\n // Only float32 is supported currently\n TF_LITE_ENSURE_TYPES_EQ(context, input->type, kTfLiteFloat32);\n TF_LITE_ENSURE_TYPES_EQ(context, output->type, kTfLiteFloat32);\n TF_LITE_ENSURE_TYPES_EQ(context, filter->type, kTfLiteFloat32);\n TF_LITE_ENSURE_EQ(context, is_optional_bias_float, true);\n }\n\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 90840067903229483823334530956397671224, "size": 46, "commit_id": "6c0b2b70eeee588591680f5b7d5d38175fd7cdf6", "message": "[lite] add validation check for sparse fully connected\n\nPiperOrigin-RevId: 417629354\nChange-Id: If96171c4bd4f5fdb01d6368d6deab19d1c9beca7", "target": 0, "dataset": "other", "idx": 220474 }, { "func": " void used_tables_and_const_cache_join(const Item *item)\n {\n used_tables_cache|= item->used_tables();\n const_item_cache&= item->const_item();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 269458023074538713698184823361987313123, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509261 }, { "func": "static void ov511_i2c_w(struct sd *sd, u8 reg, u8 value)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint rc, retries;\n\n\tgspca_dbg(gspca_dev, D_USBO, \"ov511_i2c_w %02x %02x\\n\", reg, value);\n\n\t/* Three byte write cycle */\n\tfor (retries = 6; ; ) {\n\t\t/* Select camera register */\n\t\treg_w(sd, R51x_I2C_SADDR_3, reg);\n\n\t\t/* Write \"value\" to I2C data port of OV511 */\n\t\treg_w(sd, R51x_I2C_DATA, value);\n\n\t\t/* Initiate 3-byte write cycle */\n\t\treg_w(sd, R511_I2C_CTL, 0x01);\n\n\t\tdo {\n\t\t\trc = reg_r(sd, R511_I2C_CTL);\n\t\t} while (rc > 0 && ((rc & 1) == 0)); /* Retry until idle */\n\n\t\tif (rc < 0)\n\t\t\treturn;\n\n\t\tif ((rc & 2) == 0) /* Ack? */\n\t\t\tbreak;\n\t\tif (--retries < 0) {\n\t\t\tgspca_dbg(gspca_dev, D_USBO, \"i2c write retries exhausted\\n\");\n\t\t\treturn;\n\t\t}\n\t}\n}", "project": "linux", "hash": 315245518809356792575032846132952262193, "size": 33, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306334 }, { "func": "static ssize_t __fuse_copy_file_range(struct file *file_in, 
loff_t pos_in,\n\t\t\t\t struct file *file_out, loff_t pos_out,\n\t\t\t\t size_t len, unsigned int flags)\n{\n\tstruct fuse_file *ff_in = file_in->private_data;\n\tstruct fuse_file *ff_out = file_out->private_data;\n\tstruct inode *inode_in = file_inode(file_in);\n\tstruct inode *inode_out = file_inode(file_out);\n\tstruct fuse_inode *fi_out = get_fuse_inode(inode_out);\n\tstruct fuse_mount *fm = ff_in->fm;\n\tstruct fuse_conn *fc = fm->fc;\n\tFUSE_ARGS(args);\n\tstruct fuse_copy_file_range_in inarg = {\n\t\t.fh_in = ff_in->fh,\n\t\t.off_in = pos_in,\n\t\t.nodeid_out = ff_out->nodeid,\n\t\t.fh_out = ff_out->fh,\n\t\t.off_out = pos_out,\n\t\t.len = len,\n\t\t.flags = flags\n\t};\n\tstruct fuse_write_out outarg;\n\tssize_t err;\n\t/* mark unstable when write-back is not used, and file_out gets\n\t * extended */\n\tbool is_unstable = (!fc->writeback_cache) &&\n\t\t\t ((pos_out + len) > inode_out->i_size);\n\n\tif (fc->no_copy_file_range)\n\t\treturn -EOPNOTSUPP;\n\n\tif (file_inode(file_in)->i_sb != file_inode(file_out)->i_sb)\n\t\treturn -EXDEV;\n\n\tinode_lock(inode_in);\n\terr = fuse_writeback_range(inode_in, pos_in, pos_in + len - 1);\n\tinode_unlock(inode_in);\n\tif (err)\n\t\treturn err;\n\n\tinode_lock(inode_out);\n\n\terr = file_modified(file_out);\n\tif (err)\n\t\tgoto out;\n\n\t/*\n\t * Write out dirty pages in the destination file before sending the COPY\n\t * request to userspace. After the request is completed, truncate off\n\t * pages (including partial ones) from the cache that have been copied,\n\t * since these contain stale data at that point.\n\t *\n\t * This should be mostly correct, but if the COPY writes to partial\n\t * pages (at the start or end) and the parts not covered by the COPY are\n\t * written through a memory map after calling fuse_writeback_range(),\n\t * then these partial page modifications will be lost on truncation.\n\t *\n\t * It is unlikely that someone would rely on such mixed style\n\t * modifications. 
Yet this does give less guarantees than if the\n\t * copying was performed with write(2).\n\t *\n\t * To fix this a i_mmap_sem style lock could be used to prevent new\n\t * faults while the copy is ongoing.\n\t */\n\terr = fuse_writeback_range(inode_out, pos_out, pos_out + len - 1);\n\tif (err)\n\t\tgoto out;\n\n\tif (is_unstable)\n\t\tset_bit(FUSE_I_SIZE_UNSTABLE, &fi_out->state);\n\n\targs.opcode = FUSE_COPY_FILE_RANGE;\n\targs.nodeid = ff_in->nodeid;\n\targs.in_numargs = 1;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\targs.out_numargs = 1;\n\targs.out_args[0].size = sizeof(outarg);\n\targs.out_args[0].value = &outarg;\n\terr = fuse_simple_request(fm, &args);\n\tif (err == -ENOSYS) {\n\t\tfc->no_copy_file_range = 1;\n\t\terr = -EOPNOTSUPP;\n\t}\n\tif (err)\n\t\tgoto out;\n\n\ttruncate_inode_pages_range(inode_out->i_mapping,\n\t\t\t\t ALIGN_DOWN(pos_out, PAGE_SIZE),\n\t\t\t\t ALIGN(pos_out + outarg.size, PAGE_SIZE) - 1);\n\n\tif (fc->writeback_cache) {\n\t\tfuse_write_update_size(inode_out, pos_out + outarg.size);\n\t\tfile_update_time(file_out);\n\t}\n\n\tfuse_invalidate_attr(inode_out);\n\n\terr = outarg.size;\nout:\n\tif (is_unstable)\n\t\tclear_bit(FUSE_I_SIZE_UNSTABLE, &fi_out->state);\n\n\tinode_unlock(inode_out);\n\tfile_accessed(file_in);\n\n\treturn err;\n}", "project": "linux", "hash": 101530334017907564553922488847172235947, "size": 108, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342009 }, { "func": "static void deleteReceivers(struct receiver *rcvrs) {\n struct receiver *current, *tmp;\n\n HASH_ITER(hh, rcvrs, current, tmp) {\n HASH_DEL(rcvrs, current);\n free(current);\n }\n}", "project": "nDPI", "hash": 225020593481689538055914808146715584900, "size": 8, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254836 }, { "func": "static int usb_host_auto_del(const char *spec)\n{\n struct USBAutoFilter *pf = usb_auto_filter;\n struct USBAutoFilter **prev = &usb_auto_filter;\n struct USBAutoFilter filter;\n\n if (parse_filter(spec, &filter) < 0)\n return -1;\n\n while (pf) {\n if (match_filter(pf, &filter)) {\n dprintf(\"husb: removed auto filter: bus_num %d addr %d vid %d pid %d\\n\",\n\t pf->bus_num, pf->addr, pf->vendor_id, pf->product_id);\n\n *prev = pf->next;\n\n\t if (!usb_auto_filter) {\n /* No more filters. Stop scanning. 
*/\n qemu_del_timer(usb_auto_timer);\n qemu_free_timer(usb_auto_timer);\n }\n\n return 0;\n }\n\n prev = &pf->next;\n pf = pf->next;\n }\n\n return -1;\n}", "project": "qemu", "hash": 22135166173228692276330409481482051071, "size": 31, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346296 }, { "func": "inline int FlatSizeSkipDim(const RuntimeShape& shape, int skip_dim) {\n const int dims_count = shape.DimensionsCount();\n TFLITE_DCHECK(skip_dim >= 0 && skip_dim < dims_count);\n const auto* dims_data = shape.DimsData();\n int flat_size = 1;\n for (int i = 0; i < dims_count; ++i) {\n flat_size *= (i == skip_dim) ? 1 : dims_data[i];\n }\n return flat_size;\n}", "project": "tensorflow", "hash": 73648588453231725314899301770144248270, "size": 10, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269150 }, { "func": "inline int FlatSizeSkipDim(const Dims& dims, int skip_dim) {\n TFLITE_DCHECK(skip_dim >= 0 && skip_dim < N);\n int flat_size = 1;\n for (int i = 0; i < N; ++i) {\n flat_size *= (i == skip_dim) ? 1 : dims.sizes[i];\n }\n return flat_size;\n}", "project": "tensorflow", "hash": 164495818922639854678014772462598728845, "size": 8, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269175 }, { "func": " bool agg_arg_charsets_for_comparison(CHARSET_INFO **cs, Item **a, Item **b)\n {\n DTCollation tmp;\n if (tmp.set((*a)->collation, (*b)->collation, MY_COLL_CMP_CONV) ||\n tmp.derivation == DERIVATION_NONE)\n {\n my_error(ER_CANT_AGGREGATE_2COLLATIONS,MYF(0),\n (*a)->collation.collation->name,\n (*a)->collation.derivation_name(),\n (*b)->collation.collation->name,\n (*b)->collation.derivation_name(),\n func_name());\n return true;\n }\n if (agg_item_set_converter(tmp, func_name(),\n a, 1, MY_COLL_CMP_CONV, 1) ||\n agg_item_set_converter(tmp, func_name(),\n b, 1, MY_COLL_CMP_CONV, 1))\n return true;\n *cs= tmp.collation;\n return false;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 25617252509431302118915938112887577027, "size": 22, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508974 }, { "func": " bool agg_arg_charsets_for_comparison(DTCollation &c,\n Item **items, uint nitems,\n int item_sep= 1)\n {\n uint flags= MY_COLL_ALLOW_SUPERSET_CONV |\n MY_COLL_ALLOW_COERCIBLE_CONV |\n MY_COLL_DISALLOW_NONE;\n return agg_arg_charsets(c, items, nitems, flags, item_sep);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 237106355422144165093957363408666668143, "size": 9, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509457 }, { "func": "static void con_flush(struct vc_data *vc, unsigned long draw_from,\n\t\tunsigned long draw_to, int *draw_x)\n{\n\tif (*draw_x < 0)\n\t\treturn;\n\n\tvc->vc_sw->con_putcs(vc, (u16 *)draw_from,\n\t\t\t(u16 *)draw_to - (u16 *)draw_from, vc->vc_y, *draw_x);\n\t*draw_x = -1;\n}", "project": "linux", "hash": 37163782504220547495599581638905678046, "size": 10, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437081 }, { "func": "static int monitor_interception(struct vcpu_svm *svm)\n{\n\tprintk_once(KERN_WARNING \"kvm: MONITOR instruction emulated as NOP!\\n\");\n\treturn nop_interception(svm);\n}", "project": "linux", "hash": 189762884360453919198903460005663366137, "size": 5, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432390 }, { "func": "static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {\n\n\toidc_debug(r, \"enter\");\n\n\t/* obtain the URL we're currently accessing, to be stored in the state/session */\n\tchar *current_url = oidc_get_current_url(r);\n\tconst char *method = oidc_original_request_method(r, cfg, FALSE);\n\n\t/* generate CSRF token */\n\tchar *csrf = NULL;\n\tif (oidc_proto_generate_nonce(r, &csrf, 8) == FALSE)\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\n\tchar *path_scopes = oidc_dir_cfg_path_scope(r);\n\tchar *path_auth_request_params = oidc_dir_cfg_path_auth_request_params(r);\n\n\tchar *discover_url = oidc_cfg_dir_discover_url(r);\n\t/* see if there's an external discovery page configured */\n\tif (discover_url != NULL) {\n\n\t\t/* yes, assemble the parameters for external discovery */\n\t\tchar *url = apr_psprintf(r->pool, \"%s%s%s=%s&%s=%s&%s=%s&%s=%s\",\n\t\t\t\tdiscover_url,\n\t\t\t\tstrchr(discover_url, OIDC_CHAR_QUERY) != NULL ?\n\t\t\t\t\t\tOIDC_STR_AMP :\n\t\t\t\t\t\tOIDC_STR_QUERY,\n\t\t\t\t\t\tOIDC_DISC_RT_PARAM, oidc_util_escape_string(r, 
current_url),\n\t\t\t\t\t\tOIDC_DISC_RM_PARAM, method,\n\t\t\t\t\t\tOIDC_DISC_CB_PARAM,\n\t\t\t\t\t\toidc_util_escape_string(r, oidc_get_redirect_uri(r, cfg)),\n\t\t\t\t\t\tOIDC_CSRF_NAME, oidc_util_escape_string(r, csrf));\n\n\t\tif (path_scopes != NULL)\n\t\t\turl = apr_psprintf(r->pool, \"%s&%s=%s\", url, OIDC_DISC_SC_PARAM,\n\t\t\t\t\toidc_util_escape_string(r, path_scopes));\n\t\tif (path_auth_request_params != NULL)\n\t\t\turl = apr_psprintf(r->pool, \"%s&%s=%s\", url, OIDC_DISC_AR_PARAM,\n\t\t\t\t\toidc_util_escape_string(r, path_auth_request_params));\n\n\t\t/* log what we're about to do */\n\t\toidc_debug(r, \"redirecting to external discovery page: %s\", url);\n\n\t\t/* set CSRF cookie */\n\t\toidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,\n\t\t\t\tOIDC_COOKIE_SAMESITE_STRICT(cfg, r));\n\n\t\t/* see if we need to preserve POST parameters through Javascript/HTML5 storage */\n\t\tif (oidc_post_preserve_javascript(r, url, NULL, NULL) == TRUE)\n\t\t\treturn OK;\n\n\t\t/* do the actual redirect to an external discovery page */\n\t\toidc_util_hdr_out_location_set(r, url);\n\n\t\treturn HTTP_MOVED_TEMPORARILY;\n\t}\n\n\t/* get a list of all providers configured in the metadata directory */\n\tapr_array_header_t *arr = NULL;\n\tif (oidc_metadata_list(r, cfg, &arr) == FALSE)\n\t\treturn oidc_util_html_send_error(r, cfg->error_template,\n\t\t\t\t\"Configuration Error\",\n\t\t\t\t\"No configured providers found, contact your administrator\",\n\t\t\t\tHTTP_UNAUTHORIZED);\n\n\t/* assemble a where-are-you-from IDP discovery HTML page */\n\tconst char *s = \"\t\t\t

Select your OpenID Connect Identity Provider

\\n\";\n\n\t/* list all configured providers in there */\n\tint i;\n\tfor (i = 0; i < arr->nelts; i++) {\n\n\t\tconst char *issuer = ((const char**) arr->elts)[i];\n\t\t// TODO: html escape (especially & character)\n\n\t\tchar *href = apr_psprintf(r->pool,\n\t\t\t\t\"%s?%s=%s&%s=%s&%s=%s&%s=%s\",\n\t\t\t\toidc_get_redirect_uri(r, cfg), OIDC_DISC_OP_PARAM,\n\t\t\t\toidc_util_escape_string(r, issuer),\n\t\t\t\tOIDC_DISC_RT_PARAM, oidc_util_escape_string(r, current_url),\n\t\t\t\tOIDC_DISC_RM_PARAM, method,\n\t\t\t\tOIDC_CSRF_NAME, csrf);\n\n\t\tif (path_scopes != NULL)\n\t\t\thref = apr_psprintf(r->pool, \"%s&%s=%s\", href,\n\t\t\t\t\tOIDC_DISC_SC_PARAM, oidc_util_escape_string(r, path_scopes));\n\t\tif (path_auth_request_params != NULL)\n\t\t\thref = apr_psprintf(r->pool, \"%s&%s=%s\", href,\n\t\t\t\t\tOIDC_DISC_AR_PARAM,\n\t\t\t\t\toidc_util_escape_string(r, path_auth_request_params));\n\n\t\tchar *display =\n\t\t\t\t(strstr(issuer, \"https://\") == NULL) ?\n\t\t\t\t\t\tapr_pstrdup(r->pool, issuer) :\n\t\t\t\t\t\tapr_pstrdup(r->pool, issuer + strlen(\"https://\"));\n\n\t\t/* strip port number */\n\t\t//char *p = strstr(display, \":\");\n\t\t//if (p != NULL) *p = '\\0';\n\t\t/* point back to the redirect_uri, where the selection is handled, with an IDP selection and return_to URL */\n\t\ts = apr_psprintf(r->pool, \"%s
\\n\", s, href,\n\t\t\t\tdisplay);\n\t}\n\n\t/* add an option to enter an account or issuer name for dynamic OP discovery */\n\ts = apr_psprintf(r->pool, \"%s
\\n\", s,\n\t\t\toidc_get_redirect_uri(r, cfg));\n\ts = apr_psprintf(r->pool,\n\t\t\t\"%s

\\n\", s,\n\t\t\tOIDC_DISC_RT_PARAM, current_url);\n\ts = apr_psprintf(r->pool,\n\t\t\t\"%s

\\n\", s,\n\t\t\tOIDC_DISC_RM_PARAM, method);\n\ts = apr_psprintf(r->pool,\n\t\t\t\"%s

\\n\", s,\n\t\t\tOIDC_CSRF_NAME, csrf);\n\n\tif (path_scopes != NULL)\n\t\ts = apr_psprintf(r->pool,\n\t\t\t\t\"%s

\\n\", s,\n\t\t\t\tOIDC_DISC_SC_PARAM, path_scopes);\n\tif (path_auth_request_params != NULL)\n\t\ts = apr_psprintf(r->pool,\n\t\t\t\t\"%s

\\n\", s,\n\t\t\t\tOIDC_DISC_AR_PARAM, path_auth_request_params);\n\n\ts =\n\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\"%s

Or enter your account name (eg. "mike@seed.gluu.org", or an IDP identifier (eg. "mitreid.org"):

\\n\",\n\t\t\t\t\ts);\n\ts = apr_psprintf(r->pool,\n\t\t\t\"%s

\\n\", s,\n\t\t\tOIDC_DISC_OP_PARAM, \"\");\n\ts = apr_psprintf(r->pool,\n\t\t\t\"%s

\\n\", s);\n\ts = apr_psprintf(r->pool, \"%s
\\n\", s);\n\n\toidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,\n\t\t\tOIDC_COOKIE_SAMESITE_STRICT(cfg, r));\n\n\tchar *javascript = NULL, *javascript_method = NULL;\n\tchar *html_head =\n\t\t\t\"\";\n\tif (oidc_post_preserve_javascript(r, NULL, &javascript, &javascript_method)\n\t\t\t== TRUE)\n\t\thtml_head = apr_psprintf(r->pool, \"%s%s\", html_head, javascript);\n\n\t/* now send the HTML contents to the user agent */\n\treturn oidc_util_html_send(r, \"OpenID Connect Provider Discovery\",\n\t\t\thtml_head, javascript_method, s, OK);\n}", "project": "mod_auth_openidc", "hash": 64567087043034972001042794379587187944, "size": 150, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381944 }, { "func": "static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {\n\n\toidc_debug(r, \"enter\");\n\n\t/* obtain the URL we're currently accessing, to be stored in the state/session */\n\tchar *current_url = oidc_get_current_url(r);\n\tconst char *method = oidc_original_request_method(r, cfg, FALSE);\n\n\t/* generate CSRF token */\n\tchar *csrf = NULL;\n\tif (oidc_proto_generate_nonce(r, &csrf, 8) == FALSE)\n\t\treturn HTTP_INTERNAL_SERVER_ERROR;\n\n\tchar *path_scopes = oidc_dir_cfg_path_scope(r);\n\tchar *path_auth_request_params = oidc_dir_cfg_path_auth_request_params(r);\n\n\tchar *discover_url = oidc_cfg_dir_discover_url(r);\n\t/* see if there's an external discovery page configured */\n\tif (discover_url != NULL) {\n\n\t\t/* yes, assemble the parameters for external discovery */\n\t\tchar *url = apr_psprintf(r->pool, \"%s%s%s=%s&%s=%s&%s=%s&%s=%s\",\n\t\t\t\tdiscover_url,\n\t\t\t\tstrchr(discover_url, OIDC_CHAR_QUERY) != NULL ?\n\t\t\t\t\t\tOIDC_STR_AMP :\n\t\t\t\t\t\tOIDC_STR_QUERY,\n\t\t\t\t\t\tOIDC_DISC_RT_PARAM, oidc_util_escape_string(r, 
current_url),\n\t\t\t\t\t\tOIDC_DISC_RM_PARAM, method,\n\t\t\t\t\t\tOIDC_DISC_CB_PARAM,\n\t\t\t\t\t\toidc_util_escape_string(r, oidc_get_redirect_uri(r, cfg)),\n\t\t\t\t\t\tOIDC_CSRF_NAME, oidc_util_escape_string(r, csrf));\n\n\t\tif (path_scopes != NULL)\n\t\t\turl = apr_psprintf(r->pool, \"%s&%s=%s\", url, OIDC_DISC_SC_PARAM,\n\t\t\t\t\toidc_util_escape_string(r, path_scopes));\n\t\tif (path_auth_request_params != NULL)\n\t\t\turl = apr_psprintf(r->pool, \"%s&%s=%s\", url, OIDC_DISC_AR_PARAM,\n\t\t\t\t\toidc_util_escape_string(r, path_auth_request_params));\n\n\t\t/* log what we're about to do */\n\t\toidc_debug(r, \"redirecting to external discovery page: %s\", url);\n\n\t\t/* set CSRF cookie */\n\t\toidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,\n\t\t\t\tcfg->cookie_same_site ?\n\t\t\t\t\t\tOIDC_COOKIE_EXT_SAME_SITE_STRICT :\n\t\t\t\t\t\tNULL);\n\n\t\t/* see if we need to preserve POST parameters through Javascript/HTML5 storage */\n\t\tif (oidc_post_preserve_javascript(r, url, NULL, NULL) == TRUE)\n\t\t\treturn OK;\n\n\t\t/* do the actual redirect to an external discovery page */\n\t\toidc_util_hdr_out_location_set(r, url);\n\n\t\treturn HTTP_MOVED_TEMPORARILY;\n\t}\n\n\t/* get a list of all providers configured in the metadata directory */\n\tapr_array_header_t *arr = NULL;\n\tif (oidc_metadata_list(r, cfg, &arr) == FALSE)\n\t\treturn oidc_util_html_send_error(r, cfg->error_template,\n\t\t\t\t\"Configuration Error\",\n\t\t\t\t\"No configured providers found, contact your administrator\",\n\t\t\t\tHTTP_UNAUTHORIZED);\n\n\t/* assemble a where-are-you-from IDP discovery HTML page */\n\tconst char *s = \"\t\t\t

Select your OpenID Connect Identity Provider

\\n\";\n\n\t/* list all configured providers in there */\n\tint i;\n\tfor (i = 0; i < arr->nelts; i++) {\n\n\t\tconst char *issuer = ((const char**) arr->elts)[i];\n\t\t// TODO: html escape (especially & character)\n\n\t\tchar *href = apr_psprintf(r->pool,\n\t\t\t\t\"%s?%s=%s&%s=%s&%s=%s&%s=%s\",\n\t\t\t\toidc_get_redirect_uri(r, cfg), OIDC_DISC_OP_PARAM,\n\t\t\t\toidc_util_escape_string(r, issuer),\n\t\t\t\tOIDC_DISC_RT_PARAM, oidc_util_escape_string(r, current_url),\n\t\t\t\tOIDC_DISC_RM_PARAM, method,\n\t\t\t\tOIDC_CSRF_NAME, csrf);\n\n\t\tif (path_scopes != NULL)\n\t\t\thref = apr_psprintf(r->pool, \"%s&%s=%s\", href,\n\t\t\t\t\tOIDC_DISC_SC_PARAM, oidc_util_escape_string(r, path_scopes));\n\t\tif (path_auth_request_params != NULL)\n\t\t\thref = apr_psprintf(r->pool, \"%s&%s=%s\", href,\n\t\t\t\t\tOIDC_DISC_AR_PARAM,\n\t\t\t\t\toidc_util_escape_string(r, path_auth_request_params));\n\n\t\tchar *display =\n\t\t\t\t(strstr(issuer, \"https://\") == NULL) ?\n\t\t\t\t\t\tapr_pstrdup(r->pool, issuer) :\n\t\t\t\t\t\tapr_pstrdup(r->pool, issuer + strlen(\"https://\"));\n\n\t\t/* strip port number */\n\t\t//char *p = strstr(display, \":\");\n\t\t//if (p != NULL) *p = '\\0';\n\t\t/* point back to the redirect_uri, where the selection is handled, with an IDP selection and return_to URL */\n\t\ts = apr_psprintf(r->pool, \"%s

%s

\\n\", s, href,\n\t\t\t\tdisplay);\n\t}\n\n\t/* add an option to enter an account or issuer name for dynamic OP discovery */\n\ts = apr_psprintf(r->pool, \"%s
\\n\", s,\n\t\t\toidc_get_redirect_uri(r, cfg));\n\ts = apr_psprintf(r->pool,\n\t\t\t\"%s

\\n\", s,\n\t\t\tOIDC_DISC_RT_PARAM, current_url);\n\ts = apr_psprintf(r->pool,\n\t\t\t\"%s

\\n\", s,\n\t\t\tOIDC_DISC_RM_PARAM, method);\n\ts = apr_psprintf(r->pool,\n\t\t\t\"%s

\\n\", s,\n\t\t\tOIDC_CSRF_NAME, csrf);\n\n\tif (path_scopes != NULL)\n\t\ts = apr_psprintf(r->pool,\n\t\t\t\t\"%s

\\n\", s,\n\t\t\t\tOIDC_DISC_SC_PARAM, path_scopes);\n\tif (path_auth_request_params != NULL)\n\t\ts = apr_psprintf(r->pool,\n\t\t\t\t\"%s

\\n\", s,\n\t\t\t\tOIDC_DISC_AR_PARAM, path_auth_request_params);\n\n\ts =\n\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\"%s

Or enter your account name (eg. "mike@seed.gluu.org", or an IDP identifier (eg. "mitreid.org"):

\\n\",\n\t\t\t\t\ts);\n\ts = apr_psprintf(r->pool,\n\t\t\t\"%s

\\n\", s,\n\t\t\tOIDC_DISC_OP_PARAM, \"\");\n\ts = apr_psprintf(r->pool,\n\t\t\t\"%s

\\n\", s);\n\ts = apr_psprintf(r->pool, \"%s
\\n\", s);\n\n\toidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,\n\t\t\tcfg->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_STRICT : NULL);\n\n\tchar *javascript = NULL, *javascript_method = NULL;\n\tchar *html_head =\n\t\t\t\"\";\n\tif (oidc_post_preserve_javascript(r, NULL, &javascript,\n\t\t\t&javascript_method) == TRUE)\n\t\thtml_head = apr_psprintf(r->pool, \"%s%s\", html_head, javascript);\n\n\t/* now send the HTML contents to the user agent */\n\treturn oidc_util_html_send(r, \"OpenID Connect Provider Discovery\",\n\t\t\thtml_head, javascript_method, s, OK);\n}", "project": "mod_auth_openidc", "hash": 222468214005578414596883853749875010344, "size": 152, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447685 }, { "func": "int kvm_clear_guest(struct kvm *kvm, gpa_t gpa, unsigned long len)\n{\n\tgfn_t gfn = gpa >> PAGE_SHIFT;\n\tint seg;\n\tint offset = offset_in_page(gpa);\n\tint ret;\n\n\twhile ((seg = next_segment(len, offset)) != 0) {\n\t\tret = kvm_clear_guest_page(kvm, gfn, offset, seg);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t\toffset = 0;\n\t\tlen -= seg;\n\t\t++gfn;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 336849056307501806586829626234930942391, "size": 17, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", 
"target": 0, "dataset": "other", "idx": 354742 }, { "func": "int kvm_clear_guest(struct kvm *kvm, gpa_t gpa, unsigned long len)\n{\n\tconst void *zero_page = (const void *) __va(page_to_phys(ZERO_PAGE(0)));\n\tgfn_t gfn = gpa >> PAGE_SHIFT;\n\tint seg;\n\tint offset = offset_in_page(gpa);\n\tint ret;\n\n\twhile ((seg = next_segment(len, offset)) != 0) {\n\t\tret = kvm_write_guest_page(kvm, gfn, zero_page, offset, len);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t\toffset = 0;\n\t\tlen -= seg;\n\t\t++gfn;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 85662005199719765041381472245676379961, "size": 18, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404101 }, { "func": "static OPJ_BOOL opj_j2k_setup_decoding_validation(opj_j2k_t *p_j2k,\n opj_event_mgr_t * p_manager)\n{\n /* preconditions*/\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n if (! opj_procedure_list_add_procedure(p_j2k->m_validation_list,\n (opj_procedure)opj_j2k_build_decoder, p_manager)) {\n return OPJ_FALSE;\n }\n if (! 
opj_procedure_list_add_procedure(p_j2k->m_validation_list,\n (opj_procedure)opj_j2k_decoding_validation, p_manager)) {\n return OPJ_FALSE;\n }\n\n /* DEVELOPER CORNER, add your custom validation procedure */\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 148516134742156293182094326980527490226, "size": 19, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357388 }, { "func": "static inline void metadata_access_disable(void)\n{\n\tkasan_enable_current();\n}", "project": "linux", "hash": 286083286865715814595764626884276622900, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280160 }, { "func": "void tty_write_message(struct tty_struct *tty, char *msg)\n{\n\tif (tty) {\n\t\tmutex_lock(&tty->atomic_write_lock);\n\t\ttty_lock(tty);\n\t\tif (tty->ops->write && tty->count > 0)\n\t\t\ttty->ops->write(tty, msg, strlen(msg));\n\t\ttty_unlock(tty);\n\t\ttty_write_unlock(tty);\n\t}\n\treturn;\n}", "project": "linux", "hash": 64189419983342353329479805345268346035, "size": 12, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326062 }, { "func": "int next_signal(struct sigpending *pending, sigset_t *mask)\n{\n\tunsigned long i, *s, *m, x;\n\tint sig = 0;\n\n\ts = pending->signal.sig;\n\tm = mask->sig;\n\n\t/*\n\t * Handle the first word specially: it contains the\n\t * synchronous signals that need to be dequeued first.\n\t */\n\tx = *s &~ *m;\n\tif (x) {\n\t\tif (x & SYNCHRONOUS_MASK)\n\t\t\tx &= SYNCHRONOUS_MASK;\n\t\tsig = ffz(~x) + 1;\n\t\treturn sig;\n\t}\n\n\tswitch (_NSIG_WORDS) {\n\tdefault:\n\t\tfor (i = 1; i < _NSIG_WORDS; ++i) {\n\t\t\tx = *++s &~ *++m;\n\t\t\tif (!x)\n\t\t\t\tcontinue;\n\t\t\tsig = ffz(~x) + i*_NSIG_BPW + 1;\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\n\tcase 2:\n\t\tx = s[1] &~ m[1];\n\t\tif (!x)\n\t\t\tbreak;\n\t\tsig = ffz(~x) + _NSIG_BPW + 1;\n\t\tbreak;\n\n\tcase 1:\n\t\t/* Nothing to do */\n\t\tbreak;\n\t}\n\n\treturn sig;\n}", "project": "linux", "hash": 185751234349438040043785091014676772200, "size": 45, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. 
With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375182 }, { "func": "int mnt_match_options(const char *optstr, const char *pattern)\n{\n\tchar *name, *pat = (char *) pattern;\n\tchar *buf, *patval;\n\tsize_t namesz = 0, patvalsz = 0;\n\tint match = 1;\n\n\tif (!pattern && !optstr)\n\t\treturn 1;\n\tif (!pattern)\n\t\treturn 0;\n\n\tbuf = malloc(strlen(pattern) + 1);\n\tif (!buf)\n\t\treturn 0;\n\n\t/* walk on pattern string\n\t */\n\twhile (match && !mnt_optstr_next_option(&pat, &name, &namesz,\n\t\t\t\t\t\t&patval, &patvalsz)) {\n\t\tchar *val;\n\t\tsize_t sz;\n\t\tint no = 0, rc;\n\n\t\tif (*name == '+')\n\t\t\tname++, namesz--;\n\t\telse if ((no = (startswith(name, \"no\") != NULL)))\n\t\t\tname += 2, namesz -= 2;\n\n\t\txstrncpy(buf, name, namesz + 1);\n\n\t\trc = mnt_optstr_get_option(optstr, buf, &val, &sz);\n\n\t\t/* check also value (if the pattern is \"foo=value\") */\n\t\tif (rc == 0 && patvalsz > 0 &&\n\t\t (patvalsz != sz || strncmp(patval, val, sz) != 0))\n\t\t\trc = 1;\n\n\t\tswitch (rc) {\n\t\tcase 0:\t\t/* found */\n\t\t\tmatch = no == 0 ? 1 : 0;\n\t\t\tbreak;\n\t\tcase 1:\t\t/* not found */\n\t\t\tmatch = no == 1 ? 
1 : 0;\n\t\t\tbreak;\n\t\tdefault:\t/* parse error */\n\t\t\tmatch = 0;\n\t\t\tbreak;\n\t\t}\n\n\t}\n\n\tfree(buf);\n\treturn match;\n}", "project": "util-linux", "hash": 33899877013615015382399564628674520862, "size": 55, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410418 }, { "func": "static OPJ_BOOL opj_tcd_mct_decode(opj_tcd_t *p_tcd, opj_event_mgr_t *p_manager)\n{\n opj_tcd_tile_t * l_tile = p_tcd->tcd_image->tiles;\n opj_tcp_t * l_tcp = p_tcd->tcp;\n opj_tcd_tilecomp_t * l_tile_comp = l_tile->comps;\n OPJ_SIZE_T l_samples;\n OPJ_UINT32 i;\n\n if (l_tcp->mct == 0 || p_tcd->used_component != NULL) {\n return OPJ_TRUE;\n }\n\n if (p_tcd->whole_tile_decoding) {\n opj_tcd_resolution_t* res_comp0 = l_tile->comps[0].resolutions +\n l_tile_comp->minimum_num_resolutions - 1;\n\n /* A bit inefficient: we process more data than needed if */\n /* resno_decoded < l_tile_comp->minimum_num_resolutions-1, */\n /* but we would need to take into account a stride then */\n l_samples = (OPJ_SIZE_T)(res_comp0->x1 - res_comp0->x0) *\n (OPJ_SIZE_T)(res_comp0->y1 - res_comp0->y0);\n if (l_tile->numcomps >= 3) {\n if (l_tile_comp->minimum_num_resolutions !=\n l_tile->comps[1].minimum_num_resolutions ||\n l_tile_comp->minimum_num_resolutions !=\n l_tile->comps[2].minimum_num_resolutions) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Tiles don't all have the same dimension. 
Skip the MCT step.\\n\");\n return OPJ_FALSE;\n }\n }\n if (l_tile->numcomps >= 3) {\n opj_tcd_resolution_t* res_comp1 = l_tile->comps[1].resolutions +\n l_tile_comp->minimum_num_resolutions - 1;\n opj_tcd_resolution_t* res_comp2 = l_tile->comps[2].resolutions +\n l_tile_comp->minimum_num_resolutions - 1;\n /* testcase 1336.pdf.asan.47.376 */\n if (p_tcd->image->comps[0].resno_decoded !=\n p_tcd->image->comps[1].resno_decoded ||\n p_tcd->image->comps[0].resno_decoded !=\n p_tcd->image->comps[2].resno_decoded ||\n (OPJ_SIZE_T)(res_comp1->x1 - res_comp1->x0) *\n (OPJ_SIZE_T)(res_comp1->y1 - res_comp1->y0) != l_samples ||\n (OPJ_SIZE_T)(res_comp2->x1 - res_comp2->x0) *\n (OPJ_SIZE_T)(res_comp2->y1 - res_comp2->y0) != l_samples) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Tiles don't all have the same dimension. Skip the MCT step.\\n\");\n return OPJ_FALSE;\n }\n }\n } else {\n opj_tcd_resolution_t* res_comp0 = l_tile->comps[0].resolutions +\n p_tcd->image->comps[0].resno_decoded;\n\n l_samples = (OPJ_SIZE_T)(res_comp0->win_x1 - res_comp0->win_x0) *\n (OPJ_SIZE_T)(res_comp0->win_y1 - res_comp0->win_y0);\n if (l_tile->numcomps >= 3) {\n opj_tcd_resolution_t* res_comp1 = l_tile->comps[1].resolutions +\n p_tcd->image->comps[1].resno_decoded;\n opj_tcd_resolution_t* res_comp2 = l_tile->comps[2].resolutions +\n p_tcd->image->comps[2].resno_decoded;\n /* testcase 1336.pdf.asan.47.376 */\n if (p_tcd->image->comps[0].resno_decoded !=\n p_tcd->image->comps[1].resno_decoded ||\n p_tcd->image->comps[0].resno_decoded !=\n p_tcd->image->comps[2].resno_decoded ||\n (OPJ_SIZE_T)(res_comp1->win_x1 - res_comp1->win_x0) *\n (OPJ_SIZE_T)(res_comp1->win_y1 - res_comp1->win_y0) != l_samples ||\n (OPJ_SIZE_T)(res_comp2->win_x1 - res_comp2->win_x0) *\n (OPJ_SIZE_T)(res_comp2->win_y1 - res_comp2->win_y0) != l_samples) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Tiles don't all have the same dimension. 
Skip the MCT step.\\n\");\n return OPJ_FALSE;\n }\n }\n }\n\n if (l_tile->numcomps >= 3) {\n if (l_tcp->mct == 2) {\n OPJ_BYTE ** l_data;\n\n if (! l_tcp->m_mct_decoding_matrix) {\n return OPJ_TRUE;\n }\n\n l_data = (OPJ_BYTE **) opj_malloc(l_tile->numcomps * sizeof(OPJ_BYTE*));\n if (! l_data) {\n return OPJ_FALSE;\n }\n\n for (i = 0; i < l_tile->numcomps; ++i) {\n if (p_tcd->whole_tile_decoding) {\n l_data[i] = (OPJ_BYTE*) l_tile_comp->data;\n } else {\n l_data[i] = (OPJ_BYTE*) l_tile_comp->data_win;\n }\n ++l_tile_comp;\n }\n\n if (! opj_mct_decode_custom(/* MCT data */\n (OPJ_BYTE*) l_tcp->m_mct_decoding_matrix,\n /* size of components */\n l_samples,\n /* components */\n l_data,\n /* nb of components (i.e. size of pData) */\n l_tile->numcomps,\n /* tells if the data is signed */\n p_tcd->image->comps->sgnd)) {\n opj_free(l_data);\n return OPJ_FALSE;\n }\n\n opj_free(l_data);\n } else {\n if (l_tcp->tccps->qmfbid == 1) {\n if (p_tcd->whole_tile_decoding) {\n opj_mct_decode(l_tile->comps[0].data,\n l_tile->comps[1].data,\n l_tile->comps[2].data,\n l_samples);\n } else {\n opj_mct_decode(l_tile->comps[0].data_win,\n l_tile->comps[1].data_win,\n l_tile->comps[2].data_win,\n l_samples);\n }\n } else {\n if (p_tcd->whole_tile_decoding) {\n opj_mct_decode_real((OPJ_FLOAT32*)l_tile->comps[0].data,\n (OPJ_FLOAT32*)l_tile->comps[1].data,\n (OPJ_FLOAT32*)l_tile->comps[2].data,\n l_samples);\n } else {\n opj_mct_decode_real((OPJ_FLOAT32*)l_tile->comps[0].data_win,\n (OPJ_FLOAT32*)l_tile->comps[1].data_win,\n (OPJ_FLOAT32*)l_tile->comps[2].data_win,\n l_samples);\n }\n }\n }\n } else {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Number of components (%d) is inconsistent with a MCT. 
Skip the MCT step.\\n\",\n l_tile->numcomps);\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 299269082355992101416204707403954035669, "size": 149, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359191 }, { "func": "CtPtr ProtocolV1::handle_message_footer(char *buffer, int r) {\n ldout(cct, 20) << __func__ << \" r=\" << r << dendl;\n\n if (r < 0) {\n ldout(cct, 1) << __func__ << \" read footer data error \" << dendl;\n return _fault();\n }\n\n ceph_msg_footer footer;\n ceph_msg_footer_old old_footer;\n\n if (connection->has_feature(CEPH_FEATURE_MSG_AUTH)) {\n footer = *((ceph_msg_footer *)buffer);\n } else {\n old_footer = *((ceph_msg_footer_old *)buffer);\n footer.front_crc = old_footer.front_crc;\n footer.middle_crc = old_footer.middle_crc;\n footer.data_crc = old_footer.data_crc;\n footer.sig = 0;\n footer.flags = old_footer.flags;\n }\n\n int aborted = (footer.flags & CEPH_MSG_FOOTER_COMPLETE) == 0;\n ldout(cct, 10) << __func__ << \" aborted = \" << aborted << dendl;\n if (aborted) {\n ldout(cct, 0) << __func__ << \" got \" << front.length() << \" + \"\n << middle.length() << \" + \" << data.length()\n << \" byte message.. ABORTED\" << dendl;\n return _fault();\n }\n\n ldout(cct, 20) << __func__ << \" got \" << front.length() << \" + \"\n << middle.length() << \" + \" << data.length() << \" byte message\"\n << dendl;\n Message *message = decode_message(cct, messenger->crcflags, current_header,\n footer, front, middle, data, connection);\n if (!message) {\n ldout(cct, 1) << __func__ << \" decode message failed \" << dendl;\n return _fault();\n }\n\n //\n // Check the signature if one should be present. A zero return indicates\n // success. 
PLR\n //\n\n if (session_security.get() == NULL) {\n ldout(cct, 10) << __func__ << \" no session security set\" << dendl;\n } else {\n if (session_security->check_message_signature(message)) {\n ldout(cct, 0) << __func__ << \" Signature check failed\" << dendl;\n message->put();\n return _fault();\n }\n }\n message->set_byte_throttler(connection->policy.throttler_bytes);\n message->set_message_throttler(connection->policy.throttler_messages);\n\n // store reservation size in message, so we don't get confused\n // by messages entering the dispatch queue through other paths.\n message->set_dispatch_throttle_size(cur_msg_size);\n\n message->set_recv_stamp(recv_stamp);\n message->set_throttle_stamp(throttle_stamp);\n message->set_recv_complete_stamp(ceph_clock_now());\n\n // check received seq#. if it is old, drop the message.\n // note that incoming messages may skip ahead. this is convenient for the\n // client side queueing because messages can't be renumbered, but the (kernel)\n // client will occasionally pull a message out of the sent queue to send\n // elsewhere. in that case it doesn't matter if we \"got\" it or not.\n uint64_t cur_seq = in_seq;\n if (message->get_seq() <= cur_seq) {\n ldout(cct, 0) << __func__ << \" got old message \" << message->get_seq()\n << \" <= \" << cur_seq << \" \" << message << \" \" << *message\n << \", discarding\" << dendl;\n message->put();\n if (connection->has_feature(CEPH_FEATURE_RECONNECT_SEQ) &&\n cct->_conf->ms_die_on_old_message) {\n ceph_assert(0 == \"old msgs despite reconnect_seq feature\");\n }\n return nullptr;\n }\n if (message->get_seq() > cur_seq + 1) {\n ldout(cct, 0) << __func__ << \" missed message? 
skipped from seq \"\n << cur_seq << \" to \" << message->get_seq() << dendl;\n if (cct->_conf->ms_die_on_skipped_message) {\n ceph_assert(0 == \"skipped incoming seq\");\n }\n }\n\n#if defined(WITH_EVENTTRACE)\n if (message->get_type() == CEPH_MSG_OSD_OP ||\n message->get_type() == CEPH_MSG_OSD_OPREPLY) {\n utime_t ltt_processed_stamp = ceph_clock_now();\n double usecs_elapsed =\n ((double)(ltt_processed_stamp.to_nsec() - recv_stamp.to_nsec())) / 1000;\n ostringstream buf;\n if (message->get_type() == CEPH_MSG_OSD_OP)\n OID_ELAPSED_WITH_MSG(message, usecs_elapsed, \"TIME_TO_DECODE_OSD_OP\",\n false);\n else\n OID_ELAPSED_WITH_MSG(message, usecs_elapsed, \"TIME_TO_DECODE_OSD_OPREPLY\",\n false);\n }\n#endif\n\n // note last received message.\n in_seq = message->get_seq();\n ldout(cct, 5) << \" rx \" << message->get_source() << \" seq \"\n << message->get_seq() << \" \" << message << \" \" << *message\n << dendl;\n\n bool need_dispatch_writer = false;\n if (!connection->policy.lossy) {\n ack_left++;\n need_dispatch_writer = true;\n }\n\n state = OPENED;\n\n ceph::mono_time fast_dispatch_time;\n\n if (connection->is_blackhole()) {\n ldout(cct, 10) << __func__ << \" blackhole \" << *message << dendl;\n message->put();\n goto out;\n }\n\n connection->logger->inc(l_msgr_recv_messages);\n connection->logger->inc(\n l_msgr_recv_bytes,\n cur_msg_size + sizeof(ceph_msg_header) + sizeof(ceph_msg_footer));\n\n messenger->ms_fast_preprocess(message);\n fast_dispatch_time = ceph::mono_clock::now();\n connection->logger->tinc(l_msgr_running_recv_time,\n\t\t\t fast_dispatch_time - connection->recv_start_time);\n if (connection->delay_state) {\n double delay_period = 0;\n if (rand() % 10000 < cct->_conf->ms_inject_delay_probability * 10000.0) {\n delay_period =\n cct->_conf->ms_inject_delay_max * (double)(rand() % 10000) / 10000.0;\n ldout(cct, 1) << \"queue_received will delay after \"\n << (ceph_clock_now() + delay_period) << \" on \" << message\n << \" \" << *message << dendl;\n 
}\n connection->delay_state->queue(delay_period, message);\n } else if (messenger->ms_can_fast_dispatch(message)) {\n connection->lock.unlock();\n connection->dispatch_queue->fast_dispatch(message);\n connection->recv_start_time = ceph::mono_clock::now();\n connection->logger->tinc(l_msgr_running_fast_dispatch_time,\n connection->recv_start_time - fast_dispatch_time);\n connection->lock.lock();\n } else {\n connection->dispatch_queue->enqueue(message, message->get_priority(),\n connection->conn_id);\n }\n\n out:\n // clean up local buffer references\n data_buf.clear();\n front.clear();\n middle.clear();\n data.clear();\n\n if (need_dispatch_writer && connection->is_connected()) {\n connection->center->dispatch_event_external(connection->write_handler);\n }\n\n return CONTINUE(wait_message);\n}", "project": "ceph", "hash": 183352044799684566932184452050258043772, "size": 173, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": "msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f (\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 0, "dataset": "other", "idx": 356881 }, { "func": " void 
save_in_result_field(bool no_conversions) { }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 276565341824912882006675353516937162422, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508934 }, { "func": " void save_in_result_field(bool no_conversions)\n {\n if (check_null_ref())\n result_field->set_null();\n else\n Item_direct_ref::save_in_result_field(no_conversions);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 202104226794426254626451472837788193575, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509134 }, { "func": " void save_in_result_field(bool no_conversions)\n {\n save_val(result_field);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 220377210082982161578337277076445290049, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509375 }, { "func": " void save_in_result_field(bool no_conversions)\n {\n outer_ref->save_org_in_field(result_field, NULL);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 237760213427856587740633212969440010085, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509405 }, { "func": "static int trace_panic_handler(struct notifier_block *this,\n\t\t\t unsigned long event, void *unused)\n{\n\tif (ftrace_dump_on_oops)\n\t\tftrace_dump(ftrace_dump_on_oops);\n\treturn NOTIFY_OK;\n}", "project": "linux", "hash": 107229760400801172809721649674680123950, "size": 7, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445805 }, { "func": "static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_pscan_rep_mode *ev = (void *) skb->data;\n\tstruct inquiry_entry *ie;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\thci_dev_lock(hdev);\n\n\tie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);\n\tif (ie) {\n\t\tie->data.pscan_rep_mode = ev->pscan_rep_mode;\n\t\tie->timestamp = jiffies;\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 224340518158437616015118782599787625512, "size": 17, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. 
A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431986 }, { "func": "static int tracing_release(struct inode *inode, struct file *file)\n{\n\tstruct trace_array *tr = inode->i_private;\n\tstruct seq_file *m = file->private_data;\n\tstruct trace_iterator *iter;\n\tint cpu;\n\n\tif (!(file->f_mode & FMODE_READ)) {\n\t\ttrace_array_put(tr);\n\t\treturn 0;\n\t}\n\n\t/* Writes do not use seq_file */\n\titer = m->private;\n\tmutex_lock(&trace_types_lock);\n\n\tfor_each_tracing_cpu(cpu) {\n\t\tif (iter->buffer_iter[cpu])\n\t\t\tring_buffer_read_finish(iter->buffer_iter[cpu]);\n\t}\n\n\tif (iter->trace && iter->trace->close)\n\t\titer->trace->close(iter);\n\n\tif (!iter->snapshot)\n\t\t/* reenable tracing if it was previously enabled */\n\t\ttracing_start_tr(tr);\n\n\t__trace_array_put(tr);\n\n\tmutex_unlock(&trace_types_lock);\n\n\tmutex_destroy(&iter->mutex);\n\tfree_cpumask_var(iter->started);\n\tkfree(iter->trace);\n\tkfree(iter->buffer_iter);\n\tseq_release_private(inode, file);\n\n\treturn 0;\n}", "project": "linux", "hash": 207701076210710836108385882725534139847, "size": 40, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445666 }, { "func": "static int php_skip_variable(const req::ptr& stream) {\n off_t length = (unsigned int)php_read2(stream);\n\n if (length < 2) {\n return 0;\n }\n length = length - 2;\n stream->seek(length, SEEK_CUR);\n return 1;\n}", "project": "hhvm", "hash": 43554970900338987578850479620069646767, "size": 10, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219382 }, { "func": " Item_datetime(THD *thd): Item_int(thd, 0) { unsigned_flag=0; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 270490725437128250155349863663190746461, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509466 }, { "func": "static void r_core_setenv (RCore *core) {\n\tchar *e = r_sys_getenv (\"PATH\");\n\tchar *h = r_str_home (R2_HOME_BIN);\n\tchar *n = r_str_newf (\"%s%s%s\", h, R_SYS_ENVSEP, e);\n\tr_sys_setenv (\"PATH\", n);\n\tfree (n);\n\tfree (h);\n\tfree (e);\n}", "project": "radare2", "hash": 149600607102652809303766810071868490854, "size": 9, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232128 }, { "func": "static int read_u64(struct archive_read* a, uint64_t* pvalue) {\n\tconst uint8_t* p;\n\tif(!read_ahead(a, 8, &p))\n\t\treturn 0;\n\n\t*pvalue = archive_le64dec(p);\n\treturn ARCHIVE_OK == consume(a, 8) ? 1 : 0;\n}", "project": "libarchive", "hash": 150458993587591236997625889858824756283, "size": 8, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244746 }, { "func": "static inline int synic_get_sint_vector(u64 sint_value)\n{\n\tif (sint_value & HV_SYNIC_SINT_MASKED)\n\t\treturn -1;\n\treturn sint_value & HV_SYNIC_SINT_VECTOR_MASK;\n}", "project": "linux", "hash": 202426489172536446123148600253929031219, "size": 6, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343500 }, { "func": "long kvm_arch_dev_ioctl(struct file *filp,\n\t\t\tunsigned int ioctl, unsigned long arg)\n{\n\tif (ioctl == KVM_S390_ENABLE_SIE)\n\t\treturn s390_enable_sie();\n\treturn -EINVAL;\n}", "project": "linux", "hash": 237290385343765920625443815599211102215, "size": 7, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354507 }, { "func": "static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets,\n\t\t\t u32 prior_snd_una)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tconst struct inet_connection_sock *icsk = inet_csk(sk);\n\tstruct sk_buff *skb;\n\tu32 now = tcp_time_stamp;\n\tint fully_acked = 1;\n\tint flag = 0;\n\tu32 pkts_acked = 0;\n\tu32 reord = tp->packets_out;\n\tu32 prior_sacked = tp->sacked_out;\n\ts32 seq_rtt = -1;\n\ts32 ca_seq_rtt = -1;\n\tktime_t last_ackt = net_invalid_timestamp();\n\n\twhile ((skb = tcp_write_queue_head(sk)) && skb != 
tcp_send_head(sk)) {\n\t\tstruct tcp_skb_cb *scb = TCP_SKB_CB(skb);\n\t\tu32 acked_pcount;\n\t\tu8 sacked = scb->sacked;\n\n\t\t/* Determine how many packets and what bytes were acked, tso and else */\n\t\tif (after(scb->end_seq, tp->snd_una)) {\n\t\t\tif (tcp_skb_pcount(skb) == 1 ||\n\t\t\t !after(tp->snd_una, scb->seq))\n\t\t\t\tbreak;\n\n\t\t\tacked_pcount = tcp_tso_acked(sk, skb);\n\t\t\tif (!acked_pcount)\n\t\t\t\tbreak;\n\n\t\t\tfully_acked = 0;\n\t\t} else {\n\t\t\tacked_pcount = tcp_skb_pcount(skb);\n\t\t}\n\n\t\tif (sacked & TCPCB_RETRANS) {\n\t\t\tif (sacked & TCPCB_SACKED_RETRANS)\n\t\t\t\ttp->retrans_out -= acked_pcount;\n\t\t\tflag |= FLAG_RETRANS_DATA_ACKED;\n\t\t\tca_seq_rtt = -1;\n\t\t\tseq_rtt = -1;\n\t\t\tif ((flag & FLAG_DATA_ACKED) || (acked_pcount > 1))\n\t\t\t\tflag |= FLAG_NONHEAD_RETRANS_ACKED;\n\t\t} else {\n\t\t\tca_seq_rtt = now - scb->when;\n\t\t\tlast_ackt = skb->tstamp;\n\t\t\tif (seq_rtt < 0) {\n\t\t\t\tseq_rtt = ca_seq_rtt;\n\t\t\t}\n\t\t\tif (!(sacked & TCPCB_SACKED_ACKED))\n\t\t\t\treord = min(pkts_acked, reord);\n\t\t}\n\n\t\tif (sacked & TCPCB_SACKED_ACKED)\n\t\t\ttp->sacked_out -= acked_pcount;\n\t\tif (sacked & TCPCB_LOST)\n\t\t\ttp->lost_out -= acked_pcount;\n\n\t\ttp->packets_out -= acked_pcount;\n\t\tpkts_acked += acked_pcount;\n\n\t\t/* Initial outgoing SYN's get put onto the write_queue\n\t\t * just like anything else we transmit. It is not\n\t\t * true data, and if we misinform our callers that\n\t\t * this ACK acks real data, we will erroneously exit\n\t\t * connection startup slow start one packet too\n\t\t * quickly. 
This is severely frowned upon behavior.\n\t\t */\n\t\tif (!(scb->tcp_flags & TCPHDR_SYN)) {\n\t\t\tflag |= FLAG_DATA_ACKED;\n\t\t} else {\n\t\t\tflag |= FLAG_SYN_ACKED;\n\t\t\ttp->retrans_stamp = 0;\n\t\t}\n\n\t\tif (!fully_acked)\n\t\t\tbreak;\n\n\t\ttcp_unlink_write_queue(skb, sk);\n\t\tsk_wmem_free_skb(sk, skb);\n\t\ttp->scoreboard_skb_hint = NULL;\n\t\tif (skb == tp->retransmit_skb_hint)\n\t\t\ttp->retransmit_skb_hint = NULL;\n\t\tif (skb == tp->lost_skb_hint)\n\t\t\ttp->lost_skb_hint = NULL;\n\t}\n\n\tif (likely(between(tp->snd_up, prior_snd_una, tp->snd_una)))\n\t\ttp->snd_up = tp->snd_una;\n\n\tif (skb && (TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_ACKED))\n\t\tflag |= FLAG_SACK_RENEGING;\n\n\tif (flag & FLAG_ACKED) {\n\t\tconst struct tcp_congestion_ops *ca_ops\n\t\t\t= inet_csk(sk)->icsk_ca_ops;\n\n\t\tif (unlikely(icsk->icsk_mtup.probe_size &&\n\t\t\t !after(tp->mtu_probe.probe_seq_end, tp->snd_una))) {\n\t\t\ttcp_mtup_probe_success(sk);\n\t\t}\n\n\t\ttcp_ack_update_rtt(sk, flag, seq_rtt);\n\t\ttcp_rearm_rto(sk);\n\n\t\tif (tcp_is_reno(tp)) {\n\t\t\ttcp_remove_reno_sacks(sk, pkts_acked);\n\t\t} else {\n\t\t\tint delta;\n\n\t\t\t/* Non-retransmitted hole got filled? That's reordering */\n\t\t\tif (reord < prior_fackets)\n\t\t\t\ttcp_update_reordering(sk, tp->fackets_out - reord, 0);\n\n\t\t\tdelta = tcp_is_fack(tp) ? pkts_acked :\n\t\t\t\t\t\t prior_sacked - tp->sacked_out;\n\t\t\ttp->lost_cnt_hint -= min(tp->lost_cnt_hint, delta);\n\t\t}\n\n\t\ttp->fackets_out -= min(pkts_acked, tp->fackets_out);\n\n\t\tif (ca_ops->pkts_acked) {\n\t\t\ts32 rtt_us = -1;\n\n\t\t\t/* Is the ACK triggering packet unambiguous? */\n\t\t\tif (!(flag & FLAG_RETRANS_DATA_ACKED)) {\n\t\t\t\t/* High resolution needed and available? 
*/\n\t\t\t\tif (ca_ops->flags & TCP_CONG_RTT_STAMP &&\n\t\t\t\t !ktime_equal(last_ackt,\n\t\t\t\t\t\t net_invalid_timestamp()))\n\t\t\t\t\trtt_us = ktime_us_delta(ktime_get_real(),\n\t\t\t\t\t\t\t\tlast_ackt);\n\t\t\t\telse if (ca_seq_rtt >= 0)\n\t\t\t\t\trtt_us = jiffies_to_usecs(ca_seq_rtt);\n\t\t\t}\n\n\t\t\tca_ops->pkts_acked(sk, pkts_acked, rtt_us);\n\t\t}\n\t}\n\n#if FASTRETRANS_DEBUG > 0\n\tWARN_ON((int)tp->sacked_out < 0);\n\tWARN_ON((int)tp->lost_out < 0);\n\tWARN_ON((int)tp->retrans_out < 0);\n\tif (!tp->packets_out && tcp_is_sack(tp)) {\n\t\ticsk = inet_csk(sk);\n\t\tif (tp->lost_out) {\n\t\t\tprintk(KERN_DEBUG \"Leak l=%u %d\\n\",\n\t\t\t tp->lost_out, icsk->icsk_ca_state);\n\t\t\ttp->lost_out = 0;\n\t\t}\n\t\tif (tp->sacked_out) {\n\t\t\tprintk(KERN_DEBUG \"Leak s=%u %d\\n\",\n\t\t\t tp->sacked_out, icsk->icsk_ca_state);\n\t\t\ttp->sacked_out = 0;\n\t\t}\n\t\tif (tp->retrans_out) {\n\t\t\tprintk(KERN_DEBUG \"Leak r=%u %d\\n\",\n\t\t\t tp->retrans_out, icsk->icsk_ca_state);\n\t\t\ttp->retrans_out = 0;\n\t\t}\n\t}\n#endif\n\treturn flag;\n}", "project": "net-next", "hash": 194505832772857357432953669281440916118, "size": 166, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409839 }, { "func": "static void nfs4_xdr_enc_getattr(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs4_getattr_arg *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_getfattr(xdr, args->bitmask, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 89088249044053983471846455895666388024, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431042 }, { "func": "CallResult JSObject::internalSetter(\n Handle selfHandle,\n Runtime *runtime,\n SymbolID name,\n NamedPropertyDescriptor /*desc*/,\n Handle<> value,\n PropOpFlags opFlags) {\n if (vmisa(selfHandle.get())) {\n if (name == Predefined::getSymbolID(Predefined::length)) {\n return JSArray::setLength(\n Handle::vmcast(selfHandle), runtime, value, opFlags);\n }\n }\n\n llvm_unreachable(\"unhandled property in Object::internalSetter()\");\n}", "project": "hermes", "hash": 272294434154808077931814575596472534447, "size": 16, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. 
This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230184 }, { "func": "static void load_creator_from_old_format(\n FILE *fp,\n xref_t *xref,\n const char *buf,\n size_t buf_size)\n{\n int i, n_eles, length, is_escaped, obj_id;\n char *c, *ascii, *start, *s, *saved_buf_search, *obj;\n size_t obj_size;\n pdf_creator_t *info;\n\n info = new_creator(&n_eles);\n\n /* Mark the end of buf, so that we do not crawl past it */\n if (buf_size < 1) return;\n const char *buf_end = buf + buf_size - 1;\n\n /* Treat 'end' as either the end of 'buf' or the end of 'obj'. Obj is if\n * the creator element (e.g., ModDate, Producer, etc) is an object and not\n * part of 'buf'.\n */\n const char *end = buf_end;\n\n for (i=0; i= buf_end) {\n FAIL(\"Failed to locate space, likely a corrupt PDF.\");\n }\n\n /* If looking at the start of a pdf token, we have gone too far */\n if (*c == '/')\n continue;\n\n /* If the value is a number and not a '(' then the data is located in\n * an object we need to fetch, and not inline\n */\n obj = saved_buf_search = NULL;\n obj_size = 0;\n end = buf_end; /* Init to be the buffer, this might not be an obj. */\n if (isdigit(*c))\n {\n obj_id = atoi(c);\n saved_buf_search = c;\n s = saved_buf_search;\n\n obj = get_object(fp, obj_id, xref, &obj_size, NULL);\n end = obj + obj_size;\n c = obj;\n\n /* Iterate to '(' */\n while (c && (*c != '(') && (c < end))\n ++c;\n if (c >= end) {\n FAIL(\"Failed to locate a '(' character. 
\"\n \"This might be a corrupt PDF.\\n\");\n }\n\n /* Advance the search to the next token */\n while (s && (*s == '/') && (s < buf_end))\n ++s;\n if (s >= buf_end) {\n FAIL(\"Failed to locate a '/' character. \"\n \"This might be a corrupt PDF.\\n\");\n }\n saved_buf_search = s;\n }\n \n /* Find the end of the value */\n start = c;\n length = is_escaped = 0;\n while (c && ((*c != '\\r') && (*c != '\\n') && (*c != '<')))\n {\n /* Bail out if we see an un-escaped ')' closing character */\n if (!is_escaped && (*c == ')'))\n break;\n else if (*c == '\\\\')\n is_escaped = 1;\n else\n is_escaped = 0;\n ++c;\n ++length;\n if (c > end) {\n FAIL(\"Failed to locate the end of a value. \"\n \"This might be a corrupt PDF.\\n\");\n }\n }\n\n if (length == 0)\n continue;\n\n /* Add 1 to length so it gets the closing ')' when we copy */\n if (length)\n length += 1;\n length = (length > KV_MAX_VALUE_LENGTH) ? KV_MAX_VALUE_LENGTH : length;\n strncpy(info[i].value, start, length);\n info[i].value[KV_MAX_VALUE_LENGTH - 1] = '\\0';\n\n /* Restore where we were searching from */\n if (saved_buf_search)\n {\n /* Release memory from get_object() called earlier */\n free(obj);\n c = saved_buf_search;\n }\n } /* For all creation information tags */\n\n /* Go through the values and convert if encoded */\n for (i = 0; i < n_eles; ++i) {\n const size_t val_str_len = strnlen(info[i].value, KV_MAX_VALUE_LENGTH);\n if ((ascii = decode_text_string(info[i].value, val_str_len))) {\n strncpy(info[i].value, ascii, val_str_len);\n free(ascii);\n }\n }\n\n xref->creator = info;\n xref->n_creator_entries = n_eles;\n}", "project": "pdfresurrect", "hash": 140589812648370314014757434554024844104, "size": 125, "commit_id": "7e35d1806e111fd28610ccc86bb33f54792ac370", "message": "Fix possible infinite loop case when looking for a trailer.\n\nThanks to chibataiki for reporting and isolating this!", "target": 0, "dataset": "other", "idx": 355590 }, { "func": "static int pfkey_error(const struct sadb_msg *orig, 
int err, struct sock *sk)\n{\n\tstruct sk_buff *skb = alloc_skb(sizeof(struct sadb_msg) + 16, GFP_KERNEL);\n\tstruct sadb_msg *hdr;\n\n\tif (!skb)\n\t\treturn -ENOBUFS;\n\n\t/* Woe be to the platform trying to support PFKEY yet\n\t * having normal errnos outside the 1-255 range, inclusive.\n\t */\n\terr = -err;\n\tif (err == ERESTARTSYS ||\n\t err == ERESTARTNOHAND ||\n\t err == ERESTARTNOINTR)\n\t\terr = EINTR;\n\tif (err >= 512)\n\t\terr = EINVAL;\n\tBUG_ON(err <= 0 || err >= 256);\n\n\thdr = skb_put(skb, sizeof(struct sadb_msg));\n\tpfkey_hdr_dup(hdr, orig);\n\thdr->sadb_msg_errno = (uint8_t) err;\n\thdr->sadb_msg_len = (sizeof(struct sadb_msg) /\n\t\t\t sizeof(uint64_t));\n\n\tpfkey_broadcast(skb, GFP_KERNEL, BROADCAST_ONE, sk, sock_net(sk));\n\n\treturn 0;\n}", "project": "linux", "hash": 285437063722099605281796711501391142768, "size": 30, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268059 }, { "func": "Status GraphConstructor::Convert() {\n // Import functions before adding nodes, since imported nodes may refer to\n // functions\n if (library()) {\n // TODO(b/135705010): Add rvalue overloads into the function library, to\n // avoid unnecessarily copying `*library()` here.\n TF_RETURN_IF_ERROR(g_->AddFunctionLibrary(*library()));\n }\n\n std::vector inputs;\n int processed = 0;\n\n std::vector input_already_exists;\n\n // Process the NodeDefs in topological order.\n // (InitFromEdges() sets this up by filling in ready_ with nodes that have no\n // inputs, pending_counts_ with the number of inputs for each node and\n // outputs_ with the outputs of each node).\n while (!ready_.empty()) {\n int o = *ready_.begin();\n ready_.erase(ready_.begin());\n ++processed;\n inputs.clear();\n bool has_data_back_edge = false;\n\n NodeDef node_def = consume_node_def(o);\n\n // input_already_exists[i] is true iff the i-th input of the node we're\n // importing refers to a preexisting node in g_ (i.e. input[i] existed prior\n // to importing node_defs_). 
Conversely, input_already_exists[i] is false\n // iff the input refers to a node in node_defs_.\n input_already_exists.clear();\n input_already_exists.resize(node_def.input_size(), false);\n\n ssize_t string_intern_table_index = -1;\n\n if (opts_.importing) {\n // Intern the original node name, so that we can use a StringPiece of the\n // name to index gdef_nodes_.\n string_intern_table_index = string_intern_table_.size();\n string_intern_table_.push_back(node_def.name());\n\n if (opts_.skip_mapped_nodes) {\n bool is_node_mapped = false;\n TF_RETURN_IF_ERROR(IsNodeFullyMapped(node_def, &is_node_mapped));\n if (is_node_mapped) {\n // Skip this node after updating pending_count_ for outputs\n UpdatePendingCountAndReady(o, IsNextIteration(node_def));\n continue;\n }\n }\n\n if (!opts_.input_map.empty()) {\n // Note that input_already_exists can shrink here\n RemapNodeDefInputs(&node_def, &input_already_exists);\n }\n if (!opts_.control_dependencies.empty()) {\n // Note that input_already_exists can grow here\n AddControlDependencies(&node_def, &input_already_exists);\n }\n if (!opts_.default_device.empty() && node_def.device().empty()) {\n node_def.set_device(opts_.default_device);\n }\n }\n\n DCHECK_EQ(node_def.input_size(), input_already_exists.size());\n TF_RETURN_IF_ERROR(ValidateColocationConstraints(node_def));\n for (int i = 0; i < node_def.input_size(); ++i) {\n TensorId tensor_id = ParseTensorName(node_def.input(i));\n Node* src_node;\n int src_index;\n\n if (!input_already_exists[i]) {\n // Locate input in newly-imported nodes\n auto iter = gdef_nodes_.find(tensor_id.node());\n DCHECK(iter != gdef_nodes_.end()) << tensor_id.node();\n src_node = iter->second.node;\n src_index = tensor_id.index();\n if (src_node == nullptr) has_data_back_edge = true;\n } else {\n // Input refers to preexistng node in graph\n auto iter = existing_nodes_.find(tensor_id.node());\n DCHECK(iter != existing_nodes_.end()) << tensor_id.node();\n src_node = iter->second;\n src_index = 
tensor_id.index();\n }\n\n if (src_node != nullptr && src_index >= src_node->num_outputs()) {\n std::ostringstream out;\n out << \"Node '\" << node_def.name() << \"': Connecting to invalid output \"\n << tensor_id.index() << \" of source node \" << tensor_id.node()\n << \" which has \" << src_node->num_outputs() << \" outputs.\";\n\n if (src_node->type_string() == \"If\" ||\n src_node->type_string() == \"StatelessIf\" ||\n src_node->type_string() == \"While\" ||\n src_node->type_string() == \"StatelessWhile\") {\n out << \" Try using \"\n << \"tf.compat.v1.experimental.output_all_intermediates(True).\";\n }\n return errors::InvalidArgument(out.str());\n }\n\n inputs.emplace_back(string(tensor_id.node()), src_node, src_index);\n }\n\n if (has_data_back_edge && !IsMerge(node_def)) {\n return errors::InvalidArgument(\n \"Node '\", node_def.name(),\n \"' had a back edge, but only Merge nodes can have back edges.\");\n }\n\n Node* node;\n if (opts_.importing) {\n if (!prefix_.empty()) {\n AddPrefixToNodeDef(input_already_exists, &node_def);\n }\n // Note: no need to uniquify names if the prefix already guarantees\n // uniqueness\n if (opts_.uniquify_names && (prefix_.empty() || !opts_.uniquify_prefix)) {\n UniquifyNames(input_already_exists, &node_def);\n }\n }\n\n if (opts_.importing) {\n TF_RETURN_IF_ERROR(ModifyNodeDefForImport(&node_def));\n } else {\n const OpDef* op_def;\n TF_RETURN_IF_ERROR(\n g_->op_registry()->LookUpOpDef(node_def.op(), &op_def));\n if (opts_.add_default_attributes) {\n AddDefaultsToNodeDef(*op_def, &node_def);\n }\n if (opts_.validate_nodes) {\n TF_RETURN_IF_ERROR(ValidateNodeDef(node_def, *op_def));\n }\n }\n\n TF_RETURN_IF_ERROR(MakeNode(std::move(node_def), &node));\n\n if (opts_.importing) {\n // Use interned original node name so StringPiece remains valid.\n DCHECK_GE(string_intern_table_index, 0);\n gdef_nodes_[string_intern_table_[string_intern_table_index]].node = node;\n } else {\n DCHECK_EQ(string_intern_table_index, -1);\n 
gdef_nodes_[node->name()].node = node;\n }\n\n // Remove duplicate control inputs before adding edges to the graph. It\n // will allow us to skip expensive duplicates check in 'AddControlEdge'.\n auto first_control = absl::c_find_if(inputs, &InputInfo::IsControlInput);\n auto first_control_copy = first_control;\n std::sort(first_control, inputs.end(), &InputInfo::CompareName);\n inputs.erase(\n std::unique(first_control_copy, inputs.end(), &InputInfo::IsSameName),\n inputs.end());\n\n // Add edges from inputs to *node to the graph.\n for (size_t i = 0; i < inputs.size(); ++i) {\n if (inputs[i].node == nullptr) {\n // Record this back edge, which will be added after all nodes\n // are created.\n back_edges_.emplace_back(inputs[i].name, inputs[i].index, node, i);\n } else if (inputs[i].index == Graph::kControlSlot) {\n g_->AddControlEdge(inputs[i].node, node, kDoNotCheckDuplicates);\n } else {\n TF_RETURN_IF_ERROR(MakeEdge(inputs[i].node, inputs[i].index, node, i));\n }\n }\n\n TF_RETURN_IF_ERROR(ValidateShape(node));\n\n // Update pending_count_ for outputs.\n UpdatePendingCountAndReady(o, node->IsNextIteration());\n }\n\n if (processed < node_def_count()) {\n LOG(WARNING) << \"IN \" << __func__ << \" \" << (node_def_count() - processed)\n << \" NODES IN A CYCLE\";\n for (int64 i = 0; i < node_def_count(); i++) {\n if (pending_count_[i] != 0) {\n LOG(WARNING) << \"PENDING: \" << SummarizeNodeDef(get_node_def(i))\n << \" WITH PENDING COUNT = \" << pending_count_[i];\n }\n }\n PrintCycles();\n return errors::InvalidArgument(node_def_count() - processed,\n \" nodes in a cycle\");\n }\n\n return Status::OK();\n}", "project": "tensorflow", "hash": 199276818933550488537576661125167273788, "size": 193, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` 
node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268352 }, { "func": "int Ecma262Canonicalize::Convert(uchar c,\n uchar n,\n uchar* result,\n bool* allow_caching_ptr) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupMapping(kEcma262CanonicalizeTable0,\n kEcma262CanonicalizeTable0Size,\n kEcma262CanonicalizeMultiStrings0,\n c,\n n,\n result,\n allow_caching_ptr);\n case 1: return LookupMapping(kEcma262CanonicalizeTable1,\n kEcma262CanonicalizeTable1Size,\n kEcma262CanonicalizeMultiStrings1,\n c,\n n,\n result,\n allow_caching_ptr);\n case 5: return LookupMapping(kEcma262CanonicalizeTable5,\n kEcma262CanonicalizeTable5Size,\n kEcma262CanonicalizeMultiStrings5,\n c,\n n,\n result,\n allow_caching_ptr);\n case 7: return LookupMapping(kEcma262CanonicalizeTable7,\n kEcma262CanonicalizeTable7Size,\n kEcma262CanonicalizeMultiStrings7,\n c,\n n,\n result,\n allow_caching_ptr);\n default: return 0;\n }\n}", "project": "node", "hash": 110250552837939214674525381251151073069, "size": 37, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385611 }, { "func": "int ToLowercase::Convert(uchar c,\n uchar n,\n uchar* result,\n bool* allow_caching_ptr) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupMapping(kToLowercaseTable0,\n kToLowercaseTable0Size,\n 
kToLowercaseMultiStrings0,\n c,\n n,\n result,\n allow_caching_ptr);\n case 1: return LookupMapping(kToLowercaseTable1,\n kToLowercaseTable1Size,\n kToLowercaseMultiStrings1,\n c,\n n,\n result,\n allow_caching_ptr);\n case 5: return LookupMapping(kToLowercaseTable5,\n kToLowercaseTable5Size,\n kToLowercaseMultiStrings5,\n c,\n n,\n result,\n allow_caching_ptr);\n case 7: return LookupMapping(kToLowercaseTable7,\n kToLowercaseTable7Size,\n kToLowercaseMultiStrings7,\n c,\n n,\n result,\n allow_caching_ptr);\n default: return 0;\n }\n}", "project": "node", "hash": 202987229771068876462476744547381056849, "size": 37, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385613 }, { "func": "int Ecma262UnCanonicalize::Convert(uchar c,\n uchar n,\n uchar* result,\n bool* allow_caching_ptr) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupMapping(kEcma262UnCanonicalizeTable0,\n kEcma262UnCanonicalizeTable0Size,\n kEcma262UnCanonicalizeMultiStrings0,\n c,\n n,\n result,\n allow_caching_ptr);\n case 1: return LookupMapping(kEcma262UnCanonicalizeTable1,\n kEcma262UnCanonicalizeTable1Size,\n kEcma262UnCanonicalizeMultiStrings1,\n c,\n n,\n result,\n allow_caching_ptr);\n case 5: return LookupMapping(kEcma262UnCanonicalizeTable5,\n kEcma262UnCanonicalizeTable5Size,\n kEcma262UnCanonicalizeMultiStrings5,\n c,\n n,\n result,\n allow_caching_ptr);\n case 7: return LookupMapping(kEcma262UnCanonicalizeTable7,\n kEcma262UnCanonicalizeTable7Size,\n kEcma262UnCanonicalizeMultiStrings7,\n c,\n n,\n result,\n allow_caching_ptr);\n default: return 0;\n }\n}", "project": "node", "hash": 184240368047978841460044340530007454459, "size": 37, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves 
\n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385618 }, { "func": "int CanonicalizationRange::Convert(uchar c,\n uchar n,\n uchar* result,\n bool* allow_caching_ptr) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupMapping(kCanonicalizationRangeTable0,\n kCanonicalizationRangeTable0Size,\n kCanonicalizationRangeMultiStrings0,\n c,\n n,\n result,\n allow_caching_ptr);\n case 1: return LookupMapping(kCanonicalizationRangeTable1,\n kCanonicalizationRangeTable1Size,\n kCanonicalizationRangeMultiStrings1,\n c,\n n,\n result,\n allow_caching_ptr);\n case 7: return LookupMapping(kCanonicalizationRangeTable7,\n kCanonicalizationRangeTable7Size,\n kCanonicalizationRangeMultiStrings7,\n c,\n n,\n result,\n allow_caching_ptr);\n default: return 0;\n }\n}", "project": "node", "hash": 132812430758228658050623516052203454673, "size": 30, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385626 }, { "func": "int ToUppercase::Convert(uchar c,\n uchar n,\n uchar* result,\n bool* allow_caching_ptr) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupMapping(kToUppercaseTable0,\n kToUppercaseTable0Size,\n kToUppercaseMultiStrings0,\n c,\n n,\n result,\n allow_caching_ptr);\n case 1: return LookupMapping(kToUppercaseTable1,\n kToUppercaseTable1Size,\n kToUppercaseMultiStrings1,\n c,\n n,\n result,\n allow_caching_ptr);\n case 5: return LookupMapping(kToUppercaseTable5,\n kToUppercaseTable5Size,\n kToUppercaseMultiStrings5,\n c,\n n,\n result,\n allow_caching_ptr);\n case 7: return LookupMapping(kToUppercaseTable7,\n kToUppercaseTable7Size,\n kToUppercaseMultiStrings7,\n c,\n n,\n result,\n allow_caching_ptr);\n default: return 0;\n }\n}", "project": "node", "hash": 121616215170603816520932611886771998637, "size": 37, 
"commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385640 }, { "func": "String stringToCaseFirst(const String& str, OpTo tocase, OpIs iscase) {\n if (str.empty() || iscase(str[0])) {\n return str;\n }\n\n String ret(str, CopyString);\n char* first = ret.get()->mutableData();\n\n *first = tocase(*first);\n return ret;\n}", "project": "hhvm", "hash": 100127758125667277693373687461200059656, "size": 11, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219895 }, { "func": "void stop_tty(struct tty_struct *tty)\n{\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&tty->flow_lock, flags);\n\t__stop_tty(tty);\n\tspin_unlock_irqrestore(&tty->flow_lock, flags);\n}", "project": "linux", "hash": 186562401564169354611974052027794990816, "size": 8, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326018 }, { "func": "static int insert_cert(\n\tsc_pkcs15_card_t *p15card,\n\tconst char *path,\n\tunsigned char id,\n\tint writable,\n\tconst char *label\n){\n\tsc_card_t *card=p15card->card;\n\tsc_context_t *ctx=p15card->card->ctx;\n\tstruct sc_pkcs15_cert_info cert_info;\n\tstruct sc_pkcs15_object cert_obj;\n\tunsigned char cert[20];\n\tint r;\n\n\tmemset(&cert_info, 0, sizeof(cert_info));\n\tcert_info.id.len = 1;\n\tcert_info.id.value[0] = id;\n\tcert_info.authority = 0;\n\tsc_format_path(path, &cert_info.path);\n\n\tmemset(&cert_obj, 0, sizeof(cert_obj));\n\tstrlcpy(cert_obj.label, label, sizeof(cert_obj.label));\n\tcert_obj.flags = writable ? 
SC_PKCS15_CO_FLAG_MODIFIABLE : 0;\n\n\tif(sc_select_file(card, &cert_info.path, NULL)!=SC_SUCCESS){\n\t\tsc_log(ctx, \n\t\t\t\"Select(%s) failed\\n\", path);\n\t\treturn 1;\n\t}\n\tif(sc_read_binary(card, 0, cert, sizeof(cert), 0)<0){\n\t\tsc_log(ctx, \n\t\t\t\"ReadBinary(%s) failed\\n\", path);\n\t\treturn 2;\n\t}\n\tif(cert[0]!=0x30 || cert[1]!=0x82){\n\t\tsc_log(ctx, \n\t\t\t\"Invalid Cert: %02X:%02X:...\\n\", cert[0], cert[1]);\n\t\treturn 3;\n\t}\n\n\t/* some certificates are prefixed by an OID */\n\tif(cert[4]==0x06 && cert[5]<10 && cert[6+cert[5]]==0x30 && cert[7+cert[5]]==0x82){\n\t\tcert_info.path.index=6+cert[5];\n\t\tcert_info.path.count=(cert[8+cert[5]]<<8) + cert[9+cert[5]] + 4;\n\t} else {\n\t\tcert_info.path.index=0;\n\t\tcert_info.path.count=(cert[2]<<8) + cert[3] + 4;\n\t}\n\n\tr=sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);\n\tif(r!=SC_SUCCESS){\n\t\tsc_log(ctx, \"sc_pkcs15emu_add_x509_cert(%s) failed\\n\", path);\n\t\treturn 4;\n\t}\n\tsc_log(ctx, \"%s: OK, Index=%d, Count=%d\\n\", path, cert_info.path.index, cert_info.path.count);\n\treturn 0;\n}", "project": "OpenSC", "hash": 130037227492581800390692102614923889708, "size": 57, "commit_id": "5df913b7f57ad89b9832555d24c08d23a534311e", "message": "tcos: Check bounds in insert_pin()\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383", "target": 0, "dataset": "other", "idx": 243959 }, { "func": "static int kvm_arch_vcpu_ioctl_set_one_reg(struct kvm_vcpu *vcpu,\n\t\t\t\t\t struct kvm_one_reg *reg)\n{\n\tint r = -EINVAL;\n\t__u64 val;\n\n\tswitch (reg->id) {\n\tcase KVM_REG_S390_TODPR:\n\t\tr = get_user(vcpu->arch.sie_block->todpr,\n\t\t\t (u32 __user *)reg->addr);\n\t\tbreak;\n\tcase KVM_REG_S390_EPOCHDIFF:\n\t\tr = get_user(vcpu->arch.sie_block->epoch,\n\t\t\t (u64 __user *)reg->addr);\n\t\tbreak;\n\tcase KVM_REG_S390_CPU_TIMER:\n\t\tr = get_user(val, (u64 __user *)reg->addr);\n\t\tif (!r)\n\t\t\tkvm_s390_set_cpu_timer(vcpu, val);\n\t\tbreak;\n\tcase 
KVM_REG_S390_CLOCK_COMP:\n\t\tr = get_user(vcpu->arch.sie_block->ckc,\n\t\t\t (u64 __user *)reg->addr);\n\t\tbreak;\n\tcase KVM_REG_S390_PFTOKEN:\n\t\tr = get_user(vcpu->arch.pfault_token,\n\t\t\t (u64 __user *)reg->addr);\n\t\tif (vcpu->arch.pfault_token == KVM_S390_PFAULT_TOKEN_INVALID)\n\t\t\tkvm_clear_async_pf_completion_queue(vcpu);\n\t\tbreak;\n\tcase KVM_REG_S390_PFCOMPARE:\n\t\tr = get_user(vcpu->arch.pfault_compare,\n\t\t\t (u64 __user *)reg->addr);\n\t\tbreak;\n\tcase KVM_REG_S390_PFSELECT:\n\t\tr = get_user(vcpu->arch.pfault_select,\n\t\t\t (u64 __user *)reg->addr);\n\t\tbreak;\n\tcase KVM_REG_S390_PP:\n\t\tr = get_user(vcpu->arch.sie_block->pp,\n\t\t\t (u64 __user *)reg->addr);\n\t\tbreak;\n\tcase KVM_REG_S390_GBEA:\n\t\tr = get_user(vcpu->arch.sie_block->gbea,\n\t\t\t (u64 __user *)reg->addr);\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\n\treturn r;\n}", "project": "linux", "hash": 298103342985581998094596970289393319004, "size": 52, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354721 }, { "func": "static inline u32 tcp_cwnd_min(const struct sock *sk)\n{\n\tconst struct tcp_congestion_ops *ca_ops = inet_csk(sk)->icsk_ca_ops;\n\n\treturn ca_ops->min_cwnd ? 
ca_ops->min_cwnd(sk) : tcp_sk(sk)->snd_ssthresh;\n}", "project": "net-next", "hash": 150964790900979148097909017657015820060, "size": 6, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409869 }, { "func": "static int tracing_trace_options_open(struct inode *inode, struct file *file)\n{\n\tstruct trace_array *tr = inode->i_private;\n\tint ret;\n\n\tif (tracing_disabled)\n\t\treturn -ENODEV;\n\n\tif (trace_array_get(tr) < 0)\n\t\treturn -ENODEV;\n\n\tret = single_open(file, tracing_trace_options_show, inode->i_private);\n\tif (ret < 0)\n\t\ttrace_array_put(tr);\n\n\treturn ret;\n}", "project": "linux", "hash": 3002899497672409467674432084669969465, "size": 17, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445724 }, { "func": "static void nfs4_set_cached_acl(struct inode *inode, struct nfs4_cached_acl *acl)\n{\n\tstruct nfs_inode *nfsi = NFS_I(inode);\n\n\tspin_lock(&inode->i_lock);\n\tkfree(nfsi->nfs4_acl);\n\tnfsi->nfs4_acl = acl;\n\tspin_unlock(&inode->i_lock);\n}", "project": "linux", "hash": 260618497353495976586373397108863873653, "size": 9, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431313 }, { "func": "static inline void pfkey_hdr_dup(struct sadb_msg *new,\n\t\t\t\t const struct sadb_msg *orig)\n{\n\t*new = *orig;\n}", "project": "linux", "hash": 48119209857676656330597692496254776839, "size": 5, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 
3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268023 }, { "func": "static void lf(struct vc_data *vc)\n{\n \t/* don't scroll if above bottom of scrolling region, or\n\t * if below scrolling region\n\t */\n \tif (vc->vc_y + 1 == vc->vc_bottom)\n\t\tcon_scroll(vc, vc->vc_top, vc->vc_bottom, SM_UP, 1);\n\telse if (vc->vc_y < vc->vc_rows - 1) {\n\t \tvc->vc_y++;\n\t\tvc->vc_pos += vc->vc_size_row;\n\t}\n\tvc->vc_need_wrap = 0;\n\tnotify_write(vc, '\\n');\n}", "project": "linux", "hash": 257905713520674634534230572931786410819, "size": 14, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437088 }, { "func": "static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct inquiry_data data;\n\tstruct inquiry_info *info = (void *) (skb->data + 1);\n\tint num_rsp = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s num_rsp %d\", hdev->name, num_rsp);\n\n\tif (!num_rsp)\n\t\treturn;\n\n\tif (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tfor (; num_rsp; num_rsp--, info++) {\n\t\tu32 flags;\n\n\t\tbacpy(&data.bdaddr, &info->bdaddr);\n\t\tdata.pscan_rep_mode\t= info->pscan_rep_mode;\n\t\tdata.pscan_period_mode\t= info->pscan_period_mode;\n\t\tdata.pscan_mode\t\t= info->pscan_mode;\n\t\tmemcpy(data.dev_class, info->dev_class, 3);\n\t\tdata.clock_offset\t= info->clock_offset;\n\t\tdata.rssi\t\t= HCI_RSSI_INVALID;\n\t\tdata.ssp_mode\t\t= 0x00;\n\n\t\tflags = hci_inquiry_cache_update(hdev, &data, false);\n\n\t\tmgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,\n\t\t\t\t info->dev_class, HCI_RSSI_INVALID,\n\t\t\t\t flags, NULL, 0, NULL, 0);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 338785930670924893642332672615304671375, "size": 37, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432000 }, { "func": "TEST_P(PerRouteIntegrationTest, PerRouteConfigDisabled) {\n // per-route config has disabled flag.\n PerRouteConfig per_route;\n per_route.set_disabled(true);\n // Use a normal filter config that requires jwt_auth.\n setup(ExampleConfig, per_route);\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n // So the request without a JWT token is OK.\n auto response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n });\n\n waitForNextUpstreamRequest();\n upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{\":status\", \"200\"}}, true);\n\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"200\", response->headers().getStatusValue());\n}", "project": "envoy", "hash": 127647983052324183631126423828966612714, "size": 24, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246596 }, { "func": "TEST_P(PerRouteIntegrationTest, PerRouteConfigOK) {\n // A config with a requirement_map\n const std::string filter_conf = R\"(\n providers:\n example_provider:\n issuer: https://example.com\n audiences:\n - example_service\n requirement_map:\n abc:\n provider_name: \"example_provider\"\n)\";\n\n // Per-route config with correct requirement_name\n PerRouteConfig per_route;\n 
per_route.set_requirement_name(\"abc\");\n setup(filter_conf, per_route);\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n // So the request with a JWT token is OK.\n auto response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n {\"Authorization\", \"Bearer \" + std::string(GoodToken)},\n });\n\n waitForNextUpstreamRequest();\n upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{\":status\", \"200\"}}, true);\n\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"200\", response->headers().getStatusValue());\n\n // A request with missing token is rejected.\n auto response1 = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n });\n\n ASSERT_TRUE(response1->waitForEndStream());\n ASSERT_TRUE(response1->complete());\n EXPECT_EQ(\"401\", response1->headers().getStatusValue());\n}", "project": "envoy", "hash": 11325188768667372423469883085812212951, "size": 48, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246599 }, { "func": " void setup(const std::string& filter_config, const PerRouteConfig& per_route) {\n config_helper_.prependFilter(getAuthFilterConfig(filter_config, true));\n\n config_helper_.addConfigModifier(\n [per_route](\n envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager&\n hcm) {\n auto* virtual_host = hcm.mutable_route_config()->mutable_virtual_hosts(0);\n auto& per_route_any =\n (*virtual_host->mutable_routes(0)\n 
->mutable_typed_per_filter_config())[\"envoy.filters.http.jwt_authn\"];\n per_route_any.PackFrom(per_route);\n });\n\n initialize();\n }", "project": "envoy", "hash": 15383401918072483945934155640311541676, "size": 16, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246609 }, { "func": "TEST_P(PerRouteIntegrationTest, PerRouteConfigWrongRequireName) {\n // A config with a requirement_map\n const std::string filter_conf = R\"(\n providers:\n example_provider:\n issuer: https://example.com\n audiences:\n - example_service\n requirement_map:\n abc:\n provider_name: \"example_provider\"\n)\";\n\n // Per-route config has a wrong requirement_name.\n PerRouteConfig per_route;\n per_route.set_requirement_name(\"wrong-requirement-name\");\n setup(filter_conf, per_route);\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n // So the request with a good Jwt token is rejected.\n auto response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n {\"Authorization\", \"Bearer \" + std::string(GoodToken)},\n });\n\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"403\", response->headers().getStatusValue());\n}", "project": "envoy", "hash": 263417079722950323911146572448851780354, "size": 33, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246629 }, { "func": " bool setup(THD *thd, Item *item)\n {\n if (Item_cache_int::setup(thd, item))\n return true;\n set_if_smaller(decimals, 
TIME_SECOND_PART_DIGITS);\n return false;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 122469759490102137847020647008305896309, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509110 }, { "func": " virtual bool setup(THD *thd, Item *item)\n {\n example= item;\n Type_std_attributes::set(item);\n if (item->type() == FIELD_ITEM)\n cached_field= ((Item_field *)item)->field;\n return 0;\n };", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 116891185256053668207624454148171551719, "size": 8, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509440 }, { "func": "static void autocomplete_default(R_NULLABLE RCore *core, RLineCompletion *completion, RLineBuffer *buf) {\n\tRCoreAutocomplete *a = core ? core->autocomplete : NULL;\n\tint i;\n\tif (a) {\n\t\tfor (i = 0; i < a->n_subcmds; i++) {\n\t\t\tif (buf->data[0] == 0 || !strncmp (a->subcmds[i]->cmd, buf->data, a->subcmds[i]->length)) {\n\t\t\t\tr_line_completion_push (completion, a->subcmds[i]->cmd);\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfor (i = 0; i < radare_argc && radare_argv[i]; i++) {\n\t\t\tint length = strlen (radare_argv[i]);\n\t\t\tif (!strncmp (radare_argv[i], buf->data, length)) {\n\t\t\t\tr_line_completion_push (completion, radare_argv[i]);\n\t\t\t}\n\t\t}\n\t}\n}", "project": "radare2", "hash": 97358085966720799681585432468827502477, "size": 18, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232180 }, { "func": "static void nfs4_xdr_enc_secinfo_no_name(struct rpc_rqst *req,\n\t\t\t\t\tstruct xdr_stream *xdr,\n\t\t\t\t\tconst void *data)\n{\n\tconst struct nfs41_secinfo_no_name_args *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putrootfh(xdr, 
&hdr);\n\tencode_secinfo_no_name(xdr, args, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 55374748132631750208418812049305840004, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431038 }, { "func": "bool open_table(THD *thd, TABLE_LIST *table_list, Open_table_context *ot_ctx)\n{\n TABLE *table;\n const char *key;\n uint\tkey_length;\n const char *alias= table_list->alias.str;\n uint flags= ot_ctx->get_flags();\n MDL_ticket *mdl_ticket;\n TABLE_SHARE *share;\n uint gts_flags;\n bool from_share= false;\n#ifdef WITH_PARTITION_STORAGE_ENGINE\n int part_names_error=0;\n#endif\n DBUG_ENTER(\"open_table\");\n\n /*\n The table must not be opened already. 
The table can be pre-opened for\n some statements if it is a temporary table.\n\n open_temporary_table() must be used to open temporary tables.\n */\n DBUG_ASSERT(!table_list->table);\n\n /* an open table operation needs a lot of the stack space */\n if (check_stack_overrun(thd, STACK_MIN_SIZE_FOR_OPEN, (uchar *)&alias))\n DBUG_RETURN(TRUE);\n\n if (!(flags & MYSQL_OPEN_IGNORE_KILLED) && thd->killed)\n {\n thd->send_kill_message();\n DBUG_RETURN(TRUE);\n }\n\n /*\n Check if we're trying to take a write lock in a read only transaction.\n\n Note that we allow write locks on log tables as otherwise logging\n to general/slow log would be disabled in read only transactions.\n */\n if (table_list->mdl_request.is_write_lock_request() &&\n thd->tx_read_only &&\n !(flags & (MYSQL_LOCK_LOG_TABLE | MYSQL_OPEN_HAS_MDL_LOCK)))\n {\n my_error(ER_CANT_EXECUTE_IN_READ_ONLY_TRANSACTION, MYF(0));\n DBUG_RETURN(true);\n }\n\n if (!table_list->db.str)\n {\n my_error(ER_NO_DB_ERROR, MYF(0));\n DBUG_RETURN(true);\n }\n\n key_length= get_table_def_key(table_list, &key);\n\n /*\n If we're in pre-locked or LOCK TABLES mode, let's try to find the\n requested table in the list of pre-opened and locked tables. If the\n table is not there, return an error - we can't open not pre-opened\n tables in pre-locked/LOCK TABLES mode.\n TODO: move this block into a separate function.\n */\n if (thd->locked_tables_mode &&\n ! 
(flags & MYSQL_OPEN_GET_NEW_TABLE))\n {\t\t\t\t\t\t// Using table locks\n TABLE *best_table= 0;\n int best_distance= INT_MIN;\n for (table=thd->open_tables; table ; table=table->next)\n {\n if (table->s->table_cache_key.length == key_length &&\n\t !memcmp(table->s->table_cache_key.str, key, key_length))\n {\n if (!my_strcasecmp(system_charset_info, table->alias.c_ptr(), alias) &&\n table->query_id != thd->query_id && /* skip tables already used */\n (thd->locked_tables_mode == LTM_LOCK_TABLES ||\n table->query_id == 0))\n {\n int distance= ((int) table->reginfo.lock_type -\n (int) table_list->lock_type);\n\n /*\n Find a table that either has the exact lock type requested,\n or has the best suitable lock. In case there is no locked\n table that has an equal or higher lock than requested,\n we us the closest matching lock to be able to produce an error\n message about wrong lock mode on the table. The best_table\n is changed if bd < 0 <= d or bd < d < 0 or 0 <= d < bd.\n\n distance < 0 - No suitable lock found\n distance > 0 - we have lock mode higher then we require\n distance == 0 - we have lock mode exactly which we need\n */\n if ((best_distance < 0 && distance > best_distance) ||\n (distance >= 0 && distance < best_distance))\n {\n best_distance= distance;\n best_table= table;\n if (best_distance == 0)\n {\n /*\n We have found a perfect match and can finish iterating\n through open tables list. 
Check for table use conflict\n between calling statement and SP/trigger is done in\n lock_tables().\n */\n break;\n }\n }\n }\n }\n }\n if (best_table)\n {\n table= best_table;\n table->query_id= thd->query_id;\n table->init(thd, table_list);\n DBUG_PRINT(\"info\",(\"Using locked table\"));\n#ifdef WITH_PARTITION_STORAGE_ENGINE\n part_names_error= set_partitions_as_used(table_list, table);\n#endif\n goto reset;\n }\n\n if (is_locked_view(thd, table_list))\n {\n if (table_list->sequence)\n {\n my_error(ER_NOT_SEQUENCE, MYF(0), table_list->db.str, table_list->alias.str);\n DBUG_RETURN(true);\n }\n DBUG_RETURN(FALSE); // VIEW\n }\n\n /*\n No table in the locked tables list. In case of explicit LOCK TABLES\n this can happen if a user did not include the table into the list.\n In case of pre-locked mode locked tables list is generated automatically,\n so we may only end up here if the table did not exist when\n locked tables list was created.\n */\n if (thd->locked_tables_mode == LTM_PRELOCKED)\n my_error(ER_NO_SUCH_TABLE, MYF(0), table_list->db.str, table_list->alias.str);\n else\n my_error(ER_TABLE_NOT_LOCKED, MYF(0), alias);\n DBUG_RETURN(TRUE);\n }\n\n /*\n Non pre-locked/LOCK TABLES mode, and the table is not temporary.\n This is the normal use case.\n */\n\n if (! (flags & MYSQL_OPEN_HAS_MDL_LOCK))\n {\n if (open_table_get_mdl_lock(thd, ot_ctx, &table_list->mdl_request,\n flags, &mdl_ticket) ||\n mdl_ticket == NULL)\n {\n DEBUG_SYNC(thd, \"before_open_table_wait_refresh\");\n DBUG_RETURN(TRUE);\n }\n DEBUG_SYNC(thd, \"after_open_table_mdl_shared\");\n }\n else\n {\n /*\n Grab reference to the MDL lock ticket that was acquired\n by the caller.\n */\n mdl_ticket= table_list->mdl_request.ticket;\n }\n\n if (table_list->open_strategy == TABLE_LIST::OPEN_IF_EXISTS)\n {\n if (!ha_table_exists(thd, &table_list->db, &table_list->table_name))\n DBUG_RETURN(FALSE);\n }\n else if (table_list->open_strategy == TABLE_LIST::OPEN_STUB)\n DBUG_RETURN(FALSE);\n\n /* Table exists. 
Let us try to open it. */\n\n if (table_list->i_s_requested_object & OPEN_TABLE_ONLY)\n gts_flags= GTS_TABLE;\n else if (table_list->i_s_requested_object & OPEN_VIEW_ONLY)\n gts_flags= GTS_VIEW;\n else\n gts_flags= GTS_TABLE | GTS_VIEW;\n\nretry_share:\n\n share= tdc_acquire_share(thd, table_list, gts_flags, &table);\n\n if (unlikely(!share))\n {\n /*\n Hide \"Table doesn't exist\" errors if the table belongs to a view.\n The check for thd->is_error() is necessary to not push an\n unwanted error in case the error was already silenced.\n @todo Rework the alternative ways to deal with ER_NO_SUCH TABLE.\n */\n if (thd->is_error())\n {\n if (table_list->parent_l)\n {\n thd->clear_error();\n my_error(ER_WRONG_MRG_TABLE, MYF(0));\n }\n else if (table_list->belong_to_view)\n {\n TABLE_LIST *view= table_list->belong_to_view;\n thd->clear_error();\n my_error(ER_VIEW_INVALID, MYF(0),\n view->view_db.str, view->view_name.str);\n }\n }\n DBUG_RETURN(TRUE);\n }\n\n /*\n Check if this TABLE_SHARE-object corresponds to a view. Note, that there is\n no need to check TABLE_SHARE::tdc.flushed as we do for regular tables,\n because view shares are always up to date.\n */\n if (share->is_view)\n {\n /*\n If parent_l of the table_list is non null then a merge table\n has this view as child table, which is not supported.\n */\n if (table_list->parent_l)\n {\n my_error(ER_WRONG_MRG_TABLE, MYF(0));\n goto err_lock;\n }\n if (table_list->sequence)\n {\n my_error(ER_NOT_SEQUENCE, MYF(0), table_list->db.str,\n table_list->alias.str);\n goto err_lock;\n }\n /*\n This table is a view. 
Validate its metadata version: in particular,\n that it was a view when the statement was prepared.\n */\n if (check_and_update_table_version(thd, table_list, share))\n goto err_lock;\n\n /* Open view */\n if (mysql_make_view(thd, share, table_list, false))\n goto err_lock;\n\n /* TODO: Don't free this */\n tdc_release_share(share);\n\n DBUG_ASSERT(table_list->view);\n\n DBUG_RETURN(FALSE);\n }\n\n#ifdef WITH_WSREP\n if (!((flags & MYSQL_OPEN_IGNORE_FLUSH) ||\n (thd->wsrep_applier)))\n#else\n if (!(flags & MYSQL_OPEN_IGNORE_FLUSH))\n#endif\n {\n if (share->tdc->flushed)\n {\n DBUG_PRINT(\"info\", (\"Found old share version: %lld current: %lld\",\n share->tdc->version, tdc_refresh_version()));\n /*\n We already have an MDL lock. But we have encountered an old\n version of table in the table definition cache which is possible\n when someone changes the table version directly in the cache\n without acquiring a metadata lock (e.g. this can happen during\n \"rolling\" FLUSH TABLE(S)).\n Release our reference to share, wait until old version of\n share goes away and then try to get new version of table share.\n */\n if (table)\n tc_release_table(table);\n else\n tdc_release_share(share);\n\n MDL_deadlock_handler mdl_deadlock_handler(ot_ctx);\n bool wait_result;\n\n thd->push_internal_handler(&mdl_deadlock_handler);\n wait_result= tdc_wait_for_old_version(thd, table_list->db.str,\n table_list->table_name.str,\n ot_ctx->get_timeout(),\n mdl_ticket->get_deadlock_weight());\n thd->pop_internal_handler();\n\n if (wait_result)\n DBUG_RETURN(TRUE);\n\n goto retry_share;\n }\n\n if (thd->open_tables && thd->open_tables->s->tdc->flushed)\n {\n /*\n If the version changes while we're opening the tables,\n we have to back off, close all the tables opened-so-far,\n and try to reopen them. 
Note: refresh_version is currently\n changed only during FLUSH TABLES.\n */\n if (table)\n tc_release_table(table);\n else\n tdc_release_share(share);\n (void)ot_ctx->request_backoff_action(Open_table_context::OT_REOPEN_TABLES,\n NULL);\n DBUG_RETURN(TRUE);\n }\n }\n\n if (table)\n {\n DBUG_ASSERT(table->file != NULL);\n MYSQL_REBIND_TABLE(table->file);\n#ifdef WITH_PARTITION_STORAGE_ENGINE\n part_names_error= set_partitions_as_used(table_list, table);\n#endif\n }\n else\n {\n enum open_frm_error error;\n /* make a new table */\n if (!(table=(TABLE*) my_malloc(sizeof(*table),MYF(MY_WME))))\n goto err_lock;\n\n error= open_table_from_share(thd, share, &table_list->alias,\n HA_OPEN_KEYFILE | HA_TRY_READ_ONLY,\n EXTRA_RECORD,\n thd->open_options, table, FALSE,\n IF_PARTITIONING(table_list->partition_names,0));\n\n if (unlikely(error))\n {\n my_free(table);\n\n if (error == OPEN_FRM_DISCOVER)\n (void) ot_ctx->request_backoff_action(Open_table_context::OT_DISCOVER,\n table_list);\n else if (share->crashed)\n {\n if (!(flags & MYSQL_OPEN_IGNORE_REPAIR))\n (void) ot_ctx->request_backoff_action(Open_table_context::OT_REPAIR,\n table_list);\n else\n table_list->crashed= 1; /* Mark that table was crashed */\n }\n goto err_lock;\n }\n if (open_table_entry_fini(thd, share, table))\n {\n closefrm(table);\n my_free(table);\n goto err_lock;\n }\n\n /* Add table to the share's used tables list. */\n tc_add_table(thd, table);\n from_share= true;\n }\n\n if (!(flags & MYSQL_OPEN_HAS_MDL_LOCK) &&\n table->s->table_category < TABLE_CATEGORY_INFORMATION)\n {\n /*\n We are not under LOCK TABLES and going to acquire write-lock/\n modify the base table. 
We need to acquire protection against\n global read lock until end of this statement in order to have\n this statement blocked by active FLUSH TABLES WITH READ LOCK.\n\n We don't need to acquire this protection under LOCK TABLES as\n such protection already acquired at LOCK TABLES time and\n not released until UNLOCK TABLES.\n\n We don't block statements which modify only temporary tables\n as these tables are not preserved by any form of\n backup which uses FLUSH TABLES WITH READ LOCK.\n\n TODO: The fact that we sometimes acquire protection against\n GRL only when we encounter table to be write-locked\n slightly increases probability of deadlock.\n This problem will be solved once Alik pushes his\n temporary table refactoring patch and we can start\n pre-acquiring metadata locks at the beggining of\n open_tables() call.\n */\n enum enum_mdl_type mdl_type= MDL_BACKUP_DML;\n\n if (table->s->table_category != TABLE_CATEGORY_USER)\n mdl_type= MDL_BACKUP_SYS_DML;\n else if (table->s->online_backup)\n mdl_type= MDL_BACKUP_TRANS_DML;\n\n if (table_list->mdl_request.is_write_lock_request() &&\n ! (flags & (MYSQL_OPEN_IGNORE_GLOBAL_READ_LOCK |\n MYSQL_OPEN_FORCE_SHARED_MDL |\n MYSQL_OPEN_FORCE_SHARED_HIGH_PRIO_MDL |\n MYSQL_OPEN_SKIP_SCOPED_MDL_LOCK)) &&\n ! 
ot_ctx->has_protection_against_grl(mdl_type))\n {\n MDL_request protection_request;\n MDL_deadlock_handler mdl_deadlock_handler(ot_ctx);\n\n if (thd->has_read_only_protection())\n {\n MYSQL_UNBIND_TABLE(table->file);\n tc_release_table(table);\n DBUG_RETURN(TRUE);\n }\n\n protection_request.init(MDL_key::BACKUP, \"\", \"\", mdl_type,\n MDL_STATEMENT);\n\n /*\n Install error handler which if possible will convert deadlock error\n into request to back-off and restart process of opening tables.\n */\n thd->push_internal_handler(&mdl_deadlock_handler);\n bool result= thd->mdl_context.acquire_lock(&protection_request,\n ot_ctx->get_timeout());\n thd->pop_internal_handler();\n\n if (result)\n {\n MYSQL_UNBIND_TABLE(table->file);\n tc_release_table(table);\n DBUG_RETURN(TRUE);\n }\n\n ot_ctx->set_has_protection_against_grl(mdl_type);\n }\n }\n\n table->mdl_ticket= mdl_ticket;\n table->reginfo.lock_type=TL_READ;\t\t/* Assume read */\n\n table->init(thd, table_list);\n\n table->next= thd->open_tables;\t\t/* Link into simple list */\n thd->set_open_tables(table);\n\n reset:\n /*\n Check that there is no reference to a condition from an earlier query\n (cf. Bug#58553). 
\n */\n DBUG_ASSERT(table->file->pushed_cond == NULL);\n table_list->updatable= 1; // It is not derived table nor non-updatable VIEW\n table_list->table= table;\n\n if (!from_share && table->vcol_fix_expr(thd))\n DBUG_RETURN(true);\n\n#ifdef WITH_PARTITION_STORAGE_ENGINE\n if (unlikely(table->part_info))\n {\n /* Partitions specified were incorrect.*/\n if (part_names_error)\n {\n table->file->print_error(part_names_error, MYF(0));\n DBUG_RETURN(true);\n }\n }\n else if (table_list->partition_names)\n {\n /* Don't allow PARTITION () clause on a nonpartitioned table */\n my_error(ER_PARTITION_CLAUSE_ON_NONPARTITIONED, MYF(0));\n DBUG_RETURN(true);\n }\n#endif\n if (table_list->sequence && table->s->table_type != TABLE_TYPE_SEQUENCE)\n {\n my_error(ER_NOT_SEQUENCE, MYF(0), table_list->db.str, table_list->alias.str);\n DBUG_RETURN(true);\n }\n\n DBUG_RETURN(FALSE);\n\nerr_lock:\n tdc_release_share(share);\n\n DBUG_PRINT(\"exit\", (\"failed\"));\n DBUG_RETURN(TRUE);\n}", "target": 0, "cwe": [ "CWE-416" ], "project": "server", "commit_id": "0beed9b5e933f0ff79b3bb346524f7a451d14e38", "hash": 14332031484127143652763834135901673120, "size": 493, "message": "MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING\n\nwhen resolving WHERE and ON clauses, do not look in\nSELECT list/aliases.", "dataset": "other", "idx": 514561 }, { "func": "static void i2c_w(struct sd *sd, u8 reg, u8 value)\n{\n\tif (sd->sensor_reg_cache[reg] == value)\n\t\treturn;\n\n\tswitch (sd->bridge) {\n\tcase BRIDGE_OV511:\n\tcase BRIDGE_OV511PLUS:\n\t\tov511_i2c_w(sd, reg, value);\n\t\tbreak;\n\tcase BRIDGE_OV518:\n\tcase BRIDGE_OV518PLUS:\n\tcase BRIDGE_OV519:\n\t\tov518_i2c_w(sd, reg, value);\n\t\tbreak;\n\tcase BRIDGE_OVFX2:\n\t\tovfx2_i2c_w(sd, reg, value);\n\t\tbreak;\n\tcase BRIDGE_W9968CF:\n\t\tw9968cf_i2c_w(sd, reg, value);\n\t\tbreak;\n\t}\n\n\tif (sd->gspca_dev.usb_err >= 0) {\n\t\t/* Up on sensor reset empty the register cache */\n\t\tif (reg == 0x12 && (value & 
0x80))\n\t\t\tmemset(sd->sensor_reg_cache, -1,\n\t\t\t\tsizeof(sd->sensor_reg_cache));\n\t\telse\n\t\t\tsd->sensor_reg_cache[reg] = value;\n\t}\n}", "project": "linux", "hash": 144074390607384371664130669381744892251, "size": 32, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306326 }, { "func": "int kvm_s390_vcpu_stop(struct kvm_vcpu *vcpu)\n{\n\tint i, online_vcpus, r = 0, started_vcpus = 0;\n\tstruct kvm_vcpu *started_vcpu = NULL;\n\n\tif (is_vcpu_stopped(vcpu))\n\t\treturn 0;\n\n\ttrace_kvm_s390_vcpu_start_stop(vcpu->vcpu_id, 0);\n\t/* Only one cpu at a time may enter/leave the STOPPED state. 
*/\n\tspin_lock(&vcpu->kvm->arch.start_stop_lock);\n\tonline_vcpus = atomic_read(&vcpu->kvm->online_vcpus);\n\n\t/* Let's tell the UV that we want to change into the stopped state */\n\tif (kvm_s390_pv_cpu_is_protected(vcpu)) {\n\t\tr = kvm_s390_pv_set_cpu_state(vcpu, PV_CPU_STATE_STP);\n\t\tif (r) {\n\t\t\tspin_unlock(&vcpu->kvm->arch.start_stop_lock);\n\t\t\treturn r;\n\t\t}\n\t}\n\n\t/* SIGP STOP and SIGP STOP AND STORE STATUS has been fully processed */\n\tkvm_s390_clear_stop_irq(vcpu);\n\n\tkvm_s390_set_cpuflags(vcpu, CPUSTAT_STOPPED);\n\t__disable_ibs_on_vcpu(vcpu);\n\n\tfor (i = 0; i < online_vcpus; i++) {\n\t\tif (!is_vcpu_stopped(vcpu->kvm->vcpus[i])) {\n\t\t\tstarted_vcpus++;\n\t\t\tstarted_vcpu = vcpu->kvm->vcpus[i];\n\t\t}\n\t}\n\n\tif (started_vcpus == 1) {\n\t\t/*\n\t\t * As we only have one VCPU left, we want to enable the\n\t\t * IBS facility for that VCPU to speed it up.\n\t\t */\n\t\t__enable_ibs_on_vcpu(started_vcpu);\n\t}\n\n\tspin_unlock(&vcpu->kvm->arch.start_stop_lock);\n\treturn 0;\n}", "project": "linux", "hash": 250567911132339968093082247521372083613, "size": 46, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354431 }, { "func": "void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct hid_usage *usage, __s32 value)\n{\n\tstruct input_dev 
*input;\n\tunsigned *quirks = &hid->quirks;\n\n\tif (!usage->type)\n\t\treturn;\n\n\tif (usage->type == EV_PWR) {\n\t\thidinput_update_battery(hid, value);\n\t\treturn;\n\t}\n\n\tif (!field->hidinput)\n\t\treturn;\n\n\tinput = field->hidinput->input;\n\n\tif (usage->hat_min < usage->hat_max || usage->hat_dir) {\n\t\tint hat_dir = usage->hat_dir;\n\t\tif (!hat_dir)\n\t\t\that_dir = (value - usage->hat_min) * 8 / (usage->hat_max - usage->hat_min + 1) + 1;\n\t\tif (hat_dir < 0 || hat_dir > 8) hat_dir = 0;\n\t\tinput_event(input, usage->type, usage->code , hid_hat_to_axis[hat_dir].x);\n\t\tinput_event(input, usage->type, usage->code + 1, hid_hat_to_axis[hat_dir].y);\n\t\treturn;\n\t}\n\n\tif (usage->hid == (HID_UP_DIGITIZER | 0x003c)) { /* Invert */\n\t\t*quirks = value ? (*quirks | HID_QUIRK_INVERT) : (*quirks & ~HID_QUIRK_INVERT);\n\t\treturn;\n\t}\n\n\tif (usage->hid == (HID_UP_DIGITIZER | 0x0032)) { /* InRange */\n\t\tif (value) {\n\t\t\tinput_event(input, usage->type, (*quirks & HID_QUIRK_INVERT) ? 
BTN_TOOL_RUBBER : usage->code, 1);\n\t\t\treturn;\n\t\t}\n\t\tinput_event(input, usage->type, usage->code, 0);\n\t\tinput_event(input, usage->type, BTN_TOOL_RUBBER, 0);\n\t\treturn;\n\t}\n\n\tif (usage->hid == (HID_UP_DIGITIZER | 0x0030) && (*quirks & HID_QUIRK_NOTOUCH)) { /* Pressure */\n\t\tint a = field->logical_minimum;\n\t\tint b = field->logical_maximum;\n\t\tinput_event(input, EV_KEY, BTN_TOUCH, value > a + ((b - a) >> 3));\n\t}\n\n\tif (usage->hid == (HID_UP_PID | 0x83UL)) { /* Simultaneous Effects Max */\n\t\tdbg_hid(\"Maximum Effects - %d\\n\",value);\n\t\treturn;\n\t}\n\n\tif (usage->hid == (HID_UP_PID | 0x7fUL)) {\n\t\tdbg_hid(\"PID Pool Report\\n\");\n\t\treturn;\n\t}\n\n\tif ((usage->type == EV_KEY) && (usage->code == 0)) /* Key 0 is \"unassigned\", not KEY_UNKNOWN */\n\t\treturn;\n\n\tif ((usage->type == EV_REL) && (usage->code == REL_WHEEL_HI_RES ||\n\t\t\t\t\tusage->code == REL_HWHEEL_HI_RES)) {\n\t\thidinput_handle_scroll(usage, input, value);\n\t\treturn;\n\t}\n\n\tif ((usage->type == EV_ABS) && (field->flags & HID_MAIN_ITEM_RELATIVE) &&\n\t\t\t(usage->code == ABS_VOLUME)) {\n\t\tint count = abs(value);\n\t\tint direction = value > 0 ? 
KEY_VOLUMEUP : KEY_VOLUMEDOWN;\n\t\tint i;\n\n\t\tfor (i = 0; i < count; i++) {\n\t\t\tinput_event(input, EV_KEY, direction, 1);\n\t\t\tinput_sync(input);\n\t\t\tinput_event(input, EV_KEY, direction, 0);\n\t\t\tinput_sync(input);\n\t\t}\n\t\treturn;\n\t}\n\n\t/*\n\t * Ignore out-of-range values as per HID specification,\n\t * section 5.10 and 6.2.25, when NULL state bit is present.\n\t * When it's not, clamp the value to match Microsoft's input\n\t * driver as mentioned in \"Required HID usages for digitizers\":\n\t * https://msdn.microsoft.com/en-us/library/windows/hardware/dn672278(v=vs.85).asp\n\t *\n\t * The logical_minimum < logical_maximum check is done so that we\n\t * don't unintentionally discard values sent by devices which\n\t * don't specify logical min and max.\n\t */\n\tif ((field->flags & HID_MAIN_ITEM_VARIABLE) &&\n\t (field->logical_minimum < field->logical_maximum)) {\n\t\tif (field->flags & HID_MAIN_ITEM_NULL_STATE &&\n\t\t (value < field->logical_minimum ||\n\t\t value > field->logical_maximum)) {\n\t\t\tdbg_hid(\"Ignoring out-of-range value %x\\n\", value);\n\t\t\treturn;\n\t\t}\n\t\tvalue = clamp(value,\n\t\t\t field->logical_minimum,\n\t\t\t field->logical_maximum);\n\t}\n\n\t/*\n\t * Ignore reports for absolute data if the data didn't change. This is\n\t * not only an optimization but also fixes 'dead' key reports. Some\n\t * RollOver implementations for localized keys (like BACKSLASH/PIPE; HID\n\t * 0x31 and 0x32) report multiple keys, even though a localized keyboard\n\t * can only have one of them physically available. The 'dead' keys\n\t * report constant 0. As all map to the same keycode, they'd confuse\n\t * the input layer. 
If we filter the 'dead' keys on the HID level, we\n\t * skip the keycode translation and only forward real events.\n\t */\n\tif (!(field->flags & (HID_MAIN_ITEM_RELATIVE |\n\t HID_MAIN_ITEM_BUFFERED_BYTE)) &&\n\t\t\t (field->flags & HID_MAIN_ITEM_VARIABLE) &&\n\t usage->usage_index < field->maxusage &&\n\t value == field->value[usage->usage_index])\n\t\treturn;\n\n\t/* report the usage code as scancode if the key status has changed */\n\tif (usage->type == EV_KEY &&\n\t (!test_bit(usage->code, input->key)) == value)\n\t\tinput_event(input, EV_MSC, MSC_SCAN, usage->hid);\n\n\tinput_event(input, usage->type, usage->code, value);\n\n\tif ((field->flags & HID_MAIN_ITEM_RELATIVE) &&\n\t usage->type == EV_KEY && value) {\n\t\tinput_sync(input);\n\t\tinput_event(input, usage->type, usage->code, 0);\n\t}\n}", "project": "linux", "hash": 110044816881449299157376075154886884179, "size": 137, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458373 }, { "func": "static bool __io_file_supports_async(struct file *file, int rw)\n{\n\tumode_t mode = file_inode(file)->i_mode;\n\n\tif (S_ISBLK(mode)) {\n\t\tif 
(IS_ENABLED(CONFIG_BLOCK) &&\n\t\t io_bdev_nowait(I_BDEV(file->f_mapping->host)))\n\t\t\treturn true;\n\t\treturn false;\n\t}\n\tif (S_ISCHR(mode) || S_ISSOCK(mode))\n\t\treturn true;\n\tif (S_ISREG(mode)) {\n\t\tif (IS_ENABLED(CONFIG_BLOCK) &&\n\t\t io_bdev_nowait(file->f_inode->i_sb->s_bdev) &&\n\t\t file->f_op != &io_uring_fops)\n\t\t\treturn true;\n\t\treturn false;\n\t}\n\n\t/* any ->read/write should understand O_NONBLOCK */\n\tif (file->f_flags & O_NONBLOCK)\n\t\treturn true;\n\n\tif (!(file->f_mode & FMODE_NOWAIT))\n\t\treturn false;\n\n\tif (rw == READ)\n\t\treturn file->f_op->read_iter != NULL;\n\n\treturn file->f_op->write_iter != NULL;\n}", "project": "linux", "hash": 289629584920959598862988204711215833950, "size": 32, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338668 }, { "func": "bool test_r_str_tokenize(void) {\n\t//XXX r_str_word0 doesn't work on \"hello world\" to\n\t// tokenize into [\"hello\", \"world\"]\n\tchar* hi = strdup (\"hello world\");\n\tint r = r_str_word_set0 (hi);\n\tmu_assert_eq (r, 2, \"tokenize hello world\");\n\tconst char* hello = r_str_word_get0 (hi, 0);\n\tconst char* world = r_str_word_get0 (hi, 1);\n\tmu_assert_streq (hello, \"hello\", \"first string in 
split\");\n\tmu_assert_streq (world, \"world\", \"second string in split\");\n\tfree (hi);\n\tmu_end;\n}", "project": "radare2", "hash": 166858119402747884959993984644004558742, "size": 13, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268836 }, { "func": "static int sctp_setsockopt_reset_streams(struct sock *sk,\n\t\t\t\t\t struct sctp_reset_streams *params,\n\t\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_association *asoc;\n\n\tif (optlen < sizeof(*params))\n\t\treturn -EINVAL;\n\t/* srs_number_streams is u16, so optlen can't be bigger than this. 
*/\n\toptlen = min_t(unsigned int, optlen, USHRT_MAX +\n\t\t\t\t\t sizeof(__u16) * sizeof(*params));\n\n\tif (params->srs_number_streams * sizeof(__u16) >\n\t optlen - sizeof(*params))\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, params->srs_assoc_id);\n\tif (!asoc)\n\t\treturn -EINVAL;\n\n\treturn sctp_send_reset_streams(asoc, params);\n}", "project": "linux", "hash": 199401459435357724326940659431089833868, "size": 22, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398215 }, { "func": "static int open_group(char *name, int has_prefix, struct backend **ret,\n\t\t int *postable /* used for LIST ACTIVE only */)\n{\n char mailboxname[MAX_MAILBOX_BUFFER];\n int r = 0;\n struct mboxlist_entry *mbentry = NULL;\n struct backend *backend_next = NULL;\n\n /* close local group */\n if (group_state) \n\tindex_close(&group_state);\n\n if (!has_prefix) {\n\tsnprintf(mailboxname, sizeof(mailboxname), \"%s%s\", newsprefix, name);\n\tname = mailboxname;\n }\n\n if (!r) r = mlookup(name, &mbentry);\n\n if (!r && mbentry->acl) {\n\tint myrights = cyrus_acl_myrights(nntp_authstate, mbentry->acl);\n\n\tif (postable) *postable = myrights & ACL_POST;\n\tif (!postable && /* allow limited 'r' for LIST ACTIVE */\n\t !(myrights & ACL_READ)) {\n\t r = (myrights & ACL_LOOKUP) ?\n\t\tIMAP_PERMISSION_DENIED : IMAP_MAILBOX_NONEXISTENT;\n\t}\n }\n\n if (r) {\n\tmboxlist_entry_free(&mbentry);\n\treturn r;\n }\n\n if (mbentry->server) {\n\t/* remote group */\n\tbackend_next = proxy_findserver(mbentry->server, &nntp_protocol,\n\t\t\t\t\tnntp_userid ? nntp_userid : \"anonymous\",\n\t\t\t\t\t&backend_cached, &backend_current,\n\t\t\t\t\tNULL, nntp_in);\n\tmboxlist_entry_free(&mbentry);\n\tif (!backend_next) return IMAP_SERVER_UNAVAILABLE;\n\n\t*ret = backend_next;\n }\n else {\n\t/* local group */\n\tstruct index_init init;\n\n\tmboxlist_entry_free(&mbentry);\n\tmemset(&init, 0, sizeof(struct index_init));\n\tinit.userid = nntp_userid;\n\tinit.authstate = nntp_authstate;\n\tr = index_open(name, &init, &group_state);\n\tif (r) return r;\n\n\tif (ret) *ret = NULL;\n }\n\n syslog(LOG_DEBUG, \"open: user %s opened %s\",\n\t nntp_userid ? 
nntp_userid : \"anonymous\", name);\n\n return 0;\n}", "project": "cyrus-imapd", "hash": 172448827519332304500565600117968012140, "size": 65, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451910 }, { "func": "static __poll_t ep_send_events_proc(struct eventpoll *ep, struct list_head *head,\n\t\t\t void *priv)\n{\n\tstruct ep_send_events_data *esed = priv;\n\t__poll_t revents;\n\tstruct epitem *epi, *tmp;\n\tstruct epoll_event __user *uevent = esed->events;\n\tstruct wakeup_source *ws;\n\tpoll_table pt;\n\n\tinit_poll_funcptr(&pt, NULL);\n\tesed->res = 0;\n\n\t/*\n\t * We can loop without lock because we are passed a task private list.\n\t * Items cannot vanish during the loop because ep_scan_ready_list() is\n\t * holding \"mtx\" during this call.\n\t */\n\tlockdep_assert_held(&ep->mtx);\n\n\tlist_for_each_entry_safe(epi, tmp, head, rdllink) {\n\t\tif (esed->res >= esed->maxevents)\n\t\t\tbreak;\n\n\t\t/*\n\t\t * Activate ep->ws before deactivating epi->ws to prevent\n\t\t * triggering auto-suspend here (in case we reactive epi->ws\n\t\t * below).\n\t\t *\n\t\t * This could be rearranged to delay the deactivation of epi->ws\n\t\t * instead, but then epi->ws would temporarily be out of sync\n\t\t * with ep_is_linked().\n\t\t */\n\t\tws = ep_wakeup_source(epi);\n\t\tif (ws) {\n\t\t\tif (ws->active)\n\t\t\t\t__pm_stay_awake(ep->ws);\n\t\t\t__pm_relax(ws);\n\t\t}\n\n\t\tlist_del_init(&epi->rdllink);\n\n\t\t/*\n\t\t * If the event mask intersect the caller-requested one,\n\t\t * deliver the event to userspace. 
Again, ep_scan_ready_list()\n\t\t * is holding ep->mtx, so no operations coming from userspace\n\t\t * can change the item.\n\t\t */\n\t\trevents = ep_item_poll(epi, &pt, 1);\n\t\tif (!revents)\n\t\t\tcontinue;\n\n\t\tif (__put_user(revents, &uevent->events) ||\n\t\t __put_user(epi->event.data, &uevent->data)) {\n\t\t\tlist_add(&epi->rdllink, head);\n\t\t\tep_pm_stay_awake(epi);\n\t\t\tif (!esed->res)\n\t\t\t\tesed->res = -EFAULT;\n\t\t\treturn 0;\n\t\t}\n\t\tesed->res++;\n\t\tuevent++;\n\t\tif (epi->event.events & EPOLLONESHOT)\n\t\t\tepi->event.events &= EP_PRIVATE_BITS;\n\t\telse if (!(epi->event.events & EPOLLET)) {\n\t\t\t/*\n\t\t\t * If this file has been added with Level\n\t\t\t * Trigger mode, we need to insert back inside\n\t\t\t * the ready list, so that the next call to\n\t\t\t * epoll_wait() will check again the events\n\t\t\t * availability. At this point, no one can insert\n\t\t\t * into ep->rdllist besides us. The epoll_ctl()\n\t\t\t * callers are locked out by\n\t\t\t * ep_scan_ready_list() holding \"mtx\" and the\n\t\t\t * poll callback will queue them in ep->ovflist.\n\t\t\t */\n\t\t\tlist_add_tail(&epi->rdllink, &ep->rdllist);\n\t\t\tep_pm_stay_awake(epi);\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 191345780156540751524572671800303695154, "size": 83, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336254 }, { "func": "static ssize_t fuse_file_write_iter(struct kiocb *iocb, struct iov_iter *from)\n{\n\tstruct file *file = iocb->ki_filp;\n\tstruct fuse_file *ff = file->private_data;\n\tstruct inode *inode = file_inode(file);\n\n\tif (fuse_is_bad(inode))\n\t\treturn -EIO;\n\n\tif (FUSE_IS_DAX(inode))\n\t\treturn fuse_dax_write_iter(iocb, from);\n\n\tif (!(ff->open_flags & FOPEN_DIRECT_IO))\n\t\treturn fuse_cache_write_iter(iocb, from);\n\telse\n\t\treturn fuse_direct_write_iter(iocb, from);\n}", 
"project": "linux", "hash": 214575392397660153688517692209115029928, "size": 17, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342125 }, { "func": "static int trace_module_notify(struct notifier_block *self,\n\t\t\t unsigned long val, void *data)\n{\n\tstruct module *mod = data;\n\n\tswitch (val) {\n\tcase MODULE_STATE_COMING:\n\t\ttrace_module_add_evals(mod);\n\t\tbreak;\n\tcase MODULE_STATE_GOING:\n\t\ttrace_module_remove_evals(mod);\n\t\tbreak;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 263412469112006242201147577751885467295, "size": 16, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445825 }, { "func": "static inline void clr_dr_intercepts(struct vcpu_svm *svm)\n{\n\tstruct vmcb *vmcb = get_host_vmcb(svm);\n\n\tvmcb->control.intercept_dr = 0;\n\n\trecalc_intercepts(svm);\n}", "project": "linux", "hash": 68632674660841474693844532842522048336, "size": 8, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432531 }, { "func": "static bool _nfs4_is_integrity_protected(struct nfs_client *clp)\n{\n\trpc_authflavor_t flavor = clp->cl_rpcclient->cl_auth->au_flavor;\n\treturn (flavor == RPC_AUTH_GSS_KRB5I) || (flavor == RPC_AUTH_GSS_KRB5P);\n}", "project": "linux", "hash": 287018434656688230898763072894316569259, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430967 }, { "func": " */\nvoid 
bfq_schedule_dispatch(struct bfq_data *bfqd)\n{\n\tif (bfqd->queued != 0) {\n\t\tbfq_log(bfqd, \"schedule dispatch\");\n\t\tblk_mq_run_hw_queues(bfqd->queue, true);\n\t}", "project": "linux", "hash": 109804499312470244740321199460152688542, "size": 7, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] 
__handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] 
exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang 
\nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453361 }, { "func": "static zend_bool php_auto_globals_create_request(zend_string *name)\n{\n\tzval form_variables;\n\tunsigned char _gpc_flags[3] = {0, 0, 0};\n\tchar *p;\n\n\tarray_init(&form_variables);\n\n\tif (PG(request_order) != NULL) {\n\t\tp = PG(request_order);\n\t} else {\n\t\tp = PG(variables_order);\n\t}\n\n\tfor (; p && *p; p++) {\n\t\tswitch (*p) {\n\t\t\tcase 'g':\n\t\t\tcase 'G':\n\t\t\t\tif (!_gpc_flags[0]) {\n\t\t\t\t\tphp_autoglobal_merge(Z_ARRVAL(form_variables), Z_ARRVAL(PG(http_globals)[TRACK_VARS_GET]));\n\t\t\t\t\t_gpc_flags[0] = 1;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase 'p':\n\t\t\tcase 'P':\n\t\t\t\tif (!_gpc_flags[1]) {\n\t\t\t\t\tphp_autoglobal_merge(Z_ARRVAL(form_variables), Z_ARRVAL(PG(http_globals)[TRACK_VARS_POST]));\n\t\t\t\t\t_gpc_flags[1] = 1;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase 'c':\n\t\t\tcase 'C':\n\t\t\t\tif (!_gpc_flags[2]) {\n\t\t\t\t\tphp_autoglobal_merge(Z_ARRVAL(form_variables), Z_ARRVAL(PG(http_globals)[TRACK_VARS_COOKIE]));\n\t\t\t\t\t_gpc_flags[2] = 1;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t}\n\t}\n\n\tzend_hash_update(&EG(symbol_table), name, &form_variables);\n\treturn 0;\n}", "project": "php-src", "hash": 224698421117884240013835643692969039617, "size": 43, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374964 }, { "func": "static struct kmem_cache * __init bootstrap(struct kmem_cache *static_cache)\n{\n\tint node;\n\tstruct kmem_cache *s = kmem_cache_zalloc(kmem_cache, GFP_NOWAIT);\n\tstruct kmem_cache_node *n;\n\n\tmemcpy(s, static_cache, kmem_cache->object_size);\n\n\t/*\n\t * This runs very early, and only the boot processor is supposed to be\n\t * up. 
Even if it weren't true, IRQs are not up so we couldn't fire\n\t * IPIs around.\n\t */\n\t__flush_cpu_slab(s, smp_processor_id());\n\tfor_each_kmem_cache_node(s, node, n) {\n\t\tstruct page *p;\n\n\t\tlist_for_each_entry(p, &n->partial, slab_list)\n\t\t\tp->slab_cache = s;\n\n#ifdef CONFIG_SLUB_DEBUG\n\t\tlist_for_each_entry(p, &n->full, slab_list)\n\t\t\tp->slab_cache = s;\n#endif\n\t}\n\tslab_init_memcg_params(s);\n\tlist_add(&s->list, &slab_caches);\n\tmemcg_link_cache(s, NULL);\n\treturn s;\n}", "project": "linux", "hash": 243424367798695442273824025234433535219, "size": 30, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280060 }, { "func": "static int create_new_entry(struct fuse_mount *fm, struct fuse_args *args,\n\t\t\t struct inode *dir, struct dentry *entry,\n\t\t\t umode_t mode)\n{\n\tstruct fuse_entry_out outarg;\n\tstruct inode *inode;\n\tstruct dentry *d;\n\tint err;\n\tstruct fuse_forget_link *forget;\n\n\tif (fuse_is_bad(dir))\n\t\treturn -EIO;\n\n\tforget = fuse_alloc_forget();\n\tif (!forget)\n\t\treturn -ENOMEM;\n\n\tmemset(&outarg, 0, sizeof(outarg));\n\targs->nodeid = get_node_id(dir);\n\targs->out_numargs = 1;\n\targs->out_args[0].size = sizeof(outarg);\n\targs->out_args[0].value = 
&outarg;\n\terr = fuse_simple_request(fm, args);\n\tif (err)\n\t\tgoto out_put_forget_req;\n\n\terr = -EIO;\n\tif (invalid_nodeid(outarg.nodeid) || fuse_invalid_attr(&outarg.attr))\n\t\tgoto out_put_forget_req;\n\n\tif ((outarg.attr.mode ^ mode) & S_IFMT)\n\t\tgoto out_put_forget_req;\n\n\tinode = fuse_iget(dir->i_sb, outarg.nodeid, outarg.generation,\n\t\t\t &outarg.attr, entry_attr_timeout(&outarg), 0);\n\tif (!inode) {\n\t\tfuse_queue_forget(fm->fc, forget, outarg.nodeid, 1);\n\t\treturn -ENOMEM;\n\t}\n\tkfree(forget);\n\n\td_drop(entry);\n\td = d_splice_alias(inode, entry);\n\tif (IS_ERR(d))\n\t\treturn PTR_ERR(d);\n\n\tif (d) {\n\t\tfuse_change_entry_timeout(d, &outarg);\n\t\tdput(d);\n\t} else {\n\t\tfuse_change_entry_timeout(entry, &outarg);\n\t}\n\tfuse_dir_changed(dir);\n\treturn 0;\n\n out_put_forget_req:\n\tkfree(forget);\n\treturn err;\n}", "project": "linux", "hash": 272701739879093711116846535897952272483, "size": 59, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342127 }, { "func": "static void free_tty_struct(struct tty_struct *tty)\n{\n\ttty_ldisc_deinit(tty);\n\tput_device(tty->dev);\n\tkfree(tty->write_buf);\n\ttty->magic = 0xDEADDEAD;\n\tkfree(tty);\n}", "project": "linux", "hash": 106749945323752300455553156572244529269, "size": 8, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326072 }, { "func": "static int _nfs4_proc_link(struct inode *inode, struct inode *dir, const struct qstr *name)\n{\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\t__u32 bitmask[NFS4_BITMASK_SZ];\n\tstruct nfs4_link_arg arg = {\n\t\t.fh = NFS_FH(inode),\n\t\t.dir_fh = NFS_FH(dir),\n\t\t.name = name,\n\t\t.bitmask = bitmask,\n\t};\n\tstruct nfs4_link_res res = {\n\t\t.server = server,\n\t\t.label = NULL,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_LINK],\n\t\t.rpc_argp = &arg,\n\t\t.rpc_resp = &res,\n\t};\n\tint status = -ENOMEM;\n\n\tres.fattr = nfs_alloc_fattr();\n\tif (res.fattr == NULL)\n\t\tgoto out;\n\n\tres.label = nfs4_label_alloc(server, GFP_KERNEL);\n\tif (IS_ERR(res.label)) {\n\t\tstatus = PTR_ERR(res.label);\n\t\tgoto out;\n\t}\n\n\tnfs4_inode_make_writeable(inode);\n\tnfs4_bitmap_copy_adjust_setattr(bitmask, nfs4_bitmask(server, res.label), inode);\n\n\tstatus = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);\n\tif (!status) {\n\t\tnfs4_update_changeattr(dir, &res.cinfo, res.fattr->time_start,\n\t\t\t\t NFS_INO_INVALID_DATA);\n\t\tstatus = nfs_post_op_update_inode(inode, res.fattr);\n\t\tif 
(!status)\n\t\t\tnfs_setsecurity(inode, res.fattr, res.label);\n\t}\n\n\n\tnfs4_label_free(res.label);\n\nout:\n\tnfs_free_fattr(res.fattr);\n\treturn status;\n}", "project": "linux", "hash": 293933530424619093030910293277413133340, "size": 50, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431340 }, { "func": "int64_t MemFile::writeImpl(const char* /*buffer*/, int64_t /*length*/) {\n raise_fatal_error((std::string(\"cannot write a mem stream: \") +\n getName()).c_str());\n}", "project": "hhvm", "hash": 27063503020824855225399342460797504171, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219689 }, { "func": "static int tcp_match_skb_to_sack(struct sock *sk, struct sk_buff *skb,\n\t\t\t\t u32 start_seq, u32 end_seq)\n{\n\tint in_sack, err;\n\tunsigned int pkt_len;\n\tunsigned int mss;\n\n\tin_sack = !after(start_seq, TCP_SKB_CB(skb)->seq) &&\n\t\t !before(end_seq, TCP_SKB_CB(skb)->end_seq);\n\n\tif (tcp_skb_pcount(skb) > 1 && !in_sack &&\n\t after(TCP_SKB_CB(skb)->end_seq, start_seq)) {\n\t\tmss = tcp_skb_mss(skb);\n\t\tin_sack = !after(start_seq, TCP_SKB_CB(skb)->seq);\n\n\t\tif (!in_sack) {\n\t\t\tpkt_len = start_seq - TCP_SKB_CB(skb)->seq;\n\t\t\tif (pkt_len < mss)\n\t\t\t\tpkt_len = mss;\n\t\t} else {\n\t\t\tpkt_len = end_seq - TCP_SKB_CB(skb)->seq;\n\t\t\tif (pkt_len < mss)\n\t\t\t\treturn -EINVAL;\n\t\t}\n\n\t\t/* Round if necessary so that SACKs cover only full MSSes\n\t\t * and/or the 
remaining small portion (if present)\n\t\t */\n\t\tif (pkt_len > mss) {\n\t\t\tunsigned int new_len = (pkt_len / mss) * mss;\n\t\t\tif (!in_sack && new_len < pkt_len) {\n\t\t\t\tnew_len += mss;\n\t\t\t\tif (new_len > skb->len)\n\t\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tpkt_len = new_len;\n\t\t}\n\t\terr = tcp_fragment(sk, skb, pkt_len, mss);\n\t\tif (err < 0)\n\t\t\treturn err;\n\t}\n\n\treturn in_sack;\n}", "project": "net-next", "hash": 286040697899757486163706564004311663493, "size": 44, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409866 }, { "func": "static int irda_accept(struct socket *sock, struct socket *newsock, int flags)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct irda_sock *new, *self = irda_sk(sk);\n\tstruct sock *newsk;\n\tstruct sk_buff *skb;\n\tint err;\n\n\tIRDA_DEBUG(2, \"%s()\\n\", __func__);\n\n\terr = irda_create(sock_net(sk), newsock, sk->sk_protocol);\n\tif (err)\n\t\treturn err;\n\n\tif (sock->state != SS_UNCONNECTED)\n\t\treturn -EINVAL;\n\n\tif ((sk = sock->sk) == NULL)\n\t\treturn -EINVAL;\n\n\tif ((sk->sk_type != SOCK_STREAM) && (sk->sk_type != SOCK_SEQPACKET) &&\n\t (sk->sk_type != SOCK_DGRAM))\n\t\treturn -EOPNOTSUPP;\n\n\tif (sk->sk_state != TCP_LISTEN)\n\t\treturn -EINVAL;\n\n\t/*\n\t *\tThe read queue this time is holding sockets ready to use\n\t *\thooked into the SABM we saved\n\t */\n\n\t/*\n\t * We can perform the accept only if there is incoming data\n\t * on the listening socket.\n\t * So, we will block the caller until we receive any data.\n\t * If the caller was waiting on select() or poll() before\n\t * calling us, the data is waiting for us ;-)\n\t * Jean II\n\t 
*/\n\twhile (1) {\n\t\tskb = skb_dequeue(&sk->sk_receive_queue);\n\t\tif (skb)\n\t\t\tbreak;\n\n\t\t/* Non blocking operation */\n\t\tif (flags & O_NONBLOCK)\n\t\t\treturn -EWOULDBLOCK;\n\n\t\terr = wait_event_interruptible(*(sk->sk_sleep),\n\t\t\t\t\tskb_peek(&sk->sk_receive_queue));\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\n\tnewsk = newsock->sk;\n\tif (newsk == NULL)\n\t\treturn -EIO;\n\n\tnewsk->sk_state = TCP_ESTABLISHED;\n\n\tnew = irda_sk(newsk);\n\n\t/* Now attach up the new socket */\n\tnew->tsap = irttp_dup(self->tsap, new);\n\tif (!new->tsap) {\n\t\tIRDA_DEBUG(0, \"%s(), dup failed!\\n\", __func__);\n\t\tkfree_skb(skb);\n\t\treturn -1;\n\t}\n\n\tnew->stsap_sel = new->tsap->stsap_sel;\n\tnew->dtsap_sel = new->tsap->dtsap_sel;\n\tnew->saddr = irttp_get_saddr(new->tsap);\n\tnew->daddr = irttp_get_daddr(new->tsap);\n\n\tnew->max_sdu_size_tx = self->max_sdu_size_tx;\n\tnew->max_sdu_size_rx = self->max_sdu_size_rx;\n\tnew->max_data_size = self->max_data_size;\n\tnew->max_header_size = self->max_header_size;\n\n\tmemcpy(&new->qos_tx, &self->qos_tx, sizeof(struct qos_info));\n\n\t/* Clean up the original one to keep it in listen state */\n\tirttp_listen(self->tsap);\n\n\tkfree_skb(skb);\n\tsk->sk_ack_backlog--;\n\n\tnewsock->state = SS_CONNECTED;\n\n\tirda_connect_response(new);\n\n\treturn 0;\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c", "hash": 140166879824155578723405779017631282870, "size": 95, "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "dataset": "other", "idx": 490853 }, { "func": "static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)\n{\n\tstruct nfs_server *server = NFS_SERVER(state->inode);\n\tstruct nfs4_exception exception = {\n\t\t.inode = state->inode,\n\t};\n\tint err;\n\n\terr = nfs4_set_lock_state(state, request);\n\tif (err != 0)\n\t\treturn err;\n\tif (!recover_lost_locks) {\n\t\tset_bit(NFS_LOCK_LOST, &request->fl_u.nfs4_fl.owner->ls_flags);\n\t\treturn 0;\n\t}\n\tdo {\n\t\tif (test_bit(NFS_DELEGATED_STATE, &state->flags) != 0)\n\t\t\treturn 0;\n\t\terr = _nfs4_do_setlk(state, F_SETLK, request, NFS_LOCK_EXPIRED);\n\t\tswitch (err) {\n\t\tdefault:\n\t\t\tgoto out;\n\t\tcase -NFS4ERR_GRACE:\n\t\tcase -NFS4ERR_DELAY:\n\t\t\tnfs4_handle_exception(server, err, &exception);\n\t\t\terr = 0;\n\t\t}\n\t} while (exception.retry);\nout:\n\treturn err;\n}", "project": "linux", "hash": 61792718385826314076417892443499805977, "size": 31, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431125 }, { "func": "static int kvm_mmu_notifier_invalidate_range_start(struct mmu_notifier *mn,\n\t\t\t\t\tconst struct mmu_notifier_range *range)\n{\n\tstruct kvm *kvm = mmu_notifier_to_kvm(mn);\n\tint need_tlb_flush = 0, idx;\n\tint ret;\n\n\tidx = srcu_read_lock(&kvm->srcu);\n\tspin_lock(&kvm->mmu_lock);\n\t/*\n\t * The count increase must become visible at unlock time as no\n\t * spte can be established without taking the mmu_lock and\n\t * count is also read inside the mmu_lock critical section.\n\t 
*/\n\tkvm->mmu_notifier_count++;\n\tneed_tlb_flush = kvm_unmap_hva_range(kvm, range->start, range->end);\n\tneed_tlb_flush |= kvm->tlbs_dirty;\n\t/* we've to flush the tlb before the pages can be freed */\n\tif (need_tlb_flush)\n\t\tkvm_flush_remote_tlbs(kvm);\n\n\tspin_unlock(&kvm->mmu_lock);\n\n\tret = kvm_arch_mmu_notifier_invalidate_range(kvm, range->start,\n\t\t\t\t\trange->end,\n\t\t\t\t\tmmu_notifier_range_blockable(range));\n\n\tsrcu_read_unlock(&kvm->srcu, idx);\n\n\treturn ret;\n}", "project": "linux", "hash": 102877323950761860215473015993997979900, "size": 31, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354575 }, { "func": "static int kvm_mmu_notifier_invalidate_range_start(struct mmu_notifier *mn,\n\t\t\t\t\tconst struct mmu_notifier_range *range)\n{\n\tstruct kvm *kvm = mmu_notifier_to_kvm(mn);\n\tconst struct kvm_hva_range hva_range = {\n\t\t.start\t\t= range->start,\n\t\t.end\t\t= range->end,\n\t\t.pte\t\t= __pte(0),\n\t\t.handler\t= kvm_unmap_gfn_range,\n\t\t.on_lock\t= kvm_inc_notifier_count,\n\t\t.flush_on_ret\t= true,\n\t\t.may_block\t= mmu_notifier_range_blockable(range),\n\t};\n\n\ttrace_kvm_unmap_hva_range(range->start, range->end);\n\n\t__kvm_handle_hva_range(kvm, &hva_range);\n\n\treturn 0;\n}", "project": "linux", "hash": 87067257004418213931716529328789865891, 
"size": 20, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404045 }, { "func": "static int pipe_handler_send_created_ind(struct sock *sk)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tu8 data[4] = {\n\t\tPN_PIPE_SB_NEGOTIATED_FC, pep_sb_size(2),\n\t\tpn->tx_fc, pn->rx_fc,\n\t};\n\n\treturn pep_indicate(sk, PNS_PIPE_CREATED_IND, 1 /* sub-blocks */,\n\t\t\t\tdata, 4, GFP_ATOMIC);\n}", "project": "linux", "hash": 1552945969609577446320616354301938544, "size": 11, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224801 }, { "func": "static int ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat,\n\t\t\t\t char *page_virt, int *bytes_read)\n{\n\tint rc = 0;\n\tint i;\n\tu32 flags;\n\n\tflags = get_unaligned_be32(page_virt);\n\tfor (i = 0; i < ((sizeof(ecryptfs_flag_map)\n\t\t\t / 
sizeof(struct ecryptfs_flag_map_elem))); i++)\n\t\tif (flags & ecryptfs_flag_map[i].file_flag) {\n\t\t\tcrypt_stat->flags |= ecryptfs_flag_map[i].local_flag;\n\t\t} else\n\t\t\tcrypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag);\n\t/* Version is in top 8 bits of the 32-bit flag vector */\n\tcrypt_stat->file_version = ((flags >> 24) & 0xFF);\n\t(*bytes_read) = 4;\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 151897965923840859178688217131868144432, "size": 19, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. 
Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490164 }, { "func": "static void preinit_thread (lua_State *L, global_State *g) {\n G(L) = g;\n L->stack = NULL;\n L->ci = NULL;\n L->nci = 0;\n L->stacksize = 0;\n L->twups = L; /* thread has no upvalues */\n L->errorJmp = NULL;\n L->hook = NULL;\n L->hookmask = 0;\n L->basehookcount = 0;\n L->allowhook = 1;\n resethookcount(L);\n L->openupval = NULL;\n L->status = LUA_OK;\n L->errfunc = 0;\n L->oldpc = 0;\n}", "project": "lua", "hash": 164646565292939718334678123110123149596, "size": 18, "commit_id": "a2195644d89812e5b157ce7bac35543e06db05e3", "message": "Fixed bug: invalid 'oldpc' when returning to a function\n\nThe field 'L->oldpc' is not always updated when control returns to a\nfunction; an invalid value can seg. fault when computing 'changedline'.\n(One example is an error in a finalizer; control can return to\n'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to\nfix all possible corner cases, it seems safer to be resilient to invalid\nvalues for 'oldpc'. Valid but wrong values at most cause an extra call\nto a line hook.", "target": 0, "dataset": "other", "idx": 462781 }, { "func": "static inline int pfkey_xfrm_policy2sec_ctx_size(const struct xfrm_policy *xp)\n{\n\tstruct xfrm_sec_ctx *xfrm_ctx = xp->security;\n\n\tif (xfrm_ctx) {\n\t\tint len = sizeof(struct sadb_x_sec_ctx);\n\t\tlen += xfrm_ctx->ctx_len;\n\t\treturn PFKEY_ALIGN8(len);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 131141268331122684276329198234855599049, "size": 11, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 
2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268094 }, { "func": "int xdr_reserve_space_vec(struct xdr_stream *xdr, struct kvec *vec, size_t nbytes)\n{\n\tint thislen;\n\tint v = 0;\n\t__be32 *p;\n\n\t/*\n\t * svcrdma requires every READ payload to start somewhere\n\t * in xdr->pages.\n\t */\n\tif (xdr->iov == xdr->buf->head) {\n\t\txdr->iov = NULL;\n\t\txdr->end = xdr->p;\n\t}\n\n\twhile (nbytes) {\n\t\tthislen = xdr->buf->page_len % PAGE_SIZE;\n\t\tthislen = min_t(size_t, nbytes, PAGE_SIZE - thislen);\n\n\t\tp = xdr_reserve_space(xdr, thislen);\n\t\tif (!p)\n\t\t\treturn -EIO;\n\n\t\tvec[v].iov_base = p;\n\t\tvec[v].iov_len = thislen;\n\t\tv++;\n\t\tnbytes -= thislen;\n\t}\n\n\treturn v;\n}", "project": "linux", "hash": 257110566272729032722627592235018584068, "size": 31, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481086 }, { "func": "static void fuse_io_free(struct fuse_io_args *ia)\n{\n\tkfree(ia->ap.pages);\n\tkfree(ia);\n}", "project": "linux", "hash": 249876672562214831945057308792751644628, "size": 5, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342137 }, { "func": "static OPJ_BOOL opj_tcd_dc_level_shift_encode(opj_tcd_t *p_tcd)\n{\n OPJ_UINT32 compno;\n opj_tcd_tilecomp_t * l_tile_comp = 00;\n opj_tccp_t * l_tccp = 00;\n opj_image_comp_t * l_img_comp = 00;\n opj_tcd_tile_t * l_tile;\n OPJ_SIZE_T l_nb_elem, i;\n OPJ_INT32 * l_current_ptr;\n\n l_tile = p_tcd->tcd_image->tiles;\n l_tile_comp = l_tile->comps;\n l_tccp = p_tcd->tcp->tccps;\n l_img_comp = p_tcd->image->comps;\n\n for (compno = 0; compno < l_tile->numcomps; compno++) {\n l_current_ptr = l_tile_comp->data;\n l_nb_elem = (OPJ_SIZE_T)(l_tile_comp->x1 - l_tile_comp->x0) *\n (OPJ_SIZE_T)(l_tile_comp->y1 - l_tile_comp->y0);\n\n if (l_tccp->qmfbid == 1) {\n for (i = 0; i < l_nb_elem; ++i) {\n *l_current_ptr -= l_tccp->m_dc_level_shift ;\n ++l_current_ptr;\n }\n } else {\n for (i = 0; i < l_nb_elem; ++i) {\n *((OPJ_FLOAT32 *) l_current_ptr) = (OPJ_FLOAT32)(*l_current_ptr -\n l_tccp->m_dc_level_shift);\n ++l_current_ptr;\n }\n }\n\n ++l_img_comp;\n ++l_tccp;\n ++l_tile_comp;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 332323967673786686347263908564393296526, "size": 40, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359170 }, { "func": "int ScaleY(rfbScreenInfoPtr from, rfbScreenInfoPtr to, int y)\n{\n if ((from==to) || (from==NULL) || (to==NULL)) return y;\n return ((int)(((double) y / (double)from->height) * (double)to->height ));\n}", "project": "libvncserver", "hash": 128955871089225073447209908327298038157, "size": 5, "commit_id": "a6788d1da719ae006605b78d22f5a9f170b423af", "message": 
"libvncserver: scale: cast to 64 bit before shifting\n\nSince pixel_value is 64 bit the data type of the shift operand should\nbe 64 bit too to prevent integer overflows.", "target": 0, "dataset": "other", "idx": 296795 }, { "func": "static const char *cfgget(RCore *core, const char *k) {\n\treturn r_config_get (core->config, k);\n}", "project": "radare2", "hash": 247812460101615479028658012515937758913, "size": 3, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232112 }, { "func": "int group_send_sig_info(int sig, struct kernel_siginfo *info,\n\t\t\tstruct task_struct *p, enum pid_type type)\n{\n\tint ret;\n\n\trcu_read_lock();\n\tret = check_kill_permission(sig, info, p);\n\trcu_read_unlock();\n\n\tif (!ret && sig)\n\t\tret = do_send_sig_info(sig, info, p, type);\n\n\treturn ret;\n}", "project": "linux", "hash": 64072624073814875542760401138025934919, "size": 14, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375217 }, { "func": "static int key_notify_sa(struct xfrm_state *x, const struct km_event *c)\n{\n\tstruct sk_buff *skb;\n\tstruct sadb_msg *hdr;\n\n\tskb = pfkey_xfrm_state2msg(x);\n\n\tif (IS_ERR(skb))\n\t\treturn PTR_ERR(skb);\n\n\thdr = (struct sadb_msg *) skb->data;\n\thdr->sadb_msg_version = PF_KEY_V2;\n\thdr->sadb_msg_type = event2keytype(c->event);\n\thdr->sadb_msg_satype = pfkey_proto2satype(x->id.proto);\n\thdr->sadb_msg_errno = 0;\n\thdr->sadb_msg_reserved = 0;\n\thdr->sadb_msg_seq = c->seq;\n\thdr->sadb_msg_pid = c->portid;\n\n\tpfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, xs_net(x));\n\n\treturn 0;\n}", "project": "linux", "hash": 88317552066035951915866154548321881392, "size": 23, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function 
pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268029 }, { "func": "static void fuse_release_end(struct fuse_mount *fm, struct fuse_args *args,\n\t\t\t int error)\n{\n\tstruct fuse_release_args *ra = container_of(args, typeof(*ra), args);\n\n\tiput(ra->inode);\n\tkfree(ra);\n}", "project": "linux", "hash": 177514039467147174559033787556256906936, "size": 8, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342086 }, { "func": "static bool download_and_write(SPDBDownloaderOpt *opt, const char *file) {\n\tchar *dir = r_str_newf (\"%s%s%s%s%s\",\n\t\topt->symbol_store_path, R_SYS_DIR,\n\t\topt->dbg_file, R_SYS_DIR,\n\t\topt->guid);\n\tif (!r_sys_mkdirp (dir)) {\n\t\tfree (dir);\n\t\treturn false;\n\t}\n\tchar *url = r_str_newf (\"%s/%s/%s/%s\", opt->symbol_server, opt->dbg_file, opt->guid, file);\n\tint len;\n\tchar *file_buf = r_socket_http_get (url, NULL, &len);\n\tfree (url);\n\tif (!len || R_STR_ISEMPTY (file_buf)) {\n\t\tfree (dir);\n\t\tfree (file_buf);\n\t\treturn false;\n\t}\n\tchar *path = r_str_newf (\"%s%s%s\", dir, R_SYS_DIR, opt->dbg_file);\n\tFILE *f = fopen (path, \"wb\");\n\tif (f) {\n\t\tfwrite (file_buf, sizeof (char), (size_t)len, f);\n\t\tfclose (f);\n\t}\n\tfree (dir);\n\tfree (path);\n\tfree (file_buf);\n\treturn true;\n}", "project": "radare2", "hash": 221582431853521626529186119010810053468, "size": 29, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268907 }, { "func": "void CClient::PutModule(const CString& sModule, const CString& sLine) {\n if (!m_pUser) {\n return;\n }\n\n DEBUG(\"(\" << GetFullName()\n << \") ZNC -> CLI [:\" + m_pUser->GetStatusPrefix() +\n ((sModule.empty()) ? \"status\" : sModule) +\n \"!znc@znc.in PRIVMSG \" << GetNick() << \" :\" << sLine\n << \"]\");\n\n VCString vsLines;\n sLine.Split(\"\\n\", vsLines);\n for (const CString& s : vsLines) {\n Write(\":\" + m_pUser->GetStatusPrefix() +\n ((sModule.empty()) ? 
\"status\" : sModule) +\n \"!znc@znc.in PRIVMSG \" + GetNick() + \" :\" + s + \"\\r\\n\");\n }\n}", "project": "znc", "hash": 238957158817259484474552253337896967615, "size": 19, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231538 }, { "func": "static void __perf_event_interrupt(struct pt_regs *regs)\n{\n\tint i, j;\n\tstruct cpu_hw_events *cpuhw = this_cpu_ptr(&cpu_hw_events);\n\tstruct perf_event *event;\n\tint found, active;\n\n\tif (cpuhw->n_limited)\n\t\tfreeze_limited_counters(cpuhw, mfspr(SPRN_PMC5),\n\t\t\t\t\tmfspr(SPRN_PMC6));\n\n\tperf_read_regs(regs);\n\n\t/* Read all the PMCs since we'll need them a bunch of times */\n\tfor (i = 0; i < ppmu->n_counter; ++i)\n\t\tcpuhw->pmcs[i] = read_pmc(i + 1);\n\n\t/* Try to find what caused the IRQ */\n\tfound = 0;\n\tfor (i = 0; i < ppmu->n_counter; ++i) {\n\t\tif (!pmc_overflow(cpuhw->pmcs[i]))\n\t\t\tcontinue;\n\t\tif (is_limited_pmc(i + 1))\n\t\t\tcontinue; /* these won't generate IRQs */\n\t\t/*\n\t\t * We've found one that's overflowed. For active\n\t\t * counters we need to log this. 
For inactive\n\t\t * counters, we need to reset it anyway\n\t\t */\n\t\tfound = 1;\n\t\tactive = 0;\n\t\tfor (j = 0; j < cpuhw->n_events; ++j) {\n\t\t\tevent = cpuhw->event[j];\n\t\t\tif (event->hw.idx == (i + 1)) {\n\t\t\t\tactive = 1;\n\t\t\t\trecord_and_restart(event, cpuhw->pmcs[i], regs);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (!active)\n\t\t\t/* reset non active counters that have overflowed */\n\t\t\twrite_pmc(i + 1, 0);\n\t}\n\tif (!found && pvr_version_is(PVR_POWER7)) {\n\t\t/* check active counters for special buggy p7 overflow */\n\t\tfor (i = 0; i < cpuhw->n_events; ++i) {\n\t\t\tevent = cpuhw->event[i];\n\t\t\tif (!event->hw.idx || is_limited_pmc(event->hw.idx))\n\t\t\t\tcontinue;\n\t\t\tif (pmc_overflow_power7(cpuhw->pmcs[event->hw.idx - 1])) {\n\t\t\t\t/* event has overflowed in a buggy way*/\n\t\t\t\tfound = 1;\n\t\t\t\trecord_and_restart(event,\n\t\t\t\t\t\t cpuhw->pmcs[event->hw.idx - 1],\n\t\t\t\t\t\t regs);\n\t\t\t}\n\t\t}\n\t}\n\tif (unlikely(!found) && !arch_irq_disabled_regs(regs))\n\t\tprintk_ratelimited(KERN_WARNING \"Can't find PMC that caused IRQ\\n\");\n\n\t/*\n\t * Reset MMCR0 to its normal value. 
This will set PMXE and\n\t * clear FC (freeze counters) and PMAO (perf mon alert occurred)\n\t * and thus allow interrupts to occur again.\n\t * XXX might want to use MSR.PM to keep the events frozen until\n\t * we get back out of this interrupt.\n\t */\n\twrite_mmcr0(cpuhw, cpuhw->mmcr.mmcr0);\n\n\t/* Clear the cpuhw->pmcs */\n\tmemset(&cpuhw->pmcs, 0, sizeof(cpuhw->pmcs));\n\n}", "project": "linux", "hash": 332718363225687934570639653343370756999, "size": 74, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374705 }, { "func": "static int contains_ecryptfs_marker(char *data)\n{\n\tu32 m_1, m_2;\n\n\tm_1 = get_unaligned_be32(data);\n\tm_2 = get_unaligned_be32(data + 4);\n\tif ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2)\n\t\treturn 1;\n\tecryptfs_printk(KERN_DEBUG, \"m_1 = [0x%.8x]; m_2 = [0x%.8x]; \"\n\t\t\t\"MAGIC_ECRYPTFS_MARKER = [0x%.8x]\\n\", m_1, m_2,\n\t\t\tMAGIC_ECRYPTFS_MARKER);\n\tecryptfs_printk(KERN_DEBUG, \"(m_1 ^ MAGIC_ECRYPTFS_MARKER) = \"\n\t\t\t\"[0x%.8x]\\n\", (m_1 ^ MAGIC_ECRYPTFS_MARKER));\n\treturn 0;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 80626994802813428025929770879204272777, "size": 15, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. 
This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490202 }, { "func": "PHPAPI void php_build_argv(char *s, zval *track_vars_array)\n{\n\tzval arr, argc, tmp;\n\tint count = 0;\n\tchar *ss, *space;\n\n\tif (!(SG(request_info).argc || track_vars_array)) {\n\t\treturn;\n\t}\n\n\tarray_init(&arr);\n\n\t/* Prepare argv */\n\tif (SG(request_info).argc) { /* are we in cli sapi? 
*/\n\t\tint i;\n\t\tfor (i = 0; i < SG(request_info).argc; i++) {\n\t\t\tZVAL_STRING(&tmp, SG(request_info).argv[i]);\n\t\t\tif (zend_hash_next_index_insert(Z_ARRVAL(arr), &tmp) == NULL) {\n\t\t\t\tzend_string_free(Z_STR(tmp));\n\t\t\t}\n\t\t}\n\t} else \tif (s && *s) {\n\t\tss = s;\n\t\twhile (ss) {\n\t\t\tspace = strchr(ss, '+');\n\t\t\tif (space) {\n\t\t\t\t*space = '\\0';\n\t\t\t}\n\t\t\t/* auto-type */\n\t\t\tZVAL_STRING(&tmp, ss);\n\t\t\tcount++;\n\t\t\tif (zend_hash_next_index_insert(Z_ARRVAL(arr), &tmp) == NULL) {\n\t\t\t\tzend_string_free(Z_STR(tmp));\n\t\t\t}\n\t\t\tif (space) {\n\t\t\t\t*space = '+';\n\t\t\t\tss = space + 1;\n\t\t\t} else {\n\t\t\t\tss = space;\n\t\t\t}\n\t\t}\n\t}\n\n\t/* prepare argc */\n\tif (SG(request_info).argc) {\n\t\tZVAL_LONG(&argc, SG(request_info).argc);\n\t} else {\n\t\tZVAL_LONG(&argc, count);\n\t}\n\n\tif (SG(request_info).argc) {\n\t\tZ_ADDREF(arr);\n\t\tzend_hash_str_update(&EG(symbol_table), \"argv\", sizeof(\"argv\")-1, &arr);\n\t\tzend_hash_str_add(&EG(symbol_table), \"argc\", sizeof(\"argc\")-1, &argc);\n\t}\n\tif (track_vars_array && Z_TYPE_P(track_vars_array) == IS_ARRAY) {\n\t\tZ_ADDREF(arr);\n\t\tzend_hash_str_update(Z_ARRVAL_P(track_vars_array), \"argv\", sizeof(\"argv\")-1, &arr);\n\t\tzend_hash_str_update(Z_ARRVAL_P(track_vars_array), \"argc\", sizeof(\"argc\")-1, &argc);\n\t}\n\tzval_ptr_dtor_nogc(&arr);\n}", "project": "php-src", "hash": 94307240860713052992873101981713359611, "size": 62, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374967 }, { "func": "static OPJ_BOOL opj_j2k_compare_SQcd_SQcc(opj_j2k_t *p_j2k,\n OPJ_UINT32 p_tile_no, OPJ_UINT32 p_first_comp_no, OPJ_UINT32 p_second_comp_no)\n{\n opj_cp_t *l_cp = NULL;\n opj_tcp_t *l_tcp = NULL;\n opj_tccp_t *l_tccp0 = NULL;\n opj_tccp_t *l_tccp1 = NULL;\n OPJ_UINT32 l_band_no, l_num_bands;\n\n /* preconditions */\n assert(p_j2k != 00);\n\n l_cp = 
&(p_j2k->m_cp);\n l_tcp = &l_cp->tcps[p_tile_no];\n l_tccp0 = &l_tcp->tccps[p_first_comp_no];\n l_tccp1 = &l_tcp->tccps[p_second_comp_no];\n\n if (l_tccp0->qntsty != l_tccp1->qntsty) {\n return OPJ_FALSE;\n }\n if (l_tccp0->numgbits != l_tccp1->numgbits) {\n return OPJ_FALSE;\n }\n if (l_tccp0->qntsty == J2K_CCP_QNTSTY_SIQNT) {\n l_num_bands = 1U;\n } else {\n l_num_bands = l_tccp0->numresolutions * 3U - 2U;\n if (l_num_bands != (l_tccp1->numresolutions * 3U - 2U)) {\n return OPJ_FALSE;\n }\n }\n\n for (l_band_no = 0; l_band_no < l_num_bands; ++l_band_no) {\n if (l_tccp0->stepsizes[l_band_no].expn != l_tccp1->stepsizes[l_band_no].expn) {\n return OPJ_FALSE;\n }\n }\n if (l_tccp0->qntsty != J2K_CCP_QNTSTY_NOQNT) {\n for (l_band_no = 0; l_band_no < l_num_bands; ++l_band_no) {\n if (l_tccp0->stepsizes[l_band_no].mant != l_tccp1->stepsizes[l_band_no].mant) {\n return OPJ_FALSE;\n }\n }\n }\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 50614159199566195880300627785279183506, "size": 46, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357395 }, { "func": "static unsigned nfs4_exclusive_attrset(struct nfs4_opendata *opendata,\n\t\t\t\tstruct iattr *sattr, struct nfs4_label **label)\n{\n\tconst __u32 *bitmask = opendata->o_arg.server->exclcreat_bitmask;\n\t__u32 attrset[3];\n\tunsigned ret;\n\tunsigned i;\n\n\tfor (i = 0; i < ARRAY_SIZE(attrset); i++) {\n\t\tattrset[i] = opendata->o_res.attrset[i];\n\t\tif (opendata->o_arg.createmode == NFS4_CREATE_EXCLUSIVE4_1)\n\t\t\tattrset[i] &= ~bitmask[i];\n\t}\n\n\tret = (opendata->o_arg.createmode == NFS4_CREATE_EXCLUSIVE) ?\n\t\tsattr->ia_valid : 0;\n\n\tif ((attrset[1] & (FATTR4_WORD1_TIME_ACCESS|FATTR4_WORD1_TIME_ACCESS_SET))) {\n\t\tif (sattr->ia_valid & ATTR_ATIME_SET)\n\t\t\tret |= ATTR_ATIME_SET;\n\t\telse\n\t\t\tret |= ATTR_ATIME;\n\t}\n\n\tif ((attrset[1] & 
(FATTR4_WORD1_TIME_MODIFY|FATTR4_WORD1_TIME_MODIFY_SET))) {\n\t\tif (sattr->ia_valid & ATTR_MTIME_SET)\n\t\t\tret |= ATTR_MTIME_SET;\n\t\telse\n\t\t\tret |= ATTR_MTIME;\n\t}\n\n\tif (!(attrset[2] & FATTR4_WORD2_SECURITY_LABEL))\n\t\t*label = NULL;\n\treturn ret;\n}", "project": "linux", "hash": 218798810213554724363171900463561337742, "size": 35, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431178 }, { "func": "\nstatic void io_sqd_update_thread_idle(struct io_sq_data *sqd)\n{\n\tstruct io_ring_ctx *ctx;\n\tunsigned sq_thread_idle = 0;\n\n\tlist_for_each_entry(ctx, &sqd->ctx_list, sqd_list)\n\t\tsq_thread_idle = max(sq_thread_idle, ctx->sq_thread_idle);\n\tsqd->sq_thread_idle = sq_thread_idle;", "project": "linux", "hash": 181991843127295484303304036519791019259, "size": 9, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338704 }, { "func": "static OPJ_BOOL opj_j2k_compare_coc(opj_j2k_t *p_j2k,\n OPJ_UINT32 p_first_comp_no, OPJ_UINT32 p_second_comp_no)\n{\n opj_cp_t *l_cp = NULL;\n opj_tcp_t *l_tcp = NULL;\n\n /* preconditions */\n assert(p_j2k != 00);\n\n l_cp = &(p_j2k->m_cp);\n l_tcp = &l_cp->tcps[p_j2k->m_current_tile_number];\n\n if (l_tcp->tccps[p_first_comp_no].csty != l_tcp->tccps[p_second_comp_no].csty) {\n return OPJ_FALSE;\n }\n\n\n return opj_j2k_compare_SPCod_SPCoc(p_j2k, p_j2k->m_current_tile_number,\n p_first_comp_no, p_second_comp_no);\n}", "project": "openjpeg", "hash": 134284881056796925800415108804795467445, "size": 20, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357321 }, { "func": "void visitSFDFragment( FILE *sfd, SplineFont *sf,\n\t\t visitSFDFragmentFunc ufunc, void* udata )\n{\n int eof;\n char tok[2000];\n while ( 1 ) {\n\tif ( (eof = getname(sfd,tok))!=1 ) {\n\t if ( eof==-1 )\n\t\tbreak;\n\t geteol(sfd,tok);\n\t continue;\n\t}\n\n\tufunc( sfd, tok, sf, udata );\n }\n}", "project": "fontforge", "hash": 255744226061221023750168371512013022295, "size": 16, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() 
function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417865 }, { "func": "void SFD_AssignLookups(SplineFont1 *sf) {\n PST1 *pst, *pst2;\n int isv;\n KernPair1 *kp, *kp2;\n KernClass1 *kc, *kc2;\n FPST1 *fpst;\n ASM1 *sm;\n AnchorClass1 *ac, *ac2;\n int gid, gid2, cnt, i, k, isgpos;\n SplineFont1 *subsf;\n SplineChar *sc, *sc2;\n OTLookup *otl, **all;\n struct lookup_subtable *sub;\n\n /* Fix up some gunk from really old versions of the sfd format */\n SFDCleanupAnchorClasses(&sf->sf);\n if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )\n\tsf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);\n\n /* Fixup for an old bug */\n if ( sf->sf.pfminfo.os2_winascent < sf->sf.ascent/4 && !sf->sf.pfminfo.winascent_add ) {\n\tsf->sf.pfminfo.winascent_add = true;\n\tsf->sf.pfminfo.os2_winascent = 0;\n\tsf->sf.pfminfo.windescent_add = true;\n\tsf->sf.pfminfo.os2_windescent = 0;\n }\n\n /* First handle the PSTs, no complications here */\n k=0;\n do {\n\tsubsf = sf->sf.subfontcnt==0 ? 
sf : (SplineFont1 *) (sf->sf.subfonts[k]);\n\tfor ( gid=0; gidsf.glyphcnt; ++gid ) if ( (sc=subsf->sf.glyphs[gid])!=NULL ) {\n\t for ( pst = (PST1 *) (sc->possub); pst!=NULL; pst = (PST1*) (pst->pst.next) ) {\n\t\tif ( pst->pst.type == pst_lcaret || pst->pst.subtable!=NULL )\n\t continue;\t\t/* Nothing to do, or already done */\n\t\totl = CreateLookup(sf,pst->tag,pst->script_lang_index,pst->flags,pst->pst.type);\n\t\tsub = CreateSubtable(otl,sf);\n\t\t/* There might be another PST with the same flags on this glyph */\n\t\t/* And we must fixup the current pst */\n\t\tfor ( pst2=pst ; pst2!=NULL; pst2 = (PST1 *) (pst2->pst.next) ) {\n\t\t if ( pst2->tag==pst->tag &&\n\t\t\t pst2->script_lang_index==pst->script_lang_index &&\n\t\t\t pst2->flags==pst->flags &&\n\t\t\t pst2->pst.type==pst->pst.type )\n\t\t\tpst2->pst.subtable = sub;\n\t\t}\n\t\tfor ( gid2=gid+1; gid2sf.glyphcnt; ++gid2 ) if ( (sc2=subsf->sf.glyphs[gid2])!=NULL ) {\n\t\t for ( pst2 = (PST1 *) (sc2->possub); pst2!=NULL; pst2 = (PST1 *) (pst2->pst.next) ) {\n\t\t\tif ( pst2->tag==pst->tag &&\n\t\t\t\tpst2->script_lang_index==pst->script_lang_index &&\n\t\t\t\tpst2->flags==pst->flags &&\n\t\t\t\tpst2->pst.type==pst->pst.type )\n\t\t\t pst2->pst.subtable = sub;\n\t\t }\n\t\t}\n\t }\n\t}\n\t++k;\n } while ( ksf.subfontcnt );\n\n\t/* Now kerns. May need to merge kernclasses to kernpair lookups (different subtables, of course */\n for ( isv=0; isv<2; ++isv ) {\n\tk=0;\n\tdo {\n\t subsf = sf->sf.subfontcnt==0 ? sf : (SplineFont1 *) (sf->sf.subfonts[k]);\n\t for ( gid=0; gidsf.glyphcnt; ++gid ) if ( (sc=subsf->sf.glyphs[gid])!=NULL ) {\n\t\tfor ( kp = (KernPair1 *) (isv ? sc->vkerns : sc->kerns); kp!=NULL; kp = (KernPair1 *) (kp->kp.next) ) {\n\t\t if ( kp->kp.subtable!=NULL )\n\t\tcontinue;\t\t/* already done */\n\t\t otl = CreateLookup(sf,isv ? 
CHR('v','k','r','n') : CHR('k','e','r','n'),\n\t\t\t kp->sli,kp->flags,pst_pair);\n\t\t sub = CreateSubtable(otl,sf);\n\t\t /* There might be another kp with the same flags on this glyph */\n\t\t /* And we must fixup the current kp */\n\t\t for ( kp2=kp ; kp2!=NULL; kp2 = (KernPair1 *) (kp2->kp.next) ) {\n\t\t\tif ( kp2->sli==kp->sli && kp2->flags==kp->flags )\n\t\t\t kp2->kp.subtable = sub;\n\t\t }\n\t\t for ( gid2=gid+1; gid2sf.glyphcnt; ++gid2 ) if ( (sc2=subsf->sf.glyphs[gid2])!=NULL ) {\n\t\t\tfor ( kp2 = (KernPair1 *) (isv ? sc2->vkerns : sc2->kerns); kp2!=NULL; kp2 = (KernPair1 *) (kp2->kp.next) ) {\n\t\t\t if ( kp2->sli==kp->sli && kp2->flags==kp->flags )\n\t\t\t\tkp2->kp.subtable = sub;\n\t\t\t}\n\t\t }\n\t\t /* And there might be a kerning class... */\n\t\t for ( kc=(KernClass1 *) (isv ? sf->sf.vkerns : sf->sf.kerns); kc!=NULL;\n\t\t\t kc = (KernClass1 *) (kc->kc.next) ) {\n\t\t\tif ( kc->sli == kp->sli && kc->flags == kp->flags && kc->kc.subtable==NULL) {\n\t\t\t sub = CreateSubtable(otl,sf);\n\t\t\t sub->per_glyph_pst_or_kern = false;\n\t\t\t sub->kc = &kc->kc;\n\t\t\t kc->kc.subtable = sub;\n\t\t\t}\n\t\t }\n\t\t}\n\t }\n\t ++k;\n\t} while ( ksf.subfontcnt );\n\t/* Or there might be a kerning class all by its lonesome */\n\tfor ( kc=(KernClass1 *) (isv ? sf->sf.vkerns : sf->sf.kerns); kc!=NULL;\n\t\tkc = (KernClass1 *) (kc->kc.next) ) {\n\t if ( kc->kc.subtable==NULL) {\n\t\totl = CreateLookup(sf,isv ? 
CHR('v','k','r','n') : CHR('k','e','r','n'),\n\t\t\tkc->sli,kc->flags,pst_pair);\n\t\tfor ( kc2=kc; kc2!=NULL; kc2=(KernClass1 *) (kc2->kc.next) ) {\n\t\t if ( kc->sli == kc2->sli && kc->flags == kc2->flags && kc2->kc.subtable==NULL) {\n\t\t\tsub = CreateSubtable(otl,sf);\n\t\t\tsub->per_glyph_pst_or_kern = false;\n\t\t\tsub->kc = &kc2->kc;\n\t\t\tkc2->kc.subtable = sub;\n\t\t }\n\t\t}\n\t }\n\t}\n }\n\n /* Every FPST and ASM lives in its own lookup with one subtable */\n /* But the old format refered to nested lookups by tag, and now we refer */\n /* to the lookup itself, so fix that up */\n for ( fpst=(FPST1 *) sf->sf.possub; fpst!=NULL; fpst=((FPST1 *) fpst->fpst.next) ) {\n\totl = CreateLookup(sf,fpst->tag, fpst->script_lang_index,\n\t\tfpst->flags,fpst->fpst.type);\n\tsub = CreateSubtable(otl,sf);\n\tsub->per_glyph_pst_or_kern = false;\n\tsub->fpst = &fpst->fpst;\n\tfpst->fpst.subtable = sub;\n\tFPSTReplaceTagsWithLookups(&fpst->fpst,sf);\n }\n for ( sm=(ASM1 *) sf->sf.sm; sm!=NULL; sm=((ASM1 *) sm->sm.next) ) {\n\totl = CreateMacLookup(sf,sm);\n\tsub = CreateSubtable(otl,sf);\n\tsub->per_glyph_pst_or_kern = false;\n\tsub->sm = &sm->sm;\n\tsm->sm.subtable = sub;\n\tif ( sm->sm.type==asm_context )\n\t ASMReplaceTagsWithLookups(&sm->sm,sf);\n }\n\n /* We retained the old nested feature tags so we could do the above conversion */\n /* of tag to lookup. Get rid of them now */\n for ( isgpos=0; isgpos<2; ++isgpos ) {\n\tfor ( otl = isgpos ? sf->sf.gpos_lookups : sf->sf.gsub_lookups ;\n\t\totl != NULL; otl=otl->next ) {\n\t if ( otl->features!=NULL && otl->features->scripts==NULL ) {\n\t\tchunkfree(otl->features,sizeof(FeatureScriptLangList));\n\t\totl->features = NULL;\n\t }\n\t}\n }\n\n /* Anchor classes are complicated, because I foolishly failed to distinguish */\n /* between mark to base and mark to ligature classes. So one AC might have */\n /* both. 
If so we need to turn it into two ACs, and have separate lookups */\n /* for each */\n for ( ac=(AnchorClass1 *) (sf->sf.anchor); ac!=NULL; ac=(AnchorClass1 *) ac->ac.next ) {\n\tACHasBaseLig(sf,ac);\n\tif ( ac->has_ligatures && !ac->has_bases )\n\t ac->ac.type = act_mklg;\n\telse if ( ac->has_ligatures && ac->has_bases )\n\t ACDisassociateLigatures(sf,ac);\n }\n for ( ac=(AnchorClass1 *) (sf->sf.anchor); ac!=NULL; ac=(AnchorClass1 *) ac->ac.next ) {\n\tif ( ac->ac.subtable==NULL ) {\n\t otl = CreateACLookup(sf,ac);\n\t sub = CreateSubtable(otl,sf);\n\t for ( ac2=ac; ac2!=NULL; ac2 = (AnchorClass1 *) ac2->ac.next ) {\n\t\tif ( ac2->feature_tag == ac->feature_tag &&\n\t\t\tac2->script_lang_index == ac->script_lang_index &&\n\t\t\tac2->flags == ac->flags &&\n\t\t\tac2->ac.type == ac->ac.type &&\n\t\t\tac2->merge_with == ac->merge_with )\n\t\t ac2->ac.subtable = sub;\n\t }\n\t}\n }\n\n /* Now I want to order the gsub lookups. I shan't bother with the gpos */\n /* lookups because I didn't before */\n for ( otl=sf->sf.gsub_lookups, cnt=0; otl!=NULL; otl=otl->next, ++cnt );\n if ( cnt!=0 ) {\n\tall = malloc(cnt*sizeof(OTLookup *));\n\tfor ( otl=sf->sf.gsub_lookups, cnt=0; otl!=NULL; otl=otl->next, ++cnt ) {\n\t all[cnt] = otl;\n\t otl->lookup_index = GSubOrder(sf,otl->features);\n\t}\n\tqsort(all,cnt,sizeof(OTLookup *),order_lookups);\n\tsf->sf.gsub_lookups = all[0];\n\tfor ( i=1; inext = all[i];\n\tall[cnt-1]->next = NULL;\n\tfree( all );\n }\n\n for ( isgpos=0; isgpos<2; ++isgpos ) {\n\tfor ( otl = isgpos ? 
sf->sf.gpos_lookups : sf->sf.gsub_lookups , cnt=0;\n\t\totl!=NULL; otl = otl->next ) {\n\t otl->lookup_index = cnt++;\n\t NameOTLookup(otl,&sf->sf);\n\t}\n }\n}", "project": "fontforge", "hash": 201341204564660268971525900344651077968, "size": 201, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417816 }, { "func": "int JOIN::rollup_send_data(uint idx)\n{\n uint i;\n for (i= send_group_parts ; i-- > idx ; )\n {\n int res= 0;\n /* Get reference pointers to sum functions in place */\n copy_ref_ptr_array(ref_ptrs, rollup.ref_pointer_arrays[i]);\n if ((!having || having->val_int()))\n {\n if (send_records < unit->select_limit_cnt && do_send_rows &&\n\t (res= result->send_data(rollup.fields[i])) > 0)\n\treturn 1;\n if (!res)\n send_records++;\n }\n }\n /* Restore ref_pointer_array */\n set_items_ref_array(current_ref_ptrs);\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 162625776353823463422382255523439133955, "size": 21, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508576 }, { "func": "static void io_req_task_queue_fail(struct io_kiocb *req, int ret)\n{\n\treq->result = ret;\n\treq->task_work.func = io_req_task_cancel;\n\n\tif (unlikely(io_req_task_work_add(req)))\n\t\tio_req_task_work_add_fallback(req, io_req_task_cancel);\n}", "project": "linux", "hash": 42359399737670732608617790953915580134, "size": 8, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338621 }, { "func": "static unsigned int luai_makeseed (lua_State *L) {\n char buff[3 * sizeof(size_t)];\n unsigned int h = cast_uint(time(NULL));\n int p = 0;\n addbuff(buff, p, L); /* heap variable */\n addbuff(buff, p, &h); /* local variable */\n addbuff(buff, p, &lua_newstate); /* public function */\n lua_assert(p == sizeof(buff));\n return luaS_hash(buff, p, h, 1);\n}", "project": "lua", "hash": 167179031554599521079176560286456340152, "size": 10, "commit_id": "a2195644d89812e5b157ce7bac35543e06db05e3", "message": "Fixed bug: invalid 'oldpc' when returning to a function\n\nThe field 'L->oldpc' is not always updated when control returns to a\nfunction; an invalid value can seg. fault when computing 'changedline'.\n(One example is an error in a finalizer; control can return to\n'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to\nfix all possible corner cases, it seems safer to be resilient to invalid\nvalues for 'oldpc'. 
Valid but wrong values at most cause an extra call\nto a line hook.", "target": 0, "dataset": "other", "idx": 462779 }, { "func": "void imap_allow_reopen(struct Mailbox *m)\n{\n struct ImapAccountData *adata = imap_adata_get(m);\n struct ImapMboxData *mdata = imap_mdata_get(m);\n if (!adata || !adata->mailbox || (adata->mailbox != m) || !mdata)\n return;\n mdata->reopen |= IMAP_REOPEN_ALLOW;\n}", "project": "neomutt", "hash": 289118837093222371531273685472768720798, "size": 8, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399294 }, { "func": "static inline int fetch_robust_entry(struct robust_list __user **entry,\n\t\t\t\t struct robust_list __user * __user *head,\n\t\t\t\t int *pi)\n{\n\tunsigned long uentry;\n\n\tif (get_user(uentry, (unsigned long __user *)head))\n\t\treturn -EFAULT;\n\n\t*entry = (void __user *)(uentry & ~1UL);\n\t*pi = uentry & 1;\n\n\treturn 0;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 329347022912509082258234240434684309120, "size": 14, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. 
glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492306 }, { "func": "static enum print_line_t print_bin_fmt(struct trace_iterator *iter)\n{\n\tstruct trace_array *tr = iter->tr;\n\tstruct trace_seq *s = &iter->seq;\n\tstruct trace_entry *entry;\n\tstruct trace_event *event;\n\n\tentry = iter->ent;\n\n\tif (tr->trace_flags & TRACE_ITER_CONTEXT_INFO) {\n\t\tSEQ_PUT_FIELD(s, entry->pid);\n\t\tSEQ_PUT_FIELD(s, iter->cpu);\n\t\tSEQ_PUT_FIELD(s, iter->ts);\n\t\tif (trace_seq_has_overflowed(s))\n\t\t\treturn TRACE_TYPE_PARTIAL_LINE;\n\t}\n\n\tevent = ftrace_find_event(entry->type);\n\treturn event ? event->funcs->binary(iter, 0, event) :\n\t\tTRACE_TYPE_HANDLED;\n}", "project": "linux", "hash": 137984387389272433971798470984444915649, "size": 21, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445731 }, { "func": "JOIN::prepare(TABLE_LIST *tables_init,\n\t uint wild_num, COND *conds_init, uint og_num,\n\t ORDER *order_init, bool skip_order_by,\n ORDER *group_init, Item *having_init,\n\t ORDER *proc_param_init, SELECT_LEX *select_lex_arg,\n\t SELECT_LEX_UNIT *unit_arg)\n{\n DBUG_ENTER(\"JOIN::prepare\");\n\n // to prevent double initialization on EXPLAIN\n if (optimization_state != JOIN::NOT_OPTIMIZED)\n DBUG_RETURN(0);\n\n conds= conds_init;\n order= order_init;\n group_list= group_init;\n having= having_init;\n proc_param= proc_param_init;\n tables_list= tables_init;\n select_lex= select_lex_arg;\n select_lex->join= this;\n join_list= &select_lex->top_join_list;\n union_part= unit_arg->is_unit_op();\n\n // simple check that we got usable conds\n dbug_print_item(conds);\n\n if (select_lex->handle_derived(thd->lex, DT_PREPARE))\n DBUG_RETURN(-1);\n\n thd->lex->current_select->context_analysis_place= NO_MATTER;\n thd->lex->current_select->is_item_list_lookup= 1;\n /*\n If we have already executed SELECT, then it have not sense to prevent\n its table from update (see unique_table())\n Affects only materialized derived tables.\n */\n /* Check that all tables, fields, conds and order are ok */\n if (!(select_options & OPTION_SETUP_TABLES_DONE) &&\n setup_tables_and_check_access(thd, &select_lex->context, join_list,\n tables_list, select_lex->leaf_tables,\n FALSE, SELECT_ACL, SELECT_ACL, FALSE))\n DBUG_RETURN(-1);\n\n /* System Versioning: handle FOR SYSTEM_TIME clause. 
*/\n if (select_lex->vers_setup_conds(thd, tables_list) < 0)\n DBUG_RETURN(-1);\n\n /*\n TRUE if the SELECT list mixes elements with and without grouping,\n and there is no GROUP BY clause. Mixing non-aggregated fields with\n aggregate functions in the SELECT list is a MySQL extenstion that\n is allowed only if the ONLY_FULL_GROUP_BY sql mode is not set.\n */\n mixed_implicit_grouping= false;\n if ((~thd->variables.sql_mode & MODE_ONLY_FULL_GROUP_BY) &&\n select_lex->with_sum_func && !group_list)\n {\n List_iterator_fast select_it(fields_list);\n Item *select_el; /* Element of the SELECT clause, can be an expression. */\n bool found_field_elem= false;\n bool found_sum_func_elem= false;\n\n while ((select_el= select_it++))\n {\n if (select_el->with_sum_func)\n found_sum_func_elem= true;\n if (select_el->with_field)\n found_field_elem= true;\n if (found_sum_func_elem && found_field_elem)\n {\n mixed_implicit_grouping= true;\n break;\n }\n }\n }\n\n table_count= select_lex->leaf_tables.elements;\n\n TABLE_LIST *tbl;\n List_iterator_fast li(select_lex->leaf_tables);\n while ((tbl= li++))\n {\n /*\n If the query uses implicit grouping where the select list contains both\n aggregate functions and non-aggregate fields, any non-aggregated field\n may produce a NULL value. Set all fields of each table as nullable before\n semantic analysis to take into account this change of nullability.\n\n Note: this loop doesn't touch tables inside merged semi-joins, because\n subquery-to-semijoin conversion has not been done yet. 
This is intended.\n */\n if (mixed_implicit_grouping && tbl->table)\n tbl->table->maybe_null= 1;\n }\n \n uint real_og_num= og_num;\n if (skip_order_by && \n select_lex != select_lex->master_unit()->global_parameters())\n real_og_num+= select_lex->order_list.elements;\n\n DBUG_ASSERT(select_lex->hidden_bit_fields == 0);\n if (setup_wild(thd, tables_list, fields_list, &all_fields, wild_num,\n &select_lex->hidden_bit_fields))\n DBUG_RETURN(-1);\n if (select_lex->setup_ref_array(thd, real_og_num))\n DBUG_RETURN(-1);\n\n ref_ptrs= ref_ptr_array_slice(0);\n \n enum_parsing_place save_place=\n thd->lex->current_select->context_analysis_place;\n thd->lex->current_select->context_analysis_place= SELECT_LIST;\n if (setup_fields(thd, ref_ptrs, fields_list, MARK_COLUMNS_READ,\n &all_fields, &select_lex->pre_fix, 1))\n DBUG_RETURN(-1);\n thd->lex->current_select->context_analysis_place= save_place;\n\n if (setup_without_group(thd, ref_ptrs, tables_list,\n select_lex->leaf_tables, fields_list,\n all_fields, &conds, order, group_list,\n select_lex->window_specs,\n select_lex->window_funcs,\n &hidden_group_fields,\n &select_lex->select_n_reserved))\n DBUG_RETURN(-1);\n\n /*\n Permanently remove redundant parts from the query if\n 1) This is a subquery\n 2) This is the first time this query is optimized (since the\n transformation is permanent\n 3) Not normalizing a view. Removal should take place when a\n query involving a view is optimized, not when the view\n is created\n */\n if (select_lex->master_unit()->item && // 1)\n select_lex->first_cond_optimization && // 2)\n !thd->lex->is_view_context_analysis()) // 3)\n {\n remove_redundant_subquery_clauses(select_lex);\n }\n\n /* Resolve the ORDER BY that was skipped, then remove it. 
*/\n if (skip_order_by && select_lex !=\n select_lex->master_unit()->global_parameters())\n {\n nesting_map save_allow_sum_func= thd->lex->allow_sum_func;\n thd->lex->allow_sum_func.set_bit(select_lex->nest_level);\n thd->where= \"order clause\";\n for (ORDER *order= select_lex->order_list.first; order; order= order->next)\n {\n /* Don't add the order items to all fields. Just resolve them to ensure\n the query is valid, we'll drop them immediately after. */\n if (find_order_in_list(thd, ref_ptrs, tables_list, order,\n fields_list, all_fields, false, false, false))\n DBUG_RETURN(-1);\n }\n thd->lex->allow_sum_func= save_allow_sum_func;\n select_lex->order_list.empty();\n }\n\n if (having)\n {\n nesting_map save_allow_sum_func= thd->lex->allow_sum_func;\n thd->where=\"having clause\";\n thd->lex->allow_sum_func.set_bit(select_lex_arg->nest_level);\n select_lex->having_fix_field= 1;\n /*\n Wrap alone field in HAVING clause in case it will be outer field\n of subquery which need persistent pointer on it, but having\n could be changed by optimizer\n */\n if (having->type() == Item::REF_ITEM &&\n ((Item_ref *)having)->ref_type() == Item_ref::REF)\n wrap_ident(thd, &having);\n bool having_fix_rc= having->fix_fields_if_needed_for_bool(thd, &having);\n select_lex->having_fix_field= 0;\n\n if (unlikely(having_fix_rc || thd->is_error()))\n DBUG_RETURN(-1);\t\t\t\t/* purecov: inspected */\n thd->lex->allow_sum_func= save_allow_sum_func;\n\n if (having->with_window_func)\n {\n my_error(ER_WRONG_PLACEMENT_OF_WINDOW_FUNCTION, MYF(0));\n DBUG_RETURN(-1); \n }\n }\n\n /*\n After setting up window functions, we may have discovered additional\n used tables from the PARTITION BY and ORDER BY list. 
Update all items\n that contain window functions.\n */\n if (select_lex->have_window_funcs())\n {\n List_iterator_fast it(select_lex->item_list);\n Item *item;\n while ((item= it++))\n {\n if (item->with_window_func)\n item->update_used_tables();\n }\n }\n\n With_clause *with_clause=select_lex->get_with_clause();\n if (with_clause && with_clause->prepare_unreferenced_elements(thd))\n DBUG_RETURN(1);\n\n With_element *with_elem= select_lex->get_with_element();\n if (with_elem &&\n select_lex->check_unrestricted_recursive(\n thd->variables.only_standard_compliant_cte))\n DBUG_RETURN(-1);\n if (!(select_lex->changed_elements & TOUCHED_SEL_COND))\n select_lex->check_subqueries_with_recursive_references();\n \n int res= check_and_do_in_subquery_rewrites(this);\n\n select_lex->fix_prepare_information(thd, &conds, &having);\n \n if (res)\n DBUG_RETURN(res);\n\n if (order)\n {\n bool real_order= FALSE;\n ORDER *ord;\n for (ord= order; ord; ord= ord->next)\n {\n Item *item= *ord->item;\n /*\n Disregard sort order if there's only \n zero length NOT NULL fields (e.g. {VAR}CHAR(0) NOT NULL\") or\n zero length NOT NULL string functions there.\n Such tuples don't contain any data to sort.\n */\n if (!real_order &&\n /* Not a zero length NOT NULL field */\n ((item->type() != Item::FIELD_ITEM ||\n ((Item_field *) item)->field->maybe_null() ||\n ((Item_field *) item)->field->sort_length()) &&\n /* AND not a zero length NOT NULL string function. 
*/\n (item->type() != Item::FUNC_ITEM ||\n item->maybe_null ||\n item->result_type() != STRING_RESULT ||\n item->max_length)))\n real_order= TRUE;\n\n if ((item->with_sum_func && item->type() != Item::SUM_FUNC_ITEM) ||\n item->with_window_func)\n item->split_sum_func(thd, ref_ptrs, all_fields, SPLIT_SUM_SELECT);\n }\n if (!real_order)\n order= NULL;\n }\n\n if (having && having->with_sum_func)\n having->split_sum_func2(thd, ref_ptrs, all_fields,\n &having, SPLIT_SUM_SKIP_REGISTERED);\n if (select_lex->inner_sum_func_list)\n {\n Item_sum *end=select_lex->inner_sum_func_list;\n Item_sum *item_sum= end; \n do\n { \n item_sum= item_sum->next;\n item_sum->split_sum_func2(thd, ref_ptrs,\n all_fields, item_sum->ref_by, 0);\n } while (item_sum != end);\n }\n\n if (select_lex->inner_refs_list.elements &&\n fix_inner_refs(thd, all_fields, select_lex, ref_ptrs))\n DBUG_RETURN(-1);\n\n if (group_list)\n {\n /*\n Because HEAP tables can't index BIT fields we need to use an\n additional hidden field for grouping because later it will be\n converted to a LONG field. 
Original field will remain of the\n BIT type and will be returned to a client.\n */\n for (ORDER *ord= group_list; ord; ord= ord->next)\n {\n if ((*ord->item)->type() == Item::FIELD_ITEM &&\n (*ord->item)->field_type() == MYSQL_TYPE_BIT)\n {\n Item_field *field= new (thd->mem_root) Item_field(thd, *(Item_field**)ord->item);\n if (!field)\n DBUG_RETURN(-1);\n int el= all_fields.elements;\n ref_ptrs[el]= field;\n all_fields.push_front(field, thd->mem_root);\n ord->item= &ref_ptrs[el];\n }\n }\n }\n\n /*\n Check if there are references to un-aggregated columns when computing \n aggregate functions with implicit grouping (there is no GROUP BY).\n */\n if (thd->variables.sql_mode & MODE_ONLY_FULL_GROUP_BY && !group_list &&\n !(select_lex->master_unit()->item &&\n select_lex->master_unit()->item->is_in_predicate() &&\n ((Item_in_subselect*)select_lex->master_unit()->item)->\n test_set_strategy(SUBS_MAXMIN_INJECTED)) &&\n select_lex->non_agg_field_used() &&\n select_lex->agg_func_used())\n {\n my_message(ER_MIX_OF_GROUP_FUNC_AND_FIELDS,\n ER_THD(thd, ER_MIX_OF_GROUP_FUNC_AND_FIELDS), MYF(0));\n DBUG_RETURN(-1);\n }\n {\n /* Caclulate the number of groups */\n send_group_parts= 0;\n for (ORDER *group_tmp= group_list ; group_tmp ; group_tmp= group_tmp->next)\n send_group_parts++;\n }\n \n procedure= setup_procedure(thd, proc_param, result, fields_list, &error);\n if (unlikely(error))\n goto err;\t\t\t\t\t/* purecov: inspected */\n if (procedure)\n {\n if (setup_new_fields(thd, fields_list, all_fields,\n\t\t\t procedure->param_fields))\n\tgoto err;\t\t\t\t/* purecov: inspected */\n if (procedure->group)\n {\n if (!test_if_subpart(procedure->group,group_list))\n {\t\t\t\t\t\t/* purecov: inspected */\n\tmy_message(ER_DIFF_GROUPS_PROC, ER_THD(thd, ER_DIFF_GROUPS_PROC),\n MYF(0)); /* purecov: inspected */\n\tgoto err;\t\t\t\t/* purecov: inspected */\n }\n }\n if (order && (procedure->flags & PROC_NO_SORT))\n {\t\t\t\t\t\t/* purecov: inspected */\n my_message(ER_ORDER_WITH_PROC, 
ER_THD(thd, ER_ORDER_WITH_PROC),\n MYF(0)); /* purecov: inspected */\n goto err;\t\t\t\t\t/* purecov: inspected */\n }\n if (thd->lex->derived_tables)\n {\n /*\n Queries with derived tables and PROCEDURE are not allowed.\n Many of such queries are disallowed grammatically, but there\n are still some complex cases:\n SELECT 1 FROM (SELECT 1) a PROCEDURE ANALYSE()\n */\n my_error(ER_WRONG_USAGE, MYF(0), \"PROCEDURE\", \n thd->lex->derived_tables & DERIVED_VIEW ?\n \"view\" : \"subquery\"); \n goto err;\n }\n if (thd->lex->sql_command != SQLCOM_SELECT)\n {\n // EXPLAIN SELECT * FROM t1 PROCEDURE ANALYSE()\n my_error(ER_WRONG_USAGE, MYF(0), \"PROCEDURE\", \"non-SELECT\");\n goto err;\n }\n }\n\n if (!procedure && result && result->prepare(fields_list, unit_arg))\n goto err;\t\t\t\t\t/* purecov: inspected */\n\n unit= unit_arg;\n if (prepare_stage2())\n goto err;\n\n DBUG_RETURN(0); // All OK\n\nerr:\n delete procedure; /* purecov: inspected */\n procedure= 0;\n DBUG_RETURN(-1); /* purecov: inspected */\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 293423937205807651995540721736714139051, "size": 382, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508753 }, { "func": "static int fuse_symlink(struct inode *dir, struct dentry *entry,\n\t\t\tconst char *link)\n{\n\tstruct fuse_mount *fm = get_fuse_mount(dir);\n\tunsigned len = strlen(link) + 1;\n\tFUSE_ARGS(args);\n\n\targs.opcode = FUSE_SYMLINK;\n\targs.in_numargs = 2;\n\targs.in_args[0].size = entry->d_name.len + 1;\n\targs.in_args[0].value = entry->d_name.name;\n\targs.in_args[1].size = len;\n\targs.in_args[1].value = link;\n\treturn create_new_entry(fm, &args, dir, entry, S_IFLNK);\n}", "project": "linux", "hash": 188037796708748260228216224909904136498, "size": 15, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342096 }, { "func": "void lua_text_pattern::post_pattern(string &pat, string &fn) const\n{\n pat.erase(0, pat.find_first_not_of(\" \\t\\n\\r\"));\n\n fn += \" pmatch([[\";\n fn += pat;\n fn += \"]], text, false) \";\n\n pat.clear();\n}", "project": "crawl", "hash": 188189094462944358934712751356263607053, "size": 10, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230503 }, { "func": "TEST_P(JSITest, JSErrorsArePropagatedNicely) {\n unsigned callsBeforeError = 5;\n\n Function sometimesThrows = function(\n \"function sometimesThrows(shouldThrow, callback) {\"\n \" if (shouldThrow) {\"\n \" throw Error('Omg, what a nasty exception')\"\n \" }\"\n \" callback(callback);\"\n \"}\");\n\n Function callback = Function::createFromHostFunction(\n rt,\n PropNameID::forAscii(rt, \"callback\"),\n 0,\n [&sometimesThrows, &callsBeforeError](\n Runtime& rt, const Value& thisVal, const Value* args, size_t count) {\n return sometimesThrows.call(rt, --callsBeforeError == 0, args[0]);\n });\n\n try {\n sometimesThrows.call(rt, false, callback);\n } catch (JSError& error) {\n EXPECT_EQ(error.getMessage(), \"Omg, what a nasty exception\");\n EXPECT_EQ(countOccurences(\"sometimesThrows\", error.getStack()), 6);\n\n // system JSC JSI does not implement host function names\n // EXPECT_EQ(countOccurences(\"callback\", error.getStack(rt)), 5);\n }\n}", "project": "hermes", "hash": 66745240857151646635370441896910764717, "size": 30, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype 
chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230227 }, { "func": "static int mbind_range(struct mm_struct *mm, unsigned long start,\n\t\t unsigned long end, struct mempolicy *new_pol)\n{\n\tstruct vm_area_struct *next;\n\tstruct vm_area_struct *prev;\n\tstruct vm_area_struct *vma;\n\tint err = 0;\n\tpgoff_t pgoff;\n\tunsigned long vmstart;\n\tunsigned long vmend;\n\n\tvma = find_vma(mm, start);\n\tVM_BUG_ON(!vma);\n\n\tprev = vma->vm_prev;\n\tif (start > vma->vm_start)\n\t\tprev = vma;\n\n\tfor (; vma && vma->vm_start < end; prev = vma, vma = next) {\n\t\tnext = vma->vm_next;\n\t\tvmstart = max(start, vma->vm_start);\n\t\tvmend = min(end, vma->vm_end);\n\n\t\tif (mpol_equal(vma_policy(vma), new_pol))\n\t\t\tcontinue;\n\n\t\tpgoff = vma->vm_pgoff +\n\t\t\t((vmstart - vma->vm_start) >> PAGE_SHIFT);\n\t\tprev = vma_merge(mm, prev, vmstart, vmend, vma->vm_flags,\n\t\t\t\t vma->anon_vma, vma->vm_file, pgoff,\n\t\t\t\t new_pol, vma->vm_userfaultfd_ctx);\n\t\tif (prev) {\n\t\t\tvma = prev;\n\t\t\tnext = vma->vm_next;\n\t\t\tif (mpol_equal(vma_policy(vma), new_pol))\n\t\t\t\tcontinue;\n\t\t\t/* vma_merge() joined vma && vma->next, case 8 */\n\t\t\tgoto replace;\n\t\t}\n\t\tif (vma->vm_start != vmstart) {\n\t\t\terr = split_vma(vma->vm_mm, vma, vmstart, 1);\n\t\t\tif (err)\n\t\t\t\tgoto out;\n\t\t}\n\t\tif (vma->vm_end != vmend) {\n\t\t\terr = split_vma(vma->vm_mm, vma, vmend, 0);\n\t\t\tif 
(err)\n\t\t\t\tgoto out;\n\t\t}\n replace:\n\t\terr = vma_replace_policy(vma, new_pol);\n\t\tif (err)\n\t\t\tgoto out;\n\t}\n\n out:\n\treturn err;\n}", "project": "linux", "hash": 160869024029638812577236869982617147182, "size": 58, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366769 }, { "func": "static int nfs4_proc_rename_done(struct rpc_task *task, struct inode *old_dir,\n\t\t\t\t struct inode *new_dir)\n{\n\tstruct nfs_renamedata *data = task->tk_calldata;\n\tstruct nfs_renameres *res = &data->res;\n\n\tif (!nfs4_sequence_done(task, &res->seq_res))\n\t\treturn 0;\n\tif (nfs4_async_handle_error(task, res->server, NULL, &data->timeout) == -EAGAIN)\n\t\treturn 0;\n\n\tif (task->tk_status == 0) {\n\t\tif (new_dir != old_dir) {\n\t\t\t/* Note: If we moved a directory, nlink will change */\n\t\t\tnfs4_update_changeattr(old_dir, &res->old_cinfo,\n\t\t\t\t\tres->old_fattr->time_start,\n\t\t\t\t\tNFS_INO_INVALID_OTHER |\n\t\t\t\t\t NFS_INO_INVALID_DATA);\n\t\t\tnfs4_update_changeattr(new_dir, 
&res->new_cinfo,\n\t\t\t\t\tres->new_fattr->time_start,\n\t\t\t\t\tNFS_INO_INVALID_OTHER |\n\t\t\t\t\t NFS_INO_INVALID_DATA);\n\t\t} else\n\t\t\tnfs4_update_changeattr(old_dir, &res->old_cinfo,\n\t\t\t\t\tres->old_fattr->time_start,\n\t\t\t\t\tNFS_INO_INVALID_DATA);\n\t}\n\treturn 1;\n}", "project": "linux", "hash": 33984411856307496667540410839264096220, "size": 29, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431614 }, { "func": "static unsigned php_ifd_get32u(void *Long, int motorola_intel) {\n return (unsigned)php_ifd_get32s(Long, motorola_intel) & 0xffffffff;\n}", "project": "hhvm", "hash": 188974581851554200370561289948916360394, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219504 }, { "func": "static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct nfs4_state *state, const nfs4_stateid *stateid, struct file_lock *fl, int err)\n{\n\tswitch (err) {\n\t\tdefault:\n\t\t\tprintk(KERN_ERR \"NFS: %s: unhandled error \"\n\t\t\t\t\t\"%d.\\n\", __func__, err);\n\t\tcase 0:\n\t\tcase -ENOENT:\n\t\tcase -EAGAIN:\n\t\tcase -ESTALE:\n\t\tcase -ETIMEDOUT:\n\t\t\tbreak;\n\t\tcase -NFS4ERR_BADSESSION:\n\t\tcase -NFS4ERR_BADSLOT:\n\t\tcase -NFS4ERR_BAD_HIGH_SLOT:\n\t\tcase -NFS4ERR_CONN_NOT_BOUND_TO_SESSION:\n\t\tcase -NFS4ERR_DEADSESSION:\n\t\t\treturn -EAGAIN;\n\t\tcase -NFS4ERR_STALE_CLIENTID:\n\t\tcase -NFS4ERR_STALE_STATEID:\n\t\t\t/* Don't recall a delegation if it was 
lost */\n\t\t\tnfs4_schedule_lease_recovery(server->nfs_client);\n\t\t\treturn -EAGAIN;\n\t\tcase -NFS4ERR_MOVED:\n\t\t\tnfs4_schedule_migration_recovery(server);\n\t\t\treturn -EAGAIN;\n\t\tcase -NFS4ERR_LEASE_MOVED:\n\t\t\tnfs4_schedule_lease_moved_recovery(server->nfs_client);\n\t\t\treturn -EAGAIN;\n\t\tcase -NFS4ERR_DELEG_REVOKED:\n\t\tcase -NFS4ERR_ADMIN_REVOKED:\n\t\tcase -NFS4ERR_EXPIRED:\n\t\tcase -NFS4ERR_BAD_STATEID:\n\t\tcase -NFS4ERR_OPENMODE:\n\t\t\tnfs_inode_find_state_and_recover(state->inode,\n\t\t\t\t\tstateid);\n\t\t\tnfs4_schedule_stateid_recovery(server, state);\n\t\t\treturn -EAGAIN;\n\t\tcase -NFS4ERR_DELAY:\n\t\tcase -NFS4ERR_GRACE:\n\t\t\tssleep(1);\n\t\t\treturn -EAGAIN;\n\t\tcase -ENOMEM:\n\t\tcase -NFS4ERR_DENIED:\n\t\t\tif (fl) {\n\t\t\t\tstruct nfs4_lock_state *lsp = fl->fl_u.nfs4_fl.owner;\n\t\t\t\tif (lsp)\n\t\t\t\t\tset_bit(NFS_LOCK_LOST, &lsp->ls_flags);\n\t\t\t}\n\t\t\treturn 0;\n\t}\n\treturn err;\n}", "project": "linux", "hash": 80427974515706358322267742987016265640, "size": 53, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431016 }, { "func": "static inline int tcp_full_space(const struct sock *sk)\n{\n\treturn tcp_win_from_space(sk->sk_rcvbuf);\n}", "project": "linux", "hash": 338563156170903273390163741829918326944, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts 
to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410763 }, { "func": "void gdImagePolygon (gdImagePtr im, gdPointPtr p, int n, int c)\n{\n\tint i;\n\tint lx, ly;\n\ttypedef void (*image_line)(gdImagePtr im, int x1, int y1, int x2, int y2, int color);\n\timage_line draw_line;\n\n\tif (n <= 0) {\n\t\treturn;\n\t}\n\n\t/* Let it be known that we are drawing a polygon so that the opacity\n\t * mask doesn't get cleared after each line.\n\t */\n\tif (c == gdAntiAliased) {\n\t\tim->AA_polygon = 1;\n\t}\n\n\tif ( im->antialias) {\n\t\tdraw_line = gdImageAALine;\n\t} else {\n\t\tdraw_line = gdImageLine;\n\t}\n\tlx = p->x;\n\tly = p->y;\n\tdraw_line(im, lx, ly, p[n - 1].x, p[n - 1].y, c);\n\tfor (i = 1; i < n; i++) {\n\t\tp++;\n\t\tdraw_line(im, lx, ly, p->x, p->y, c);\n\t\tlx = p->x;\n\t\tly = p->y;\n\t}\n\n\tif (c == gdAntiAliased) {\n\t\tim->AA_polygon = 0;\n\t\tgdImageAABlend(im);\n\t}\n}", "project": "php-src", "hash": 267302351505100474745825051112450577520, "size": 38, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer 
Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295173 }, { "func": "static size_t socket_slurp(RSocket *s, RBuffer *buf) {\n\tsize_t i;\n\tif (r_socket_ready (s, 1, 0) != 1) {\n\t\treturn 0;\n\t}\n\tr_socket_block_time (s, 1, 0, 1000);\n\tfor (i = 0; i < SOCKET_HTTP_MAX_HEADER_LENGTH; i += 1) {\n\t\tut8 c;\n\t\tint olen = r_socket_read_block (s, &c, 1);\n\t\tif (olen != 1) {\n\t\t\tr_buf_append_bytes (buf, (ut8 *)\"\", 1);\n\t\t\tbreak;\n\t\t}\n\t\tr_buf_append_bytes (buf, &c, 1);\n\t}\n\treturn i;\n}", "project": "radare2", "hash": 134678020621069326094673134891252701456, "size": 17, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268965 }, { "func": "void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,\n\t\t\t struct futex_hash_bucket *hb)\n{\n\tget_futex_key_refs(key);\n\tq->key = *key;\n\n\tWARN_ON(plist_node_empty(&q->list));\n\tplist_del(&q->list, &q->list.plist);\n\n\tWARN_ON(!q->rt_waiter);\n\tq->rt_waiter = NULL;\n\n\tq->lock_ptr = &hb->lock;\n#ifdef CONFIG_DEBUG_PI_LIST\n\tq->list.plist.spinlock = &hb->lock;\n#endif\n\n\twake_up_state(q->task, TASK_NORMAL);\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 290002128733315045448537367887125653649, "size": 19, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492290 }, { "func": "static void input_cleanse_bitmasks(struct input_dev *dev)\n{\n\tINPUT_CLEANSE_BITMASK(dev, KEY, key);\n\tINPUT_CLEANSE_BITMASK(dev, REL, rel);\n\tINPUT_CLEANSE_BITMASK(dev, ABS, abs);\n\tINPUT_CLEANSE_BITMASK(dev, MSC, msc);\n\tINPUT_CLEANSE_BITMASK(dev, LED, led);\n\tINPUT_CLEANSE_BITMASK(dev, SND, snd);\n\tINPUT_CLEANSE_BITMASK(dev, FF, ff);\n\tINPUT_CLEANSE_BITMASK(dev, SW, sw);\n}", "project": "linux", "hash": 195430458653928990729892664771064046058, "size": 11, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353356 }, { "func": "int __hci_req_disable_ext_adv_instance(struct hci_request *req, u8 instance)\n{\n\tstruct hci_dev *hdev = req->hdev;\n\tstruct hci_cp_le_set_ext_adv_enable *cp;\n\tstruct hci_cp_ext_adv_set *adv_set;\n\tu8 data[sizeof(*cp) + sizeof(*adv_set) * 1];\n\tu8 req_size;\n\n\t/* If request specifies an instance that doesn't exist, fail */\n\tif (instance > 0 && !hci_find_adv_instance(hdev, instance))\n\t\treturn -EINVAL;\n\n\tmemset(data, 0, sizeof(data));\n\n\tcp = (void *)data;\n\tadv_set = (void *)cp->data;\n\n\t/* Instance 0x00 indicates all advertising instances will be disabled */\n\tcp->num_of_sets = !!instance;\n\tcp->enable = 0x00;\n\n\tadv_set->handle = instance;\n\n\treq_size = sizeof(*cp) + sizeof(*adv_set) * cp->num_of_sets;\n\thci_req_add(req, HCI_OP_LE_SET_EXT_ADV_ENABLE, req_size, data);\n\n\treturn 0;\n}", "project": "linux", "hash": 211614557175057943650955429017994000089, "size": 28, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402478 }, { "func": "uint32_t ssh_buffer_get_data(struct ssh_buffer_struct *buffer, void *data, uint32_t len)\n{\n int rc;\n\n /*\n * Check for a integer overflow first, then check if not enough data is in\n * the buffer.\n */\n rc = ssh_buffer_validate_length(buffer, len);\n if (rc != SSH_OK) {\n return 0;\n }\n memcpy(data,buffer->data+buffer->pos,len);\n buffer->pos+=len;\n return len; /* no yet support for partial reads (is it really needed ?? ) */\n}", "project": "libssh-mirror", "hash": 197260229580642222783088017595517538535, "size": 16, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345155 }, { "func": "static void nfs41_delegation_recover_stateid(struct nfs4_state *state)\n{\n\tnfs4_stateid tmp;\n\n\tif (test_bit(NFS_DELEGATED_STATE, &state->flags) &&\n\t nfs4_copy_delegation_stateid(state->inode, state->state,\n\t\t\t\t&tmp, NULL) &&\n\t nfs4_stateid_match_other(&state->stateid, &tmp))\n\t\tnfs_state_set_delegation(state, &tmp, state->state);\n\telse\n\t\tnfs_state_clear_delegation(state);\n}", "project": "linux", "hash": 307450430595424110410966818991504533738, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", 
"target": 0, "dataset": "other", "idx": 431061 }, { "func": "int hci_req_resume_adv_instances(struct hci_dev *hdev)\n{\n\tstruct hci_request req;\n\n\thci_req_init(&req, hdev);\n\t__hci_req_resume_adv_instances(&req);\n\n\treturn hci_req_run(&req, NULL);\n}", "project": "linux", "hash": 308404684342305528767756868003579857963, "size": 9, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402500 }, { "func": "static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)\n{\n\tu8 proto;\n\tstruct xfrm_address_filter *filter = NULL;\n\tstruct pfkey_sock *pfk = pfkey_sk(sk);\n\n\tmutex_lock(&pfk->dump_lock);\n\tif (pfk->dump.dump != NULL) {\n\t\tmutex_unlock(&pfk->dump_lock);\n\t\treturn -EBUSY;\n\t}\n\n\tproto = pfkey_satype2proto(hdr->sadb_msg_satype);\n\tif (proto == 0) {\n\t\tmutex_unlock(&pfk->dump_lock);\n\t\treturn -EINVAL;\n\t}\n\n\tif (ext_hdrs[SADB_X_EXT_FILTER - 1]) {\n\t\tstruct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1];\n\n\t\tif ((xfilter->sadb_x_filter_splen >=\n\t\t\t(sizeof(xfrm_address_t) << 3)) ||\n\t\t (xfilter->sadb_x_filter_dplen >=\n\t\t\t(sizeof(xfrm_address_t) << 3))) 
{\n\t\t\tmutex_unlock(&pfk->dump_lock);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tfilter = kmalloc(sizeof(*filter), GFP_KERNEL);\n\t\tif (filter == NULL) {\n\t\t\tmutex_unlock(&pfk->dump_lock);\n\t\t\treturn -ENOMEM;\n\t\t}\n\n\t\tmemcpy(&filter->saddr, &xfilter->sadb_x_filter_saddr,\n\t\t sizeof(xfrm_address_t));\n\t\tmemcpy(&filter->daddr, &xfilter->sadb_x_filter_daddr,\n\t\t sizeof(xfrm_address_t));\n\t\tfilter->family = xfilter->sadb_x_filter_family;\n\t\tfilter->splen = xfilter->sadb_x_filter_splen;\n\t\tfilter->dplen = xfilter->sadb_x_filter_dplen;\n\t}\n\n\tpfk->dump.msg_version = hdr->sadb_msg_version;\n\tpfk->dump.msg_portid = hdr->sadb_msg_pid;\n\tpfk->dump.dump = pfkey_dump_sa;\n\tpfk->dump.done = pfkey_dump_sa_done;\n\txfrm_state_walk_init(&pfk->dump.u.state, proto, filter);\n\tmutex_unlock(&pfk->dump_lock);\n\n\treturn pfkey_do_dump(pfk);\n}", "project": "linux", "hash": 168557773369909122860383544814807769447, "size": 52, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268039 }, { "func": "int imap_subscribe(char *path, bool subscribe)\n{\n struct ImapAccountData *adata = NULL;\n struct ImapMboxData *mdata = NULL;\n char buf[2048];\n struct Buffer err;\n\n if (imap_adata_find(path, &adata, &mdata) < 0)\n return -1;\n\n if (subscribe)\n mutt_message(_(\"Subscribing to %s...\"), mdata->name);\n else\n mutt_message(_(\"Unsubscribing from %s...\"), mdata->name);\n\n snprintf(buf, sizeof(buf), \"%sSUBSCRIBE %s\", subscribe ? \"\" : \"UN\", mdata->munge_name);\n\n if (imap_exec(adata, buf, IMAP_CMD_NO_FLAGS) != IMAP_EXEC_SUCCESS)\n {\n imap_mdata_free((void *) &mdata);\n return -1;\n }\n\n if (C_ImapCheckSubscribed)\n {\n char mbox[1024];\n mutt_buffer_init(&err);\n err.dsize = 256;\n err.data = mutt_mem_malloc(err.dsize);\n size_t len = snprintf(mbox, sizeof(mbox), \"%smailboxes \", subscribe ? 
\"\" : \"un\");\n imap_quote_string(mbox + len, sizeof(mbox) - len, path, true);\n if (mutt_parse_rc_line(mbox, &err))\n mutt_debug(LL_DEBUG1, \"Error adding subscribed mailbox: %s\\n\", err.data);\n FREE(&err.data);\n }\n\n if (subscribe)\n mutt_message(_(\"Subscribed to %s\"), mdata->name);\n else\n mutt_message(_(\"Unsubscribed from %s\"), mdata->name);\n imap_mdata_free((void *) &mdata);\n return 0;\n}", "project": "neomutt", "hash": 256457622245572746347365069219023908278, "size": 43, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357021 }, { "func": "static void encode_lock(struct xdr_stream *xdr, const struct nfs_lock_args *args, struct compound_hdr *hdr)\n{\n\t__be32 *p;\n\n\tencode_op_hdr(xdr, OP_LOCK, decode_lock_maxsz, hdr);\n\tp = reserve_space(xdr, 28);\n\t*p++ = cpu_to_be32(nfs4_lock_type(args->fl, args->block));\n\t*p++ = cpu_to_be32(args->reclaim);\n\tp = xdr_encode_hyper(p, args->fl->fl_start);\n\tp = xdr_encode_hyper(p, nfs4_lock_length(args->fl));\n\t*p = cpu_to_be32(args->new_lock_owner);\n\tif (args->new_lock_owner){\n\t\tencode_nfs4_seqid(xdr, args->open_seqid);\n\t\tencode_nfs4_stateid(xdr, &args->open_stateid);\n\t\tencode_nfs4_seqid(xdr, args->lock_seqid);\n\t\tencode_lockowner(xdr, &args->lock_owner);\n\t}\n\telse {\n\t\tencode_nfs4_stateid(xdr, &args->lock_stateid);\n\t\tencode_nfs4_seqid(xdr, args->lock_seqid);\n\t}\n}", "project": "linux", "hash": 38235006931563752783969815287152442342, "size": 22, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey 
Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431039 }, { "func": "static unsigned long kvm_s390_next_dirty_cmma(struct kvm_memslots *slots,\n\t\t\t\t\t unsigned long cur_gfn)\n{\n\tint slotidx = gfn_to_memslot_approx(slots, cur_gfn);\n\tstruct kvm_memory_slot *ms = slots->memslots + slotidx;\n\tunsigned long ofs = cur_gfn - ms->base_gfn;\n\n\tif (ms->base_gfn + ms->npages <= cur_gfn) {\n\t\tslotidx--;\n\t\t/* If we are above the highest slot, wrap around */\n\t\tif (slotidx < 0)\n\t\t\tslotidx = slots->used_slots - 1;\n\n\t\tms = slots->memslots + slotidx;\n\t\tofs = 0;\n\t}\n\tofs = find_next_bit(kvm_second_dirty_bitmap(ms), ms->npages, ofs);\n\twhile ((slotidx > 0) && (ofs >= ms->npages)) {\n\t\tslotidx--;\n\t\tms = slots->memslots + slotidx;\n\t\tofs = find_next_bit(kvm_second_dirty_bitmap(ms), ms->npages, 0);\n\t}\n\treturn ms->base_gfn + ofs;\n}", "project": "linux", "hash": 252000329411510164907856004317215368813, "size": 24, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354604 }, { "func": "static int parse_file_extra_redir(struct archive_read* a,\n struct archive_entry* e, struct rar5* rar, ssize_t* extra_data_size)\n{\n\tuint64_t value_size = 0;\n\tsize_t target_size = 0;\n\tchar 
target_utf8_buf[MAX_NAME_IN_BYTES];\n\tconst uint8_t* p;\n\n\tif(!read_var(a, &rar->file.redir_type, &value_size))\n\t\treturn ARCHIVE_EOF;\n\tif(ARCHIVE_OK != consume(a, (int64_t)value_size))\n\t\treturn ARCHIVE_EOF;\n\t*extra_data_size -= value_size;\n\n\tif(!read_var(a, &rar->file.redir_flags, &value_size))\n\t\treturn ARCHIVE_EOF;\n\tif(ARCHIVE_OK != consume(a, (int64_t)value_size))\n\t\treturn ARCHIVE_EOF;\n\t*extra_data_size -= value_size;\n\n\tif(!read_var_sized(a, &target_size, NULL))\n\t\treturn ARCHIVE_EOF;\n\t*extra_data_size -= target_size + 1;\n\n\tif(!read_ahead(a, target_size, &p))\n\t\treturn ARCHIVE_EOF;\n\n\tif(target_size > (MAX_NAME_IN_CHARS - 1)) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Link target is too long\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tif(target_size == 0) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"No link target specified\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tmemcpy(target_utf8_buf, p, target_size);\n\ttarget_utf8_buf[target_size] = 0;\n\n\tif(ARCHIVE_OK != consume(a, (int64_t)target_size))\n\t\treturn ARCHIVE_EOF;\n\n\tswitch(rar->file.redir_type) {\n\t\tcase REDIR_TYPE_UNIXSYMLINK:\n\t\tcase REDIR_TYPE_WINSYMLINK:\n\t\t\tarchive_entry_set_filetype(e, AE_IFLNK);\n\t\t\tarchive_entry_update_symlink_utf8(e, target_utf8_buf);\n\t\t\tif (rar->file.redir_flags & REDIR_SYMLINK_IS_DIR) {\n\t\t\t\tarchive_entry_set_symlink_type(e,\n\t\t\t\t\tAE_SYMLINK_TYPE_DIRECTORY);\n\t\t\t} else {\n\t\t\t\tarchive_entry_set_symlink_type(e,\n\t\t\t\tAE_SYMLINK_TYPE_FILE);\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase REDIR_TYPE_HARDLINK:\n\t\t\tarchive_entry_set_filetype(e, AE_IFREG);\n\t\t\tarchive_entry_update_hardlink_utf8(e, target_utf8_buf);\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\t/* Unknown redir type, skip it. 
*/\n\t\t\tbreak;\n\t}\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 135941611702905572057177070999058064355, "size": 70, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244801 }, { "func": "static void nasm_verror_vc(int severity, const char *fmt, va_list ap)\n{\n const char *currentfile = NULL;\n int32_t lineno = 0;\n\n if (is_suppressed_warning(severity))\n return;\n\n if (!(severity & ERR_NOFILE))\n src_get(&lineno, ¤tfile);\n\n if (!skip_this_pass(severity)) {\n if (currentfile) {\n\t fprintf(error_file, \"%s(%\"PRId32\") : \", currentfile, lineno);\n\t} else {\n\t fputs(\"nasm: \", error_file);\n\t}\n }\n\n nasm_verror_common(severity, fmt, ap);\n}", "project": "nasm", "hash": 155829824160768526745428736219622115382, "size": 21, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257481 }, { "func": "static void FPSTReplaceTagsWithLookups(FPST *fpst,SplineFont1 *sf) {\n int i,j,k;\n\n if ( fpst->type == pst_reversesub )\nreturn;\n for ( i=0; irule_cnt; ++i ) {\n\tfor ( j=0; 
jrules[i].lookup_cnt; ++j ) {\n\t OTLookup *otl = FindNestedLookupByTag(sf,(uint32) (intpt) (fpst->rules[i].lookups[j].lookup) );\n\t if ( otl!=NULL )\n\t\tfpst->rules[i].lookups[j].lookup = otl;\n\t else {\n\t\tfor ( k=j+1; krules[i].lookup_cnt; ++k )\n\t\t fpst->rules[i].lookups[k-1] = fpst->rules[i].lookups[k];\n\t\t--fpst->rules[i].lookup_cnt;\n\t }\n\t}\n }\n}", "project": "fontforge", "hash": 122237897040918021212457465630386293258, "size": 18, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417909 }, { "func": "static int exif_process_string(char **result, char *value,\n size_t byte_count) {\n /* we cannot use strlcpy - here the problem is that we cannot use strlen to\n * determin length of string and we cannot use strlcpy with len=byte_count+1\n * because then we might get into an EXCEPTION if we exceed an allocated\n * memory page...so we use php_strnlen in conjunction with memcpy and add\n * the NUL char.\n */\n if ((byte_count=php_strnlen(value, byte_count)) > 0) {\n return exif_process_undefined(result, value, byte_count);\n }\n PHP_STRNDUP((*result), \"\", 1); /* force empty string */\n if (*result) return byte_count+1;\n return 0;\n}", "project": "hhvm", "hash": 316638917906688550505483577904275779355, "size": 15, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219881 }, { "func": "\nstatic int __init slab_sysfs_init(void)\n{\n\tstruct kmem_cache *s;\n\tint 
err;\n\n\tmutex_lock(&slab_mutex);\n\n\tslab_kset = kset_create_and_add(\"slab\", &slab_uevent_ops, kernel_kobj);\n\tif (!slab_kset) {\n\t\tmutex_unlock(&slab_mutex);\n\t\tpr_err(\"Cannot register slab subsystem.\\n\");\n\t\treturn -ENOSYS;\n\t}\n\n\tslab_state = FULL;\n\n\tlist_for_each_entry(s, &slab_caches, list) {\n\t\terr = sysfs_slab_add(s);\n\t\tif (err)\n\t\t\tpr_err(\"SLUB: Unable to add boot slab %s to sysfs\\n\",\n\t\t\t s->name);\n\t}\n\n\twhile (alias_list) {\n\t\tstruct saved_alias *al = alias_list;\n\n\t\talias_list = alias_list->next;\n\t\terr = sysfs_slab_alias(al->s, al->name);\n\t\tif (err)\n\t\t\tpr_err(\"SLUB: Unable to add boot slab alias %s to sysfs\\n\",\n\t\t\t al->name);\n\t\tkfree(al);\n\t}\n\n\tmutex_unlock(&slab_mutex);\n\tresiliency_test();\n\treturn 0;", "project": "linux", "hash": 88355015751121218613755566475576473472, "size": 38, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280233 }, { "func": "static inline bool tcp_checksum_complete(struct sk_buff *skb)\n{\n\treturn !skb_csum_unnecessary(skb) &&\n\t\t__tcp_checksum_complete(skb);\n}", "project": "linux", "hash": 288175112398844059167728613358172955182, "size": 5, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410735 }, { "func": "static ut64 bbSize(RAnalFunction *fcn, ut64 addr) {\n\tRListIter *iter;\n\tRAnalBlock *bb;\n\tr_list_foreach (fcn->bbs, iter, bb) {\n\t\tif (R_BETWEEN (bb->addr, addr, bb->addr + bb->size - 1)) {\n\t\t\treturn bb->size;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "radare2", "hash": 182718246293373246423776874490786899089, "size": 10, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232175 }, { "func": "\tvirtual bool OnWebRequest(CWebSock& WebSock, const CString& sPageName, CTemplate& Tmpl) {\n\t\tCSmartPtr spSession = WebSock.GetSession();\n\n\t\tif (sPageName == \"settings\") {\n\t\t\t// Admin Check\n\t\t\tif (!spSession->IsAdmin()) {\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\treturn SettingsPage(WebSock, Tmpl);\n\t\t} else if (sPageName == \"adduser\") {\n\t\t\t// Admin Check\n\t\t\tif (!spSession->IsAdmin()) {\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\treturn UserPage(WebSock, Tmpl);\n\t\t} else if (sPageName == \"addnetwork\") {\n\t\t\tCUser* pUser = SafeGetUserFromParam(WebSock);\n\n\t\t\t// Admin||Self Check\n\t\t\tif (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pUser)) {\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\tif (pUser) {\n\t\t\t\treturn NetworkPage(WebSock, Tmpl, pUser);\n\t\t\t}\n\n\t\t\tWebSock.PrintErrorPage(\"No such username\");\n\t\t\treturn true;\n\t\t} else if (sPageName == \"editnetwork\") {\n\t\t\tCIRCNetwork* pNetwork = SafeGetNetworkFromParam(WebSock);\n\n\t\t\t// Admin||Self Check\n\t\t\tif (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pNetwork->GetUser())) {\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\tif (!pNetwork) {\n\t\t\t\tWebSock.PrintErrorPage(\"No such username or network\");\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\treturn NetworkPage(WebSock, Tmpl, pNetwork->GetUser(), pNetwork);\n\n\t\t} else if 
(sPageName == \"delnetwork\") {\n\t\t\tCString sUser = WebSock.GetParam(\"user\");\n\t\t\tif (sUser.empty() && !WebSock.IsPost()) {\n\t\t\t\tsUser = WebSock.GetParam(\"user\", false);\n\t\t\t}\n\n\t\t\tCUser* pUser = CZNC::Get().FindUser(sUser);\n\n\t\t\t// Admin||Self Check\n\t\t\tif (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pUser)) {\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\treturn DelNetwork(WebSock, pUser, Tmpl);\n\t\t} else if (sPageName == \"editchan\") {\n\t\t\tCIRCNetwork* pNetwork = SafeGetNetworkFromParam(WebSock);\n\n\t\t\t// Admin||Self Check\n\t\t\tif (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pNetwork->GetUser())) {\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\tif (!pNetwork) {\n\t\t\t\tWebSock.PrintErrorPage(\"No such username or network\");\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\tCString sChan = WebSock.GetParam(\"name\");\n\t\t\tif(sChan.empty() && !WebSock.IsPost()) {\n\t\t\t\tsChan = WebSock.GetParam(\"name\", false);\n\t\t\t}\n\t\t\tCChan* pChan = pNetwork->FindChan(sChan);\n\t\t\tif (!pChan) {\n\t\t\t\tWebSock.PrintErrorPage(\"No such channel\");\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\treturn ChanPage(WebSock, Tmpl, pNetwork, pChan);\n\t\t} else if (sPageName == \"addchan\") {\n\t\t\tCIRCNetwork* pNetwork = SafeGetNetworkFromParam(WebSock);\n\n\t\t\t// Admin||Self Check\n\t\t\tif (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pNetwork->GetUser())) {\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\tif (pNetwork) {\n\t\t\t\treturn ChanPage(WebSock, Tmpl, pNetwork);\n\t\t\t}\n\n\t\t\tWebSock.PrintErrorPage(\"No such username or network\");\n\t\t\treturn true;\n\t\t} else if (sPageName == \"delchan\") {\n\t\t\tCIRCNetwork* pNetwork = SafeGetNetworkFromParam(WebSock);\n\n\t\t\t// Admin||Self Check\n\t\t\tif (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pNetwork->GetUser())) {\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\tif (pNetwork) 
{\n\t\t\t\treturn DelChan(WebSock, pNetwork);\n\t\t\t}\n\n\t\t\tWebSock.PrintErrorPage(\"No such username or network\");\n\t\t\treturn true;\n\t\t} else if (sPageName == \"deluser\") {\n\t\t\tif (!spSession->IsAdmin()) {\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\tif (!WebSock.IsPost()) {\n\t\t\t\t// Show the \"Are you sure?\" page:\n\n\t\t\t\tCString sUser = WebSock.GetParam(\"user\", false);\n\t\t\t\tCUser* pUser = CZNC::Get().FindUser(sUser);\n\n\t\t\t\tif (!pUser) {\n\t\t\t\t\tWebSock.PrintErrorPage(\"No such username\");\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\n\t\t\t\tTmpl.SetFile(\"del_user.tmpl\");\n\t\t\t\tTmpl[\"Username\"] = sUser;\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\t// The \"Are you sure?\" page has been submitted with \"Yes\",\n\t\t\t// so we actually delete the user now:\n\n\t\t\tCString sUser = WebSock.GetParam(\"user\");\n\t\t\tCUser* pUser = CZNC::Get().FindUser(sUser);\n\n\t\t\tif (pUser && pUser == spSession->GetUser()) {\n\t\t\t\tWebSock.PrintErrorPage(\"Please don't delete yourself, suicide is not the answer!\");\n\t\t\t\treturn true;\n\t\t\t} else if (CZNC::Get().DeleteUser(sUser)) {\n\t\t\t\tWebSock.Redirect(\"listusers\");\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\tWebSock.PrintErrorPage(\"No such username\");\n\t\t\treturn true;\n\t\t} else if (sPageName == \"edituser\") {\n\t\t\tCString sUserName = SafeGetUserNameParam(WebSock);\n\t\t\tCUser* pUser = CZNC::Get().FindUser(sUserName);\n\n\t\t\tif(!pUser) {\n\t\t\t\tif(sUserName.empty()) {\n\t\t\t\t\tpUser = spSession->GetUser();\n\t\t\t\t} // else: the \"no such user\" message will be printed.\n\t\t\t}\n\n\t\t\t// Admin||Self Check\n\t\t\tif (!spSession->IsAdmin() && (!spSession->GetUser() || spSession->GetUser() != pUser)) {\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\tif (pUser) {\n\t\t\t\treturn UserPage(WebSock, Tmpl, pUser);\n\t\t\t}\n\n\t\t\tWebSock.PrintErrorPage(\"No such username\");\n\t\t\treturn true;\n\t\t} else if (sPageName == \"listusers\" && spSession->IsAdmin()) {\n\t\t\treturn 
ListUsersPage(WebSock, Tmpl);\n\t\t} else if (sPageName == \"traffic\" && spSession->IsAdmin()) {\n\t\t\treturn TrafficPage(WebSock, Tmpl);\n\t\t} else if (sPageName == \"index\") {\n\t\t\treturn true;\n\t\t} else if (sPageName == \"add_listener\") {\n\t\t\t// Admin Check\n\t\t\tif (!spSession->IsAdmin()) {\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\treturn AddListener(WebSock, Tmpl);\n\t\t} else if (sPageName == \"del_listener\") {\n\t\t\t// Admin Check\n\t\t\tif (!spSession->IsAdmin()) {\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\treturn DelListener(WebSock, Tmpl);\n\t\t}\n\n\t\treturn false;\n\t}", "project": "znc", "hash": 50774394320194138082713750457902206771, "size": 194, "commit_id": "2bd410ee5570cea127233f1133ea22f25174eb28", "message": "Fix NULL pointer dereference in webadmin.\n\nTriggerable by any non-admin, if webadmin is loaded.\n\nThe only affected version is 1.0\n\nThanks to ChauffeR (Simone Esposito) for reporting this.", "target": 1, "dataset": "other", "idx": 208526 }, { "func": "static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,\n\t\t\t\t\t char __user *optval,\n\t\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_sack_info params;\n\tstruct sctp_association *asoc = NULL;\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\n\tif (len >= sizeof(struct sctp_sack_info)) {\n\t\tlen = sizeof(struct sctp_sack_info);\n\n\t\tif (copy_from_user(¶ms, optval, len))\n\t\t\treturn -EFAULT;\n\t} else if (len == sizeof(struct sctp_assoc_value)) {\n\t\tpr_warn_ratelimited(DEPRECATED\n\t\t\t\t \"%s (pid %d) \"\n\t\t\t\t \"Use of struct sctp_assoc_value in delayed_ack socket option.\\n\"\n\t\t\t\t \"Use struct sctp_sack_info instead\\n\",\n\t\t\t\t current->comm, task_pid_nr(current));\n\t\tif (copy_from_user(¶ms, optval, len))\n\t\t\treturn -EFAULT;\n\t} else\n\t\treturn -EINVAL;\n\n\t/* Get association, if sack_assoc_id != SCTP_FUTURE_ASSOC and the\n\t * socket is a one to many style socket, and an association\n\t * was not found, then the id was invalid.\n\t 
*/\n\tasoc = sctp_id2assoc(sk, params.sack_assoc_id);\n\tif (!asoc && params.sack_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc) {\n\t\t/* Fetch association values. */\n\t\tif (asoc->param_flags & SPP_SACKDELAY_ENABLE) {\n\t\t\tparams.sack_delay = jiffies_to_msecs(asoc->sackdelay);\n\t\t\tparams.sack_freq = asoc->sackfreq;\n\n\t\t} else {\n\t\t\tparams.sack_delay = 0;\n\t\t\tparams.sack_freq = 1;\n\t\t}\n\t} else {\n\t\t/* Fetch socket values. */\n\t\tif (sp->param_flags & SPP_SACKDELAY_ENABLE) {\n\t\t\tparams.sack_delay = sp->sackdelay;\n\t\t\tparams.sack_freq = sp->sackfreq;\n\t\t} else {\n\t\t\tparams.sack_delay = 0;\n\t\t\tparams.sack_freq = 1;\n\t\t}\n\t}\n\n\tif (copy_to_user(optval, ¶ms, len))\n\t\treturn -EFAULT;\n\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 117943265339002245185088676656458282172, "size": 62, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398061 }, { "func": "int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu,\n\t\t\t\t struct kvm_translation *tr)\n{\n\treturn -EINVAL; /* not implemented yet */\n}", "project": "linux", "hash": 75753052308380320980880614968732384783, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354649 }, { "func": "int nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir,\n\t\t\t const struct qstr *name,\n\t\t\t struct nfs4_fs_locations *fs_locations,\n\t\t\t struct page *page)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\tdo {\n\t\terr = _nfs4_proc_fs_locations(client, dir, name,\n\t\t\t\tfs_locations, page);\n\t\ttrace_nfs4_get_fs_locations(dir, name, err);\n\t\terr = nfs4_handle_exception(NFS_SERVER(dir), err,\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 247797901649994035949086827441989808583, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of 
Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431204 }, { "func": "static int setDecodeDefaults(struct jpeg_decompress_struct *dinfo,\n\tint pixelFormat, int subsamp, int flags)\n{\n\tint i;\n\n\tdinfo->scale_num=dinfo->scale_denom=1;\n\n\tif(subsamp==TJSAMP_GRAY)\n\t{\n\t\tdinfo->num_components=dinfo->comps_in_scan=1;\n\t\tdinfo->jpeg_color_space=JCS_GRAYSCALE;\n\t}\n\telse\n\t{\n\t\tdinfo->num_components=dinfo->comps_in_scan=3;\n\t\tdinfo->jpeg_color_space=JCS_YCbCr;\n\t}\n\n\tdinfo->comp_info=(jpeg_component_info *)\n\t\t(*dinfo->mem->alloc_small)((j_common_ptr)dinfo, JPOOL_IMAGE,\n\t\t\tdinfo->num_components*sizeof(jpeg_component_info));\n\n\tfor(i=0; inum_components; i++)\n\t{\n\t\tjpeg_component_info *compptr=&dinfo->comp_info[i];\n\t\tcompptr->h_samp_factor=(i==0)? tjMCUWidth[subsamp]/8:1;\n\t\tcompptr->v_samp_factor=(i==0)? tjMCUHeight[subsamp]/8:1;\n\t\tcompptr->component_index=i;\n\t\tcompptr->component_id=i+1;\n\t\tcompptr->quant_tbl_no=compptr->dc_tbl_no=compptr->ac_tbl_no=\n\t\t\t(i==0)? 0:1;\n\t\tdinfo->cur_comp_info[i]=compptr;\n\t}\n\tdinfo->data_precision=8;\n\tfor(i=0; i<2; i++)\n\t{\n\t\tif(dinfo->quant_tbl_ptrs[i]==NULL)\n\t\t\tdinfo->quant_tbl_ptrs[i]=jpeg_alloc_quant_table((j_common_ptr)dinfo);\n\t}\n\n\treturn 0;\n}", "project": "libjpeg-turbo", "hash": 327488033034239577132756620326571552086, "size": 42, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... 
when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311129 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::updateChangedChannelCountMode()\n{\n ASSERT(isGraphOwner());\n\n for (HashSet::iterator k = m_deferredCountModeChange.begin(); k != m_deferredCountModeChange.end(); ++k)\n (*k)->updateChannelCountMode();\n\n m_deferredCountModeChange.clear();\n }\n", "cwe": "", "big_vul_idx": 139698, "idx": 124846, "hash": 23680052793590958149094159462951291198 }, { "func": "static int io_provide_buffers(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_provide_buf *p = &req->pbuf;\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tstruct io_buffer *head, *list;\n\tint ret = 0;\n\tbool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;\n\n\tio_ring_submit_lock(ctx, !force_nonblock);\n\n\tlockdep_assert_held(&ctx->uring_lock);\n\n\tlist = head = xa_load(&ctx->io_buffers, p->bgid);\n\n\tret = io_add_buffers(p, &head);\n\tif (ret >= 0 && !list) {\n\t\tret = xa_insert(&ctx->io_buffers, p->bgid, head, GFP_KERNEL);\n\t\tif (ret < 0)\n\t\t\t__io_remove_buffers(ctx, head, p->bgid, -1U);\n\t}\n\tif (ret < 0)\n\t\treq_set_fail_links(req);\n\t/* complete before unlock, IOPOLL may need the lock */\n\t__io_req_complete(req, issue_flags, ret, 0);\n\tio_ring_submit_unlock(ctx, !force_nonblock);\n\treturn 0;\n}", "project": "linux", "hash": 79896909987168774261923715058051168897, "size": 27, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338712 }, { "func": "static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo,\n char *CharBuf, size_t length,\n size_t displacement) {\n char *end = CharBuf + length;\n unsigned exif_value_2a, offset_of_ifd;\n\n /* set the thumbnail stuff to nothing so we can test to see if\n they get set up */\n CHECK_BUFFER(CharBuf, end, 2);\n if (memcmp(CharBuf, \"II\", 2) == 0) {\n ImageInfo->motorola_intel = 0;\n } else if (memcmp(CharBuf, \"MM\", 2) == 0) {\n ImageInfo->motorola_intel = 1;\n } else {\n raise_warning(\"Invalid TIFF a lignment marker\");\n return;\n }\n\n /* Check the next two values for correctness. */\n CHECK_BUFFER(CharBuf+4, end, 4);\n exif_value_2a = php_ifd_get16u(CharBuf+2, ImageInfo->motorola_intel);\n offset_of_ifd = php_ifd_get32u(CharBuf+4, ImageInfo->motorola_intel);\n if ( exif_value_2a != 0x2a || offset_of_ifd < 0x08) {\n raise_warning(\"Invalid TIFF start (1)\");\n return;\n }\n\n if (offset_of_ifd > length) {\n raise_warning(\"Invalid IFD start\");\n return;\n }\n\n ImageInfo->sections_found |= FOUND_IFD0;\n /* First directory starts at offset 8. Offsets starts at 0. */\n exif_process_IFD_in_JPEG(ImageInfo, CharBuf+offset_of_ifd,\n CharBuf, end, length/* -14*/, displacement,\n SECTION_IFD0);\n\n /* Compute the CCD width, in milimeters. 
*/\n if (ImageInfo->FocalplaneXRes != 0) {\n ImageInfo->CCDWidth = (float)(ImageInfo->ExifImageWidth *\n ImageInfo->FocalplaneUnits / ImageInfo->FocalplaneXRes);\n }\n}", "project": "hhvm", "hash": 269876434396640148450101125790349246136, "size": 44, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219587 }, { "func": "static int do_nothing(request_rec *r) { return OK; }", "project": "httpd", "hash": 2522767275843066999831560317438669902, "size": 1, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246307 }, { "func": "int do_nothing(int8_t filter, char cmode) {\n if (cmode == 'c') {\n return (filter == BLOSC_NOFILTER);\n } else {\n // TRUNC_PREC do not have to be applied during decompression\n return ((filter == BLOSC_NOFILTER) || (filter == BLOSC_TRUNC_PREC));\n }\n}", "project": "c-blosc2", "hash": 63439851569530813488960542361444365409, "size": 8, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303126 }, { "func": "int ip_send_skb(struct net *net, struct sk_buff *skb)\n{\n\tint err;\n\n\terr = ip_local_out(net, skb->sk, skb);\n\tif (err) {\n\t\tif (err > 0)\n\t\t\terr = net_xmit_errno(err);\n\t\tif (err)\n\t\t\tIP_INC_STATS(net, IPSTATS_MIB_OUTDISCARDS);\n\t}\n\n\treturn err;\n}", "project": "net", "hash": 294878768499661103285931329948117026490, "size": 14, "commit_id": 
"85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468983 }, { "func": "void CServer::ConLogout(IConsole::IResult *pResult, void *pUser)\n{\n\tCServer *pServer = (CServer *)pUser;\n\n\tif(pServer->m_RconClientID >= 0 && pServer->m_RconClientID < MAX_CLIENTS &&\n\t\tpServer->m_aClients[pServer->m_RconClientID].m_State != CServer::CClient::STATE_EMPTY)\n\t{\n\t\tCMsgPacker Msg(NETMSG_RCON_AUTH_OFF, true);\n\t\tpServer->SendMsg(&Msg, MSGFLAG_VITAL, pServer->m_RconClientID);\n\n\t\tpServer->m_aClients[pServer->m_RconClientID].m_Authed = AUTHED_NO;\n\t\tpServer->m_aClients[pServer->m_RconClientID].m_AuthTries = 0;\n\t\tpServer->m_aClients[pServer->m_RconClientID].m_pRconCmdToSend = 0;\n\t\tpServer->m_aClients[pServer->m_RconClientID].m_pMapListEntryToSend = 0;\n\t\tpServer->SendRconLine(pServer->m_RconClientID, \"Logout successful.\");\n\t\tchar aBuf[32];\n\t\tstr_format(aBuf, sizeof(aBuf), \"ClientID=%d logged out\", pServer->m_RconClientID);\n\t\tpServer->Console()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"server\", aBuf);\n\t}\n}", "project": "teeworlds", "hash": 151191772446852985471701817332827655816, "size": 20, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": 
"other", "idx": 382006 }, { "func": "static int download(struct SPDBDownloader *pd) {\n\tSPDBDownloaderOpt *opt = pd->opt;\n\tchar *curl_cmd = NULL;\n\tchar *extractor_cmd = NULL;\n\tchar *abspath_to_archive = NULL;\n\tchar *abspath_to_file = NULL;\n\tchar *archive_name = NULL;\n\tsize_t archive_name_len = 0;\n\tchar *symbol_store_path = NULL;\n\tchar *dbg_file = NULL;\n\tchar *guid = NULL;\n\tchar *archive_name_escaped = NULL;\n\tchar *user_agent = NULL;\n\tchar *symbol_server = NULL;\n\n\tint res = 0;\n\tint cmd_ret;\n\tif (!opt->dbg_file || !*opt->dbg_file) {\n\t\t// no pdb debug file\n\t\treturn 0;\n\t}\n\tif (!checkCurl ()) {\n\t\treturn 0;\n\t}\n\t// dbg_file len is > 0\n\tarchive_name_len = strlen (opt->dbg_file);\n\tarchive_name = malloc (archive_name_len + 1);\n\tif (!archive_name) {\n\t\treturn 0;\n\t}\n\tmemcpy (archive_name, opt->dbg_file, archive_name_len + 1);\n\tarchive_name[archive_name_len - 1] = '_';\n\tsymbol_store_path = r_str_escape (opt->symbol_store_path);\n\tdbg_file = r_str_escape (opt->dbg_file);\n\tguid = r_str_escape (opt->guid);\n\tarchive_name_escaped = r_str_escape (archive_name);\n\tuser_agent = r_str_escape (opt->user_agent);\n\tsymbol_server = r_str_escape (opt->symbol_server);\n\n\tabspath_to_archive = r_str_newf (\"%s%s%s%s%s%s%s\",\n\t\t\t symbol_store_path, R_SYS_DIR,\n\t\t\t dbg_file, R_SYS_DIR,\n\t\t\t guid, R_SYS_DIR,\n\t\t\t archive_name_escaped);\n\n\tabspath_to_file = strdup (abspath_to_archive);\n\tabspath_to_file[strlen (abspath_to_file) - 1] = 'b';\n\tif (r_file_exists (abspath_to_file)) {\n\t\teprintf (\"File already downloaded.\\n\");\n\t\tR_FREE (user_agent);\n\t\tR_FREE (abspath_to_archive);\n\t\tR_FREE (archive_name_escaped);\n\t\tR_FREE (symbol_store_path);\n\t\tR_FREE (dbg_file);\n\t\tR_FREE (guid);\n\t\tR_FREE (archive_name);\n\t\tR_FREE (abspath_to_file);\n\t\tR_FREE (symbol_server);\n\t\treturn 1;\n\t}\n\n\tif (checkExtract () || opt->extract == 0) {\n\t\tres = 1;\n\n\t\tcurl_cmd = r_str_newf (\"curl -sfLA 
\\\"%s\\\" \\\"%s/%s/%s/%s\\\" --create-dirs -o \\\"%s\\\"\",\n\t\t user_agent,\n\t\t symbol_server,\n\t\t\t\t\t\t\t dbg_file,\n\t\t\t\t\t\t\t guid,\n\t\t archive_name_escaped,\n\t\t abspath_to_archive);\n#if __WINDOWS__\n\t\tconst char *cabextractor = \"expand\";\n\t\tconst char *format = \"%s %s %s\";\n\n\t\t// extractor_cmd -> %1 %2 %3\n\t\t// %1 - 'expand'\n\t\t// %2 - absolute path to archive\n\t\t// %3 - absolute path to file that will be dearchive\n\t\textractor_cmd = r_str_newf (format, cabextractor,\n\t\t\tabspath_to_archive, abspath_to_file);\n#else\n\t\tconst char *cabextractor = \"cabextract\";\n\t\tconst char *format = \"%s -d \\\"%s\\\" \\\"%s\\\"\";\n\t\tchar *abspath_to_dir = r_file_dirname (abspath_to_archive);\n\t\t// cabextract -d %1 %2\n\t\t// %1 - path to directory where to extract all files from cab archive\n\t\t// %2 - absolute path to cab archive\n\t\textractor_cmd = r_str_newf (format, cabextractor, abspath_to_dir, abspath_to_archive);\n\t\tR_FREE (abspath_to_dir);\n#endif\n\t\teprintf (\"Attempting to download compressed pdb in %s\\n\", abspath_to_archive);\n\t\tif ((cmd_ret = r_sys_cmd (curl_cmd) != 0)) {\n\t\t\teprintf(\"curl exited with error %d\\n\", cmd_ret);\n\t\t\tres = 0;\n\t\t}\n\t\teprintf (\"Attempting to decompress pdb\\n\");\n\t\tif (opt->extract > 0) {\n\t\t\tif (res && ((cmd_ret = r_sys_cmd (extractor_cmd)) != 0)) {\n\t\t\t\teprintf (\"cab extractor exited with error %d\\n\", cmd_ret);\n\t\t\t\tres = 0;\n\t\t\t}\n\t\t\tr_file_rm (abspath_to_archive);\n\t\t}\n\t\tR_FREE (curl_cmd);\n\t}\n\tif (res == 0) {\n\t\teprintf (\"Falling back to uncompressed pdb\\n\");\n\t\tres = 1;\n\n\t\tarchive_name_escaped[strlen (archive_name_escaped) - 1] = 'b';\n\n\t\tcurl_cmd = r_str_newf (\"curl -sfLA \\\"%s\\\" \\\"%s/%s/%s/%s\\\" --create-dirs -o \\\"%s\\\"\",\n\t\t opt->user_agent,\n\t\t opt->symbol_server,\n\t\t opt->dbg_file,\n\t\t opt->guid,\n\t\t archive_name_escaped,\n\t\t abspath_to_file);\n\t\teprintf (\"Attempting to download 
uncompressed pdb in %s\\n\", abspath_to_file);\n\t\tif ((cmd_ret = r_sys_cmd (curl_cmd) != 0)) {\n\t\t\teprintf(\"curl exited with error %d\\n\", cmd_ret);\n\t\t\tres = 0;\n\t\t}\n\t\tR_FREE (curl_cmd);\n\t}\n\tR_FREE (abspath_to_archive);\n\tR_FREE (abspath_to_file);\n\tR_FREE (archive_name);\n\tR_FREE (extractor_cmd);\n\tR_FREE (symbol_store_path);\n\tR_FREE (dbg_file);\n\tR_FREE (guid);\n\tR_FREE (archive_name_escaped);\n\tR_FREE (user_agent);\n\tR_FREE (symbol_server);\n\treturn res;\n}", "project": "radare2", "hash": 235350912544331798088834006772646860216, "size": 138, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 1, "dataset": "other", "idx": 198095 }, { "func": "static int download(struct SPDBDownloader *pd) {\n\tSPDBDownloaderOpt *opt = pd->opt;\n\tint res = 0;\n\tint cmd_ret;\n\n\tif (!opt->dbg_file || !*opt->dbg_file) {\n\t\t// no pdb debug file\n\t\treturn 0;\n\t}\n\n\tchar *abspath_to_file = r_str_newf (\"%s%s%s%s%s%s%s\",\n\t\topt->symbol_store_path, R_SYS_DIR,\n\t\topt->dbg_file, R_SYS_DIR,\n\t\topt->guid, R_SYS_DIR,\n\t\topt->dbg_file);\n\n\tif (r_file_exists (abspath_to_file)) {\n\t\teprintf (\"File already downloaded.\\n\");\n\t\tfree (abspath_to_file);\n\t\treturn 1;\n\t}\n\n\tif (checkExtract () || opt->extract == 0) {\n\t\tchar *extractor_cmd = NULL;\n\t\tchar *archive_name = strdup (opt->dbg_file);\n\t\tarchive_name[strlen (archive_name) - 1] = '_';\n\t\tchar *abspath_to_archive = r_str_newf (\"%s%s%s%s%s%s%s\",\n\t\t\topt->symbol_store_path, R_SYS_DIR,\n\t\t\topt->dbg_file, R_SYS_DIR,\n\t\t\topt->guid, R_SYS_DIR,\n\t\t\tarchive_name);\n\n\t\teprintf (\"Attempting to download compressed pdb in %s\\n\", abspath_to_archive);\n\t\tchar *abs_arch_esc = r_str_escape_sh (abspath_to_archive);\n#if __WINDOWS__\n\t\tchar *abs_file_esc = r_str_escape_sh (abspath_to_file);\n\t\t// expand %1 %2\n\t\t// %1 - absolute path to archive\n\t\t// %2 - absolute path to file that will be dearchive\n\t\textractor_cmd = r_str_newf (\"expand \\\"%s\\\" \\\"%s\\\"\", abs_arch_esc, abs_file_esc);\n\t\tfree 
(abs_file_esc);\n#else\n\t\tchar *abspath_to_dir = r_file_dirname (abspath_to_archive);\n\t\tchar *abs_dir_esc = r_str_escape_sh (abspath_to_dir);\n\t\t// cabextract -d %1 %2\n\t\t// %1 - path to directory where to extract all files from cab archive\n\t\t// %2 - absolute path to cab archive\n\t\textractor_cmd = r_str_newf (\"cabextract -d \\\"%s\\\" \\\"%s\\\"\", abs_arch_esc, abs_dir_esc);\n\t\tfree (abs_dir_esc);\n\t\tfree (abspath_to_dir);\n#endif\n\t\tfree (abs_arch_esc);\n\t\tres = download_and_write (opt, archive_name);\n\n\t\tif (opt->extract > 0 && res) {\n\t\t\teprintf (\"Attempting to decompress pdb\\n\");\n\t\t\tif (res && ((cmd_ret = r_sys_cmd (extractor_cmd)) != 0)) {\n\t\t\t\teprintf (\"cab extractor exited with error %d\\n\", cmd_ret);\n\t\t\t\tres = 0;\n\t\t\t}\n\t\t\tr_file_rm (abspath_to_archive);\n\t\t}\n\t\tfree (archive_name);\n\t\tfree (abspath_to_archive);\n\t}\n\tif (res == 0) {\n\t\teprintf (\"Falling back to uncompressed pdb\\n\");\n\t\teprintf (\"Attempting to download uncompressed pdb in %s\\n\", abspath_to_file);\n\t\tres = download_and_write (opt, opt->dbg_file);\n\t}\n\tfree (abspath_to_file);\n\treturn res;\n}", "project": "radare2", "hash": 284642675192813296779193504141476552469, "size": 73, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268829 }, { "func": " Status AddSparseTensor(OpKernelContext* ctx, const SparseTensor& sp,\n int64* handle) {\n PersistentTensor persistent_ix;\n Tensor* ix;\n TF_RETURN_IF_ERROR(ctx->allocate_persistent(\n sp.indices().dtype(), sp.indices().shape(), &persistent_ix, &ix));\n *ix = sp.indices();\n\n PersistentTensor persistent_values;\n Tensor* values;\n TF_RETURN_IF_ERROR(ctx->allocate_persistent(sp.indices().dtype(),\n sp.indices().shape(),\n &persistent_values, &values));\n *values = sp.values();\n {\n mutex_lock l(mu_);\n int64 unique_st_handle = counter_++; // increment is guarded on purpose\n sp_tensors_[unique_st_handle] = PersistentSparseTensor{\n persistent_ix, persistent_values,\n gtl::InlinedVector(sp.shape().begin(), sp.shape().end())};\n *handle = unique_st_handle;\n }\n return Status::OK();\n }", "project": "tensorflow", "hash": 30803675794617386067054441351124235579, "size": 24, "commit_id": "69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c", "message": "Fix overflow CHECK issue with `tf.raw_ops.AddManySparseToTensorsMap`.\n\nPiperOrigin-RevId: 369492969\nChange-Id: I1d70d6c0c92e3d7a25bc3b3aa2a0c0ac9688bf81", "target": 0, "dataset": "other", "idx": 270288 }, { "func": "static int exec_helper(struct libmnt_context *cxt)\n{\n\tchar *namespace = NULL;\n\tstruct libmnt_ns *ns_tgt = mnt_context_get_target_ns(cxt);\n\tint rc;\n\tpid_t 
pid;\n\n\tassert(cxt);\n\tassert(cxt->fs);\n\tassert(cxt->helper);\n\tassert((cxt->flags & MNT_FL_MOUNTFLAGS_MERGED));\n\tassert(cxt->helper_exec_status == 1);\n\n\tif (mnt_context_is_fake(cxt)) {\n\t\tDBG(CXT, ul_debugobj(cxt, \"fake mode: does not execute helper\"));\n\t\tcxt->helper_exec_status = rc = 0;\n\t\treturn rc;\n\t}\n\n\tif (ns_tgt->fd != -1\n\t && asprintf(&namespace, \"/proc/%i/fd/%i\",\n\t\t\tgetpid(), ns_tgt->fd) == -1) {\n\t\treturn -ENOMEM;\n\t}\n\n\tDBG_FLUSH;\n\n\tpid = fork();\n\tswitch (pid) {\n\tcase 0:\n\t{\n\t\tconst char *args[12], *type;\n\t\tint i = 0;\n\n\t\tif (drop_permissions() != 0)\n\t\t\t_exit(EXIT_FAILURE);\n\n\t\tif (!mnt_context_switch_origin_ns(cxt))\n\t\t\t_exit(EXIT_FAILURE);\n\n\t\ttype = mnt_fs_get_fstype(cxt->fs);\n\n\t\targs[i++] = cxt->helper;\t\t\t/* 1 */\n\t\targs[i++] = mnt_fs_get_target(cxt->fs);\t\t/* 2 */\n\n\t\tif (mnt_context_is_nomtab(cxt))\n\t\t\targs[i++] = \"-n\";\t\t\t/* 3 */\n\t\tif (mnt_context_is_lazy(cxt))\n\t\t\targs[i++] = \"-l\";\t\t\t/* 4 */\n\t\tif (mnt_context_is_force(cxt))\n\t\t\targs[i++] = \"-f\";\t\t\t/* 5 */\n\t\tif (mnt_context_is_verbose(cxt))\n\t\t\targs[i++] = \"-v\";\t\t\t/* 6 */\n\t\tif (mnt_context_is_rdonly_umount(cxt))\n\t\t\targs[i++] = \"-r\";\t\t\t/* 7 */\n\t\tif (type\n\t\t && strchr(type, '.')\n\t\t && !endswith(cxt->helper, type)) {\n\t\t\targs[i++] = \"-t\";\t\t\t/* 8 */\n\t\t\targs[i++] = type;\t\t\t/* 9 */\n\t\t}\n\t\tif (namespace) {\n\t\t\targs[i++] = \"-N\";\t\t\t/* 10 */\n\t\t\targs[i++] = namespace;\t\t\t/* 11 */\n\t\t}\n\n\t\targs[i] = NULL;\t\t\t\t\t/* 12 */\n\t\tfor (i = 0; args[i]; i++)\n\t\t\tDBG(CXT, ul_debugobj(cxt, \"argv[%d] = \\\"%s\\\"\",\n\t\t\t\t\t\t\ti, args[i]));\n\t\tDBG_FLUSH;\n\t\texecv(cxt->helper, (char * const *) args);\n\t\t_exit(EXIT_FAILURE);\n\t}\n\tdefault:\n\t{\n\t\tint st;\n\n\t\tif (waitpid(pid, &st, 0) == (pid_t) -1) {\n\t\t\tcxt->helper_status = -1;\n\t\t\trc = -errno;\n\t\t} else {\n\t\t\tcxt->helper_status = WIFEXITED(st) ? 
WEXITSTATUS(st) : -1;\n\t\t\tcxt->helper_exec_status = rc = 0;\n\t\t}\n\t\tDBG(CXT, ul_debugobj(cxt, \"%s executed [status=%d, rc=%d%s]\",\n\t\t\t\tcxt->helper,\n\t\t\t\tcxt->helper_status, rc,\n\t\t\t\trc ? \" waitpid failed\" : \"\"));\n\t\tbreak;\n\t}\n\n\tcase -1:\n\t\tcxt->helper_exec_status = rc = -errno;\n\t\tDBG(CXT, ul_debugobj(cxt, \"fork() failed\"));\n\t\tbreak;\n\t}\n\n\tfree(namespace);\n\treturn rc;\n}", "project": "util-linux", "hash": 280534115998260826853954689732805262711, "size": 101, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410421 }, { "func": "bool JOIN::rollup_make_fields(List &fields_arg, List &sel_fields,\n\t\t\t Item_sum ***func)\n{\n List_iterator_fast it(fields_arg);\n Item *first_field= sel_fields.head();\n uint level;\n\n /*\n Create field lists for the different levels\n\n The idea here is to have a separate field list for each rollup level to\n avoid all runtime checks of which columns should be NULL.\n\n The list is stored in reverse order to get sum function in such an order\n in func that it makes it easy to reset them with init_sum_functions()\n\n Assuming: SELECT a, b, c SUM(b) FROM t1 GROUP BY a,b WITH ROLLUP\n\n rollup.fields[0] will contain list where a,b,c is NULL\n rollup.fields[1] will contain list where b,c is NULL\n ...\n rollup.ref_pointer_array[#] points to fields for rollup.fields[#]\n ...\n sum_funcs_end[0] points to all sum functions\n sum_funcs_end[1] points to all sum functions, except grand totals\n ...\n */\n\n for (level=0 ; level < send_group_parts ; level++)\n {\n uint i;\n uint pos= send_group_parts - level -1;\n bool real_fields= 0;\n Item *item;\n List_iterator new_it(rollup.fields[pos]);\n Ref_ptr_array ref_array_start= 
rollup.ref_pointer_arrays[pos];\n ORDER *start_group;\n\n /* Point to first hidden field */\n uint ref_array_ix= fields_arg.elements-1;\n\n\n /* Remember where the sum functions ends for the previous level */\n sum_funcs_end[pos+1]= *func;\n\n /* Find the start of the group for this level */\n for (i= 0, start_group= group_list ;\n\t i++ < pos ;\n\t start_group= start_group->next)\n ;\n\n it.rewind();\n while ((item= it++))\n {\n if (item == first_field)\n {\n\treal_fields= 1;\t\t\t\t// End of hidden fields\n\tref_array_ix= 0;\n }\n\n if (item->type() == Item::SUM_FUNC_ITEM && !item->const_item() &&\n (!((Item_sum*) item)->depended_from() ||\n ((Item_sum *)item)->depended_from() == select_lex))\n \n {\n\t/*\n\t This is a top level summary function that must be replaced with\n\t a sum function that is reset for this level.\n\n\t NOTE: This code creates an object which is not that nice in a\n\t sub select. Fortunately it's not common to have rollup in\n\t sub selects.\n\t*/\n\titem= item->copy_or_same(thd);\n\t((Item_sum*) item)->make_unique();\n\t*(*func)= (Item_sum*) item;\n\t(*func)++;\n }\n else \n {\n\t/* Check if this is something that is part of this group by */\n\tORDER *group_tmp;\n\tfor (group_tmp= start_group, i= pos ;\n group_tmp ; group_tmp= group_tmp->next, i++)\n\t{\n if (*group_tmp->item == item)\n\t {\n\t /*\n\t This is an element that is used by the GROUP BY and should be\n\t set to NULL in this level\n\t */\n Item_null_result *null_item= new (thd->mem_root) Item_null_result(thd);\n if (!null_item)\n return 1;\n\t item->maybe_null= 1;\t\t// Value will be null sometimes\n null_item->result_field= item->get_tmp_table_field();\n item= null_item;\n\t break;\n\t }\n\t}\n }\n ref_array_start[ref_array_ix]= item;\n if (real_fields)\n {\n\t(void) new_it++;\t\t\t// Point to next item\n\tnew_it.replace(item);\t\t\t// Replace previous\n\tref_array_ix++;\n }\n else\n\tref_array_ix--;\n }\n }\n sum_funcs_end[0]= *func;\t\t\t// Point to last function\n return 
0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 3224998071330216432137876691656826983, "size": 115, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508655 }, { "func": "static int vcpu_pre_run(struct kvm_vcpu *vcpu)\n{\n\tint rc, cpuflags;\n\n\t/*\n\t * On s390 notifications for arriving pages will be delivered directly\n\t * to the guest but the house keeping for completed pfaults is\n\t * handled outside the worker.\n\t */\n\tkvm_check_async_pf_completion(vcpu);\n\n\tvcpu->arch.sie_block->gg14 = vcpu->run->s.regs.gprs[14];\n\tvcpu->arch.sie_block->gg15 = vcpu->run->s.regs.gprs[15];\n\n\tif (need_resched())\n\t\tschedule();\n\n\tif (test_cpu_flag(CIF_MCCK_PENDING))\n\t\ts390_handle_mcck();\n\n\tif (!kvm_is_ucontrol(vcpu->kvm)) {\n\t\trc = kvm_s390_deliver_pending_interrupts(vcpu);\n\t\tif (rc)\n\t\t\treturn rc;\n\t}\n\n\trc = kvm_s390_handle_requests(vcpu);\n\tif (rc)\n\t\treturn rc;\n\n\tif (guestdbg_enabled(vcpu)) 
{\n\t\tkvm_s390_backup_guest_per_regs(vcpu);\n\t\tkvm_s390_patch_guest_per_regs(vcpu);\n\t}\n\n\tclear_bit(vcpu->vcpu_id, vcpu->kvm->arch.gisa_int.kicked_mask);\n\n\tvcpu->arch.sie_block->icptcode = 0;\n\tcpuflags = atomic_read(&vcpu->arch.sie_block->cpuflags);\n\tVCPU_EVENT(vcpu, 6, \"entering sie flags %x\", cpuflags);\n\ttrace_kvm_s390_sie_enter(vcpu, cpuflags);\n\n\treturn 0;\n}", "project": "linux", "hash": 13837560684249820960306557177360214419, "size": 44, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354475 }, { "func": "static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_write_link_policy *rp = (void *) skb->data;\n\tstruct hci_conn *conn;\n\tvoid *sent;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);\n\tif (!sent)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));\n\tif (conn)\n\t\tconn->link_policy = get_unaligned_le16(sent + 2);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 44877685182343124565004387960060515864, "size": 23, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in 
hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431946 }, { "func": "bool kvm_make_vcpus_request_mask(struct kvm *kvm, unsigned int req,\n\t\t\t\t unsigned long *vcpu_bitmap, cpumask_var_t tmp)\n{\n\tint i, cpu, me;\n\tstruct kvm_vcpu *vcpu;\n\tbool called;\n\n\tme = get_cpu();\n\n\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\tif (vcpu_bitmap && !test_bit(i, vcpu_bitmap))\n\t\t\tcontinue;\n\n\t\tkvm_make_request(req, vcpu);\n\t\tcpu = vcpu->cpu;\n\n\t\tif (!(req & KVM_REQUEST_NO_WAKEUP) && kvm_vcpu_wake_up(vcpu))\n\t\t\tcontinue;\n\n\t\tif (tmp != NULL && cpu != -1 && cpu != me &&\n\t\t kvm_request_needs_ipi(vcpu, req))\n\t\t\t__cpumask_set_cpu(cpu, tmp);\n\t}\n\n\tcalled = kvm_kick_many_cpus(tmp, !!(req & KVM_REQUEST_WAIT));\n\tput_cpu();\n\n\treturn called;\n}", "project": "linux", "hash": 129378580553976608604450014184047072401, "size": 29, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: 
Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354558 }, { "func": "bool kvm_make_vcpus_request_mask(struct kvm *kvm, unsigned int req,\n\t\t\t\t struct kvm_vcpu *except,\n\t\t\t\t unsigned long *vcpu_bitmap, cpumask_var_t tmp)\n{\n\tint i, cpu, me;\n\tstruct kvm_vcpu *vcpu;\n\tbool called;\n\n\tme = get_cpu();\n\n\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\tif ((vcpu_bitmap && !test_bit(i, vcpu_bitmap)) ||\n\t\t vcpu == except)\n\t\t\tcontinue;\n\n\t\tkvm_make_request(req, vcpu);\n\t\tcpu = vcpu->cpu;\n\n\t\tif (!(req & KVM_REQUEST_NO_WAKEUP) && kvm_vcpu_wake_up(vcpu))\n\t\t\tcontinue;\n\n\t\tif (tmp != NULL && cpu != -1 && cpu != me &&\n\t\t kvm_request_needs_ipi(vcpu, req))\n\t\t\t__cpumask_set_cpu(cpu, tmp);\n\t}\n\n\tcalled = kvm_kick_many_cpus(tmp, !!(req & KVM_REQUEST_WAIT));\n\tput_cpu();\n\n\treturn called;\n}", "project": "linux", "hash": 50917115830907196502471440857336337629, "size": 31, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404059 }, { "func": "int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)\n{\n\tstruct sctp_association *asoc = sctp_id2assoc(sk, id);\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct socket *sock;\n\tint err = 0;\n\n\t/* Do not peel off from one netns to another one. */\n\tif (!net_eq(current->nsproxy->net_ns, sock_net(sk)))\n\t\treturn -EINVAL;\n\n\tif (!asoc)\n\t\treturn -EINVAL;\n\n\t/* An association cannot be branched off from an already peeled-off\n\t * socket, nor is this supported for tcp style sockets.\n\t */\n\tif (!sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\t/* Create a new socket. 
*/\n\terr = sock_create(sk->sk_family, SOCK_SEQPACKET, IPPROTO_SCTP, &sock);\n\tif (err < 0)\n\t\treturn err;\n\n\tsctp_copy_sock(sock->sk, sk, asoc);\n\n\t/* Make peeled-off sockets more like 1-1 accepted sockets.\n\t * Set the daddr and initialize id to something more random and also\n\t * copy over any ip options.\n\t */\n\tsp->pf->to_sk_daddr(&asoc->peer.primary_addr, sk);\n\tsp->pf->copy_ip_options(sk, sock->sk);\n\n\t/* Populate the fields of the newsk from the oldsk and migrate the\n\t * asoc to the newsk.\n\t */\n\terr = sctp_sock_migrate(sk, sock->sk, asoc,\n\t\t\t\tSCTP_SOCKET_UDP_HIGH_BANDWIDTH);\n\tif (err) {\n\t\tsock_release(sock);\n\t\tsock = NULL;\n\t}\n\n\t*sockp = sock;\n\n\treturn err;\n}", "project": "linux", "hash": 23955866236702044584563635053423128603, "size": 48, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398187 }, { "func": "static long kvm_vcpu_ioctl(struct file *filp,\n\t\t\t unsigned int ioctl, unsigned long arg)\n{\n\tstruct kvm_vcpu *vcpu = filp->private_data;\n\tvoid __user *argp = (void __user *)arg;\n\tint r;\n\tstruct kvm_fpu *fpu = NULL;\n\tstruct kvm_sregs *kvm_sregs = NULL;\n\n\tif (vcpu->kvm->mm != current->mm)\n\t\treturn -EIO;\n\n\tif (unlikely(_IOC_TYPE(ioctl) != KVMIO))\n\t\treturn -EINVAL;\n\n\t/*\n\t * Some architectures have vcpu ioctls that are asynchronous to vcpu\n\t * execution; mutex_lock() would break them.\n\t */\n\tr = kvm_arch_vcpu_async_ioctl(filp, ioctl, arg);\n\tif (r != -ENOIOCTLCMD)\n\t\treturn r;\n\n\tif (mutex_lock_killable(&vcpu->mutex))\n\t\treturn -EINTR;\n\tswitch (ioctl) {\n\tcase KVM_RUN: {\n\t\tstruct pid *oldpid;\n\t\tr = -EINVAL;\n\t\tif (arg)\n\t\t\tgoto out;\n\t\toldpid = rcu_access_pointer(vcpu->pid);\n\t\tif (unlikely(oldpid != task_pid(current))) {\n\t\t\t/* The thread running this VCPU changed. 
*/\n\t\t\tstruct pid *newpid;\n\n\t\t\tr = kvm_arch_vcpu_run_pid_change(vcpu);\n\t\t\tif (r)\n\t\t\t\tbreak;\n\n\t\t\tnewpid = get_task_pid(current, PIDTYPE_PID);\n\t\t\trcu_assign_pointer(vcpu->pid, newpid);\n\t\t\tif (oldpid)\n\t\t\t\tsynchronize_rcu();\n\t\t\tput_pid(oldpid);\n\t\t}\n\t\tr = kvm_arch_vcpu_ioctl_run(vcpu, vcpu->run);\n\t\ttrace_kvm_userspace_exit(vcpu->run->exit_reason, r);\n\t\tbreak;\n\t}\n\tcase KVM_GET_REGS: {\n\t\tstruct kvm_regs *kvm_regs;\n\n\t\tr = -ENOMEM;\n\t\tkvm_regs = kzalloc(sizeof(struct kvm_regs), GFP_KERNEL_ACCOUNT);\n\t\tif (!kvm_regs)\n\t\t\tgoto out;\n\t\tr = kvm_arch_vcpu_ioctl_get_regs(vcpu, kvm_regs);\n\t\tif (r)\n\t\t\tgoto out_free1;\n\t\tr = -EFAULT;\n\t\tif (copy_to_user(argp, kvm_regs, sizeof(struct kvm_regs)))\n\t\t\tgoto out_free1;\n\t\tr = 0;\nout_free1:\n\t\tkfree(kvm_regs);\n\t\tbreak;\n\t}\n\tcase KVM_SET_REGS: {\n\t\tstruct kvm_regs *kvm_regs;\n\n\t\tr = -ENOMEM;\n\t\tkvm_regs = memdup_user(argp, sizeof(*kvm_regs));\n\t\tif (IS_ERR(kvm_regs)) {\n\t\t\tr = PTR_ERR(kvm_regs);\n\t\t\tgoto out;\n\t\t}\n\t\tr = kvm_arch_vcpu_ioctl_set_regs(vcpu, kvm_regs);\n\t\tkfree(kvm_regs);\n\t\tbreak;\n\t}\n\tcase KVM_GET_SREGS: {\n\t\tkvm_sregs = kzalloc(sizeof(struct kvm_sregs),\n\t\t\t\t GFP_KERNEL_ACCOUNT);\n\t\tr = -ENOMEM;\n\t\tif (!kvm_sregs)\n\t\t\tgoto out;\n\t\tr = kvm_arch_vcpu_ioctl_get_sregs(vcpu, kvm_sregs);\n\t\tif (r)\n\t\t\tgoto out;\n\t\tr = -EFAULT;\n\t\tif (copy_to_user(argp, kvm_sregs, sizeof(struct kvm_sregs)))\n\t\t\tgoto out;\n\t\tr = 0;\n\t\tbreak;\n\t}\n\tcase KVM_SET_SREGS: {\n\t\tkvm_sregs = memdup_user(argp, sizeof(*kvm_sregs));\n\t\tif (IS_ERR(kvm_sregs)) {\n\t\t\tr = PTR_ERR(kvm_sregs);\n\t\t\tkvm_sregs = NULL;\n\t\t\tgoto out;\n\t\t}\n\t\tr = kvm_arch_vcpu_ioctl_set_sregs(vcpu, kvm_sregs);\n\t\tbreak;\n\t}\n\tcase KVM_GET_MP_STATE: {\n\t\tstruct kvm_mp_state mp_state;\n\n\t\tr = kvm_arch_vcpu_ioctl_get_mpstate(vcpu, &mp_state);\n\t\tif (r)\n\t\t\tgoto out;\n\t\tr = -EFAULT;\n\t\tif 
(copy_to_user(argp, &mp_state, sizeof(mp_state)))\n\t\t\tgoto out;\n\t\tr = 0;\n\t\tbreak;\n\t}\n\tcase KVM_SET_MP_STATE: {\n\t\tstruct kvm_mp_state mp_state;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&mp_state, argp, sizeof(mp_state)))\n\t\t\tgoto out;\n\t\tr = kvm_arch_vcpu_ioctl_set_mpstate(vcpu, &mp_state);\n\t\tbreak;\n\t}\n\tcase KVM_TRANSLATE: {\n\t\tstruct kvm_translation tr;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&tr, argp, sizeof(tr)))\n\t\t\tgoto out;\n\t\tr = kvm_arch_vcpu_ioctl_translate(vcpu, &tr);\n\t\tif (r)\n\t\t\tgoto out;\n\t\tr = -EFAULT;\n\t\tif (copy_to_user(argp, &tr, sizeof(tr)))\n\t\t\tgoto out;\n\t\tr = 0;\n\t\tbreak;\n\t}\n\tcase KVM_SET_GUEST_DEBUG: {\n\t\tstruct kvm_guest_debug dbg;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&dbg, argp, sizeof(dbg)))\n\t\t\tgoto out;\n\t\tr = kvm_arch_vcpu_ioctl_set_guest_debug(vcpu, &dbg);\n\t\tbreak;\n\t}\n\tcase KVM_SET_SIGNAL_MASK: {\n\t\tstruct kvm_signal_mask __user *sigmask_arg = argp;\n\t\tstruct kvm_signal_mask kvm_sigmask;\n\t\tsigset_t sigset, *p;\n\n\t\tp = NULL;\n\t\tif (argp) {\n\t\t\tr = -EFAULT;\n\t\t\tif (copy_from_user(&kvm_sigmask, argp,\n\t\t\t\t\t sizeof(kvm_sigmask)))\n\t\t\t\tgoto out;\n\t\t\tr = -EINVAL;\n\t\t\tif (kvm_sigmask.len != sizeof(sigset))\n\t\t\t\tgoto out;\n\t\t\tr = -EFAULT;\n\t\t\tif (copy_from_user(&sigset, sigmask_arg->sigset,\n\t\t\t\t\t sizeof(sigset)))\n\t\t\t\tgoto out;\n\t\t\tp = &sigset;\n\t\t}\n\t\tr = kvm_vcpu_ioctl_set_sigmask(vcpu, p);\n\t\tbreak;\n\t}\n\tcase KVM_GET_FPU: {\n\t\tfpu = kzalloc(sizeof(struct kvm_fpu), GFP_KERNEL_ACCOUNT);\n\t\tr = -ENOMEM;\n\t\tif (!fpu)\n\t\t\tgoto out;\n\t\tr = kvm_arch_vcpu_ioctl_get_fpu(vcpu, fpu);\n\t\tif (r)\n\t\t\tgoto out;\n\t\tr = -EFAULT;\n\t\tif (copy_to_user(argp, fpu, sizeof(struct kvm_fpu)))\n\t\t\tgoto out;\n\t\tr = 0;\n\t\tbreak;\n\t}\n\tcase KVM_SET_FPU: {\n\t\tfpu = memdup_user(argp, sizeof(*fpu));\n\t\tif (IS_ERR(fpu)) {\n\t\t\tr = PTR_ERR(fpu);\n\t\t\tfpu = NULL;\n\t\t\tgoto out;\n\t\t}\n\t\tr 
= kvm_arch_vcpu_ioctl_set_fpu(vcpu, fpu);\n\t\tbreak;\n\t}\n\tdefault:\n\t\tr = kvm_arch_vcpu_ioctl(filp, ioctl, arg);\n\t}\nout:\n\tmutex_unlock(&vcpu->mutex);\n\tkfree(fpu);\n\tkfree(kvm_sregs);\n\treturn r;\n}", "project": "linux", "hash": 198535569190290454057504721514745343030, "size": 207, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354532 }, { "func": "static long kvm_vcpu_ioctl(struct file *filp,\n\t\t\t unsigned int ioctl, unsigned long arg)\n{\n\tstruct kvm_vcpu *vcpu = filp->private_data;\n\tvoid __user *argp = (void __user *)arg;\n\tint r;\n\tstruct kvm_fpu *fpu = NULL;\n\tstruct kvm_sregs *kvm_sregs = NULL;\n\n\tif (vcpu->kvm->mm != current->mm)\n\t\treturn -EIO;\n\n\tif (unlikely(_IOC_TYPE(ioctl) != KVMIO))\n\t\treturn -EINVAL;\n\n\t/*\n\t * Some architectures have vcpu ioctls that are asynchronous to vcpu\n\t * execution; mutex_lock() would break them.\n\t */\n\tr = kvm_arch_vcpu_async_ioctl(filp, ioctl, arg);\n\tif (r != -ENOIOCTLCMD)\n\t\treturn r;\n\n\tif (mutex_lock_killable(&vcpu->mutex))\n\t\treturn -EINTR;\n\tswitch (ioctl) {\n\tcase KVM_RUN: {\n\t\tstruct pid *oldpid;\n\t\tr = -EINVAL;\n\t\tif (arg)\n\t\t\tgoto out;\n\t\toldpid = rcu_access_pointer(vcpu->pid);\n\t\tif (unlikely(oldpid != task_pid(current))) {\n\t\t\t/* The thread running this VCPU changed. 
*/\n\t\t\tstruct pid *newpid;\n\n\t\t\tr = kvm_arch_vcpu_run_pid_change(vcpu);\n\t\t\tif (r)\n\t\t\t\tbreak;\n\n\t\t\tnewpid = get_task_pid(current, PIDTYPE_PID);\n\t\t\trcu_assign_pointer(vcpu->pid, newpid);\n\t\t\tif (oldpid)\n\t\t\t\tsynchronize_rcu();\n\t\t\tput_pid(oldpid);\n\t\t}\n\t\tr = kvm_arch_vcpu_ioctl_run(vcpu);\n\t\ttrace_kvm_userspace_exit(vcpu->run->exit_reason, r);\n\t\tbreak;\n\t}\n\tcase KVM_GET_REGS: {\n\t\tstruct kvm_regs *kvm_regs;\n\n\t\tr = -ENOMEM;\n\t\tkvm_regs = kzalloc(sizeof(struct kvm_regs), GFP_KERNEL_ACCOUNT);\n\t\tif (!kvm_regs)\n\t\t\tgoto out;\n\t\tr = kvm_arch_vcpu_ioctl_get_regs(vcpu, kvm_regs);\n\t\tif (r)\n\t\t\tgoto out_free1;\n\t\tr = -EFAULT;\n\t\tif (copy_to_user(argp, kvm_regs, sizeof(struct kvm_regs)))\n\t\t\tgoto out_free1;\n\t\tr = 0;\nout_free1:\n\t\tkfree(kvm_regs);\n\t\tbreak;\n\t}\n\tcase KVM_SET_REGS: {\n\t\tstruct kvm_regs *kvm_regs;\n\n\t\tkvm_regs = memdup_user(argp, sizeof(*kvm_regs));\n\t\tif (IS_ERR(kvm_regs)) {\n\t\t\tr = PTR_ERR(kvm_regs);\n\t\t\tgoto out;\n\t\t}\n\t\tr = kvm_arch_vcpu_ioctl_set_regs(vcpu, kvm_regs);\n\t\tkfree(kvm_regs);\n\t\tbreak;\n\t}\n\tcase KVM_GET_SREGS: {\n\t\tkvm_sregs = kzalloc(sizeof(struct kvm_sregs),\n\t\t\t\t GFP_KERNEL_ACCOUNT);\n\t\tr = -ENOMEM;\n\t\tif (!kvm_sregs)\n\t\t\tgoto out;\n\t\tr = kvm_arch_vcpu_ioctl_get_sregs(vcpu, kvm_sregs);\n\t\tif (r)\n\t\t\tgoto out;\n\t\tr = -EFAULT;\n\t\tif (copy_to_user(argp, kvm_sregs, sizeof(struct kvm_sregs)))\n\t\t\tgoto out;\n\t\tr = 0;\n\t\tbreak;\n\t}\n\tcase KVM_SET_SREGS: {\n\t\tkvm_sregs = memdup_user(argp, sizeof(*kvm_sregs));\n\t\tif (IS_ERR(kvm_sregs)) {\n\t\t\tr = PTR_ERR(kvm_sregs);\n\t\t\tkvm_sregs = NULL;\n\t\t\tgoto out;\n\t\t}\n\t\tr = kvm_arch_vcpu_ioctl_set_sregs(vcpu, kvm_sregs);\n\t\tbreak;\n\t}\n\tcase KVM_GET_MP_STATE: {\n\t\tstruct kvm_mp_state mp_state;\n\n\t\tr = kvm_arch_vcpu_ioctl_get_mpstate(vcpu, &mp_state);\n\t\tif (r)\n\t\t\tgoto out;\n\t\tr = -EFAULT;\n\t\tif (copy_to_user(argp, &mp_state, 
sizeof(mp_state)))\n\t\t\tgoto out;\n\t\tr = 0;\n\t\tbreak;\n\t}\n\tcase KVM_SET_MP_STATE: {\n\t\tstruct kvm_mp_state mp_state;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&mp_state, argp, sizeof(mp_state)))\n\t\t\tgoto out;\n\t\tr = kvm_arch_vcpu_ioctl_set_mpstate(vcpu, &mp_state);\n\t\tbreak;\n\t}\n\tcase KVM_TRANSLATE: {\n\t\tstruct kvm_translation tr;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&tr, argp, sizeof(tr)))\n\t\t\tgoto out;\n\t\tr = kvm_arch_vcpu_ioctl_translate(vcpu, &tr);\n\t\tif (r)\n\t\t\tgoto out;\n\t\tr = -EFAULT;\n\t\tif (copy_to_user(argp, &tr, sizeof(tr)))\n\t\t\tgoto out;\n\t\tr = 0;\n\t\tbreak;\n\t}\n\tcase KVM_SET_GUEST_DEBUG: {\n\t\tstruct kvm_guest_debug dbg;\n\n\t\tr = -EFAULT;\n\t\tif (copy_from_user(&dbg, argp, sizeof(dbg)))\n\t\t\tgoto out;\n\t\tr = kvm_arch_vcpu_ioctl_set_guest_debug(vcpu, &dbg);\n\t\tbreak;\n\t}\n\tcase KVM_SET_SIGNAL_MASK: {\n\t\tstruct kvm_signal_mask __user *sigmask_arg = argp;\n\t\tstruct kvm_signal_mask kvm_sigmask;\n\t\tsigset_t sigset, *p;\n\n\t\tp = NULL;\n\t\tif (argp) {\n\t\t\tr = -EFAULT;\n\t\t\tif (copy_from_user(&kvm_sigmask, argp,\n\t\t\t\t\t sizeof(kvm_sigmask)))\n\t\t\t\tgoto out;\n\t\t\tr = -EINVAL;\n\t\t\tif (kvm_sigmask.len != sizeof(sigset))\n\t\t\t\tgoto out;\n\t\t\tr = -EFAULT;\n\t\t\tif (copy_from_user(&sigset, sigmask_arg->sigset,\n\t\t\t\t\t sizeof(sigset)))\n\t\t\t\tgoto out;\n\t\t\tp = &sigset;\n\t\t}\n\t\tr = kvm_vcpu_ioctl_set_sigmask(vcpu, p);\n\t\tbreak;\n\t}\n\tcase KVM_GET_FPU: {\n\t\tfpu = kzalloc(sizeof(struct kvm_fpu), GFP_KERNEL_ACCOUNT);\n\t\tr = -ENOMEM;\n\t\tif (!fpu)\n\t\t\tgoto out;\n\t\tr = kvm_arch_vcpu_ioctl_get_fpu(vcpu, fpu);\n\t\tif (r)\n\t\t\tgoto out;\n\t\tr = -EFAULT;\n\t\tif (copy_to_user(argp, fpu, sizeof(struct kvm_fpu)))\n\t\t\tgoto out;\n\t\tr = 0;\n\t\tbreak;\n\t}\n\tcase KVM_SET_FPU: {\n\t\tfpu = memdup_user(argp, sizeof(*fpu));\n\t\tif (IS_ERR(fpu)) {\n\t\t\tr = PTR_ERR(fpu);\n\t\t\tfpu = NULL;\n\t\t\tgoto out;\n\t\t}\n\t\tr = 
kvm_arch_vcpu_ioctl_set_fpu(vcpu, fpu);\n\t\tbreak;\n\t}\n\tdefault:\n\t\tr = kvm_arch_vcpu_ioctl(filp, ioctl, arg);\n\t}\nout:\n\tmutex_unlock(&vcpu->mutex);\n\tkfree(fpu);\n\tkfree(kvm_sregs);\n\treturn r;\n}", "project": "linux", "hash": 245213788029612476210875665933055847073, "size": 206, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404055 }, { "func": "void CSoundFile::UpdateS3MEffectMemory(ModChannel *pChn, ModCommand::PARAM param) const\n{\n\tpChn->nOldVolumeSlide = param;\t// Dxy / Kxy / Lxy\n\tpChn->nOldPortaUp = param;\t\t// Exx / Fxx\n\tpChn->nOldPortaDown = param;\t// Exx / Fxx\n\tpChn->nTremorParam = param;\t\t// Ixy\n\tpChn->nArpeggio = param;\t\t// Jxy\n\tpChn->nRetrigParam = param;\t\t// Qxy\n\tpChn->nTremoloDepth = (param & 0x0F) << 2;\t// Rxy\n\tpChn->nTremoloSpeed = (param >> 4) & 0x0F;\t// Rxy\n\t// Sxy is not handled here.\n}", "project": "openmpt", "hash": 175042045306799783013452965860268932757, "size": 12, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), 
caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255231 }, { "func": "\nstatic void bfq_init_bfqq(struct bfq_data *bfqd, struct bfq_queue *bfqq,\n\t\t\t struct bfq_io_cq *bic, pid_t pid, int is_sync)\n{\n\tRB_CLEAR_NODE(&bfqq->entity.rb_node);\n\tINIT_LIST_HEAD(&bfqq->fifo);\n\tINIT_HLIST_NODE(&bfqq->burst_list_node);\n\tINIT_HLIST_NODE(&bfqq->woken_list_node);\n\tINIT_HLIST_HEAD(&bfqq->woken_list);\n\n\tbfqq->ref = 0;\n\tbfqq->bfqd = bfqd;\n\n\tif (bic)\n\t\tbfq_set_next_ioprio_data(bfqq, bic);\n\n\tif (is_sync) {\n\t\t/*\n\t\t * No need to mark as has_short_ttime if in\n\t\t * idle_class, because no device idling is performed\n\t\t * for queues in idle class\n\t\t */\n\t\tif (!bfq_class_idle(bfqq))\n\t\t\t/* tentatively mark as has_short_ttime */\n\t\t\tbfq_mark_bfqq_has_short_ttime(bfqq);\n\t\tbfq_mark_bfqq_sync(bfqq);\n\t\tbfq_mark_bfqq_just_created(bfqq);\n\t} else\n\t\tbfq_clear_bfqq_sync(bfqq);\n\n\t/* set end request to minus infinity from now */\n\tbfqq->ttime.last_end_request = ktime_get_ns() + 1;\n\n\tbfq_mark_bfqq_IO_bound(bfqq);\n\n\tbfqq->pid = pid;\n\n\t/* Tentative initial value to trade off between thr and lat */\n\tbfqq->max_budget = (2 * bfq_max_budget(bfqd)) / 3;\n\tbfqq->budget_timeout = bfq_smallest_from_now();\n\n\tbfqq->wr_coeff = 1;\n\tbfqq->last_wr_start_finish = jiffies;\n\tbfqq->wr_start_at_switch_to_srt = bfq_smallest_from_now();\n\tbfqq->split_time = bfq_smallest_from_now();\n\n\t/*\n\t * To not forget the possibly high bandwidth consumed by a\n\t * process/queue in the recent past,\n\t * bfq_bfqq_softrt_next_start() returns a value at least equal\n\t * to the current value of bfqq->soft_rt_next_start (see\n\t * comments on bfq_bfqq_softrt_next_start). 
Set\n\t * soft_rt_next_start to now, to mean that bfqq has consumed\n\t * no bandwidth so far.\n\t */\n\tbfqq->soft_rt_next_start = jiffies;\n\n\t/* first request is almost certainly seeky */\n\tbfqq->seek_history = 1;", "project": "linux", "hash": 323763936282812781314080550161776110028, "size": 59, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453377 }, { "func": "CairoFont::~CairoFont() {\n FT_Done_Face (face);\n gfree(codeToGID);\n}", "project": "poppler", "hash": 201468297247214016630921422946462050, "size": 4, "commit_id": "1a531dcfee1c6fc79a414c38cbe7327fbf9a59d8", "message": "Fix a crash with invalid embedded fonts", "target": 0, "dataset": "other", "idx": 421891 }, { "func": "static int nfs4_proc_lookup(struct inode *dir, struct dentry *dentry,\n\t\t\t struct nfs_fh *fhandle, struct nfs_fattr *fattr,\n\t\t\t struct nfs4_label *label)\n{\n\tint status;\n\tstruct rpc_clnt *client = NFS_CLIENT(dir);\n\n\tstatus = nfs4_proc_lookup_common(&client, dir, dentry, fhandle, fattr, label);\n\tif (client != NFS_CLIENT(dir)) {\n\t\trpc_shutdown_client(client);\n\t\tnfs_fixup_secinfo_attributes(fattr);\n\t}\n\treturn status;\n}", "project": "linux", "hash": 130426534996720153495369981163349944147, "size": 14, 
"commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431312 }, { "func": "void LibRaw::process_Sony_0x9400(uchar *buf, ushort len, unsigned long long id)\n{\n\n uchar s[4];\n int c;\n uchar bufx = buf[0];\n\n if (((bufx == 0x23) || (bufx == 0x24) || (bufx == 0x26) || (bufx == 0x28)) &&\n (len >= 0x1f))\n { // 0x9400 'c' version\n\n if ((id == SonyID_ILCE_9) ||\n (id == SonyID_ILCE_7RM3) ||\n (id == SonyID_ILCE_7M3) ||\n (id == SonyID_DSC_RX10M4) ||\n (id == SonyID_DSC_RX100M6) ||\n (id == SonyID_DSC_HX99) ||\n (id == SonyID_DSC_RX100M5A) ||\n (id == SonyID_ILCE_6400) ||\n (id == SonyID_DSC_RX0M2) ||\n (id == SonyID_DSC_RX100M7) ||\n (id == SonyID_ILCE_7RM4) ||\n (id == SonyID_ILCE_9M2) ||\n (id == SonyID_ILCE_6600) ||\n (id == SonyID_ILCE_6100))\n {\n imSony.ShotNumberSincePowerUp = SonySubstitution[buf[0x0a]];\n }\n else\n {\n FORC4 s[c] = SonySubstitution[buf[0x0a + c]];\n imSony.ShotNumberSincePowerUp = sget4(s);\n }\n\n imSony.Sony0x9400_version = 0xc;\n\n imSony.Sony0x9400_ReleaseMode2 = SonySubstitution[buf[0x09]];\n\n FORC4 s[c] = SonySubstitution[buf[0x12 + c]];\n imSony.Sony0x9400_SequenceImageNumber = sget4(s);\n\n imSony.Sony0x9400_SequenceLength1 = SonySubstitution[buf[0x16]]; // shots\n\n FORC4 s[c] = SonySubstitution[buf[0x1a + c]];\n imSony.Sony0x9400_SequenceFileNumber = sget4(s);\n\n imSony.Sony0x9400_SequenceLength2 = SonySubstitution[buf[0x1e]]; // files\n }\n\n else if ((bufx == 0x0c) && (len >= 0x1f))\n { // 0x9400 'b' version\n imSony.Sony0x9400_version = 0xb;\n\n FORC4 s[c] = SonySubstitution[buf[0x08 + c]];\n 
imSony.Sony0x9400_SequenceImageNumber = sget4(s);\n\n FORC4 s[c] = SonySubstitution[buf[0x0c + c]];\n imSony.Sony0x9400_SequenceFileNumber = sget4(s);\n\n imSony.Sony0x9400_ReleaseMode2 = SonySubstitution[buf[0x10]];\n\n imSony.Sony0x9400_SequenceLength1 = SonySubstitution[buf[0x1e]];\n }\n\n else if ((bufx == 0x0a) && (len >= 0x23))\n { // 0x9400 'a' version\n imSony.Sony0x9400_version = 0xa;\n\n FORC4 s[c] = SonySubstitution[buf[0x08 + c]];\n imSony.Sony0x9400_SequenceImageNumber = sget4(s);\n\n FORC4 s[c] = SonySubstitution[buf[0x0c + c]];\n imSony.Sony0x9400_SequenceFileNumber = sget4(s);\n\n imSony.Sony0x9400_ReleaseMode2 = SonySubstitution[buf[0x10]];\n\n imSony.Sony0x9400_SequenceLength1 = SonySubstitution[buf[0x22]];\n }\n\n else\n return;\n}", "project": "LibRaw", "hash": 323759542568243098823218143817735274025, "size": 82, "commit_id": "c243f4539233053466c1309bde606815351bee81", "message": "additional checks in parseSonySRF\n\nparseSonySR2: buffer size check", "target": 0, "dataset": "other", "idx": 394111 }, { "func": "static int queue_pages_hugetlb(pte_t *pte, unsigned long hmask,\n\t\t\t unsigned long addr, unsigned long end,\n\t\t\t struct mm_walk *walk)\n{\n\tint ret = 0;\n#ifdef CONFIG_HUGETLB_PAGE\n\tstruct queue_pages *qp = walk->private;\n\tunsigned long flags = (qp->flags & MPOL_MF_VALID);\n\tstruct page *page;\n\tspinlock_t *ptl;\n\tpte_t entry;\n\n\tptl = huge_pte_lock(hstate_vma(walk->vma), walk->mm, pte);\n\tentry = huge_ptep_get(pte);\n\tif (!pte_present(entry))\n\t\tgoto unlock;\n\tpage = pte_page(entry);\n\tif (!queue_pages_required(page, qp))\n\t\tgoto unlock;\n\n\tif (flags == MPOL_MF_STRICT) {\n\t\t/*\n\t\t * STRICT alone means only detecting misplaced page and no\n\t\t * need to further check other vma.\n\t\t */\n\t\tret = -EIO;\n\t\tgoto unlock;\n\t}\n\n\tif (!vma_migratable(walk->vma)) {\n\t\t/*\n\t\t * Must be STRICT with MOVE*, otherwise .test_walk() have\n\t\t * stopped walking current vma.\n\t\t * Detecting misplaced page but 
allow migrating pages which\n\t\t * have been queued.\n\t\t */\n\t\tret = 1;\n\t\tgoto unlock;\n\t}\n\n\t/* With MPOL_MF_MOVE, we migrate only unshared hugepage. */\n\tif (flags & (MPOL_MF_MOVE_ALL) ||\n\t (flags & MPOL_MF_MOVE && page_mapcount(page) == 1)) {\n\t\tif (!isolate_huge_page(page, qp->pagelist) &&\n\t\t\t(flags & MPOL_MF_STRICT))\n\t\t\t/*\n\t\t\t * Failed to isolate page but allow migrating pages\n\t\t\t * which have been queued.\n\t\t\t */\n\t\t\tret = 1;\n\t}\nunlock:\n\tspin_unlock(ptl);\n#else\n\tBUG();\n#endif\n\treturn ret;\n}", "project": "linux", "hash": 104164086646339548354718394715046576120, "size": 58, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366803 }, { "func": "static void nfs4_init_boot_verifier(const struct nfs_client *clp,\n\t\t\t\t nfs4_verifier *bootverf)\n{\n\t__be32 verf[2];\n\n\tif (test_bit(NFS4CLNT_PURGE_STATE, &clp->cl_state)) {\n\t\t/* An impossible timestamp guarantees this value\n\t\t * will never match a generated boot time. 
*/\n\t\tverf[0] = cpu_to_be32(U32_MAX);\n\t\tverf[1] = cpu_to_be32(U32_MAX);\n\t} else {\n\t\tstruct nfs_net *nn = net_generic(clp->cl_net, nfs_net_id);\n\t\tu64 ns = ktime_to_ns(nn->boot_time);\n\n\t\tverf[0] = cpu_to_be32(ns >> 32);\n\t\tverf[1] = cpu_to_be32(ns);\n\t}\n\tmemcpy(bootverf->data, verf, sizeof(bootverf->data));\n}", "project": "linux", "hash": 244936934993843841001943046955736357313, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431189 }, { "func": "static int may_open(const struct path *path, int acc_mode, int flag)\n{\n\tstruct dentry *dentry = path->dentry;\n\tstruct inode *inode = dentry->d_inode;\n\tint error;\n\n\tif (!inode)\n\t\treturn -ENOENT;\n\n\tswitch (inode->i_mode & S_IFMT) {\n\tcase S_IFLNK:\n\t\treturn -ELOOP;\n\tcase S_IFDIR:\n\t\tif (acc_mode & MAY_WRITE)\n\t\t\treturn -EISDIR;\n\t\tbreak;\n\tcase S_IFBLK:\n\tcase S_IFCHR:\n\t\tif (!may_open_dev(path))\n\t\t\treturn -EACCES;\n\t\t/*FALLTHRU*/\n\tcase S_IFIFO:\n\tcase S_IFSOCK:\n\t\tflag &= ~O_TRUNC;\n\t\tbreak;\n\t}\n\n\terror = inode_permission(inode, MAY_OPEN | acc_mode);\n\tif (error)\n\t\treturn error;\n\n\t/*\n\t * An append-only file must be opened in append mode for writing.\n\t */\n\tif (IS_APPEND(inode)) {\n\t\tif ((flag & O_ACCMODE) != O_RDONLY && !(flag & O_APPEND))\n\t\t\treturn -EPERM;\n\t\tif (flag & O_TRUNC)\n\t\t\treturn -EPERM;\n\t}\n\n\t/* O_NOATIME can only be set by the owner or superuser */\n\tif (flag & O_NOATIME && !inode_owner_or_capable(inode))\n\t\treturn -EPERM;\n\n\treturn 0;\n}", "project": "linux", "hash": 
230976218273249802316360247041273770177, "size": 47, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295357 }, { "func": "static bool mt_need_to_apply_feature(struct hid_device *hdev,\n\t\t\t\t struct hid_field *field,\n\t\t\t\t struct hid_usage *usage,\n\t\t\t\t enum latency_mode latency,\n\t\t\t\t bool surface_switch,\n\t\t\t\t bool button_switch,\n\t\t\t\t bool *inputmode_found)\n{\n\tstruct mt_device *td = hid_get_drvdata(hdev);\n\tstruct mt_class *cls = &td->mtclass;\n\tstruct hid_report *report = field->report;\n\tunsigned int index = usage->usage_index;\n\tchar *buf;\n\tu32 report_len;\n\tint max;\n\n\tswitch (usage->hid) {\n\tcase HID_DG_INPUTMODE:\n\t\t/*\n\t\t * Some elan panels wrongly declare 2 input mode features,\n\t\t * and silently ignore when we set the value in the second\n\t\t * field. 
Skip the second feature and hope for the best.\n\t\t */\n\t\tif (*inputmode_found)\n\t\t\treturn false;\n\n\t\tif (cls->quirks & MT_QUIRK_FORCE_GET_FEATURE) {\n\t\t\treport_len = hid_report_len(report);\n\t\t\tbuf = hid_alloc_report_buf(report, GFP_KERNEL);\n\t\t\tif (!buf) {\n\t\t\t\thid_err(hdev,\n\t\t\t\t\t\"failed to allocate buffer for report\\n\");\n\t\t\t\treturn false;\n\t\t\t}\n\t\t\thid_hw_raw_request(hdev, report->id, buf, report_len,\n\t\t\t\t\t HID_FEATURE_REPORT,\n\t\t\t\t\t HID_REQ_GET_REPORT);\n\t\t\tkfree(buf);\n\t\t}\n\n\t\tfield->value[index] = td->inputmode_value;\n\t\t*inputmode_found = true;\n\t\treturn true;\n\n\tcase HID_DG_CONTACTMAX:\n\t\tif (cls->maxcontacts) {\n\t\t\tmax = min_t(int, field->logical_maximum,\n\t\t\t\t cls->maxcontacts);\n\t\t\tif (field->value[index] != max) {\n\t\t\t\tfield->value[index] = max;\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\tcase HID_DG_LATENCYMODE:\n\t\tfield->value[index] = latency;\n\t\treturn true;\n\n\tcase HID_DG_SURFACESWITCH:\n\t\tfield->value[index] = surface_switch;\n\t\treturn true;\n\n\tcase HID_DG_BUTTONSWITCH:\n\t\tfield->value[index] = button_switch;\n\t\treturn true;\n\t}\n\n\treturn false; /* no need to update the report */\n}", "project": "linux", "hash": 266461234126958799668586647554469395402, "size": 70, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use 
of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458338 }, { "func": "static void nested_svm_unmap(struct page *page)\n{\n\tkunmap(page);\n\tkvm_release_page_dirty(page);\n}", "project": "kvm", "hash": 186054227744588982797601497531271051016, "size": 5, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437640 }, { "func": "static inline void encode_claim_previous(struct xdr_stream *xdr, fmode_t type)\n{\n\t__be32 *p;\n\n\tp = reserve_space(xdr, 4);\n\t*p = cpu_to_be32(NFS4_OPEN_CLAIM_PREVIOUS);\n\tencode_delegation_type(xdr, type);\n}", "project": "linux", "hash": 268960571393444692065148380652714828424, "size": 8, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431024 }, { "func": "static Variant php_mcrypt_do_crypt(const String& cipher, const String& key,\n const String& data, const String& mode,\n const String& iv, bool dencrypt,\n char *name) {\n MCRYPT td = mcrypt_module_open((char*)cipher.data(),\n (char*)MCG(algorithms_dir).data(),\n (char*)mode.data(),\n (char*)MCG(modes_dir).data());\n if (td == MCRYPT_FAILED) {\n MCRYPT_OPEN_MODULE_FAILED(name);\n return false;\n }\n\n /* Checking for key-length */\n int max_key_length = mcrypt_enc_get_key_size(td);\n if (key.size() > max_key_length) {\n raise_warning(\"Size of key is too large for this algorithm\");\n }\n int count;\n int *key_length_sizes = 
mcrypt_enc_get_supported_key_sizes(td, &count);\n int use_key_length;\n char *key_s = nullptr;\n if (count == 0 && key_length_sizes == nullptr) { // all lengths 1 - k_l_s = OK\n use_key_length = key.size();\n key_s = (char*)malloc(use_key_length);\n memcpy(key_s, key.data(), use_key_length);\n } else if (count == 1) { /* only m_k_l = OK */\n key_s = (char*)malloc(key_length_sizes[0]);\n memset(key_s, 0, key_length_sizes[0]);\n memcpy(key_s, key.data(), MIN(key.size(), key_length_sizes[0]));\n use_key_length = key_length_sizes[0];\n } else { /* determine smallest supported key > length of requested key */\n use_key_length = max_key_length; /* start with max key length */\n for (int i = 0; i < count; i++) {\n if (key_length_sizes[i] >= key.size() &&\n key_length_sizes[i] < use_key_length) {\n use_key_length = key_length_sizes[i];\n }\n }\n key_s = (char*)malloc(use_key_length);\n memset(key_s, 0, use_key_length);\n memcpy(key_s, key.data(), MIN(key.size(), use_key_length));\n }\n mcrypt_free(key_length_sizes);\n\n /* Check IV */\n char *iv_s = nullptr;\n int iv_size = mcrypt_enc_get_iv_size(td);\n\n /* IV is required */\n if (mcrypt_enc_mode_has_iv(td) == 1) {\n if (!iv.empty()) {\n if (iv_size != iv.size()) {\n raise_warning(\"%s(): The IV parameter must be as long as \"\n \"the blocksize\", name);\n } else {\n iv_s = (char*)malloc(iv_size + 1);\n memcpy(iv_s, iv.data(), iv_size);\n }\n } else {\n raise_warning(\"%s(): The IV parameter must be as long as \"\n \"the blocksize\", name);\n iv_s = (char*)malloc(iv_size + 1);\n memset(iv_s, 0, iv_size + 1);\n }\n }\n\n int block_size;\n unsigned long int data_size;\n String s;\n char *data_s;\n /* Check blocksize */\n if (mcrypt_enc_is_block_mode(td) == 1) { /* It's a block algorithm */\n block_size = mcrypt_enc_get_block_size(td);\n data_size = (((data.size() - 1) / block_size) + 1) * block_size;\n s = String(data_size, ReserveString);\n data_s = (char*)s.mutableData();\n memset(data_s, 0, data_size);\n memcpy(data_s, 
data.data(), data.size());\n } else { /* It's not a block algorithm */\n data_size = data.size();\n s = String(data_size, ReserveString);\n data_s = (char*)s.mutableData();\n memcpy(data_s, data.data(), data.size());\n }\n\n if (mcrypt_generic_init(td, key_s, use_key_length, iv_s) < 0) {\n raise_warning(\"Mcrypt initialisation failed\");\n return false;\n }\n if (dencrypt) {\n mdecrypt_generic(td, data_s, data_size);\n } else {\n mcrypt_generic(td, data_s, data_size);\n }\n\n /* freeing vars */\n mcrypt_generic_end(td);\n if (key_s != nullptr) {\n free(key_s);\n }\n if (iv_s != nullptr) {\n free(iv_s);\n }\n s.setSize(data_size);\n return s;\n}", "project": "hhvm", "hash": 137819725445491919949000071559406078297, "size": 107, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219234 }, { "func": "static inline void hid_set_drvdata(struct hid_device *hdev, void *data)\n{\n\tdev_set_drvdata(&hdev->dev, data);\n}", "project": "linux", "hash": 279571511450759791409387696635675819024, "size": 4, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: 
Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458359 }, { "func": "\nstatic void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync)\n{\n\tstruct bfq_queue *bfqq = bic_to_bfqq(bic, is_sync);\n\tstruct bfq_data *bfqd;\n\n\tif (bfqq)\n\t\tbfqd = bfqq->bfqd; /* NULL if scheduler already exited */\n\n\tif (bfqq && bfqd) {\n\t\tunsigned long flags;\n\n\t\tspin_lock_irqsave(&bfqd->lock, flags);\n\t\tbfqq->bic = NULL;\n\t\tbfq_exit_bfqq(bfqd, bfqq);\n\t\tbic_set_bfqq(bic, NULL, is_sync);\n\t\tspin_unlock_irqrestore(&bfqd->lock, flags);\n\t}", "project": "linux", "hash": 324382333858071840629381229871675730922, "size": 18, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453304 }, { "func": "static void tcp_fixup_rcvbuf(struct sock *sk)\n{\n\tu32 mss = tcp_sk(sk)->advmss;\n\tu32 icwnd = TCP_DEFAULT_INIT_RCVWND;\n\tint rcvmem;\n\n\t/* Limit to 10 segments if mss <= 1460,\n\t * or 14600/mss segments, with a minimum of two segments.\n\t */\n\tif (mss > 1460)\n\t\ticwnd = max_t(u32, (1460 * TCP_DEFAULT_INIT_RCVWND) / mss, 2);\n\n\trcvmem = SKB_TRUESIZE(mss + MAX_TCP_HEADER);\n\twhile (tcp_win_from_space(rcvmem) < mss)\n\t\trcvmem += 128;\n\n\trcvmem *= icwnd;\n\n\tif (sk->sk_rcvbuf < rcvmem)\n\t\tsk->sk_rcvbuf = min(rcvmem, sysctl_tcp_rmem[2]);\n}", "project": "net-next", "hash": 239436317860819948262372021939236215114, "size": 21, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their 
limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409875 }, { "func": "static inline bool tcp_paws_check(const struct tcp_options_received *rx_opt,\n\t\t\t\t int paws_win)\n{\n\tif ((s32)(rx_opt->ts_recent - rx_opt->rcv_tsval) <= paws_win)\n\t\treturn true;\n\tif (unlikely(get_seconds() >= rx_opt->ts_recent_stamp + TCP_PAWS_24DAYS))\n\t\treturn true;\n\t/*\n\t * Some OSes send SYN and SYNACK messages with tsval=0 tsecr=0,\n\t * then following tcp messages have valid values. Ignore 0 value,\n\t * or else 'negative' tsval might forbid us to accept their packets.\n\t */\n\tif (!rx_opt->ts_recent)\n\t\treturn true;\n\treturn false;\n}", "project": "linux", "hash": 273529685859931281846261720695628973168, "size": 16, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. 
For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410747 }, { "func": "static bool checkreturn decode_extension(pb_istream_t *stream,\n uint32_t tag, pb_wire_type_t wire_type, pb_extension_t *extension)\n{\n size_t pos = stream->bytes_left;\n \n while (extension != NULL && pos == stream->bytes_left)\n {\n bool status;\n if (extension->type->decode)\n status = extension->type->decode(stream, extension, tag, wire_type);\n else\n status = default_extension_decoder(stream, extension, tag, wire_type);\n\n if (!status)\n return false;\n \n extension = extension->next;\n }\n \n return true;\n}", "project": "nanopb", "hash": 225116914994178657691448121519111705595, "size": 21, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. 
Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254694 }, { "func": "static bool checkreturn decode_extension(pb_istream_t *stream,\n uint32_t tag, pb_wire_type_t wire_type, pb_field_iterator_t *iter)\n{\n pb_extension_t *extension = *(pb_extension_t* const *)iter->pData;\n size_t pos = stream->bytes_left;\n \n while (extension != NULL && pos == stream->bytes_left)\n {\n bool status;\n if (extension->type->decode)\n status = extension->type->decode(stream, extension, tag, wire_type);\n else\n status = default_extension_decoder(stream, extension, tag, wire_type);\n\n if (!status)\n return false;\n \n extension = extension->next;\n }\n \n return true;\n}", "project": "nanopb", "hash": 112007314370158213623327354312072742349, "size": 22, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255325 }, { "func": "static inline bool php_openssl_config_check_syntax\n(const char *section_label, const char *config_filename, const char *section,\n LHASH_OF(CONF_VALUE) *config) {\n#else\nstatic inline bool php_openssl_config_check_syntax\n(const char *section_label, const char *config_filename, const char *section,\n LHASH *config) {\n#endif\n\n X509V3_CTX ctx;\n X509V3_set_ctx_test(&ctx);\n X509V3_set_conf_lhash(&ctx, config);\n if (!X509V3_EXT_add_conf(config, &ctx, (char*)section, nullptr)) {\n raise_warning(\"Error loading %s section %s of %s\",\n section_label, section, config_filename);\n return false;\n }\n return true;\n}\n\nconst StaticString\n s_config(\"config\"),\n s_config_section_name(\"config_section_name\"),\n s_digest_alg(\"digest_alg\"),\n s_x509_extensions(\"x509_extensions\"),\n s_req_extensions(\"req_extensions\"),\n s_private_key_bits(\"private_key_bits\"),\n s_private_key_type(\"private_key_type\"),\n s_encrypt_key(\"encrypt_key\"),\n 
s_curve_name(\"curve_name\");\n\nstatic bool php_openssl_parse_config(struct php_x509_request *req,\n const Array& args,\n std::vector &strings) {\n req->config_filename =\n read_string(args, s_config, default_ssl_conf_filename, strings);\n req->section_name =\n read_string(args, s_config_section_name, \"req\", strings);\n req->global_config = CONF_load(nullptr, default_ssl_conf_filename, nullptr);\n req->req_config = CONF_load(nullptr, req->config_filename, nullptr);\n if (req->req_config == nullptr) {\n return false;\n }\n\n /* read in the oids */\n char *str = CONF_get_string(req->req_config, nullptr, \"oid_file\");\n if (str) {\n BIO *oid_bio = BIO_new_file(str, \"r\");\n if (oid_bio) {\n OBJ_create_objects(oid_bio);\n BIO_free(oid_bio);\n }\n }\n if (!add_oid_section(req)) {\n return false;\n }\n\n req->digest_name =\n read_string(args, s_digest_alg,\n CONF_get_string(req->req_config, req->section_name,\n \"default_md\"),\n strings);\n\n req->extensions_section =\n read_string(args, s_x509_extensions,\n CONF_get_string(req->req_config, req->section_name,\n \"x509_extensions\"),\n strings);\n\n req->request_extensions_section =\n read_string(args, s_req_extensions,\n CONF_get_string(req->req_config, req->section_name,\n \"req_extensions\"),\n strings);\n\n req->priv_key_bits =\n read_integer(args, s_private_key_bits,\n CONF_get_number(req->req_config, req->section_name,\n \"default_bits\"));\n\n req->priv_key_type =\n read_integer(args, s_private_key_type, OPENSSL_KEYTYPE_DEFAULT);\n\n if (args.exists(s_encrypt_key)) {\n bool value = args[s_encrypt_key].toBoolean();\n req->priv_key_encrypt = value ? 
1 : 0;\n } else {\n str = CONF_get_string(req->req_config, req->section_name,\n \"encrypt_rsa_key\");\n if (str == nullptr) {\n str = CONF_get_string(req->req_config, req->section_name, \"encrypt_key\");\n }\n if (str && strcmp(str, \"no\") == 0) {\n req->priv_key_encrypt = 0;\n } else {\n req->priv_key_encrypt = 1;\n }\n }\n\n /* digest alg */\n if (req->digest_name == nullptr) {\n req->digest_name = CONF_get_string(req->req_config, req->section_name,\n \"default_md\");\n }\n if (req->digest_name) {\n req->digest = req->md_alg = EVP_get_digestbyname(req->digest_name);\n }\n if (req->md_alg == nullptr) {\n req->md_alg = req->digest = EVP_sha256();\n }\n\n#ifdef HAVE_EVP_PKEY_EC\n /* set the ec group curve name */\n req->curve_name = NID_undef;\n if (args.exists(s_curve_name)) {\n auto const curve_name = args[s_curve_name].toString();\n req->curve_name = OBJ_sn2nid(curve_name.data());\n if (req->curve_name == NID_undef) {\n raise_warning(\n \"Unknown elliptic curve (short) name %s\",\n curve_name.data()\n );\n return false;\n }\n }\n#endif\n\n if (req->extensions_section &&\n !php_openssl_config_check_syntax\n (\"extensions_section\", req->config_filename, req->extensions_section,\n req->req_config)) {\n return false;\n }\n\n /* set the string mask */\n str = CONF_get_string(req->req_config, req->section_name, \"string_mask\");\n if (str && !ASN1_STRING_set_default_mask_asc(str)) {\n raise_warning(\"Invalid global string mask setting %s\", str);\n return false;\n }\n\n if (req->request_extensions_section &&\n !php_openssl_config_check_syntax\n (\"request_extensions_section\", req->config_filename,\n req->request_extensions_section, req->req_config)) {\n return false;\n }\n\n return true;\n}\n\nstatic void php_openssl_dispose_config(struct php_x509_request *req) {\n if (req->global_config) {\n CONF_free(req->global_config);\n req->global_config = nullptr;\n }\n if (req->req_config) {\n CONF_free(req->req_config);\n req->req_config = nullptr;\n }\n}\n\nstatic 
STACK_OF(X509) *load_all_certs_from_file(const char *certfile) {\n STACK_OF(X509_INFO) *sk = nullptr;\n STACK_OF(X509) *stack = nullptr, *ret = nullptr;\n BIO *in = nullptr;\n X509_INFO *xi;\n\n if (!(stack = sk_X509_new_null())) {\n raise_warning(\"memory allocation failure\");\n goto end;\n }\n\n if (!(in = BIO_new_file(certfile, \"r\"))) {\n raise_warning(\"error opening the file, %s\", certfile);\n sk_X509_free(stack);\n goto end;\n }\n\n /* This loads from a file, a stack of x509/crl/pkey sets */\n if (!(sk = PEM_X509_INFO_read_bio(in, nullptr, nullptr, nullptr))) {\n raise_warning(\"error reading the file, %s\", certfile);\n sk_X509_free(stack);\n goto end;\n }\n\n /* scan over it and pull out the certs */\n while (sk_X509_INFO_num(sk)) {\n xi = sk_X509_INFO_shift(sk);\n if (xi->x509 != nullptr) {\n sk_X509_push(stack, xi->x509);\n xi->x509 = nullptr;\n }\n X509_INFO_free(xi);\n }\n if (!sk_X509_num(stack)) {\n raise_warning(\"no certificates in file, %s\", certfile);\n sk_X509_free(stack);\n goto end;\n }\n ret = stack;\n\nend:\n BIO_free(in);\n sk_X509_INFO_free(sk);\n\n return ret;\n}\n\n/**\n * calist is an array containing file and directory names. 
create a\n * certificate store and add those certs to it for use in verification.\n */\nstatic X509_STORE *setup_verify(const Array& calist) {\n X509_STORE *store = X509_STORE_new();\n if (store == nullptr) {\n return nullptr;\n }\n\n X509_LOOKUP *dir_lookup, *file_lookup;\n int ndirs = 0, nfiles = 0;\n for (ArrayIter iter(calist); iter; ++iter) {\n String item = iter.second().toString();\n\n struct stat sb;\n if (stat(item.data(), &sb) == -1) {\n raise_warning(\"unable to stat %s\", item.data());\n continue;\n }\n\n if ((sb.st_mode & S_IFREG) == S_IFREG) {\n file_lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());\n if (file_lookup == nullptr ||\n !X509_LOOKUP_load_file(file_lookup, item.data(),\n X509_FILETYPE_PEM)) {\n raise_warning(\"error loading file %s\", item.data());\n } else {\n nfiles++;\n }\n file_lookup = nullptr;\n } else {\n dir_lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());\n if (dir_lookup == nullptr ||\n !X509_LOOKUP_add_dir(dir_lookup, item.data(), X509_FILETYPE_PEM)) {\n raise_warning(\"error loading directory %s\", item.data());\n } else {\n ndirs++;\n }\n dir_lookup = nullptr;\n }\n }\n if (nfiles == 0) {\n file_lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());\n if (file_lookup) {\n X509_LOOKUP_load_file(file_lookup, nullptr, X509_FILETYPE_DEFAULT);\n }\n }\n if (ndirs == 0) {\n dir_lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());\n if (dir_lookup) {\n X509_LOOKUP_add_dir(dir_lookup, nullptr, X509_FILETYPE_DEFAULT);\n }\n }\n return store;\n}\n\n///////////////////////////////////////////////////////////////////////////////\n\nstatic bool add_entries(X509_NAME *subj, const Array& items) {\n for (ArrayIter iter(items); iter; ++iter) {\n auto const index = iter.first().toString();\n auto const item = iter.second().toString();\n int nid = OBJ_txt2nid(index.data());\n if (nid != NID_undef) {\n if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_ASC,\n (unsigned char*)item.data(),\n -1, -1, 0)) {\n 
raise_warning(\"dn: add_entry_by_NID %d -> %s (failed)\",\n nid, item.data());\n return false;\n }\n } else {\n raise_warning(\"dn: %s is not a recognized name\", index.data());\n }\n }\n return true;\n}\n\nstatic bool php_openssl_make_REQ(struct php_x509_request *req, X509_REQ *csr,\n const Array& dn, const Array& attribs) {\n char *dn_sect = CONF_get_string(req->req_config, req->section_name,\n \"distinguished_name\");\n if (dn_sect == nullptr) return false;\n\n STACK_OF(CONF_VALUE) *dn_sk = CONF_get_section(req->req_config, dn_sect);\n if (dn_sk == nullptr) return false;\n\n char *attr_sect = CONF_get_string(req->req_config, req->section_name,\n \"attributes\");\n STACK_OF(CONF_VALUE) *attr_sk = nullptr;\n if (attr_sect) {\n attr_sk = CONF_get_section(req->req_config, attr_sect);\n if (attr_sk == nullptr) {\n return false;\n }\n }\n\n /* setup the version number: version 1 */\n if (X509_REQ_set_version(csr, 0L)) {\n X509_NAME *subj = X509_REQ_get_subject_name(csr);\n if (!add_entries(subj, dn)) return false;\n\n /* Finally apply defaults from config file */\n for (int i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {\n CONF_VALUE *v = sk_CONF_VALUE_value(dn_sk, i);\n char *type = v->name;\n\n int len = strlen(type);\n if (len < (int)sizeof(\"_default\")) {\n continue;\n }\n len -= sizeof(\"_default\") - 1;\n if (strcmp(\"_default\", type + len) != 0) {\n continue;\n }\n if (len > 200) {\n len = 200;\n }\n char buffer[200 + 1]; /*200 + \\0 !*/\n memcpy(buffer, type, len);\n buffer[len] = '\\0';\n type = buffer;\n\n /* Skip past any leading X. 
X: X, etc to allow for multiple instances */\n for (char *str = type; *str; str++) {\n if (*str == ':' || *str == ',' || *str == '.') {\n str++;\n if (*str) {\n type = str;\n }\n break;\n }\n }\n /* if it is already set, skip this */\n int nid = OBJ_txt2nid(type);\n if (X509_NAME_get_index_by_NID(subj, nid, -1) >= 0) {\n continue;\n }\n if (!X509_NAME_add_entry_by_txt(subj, type, MBSTRING_ASC,\n (unsigned char*)v->value, -1, -1, 0)) {\n raise_warning(\"add_entry_by_txt %s -> %s (failed)\", type, v->value);\n return false;\n }\n if (!X509_NAME_entry_count(subj)) {\n raise_warning(\"no objects specified in config file\");\n return false;\n }\n }\n\n if (!add_entries(subj, attribs)) return false;\n\n if (attr_sk) {\n for (int i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {\n CONF_VALUE *v = sk_CONF_VALUE_value(attr_sk, i);\n /* if it is already set, skip this */\n int nid = OBJ_txt2nid(v->name);\n if (X509_REQ_get_attr_by_NID(csr, nid, -1) >= 0) {\n continue;\n }\n if (!X509_REQ_add1_attr_by_txt(csr, v->name, MBSTRING_ASC,\n (unsigned char*)v->value, -1)) {\n /**\n * hzhao: mismatched version of conf file may have attributes that\n * are not recognizable, and I don't think it should be treated as\n * fatal errors.\n */\n Logger::Verbose(\"add1_attr_by_txt %s -> %s (failed)\", v->name,\n v->value);\n // return false;\n }\n }\n }\n }\n\n X509_REQ_set_pubkey(csr, req->priv_key);\n return true;\n}\n\nbool HHVM_FUNCTION(openssl_csr_export_to_file, const Variant& csr,\n const String& outfilename,\n bool notext /* = true */) {\n auto pcsr = CSRequest::Get(csr);\n if (!pcsr) return false;\n\n BIO *bio_out = BIO_new_file((char*)outfilename.data(), \"w\");\n if (bio_out == nullptr) {\n raise_warning(\"error opening file %s\", outfilename.data());\n return false;\n }\n\n if (!notext) {\n X509_REQ_print(bio_out, pcsr->csr());\n }\n PEM_write_bio_X509_REQ(bio_out, pcsr->csr());\n BIO_free(bio_out);\n return true;\n}\n\nbool HHVM_FUNCTION(openssl_csr_export, const Variant& csr, 
Variant& out,\n bool notext /* = true */) {\n auto pcsr = CSRequest::Get(csr);\n if (!pcsr) return false;\n\n BIO *bio_out = BIO_new(BIO_s_mem());\n if (!notext) {\n X509_REQ_print(bio_out, pcsr->csr());\n }\n\n if (PEM_write_bio_X509_REQ(bio_out, pcsr->csr())) {\n BUF_MEM *bio_buf;\n BIO_get_mem_ptr(bio_out, &bio_buf);\n out = String((char*)bio_buf->data, bio_buf->length, CopyString);\n BIO_free(bio_out);\n return true;\n }\n\n BIO_free(bio_out);\n return false;\n}\n\nVariant HHVM_FUNCTION(openssl_csr_get_public_key, const Variant& csr) {\n auto pcsr = CSRequest::Get(csr);\n if (!pcsr) return false;\n\n auto input_csr = pcsr->csr();\n\n#if OPENSSL_VERSION_NUMBER >= 0x10100000\n /* Due to changes in OpenSSL 1.1 related to locking when decoding CSR,\n * the pub key is not changed after assigning. It means if we pass\n * a private key, it will be returned including the private part.\n * If we duplicate it, then we get just the public part which is\n * the same behavior as for OpenSSL 1.0 */\n input_csr = X509_REQ_dup(input_csr);\n /* We need to free the CSR as it was duplicated */\n SCOPE_EXIT { X509_REQ_free(input_csr); };\n#endif\n auto pubkey = X509_REQ_get_pubkey(input_csr);\n if (!pubkey) return false;\n return Variant(req::make(pubkey));\n}\n\nVariant HHVM_FUNCTION(openssl_csr_get_subject, const Variant& csr,\n bool use_shortnames /* = true */) {\n auto pcsr = CSRequest::Get(csr);\n if (!pcsr) return false;\n\n X509_NAME *subject = X509_REQ_get_subject_name(pcsr->csr());\n Array ret = Array::CreateDArray();\n add_assoc_name_entry(ret, nullptr, subject, use_shortnames);\n return ret;\n}\n\nVariant HHVM_FUNCTION(openssl_csr_new,\n const Variant& dn, Variant& privkey,\n const Variant& configargs /* = uninit_variant */,\n const Variant& extraattribs /* = uninit_variant */) {\n Variant ret = false;\n struct php_x509_request req;\n memset(&req, 0, sizeof(req));\n\n req::ptr okey;\n X509_REQ *csr = nullptr;\n std::vector strings;\n if (php_openssl_parse_config(&req, 
configargs.toArray(), strings)) {\n /* Generate or use a private key */\n if (!privkey.isNull()) {\n okey = Key::Get(privkey, false);\n if (okey) {\n req.priv_key = okey->m_key;\n }\n }\n if (req.priv_key == nullptr) {\n req.generatePrivateKey();\n if (req.priv_key) {\n okey = req::make(req.priv_key);\n }\n }\n if (req.priv_key == nullptr) {\n raise_warning(\"Unable to generate a private key\");\n } else {\n csr = X509_REQ_new();\n if (csr && php_openssl_make_REQ(&req, csr, dn.toArray(),\n extraattribs.toArray())) {\n X509V3_CTX ext_ctx;\n X509V3_set_ctx(&ext_ctx, nullptr, nullptr, csr, nullptr, 0);\n X509V3_set_conf_lhash(&ext_ctx, req.req_config);\n\n /* Add extensions */\n if (req.request_extensions_section &&\n !X509V3_EXT_REQ_add_conf(req.req_config, &ext_ctx,\n (char*)req.request_extensions_section,\n csr)) {\n raise_warning(\"Error loading extension section %s\",\n req.request_extensions_section);\n } else {\n ret = true;\n if (X509_REQ_sign(csr, req.priv_key, req.digest)) {\n ret = req::make(csr);\n csr = nullptr;\n } else {\n raise_warning(\"Error signing request\");\n }\n\n privkey = Variant(okey);\n }\n }\n }\n }\n if (csr) {\n X509_REQ_free(csr);\n }\n php_openssl_dispose_config(&req);\n return ret;\n}\n\nVariant HHVM_FUNCTION(openssl_csr_sign, const Variant& csr,\n const Variant& cacert,\n const Variant& priv_key, int days,\n const Variant& configargs /* = null */,\n int serial /* = 0 */) {\n auto pcsr = CSRequest::Get(csr);\n if (!pcsr) return false;\n\n req::ptr ocert;\n if (!cacert.isNull()) {\n ocert = Certificate::Get(cacert);\n if (!ocert) {\n raise_warning(\"cannot get cert from parameter 2\");\n return false;\n }\n }\n auto okey = Key::Get(priv_key, false);\n if (!okey) {\n raise_warning(\"cannot get private key from parameter 3\");\n return false;\n }\n X509 *cert = nullptr;\n if (ocert) {\n cert = ocert->m_cert;\n }\n EVP_PKEY *pkey = okey->m_key;\n if (cert && !X509_check_private_key(cert, pkey)) {\n raise_warning(\"private key does not 
correspond to signing cert\");\n return false;\n }\n\n req::ptr onewcert;\n struct php_x509_request req;\n memset(&req, 0, sizeof(req));\n Variant ret = false;\n std::vector strings;\n if (!php_openssl_parse_config(&req, configargs.toArray(), strings)) {\n goto cleanup;\n }\n\n /* Check that the request matches the signature */\n EVP_PKEY *key;\n key = X509_REQ_get_pubkey(pcsr->csr());\n if (key == nullptr) {\n raise_warning(\"error unpacking public key\");\n goto cleanup;\n }\n int i;\n i = X509_REQ_verify(pcsr->csr(), key);\n if (i < 0) {\n raise_warning(\"Signature verification problems\");\n goto cleanup;\n }\n if (i == 0) {\n raise_warning(\"Signature did not match the certificate request\");\n goto cleanup;\n }\n\n /* Now we can get on with it */\n X509 *new_cert;\n new_cert = X509_new();\n if (new_cert == nullptr) {\n raise_warning(\"No memory\");\n goto cleanup;\n }\n onewcert = req::make(new_cert);\n /* Version 3 cert */\n if (!X509_set_version(new_cert, 2)) {\n goto cleanup;\n }\n ASN1_INTEGER_set(X509_get_serialNumber(new_cert), serial);\n X509_set_subject_name(new_cert, X509_REQ_get_subject_name(pcsr->csr()));\n\n if (cert == nullptr) {\n cert = new_cert;\n }\n if (!X509_set_issuer_name(new_cert, X509_get_subject_name(cert))) {\n goto cleanup;\n }\n X509_gmtime_adj(X509_get_notBefore(new_cert), 0);\n X509_gmtime_adj(X509_get_notAfter(new_cert), (long)60 * 60 * 24 * days);\n i = X509_set_pubkey(new_cert, key);\n if (!i) {\n goto cleanup;\n }\n if (req.extensions_section) {\n X509V3_CTX ctx;\n X509V3_set_ctx(&ctx, cert, new_cert, pcsr->csr(), nullptr, 0);\n X509V3_set_conf_lhash(&ctx, req.req_config);\n if (!X509V3_EXT_add_conf(req.req_config, &ctx, (char*)req.extensions_section,\n new_cert)) {\n goto cleanup;\n }\n }\n\n /* Now sign it */\n if (!X509_sign(new_cert, pkey, req.digest)) {\n raise_warning(\"failed to sign it\");\n goto cleanup;\n }\n\n /* Succeeded; lets return the cert */\n ret = onewcert;\n\n cleanup:\n php_openssl_dispose_config(&req);\n 
return ret;\n}\n\nVariant HHVM_FUNCTION(openssl_error_string) {\n char buf[512];\n unsigned long val = ERR_get_error();\n if (val) {\n return String(ERR_error_string(val, buf), CopyString);\n }\n return false;\n}\n\n\nbool HHVM_FUNCTION(openssl_open, const String& sealed_data, Variant& open_data,\n const String& env_key,\n const Variant& priv_key_id,\n const String& method, /* = null_string */\n const String& iv /* = null_string */) {\n const EVP_CIPHER *cipher_type;\n if (method.empty()) {\n cipher_type = EVP_rc4();\n } else {\n cipher_type = EVP_get_cipherbyname(method.c_str());\n if (!cipher_type) {\n raise_warning(\"Unknown cipher algorithm\");\n return false;\n }\n }\n\n auto okey = Key::Get(priv_key_id, false);\n if (!okey) {\n raise_warning(\"unable to coerce parameter 4 into a private key\");\n return false;\n }\n EVP_PKEY *pkey = okey->m_key;\n\n const unsigned char *iv_buf = nullptr;\n int iv_len = EVP_CIPHER_iv_length(cipher_type);\n if (iv_len > 0) {\n if (iv.empty()) {\n raise_warning(\n \"Cipher algorithm requires an IV to be supplied as a sixth parameter\");\n return false;\n }\n if (iv.length() != iv_len) {\n raise_warning(\"IV length is invalid\");\n return false;\n }\n iv_buf = reinterpret_cast(iv.c_str());\n }\n\n String s = String(sealed_data.size(), ReserveString);\n unsigned char *buf = (unsigned char *)s.mutableData();\n\n EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();\n if (ctx == nullptr) {\n raise_warning(\"Failed to allocate an EVP_CIPHER_CTX object\");\n return false;\n }\n SCOPE_EXIT {\n EVP_CIPHER_CTX_free(ctx);\n };\n int len1, len2;\n if (!EVP_OpenInit(\n ctx,\n cipher_type,\n (unsigned char*)env_key.data(),\n env_key.size(),\n iv_buf,\n pkey) ||\n !EVP_OpenUpdate(\n ctx,\n buf,\n &len1,\n (unsigned char*)sealed_data.data(),\n sealed_data.size()) ||\n !EVP_OpenFinal(ctx, buf + len1, &len2) || len1 + len2 == 0) {\n return false;\n }\n open_data = s.setSize(len1 + len2);\n return true;\n}\n\nstatic STACK_OF(X509) 
*php_array_to_X509_sk(const Variant& certs) {\n STACK_OF(X509) *pcerts = sk_X509_new_null();\n Array arrCerts;\n if (certs.isArray()) {\n arrCerts = certs.toArray();\n } else {\n arrCerts.append(certs);\n }\n for (ArrayIter iter(arrCerts); iter; ++iter) {\n auto ocert = Certificate::Get(iter.second());\n if (!ocert) {\n break;\n }\n sk_X509_push(pcerts, ocert->m_cert);\n }\n return pcerts;\n}\n\nconst StaticString\n s_friendly_name(\"friendly_name\"),\n s_extracerts(\"extracerts\");\n\nstatic bool\nopenssl_pkcs12_export_impl(const Variant& x509, BIO *bio_out,\n const Variant& priv_key, const String& pass,\n const Variant& args /* = uninit_variant */) {\n auto ocert = Certificate::Get(x509);\n if (!ocert) {\n raise_warning(\"cannot get cert from parameter 1\");\n return false;\n }\n auto okey = Key::Get(priv_key, false);\n if (!okey) {\n raise_warning(\"cannot get private key from parameter 3\");\n return false;\n }\n X509 *cert = ocert->m_cert;\n EVP_PKEY *key = okey->m_key;\n if (cert && !X509_check_private_key(cert, key)) {\n raise_warning(\"private key does not correspond to cert\");\n return false;\n }\n\n Array arrArgs = args.toArray();\n\n String friendly_name;\n if (arrArgs.exists(s_friendly_name)) {\n friendly_name = arrArgs[s_friendly_name].toString();\n }\n\n STACK_OF(X509) *ca = nullptr;\n if (arrArgs.exists(s_extracerts)) {\n ca = php_array_to_X509_sk(arrArgs[s_extracerts]);\n }\n\n PKCS12 *p12 = PKCS12_create\n ((char*)pass.data(),\n (char*)(friendly_name.empty() ? 
nullptr : friendly_name.data()),\n key, cert, ca, 0, 0, 0, 0, 0);\n\n assertx(bio_out);\n bool ret = i2d_PKCS12_bio(bio_out, p12);\n PKCS12_free(p12);\n sk_X509_free(ca);\n return ret;\n}\n\nbool HHVM_FUNCTION(openssl_pkcs12_export_to_file, const Variant& x509,\n const String& filename,\n const Variant& priv_key,\n const String& pass,\n const Variant& args /* = uninit_variant */) {\n BIO *bio_out = BIO_new_file(filename.data(), \"w\");\n if (bio_out == nullptr) {\n raise_warning(\"error opening file %s\", filename.data());\n return false;\n }\n bool ret = openssl_pkcs12_export_impl(x509, bio_out, priv_key, pass, args);\n BIO_free(bio_out);\n return ret;\n}\n\nbool HHVM_FUNCTION(openssl_pkcs12_export, const Variant& x509, Variant& out,\n const Variant& priv_key,\n const String& pass,\n const Variant& args /* = uninit_variant */) {\n BIO *bio_out = BIO_new(BIO_s_mem());\n bool ret = openssl_pkcs12_export_impl(x509, bio_out, priv_key, pass, args);\n if (ret) {\n BUF_MEM *bio_buf;\n BIO_get_mem_ptr(bio_out, &bio_buf);\n out = String((char*)bio_buf->data, bio_buf->length, CopyString);\n }\n BIO_free(bio_out);\n return ret;\n}\n\nconst StaticString\n s_cert(\"cert\"),\n s_pkey(\"pkey\");\n\nbool HHVM_FUNCTION(openssl_pkcs12_read, const String& pkcs12, Variant& certs,\n const String& pass) {\n bool ret = false;\n PKCS12 *p12 = nullptr;\n\n BIO *bio_in = BIO_new(BIO_s_mem());\n if (!BIO_write(bio_in, pkcs12.data(), pkcs12.size())) {\n goto cleanup;\n }\n\n if (d2i_PKCS12_bio(bio_in, &p12)) {\n EVP_PKEY *pkey = nullptr;\n X509 *cert = nullptr;\n STACK_OF(X509) *ca = nullptr;\n if (PKCS12_parse(p12, pass.data(), &pkey, &cert, &ca)) {\n Variant vcerts = Array::CreateDArray();\n SCOPE_EXIT {\n certs = vcerts;\n };\n BIO *bio_out = nullptr;\n if (cert) {\n bio_out = BIO_new(BIO_s_mem());\n if (PEM_write_bio_X509(bio_out, cert)) {\n BUF_MEM *bio_buf;\n BIO_get_mem_ptr(bio_out, &bio_buf);\n vcerts.asArrRef().set(s_cert,\n String((char*)bio_buf->data, bio_buf->length, 
CopyString));\n }\n BIO_free(bio_out);\n }\n\n if (pkey) {\n bio_out = BIO_new(BIO_s_mem());\n if (PEM_write_bio_PrivateKey(bio_out, pkey, nullptr, nullptr, 0, 0, nullptr)) {\n BUF_MEM *bio_buf;\n BIO_get_mem_ptr(bio_out, &bio_buf);\n vcerts.asArrRef().set(s_pkey,\n String((char*)bio_buf->data, bio_buf->length, CopyString));\n }\n BIO_free(bio_out);\n }\n\n if (ca) {\n Array extracerts;\n for (X509 *aCA = sk_X509_pop(ca); aCA; aCA = sk_X509_pop(ca)) {\n bio_out = BIO_new(BIO_s_mem());\n if (PEM_write_bio_X509(bio_out, aCA)) {\n BUF_MEM *bio_buf;\n BIO_get_mem_ptr(bio_out, &bio_buf);\n extracerts.append(String((char*)bio_buf->data, bio_buf->length,\n CopyString));\n }\n BIO_free(bio_out);\n X509_free(aCA);\n }\n sk_X509_free(ca);\n vcerts.asArrRef().set(s_extracerts, extracerts);\n }\n ret = true;\n PKCS12_free(p12);\n }\n }\n\n cleanup:\n if (bio_in) {\n BIO_free(bio_in);\n }\n\n return ret;\n}\n\nbool HHVM_FUNCTION(openssl_pkcs7_decrypt, const String& infilename,\n const String& outfilename,\n const Variant& recipcert,\n const Variant& recipkey /* = uninit_variant */) {\n bool ret = false;\n BIO *in = nullptr, *out = nullptr, *datain = nullptr;\n PKCS7 *p7 = nullptr;\n req::ptr okey;\n\n auto ocert = Certificate::Get(recipcert);\n if (!ocert) {\n raise_warning(\"unable to coerce parameter 3 to x509 cert\");\n goto clean_exit;\n }\n\n okey = Key::Get(recipkey.isNull() ? 
recipcert : recipkey, false);\n if (!okey) {\n raise_warning(\"unable to get private key\");\n goto clean_exit;\n }\n\n in = BIO_new_file(infilename.data(), \"r\");\n if (in == nullptr) {\n raise_warning(\"error opening the file, %s\", infilename.data());\n goto clean_exit;\n }\n out = BIO_new_file(outfilename.data(), \"w\");\n if (out == nullptr) {\n raise_warning(\"error opening the file, %s\", outfilename.data());\n goto clean_exit;\n }\n\n p7 = SMIME_read_PKCS7(in, &datain);\n if (p7 == nullptr) {\n goto clean_exit;\n }\n assertx(okey->m_key);\n assertx(ocert->m_cert);\n if (PKCS7_decrypt(p7, okey->m_key, ocert->m_cert, out, PKCS7_DETACHED)) {\n ret = true;\n }\n\n clean_exit:\n PKCS7_free(p7);\n BIO_free(datain);\n BIO_free(in);\n BIO_free(out);\n\n return ret;\n}\n\nstatic void print_headers(BIO *outfile, const Array& headers) {\n if (!headers.isNull()) {\n if (headers->isVectorData()) {\n for (ArrayIter iter(headers); iter; ++iter) {\n BIO_printf(outfile, \"%s\\n\", iter.second().toString().data());\n }\n } else {\n for (ArrayIter iter(headers); iter; ++iter) {\n BIO_printf(outfile, \"%s: %s\\n\", iter.first().toString().data(),\n iter.second().toString().data());\n }\n }\n }\n}\n\nbool HHVM_FUNCTION(openssl_pkcs7_encrypt, const String& infilename,\n const String& outfilename,\n const Variant& recipcerts,\n const Array& headers,\n int flags /* = 0 */,\n int cipherid /* = k_OPENSSL_CIPHER_RC2_40 */) {\n bool ret = false;\n BIO *infile = nullptr, *outfile = nullptr;\n STACK_OF(X509) *precipcerts = nullptr;\n PKCS7 *p7 = nullptr;\n const EVP_CIPHER *cipher = nullptr;\n\n infile = BIO_new_file(infilename.data(), (flags & PKCS7_BINARY) ? 
\"rb\" : \"r\");\n if (infile == nullptr) {\n raise_warning(\"error opening the file, %s\", infilename.data());\n goto clean_exit;\n }\n outfile = BIO_new_file(outfilename.data(), \"w\");\n if (outfile == nullptr) {\n raise_warning(\"error opening the file, %s\", outfilename.data());\n goto clean_exit;\n }\n\n precipcerts = php_array_to_X509_sk(recipcerts);\n\n /* sanity check the cipher */\n switch (cipherid) {\n#ifndef OPENSSL_NO_RC2\n case PHP_OPENSSL_CIPHER_RC2_40: cipher = EVP_rc2_40_cbc(); break;\n case PHP_OPENSSL_CIPHER_RC2_64: cipher = EVP_rc2_64_cbc(); break;\n case PHP_OPENSSL_CIPHER_RC2_128: cipher = EVP_rc2_cbc(); break;\n#endif\n#ifndef OPENSSL_NO_DES\n case PHP_OPENSSL_CIPHER_DES: cipher = EVP_des_cbc(); break;\n case PHP_OPENSSL_CIPHER_3DES: cipher = EVP_des_ede3_cbc(); break;\n#endif\n default:\n raise_warning(\"Invalid cipher type `%d'\", cipherid);\n goto clean_exit;\n }\n if (cipher == nullptr) {\n raise_warning(\"Failed to get cipher\");\n goto clean_exit;\n }\n\n p7 = PKCS7_encrypt(precipcerts, infile, (EVP_CIPHER*)cipher, flags);\n if (p7 == nullptr) goto clean_exit;\n\n print_headers(outfile, headers);\n (void)BIO_reset(infile);\n SMIME_write_PKCS7(outfile, p7, infile, flags);\n ret = true;\n\n clean_exit:\n PKCS7_free(p7);\n BIO_free(infile);\n BIO_free(outfile);\n sk_X509_free(precipcerts);\n return ret;\n}\n\nbool HHVM_FUNCTION(openssl_pkcs7_sign, const String& infilename,\n const String& outfilename,\n const Variant& signcert,\n const Variant& privkey,\n const Variant& headers,\n int flags /* = k_PKCS7_DETACHED */,\n const String& extracerts /* = null_string */) {\n bool ret = false;\n STACK_OF(X509) *others = nullptr;\n BIO *infile = nullptr, *outfile = nullptr;\n PKCS7 *p7 = nullptr;\n req::ptr okey;\n req::ptr ocert;\n\n if (!extracerts.empty()) {\n others = load_all_certs_from_file(extracerts.data());\n if (others == nullptr) {\n goto clean_exit;\n }\n }\n\n okey = Key::Get(privkey, false);\n if (!okey) {\n raise_warning(\"error 
getting private key\");\n goto clean_exit;\n }\n EVP_PKEY *key;\n key = okey->m_key;\n\n ocert = Certificate::Get(signcert);\n if (!ocert) {\n raise_warning(\"error getting cert\");\n goto clean_exit;\n }\n X509 *cert;\n cert = ocert->m_cert;\n\n infile = BIO_new_file(infilename.data(), (flags & PKCS7_BINARY) ? \"rb\" : \"r\");\n if (infile == nullptr) {\n raise_warning(\"error opening input file %s!\", infilename.data());\n goto clean_exit;\n }\n\n outfile = BIO_new_file(outfilename.data(), \"w\");\n if (outfile == nullptr) {\n raise_warning(\"error opening output file %s!\", outfilename.data());\n goto clean_exit;\n }\n\n p7 = PKCS7_sign(cert, key, others, infile, flags);\n if (p7 == nullptr) {\n raise_warning(\"error creating PKCS7 structure!\");\n goto clean_exit;\n }\n\n print_headers(outfile, headers.toArray());\n (void)BIO_reset(infile);\n SMIME_write_PKCS7(outfile, p7, infile, flags);\n ret = true;\n\n clean_exit:\n PKCS7_free(p7);\n BIO_free(infile);\n BIO_free(outfile);\n if (others) {\n sk_X509_pop_free(others, X509_free);\n }\n\n return ret;\n}\n\nstatic int pkcs7_ignore_expiration(int ok, X509_STORE_CTX *ctx) {\n if (ok) {\n return ok;\n }\n int error = X509_STORE_CTX_get_error(ctx);\n if (error == X509_V_ERR_CERT_HAS_EXPIRED) {\n // ignore cert expirations\n Logger::Verbose(\"Ignoring cert expiration\");\n return 1;\n }\n return ok;\n}\n\n/**\n * NOTE: when ignore_cert_expiration is true, a custom certificate validation\n * callback is set up. 
Please be aware of this if you modify the function to\n * allow other certificate validation behaviors\n */\nVariant openssl_pkcs7_verify_core(\n const String& filename,\n int flags,\n const Variant& voutfilename /* = null_string */,\n const Variant& vcainfo /* = null_array */,\n const Variant& vextracerts /* = null_string */,\n const Variant& vcontent /* = null_string */,\n bool ignore_cert_expiration\n) {\n Variant ret = -1;\n X509_STORE *store = nullptr;\n BIO *in = nullptr;\n PKCS7 *p7 = nullptr;\n BIO *datain = nullptr;\n BIO *dataout = nullptr;\n\n auto cainfo = vcainfo.toArray();\n auto extracerts = vextracerts.toString();\n auto content = vcontent.toString();\n\n STACK_OF(X509) *others = nullptr;\n if (!extracerts.empty()) {\n others = load_all_certs_from_file(extracerts.data());\n if (others == nullptr) {\n goto clean_exit;\n }\n }\n\n flags = flags & ~PKCS7_DETACHED;\n\n store = setup_verify(cainfo);\n if (!store) {\n goto clean_exit;\n }\n if (ignore_cert_expiration) {\n#if (OPENSSL_VERSION_NUMBER >= 0x10000000)\n // make sure no other callback is specified\n #if OPENSSL_VERSION_NUMBER >= 0x10100000L\n assertx(!X509_STORE_get_verify_cb(store));\n #else\n assertx(!store->verify_cb);\n #endif\n // ignore expired certs\n X509_STORE_set_verify_cb(store, pkcs7_ignore_expiration);\n#else\n always_assert(false);\n#endif\n }\n in = BIO_new_file(filename.data(), (flags & PKCS7_BINARY) ? 
\"rb\" : \"r\");\n if (in == nullptr) {\n raise_warning(\"error opening the file, %s\", filename.data());\n goto clean_exit;\n }\n\n p7 = SMIME_read_PKCS7(in, &datain);\n if (p7 == nullptr) {\n goto clean_exit;\n }\n\n if (!content.empty()) {\n dataout = BIO_new_file(content.data(), \"w\");\n if (dataout == nullptr) {\n raise_warning(\"error opening the file, %s\", content.data());\n goto clean_exit;\n }\n }\n\n if (PKCS7_verify(p7, others, store, datain, dataout, flags)) {\n ret = true;\n auto outfilename = voutfilename.toString();\n if (!outfilename.empty()) {\n BIO *certout = BIO_new_file(outfilename.data(), \"w\");\n if (certout) {\n STACK_OF(X509) *signers = PKCS7_get0_signers(p7, nullptr, flags);\n for (int i = 0; i < sk_X509_num(signers); i++) {\n PEM_write_bio_X509(certout, sk_X509_value(signers, i));\n }\n BIO_free(certout);\n sk_X509_free(signers);\n } else {\n raise_warning(\"signature OK, but cannot open %s for writing\",\n outfilename.data());\n ret = -1;\n }\n }\n goto clean_exit;\n } else {\n ret = false;\n }\n\n clean_exit:\n X509_STORE_free(store);\n BIO_free(datain);\n BIO_free(in);\n BIO_free(dataout);\n PKCS7_free(p7);\n sk_X509_pop_free(others, X509_free);\n\n return ret;\n}\n\nVariant HHVM_FUNCTION(openssl_pkcs7_verify, const String& filename, int flags,\n const Variant& voutfilename /* = null_string */,\n const Variant& vcainfo /* = null_array */,\n const Variant& vextracerts /* = null_string */,\n const Variant& vcontent /* = null_string */) {\n return openssl_pkcs7_verify_core(filename, flags, voutfilename, vcainfo,\n vextracerts, vcontent, false);\n}\n\nstatic bool\nopenssl_pkey_export_impl(const Variant& key, BIO *bio_out,\n const String& passphrase /* = null_string */,\n const Variant& configargs /* = uninit_variant */) {\n auto okey = Key::Get(key, false, passphrase.data());\n if (!okey) {\n raise_warning(\"cannot get key from parameter 1\");\n return false;\n }\n EVP_PKEY *pkey = okey->m_key;\n\n struct php_x509_request req;\n 
memset(&req, 0, sizeof(req));\n std::vector strings;\n bool ret = false;\n if (php_openssl_parse_config(&req, configargs.toArray(), strings)) {\n const EVP_CIPHER *cipher;\n if (!passphrase.empty() && req.priv_key_encrypt) {\n cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();\n } else {\n cipher = nullptr;\n }\n assertx(bio_out);\n\n switch (EVP_PKEY_id(pkey)) {\n#ifdef HAVE_EVP_PKEY_EC\n case EVP_PKEY_EC:\n ret = PEM_write_bio_ECPrivateKey(bio_out, EVP_PKEY_get0_EC_KEY(pkey),\n cipher,\n (unsigned char *)passphrase.data(),\n passphrase.size(),\n nullptr,\n nullptr);\n break;\n#endif\n default:\n ret = PEM_write_bio_PrivateKey(bio_out, pkey, cipher,\n (unsigned char *)passphrase.data(),\n passphrase.size(), nullptr, nullptr);\n break;\n }\n }\n php_openssl_dispose_config(&req);\n return ret;\n}\n\nbool HHVM_FUNCTION(openssl_pkey_export_to_file, const Variant& key,\n const String& outfilename,\n const String& passphrase /* = null_string */,\n const Variant& configargs /* = uninit_variant */) {\n BIO *bio_out = BIO_new_file(outfilename.data(), \"w\");\n if (bio_out == nullptr) {\n raise_warning(\"error opening the file, %s\", outfilename.data());\n return false;\n }\n bool ret = openssl_pkey_export_impl(key, bio_out, passphrase, configargs);\n BIO_free(bio_out);\n return ret;\n}\n\nbool HHVM_FUNCTION(openssl_pkey_export, const Variant& key, Variant& out,\n const String& passphrase /* = null_string */,\n const Variant& configargs /* = uninit_variant */) {\n BIO *bio_out = BIO_new(BIO_s_mem());\n bool ret = openssl_pkey_export_impl(key, bio_out, passphrase, configargs);\n if (ret) {\n char *bio_mem_ptr;\n long bio_mem_len = BIO_get_mem_data(bio_out, &bio_mem_ptr);\n out = String(bio_mem_ptr, bio_mem_len, CopyString);\n }\n BIO_free(bio_out);\n return ret;\n}\n\nconst StaticString\n s_bits(\"bits\"),\n s_key(\"key\"),\n s_type(\"type\"),\n s_name(\"name\"),\n s_hash(\"hash\"),\n s_version(\"version\"),\n s_serialNumber(\"serialNumber\"),\n 
s_signatureAlgorithm(\"signatureAlgorithm\"),\n s_validFrom(\"validFrom\"),\n s_validTo(\"validTo\"),\n s_validFrom_time_t(\"validFrom_time_t\"),\n s_validTo_time_t(\"validTo_time_t\"),\n s_alias(\"alias\"),\n s_purposes(\"purposes\"),\n s_extensions(\"extensions\"),\n s_rsa(\"rsa\"),\n s_dsa(\"dsa\"),\n s_dh(\"dh\"),\n s_ec(\"ec\"),\n s_n(\"n\"),\n s_e(\"e\"),\n s_d(\"d\"),\n s_p(\"p\"),\n s_q(\"q\"),\n s_g(\"g\"),\n s_x(\"x\"),\n s_y(\"y\"),\n s_dmp1(\"dmp1\"),\n s_dmq1(\"dmq1\"),\n s_iqmp(\"iqmp\"),\n s_priv_key(\"priv_key\"),\n s_pub_key(\"pub_key\"),\n s_curve_oid(\"curve_oid\");\n\nstatic void add_bignum_as_string(Array &arr,\n StaticString key,\n const BIGNUM *bn) {\n if (!bn) {\n return;\n }\n int num_bytes = BN_num_bytes(bn);\n String str{size_t(num_bytes), ReserveString};\n BN_bn2bin(bn, (unsigned char*)str.mutableData());\n str.setSize(num_bytes);\n arr.set(key, std::move(str));\n}\n\nArray HHVM_FUNCTION(openssl_pkey_get_details, const Resource& key) {\n EVP_PKEY *pkey = cast(key)->m_key;\n BIO *out = BIO_new(BIO_s_mem());\n PEM_write_bio_PUBKEY(out, pkey);\n char *pbio;\n unsigned int pbio_len = BIO_get_mem_data(out, &pbio);\n\n auto ret = make_darray(\n s_bits, EVP_PKEY_bits(pkey),\n s_key, String(pbio, pbio_len, CopyString)\n );\n long ktype = -1;\n\n auto details = Array::CreateDArray();\n switch (EVP_PKEY_id(pkey)) {\n case EVP_PKEY_RSA:\n case EVP_PKEY_RSA2:\n {\n ktype = OPENSSL_KEYTYPE_RSA;\n RSA *rsa = EVP_PKEY_get0_RSA(pkey);\n assertx(rsa);\n const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;\n RSA_get0_key(rsa, &n, &e, &d);\n RSA_get0_factors(rsa, &p, &q);\n RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);\n add_bignum_as_string(details, s_n, n);\n add_bignum_as_string(details, s_e, e);\n add_bignum_as_string(details, s_d, d);\n add_bignum_as_string(details, s_p, p);\n add_bignum_as_string(details, s_q, q);\n add_bignum_as_string(details, s_dmp1, dmp1);\n add_bignum_as_string(details, s_dmq1, dmq1);\n add_bignum_as_string(details, s_iqmp, 
iqmp);\n ret.set(s_rsa, details);\n break;\n }\n case EVP_PKEY_DSA:\n case EVP_PKEY_DSA2:\n case EVP_PKEY_DSA3:\n case EVP_PKEY_DSA4:\n {\n ktype = OPENSSL_KEYTYPE_DSA;\n DSA *dsa = EVP_PKEY_get0_DSA(pkey);\n assertx(dsa);\n const BIGNUM *p, *q, *g, *pub_key, *priv_key;\n DSA_get0_pqg(dsa, &p, &q, &g);\n DSA_get0_key(dsa, &pub_key, &priv_key);\n add_bignum_as_string(details, s_p, p);\n add_bignum_as_string(details, s_q, q);\n add_bignum_as_string(details, s_g, g);\n add_bignum_as_string(details, s_priv_key, priv_key);\n add_bignum_as_string(details, s_pub_key, pub_key);\n ret.set(s_dsa, details);\n break;\n }\n case EVP_PKEY_DH:\n {\n ktype = OPENSSL_KEYTYPE_DH;\n DH *dh = EVP_PKEY_get0_DH(pkey);\n assertx(dh);\n const BIGNUM *p, *q, *g, *pub_key, *priv_key;\n DH_get0_pqg(dh, &p, &q, &g);\n DH_get0_key(dh, &pub_key, &priv_key);\n add_bignum_as_string(details, s_p, p);\n add_bignum_as_string(details, s_g, g);\n add_bignum_as_string(details, s_priv_key, priv_key);\n add_bignum_as_string(details, s_pub_key, pub_key);\n ret.set(s_dh, details);\n break;\n }\n#ifdef HAVE_EVP_PKEY_EC\n case EVP_PKEY_EC:\n {\n ktype = OPENSSL_KEYTYPE_EC;\n auto const ec = EVP_PKEY_get0_EC_KEY(pkey);\n assertx(ec);\n\n auto const ec_group = EC_KEY_get0_group(ec);\n auto const nid = EC_GROUP_get_curve_name(ec_group);\n if (nid == NID_undef) {\n break;\n }\n\n auto const crv_sn = OBJ_nid2sn(nid);\n if (crv_sn != nullptr) {\n details.set(s_curve_name, String(crv_sn, CopyString));\n }\n\n auto const obj = OBJ_nid2obj(nid);\n if (obj != nullptr) {\n SCOPE_EXIT {\n ASN1_OBJECT_free(obj);\n };\n char oir_buf[256];\n OBJ_obj2txt(oir_buf, sizeof(oir_buf) - 1, obj, 1);\n details.set(s_curve_oid, String(oir_buf, CopyString));\n }\n\n auto x = BN_new();\n auto y = BN_new();\n SCOPE_EXIT {\n BN_free(x);\n BN_free(y);\n };\n auto const pub = EC_KEY_get0_public_key(ec);\n if (EC_POINT_get_affine_coordinates_GFp(ec_group, pub, x, y, nullptr)) {\n add_bignum_as_string(details, s_x, x);\n 
add_bignum_as_string(details, s_y, y);\n }\n\n auto d = BN_dup(EC_KEY_get0_private_key(ec));\n SCOPE_EXIT {\n BN_free(d);\n };\n if (d != nullptr) {\n add_bignum_as_string(details, s_d, d);\n }\n\n ret.set(s_ec, details);\n }\n break;\n#endif\n }\n ret.set(s_type, ktype);\n BIO_free(out);\n return ret;\n}\n\nVariant HHVM_FUNCTION(openssl_pkey_get_private, const Variant& key,\n const String& passphrase /* = null_string */) {\n return toVariant(Key::Get(key, false, passphrase.data()));\n}\n\nVariant HHVM_FUNCTION(openssl_pkey_get_public, const Variant& certificate) {\n return toVariant(Key::Get(certificate, true));\n}\n\nVariant HHVM_FUNCTION(openssl_pkey_new,\n const Variant& configargs /* = uninit_variant */) {\n struct php_x509_request req;\n memset(&req, 0, sizeof(req));\n SCOPE_EXIT {\n php_openssl_dispose_config(&req);\n };\n\n std::vector strings;\n if (php_openssl_parse_config(&req, configargs.toArray(), strings) &&\n req.generatePrivateKey()) {\n return Resource(req::make(req.priv_key));\n } else {\n return false;\n }\n}\n\nbool HHVM_FUNCTION(openssl_private_decrypt, const String& data,\n Variant& decrypted,\n const Variant& key,\n int padding /* = k_OPENSSL_PKCS1_PADDING */) {\n auto okey = Key::Get(key, false);\n if (!okey) {\n raise_warning(\"key parameter is not a valid private key\");\n return false;\n }\n EVP_PKEY *pkey = okey->m_key;\n int cryptedlen = EVP_PKEY_size(pkey);\n String s = String(cryptedlen, ReserveString);\n unsigned char *cryptedbuf = (unsigned char *)s.mutableData();\n\n int successful = 0;\n switch (EVP_PKEY_id(pkey)) {\n case EVP_PKEY_RSA:\n case EVP_PKEY_RSA2:\n cryptedlen = RSA_private_decrypt(data.size(),\n (unsigned char *)data.data(),\n cryptedbuf,\n EVP_PKEY_get0_RSA(pkey),\n padding);\n if (cryptedlen != -1) {\n successful = 1;\n }\n break;\n\n default:\n raise_warning(\"key type not supported\");\n }\n\n if (successful) {\n decrypted = s.setSize(cryptedlen);\n return true;\n }\n\n return false;\n}\n\nbool 
HHVM_FUNCTION(openssl_private_encrypt, const String& data,\n Variant& crypted,\n const Variant& key,\n int padding /* = k_OPENSSL_PKCS1_PADDING */) {\n auto okey = Key::Get(key, false);\n if (!okey) {\n raise_warning(\"key param is not a valid private key\");\n return false;\n }\n EVP_PKEY *pkey = okey->m_key;\n int cryptedlen = EVP_PKEY_size(pkey);\n String s = String(cryptedlen, ReserveString);\n unsigned char *cryptedbuf = (unsigned char *)s.mutableData();\n\n int successful = 0;\n switch (EVP_PKEY_id(pkey)) {\n case EVP_PKEY_RSA:\n case EVP_PKEY_RSA2:\n successful = (RSA_private_encrypt(data.size(),\n (unsigned char *)data.data(),\n cryptedbuf,\n EVP_PKEY_get0_RSA(pkey),\n padding) == cryptedlen);\n break;\n default:\n raise_warning(\"key type not supported\");\n }\n\n if (successful) {\n crypted = s.setSize(cryptedlen);\n return true;\n }\n\n return false;\n}\n\nbool HHVM_FUNCTION(openssl_public_decrypt, const String& data,\n Variant& decrypted,\n const Variant& key,\n int padding /* = k_OPENSSL_PKCS1_PADDING */) {\n auto okey = Key::Get(key, true);\n if (!okey) {\n raise_warning(\"key parameter is not a valid public key\");\n return false;\n }\n EVP_PKEY *pkey = okey->m_key;\n int cryptedlen = EVP_PKEY_size(pkey);\n String s = String(cryptedlen, ReserveString);\n unsigned char *cryptedbuf = (unsigned char *)s.mutableData();\n\n int successful = 0;\n switch (EVP_PKEY_id(pkey)) {\n case EVP_PKEY_RSA:\n case EVP_PKEY_RSA2:\n cryptedlen = RSA_public_decrypt(data.size(),\n (unsigned char *)data.data(),\n cryptedbuf,\n EVP_PKEY_get0_RSA(pkey),\n padding);\n if (cryptedlen != -1) {\n successful = 1;\n }\n break;\n\n default:\n raise_warning(\"key type not supported\");\n }\n\n if (successful) {\n decrypted = s.setSize(cryptedlen);\n return true;\n }\n\n return false;\n}\n\nbool HHVM_FUNCTION(openssl_public_encrypt, const String& data,\n Variant& crypted,\n const Variant& key,\n int padding /* = k_OPENSSL_PKCS1_PADDING */) {\n auto okey = Key::Get(key, true);\n if 
(!okey) {\n raise_warning(\"key parameter is not a valid public key\");\n return false;\n }\n EVP_PKEY *pkey = okey->m_key;\n int cryptedlen = EVP_PKEY_size(pkey);\n String s = String(cryptedlen, ReserveString);\n unsigned char *cryptedbuf = (unsigned char *)s.mutableData();\n\n int successful = 0;\n switch (EVP_PKEY_id(pkey)) {\n case EVP_PKEY_RSA:\n case EVP_PKEY_RSA2:\n successful = (RSA_public_encrypt(data.size(),\n (unsigned char *)data.data(),\n cryptedbuf,\n EVP_PKEY_get0_RSA(pkey),\n padding) == cryptedlen);\n break;\n default:\n raise_warning(\"key type not supported\");\n }\n\n if (successful) {\n crypted = s.setSize(cryptedlen);\n return true;\n }\n\n return false;\n}\n\nVariant HHVM_FUNCTION(openssl_seal, const String& data, Variant& sealed_data,\n Variant& env_keys,\n const Array& pub_key_ids,\n const String& method,\n Variant& iv) {\n int nkeys = pub_key_ids.size();\n if (nkeys == 0) {\n raise_warning(\"Fourth argument to openssl_seal() must be \"\n \"a non-empty array\");\n return false;\n }\n\n const EVP_CIPHER *cipher_type;\n if (method.empty()) {\n cipher_type = EVP_rc4();\n } else {\n cipher_type = EVP_get_cipherbyname(method.c_str());\n if (!cipher_type) {\n raise_warning(\"Unknown cipher algorithm\");\n return false;\n }\n }\n\n int iv_len = EVP_CIPHER_iv_length(cipher_type);\n unsigned char *iv_buf = nullptr;\n String iv_s;\n if (iv_len > 0) {\n iv_s = String(iv_len, ReserveString);\n iv_buf = (unsigned char*)iv_s.mutableData();\n\n if (!RAND_bytes(iv_buf, iv_len)) {\n raise_warning(\"Could not generate an IV.\");\n return false;\n }\n }\n\n EVP_PKEY **pkeys = (EVP_PKEY**)malloc(nkeys * sizeof(*pkeys));\n int *eksl = (int*)malloc(nkeys * sizeof(*eksl));\n unsigned char **eks = (unsigned char **)malloc(nkeys * sizeof(*eks));\n memset(eks, 0, sizeof(*eks) * nkeys);\n\n // holder is needed to make sure none of the Keys get deleted prematurely.\n // The pkeys array points to elements inside of Keys returned from Key::Get()\n // which may be newly 
allocated and have no other owners.\n std::vector> holder;\n\n /* get the public keys we are using to seal this data */\n bool ret = true;\n int i = 0;\n String s;\n unsigned char* buf = nullptr;\n EVP_CIPHER_CTX* ctx = nullptr;\n for (ArrayIter iter(pub_key_ids); iter; ++iter, ++i) {\n auto okey = Key::Get(iter.second(), true);\n if (!okey) {\n raise_warning(\"not a public key (%dth member of pubkeys)\", i + 1);\n ret = false;\n goto clean_exit;\n }\n holder.push_back(okey);\n pkeys[i] = okey->m_key;\n eks[i] = (unsigned char *)malloc(EVP_PKEY_size(pkeys[i]) + 1);\n }\n\n ctx = EVP_CIPHER_CTX_new();\n if (ctx == nullptr) {\n raise_warning(\"Failed to allocate an EVP_CIPHER_CTX object\");\n ret = false;\n goto clean_exit;\n }\n if (!EVP_EncryptInit_ex(ctx, cipher_type, nullptr, nullptr, nullptr)) {\n ret = false;\n goto clean_exit;\n }\n\n int len1, len2;\n\n s = String(data.size() + EVP_CIPHER_CTX_block_size(ctx), ReserveString);\n buf = (unsigned char *)s.mutableData();\n if (EVP_SealInit(ctx, cipher_type, eks, eksl, iv_buf, pkeys, nkeys) <= 0 ||\n !EVP_SealUpdate(ctx, buf, &len1, (unsigned char*)data.data(), data.size()) ||\n !EVP_SealFinal(ctx, buf + len1, &len2)) {\n ret = false;\n goto clean_exit;\n }\n\n if (len1 + len2 > 0) {\n sealed_data = s.setSize(len1 + len2);\n\n auto ekeys = Array::CreateVArray();\n for (i = 0; i < nkeys; i++) {\n eks[i][eksl[i]] = '\\0';\n ekeys.append(String((char*)eks[i], eksl[i], AttachString));\n eks[i] = nullptr;\n }\n env_keys = ekeys;\n }\n\n clean_exit:\n for (i = 0; i < nkeys; i++) {\n if (eks[i]) free(eks[i]);\n }\n free(eks);\n free(eksl);\n free(pkeys);\n\n if (iv_buf != nullptr) {\n if (ret) {\n iv = iv_s.setSize(iv_len);\n }\n }\n if (ctx != nullptr) {\n EVP_CIPHER_CTX_free(ctx);\n }\n\n if (ret) return len1 + len2;\n return false;\n}\n\nstatic const EVP_MD *php_openssl_get_evp_md_from_algo(long algo) {\n switch (algo) {\n case OPENSSL_ALGO_SHA1: return EVP_sha1();\n case OPENSSL_ALGO_MD5: return EVP_md5();\n case 
OPENSSL_ALGO_MD4: return EVP_md4();\n#ifdef HAVE_OPENSSL_MD2_H\n case OPENSSL_ALGO_MD2: return EVP_md2();\n#endif\n#if OPENSSL_VERSION_NUMBER < 0x10100000L\n case OPENSSL_ALGO_DSS1: return EVP_dss1();\n#endif\n#if OPENSSL_VERSION_NUMBER >= 0x0090708fL\n case OPENSSL_ALGO_SHA224: return EVP_sha224();\n case OPENSSL_ALGO_SHA256: return EVP_sha256();\n case OPENSSL_ALGO_SHA384: return EVP_sha384();\n case OPENSSL_ALGO_SHA512: return EVP_sha512();\n case OPENSSL_ALGO_RMD160: return EVP_ripemd160();\n#endif\n }\n return nullptr;\n}\n\nbool HHVM_FUNCTION(openssl_sign, const String& data, Variant& signature,\n const Variant& priv_key_id,\n const Variant& signature_alg /* = k_OPENSSL_ALGO_SHA1 */) {\n auto okey = Key::Get(priv_key_id, false);\n if (!okey) {\n raise_warning(\"supplied key param cannot be coerced into a private key\");\n return false;\n }\n\n const EVP_MD *mdtype = nullptr;\n if (signature_alg.isInteger()) {\n mdtype = php_openssl_get_evp_md_from_algo(signature_alg.toInt64Val());\n } else if (signature_alg.isString()) {\n mdtype = EVP_get_digestbyname(signature_alg.toString().data());\n }\n\n if (!mdtype) {\n raise_warning(\"Unknown signature algorithm.\");\n return false;\n }\n\n EVP_PKEY *pkey = okey->m_key;\n int siglen = EVP_PKEY_size(pkey);\n String s = String(siglen, ReserveString);\n unsigned char *sigbuf = (unsigned char *)s.mutableData();\n\n EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();\n SCOPE_EXIT {\n EVP_MD_CTX_free(md_ctx);\n };\n EVP_SignInit(md_ctx, mdtype);\n EVP_SignUpdate(md_ctx, (unsigned char *)data.data(), data.size());\n if (EVP_SignFinal(md_ctx, sigbuf, (unsigned int *)&siglen, pkey)) {\n signature = s.setSize(siglen);\n return true;\n }\n return false;\n}\n\nVariant HHVM_FUNCTION(openssl_verify, const String& data,\n const String& signature,\n const Variant& pub_key_id,\n const Variant& signature_alg /* = k_OPENSSL_ALGO_SHA1 */) {\n int err;\n const EVP_MD *mdtype = nullptr;\n\n if (signature_alg.isInteger()) {\n mdtype = 
php_openssl_get_evp_md_from_algo(signature_alg.toInt64Val());\n } else if (signature_alg.isString()) {\n mdtype = EVP_get_digestbyname(signature_alg.toString().data());\n }\n\n if (!mdtype) {\n raise_warning(\"Unknown signature algorithm.\");\n return false;\n }\n\n auto okey = Key::Get(pub_key_id, true);\n if (!okey) {\n raise_warning(\"supplied key param cannot be coerced into a public key\");\n return false;\n }\n\n EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();\n SCOPE_EXIT {\n EVP_MD_CTX_free(md_ctx);\n };\n EVP_VerifyInit(md_ctx, mdtype);\n EVP_VerifyUpdate(md_ctx, (unsigned char*)data.data(), data.size());\n err = EVP_VerifyFinal(md_ctx, (unsigned char *)signature.data(),\n signature.size(), okey->m_key);\n return err;\n}\n\nbool HHVM_FUNCTION(openssl_x509_check_private_key, const Variant& cert,\n const Variant& key) {\n auto ocert = Certificate::Get(cert);\n if (!ocert) {\n return false;\n }\n auto okey = Key::Get(key, false);\n if (!okey) {\n return false;\n }\n return X509_check_private_key(ocert->m_cert, okey->m_key);\n}\n\nstatic int check_cert(X509_STORE *ctx, X509 *x, STACK_OF(X509) *untrustedchain,\n int purpose) {\n X509_STORE_CTX *csc = X509_STORE_CTX_new();\n if (csc == nullptr) {\n raise_warning(\"memory allocation failure\");\n return 0;\n }\n X509_STORE_CTX_init(csc, ctx, x, untrustedchain);\n\n if (purpose >= 0) {\n X509_STORE_CTX_set_purpose(csc, purpose);\n }\n\n int ret = X509_verify_cert(csc);\n X509_STORE_CTX_free(csc);\n return ret;\n}\n\nVariant HHVM_FUNCTION(openssl_x509_checkpurpose, const Variant& x509cert,\n int purpose,\n const Array& cainfo /* = null_array */,\n const String& untrustedfile /* = null_string */) {\n int ret = -1;\n STACK_OF(X509) *untrustedchain = nullptr;\n X509_STORE *pcainfo = nullptr;\n req::ptr ocert;\n\n if (!untrustedfile.empty()) {\n untrustedchain = load_all_certs_from_file(untrustedfile.data());\n if (untrustedchain == nullptr) {\n goto clean_exit;\n }\n }\n\n pcainfo = setup_verify(cainfo);\n if (pcainfo == 
nullptr) {\n goto clean_exit;\n }\n\n ocert = Certificate::Get(x509cert);\n if (!ocert) {\n raise_warning(\"cannot get cert from parameter 1\");\n return false;\n }\n X509 *cert;\n cert = ocert->m_cert;\n assertx(cert);\n\n ret = check_cert(pcainfo, cert, untrustedchain, purpose);\n\n clean_exit:\n if (pcainfo) {\n X509_STORE_free(pcainfo);\n }\n if (untrustedchain) {\n sk_X509_pop_free(untrustedchain, X509_free);\n }\n return ret == 1 ? true : ret == 0 ? false : -1;\n}\n\nstatic bool openssl_x509_export_impl(const Variant& x509, BIO *bio_out,\n bool notext /* = true */) {\n auto ocert = Certificate::Get(x509);\n if (!ocert) {\n raise_warning(\"cannot get cert from parameter 1\");\n return false;\n }\n X509 *cert = ocert->m_cert;\n assertx(cert);\n\n assertx(bio_out);\n if (!notext) {\n X509_print(bio_out, cert);\n }\n return PEM_write_bio_X509(bio_out, cert);\n}\n\nbool HHVM_FUNCTION(openssl_x509_export_to_file, const Variant& x509,\n const String& outfilename,\n bool notext /* = true */) {\n BIO *bio_out = BIO_new_file((char*)outfilename.data(), \"w\");\n if (bio_out == nullptr) {\n raise_warning(\"error opening file %s\", outfilename.data());\n return false;\n }\n bool ret = openssl_x509_export_impl(x509, bio_out, notext);\n BIO_free(bio_out);\n return ret;\n}\n\nbool HHVM_FUNCTION(openssl_x509_export, const Variant& x509, Variant& output,\n bool notext /* = true */) {\n BIO *bio_out = BIO_new(BIO_s_mem());\n bool ret = openssl_x509_export_impl(x509, bio_out, notext);\n if (ret) {\n BUF_MEM *bio_buf;\n BIO_get_mem_ptr(bio_out, &bio_buf);\n output = String(bio_buf->data, bio_buf->length, CopyString);\n }\n BIO_free(bio_out);\n return ret;\n}\n\n/**\n * This is how the time string is formatted:\n *\n * snprintf(p, sizeof(p), \"%02d%02d%02d%02d%02d%02dZ\",ts->tm_year%100,\n * ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);\n */\nstatic time_t asn1_time_to_time_t(ASN1_UTCTIME *timestr) {\n\n auto const timestr_type = ASN1_STRING_type(timestr);\n\n if 
(timestr_type != V_ASN1_UTCTIME && timestr_type != V_ASN1_GENERALIZEDTIME) {\n raise_warning(\"illegal ASN1 data type for timestamp\");\n return (time_t)-1;\n }\n\n auto const timestr_len = (size_t)ASN1_STRING_length(timestr);\n\n // Binary safety\n if (timestr_len != strlen((char*)ASN1_STRING_data(timestr))) {\n raise_warning(\"illegal length in timestamp\");\n return (time_t)-1;\n }\n\n if (timestr_len < 13 && timestr_len != 11) {\n raise_warning(\"unable to parse time string %s correctly\",\n timestr->data);\n return (time_t)-1;\n }\n\n if (timestr_type == V_ASN1_GENERALIZEDTIME && timestr_len < 15) {\n raise_warning(\"unable to parse time string %s correctly\", timestr->data);\n return (time_t)-1;\n }\n\n char *strbuf = strdup((char*)timestr->data);\n\n struct tm thetime;\n memset(&thetime, 0, sizeof(thetime));\n\n /* we work backwards so that we can use atoi more easily */\n char *thestr = strbuf + ASN1_STRING_length(timestr) - 3;\n if (ASN1_STRING_length(timestr) == 11) {\n thetime.tm_sec = 0;\n } else {\n thetime.tm_sec = atoi(thestr); *thestr = '\\0'; thestr -= 2;\n }\n thetime.tm_min = atoi(thestr); *thestr = '\\0'; thestr -= 2;\n thetime.tm_hour = atoi(thestr); *thestr = '\\0'; thestr -= 2;\n thetime.tm_mday = atoi(thestr); *thestr = '\\0'; thestr -= 2;\n thetime.tm_mon = atoi(thestr)-1; *thestr = '\\0';\n\n if (ASN1_STRING_type(timestr) == V_ASN1_UTCTIME) {\n thestr -= 2;\n thetime.tm_year = atoi(thestr);\n if (thetime.tm_year < 68) {\n thetime.tm_year += 100;\n }\n } else if (ASN1_STRING_type(timestr) == V_ASN1_GENERALIZEDTIME) {\n thestr -= 4;\n thetime.tm_year = atoi(thestr) - 1900;\n }\n\n thetime.tm_isdst = -1;\n time_t ret = mktime(&thetime);\n\n long gmadjust = 0;\n#if HAVE_TM_GMTOFF\n gmadjust = thetime.tm_gmtoff;\n#elif defined(_MSC_VER)\n TIME_ZONE_INFORMATION inf;\n GetTimeZoneInformation(&inf);\n gmadjust = thetime.tm_isdst ? 
inf.DaylightBias : inf.StandardBias;\n#else\n /**\n * If correcting for daylight savings time, we set the adjustment to\n * the value of timezone - 3600 seconds. Otherwise, we need to overcorrect\n * and set the adjustment to the main timezone + 3600 seconds.\n */\n gmadjust = -(thetime.tm_isdst ?\n (long)timezone - 3600 : (long)timezone);\n#endif\n /* no adjustment for UTC */\n if (timezone) ret += gmadjust;\n free(strbuf);\n return ret;\n}\n\n/* Special handling of subjectAltName, see CVE-2013-4073\n * Christian Heimes\n */\n\nstatic int openssl_x509v3_subjectAltName(BIO *bio, X509_EXTENSION *extension)\n{\n GENERAL_NAMES *names;\n const X509V3_EXT_METHOD *method = nullptr;\n long i, length, num;\n const unsigned char *p;\n\n method = X509V3_EXT_get(extension);\n if (method == nullptr) {\n return -1;\n }\n\n const auto data = X509_EXTENSION_get_data(extension);\n p = data->data;\n length = data->length;\n if (method->it) {\n names = (GENERAL_NAMES*)(ASN1_item_d2i(nullptr, &p, length,\n ASN1_ITEM_ptr(method->it)));\n } else {\n names = (GENERAL_NAMES*)(method->d2i(nullptr, &p, length));\n }\n if (names == nullptr) {\n return -1;\n }\n\n num = sk_GENERAL_NAME_num(names);\n for (i = 0; i < num; i++) {\n GENERAL_NAME *name;\n ASN1_STRING *as;\n name = sk_GENERAL_NAME_value(names, i);\n switch (name->type) {\n case GEN_EMAIL:\n BIO_puts(bio, \"email:\");\n as = name->d.rfc822Name;\n BIO_write(bio, ASN1_STRING_data(as),\n ASN1_STRING_length(as));\n break;\n case GEN_DNS:\n BIO_puts(bio, \"DNS:\");\n as = name->d.dNSName;\n BIO_write(bio, ASN1_STRING_data(as),\n ASN1_STRING_length(as));\n break;\n case GEN_URI:\n BIO_puts(bio, \"URI:\");\n as = name->d.uniformResourceIdentifier;\n BIO_write(bio, ASN1_STRING_data(as),\n ASN1_STRING_length(as));\n break;\n default:\n /* use builtin print for GEN_OTHERNAME, GEN_X400,\n * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID\n */\n GENERAL_NAME_print(bio, name);\n }\n /* trailing ', ' except for last element */\n if (i < (num - 
1)) {\n BIO_puts(bio, \", \");\n }\n }\n sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);\n\n return 0;\n}\nVariant HHVM_FUNCTION(openssl_x509_parse, const Variant& x509cert,\n bool shortnames /* = true */) {\n auto ocert = Certificate::Get(x509cert);\n if (!ocert) {\n return false;\n }\n X509 *cert = ocert->m_cert;\n assertx(cert);\n\n auto ret = Array::CreateDArray();\n const auto sn = X509_get_subject_name(cert);\n if (sn) {\n ret.set(s_name, String(X509_NAME_oneline(sn, nullptr, 0), CopyString));\n }\n add_assoc_name_entry(ret, \"subject\", sn, shortnames);\n /* hash as used in CA directories to lookup cert by subject name */\n {\n char buf[32];\n snprintf(buf, sizeof(buf), \"%08lx\", X509_subject_name_hash(cert));\n ret.set(s_hash, String(buf, CopyString));\n }\n\n add_assoc_name_entry(ret, \"issuer\", X509_get_issuer_name(cert), shortnames);\n ret.set(s_version, X509_get_version(cert));\n\n ret.set(s_serialNumber, String\n (i2s_ASN1_INTEGER(nullptr, X509_get_serialNumber(cert)), AttachString));\n // Adding Signature Algorithm\n BIO *bio_out = BIO_new(BIO_s_mem());\n SCOPE_EXIT { BIO_free(bio_out); };\n if (i2a_ASN1_OBJECT(bio_out, X509_get0_tbs_sigalg(cert)->algorithm) > 0) {\n BUF_MEM *bio_buf;\n BIO_get_mem_ptr(bio_out, &bio_buf);\n ret.set(s_signatureAlgorithm,\n String((char*)bio_buf->data, bio_buf->length, CopyString));\n }\n\n ASN1_STRING *str = X509_get_notBefore(cert);\n ret.set(s_validFrom, String((char*)str->data, str->length, CopyString));\n str = X509_get_notAfter(cert);\n ret.set(s_validTo, String((char*)str->data, str->length, CopyString));\n ret.set(s_validFrom_time_t, asn1_time_to_time_t(X509_get_notBefore(cert)));\n ret.set(s_validTo_time_t, asn1_time_to_time_t(X509_get_notAfter(cert)));\n\n char *tmpstr = (char *)X509_alias_get0(cert, nullptr);\n if (tmpstr) {\n ret.set(s_alias, String(tmpstr, CopyString));\n }\n\n /* NOTE: the purposes are added as integer keys - the keys match up to\n the X509_PURPOSE_SSL_XXX defines in x509v3.h */\n 
{\n Array subitem;\n for (int i = 0; i < X509_PURPOSE_get_count(); i++) {\n X509_PURPOSE *purp = X509_PURPOSE_get0(i);\n int id = X509_PURPOSE_get_id(purp);\n char * pname = shortnames ? X509_PURPOSE_get0_sname(purp) :\n X509_PURPOSE_get0_name(purp);\n auto subsub = make_varray(\n (bool)X509_check_purpose(cert, id, 0),\n (bool)X509_check_purpose(cert, id, 1),\n String(pname, CopyString)\n );\n subitem.set(id, std::move(subsub));\n }\n ret.set(s_purposes, subitem);\n }\n {\n auto subitem = Array::CreateDArray();\n for (int i = 0; i < X509_get_ext_count(cert); i++) {\n int nid;\n X509_EXTENSION *extension = X509_get_ext(cert, i);\n char *extname;\n char buf[256];\n nid = OBJ_obj2nid(X509_EXTENSION_get_object(extension));\n if (nid != NID_undef) {\n extname = (char*)OBJ_nid2sn(OBJ_obj2nid\n (X509_EXTENSION_get_object(extension)));\n } else {\n OBJ_obj2txt(buf, sizeof(buf)-1, X509_EXTENSION_get_object(extension),\n 1);\n extname = buf;\n }\n BIO *bio_out = BIO_new(BIO_s_mem());\n if (nid == NID_subject_alt_name) {\n if (openssl_x509v3_subjectAltName(bio_out, extension) == 0) {\n BUF_MEM *bio_buf;\n BIO_get_mem_ptr(bio_out, &bio_buf);\n subitem.set(String(extname, CopyString),\n String((char*)bio_buf->data,\n bio_buf->length,\n CopyString));\n } else {\n BIO_free(bio_out);\n return false;\n }\n } else if (X509V3_EXT_print(bio_out, extension, 0, 0)) {\n BUF_MEM *bio_buf;\n BIO_get_mem_ptr(bio_out, &bio_buf);\n subitem.set(String(extname, CopyString),\n String((char*)bio_buf->data, bio_buf->length, CopyString));\n } else {\n str = X509_EXTENSION_get_data(extension);\n subitem.set(String(extname, CopyString),\n String((char*)str->data, str->length, CopyString));\n }\n BIO_free(bio_out);\n }\n ret.set(s_extensions, subitem);\n }\n\n return ret;\n}\n\nVariant HHVM_FUNCTION(openssl_x509_read, const Variant& x509certdata) {\n auto ocert = Certificate::Get(x509certdata);\n if (!ocert) {\n raise_warning(\"supplied parameter cannot be coerced into \"\n \"an X509 
certificate!\");\n return false;\n }\n return Variant(ocert);\n}\n\nVariant HHVM_FUNCTION(openssl_random_pseudo_bytes, int length,\n bool& crypto_strong) {\n if (length <= 0) {\n return false;\n }\n\n unsigned char *buffer = nullptr;\n\n String s = String(length, ReserveString);\n buffer = (unsigned char *)s.mutableData();\n\n if (RAND_bytes(buffer, length) <= 0) {\n crypto_strong = false;\n return false;\n } else {\n crypto_strong = true;\n s.setSize(length);\n return s;\n }\n}\n\nVariant HHVM_FUNCTION(openssl_cipher_iv_length, const String& method) {\n if (method.empty()) {\n raise_warning(\"Unknown cipher algorithm\");\n return false;\n }\n\n const EVP_CIPHER *cipher_type = EVP_get_cipherbyname(method.c_str());\n if (!cipher_type) {\n raise_warning(\"Unknown cipher algorithm\");\n return false;\n }\n\n return EVP_CIPHER_iv_length(cipher_type);\n}\n\n/* Cipher mode info */\nstruct php_openssl_cipher_mode {\n /* Whether this mode uses authenticated encryption. True, for example, with\n the GCM and CCM modes */\n bool is_aead;\n /* Whether this mode is a 'single run aead', meaning that DecryptFinal doesn't\n get called. For example, CCM mode is a single run aead mode. */\n bool is_single_run_aead;\n /* The OpenSSL flag to get the computed tag, if this mode is aead. */\n int aead_get_tag_flag;\n /* The OpenSSL flag to set the computed tag, if this mode is aead. 
*/\n int aead_set_tag_flag;\n /* The OpenSSL flag to set the IV length, if this mode is aead */\n int aead_ivlen_flag;\n};\n\n// initialize a php_openssl_cipher_mode corresponding to an EVP_CIPHER.\nstatic php_openssl_cipher_mode php_openssl_load_cipher_mode(\n const EVP_CIPHER* cipher_type) {\n php_openssl_cipher_mode mode = {};\n switch (EVP_CIPHER_mode(cipher_type)) {\n#ifdef EVP_CIPH_GCM_MODE\n case EVP_CIPH_GCM_MODE:\n mode.is_aead = true;\n mode.is_single_run_aead = false;\n mode.aead_get_tag_flag = EVP_CTRL_GCM_GET_TAG;\n mode.aead_set_tag_flag = EVP_CTRL_GCM_SET_TAG;\n mode.aead_ivlen_flag = EVP_CTRL_GCM_SET_IVLEN;\n break;\n#endif\n#ifdef EVP_CIPH_CCM_MODE\n case EVP_CIPH_CCM_MODE:\n mode.is_aead = true;\n mode.is_single_run_aead = true;\n mode.aead_get_tag_flag = EVP_CTRL_CCM_GET_TAG;\n mode.aead_set_tag_flag = EVP_CTRL_CCM_SET_TAG;\n mode.aead_ivlen_flag = EVP_CTRL_CCM_SET_IVLEN;\n break;\n#endif\n default:\n break;\n }\n return mode;\n}\n\nstatic bool php_openssl_validate_iv(\n String piv,\n int iv_required_len,\n String& out,\n EVP_CIPHER_CTX* cipher_ctx,\n const php_openssl_cipher_mode* mode) {\n if (cipher_ctx == nullptr || mode == nullptr) {\n return false;\n }\n\n /* Best case scenario, user behaved */\n if (piv.size() == iv_required_len) {\n out = std::move(piv);\n return true;\n }\n\n if (mode->is_aead) {\n if (EVP_CIPHER_CTX_ctrl(\n cipher_ctx, mode->aead_ivlen_flag, piv.size(), nullptr) != 1) {\n raise_warning(\n \"Setting of IV length for AEAD mode failed, the expected length is \"\n \"%d bytes\",\n iv_required_len);\n return false;\n }\n out = std::move(piv);\n return true;\n }\n\n String s = String(iv_required_len, ReserveString);\n char* iv_new = s.mutableData();\n memset(iv_new, 0, iv_required_len);\n\n if (piv.size() <= 0) {\n /* BC behavior */\n s.setSize(iv_required_len);\n out = std::move(s);\n return true;\n }\n\n if (piv.size() < iv_required_len) {\n raise_warning(\"IV passed is only %ld bytes long, cipher \"\n \"expects an IV of 
precisely %d bytes, padding with \\\\0\",\n piv.size(), iv_required_len);\n memcpy(iv_new, piv.data(), piv.size());\n s.setSize(iv_required_len);\n out = std::move(s);\n return true;\n }\n\n raise_warning(\"IV passed is %ld bytes long which is longer than the %d \"\n \"expected by selected cipher, truncating\", piv.size(),\n iv_required_len);\n memcpy(iv_new, piv.data(), iv_required_len);\n s.setSize(iv_required_len);\n out = std::move(s);\n return true;\n}\n\nnamespace {\n\nVariant openssl_encrypt_impl(const String& data,\n const String& method,\n const String& password,\n int options,\n const String& iv,\n Variant* tag_out,\n const String& aad,\n int tag_length) {\n const EVP_CIPHER *cipher_type = EVP_get_cipherbyname(method.c_str());\n if (!cipher_type) {\n raise_warning(\"Unknown cipher algorithm\");\n return false;\n }\n\n EVP_CIPHER_CTX* cipher_ctx = EVP_CIPHER_CTX_new();\n if (!cipher_ctx) {\n raise_warning(\"Failed to create cipher context\");\n return false;\n }\n\n SCOPE_EXIT {\n EVP_CIPHER_CTX_free(cipher_ctx);\n };\n\n php_openssl_cipher_mode mode = php_openssl_load_cipher_mode(cipher_type);\n\n if (mode.is_aead && !tag_out) {\n raise_warning(\"Must call openssl_encrypt_with_tag when using an AEAD cipher\");\n return false;\n }\n\n int keylen = EVP_CIPHER_key_length(cipher_type);\n String key = password;\n\n /*\n * older openssl libraries can assert if the passed in password length is\n * less than keylen\n */\n if (keylen > password.size()) {\n String s = String(keylen, ReserveString);\n char *keybuf = s.mutableData();\n memset(keybuf, 0, keylen);\n memcpy(keybuf, password.data(), password.size());\n key = s.setSize(keylen);\n }\n\n int max_iv_len = EVP_CIPHER_iv_length(cipher_type);\n if (iv.size() <= 0 && max_iv_len > 0 && !mode.is_aead) {\n raise_warning(\"Using an empty Initialization Vector (iv) is potentially \"\n \"insecure and not recommended\");\n }\n\n int result_len = 0;\n int outlen = data.size() + EVP_CIPHER_block_size(cipher_type);\n 
String rv = String(outlen, ReserveString);\n unsigned char *outbuf = (unsigned char*)rv.mutableData();\n\n EVP_EncryptInit_ex(cipher_ctx, cipher_type, nullptr, nullptr, nullptr);\n\n String new_iv;\n // we do this after EncryptInit because validate_iv changes cipher_ctx for\n // aead modes (must be initialized first).\n if (!php_openssl_validate_iv(\n std::move(iv), max_iv_len, new_iv, cipher_ctx, &mode)) {\n return false;\n }\n\n // set the tag length for CCM mode/other modes that require tag lengths to\n // be set.\n if (mode.is_single_run_aead &&\n !EVP_CIPHER_CTX_ctrl(\n cipher_ctx, mode.aead_set_tag_flag, tag_length, nullptr)) {\n raise_warning(\"Setting tag length failed\");\n return false;\n }\n if (password.size() > keylen) {\n EVP_CIPHER_CTX_set_key_length(cipher_ctx, password.size());\n }\n EVP_EncryptInit_ex(\n cipher_ctx,\n nullptr,\n nullptr,\n (unsigned char*)key.data(),\n (unsigned char*)new_iv.data());\n if (options & k_OPENSSL_ZERO_PADDING) {\n EVP_CIPHER_CTX_set_padding(cipher_ctx, 0);\n }\n\n // for single run aeads like CCM, we need to provide the length of the\n // plaintext before providing AAD or ciphertext.\n if (mode.is_single_run_aead &&\n !EVP_EncryptUpdate(\n cipher_ctx, nullptr, &result_len, nullptr, data.size())) {\n raise_warning(\"Setting of data length failed\");\n return false;\n }\n\n // set up aad:\n if (mode.is_aead &&\n !EVP_EncryptUpdate(\n cipher_ctx,\n nullptr,\n &result_len,\n (unsigned char*)aad.data(),\n aad.size())) {\n raise_warning(\"Setting of additional application data failed\");\n return false;\n }\n\n // OpenSSL before 0.9.8i asserts with size < 0\n if (data.size() >= 0) {\n EVP_EncryptUpdate(cipher_ctx, outbuf, &result_len,\n (unsigned char *)data.data(), data.size());\n }\n\n outlen = result_len;\n\n if (EVP_EncryptFinal_ex(\n cipher_ctx, (unsigned char*)outbuf + result_len, &result_len)) {\n outlen += result_len;\n rv.setSize(outlen);\n // Get tag if possible\n if (mode.is_aead) {\n String tagrv = 
String(tag_length, ReserveString);\n if (EVP_CIPHER_CTX_ctrl(\n cipher_ctx,\n mode.aead_get_tag_flag,\n tag_length,\n tagrv.mutableData()) == 1) {\n tagrv.setSize(tag_length);\n assertx(tag_out);\n *tag_out = tagrv;\n } else {\n raise_warning(\"Retrieving authentication tag failed\");\n return false;\n }\n } else if (tag_out) {\n raise_warning(\n \"The authenticated tag cannot be provided for cipher that does not\"\n \" support AEAD\");\n }\n // Return encrypted data\n if (options & k_OPENSSL_RAW_DATA) {\n return rv;\n } else {\n return StringUtil::Base64Encode(rv);\n }\n }\n return false;\n}\n\n} // anonymous namespace\n\nVariant HHVM_FUNCTION(openssl_encrypt,\n const String& data,\n const String& method,\n const String& password,\n int options /* = 0 */,\n const String& iv /* = null_string */,\n const String& aad /* = null_string */,\n int tag_length /* = 16 */) {\n return openssl_encrypt_impl(data, method, password, options, iv,\n nullptr, aad, tag_length);\n}\n\nVariant HHVM_FUNCTION(openssl_encrypt_with_tag,\n const String& data,\n const String& method,\n const String& password,\n int options,\n const String& iv,\n Variant& tag_out,\n const String& aad /* = null_string */,\n int tag_length /* = 16 */) {\n return openssl_encrypt_impl(data, method, password, options, iv,\n &tag_out, aad, tag_length);\n}\n\nVariant HHVM_FUNCTION(openssl_decrypt, const String& data, const String& method,\n const String& password,\n int options /* = 0 */,\n const String& iv /* = null_string */,\n const String& tag /* = null_string */,\n const String& aad /* = null_string */) {\n const EVP_CIPHER *cipher_type = EVP_get_cipherbyname(method.c_str());\n if (!cipher_type) {\n raise_warning(\"Unknown cipher algorithm\");\n return false;\n }\n\n EVP_CIPHER_CTX* cipher_ctx = EVP_CIPHER_CTX_new();\n if (!cipher_ctx) {\n raise_warning(\"Failed to create cipher context\");\n return false;\n }\n\n SCOPE_EXIT {\n EVP_CIPHER_CTX_free(cipher_ctx);\n };\n\n php_openssl_cipher_mode mode = 
php_openssl_load_cipher_mode(cipher_type);\n\n String decoded_data = data;\n\n if (!(options & k_OPENSSL_RAW_DATA)) {\n decoded_data = StringUtil::Base64Decode(data);\n }\n\n int keylen = EVP_CIPHER_key_length(cipher_type);\n String key = password;\n\n /*\n * older openssl libraries can assert if the passed in password length is\n * less than keylen\n */\n if (keylen > password.size()) {\n String s = String(keylen, ReserveString);\n char *keybuf = s.mutableData();\n memset(keybuf, 0, keylen);\n memcpy(keybuf, password.data(), password.size());\n key = s.setSize(keylen);\n }\n\n int result_len = 0;\n int outlen = decoded_data.size() + EVP_CIPHER_block_size(cipher_type);\n String rv = String(outlen, ReserveString);\n unsigned char *outbuf = (unsigned char*)rv.mutableData();\n\n EVP_DecryptInit_ex(cipher_ctx, cipher_type, nullptr, nullptr, nullptr);\n\n String new_iv;\n // we do this after DecryptInit because validate_iv changes cipher_ctx for\n // aead modes (must be initialized first).\n if (!php_openssl_validate_iv(\n std::move(iv),\n EVP_CIPHER_iv_length(cipher_type),\n new_iv,\n cipher_ctx,\n &mode)) {\n return false;\n }\n\n // set the tag if required:\n if (tag.size() > 0) {\n if (!mode.is_aead) {\n raise_warning(\n \"The tag is being ignored because the cipher method does not\"\n \" support AEAD\");\n } else if (!EVP_CIPHER_CTX_ctrl(\n cipher_ctx,\n mode.aead_set_tag_flag,\n tag.size(),\n (unsigned char*)tag.data())) {\n raise_warning(\"Setting tag for AEAD cipher decryption failed\");\n return false;\n }\n } else {\n if (mode.is_aead) {\n raise_warning(\"A tag should be provided when using AEAD mode\");\n return false;\n }\n }\n if (password.size() > keylen) {\n EVP_CIPHER_CTX_set_key_length(cipher_ctx, password.size());\n }\n EVP_DecryptInit_ex(\n cipher_ctx,\n nullptr,\n nullptr,\n (unsigned char*)key.data(),\n (unsigned char*)new_iv.data());\n if (options & k_OPENSSL_ZERO_PADDING) {\n EVP_CIPHER_CTX_set_padding(cipher_ctx, 0);\n }\n\n // for single run 
aeads like CCM, we need to provide the length of the\n // ciphertext before providing AAD or ciphertext.\n if (mode.is_single_run_aead &&\n !EVP_DecryptUpdate(\n cipher_ctx, nullptr, &result_len, nullptr, decoded_data.size())) {\n raise_warning(\"Setting of data length failed\");\n return false;\n }\n\n // set up aad:\n if (mode.is_aead &&\n !EVP_DecryptUpdate(\n cipher_ctx,\n nullptr,\n &result_len,\n (unsigned char*)aad.data(),\n aad.size())) {\n raise_warning(\"Setting of additional application data failed\");\n return false;\n }\n\n if (!EVP_DecryptUpdate(\n cipher_ctx,\n outbuf,\n &result_len,\n (unsigned char*)decoded_data.data(),\n decoded_data.size())) {\n return false;\n }\n outlen = result_len;\n\n // if is_single_run_aead is enabled, DecryptFinal shouldn't be called.\n // if something went wrong in this case, we would've caught it at\n // DecryptUpdate.\n if (mode.is_single_run_aead ||\n EVP_DecryptFinal_ex(\n cipher_ctx, (unsigned char*)outbuf + result_len, &result_len)) {\n // don't want to do this if is_single_run_aead was enabled, since we didn't\n // make a call to EVP_DecryptFinal.\n if (!mode.is_single_run_aead) {\n outlen += result_len;\n }\n rv.setSize(outlen);\n return rv;\n } else {\n return false;\n }\n}\n\nVariant HHVM_FUNCTION(openssl_digest, const String& data, const String& method,\n bool raw_output /* = false */) {\n const EVP_MD *mdtype = EVP_get_digestbyname(method.c_str());\n\n if (!mdtype) {\n raise_warning(\"Unknown signature algorithm\");\n return false;\n }\n int siglen = EVP_MD_size(mdtype);\n String rv = String(siglen, ReserveString);\n unsigned char *sigbuf = (unsigned char *)rv.mutableData();\n EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();\n SCOPE_EXIT {\n EVP_MD_CTX_free(md_ctx);\n };\n\n EVP_DigestInit(md_ctx, mdtype);\n\n EVP_DigestUpdate(md_ctx, (unsigned char *)data.data(), data.size());\n if (EVP_DigestFinal(md_ctx, (unsigned char *)sigbuf, (unsigned int *)&siglen)) {\n if (raw_output) {\n rv.setSize(siglen);\n return rv;\n } 
else {\n char* digest_str = string_bin2hex((char*)sigbuf, siglen);\n return String(digest_str, AttachString);\n }\n } else {\n return false;\n }\n}\n\nstatic void openssl_add_method_or_alias(const OBJ_NAME *name, void *arg)\n{\n Array *ret = (Array*)arg;\n ret->append(String((char *)name->name, CopyString));\n}\n\nstatic void openssl_add_method(const OBJ_NAME *name, void *arg)\n{\n if (name->alias == 0) {\n Array *ret = (Array*)arg;\n ret->append(String((char *)name->name, CopyString));\n }\n}\n\nArray HHVM_FUNCTION(openssl_get_cipher_methods, bool aliases /* = false */) {\n Array ret = Array::CreateVArray();\n OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,\n aliases ? openssl_add_method_or_alias: openssl_add_method,\n &ret);\n return ret;\n}\n\nVariant HHVM_FUNCTION(openssl_get_curve_names) {\n#ifdef HAVE_EVP_PKEY_EC\n const size_t len = EC_get_builtin_curves(nullptr, 0);\n std::unique_ptr curves(new EC_builtin_curve[len]);\n if (!EC_get_builtin_curves(curves.get(), len)) {\n return false;\n }\n\n VArrayInit ret(len);\n for (size_t i = 0; i < len; ++i) {\n auto const sname = OBJ_nid2sn(curves[i].nid);\n if (sname != nullptr) {\n ret.append(String(sname, CopyString));\n }\n }\n\n return ret.toArray();\n#else\n return false;\n#endif\n}\n\nArray HHVM_FUNCTION(openssl_get_md_methods, bool aliases /* = false */) {\n Array ret = Array::CreateVArray();\n OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH,\n aliases ? 
openssl_add_method_or_alias: openssl_add_method,\n &ret);\n return ret;\n}\n\n/////////////////////////////////////////////////////////////////////////////\n\nconst StaticString s_OPENSSL_VERSION_TEXT(\"OPENSSL_VERSION_TEXT\");\n\nstruct opensslExtension final : Extension {\n opensslExtension() : Extension(\"openssl\") {}\n void moduleInit() override {\n HHVM_RC_INT(OPENSSL_RAW_DATA, k_OPENSSL_RAW_DATA);\n HHVM_RC_INT(OPENSSL_ZERO_PADDING, k_OPENSSL_ZERO_PADDING);\n HHVM_RC_INT(OPENSSL_NO_PADDING, k_OPENSSL_NO_PADDING);\n HHVM_RC_INT(OPENSSL_PKCS1_OAEP_PADDING, k_OPENSSL_PKCS1_OAEP_PADDING);\n HHVM_RC_INT(OPENSSL_SSLV23_PADDING, k_OPENSSL_SSLV23_PADDING);\n HHVM_RC_INT(OPENSSL_PKCS1_PADDING, k_OPENSSL_PKCS1_PADDING);\n\n HHVM_RC_INT_SAME(OPENSSL_ALGO_SHA1);\n HHVM_RC_INT_SAME(OPENSSL_ALGO_MD5);\n HHVM_RC_INT_SAME(OPENSSL_ALGO_MD4);\n#ifdef HAVE_OPENSSL_MD2_H\n HHVM_RC_INT_SAME(OPENSSL_ALGO_MD2);\n#endif\n HHVM_RC_INT_SAME(OPENSSL_ALGO_DSS1);\n HHVM_RC_INT_SAME(OPENSSL_ALGO_SHA224);\n HHVM_RC_INT_SAME(OPENSSL_ALGO_SHA256);\n HHVM_RC_INT_SAME(OPENSSL_ALGO_SHA384);\n HHVM_RC_INT_SAME(OPENSSL_ALGO_SHA512);\n HHVM_RC_INT_SAME(OPENSSL_ALGO_RMD160);\n\n HHVM_RC_INT(OPENSSL_CIPHER_RC2_40, PHP_OPENSSL_CIPHER_RC2_40);\n HHVM_RC_INT(OPENSSL_CIPHER_RC2_128, PHP_OPENSSL_CIPHER_RC2_128);\n HHVM_RC_INT(OPENSSL_CIPHER_RC2_64, PHP_OPENSSL_CIPHER_RC2_64);\n HHVM_RC_INT(OPENSSL_CIPHER_DES, PHP_OPENSSL_CIPHER_DES);\n HHVM_RC_INT(OPENSSL_CIPHER_3DES, PHP_OPENSSL_CIPHER_3DES);\n\n HHVM_RC_INT_SAME(OPENSSL_KEYTYPE_RSA);\n HHVM_RC_INT_SAME(OPENSSL_KEYTYPE_DSA);\n HHVM_RC_INT_SAME(OPENSSL_KEYTYPE_DH);\n#ifdef HAVE_EVP_PKEY_EC\n HHVM_RC_INT_SAME(OPENSSL_KEYTYPE_EC);\n#endif\n\n HHVM_RC_INT_SAME(OPENSSL_VERSION_NUMBER);\n\n HHVM_RC_INT_SAME(PKCS7_TEXT);\n HHVM_RC_INT_SAME(PKCS7_NOCERTS);\n HHVM_RC_INT_SAME(PKCS7_NOSIGS);\n HHVM_RC_INT_SAME(PKCS7_NOCHAIN);\n HHVM_RC_INT_SAME(PKCS7_NOINTERN);\n HHVM_RC_INT_SAME(PKCS7_NOVERIFY);\n HHVM_RC_INT_SAME(PKCS7_DETACHED);\n 
HHVM_RC_INT_SAME(PKCS7_BINARY);\n HHVM_RC_INT_SAME(PKCS7_NOATTR);\n\n HHVM_RC_STR_SAME(OPENSSL_VERSION_TEXT);\n\n HHVM_RC_INT_SAME(X509_PURPOSE_SSL_CLIENT);\n HHVM_RC_INT_SAME(X509_PURPOSE_SSL_SERVER);\n HHVM_RC_INT_SAME(X509_PURPOSE_NS_SSL_SERVER);\n HHVM_RC_INT_SAME(X509_PURPOSE_SMIME_SIGN);\n HHVM_RC_INT_SAME(X509_PURPOSE_SMIME_ENCRYPT);\n HHVM_RC_INT_SAME(X509_PURPOSE_CRL_SIGN);\n#ifdef X509_PURPOSE_ANY\n HHVM_RC_INT_SAME(X509_PURPOSE_ANY);\n#endif\n\n HHVM_FE(openssl_csr_export_to_file);\n HHVM_FE(openssl_csr_export);\n HHVM_FE(openssl_csr_get_public_key);\n HHVM_FE(openssl_csr_get_subject);\n HHVM_FE(openssl_csr_new);\n HHVM_FE(openssl_csr_sign);\n HHVM_FE(openssl_error_string);\n HHVM_FE(openssl_open);\n HHVM_FE(openssl_pkcs12_export_to_file);\n HHVM_FE(openssl_pkcs12_export);\n HHVM_FE(openssl_pkcs12_read);\n HHVM_FE(openssl_pkcs7_decrypt);\n HHVM_FE(openssl_pkcs7_encrypt);\n HHVM_FE(openssl_pkcs7_sign);\n HHVM_FE(openssl_pkcs7_verify);\n HHVM_FE(openssl_pkey_export_to_file);\n HHVM_FE(openssl_pkey_export);\n HHVM_FE(openssl_pkey_get_details);\n HHVM_FE(openssl_pkey_get_private);\n HHVM_FE(openssl_pkey_get_public);\n HHVM_FE(openssl_pkey_new);\n HHVM_FE(openssl_private_decrypt);\n HHVM_FE(openssl_private_encrypt);\n HHVM_FE(openssl_public_decrypt);\n HHVM_FE(openssl_public_encrypt);\n HHVM_FE(openssl_seal);\n HHVM_FE(openssl_sign);\n HHVM_FE(openssl_verify);\n HHVM_FE(openssl_x509_check_private_key);\n HHVM_FE(openssl_x509_checkpurpose);\n HHVM_FE(openssl_x509_export_to_file);\n HHVM_FE(openssl_x509_export);\n HHVM_FE(openssl_x509_parse);\n HHVM_FE(openssl_x509_read);\n HHVM_FE(openssl_random_pseudo_bytes);\n HHVM_FE(openssl_cipher_iv_length);\n HHVM_FE(openssl_encrypt);\n HHVM_FE(openssl_encrypt_with_tag);\n HHVM_FE(openssl_decrypt);\n HHVM_FE(openssl_digest);\n HHVM_FE(openssl_get_cipher_methods);\n HHVM_FE(openssl_get_curve_names);\n HHVM_FE(openssl_get_md_methods);\n\n loadSystemlib();\n }\n} 
s_openssl_extension;\n\n///////////////////////////////////////////////////////////////////////////////\n}", "project": "hhvm", "hash": 15247673495806370629838546024510271456, "size": 2914, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219563 }, { "func": "static inline int php_openssl_config_check_syntax(const char * section_label, const char * config_filename, const char * section, LHASH_OF(CONF_VALUE) * config) /* {{{ */\n{\n\tX509V3_CTX ctx;\n\n\tX509V3_set_ctx_test(&ctx);\n\tX509V3_set_conf_lhash(&ctx, config);\n\tif (!X509V3_EXT_add_conf(config, &ctx, (char *)section, NULL)) {\n\t\tphp_openssl_store_errors();\n\t\tphp_error_docref(NULL, E_WARNING, \"Error loading %s section %s of %s\",\n\t\t\t\tsection_label,\n\t\t\t\tsection,\n\t\t\t\tconfig_filename);\n\t\treturn FAILURE;\n\t}\n\treturn SUCCESS;\n}", "project": "php-src", "hash": 170546953231719796020156927142127444397, "size": 16, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291459 }, { "func": "static void send_negotiation(struct Curl_easy *data, int cmd, int option)\n{\n unsigned char buf[3];\n ssize_t bytes_written;\n struct connectdata *conn = data->conn;\n\n buf[0] = CURL_IAC;\n buf[1] = (unsigned char)cmd;\n buf[2] = (unsigned char)option;\n\n bytes_written = swrite(conn->sock[FIRSTSOCKET], buf, 3);\n if(bytes_written < 0) {\n int err = SOCKERRNO;\n failf(data,\"Sending data failed (%d)\",err);\n }\n\n printoption(data, \"SENT\", cmd, option);\n}", "project": "curl", "hash": 270897425364619141532666474789844958700, "size": 18, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 
0, "dataset": "other", "idx": 481500 }, { "func": "int headerDel(Header h, rpmTagVal tag)\n{\n indexEntry last = h->index + h->indexUsed;\n indexEntry entry, first;\n int ne;\n\n entry = findEntry(h, tag, RPM_NULL_TYPE);\n if (!entry) return 1;\n\n /* Make sure entry points to the first occurrence of this tag. */\n while (entry > h->index && (entry - 1)->info.tag == tag) \n\tentry--;\n\n /* Free data for tags being removed. */\n for (first = entry; first < last; first++) {\n\trpm_data_t data;\n\tif (first->info.tag != tag)\n\t break;\n\tdata = first->data;\n\tfirst->data = NULL;\n\tfirst->length = 0;\n\tif (ENTRY_IN_REGION(first))\n\t continue;\n\tfree(data);\n }\n\n ne = (first - entry);\n if (ne > 0) {\n\th->indexUsed -= ne;\n\tne = last - first;\n\tif (ne > 0)\n\t memmove(entry, first, (ne * sizeof(*entry)));\n }\n\n return 0;\n}", "project": "rpm", "hash": 183957755141022123243839575233323500237, "size": 36, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318160 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 1, "func": "void BlobURLRequestJob::HeadersCompleted(int status_code,\n const std::string& status_text) {\n std::string status(\"HTTP/1.1 \");\n status.append(base::IntToString(status_code));\n status.append(\" \");\n status.append(status_text);\n status.append(\"\\0\\0\", 2);\n net::HttpResponseHeaders* headers = new net::HttpResponseHeaders(status);\n\n if (status_code == kHTTPOk || status_code == kHTTPPartialContent) {\n std::string content_length_header(net::HttpRequestHeaders::kContentLength);\n content_length_header.append(\": \");\n content_length_header.append(base::Int64ToString(remaining_bytes_));\n headers->AddHeader(content_length_header);\n if (!blob_data_->content_type().empty()) {\n std::string 
content_type_header(net::HttpRequestHeaders::kContentType);\n content_type_header.append(\": \");\n content_type_header.append(blob_data_->content_type());\n headers->AddHeader(content_type_header);\n }\n if (!blob_data_->content_disposition().empty()) {\n std::string content_disposition_header(\"Content-Disposition: \");\n content_disposition_header.append(blob_data_->content_disposition());\n headers->AddHeader(content_disposition_header);\n }\n }\n\n response_info_.reset(new net::HttpResponseInfo());\n response_info_->headers = headers;\n \n set_expected_content_size(remaining_bytes_);\n NotifyHeadersComplete();\n headers_set_ = true;\n }\n", "cwe": "", "big_vul_idx": 184078, "idx": 5090, "hash": 51880020148550996395351781253705371372 }, { "func": " Item_hex_hybrid(THD *thd): Item_hex_constant(thd) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 134749982190116740039959217145979767575, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509199 }, { "func": "static int set_global_limit(const char *val, const struct kernel_param *kp)\n{\n\tint rv;\n\n\trv = param_set_uint(val, kp);\n\tif (rv)\n\t\treturn rv;\n\n\tsanitize_global_limit((unsigned *)kp->arg);\n\n\treturn 0;\n}", "project": "linux", "hash": 17033158454852753616627228685868885058, "size": 12, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342013 }, { "func": "static int pep_enableresp_rcv(struct sock *sk, struct sk_buff *skb)\n{\n\tstruct pnpipehdr *hdr = pnp_hdr(skb);\n\n\tif (hdr->error_code != PN_PIPE_NO_ERROR)\n\t\treturn -ECONNREFUSED;\n\n\treturn pep_indicate(sk, PNS_PIPE_ENABLED_IND, 0 /* sub-blocks */,\n\t\tNULL, 0, GFP_ATOMIC);\n\n}", "project": "linux", "hash": 96963517743138389737363167985358530269, "size": 11, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224807 }, { "func": "int tipc_nl_node_dump(struct sk_buff *skb, struct netlink_callback *cb)\n{\n\tint err;\n\tstruct net *net = sock_net(skb->sk);\n\tstruct tipc_net *tn = net_generic(net, tipc_net_id);\n\tint done = cb->args[0];\n\tint last_addr = cb->args[1];\n\tstruct tipc_node *node;\n\tstruct tipc_nl_msg msg;\n\n\tif (done)\n\t\treturn 0;\n\n\tmsg.skb = skb;\n\tmsg.portid = NETLINK_CB(cb->skb).portid;\n\tmsg.seq = cb->nlh->nlmsg_seq;\n\n\trcu_read_lock();\n\tif (last_addr) {\n\t\tnode = tipc_node_find(net, last_addr);\n\t\tif (!node) {\n\t\t\trcu_read_unlock();\n\t\t\t/* We never set seq or call nl_dump_check_consistent()\n\t\t\t * this means that setting prev_seq here will cause the\n\t\t\t * consistence check to fail in the netlink callback\n\t\t\t * handler. 
Resulting in the NLMSG_DONE message having\n\t\t\t * the NLM_F_DUMP_INTR flag set if the node state\n\t\t\t * changed while we released the lock.\n\t\t\t */\n\t\t\tcb->prev_seq = 1;\n\t\t\treturn -EPIPE;\n\t\t}\n\t\ttipc_node_put(node);\n\t}\n\n\tlist_for_each_entry_rcu(node, &tn->node_list, list) {\n\t\tif (node->preliminary)\n\t\t\tcontinue;\n\t\tif (last_addr) {\n\t\t\tif (node->addr == last_addr)\n\t\t\t\tlast_addr = 0;\n\t\t\telse\n\t\t\t\tcontinue;\n\t\t}\n\n\t\ttipc_node_read_lock(node);\n\t\terr = __tipc_nl_add_node(&msg, node);\n\t\tif (err) {\n\t\t\tlast_addr = node->addr;\n\t\t\ttipc_node_read_unlock(node);\n\t\t\tgoto out;\n\t\t}\n\n\t\ttipc_node_read_unlock(node);\n\t}\n\tdone = 1;\nout:\n\tcb->args[0] = done;\n\tcb->args[1] = last_addr;\n\trcu_read_unlock();\n\n\treturn skb->len;\n}", "project": "linux", "hash": 235086260974313006983606433949931443799, "size": 63, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n 
genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 
[inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364909 }, { "func": "void CLua::init_throttle()\n{\n if (!managed_vm)\n return;\n\n if (!crawl_state.throttle)\n return;\n\n if (throttle_unit_lines <= 0)\n throttle_unit_lines = 500;\n\n if (throttle_sleep_start < 1)\n throttle_sleep_start = 1;\n\n if (throttle_sleep_end < throttle_sleep_start)\n throttle_sleep_end = throttle_sleep_start;\n\n if (!mixed_call_depth)\n {\n lua_sethook(_state, _clua_throttle_hook,\n LUA_MASKCOUNT, throttle_unit_lines);\n throttle_sleep_ms = 0;\n n_throttle_sleeps = 0;\n }\n}", "project": "crawl", "hash": 245014092957995093589931046969896792234, "size": 25, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230539 }, { "func": "static void power_pmu_enable(struct pmu *pmu)\n{\n\tstruct perf_event *event;\n\tstruct cpu_hw_events *cpuhw;\n\tunsigned long flags;\n\tlong i;\n\tunsigned long val, mmcr0;\n\ts64 left;\n\tunsigned int hwc_index[MAX_HWEVENTS];\n\tint n_lim;\n\tint idx;\n\tbool ebb;\n\n\tif (!ppmu)\n\t\treturn;\n\tlocal_irq_save(flags);\n\n\tcpuhw = this_cpu_ptr(&cpu_hw_events);\n\tif (!cpuhw->disabled)\n\t\tgoto out;\n\n\tif (cpuhw->n_events == 0) {\n\t\tppc_set_pmu_inuse(0);\n\t\tgoto out;\n\t}\n\n\tcpuhw->disabled = 0;\n\n\t/*\n\t * EBB requires an exclusive group and all events must have the EBB\n\t * flag set, or not set, so we can just check a single event. 
Also we\n\t * know we have at least one event.\n\t */\n\tebb = is_ebb_event(cpuhw->event[0]);\n\n\t/*\n\t * If we didn't change anything, or only removed events,\n\t * no need to recalculate MMCR* settings and reset the PMCs.\n\t * Just reenable the PMU with the current MMCR* settings\n\t * (possibly updated for removal of events).\n\t */\n\tif (!cpuhw->n_added) {\n\t\tmtspr(SPRN_MMCRA, cpuhw->mmcr.mmcra & ~MMCRA_SAMPLE_ENABLE);\n\t\tmtspr(SPRN_MMCR1, cpuhw->mmcr.mmcr1);\n\t\tif (ppmu->flags & PPMU_ARCH_31)\n\t\t\tmtspr(SPRN_MMCR3, cpuhw->mmcr.mmcr3);\n\t\tgoto out_enable;\n\t}\n\n\t/*\n\t * Clear all MMCR settings and recompute them for the new set of events.\n\t */\n\tmemset(&cpuhw->mmcr, 0, sizeof(cpuhw->mmcr));\n\n\tif (ppmu->compute_mmcr(cpuhw->events, cpuhw->n_events, hwc_index,\n\t\t\t &cpuhw->mmcr, cpuhw->event, ppmu->flags)) {\n\t\t/* shouldn't ever get here */\n\t\tprintk(KERN_ERR \"oops compute_mmcr failed\\n\");\n\t\tgoto out;\n\t}\n\n\tif (!(ppmu->flags & PPMU_ARCH_207S)) {\n\t\t/*\n\t\t * Add in MMCR0 freeze bits corresponding to the attr.exclude_*\n\t\t * bits for the first event. 
We have already checked that all\n\t\t * events have the same value for these bits as the first event.\n\t\t */\n\t\tevent = cpuhw->event[0];\n\t\tif (event->attr.exclude_user)\n\t\t\tcpuhw->mmcr.mmcr0 |= MMCR0_FCP;\n\t\tif (event->attr.exclude_kernel)\n\t\t\tcpuhw->mmcr.mmcr0 |= freeze_events_kernel;\n\t\tif (event->attr.exclude_hv)\n\t\t\tcpuhw->mmcr.mmcr0 |= MMCR0_FCHV;\n\t}\n\n\t/*\n\t * Write the new configuration to MMCR* with the freeze\n\t * bit set and set the hardware events to their initial values.\n\t * Then unfreeze the events.\n\t */\n\tppc_set_pmu_inuse(1);\n\tmtspr(SPRN_MMCRA, cpuhw->mmcr.mmcra & ~MMCRA_SAMPLE_ENABLE);\n\tmtspr(SPRN_MMCR1, cpuhw->mmcr.mmcr1);\n\tmtspr(SPRN_MMCR0, (cpuhw->mmcr.mmcr0 & ~(MMCR0_PMC1CE | MMCR0_PMCjCE))\n\t\t\t\t| MMCR0_FC);\n\tif (ppmu->flags & PPMU_ARCH_207S)\n\t\tmtspr(SPRN_MMCR2, cpuhw->mmcr.mmcr2);\n\n\tif (ppmu->flags & PPMU_ARCH_31)\n\t\tmtspr(SPRN_MMCR3, cpuhw->mmcr.mmcr3);\n\n\t/*\n\t * Read off any pre-existing events that need to move\n\t * to another PMC.\n\t */\n\tfor (i = 0; i < cpuhw->n_events; ++i) {\n\t\tevent = cpuhw->event[i];\n\t\tif (event->hw.idx && event->hw.idx != hwc_index[i] + 1) {\n\t\t\tpower_pmu_read(event);\n\t\t\twrite_pmc(event->hw.idx, 0);\n\t\t\tevent->hw.idx = 0;\n\t\t}\n\t}\n\n\t/*\n\t * Initialize the PMCs for all the new and moved events.\n\t */\n\tcpuhw->n_limited = n_lim = 0;\n\tfor (i = 0; i < cpuhw->n_events; ++i) {\n\t\tevent = cpuhw->event[i];\n\t\tif (event->hw.idx)\n\t\t\tcontinue;\n\t\tidx = hwc_index[i] + 1;\n\t\tif (is_limited_pmc(idx)) {\n\t\t\tcpuhw->limited_counter[n_lim] = event;\n\t\t\tcpuhw->limited_hwidx[n_lim] = idx;\n\t\t\t++n_lim;\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (ebb)\n\t\t\tval = local64_read(&event->hw.prev_count);\n\t\telse {\n\t\t\tval = 0;\n\t\t\tif (event->hw.sample_period) {\n\t\t\t\tleft = local64_read(&event->hw.period_left);\n\t\t\t\tif (left < 0x80000000L)\n\t\t\t\t\tval = 0x80000000L - left;\n\t\t\t}\n\t\t\tlocal64_set(&event->hw.prev_count, 
val);\n\t\t}\n\n\t\tevent->hw.idx = idx;\n\t\tif (event->hw.state & PERF_HES_STOPPED)\n\t\t\tval = 0;\n\t\twrite_pmc(idx, val);\n\n\t\tperf_event_update_userpage(event);\n\t}\n\tcpuhw->n_limited = n_lim;\n\tcpuhw->mmcr.mmcr0 |= MMCR0_PMXE | MMCR0_FCECE;\n\n out_enable:\n\tpmao_restore_workaround(ebb);\n\n\tmmcr0 = ebb_switch_in(ebb, cpuhw);\n\n\tmb();\n\tif (cpuhw->bhrb_users)\n\t\tppmu->config_bhrb(cpuhw->bhrb_filter);\n\n\twrite_mmcr0(cpuhw, mmcr0);\n\n\t/*\n\t * Enable instruction sampling if necessary\n\t */\n\tif (cpuhw->mmcr.mmcra & MMCRA_SAMPLE_ENABLE) {\n\t\tmb();\n\t\tmtspr(SPRN_MMCRA, cpuhw->mmcr.mmcra);\n\t}\n\n out:\n\n\tlocal_irq_restore(flags);\n}", "project": "linux", "hash": 7060485132294449523455594851566471826, "size": 166, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. 
If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374739 }, { "func": "static CURLcode check_telnet_options(struct Curl_easy *data)\n{\n struct curl_slist *head;\n struct curl_slist *beg;\n char option_keyword[128] = \"\";\n char option_arg[256] = \"\";\n struct TELNET *tn = data->req.p.telnet;\n struct connectdata *conn = data->conn;\n CURLcode result = CURLE_OK;\n int binary_option;\n\n /* Add the user name as an environment variable if it\n was given on the command line */\n if(conn->bits.user_passwd) {\n msnprintf(option_arg, sizeof(option_arg), \"USER,%s\", conn->user);\n beg = curl_slist_append(tn->telnet_vars, option_arg);\n if(!beg) {\n curl_slist_free_all(tn->telnet_vars);\n tn->telnet_vars = NULL;\n return CURLE_OUT_OF_MEMORY;\n }\n tn->telnet_vars = beg;\n tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES;\n }\n\n for(head = data->set.telnet_options; head; head = head->next) {\n if(sscanf(head->data, \"%127[^= ]%*[ =]%255s\",\n option_keyword, option_arg) == 2) {\n\n /* Terminal type */\n if(strcasecompare(option_keyword, \"TTYPE\")) {\n strncpy(tn->subopt_ttype, option_arg, 31);\n tn->subopt_ttype[31] = 0; /* String termination */\n tn->us_preferred[CURL_TELOPT_TTYPE] = CURL_YES;\n continue;\n }\n\n /* Display variable */\n if(strcasecompare(option_keyword, \"XDISPLOC\")) {\n strncpy(tn->subopt_xdisploc, option_arg, 127);\n tn->subopt_xdisploc[127] = 0; /* String termination */\n tn->us_preferred[CURL_TELOPT_XDISPLOC] = CURL_YES;\n continue;\n }\n\n /* Environment 
variable */\n if(strcasecompare(option_keyword, \"NEW_ENV\")) {\n beg = curl_slist_append(tn->telnet_vars, option_arg);\n if(!beg) {\n result = CURLE_OUT_OF_MEMORY;\n break;\n }\n tn->telnet_vars = beg;\n tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES;\n continue;\n }\n\n /* Window Size */\n if(strcasecompare(option_keyword, \"WS\")) {\n if(sscanf(option_arg, \"%hu%*[xX]%hu\",\n &tn->subopt_wsx, &tn->subopt_wsy) == 2)\n tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES;\n else {\n failf(data, \"Syntax error in telnet option: %s\", head->data);\n result = CURLE_TELNET_OPTION_SYNTAX;\n break;\n }\n continue;\n }\n\n /* To take care or not of the 8th bit in data exchange */\n if(strcasecompare(option_keyword, \"BINARY\")) {\n binary_option = atoi(option_arg);\n if(binary_option != 1) {\n tn->us_preferred[CURL_TELOPT_BINARY] = CURL_NO;\n tn->him_preferred[CURL_TELOPT_BINARY] = CURL_NO;\n }\n continue;\n }\n\n failf(data, \"Unknown telnet option %s\", head->data);\n result = CURLE_UNKNOWN_OPTION;\n break;\n }\n failf(data, \"Syntax error in telnet option: %s\", head->data);\n result = CURLE_TELNET_OPTION_SYNTAX;\n break;\n }\n\n if(result) {\n curl_slist_free_all(tn->telnet_vars);\n tn->telnet_vars = NULL;\n }\n\n return result;\n}", "project": "curl", "hash": 164862506818416155415442652087535422123, "size": 96, "commit_id": "39ce47f219b09c380b81f89fe54ac586c8db6bde", "message": "telnet: check sscanf() for correct number of matches\n\nCVE-2021-22898\n\nBug: https://curl.se/docs/CVE-2021-22898.html", "target": 0, "dataset": "other", "idx": 481496 }, { "func": "int bcf_hdr_combine(bcf_hdr_t *dst, const bcf_hdr_t *src)\n{\n int i, ndst_ori = dst->nhrec, need_sync = 0, ret = 0, res;\n for (i=0; inhrec; i++)\n {\n if ( src->hrec[i]->type==BCF_HL_GEN && src->hrec[i]->value )\n {\n int j;\n for (j=0; jhrec[j]->type!=BCF_HL_GEN ) continue;\n\n // Checking only the key part of generic lines, otherwise\n // the VCFs are too verbose. 
Should we perhaps add a flag\n // to bcf_hdr_combine() and make this optional?\n if ( !strcmp(src->hrec[i]->key,dst->hrec[j]->key) ) break;\n }\n if ( j>=ndst_ori ) {\n res = bcf_hdr_add_hrec(dst, bcf_hrec_dup(src->hrec[i]));\n if (res < 0) return -1;\n need_sync += res;\n }\n }\n else if ( src->hrec[i]->type==BCF_HL_STR )\n {\n // NB: we are ignoring fields without ID\n int j = bcf_hrec_find_key(src->hrec[i],\"ID\");\n if ( j>=0 )\n {\n bcf_hrec_t *rec = bcf_hdr_get_hrec(dst, src->hrec[i]->type, \"ID\", src->hrec[i]->vals[j], src->hrec[i]->key);\n if ( !rec ) {\n res = bcf_hdr_add_hrec(dst, bcf_hrec_dup(src->hrec[i]));\n if (res < 0) return -1;\n need_sync += res;\n }\n }\n }\n else\n {\n int j = bcf_hrec_find_key(src->hrec[i],\"ID\");\n assert( j>=0 ); // this should always be true for valid VCFs\n\n bcf_hrec_t *rec = bcf_hdr_get_hrec(dst, src->hrec[i]->type, \"ID\", src->hrec[i]->vals[j], NULL);\n if ( !rec ) {\n res = bcf_hdr_add_hrec(dst, bcf_hrec_dup(src->hrec[i]));\n if (res < 0) return -1;\n need_sync += res;\n } else if ( src->hrec[i]->type==BCF_HL_INFO || src->hrec[i]->type==BCF_HL_FMT )\n {\n // Check that both records are of the same type. 
The bcf_hdr_id2length\n // macro cannot be used here because dst header is not synced yet.\n vdict_t *d_src = (vdict_t*)src->dict[BCF_DT_ID];\n vdict_t *d_dst = (vdict_t*)dst->dict[BCF_DT_ID];\n khint_t k_src = kh_get(vdict, d_src, src->hrec[i]->vals[0]);\n khint_t k_dst = kh_get(vdict, d_dst, src->hrec[i]->vals[0]);\n if ( (kh_val(d_src,k_src).info[rec->type]>>8 & 0xf) != (kh_val(d_dst,k_dst).info[rec->type]>>8 & 0xf) )\n {\n hts_log_warning(\"Trying to combine \\\"%s\\\" tag definitions of different lengths\",\n src->hrec[i]->vals[0]);\n ret |= 1;\n }\n if ( (kh_val(d_src,k_src).info[rec->type]>>4 & 0xf) != (kh_val(d_dst,k_dst).info[rec->type]>>4 & 0xf) )\n {\n hts_log_warning(\"Trying to combine \\\"%s\\\" tag definitions of different types\",\n src->hrec[i]->vals[0]);\n ret |= 1;\n }\n }\n }\n }\n if ( need_sync ) {\n if (bcf_hdr_sync(dst) < 0) return -1;\n }\n return ret;\n}", "project": "htslib", "hash": 128888832548019499794218548734858510486, "size": 75, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402218 }, { "func": "static void nfs4_write_cached_acl(struct inode *inode, struct page **pages, size_t pgbase, size_t acl_len)\n{\n\tstruct nfs4_cached_acl *acl;\n\tsize_t buflen = sizeof(*acl) + acl_len;\n\n\tif (buflen <= PAGE_SIZE) {\n\t\tacl = kmalloc(buflen, GFP_KERNEL);\n\t\tif (acl == NULL)\n\t\t\tgoto out;\n\t\tacl->cached = 1;\n\t\t_copy_from_pages(acl->data, pages, pgbase, acl_len);\n\t} else {\n\t\tacl = kmalloc(sizeof(*acl), GFP_KERNEL);\n\t\tif (acl == NULL)\n\t\t\tgoto out;\n\t\tacl->cached = 0;\n\t}\n\tacl->len = acl_len;\nout:\n\tnfs4_set_cached_acl(inode, acl);\n}", "project": "linux", "hash": 71706367715119999848142249968021047045, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431139 }, { "func": "static void encode_exchange_id(struct xdr_stream *xdr,\n\t\t\t const struct nfs41_exchange_id_args *args,\n\t\t\t struct compound_hdr *hdr)\n{\n\t__be32 *p;\n\tchar impl_name[IMPL_NAME_LIMIT];\n\tint len = 0;\n\n\tencode_op_hdr(xdr, OP_EXCHANGE_ID, decode_exchange_id_maxsz, hdr);\n\tencode_nfs4_verifier(xdr, &args->verifier);\n\n\tencode_string(xdr, strlen(args->client->cl_owner_id),\n\t\t\targs->client->cl_owner_id);\n\n\tencode_uint32(xdr, args->flags);\n\tencode_uint32(xdr, args->state_protect.how);\n\n\tswitch 
(args->state_protect.how) {\n\tcase SP4_NONE:\n\t\tbreak;\n\tcase SP4_MACH_CRED:\n\t\tencode_op_map(xdr, &args->state_protect.enforce);\n\t\tencode_op_map(xdr, &args->state_protect.allow);\n\t\tbreak;\n\tdefault:\n\t\tWARN_ON_ONCE(1);\n\t\tbreak;\n\t}\n\n\tif (send_implementation_id &&\n\t sizeof(CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN) > 1 &&\n\t sizeof(CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN)\n\t\t<= sizeof(impl_name) + 1)\n\t\tlen = snprintf(impl_name, sizeof(impl_name), \"%s %s %s %s\",\n\t\t\t utsname()->sysname, utsname()->release,\n\t\t\t utsname()->version, utsname()->machine);\n\n\tif (len > 0) {\n\t\tencode_uint32(xdr, 1);\t/* implementation id array length=1 */\n\n\t\tencode_string(xdr,\n\t\t\tsizeof(CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN) - 1,\n\t\t\tCONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN);\n\t\tencode_string(xdr, len, impl_name);\n\t\t/* just send zeros for nii_date - the date is in nii_name */\n\t\tp = reserve_space(xdr, 12);\n\t\tp = xdr_encode_hyper(p, 0);\n\t\t*p = cpu_to_be32(0);\n\t} else\n\t\tencode_uint32(xdr, 0);\t/* implementation id array length=0 */\n}", "project": "linux", "hash": 22501743242508690891184455646485667643, "size": 51, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431046 }, { "func": "static int deliver(message_data_t *msg)\n{\n int n, r = 0, myrights;\n char *rcpt = NULL;\n unsigned long uid;\n struct body *body = NULL;\n struct dest *dlist = NULL;\n duplicate_key_t dkey = {msg->id, NULL, msg->date};\n\n /* check ACLs of all mailboxes */\n for (n = 0; n < msg->rcpt.count; n++) {\n\tstruct 
mboxlist_entry *mbentry = NULL;\n\trcpt = msg->rcpt.data[n];\n\tdkey.to = rcpt;\n\n\t/* look it up */\n\tr = mlookup(rcpt, &mbentry);\n\tif (r) return IMAP_MAILBOX_NONEXISTENT;\n\n\tif (!(mbentry->acl && (myrights = cyrus_acl_myrights(nntp_authstate, mbentry->acl)) &&\n\t (myrights & ACL_POST))) {\n\t mboxlist_entry_free(&mbentry);\n\t return IMAP_PERMISSION_DENIED;\n\t}\n\n\tif (mbentry->server) {\n\t /* remote group */\n\t proxy_adddest(&dlist, NULL, 0, mbentry->server, \"\");\n\t}\n\telse {\n\t /* local group */\n\t struct appendstate as;\n\n\t if (msg->id && \n\t\tduplicate_check(&dkey)) {\n\t\t/* duplicate message */\n\t\tduplicate_log(&dkey, \"nntp delivery\");\n\t\tcontinue;\n\t }\n\n\t r = append_setup(&as, rcpt, nntp_userid, nntp_authstate,\n\t\t\t ACL_POST, 0, NULL, 0);\n\n\t if (!r) {\n\t\tprot_rewind(msg->data);\n\t\tif (stage) {\n\t\t r = append_fromstage(&as, &body, stage, 0,\n\t\t\t\t\t NULL, !singleinstance,\n\t\t\t\t\t /*annotations*/NULL);\n\t\t} else {\n\t\t /* XXX should never get here */\n\t\t r = append_fromstream(&as, &body, msg->data, msg->size, 0,\n\t\t\t\t\t (const char **) NULL, 0);\n\t\t}\n\t\tif (r || ( msg->id && duplicate_check(&dkey) ) ) { \n\t\t append_abort(&as);\n \n\t\t if (!r) {\n\t\t\t/* duplicate message */\n\t\t\tduplicate_log(&dkey, \"nntp delivery\");\n\t\t\tcontinue;\n\t\t } \n\t\t} \n\t\telse { \n\t\t r = append_commit(&as, NULL, &uid, NULL, NULL);\n\t\t}\n\t }\n\n\t if (!r && msg->id)\n\t\tduplicate_mark(&dkey, time(NULL), uid);\n\n\t if (r) {\n\t\tmboxlist_entry_free(&mbentry);\n\t\treturn r;\n\t }\n\t}\n\tmboxlist_entry_free(&mbentry);\n }\n\n if (body) {\n\tmessage_free_body(body);\n\tfree(body);\n }\n\n if (dlist) {\n\tstruct dest *d;\n\n\t/* run the txns */\n\tr = deliver_remote(msg, dlist);\n\n\t/* free the destination list */\n\td = dlist;\n\twhile (d) {\n\t struct dest *nextd = d->next;\n\t free(d);\n\t d = nextd;\n\t}\n }\n\n return r;\n}", "project": "cyrus-imapd", "hash": 
107720156134896105236007851562104311316, "size": 101, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451899 }, { "func": "static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,\n OPJ_BYTE * p_data,\n OPJ_UINT32 total_data_size,\n OPJ_UINT32 * p_data_written,\n const opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager\n )\n{\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n OPJ_UNUSED(p_stream);\n\n if (total_data_size < 12) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough bytes in output buffer to write SOT marker\\n\");\n return OPJ_FALSE;\n }\n\n opj_write_bytes(p_data, J2K_MS_SOT,\n 2); /* SOT */\n p_data += 2;\n\n opj_write_bytes(p_data, 10,\n 2); /* Lsot */\n p_data += 2;\n\n opj_write_bytes(p_data, p_j2k->m_current_tile_number,\n 2); /* Isot */\n p_data += 2;\n\n /* Psot */\n p_data += 4;\n\n opj_write_bytes(p_data,\n p_j2k->m_specific_param.m_encoder.m_current_tile_part_number,\n 1); /* TPsot */\n ++p_data;\n\n opj_write_bytes(p_data,\n p_j2k->m_cp.tcps[p_j2k->m_current_tile_number].m_nb_tile_parts,\n 1); /* TNsot */\n ++p_data;\n\n /* UniPG>> */\n#ifdef USE_JPWL\n /* update markers struct */\n /*\n OPJ_BOOL res = j2k_add_marker(p_j2k->cstr_info, J2K_MS_SOT, p_j2k->sot_start, len + 2);\n */\n assert(0 && \"TODO\");\n#endif /* USE_JPWL */\n\n * p_data_written = 12;\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 41128334198375191042630322665423722184, "size": 59, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357309 }, { "func": "static char *unclosed_directive(cmd_parms *cmd)\n{\n return apr_pstrcat(cmd->pool, cmd->cmd->name,\n \"> directive missing closing '>'\", NULL);\n}", "project": "httpd", "hash": 
45756894100791249648735306742712389632, "size": 5, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246244 }, { "func": "static char *missing_container_arg(cmd_parms *cmd)\n{\n return apr_pstrcat(cmd->pool, cmd->cmd->name,\n \"> directive requires additional arguments\", NULL);\n}", "project": "httpd", "hash": 168495821128980720107227628236778411941, "size": 5, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246310 }, { "func": " */\nstatic void bfq_dispatch_remove(struct request_queue *q, struct request *rq)\n{\n\tstruct bfq_queue *bfqq = RQ_BFQQ(rq);\n\n\t/*\n\t * For consistency, the next instruction should have been\n\t * executed after removing the request from the queue and\n\t * dispatching it. We execute instead this instruction before\n\t * bfq_remove_request() (and hence introduce a temporary\n\t * inconsistency), for efficiency. 
In fact, should this\n\t * dispatch occur for a non in-service bfqq, this anticipated\n\t * increment prevents two counters related to bfqq->dispatched\n\t * from risking to be, first, uselessly decremented, and then\n\t * incremented again when the (new) value of bfqq->dispatched\n\t * happens to be taken into account.\n\t */\n\tbfqq->dispatched++;\n\tbfq_update_peak_rate(q->elevator->elevator_data, rq);\n\n\tbfq_remove_request(q, rq);", "project": "linux", "hash": 264092195223578182636693388759833103722, "size": 21, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453396 }, { "func": "static void __disable_ibs_on_all_vcpus(struct kvm *kvm)\n{\n\tunsigned int i;\n\tstruct kvm_vcpu *vcpu;\n\n\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\t__disable_ibs_on_vcpu(vcpu);\n\t}\n}", "project": "linux", "hash": 129235241755899918613379319498133617150, "size": 9, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: 
<20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354824 }, { "func": "static u64 normal_pmc_alternative(u64 ev, unsigned long flags)\n{\n\tu64 alt[MAX_EVENT_ALTERNATIVES];\n\tint n;\n\n\tflags &= ~(PPMU_LIMITED_PMC_OK | PPMU_LIMITED_PMC_REQD);\n\tn = ppmu->get_alternatives(ev, flags, alt);\n\tif (!n)\n\t\treturn 0;\n\treturn alt[0];\n}", "project": "linux", "hash": 264104912698908767919733267744193209092, "size": 11, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374707 }, { "func": "void gp_workers_free(struct gp_workers *w)\n{\n struct gp_thread *t;\n void *retval;\n\n /* ======> POOL LOCK */\n pthread_mutex_lock(&w->lock);\n\n w->shutdown = true;\n\n /* <====== POOL LOCK */\n pthread_mutex_unlock(&w->lock);\n\n /* we do not run the following operations within\n * the lock, or deadlocks may arise for threads\n * that are just finishing doing some work */\n\n /* we guarantee nobody is touching these lists by\n * preventing workers from touching the free/busy\n * lists when a 'shutdown' is in progress */\n\n while (w->free_list) {\n /* pick threads one by one */\n t = w->free_list;\n LIST_DEL(w->free_list, t);\n\n /* wake up threads, then join them */\n /* ======> COND_MUTEX */\n pthread_mutex_lock(&t->cond_mutex);\n pthread_cond_signal(&t->cond_wakeup);\n /* <====== COND_MUTEX */\n pthread_mutex_unlock(&t->cond_mutex);\n\n pthread_join(t->tid, &retval);\n\n pthread_mutex_destroy(&t->cond_mutex);\n pthread_cond_destroy(&t->cond_wakeup);\n free(t);\n }\n\n /* do the same with the busy list */\n while (w->busy_list) {\n /* pick threads one by one */\n t = w->busy_list;\n LIST_DEL(w->free_list, t);\n\n /* wake up threads, then join them */\n /* ======> COND_MUTEX */\n pthread_mutex_lock(&t->cond_mutex);\n pthread_cond_signal(&t->cond_wakeup);\n /* <====== COND_MUTEX */\n pthread_mutex_unlock(&t->cond_mutex);\n\n pthread_join(t->tid, &retval);\n\n pthread_mutex_destroy(&t->cond_mutex);\n pthread_cond_destroy(&t->cond_wakeup);\n free(t);\n }\n\n close(w->sig_pipe[0]);\n close(w->sig_pipe[1]);\n\n 
pthread_mutex_destroy(&w->lock);\n\n free(w);\n}", "project": "gssproxy", "hash": 119745688426823835982378156300206324729, "size": 67, "commit_id": "cb761412e299ef907f22cd7c4146d50c8a792003", "message": "Unlock cond_mutex before pthread exit in gp_worker_main()\n\nSigned-off-by: GuiYao \n[rharwood@redhat.com: whitespace, tweak commit message]\nReviewed-by: Robbie Harwood ", "target": 0, "dataset": "other", "idx": 382875 }, { "func": "int bcf_get_format_string(const bcf_hdr_t *hdr, bcf1_t *line, const char *tag, char ***dst, int *ndst)\n{\n int i,tag_id = bcf_hdr_id2int(hdr, BCF_DT_ID, tag);\n if ( !bcf_hdr_idinfo_exists(hdr,BCF_HL_FMT,tag_id) ) return -1; // no such FORMAT field in the header\n if ( bcf_hdr_id2type(hdr,BCF_HL_FMT,tag_id)!=BCF_HT_STR ) return -2; // expected different type\n\n if ( !(line->unpacked & BCF_UN_FMT) ) bcf_unpack(line, BCF_UN_FMT);\n\n for (i=0; in_fmt; i++)\n if ( line->d.fmt[i].id==tag_id ) break;\n if ( i==line->n_fmt ) return -3; // the tag is not present in this record\n bcf_fmt_t *fmt = &line->d.fmt[i];\n if ( !fmt->p ) return -3; // the tag was marked for removal\n\n int nsmpl = bcf_hdr_nsamples(hdr);\n if ( !*dst )\n {\n *dst = (char**) malloc(sizeof(char*)*nsmpl);\n if ( !*dst ) return -4; // could not alloc\n (*dst)[0] = NULL;\n }\n int n = (fmt->n+1)*nsmpl;\n if ( *ndst < n )\n {\n (*dst)[0] = realloc((*dst)[0], n);\n if ( !(*dst)[0] ) return -4; // could not alloc\n *ndst = n;\n }\n for (i=0; ip + i*fmt->n;\n uint8_t *tmp = (uint8_t*)(*dst)[0] + i*(fmt->n+1);\n memcpy(tmp,src,fmt->n);\n tmp[fmt->n] = 0;\n (*dst)[i] = (char*) tmp;\n }\n return n;\n}", "project": "htslib", "hash": 266829559832835568327355424884372304292, "size": 38, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402254 }, { "func": "R_API void r_socket_printf(RSocket *s, const char *fmt, ...) {\n\tchar buf[BUFFER_SIZE];\n\tva_list ap;\n\tif (s->fd != R_INVALID_SOCKET) {\n\t\tva_start (ap, fmt);\n\t\tvsnprintf (buf, BUFFER_SIZE, fmt, ap);\n\t\tr_socket_write (s, buf, strlen (buf));\n\t\tva_end (ap);\n\t}\n}", "project": "radare2", "hash": 35142324024251896097432446041090045902, "size": 10, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268852 }, { "func": "R_API void r_socket_printf(RSocket *s, const char *fmt, ...) 
{\n\t/* nothing here */\n}", "project": "radare2", "hash": 209634103815545705242575777531701226441, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268899 }, { "func": "static void io_sq_thread_unpark(struct io_sq_data *sqd)\n\t__releases(&sqd->lock)\n{\n\tWARN_ON_ONCE(sqd->thread == current);\n\n\t/*\n\t * Do the dance but not conditional clear_bit() because it'd race with\n\t * other threads incrementing park_pending and setting the bit.\n\t */\n\tclear_bit(IO_SQ_THREAD_SHOULD_PARK, &sqd->state);\n\tif (atomic_dec_return(&sqd->park_pending))\n\t\tset_bit(IO_SQ_THREAD_SHOULD_PARK, &sqd->state);\n\tmutex_unlock(&sqd->lock);", "project": "linux", "hash": 302449059452838607237014404559709292327, "size": 13, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than 
MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338714 }, { "func": "static bool nfs4_mode_match_open_stateid(struct nfs4_state *state,\n\t\tfmode_t fmode)\n{\n\tswitch(fmode & (FMODE_READ|FMODE_WRITE)) {\n\tcase FMODE_READ|FMODE_WRITE:\n\t\treturn state->n_rdwr != 0;\n\tcase FMODE_WRITE:\n\t\treturn state->n_wronly != 0;\n\tcase FMODE_READ:\n\t\treturn state->n_rdonly != 0;\n\t}\n\tWARN_ON_ONCE(1);\n\treturn false;\n}", "project": "linux", "hash": 293547533544019072052474459852985239428, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431356 }, { "func": "static inline int alloc_consistency_checks(struct kmem_cache *s,\n\t\t\t\t\tstruct page *page, void *object)\n{\n\tif (!check_slab(s, page))\n\t\treturn 0;\n\n\tif (!check_valid_pointer(s, page, object)) {\n\t\tobject_err(s, page, object, \"Freelist Pointer check fails\");\n\t\treturn 0;\n\t}\n\n\tif (!check_object(s, page, 
object, SLUB_RED_INACTIVE))\n\t\treturn 0;\n\n\treturn 1;\n}", "project": "linux", "hash": 291314068003866728787713824685260074524, "size": 16, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280189 }, { "func": "void tty_release_struct(struct tty_struct *tty, int idx)\n{\n\t/*\n\t * Ask the line discipline code to release its structures\n\t */\n\ttty_ldisc_release(tty);\n\n\t/* Wait for pending work before tty destruction commmences */\n\ttty_flush_works(tty);\n\n\ttty_debug_hangup(tty, \"freeing structure\\n\");\n\t/*\n\t * The release_tty function takes care of the details of clearing\n\t * the slots and preserving the termios structure.\n\t */\n\tmutex_lock(&tty_mutex);\n\trelease_tty(tty, idx);\n\tmutex_unlock(&tty_mutex);\n}", "project": "linux", "hash": 122857818429965762190254870452338228157, "size": 19, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a 
PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326037 }, { "func": "static int alloc_snapshot(struct trace_array *tr)\n{\n\tint ret;\n\n\tif (!tr->allocated_snapshot) {\n\n\t\t/* allocate spare buffer */\n\t\tret = resize_buffer_duplicate_size(&tr->max_buffer,\n\t\t\t\t &tr->trace_buffer, RING_BUFFER_ALL_CPUS);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\n\t\ttr->allocated_snapshot = true;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 301350570574128020385727100793091932053, "size": 17, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later 
paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445785 }, { "func": "static int test_dedup(struct libmnt_test *ts, int argc, char *argv[])\n{\n\tconst char *name;\n\tchar *optstr;\n\tint rc;\n\n\tif (argc < 3)\n\t\treturn -EINVAL;\n\toptstr = xstrdup(argv[1]);\n\tname = argv[2];\n\n\trc = mnt_optstr_deduplicate_option(&optstr, name);\n\tif (!rc)\n\t\tprintf(\"result: >%s<\\n\", optstr);\n\tfree(optstr);\n\treturn rc;\n}", "project": "util-linux", "hash": 179250661395341519596194590544676372031, "size": 17, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410422 }, { "func": "static void mt_touch_report(struct hid_device *hid,\n\t\t\t struct mt_report_data *rdata)\n{\n\tstruct mt_device *td = hid_get_drvdata(hid);\n\tstruct hid_report *report = rdata->report;\n\tstruct mt_application *app = rdata->application;\n\tstruct hid_field *field;\n\tstruct input_dev *input;\n\tstruct mt_usages *slot;\n\tbool first_packet;\n\tunsigned count;\n\tint r, n;\n\tint scantime = 0;\n\tint contact_count = -1;\n\n\t/* sticky fingers release in progress, abort */\n\tif (test_and_set_bit(MT_IO_FLAGS_RUNNING, &td->mt_io_flags))\n\t\treturn;\n\n\tscantime = *app->scantime;\n\tapp->timestamp = mt_compute_timestamp(app, scantime);\n\tif (app->raw_cc != DEFAULT_ZERO)\n\t\tcontact_count = *app->raw_cc;\n\n\t/*\n\t * Includes multi-packet support 
where subsequent\n\t * packets are sent with zero contactcount.\n\t */\n\tif (contact_count >= 0) {\n\t\t/*\n\t\t * For Win8 PTPs the first packet (td->num_received == 0) may\n\t\t * have a contactcount of 0 if there only is a button event.\n\t\t * We double check that this is not a continuation packet\n\t\t * of a possible multi-packet frame be checking that the\n\t\t * timestamp has changed.\n\t\t */\n\t\tif ((app->quirks & MT_QUIRK_WIN8_PTP_BUTTONS) &&\n\t\t app->num_received == 0 &&\n\t\t app->prev_scantime != scantime)\n\t\t\tapp->num_expected = contact_count;\n\t\t/* A non 0 contact count always indicates a first packet */\n\t\telse if (contact_count)\n\t\t\tapp->num_expected = contact_count;\n\t}\n\tapp->prev_scantime = scantime;\n\n\tfirst_packet = app->num_received == 0;\n\n\tinput = report->field[0]->hidinput->input;\n\n\tlist_for_each_entry(slot, &app->mt_usages, list) {\n\t\tif (!mt_process_slot(td, input, app, slot))\n\t\t\tapp->num_received++;\n\t}\n\n\tfor (r = 0; r < report->maxfield; r++) {\n\t\tfield = report->field[r];\n\t\tcount = field->report_count;\n\n\t\tif (!(HID_MAIN_ITEM_VARIABLE & field->flags))\n\t\t\tcontinue;\n\n\t\tfor (n = 0; n < count; n++)\n\t\t\tmt_process_mt_event(hid, app, field,\n\t\t\t\t\t &field->usage[n], field->value[n],\n\t\t\t\t\t first_packet);\n\t}\n\n\tif (app->num_received >= app->num_expected)\n\t\tmt_sync_frame(td, app, input);\n\n\t/*\n\t * Windows 8 specs says 2 things:\n\t * - once a contact has been reported, it has to be reported in each\n\t * subsequent report\n\t * - the report rate when fingers are present has to be at least\n\t * the refresh rate of the screen, 60 or 120 Hz\n\t *\n\t * I interprete this that the specification forces a report rate of\n\t * at least 60 Hz for a touchscreen to be certified.\n\t * Which means that if we do not get a report whithin 16 ms, either\n\t * something wrong happens, either the touchscreen forgets to send\n\t * a release. 
Taking a reasonable margin allows to remove issues\n\t * with USB communication or the load of the machine.\n\t *\n\t * Given that Win 8 devices are forced to send a release, this will\n\t * only affect laggish machines and the ones that have a firmware\n\t * defect.\n\t */\n\tif (app->quirks & MT_QUIRK_STICKY_FINGERS) {\n\t\tif (test_bit(MT_IO_FLAGS_PENDING_SLOTS, &td->mt_io_flags))\n\t\t\tmod_timer(&td->release_timer,\n\t\t\t\t jiffies + msecs_to_jiffies(100));\n\t\telse\n\t\t\tdel_timer(&td->release_timer);\n\t}\n\n\tclear_bit(MT_IO_FLAGS_RUNNING, &td->mt_io_flags);\n}", "project": "linux", "hash": 335866732454154902684355269795238082800, "size": 99, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458414 }, { "func": "static int hci_resolve_name(struct hci_dev *hdev,\n\t\t\t\t struct inquiry_entry *e)\n{\n\tstruct hci_cp_remote_name_req cp;\n\n\tmemset(&cp, 0, sizeof(cp));\n\n\tbacpy(&cp.bdaddr, &e->data.bdaddr);\n\tcp.pscan_rep_mode = e->data.pscan_rep_mode;\n\tcp.pscan_mode = e->data.pscan_mode;\n\tcp.clock_offset = e->data.clock_offset;\n\n\treturn hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), 
&cp);\n}", "project": "linux", "hash": 286932721305975638154049153226626940763, "size": 14, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431940 }, { "func": "ConnStateData::afterClientRead()\n{\n#if USE_OPENSSL\n if (parsingTlsHandshake) {\n parseTlsHandshake();\n return;\n }\n#endif\n\n /* Process next request */\n if (pipeline.empty())\n fd_note(clientConnection->fd, \"Reading next request\");\n\n if (!clientParseRequests()) {\n if (!isOpen())\n return;\n /*\n * If the client here is half closed and we failed\n * to parse a request, close the connection.\n * The above check with connFinishedWithConn() only\n * succeeds _if_ the buffer is empty which it won't\n * be if we have an incomplete request.\n * XXX: This duplicates ConnStateData::kick\n */\n if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) {\n debugs(33, 5, clientConnection << \": half-closed connection, no completed request parsed, connection closing.\");\n clientConnection->close();\n return;\n }\n }\n\n if (!isOpen())\n return;\n\n clientAfterReadingRequests();\n}", "project": "squid", "hash": 232176935247118780118746298465348163844, "size": 36, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402338 }, { "func": "static void intel_engine_context_out(struct intel_engine_cs *engine)\n{\n\tunsigned long flags;\n\n\tif (READ_ONCE(engine->stats.enabled) == 0)\n\t\treturn;\n\n\twrite_seqlock_irqsave(&engine->stats.lock, flags);\n\n\tif (engine->stats.enabled > 0) {\n\t\tktime_t last;\n\n\t\tif (engine->stats.active && --engine->stats.active == 0) {\n\t\t\t/*\n\t\t\t * Decrement the active context count and in case GPU\n\t\t\t * is now idle add up to the running total.\n\t\t\t */\n\t\t\tlast = ktime_sub(ktime_get(), engine->stats.start);\n\n\t\t\tengine->stats.total = ktime_add(engine->stats.total,\n\t\t\t\t\t\t\tlast);\n\t\t} else if (engine->stats.active == 0) {\n\t\t\t/*\n\t\t\t * After turning on engine stats, context out might be\n\t\t\t * the first event in which case we account from the\n\t\t\t * time stats gathering was turned on.\n\t\t\t */\n\t\t\tlast = ktime_sub(ktime_get(), engine->stats.enabled_at);\n\n\t\t\tengine->stats.total = ktime_add(engine->stats.total,\n\t\t\t\t\t\t\tlast);\n\t\t}\n\t}\n\n\twrite_sequnlock_irqrestore(&engine->stats.lock, flags);\n}", "project": "linux", "hash": 119120162927602398808111792926342698465, "size": 36, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. 
This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281501 }, { "project": "phosphor-host-ipmid", "commit_id": "b265455a2518ece7c004b43c144199ec980fc620", "target": 0, "func": "int PasswdMgr::encryptDecryptData(bool doEncrypt, const EVP_CIPHER* cipher,\n uint8_t* key, size_t keyLen, uint8_t* iv,\n size_t ivLen, uint8_t* inBytes,\n size_t inBytesLen, uint8_t* mac,\n size_t* macLen, unsigned char* outBytes,\n size_t* outBytesLen)\n{\n if (cipher == NULL || key == NULL || iv == NULL || inBytes == NULL ||\n outBytes == NULL || mac == NULL || inBytesLen == 0 ||\n (size_t)EVP_CIPHER_key_length(cipher) > keyLen ||\n (size_t)EVP_CIPHER_iv_length(cipher) > ivLen)\n {\n log(\"Error Invalid Inputs\");\n return -EINVAL;\n }\n\n if (!doEncrypt)\n {\n // verify MAC before decrypting the data.\n std::array calMac;\n size_t calMacLen = calMac.size();\n // calculate MAC for the encrypted message.\n if (NULL == HMAC(EVP_sha256(), key, keyLen, inBytes, inBytesLen,\n calMac.data(),\n reinterpret_cast(&calMacLen)))\n {\n log(\"Error: Failed to calculate MAC\");\n return -EIO;\n }\n if (!((calMacLen == *macLen) &&\n (std::memcmp(calMac.data(), mac, calMacLen) == 0)))\n {\n log(\"Authenticated message doesn't match\");\n return -EBADMSG;\n }\n }\n\n std::unique_ptr ctx(\n EVP_CIPHER_CTX_new(), ::EVP_CIPHER_CTX_free);\n EVP_CIPHER_CTX_set_padding(ctx.get(), 1);\n\n // Set key & IV\n int retval = EVP_CipherInit_ex(ctx.get(), cipher, NULL, 
key, iv,\n static_cast(doEncrypt));\n if (!retval)\n {\n log(\"EVP_CipherInit_ex failed\",\n entry(\"RET_VAL=%d\", retval));\n return -EIO;\n }\n\n int outLen = 0, outEVPLen = 0;\n if ((retval = EVP_CipherUpdate(ctx.get(), outBytes + outLen, &outEVPLen,\n inBytes, inBytesLen)))\n {\n outLen += outEVPLen;\n if ((retval =\n EVP_CipherFinal(ctx.get(), outBytes + outLen, &outEVPLen)))\n {\n outLen += outEVPLen;\n *outBytesLen = outLen;\n }\n else\n {\n log(\"EVP_CipherFinal fails\",\n entry(\"RET_VAL=%d\", retval));\n return -EIO;\n }\n }\n else\n {\n log(\"EVP_CipherUpdate fails\",\n entry(\"RET_VAL=%d\", retval));\n return -EIO;\n }\n\n if (doEncrypt)\n {\n // Create MAC for the encrypted message\n if (NULL == HMAC(EVP_sha256(), key, keyLen, outBytes, *outBytesLen, mac,\n reinterpret_cast(macLen)))\n {\n log(\"Failed to create authentication\");\n return -EIO;\n }\n }\n return 0;\n}", "idx": 519580, "cwe": "CWE-276", "hash": 203013682869903855842362629530040211752, "dataset": "other" }, { "func": "static int fuse_file_flock(struct file *file, int cmd, struct file_lock *fl)\n{\n\tstruct inode *inode = file_inode(file);\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tint err;\n\n\tif (fc->no_flock) {\n\t\terr = locks_lock_file_wait(file, fl);\n\t} else {\n\t\tstruct fuse_file *ff = file->private_data;\n\n\t\t/* emulate flock with POSIX locks */\n\t\tff->flock = true;\n\t\terr = fuse_setlk(file, fl, 1);\n\t}\n\n\treturn err;\n}", "project": "linux", "hash": 271620671962347154449423478677089606485, "size": 18, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342122 }, { "func": "static bool fuse_pages_realloc(struct fuse_fill_wb_data *data)\n{\n\tstruct fuse_args_pages *ap = &data->wpa->ia.ap;\n\tstruct fuse_conn *fc = get_fuse_conn(data->inode);\n\tstruct page **pages;\n\tstruct fuse_page_desc *descs;\n\tunsigned int npages = min_t(unsigned int,\n\t\t\t\t max_t(unsigned int, data->max_pages * 2,\n\t\t\t\t\t FUSE_DEFAULT_MAX_PAGES_PER_REQ),\n\t\t\t\t fc->max_pages);\n\tWARN_ON(npages <= data->max_pages);\n\n\tpages = fuse_pages_alloc(npages, GFP_NOFS, &descs);\n\tif (!pages)\n\t\treturn false;\n\n\tmemcpy(pages, ap->pages, sizeof(struct page *) * ap->num_pages);\n\tmemcpy(descs, ap->descs, sizeof(struct fuse_page_desc) * ap->num_pages);\n\tkfree(ap->pages);\n\tap->pages = pages;\n\tap->descs = descs;\n\tdata->max_pages = npages;\n\n\treturn true;\n}", "project": "linux", "hash": 127142627174381854768131129543378314329, "size": 25, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342004 }, { "func": "static void nfs4_xdr_enc_reclaim_complete(struct rpc_rqst *req,\n\t\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t\t const void *data)\n{\n\tconst struct nfs41_reclaim_complete_args *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args)\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_reclaim_complete(xdr, args, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 152950129089163291520547684801931616128, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431235 }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLNode::clear_lists ()\n{\n\tXMLNodeIterator curchild;\n\tXMLPropertyIterator curprop;\n\n\t_selected_children.clear ();\n\n\tfor (curchild = 
_children.begin(); curchild != _children.end(); ++curchild) {\n\t\tdelete *curchild;\n\t}\n\n\t_children.clear ();\n\n\tfor (curprop = _proplist.begin(); curprop != _proplist.end(); ++curprop) {\n\t\tdelete *curprop;\n\t}\n\n\t_proplist.clear ();\n}", "idx": 519657, "cwe": "CWE-416", "hash": 213824031528414501645779780699001987796, "dataset": "other" }, { "func": "void tcp_valid_rtt_meas(struct sock *sk, u32 seq_rtt)\n{\n\ttcp_rtt_estimator(sk, seq_rtt);\n\ttcp_set_rto(sk);\n\tinet_csk(sk)->icsk_backoff = 0;\n}", "project": "net-next", "hash": 131297491015361423559002265089353736373, "size": 6, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409878 }, { "func": "UnicodeString::UnicodeString(const char *src, int32_t length, EInvariant) {\n fUnion.fFields.fLengthAndFlags = kShortString;\n if(src==NULL) {\n // treat as an empty string\n } else {\n if(length<0) {\n length=(int32_t)uprv_strlen(src);\n }\n if(cloneArrayIfNeeded(length, length, FALSE)) {\n u_charsToUChars(src, getArrayStart(), length);\n setLength(length);\n } else {\n setToBogus();\n }\n }\n}", "project": "icu", "hash": 74452377220579825831671277637881229749, "size": 16, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430724 }, { "func": "UnicodeString::UnicodeString(UBool isTerminated,\n ConstChar16Ptr textPtr,\n int32_t textLength) {\n fUnion.fFields.fLengthAndFlags = kReadonlyAlias;\n const UChar *text = textPtr;\n if(text == NULL) {\n // treat as an empty string, do not alias\n setToEmpty();\n } else if(textLength < -1 ||\n (textLength 
== -1 && !isTerminated) ||\n (textLength >= 0 && isTerminated && text[textLength] != 0)\n ) {\n setToBogus();\n } else {\n if(textLength == -1) {\n // text is terminated, or else it would have failed the above test\n textLength = u_strlen(text);\n }\n setArray(const_cast(text), textLength,\n isTerminated ? textLength + 1 : textLength);\n }\n}", "project": "icu", "hash": 154738034328721553298186459124581495075, "size": 22, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430728 }, { "func": " UnicodeString(const char * /*src*/, int32_t length, enum EInvariant /*inv*/\n) : i(length) {}", "project": "icu", "hash": 282240541066510972069818796426643578730, "size": 2, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430730 }, { "func": "UnicodeString::UnicodeString(const char *codepageData) {\n fUnion.fFields.fLengthAndFlags = kShortString;\n if(codepageData != 0) {\n setToUTF8(codepageData);\n }\n}", "project": "icu", "hash": 17315992184560731815210968417207880589, "size": 6, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430737 }, { "func": "UnicodeString::UnicodeString(const UnicodeString& that,\n int32_t srcStart,\n int32_t srcLength) {\n fUnion.fFields.fLengthAndFlags = kShortString;\n setTo(that, srcStart, srcLength);\n}", "project": "icu", "hash": 72822052552283077149069876730430549961, "size": 6, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430746 }, { "func": "UnicodeString::UnicodeString(const UnicodeString& that,\n int32_t srcStart) {\n fUnion.fFields.fLengthAndFlags = kShortString;\n setTo(that, 
srcStart);\n}", "project": "icu", "hash": 87852276168107430067935853572194436880, "size": 5, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430750 }, { "func": "UnicodeString::clone() const {\n return new UnicodeString(*this);\n}", "project": "icu", "hash": 328961983544034138910304703416353503175, "size": 3, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430773 }, { "func": "UnicodeString::UnicodeString(const UChar *text,\n int32_t textLength) {\n fUnion.fFields.fLengthAndFlags = kShortString;\n doAppend(text, 0, textLength);\n}", "project": "icu", "hash": 66565920288529769255286573647740813273, "size": 5, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430775 }, { "func": "UnicodeString::UnicodeString(int32_t capacity, UChar32 c, int32_t count) {\n fUnion.fFields.fLengthAndFlags = 0;\n if(count <= 0 || (uint32_t)c > 0x10ffff) {\n // just allocate and do not do anything else\n allocate(capacity);\n } else if(c <= 0xffff) {\n int32_t length = count;\n if(capacity < length) {\n capacity = length;\n }\n if(allocate(capacity)) {\n UChar *array = getArrayStart();\n UChar unit = (UChar)c;\n for(int32_t i = 0; i < length; ++i) {\n array[i] = unit;\n }\n setLength(length);\n }\n } else { // supplementary code point, write surrogate pairs\n if(count > (INT32_MAX / 2)) {\n // We would get more than 2G UChars.\n allocate(capacity);\n return;\n }\n int32_t length = count * 2;\n if(capacity < length) {\n capacity = length;\n }\n if(allocate(capacity)) {\n UChar *array = getArrayStart();\n UChar lead = U16_LEAD(c);\n UChar trail = U16_TRAIL(c);\n for(int32_t i = 0; i < length; i += 2) {\n array[i] = lead;\n array[i + 1] = trail;\n }\n 
setLength(length);\n }\n }\n}", "project": "icu", "hash": 16925462953984900965087531359591424224, "size": 40, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430779 }, { "func": "UnicodeString::UnicodeString(UChar ch) {\n fUnion.fFields.fLengthAndFlags = kLength1 | kShortString;\n fUnion.fStackFields.fBuffer[0] = ch;\n}", "project": "icu", "hash": 290203878726837901574095796914469719608, "size": 4, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430781 }, { "func": "UnicodeString::UnicodeString(UChar32 ch) {\n fUnion.fFields.fLengthAndFlags = kShortString;\n int32_t i = 0;\n UBool isError = FALSE;\n U16_APPEND(fUnion.fStackFields.fBuffer, i, US_STACKBUF_SIZE, ch, isError);\n // We test isError so that the compiler does not complain that we don't.\n // If isError then i==0 which is what we want anyway.\n if(!isError) {\n setShortLength(i);\n }\n}", "project": "icu", "hash": 14808520252780373472862745918837138905, "size": 11, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430783 }, { "func": " UnicodeString(UBool /*isTerminated*/, const UChar * /*text*/, int32_t textLength) : i(textLength) {(void)i;}", "project": "icu", "hash": 177647147837677277829692111981875632882, "size": 1, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430799 }, { "func": "UnicodeString::UnicodeString(const char *codepageData, int32_t dataLength) {\n fUnion.fFields.fLengthAndFlags = kShortString;\n // if there's nothing to convert, do nothing\n if(codepageData == 0 || dataLength == 0 || dataLength < -1) {\n return;\n }\n if(dataLength == -1) 
{\n dataLength = (int32_t)uprv_strlen(codepageData);\n }\n setToUTF8(StringPiece(codepageData, dataLength));\n}", "project": "icu", "hash": 336073958493481584978342077077010334179, "size": 11, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430801 }, { "func": " UnicodeString() : i(1) {}", "project": "icu", "hash": 9694376419906043220329467780144047009, "size": 1, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430820 }, { "func": "UnicodeString::UnicodeString(UChar *buff,\n int32_t buffLength,\n int32_t buffCapacity) {\n fUnion.fFields.fLengthAndFlags = kWritableAlias;\n if(buff == NULL) {\n // treat as an empty string, do not alias\n setToEmpty();\n } else if(buffLength < -1 || buffCapacity < 0 || buffLength > buffCapacity) {\n setToBogus();\n } else {\n if(buffLength == -1) {\n // fLength = u_strlen(buff); but do not look beyond buffCapacity\n const UChar *p = buff, *limit = buff + buffCapacity;\n while(p != limit && *p != 0) {\n ++p;\n }\n buffLength = (int32_t)(p - buff);\n }\n setArray(buff, buffLength, buffCapacity);\n }\n}", "project": "icu", "hash": 206253156096467873690329063173819496856, "size": 21, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430829 }, { "func": "UnicodeString::UnicodeString(const UnicodeString& that) {\n fUnion.fFields.fLengthAndFlags = kShortString;\n copyFrom(that);\n}", "project": "icu", "hash": 160018128923162210524695863653342757573, "size": 4, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430839 }, { "func": "operator+ (const UnicodeString &s1, const UnicodeString &s2) {\n 
return\n UnicodeString(s1.length()+s2.length()+1, (UChar32)0, 0).\n append(s1).\n append(s2);\n}", "project": "icu", "hash": 294587303330751474945026285103297840631, "size": 6, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430846 }, { "func": "UnicodeString::UnicodeString(const UChar *text) {\n fUnion.fFields.fLengthAndFlags = kShortString;\n doAppend(text, 0, -1);\n}", "project": "icu", "hash": 224213452899178542524532803911602256328, "size": 4, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430850 }, { "func": "static u8 get_service_classes(struct hci_dev *hdev)\n{\n\tstruct bt_uuid *uuid;\n\tu8 val = 0;\n\n\tlist_for_each_entry(uuid, &hdev->uuids, list)\n\t\tval |= uuid->svc_hint;\n\n\treturn val;\n}", "project": "linux", "hash": 21687391474964033859147449997593939498, "size": 10, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402570 }, { "func": "static inline struct rar5* get_context(struct archive_read* a) {\n\treturn (struct rar5*) a->format->data;\n}", "project": "libarchive", "hash": 108778234300248641553221207368531649038, "size": 3, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244732 }, { "func": "UnicodeStringTest::TestReverse()\n{\n UnicodeString test(\"backwards words say to used I\");\n\n test.reverse();\n test.reverse(2, 4);\n test.reverse(7, 2);\n test.reverse(10, 3);\n test.reverse(14, 5);\n test.reverse(20, 9);\n\n if (test != \"I used to say words backwards\")\n errln(\"reverse() failed: Expected \\\"I used to say words backwards\\\",\\n got \\\"\"\n + test + \"\\\"\");\n\n test=UNICODE_STRING(\"\\\\U0002f999\\\\U0001d15f\\\\u00c4\\\\u1ed0\", 32).unescape();\n test.reverse();\n if(test.char32At(0)!=0x1ed0 || test.char32At(1)!=0xc4 || test.char32At(2)!=0x1d15f || test.char32At(4)!=0x2f999) {\n errln(\"reverse() failed with supplementary characters\");\n }\n\n // Test case for ticket #8091:\n // UnicodeString::reverse() failed 
to see a lead surrogate in the middle of\n // an odd-length string that contains no other lead surrogates.\n test=UNICODE_STRING_SIMPLE(\"ab\\\\U0001F4A9e\").unescape();\n UnicodeString expected=UNICODE_STRING_SIMPLE(\"e\\\\U0001F4A9ba\").unescape();\n test.reverse();\n if(test!=expected) {\n errln(\"reverse() failed with only lead surrogate in the middle\");\n }\n}", "project": "icu", "hash": 115891552564454775797531519275685399152, "size": 31, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430835 }, { "func": "void CSoundFile::SetTempo(TEMPO param, bool setFromUI)\n{\n\tconst CModSpecifications &specs = GetModSpecifications();\n\n\t// Anything lower than the minimum tempo is considered to be a tempo slide\n\tconst TEMPO minTempo = (GetType() == MOD_TYPE_MDL) ? TEMPO(1, 0) : TEMPO(32, 0);\n\n\tif(setFromUI)\n\t{\n\t\t// Set tempo from UI - ignore slide commands and such.\n\t\tm_PlayState.m_nMusicTempo = Clamp(param, specs.GetTempoMin(), specs.GetTempoMax());\n\t} else if(param >= minTempo && m_SongFlags[SONG_FIRSTTICK] == !m_playBehaviour[kMODTempoOnSecondTick])\n\t{\n\t\t// ProTracker sets the tempo after the first tick.\n\t\t// Note: The case of one tick per row is handled in ProcessRow() instead.\n\t\t// Test case: TempoChange.mod\n\t\tm_PlayState.m_nMusicTempo = std::min(param, specs.GetTempoMax());\n\t} else if(param < minTempo && !m_SongFlags[SONG_FIRSTTICK])\n\t{\n\t\t// Tempo Slide\n\t\tTEMPO tempDiff(param.GetInt() & 0x0F, 0);\n\t\tif((param.GetInt() & 0xF0) == 0x10)\n\t\t\tm_PlayState.m_nMusicTempo += tempDiff;\n\t\telse\n\t\t\tm_PlayState.m_nMusicTempo -= tempDiff;\n\n\t\tTEMPO tempoMin = specs.GetTempoMin(), tempoMax = specs.GetTempoMax();\n\t\tif(m_playBehaviour[kTempoClamp])\t// clamp tempo correctly in compatible mode\n\t\t{\n\t\t\ttempoMax.Set(255);\n\t\t}\n\t\tLimit(m_PlayState.m_nMusicTempo, tempoMin, tempoMax);\n\t}\n}", "project": 
"openmpt", "hash": 167718407895348847382870884655573534969, "size": 34, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255220 }, { "func": "static int svm_pre_leave_smm(struct kvm_vcpu *vcpu, const char *smstate)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tstruct vmcb *nested_vmcb;\n\tstruct kvm_host_map map;\n\tu64 guest;\n\tu64 vmcb;\n\n\tguest = GET_SMSTATE(u64, smstate, 0x7ed8);\n\tvmcb = GET_SMSTATE(u64, smstate, 0x7ee0);\n\n\tif (guest) {\n\t\tif (kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(vmcb), &map) == -EINVAL)\n\t\t\treturn 1;\n\t\tnested_vmcb = map.hva;\n\t\tenter_svm_guest_mode(svm, vmcb, nested_vmcb, &map);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 306430386760142143086763191496737524815, "size": 19, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432628 }, { "func": "static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_le_phy_update_complete *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\tif (!ev->status)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));\n\tif (!conn)\n\t\tgoto unlock;\n\n\tconn->le_tx_phy = ev->tx_phy;\n\tconn->le_rx_phy = ev->rx_phy;\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 223301064331502133722347887580970494288, "size": 22, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431932 }, { "func": "bool JOIN_TAB::save_explain_data(Explain_table_access *eta,\n table_map prefix_tables, \n bool distinct_arg, JOIN_TAB *first_top_tab)\n{\n int quick_type;\n CHARSET_INFO *cs= system_charset_info;\n THD *thd= join->thd;\n TABLE_LIST *table_list= table->pos_in_table_list;\n QUICK_SELECT_I *cur_quick= NULL;\n my_bool key_read;\n char table_name_buffer[SAFE_NAME_LEN];\n KEY *key_info= 0;\n uint key_len= 0;\n quick_type= -1;\n\n explain_plan= eta;\n eta->key.clear();\n eta->quick_info= NULL;\n\n SQL_SELECT *tab_select;\n /* \n We assume that if this table does pre-sorting, then it doesn't do filtering\n with SQL_SELECT.\n */\n DBUG_ASSERT(!(select && filesort));\n tab_select= (filesort)? 
filesort->select : select;\n\n if (filesort)\n {\n if (!(eta->pre_join_sort=\n new (thd->mem_root) Explain_aggr_filesort(thd->mem_root,\n thd->lex->analyze_stmt,\n filesort)))\n return 1;\n }\n \n tracker= &eta->tracker;\n jbuf_tracker= &eta->jbuf_tracker;\n\n /* Enable the table access time tracker only for \"ANALYZE stmt\" */\n if (thd->lex->analyze_stmt)\n table->file->set_time_tracker(&eta->op_tracker);\n\n /* No need to save id and select_type here, they are kept in Explain_select */\n\n /* table */\n if (table->derived_select_number)\n {\n /* Derived table name generation */\n size_t len= my_snprintf(table_name_buffer, sizeof(table_name_buffer)-1,\n \"\",\n table->derived_select_number);\n eta->table_name.copy(table_name_buffer, len, cs);\n }\n else if (bush_children)\n {\n JOIN_TAB *ctab= bush_children->start;\n /* table */\n size_t len= my_snprintf(table_name_buffer,\n sizeof(table_name_buffer)-1,\n \"\", \n ctab->emb_sj_nest->sj_subq_pred->get_identifier());\n eta->table_name.copy(table_name_buffer, len, cs);\n }\n else\n {\n TABLE_LIST *real_table= table->pos_in_table_list;\n /*\n When multi-table UPDATE/DELETE does updates/deletes to a VIEW, the view\n is merged in a certain particular way (grep for DT_MERGE_FOR_INSERT).\n\n As a result, view's underlying tables have $tbl->pos_in_table_list={view}.\n We don't want to print view name in EXPLAIN, we want underlying table's\n alias (like specified in the view definition).\n */\n if (real_table->merged_for_insert)\n {\n TABLE_LIST *view_child= real_table->view->select_lex.table_list.first;\n for (;view_child; view_child= view_child->next_local)\n {\n if (view_child->table == table)\n {\n real_table= view_child;\n break;\n }\n }\n }\n eta->table_name.copy(real_table->alias.str, real_table->alias.length, cs);\n }\n\n /* \"partitions\" column */\n {\n#ifdef WITH_PARTITION_STORAGE_ENGINE\n partition_info *part_info;\n if (!table->derived_select_number && \n (part_info= table->part_info))\n { //TODO: all 
thd->mem_root here should be fixed\n make_used_partitions_str(thd->mem_root, part_info, &eta->used_partitions,\n eta->used_partitions_list);\n eta->used_partitions_set= true;\n }\n else\n eta->used_partitions_set= false;\n#else\n /* just produce empty column if partitioning is not compiled in */\n eta->used_partitions_set= false;\n#endif\n }\n\n /* \"type\" column */\n enum join_type tab_type= type;\n if ((type == JT_ALL || type == JT_HASH) &&\n tab_select && tab_select->quick && use_quick != 2)\n {\n cur_quick= tab_select->quick;\n quick_type= cur_quick->get_type();\n if ((quick_type == QUICK_SELECT_I::QS_TYPE_INDEX_MERGE) ||\n (quick_type == QUICK_SELECT_I::QS_TYPE_INDEX_INTERSECT) ||\n (quick_type == QUICK_SELECT_I::QS_TYPE_ROR_INTERSECT) ||\n (quick_type == QUICK_SELECT_I::QS_TYPE_ROR_UNION))\n tab_type= type == JT_ALL ? JT_INDEX_MERGE : JT_HASH_INDEX_MERGE;\n else\n tab_type= type == JT_ALL ? JT_RANGE : JT_HASH_RANGE;\n }\n eta->type= tab_type;\n\n /* Build \"possible_keys\" value */\n // psergey-todo: why does this use thd MEM_ROOT??? Doesn't this \n // break ANALYZE ? 
thd->mem_root will be freed, and after that we will\n // attempt to print the query plan?\n if (append_possible_keys(thd->mem_root, eta->possible_keys, table, keys))\n return 1;\n // psergey-todo: ^ check for error return code \n\n /* Build \"key\", \"key_len\", and \"ref\" */\n if (tab_type == JT_NEXT)\n {\n key_info= table->key_info+index;\n key_len= key_info->key_length;\n }\n else if (ref.key_parts)\n {\n key_info= get_keyinfo_by_key_no(ref.key);\n key_len= ref.key_length;\n }\n \n /*\n In STRAIGHT_JOIN queries, there can be join tabs with JT_CONST type\n that still have quick selects.\n */\n if (tab_select && tab_select->quick && tab_type != JT_CONST)\n {\n if (!(eta->quick_info= tab_select->quick->get_explain(thd->mem_root)))\n return 1;\n }\n\n if (key_info) /* 'index' or 'ref' access */\n {\n eta->key.set(thd->mem_root, key_info, key_len);\n\n if (ref.key_parts && tab_type != JT_FT)\n {\n store_key **key_ref= ref.key_copy;\n for (uint kp= 0; kp < ref.key_parts; kp++)\n {\n if ((key_part_map(1) << kp) & ref.const_ref_part_map)\n {\n if (!(eta->ref_list.append_str(thd->mem_root, \"const\")))\n return 1;\n /*\n create_ref_for_key() handles keypart=const equalities as follows:\n - non-EXPLAIN execution will copy the \"const\" to lookup tuple\n immediately and will not add an element to ref.key_copy\n - EXPLAIN will put an element into ref.key_copy. Since we've\n just printed \"const\" for it, we should skip it here\n */\n if (thd->lex->describe)\n key_ref++;\n }\n else\n {\n if (!(eta->ref_list.append_str(thd->mem_root, (*key_ref)->name())))\n return 1;\n key_ref++;\n }\n }\n }\n }\n\n if (tab_type == JT_HASH_NEXT) /* full index scan + hash join */\n {\n eta->hash_next_key.set(thd->mem_root, \n & table->key_info[index], \n table->key_info[index].key_length);\n // psergey-todo: ^ is the above correct? 
are we necessarily joining on all\n // columns?\n }\n\n if (!key_info)\n {\n if (table_list && /* SJM bushes don't have table_list */\n table_list->schema_table &&\n table_list->schema_table->i_s_requested_object & OPTIMIZE_I_S_TABLE)\n {\n IS_table_read_plan *is_table_read_plan= table_list->is_table_read_plan;\n const char *tmp_buff;\n int f_idx;\n StringBuffer<64> key_name_buf;\n if (is_table_read_plan->trivial_show_command ||\n is_table_read_plan->has_db_lookup_value())\n {\n /* The \"key\" has the name of the column referring to the database */\n f_idx= table_list->schema_table->idx_field1;\n tmp_buff= table_list->schema_table->fields_info[f_idx].field_name;\n key_name_buf.append(tmp_buff, strlen(tmp_buff), cs);\n } \n if (is_table_read_plan->trivial_show_command ||\n is_table_read_plan->has_table_lookup_value())\n {\n if (is_table_read_plan->trivial_show_command ||\n is_table_read_plan->has_db_lookup_value())\n key_name_buf.append(',');\n\n f_idx= table_list->schema_table->idx_field2;\n tmp_buff= table_list->schema_table->fields_info[f_idx].field_name;\n key_name_buf.append(tmp_buff, strlen(tmp_buff), cs);\n }\n\n if (key_name_buf.length())\n eta->key.set_pseudo_key(thd->mem_root, key_name_buf.c_ptr_safe());\n }\n }\n \n /* \"rows\" */\n if (table_list /* SJM bushes don't have table_list */ &&\n table_list->schema_table)\n {\n /* I_S tables have rows=extra=NULL */\n eta->rows_set= false;\n eta->filtered_set= false;\n }\n else\n {\n ha_rows examined_rows= get_examined_rows();\n\n eta->rows_set= true;\n eta->rows= examined_rows;\n\n /* \"filtered\" */\n float f= 0.0; \n if (examined_rows)\n {\n double pushdown_cond_selectivity= cond_selectivity;\n if (pushdown_cond_selectivity == 1.0)\n f= (float) (100.0 * records_read / examined_rows);\n else\n f= (float) (100.0 * pushdown_cond_selectivity);\n }\n set_if_smaller(f, 100.0);\n eta->filtered_set= true;\n eta->filtered= f;\n }\n\n /* Build \"Extra\" field and save it */\n key_read= table->file->keyread_enabled();\n 
if ((tab_type == JT_NEXT || tab_type == JT_CONST) &&\n table->covering_keys.is_set(index))\n key_read=1;\n if (quick_type == QUICK_SELECT_I::QS_TYPE_ROR_INTERSECT &&\n !((QUICK_ROR_INTERSECT_SELECT*)cur_quick)->need_to_fetch_row)\n key_read=1;\n \n if (info)\n {\n eta->push_extra(info);\n }\n else if (packed_info & TAB_INFO_HAVE_VALUE)\n {\n if (packed_info & TAB_INFO_USING_INDEX)\n eta->push_extra(ET_USING_INDEX);\n if (packed_info & TAB_INFO_USING_WHERE)\n eta->push_extra(ET_USING_WHERE);\n if (packed_info & TAB_INFO_FULL_SCAN_ON_NULL)\n eta->push_extra(ET_FULL_SCAN_ON_NULL_KEY);\n }\n else\n {\n uint keyno= MAX_KEY;\n if (ref.key_parts)\n keyno= ref.key;\n else if (tab_select && cur_quick)\n keyno = cur_quick->index;\n\n if (keyno != MAX_KEY && keyno == table->file->pushed_idx_cond_keyno &&\n table->file->pushed_idx_cond)\n {\n eta->push_extra(ET_USING_INDEX_CONDITION);\n eta->pushed_index_cond= table->file->pushed_idx_cond;\n }\n else if (cache_idx_cond)\n {\n eta->push_extra(ET_USING_INDEX_CONDITION_BKA);\n eta->pushed_index_cond= cache_idx_cond;\n }\n\n if (quick_type == QUICK_SELECT_I::QS_TYPE_ROR_UNION || \n quick_type == QUICK_SELECT_I::QS_TYPE_ROR_INTERSECT ||\n quick_type == QUICK_SELECT_I::QS_TYPE_INDEX_INTERSECT ||\n quick_type == QUICK_SELECT_I::QS_TYPE_INDEX_MERGE)\n {\n eta->push_extra(ET_USING);\n }\n if (tab_select)\n {\n if (use_quick == 2)\n {\n eta->push_extra(ET_RANGE_CHECKED_FOR_EACH_RECORD);\n eta->range_checked_fer= new (thd->mem_root) Explain_range_checked_fer;\n if (eta->range_checked_fer)\n eta->range_checked_fer->\n append_possible_keys_stat(thd->mem_root, table, keys);\n }\n else if (tab_select->cond ||\n (cache_select && cache_select->cond))\n {\n const COND *pushed_cond= table->file->pushed_cond;\n\n if ((table->file->ha_table_flags() &\n HA_CAN_TABLE_CONDITION_PUSHDOWN) &&\n pushed_cond)\n {\n eta->push_extra(ET_USING_WHERE_WITH_PUSHED_CONDITION);\n }\n else\n {\n eta->where_cond= tab_select->cond;\n eta->cache_cond= cache_select? 
cache_select->cond : NULL;\n eta->push_extra(ET_USING_WHERE);\n }\n }\n }\n if (table_list /* SJM bushes don't have table_list */ &&\n table_list->schema_table &&\n table_list->schema_table->i_s_requested_object & OPTIMIZE_I_S_TABLE)\n {\n if (!table_list->table_open_method)\n eta->push_extra(ET_SKIP_OPEN_TABLE);\n else if (table_list->table_open_method == OPEN_FRM_ONLY)\n eta->push_extra(ET_OPEN_FRM_ONLY);\n else\n eta->push_extra(ET_OPEN_FULL_TABLE);\n /* psergey-note: the following has a bug.*/\n if (table_list->is_table_read_plan->trivial_show_command ||\n (table_list->is_table_read_plan->has_db_lookup_value() &&\n table_list->is_table_read_plan->has_table_lookup_value()))\n eta->push_extra(ET_SCANNED_0_DATABASES);\n else if (table_list->is_table_read_plan->has_db_lookup_value() ||\n table_list->is_table_read_plan->has_table_lookup_value())\n eta->push_extra(ET_SCANNED_1_DATABASE);\n else\n eta->push_extra(ET_SCANNED_ALL_DATABASES);\n }\n if (key_read)\n {\n if (quick_type == QUICK_SELECT_I::QS_TYPE_GROUP_MIN_MAX)\n {\n QUICK_GROUP_MIN_MAX_SELECT *qgs= \n (QUICK_GROUP_MIN_MAX_SELECT *) tab_select->quick;\n eta->push_extra(ET_USING_INDEX_FOR_GROUP_BY);\n eta->loose_scan_is_scanning= qgs->loose_scan_is_scanning();\n }\n else\n eta->push_extra(ET_USING_INDEX);\n }\n if (table->reginfo.not_exists_optimize)\n eta->push_extra(ET_NOT_EXISTS);\n\n if (quick_type == QUICK_SELECT_I::QS_TYPE_RANGE)\n {\n explain_append_mrr_info((QUICK_RANGE_SELECT*)(tab_select->quick),\n &eta->mrr_type);\n if (eta->mrr_type.length() > 0)\n eta->push_extra(ET_USING_MRR);\n }\n\n if (shortcut_for_distinct)\n eta->push_extra(ET_DISTINCT);\n\n if (loosescan_match_tab)\n {\n eta->push_extra(ET_LOOSESCAN);\n }\n\n if (first_weedout_table)\n {\n eta->start_dups_weedout= true;\n eta->push_extra(ET_START_TEMPORARY);\n }\n if (check_weed_out_table)\n {\n eta->push_extra(ET_END_TEMPORARY);\n eta->end_dups_weedout= true;\n }\n\n else if (do_firstmatch)\n {\n if (do_firstmatch == /*join->join_tab*/ 
first_top_tab - 1)\n eta->push_extra(ET_FIRST_MATCH);\n else\n {\n eta->push_extra(ET_FIRST_MATCH);\n TABLE *prev_table=do_firstmatch->table;\n if (prev_table->derived_select_number)\n {\n char namebuf[NAME_LEN];\n /* Derived table name generation */\n size_t len= my_snprintf(namebuf, sizeof(namebuf)-1,\n \"\",\n prev_table->derived_select_number);\n eta->firstmatch_table_name.append(namebuf, len);\n }\n else\n eta->firstmatch_table_name.append(&prev_table->pos_in_table_list->alias);\n }\n }\n\n for (uint part= 0; part < ref.key_parts; part++)\n {\n if (ref.cond_guards[part])\n {\n eta->push_extra(ET_FULL_SCAN_ON_NULL_KEY);\n eta->full_scan_on_null_key= true;\n break;\n }\n }\n\n if (cache)\n {\n eta->push_extra(ET_USING_JOIN_BUFFER);\n if (cache->save_explain_data(&eta->bka_type))\n return 1;\n }\n }\n\n /* \n In case this is a derived table, here we remember the number of \n subselect that used to produce it.\n */\n if (!(table_list && table_list->is_with_table_recursive_reference()))\n eta->derived_select_number= table->derived_select_number;\n\n /* The same for non-merged semi-joins */\n eta->non_merged_sjm_number = get_non_merged_semijoin_select();\n\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 270542732256725975444645771793599569772, "size": 456, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508441 }, { "func": "bool JOIN::save_explain_data(Explain_query *output, bool can_overwrite,\n bool need_tmp_table, bool need_order, \n bool distinct)\n{\n /*\n If there is SELECT in this statement with the same number it must be the\n same SELECT\n */\n DBUG_SLOW_ASSERT(select_lex->select_number == UINT_MAX ||\n select_lex->select_number == INT_MAX ||\n !output ||\n !output->get_select(select_lex->select_number) ||\n output->get_select(select_lex->select_number)->select_lex ==\n select_lex);\n\n if (select_lex->select_number != UINT_MAX && \n select_lex->select_number != INT_MAX /* this is not a UNION's \"fake select */ && \n have_query_plan != JOIN::QEP_NOT_PRESENT_YET && \n have_query_plan != JOIN::QEP_DELETED && // this happens when there was \n // no QEP ever, but then\n //cleanup() is called multiple times\n output && // for \"SET\" command in SPs.\n (can_overwrite? true: !output->get_select(select_lex->select_number)))\n {\n const char *message= NULL;\n if (!table_count || !tables_list || zero_result_cause)\n {\n /* It's a degenerate join */\n message= zero_result_cause ? zero_result_cause : \"No tables used\";\n }\n return save_explain_data_intern(thd->lex->explain, need_tmp_table, need_order,\n distinct, message);\n }\n \n /*\n Can have join_tab==NULL for degenerate cases (e.g. SELECT .. UNION ... SELECT LIMIT 0)\n */\n if (select_lex == select_lex->master_unit()->fake_select_lex && join_tab)\n {\n /* \n This is fake_select_lex. 
It has no query plan, but we need to set up a\n tracker for ANALYZE \n */\n uint nr= select_lex->master_unit()->first_select()->select_number;\n Explain_union *eu= output->get_union(nr);\n explain= &eu->fake_select_lex_explain;\n join_tab[0].tracker= eu->get_fake_select_lex_tracker();\n for (uint i=0 ; i < exec_join_tab_cnt() + aggr_tables; i++)\n {\n if (join_tab[i].filesort)\n {\n if (!(join_tab[i].filesort->tracker=\n new Filesort_tracker(thd->lex->analyze_stmt)))\n return 1;\n }\n }\n }\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 254445523745590527937761941138211488940, "size": 59, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508536 }, { "func": "\treturn err;\n}\n\nstatic int iscsi_delete_chap(struct iscsi_transport *transport,\n\t\t\t struct iscsi_uevent *ev)\n{\n\tstruct Scsi_Host *shost;\n\tint err = 0;\n\n\tif (!transport->delete_chap)\n\t\treturn -ENOSYS;\n\n\tshost = scsi_host_lookup(ev->u.delete_chap.host_no);\n\tif (!shost) {\n\t\tprintk(KERN_ERR \"%s could not find host no %u\\n\",\n\t\t __func__, ev->u.delete_chap.host_no);\n\t\treturn -ENODEV;\n\t}\n\n\terr = transport->delete_chap(shost, ev->u.delete_chap.chap_tbl_idx);", "project": "linux", "hash": 34503458765734594046335403219545653652, "size": 20, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379941 }, { "func": "void sctp_put_port(struct sock *sk)\n{\n\tlocal_bh_disable();\n\t__sctp_put_port(sk);\n\tlocal_bh_enable();\n}", "project": "linux", "hash": 101676663746547757828209364736447044196, "size": 6, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398196 }, { "func": "PHPAPI int php_hash_environment(void)\n{\n\tmemset(PG(http_globals), 0, sizeof(PG(http_globals)));\n\tzend_activate_auto_globals();\n\tif (PG(register_argc_argv)) {\n\t\tphp_build_argv(SG(request_info).query_string, &PG(http_globals)[TRACK_VARS_SERVER]);\n\t}\n\treturn SUCCESS;\n}", "project": "php-src", "hash": 60384801046993015820906442383353315593, "size": 9, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374977 }, { "func": "static void usage(void)\n{\n fputs(\"type `nasm -h' for help\\n\", error_file);\n}", "project": "nasm", "hash": 240378752697523170215675684682908095720, "size": 4, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257466 }, { "func": "void usage(enum logcode F)\n{\n print_rsync_version(F);\n\n rprintf(F,\"\\n\");\n rprintf(F,\"rsync is a file transfer program capable of efficient remote update\\n\");\n rprintf(F,\"via a fast differencing algorithm.\\n\");\n\n rprintf(F,\"\\n\");\n rprintf(F,\"Usage: rsync [OPTION]... SRC [SRC]... DEST\\n\");\n rprintf(F,\" or rsync [OPTION]... SRC [SRC]... 
[USER@]HOST:DEST\\n\");\n rprintf(F,\" or rsync [OPTION]... SRC [SRC]... [USER@]HOST::DEST\\n\");\n rprintf(F,\" or rsync [OPTION]... SRC [SRC]... rsync://[USER@]HOST[:PORT]/DEST\\n\");\n rprintf(F,\" or rsync [OPTION]... [USER@]HOST:SRC [DEST]\\n\");\n rprintf(F,\" or rsync [OPTION]... [USER@]HOST::SRC [DEST]\\n\");\n rprintf(F,\" or rsync [OPTION]... rsync://[USER@]HOST[:PORT]/SRC [DEST]\\n\");\n rprintf(F,\"The ':' usages connect via remote shell, while '::' & 'rsync://' usages connect\\n\");\n rprintf(F,\"to an rsync daemon, and require SRC or DEST to start with a module name.\\n\");\n rprintf(F,\"\\n\");\n rprintf(F,\"Options\\n\");\n rprintf(F,\" -v, --verbose increase verbosity\\n\");\n rprintf(F,\" --info=FLAGS fine-grained informational verbosity\\n\");\n rprintf(F,\" --debug=FLAGS fine-grained debug verbosity\\n\");\n rprintf(F,\" --msgs2stderr special output handling for debugging\\n\");\n rprintf(F,\" -q, --quiet suppress non-error messages\\n\");\n rprintf(F,\" --no-motd suppress daemon-mode MOTD (see manpage caveat)\\n\");\n rprintf(F,\" -c, --checksum skip based on checksum, not mod-time & size\\n\");\n rprintf(F,\" -a, --archive archive mode; equals -rlptgoD (no -H,-A,-X)\\n\");\n rprintf(F,\" --no-OPTION turn off an implied OPTION (e.g. 
--no-D)\\n\");\n rprintf(F,\" -r, --recursive recurse into directories\\n\");\n rprintf(F,\" -R, --relative use relative path names\\n\");\n rprintf(F,\" --no-implied-dirs don't send implied dirs with --relative\\n\");\n rprintf(F,\" -b, --backup make backups (see --suffix & --backup-dir)\\n\");\n rprintf(F,\" --backup-dir=DIR make backups into hierarchy based in DIR\\n\");\n rprintf(F,\" --suffix=SUFFIX set backup suffix (default %s w/o --backup-dir)\\n\",BACKUP_SUFFIX);\n rprintf(F,\" -u, --update skip files that are newer on the receiver\\n\");\n rprintf(F,\" --inplace update destination files in-place (SEE MAN PAGE)\\n\");\n rprintf(F,\" --append append data onto shorter files\\n\");\n rprintf(F,\" --append-verify like --append, but with old data in file checksum\\n\");\n rprintf(F,\" -d, --dirs transfer directories without recursing\\n\");\n rprintf(F,\" -l, --links copy symlinks as symlinks\\n\");\n rprintf(F,\" -L, --copy-links transform symlink into referent file/dir\\n\");\n rprintf(F,\" --copy-unsafe-links only \\\"unsafe\\\" symlinks are transformed\\n\");\n rprintf(F,\" --safe-links ignore symlinks that point outside the source tree\\n\");\n rprintf(F,\" --munge-links munge symlinks to make them safer (but unusable)\\n\");\n rprintf(F,\" -k, --copy-dirlinks transform symlink to a dir into referent dir\\n\");\n rprintf(F,\" -K, --keep-dirlinks treat symlinked dir on receiver as dir\\n\");\n rprintf(F,\" -H, --hard-links preserve hard links\\n\");\n rprintf(F,\" -p, --perms preserve permissions\\n\");\n rprintf(F,\" -E, --executability preserve the file's executability\\n\");\n rprintf(F,\" --chmod=CHMOD affect file and/or directory permissions\\n\");\n#ifdef SUPPORT_ACLS\n rprintf(F,\" -A, --acls preserve ACLs (implies --perms)\\n\");\n#endif\n#ifdef SUPPORT_XATTRS\n rprintf(F,\" -X, --xattrs preserve extended attributes\\n\");\n#endif\n rprintf(F,\" -o, --owner preserve owner (super-user only)\\n\");\n rprintf(F,\" -g, --group preserve group\\n\");\n 
rprintf(F,\" --devices preserve device files (super-user only)\\n\");\n rprintf(F,\" --specials preserve special files\\n\");\n rprintf(F,\" -D same as --devices --specials\\n\");\n rprintf(F,\" -t, --times preserve modification times\\n\");\n rprintf(F,\" -O, --omit-dir-times omit directories from --times\\n\");\n rprintf(F,\" -J, --omit-link-times omit symlinks from --times\\n\");\n rprintf(F,\" --super receiver attempts super-user activities\\n\");\n#ifdef SUPPORT_XATTRS\n rprintf(F,\" --fake-super store/recover privileged attrs using xattrs\\n\");\n#endif\n rprintf(F,\" -S, --sparse turn sequences of nulls into sparse blocks\\n\");\n#ifdef SUPPORT_PREALLOCATION\n rprintf(F,\" --preallocate allocate dest files before writing them\\n\");\n#else\n rprintf(F,\" --preallocate pre-allocate dest files on remote receiver\\n\");\n#endif\n rprintf(F,\" -n, --dry-run perform a trial run with no changes made\\n\");\n rprintf(F,\" -W, --whole-file copy files whole (without delta-xfer algorithm)\\n\");\n rprintf(F,\" --checksum-choice=STR choose the checksum algorithms\\n\");\n rprintf(F,\" -x, --one-file-system don't cross filesystem boundaries\\n\");\n rprintf(F,\" -B, --block-size=SIZE force a fixed checksum block-size\\n\");\n rprintf(F,\" -e, --rsh=COMMAND specify the remote shell to use\\n\");\n rprintf(F,\" --rsync-path=PROGRAM specify the rsync to run on the remote machine\\n\");\n rprintf(F,\" --existing skip creating new files on receiver\\n\");\n rprintf(F,\" --ignore-existing skip updating files that already exist on receiver\\n\");\n rprintf(F,\" --remove-source-files sender removes synchronized files (non-dirs)\\n\");\n rprintf(F,\" --del an alias for --delete-during\\n\");\n rprintf(F,\" --delete delete extraneous files from destination dirs\\n\");\n rprintf(F,\" --delete-before receiver deletes before transfer, not during\\n\");\n rprintf(F,\" --delete-during receiver deletes during the transfer\\n\");\n rprintf(F,\" --delete-delay find deletions during, 
delete after\\n\");\n rprintf(F,\" --delete-after receiver deletes after transfer, not during\\n\");\n rprintf(F,\" --delete-excluded also delete excluded files from destination dirs\\n\");\n rprintf(F,\" --ignore-missing-args ignore missing source args without error\\n\");\n rprintf(F,\" --delete-missing-args delete missing source args from destination\\n\");\n rprintf(F,\" --ignore-errors delete even if there are I/O errors\\n\");\n rprintf(F,\" --force force deletion of directories even if not empty\\n\");\n rprintf(F,\" --max-delete=NUM don't delete more than NUM files\\n\");\n rprintf(F,\" --max-size=SIZE don't transfer any file larger than SIZE\\n\");\n rprintf(F,\" --min-size=SIZE don't transfer any file smaller than SIZE\\n\");\n rprintf(F,\" --partial keep partially transferred files\\n\");\n rprintf(F,\" --partial-dir=DIR put a partially transferred file into DIR\\n\");\n rprintf(F,\" --delay-updates put all updated files into place at transfer's end\\n\");\n rprintf(F,\" -m, --prune-empty-dirs prune empty directory chains from the file-list\\n\");\n rprintf(F,\" --numeric-ids don't map uid/gid values by user/group name\\n\");\n rprintf(F,\" --usermap=STRING custom username mapping\\n\");\n rprintf(F,\" --groupmap=STRING custom groupname mapping\\n\");\n rprintf(F,\" --chown=USER:GROUP simple username/groupname mapping\\n\");\n rprintf(F,\" --timeout=SECONDS set I/O timeout in seconds\\n\");\n rprintf(F,\" --contimeout=SECONDS set daemon connection timeout in seconds\\n\");\n rprintf(F,\" -I, --ignore-times don't skip files that match in size and mod-time\\n\");\n rprintf(F,\" -M, --remote-option=OPTION send OPTION to the remote side only\\n\");\n rprintf(F,\" --size-only skip files that match in size\\n\");\n rprintf(F,\" -@, --modify-window=NUM set the accuracy for mod-time comparisons\\n\");\n rprintf(F,\" -T, --temp-dir=DIR create temporary files in directory DIR\\n\");\n rprintf(F,\" -y, --fuzzy find similar file for basis if no dest file\\n\");\n 
rprintf(F,\" --compare-dest=DIR also compare destination files relative to DIR\\n\");\n rprintf(F,\" --copy-dest=DIR ... and include copies of unchanged files\\n\");\n rprintf(F,\" --link-dest=DIR hardlink to files in DIR when unchanged\\n\");\n rprintf(F,\" -z, --compress compress file data during the transfer\\n\");\n rprintf(F,\" --compress-level=NUM explicitly set compression level\\n\");\n rprintf(F,\" --skip-compress=LIST skip compressing files with a suffix in LIST\\n\");\n rprintf(F,\" -C, --cvs-exclude auto-ignore files the same way CVS does\\n\");\n rprintf(F,\" -f, --filter=RULE add a file-filtering RULE\\n\");\n rprintf(F,\" -F same as --filter='dir-merge /.rsync-filter'\\n\");\n rprintf(F,\" repeated: --filter='- .rsync-filter'\\n\");\n rprintf(F,\" --exclude=PATTERN exclude files matching PATTERN\\n\");\n rprintf(F,\" --exclude-from=FILE read exclude patterns from FILE\\n\");\n rprintf(F,\" --include=PATTERN don't exclude files matching PATTERN\\n\");\n rprintf(F,\" --include-from=FILE read include patterns from FILE\\n\");\n rprintf(F,\" --files-from=FILE read list of source-file names from FILE\\n\");\n rprintf(F,\" -0, --from0 all *-from/filter files are delimited by 0s\\n\");\n rprintf(F,\" -s, --protect-args no space-splitting; only wildcard special-chars\\n\");\n rprintf(F,\" --address=ADDRESS bind address for outgoing socket to daemon\\n\");\n rprintf(F,\" --port=PORT specify double-colon alternate port number\\n\");\n rprintf(F,\" --sockopts=OPTIONS specify custom TCP options\\n\");\n rprintf(F,\" --blocking-io use blocking I/O for the remote shell\\n\");\n rprintf(F,\" --stats give some file-transfer stats\\n\");\n rprintf(F,\" -8, --8-bit-output leave high-bit chars unescaped in output\\n\");\n rprintf(F,\" -h, --human-readable output numbers in a human-readable format\\n\");\n rprintf(F,\" --progress show progress during transfer\\n\");\n rprintf(F,\" -P same as --partial --progress\\n\");\n rprintf(F,\" -i, --itemize-changes output a 
change-summary for all updates\\n\");\n rprintf(F,\" --out-format=FORMAT output updates using the specified FORMAT\\n\");\n rprintf(F,\" --log-file=FILE log what we're doing to the specified FILE\\n\");\n rprintf(F,\" --log-file-format=FMT log updates using the specified FMT\\n\");\n rprintf(F,\" --password-file=FILE read daemon-access password from FILE\\n\");\n rprintf(F,\" --list-only list the files instead of copying them\\n\");\n rprintf(F,\" --bwlimit=RATE limit socket I/O bandwidth\\n\");\n#ifdef HAVE_SETVBUF\n rprintf(F,\" --outbuf=N|L|B set output buffering to None, Line, or Block\\n\");\n#endif\n rprintf(F,\" --write-batch=FILE write a batched update to FILE\\n\");\n rprintf(F,\" --only-write-batch=FILE like --write-batch but w/o updating destination\\n\");\n rprintf(F,\" --read-batch=FILE read a batched update from FILE\\n\");\n rprintf(F,\" --protocol=NUM force an older protocol version to be used\\n\");\n#ifdef ICONV_OPTION\n rprintf(F,\" --iconv=CONVERT_SPEC request charset conversion of filenames\\n\");\n#endif\n rprintf(F,\" --checksum-seed=NUM set block/file checksum seed (advanced)\\n\");\n rprintf(F,\" -4, --ipv4 prefer IPv4\\n\");\n rprintf(F,\" -6, --ipv6 prefer IPv6\\n\");\n rprintf(F,\" --version print version number\\n\");\n rprintf(F,\"(-h) --help show this help (-h is --help only if used alone)\\n\");\n\n rprintf(F,\"\\n\");\n rprintf(F,\"Use \\\"rsync --daemon --help\\\" to see the daemon-mode command-line options.\\n\");\n rprintf(F,\"Please see the rsync(1) and rsyncd.conf(5) man pages for full documentation.\\n\");\n rprintf(F,\"See http://rsync.samba.org/ for updates, bug reports, and answers\\n\");\n}", "project": "rsync", "hash": 173820506340783719747608564557579366368, "size": 169, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. 
The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364679 }, { "func": "void usage()\n{\n\tprintf(\"Converting from BIND .private-key format to PKCS#8 key file format.\\n\");\n\tprintf(\"Usage: softhsm2-keyconv [OPTIONS]\\n\");\n\tprintf(\"Options:\\n\");\n\tprintf(\" -h Shows this help screen.\\n\");\n\tprintf(\" --help Shows this help screen.\\n\");\n\tprintf(\" --in The path to the input file.\\n\");\n\tprintf(\" --out The path to the output file.\\n\");\n\tprintf(\" --pin To encrypt PKCS#8 file. Optional.\\n\");\n\tprintf(\" -v Show version info.\\n\");\n\tprintf(\" --version Show version info.\\n\");\n}", "project": "SoftHSMv2", "hash": 139037372687810174522741332172596121123, "size": 13, "commit_id": "492447cd4a2be449e99fb9ad2519ea3277aaad28", "message": "SUPPORT-136: softhsm2-keyconv creates files with sensitive material in insecure way.", "target": 0, "dataset": "other", "idx": 452353 }, { "func": "static void usage(int v)\n{\n fprintf(stderr, use, CmdName);\n exit(v);\n}", "target": 0, "cwe": [ "CWE-476" ], "project": "graphviz", "commit_id": "839085f8026afd6f6920a0c31ad2a9d880d97932", "hash": 173058257554267021494519902632105654008, "size": 5, "message": "attempted fix for null pointer deference on malformed input", "dataset": "other", "idx": 505478 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "SoftwareFrameManager::~SoftwareFrameManager() {\n DiscardCurrentFrame();\n}\n", "cwe": "", "big_vul_idx": 129978, "idx": 116289, "hash": 181877543383418935737835700062781375663 }, { "func": "static bool is_advertising_allowed(struct hci_dev *hdev, bool connectable)\n{\n\t/* If there is no 
connection we are OK to advertise. */\n\tif (hci_conn_num(hdev, LE_LINK) == 0)\n\t\treturn true;\n\n\t/* Check le_states if there is any connection in slave role. */\n\tif (hdev->conn_hash.le_num_slave > 0) {\n\t\t/* Slave connection state and non connectable mode bit 20. */\n\t\tif (!connectable && !(hdev->le_states[2] & 0x10))\n\t\t\treturn false;\n\n\t\t/* Slave connection state and connectable mode bit 38\n\t\t * and scannable bit 21.\n\t\t */\n\t\tif (connectable && (!(hdev->le_states[4] & 0x40) ||\n\t\t\t\t !(hdev->le_states[2] & 0x20)))\n\t\t\treturn false;\n\t}\n\n\t/* Check le_states if there is any connection in master role. */\n\tif (hci_conn_num(hdev, LE_LINK) != hdev->conn_hash.le_num_slave) {\n\t\t/* Master connection state and non connectable mode bit 18. */\n\t\tif (!connectable && !(hdev->le_states[2] & 0x02))\n\t\t\treturn false;\n\n\t\t/* Master connection state and connectable mode bit 35 and\n\t\t * scannable 19.\n\t\t */\n\t\tif (connectable && (!(hdev->le_states[4] & 0x08) ||\n\t\t\t\t !(hdev->le_states[2] & 0x08)))\n\t\t\treturn false;\n\t}\n\n\treturn true;\n}", "project": "linux", "hash": 248250406039220229451218833674534462163, "size": 36, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402499 }, { "func": "static void ca8210_test_interface_clear(struct ca8210_priv *priv)\n{\n\tstruct ca8210_test *test = &priv->test;\n\n\tdebugfs_remove(test->ca8210_dfs_spi_int);\n\tkfifo_free(&test->up_fifo);\n\tdev_info(&priv->spi->dev, \"Test interface removed\\n\");\n}", "project": "linux", "hash": 311159098130930471798904390148580514078, "size": 8, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408779 }, { "func": "static int io_async_buf_func(struct wait_queue_entry *wait, unsigned mode,\n\t\t\t int sync, void *arg)\n{\n\tstruct wait_page_queue *wpq;\n\tstruct io_kiocb *req = wait->private;\n\tstruct wait_page_key *key = arg;\n\n\twpq = container_of(wait, struct wait_page_queue, wait);\n\n\tif (!wake_page_match(wpq, key))\n\t\treturn 0;\n\n\treq->rw.kiocb.ki_flags &= ~IOCB_WAITQ;\n\tlist_del_init(&wait->entry);\n\n\t/* submit ref gets dropped, acquire a new one */\n\treq_ref_get(req);\n\tio_req_task_queue(req);\n\treturn 1;\n}", "project": "linux", "hash": 6221662746254172704396815171942267095, "size": 20, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338577 }, { "func": "static int io_async_buf_func(struct wait_queue_entry *wait, unsigned mode,\n\t\t\t int sync, void *arg)\n{\n\tstruct wait_page_queue *wpq;\n\tstruct io_kiocb *req = wait->private;\n\tstruct wait_page_key *key = arg;\n\tint ret;\n\n\twpq = container_of(wait, struct wait_page_queue, wait);\n\n\tif (!wake_page_match(wpq, key))\n\t\treturn 0;\n\n\tlist_del_init(&wait->entry);\n\n\tinit_task_work(&req->task_work, io_req_task_submit);\n\tpercpu_ref_get(&req->ctx->refs);\n\n\t/* submit ref gets dropped, acquire a new one */\n\trefcount_inc(&req->refs);\n\tret = io_req_task_work_add(req, &req->task_work);\n\tif (unlikely(ret)) {\n\t\tstruct task_struct *tsk;\n\n\t\t/* queue just for cancelation */\n\t\tinit_task_work(&req->task_work, io_req_task_cancel);\n\t\ttsk = io_wq_get_task(req->ctx->io_wq);\n\t\ttask_work_add(tsk, &req->task_work, 0);\n\t\twake_up_process(tsk);\n\t}\n\treturn 1;\n}", "project": "linux", "hash": 213286259433910936380944775512077254612, "size": 32, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during 
issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456906 }, { "func": "void imap_unmunge_mbox_name(bool unicode, char *s)\n{\n imap_unquote_string(s);\n\n char *buf = mutt_str_dup(s);\n if (buf)\n {\n imap_utf_decode(unicode, &buf);\n strncpy(s, buf, strlen(s));\n }\n\n FREE(&buf);\n}", "project": "neomutt", "hash": 58324281325222231928955986593183385403, "size": 13, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399285 }, { "func": "static void collect_signal(int sig, struct sigpending *list, kernel_siginfo_t *info,\n\t\t\t bool *resched_timer)\n{\n\tstruct sigqueue *q, *first = NULL;\n\n\t/*\n\t * Collect the siginfo appropriate to this signal. Check if\n\t * there is another siginfo for the same signal.\n\t*/\n\tlist_for_each_entry(q, &list->list, list) {\n\t\tif (q->info.si_signo == sig) {\n\t\t\tif (first)\n\t\t\t\tgoto still_pending;\n\t\t\tfirst = q;\n\t\t}\n\t}\n\n\tsigdelset(&list->signal, sig);\n\n\tif (first) {\nstill_pending:\n\t\tlist_del_init(&first->list);\n\t\tcopy_siginfo(info, &first->info);\n\n\t\t*resched_timer =\n\t\t\t(first->flags & SIGQUEUE_PREALLOC) &&\n\t\t\t(info->si_code == SI_TIMER) &&\n\t\t\t(info->si_sys_private);\n\n\t\t__sigqueue_free(first);\n\t} else {\n\t\t/*\n\t\t * Ok, it wasn't in the queue. This must be\n\t\t * a fast-pathed signal or we must have been\n\t\t * out of queue space. 
So zero out the info.\n\t\t */\n\t\tclear_siginfo(info);\n\t\tinfo->si_signo = sig;\n\t\tinfo->si_errno = 0;\n\t\tinfo->si_code = SI_USER;\n\t\tinfo->si_pid = 0;\n\t\tinfo->si_uid = 0;\n\t}\n}", "project": "linux", "hash": 242384130263043713462527575180754650785, "size": 44, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375143 }, { "func": "static void set_ov_sensor_window(struct sd *sd)\n{\n\tstruct gspca_dev *gspca_dev;\n\tint qvga, crop;\n\tint hwsbase, hwebase, vwsbase, vwebase, hwscale, vwscale;\n\n\t/* mode setup is fully handled in mode_init_ov_sensor_regs for these */\n\tswitch (sd->sensor) {\n\tcase SEN_OV2610:\n\tcase SEN_OV2610AE:\n\tcase SEN_OV3610:\n\tcase SEN_OV7670:\n\tcase SEN_OV9600:\n\t\tmode_init_ov_sensor_regs(sd);\n\t\treturn;\n\tcase SEN_OV7660:\n\t\tov519_set_mode(sd);\n\t\tov519_set_fr(sd);\n\t\treturn;\n\t}\n\n\tgspca_dev = &sd->gspca_dev;\n\tqvga = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv & 1;\n\tcrop = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv & 2;\n\n\t/* The different sensor ICs handle setting up of window differently.\n\t * IF YOU SET IT WRONG, YOU WILL GET ALL ZERO ISOC DATA FROM OV51x!! */\n\tswitch (sd->sensor) {\n\tcase SEN_OV8610:\n\t\thwsbase = 0x1e;\n\t\thwebase = 0x1e;\n\t\tvwsbase = 0x02;\n\t\tvwebase = 0x02;\n\t\tbreak;\n\tcase SEN_OV7610:\n\tcase SEN_OV76BE:\n\t\thwsbase = 0x38;\n\t\thwebase = 0x3a;\n\t\tvwsbase = vwebase = 0x05;\n\t\tbreak;\n\tcase SEN_OV6620:\n\tcase SEN_OV6630:\n\tcase SEN_OV66308AF:\n\t\thwsbase = 0x38;\n\t\thwebase = 0x3a;\n\t\tvwsbase = 0x05;\n\t\tvwebase = 0x06;\n\t\tif (sd->sensor == SEN_OV66308AF && qvga)\n\t\t\t/* HDG: this fixes U and V getting swapped */\n\t\t\thwsbase++;\n\t\tif (crop) {\n\t\t\thwsbase += 8;\n\t\t\thwebase += 8;\n\t\t\tvwsbase += 11;\n\t\t\tvwebase += 11;\n\t\t}\n\t\tbreak;\n\tcase SEN_OV7620:\n\tcase SEN_OV7620AE:\n\t\thwsbase = 0x2f;\t\t/* From 7620.SET (spec is wrong) */\n\t\thwebase = 0x2f;\n\t\tvwsbase = vwebase = 0x05;\n\t\tbreak;\n\tcase SEN_OV7640:\n\tcase SEN_OV7648:\n\t\thwsbase = 0x1a;\n\t\thwebase = 0x1a;\n\t\tvwsbase = vwebase = 0x03;\n\t\tbreak;\n\tdefault:\n\t\treturn;\n\t}\n\n\tswitch (sd->sensor) {\n\tcase SEN_OV6620:\n\tcase SEN_OV6630:\n\tcase SEN_OV66308AF:\n\t\tif (qvga) {\t\t/* QCIF */\n\t\t\thwscale 
= 0;\n\t\t\tvwscale = 0;\n\t\t} else {\t\t/* CIF */\n\t\t\thwscale = 1;\n\t\t\tvwscale = 1;\t/* The datasheet says 0;\n\t\t\t\t\t * it's wrong */\n\t\t}\n\t\tbreak;\n\tcase SEN_OV8610:\n\t\tif (qvga) {\t\t/* QSVGA */\n\t\t\thwscale = 1;\n\t\t\tvwscale = 1;\n\t\t} else {\t\t/* SVGA */\n\t\t\thwscale = 2;\n\t\t\tvwscale = 2;\n\t\t}\n\t\tbreak;\n\tdefault:\t\t\t/* SEN_OV7xx0 */\n\t\tif (qvga) {\t\t/* QVGA */\n\t\t\thwscale = 1;\n\t\t\tvwscale = 0;\n\t\t} else {\t\t/* VGA */\n\t\t\thwscale = 2;\n\t\t\tvwscale = 1;\n\t\t}\n\t}\n\n\tmode_init_ov_sensor_regs(sd);\n\n\ti2c_w(sd, 0x17, hwsbase);\n\ti2c_w(sd, 0x18, hwebase + (sd->sensor_width >> hwscale));\n\ti2c_w(sd, 0x19, vwsbase);\n\ti2c_w(sd, 0x1a, vwebase + (sd->sensor_height >> vwscale));\n}", "project": "linux", "hash": 323303267024588781362216928004920784272, "size": 112, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306311 }, { "func": "static int trace_save_cmdline(struct task_struct *tsk)\n{\n\tunsigned pid, idx;\n\n\t/* treat recording of idle task as a success */\n\tif (!tsk->pid)\n\t\treturn 1;\n\n\tif (unlikely(tsk->pid > PID_MAX_DEFAULT))\n\t\treturn 0;\n\n\t/*\n\t * It's not the end of the world if we don't get\n\t * the lock, but we also don't want to spin\n\t * nor do we 
want to disable interrupts,\n\t * so if we miss here, then better luck next time.\n\t */\n\tif (!arch_spin_trylock(&trace_cmdline_lock))\n\t\treturn 0;\n\n\tidx = savedcmd->map_pid_to_cmdline[tsk->pid];\n\tif (idx == NO_CMDLINE_MAP) {\n\t\tidx = (savedcmd->cmdline_idx + 1) % savedcmd->cmdline_num;\n\n\t\t/*\n\t\t * Check whether the cmdline buffer at idx has a pid\n\t\t * mapped. We are going to overwrite that entry so we\n\t\t * need to clear the map_pid_to_cmdline. Otherwise we\n\t\t * would read the new comm for the old pid.\n\t\t */\n\t\tpid = savedcmd->map_cmdline_to_pid[idx];\n\t\tif (pid != NO_CMDLINE_MAP)\n\t\t\tsavedcmd->map_pid_to_cmdline[pid] = NO_CMDLINE_MAP;\n\n\t\tsavedcmd->map_cmdline_to_pid[idx] = tsk->pid;\n\t\tsavedcmd->map_pid_to_cmdline[tsk->pid] = idx;\n\n\t\tsavedcmd->cmdline_idx = idx;\n\t}\n\n\tset_cmdline(idx, tsk->comm);\n\n\tarch_spin_unlock(&trace_cmdline_lock);\n\n\treturn 1;\n}", "project": "linux", "hash": 46457958242564708290002023824358323457, "size": 46, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445590 }, { "func": "static inline bool kmem_cache_has_cpu_partial(struct kmem_cache *s)\n{\n#ifdef CONFIG_SLUB_CPU_PARTIAL\n\treturn !kmem_cache_debug(s);\n#else\n\treturn false;\n#endif\n}", "project": "linux", "hash": 17170438470693589404122356342568052666, "size": 8, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280276 }, { "func": "static int pfkey_get(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)\n{\n\tstruct net *net = sock_net(sk);\n\t__u8 proto;\n\tstruct sk_buff *out_skb;\n\tstruct sadb_msg *out_hdr;\n\tstruct xfrm_state *x;\n\n\tif (!ext_hdrs[SADB_EXT_SA-1] ||\n\t !present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],\n\t\t\t\t ext_hdrs[SADB_EXT_ADDRESS_DST-1]))\n\t\treturn -EINVAL;\n\n\tx = pfkey_xfrm_state_lookup(net, hdr, ext_hdrs);\n\tif (x == NULL)\n\t\treturn -ESRCH;\n\n\tout_skb = pfkey_xfrm_state2msg(x);\n\tproto = x->id.proto;\n\txfrm_state_put(x);\n\tif (IS_ERR(out_skb))\n\t\treturn PTR_ERR(out_skb);\n\n\tout_hdr = (struct sadb_msg *) out_skb->data;\n\tout_hdr->sadb_msg_version = hdr->sadb_msg_version;\n\tout_hdr->sadb_msg_type = SADB_GET;\n\tout_hdr->sadb_msg_satype = pfkey_proto2satype(proto);\n\tout_hdr->sadb_msg_errno = 0;\n\tout_hdr->sadb_msg_reserved = 0;\n\tout_hdr->sadb_msg_seq = hdr->sadb_msg_seq;\n\tout_hdr->sadb_msg_pid = hdr->sadb_msg_pid;\n\tpfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ONE, sk, sock_net(sk));\n\n\treturn 0;\n}", "project": "linux", "hash": 87477625358047604109179701761784153324, "size": 35, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 
2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268002 }, { "func": "static void __sctp_write_space(struct sctp_association *asoc)\n{\n\tstruct sock *sk = asoc->base.sk;\n\n\tif (sctp_wspace(asoc) <= 0)\n\t\treturn;\n\n\tif (waitqueue_active(&asoc->wait))\n\t\twake_up_interruptible(&asoc->wait);\n\n\tif (sctp_writeable(sk)) {\n\t\tstruct socket_wq *wq;\n\n\t\trcu_read_lock();\n\t\twq = rcu_dereference(sk->sk_wq);\n\t\tif (wq) {\n\t\t\tif (waitqueue_active(&wq->wait))\n\t\t\t\twake_up_interruptible(&wq->wait);\n\n\t\t\t/* Note that we try to include the Async I/O support\n\t\t\t * here by modeling from the current TCP/UDP code.\n\t\t\t * We have not tested with it yet.\n\t\t\t */\n\t\t\tif (!(sk->sk_shutdown & SEND_SHUTDOWN))\n\t\t\t\tsock_wake_async(wq, SOCK_WAKE_SPACE, POLL_OUT);\n\t\t}\n\t\trcu_read_unlock();\n\t}\n}", "project": "linux", "hash": 288405887165748810640008006655387584294, "size": 29, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398102 }, { "func": "int getname(FILE *sfd, char *tokbuf) {\n int ch;\n\n while ( isspace(ch = nlgetc(sfd)));\n ungetc(ch,sfd);\nreturn( getprotectedname(sfd,tokbuf));\n}", "project": "fontforge", "hash": 146063342873872312866972894210424261896, "size": 7, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417773 }, { "func": "static struct pattern *SFDParsePattern(FILE *sfd,char *tok) {\n struct pattern *pat = chunkalloc(sizeof(struct pattern));\n int ch;\n\n getname(sfd,tok);\n pat->pattern = copy(tok);\n\n getreal(sfd,&pat->width);\n while ( isspace(ch=nlgetc(sfd)));\n if ( ch!=';' ) ungetc(ch,sfd);\n getreal(sfd,&pat->height);\n\n while ( isspace(ch=nlgetc(sfd)));\n if ( ch!='[' ) ungetc(ch,sfd);\n getreal(sfd,&pat->transform[0]);\n getreal(sfd,&pat->transform[1]);\n getreal(sfd,&pat->transform[2]);\n getreal(sfd,&pat->transform[3]);\n getreal(sfd,&pat->transform[4]);\n getreal(sfd,&pat->transform[5]);\n while ( isspace(ch=nlgetc(sfd)));\n if ( ch!=']' ) ungetc(ch,sfd);\nreturn( pat );\n}", "project": 
"fontforge", "hash": 330813908873309633206360331043317293362, "size": 24, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417922 }, { "func": "static OPJ_BOOL opj_tcd_is_whole_tilecomp_decoding(opj_tcd_t *p_tcd,\n OPJ_UINT32 compno)\n{\n opj_tcd_tilecomp_t* tilec = &(p_tcd->tcd_image->tiles->comps[compno]);\n opj_image_comp_t* image_comp = &(p_tcd->image->comps[compno]);\n /* Compute the intersection of the area of interest, expressed in tile coordinates */\n /* with the tile coordinates */\n OPJ_UINT32 tcx0 = opj_uint_max(\n (OPJ_UINT32)tilec->x0,\n opj_uint_ceildiv(p_tcd->win_x0, image_comp->dx));\n OPJ_UINT32 tcy0 = opj_uint_max(\n (OPJ_UINT32)tilec->y0,\n opj_uint_ceildiv(p_tcd->win_y0, image_comp->dy));\n OPJ_UINT32 tcx1 = opj_uint_min(\n (OPJ_UINT32)tilec->x1,\n opj_uint_ceildiv(p_tcd->win_x1, image_comp->dx));\n OPJ_UINT32 tcy1 = opj_uint_min(\n (OPJ_UINT32)tilec->y1,\n opj_uint_ceildiv(p_tcd->win_y1, image_comp->dy));\n\n OPJ_UINT32 shift = tilec->numresolutions - tilec->minimum_num_resolutions;\n /* Tolerate small margin within the reduced resolution factor to consider if */\n /* the whole tile path must be taken */\n return (tcx0 >= (OPJ_UINT32)tilec->x0 &&\n tcy0 >= (OPJ_UINT32)tilec->y0 &&\n tcx1 <= (OPJ_UINT32)tilec->x1 &&\n tcy1 <= (OPJ_UINT32)tilec->y1 &&\n (shift >= 32 ||\n (((tcx0 - (OPJ_UINT32)tilec->x0) >> shift) == 0 &&\n ((tcy0 - (OPJ_UINT32)tilec->y0) >> shift) == 0 &&\n (((OPJ_UINT32)tilec->x1 - tcx1) >> shift) == 0 &&\n (((OPJ_UINT32)tilec->y1 - tcy1) >> shift) == 0)));\n}", "project": "openjpeg", "hash": 
185231016852801553345451428291880722904, "size": 33, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359159 }, { "func": "int fuse_reverse_inval_entry(struct fuse_conn *fc, u64 parent_nodeid,\n\t\t\t u64 child_nodeid, struct qstr *name)\n{\n\tint err = -ENOTDIR;\n\tstruct inode *parent;\n\tstruct dentry *dir;\n\tstruct dentry *entry;\n\n\tparent = fuse_ilookup(fc, parent_nodeid, NULL);\n\tif (!parent)\n\t\treturn -ENOENT;\n\n\tinode_lock(parent);\n\tif (!S_ISDIR(parent->i_mode))\n\t\tgoto unlock;\n\n\terr = -ENOENT;\n\tdir = d_find_alias(parent);\n\tif (!dir)\n\t\tgoto unlock;\n\n\tname->hash = full_name_hash(dir, name->name, name->len);\n\tentry = d_lookup(dir, name);\n\tdput(dir);\n\tif (!entry)\n\t\tgoto unlock;\n\n\tfuse_dir_changed(parent);\n\tfuse_invalidate_entry(entry);\n\n\tif (child_nodeid != 0 && d_really_is_positive(entry)) {\n\t\tinode_lock(d_inode(entry));\n\t\tif (get_node_id(d_inode(entry)) != child_nodeid) {\n\t\t\terr = -ENOENT;\n\t\t\tgoto badentry;\n\t\t}\n\t\tif (d_mountpoint(entry)) {\n\t\t\terr = -EBUSY;\n\t\t\tgoto badentry;\n\t\t}\n\t\tif (d_is_dir(entry)) {\n\t\t\tshrink_dcache_parent(entry);\n\t\t\tif (!simple_empty(entry)) {\n\t\t\t\terr = -ENOTEMPTY;\n\t\t\t\tgoto badentry;\n\t\t\t}\n\t\t\td_inode(entry)->i_flags |= S_DEAD;\n\t\t}\n\t\tdont_mount(entry);\n\t\tclear_nlink(d_inode(entry));\n\t\terr = 0;\n badentry:\n\t\tinode_unlock(d_inode(entry));\n\t\tif (!err)\n\t\t\td_delete(entry);\n\t} else {\n\t\terr = 0;\n\t}\n\tdput(entry);\n\n unlock:\n\tinode_unlock(parent);\n\tiput(parent);\n\treturn err;\n}", "project": "linux", "hash": 118672967812612436678839054939279987501, "size": 65, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then 
attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342097 }, { "func": "void add_disk_randomness(struct gendisk *disk)\n{\n\tif (!disk || !disk->random)\n\t\treturn;\n\t/* first major is 1, so we get >= 0x200 here */\n\tDEBUG_ENT(\"disk event %d:%d\\n\",\n\t\t MAJOR(disk_devt(disk)), MINOR(disk_devt(disk)));\n\n\tadd_timer_randomness(disk->random, 0x100 + disk_devt(disk));\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 53822123564992029658511854159221202743, "size": 10, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. 
It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499898 }, { "func": "struct kvm_vcpu *kvm_get_running_vcpu(void)\n{\n\tstruct kvm_vcpu *vcpu;\n\n\tpreempt_disable();\n\tvcpu = __this_cpu_read(kvm_running_vcpu);\n\tpreempt_enable();\n\n\treturn vcpu;\n}", "project": "linux", "hash": 202514698253317325193740067547409242101, "size": 10, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354611 }, { "func": "static void packet_rcv_try_clear_pressure(struct packet_sock *po)\n{\n\tif (READ_ONCE(po->pressure) &&\n\t __packet_rcv_has_room(po, NULL) == ROOM_NORMAL)\n\t\tWRITE_ONCE(po->pressure, 0);\n}", "project": "linux", 
"hash": 39675407795925427765316209759526279269, "size": 6, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330421 }, { "func": "int headerIsSourceHeuristic(Header h)\n{\n indexEntry entry = findEntry(h, RPMTAG_DIRNAMES, RPM_STRING_ARRAY_TYPE);\n return entry && entry->info.count == 1 && entry->data && !*(const char *)entry->data;\n}", "project": "rpm", "hash": 250815022850615476957342754045605692373, "size": 5, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318164 }, { "func": " StreamIO(CephContext *cct, Stream& stream, rgw::asio::parser_type& parser,\n spawn::yield_context yield,\n parse_buffer& buffer, bool is_ssl,\n const tcp::endpoint& local_endpoint,\n const tcp::endpoint& remote_endpoint)\n : ClientIO(parser, is_ssl, local_endpoint, remote_endpoint),\n cct(cct), stream(stream), yield(yield), buffer(buffer)\n {}", "project": "ceph", "hash": 235945860587570234035233102114746447939, "size": 8, "commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves 
CVE-2020-1700 (moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384546 }, { "func": "}\n\nstatic int\niscsi_set_host_param(struct iscsi_transport *transport,\n\t\t struct iscsi_uevent *ev)\n{\n\tchar *data = (char*)ev + sizeof(*ev);\n\tstruct Scsi_Host *shost;\n\tint err;\n\n\tif (!transport->set_host_param)\n\t\treturn -ENOSYS;\n\n\tif (ev->u.set_host_param.len > PAGE_SIZE)\n\t\treturn -EINVAL;\n\n\tshost = scsi_host_lookup(ev->u.set_host_param.host_no);\n\tif (!shost) {\n\t\tprintk(KERN_ERR \"set_host_param could not find host no %u\\n\",\n\t\t ev->u.set_host_param.host_no);\n\t\treturn -ENODEV;\n\t}\n\n\terr = transport->set_host_param(shost, ev->u.set_host_param.param,\n\t\t\t\t\tdata, ev->u.set_host_param.len);", "project": "linux", "hash": 148430883573796400301724732189478139366, "size": 25, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379946 }, { "func": "static void tcp_rearm_rto(struct sock *sk)\n{\n\tconst struct tcp_sock *tp = tcp_sk(sk);\n\n\tif (!tp->packets_out) {\n\t\tinet_csk_clear_xmit_timer(sk, ICSK_TIME_RETRANS);\n\t} else {\n\t\tinet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,\n\t\t\t\t\t inet_csk(sk)->icsk_rto, TCP_RTO_MAX);\n\t}\n}", "project": "net-next", "hash": 147533694829834968949723233455614244563, "size": 11, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409923 }, { "func": "AGGR_OP::prepare_tmp_table()\n{\n TABLE *table= join_tab->table;\n JOIN *join= join_tab->join;\n int rc= 0;\n\n if (!join_tab->table->is_created())\n {\n if (instantiate_tmp_table(table, join_tab->tmp_table_param->keyinfo,\n join_tab->tmp_table_param->start_recinfo,\n &join_tab->tmp_table_param->recinfo,\n join->select_options))\n return true;\n (void) table->file->extra(HA_EXTRA_WRITE_CACHE);\n }\n /* If it wasn't already, start index scan for grouping using table index. 
*/\n if (!table->file->inited && table->group &&\n join_tab->tmp_table_param->sum_func_count && table->s->keys)\n rc= table->file->ha_index_init(0, 0);\n else\n {\n /* Start index scan in scanning mode */\n rc= table->file->ha_rnd_init(true);\n }\n if (rc)\n {\n table->file->print_error(rc, MYF(0));\n return true;\n }\n return false;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 193570086104890522563890741792234543871, "size": 31, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508434 }, { "func": "void LanLinkProvider::newConnection()\n{\n qCDebug(KDECONNECT_CORE) << \"LanLinkProvider newConnection\";\n\n while (m_server->hasPendingConnections()) {\n QSslSocket* socket = m_server->nextPendingConnection();\n configureSocket(socket);\n //This socket is still managed by us (and child of the QTcpServer), if\n //it disconnects before we manage to pass it to a LanDeviceLink, it's\n //our responsibility to delete it. 
We do so with this connection.\n connect(socket, &QAbstractSocket::disconnected,\n socket, &QObject::deleteLater);\n connect(socket, &QIODevice::readyRead,\n this, &LanLinkProvider::dataReceived);\n\n QTimer* timer = new QTimer(socket);\n timer->setSingleShot(true);\n timer->setInterval(1000);\n connect(socket, &QSslSocket::encrypted,\n timer, &QObject::deleteLater);\n connect(timer, &QTimer::timeout, socket, [socket] {\n qCWarning(KDECONNECT_CORE) << \"LanLinkProvider/newConnection: Host timed out without sending any identity.\" << socket->peerAddress();\n socket->disconnectFromHost();\n });\n timer->start();\n }\n}", "project": "kdeconnect-kde", "hash": 43019477145798608292160952999637495862, "size": 27, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227358 }, { "func": "static int kvm_s390_get_mem_control(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tint ret;\n\n\tswitch (attr->attr) {\n\tcase KVM_S390_VM_MEM_LIMIT_SIZE:\n\t\tret = 0;\n\t\tVM_EVENT(kvm, 3, \"QUERY: max guest memory: %lu bytes\",\n\t\t\t kvm->arch.mem_limit);\n\t\tif (put_user(kvm->arch.mem_limit, (u64 __user *)attr->addr))\n\t\t\tret = -EFAULT;\n\t\tbreak;\n\tdefault:\n\t\tret = -ENXIO;\n\t\tbreak;\n\t}\n\treturn ret;\n}", "project": "linux", "hash": 220743323109606244339442452285260714238, "size": 18, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu 
\nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354787 }, { "func": "static int pfkey_spddump(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)\n{\n\tstruct pfkey_sock *pfk = pfkey_sk(sk);\n\n\tmutex_lock(&pfk->dump_lock);\n\tif (pfk->dump.dump != NULL) {\n\t\tmutex_unlock(&pfk->dump_lock);\n\t\treturn -EBUSY;\n\t}\n\n\tpfk->dump.msg_version = hdr->sadb_msg_version;\n\tpfk->dump.msg_portid = hdr->sadb_msg_pid;\n\tpfk->dump.dump = pfkey_dump_sp;\n\tpfk->dump.done = pfkey_dump_sp_done;\n\txfrm_policy_walk_init(&pfk->dump.u.policy, XFRM_POLICY_TYPE_MAIN);\n\tmutex_unlock(&pfk->dump_lock);\n\n\treturn pfkey_do_dump(pfk);\n}", "project": "linux", "hash": 110792589510060307534213039613875138260, "size": 19, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268069 }, { "func": "R_API ut8* r_socket_slurp(RSocket *s, int *len) {\n\treturn NULL;\n}", "project": "radare2", "hash": 161267827103329642841555674279909878864, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268807 }, { "func": "R_API ut8* r_socket_slurp(RSocket *s, int *len) {\n\tint blockSize = 4096;\n\tut8 *ptr, *buf = malloc (blockSize);\n\tif (!buf) {\n\t\treturn NULL;\n\t}\n\tint copied = 0;\n\tif (len) {\n\t\t*len = 0;\n\t}\n\tfor (;;) {\n\t\tint rc = r_socket_read (s, buf + copied, blockSize);\n\t\tif (rc > 0) {\n\t\t\tcopied += rc;\n\t\t}\n\t\tptr = realloc (buf, copied + blockSize);\n\t\tif (!ptr) {\n\t\t\tbreak;\n\t\t}\n\t\tbuf = ptr;\n\t\tif (rc < 1) {\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (copied == 0) {\n\t\tR_FREE (buf);\n\t}\n\tif (len) {\n\t\t*len = copied;\n\t}\n\treturn buf;\n}", "project": "radare2", "hash": 295971544552692115024446690630322876662, "size": 32, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268909 }, { "func": "static inline unsigned long buffer_offset(void *buf)\n{\n\treturn (unsigned long)buf & (ARCH_KMALLOC_MINALIGN - 1);\n}", "project": "linux", "hash": 122687442595894609329731718194726731002, "size": 4, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n 
[<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412255 }, { "func": "int CLua::loadstring(const char *s, const char *context)\n{\n return loadbuffer(s, strlen(s), context);\n}", "project": "crawl", "hash": 73809041003391208312201710890296056753, "size": 4, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230526 }, { "func": "void rotate_fb(int x1, int y1, int x2, int y2) {\n\tint x, y, xn, yn, r_x1, r_y1, r_x2, r_y2, Bpp = bpp/8;\n\tint fbl = rfb_bytes_per_line;\n\tint rbl = rot_bytes_per_line;\n\tint Dx, Dy;\n\tchar *src, *dst;\n\tchar *src_0 = rfb_fb;\n\tchar *dst_0 = rot_fb;\n\n\tif (! rotating || ! 
rot_fb) {\n\t\treturn;\n\t}\n\n\tif (scaling) {\n\t\tDx = scaled_x;\n\t\tDy = scaled_y;\n\t} else {\n\t\tDx = dpy_x;\n\t\tDy = dpy_y;\n\t}\n\trotate_coords(x1, y1, &r_x1, &r_y1, -1, -1);\n\trotate_coords(x2, y2, &r_x2, &r_y2, -1, -1);\n\n\tdst = rot_fb;\n\n\tif (rotating == ROTATE_X) {\n\t\tfor (y = y1; y < y2; y++) {\n\t\t\tfor (x = x1; x < x2; x++) {\n\t\t\t\txn = Dx - x - 1;\n\t\t\t\tyn = y;\n\t\t\t\tROT_COPY\n\t\t\t}\n\t\t}\n\t} else if (rotating == ROTATE_Y) {\n\t\tfor (y = y1; y < y2; y++) {\n\t\t\tfor (x = x1; x < x2; x++) {\n\t\t\t\txn = x;\n\t\t\t\tyn = Dy - y - 1;\n\t\t\t\tROT_COPY\n\t\t\t}\n\t\t}\n\t} else if (rotating == ROTATE_XY) {\n\t\tfor (y = y1; y < y2; y++) {\n\t\t\tfor (x = x1; x < x2; x++) {\n\t\t\t\txn = Dx - x - 1;\n\t\t\t\tyn = Dy - y - 1;\n\t\t\t\tROT_COPY\n\t\t\t}\n\t\t}\n\t} else if (rotating == ROTATE_90) {\n\t\tfor (y = y1; y < y2; y++) {\n\t\t\tfor (x = x1; x < x2; x++) {\n\t\t\t\txn = Dy - y - 1;\n\t\t\t\tyn = x;\n\t\t\t\tROT_COPY\n\t\t\t}\n\t\t}\n\t} else if (rotating == ROTATE_90X) {\n\t\tfor (y = y1; y < y2; y++) {\n\t\t\tfor (x = x1; x < x2; x++) {\n\t\t\t\txn = y;\n\t\t\t\tyn = x;\n\t\t\t\tROT_COPY\n\t\t\t}\n\t\t}\n\t} else if (rotating == ROTATE_90Y) {\n\t\tfor (y = y1; y < y2; y++) {\n\t\t\tfor (x = x1; x < x2; x++) {\n\t\t\t\txn = Dy - y - 1;\n\t\t\t\tyn = Dx - x - 1;\n\t\t\t\tROT_COPY\n\t\t\t}\n\t\t}\n\t} else if (rotating == ROTATE_270) {\n\t\tfor (y = y1; y < y2; y++) {\n\t\t\tfor (x = x1; x < x2; x++) {\n\t\t\t\txn = y;\n\t\t\t\tyn = Dx - x - 1;\n\t\t\t\tROT_COPY\n\t\t\t}\n\t\t}\n\t}\n}", "project": "x11vnc", "hash": 6566391532345983019642541931721053306, "size": 83, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360771 }, { "func": "static void tty_driver_remove_tty(struct tty_driver *driver, struct tty_struct *tty)\n{\n\tif (driver->ops->remove)\n\t\tdriver->ops->remove(driver, 
tty);\n\telse\n\t\tdriver->ttys[tty->index] = NULL;\n}", "project": "linux", "hash": 49161201128004607794432212826307408158, "size": 7, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326029 }, { "func": "int imap_hcache_del(struct ImapMboxData *mdata, unsigned int uid)\n{\n if (!mdata->hcache)\n return -1;\n\n char key[16];\n\n sprintf(key, \"/%u\", uid);\n return mutt_hcache_delete_record(mdata->hcache, key, 
mutt_str_len(key));\n}", "project": "neomutt", "hash": 192335755884499411351489245278713324470, "size": 10, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399263 }, { "func": "static void init_unpack(struct rar5* rar) {\n\trar->file.calculated_crc32 = 0;\n\tinit_window_mask(rar);\n\n\tfree(rar->cstate.window_buf);\n\tfree(rar->cstate.filtered_buf);\n\n\tif(rar->cstate.window_size > 0) {\n\t\trar->cstate.window_buf = calloc(1, rar->cstate.window_size);\n\t\trar->cstate.filtered_buf = calloc(1, rar->cstate.window_size);\n\t} else {\n\t\trar->cstate.window_buf = NULL;\n\t\trar->cstate.filtered_buf = NULL;\n\t}\n\n\trar->cstate.write_ptr = 0;\n\trar->cstate.last_write_ptr = 0;\n\n\tmemset(&rar->cstate.bd, 0, sizeof(rar->cstate.bd));\n\tmemset(&rar->cstate.ld, 0, sizeof(rar->cstate.ld));\n\tmemset(&rar->cstate.dd, 0, sizeof(rar->cstate.dd));\n\tmemset(&rar->cstate.ldd, 0, sizeof(rar->cstate.ldd));\n\tmemset(&rar->cstate.rd, 0, sizeof(rar->cstate.rd));\n}", "project": "libarchive", "hash": 229067083937238039230395185942203296317, "size": 24, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244714 }, { "func": "\nstatic void io_init_poll_iocb(struct io_poll_iocb *poll, __poll_t events,\n\t\t\t wait_queue_func_t wake_func)\n{\n\tpoll->head = NULL;\n\tpoll->done = false;\n\tpoll->canceled = false;\n#define IO_POLL_UNMASK\t(EPOLLERR|EPOLLHUP|EPOLLNVAL|EPOLLRDHUP)\n\t/* mask in events that we always want/need */\n\tpoll->events = events | IO_POLL_UNMASK;\n\tINIT_LIST_HEAD(&poll->wait.entry);\n\tinit_waitqueue_func_entry(&poll->wait, wake_func);", "project": "linux", "hash": 81277376950578254529930445047623910221, "size": 12, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338640 }, { "project": "Chrome", "commit_id": "327585cb0eab0859518643a2d00917081f7e7645", "target": 0, "func": "WebString WebGraphicsContext3DDefaultImpl::getProgramInfoLog(WebGLId program)\n{\n makeContextCurrent();\n GLint logLength;\n glGetProgramiv(program, GL_INFO_LOG_LENGTH, &logLength);\n if (!logLength)\n return WebString();\n GLchar* log = 0;\n if (!tryFastMalloc(logLength * sizeof(GLchar)).getValue(log))\n return WebString();\n GLsizei returnedLogLength;\n glGetProgramInfoLog(program, logLength, &returnedLogLength, log);\n ASSERT(logLength == returnedLogLength + 1);\n WebString res = WebString::fromUTF8(log, returnedLogLength);\n fastFree(log);\n return res;\n}\n", "cwe": "", "big_vul_idx": 99003, "idx": 89060, "hash": 226766160954730642086994529028578395630 }, { "func": "void f_phprof_enable(int flags /* = 0 */) {\n if (RuntimeOption::EnableHotProfiler) {\n s_profiler_factory->start(ProfilerKind::Hierarchical, flags);\n }\n}", "project": "hhvm", "hash": 209450352295633978994558412182786192943, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219777 }, { "func": "static bool __hidinput_change_resolution_multipliers(struct hid_device *hid,\n\t\tstruct hid_report *report, bool 
use_logical_max)\n{\n\tstruct hid_usage *usage;\n\tbool update_needed = false;\n\tbool get_report_completed = false;\n\tint i, j;\n\n\tif (report->maxfield == 0)\n\t\treturn false;\n\n\tfor (i = 0; i < report->maxfield; i++) {\n\t\t__s32 value = use_logical_max ?\n\t\t\t report->field[i]->logical_maximum :\n\t\t\t report->field[i]->logical_minimum;\n\n\t\t/* There is no good reason for a Resolution\n\t\t * Multiplier to have a count other than 1.\n\t\t * Ignore that case.\n\t\t */\n\t\tif (report->field[i]->report_count != 1)\n\t\t\tcontinue;\n\n\t\tfor (j = 0; j < report->field[i]->maxusage; j++) {\n\t\t\tusage = &report->field[i]->usage[j];\n\n\t\t\tif (usage->hid != HID_GD_RESOLUTION_MULTIPLIER)\n\t\t\t\tcontinue;\n\n\t\t\t/*\n\t\t\t * If we have more than one feature within this\n\t\t\t * report we need to fill in the bits from the\n\t\t\t * others before we can overwrite the ones for the\n\t\t\t * Resolution Multiplier.\n\t\t\t *\n\t\t\t * But if we're not allowed to read from the device,\n\t\t\t * we just bail. 
Such a device should not exist\n\t\t\t * anyway.\n\t\t\t */\n\t\t\tif (!get_report_completed && report->maxfield > 1) {\n\t\t\t\tif (hid->quirks & HID_QUIRK_NO_INIT_REPORTS)\n\t\t\t\t\treturn update_needed;\n\n\t\t\t\thid_hw_request(hid, report, HID_REQ_GET_REPORT);\n\t\t\t\thid_hw_wait(hid);\n\t\t\t\tget_report_completed = true;\n\t\t\t}\n\n\t\t\treport->field[i]->value[j] = value;\n\t\t\tupdate_needed = true;\n\t\t}\n\t}\n\n\treturn update_needed;\n}", "project": "linux", "hash": 97529187655286517840801971777114445521, "size": 55, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458392 }, { "func": "static int ca8210_set_channel(\n\tstruct ieee802154_hw *hw,\n\tu8 page,\n\tu8 channel\n)\n{\n\tu8 status;\n\tstruct ca8210_priv *priv = hw->priv;\n\n\tstatus = mlme_set_request_sync(\n\t\tPHY_CURRENT_CHANNEL,\n\t\t0,\n\t\t1,\n\t\t&channel,\n\t\tpriv->spi\n\t);\n\tif (status) {\n\t\tdev_err(\n\t\t\t&priv->spi->dev,\n\t\t\t\"error setting channel, MLME-SET.confirm status = %d\\n\",\n\t\t\tstatus\n\t\t);\n\t}\n\treturn link_to_linux_err(status);\n}", "project": "linux", "hash": 143807504980780219847362121384408798016, 
"size": 25, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408816 }, { "func": "\nstatic ssize_t bfq_max_budget_store(struct elevator_queue *e,\n\t\t\t\t const char *page, size_t count)\n{\n\tstruct bfq_data *bfqd = e->elevator_data;\n\tunsigned long __data;\n\tint ret;\n\n\tret = bfq_var_store(&__data, (page));\n\tif (ret)\n\t\treturn ret;\n\n\tif (__data == 0)\n\t\tbfqd->bfq_max_budget = bfq_calc_max_budget(bfqd);\n\telse {\n\t\tif (__data > INT_MAX)\n\t\t\t__data = INT_MAX;\n\t\tbfqd->bfq_max_budget = __data;\n\t}\n\n\tbfqd->bfq_user_max_budget = __data;\n\n\treturn count;", "project": "linux", "hash": 234927668096319622075283394744268055411, "size": 23, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453321 }, { "func": "static void hci_cc_write_page_scan_type(struct hci_dev *hdev,\n\t\t\t\t\tstruct sk_buff *skb)\n{\n\tu8 status = *((u8 *) skb->data);\n\tu8 *type;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\ttype = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);\n\tif (type)\n\t\thdev->page_scan_type = *type;\n}", "project": "linux", "hash": 5182260269550822632470738524785996411, "size": 15, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431991 }, { "func": "enum MailboxType imap_path_probe(const char *path, const struct stat *st)\n{\n if (mutt_istr_startswith(path, \"imap://\"))\n return MUTT_IMAP;\n\n if (mutt_istr_startswith(path, \"imaps://\"))\n return MUTT_IMAP;\n\n return MUTT_UNKNOWN;\n}", "project": "neomutt", "hash": 87880263982239186203266744800818395509, "size": 10, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357014 }, { "func": "u64 fuse_lock_owner_id(struct fuse_conn *fc, fl_owner_t id)\n{\n\tu32 *k = fc->scramble_key;\n\tu64 v = (unsigned long) id;\n\tu32 v0 = v;\n\tu32 v1 = v >> 32;\n\tu32 sum = 0;\n\tint i;\n\n\tfor (i = 0; i < 32; i++) {\n\t\tv0 += ((v1 << 4 ^ v1 >> 5) + v1) ^ (sum + k[sum & 3]);\n\t\tsum += 0x9E3779B9;\n\t\tv1 += ((v0 << 4 ^ v0 >> 5) + v0) ^ (sum + k[sum>>11 & 3]);\n\t}\n\n\treturn (u64) v0 + ((u64) v1 << 32);\n}", "project": "linux", "hash": 173925341494590583485830818015844829859, "size": 17, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342025 }, { "func": "bool WindowsServiceControl::install( const QString& filePath, const QString& displayName )\n{\n\tm_serviceHandle = CreateService(\n\t\t\t\tm_serviceManager,\t\t// SCManager database\n\t\t\t\tWindowsCoreFunctions::toConstWCharArray( m_name ),\t// name of service\n\t\t\t\tWindowsCoreFunctions::toConstWCharArray( displayName ),// name to display\n\t\t\t\tSERVICE_ALL_ACCESS,\t// desired access\n\t\t\t\tSERVICE_WIN32_OWN_PROCESS,\n\t\t\t\t// service type\n\t\t\t\tSERVICE_AUTO_START,\t// start type\n\t\t\t\tSERVICE_ERROR_NORMAL,\t// error control type\n\t\t\t\tWindowsCoreFunctions::toConstWCharArray( filePath ),\t\t// service's binary\n\t\t\t\tnullptr,\t\t\t// no load ordering group\n\t\t\t\tnullptr,\t\t\t// no tag identifier\n\t\t\t\tL\"Tcpip\\0RpcSs\\0\\0\",\t\t// dependencies\n\t\t\t\tnullptr,\t\t\t// LocalSystem account\n\t\t\t\tnullptr );\t\t\t// no password\n\n\tif( m_serviceHandle == nullptr )\n\t{\n\t\tconst auto error = GetLastError();\n\t\tif( error == ERROR_SERVICE_EXISTS )\n\t\t{\n\t\t\tvCritical() << qUtf8Printable( tr( \"The service \\\"%1\\\" is already installed.\" ).arg( m_name ) );\n\t\t}\n\t\telse\n\t\t{\n\t\t\tvCritical() << qUtf8Printable( tr( \"The service \\\"%1\\\" could not be installed.\" ).arg( m_name ) );\n\t\t}\n\n\t\treturn 
false;\n\t}\n\n\tSC_ACTION serviceActions;\n\tserviceActions.Delay = 10000;\n\tserviceActions.Type = SC_ACTION_RESTART;\n\n\tSERVICE_FAILURE_ACTIONS serviceFailureActions;\n\tserviceFailureActions.dwResetPeriod = 0;\n\tserviceFailureActions.lpRebootMsg = nullptr;\n\tserviceFailureActions.lpCommand = nullptr;\n\tserviceFailureActions.lpsaActions = &serviceActions;\n\tserviceFailureActions.cActions = 1;\n\tChangeServiceConfig2( m_serviceHandle, SERVICE_CONFIG_FAILURE_ACTIONS, &serviceFailureActions );\n\n\t// Everything went fine\n\tvInfo() << qUtf8Printable( tr( \"The service \\\"%1\\\" has been installed successfully.\" ).arg( m_name ) );\n\n\treturn true;\n}", "project": "veyon", "hash": 215268809291038026293397703676241296444, "size": 50, "commit_id": "f231ec511b9a09f43f49b2c7bb7c60b8046276b1", "message": "WindowsServiceControl: quote service binary path\n\nFix unquoted service path vulnerability.\n\nCloses #657.", "target": 1, "dataset": "other", "idx": 196610 }, { "func": "bool WindowsServiceControl::install( const QString& filePath, const QString& displayName )\n{\n\tconst auto binaryPath = QStringLiteral(\"\\\"%1\\\"\").arg( QString( filePath ).replace( QLatin1Char('\"'), QString() ) );\n\n\tm_serviceHandle = CreateService(\n\t\t\t\tm_serviceManager,\t\t// SCManager database\n\t\t\t\tWindowsCoreFunctions::toConstWCharArray( m_name ),\t// name of service\n\t\t\t\tWindowsCoreFunctions::toConstWCharArray( displayName ),// name to display\n\t\t\t\tSERVICE_ALL_ACCESS,\t// desired access\n\t\t\t\tSERVICE_WIN32_OWN_PROCESS,\n\t\t\t\t// service type\n\t\t\t\tSERVICE_AUTO_START,\t// start type\n\t\t\t\tSERVICE_ERROR_NORMAL,\t// error control type\n\t\t\t\tWindowsCoreFunctions::toConstWCharArray( binaryPath ),\t\t// service's binary\n\t\t\t\tnullptr,\t\t\t// no load ordering group\n\t\t\t\tnullptr,\t\t\t// no tag identifier\n\t\t\t\tL\"Tcpip\\0RpcSs\\0\\0\",\t\t// dependencies\n\t\t\t\tnullptr,\t\t\t// LocalSystem account\n\t\t\t\tnullptr );\t\t\t// no 
password\n\n\tif( m_serviceHandle == nullptr )\n\t{\n\t\tconst auto error = GetLastError();\n\t\tif( error == ERROR_SERVICE_EXISTS )\n\t\t{\n\t\t\tvCritical() << qUtf8Printable( tr( \"The service \\\"%1\\\" is already installed.\" ).arg( m_name ) );\n\t\t}\n\t\telse\n\t\t{\n\t\t\tvCritical() << qUtf8Printable( tr( \"The service \\\"%1\\\" could not be installed.\" ).arg( m_name ) );\n\t\t}\n\n\t\treturn false;\n\t}\n\n\tSC_ACTION serviceActions;\n\tserviceActions.Delay = 10000;\n\tserviceActions.Type = SC_ACTION_RESTART;\n\n\tSERVICE_FAILURE_ACTIONS serviceFailureActions;\n\tserviceFailureActions.dwResetPeriod = 0;\n\tserviceFailureActions.lpRebootMsg = nullptr;\n\tserviceFailureActions.lpCommand = nullptr;\n\tserviceFailureActions.lpsaActions = &serviceActions;\n\tserviceFailureActions.cActions = 1;\n\tChangeServiceConfig2( m_serviceHandle, SERVICE_CONFIG_FAILURE_ACTIONS, &serviceFailureActions );\n\n\t// Everything went fine\n\tvInfo() << qUtf8Printable( tr( \"The service \\\"%1\\\" has been installed successfully.\" ).arg( m_name ) );\n\n\treturn true;\n}", "project": "veyon", "hash": 54175189195648828986613730583176708145, "size": 52, "commit_id": "f231ec511b9a09f43f49b2c7bb7c60b8046276b1", "message": "WindowsServiceControl: quote service binary path\n\nFix unquoted service path vulnerability.\n\nCloses #657.", "target": 0, "dataset": "other", "idx": 241036 }, { "func": "static int kvm_mmu_notifier_clear_young(struct mmu_notifier *mn,\n\t\t\t\t\tstruct mm_struct *mm,\n\t\t\t\t\tunsigned long start,\n\t\t\t\t\tunsigned long end)\n{\n\tstruct kvm *kvm = mmu_notifier_to_kvm(mn);\n\tint young, idx;\n\n\tidx = srcu_read_lock(&kvm->srcu);\n\tspin_lock(&kvm->mmu_lock);\n\t/*\n\t * Even though we do not flush TLB, this will still adversely\n\t * affect performance on pre-Haswell Intel EPT, where there is\n\t * no EPT Access Bit to clear so that we have to tear down EPT\n\t * tables instead. 
If we find this unacceptable, we can always\n\t * add a parameter to kvm_age_hva so that it effectively doesn't\n\t * do anything on clear_young.\n\t *\n\t * Also note that currently we never issue secondary TLB flushes\n\t * from clear_young, leaving this job up to the regular system\n\t * cadence. If we find this inaccurate, we might come up with a\n\t * more sophisticated heuristic later.\n\t */\n\tyoung = kvm_age_hva(kvm, start, end);\n\tspin_unlock(&kvm->mmu_lock);\n\tsrcu_read_unlock(&kvm->srcu, idx);\n\n\treturn young;\n}", "project": "linux", "hash": 98415859645318397161469033663926021593, "size": 29, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354438 }, { "func": "static int kvm_mmu_notifier_clear_young(struct mmu_notifier *mn,\n\t\t\t\t\tstruct mm_struct *mm,\n\t\t\t\t\tunsigned long start,\n\t\t\t\t\tunsigned long end)\n{\n\ttrace_kvm_age_hva(start, end);\n\n\t/*\n\t * Even though we do not flush TLB, this will still adversely\n\t * affect performance on pre-Haswell Intel EPT, where there is\n\t * no EPT Access Bit to clear so that we have to tear down EPT\n\t * tables instead. 
If we find this unacceptable, we can always\n\t * add a parameter to kvm_age_hva so that it effectively doesn't\n\t * do anything on clear_young.\n\t *\n\t * Also note that currently we never issue secondary TLB flushes\n\t * from clear_young, leaving this job up to the regular system\n\t * cadence. If we find this inaccurate, we might come up with a\n\t * more sophisticated heuristic later.\n\t */\n\treturn kvm_handle_hva_range_no_flush(mn, start, end, kvm_age_gfn);\n}", "project": "linux", "hash": 217348278772285909950147045469757078137, "size": 22, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404074 }, { "func": " bool walk_args(Item_processor processor, bool walk_subquery, void *arg)\n {\n for (uint i= 0; i < arg_count; i++)\n {\n if (args[i]->walk(processor, walk_subquery, arg))\n return true;\n }\n return false;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 96438192880099656200345411459081106275, "size": 9, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable 
derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509301 }, { "func": "static int pfkey_xfrm_policy2msg(struct sk_buff *skb, const struct xfrm_policy *xp, int dir)\n{\n\tstruct sadb_msg *hdr;\n\tstruct sadb_address *addr;\n\tstruct sadb_lifetime *lifetime;\n\tstruct sadb_x_policy *pol;\n\tstruct sadb_x_sec_ctx *sec_ctx;\n\tstruct xfrm_sec_ctx *xfrm_ctx;\n\tint i;\n\tint size;\n\tint sockaddr_size = pfkey_sockaddr_size(xp->family);\n\tint socklen = pfkey_sockaddr_len(xp->family);\n\n\tsize = pfkey_xfrm_policy2msg_size(xp);\n\n\t/* call should fill header later */\n\thdr = skb_put(skb, sizeof(struct sadb_msg));\n\tmemset(hdr, 0, size);\t/* XXX do we need this ? 
*/\n\n\t/* src address */\n\taddr = skb_put(skb, sizeof(struct sadb_address) + sockaddr_size);\n\taddr->sadb_address_len =\n\t\t(sizeof(struct sadb_address)+sockaddr_size)/\n\t\t\tsizeof(uint64_t);\n\taddr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;\n\taddr->sadb_address_proto = pfkey_proto_from_xfrm(xp->selector.proto);\n\taddr->sadb_address_prefixlen = xp->selector.prefixlen_s;\n\taddr->sadb_address_reserved = 0;\n\tif (!pfkey_sockaddr_fill(&xp->selector.saddr,\n\t\t\t\t xp->selector.sport,\n\t\t\t\t (struct sockaddr *) (addr + 1),\n\t\t\t\t xp->family))\n\t\tBUG();\n\n\t/* dst address */\n\taddr = skb_put(skb, sizeof(struct sadb_address) + sockaddr_size);\n\taddr->sadb_address_len =\n\t\t(sizeof(struct sadb_address)+sockaddr_size)/\n\t\t\tsizeof(uint64_t);\n\taddr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;\n\taddr->sadb_address_proto = pfkey_proto_from_xfrm(xp->selector.proto);\n\taddr->sadb_address_prefixlen = xp->selector.prefixlen_d;\n\taddr->sadb_address_reserved = 0;\n\n\tpfkey_sockaddr_fill(&xp->selector.daddr, xp->selector.dport,\n\t\t\t (struct sockaddr *) (addr + 1),\n\t\t\t xp->family);\n\n\t/* hard time */\n\tlifetime = skb_put(skb, sizeof(struct sadb_lifetime));\n\tlifetime->sadb_lifetime_len =\n\t\tsizeof(struct sadb_lifetime)/sizeof(uint64_t);\n\tlifetime->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;\n\tlifetime->sadb_lifetime_allocations = _X2KEY(xp->lft.hard_packet_limit);\n\tlifetime->sadb_lifetime_bytes = _X2KEY(xp->lft.hard_byte_limit);\n\tlifetime->sadb_lifetime_addtime = xp->lft.hard_add_expires_seconds;\n\tlifetime->sadb_lifetime_usetime = xp->lft.hard_use_expires_seconds;\n\t/* soft time */\n\tlifetime = skb_put(skb, sizeof(struct sadb_lifetime));\n\tlifetime->sadb_lifetime_len =\n\t\tsizeof(struct sadb_lifetime)/sizeof(uint64_t);\n\tlifetime->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;\n\tlifetime->sadb_lifetime_allocations = _X2KEY(xp->lft.soft_packet_limit);\n\tlifetime->sadb_lifetime_bytes = 
_X2KEY(xp->lft.soft_byte_limit);\n\tlifetime->sadb_lifetime_addtime = xp->lft.soft_add_expires_seconds;\n\tlifetime->sadb_lifetime_usetime = xp->lft.soft_use_expires_seconds;\n\t/* current time */\n\tlifetime = skb_put(skb, sizeof(struct sadb_lifetime));\n\tlifetime->sadb_lifetime_len =\n\t\tsizeof(struct sadb_lifetime)/sizeof(uint64_t);\n\tlifetime->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;\n\tlifetime->sadb_lifetime_allocations = xp->curlft.packets;\n\tlifetime->sadb_lifetime_bytes = xp->curlft.bytes;\n\tlifetime->sadb_lifetime_addtime = xp->curlft.add_time;\n\tlifetime->sadb_lifetime_usetime = xp->curlft.use_time;\n\n\tpol = skb_put(skb, sizeof(struct sadb_x_policy));\n\tpol->sadb_x_policy_len = sizeof(struct sadb_x_policy)/sizeof(uint64_t);\n\tpol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;\n\tpol->sadb_x_policy_type = IPSEC_POLICY_DISCARD;\n\tif (xp->action == XFRM_POLICY_ALLOW) {\n\t\tif (xp->xfrm_nr)\n\t\t\tpol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;\n\t\telse\n\t\t\tpol->sadb_x_policy_type = IPSEC_POLICY_NONE;\n\t}\n\tpol->sadb_x_policy_dir = dir+1;\n\tpol->sadb_x_policy_reserved = 0;\n\tpol->sadb_x_policy_id = xp->index;\n\tpol->sadb_x_policy_priority = xp->priority;\n\n\tfor (i=0; ixfrm_nr; i++) {\n\t\tconst struct xfrm_tmpl *t = xp->xfrm_vec + i;\n\t\tstruct sadb_x_ipsecrequest *rq;\n\t\tint req_size;\n\t\tint mode;\n\n\t\treq_size = sizeof(struct sadb_x_ipsecrequest);\n\t\tif (t->mode == XFRM_MODE_TUNNEL) {\n\t\t\tsocklen = pfkey_sockaddr_len(t->encap_family);\n\t\t\treq_size += socklen * 2;\n\t\t} else {\n\t\t\tsize -= 2*socklen;\n\t\t}\n\t\trq = skb_put(skb, req_size);\n\t\tpol->sadb_x_policy_len += req_size/8;\n\t\tmemset(rq, 0, sizeof(*rq));\n\t\trq->sadb_x_ipsecrequest_len = req_size;\n\t\trq->sadb_x_ipsecrequest_proto = t->id.proto;\n\t\tif ((mode = pfkey_mode_from_xfrm(t->mode)) < 0)\n\t\t\treturn -EINVAL;\n\t\trq->sadb_x_ipsecrequest_mode = mode;\n\t\trq->sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;\n\t\tif 
(t->reqid)\n\t\t\trq->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;\n\t\tif (t->optional)\n\t\t\trq->sadb_x_ipsecrequest_level = IPSEC_LEVEL_USE;\n\t\trq->sadb_x_ipsecrequest_reqid = t->reqid;\n\n\t\tif (t->mode == XFRM_MODE_TUNNEL) {\n\t\t\tu8 *sa = (void *)(rq + 1);\n\t\t\tpfkey_sockaddr_fill(&t->saddr, 0,\n\t\t\t\t\t (struct sockaddr *)sa,\n\t\t\t\t\t t->encap_family);\n\t\t\tpfkey_sockaddr_fill(&t->id.daddr, 0,\n\t\t\t\t\t (struct sockaddr *) (sa + socklen),\n\t\t\t\t\t t->encap_family);\n\t\t}\n\t}\n\n\t/* security context */\n\tif ((xfrm_ctx = xp->security)) {\n\t\tint ctx_size = pfkey_xfrm_policy2sec_ctx_size(xp);\n\n\t\tsec_ctx = skb_put(skb, ctx_size);\n\t\tsec_ctx->sadb_x_sec_len = ctx_size / sizeof(uint64_t);\n\t\tsec_ctx->sadb_x_sec_exttype = SADB_X_EXT_SEC_CTX;\n\t\tsec_ctx->sadb_x_ctx_doi = xfrm_ctx->ctx_doi;\n\t\tsec_ctx->sadb_x_ctx_alg = xfrm_ctx->ctx_alg;\n\t\tsec_ctx->sadb_x_ctx_len = xfrm_ctx->ctx_len;\n\t\tmemcpy(sec_ctx + 1, xfrm_ctx->ctx_str,\n\t\t xfrm_ctx->ctx_len);\n\t}\n\n\thdr->sadb_msg_len = size / sizeof(uint64_t);\n\thdr->sadb_msg_reserved = refcount_read(&xp->refcnt);\n\n\treturn 0;\n}", "project": "linux", "hash": 142087220272590385702449037513716029290, "size": 149, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268075 }, { "func": "static int ca8210_set_cca_mode(\n\tstruct ieee802154_hw *hw,\n\tconst struct wpan_phy_cca *cca\n)\n{\n\tu8 status;\n\tu8 cca_mode;\n\tstruct ca8210_priv *priv = hw->priv;\n\n\tcca_mode = cca->mode & 3;\n\tif (cca_mode == 3 && cca->opt == NL802154_CCA_OPT_ENERGY_CARRIER_OR) {\n\t\t/* cca_mode 0 == CS OR ED, 3 == CS AND ED */\n\t\tcca_mode = 0;\n\t}\n\tstatus = mlme_set_request_sync(\n\t\tPHY_CCA_MODE,\n\t\t0,\n\t\t1,\n\t\t&cca_mode,\n\t\tpriv->spi\n\t);\n\tif (status) {\n\t\tdev_err(\n\t\t\t&priv->spi->dev,\n\t\t\t\"error setting cca mode, MLME-SET.confirm status = %d\",\n\t\t\tstatus\n\t\t);\n\t}\n\treturn link_to_linux_err(status);\n}", "project": "linux", "hash": 5259838164014448530792306168047181975, "size": 30, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408787 }, { "func": "unsigned long perf_misc_flags(struct pt_regs *regs)\n{\n\tu32 flags = perf_get_misc_flags(regs);\n\n\tif (flags)\n\t\treturn flags;\n\treturn user_mode(regs) ? 
PERF_RECORD_MISC_USER :\n\t\tPERF_RECORD_MISC_KERNEL;\n}", "project": "linux", "hash": 289925206949806159651833503048172207166, "size": 9, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374687 }, { "func": "DLLEXPORT int tjPlaneWidth(int componentID, int width, int subsamp)\n{\n\tint pw, nc, retval=0;\n\n\tif(width<1 || subsamp<0 || subsamp>=TJ_NUMSAMP)\n\t\t_throw(\"tjPlaneWidth(): Invalid argument\");\n\tnc=(subsamp==TJSAMP_GRAY? 1:3);\n\tif(componentID<0 || componentID>=nc)\n\t\t_throw(\"tjPlaneWidth(): Invalid argument\");\n\n\tpw=PAD(width, tjMCUWidth[subsamp]/8);\n\tif(componentID==0)\n\t\tretval=pw;\n\telse\n\t\tretval=pw*8/tjMCUWidth[subsamp];\n\n\tbailout:\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 136939125404021309469641042286431122567, "size": 19, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... 
when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311105 }, { "func": "static apr_status_t ap_session_get(request_rec * r, session_rec * z,\n const char *key, const char **value)\n{\n if (!z) {\n apr_status_t rv;\n rv = ap_session_load(r, &z);\n if (APR_SUCCESS != rv) {\n return rv;\n }\n }\n if (z && z->entries) {\n *value = apr_table_get(z->entries, key);\n }\n\n return OK;\n}", "project": "httpd", "hash": 7815691307927056759438359473661194330, "size": 16, "commit_id": "7e09dd714fc62c08c5b0319ed7b9702594faf49b", "message": "mod_session: account for the '&' in identity_concat().\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 389211 }, { "func": "\nstatic void io_uring_clean_tctx(struct io_uring_task *tctx)\n{\n\tstruct io_tctx_node *node;\n\tunsigned long index;\n\n\txa_for_each(&tctx->xa, index, node)\n\t\tio_uring_del_task_file(index);\n\tif (tctx->io_wq) {\n\t\tio_wq_put_and_exit(tctx->io_wq);\n\t\ttctx->io_wq = NULL;\n\t}", "project": "linux", "hash": 76800558371673220154072181436772925246, "size": 12, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338683 }, { "func": "static void set_timeslice(struct intel_engine_cs *engine)\n{\n\tif (!intel_engine_has_timeslices(engine))\n\t\treturn;\n\n\tset_timer_ms(&engine->execlists.timer, active_timeslice(engine));\n}", "project": "linux", "hash": 106111572086751829855311181157283424841, "size": 7, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281452 }, { "func": " Item_blob(THD *thd, const char *name_arg, uint length):\n Item_partition_func_safe_string(thd, name_arg, (uint) strlen(name_arg), &my_charset_bin)\n { max_length= length; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 172275057475946138897164329208984385541, "size": 3, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509202 }, { "func": "static int ca8210_test_check_upstream(u8 *buf, void *device_ref)\n{\n\tint ret;\n\tu8 response[CA8210_SPI_BUF_SIZE];\n\n\tif (buf[0] == SPI_MLME_SET_REQUEST) {\n\t\tret = tdme_checkpibattribute(buf[2], buf[4], buf + 5);\n\t\tif (ret) {\n\t\t\tresponse[0] = SPI_MLME_SET_CONFIRM;\n\t\t\tresponse[1] = 3;\n\t\t\tresponse[2] = MAC_INVALID_PARAMETER;\n\t\t\tresponse[3] = buf[2];\n\t\t\tresponse[4] = buf[3];\n\t\t\tif (cascoda_api_upstream)\n\t\t\t\tcascoda_api_upstream(response, 5, device_ref);\n\t\t\treturn ret;\n\t\t}\n\t}\n\tif (buf[0] == SPI_MLME_ASSOCIATE_REQUEST) {\n\t\treturn tdme_channelinit(buf[2], device_ref);\n\t} else if (buf[0] == SPI_MLME_START_REQUEST) {\n\t\treturn tdme_channelinit(buf[4], device_ref);\n\t} else if (\n\t\t(buf[0] == SPI_MLME_SET_REQUEST) &&\n\t\t(buf[2] == PHY_CURRENT_CHANNEL)\n\t) {\n\t\treturn tdme_channelinit(buf[5], device_ref);\n\t} else if (\n\t\t(buf[0] == SPI_TDME_SET_REQUEST) &&\n\t\t(buf[2] == TDME_CHANNEL)\n\t) {\n\t\treturn tdme_channelinit(buf[4], device_ref);\n\t} else if (\n\t\t(CA8210_MAC_WORKAROUNDS) &&\n\t\t(buf[0] == SPI_MLME_RESET_REQUEST) &&\n\t\t(buf[2] == 1)\n\t) {\n\t\t/* reset COORD Bit for Channel Filtering as Coordinator */\n\t\treturn tdme_setsfr_request_sync(\n\t\t\t0,\n\t\t\tCA8210_SFR_MACCON,\n\t\t\t0,\n\t\t\tdevice_ref\n\t\t);\n\t}\n\treturn 0;\n} /* End of EVBMECheckSerialCommand() */", "project": "linux", "hash": 332354931024690725180702131865764258874, "size": 47, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost 
\nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408768 }, { "func": "static int sctp_setsockopt_auth_key(struct sock *sk,\n\t\t\t\t struct sctp_authkey *authkey,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_endpoint *ep = sctp_sk(sk)->ep;\n\tstruct sctp_association *asoc;\n\tint ret = -EINVAL;\n\n\tif (optlen <= sizeof(struct sctp_authkey))\n\t\treturn -EINVAL;\n\t/* authkey->sca_keylength is u16, so optlen can't be bigger than\n\t * this.\n\t */\n\toptlen = min_t(unsigned int, optlen, USHRT_MAX + sizeof(*authkey));\n\n\tif (authkey->sca_keylength > optlen - sizeof(*authkey))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, authkey->sca_assoc_id);\n\tif (!asoc && authkey->sca_assoc_id > SCTP_ALL_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\tgoto out;\n\n\tif (asoc) {\n\t\tret = sctp_auth_set_key(ep, asoc, authkey);\n\t\tgoto out;\n\t}\n\n\tif (sctp_style(sk, TCP))\n\t\tauthkey->sca_assoc_id = SCTP_FUTURE_ASSOC;\n\n\tif (authkey->sca_assoc_id == SCTP_FUTURE_ASSOC ||\n\t authkey->sca_assoc_id == SCTP_ALL_ASSOC) {\n\t\tret = sctp_auth_set_key(ep, asoc, authkey);\n\t\tif (ret)\n\t\t\tgoto out;\n\t}\n\n\tret = 0;\n\n\tif (authkey->sca_assoc_id == SCTP_CURRENT_ASSOC ||\n\t authkey->sca_assoc_id == SCTP_ALL_ASSOC) {\n\t\tlist_for_each_entry(asoc, &ep->asocs, asocs) {\n\t\t\tint res = sctp_auth_set_key(ep, asoc, authkey);\n\n\t\t\tif (res && !ret)\n\t\t\t\tret = res;\n\t\t}\n\t}\n\nout:\n\tmemzero_explicit(authkey, optlen);\n\treturn ret;\n}", "project": "linux", "hash": 146773964769194503786584056646622990132, "size": 54, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following 
functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398162 }, { "func": "void LibRaw::ljpeg_end(struct jhead *jh)\n{\n int c;\n FORC4 if (jh->free[c]) free(jh->free[c]);\n free(jh->row);\n}", "project": "LibRaw", "hash": 102294906394315538765666918250350298414, "size": 6, "commit_id": "a6937d4046a7c4742b683a04c8564605fd9be4fb", "message": "more room for ljpeg row", "target": 0, "dataset": "other", "idx": 319429 }, { "func": "\tbool UserPage(CWebSock& WebSock, CTemplate& Tmpl, CUser* pUser = NULL) {\n\t\tCSmartPtr spSession = WebSock.GetSession();\n\t\tTmpl.SetFile(\"add_edit_user.tmpl\");\n\n\t\tif (!WebSock.GetParam(\"submitted\").ToUInt()) {\n\t\t\tCString sAllowedHosts, sServers, sChans, sCTCPReplies;\n\n\t\t\tif (pUser) {\n\t\t\t\tTmpl[\"Action\"] = \"edituser\";\n\t\t\t\tTmpl[\"Title\"] = \"Edit User [\" + pUser->GetUserName() + \"]\";\n\t\t\t\tTmpl[\"Edit\"] = \"true\";\n\t\t\t} else {\n\t\t\t\tCString sUsername = WebSock.GetParam(\"clone\", false);\n\t\t\t\tpUser = CZNC::Get().FindUser(sUsername);\n\n\t\t\t\tif (pUser) {\n\t\t\t\t\tTmpl[\"Title\"] = \"Clone User [\" + pUser->GetUserName() + \"]\";\n\t\t\t\t\tTmpl[\"Clone\"] = \"true\";\n\t\t\t\t\tTmpl[\"CloneUsername\"] = pUser->GetUserName();\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tTmpl[\"ImAdmin\"] = CString(spSession->IsAdmin());\n\n\t\t\tif (pUser) {\n\t\t\t\tTmpl[\"Username\"] = pUser->GetUserName();\n\t\t\t\tTmpl[\"Nick\"] = pUser->GetNick();\n\t\t\t\tTmpl[\"AltNick\"] 
= pUser->GetAltNick();\n\t\t\t\tTmpl[\"StatusPrefix\"] = pUser->GetStatusPrefix();\n\t\t\t\tTmpl[\"Ident\"] = pUser->GetIdent();\n\t\t\t\tTmpl[\"RealName\"] = pUser->GetRealName();\n\t\t\t\tTmpl[\"QuitMsg\"] = pUser->GetQuitMsg();\n\t\t\t\tTmpl[\"DefaultChanModes\"] = pUser->GetDefaultChanModes();\n\t\t\t\tTmpl[\"BufferCount\"] = CString(pUser->GetBufferCount());\n\t\t\t\tTmpl[\"TimestampFormat\"] = pUser->GetTimestampFormat();\n\t\t\t\tTmpl[\"Timezone\"] = pUser->GetTimezone();\n\t\t\t\tTmpl[\"JoinTries\"] = CString(pUser->JoinTries());\n\t\t\t\tTmpl[\"MaxNetworks\"] = CString(pUser->MaxNetworks());\n\n\t\t\t\tconst set& ssAllowedHosts = pUser->GetAllowedHosts();\n\t\t\t\tfor (set::const_iterator it = ssAllowedHosts.begin(); it != ssAllowedHosts.end(); ++it) {\n\t\t\t\t\tCTemplate& l = Tmpl.AddRow(\"AllowedHostLoop\");\n\t\t\t\t\tl[\"Host\"] = *it;\n\t\t\t\t}\n\n\t\t\t\tconst vector& vNetworks = pUser->GetNetworks();\n\t\t\t\tfor (unsigned int a = 0; a < vNetworks.size(); a++) {\n\t\t\t\t\tCTemplate& l = Tmpl.AddRow(\"NetworkLoop\");\n\t\t\t\t\tl[\"Name\"] = vNetworks[a]->GetName();\n\t\t\t\t\tl[\"Username\"] = pUser->GetUserName();\n\t\t\t\t\tl[\"Clients\"] = CString(vNetworks[a]->GetClients().size());\n\t\t\t\t\tl[\"IRCNick\"] = vNetworks[a]->GetIRCNick().GetNick();\n\t\t\t\t\tCServer* pServer = vNetworks[a]->GetCurrentServer();\n\t\t\t\t\tif (pServer) {\n\t\t\t\t\t\tl[\"Server\"] = pServer->GetName();\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tconst MCString& msCTCPReplies = pUser->GetCTCPReplies();\n\t\t\t\tfor (MCString::const_iterator it2 = msCTCPReplies.begin(); it2 != msCTCPReplies.end(); ++it2) {\n\t\t\t\t\tCTemplate& l = Tmpl.AddRow(\"CTCPLoop\");\n\t\t\t\t\tl[\"CTCP\"] = it2->first + \" \" + it2->second;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tTmpl[\"Action\"] = \"adduser\";\n\t\t\t\tTmpl[\"Title\"] = \"Add User\";\n\t\t\t\tTmpl[\"StatusPrefix\"] = \"*\";\n\t\t\t}\n\n\t\t\tSCString ssTimezones = CUtils::GetTimezones();\n\t\t\tfor (SCString::iterator i = 
ssTimezones.begin(); i != ssTimezones.end(); ++i) {\n\t\t\t\tCTemplate& l = Tmpl.AddRow(\"TZLoop\");\n\t\t\t\tl[\"TZ\"] = *i;\n\t\t\t}\n\n\t\t\t// To change BindHosts be admin or don't have DenySetBindHost\n\t\t\tif (spSession->IsAdmin() || !spSession->GetUser()->DenySetBindHost()) {\n\t\t\t\tTmpl[\"BindHostEdit\"] = \"true\";\n\t\t\t\tconst VCString& vsBindHosts = CZNC::Get().GetBindHosts();\n\t\t\t\tif (vsBindHosts.empty()) {\n\t\t\t\t\tif (pUser) {\n\t\t\t\t\t\tTmpl[\"BindHost\"] = pUser->GetBindHost();\n\t\t\t\t\t\tTmpl[\"DCCBindHost\"] = pUser->GetDCCBindHost();\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tbool bFoundBindHost = false;\n\t\t\t\t\tbool bFoundDCCBindHost = false;\n\t\t\t\t\tfor (unsigned int b = 0; b < vsBindHosts.size(); b++) {\n\t\t\t\t\t\tconst CString& sBindHost = vsBindHosts[b];\n\t\t\t\t\t\tCTemplate& l = Tmpl.AddRow(\"BindHostLoop\");\n\t\t\t\t\t\tCTemplate& k = Tmpl.AddRow(\"DCCBindHostLoop\");\n\n\t\t\t\t\t\tl[\"BindHost\"] = sBindHost;\n\t\t\t\t\t\tk[\"BindHost\"] = sBindHost;\n\n\t\t\t\t\t\tif (pUser && pUser->GetBindHost() == sBindHost) {\n\t\t\t\t\t\t\tl[\"Checked\"] = \"true\";\n\t\t\t\t\t\t\tbFoundBindHost = true;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif (pUser && pUser->GetDCCBindHost() == sBindHost) {\n\t\t\t\t\t\t\tk[\"Checked\"] = \"true\";\n\t\t\t\t\t\t\tbFoundDCCBindHost = true;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\t// If our current bindhost is not in the global list...\n\t\t\t\t\tif (pUser && !bFoundBindHost && !pUser->GetBindHost().empty()) {\n\t\t\t\t\t\tCTemplate& l = Tmpl.AddRow(\"BindHostLoop\");\n\n\t\t\t\t\t\tl[\"BindHost\"] = pUser->GetBindHost();\n\t\t\t\t\t\tl[\"Checked\"] = \"true\";\n\t\t\t\t\t}\n\t\t\t\t\tif (pUser && !bFoundDCCBindHost && !pUser->GetDCCBindHost().empty()) {\n\t\t\t\t\t\tCTemplate& l = Tmpl.AddRow(\"DCCBindHostLoop\");\n\n\t\t\t\t\t\tl[\"BindHost\"] = pUser->GetDCCBindHost();\n\t\t\t\t\t\tl[\"Checked\"] = \"true\";\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tvector 
vDirs;\n\t\t\tWebSock.GetAvailSkins(vDirs);\n\n\t\t\tfor (unsigned int d = 0; d < vDirs.size(); d++) {\n\t\t\t\tconst CString& SubDir = vDirs[d];\n\t\t\t\tCTemplate& l = Tmpl.AddRow(\"SkinLoop\");\n\t\t\t\tl[\"Name\"] = SubDir;\n\n\t\t\t\tif (pUser && SubDir == pUser->GetSkinName()) {\n\t\t\t\t\tl[\"Checked\"] = \"true\";\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tset ssUserMods;\n\t\t\tCZNC::Get().GetModules().GetAvailableMods(ssUserMods);\n\n\t\t\tfor (set::iterator it = ssUserMods.begin(); it != ssUserMods.end(); ++it) {\n\t\t\t\tconst CModInfo& Info = *it;\n\t\t\t\tCTemplate& l = Tmpl.AddRow(\"ModuleLoop\");\n\n\t\t\t\tl[\"Name\"] = Info.GetName();\n\t\t\t\tl[\"Description\"] = Info.GetDescription();\n\t\t\t\tl[\"Wiki\"] = Info.GetWikiPage();\n\t\t\t\tl[\"HasArgs\"] = CString(Info.GetHasArgs());\n\t\t\t\tl[\"ArgsHelpText\"] = Info.GetArgsHelpText();\n\n\t\t\t\tCModule *pModule = NULL;\n\t\t\t\tif (pUser)\n\t\t\t\t\tpModule = pUser->GetModules().FindModule(Info.GetName());\n\t\t\t\tif (pModule) {\n\t\t\t\t\tl[\"Checked\"] = \"true\";\n\t\t\t\t\tl[\"Args\"] = pModule->GetArgs();\n\t\t\t\t\tif (CModInfo::UserModule == GetType() && Info.GetName() == GetModName()) {\n\t\t\t\t\t\tl[\"Disabled\"] = \"true\";\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif (!spSession->IsAdmin() && pUser && pUser->DenyLoadMod()) {\n\t\t\t\t\tl[\"Disabled\"] = \"true\";\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tCTemplate& o1 = Tmpl.AddRow(\"OptionLoop\");\n\t\t\to1[\"Name\"] = \"autoclearchanbuffer\";\n\t\t\to1[\"DisplayName\"] = \"Auto Clear Chan Buffer\";\n\t\t\to1[\"Tooltip\"] = \"Automatically Clear Channel Buffer After Playback (the default value for new channels)\";\n\t\t\tif (!pUser || pUser->AutoClearChanBuffer()) { o1[\"Checked\"] = \"true\"; }\n\n\t\t\t/* o2 used to be auto cycle which was removed */\n\n\t\t\tCTemplate& o4 = Tmpl.AddRow(\"OptionLoop\");\n\t\t\to4[\"Name\"] = \"multiclients\";\n\t\t\to4[\"DisplayName\"] = \"Multi Clients\";\n\t\t\tif (!pUser || pUser->MultiClients()) { o4[\"Checked\"] = \"true\"; 
}\n\n\t\t\tCTemplate& o7 = Tmpl.AddRow(\"OptionLoop\");\n\t\t\to7[\"Name\"] = \"appendtimestamp\";\n\t\t\to7[\"DisplayName\"] = \"Append Timestamps\";\n\t\t\tif (pUser && pUser->GetTimestampAppend()) { o7[\"Checked\"] = \"true\"; }\n\n\t\t\tCTemplate& o8 = Tmpl.AddRow(\"OptionLoop\");\n\t\t\to8[\"Name\"] = \"prependtimestamp\";\n\t\t\to8[\"DisplayName\"] = \"Prepend Timestamps\";\n\t\t\tif (pUser && pUser->GetTimestampPrepend()) { o8[\"Checked\"] = \"true\"; }\n\n\t\t\tif (spSession->IsAdmin()) {\n\t\t\t\tCTemplate& o9 = Tmpl.AddRow(\"OptionLoop\");\n\t\t\t\to9[\"Name\"] = \"denyloadmod\";\n\t\t\t\to9[\"DisplayName\"] = \"Deny LoadMod\";\n\t\t\t\tif (pUser && pUser->DenyLoadMod()) { o9[\"Checked\"] = \"true\"; }\n\n\t\t\t\tCTemplate& o10 = Tmpl.AddRow(\"OptionLoop\");\n\t\t\t\to10[\"Name\"] = \"isadmin\";\n\t\t\t\to10[\"DisplayName\"] = \"Admin\";\n\t\t\t\tif (pUser && pUser->IsAdmin()) { o10[\"Checked\"] = \"true\"; }\n\t\t\t\tif (pUser && pUser == CZNC::Get().FindUser(WebSock.GetUser())) { o10[\"Disabled\"] = \"true\"; }\n\n\t\t\t\tCTemplate& o11 = Tmpl.AddRow(\"OptionLoop\");\n\t\t\t\to11[\"Name\"] = \"denysetbindhost\";\n\t\t\t\to11[\"DisplayName\"] = \"Deny SetBindHost\";\n\t\t\t\tif (pUser && pUser->DenySetBindHost()) { o11[\"Checked\"] = \"true\"; }\n\t\t\t}\n\n\t\t\tFOR_EACH_MODULE(i, pUser) {\n\t\t\t\tCTemplate& mod = Tmpl.AddRow(\"EmbeddedModuleLoop\");\n\t\t\t\tmod.insert(Tmpl.begin(), Tmpl.end());\n\t\t\t\tmod[\"WebadminAction\"] = \"display\";\n\t\t\t\tif ((*i)->OnEmbeddedWebRequest(WebSock, \"webadmin/user\", mod)) {\n\t\t\t\t\tmod[\"Embed\"] = WebSock.FindTmpl(*i, \"WebadminUser.tmpl\");\n\t\t\t\t\tmod[\"ModName\"] = (*i)->GetModName();\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn true;\n\t\t}\n\n\t\t/* If pUser is NULL, we are adding a user, else we are editing this one */\n\n\t\tCString sUsername = WebSock.GetParam(\"user\");\n\t\tif (!pUser && CZNC::Get().FindUser(sUsername)) {\n\t\t\tWebSock.PrintErrorPage(\"Invalid Submission [User \" + sUsername + \" 
already exists]\");\n\t\t\treturn true;\n\t\t}\n\n\t\tCUser* pNewUser = GetNewUser(WebSock, pUser);\n\t\tif (!pNewUser) {\n\t\t\tWebSock.PrintErrorPage(\"Invalid user settings\");\n\t\t\treturn true;\n\t\t}\n\n\t\tCString sErr;\n\t\tCString sAction;\n\n\t\tif (!pUser) {\n\t\t\tCString sClone = WebSock.GetParam(\"clone\");\n\t\t\tif (CUser *pCloneUser = CZNC::Get().FindUser(sClone)) {\n\t\t\t\tpNewUser->CloneNetworks(*pCloneUser);\n\t\t\t}\n\n\t\t\t// Add User Submission\n\t\t\tif (!CZNC::Get().AddUser(pNewUser, sErr)) {\n\t\t\t\tdelete pNewUser;\n\t\t\t\tWebSock.PrintErrorPage(\"Invalid submission [\" + sErr + \"]\");\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\tpUser = pNewUser;\n\t\t\tsAction = \"added\";\n\t\t} else {\n\t\t\t// Edit User Submission\n\t\t\tif (!pUser->Clone(*pNewUser, sErr, false)) {\n\t\t\t\tdelete pNewUser;\n\t\t\t\tWebSock.PrintErrorPage(\"Invalid Submission [\" + sErr + \"]\");\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\tdelete pNewUser;\n\t\t\tsAction = \"edited\";\n\t\t}\n\n\t\tCTemplate TmplMod;\n\t\tTmplMod[\"Username\"] = sUsername;\n\t\tTmplMod[\"WebadminAction\"] = \"change\";\n\t\tFOR_EACH_MODULE(it, pUser) {\n\t\t\t(*it)->OnEmbeddedWebRequest(WebSock, \"webadmin/user\", TmplMod);\n\t\t}\n\n\t\tif (!CZNC::Get().WriteConfig()) {\n\t\t\tWebSock.PrintErrorPage(\"User \" + sAction + \", but config was not written\");\n\t\t\treturn true;\n\t\t}\n\n\t\tif (!spSession->IsAdmin()) {\n\t\t\tWebSock.Redirect(\"edituser\");\n\t\t} else {\n\t\t\tWebSock.Redirect(\"listusers\");\n\t\t}\n\n\t\t/* we don't want the template to be printed while we redirect */\n\t\treturn false;\n\t}", "project": "znc", "hash": 321034902172324297817233162373136224397, "size": 283, "commit_id": "2bd410ee5570cea127233f1133ea22f25174eb28", "message": "Fix NULL pointer dereference in webadmin.\n\nTriggerable by any non-admin, if webadmin is loaded.\n\nThe only affected version is 1.0\n\nThanks to ChauffeR (Simone Esposito) for reporting this.", "target": 0, "dataset": "other", 
"idx": 412191 }, { "func": "static int pipe_handler_request(struct sock *sk, u8 id, u8 code,\n\t\t\t\tconst void *data, int len)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tstruct pnpipehdr *ph;\n\tstruct sk_buff *skb;\n\n\tskb = pep_alloc_skb(sk, data, len, GFP_KERNEL);\n\tif (!skb)\n\t\treturn -ENOMEM;\n\n\tph = pnp_hdr(skb);\n\tph->utid = id; /* whatever */\n\tph->message_id = id;\n\tph->pipe_handle = pn->pipe_handle;\n\tph->error_code = code;\n\treturn pn_skb_send(sk, skb, NULL);\n}", "project": "linux", "hash": 265719610421548571991345775066718820802, "size": 18, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224821 }, { "func": "static void\nbfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic,\n\t\tstruct bfq_queue *bfqq, struct bfq_queue *new_bfqq)\n{\n\tbfq_log_bfqq(bfqd, bfqq, \"merging with queue %lu\",\n\t\t(unsigned long)new_bfqq->pid);\n\t/* Save weight raising and idle window of the merged queues */\n\tbfq_bfqq_save_state(bfqq);\n\tbfq_bfqq_save_state(new_bfqq);\n\tif (bfq_bfqq_IO_bound(bfqq))\n\t\tbfq_mark_bfqq_IO_bound(new_bfqq);\n\tbfq_clear_bfqq_IO_bound(bfqq);\n\n\t/*\n\t * If bfqq is weight-raised, then let new_bfqq inherit\n\t * weight-raising. To reduce false positives, neglect the case\n\t * where bfqq has just been created, but has not yet made it\n\t * to be weight-raised (which may happen because EQM may merge\n\t * bfqq even before bfq_add_request is executed for the first\n\t * time for bfqq). 
Handling this case would however be very\n\t * easy, thanks to the flag just_created.\n\t */\n\tif (new_bfqq->wr_coeff == 1 && bfqq->wr_coeff > 1) {\n\t\tnew_bfqq->wr_coeff = bfqq->wr_coeff;\n\t\tnew_bfqq->wr_cur_max_time = bfqq->wr_cur_max_time;\n\t\tnew_bfqq->last_wr_start_finish = bfqq->last_wr_start_finish;\n\t\tnew_bfqq->wr_start_at_switch_to_srt =\n\t\t\tbfqq->wr_start_at_switch_to_srt;\n\t\tif (bfq_bfqq_busy(new_bfqq))\n\t\t\tbfqd->wr_busy_queues++;\n\t\tnew_bfqq->entity.prio_changed = 1;\n\t}\n\n\tif (bfqq->wr_coeff > 1) { /* bfqq has given its wr to new_bfqq */\n\t\tbfqq->wr_coeff = 1;\n\t\tbfqq->entity.prio_changed = 1;\n\t\tif (bfq_bfqq_busy(bfqq))\n\t\t\tbfqd->wr_busy_queues--;\n\t}\n\n\tbfq_log_bfqq(bfqd, new_bfqq, \"merge_bfqqs: wr_busy %d\",\n\t\t bfqd->wr_busy_queues);\n\n\t/*\n\t * Merge queues (that is, let bic redirect its requests to new_bfqq)\n\t */\n\tbic_set_bfqq(bic, new_bfqq, 1);\n\tbfq_mark_bfqq_coop(new_bfqq);\n\t/*\n\t * new_bfqq now belongs to at least two bics (it is a shared queue):\n\t * set new_bfqq->bic to NULL. bfqq either:\n\t * - does not belong to any bic any more, and hence bfqq->bic must\n\t * be set to NULL, or\n\t * - is a queue whose owning bics have already been redirected to a\n\t * different queue, hence the queue is destined to not belong to\n\t * any bic soon and bfqq->bic is already NULL (therefore the next\n\t * assignment causes no harm).\n\t */\n\tnew_bfqq->bic = NULL;\n\t/*\n\t * If the queue is shared, the pid is the pid of one of the associated\n\t * processes. Which pid depends on the exact sequence of merge events\n\t * the queue underwent. 
So printing such a pid is useless and confusing\n\t * because it reports a random pid between those of the associated\n\t * processes.\n\t * We mark such a queue with a pid -1, and then print SHARED instead of\n\t * a pid in logging messages.\n\t */\n\tnew_bfqq->pid = -1;\n\tbfqq->bic = NULL;\n\tbfq_release_process_ref(bfqd, bfqq);", "project": "linux", "hash": 161511078296408993847408651265550472582, "size": 71, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453318 }, { "func": "int x25_rx_call_request(struct sk_buff *skb, struct x25_neigh *nb,\n\t\t\tunsigned int lci)\n{\n\tstruct sock *sk;\n\tstruct sock *make;\n\tstruct x25_sock *makex25;\n\tstruct x25_address source_addr, dest_addr;\n\tstruct x25_facilities facilities;\n\tstruct x25_dte_facilities dte_facilities;\n\tint len, addr_len, rc;\n\n\t/*\n\t *\tRemove the LCI and frame type.\n\t */\n\tskb_pull(skb, X25_STD_MIN_LEN);\n\n\t/*\n\t *\tExtract the X.25 addresses and convert them to ASCII strings,\n\t *\tand remove them.\n\t *\n\t *\tAddress block is mandatory in call request packets\n\t */\n\taddr_len = x25_parse_address_block(skb, &source_addr, &dest_addr);\n\tif (addr_len <= 0)\n\t\tgoto out_clear_request;\n\tskb_pull(skb, addr_len);\n\n\t/*\n\t *\tGet the length of the facilities, skip past them for the moment\n\t *\tget the call user data because this is 
needed to determine\n\t *\tthe correct listener\n\t *\n\t *\tFacilities length is mandatory in call request packets\n\t */\n\tif (!pskb_may_pull(skb, 1))\n\t\tgoto out_clear_request;\n\tlen = skb->data[0] + 1;\n\tif (!pskb_may_pull(skb, len))\n\t\tgoto out_clear_request;\n\tskb_pull(skb,len);\n\n\t/*\n\t *\tEnsure that the amount of call user data is valid.\n\t */\n\tif (skb->len > X25_MAX_CUD_LEN)\n\t\tgoto out_clear_request;\n\n\t/*\n\t *\tGet all the call user data so it can be used in\n\t *\tx25_find_listener and skb_copy_from_linear_data up ahead.\n\t */\n\tif (!pskb_may_pull(skb, skb->len))\n\t\tgoto out_clear_request;\n\n\t/*\n\t *\tFind a listener for the particular address/cud pair.\n\t */\n\tsk = x25_find_listener(&source_addr,skb);\n\tskb_push(skb,len);\n\n\tif (sk != NULL && sk_acceptq_is_full(sk)) {\n\t\tgoto out_sock_put;\n\t}\n\n\t/*\n\t *\tWe dont have any listeners for this incoming call.\n\t *\tTry forwarding it.\n\t */\n\tif (sk == NULL) {\n\t\tskb_push(skb, addr_len + X25_STD_MIN_LEN);\n\t\tif (sysctl_x25_forward &&\n\t\t\t\tx25_forward_call(&dest_addr, nb, skb, lci) > 0)\n\t\t{\n\t\t\t/* Call was forwarded, dont process it any more */\n\t\t\tkfree_skb(skb);\n\t\t\trc = 1;\n\t\t\tgoto out;\n\t\t} else {\n\t\t\t/* No listeners, can't forward, clear the call */\n\t\t\tgoto out_clear_request;\n\t\t}\n\t}\n\n\t/*\n\t *\tTry to reach a compromise on the requested facilities.\n\t */\n\tlen = x25_negotiate_facilities(skb, sk, &facilities, &dte_facilities);\n\tif (len == -1)\n\t\tgoto out_sock_put;\n\n\t/*\n\t * current neighbour/link might impose additional limits\n\t * on certain facilities\n\t */\n\n\tx25_limit_facilities(&facilities, nb);\n\n\t/*\n\t *\tTry to create a new socket.\n\t */\n\tmake = x25_make_new(sk);\n\tif (!make)\n\t\tgoto out_sock_put;\n\n\t/*\n\t *\tRemove the facilities\n\t */\n\tskb_pull(skb, len);\n\n\tskb->sk = make;\n\tmake->sk_state = TCP_ESTABLISHED;\n\n\tmakex25 = x25_sk(make);\n\tmakex25->lci = lci;\n\tmakex25->dest_addr = 
dest_addr;\n\tmakex25->source_addr = source_addr;\n\tx25_neigh_hold(nb);\n\tmakex25->neighbour = nb;\n\tmakex25->facilities = facilities;\n\tmakex25->dte_facilities= dte_facilities;\n\tmakex25->vc_facil_mask = x25_sk(sk)->vc_facil_mask;\n\t/* ensure no reverse facil on accept */\n\tmakex25->vc_facil_mask &= ~X25_MASK_REVERSE;\n\t/* ensure no calling address extension on accept */\n\tmakex25->vc_facil_mask &= ~X25_MASK_CALLING_AE;\n\tmakex25->cudmatchlength = x25_sk(sk)->cudmatchlength;\n\n\t/* Normally all calls are accepted immediately */\n\tif (test_bit(X25_ACCPT_APPRV_FLAG, &makex25->flags)) {\n\t\tx25_write_internal(make, X25_CALL_ACCEPTED);\n\t\tmakex25->state = X25_STATE_3;\n\t} else {\n\t\tmakex25->state = X25_STATE_5;\n\t}\n\n\t/*\n\t *\tIncoming Call User Data.\n\t */\n\tskb_copy_from_linear_data(skb, makex25->calluserdata.cuddata, skb->len);\n\tmakex25->calluserdata.cudlength = skb->len;\n\n\tsk_acceptq_added(sk);\n\n\tx25_insert_socket(make);\n\n\tskb_queue_head(&sk->sk_receive_queue, skb);\n\n\tx25_start_heartbeat(make);\n\n\tif (!sock_flag(sk, SOCK_DEAD))\n\t\tsk->sk_data_ready(sk);\n\trc = 1;\n\tsock_put(sk);\nout:\n\treturn rc;\nout_sock_put:\n\tsock_put(sk);\nout_clear_request:\n\trc = 0;\n\tx25_transmit_clear_request(nb, lci, 0x01);\n\tgoto out;\n}", "project": "net", "hash": 290030182882622747093544209836043741299, "size": 162, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... 
| x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449163 }, { "func": "static void kvm_cache_gfn_to_pfn(struct kvm_memory_slot *slot, gfn_t gfn,\n\t\t\t\t struct gfn_to_pfn_cache *cache, u64 gen)\n{\n\tkvm_release_pfn(cache->pfn, cache->dirty, cache);\n\n\tcache->pfn = gfn_to_pfn_memslot(slot, gfn);\n\tcache->gfn = gfn;\n\tcache->dirty = false;\n\tcache->generation = gen;\n}", "project": "linux", "hash": 205576509702659724295762204693821713541, "size": 10, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354722 }, { "func": "otError Commissioner::SetProvisioningUrl(const char *aProvisioningUrl)\n{\n otError error = OT_ERROR_NONE;\n uint8_t len;\n\n if (aProvisioningUrl == NULL)\n {\n mProvisioningUrl[0] 
= '\\0';\n ExitNow();\n }\n\n len = static_cast(strnlen(aProvisioningUrl, sizeof(mProvisioningUrl)));\n\n VerifyOrExit(len < sizeof(mProvisioningUrl), error = OT_ERROR_INVALID_ARGS);\n\n memcpy(mProvisioningUrl, aProvisioningUrl, len);\n mProvisioningUrl[len] = '\\0';\n\nexit:\n return error;\n}", "project": "openthread", "hash": 2149409332635082548273281164398757525, "size": 21, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269867 }, { "func": "static int __tty_fasync(int fd, struct file *filp, int on)\n{\n\tstruct tty_struct *tty = file_tty(filp);\n\tunsigned long flags;\n\tint retval = 0;\n\n\tif (tty_paranoia_check(tty, file_inode(filp), \"tty_fasync\"))\n\t\tgoto out;\n\n\tretval = fasync_helper(fd, filp, on, &tty->fasync);\n\tif (retval <= 0)\n\t\tgoto out;\n\n\tif (on) {\n\t\tenum pid_type type;\n\t\tstruct pid *pid;\n\n\t\tspin_lock_irqsave(&tty->ctrl_lock, flags);\n\t\tif (tty->pgrp) {\n\t\t\tpid = tty->pgrp;\n\t\t\ttype = PIDTYPE_PGID;\n\t\t} else {\n\t\t\tpid = task_pid(current);\n\t\t\ttype = PIDTYPE_TGID;\n\t\t}\n\t\tget_pid(pid);\n\t\tspin_unlock_irqrestore(&tty->ctrl_lock, flags);\n\t\t__f_setown(filp, pid, type, 0);\n\t\tput_pid(pid);\n\t\tretval = 0;\n\t}\nout:\n\treturn retval;\n}", "project": "linux", "hash": 227156900260468449747090598886855788296, "size": 34, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough 
at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326068 }, { "func": "static void __sigqueue_free(struct sigqueue *q)\n{\n\tif (q->flags & SIGQUEUE_PREALLOC)\n\t\treturn;\n\tatomic_dec(&q->user->sigpending);\n\tfree_uid(q->user);\n\tkmem_cache_free(sigqueue_cachep, q);\n}", "project": "linux", "hash": 102044275924742161137475144322863141034, "size": 8, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. 
Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375212 }, { "func": "static void cdeque_pop_front_fast(struct cdeque* d, void** value) {\n\t*value = (void*) d->arr[d->beg_pos];\n\td->beg_pos = (d->beg_pos + 1) & d->cap_mask;\n\td->size--;\n}", "project": "libarchive", "hash": 340196831080045273762824958852731879568, "size": 5, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244684 }, { "func": "void bcf_hdr_check_sanity(bcf_hdr_t *hdr)\n{\n static int PL_warned = 0, GL_warned = 0;\n\n if ( !PL_warned )\n {\n int id = bcf_hdr_id2int(hdr, BCF_DT_ID, \"PL\");\n if ( bcf_hdr_idinfo_exists(hdr,BCF_HL_FMT,id) && bcf_hdr_id2length(hdr,BCF_HL_FMT,id)!=BCF_VL_G )\n {\n hts_log_warning(\"PL should be declared as Number=G\");\n PL_warned = 1;\n }\n }\n if ( !GL_warned )\n {\n int id = bcf_hdr_id2int(hdr, BCF_DT_ID, \"GL\");\n if ( bcf_hdr_idinfo_exists(hdr,BCF_HL_FMT,id) && bcf_hdr_id2length(hdr,BCF_HL_FMT,id)!=BCF_VL_G )\n {\n hts_log_warning(\"GL should be declared as Number=G\");\n GL_warned = 1;\n }\n }\n}", "project": "htslib", "hash": 53691948438672085278572821351227505563, "size": 23, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402203 }, { "func": "int CServerBan::BanExt(T *pBanPool, const typename T::CDataType *pData, int Seconds, const char *pReason)\n{\n\t// validate address\n\tif(Server()->m_RconClientID >= 0 && Server()->m_RconClientID < MAX_CLIENTS &&\n\t\tServer()->m_aClients[Server()->m_RconClientID].m_State != CServer::CClient::STATE_EMPTY)\n\t{\n\t\tif(NetMatch(pData, Server()->m_NetServer.ClientAddr(Server()->m_RconClientID)))\n\t\t{\n\t\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"net_ban\", \"ban error (you can't ban yourself)\");\n\t\t\treturn -1;\n\t\t}\n\n\t\tfor(int i = 0; i < MAX_CLIENTS; ++i)\n\t\t{\n\t\t\tif(i == Server()->m_RconClientID || Server()->m_aClients[i].m_State == CServer::CClient::STATE_EMPTY)\n\t\t\t\tcontinue;\n\n\t\t\tif(Server()->m_aClients[i].m_Authed >= Server()->m_RconAuthLevel && NetMatch(pData, Server()->m_NetServer.ClientAddr(i)))\n\t\t\t{\n\t\t\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"net_ban\", \"ban error (command denied)\");\n\t\t\t\treturn -1;\n\t\t\t}\n\t\t}\n\t}\n\telse if(Server()->m_RconClientID == IServer::RCON_CID_VOTE)\n\t{\n\t\tfor(int i = 0; i < MAX_CLIENTS; ++i)\n\t\t{\n\t\t\tif(Server()->m_aClients[i].m_State == CServer::CClient::STATE_EMPTY)\n\t\t\t\tcontinue;\n\n\t\t\tif(Server()->m_aClients[i].m_Authed != CServer::AUTHED_NO && NetMatch(pData, Server()->m_NetServer.ClientAddr(i)))\n\t\t\t{\n\t\t\t\tConsole()->Print(IConsole::OUTPUT_LEVEL_STANDARD, \"net_ban\", \"ban error (command denied)\");\n\t\t\t\treturn -1;\n\t\t\t}\n\t\t}\n\t}\n\n\tint Result = Ban(pBanPool, pData, Seconds, pReason);\n\tif(Result != 0)\n\t\treturn Result;\n\n\t// drop banned clients\n\ttypename T::CDataType Data = *pData;\n\tfor(int i = 
0; i < MAX_CLIENTS; ++i)\n\t{\n\t\tif(Server()->m_aClients[i].m_State == CServer::CClient::STATE_EMPTY)\n\t\t\tcontinue;\n\n\t\tif(NetMatch(&Data, Server()->m_NetServer.ClientAddr(i)))\n\t\t{\n\t\t\tCNetHash NetHash(&Data);\n\t\t\tchar aBuf[256];\n\t\t\tMakeBanInfo(pBanPool->Find(&Data, &NetHash), aBuf, sizeof(aBuf), MSGTYPE_PLAYER);\n\t\t\tServer()->m_NetServer.Drop(i, aBuf);\n\t\t}\n\t}\n\n\treturn Result;\n}", "project": "teeworlds", "hash": 263120090096632193211263461463692072801, "size": 61, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382048 }, { "func": "int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,\n\t\t\t void **p)\n{\n\tstruct kmem_cache_cpu *c;\n\tint i;\n\n\t/* memcg and kmem_cache debug support */\n\ts = slab_pre_alloc_hook(s, flags);\n\tif (unlikely(!s))\n\t\treturn false;\n\t/*\n\t * Drain objects in the per cpu slab, while disabling local\n\t * IRQs, which protects against PREEMPT and interrupts\n\t * handlers invoking normal fastpath.\n\t */\n\tlocal_irq_disable();\n\tc = this_cpu_ptr(s->cpu_slab);\n\n\tfor (i = 0; i < size; i++) {\n\t\tvoid *object = c->freelist;\n\n\t\tif (unlikely(!object)) {\n\t\t\t/*\n\t\t\t * Invoking slow path likely have side-effect\n\t\t\t * of re-populating per CPU c->freelist\n\t\t\t */\n\t\t\tp[i] = ___slab_alloc(s, flags, NUMA_NO_NODE,\n\t\t\t\t\t _RET_IP_, c);\n\t\t\tif (unlikely(!p[i]))\n\t\t\t\tgoto error;\n\n\t\t\tc = this_cpu_ptr(s->cpu_slab);\n\t\t\tmaybe_wipe_obj_freeptr(s, p[i]);\n\n\t\t\tcontinue; /* goto for-loop */\n\t\t}\n\t\tc->freelist = get_freepointer(s, object);\n\t\tp[i] = object;\n\t\tmaybe_wipe_obj_freeptr(s, p[i]);\n\t}\n\tc->tid = next_tid(c->tid);\n\tlocal_irq_enable();\n\n\t/* Clear memory outside IRQ disabled fastpath loop */\n\tif (unlikely(slab_want_init_on_alloc(flags, s))) {\n\t\tint j;\n\n\t\tfor (j = 0; j < i; j++)\n\t\t\tmemset(p[j], 0, s->object_size);\n\t}\n\n\t/* memcg and 
kmem_cache debug support */\n\tslab_post_alloc_hook(s, flags, size, p);\n\treturn i;\nerror:\n\tlocal_irq_enable();\n\tslab_post_alloc_hook(s, flags, i, p);\n\t__kmem_cache_free_bulk(s, i, p);\n\treturn 0;\n}", "project": "linux", "hash": 124517195750956527135706940064747760759, "size": 60, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 1, "dataset": "other", "idx": 198668 }, { "func": "int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,\n\t\t\t void **p)\n{\n\tstruct kmem_cache_cpu *c;\n\tint i;\n\n\t/* memcg and kmem_cache debug support */\n\ts = slab_pre_alloc_hook(s, flags);\n\tif (unlikely(!s))\n\t\treturn false;\n\t/*\n\t * Drain objects in the per cpu slab, while disabling local\n\t * IRQs, which protects against PREEMPT and interrupts\n\t * handlers invoking normal fastpath.\n\t */\n\tlocal_irq_disable();\n\tc = this_cpu_ptr(s->cpu_slab);\n\n\tfor (i = 0; i < size; i++) {\n\t\tvoid *object = c->freelist;\n\n\t\tif (unlikely(!object)) {\n\t\t\t/*\n\t\t\t * We may have removed an object from c->freelist using\n\t\t\t * the fastpath in the previous iteration; in that case,\n\t\t\t * c->tid has not been bumped yet.\n\t\t\t * Since ___slab_alloc() may reenable interrupts while\n\t\t\t * allocating memory, we should 
bump c->tid now.\n\t\t\t */\n\t\t\tc->tid = next_tid(c->tid);\n\n\t\t\t/*\n\t\t\t * Invoking slow path likely have side-effect\n\t\t\t * of re-populating per CPU c->freelist\n\t\t\t */\n\t\t\tp[i] = ___slab_alloc(s, flags, NUMA_NO_NODE,\n\t\t\t\t\t _RET_IP_, c);\n\t\t\tif (unlikely(!p[i]))\n\t\t\t\tgoto error;\n\n\t\t\tc = this_cpu_ptr(s->cpu_slab);\n\t\t\tmaybe_wipe_obj_freeptr(s, p[i]);\n\n\t\t\tcontinue; /* goto for-loop */\n\t\t}\n\t\tc->freelist = get_freepointer(s, object);\n\t\tp[i] = object;\n\t\tmaybe_wipe_obj_freeptr(s, p[i]);\n\t}\n\tc->tid = next_tid(c->tid);\n\tlocal_irq_enable();\n\n\t/* Clear memory outside IRQ disabled fastpath loop */\n\tif (unlikely(slab_want_init_on_alloc(flags, s))) {\n\t\tint j;\n\n\t\tfor (j = 0; j < i; j++)\n\t\t\tmemset(p[j], 0, s->object_size);\n\t}\n\n\t/* memcg and kmem_cache debug support */\n\tslab_post_alloc_hook(s, flags, size, p);\n\treturn i;\nerror:\n\tlocal_irq_enable();\n\tslab_post_alloc_hook(s, flags, i, p);\n\t__kmem_cache_free_bulk(s, i, p);\n\treturn 0;\n}", "project": "linux", "hash": 286573245831184637475846363298679212083, "size": 69, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280052 }, { "func": "static char *php_strndup_impl(const char* s, uint32_t length\n#ifdef IM_MEMORY_CHECK\n, int ln\n#endif\n ) {\n char *p;\n\n#ifdef IM_MEMORY_CHECK\n p = (char *)s_ima->imMalloc((length+1), ln);\n#else\n p = (char *)s_ima->imMalloc((length+1));\n#endif\n CHECK_ALLOC_R(p, length+1, nullptr);\n memcpy(p, s, length);\n p[length] = 0;\n return p;\n}", "project": "hhvm", "hash": 304194902248046208030325002422741029193, "size": 17, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219268 }, { "func": "static struct gfxinfo *php_handle_wbmp(const req::ptr& stream) {\n struct gfxinfo *result =\n (struct gfxinfo *)IM_CALLOC(1, sizeof(struct gfxinfo));\n CHECK_ALLOC_R(result, (sizeof(struct gfxinfo)), nullptr);\n\n if (!php_get_wbmp(stream, &result, 0)) {\n IM_FREE(result);\n return nullptr;\n }\n\n return result;\n}", "project": "hhvm", "hash": 130050890646170858040178498698435991201, "size": 12, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219269 }, { "func": "static int hphp_gdImageConvolution(gdImagePtr src, float filter[3][3],\n float filter_div, float offset) {\n int x, y, i, j, new_a;\n float new_r, new_g, new_b;\n int new_pxl, pxl=0;\n gdImagePtr srcback;\n\n if (src==nullptr) {\n return 0;\n }\n\n /* We need the orinal image with each safe neoghb. 
pixel */\n srcback = gdImageCreateTrueColor (src->sx, src->sy);\n gdImageCopy(srcback, src,0,0,0,0,src->sx,src->sy);\n\n if (srcback==nullptr) {\n return 0;\n }\n\n for ( y=0; ysy; y++) {\n for(x=0; xsx; x++) {\n new_r = new_g = new_b = 0;\n new_a = gdImageAlpha(srcback, pxl);\n\n for (j=0; j<3; j++) {\n int yv = std::min(std::max(y - 1 + j, 0), src->sy - 1);\n for (i=0; i<3; i++) {\n pxl = gdImageGetPixel(srcback, std::min(std::max(x - 1 + i, 0),\n src->sx - 1), yv);\n new_r += (float)gdImageRed(srcback, pxl) * filter[j][i];\n new_g += (float)gdImageGreen(srcback, pxl) * filter[j][i];\n new_b += (float)gdImageBlue(srcback, pxl) * filter[j][i];\n }\n }\n\n new_r = (new_r/filter_div)+offset;\n new_g = (new_g/filter_div)+offset;\n new_b = (new_b/filter_div)+offset;\n\n new_r = (new_r > 255.0f)? 255.0f : ((new_r < 0.0f)? 0.0f:new_r);\n new_g = (new_g > 255.0f)? 255.0f : ((new_g < 0.0f)? 0.0f:new_g);\n new_b = (new_b > 255.0f)? 255.0f : ((new_b < 0.0f)? 0.0f:new_b);\n\n new_pxl = gdImageColorAllocateAlpha(src, (int)new_r, (int)new_g,\n (int)new_b, new_a);\n if (new_pxl == -1) {\n new_pxl = gdImageColorClosestAlpha(src, (int)new_r, (int)new_g,\n (int)new_b, new_a);\n }\n gdImageSetPixel (src, x, y, new_pxl);\n }\n }\n gdImageDestroy(srcback);\n return 1;\n}", "project": "hhvm", "hash": 249778776207971002500981848990037379350, "size": 55, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219399 }, { "func": "Pl_AES_PDF::Pl_AES_PDF(char const* identifier, Pipeline* next,\n\t\t bool encrypt, unsigned char const* key,\n size_t key_bytes) :\n Pipeline(identifier, next),\n crypto(QPDFCryptoProvider::getImpl()),\n encrypt(encrypt),\n cbc_mode(true),\n first(true),\n offset(0),\n key_bytes(key_bytes),\n use_zero_iv(false),\n use_specified_iv(false),\n disable_padding(false)\n{\n this->key = std::unique_ptr(\n new unsigned char[key_bytes],\n 
std::default_delete());\n std::memcpy(this->key.get(), key, key_bytes);\n std::memset(this->inbuf, 0, this->buf_size);\n std::memset(this->outbuf, 0, this->buf_size);\n std::memset(this->cbc_block, 0, this->buf_size);\n}", "project": "qpdf", "hash": 9754709228470819699011407725104200145, "size": 22, "commit_id": "dc92574c10f3e2516ec6445b88c5d584f40df4e5", "message": "Fix some pipelines to be safe if downstream write fails (fuzz issue 28262)", "target": 0, "dataset": "other", "idx": 458325 }, { "func": "h2_stream *h2_stream_create(int id, apr_pool_t *pool, h2_session *session,\n h2_stream_monitor *monitor, int initiated_on)\n{\n h2_stream *stream = apr_pcalloc(pool, sizeof(h2_stream));\n \n stream->id = id;\n stream->initiated_on = initiated_on;\n stream->created = apr_time_now();\n stream->state = H2_SS_IDLE;\n stream->pool = pool;\n stream->session = session;\n stream->monitor = monitor;\n stream->max_mem = session->max_stream_mem;\n \n#ifdef H2_NG2_LOCAL_WIN_SIZE\n stream->in_window_size = \n nghttp2_session_get_stream_local_window_size(\n stream->session->ngh2, stream->id);\n#endif\n\n ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, session->c, \n H2_STRM_LOG(APLOGNO(03082), stream, \"created\"));\n on_state_enter(stream);\n return stream;\n}", "project": "httpd", "hash": 187489115983345148613935746897153820344, "size": 25, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284240 }, { "func": "static void parseOptions(int argc, char **argv) {\n int option_idx = 0, do_capture = 0;\n char *__pcap_file = NULL, *bind_mask = NULL;\n int thread_id, opt;\n#ifdef linux\n u_int num_cores = sysconf(_SC_NPROCESSORS_ONLN);\n#endif\n\n#ifdef DEBUG_TRACE\n trace = fopen(\"/tmp/ndpiReader.log\", \"a\");\n\n if(trace) 
fprintf(trace, \" #### %s #### \\n\", __FUNCTION__);\n#endif\n\n#ifdef USE_DPDK\n {\n int ret = rte_eal_init(argc, argv);\n\n if(ret < 0)\n rte_exit(EXIT_FAILURE, \"Error with EAL initialization\\n\");\n\n argc -= ret, argv += ret;\n }\n#endif\n\n while((opt = getopt_long(argc, argv, \"e:c:C:df:g:i:hp:P:l:s:tv:V:n:Jrp:w:q0123:456:7:89:m:T:U:\",\n\t\t\t longopts, &option_idx)) != EOF) {\n#ifdef DEBUG_TRACE\n if(trace) fprintf(trace, \" #### -%c [%s] #### \\n\", opt, optarg ? optarg : \"\");\n#endif\n\n switch (opt) {\n case 'd':\n enable_protocol_guess = 0;\n break;\n\n case 'e':\n human_readeable_string_len = atoi(optarg);\n break;\n\n case 'i':\n case '3':\n _pcap_file[0] = optarg;\n break;\n\n case 'm':\n pcap_analysis_duration = atol(optarg);\n break;\n\n case 'f':\n case '6':\n bpfFilter = optarg;\n break;\n\n case 'g':\n bind_mask = optarg;\n break;\n\n case 'l':\n num_loops = atoi(optarg);\n break;\n\n case 'n':\n num_threads = atoi(optarg);\n break;\n\n case 'p':\n _protoFilePath = optarg;\n break;\n\n case 'c':\n _customCategoryFilePath = optarg;\n break;\n\n case 'C':\n if((csv_fp = fopen(optarg, \"w\")) == NULL)\n\tprintf(\"Unable to write on CSV file %s\\n\", optarg);\n break;\n\n case 's':\n capture_for = atoi(optarg);\n capture_until = capture_for + time(NULL);\n break;\n\n case 't':\n decode_tunnels = 1;\n break;\n\n case 'r':\n printf(\"ndpiReader - nDPI (%s)\\n\", ndpi_revision());\n exit(0);\n\n case 'v':\n verbose = atoi(optarg);\n break;\n\n case 'V':\n nDPI_LogLevel = atoi(optarg);\n if(nDPI_LogLevel < 0) nDPI_LogLevel = 0;\n if(nDPI_LogLevel > 3) {\n\tnDPI_LogLevel = 3;\n\t_debug_protocols = strdup(\"all\");\n }\n break;\n\n case 'h':\n help(1);\n break;\n\n case 'J':\n enable_joy_stats = 1;\n break;\n\n case 'P':\n {\n\tint _min_pattern_len, _max_pattern_len,\n\t _max_num_packets_per_flow, _max_packet_payload_dissection,\n\t _max_num_reported_top_payloads;\n\n\tenable_payload_analyzer = 1;\n\tif(sscanf(optarg, \"%d:%d:%d:%d:%d\", 
&_min_pattern_len, &_max_pattern_len,\n\t\t &_max_num_packets_per_flow,\n\t\t &_max_packet_payload_dissection,\n\t\t &_max_num_reported_top_payloads) == 5) {\n\t min_pattern_len = _min_pattern_len, max_pattern_len = _max_pattern_len;\n\t max_num_packets_per_flow = _max_num_packets_per_flow, max_packet_payload_dissection = _max_packet_payload_dissection;\n\t max_num_reported_top_payloads = _max_num_reported_top_payloads;\n\t if(min_pattern_len > max_pattern_len) min_pattern_len = max_pattern_len;\n\t if(min_pattern_len < 2) min_pattern_len = 2;\n\t if(max_pattern_len > 16) max_pattern_len = 16;\n\t if(max_num_packets_per_flow == 0) max_num_packets_per_flow = 1;\n\t if(max_packet_payload_dissection < 4) max_packet_payload_dissection = 4;\n\t if(max_num_reported_top_payloads == 0) max_num_reported_top_payloads = 1;\n\t} else {\n\t printf(\"Invalid -P format. Ignored\\n\");\n\t help(0);\n\t}\n }\n break;\n\n case 'w':\n results_path = strdup(optarg);\n if((results_file = fopen(results_path, \"w\")) == NULL) {\n\tprintf(\"Unable to write in file %s: quitting\\n\", results_path);\n\treturn;\n }\n break;\n\n case 'q':\n quiet_mode = 1;\n nDPI_LogLevel = 0;\n break;\n\n /* Extcap */\n case '0':\n extcap_interfaces();\n break;\n\n case '1':\n printf(\"extcap {version=%s}\\n\", ndpi_revision());\n break;\n\n case '2':\n extcap_dlts();\n break;\n\n case '4':\n extcap_config();\n break;\n\n case '5':\n do_capture = 1;\n break;\n\n case '7':\n extcap_capture_fifo = strdup(optarg);\n break;\n\n case '8':\n nDPI_LogLevel = NDPI_LOG_DEBUG_EXTRA;\n _debug_protocols = strdup(\"all\");\n break;\n\n case '9':\n extcap_packet_filter = ndpi_get_proto_by_name(ndpi_info_mod, optarg);\n if(extcap_packet_filter == NDPI_PROTOCOL_UNKNOWN) extcap_packet_filter = atoi(optarg);\n break;\n\n case 257:\n _debug_protocols = strdup(optarg);\n break;\n\n case 'T':\n max_num_tcp_dissected_pkts = atoi(optarg);\n if(max_num_tcp_dissected_pkts < 3) max_num_tcp_dissected_pkts = 3;\n break;\n\n case 'U':\n 
max_num_udp_dissected_pkts = atoi(optarg);\n if(max_num_udp_dissected_pkts < 3) max_num_udp_dissected_pkts = 3;\n break;\n\n default:\n help(0);\n break;\n }\n }\n\n if(_pcap_file[0] == NULL)\n help(0);\n\n if(csv_fp)\n printCSVHeader();\n\n#ifndef USE_DPDK\n if(strchr(_pcap_file[0], ',')) { /* multiple ingress interfaces */\n num_threads = 0; /* setting number of threads = number of interfaces */\n __pcap_file = strtok(_pcap_file[0], \",\");\n while(__pcap_file != NULL && num_threads < MAX_NUM_READER_THREADS) {\n _pcap_file[num_threads++] = __pcap_file;\n __pcap_file = strtok(NULL, \",\");\n }\n } else {\n if(num_threads > MAX_NUM_READER_THREADS) num_threads = MAX_NUM_READER_THREADS;\n for(thread_id = 1; thread_id < num_threads; thread_id++)\n _pcap_file[thread_id] = _pcap_file[0];\n }\n\n#ifdef linux\n for(thread_id = 0; thread_id < num_threads; thread_id++)\n core_affinity[thread_id] = -1;\n\n if(num_cores > 1 && bind_mask != NULL) {\n char *core_id = strtok(bind_mask, \":\");\n thread_id = 0;\n while(core_id != NULL && thread_id < num_threads) {\n core_affinity[thread_id++] = atoi(core_id) % num_cores;\n core_id = strtok(NULL, \":\");\n }\n }\n#endif\n#endif\n\n#ifdef DEBUG_TRACE\n if(trace) fclose(trace);\n#endif\n}", "project": "nDPI", "hash": 231768981798040853346402277528731145955, "size": 247, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254862 }, { "func": "int fuse_do_open(struct fuse_mount *fm, u64 nodeid, struct file *file,\n\t\t bool isdir)\n{\n\tstruct fuse_conn *fc = fm->fc;\n\tstruct fuse_file *ff;\n\tint opcode = isdir ? FUSE_OPENDIR : FUSE_OPEN;\n\n\tff = fuse_file_alloc(fm);\n\tif (!ff)\n\t\treturn -ENOMEM;\n\n\tff->fh = 0;\n\t/* Default for no-open */\n\tff->open_flags = FOPEN_KEEP_CACHE | (isdir ? FOPEN_CACHE_DIR : 0);\n\tif (isdir ? 
!fc->no_opendir : !fc->no_open) {\n\t\tstruct fuse_open_out outarg;\n\t\tint err;\n\n\t\terr = fuse_send_open(fm, nodeid, file, opcode, &outarg);\n\t\tif (!err) {\n\t\t\tff->fh = outarg.fh;\n\t\t\tff->open_flags = outarg.open_flags;\n\n\t\t} else if (err != -ENOSYS) {\n\t\t\tfuse_file_free(ff);\n\t\t\treturn err;\n\t\t} else {\n\t\t\tif (isdir)\n\t\t\t\tfc->no_opendir = 1;\n\t\t\telse\n\t\t\t\tfc->no_open = 1;\n\t\t}\n\t}\n\n\tif (isdir)\n\t\tff->open_flags &= ~FOPEN_DIRECT_IO;\n\n\tff->nodeid = nodeid;\n\tfile->private_data = ff;\n\n\treturn 0;\n}", "project": "linux", "hash": 327740223392774608937701953397261824330, "size": 42, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341902 }, { "func": "static __always_inline unsigned long *sparse_set_to_vcpu_mask(\n\tstruct kvm *kvm, u64 *sparse_banks, u64 valid_bank_mask,\n\tu64 *vp_bitmap, unsigned long *vcpu_bitmap)\n{\n\tstruct kvm_hv *hv = to_kvm_hv(kvm);\n\tstruct kvm_vcpu *vcpu;\n\tint i, bank, sbank = 0;\n\n\tmemset(vp_bitmap, 0,\n\t KVM_HV_MAX_SPARSE_VCPU_SET_BITS * sizeof(*vp_bitmap));\n\tfor_each_set_bit(bank, (unsigned long *)&valid_bank_mask,\n\t\t\t KVM_HV_MAX_SPARSE_VCPU_SET_BITS)\n\t\tvp_bitmap[bank] = sparse_banks[sbank++];\n\n\tif (likely(!atomic_read(&hv->num_mismatched_vp_indexes))) {\n\t\t/* for all vcpus vp_index == vcpu_idx */\n\t\treturn (unsigned long *)vp_bitmap;\n\t}\n\n\tbitmap_zero(vcpu_bitmap, KVM_MAX_VCPUS);\n\tkvm_for_each_vcpu(i, vcpu, kvm) {\n\t\tif (test_bit(kvm_hv_get_vpindex(vcpu), (unsigned long *)vp_bitmap))\n\t\t\t__set_bit(i, vcpu_bitmap);\n\t}\n\treturn vcpu_bitmap;\n}", "project": "linux", "hash": 166541980291822220699548537607110935127, "size": 26, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n 
__do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343471 }, { "func": "static u64 get_time_ref_counter(struct kvm *kvm)\n{\n\tstruct kvm_hv *hv = to_kvm_hv(kvm);\n\tstruct kvm_vcpu *vcpu;\n\tu64 tsc;\n\n\t/*\n\t * The guest has not set up the TSC page or the clock isn't\n\t * stable, fall back to get_kvmclock_ns.\n\t */\n\tif (!hv->tsc_ref.tsc_sequence)\n\t\treturn div_u64(get_kvmclock_ns(kvm), 100);\n\n\tvcpu = kvm_get_vcpu(kvm, 0);\n\ttsc = kvm_read_l1_tsc(vcpu, rdtsc());\n\treturn mul_u64_u64_shr(tsc, hv->tsc_ref.tsc_scale, 64)\n\t\t+ hv->tsc_ref.tsc_offset;\n}", "project": "linux", "hash": 229734852198461748774799761205148343912, "size": 18, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 
arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343517 }, { "func": "static int __set_tracer_option(struct trace_array *tr,\n\t\t\t struct tracer_flags *tracer_flags,\n\t\t\t struct tracer_opt *opts, int neg)\n{\n\tstruct tracer *trace = tracer_flags->trace;\n\tint ret;\n\n\tret = trace->set_flag(tr, tracer_flags->val, opts->bit, !neg);\n\tif (ret)\n\t\treturn ret;\n\n\tif (neg)\n\t\ttracer_flags->val &= ~opts->bit;\n\telse\n\t\ttracer_flags->val |= opts->bit;\n\treturn 0;\n}", "project": "linux", "hash": 334079108303293753746065182892487381510, "size": 17, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths 
may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445766 }, { "func": "static void gprinter_cleanup(void)\n{\n\tif (major) {\n\t\tunregister_chrdev_region(MKDEV(major, 0), minors);\n\t\tmajor = minors = 0;\n\t}\n\tclass_destroy(usb_gadget_class);\n\tusb_gadget_class = NULL;\n}", "project": "linux", "hash": 154299547391631780524352550762385618985, "size": 9, "commit_id": "e8d5f92b8d30bb4ade76494490c3c065e12411b1", "message": "usb: gadget: function: printer: fix use-after-free in __lock_acquire\n\nFix this by increase object reference count.\n\nBUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180\nkernel/locking/lockdep.c:3831\nRead of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377\n\nCPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xce/0x128 lib/dump_stack.c:118\n print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374\n __kasan_report+0x131/0x1b0 mm/kasan/report.c:506\n kasan_report+0x12/0x20 mm/kasan/common.c:641\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135\n __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831\n lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0xfb/0x130 fs/ioctl.c:763\n 
__do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x4531a9\nCode: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9\nRDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003\nRBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61\nR13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff\n\nAllocated by task 2393:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515\n kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529\n kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813\n kmalloc include/linux/slab.h:555 [inline]\n kzalloc include/linux/slab.h:669 [inline]\n gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416\n usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61\n config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444\n configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202\n vfs_symlink+0x33d/0x5b0 fs/namei.c:4201\n do_symlinkat+0x11b/0x1d0 fs/namei.c:4228\n __do_sys_symlinkat fs/namei.c:4242 [inline]\n __se_sys_symlinkat fs/namei.c:4239 [inline]\n __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nFreed by task 3368:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n kasan_set_free_info mm/kasan/common.c:337 [inline]\n __kasan_slab_free+0x135/0x190 
mm/kasan/common.c:476\n kasan_slab_free+0xe/0x10 mm/kasan/common.c:485\n slab_free_hook mm/slub.c:1444 [inline]\n slab_free_freelist_hook mm/slub.c:1477 [inline]\n slab_free mm/slub.c:3034 [inline]\n kfree+0xf7/0x410 mm/slub.c:3995\n gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353\n usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87\n config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485\n configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250\n vfs_unlink+0x287/0x570 fs/namei.c:4073\n do_unlinkat+0x4f9/0x620 fs/namei.c:4137\n __do_sys_unlink fs/namei.c:4184 [inline]\n __se_sys_unlink fs/namei.c:4182 [inline]\n __x64_sys_unlink+0x42/0x50 fs/namei.c:4182\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nThe buggy address belongs to the object at ffff8880683b0000\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 24 bytes inside of\n 1024-byte region [ffff8880683b0000, ffff8880683b0400)\nThe buggy address belongs to the page:\npage:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300\nindex:0xffff8880683b1800 compound_mapcount: 0\nflags: 0x100000000010200(slab|head)\nraw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300\nraw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nSigned-off-by: Felipe Balbi ", "target": 0, "dataset": "other", "idx": 389357 }, { "func": "R_API int r_str_replace_ch(char *s, char a, char b, bool global) {\n\tint ret = 0;\n\tchar *o = s;\n\tif (!s || a == b) {\n\t\treturn 0;\n\t}\n\tfor (; *o; s++, o++) {\n\t\tif (*o == a) {\n\t\t\tret++;\n\t\t\tif (b) {\n\t\t\t\t*s = b;\n\t\t\t} else {\n\t\t\t\t/* remove char */\n\t\t\t\ts--;\n\t\t\t}\n\t\t\tif (!global) {\n\t\t\t\treturn 1;\n\t\t\t}\n\t\t} else {\n\t\t\t*s = *o;\n\t\t}\n\t}\n\t*s = 0;\n\treturn ret;\n}", "project": 
"radare2", "hash": 124396551129468062090204960972180556549, "size": 25, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269050 }, { "func": "static int tracing_single_release_tr(struct inode *inode, struct file *file)\n{\n\tstruct trace_array *tr = inode->i_private;\n\n\ttrace_array_put(tr);\n\n\treturn single_release(inode, file);\n}", "project": "linux", "hash": 182060738512915322932438437333277360161, "size": 8, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445820 }, { "func": "void CSoundFile::Panning(ModChannel *pChn, uint32 param, PanningType panBits) const\n{\n\t// No panning in ProTracker mode\n\tif(m_playBehaviour[kMODIgnorePanning])\n\t{\n\t\treturn;\n\t}\n\t// IT Compatibility (and other trackers as well): panning disables surround (unless panning in rear channels is enabled, which is not supported by the original trackers anyway)\n\tif (!m_SongFlags[SONG_SURROUNDPAN] && (panBits == Pan8bit || m_playBehaviour[kPanOverride]))\n\t{\n\t\tpChn->dwFlags.reset(CHN_SURROUND);\n\t}\n\tif(panBits == Pan4bit)\n\t{\n\t\t// 0...15 panning\n\t\tpChn->nPan = (param * 256 + 8) / 15;\n\t} else if(panBits == Pan6bit)\n\t{\n\t\t// 0...64 panning\n\t\tif(param > 64) param = 64;\n\t\tpChn->nPan = param * 4;\n\t} else\n\t{\n\t\tif(!(GetType() & (MOD_TYPE_S3M | MOD_TYPE_DSM | MOD_TYPE_AMF | MOD_TYPE_MTM)))\n\t\t{\n\t\t\t// Real 8-bit panning\n\t\t\tpChn->nPan = param;\n\t\t} else\n\t\t{\n\t\t\t// 7-bit panning + surround\n\t\t\tif(param <= 0x80)\n\t\t\t{\n\t\t\t\tpChn->nPan = param << 1;\n\t\t\t} else if(param == 0xA4)\n\t\t\t{\n\t\t\t\tpChn->dwFlags.set(CHN_SURROUND);\n\t\t\t\tpChn->nPan = 0x80;\n\t\t\t}\n\t\t}\n\t}\n\n\tpChn->dwFlags.set(CHN_FASTVOLRAMP);\n\tpChn->nRestorePanOnNewNote = 0;\n\t//IT compatibility 20. 
Set pan overrides random pan\n\tif(m_playBehaviour[kPanOverride])\n\t{\n\t\tpChn->nPanSwing = 0;\n\t\tpChn->nPanbrelloOffset = 0;\n\t}\n}", "project": "openmpt", "hash": 163059669476821170349569882651665781178, "size": 50, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255222 }, { "func": "void CLua::print_stack()\n{\n struct lua_Debug dbg;\n int i = 0;\n lua_State *L = state();\n\n fprintf(stderr, \"\\n\");\n while (lua_getstack(L, i++, &dbg) == 1)\n {\n lua_getinfo(L, \"lnuS\", &dbg);\n\n char* file = strrchr(dbg.short_src, '/');\n if (file == nullptr)\n file = dbg.short_src;\n else\n file++;\n\n fprintf(stderr, \"%s, function %s, line %d\\n\", file,\n dbg.name, dbg.currentline);\n }\n\n fprintf(stderr, \"\\n\");\n}", "project": "crawl", "hash": 122262958426680339644797654390249614635, "size": 23, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230491 }, { "func": "static void layoutEthereumFee(const uint8_t *value, uint32_t value_len,\n const uint8_t *gas_price, uint32_t gas_price_len,\n const uint8_t *gas_limit, uint32_t gas_limit_len,\n bool is_token, char *out_str,\n size_t out_str_len) {\n bignum256 val, gas;\n uint8_t pad_val[32];\n char tx_value[32];\n char gas_value[32];\n\n memzero(tx_value, sizeof(tx_value));\n memzero(gas_value, sizeof(gas_value));\n\n memset(pad_val, 0, sizeof(pad_val));\n memcpy(pad_val + (32 - gas_price_len), gas_price, gas_price_len);\n bn_read_be(pad_val, &val);\n\n memset(pad_val, 0, sizeof(pad_val));\n memcpy(pad_val + (32 - gas_limit_len), gas_limit, gas_limit_len);\n 
bn_read_be(pad_val, &gas);\n bn_multiply(&val, &gas, &secp256k1.prime);\n\n ethereumFormatAmount(&gas, NULL, chain_id, gas_value, sizeof(gas_value));\n\n memset(pad_val, 0, sizeof(pad_val));\n memcpy(pad_val + (32 - value_len), value, value_len);\n bn_read_be(pad_val, &val);\n\n if (bn_is_zero(&val)) {\n strcpy(tx_value, is_token ? _(\"the tokens\") : _(\"the message\"));\n } else {\n ethereumFormatAmount(&val, NULL, chain_id, tx_value, sizeof(tx_value));\n }\n\n if ((uint32_t)snprintf(\n out_str, out_str_len,\n _(\"Send %s from your wallet, paying up to %s for gas?\"), tx_value,\n gas_value) >= out_str_len) {\n /*error detected. Clear the buffer */\n memset(out_str, 0, out_str_len);\n }\n}", "project": "keepkey-firmware", "hash": 180370056768606411054260438494030915860, "size": 42, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220878 }, { "func": " bool toBoolean() const { return m_str ? m_str->toBoolean() : false;}", "project": "hhvm", "hash": 237392371446088024664938369758349075157, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219838 }, { "func": "CallResult> JSObject::getPrototypeOf(\n PseudoHandle selfHandle,\n Runtime *runtime) {\n if (LLVM_LIKELY(!selfHandle->isProxyObject())) {\n return createPseudoHandle(selfHandle->getParent(runtime));\n }\n\n return JSProxy::getPrototypeOf(\n runtime->makeHandle(std::move(selfHandle)), runtime);\n}", "project": "hermes", "hash": 251656254857026873079283850011831136921, "size": 10, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. 
This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230194 }, { "func": "static void del_from_white_list(struct hci_request *req, bdaddr_t *bdaddr,\n\t\t\t\tu8 bdaddr_type)\n{\n\tstruct hci_cp_le_del_from_white_list cp;\n\n\tcp.bdaddr_type = bdaddr_type;\n\tbacpy(&cp.bdaddr, bdaddr);\n\n\tbt_dev_dbg(req->hdev, \"Remove %pMR (0x%x) from whitelist\", &cp.bdaddr,\n\t\t cp.bdaddr_type);\n\thci_req_add(req, HCI_OP_LE_DEL_FROM_WHITE_LIST, sizeof(cp), &cp);\n\n\tif (use_ll_privacy(req->hdev) &&\n\t hci_dev_test_flag(req->hdev, HCI_ENABLE_LL_PRIVACY)) {\n\t\tstruct smp_irk *irk;\n\n\t\tirk = hci_find_irk_by_addr(req->hdev, bdaddr, bdaddr_type);\n\t\tif (irk) {\n\t\t\tstruct hci_cp_le_del_from_resolv_list cp;\n\n\t\t\tcp.bdaddr_type = bdaddr_type;\n\t\t\tbacpy(&cp.bdaddr, bdaddr);\n\n\t\t\thci_req_add(req, HCI_OP_LE_DEL_FROM_RESOLV_LIST,\n\t\t\t\t sizeof(cp), &cp);\n\t\t}\n\t}\n}", "project": "linux", "hash": 69929923061923361193449897913752057400, "size": 28, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... 
| test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402489 }, { "func": "void walk_process_tree(struct task_struct *top, proc_visitor visitor, void *data)\n{\n\tstruct task_struct *leader, *parent, *child;\n\tint res;\n\n\tread_lock(&tasklist_lock);\n\tleader = top = top->group_leader;\ndown:\n\tfor_each_thread(leader, parent) {\n\t\tlist_for_each_entry(child, &parent->children, sibling) {\n\t\t\tres = visitor(child, data);\n\t\t\tif (res) {\n\t\t\t\tif (res < 0)\n\t\t\t\t\tgoto out;\n\t\t\t\tleader = child;\n\t\t\t\tgoto down;\n\t\t\t}\nup:\n\t\t\t;\n\t\t}\n\t}\n\n\tif (leader != top) {\n\t\tchild = leader;\n\t\tparent = child->real_parent;\n\t\tleader = parent->group_leader;\n\t\tgoto up;\n\t}\nout:\n\tread_unlock(&tasklist_lock);\n}", "project": "linux", "hash": 245492329778332367110516890046901221199, "size": 31, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293669 }, { "func": "static inline int bcf1_sync_info(bcf1_t *line, kstring_t *str)\n{\n // pairs of typed vectors\n int i, irm = -1, e = 0;\n for (i=0; in_info; i++)\n {\n bcf_info_t *info = &line->d.info[i];\n if ( !info->vptr )\n {\n // marked for removal\n if ( irm < 0 ) irm = i;\n continue;\n }\n e |= kputsn_(info->vptr - info->vptr_off, info->vptr_len + info->vptr_off, str) < 0;\n if ( 
irm >=0 )\n {\n bcf_info_t tmp = line->d.info[irm]; line->d.info[irm] = line->d.info[i]; line->d.info[i] = tmp;\n while ( irm<=i && line->d.info[irm].vptr ) irm++;\n }\n }\n if ( irm>=0 ) line->n_info = irm;\n return e == 0 ? 0 : -1;\n}", "project": "htslib", "hash": 338362621538277664209284911333881709568, "size": 23, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402144 }, { "func": "static int detect_unicard(\n\tsc_pkcs15_card_t *p15card\n){\n\tif(!insert_cert(p15card,\"41004352\", 0x45, 1, \"Zertifikat 1\")){\n\t\tset_string(&p15card->tokeninfo->manufacturer_id, \"JLU Giessen\");\n\t\tset_string(&p15card->tokeninfo->label, \"JLU Giessen Card\");\n\n\t\tinsert_cert(p15card,\"41004353\", 0x46, 1, \"Zertifikat 2\");\n\t\tinsert_cert(p15card,\"41004354\", 0x47, 1, \"Zertifikat 3\");\n\t\tinsert_key(p15card,\"41005103\", 0x45, 0x83, 1024, 1, \"Schluessel 1\");\n\t\tinsert_key(p15card,\"41005104\", 0x46, 0x84, 1024, 1, \"Schluessel 2\");\n\t\tinsert_key(p15card,\"41005105\", 0x47, 0x85, 1024, 1, \"Schluessel 3\");\n\n\t} else if(!insert_cert(p15card,\"41014352\", 0x45, 1, \"Zertifikat 1\")){\n\t\tset_string(&p15card->tokeninfo->manufacturer_id, \"TU Darmstadt\");\n\t\tset_string(&p15card->tokeninfo->label, \"TUD Card\");\n\n\t\tinsert_cert(p15card,\"41014353\", 0x46, 1, \"Zertifikat 2\");\n\t\tinsert_cert(p15card,\"41014354\", 0x47, 1, \"Zertifikat 3\");\n\t\tinsert_key(p15card,\"41015103\", 0x45, 0x83, 1024, 1, \"Schluessel 1\");\n\t\tinsert_key(p15card,\"41015104\", 0x46, 0x84, 1024, 1, \"Schluessel 
2\");\n\t\tinsert_key(p15card,\"41015105\", 0x47, 0x85, 1024, 1, \"Schluessel 3\");\n\n\t} else return 1;\n\n\tinsert_pin(p15card,\"5000\", 1, 2, 0x00, 6, \"PIN\",\n\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | SC_PKCS15_PIN_FLAG_INITIALIZED\n\t);\n\tinsert_pin(p15card,\"5008\", 2, 0, 0x01, 8, \"PUK\",\n\t\tSC_PKCS15_PIN_FLAG_CASE_SENSITIVE | SC_PKCS15_PIN_FLAG_INITIALIZED |\n\t\tSC_PKCS15_PIN_FLAG_UNBLOCKING_PIN | SC_PKCS15_PIN_FLAG_SO_PIN\n\t);\n\n\treturn 0;\n}", "project": "OpenSC", "hash": 183119369333532062706578380289665457783, "size": 35, "commit_id": "5df913b7f57ad89b9832555d24c08d23a534311e", "message": "tcos: Check bounds in insert_pin()\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383", "target": 0, "dataset": "other", "idx": 243964 }, { "func": "static void encode_access(struct xdr_stream *xdr, u32 access, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_ACCESS, decode_access_maxsz, hdr);\n\tencode_uint32(xdr, access);\n}", "project": "linux", "hash": 90499828349741126972260778760162208265, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431538 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void ecall_encrypt(uint8_t *plaintext, uint32_t plaintext_length,\n uint8_t *ciphertext, uint32_t cipher_length) {\n // Guard against encrypting or overwriting enclave memory\n assert(sgx_is_outside_enclave(plaintext, plaintext_length) == 1);\n assert(sgx_is_outside_enclave(ciphertext, cipher_length) == 1);\n sgx_lfence();\n\n try {\n // IV 
(12 bytes) + ciphertext + mac (16 bytes)\n assert(cipher_length >= plaintext_length + SGX_AESGCM_IV_SIZE + SGX_AESGCM_MAC_SIZE);\n (void)cipher_length;\n (void)plaintext_length;\n encrypt(plaintext, plaintext_length, ciphertext);\n } catch (const std::runtime_error &e) {\n ocall_throw(e.what());\n }\n}", "idx": 519060, "cwe": "CWE-787", "hash": 201522111211776754553401913503649037484, "dataset": "other" }, { "func": "void rfbScaledCorrection(rfbScreenInfoPtr from, rfbScreenInfoPtr to, int *x, int *y, int *w, int *h, const char *function)\n{\n double x1,y1,w1,h1, x2, y2, w2, h2;\n double scaleW = ((double) to->width) / ((double) from->width);\n double scaleH = ((double) to->height) / ((double) from->height);\n\n\n /*\n * rfbLog(\"rfbScaledCorrection(%p -> %p, %dx%d->%dx%d (%dXx%dY-%dWx%dH)\\n\",\n * from, to, from->width, from->height, to->width, to->height, *x, *y, *w, *h);\n */\n\n /* If it's the original framebuffer... */\n if (from==to) return;\n\n x1 = ((double) *x) * scaleW;\n y1 = ((double) *y) * scaleH;\n w1 = ((double) *w) * scaleW;\n h1 = ((double) *h) * scaleH;\n\n\n /*cast from double to int is same as \"*x = floor(x1);\" */\n x2 = FLOOR(x1);\n y2 = FLOOR(y1);\n\n /* include into W and H the jitter of scaling X and Y */\n w2 = CEIL(w1 + ( x1 - x2 ));\n h2 = CEIL(h1 + ( y1 - y2 ));\n\n /*\n * rfbLog(\"%s (%dXx%dY-%dWx%dH -> %fXx%fY-%fWx%fH) {%dWx%dH -> %dWx%dH}\\n\",\n * function, *x, *y, *w, *h, x2, y2, w2, h2,\n * from->width, from->height, to->width, to->height);\n */\n\n /* simulate ceil() without math library */\n *x = (int)x2;\n *y = (int)y2;\n *w = (int)w2;\n *h = (int)h2;\n\n /* Small changes for a thumbnail may be scaled to zero */\n if (*w==0) (*w)++;\n if (*h==0) (*h)++;\n /* scaling from small to big may overstep the size a bit */\n if (*x+*w > to->width) *w=to->width - *x;\n if (*y+*h > to->height) *h=to->height - *y;\n}", "project": "libvncserver", "hash": 292163297209230047231629812603997487673, "size": 48, "commit_id": 
"a6788d1da719ae006605b78d22f5a9f170b423af", "message": "libvncserver: scale: cast to 64 bit before shifting\n\nSince pixel_value is 64 bit the data type of the shift operand should\nbe 64 bit too to prevent integer overflows.", "target": 0, "dataset": "other", "idx": 296802 }, { "func": "intrusive_ptr Expression::parseExpression(ExpressionContext* const expCtx,\n BSONObj obj,\n const VariablesParseState& vps) {\n uassert(15983,\n str::stream() << \"An object representing an expression must have exactly one \"\n \"field: \"\n << obj.toString(),\n obj.nFields() == 1);\n\n // Look up the parser associated with the expression name.\n const char* opName = obj.firstElementFieldName();\n auto it = parserMap.find(opName);\n uassert(ErrorCodes::InvalidPipelineOperator,\n str::stream() << \"Unrecognized expression '\" << opName << \"'\",\n it != parserMap.end());\n\n // Make sure we are allowed to use this expression under the current feature compatibility\n // version.\n auto& entry = it->second;\n uassert(ErrorCodes::QueryFeatureNotAllowed,\n // We would like to include the current version and the required minimum version in this\n // error message, but using FeatureCompatibilityVersion::toString() would introduce a\n // dependency cycle (see SERVER-31968).\n str::stream() << opName\n << \" is not allowed in the current feature compatibility version. 
See \"\n << feature_compatibility_version_documentation::kCompatibilityLink\n << \" for more information.\",\n !expCtx->maxFeatureCompatibilityVersion || !entry.requiredMinVersion ||\n (*entry.requiredMinVersion <= *expCtx->maxFeatureCompatibilityVersion));\n return entry.parser(expCtx, obj.firstElement(), vps);\n}", "project": "mongo", "hash": 117797382056711715141066738597948991691, "size": 31, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370079 }, { "func": "bool CClient::PutClientRaw(const CString& sLine) {\n CString sCopy = sLine;\n bool bReturn = false;\n NETWORKMODULECALL(OnSendToClient(sCopy, *this), m_pUser, m_pNetwork, this,\n &bReturn);\n if (bReturn) return false;\n\n DEBUG(\"(\" << GetFullName() << \") ZNC -> CLI [\"\n << CDebug::Filter(sCopy) << \"]\");\n Write(sCopy + \"\\r\\n\");\n return true;\n}", "project": "znc", "hash": 309878425904325754932283527610621579842, "size": 12, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231577 }, { "func": "void CClient::StatusCTCP(const CString& sLine) {\n CString sCommand = sLine.Token(0);\n\n if (sCommand.Equals(\"PING\")) {\n PutStatusNotice(\"\\001PING \" + sLine.Token(1, true) + \"\\001\");\n } else if (sCommand.Equals(\"VERSION\")) {\n PutStatusNotice(\"\\001VERSION \" + CZNC::GetTag() + \"\\001\");\n }\n}", "project": "znc", "hash": 175382018808511138139831508629818572278, "size": 9, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231536 }, { "func": "void CClientAuth::AcceptedLogin(CUser& User) {\n if (m_pClient) {\n m_pClient->AcceptLogin(User);\n }\n}", "project": "znc", "hash": 46189277144488033214760989693723433247, "size": 5, "commit_id": 
"d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231593 }, { "func": "void CWebAuth::AcceptedLogin(CUser& User) {\n if (m_pWebSock) {\n std::shared_ptr spSession = m_pWebSock->GetSession();\n\n spSession->SetUser(&User);\n\n m_pWebSock->SetLoggedIn(true);\n m_pWebSock->UnPauseRead();\n if (m_bBasic) {\n m_pWebSock->ReadLine(\"\");\n } else {\n m_pWebSock->Redirect(\"/?cookie_check=true\");\n }\n\n DEBUG(\"Successful login attempt ==> USER [\" + User.GetUserName() +\n \"] ==> SESSION [\" + spSession->GetId() + \"]\");\n }\n}", "project": "znc", "hash": 85086532495196296075916419966487271518, "size": 18, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265802 }, { "func": "static void __disable_cpu_timer_accounting(struct kvm_vcpu *vcpu)\n{\n\tWARN_ON_ONCE(!vcpu->arch.cputm_enabled);\n\t__stop_cpu_timer_accounting(vcpu);\n\tvcpu->arch.cputm_enabled = false;\n}", "project": "linux", "hash": 178059269580137526987605993390932207197, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354426 }, { 
"project": "Chrome", "commit_id": "87190165c55bcf3eecd8824dd8d083f5e3236552", "target": 0, "func": "void AudioManagerBase::ShutdownOnAudioThread() {\n AudioOutputDispatchersMap::iterator it = output_dispatchers_.begin();\n for (; it != output_dispatchers_.end(); ++it) {\n scoped_refptr& dispatcher = (*it).second;\n if (dispatcher) {\n dispatcher->Shutdown();\n DCHECK(dispatcher->HasOneRef()) << \"AudioOutputProxies are still alive\";\n dispatcher = NULL;\n }\n }\n\n output_dispatchers_.clear();\n}\n", "cwe": "", "big_vul_idx": 113851, "idx": 102051, "hash": 162625899391716260774970020489777981715 }, { "func": "static inline void *get_freepointer(struct kmem_cache *s, void *object)\n{\n\treturn freelist_dereference(s, object + s->offset);\n}", "project": "linux", "hash": 313766290786549964674055223838636049011, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280218 }, { "func": "static inline bool sig_handler_ignored(void __user *handler, int sig)\n{\n\t/* Is it explicitly or implicitly ignored? 
*/\n\treturn handler == SIG_IGN ||\n\t (handler == SIG_DFL && sig_kernel_ignore(sig));\n}", "project": "linux", "hash": 3940218698048722419522167274885560508, "size": 6, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375318 }, { "func": "void v4l_printk_ioctl(const char *prefix, unsigned int cmd)\n{\n\tconst char *dir, *type;\n\n\tif (prefix)\n\t\tprintk(KERN_DEBUG \"%s: \", prefix);\n\n\tswitch (_IOC_TYPE(cmd)) {\n\tcase 'd':\n\t\ttype = \"v4l2_int\";\n\t\tbreak;\n\tcase 'V':\n\t\tif (_IOC_NR(cmd) >= V4L2_IOCTLS) {\n\t\t\ttype = \"v4l2\";\n\t\t\tbreak;\n\t\t}\n\t\tpr_cont(\"%s\", v4l2_ioctls[_IOC_NR(cmd)].name);\n\t\treturn;\n\tdefault:\n\t\ttype = \"unknown\";\n\t\tbreak;\n\t}\n\n\tswitch (_IOC_DIR(cmd)) {\n\tcase _IOC_NONE: dir = \"--\"; break;\n\tcase _IOC_READ: dir = \"r-\"; break;\n\tcase _IOC_WRITE: dir = \"-w\"; break;\n\tcase _IOC_READ | _IOC_WRITE: dir = \"rw\"; break;\n\tdefault: dir = \"*ERR*\"; break;\n\t}\n\tpr_cont(\"%s ioctl '%c', dir=%s, #%d (0x%08x)\",\n\t\ttype, _IOC_TYPE(cmd), dir, _IOC_NR(cmd), cmd);\n}", "project": "linux", "hash": 166251571484524620578334753899667890219, "size": 33, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381502 }, { "func": "rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, /* in */ char *path, /* out */ char *unixPath, size_t unixPathMaxLen)\n{\n int x;\n char *home=NULL;\n\n FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN(\"\", cl, FALSE);\n\n /*\n * Do not use strncpy() - truncating the file name would probably have undesirable side effects\n * Instead check if destination buffer is big enough\n */\n if (strlen(path) >= unixPathMaxLen)\n return FALSE;\n\n /* C: */\n if (path[0]=='C' && path[1]==':')\n strcpy(unixPath, &path[2]);\n else\n {\n home = getenv(\"HOME\");\n if (home!=NULL)\n {\n /* Re-check buffer size */\n if ((strlen(path) + strlen(home) + 1) >= unixPathMaxLen)\n return FALSE;\n\n strcpy(unixPath, home);\n strcat(unixPath,\"/\");\n strcat(unixPath, path);\n }\n else\n strcpy(unixPath, path);\n }\n for (x=0;xflags & LOOKUP_RCU)) {\n\t\tdput(nd->path.dentry);\n\t\tif (nd->path.mnt != path->mnt)\n\t\t\tmntput(nd->path.mnt);\n\t}\n\tnd->path.mnt = path->mnt;\n\tnd->path.dentry = path->dentry;\n}", "project": "linux", "hash": 265521906965519209969053171034224590706, "size": 11, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular 
files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295320 }, { "func": "void TrustedPrimitives::UntrustedLocalFree(void *ptr) noexcept {\n CHECK_OCALL(ocall_untrusted_local_free(ptr));\n}", "project": "asylo", "hash": 17828195739606987400548486847065963861, "size": 3, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232065 }, { "func": "void **AllocateUntrustedBuffers(size_t count, size_t size) {\n void **buffers;\n CHECK_OCALL(ocall_enc_untrusted_allocate_buffers(\n &buffers, static_cast(count), static_cast(size)));\n if (!buffers || !TrustedPrimitives::IsOutsideEnclave(buffers, size)) {\n TrustedPrimitives::BestEffortAbort(\n \"allocated buffers (for use by UntrustedCacheMalloc) found to not be \"\n \"in untrusted memory.\");\n }\n return buffers;\n}", "project": "asylo", "hash": 164701099620221883388521637130731649998, "size": 11, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232070 }, { "func": "int ecryptfs_read_and_validate_header_region(char *data,\n\t\t\t\t\t struct inode *ecryptfs_inode)\n{\n\tstruct ecryptfs_crypt_stat *crypt_stat =\n\t\t&(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);\n\tint rc;\n\n\tif (crypt_stat->extent_size == 0)\n\t\tcrypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE;\n\trc = ecryptfs_read_lower(data, 0, crypt_stat->extent_size,\n\t\t\t\t ecryptfs_inode);\n\tif (rc) {\n\t\tprintk(KERN_ERR \"%s: Error 
reading header region; rc = [%d]\\n\",\n\t\t __func__, rc);\n\t\tgoto out;\n\t}\n\tif (!contains_ecryptfs_marker(data + ECRYPTFS_FILE_SIZE_BYTES)) {\n\t\trc = -EINVAL;\n\t}\nout:\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 93437273771504708213372178727364238436, "size": 22, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. 
Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490160 }, { "func": "static void exif_iif_add_str(image_info_type *image_info,\n int section_index, char *name, char *value) {\n image_info_data *info_data;\n image_info_data *list;\n\n if (value) {\n size_t realloc_size = (image_info->info_list[section_index].count+1) *\n sizeof(image_info_data);\n list = (image_info_data *)\n IM_REALLOC(image_info->info_list[section_index].list, realloc_size);\n CHECK_ALLOC(list, realloc_size);\n image_info->info_list[section_index].list = list;\n info_data = &image_info->info_list[section_index].\n list[image_info->info_list[section_index].count];\n memset(info_data, 0, sizeof(image_info_data));\n info_data->tag = (unsigned short)TAG_NONE;\n info_data->format = TAG_FMT_STRING;\n info_data->length = 1;\n PHP_STRDUP(info_data->name, name);\n // TODO\n // if (PG(magic_quotes_runtime)) {\n // info_data->value.s = php_addslashes(value, strlen(value), nullptr, 0);\n // } else {\n PHP_STRDUP(info_data->value.s, value);\n image_info->sections_found |= 1<info_list[section_index].count++;\n }\n}", "project": "hhvm", "hash": 165597420186063637993289813845479862554, "size": 28, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219237 }, { "func": "HttpStateData::haveParsedReplyHeaders()\n{\n Client::haveParsedReplyHeaders();\n\n Ctx ctx = ctx_enter(entry->mem_obj->urlXXX());\n HttpReply *rep = finalReply();\n const Http::StatusCode statusCode = rep->sline.status();\n\n entry->timestampsSet();\n\n /* Check if object is cacheable or not based on reply code */\n debugs(11, 3, \"HTTP CODE: \" << statusCode);\n\n if (StoreEntry *oldEntry = findPreviouslyCachedEntry(entry)) {\n oldEntry->lock(\"HttpStateData::haveParsedReplyHeaders\");\n sawDateGoBack = rep->olderThan(oldEntry->getReply());\n 
oldEntry->unlock(\"HttpStateData::haveParsedReplyHeaders\");\n }\n\n if (neighbors_do_private_keys && !sawDateGoBack)\n httpMaybeRemovePublic(entry, rep->sline.status());\n\n bool varyFailure = false;\n if (rep->header.has(Http::HdrType::VARY)\n#if X_ACCELERATOR_VARY\n || rep->header.has(Http::HdrType::HDR_X_ACCELERATOR_VARY)\n#endif\n ) {\n const SBuf vary(httpMakeVaryMark(request, rep));\n\n if (vary.isEmpty()) {\n // TODO: check whether such responses are shareable.\n // Do not share for now.\n entry->makePrivate(false);\n if (fwd->reforwardableStatus(rep->sline.status()))\n EBIT_SET(entry->flags, ENTRY_FWD_HDR_WAIT);\n varyFailure = true;\n } else {\n entry->mem_obj->vary_headers = vary;\n\n // RFC 7231 section 7.1.4\n // Vary:* can be cached, but has mandatory revalidation\n static const SBuf asterisk(\"*\");\n if (vary == asterisk)\n EBIT_SET(entry->flags, ENTRY_REVALIDATE_ALWAYS);\n }\n }\n\n if (!varyFailure) {\n /*\n * If its not a reply that we will re-forward, then\n * allow the client to get it.\n */\n if (fwd->reforwardableStatus(rep->sline.status()))\n EBIT_SET(entry->flags, ENTRY_FWD_HDR_WAIT);\n\n ReuseDecision decision(entry, statusCode);\n\n switch (reusableReply(decision)) {\n\n case ReuseDecision::reuseNot:\n entry->makePrivate(false);\n break;\n\n case ReuseDecision::cachePositively:\n if (!entry->makePublic()) {\n decision.make(ReuseDecision::doNotCacheButShare, \"public key creation error\");\n entry->makePrivate(true);\n }\n break;\n\n case ReuseDecision::cacheNegatively:\n if (!entry->cacheNegatively()) {\n decision.make(ReuseDecision::doNotCacheButShare, \"public key creation error\");\n entry->makePrivate(true);\n }\n break;\n\n case ReuseDecision::doNotCacheButShare:\n entry->makePrivate(true);\n break;\n\n default:\n assert(0);\n break;\n }\n debugs(11, 3, \"decided: \" << decision);\n }\n\n if (!ignoreCacheControl) {\n if (rep->cache_control) {\n // We are required to revalidate on many conditions.\n // For security reasons we do so 
even if storage was caused by refresh_pattern ignore-* option\n\n // CC:must-revalidate or CC:proxy-revalidate\n const bool ccMustRevalidate = (rep->cache_control->hasProxyRevalidate() || rep->cache_control->hasMustRevalidate());\n\n // CC:no-cache (only if there are no parameters)\n const bool ccNoCacheNoParams = rep->cache_control->hasNoCacheWithoutParameters();\n\n // CC:s-maxage=N\n const bool ccSMaxAge = rep->cache_control->hasSMaxAge();\n\n // CC:private (yes, these can sometimes be stored)\n const bool ccPrivate = rep->cache_control->hasPrivate();\n\n if (ccNoCacheNoParams || ccPrivate)\n EBIT_SET(entry->flags, ENTRY_REVALIDATE_ALWAYS);\n else if (ccMustRevalidate || ccSMaxAge)\n EBIT_SET(entry->flags, ENTRY_REVALIDATE_STALE);\n }\n#if USE_HTTP_VIOLATIONS // response header Pragma::no-cache is undefined in HTTP\n else {\n // Expensive calculation. So only do it IF the CC: header is not present.\n\n /* HACK: Pragma: no-cache in _replies_ is not documented in HTTP,\n * but servers like \"Active Imaging Webcast/2.0\" sure do use it */\n if (rep->header.has(Http::HdrType::PRAGMA) &&\n rep->header.hasListMember(Http::HdrType::PRAGMA,\"no-cache\",','))\n EBIT_SET(entry->flags, ENTRY_REVALIDATE_ALWAYS);\n }\n#endif\n }\n\n#if HEADERS_LOG\n headersLog(1, 0, request->method, rep);\n\n#endif\n\n ctx_exit(ctx);\n}", "project": "squid", "hash": 138027442123220361385059426060376319052, "size": 131, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402386 }, { "func": "int fuse_write_inode(struct inode *inode, struct writeback_control *wbc)\n{\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\tstruct fuse_file *ff;\n\tint err;\n\n\tff = __fuse_write_file_get(fc, fi);\n\terr = fuse_flush_times(inode, ff);\n\tif (ff)\n\t\tfuse_file_put(ff, false, false);\n\n\treturn err;\n}", "project": "linux", "hash": 88481065657293239541066826584649326380, "size": 14, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342003 }, { "func": "\t__releases(&pkc->blk_fill_in_prog_lock)\n{\n\tstruct tpacket_kbdq_core *pkc = GET_PBDQC_FROM_RB(rb);\n\n\tread_unlock(&pkc->blk_fill_in_prog_lock);\n}", "project": "linux", "hash": 333743125062611214849186561550910022211, "size": 6, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330384 }, { "func": " void waitForJwksResponse(const std::string& status, const std::string& jwks_body) {\n AssertionResult result =\n fake_upstreams_[1]->waitForHttpConnection(*dispatcher_, fake_jwks_connection_);\n RELEASE_ASSERT(result, result.message());\n result = fake_jwks_connection_->waitForNewStream(*dispatcher_, jwks_request_);\n RELEASE_ASSERT(result, result.message());\n result = jwks_request_->waitForEndStream(*dispatcher_);\n RELEASE_ASSERT(result, result.message());\n\n Http::TestResponseHeaderMapImpl response_headers{{\":status\", status}};\n jwks_request_->encodeHeaders(response_headers, false);\n Buffer::OwnedImpl response_data1(jwks_body);\n 
jwks_request_->encodeData(response_data1, true);\n }", "project": "envoy", "hash": 184203407688702380081169299179122171588, "size": 14, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246618 }, { "func": "static void snap_vcsa_rawfb(void) {\n\tint n;\n\tchar *dst;\n\tchar buf[32];\n\tint i, len, del;\n\tunsigned char rows, cols, xpos, ypos;\n\tstatic int prev_rows = -1, prev_cols = -1;\n\tstatic unsigned char prev_xpos = -1, prev_ypos = -1;\n\tstatic char *vcsabuf = NULL;\n\tstatic char *vcsabuf0 = NULL;\n\tstatic unsigned int color_tab[16];\n\tstatic int Cw = 8, Ch = 16;\n\tstatic int db = -1, first = 1;\n\tint created = 0;\n\trfbScreenInfo s;\n\trfbScreenInfoPtr fake_screen = &s;\n\tint Bpp = raw_fb_native_bpp / 8;\n\n\tif (db < 0) {\n\t\tif (getenv(\"X11VNC_DEBUG_VCSA\")) {\n\t\t\tdb = atoi(getenv(\"X11VNC_DEBUG_VCSA\"));\n\t\t} else {\n\t\t\tdb = 0;\n\t\t}\n\t}\n\n\tif (first) {\n\t\tunsigned int rm = raw_fb_native_red_mask;\n\t\tunsigned int gm = raw_fb_native_green_mask;\n\t\tunsigned int bm = raw_fb_native_blue_mask;\n\t\tunsigned int rs = raw_fb_native_red_shift;\n\t\tunsigned int gs = raw_fb_native_green_shift;\n\t\tunsigned int bs = raw_fb_native_blue_shift;\n\t\tunsigned int rx = raw_fb_native_red_max;\n\t\tunsigned int gx = raw_fb_native_green_max;\n\t\tunsigned int bx = raw_fb_native_blue_max;\n\n\t\tfor (i=0; i < 16; i++) {\n\t\t\tint r = console_cmap[3*i+0];\n\t\t\tint g = console_cmap[3*i+1];\n\t\t\tint b = console_cmap[3*i+2];\n\t\t\tr = rx * r / 255;\n\t\t\tg = gx * g / 255;\n\t\t\tb = bx * b / 255;\n\t\t\tcolor_tab[i] = (r << rs) | (g << gs) | (b << bs);\n\t\t\tif (db) fprintf(stderr, \"cmap[%02d] 0x%08x %04d %04d %04d\\n\", i, color_tab[i], r, g, b); \n\t\t\tif (i != 0 && getenv(\"RAWFB_VCSA_BW\")) {\n\t\t\t\tcolor_tab[i] = rm | gm | 
bm;\n\t\t\t}\n\t\t}\n\t}\n\tfirst = 0;\n\n\tlseek(raw_fb_fd, 0, SEEK_SET);\n\tlen = 4;\n\tdel = 0;\n\tmemset(buf, 0, sizeof(buf));\n\twhile (len > 0) {\n\t\tn = read(raw_fb_fd, buf + del, len);\n\t\tif (n > 0) {\n\t\t\tdel += n;\n\t\t\tlen -= n;\n\t\t} else if (n == 0) {\n\t\t\tbreak;\n\t\t} else if (errno != EINTR && errno != EAGAIN) {\n\t\t\tbreak;\n\t\t}\n\t}\n\n\trows = (unsigned char) buf[0];\n\tcols = (unsigned char) buf[1];\n\txpos = (unsigned char) buf[2];\n\typos = (unsigned char) buf[3];\n\n\tif (db) fprintf(stderr, \"rows=%d cols=%d xpos=%d ypos=%d Bpp=%d\\n\", rows, cols, xpos, ypos, Bpp);\n\tif (rows == 0 || cols == 0) {\n\t\tusleep(100 * 1000);\n\t\treturn;\n\t}\n\n\tif (vcsabuf == NULL || prev_rows != rows || prev_cols != cols) {\n\t\tif (vcsabuf) {\n\t\t\tfree(vcsabuf);\n\t\t\tfree(vcsabuf0);\n\t\t}\n\t\tvcsabuf = (char *) calloc(2 * rows * cols, 1);\n\t\tvcsabuf0 = (char *) calloc(2 * rows * cols, 1);\n\t\tcreated = 1;\n\n\t\tif (prev_rows != -1 && prev_cols != -1) {\n\t\t\tdo_new_fb(1);\n\t\t}\n\n\t\tprev_rows = rows;\n\t\tprev_cols = cols;\n\t}\n\n\tif (!rfbEndianTest) {\n\t\tunsigned char tc = rows;\n\t\trows = cols;\n\t\tcols = tc;\n\n\t\ttc = xpos;\n\t\txpos = ypos;\n\t\typos = tc;\n\t}\n\n\tlen = 2 * rows * cols;\n\tdel = 0;\n\tmemset(vcsabuf, 0, len);\n\twhile (len > 0) {\n\t\tn = read(raw_fb_fd, vcsabuf + del, len);\n\t\tif (n > 0) {\n\t\t\tdel += n;\n\t\t\tlen -= n;\n\t\t} else if (n == 0) {\n\t\t\tbreak;\n\t\t} else if (errno != EINTR && errno != EAGAIN) {\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tfake_screen->frameBuffer = snap->data;\n\tfake_screen->paddedWidthInBytes = snap->bytes_per_line;\n\tfake_screen->serverFormat.bitsPerPixel = raw_fb_native_bpp;\n\tfake_screen->width = snap->width;\n\tfake_screen->height = snap->height;\n\n\tfor (i=0; i < rows * cols; i++) {\n\t\tint ix, iy, x, y, w, h;\n\t\tunsigned char chr = 0;\n\t\tunsigned char attr;\n\t\tunsigned int fore, back;\n\t\tunsigned short *usp;\n\t\tunsigned int *uip;\n\t\tchr = (unsigned 
char) vcsabuf[2*i];\n\t\tattr = vcsabuf[2*i+1];\n\n\t\tiy = i / cols;\n\t\tix = i - iy * cols;\n\n\t\tif (ix == prev_xpos && iy == prev_ypos) {\n\t\t\t;\n\t\t} else if (ix == xpos && iy == ypos) {\n\t\t\t;\n\t\t} else if (!created && chr == vcsabuf0[2*i] && attr == vcsabuf0[2*i+1]) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (!rfbEndianTest) {\n\t\t\tunsigned char tc = chr;\n\t\t\tchr = attr;\n\t\t\tattr = tc;\n\t\t}\n\n\t\ty = iy * Ch;\n\t\tx = ix * Cw;\n\t\tdst = snap->data + y * snap->bytes_per_line + x * Bpp;\n\n\t\tfore = color_tab[attr & 0xf];\n\t\tback = color_tab[(attr >> 4) & 0x7];\n\n\t\tif (ix == xpos && iy == ypos) {\n\t\t\tunsigned int ti = fore;\n\t\t\tfore = back;\n\t\t\tback = ti;\n\t\t}\n\n\t\tfor (h = 0; h < Ch; h++) {\n\t\t\tif (Bpp == 1) {\n\t\t\t\tmemset(dst, back, Cw);\n\t\t\t} else if (Bpp == 2) {\n\t\t\t\tfor (w = 0; w < Cw; w++) {\n\t\t\t\t\tusp = (unsigned short *) (dst + w*Bpp); \n\t\t\t\t\t*usp = (unsigned short) back;\n\t\t\t\t}\n\t\t\t} else if (Bpp == 4) {\n\t\t\t\tfor (w = 0; w < Cw; w++) {\n\t\t\t\t\tuip = (unsigned int *) (dst + w*Bpp); \n\t\t\t\t\t*uip = (unsigned int) back;\n\t\t\t\t}\n\t\t\t}\n\t\t\tdst += snap->bytes_per_line;\n\t\t}\n\t\trfbDrawChar(fake_screen, &default8x16Font, x, y + Ch, chr, fore);\n\t}\n\tmemcpy(vcsabuf0, vcsabuf, 2 * rows * cols); \n\tprev_xpos = xpos;\n\tprev_ypos = ypos;\n}", "project": "x11vnc", "hash": 112576021905253000854291598410046234709, "size": 190, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360759 }, { "func": "bool JOIN::rollup_process_const_fields()\n{\n ORDER *group_tmp;\n Item *item;\n List_iterator it(all_fields);\n\n for (group_tmp= group_list; group_tmp; group_tmp= group_tmp->next)\n {\n if (!(*group_tmp->item)->const_item())\n continue;\n while ((item= it++))\n {\n if (*group_tmp->item == item)\n {\n Item* new_item= new (thd->mem_root) Item_func_rollup_const(thd, 
item);\n if (!new_item)\n return 1;\n new_item->fix_fields(thd, (Item **) 0);\n thd->change_item_tree(it.ref(), new_item);\n for (ORDER *tmp= group_tmp; tmp; tmp= tmp->next)\n {\n if (*tmp->item == item)\n thd->change_item_tree(tmp->item, new_item);\n }\n break;\n }\n }\n it.rewind();\n }\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 719000443929974137016152525286845127, "size": 31, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508418 }, { "func": "const char* blosc_get_compressor(void)\n{\n const char* compname;\n blosc_compcode_to_compname(g_compressor, &compname);\n\n return compname;\n}", "project": "c-blosc2", "hash": 287408362959344967246982589719835301321, "size": 7, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303078 }, { "func": "static void fuse_fs_cleanup(void)\n{\n\tunregister_filesystem(&fuse_fs_type);\n\tunregister_fuseblk();\n\n\t/*\n\t * Make sure all delayed rcu free inodes are flushed before we\n\t * destroy cache.\n\t */\n\trcu_barrier();\n\tkmem_cache_destroy(fuse_inode_cachep);\n}", "project": "linux", "hash": 300002568721424451282284000344948883359, "size": 12, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342063 }, { "func": "JOIN_TAB::sort_table()\n{\n int rc;\n DBUG_PRINT(\"info\",(\"Sorting for index\"));\n THD_STAGE_INFO(join->thd, stage_creating_sort_index);\n DBUG_ASSERT(join->ordered_index_usage != (filesort->order == join->order ?\n JOIN::ordered_index_order_by :\n JOIN::ordered_index_group_by));\n rc= create_sort_index(join->thd, join, this, NULL);\n return (rc != 0);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 216210842590939688284322157882202731465, "size": 11, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508581 }, { "func": "static inline void status_report(struct tty_struct *tty)\n{\n\trespond_string(\"\\033[0n\", tty->port);\t/* Terminal ok */\n}", "project": "linux", "hash": 266175589563341703097236396549956926432, "size": 4, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437073 }, { "func": "\nstatic void bfq_update_bfqq_wr_on_rq_arrival(struct bfq_data *bfqd,\n\t\t\t\t\t struct bfq_queue *bfqq,\n\t\t\t\t\t unsigned int old_wr_coeff,\n\t\t\t\t\t bool wr_or_deserves_wr,\n\t\t\t\t\t bool interactive,\n\t\t\t\t\t bool in_burst,\n\t\t\t\t\t bool soft_rt)\n{\n\tif (old_wr_coeff == 1 && wr_or_deserves_wr) {\n\t\t/* start a weight-raising period */\n\t\tif (interactive) {\n\t\t\tbfqq->service_from_wr = 0;\n\t\t\tbfqq->wr_coeff = bfqd->bfq_wr_coeff;\n\t\t\tbfqq->wr_cur_max_time = bfq_wr_duration(bfqd);\n\t\t} else {\n\t\t\t/*\n\t\t\t * No interactive weight raising in progress\n\t\t\t * here: assign minus infinity to\n\t\t\t * wr_start_at_switch_to_srt, to make sure\n\t\t\t * that, at the end of the soft-real-time\n\t\t\t * weight raising periods that is starting\n\t\t\t * now, no interactive weight-raising period\n\t\t\t * may be wrongly considered as still in\n\t\t\t * progress (and thus actually started by\n\t\t\t * mistake).\n\t\t\t */\n\t\t\tbfqq->wr_start_at_switch_to_srt =\n\t\t\t\tbfq_smallest_from_now();\n\t\t\tbfqq->wr_coeff = bfqd->bfq_wr_coeff *\n\t\t\t\tBFQ_SOFTRT_WEIGHT_FACTOR;\n\t\t\tbfqq->wr_cur_max_time =\n\t\t\t\tbfqd->bfq_wr_rt_max_time;\n\t\t}\n\n\t\t/*\n\t\t * If needed, further reduce budget to make sure it is\n\t\t * close to bfqq's backlog, so as to reduce the\n\t\t * scheduling-error component due to a too large\n\t\t * budget. Do not care about throughput consequences,\n\t\t * but only about latency. 
Finally, do not assign a\n\t\t * too small budget either, to avoid increasing\n\t\t * latency by causing too frequent expirations.\n\t\t */\n\t\tbfqq->entity.budget = min_t(unsigned long,\n\t\t\t\t\t bfqq->entity.budget,\n\t\t\t\t\t 2 * bfq_min_budget(bfqd));\n\t} else if (old_wr_coeff > 1) {\n\t\tif (interactive) { /* update wr coeff and duration */\n\t\t\tbfqq->wr_coeff = bfqd->bfq_wr_coeff;\n\t\t\tbfqq->wr_cur_max_time = bfq_wr_duration(bfqd);\n\t\t} else if (in_burst)\n\t\t\tbfqq->wr_coeff = 1;\n\t\telse if (soft_rt) {\n\t\t\t/*\n\t\t\t * The application is now or still meeting the\n\t\t\t * requirements for being deemed soft rt. We\n\t\t\t * can then correctly and safely (re)charge\n\t\t\t * the weight-raising duration for the\n\t\t\t * application with the weight-raising\n\t\t\t * duration for soft rt applications.\n\t\t\t *\n\t\t\t * In particular, doing this recharge now, i.e.,\n\t\t\t * before the weight-raising period for the\n\t\t\t * application finishes, reduces the probability\n\t\t\t * of the following negative scenario:\n\t\t\t * 1) the weight of a soft rt application is\n\t\t\t * raised at startup (as for any newly\n\t\t\t * created application),\n\t\t\t * 2) since the application is not interactive,\n\t\t\t * at a certain time weight-raising is\n\t\t\t * stopped for the application,\n\t\t\t * 3) at that time the application happens to\n\t\t\t * still have pending requests, and hence\n\t\t\t * is destined to not have a chance to be\n\t\t\t * deemed soft rt before these requests are\n\t\t\t * completed (see the comments to the\n\t\t\t * function bfq_bfqq_softrt_next_start()\n\t\t\t * for details on soft rt detection),\n\t\t\t * 4) these pending requests experience a high\n\t\t\t * latency because the application is not\n\t\t\t * weight-raised while they are pending.\n\t\t\t */\n\t\t\tif (bfqq->wr_cur_max_time !=\n\t\t\t\tbfqd->bfq_wr_rt_max_time) {\n\t\t\t\tbfqq->wr_start_at_switch_to_srt 
=\n\t\t\t\t\tbfqq->last_wr_start_finish;\n\n\t\t\t\tbfqq->wr_cur_max_time =\n\t\t\t\t\tbfqd->bfq_wr_rt_max_time;\n\t\t\t\tbfqq->wr_coeff = bfqd->bfq_wr_coeff *\n\t\t\t\t\tBFQ_SOFTRT_WEIGHT_FACTOR;\n\t\t\t}\n\t\t\tbfqq->last_wr_start_finish = jiffies;\n\t\t}\n\t}", "project": "linux", "hash": 22112429613834361810034388731132672213, "size": 96, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453331 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "void BlobURLRequestJob::AdvanceItem() {\n CloseStream();\n\n item_index_++;\n current_item_offset_ = 0;\n}\n", "cwe": "", "big_vul_idx": 106405, "idx": 95559, "hash": 311444363125923374501451205487823379385 }, { "func": "static int cdeque_front(struct cdeque* d, void** value) {\n\tif(d->size > 0) {\n\t\tcdeque_front_fast(d, value);\n\t\treturn CDE_OK;\n\t} else\n\t\treturn CDE_OUT_OF_BOUNDS;\n}", "project": "libarchive", "hash": 209247854267929288985034699541987456539, "size": 7, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. 
Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244733 }, { "func": "static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,\n\t\t\t struct ipcm_cookie *ipc, struct rtable **rtp)\n{\n\tstruct ip_options_rcu *opt;\n\tstruct rtable *rt;\n\n\t/*\n\t * setup for corking.\n\t */\n\topt = ipc->opt;\n\tif (opt) {\n\t\tif (!cork->opt) {\n\t\t\tcork->opt = kmalloc(sizeof(struct ip_options) + 40,\n\t\t\t\t\t sk->sk_allocation);\n\t\t\tif (unlikely(!cork->opt))\n\t\t\t\treturn -ENOBUFS;\n\t\t}\n\t\tmemcpy(cork->opt, &opt->opt, sizeof(struct ip_options) + opt->opt.optlen);\n\t\tcork->flags |= IPCORK_OPT;\n\t\tcork->addr = ipc->addr;\n\t}\n\trt = *rtp;\n\tif (unlikely(!rt))\n\t\treturn -EFAULT;\n\t/*\n\t * We steal reference to this route, caller should not release it\n\t */\n\t*rtp = NULL;\n\tcork->fragsize = ip_sk_use_pmtu(sk) ?\n\t\t\t dst_mtu(&rt->dst) : rt->dst.dev->mtu;\n\tcork->dst = &rt->dst;\n\tcork->length = 0;\n\tcork->ttl = ipc->ttl;\n\tcork->tos = ipc->tos;\n\tcork->priority = ipc->priority;\n\tcork->tx_flags = ipc->tx_flags;\n\n\treturn 0;\n}", "project": "net", "hash": 75670877657082926996430698611025858589, "size": 39, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. 
Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 469008 }, { "func": "static u8 tcp_sacktag_one(const struct sk_buff *skb, struct sock *sk,\n\t\t\t struct tcp_sacktag_state *state,\n\t\t\t int dup_sack, int pcount)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tu8 sacked = TCP_SKB_CB(skb)->sacked;\n\tint fack_count = state->fack_count;\n\n\t/* Account D-SACK for retransmitted packet. */\n\tif (dup_sack && (sacked & TCPCB_RETRANS)) {\n\t\tif (tp->undo_marker && tp->undo_retrans &&\n\t\t after(TCP_SKB_CB(skb)->end_seq, tp->undo_marker))\n\t\t\ttp->undo_retrans--;\n\t\tif (sacked & TCPCB_SACKED_ACKED)\n\t\t\tstate->reord = min(fack_count, state->reord);\n\t}\n\n\t/* Nothing to do; acked frame is about to be dropped (was ACKed). */\n\tif (!after(TCP_SKB_CB(skb)->end_seq, tp->snd_una))\n\t\treturn sacked;\n\n\tif (!(sacked & TCPCB_SACKED_ACKED)) {\n\t\tif (sacked & TCPCB_SACKED_RETRANS) {\n\t\t\t/* If the segment is not tagged as lost,\n\t\t\t * we do not clear RETRANS, believing\n\t\t\t * that retransmission is still in flight.\n\t\t\t */\n\t\t\tif (sacked & TCPCB_LOST) {\n\t\t\t\tsacked &= ~(TCPCB_LOST|TCPCB_SACKED_RETRANS);\n\t\t\t\ttp->lost_out -= pcount;\n\t\t\t\ttp->retrans_out -= pcount;\n\t\t\t}\n\t\t} else {\n\t\t\tif (!(sacked & TCPCB_RETRANS)) {\n\t\t\t\t/* New sack for not retransmitted frame,\n\t\t\t\t * which was in hole. 
It is reordering.\n\t\t\t\t */\n\t\t\t\tif (before(TCP_SKB_CB(skb)->seq,\n\t\t\t\t\t tcp_highest_sack_seq(tp)))\n\t\t\t\t\tstate->reord = min(fack_count,\n\t\t\t\t\t\t\t state->reord);\n\n\t\t\t\t/* SACK enhanced F-RTO (RFC4138; Appendix B) */\n\t\t\t\tif (!after(TCP_SKB_CB(skb)->end_seq, tp->frto_highmark))\n\t\t\t\t\tstate->flag |= FLAG_ONLY_ORIG_SACKED;\n\t\t\t}\n\n\t\t\tif (sacked & TCPCB_LOST) {\n\t\t\t\tsacked &= ~TCPCB_LOST;\n\t\t\t\ttp->lost_out -= pcount;\n\t\t\t}\n\t\t}\n\n\t\tsacked |= TCPCB_SACKED_ACKED;\n\t\tstate->flag |= FLAG_DATA_SACKED;\n\t\ttp->sacked_out += pcount;\n\n\t\tfack_count += pcount;\n\n\t\t/* Lost marker hint past SACKed? Tweak RFC3517 cnt */\n\t\tif (!tcp_is_fack(tp) && (tp->lost_skb_hint != NULL) &&\n\t\t before(TCP_SKB_CB(skb)->seq,\n\t\t\t TCP_SKB_CB(tp->lost_skb_hint)->seq))\n\t\t\ttp->lost_cnt_hint += pcount;\n\n\t\tif (fack_count > tp->fackets_out)\n\t\t\ttp->fackets_out = fack_count;\n\t}\n\n\t/* D-SACK. We can detect redundant retransmission in S|R and plain R\n\t * frames and clear it. undo_retrans is decreased above, L|R frames\n\t * are accounted above as well.\n\t */\n\tif (dup_sack && (sacked & TCPCB_SACKED_RETRANS)) {\n\t\tsacked &= ~TCPCB_SACKED_RETRANS;\n\t\ttp->retrans_out -= pcount;\n\t}\n\n\treturn sacked;\n}", "project": "net-next", "hash": 197871548106891964597393978106035465706, "size": 80, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409893 }, { "func": "void signal_setup_done(int failed, struct ksignal *ksig, int stepping)\n{\n\tif (failed)\n\t\tforce_sigsegv(ksig->sig);\n\telse\n\t\tsignal_delivered(ksig, stepping);\n}", "project": "linux", "hash": 27231068308077548461817295387084118003, "size": 7, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375184 }, { "func": "static void restore_nameidata(void)\n{\n\tstruct nameidata *now = current->nameidata, *old = now->saved;\n\n\tcurrent->nameidata = old;\n\tif (old)\n\t\told->total_link_count = now->total_link_count;\n\tif (now->stack != now->internal)\n\t\tkfree(now->stack);\n}", "project": "linux", "hash": 4195424050895586173635011518195349526, "size": 10, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295328 }, { "func": "static int proc_do_uuid(ctl_table *table, int write, struct file *filp,\n\t\t\tvoid __user *buffer, size_t *lenp, loff_t *ppos)\n{\n\tctl_table fake_table;\n\tunsigned char buf[64], tmp_uuid[16], *uuid;\n\n\tuuid = table->data;\n\tif (!uuid) {\n\t\tuuid = tmp_uuid;\n\t\tuuid[8] = 0;\n\t}\n\tif (uuid[8] == 0)\n\t\tgenerate_random_uuid(uuid);\n\n\tsprintf(buf, \"%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-\"\n\t\t\"%02x%02x%02x%02x%02x%02x\",\n\t\tuuid[0], uuid[1], uuid[2], uuid[3],\n\t\tuuid[4], uuid[5], uuid[6], uuid[7],\n\t\tuuid[8], uuid[9], uuid[10], uuid[11],\n\t\tuuid[12], uuid[13], uuid[14], uuid[15]);\n\tfake_table.data = buf;\n\tfake_table.maxlen = sizeof(buf);\n\n\treturn proc_dostring(&fake_table, write, filp, buffer, lenp, ppos);\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 144146377664895146348627820662132367124, "size": 25, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every 
time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499908 }, { "func": "static int zipfileFindFunction(\n sqlite3_vtab *pVtab, /* Virtual table handle */\n int nArg, /* Number of SQL function arguments */\n const char *zName, /* Name of SQL function */\n void (**pxFunc)(sqlite3_context*,int,sqlite3_value**), /* OUT: Result */\n void **ppArg /* OUT: User data for *pxFunc */\n){\n if( sqlite3_stricmp(\"zipfile_cds\", zName)==0 ){\n *pxFunc = zipfileFunctionCds;\n *ppArg = (void*)pVtab;\n return 1;\n }\n return 0;\n}", "project": "sqlite", "hash": 191546582274371998734820044010993919146, "size": 14, "commit_id": "54d501092d88c0cf89bec4279951f548fb0b8618", "message": "Fix the zipfile extension so that INSERT works even if the pathname of\nthe file being inserted is a NULL. 
Bug discovered by the\nYongheng and Rui fuzzer.\n\nFossilOrigin-Name: a80f84b511231204658304226de3e075a55afc2e3f39ac063716f7a57f585c06", "target": 0, "dataset": "other", "idx": 293140 }, { "func": "void tty_wakeup(struct tty_struct *tty)\n{\n\tstruct tty_ldisc *ld;\n\n\tif (test_bit(TTY_DO_WRITE_WAKEUP, &tty->flags)) {\n\t\tld = tty_ldisc_ref(tty);\n\t\tif (ld) {\n\t\t\tif (ld->ops->write_wakeup)\n\t\t\t\tld->ops->write_wakeup(tty);\n\t\t\ttty_ldisc_deref(ld);\n\t\t}\n\t}\n\twake_up_interruptible_poll(&tty->write_wait, EPOLLOUT);\n}", "project": "linux", "hash": 73879414417169573971914850031541207618, "size": 14, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326031 }, { "func": "static int parse_block_header(struct archive_read* a, const uint8_t* p,\n ssize_t* block_size, struct compressed_block_header* hdr)\n{\n\tuint8_t calculated_cksum;\n\tmemcpy(hdr, p, sizeof(struct compressed_block_header));\n\n\tif(bf_byte_count(hdr) > 2) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Unsupported block header size (was %d, max is 2)\",\n\t\t bf_byte_count(hdr));\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\t/* This should probably use bit reader interface in order to be more\n\t * future-proof. */\n\t*block_size = 0;\n\tswitch(bf_byte_count(hdr)) {\n\t\t/* 1-byte block size */\n\t\tcase 0:\n\t\t\t*block_size = *(const uint8_t*) &p[2];\n\t\t\tbreak;\n\n\t\t/* 2-byte block size */\n\t\tcase 1:\n\t\t\t*block_size = archive_le16dec(&p[2]);\n\t\t\tbreak;\n\n\t\t/* 3-byte block size */\n\t\tcase 2:\n\t\t\t*block_size = archive_le32dec(&p[2]);\n\t\t\t*block_size &= 0x00FFFFFF;\n\t\t\tbreak;\n\n\t\t/* Other block sizes are not supported. This case is not\n\t\t * reached, because we have an 'if' guard before the switch\n\t\t * that makes sure of it. */\n\t\tdefault:\n\t\t\treturn ARCHIVE_FATAL;\n\t}\n\n\t/* Verify the block header checksum. 
0x5A is a magic value and is\n\t * always * constant. */\n\tcalculated_cksum = 0x5A\n\t ^ (uint8_t) hdr->block_flags_u8\n\t ^ (uint8_t) *block_size\n\t ^ (uint8_t) (*block_size >> 8)\n\t ^ (uint8_t) (*block_size >> 16);\n\n\tif(calculated_cksum != hdr->block_cksum) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Block checksum error: got 0x%x, expected 0x%x\",\n\t\t hdr->block_cksum, calculated_cksum);\n\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 132177704956456566095619621710903490069, "size": 58, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244762 }, { "func": "int gp_workers_init(struct gssproxy_ctx *gpctx)\n{\n struct gp_workers *w;\n struct gp_thread *t;\n pthread_attr_t attr;\n verto_ev *ev;\n int vflags;\n int ret;\n int i;\n\n w = calloc(1, sizeof(struct gp_workers));\n if (!w) {\n return ENOMEM;\n }\n w->gpctx = gpctx;\n\n /* init global queue mutex */\n ret = pthread_mutex_init(&w->lock, NULL);\n if (ret) {\n free(w);\n return ENOMEM;\n }\n\n if (gpctx->config->num_workers > 0) {\n w->num_threads = gpctx->config->num_workers;\n } else {\n w->num_threads = DEFAULT_WORKER_THREADS_NUM;\n }\n\n /* make thread joinable (portability) */\n pthread_attr_init(&attr);\n 
pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE);\n\n /* init all workers */\n for (i = 0; i < w->num_threads; i++) {\n t = calloc(1, sizeof(struct gp_thread));\n if (!t) {\n ret = -1;\n goto done;\n }\n t->pool = w;\n ret = pthread_cond_init(&t->cond_wakeup, NULL);\n if (ret) {\n free(t);\n goto done;\n }\n ret = pthread_mutex_init(&t->cond_mutex, NULL);\n if (ret) {\n free(t);\n goto done;\n }\n ret = pthread_create(&t->tid, &attr, gp_worker_main, t);\n if (ret) {\n free(t);\n goto done;\n }\n LIST_ADD(w->free_list, t);\n }\n\n /* add wakeup pipe, so that threads can hand back replies to the\n * dispatcher */\n ret = pipe2(w->sig_pipe, O_NONBLOCK | O_CLOEXEC);\n if (ret == -1) {\n goto done;\n }\n\n vflags = VERTO_EV_FLAG_PERSIST | VERTO_EV_FLAG_IO_READ;\n ev = verto_add_io(gpctx->vctx, vflags, gp_handle_reply, w->sig_pipe[0]);\n if (!ev) {\n ret = -1;\n goto done;\n }\n verto_set_private(ev, w, NULL);\n\n gpctx->workers = w;\n ret = 0;\n\ndone:\n if (ret) {\n gp_workers_free(w);\n }\n return ret;\n}", "project": "gssproxy", "hash": 158598623376153981848649415628778264726, "size": 83, "commit_id": "cb761412e299ef907f22cd7c4146d50c8a792003", "message": "Unlock cond_mutex before pthread exit in gp_worker_main()\n\nSigned-off-by: GuiYao \n[rharwood@redhat.com: whitespace, tweak commit message]\nReviewed-by: Robbie Harwood ", "target": 0, "dataset": "other", "idx": 382870 }, { "func": "static int nfs4_open_expired(struct nfs4_state_owner *sp, struct nfs4_state *state)\n{\n\tstruct nfs_open_context *ctx;\n\tint ret;\n\n\tctx = nfs4_state_find_open_context(state);\n\tif (IS_ERR(ctx))\n\t\treturn -EAGAIN;\n\tret = nfs4_do_open_expired(ctx, state);\n\tput_nfs_open_context(ctx);\n\treturn ret;\n}", "project": "linux", "hash": 212942428982722035212940948041697999474, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() 
before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431598 }, { "func": "int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)\n{\n\tvcpu_load(vcpu);\n\n\t/* make sure we have the latest values */\n\tsave_fpu_regs();\n\tif (MACHINE_HAS_VX)\n\t\tconvert_vx_to_fp((freg_t *) fpu->fprs,\n\t\t\t\t (__vector128 *) vcpu->run->s.regs.vrs);\n\telse\n\t\tmemcpy(fpu->fprs, vcpu->run->s.regs.fprs, sizeof(fpu->fprs));\n\tfpu->fpc = vcpu->run->s.regs.fpc;\n\n\tvcpu_put(vcpu);\n\treturn 0;\n}", "project": "linux", "hash": 163384429405321084172656203535418440288, "size": 16, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354427 }, { "func": "parseinclude(struct scanner *s, struct environment *env, bool newscope)\n{\n\tstruct evalstring *str;\n\tstruct string *path;\n\n\tstr = scanstring(s, true);\n\tif (!str)\n\t\tscanerror(s, \"expected include path\");\n\tscannewline(s);\n\tpath = enveval(env, str);\n\n\tif (newscope)\n\t\tenv = mkenv(env);\n\tparse(path->s, env);\n\tfree(path);\n}", "project": "samurai", "hash": 
276329112181489726985514100498361073367, "size": 16, "commit_id": "d2af3bc375e2a77139c3a28d6128c60cd8d08655", "message": "parse: Check for non-empty command/rspfile/rspfile_content\n\nThis matches ninja behavior and prevents the possibility of a rule\nwith an empty (NULL) command string.\n\nFixes #68.", "target": 0, "dataset": "other", "idx": 411964 }, { "func": "static bool checkreturn pb_dec_fixed_length_bytes(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n uint32_t size;\n\n if (!pb_decode_varint32(stream, &size))\n return false;\n\n if (size > PB_SIZE_MAX)\n PB_RETURN_ERROR(stream, \"bytes overflow\");\n\n if (size == 0)\n {\n /* As a special case, treat empty bytes string as all zeros for fixed_length_bytes. */\n memset(dest, 0, field->data_size);\n return true;\n }\n\n if (size != field->data_size)\n PB_RETURN_ERROR(stream, \"incorrect fixed length bytes size\");\n\n return pb_read(stream, (pb_byte_t*)dest, field->data_size);\n}", "project": "nanopb", "hash": 331529550204506051779276830938669996580, "size": 22, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252507 }, { "func": "ScanLineInputFile::~ScanLineInputFile ()\n{\n if (!_data->memoryMapped)\n {\n for (size_t i = 0; i < _data->lineBuffers.size(); i++)\n {\n EXRFreeAligned(_data->lineBuffers[i]->buffer);\n }\n }\n \n\n //\n // ScanLineInputFile should never delete the stream,\n // because it does not own the stream.\n // We just delete the Mutex here.\n //\n if (_data->partNumber == -1)\n delete _streamData;\n\n delete _data;\n}", "project": "openexr", "hash": 118094573201410522491355336405188355731, "size": 21, "commit_id": "bc88cdb6c97fbf5bc5d11ad8ca55306da931283a", "message": "sanity check ScanlineInput bytesPerLine instead of lineOffset size (#863)\n\nSigned-off-by: Peter Hillman \r\n\r\nCo-authored-by: Cary Phillips ", "target": 0, "dataset": "other", 
"idx": 446293 }, { "func": "static int pep_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,\n\t\t int noblock, int flags, int *addr_len)\n{\n\tstruct sk_buff *skb;\n\tint err;\n\n\tif (flags & ~(MSG_OOB|MSG_PEEK|MSG_TRUNC|MSG_DONTWAIT|MSG_WAITALL|\n\t\t\tMSG_NOSIGNAL|MSG_CMSG_COMPAT))\n\t\treturn -EOPNOTSUPP;\n\n\tif (unlikely(1 << sk->sk_state & (TCPF_LISTEN | TCPF_CLOSE)))\n\t\treturn -ENOTCONN;\n\n\tif ((flags & MSG_OOB) || sock_flag(sk, SOCK_URGINLINE)) {\n\t\t/* Dequeue and acknowledge control request */\n\t\tstruct pep_sock *pn = pep_sk(sk);\n\n\t\tif (flags & MSG_PEEK)\n\t\t\treturn -EOPNOTSUPP;\n\t\tskb = skb_dequeue(&pn->ctrlreq_queue);\n\t\tif (skb) {\n\t\t\tpep_ctrlreq_error(sk, skb, PN_PIPE_NO_ERROR,\n\t\t\t\t\t\tGFP_KERNEL);\n\t\t\tmsg->msg_flags |= MSG_OOB;\n\t\t\tgoto copy;\n\t\t}\n\t\tif (flags & MSG_OOB)\n\t\t\treturn -EINVAL;\n\t}\n\n\tskb = skb_recv_datagram(sk, flags, noblock, &err);\n\tlock_sock(sk);\n\tif (skb == NULL) {\n\t\tif (err == -ENOTCONN && sk->sk_state == TCP_CLOSE_WAIT)\n\t\t\terr = -ECONNRESET;\n\t\trelease_sock(sk);\n\t\treturn err;\n\t}\n\n\tif (sk->sk_state == TCP_ESTABLISHED)\n\t\tpipe_grant_credits(sk, GFP_KERNEL);\n\trelease_sock(sk);\ncopy:\n\tmsg->msg_flags |= MSG_EOR;\n\tif (skb->len > len)\n\t\tmsg->msg_flags |= MSG_TRUNC;\n\telse\n\t\tlen = skb->len;\n\n\terr = skb_copy_datagram_msg(skb, 0, msg, len);\n\tif (!err)\n\t\terr = (flags & MSG_TRUNC) ? 
skb->len : len;\n\n\tskb_free_datagram(sk, skb);\n\treturn err;\n}", "project": "linux", "hash": 162506202277949363469867485858195796725, "size": 56, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224793 }, { "func": "static int parse_file_extra_htime(struct archive_read* a,\n struct archive_entry* e, struct rar5* rar, ssize_t* extra_data_size)\n{\n\tchar unix_time = 0;\n\tsize_t flags = 0;\n\tsize_t value_len;\n\n\tenum HTIME_FLAGS {\n\t\tIS_UNIX = 0x01,\n\t\tHAS_MTIME = 0x02,\n\t\tHAS_CTIME = 0x04,\n\t\tHAS_ATIME = 0x08,\n\t\tHAS_UNIX_NS = 0x10,\n\t};\n\n\tif(!read_var_sized(a, &flags, &value_len))\n\t\treturn ARCHIVE_EOF;\n\n\t*extra_data_size -= value_len;\n\tif(ARCHIVE_OK != consume(a, value_len)) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\tunix_time = flags & IS_UNIX;\n\n\tif(flags & HAS_MTIME) {\n\t\tparse_htime_item(a, unix_time, &rar->file.e_mtime,\n\t\t extra_data_size);\n\t\tarchive_entry_set_mtime(e, rar->file.e_mtime, 0);\n\t}\n\n\tif(flags & HAS_CTIME) {\n\t\tparse_htime_item(a, unix_time, &rar->file.e_ctime,\n\t\t extra_data_size);\n\t\tarchive_entry_set_ctime(e, rar->file.e_ctime, 0);\n\t}\n\n\tif(flags & HAS_ATIME) {\n\t\tparse_htime_item(a, unix_time, &rar->file.e_atime,\n\t\t extra_data_size);\n\t\tarchive_entry_set_atime(e, rar->file.e_atime, 0);\n\t}\n\n\tif(flags & HAS_UNIX_NS) {\n\t\tif(!read_u32(a, &rar->file.e_unix_ns))\n\t\t\treturn ARCHIVE_EOF;\n\n\t\t*extra_data_size -= 4;\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 52190365830715976760152369113393116710, "size": 52, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: 
reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244710 }, { "func": "static inline int ep_is_linked(struct epitem *epi)\n{\n\treturn !list_empty(&epi->rdllink);\n}", "project": "linux", "hash": 55149884212324404625658607346910517140, "size": 4, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336263 }, { "func": "inline bool SparseTensor::ValidateAndInitializeToDense(Tensor* out,\n bool initialize) {\n DCHECK_EQ(DataTypeToEnum::v(), dtype())\n << \"ToDense requested with the wrong datatype\";\n\n DCHECK_EQ(out->shape().dims(), dims_)\n << \"Incompatible dimensions between SparseTensor and output\";\n\n DCHECK_EQ(out->dtype(), DataTypeToEnum::v())\n << \"Output must be type: \" << DataTypeToEnum::v()\n << \" but got: \" << out->dtype();\n\n // Make sure the dense output is the same rank and has room\n // to hold the SparseTensor.\n const auto& out_shape = out->shape();\n if (shape_.size() != out_shape.dims()) return false;\n for (int d = 0; d < shape_.size(); ++d) {\n if (shape_[d] > out_shape.dim_size(d)) return false;\n }\n\n if (initialize) {\n auto out_t = out->flat();\n out_t.setConstant(T());\n }\n\n return true;\n}", "project": "tensorflow", "hash": 81283102741742745231957330569739481517, "size": 27, 
"commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277006 }, { "func": "void tracing_stop(void)\n{\n\tstruct ring_buffer *buffer;\n\tunsigned long flags;\n\n\traw_spin_lock_irqsave(&global_trace.start_lock, flags);\n\tif (global_trace.stop_count++)\n\t\tgoto out;\n\n\t/* Prevent the buffers from switching */\n\tarch_spin_lock(&global_trace.max_lock);\n\n\tbuffer = global_trace.trace_buffer.buffer;\n\tif (buffer)\n\t\tring_buffer_record_disable(buffer);\n\n#ifdef CONFIG_TRACER_MAX_TRACE\n\tbuffer = global_trace.max_buffer.buffer;\n\tif (buffer)\n\t\tring_buffer_record_disable(buffer);\n#endif\n\n\tarch_spin_unlock(&global_trace.max_lock);\n\n out:\n\traw_spin_unlock_irqrestore(&global_trace.start_lock, flags);\n}", "project": "linux", "hash": 191521756748611242049143002338419603671, "size": 27, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445580 }, { "func": "bool CLua::calltopfn(lua_State *ls, const char *params, va_list args,\n int retc, va_list *copyto)\n{\n // We guarantee to remove the function from the stack\n int argc = push_args(ls, params, args, copyto);\n if (retc == -1)\n retc = return_count(ls, params);\n lua_call_throttle strangler(this);\n int err = lua_pcall(ls, argc, retc, 0);\n set_error(err, ls);\n return !err;\n}", "project": "crawl", "hash": 194052271981261754909203844176429784651, "size": 12, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230470 }, { "func": "static void vhost_net_busy_poll(struct vhost_net *net,\n\t\t\t\tstruct vhost_virtqueue *rvq,\n\t\t\t\tstruct vhost_virtqueue *tvq,\n\t\t\t\tbool *busyloop_intr,\n\t\t\t\tbool poll_rx)\n{\n\tunsigned long busyloop_timeout;\n\tunsigned long endtime;\n\tstruct socket *sock;\n\tstruct vhost_virtqueue *vq = poll_rx ? tvq : rvq;\n\n\t/* Try to hold the vq mutex of the paired virtqueue. We can't\n\t * use mutex_lock() here since we could not guarantee a\n\t * consistenet lock ordering.\n\t */\n\tif (!mutex_trylock(&vq->mutex))\n\t\treturn;\n\n\tvhost_disable_notify(&net->dev, vq);\n\tsock = rvq->private_data;\n\n\tbusyloop_timeout = poll_rx ? 
rvq->busyloop_timeout:\n\t\t\t\t tvq->busyloop_timeout;\n\n\tpreempt_disable();\n\tendtime = busy_clock() + busyloop_timeout;\n\n\twhile (vhost_can_busy_poll(endtime)) {\n\t\tif (vhost_has_work(&net->dev)) {\n\t\t\t*busyloop_intr = true;\n\t\t\tbreak;\n\t\t}\n\n\t\tif ((sock_has_rx_data(sock) &&\n\t\t !vhost_vq_avail_empty(&net->dev, rvq)) ||\n\t\t !vhost_vq_avail_empty(&net->dev, tvq))\n\t\t\tbreak;\n\n\t\tcpu_relax();\n\t}\n\n\tpreempt_enable();\n\n\tif (poll_rx || sock_has_rx_data(sock))\n\t\tvhost_net_busy_poll_try_queue(net, vq);\n\telse if (!poll_rx) /* On tx here, sock has no rx data. */\n\t\tvhost_enable_notify(&net->dev, rvq);\n\n\tmutex_unlock(&vq->mutex);\n}", "project": "linux", "hash": 260664298696531191097495400148326411118, "size": 50, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 441980 }, { "func": "static void tcp_ack_saw_tstamp(struct sock *sk, int flag)\n{\n\t/* RTTM Rule: A TSecr value received in a segment is used to\n\t * update the averaged RTT measurement only if the segment\n\t * acknowledges some new data, i.e., only if it advances the\n\t * left edge of the send window.\n\t *\n\t * See draft-ietf-tcplw-high-performance-00, section 3.3.\n\t * 1998/04/10 Andrey V. 
Savochkin \n\t *\n\t * Changed: reset backoff as soon as we see the first valid sample.\n\t * If we do not, we get strongly overestimated rto. With timestamps\n\t * samples are accepted even from very old segments: f.e., when rtt=1\n\t * increases to 8, we retransmit 5 times and after 8 seconds delayed\n\t * answer arrives rto becomes 120 seconds! If at least one of segments\n\t * in window is lost... Voila.\t \t\t\t--ANK (010210)\n\t */\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\ttcp_valid_rtt_meas(sk, tcp_time_stamp - tp->rx_opt.rcv_tsecr);\n}", "project": "net-next", "hash": 3822220329521998064369549488525770256, "size": 21, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409895 }, { "func": "static void enable_cpu_timer_accounting(struct kvm_vcpu *vcpu)\n{\n\tpreempt_disable(); /* protect from TOD sync and vcpu_load/put */\n\t__enable_cpu_timer_accounting(vcpu);\n\tpreempt_enable();\n}", "project": "linux", "hash": 206416942770440147674047217582106048131, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger 
\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354606 }, { "func": "OPJ_BOOL opj_j2k_decode(opj_j2k_t * p_j2k,\n opj_stream_private_t * p_stream,\n opj_image_t * p_image,\n opj_event_mgr_t * p_manager)\n{\n if (!p_image) {\n return OPJ_FALSE;\n }\n\n /* Heuristics to detect sequence opj_read_header(), opj_set_decoded_resolution_factor() */\n /* and finally opj_decode_image() without manual setting of comps[].factor */\n /* We could potentially always execute it, if we don't allow people to do */\n /* opj_read_header(), modify x0,y0,x1,y1 of returned image an call opj_decode_image() */\n if (p_j2k->m_cp.m_specific_param.m_dec.m_reduce > 0 &&\n p_j2k->m_private_image != NULL &&\n p_j2k->m_private_image->numcomps > 0 &&\n p_j2k->m_private_image->comps[0].factor ==\n p_j2k->m_cp.m_specific_param.m_dec.m_reduce &&\n p_image->numcomps > 0 &&\n p_image->comps[0].factor == 0 &&\n /* Don't mess with image dimension if the user has allocated it */\n p_image->comps[0].data == NULL) {\n OPJ_UINT32 it_comp;\n\n /* Update the comps[].factor member of the output image with the one */\n /* of m_reduce */\n for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {\n p_image->comps[it_comp].factor = p_j2k->m_cp.m_specific_param.m_dec.m_reduce;\n }\n if (!opj_j2k_update_image_dimensions(p_image, p_manager)) {\n return OPJ_FALSE;\n }\n }\n\n if (p_j2k->m_output_image == NULL) {\n p_j2k->m_output_image = opj_image_create0();\n if (!(p_j2k->m_output_image)) {\n return OPJ_FALSE;\n }\n }\n opj_copy_image_header(p_image, p_j2k->m_output_image);\n\n /* customization of the decoding */\n if (!opj_j2k_setup_decoding(p_j2k, p_manager)) {\n return OPJ_FALSE;\n }\n\n /* Decode the codestream */\n if (! 
opj_j2k_exec(p_j2k, p_j2k->m_procedure_list, p_stream, p_manager)) {\n opj_image_destroy(p_j2k->m_private_image);\n p_j2k->m_private_image = NULL;\n return OPJ_FALSE;\n }\n\n /* Move data and copy one information from codec to output image*/\n return opj_j2k_move_data_from_codec_to_output_image(p_j2k, p_image);\n}", "project": "openjpeg", "hash": 295795131060423848126454040971913324099, "size": 57, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357279 }, { "func": " void pushArrayData(ArrayData* data) {\n auto const tv = top++;\n tv->m_type = data->toDataType();\n tv->m_data.parr = data;\n assertx(IMPLIES(arrprov::arrayWantsTag(data), arrprov::getTag(data)));\n }", "project": "hhvm", "hash": 17165751775902333662458717559051505083, "size": 6, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227309 }, { "func": "static int sctp_setsockopt_pr_supported(struct sock *sk,\n\t\t\t\t\tstruct sctp_assoc_value *params,\n\t\t\t\t\tunsigned int optlen)\n{\n\tstruct sctp_association *asoc;\n\n\tif (optlen != sizeof(*params))\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, params->assoc_id);\n\tif (!asoc && params->assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tsctp_sk(sk)->ep->prsctp_enable = !!params->assoc_value;\n\n\treturn 0;\n}", "project": "linux", "hash": 316403230185490666335969175364137564461, "size": 18, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race 
condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398091 }, { "func": "UnicodeStringTest::TestWCharPointers() {\n#if U_SIZEOF_WCHAR_T==2\n static const wchar_t carr[] = { 0x61, 0x62, 0x63, 0 };\n wchar_t arr[4];\n\n UnicodeString expected(u\"abc\");\n assertEquals(\"abc from pointer\", expected, UnicodeString(carr));\n assertEquals(\"abc from pointer+length\", expected, UnicodeString(carr, 3));\n assertEquals(\"abc from read-only-alias pointer\", expected, UnicodeString(TRUE, carr, 3));\n\n UnicodeString alias(arr, 0, 4);\n alias.append(u'a').append(u'b').append(u'c');\n assertEquals(\"abc from writable alias\", expected, alias);\n assertEquals(\"buffer=abc from writable alias\", expected, UnicodeString(arr, 3));\n\n UErrorCode errorCode = U_ZERO_ERROR;\n int32_t length = UnicodeString(u\"def\").extract(arr, 4, errorCode);\n assertSuccess(WHERE, errorCode);\n assertEquals(\"def from extract()\", UnicodeString(u\"def\"), UnicodeString(arr, length));\n#endif\n}", "project": "icu", "hash": 251340757197362525323495445368584290023, "size": 21, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", 
"target": 0, "dataset": "other", "idx": 430812 }, { "func": "static void kvm_vcpu_init(struct kvm_vcpu *vcpu, struct kvm *kvm, unsigned id)\n{\n\tmutex_init(&vcpu->mutex);\n\tvcpu->cpu = -1;\n\tvcpu->kvm = kvm;\n\tvcpu->vcpu_id = id;\n\tvcpu->pid = NULL;\n\tinit_swait_queue_head(&vcpu->wq);\n\tkvm_async_pf_vcpu_init(vcpu);\n\n\tvcpu->pre_pcpu = -1;\n\tINIT_LIST_HEAD(&vcpu->blocked_vcpu_list);\n\n\tkvm_vcpu_set_in_spin_loop(vcpu, false);\n\tkvm_vcpu_set_dy_eligible(vcpu, false);\n\tvcpu->preempted = false;\n\tvcpu->ready = false;\n\tpreempt_notifier_init(&vcpu->preempt_notifier, &kvm_preempt_ops);\n}", "project": "linux", "hash": 71324060916552842268504982005906050814, "size": 19, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354680 }, { "func": "static void kvm_vcpu_init(struct kvm_vcpu *vcpu, struct kvm *kvm, unsigned id)\n{\n\tmutex_init(&vcpu->mutex);\n\tvcpu->cpu = -1;\n\tvcpu->kvm = kvm;\n\tvcpu->vcpu_id = id;\n\tvcpu->pid = NULL;\n\trcuwait_init(&vcpu->wait);\n\tkvm_async_pf_vcpu_init(vcpu);\n\n\tvcpu->pre_pcpu = -1;\n\tINIT_LIST_HEAD(&vcpu->blocked_vcpu_list);\n\n\tkvm_vcpu_set_in_spin_loop(vcpu, false);\n\tkvm_vcpu_set_dy_eligible(vcpu, false);\n\tvcpu->preempted = false;\n\tvcpu->ready = false;\n\tpreempt_notifier_init(&vcpu->preempt_notifier, &kvm_preempt_ops);\n}", "project": 
"linux", "hash": 173385969525743142386643735009096766969, "size": 19, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404110 }, { "func": "static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_role_discovery *rp = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));\n\tif (conn)\n\t\tconn->role = rp->role;\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 125167701549348242036020050594407195421, "size": 18, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432009 }, { "func": "static int nfs4_xattr_get_nfs4_label(const struct xattr_handler *handler,\n\t\t\t\t struct dentry *unused, struct inode *inode,\n\t\t\t\t const char *key, void *buf, size_t buflen)\n{\n\tif (security_ismaclabel(key))\n\t\treturn nfs4_get_security_label(inode, buf, buflen);\n\treturn -EOPNOTSUPP;\n}", "project": "linux", "hash": 300718667297935161477412385395981705497, "size": 8, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431150 }, { "func": "static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata,\n\t\tint flags, struct nfs_open_context *ctx)\n{\n\tstruct nfs4_state_owner *sp = opendata->owner;\n\tstruct nfs_server *server = sp->so_server;\n\tstruct dentry *dentry;\n\tstruct nfs4_state *state;\n\tfmode_t acc_mode = _nfs4_ctx_to_accessmode(ctx);\n\tstruct inode *dir = d_inode(opendata->dir);\n\tunsigned long dir_verifier;\n\tunsigned int seq;\n\tint ret;\n\n\tseq = raw_seqcount_begin(&sp->so_reclaim_seqcount);\n\tdir_verifier = nfs_save_change_attribute(dir);\n\n\tret = _nfs4_proc_open(opendata, ctx);\n\tif (ret != 0)\n\t\tgoto out;\n\n\tstate = _nfs4_opendata_to_nfs4_state(opendata);\n\tret = PTR_ERR(state);\n\tif (IS_ERR(state))\n\t\tgoto 
out;\n\tctx->state = state;\n\tif (server->caps & NFS_CAP_POSIX_LOCK)\n\t\tset_bit(NFS_STATE_POSIX_LOCKS, &state->flags);\n\tif (opendata->o_res.rflags & NFS4_OPEN_RESULT_MAY_NOTIFY_LOCK)\n\t\tset_bit(NFS_STATE_MAY_NOTIFY_LOCK, &state->flags);\n\n\tdentry = opendata->dentry;\n\tif (d_really_is_negative(dentry)) {\n\t\tstruct dentry *alias;\n\t\td_drop(dentry);\n\t\talias = d_exact_alias(dentry, state->inode);\n\t\tif (!alias)\n\t\t\talias = d_splice_alias(igrab(state->inode), dentry);\n\t\t/* d_splice_alias() can't fail here - it's a non-directory */\n\t\tif (alias) {\n\t\t\tdput(ctx->dentry);\n\t\t\tctx->dentry = dentry = alias;\n\t\t}\n\t}\n\n\tswitch(opendata->o_arg.claim) {\n\tdefault:\n\t\tbreak;\n\tcase NFS4_OPEN_CLAIM_NULL:\n\tcase NFS4_OPEN_CLAIM_DELEGATE_CUR:\n\tcase NFS4_OPEN_CLAIM_DELEGATE_PREV:\n\t\tif (!opendata->rpc_done)\n\t\t\tbreak;\n\t\tif (opendata->o_res.delegation_type != 0)\n\t\t\tdir_verifier = nfs_save_change_attribute(dir);\n\t\tnfs_set_verifier(dentry, dir_verifier);\n\t}\n\n\t/* Parse layoutget results before we check for access */\n\tpnfs_parse_lgopen(state->inode, opendata->lgp, ctx);\n\n\tret = nfs4_opendata_access(sp->so_cred, opendata, state,\n\t\t\tacc_mode, flags);\n\tif (ret != 0)\n\t\tgoto out;\n\n\tif (d_inode(dentry) == state->inode) {\n\t\tnfs_inode_attach_open_context(ctx);\n\t\tif (read_seqcount_retry(&sp->so_reclaim_seqcount, seq))\n\t\t\tnfs4_schedule_stateid_recovery(server, state);\n\t}\n\nout:\n\tif (!opendata->cancelled)\n\t\tnfs4_sequence_free_slot(&opendata->o_res.seq_res);\n\treturn ret;\n}", "project": "linux", "hash": 88488132374394764092745245531070845992, "size": 76, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell 
\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431077 }, { "func": "static int huf_decode(VLC *vlc, GetByteContext *gb, int nbits, int run_sym,\n int no, uint16_t *out)\n{\n GetBitContext gbit;\n int oe = 0;\n\n init_get_bits(&gbit, gb->buffer, nbits);\n while (get_bits_left(&gbit) > 0 && oe < no) {\n uint16_t x = get_vlc2(&gbit, vlc->table, 12, 3);\n\n if (x == run_sym) {\n int run = get_bits(&gbit, 8);\n uint16_t fill;\n\n if (oe == 0 || oe + run > no)\n return AVERROR_INVALIDDATA;\n\n fill = out[oe - 1];\n\n while (run-- > 0)\n out[oe++] = fill;\n } else {\n out[oe++] = x;\n }\n }\n\n return 0;\n}", "project": "FFmpeg", "hash": 96374039110415559257291860802359758919, "size": 28, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262678 }, { "func": " bool get_date(MYSQL_TIME *ltime, ulonglong fuzzydate)\n {\n if (check_null_ref())\n {\n bzero((char*) ltime,sizeof(*ltime));\n return 1;\n }\n return Item_direct_ref::get_date(ltime, fuzzydate);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 221748593945202915465189916557010659319, "size": 9, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509309 }, { "func": " bool get_date(MYSQL_TIME *ltime, ulonglong fuzzy_date)\n {\n *ltime= cached_time;\n return (null_value= false);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 132281319086868714334496373853534641346, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509326 }, { "func": "bool f_imageistruecolor(const Resource& image) {\n gdImagePtr im = get_valid_image_resource(image);\n if (!im) return false;\n return im->trueColor;\n}", "project": "hhvm", "hash": 259752885365964708926055682456893598274, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219182 }, { "func": "int tracer_init(struct tracer *t, struct trace_array *tr)\n{\n\ttracing_reset_online_cpus(&tr->trace_buffer);\n\treturn t->init(tr);\n}", "project": "linux", "hash": 182518761726192535242531970039058436945, "size": 5, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445802 }, { "func": "int check_nthreads(blosc2_context* context) {\n if (context->nthreads <= 0) {\n fprintf(stderr, \"Error. 
nthreads must be a positive integer\");\n return -1;\n }\n\n if (context->new_nthreads != context->nthreads) {\n if (context->nthreads > 1) {\n release_threadpool(context);\n }\n context->nthreads = context->new_nthreads;\n }\n if (context->new_nthreads > 1 && context->threads_started == 0) {\n init_threadpool(context);\n }\n\n return context->nthreads;\n}", "project": "c-blosc2", "hash": 267822791331476793736529639109679638916, "size": 18, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303088 }, { "func": "void free_thread_context(struct thread_context* thread_context) {\n destroy_thread_context(thread_context);\n my_free(thread_context);\n}", "project": "c-blosc2", "hash": 307044102310577073385406719199733336342, "size": 4, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303084 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " void Initialize() {\n EXPECT_CALL(*this, FrameReady(media::VideoDecoder::kOk, _));\n decoder_->Read(read_cb_);\n\n EXPECT_CALL(*vc_manager_, AddDevice(_, _))\n .WillOnce(Return(vc_impl_.get()));\n int buffer_count = 1;\n EXPECT_CALL(*vc_impl_, StartCapture(capture_client(), _))\n .Times(1)\n .WillOnce(CreateDataBufferFromCapture(capture_client(),\n vc_impl_.get(),\n buffer_count));\n EXPECT_CALL(*vc_impl_, FeedBuffer(_))\n .Times(buffer_count)\n .WillRepeatedly(DeleteDataBuffer());\n\n decoder_->Initialize(NULL,\n media::NewExpectedStatusCB(media::PIPELINE_OK),\n NewStatisticsCB());\n message_loop_->RunAllPending();\n }\n", "cwe": "", "big_vul_idx": 113323, "idx": 101616, "hash": 247639671081800614137395276502060921736 }, { "project": "Chrome", "commit_id": 
"1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " void Initialize() {\n InitializeWithConfig(config_);\n }\n", "cwe": "", "big_vul_idx": 113341, "idx": 101633, "hash": 148444245232898596114698148537512233869 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "void VideoRendererBase::Initialize(const scoped_refptr& decoder,\n const PipelineStatusCB& status_cb,\n const StatisticsCB& statistics_cb,\n const TimeCB& time_cb) {\n base::AutoLock auto_lock(lock_);\n DCHECK(decoder);\n DCHECK(!status_cb.is_null());\n DCHECK(!statistics_cb.is_null());\n DCHECK(!time_cb.is_null());\n DCHECK_EQ(kUninitialized, state_);\n decoder_ = decoder;\n\n statistics_cb_ = statistics_cb;\n time_cb_ = time_cb;\n\n host()->SetNaturalVideoSize(decoder_->natural_size());\n\n state_ = kFlushed;\n\n set_opaque_cb_.Run(!decoder->HasAlpha());\n set_opaque_cb_.Reset();\n\n if (!base::PlatformThread::Create(0, this, &thread_)) {\n NOTREACHED() << \"Video thread creation failed\";\n state_ = kError;\n status_cb.Run(PIPELINE_ERROR_INITIALIZATION_FAILED);\n return;\n }\n\n#if defined(OS_WIN)\n ::SetThreadPriority(thread_, THREAD_PRIORITY_ABOVE_NORMAL);\n#endif // defined(OS_WIN)\n status_cb.Run(PIPELINE_OK);\n}\n", "cwe": "", "big_vul_idx": 113354, "idx": 101644, "hash": 125654977169550053918320077554523588691 }, { "func": "void Initialize(v8::Local exports,\n v8::Local unused,\n v8::Local context,\n void* priv) {\n v8::Isolate* isolate = context->GetIsolate();\n gin_helper::Dictionary dict(isolate, exports);\n dict.Set(\"WebContents\", WebContents::GetConstructor(isolate)\n ->GetFunction(context)\n .ToLocalChecked());\n dict.SetMethod(\"create\", &WebContents::Create);\n dict.SetMethod(\"fromId\", &WebContents::FromWeakMapID);\n dict.SetMethod(\"getAllWebContents\", &WebContents::GetAll);\n}", "project": "electron", "hash": 280594609188521383089948128321769067648, "size": 13, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", 
"message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269719 }, { "func": "static bool create_ref_for_key(JOIN *join, JOIN_TAB *j,\n KEYUSE *org_keyuse, bool allow_full_scan, \n table_map used_tables)\n{\n uint keyparts, length, key;\n TABLE *table;\n KEY *keyinfo;\n KEYUSE *keyuse= org_keyuse;\n bool ftkey= (keyuse->keypart == FT_KEYPART);\n THD *thd= join->thd;\n DBUG_ENTER(\"create_ref_for_key\");\n\n /* Use best key from find_best */\n table= j->table;\n key= keyuse->key;\n if (!is_hash_join_key_no(key))\n keyinfo= table->key_info+key;\n else\n {\n if (create_hj_key_for_table(join, j, org_keyuse, used_tables))\n DBUG_RETURN(TRUE);\n keyinfo= j->hj_key;\n }\n\n if (ftkey)\n {\n Item_func_match *ifm=(Item_func_match *)keyuse->val;\n\n length=0;\n keyparts=1;\n ifm->join_key=1;\n }\n else\n {\n keyparts=length=0;\n uint found_part_ref_or_null= 0;\n /*\n Calculate length for the used key\n Stop if there is a missing key part or when we find second key_part\n with KEY_OPTIMIZE_REF_OR_NULL\n */\n do\n {\n if (!(~used_tables & keyuse->used_tables) &&\n (!keyuse->validity_ref || *keyuse->validity_ref) &&\n\t j->keyuse_is_valid_for_access_in_chosen_plan(join, keyuse))\n {\n if (are_tables_local(j, keyuse->val->used_tables()))\n {\n if ((is_hash_join_key_no(key) && keyuse->keypart != NO_KEYPART) ||\n (!is_hash_join_key_no(key) && keyparts == keyuse->keypart &&\n !(found_part_ref_or_null & keyuse->optimize)))\n {\n length+= keyinfo->key_part[keyparts].store_length;\n keyparts++;\n found_part_ref_or_null|= keyuse->optimize & ~KEY_OPTIMIZE_EQ;\n }\n }\n }\n keyuse++;\n } while (keyuse->table == table && keyuse->key == key);\n\n if 
(!keyparts && allow_full_scan)\n {\n /* It's a LooseIndexScan strategy scanning whole index */\n j->type= JT_ALL;\n j->index= key;\n DBUG_RETURN(FALSE);\n }\n\n DBUG_ASSERT(length > 0);\n DBUG_ASSERT(keyparts != 0);\n } /* not ftkey */\n \n /* set up fieldref */\n j->ref.key_parts= keyparts;\n j->ref.key_length= length;\n j->ref.key= (int) key;\n if (!(j->ref.key_buff= (uchar*) thd->calloc(ALIGN_SIZE(length)*2)) ||\n !(j->ref.key_copy= (store_key**) thd->alloc((sizeof(store_key*) *\n\t\t\t\t\t\t (keyparts+1)))) ||\n !(j->ref.items=(Item**) thd->alloc(sizeof(Item*)*keyparts)) ||\n !(j->ref.cond_guards= (bool**) thd->alloc(sizeof(uint*)*keyparts)))\n {\n DBUG_RETURN(TRUE);\n }\n j->ref.key_buff2=j->ref.key_buff+ALIGN_SIZE(length);\n j->ref.key_err=1;\n j->ref.has_record= FALSE;\n j->ref.null_rejecting= 0;\n j->ref.disable_cache= FALSE;\n j->ref.null_ref_part= NO_REF_PART;\n j->ref.const_ref_part_map= 0;\n j->ref.uses_splitting= FALSE;\n keyuse=org_keyuse;\n\n store_key **ref_key= j->ref.key_copy;\n uchar *key_buff=j->ref.key_buff, *null_ref_key= 0;\n uint null_ref_part= NO_REF_PART;\n bool keyuse_uses_no_tables= TRUE;\n uint not_null_keyparts= 0;\n if (ftkey)\n {\n j->ref.items[0]=((Item_func*)(keyuse->val))->key_item();\n /* Predicates pushed down into subquery can't be used FT access */\n j->ref.cond_guards[0]= NULL;\n if (keyuse->used_tables)\n DBUG_RETURN(TRUE); // not supported yet. 
SerG\n\n j->type=JT_FT;\n }\n else\n {\n uint i;\n for (i=0 ; i < keyparts ; keyuse++,i++)\n {\n while (((~used_tables) & keyuse->used_tables) ||\n (keyuse->validity_ref && !(*keyuse->validity_ref)) ||\n\t !j->keyuse_is_valid_for_access_in_chosen_plan(join, keyuse) ||\n keyuse->keypart == NO_KEYPART ||\n\t (keyuse->keypart != \n (is_hash_join_key_no(key) ?\n keyinfo->key_part[i].field->field_index : i)) || \n !are_tables_local(j, keyuse->val->used_tables())) \n\t keyuse++; \t/* Skip other parts */ \n\n uint maybe_null= MY_TEST(keyinfo->key_part[i].null_bit);\n j->ref.items[i]=keyuse->val;\t\t// Save for cond removal\n j->ref.cond_guards[i]= keyuse->cond_guard;\n\n if (!keyuse->val->maybe_null || keyuse->null_rejecting)\n not_null_keyparts++;\n /*\n Set ref.null_rejecting to true only if we are going to inject a\n \"keyuse->val IS NOT NULL\" predicate.\n */\n Item *real= (keyuse->val)->real_item();\n if (keyuse->null_rejecting && (real->type() == Item::FIELD_ITEM) &&\n ((Item_field*)real)->field->maybe_null())\n j->ref.null_rejecting|= (key_part_map)1 << i;\n\n keyuse_uses_no_tables= keyuse_uses_no_tables && !keyuse->used_tables;\n j->ref.uses_splitting |= (keyuse->validity_ref != NULL);\n /*\n We don't want to compute heavy expressions in EXPLAIN, an example would\n select * from t1 where t1.key=(select thats very heavy);\n\n (select thats very heavy) => is a constant here\n eg: (select avg(order_cost) from orders) => constant but expensive\n */\n if (!keyuse->val->used_tables() && !thd->lex->describe)\n {\t\t\t\t\t// Compare against constant\n store_key_item tmp(thd,\n keyinfo->key_part[i].field,\n key_buff + maybe_null,\n maybe_null ? 
key_buff : 0,\n keyinfo->key_part[i].length,\n keyuse->val,\n FALSE);\n if (unlikely(thd->is_fatal_error))\n DBUG_RETURN(TRUE);\n tmp.copy();\n j->ref.const_ref_part_map |= key_part_map(1) << i ;\n }\n else\n {\n *ref_key++= get_store_key(thd,\n keyuse,join->const_table_map,\n &keyinfo->key_part[i],\n key_buff, maybe_null);\n if (!keyuse->val->used_tables())\n j->ref.const_ref_part_map |= key_part_map(1) << i ;\n }\n /*\n\tRemember if we are going to use REF_OR_NULL\n\tBut only if field _really_ can be null i.e. we force JT_REF\n\tinstead of JT_REF_OR_NULL in case if field can't be null\n */\n if ((keyuse->optimize & KEY_OPTIMIZE_REF_OR_NULL) && maybe_null)\n {\n\tnull_ref_key= key_buff;\n null_ref_part= i;\n }\n key_buff+= keyinfo->key_part[i].store_length;\n }\n } /* not ftkey */\n *ref_key=0;\t\t\t\t// end_marker\n if (j->type == JT_FT)\n DBUG_RETURN(0);\n ulong key_flags= j->table->actual_key_flags(keyinfo);\n if (j->type == JT_CONST)\n j->table->const_table= 1;\n else if (!((keyparts == keyinfo->user_defined_key_parts &&\n (\n (key_flags & (HA_NOSAME | HA_NULL_PART_KEY)) == HA_NOSAME ||\n /* Unique key and all keyparts are NULL rejecting */\n ((key_flags & HA_NOSAME) && keyparts == not_null_keyparts)\n )) ||\n /* true only for extended keys */\n (keyparts > keyinfo->user_defined_key_parts &&\n MY_TEST(key_flags & HA_EXT_NOSAME) &&\n keyparts == keyinfo->ext_key_parts)\n ) ||\n null_ref_key)\n {\n /* Must read with repeat */\n j->type= null_ref_key ? JT_REF_OR_NULL : JT_REF;\n j->ref.null_ref_key= null_ref_key;\n j->ref.null_ref_part= null_ref_part;\n }\n else if (keyuse_uses_no_tables)\n {\n /*\n This happen if we are using a constant expression in the ON part\n of an LEFT JOIN.\n SELECT * FROM a LEFT JOIN b ON b.key=30\n Here we should not mark the table as a 'const' as a field may\n have a 'normal' value or a NULL value.\n */\n j->type=JT_CONST;\n }\n else\n j->type=JT_EQ_REF;\n\n j->read_record.unlock_row= (j->type == JT_EQ_REF)? 
\n join_read_key_unlock_row : rr_unlock_row; \n DBUG_RETURN(0);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 90529961878130105488153995864719825698, "size": 228, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508461 }, { "func": "static enum print_line_t print_trace_fmt(struct trace_iterator *iter)\n{\n\tstruct trace_array *tr = iter->tr;\n\tstruct trace_seq *s = &iter->seq;\n\tunsigned long sym_flags = (tr->trace_flags & TRACE_ITER_SYM_MASK);\n\tstruct trace_entry *entry;\n\tstruct trace_event *event;\n\n\tentry = iter->ent;\n\n\ttest_cpu_buff_start(iter);\n\n\tevent = ftrace_find_event(entry->type);\n\n\tif (tr->trace_flags & TRACE_ITER_CONTEXT_INFO) {\n\t\tif (iter->iter_flags & TRACE_FILE_LAT_FMT)\n\t\t\ttrace_print_lat_context(iter);\n\t\telse\n\t\t\ttrace_print_context(iter);\n\t}\n\n\tif (trace_seq_has_overflowed(s))\n\t\treturn TRACE_TYPE_PARTIAL_LINE;\n\n\tif (event)\n\t\treturn event->funcs->trace(iter, sym_flags, event);\n\n\ttrace_seq_printf(s, \"Unknown type %d\\n\", entry->type);\n\n\treturn 
trace_handle_return(s);\n}", "project": "linux", "hash": 298628334520626131905156409842199013754, "size": 31, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445691 }, { "func": "static void fuse_readahead(struct readahead_control *rac)\n{\n\tstruct inode *inode = rac->mapping->host;\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tunsigned int i, max_pages, nr_pages = 0;\n\n\tif (fuse_is_bad(inode))\n\t\treturn;\n\n\tmax_pages = min_t(unsigned int, fc->max_pages,\n\t\t\tfc->max_read / PAGE_SIZE);\n\n\tfor (;;) {\n\t\tstruct fuse_io_args *ia;\n\t\tstruct fuse_args_pages *ap;\n\n\t\tnr_pages = readahead_count(rac) - nr_pages;\n\t\tif (nr_pages > max_pages)\n\t\t\tnr_pages = max_pages;\n\t\tif (nr_pages == 0)\n\t\t\tbreak;\n\t\tia = fuse_io_alloc(NULL, nr_pages);\n\t\tif (!ia)\n\t\t\treturn;\n\t\tap = &ia->ap;\n\t\tnr_pages = __readahead_batch(rac, ap->pages, nr_pages);\n\t\tfor (i = 0; i < nr_pages; i++) {\n\t\t\tfuse_wait_on_page_writeback(inode,\n\t\t\t\t\t\t readahead_index(rac) + i);\n\t\t\tap->descs[i].length = PAGE_SIZE;\n\t\t}\n\t\tap->num_pages = nr_pages;\n\t\tfuse_send_readpages(ia, rac->file);\n\t}\n}", "project": "linux", "hash": 14698929803452259346569666100921492374, "size": 35, "commit_id": 
"5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342104 }, { "func": " enum_field_types field_type_for_temporal_comparison(const Item *other) const\n {\n if (cmp_type() == TIME_RESULT)\n {\n if (other->cmp_type() == TIME_RESULT)\n return Field::field_type_merge(field_type(), other->field_type());\n else\n return field_type();\n }\n else\n {\n if (other->cmp_type() == TIME_RESULT)\n return other->field_type();\n DBUG_ASSERT(0); // Two non-temporal data types, we should not get to here\n return MYSQL_TYPE_DATETIME;\n }\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 108793612182775606711685775131105450177, "size": 17, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509448 }, { "func": "void disable_trace_on_warning(void)\n{\n\tif (__disable_trace_on_warning)\n\t\ttracing_off();\n}", "project": "linux", "hash": 134669305512603926699487718541779413542, "size": 5, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445680 }, { "func": "void invert_screen(struct vc_data *vc, int offset, int count, int viewed)\n{\n\tunsigned short *p;\n\n\tWARN_CONSOLE_UNLOCKED();\n\n\tcount /= 2;\n\tp = screenpos(vc, offset, viewed);\n\tif (vc->vc_sw->con_invert_region) {\n\t\tvc->vc_sw->con_invert_region(vc, p, count);\n\t} else {\n\t\tu16 *q = p;\n\t\tint cnt = count;\n\t\tu16 a;\n\n\t\tif (!vc->vc_can_do_color) {\n\t\t\twhile (cnt--) {\n\t\t\t a = scr_readw(q);\n\t\t\t a ^= 0x0800;\n\t\t\t scr_writew(a, q);\n\t\t\t q++;\n\t\t\t}\n\t\t} else if (vc->vc_hi_font_mask == 0x100) {\n\t\t\twhile (cnt--) {\n\t\t\t\ta = scr_readw(q);\n\t\t\t\ta = ((a) & 0x11ff) | (((a) & 0xe000) >> 4) | (((a) & 0x0e00) << 4);\n\t\t\t\tscr_writew(a, q);\n\t\t\t\tq++;\n\t\t\t}\n\t\t} else {\n\t\t\twhile (cnt--) {\n\t\t\t\ta = scr_readw(q);\n\t\t\t\ta = ((a) & 0x88ff) | (((a) & 0x7000) >> 4) | (((a) & 0x0700) << 4);\n\t\t\t\tscr_writew(a, q);\n\t\t\t\tq++;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (con_should_update(vc))\n\t\tdo_update_region(vc, (unsigned long) p, count);\n\tnotify_update(vc);\n}", "project": "linux", "hash": 242387077566602534552697730742664871454, "size": 43, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. 
But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 
(\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437074 }, { "func": "static int ep_send_events(struct eventpoll *ep,\n\t\t\t struct epoll_event __user *events, int maxevents)\n{\n\tstruct ep_send_events_data esed;\n\n\tesed.maxevents = maxevents;\n\tesed.events = events;\n\n\tep_scan_ready_list(ep, ep_send_events_proc, &esed, 0, false);\n\treturn esed.res;\n}", "project": "linux", "hash": 195169289185819503941034431709603449996, "size": 11, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336243 }, { "func": "static int nfs4_proc_link(struct inode *inode, struct inode *dir, const struct qstr *name)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\tdo {\n\t\terr = nfs4_handle_exception(NFS_SERVER(inode),\n\t\t\t\t_nfs4_proc_link(inode, dir, name),\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 70309068819627468470920362246464418490, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431200 }, { "func": "static int grow_islands(void) {\n\tint x, y, n, run;\n\tint diffs = 0, ct;\n\n\t/*\n\t * n.b. 
the way we scan here should keep an extension going,\n\t * and so also fill in gaps effectively...\n\t */\n\n\t/* left to right: */\n\tfor (y=0; y < ntiles_y; y++) {\n\t\trun = 0;\n\t\tfor (x=0; x <= ntiles_x - 2; x++) {\n\t\t\tct = island_try(x, y, x+1, y, &run);\n\t\t\tif (ct < 0) return ct;\t/* fatal */\n\t\t}\n\t}\n\t/* right to left: */\n\tfor (y=0; y < ntiles_y; y++) {\n\t\trun = 0;\n\t\tfor (x = ntiles_x - 1; x >= 1; x--) {\n\t\t\tct = island_try(x, y, x-1, y, &run);\n\t\t\tif (ct < 0) return ct;\t/* fatal */\n\t\t}\n\t}\n\tfor (n=0; n < ntiles; n++) {\n\t\tif (tile_has_diff[n]) {\n\t\t\tdiffs++;\n\t\t}\n\t}\n\treturn diffs;\n}", "project": "x11vnc", "hash": 208858332240621368616632917819965462331, "size": 32, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360775 }, { "func": "R_API char* r_str_highlight(char *str, const char *word, const char *color, const char *color_reset) {\n\tif (!str || !*str) {\n\t\treturn NULL;\n\t}\n\tut32 i = 0, j = 0, to_copy;\n\tchar *start = str;\n\tut32 l_str = strlen (str);\n\tut32 l_reset = strlen (color_reset);\n\tut32 l_color = color? strlen (color): 0;\n\tif (!color) {\n\t\treturn strdup (str);\n\t}\n\tif (!word || !*word) {\n\t\treturn r_str_newf (\"%s%s%s\", color, str, color_reset);\n\t}\n\tut32 l_word = strlen (word);\n\t// XXX don't use static buffers\n\tchar o[1024] = {0};\n\twhile (start && (start < str + l_str)) {\n\t\tint copied = 0;\n\t\t// find first letter\n\t\tstart = strchr_skip_color_codes (str + i, *word);\n\t\tif (start) {\n\t\t\tto_copy = start - (str + i);\n\t\t\tif (to_copy + j + 1 > sizeof (o)) {\n\t\t\t\t// XXX. no limits\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tstrncpy (o + j, str + i, to_copy);\n\t\t\ti += to_copy;\n\t\t\tj += to_copy;\n\t\t\tif (!strncmp_skip_color_codes (start, word, l_word)) {\n\t\t\t\tif (j + strlen (color) >= sizeof (o)) {\n\t\t\t\t\t// XXX. 
no limits\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tstrcpy (o + j, color);\n\t\t\t\tj += l_color;\n\t\t\t\tif (j + l_word >= sizeof (o)) {\n\t\t\t\t\t// XXX. no limits\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tcopied = strncpy_with_color_codes (o + j, str + i, l_word);\n\t\t\t\ti += copied;\n\t\t\t\tj += copied;\n\t\t\t\tif (j + strlen (color_reset) >= sizeof (o)) {\n\t\t\t\t\t// XXX. no limits\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tstrcpy (o + j, color_reset);\n\t\t\t\tj += l_reset;\n\t\t\t} else {\n\t\t\t\to[j++] = str[i++];\n\t\t\t}\n\t\t} else {\n\t\t\tif (j + strlen (str + i) >= sizeof (o)) {\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tstrcpy (o + j, str + i);\n\t\t\tbreak;\n\t\t}\n\t}\n\treturn strdup (o);\n}", "project": "radare2", "hash": 337729516635353930402578838534092934610, "size": 64, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269090 }, { "func": "static int ep_create_wakeup_source(struct epitem *epi)\n{\n\tconst char *name;\n\tstruct wakeup_source *ws;\n\n\tif (!epi->ep->ws) {\n\t\tepi->ep->ws = wakeup_source_register(NULL, \"eventpoll\");\n\t\tif (!epi->ep->ws)\n\t\t\treturn -ENOMEM;\n\t}\n\n\tname = epi->ffd.file->f_path.dentry->d_name.name;\n\tws = wakeup_source_register(NULL, name);\n\n\tif (!ws)\n\t\treturn -ENOMEM;\n\trcu_assign_pointer(epi->ws, ws);\n\n\treturn 0;\n}", "project": "linux", "hash": 95756428136076513680377200086611425730, "size": 20, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336226 }, { "project": "Chrome", "commit_id": "123e68f88fd0ed4f7447ba81148f9b619b947c47", "target": 1, "func": "File* DataObjectItem::GetAsFile() const {\n if (Kind() != kFileKind)\n return nullptr;\n\n if (source_ == kInternalSource) {\n if (file_)\n return file_.Get();\n DCHECK(shared_buffer_);\n return nullptr;\n }\n\n DCHECK_EQ(source_, kClipboardSource);\n if (GetType() == kMimeTypeImagePng) {\n SkBitmap bitmap = SystemClipboard::GetInstance().ReadImage(\n mojom::ClipboardBuffer::kStandard);\n\n SkPixmap pixmap;\n bitmap.peekPixels(&pixmap);\n \n Vector png_data;\n SkPngEncoder::Options options;\n options.fZLibLevel = 1; // Fastest compression.\n if 
(!ImageEncoder::Encode(&png_data, pixmap, options))\n return nullptr;\n \n auto data = std::make_unique();\n data->SetContentType(kMimeTypeImagePng);\n data->AppendBytes(png_data.data(), png_data.size());\n const uint64_t length = data->length();\n auto blob = BlobDataHandle::Create(std::move(data), length);\n return File::Create(\"image.png\", base::Time::Now().ToDoubleT() * 1000.0,\n std::move(blob));\n }\n\n return nullptr;\n}\n", "cwe": "", "big_vul_idx": 183613, "idx": 4678, "hash": 302659875351380439224615645999140556334 }, { "project": "Chrome", "commit_id": "123e68f88fd0ed4f7447ba81148f9b619b947c47", "target": 0, "func": "File* DataObjectItem::GetAsFile() const {\n if (Kind() != kFileKind)\n return nullptr;\n\n if (source_ == kInternalSource) {\n if (file_)\n return file_.Get();\n DCHECK(shared_buffer_);\n return nullptr;\n }\n\n DCHECK_EQ(source_, kClipboardSource);\n if (GetType() == kMimeTypeImagePng) {\n SkBitmap bitmap = SystemClipboard::GetInstance().ReadImage(\n mojom::ClipboardBuffer::kStandard);\n\n SkPixmap pixmap;\n bitmap.peekPixels(&pixmap);\n \n // Set encoding options to favor speed over size.\n SkPngEncoder::Options options;\n options.fZLibLevel = 1;\n options.fFilterFlags = SkPngEncoder::FilterFlag::kNone;\n\n Vector png_data;\n if (!ImageEncoder::Encode(&png_data, pixmap, options))\n return nullptr;\n \n auto data = std::make_unique();\n data->SetContentType(kMimeTypeImagePng);\n data->AppendBytes(png_data.data(), png_data.size());\n const uint64_t length = data->length();\n auto blob = BlobDataHandle::Create(std::move(data), length);\n return File::Create(\"image.png\", base::Time::Now().ToDoubleT() * 1000.0,\n std::move(blob));\n }\n\n return nullptr;\n}\n", "cwe": "", "big_vul_idx": 183613, "idx": 161816, "hash": 99565885850033950966117426207956082917 }, { "func": "static u32 cmpxchg_futex_value_locked(u32 __user *uaddr, u32 uval, u32 newval)\n{\n\tu32 curval;\n\n\tpagefault_disable();\n\tcurval = futex_atomic_cmpxchg_inatomic(uaddr, 
uval, newval);\n\tpagefault_enable();\n\n\treturn curval;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 45340732479448226101094214526829384660, "size": 10, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492297 }, { "func": "static void create_eir(struct hci_dev *hdev, u8 *data)\n{\n\tu8 *ptr = data;\n\tsize_t name_len;\n\n\tname_len = strlen(hdev->dev_name);\n\n\tif (name_len > 0) {\n\t\t/* EIR Data type */\n\t\tif (name_len > 48) {\n\t\t\tname_len = 48;\n\t\t\tptr[1] = EIR_NAME_SHORT;\n\t\t} else\n\t\t\tptr[1] = EIR_NAME_COMPLETE;\n\n\t\t/* EIR Data length */\n\t\tptr[0] = name_len + 
1;\n\n\t\tmemcpy(ptr + 2, hdev->dev_name, name_len);\n\n\t\tptr += (name_len + 2);\n\t}\n\n\tif (hdev->inq_tx_power != HCI_TX_POWER_INVALID) {\n\t\tptr[0] = 2;\n\t\tptr[1] = EIR_TX_POWER;\n\t\tptr[2] = (u8) hdev->inq_tx_power;\n\n\t\tptr += 3;\n\t}\n\n\tif (hdev->devid_source > 0) {\n\t\tptr[0] = 9;\n\t\tptr[1] = EIR_DEVICE_ID;\n\n\t\tput_unaligned_le16(hdev->devid_source, ptr + 2);\n\t\tput_unaligned_le16(hdev->devid_vendor, ptr + 4);\n\t\tput_unaligned_le16(hdev->devid_product, ptr + 6);\n\t\tput_unaligned_le16(hdev->devid_version, ptr + 8);\n\n\t\tptr += 10;\n\t}\n\n\tptr = create_uuid16_list(hdev, ptr, HCI_MAX_EIR_LENGTH - (ptr - data));\n\tptr = create_uuid32_list(hdev, ptr, HCI_MAX_EIR_LENGTH - (ptr - data));\n\tptr = create_uuid128_list(hdev, ptr, HCI_MAX_EIR_LENGTH - (ptr - data));\n}", "project": "linux", "hash": 32951550670231327422447344707592910451, "size": 47, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402496 }, { "func": "static void nfs40_call_sync_done(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs4_call_sync_data *data = calldata;\n\tnfs4_sequence_done(task, data->seq_res);\n}", "project": "linux", "hash": 217707911301341800657166750116213207218, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431348 }, { "func": "static int sctp_setsockopt_maxseg(struct sock *sk,\n\t\t\t\t struct sctp_assoc_value *params,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_association *asoc;\n\tsctp_assoc_t assoc_id;\n\tint val;\n\n\tif (optlen == sizeof(int)) {\n\t\tpr_warn_ratelimited(DEPRECATED\n\t\t\t\t \"%s (pid %d) \"\n\t\t\t\t \"Use of int in maxseg socket option.\\n\"\n\t\t\t\t \"Use struct sctp_assoc_value instead\\n\",\n\t\t\t\t current->comm, task_pid_nr(current));\n\t\tassoc_id = SCTP_FUTURE_ASSOC;\n\t\tval = *(int *)params;\n\t} else if (optlen == sizeof(struct sctp_assoc_value)) {\n\t\tassoc_id = params->assoc_id;\n\t\tval = params->assoc_value;\n\t} else {\n\t\treturn -EINVAL;\n\t}\n\n\tasoc = sctp_id2assoc(sk, assoc_id);\n\tif (!asoc && assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (val) {\n\t\tint min_len, max_len;\n\t\t__u16 datasize = asoc ? 
sctp_datachk_len(&asoc->stream) :\n\t\t\t\t sizeof(struct sctp_data_chunk);\n\n\t\tmin_len = sctp_min_frag_point(sp, datasize);\n\t\tmax_len = SCTP_MAX_CHUNK_LEN - datasize;\n\n\t\tif (val < min_len || val > max_len)\n\t\t\treturn -EINVAL;\n\t}\n\n\tif (asoc) {\n\t\tasoc->user_frag = val;\n\t\tsctp_assoc_update_frag_point(asoc);\n\t} else {\n\t\tsp->user_frag = val;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 119904249932686431203357432358199680094, "size": 50, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398104 }, { "func": "static int effective_prio(const struct i915_request *rq)\n{\n\tint prio = rq_prio(rq);\n\n\t/*\n\t * If this request is special and must not be interrupted at any\n\t * cost, so be it. Note we are only checking the most recent request\n\t * in the context and so may be masking an earlier vip request. It\n\t * is hoped that under the conditions where nopreempt is used, this\n\t * will not matter (i.e. 
all requests to that context will be\n\t * nopreempt for as long as desired).\n\t */\n\tif (i915_request_has_nopreempt(rq))\n\t\tprio = I915_PRIORITY_UNPREEMPTABLE;\n\n\t/*\n\t * On unwinding the active request, we give it a priority bump\n\t * if it has completed waiting on any semaphore. If we know that\n\t * the request has already started, we can prevent an unwanted\n\t * preempt-to-idle cycle by taking that into account now.\n\t */\n\tif (__i915_request_has_started(rq))\n\t\tprio |= I915_PRIORITY_NOSEMAPHORE;\n\n\t/* Restrict mere WAIT boosts from triggering preemption */\n\tBUILD_BUG_ON(__NO_PREEMPTION & ~I915_PRIORITY_MASK); /* only internal */\n\treturn prio | __NO_PREEMPTION;\n}", "project": "linux", "hash": 266994231800143356002842435234872893049, "size": 28, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281560 }, { "func": "static void encode_close(struct xdr_stream *xdr, const struct nfs_closeargs *arg, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_CLOSE, decode_close_maxsz, hdr);\n\tencode_nfs4_seqid(xdr, arg->seqid);\n\tencode_nfs4_stateid(xdr, &arg->stateid);\n}", "project": "linux", "hash": 235980859654951537579440374868201735483, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431166 }, { "func": " SparseTensor(const SparseTensor& other)\n : SparseTensor(other.ix_, other.vals_, other.shape_, other.order_) {}", "project": "tensorflow", "hash": 117261012974741425707735532357173805799, "size": 2, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277015 }, { "func": " SparseTensor(SparseTensor&& other)\n : SparseTensor(std::move(other.ix_), std::move(other.vals_),\n std::move(other.shape_), std::move(other.order_)) {}", "project": "tensorflow", "hash": 138105255733106752628272041392245307706, "size": 
3, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277019 }, { "func": " SparseTensor(Tensor ix, Tensor vals, const TensorShape& shape)\n : SparseTensor(std::move(ix), std::move(vals), TensorShapeToVector(shape),\n UndefinedOrder(TensorShapeToVector(shape))) {}", "project": "tensorflow", "hash": 253217668228030500111299208931811096634, "size": 3, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277022 }, { "func": " SparseTensor(Tensor ix, Tensor vals, const TensorShape& shape,\n const VarDimArray order)\n : SparseTensor(std::move(ix), std::move(vals), TensorShapeToVector(shape),\n order) {}", "project": "tensorflow", "hash": 83889607141929648987261626150369511851, "size": 4, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277028 }, { "func": " SparseTensor() : dims_(0) {}", "project": "tensorflow", "hash": 45818061583497520754495224703025033772, "size": 1, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277029 }, { "func": " SparseTensor(Tensor ix, Tensor vals, const VarDimArray shape)\n : SparseTensor(std::move(ix), std::move(vals), shape,\n UndefinedOrder(shape)) {}", "project": "tensorflow", "hash": 
166083385806572267566871901870651750974, "size": 3, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277033 }, { "func": "inline static void appendchar(char **buffer, int *pos, int *size, char add) {\n if ((*pos + 1) >= *size) {\n *size <<= 1;\n *buffer = (char*)realloc(*buffer, *size);\n }\n (*buffer)[(*pos)++] = add;\n}", "project": "hhvm", "hash": 118798233530765126476742605906101774515, "size": 7, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219739 }, { "func": "static void restore_cur(struct vc_data *vc)\n{\n\tgotoxy(vc, vc->vc_saved_x, vc->vc_saved_y);\n\tvc->vc_intensity\t= vc->vc_s_intensity;\n\tvc->vc_italic\t\t= vc->vc_s_italic;\n\tvc->vc_underline\t= vc->vc_s_underline;\n\tvc->vc_blink\t\t= vc->vc_s_blink;\n\tvc->vc_reverse\t\t= vc->vc_s_reverse;\n\tvc->vc_charset\t\t= vc->vc_s_charset;\n\tvc->vc_color\t\t= vc->vc_s_color;\n\tvc->vc_G0_charset\t= vc->vc_saved_G0;\n\tvc->vc_G1_charset\t= vc->vc_saved_G1;\n\tvc->vc_translate\t= set_translate(vc->vc_charset ? vc->vc_G1_charset : vc->vc_G0_charset, vc);\n\tupdate_attr(vc);\n\tvc->vc_need_wrap = 0;\n}", "project": "linux", "hash": 336656553779822997262409685091509301322, "size": 16, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. 
But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 
(\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437075 }, { "func": "static void load_creator_from_buf(\n FILE *fp,\n xref_t *xref,\n const char *buf,\n size_t buf_size)\n{\n int is_xml;\n char *c;\n\n if (!buf)\n return;\n\n /* Check to see if this is xml or old-school */\n if ((c = strstr(buf, \"/Type\")))\n while (*c && !isspace(*c))\n ++c;\n\n /* Probably \"Metadata\" */\n is_xml = 0;\n if (c && (*c == 'M'))\n is_xml = 1;\n\n /* Is the buffer XML(PDF 1.4+) or old format? */\n if (is_xml)\n load_creator_from_xml(xref, buf);\n else\n load_creator_from_old_format(fp, xref, buf, buf_size);\n}", "project": "pdfresurrect", "hash": 273447647166697037222872713871344791237, "size": 28, "commit_id": "7e35d1806e111fd28610ccc86bb33f54792ac370", "message": "Fix possible infinite loop case when looking for a trailer.\n\nThanks to chibataiki for reporting and isolating this!", "target": 0, "dataset": "other", "idx": 355586 }, { "func": "static int pfkey_promisc(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)\n{\n\tstruct pfkey_sock *pfk = pfkey_sk(sk);\n\tint satype = hdr->sadb_msg_satype;\n\tbool reset_errno = false;\n\n\tif (hdr->sadb_msg_len == (sizeof(*hdr) / sizeof(uint64_t))) {\n\t\treset_errno = true;\n\t\tif (satype != 0 && satype != 1)\n\t\t\treturn -EINVAL;\n\t\tpfk->promisc = satype;\n\t}\n\tif (reset_errno && skb_cloned(skb))\n\t\tskb = skb_copy(skb, GFP_KERNEL);\n\telse\n\t\tskb = skb_clone(skb, GFP_KERNEL);\n\n\tif (reset_errno && skb) {\n\t\tstruct sadb_msg *new_hdr = (struct sadb_msg *) skb->data;\n\t\tnew_hdr->sadb_msg_errno = 0;\n\t}\n\n\tpfkey_broadcast(skb, GFP_KERNEL, BROADCAST_ALL, NULL, 
sock_net(sk));\n\treturn 0;\n}", "project": "linux", "hash": 116156764433670429729636717094036519219, "size": 25, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268021 }, { "func": "int nfs4_proc_get_lease_time(struct nfs_client *clp, struct nfs_fsinfo *fsinfo)\n{\n\tstruct nfs4_get_lease_time_args args;\n\tstruct nfs4_get_lease_time_res res = {\n\t\t.lr_fsinfo = fsinfo,\n\t};\n\tstruct nfs4_get_lease_time_data data = {\n\t\t.args = &args,\n\t\t.res = &res,\n\t\t.clp = clp,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_GET_LEASE_TIME],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t};\n\tstruct rpc_task_setup task_setup = {\n\t\t.rpc_client = clp->cl_rpcclient,\n\t\t.rpc_message = &msg,\n\t\t.callback_ops = &nfs4_get_lease_time_ops,\n\t\t.callback_data = &data,\n\t\t.flags = RPC_TASK_TIMEOUT,\n\t};\n\n\tnfs4_init_sequence(&args.la_seq_args, &res.lr_seq_res, 0, 1);\n\treturn nfs4_call_sync_custom(&task_setup);\n}", "project": "linux", "hash": 28606307915017284242804291400261397925, "size": 27, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer 
size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430959 }, { "func": "static int imap_status(struct ImapAccountData *adata, struct ImapMboxData *mdata, bool queue)\n{\n char *uidvalidity_flag = NULL;\n char cmd[2048];\n\n if (!adata || !mdata)\n return -1;\n\n /* Don't issue STATUS on the selected mailbox, it will be NOOPed or\n * IDLEd elsewhere.\n * adata->mailbox may be NULL for connections other than the current\n * mailbox's. */\n if (adata->mailbox && (adata->mailbox->mdata == mdata))\n {\n adata->mailbox->has_new = false;\n return mdata->messages;\n }\n\n if (adata->capabilities & IMAP_CAP_IMAP4REV1)\n uidvalidity_flag = \"UIDVALIDITY\";\n else if (adata->capabilities & IMAP_CAP_STATUS)\n uidvalidity_flag = \"UID-VALIDITY\";\n else\n {\n mutt_debug(LL_DEBUG2, \"Server doesn't support STATUS\\n\");\n return -1;\n }\n\n snprintf(cmd, sizeof(cmd), \"STATUS %s (UIDNEXT %s UNSEEN RECENT MESSAGES)\",\n mdata->munge_name, uidvalidity_flag);\n\n int rc = imap_exec(adata, cmd, queue ? 
IMAP_CMD_QUEUE : IMAP_CMD_NO_FLAGS | IMAP_CMD_POLL);\n if (rc < 0)\n {\n mutt_debug(LL_DEBUG1, \"Error queueing command\\n\");\n return rc;\n }\n return mdata->messages;\n}", "project": "neomutt", "hash": 6433022380352890220421756407017260407, "size": 39, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357028 }, { "func": "static void copy_filename(const char **dst, const char *src, const char *what)\n{\n if (*dst)\n nasm_fatal(0, \"more than one %s file specified: %s\\n\", what, src);\n\n *dst = nasm_strdup(src);\n}", "project": "nasm", "hash": 317578214951809138535537559299566257374, "size": 7, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257478 }, { "func": "static int tracing_set_clock(struct trace_array *tr, const char *clockstr)\n{\n\tint i;\n\n\tfor (i = 0; i < ARRAY_SIZE(trace_clocks); i++) {\n\t\tif (strcmp(trace_clocks[i].name, clockstr) == 0)\n\t\t\tbreak;\n\t}\n\tif (i == ARRAY_SIZE(trace_clocks))\n\t\treturn -EINVAL;\n\n\tmutex_lock(&trace_types_lock);\n\n\ttr->clock_id = i;\n\n\tring_buffer_set_clock(tr->trace_buffer.buffer, trace_clocks[i].func);\n\n\t/*\n\t * New clock may not be consistent with the previous clock.\n\t * Reset the buffer so that it doesn't have incomparable timestamps.\n\t */\n\ttracing_reset_online_cpus(&tr->trace_buffer);\n\n#ifdef CONFIG_TRACER_MAX_TRACE\n\tif (tr->max_buffer.buffer)\n\t\tring_buffer_set_clock(tr->max_buffer.buffer, trace_clocks[i].func);\n\ttracing_reset_online_cpus(&tr->max_buffer);\n#endif\n\n\tmutex_unlock(&trace_types_lock);\n\n\treturn 0;\n}", 
"project": "linux", "hash": 185196093418554447543405172811329104130, "size": 33, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445637 }, { "func": "void kvm_get_pfn(kvm_pfn_t pfn)\n{\n\tif (!kvm_is_reserved_pfn(pfn))\n\t\tget_page(pfn_to_page(pfn));\n}", "project": "linux", "hash": 315074522996929011912748759303770790855, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354618 }, { "func": "static void save_hint(hint_t hint, int loc) {\n\t/* simply copy it to the global array for later use. 
*/\n\thint_list[loc].x = hint.x;\n\thint_list[loc].y = hint.y;\n\thint_list[loc].w = hint.w;\n\thint_list[loc].h = hint.h;\n}", "project": "x11vnc", "hash": 266419663726792728215681926716154370824, "size": 7, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360784 }, { "func": "static void kvm_mmu_notifier_change_pte(struct mmu_notifier *mn,\n\t\t\t\t\tstruct mm_struct *mm,\n\t\t\t\t\tunsigned long address,\n\t\t\t\t\tpte_t pte)\n{\n\tstruct kvm *kvm = mmu_notifier_to_kvm(mn);\n\tint idx;\n\n\tidx = srcu_read_lock(&kvm->srcu);\n\tspin_lock(&kvm->mmu_lock);\n\tkvm->mmu_notifier_seq++;\n\n\tif (kvm_set_spte_hva(kvm, address, pte))\n\t\tkvm_flush_remote_tlbs(kvm);\n\n\tspin_unlock(&kvm->mmu_lock);\n\tsrcu_read_unlock(&kvm->srcu, idx);\n}", "project": "linux", "hash": 302224753421648534258023875129236351491, "size": 18, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354710 }, { "func": "static void kvm_mmu_notifier_change_pte(struct mmu_notifier *mn,\n\t\t\t\t\tstruct mm_struct *mm,\n\t\t\t\t\tunsigned long address,\n\t\t\t\t\tpte_t pte)\n{\n\tstruct kvm *kvm = mmu_notifier_to_kvm(mn);\n\n\ttrace_kvm_set_spte_hva(address);\n\n\t/*\n\t * .change_pte() must be surrounded by 
.invalidate_range_{start,end}(),\n\t * and so always runs with an elevated notifier count. This obviates\n\t * the need to bump the sequence count.\n\t */\n\tWARN_ON_ONCE(!kvm->mmu_notifier_count);\n\n\tkvm_handle_hva_range(mn, address, address + 1, pte, kvm_set_spte_gfn);\n}", "project": "linux", "hash": 252588814870217335980712489022650320727, "size": 18, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404076 }, { "project": "Chrome", "commit_id": "123e68f88fd0ed4f7447ba81148f9b619b947c47", "target": 0, "func": "String DataObjectItem::GetAsString() const {\n DCHECK_EQ(kind_, kStringKind);\n\n if (source_ == kInternalSource)\n return data_;\n\n DCHECK_EQ(source_, kClipboardSource);\n\n String data;\n if (type_ == kMimeTypeTextPlain) {\n data = SystemClipboard::GetInstance().ReadPlainText();\n } else if (type_ == kMimeTypeTextRTF) {\n data = SystemClipboard::GetInstance().ReadRTF();\n } else if (type_ == kMimeTypeTextHTML) {\n KURL ignored_source_url;\n unsigned ignored;\n data = SystemClipboard::GetInstance().ReadHTML(ignored_source_url, ignored,\n ignored);\n } else {\n data = SystemClipboard::GetInstance().ReadCustomData(type_);\n }\n\n return 
SystemClipboard::GetInstance().SequenceNumber() == sequence_number_\n ? data\n : String();\n}\n", "cwe": "", "big_vul_idx": 100149, "idx": 175679, "hash": 137453808645224391932315983759622382595 }, { "func": "static int tty_fasync(int fd, struct file *filp, int on)\n{\n\tstruct tty_struct *tty = file_tty(filp);\n\tint retval = -ENOTTY;\n\n\ttty_lock(tty);\n\tif (!tty_hung_up_p(filp))\n\t\tretval = __tty_fasync(fd, filp, on);\n\ttty_unlock(tty);\n\n\treturn retval;\n}", "project": "linux", "hash": 289072774852913388669710044959484135853, "size": 12, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325992 }, { "func": "ssize_t Freadall(FD_t fd, void * buf, ssize_t size)\n{\n ssize_t total = 0;\n ssize_t nb = 0;\n char * bufp = buf;\n\n while (total < size) {\n\tnb = Fread(bufp, 1, size - total, fd);\n\n\tif (nb == 0 || (nb < 0 && !RETRY_ERROR(errno))) {\n\t total = nb;\n\t break;\n\t}\n\n\tif (nb > 0) {\n\t bufp += nb;\n\t total += nb;\n\t}\n }\n\n return total;\n}", "project": "rpm", "hash": 14817645475252563611291686717791260121, "size": 22, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318162 }, { "func": "void tcp_enter_frto(struct sock *sk)\n{\n\tconst struct inet_connection_sock *icsk = inet_csk(sk);\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct sk_buff *skb;\n\n\tif ((!tp->frto_counter && icsk->icsk_ca_state <= TCP_CA_Disorder) ||\n\t tp->snd_una == tp->high_seq ||\n\t ((icsk->icsk_ca_state == TCP_CA_Loss || tp->frto_counter) &&\n\t !icsk->icsk_retransmits)) {\n\t\ttp->prior_ssthresh = tcp_current_ssthresh(sk);\n\t\t/* Our state is too optimistic in ssthresh() call because cwnd\n\t\t * is 
not reduced until tcp_enter_frto_loss() when previous F-RTO\n\t\t * recovery has not yet completed. Pattern would be this: RTO,\n\t\t * Cumulative ACK, RTO (2xRTO for the same segment does not end\n\t\t * up here twice).\n\t\t * RFC4138 should be more specific on what to do, even though\n\t\t * RTO is quite unlikely to occur after the first Cumulative ACK\n\t\t * due to back-off and complexity of triggering events ...\n\t\t */\n\t\tif (tp->frto_counter) {\n\t\t\tu32 stored_cwnd;\n\t\t\tstored_cwnd = tp->snd_cwnd;\n\t\t\ttp->snd_cwnd = 2;\n\t\t\ttp->snd_ssthresh = icsk->icsk_ca_ops->ssthresh(sk);\n\t\t\ttp->snd_cwnd = stored_cwnd;\n\t\t} else {\n\t\t\ttp->snd_ssthresh = icsk->icsk_ca_ops->ssthresh(sk);\n\t\t}\n\t\t/* ... in theory, cong.control module could do \"any tricks\" in\n\t\t * ssthresh(), which means that ca_state, lost bits and lost_out\n\t\t * counter would have to be faked before the call occurs. We\n\t\t * consider that too expensive, unlikely and hacky, so modules\n\t\t * using these in ssthresh() must deal these incompatibility\n\t\t * issues if they receives CA_EVENT_FRTO and frto_counter != 0\n\t\t */\n\t\ttcp_ca_event(sk, CA_EVENT_FRTO);\n\t}\n\n\ttp->undo_marker = tp->snd_una;\n\ttp->undo_retrans = 0;\n\n\tskb = tcp_write_queue_head(sk);\n\tif (TCP_SKB_CB(skb)->sacked & TCPCB_RETRANS)\n\t\ttp->undo_marker = 0;\n\tif (TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_RETRANS) {\n\t\tTCP_SKB_CB(skb)->sacked &= ~TCPCB_SACKED_RETRANS;\n\t\ttp->retrans_out -= tcp_skb_pcount(skb);\n\t}\n\ttcp_verify_left_out(tp);\n\n\t/* Too bad if TCP was application limited */\n\ttp->snd_cwnd = min(tp->snd_cwnd, tcp_packets_in_flight(tp) + 1);\n\n\t/* Earlier loss recovery underway (see RFC4138; Appendix B).\n\t * The last condition is necessary at least in tp->frto_counter case.\n\t */\n\tif (tcp_is_sackfrto(tp) && (tp->frto_counter ||\n\t ((1 << icsk->icsk_ca_state) & (TCPF_CA_Recovery|TCPF_CA_Loss))) &&\n\t after(tp->high_seq, tp->snd_una)) {\n\t\ttp->frto_highmark = 
tp->high_seq;\n\t} else {\n\t\ttp->frto_highmark = tp->snd_nxt;\n\t}\n\ttcp_set_ca_state(sk, TCP_CA_Disorder);\n\ttp->high_seq = tp->snd_nxt;\n\ttp->frto_counter = 1;\n}", "project": "net-next", "hash": 239114010263774297015035980138129027006, "size": 68, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409932 }, { "func": "LUALIB_API void luaL_traceback (lua_State *L, lua_State *L1, const char *msg,\n\t\t\t\tint level)\n{\n int top = (int)(L->top - L->base);\n int lim = TRACEBACK_LEVELS1;\n lua_Debug ar;\n if (msg) lua_pushfstring(L, \"%s\\n\", msg);\n lua_pushliteral(L, \"stack traceback:\");\n while (lua_getstack(L1, level++, &ar)) {\n GCfunc *fn;\n if (level > lim) {\n if (!lua_getstack(L1, level + TRACEBACK_LEVELS2, &ar)) {\n\tlevel--;\n } else {\n\tlua_pushliteral(L, \"\\n\\t...\");\n\tlua_getstack(L1, -10, &ar);\n\tlevel = ar.i_ci - TRACEBACK_LEVELS2;\n }\n lim = 2147483647;\n continue;\n }\n lua_getinfo(L1, \"Snlf\", &ar);\n fn = funcV(L1->top-1); L1->top--;\n if (isffunc(fn) && !*ar.namewhat)\n lua_pushfstring(L, \"\\n\\t[builtin#%d]:\", fn->c.ffid);\n else\n lua_pushfstring(L, \"\\n\\t%s:\", ar.short_src);\n if (ar.currentline > 0)\n lua_pushfstring(L, \"%d:\", ar.currentline);\n if (*ar.namewhat) {\n lua_pushfstring(L, \" in function \" LUA_QS, ar.name);\n } else {\n if (*ar.what == 'm') {\n\tlua_pushliteral(L, \" in main chunk\");\n } else if (*ar.what == 'C') {\n\tlua_pushfstring(L, \" at %p\", fn->c.f);\n } else {\n\tlua_pushfstring(L, \" in function <%s:%d>\",\n\t\t\tar.short_src, ar.linedefined);\n }\n }\n if ((int)(L->top - L->base) - top >= 15)\n lua_concat(L, (int)(L->top - L->base) - top);\n 
}\n lua_concat(L, (int)(L->top - L->base) - top);\n}", "project": "LuaJIT", "hash": 195069116083678996033828094519629312602, "size": 46, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394650 }, { "func": "DLLEXPORT int DLLCALL tjDecompressToYUV2(tjhandle handle,\n\tconst unsigned char *jpegBuf, unsigned long jpegSize, unsigned char *dstBuf,\n\tint width, int pad, int height, int flags)\n{\n\tunsigned char *dstPlanes[3];\n\tint pw0, ph0, strides[3], retval=-1, jpegSubsamp=-1;\n\tint i, jpegwidth, jpegheight, scaledw, scaledh;\n\n\tgetdinstance(handle);\n\n\tif(jpegBuf==NULL || jpegSize<=0 || dstBuf==NULL || width<0 || pad<1\n\t\t|| !isPow2(pad) || height<0)\n\t\t_throw(\"tjDecompressToYUV2(): Invalid argument\");\n\n\tif(setjmp(this->jerr.setjmp_buffer))\n\t{\n\t\t/* If we get here, the JPEG code has signaled an error. */\n\t\treturn -1;\n\t}\n\n\tjpeg_mem_src_tj(dinfo, jpegBuf, jpegSize);\n\tjpeg_read_header(dinfo, TRUE);\n\tjpegSubsamp=getSubsamp(dinfo);\n\tif(jpegSubsamp<0)\n\t\t_throw(\"tjDecompressToYUV2(): Could not determine subsampling type for JPEG image\");\n\n\tjpegwidth=dinfo->image_width; jpegheight=dinfo->image_height;\n\tif(width==0) width=jpegwidth;\n\tif(height==0) height=jpegheight;\n\n\tfor(i=0; i=NUMSF)\n\t\t_throw(\"tjDecompressToYUV2(): Could not scale down to desired image dimensions\");\n\n\tpw0=tjPlaneWidth(0, width, jpegSubsamp);\n\tph0=tjPlaneHeight(0, height, jpegSubsamp);\n\tdstPlanes[0]=dstBuf;\n\tstrides[0]=PAD(pw0, pad);\n\tif(jpegSubsamp==TJSAMP_GRAY)\n\t{\n\t\tstrides[1]=strides[2]=0;\n\t\tdstPlanes[1]=dstPlanes[2]=NULL;\n\t}\n\telse\n\t{\n\t\tint pw1=tjPlaneWidth(1, width, jpegSubsamp);\n\t\tint ph1=tjPlaneHeight(1, height, jpegSubsamp);\n\t\tstrides[1]=strides[2]=PAD(pw1, pad);\n\t\tdstPlanes[1]=dstPlanes[0]+strides[0]*ph0;\n\t\tdstPlanes[2]=dstPlanes[1]+strides[1]*ph1;\n\t}\n\n\tthis->headerRead=1;\n\treturn 
tjDecompressToYUVPlanes(handle, jpegBuf, jpegSize, dstPlanes, width,\n\t\tstrides, height, flags);\n\n\tbailout:\n\treturn retval;\n\n}", "project": "libjpeg-turbo", "hash": 207300770970394364500495643613204449006, "size": 66, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311106 }, { "func": "static inline void perf_read_regs(struct pt_regs *regs)\n{\n\tunsigned long mmcra = mfspr(SPRN_MMCRA);\n\tint marked = mmcra & MMCRA_SAMPLE_ENABLE;\n\tint use_siar;\n\n\tregs->dsisr = mmcra;\n\n\tif (ppmu->flags & PPMU_HAS_SIER)\n\t\tregs->dar = mfspr(SPRN_SIER);\n\n\t/*\n\t * If this isn't a PMU exception (eg a software event) the SIAR is\n\t * not valid. Use pt_regs.\n\t *\n\t * If it is a marked event use the SIAR.\n\t *\n\t * If the PMU doesn't update the SIAR for non marked events use\n\t * pt_regs.\n\t *\n\t * If the PMU has HV/PR flags then check to see if they\n\t * place the exception in userspace. If so, use pt_regs. In\n\t * continuous sampling mode the SIAR and the PMU exception are\n\t * not synchronised, so they may be many instructions apart.\n\t * This can result in confusing backtraces. 
We still want\n\t * hypervisor samples as well as samples in the kernel with\n\t * interrupts off hence the userspace check.\n\t */\n\tif (TRAP(regs) != INTERRUPT_PERFMON)\n\t\tuse_siar = 0;\n\telse if ((ppmu->flags & PPMU_NO_SIAR))\n\t\tuse_siar = 0;\n\telse if (marked)\n\t\tuse_siar = 1;\n\telse if ((ppmu->flags & PPMU_NO_CONT_SAMPLING))\n\t\tuse_siar = 0;\n\telse if (!(ppmu->flags & PPMU_NO_SIPR) && regs_sipr(regs))\n\t\tuse_siar = 0;\n\telse\n\t\tuse_siar = 1;\n\n\tregs->result = use_siar;\n}", "project": "linux", "hash": 233287529106332291207773322203908177382, "size": 43, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374717 }, { "func": "static inline void perf_read_regs(struct pt_regs *regs)\n{\n\tregs->result = 0;\n}", "project": "linux", "hash": 177670805538257401397676201154102652285, "size": 4, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374720 }, { "func": "static enum_func_status\nphp_mysqlnd_read_row_ex(MYSQLND_CONN_DATA * conn, MYSQLND_MEMORY_POOL * result_set_memory_pool,\n\t\t\t\t\t\tMYSQLND_MEMORY_POOL_CHUNK ** buffer,\n\t\t\t\t\t\tsize_t * data_size, zend_bool persistent_alloc,\n\t\t\t\t\t\tunsigned int prealloc_more_bytes TSRMLS_DC)\n{\n\tenum_func_status ret = PASS;\n\tMYSQLND_PACKET_HEADER header;\n\tzend_uchar * p = NULL;\n\tzend_bool first_iteration = TRUE;\n\n\tDBG_ENTER(\"php_mysqlnd_read_row_ex\");\n\n\t/*\n\t To ease the process the server splits everything in packets up to 2^24 - 1.\n\t Even in the case the payload is evenly divisible by this value, the last\n\t packet will be empty, namely 0 bytes. Thus, we can read every packet and ask\n\t for next one if they have 2^24 - 1 sizes. But just read the header of a\n\t zero-length byte, don't read the body, there is no such.\n\t*/\n\n\t*data_size = prealloc_more_bytes;\n\twhile (1) {\n\t\tif (FAIL == mysqlnd_read_header(conn->net, &header, conn->stats, conn->error_info TSRMLS_CC)) {\n\t\t\tret = FAIL;\n\t\t\tbreak;\n\t\t}\n\n\t\t*data_size += header.size;\n\n\t\tif (first_iteration) {\n\t\t\tfirst_iteration = FALSE;\n\t\t\t/*\n\t\t\t We need a trailing \\0 for the last string, in case of text-mode,\n\t\t\t to be able to implement read-only variables. 
Thus, we add + 1.\n\t\t\t*/\n\t\t\t*buffer = result_set_memory_pool->get_chunk(result_set_memory_pool, *data_size + 1 TSRMLS_CC);\n\t\t\tif (!*buffer) {\n\t\t\t\tret = FAIL;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tp = (*buffer)->ptr;\n\t\t} else if (!first_iteration) {\n\t\t\t/* Empty packet after MYSQLND_MAX_PACKET_SIZE packet. That's ok, break */\n\t\t\tif (!header.size) {\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\t/*\n\t\t\t We have to realloc the buffer.\n\n\t\t\t We need a trailing \\0 for the last string, in case of text-mode,\n\t\t\t to be able to implement read-only variables.\n\t\t\t*/\n\t\t\tif (FAIL == (*buffer)->resize_chunk((*buffer), *data_size + 1 TSRMLS_CC)) {\n\t\t\t\tSET_OOM_ERROR(*conn->error_info);\n\t\t\t\tret = FAIL;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\t/* The position could have changed, recalculate */\n\t\t\tp = (*buffer)->ptr + (*data_size - header.size);\n\t\t}\n\n\t\tif (PASS != (ret = conn->net->data->m.receive_ex(conn->net, p, header.size, conn->stats, conn->error_info TSRMLS_CC))) {\n\t\t\tDBG_ERR(\"Empty row packet body\");\n\t\t\tphp_error(E_WARNING, \"Empty row packet body\");\n\t\t\tbreak;\n\t\t}\n\n\t\tif (header.size < MYSQLND_MAX_PACKET_SIZE) {\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (ret == FAIL && *buffer) {\n\t\t(*buffer)->free_chunk((*buffer) TSRMLS_CC);\n\t\t*buffer = NULL;\n\t}\n\t*data_size -= prealloc_more_bytes;\n\tDBG_RETURN(ret);", "project": "php-src", "hash": 188014738384381887399072595865581914558, "size": 79, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416639 }, { "func": "int bcf_hdr_id2int(const bcf_hdr_t *h, int which, const char *id)\n{\n khint_t k;\n vdict_t *d = (vdict_t*)h->dict[which];\n k = kh_get(vdict, d, id);\n return k == kh_end(d)? 
-1 : kh_val(d, k).id;\n}", "project": "htslib", "hash": 137920505284981817188689764198877758550, "size": 7, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402150 }, { "func": "static void print_func_help_header(struct trace_buffer *buf, struct seq_file *m,\n\t\t\t\t unsigned int flags)\n{\n\tbool tgid = flags & TRACE_ITER_RECORD_TGID;\n\n\tprint_event_info(buf, m);\n\n\tseq_printf(m, \"# TASK-PID CPU# %s TIMESTAMP FUNCTION\\n\", tgid ? \"TGID \" : \"\");\n\tseq_printf(m, \"# | | | %s | |\\n\",\t tgid ? \" | \" : \"\");\n}", "project": "linux", "hash": 126416934766589439485033440226744444430, "size": 10, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445556 }, { "func": "static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tstruct svm_cpu_data *sd = per_cpu(svm_data, cpu);\n\tint i;\n\n\tif (unlikely(cpu != vcpu->cpu)) {\n\t\tsvm->asid_generation = 0;\n\t\tmark_all_dirty(svm->vmcb);\n\t}\n\n#ifdef CONFIG_X86_64\n\trdmsrl(MSR_GS_BASE, to_svm(vcpu)->host.gs_base);\n#endif\n\tsavesegment(fs, svm->host.fs);\n\tsavesegment(gs, svm->host.gs);\n\tsvm->host.ldt = kvm_read_ldt();\n\n\tfor (i = 0; i < NR_HOST_SAVE_USER_MSRS; i++)\n\t\trdmsrl(host_save_user_msrs[i], svm->host_user_msrs[i]);\n\n\tif (static_cpu_has(X86_FEATURE_TSCRATEMSR)) {\n\t\tu64 tsc_ratio = vcpu->arch.tsc_scaling_ratio;\n\t\tif (tsc_ratio != __this_cpu_read(current_tsc_ratio)) {\n\t\t\t__this_cpu_write(current_tsc_ratio, tsc_ratio);\n\t\t\twrmsrl(MSR_AMD64_TSC_RATIO, tsc_ratio);\n\t\t}\n\t}\n\t/* This assumes that the kernel never uses MSR_TSC_AUX */\n\tif (static_cpu_has(X86_FEATURE_RDTSCP))\n\t\twrmsrl(MSR_TSC_AUX, svm->tsc_aux);\n\n\tif (sd->current_vmcb != svm->vmcb) {\n\t\tsd->current_vmcb = svm->vmcb;\n\t\tindirect_branch_prediction_barrier();\n\t}\n\tavic_vcpu_load(vcpu, cpu);\n}", "project": "linux", "hash": 111803228406890165682549269212518034222, "size": 38, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432618 }, { "func": "static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tint i;\n\n\tif (unlikely(cpu != vcpu->cpu)) {\n\t\tsvm->asid_generation = 0;\n\t\tmark_all_dirty(svm->vmcb);\n\t}\n\n#ifdef CONFIG_X86_64\n\trdmsrl(MSR_GS_BASE, to_svm(vcpu)->host.gs_base);\n#endif\n\tsavesegment(fs, svm->host.fs);\n\tsavesegment(gs, svm->host.gs);\n\tsvm->host.ldt = kvm_read_ldt();\n\n\tfor (i = 0; i < NR_HOST_SAVE_USER_MSRS; i++)\n\t\trdmsrl(host_save_user_msrs[i], svm->host_user_msrs[i]);\n\n\tif (static_cpu_has(X86_FEATURE_TSCRATEMSR) &&\n\t svm->tsc_ratio != __this_cpu_read(current_tsc_ratio)) {\n\t\t__this_cpu_write(current_tsc_ratio, svm->tsc_ratio);\n\t\twrmsrl(MSR_AMD64_TSC_RATIO, svm->tsc_ratio);\n\t}\n}", "project": "kvm", "hash": 260699778152496424367431913747040057926, "size": 26, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437560 }, { "func": "static void iscsi_iface_release(struct device *dev)\n{\n\tstruct iscsi_iface *iface = iscsi_dev_to_iface(dev);\n\tstruct device *parent = iface->dev.parent;\n\n\tkfree(iface);\n\tput_device(parent);\n}", "project": "linux", "hash": 192299124687703483628920369334833407855, "size": 8, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech 
\nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379947 }, { "func": "static void add_softcursor(struct vc_data *vc)\n{\n\tint i = scr_readw((u16 *) vc->vc_pos);\n\tu32 type = vc->vc_cursor_type;\n\n\tif (! (type & 0x10)) return;\n\tif (softcursor_original != -1) return;\n\tsoftcursor_original = i;\n\ti |= ((type >> 8) & 0xff00 );\n\ti ^= ((type) & 0xff00 );\n\tif ((type & 0x20) && ((softcursor_original & 0x7000) == (i & 0x7000))) i ^= 0x7000;\n\tif ((type & 0x40) && ((i & 0x700) == ((i & 0x7000) >> 4))) i ^= 0x0700;\n\tscr_writew(i, (u16 *) vc->vc_pos);\n\tif (con_should_update(vc))\n\t\tvc->vc_sw->con_putc(vc, i, vc->vc_y, vc->vc_x);\n}", "project": "linux", "hash": 16873524303530494098261853869115837826, "size": 16, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437071 }, { "func": "uint64_t\nphp_mysqlnd_net_field_length_ll(zend_uchar **packet)\n{\n\tregister zend_uchar *p= (zend_uchar *)*packet;\n\n\tif (*p < 251) {\n\t\t(*packet)++;\n\t\treturn (uint64_t) *p;\n\t}\n\n\tswitch (*p) {\n\t\tcase 251:\n\t\t\t(*packet)++;\n\t\t\treturn (uint64_t) MYSQLND_NULL_LENGTH;\n\t\tcase 252:\n\t\t\t(*packet) += 3;\n\t\t\treturn (uint64_t) uint2korr(p + 1);\n\t\tcase 253:\n\t\t\t(*packet) += 4;\n\t\t\treturn (uint64_t) uint3korr(p + 1);\n\t\tdefault:\n\t\t\t(*packet) += 9;\n\t\t\treturn (uint64_t) uint8korr(p + 1);\n\t}", "project": "php-src", "hash": 193666873636472283020892577151779457158, "size": 24, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416658 }, { "func": "static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_conn_request *ev = (void *) skb->data;\n\tint mask = hdev->link_mode;\n\tstruct inquiry_entry *ie;\n\tstruct hci_conn *conn;\n\t__u8 flags = 0;\n\n\tBT_DBG(\"%s bdaddr %pMR type 0x%x\", hdev->name, &ev->bdaddr,\n\t ev->link_type);\n\n\tmask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,\n\t\t\t\t &flags);\n\n\tif (!(mask & HCI_LM_ACCEPT)) {\n\t\thci_reject_conn(hdev, &ev->bdaddr);\n\t\treturn;\n\t}\n\n\tif (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,\n\t\t\t\t BDADDR_BREDR)) {\n\t\thci_reject_conn(hdev, &ev->bdaddr);\n\t\treturn;\n\t}\n\n\t/* Require HCI_CONNECTABLE or a whitelist entry to accept the\n\t * connection. 
These features are only touched through mgmt so\n\t * only do the checks if HCI_MGMT is set.\n\t */\n\tif (hci_dev_test_flag(hdev, HCI_MGMT) &&\n\t !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&\n\t !hci_bdaddr_list_lookup_with_flags(&hdev->whitelist, &ev->bdaddr,\n\t\t\t\t\t BDADDR_BREDR)) {\n\t\thci_reject_conn(hdev, &ev->bdaddr);\n\t\treturn;\n\t}\n\n\t/* Connection accepted */\n\n\thci_dev_lock(hdev);\n\n\tie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);\n\tif (ie)\n\t\tmemcpy(ie->data.dev_class, ev->dev_class, 3);\n\n\tconn = hci_conn_hash_lookup_ba(hdev, ev->link_type,\n\t\t\t&ev->bdaddr);\n\tif (!conn) {\n\t\tconn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,\n\t\t\t\t HCI_ROLE_SLAVE);\n\t\tif (!conn) {\n\t\t\tbt_dev_err(hdev, \"no memory for new connection\");\n\t\t\thci_dev_unlock(hdev);\n\t\t\treturn;\n\t\t}\n\t}\n\n\tmemcpy(conn->dev_class, ev->dev_class, 3);\n\n\thci_dev_unlock(hdev);\n\n\tif (ev->link_type == ACL_LINK ||\n\t (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {\n\t\tstruct hci_cp_accept_conn_req cp;\n\t\tconn->state = BT_CONNECT;\n\n\t\tbacpy(&cp.bdaddr, &ev->bdaddr);\n\n\t\tif (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))\n\t\t\tcp.role = 0x00; /* Become master */\n\t\telse\n\t\t\tcp.role = 0x01; /* Remain slave */\n\n\t\thci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);\n\t} else if (!(flags & HCI_PROTO_DEFER)) {\n\t\tstruct hci_cp_accept_sync_conn_req cp;\n\t\tconn->state = BT_CONNECT;\n\n\t\tbacpy(&cp.bdaddr, &ev->bdaddr);\n\t\tcp.pkt_type = cpu_to_le16(conn->pkt_type);\n\n\t\tcp.tx_bandwidth = cpu_to_le32(0x00001f40);\n\t\tcp.rx_bandwidth = cpu_to_le32(0x00001f40);\n\t\tcp.max_latency = cpu_to_le16(0xffff);\n\t\tcp.content_format = cpu_to_le16(hdev->voice_setting);\n\t\tcp.retrans_effort = 0xff;\n\n\t\thci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),\n\t\t\t &cp);\n\t} else {\n\t\tconn->state = BT_CONNECT2;\n\t\thci_connect_cfm(conn, 0);\n\t}\n}", "project": "linux", "hash": 
11630026313033935790856758020310294339, "size": 94, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432034 }, { "func": " static inline int GetDimensionInSlice(const int dim, const int split_size,\n const int residual) {\n DCHECK_GT(split_size, 0);\n DCHECK_GE(dim, 0);\n if (residual == 0) return dim % split_size;\n const int offset = residual * (split_size + 1);\n if (dim < offset) {\n return dim % (split_size + 1);\n } else {\n return (dim - offset) % split_size;\n }\n }", "project": "tensorflow", "hash": 115440559154104486051092223068774729841, "size": 12, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277011 }, { "func": "static int check_kill_permission(int sig, struct kernel_siginfo *info,\n\t\t\t\t struct task_struct *t)\n{\n\tstruct pid *sid;\n\tint error;\n\n\tif (!valid_signal(sig))\n\t\treturn -EINVAL;\n\n\tif (!si_fromuser(info))\n\t\treturn 0;\n\n\terror = audit_signal_info(sig, t); /* Let audit system see the signal */\n\tif (error)\n\t\treturn error;\n\n\tif (!same_thread_group(current, t) &&\n\t !kill_ok_by_cred(t)) {\n\t\tswitch (sig) {\n\t\tcase SIGCONT:\n\t\t\tsid = task_session(t);\n\t\t\t/*\n\t\t\t * We don't return the error if 
sid == NULL. The\n\t\t\t * task was unhashed, the caller must notice this.\n\t\t\t */\n\t\t\tif (!sid || sid == task_session(current))\n\t\t\t\tbreak;\n\t\t\t/* fall through */\n\t\tdefault:\n\t\t\treturn -EPERM;\n\t\t}\n\t}\n\n\treturn security_task_kill(t, info, sig, NULL);\n}", "project": "linux", "hash": 91227278621405312618247960737264201002, "size": 35, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375190 }, { "func": "static void imap_logout(struct ImapAccountData *adata)\n{\n /* we set status here to let imap_handle_untagged know we _expect_ to\n * receive a bye response (so it doesn't freak out and close the conn) */\n if (adata->state == IMAP_DISCONNECTED)\n {\n return;\n }\n\n adata->status = IMAP_BYE;\n imap_cmd_start(adata, \"LOGOUT\");\n if ((C_ImapPollTimeout <= 0) || (mutt_socket_poll(adata->conn, C_ImapPollTimeout) != 0))\n {\n while (imap_cmd_step(adata) == IMAP_RES_CONTINUE)\n ; // do nothing\n }\n mutt_socket_close(adata->conn);\n adata->state = IMAP_DISCONNECTED;\n}", "project": "neomutt", "hash": 221937993890056002021660812828845886063, "size": 19, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357040 }, { "func": "bool fuse_write_update_size(struct inode *inode, loff_t pos)\n{\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\tbool ret = false;\n\n\tspin_lock(&fi->lock);\n\tfi->attr_version = atomic64_inc_return(&fc->attr_version);\n\tif (pos > inode->i_size) {\n\t\ti_size_write(inode, pos);\n\t\tret = true;\n\t}\n\tspin_unlock(&fi->lock);\n\n\treturn ret;\n}", "project": "linux", "hash": 222262658567487670654214841318682547902, "size": 16, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341988 }, { "func": "static int io_fadvise(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_fadvise *fa = &req->fadvise;\n\tint ret;\n\n\tif (issue_flags & IO_URING_F_NONBLOCK) {\n\t\tswitch (fa->advice) {\n\t\tcase POSIX_FADV_NORMAL:\n\t\tcase POSIX_FADV_RANDOM:\n\t\tcase POSIX_FADV_SEQUENTIAL:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn -EAGAIN;\n\t\t}\n\t}\n\n\tret = vfs_fadvise(req->file, fa->offset, fa->len, fa->advice);\n\tif (ret < 0)\n\t\treq_set_fail_links(req);\n\t__io_req_complete(req, issue_flags, ret, 0);\n\treturn 0;\n}", "project": "linux", "hash": 137609246023374655065193347989127115449, "size": 22, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338628 }, { "func": "static void tracing_start_tr(struct trace_array *tr)\n{\n\tstruct ring_buffer *buffer;\n\tunsigned long flags;\n\n\tif (tracing_disabled)\n\t\treturn;\n\n\t/* If global, we need to also start the max tracer */\n\tif (tr->flags & TRACE_ARRAY_FL_GLOBAL)\n\t\treturn tracing_start();\n\n\traw_spin_lock_irqsave(&tr->start_lock, flags);\n\n\tif (--tr->stop_count) {\n\t\tif (tr->stop_count < 0) {\n\t\t\t/* Someone screwed up their debugging */\n\t\t\tWARN_ON_ONCE(1);\n\t\t\ttr->stop_count = 0;\n\t\t}\n\t\tgoto out;\n\t}\n\n\tbuffer = tr->trace_buffer.buffer;\n\tif (buffer)\n\t\tring_buffer_record_enable(buffer);\n\n out:\n\traw_spin_unlock_irqrestore(&tr->start_lock, flags);\n}", "project": "linux", "hash": 69955367069327616287724065822825871001, "size": 30, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445564 }, { "func": "static int sd_g_volatile_ctrl(struct v4l2_ctrl *ctrl)\n{\n\tstruct gspca_dev *gspca_dev =\n\t\tcontainer_of(ctrl->handler, struct gspca_dev, ctrl_handler);\n\tstruct sd *sd = (struct sd *)gspca_dev;\n\n\tgspca_dev->usb_err = 0;\n\n\tswitch (ctrl->id) {\n\tcase V4L2_CID_AUTOGAIN:\n\t\tgspca_dev->exposure->val = i2c_r(sd, 0x10);\n\t\tbreak;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 125390540515994226998936798950322002281, "size": 15, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306309 }, { "func": "static int piz_uncompress(EXRContext *s, const uint8_t *src, int ssize,\n int dsize, EXRThreadData *td)\n{\n GetByteContext gb;\n uint16_t maxval, min_non_zero, max_non_zero;\n uint16_t *ptr;\n uint16_t *tmp = (uint16_t *)td->tmp;\n uint16_t *out;\n uint16_t *in;\n int ret, i, j;\n int pixel_half_size;/* 1 for 
half, 2 for float and uint32 */\n EXRChannel *channel;\n int tmp_offset;\n\n if (!td->bitmap)\n td->bitmap = av_malloc(BITMAP_SIZE);\n if (!td->lut)\n td->lut = av_malloc(1 << 17);\n if (!td->bitmap || !td->lut) {\n av_freep(&td->bitmap);\n av_freep(&td->lut);\n return AVERROR(ENOMEM);\n }\n\n bytestream2_init(&gb, src, ssize);\n min_non_zero = bytestream2_get_le16(&gb);\n max_non_zero = bytestream2_get_le16(&gb);\n\n if (max_non_zero >= BITMAP_SIZE)\n return AVERROR_INVALIDDATA;\n\n memset(td->bitmap, 0, FFMIN(min_non_zero, BITMAP_SIZE));\n if (min_non_zero <= max_non_zero)\n bytestream2_get_buffer(&gb, td->bitmap + min_non_zero,\n max_non_zero - min_non_zero + 1);\n memset(td->bitmap + max_non_zero + 1, 0, BITMAP_SIZE - max_non_zero - 1);\n\n maxval = reverse_lut(td->bitmap, td->lut);\n\n bytestream2_skip(&gb, 4);\n ret = huf_uncompress(s, td, &gb, tmp, dsize / sizeof(uint16_t));\n if (ret)\n return ret;\n\n ptr = tmp;\n for (i = 0; i < s->nb_channels; i++) {\n channel = &s->channels[i];\n\n if (channel->pixel_type == EXR_HALF)\n pixel_half_size = 1;\n else\n pixel_half_size = 2;\n\n for (j = 0; j < pixel_half_size; j++)\n wav_decode(ptr + j, td->xsize, pixel_half_size, td->ysize,\n td->xsize * pixel_half_size, maxval);\n ptr += td->xsize * td->ysize * pixel_half_size;\n }\n\n apply_lut(td->lut, tmp, dsize / sizeof(uint16_t));\n\n out = (uint16_t *)td->uncompressed_data;\n for (i = 0; i < td->ysize; i++) {\n tmp_offset = 0;\n for (j = 0; j < s->nb_channels; j++) {\n channel = &s->channels[j];\n if (channel->pixel_type == EXR_HALF)\n pixel_half_size = 1;\n else\n pixel_half_size = 2;\n\n in = tmp + tmp_offset * td->xsize * td->ysize + i * td->xsize * pixel_half_size;\n tmp_offset += pixel_half_size;\n\n#if HAVE_BIGENDIAN\n s->bbdsp.bswap16_buf(out, in, td->xsize * pixel_half_size);\n#else\n memcpy(out, in, td->xsize * 2 * pixel_half_size);\n#endif\n out += td->xsize * pixel_half_size;\n }\n }\n\n return 0;\n}", "project": "FFmpeg", "hash": 
30763397291474696223656338916928488502, "size": 85, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262677 }, { "func": "static int advance_multivolume(struct archive_read* a) {\n\tint lret;\n\tstruct rar5* rar = get_context(a);\n\n\t/* A small state machine that will skip unnecessary data, needed to\n\t * switch from one multivolume to another. Such skipping is needed if\n\t * we want to be an stream-oriented (instead of file-oriented)\n\t * unpacker.\n\t *\n\t * The state machine starts with `rar->main.endarc` == 0. It also\n\t * assumes that current stream pointer points to some base block\n\t * header.\n\t *\n\t * The `endarc` field is being set when the base block parsing\n\t * function encounters the 'end of archive' marker.\n\t */\n\n\twhile(1) {\n\t\tif(rar->main.endarc == 1) {\n\t\t\tint looping = 1;\n\n\t\t\trar->main.endarc = 0;\n\n\t\t\twhile(looping) {\n\t\t\t\tlret = skip_base_block(a);\n\t\t\t\tswitch(lret) {\n\t\t\t\t\tcase ARCHIVE_RETRY:\n\t\t\t\t\t\t/* Continue looping. */\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tcase ARCHIVE_OK:\n\t\t\t\t\t\t/* Break loop. */\n\t\t\t\t\t\tlooping = 0;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tdefault:\n\t\t\t\t\t\t/* Forward any errors to the\n\t\t\t\t\t\t * caller. */\n\t\t\t\t\t\treturn lret;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tbreak;\n\t\t} else {\n\t\t\t/* Skip current base block. In order to properly skip\n\t\t\t * it, we really need to simply parse it and discard\n\t\t\t * the results. */\n\n\t\t\tlret = skip_base_block(a);\n\t\t\tif(lret == ARCHIVE_FATAL || lret == ARCHIVE_FAILED)\n\t\t\t\treturn lret;\n\n\t\t\t/* The `skip_base_block` function tells us if we\n\t\t\t * should continue with skipping, or we should stop\n\t\t\t * skipping. We're trying to skip everything up to\n\t\t\t * a base FILE block. 
*/\n\n\t\t\tif(lret != ARCHIVE_RETRY) {\n\t\t\t\t/* If there was an error during skipping, or we\n\t\t\t\t * have just skipped a FILE base block... */\n\n\t\t\t\tif(rar->main.endarc == 0) {\n\t\t\t\t\treturn lret;\n\t\t\t\t} else {\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 198770447808783449929675412400519963251, "size": 70, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244729 }, { "func": "static inline int sysfs_slab_add(struct kmem_cache *s) { return 0; }", "project": "linux", "hash": 196656021293005530116927946898533360874, "size": 1, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280219 }, { "func": "\nstatic int sysfs_slab_add(struct kmem_cache *s)\n{\n\tint err;\n\tconst char *name;\n\tstruct kset *kset = cache_kset(s);\n\tint unmergeable = slab_unmergeable(s);\n\n\tINIT_WORK(&s->kobj_remove_work, sysfs_slab_remove_workfn);\n\n\tif (!kset) {\n\t\tkobject_init(&s->kobj, &slab_ktype);\n\t\treturn 0;\n\t}\n\n\tif (!unmergeable && disable_higher_order_debug &&\n\t\t\t(slub_debug & DEBUG_METADATA_FLAGS))\n\t\tunmergeable = 1;\n\n\tif (unmergeable) {\n\t\t/*\n\t\t * Slabcache can never be merged so we can use the name proper.\n\t\t * This is typically the case for debug situations. 
In that\n\t\t * case we can catch duplicate names easily.\n\t\t */\n\t\tsysfs_remove_link(&slab_kset->kobj, s->name);\n\t\tname = s->name;\n\t} else {\n\t\t/*\n\t\t * Create a unique name for the slab as a target\n\t\t * for the symlinks.\n\t\t */\n\t\tname = create_unique_id(s);\n\t}\n\n\ts->kobj.kset = kset;\n\terr = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, \"%s\", name);\n\tif (err)\n\t\tgoto out;\n\n\terr = sysfs_create_group(&s->kobj, &slab_attr_group);\n\tif (err)\n\t\tgoto out_del_kobj;\n\n#ifdef CONFIG_MEMCG\n\tif (is_root_cache(s) && memcg_sysfs_enabled) {\n\t\ts->memcg_kset = kset_create_and_add(\"cgroup\", NULL, &s->kobj);\n\t\tif (!s->memcg_kset) {\n\t\t\terr = -ENOMEM;\n\t\t\tgoto out_del_kobj;\n\t\t}\n\t}\n#endif\n\n\tkobject_uevent(&s->kobj, KOBJ_ADD);\n\tif (!unmergeable) {\n\t\t/* Setup first alias */\n\t\tsysfs_slab_alias(s, s->name);\n\t}\nout:\n\tif (!unmergeable)\n\t\tkfree(name);\n\treturn err;\nout_del_kobj:\n\tkobject_del(&s->kobj);\n\tgoto out;", "project": "linux", "hash": 197473210539311495622424382745753993935, "size": 66, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280227 }, { "func": "int nfs4_proc_layoutreturn(struct nfs4_layoutreturn *lrp, bool sync)\n{\n\tstruct rpc_task *task;\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_LAYOUTRETURN],\n\t\t.rpc_argp = &lrp->args,\n\t\t.rpc_resp = &lrp->res,\n\t\t.rpc_cred = lrp->cred,\n\t};\n\tstruct rpc_task_setup task_setup_data = {\n\t\t.rpc_client = NFS_SERVER(lrp->args.inode)->client,\n\t\t.rpc_message = &msg,\n\t\t.callback_ops = &nfs4_layoutreturn_call_ops,\n\t\t.callback_data = lrp,\n\t};\n\tint status = 0;\n\n\tnfs4_state_protect(NFS_SERVER(lrp->args.inode)->nfs_client,\n\t\t\tNFS_SP4_MACH_CRED_PNFS_CLEANUP,\n\t\t\t&task_setup_data.rpc_client, &msg);\n\n\tdprintk(\"--> %s\\n\", __func__);\n\tif (!sync) {\n\t\tlrp->inode = nfs_igrab_and_active(lrp->args.inode);\n\t\tif (!lrp->inode) {\n\t\t\tnfs4_layoutreturn_release(lrp);\n\t\t\treturn -EAGAIN;\n\t\t}\n\t\ttask_setup_data.flags |= RPC_TASK_ASYNC;\n\t}\n\tnfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1, 0);\n\ttask = rpc_run_task(&task_setup_data);\n\tif (IS_ERR(task))\n\t\treturn PTR_ERR(task);\n\tif (sync)\n\t\tstatus = task->tk_status;\n\ttrace_nfs4_layoutreturn(lrp->args.inode, &lrp->args.stateid, status);\n\tdprintk(\"<-- %s status=%d\\n\", __func__, status);\n\trpc_put_task(task);\n\treturn status;\n}", "project": "linux", "hash": 320068410029454112973376665014022187084, "size": 41, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before 
memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431536 }, { "func": "Status GraphConstructor::ValidateShape(Node* node) {\n if (!opts_.importing || !opts_.validate_shape) return Status::OK();\n TF_RETURN_IF_ERROR(refiner_->AddNode(node));\n // For nodes with the _output_shapes attribute, override the shape.\n std::vector shape_attrs;\n const char* kAttrName = \"_output_shapes\";\n if (!TryGetNodeAttr(node->attrs(), kAttrName, &shape_attrs)) {\n // No _output_shapes attribute, the AddNode call above was sufficient.\n return Status::OK();\n }\n auto* ic = refiner_->GetContext(node);\n DCHECK(ic != nullptr)\n << \"ShapeRefiner::AddNode() should have created the InferenceContext\";\n if (shape_attrs.size() < node->num_outputs()) {\n return errors::InvalidArgument(\n \"Node '\", node->name(), \"' has \", node->num_outputs(),\n \" outputs but the \", kAttrName, \" attribute specifies shapes for \",\n shape_attrs.size(), \" outputs\");\n }\n // NOTE(skyewm): we don't raise an error here because some users depend on\n // this behavior, even though it's unsafe.\n // TODO(b/74619486): raise an error.\n if (shape_attrs.size() > node->num_outputs()) {\n LOG(WARNING) << \"Node '\" << node->name() << \"' has \" << node->num_outputs()\n << \" outputs but the \" << kAttrName\n << \" attribute specifies shapes for \" << shape_attrs.size()\n << \" outputs. 
Output shapes may be inaccurate.\";\n }\n for (int i = 0; i < node->num_outputs(); ++i) {\n const TensorShapeProto& p = *shape_attrs[i];\n shape_inference::ShapeHandle h;\n Status s = ic->MakeShapeFromShapeProto(p, &h);\n if (!s.ok()) {\n return errors::InvalidArgument(\"Node '\", node->name(), \" has an invalid \",\n kAttrName, \" attribute (shape #\", i,\n \" error:'\", s.error_message(), \"'\");\n }\n s = refiner_->SetShape(node, i, h);\n if (!s.ok()) {\n return errors::InvalidArgument(\n \"Node '\", node->name(), \"' has an \", kAttrName,\n \" attribute inconsistent with the GraphDef for output #\", i, \": \",\n s.error_message());\n }\n }\n node->ClearAttr(kAttrName);\n return Status::OK();\n}", "project": "tensorflow", "hash": 121694217256727356654603239211650976202, "size": 48, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268348 }, { "func": "UnicodeString::getTerminatedBuffer() {\n if(!isWritable()) {\n return nullptr;\n }\n UChar *array = getArrayStart();\n int32_t len = length();\n if(len < getCapacity()) {\n if(fUnion.fFields.fLengthAndFlags & kBufferIsReadonly) {\n // If lengspca_dev.usb_err < 0)\n\t\treturn -1;\n\n\t/* Avoid things going to fast for the bridge with a xhci host */\n\tudelay(150);\n\tret = usb_control_msg(sd->gspca_dev.dev,\n\t\t\tusb_rcvctrlpipe(sd->gspca_dev.dev, 0),\n\t\t\t1,\t\t\t/* REQ_IO */\n\t\t\tUSB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,\n\t\t\t0, index, sd->gspca_dev.usb_buf, 8, 500);\n\n\tif (ret >= 0) {\n\t\tret = sd->gspca_dev.usb_buf[0];\n\t} else {\n\t\tgspca_err(gspca_dev, \"reg_r8 %02x failed %d\\n\", index, ret);\n\t\tsd->gspca_dev.usb_err = ret;\n\t\t/*\n\t\t * Make sure the buffer is zeroed to avoid uninitialized\n\t\t * values.\n\t\t */\n\t\tmemset(gspca_dev->usb_buf, 0, 8);\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 44266627548694322563586923329001012213, "size": 31, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede 
\nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306285 }, { "func": "static __always_inline void slab_free(struct kmem_cache *s, struct page *page,\n\t\t\t\t void *head, void *tail, int cnt,\n\t\t\t\t unsigned long addr)\n{\n\t/*\n\t * With KASAN enabled slab_free_freelist_hook modifies the freelist\n\t * to remove objects, whose reuse must be delayed.\n\t */\n\tif (slab_free_freelist_hook(s, &head, &tail))\n\t\tdo_slab_free(s, page, head, tail, cnt, addr);\n}", "project": "linux", "hash": 35293423629008396879365311200926193668, "size": 11, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280054 }, { "func": "static enum_func_status\nmysqlnd_read_header(MYSQLND_NET * net, MYSQLND_PACKET_HEADER * header,\n\t\t\t\t\tMYSQLND_STATS * conn_stats, MYSQLND_ERROR_INFO * error_info TSRMLS_DC)\n{\n\tzend_uchar buffer[MYSQLND_HEADER_SIZE];\n\n\tDBG_ENTER(mysqlnd_read_header_name);\n\tDBG_INF_FMT(\"compressed=%u\", net->data->compressed);\n\tif (FAIL == net->data->m.receive_ex(net, buffer, MYSQLND_HEADER_SIZE, conn_stats, error_info TSRMLS_CC)) {\n\t\tDBG_RETURN(FAIL);\n\t}\n\n\theader->size = uint3korr(buffer);\n\theader->packet_no = uint1korr(buffer + 3);\n\n#ifdef MYSQLND_DUMP_HEADER_N_BODY\n\tDBG_INF_FMT(\"HEADER: prot_packet_no=%u size=%3u\", header->packet_no, header->size);\n#endif\n\tMYSQLND_INC_CONN_STATISTIC_W_VALUE2(conn_stats,\n\t\t\t\t\t\t\tSTAT_PROTOCOL_OVERHEAD_IN, MYSQLND_HEADER_SIZE,\n\t\t\t\t\t\t\tSTAT_PACKETS_RECEIVED, 1);\n\n\tif (net->data->compressed || net->packet_no == header->packet_no) {\n\t\t/*\n\t\t Have to increase the number, so we can send correct number back. It will\n\t\t round at 255 as this is unsigned char. The server needs this for simple\n\t\t flow control checking.\n\t\t*/\n\t\tnet->packet_no++;\n\t\tDBG_RETURN(PASS);\n\t}\n\n\tDBG_ERR_FMT(\"Logical link: packets out of order. Expected %u received %u. Packet size=\"MYSQLND_SZ_T_SPEC,\n\t\t\t\tnet->packet_no, header->packet_no, header->size);\n\n\tphp_error(E_WARNING, \"Packets out of order. Expected %u received %u. 
Packet size=\"MYSQLND_SZ_T_SPEC,\n\t\t\t net->packet_no, header->packet_no, header->size);\n\tDBG_RETURN(FAIL);", "project": "php-src", "hash": 172845456354744846479631460559613545779, "size": 38, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416656 }, { "func": "\tvoid InitFromNumeric(const ::Numeric::Numeric& numeric)\n\t{\n\t\tInitCommand(numeric.GetNumeric());\n\t\tfor (std::vector::const_iterator i = numeric.GetParams().begin(); i != numeric.GetParams().end(); ++i)\n\t\t\tPushParamRef(*i);\n\t}", "project": "inspircd", "hash": 252917300415494474648528112320186277158, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273261 }, { "func": "static void pfkey_terminate_dump(struct pfkey_sock *pfk)\n{\n\tif (pfk->dump.dump) {\n\t\tif (pfk->dump.skb) {\n\t\t\tkfree_skb(pfk->dump.skb);\n\t\t\tpfk->dump.skb = NULL;\n\t\t}\n\t\tpfk->dump.done(pfk);\n\t\tpfk->dump.dump = NULL;\n\t\tpfk->dump.done = NULL;\n\t}\n}", "project": "linux", "hash": 182802613757591409637271395994425833233, "size": 12, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268099 }, { "func": "void task_clear_jobctl_trapping(struct task_struct *task)\n{\n\tif (unlikely(task->jobctl & JOBCTL_TRAPPING)) {\n\t\ttask->jobctl &= ~JOBCTL_TRAPPING;\n\t\tsmp_mb();\t/* advised by wake_up_bit() */\n\t\twake_up_bit(&task->jobctl, JOBCTL_TRAPPING_BIT);\n\t}\n}", "project": "linux", "hash": 66912035191533974060913060181218265657, "size": 8, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375317 }, { "func": "void hci_req_sync_cancel(struct hci_dev *hdev, int err)\n{\n\tbt_dev_dbg(hdev, \"err 0x%2.2x\", err);\n\n\tif (hdev->req_status == HCI_REQ_PEND) {\n\t\thdev->req_result = err;\n\t\thdev->req_status = HCI_REQ_CANCELED;\n\t\twake_up_interruptible(&hdev->req_wait_q);\n\t}\n}", "project": "linux", "hash": 269171317728762741063486188969301141309, "size": 10, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402546 }, { "func": "static inline void respond_ID(struct tty_struct *tty)\n{\n\trespond_string(VT102ID, tty->port);\n}", "project": "linux", "hash": 242048631905638195198005965030911053629, "size": 4, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437057 }, { "func": "int kvm_io_bus_write(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr,\n\t\t int len, const void *val)\n{\n\tstruct kvm_io_bus *bus;\n\tstruct kvm_io_range range;\n\tint r;\n\n\trange = (struct kvm_io_range) {\n\t\t.addr = addr,\n\t\t.len = len,\n\t};\n\n\tbus = srcu_dereference(vcpu->kvm->buses[bus_idx], &vcpu->kvm->srcu);\n\tif (!bus)\n\t\treturn -ENOMEM;\n\tr = __kvm_io_bus_write(vcpu, bus, &range, val);\n\treturn r < 0 ? r : 0;\n}", "project": "linux", "hash": 80229426457246389741772809173065887522, "size": 18, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354549 }, { "func": "\nstatic void bfq_reset_rate_computation(struct bfq_data *bfqd,\n\t\t\t\t struct request *rq)\n{\n\tif (rq != NULL) { /* new rq dispatch now, reset accordingly */\n\t\tbfqd->last_dispatch = bfqd->first_dispatch = ktime_get_ns();\n\t\tbfqd->peak_rate_samples = 1;\n\t\tbfqd->sequential_samples = 0;\n\t\tbfqd->tot_sectors_dispatched = bfqd->last_rq_max_size =\n\t\t\tblk_rq_sectors(rq);\n\t} else /* no new rq dispatched, just reset the number of samples */\n\t\tbfqd->peak_rate_samples = 0; /* full re-init on next disp. 
*/\n\n\tbfq_log(bfqd,\n\t\t\"reset_rate_computation at end, sample %u/%u tot_sects %llu\",\n\t\tbfqd->peak_rate_samples, bfqd->sequential_samples,\n\t\tbfqd->tot_sectors_dispatched);", "project": "linux", "hash": 280561005105989318589033212168485796997, "size": 17, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453336 }, { "func": "static int php_vspprintf(char **pbuf, size_t max_len,\n const char *fmt, ...) 
{\n va_list arglist;\n char *buf;\n va_start(arglist, fmt);\n int len = vspprintf_ap(&buf, max_len, fmt, arglist);\n if (buf) {\n#ifdef IM_MEMORY_CHECK\n *pbuf = php_strndup_impl(buf, len, __LINE__);\n#else\n *pbuf = php_strndup_impl(buf, len);\n#endif\n free(buf);\n }\n va_end(arglist);\n return len;\n}", "project": "hhvm", "hash": 42146740317457200121666657648136294509, "size": 17, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219706 }, { "func": "int kvm_io_bus_write_cookie(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx,\n\t\t\t gpa_t addr, int len, const void *val, long cookie)\n{\n\tstruct kvm_io_bus *bus;\n\tstruct kvm_io_range range;\n\n\trange = (struct kvm_io_range) {\n\t\t.addr = addr,\n\t\t.len = len,\n\t};\n\n\tbus = srcu_dereference(vcpu->kvm->buses[bus_idx], &vcpu->kvm->srcu);\n\tif (!bus)\n\t\treturn -ENOMEM;\n\n\t/* First try the device referenced by cookie. 
*/\n\tif ((cookie >= 0) && (cookie < bus->dev_count) &&\n\t (kvm_io_bus_cmp(&range, &bus->range[cookie]) == 0))\n\t\tif (!kvm_iodevice_write(vcpu, bus->range[cookie].dev, addr, len,\n\t\t\t\t\tval))\n\t\t\treturn cookie;\n\n\t/*\n\t * cookie contained garbage; fall back to search and return the\n\t * correct cookie value.\n\t */\n\treturn __kvm_io_bus_write(vcpu, bus, &range, val);\n}", "project": "linux", "hash": 130587054268248538506395675204428027291, "size": 28, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354777 }, { "func": "void tty_driver_kref_put(struct tty_driver *driver)\n{\n\tkref_put(&driver->kref, destruct_tty_driver);\n}", "project": "linux", "hash": 160672756554975842299885607953933555499, "size": 4, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the 
right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326003 }, { "func": "static inline bool __cmpxchg_double_slab(struct kmem_cache *s, struct page *page,\n\t\tvoid *freelist_old, unsigned long counters_old,\n\t\tvoid *freelist_new, unsigned long counters_new,\n\t\tconst char *n)\n{\n\tVM_BUG_ON(!irqs_disabled());\n#if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \\\n defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)\n\tif (s->flags & __CMPXCHG_DOUBLE) {\n\t\tif (cmpxchg_double(&page->freelist, &page->counters,\n\t\t\t\t freelist_old, counters_old,\n\t\t\t\t freelist_new, counters_new))\n\t\t\treturn true;\n\t} else\n#endif\n\t{\n\t\tslab_lock(page);\n\t\tif (page->freelist == freelist_old &&\n\t\t\t\t\tpage->counters == counters_old) {\n\t\t\tpage->freelist = freelist_new;\n\t\t\tpage->counters = counters_new;\n\t\t\tslab_unlock(page);\n\t\t\treturn true;\n\t\t}\n\t\tslab_unlock(page);\n\t}\n\n\tcpu_relax();\n\tstat(s, CMPXCHG_DOUBLE_FAIL);\n\n#ifdef SLUB_DEBUG_CMPXCHG\n\tpr_info(\"%s %s: cmpxchg double redo 
\", n, s->name);\n#endif\n\n\treturn false;\n}", "project": "linux", "hash": 73548202461744182683414604277156195725, "size": 36, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280051 }, { "func": "static OPJ_BOOL opj_j2k_setup_end_compress(opj_j2k_t *p_j2k,\n opj_event_mgr_t * p_manager)\n{\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n /* DEVELOPER CORNER, insert your custom procedures */\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_write_eoc, p_manager)) {\n return OPJ_FALSE;\n }\n\n if (OPJ_IS_CINEMA(p_j2k->m_cp.rsiz) || OPJ_IS_IMF(p_j2k->m_cp.rsiz)) {\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_write_updated_tlm, p_manager)) {\n return OPJ_FALSE;\n }\n }\n\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_write_epc, p_manager)) {\n return OPJ_FALSE;\n }\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_end_encoding, p_manager)) {\n return OPJ_FALSE;\n }\n if (! 
opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_destroy_header_memory, p_manager)) {\n return OPJ_FALSE;\n }\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 44464591666661544632923815777113770754, "size": 34, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357288 }, { "func": "HttpStateData::processReplyHeader()\n{\n /** Creates a blank header. If this routine is made incremental, this will not do */\n\n /* NP: all exit points to this function MUST call ctx_exit(ctx) */\n Ctx ctx = ctx_enter(entry->mem_obj->urlXXX());\n\n debugs(11, 3, \"processReplyHeader: key '\" << entry->getMD5Text() << \"'\");\n\n assert(!flags.headers_parsed);\n\n if (!inBuf.length()) {\n ctx_exit(ctx);\n return;\n }\n\n /* Attempt to parse the first line; this will define where the protocol, status, reason-phrase and header begin */\n {\n if (hp == NULL)\n hp = new Http1::ResponseParser;\n\n bool parsedOk = hp->parse(inBuf);\n\n // sync the buffers after parsing.\n inBuf = hp->remaining();\n\n if (hp->needsMoreData()) {\n if (eof) { // no more data coming\n /* Bug 2879: Replies may terminate with \\r\\n then EOF instead of \\r\\n\\r\\n.\n * We also may receive truncated responses.\n * Ensure here that we have at minimum two \\r\\n when EOF is seen.\n */\n inBuf.append(\"\\r\\n\\r\\n\", 4);\n // retry the parse\n parsedOk = hp->parse(inBuf);\n // sync the buffers after parsing.\n inBuf = hp->remaining();\n } else {\n debugs(33, 5, \"Incomplete response, waiting for end of response headers\");\n ctx_exit(ctx);\n return;\n }\n }\n\n if (!parsedOk) {\n // unrecoverable parsing error\n // TODO: Use Raw! 
XXX: inBuf no longer has the [beginning of the] malformed header.\n debugs(11, 3, \"Non-HTTP-compliant header:\\n---------\\n\" << inBuf << \"\\n----------\");\n flags.headers_parsed = true;\n HttpReply *newrep = new HttpReply;\n newrep->sline.set(Http::ProtocolVersion(), hp->parseStatusCode);\n setVirginReply(newrep);\n ctx_exit(ctx);\n return;\n }\n }\n\n /* We know the whole response is in parser now */\n debugs(11, 2, \"HTTP Server \" << serverConnection);\n debugs(11, 2, \"HTTP Server RESPONSE:\\n---------\\n\" <<\n hp->messageProtocol() << \" \" << hp->messageStatus() << \" \" << hp->reasonPhrase() << \"\\n\" <<\n hp->mimeHeader() <<\n \"----------\");\n\n // reset payload tracking to begin after message headers\n payloadSeen = inBuf.length();\n\n HttpReply *newrep = new HttpReply;\n // XXX: RFC 7230 indicates we MAY ignore the reason phrase,\n // and use an empty string on unknown status.\n // We do that now to avoid performance regression from using SBuf::c_str()\n newrep->sline.set(Http::ProtocolVersion(1,1), hp->messageStatus() /* , hp->reasonPhrase() */);\n newrep->sline.protocol = newrep->sline.version.protocol = hp->messageProtocol().protocol;\n newrep->sline.version.major = hp->messageProtocol().major;\n newrep->sline.version.minor = hp->messageProtocol().minor;\n\n // parse headers\n if (!newrep->parseHeader(*hp)) {\n // XXX: when Http::ProtocolVersion is a function, remove this hack. just set with messageProtocol()\n newrep->sline.set(Http::ProtocolVersion(), Http::scInvalidHeader);\n newrep->sline.version.protocol = hp->messageProtocol().protocol;\n newrep->sline.version.major = hp->messageProtocol().major;\n newrep->sline.version.minor = hp->messageProtocol().minor;\n debugs(11, 2, \"error parsing response headers mime block\");\n }\n\n // done with Parser, now process using the HttpReply\n hp = NULL;\n\n newrep->sources |= request->url.getScheme() == AnyP::PROTO_HTTPS ? 
HttpMsg::srcHttps : HttpMsg::srcHttp;\n\n newrep->removeStaleWarnings();\n\n if (newrep->sline.protocol == AnyP::PROTO_HTTP && newrep->sline.status() >= 100 && newrep->sline.status() < 200) {\n handle1xx(newrep);\n ctx_exit(ctx);\n return;\n }\n\n flags.chunked = false;\n if (newrep->sline.protocol == AnyP::PROTO_HTTP && newrep->header.chunked()) {\n flags.chunked = true;\n httpChunkDecoder = new Http1::TeChunkedParser;\n }\n\n if (!peerSupportsConnectionPinning())\n request->flags.connectionAuthDisabled = true;\n\n HttpReply *vrep = setVirginReply(newrep);\n flags.headers_parsed = true;\n\n keepaliveAccounting(vrep);\n\n checkDateSkew(vrep);\n\n processSurrogateControl (vrep);\n\n request->hier.peer_reply_status = newrep->sline.status();\n\n ctx_exit(ctx);\n}", "project": "squid", "hash": 201567388183972979855318593429513052063, "size": 121, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402364 }, { "func": "static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_ev_pkt_type_change *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));\n\tif (conn && !ev->status)\n\t\tconn->pkt_type = __le16_to_cpu(ev->pkt_type);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 241157193263480836375554903650262207510, "size": 15, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431925 }, { "func": "HttpStateData::truncateVirginBody()\n{\n assert(flags.headers_parsed);\n\n HttpReply *vrep = virginReply();\n int64_t clen = -1;\n if (!vrep->expectingBody(request->method, clen) || clen < 0)\n return; // no body or a body of unknown size, including chunked\n\n if (payloadSeen - payloadTruncated <= clen)\n return; // we did not read too much or already took care of the extras\n\n if (const int64_t extras = payloadSeen - payloadTruncated - clen) {\n // server sent more that the advertised content length\n debugs(11, 5, \"payloadSeen=\" << payloadSeen <<\n \" clen=\" << clen << '/' << vrep->content_length <<\n \" trucated=\" << payloadTruncated << '+' << extras);\n\n inBuf.chop(0, inBuf.length() - extras);\n payloadTruncated += extras;\n }\n}", "project": "squid", "hash": 35697935312542317480859132811773670432, "size": 22, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402310 }, { "func": "static int kvm_s390_peek_cmma(struct kvm *kvm, struct kvm_s390_cmma_log *args,\n\t\t\t u8 *res, unsigned long bufsize)\n{\n\tunsigned long pgstev, hva, cur_gfn = args->start_gfn;\n\n\targs->count = 0;\n\twhile (args->count < bufsize) {\n\t\thva = gfn_to_hva(kvm, cur_gfn);\n\t\t/*\n\t\t * We return an error if the first value was invalid, but we\n\t\t * return successfully if at least one value was copied.\n\t\t */\n\t\tif (kvm_is_error_hva(hva))\n\t\t\treturn args->count ? 0 : -EFAULT;\n\t\tif (get_pgste(kvm->mm, hva, &pgstev) < 0)\n\t\t\tpgstev = 0;\n\t\tres[args->count++] = (pgstev >> 24) & 0x43;\n\t\tcur_gfn++;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 112598914995560620655012997449496377948, "size": 22, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354523 }, { "func": "static void setautogain(struct gspca_dev *gspca_dev, s32 val)\n{\n\tstruct sd *sd = 
(struct sd *) gspca_dev;\n\n\ti2c_w_mask(sd, 0x13, val ? 0x05 : 0x00, 0x05);\n}", "project": "linux", "hash": 201847218580452013553993803463541177166, "size": 6, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306322 }, { "func": "SYSCALL_DEFINE1(rmdir, const char __user *, pathname)\n{\n\treturn do_rmdir(AT_FDCWD, pathname);\n}", "project": "linux", "hash": 143643412687331745162814190768892446222, "size": 4, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295300 }, { "func": "long do_rmdir(int dfd, const char __user *pathname)\n{\n\tint error = 0;\n\tstruct filename *name;\n\tstruct dentry *dentry;\n\tstruct path path;\n\tstruct qstr last;\n\tint type;\n\tunsigned int lookup_flags = 0;\nretry:\n\tname = filename_parentat(dfd, getname(pathname), lookup_flags,\n\t\t\t\t&path, &last, &type);\n\tif (IS_ERR(name))\n\t\treturn PTR_ERR(name);\n\n\tswitch (type) {\n\tcase LAST_DOTDOT:\n\t\terror = 
-ENOTEMPTY;\n\t\tgoto exit1;\n\tcase LAST_DOT:\n\t\terror = -EINVAL;\n\t\tgoto exit1;\n\tcase LAST_ROOT:\n\t\terror = -EBUSY;\n\t\tgoto exit1;\n\t}\n\n\terror = mnt_want_write(path.mnt);\n\tif (error)\n\t\tgoto exit1;\n\n\tinode_lock_nested(path.dentry->d_inode, I_MUTEX_PARENT);\n\tdentry = __lookup_hash(&last, path.dentry, lookup_flags);\n\terror = PTR_ERR(dentry);\n\tif (IS_ERR(dentry))\n\t\tgoto exit2;\n\tif (!dentry->d_inode) {\n\t\terror = -ENOENT;\n\t\tgoto exit3;\n\t}\n\terror = security_path_rmdir(&path, dentry);\n\tif (error)\n\t\tgoto exit3;\n\terror = vfs_rmdir(path.dentry->d_inode, dentry);\nexit3:\n\tdput(dentry);\nexit2:\n\tinode_unlock(path.dentry->d_inode);\n\tmnt_drop_write(path.mnt);\nexit1:\n\tpath_put(&path);\n\tputname(name);\n\tif (retry_estale(error, lookup_flags)) {\n\t\tlookup_flags |= LOOKUP_REVAL;\n\t\tgoto retry;\n\t}\n\treturn error;\n}", "project": "linux", "hash": 284661636964904796797978434438054831864, "size": 58, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295402 }, { "func": "void blosc_destroy(void) {\n /* Return if Blosc is not initialized */\n if (!g_initlib) return;\n\n g_initlib = 0;\n release_threadpool(g_global_context);\n if (g_global_context->serial_context != NULL) {\n free_thread_context(g_global_context->serial_context);\n }\n my_free(g_global_context);\n pthread_mutex_destroy(&global_comp_mutex);\n}", "project": "c-blosc2", "hash": 4924168554629192740271417593672289810, "size": 12, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303120 }, { 
"func": "int RGWHandler_REST_S3::init_from_header(struct req_state* s,\n\t\t\t\t\tint default_formatter,\n\t\t\t\t\tbool configurable_format)\n{\n string req;\n string first;\n\n const char *req_name = s->relative_uri.c_str();\n const char *p;\n\n if (*req_name == '?') {\n p = req_name;\n } else {\n p = s->info.request_params.c_str();\n }\n\n s->info.args.set(p);\n s->info.args.parse();\n\n /* must be called after the args parsing */\n int ret = allocate_formatter(s, default_formatter, configurable_format);\n if (ret < 0)\n return ret;\n\n if (*req_name != '/')\n return 0;\n\n req_name++;\n\n if (!*req_name)\n return 0;\n\n req = req_name;\n int pos = req.find('/');\n if (pos >= 0) {\n first = req.substr(0, pos);\n } else {\n first = req;\n }\n\n /*\n * XXX The intent of the check for empty is apparently to let the bucket\n * name from DNS to be set ahead. However, we currently take the DNS\n * bucket and re-insert it into URL in rgw_rest.cc:RGWREST::preprocess().\n * So, this check is meaningless.\n *\n * Rather than dropping this, the code needs to be changed into putting\n * the bucket (and its tenant) from DNS and Host: header (HTTP_HOST)\n * into req_status.bucket_name directly.\n */\n if (s->init_state.url_bucket.empty()) {\n // Save bucket to tide us over until token is parsed.\n s->init_state.url_bucket = first;\n if (pos >= 0) {\n string encoded_obj_str = req.substr(pos+1);\n s->object = rgw_obj_key(encoded_obj_str, s->info.args.get(\"versionId\"));\n }\n } else {\n s->object = rgw_obj_key(req_name, s->info.args.get(\"versionId\"));\n }\n return 0;\n}", "project": "ceph", "hash": 318823448849759058690080166238614176635, "size": 62, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281326 }, { "func": "int 
RGWHandler_REST_SWIFT::init_from_header(struct req_state* const s,\n const std::string& frontend_prefix)\n{\n string req;\n string first;\n\n s->prot_flags |= RGW_REST_SWIFT;\n\n char reqbuf[frontend_prefix.length() + s->decoded_uri.length() + 1];\n sprintf(reqbuf, \"%s%s\", frontend_prefix.c_str(), s->decoded_uri.c_str());\n const char *req_name = reqbuf;\n\n const char *p;\n\n if (*req_name == '?') {\n p = req_name;\n } else {\n p = s->info.request_params.c_str();\n }\n\n s->info.args.set(p);\n s->info.args.parse();\n\n /* Skip the leading slash of URL hierarchy. */\n if (req_name[0] != '/') {\n return 0;\n } else {\n req_name++;\n }\n\n if ('\\0' == req_name[0]) {\n return g_conf()->rgw_swift_url_prefix == \"/\" ? -ERR_BAD_URL : 0;\n }\n\n req = req_name;\n\n size_t pos = req.find('/');\n if (std::string::npos != pos && g_conf()->rgw_swift_url_prefix != \"/\") {\n bool cut_url = g_conf()->rgw_swift_url_prefix.length();\n first = req.substr(0, pos);\n\n if (first.compare(g_conf()->rgw_swift_url_prefix) == 0) {\n if (cut_url) {\n /* Rewind to the \"v1/...\" part. */\n next_tok(req, first, '/');\n }\n }\n } else if (req.compare(g_conf()->rgw_swift_url_prefix) == 0) {\n s->formatter = new RGWFormatter_Plain;\n return -ERR_BAD_URL;\n } else {\n first = req;\n }\n\n std::string tenant_path;\n if (! 
g_conf()->rgw_swift_tenant_name.empty()) {\n tenant_path = \"/AUTH_\";\n tenant_path.append(g_conf()->rgw_swift_tenant_name);\n }\n\n /* verify that the request_uri conforms with what's expected */\n char buf[g_conf()->rgw_swift_url_prefix.length() + 16 + tenant_path.length()];\n int blen;\n if (g_conf()->rgw_swift_url_prefix == \"/\") {\n blen = sprintf(buf, \"/v1%s\", tenant_path.c_str());\n } else {\n blen = sprintf(buf, \"/%s/v1%s\",\n g_conf()->rgw_swift_url_prefix.c_str(), tenant_path.c_str());\n }\n\n if (strncmp(reqbuf, buf, blen) != 0) {\n return -ENOENT;\n }\n\n int ret = allocate_formatter(s, RGW_FORMAT_PLAIN, true);\n if (ret < 0)\n return ret;\n\n string ver;\n\n next_tok(req, ver, '/');\n\n if (!tenant_path.empty() || g_conf()->rgw_swift_account_in_url) {\n string account_name;\n next_tok(req, account_name, '/');\n\n /* Erase all pre-defined prefixes like \"AUTH_\" or \"KEY_\". */\n const vector skipped_prefixes = { \"AUTH_\", \"KEY_\" };\n\n for (const auto pfx : skipped_prefixes) {\n const size_t comp_len = min(account_name.length(), pfx.length());\n if (account_name.compare(0, comp_len, pfx) == 0) {\n /* Prefix is present. Drop it. 
*/\n account_name = account_name.substr(comp_len);\n break;\n }\n }\n\n if (account_name.empty()) {\n return -ERR_PRECONDITION_FAILED;\n } else {\n s->account_name = account_name;\n }\n }\n\n next_tok(req, first, '/');\n\n dout(10) << \"ver=\" << ver << \" first=\" << first << \" req=\" << req << dendl;\n if (first.size() == 0)\n return 0;\n\n s->info.effective_uri = \"/\" + first;\n\n // Save bucket to tide us over until token is parsed.\n s->init_state.url_bucket = first;\n\n if (req.size()) {\n s->object =\n rgw_obj_key(req, s->info.env->get(\"HTTP_X_OBJECT_VERSION_ID\", \"\")); /* rgw swift extension */\n s->info.effective_uri.append(\"/\" + s->object.name);\n }\n\n return 0;\n}", "project": "ceph", "hash": 160464439385052818665068505119721651260, "size": 124, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448814 }, { "func": "static int pep_sock_enable(struct sock *sk, struct sockaddr *addr, int len)\n{\n\tint err;\n\n\terr = pipe_handler_request(sk, PNS_PEP_ENABLE_REQ, PAD,\n\t\t\t\tNULL, 0);\n\tif (err)\n\t\treturn err;\n\n\tsk->sk_state = TCP_SYN_SENT;\n\n\treturn 0;\n}", "project": "linux", "hash": 22457643969779605588669132923343671537, "size": 13, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224794 }, { "func": "static void 
mark_hint(hint_t hint) {\n\tint x = hint.x;\t\n\tint y = hint.y;\t\n\tint w = hint.w;\t\n\tint h = hint.h;\t\n\n\tmark_rect_as_modified(x, y, x + w, y + h, 0);\n}", "project": "x11vnc", "hash": 91993548335458761226350192030336623156, "size": 8, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360782 }, { "func": "static enum print_line_t print_raw_fmt(struct trace_iterator *iter)\n{\n\tstruct trace_array *tr = iter->tr;\n\tstruct trace_seq *s = &iter->seq;\n\tstruct trace_entry *entry;\n\tstruct trace_event *event;\n\n\tentry = iter->ent;\n\n\tif (tr->trace_flags & TRACE_ITER_CONTEXT_INFO)\n\t\ttrace_seq_printf(s, \"%d %d %llu \",\n\t\t\t\t entry->pid, iter->cpu, iter->ts);\n\n\tif (trace_seq_has_overflowed(s))\n\t\treturn TRACE_TYPE_PARTIAL_LINE;\n\n\tevent = ftrace_find_event(entry->type);\n\tif (event)\n\t\treturn event->funcs->raw(iter, 0, event);\n\n\ttrace_seq_printf(s, \"%d ?\\n\", entry->type);\n\n\treturn trace_handle_return(s);\n}", "project": "linux", "hash": 319649122290488335123087697834983287051, "size": 24, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445544 }, { "func": "static u64 buffer_ftrace_now(struct trace_buffer *buf, int cpu)\n{\n\tu64 ts;\n\n\t/* Early boot up does not have a buffer yet */\n\tif (!buf->buffer)\n\t\treturn trace_clock_local();\n\n\tts = ring_buffer_time_stamp(buf->buffer, cpu);\n\tring_buffer_normalize_time_stamp(buf->buffer, cpu, &ts);\n\n\treturn ts;\n}", "project": "linux", "hash": 281677481596289804693393792540787196084, "size": 13, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445759 }, { "func": "static void init_ppgtt_reg_state(u32 *regs, const struct i915_ppgtt *ppgtt)\n{\n\tif (i915_vm_is_4lvl(&ppgtt->vm)) {\n\t\t/* 64b PPGTT (48bit canonical)\n\t\t * PDP0_DESCRIPTOR contains the base address to PML4 and\n\t\t * other PDP Descriptors are ignored.\n\t\t */\n\t\tASSIGN_CTX_PML4(ppgtt, regs);\n\t} else {\n\t\tASSIGN_CTX_PDP(ppgtt, regs, 3);\n\t\tASSIGN_CTX_PDP(ppgtt, regs, 2);\n\t\tASSIGN_CTX_PDP(ppgtt, regs, 1);\n\t\tASSIGN_CTX_PDP(ppgtt, regs, 0);\n\t}\n}", "project": "linux", "hash": 275237769818273981904162592812661517564, "size": 15, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281414 }, { "func": "DLLEXPORT unsigned long DLLCALL tjBufSizeYUV(int width, int height,\n\tint subsamp)\n{\n\treturn tjBufSizeYUV2(width, 4, height, subsamp);\n}", "project": "libjpeg-turbo", "hash": 328443660481080366759161071044194022859, "size": 5, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311134 }, { "func": "static int sctp_setsockopt_default_send_param(struct sock *sk,\n\t\t\t\t\t struct sctp_sndrcvinfo *info,\n\t\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_association *asoc;\n\n\tif (optlen != sizeof(*info))\n\t\treturn -EINVAL;\n\tif (info->sinfo_flags &\n\t ~(SCTP_UNORDERED | SCTP_ADDR_OVER |\n\t SCTP_ABORT | SCTP_EOF))\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, info->sinfo_assoc_id);\n\tif (!asoc && info->sinfo_assoc_id > SCTP_ALL_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc) {\n\t\tasoc->default_stream = info->sinfo_stream;\n\t\tasoc->default_flags = info->sinfo_flags;\n\t\tasoc->default_ppid = info->sinfo_ppid;\n\t\tasoc->default_context = info->sinfo_context;\n\t\tasoc->default_timetolive = info->sinfo_timetolive;\n\n\t\treturn 0;\n\t}\n\n\tif (sctp_style(sk, TCP))\n\t\tinfo->sinfo_assoc_id = SCTP_FUTURE_ASSOC;\n\n\tif (info->sinfo_assoc_id == SCTP_FUTURE_ASSOC ||\n\t info->sinfo_assoc_id == SCTP_ALL_ASSOC) {\n\t\tsp->default_stream = 
info->sinfo_stream;\n\t\tsp->default_flags = info->sinfo_flags;\n\t\tsp->default_ppid = info->sinfo_ppid;\n\t\tsp->default_context = info->sinfo_context;\n\t\tsp->default_timetolive = info->sinfo_timetolive;\n\t}\n\n\tif (info->sinfo_assoc_id == SCTP_CURRENT_ASSOC ||\n\t info->sinfo_assoc_id == SCTP_ALL_ASSOC) {\n\t\tlist_for_each_entry(asoc, &sp->ep->asocs, asocs) {\n\t\t\tasoc->default_stream = info->sinfo_stream;\n\t\t\tasoc->default_flags = info->sinfo_flags;\n\t\t\tasoc->default_ppid = info->sinfo_ppid;\n\t\t\tasoc->default_context = info->sinfo_context;\n\t\t\tasoc->default_timetolive = info->sinfo_timetolive;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 244490635775802707828909379915327216842, "size": 54, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398176 }, { "func": "int bcf_update_alleles_str(const bcf_hdr_t *hdr, bcf1_t *line, const char *alleles_string)\n{\n if ( !(line->unpacked & BCF_UN_STR) ) bcf_unpack(line, BCF_UN_STR);\n kstring_t tmp;\n tmp.l = 0; tmp.s = line->d.als; tmp.m = line->d.m_als;\n kputs(alleles_string, &tmp);\n line->d.als = tmp.s; line->d.m_als = tmp.m;\n\n int nals = 1;\n char *t = line->d.als;\n while (*t)\n {\n if ( *t==',' ) { *t = 0; nals++; }\n t++;\n }\n return _bcf1_sync_alleles(hdr, line, nals);\n}", "project": "htslib", "hash": 305808105335196793651091328032798478885, "size": 17, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402158 }, { "func": "static int tracing_snapshot_release(struct inode *inode, struct file *file)\n{\n\tstruct seq_file *m = file->private_data;\n\tint ret;\n\n\tret = tracing_release(inode, file);\n\n\tif (file->f_mode & FMODE_READ)\n\t\treturn ret;\n\n\t/* If write only, the seq_file is just a stub */\n\tif (m)\n\t\tkfree(m->private);\n\tkfree(m);\n\n\treturn 0;\n}", "project": "linux", "hash": 217982019417116822784948174959298595740, "size": 17, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445821 }, { "func": "static int verify_key_len(const void *p)\n{\n\tconst struct sadb_key *key = p;\n\n\tif (sadb_key_len(key) > key->sadb_key_len)\n\t\treturn -EINVAL;\n\n\treturn 0;\n}", "project": "linux", "hash": 85604317215792579719276125414011803206, "size": 9, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268076 }, { "func": "LUA_API int lua_getstack(lua_State *L, int level, lua_Debug *ar)\n{\n int size;\n cTValue *frame = lj_debug_frame(L, level, &size);\n if (frame) {\n ar->i_ci = (size << 16) + (int)(frame - tvref(L->stack));\n return 1;\n } else {\n ar->i_ci = level - size;\n return 0;\n }\n}", "project": "LuaJIT", "hash": 9333986647354767480611228137695764267, "size": 12, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394652 }, { "func": "static int kvm_s390_set_processor_feat(struct kvm *kvm,\n\t\t\t\t struct kvm_device_attr *attr)\n{\n\tstruct kvm_s390_vm_cpu_feat data;\n\n\tif (copy_from_user(&data, (void __user *)attr->addr, sizeof(data)))\n\t\treturn -EFAULT;\n\tif (!bitmap_subset((unsigned long *) data.feat,\n\t\t\t kvm_s390_available_cpu_feat,\n\t\t\t KVM_S390_VM_CPU_FEAT_NR_BITS))\n\t\treturn -EINVAL;\n\n\tmutex_lock(&kvm->lock);\n\tif (kvm->created_vcpus) {\n\t\tmutex_unlock(&kvm->lock);\n\t\treturn -EBUSY;\n\t}\n\tbitmap_copy(kvm->arch.cpu_feat, (unsigned long *) data.feat,\n\t\t KVM_S390_VM_CPU_FEAT_NR_BITS);\n\tmutex_unlock(&kvm->lock);\n\tVM_EVENT(kvm, 3, \"SET: guest feat: 0x%16.16llx.0x%16.16llx.0x%16.16llx\",\n\t\t\t data.feat[0],\n\t\t\t data.feat[1],\n\t\t\t data.feat[2]);\n\treturn 0;\n}", "project": "linux", "hash": 255670400128262258246155405279981934210, "size": 26, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in 
search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354592 }, { "func": "UnicodeString::setCharAt(int32_t offset,\n UChar c)\n{\n int32_t len = length();\n if(cloneArrayIfNeeded() && len > 0) {\n if(offset < 0) {\n offset = 0;\n } else if(offset >= len) {\n offset = len - 1;\n }\n\n getArrayStart()[offset] = c;\n }\n return *this;\n}", "project": "icu", "hash": 67042792744617086086850201620503748011, "size": 15, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430860 }, { "func": "String stringForEach(uint32_t len, const String& str, Op action) {\n String ret = mutate ? 
str : String(len, ReserveString);\n\n auto srcSlice = str.slice();\n\n const char* src = srcSlice.begin();\n const char* end = srcSlice.end();\n\n char* dst = ret.mutableData();\n\n for (; src != end; ++src, ++dst) {\n *dst = action(*src);\n }\n\n if (!mutate) ret.setSize(len);\n return ret;\n}", "project": "hhvm", "hash": 304757926457620391704464859557622428216, "size": 17, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219582 }, { "func": "static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,\n\t\t\t\t char __user *optval, int __user *optlen)\n{\n\tstruct sctp_endpoint *ep = sctp_sk(sk)->ep;\n\tstruct sctp_hmacalgo __user *p = (void __user *)optval;\n\tstruct sctp_hmac_algo_param *hmacs;\n\t__u16 data_len = 0;\n\tu32 num_idents;\n\tint i;\n\n\tif (!ep->auth_enable)\n\t\treturn -EACCES;\n\n\thmacs = ep->auth_hmacs_list;\n\tdata_len = ntohs(hmacs->param_hdr.length) -\n\t\t sizeof(struct sctp_paramhdr);\n\n\tif (len < sizeof(struct sctp_hmacalgo) + data_len)\n\t\treturn -EINVAL;\n\n\tlen = sizeof(struct sctp_hmacalgo) + data_len;\n\tnum_idents = data_len / sizeof(u16);\n\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\tif (put_user(num_idents, &p->shmac_num_idents))\n\t\treturn -EFAULT;\n\tfor (i = 0; i < num_idents; i++) {\n\t\t__u16 hmacid = ntohs(hmacs->hmac_ids[i]);\n\n\t\tif (copy_to_user(&p->shmac_idents[i], &hmacid, sizeof(__u16)))\n\t\t\treturn -EFAULT;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 312906508624063014389443996843438153451, "size": 35, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following 
functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398100 }, { "func": "static int svm_cpu_init(int cpu)\n{\n\tstruct svm_cpu_data *sd;\n\tint r;\n\n\tsd = kzalloc(sizeof(struct svm_cpu_data), GFP_KERNEL);\n\tif (!sd)\n\t\treturn -ENOMEM;\n\tsd->cpu = cpu;\n\tr = -ENOMEM;\n\tsd->save_area = alloc_page(GFP_KERNEL);\n\tif (!sd->save_area)\n\t\tgoto err_1;\n\n\tif (svm_sev_enabled()) {\n\t\tr = -ENOMEM;\n\t\tsd->sev_vmcbs = kmalloc_array(max_sev_asid + 1,\n\t\t\t\t\t sizeof(void *),\n\t\t\t\t\t GFP_KERNEL);\n\t\tif (!sd->sev_vmcbs)\n\t\t\tgoto err_1;\n\t}\n\n\tper_cpu(svm_data, cpu) = sd;\n\n\treturn 0;\n\nerr_1:\n\tkfree(sd);\n\treturn r;\n\n}", "project": "linux", "hash": 19969613992103226668284025200331411815, "size": 32, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 1, "dataset": "other", "idx": 210296 }, { "func": "static int svm_cpu_init(int cpu)\n{\n\tstruct svm_cpu_data *sd;\n\n\tsd = kzalloc(sizeof(struct svm_cpu_data), GFP_KERNEL);\n\tif (!sd)\n\t\treturn -ENOMEM;\n\tsd->cpu = cpu;\n\tsd->save_area = alloc_page(GFP_KERNEL);\n\tif (!sd->save_area)\n\t\tgoto free_cpu_data;\n\n\tif (svm_sev_enabled()) {\n\t\tsd->sev_vmcbs = kmalloc_array(max_sev_asid + 1,\n\t\t\t\t\t sizeof(void *),\n\t\t\t\t\t GFP_KERNEL);\n\t\tif (!sd->sev_vmcbs)\n\t\t\tgoto free_save_area;\n\t}\n\n\tper_cpu(svm_data, cpu) = sd;\n\n\treturn 0;\n\nfree_save_area:\n\t__free_page(sd->save_area);\nfree_cpu_data:\n\tkfree(sd);\n\treturn -ENOMEM;\n\n}", "project": "linux", "hash": 183067082748724995934254062159834476787, "size": 31, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432423 }, { "func": "static int svm_cpu_init(int cpu)\n{\n\tstruct svm_cpu_data *sd;\n\tint r;\n\n\tsd = kzalloc(sizeof(struct svm_cpu_data), GFP_KERNEL);\n\tif (!sd)\n\t\treturn -ENOMEM;\n\tsd->cpu = cpu;\n\tsd->save_area = alloc_page(GFP_KERNEL);\n\tr = -ENOMEM;\n\tif (!sd->save_area)\n\t\tgoto err_1;\n\n\tper_cpu(svm_data, cpu) = sd;\n\n\treturn 0;\n\nerr_1:\n\tkfree(sd);\n\treturn r;\n\n}", "project": "kvm", "hash": 320150520897988062955574928527717994202, "size": 23, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437574 }, { "func": "static bool checkreturn pb_dec_bytes(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n uint32_t size;\n size_t alloc_size;\n pb_bytes_array_t *bdest;\n \n if (!pb_decode_varint32(stream, &size))\n return false;\n \n if (size > PB_SIZE_MAX)\n PB_RETURN_ERROR(stream, \"bytes overflow\");\n \n alloc_size = PB_BYTES_ARRAY_T_ALLOCSIZE(size);\n if (size > alloc_size)\n PB_RETURN_ERROR(stream, \"size too large\");\n \n if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)\n {\n#ifndef PB_ENABLE_MALLOC\n PB_RETURN_ERROR(stream, \"no malloc support\");\n#else\n if (!allocate_field(stream, dest, alloc_size, 1))\n return false;\n bdest = *(pb_bytes_array_t**)dest;\n#endif\n }\n else\n {\n if (alloc_size > field->data_size)\n 
PB_RETURN_ERROR(stream, \"bytes overflow\");\n bdest = (pb_bytes_array_t*)dest;\n }\n\n bdest->size = (pb_size_t)size;\n return pb_read(stream, bdest->bytes, size);\n}", "project": "nanopb", "hash": 112075376225029583480864505636959730093, "size": 36, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252517 }, { "func": "static bool checkreturn pb_dec_bytes(pb_istream_t *stream, const pb_field_t *field, void *dest)\n{\n uint32_t size;\n size_t alloc_size;\n pb_bytes_array_t *bdest;\n \n if (!pb_decode_varint32(stream, &size))\n return false;\n \n alloc_size = PB_BYTES_ARRAY_T_ALLOCSIZE(size);\n if (size > alloc_size)\n PB_RETURN_ERROR(stream, \"size too large\");\n \n if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)\n {\n#ifndef PB_ENABLE_MALLOC\n PB_RETURN_ERROR(stream, \"no malloc support\");\n#else\n if (!allocate_field(stream, dest, alloc_size, 1))\n return false;\n bdest = *(pb_bytes_array_t**)dest;\n#endif\n }\n else\n {\n if (alloc_size > field->data_size)\n PB_RETURN_ERROR(stream, \"bytes overflow\");\n bdest = (pb_bytes_array_t*)dest;\n }\n \n bdest->size = size;\n\n return pb_read(stream, bdest->bytes, size);\n}", "project": "nanopb", "hash": 176527985300012123623209243129181224526, "size": 34, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255335 }, { "func": "static ssize_t order_store(struct kmem_cache *s,\n\t\t\t\tconst char *buf, size_t length)\n{\n\tunsigned int order;\n\tint err;\n\n\terr = kstrtouint(buf, 10, &order);\n\tif (err)\n\t\treturn err;\n\n\tif (order > slub_max_order || order < slub_min_order)\n\t\treturn -EINVAL;\n\n\tcalculate_sizes(s, order);\n\treturn length;\n}", "project": "linux", "hash": 163976712007808687343637190501147870514, "size": 16, "commit_id": 
"fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280057 }, { "func": "bool zx_confirmZxLiquidTx(uint32_t data_total, const EthereumSignTx *msg) {\n (void)data_total;\n const TokenType *token;\n char constr1[40], constr2[40], *arStr = \"\";\n uint8_t *tokenAddress, *deadlineBytes;\n bignum256 tokenAmount, tokenMinAmount, ethMinAmount;\n uint64_t deadline;\n\n if (isAddLiquidityEthCall(msg)) {\n arStr = \"uniswap add liquidity\";\n } else if (isRemoveLiquidityEthCall(msg)) {\n arStr = \"uniswap remove liquidity\";\n } else {\n return false;\n }\n\n tokenAddress = (uint8_t *)(msg->data_initial_chunk.bytes + 4 + 32 - 20);\n token = tokenByChainAddress(msg->chain_id, tokenAddress);\n bn_from_bytes(msg->data_initial_chunk.bytes + 4 + 32, 32, &tokenAmount);\n bn_from_bytes(msg->data_initial_chunk.bytes + 4 + 2*32, 32, &tokenMinAmount);\n bn_from_bytes(msg->data_initial_chunk.bytes + 4 + 3*32, 32, ðMinAmount);\n deadlineBytes = (uint8_t *)(msg->data_initial_chunk.bytes + 4 + 6*32 - 8);\n deadline = ((uint64_t)deadlineBytes[0] << 8*7) |\n ((uint64_t)deadlineBytes[1] << 8*6) |\n ((uint64_t)deadlineBytes[2] << 8*5) |\n ((uint64_t)deadlineBytes[3] << 8*4) |\n ((uint64_t)deadlineBytes[4] << 8*3) |\n ((uint64_t)deadlineBytes[5] << 8*2) |\n 
((uint64_t)deadlineBytes[6] << 8*1) |\n ((uint64_t)deadlineBytes[7]);\n \n char tokbuf[32];\n ethereumFormatAmount(&tokenAmount, token, msg->chain_id, tokbuf, sizeof(tokbuf));\n snprintf(constr1, 32, \"%s\", tokbuf);\n ethereumFormatAmount(&tokenMinAmount, token, msg->chain_id, tokbuf, sizeof(tokbuf));\n snprintf(constr2, 32, \"%s\", tokbuf);\n confirm(ButtonRequestType_ButtonRequest_ConfirmOutput, arStr,\n \"%s\\nMinimum %s\", constr1, constr2);\n if (!confirmFromAccountMatch(msg, arStr)) {\n return false;\n }\n \n ethereumFormatAmount(ðMinAmount, NULL, msg->chain_id, tokbuf, sizeof(tokbuf));\n snprintf(constr1, 32, \"%s\", tokbuf);\n confirm(ButtonRequestType_ButtonRequest_ConfirmOutput, arStr,\n \"Minimum %s\", constr1);\n\n confirm(ButtonRequestType_ButtonRequest_ConfirmOutput, arStr,\n \"Deadline %s\", ctime((const time_t *)&deadline));\n \n return true;\n}", "project": "keepkey-firmware", "hash": 331642616408547414998462311649658066117, "size": 52, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220891 }, { "func": "void ProtocolV1::write_event() {\n ldout(cct, 10) << __func__ << dendl;\n ssize_t r = 0;\n\n connection->write_lock.lock();\n if (can_write == WriteStatus::CANWRITE) {\n if (keepalive) {\n append_keepalive_or_ack();\n keepalive = false;\n }\n\n auto start = ceph::mono_clock::now();\n bool more;\n do {\n bufferlist data;\n Message *m = _get_next_outgoing(&data);\n if (!m) {\n break;\n }\n\n if (!connection->policy.lossy) {\n // put on sent list\n sent.push_back(m);\n m->get();\n }\n more = !out_q.empty();\n connection->write_lock.unlock();\n\n // send_message or requeue messages may not encode message\n if (!data.length()) {\n prepare_send_message(connection->get_features(), m, data);\n }\n\n if (m->queue_start != ceph::mono_time()) {\n connection->logger->tinc(l_msgr_send_messages_queue_lat,\n\t\t\t\t ceph::mono_clock::now() - m->queue_start);\n }\n\n r = write_message(m, 
data, more);\n\n connection->write_lock.lock();\n if (r == 0) {\n ;\n } else if (r < 0) {\n ldout(cct, 1) << __func__ << \" send msg failed\" << dendl;\n break;\n } else if (r > 0) {\n\t// Outbound message in-progress, thread will be re-awoken\n\t// when the outbound socket is writeable again\n\tbreak;\n }\n } while (can_write == WriteStatus::CANWRITE);\n write_in_progress = false;\n connection->write_lock.unlock();\n\n // if r > 0 mean data still lefted, so no need _try_send.\n if (r == 0) {\n uint64_t left = ack_left;\n if (left) {\n ceph_le64 s;\n s = in_seq;\n connection->outgoing_bl.append(CEPH_MSGR_TAG_ACK);\n connection->outgoing_bl.append((char *)&s, sizeof(s));\n ldout(cct, 10) << __func__ << \" try send msg ack, acked \" << left\n << \" messages\" << dendl;\n ack_left -= left;\n left = ack_left;\n r = connection->_try_send(left);\n } else if (is_queued()) {\n r = connection->_try_send();\n }\n }\n\n connection->logger->tinc(l_msgr_running_send_time,\n ceph::mono_clock::now() - start);\n if (r < 0) {\n ldout(cct, 1) << __func__ << \" send msg failed\" << dendl;\n connection->lock.lock();\n fault();\n connection->lock.unlock();\n return;\n }\n } else {\n write_in_progress = false;\n connection->write_lock.unlock();\n connection->lock.lock();\n connection->write_lock.lock();\n if (state == STANDBY && !connection->policy.server && is_queued()) {\n ldout(cct, 10) << __func__ << \" policy.server is false\" << dendl;\n connection->_connect();\n } else if (connection->cs && state != NONE && state != CLOSED &&\n state != START_CONNECT) {\n r = connection->_try_send();\n if (r < 0) {\n ldout(cct, 1) << __func__ << \" send outcoming bl failed\" << dendl;\n connection->write_lock.unlock();\n fault();\n connection->lock.unlock();\n return;\n }\n }\n connection->write_lock.unlock();\n connection->lock.unlock();\n }\n}", "project": "ceph", "hash": 114277670004312865929577413322302997870, "size": 105, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": 
"msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f (\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 0, "dataset": "other", "idx": 356889 }, { "func": "void hci_req_init(struct hci_request *req, struct hci_dev *hdev)\n{\n\tskb_queue_head_init(&req->cmd_q);\n\treq->hdev = hdev;\n\treq->err = 0;\n}", "project": "linux", "hash": 301447510789294222882998091322329889699, "size": 6, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402545 }, { "func": "static inline u64 fuse_dentry_time(const struct dentry *entry)\n{\n\treturn (u64)entry->d_fsdata;\n}", "project": "linux", "hash": 245227159557742336724127564146343222221, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341906 }, { "func": "static inline u64 fuse_dentry_time(const struct dentry *entry)\n{\n\treturn ((union fuse_dentry *) entry->d_fsdata)->time;\n}", "project": "linux", "hash": 107768380328241904325310661002616894594, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341959 }, { "func": "void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color)\n{\n\tint lastBorder;\n\t/* Seek left */\n\tint leftLimit = -1, rightLimit;\n\tint i, restoreAlphaBlending = 0;\n\n\tif (border < 0) {\n\t\t/* Refuse to fill to a non-solid border */\n\t\treturn;\n\t}\n\n\trestoreAlphaBlending = im->alphaBlendingFlag;\n\tim->alphaBlendingFlag = 0;\n\n\tif (x >= im->sx) {\n\t\tx = im->sx - 1;\n\t} else if (x < 0) {\n\t\tx = 0;\n\t}\n\tif (y >= im->sy) {\n\t\ty = im->sy - 1;\n\t} else if (y < 0) {\n\t\ty = 0;\n\t}\n\n\tfor (i = x; i >= 0; i--) {\n\t\tif (gdImageGetPixel(im, i, y) == border) {\n\t\t\tbreak;\n\t\t}\n\t\tgdImageSetPixel(im, i, y, color);\n\t\tleftLimit = i;\n\t}\n\tif (leftLimit == -1) {\n\t\tim->alphaBlendingFlag = restoreAlphaBlending;\n\t\treturn;\n\t}\n\t/* Seek right */\n\trightLimit = x;\n\tfor (i = (x + 1); i < im->sx; i++) {\n\t\tif (gdImageGetPixel(im, i, y) == border) {\n\t\t\tbreak;\n\t\t}\n\t\tgdImageSetPixel(im, i, y, color);\n\t\trightLimit = i;\n\t}\n\t/* Look at lines above and below and start paints */\n\t/* Above */\n\tif (y > 0) {\n\t\tlastBorder = 1;\n\t\tfor (i = leftLimit; i <= rightLimit; i++) {\n\t\t\tint c = gdImageGetPixel(im, i, y - 1);\n\t\t\tif (lastBorder) {\n\t\t\t\tif ((c != border) && (c != color)) 
{\n\t\t\t\t\tgdImageFillToBorder(im, i, y - 1, border, color);\n\t\t\t\t\tlastBorder = 0;\n\t\t\t\t}\n\t\t\t} else if ((c == border) || (c == color)) {\n\t\t\t\tlastBorder = 1;\n\t\t\t}\n\t\t}\n\t}\n\n\t/* Below */\n\tif (y < ((im->sy) - 1)) {\n\t\tlastBorder = 1;\n\t\tfor (i = leftLimit; i <= rightLimit; i++) {\n\t\t\tint c = gdImageGetPixel(im, i, y + 1);\n\n\t\t\tif (lastBorder) {\n\t\t\t\tif ((c != border) && (c != color)) {\n\t\t\t\t\tgdImageFillToBorder(im, i, y + 1, border, color);\n\t\t\t\t\tlastBorder = 0;\n\t\t\t\t}\n\t\t\t} else if ((c == border) || (c == color)) {\n\t\t\t\tlastBorder = 1;\n\t\t\t}\n\t\t}\n\t}\n\tim->alphaBlendingFlag = restoreAlphaBlending;\n}", "project": "php-src", "hash": 6007855307838391667240909260497002267, "size": 81, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295133 }, { "func": "static OPJ_UINT32 opj_j2k_get_specific_header_sizes(opj_j2k_t *p_j2k)\n{\n OPJ_UINT32 l_nb_bytes = 0;\n OPJ_UINT32 l_nb_comps;\n OPJ_UINT32 l_coc_bytes, l_qcc_bytes;\n\n l_nb_comps = p_j2k->m_private_image->numcomps - 1;\n l_nb_bytes += opj_j2k_get_max_toc_size(p_j2k);\n\n if (!(OPJ_IS_CINEMA(p_j2k->m_cp.rsiz))) {\n l_coc_bytes = opj_j2k_get_max_coc_size(p_j2k);\n l_nb_bytes += l_nb_comps * l_coc_bytes;\n\n l_qcc_bytes = opj_j2k_get_max_qcc_size(p_j2k);\n l_nb_bytes += l_nb_comps * l_qcc_bytes;\n }\n\n l_nb_bytes += opj_j2k_get_max_poc_size(p_j2k);\n\n if (p_j2k->m_specific_param.m_encoder.m_PLT) {\n /* Reserve space for PLT markers */\n\n OPJ_UINT32 i;\n const opj_cp_t * l_cp = &(p_j2k->m_cp);\n OPJ_UINT32 l_max_packet_count = 0;\n for (i = 0; i < l_cp->th * l_cp->tw; ++i) {\n l_max_packet_count = opj_uint_max(l_max_packet_count,\n opj_get_encoding_packet_count(p_j2k->m_private_image, l_cp, i));\n }\n /* Minimum 6 bytes per PLT marker, and at a minimum (taking a pessimistic */\n /* estimate 
of 4 bytes for a packet size), one can write */\n /* (65536-6) / 4 = 16382 paquet sizes per PLT marker */\n p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT =\n 6 * opj_uint_ceildiv(l_max_packet_count, 16382);\n /* Maximum 5 bytes per packet to encode a full UINT32 */\n p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT +=\n l_nb_bytes += 5 * l_max_packet_count;\n p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT += 1;\n l_nb_bytes += p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT;\n }\n\n /*** DEVELOPER CORNER, Add room for your headers ***/\n\n return l_nb_bytes;\n}", "project": "openjpeg", "hash": 196658131252953316429752837842298098274, "size": 45, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357376 }, { "func": "void LibRaw::process_Sony_0x0116(uchar *buf, ushort len, unsigned long long id)\n{\n int i = 0;\n\n if (((id == SonyID_DSLR_A900) ||\n (id == SonyID_DSLR_A900_APSC) ||\n (id == SonyID_DSLR_A850) ||\n (id == SonyID_DSLR_A850_APSC)) &&\n (len >= 2))\n i = 1;\n else if ((id >= SonyID_DSLR_A550) && (len >= 3))\n i = 2;\n else\n return;\n\n imCommon.BatteryTemperature = (float)(buf[i] - 32) / 1.8f;\n}", "project": "LibRaw", "hash": 11669846482309766866988451801339034590, "size": 17, "commit_id": "c243f4539233053466c1309bde606815351bee81", "message": "additional checks in parseSonySRF\n\nparseSonySR2: buffer size check", "target": 0, "dataset": "other", "idx": 394110 }, { "func": "static void encode_fsinfo(struct xdr_stream *xdr, const u32* bitmask, struct compound_hdr *hdr)\n{\n\tencode_getattr(xdr, nfs4_fsinfo_bitmap, bitmask,\n\t\t\tARRAY_SIZE(nfs4_fsinfo_bitmap), hdr);\n}", "project": "linux", "hash": 57297534129633233912384466482955524527, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and 
memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431293 }, { "func": "static int sctp_getsockopt_paddr_thresholds(struct sock *sk,\n\t\t\t\t\t char __user *optval, int len,\n\t\t\t\t\t int __user *optlen, bool v2)\n{\n\tstruct sctp_paddrthlds_v2 val;\n\tstruct sctp_transport *trans;\n\tstruct sctp_association *asoc;\n\tint min;\n\n\tmin = v2 ? sizeof(val) : sizeof(struct sctp_paddrthlds);\n\tif (len < min)\n\t\treturn -EINVAL;\n\tlen = min;\n\tif (copy_from_user(&val, optval, len))\n\t\treturn -EFAULT;\n\n\tif (!sctp_is_any(sk, (const union sctp_addr *)&val.spt_address)) {\n\t\ttrans = sctp_addr_id2transport(sk, &val.spt_address,\n\t\t\t\t\t val.spt_assoc_id);\n\t\tif (!trans)\n\t\t\treturn -ENOENT;\n\n\t\tval.spt_pathmaxrxt = trans->pathmaxrxt;\n\t\tval.spt_pathpfthld = trans->pf_retrans;\n\t\tval.spt_pathcpthld = trans->ps_retrans;\n\n\t\tgoto out;\n\t}\n\n\tasoc = sctp_id2assoc(sk, val.spt_assoc_id);\n\tif (!asoc && val.spt_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc) {\n\t\tval.spt_pathpfthld = asoc->pf_retrans;\n\t\tval.spt_pathmaxrxt = asoc->pathmaxrxt;\n\t\tval.spt_pathcpthld = asoc->ps_retrans;\n\t} else {\n\t\tstruct sctp_sock *sp = sctp_sk(sk);\n\n\t\tval.spt_pathpfthld = sp->pf_retrans;\n\t\tval.spt_pathmaxrxt = sp->pathmaxrxt;\n\t\tval.spt_pathcpthld = sp->ps_retrans;\n\t}\n\nout:\n\tif (put_user(len, optlen) || copy_to_user(optval, &val, len))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 295897380947011432954397489914866357589, "size": 52, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in 
sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398199 }, { "func": "static void ca8210_mlme_reset_worker(struct work_struct *work)\n{\n\tstruct work_priv_container *wpc = container_of(\n\t\twork,\n\t\tstruct work_priv_container,\n\t\twork\n\t);\n\tstruct ca8210_priv *priv = wpc->priv;\n\n\tmlme_reset_request_sync(0, priv->spi);\n\tkfree(wpc);\n}", "project": "linux", "hash": 148748704443016608537631059760615590951, "size": 12, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408811 }, { "func": "static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)\n{\n\tif (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))\n\t\tgoto nla_put_failure;\n\treturn 0;\n\nnla_put_failure:\n\treturn -1;\n}", "project": 
"linux", "hash": 68012107400762734188774491112039489728, "size": 9, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394216 }, { "func": "void mutt_seqset_iterator_free(struct SeqsetIterator **ptr)\n{\n if (!ptr || !*ptr)\n return;\n\n struct SeqsetIterator *iter = *ptr;\n FREE(&iter->full_seqset);\n FREE(ptr);\n}", "project": "neomutt", "hash": 263427924187361527485864908860951915717, "size": 9, "commit_id": 
"fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399278 }, { "func": "static int io_close(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct files_struct *files = current->files;\n\tstruct io_close *close = &req->close;\n\tstruct fdtable *fdt;\n\tstruct file *file = NULL;\n\tint ret = -EBADF;\n\n\tspin_lock(&files->file_lock);\n\tfdt = files_fdtable(files);\n\tif (close->fd >= fdt->max_fds) {\n\t\tspin_unlock(&files->file_lock);\n\t\tgoto err;\n\t}\n\tfile = fdt->fd[close->fd];\n\tif (!file || file->f_op == &io_uring_fops) {\n\t\tspin_unlock(&files->file_lock);\n\t\tfile = NULL;\n\t\tgoto err;\n\t}\n\n\t/* if the file has a flush method, be safe and punt to async */\n\tif (file->f_op->flush && (issue_flags & IO_URING_F_NONBLOCK)) {\n\t\tspin_unlock(&files->file_lock);\n\t\treturn -EAGAIN;\n\t}\n\n\tret = __close_fd_get_file(close->fd, &file);\n\tspin_unlock(&files->file_lock);\n\tif (ret < 0) {\n\t\tif (ret == -ENOENT)\n\t\t\tret = -EBADF;\n\t\tgoto err;\n\t}\n\n\t/* No ->flush() or already async, safely close from here */\n\tret = filp_close(file, current->files);\nerr:\n\tif (ret < 0)\n\t\treq_set_fail_links(req);\n\tif (file)\n\t\tfput(file);\n\t__io_req_complete(req, issue_flags, ret, 0);\n\treturn 0;\n}", "project": "linux", "hash": 26003346612792215707847609337423260470, "size": 45, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338602 }, { "func": "static int rsi_mac80211_start(struct ieee80211_hw *hw)\n{\n\tstruct rsi_hw *adapter = hw->priv;\n\tstruct rsi_common *common = adapter->priv;\n\n\trsi_dbg(ERR_ZONE, \"===> Interface UP <===\\n\");\n\tmutex_lock(&common->mutex);\n\tif (common->hibernate_resume) {\n\t\tcommon->reinit_hw = true;\n\t\tadapter->host_intf_ops->reinit_device(adapter);\n\t\twait_for_completion(&adapter->priv->wlan_init_completion);\n\t}\n\tcommon->iface_down = false;\n\twiphy_rfkill_start_polling(hw->wiphy);\n\trsi_send_rx_filter_frame(common, 0);\n\tmutex_unlock(&common->mutex);\n\n\treturn 0;\n}", "project": "linux", "hash": 279781368071047748321528357607282025374, "size": 19, "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8", "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. 
So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri \nSigned-off-by: Sushant Kumar Mishra \nSigned-off-by: Kalle Valo ", "target": 0, "dataset": "other", "idx": 461661 }, { "func": "static void tipc_node_link_down(struct tipc_node *n, int bearer_id, bool delete)\n{\n\tstruct tipc_link_entry *le = &n->links[bearer_id];\n\tstruct tipc_media_addr *maddr = NULL;\n\tstruct tipc_link *l = le->link;\n\tint old_bearer_id = bearer_id;\n\tstruct sk_buff_head xmitq;\n\n\tif (!l)\n\t\treturn;\n\n\t__skb_queue_head_init(&xmitq);\n\n\ttipc_node_write_lock(n);\n\tif (!tipc_link_is_establishing(l)) {\n\t\t__tipc_node_link_down(n, &bearer_id, &xmitq, &maddr);\n\t} else {\n\t\t/* Defuse pending tipc_node_link_up() */\n\t\ttipc_link_reset(l);\n\t\ttipc_link_fsm_evt(l, LINK_RESET_EVT);\n\t}\n\tif (delete) {\n\t\tkfree(l);\n\t\tle->link = NULL;\n\t\tn->link_cnt--;\n\t}\n\ttrace_tipc_node_link_down(n, true, \"node link down or deleted!\");\n\ttipc_node_write_unlock(n);\n\tif (delete)\n\t\ttipc_mon_remove_peer(n->net, n->addr, old_bearer_id);\n\tif (!skb_queue_empty(&xmitq))\n\t\ttipc_bearer_xmit(n->net, bearer_id, &xmitq, maddr, n);\n\ttipc_sk_rcv(n->net, &le->inputq);\n}", "project": "linux", "hash": 242321290111522194334374623451389579341, "size": 34, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 
0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364931 }, { "func": "void kvm_put_kvm(struct kvm *kvm)\n{\n\tif (refcount_dec_and_test(&kvm->users_count))\n\t\tkvm_destroy_vm(kvm);\n}", "project": "linux", "hash": 313247762713446310307631879444791955151, "size": 5, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354432 }, { "func": "\nstatic void bfq_remove_request(struct request_queue *q,\n\t\t\t struct request *rq)\n{\n\tstruct bfq_queue *bfqq = RQ_BFQQ(rq);\n\tstruct bfq_data *bfqd = bfqq->bfqd;\n\tconst int sync = rq_is_sync(rq);\n\n\tif (bfqq->next_rq == rq) {\n\t\tbfqq->next_rq = bfq_find_next_rq(bfqd, bfqq, rq);\n\t\tbfq_updated_next_req(bfqd, bfqq);\n\t}\n\n\tif (rq->queuelist.prev != &rq->queuelist)\n\t\tlist_del_init(&rq->queuelist);\n\tbfqq->queued[sync]--;\n\tbfqd->queued--;\n\telv_rb_del(&bfqq->sort_list, rq);\n\n\telv_rqhash_del(q, rq);\n\tif (q->last_merge == rq)\n\t\tq->last_merge = NULL;\n\n\tif (RB_EMPTY_ROOT(&bfqq->sort_list)) {\n\t\tbfqq->next_rq = NULL;\n\n\t\tif (bfq_bfqq_busy(bfqq) && bfqq != bfqd->in_service_queue) {\n\t\t\tbfq_del_bfqq_busy(bfqd, bfqq, false);\n\t\t\t/*\n\t\t\t * bfqq emptied. 
In normal operation, when\n\t\t\t * bfqq is empty, bfqq->entity.service and\n\t\t\t * bfqq->entity.budget must contain,\n\t\t\t * respectively, the service received and the\n\t\t\t * budget used last time bfqq emptied. These\n\t\t\t * facts do not hold in this case, as at least\n\t\t\t * this last removal occurred while bfqq is\n\t\t\t * not in service. To avoid inconsistencies,\n\t\t\t * reset both bfqq->entity.service and\n\t\t\t * bfqq->entity.budget, if bfqq has still a\n\t\t\t * process that may issue I/O requests to it.\n\t\t\t */\n\t\t\tbfqq->entity.budget = bfqq->entity.service = 0;\n\t\t}\n\n\t\t/*\n\t\t * Remove queue from request-position tree as it is empty.\n\t\t */\n\t\tif (bfqq->pos_root) {\n\t\t\trb_erase(&bfqq->pos_node, bfqq->pos_root);\n\t\t\tbfqq->pos_root = NULL;\n\t\t}\n\t} else {\n\t\t/* see comments on bfq_pos_tree_add_move() for the unlikely() */\n\t\tif (unlikely(!bfqd->nonrot_with_queueing))\n\t\t\tbfq_pos_tree_add_move(bfqd, bfqq);\n\t}\n\n\tif (rq->cmd_flags & REQ_META)\n\t\tbfqq->meta_pending--;\n", "project": "linux", "hash": 168498632095918274182258483110845422270, "size": 60, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453294 }, { "func": "void CLua::vfnreturns(const char *format, va_list args)\n{\n lua_State *ls = _state;\n int nrets = return_count(ls, format);\n int sp = -nrets - 1;\n\n const char *gs = strchr(format, '>');\n if (gs)\n format = gs + 1;\n else if ((gs = strchr(format, ':')))\n format = gs + 1;\n\n for (const char *run = format; *run; ++run)\n {\n char argtype = *run;\n ++sp;\n switch (argtype)\n {\n case 'u':\n if (lua_islightuserdata(ls, sp))\n *(va_arg(args, void**)) = lua_touserdata(ls, sp);\n break;\n case 'd':\n if (lua_isnumber(ls, sp))\n *(va_arg(args, int*)) = luaL_safe_checkint(ls, sp);\n break;\n case 'b':\n *(va_arg(args, bool *)) = lua_toboolean(ls, sp);\n break;\n case 's':\n {\n const char *s = lua_tostring(ls, sp);\n if (s)\n *(va_arg(args, string *)) = s;\n break;\n }\n default:\n break;\n }\n\n }\n // Pop args off the stack\n lua_pop(ls, 
nrets);\n}", "project": "crawl", "hash": 25416394409691468570423958279326120068, "size": 44, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230523 }, { "func": " explicit UrnState(const AccessLogEntry::Pointer &anAle): ale(anAle) {}", "project": "squid", "hash": 28749220965295323393631195831183811184, "size": 1, "commit_id": "47a085ff06598b64817875769022b8707a0af7db", "message": "Bug 5104: Memory leak in RFC 2169 response parsing (#778)\n\nA temporary parsing buffer was not being released when\nparsing completed.", "target": 0, "dataset": "other", "idx": 306752 }, { "func": "static size_t account(struct entropy_store *r, size_t nbytes, int min,\n\t\t int reserved)\n{\n\tunsigned long flags;\n\n\t/* Hold lock while accounting */\n\tspin_lock_irqsave(&r->lock, flags);\n\n\tBUG_ON(r->entropy_count > r->poolinfo->POOLBITS);\n\tDEBUG_ENT(\"trying to extract %d bits from %s\\n\",\n\t\t nbytes * 8, r->name);\n\n\t/* Can we pull enough? */\n\tif (r->entropy_count / 8 < min + reserved) {\n\t\tnbytes = 0;\n\t} else {\n\t\t/* If limited, never pull more than available */\n\t\tif (r->limit && nbytes + reserved >= r->entropy_count / 8)\n\t\t\tnbytes = r->entropy_count/8 - reserved;\n\n\t\tif (r->entropy_count / 8 >= nbytes + reserved)\n\t\t\tr->entropy_count -= nbytes*8;\n\t\telse\n\t\t\tr->entropy_count = reserved;\n\n\t\tif (r->entropy_count < random_write_wakeup_thresh) {\n\t\t\twake_up_interruptible(&random_write_wait);\n\t\t\tkill_fasync(&fasync, SIGIO, POLL_OUT);\n\t\t}\n\t}\n\n\tDEBUG_ENT(\"debiting %d entropy credits from %s%s\\n\",\n\t\t nbytes * 8, r->name, r->limit ? 
\"\" : \" (unlimited)\");\n\n\tspin_unlock_irqrestore(&r->lock, flags);\n\n\treturn nbytes;\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 179636751036391628386328231221316737450, "size": 38, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. 
I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499890 }, { "func": "inline SparseTensor SparseTensor::Slice(const SparseTensor& input_tensor,\n const gtl::ArraySlice& start,\n const gtl::ArraySlice& size) {\n TensorShape output_shape(input_tensor.shape());\n\n const int dims = input_tensor.dims();\n for (int dim = 0; dim < dims; dim++) {\n // Determine the size of the result; if the selected slice goes beyond the\n // input boundary, the result will correspond to the size of the overlap\n // between the input and the selected slice.\n const int64 input_size = output_shape.dim_size(dim);\n const int64 start_index = start[dim];\n const int64 slice_size = size[dim];\n if (start_index + slice_size < input_size) {\n // The entire selection is within input boundaries.\n output_shape.set_dim(dim, slice_size);\n } else if (start_index < input_size) {\n // The selection starts within input boundaries, but goes beyond them.\n output_shape.set_dim(dim, input_size - start_index);\n } else {\n // The selection is entirely out of input boundaries.\n output_shape.set_dim(dim, 0);\n }\n }\n\n auto input_indices_t = input_tensor.indices().matrix();\n auto input_values_t = input_tensor.values().vec();\n\n // Find the number of indices that fall inside start and size.\n int count = 0;\n for (int i = 0; i < input_tensor.indices().dim_size(0); i++) {\n // The following will check to see if an input is within the\n // range specified by start and size.\n // The for loop below iterates through all dimensions. In case\n // the index falls outside of the start and size at any dimension,\n // it will be considered as a \"no hit\" (hit = false). 
In this\n // case, it will not be counted as the index that fall inside\n // the range specified by start and size.\n bool hit = true;\n for (int dim = 0; dim < dims; dim++) {\n if (!(start[dim] <= input_indices_t(i, dim) &&\n input_indices_t(i, dim) < start[dim] + size[dim])) {\n hit = false;\n break;\n }\n }\n if (!hit) {\n continue;\n }\n count++;\n }\n\n Tensor output_values(DataTypeToEnum::v(), TensorShape({count}));\n Tensor output_indices(DT_INT64, TensorShape({count, dims}));\n\n auto output_values_t = output_values.vec();\n auto output_indices_t = output_indices.matrix();\n\n // Obtain the output indices that fall inside start and size.\n int index = 0;\n for (int i = 0; i < input_tensor.indices().dim_size(0) && index < count;\n i++) {\n // The logic here is similar as the above except that the above\n // only count the number of indices while here we actually generate\n // the output.\n bool hit = true;\n for (int dim = 0; dim < dims; dim++) {\n if (!(start[dim] <= input_indices_t(i, dim) &&\n input_indices_t(i, dim) < start[dim] + size[dim])) {\n hit = false;\n break;\n }\n }\n if (!hit) {\n continue;\n }\n output_values_t(index) = input_values_t(i);\n for (int dim = 0; dim < dims; dim++) {\n output_indices_t(index, dim) = input_indices_t(i, dim) - start[dim];\n }\n index++;\n }\n\n return SparseTensor(output_indices, output_values, output_shape);\n}", "project": "tensorflow", "hash": 269136375804930049750109773684118941108, "size": 85, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277013 }, { "func": "static void oidc_authz_get_claims_and_idtoken(request_rec *r, json_t **claims,\n\t\tjson_t **id_token) {\n\n\tconst char *s_claims = oidc_request_state_get(r,\n\t\t\tOIDC_REQUEST_STATE_KEY_CLAIMS);\n\tif (s_claims != 
NULL)\n\t\toidc_util_decode_json_object(r, s_claims, claims);\n\n\tconst char *s_id_token = oidc_request_state_get(r,\n\t\t\tOIDC_REQUEST_STATE_KEY_IDTOKEN);\n\tif (s_id_token != NULL)\n\t\toidc_util_decode_json_object(r, s_id_token, id_token);\n}", "project": "mod_auth_openidc", "hash": 101379001893518655667997945446129896717, "size": 13, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381917 }, { "func": "static inline int kvm_memslot_move_forward(struct kvm_memslots *slots,\n\t\t\t\t\t struct kvm_memory_slot *memslot,\n\t\t\t\t\t int start)\n{\n\tstruct kvm_memory_slot *mslots = slots->memslots;\n\tint i;\n\n\tfor (i = start; i > 0; i--) {\n\t\tif (memslot->base_gfn < mslots[i - 1].base_gfn)\n\t\t\tbreak;\n\n\t\tWARN_ON_ONCE(memslot->base_gfn == mslots[i - 1].base_gfn);\n\n\t\t/* Shift the next memslot back one and update its index. 
*/\n\t\tmslots[i] = mslots[i - 1];\n\t\tslots->id_to_index[mslots[i].id] = i;\n\t}\n\treturn i;\n}", "project": "linux", "hash": 167386861902915410291401430762018554771, "size": 19, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354506 }, { "func": "static void copy_seccomp(struct task_struct *p)\n{\n#ifdef CONFIG_SECCOMP\n\t/*\n\t * Must be called with sighand->lock held, which is common to\n\t * all threads in the group. Holding cred_guard_mutex is not\n\t * needed because this new task is not yet running and cannot\n\t * be racing exec.\n\t */\n\tassert_spin_locked(¤t->sighand->siglock);\n\n\t/* Ref-count the new filter user, and assign it. */\n\tget_seccomp_filter(current);\n\tp->seccomp = current->seccomp;\n\n\t/*\n\t * Explicitly enable no_new_privs here in case it got set\n\t * between the task_struct being duplicated and holding the\n\t * sighand lock. 
The seccomp state and nnp must be in sync.\n\t */\n\tif (task_no_new_privs(current))\n\t\ttask_set_no_new_privs(p);\n\n\t/*\n\t * If the parent gained a seccomp mode after copying thread\n\t * flags and between before we held the sighand lock, we have\n\t * to manually enable the seccomp thread flag here.\n\t */\n\tif (p->seccomp.mode != SECCOMP_MODE_DISABLED)\n\t\tset_tsk_thread_flag(p, TIF_SECCOMP);\n#endif\n}", "project": "linux", "hash": 176809812245332881374349843237273929119, "size": 32, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293719 }, { "func": "static bool checkExtract() {\n#if __WINDOWS__\n\tif (r_sys_cmd (\"expand -? >nul\") != 0) {\n\t\treturn false;\n\t}\n#else\n\tif (r_sys_cmd (\"cabextract -v > /dev/null\") != 0) {\n\t\treturn false;\n\t}\n#endif\n\treturn true;\n}", "project": "radare2", "hash": 284833997981454485010406222878364587581, "size": 12, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268925 }, { "func": "int copy_screen(void) {\n\tchar *fbp;\n\tint i, y, block_size;\n\n\tif (! fs_factor) {\n\t\treturn 0;\n\t}\n\tif (debug_tiles) fprintf(stderr, \"copy_screen\\n\");\n\n\tif (unixpw_in_progress) return 0;\n\n\n\tif (! main_fb) {\n\t\treturn 0;\n\t}\n\n\tblock_size = ((dpy_y/fs_factor) * main_bytes_per_line);\n\n\tfbp = main_fb;\n\ty = 0;\n\n\tX_LOCK;\n\n\t/* screen may be too big for 1 shm area, so broken into fs_factor */\n\tfor (i=0; i < fs_factor; i++) {\n\t\tXRANDR_SET_TRAP_RET(-1, \"copy_screen-set\");\n\t\tcopy_image(fullscreen, 0, y, 0, 0);\n\t\tXRANDR_CHK_TRAP_RET(-1, \"copy_screen-chk\");\n\n\t\tmemcpy(fbp, fullscreen->data, (size_t) block_size);\n\n\t\ty += dpy_y / fs_factor;\n\t\tfbp += block_size;\n\t}\n\n\tX_UNLOCK;\n\n\tif (blackouts) {\n\t\tblackout_regions();\n\t}\n\n\tmark_rect_as_modified(0, 0, dpy_x, dpy_y, 0);\n\treturn 0;\n}", "project": "x11vnc", "hash": 63389055161149072482344406455908727968, "size": 44, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360776 }, { "func": "bool CWebSock::AddModLoop(const CString& sLoopName, CModule& Module,\n CTemplate* pTemplate) {\n if (!pTemplate) {\n pTemplate = &m_Template;\n }\n\n CString sTitle(Module.GetWebMenuTitle());\n\n if (!sTitle.empty() && (IsLoggedIn() || 
(!Module.WebRequiresLogin() &&\n !Module.WebRequiresAdmin())) &&\n (GetSession()->IsAdmin() || !Module.WebRequiresAdmin())) {\n CTemplate& Row = pTemplate->AddRow(sLoopName);\n bool bActiveModule = false;\n\n Row[\"ModName\"] = Module.GetModName();\n Row[\"ModPath\"] = Module.GetWebPath();\n Row[\"Title\"] = sTitle;\n\n if (m_sModName == Module.GetModName()) {\n CString sModuleType = GetPath().Token(1, false, \"/\");\n if (sModuleType == \"global\" &&\n Module.GetType() == CModInfo::GlobalModule) {\n bActiveModule = true;\n } else if (sModuleType == \"user\" &&\n Module.GetType() == CModInfo::UserModule) {\n bActiveModule = true;\n } else if (sModuleType == \"network\" &&\n Module.GetType() == CModInfo::NetworkModule) {\n CIRCNetwork* Network = Module.GetNetwork();\n if (Network) {\n CString sNetworkName = GetPath().Token(2, false, \"/\");\n if (sNetworkName == Network->GetName()) {\n bActiveModule = true;\n }\n } else {\n bActiveModule = true;\n }\n }\n }\n\n if (bActiveModule) {\n Row[\"Active\"] = \"true\";\n }\n\n if (Module.GetUser()) {\n Row[\"Username\"] = Module.GetUser()->GetUserName();\n }\n\n VWebSubPages& vSubPages = Module.GetSubPages();\n\n for (TWebSubPage& SubPage : vSubPages) {\n // bActive is whether or not the current url matches this subpage\n // (params will be checked below)\n bool bActive = (m_sModName == Module.GetModName() &&\n m_sPage == SubPage->GetName() && bActiveModule);\n\n if (SubPage->RequiresAdmin() && !GetSession()->IsAdmin()) {\n // Don't add admin-only subpages to requests from non-admin\n // users\n continue;\n }\n\n CTemplate& SubRow = Row.AddRow(\"SubPageLoop\");\n\n SubRow[\"ModName\"] = Module.GetModName();\n SubRow[\"ModPath\"] = Module.GetWebPath();\n SubRow[\"PageName\"] = SubPage->GetName();\n SubRow[\"Title\"] = SubPage->GetTitle().empty() ? 
SubPage->GetName()\n : SubPage->GetTitle();\n\n CString& sParams = SubRow[\"Params\"];\n\n const VPair& vParams = SubPage->GetParams();\n for (const pair& ssNV : vParams) {\n if (!sParams.empty()) {\n sParams += \"&\";\n }\n\n if (!ssNV.first.empty()) {\n if (!ssNV.second.empty()) {\n sParams += ssNV.first.Escape_n(CString::EURL);\n sParams += \"=\";\n sParams += ssNV.second.Escape_n(CString::EURL);\n }\n\n if (bActive && GetParam(ssNV.first, false) != ssNV.second) {\n bActive = false;\n }\n }\n }\n\n if (bActive) {\n SubRow[\"Active\"] = \"true\";\n }\n }\n\n return true;\n }\n\n return false;\n}", "project": "znc", "hash": 191324885440562240688193309983372213805, "size": 101, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265790 }, { "func": "static OPJ_BOOL opj_j2k_post_write_tile(opj_j2k_t * p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n OPJ_UINT32 l_nb_bytes_written;\n OPJ_BYTE * l_current_data = 00;\n OPJ_UINT32 l_tile_size = 0;\n OPJ_UINT32 l_available_data;\n\n /* preconditions */\n assert(p_j2k->m_specific_param.m_encoder.m_encoded_tile_data);\n\n l_tile_size = p_j2k->m_specific_param.m_encoder.m_encoded_tile_size;\n l_available_data = l_tile_size;\n l_current_data = p_j2k->m_specific_param.m_encoder.m_encoded_tile_data;\n\n l_nb_bytes_written = 0;\n if (! opj_j2k_write_first_tile_part(p_j2k, l_current_data, &l_nb_bytes_written,\n l_available_data, p_stream, p_manager)) {\n return OPJ_FALSE;\n }\n l_current_data += l_nb_bytes_written;\n l_available_data -= l_nb_bytes_written;\n\n l_nb_bytes_written = 0;\n if (! 
opj_j2k_write_all_tile_parts(p_j2k, l_current_data, &l_nb_bytes_written,\n l_available_data, p_stream, p_manager)) {\n return OPJ_FALSE;\n }\n\n l_available_data -= l_nb_bytes_written;\n l_nb_bytes_written = l_tile_size - l_available_data;\n\n if (opj_stream_write_data(p_stream,\n p_j2k->m_specific_param.m_encoder.m_encoded_tile_data,\n l_nb_bytes_written, p_manager) != l_nb_bytes_written) {\n return OPJ_FALSE;\n }\n\n ++p_j2k->m_current_tile_number;\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 215374413429251760372843085314878757889, "size": 43, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357401 }, { "func": "void LibRaw::process_Sony_0x9403(uchar *buf, ushort len)\n{\n if (len < 6)\n return;\n uchar bufx = SonySubstitution[buf[4]];\n if ((bufx == 0x00) || (bufx == 0x94))\n return;\n\n imCommon.SensorTemperature = (float)((short)SonySubstitution[buf[5]]);\n\n return;\n}", "project": "LibRaw", "hash": 304694096629049868220503525979138888709, "size": 12, "commit_id": "c243f4539233053466c1309bde606815351bee81", "message": "additional checks in parseSonySRF\n\nparseSonySR2: buffer size check", "target": 0, "dataset": "other", "idx": 394099 }, { "func": "static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)\n{\n\tbool ret = true;\n\n\tif (test_bit(0, &ctx->cq_check_overflow)) {\n\t\t/* iopoll syncs against uring_lock, not completion_lock */\n\t\tif (ctx->flags & IORING_SETUP_IOPOLL)\n\t\t\tmutex_lock(&ctx->uring_lock);\n\t\tret = __io_cqring_overflow_flush(ctx, force);\n\t\tif (ctx->flags & IORING_SETUP_IOPOLL)\n\t\t\tmutex_unlock(&ctx->uring_lock);\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 100541916095742067574822858620247896021, "size": 15, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on 
provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338535 }, { "func": "static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)\n{\n\tstruct io_rings *rings = ctx->rings;\n\tstruct io_uring_cqe *cqe;\n\tstruct io_kiocb *req;\n\tunsigned long flags;\n\tLIST_HEAD(list);\n\n\tif (!force) {\n\t\tif (list_empty_careful(&ctx->cq_overflow_list))\n\t\t\treturn true;\n\t\tif ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==\n\t\t rings->cq_ring_entries))\n\t\t\treturn false;\n\t}\n\n\tspin_lock_irqsave(&ctx->completion_lock, flags);\n\n\t/* if force is set, the ring is going away. 
always drop after that */\n\tif (force)\n\t\tctx->cq_overflow_flushed = 1;\n\n\tcqe = NULL;\n\twhile (!list_empty(&ctx->cq_overflow_list)) {\n\t\tcqe = io_get_cqring(ctx);\n\t\tif (!cqe && !force)\n\t\t\tbreak;\n\n\t\treq = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,\n\t\t\t\t\t\tcompl.list);\n\t\tlist_move(&req->compl.list, &list);\n\t\treq->flags &= ~REQ_F_OVERFLOW;\n\t\tif (cqe) {\n\t\t\tWRITE_ONCE(cqe->user_data, req->user_data);\n\t\t\tWRITE_ONCE(cqe->res, req->result);\n\t\t\tWRITE_ONCE(cqe->flags, req->compl.cflags);\n\t\t} else {\n\t\t\tWRITE_ONCE(ctx->rings->cq_overflow,\n\t\t\t\tatomic_inc_return(&ctx->cached_cq_overflow));\n\t\t}\n\t}\n\n\tio_commit_cqring(ctx);\n\tio_cqring_mark_overflow(ctx);\n\n\tspin_unlock_irqrestore(&ctx->completion_lock, flags);\n\tio_cqring_ev_posted(ctx);\n\n\twhile (!list_empty(&list)) {\n\t\treq = list_first_entry(&list, struct io_kiocb, compl.list);\n\t\tlist_del(&req->compl.list);\n\t\tio_put_req(req);\n\t}\n\n\treturn cqe != NULL;\n}", "project": "linux", "hash": 300443060209737058995531362709589619205, "size": 56, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456918 }, { "func": "static int handle_exit(struct kvm_vcpu *vcpu,\n\tenum exit_fastpath_completion exit_fastpath)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tstruct kvm_run *kvm_run = vcpu->run;\n\tu32 exit_code = 
svm->vmcb->control.exit_code;\n\n\ttrace_kvm_exit(exit_code, vcpu, KVM_ISA_SVM);\n\n\tif (!is_cr_intercept(svm, INTERCEPT_CR0_WRITE))\n\t\tvcpu->arch.cr0 = svm->vmcb->save.cr0;\n\tif (npt_enabled)\n\t\tvcpu->arch.cr3 = svm->vmcb->save.cr3;\n\n\tif (unlikely(svm->nested.exit_required)) {\n\t\tnested_svm_vmexit(svm);\n\t\tsvm->nested.exit_required = false;\n\n\t\treturn 1;\n\t}\n\n\tif (is_guest_mode(vcpu)) {\n\t\tint vmexit;\n\n\t\ttrace_kvm_nested_vmexit(svm->vmcb->save.rip, exit_code,\n\t\t\t\t\tsvm->vmcb->control.exit_info_1,\n\t\t\t\t\tsvm->vmcb->control.exit_info_2,\n\t\t\t\t\tsvm->vmcb->control.exit_int_info,\n\t\t\t\t\tsvm->vmcb->control.exit_int_info_err,\n\t\t\t\t\tKVM_ISA_SVM);\n\n\t\tvmexit = nested_svm_exit_special(svm);\n\n\t\tif (vmexit == NESTED_EXIT_CONTINUE)\n\t\t\tvmexit = nested_svm_exit_handled(svm);\n\n\t\tif (vmexit == NESTED_EXIT_DONE)\n\t\t\treturn 1;\n\t}\n\n\tsvm_complete_interrupts(svm);\n\n\tif (svm->vmcb->control.exit_code == SVM_EXIT_ERR) {\n\t\tkvm_run->exit_reason = KVM_EXIT_FAIL_ENTRY;\n\t\tkvm_run->fail_entry.hardware_entry_failure_reason\n\t\t\t= svm->vmcb->control.exit_code;\n\t\tdump_vmcb(vcpu);\n\t\treturn 0;\n\t}\n\n\tif (is_external_interrupt(svm->vmcb->control.exit_int_info) &&\n\t exit_code != SVM_EXIT_EXCP_BASE + PF_VECTOR &&\n\t exit_code != SVM_EXIT_NPF && exit_code != SVM_EXIT_TASK_SWITCH &&\n\t exit_code != SVM_EXIT_INTR && exit_code != SVM_EXIT_NMI)\n\t\tprintk(KERN_ERR \"%s: unexpected exit_int_info 0x%x \"\n\t\t \"exit_code 0x%x\\n\",\n\t\t __func__, svm->vmcb->control.exit_int_info,\n\t\t exit_code);\n\n\tif (exit_fastpath == EXIT_FASTPATH_SKIP_EMUL_INS) {\n\t\tkvm_skip_emulated_instruction(vcpu);\n\t\treturn 1;\n\t} else if (exit_code >= ARRAY_SIZE(svm_exit_handlers)\n\t || !svm_exit_handlers[exit_code]) {\n\t\tvcpu_unimpl(vcpu, \"svm: unexpected exit reason 0x%x\\n\", exit_code);\n\t\tdump_vmcb(vcpu);\n\t\tvcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;\n\t\tvcpu->run->internal.suberror 
=\n\t\t\tKVM_INTERNAL_ERROR_UNEXPECTED_EXIT_REASON;\n\t\tvcpu->run->internal.ndata = 1;\n\t\tvcpu->run->internal.data[0] = exit_code;\n\t\treturn 0;\n\t}\n\n#ifdef CONFIG_RETPOLINE\n\tif (exit_code == SVM_EXIT_MSR)\n\t\treturn msr_interception(svm);\n\telse if (exit_code == SVM_EXIT_VINTR)\n\t\treturn interrupt_window_interception(svm);\n\telse if (exit_code == SVM_EXIT_INTR)\n\t\treturn intr_interception(svm);\n\telse if (exit_code == SVM_EXIT_HLT)\n\t\treturn halt_interception(svm);\n\telse if (exit_code == SVM_EXIT_NPF)\n\t\treturn npf_interception(svm);\n#endif\n\treturn svm_exit_handlers[exit_code](svm);\n}", "project": "linux", "hash": 82158920893967427661973505822364336455, "size": 88, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432449 }, { "func": "static int handle_exit(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tstruct kvm_run *kvm_run = vcpu->run;\n\tu32 exit_code = svm->vmcb->control.exit_code;\n\n\tif (!is_cr_intercept(svm, INTERCEPT_CR0_WRITE))\n\t\tvcpu->arch.cr0 = svm->vmcb->save.cr0;\n\tif (npt_enabled)\n\t\tvcpu->arch.cr3 = svm->vmcb->save.cr3;\n\n\tif (unlikely(svm->nested.exit_required)) {\n\t\tnested_svm_vmexit(svm);\n\t\tsvm->nested.exit_required = false;\n\n\t\treturn 1;\n\t}\n\n\tif (is_guest_mode(vcpu)) {\n\t\tint vmexit;\n\n\t\ttrace_kvm_nested_vmexit(svm->vmcb->save.rip, exit_code,\n\t\t\t\t\tsvm->vmcb->control.exit_info_1,\n\t\t\t\t\tsvm->vmcb->control.exit_info_2,\n\t\t\t\t\tsvm->vmcb->control.exit_int_info,\n\t\t\t\t\tsvm->vmcb->control.exit_int_info_err,\n\t\t\t\t\tKVM_ISA_SVM);\n\n\t\tvmexit = 
nested_svm_exit_special(svm);\n\n\t\tif (vmexit == NESTED_EXIT_CONTINUE)\n\t\t\tvmexit = nested_svm_exit_handled(svm);\n\n\t\tif (vmexit == NESTED_EXIT_DONE)\n\t\t\treturn 1;\n\t}\n\n\tsvm_complete_interrupts(svm);\n\n\tif (svm->vmcb->control.exit_code == SVM_EXIT_ERR) {\n\t\tkvm_run->exit_reason = KVM_EXIT_FAIL_ENTRY;\n\t\tkvm_run->fail_entry.hardware_entry_failure_reason\n\t\t\t= svm->vmcb->control.exit_code;\n\t\tpr_err(\"KVM: FAILED VMRUN WITH VMCB:\\n\");\n\t\tdump_vmcb(vcpu);\n\t\treturn 0;\n\t}\n\n\tif (is_external_interrupt(svm->vmcb->control.exit_int_info) &&\n\t exit_code != SVM_EXIT_EXCP_BASE + PF_VECTOR &&\n\t exit_code != SVM_EXIT_NPF && exit_code != SVM_EXIT_TASK_SWITCH &&\n\t exit_code != SVM_EXIT_INTR && exit_code != SVM_EXIT_NMI)\n\t\tprintk(KERN_ERR \"%s: unexpected exit_int_info 0x%x \"\n\t\t \"exit_code 0x%x\\n\",\n\t\t __func__, svm->vmcb->control.exit_int_info,\n\t\t exit_code);\n\n\tif (exit_code >= ARRAY_SIZE(svm_exit_handlers)\n\t || !svm_exit_handlers[exit_code]) {\n\t\tkvm_run->exit_reason = KVM_EXIT_UNKNOWN;\n\t\tkvm_run->hw.hardware_exit_reason = exit_code;\n\t\treturn 0;\n\t}\n\n\treturn svm_exit_handlers[exit_code](svm);\n}", "project": "kvm", "hash": 244840301930403842857453281867150636843, "size": 66, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architectures, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437654 }, { "func": "wStream* cliprdr_packet_new(UINT16 msgType, UINT16 msgFlags, UINT32 dataLen)\n{\n\twStream* s;\n\ts = Stream_New(NULL, dataLen + 8);\n\n\tif (!s)\n\t{\n\t\tWLog_ERR(TAG, \"Stream_New failed!\");\n\t\treturn NULL;\n\t}\n\n\tStream_Write_UINT16(s, msgType);\n\tStream_Write_UINT16(s, msgFlags);\n\t/* Write actual length after the entire packet has been constructed. 
*/\n\tStream_Seek(s, 4);\n\treturn s;\n}", "project": "FreeRDP", "hash": 169611421424831396023757431217125492958, "size": 17, "commit_id": "b73143cf7ee5fe4cdabcbf56908aa15d8a883821", "message": "Fixed oob read in cliprdr_read_format_list", "target": 0, "dataset": "other", "idx": 388312 }, { "func": "static void tipc_node_read_unlock(struct tipc_node *n)\n{\n\tread_unlock_bh(&n->lock);\n}", "project": "linux", "hash": 101645187702350142264728011179945119966, "size": 4, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec 
net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n 
____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364958 }, { "func": "void putname(struct filename *name)\n{\n\tBUG_ON(name->refcnt <= 0);\n\n\tif (--name->refcnt > 0)\n\t\treturn;\n\n\tif (name->name != name->iname) {\n\t\t__putname(name->name);\n\t\tkfree(name);\n\t} else\n\t\t__putname(name);\n}", "project": "linux", "hash": 141597764093877344855436074339320404729, "size": 13, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295318 }, { "func": "int bcf_unpack(bcf1_t *b, int which)\n{\n if ( !b->shared.l ) return 0; // Building a new BCF record from scratch\n uint8_t *ptr = (uint8_t*)b->shared.s, *ptr_ori;\n int i;\n bcf_dec_t *d = &b->d;\n if (which & BCF_UN_FLT) which |= BCF_UN_STR;\n if (which & BCF_UN_INFO) which |= BCF_UN_SHR;\n if ((which&BCF_UN_STR) && !(b->unpacked&BCF_UN_STR))\n {\n kstring_t tmp;\n\n // 
ID\n tmp.l = 0; tmp.s = d->id; tmp.m = d->m_id;\n ptr_ori = ptr;\n ptr = bcf_fmt_sized_array(&tmp, ptr);\n b->unpack_size[0] = ptr - ptr_ori;\n kputc('\\0', &tmp);\n d->id = tmp.s; d->m_id = tmp.m;\n\n // REF and ALT are in a single block (d->als) and d->alleles are pointers into this block\n hts_expand(char*, b->n_allele, d->m_allele, d->allele); // NM: hts_expand() is a macro\n tmp.l = 0; tmp.s = d->als; tmp.m = d->m_als;\n ptr_ori = ptr;\n char *o = \"\";\n for (i = 0; i < b->n_allele; ++i) {\n d->allele[i] = o + tmp.l;\n ptr = bcf_fmt_sized_array(&tmp, ptr);\n kputc('\\0', &tmp);\n }\n b->unpack_size[1] = ptr - ptr_ori;\n d->als = tmp.s; d->m_als = tmp.m;\n\n for (i = 0; i < b->n_allele; ++i)\n d->allele[i] = d->als + (d->allele[i]-o);\n b->unpacked |= BCF_UN_STR;\n }\n if ((which&BCF_UN_FLT) && !(b->unpacked&BCF_UN_FLT)) { // FILTER\n ptr = (uint8_t*)b->shared.s + b->unpack_size[0] + b->unpack_size[1];\n ptr_ori = ptr;\n if (*ptr>>4) {\n int type;\n d->n_flt = bcf_dec_size(ptr, &ptr, &type);\n hts_expand(int, d->n_flt, d->m_flt, d->flt);\n for (i = 0; i < d->n_flt; ++i)\n d->flt[i] = bcf_dec_int1(ptr, type, &ptr);\n } else ++ptr, d->n_flt = 0;\n b->unpack_size[2] = ptr - ptr_ori;\n b->unpacked |= BCF_UN_FLT;\n }\n if ((which&BCF_UN_INFO) && !(b->unpacked&BCF_UN_INFO)) { // INFO\n ptr = (uint8_t*)b->shared.s + b->unpack_size[0] + b->unpack_size[1] + b->unpack_size[2];\n hts_expand(bcf_info_t, b->n_info, d->m_info, d->info);\n for (i = 0; i < d->m_info; ++i) d->info[i].vptr_free = 0;\n for (i = 0; i < b->n_info; ++i)\n ptr = bcf_unpack_info_core1(ptr, &d->info[i]);\n b->unpacked |= BCF_UN_INFO;\n }\n if ((which&BCF_UN_FMT) && b->n_sample && !(b->unpacked&BCF_UN_FMT)) { // FORMAT\n ptr = (uint8_t*)b->indiv.s;\n hts_expand(bcf_fmt_t, b->n_fmt, d->m_fmt, d->fmt);\n for (i = 0; i < d->m_fmt; ++i) d->fmt[i].p_free = 0;\n for (i = 0; i < b->n_fmt; ++i)\n ptr = bcf_unpack_fmt_core1(ptr, b->n_sample, &d->fmt[i]);\n b->unpacked |= BCF_UN_FMT;\n }\n return 0;\n}", 
"project": "htslib", "hash": 120150854041332859186056212970452216208, "size": 68, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402178 }, { "func": "static void __tipc_node_link_down(struct tipc_node *n, int *bearer_id,\n\t\t\t\t struct sk_buff_head *xmitq,\n\t\t\t\t struct tipc_media_addr **maddr)\n{\n\tstruct tipc_link_entry *le = &n->links[*bearer_id];\n\tint *slot0 = &n->active_links[0];\n\tint *slot1 = &n->active_links[1];\n\tint i, highest = 0, prio;\n\tstruct tipc_link *l, *_l, *tnl;\n\n\tl = n->links[*bearer_id].link;\n\tif (!l || tipc_link_is_reset(l))\n\t\treturn;\n\n\tn->working_links--;\n\tn->action_flags |= TIPC_NOTIFY_LINK_DOWN;\n\tn->link_id = tipc_link_id(l);\n\n\ttipc_bearer_remove_dest(n->net, *bearer_id, n->addr);\n\n\tpr_debug(\"Lost link <%s> on network plane %c\\n\",\n\t\t tipc_link_name(l), tipc_link_plane(l));\n\n\t/* Select new active link if any available */\n\t*slot0 = INVALID_BEARER_ID;\n\t*slot1 = INVALID_BEARER_ID;\n\tfor (i = 0; i < MAX_BEARERS; i++) {\n\t\t_l = n->links[i].link;\n\t\tif (!_l || !tipc_link_is_up(_l))\n\t\t\tcontinue;\n\t\tif (_l == l)\n\t\t\tcontinue;\n\t\tprio = tipc_link_prio(_l);\n\t\tif (prio < highest)\n\t\t\tcontinue;\n\t\tif (prio > highest) {\n\t\t\thighest = prio;\n\t\t\t*slot0 = i;\n\t\t\t*slot1 = i;\n\t\t\tcontinue;\n\t\t}\n\t\t*slot1 = i;\n\t}\n\n\tif (!node_is_up(n)) {\n\t\tif (tipc_link_peer_is_down(l))\n\t\t\ttipc_node_fsm_evt(n, PEER_LOST_CONTACT_EVT);\n\t\ttipc_node_fsm_evt(n, SELF_LOST_CONTACT_EVT);\n\t\ttrace_tipc_link_reset(l, TIPC_DUMP_ALL, \"link 
down!\");\n\t\ttipc_link_fsm_evt(l, LINK_RESET_EVT);\n\t\ttipc_link_reset(l);\n\t\ttipc_link_build_reset_msg(l, xmitq);\n\t\t*maddr = &n->links[*bearer_id].maddr;\n\t\tnode_lost_contact(n, &le->inputq);\n\t\ttipc_bcast_dec_bearer_dst_cnt(n->net, *bearer_id);\n\t\treturn;\n\t}\n\ttipc_bcast_dec_bearer_dst_cnt(n->net, *bearer_id);\n\n\t/* There is still a working link => initiate failover */\n\t*bearer_id = n->active_links[0];\n\ttnl = n->links[*bearer_id].link;\n\ttipc_link_fsm_evt(tnl, LINK_SYNCH_END_EVT);\n\ttipc_node_fsm_evt(n, NODE_SYNCH_END_EVT);\n\tn->sync_point = tipc_link_rcv_nxt(tnl) + (U16_MAX / 2 - 1);\n\ttipc_link_tnl_prepare(l, tnl, FAILOVER_MSG, xmitq);\n\ttrace_tipc_link_reset(l, TIPC_DUMP_ALL, \"link down -> failover!\");\n\ttipc_link_reset(l);\n\ttipc_link_fsm_evt(l, LINK_RESET_EVT);\n\ttipc_link_fsm_evt(l, LINK_FAILOVER_BEGIN_EVT);\n\ttipc_node_fsm_evt(n, NODE_FAILOVER_BEGIN_EVT);\n\t*maddr = &n->links[*bearer_id].maddr;\n}", "project": "linux", "hash": 113452664600187875726772609239088751816, "size": 73, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 
[inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n 
kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364914 }, { "func": "inline void StringData::invalidateHash() {\n assertx(!isImmutable());\n assertx(!hasMultipleRefs());\n m_hash = 0;\n assertx(checkSane());\n}", "project": "hhvm", "hash": 116546826213538509183517231663515525553, "size": 6, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219370 }, { "func": "int TfLiteIntArrayGetSizeInBytes(int size) {\n static TfLiteIntArray dummy;\n return sizeof(dummy) + sizeof(dummy.data[0]) * size;\n}", "project": "tensorflow", "hash": 318392206259349772892979529034970050749, "size": 4, "commit_id": "7c8cc4ec69cd348e44ad6a2699057ca88faad3e5", "message": "Fix a dangerous integer overflow and a malloc of negative size.\n\nPiperOrigin-RevId: 371254154\nChange-Id: I250a98a3df26328770167025670235a963a72da0", "target": 0, "dataset": "other", "idx": 259046 }, { "func": "static int fuse_mknod(struct inode *dir, struct dentry *entry, umode_t mode,\n\t\t dev_t rdev)\n{\n\tstruct fuse_mknod_in inarg;\n\tstruct fuse_mount *fm = get_fuse_mount(dir);\n\tFUSE_ARGS(args);\n\n\tif (!fm->fc->dont_mask)\n\t\tmode &= ~current_umask();\n\n\tmemset(&inarg, 0, sizeof(inarg));\n\tinarg.mode = mode;\n\tinarg.rdev = new_encode_dev(rdev);\n\tinarg.umask = current_umask();\n\targs.opcode = FUSE_MKNOD;\n\targs.in_numargs = 2;\n\targs.in_args[0].size = sizeof(inarg);\n\targs.in_args[0].value = &inarg;\n\targs.in_args[1].size = entry->d_name.len + 1;\n\targs.in_args[1].value = entry->d_name.name;\n\treturn create_new_entry(fm, &args, dir, entry, mode);\n}", "project": "linux", "hash": 199401639727017536401566644975020744678, "size": 22, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the 
open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342130 }, { "func": "static int tty_tiocgserial(struct tty_struct *tty, struct serial_struct __user *ss)\n{\n\tstruct serial_struct v;\n\tint err;\n\n\tmemset(&v, 0, sizeof(v));\n\tif (!tty->ops->get_serial)\n\t\treturn -ENOTTY;\n\terr = tty->ops->get_serial(tty, &v);\n\tif (!err && copy_to_user(ss, &v, sizeof(v)))\n\t\terr = -EFAULT;\n\treturn err;\n}", "project": "linux", "hash": 186863894085631264111585269536400117107, "size": 13, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326008 }, { "func": "static int pep_do_rcv(struct sock *sk, struct sk_buff *skb)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tstruct sock *sknode;\n\tstruct pnpipehdr *hdr;\n\tstruct sockaddr_pn dst;\n\tu8 pipe_handle;\n\n\tif (!pskb_may_pull(skb, sizeof(*hdr)))\n\t\tgoto drop;\n\n\thdr = pnp_hdr(skb);\n\tpipe_handle = hdr->pipe_handle;\n\tif (pipe_handle == PN_PIPE_INVALID_HANDLE)\n\t\tgoto drop;\n\n\tpn_skb_get_dst_sockaddr(skb, &dst);\n\n\t/* Look for an existing pipe handle */\n\tsknode = pep_find_pipe(&pn->hlist, &dst, pipe_handle);\n\tif (sknode)\n\t\treturn sk_receive_skb(sknode, skb, 1);\n\n\tswitch (hdr->message_id) {\n\tcase PNS_PEP_CONNECT_REQ:\n\t\tif (sk->sk_state != TCP_LISTEN || sk_acceptq_is_full(sk)) {\n\t\t\tpep_reject_conn(sk, skb, PN_PIPE_ERR_PEP_IN_USE,\n\t\t\t\t\tGFP_ATOMIC);\n\t\t\tbreak;\n\t\t}\n\t\tskb_queue_head(&sk->sk_receive_queue, skb);\n\t\tsk_acceptq_added(sk);\n\t\tif (!sock_flag(sk, SOCK_DEAD))\n\t\t\tsk->sk_data_ready(sk);\n\t\treturn NET_RX_SUCCESS;\n\n\tcase PNS_PEP_DISCONNECT_REQ:\n\t\tpep_reply(sk, skb, PN_PIPE_NO_ERROR, NULL, 0, GFP_ATOMIC);\n\t\tbreak;\n\n\tcase PNS_PEP_CTRL_REQ:\n\t\tpep_ctrlreq_error(sk, skb, PN_PIPE_INVALID_HANDLE, 
GFP_ATOMIC);\n\t\tbreak;\n\n\tcase PNS_PEP_RESET_REQ:\n\tcase PNS_PEP_ENABLE_REQ:\n\tcase PNS_PEP_DISABLE_REQ:\n\t\t/* invalid handle is not even allowed here! */\n\t\tbreak;\n\n\tdefault:\n\t\tif ((1 << sk->sk_state)\n\t\t\t\t& ~(TCPF_CLOSE|TCPF_LISTEN|TCPF_CLOSE_WAIT))\n\t\t\t/* actively connected socket */\n\t\t\treturn pipe_handler_do_rcv(sk, skb);\n\t}\ndrop:\n\tkfree_skb(skb);\n\treturn NET_RX_SUCCESS;\n}", "project": "linux", "hash": 89567974515857817545423588234708018937, "size": 60, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224795 }, { "func": "static void autocomplete_sdb (RCore *core, RLineCompletion *completion, const char *str) {\n\tr_return_if_fail (core && completion && str);\n\tchar *pipe = strchr (str, '>');\n\tSdb *sdb = core->sdb;\n\tchar *lpath = NULL, *p1 = NULL, *out = NULL, *p2 = NULL;\n\tchar *cur_pos = NULL, *cur_cmd = NULL, *next_cmd = NULL;\n\tchar *temp_cmd = NULL, *temp_pos = NULL, *key = NULL;\n\tif (pipe) {\n\t\tstr = r_str_trim_head_ro (pipe + 1);\n\t}\n\tlpath = r_str_new (str);\n\tp1 = strchr (lpath, '/');\n\tif (p1) {\n\t\t*p1 = 0;\n\t\tchar *ns = p1 + 1;\n\t\tp2 = strchr (ns, '/');\n\t\tif (!p2) { // anal/m\n\t\t\tchar *tmp = p1 + 1;\n\t\t\tint n = strlen (tmp);\n\t\t\tout = sdb_querys (sdb, NULL, 0, \"anal/**\");\n\t\t\tif (!out) {\n\t\t\t\treturn;\n\t\t\t}\n\t\t\twhile (*out) {\n\t\t\t\tcur_pos = strchr (out, '\\n');\n\t\t\t\tif (!cur_pos) {\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tcur_cmd = r_str_ndup (out, cur_pos - out);\n\t\t\t\tif (!strncmp (tmp, cur_cmd, n)) {\n\t\t\t\t\tchar *cmplt = r_str_newf (\"anal/%s/\", 
cur_cmd);\n\t\t\t\t\tr_line_completion_push (completion, cmplt);\n\t\t\t\t\tfree (cmplt);\n\t\t\t\t}\n\t\t\t\tout += cur_pos - out + 1;\n\t\t\t}\n\n\t\t} else { // anal/meta/*\n\t\t\tchar *tmp = p2 + 1;\n\t\t\tint n = strlen (tmp);\n\t\t\tchar *spltr = strchr (ns, '/');\n\t\t\t*spltr = 0;\n\t\t\tnext_cmd = r_str_newf (\"anal/%s/*\", ns);\n\t\t\tout = sdb_querys (sdb, NULL, 0, next_cmd);\n\t\t\tif (!out) {\n\t\t\t\tfree (lpath);\n\t\t\t\treturn;\n\t\t\t}\n\t\t\twhile (*out) {\n\t\t\t\ttemp_pos = strchr (out, '\\n');\n\t\t\t\tif (!temp_pos) {\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\ttemp_cmd = r_str_ndup (out, temp_pos - out); // contains the key=value pair\n\t\t\t\tkey = strchr (temp_cmd, '=');\n\t\t\t\t*key = 0;\n\t\t\t\tif (!strncmp (tmp, temp_cmd, n)) {\n\t\t\t\t\tchar *cmplt = r_str_newf (\"anal/%s/%s\", ns, temp_cmd);\n\t\t\t\t\tr_line_completion_push (completion, cmplt);\n\t\t\t\t\tfree (cmplt);\n\t\t\t\t}\n\t\t\t\tout += temp_pos - out + 1;\n\t\t\t}\n\t\t}\n\t} else {\n\t\tint n = strlen (lpath);\n\t\tif (!strncmp (lpath, \"anal\", n)) {\n\t\t\tr_line_completion_push (completion, \"anal/\");\n\t\t}\n\t}\n}", "project": "radare2", "hash": 72895700341703861669517426425226992276, "size": 71, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232133 }, { "func": "static void fanout_release_data(struct packet_fanout *f)\n{\n\tswitch (f->type) {\n\tcase PACKET_FANOUT_CBPF:\n\tcase PACKET_FANOUT_EBPF:\n\t\t__fanout_set_data_bpf(f, NULL);\n\t}\n}", "project": "linux", "hash": 256728171660834566234168240933608294321, "size": 8, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis 
set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330377 }, { "func": "static void execlists_submit_request(struct i915_request *request)\n{\n\tstruct intel_engine_cs *engine = request->engine;\n\tunsigned long flags;\n\n\t/* Will be called from irq-context when using foreign fences. */\n\tspin_lock_irqsave(&engine->active.lock, flags);\n\n\tqueue_request(engine, &request->sched, rq_prio(request));\n\n\tGEM_BUG_ON(RB_EMPTY_ROOT(&engine->execlists.queue.rb_root));\n\tGEM_BUG_ON(list_empty(&request->sched.link));\n\n\tsubmit_queue(engine, request);\n\n\tspin_unlock_irqrestore(&engine->active.lock, flags);\n}", "project": "linux", "hash": 50827458707027472115249130199905276308, "size": 17, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281460 }, { "func": "ClientHttpRequest::updateCounters()\n{\n clientUpdateStatCounters(logType);\n\n if (request->errType != ERR_NONE)\n ++ statCounter.client_http.errors;\n\n clientUpdateStatHistCounters(logType,\n tvSubMsec(al->cache.start_time, current_time));\n\n clientUpdateHierCounters(&request->hier);\n}", "project": "squid", "hash": 160131877555312281963164357465440584725, "size": 12, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402352 }, { "func": "CtPtr ProtocolV1::replace(const AsyncConnectionRef& existing,\n ceph_msg_connect_reply &reply,\n bufferlist &authorizer_reply) {\n ldout(cct, 10) << __func__ << \" accept replacing \" << existing << dendl;\n\n connection->inject_delay();\n if (existing->policy.lossy) {\n // disconnect from the Connection\n ldout(cct, 1) << __func__ << \" replacing on lossy channel, failing existing\"\n << dendl;\n existing->protocol->stop();\n existing->dispatch_queue->queue_reset(existing.get());\n } else {\n ceph_assert(can_write == WriteStatus::NOWRITE);\n existing->write_lock.lock();\n\n ProtocolV1 *exproto = dynamic_cast(existing->protocol.get());\n\n // reset the in_seq if this is a hard reset from peer,\n // otherwise we respect our original connection's value\n if (is_reset_from_peer) {\n exproto->is_reset_from_peer = true;\n }\n\n connection->center->delete_file_event(connection->cs.fd(),\n EVENT_READABLE | EVENT_WRITABLE);\n\n if (existing->delay_state) {\n existing->delay_state->flush();\n ceph_assert(!connection->delay_state);\n }\n exproto->reset_recv_state();\n\n exproto->connect_msg.features = connect_msg.features;\n\n auto temp_cs = std::move(connection->cs);\n EventCenter *new_center = connection->center;\n Worker *new_worker = connection->worker;\n // avoid _stop shutdown replacing socket\n // queue a reset on the new connection, which we're dumping for the old\n stop();\n\n connection->dispatch_queue->queue_reset(connection);\n ldout(messenger->cct, 1)\n << __func__ << \" stop myself to swap existing\" << dendl;\n exproto->can_write = 
WriteStatus::REPLACING;\n exproto->replacing = true;\n exproto->write_in_progress = false;\n existing->state_offset = 0;\n // avoid previous thread modify event\n exproto->state = NONE;\n existing->state = AsyncConnection::STATE_NONE;\n // Discard existing prefetch buffer in `recv_buf`\n existing->recv_start = existing->recv_end = 0;\n // there shouldn't exist any buffer\n ceph_assert(connection->recv_start == connection->recv_end);\n\n auto deactivate_existing = std::bind(\n [existing, new_worker, new_center, exproto, reply,\n authorizer_reply](ConnectedSocket &cs) mutable {\n // we need to delete time event in original thread\n {\n std::lock_guard l(existing->lock);\n existing->write_lock.lock();\n exproto->requeue_sent();\n existing->outgoing_bl.clear();\n existing->open_write = false;\n existing->write_lock.unlock();\n if (exproto->state == NONE) {\n existing->shutdown_socket();\n existing->cs = std::move(cs);\n existing->worker->references--;\n new_worker->references++;\n existing->logger = new_worker->get_perf_counter();\n existing->worker = new_worker;\n existing->center = new_center;\n if (existing->delay_state)\n existing->delay_state->set_center(new_center);\n } else if (exproto->state == CLOSED) {\n auto back_to_close =\n std::bind([](ConnectedSocket &cs) mutable { cs.close(); },\n std::move(cs));\n new_center->submit_to(new_center->get_id(),\n std::move(back_to_close), true);\n return;\n } else {\n ceph_abort();\n }\n }\n\n // Before changing existing->center, it may already exists some\n // events in existing->center's queue. Then if we mark down\n // `existing`, it will execute in another thread and clean up\n // connection. 
Previous event will result in segment fault\n auto transfer_existing = [existing, exproto, reply,\n authorizer_reply]() mutable {\n std::lock_guard l(existing->lock);\n if (exproto->state == CLOSED) return;\n ceph_assert(exproto->state == NONE);\n\n // we have called shutdown_socket above\n ceph_assert(existing->last_tick_id == 0);\n // restart timer since we are going to re-build connection\n existing->last_connect_started = ceph::coarse_mono_clock::now();\n existing->last_tick_id = existing->center->create_time_event(\n existing->connect_timeout_us, existing->tick_handler);\n existing->state = AsyncConnection::STATE_CONNECTION_ESTABLISHED;\n exproto->state = ACCEPTING;\n\n existing->center->create_file_event(\n existing->cs.fd(), EVENT_READABLE, existing->read_handler);\n reply.global_seq = exproto->peer_global_seq;\n exproto->run_continuation(exproto->send_connect_message_reply(\n CEPH_MSGR_TAG_RETRY_GLOBAL, reply, authorizer_reply));\n };\n if (existing->center->in_thread())\n transfer_existing();\n else\n existing->center->submit_to(existing->center->get_id(),\n std::move(transfer_existing), true);\n },\n std::move(temp_cs));\n\n existing->center->submit_to(existing->center->get_id(),\n std::move(deactivate_existing), true);\n existing->write_lock.unlock();\n existing->lock.unlock();\n return nullptr;\n }\n existing->lock.unlock();\n\n return open(reply, authorizer_reply);\n}", "project": "ceph", "hash": 89874337930523524879673058310173528294, "size": 133, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": "msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f (\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed 
through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 0, "dataset": "other", "idx": 356897 }, { "func": "UnicodeString::replace(int32_t start,\n int32_t _length,\n UChar32 srcChar) {\n UChar buffer[U16_MAX_LENGTH];\n int32_t count = 0;\n UBool isError = FALSE;\n U16_APPEND(buffer, count, U16_MAX_LENGTH, srcChar, isError);\n // We test isError so that the compiler does not complain that we don't.\n // If isError (srcChar is not a valid code point) then count==0 which means\n // we remove the source segment rather than replacing it with srcChar.\n return doReplace(start, _length, buffer, 0, isError ? 0 : count);\n}", "project": "icu", "hash": 295245800748217890906835830615056031193, "size": 12, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430870 }, { "func": "static void fuse_advise_use_readdirplus(struct inode *dir)\n{\n\tstruct fuse_inode *fi = get_fuse_inode(dir);\n\n\tset_bit(FUSE_I_ADVISE_RDPLUS, &fi->state);\n}", "project": "linux", "hash": 21077673511695728464491374691584435440, "size": 6, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342015 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::handlePostRenderTasks()\n{\n ASSERT(isAudioThread());\n\n if (tryLock()) {\n updateChangedChannelCountMode();\n\n handleDeferredAudioNodeTasks();\n\n derefFinishedSourceNodes();\n\n handleDirtyAudioSummingJunctions();\n handleDirtyAudioNodeOutputs();\n\n updateAutomaticPullNodes();\n resolvePromisesForSuspend();\n\n unlock();\n }\n}\n", "cwe": "", "big_vul_idx": 139660, "idx": 124810, "hash": 121248220088021544151380991319835829075 }, { "func": "static const EVP_CIPHER * php_openssl_get_evp_cipher_from_algo(zend_long algo) { /* {{{ */\n\tswitch (algo) {\n#ifndef OPENSSL_NO_RC2\n\t\tcase PHP_OPENSSL_CIPHER_RC2_40:\n\t\t\treturn EVP_rc2_40_cbc();\n\t\t\tbreak;\n\t\tcase PHP_OPENSSL_CIPHER_RC2_64:\n\t\t\treturn EVP_rc2_64_cbc();\n\t\t\tbreak;\n\t\tcase PHP_OPENSSL_CIPHER_RC2_128:\n\t\t\treturn EVP_rc2_cbc();\n\t\t\tbreak;\n#endif\n\n#ifndef OPENSSL_NO_DES\n\t\tcase PHP_OPENSSL_CIPHER_DES:\n\t\t\treturn EVP_des_cbc();\n\t\t\tbreak;\n\t\tcase PHP_OPENSSL_CIPHER_3DES:\n\t\t\treturn EVP_des_ede3_cbc();\n\t\t\tbreak;\n#endif\n\n#ifndef OPENSSL_NO_AES\n\t\tcase PHP_OPENSSL_CIPHER_AES_128_CBC:\n\t\t\treturn EVP_aes_128_cbc();\n\t\t\tbreak;\n\t\tcase 
PHP_OPENSSL_CIPHER_AES_192_CBC:\n\t\t\treturn EVP_aes_192_cbc();\n\t\t\tbreak;\n\t\tcase PHP_OPENSSL_CIPHER_AES_256_CBC:\n\t\t\treturn EVP_aes_256_cbc();\n\t\t\tbreak;\n#endif\n\n\n\t\tdefault:\n\t\t\treturn NULL;\n\t\t\tbreak;\n\t}\n}", "project": "php-src", "hash": 77161791277396004057304636344083455382, "size": 41, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291442 }, { "func": "static int tcp_is_sackfrto(const struct tcp_sock *tp)\n{\n\treturn (sysctl_tcp_frto == 0x2) && !tcp_is_reno(tp);\n}", "project": "net-next", "hash": 249464223274128055402290962471262304589, "size": 4, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409943 }, { "func": "static void mmput_async_fn(struct work_struct *work)\n{\n\tstruct mm_struct *mm = container_of(work, struct mm_struct,\n\t\t\t\t\t async_put_work);\n\n\t__mmput(mm);\n}", "project": "linux", "hash": 65972828440610261091676383008042774002, "size": 7, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293729 }, { "func": "Status GraphConstructor::BuildNodeIndex() {\n // Validate the node names and add them to gdef_nodes_ and gdef_prefixes_.\n for (int n = 0; n < node_def_count(); ++n) {\n const NodeDef& node_def = get_node_def(n);\n if (!IsValidNodeName(node_def.name(), opts_.allow_internal_ops)) {\n return errors::InvalidArgument(\n \"Node '\", node_def.name(),\n \"': Node name contains invalid characters\");\n }\n if (!gdef_nodes_\n .insert(std::make_pair(StringPiece(node_def.name()), NodeInfo(n)))\n .second) {\n return errors::InvalidArgument(\"Node '\", node_def.name(),\n \"' is not unique\");\n }\n // Validate the operation's type.\n if (node_def.op().empty()) {\n return errors::InvalidArgument(\"Node '\", node_def.name(),\n \"' does not specify an operation\");\n }\n if (opts_.expect_device_spec && node_def.device().empty()) {\n return errors::InvalidArgument(\"Node '\", node_def.name(),\n \"' is missing a device specification\");\n }\n if (IsMerge(node_def)) {\n merge_node_indices_.insert(n);\n }\n // Validate control edges at end\n bool in_control_dependence = false;\n for (int i = 0; i < node_def.input_size(); ++i) {\n StringPiece input_name = node_def.input(i);\n if (!input_name.empty() && 
absl::StartsWith(input_name, \"^\")) {\n in_control_dependence = true;\n } else if (in_control_dependence) {\n return errors::InvalidArgument(\n \"Node '\", node_def.name(),\n \"': Control dependencies must come after regular dependencies\");\n }\n }\n // Update gdef_prefixes_.\n AddPrefixes(node_def.name(), &gdef_prefixes_);\n }\n return Status::OK();\n}", "project": "tensorflow", "hash": 21374661454168782130492807250805104562, "size": 44, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268332 }, { "func": "static int nfs4_proc_readlink(struct inode *inode, struct page *page,\n\t\tunsigned int pgbase, unsigned int pglen)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\tdo {\n\t\terr = _nfs4_proc_readlink(inode, page, pgbase, pglen);\n\t\ttrace_nfs4_readlink(inode, err);\n\t\terr = nfs4_handle_exception(NFS_SERVER(inode), err,\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 307193218452885811901200993521471945374, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() 
before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431254 }, { "func": "static void le_scan_restart_work(struct work_struct *work)\n{\n\tstruct hci_dev *hdev = container_of(work, struct hci_dev,\n\t\t\t\t\t le_scan_restart.work);\n\tunsigned long timeout, duration, scan_start, now;\n\tu8 status;\n\n\tbt_dev_dbg(hdev, \"\");\n\n\thci_req_sync(hdev, le_scan_restart, 0, HCI_CMD_TIMEOUT, &status);\n\tif (status) {\n\t\tbt_dev_err(hdev, \"failed to restart LE scan: status %d\",\n\t\t\t status);\n\t\treturn;\n\t}\n\n\thci_dev_lock(hdev);\n\n\tif (!test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks) ||\n\t !hdev->discovery.scan_start)\n\t\tgoto unlock;\n\n\t/* When the scan was started, hdev->le_scan_disable has been queued\n\t * after duration from scan_start. 
During scan restart this job\n\t * has been canceled, and we need to queue it again after proper\n\t * timeout, to make sure that scan does not run indefinitely.\n\t */\n\tduration = hdev->discovery.scan_duration;\n\tscan_start = hdev->discovery.scan_start;\n\tnow = jiffies;\n\tif (now - scan_start <= duration) {\n\t\tint elapsed;\n\n\t\tif (now >= scan_start)\n\t\t\telapsed = now - scan_start;\n\t\telse\n\t\t\telapsed = ULONG_MAX - scan_start + now;\n\n\t\ttimeout = duration - elapsed;\n\t} else {\n\t\ttimeout = 0;\n\t}\n\n\tqueue_delayed_work(hdev->req_workqueue,\n\t\t\t &hdev->le_scan_disable, timeout);\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 94105557287814800542988234164239362219, "size": 49, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402490 }, { "func": "static int avic_init_vcpu(struct vcpu_svm *svm)\n{\n\tint ret;\n\n\tif (!kvm_vcpu_apicv_active(&svm->vcpu))\n\t\treturn 0;\n\n\tret = avic_init_backing_page(&svm->vcpu);\n\tif (ret)\n\t\treturn ret;\n\n\tINIT_LIST_HEAD(&svm->ir_list);\n\tspin_lock_init(&svm->ir_list_lock);\n\tsvm->dfr_reg = APIC_DFR_FLAT;\n\n\treturn ret;\n}", "project": "linux", "hash": 272945942652187299463722555639691575346, "size": 17, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432602 }, { "func": " int MemIo::seek(int64 offset, Position pos )\n {\n int64 newIdx = 0;\n\n switch (pos) {\n case BasicIo::cur:\n newIdx = p_->idx_ + offset;\n break;\n case BasicIo::beg:\n newIdx = offset;\n break;\n case BasicIo::end:\n newIdx = p_->size_ + offset;\n break;\n }\n\n if (newIdx < 0)\n return 1;\n\n p_->idx_ = static_cast(newIdx); //not very sure about this. need more test!! - note by Shawn fly2xj@gmail.com //TODO\n p_->eof_ = false;\n return 0;\n }", "project": "exiv2", "hash": 299218834992083440493543625582483690654, "size": 23, "commit_id": "bd0afe0390439b2c424d881c8c6eb0c5624e31d9", "message": "Add bounds check to MemIo::seek(). 
(#944)\n\n- Regression test for missing bounds check in MemIo::seek()\r\n- Add bounds check to MemIo::seek(), this fixes CVE-2019-13504", "target": 1, "dataset": "other", "idx": 204868 }, { "func": "bool MemFile::seek(int64_t offset, int whence /* = SEEK_SET */) {\n assertx(m_len != -1);\n if (whence == SEEK_CUR) {\n if (offset >= 0 && offset < bufferedLen()) {\n setReadPosition(getReadPosition() + offset);\n setPosition(getPosition() + offset);\n return true;\n }\n offset += getPosition();\n whence = SEEK_SET;\n }\n\n // invalidate the current buffer\n setWritePosition(0);\n setReadPosition(0);\n if (whence == SEEK_SET) {\n if (offset < 0) return false;\n m_cursor = offset;\n } else if (whence == SEEK_END) {\n if (m_len + offset < 0) return false;\n m_cursor = m_len + offset;\n } else {\n return false;\n }\n setPosition(m_cursor);\n return true;\n}", "project": "hhvm", "hash": 339868365115902892248185368633612685513, "size": 27, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219209 }, { "func": " int FileIo::seek(int64 offset, Position pos )\n {\n assert(p_->fp_ != 0);\n\n int fileSeek = 0;\n switch (pos) {\n case BasicIo::cur: fileSeek = SEEK_CUR; break;\n case BasicIo::beg: fileSeek = SEEK_SET; break;\n case BasicIo::end: fileSeek = SEEK_END; break;\n }\n\n if (p_->switchMode(Impl::opSeek) != 0) return 1;\n#ifdef _WIN64\n return _fseeki64(p_->fp_, offset, fileSeek);\n#else\n return std::fseek(p_->fp_,static_cast(offset), fileSeek);\n#endif\n }", "project": "exiv2", "hash": 259361170707400175619786807588980665873, "size": 18, "commit_id": "bd0afe0390439b2c424d881c8c6eb0c5624e31d9", "message": "Add bounds check to MemIo::seek(). 
(#944)\n\n- Regression test for missing bounds check in MemIo::seek()\r\n- Add bounds check to MemIo::seek(), this fixes CVE-2019-13504", "target": 0, "dataset": "other", "idx": 367059 }, { "func": " int RemoteIo::seek(int64 offset, Position pos)\n {\n assert(p_->isMalloced_);\n int64 newIdx = 0;\n\n switch (pos) {\n case BasicIo::cur:\n newIdx = static_cast(p_->idx_) + offset;\n break;\n case BasicIo::beg:\n newIdx = offset;\n break;\n case BasicIo::end:\n newIdx = static_cast(p_->size_) + offset;\n break;\n }\n\n // #1198. Don't return 1 when asked to seek past EOF. Stay calm and set eof_\n // if (newIdx < 0 || newIdx > (long) p_->size_) return 1;\n p_->idx_ = static_cast(newIdx);\n p_->eof_ = newIdx > static_cast(p_->size_);\n if (p_->idx_ > p_->size_)\n p_->idx_ = p_->size_;\n return 0;\n }", "project": "exiv2", "hash": 105195626684587709469165781902329489563, "size": 25, "commit_id": "bd0afe0390439b2c424d881c8c6eb0c5624e31d9", "message": "Add bounds check to MemIo::seek(). (#944)\n\n- Regression test for missing bounds check in MemIo::seek()\r\n- Add bounds check to MemIo::seek(), this fixes CVE-2019-13504", "target": 0, "dataset": "other", "idx": 367063 }, { "func": " int MemIo::seek(int64 offset, Position pos )\n {\n int64 newIdx = 0;\n\n switch (pos) {\n case BasicIo::cur:\n newIdx = p_->idx_ + offset;\n break;\n case BasicIo::beg:\n newIdx = offset;\n break;\n case BasicIo::end:\n newIdx = p_->size_ + offset;\n break;\n }\n\n if (newIdx < 0)\n return 1;\n\n if (static_cast(newIdx) > p_->size_) {\n p_->eof_ = true;\n return 1;\n }\n\n p_->idx_ = static_cast(newIdx);\n p_->eof_ = false;\n return 0;\n }", "project": "exiv2", "hash": 109191990002104936880753982885886945308, "size": 28, "commit_id": "bd0afe0390439b2c424d881c8c6eb0c5624e31d9", "message": "Add bounds check to MemIo::seek(). 
(#944)\n\n- Regression test for missing bounds check in MemIo::seek()\r\n- Add bounds check to MemIo::seek(), this fixes CVE-2019-13504", "target": 0, "dataset": "other", "idx": 367064 }, { "func": "static inline void trace_insert_eval_map_file(struct module *mod,\n\t\t\t struct trace_eval_map **start, int len) { }", "project": "linux", "hash": 160129314103310214077594025823453296716, "size": 2, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445764 }, { "func": "static int sock_has_rx_data(struct socket *sock)\n{\n\tif (unlikely(!sock))\n\t\treturn 0;\n\n\tif (sock->ops->peek_len)\n\t\treturn sock->ops->peek_len(sock);\n\n\treturn skb_queue_empty(&sock->sk->sk_receive_queue);\n}", "project": "linux", "hash": 183907729524626930527755436132193214555, "size": 10, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of 
sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 441986 }, { "func": "static void hidinput_cleanup_hidinput(struct hid_device *hid,\n\t\tstruct hid_input *hidinput)\n{\n\tstruct hid_report *report;\n\tint i, k;\n\n\tlist_del(&hidinput->list);\n\tinput_free_device(hidinput->input);\n\tkfree(hidinput->name);\n\n\tfor (k = HID_INPUT_REPORT; k <= HID_OUTPUT_REPORT; k++) {\n\t\tif (k == HID_OUTPUT_REPORT &&\n\t\t\thid->quirks & HID_QUIRK_SKIP_OUTPUT_REPORTS)\n\t\t\tcontinue;\n\n\t\tlist_for_each_entry(report, &hid->report_enum[k].report_list,\n\t\t\t\t list) {\n\n\t\t\tfor (i = 0; i < report->maxfield; i++)\n\t\t\t\tif (report->field[i]->hidinput == hidinput)\n\t\t\t\t\treport->field[i]->hidinput = NULL;\n\t\t}\n\t}\n\n\tkfree(hidinput);\n}", "project": "linux", "hash": 67516985298095975204130515747521258373, "size": 26, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": 
"other", "idx": 458355 }, { "func": "\nstatic int io_poll_add(struct io_kiocb *req, unsigned int issue_flags)\n{\n\tstruct io_poll_iocb *poll = &req->poll;\n\tstruct io_ring_ctx *ctx = req->ctx;\n\tstruct io_poll_table ipt;\n\t__poll_t mask;\n\n\tipt.pt._qproc = io_poll_queue_proc;\n\n\tmask = __io_arm_poll_handler(req, &req->poll, &ipt, poll->events,\n\t\t\t\t\tio_poll_wake);\n\n\tif (mask) { /* no async, we'd stolen it */\n\t\tipt.error = 0;\n\t\tio_poll_complete(req, mask);\n\t}\n\tspin_unlock_irq(&ctx->completion_lock);\n\n\tif (mask) {\n\t\tio_cqring_ev_posted(ctx);\n\t\tif (poll->events & EPOLLONESHOT)\n\t\t\tio_put_req(req);\n\t}\n\treturn ipt.error;", "project": "linux", "hash": 269930780312076988692605571218532506938, "size": 25, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338578 }, { "func": " void parseBigInt(int len) {\n assertx(*p > '9' || *p < '0'); // Aleady read maximal digit sequence.\n errno = 0;\n const int64_t sx = strtoll(p - len, nullptr, 10);\n if (errno == ERANGE) {\n const double dval = zend_strtod(p - len, nullptr);\n assertx(dval == floor(dval));\n pushDouble(dval);\n } else {\n pushInt64(sx);\n }\n }", "project": "hhvm", "hash": 258722166562374038017628711026922135277, "size": 
12, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227302 }, { "func": "}\n\nstatic int\niscsi_set_iface_params(struct iscsi_transport *transport,\n\t\t struct iscsi_uevent *ev, uint32_t len)\n{\n\tchar *data = (char *)ev + sizeof(*ev);\n\tstruct Scsi_Host *shost;\n\tint err;\n\n\tif (!transport->set_iface_param)\n\t\treturn -ENOSYS;\n\n\tshost = scsi_host_lookup(ev->u.set_iface_params.host_no);\n\tif (!shost) {\n\t\tprintk(KERN_ERR \"set_iface_params could not find host no %u\\n\",\n\t\t ev->u.set_iface_params.host_no);\n\t\treturn -ENODEV;\n\t}\n\n\terr = transport->set_iface_param(shost, data, len);", "project": "linux", "hash": 229633561836303389442389426071619148738, "size": 21, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379935 }, { "func": "static long kvm_s390_guest_sida_op(struct kvm_vcpu *vcpu,\n\t\t\t\t struct kvm_s390_mem_op *mop)\n{\n\tvoid __user *uaddr = (void __user *)mop->buf;\n\tint r = 0;\n\n\tif (mop->flags || !mop->size)\n\t\treturn -EINVAL;\n\tif (mop->size + mop->sida_offset < mop->size)\n\t\treturn -EINVAL;\n\tif (mop->size + mop->sida_offset > sida_size(vcpu->arch.sie_block))\n\t\treturn -E2BIG;\n\n\tswitch (mop->op) {\n\tcase KVM_S390_MEMOP_SIDA_READ:\n\t\tif (copy_to_user(uaddr, (void *)(sida_origin(vcpu->arch.sie_block) +\n\t\t\t\t mop->sida_offset), mop->size))\n\t\t\tr = -EFAULT;\n\n\t\tbreak;\n\tcase KVM_S390_MEMOP_SIDA_WRITE:\n\t\tif (copy_from_user((void *)(sida_origin(vcpu->arch.sie_block) +\n\t\t\t\t mop->sida_offset), uaddr, mop->size))\n\t\t\tr = -EFAULT;\n\t\tbreak;\n\t}\n\treturn r;\n}", "project": "linux", "hash": 116578996635341926095341912300218848070, "size": 28, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354537 }, { "func": "static int fuse_dir_fsync(struct file *file, loff_t start, loff_t end,\n\t\t\t int datasync)\n{\n\tstruct inode *inode = file->f_mapping->host;\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tint err;\n\n\tif (fuse_is_bad(inode))\n\t\treturn -EIO;\n\n\tif (fc->no_fsyncdir)\n\t\treturn 
0;\n\n\tinode_lock(inode);\n\terr = fuse_fsync_common(file, start, end, datasync, FUSE_FSYNCDIR);\n\tif (err == -ENOSYS) {\n\t\tfc->no_fsyncdir = 1;\n\t\terr = 0;\n\t}\n\tinode_unlock(inode);\n\n\treturn err;\n}", "project": "linux", "hash": 315715407571172843346913103397197839889, "size": 23, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342162 }, { "func": "static void get_policy_nodemask(struct mempolicy *p, nodemask_t *nodes)\n{\n\tnodes_clear(*nodes);\n\tif (p == &default_policy)\n\t\treturn;\n\n\tswitch (p->mode) {\n\tcase MPOL_BIND:\n\t\t/* Fall through */\n\tcase MPOL_INTERLEAVE:\n\t\t*nodes = p->v.nodes;\n\t\tbreak;\n\tcase MPOL_PREFERRED:\n\t\tif (!(p->flags & MPOL_F_LOCAL))\n\t\t\tnode_set(p->v.preferred_node, *nodes);\n\t\t/* else return empty node mask for local allocation */\n\t\tbreak;\n\tdefault:\n\t\tBUG();\n\t}\n}", "project": "linux", "hash": 273919848846004418777028935546459451654, "size": 21, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) 
nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366747 }, { "func": "static void feedpeer(char *peer, message_data_t *msg)\n{\n char *user, *pass, *host, *port, *wild, *path, *s;\n int oldform = 0;\n struct wildmat *wmat = NULL, *w;\n int len, err, n, feed = 1;\n struct addrinfo hints, *res, *res0;\n int sock = -1;\n struct protstream *pin, *pout;\n char buf[4096];\n int body = 0, skip;\n\n /* parse the peer */\n user = pass = host = port = wild = NULL;\n if ((wild = strrchr(peer, '/')))\n\t*wild++ = '\\0';\n else if ((wild = strrchr(peer, ':')) &&\n\t strcspn(wild, \"!*?,.\") != strlen(wild)) {\n\t*wild++ = '\\0';\n\thost = peer;\n\toldform = 1;\n }\n if (!oldform) {\n\tif ((host = strchr(peer, '@'))) {\n\t *host++ = '\\0';\n\t user = peer;\n\t if ((pass = strchr(user, ':'))) *pass++ = '\\0';\n\t}\n\telse\n\t host = peer;\n\n\tif ((port = strchr(host, ':'))) *port++ = '\\0';\n }\n\n /* check path to see if this message came through our peer */\n len = strlen(host);\n path = msg->path;\n while (path && (s = strchr(path, '!'))) {\n\tif ((s - path) == len && !strncmp(path, host, len)) {\n\t return;\n\t}\n\tpath = s + 1;\n }\n\n /* check newsgroups against wildmat to see if we should feed it */\n 
if (wild && *wild) {\n\twmat = split_wildmats(wild);\n\n\tfeed = 0;\n\tfor (n = 0; n < msg->rcpt.count; n++) {\n\t /* see if the newsgroup matches one of our wildmats */\n\t w = wmat;\n\t while (w->pat &&\n\t\t wildmat(msg->rcpt.data[n], w->pat) != 1) {\n\t\tw++;\n\t }\n\n\t if (w->pat) {\n\t\t/* we have a match, check to see what kind of match */\n\t\tif (!w->not) {\n\t\t /* positive match, ok to feed, keep checking */\n\t\t feed = 1;\n\t\t}\n\t\telse if (w->not < 0) {\n\t\t /* absolute negative match, do not feed */\n\t\t feed = 0;\n\t\t break;\n\t\t}\n\t\telse {\n\t\t /* negative match, keep checking */\n\t\t}\n\t }\n\t else {\n\t\t/* no match, keep checking */\n\t }\n\t}\n\n\tfree_wildmats(wmat);\n }\n\n if (!feed) return;\n \n memset(&hints, 0, sizeof(hints));\n hints.ai_family = AF_UNSPEC;\n hints.ai_socktype = SOCK_STREAM;\n hints.ai_protocol = 0;\n if (!port || !*port) port = \"119\";\n if ((err = getaddrinfo(host, port, &hints, &res0)) != 0) {\n\tsyslog(LOG_ERR, \"getaddrinfo(%s, %s) failed: %m\", host, port);\n\treturn;\n }\n\n for (res = res0; res; res = res->ai_next) {\n\tif ((sock = socket(res->ai_family, res->ai_socktype,\n\t\t\t res->ai_protocol)) < 0)\n\t continue;\n\tif (connect(sock, res->ai_addr, res->ai_addrlen) >= 0)\n\t break;\n\tclose(sock);\n\tsock = -1;\n }\n freeaddrinfo(res0);\n if(sock < 0) {\n\tsyslog(LOG_ERR, \"connect(%s:%s) failed: %m\", host, port);\n\treturn;\n }\n \n pin = prot_new(sock, 0);\n pout = prot_new(sock, 1);\n prot_setflushonread(pin, pout);\n\n /* read the initial greeting */\n if (!prot_fgets(buf, sizeof(buf), pin) || strncmp(\"200\", buf, 3)) {\n\tsyslog(LOG_ERR, \"peer doesn't allow posting\");\n\tgoto quit;\n }\n\n if (user) {\n\t/* change to reader mode - not always necessary, so ignore result */\n\tprot_printf(pout, \"MODE READER\\r\\n\");\n\tprot_fgets(buf, sizeof(buf), pin);\n\n\tif (*user) {\n\t /* authenticate to peer */\n\t /* XXX this should be modified to support SASL and STARTTLS */\n\n\t 
prot_printf(pout, \"AUTHINFO USER %s\\r\\n\", user);\n\t if (!prot_fgets(buf, sizeof(buf), pin)) {\n\t\tsyslog(LOG_ERR, \"AUTHINFO USER terminated abnormally\");\n\t\tgoto quit;\n\t }\n\t else if (!strncmp(\"381\", buf, 3)) {\n\t\t/* password required */\n\t\tif (!pass) {\n\t\t syslog(LOG_ERR, \"need password for AUTHINFO PASS\");\n\t\t goto quit;\n\t\t}\n\n\t\tprot_printf(pout, \"AUTHINFO PASS %s\\r\\n\", pass);\n\t\tif (!prot_fgets(buf, sizeof(buf), pin)) {\n\t\t syslog(LOG_ERR, \"AUTHINFO PASS terminated abnormally\");\n\t\t goto quit;\n\t\t}\n\t }\n\n\t if (strncmp(\"281\", buf, 3)) {\n\t\t/* auth failed */\n\t\tsyslog(LOG_ERR, \"authentication failed\");\n\t\tgoto quit;\n\t }\n\t}\n\n\t/* tell the peer we want to post */\n\tprot_printf(pout, \"POST\\r\\n\");\n\tprot_flush(pout);\n\n\tif (!prot_fgets(buf, sizeof(buf), pin) || strncmp(\"340\", buf, 3)) {\n\t syslog(LOG_ERR, \"peer doesn't allow posting\");\n\t goto quit;\n\t}\n }\n else {\n\t/* tell the peer about our new article */\n\tprot_printf(pout, \"IHAVE %s\\r\\n\", msg->id);\n\tprot_flush(pout);\n\n\tif (!prot_fgets(buf, sizeof(buf), pin) || strncmp(\"335\", buf, 3)) {\n\t syslog(LOG_ERR, \"peer doesn't want article %s\", msg->id);\n\t goto quit;\n\t}\n }\n\n /* send the article */\n rewind(msg->f);\n while (fgets(buf, sizeof(buf), msg->f)) {\n\tif (!body && buf[0] == '\\r' && buf[1] == '\\n') {\n\t /* blank line between header and body */\n\t body = 1;\n\t}\n\n\tskip = 0;\n\tif (!body) {\n\t if (!strncasecmp(buf, \"Reply-To:\", 9)) {\n\t\t/* strip any post addresses, skip if becomes empty */\n\t\tif (!strip_post_addresses(buf+9)) skip = 1;\n\t }\n\t}\n\n\tif (!skip && buf[0] == '.') prot_putc('.', pout);\n\tdo {\n\t if (!skip) prot_printf(pout, \"%s\", buf);\n\t} while (buf[strlen(buf)-1] != '\\n' &&\n\t\t fgets(buf, sizeof(buf), msg->f));\n }\n\n /* Protect against messages not ending in CRLF */\n if (buf[strlen(buf)-1] != '\\n') prot_printf(pout, \"\\r\\n\");\n\n prot_printf(pout, \".\\r\\n\");\n\n if 
(!prot_fgets(buf, sizeof(buf), pin) || strncmp(\"2\", buf, 1)) {\n\tsyslog(LOG_ERR, \"article %s transfer to peer failed\", msg->id);\n }\n\n quit:\n prot_printf(pout, \"QUIT\\r\\n\");\n prot_flush(pout);\n\n prot_fgets(buf, sizeof(buf), pin);\n\n /* Flush the incoming buffer */\n prot_NONBLOCK(pin);\n prot_fill(pin);\n\n /* close/free socket & prot layer */\n close(sock);\n \n prot_free(pin);\n prot_free(pout);\n\n return;\n}", "project": "cyrus-imapd", "hash": 271896924819504568802037652933896317245, "size": 222, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451896 }, { "func": "void LibRaw::setSonyBodyFeatures(unsigned long long id)\n{\n ushort idx;\n static const struct\n {\n ushort scf[11];\n /*\n scf[0] camera id\n scf[1] camera format\n scf[2] camera mount: Minolta A, Sony E, fixed,\n scf[3] camera type: DSLR, NEX, SLT, ILCE, ILCA, DSC\n scf[4] lens mount\n scf[5] tag 0x2010 group (0 if not used)\n scf[6] offset of Sony ISO in 0x2010 table, 0xffff if not valid\n scf[7] offset of ShutterCount3 in 0x9050 table, 0xffff if not valid\n scf[8] offset of MeteringMode in 0x2010 table, 0xffff if not valid\n scf[9] offset of ExposureProgram in 0x2010 table, 0xffff if not valid\n scf[10] offset of ReleaseMode2 in 0x2010 table, 0xffff if not valid\n */\n } SonyCamFeatures[] = {\n {SonyID_DSLR_A100, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A900, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0, 0,\n 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A700, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A200, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A350, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, 
LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A300, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A900, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A380, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A330, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A230, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A290, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x10b, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x10c, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A850, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0, 0,\n 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A850, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x10f, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x110, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A550, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A500, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A450, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x114, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x115, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_NEX_5, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_NEX, 0, 0,\n 
0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_NEX_3, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_NEX, 0, 0,\n 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_SLT_A33, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_SLT, 0, 0,\n 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_SLT_A55, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_SLT, 0, 0,\n 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A560, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSLR_A580, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_DSLR, 0,\n 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_NEX_C3, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_NEX, 0, 0,\n 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_SLT_A35, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_SLT, 0, 0,\n 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_SLT_A65, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_SLT, 0, 2,\n 0x1218, 0x01bd, 0x1178, 0x1179, 0x112c},\n {SonyID_SLT_A77, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_SLT, 0, 2,\n 0x1218, 0x01bd, 0x1178, 0x1179, 0x112c},\n {SonyID_NEX_5N, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_NEX, 0, 1,\n 0x113e, 0x01bd, 0x1174, 0x1175, 0x112c},\n {SonyID_NEX_7, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_NEX, 0, 2,\n 0x1218, 0x01bd, 0x1178, 0x1179, 0x112c},\n {SonyID_NEX_VG20, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_NEX, 0, 2,\n 0x1218, 0x01bd, 0x1178, 0x1179, 0x112c},\n {SonyID_SLT_A37, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_SLT, 0, 3,\n 0x11f4, 0x01bd, 0x1154, 0x1155, 0x1108},\n {SonyID_SLT_A57, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_SLT, 0, 3,\n 0x11f4, 0x01bd, 0x1154, 0x1155, 0x1108},\n {SonyID_NEX_F3, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_NEX, 0, 3,\n 0x11f4, 0x01bd, 0x1154, 0x1155, 0x1108},\n {SonyID_SLT_A99, LIBRAW_FORMAT_FF, 
LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_SLT, 0, 5,\n 0x1254, 0x01aa, 0x11ac, 0x11ad, 0x1160},\n {SonyID_NEX_6, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_NEX, 0, 5,\n 0x1254, 0x01aa, 0x11ac, 0x11ad, 0x1160},\n {SonyID_NEX_5R, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_NEX, 0, 5,\n 0x1254, 0x01aa, 0x11ac, 0x11ad, 0x1160},\n {SonyID_DSC_RX100, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 5, 0x1254, 0xffff, 0x11ac, 0x11ad, 0x1160},\n {SonyID_DSC_RX1, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 5, 0x1258, 0xffff, 0x11ac, 0x11ad, 0x1160},\n {SonyID_NEX_VG900, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_NEX, 0, 5,\n 0x1254, 0x01aa, 0x11ac, 0x11ad, 0x1160},\n {SonyID_NEX_VG30, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_NEX, 0, 5,\n 0x1254, 0x01aa, 0x11ac, 0x11ad, 0x1160},\n {0x12d, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_ILCE_3000, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 5,\n 0x1280, 0x01aa, 0x11ac, 0x11ad, 0x1160},\n {SonyID_SLT_A58, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_SLT, 0, 5,\n 0x1280, 0x01aa, 0x11ac, 0x11ad, 0x1160},\n {0x130, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_NEX_3N, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_NEX, 0, 5,\n 0x1280, 0x01aa, 0x11ac, 0x11ad, 0x1160},\n {SonyID_ILCE_7, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 7,\n 0x0344, 0xffff, 0x025c, 0x025d, 0x0210},\n {SonyID_NEX_5T, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_NEX, 0, 5,\n 0x1254, 0x01aa, 0x11ac, 0x11ad, 0x1160},\n {SonyID_DSC_RX100M2, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 6, 0x113c, 0xffff, 0x1064, 0x1065, 0x1018},\n {SonyID_DSC_RX10, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 7, 0x0344, 0xffff, 0x025c, 0x025d, 0x0210},\n {SonyID_DSC_RX1R, 
LIBRAW_FORMAT_FF, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 5, 0x1258, 0xffff, 0x11ac, 0x11ad, 0x1160},\n {SonyID_ILCE_7R, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 7,\n 0x0344, 0xffff, 0x025c, 0x025d, 0x0210},\n {SonyID_ILCE_6000, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 7,\n 0x0344, 0xffff, 0x025c, 0x025d, 0x0210},\n {SonyID_ILCE_5000, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 7,\n 0x0344, 0x01aa, 0x025c, 0x025d, 0x0210},\n {0x13a, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x13b, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x13c, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSC_RX100M3, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 7, 0x0344, 0xffff, 0x025c, 0x025d, 0x0210},\n {SonyID_ILCE_7S, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 7,\n 0x0344, 0xffff, 0x025c, 0x025d, 0x0210},\n {SonyID_ILCA_77M2, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_ILCA, 0,\n 7, 0x0344, 0x01a0, 0x025c, 0x025d, 0x0210},\n {0x140, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x141, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x142, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x143, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x144, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x145, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x146, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x147, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x148, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x149, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x14a, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x14b, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x14c, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x14d, 0, 0, 0, 
0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x14e, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x14f, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x150, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x151, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x152, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_ILCE_5100, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 7,\n 0x0344, 0x01a0, 0x025c, 0x025d, 0x0210},\n {SonyID_ILCE_7M2, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 7,\n 0x0344, 0xffff, 0x025c, 0x025d, 0x0210},\n {SonyID_DSC_RX100M4, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 8, 0x0346, 0xffff, 0x025c, 0x025d, 0x0210},\n {SonyID_DSC_RX10M2, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 8, 0x0346, 0xffff, 0x025c, 0x025d, 0x0210},\n {0x157, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSC_RX1RM2, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 8, 0x0346, 0xffff, 0x025c, 0x025d, 0x0210},\n {0x159, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_ILCE_QX1, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 7,\n 0x0344, 0x01a0, 0x025c, 0x025d, 0x0210},\n {SonyID_ILCE_7RM2, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 8,\n 0x0346, 0x01cb, 0x025c, 0x025d, 0x0210},\n {0x15c, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x15d, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_ILCE_7SM2, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 8,\n 0x0346, 0x01cb, 0x025c, 0x025d, 0x0210},\n {0x15f, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {0x160, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_ILCA_68, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_ILCA, 0,\n 7, 0x0344, 0x01a0, 0x025c, 0x025d, 
0x0210},\n {SonyID_ILCA_99M2, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Minolta_A, LIBRAW_SONY_ILCA, 0, 8,\n 0x0346, 0x01cd, 0x025c, 0x025d, 0x0210},\n {SonyID_DSC_RX10M3, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 8, 0x0346, 0xffff, 0x025c, 0x025d, 0x0210},\n {SonyID_DSC_RX100M5, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 8, 0x0346, 0xffff, 0x025c, 0x025d, 0x0210},\n {SonyID_ILCE_6300, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 8,\n 0x0346, 0x01cd, 0x025c, 0x025d, 0x0210},\n {SonyID_ILCE_9, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 9,\n 0x0320, 0x019f, 0x024b, 0x024c, 0x0208},\n {0x167, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_ILCE_6500, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 8,\n 0x0346, 0x01cd, 0x025c, 0x025d, 0x0210},\n {0x169, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_ILCE_7RM3, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 9,\n 0x0320, 0x019f, 0x024b, 0x024c, 0x0208},\n {SonyID_ILCE_7M3, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 9,\n 0x0320, 0x019f, 0x024b, 0x024c, 0x0208},\n {SonyID_DSC_RX0, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 8, 0x0346, 0xffff, 0x025c, 0x025d, 0x0210},\n {SonyID_DSC_RX10M4, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 9, 0x0320, 0xffff, 0x024b, 0x024c, 0x0208},\n {SonyID_DSC_RX100M6, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 9, 0x0320, 0xffff, 0x024b, 0x024c, 0x0208},\n {SonyID_DSC_HX99, LIBRAW_FORMAT_1div2p3INCH, LIBRAW_MOUNT_FixedLens,\n LIBRAW_SONY_DSC, LIBRAW_MOUNT_FixedLens, 9, 0x0320, 0xffff, 0x024b,\n 0x024c, 0x0208},\n {0x170, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSC_RX100M5A, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n 
LIBRAW_MOUNT_FixedLens, 9, 0x0320, 0xffff, 0x024b, 0x024c, 0x0208},\n {0x172, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_ILCE_6400, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 9,\n 0x0320, 0x019f, 0x024b, 0x024c, 0x0208},\n {SonyID_DSC_RX0M2, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 9, 0x0320, 0xffff, 0x024b, 0x024c, 0x0208},\n {0x175, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_DSC_RX100M7, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC,\n LIBRAW_MOUNT_FixedLens, 9, 0x0320, 0xffff, 0x024b, 0x024c, 0x0208},\n {SonyID_ILCE_7RM4, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 9,\n 0x0320, 0x019f, 0x024b, 0x024c, 0x0208},\n {SonyID_ILCE_9M2, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 9,\n 0x0320, 0x019f, 0x024b, 0x024c, 0x0208},\n {0x179, 0, 0, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},\n {SonyID_ILCE_6600, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 9,\n 0x0320, 0x019f, 0x024b, 0x024c, 0x0208},\n {SonyID_ILCE_6100, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 9,\n 0x0320, 0x019f, 0x024b, 0x024c, 0x0208},\n\n };\n ilm.CamID = id;\n\n if (id == SonyID_DSC_R1)\n {\n ilm.CameraMount = ilm.LensMount = LIBRAW_MOUNT_FixedLens;\n imSony.CameraType = LIBRAW_SONY_DSC;\n imSony.group2010 = 0;\n imSony.real_iso_offset = 0xffff;\n imSony.ImageCount3_offset = 0xffff;\n return;\n }\n else\n idx = id - 0x100ULL;\n\n if ((idx >= 0) && (idx < sizeof SonyCamFeatures / sizeof *SonyCamFeatures))\n {\n if (!SonyCamFeatures[idx].scf[2])\n return;\n ilm.CameraFormat = SonyCamFeatures[idx].scf[1];\n ilm.CameraMount = SonyCamFeatures[idx].scf[2];\n imSony.CameraType = SonyCamFeatures[idx].scf[3];\n if (SonyCamFeatures[idx].scf[4])\n ilm.LensMount = SonyCamFeatures[idx].scf[4];\n imSony.group2010 = SonyCamFeatures[idx].scf[5];\n imSony.real_iso_offset = SonyCamFeatures[idx].scf[6];\n 
imSony.ImageCount3_offset = SonyCamFeatures[idx].scf[7];\n imSony.MeteringMode_offset = SonyCamFeatures[idx].scf[8];\n imSony.ExposureProgram_offset = SonyCamFeatures[idx].scf[9];\n imSony.ReleaseMode2_offset = SonyCamFeatures[idx].scf[10];\n }\n\n char *sbstr = strstr(software, \" v\");\n if (sbstr != NULL)\n {\n sbstr += 2;\n imSony.firmware = atof(sbstr);\n\n if ((id == SonyID_ILCE_7) ||\n (id == SonyID_ILCE_7R))\n {\n if (imSony.firmware < 1.2f)\n imSony.ImageCount3_offset = 0x01aa;\n else\n imSony.ImageCount3_offset = 0x01c0;\n }\n else if (id == SonyID_ILCE_6000)\n {\n if (imSony.firmware < 2.0f)\n imSony.ImageCount3_offset = 0x01aa;\n else\n imSony.ImageCount3_offset = 0x01c0;\n }\n else if ((id == SonyID_ILCE_7S) ||\n (id == SonyID_ILCE_7M2))\n {\n if (imSony.firmware < 1.2f)\n imSony.ImageCount3_offset = 0x01a0;\n else\n imSony.ImageCount3_offset = 0x01b6;\n }\n }\n}", "project": "LibRaw", "hash": 38380566261412413930259813507260360083, "size": 291, "commit_id": "c243f4539233053466c1309bde606815351bee81", "message": "additional checks in parseSonySRF\n\nparseSonySR2: buffer size check", "target": 0, "dataset": "other", "idx": 394103 }, { "func": "static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)\n{\n\tif (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use))))\n\t\tgoto nla_put_failure;\n\treturn 0;\n\nnla_put_failure:\n\treturn -1;\n}", "project": "linux", "hash": 75810492712609653533144642509198162408, "size": 9, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. 
Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394222 }, { "func": " */\nstatic bool idling_needed_for_service_guarantees(struct bfq_data *bfqd,\n\t\t\t\t\t\t struct bfq_queue *bfqq)\n{\n\t/* No point in idling for bfqq if it won't get requests any longer */\n\tif (unlikely(!bfqq_process_refs(bfqq)))\n\t\treturn false;\n\n\treturn (bfqq->wr_coeff > 1 &&\n\t\t(bfqd->wr_busy_queues <\n\t\t bfq_tot_busy_queues(bfqd) ||\n\t\t bfqd->rq_in_driver >=\n\t\t bfqq->dispatched + 4)) ||\n\t\tbfq_asymmetric_scenario(bfqd, bfqq);", "project": "linux", "hash": 189349725221167530645410399088589400995, "size": 14, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn 
bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] 
Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 
464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453309 }, { "func": "bool GraphConstructor::NameExistsInGraphDef(StringPiece name) {\n if (gdef_nodes_.find(name) != gdef_nodes_.end()) return true;\n if (gdef_prefixes_.find(name) != gdef_prefixes_.end()) return true;\n return false;\n}", "project": "tensorflow", "hash": 
1411453061872678390283577988888381723, "size": 5, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268326 }, { "func": "nfs4_init_callback_netid(const struct nfs_client *clp, char *buf, size_t len)\n{\n\tif (strchr(clp->cl_ipaddr, ':') != NULL)\n\t\treturn scnprintf(buf, len, \"tcp6\");\n\telse\n\t\treturn scnprintf(buf, len, \"tcp\");\n}", "project": "linux", "hash": 256435488034552205333488966178601675361, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431012 }, { "func": " Item_basic_value(THD *thd): Item(thd) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 49330525314546238574113717527813636318, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE 
of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509046 }, { "func": "static String copy_and_clear(UncheckedBuffer &buf) {\n auto ret = buf.size() > 0 ? buf.copy() : empty_string();\n buf.clear();\n return ret;\n}", "project": "hhvm", "hash": 206554525467648342291558042673202778287, "size": 5, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227294 }, { "func": "static void cmd_parse_myrights (IMAP_DATA* idata, const char* s)\n{\n dprint (2, (debugfile, \"Handling MYRIGHTS\\n\"));\n\n s = imap_next_word ((char*)s);\n s = imap_next_word ((char*)s);\n\n /* zero out current rights set */\n memset (idata->ctx->rights, 0, sizeof (idata->ctx->rights));\n\n while (*s && !isspace((unsigned char) *s))\n {\n switch (*s) \n {\n case 'l':\n\tmutt_bit_set (idata->ctx->rights, 
MUTT_ACL_LOOKUP);\n\tbreak;\n case 'r':\n\tmutt_bit_set (idata->ctx->rights, MUTT_ACL_READ);\n\tbreak;\n case 's':\n\tmutt_bit_set (idata->ctx->rights, MUTT_ACL_SEEN);\n\tbreak;\n case 'w':\n\tmutt_bit_set (idata->ctx->rights, MUTT_ACL_WRITE);\n\tbreak;\n case 'i':\n\tmutt_bit_set (idata->ctx->rights, MUTT_ACL_INSERT);\n\tbreak;\n case 'p':\n\tmutt_bit_set (idata->ctx->rights, MUTT_ACL_POST);\n\tbreak;\n case 'a':\n\tmutt_bit_set (idata->ctx->rights, MUTT_ACL_ADMIN);\n\tbreak;\n case 'k':\n\tmutt_bit_set (idata->ctx->rights, MUTT_ACL_CREATE);\n break;\n case 'x':\n mutt_bit_set (idata->ctx->rights, MUTT_ACL_DELMX);\n break;\n case 't':\n\tmutt_bit_set (idata->ctx->rights, MUTT_ACL_DELETE);\n break;\n case 'e':\n mutt_bit_set (idata->ctx->rights, MUTT_ACL_EXPUNGE);\n break;\n\n /* obsolete rights */\n case 'c':\n\tmutt_bit_set (idata->ctx->rights, MUTT_ACL_CREATE);\n mutt_bit_set (idata->ctx->rights, MUTT_ACL_DELMX);\n\tbreak;\n case 'd':\n\tmutt_bit_set (idata->ctx->rights, MUTT_ACL_DELETE);\n mutt_bit_set (idata->ctx->rights, MUTT_ACL_EXPUNGE);\n\tbreak;\n default:\n dprint(1, (debugfile, \"Unknown right: %c\\n\", *s));\n }\n s++;\n }\n}", "project": "mutt", "hash": 177474551163908522861497519572889874845, "size": 63, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338028 }, { "func": "static inline int sadb_key_len(const struct sadb_key *key)\n{\n\tint key_bytes = DIV_ROUND_UP(key->sadb_key_bits, 8);\n\n\treturn DIV_ROUND_UP(sizeof(struct sadb_key) + key_bytes,\n\t\t\t sizeof(uint64_t));\n}", "project": "linux", "hash": 264448469598330220053367933046600017835, "size": 7, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak 
issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268095 }, { "func": "CString CWebSock::GetCSRFCheck() {\n std::shared_ptr pSession = GetSession();\n return pSession->GetId().MD5();\n}", "project": "znc", "hash": 176708831176984582817930168041889621770, "size": 4, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265807 }, { "func": "void kvm_vcpu_kick(struct kvm_vcpu *vcpu)\n{\n\tint me;\n\tint cpu = vcpu->cpu;\n\n\tif (kvm_vcpu_wake_up(vcpu))\n\t\treturn;\n\n\tme = get_cpu();\n\tif (cpu != me && (unsigned)cpu < nr_cpu_ids && cpu_online(cpu))\n\t\tif (kvm_arch_vcpu_should_kick(vcpu))\n\t\t\tsmp_send_reschedule(cpu);\n\tput_cpu();\n}", "project": "linux", "hash": 48483928849115800583394156701298364055, "size": 14, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson 
\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354425 }, { "func": "static void fuse_aio_complete(struct fuse_io_priv *io, int err, ssize_t pos)\n{\n\tint left;\n\n\tspin_lock(&io->lock);\n\tif (err)\n\t\tio->err = io->err ? : err;\n\telse if (pos >= 0 && (io->bytes < 0 || pos < io->bytes))\n\t\tio->bytes = pos;\n\n\tleft = --io->reqs;\n\tif (!left && io->blocking)\n\t\tcomplete(io->done);\n\tspin_unlock(&io->lock);\n\n\tif (!left && !io->blocking) {\n\t\tssize_t res = fuse_get_res_by_io(io);\n\n\t\tif (res >= 0) {\n\t\t\tstruct inode *inode = file_inode(io->iocb->ki_filp);\n\t\t\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\t\t\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\n\t\t\tspin_lock(&fi->lock);\n\t\t\tfi->attr_version = atomic64_inc_return(&fc->attr_version);\n\t\t\tspin_unlock(&fi->lock);\n\t\t}\n\n\t\tio->iocb->ki_complete(io->iocb, res, 0);\n\t}\n\n\tkref_put(&io->refcnt, fuse_io_release);\n}", "project": "linux", "hash": 8088370606004699946406955072815968274, "size": 33, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341993 }, { "func": "static void execlists_submit_ports(struct intel_engine_cs *engine)\n{\n\tstruct intel_engine_execlists *execlists = &engine->execlists;\n\tunsigned int n;\n\n\tGEM_BUG_ON(!assert_pending_valid(execlists, \"submit\"));\n\n\t/*\n\t * We can skip acquiring intel_runtime_pm_get() here as it was taken\n\t * on our behalf by the request (see i915_gem_mark_busy()) and it will\n\t * not be relinquished until the device is idle (see\n\t * i915_gem_idle_work_handler()). As a precaution, we make sure\n\t * that all ELSP are drained i.e. we have processed the CSB,\n\t * before allowing ourselves to idle and calling intel_runtime_pm_put().\n\t */\n\tGEM_BUG_ON(!intel_engine_pm_is_awake(engine));\n\n\t/*\n\t * ELSQ note: the submit queue is not cleared after being submitted\n\t * to the HW so we need to make sure we always clean it up. This is\n\t * currently ensured by the fact that we always write the same number\n\t * of elsq entries, keep this in mind before changing the loop below.\n\t */\n\tfor (n = execlists_num_ports(execlists); n--; ) {\n\t\tstruct i915_request *rq = execlists->pending[n];\n\n\t\twrite_desc(execlists,\n\t\t\t rq ? 
execlists_update_context(rq) : 0,\n\t\t\t n);\n\t}\n\n\t/* we need to manually load the submit queue */\n\tif (execlists->ctrl_reg)\n\t\twritel(EL_CTRL_LOAD, execlists->ctrl_reg);\n}", "project": "linux", "hash": 307330708202684707500437026900662655517, "size": 35, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281422 }, { "func": "static void tcp_sack_remove(struct tcp_sock *tp)\n{\n\tstruct tcp_sack_block *sp = &tp->selective_acks[0];\n\tint num_sacks = tp->rx_opt.num_sacks;\n\tint this_sack;\n\n\t/* Empty ofo queue, hence, all the SACKs are eaten. Clear. */\n\tif (skb_queue_empty(&tp->out_of_order_queue)) {\n\t\ttp->rx_opt.num_sacks = 0;\n\t\treturn;\n\t}\n\n\tfor (this_sack = 0; this_sack < num_sacks;) {\n\t\t/* Check if the start of the sack is covered by RCV.NXT. */\n\t\tif (!before(tp->rcv_nxt, sp->start_seq)) {\n\t\t\tint i;\n\n\t\t\t/* RCV.NXT must cover all the block! */\n\t\t\tWARN_ON(before(tp->rcv_nxt, sp->end_seq));\n\n\t\t\t/* Zap this SACK, by moving forward any other SACKS. 
*/\n\t\t\tfor (i=this_sack+1; i < num_sacks; i++)\n\t\t\t\ttp->selective_acks[i-1] = tp->selective_acks[i];\n\t\t\tnum_sacks--;\n\t\t\tcontinue;\n\t\t}\n\t\tthis_sack++;\n\t\tsp++;\n\t}\n\ttp->rx_opt.num_sacks = num_sacks;\n}", "project": "net-next", "hash": 164420354727457602500139275162521389054, "size": 31, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409853 }, { "func": "static ssize_t __fuse_direct_read(struct fuse_io_priv *io,\n\t\t\t\t struct iov_iter *iter,\n\t\t\t\t loff_t *ppos)\n{\n\tssize_t res;\n\tstruct inode *inode = file_inode(io->iocb->ki_filp);\n\n\tres = fuse_direct_io(io, iter, ppos, 0);\n\n\tfuse_invalidate_atime(inode);\n\n\treturn res;\n}", "project": "linux", "hash": 320341709102379099017145209203753271718, "size": 13, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342142 }, { "func": "bool vers_select_conds_t::init_from_sysvar(THD *thd)\n{\n vers_asof_timestamp_t &in= thd->variables.vers_asof_timestamp;\n type= (vers_system_time_t) in.type;\n delete_history= false;\n start.unit= VERS_TIMESTAMP;\n if (type != SYSTEM_TIME_UNSPECIFIED && type != SYSTEM_TIME_ALL)\n {\n DBUG_ASSERT(type == SYSTEM_TIME_AS_OF);\n MYSQL_TIME ltime;\n thd->variables.time_zone->gmt_sec_to_TIME(<ime, in.unix_time);\n ltime.second_part = in.second_part;\n\n start.item= new (thd->mem_root)\n Item_datetime_literal(thd, <ime, TIME_SECOND_PART_DIGITS);\n if (!start.item)\n return true;\n }\n else\n start.item= NULL;\n end.empty();\n return false;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 303226065442231812328652673650900734959, "size": 23, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508437 }, { "func": "static inline void set_cmdline(int idx, const char *cmdline)\n{\n\tmemcpy(get_saved_cmdlines(idx), cmdline, TASK_COMM_LEN);\n}", "project": "linux", "hash": 196747732466750168560450966043641346228, "size": 4, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445599 }, { "func": "int enc_untrusted_sys_futex_wake(int32_t *futex, int32_t num) {\n if (!TrustedPrimitives::IsOutsideEnclave(futex, sizeof(int32_t))) {\n TrustedPrimitives::BestEffortAbort(\n \"enc_untrusted_sys_futex_wake: futex word should be in untrusted \"\n \"local memory.\");\n }\n\n MessageWriter input;\n MessageReader output;\n input.Push(reinterpret_cast(futex));\n input.Push(num);\n const auto status = NonSystemCallDispatcher(\n ::asylo::host_call::kSysFutexWakeHandler, &input, &output);\n CheckStatusAndParamCount(status, output, \"enc_untrusted_sys_futex_wake\", 2);\n int result = output.next();\n int klinux_errno = output.next();\n if (result == -1) {\n errno = FromkLinuxErrorNumber(klinux_errno);\n }\n return result;\n}", "project": "asylo", 
"hash": 284043461598042888763196263126399646548, "size": 21, "commit_id": "a37fb6a0e7daf30134dbbf357c9a518a1026aa02", "message": "Check untrusted queue is in outside enclave\n\nPiperOrigin-RevId: 333370935\nChange-Id: Ic3f15d5db1302d95c7cb199b44172474fecb81ca", "target": 0, "dataset": "other", "idx": 231076 }, { "func": "ssize_t redirected_tty_write(struct file *file, const char __user *buf,\n\t\t\t\t\t\tsize_t count, loff_t *ppos)\n{\n\tstruct file *p = NULL;\n\n\tspin_lock(&redirect_lock);\n\tif (redirect)\n\t\tp = get_file(redirect);\n\tspin_unlock(&redirect_lock);\n\n\tif (p) {\n\t\tssize_t res;\n\t\tres = vfs_write(p, buf, count, &p->f_pos);\n\t\tfput(p);\n\t\treturn res;\n\t}\n\treturn tty_write(file, buf, count, ppos);\n}", "project": "linux", "hash": 69541097901304079841390770848568988203, "size": 18, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325963 }, { "func": "void TrustedPrimitives::BestEffortAbort(const char *message) {\n DebugPuts(message);\n delete UntrustedCacheMalloc::Instance();\n enc_reject_entries();\n MarkEnclaveAborted();\n abort();\n}", "project": "asylo", "hash": 309587042737323708674199657272226024753, "size": 7, "commit_id": "53ed5d8fd8118ced1466e509606dd2f473707a5c", "message": "Store untrusted output pointer in enclave\n\nValidate the pointer after it's stored in enclave to avoid unexpected\nmodifications after it's validated.\n\nPiperOrigin-RevId: 365648810\nChange-Id: I3079128040c142e86bab8255b07d03562a6fcb61", "target": 0, "dataset": "other", "idx": 232054 }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLNode::add_content(const string& c)\n{\n\tif (c.empty ()) {\n\t\t/* this would add a \"\" child, leading to invalid XML.\n\t\t * Also in XML, empty string content is equivalent to no content.\n\t\t */\n\t\treturn NULL;\n\t}\n\treturn add_child_copy(XMLNode (string(), c));\n}", "idx": 519672, "cwe": "CWE-416", "hash": 287916708108400555602943135513188202049, "dataset": "other" }, { "func": "authz_status oidc_authz_checker_claims_expr(request_rec 
*r, const char *require_args, const void *parsed_require_args) {\n\treturn oidc_authz_checker(r, require_args, parsed_require_args, oidc_authz_match_claims_expr);\n}", "project": "mod_auth_openidc", "hash": 277330069628329539506865150663978185651, "size": 3, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381913 }, { "func": " */\nstatic void __bfq_bfqq_recalc_budget(struct bfq_data *bfqd,\n\t\t\t\t struct bfq_queue *bfqq,\n\t\t\t\t enum bfqq_expiration reason)\n{\n\tstruct request *next_rq;\n\tint budget, min_budget;\n\n\tmin_budget = bfq_min_budget(bfqd);\n\n\tif (bfqq->wr_coeff == 1)\n\t\tbudget = bfqq->max_budget;\n\telse /*\n\t * Use a constant, low budget for weight-raised queues,\n\t * to help achieve a low latency. Keep it slightly higher\n\t * than the minimum possible budget, to cause a little\n\t * bit fewer expirations.\n\t */\n\t\tbudget = 2 * min_budget;\n\n\tbfq_log_bfqq(bfqd, bfqq, \"recalc_budg: last budg %d, budg left %d\",\n\t\tbfqq->entity.budget, bfq_bfqq_budget_left(bfqq));\n\tbfq_log_bfqq(bfqd, bfqq, \"recalc_budg: last max_budg %d, min budg %d\",\n\t\tbudget, bfq_min_budget(bfqd));\n\tbfq_log_bfqq(bfqd, bfqq, \"recalc_budg: sync %d, seeky %d\",\n\t\tbfq_bfqq_sync(bfqq), BFQQ_SEEKY(bfqd->in_service_queue));\n\n\tif (bfq_bfqq_sync(bfqq) && bfqq->wr_coeff == 1) {\n\t\tswitch (reason) {\n\t\t/*\n\t\t * Caveat: in all the following cases we trade latency\n\t\t * for throughput.\n\t\t */\n\t\tcase BFQQE_TOO_IDLE:\n\t\t\t/*\n\t\t\t * This is the only case where we may reduce\n\t\t\t * the budget: if there is no request of the\n\t\t\t * process still waiting for completion, then\n\t\t\t * we assume (tentatively) that the timer has\n\t\t\t * expired because the batch of requests of\n\t\t\t * the process could have been served with 
a\n\t\t\t * smaller budget. Hence, betting that\n\t\t\t * process will behave in the same way when it\n\t\t\t * becomes backlogged again, we reduce its\n\t\t\t * next budget. As long as we guess right,\n\t\t\t * this budget cut reduces the latency\n\t\t\t * experienced by the process.\n\t\t\t *\n\t\t\t * However, if there are still outstanding\n\t\t\t * requests, then the process may have not yet\n\t\t\t * issued its next request just because it is\n\t\t\t * still waiting for the completion of some of\n\t\t\t * the still outstanding ones. So in this\n\t\t\t * subcase we do not reduce its budget, on the\n\t\t\t * contrary we increase it to possibly boost\n\t\t\t * the throughput, as discussed in the\n\t\t\t * comments to the BUDGET_TIMEOUT case.\n\t\t\t */\n\t\t\tif (bfqq->dispatched > 0) /* still outstanding reqs */\n\t\t\t\tbudget = min(budget * 2, bfqd->bfq_max_budget);\n\t\t\telse {\n\t\t\t\tif (budget > 5 * min_budget)\n\t\t\t\t\tbudget -= 4 * min_budget;\n\t\t\t\telse\n\t\t\t\t\tbudget = min_budget;\n\t\t\t}\n\t\t\tbreak;\n\t\tcase BFQQE_BUDGET_TIMEOUT:\n\t\t\t/*\n\t\t\t * We double the budget here because it gives\n\t\t\t * the chance to boost the throughput if this\n\t\t\t * is not a seeky process (and has bumped into\n\t\t\t * this timeout because of, e.g., ZBR).\n\t\t\t */\n\t\t\tbudget = min(budget * 2, bfqd->bfq_max_budget);\n\t\t\tbreak;\n\t\tcase BFQQE_BUDGET_EXHAUSTED:\n\t\t\t/*\n\t\t\t * The process still has backlog, and did not\n\t\t\t * let either the budget timeout or the disk\n\t\t\t * idling timeout expire. Hence it is not\n\t\t\t * seeky, has a short thinktime and may be\n\t\t\t * happy with a higher budget too. 
So\n\t\t\t * definitely increase the budget of this good\n\t\t\t * candidate to boost the disk throughput.\n\t\t\t */\n\t\t\tbudget = min(budget * 4, bfqd->bfq_max_budget);\n\t\t\tbreak;\n\t\tcase BFQQE_NO_MORE_REQUESTS:\n\t\t\t/*\n\t\t\t * For queues that expire for this reason, it\n\t\t\t * is particularly important to keep the\n\t\t\t * budget close to the actual service they\n\t\t\t * need. Doing so reduces the timestamp\n\t\t\t * misalignment problem described in the\n\t\t\t * comments in the body of\n\t\t\t * __bfq_activate_entity. In fact, suppose\n\t\t\t * that a queue systematically expires for\n\t\t\t * BFQQE_NO_MORE_REQUESTS and presents a\n\t\t\t * new request in time to enjoy timestamp\n\t\t\t * back-shifting. The larger the budget of the\n\t\t\t * queue is with respect to the service the\n\t\t\t * queue actually requests in each service\n\t\t\t * slot, the more times the queue can be\n\t\t\t * reactivated with the same virtual finish\n\t\t\t * time. It follows that, even if this finish\n\t\t\t * time is pushed to the system virtual time\n\t\t\t * to reduce the consequent timestamp\n\t\t\t * misalignment, the queue unjustly enjoys for\n\t\t\t * many re-activations a lower finish time\n\t\t\t * than all newly activated queues.\n\t\t\t *\n\t\t\t * The service needed by bfqq is measured\n\t\t\t * quite precisely by bfqq->entity.service.\n\t\t\t * Since bfqq does not enjoy device idling,\n\t\t\t * bfqq->entity.service is equal to the number\n\t\t\t * of sectors that the process associated with\n\t\t\t * bfqq requested to read/write before waiting\n\t\t\t * for request completions, or blocking for\n\t\t\t * other reasons.\n\t\t\t */\n\t\t\tbudget = max_t(int, bfqq->entity.service, min_budget);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn;\n\t\t}\n\t} else if (!bfq_bfqq_sync(bfqq)) {\n\t\t/*\n\t\t * Async queues get always the maximum possible\n\t\t * budget, as for them we do not care about latency\n\t\t * (in addition, their ability to dispatch is 
limited\n\t\t * by the charging factor).\n\t\t */\n\t\tbudget = bfqd->bfq_max_budget;\n\t}\n\n\tbfqq->max_budget = budget;\n\n\tif (bfqd->budgets_assigned >= bfq_stats_min_budgets &&\n\t !bfqd->bfq_user_max_budget)\n\t\tbfqq->max_budget = min(bfqq->max_budget, bfqd->bfq_max_budget);\n\n\t/*\n\t * If there is still backlog, then assign a new budget, making\n\t * sure that it is large enough for the next request. Since\n\t * the finish time of bfqq must be kept in sync with the\n\t * budget, be sure to call __bfq_bfqq_expire() *after* this\n\t * update.\n\t *\n\t * If there is no backlog, then no need to update the budget;\n\t * it will be updated on the arrival of a new request.\n\t */\n\tnext_rq = bfqq->next_rq;\n\tif (next_rq)\n\t\tbfqq->entity.budget = max_t(unsigned long, bfqq->max_budget,\n\t\t\t\t\t bfq_serv_to_charge(next_rq, bfqq));\n\n\tbfq_log_bfqq(bfqd, bfqq, \"head sect: %u, new budget %d\",\n\t\t\tnext_rq ? blk_rq_sectors(next_rq) : 0,\n\t\t\tbfqq->entity.budget);", "project": "linux", "hash": 273275928741895157517431245501833247451, "size": 160, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453316 }, { "func": "static int _nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)\n{\n\tstruct inode *inode = state->inode;\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\tstruct nfs_client *clp = server->nfs_client;\n\tstruct nfs_lockt_args arg = {\n\t\t.fh = NFS_FH(inode),\n\t\t.fl = request,\n\t};\n\tstruct nfs_lockt_res res = {\n\t\t.denied = request,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc\t= &nfs4_procedures[NFSPROC4_CLNT_LOCKT],\n\t\t.rpc_argp\t= &arg,\n\t\t.rpc_resp\t= &res,\n\t\t.rpc_cred\t= state->owner->so_cred,\n\t};\n\tstruct nfs4_lock_state *lsp;\n\tint status;\n\n\targ.lock_owner.clientid = clp->cl_clientid;\n\tstatus = nfs4_set_lock_state(state, request);\n\tif (status != 0)\n\t\tgoto out;\n\tlsp = request->fl_u.nfs4_fl.owner;\n\targ.lock_owner.id = lsp->ls_seqid.owner_id;\n\targ.lock_owner.s_dev = 
server->s_dev;\n\tstatus = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);\n\tswitch (status) {\n\t\tcase 0:\n\t\t\trequest->fl_type = F_UNLCK;\n\t\t\tbreak;\n\t\tcase -NFS4ERR_DENIED:\n\t\t\tstatus = 0;\n\t}\n\trequest->fl_ops->fl_release_private(request);\n\trequest->fl_ops = NULL;\nout:\n\treturn status;\n}", "project": "linux", "hash": 228709424418870921524377230467602793787, "size": 41, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431575 }, { "func": "static int kvm_s390_vm_has_attr(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tint ret;\n\n\tswitch (attr->group) {\n\tcase KVM_S390_VM_MEM_CTRL:\n\t\tswitch (attr->attr) {\n\t\tcase KVM_S390_VM_MEM_ENABLE_CMMA:\n\t\tcase KVM_S390_VM_MEM_CLR_CMMA:\n\t\t\tret = sclp.has_cmma ? 
0 : -ENXIO;\n\t\t\tbreak;\n\t\tcase KVM_S390_VM_MEM_LIMIT_SIZE:\n\t\t\tret = 0;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tret = -ENXIO;\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\tcase KVM_S390_VM_TOD:\n\t\tswitch (attr->attr) {\n\t\tcase KVM_S390_VM_TOD_LOW:\n\t\tcase KVM_S390_VM_TOD_HIGH:\n\t\t\tret = 0;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tret = -ENXIO;\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\tcase KVM_S390_VM_CPU_MODEL:\n\t\tswitch (attr->attr) {\n\t\tcase KVM_S390_VM_CPU_PROCESSOR:\n\t\tcase KVM_S390_VM_CPU_MACHINE:\n\t\tcase KVM_S390_VM_CPU_PROCESSOR_FEAT:\n\t\tcase KVM_S390_VM_CPU_MACHINE_FEAT:\n\t\tcase KVM_S390_VM_CPU_MACHINE_SUBFUNC:\n\t\tcase KVM_S390_VM_CPU_PROCESSOR_SUBFUNC:\n\t\t\tret = 0;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tret = -ENXIO;\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\tcase KVM_S390_VM_CRYPTO:\n\t\tswitch (attr->attr) {\n\t\tcase KVM_S390_VM_CRYPTO_ENABLE_AES_KW:\n\t\tcase KVM_S390_VM_CRYPTO_ENABLE_DEA_KW:\n\t\tcase KVM_S390_VM_CRYPTO_DISABLE_AES_KW:\n\t\tcase KVM_S390_VM_CRYPTO_DISABLE_DEA_KW:\n\t\t\tret = 0;\n\t\t\tbreak;\n\t\tcase KVM_S390_VM_CRYPTO_ENABLE_APIE:\n\t\tcase KVM_S390_VM_CRYPTO_DISABLE_APIE:\n\t\t\tret = ap_instructions_available() ? 
0 : -ENXIO;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tret = -ENXIO;\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\tcase KVM_S390_VM_MIGRATION:\n\t\tret = 0;\n\t\tbreak;\n\tdefault:\n\t\tret = -ENXIO;\n\t\tbreak;\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 135943800332090760027833022065464205686, "size": 72, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354496 }, { "func": "MagickExport Image *WaveImage(const Image *image,const double amplitude,\n const double wave_length,const PixelInterpolateMethod method,\n ExceptionInfo *exception)\n{\n#define WaveImageTag \"Wave/Image\"\n\n CacheView\n *canvas_image_view,\n *wave_view;\n\n float\n *sine_map;\n\n Image\n *canvas_image,\n *wave_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n ssize_t\n i;\n\n ssize_t\n y;\n\n /*\n Initialize wave image attributes.\n */\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n canvas_image=CloneImage(image,0,0,MagickTrue,exception);\n if (canvas_image == (Image *) NULL)\n return((Image *) NULL);\n if ((canvas_image->alpha_trait == 
UndefinedPixelTrait) &&\n (canvas_image->background_color.alpha != OpaqueAlpha))\n (void) SetImageAlpha(canvas_image,OpaqueAlpha,exception);\n wave_image=CloneImage(canvas_image,canvas_image->columns,(size_t)\n (canvas_image->rows+2.0*fabs(amplitude)),MagickTrue,exception);\n if (wave_image == (Image *) NULL)\n {\n canvas_image=DestroyImage(canvas_image);\n return((Image *) NULL);\n }\n if (SetImageStorageClass(wave_image,DirectClass,exception) == MagickFalse)\n {\n canvas_image=DestroyImage(canvas_image);\n wave_image=DestroyImage(wave_image);\n return((Image *) NULL);\n }\n /*\n Allocate sine map.\n */\n sine_map=(float *) AcquireQuantumMemory((size_t) wave_image->columns,\n sizeof(*sine_map));\n if (sine_map == (float *) NULL)\n {\n canvas_image=DestroyImage(canvas_image);\n wave_image=DestroyImage(wave_image);\n ThrowImageException(ResourceLimitError,\"MemoryAllocationFailed\");\n }\n for (i=0; i < (ssize_t) wave_image->columns; i++)\n sine_map[i]=(float) fabs(amplitude)+amplitude*sin((double)\n ((2.0*MagickPI*i)/wave_length));\n /*\n Wave image.\n */\n status=MagickTrue;\n progress=0;\n canvas_image_view=AcquireVirtualCacheView(canvas_image,exception);\n wave_view=AcquireAuthenticCacheView(wave_image,exception);\n (void) SetCacheViewVirtualPixelMethod(canvas_image_view,\n BackgroundVirtualPixelMethod);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(canvas_image,wave_image,wave_image->rows,1)\n#endif\n for (y=0; y < (ssize_t) wave_image->rows; y++)\n {\n const Quantum\n *magick_restrict p;\n\n Quantum\n *magick_restrict q;\n\n ssize_t\n x;\n\n if (status == MagickFalse)\n continue;\n p=GetCacheViewVirtualPixels(canvas_image_view,0,y,canvas_image->columns,1,\n exception);\n q=QueueCacheViewAuthenticPixels(wave_view,0,y,wave_image->columns,1,\n exception);\n if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL))\n {\n status=MagickFalse;\n continue;\n }\n for (x=0; x < 
(ssize_t) wave_image->columns; x++)\n {\n status=InterpolatePixelChannels(canvas_image,canvas_image_view,\n wave_image,method,(double) x,(double) (y-sine_map[x]),q,exception);\n if (status == MagickFalse)\n break;\n p+=GetPixelChannels(canvas_image);\n q+=GetPixelChannels(wave_image);\n }\n if (SyncCacheViewAuthenticPixels(wave_view,exception) == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(canvas_image,WaveImageTag,progress,\n canvas_image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n wave_view=DestroyCacheView(wave_view);\n canvas_image_view=DestroyCacheView(canvas_image_view);\n canvas_image=DestroyImage(canvas_image);\n sine_map=(float *) RelinquishMagickMemory(sine_map);\n if (status == MagickFalse)\n wave_image=DestroyImage(wave_image);\n return(wave_image);\n}", "project": "ImageMagick", "hash": 109616764411189885332816110905608229061, "size": 140, "commit_id": "94174beff065cb5683d09d79e992c3ebbdead311", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 1, "dataset": "other", "idx": 202140 }, { "func": "MagickExport Image *WaveImage(const Image *image,const double amplitude,\n const double wave_length,ExceptionInfo *exception)\n{\n#define WaveImageTag \"Wave/Image\"\n\n CacheView\n *image_view,\n *wave_view;\n\n float\n *sine_map;\n\n Image\n *wave_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n MagickPixelPacket\n zero;\n\n ssize_t\n i;\n\n ssize_t\n y;\n\n /*\n Initialize wave image attributes.\n */\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == 
MagickCoreSignature);\n wave_image=CloneImage(image,image->columns,(size_t) (image->rows+2.0*\n fabs(amplitude)),MagickTrue,exception);\n if (wave_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(wave_image,DirectClass) == MagickFalse)\n {\n InheritException(exception,&wave_image->exception);\n wave_image=DestroyImage(wave_image);\n return((Image *) NULL);\n }\n if (wave_image->background_color.opacity != OpaqueOpacity)\n wave_image->matte=MagickTrue;\n /*\n Allocate sine map.\n */\n sine_map=(float *) AcquireQuantumMemory((size_t) wave_image->columns,\n sizeof(*sine_map));\n if (sine_map == (float *) NULL)\n {\n wave_image=DestroyImage(wave_image);\n ThrowImageException(ResourceLimitError,\"MemoryAllocationFailed\");\n }\n for (i=0; i < (ssize_t) wave_image->columns; i++)\n sine_map[i]=(float) fabs(amplitude)+amplitude*sin((double)\n ((2.0*MagickPI*i)/wave_length));\n /*\n Wave image.\n */\n status=MagickTrue;\n progress=0;\n GetMagickPixelPacket(wave_image,&zero);\n image_view=AcquireVirtualCacheView(image,exception);\n wave_view=AcquireAuthenticCacheView(wave_image,exception);\n (void) SetCacheViewVirtualPixelMethod(image_view,\n BackgroundVirtualPixelMethod);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,wave_image,wave_image->rows,1)\n#endif\n for (y=0; y < (ssize_t) wave_image->rows; y++)\n {\n MagickPixelPacket\n pixel;\n\n IndexPacket\n *magick_restrict indexes;\n\n PixelPacket\n *magick_restrict q;\n\n ssize_t\n x;\n\n if (status == MagickFalse)\n continue;\n q=QueueCacheViewAuthenticPixels(wave_view,0,y,wave_image->columns,1,\n exception);\n if (q == (PixelPacket *) NULL)\n {\n status=MagickFalse;\n continue;\n }\n indexes=GetCacheViewAuthenticIndexQueue(wave_view);\n pixel=zero;\n for (x=0; x < (ssize_t) wave_image->columns; x++)\n {\n status=InterpolateMagickPixelPacket(image,image_view,\n UndefinedInterpolatePixel,(double) 
x,(double) (y-sine_map[x]),&pixel,\n exception);\n if (status == MagickFalse)\n break;\n SetPixelPacket(wave_image,&pixel,q,indexes+x);\n q++;\n }\n if (SyncCacheViewAuthenticPixels(wave_view,exception) == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(image,WaveImageTag,progress,image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n wave_view=DestroyCacheView(wave_view);\n image_view=DestroyCacheView(image_view);\n sine_map=(float *) RelinquishMagickMemory(sine_map);\n if (status == MagickFalse)\n wave_image=DestroyImage(wave_image);\n return(wave_image);\n}", "project": "ImageMagick6", "hash": 151042824862097823118767733345259035764, "size": 136, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 1, "dataset": "other", "idx": 206717 }, { "func": "static MagickPixelPacket **DestroyPixelThreadSet(const Image *images,\n MagickPixelPacket **pixels)\n{\n ssize_t\n i;\n\n size_t\n rows;\n\n assert(pixels != (MagickPixelPacket **) NULL);\n rows=MagickMax(GetImageListLength(images),\n (size_t) GetMagickResourceLimit(ThreadResource));\n for (i=0; i < (ssize_t) rows; i++)\n if (pixels[i] != (MagickPixelPacket *) NULL)\n pixels[i]=(MagickPixelPacket *) RelinquishMagickMemory(pixels[i]);\n pixels=(MagickPixelPacket **) RelinquishMagickMemory(pixels);\n return(pixels);\n}", "project": "ImageMagick6", "hash": 24896332256168976293191272049319897684, "size": 18, "commit_id": "072d7b10dbe74d1cf4ec0d008990c1a28c076f9e", "message": "https://github.com/ImageMagick/ImageMagick/issues/3332", "target": 0, "dataset": "other", "idx": 279656 }, { "func": "MagickExport Image *PolynomialImageChannel(const Image *images,\n const ChannelType channel,const size_t number_terms,const double 
*terms,\n ExceptionInfo *exception)\n{\n#define PolynomialImageTag \"Polynomial/Image\"\n\n CacheView\n *polynomial_view;\n\n Image\n *image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n MagickPixelPacket\n **magick_restrict polynomial_pixels,\n zero;\n\n ssize_t\n y;\n\n assert(images != (Image *) NULL);\n assert(images->signature == MagickCoreSignature);\n if (images->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",images->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n image=AcquireImageCanvas(images,exception);\n if (image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(image,DirectClass) == MagickFalse)\n {\n InheritException(exception,&image->exception);\n image=DestroyImage(image);\n return((Image *) NULL);\n }\n polynomial_pixels=AcquirePixelThreadSet(images);\n if (polynomial_pixels == (MagickPixelPacket **) NULL)\n {\n image=DestroyImage(image);\n (void) ThrowMagickException(exception,GetMagickModule(),\n ResourceLimitError,\"MemoryAllocationFailed\",\"`%s'\",images->filename);\n return((Image *) NULL);\n }\n /*\n Polynomial image pixels.\n */\n status=MagickTrue;\n progress=0;\n GetMagickPixelPacket(images,&zero);\n polynomial_view=AcquireAuthenticCacheView(image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,image,image->rows,1)\n#endif\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n CacheView\n *image_view;\n\n const Image\n *next;\n\n const int\n id = GetOpenMPThreadId();\n\n IndexPacket\n *magick_restrict polynomial_indexes;\n\n MagickPixelPacket\n *polynomial_pixel;\n\n PixelPacket\n *magick_restrict q;\n\n ssize_t\n i,\n x;\n\n size_t\n number_images;\n\n if (status == MagickFalse)\n continue;\n q=QueueCacheViewAuthenticPixels(polynomial_view,0,y,image->columns,1,\n exception);\n if (q == 
(PixelPacket *) NULL)\n {\n status=MagickFalse;\n continue;\n }\n polynomial_indexes=GetCacheViewAuthenticIndexQueue(polynomial_view);\n polynomial_pixel=polynomial_pixels[id];\n for (x=0; x < (ssize_t) image->columns; x++)\n polynomial_pixel[x]=zero;\n next=images;\n number_images=GetImageListLength(images);\n for (i=0; i < (ssize_t) number_images; i++)\n {\n const IndexPacket\n *indexes;\n\n const PixelPacket\n *p;\n\n if (i >= (ssize_t) number_terms)\n break;\n image_view=AcquireVirtualCacheView(next,exception);\n p=GetCacheViewVirtualPixels(image_view,0,y,image->columns,1,exception);\n if (p == (const PixelPacket *) NULL)\n {\n image_view=DestroyCacheView(image_view);\n break;\n }\n indexes=GetCacheViewVirtualIndexQueue(image_view);\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n double\n coefficient,\n degree;\n\n coefficient=terms[i << 1];\n degree=terms[(i << 1)+1];\n if ((channel & RedChannel) != 0)\n polynomial_pixel[x].red+=coefficient*pow(QuantumScale*p->red,degree);\n if ((channel & GreenChannel) != 0)\n polynomial_pixel[x].green+=coefficient*pow(QuantumScale*p->green,\n degree);\n if ((channel & BlueChannel) != 0)\n polynomial_pixel[x].blue+=coefficient*pow(QuantumScale*p->blue,\n degree);\n if ((channel & OpacityChannel) != 0)\n polynomial_pixel[x].opacity+=coefficient*pow(QuantumScale*\n (QuantumRange-p->opacity),degree);\n if (((channel & IndexChannel) != 0) &&\n (image->colorspace == CMYKColorspace))\n polynomial_pixel[x].index+=coefficient*pow(QuantumScale*indexes[x],\n degree);\n p++;\n }\n image_view=DestroyCacheView(image_view);\n next=GetNextImageInList(next);\n }\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n SetPixelRed(q,ClampToQuantum(QuantumRange*polynomial_pixel[x].red));\n SetPixelGreen(q,ClampToQuantum(QuantumRange*polynomial_pixel[x].green));\n SetPixelBlue(q,ClampToQuantum(QuantumRange*polynomial_pixel[x].blue));\n if (image->matte == MagickFalse)\n SetPixelOpacity(q,ClampToQuantum(QuantumRange-QuantumRange*\n 
polynomial_pixel[x].opacity));\n else\n SetPixelAlpha(q,ClampToQuantum(QuantumRange-QuantumRange*\n polynomial_pixel[x].opacity));\n if (image->colorspace == CMYKColorspace)\n SetPixelIndex(polynomial_indexes+x,ClampToQuantum(QuantumRange*\n polynomial_pixel[x].index));\n q++;\n }\n if (SyncCacheViewAuthenticPixels(polynomial_view,exception) == MagickFalse)\n status=MagickFalse;\n if (images->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n proceed=SetImageProgress(images,PolynomialImageTag,progress++,\n image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n polynomial_view=DestroyCacheView(polynomial_view);\n polynomial_pixels=DestroyPixelThreadSet(images,polynomial_pixels);\n if (status == MagickFalse)\n image=DestroyImage(image);\n return(image);\n}", "project": "ImageMagick6", "hash": 104823737313691056035142176991377332698, "size": 182, "commit_id": "072d7b10dbe74d1cf4ec0d008990c1a28c076f9e", "message": "https://github.com/ImageMagick/ImageMagick/issues/3332", "target": 0, "dataset": "other", "idx": 279661 }, { "func": "static PixelList **DestroyPixelListThreadSet(PixelList **pixel_list)\n{\n ssize_t\n i;\n\n assert(pixel_list != (PixelList **) NULL);\n for (i=0; i < (ssize_t) GetMagickResourceLimit(ThreadResource); i++)\n if (pixel_list[i] != (PixelList *) NULL)\n pixel_list[i]=DestroyPixelList(pixel_list[i]);\n pixel_list=(PixelList **) RelinquishMagickMemory(pixel_list);\n return(pixel_list);\n}", "project": "ImageMagick6", "hash": 180101797986233647044007163301968565714, "size": 12, "commit_id": "072d7b10dbe74d1cf4ec0d008990c1a28c076f9e", "message": "https://github.com/ImageMagick/ImageMagick/issues/3332", "target": 0, "dataset": "other", "idx": 279664 }, { "func": "static Image *DrawClippingMask(Image *image,const DrawInfo *draw_info,\n const char *id,const char *clip_path,ExceptionInfo *exception)\n{\n DrawInfo\n *clone_info;\n\n Image\n *clip_mask;\n\n MagickStatusType\n status;\n\n /*\n Draw 
a clip path.\n */\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(draw_info != (const DrawInfo *) NULL);\n clip_mask=AcquireImage((const ImageInfo *) NULL);\n status=SetImageExtent(clip_mask,image->columns,image->rows);\n if (status == MagickFalse)\n return(DestroyImage(clip_mask));\n status=SetImageClipMask(image,(Image *) NULL);\n status=QueryColorCompliance(\"#0000\",AllCompliance,\n &clip_mask->background_color,exception);\n clip_mask->background_color.opacity=(Quantum) TransparentOpacity;\n status=SetImageBackgroundColor(clip_mask);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(DrawEvent,GetMagickModule(),\"\\nbegin clip-path %s\",\n id);\n clone_info=CloneDrawInfo((ImageInfo *) NULL,draw_info);\n (void) CloneString(&clone_info->primitive,clip_path);\n status=QueryColorCompliance(\"#ffffff\",AllCompliance,&clone_info->fill,\n exception);\n if (clone_info->clip_mask != (char *) NULL)\n clone_info->clip_mask=DestroyString(clone_info->clip_mask);\n (void) QueryColorCompliance(\"#00000000\",AllCompliance,&clone_info->stroke,\n exception);\n clone_info->stroke_width=0.0;\n clone_info->opacity=OpaqueOpacity;\n clone_info->clip_path=MagickTrue;\n status=RenderMVGContent(clip_mask,clone_info,0);\n clone_info=DestroyDrawInfo(clone_info);\n status&=SeparateImageChannel(clip_mask,TrueAlphaChannel);\n if (draw_info->compliance != SVGCompliance)\n status&=NegateImage(clip_mask,MagickFalse);\n if (status == MagickFalse)\n clip_mask=DestroyImage(clip_mask);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(DrawEvent,GetMagickModule(),\"end clip-path\");\n return(clip_mask);\n}", "project": "ImageMagick6", "hash": 238712327789853703383075597268950458827, "size": 54, "commit_id": "9a94877f7823b0b8a41d50638dd105229d91fa89", "message": "https://github.com/ImageMagick/ImageMagick/issues/3339", 
"target": 0, "dataset": "other", "idx": 316667 }, { "func": "MagickExport DrawInfo *DestroyDrawInfo(DrawInfo *draw_info)\n{\n assert(draw_info != (DrawInfo *) NULL);\n if (draw_info->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"...\");\n assert(draw_info->signature == MagickCoreSignature);\n if (draw_info->id != (char *) NULL)\n draw_info->id=DestroyString(draw_info->id);\n if (draw_info->primitive != (char *) NULL)\n draw_info->primitive=DestroyString(draw_info->primitive);\n if (draw_info->text != (char *) NULL)\n draw_info->text=DestroyString(draw_info->text);\n if (draw_info->geometry != (char *) NULL)\n draw_info->geometry=DestroyString(draw_info->geometry);\n if (draw_info->tile != (Image *) NULL)\n draw_info->tile=DestroyImage(draw_info->tile);\n if (draw_info->fill_pattern != (Image *) NULL)\n draw_info->fill_pattern=DestroyImage(draw_info->fill_pattern);\n if (draw_info->stroke_pattern != (Image *) NULL)\n draw_info->stroke_pattern=DestroyImage(draw_info->stroke_pattern);\n if (draw_info->font != (char *) NULL)\n draw_info->font=DestroyString(draw_info->font);\n if (draw_info->metrics != (char *) NULL)\n draw_info->metrics=DestroyString(draw_info->metrics);\n if (draw_info->family != (char *) NULL)\n draw_info->family=DestroyString(draw_info->family);\n if (draw_info->encoding != (char *) NULL)\n draw_info->encoding=DestroyString(draw_info->encoding);\n if (draw_info->density != (char *) NULL)\n draw_info->density=DestroyString(draw_info->density);\n if (draw_info->server_name != (char *) NULL)\n draw_info->server_name=(char *)\n RelinquishMagickMemory(draw_info->server_name);\n if (draw_info->dash_pattern != (double *) NULL)\n draw_info->dash_pattern=(double *) RelinquishMagickMemory(\n draw_info->dash_pattern);\n if (draw_info->gradient.stops != (StopInfo *) NULL)\n draw_info->gradient.stops=(StopInfo *) RelinquishMagickMemory(\n draw_info->gradient.stops);\n if (draw_info->clip_mask != (char *) NULL)\n 
draw_info->clip_mask=DestroyString(draw_info->clip_mask);\n if (draw_info->clipping_mask != (Image *) NULL)\n draw_info->clipping_mask=DestroyImage(draw_info->clipping_mask);\n if (draw_info->composite_mask != (Image *) NULL)\n draw_info->composite_mask=DestroyImage(draw_info->composite_mask);\n draw_info->signature=(~MagickCoreSignature);\n draw_info=(DrawInfo *) RelinquishMagickMemory(draw_info);\n return(draw_info);\n}", "project": "ImageMagick6", "hash": 325457032162482293548506268392096398532, "size": 49, "commit_id": "9a94877f7823b0b8a41d50638dd105229d91fa89", "message": "https://github.com/ImageMagick/ImageMagick/issues/3339", "target": 0, "dataset": "other", "idx": 316672 }, { "func": "static Image *DrawCompositeMask(Image *image,const DrawInfo *draw_info,\n const char *id,const char *mask_path,ExceptionInfo *exception)\n{\n Image\n *composite_mask;\n\n DrawInfo\n *clone_info;\n\n MagickStatusType\n status;\n\n /*\n Draw a mask path.\n */\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(draw_info != (const DrawInfo *) NULL);\n composite_mask=AcquireImage((const ImageInfo *) NULL);\n status=SetImageExtent(composite_mask,image->columns,image->rows);\n if (status == MagickFalse)\n return(DestroyImage(composite_mask));\n status=SetImageMask(image,(Image *) NULL);\n status=QueryColorCompliance(\"#0000\",AllCompliance,\n &composite_mask->background_color,exception);\n composite_mask->background_color.opacity=(Quantum) TransparentOpacity;\n (void) SetImageBackgroundColor(composite_mask);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(DrawEvent,GetMagickModule(),\"\\nbegin mask-path %s\",\n id);\n clone_info=CloneDrawInfo((ImageInfo *) NULL,draw_info);\n (void) CloneString(&clone_info->primitive,mask_path);\n status=QueryColorCompliance(\"#ffffff\",AllCompliance,&clone_info->fill,\n exception);\n 
status=QueryColorCompliance(\"#00000000\",AllCompliance,&clone_info->stroke,\n exception);\n clone_info->stroke_width=0.0;\n clone_info->opacity=OpaqueOpacity;\n status=RenderMVGContent(composite_mask,clone_info,0);\n clone_info=DestroyDrawInfo(clone_info);\n status&=SeparateImageChannel(composite_mask,TrueAlphaChannel);\n status&=NegateImage(composite_mask,MagickFalse);\n if (status == MagickFalse)\n composite_mask=DestroyImage(composite_mask);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(DrawEvent,GetMagickModule(),\"end mask-path\");\n return(composite_mask);\n}", "project": "ImageMagick6", "hash": 211110562140460971669188687562236110688, "size": 50, "commit_id": "9a94877f7823b0b8a41d50638dd105229d91fa89", "message": "https://github.com/ImageMagick/ImageMagick/issues/3339", "target": 0, "dataset": "other", "idx": 316675 }, { "func": "MagickExport Image *VignetteImage(const Image *image,const double radius,\n const double sigma,const ssize_t x,const ssize_t y,ExceptionInfo *exception)\n{\n char\n ellipse[MagickPathExtent];\n\n DrawInfo\n *draw_info;\n\n Image\n *canvas,\n *blur_image,\n *oval_image,\n *vignette_image;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n canvas=CloneImage(image,0,0,MagickTrue,exception);\n if (canvas == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(canvas,DirectClass,exception) == MagickFalse)\n {\n canvas=DestroyImage(canvas);\n return((Image *) NULL);\n }\n canvas->alpha_trait=BlendPixelTrait;\n oval_image=CloneImage(canvas,canvas->columns,canvas->rows,MagickTrue,\n exception);\n if (oval_image == (Image *) NULL)\n {\n canvas=DestroyImage(canvas);\n return((Image *) NULL);\n }\n (void) QueryColorCompliance(\"#000000\",AllCompliance,\n 
&oval_image->background_color,exception);\n (void) SetImageBackgroundColor(oval_image,exception);\n draw_info=CloneDrawInfo((const ImageInfo *) NULL,(const DrawInfo *) NULL);\n (void) QueryColorCompliance(\"#ffffff\",AllCompliance,&draw_info->fill,\n exception);\n (void) QueryColorCompliance(\"#ffffff\",AllCompliance,&draw_info->stroke,\n exception);\n (void) FormatLocaleString(ellipse,MagickPathExtent,\"ellipse %g,%g,%g,%g,\"\n \"0.0,360.0\",image->columns/2.0,image->rows/2.0,image->columns/2.0-x,\n image->rows/2.0-y);\n draw_info->primitive=AcquireString(ellipse);\n (void) DrawImage(oval_image,draw_info,exception);\n draw_info=DestroyDrawInfo(draw_info);\n blur_image=BlurImage(oval_image,radius,sigma,exception);\n oval_image=DestroyImage(oval_image);\n if (blur_image == (Image *) NULL)\n {\n canvas=DestroyImage(canvas);\n return((Image *) NULL);\n }\n blur_image->alpha_trait=UndefinedPixelTrait;\n (void) CompositeImage(canvas,blur_image,IntensityCompositeOp,MagickTrue,\n 0,0,exception);\n blur_image=DestroyImage(blur_image);\n vignette_image=MergeImageLayers(canvas,FlattenLayer,exception);\n canvas=DestroyImage(canvas);\n if (vignette_image != (Image *) NULL)\n (void) TransformImageColorspace(vignette_image,image->colorspace,exception);\n return(vignette_image);\n}", "project": "ImageMagick", "hash": 257744412298667816903454355187115188542, "size": 68, "commit_id": "94174beff065cb5683d09d79e992c3ebbdead311", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 330261 }, { "func": "MagickExport Image *SepiaToneImage(const Image *image,const double threshold,\n ExceptionInfo *exception)\n{\n#define SepiaToneImageTag \"SepiaTone/Image\"\n\n CacheView\n *image_view,\n *sepia_view;\n\n Image\n *sepia_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n ssize_t\n y;\n\n /*\n Initialize sepia-toned image attributes.\n */\n assert(image != (const Image *) NULL);\n assert(image->signature == 
MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n sepia_image=CloneImage(image,0,0,MagickTrue,exception);\n if (sepia_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(sepia_image,DirectClass,exception) == MagickFalse)\n {\n sepia_image=DestroyImage(sepia_image);\n return((Image *) NULL);\n }\n /*\n Tone each row of the image.\n */\n status=MagickTrue;\n progress=0;\n image_view=AcquireVirtualCacheView(image,exception);\n sepia_view=AcquireAuthenticCacheView(sepia_image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,sepia_image,image->rows,1)\n#endif\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n const Quantum\n *magick_restrict p;\n\n ssize_t\n x;\n\n Quantum\n *magick_restrict q;\n\n if (status == MagickFalse)\n continue;\n p=GetCacheViewVirtualPixels(image_view,0,y,image->columns,1,exception);\n q=GetCacheViewAuthenticPixels(sepia_view,0,y,sepia_image->columns,1,\n exception);\n if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL))\n {\n status=MagickFalse;\n continue;\n }\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n double\n intensity,\n tone;\n\n intensity=GetPixelIntensity(image,p);\n tone=intensity > threshold ? (double) QuantumRange : intensity+\n (double) QuantumRange-threshold;\n SetPixelRed(sepia_image,ClampToQuantum(tone),q);\n tone=intensity > (7.0*threshold/6.0) ? (double) QuantumRange :\n intensity+(double) QuantumRange-7.0*threshold/6.0;\n SetPixelGreen(sepia_image,ClampToQuantum(tone),q);\n tone=intensity < (threshold/6.0) ? 
0 : intensity-threshold/6.0;\n SetPixelBlue(sepia_image,ClampToQuantum(tone),q);\n tone=threshold/7.0;\n if ((double) GetPixelGreen(image,q) < tone)\n SetPixelGreen(sepia_image,ClampToQuantum(tone),q);\n if ((double) GetPixelBlue(image,q) < tone)\n SetPixelBlue(sepia_image,ClampToQuantum(tone),q);\n SetPixelAlpha(sepia_image,GetPixelAlpha(image,p),q);\n p+=GetPixelChannels(image);\n q+=GetPixelChannels(sepia_image);\n }\n if (SyncCacheViewAuthenticPixels(sepia_view,exception) == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(image,SepiaToneImageTag,progress,image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n sepia_view=DestroyCacheView(sepia_view);\n image_view=DestroyCacheView(image_view);\n (void) NormalizeImage(sepia_image,exception);\n (void) ContrastImage(sepia_image,MagickTrue,exception);\n if (status == MagickFalse)\n sepia_image=DestroyImage(sepia_image);\n return(sepia_image);\n}", "project": "ImageMagick", "hash": 61523303264998880344861652776788445027, "size": 118, "commit_id": "94174beff065cb5683d09d79e992c3ebbdead311", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 330263 }, { "func": "MagickExport Image *CharcoalImage(const Image *image,const double radius,\n const double sigma,ExceptionInfo *exception)\n{\n Image\n *charcoal_image,\n *edge_image;\n\n MagickBooleanType\n status;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n edge_image=EdgeImage(image,radius,exception);\n if (edge_image == (Image *) NULL)\n 
return((Image *) NULL);\n edge_image->alpha_trait=UndefinedPixelTrait;\n charcoal_image=(Image *) NULL;\n status=ClampImage(edge_image,exception);\n if (status != MagickFalse)\n charcoal_image=BlurImage(edge_image,radius,sigma,exception);\n edge_image=DestroyImage(edge_image);\n if (charcoal_image == (Image *) NULL)\n return((Image *) NULL);\n status=NormalizeImage(charcoal_image,exception);\n if (status != MagickFalse)\n status=NegateImage(charcoal_image,MagickFalse,exception);\n if (status != MagickFalse)\n status=GrayscaleImage(charcoal_image,image->intensity,exception);\n if (status == MagickFalse)\n charcoal_image=DestroyImage(charcoal_image);\n return(charcoal_image);\n}", "project": "ImageMagick", "hash": 248587493201210013104246733726879920959, "size": 36, "commit_id": "94174beff065cb5683d09d79e992c3ebbdead311", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 330265 }, { "func": "MagickExport Image *PolaroidImage(const Image *image,const DrawInfo *draw_info,\n const char *caption,const double angle,const PixelInterpolateMethod method,\n ExceptionInfo *exception)\n{\n Image\n *bend_image,\n *caption_image,\n *flop_image,\n *picture_image,\n *polaroid_image,\n *rotate_image,\n *trim_image;\n\n size_t\n height;\n\n ssize_t\n quantum;\n\n /*\n Simulate a Polaroid picture.\n */\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n quantum=(ssize_t) MagickMax(MagickMax((double) image->columns,(double)\n image->rows)/25.0,10.0);\n height=image->rows+2*quantum;\n caption_image=(Image *) NULL;\n if (caption != (const char *) NULL)\n {\n char\n *text;\n\n /*\n Generate caption image.\n */\n caption_image=CloneImage(image,image->columns,1,MagickTrue,exception);\n 
if (caption_image == (Image *) NULL)\n return((Image *) NULL);\n text=InterpretImageProperties((ImageInfo *) NULL,(Image *) image,caption,\n exception);\n if (text != (char *) NULL)\n {\n char\n geometry[MagickPathExtent];\n\n DrawInfo\n *annotate_info;\n\n MagickBooleanType\n status;\n\n ssize_t\n count;\n\n TypeMetric\n metrics;\n\n annotate_info=CloneDrawInfo((const ImageInfo *) NULL,draw_info);\n (void) CloneString(&annotate_info->text,text);\n count=FormatMagickCaption(caption_image,annotate_info,MagickTrue,\n &metrics,&text,exception);\n status=SetImageExtent(caption_image,image->columns,(size_t)\n ((count+1)*(metrics.ascent-metrics.descent)+0.5),exception);\n if (status == MagickFalse)\n caption_image=DestroyImage(caption_image);\n else\n {\n caption_image->background_color=image->border_color;\n (void) SetImageBackgroundColor(caption_image,exception);\n (void) CloneString(&annotate_info->text,text);\n (void) FormatLocaleString(geometry,MagickPathExtent,\"+0+%.20g\",\n metrics.ascent);\n if (annotate_info->gravity == UndefinedGravity)\n (void) CloneString(&annotate_info->geometry,AcquireString(\n geometry));\n (void) AnnotateImage(caption_image,annotate_info,exception);\n height+=caption_image->rows;\n }\n annotate_info=DestroyDrawInfo(annotate_info);\n text=DestroyString(text);\n }\n }\n picture_image=CloneImage(image,image->columns+2*quantum,height,MagickTrue,\n exception);\n if (picture_image == (Image *) NULL)\n {\n if (caption_image != (Image *) NULL)\n caption_image=DestroyImage(caption_image);\n return((Image *) NULL);\n }\n picture_image->background_color=image->border_color;\n (void) SetImageBackgroundColor(picture_image,exception);\n (void) CompositeImage(picture_image,image,OverCompositeOp,MagickTrue,quantum,\n quantum,exception);\n if (caption_image != (Image *) NULL)\n {\n (void) CompositeImage(picture_image,caption_image,OverCompositeOp,\n MagickTrue,quantum,(ssize_t) (image->rows+3*quantum/2),exception);\n 
caption_image=DestroyImage(caption_image);\n }\n (void) QueryColorCompliance(\"none\",AllCompliance,\n &picture_image->background_color,exception);\n (void) SetImageAlphaChannel(picture_image,OpaqueAlphaChannel,exception);\n rotate_image=RotateImage(picture_image,90.0,exception);\n picture_image=DestroyImage(picture_image);\n if (rotate_image == (Image *) NULL)\n return((Image *) NULL);\n picture_image=rotate_image;\n bend_image=WaveImage(picture_image,0.01*picture_image->rows,2.0*\n picture_image->columns,method,exception);\n picture_image=DestroyImage(picture_image);\n if (bend_image == (Image *) NULL)\n return((Image *) NULL);\n picture_image=bend_image;\n rotate_image=RotateImage(picture_image,-90.0,exception);\n picture_image=DestroyImage(picture_image);\n if (rotate_image == (Image *) NULL)\n return((Image *) NULL);\n picture_image=rotate_image;\n picture_image->background_color=image->background_color;\n polaroid_image=ShadowImage(picture_image,80.0,2.0,quantum/3,quantum/3,\n exception);\n if (polaroid_image == (Image *) NULL)\n {\n picture_image=DestroyImage(picture_image);\n return(picture_image);\n }\n flop_image=FlopImage(polaroid_image,exception);\n polaroid_image=DestroyImage(polaroid_image);\n if (flop_image == (Image *) NULL)\n {\n picture_image=DestroyImage(picture_image);\n return(picture_image);\n }\n polaroid_image=flop_image;\n (void) CompositeImage(polaroid_image,picture_image,OverCompositeOp,\n MagickTrue,(ssize_t) (-0.01*picture_image->columns/2.0),0L,exception);\n picture_image=DestroyImage(picture_image);\n (void) QueryColorCompliance(\"none\",AllCompliance,\n &polaroid_image->background_color,exception);\n rotate_image=RotateImage(polaroid_image,angle,exception);\n polaroid_image=DestroyImage(polaroid_image);\n if (rotate_image == (Image *) NULL)\n return((Image *) NULL);\n polaroid_image=rotate_image;\n trim_image=TrimImage(polaroid_image,exception);\n polaroid_image=DestroyImage(polaroid_image);\n if (trim_image == (Image *) NULL)\n 
return((Image *) NULL);\n polaroid_image=trim_image;\n return(polaroid_image);\n}", "project": "ImageMagick", "hash": 213008144721535397150930461021825594569, "size": 157, "commit_id": "94174beff065cb5683d09d79e992c3ebbdead311", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 330268 }, { "func": "MagickExport Image *BlueShiftImage(const Image *image,const double factor,\n ExceptionInfo *exception)\n{\n#define BlueShiftImageTag \"BlueShift/Image\"\n\n CacheView\n *image_view,\n *shift_view;\n\n Image\n *shift_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n ssize_t\n y;\n\n /*\n Allocate blue shift image.\n */\n assert(image != (const Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n shift_image=CloneImage(image,0,0,MagickTrue,exception);\n if (shift_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(shift_image,DirectClass,exception) == MagickFalse)\n {\n shift_image=DestroyImage(shift_image);\n return((Image *) NULL);\n }\n /*\n Blue-shift DirectClass image.\n */\n status=MagickTrue;\n progress=0;\n image_view=AcquireVirtualCacheView(image,exception);\n shift_view=AcquireAuthenticCacheView(shift_image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,shift_image,image->rows,1)\n#endif\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n MagickBooleanType\n sync;\n\n PixelInfo\n pixel;\n\n Quantum\n quantum;\n\n const Quantum\n *magick_restrict p;\n\n ssize_t\n x;\n\n Quantum\n *magick_restrict q;\n\n if (status == MagickFalse)\n continue;\n p=GetCacheViewVirtualPixels(image_view,0,y,image->columns,1,exception);\n 
q=QueueCacheViewAuthenticPixels(shift_view,0,y,shift_image->columns,1,\n exception);\n if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL))\n {\n status=MagickFalse;\n continue;\n }\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n quantum=GetPixelRed(image,p);\n if (GetPixelGreen(image,p) < quantum)\n quantum=GetPixelGreen(image,p);\n if (GetPixelBlue(image,p) < quantum)\n quantum=GetPixelBlue(image,p);\n pixel.red=0.5*(GetPixelRed(image,p)+factor*quantum);\n pixel.green=0.5*(GetPixelGreen(image,p)+factor*quantum);\n pixel.blue=0.5*(GetPixelBlue(image,p)+factor*quantum);\n quantum=GetPixelRed(image,p);\n if (GetPixelGreen(image,p) > quantum)\n quantum=GetPixelGreen(image,p);\n if (GetPixelBlue(image,p) > quantum)\n quantum=GetPixelBlue(image,p);\n pixel.red=0.5*(pixel.red+factor*quantum);\n pixel.green=0.5*(pixel.green+factor*quantum);\n pixel.blue=0.5*(pixel.blue+factor*quantum);\n SetPixelRed(shift_image,ClampToQuantum(pixel.red),q);\n SetPixelGreen(shift_image,ClampToQuantum(pixel.green),q);\n SetPixelBlue(shift_image,ClampToQuantum(pixel.blue),q);\n p+=GetPixelChannels(image);\n q+=GetPixelChannels(shift_image);\n }\n sync=SyncCacheViewAuthenticPixels(shift_view,exception);\n if (sync == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(image,BlueShiftImageTag,progress,image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n image_view=DestroyCacheView(image_view);\n shift_view=DestroyCacheView(shift_view);\n if (status == MagickFalse)\n shift_image=DestroyImage(shift_image);\n return(shift_image);\n}", "project": "ImageMagick", "hash": 181515126469789053121171365057540211809, "size": 126, "commit_id": "94174beff065cb5683d09d79e992c3ebbdead311", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": 
"other", "idx": 330269 }, { "func": "MagickExport Image *AddNoiseImage(const Image *image,const NoiseType noise_type,\n const double attenuate,ExceptionInfo *exception)\n{\n#define AddNoiseImageTag \"AddNoise/Image\"\n\n CacheView\n *image_view,\n *noise_view;\n\n Image\n *noise_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n RandomInfo\n **magick_restrict random_info;\n\n ssize_t\n y;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n unsigned long\n key;\n#endif\n\n /*\n Initialize noise image attributes.\n */\n assert(image != (const Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n#if defined(MAGICKCORE_OPENCL_SUPPORT)\n noise_image=AccelerateAddNoiseImage(image,noise_type,attenuate,exception);\n if (noise_image != (Image *) NULL)\n return(noise_image);\n#endif\n noise_image=CloneImage(image,0,0,MagickTrue,exception);\n if (noise_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(noise_image,DirectClass,exception) == MagickFalse)\n {\n noise_image=DestroyImage(noise_image);\n return((Image *) NULL);\n }\n /*\n Add noise in each row.\n */\n status=MagickTrue;\n progress=0;\n random_info=AcquireRandomInfoThreadSet();\n image_view=AcquireVirtualCacheView(image,exception);\n noise_view=AcquireAuthenticCacheView(noise_image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n key=GetRandomSecretKey(random_info[0]);\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,noise_image,image->rows,key == ~0UL)\n#endif\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n const int\n id = GetOpenMPThreadId();\n\n MagickBooleanType\n sync;\n\n const Quantum\n *magick_restrict p;\n\n ssize_t\n x;\n\n Quantum\n *magick_restrict q;\n\n if (status == 
MagickFalse)\n continue;\n p=GetCacheViewVirtualPixels(image_view,0,y,image->columns,1,exception);\n q=QueueCacheViewAuthenticPixels(noise_view,0,y,noise_image->columns,1,\n exception);\n if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL))\n {\n status=MagickFalse;\n continue;\n }\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n ssize_t\n i;\n\n for (i=0; i < (ssize_t) GetPixelChannels(image); i++)\n {\n PixelChannel channel = GetPixelChannelChannel(image,i);\n PixelTrait traits = GetPixelChannelTraits(image,channel);\n PixelTrait noise_traits=GetPixelChannelTraits(noise_image,channel);\n if ((traits == UndefinedPixelTrait) ||\n (noise_traits == UndefinedPixelTrait))\n continue;\n if ((noise_traits & CopyPixelTrait) != 0)\n {\n SetPixelChannel(noise_image,channel,p[i],q);\n continue;\n }\n SetPixelChannel(noise_image,channel,ClampToQuantum(\n GenerateDifferentialNoise(random_info[id],p[i],noise_type,attenuate)),\n q);\n }\n p+=GetPixelChannels(image);\n q+=GetPixelChannels(noise_image);\n }\n sync=SyncCacheViewAuthenticPixels(noise_view,exception);\n if (sync == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(image,AddNoiseImageTag,progress,image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n noise_view=DestroyCacheView(noise_view);\n image_view=DestroyCacheView(image_view);\n random_info=DestroyRandomInfoThreadSet(random_info);\n if (status == MagickFalse)\n noise_image=DestroyImage(noise_image);\n return(noise_image);\n}", "project": "ImageMagick", "hash": 24985136654170202190201710282084384723, "size": 140, "commit_id": "94174beff065cb5683d09d79e992c3ebbdead311", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 330270 }, { "func": "MagickExport Image *WaveImage(const Image 
*image,const double amplitude,\n const double wave_length,const PixelInterpolateMethod method,\n ExceptionInfo *exception)\n{\n#define WaveImageTag \"Wave/Image\"\n\n CacheView\n *canvas_image_view,\n *wave_view;\n\n float\n *sine_map;\n\n Image\n *canvas_image,\n *wave_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n ssize_t\n i;\n\n ssize_t\n y;\n\n /*\n Initialize wave image attributes.\n */\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n canvas_image=CloneImage(image,0,0,MagickTrue,exception);\n if (canvas_image == (Image *) NULL)\n return((Image *) NULL);\n if ((canvas_image->alpha_trait == UndefinedPixelTrait) &&\n (canvas_image->background_color.alpha != OpaqueAlpha))\n (void) SetImageAlpha(canvas_image,OpaqueAlpha,exception);\n wave_image=CloneImage(canvas_image,canvas_image->columns,(size_t)\n (canvas_image->rows+2.0*fabs(amplitude)),MagickTrue,exception);\n if (wave_image == (Image *) NULL)\n {\n canvas_image=DestroyImage(canvas_image);\n return((Image *) NULL);\n }\n if (SetImageStorageClass(wave_image,DirectClass,exception) == MagickFalse)\n {\n canvas_image=DestroyImage(canvas_image);\n wave_image=DestroyImage(wave_image);\n return((Image *) NULL);\n }\n /*\n Allocate sine map.\n */\n sine_map=(float *) AcquireQuantumMemory((size_t) wave_image->columns,\n sizeof(*sine_map));\n if (sine_map == (float *) NULL)\n {\n canvas_image=DestroyImage(canvas_image);\n wave_image=DestroyImage(wave_image);\n ThrowImageException(ResourceLimitError,\"MemoryAllocationFailed\");\n }\n for (i=0; i < (ssize_t) wave_image->columns; i++)\n sine_map[i]=(float) fabs(amplitude)+amplitude*sin((double)\n ((2.0*MagickPI*i)*PerceptibleReciprocal(wave_length)));\n /*\n Wave image.\n */\n 
status=MagickTrue;\n progress=0;\n canvas_image_view=AcquireVirtualCacheView(canvas_image,exception);\n wave_view=AcquireAuthenticCacheView(wave_image,exception);\n (void) SetCacheViewVirtualPixelMethod(canvas_image_view,\n BackgroundVirtualPixelMethod);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(canvas_image,wave_image,wave_image->rows,1)\n#endif\n for (y=0; y < (ssize_t) wave_image->rows; y++)\n {\n const Quantum\n *magick_restrict p;\n\n Quantum\n *magick_restrict q;\n\n ssize_t\n x;\n\n if (status == MagickFalse)\n continue;\n p=GetCacheViewVirtualPixels(canvas_image_view,0,y,canvas_image->columns,1,\n exception);\n q=QueueCacheViewAuthenticPixels(wave_view,0,y,wave_image->columns,1,\n exception);\n if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL))\n {\n status=MagickFalse;\n continue;\n }\n for (x=0; x < (ssize_t) wave_image->columns; x++)\n {\n status=InterpolatePixelChannels(canvas_image,canvas_image_view,\n wave_image,method,(double) x,(double) (y-sine_map[x]),q,exception);\n if (status == MagickFalse)\n break;\n p+=GetPixelChannels(canvas_image);\n q+=GetPixelChannels(wave_image);\n }\n if (SyncCacheViewAuthenticPixels(wave_view,exception) == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(canvas_image,WaveImageTag,progress,\n canvas_image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n wave_view=DestroyCacheView(wave_view);\n canvas_image_view=DestroyCacheView(canvas_image_view);\n canvas_image=DestroyImage(canvas_image);\n sine_map=(float *) RelinquishMagickMemory(sine_map);\n if (status == MagickFalse)\n wave_image=DestroyImage(wave_image);\n return(wave_image);\n}", "project": "ImageMagick", "hash": 
295514983873945565860327311775528409590, "size": 140, "commit_id": "94174beff065cb5683d09d79e992c3ebbdead311", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 330274 }, { "func": "MagickExport Image *StereoAnaglyphImage(const Image *left_image,\n const Image *right_image,const ssize_t x_offset,const ssize_t y_offset,\n ExceptionInfo *exception)\n{\n#define StereoImageTag \"Stereo/Image\"\n\n const Image\n *image;\n\n Image\n *stereo_image;\n\n MagickBooleanType\n status;\n\n ssize_t\n y;\n\n assert(left_image != (const Image *) NULL);\n assert(left_image->signature == MagickCoreSignature);\n if (left_image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",\n left_image->filename);\n assert(right_image != (const Image *) NULL);\n assert(right_image->signature == MagickCoreSignature);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n image=left_image;\n if ((left_image->columns != right_image->columns) ||\n (left_image->rows != right_image->rows))\n ThrowImageException(ImageError,\"LeftAndRightImageSizesDiffer\");\n /*\n Initialize stereo image attributes.\n */\n stereo_image=CloneImage(left_image,left_image->columns,left_image->rows,\n MagickTrue,exception);\n if (stereo_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(stereo_image,DirectClass,exception) == MagickFalse)\n {\n stereo_image=DestroyImage(stereo_image);\n return((Image *) NULL);\n }\n (void) SetImageColorspace(stereo_image,sRGBColorspace,exception);\n /*\n Copy left image to red channel and right image to blue channel.\n */\n status=MagickTrue;\n for (y=0; y < (ssize_t) stereo_image->rows; y++)\n {\n const Quantum\n *magick_restrict p,\n *magick_restrict q;\n\n ssize_t\n x;\n\n Quantum\n *magick_restrict r;\n\n p=GetVirtualPixels(left_image,-x_offset,y-y_offset,image->columns,1,\n exception);\n 
q=GetVirtualPixels(right_image,0,y,right_image->columns,1,exception);\n r=QueueAuthenticPixels(stereo_image,0,y,stereo_image->columns,1,exception);\n if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL) ||\n (r == (Quantum *) NULL))\n break;\n for (x=0; x < (ssize_t) stereo_image->columns; x++)\n {\n SetPixelRed(stereo_image,GetPixelRed(left_image,p),r);\n SetPixelGreen(stereo_image,GetPixelGreen(right_image,q),r);\n SetPixelBlue(stereo_image,GetPixelBlue(right_image,q),r);\n if ((GetPixelAlphaTraits(stereo_image) & CopyPixelTrait) != 0)\n SetPixelAlpha(stereo_image,(GetPixelAlpha(left_image,p)+\n GetPixelAlpha(right_image,q))/2,r);\n p+=GetPixelChannels(left_image);\n q+=GetPixelChannels(right_image);\n r+=GetPixelChannels(stereo_image);\n }\n if (SyncAuthenticPixels(stereo_image,exception) == MagickFalse)\n break;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n proceed=SetImageProgress(image,StereoImageTag,(MagickOffsetType) y,\n stereo_image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n if (status == MagickFalse)\n stereo_image=DestroyImage(stereo_image);\n return(stereo_image);\n}", "project": "ImageMagick", "hash": 33614501955153792984609083578350004104, "size": 96, "commit_id": "94174beff065cb5683d09d79e992c3ebbdead311", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 330278 }, { "func": "MagickExport Image *SwirlImage(const Image *image,double degrees,\n const PixelInterpolateMethod method,ExceptionInfo *exception)\n{\n#define SwirlImageTag \"Swirl/Image\"\n\n CacheView\n *canvas_view,\n *interpolate_view,\n *swirl_view;\n\n double\n radius;\n\n Image\n *canvas_image,\n *swirl_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n PointInfo\n center,\n scale;\n\n ssize_t\n y;\n\n /*\n Initialize swirl image attributes.\n */\n assert(image != (const Image *) NULL);\n assert(image->signature == 
MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n canvas_image=CloneImage(image,0,0,MagickTrue,exception);\n if (canvas_image == (Image *) NULL)\n return((Image *) NULL);\n swirl_image=CloneImage(canvas_image,0,0,MagickTrue,exception);\n if (swirl_image == (Image *) NULL)\n {\n canvas_image=DestroyImage(canvas_image);\n return((Image *) NULL);\n }\n if (SetImageStorageClass(swirl_image,DirectClass,exception) == MagickFalse)\n {\n canvas_image=DestroyImage(canvas_image);\n swirl_image=DestroyImage(swirl_image);\n return((Image *) NULL);\n }\n if (swirl_image->background_color.alpha_trait != UndefinedPixelTrait)\n (void) SetImageAlphaChannel(swirl_image,OnAlphaChannel,exception);\n /*\n Compute scaling factor.\n */\n center.x=(double) canvas_image->columns/2.0;\n center.y=(double) canvas_image->rows/2.0;\n radius=MagickMax(center.x,center.y);\n scale.x=1.0;\n scale.y=1.0;\n if (canvas_image->columns > canvas_image->rows)\n scale.y=(double) canvas_image->columns/(double) canvas_image->rows;\n else\n if (canvas_image->columns < canvas_image->rows)\n scale.x=(double) canvas_image->rows/(double) canvas_image->columns;\n degrees=(double) DegreesToRadians(degrees);\n /*\n Swirl image.\n */\n status=MagickTrue;\n progress=0;\n canvas_view=AcquireVirtualCacheView(canvas_image,exception);\n interpolate_view=AcquireVirtualCacheView(image,exception);\n swirl_view=AcquireAuthenticCacheView(swirl_image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(canvas_image,swirl_image,canvas_image->rows,1)\n#endif\n for (y=0; y < (ssize_t) canvas_image->rows; y++)\n {\n double\n distance;\n\n PointInfo\n delta;\n\n const Quantum\n *magick_restrict p;\n\n ssize_t\n x;\n\n Quantum\n *magick_restrict q;\n\n if 
(status == MagickFalse)\n continue;\n p=GetCacheViewVirtualPixels(canvas_view,0,y,canvas_image->columns,1,\n exception);\n q=QueueCacheViewAuthenticPixels(swirl_view,0,y,swirl_image->columns,1,\n exception);\n if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL))\n {\n status=MagickFalse;\n continue;\n }\n delta.y=scale.y*(double) (y-center.y);\n for (x=0; x < (ssize_t) canvas_image->columns; x++)\n {\n /*\n Determine if the pixel is within an ellipse.\n */\n delta.x=scale.x*(double) (x-center.x);\n distance=delta.x*delta.x+delta.y*delta.y;\n if (distance >= (radius*radius))\n {\n ssize_t\n i;\n\n for (i=0; i < (ssize_t) GetPixelChannels(canvas_image); i++)\n {\n PixelChannel channel = GetPixelChannelChannel(canvas_image,i);\n PixelTrait traits = GetPixelChannelTraits(canvas_image,channel);\n PixelTrait swirl_traits = GetPixelChannelTraits(swirl_image,\n channel);\n if ((traits == UndefinedPixelTrait) ||\n (swirl_traits == UndefinedPixelTrait))\n continue;\n SetPixelChannel(swirl_image,channel,p[i],q);\n }\n }\n else\n {\n double\n cosine,\n factor,\n sine;\n\n /*\n Swirl the pixel.\n */\n factor=1.0-sqrt((double) distance)/radius;\n sine=sin((double) (degrees*factor*factor));\n cosine=cos((double) (degrees*factor*factor));\n status=InterpolatePixelChannels(canvas_image,interpolate_view,\n swirl_image,method,((cosine*delta.x-sine*delta.y)/scale.x+center.x),\n (double) ((sine*delta.x+cosine*delta.y)/scale.y+center.y),q,\n exception);\n if (status == MagickFalse)\n break;\n }\n p+=GetPixelChannels(canvas_image);\n q+=GetPixelChannels(swirl_image);\n }\n if (SyncCacheViewAuthenticPixels(swirl_view,exception) == MagickFalse)\n status=MagickFalse;\n if (canvas_image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(canvas_image,SwirlImageTag,progress,\n canvas_image->rows);\n if (proceed == MagickFalse)\n 
status=MagickFalse;\n }\n }\n swirl_view=DestroyCacheView(swirl_view);\n interpolate_view=DestroyCacheView(interpolate_view);\n canvas_view=DestroyCacheView(canvas_view);\n canvas_image=DestroyImage(canvas_image);\n if (status == MagickFalse)\n swirl_image=DestroyImage(swirl_image);\n return(swirl_image);\n}", "project": "ImageMagick", "hash": 73541914192565138885065020371551583097, "size": 183, "commit_id": "94174beff065cb5683d09d79e992c3ebbdead311", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 330280 }, { "func": "char *vnc_display_local_addr(const char *id)\n{\n VncDisplay *vs = vnc_display_find(id);\n\n assert(vs);\n return vnc_socket_local_addr(\"%s:%s\", vs->lsock);\n}", "project": "qemu", "hash": 252896514035138793230479603676051675402, "size": 7, "commit_id": "4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3", "message": "ui: vnc: avoid floating point exception\n\nWhile sending 'SetPixelFormat' messages to a VNC server,\nthe client could set the 'red-max', 'green-max' and 'blue-max'\nvalues to be zero. 
This leads to a floating point exception in\nwrite_png_palette while doing frame buffer updates.\n\nReported-by: Lian Yihan \nSigned-off-by: Prasad J Pandit \nReviewed-by: Gerd Hoffmann \nSigned-off-by: Peter Maydell ", "target": 0, "dataset": "other", "idx": 330504 }, { "func": "repodata_add_dirstr(Repodata *data, Id solvid, Id keyname, Id dir, const char *str)\n{\n Id stroff;\n int l;\n\n assert(dir);\n l = strlen(str) + 1;\n data->attrdata = solv_extend(data->attrdata, data->attrdatalen, l, 1, REPODATA_ATTRDATA_BLOCK);\n memcpy(data->attrdata + data->attrdatalen, str, l);\n stroff = data->attrdatalen;\n data->attrdatalen += l;\n\n#if 0\nfprintf(stderr, \"repodata_add_dirstr %d %d %s (%d)\\n\", solvid, dir, str, data->attriddatalen);\n#endif\n repodata_add_array(data, solvid, keyname, REPOKEY_TYPE_DIRSTRARRAY, 2);\n data->attriddata[data->attriddatalen++] = dir;\n data->attriddata[data->attriddatalen++] = stroff;\n data->attriddata[data->attriddatalen++] = 0;\n}", "project": "libsolv", "hash": 125441181324434503594919685125009351562, "size": 20, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333114 }, { "func": "repodata_add_dirnumnum(Repodata *data, Id solvid, Id keyname, Id dir, Id num, Id num2)\n{\n assert(dir);\n#if 0\nfprintf(stderr, \"repodata_add_dirnumnum %d %d %d %d (%d)\\n\", solvid, dir, num, num2, data->attriddatalen);\n#endif\n repodata_add_array(data, solvid, keyname, REPOKEY_TYPE_DIRNUMNUMARRAY, 3);\n data->attriddata[data->attriddatalen++] = dir;\n data->attriddata[data->attriddatalen++] = num;\n data->attriddata[data->attriddatalen++] = num2;\n data->attriddata[data->attriddatalen++] = 0;\n}", "project": "libsolv", "hash": 39418608797829406144083362009037044569, "size": 
12, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333153 }, { "func": "MagickExport Image *CompareImagesLayers(const Image *image,\n const LayerMethod method,ExceptionInfo *exception)\n{\n Image\n *image_a,\n *image_b,\n *layers;\n\n RectangleInfo\n *bounds;\n\n register const Image\n *next;\n\n register ssize_t\n i;\n\n assert(image != (const Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n assert((method == CompareAnyLayer) ||\n (method == CompareClearLayer) ||\n (method == CompareOverlayLayer));\n /*\n Allocate bounds memory.\n */\n next=GetFirstImageInList(image);\n bounds=(RectangleInfo *) AcquireQuantumMemory((size_t)\n GetImageListLength(next),sizeof(*bounds));\n if (bounds == (RectangleInfo *) NULL)\n ThrowImageException(ResourceLimitError,\"MemoryAllocationFailed\");\n /*\n Set up first comparision images.\n */\n image_a=CloneImage(next,next->page.width,next->page.height,\n MagickTrue,exception);\n if (image_a == (Image *) NULL)\n {\n bounds=(RectangleInfo *) RelinquishMagickMemory(bounds);\n return((Image *) NULL);\n }\n image_a->background_color.alpha_trait=BlendPixelTrait;\n image_a->background_color.alpha=(MagickRealType) TransparentAlpha;\n (void) SetImageBackgroundColor(image_a,exception);\n image_a->page=next->page;\n image_a->page.x=0;\n image_a->page.y=0;\n (void) CompositeImage(image_a,next,CopyCompositeOp,MagickTrue,next->page.x,\n next->page.y,exception);\n /*\n Compute the bounding box of changes for the later images\n */\n i=0;\n 
next=GetNextImageInList(next);\n for ( ; next != (const Image *) NULL; next=GetNextImageInList(next))\n {\n image_b=CloneImage(image_a,0,0,MagickTrue,exception);\n if (image_b == (Image *) NULL)\n {\n image_a=DestroyImage(image_a);\n bounds=(RectangleInfo *) RelinquishMagickMemory(bounds);\n return((Image *) NULL);\n }\n image_b->background_color.alpha_trait=BlendPixelTrait;\n (void) CompositeImage(image_a,next,CopyCompositeOp,MagickTrue,next->page.x,\n next->page.y,exception);\n bounds[i]=CompareImagesBounds(image_b,image_a,method,exception);\n image_b=DestroyImage(image_b);\n i++;\n }\n image_a=DestroyImage(image_a);\n /*\n Clone first image in sequence.\n */\n next=GetFirstImageInList(image);\n layers=CloneImage(next,0,0,MagickTrue,exception);\n if (layers == (Image *) NULL)\n {\n bounds=(RectangleInfo *) RelinquishMagickMemory(bounds);\n return((Image *) NULL);\n }\n layers->background_color.alpha_trait=BlendPixelTrait;\n /*\n Deconstruct the image sequence.\n */\n i=0;\n next=GetNextImageInList(next);\n for ( ; next != (const Image *) NULL; next=GetNextImageInList(next))\n {\n if ((bounds[i].x == -1) && (bounds[i].y == -1) &&\n (bounds[i].width == 1) && (bounds[i].height == 1))\n {\n /*\n An empty frame is returned from CompareImageBounds(), which means the\n current frame is identical to the previous frame.\n */\n i++;\n continue;\n }\n image_a=CloneImage(next,0,0,MagickTrue,exception);\n if (image_a == (Image *) NULL)\n break;\n image_a->background_color.alpha_trait=BlendPixelTrait;\n image_b=CropImage(image_a,&bounds[i],exception);\n image_a=DestroyImage(image_a);\n if (image_b == (Image *) NULL)\n break;\n AppendImageToList(&layers,image_b);\n i++;\n }\n bounds=(RectangleInfo *) RelinquishMagickMemory(bounds);\n if (next != (Image *) NULL)\n {\n layers=DestroyImageList(layers);\n return((Image *) NULL);\n }\n return(GetFirstImageInList(layers));\n}", "project": "ImageMagick", "hash": 172951605797226380663058668510862320506, "size": 121, "commit_id": 
"ef59bd764f88d893f1219fee8ba696a5d3f8c1c4", "message": "There is a Division by Zero in function OptimizeLayerFrames (#2743)\n\nin file MagickCore/layer.c. cur->ticks_per_seconds can be zero\r\nwith a crafted input argument *image. This is similar to\r\nCVE-2019-13454.", "target": 0, "dataset": "other", "idx": 338498 }, { "func": "p11_rpc_message_parse (p11_rpc_message *msg,\n p11_rpc_message_type type)\n{\n\tconst unsigned char *val;\n\tsize_t len;\n\tuint32_t call_id;\n\n\tassert (msg != NULL);\n\tassert (msg->input != NULL);\n\n\tmsg->parsed = 0;\n\n\t/* Pull out the call identifier */\n\tif (!p11_rpc_buffer_get_uint32 (msg->input, &msg->parsed, &call_id)) {\n\t\tp11_message (\"invalid message: couldn't read call identifier\");\n\t\treturn false;\n\t}\n\n\tmsg->signature = msg->sigverify = NULL;\n\n\t/* The call id and signature */\n\tif (call_id >= P11_RPC_CALL_MAX ||\n\t (type == P11_RPC_REQUEST && call_id == P11_RPC_CALL_ERROR)) {\n\t\tp11_message (\"invalid message: bad call id: %d\", call_id);\n\t\treturn false;\n\t}\n\tif (type == P11_RPC_REQUEST)\n\t\tmsg->signature = p11_rpc_calls[call_id].request;\n\telse if (type == P11_RPC_RESPONSE)\n\t\tmsg->signature = p11_rpc_calls[call_id].response;\n\telse\n\t\tassert_not_reached ();\n\tassert (msg->signature != NULL);\n\tmsg->call_id = call_id;\n\tmsg->call_type = type;\n\tmsg->sigverify = msg->signature;\n\n\t/* Verify the incoming signature */\n\tif (!p11_rpc_buffer_get_byte_array (msg->input, &msg->parsed, &val, &len) ||\n\t /* This can happen if the length header == 0xffffffff */\n\t val == NULL) {\n\t\tp11_message (\"invalid message: couldn't read signature\");\n\t\treturn false;\n\t}\n\n\tif ((strlen (msg->signature) != len) || (memcmp (val, msg->signature, len) != 0)) {\n\t\tp11_message (\"invalid message: signature doesn't match\");\n\t\treturn false;\n\t}\n\n\treturn true;\n}", "project": "p11-kit", "hash": 138578882259483622570195843948240696140, "size": 52, "commit_id": 
"69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, not\n*offset.", "target": 0, "dataset": "other", "idx": 349458 }, { "func": "p11_rpc_message_write_attribute_array (p11_rpc_message *msg,\n CK_ATTRIBUTE_PTR arr,\n CK_ULONG num)\n{\n\tCK_ULONG i;\n\n\tassert (num == 0 || arr != NULL);\n\tassert (msg != NULL);\n\tassert (msg->output != NULL);\n\n\t/* Make sure this is in the right order */\n\tassert (!msg->signature || p11_rpc_message_verify_part (msg, \"aA\"));\n\n\t/* Write the number of items */\n\tp11_rpc_buffer_add_uint32 (msg->output, num);\n\n\tfor (i = 0; i < num; ++i)\n\t\tp11_rpc_buffer_add_attribute (msg->output, &(arr[i]));\n\n\treturn !p11_buffer_failed (msg->output);\n}", "project": "p11-kit", "hash": 187747980861330189972041528344877064882, "size": 21, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, not\n*offset.", "target": 0, "dataset": "other", "idx": 349461 }, { "func": "p11_rpc_message_read_byte (p11_rpc_message *msg,\n CK_BYTE *val)\n{\n\tassert (msg != NULL);\n\tassert (msg->input != NULL);\n\n\t/* Make sure this is in the right order */\n\tassert (!msg->signature || p11_rpc_message_verify_part (msg, \"y\"));\n\treturn p11_rpc_buffer_get_byte (msg->input, &msg->parsed, val);\n}", "project": "p11-kit", "hash": 32408019675568317433555436977556112516, "size": 10, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be 
using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, not\n*offset.", "target": 0, "dataset": "other", "idx": 349462 }, { "func": "p11_rpc_message_write_byte_buffer (p11_rpc_message *msg,\n CK_ULONG count)\n{\n\tassert (msg != NULL);\n\tassert (msg->output != NULL);\n\n\t/* Make sure this is in the right order */\n\tassert (!msg->signature || p11_rpc_message_verify_part (msg, \"fy\"));\n\tp11_rpc_buffer_add_uint32 (msg->output, count);\n\treturn !p11_buffer_failed (msg->output);\n}", "project": "p11-kit", "hash": 88330509090438054126021900193440885166, "size": 11, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, not\n*offset.", "target": 0, "dataset": "other", "idx": 349465 }, { "func": "p11_rpc_message_write_version (p11_rpc_message *msg,\n CK_VERSION *version)\n{\n\tassert (msg != NULL);\n\tassert (msg->output != NULL);\n\tassert (version != NULL);\n\n\t/* Check that we're supposed to have this at this point */\n\tassert (!msg->signature || p11_rpc_message_verify_part (msg, \"v\"));\n\n\tp11_rpc_buffer_add_byte (msg->output, version->major);\n\tp11_rpc_buffer_add_byte (msg->output, version->minor);\n\n\treturn !p11_buffer_failed (msg->output);\n}", "project": "p11-kit", "hash": 34931099803563772531116964453733433215, "size": 15, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, 
not\n*offset.", "target": 0, "dataset": "other", "idx": 349472 }, { "func": "p11_rpc_message_alloc_extra (p11_rpc_message *msg,\n size_t length)\n{\n\tvoid **data;\n\n\tassert (msg != NULL);\n\n\tif (length > 0x7fffffff)\n\t\treturn NULL;\n\n\tassert (msg->output->frealloc != NULL);\n\tdata = (msg->output->frealloc) (NULL, sizeof (void *) + length);\n\tif (data == NULL)\n\t\treturn NULL;\n\n\t/* Munch up the memory to help catch bugs */\n\tmemset (data, 0xff, sizeof (void *) + length);\n\n\t/* Store pointer to next allocated block at beginning */\n\t*data = msg->extra;\n\tmsg->extra = data;\n\n\t/* Data starts after first pointer */\n\treturn (void *)(data + 1);\n}", "project": "p11-kit", "hash": 82723926950714486300927210711938514899, "size": 25, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, not\n*offset.", "target": 0, "dataset": "other", "idx": 349475 }, { "func": "p11_rpc_message_read_ulong (p11_rpc_message *msg,\n CK_ULONG *val)\n{\n\tuint64_t v;\n\n\tassert (msg != NULL);\n\tassert (msg->input != NULL);\n\n\t/* Make sure this is in the right order */\n\tassert (!msg->signature || p11_rpc_message_verify_part (msg, \"u\"));\n\n\tif (!p11_rpc_buffer_get_uint64 (msg->input, &msg->parsed, &v))\n\t\treturn false;\n\tif (val)\n\t\t*val = (CK_ULONG)v;\n\treturn true;\n}", "project": "p11-kit", "hash": 213989862097682977483011742556095788232, "size": 17, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, 
not\n*offset.", "target": 0, "dataset": "other", "idx": 349476 }, { "func": "p11_rpc_message_write_ulong_buffer (p11_rpc_message *msg,\n CK_ULONG count)\n{\n\tassert (msg != NULL);\n\tassert (msg->output != NULL);\n\n\t/* Make sure this is in the right order */\n\tassert (!msg->signature || p11_rpc_message_verify_part (msg, \"fu\"));\n\tp11_rpc_buffer_add_uint32 (msg->output, count);\n\treturn !p11_buffer_failed (msg->output);\n}", "project": "p11-kit", "hash": 263199580443913920262750132860513194081, "size": 11, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, not\n*offset.", "target": 0, "dataset": "other", "idx": 349492 }, { "func": "p11_rpc_message_write_space_string (p11_rpc_message *msg,\n CK_UTF8CHAR *data,\n CK_ULONG length)\n{\n\tassert (msg != NULL);\n\tassert (msg->output != NULL);\n\tassert (data != NULL);\n\tassert (length != 0);\n\n\tassert (!msg->signature || p11_rpc_message_verify_part (msg, \"s\"));\n\n\tp11_rpc_buffer_add_byte_array (msg->output, data, length);\n\treturn !p11_buffer_failed (msg->output);\n}", "project": "p11-kit", "hash": 273917658127588745042954471078211814132, "size": 14, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, not\n*offset.", "target": 0, "dataset": "other", "idx": 349494 }, { "func": "p11_rpc_message_write_byte (p11_rpc_message *msg,\n CK_BYTE val)\n{\n\tassert (msg != NULL);\n\tassert (msg->output != NULL);\n\n\t/* Make sure this is in the right order */\n\tassert 
(!msg->signature || p11_rpc_message_verify_part (msg, \"y\"));\n\tp11_rpc_buffer_add_byte (msg->output, val);\n\treturn !p11_buffer_failed (msg->output);\n}", "project": "p11-kit", "hash": 157538501611187180217402442592815717801, "size": 11, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, not\n*offset.", "target": 0, "dataset": "other", "idx": 349501 }, { "func": "p11_rpc_message_write_zero_string (p11_rpc_message *msg,\n CK_UTF8CHAR *string)\n{\n\tassert (msg != NULL);\n\tassert (msg->output != NULL);\n\tassert (string != NULL);\n\n\tassert (!msg->signature || p11_rpc_message_verify_part (msg, \"z\"));\n\n\tp11_rpc_buffer_add_byte_array (msg->output, string,\n\t string ? strlen ((char *)string) : 0);\n\treturn !p11_buffer_failed (msg->output);\n}", "project": "p11-kit", "hash": 226863307798783055901327351736095704499, "size": 13, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, not\n*offset.", "target": 0, "dataset": "other", "idx": 349512 }, { "func": "p11_rpc_message_read_version (p11_rpc_message *msg,\n CK_VERSION *version)\n{\n\tassert (msg != NULL);\n\tassert (msg->input != NULL);\n\tassert (version != NULL);\n\n\t/* Check that we're supposed to have this at this point */\n\tassert (!msg->signature || p11_rpc_message_verify_part (msg, \"v\"));\n\n\treturn p11_rpc_buffer_get_byte (msg->input, &msg->parsed, &version->major) &&\n\t p11_rpc_buffer_get_byte (msg->input, &msg->parsed, &version->minor);\n}", 
"project": "p11-kit", "hash": 211113852544178464959720876939141379437, "size": 13, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, not\n*offset.", "target": 0, "dataset": "other", "idx": 349515 }, { "func": "p11_rpc_message_write_ulong (p11_rpc_message *msg,\n CK_ULONG val)\n{\n\tassert (msg != NULL);\n\tassert (msg->output != NULL);\n\n\t/* Make sure this is in the right order */\n\tassert (!msg->signature || p11_rpc_message_verify_part (msg, \"u\"));\n\tp11_rpc_buffer_add_uint64 (msg->output, val);\n\treturn !p11_buffer_failed (msg->output);\n}", "project": "p11-kit", "hash": 234886308177609160302641074981807585478, "size": 11, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, not\n*offset.", "target": 0, "dataset": "other", "idx": 349519 }, { "func": "header_http_match(VRT_CTX, const struct http *hp, unsigned u, VCL_REGEX re,\n const char *hdr)\n{\n\tconst char *start;\n\tunsigned l;\n\n\tassert(hdr);\n\tassert(hp);\n\n\tTcheck(hp->hd[u]);\n\tif (hp->hd[u].b == NULL)\n\t\treturn (0);\n\n\tl = hdr[0];\n\n\tif (!header_http_IsHdr(&hp->hd[u], hdr))\n\t\treturn (0);\n\n\tif (re == NULL)\n\t\treturn (1);\n\n\tstart = hp->hd[u].b + l;\n\twhile (*start != '\\0' && *start == ' ')\n\t\tstart++;\n\n\tif (!*start)\n\t\treturn (0);\n\tif (VRT_re_match(ctx, start, re))\n\t\treturn (1);\n\n\treturn (0);\n}", "project": "varnish-modules", "hash": 144099785511479253322961144789743720145, "size": 32, "commit_id": 
"2c120e576ebb73bc247790184702ba58dc0afc39", "message": "Check VRT_StrandsWS() return value\n\nFixes: VSV00006", "target": 0, "dataset": "other", "idx": 374518 }, { "func": "VdbeOp *sqlite3VdbeTakeOpArray(Vdbe *p, int *pnOp, int *pnMaxArg){\n VdbeOp *aOp = p->aOp;\n assert( aOp && !p->db->mallocFailed );\n\n /* Check that sqlite3VdbeUsesBtree() was not called on this VM */\n assert( DbMaskAllZero(p->btreeMask) );\n\n resolveP2Values(p, pnMaxArg);\n *pnOp = p->nOp;\n p->aOp = 0;\n return aOp;\n}", "project": "sqlite", "hash": 138562375174702247227537820756335539751, "size": 12, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378634 }, { "func": "MagickExport Image *RotateImage(const Image *image,const double degrees,\n ExceptionInfo *exception)\n{\n Image\n *distort_image,\n *rotate_image;\n\n double\n angle;\n\n PointInfo\n shear;\n\n size_t\n rotations;\n\n /*\n Adjust rotation angle.\n */\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n angle=fmod(degrees,360.0);\n while (angle < -45.0)\n angle+=360.0;\n for (rotations=0; angle > 45.0; rotations++)\n angle-=90.0;\n rotations%=4;\n shear.x=(-tan((double) DegreesToRadians(angle)/2.0));\n shear.y=sin((double) DegreesToRadians(angle));\n if ((fabs(shear.x) < MagickEpsilon) && 
(fabs(shear.y) < MagickEpsilon))\n return(IntegralRotateImage(image,rotations,exception));\n distort_image=CloneImage(image,0,0,MagickTrue,exception);\n if (distort_image == (Image *) NULL)\n return((Image *) NULL);\n (void) SetImageVirtualPixelMethod(distort_image,BackgroundVirtualPixelMethod,\n exception);\n rotate_image=DistortImage(distort_image,ScaleRotateTranslateDistortion,1,\n °rees,MagickTrue,exception);\n distort_image=DestroyImage(distort_image);\n return(rotate_image);\n}", "project": "ImageMagick", "hash": 172282403448755800145119040219771286908, "size": 45, "commit_id": "f8e8535bc821f24a30beee0030ff21ee3a2deedc", "message": "https://github.com/ImageMagick/ImageMagick/issues/3331", "target": 0, "dataset": "other", "idx": 383178 }, { "func": "MagickExport Image *AffineTransformImage(const Image *image,\n const AffineMatrix *affine_matrix,ExceptionInfo *exception)\n{\n double\n distort[6];\n\n Image\n *deskew_image;\n\n /*\n Affine transform image.\n */\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(affine_matrix != (AffineMatrix *) NULL);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n distort[0]=affine_matrix->sx;\n distort[1]=affine_matrix->rx;\n distort[2]=affine_matrix->ry;\n distort[3]=affine_matrix->sy;\n distort[4]=affine_matrix->tx;\n distort[5]=affine_matrix->ty;\n deskew_image=DistortImage(image,AffineProjectionDistortion,6,distort,\n MagickTrue,exception);\n return(deskew_image);\n}", "project": "ImageMagick", "hash": 245357582631746343205064047867991677306, "size": 28, "commit_id": "f8e8535bc821f24a30beee0030ff21ee3a2deedc", "message": "https://github.com/ImageMagick/ImageMagick/issues/3331", "target": 0, "dataset": "other", "idx": 383185 }, { "func": "MagickExport Image *ShadowImage(const Image *image,const double opacity,\n const double sigma,const ssize_t 
x_offset,const ssize_t y_offset,\n ExceptionInfo *exception)\n{\n#define ShadowImageTag \"Shadow/Image\"\n\n CacheView\n *image_view;\n\n Image\n *border_image,\n *clone_image,\n *shadow_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n RectangleInfo\n border_info;\n\n ssize_t\n y;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n clone_image=CloneImage(image,0,0,MagickTrue,exception);\n if (clone_image == (Image *) NULL)\n return((Image *) NULL);\n if (IsGrayColorspace(image->colorspace) != MagickFalse)\n (void) SetImageColorspace(clone_image,sRGBColorspace);\n (void) SetImageVirtualPixelMethod(clone_image,EdgeVirtualPixelMethod);\n clone_image->compose=OverCompositeOp;\n border_info.width=(size_t) floor(2.0*sigma+0.5);\n border_info.height=(size_t) floor(2.0*sigma+0.5);\n border_info.x=0;\n border_info.y=0;\n (void) QueryColorDatabase(\"none\",&clone_image->border_color,exception);\n border_image=BorderImage(clone_image,&border_info,exception);\n clone_image=DestroyImage(clone_image);\n if (border_image == (Image *) NULL)\n return((Image *) NULL);\n if (border_image->matte == MagickFalse)\n (void) SetImageAlphaChannel(border_image,OpaqueAlphaChannel);\n /*\n Shadow image.\n */\n status=MagickTrue;\n progress=0;\n image_view=AcquireAuthenticCacheView(border_image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(border_image,border_image,border_image->rows,1)\n#endif\n for (y=0; y < (ssize_t) border_image->rows; y++)\n {\n PixelPacket\n *magick_restrict q;\n\n ssize_t\n x;\n\n if (status == MagickFalse)\n continue;\n q=GetCacheViewAuthenticPixels(image_view,0,y,border_image->columns,1,\n 
exception);\n if (q == (PixelPacket *) NULL)\n {\n status=MagickFalse;\n continue;\n }\n for (x=0; x < (ssize_t) border_image->columns; x++)\n {\n SetPixelRed(q,border_image->background_color.red);\n SetPixelGreen(q,border_image->background_color.green);\n SetPixelBlue(q,border_image->background_color.blue);\n if (border_image->matte == MagickFalse)\n SetPixelOpacity(q,border_image->background_color.opacity);\n else\n SetPixelOpacity(q,ClampToQuantum((double) (QuantumRange-\n GetPixelAlpha(q)*opacity/100.0)));\n q++;\n }\n if (SyncCacheViewAuthenticPixels(image_view,exception) == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(image,ShadowImageTag,progress,\n border_image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n image_view=DestroyCacheView(image_view);\n shadow_image=BlurImageChannel(border_image,AlphaChannel,0.0,sigma,exception);\n border_image=DestroyImage(border_image);\n if (shadow_image == (Image *) NULL)\n return((Image *) NULL);\n if (shadow_image->page.width == 0)\n shadow_image->page.width=shadow_image->columns;\n if (shadow_image->page.height == 0)\n shadow_image->page.height=shadow_image->rows;\n shadow_image->page.width+=x_offset-(ssize_t) border_info.width;\n shadow_image->page.height+=y_offset-(ssize_t) border_info.height;\n shadow_image->page.x+=x_offset-(ssize_t) border_info.width;\n shadow_image->page.y+=y_offset-(ssize_t) border_info.height;\n return(shadow_image);\n}", "project": "ImageMagick6", "hash": 202142931642936684241985033810512406145, "size": 121, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385758 }, { "func": "MagickExport Image *MorphImages(const Image *image,\n const size_t 
number_frames,ExceptionInfo *exception)\n{\n#define MorphImageTag \"Morph/Image\"\n\n double\n alpha,\n beta;\n\n Image\n *morph_image,\n *morph_images;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n scene;\n\n const Image\n *next;\n\n ssize_t\n i;\n\n ssize_t\n y;\n\n /*\n Clone first frame in sequence.\n */\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n morph_images=CloneImage(image,0,0,MagickTrue,exception);\n if (morph_images == (Image *) NULL)\n return((Image *) NULL);\n if (GetNextImageInList(image) == (Image *) NULL)\n {\n /*\n Morph single image.\n */\n for (i=1; i < (ssize_t) number_frames; i++)\n {\n morph_image=CloneImage(image,0,0,MagickTrue,exception);\n if (morph_image == (Image *) NULL)\n {\n morph_images=DestroyImageList(morph_images);\n return((Image *) NULL);\n }\n AppendImageToList(&morph_images,morph_image);\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n proceed=SetImageProgress(image,MorphImageTag,(MagickOffsetType) i,\n number_frames);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n return(GetFirstImageInList(morph_images));\n }\n /*\n Morph image sequence.\n */\n status=MagickTrue;\n scene=0;\n next=image;\n for ( ; GetNextImageInList(next) != (Image *) NULL; next=GetNextImageInList(next))\n {\n for (i=0; i < (ssize_t) number_frames; i++)\n {\n CacheView\n *image_view,\n *morph_view;\n\n beta=(double) (i+1.0)/(double) (number_frames+1.0);\n alpha=1.0-beta;\n morph_image=ResizeImage(next,(size_t) (alpha*next->columns+beta*\n GetNextImageInList(next)->columns+0.5),(size_t) (alpha*\n next->rows+beta*GetNextImageInList(next)->rows+0.5),\n next->filter,next->blur,exception);\n if (morph_image == (Image *) NULL)\n {\n 
morph_images=DestroyImageList(morph_images);\n return((Image *) NULL);\n }\n if (SetImageStorageClass(morph_image,DirectClass) == MagickFalse)\n {\n InheritException(exception,&morph_image->exception);\n morph_image=DestroyImage(morph_image);\n return((Image *) NULL);\n }\n AppendImageToList(&morph_images,morph_image);\n morph_images=GetLastImageInList(morph_images);\n morph_image=ResizeImage(GetNextImageInList(next),morph_images->columns,\n morph_images->rows,GetNextImageInList(next)->filter,\n GetNextImageInList(next)->blur,exception);\n if (morph_image == (Image *) NULL)\n {\n morph_images=DestroyImageList(morph_images);\n return((Image *) NULL);\n }\n image_view=AcquireVirtualCacheView(morph_image,exception);\n morph_view=AcquireAuthenticCacheView(morph_images,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(status) \\\n magick_number_threads(morph_image,morph_image,morph_image->rows,1)\n#endif\n for (y=0; y < (ssize_t) morph_images->rows; y++)\n {\n MagickBooleanType\n sync;\n\n const PixelPacket\n *magick_restrict p;\n\n ssize_t\n x;\n\n PixelPacket\n *magick_restrict q;\n\n if (status == MagickFalse)\n continue;\n p=GetCacheViewVirtualPixels(image_view,0,y,morph_image->columns,1,\n exception);\n q=GetCacheViewAuthenticPixels(morph_view,0,y,morph_images->columns,1,\n exception);\n if ((p == (const PixelPacket *) NULL) || (q == (PixelPacket *) NULL))\n {\n status=MagickFalse;\n continue;\n }\n for (x=0; x < (ssize_t) morph_images->columns; x++)\n {\n SetPixelRed(q,ClampToQuantum(alpha*\n GetPixelRed(q)+beta*GetPixelRed(p)));\n SetPixelGreen(q,ClampToQuantum(alpha*\n GetPixelGreen(q)+beta*GetPixelGreen(p)));\n SetPixelBlue(q,ClampToQuantum(alpha*\n GetPixelBlue(q)+beta*GetPixelBlue(p)));\n SetPixelOpacity(q,ClampToQuantum(alpha*\n GetPixelOpacity(q)+beta*GetPixelOpacity(p)));\n p++;\n q++;\n }\n sync=SyncCacheViewAuthenticPixels(morph_view,exception);\n if (sync == MagickFalse)\n status=MagickFalse;\n }\n 
morph_view=DestroyCacheView(morph_view);\n image_view=DestroyCacheView(image_view);\n morph_image=DestroyImage(morph_image);\n }\n if (i < (ssize_t) number_frames)\n break;\n /*\n Clone last frame in sequence.\n */\n morph_image=CloneImage(GetNextImageInList(next),0,0,MagickTrue,exception);\n if (morph_image == (Image *) NULL)\n {\n morph_images=DestroyImageList(morph_images);\n return((Image *) NULL);\n }\n AppendImageToList(&morph_images,morph_image);\n morph_images=GetLastImageInList(morph_images);\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n proceed=SetImageProgress(image,MorphImageTag,scene,\n GetImageListLength(image));\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n scene++;\n }\n if (GetNextImageInList(next) != (Image *) NULL)\n {\n morph_images=DestroyImageList(morph_images);\n return((Image *) NULL);\n }\n return(GetFirstImageInList(morph_images));\n}", "project": "ImageMagick6", "hash": 170511033969456508527916950253326484407, "size": 192, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385761 }, { "func": "MagickExport Image *CharcoalImage(const Image *image,const double radius,\n const double sigma,ExceptionInfo *exception)\n{\n Image\n *charcoal_image,\n *edge_image;\n\n MagickBooleanType\n status;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n edge_image=EdgeImage(image,radius,exception);\n if (edge_image == (Image *) NULL)\n return((Image *) NULL);\n charcoal_image=(Image *) NULL;\n status=ClampImage(edge_image);\n if (status != MagickFalse)\n charcoal_image=BlurImage(edge_image,radius,sigma,exception);\n 
edge_image=DestroyImage(edge_image);\n if (charcoal_image == (Image *) NULL)\n return((Image *) NULL);\n status=NormalizeImage(charcoal_image);\n if (status != MagickFalse)\n status=NegateImage(charcoal_image,MagickFalse);\n if (status != MagickFalse)\n status=GrayscaleImage(charcoal_image,image->intensity);\n if (status == MagickFalse)\n charcoal_image=DestroyImage(charcoal_image);\n return(charcoal_image);\n}", "project": "ImageMagick6", "hash": 285539184370000784580885346681827680899, "size": 35, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385762 }, { "func": "MagickExport Image *WaveImage(const Image *image,const double amplitude,\n const double wave_length,ExceptionInfo *exception)\n{\n#define WaveImageTag \"Wave/Image\"\n\n CacheView\n *image_view,\n *wave_view;\n\n float\n *sine_map;\n\n Image\n *wave_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n MagickPixelPacket\n zero;\n\n ssize_t\n i;\n\n ssize_t\n y;\n\n /*\n Initialize wave image attributes.\n */\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n wave_image=CloneImage(image,image->columns,(size_t) (image->rows+2.0*\n fabs(amplitude)),MagickTrue,exception);\n if (wave_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(wave_image,DirectClass) == MagickFalse)\n {\n InheritException(exception,&wave_image->exception);\n wave_image=DestroyImage(wave_image);\n return((Image *) NULL);\n }\n if (wave_image->background_color.opacity != OpaqueOpacity)\n wave_image->matte=MagickTrue;\n /*\n Allocate sine map.\n */\n sine_map=(float *) AcquireQuantumMemory((size_t) wave_image->columns,\n 
sizeof(*sine_map));\n if (sine_map == (float *) NULL)\n {\n wave_image=DestroyImage(wave_image);\n ThrowImageException(ResourceLimitError,\"MemoryAllocationFailed\");\n }\n for (i=0; i < (ssize_t) wave_image->columns; i++)\n sine_map[i]=(float) fabs(amplitude)+amplitude*sin((double)\n ((2.0*MagickPI*i)*PerceptibleReciprocal(wave_length)));\n /*\n Wave image.\n */\n status=MagickTrue;\n progress=0;\n GetMagickPixelPacket(wave_image,&zero);\n image_view=AcquireVirtualCacheView(image,exception);\n wave_view=AcquireAuthenticCacheView(wave_image,exception);\n (void) SetCacheViewVirtualPixelMethod(image_view,\n BackgroundVirtualPixelMethod);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,wave_image,wave_image->rows,1)\n#endif\n for (y=0; y < (ssize_t) wave_image->rows; y++)\n {\n MagickPixelPacket\n pixel;\n\n IndexPacket\n *magick_restrict indexes;\n\n PixelPacket\n *magick_restrict q;\n\n ssize_t\n x;\n\n if (status == MagickFalse)\n continue;\n q=QueueCacheViewAuthenticPixels(wave_view,0,y,wave_image->columns,1,\n exception);\n if (q == (PixelPacket *) NULL)\n {\n status=MagickFalse;\n continue;\n }\n indexes=GetCacheViewAuthenticIndexQueue(wave_view);\n pixel=zero;\n for (x=0; x < (ssize_t) wave_image->columns; x++)\n {\n status=InterpolateMagickPixelPacket(image,image_view,\n UndefinedInterpolatePixel,(double) x,(double) (y-sine_map[x]),&pixel,\n exception);\n if (status == MagickFalse)\n break;\n SetPixelPacket(wave_image,&pixel,q,indexes+x);\n q++;\n }\n if (SyncCacheViewAuthenticPixels(wave_view,exception) == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(image,WaveImageTag,progress,image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n 
wave_view=DestroyCacheView(wave_view);\n image_view=DestroyCacheView(image_view);\n sine_map=(float *) RelinquishMagickMemory(sine_map);\n if (status == MagickFalse)\n wave_image=DestroyImage(wave_image);\n return(wave_image);\n}", "project": "ImageMagick6", "hash": 101226025493037855922393203126658342941, "size": 136, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385763 }, { "func": "MagickExport Image *AddNoiseImageChannel(const Image *image,\n const ChannelType channel,const NoiseType noise_type,ExceptionInfo *exception)\n{\n#define AddNoiseImageTag \"AddNoise/Image\"\n\n CacheView\n *image_view,\n *noise_view;\n\n const char\n *option;\n\n double\n attenuate;\n\n Image\n *noise_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n RandomInfo\n **magick_restrict random_info;\n\n ssize_t\n y;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n unsigned long\n key;\n#endif\n\n /*\n Initialize noise image attributes.\n */\n assert(image != (const Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n#if defined(MAGICKCORE_OPENCL_SUPPORT)\n noise_image=AccelerateAddNoiseImage(image,channel,noise_type,exception);\n if (noise_image != (Image *) NULL)\n return(noise_image);\n#endif\n noise_image=CloneImage(image,0,0,MagickTrue,exception);\n if (noise_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(noise_image,DirectClass) == MagickFalse)\n {\n InheritException(exception,&noise_image->exception);\n noise_image=DestroyImage(noise_image);\n return((Image *) NULL);\n }\n /*\n Add noise in each row.\n */\n attenuate=1.0;\n option=GetImageArtifact(image,\"attenuate\");\n if (option != 
(char *) NULL)\n attenuate=StringToDouble(option,(char **) NULL);\n status=MagickTrue;\n progress=0;\n random_info=AcquireRandomInfoThreadSet();\n image_view=AcquireVirtualCacheView(image,exception);\n noise_view=AcquireAuthenticCacheView(noise_image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n key=GetRandomSecretKey(random_info[0]);\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,noise_image,image->rows,key == ~0UL)\n#endif\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n const int\n id = GetOpenMPThreadId();\n\n MagickBooleanType\n sync;\n\n const IndexPacket\n *magick_restrict indexes;\n\n const PixelPacket\n *magick_restrict p;\n\n IndexPacket\n *magick_restrict noise_indexes;\n\n ssize_t\n x;\n\n PixelPacket\n *magick_restrict q;\n\n if (status == MagickFalse)\n continue;\n p=GetCacheViewVirtualPixels(image_view,0,y,image->columns,1,exception);\n q=GetCacheViewAuthenticPixels(noise_view,0,y,noise_image->columns,1,\n exception);\n if ((p == (PixelPacket *) NULL) || (q == (PixelPacket *) NULL))\n {\n status=MagickFalse;\n continue;\n }\n indexes=GetCacheViewVirtualIndexQueue(image_view);\n noise_indexes=GetCacheViewAuthenticIndexQueue(noise_view);\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n if ((channel & RedChannel) != 0)\n SetPixelRed(q,ClampToQuantum(GenerateDifferentialNoise(random_info[id],\n GetPixelRed(p),noise_type,attenuate)));\n if (IsGrayColorspace(image->colorspace) != MagickFalse)\n {\n SetPixelGreen(q,GetPixelRed(q));\n SetPixelBlue(q,GetPixelRed(q));\n }\n else\n {\n if ((channel & GreenChannel) != 0)\n SetPixelGreen(q,ClampToQuantum(GenerateDifferentialNoise(\n random_info[id],GetPixelGreen(p),noise_type,attenuate)));\n if ((channel & BlueChannel) != 0)\n SetPixelBlue(q,ClampToQuantum(GenerateDifferentialNoise(\n random_info[id],GetPixelBlue(p),noise_type,attenuate)));\n }\n if ((channel & OpacityChannel) != 0)\n SetPixelOpacity(q,ClampToQuantum(GenerateDifferentialNoise(\n 
random_info[id],GetPixelOpacity(p),noise_type,attenuate)));\n if (((channel & IndexChannel) != 0) &&\n (image->colorspace == CMYKColorspace))\n SetPixelIndex(noise_indexes+x,ClampToQuantum(\n GenerateDifferentialNoise(random_info[id],GetPixelIndex(\n indexes+x),noise_type,attenuate)));\n p++;\n q++;\n }\n sync=SyncCacheViewAuthenticPixels(noise_view,exception);\n if (sync == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(image,AddNoiseImageTag,progress,image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n noise_view=DestroyCacheView(noise_view);\n image_view=DestroyCacheView(image_view);\n random_info=DestroyRandomInfoThreadSet(random_info);\n if (status == MagickFalse)\n noise_image=DestroyImage(noise_image);\n return(noise_image);\n}", "project": "ImageMagick6", "hash": 154378082209657816592208922158675646806, "size": 164, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385765 }, { "func": "MagickExport Image *ColorizeImage(const Image *image,const char *opacity,\n const PixelPacket colorize,ExceptionInfo *exception)\n{\n#define ColorizeImageTag \"Colorize/Image\"\n\n CacheView\n *colorize_view,\n *image_view;\n\n GeometryInfo\n geometry_info;\n\n Image\n *colorize_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n MagickPixelPacket\n pixel;\n\n MagickStatusType\n flags;\n\n ssize_t\n y;\n\n /*\n Allocate colorized image.\n */\n assert(image != (const Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == 
MagickCoreSignature);\n colorize_image=CloneImage(image,0,0,MagickTrue,exception);\n if (colorize_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(colorize_image,DirectClass) == MagickFalse)\n {\n InheritException(exception,&colorize_image->exception);\n colorize_image=DestroyImage(colorize_image);\n return((Image *) NULL);\n }\n if ((IsGrayColorspace(image->colorspace) != MagickFalse) ||\n (IsPixelGray(&colorize) != MagickFalse))\n (void) SetImageColorspace(colorize_image,sRGBColorspace);\n if ((colorize_image->matte == MagickFalse) &&\n (colorize.opacity != OpaqueOpacity))\n (void) SetImageAlphaChannel(colorize_image,OpaqueAlphaChannel);\n if (opacity == (const char *) NULL)\n return(colorize_image);\n /*\n Determine RGB values of the pen color.\n */\n flags=ParseGeometry(opacity,&geometry_info);\n pixel.red=geometry_info.rho;\n pixel.green=geometry_info.rho;\n pixel.blue=geometry_info.rho;\n pixel.opacity=(MagickRealType) OpaqueOpacity;\n if ((flags & SigmaValue) != 0)\n pixel.green=geometry_info.sigma;\n if ((flags & XiValue) != 0)\n pixel.blue=geometry_info.xi;\n if ((flags & PsiValue) != 0)\n pixel.opacity=geometry_info.psi;\n /*\n Colorize DirectClass image.\n */\n status=MagickTrue;\n progress=0;\n image_view=AcquireVirtualCacheView(image,exception);\n colorize_view=AcquireAuthenticCacheView(colorize_image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,colorize_image,image->rows,1)\n#endif\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n MagickBooleanType\n sync;\n\n const PixelPacket\n *magick_restrict p;\n\n ssize_t\n x;\n\n PixelPacket\n *magick_restrict q;\n\n if (status == MagickFalse)\n continue;\n p=GetCacheViewVirtualPixels(image_view,0,y,image->columns,1,exception);\n q=QueueCacheViewAuthenticPixels(colorize_view,0,y,colorize_image->columns,1,\n exception);\n if ((p == (const PixelPacket *) NULL) || (q == 
(PixelPacket *) NULL))\n {\n status=MagickFalse;\n continue;\n }\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n SetPixelRed(q,((GetPixelRed(p)*(100.0-pixel.red)+\n colorize.red*pixel.red)/100.0));\n SetPixelGreen(q,((GetPixelGreen(p)*(100.0-pixel.green)+\n colorize.green*pixel.green)/100.0));\n SetPixelBlue(q,((GetPixelBlue(p)*(100.0-pixel.blue)+\n colorize.blue*pixel.blue)/100.0));\n if (colorize_image->matte == MagickFalse)\n SetPixelOpacity(q,GetPixelOpacity(p));\n else\n SetPixelOpacity(q,((GetPixelOpacity(p)*(100.0-pixel.opacity)+\n colorize.opacity*pixel.opacity)/100.0));\n p++;\n q++;\n }\n sync=SyncCacheViewAuthenticPixels(colorize_view,exception);\n if (sync == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(image,ColorizeImageTag,progress,image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n image_view=DestroyCacheView(image_view);\n colorize_view=DestroyCacheView(colorize_view);\n if (status == MagickFalse)\n colorize_image=DestroyImage(colorize_image);\n return(colorize_image);\n}", "project": "ImageMagick6", "hash": 224929501802956776020990946667813241325, "size": 144, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385767 }, { "func": "MagickExport Image *PolaroidImage(const Image *image,const DrawInfo *draw_info,\n const double angle,ExceptionInfo *exception)\n{\n const char\n *value;\n\n Image\n *bend_image,\n *caption_image,\n *flop_image,\n *picture_image,\n *polaroid_image,\n *rotate_image,\n *trim_image;\n\n size_t\n height;\n\n ssize_t\n quantum;\n\n /*\n Simulate a Polaroid picture.\n */\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != 
MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n quantum=(ssize_t) MagickMax(MagickMax((double) image->columns,(double)\n image->rows)/25.0,10.0);\n height=image->rows+2*quantum;\n caption_image=(Image *) NULL;\n value=GetImageProperty(image,\"Caption\");\n if (value != (const char *) NULL)\n {\n char\n *caption;\n\n /*\n Generate caption image.\n */\n caption_image=CloneImage(image,image->columns,1,MagickTrue,exception);\n if (caption_image == (Image *) NULL)\n return((Image *) NULL);\n caption=InterpretImageProperties((ImageInfo *) NULL,(Image *) image,\n value);\n if (caption != (char *) NULL)\n {\n char\n geometry[MaxTextExtent];\n\n DrawInfo\n *annotate_info;\n\n MagickBooleanType\n status;\n\n ssize_t\n count;\n\n TypeMetric\n metrics;\n\n annotate_info=CloneDrawInfo((const ImageInfo *) NULL,draw_info);\n (void) CloneString(&annotate_info->text,caption);\n count=FormatMagickCaption(caption_image,annotate_info,MagickTrue,\n &metrics,&caption);\n status=SetImageExtent(caption_image,image->columns,(size_t)\n ((count+1)*(metrics.ascent-metrics.descent)+0.5));\n if (status == MagickFalse)\n caption_image=DestroyImage(caption_image);\n else\n {\n caption_image->background_color=image->border_color;\n (void) SetImageBackgroundColor(caption_image);\n (void) CloneString(&annotate_info->text,caption);\n (void) FormatLocaleString(geometry,MaxTextExtent,\"+0+%.20g\",\n metrics.ascent);\n if (annotate_info->gravity == UndefinedGravity)\n (void) CloneString(&annotate_info->geometry,AcquireString(\n geometry));\n (void) AnnotateImage(caption_image,annotate_info);\n height+=caption_image->rows;\n }\n annotate_info=DestroyDrawInfo(annotate_info);\n caption=DestroyString(caption);\n }\n }\n picture_image=CloneImage(image,image->columns+2*quantum,height,MagickTrue,\n exception);\n if (picture_image == (Image *) NULL)\n {\n if 
(caption_image != (Image *) NULL)\n caption_image=DestroyImage(caption_image);\n return((Image *) NULL);\n }\n picture_image->background_color=image->border_color;\n (void) SetImageBackgroundColor(picture_image);\n (void) CompositeImage(picture_image,OverCompositeOp,image,quantum,quantum);\n if (caption_image != (Image *) NULL)\n {\n (void) CompositeImage(picture_image,OverCompositeOp,caption_image,\n quantum,(ssize_t) (image->rows+3*quantum/2));\n caption_image=DestroyImage(caption_image);\n }\n (void) QueryColorDatabase(\"none\",&picture_image->background_color,exception);\n (void) SetImageAlphaChannel(picture_image,OpaqueAlphaChannel);\n rotate_image=RotateImage(picture_image,90.0,exception);\n picture_image=DestroyImage(picture_image);\n if (rotate_image == (Image *) NULL)\n return((Image *) NULL);\n picture_image=rotate_image;\n bend_image=WaveImage(picture_image,0.01*picture_image->rows,2.0*\n picture_image->columns,exception);\n picture_image=DestroyImage(picture_image);\n if (bend_image == (Image *) NULL)\n return((Image *) NULL);\n InheritException(&bend_image->exception,exception);\n picture_image=bend_image;\n rotate_image=RotateImage(picture_image,-90.0,exception);\n picture_image=DestroyImage(picture_image);\n if (rotate_image == (Image *) NULL)\n return((Image *) NULL);\n picture_image=rotate_image;\n picture_image->background_color=image->background_color;\n polaroid_image=ShadowImage(picture_image,80.0,2.0,quantum/3,quantum/3,\n exception);\n if (polaroid_image == (Image *) NULL)\n {\n picture_image=DestroyImage(picture_image);\n return(picture_image);\n }\n flop_image=FlopImage(polaroid_image,exception);\n polaroid_image=DestroyImage(polaroid_image);\n if (flop_image == (Image *) NULL)\n {\n picture_image=DestroyImage(picture_image);\n return(picture_image);\n }\n polaroid_image=flop_image;\n (void) CompositeImage(polaroid_image,OverCompositeOp,picture_image,\n (ssize_t) (-0.01*picture_image->columns/2.0),0L);\n 
picture_image=DestroyImage(picture_image);\n (void) QueryColorDatabase(\"none\",&polaroid_image->background_color,exception);\n rotate_image=RotateImage(polaroid_image,angle,exception);\n polaroid_image=DestroyImage(polaroid_image);\n if (rotate_image == (Image *) NULL)\n return((Image *) NULL);\n polaroid_image=rotate_image;\n trim_image=TrimImage(polaroid_image,exception);\n polaroid_image=DestroyImage(polaroid_image);\n if (trim_image == (Image *) NULL)\n return((Image *) NULL);\n polaroid_image=trim_image;\n return(polaroid_image);\n}", "project": "ImageMagick6", "hash": 34424499474353875834407458480521254695, "size": 158, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385771 }, { "func": "MagickExport Image *StereoAnaglyphImage(const Image *left_image,\n const Image *right_image,const ssize_t x_offset,const ssize_t y_offset,\n ExceptionInfo *exception)\n{\n#define StereoImageTag \"Stereo/Image\"\n\n const Image\n *image;\n\n Image\n *stereo_image;\n\n MagickBooleanType\n status;\n\n ssize_t\n y;\n\n assert(left_image != (const Image *) NULL);\n assert(left_image->signature == MagickCoreSignature);\n if (left_image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",\n left_image->filename);\n assert(right_image != (const Image *) NULL);\n assert(right_image->signature == MagickCoreSignature);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n image=left_image;\n if ((left_image->columns != right_image->columns) ||\n (left_image->rows != right_image->rows))\n ThrowImageException(ImageError,\"LeftAndRightImageSizesDiffer\");\n /*\n Initialize stereo image attributes.\n */\n stereo_image=CloneImage(left_image,left_image->columns,left_image->rows,\n MagickTrue,exception);\n if (stereo_image == (Image *) NULL)\n return((Image *) NULL);\n if 
(SetImageStorageClass(stereo_image,DirectClass) == MagickFalse)\n {\n InheritException(exception,&stereo_image->exception);\n stereo_image=DestroyImage(stereo_image);\n return((Image *) NULL);\n }\n (void) SetImageColorspace(stereo_image,sRGBColorspace);\n /*\n Copy left image to red channel and right image to blue channel.\n */\n status=MagickTrue;\n for (y=0; y < (ssize_t) stereo_image->rows; y++)\n {\n const PixelPacket\n *magick_restrict p,\n *magick_restrict q;\n\n ssize_t\n x;\n\n PixelPacket\n *magick_restrict r;\n\n p=GetVirtualPixels(left_image,-x_offset,y-y_offset,image->columns,1,\n exception);\n q=GetVirtualPixels(right_image,0,y,right_image->columns,1,exception);\n r=QueueAuthenticPixels(stereo_image,0,y,stereo_image->columns,1,exception);\n if ((p == (PixelPacket *) NULL) || (q == (PixelPacket *) NULL) ||\n (r == (PixelPacket *) NULL))\n break;\n for (x=0; x < (ssize_t) stereo_image->columns; x++)\n {\n SetPixelRed(r,GetPixelRed(p));\n SetPixelGreen(r,GetPixelGreen(q));\n SetPixelBlue(r,GetPixelBlue(q));\n SetPixelOpacity(r,(GetPixelOpacity(p)+q->opacity)/2);\n p++;\n q++;\n r++;\n }\n if (SyncAuthenticPixels(stereo_image,exception) == MagickFalse)\n break;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n proceed=SetImageProgress(image,StereoImageTag,(MagickOffsetType) y,\n stereo_image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n if (status == MagickFalse)\n stereo_image=DestroyImage(stereo_image);\n return(stereo_image);\n}", "project": "ImageMagick6", "hash": 97438503035949578964443841752161628172, "size": 95, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385774 }, { "func": "MagickExport Image *SepiaToneImage(const Image *image,const double threshold,\n ExceptionInfo *exception)\n{\n#define SepiaToneImageTag \"SepiaTone/Image\"\n\n CacheView\n 
*image_view,\n *sepia_view;\n\n Image\n *sepia_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n ssize_t\n y;\n\n /*\n Initialize sepia-toned image attributes.\n */\n assert(image != (const Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n sepia_image=CloneImage(image,0,0,MagickTrue,exception);\n if (sepia_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(sepia_image,DirectClass) == MagickFalse)\n {\n InheritException(exception,&sepia_image->exception);\n sepia_image=DestroyImage(sepia_image);\n return((Image *) NULL);\n }\n /*\n Tone each row of the image.\n */\n status=MagickTrue;\n progress=0;\n image_view=AcquireVirtualCacheView(image,exception);\n sepia_view=AcquireAuthenticCacheView(sepia_image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,sepia_image,image->rows,1)\n#endif\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n const PixelPacket\n *magick_restrict p;\n\n ssize_t\n x;\n\n PixelPacket\n *magick_restrict q;\n\n if (status == MagickFalse)\n continue;\n p=GetCacheViewVirtualPixels(image_view,0,y,image->columns,1,exception);\n q=QueueCacheViewAuthenticPixels(sepia_view,0,y,sepia_image->columns,1,\n exception);\n if ((p == (const PixelPacket *) NULL) || (q == (PixelPacket *) NULL))\n {\n status=MagickFalse;\n continue;\n }\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n double\n intensity,\n tone;\n\n intensity=GetPixelIntensity(image,p);\n tone=intensity > threshold ? (double) QuantumRange : intensity+\n (double) QuantumRange-threshold;\n SetPixelRed(q,ClampToQuantum(tone));\n tone=intensity > (7.0*threshold/6.0) ? 
(double) QuantumRange :\n intensity+(double) QuantumRange-7.0*threshold/6.0;\n SetPixelGreen(q,ClampToQuantum(tone));\n tone=intensity < (threshold/6.0) ? 0 : intensity-threshold/6.0;\n SetPixelBlue(q,ClampToQuantum(tone));\n tone=threshold/7.0;\n if ((double) GetPixelGreen(q) < tone)\n SetPixelGreen(q,ClampToQuantum(tone));\n if ((double) GetPixelBlue(q) < tone)\n SetPixelBlue(q,ClampToQuantum(tone));\n SetPixelOpacity(q,GetPixelOpacity(p));\n p++;\n q++;\n }\n if (SyncCacheViewAuthenticPixels(sepia_view,exception) == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(image,SepiaToneImageTag,progress,image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n sepia_view=DestroyCacheView(sepia_view);\n image_view=DestroyCacheView(image_view);\n (void) NormalizeImage(sepia_image);\n (void) ContrastImage(sepia_image,MagickTrue);\n if (status == MagickFalse)\n sepia_image=DestroyImage(sepia_image);\n return(sepia_image);\n}", "project": "ImageMagick6", "hash": 336114956007454188148670099784213415921, "size": 119, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385775 }, { "func": "MagickExport Image *BlueShiftImage(const Image *image,const double factor,\n ExceptionInfo *exception)\n{\n#define BlueShiftImageTag \"BlueShift/Image\"\n\n CacheView\n *image_view,\n *shift_view;\n\n Image\n *shift_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n ssize_t\n y;\n\n /*\n Allocate blue shift image.\n */\n assert(image != (const Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != 
(ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n shift_image=CloneImage(image,0,0,MagickTrue,exception);\n if (shift_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(shift_image,DirectClass) == MagickFalse)\n {\n InheritException(exception,&shift_image->exception);\n shift_image=DestroyImage(shift_image);\n return((Image *) NULL);\n }\n /*\n Blue-shift DirectClass image.\n */\n status=MagickTrue;\n progress=0;\n image_view=AcquireVirtualCacheView(image,exception);\n shift_view=AcquireAuthenticCacheView(shift_image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,shift_image,image->rows,1)\n#endif\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n MagickBooleanType\n sync;\n\n MagickPixelPacket\n pixel;\n\n Quantum\n quantum;\n\n const PixelPacket\n *magick_restrict p;\n\n ssize_t\n x;\n\n PixelPacket\n *magick_restrict q;\n\n if (status == MagickFalse)\n continue;\n p=GetCacheViewVirtualPixels(image_view,0,y,image->columns,1,exception);\n q=QueueCacheViewAuthenticPixels(shift_view,0,y,shift_image->columns,1,\n exception);\n if ((p == (const PixelPacket *) NULL) || (q == (PixelPacket *) NULL))\n {\n status=MagickFalse;\n continue;\n }\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n quantum=GetPixelRed(p);\n if (GetPixelGreen(p) < quantum)\n quantum=GetPixelGreen(p);\n if (GetPixelBlue(p) < quantum)\n quantum=GetPixelBlue(p);\n pixel.red=0.5*(GetPixelRed(p)+factor*quantum);\n pixel.green=0.5*(GetPixelGreen(p)+factor*quantum);\n pixel.blue=0.5*(GetPixelBlue(p)+factor*quantum);\n quantum=GetPixelRed(p);\n if (GetPixelGreen(p) > quantum)\n quantum=GetPixelGreen(p);\n if (GetPixelBlue(p) > quantum)\n quantum=GetPixelBlue(p);\n pixel.red=0.5*(pixel.red+factor*quantum);\n pixel.green=0.5*(pixel.green+factor*quantum);\n pixel.blue=0.5*(pixel.blue+factor*quantum);\n 
SetPixelRed(q,ClampToQuantum(pixel.red));\n SetPixelGreen(q,ClampToQuantum(pixel.green));\n SetPixelBlue(q,ClampToQuantum(pixel.blue));\n p++;\n q++;\n }\n sync=SyncCacheViewAuthenticPixels(shift_view,exception);\n if (sync == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(image,BlueShiftImageTag,progress,image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n image_view=DestroyCacheView(image_view);\n shift_view=DestroyCacheView(shift_view);\n if (status == MagickFalse)\n shift_image=DestroyImage(shift_image);\n return(shift_image);\n}", "project": "ImageMagick6", "hash": 327476193371963073629593017628603016935, "size": 127, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385779 }, { "func": "MagickExport Image *SwirlImage(const Image *image,double degrees,\n ExceptionInfo *exception)\n{\n#define SwirlImageTag \"Swirl/Image\"\n\n CacheView\n *image_view,\n *swirl_view;\n\n double\n radius;\n\n Image\n *swirl_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n MagickPixelPacket\n zero;\n\n PointInfo\n center,\n scale;\n\n ssize_t\n y;\n\n /*\n Initialize swirl image attributes.\n */\n assert(image != (const Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n swirl_image=CloneImage(image,0,0,MagickTrue,exception);\n if (swirl_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(swirl_image,DirectClass) == MagickFalse)\n {\n 
InheritException(exception,&swirl_image->exception);\n swirl_image=DestroyImage(swirl_image);\n return((Image *) NULL);\n }\n if (swirl_image->background_color.opacity != OpaqueOpacity)\n swirl_image->matte=MagickTrue;\n /*\n Compute scaling factor.\n */\n center.x=(double) image->columns/2.0;\n center.y=(double) image->rows/2.0;\n radius=MagickMax(center.x,center.y);\n scale.x=1.0;\n scale.y=1.0;\n if (image->columns > image->rows)\n scale.y=(double) image->columns/(double) image->rows;\n else\n if (image->columns < image->rows)\n scale.x=(double) image->rows/(double) image->columns;\n degrees=(double) DegreesToRadians(degrees);\n /*\n Swirl image.\n */\n status=MagickTrue;\n progress=0;\n GetMagickPixelPacket(swirl_image,&zero);\n image_view=AcquireVirtualCacheView(image,exception);\n swirl_view=AcquireAuthenticCacheView(swirl_image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,swirl_image,image->rows,1)\n#endif\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n double\n distance;\n\n MagickPixelPacket\n pixel;\n\n PointInfo\n delta;\n\n IndexPacket\n *magick_restrict swirl_indexes;\n\n ssize_t\n x;\n\n PixelPacket\n *magick_restrict q;\n\n if (status == MagickFalse)\n continue;\n q=GetCacheViewAuthenticPixels(swirl_view,0,y,swirl_image->columns,1,\n exception);\n if (q == (PixelPacket *) NULL)\n {\n status=MagickFalse;\n continue;\n }\n swirl_indexes=GetCacheViewAuthenticIndexQueue(swirl_view);\n delta.y=scale.y*(double) (y-center.y);\n pixel=zero;\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n /*\n Determine if the pixel is within an ellipse.\n */\n delta.x=scale.x*(double) (x-center.x);\n distance=delta.x*delta.x+delta.y*delta.y;\n if (distance < (radius*radius))\n {\n double\n cosine,\n factor,\n sine;\n\n /*\n Swirl the pixel.\n */\n factor=1.0-sqrt(distance)/radius;\n sine=sin((double) (degrees*factor*factor));\n cosine=cos((double) 
(degrees*factor*factor));\n status=InterpolateMagickPixelPacket(image,image_view,\n UndefinedInterpolatePixel,(double) ((cosine*delta.x-sine*delta.y)/\n scale.x+center.x),(double) ((sine*delta.x+cosine*delta.y)/scale.y+\n center.y),&pixel,exception);\n if (status == MagickFalse)\n break;\n SetPixelPacket(swirl_image,&pixel,q,swirl_indexes+x);\n }\n q++;\n }\n if (SyncCacheViewAuthenticPixels(swirl_view,exception) == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(image,SwirlImageTag,progress,image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n swirl_view=DestroyCacheView(swirl_view);\n image_view=DestroyCacheView(image_view);\n if (status == MagickFalse)\n swirl_image=DestroyImage(swirl_image);\n return(swirl_image);\n}", "project": "ImageMagick6", "hash": 175203348974155502850801611844941440748, "size": 161, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385780 }, { "func": "MagickExport Image *TintImage(const Image *image,const char *opacity,\n const PixelPacket tint,ExceptionInfo *exception)\n{\n#define TintImageTag \"Tint/Image\"\n\n CacheView\n *image_view,\n *tint_view;\n\n GeometryInfo\n geometry_info;\n\n Image\n *tint_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n MagickPixelPacket\n color_vector,\n pixel;\n\n MagickStatusType\n flags;\n\n ssize_t\n y;\n\n /*\n Allocate tint image.\n */\n assert(image != (const Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n 
tint_image=CloneImage(image,0,0,MagickTrue,exception);\n if (tint_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(tint_image,DirectClass) == MagickFalse)\n {\n InheritException(exception,&tint_image->exception);\n tint_image=DestroyImage(tint_image);\n return((Image *) NULL);\n }\n if ((IsGrayColorspace(image->colorspace) != MagickFalse) &&\n (IsPixelGray(&tint) == MagickFalse))\n (void) SetImageColorspace(tint_image,sRGBColorspace);\n if (opacity == (const char *) NULL)\n return(tint_image);\n /*\n Determine RGB values of the tint color.\n */\n flags=ParseGeometry(opacity,&geometry_info);\n pixel.red=geometry_info.rho;\n pixel.green=geometry_info.rho;\n pixel.blue=geometry_info.rho;\n pixel.opacity=(MagickRealType) OpaqueOpacity;\n if ((flags & SigmaValue) != 0)\n pixel.green=geometry_info.sigma;\n if ((flags & XiValue) != 0)\n pixel.blue=geometry_info.xi;\n if ((flags & PsiValue) != 0)\n pixel.opacity=geometry_info.psi;\n color_vector.red=(MagickRealType) (pixel.red*tint.red/100.0-\n PixelPacketIntensity(&tint));\n color_vector.green=(MagickRealType) (pixel.green*tint.green/100.0-\n PixelPacketIntensity(&tint));\n color_vector.blue=(MagickRealType) (pixel.blue*tint.blue/100.0-\n PixelPacketIntensity(&tint));\n /*\n Tint image.\n */\n status=MagickTrue;\n progress=0;\n image_view=AcquireVirtualCacheView(image,exception);\n tint_view=AcquireAuthenticCacheView(tint_image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,tint_image,image->rows,1)\n#endif\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n const PixelPacket\n *magick_restrict p;\n\n PixelPacket\n *magick_restrict q;\n\n ssize_t\n x;\n\n if (status == MagickFalse)\n continue;\n p=GetCacheViewVirtualPixels(image_view,0,y,image->columns,1,exception);\n q=QueueCacheViewAuthenticPixels(tint_view,0,y,tint_image->columns,1,\n exception);\n if ((p == (const PixelPacket *) NULL) || 
(q == (PixelPacket *) NULL))\n {\n status=MagickFalse;\n continue;\n }\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n double\n weight;\n\n MagickPixelPacket\n pixel;\n\n weight=QuantumScale*GetPixelRed(p)-0.5;\n pixel.red=(MagickRealType) GetPixelRed(p)+color_vector.red*(1.0-(4.0*\n (weight*weight)));\n SetPixelRed(q,ClampToQuantum(pixel.red));\n weight=QuantumScale*GetPixelGreen(p)-0.5;\n pixel.green=(MagickRealType) GetPixelGreen(p)+color_vector.green*(1.0-\n (4.0*(weight*weight)));\n SetPixelGreen(q,ClampToQuantum(pixel.green));\n weight=QuantumScale*GetPixelBlue(p)-0.5;\n pixel.blue=(MagickRealType) GetPixelBlue(p)+color_vector.blue*(1.0-(4.0*\n (weight*weight)));\n SetPixelBlue(q,ClampToQuantum(pixel.blue));\n SetPixelOpacity(q,GetPixelOpacity(p));\n p++;\n q++;\n }\n if (SyncCacheViewAuthenticPixels(tint_view,exception) == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(image,TintImageTag,progress,image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n tint_view=DestroyCacheView(tint_view);\n image_view=DestroyCacheView(image_view);\n if (status == MagickFalse)\n tint_image=DestroyImage(tint_image);\n return(tint_image);\n}", "project": "ImageMagick6", "hash": 136396508258986688143634733129212882346, "size": 152, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385781 }, { "func": "MagickExport Image *VignetteImage(const Image *image,const double radius,\n const double sigma,const ssize_t x,const ssize_t y,ExceptionInfo *exception)\n{\n char\n ellipse[MaxTextExtent];\n\n DrawInfo\n *draw_info;\n\n Image\n *blur_image,\n *canvas_image,\n *oval_image,\n *vignette_image;\n\n assert(image != (Image *) NULL);\n 
assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n canvas_image=CloneImage(image,0,0,MagickTrue,exception);\n if (canvas_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(canvas_image,DirectClass) == MagickFalse)\n {\n InheritException(exception,&canvas_image->exception);\n canvas_image=DestroyImage(canvas_image);\n return((Image *) NULL);\n }\n canvas_image->matte=MagickTrue;\n oval_image=CloneImage(canvas_image,canvas_image->columns,canvas_image->rows,\n MagickTrue,exception);\n if (oval_image == (Image *) NULL)\n {\n canvas_image=DestroyImage(canvas_image);\n return((Image *) NULL);\n }\n (void) QueryColorDatabase(\"#000000\",&oval_image->background_color,exception);\n (void) SetImageBackgroundColor(oval_image);\n draw_info=CloneDrawInfo((const ImageInfo *) NULL,(const DrawInfo *) NULL);\n (void) QueryColorDatabase(\"#ffffff\",&draw_info->fill,exception);\n (void) QueryColorDatabase(\"#ffffff\",&draw_info->stroke,exception);\n (void) FormatLocaleString(ellipse,MaxTextExtent,\n \"ellipse %g,%g,%g,%g,0.0,360.0\",image->columns/2.0,\n image->rows/2.0,image->columns/2.0-x,image->rows/2.0-y);\n draw_info->primitive=AcquireString(ellipse);\n (void) DrawImage(oval_image,draw_info);\n draw_info=DestroyDrawInfo(draw_info);\n blur_image=BlurImage(oval_image,radius,sigma,exception);\n oval_image=DestroyImage(oval_image);\n if (blur_image == (Image *) NULL)\n {\n canvas_image=DestroyImage(canvas_image);\n return((Image *) NULL);\n }\n blur_image->matte=MagickFalse;\n (void) CompositeImage(canvas_image,CopyOpacityCompositeOp,blur_image,0,0);\n blur_image=DestroyImage(blur_image);\n vignette_image=MergeImageLayers(canvas_image,FlattenLayer,exception);\n canvas_image=DestroyImage(canvas_image);\n if (vignette_image != (Image *) NULL)\n 
(void) TransformImageColorspace(vignette_image,image->colorspace);\n return(vignette_image);\n}", "project": "ImageMagick6", "hash": 105069194825224569848517755177973313020, "size": 65, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385782 }, { "func": "MagickExport Image *PolynomialImage(const Image *images,\n const size_t number_terms,const double *terms,ExceptionInfo *exception)\n{\n#define PolynomialImageTag \"Polynomial/Image\"\n\n CacheView\n *polynomial_view;\n\n Image\n *image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n PixelChannels\n **magick_restrict polynomial_pixels;\n\n size_t\n number_images;\n\n ssize_t\n y;\n\n assert(images != (Image *) NULL);\n assert(images->signature == MagickCoreSignature);\n if (images->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",images->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n image=AcquireImageCanvas(images,exception);\n if (image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(image,DirectClass,exception) == MagickFalse)\n {\n image=DestroyImage(image);\n return((Image *) NULL);\n }\n number_images=GetImageListLength(images);\n polynomial_pixels=AcquirePixelThreadSet(images);\n if (polynomial_pixels == (PixelChannels **) NULL)\n {\n image=DestroyImage(image);\n (void) ThrowMagickException(exception,GetMagickModule(),\n ResourceLimitError,\"MemoryAllocationFailed\",\"`%s'\",images->filename);\n return((Image *) NULL);\n }\n /*\n Polynomial image pixels.\n */\n status=MagickTrue;\n progress=0;\n polynomial_view=AcquireAuthenticCacheView(image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,image,image->rows,1)\n#endif\n for (y=0; y < (ssize_t) 
image->rows; y++)\n {\n CacheView\n *image_view;\n\n const Image\n *next;\n\n const int\n id = GetOpenMPThreadId();\n\n ssize_t\n i,\n x;\n\n PixelChannels\n *polynomial_pixel;\n\n Quantum\n *magick_restrict q;\n\n ssize_t\n j;\n\n if (status == MagickFalse)\n continue;\n q=QueueCacheViewAuthenticPixels(polynomial_view,0,y,image->columns,1,\n exception);\n if (q == (Quantum *) NULL)\n {\n status=MagickFalse;\n continue;\n }\n polynomial_pixel=polynomial_pixels[id];\n for (j=0; j < (ssize_t) image->columns; j++)\n for (i=0; i < MaxPixelChannels; i++)\n polynomial_pixel[j].channel[i]=0.0;\n next=images;\n for (j=0; j < (ssize_t) number_images; j++)\n {\n const Quantum\n *p;\n\n if (j >= (ssize_t) number_terms)\n continue;\n image_view=AcquireVirtualCacheView(next,exception);\n p=GetCacheViewVirtualPixels(image_view,0,y,image->columns,1,exception);\n if (p == (const Quantum *) NULL)\n {\n image_view=DestroyCacheView(image_view);\n break;\n }\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n ssize_t\n i;\n\n for (i=0; i < (ssize_t) GetPixelChannels(next); i++)\n {\n MagickRealType\n coefficient,\n degree;\n\n PixelChannel channel = GetPixelChannelChannel(image,i);\n PixelTrait traits = GetPixelChannelTraits(next,channel);\n PixelTrait polynomial_traits=GetPixelChannelTraits(image,channel);\n if ((traits == UndefinedPixelTrait) ||\n (polynomial_traits == UndefinedPixelTrait))\n continue;\n if ((traits & UpdatePixelTrait) == 0)\n continue;\n coefficient=(MagickRealType) terms[2*j];\n degree=(MagickRealType) terms[(j << 1)+1];\n polynomial_pixel[x].channel[i]+=coefficient*\n pow(QuantumScale*GetPixelChannel(image,channel,p),degree);\n }\n p+=GetPixelChannels(next);\n }\n image_view=DestroyCacheView(image_view);\n next=GetNextImageInList(next);\n }\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n ssize_t\n i;\n\n for (i=0; i < (ssize_t) GetPixelChannels(image); i++)\n {\n PixelChannel channel = GetPixelChannelChannel(image,i);\n PixelTrait traits = 
GetPixelChannelTraits(image,channel);\n if (traits == UndefinedPixelTrait)\n continue;\n if ((traits & UpdatePixelTrait) == 0)\n continue;\n q[i]=ClampToQuantum(QuantumRange*polynomial_pixel[x].channel[i]);\n }\n q+=GetPixelChannels(image);\n }\n if (SyncCacheViewAuthenticPixels(polynomial_view,exception) == MagickFalse)\n status=MagickFalse;\n if (images->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(images,PolynomialImageTag,progress,\n image->rows);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n polynomial_view=DestroyCacheView(polynomial_view);\n polynomial_pixels=DestroyPixelThreadSet(images,polynomial_pixels);\n if (status == MagickFalse)\n image=DestroyImage(image);\n return(image);\n}", "project": "ImageMagick", "hash": 118572384476724939939771906852237838314, "size": 180, "commit_id": "4717744e4bb27de8ea978e51c6d5bcddf62ffe49", "message": "https://github.com/ImageMagick/ImageMagick/issues/3332", "target": 0, "dataset": "other", "idx": 388286 }, { "func": "static PixelChannels **DestroyPixelThreadSet(const Image *images,\n PixelChannels **pixels)\n{\n ssize_t\n i;\n\n size_t\n rows;\n\n assert(pixels != (PixelChannels **) NULL);\n rows=MagickMax(GetImageListLength(images),(size_t)\n GetMagickResourceLimit(ThreadResource));\n for (i=0; i < (ssize_t) rows; i++)\n if (pixels[i] != (PixelChannels *) NULL)\n pixels[i]=(PixelChannels *) RelinquishMagickMemory(pixels[i]);\n pixels=(PixelChannels **) RelinquishMagickMemory(pixels);\n return(pixels);\n}", "project": "ImageMagick", "hash": 161300106065882431475756676570925073170, "size": 18, "commit_id": "4717744e4bb27de8ea978e51c6d5bcddf62ffe49", "message": "https://github.com/ImageMagick/ImageMagick/issues/3332", "target": 0, "dataset": "other", "idx": 388302 }, { "func": "yum_repo_path(LrYumRepo *repo, const char *type)\n{\n assert(repo);\n\n for 
(GSList *elem = repo->paths; elem; elem = g_slist_next(elem)) {\n LrYumRepoPath *yumrepopath = elem->data;\n assert(yumrepopath);\n if (!strcmp(yumrepopath->type, type))\n return yumrepopath->path;\n }\n return NULL;\n}", "project": "librepo", "hash": 69266026049519144389659821958034765958, "size": 12, "commit_id": "7daea2a2429a54dad68b1de9b37a5f65c5cf2600", "message": "Validate path read from repomd.xml (RhBug:1868639)\n\n= changelog =\nmsg: Validate path read from repomd.xml\ntype: security\nresolves: https://bugzilla.redhat.com/show_bug.cgi?id=1868639", "target": 0, "dataset": "other", "idx": 393602 }, { "func": "lr_yum_download_repo(LrHandle *handle,\n LrYumRepo *repo,\n LrYumRepoMd *repomd,\n GError **err)\n{\n gboolean ret = TRUE;\n GSList *targets = NULL;\n GSList *cbdata_list = NULL;\n GError *tmp_err = NULL;\n\n assert(!err || *err == NULL);\n\n prepare_repo_download_targets(handle, repo, repomd, NULL, &targets, &cbdata_list, err);\n\n if (!targets)\n return TRUE;\n\n ret = lr_download_single_cb(targets,\n FALSE,\n (cbdata_list) ? progresscb : NULL,\n (cbdata_list) ? 
hmfcb : NULL,\n &tmp_err);\n\n assert((ret && !tmp_err) || (!ret && tmp_err));\n ret = error_handling(targets, err, tmp_err);\n\n g_slist_free_full(cbdata_list, (GDestroyNotify)cbdata_free);\n g_slist_free_full(targets, (GDestroyNotify)lr_downloadtarget_free);\n\n return ret;\n}", "project": "librepo", "hash": 133750915693206432495397759802358942610, "size": 31, "commit_id": "7daea2a2429a54dad68b1de9b37a5f65c5cf2600", "message": "Validate path read from repomd.xml (RhBug:1868639)\n\n= changelog =\nmsg: Validate path read from repomd.xml\ntype: security\nresolves: https://bugzilla.redhat.com/show_bug.cgi?id=1868639", "target": 0, "dataset": "other", "idx": 393606 }, { "func": "lr_yum_download_url(LrHandle *lr_handle, const char *url, int fd,\n gboolean no_cache, gboolean is_zchunk, GError **err)\n{\n gboolean ret;\n LrDownloadTarget *target;\n GError *tmp_err = NULL;\n\n assert(url);\n assert(!err || *err == NULL);\n\n CbData *cbdata = cbdata_new(lr_handle->user_data,\n NULL,\n lr_handle->user_cb,\n lr_handle->hmfcb,\n url);\n\n // Prepare target\n target = lr_downloadtarget_new(lr_handle,\n url, NULL, fd, NULL,\n NULL, 0, 0,(lr_handle->user_cb) ? progresscb : NULL, cbdata,\n NULL, (lr_handle->hmfcb) ? 
hmfcb : NULL, NULL, 0, 0,\n NULL, no_cache, is_zchunk);\n\n // Download the target\n ret = lr_download_target(target, &tmp_err);\n\n assert(ret || tmp_err);\n assert(!(target->err) || !ret);\n cbdata_free(cbdata);\n\n if (!ret)\n g_propagate_error(err, tmp_err);\n\n lr_downloadtarget_free(target);\n\n lseek(fd, 0, SEEK_SET);\n\n return ret;\n}", "project": "librepo", "hash": 314433832583315873595550632829803294693, "size": 39, "commit_id": "7daea2a2429a54dad68b1de9b37a5f65c5cf2600", "message": "Validate path read from repomd.xml (RhBug:1868639)\n\n= changelog =\nmsg: Validate path read from repomd.xml\ntype: security\nresolves: https://bugzilla.redhat.com/show_bug.cgi?id=1868639", "target": 0, "dataset": "other", "idx": 393611 }, { "func": "lr_yum_repo_path(LrYumRepo *repo, const char *type)\n{\n assert(repo);\n\n gchar *chk_type = get_type(repo, type);\n const char *path = yum_repo_path(repo, chk_type);\n g_free(chk_type);\n return path;\n}", "project": "librepo", "hash": 311670833901500387586422021224461372783, "size": 9, "commit_id": "7daea2a2429a54dad68b1de9b37a5f65c5cf2600", "message": "Validate path read from repomd.xml (RhBug:1868639)\n\n= changelog =\nmsg: Validate path read from repomd.xml\ntype: security\nresolves: https://bugzilla.redhat.com/show_bug.cgi?id=1868639", "target": 0, "dataset": "other", "idx": 393612 }, { "func": "lr_yum_repo_append(LrYumRepo *repo, const char *type, const char *path)\n{\n assert(repo);\n assert(type);\n assert(path);\n\n LrYumRepoPath *yumrepopath = lr_malloc(sizeof(LrYumRepoPath));\n yumrepopath->type = g_strdup(type);\n yumrepopath->path = g_strdup(path);\n repo->paths = g_slist_append(repo->paths, yumrepopath);\n}", "project": "librepo", "hash": 282503553202557465751611699919884256391, "size": 11, "commit_id": "7daea2a2429a54dad68b1de9b37a5f65c5cf2600", "message": "Validate path read from repomd.xml (RhBug:1868639)\n\n= changelog =\nmsg: Validate path read from repomd.xml\ntype: security\nresolves: 
https://bugzilla.redhat.com/show_bug.cgi?id=1868639", "target": 0, "dataset": "other", "idx": 393619 }, { "func": "lr_yum_repo_update(LrYumRepo *repo, const char *type, const char *path)\n{\n assert(repo);\n assert(type);\n assert(path);\n\n for (GSList *elem = repo->paths; elem; elem = g_slist_next(elem)) {\n LrYumRepoPath *yumrepopath = elem->data;\n assert(yumrepopath);\n\n if (!strcmp(yumrepopath->type, type)) {\n lr_free(yumrepopath->path);\n yumrepopath->path = g_strdup(path);\n return;\n }\n }\n\n lr_yum_repo_append(repo, type, path);\n}", "project": "librepo", "hash": 94416245607739388659208306066964526038, "size": 19, "commit_id": "7daea2a2429a54dad68b1de9b37a5f65c5cf2600", "message": "Validate path read from repomd.xml (RhBug:1868639)\n\n= changelog =\nmsg: Validate path read from repomd.xml\ntype: security\nresolves: https://bugzilla.redhat.com/show_bug.cgi?id=1868639", "target": 0, "dataset": "other", "idx": 393621 }, { "func": "lr_yum_check_repo_checksums(LrYumRepo *repo,\n LrYumRepoMd *repomd,\n GError **err)\n{\n assert(!err || *err == NULL);\n\n for (GSList *elem = repomd->records; elem; elem = g_slist_next(elem)) {\n gboolean ret;\n LrYumRepoMdRecord *record = elem->data;\n\n assert(record);\n\n const char *path = yum_repo_path(repo, record->type);\n\n ret = lr_yum_check_checksum_of_md_record(record, path, err);\n if (!ret)\n return FALSE;\n }\n\n return TRUE;\n}", "project": "librepo", "hash": 167729375527776588567716623246411845239, "size": 21, "commit_id": "7daea2a2429a54dad68b1de9b37a5f65c5cf2600", "message": "Validate path read from repomd.xml (RhBug:1868639)\n\n= changelog =\nmsg: Validate path read from repomd.xml\ntype: security\nresolves: https://bugzilla.redhat.com/show_bug.cgi?id=1868639", "target": 0, "dataset": "other", "idx": 393625 }, { "func": "std::ostream &operator <<(std::ostream &os, const HttpStateData::ReuseDecision &d)\n{\n static const char *ReuseMessages[] = {\n \"do not cache and do not share\", // reuseNot\n \"cache 
positively and share\", // cachePositively\n \"cache negatively and share\", // cacheNegatively\n \"do not cache but share\" // doNotCacheButShare\n };\n\n assert(d.answer >= HttpStateData::ReuseDecision::reuseNot &&\n d.answer <= HttpStateData::ReuseDecision::doNotCacheButShare);\n return os << ReuseMessages[d.answer] << \" because \" << d.reason <<\n \"; HTTP status \" << d.statusCode << \" \" << *(d.entry);\n}", "project": "squid", "hash": 101554091823460026721571262429561347732, "size": 14, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402302 }, { "func": "findPreviouslyCachedEntry(StoreEntry *newEntry) {\n assert(newEntry->mem_obj);\n return newEntry->mem_obj->request ?\n storeGetPublicByRequest(newEntry->mem_obj->request) :\n storeGetPublic(newEntry->mem_obj->storeId(), newEntry->mem_obj->method);\n}", "project": "squid", "hash": 163706184638262836857861389072287457516, "size": 6, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402320 }, { "func": "httpsEstablish(ConnStateData *connState, const Security::ContextPointer &ctx)\n{\n assert(connState);\n const Comm::ConnectionPointer &details = connState->clientConnection;\n\n if (!ctx || !httpsCreate(connState, ctx))\n return;\n\n typedef CommCbMemFunT TimeoutDialer;\n AsyncCall::Pointer timeoutCall = JobCallback(33, 5, TimeoutDialer,\n connState, ConnStateData::requestTimeout);\n commSetConnTimeout(details, Config.Timeout.request, timeoutCall);\n\n Comm::SetSelect(details->fd, COMM_SELECT_READ, clientNegotiateSSL, connState, 0);\n}", "project": "squid", "hash": 291815180386146765475096096331114322733, "size": 15, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402390 }, { "func": "MagickExport ResampleFilter *DestroyResampleFilter(\n ResampleFilter *resample_filter)\n{\n assert(resample_filter != (ResampleFilter *) NULL);\n assert(resample_filter->signature == MagickCoreSignature);\n assert(resample_filter->image != (Image *) NULL);\n if (resample_filter->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",\n resample_filter->image->filename);\n resample_filter->view=DestroyCacheView(resample_filter->view);\n resample_filter->image=DestroyImage(resample_filter->image);\n#if ! FILTER_LUT\n resample_filter->filter_def=DestroyResizeFilter(resample_filter->filter_def);\n#endif\n resample_filter->signature=(~MagickCoreSignature);\n resample_filter=(ResampleFilter *) RelinquishMagickMemory(resample_filter);\n return(resample_filter);\n}", "project": "ImageMagick", "hash": 289676394133202446326744025133734109530, "size": 18, "commit_id": "8d25d94a363b104acd6ff23df7470aeedb806c51", "message": "https://github.com/ImageMagick/ImageMagick/issues/3195", "target": 0, "dataset": "other", "idx": 406502 }, { "func": "MagickExport ResampleFilter *AcquireResampleFilter(const Image *image,\n ExceptionInfo *exception)\n{\n ResampleFilter\n *resample_filter;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n resample_filter=(ResampleFilter *) 
AcquireCriticalMemory(sizeof(\n *resample_filter));\n (void) memset(resample_filter,0,sizeof(*resample_filter));\n resample_filter->exception=exception;\n resample_filter->image=ReferenceImage((Image *) image);\n resample_filter->view=AcquireVirtualCacheView(resample_filter->image,\n exception);\n resample_filter->debug=IsEventLogging();\n resample_filter->image_area=(ssize_t) (image->columns*image->rows);\n resample_filter->average_defined=MagickFalse;\n resample_filter->signature=MagickCoreSignature;\n SetResampleFilter(resample_filter,image->filter);\n (void) SetResampleFilterInterpolateMethod(resample_filter,image->interpolate);\n (void) SetResampleFilterVirtualPixelMethod(resample_filter,\n GetImageVirtualPixelMethod(image));\n return(resample_filter);\n}", "project": "ImageMagick", "hash": 114940163410715199554362733396113306378, "size": 29, "commit_id": "8d25d94a363b104acd6ff23df7470aeedb806c51", "message": "https://github.com/ImageMagick/ImageMagick/issues/3195", "target": 0, "dataset": "other", "idx": 406504 }, { "func": "MagickExport Image *GetImageClipMask(const Image *image,\n ExceptionInfo *exception)\n{\n assert(image != (const Image *) NULL);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"...\");\n assert(image->signature == MagickCoreSignature);\n if (image->clip_mask == (Image *) NULL)\n return((Image *) NULL);\n return(CloneImage(image->clip_mask,0,0,MagickTrue,exception));\n}", "project": "ImageMagick6", "hash": 243771942382686482738587785562748511308, "size": 11, "commit_id": "27b1c74979ac473a430e266ff6c4b645664bc805", "message": "https://github.com/ImageMagick/ImageMagick/issues/1522", "target": 0, "dataset": "other", "idx": 438539 }, { "func": "MagickExport ImageInfo *DestroyImageInfo(ImageInfo *image_info)\n{\n assert(image_info != (ImageInfo *) NULL);\n assert(image_info->signature == MagickCoreSignature);\n if (image_info->debug != MagickFalse)\n (void) 
LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",\n image_info->filename);\n if (image_info->size != (char *) NULL)\n image_info->size=DestroyString(image_info->size);\n if (image_info->extract != (char *) NULL)\n image_info->extract=DestroyString(image_info->extract);\n if (image_info->scenes != (char *) NULL)\n image_info->scenes=DestroyString(image_info->scenes);\n if (image_info->page != (char *) NULL)\n image_info->page=DestroyString(image_info->page);\n if (image_info->sampling_factor != (char *) NULL)\n image_info->sampling_factor=DestroyString(\n image_info->sampling_factor);\n if (image_info->server_name != (char *) NULL)\n image_info->server_name=DestroyString(\n image_info->server_name);\n if (image_info->font != (char *) NULL)\n image_info->font=DestroyString(image_info->font);\n if (image_info->texture != (char *) NULL)\n image_info->texture=DestroyString(image_info->texture);\n if (image_info->density != (char *) NULL)\n image_info->density=DestroyString(image_info->density);\n if (image_info->view != (char *) NULL)\n image_info->view=DestroyString(image_info->view);\n if (image_info->authenticate != (char *) NULL)\n image_info->authenticate=DestroyString(\n image_info->authenticate);\n DestroyImageOptions(image_info);\n if (image_info->cache != (void *) NULL)\n image_info->cache=DestroyPixelCache(image_info->cache);\n if (image_info->profile != (StringInfo *) NULL)\n image_info->profile=(void *) DestroyStringInfo((StringInfo *)\n image_info->profile);\n image_info->signature=(~MagickCoreSignature);\n image_info=(ImageInfo *) RelinquishMagickMemory(image_info);\n return(image_info);\n}", "project": "ImageMagick6", "hash": 110617789440242032546805133585775053088, "size": 42, "commit_id": "27b1c74979ac473a430e266ff6c4b645664bc805", "message": "https://github.com/ImageMagick/ImageMagick/issues/1522", "target": 0, "dataset": "other", "idx": 438544 }, { "func": "MagickExport Image *GetImageMask(const Image *image,ExceptionInfo *exception)\n{\n 
assert(image != (const Image *) NULL);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"...\");\n assert(image->signature == MagickCoreSignature);\n if (image->mask == (Image *) NULL)\n return((Image *) NULL);\n return(CloneImage(image->mask,0,0,MagickTrue,exception));\n}", "project": "ImageMagick6", "hash": 4030760268639464470377161383296436656, "size": 10, "commit_id": "27b1c74979ac473a430e266ff6c4b645664bc805", "message": "https://github.com/ImageMagick/ImageMagick/issues/1522", "target": 0, "dataset": "other", "idx": 438549 }, { "func": "MagickExport Image *CloneImage(const Image *image,const size_t columns,\n const size_t rows,const MagickBooleanType detach,ExceptionInfo *exception)\n{\n double\n scale;\n\n Image\n *clone_image;\n\n size_t\n length;\n\n /*\n Clone the image.\n */\n assert(image != (const Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n if ((image->columns == 0) || (image->rows == 0))\n {\n (void) ThrowMagickException(exception,GetMagickModule(),CorruptImageError,\n \"NegativeOrZeroImageSize\",\"`%s'\",image->filename);\n return((Image *) NULL);\n }\n clone_image=(Image *) AcquireCriticalMemory(sizeof(*clone_image));\n (void) memset(clone_image,0,sizeof(*clone_image));\n clone_image->signature=MagickCoreSignature;\n clone_image->storage_class=image->storage_class;\n clone_image->channels=image->channels;\n clone_image->colorspace=image->colorspace;\n clone_image->matte=image->matte;\n clone_image->columns=image->columns;\n clone_image->rows=image->rows;\n clone_image->dither=image->dither;\n (void) CloneImageProfiles(clone_image,image);\n (void) CloneImageProperties(clone_image,image);\n (void) CloneImageArtifacts(clone_image,image);\n GetTimerInfo(&clone_image->timer);\n 
InitializeExceptionInfo(&clone_image->exception);\n InheritException(&clone_image->exception,&image->exception);\n if (image->ascii85 != (void *) NULL)\n Ascii85Initialize(clone_image);\n clone_image->extent=image->extent;\n clone_image->magick_columns=image->magick_columns;\n clone_image->magick_rows=image->magick_rows;\n clone_image->type=image->type;\n (void) CopyMagickString(clone_image->magick_filename,image->magick_filename,\n MaxTextExtent);\n (void) CopyMagickString(clone_image->magick,image->magick,MaxTextExtent);\n (void) CopyMagickString(clone_image->filename,image->filename,MaxTextExtent);\n clone_image->progress_monitor=image->progress_monitor;\n clone_image->client_data=image->client_data;\n clone_image->reference_count=1;\n clone_image->next=image->next;\n clone_image->previous=image->previous;\n clone_image->list=NewImageList();\n clone_image->clip_mask=NewImageList();\n clone_image->mask=NewImageList();\n if (detach == MagickFalse)\n clone_image->blob=ReferenceBlob(image->blob);\n else\n {\n clone_image->next=NewImageList();\n clone_image->previous=NewImageList();\n clone_image->blob=CloneBlobInfo((BlobInfo *) NULL);\n }\n clone_image->ping=image->ping;\n clone_image->debug=IsEventLogging();\n clone_image->semaphore=AllocateSemaphoreInfo();\n if (image->colormap != (PixelPacket *) NULL)\n {\n /*\n Allocate and copy the image colormap.\n */\n clone_image->colors=image->colors;\n length=(size_t) image->colors;\n clone_image->colormap=(PixelPacket *) AcquireQuantumMemory(length+1,\n sizeof(*clone_image->colormap));\n if (clone_image->colormap == (PixelPacket *) NULL)\n {\n clone_image=DestroyImage(clone_image);\n ThrowImageException(ResourceLimitError,\"MemoryAllocationFailed\");\n }\n (void) memcpy(clone_image->colormap,image->colormap,length*\n sizeof(*clone_image->colormap));\n }\n if ((columns == 0) || (rows == 0))\n {\n if (image->montage != (char *) NULL)\n (void) CloneString(&clone_image->montage,image->montage);\n if (image->directory != (char 
*) NULL)\n (void) CloneString(&clone_image->directory,image->directory);\n if (image->clip_mask != (Image *) NULL)\n clone_image->clip_mask=CloneImage(image->clip_mask,0,0,MagickTrue,\n exception);\n if (image->mask != (Image *) NULL)\n clone_image->mask=CloneImage(image->mask,0,0,MagickTrue,exception);\n clone_image->cache=ReferencePixelCache(image->cache);\n return(clone_image);\n }\n if ((columns == image->columns) && (rows == image->rows))\n {\n if (image->clip_mask != (Image *) NULL)\n clone_image->clip_mask=CloneImage(image->clip_mask,0,0,MagickTrue,\n exception);\n if (image->mask != (Image *) NULL)\n clone_image->mask=CloneImage(image->mask,0,0,MagickTrue,exception);\n }\n scale=1.0;\n if (image->columns != 0)\n scale=(double) columns/(double) image->columns;\n clone_image->page.width=(size_t) floor(scale*image->page.width+0.5);\n clone_image->page.x=(ssize_t) ceil(scale*image->page.x-0.5);\n clone_image->tile_offset.x=(ssize_t) ceil(scale*image->tile_offset.x-0.5);\n scale=1.0;\n if (image->rows != 0)\n scale=(double) rows/(double) image->rows;\n clone_image->page.height=(size_t) floor(scale*image->page.height+0.5);\n clone_image->page.y=(ssize_t) ceil(scale*image->page.y-0.5);\n clone_image->tile_offset.y=(ssize_t) ceil(scale*image->tile_offset.y-0.5);\n clone_image->cache=ClonePixelCache(image->cache);\n if (SetImageExtent(clone_image,columns,rows) == MagickFalse)\n {\n InheritException(exception,&clone_image->exception);\n clone_image=DestroyImage(clone_image);\n }\n return(clone_image);\n}", "project": "ImageMagick6", "hash": 146955673251321399598566396796029064611, "size": 131, "commit_id": "27b1c74979ac473a430e266ff6c4b645664bc805", "message": "https://github.com/ImageMagick/ImageMagick/issues/1522", "target": 0, "dataset": "other", "idx": 438561 }, { "func": "MagickExport Image *NewMagickImage(const ImageInfo *image_info,\n const size_t width,const size_t height,const MagickPixelPacket *background)\n{\n CacheView\n *image_view;\n\n ExceptionInfo\n 
*exception;\n\n Image\n *image;\n\n ssize_t\n y;\n\n MagickBooleanType\n status;\n\n assert(image_info != (const ImageInfo *) NULL);\n if (image_info->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"...\");\n assert(image_info->signature == MagickCoreSignature);\n assert(background != (const MagickPixelPacket *) NULL);\n image=AcquireImage(image_info);\n image->columns=width;\n image->rows=height;\n image->colorspace=background->colorspace;\n image->matte=background->matte;\n image->fuzz=background->fuzz;\n image->depth=background->depth;\n status=MagickTrue;\n exception=(&image->exception);\n image_view=AcquireAuthenticCacheView(image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(status) \\\n magick_number_threads(image,image,image->rows,1)\n#endif\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n register IndexPacket\n *magick_restrict indexes;\n\n register PixelPacket\n *magick_restrict q;\n\n register ssize_t\n x;\n\n if (status == MagickFalse)\n continue;\n q=QueueCacheViewAuthenticPixels(image_view,0,y,image->columns,1,exception);\n if (q == (PixelPacket *) NULL)\n {\n status=MagickFalse;\n continue;\n }\n indexes=GetCacheViewAuthenticIndexQueue(image_view);\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n SetPixelPacket(image,background,q,indexes+x);\n q++;\n }\n if (SyncCacheViewAuthenticPixels(image_view,exception) == MagickFalse)\n status=MagickFalse;\n }\n image_view=DestroyCacheView(image_view);\n if (status == MagickFalse)\n image=DestroyImage(image);\n return(image);\n}", "project": "ImageMagick6", "hash": 23976047337338271408916529767764235150, "size": 70, "commit_id": "27b1c74979ac473a430e266ff6c4b645664bc805", "message": "https://github.com/ImageMagick/ImageMagick/issues/1522", "target": 0, "dataset": "other", "idx": 438563 }, { "func": "MagickExport Image *DestroyImage(Image *image)\n{\n MagickBooleanType\n destroy;\n\n /*\n Dereference image.\n */\n 
assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n destroy=MagickFalse;\n LockSemaphoreInfo(image->semaphore);\n image->reference_count--;\n if (image->reference_count == 0)\n destroy=MagickTrue;\n UnlockSemaphoreInfo(image->semaphore);\n if (destroy == MagickFalse)\n return((Image *) NULL);\n /*\n Destroy image.\n */\n DestroyImagePixels(image);\n if (image->clip_mask != (Image *) NULL)\n image->clip_mask=DestroyImage(image->clip_mask);\n if (image->mask != (Image *) NULL)\n image->mask=DestroyImage(image->mask);\n if (image->montage != (char *) NULL)\n image->montage=DestroyString(image->montage);\n if (image->directory != (char *) NULL)\n image->directory=DestroyString(image->directory);\n if (image->colormap != (PixelPacket *) NULL)\n image->colormap=(PixelPacket *) RelinquishMagickMemory(image->colormap);\n if (image->geometry != (char *) NULL)\n image->geometry=DestroyString(image->geometry);\n DestroyImageProfiles(image);\n DestroyImageProperties(image);\n DestroyImageArtifacts(image);\n if (image->ascii85 != (Ascii85Info*) NULL)\n image->ascii85=(Ascii85Info *) RelinquishMagickMemory(image->ascii85);\n DestroyBlob(image);\n (void) ClearExceptionInfo(&image->exception,MagickTrue);\n if (image->semaphore != (SemaphoreInfo *) NULL)\n DestroySemaphoreInfo(&image->semaphore);\n image->signature=(~MagickCoreSignature);\n image=(Image *) RelinquishMagickMemory(image);\n return(image);\n}", "project": "ImageMagick6", "hash": 6485514574459374628019413968491024247, "size": 49, "commit_id": "27b1c74979ac473a430e266ff6c4b645664bc805", "message": "https://github.com/ImageMagick/ImageMagick/issues/1522", "target": 0, "dataset": "other", "idx": 438568 }, { "func": "are_urls_equal (const char *u1, const char *u2)\n{\n const char *p, *q;\n int pp, qq;\n char ch1, ch2;\n assert(u1 && u2);\n\n p = u1;\n q = u2;\n\n while (*p && 
*q\n && (pp = getchar_from_escaped_string (p, &ch1))\n && (qq = getchar_from_escaped_string (q, &ch2))\n && (c_tolower(ch1) == c_tolower(ch2)))\n {\n p += pp;\n q += qq;\n }\n\n return (*p == 0 && *q == 0 ? true : false);\n}", "target": 0, "cwe": [], "project": "wget", "commit_id": "59b920874daa565a1323ffa1e756e80493190686", "hash": 66420033504192920858014448327348478159, "size": 21, "message": "Support non-ASCII URLs\n\n* src/url.c [HAVE_ICONV]: Include iconv.h and langinfo.h.\n(convert_fname): New function.\n[HAVE_ICONV]: Convert file name from remote encoding to local\nencoding.\n(url_file_name): Call convert_fname.\n(filechr_table): Don't consider bytes in 128..159 as control\ncharacters.\n\n* tests/Test-ftp-iri.px: Fix the expected file name to match the\nnew file-name recoding. State the remote encoding explicitly on\nthe Wget command line.\n\n* NEWS: Mention the URI recoding when built with libiconv.", "dataset": "other", "idx": 498307 }, { "func": "RAMBlock *qemu_ram_alloc(ram_addr_t size, uint32_t ram_flags,\n MemoryRegion *mr, Error **errp)\n{\n assert((ram_flags & ~(RAM_SHARED | RAM_NORESERVE)) == 0);\n return qemu_ram_alloc_internal(size, size, NULL, NULL, ram_flags, mr, errp);\n}", "target": 0, "cwe": [ "CWE-908" ], "project": "qemu", "commit_id": "418ade7849ce7641c0f7333718caf5091a02fd4c", "hash": 322634961777705745287133053145515903410, "size": 6, "message": "softmmu: Always initialize xlat in address_space_translate_for_iotlb\n\nThe bug is an uninitialized memory read, along the translate_fail\npath, which results in garbage being read from iotlb_to_section,\nwhich can lead to a crash in io_readx/io_writex.\n\nThe bug may be fixed by writing any value with zero\nin ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using\nthe xlat'ed address returns io_mem_unassigned, as desired by the\ntranslate_fail path.\n\nIt is most useful to record the original physical page address,\nwhich will eventually be logged by memory_region_access_valid\nwhen the 
access is rejected by unassigned_mem_accepts.\n\nResolves: https://gitlab.com/qemu-project/qemu/-/issues/1065\nSigned-off-by: Richard Henderson \nReviewed-by: Peter Maydell \nMessage-Id: <20220621153829.366423-1-richard.henderson@linaro.org>", "dataset": "other", "idx": 514757 }, { "func": "free_charset (re_charset_t *cset)\n{\n re_free (cset->mbchars);\n# ifdef _LIBC\n re_free (cset->coll_syms);\n re_free (cset->equiv_classes);\n re_free (cset->range_starts);\n re_free (cset->range_ends);\n# endif\n re_free (cset->char_classes);\n re_free (cset);\n}", "project": "gnulib", "hash": 40579038741916708235588636258690024109, "size": 12, "commit_id": "5513b40999149090987a0341c018d05d3eea1272", "message": "Diagnose ERE '()|\\1'\n\nProblem reported by Hanno Böck in: http://bugs.gnu.org/21513\n* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep\ntrack of the set of previously-completed subexpressions available\nbefore the first alternative, and restore this set just before\nparsing each subsequent alternative. This lets us diagnose the\ninvalid back-reference in the ERE '()|\\1'.", "target": 0, "dataset": "other", "idx": 285531 }, { "func": " const FunctionDefLibrary* library() const override { return library_; }", "project": "tensorflow", "hash": 230071898278149185358384609513245684590, "size": 1, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268301 }, { "func": " const FunctionDefLibrary* library() const override {\n return &graph_def_.library();\n }", "project": "tensorflow", "hash": 240494832295052821805266184485503545442, "size": 3, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268312 }, { "func": "static void init_object(struct kmem_cache *s, void *object, u8 val)\n{\n\tu8 *p = object;\n\n\tif (s->flags & SLAB_RED_ZONE)\n\t\tmemset(p - s->red_left_pad, val, s->red_left_pad);\n\n\tif (s->flags & __OBJECT_POISON) {\n\t\tmemset(p, POISON_FREE, s->object_size - 1);\n\t\tp[s->object_size - 1] = POISON_END;\n\t}\n\n\tif (s->flags & SLAB_RED_ZONE)\n\t\tmemset(p + s->object_size, val, s->inuse - s->object_size);\n}", "project": "linux", "hash": 221033576015579933452579255540402607174, "size": 15, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280094 }, { "func": "CallResult JSObject::setParent(\n JSObject *self,\n Runtime *runtime,\n JSObject *parent,\n PropOpFlags opFlags) {\n if (LLVM_UNLIKELY(self->isProxyObject())) {\n return proxyOpFlags(\n runtime,\n opFlags,\n \"Object is not extensible.\",\n JSProxy::setPrototypeOf(\n runtime->makeHandle(self), runtime, runtime->makeHandle(parent)));\n }\n // ES9 9.1.2\n // 4.\n if (self->parent_.get(runtime) == parent)\n return true;\n // 5.\n if (!self->isExtensible()) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\"Object is not extensible.\");\n } else {\n return false;\n }\n }\n // 6-8. Check for a prototype cycle.\n for (JSObject *cur = parent; cur; cur = cur->parent_.get(runtime)) {\n if (cur == self) {\n if (opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(\"Prototype cycle detected\");\n } else {\n return false;\n }\n } else if (LLVM_UNLIKELY(cur->isProxyObject())) {\n // TODO this branch should also be used for module namespace and\n // immutable prototype exotic objects.\n break;\n }\n }\n // 9.\n self->parent_.set(runtime, parent, &runtime->getHeap());\n // 10.\n return true;\n}", "project": "hermes", "hash": 235976756549259371250724586263162222617, "size": 44, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. 
This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230204 }, { "func": "static inline int io_alloc_async_data(struct io_kiocb *req)\n{\n\tWARN_ON_ONCE(!io_op_defs[req->opcode].async_size);\n\treq->async_data = kmalloc(io_op_defs[req->opcode].async_size, GFP_KERNEL);\n\treturn req->async_data == NULL;\n}", "project": "linux", "hash": 128683994020762827695122286517540970707, "size": 6, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338698 }, { "func": "slab_out_of_memory(struct kmem_cache *s, gfp_t gfpflags, int nid)\n{\n#ifdef CONFIG_SLUB_DEBUG\n\tstatic DEFINE_RATELIMIT_STATE(slub_oom_rs, DEFAULT_RATELIMIT_INTERVAL,\n\t\t\t\t DEFAULT_RATELIMIT_BURST);\n\tint node;\n\tstruct kmem_cache_node *n;\n\n\tif ((gfpflags & __GFP_NOWARN) || !__ratelimit(&slub_oom_rs))\n\t\treturn;\n\n\tpr_warn(\"SLUB: Unable to allocate memory on node %d, gfp=%#x(%pGg)\\n\",\n\t\tnid, gfpflags, &gfpflags);\n\tpr_warn(\" cache: %s, object size: %u, buffer size: %u, default order: %u, min order: %u\\n\",\n\t\ts->name, s->object_size, s->size, oo_order(s->oo),\n\t\too_order(s->min));\n\n\tif (oo_order(s->min) > get_order(s->object_size))\n\t\tpr_warn(\" %s debugging increased min order, use slub_debug=O to disable.\\n\",\n\t\t\ts->name);\n\n\tfor_each_kmem_cache_node(s, node, n) {\n\t\tunsigned long nr_slabs;\n\t\tunsigned long nr_objs;\n\t\tunsigned long nr_free;\n\n\t\tnr_free = count_partial(n, count_free);\n\t\tnr_slabs = node_nr_slabs(n);\n\t\tnr_objs = node_nr_objs(n);\n\n\t\tpr_warn(\" node %d: slabs: %ld, objs: %ld, free: %ld\\n\",\n\t\t\tnode, nr_slabs, nr_objs, nr_free);\n\t}\n#endif\n}", "project": "linux", "hash": 159512031983182378416940587644517822374, "size": 35, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in 
kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280068 }, { "func": "void lj_debug_addloc(lua_State *L, const char *msg,\n\t\t cTValue *frame, cTValue *nextframe)\n{\n if (frame) {\n GCfunc *fn = frame_func(frame);\n if (isluafunc(fn)) {\n BCLine line = debug_frameline(L, fn, nextframe);\n if (line >= 0) {\n\tchar buf[LUA_IDSIZE];\n\tlj_debug_shortname(buf, proto_chunkname(funcproto(fn)));\n\tlj_str_pushf(L, \"%s:%d: %s\", buf, line, msg);\n\treturn;\n }\n }\n }\n lj_str_pushf(L, \"%s\", msg);\n}", "project": "LuaJIT", "hash": 112114269542622968866558037384981603286, "size": 17, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394659 }, { "project": "Chrome", "commit_id": "de5aa214ea77b3d2c4ff8a0c58f446896c107ce0", "target": 0, "func": "bool TranslateManager::IsAcceptLanguage(TabContents* tab,\n const std::string& language) {\n PrefService* pref_service = tab->profile()->GetPrefs();\n PrefServiceLanguagesMap::const_iterator iter =\n accept_languages_.find(pref_service);\n if (iter == accept_languages_.end()) {\n InitAcceptLanguages(pref_service);\n notification_registrar_.Add(this, NotificationType::PROFILE_DESTROYED,\n Source(tab->profile()));\n pref_change_registrar_.Add(prefs::kAcceptLanguages, 
this);\n\n iter = accept_languages_.find(pref_service);\n }\n\n return iter->second.count(language) != 0;\n}\n", "cwe": "", "big_vul_idx": 108002, "idx": 96968, "hash": 147511106765663076685185423227191112240 }, { "func": "static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tstruct pnpipehdr *hdr;\n\tint wake = 0;\n\n\tif (!pskb_may_pull(skb, sizeof(*hdr) + 4))\n\t\treturn -EINVAL;\n\n\thdr = pnp_hdr(skb);\n\tif (hdr->pep_type != PN_PEP_TYPE_COMMON) {\n\t\tnet_dbg_ratelimited(\"Phonet unknown PEP type: %u\\n\",\n\t\t\t\t (unsigned int)hdr->pep_type);\n\t\treturn -EOPNOTSUPP;\n\t}\n\n\tswitch (hdr->data[0]) {\n\tcase PN_PEP_IND_FLOW_CONTROL:\n\t\tswitch (pn->tx_fc) {\n\t\tcase PN_LEGACY_FLOW_CONTROL:\n\t\t\tswitch (hdr->data[3]) {\n\t\t\tcase PEP_IND_BUSY:\n\t\t\t\tatomic_set(&pn->tx_credits, 0);\n\t\t\t\tbreak;\n\t\t\tcase PEP_IND_READY:\n\t\t\t\tatomic_set(&pn->tx_credits, wake = 1);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tbreak;\n\t\tcase PN_ONE_CREDIT_FLOW_CONTROL:\n\t\t\tif (hdr->data[3] == PEP_IND_READY)\n\t\t\t\tatomic_set(&pn->tx_credits, wake = 1);\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\n\tcase PN_PEP_IND_ID_MCFC_GRANT_CREDITS:\n\t\tif (pn->tx_fc != PN_MULTI_CREDIT_FLOW_CONTROL)\n\t\t\tbreak;\n\t\tatomic_add(wake = hdr->data[3], &pn->tx_credits);\n\t\tbreak;\n\n\tdefault:\n\t\tnet_dbg_ratelimited(\"Phonet unknown PEP indication: %u\\n\",\n\t\t\t\t (unsigned int)hdr->data[0]);\n\t\treturn -EOPNOTSUPP;\n\t}\n\tif (wake)\n\t\tsk->sk_write_space(sk);\n\treturn 0;\n}", "project": "linux", "hash": 7986086699742023260287500164777840817, "size": 51, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub 
Kicinski ", "target": 0, "dataset": "other", "idx": 224810 }, { "func": "static OPJ_BOOL opj_j2k_read_eoc(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n OPJ_UINT32 i;\n opj_tcd_t * l_tcd = 00;\n OPJ_UINT32 l_nb_tiles;\n opj_tcp_t * l_tcp = 00;\n OPJ_BOOL l_success;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n l_nb_tiles = p_j2k->m_cp.th * p_j2k->m_cp.tw;\n l_tcp = p_j2k->m_cp.tcps;\n\n l_tcd = opj_tcd_create(OPJ_TRUE);\n if (l_tcd == 00) {\n opj_event_msg(p_manager, EVT_ERROR, \"Cannot decode tile, memory error\\n\");\n return OPJ_FALSE;\n }\n\n for (i = 0; i < l_nb_tiles; ++i) {\n if (l_tcp->m_data) {\n if (! opj_tcd_init_decode_tile(l_tcd, i)) {\n opj_tcd_destroy(l_tcd);\n opj_event_msg(p_manager, EVT_ERROR, \"Cannot decode tile, memory error\\n\");\n return OPJ_FALSE;\n }\n\n l_success = opj_tcd_decode_tile(l_tcd, l_tcp->m_data, l_tcp->m_data_size, i,\n p_j2k->cstr_index);\n /* cleanup */\n\n if (! 
l_success) {\n p_j2k->m_specific_param.m_decoder.m_state |= J2K_STATE_ERR;\n break;\n }\n }\n\n opj_j2k_tcp_destroy(l_tcp);\n ++l_tcp;\n }\n\n opj_tcd_destroy(l_tcd);\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 177771026842125067510898148856990807723, "size": 49, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357330 }, { "func": "static int tty_tiocmget(struct tty_struct *tty, int __user *p)\n{\n\tint retval = -EINVAL;\n\n\tif (tty->ops->tiocmget) {\n\t\tretval = tty->ops->tiocmget(tty);\n\n\t\tif (retval >= 0)\n\t\t\tretval = put_user(retval, p);\n\t}\n\treturn retval;\n}", "project": "linux", "hash": 261177872067636017525372344233774521722, "size": 12, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326043 }, { "func": "static int usb_host_scan(void *opaque, USBScanFunc *func)\n{\n Monitor *mon = cur_mon;\n FILE *f = NULL;\n DIR *dir = NULL;\n int ret = 0;\n const char *fs_type[] = {\"unknown\", \"proc\", \"dev\", \"sys\"};\n char devpath[PATH_MAX];\n\n /* only check the host once */\n if (!usb_fs_type) {\n dir = opendir(USBSYSBUS_PATH \"/devices\");\n if (dir) {\n /* devices found in /dev/bus/usb/ (yes - not a mistake!) 
*/\n strcpy(devpath, USBDEVBUS_PATH);\n usb_fs_type = USB_FS_SYS;\n closedir(dir);\n dprintf(USBDBG_DEVOPENED, USBSYSBUS_PATH);\n goto found_devices;\n }\n f = fopen(USBPROCBUS_PATH \"/devices\", \"r\");\n if (f) {\n /* devices found in /proc/bus/usb/ */\n strcpy(devpath, USBPROCBUS_PATH);\n usb_fs_type = USB_FS_PROC;\n fclose(f);\n dprintf(USBDBG_DEVOPENED, USBPROCBUS_PATH);\n goto found_devices;\n }\n /* try additional methods if an access method hasn't been found yet */\n f = fopen(USBDEVBUS_PATH \"/devices\", \"r\");\n if (f) {\n /* devices found in /dev/bus/usb/ */\n strcpy(devpath, USBDEVBUS_PATH);\n usb_fs_type = USB_FS_DEV;\n fclose(f);\n dprintf(USBDBG_DEVOPENED, USBDEVBUS_PATH);\n goto found_devices;\n }\n found_devices:\n if (!usb_fs_type) {\n monitor_printf(mon, \"husb: unable to access USB devices\\n\");\n return -ENOENT;\n }\n\n /* the module setting (used later for opening devices) */\n usb_host_device_path = qemu_mallocz(strlen(devpath)+1);\n strcpy(usb_host_device_path, devpath);\n monitor_printf(mon, \"husb: using %s file-system with %s\\n\",\n fs_type[usb_fs_type], usb_host_device_path);\n }\n\n switch (usb_fs_type) {\n case USB_FS_PROC:\n case USB_FS_DEV:\n ret = usb_host_scan_dev(opaque, func);\n break;\n case USB_FS_SYS:\n ret = usb_host_scan_sys(opaque, func);\n break;\n default:\n ret = -EINVAL;\n break;\n }\n return ret;\n}", "project": "qemu", "hash": 178376958154419987329914307443644698873, "size": 66, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346287 }, { "func": " explicit MaxPoolingGradWithArgmaxOp(OpKernelConstruction* context)\n : OpKernel(context) {\n string data_format_str;\n auto status = context->GetAttr(\"data_format\", &data_format_str);\n if (status.ok()) {\n OP_REQUIRES(context, FormatFromString(data_format_str, &data_format_),\n errors::InvalidArgument(\"Invalid data format\"));\n }\n\n OP_REQUIRES_OK(context, context->GetAttr(\"ksize\", &ksize_));\n OP_REQUIRES(context, ksize_.size() == 4,\n errors::InvalidArgument(\"Sliding window ksize field must \"\n \"specify 4 dimensions\"));\n OP_REQUIRES_OK(context, context->GetAttr(\"strides\", &stride_));\n OP_REQUIRES(context, stride_.size() == 4,\n errors::InvalidArgument(\"Sliding window stride field must \"\n \"specify 4 dimensions\"));\n OP_REQUIRES_OK(context, context->GetAttr(\"padding\", &padding_));\n OP_REQUIRES(context, ksize_[0] == 1 && stride_[0] == 1,\n errors::Unimplemented(\n \"Pooling is not yet supported on the batch dimension.\"));\n OP_REQUIRES_OK(context, context->GetAttr(\"include_batch_in_index\",\n &include_batch_in_index_));\n }", "project": "tensorflow", "hash": 16850756091582359071904230260986410321, "size": 24, "commit_id": "dcd7867de0fea4b72a2b34bd41eb74548dc23886", "message": "Fix heap buffer overflow\n\nPiperOrigin-RevId: 372132844\nChange-Id: Idef9895efaf145f2b1c23d31983601ec980cd5e4", 
"target": 0, "dataset": "other", "idx": 245442 }, { "func": "int ssh_buffer_add_u64(struct ssh_buffer_struct *buffer, uint64_t data)\n{\n int rc;\n\n rc = ssh_buffer_add_data(buffer, &data, sizeof(data));\n if (rc < 0) {\n return -1;\n }\n\n return 0;\n}", "project": "libssh-mirror", "hash": 287310650968156648758539126902377680985, "size": 11, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345165 }, { "func": "int64_t switch_segment(int32_t segment)\n{\n location.segment = segment;\n if (segment == NO_SEG) {\n location.offset = absolute.offset;\n in_absolute = true;\n } else {\n location.offset = raa_read(offsets, segment);\n in_absolute = false;\n }\n return location.offset;\n}", "project": "nasm", "hash": 119514210440113922396592355461352185262, "size": 12, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257465 }, { "func": "static void set_track(struct kmem_cache *s, void *object,\n\t\t\tenum track_item alloc, unsigned long addr)\n{\n\tstruct track *p = get_track(s, object, alloc);\n\n\tif (addr) {\n#ifdef CONFIG_STACKTRACE\n\t\tunsigned int nr_entries;\n\n\t\tmetadata_access_enable();\n\t\tnr_entries = stack_trace_save(p->addrs, TRACK_ADDRS_COUNT, 3);\n\t\tmetadata_access_disable();\n\n\t\tif (nr_entries < TRACK_ADDRS_COUNT)\n\t\t\tp->addrs[nr_entries] = 0;\n#endif\n\t\tp->addr = addr;\n\t\tp->cpu = smp_processor_id();\n\t\tp->pid = current->pid;\n\t\tp->when = jiffies;\n\t} else {\n\t\tmemset(p, 0, sizeof(struct track));\n\t}\n}", "project": "linux", "hash": 
108556483215384923152124993103451248824, "size": 24, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280277 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "JNIEXPORT jbyteArray JNICALL Java_edu_berkeley_cs_rise_opaque_execution_SGXEnclave_Encrypt(\n JNIEnv *env, jobject obj, jlong eid, jbyteArray plaintext) {\n (void)obj;\n\n uint32_t plength = (uint32_t) env->GetArrayLength(plaintext);\n jboolean if_copy = false;\n jbyte *ptr = env->GetByteArrayElements(plaintext, &if_copy);\n\n uint8_t *plaintext_ptr = (uint8_t *) ptr;\n\n const jsize clength = plength + SGX_AESGCM_IV_SIZE + SGX_AESGCM_MAC_SIZE;\n jbyteArray ciphertext = env->NewByteArray(clength);\n\n uint8_t *ciphertext_copy = new uint8_t[clength];\n\n sgx_check_quiet(\n \"Encrypt\", ecall_encrypt(eid, plaintext_ptr, plength, ciphertext_copy, (uint32_t) clength));\n\n env->SetByteArrayRegion(ciphertext, 0, clength, (jbyte *) ciphertext_copy);\n\n env->ReleaseByteArrayElements(plaintext, ptr, 0);\n\n delete[] ciphertext_copy;\n\n return ciphertext;\n}", "idx": 519052, "cwe": "CWE-787", "hash": 173191752340029021010293094979880773664, "dataset": "other" }, { "func": "int mnt_optstr_prepend_option(char 
**optstr, const char *name, const char *value)\n{\n\tstruct ul_buffer buf = UL_INIT_BUFFER;\n\tsize_t nsz, vsz, osz;\n\tint rc;\n\n\tif (!optstr)\n\t\treturn -EINVAL;\n\tif (!name || !*name)\n\t\treturn 0;\n\n\tnsz = strlen(name);\n\tosz = *optstr ? strlen(*optstr) : 0;\n\tvsz = value ? strlen(value) : 0;\n\n\tul_buffer_set_chunksize(&buf, osz + nsz + vsz + 3); /* to call realloc() only once */\n\n\trc = __buffer_append_option(&buf, name, nsz, value, vsz);\n\tif (*optstr && !rc) {\n\t\trc = ul_buffer_append_data(&buf, \",\", 1);\n\t\tif (!rc)\n\t\t\trc = ul_buffer_append_data(&buf, *optstr, osz);\n\t\tfree(*optstr);\n\t}\n\n\t*optstr = ul_buffer_get_data(&buf, NULL, NULL);\n\treturn rc;\n}", "project": "util-linux", "hash": 187441229399559023183319985090370175478, "size": 28, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410438 }, { "func": "int ssh_buffer_add_buffer(struct ssh_buffer_struct *buffer,\n struct ssh_buffer_struct *source)\n{\n int rc;\n\n rc = ssh_buffer_add_data(buffer,\n ssh_buffer_get(source),\n ssh_buffer_get_len(source));\n if (rc < 0) {\n return -1;\n }\n\n return 0;\n}", "project": "libssh-mirror", "hash": 50821561615363242341231736179327218994, "size": 14, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345148 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "bool BlobURLRequestJob::ReadItem() {\n if (remaining_bytes_ == 0)\n return true;\n\n if (item_index_ >= blob_data_->items().size()) {\n NotifyFailure(net::ERR_FAILED);\n return 
false;\n }\n\n bytes_to_read_ = ComputeBytesToRead();\n\n if (bytes_to_read_ == 0) {\n AdvanceItem();\n return ReadItem();\n }\n\n const BlobData::Item& item = blob_data_->items().at(item_index_);\n switch (item.type()) {\n case BlobData::TYPE_DATA:\n return ReadBytes(item);\n case BlobData::TYPE_FILE:\n return DispatchReadFile(item);\n default:\n DCHECK(false);\n return false;\n }\n}\n", "cwe": "", "big_vul_idx": 106422, "idx": 95573, "hash": 283120546104958220060115637460000422763 }, { "func": "static apr_byte_t oidc_set_request_user(request_rec *r, oidc_cfg *c,\n\t\toidc_provider_t *provider, oidc_jwt_t *jwt, const char *s_claims) {\n\n\tchar *issuer = provider->issuer;\n\tchar *claim_name = apr_pstrdup(r->pool, c->remote_user_claim.claim_name);\n\tint n = strlen(claim_name);\n\tapr_byte_t post_fix_with_issuer = (claim_name[n - 1] == OIDC_CHAR_AT);\n\tif (post_fix_with_issuer == TRUE) {\n\t\tclaim_name[n - 1] = '\\0';\n\t\tissuer =\n\t\t\t\t(strstr(issuer, \"https://\") == NULL) ?\n\t\t\t\t\t\tapr_pstrdup(r->pool, issuer) :\n\t\t\t\t\t\tapr_pstrdup(r->pool, issuer + strlen(\"https://\"));\n\t}\n\n\t/* extract the username claim (default: \"sub\") from the id_token payload or user claims */\n\tapr_byte_t rc = FALSE;\n\tchar *remote_user = NULL;\n\tjson_t *claims = NULL;\n\toidc_util_decode_json_object(r, s_claims, &claims);\n\tif (claims == NULL) {\n\t\trc = oidc_get_remote_user(r, claim_name, c->remote_user_claim.reg_exp,\n\t\t\t\tc->remote_user_claim.replace, jwt->payload.value.json,\n\t\t\t\t&remote_user);\n\t} else {\n\t\toidc_util_json_merge(r, jwt->payload.value.json, claims);\n\t\trc = oidc_get_remote_user(r, claim_name, c->remote_user_claim.reg_exp,\n\t\t\t\tc->remote_user_claim.replace, claims, &remote_user);\n\t\tjson_decref(claims);\n\t}\n\n\tif ((rc == FALSE) || (remote_user == NULL)) {\n\t\toidc_error(r,\n\t\t\t\t\"\" OIDCRemoteUserClaim \"is set to \\\"%s\\\", but could not set the remote user based on the requested claim \\\"%s\\\" and the 
available claims for the user\",\n\t\t\t\tc->remote_user_claim.claim_name, claim_name);\n\t\treturn FALSE;\n\t}\n\n\tif (post_fix_with_issuer == TRUE)\n\t\tremote_user = apr_psprintf(r->pool, \"%s%s%s\", remote_user, OIDC_STR_AT,\n\t\t\t\tissuer);\n\n\tr->user = apr_pstrdup(r->pool, remote_user);\n\n\toidc_debug(r, \"set remote_user to \\\"%s\\\" based on claim: \\\"%s\\\"%s\", r->user,\n\t\t\tc->remote_user_claim.claim_name,\n\t\t\tc->remote_user_claim.reg_exp ?\n\t\t\t\t\tapr_psprintf(r->pool,\n\t\t\t\t\t\t\t\" and expression: \\\"%s\\\" and replace string: \\\"%s\\\"\",\n\t\t\t\t\t\t\tc->remote_user_claim.reg_exp,\n\t\t\t\t\t\t\tc->remote_user_claim.replace) :\n\t\t\t\t\t\t\t\"\");\n\n\treturn TRUE;\n}", "project": "mod_auth_openidc", "hash": 282015007034519865269726944199793178243, "size": 55, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381943 }, { "func": "static int sctp_setsockopt_partial_delivery_point(struct sock *sk, u32 *val,\n\t\t\t\t\t\t unsigned int optlen)\n{\n\tif (optlen != sizeof(u32))\n\t\treturn -EINVAL;\n\n\t/* Note: We double the receive buffer from what the user sets\n\t * it to be, also initial rwnd is based on rcvbuf/2.\n\t */\n\tif (*val > (sk->sk_rcvbuf >> 1))\n\t\treturn -EINVAL;\n\n\tsctp_sk(sk)->pd_point = *val;\n\n\treturn 0; /* is this the right error code? */\n}", "project": "linux", "hash": 314495714593911687407917234681806250705, "size": 16, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. 
In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398167 }, { "func": "static inline int tcp_skb_timedout(const struct sock *sk,\n\t\t\t\t const struct sk_buff *skb)\n{\n\treturn tcp_time_stamp - TCP_SKB_CB(skb)->when > inet_csk(sk)->icsk_rto;\n}", "project": "net-next", "hash": 23955093156150757551573313474412436351, "size": 5, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409927 }, { "func": "bool imap_account_match(const struct ConnAccount *a1, const struct ConnAccount *a2)\n{\n if (!a1 || !a2)\n return false;\n if (a1->type != a2->type)\n return false;\n if (!mutt_istr_equal(a1->host, a2->host))\n return false;\n if ((a1->port != 0) && (a2->port != 0) && (a1->port != a2->port))\n return false;\n if (a1->flags & a2->flags & MUTT_ACCT_USER)\n return strcmp(a1->user, a2->user) == 0;\n\n const char *user = NONULL(Username);\n\n const char *const c_imap_user = cs_subset_string(NeoMutt->sub, \"imap_user\");\n if ((a1->type == MUTT_ACCT_TYPE_IMAP) && c_imap_user)\n user = c_imap_user;\n\n if (a1->flags & MUTT_ACCT_USER)\n return strcmp(a1->user, user) == 0;\n if (a2->flags & MUTT_ACCT_USER)\n return strcmp(a2->user, user) == 0;\n\n return true;\n}", "project": "neomutt", "hash": 268677067126984186226669898847832712261, "size": 26, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. 
In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399290 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 1, "func": "void MediaElementAudioSourceNode::process(size_t numberOfFrames)\n{\n AudioBus* outputBus = output(0)->bus();\n\n if (!mediaElement() || !m_sourceNumberOfChannels || !m_sourceSampleRate) {\n outputBus->zero();\n return;\n }\n\n MutexTryLocker tryLocker(m_processLock);\n if (tryLocker.locked()) {\n if (AudioSourceProvider* provider = mediaElement()->audioSourceProvider()) {\n if (m_multiChannelResampler.get()) {\n ASSERT(m_sourceSampleRate != sampleRate());\n m_multiChannelResampler->process(provider, outputBus, numberOfFrames);\n } else {\n ASSERT(m_sourceSampleRate == sampleRate());\n provider->provideInput(outputBus, numberOfFrames);\n }\n } else {\n outputBus->zero();\n }\n } else {\n outputBus->zero();\n }\n}\n", "cwe": "", "big_vul_idx": 185901, "idx": 6705, "hash": 214516605251072031911924399596715967965 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void MediaElementAudioSourceNode::process(size_t numberOfFrames)\n{\n AudioBus* outputBus = output(0)->bus();\n\n if (!mediaElement() || !m_sourceNumberOfChannels || !m_sourceSampleRate) {\n outputBus->zero();\n return;\n }\n\n MutexTryLocker tryLocker(m_processLock);\n if (tryLocker.locked()) {\n if (AudioSourceProvider* provider = mediaElement()->audioSourceProvider()) {\n // Grab data from the provider so that the element continues to make progress, even if\n // we're going to output silence anyway.\n if (m_multiChannelResampler.get()) {\n ASSERT(m_sourceSampleRate != sampleRate());\n m_multiChannelResampler->process(provider, outputBus, numberOfFrames);\n } else {\n ASSERT(m_sourceSampleRate == sampleRate());\n 
provider->provideInput(outputBus, numberOfFrames);\n }\n // Output silence if we don't have access to the element.\n if (!(mediaElement()->webMediaPlayer()->didPassCORSAccessCheck()\n || context()->securityOrigin()->canRequest(mediaElement()->currentSrc()))) {\n outputBus->zero();\n }\n } else {\n outputBus->zero();\n }\n } else {\n outputBus->zero();\n }\n}\n", "cwe": "", "big_vul_idx": 185901, "idx": 163787, "hash": 144288665457382459246238377147852566025 }, { "func": "bool FromkLinuxSigset(const klinux_sigset_t *input, sigset_t *output) {\n if (!input || !output) {\n output = nullptr;\n return false;\n }\n sigemptyset(output);\n for (int klinux_sig = 1; klinux_sig < kLinux_NSIG; klinux_sig++) {\n if (klinux_sigismember(input, klinux_sig)) {\n int sig = FromkLinuxSignalNumber(klinux_sig);\n if (sig != -1) {\n sigaddset(output, sig);\n }\n }\n }\n return true;\n}", "project": "asylo", "hash": 298172837302529229732145477206327530516, "size": 16, "commit_id": "bda9772e7872b0d2b9bee32930cf7a4983837b39", "message": "Check input length in FromLinuxSockAddr\n\nPiperOrigin-RevId: 333785506\nChange-Id: I1d68fb8954665eebc1018d80ff995cbe9e7ed6a9", "target": 0, "dataset": "other", "idx": 263468 }, { "func": "static bool has_pending_adv_report(struct hci_dev *hdev)\n{\n\tstruct discovery_state *d = &hdev->discovery;\n\n\treturn bacmp(&d->last_adv_addr, BDADDR_ANY);\n}", "project": "linux", "hash": 66369123566380421446566412116170421185, "size": 6, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431916 }, { "func": " double toDouble () const { return m_str ? m_str->toDouble () : 0;}", "project": "hhvm", "hash": 252386787265456742943537380009630986641, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219695 }, { "func": "static int validate_slab_node(struct kmem_cache *s,\n\t\tstruct kmem_cache_node *n)\n{\n\tunsigned long count = 0;\n\tstruct page *page;\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&n->list_lock, flags);\n\n\tlist_for_each_entry(page, &n->partial, slab_list) {\n\t\tvalidate_slab(s, page);\n\t\tcount++;\n\t}\n\tif (count != n->nr_partial)\n\t\tpr_err(\"SLUB %s: %ld partial slabs counted but counter=%ld\\n\",\n\t\t s->name, count, n->nr_partial);\n\n\tif (!(s->flags & SLAB_STORE_USER))\n\t\tgoto out;\n\n\tlist_for_each_entry(page, &n->full, slab_list) {\n\t\tvalidate_slab(s, page);\n\t\tcount++;\n\t}\n\tif (count != atomic_long_read(&n->nr_slabs))\n\t\tpr_err(\"SLUB: %s %ld slabs counted but counter=%ld\\n\",\n\t\t s->name, count, atomic_long_read(&n->nr_slabs));\n\nout:\n\tspin_unlock_irqrestore(&n->list_lock, flags);\n\treturn count;\n}", "project": "linux", "hash": 145091747412823337012489738823749047714, "size": 32, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call 
___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280280 }, { "func": "int build_detached_freelist(struct kmem_cache *s, size_t size,\n\t\t\t void **p, struct detached_freelist *df)\n{\n\tsize_t first_skipped_index = 0;\n\tint lookahead = 3;\n\tvoid *object;\n\tstruct page *page;\n\n\t/* Always re-init detached_freelist */\n\tdf->page = NULL;\n\n\tdo {\n\t\tobject = p[--size];\n\t\t/* Do we need !ZERO_OR_NULL_PTR(object) here? (for kfree) */\n\t} while (!object && size);\n\n\tif (!object)\n\t\treturn 0;\n\n\tpage = virt_to_head_page(object);\n\tif (!s) {\n\t\t/* Handle kalloc'ed objects */\n\t\tif (unlikely(!PageSlab(page))) {\n\t\t\tBUG_ON(!PageCompound(page));\n\t\t\tkfree_hook(object);\n\t\t\t__free_pages(page, compound_order(page));\n\t\t\tp[size] = NULL; /* mark object processed */\n\t\t\treturn size;\n\t\t}\n\t\t/* Derive kmem_cache from object */\n\t\tdf->s = page->slab_cache;\n\t} else {\n\t\tdf->s = cache_from_obj(s, object); /* Support for memcg */\n\t}\n\n\t/* Start new detached freelist */\n\tdf->page = page;\n\tset_freepointer(df->s, object, NULL);\n\tdf->tail = object;\n\tdf->freelist = object;\n\tp[size] = NULL; /* mark object processed */\n\tdf->cnt = 1;\n\n\twhile (size) {\n\t\tobject = p[--size];\n\t\tif (!object)\n\t\t\tcontinue; /* Skip processed objects */\n\n\t\t/* df->page is always set at this point */\n\t\tif (df->page == virt_to_head_page(object)) {\n\t\t\t/* Opportunity build freelist */\n\t\t\tset_freepointer(df->s, object, df->freelist);\n\t\t\tdf->freelist = 
object;\n\t\t\tdf->cnt++;\n\t\t\tp[size] = NULL; /* mark object processed */\n\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* Limit look ahead search */\n\t\tif (!--lookahead)\n\t\t\tbreak;\n\n\t\tif (!first_skipped_index)\n\t\t\tfirst_skipped_index = size + 1;\n\t}\n\n\treturn first_skipped_index;\n}", "project": "linux", "hash": 108861274928988260209564877746590485503, "size": 69, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280084 }, { "func": "static void hci_cc_write_auth_payload_timeout(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_write_auth_payload_to *rp = (void *)skb->data;\n\tstruct hci_conn *conn;\n\tvoid *sent;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);\n\tif (!sent)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));\n\tif (conn)\n\t\tconn->auth_payload_timeout = get_unaligned_le16(sent + 2);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 239219378808534349409668266029047637593, "size": 24, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds 
read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431924 }, { "func": "static inline int tracing_get_cpu(struct inode *inode)\n{\n\tif (inode->i_cdev) /* See trace_create_cpu_file() */\n\t\treturn (long)inode->i_cdev - 1;\n\treturn RING_BUFFER_ALL_CPUS;\n}", "project": "linux", "hash": 151459007865993206525975547548670293016, "size": 6, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445782 }, { "func": "static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)\n{\n\tstruct nft_rule **r = rules;\n\tstruct nft_rules_old *old;\n\n\twhile (*r)\n\t\tr++;\n\n\tr++;\t/* rcu_head is after end marker */\n\told = (void *) r;\n\told->start = rules;\n\n\tcall_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);\n}", "project": "linux", "hash": 99555665360103907150455314866389093101, "size": 14, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? 
nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328349 }, { "func": "R_API void r_core_fini(RCore *c) {\n\tif (!c) {\n\t\treturn;\n\t}\n\tr_core_task_break_all (&c->tasks);\n\tr_core_task_join (&c->tasks, NULL, -1);\n\tr_core_wait (c);\n\t/* TODO: it leaks as shit */\n\t//update_sdb (c);\n\t// avoid double free\n\tr_list_free (c->ropchain);\n\tr_event_free (c->ev);\n\tfree (c->cmdlog);\n\tfree (c->lastsearch);\n\tR_FREE (c->cons->pager);\n\tfree (c->cmdqueue);\n\tfree (c->lastcmd);\n\tfree (c->stkcmd);\n\tr_list_free (c->visual.tabs);\n\tfree (c->block);\n\tr_core_autocomplete_free (c->autocomplete);\n\n\tr_list_free (c->gadgets);\n\tr_list_free (c->undos);\n\tr_num_free (c->num);\n\t// TODO: sync or not? 
sdb_sync (c->sdb);\n\t// TODO: sync all dbs?\n\t//r_core_file_free (c->file);\n\t//c->file = NULL;\n\tfree (c->table_query);\n\tr_list_free (c->files);\n\tr_list_free (c->watchers);\n\tr_list_free (c->scriptstack);\n\tr_core_task_scheduler_fini (&c->tasks);\n\tc->rcmd = r_cmd_free (c->rcmd);\n\tr_list_free (c->cmd_descriptors);\n\tc->anal = r_anal_free (c->anal);\n\tr_asm_free (c->assembler);\n\tc->assembler = NULL;\n\tc->print = r_print_free (c->print);\n\tc->bin = (r_bin_free (c->bin), NULL);\n\tc->lang = (r_lang_free (c->lang), NULL);\n\tc->dbg = (r_debug_free (c->dbg), NULL);\n\tr_io_free (c->io);\n\tr_config_free (c->config);\n\t/* after r_config_free, the value of I.teefile is trashed */\n\t/* rconfig doesnt knows how to deinitialize vars, so we\n\tshould probably need to add a r_config_free_payload callback */\n\tr_cons_free ();\n\tr_cons_singleton ()->teefile = NULL; // HACK\n\tr_search_free (c->search);\n\tr_flag_free (c->flags);\n\tr_fs_free (c->fs);\n\tr_egg_free (c->egg);\n\tr_lib_free (c->lib);\n\tr_buf_free (c->yank_buf);\n\tr_agraph_free (c->graph);\n\tfree (c->asmqjmps);\n\tsdb_free (c->sdb);\n\tr_core_log_free (c->log);\n\tr_parse_free (c->parser);\n\tfree (c->times);\n}", "project": "radare2", "hash": 307897061826018138760096537879143991047, "size": 63, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 1, "dataset": "other", "idx": 195727 }, { "func": "R_API void r_core_fini(RCore *c) {\n\tif (!c) {\n\t\treturn;\n\t}\n\tr_core_task_break_all (&c->tasks);\n\tr_core_task_join (&c->tasks, NULL, -1);\n\tr_core_wait (c);\n\t/* TODO: it leaks as shit */\n\t//update_sdb (c);\n\t// avoid double free\n\tr_list_free (c->ropchain);\n\tr_event_free (c->ev);\n\tfree (c->cmdlog);\n\tfree (c->lastsearch);\n\tR_FREE (c->cons->pager);\n\tfree (c->cmdqueue);\n\tfree (c->lastcmd);\n\tfree (c->stkcmd);\n\tr_list_free (c->visual.tabs);\n\tfree (c->block);\n\tr_core_autocomplete_free 
(c->autocomplete);\n\n\tr_list_free (c->gadgets);\n\tr_list_free (c->undos);\n\tr_num_free (c->num);\n\t// TODO: sync or not? sdb_sync (c->sdb);\n\t// TODO: sync all dbs?\n\t//r_core_file_free (c->file);\n\t//c->file = NULL;\n\tR_FREE (c->table_query);\n\tr_list_free (c->files);\n\tr_list_free (c->watchers);\n\tr_list_free (c->scriptstack);\n\tr_core_task_scheduler_fini (&c->tasks);\n\tc->rcmd = r_cmd_free (c->rcmd);\n\tr_list_free (c->cmd_descriptors);\n\tc->anal = r_anal_free (c->anal);\n\tr_asm_free (c->assembler);\n\tc->assembler = NULL;\n\tc->print = r_print_free (c->print);\n\tc->bin = (r_bin_free (c->bin), NULL);\n\tc->lang = (r_lang_free (c->lang), NULL);\n\tc->dbg = (r_debug_free (c->dbg), NULL);\n\tr_io_free (c->io);\n\tr_config_free (c->config);\n\t/* after r_config_free, the value of I.teefile is trashed */\n\t/* rconfig doesnt knows how to deinitialize vars, so we\n\tshould probably need to add a r_config_free_payload callback */\n\tr_cons_free ();\n\tr_cons_singleton ()->teefile = NULL; // HACK\n\tr_search_free (c->search);\n\tr_flag_free (c->flags);\n\tr_fs_free (c->fs);\n\tr_egg_free (c->egg);\n\tr_lib_free (c->lib);\n\tr_buf_free (c->yank_buf);\n\tr_agraph_free (c->graph);\n\tfree (c->asmqjmps);\n\tsdb_free (c->sdb);\n\tr_core_log_free (c->log);\n\tr_parse_free (c->parser);\n\tfree (c->times);\n}", "project": "radare2", "hash": 120305734667673744603788082192514109384, "size": 63, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232153 }, { "func": "static int sctp_getsockopt_scheduler_value(struct sock *sk, int len,\n\t\t\t\t\t char __user *optval,\n\t\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_stream_value params;\n\tstruct sctp_association *asoc;\n\tint retval = -EFAULT;\n\n\tif (len < sizeof(params)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tlen = sizeof(params);\n\tif (copy_from_user(¶ms, optval, len))\n\t\tgoto 
out;\n\n\tasoc = sctp_id2assoc(sk, params.assoc_id);\n\tif (!asoc) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tretval = sctp_sched_get_value(asoc, params.stream_id,\n\t\t\t\t ¶ms.stream_value);\n\tif (retval)\n\t\tgoto out;\n\n\tif (put_user(len, optlen)) {\n\t\tretval = -EFAULT;\n\t\tgoto out;\n\t}\n\n\tif (copy_to_user(optval, ¶ms, len)) {\n\t\tretval = -EFAULT;\n\t\tgoto out;\n\t}\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 235695585444535554730846294370975544233, "size": 41, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398158 }, { "func": " NodeInfo() : NodeInfo(-1) {}", "project": "tensorflow", "hash": 311499846850306839784704005306769006170, "size": 1, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. 
Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268345 }, { "func": "const char*oidc_request_state_get(request_rec *r, const char *key) {\n\n\t/* get a handle to the global state, which is a table */\n\tapr_table_t *state = oidc_request_state(r);\n\n\t/* return the value from the table */\n\treturn apr_table_get(state, key);\n}", "project": "mod_auth_openidc", "hash": 184220510696078148203480933033593616325, "size": 8, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447702 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::handlePreRenderTasks()\n{\n ASSERT(isAudioThread());\n\n if (tryLock()) {\n updateChangedChannelCountMode();\n\n handleDirtyAudioSummingJunctions();\n handleDirtyAudioNodeOutputs();\n\n updateAutomaticPullNodes();\n resolvePromisesForResume();\n\n handleStoppableSourceNodes();\n\n m_cachedSampleFrame = currentSampleFrame();\n\n unlock();\n }\n}\n", "cwe": "", "big_vul_idx": 139661, "idx": 124811, "hash": 124038923141452819460616609091207915474 }, { "func": "static int sctp_setsockopt_scheduler_value(struct sock *sk,\n\t\t\t\t\t struct sctp_stream_value *params,\n\t\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_association *asoc;\n\tint retval = -EINVAL;\n\n\tif (optlen < sizeof(*params))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params->assoc_id);\n\tif (!asoc && params->assoc_id != SCTP_CURRENT_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\tgoto 
out;\n\n\tif (asoc) {\n\t\tretval = sctp_sched_set_value(asoc, params->stream_id,\n\t\t\t\t\t params->stream_value, GFP_KERNEL);\n\t\tgoto out;\n\t}\n\n\tretval = 0;\n\n\tlist_for_each_entry(asoc, &sctp_sk(sk)->ep->asocs, asocs) {\n\t\tint ret = sctp_sched_set_value(asoc, params->stream_id,\n\t\t\t\t\t params->stream_value,\n\t\t\t\t\t GFP_KERNEL);\n\t\tif (ret && !retval) /* try to return the 1st error. */\n\t\t\tretval = ret;\n\t}\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 107894206774491603761496580972689266224, "size": 34, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398214 }, { "func": " */\nstatic int bfq_max_budget(struct bfq_data *bfqd)\n{\n\tif (bfqd->budgets_assigned < bfq_stats_min_budgets)\n\t\treturn bfq_default_max_budget;\n\telse\n\t\treturn bfqd->bfq_max_budget;", "project": "linux", "hash": 72970519602415105332405873889954581814, "size": 7, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453346 }, { "func": "R_API int r_sys_cmdbg (const char *str) {\n#if __UNIX__\n\tint ret, pid = r_sys_fork ();\n\tif (pid == -1) {\n\t\treturn -1;\n\t}\n\tif (pid) {\n\t\treturn pid;\n\t}\n\tret = r_sandbox_system (str, 0);\n\teprintf (\"{exit: %d, pid: %d, cmd: \\\"%s\\\"}\", ret, pid, str);\n\texit (0);\n\treturn -1;\n#else\n#ifdef _MSC_VER\n#pragma message (\"r_sys_cmdbg is not implemented for this platform\")\n#else\n#warning r_sys_cmdbg is not implemented for this platform\n#endif\n\treturn -1;\n#endif\n}", "project": "radare2", "hash": 271933189772851576559732062132863386614, "size": 22, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix 
read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269032 }, { "func": " bool got_fatal_error()\n {\n return unhandled_errors > 0;\n }", "target": 0, "cwe": [ "CWE-416" ], "project": "server", "commit_id": "0beed9b5e933f0ff79b3bb346524f7a451d14e38", "hash": 12862045268914670379671091968594748946, "size": 4, "message": "MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING\n\nwhen resolving WHERE and ON clauses, do not look in\nSELECT list/aliases.", "dataset": "other", "idx": 514548 }, { "func": "static unsigned int fuse_write_flags(struct kiocb *iocb)\n{\n\tunsigned int flags = iocb->ki_filp->f_flags;\n\n\tif (iocb->ki_flags & IOCB_DSYNC)\n\t\tflags |= O_DSYNC;\n\tif (iocb->ki_flags & IOCB_SYNC)\n\t\tflags |= O_SYNC;\n\n\treturn flags;\n}", "project": "linux", "hash": 126423857046111639931561895964788399757, "size": 11, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341997 }, { "func": "static int _nfs41_proc_get_locations(struct inode *inode,\n\t\t\t\t struct nfs4_fs_locations *locations,\n\t\t\t\t struct page *page, const struct cred *cred)\n{\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\tstruct rpc_clnt *clnt = server->client;\n\tu32 bitmask[2] = {\n\t\t[0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS,\n\t};\n\tstruct nfs4_fs_locations_arg args = {\n\t\t.fh\t\t= NFS_FH(inode),\n\t\t.page\t\t= page,\n\t\t.bitmask\t= bitmask,\n\t\t.migration\t= 1,\t\t/* skip LOOKUP */\n\t};\n\tstruct nfs4_fs_locations_res res = {\n\t\t.fs_locations\t= locations,\n\t\t.migration\t= 1,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc\t= &nfs4_procedures[NFSPROC4_CLNT_FS_LOCATIONS],\n\t\t.rpc_argp\t= &args,\n\t\t.rpc_resp\t= &res,\n\t\t.rpc_cred\t= cred,\n\t};\n\tint status;\n\n\tnfs_fattr_init(&locations->fattr);\n\tlocations->server = server;\n\tlocations->nlocations = 0;\n\n\tnfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 1);\n\tstatus = nfs4_call_sync_sequence(clnt, server, &msg,\n\t\t\t\t\t&args.seq_args, &res.seq_res);\n\tif (status == NFS4_OK &&\n\t res.seq_res.sr_status_flags & SEQ4_STATUS_LEASE_MOVED)\n\t\tstatus = -NFS4ERR_LEASE_MOVED;\n\treturn status;\n}", "project": "linux", "hash": 5058061171879316947362723012483746832, "size": 39, 
"commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431240 }, { "func": " bool parseMixedKey() {\n int len;\n int64_t num;\n if (!parseRawString(&len)) return false;\n auto const start = reinterpret_cast(top);\n auto const slice = folly::StringPiece(start, len);\n start[len] = '\\0';\n if (container_type != JSONContainerType::HACK_ARRAYS &&\n container_type != JSONContainerType::LEGACY_HACK_ARRAYS &&\n is_strictly_integer(start, len, num)) {\n pushInt64(num);\n } else if (auto const str = lookupStaticString(slice)) {\n auto const tv = top++;\n tv->m_type = KindOfPersistentString;\n tv->m_data.pstr = str;\n } else {\n pushStringData(StringData::Make(start, len, CopyString));\n }\n return true;\n }", "project": "hhvm", "hash": 323881348106032157614969635759901660492, "size": 20, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227330 }, { "func": "static string _get_persist_file()\n{\n return Options.filename + \".persist\";\n}", "project": "crawl", "hash": 205597377582803505105954076579503782418, "size": 4, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230519 }, { "func": "int 
blosc_run_decompression_with_context(blosc2_context* context, const void* src, int32_t srcsize,\n void* dest, int32_t destsize) {\n int32_t ntbytes;\n uint8_t* _src = (uint8_t*)src;\n uint8_t version;\n int error;\n\n if (srcsize <= 0) {\n /* Invalid argument */\n return -1;\n }\n version = _src[0]; /* blosc format version */\n if (version > BLOSC_VERSION_FORMAT) {\n /* Version from future */\n return -1;\n }\n\n error = initialize_context_decompression(context, src, srcsize, dest, destsize);\n if (error < 0) {\n return error;\n }\n\n /* Check whether this buffer is memcpy'ed */\n bool memcpyed = context->header_flags & (uint8_t)BLOSC_MEMCPYED;\n if (memcpyed) {\n // Check that sizes in header are compatible, otherwise there is a header corruption\n ntbytes = context->sourcesize;\n int32_t cbytes = sw32_(_src + 12); /* compressed buffer size */\n if (ntbytes + BLOSC_MAX_OVERHEAD != cbytes) {\n return -1;\n }\n // Check that we have enough space in destination for the copy operation\n if (destsize < ntbytes) {\n return -1;\n }\n memcpy(dest, _src + BLOSC_MAX_OVERHEAD, (unsigned int)ntbytes);\n }\n else {\n /* Do the actual decompression */\n ntbytes = do_job(context);\n if (ntbytes < 0) {\n return -1;\n }\n }\n\n assert(ntbytes <= (int32_t)destsize);\n return ntbytes;\n}", "project": "c-blosc2", "hash": 103536174545309179959242783635791098770, "size": 48, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303111 }, { "func": "static void fuse_lookup_init(struct fuse_conn *fc, struct fuse_args *args,\n\t\t\t u64 nodeid, const struct qstr *name,\n\t\t\t struct fuse_entry_out *outarg)\n{\n\tmemset(outarg, 0, sizeof(struct fuse_entry_out));\n\targs->opcode = FUSE_LOOKUP;\n\targs->nodeid = nodeid;\n\targs->in_numargs = 1;\n\targs->in_args[0].size = name->len + 1;\n\targs->in_args[0].value = name->name;\n\targs->out_numargs = 
1;\n\targs->out_args[0].size = sizeof(struct fuse_entry_out);\n\targs->out_args[0].value = outarg;\n}", "project": "linux", "hash": 336495819934515676187069590061775256495, "size": 14, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342049 }, { "func": "static int kvm_s390_vm_get_attr(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tint ret;\n\n\tswitch (attr->group) {\n\tcase KVM_S390_VM_MEM_CTRL:\n\t\tret = kvm_s390_get_mem_control(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_TOD:\n\t\tret = kvm_s390_get_tod(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_CPU_MODEL:\n\t\tret = kvm_s390_get_cpu_model(kvm, attr);\n\t\tbreak;\n\tcase KVM_S390_VM_MIGRATION:\n\t\tret = kvm_s390_vm_get_migration(kvm, attr);\n\t\tbreak;\n\tdefault:\n\t\tret = -ENXIO;\n\t\tbreak;\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 326301220332413447215718410936980130420, "size": 24, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free 
access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354435 }, { "func": "LineBuffer::LineBuffer (Compressor *comp):\n uncompressedData (0),\n buffer (0),\n dataSize (0),\n compressor (comp),\n format (defaultFormat(compressor)),\n number (-1),\n hasException (false),\n exception (),\n _sem (1)\n{\n // empty\n}", "project": "openexr", "hash": 305752957971440795808452602058683987180, "size": 13, "commit_id": "bc88cdb6c97fbf5bc5d11ad8ca55306da931283a", "message": "sanity check ScanlineInput bytesPerLine instead of lineOffset size (#863)\n\nSigned-off-by: Peter Hillman \r\n\r\nCo-authored-by: Cary Phillips ", "target": 0, "dataset": "other", "idx": 446291 }, { "func": "static int kvm_s390_apxa_installed(void)\n{\n\tstruct ap_config_info info;\n\n\tif (ap_instructions_available()) {\n\t\tif (ap_qci(&info) == 0)\n\t\t\treturn info.apxa;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 318182163433677056914084800345476542645, "size": 11, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: 
<20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354412 }, { "func": "bool CClient::OnPingMessage(CMessage& Message) {\n // All PONGs are generated by ZNC. We will still forward this to\n // the ircd, but all PONGs from irc will be blocked.\n if (!Message.GetParams().empty())\n PutClient(\":irc.znc.in PONG irc.znc.in \" + Message.GetParamsColon(0));\n else\n PutClient(\":irc.znc.in PONG irc.znc.in\");\n return false;\n}", "project": "znc", "hash": 84713959520801605396774738380058783968, "size": 9, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231565 }, { "func": "wStream* cliprdr_packet_lock_clipdata_new(const CLIPRDR_LOCK_CLIPBOARD_DATA* lockClipboardData)\n{\n\twStream* s;\n\n\tif (!lockClipboardData)\n\t\treturn NULL;\n\n\ts = cliprdr_packet_new(CB_LOCK_CLIPDATA, 0, 4);\n\n\tif (!s)\n\t\treturn NULL;\n\n\tcliprdr_write_lock_clipdata(s, lockClipboardData);\n\treturn s;\n}", "project": "FreeRDP", "hash": 270930766460030087012414940389050576727, "size": 15, "commit_id": "b73143cf7ee5fe4cdabcbf56908aa15d8a883821", "message": "Fixed oob read in cliprdr_read_format_list", "target": 0, "dataset": "other", "idx": 388306 }, { "func": "static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev,\n\t\t\t\t struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\thci_bdaddr_list_clear(&hdev->le_resolv_list);\n}", "project": "linux", "hash": 100083918213764175001661783300966847611, "size": 12, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. 
A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432011 }, { "func": "static void update_attr(struct vc_data *vc)\n{\n\tvc->vc_attr = build_attr(vc, vc->vc_color, vc->vc_intensity,\n\t vc->vc_blink, vc->vc_underline,\n\t vc->vc_reverse ^ vc->vc_decscnm, vc->vc_italic);\n\tvc->vc_video_erase_char = (build_attr(vc, vc->vc_color, 1, vc->vc_blink, 0, vc->vc_decscnm, 0) << 8) | ' ';\n}", "project": "linux", "hash": 142998841486549655863972193588630395581, "size": 7, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437076 }, { "func": "static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,\n\t\t\t\t u8 reason)\n{\n\tstruct hci_cp_le_conn_param_req_neg_reply cp;\n\n\tcp.handle = cpu_to_le16(handle);\n\tcp.reason = reason;\n\n\thci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),\n\t\t &cp);\n}", "project": "linux", "hash": 214198933632568821385474311872259005218, "size": 11, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431936 }, { "func": "static int getSubsamp(j_decompress_ptr dinfo)\n{\n\tint retval=-1, i, k;\n\n\t/* The sampling factors actually have no meaning with grayscale JPEG files,\n\t and in fact it's possible to generate grayscale JPEGs with sampling\n\t factors > 1 (even though those sampling factors are ignored by the\n\t decompressor.) Thus, we need to treat grayscale as a special case. 
*/\n\tif(dinfo->num_components==1 && dinfo->jpeg_color_space==JCS_GRAYSCALE)\n\t\treturn TJSAMP_GRAY;\n\n\tfor(i=0; inum_components==pixelsize[i]\n\t\t\t|| ((dinfo->jpeg_color_space==JCS_YCCK\n\t\t\t\t|| dinfo->jpeg_color_space==JCS_CMYK)\n\t\t\t\t\t&& pixelsize[i]==3 && dinfo->num_components==4))\n\t\t{\n\t\t\tif(dinfo->comp_info[0].h_samp_factor==tjMCUWidth[i]/8\n\t\t\t\t&& dinfo->comp_info[0].v_samp_factor==tjMCUHeight[i]/8)\n\t\t\t{\n\t\t\t\tint match=0;\n\t\t\t\tfor(k=1; knum_components; k++)\n\t\t\t\t{\n\t\t\t\t\tint href=1, vref=1;\n\t\t\t\t\tif((dinfo->jpeg_color_space==JCS_YCCK\n\t\t\t\t\t\t|| dinfo->jpeg_color_space==JCS_CMYK) && k==3)\n\t\t\t\t\t{\n\t\t\t\t\t\thref=tjMCUWidth[i]/8; vref=tjMCUHeight[i]/8;\n\t\t\t\t\t}\n\t\t\t\t\tif(dinfo->comp_info[k].h_samp_factor==href\n\t\t\t\t\t\t&& dinfo->comp_info[k].v_samp_factor==vref)\n\t\t\t\t\t\tmatch++;\n\t\t\t\t}\n\t\t\t\tif(match==dinfo->num_components-1)\n\t\t\t\t{\n\t\t\t\t\tretval=i; break;\n\t\t\t\t}\n\t\t\t}\n\t\t\t/* Handle 4:2:2 and 4:4:0 images whose sampling factors are specified\n\t\t\t in non-standard ways. */\n\t\t\tif(dinfo->comp_info[0].h_samp_factor==2 &&\n\t\t\t\tdinfo->comp_info[0].v_samp_factor==2 &&\n\t\t\t\t(i==TJSAMP_422 || i==TJSAMP_440))\n\t\t\t{\n\t\t\t\tint match=0;\n\t\t\t\tfor(k=1; knum_components; k++)\n\t\t\t\t{\n\t\t\t\t\tint href=tjMCUHeight[i]/8, vref=tjMCUWidth[i]/8;\n\t\t\t\t\tif((dinfo->jpeg_color_space==JCS_YCCK\n\t\t\t\t\t\t|| dinfo->jpeg_color_space==JCS_CMYK) && k==3)\n\t\t\t\t\t{\n\t\t\t\t\t\thref=vref=2;\n\t\t\t\t\t}\n\t\t\t\t\tif(dinfo->comp_info[k].h_samp_factor==href\n\t\t\t\t\t\t&& dinfo->comp_info[k].v_samp_factor==vref)\n\t\t\t\t\t\tmatch++;\n\t\t\t\t}\n\t\t\t\tif(match==dinfo->num_components-1)\n\t\t\t\t{\n\t\t\t\t\tretval=i; break;\n\t\t\t\t}\n\t\t\t}\n\t\t\t/* Handle 4:4:4 images whose sampling factors are specified in\n\t\t\t non-standard ways. 
*/\n\t\t\tif(dinfo->comp_info[0].h_samp_factor*dinfo->comp_info[0].v_samp_factor<=\n\t\t\t\tD_MAX_BLOCKS_IN_MCU/pixelsize[i] && i==TJSAMP_444)\n\t\t\t{\n\t\t\t\tint match=0;\n\t\t\t\tfor(k=1; knum_components; k++) {\n\t\t\t\t\tif(dinfo->comp_info[i].h_samp_factor==\n\t\t\t\t\t\tdinfo->comp_info[0].h_samp_factor &&\n\t\t\t\t\t\tdinfo->comp_info[i].v_samp_factor==\n\t\t\t\t\t\tdinfo->comp_info[0].v_samp_factor)\n\t\t\t\t\t\tmatch++;\n\t\t\t\t\tif(match==dinfo->num_components-1)\n\t\t\t\t\t{\n\t\t\t\t\t\tretval=i; break;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn retval;\n}", "project": "libjpeg-turbo", "hash": 51854898357855964195558773968133986352, "size": 85, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311116 }, { "func": "bool setup_tables(THD *thd, Name_resolution_context *context,\n List *from_clause, TABLE_LIST *tables,\n List &leaves, bool select_insert,\n bool full_table_list)\n{\n uint tablenr= 0;\n List_iterator ti(leaves);\n TABLE_LIST *table_list;\n\n DBUG_ENTER(\"setup_tables\");\n\n DBUG_ASSERT ((select_insert && !tables->next_name_resolution_table) || !tables || \n (context->table_list && context->first_name_resolution_table));\n /*\n this is used for INSERT ... SELECT.\n For select we setup tables except first (and its underlying tables)\n */\n TABLE_LIST *first_select_table= (select_insert ?\n tables->next_local:\n 0);\n SELECT_LEX *select_lex= select_insert ? 
thd->lex->first_select_lex() :\n thd->lex->current_select;\n if (select_lex->first_cond_optimization)\n {\n leaves.empty();\n if (select_lex->prep_leaf_list_state != SELECT_LEX::SAVED)\n {\n make_leaves_list(thd, leaves, tables, full_table_list, first_select_table);\n select_lex->prep_leaf_list_state= SELECT_LEX::READY;\n select_lex->leaf_tables_exec.empty();\n }\n else\n {\n List_iterator_fast ti(select_lex->leaf_tables_prep);\n while ((table_list= ti++))\n leaves.push_back(table_list, thd->mem_root);\n }\n \n while ((table_list= ti++))\n {\n TABLE *table= table_list->table;\n if (table)\n table->pos_in_table_list= table_list;\n if (first_select_table &&\n table_list->top_table() == first_select_table)\n {\n /* new counting for SELECT of INSERT ... SELECT command */\n first_select_table= 0;\n thd->lex->first_select_lex()->insert_tables= tablenr;\n tablenr= 0;\n }\n if(table_list->jtbm_subselect)\n {\n table_list->jtbm_table_no= tablenr;\n }\n else if (table)\n {\n table->pos_in_table_list= table_list;\n setup_table_map(table, table_list, tablenr);\n\n if (table_list->process_index_hints(table))\n DBUG_RETURN(1);\n }\n tablenr++;\n /*\n We test the max tables here as we setup_table_map() should not be called\n with tablenr >= 64\n */\n if (tablenr > MAX_TABLES)\n {\n my_error(ER_TOO_MANY_TABLES,MYF(0), static_cast(MAX_TABLES));\n DBUG_RETURN(1);\n }\n }\n }\n else\n { \n List_iterator_fast ti(select_lex->leaf_tables_exec);\n select_lex->leaf_tables.empty();\n while ((table_list= ti++))\n {\n if(table_list->jtbm_subselect)\n {\n table_list->jtbm_table_no= table_list->tablenr_exec;\n }\n else\n {\n table_list->table->tablenr= table_list->tablenr_exec;\n table_list->table->map= table_list->map_exec;\n table_list->table->maybe_null= table_list->maybe_null_exec;\n table_list->table->pos_in_table_list= table_list;\n if (table_list->process_index_hints(table_list->table))\n DBUG_RETURN(1);\n }\n select_lex->leaf_tables.push_back(table_list);\n }\n } \n\n for (table_list= 
tables;\n table_list;\n table_list= table_list->next_local)\n {\n if (table_list->merge_underlying_list)\n {\n DBUG_ASSERT(table_list->is_merged_derived());\n Query_arena *arena, backup;\n arena= thd->activate_stmt_arena_if_needed(&backup);\n bool res;\n res= table_list->setup_underlying(thd);\n if (arena)\n thd->restore_active_arena(arena, &backup);\n if (res)\n DBUG_RETURN(1);\n }\n\n if (table_list->jtbm_subselect)\n {\n Item *item= table_list->jtbm_subselect->optimizer;\n if (!table_list->jtbm_subselect->optimizer->fixed &&\n table_list->jtbm_subselect->optimizer->fix_fields(thd, &item))\n {\n my_error(ER_TOO_MANY_TABLES,MYF(0), static_cast(MAX_TABLES)); /* psergey-todo: WHY ER_TOO_MANY_TABLES ???*/\n DBUG_RETURN(1);\n }\n DBUG_ASSERT(item == table_list->jtbm_subselect->optimizer);\n }\n }\n\n /* Precompute and store the row types of NATURAL/USING joins. */\n if (setup_natural_join_row_types(thd, from_clause, context))\n DBUG_RETURN(1);\n\n DBUG_RETURN(0);\n}", "target": 0, "cwe": [ "CWE-416" ], "project": "server", "commit_id": "0beed9b5e933f0ff79b3bb346524f7a451d14e38", "hash": 86773489602328879098383491229219552240, "size": 134, "message": "MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING\n\nwhen resolving WHERE and ON clauses, do not look in\nSELECT list/aliases.", "dataset": "other", "idx": 514555 }, { "func": "static void cmd_list(char *arg1, char *arg2)\n{\n if (!arg1)\n\targ1 = \"active\";\n else\n\tlcase(arg1);\n\n if (!strcmp(arg1, \"active\")) {\n\tchar pattern[MAX_MAILBOX_BUFFER];\n\tstruct list_rock lrock;\n\tstruct enum_rock erock;\n\n\tif (!arg2) arg2 = \"*\";\n\n\terock.cmd = \"ACTIVE\";\n\terock.wild = xstrdup(arg2); /* make a copy before we munge it */\n\n\tlrock.proc = do_active;\n\tlrock.wild = split_wildmats(arg2); /* split the list of wildmats */\n\n\t/* xxx better way to determine a size for this table? 
*/\n\tconstruct_hash_table(&lrock.server_table, 10, 1);\n\n\tprot_printf(nntp_out, \"215 List of newsgroups follows:\\r\\n\");\n\n\tstrcpy(pattern, newsprefix);\n\tstrcat(pattern, \"*\");\n\tlist_cb(NULL, 0, 0, NULL);\n\tmboxlist_findall(NULL, pattern, 0, nntp_userid, nntp_authstate,\n\t\t\t list_cb, &lrock);\n\n\t/* proxy to the backends */\n\thash_enumerate(&lrock.server_table, list_proxy, &erock);\n\n\tprot_printf(nntp_out, \".\\r\\n\");\n\n\t/* free the hash table */\n\tfree_hash_table(&lrock.server_table, NULL);\n\n\t/* free the wildmats */\n\tfree_wildmats(lrock.wild);\n\tfree(erock.wild);\n\n\tif (group_state)\n\t index_close(&group_state);\n }\n else if (!(nntp_capa & MODE_READ)) {\n\tprot_printf(nntp_out, \"502 Permission denied\\r\\n\");\n\treturn;\n }\n else if (!nntp_userid && !allowanonymous) {\n\tprot_printf(nntp_out, \"480 Authentication required\\r\\n\");\n\treturn;\n }\n else if (!strcmp(arg1, \"headers\")) {\n\tif (arg2 && strcmp(arg2, \"msgid\") && strcmp(arg2, \"range\")) {\n\t prot_printf(nntp_out, \"501 Unexpected extra argument\\r\\n\");\n\t return;\n\t}\n\n\tprot_printf(nntp_out, \"215 Header and metadata list follows:\\r\\n\");\n\tprot_printf(nntp_out, \":\\r\\n\"); /* all headers */\n\tprot_printf(nntp_out, \":bytes\\r\\n\");\n\tprot_printf(nntp_out, \":lines\\r\\n\");\n\tprot_printf(nntp_out, \".\\r\\n\");\n }\n else if (!strcmp(arg1, \"newsgroups\")) {\n\tchar pattern[MAX_MAILBOX_BUFFER];\n\tstruct list_rock lrock;\n\tstruct enum_rock erock;\n\n\tif (!arg2) arg2 = \"*\";\n\n\terock.cmd = \"NEWSGROUPS\";\n\terock.wild = xstrdup(arg2); /* make a copy before we munge it */\n\n\tlrock.proc = do_newsgroups;\n\tlrock.wild = split_wildmats(arg2); /* split the list of wildmats */\n\n\t/* xxx better way to determine a size for this table? 
*/\n\tconstruct_hash_table(&lrock.server_table, 10, 1);\n\n\tprot_printf(nntp_out, \"215 List of newsgroups follows:\\r\\n\");\n\n\tstrcpy(pattern, newsprefix);\n\tstrcat(pattern, \"*\");\n\tlist_cb(NULL, 0, 0, NULL);\n\tmboxlist_findall(NULL, pattern, 0, nntp_userid, nntp_authstate,\n\t\t\t list_cb, &lrock);\n\n\t/* proxy to the backends */\n\thash_enumerate(&lrock.server_table, list_proxy, &erock);\n\n\tstrcpy(pattern, newsprefix);\n\tstrcat(pattern, \"*\");\n\tannotatemore_findall(pattern, 0, \"/comment\",\n\t\t\t newsgroups_cb, lrock.wild);\n\n\tprot_printf(nntp_out, \".\\r\\n\");\n\n\t/* free the hash table */\n\tfree_hash_table(&lrock.server_table, NULL);\n\n\t/* free the wildmats */\n\tfree_wildmats(lrock.wild);\n\tfree(erock.wild);\n }\n else if (!strcmp(arg1, \"overview.fmt\")) {\n\tif (arg2) {\n\t prot_printf(nntp_out, \"501 Unexpected extra argument\\r\\n\");\n\t return;\n\t}\n\n\tprot_printf(nntp_out, \"215 Order of overview fields follows:\\r\\n\");\n\tprot_printf(nntp_out, \"Subject:\\r\\n\");\n\tprot_printf(nntp_out, \"From:\\r\\n\");\n\tprot_printf(nntp_out, \"Date:\\r\\n\");\n\tprot_printf(nntp_out, \"Message-ID:\\r\\n\");\n\tprot_printf(nntp_out, \"References:\\r\\n\");\n\tif (did_capabilities) {\n\t /* new OVER format */\n\t prot_printf(nntp_out, \":bytes\\r\\n\");\n\t prot_printf(nntp_out, \":lines\\r\\n\");\n\t} else {\n\t /* old XOVER format */\n\t prot_printf(nntp_out, \"Bytes:\\r\\n\");\n\t prot_printf(nntp_out, \"Lines:\\r\\n\");\n\t}\n\tprot_printf(nntp_out, \"Xref:full\\r\\n\");\n\tprot_printf(nntp_out, \".\\r\\n\");\n }\n else if (!strcmp(arg1, \"active.times\") || !strcmp(arg1, \"distributions\") ||\n\t !strcmp(arg1, \"distrib.pats\")) {\n\tprot_printf(nntp_out, \"503 Unsupported LIST command\\r\\n\");\n }\n else {\n\tprot_printf(nntp_out, \"501 Unrecognized LIST command\\r\\n\");\n }\n prot_flush(nntp_out);\n}", "project": "cyrus-imapd", "hash": 126332938661817919940122136381197015579, "size": 140, "commit_id": 
"0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451898 }, { "func": "static int64_t _intsetGet(intset *is, int pos) {\n return _intsetGetEncoded(is,pos,intrev32ifbe(is->encoding));\n}", "project": "redis", "hash": 198282080164266039734319403761120143239, "size": 3, "commit_id": "789f10156009b404950ad717642a9496ed887083", "message": "Fix integer overflow in intset (CVE-2021-29478)\n\nAn integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and\npotentially result with remote code execution.\n\nThe vulnerability involves changing the default set-max-intset-entries\nconfiguration value, creating a large set key that consists of integer values\nand using the COPY command to duplicate it.\n\nThe integer overflow bug exists in all versions of Redis starting with 2.6,\nwhere it could result with a corrupted RDB or DUMP payload, but not exploited\nthrough COPY (which did not exist before 6.2).\n\n(cherry picked from commit 29900d4e6bccdf3691bedf0ea9a5d84863fa3592)", "target": 0, "dataset": "other", "idx": 290644 }, { "func": "DLLEXPORT unsigned long DLLCALL TJBUFSIZEYUV(int width, int height,\n\tint subsamp)\n{\n\treturn tjBufSizeYUV(width, height, subsamp);\n}", "project": "libjpeg-turbo", "hash": 310297053767962811628477991222892517824, "size": 5, "commit_id": "dab6be4cfb2f9307b5378d2d1dc74d9080383dc2", "message": "tjDecompressToYUV*(): Fix OOB write/double free\n\n... 
when attempting to decompress grayscale JPEG images with sampling\nfactors != 1.\n\nFixes #387", "target": 0, "dataset": "other", "idx": 311124 }, { "func": "static void hci_cc_read_local_pairing_opts(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_rp_read_local_pairing_opts *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\tif (hci_dev_test_flag(hdev, HCI_SETUP) ||\n\t hci_dev_test_flag(hdev, HCI_CONFIG)) {\n\t\thdev->pairing_opts = rp->pairing_opts;\n\t\thdev->max_enc_key_size = rp->max_key_size;\n\t}\n}", "project": "linux", "hash": 223441115630578122872978840902047135435, "size": 16, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431972 }, { "func": " static inline ShapeArray TensorShapeToVector(const TensorShape& shape) {\n ShapeArray vec(shape.dims());\n for (int i = 0; i < shape.dims(); ++i) vec[i] = shape.dim_size(i);\n return vec;\n }", "project": "tensorflow", "hash": 89137838085698682724006635713094970925, "size": 5, "commit_id": "8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseSplit`.\n\nPiperOrigin-RevId: 371242872\nChange-Id: I482bb3d12602c7c3cc9446f97fb9f584bb98e9a4", "target": 0, "dataset": "other", "idx": 277012 }, { "project": "Chrome", "commit_id": 
"6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::derefUnfinishedSourceNodes()\n{\n ASSERT(isMainThread());\n for (unsigned i = 0; i < m_referencedNodes.size(); ++i)\n m_referencedNodes.at(i)->breakConnection();\n\n m_referencedNodes.clear();\n}\n", "cwe": "", "big_vul_idx": 139653, "idx": 124803, "hash": 200781828297569947244585088739669112604 }, { "func": "int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,\n\t\t\t\tstruct nfs_fattr *fattr, struct nfs4_label *label,\n\t\t\t\tstruct inode *inode)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\tdo {\n\t\terr = _nfs4_proc_getattr(server, fhandle, fattr, label, inode);\n\t\ttrace_nfs4_getattr(server, fhandle, fattr, err);\n\t\terr = nfs4_handle_exception(server, err,\n\t\t\t\t&exception);\n\t} while (exception.retry);\n\treturn err;\n}", "project": "linux", "hash": 56717132743202226932925784436524716180, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430997 }, { "func": "static bool prepare_sum_aggregators(Item_sum **func_ptr, bool need_distinct)\n{\n Item_sum *func;\n DBUG_ENTER(\"prepare_sum_aggregators\");\n while ((func= *(func_ptr++)))\n {\n if (func->set_aggregator(need_distinct && func->has_with_distinct() ?\n Aggregator::DISTINCT_AGGREGATOR :\n Aggregator::SIMPLE_AGGREGATOR))\n DBUG_RETURN(TRUE);\n }\n DBUG_RETURN(FALSE);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 180092951950280105377570332605887845314, 
"size": 13, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508432 }, { "func": "sudoers_policy_invalidate(int unlinkit)\n{\n debug_decl(sudoers_policy_invalidate, SUDOERS_DEBUG_PLUGIN);\n\n user_cmnd = \"kill\";\n /* XXX - plugin API should support a return value for fatal errors. 
*/\n timestamp_remove(unlinkit);\n sudoers_cleanup();\n\n debug_return;\n}", "project": "sudo", "hash": 26599908442321872282845871764563506060, "size": 11, "commit_id": "c4d384082fdbc8406cf19e08d05db4cded920a55", "message": "Add sudoedit flag checks in plugin that are consistent with front-end.\nDon't assume the sudo front-end is sending reasonable mode flags.\nThese checks need to be kept consistent between the sudo front-end\nand the sudoers plugin.", "target": 0, "dataset": "other", "idx": 356723 }, { "func": "parse_bool(const char *line, int varlen, int *flags, int fval)\n{\n debug_decl(parse_bool, SUDOERS_DEBUG_PLUGIN);\n\n switch (sudo_strtobool(line + varlen + 1)) {\n case true:\n\tSET(*flags, fval);\n\tdebug_return_int(true);\n case false:\n\tCLR(*flags, fval);\n\tdebug_return_int(false);\n default:\n\tsudo_warn(U_(\"invalid %.*s set by sudo front-end\"),\n\t varlen, line);\n\tdebug_return_int(-1);\n }\n}", "project": "sudo", "hash": 135536649514318810572997201178077843245, "size": 17, "commit_id": "c4d384082fdbc8406cf19e08d05db4cded920a55", "message": "Add sudoedit flag checks in plugin that are consistent with front-end.\nDon't assume the sudo front-end is sending reasonable mode flags.\nThese checks need to be kept consistent between the sudo front-end\nand the sudoers plugin.", "target": 0, "dataset": "other", "idx": 356727 }, { "func": "static void power_pmu_del(struct perf_event *event, int ef_flags)\n{\n\tstruct cpu_hw_events *cpuhw;\n\tlong i;\n\tunsigned long flags;\n\n\tlocal_irq_save(flags);\n\tperf_pmu_disable(event->pmu);\n\n\tpower_pmu_read(event);\n\n\tcpuhw = this_cpu_ptr(&cpu_hw_events);\n\tfor (i = 0; i < cpuhw->n_events; ++i) {\n\t\tif (event == cpuhw->event[i]) {\n\t\t\twhile (++i < cpuhw->n_events) {\n\t\t\t\tcpuhw->event[i-1] = cpuhw->event[i];\n\t\t\t\tcpuhw->events[i-1] = cpuhw->events[i];\n\t\t\t\tcpuhw->flags[i-1] = cpuhw->flags[i];\n\t\t\t}\n\t\t\t--cpuhw->n_events;\n\t\t\tppmu->disable_pmc(event->hw.idx - 1, 
&cpuhw->mmcr);\n\t\t\tif (event->hw.idx) {\n\t\t\t\twrite_pmc(event->hw.idx, 0);\n\t\t\t\tevent->hw.idx = 0;\n\t\t\t}\n\t\t\tperf_event_update_userpage(event);\n\t\t\tbreak;\n\t\t}\n\t}\n\tfor (i = 0; i < cpuhw->n_limited; ++i)\n\t\tif (event == cpuhw->limited_counter[i])\n\t\t\tbreak;\n\tif (i < cpuhw->n_limited) {\n\t\twhile (++i < cpuhw->n_limited) {\n\t\t\tcpuhw->limited_counter[i-1] = cpuhw->limited_counter[i];\n\t\t\tcpuhw->limited_hwidx[i-1] = cpuhw->limited_hwidx[i];\n\t\t}\n\t\t--cpuhw->n_limited;\n\t}\n\tif (cpuhw->n_events == 0) {\n\t\t/* disable exceptions if no events are running */\n\t\tcpuhw->mmcr.mmcr0 &= ~(MMCR0_PMXE | MMCR0_FCECE);\n\t}\n\n\tif (has_branch_stack(event))\n\t\tpower_pmu_bhrb_disable(event);\n\n\tperf_pmu_enable(event->pmu);\n\tlocal_irq_restore(flags);\n}", "project": "linux", "hash": 284649461447120373441215152716663829954, "size": 50, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. 
This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374706 }, { "func": "static long kvm_dev_ioctl(struct file *filp,\n\t\t\t unsigned int ioctl, unsigned long arg)\n{\n\tlong r = -EINVAL;\n\n\tswitch (ioctl) {\n\tcase KVM_GET_API_VERSION:\n\t\tif (arg)\n\t\t\tgoto out;\n\t\tr = KVM_API_VERSION;\n\t\tbreak;\n\tcase KVM_CREATE_VM:\n\t\tr = kvm_dev_ioctl_create_vm(arg);\n\t\tbreak;\n\tcase KVM_CHECK_EXTENSION:\n\t\tr = kvm_vm_ioctl_check_extension_generic(NULL, arg);\n\t\tbreak;\n\tcase KVM_GET_VCPU_MMAP_SIZE:\n\t\tif (arg)\n\t\t\tgoto out;\n\t\tr = PAGE_SIZE; /* struct kvm_run */\n#ifdef CONFIG_X86\n\t\tr += PAGE_SIZE; /* pio data page */\n#endif\n#ifdef CONFIG_KVM_MMIO\n\t\tr += PAGE_SIZE; /* coalesced mmio ring page */\n#endif\n\t\tbreak;\n\tcase KVM_TRACE_ENABLE:\n\tcase KVM_TRACE_PAUSE:\n\tcase KVM_TRACE_DISABLE:\n\t\tr = -EOPNOTSUPP;\n\t\tbreak;\n\tdefault:\n\t\treturn kvm_arch_dev_ioctl(filp, ioctl, arg);\n\t}\nout:\n\treturn r;\n}", "project": "linux", "hash": 160255255993308046964136215299316695229, "size": 39, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically 
size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354594 }, { "func": "static void dump_object_metadata(struct req_state * const s,\n\t\t\t\t const map& attrs)\n{\n map response_attrs;\n\n for (auto kv : attrs) {\n const char * name = kv.first.c_str();\n const auto aiter = rgw_to_http_attrs.find(name);\n\n if (aiter != std::end(rgw_to_http_attrs)) {\n response_attrs[aiter->second] = rgw_bl_str(kv.second);\n } else if (strcmp(name, RGW_ATTR_SLO_UINDICATOR) == 0) {\n // this attr has an extra length prefix from encode() in prior versions\n dump_header(s, \"X-Object-Meta-Static-Large-Object\", \"True\");\n } else if (strncmp(name, RGW_ATTR_META_PREFIX,\n\t\t sizeof(RGW_ATTR_META_PREFIX)-1) == 0) {\n name += sizeof(RGW_ATTR_META_PREFIX) - 1;\n dump_header_prefixed(s, \"X-Object-Meta-\",\n camelcase_dash_http_attr(name), kv.second);\n }\n }\n\n /* Handle override and fallback for Content-Disposition HTTP header.\n * At the moment this will be used only by TempURL of the Swift API. 
*/\n const auto cditer = rgw_to_http_attrs.find(RGW_ATTR_CONTENT_DISP);\n if (cditer != std::end(rgw_to_http_attrs)) {\n const auto& name = cditer->second;\n\n if (!s->content_disp.override.empty()) {\n response_attrs[name] = s->content_disp.override;\n } else if (!s->content_disp.fallback.empty()\n && response_attrs.find(name) == std::end(response_attrs)) {\n response_attrs[name] = s->content_disp.fallback;\n }\n }\n\n for (const auto kv : response_attrs) {\n dump_header(s, kv.first, kv.second);\n }\n\n const auto iter = attrs.find(RGW_ATTR_DELETE_AT);\n if (iter != std::end(attrs)) {\n utime_t delete_at;\n try {\n decode(delete_at, iter->second);\n if (!delete_at.is_zero()) {\n dump_header(s, \"X-Delete-At\", delete_at.sec());\n }\n } catch (buffer::error& err) {\n ldout(s->cct, 0) << \"ERROR: cannot decode object's \" RGW_ATTR_DELETE_AT\n \" attr, ignoring\"\n << dendl;\n }\n }\n}", "project": "ceph", "hash": 87872759312635016101956434691757074969, "size": 55, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448837 }, { "func": "static inline void tcp_fast_path_on(struct tcp_sock *tp)\n{\n\t__tcp_fast_path_on(tp, tp->snd_wnd >> tp->rx_opt.snd_wscale);\n}", "project": "linux", "hash": 206411351515298193787714825357381719326, "size": 4, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh 
skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410759 }, { "func": "static int kvm_s390_get_machine_subfunc(struct kvm *kvm,\n\t\t\t\t\tstruct kvm_device_attr *attr)\n{\n\tif (copy_to_user((void __user *)attr->addr, &kvm_s390_available_subfunc,\n\t sizeof(struct kvm_s390_vm_cpu_subfunc)))\n\t\treturn -EFAULT;\n\n\tVM_EVENT(kvm, 3, \"GET: host PLO subfunc 0x%16.16lx.%16.16lx.%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.plo)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.plo)[1],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.plo)[2],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.plo)[3]);\n\tVM_EVENT(kvm, 3, \"GET: host PTFF subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.ptff)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.ptff)[1]);\n\tVM_EVENT(kvm, 3, \"GET: host KMAC subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.kmac)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.kmac)[1]);\n\tVM_EVENT(kvm, 3, \"GET: host KMC subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.kmc)[0],\n\t\t 
((unsigned long *) &kvm_s390_available_subfunc.kmc)[1]);\n\tVM_EVENT(kvm, 3, \"GET: host KM subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.km)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.km)[1]);\n\tVM_EVENT(kvm, 3, \"GET: host KIMD subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.kimd)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.kimd)[1]);\n\tVM_EVENT(kvm, 3, \"GET: host KLMD subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.klmd)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.klmd)[1]);\n\tVM_EVENT(kvm, 3, \"GET: host PCKMO subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.pckmo)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.pckmo)[1]);\n\tVM_EVENT(kvm, 3, \"GET: host KMCTR subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.kmctr)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.kmctr)[1]);\n\tVM_EVENT(kvm, 3, \"GET: host KMF subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.kmf)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.kmf)[1]);\n\tVM_EVENT(kvm, 3, \"GET: host KMO subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.kmo)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.kmo)[1]);\n\tVM_EVENT(kvm, 3, \"GET: host PCC subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.pcc)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.pcc)[1]);\n\tVM_EVENT(kvm, 3, \"GET: host PPNO subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.ppno)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.ppno)[1]);\n\tVM_EVENT(kvm, 3, \"GET: host KMA subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.kma)[0],\n\t\t ((unsigned long *) 
&kvm_s390_available_subfunc.kma)[1]);\n\tVM_EVENT(kvm, 3, \"GET: host KDSA subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.kdsa)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.kdsa)[1]);\n\tVM_EVENT(kvm, 3, \"GET: host SORTL subfunc 0x%16.16lx.%16.16lx.%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.sortl)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.sortl)[1],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.sortl)[2],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.sortl)[3]);\n\tVM_EVENT(kvm, 3, \"GET: host DFLTCC subfunc 0x%16.16lx.%16.16lx.%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.dfltcc)[0],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.dfltcc)[1],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.dfltcc)[2],\n\t\t ((unsigned long *) &kvm_s390_available_subfunc.dfltcc)[3]);\n\n\treturn 0;\n}", "project": "linux", "hash": 222607716446035078916192550698824747490, "size": 67, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354733 }, { "func": "static void bcf_set_variant_type(const char *ref, const char *alt, variant_t *var)\n{\n if ( *alt == '*' && !alt[1] ) { var->n = 0; var->type = VCF_OVERLAP; return; } // overlapping variant\n\n // The most frequent 
case\n if ( !ref[1] && !alt[1] )\n {\n if ( *alt == '.' || *ref==*alt ) { var->n = 0; var->type = VCF_REF; return; }\n if ( *alt == 'X' ) { var->n = 0; var->type = VCF_REF; return; } // mpileup's X allele shouldn't be treated as variant\n var->n = 1; var->type = VCF_SNP; return;\n }\n if ( alt[0]=='<' )\n {\n if ( alt[1]=='X' && alt[2]=='>' ) { var->n = 0; var->type = VCF_REF; return; } // mpileup's X allele shouldn't be treated as variant\n if ( alt[1]=='*' && alt[2]=='>' ) { var->n = 0; var->type = VCF_REF; return; }\n if ( !strcmp(\"NON_REF>\",alt+1) ) { var->n = 0; var->type = VCF_REF; return; }\n var->type = VCF_OTHER;\n return;\n }\n\n const char *r = ref, *a = alt;\n while (*r && *a && toupper_c(*r)==toupper_c(*a) ) { r++; a++; } // unfortunately, matching REF,ALT case is not guaranteed\n\n if ( *a && !*r )\n {\n if ( *a==']' || *a=='[' ) { var->type = VCF_BND; return; }\n while ( *a ) a++;\n var->n = (a-alt)-(r-ref); var->type = VCF_INDEL; return;\n }\n else if ( *r && !*a )\n {\n while ( *r ) r++;\n var->n = (a-alt)-(r-ref); var->type = VCF_INDEL; return;\n }\n else if ( !*r && !*a )\n {\n var->n = 0; var->type = VCF_REF; return;\n }\n\n const char *re = r, *ae = a;\n while ( re[1] ) re++;\n while ( ae[1] ) ae++;\n while ( re>r && ae>a && toupper_c(*re)==toupper_c(*ae) ) { re--; ae--; }\n if ( ae==a )\n {\n if ( re==r ) { var->n = 1; var->type = VCF_SNP; return; }\n var->n = -(re-r);\n if ( toupper_c(*re)==toupper_c(*ae) ) { var->type = VCF_INDEL; return; }\n var->type = VCF_OTHER; return;\n }\n else if ( re==r )\n {\n var->n = ae-a;\n if ( toupper_c(*re)==toupper_c(*ae) ) { var->type = VCF_INDEL; return; }\n var->type = VCF_OTHER; return;\n }\n\n var->type = ( re-r == ae-a ) ? VCF_MNP : VCF_OTHER;\n var->n = ( re-r > ae-a ) ? 
-(re-r+1) : ae-a+1;\n\n // should do also complex events, SVs, etc...\n}", "project": "htslib", "hash": 120651341140215659333047020067653713819, "size": 62, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402172 }, { "func": "static int nfs4_map_errors(int err)\n{\n\tif (err >= -1000)\n\t\treturn err;\n\tswitch (err) {\n\tcase -NFS4ERR_RESOURCE:\n\tcase -NFS4ERR_LAYOUTTRYLATER:\n\tcase -NFS4ERR_RECALLCONFLICT:\n\t\treturn -EREMOTEIO;\n\tcase -NFS4ERR_WRONGSEC:\n\tcase -NFS4ERR_WRONG_CRED:\n\t\treturn -EPERM;\n\tcase -NFS4ERR_BADOWNER:\n\tcase -NFS4ERR_BADNAME:\n\t\treturn -EINVAL;\n\tcase -NFS4ERR_SHARE_DENIED:\n\t\treturn -EACCES;\n\tcase -NFS4ERR_MINOR_VERS_MISMATCH:\n\t\treturn -EPROTONOSUPPORT;\n\tcase -NFS4ERR_FILE_OPEN:\n\t\treturn -EBUSY;\n\tdefault:\n\t\tdprintk(\"%s could not handle NFSv4 error %d\\n\",\n\t\t\t\t__func__, -err);\n\t\tbreak;\n\t}\n\treturn -EIO;\n}", "project": "linux", "hash": 223711413361745064956290635098981696092, "size": 28, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431324 }, { "func": "void input_reset_device(struct input_dev *dev)\n{\n\tunsigned long 
flags;\n\n\tmutex_lock(&dev->mutex);\n\tspin_lock_irqsave(&dev->event_lock, flags);\n\n\tinput_dev_toggle(dev, true);\n\tinput_dev_release_keys(dev);\n\n\tspin_unlock_irqrestore(&dev->event_lock, flags);\n\tmutex_unlock(&dev->mutex);\n}", "project": "linux", "hash": 41636468543646223245260427509520931514, "size": 13, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353315 }, { "func": "static unsigned int input_estimate_events_per_packet(struct input_dev *dev)\n{\n\tint mt_slots;\n\tint i;\n\tunsigned int events;\n\n\tif (dev->mt) {\n\t\tmt_slots = dev->mt->num_slots;\n\t} else if (test_bit(ABS_MT_TRACKING_ID, dev->absbit)) {\n\t\tmt_slots = dev->absinfo[ABS_MT_TRACKING_ID].maximum -\n\t\t\t dev->absinfo[ABS_MT_TRACKING_ID].minimum + 1,\n\t\tmt_slots = clamp(mt_slots, 2, 32);\n\t} else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) {\n\t\tmt_slots = 2;\n\t} else {\n\t\tmt_slots = 0;\n\t}\n\n\tevents = mt_slots + 1; /* count SYN_MT_REPORT and SYN_REPORT */\n\n\tif (test_bit(EV_ABS, dev->evbit))\n\t\tfor_each_set_bit(i, dev->absbit, ABS_CNT)\n\t\t\tevents += input_is_mt_axis(i) ? 
mt_slots : 1;\n\n\tif (test_bit(EV_REL, dev->evbit))\n\t\tevents += bitmap_weight(dev->relbit, REL_CNT);\n\n\t/* Make room for KEY and MSC events */\n\tevents += 7;\n\n\treturn events;\n}", "project": "linux", "hash": 322200725909428989142639671335241857748, "size": 32, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353379 }, { "func": "static int sctp_bind_add(struct sock *sk, struct sockaddr *addrs,\n\t\tint addrlen)\n{\n\tint err;\n\n\tlock_sock(sk);\n\terr = sctp_setsockopt_bindx(sk, addrs, addrlen, SCTP_BINDX_ADD_ADDR);\n\trelease_sock(sk);\n\treturn err;\n}", "project": "linux", "hash": 223221693962563678211110797544783556371, "size": 10, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398069 }, { "func": "static void shrink_halt_poll_ns(struct kvm_vcpu *vcpu)\n{\n\tunsigned int old, val, shrink;\n\n\told = val = vcpu->halt_poll_ns;\n\tshrink = READ_ONCE(halt_poll_ns_shrink);\n\tif (shrink == 0)\n\t\tval = 0;\n\telse\n\t\tval /= shrink;\n\n\tvcpu->halt_poll_ns = val;\n\ttrace_kvm_halt_poll_ns_shrink(vcpu->vcpu_id, val, old);\n}", "project": "linux", "hash": 290129643538394143302665340014264806352, "size": 14, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354826 }, { "func": "static void packet_parse_headers(struct sk_buff *skb, struct socket *sock)\n{\n\tif ((!skb->protocol || skb->protocol == htons(ETH_P_ALL)) &&\n\t sock->type == SOCK_RAW) {\n\t\tskb_reset_mac_header(skb);\n\t\tskb->protocol = 
dev_parse_header_protocol(skb);\n\t}\n\n\tskb_probe_transport_header(skb);\n}", "project": "linux", "hash": 206859008919858175765119271403059764030, "size": 10, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330422 }, { "func": "int bcf_hdr_set_samples(bcf_hdr_t *hdr, const char *samples, int is_file)\n{\n if ( samples && !strcmp(\"-\",samples) ) return 0; // keep all samples\n\n int i, narr = bit_array_size(bcf_hdr_nsamples(hdr));\n hdr->keep_samples = (uint8_t*) calloc(narr,1);\n if (!hdr->keep_samples) return -1;\n\n hdr->nsamples_ori = bcf_hdr_nsamples(hdr);\n if ( !samples )\n {\n // exclude all samples\n khint_t k;\n vdict_t *d = (vdict_t*)hdr->dict[BCF_DT_SAMPLE], *new_dict;\n new_dict = kh_init(vdict);\n if (!new_dict) return -1;\n\n bcf_hdr_nsamples(hdr) = 0;\n\n for (k = kh_begin(d); k != kh_end(d); ++k)\n if (kh_exist(d, k)) free((char*)kh_key(d, k));\n kh_destroy(vdict, d);\n hdr->dict[BCF_DT_SAMPLE] = new_dict;\n if (bcf_hdr_sync(hdr) < 0) return -1;\n\n return 0;\n }\n\n if ( samples[0]=='^' )\n for (i=0; ikeep_samples,i);\n\n int idx, n, ret = 0;\n char **smpls = hts_readlist(samples[0]=='^'?samples+1:samples, is_file, &n);\n if ( !smpls ) return -1;\n for (i=0; ikeep_samples, idx);\n else\n bit_array_set(hdr->keep_samples, idx);\n }\n for (i=0; insamples_ori; i++)\n if 
( bit_array_test(hdr->keep_samples,i) ) bcf_hdr_nsamples(hdr)++;\n\n if ( !bcf_hdr_nsamples(hdr) ) { free(hdr->keep_samples); hdr->keep_samples=NULL; }\n else\n {\n // Make new list and dictionary with desired samples\n char **samples = (char**) malloc(sizeof(char*)*bcf_hdr_nsamples(hdr));\n vdict_t *new_dict, *d;\n int k, res;\n if (!samples) return -1;\n\n new_dict = kh_init(vdict);\n if (!new_dict) {\n free(samples);\n return -1;\n }\n idx = 0;\n for (i=0; insamples_ori; i++) {\n if ( bit_array_test(hdr->keep_samples,i) ) {\n samples[idx] = hdr->samples[i];\n k = kh_put(vdict, new_dict, hdr->samples[i], &res);\n if (res < 0) {\n free(samples);\n kh_destroy(vdict, new_dict);\n return -1;\n }\n kh_val(new_dict, k) = bcf_idinfo_def;\n kh_val(new_dict, k).id = idx;\n idx++;\n }\n }\n\n // Delete desired samples from old dictionary, so we don't free them\n d = (vdict_t*)hdr->dict[BCF_DT_SAMPLE];\n for (i=0; i < idx; i++) {\n int k = kh_get(vdict, d, samples[i]);\n if (k < kh_end(d)) kh_del(vdict, d, k);\n }\n\n // Free everything else\n for (k = kh_begin(d); k != kh_end(d); ++k)\n if (kh_exist(d, k)) free((char*)kh_key(d, k));\n kh_destroy(vdict, d);\n hdr->dict[BCF_DT_SAMPLE] = new_dict;\n\n free(hdr->samples);\n hdr->samples = samples;\n\n if (bcf_hdr_sync(hdr) < 0)\n return -1;\n }\n\n return ret;\n}", "project": "htslib", "hash": 5124733939316110475696540828826835194, "size": 107, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402256 }, { "func": "static int __vcpu_run(struct kvm_vcpu *vcpu)\n{\n\tint rc, exit_reason;\n\tstruct sie_page *sie_page = (struct sie_page *)vcpu->arch.sie_block;\n\n\t/*\n\t * We try to hold kvm->srcu during most of vcpu_run (except when run-\n\t * ning the guest), so that memslots (and other stuff) are protected\n\t */\n\tvcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);\n\n\tdo {\n\t\trc = vcpu_pre_run(vcpu);\n\t\tif (rc)\n\t\t\tbreak;\n\n\t\tsrcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);\n\t\t/*\n\t\t * As PF_VCPU will be used in fault handler, between\n\t\t * guest_enter and guest_exit should be no uaccess.\n\t\t */\n\t\tlocal_irq_disable();\n\t\tguest_enter_irqoff();\n\t\t__disable_cpu_timer_accounting(vcpu);\n\t\tlocal_irq_enable();\n\t\tif (kvm_s390_pv_cpu_is_protected(vcpu)) {\n\t\t\tmemcpy(sie_page->pv_grregs,\n\t\t\t vcpu->run->s.regs.gprs,\n\t\t\t sizeof(sie_page->pv_grregs));\n\t\t}\n\t\texit_reason = sie64a(vcpu->arch.sie_block,\n\t\t\t\t vcpu->run->s.regs.gprs);\n\t\tif (kvm_s390_pv_cpu_is_protected(vcpu)) {\n\t\t\tmemcpy(vcpu->run->s.regs.gprs,\n\t\t\t sie_page->pv_grregs,\n\t\t\t sizeof(sie_page->pv_grregs));\n\t\t\t/*\n\t\t\t * We're not allowed to inject interrupts on intercepts\n\t\t\t * that leave the guest state in an \"in-between\" state\n\t\t\t * where the next SIE entry will do a continuation.\n\t\t\t * Fence interrupts in our \"internal\" PSW.\n\t\t\t */\n\t\t\tif (vcpu->arch.sie_block->icptcode == ICPT_PV_INSTR ||\n\t\t\t vcpu->arch.sie_block->icptcode == ICPT_PV_PREF) {\n\t\t\t\tvcpu->arch.sie_block->gpsw.mask &= 
~PSW_INT_MASK;\n\t\t\t}\n\t\t}\n\t\tlocal_irq_disable();\n\t\t__enable_cpu_timer_accounting(vcpu);\n\t\tguest_exit_irqoff();\n\t\tlocal_irq_enable();\n\t\tvcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);\n\n\t\trc = vcpu_post_run(vcpu, exit_reason);\n\t} while (!signal_pending(current) && !guestdbg_exit_pending(vcpu) && !rc);\n\n\tsrcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);\n\treturn rc;\n}", "project": "linux", "hash": 47151825157303228719533349633151363246, "size": 59, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354797 }, { "func": "static void fuse_iqueue_init(struct fuse_iqueue *fiq,\n\t\t\t const struct fuse_iqueue_ops *ops,\n\t\t\t void *priv)\n{\n\tmemset(fiq, 0, sizeof(struct fuse_iqueue));\n\tspin_lock_init(&fiq->lock);\n\tinit_waitqueue_head(&fiq->waitq);\n\tINIT_LIST_HEAD(&fiq->pending);\n\tINIT_LIST_HEAD(&fiq->interrupts);\n\tfiq->forget_list_tail = &fiq->forget_list_head;\n\tfiq->connected = 1;\n\tfiq->ops = ops;\n\tfiq->priv = priv;\n}", "project": "linux", "hash": 46445922705403331238007055033779936518, "size": 14, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342117 }, { "func": "static void gdImageTileApply (gdImagePtr im, int x, int y)\n{\n\tgdImagePtr tile = im->tile;\n\tint srcx, srcy;\n\tint p;\n\tif (!tile) {\n\t\treturn;\n\t}\n\tsrcx = x % gdImageSX(tile);\n\tsrcy = y % gdImageSY(tile);\n\tif (im->trueColor) {\n\t\tp = gdImageGetPixel(tile, srcx, srcy);\n\t\tif (p != gdImageGetTransparent (tile)) {\n\t\t\tif (!tile->trueColor) {\n\t\t\t\tp = gdTrueColorAlpha(tile->red[p], tile->green[p], tile->blue[p], tile->alpha[p]);\n\t\t\t}\n\t\t\tgdImageSetPixel(im, x, y, p);\n\t\t}\n\t} else {\n\t\tp = gdImageGetPixel(tile, srcx, srcy);\n\t\t/* Allow for transparency */\n\t\tif (p != gdImageGetTransparent(tile)) {\n\t\t\tif (tile->trueColor) {\n\t\t\t\t/* Truecolor tile. Very slow on a palette destination. 
*/\n\t\t\t\tgdImageSetPixel(im, x, y, gdImageColorResolveAlpha(im,\n\t\t\t\t\t\t\t\t\t\t\tgdTrueColorGetRed(p),\n\t\t\t\t\t\t\t\t\t\t\tgdTrueColorGetGreen(p),\n\t\t\t\t\t\t\t\t\t\t\tgdTrueColorGetBlue(p),\n\t\t\t\t\t\t\t\t\t\t\tgdTrueColorGetAlpha(p)));\n\t\t\t} else {\n\t\t\t\tgdImageSetPixel(im, x, y, im->tileColorMap[p]);\n\t\t\t}\n\t\t}\n\t}\n}", "project": "php-src", "hash": 306931785885693412991652931036785685351, "size": 35, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295128 }, { "func": "void mpol_free_shared_policy(struct shared_policy *p)\n{\n\tstruct sp_node *n;\n\tstruct rb_node *next;\n\n\tif (!p->root.rb_node)\n\t\treturn;\n\twrite_lock(&p->lock);\n\tnext = rb_first(&p->root);\n\twhile (next) {\n\t\tn = rb_entry(next, struct sp_node, nd);\n\t\tnext = rb_next(&n->nd);\n\t\tsp_delete(p, n);\n\t}\n\twrite_unlock(&p->lock);\n}", "project": "linux", "hash": 254029968395948433194864113203765777333, "size": 16, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366773 }, { "func": "static void prb_close_block(struct tpacket_kbdq_core *pkc1,\n\t\tstruct tpacket_block_desc *pbd1,\n\t\tstruct packet_sock *po, unsigned int stat)\n{\n\t__u32 status = TP_STATUS_USER | stat;\n\n\tstruct tpacket3_hdr *last_pkt;\n\tstruct tpacket_hdr_v1 *h1 = &pbd1->hdr.bh1;\n\tstruct sock *sk = &po->sk;\n\n\tif (atomic_read(&po->tp_drops))\n\t\tstatus |= TP_STATUS_LOSING;\n\n\tlast_pkt = (struct tpacket3_hdr *)pkc1->prev;\n\tlast_pkt->tp_next_offset = 0;\n\n\t/* Get the ts of the last pkt */\n\tif (BLOCK_NUM_PKTS(pbd1)) {\n\t\th1->ts_last_pkt.ts_sec = last_pkt->tp_sec;\n\t\th1->ts_last_pkt.ts_nsec\t= last_pkt->tp_nsec;\n\t} else {\n\t\t/* Ok, we tmo'd - so get the current time.\n\t\t *\n\t\t * It shouldn't really happen as we don't close empty\n\t\t * blocks. 
See prb_retire_rx_blk_timer_expired().\n\t\t */\n\t\tstruct timespec64 ts;\n\t\tktime_get_real_ts64(&ts);\n\t\th1->ts_last_pkt.ts_sec = ts.tv_sec;\n\t\th1->ts_last_pkt.ts_nsec\t= ts.tv_nsec;\n\t}\n\n\tsmp_wmb();\n\n\t/* Flush the block */\n\tprb_flush_block(pkc1, pbd1, status);\n\n\tsk->sk_data_ready(sk);\n\n\tpkc1->kactive_blk_num = GET_NEXT_PRB_BLK_NUM(pkc1);\n}", "project": "linux", "hash": 74632250379057635369598327511264695167, "size": 41, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330395 }, { "func": "gin::Handle WebContents::FromOrCreate(\n v8::Isolate* isolate,\n content::WebContents* web_contents) {\n auto existing = From(isolate, web_contents);\n if (!existing.IsEmpty())\n return existing;\n else\n return gin::CreateHandle(isolate, new WebContents(isolate, web_contents));\n}", "project": "electron", "hash": 128682095697451455344041110898070010736, "size": 9, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", 
"target": 0, "dataset": "other", "idx": 269758 }, { "func": "\nstatic int io_async_cancel_one(struct io_uring_task *tctx, u64 user_data,\n\t\t\t struct io_ring_ctx *ctx)\n{\n\tstruct io_cancel_data data = { .ctx = ctx, .user_data = user_data, };\n\tenum io_wq_cancel cancel_ret;\n\tint ret = 0;\n\n\tif (!tctx || !tctx->io_wq)\n\t\treturn -ENOENT;\n\n\tcancel_ret = io_wq_cancel_cb(tctx->io_wq, io_cancel_cb, &data, false);\n\tswitch (cancel_ret) {\n\tcase IO_WQ_CANCEL_OK:\n\t\tret = 0;\n\t\tbreak;\n\tcase IO_WQ_CANCEL_RUNNING:\n\t\tret = -EALREADY;\n\t\tbreak;\n\tcase IO_WQ_CANCEL_NOTFOUND:\n\t\tret = -ENOENT;\n\t\tbreak;\n\t}\n\n\treturn ret;", "project": "linux", "hash": 272307451335544927439348569151220588417, "size": 25, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338524 }, { "func": "static void nfs4_delegreturn_prepare(struct rpc_task *task, void *data)\n{\n\tstruct nfs4_delegreturndata *d_data;\n\tstruct pnfs_layout_hdr *lo;\n\n\td_data = (struct nfs4_delegreturndata *)data;\n\n\tif (!d_data->lr.roc && nfs4_wait_on_layoutreturn(d_data->inode, task)) {\n\t\tnfs4_sequence_done(task, &d_data->res.seq_res);\n\t\treturn;\n\t}\n\n\tlo = d_data->args.lr_args ? 
d_data->args.lr_args->layout : NULL;\n\tif (lo && !pnfs_layout_is_valid(lo)) {\n\t\td_data->args.lr_args = NULL;\n\t\td_data->res.lr_res = NULL;\n\t}\n\n\tnfs4_setup_sequence(d_data->res.server->nfs_client,\n\t\t\t&d_data->args.seq_args,\n\t\t\t&d_data->res.seq_res,\n\t\t\ttask);\n}", "project": "linux", "hash": 112290124111749052828363811760336635283, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431173 }, { "func": "R_API bool r_str_glob(const char* str, const char *glob) {\n const char* cp = NULL, *mp = NULL;\n if (!glob || !strcmp (glob, \"*\")) {\n return true;\n }\n if (!strchr (glob, '*')) {\n if (*glob == '^') {\n glob++;\n while (*str) {\n if (*glob != *str) {\n return false;\n }\n if (!*++glob) {\n return true;\n }\n str++;\n }\n } else {\n return strstr (str, glob) != NULL;\n }\n }\n if (*glob == '^') {\n glob++;\n }\n while (*str && (*glob != '*')) {\n if (*glob != *str) {\n return false;\n }\n glob++;\n str++;\n }\n while (*str) {\n if (*glob == '*') {\n if (!*++glob) {\n return true;\n }\n mp = glob;\n cp = str + 1;\n } else if (*glob == *str) {\n glob++;\n str++;\n } else {\n glob = mp;\n str = cp++;\n }\n }\n while (*glob == '*') {\n ++glob;\n }\n return (*glob == '\\x00');\n}", "project": "radare2", "hash": 133697011603981100012536836551093294381, "size": 51, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* 
r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269056 }, { "func": "static int sctp_setsockopt_ecn_supported(struct sock *sk,\n\t\t\t\t\t struct sctp_assoc_value *params,\n\t\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_association *asoc;\n\tint retval = -EINVAL;\n\n\tif (optlen != sizeof(*params))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params->assoc_id);\n\tif (!asoc && params->assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\tgoto out;\n\n\tsctp_sk(sk)->ep->ecn_enable = !!params->assoc_value;\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 228481333669567276916429633104670236590, "size": 21, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398060 }, { "func": "static int hw_perf_cache_event(u64 config, u64 *eventp)\n{\n\tunsigned long type, op, result;\n\tu64 ev;\n\n\tif (!ppmu->cache_events)\n\t\treturn -EINVAL;\n\n\t/* unpack config */\n\ttype = config & 0xff;\n\top = (config >> 8) & 0xff;\n\tresult = (config >> 16) & 0xff;\n\n\tif (type >= PERF_COUNT_HW_CACHE_MAX ||\n\t op >= PERF_COUNT_HW_CACHE_OP_MAX ||\n\t result >= PERF_COUNT_HW_CACHE_RESULT_MAX)\n\t\treturn -EINVAL;\n\n\tev = (*ppmu->cache_events)[type][op][result];\n\tif (ev == 0)\n\t\treturn -EOPNOTSUPP;\n\tif (ev == -1)\n\t\treturn -EINVAL;\n\t*eventp = ev;\n\treturn 0;\n}", "project": "linux", "hash": 65451487626710947284761335278876305314, "size": 26, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 
(unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374745 }, { "func": " SparseHybridFullyConnectedTask(\n TfLiteContext* context, TfLiteNode* node,\n TfLiteFullyConnectedParams* params, OpData* data,\n const TfLiteTensor* input, const TfLiteTensor* filter,\n const TfLiteTensor* bias, const int thread_start, const int thread_end,\n TfLiteTensor* input_quantized, TfLiteTensor* scaling_factors,\n TfLiteTensor* accum_scratch, TfLiteTensor* row_sums,\n TfLiteTensor* input_offsets, TfLiteTensor* output)\n : context(context),\n node(node),\n params(params),\n data(data),\n input(input),\n filter(filter),\n bias(bias),\n thread_start(thread_start),\n thread_end(thread_end),\n input_quantized(input_quantized),\n scaling_factors(scaling_factors),\n accum_scratch(accum_scratch),\n row_sums(row_sums),\n input_offsets(input_offsets),\n output(output) {}", "project": "tensorflow", "hash": 285264330120618665310171198681428688283, "size": 23, "commit_id": "6c0b2b70eeee588591680f5b7d5d38175fd7cdf6", "message": "[lite] add validation check for sparse fully connected\n\nPiperOrigin-RevId: 
417629354\nChange-Id: If96171c4bd4f5fdb01d6368d6deab19d1c9beca7", "target": 0, "dataset": "other", "idx": 220479 }, { "func": "static void ov518_mode_init_regs(struct sd *sd)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint hsegs, vsegs, packet_size;\n\tstruct usb_host_interface *alt;\n\tstruct usb_interface *intf;\n\n\tintf = usb_ifnum_to_if(sd->gspca_dev.dev, sd->gspca_dev.iface);\n\talt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt);\n\tif (!alt) {\n\t\tgspca_err(gspca_dev, \"Couldn't get altsetting\\n\");\n\t\tsd->gspca_dev.usb_err = -EIO;\n\t\treturn;\n\t}\n\n\tpacket_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);\n\tov518_reg_w32(sd, R51x_FIFO_PSIZE, packet_size & ~7, 2);\n\n\t/******** Set the mode ********/\n\treg_w(sd, 0x2b, 0);\n\treg_w(sd, 0x2c, 0);\n\treg_w(sd, 0x2d, 0);\n\treg_w(sd, 0x2e, 0);\n\treg_w(sd, 0x3b, 0);\n\treg_w(sd, 0x3c, 0);\n\treg_w(sd, 0x3d, 0);\n\treg_w(sd, 0x3e, 0);\n\n\tif (sd->bridge == BRIDGE_OV518) {\n\t\t/* Set 8-bit (YVYU) input format */\n\t\treg_w_mask(sd, 0x20, 0x08, 0x08);\n\n\t\t/* Set 12-bit (4:2:0) output format */\n\t\treg_w_mask(sd, 0x28, 0x80, 0xf0);\n\t\treg_w_mask(sd, 0x38, 0x80, 0xf0);\n\t} else {\n\t\treg_w(sd, 0x28, 0x80);\n\t\treg_w(sd, 0x38, 0x80);\n\t}\n\n\thsegs = sd->gspca_dev.pixfmt.width / 16;\n\tvsegs = sd->gspca_dev.pixfmt.height / 4;\n\n\treg_w(sd, 0x29, hsegs);\n\treg_w(sd, 0x2a, vsegs);\n\n\treg_w(sd, 0x39, hsegs);\n\treg_w(sd, 0x3a, vsegs);\n\n\t/* Windows driver does this here; who knows why */\n\treg_w(sd, 0x2f, 0x80);\n\n\t/******** Set the framerate ********/\n\tif (sd->bridge == BRIDGE_OV518PLUS && sd->revision == 0 &&\n\t\t\t\t\t sd->sensor == SEN_OV7620AE)\n\t\tsd->clockdiv = 0;\n\telse\n\t\tsd->clockdiv = 1;\n\n\t/* Mode independent, but framerate dependent, regs */\n\t/* 0x51: Clock divider; Only works on some cams which use 2 crystals */\n\treg_w(sd, 0x51, 0x04);\n\treg_w(sd, 0x22, 0x18);\n\treg_w(sd, 0x23, 0xff);\n\n\tif (sd->bridge == BRIDGE_OV518PLUS) 
{\n\t\tswitch (sd->sensor) {\n\t\tcase SEN_OV7620AE:\n\t\t\t/*\n\t\t\t * HdG: 640x480 needs special handling on device\n\t\t\t * revision 2, we check for device revision > 0 to\n\t\t\t * avoid regressions, as we don't know the correct\n\t\t\t * thing todo for revision 1.\n\t\t\t *\n\t\t\t * Also this likely means we don't need to\n\t\t\t * differentiate between the OV7620 and OV7620AE,\n\t\t\t * earlier testing hitting this same problem likely\n\t\t\t * happened to be with revision < 2 cams using an\n\t\t\t * OV7620 and revision 2 cams using an OV7620AE.\n\t\t\t */\n\t\t\tif (sd->revision > 0 &&\n\t\t\t\t\tsd->gspca_dev.pixfmt.width == 640) {\n\t\t\t\treg_w(sd, 0x20, 0x60);\n\t\t\t\treg_w(sd, 0x21, 0x1f);\n\t\t\t} else {\n\t\t\t\treg_w(sd, 0x20, 0x00);\n\t\t\t\treg_w(sd, 0x21, 0x19);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase SEN_OV7620:\n\t\t\treg_w(sd, 0x20, 0x00);\n\t\t\treg_w(sd, 0x21, 0x19);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treg_w(sd, 0x21, 0x19);\n\t\t}\n\t} else\n\t\treg_w(sd, 0x71, 0x17);\t/* Compression-related? */\n\n\t/* FIXME: Sensor-specific */\n\t/* Bit 5 is what matters here. 
Of course, it is \"reserved\" */\n\ti2c_w(sd, 0x54, 0x23);\n\n\treg_w(sd, 0x2f, 0x80);\n\n\tif (sd->bridge == BRIDGE_OV518PLUS) {\n\t\treg_w(sd, 0x24, 0x94);\n\t\treg_w(sd, 0x25, 0x90);\n\t\tov518_reg_w32(sd, 0xc4, 400, 2);\t/* 190h */\n\t\tov518_reg_w32(sd, 0xc6, 540, 2);\t/* 21ch */\n\t\tov518_reg_w32(sd, 0xc7, 540, 2);\t/* 21ch */\n\t\tov518_reg_w32(sd, 0xc8, 108, 2);\t/* 6ch */\n\t\tov518_reg_w32(sd, 0xca, 131098, 3);\t/* 2001ah */\n\t\tov518_reg_w32(sd, 0xcb, 532, 2);\t/* 214h */\n\t\tov518_reg_w32(sd, 0xcc, 2400, 2);\t/* 960h */\n\t\tov518_reg_w32(sd, 0xcd, 32, 2);\t/* 20h */\n\t\tov518_reg_w32(sd, 0xce, 608, 2);\t/* 260h */\n\t} else {\n\t\treg_w(sd, 0x24, 0x9f);\n\t\treg_w(sd, 0x25, 0x90);\n\t\tov518_reg_w32(sd, 0xc4, 400, 2);\t/* 190h */\n\t\tov518_reg_w32(sd, 0xc6, 381, 2);\t/* 17dh */\n\t\tov518_reg_w32(sd, 0xc7, 381, 2);\t/* 17dh */\n\t\tov518_reg_w32(sd, 0xc8, 128, 2);\t/* 80h */\n\t\tov518_reg_w32(sd, 0xca, 183331, 3);\t/* 2cc23h */\n\t\tov518_reg_w32(sd, 0xcb, 746, 2);\t/* 2eah */\n\t\tov518_reg_w32(sd, 0xcc, 1750, 2);\t/* 6d6h */\n\t\tov518_reg_w32(sd, 0xcd, 45, 2);\t/* 2dh */\n\t\tov518_reg_w32(sd, 0xce, 851, 2);\t/* 353h */\n\t}\n\n\treg_w(sd, 0x2f, 0x80);\n}", "project": "linux", "hash": 263247290990414325966345455466875763387, "size": 133, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil 
\nSigned-off-by: Mauro Carvalho Chehab ", "target": 1, "dataset": "other", "idx": 200622 }, { "func": "static void ov518_mode_init_regs(struct sd *sd)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint hsegs, vsegs, packet_size;\n\tstruct usb_host_interface *alt;\n\tstruct usb_interface *intf;\n\n\tintf = usb_ifnum_to_if(sd->gspca_dev.dev, sd->gspca_dev.iface);\n\talt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt);\n\tif (!alt) {\n\t\tgspca_err(gspca_dev, \"Couldn't get altsetting\\n\");\n\t\tsd->gspca_dev.usb_err = -EIO;\n\t\treturn;\n\t}\n\n\tif (alt->desc.bNumEndpoints < 1) {\n\t\tsd->gspca_dev.usb_err = -ENODEV;\n\t\treturn;\n\t}\n\n\tpacket_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);\n\tov518_reg_w32(sd, R51x_FIFO_PSIZE, packet_size & ~7, 2);\n\n\t/******** Set the mode ********/\n\treg_w(sd, 0x2b, 0);\n\treg_w(sd, 0x2c, 0);\n\treg_w(sd, 0x2d, 0);\n\treg_w(sd, 0x2e, 0);\n\treg_w(sd, 0x3b, 0);\n\treg_w(sd, 0x3c, 0);\n\treg_w(sd, 0x3d, 0);\n\treg_w(sd, 0x3e, 0);\n\n\tif (sd->bridge == BRIDGE_OV518) {\n\t\t/* Set 8-bit (YVYU) input format */\n\t\treg_w_mask(sd, 0x20, 0x08, 0x08);\n\n\t\t/* Set 12-bit (4:2:0) output format */\n\t\treg_w_mask(sd, 0x28, 0x80, 0xf0);\n\t\treg_w_mask(sd, 0x38, 0x80, 0xf0);\n\t} else {\n\t\treg_w(sd, 0x28, 0x80);\n\t\treg_w(sd, 0x38, 0x80);\n\t}\n\n\thsegs = sd->gspca_dev.pixfmt.width / 16;\n\tvsegs = sd->gspca_dev.pixfmt.height / 4;\n\n\treg_w(sd, 0x29, hsegs);\n\treg_w(sd, 0x2a, vsegs);\n\n\treg_w(sd, 0x39, hsegs);\n\treg_w(sd, 0x3a, vsegs);\n\n\t/* Windows driver does this here; who knows why */\n\treg_w(sd, 0x2f, 0x80);\n\n\t/******** Set the framerate ********/\n\tif (sd->bridge == BRIDGE_OV518PLUS && sd->revision == 0 &&\n\t\t\t\t\t sd->sensor == SEN_OV7620AE)\n\t\tsd->clockdiv = 0;\n\telse\n\t\tsd->clockdiv = 1;\n\n\t/* Mode independent, but framerate dependent, regs */\n\t/* 0x51: Clock divider; Only works on some cams which use 2 crystals */\n\treg_w(sd, 0x51, 0x04);\n\treg_w(sd, 0x22, 
0x18);\n\treg_w(sd, 0x23, 0xff);\n\n\tif (sd->bridge == BRIDGE_OV518PLUS) {\n\t\tswitch (sd->sensor) {\n\t\tcase SEN_OV7620AE:\n\t\t\t/*\n\t\t\t * HdG: 640x480 needs special handling on device\n\t\t\t * revision 2, we check for device revision > 0 to\n\t\t\t * avoid regressions, as we don't know the correct\n\t\t\t * thing todo for revision 1.\n\t\t\t *\n\t\t\t * Also this likely means we don't need to\n\t\t\t * differentiate between the OV7620 and OV7620AE,\n\t\t\t * earlier testing hitting this same problem likely\n\t\t\t * happened to be with revision < 2 cams using an\n\t\t\t * OV7620 and revision 2 cams using an OV7620AE.\n\t\t\t */\n\t\t\tif (sd->revision > 0 &&\n\t\t\t\t\tsd->gspca_dev.pixfmt.width == 640) {\n\t\t\t\treg_w(sd, 0x20, 0x60);\n\t\t\t\treg_w(sd, 0x21, 0x1f);\n\t\t\t} else {\n\t\t\t\treg_w(sd, 0x20, 0x00);\n\t\t\t\treg_w(sd, 0x21, 0x19);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase SEN_OV7620:\n\t\t\treg_w(sd, 0x20, 0x00);\n\t\t\treg_w(sd, 0x21, 0x19);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treg_w(sd, 0x21, 0x19);\n\t\t}\n\t} else\n\t\treg_w(sd, 0x71, 0x17);\t/* Compression-related? */\n\n\t/* FIXME: Sensor-specific */\n\t/* Bit 5 is what matters here. 
Of course, it is \"reserved\" */\n\ti2c_w(sd, 0x54, 0x23);\n\n\treg_w(sd, 0x2f, 0x80);\n\n\tif (sd->bridge == BRIDGE_OV518PLUS) {\n\t\treg_w(sd, 0x24, 0x94);\n\t\treg_w(sd, 0x25, 0x90);\n\t\tov518_reg_w32(sd, 0xc4, 400, 2);\t/* 190h */\n\t\tov518_reg_w32(sd, 0xc6, 540, 2);\t/* 21ch */\n\t\tov518_reg_w32(sd, 0xc7, 540, 2);\t/* 21ch */\n\t\tov518_reg_w32(sd, 0xc8, 108, 2);\t/* 6ch */\n\t\tov518_reg_w32(sd, 0xca, 131098, 3);\t/* 2001ah */\n\t\tov518_reg_w32(sd, 0xcb, 532, 2);\t/* 214h */\n\t\tov518_reg_w32(sd, 0xcc, 2400, 2);\t/* 960h */\n\t\tov518_reg_w32(sd, 0xcd, 32, 2);\t/* 20h */\n\t\tov518_reg_w32(sd, 0xce, 608, 2);\t/* 260h */\n\t} else {\n\t\treg_w(sd, 0x24, 0x9f);\n\t\treg_w(sd, 0x25, 0x90);\n\t\tov518_reg_w32(sd, 0xc4, 400, 2);\t/* 190h */\n\t\tov518_reg_w32(sd, 0xc6, 381, 2);\t/* 17dh */\n\t\tov518_reg_w32(sd, 0xc7, 381, 2);\t/* 17dh */\n\t\tov518_reg_w32(sd, 0xc8, 128, 2);\t/* 80h */\n\t\tov518_reg_w32(sd, 0xca, 183331, 3);\t/* 2cc23h */\n\t\tov518_reg_w32(sd, 0xcb, 746, 2);\t/* 2eah */\n\t\tov518_reg_w32(sd, 0xcc, 1750, 2);\t/* 6d6h */\n\t\tov518_reg_w32(sd, 0xcd, 45, 2);\t/* 2dh */\n\t\tov518_reg_w32(sd, 0xce, 851, 2);\t/* 353h */\n\t}\n\n\treg_w(sd, 0x2f, 0x80);\n}", "project": "linux", "hash": 205218704415973742418430089136769528517, "size": 138, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil 
\nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306292 }, { "func": "CallResult proxyOpFlags(\n Runtime *runtime,\n PropOpFlags opFlags,\n const char *msg,\n CallResult res) {\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n if (!*res && opFlags.getThrowOnError()) {\n return runtime->raiseTypeError(msg);\n }\n return res;\n}", "project": "hermes", "hash": 164476373757396595450187342876154899452, "size": 13, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230242 }, { "func": "bool JOIN::prepare_stage2()\n{\n bool res= TRUE;\n DBUG_ENTER(\"JOIN::prepare_stage2\");\n\n /* Init join struct */\n count_field_types(select_lex, &tmp_table_param, all_fields, 0);\n this->group= group_list != 0;\n\n if (tmp_table_param.sum_func_count && !group_list)\n {\n implicit_grouping= TRUE;\n // Result will contain zero or one row - ordering is meaningless\n order= NULL;\n }\n\n#ifdef RESTRICTED_GROUP\n if (implicit_grouping)\n {\n my_message(ER_WRONG_SUM_SELECT,ER_THD(thd, ER_WRONG_SUM_SELECT),MYF(0));\n goto err;\n }\n#endif\n if (select_lex->olap == ROLLUP_TYPE && rollup_init())\n goto err;\n if (alloc_func_list())\n goto err;\n\n res= FALSE;\nerr:\n 
DBUG_RETURN(res);\t\t\t\t/* purecov: inspected */\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 169062288885918560523487388764674238467, "size": 32, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508487 }, { "func": "static int unlock_futex_pi(u32 __user *uaddr, u32 uval)\n{\n\tu32 oldval;\n\n\t/*\n\t * There is no waiter, so we unlock the futex. The owner died\n\t * bit has not to be preserved here. 
We are the owner:\n\t */\n\toldval = cmpxchg_futex_value_locked(uaddr, uval, 0);\n\n\tif (oldval == -EFAULT)\n\t\treturn oldval;\n\tif (oldval != uval)\n\t\treturn -EAGAIN;\n\n\treturn 0;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 234532365493921505331994751545894498890, "size": 17, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492295 }, { "func": "void h2_stream_dispatch(h2_stream *stream, h2_stream_event_t ev)\n{\n int new_state;\n \n ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, stream->session->c,\n H2_STRM_MSG(stream, \"dispatch event %d\"), ev);\n new_state = on_event(stream, ev);\n if (new_state < 0) {\n ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, stream->session->c, \n H2_STRM_LOG(APLOGNO(10002), stream, \"invalid event %d\"), ev);\n on_state_invalid(stream);\n AP_DEBUG_ASSERT(new_state > S_XXX);\n return;\n }\n else if (new_state == stream->state) {\n /* nop */\n ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, stream->session->c,\n H2_STRM_MSG(stream, \"non-state event %d\"), ev);\n return;\n }\n else {\n on_state_event(stream, ev);\n transit(stream, new_state);\n }\n}", "project": "httpd", "hash": 298874725384815621451193809879536502559, "size": 25, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284268 }, { "func": "static uint make_join_orderinfo(JOIN *join)\n{\n /*\n This function needs to be fixed to take into account that we now have SJM\n nests.\n */\n 
DBUG_ASSERT(0);\n\n JOIN_TAB *tab;\n if (join->need_tmp)\n return join->table_count;\n tab= join->get_sort_by_join_tab();\n return tab ? (uint)(tab-join->join_tab) : join->table_count;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 283902594194436581319613644176353241573, "size": 14, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508619 }, { "func": "int pfkey_sockaddr_extract(const struct sockaddr *sa, xfrm_address_t *xaddr)\n{\n\tswitch (sa->sa_family) {\n\tcase AF_INET:\n\t\txaddr->a4 =\n\t\t\t((struct sockaddr_in *)sa)->sin_addr.s_addr;\n\t\treturn AF_INET;\n#if IS_ENABLED(CONFIG_IPV6)\n\tcase AF_INET6:\n\t\tmemcpy(xaddr->a6,\n\t\t &((struct sockaddr_in6 *)sa)->sin6_addr,\n\t\t sizeof(struct in6_addr));\n\t\treturn AF_INET6;\n#endif\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 205508890766411838186112663960709604084, "size": 17, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268016 }, { "func": "static size_t longest_common_prefix(char *dest, const char *src, size_t start, size_t dlen)\n{\n size_t pos = start;\n\n while ((pos < dlen) && dest[pos] && (dest[pos] == src[pos]))\n pos++;\n dest[pos] = '\\0';\n\n return pos;\n}", "project": "neomutt", "hash": 305505699727179552014740499544964711067, "size": 10, "commit_id": "9c36717a3e2af1f2c1b7242035455ec8112b4b06", "message": "imap: close connection on all failures\n\nThanks to Gabriel Salles-Loustau for spotting the problem.\n\nCo-authored-by: Kevin McCarthy ", "target": 0, "dataset": "other", "idx": 357043 }, { "func": "HttpStateData::continueAfterParsingHeader()\n{\n if (flags.handling1xx) {\n debugs(11, 5, HERE << \"wait for 1xx handling\");\n Must(!flags.headers_parsed);\n return false;\n }\n\n if (!flags.headers_parsed && !eof) {\n debugs(11, 9, \"needs more at \" << inBuf.length());\n flags.do_next_read = true;\n /** \\retval false If we have not finished parsing the headers and may get more data.\n * Schedules more reads to retrieve the missing data.\n */\n maybeReadVirginBody(); // schedules all kinds of reads; TODO: rename\n return false;\n }\n\n /** If we are done with parsing, check for errors */\n\n err_type error = ERR_NONE;\n\n if (flags.headers_parsed) { // parsed headers, possibly with errors\n // check for header parsing errors\n if (HttpReply *vrep = virginReply()) {\n const Http::StatusCode s = vrep->sline.status();\n const AnyP::ProtocolVersion &v = vrep->sline.version;\n if (s == Http::scInvalidHeader && v != Http::ProtocolVersion(0,9)) {\n debugs(11, DBG_IMPORTANT, \"WARNING: HTTP: Invalid Response: Bad header encountered from \" << entry->url() << \" AKA \" << request->url);\n error = ERR_INVALID_RESP;\n } else 
if (s == Http::scHeaderTooLarge) {\n fwd->dontRetry(true);\n error = ERR_TOO_BIG;\n } else if (vrep->header.conflictingContentLength()) {\n fwd->dontRetry(true);\n error = ERR_INVALID_RESP;\n } else if (vrep->header.unsupportedTe()) {\n fwd->dontRetry(true);\n error = ERR_INVALID_RESP;\n } else {\n return true; // done parsing, got reply, and no error\n }\n } else {\n // parsed headers but got no reply\n debugs(11, DBG_IMPORTANT, \"WARNING: HTTP: Invalid Response: No reply at all for \" << entry->url() << \" AKA \" << request->url);\n error = ERR_INVALID_RESP;\n }\n } else {\n assert(eof);\n if (inBuf.length()) {\n error = ERR_INVALID_RESP;\n debugs(11, DBG_IMPORTANT, \"WARNING: HTTP: Invalid Response: Headers did not parse at all for \" << entry->url() << \" AKA \" << request->url);\n } else {\n error = ERR_ZERO_SIZE_OBJECT;\n debugs(11, (request->flags.accelerated?DBG_IMPORTANT:2), \"WARNING: HTTP: Invalid Response: No object data received for \" << entry->url() << \" AKA \" << request->url);\n }\n }\n\n assert(error != ERR_NONE);\n entry->reset();\n fwd->fail(new ErrorState(error, Http::scBadGateway, fwd->request));\n flags.do_next_read = false;\n closeServer();\n mustStop(\"HttpStateData::continueAfterParsingHeader\");\n return false; // quit on error\n}", "project": "squid", "hash": 61435160596382069929986498877866599639, "size": 66, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402384 }, { "func": "static int copy_tiles(int tx, int ty, int nt) {\n\tint x, y, line;\n\tint size_x, size_y, width1, width2;\n\tint off, len, n, dw, dx, t;\n\tint w1, w2, dx1, dx2;\t/* tmps for normal and short tiles */\n\tint pixelsize = bpp/8;\n\tint first_min, last_max;\n\tint first_x = -1, last_x = -1;\n\tstatic int prev_ntiles_x = -1;\n\n\tchar *src, *dst, *s_src, *s_dst, *m_src, *m_dst;\n\tchar *h_src, *h_dst;\n\tif (unixpw_in_progress) return 0;\n\n\tif (ntiles_x != prev_ntiles_x && first_line != NULL) {\n\t\tfree(first_line);\tfirst_line = NULL;\n\t\tfree(last_line);\tlast_line = NULL;\n\t\tfree(left_diff);\tleft_diff = NULL;\n\t\tfree(right_diff);\tright_diff = NULL;\n\t}\n\n\tif (first_line == NULL) {\n\t\t/* allocate arrays first time in. 
*/\n\t\tint n = ntiles_x + 1;\n\t\trfbLog(\"copy_tiles: allocating first_line at size %d\\n\", n);\n\t\tfirst_line = (int *) malloc((size_t) (n * sizeof(int)));\n\t\tlast_line = (int *) malloc((size_t) (n * sizeof(int)));\n\t\tleft_diff = (unsigned short *)\n\t\t\tmalloc((size_t) (n * sizeof(unsigned short)));\n\t\tright_diff = (unsigned short *)\n\t\t\tmalloc((size_t) (n * sizeof(unsigned short)));\n\t}\n\tprev_ntiles_x = ntiles_x;\n\n\tx = tx * tile_x;\n\ty = ty * tile_y;\n\n\tsize_x = dpy_x - x;\n\tif ( size_x > tile_x * nt ) {\n\t\tsize_x = tile_x * nt;\n\t\twidth1 = tile_x;\n\t\twidth2 = tile_x;\n\t} else {\n\t\t/* short tile */\n\t\twidth1 = tile_x;\t/* internal tile */\n\t\twidth2 = size_x - (nt - 1) * tile_x;\t/* right hand tile */\n\t}\n\n\tsize_y = dpy_y - y;\n\tif ( size_y > tile_y ) {\n\t\tsize_y = tile_y;\n\t}\n\n\tn = tx + ty * ntiles_x;\t\t/* number of the first tile */\n\n\tif (blackouts && tile_blackout[n].cover == 2) {\n\t\t/*\n\t\t * If there are blackouts and this tile is completely covered\n\t\t * no need to poll screen or do anything else..\n\t\t * n.b. we are in single copy_tile mode: nt=1\n\t\t */\n\t\ttile_has_diff[n] = 0;\n\t\treturn(0);\n\t}\n\n\tX_LOCK;\n\tXRANDR_SET_TRAP_RET(-1, \"copy_tile-set\");\n\t/* read in the whole tile run at once: */\n\tcopy_image(tile_row[nt], x, y, size_x, size_y);\n\tXRANDR_CHK_TRAP_RET(-1, \"copy_tile-chk\");\n\n\n\tX_UNLOCK;\n\n\tif (blackouts && tile_blackout[n].cover == 1) {\n\t\t/*\n\t\t * If there are blackouts and this tile is partially covered\n\t\t * we should re-black-out the portion.\n\t\t * n.b. 
we are in single copy_tile mode: nt=1\n\t\t */\n\t\tint x1, x2, y1, y2, b;\n\t\tint w, s, fill = 0;\n\n\t\tfor (b=0; b < tile_blackout[n].count; b++) {\n\t\t\tchar *b_dst = tile_row[nt]->data;\n\t\t\t\n\t\t\tx1 = tile_blackout[n].bo[b].x1 - x;\n\t\t\ty1 = tile_blackout[n].bo[b].y1 - y;\n\t\t\tx2 = tile_blackout[n].bo[b].x2 - x;\n\t\t\ty2 = tile_blackout[n].bo[b].y2 - y;\n\n\t\t\tw = (x2 - x1) * pixelsize;\n\t\t\ts = x1 * pixelsize;\n\n\t\t\tfor (line = 0; line < size_y; line++) {\n\t\t\t\tif (y1 <= line && line < y2) {\n\t\t\t\t\tmemset(b_dst + s, fill, (size_t) w);\n\t\t\t\t}\n\t\t\t\tb_dst += tile_row[nt]->bytes_per_line;\n\t\t\t}\n\t\t}\n\t}\n\n\tsrc = tile_row[nt]->data;\n\tdst = main_fb + y * main_bytes_per_line + x * pixelsize;\n\n\ts_src = src;\n\ts_dst = dst;\n\n\tfor (t=1; t <= nt; t++) {\n\t\tfirst_line[t] = -1;\n\t}\n\n\t/* find the first line with difference: */\n\tw1 = width1 * pixelsize;\n\tw2 = width2 * pixelsize;\n\n\t/* foreach line: */\n\tfor (line = 0; line < size_y; line++) {\n\t\t/* foreach horizontal tile: */\n\t\tfor (t=1; t <= nt; t++) {\n\t\t\tif (first_line[t] != -1) {\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\toff = (t-1) * w1;\n\t\t\tif (t == nt) {\n\t\t\t\tlen = w2;\t/* possible short tile */\n\t\t\t} else {\n\t\t\t\tlen = w1;\n\t\t\t}\n\t\t\t\n\t\t\tif (memcmp(s_dst + off, s_src + off, len)) {\n\t\t\t\tfirst_line[t] = line;\n\t\t\t}\n\t\t}\n\t\ts_src += tile_row[nt]->bytes_per_line;\n\t\ts_dst += main_bytes_per_line;\n\t}\n\n\t/* see if there were any differences for any tile: */\n\tfirst_min = -1;\n\tfor (t=1; t <= nt; t++) {\n\t\ttile_tried[n+(t-1)] = 1;\n\t\tif (first_line[t] != -1) {\n\t\t\tif (first_min == -1 || first_line[t] < first_min) {\n\t\t\t\tfirst_min = first_line[t];\n\t\t\t}\n\t\t}\n\t}\n\tif (first_min == -1) {\n\t\t/* no tile has a difference, note this and get out: */\n\t\tfor (t=1; t <= nt; t++) {\n\t\t\ttile_has_diff[n+(t-1)] = 0;\n\t\t}\n\t\treturn(0);\n\t} else {\n\t\t/*\n\t\t * at least one tile has a difference. 
make sure info\n\t\t * is recorded (e.g. sometimes we guess tiles and they\n\t\t * came in with tile_has_diff 0)\n\t\t */\n\t\tfor (t=1; t <= nt; t++) {\n\t\t\tif (first_line[t] == -1) {\n\t\t\t\ttile_has_diff[n+(t-1)] = 0;\n\t\t\t} else {\n\t\t\t\ttile_has_diff[n+(t-1)] = 1;\n\t\t\t}\n\t\t}\n\t}\n\n\tm_src = src + (tile_row[nt]->bytes_per_line * size_y);\n\tm_dst = dst + (main_bytes_per_line * size_y);\n\n\tfor (t=1; t <= nt; t++) {\n\t\tlast_line[t] = first_line[t];\n\t}\n\n\t/* find the last line with difference: */\n\tw1 = width1 * pixelsize;\n\tw2 = width2 * pixelsize;\n\n\t/* foreach line: */\n\tfor (line = size_y - 1; line > first_min; line--) {\n\n\t\tm_src -= tile_row[nt]->bytes_per_line;\n\t\tm_dst -= main_bytes_per_line;\n\n\t\t/* foreach tile: */\n\t\tfor (t=1; t <= nt; t++) {\n\t\t\tif (first_line[t] == -1\n\t\t\t || last_line[t] != first_line[t]) {\n\t\t\t\t/* tile has no changes or already done */\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\toff = (t-1) * w1;\n\t\t\tif (t == nt) {\n\t\t\t\tlen = w2;\t/* possible short tile */\n\t\t\t} else {\n\t\t\t\tlen = w1;\n\t\t\t}\n\t\t\tif (memcmp(m_dst + off, m_src + off, len)) {\n\t\t\t\tlast_line[t] = line;\n\t\t\t}\n\t\t}\n\t}\n\t\n\t/*\n\t * determine the farthest down last changed line\n\t * will be used below to limit our memcpy() to the framebuffer.\n\t */\n\tlast_max = -1;\n\tfor (t=1; t <= nt; t++) {\n\t\tif (first_line[t] == -1) {\n\t\t\tcontinue;\n\t\t}\n\t\tif (last_max == -1 || last_line[t] > last_max) {\n\t\t\tlast_max = last_line[t];\n\t\t}\n\t}\n\n\t/* look for differences on left and right hand edges: */\n\tfor (t=1; t <= nt; t++) {\n\t\tleft_diff[t] = 0;\n\t\tright_diff[t] = 0;\n\t}\n\n\th_src = src;\n\th_dst = dst;\n\n\tw1 = width1 * pixelsize;\n\tw2 = width2 * pixelsize;\n\n\tdx1 = (width1 - tile_fuzz) * pixelsize;\n\tdx2 = (width2 - tile_fuzz) * pixelsize;\n\tdw = tile_fuzz * pixelsize; \n\n\t/* foreach line: */\n\tfor (line = 0; line < size_y; line++) {\n\t\t/* foreach tile: */\n\t\tfor (t=1; t 
<= nt; t++) {\n\t\t\tif (first_line[t] == -1) {\n\t\t\t\t/* tile has no changes at all */\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\toff = (t-1) * w1;\n\t\t\tif (t == nt) {\n\t\t\t\tdx = dx2;\t/* possible short tile */\n\t\t\t\tif (dx <= 0) {\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tdx = dx1;\n\t\t\t}\n\n\t\t\tif (! left_diff[t] && memcmp(h_dst + off,\n\t\t\t h_src + off, dw)) {\n\t\t\t\tleft_diff[t] = 1;\n\t\t\t}\n\t\t\tif (! right_diff[t] && memcmp(h_dst + off + dx,\n\t\t\t h_src + off + dx, dw) ) {\n\t\t\t\tright_diff[t] = 1;\n\t\t\t}\n\t\t}\n\t\th_src += tile_row[nt]->bytes_per_line;\n\t\th_dst += main_bytes_per_line;\n\t}\n\n\t/* now finally copy the difference to the rfb framebuffer: */\n\ts_src = src + tile_row[nt]->bytes_per_line * first_min;\n\ts_dst = dst + main_bytes_per_line * first_min;\n\n\tfor (line = first_min; line <= last_max; line++) {\n\t\t/* for I/O speed we do not do this tile by tile */\n\t\tmemcpy(s_dst, s_src, size_x * pixelsize);\n\t\tif (nt == 1) {\n\t\t\t/*\n\t\t\t * optimization for tall skinny lines, e.g. wm\n\t\t\t * frame. try to find first_x and last_x to limit\n\t\t\t * the size of the hint. could help for a slow\n\t\t\t * link. Unfortunately we spent a lot of time\n\t\t\t * reading in the many tiles.\n\t\t\t *\n\t\t\t * BTW, we like to think the above memcpy leaves\n\t\t\t * the data we use below in the cache... 
(but\n\t\t\t * it could be two 128 byte segments at 32bpp)\n\t\t\t * so this inner loop is not as bad as it seems.\n\t\t\t */\n\t\t\tint k, kx;\n\t\t\tkx = pixelsize;\n\t\t\tfor (k=0; k last_x) {\n\t\t\t\t\t\tlast_x = k;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\ts_src += tile_row[nt]->bytes_per_line;\n\t\ts_dst += main_bytes_per_line;\n\t}\n\n\t/* record all the info in the region array for this tile: */\n\tfor (t=1; t <= nt; t++) {\n\t\tint s = t - 1;\n\n\t\tif (first_line[t] == -1) {\n\t\t\t/* tile unchanged */\n\t\t\tcontinue;\n\t\t}\n\t\ttile_region[n+s].first_line = first_line[t];\n\t\ttile_region[n+s].last_line = last_line[t];\n\n\t\ttile_region[n+s].first_x = first_x;\n\t\ttile_region[n+s].last_x = last_x;\n\n\t\ttile_region[n+s].top_diff = 0;\n\t\ttile_region[n+s].bot_diff = 0;\n\t\tif ( first_line[t] < tile_fuzz ) {\n\t\t\ttile_region[n+s].top_diff = 1;\n\t\t}\n\t\tif ( last_line[t] > (size_y - 1) - tile_fuzz ) {\n\t\t\ttile_region[n+s].bot_diff = 1;\n\t\t}\n\n\t\ttile_region[n+s].left_diff = left_diff[t];\n\t\ttile_region[n+s].right_diff = right_diff[t];\n\n\t\ttile_copied[n+s] = 1;\n\t}\n\n\treturn(1);\n}", "project": "x11vnc", "hash": 259891596298826237505489950008004012625, "size": 338, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360781 }, { "func": "static void csi_X(struct vc_data *vc, int vpar) /* erase the following vpar positions */\n{\t\t\t\t\t /* not vt100? */\n\tint count;\n\n\tif (!vpar)\n\t\tvpar++;\n\tcount = (vpar > vc->vc_cols - vc->vc_x) ? 
(vc->vc_cols - vc->vc_x) : vpar;\n\n\tvc_uniscr_clear_line(vc, vc->vc_x, count);\n\tscr_memsetw((unsigned short *)vc->vc_pos, vc->vc_video_erase_char, 2 * count);\n\tif (con_should_update(vc))\n\t\tvc->vc_sw->con_clear(vc, vc->vc_y, vc->vc_x, 1, count);\n\tvc->vc_need_wrap = 0;\n}", "project": "linux", "hash": 325615814805155650358784768258130618383, "size": 14, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437077 }, { "func": "\treturn &priv->session_cont.ac == cont;\n}\n\nstatic int iscsi_conn_match(struct attribute_container *cont,\n\t\t\t struct device *dev)\n{\n\tstruct iscsi_cls_session *session;\n\tstruct iscsi_cls_conn *conn;\n\tstruct Scsi_Host *shost;\n\tstruct iscsi_internal *priv;\n\n\tif (!iscsi_is_conn_dev(dev))\n\t\treturn 0;\n\n\tconn = iscsi_dev_to_conn(dev);\n\tsession = iscsi_dev_to_session(conn->dev.parent);\n\tshost = iscsi_session_to_shost(session);\n\n\tif (!shost->transportt)\n\t\treturn 0;\n\n\tpriv = to_iscsi_internal(shost->transportt);\n\tif (priv->conn_cont.ac.class != &iscsi_connection_class.class)\n\t\treturn 0;", "project": "linux", "hash": 260967289260809111602631514009298291976, "size": 24, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379961 }, { "func": "static int slab_mem_going_online_callback(void *arg)\n{\n\tstruct kmem_cache_node *n;\n\tstruct kmem_cache *s;\n\tstruct memory_notify *marg = arg;\n\tint nid = marg->status_change_nid_normal;\n\tint ret = 0;\n\n\t/*\n\t * If the node's memory is already available, then kmem_cache_node is\n\t * already created. Nothing to do.\n\t */\n\tif (nid < 0)\n\t\treturn 0;\n\n\t/*\n\t * We are bringing a node online. No memory is available yet. 
We must\n\t * allocate a kmem_cache_node structure in order to bring the node\n\t * online.\n\t */\n\tmutex_lock(&slab_mutex);\n\tlist_for_each_entry(s, &slab_caches, list) {\n\t\t/*\n\t\t * XXX: kmem_cache_alloc_node will fallback to other nodes\n\t\t * since memory is not yet available from the node that\n\t\t * is brought up.\n\t\t */\n\t\tn = kmem_cache_alloc(kmem_cache_node, GFP_KERNEL);\n\t\tif (!n) {\n\t\t\tret = -ENOMEM;\n\t\t\tgoto out;\n\t\t}\n\t\tinit_kmem_cache_node(n);\n\t\ts->node[nid] = n;\n\t}\nout:\n\tmutex_unlock(&slab_mutex);\n\treturn ret;\n}", "project": "linux", "hash": 146338948474202250727481553215257661670, "size": 39, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280157 }, { "func": "int imap_code (const char *s)\n{\n return cmd_status (s) == IMAP_CMD_OK;\n}", "project": "mutt", "hash": 146431017928641404215496917668438785219, "size": 4, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338020 }, { "func": "void WuManberReplacement::initTables() {\n size_t max_shift = m - B + 1;\n hash.fill(-1);\n shift.fill(max_shift);\n prefix.reserve(patterns.size());\n\n strtr_compare_hash_suffix comparator(m, B);\n std::sort(patterns.begin(), patterns.end(), comparator);\n\n {\n uint16_t last_h = -1; // assumes not all bits are used\n // patterns is already ordered by hash.\n // Make hash[h] de index of the first pattern in\n // patterns that has hash\n int size = patterns.size();\n for(int i = 0; i != size; ++i) {\n // init hash tab\n uint16_t h = patterns[i].hash(m - B, B) & HASH_TAB_MASK;\n if (h != last_h) {\n hash[h] = i;\n last_h = h;\n }\n // init shift tab\n for (int j = 0; j < max_shift; j++) {\n uint16_t h2 = patterns[i].hash( j, B ) & SHIFT_TAB_MASK;\n assertx((long long) m - (long long) j - B >= 0);\n shift[h2] = MIN(shift[h2], m - j - B);\n }\n // init prefix\n prefix.push_back(patterns[i].hash(0, Bp));\n }\n }\n\n hash[HASH_TAB_SIZE] = patterns.size(); // OK, we allocated SIZE+1\n for (int i = HASH_TAB_SIZE - 1; i >= 0; i--) {\n if (hash[i] == -1) {\n hash[i] = hash[i + 1];\n }\n }\n}", "project": "hhvm", "hash": 57573665956401189765308702124582641, "size": 40, "commit_id": 
"08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219157 }, { "func": "static void nfs4_xdr_enc_pathconf(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\t const void *data)\n{\n\tconst struct nfs4_pathconf_arg *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_getattr(xdr, nfs4_pathconf_bitmap, args->bitmask,\n\t\t\tARRAY_SIZE(nfs4_pathconf_bitmap), &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 104837632634507028864932053800261085495, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431151 }, { "func": "static void push_data(struct archive_read* a, struct rar5* rar,\n const uint8_t* buf, int64_t idx_begin, int64_t idx_end)\n{\n\tconst uint64_t wmask = rar->cstate.window_mask;\n\tconst ssize_t solid_write_ptr = (rar->cstate.solid_offset +\n\t rar->cstate.last_write_ptr) & wmask;\n\n\tidx_begin += rar->cstate.solid_offset;\n\tidx_end += rar->cstate.solid_offset;\n\n\t/* Check if our unpacked data is wrapped inside the window circular\n\t * buffer. If it's not wrapped, it can be copied out by using\n\t * a single memcpy, but when it's wrapped, we need to copy the first\n\t * part with one memcpy, and the second part with another memcpy. 
*/\n\n\tif((idx_begin & wmask) > (idx_end & wmask)) {\n\t\t/* The data is wrapped (begin offset sis bigger than end\n\t\t * offset). */\n\t\tconst ssize_t frag1_size = rar->cstate.window_size -\n\t\t (idx_begin & wmask);\n\t\tconst ssize_t frag2_size = idx_end & wmask;\n\n\t\t/* Copy the first part of the buffer first. */\n\t\tpush_data_ready(a, rar, buf + solid_write_ptr, frag1_size,\n\t\t rar->cstate.last_write_ptr);\n\n\t\t/* Copy the second part of the buffer. */\n\t\tpush_data_ready(a, rar, buf, frag2_size,\n\t\t rar->cstate.last_write_ptr + frag1_size);\n\n\t\trar->cstate.last_write_ptr += frag1_size + frag2_size;\n\t} else {\n\t\t/* Data is not wrapped, so we can just use one call to copy the\n\t\t * data. */\n\t\tpush_data_ready(a, rar,\n\t\t buf + solid_write_ptr, (idx_end - idx_begin) & wmask,\n\t\t rar->cstate.last_write_ptr);\n\n\t\trar->cstate.last_write_ptr += idx_end - idx_begin;\n\t}\n}", "project": "libarchive", "hash": 255987072124207298604511262832929281390, "size": 41, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244682 }, { "func": "void WebContents::DevToolsClosed() {\n v8::Locker locker(isolate());\n v8::HandleScope handle_scope(isolate());\n devtools_web_contents_.Reset();\n\n Emit(\"devtools-closed\");\n}", "project": "electron", "hash": 2214409841054232164004388867929390316, "size": 7, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269749 }, { "func": "static void tcp_undo_cwr(struct sock *sk, const bool undo_ssthresh)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\tif (tp->prior_ssthresh) {\n\t\tconst struct inet_connection_sock *icsk = inet_csk(sk);\n\n\t\tif (icsk->icsk_ca_ops->undo_cwnd)\n\t\t\ttp->snd_cwnd = icsk->icsk_ca_ops->undo_cwnd(sk);\n\t\telse\n\t\t\ttp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh << 1);\n\n\t\tif (undo_ssthresh && tp->prior_ssthresh > tp->snd_ssthresh) {\n\t\t\ttp->snd_ssthresh = tp->prior_ssthresh;\n\t\t\tTCP_ECN_withdraw_cwr(tp);\n\t\t}\n\t} else {\n\t\ttp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh);\n\t}\n\ttp->snd_cwnd_stamp = tcp_time_stamp;\n}", "project": "net-next", "hash": 99721249527401010062023658406371687450, "size": 21, "commit_id": 
"fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409948 }, { "func": "static rsRetVal qDestructLinkedList(qqueue_t __attribute__((unused)) *pThis)\n{\n\tDEFiRet;\n\n\tqueueDrain(pThis); /* discard any remaining queue entries */\n\n\t/* with the linked list type, there is nothing left to do here. The\n\t * reason is that there are no dynamic elements for the list itself.\n\t */\n\n\tRETiRet;\n}", "project": "rsyslog", "hash": 106309367660462428204121185328151384232, "size": 12, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373787 }, { "func": "bool NodeNameInValues(const std::vector& control_dependencies,\n const StringPiece& node_name) {\n return std::find(control_dependencies.begin(), control_dependencies.end(),\n node_name) != control_dependencies.end();\n}", "project": "tensorflow", "hash": 98627590299568441832837622800592447392, "size": 5, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268309 }, { "func": "bool NodeNameInValues(const std::map& input_map,\n const StringPiece& node_name) {\n for (auto iter = input_map.begin(); iter != input_map.end(); ++iter) {\n if (iter->second.first == node_name) return true;\n }\n return false;\n}", "project": "tensorflow", "hash": 191476774842696148880054106849652133677, "size": 7, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268314 }, { "func": "unsigned long kvm_vcpu_gfn_to_hva_prot(struct kvm_vcpu *vcpu, gfn_t gfn, bool *writable)\n{\n\tstruct kvm_memory_slot *slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);\n\n\treturn gfn_to_hva_memslot_prot(slot, gfn, writable);\n}", "project": "linux", "hash": 95396634562139292050294053513913831270, "size": 6, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354746 }, { "func": "static void tcp_enter_frto_loss(struct sock *sk, int allowed_segments, int flag)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct sk_buff *skb;\n\n\ttp->lost_out = 0;\n\ttp->retrans_out = 0;\n\tif (tcp_is_reno(tp))\n\t\ttcp_reset_reno_sack(tp);\n\n\ttcp_for_write_queue(skb, sk) {\n\t\tif (skb == tcp_send_head(sk))\n\t\t\tbreak;\n\n\t\tTCP_SKB_CB(skb)->sacked &= ~TCPCB_LOST;\n\t\t/*\n\t\t * Count the retransmission made on RTO correctly (only when\n\t\t * waiting for the first ACK and did not get it)...\n\t\t */\n\t\tif ((tp->frto_counter == 1) && !(flag & FLAG_DATA_ACKED)) {\n\t\t\t/* For some 
reason this R-bit might get cleared? */\n\t\t\tif (TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_RETRANS)\n\t\t\t\ttp->retrans_out += tcp_skb_pcount(skb);\n\t\t\t/* ...enter this if branch just for the first segment */\n\t\t\tflag |= FLAG_DATA_ACKED;\n\t\t} else {\n\t\t\tif (TCP_SKB_CB(skb)->sacked & TCPCB_RETRANS)\n\t\t\t\ttp->undo_marker = 0;\n\t\t\tTCP_SKB_CB(skb)->sacked &= ~TCPCB_SACKED_RETRANS;\n\t\t}\n\n\t\t/* Marking forward transmissions that were made after RTO lost\n\t\t * can cause unnecessary retransmissions in some scenarios,\n\t\t * SACK blocks will mitigate that in some but not in all cases.\n\t\t * We used to not mark them but it was causing break-ups with\n\t\t * receivers that do only in-order receival.\n\t\t *\n\t\t * TODO: we could detect presence of such receiver and select\n\t\t * different behavior per flow.\n\t\t */\n\t\tif (!(TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_ACKED)) {\n\t\t\tTCP_SKB_CB(skb)->sacked |= TCPCB_LOST;\n\t\t\ttp->lost_out += tcp_skb_pcount(skb);\n\t\t\ttp->retransmit_high = TCP_SKB_CB(skb)->end_seq;\n\t\t}\n\t}\n\ttcp_verify_left_out(tp);\n\n\ttp->snd_cwnd = tcp_packets_in_flight(tp) + allowed_segments;\n\ttp->snd_cwnd_cnt = 0;\n\ttp->snd_cwnd_stamp = tcp_time_stamp;\n\ttp->frto_counter = 0;\n\ttp->bytes_acked = 0;\n\n\ttp->reordering = min_t(unsigned int, tp->reordering,\n\t\t\t sysctl_tcp_reordering);\n\ttcp_set_ca_state(sk, TCP_CA_Loss);\n\ttp->high_seq = tp->snd_nxt;\n\tTCP_ECN_queue_cwr(tp);\n\n\ttcp_clear_all_retrans_hints(tp);\n}", "project": "net-next", "hash": 288276895698792010861430122131485751654, "size": 62, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409890 }, { "func": "static int tty_paranoia_check(struct tty_struct *tty, struct inode *inode,\n\t\t\t const char *routine)\n{\n#ifdef TTY_PARANOIA_CHECK\n\tif (!tty) {\n\t\tpr_warn(\"(%d:%d): %s: NULL tty\\n\",\n\t\t\timajor(inode), iminor(inode), routine);\n\t\treturn 1;\n\t}\n\tif (tty->magic != TTY_MAGIC) {\n\t\tpr_warn(\"(%d:%d): %s: bad magic number\\n\",\n\t\t\timajor(inode), iminor(inode), routine);\n\t\treturn 1;\n\t}\n#endif\n\treturn 0;\n}", "project": "linux", "hash": 239516082255674863595454889871082219555, "size": 17, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325981 }, { "func": "static inline int nfs4_server_supports_acls(struct nfs_server *server)\n{\n\treturn server->caps & NFS_CAP_ACLS;\n}", "project": "linux", "hash": 232777681069546526348679802745943549168, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430957 }, { "func": "bool JOIN::change_result(select_result *new_result, select_result *old_result)\n{\n DBUG_ENTER(\"JOIN::change_result\");\n if (old_result == NULL || result == old_result)\n {\n result= new_result;\n if (result->prepare(fields_list, select_lex->master_unit()) ||\n result->prepare2(this))\n DBUG_RETURN(true); /* purecov: inspected */\n DBUG_RETURN(false);\n }\n DBUG_RETURN(result->change_result(new_result));\n}", "target": 0, "cwe": [], "project": "server", "commit_id": 
"ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 240268805684657828057971908794652230060, "size": 13, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508442 }, { "func": "void input_unregister_device(struct input_dev *dev)\n{\n\tif (dev->devres_managed) {\n\t\tWARN_ON(devres_destroy(dev->dev.parent,\n\t\t\t\t\tdevm_input_device_unregister,\n\t\t\t\t\tdevm_input_device_match,\n\t\t\t\t\tdev));\n\t\t__input_unregister_device(dev);\n\t\t/*\n\t\t * We do not do input_put_device() here because it will be done\n\t\t * when 2nd devres fires up.\n\t\t */\n\t} else {\n\t\t__input_unregister_device(dev);\n\t\tinput_put_device(dev);\n\t}\n}", "project": "linux", "hash": 137329313921326813008763897080114544390, "size": 17, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353376 }, { "func": "static void oidc_revoke_tokens(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session) {\n\n\tchar *response = NULL;\n\tchar *basic_auth = NULL;\n\tchar *bearer_auth = NULL;\n\tapr_table_t *params = NULL;\n\tconst char *token = NULL;\n\toidc_provider_t *provider = NULL;\n\n\toidc_debug(r, \"enter\");\n\n\tif (oidc_get_provider_from_session(r, c, session, &provider) == FALSE)\n\t\tgoto out;\n\n\toidc_debug(r, \"revocation_endpoint=%s\",\n\t\t\tprovider->revocation_endpoint_url ?\n\t\t\t\t\tprovider->revocation_endpoint_url : \"(null)\");\n\n\tif (provider->revocation_endpoint_url == NULL)\n\t\tgoto out;\n\n\tparams = apr_table_make(r->pool, 4);\n\n\t// add the token endpoint authentication credentials to the revocation endpoint call...\n\tif (oidc_proto_token_endpoint_auth(r, c, provider->token_endpoint_auth,\n\t\t\tprovider->client_id, provider->client_secret,\n\t\t\tprovider->client_signing_keys, provider->token_endpoint_url, params,\n\t\t\tNULL, &basic_auth, &bearer_auth) == FALSE)\n\t\tgoto out;\n\n\t// TODO: use oauth.ssl_validate_server ...\n\ttoken = oidc_session_get_refresh_token(r, session);\n\tif (token != NULL) {\n\t\tapr_table_addn(params, \"token_type_hint\", \"refresh_token\");\n\t\tapr_table_addn(params, \"token\", token);\n\n\t\tif (oidc_util_http_post_form(r, provider->revocation_endpoint_url,\n\t\t\t\tparams, basic_auth, bearer_auth, c->oauth.ssl_validate_server,\n\t\t\t\t&response, c->http_timeout_long, c->outgoing_proxy,\n\t\t\t\toidc_dir_cfg_pass_cookies(r), NULL,\n\t\t\t\tNULL, NULL) == FALSE) {\n\t\t\toidc_warn(r, \"revoking refresh token 
failed\");\n\t\t}\n\t\tapr_table_clear(params);\n\t}\n\n\ttoken = oidc_session_get_access_token(r, session);\n\tif (token != NULL) {\n\t\tapr_table_addn(params, \"token_type_hint\", \"access_token\");\n\t\tapr_table_addn(params, \"token\", token);\n\n\t\tif (oidc_util_http_post_form(r, provider->revocation_endpoint_url,\n\t\t\t\tparams, basic_auth, bearer_auth, c->oauth.ssl_validate_server,\n\t\t\t\t&response, c->http_timeout_long, c->outgoing_proxy,\n\t\t\t\toidc_dir_cfg_pass_cookies(r), NULL,\n\t\t\t\tNULL, NULL) == FALSE) {\n\t\t\toidc_warn(r, \"revoking access token failed\");\n\t\t}\n\t}\n\nout:\n\n\toidc_debug(r, \"leave\");\n}", "project": "mod_auth_openidc", "hash": 55644018620205717801166394564557549389, "size": 65, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381912 }, { "func": "static void oidc_revoke_tokens(request_rec *r, oidc_cfg *c,\n\t\toidc_session_t *session) {\n\n\tchar *response = NULL;\n\tchar *basic_auth = NULL;\n\tchar *bearer_auth = NULL;\n\tapr_table_t *params = NULL;\n\tconst char *token = NULL;\n\toidc_provider_t *provider = NULL;\n\n\toidc_debug(r, \"enter\");\n\n\tif (oidc_get_provider_from_session(r, c, session, &provider) == FALSE)\n\t\tgoto out;\n\n\toidc_debug(r, \"revocation_endpoint=%s\",\n\t\t\tprovider->revocation_endpoint_url ?\n\t\t\t\t\tprovider->revocation_endpoint_url : \"(null)\");\n\n\tif (provider->revocation_endpoint_url == NULL)\n\t\tgoto out;\n\n\tparams = apr_table_make(r->pool, 4);\n\n\t// add the token endpoint authentication credentials to the revocation endpoint call...\n\tif (oidc_proto_token_endpoint_auth(r, c, provider->token_endpoint_auth,\n\t\t\tprovider->client_id, provider->client_secret,\n\t\t\tprovider->client_signing_keys, provider->token_endpoint_url, params,\n\t\t\tNULL, 
&basic_auth, &bearer_auth) == FALSE)\n\t\tgoto out;\n\n\t// TODO: use oauth.ssl_validate_server ...\n\ttoken = oidc_session_get_refresh_token(r, session);\n\tif (token != NULL) {\n\t\tapr_table_addn(params, \"token_type_hint\", \"refresh_token\");\n\t\tapr_table_addn(params, \"token\", token);\n\n\t\tif (oidc_util_http_post_form(r, provider->revocation_endpoint_url,\n\t\t\t\tparams, basic_auth, bearer_auth, c->oauth.ssl_validate_server,\n\t\t\t\t&response, c->http_timeout_long, c->outgoing_proxy,\n\t\t\t\toidc_dir_cfg_pass_cookies(r), NULL,\n\t\t\t\tNULL) == FALSE) {\n\t\t\toidc_warn(r, \"revoking refresh token failed\");\n\t\t}\n\t\tapr_table_clear(params);\n\t}\n\n\ttoken = oidc_session_get_access_token(r, session);\n\tif (token != NULL) {\n\t\tapr_table_addn(params, \"token_type_hint\", \"access_token\");\n\t\tapr_table_addn(params, \"token\", token);\n\n\t\tif (oidc_util_http_post_form(r, provider->revocation_endpoint_url,\n\t\t\t\tparams, basic_auth, bearer_auth, c->oauth.ssl_validate_server,\n\t\t\t\t&response, c->http_timeout_long, c->outgoing_proxy,\n\t\t\t\toidc_dir_cfg_pass_cookies(r), NULL,\n\t\t\t\tNULL) == FALSE) {\n\t\t\toidc_warn(r, \"revoking access token failed\");\n\t\t}\n\t}\n\nout:\n\n\toidc_debug(r, \"leave\");\n}", "project": "mod_auth_openidc", "hash": 247344149488179022720296588715179988968, "size": 65, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447718 }, { "func": "static void tipc_lxc_xmit(struct net *peer_net, struct sk_buff_head *list)\n{\n\tstruct tipc_msg *hdr = buf_msg(skb_peek(list));\n\tstruct sk_buff_head inputq;\n\n\tswitch (msg_user(hdr)) {\n\tcase TIPC_LOW_IMPORTANCE:\n\tcase TIPC_MEDIUM_IMPORTANCE:\n\tcase TIPC_HIGH_IMPORTANCE:\n\tcase TIPC_CRITICAL_IMPORTANCE:\n\t\tif (msg_connected(hdr) || msg_named(hdr) ||\n\t\t msg_direct(hdr)) {\n\t\t\ttipc_loopback_trace(peer_net, 
list);\n\t\t\tspin_lock_init(&list->lock);\n\t\t\ttipc_sk_rcv(peer_net, list);\n\t\t\treturn;\n\t\t}\n\t\tif (msg_mcast(hdr)) {\n\t\t\ttipc_loopback_trace(peer_net, list);\n\t\t\tskb_queue_head_init(&inputq);\n\t\t\ttipc_sk_mcast_rcv(peer_net, list, &inputq);\n\t\t\t__skb_queue_purge(list);\n\t\t\tskb_queue_purge(&inputq);\n\t\t\treturn;\n\t\t}\n\t\treturn;\n\tcase MSG_FRAGMENTER:\n\t\tif (tipc_msg_assemble(list)) {\n\t\t\ttipc_loopback_trace(peer_net, list);\n\t\t\tskb_queue_head_init(&inputq);\n\t\t\ttipc_sk_mcast_rcv(peer_net, list, &inputq);\n\t\t\t__skb_queue_purge(list);\n\t\t\tskb_queue_purge(&inputq);\n\t\t}\n\t\treturn;\n\tcase GROUP_PROTOCOL:\n\tcase CONN_MANAGER:\n\t\ttipc_loopback_trace(peer_net, list);\n\t\tspin_lock_init(&list->lock);\n\t\ttipc_sk_rcv(peer_net, list);\n\t\treturn;\n\tcase LINK_PROTOCOL:\n\tcase NAME_DISTRIBUTOR:\n\tcase TUNNEL_PROTOCOL:\n\tcase BCAST_PROTOCOL:\n\t\treturn;\n\tdefault:\n\t\treturn;\n\t}\n}", "project": "linux", "hash": 205779578540351515842202532526615261948, "size": 50, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 
[inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n 
kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364963 }, { "func": "static int cr_interception(struct vcpu_svm *svm)\n{\n\tint reg, cr;\n\tunsigned long val;\n\tint err;\n\n\tif (!static_cpu_has(X86_FEATURE_DECODEASSISTS))\n\t\treturn emulate_on_interception(svm);\n\n\tif (unlikely((svm->vmcb->control.exit_info_1 & CR_VALID) == 0))\n\t\treturn emulate_on_interception(svm);\n\n\treg = svm->vmcb->control.exit_info_1 & SVM_EXITINFO_REG_MASK;\n\tif (svm->vmcb->control.exit_code == SVM_EXIT_CR0_SEL_WRITE)\n\t\tcr = SVM_EXIT_WRITE_CR0 - SVM_EXIT_READ_CR0;\n\telse\n\t\tcr = svm->vmcb->control.exit_code - SVM_EXIT_READ_CR0;\n\n\terr = 0;\n\tif (cr >= 16) { /* mov to cr */\n\t\tcr -= 16;\n\t\tval = kvm_register_read(&svm->vcpu, reg);\n\t\tswitch (cr) {\n\t\tcase 0:\n\t\t\tif (!check_selective_cr0_intercepted(svm, val))\n\t\t\t\terr = kvm_set_cr0(&svm->vcpu, val);\n\t\t\telse\n\t\t\t\treturn 1;\n\n\t\t\tbreak;\n\t\tcase 3:\n\t\t\terr = kvm_set_cr3(&svm->vcpu, val);\n\t\t\tbreak;\n\t\tcase 4:\n\t\t\terr = kvm_set_cr4(&svm->vcpu, val);\n\t\t\tbreak;\n\t\tcase 8:\n\t\t\terr = kvm_set_cr8(&svm->vcpu, val);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tWARN(1, \"unhandled write to CR%d\", cr);\n\t\t\tkvm_queue_exception(&svm->vcpu, UD_VECTOR);\n\t\t\treturn 1;\n\t\t}\n\t} else { /* mov from cr */\n\t\tswitch (cr) {\n\t\tcase 0:\n\t\t\tval = kvm_read_cr0(&svm->vcpu);\n\t\t\tbreak;\n\t\tcase 2:\n\t\t\tval = svm->vcpu.arch.cr2;\n\t\t\tbreak;\n\t\tcase 3:\n\t\t\tval = kvm_read_cr3(&svm->vcpu);\n\t\t\tbreak;\n\t\tcase 4:\n\t\t\tval = kvm_read_cr4(&svm->vcpu);\n\t\t\tbreak;\n\t\tcase 8:\n\t\t\tval = kvm_get_cr8(&svm->vcpu);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tWARN(1, \"unhandled read from CR%d\", cr);\n\t\t\tkvm_queue_exception(&svm->vcpu, UD_VECTOR);\n\t\t\treturn 1;\n\t\t}\n\t\tkvm_register_write(&svm->vcpu, reg, val);\n\t}\n\treturn kvm_complete_insn_gp(&svm->vcpu, err);\n}", "project": "linux", "hash": 101732366872644645329186380026638906561, "size": 70, "commit_id": 
"d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432517 }, { "func": "static int cr_interception(struct vcpu_svm *svm)\n{\n\tint reg, cr;\n\tunsigned long val;\n\tint err;\n\n\tif (!static_cpu_has(X86_FEATURE_DECODEASSISTS))\n\t\treturn emulate_on_interception(svm);\n\n\tif (unlikely((svm->vmcb->control.exit_info_1 & CR_VALID) == 0))\n\t\treturn emulate_on_interception(svm);\n\n\treg = svm->vmcb->control.exit_info_1 & SVM_EXITINFO_REG_MASK;\n\tcr = svm->vmcb->control.exit_code - SVM_EXIT_READ_CR0;\n\n\terr = 0;\n\tif (cr >= 16) { /* mov to cr */\n\t\tcr -= 16;\n\t\tval = kvm_register_read(&svm->vcpu, reg);\n\t\tswitch (cr) {\n\t\tcase 0:\n\t\t\tif (!check_selective_cr0_intercepted(svm, val))\n\t\t\t\terr = kvm_set_cr0(&svm->vcpu, val);\n\t\t\telse\n\t\t\t\treturn 1;\n\n\t\t\tbreak;\n\t\tcase 3:\n\t\t\terr = kvm_set_cr3(&svm->vcpu, val);\n\t\t\tbreak;\n\t\tcase 4:\n\t\t\terr = kvm_set_cr4(&svm->vcpu, val);\n\t\t\tbreak;\n\t\tcase 8:\n\t\t\terr = kvm_set_cr8(&svm->vcpu, val);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tWARN(1, \"unhandled write to CR%d\", cr);\n\t\t\tkvm_queue_exception(&svm->vcpu, UD_VECTOR);\n\t\t\treturn 1;\n\t\t}\n\t} else { /* mov from cr */\n\t\tswitch (cr) {\n\t\tcase 0:\n\t\t\tval = kvm_read_cr0(&svm->vcpu);\n\t\t\tbreak;\n\t\tcase 2:\n\t\t\tval = svm->vcpu.arch.cr2;\n\t\t\tbreak;\n\t\tcase 3:\n\t\t\tval = kvm_read_cr3(&svm->vcpu);\n\t\t\tbreak;\n\t\tcase 4:\n\t\t\tval = kvm_read_cr4(&svm->vcpu);\n\t\t\tbreak;\n\t\tcase 8:\n\t\t\tval = kvm_get_cr8(&svm->vcpu);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tWARN(1, \"unhandled read from CR%d\", 
cr);\n\t\t\tkvm_queue_exception(&svm->vcpu, UD_VECTOR);\n\t\t\treturn 1;\n\t\t}\n\t\tkvm_register_write(&svm->vcpu, reg, val);\n\t}\n\tkvm_complete_insn_gp(&svm->vcpu, err);\n\n\treturn 1;\n}", "project": "kvm", "hash": 309352941326791688874986789573371667262, "size": 69, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437650 }, { "func": "static int bprm_mm_init(struct linux_binprm *bprm)\n{\n\tint err;\n\tstruct mm_struct *mm = NULL;\n\n\tbprm->mm = mm = mm_alloc();\n\terr = -ENOMEM;\n\tif (!mm)\n\t\tgoto err;\n\n\t/* Save current stack limit for all calculations made during exec. */\n\ttask_lock(current->group_leader);\n\tbprm->rlim_stack = current->signal->rlim[RLIMIT_STACK];\n\ttask_unlock(current->group_leader);\n\n\terr = __bprm_mm_init(bprm);\n\tif (err)\n\t\tgoto err;\n\n\treturn 0;\n\nerr:\n\tif (mm) {\n\t\tbprm->mm = NULL;\n\t\tmmdrop(mm);\n\t}\n\n\treturn err;\n}", "project": "linux", "hash": 7098171959305799244218612759086900671, "size": 29, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375263 }, { "func": "static int svm_nmi_allowed(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tstruct vmcb *vmcb = svm->vmcb;\n\tint ret;\n\tret = !(vmcb->control.int_state & SVM_INTERRUPT_SHADOW_MASK) &&\n\t !(svm->vcpu.arch.hflags & HF_NMI_MASK);\n\tret = ret && gif_set(svm) && nested_svm_nmi(svm);\n\n\treturn ret;\n}", "project": "linux", "hash": 102385552652890297018126678183705146388, "size": 11, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432407 }, { "func": "static void send_signature(void) {\n uint8_t hash[32], sig[64];\n uint8_t v;\n layoutProgress(_(\"Signing\"), 1000);\n\n /* eip-155 replay protection */\n if (chain_id) {\n /* hash v=chain_id, r=0, s=0 */\n hash_rlp_number(chain_id);\n hash_rlp_length(0, 0);\n hash_rlp_length(0, 0);\n }\n\n keccak_Final(&keccak_ctx, hash);\n if (ecdsa_sign_digest(&secp256k1, privkey, hash, sig, &v,\n ethereum_is_canonic) != 0) {\n fsm_sendFailure(FailureType_Failure_Other, \"Signing failed\");\n ethereum_signing_abort();\n return;\n }\n\n memzero(privkey, sizeof(privkey));\n\n /* Send back the result */\n msg_tx_request.has_data_length = false;\n\n msg_tx_request.has_signature_v = true;\n if (chain_id > MAX_CHAIN_ID) {\n msg_tx_request.signature_v = v;\n } else if (chain_id) {\n msg_tx_request.signature_v = v + 2 * chain_id + 35;\n } else {\n msg_tx_request.signature_v = v + 27;\n }\n\n msg_tx_request.has_signature_r = true;\n msg_tx_request.signature_r.size = 32;\n memcpy(msg_tx_request.signature_r.bytes, sig, 32);\n\n msg_tx_request.has_signature_s = true;\n msg_tx_request.signature_s.size = 32;\n memcpy(msg_tx_request.signature_s.bytes, sig + 32, 32);\n\n // KeepKey custom (for the KeepKey Client)\n msg_tx_request.has_hash = true;\n msg_tx_request.hash.size = sizeof(msg_tx_request.hash.bytes);\n memcpy(msg_tx_request.hash.bytes, hash, msg_tx_request.hash.size);\n msg_tx_request.has_signature_der = true;\n msg_tx_request.signature_der.size =\n ecdsa_sig_to_der(sig, msg_tx_request.signature_der.bytes);\n\n msg_write(MessageType_MessageType_EthereumTxRequest, &msg_tx_request);\n\n ethereum_signing_abort();\n}", "project": "keepkey-firmware", "hash": 264335657194038897775977423305829222173, "size": 55, "commit_id": 
"e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220885 }, { "func": "static int x25_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct sockaddr_x25 *addr = (struct sockaddr_x25 *)uaddr;\n\tint len, i, rc = 0;\n\n\tif (addr_len != sizeof(struct sockaddr_x25) ||\n\t addr->sx25_family != AF_X25 ||\n\t strnlen(addr->sx25_addr.x25_addr, X25_ADDR_LEN) == X25_ADDR_LEN) {\n\t\trc = -EINVAL;\n\t\tgoto out;\n\t}\n\n\t/* check for the null_x25_address */\n\tif (strcmp(addr->sx25_addr.x25_addr, null_x25_address.x25_addr)) {\n\n\t\tlen = strlen(addr->sx25_addr.x25_addr);\n\t\tfor (i = 0; i < len; i++) {\n\t\t\tif (!isdigit(addr->sx25_addr.x25_addr[i])) {\n\t\t\t\trc = -EINVAL;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t}\n\t}\n\n\tlock_sock(sk);\n\tif (sock_flag(sk, SOCK_ZAPPED)) {\n\t\tx25_sk(sk)->source_addr = addr->sx25_addr;\n\t\tx25_insert_socket(sk);\n\t\tsock_reset_flag(sk, SOCK_ZAPPED);\n\t} else {\n\t\trc = -EINVAL;\n\t}\n\trelease_sock(sk);\n\tSOCK_DEBUG(sk, \"x25_bind: socket is bound\\n\");\nout:\n\treturn rc;\n}", "project": "net", "hash": 259839467690217435570108768186745914121, "size": 38, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... 
| x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449182 }, { "func": "static OPJ_BOOL opj_j2k_add_tlmarker(OPJ_UINT32 tileno,\n opj_codestream_index_t *cstr_index, OPJ_UINT32 type, OPJ_OFF_T pos,\n OPJ_UINT32 len)\n{\n assert(cstr_index != 00);\n assert(cstr_index->tile_index != 00);\n\n /* expand the list? */\n if ((cstr_index->tile_index[tileno].marknum + 1) >\n cstr_index->tile_index[tileno].maxmarknum) {\n opj_marker_info_t *new_marker;\n cstr_index->tile_index[tileno].maxmarknum = (OPJ_UINT32)(100 +\n (OPJ_FLOAT32) cstr_index->tile_index[tileno].maxmarknum);\n new_marker = (opj_marker_info_t *) opj_realloc(\n cstr_index->tile_index[tileno].marker,\n cstr_index->tile_index[tileno].maxmarknum * sizeof(opj_marker_info_t));\n if (! 
new_marker) {\n opj_free(cstr_index->tile_index[tileno].marker);\n cstr_index->tile_index[tileno].marker = NULL;\n cstr_index->tile_index[tileno].maxmarknum = 0;\n cstr_index->tile_index[tileno].marknum = 0;\n /* opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to add tl marker\\n\"); */\n return OPJ_FALSE;\n }\n cstr_index->tile_index[tileno].marker = new_marker;\n }\n\n /* add the marker */\n cstr_index->tile_index[tileno].marker[cstr_index->tile_index[tileno].marknum].type\n = (OPJ_UINT16)type;\n cstr_index->tile_index[tileno].marker[cstr_index->tile_index[tileno].marknum].pos\n = (OPJ_INT32)pos;\n cstr_index->tile_index[tileno].marker[cstr_index->tile_index[tileno].marknum].len\n = (OPJ_INT32)len;\n cstr_index->tile_index[tileno].marknum++;\n\n if (type == J2K_MS_SOT) {\n OPJ_UINT32 l_current_tile_part = cstr_index->tile_index[tileno].current_tpsno;\n\n if (cstr_index->tile_index[tileno].tp_index) {\n cstr_index->tile_index[tileno].tp_index[l_current_tile_part].start_pos = pos;\n }\n\n }\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 202623008400780886683893912587158342844, "size": 46, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357392 }, { "func": "static int oidc_clean_expired_state_cookies(request_rec *r, oidc_cfg *c,\n\t\tconst char *currentCookieName, int delete_oldest) {\n\tint number_of_valid_state_cookies = 0;\n\toidc_state_cookies_t *first = NULL, *last = NULL;\n\tchar *cookie, *tokenizerCtx = NULL;\n\tchar *cookies = apr_pstrdup(r->pool, oidc_util_hdr_in_cookie_get(r));\n\tif (cookies != NULL) {\n\t\tcookie = apr_strtok(cookies, OIDC_STR_SEMI_COLON, &tokenizerCtx);\n\t\twhile (cookie != NULL) {\n\t\t\twhile (*cookie == OIDC_CHAR_SPACE)\n\t\t\t\tcookie++;\n\t\t\tif (strstr(cookie, oidc_cfg_dir_state_cookie_prefix(r)) == cookie) {\n\t\t\t\tchar *cookieName = 
cookie;\n\t\t\t\twhile (cookie != NULL && *cookie != OIDC_CHAR_EQUAL)\n\t\t\t\t\tcookie++;\n\t\t\t\tif (*cookie == OIDC_CHAR_EQUAL) {\n\t\t\t\t\t*cookie = '\\0';\n\t\t\t\t\tcookie++;\n\t\t\t\t\tif ((currentCookieName == NULL)\n\t\t\t\t\t\t\t|| (apr_strnatcmp(cookieName, currentCookieName)\n\t\t\t\t\t\t\t\t\t!= 0)) {\n\t\t\t\t\t\toidc_proto_state_t *proto_state =\n\t\t\t\t\t\t\t\toidc_proto_state_from_cookie(r, c, cookie);\n\t\t\t\t\t\tif (proto_state != NULL) {\n\t\t\t\t\t\t\tjson_int_t ts = oidc_proto_state_get_timestamp(\n\t\t\t\t\t\t\t\t\tproto_state);\n\t\t\t\t\t\t\tif (apr_time_now() > ts + apr_time_from_sec(c->state_timeout)) {\n\t\t\t\t\t\t\t\toidc_warn(r,\n\t\t\t\t\t\t\t\t\t\t\"state (%s) has expired (original_url=%s)\",\n\t\t\t\t\t\t\t\t\t\tcookieName,\n\t\t\t\t\t\t\t\t\t\toidc_proto_state_get_original_url(\n\t\t\t\t\t\t\t\t\t\t\t\tproto_state));\n\t\t\t\t\t\t\t\toidc_util_set_cookie(r, cookieName, \"\", 0,\n\t\t\t\t\t\t\t\t\t\tOIDC_COOKIE_EXT_SAME_SITE_NONE(r));\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tif (first == NULL) {\n\t\t\t\t\t\t\t\t\tfirst = apr_pcalloc(r->pool,\n\t\t\t\t\t\t\t\t\t\t\tsizeof(oidc_state_cookies_t));\n\t\t\t\t\t\t\t\t\tlast = first;\n\t\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\t\tlast->next = apr_pcalloc(r->pool,\n\t\t\t\t\t\t\t\t\t\t\tsizeof(oidc_state_cookies_t));\n\t\t\t\t\t\t\t\t\tlast = last->next;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tlast->name = cookieName;\n\t\t\t\t\t\t\t\tlast->timestamp = ts;\n\t\t\t\t\t\t\t\tlast->next = NULL;\n\t\t\t\t\t\t\t\tnumber_of_valid_state_cookies++;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\toidc_proto_state_destroy(proto_state);\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\toidc_warn(r,\n\t\t\t\t\t\t\t\t\t\"state cookie could not be retrieved/decoded, deleting: %s\",\n\t\t\t\t\t\t\t\t\tcookieName);\n\t\t\t\t\t\t\toidc_util_set_cookie(r, cookieName, \"\", 0,\n\t\t\t\t\t\t\t\t\tOIDC_COOKIE_EXT_SAME_SITE_NONE(r));\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tcookie = apr_strtok(NULL, OIDC_STR_SEMI_COLON, 
&tokenizerCtx);\n\t\t}\n\t}\n\n\tif (delete_oldest > 0)\n\t\tnumber_of_valid_state_cookies = oidc_delete_oldest_state_cookies(r,\n\t\t\t\tnumber_of_valid_state_cookies, c->max_number_of_state_cookies,\n\t\t\t\tfirst);\n\n\treturn number_of_valid_state_cookies;\n}", "project": "mod_auth_openidc", "hash": 29258534652691829134551184159621728567, "size": 71, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381907 }, { "func": "static int oidc_clean_expired_state_cookies(request_rec *r, oidc_cfg *c,\n\t\tconst char *currentCookieName, int delete_oldest) {\n\tint number_of_valid_state_cookies = 0;\n\toidc_state_cookies_t *first = NULL, *last = NULL;\n\tchar *cookie, *tokenizerCtx = NULL;\n\tchar *cookies = apr_pstrdup(r->pool, oidc_util_hdr_in_cookie_get(r));\n\tif (cookies != NULL) {\n\t\tcookie = apr_strtok(cookies, OIDC_STR_SEMI_COLON, &tokenizerCtx);\n\t\twhile (cookie != NULL) {\n\t\t\twhile (*cookie == OIDC_CHAR_SPACE)\n\t\t\t\tcookie++;\n\t\t\tif (strstr(cookie, OIDC_STATE_COOKIE_PREFIX) == cookie) {\n\t\t\t\tchar *cookieName = cookie;\n\t\t\t\twhile (cookie != NULL && *cookie != OIDC_CHAR_EQUAL)\n\t\t\t\t\tcookie++;\n\t\t\t\tif (*cookie == OIDC_CHAR_EQUAL) {\n\t\t\t\t\t*cookie = '\\0';\n\t\t\t\t\tcookie++;\n\t\t\t\t\tif ((currentCookieName == NULL)\n\t\t\t\t\t\t\t|| (apr_strnatcmp(cookieName, currentCookieName)\n\t\t\t\t\t\t\t\t\t!= 0)) {\n\t\t\t\t\t\toidc_proto_state_t *proto_state =\n\t\t\t\t\t\t\t\toidc_proto_state_from_cookie(r, c, cookie);\n\t\t\t\t\t\tif (proto_state != NULL) {\n\t\t\t\t\t\t\tjson_int_t ts = oidc_proto_state_get_timestamp(\n\t\t\t\t\t\t\t\t\tproto_state);\n\t\t\t\t\t\t\tif (apr_time_now() > ts + apr_time_from_sec(c->state_timeout)) {\n\t\t\t\t\t\t\t\toidc_error(r,\n\t\t\t\t\t\t\t\t\t\t\"state (%s) has expired 
(original_url=%s)\",\n\t\t\t\t\t\t\t\t\t\tcookieName,\n\t\t\t\t\t\t\t\t\t\toidc_proto_state_get_original_url(\n\t\t\t\t\t\t\t\t\t\t\t\tproto_state));\n\t\t\t\t\t\t\t\toidc_util_set_cookie(r, cookieName, \"\", 0,\n\t\t\t\t\t\t\t\t\t\tNULL);\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tif (first == NULL) {\n\t\t\t\t\t\t\t\t\tfirst = apr_pcalloc(r->pool,\n\t\t\t\t\t\t\t\t\t\t\tsizeof(oidc_state_cookies_t));\n\t\t\t\t\t\t\t\t\tlast = first;\n\t\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\t\tlast->next = apr_pcalloc(r->pool,\n\t\t\t\t\t\t\t\t\t\t\tsizeof(oidc_state_cookies_t));\n\t\t\t\t\t\t\t\t\tlast = last->next;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tlast->name = cookieName;\n\t\t\t\t\t\t\t\tlast->timestamp = ts;\n\t\t\t\t\t\t\t\tlast->next = NULL;\n\t\t\t\t\t\t\t\tnumber_of_valid_state_cookies++;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\toidc_proto_state_destroy(proto_state);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tcookie = apr_strtok(NULL, OIDC_STR_SEMI_COLON, &tokenizerCtx);\n\t\t}\n\t}\n\n\tif (delete_oldest > 0)\n\t\tnumber_of_valid_state_cookies = oidc_delete_oldest_state_cookies(r,\n\t\t\t\tnumber_of_valid_state_cookies, c->max_number_of_state_cookies,\n\t\t\t\tfirst);\n\n\treturn number_of_valid_state_cookies;\n}", "project": "mod_auth_openidc", "hash": 178838067854325724477547803574791762709, "size": 65, "commit_id": "ce37080c6aea30aabae8b4a9b4eea7808445cc8e", "message": "2.4.0.2 oops\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 447707 }, { "func": "OPJ_BOOL opj_tcd_is_band_empty(opj_tcd_band_t* band)\n{\n return (band->x1 - band->x0 == 0) || (band->y1 - band->y0 == 0);\n}", "project": "openjpeg", "hash": 158001555432201719602323120870104732037, "size": 4, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359157 }, { "func": "PLUGINDEX CSoundFile::GetBestPlugin(CHANNELINDEX nChn, 
PluginPriority priority, PluginMutePriority respectMutes) const\n{\n\tif (nChn >= MAX_CHANNELS)\t\t//Check valid channel number\n\t{\n\t\treturn 0;\n\t}\n\n\t//Define search source order\n\tPLUGINDEX nPlugin = 0;\n\tswitch (priority)\n\t{\n\t\tcase ChannelOnly:\n\t\t\tnPlugin = GetChannelPlugin(nChn, respectMutes);\n\t\t\tbreak;\n\t\tcase InstrumentOnly:\n\t\t\tnPlugin = GetActiveInstrumentPlugin(nChn, respectMutes);\n\t\t\tbreak;\n\t\tcase PrioritiseInstrument:\n\t\t\tnPlugin = GetActiveInstrumentPlugin(nChn, respectMutes);\n\t\t\tif ((!nPlugin) || (nPlugin > MAX_MIXPLUGINS))\n\t\t\t{\n\t\t\t\tnPlugin = GetChannelPlugin(nChn, respectMutes);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase PrioritiseChannel:\n\t\t\tnPlugin = GetChannelPlugin(nChn, respectMutes);\n\t\t\tif ((!nPlugin) || (nPlugin > MAX_MIXPLUGINS))\n\t\t\t{\n\t\t\t\tnPlugin = GetActiveInstrumentPlugin(nChn, respectMutes);\n\t\t\t}\n\t\t\tbreak;\n\t}\n\n\treturn nPlugin; // 0 Means no plugin found.\n}", "project": "openmpt", "hash": 145732416257614709474939019230115517063, "size": 35, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255207 }, { "func": "static GuidelineSet *SFDReadGuideline(FILE *sfd, GuidelineSet **gll, GuidelineSet *lastgl)\n{\n GuidelineSet *gl = chunkalloc(sizeof(GuidelineSet));\n gl->name = SFDReadUTF7Str(sfd);\n gl->identifier = SFDReadUTF7Str(sfd);\n getreal(sfd,&gl->point.x);\n getreal(sfd,&gl->point.y);\n getreal(sfd,&gl->angle);\n getint(sfd,&gl->color);\n getint(sfd,&gl->flags);\n if ( lastgl!=NULL )\n\tlastgl->next = gl;\n else if (gll)\n *gll = gl;\n return( gl );\n}", "project": "fontforge", "hash": 
87727394153484392540146024283745442010, "size": 16, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417907 }, { "func": "static int getreal(FILE *sfd, real *val) {\n char tokbuf[100];\n int ch;\n char *pt=tokbuf, *end = tokbuf+100-2, *nend;\n\n while ( isspace(ch = nlgetc(sfd)));\n if ( ch!='e' && ch!='E' )\t\t/* real's can't begin with exponants */\n\twhile ( isdigit(ch) || ch=='-' || ch=='+' || ch=='e' || ch=='E' || ch=='.' || ch==',' ) {\n\t if ( ptfontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417932 }, { "func": "\tCHKiRet_Hdlr(qqueuePersist(pThis, QUEUE_NO_CHECKPOINT)) {\n\t\tDBGOPRINT((obj_t*) pThis, \"error %d persisting queue - data lost!\\n\", iRet);\n\t}", "project": "rsyslog", "hash": 32941063525433848440163180659358728059, "size": 3, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373760 }, { "func": "intrusive_ptr ExpressionReplaceBase::optimize() {\n _input = _input->optimize();\n _find = _find->optimize();\n _replacement = _replacement->optimize();\n return this;\n}", "project": "mongo", "hash": 329102658307086099354338662394874966550, "size": 6, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 
370019 }, { "func": "intrusive_ptr ExpressionRandom::optimize() {\n return intrusive_ptr(this);\n}", "project": "mongo", "hash": 257304285311090156035694907921685765237, "size": 3, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370091 }, { "func": "int JOIN::optimize()\n{\n int res= 0;\n create_explain_query_if_not_exists(thd->lex, thd->mem_root);\n join_optimization_state init_state= optimization_state;\n if (optimization_state == JOIN::OPTIMIZATION_PHASE_1_DONE)\n res= optimize_stage2();\n else\n {\n // to prevent double initialization on EXPLAIN\n if (optimization_state != JOIN::NOT_OPTIMIZED)\n return FALSE;\n optimization_state= JOIN::OPTIMIZATION_IN_PROGRESS;\n res= optimize_inner();\n }\n if (!with_two_phase_optimization ||\n init_state == JOIN::OPTIMIZATION_PHASE_1_DONE)\n {\n if (!res && have_query_plan != QEP_DELETED)\n res= build_explain();\n optimization_state= JOIN::OPTIMIZATION_DONE;\n }\n return res;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 287411204675032410550816520033061783358, "size": 24, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508734 }, { "func": " bool eq_def(const Field *field) \n { \n return cached_field ? cached_field->eq_def (field) : FALSE;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 4900236584480179560441499129330842326, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509133 }, { "project": "Chrome", "commit_id": "3454ed7b88318dcd4539c6e1a50d27b0ca535686", "target": 0, "func": "void SearchEngineTabHelper::GenerateKeywordIfNecessary(\n const content::FrameNavigateParams& params) {\n if (!params.searchable_form_url.is_valid())\n return;\n\n Profile* profile =\n Profile::FromBrowserContext(web_contents()->GetBrowserContext());\n if (profile->IsOffTheRecord())\n return;\n\n const NavigationController& controller = web_contents()->GetController();\n int last_index = controller.GetLastCommittedEntryIndex();\n if (last_index <= 0)\n return;\n\n base::string16 keyword(GenerateKeywordFromNavigationEntry(\n controller.GetEntryAtIndex(last_index - 1),\n profile->GetPrefs()->GetString(prefs::kAcceptLanguages)));\n if (keyword.empty())\n return;\n\n TemplateURLService* url_service =\n TemplateURLServiceFactory::GetForProfile(profile);\n if (!url_service)\n return;\n\n if (!url_service->loaded()) {\n url_service->Load();\n return;\n }\n\n TemplateURL* current_url;\n GURL url = params.searchable_form_url;\n if (!url_service->CanAddAutogeneratedKeyword(keyword, url, ¤t_url))\n return;\n\n if (current_url) {\n if (current_url->originating_url().is_valid()) {\n return;\n }\n url_service->Remove(current_url);\n }\n\n TemplateURLData data;\n data.SetShortName(keyword);\n data.SetKeyword(keyword);\n data.SetURL(url.spec());\n DCHECK(controller.GetLastCommittedEntry());\n const GURL& current_favicon =\n controller.GetLastCommittedEntry()->GetFavicon().url;\n data.favicon_url = current_favicon.is_valid() ?\n current_favicon : TemplateURL::GenerateFaviconURL(params.referrer.url);\n data.safe_for_autoreplace = true;\n data.input_encodings.push_back(params.searchable_form_encoding);\n url_service->Add(new TemplateURL(data));\n}\n", "cwe": "", "big_vul_idx": 130381, "idx": 116649, 
"hash": 334499976917274173622040942751502522911 }, { "func": "static void tcp_dsack_set(struct sock *sk, u32 seq, u32 end_seq)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\tif (tcp_is_sack(tp) && sysctl_tcp_dsack) {\n\t\tint mib_idx;\n\n\t\tif (before(seq, tp->rcv_nxt))\n\t\t\tmib_idx = LINUX_MIB_TCPDSACKOLDSENT;\n\t\telse\n\t\t\tmib_idx = LINUX_MIB_TCPDSACKOFOSENT;\n\n\t\tNET_INC_STATS_BH(sock_net(sk), mib_idx);\n\n\t\ttp->rx_opt.dsack = 1;\n\t\ttp->duplicate_sack[0].start_seq = seq;\n\t\ttp->duplicate_sack[0].end_seq = end_seq;\n\t}\n}", "project": "net-next", "hash": 232956412490241477227406511608840342550, "size": 19, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409940 }, { "func": "static enum_func_status\nphp_mysqlnd_rowp_read(void * _packet, MYSQLND_CONN_DATA * conn TSRMLS_DC)\n{\n\tzend_uchar *p;\n\tenum_func_status ret = PASS;\n\tMYSQLND_PACKET_ROW *packet= (MYSQLND_PACKET_ROW *) _packet;\n\tsize_t post_alloc_for_bit_fields = 0;\n\tsize_t data_size = 0;\n\n\tDBG_ENTER(\"php_mysqlnd_rowp_read\");\n\n\tif (!packet->binary_protocol && packet->bit_fields_count) {\n\t\t/* For every field we need terminating \\0 */\n\t\tpost_alloc_for_bit_fields = packet->bit_fields_total_len + packet->bit_fields_count;\n\t}\n\n\tret = php_mysqlnd_read_row_ex(conn, packet->result_set_memory_pool, &packet->row_buffer, &data_size,\n\t\t\t\t\t\t\t\t packet->persistent_alloc, post_alloc_for_bit_fields\n\t\t\t\t\t\t\t\t TSRMLS_CC);\n\tif (FAIL == ret) {\n\t\tgoto end;\n\t}\n\tMYSQLND_INC_CONN_STATISTIC_W_VALUE2(conn->stats, packet_type_to_statistic_byte_count[PROT_ROW_PACKET],\n\t\t\t\t\t\t\t\t\t\tMYSQLND_HEADER_SIZE + 
packet->header.size,\n\t\t\t\t\t\t\t\t\t\tpacket_type_to_statistic_packet_count[PROT_ROW_PACKET],\n\t\t\t\t\t\t\t\t\t\t1);\n\n\t/* packet->row_buffer->ptr is of size 'data_size + 1' */\n\tpacket->header.size = data_size;\n\tpacket->row_buffer->app = data_size;\n\n\tif (ERROR_MARKER == (*(p = packet->row_buffer->ptr))) {\n\t\t/*\n\t\t Error message as part of the result set,\n\t\t not good but we should not hang. See:\n\t\t Bug #27876 : SF with cyrillic variable name fails during execution\n\t\t*/\n\t\tret = FAIL;\n\t\tphp_mysqlnd_read_error_from_line(p + 1, data_size - 1,\n\t\t\t\t\t\t\t\t\t\t packet->error_info.error,\n\t\t\t\t\t\t\t\t\t\t sizeof(packet->error_info.error),\n\t\t\t\t\t\t\t\t\t\t &packet->error_info.error_no,\n\t\t\t\t\t\t\t\t\t\t packet->error_info.sqlstate\n\t\t\t\t\t\t\t\t\t\t TSRMLS_CC);\n\t} else if (EODATA_MARKER == *p && data_size < 8) { /* EOF */\n\t\tpacket->eof = TRUE;\n\t\tp++;\n\t\tif (data_size > 1) {\n\t\t\tpacket->warning_count = uint2korr(p);\n\t\t\tp += 2;\n\t\t\tpacket->server_status = uint2korr(p);\n\t\t\t/* Seems we have 3 bytes reserved for future use */\n\t\t\tDBG_INF_FMT(\"server_status=%u warning_count=%u\", packet->server_status, packet->warning_count);\n\t\t}\n\t} else {\n\t\tMYSQLND_INC_CONN_STATISTIC(conn->stats,\n\t\t\t\t\t\t\t\t\tpacket->binary_protocol? STAT_ROWS_FETCHED_FROM_SERVER_PS:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t STAT_ROWS_FETCHED_FROM_SERVER_NORMAL);\n\n\t\tpacket->eof = FALSE;\n\t\t/* packet->field_count is set by the user of the packet */\n\n\t\tif (!packet->skip_extraction) {\n\t\t\tif (!packet->fields) {\n\t\t\t\tDBG_INF(\"Allocating packet->fields\");\n\t\t\t\t/*\n\t\t\t\t old-API will probably set packet->fields to NULL every time, though for\n\t\t\t\t unbuffered sets it makes not much sense as the zvals in this buffer matter,\n\t\t\t\t not the buffer. 
Constantly allocating and deallocating brings nothing.\n\n\t\t\t\t For PS - if stmt_store() is performed, thus we don't have a cursor, it will\n\t\t\t\t behave just like old-API buffered. Cursors will behave like a bit different,\n\t\t\t\t but mostly like old-API unbuffered and thus will populate this array with\n\t\t\t\t value.\n\t\t\t\t*/\n\t\t\t\tpacket->fields = (zval **) mnd_pecalloc(packet->field_count, sizeof(zval *),\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tpacket->persistent_alloc);\n\t\t\t}\n\t\t} else {\n\t\t\tMYSQLND_INC_CONN_STATISTIC(conn->stats,\n\t\t\t\t\t\t\t\t\t\tpacket->binary_protocol? STAT_ROWS_SKIPPED_PS:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t STAT_ROWS_SKIPPED_NORMAL);\n\t\t}\n\t}\n\nend:\n\tDBG_RETURN(ret);", "project": "php-src", "hash": 214642112435050142990880393713400495201, "size": 87, "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132", "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields", "target": 0, "dataset": "other", "idx": 416641 }, { "func": "static int handle_truncate(struct file *filp)\n{\n\tconst struct path *path = &filp->f_path;\n\tstruct inode *inode = path->dentry->d_inode;\n\tint error = get_write_access(inode);\n\tif (error)\n\t\treturn error;\n\t/*\n\t * Refuse to truncate files with mandatory locks held on them.\n\t */\n\terror = locks_verify_locked(filp);\n\tif (!error)\n\t\terror = security_path_truncate(path);\n\tif (!error) {\n\t\terror = do_truncate(path->dentry, 0,\n\t\t\t\t ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,\n\t\t\t\t filp);\n\t}\n\tput_write_access(inode);\n\treturn error;\n}", "project": "linux", "hash": 330342460113412417185398239205731468072, "size": 21, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 
0, "dataset": "other", "idx": 295421 }, { "project": "Chrome", "commit_id": "de5aa214ea77b3d2c4ff8a0c58f446896c107ce0", "target": 0, "func": "void TranslateManager::Observe(NotificationType type,\n const NotificationSource& source,\n const NotificationDetails& details) {\n switch (type.value) {\n case NotificationType::NAV_ENTRY_COMMITTED: {\n NavigationController* controller =\n Source(source).ptr();\n NavigationController::LoadCommittedDetails* load_details =\n Details(details).ptr();\n NavigationEntry* entry = controller->GetActiveEntry();\n if (!entry) {\n NOTREACHED();\n return;\n }\n if (!load_details->is_main_frame &&\n controller->tab_contents()->language_state().translation_declined()) {\n return;\n }\n if (entry->transition_type() != PageTransition::RELOAD &&\n load_details->type != NavigationType::SAME_PAGE) {\n return;\n }\n MessageLoop::current()->PostTask(FROM_HERE,\n method_factory_.NewRunnableMethod(\n &TranslateManager::InitiateTranslationPosted,\n controller->tab_contents()->render_view_host()->process()->id(),\n controller->tab_contents()->render_view_host()->routing_id(),\n controller->tab_contents()->language_state().\n original_language()));\n break;\n }\n case NotificationType::TAB_LANGUAGE_DETERMINED: {\n TabContents* tab = Source(source).ptr();\n LanguageState& language_state = tab->language_state();\n if (language_state.page_translatable() &&\n !language_state.translation_pending() &&\n !language_state.translation_declined() &&\n !language_state.IsPageTranslated()) {\n std::string language = *(Details(details).ptr());\n InitiateTranslation(tab, language);\n }\n break;\n }\n case NotificationType::PAGE_TRANSLATED: {\n TabContents* tab = Source(source).ptr();\n PageTranslatedDetails* page_translated_details =\n Details(details).ptr();\n PageTranslated(tab, page_translated_details);\n break;\n }\n case NotificationType::PROFILE_DESTROYED: {\n Profile* profile = Source(source).ptr();\n notification_registrar_.Remove(this, 
NotificationType::PROFILE_DESTROYED,\n source);\n size_t count = accept_languages_.erase(profile->GetPrefs());\n DCHECK(count > 0);\n pref_change_registrar_.Remove(prefs::kAcceptLanguages, this);\n break;\n }\n case NotificationType::PREF_CHANGED: {\n DCHECK(*Details(details).ptr() == prefs::kAcceptLanguages);\n PrefService* prefs = Source(source).ptr();\n InitAcceptLanguages(prefs);\n break;\n }\n default:\n NOTREACHED();\n }\n}\n", "cwe": "", "big_vul_idx": 108003, "idx": 96969, "hash": 173311888363814009092229889631200529133 }, { "func": "bool WebContents::SendIPCMessageWithSender(bool internal,\n bool send_to_all,\n const std::string& channel,\n blink::CloneableMessage args,\n int32_t sender_id) {\n std::vector target_hosts;\n if (!send_to_all) {\n auto* frame_host = web_contents()->GetMainFrame();\n if (frame_host) {\n target_hosts.push_back(frame_host);\n }\n } else {\n target_hosts = web_contents()->GetAllFrames();\n }\n\n for (auto* frame_host : target_hosts) {\n mojo::AssociatedRemote electron_renderer;\n frame_host->GetRemoteAssociatedInterfaces()->GetInterface(\n &electron_renderer);\n electron_renderer->Message(internal, false, channel, args.ShallowClone(),\n sender_id);\n }\n return true;\n}", "project": "electron", "hash": 91050134789740724965657479088274316649, "size": 24, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269771 }, { "func": "static inline bool pfmemalloc_match(struct page *page, gfp_t gfpflags)\n{\n\tif (unlikely(PageSlabPfmemalloc(page)))\n\t\treturn gfp_pfmemalloc_allowed(gfpflags);\n\n\treturn true;\n}", "project": "linux", "hash": 
27675974425477589962500329012517825968, "size": 7, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280220 }, { "func": "static int fuse_write_end(struct file *file, struct address_space *mapping,\n\t\tloff_t pos, unsigned len, unsigned copied,\n\t\tstruct page *page, void *fsdata)\n{\n\tstruct inode *inode = page->mapping->host;\n\n\t/* Haven't copied anything? Skip zeroing, size extending, dirtying. */\n\tif (!copied)\n\t\tgoto unlock;\n\n\tif (!PageUptodate(page)) {\n\t\t/* Zero any unwritten bytes at the end of the page */\n\t\tsize_t endoff = (pos + copied) & ~PAGE_MASK;\n\t\tif (endoff)\n\t\t\tzero_user_segment(page, endoff, PAGE_SIZE);\n\t\tSetPageUptodate(page);\n\t}\n\n\tfuse_write_update_size(inode, pos + copied);\n\tset_page_dirty(page);\n\nunlock:\n\tunlock_page(page);\n\tput_page(page);\n\n\treturn copied;\n}", "project": "linux", "hash": 107670793263132065967155082306370077027, "size": 27, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342106 }, { "func": " static void* json_malloc(size_t size) {\n if (RuntimeOption::EvalJsonParserUseLocalArena) {\n return local_malloc(size);\n } else {\n return malloc(size);\n }\n }", "project": "hhvm", "hash": 339167585183642916383518705775779630592, "size": 7, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227284 }, { "func": "static bool checkreturn decode_static_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *field)\n{\n switch (PB_HTYPE(field->type))\n {\n case PB_HTYPE_REQUIRED:\n return decode_basic_field(stream, wire_type, field);\n \n case PB_HTYPE_OPTIONAL:\n if (field->pSize != NULL)\n *(bool*)field->pSize = true;\n return decode_basic_field(stream, wire_type, field);\n \n case PB_HTYPE_REPEATED:\n if (wire_type == PB_WT_STRING\n && PB_LTYPE(field->type) <= PB_LTYPE_LAST_PACKABLE)\n {\n /* Packed array */\n bool status = true;\n pb_istream_t substream;\n pb_size_t 
*size = (pb_size_t*)field->pSize;\n field->pData = (char*)field->pField + field->data_size * (*size);\n\n if (!pb_make_string_substream(stream, &substream))\n return false;\n\n while (substream.bytes_left > 0 && *size < field->array_size)\n {\n if (!decode_basic_field(&substream, PB_WT_PACKED, field))\n {\n status = false;\n break;\n }\n (*size)++;\n field->pData = (char*)field->pData + field->data_size;\n }\n\n if (substream.bytes_left != 0)\n PB_RETURN_ERROR(stream, \"array overflow\");\n if (!pb_close_string_substream(stream, &substream))\n return false;\n\n return status;\n }\n else\n {\n /* Repeated field */\n pb_size_t *size = (pb_size_t*)field->pSize;\n field->pData = (char*)field->pField + field->data_size * (*size);\n\n if ((*size)++ >= field->array_size)\n PB_RETURN_ERROR(stream, \"array overflow\");\n\n return decode_basic_field(stream, wire_type, field);\n }\n\n case PB_HTYPE_ONEOF:\n if (PB_LTYPE_IS_SUBMSG(field->type) &&\n *(pb_size_t*)field->pSize != field->tag)\n {\n /* We memset to zero so that any callbacks are set to NULL.\n * This is because the callbacks might otherwise have values\n * from some other union field.\n * If callbacks are needed inside oneof field, use .proto\n * option submsg_callback to have a separate callback function\n * that can set the fields before submessage is decoded.\n * pb_dec_submessage() will set any default values. */\n memset(field->pData, 0, (size_t)field->data_size);\n\n /* Set default values for the submessage fields. 
*/\n if (field->submsg_desc->default_value != NULL ||\n field->submsg_desc->field_callback != NULL ||\n field->submsg_desc->submsg_info[0] != NULL)\n {\n pb_field_iter_t submsg_iter;\n if (pb_field_iter_begin(&submsg_iter, field->submsg_desc, field->pData))\n {\n if (!pb_message_set_to_defaults(&submsg_iter))\n PB_RETURN_ERROR(stream, \"failed to set defaults\");\n }\n }\n }\n *(pb_size_t*)field->pSize = field->tag;\n\n return decode_basic_field(stream, wire_type, field);\n\n default:\n PB_RETURN_ERROR(stream, \"invalid field type\");\n }\n}", "project": "nanopb", "hash": 81909065239190828098869947120195204953, "size": 89, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. 
Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254691 }, { "func": "static bool checkreturn decode_static_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iterator_t *iter)\n{\n pb_type_t type;\n pb_decoder_t func;\n \n type = iter->pos->type;\n func = PB_DECODERS[PB_LTYPE(type)];\n\n switch (PB_HTYPE(type))\n {\n case PB_HTYPE_REQUIRED:\n return func(stream, iter->pos, iter->pData);\n \n case PB_HTYPE_OPTIONAL:\n *(bool*)iter->pSize = true;\n return func(stream, iter->pos, iter->pData);\n \n case PB_HTYPE_REPEATED:\n if (wire_type == PB_WT_STRING\n && PB_LTYPE(type) <= PB_LTYPE_LAST_PACKABLE)\n {\n /* Packed array */\n bool status = true;\n size_t *size = (size_t*)iter->pSize;\n pb_istream_t substream;\n if (!pb_make_string_substream(stream, &substream))\n return false;\n \n while (substream.bytes_left > 0 && *size < iter->pos->array_size)\n {\n void *pItem = (uint8_t*)iter->pData + iter->pos->data_size * (*size);\n if (!func(&substream, iter->pos, pItem))\n {\n status = false;\n break;\n }\n (*size)++;\n }\n pb_close_string_substream(stream, &substream);\n \n if (substream.bytes_left != 0)\n PB_RETURN_ERROR(stream, \"array overflow\");\n \n return status;\n }\n else\n {\n /* Repeated field */\n size_t *size = (size_t*)iter->pSize;\n void *pItem = (uint8_t*)iter->pData + iter->pos->data_size * (*size);\n if (*size >= iter->pos->array_size)\n PB_RETURN_ERROR(stream, \"array overflow\");\n \n (*size)++;\n return func(stream, iter->pos, pItem);\n }\n\n default:\n PB_RETURN_ERROR(stream, \"invalid field type\");\n }\n}", "project": "nanopb", "hash": 189961828283950180200281984395967042369, "size": 61, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255329 }, { "func": "HeaderIterator headerFreeIterator(HeaderIterator hi)\n{\n if (hi != NULL) {\n\thi->h = 
headerFree(hi->h);\n\thi = _free(hi);\n }\n return NULL;\n}", "project": "rpm", "hash": 1474599612348591818395238814597117707, "size": 8, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318200 }, { "func": "static void io_req_complete_failed(struct io_kiocb *req, long res)\n{\n\treq_set_fail_links(req);\n\tio_put_req(req);\n\tio_req_complete_post(req, res, 0);\n}", "project": "linux", "hash": 128680983652288561656063237426042689781, "size": 6, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338542 }, { "func": "static int kvm_s390_get_processor_subfunc(struct kvm *kvm,\n\t\t\t\t\t struct kvm_device_attr *attr)\n{\n\tif (copy_to_user((void __user *)attr->addr, &kvm->arch.model.subfuncs,\n\t sizeof(struct kvm_s390_vm_cpu_subfunc)))\n\t\treturn -EFAULT;\n\n\tVM_EVENT(kvm, 3, \"GET: guest PLO subfunc 0x%16.16lx.%16.16lx.%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.plo)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.plo)[1],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.plo)[2],\n\t\t 
((unsigned long *) &kvm->arch.model.subfuncs.plo)[3]);\n\tVM_EVENT(kvm, 3, \"GET: guest PTFF subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.ptff)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.ptff)[1]);\n\tVM_EVENT(kvm, 3, \"GET: guest KMAC subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmac)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmac)[1]);\n\tVM_EVENT(kvm, 3, \"GET: guest KMC subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmc)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmc)[1]);\n\tVM_EVENT(kvm, 3, \"GET: guest KM subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.km)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.km)[1]);\n\tVM_EVENT(kvm, 3, \"GET: guest KIMD subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kimd)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kimd)[1]);\n\tVM_EVENT(kvm, 3, \"GET: guest KLMD subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.klmd)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.klmd)[1]);\n\tVM_EVENT(kvm, 3, \"GET: guest PCKMO subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.pckmo)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.pckmo)[1]);\n\tVM_EVENT(kvm, 3, \"GET: guest KMCTR subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmctr)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmctr)[1]);\n\tVM_EVENT(kvm, 3, \"GET: guest KMF subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmf)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmf)[1]);\n\tVM_EVENT(kvm, 3, \"GET: guest KMO subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmo)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kmo)[1]);\n\tVM_EVENT(kvm, 3, \"GET: guest 
PCC subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.pcc)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.pcc)[1]);\n\tVM_EVENT(kvm, 3, \"GET: guest PPNO subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.ppno)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.ppno)[1]);\n\tVM_EVENT(kvm, 3, \"GET: guest KMA subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kma)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kma)[1]);\n\tVM_EVENT(kvm, 3, \"GET: guest KDSA subfunc 0x%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kdsa)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.kdsa)[1]);\n\tVM_EVENT(kvm, 3, \"GET: guest SORTL subfunc 0x%16.16lx.%16.16lx.%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.sortl)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.sortl)[1],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.sortl)[2],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.sortl)[3]);\n\tVM_EVENT(kvm, 3, \"GET: guest DFLTCC subfunc 0x%16.16lx.%16.16lx.%16.16lx.%16.16lx\",\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.dfltcc)[0],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.dfltcc)[1],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.dfltcc)[2],\n\t\t ((unsigned long *) &kvm->arch.model.subfuncs.dfltcc)[3]);\n\n\treturn 0;\n}", "project": "linux", "hash": 35171716641585786860837714231593104612, "size": 67, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used 
slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354732 }, { "func": "int newsgroups_cb(const char *mailbox,\n\t\t uint32_t uid __attribute__((unused)),\n\t\t const char *entry __attribute__((unused)),\n\t\t const char *userid,\n\t\t const struct buf *value, void *rock)\n{\n struct wildmat *wild = (struct wildmat *) rock;\n\n /* skip personal mailboxes */\n if ((!strncasecmp(mailbox, \"INBOX\", 5) &&\n\t (!mailbox[5] || mailbox[5] == '.')) ||\n\t!strncmp(mailbox, \"user.\", 5))\n\treturn 0;\n\n /* see if the mailbox matches one of our wildmats */\n while (wild->pat && wildmat(mailbox, wild->pat) != 1) wild++;\n\n /* if we don't have a match, or its a negative match, skip it */\n if (!wild->pat || wild->not) return 0;\n\n /* we only care about shared /comment */\n if (userid[0]) return 0;\n\n prot_printf(nntp_out, \"%s\\t%s\\r\\n\", mailbox+strlen(newsprefix),\n\t\tvalue->s);\n\n return 0;\n}", "project": "cyrus-imapd", "hash": 22480921120495191108296832784880391165, "size": 28, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451914 }, { "func": "static struct urb *simple_alloc_urb(\n\tstruct usb_device\t*udev,\n\tint\t\t\tpipe,\n\tunsigned long\t\tbytes,\n\tu8\t\t\tbInterval)\n{\n\treturn usbtest_alloc_urb(udev, pipe, bytes, URB_NO_TRANSFER_DMA_MAP, 0,\n\t\t\tbInterval, simple_callback);\n}", "project": "linux", "hash": 265162136031020866191194814990629970330, "size": 9, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump 
(first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412280 }, { "func": 
"static struct urb *complicated_alloc_urb(\n\tstruct usb_device\t*udev,\n\tint\t\t\tpipe,\n\tunsigned long\t\tbytes,\n\tu8\t\t\tbInterval)\n{\n\treturn usbtest_alloc_urb(udev, pipe, bytes, URB_NO_TRANSFER_DMA_MAP, 0,\n\t\t\tbInterval, complicated_callback);\n}", "project": "linux", "hash": 13055273654170362461885615518818166207, "size": 9, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] 
usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412283 }, { "func": "ShutdownWorkers(qqueue_t *pThis)\n{\n\tDEFiRet;\n\n\tISOBJ_TYPE_assert(pThis, qqueue);\n\tASSERT(pThis->pqParent == NULL); /* detect invalid calling sequence */\n\n\tDBGOPRINT((obj_t*) pThis, \"initiating worker thread shutdown sequence\\n\");\n\n\tCHKiRet(tryShutdownWorkersWithinQueueTimeout(pThis));\n\n\tif(getPhysicalQueueSize(pThis) > 0) {\n\t\tCHKiRet(tryShutdownWorkersWithinActionTimeout(pThis));\n\t}\n\n\tCHKiRet(cancelWorkers(pThis));\n\n\t/* ... finally ... all worker threads have terminated :-)\n\t * Well, more precisely, they *are in termination*. Some cancel cleanup handlers\n\t * may still be running. 
Note that the main queue's DA worker may still be running.\n\t */\n\tDBGOPRINT((obj_t*) pThis, \"worker threads terminated, remaining queue size log %d, phys %d.\\n\",\n\t\t getLogicalQueueSize(pThis), getPhysicalQueueSize(pThis));\n\nfinalize_it:\n\tRETiRet;\n}", "project": "rsyslog", "hash": 11581347690721436006588141253220436424, "size": 27, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373759 }, { "func": "batchProcessed(qqueue_t *pThis, wti_t *pWti)\n{\n\tDEFiRet;\n\n\tISOBJ_TYPE_assert(pThis, qqueue);\n\tISOBJ_TYPE_assert(pWti, wti);\n\n\tint iCancelStateSave;\n\t/* at this spot, we must not be cancelled */\n\tpthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &iCancelStateSave);\n\tDeleteProcessedBatch(pThis, &pWti->batch);\n\tqqueueChkPersist(pThis, pWti->batch.nElemDeq);\n\tpthread_setcancelstate(iCancelStateSave, NULL);\n\n\tRETiRet;\n}", "project": "rsyslog", "hash": 91006024719818835595937164557479051104, "size": 16, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373801 }, { "func": "DequeueForConsumer(qqueue_t *pThis, wti_t *pWti)\n{\n\tDEFiRet;\n\n\tISOBJ_TYPE_assert(pThis, qqueue);\n\tISOBJ_TYPE_assert(pWti, wti);\n\n\tCHKiRet(DequeueConsumable(pThis, pWti));\n\n\tif(pWti->batch.nElem == 0)\n\t\tABORT_FINALIZE(RS_RET_IDLE);\n\n\nfinalize_it:\n\tRETiRet;\n}", "project": "rsyslog", "hash": 151462429677389066658958523964280916917, "size": 16, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373802 }, { 
"func": "static long kvm_vm_compat_ioctl(struct file *filp,\n\t\t\t unsigned int ioctl, unsigned long arg)\n{\n\tstruct kvm *kvm = filp->private_data;\n\tint r;\n\n\tif (kvm->mm != current->mm)\n\t\treturn -EIO;\n\tswitch (ioctl) {\n\tcase KVM_GET_DIRTY_LOG: {\n\t\tstruct compat_kvm_dirty_log compat_log;\n\t\tstruct kvm_dirty_log log;\n\n\t\tif (copy_from_user(&compat_log, (void __user *)arg,\n\t\t\t\t sizeof(compat_log)))\n\t\t\treturn -EFAULT;\n\t\tlog.slot\t = compat_log.slot;\n\t\tlog.padding1\t = compat_log.padding1;\n\t\tlog.padding2\t = compat_log.padding2;\n\t\tlog.dirty_bitmap = compat_ptr(compat_log.dirty_bitmap);\n\n\t\tr = kvm_vm_ioctl_get_dirty_log(kvm, &log);\n\t\tbreak;\n\t}\n\tdefault:\n\t\tr = kvm_vm_ioctl(filp, ioctl, arg);\n\t}\n\treturn r;\n}", "project": "linux", "hash": 270322336901758719705453009874722476421, "size": 29, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354633 }, { "func": "static void tipc_node_clear_links(struct tipc_node *node)\n{\n\tint i;\n\n\tfor (i = 0; i < MAX_BEARERS; i++) {\n\t\tstruct tipc_link_entry *le = &node->links[i];\n\n\t\tif (le->link) {\n\t\t\tkfree(le->link);\n\t\t\tle->link = NULL;\n\t\t\tnode->link_cnt--;\n\t\t}\n\t}\n}", "project": "linux", "hash": 97016364361527085947790300483563137963, "size": 14, "commit_id": 
"0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n 
__do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n 
do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364950 }, { "func": "static void nfs4_close_context(struct nfs_open_context *ctx, int is_sync)\n{\n\tif (ctx->state == NULL)\n\t\treturn;\n\tif (is_sync)\n\t\tnfs4_close_sync(ctx->state, _nfs4_ctx_to_openmode(ctx));\n\telse\n\t\tnfs4_close_state(ctx->state, _nfs4_ctx_to_openmode(ctx));\n}", "project": "linux", "hash": 280949430508804157306614671906447003367, "size": 9, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431371 }, { "func": "enum print_line_t trace_handle_return(struct trace_seq *s)\n{\n\treturn trace_seq_has_overflowed(s) ?\n\t\tTRACE_TYPE_PARTIAL_LINE : TRACE_TYPE_HANDLED;\n}", "project": "linux", "hash": 154877510272086907024875807438601258075, "size": 5, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445616 }, { "func": "void proc_clear_tty(struct task_struct *p)\n{\n\tunsigned long flags;\n\tstruct tty_struct *tty;\n\tspin_lock_irqsave(&p->sighand->siglock, flags);\n\ttty = p->signal->tty;\n\tp->signal->tty = NULL;\n\tspin_unlock_irqrestore(&p->sighand->siglock, flags);\n\ttty_kref_put(tty);\n}", "project": "linux", "hash": 99638019396278554844278599433885280597, "size": 10, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326048 }, { "func": "static int intAppendEntry(Header h, rpmtd td)\n{\n indexEntry entry;\n int length;\n\n if (td->type == RPM_STRING_TYPE || td->type == RPM_I18NSTRING_TYPE) {\n\t/* we can't do this */\n\treturn 0;\n }\n\n /* Find the tag entry in the header. 
*/\n entry = findEntry(h, td->tag, td->type);\n if (!entry)\n\treturn 0;\n\n length = dataLength(td->type, td->data, td->count, 0, NULL);\n if (length < 0)\n\treturn 0;\n\n if (ENTRY_IN_REGION(entry)) {\n\tchar * t = xmalloc(entry->length + length);\n\tmemcpy(t, entry->data, entry->length);\n\tentry->data = t;\n\tentry->info.offset = 0;\n } else\n\tentry->data = xrealloc(entry->data, entry->length + length);\n\n copyData(td->type, ((char *) entry->data) + entry->length, \n\t td->data, td->count, length);\n\n entry->length += length;\n\n entry->info.count += td->count;\n\n return 1;\n}", "project": "rpm", "hash": 323179519176044722064726964522147386549, "size": 36, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318204 }, { "func": "static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_user_confirm_reply *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\thci_dev_lock(hdev);\n\n\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tmgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,\n\t\t\t\t\t\t rp->status);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 338987141701516222829080297936106585082, "size": 14, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431942 }, { "func": "static bool nfs4_xattr_list_nfs4_acl(struct dentry *dentry)\n{\n\treturn nfs4_server_supports_acls(NFS_SERVER(d_inode(dentry)));\n}", "project": "linux", "hash": 57392511304849933329513357947104296325, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431018 }, { "func": "void gdImageSetPixel (gdImagePtr im, int x, int y, int color)\n{\n\tint p;\n\tswitch (color) {\n\t\tcase gdStyled:\n\t\t\tif (!im->style) {\n\t\t\t\t/* Refuse to draw if no style is set. */\n\t\t\t\treturn;\n\t\t\t} else {\n\t\t\t\tp = im->style[im->stylePos++];\n\t\t\t}\n\t\t\tif (p != gdTransparent) {\n\t\t\t\tgdImageSetPixel(im, x, y, p);\n\t\t\t}\n\t\t\tim->stylePos = im->stylePos % im->styleLength;\n\t\t\tbreak;\n\t\tcase gdStyledBrushed:\n\t\t\tif (!im->style) {\n\t\t\t\t/* Refuse to draw if no style is set. 
*/\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tp = im->style[im->stylePos++];\n\t\t\tif (p != gdTransparent && p != 0) {\n\t\t\t\tgdImageSetPixel(im, x, y, gdBrushed);\n\t\t\t}\n\t\t\tim->stylePos = im->stylePos % im->styleLength;\n\t\t\tbreak;\n\t\tcase gdBrushed:\n\t\t\tgdImageBrushApply(im, x, y);\n\t\t\tbreak;\n\t\tcase gdTiled:\n\t\t\tgdImageTileApply(im, x, y);\n\t\t\tbreak;\n\t\tcase gdAntiAliased:\n\t\t\tgdImageAntiAliasedApply(im, x, y);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tif (gdImageBoundsSafe(im, x, y)) {\n\t\t\t\tif (im->trueColor) {\n\t\t\t\t\tswitch (im->alphaBlendingFlag) {\n\t\t\t\t\t\tdefault:\n\t\t\t\t\t\tcase gdEffectReplace:\n\t\t\t\t\t\t\tim->tpixels[y][x] = color;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase gdEffectAlphaBlend:\n\t\t\t\t\t\t\tim->tpixels[y][x] = gdAlphaBlend(im->tpixels[y][x], color);\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase gdEffectNormal:\n\t\t\t\t\t\t\tim->tpixels[y][x] = gdAlphaBlend(im->tpixels[y][x], color);\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase gdEffectOverlay :\n\t\t\t\t\t\t\tim->tpixels[y][x] = gdLayerOverlay(im->tpixels[y][x], color);\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tim->pixels[y][x] = color;\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\t}\n}", "project": "php-src", "hash": 184629180944788525440700088977269322849, "size": 61, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295147 }, { "func": "void CServer::DoSnapshot()\n{\n\tGameServer()->OnPreSnap();\n\n\t// create snapshot for demo recording\n\tif(m_DemoRecorder.IsRecording())\n\t{\n\t\tchar aData[CSnapshot::MAX_SIZE];\n\t\tint SnapshotSize;\n\n\t\t// build snap and possibly add some messages\n\t\tm_SnapshotBuilder.Init();\n\t\tGameServer()->OnSnap(-1);\n\t\tSnapshotSize = m_SnapshotBuilder.Finish(aData);\n\n\t\t// write snapshot\n\t\tm_DemoRecorder.RecordSnapshot(Tick(), aData, 
SnapshotSize);\n\t}\n\n\t// create snapshots for all clients\n\tfor(int i = 0; i < MAX_CLIENTS; i++)\n\t{\n\t\t// client must be ingame to receive snapshots\n\t\tif(m_aClients[i].m_State != CClient::STATE_INGAME)\n\t\t\tcontinue;\n\n\t\t// this client is trying to recover, don't spam snapshots\n\t\tif(m_aClients[i].m_SnapRate == CClient::SNAPRATE_RECOVER && (Tick()%50) != 0)\n\t\t\tcontinue;\n\n\t\t// this client is trying to recover, don't spam snapshots\n\t\tif(m_aClients[i].m_SnapRate == CClient::SNAPRATE_INIT && (Tick()%10) != 0)\n\t\t\tcontinue;\n\n\t\t{\n\t\t\tchar aData[CSnapshot::MAX_SIZE];\n\t\t\tCSnapshot *pData = (CSnapshot*)aData;\t// Fix compiler warning for strict-aliasing\n\t\t\tchar aDeltaData[CSnapshot::MAX_SIZE];\n\t\t\tchar aCompData[CSnapshot::MAX_SIZE];\n\t\t\tint SnapshotSize;\n\t\t\tint Crc;\n\t\t\tstatic CSnapshot EmptySnap;\n\t\t\tCSnapshot *pDeltashot = &EmptySnap;\n\t\t\tint DeltashotSize;\n\t\t\tint DeltaTick = -1;\n\t\t\tint DeltaSize;\n\n\t\t\tm_SnapshotBuilder.Init();\n\n\t\t\tGameServer()->OnSnap(i);\n\n\t\t\t// finish snapshot\n\t\t\tSnapshotSize = m_SnapshotBuilder.Finish(pData);\n\t\t\tCrc = pData->Crc();\n\n\t\t\t// remove old snapshos\n\t\t\t// keep 3 seconds worth of snapshots\n\t\t\tm_aClients[i].m_Snapshots.PurgeUntil(m_CurrentGameTick-SERVER_TICK_SPEED*3);\n\n\t\t\t// save it the snapshot\n\t\t\tm_aClients[i].m_Snapshots.Add(m_CurrentGameTick, time_get(), SnapshotSize, pData, 0);\n\n\t\t\t// find snapshot that we can perform delta against\n\t\t\tEmptySnap.Clear();\n\n\t\t\t{\n\t\t\t\tDeltashotSize = m_aClients[i].m_Snapshots.Get(m_aClients[i].m_LastAckedSnapshot, 0, &pDeltashot, 0);\n\t\t\t\tif(DeltashotSize >= 0)\n\t\t\t\t\tDeltaTick = m_aClients[i].m_LastAckedSnapshot;\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\t// no acked package found, force client to recover rate\n\t\t\t\t\tif(m_aClients[i].m_SnapRate == CClient::SNAPRATE_FULL)\n\t\t\t\t\t\tm_aClients[i].m_SnapRate = CClient::SNAPRATE_RECOVER;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// 
create delta\n\t\t\tDeltaSize = m_SnapshotDelta.CreateDelta(pDeltashot, pData, aDeltaData);\n\n\t\t\tif(DeltaSize)\n\t\t\t{\n\t\t\t\t// compress it\n\t\t\t\tint SnapshotSize;\n\t\t\t\tconst int MaxSize = MAX_SNAPSHOT_PACKSIZE;\n\t\t\t\tint NumPackets;\n\n\t\t\t\tSnapshotSize = CVariableInt::Compress(aDeltaData, DeltaSize, aCompData, sizeof(aCompData));\n\t\t\t\tNumPackets = (SnapshotSize+MaxSize-1)/MaxSize;\n\n\t\t\t\tfor(int n = 0, Left = SnapshotSize; Left > 0; n++)\n\t\t\t\t{\n\t\t\t\t\tint Chunk = Left < MaxSize ? Left : MaxSize;\n\t\t\t\t\tLeft -= Chunk;\n\n\t\t\t\t\tif(NumPackets == 1)\n\t\t\t\t\t{\n\t\t\t\t\t\tCMsgPacker Msg(NETMSG_SNAPSINGLE, true);\n\t\t\t\t\t\tMsg.AddInt(m_CurrentGameTick);\n\t\t\t\t\t\tMsg.AddInt(m_CurrentGameTick-DeltaTick);\n\t\t\t\t\t\tMsg.AddInt(Crc);\n\t\t\t\t\t\tMsg.AddInt(Chunk);\n\t\t\t\t\t\tMsg.AddRaw(&aCompData[n*MaxSize], Chunk);\n\t\t\t\t\t\tSendMsg(&Msg, MSGFLAG_FLUSH, i);\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\tCMsgPacker Msg(NETMSG_SNAP, true);\n\t\t\t\t\t\tMsg.AddInt(m_CurrentGameTick);\n\t\t\t\t\t\tMsg.AddInt(m_CurrentGameTick-DeltaTick);\n\t\t\t\t\t\tMsg.AddInt(NumPackets);\n\t\t\t\t\t\tMsg.AddInt(n);\n\t\t\t\t\t\tMsg.AddInt(Crc);\n\t\t\t\t\t\tMsg.AddInt(Chunk);\n\t\t\t\t\t\tMsg.AddRaw(&aCompData[n*MaxSize], Chunk);\n\t\t\t\t\t\tSendMsg(&Msg, MSGFLAG_FLUSH, i);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tCMsgPacker Msg(NETMSG_SNAPEMPTY, true);\n\t\t\t\tMsg.AddInt(m_CurrentGameTick);\n\t\t\t\tMsg.AddInt(m_CurrentGameTick-DeltaTick);\n\t\t\t\tSendMsg(&Msg, MSGFLAG_FLUSH, i);\n\t\t\t}\n\t\t}\n\t}\n\n\tGameServer()->OnPostSnap();\n}", "project": "teeworlds", "hash": 80082248201364134497828751198788877123, "size": 131, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382050 }, { "func": "static int zlib_wrap_decompress(const char* input, size_t compressed_length,\n char* output, size_t maxout) {\n int status;\n 
uLongf ul = (uLongf)maxout;\n status = uncompress(\n (Bytef*)output, &ul, (Bytef*)input, (uLong)compressed_length);\n if (status != Z_OK) {\n return 0;\n }\n return (int)ul;\n}", "project": "c-blosc2", "hash": 146064921760417219596730707065204327570, "size": 11, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303099 }, { "func": "static int parse_dirfile(char *buf, size_t nbytes, struct file *file,\n\t\t\t struct dir_context *ctx)\n{\n\twhile (nbytes >= FUSE_NAME_OFFSET) {\n\t\tstruct fuse_dirent *dirent = (struct fuse_dirent *) buf;\n\t\tsize_t reclen = FUSE_DIRENT_SIZE(dirent);\n\t\tif (!dirent->namelen || dirent->namelen > FUSE_NAME_MAX)\n\t\t\treturn -EIO;\n\t\tif (reclen > nbytes)\n\t\t\tbreak;\n\t\tif (memchr(dirent->name, '/', dirent->namelen) != NULL)\n\t\t\treturn -EIO;\n\n\t\tif (!fuse_emit(file, ctx, dirent))\n\t\t\tbreak;\n\n\t\tbuf += reclen;\n\t\tnbytes -= reclen;\n\t\tctx->pos = dirent->off;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 263871217137822045369073300133389287745, "size": 23, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342105 }, { "func": "static bool nfs4_error_stateid_expired(int err)\n{\n\tswitch (err) {\n\tcase -NFS4ERR_DELEG_REVOKED:\n\tcase -NFS4ERR_ADMIN_REVOKED:\n\tcase -NFS4ERR_BAD_STATEID:\n\tcase -NFS4ERR_STALE_STATEID:\n\tcase -NFS4ERR_OLD_STATEID:\n\tcase -NFS4ERR_OPENMODE:\n\tcase -NFS4ERR_EXPIRED:\n\t\treturn true;\n\t}\n\treturn false;\n}", "project": "linux", "hash": 47090824724803411460223281947482249152, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431103 }, { "func": " virtual longlong val_time_packed()\n {\n MYSQL_TIME ltime;\n uint fuzzydate= TIME_FUZZY_DATES | TIME_INVALID_DATES | TIME_TIME_ONLY;\n return get_date(<ime, fuzzydate) ? 0 : pack_time(<ime);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 311204878426609144656714346999180551128, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509085 }, { "func": " longlong val_time_packed()\n {\n if (check_null_ref())\n return 0;\n else\n return Item_direct_ref::val_time_packed();\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 286837991854852869114139696920059628701, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509152 }, { "func": "static inline void tcp_advance_send_head(struct sock *sk, const struct sk_buff *skb)\n{\n\tif (tcp_skb_is_last(sk, skb))\n\t\tsk->sk_send_head = NULL;\n\telse\n\t\tsk->sk_send_head = tcp_write_queue_next(sk, skb);\n}", "project": "linux", "hash": 116061665956012584199825924555303855028, "size": 7, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 410796 }, { "func": "static void kvm_s390_vcpu_crypto_setup(struct kvm_vcpu *vcpu)\n{\n\t/*\n\t * If the AP instructions are not being interpreted and the MSAX3\n\t * facility is not configured for the guest, there is nothing to set up.\n\t */\n\tif (!vcpu->kvm->arch.crypto.apie && !test_kvm_facility(vcpu->kvm, 76))\n\t\treturn;\n\n\tvcpu->arch.sie_block->crycbd = vcpu->kvm->arch.crypto.crycbd;\n\tvcpu->arch.sie_block->ecb3 &= ~(ECB3_AES | ECB3_DEA);\n\tvcpu->arch.sie_block->eca &= ~ECA_APIE;\n\tvcpu->arch.sie_block->ecd &= ~ECD_ECC;\n\n\tif (vcpu->kvm->arch.crypto.apie)\n\t\tvcpu->arch.sie_block->eca |= ECA_APIE;\n\n\t/* Set up protected key support */\n\tif (vcpu->kvm->arch.crypto.aes_kw) {\n\t\tvcpu->arch.sie_block->ecb3 |= ECB3_AES;\n\t\t/* ecc is also wrapped with AES key */\n\t\tif (kvm_has_pckmo_ecc(vcpu->kvm))\n\t\t\tvcpu->arch.sie_block->ecd |= ECD_ECC;\n\t}\n\n\tif (vcpu->kvm->arch.crypto.dea_kw)\n\t\tvcpu->arch.sie_block->ecb3 |= ECB3_DEA;\n}", "project": "linux", "hash": 295185242112643409986644470643126589489, "size": 28, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354607 }, { "func": "static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)\n{\n\tif (xp && xp->type != 
XFRM_POLICY_TYPE_MAIN)\n\t\treturn 0;\n\n\tswitch (c->event) {\n\tcase XFRM_MSG_POLEXPIRE:\n\t\treturn key_notify_policy_expire(xp, c);\n\tcase XFRM_MSG_DELPOLICY:\n\tcase XFRM_MSG_NEWPOLICY:\n\tcase XFRM_MSG_UPDPOLICY:\n\t\treturn key_notify_policy(xp, dir, c);\n\tcase XFRM_MSG_FLUSHPOLICY:\n\t\tif (c->data.type != XFRM_POLICY_TYPE_MAIN)\n\t\t\tbreak;\n\t\treturn key_notify_policy_flush(c);\n\tdefault:\n\t\tpr_err(\"pfkey: Unknown policy event %d\\n\", c->event);\n\t\tbreak;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 124897600852934245625582408265534869926, "size": 23, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268068 }, { "func": "int __hci_req_setup_ext_adv_instance(struct hci_request *req, u8 instance)\n{\n\tstruct hci_cp_le_set_ext_adv_params cp;\n\tstruct hci_dev *hdev = req->hdev;\n\tbool connectable;\n\tu32 flags;\n\tbdaddr_t random_addr;\n\tu8 own_addr_type;\n\tint err;\n\tstruct adv_info *adv_instance;\n\tbool secondary_adv;\n\n\tif (instance > 0) {\n\t\tadv_instance = hci_find_adv_instance(hdev, instance);\n\t\tif (!adv_instance)\n\t\t\treturn -EINVAL;\n\t} else {\n\t\tadv_instance = NULL;\n\t}\n\n\tflags = get_adv_instance_flags(hdev, instance);\n\n\t/* If the \"connectable\" instance flag was not set, then choose between\n\t * ADV_IND and ADV_NONCONN_IND based on the global connectable setting.\n\t */\n\tconnectable = (flags & MGMT_ADV_FLAG_CONNECTABLE) ||\n\t\t mgmt_get_connectable(hdev);\n\n\tif (!is_advertising_allowed(hdev, connectable))\n\t\treturn -EPERM;\n\n\t/* Set require_privacy to true only when non-connectable\n\t * advertising is used. 
In that case it is fine to use a\n\t * non-resolvable private address.\n\t */\n\terr = hci_get_random_address(hdev, !connectable,\n\t\t\t\t adv_use_rpa(hdev, flags), adv_instance,\n\t\t\t\t &own_addr_type, &random_addr);\n\tif (err < 0)\n\t\treturn err;\n\n\tmemset(&cp, 0, sizeof(cp));\n\n\tif (adv_instance) {\n\t\thci_cpu_to_le24(adv_instance->min_interval, cp.min_interval);\n\t\thci_cpu_to_le24(adv_instance->max_interval, cp.max_interval);\n\t\tcp.tx_power = adv_instance->tx_power;\n\t} else {\n\t\thci_cpu_to_le24(hdev->le_adv_min_interval, cp.min_interval);\n\t\thci_cpu_to_le24(hdev->le_adv_max_interval, cp.max_interval);\n\t\tcp.tx_power = HCI_ADV_TX_POWER_NO_PREFERENCE;\n\t}\n\n\tsecondary_adv = (flags & MGMT_ADV_FLAG_SEC_MASK);\n\n\tif (connectable) {\n\t\tif (secondary_adv)\n\t\t\tcp.evt_properties = cpu_to_le16(LE_EXT_ADV_CONN_IND);\n\t\telse\n\t\t\tcp.evt_properties = cpu_to_le16(LE_LEGACY_ADV_IND);\n\t} else if (adv_instance_is_scannable(hdev, instance)) {\n\t\tif (secondary_adv)\n\t\t\tcp.evt_properties = cpu_to_le16(LE_EXT_ADV_SCAN_IND);\n\t\telse\n\t\t\tcp.evt_properties = cpu_to_le16(LE_LEGACY_ADV_SCAN_IND);\n\t} else {\n\t\tif (secondary_adv)\n\t\t\tcp.evt_properties = cpu_to_le16(LE_EXT_ADV_NON_CONN_IND);\n\t\telse\n\t\t\tcp.evt_properties = cpu_to_le16(LE_LEGACY_NONCONN_IND);\n\t}\n\n\tcp.own_addr_type = own_addr_type;\n\tcp.channel_map = hdev->le_adv_channel_map;\n\tcp.handle = instance;\n\n\tif (flags & MGMT_ADV_FLAG_SEC_2M) {\n\t\tcp.primary_phy = HCI_ADV_PHY_1M;\n\t\tcp.secondary_phy = HCI_ADV_PHY_2M;\n\t} else if (flags & MGMT_ADV_FLAG_SEC_CODED) {\n\t\tcp.primary_phy = HCI_ADV_PHY_CODED;\n\t\tcp.secondary_phy = HCI_ADV_PHY_CODED;\n\t} else {\n\t\t/* In all other cases use 1M */\n\t\tcp.primary_phy = HCI_ADV_PHY_1M;\n\t\tcp.secondary_phy = HCI_ADV_PHY_1M;\n\t}\n\n\thci_req_add(req, HCI_OP_LE_SET_EXT_ADV_PARAMS, sizeof(cp), &cp);\n\n\tif (own_addr_type == ADDR_LE_DEV_RANDOM &&\n\t bacmp(&random_addr, BDADDR_ANY)) {\n\t\tstruct 
hci_cp_le_set_adv_set_rand_addr cp;\n\n\t\t/* Check if random address need to be updated */\n\t\tif (adv_instance) {\n\t\t\tif (!bacmp(&random_addr, &adv_instance->random_addr))\n\t\t\t\treturn 0;\n\t\t} else {\n\t\t\tif (!bacmp(&random_addr, &hdev->random_addr))\n\t\t\t\treturn 0;\n\t\t}\n\n\t\tmemset(&cp, 0, sizeof(cp));\n\n\t\tcp.handle = instance;\n\t\tbacpy(&cp.bdaddr, &random_addr);\n\n\t\thci_req_add(req,\n\t\t\t HCI_OP_LE_SET_ADV_SET_RAND_ADDR,\n\t\t\t sizeof(cp), &cp);\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 10854545739398897812681797436737996268, "size": 115, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402514 }, { "func": "static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)\n{\n\tto->pkt_type = from->pkt_type;\n\tto->priority = from->priority;\n\tto->protocol = from->protocol;\n\tskb_dst_drop(to);\n\tskb_dst_copy(to, from);\n\tto->dev = from->dev;\n\tto->mark = from->mark;\n\n\t/* Copy the flags to each fragment. 
*/\n\tIPCB(to)->flags = IPCB(from)->flags;\n\n#ifdef CONFIG_NET_SCHED\n\tto->tc_index = from->tc_index;\n#endif\n\tnf_copy(to, from);\n#if IS_ENABLED(CONFIG_IP_VS)\n\tto->ipvs_property = from->ipvs_property;\n#endif\n\tskb_copy_secmark(to, from);\n}", "project": "net", "hash": 163242754538268748518869629094022349933, "size": 22, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 469004 }, { "func": "rpmRC hdrblobImport(hdrblob blob, int fast, Header *hdrp, char **emsg)\n{\n Header h = NULL;\n indexEntry entry; \n int rdlen;\n\n h = headerCreate(blob->ei, blob->il);\n\n entry = h->index;\n if (!(htonl(blob->pe->tag) < RPMTAG_HEADERI18NTABLE)) {\n\t/* An original v3 header, create a legacy region entry for it */\n\th->flags |= HEADERFLAG_LEGACY;\n\tentry->info.type = REGION_TAG_TYPE;\n\tentry->info.tag = RPMTAG_HEADERIMAGE;\n\tentry->info.count = REGION_TAG_COUNT;\n\tentry->info.offset = ((unsigned char *)blob->pe - blob->dataStart); /* negative offset */\n\n\tentry->data = blob->pe;\n\tentry->length = blob->pvlen - sizeof(blob->il) - sizeof(blob->dl);\n\trdlen = regionSwab(entry+1, blob->il, 0, blob->pe,\n\t\t\t blob->dataStart, blob->dataEnd,\n\t\t\t entry->info.offset, fast);\n\tif (rdlen != blob->dl)\n\t goto errxit;\n\tentry->rdlen = rdlen;\n\th->indexUsed++;\n } else {\n\t/* Either a v4 header or an \"upgraded\" v3 header with a legacy region */\n\tint32_t ril;\n\n\th->flags &= ~HEADERFLAG_LEGACY;\n\tei2h(blob->pe, &entry->info);\n\tril = (entry->info.offset != 0) ? blob->ril : blob->il;\n\n\tentry->info.offset = -(ril * sizeof(*blob->pe)); /* negative offset */\n\tentry->data = blob->pe;\n\tentry->length = blob->pvlen - sizeof(blob->il) - sizeof(blob->dl);\n\trdlen = regionSwab(entry+1, ril-1, 0, blob->pe+1,\n\t\t\t blob->dataStart, blob->dataEnd,\n\t\t\t entry->info.offset, fast);\n\tif (rdlen < 0)\n\t goto errxit;\n\tentry->rdlen = rdlen;\n\n\tif (ril < h->indexUsed) {\n\t indexEntry newEntry = entry + ril;\n\t int ne = (h->indexUsed - ril);\n\t int rid = entry->info.offset+1;\n\n\t /* Load dribble entries from region. 
*/\n\t rdlen = regionSwab(newEntry, ne, rdlen, blob->pe+ril,\n\t\t\t\tblob->dataStart, blob->dataEnd, rid, fast);\n\t if (rdlen < 0)\n\t\tgoto errxit;\n\n\t { indexEntry firstEntry = newEntry;\n\t int save = h->indexUsed;\n\t int j;\n\n\t /* Dribble entries replace duplicate region entries. */\n\t h->indexUsed -= ne;\n\t for (j = 0; j < ne; j++, newEntry++) {\n\t\t(void) headerDel(h, newEntry->info.tag);\n\t\tif (newEntry->info.tag == RPMTAG_BASENAMES)\n\t\t (void) headerDel(h, RPMTAG_OLDFILENAMES);\n\t }\n\n\t /* If any duplicate entries were replaced, move new entries down. */\n\t if (h->indexUsed < (save - ne)) {\n\t\tmemmove(h->index + h->indexUsed, firstEntry,\n\t\t\t(ne * sizeof(*entry)));\n\t }\n\t h->indexUsed += ne;\n\t }\n\t}\n\n\trdlen += REGION_TAG_COUNT;\n\n\tif (rdlen != blob->dl)\n\t goto errxit;\n }\n\n /* Force sorting, dribble lookups can cause early sort on partial header */\n h->sorted = 0;\n headerSort(h);\n h->flags |= HEADERFLAG_ALLOCATED;\n *hdrp = h;\n\n /* We own the memory now, avoid double-frees */\n blob->ei = NULL;\n\n return RPMRC_OK;\n\nerrxit:\n if (h) {\n\tfree(h->index);\n\tfree(h);\n\trasprintf(emsg, _(\"hdr load: BAD\"));\n }\n return RPMRC_FAIL;\n}", "project": "rpm", "hash": 192080992111415115202236957624687651429, "size": 101, "commit_id": "8f4b3c3cab8922a2022b9e47c71f1ecf906077ef", "message": "hdrblobInit() needs bounds checks too\n\nUsers can pass untrusted data to hdrblobInit() and it must be robust\nagainst this.", "target": 0, "dataset": "other", "idx": 318201 }, { "func": "static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tstruct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\thci_dev_lock(hdev);\n\n\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tmgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,\n\t\t\t\t\t\t rp->status);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 
148244187629634416526446654731317199861, "size": 14, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432035 }, { "func": "static inline int tcp_checksum_complete_user(struct sock *sk,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\treturn !skb_csum_unnecessary(skb) &&\n\t __tcp_checksum_complete_user(sk, skb);\n}", "project": "net-next", "hash": 172000534088011421735600821470413146610, "size": 6, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409841 }, { "func": "int bcf_remove_filter(const bcf_hdr_t *hdr, bcf1_t *line, int flt_id, int pass)\n{\n if ( !(line->unpacked & BCF_UN_FLT) ) bcf_unpack(line, BCF_UN_FLT);\n int i;\n for (i=0; id.n_flt; i++)\n if ( flt_id==line->d.flt[i] ) break;\n if ( i==line->d.n_flt ) return 0; // the filter is not present\n line->d.shared_dirty |= BCF1_DIRTY_FLT;\n if ( i!=line->d.n_flt-1 ) memmove(line->d.flt+i,line->d.flt+i+1,(line->d.n_flt-i-1)*sizeof(*line->d.flt));\n line->d.n_flt--;\n if ( !line->d.n_flt && pass ) bcf_add_filter(hdr,line,0);\n return 0;\n}", "project": "htslib", "hash": 108238314678111078823054796552786598063, "size": 13, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402136 }, { "func": "static void nfs4_open_prepare(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs4_opendata *data = calldata;\n\tstruct nfs4_state_owner *sp = data->owner;\n\tstruct nfs_client *clp = sp->so_server->nfs_client;\n\tenum open_claim_type4 claim = data->o_arg.claim;\n\n\tif (nfs_wait_on_sequence(data->o_arg.seqid, task) != 0)\n\t\tgoto out_wait;\n\t/*\n\t * Check if we still need to send an OPEN call, or if we can use\n\t * a delegation instead.\n\t */\n\tif (data->state != NULL) {\n\t\tstruct nfs_delegation *delegation;\n\n\t\tif (can_open_cached(data->state, data->o_arg.fmode,\n\t\t\t\t\tdata->o_arg.open_flags, claim))\n\t\t\tgoto out_no_action;\n\t\trcu_read_lock();\n\t\tdelegation = nfs4_get_valid_delegation(data->state->inode);\n\t\tif (can_open_delegated(delegation, 
data->o_arg.fmode, claim))\n\t\t\tgoto unlock_no_action;\n\t\trcu_read_unlock();\n\t}\n\t/* Update client id. */\n\tdata->o_arg.clientid = clp->cl_clientid;\n\tswitch (claim) {\n\tdefault:\n\t\tbreak;\n\tcase NFS4_OPEN_CLAIM_PREVIOUS:\n\tcase NFS4_OPEN_CLAIM_DELEG_CUR_FH:\n\tcase NFS4_OPEN_CLAIM_DELEG_PREV_FH:\n\t\tdata->o_arg.open_bitmap = &nfs4_open_noattr_bitmap[0];\n\t\t/* Fall through */\n\tcase NFS4_OPEN_CLAIM_FH:\n\t\ttask->tk_msg.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_OPEN_NOATTR];\n\t}\n\tdata->timestamp = jiffies;\n\tif (nfs4_setup_sequence(data->o_arg.server->nfs_client,\n\t\t\t\t&data->o_arg.seq_args,\n\t\t\t\t&data->o_res.seq_res,\n\t\t\t\ttask) != 0)\n\t\tnfs_release_seqid(data->o_arg.seqid);\n\n\t/* Set the create mode (note dependency on the session type) */\n\tdata->o_arg.createmode = NFS4_CREATE_UNCHECKED;\n\tif (data->o_arg.open_flags & O_EXCL) {\n\t\tdata->o_arg.createmode = NFS4_CREATE_EXCLUSIVE;\n\t\tif (nfs4_has_persistent_session(clp))\n\t\t\tdata->o_arg.createmode = NFS4_CREATE_GUARDED;\n\t\telse if (clp->cl_mvops->minor_version > 0)\n\t\t\tdata->o_arg.createmode = NFS4_CREATE_EXCLUSIVE4_1;\n\t}\n\treturn;\nunlock_no_action:\n\ttrace_nfs4_cached_open(data->state);\n\trcu_read_unlock();\nout_no_action:\n\ttask->tk_action = NULL;\nout_wait:\n\tnfs4_sequence_done(task, &data->o_res.seq_res);\n}", "project": "linux", "hash": 10595928261426951164293862162167797454, "size": 63, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431010 }, { "func": "size_t Frame::getStack(int level, char *result_buf, size_t result_len) {\n 
// End recursion if we dont need deeper levels or\n // we dont have any deeper levels\n if (!m_parent || level <= 1) {\n return getName(result_buf, result_len);\n }\n\n // Take care of all ancestors first\n size_t len = m_parent->getStack(level - 1, result_buf, result_len);\n if (result_len < (len + HP_STACK_DELIM_LEN)) {\n return len; // Insufficient result_buf. Bail out!\n }\n\n // Add delimiter only if entry had ancestors\n if (len) {\n strncat(result_buf + len, HP_STACK_DELIM, result_len - len);\n len += HP_STACK_DELIM_LEN;\n }\n\n // Append the current function name\n return len + getName(result_buf + len, result_len - len);\n}", "project": "hhvm", "hash": 333144912774067954735799394507192321026, "size": 22, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219335 }, { "func": "static void tcp_init_buffer_space(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tint maxwin;\n\n\tif (!(sk->sk_userlocks & SOCK_RCVBUF_LOCK))\n\t\ttcp_fixup_rcvbuf(sk);\n\tif (!(sk->sk_userlocks & SOCK_SNDBUF_LOCK))\n\t\ttcp_fixup_sndbuf(sk);\n\n\ttp->rcvq_space.space = tp->rcv_wnd;\n\n\tmaxwin = tcp_full_space(sk);\n\n\tif (tp->window_clamp >= maxwin) {\n\t\ttp->window_clamp = maxwin;\n\n\t\tif (sysctl_tcp_app_win && maxwin > 4 * tp->advmss)\n\t\t\ttp->window_clamp = max(maxwin -\n\t\t\t\t\t (maxwin >> sysctl_tcp_app_win),\n\t\t\t\t\t 4 * tp->advmss);\n\t}\n\n\t/* Force reservation of one segment. 
*/\n\tif (sysctl_tcp_app_win &&\n\t tp->window_clamp > 2 * tp->advmss &&\n\t tp->window_clamp + tp->advmss > maxwin)\n\t\ttp->window_clamp = max(2 * tp->advmss, maxwin - tp->advmss);\n\n\ttp->rcv_ssthresh = min(tp->rcv_ssthresh, tp->window_clamp);\n\ttp->snd_cwnd_stamp = tcp_time_stamp;\n}", "project": "net-next", "hash": 207837914831122590152955962821209225986, "size": 32, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409873 }, { "func": "zend_string* php_openssl_x509_fingerprint(X509 *peer, const char *method, zend_bool raw)\n{\n\tunsigned char md[EVP_MAX_MD_SIZE];\n\tconst EVP_MD *mdtype;\n\tunsigned int n;\n\tzend_string *ret;\n\n\tif (!(mdtype = EVP_get_digestbyname(method))) {\n\t\tphp_error_docref(NULL, E_WARNING, \"Unknown signature algorithm\");\n\t\treturn NULL;\n\t} else if (!X509_digest(peer, mdtype, md, &n)) {\n\t\tphp_openssl_store_errors();\n\t\tphp_error_docref(NULL, E_ERROR, \"Could not generate signature\");\n\t\treturn NULL;\n\t}\n\n\tif (raw) {\n\t\tret = zend_string_init((char*)md, n, 0);\n\t} else {\n\t\tret = zend_string_alloc(n * 2, 0);\n\t\tmake_digest_ex(ZSTR_VAL(ret), md, n);\n\t\tZSTR_VAL(ret)[n * 2] = '\\0';\n\t}\n\n\treturn ret;\n}", "project": "php-src", "hash": 131802616830278566979010573068444852081, "size": 26, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291435 }, { "func": "static u8 mlme_reset_request_sync(\n\tu8 set_default_pib,\n\tvoid *device_ref\n)\n{\n\tu8 status;\n\tstruct mac_message command, response;\n\tstruct spi_device 
*spi = device_ref;\n\n\tcommand.command_id = SPI_MLME_RESET_REQUEST;\n\tcommand.length = 1;\n\tcommand.pdata.u8param = set_default_pib;\n\n\tif (cascoda_api_downstream(\n\t\t&command.command_id,\n\t\tcommand.length + 2,\n\t\t&response.command_id,\n\t\tdevice_ref)) {\n\t\tdev_err(&spi->dev, \"cascoda_api_downstream failed\\n\");\n\t\treturn MAC_SYSTEM_ERROR;\n\t}\n\n\tif (response.command_id != SPI_MLME_RESET_CONFIRM)\n\t\treturn MAC_SYSTEM_ERROR;\n\n\tstatus = response.pdata.status;\n\n\t/* reset COORD Bit for Channel Filtering as Coordinator */\n\tif (CA8210_MAC_WORKAROUNDS && set_default_pib && !status) {\n\t\tstatus = tdme_setsfr_request_sync(\n\t\t\t0,\n\t\t\tCA8210_SFR_MACCON,\n\t\t\t0,\n\t\t\tdevice_ref\n\t\t);\n\t}\n\n\treturn status;\n}", "project": "linux", "hash": 222485143167793496042413064768580270151, "size": 39, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": "ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408801 }, { "func": "static int realloc_buffer(struct ssh_buffer_struct *buffer, size_t needed)\n{\n size_t smallest = 1;\n uint8_t *new = NULL;\n\n buffer_verify(buffer);\n\n /* Find the smallest power of two which is greater or equal to needed */\n while(smallest <= needed) {\n if (smallest == 0) {\n return -1;\n }\n smallest <<= 1;\n }\n needed = smallest;\n\n if (needed > BUFFER_SIZE_MAX) {\n return -1;\n }\n\n if (buffer->secure) {\n new = malloc(needed);\n if (new == NULL) {\n return -1;\n }\n memcpy(new, buffer->data, buffer->used);\n explicit_bzero(buffer->data, buffer->used);\n SAFE_FREE(buffer->data);\n } else {\n new = 
realloc(buffer->data, needed);\n if (new == NULL) {\n return -1;\n }\n }\n buffer->data = new;\n buffer->allocated = needed;\n\n buffer_verify(buffer);\n return 0;\n}", "project": "libssh-mirror", "hash": 322355617581933753790404304037521530416, "size": 40, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345163 }, { "func": "TfLiteStatus Subgraph::AllocateTensors() {\n TFLITE_SCOPED_TAGGED_DEFAULT_PROFILE(profiler_.get(), \"AllocateTensors\");\n\n if (!consistent_) {\n ReportError(\"AllocateTensors() called on inconsistent model.\");\n return kTfLiteError;\n }\n\n // Restore delegation state if applicable.\n TF_LITE_ENSURE_STATUS(RedoAllDelegates());\n\n // Explicit (re)allocation is necessary if nodes have been changed or tensors\n // have been resized. For inputs marked as dynamic, we can't short-circuit the\n // allocation as the client may have done the resize manually.\n if (state_ != kStateUninvokable &&\n !HasDynamicTensorImpl(context_, inputs())) {\n if (memory_planner_ && !memory_planner_->HasNonPersistentMemory()) {\n // If the only change was the release of non-persistent memory via\n // ReleaseNonPersistentMemory(), just re-allocate it. For any other type\n // of memory-planning change (for eg, ResizeInputTensor), the state would\n // be kStateUninvokable.\n memory_planner_->AcquireNonPersistentMemory();\n }\n return kTfLiteOk;\n }\n\n // Note `AllocateTensors` sometimes calls itself recursively above\n // for delegates. 
Therefore only the logic below need to be guarded\n // by `SubgraphGuard`.\n SubgraphGuard guard(&context_, &is_subgraph_in_use_);\n TF_LITE_ENSURE_OK(&context_, guard.status());\n\n next_execution_plan_index_to_prepare_ = 0;\n next_execution_plan_index_to_plan_allocation_ = 0;\n next_original_execution_plan_index_to_prepare_ = 0;\n if (memory_planner_) {\n TF_LITE_ENSURE_STATUS(memory_planner_->ResetAllocations());\n }\n\n TF_LITE_ENSURE_STATUS(PrepareOpsAndTensors());\n\n state_ = kStateInvokable;\n\n // Reset the variable tensors to zero after (re)allocating the tensors.\n // Developers shouldn't rely on the side effect of this function to reset\n // variable tensors. They should call `ResetVariableTensors` directly\n // instead.\n ResetVariableTensors();\n\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 278567867505748945527859577295731843312, "size": 51, "commit_id": "c6173f5fe66cdbab74f4f869311fe6aae2ba35f4", "message": "TFLite: Error out when the graph has a recurion.\n\nRecursion is currently unsupported.\n\nPiperOrigin-RevId: 371708957\nChange-Id: I8dfad0d85cbfe08e39ae8ea7bad21254ddee5003", "target": 0, "dataset": "other", "idx": 269615 }, { "func": " void decode_xml(XMLObj *obj) {\n string status_str;\n string mfa_str;\n RGWXMLDecoder::decode_xml(\"Status\", status_str, obj);\n if (status_str == \"Enabled\") {\n status = VersioningEnabled;\n } else if (status_str != \"Suspended\") {\n status = VersioningStatusInvalid;\n }\n\n\n if (RGWXMLDecoder::decode_xml(\"MfaDelete\", mfa_str, obj)) {\n if (mfa_str == \"Enabled\") {\n mfa_status = MFA_ENABLED;\n } else if (mfa_str == \"Disabled\") {\n mfa_status = MFA_DISABLED;\n } else {\n retcode = -EINVAL;\n }\n }\n }", "project": "ceph", "hash": 98082516426596339909585985398984248524, "size": 21, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit 
d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281348 }, { "func": " Item_num(THD *thd): Item_basic_constant(thd) { collation.set_numeric(); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 31016214913005923544795711425671259891, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508983 }, { "func": "static void nfs4_free_createdata(struct nfs4_createdata *data)\n{\n\tnfs4_label_free(data->label);\n\tkfree(data);\n}", "project": "linux", "hash": 249930889070383114563423985606516541693, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431609 }, { "func": "UnicodeString::operator=(const UnicodeString &src) {\n return copyFrom(src);\n}", "project": "icu", "hash": 228366260647610653140102194301376077450, "size": 3, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430789 }, { "func": "UnicodeString::copyFrom(const UnicodeString &src, UBool fastCopy) {\n // if assigning to ourselves, do nothing\n if(this == &src) {\n return *this;\n }\n\n // is the right side bogus?\n if(src.isBogus()) {\n setToBogus();\n return *this;\n }\n\n // delete the current contents\n releaseArray();\n\n if(src.isEmpty()) {\n // empty string - use the stack buffer\n setToEmpty();\n return *this;\n }\n\n // fLength>0 and not an \"open\" src.getBuffer(minCapacity)\n fUnion.fFields.fLengthAndFlags = src.fUnion.fFields.fLengthAndFlags;\n switch(src.fUnion.fFields.fLengthAndFlags & kAllStorageFlags) {\n case kShortString:\n // short string using the stack buffer, do the same\n uprv_memcpy(fUnion.fStackFields.fBuffer, src.fUnion.fStackFields.fBuffer,\n 
getShortLength() * U_SIZEOF_UCHAR);\n break;\n case kLongString:\n // src uses a refCounted string buffer, use that buffer with refCount\n // src is const, use a cast - we don't actually change it\n ((UnicodeString &)src).addRef();\n // copy all fields, share the reference-counted buffer\n fUnion.fFields.fArray = src.fUnion.fFields.fArray;\n fUnion.fFields.fCapacity = src.fUnion.fFields.fCapacity;\n if(!hasShortLength()) {\n fUnion.fFields.fLength = src.fUnion.fFields.fLength;\n }\n break;\n case kReadonlyAlias:\n if(fastCopy) {\n // src is a readonly alias, do the same\n // -> maintain the readonly alias as such\n fUnion.fFields.fArray = src.fUnion.fFields.fArray;\n fUnion.fFields.fCapacity = src.fUnion.fFields.fCapacity;\n if(!hasShortLength()) {\n fUnion.fFields.fLength = src.fUnion.fFields.fLength;\n }\n break;\n }\n // else if(!fastCopy) fall through to case kWritableAlias\n // -> allocate a new buffer and copy the contents\n U_FALLTHROUGH;\n case kWritableAlias: {\n // src is a writable alias; we make a copy of that instead\n int32_t srcLength = src.length();\n if(allocate(srcLength)) {\n u_memcpy(getArrayStart(), src.getArrayStart(), srcLength);\n setLength(srcLength);\n break;\n }\n // if there is not enough memory, then fall through to setting to bogus\n U_FALLTHROUGH;\n }\n default:\n // if src is bogus, set ourselves to bogus\n // do not call setToBogus() here because fArray and flags are not consistent here\n fUnion.fFields.fLengthAndFlags = kIsBogus;\n fUnion.fFields.fArray = 0;\n fUnion.fFields.fCapacity = 0;\n break;\n }\n\n return *this;\n}", "project": "icu", "hash": 304550123016949604347925569968284755273, "size": 76, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430843 }, { "func": "void ItemStackMetadata::deSerialize(std::istream &is)\n{\n\tstd::string in = deSerializeJsonStringIfNeeded(is);\n\n\tm_stringvars.clear();\n\n\tif 
(!in.empty()) {\n\t\tif (in[0] == DESERIALIZE_START) {\n\t\t\tStrfnd fnd(in);\n\t\t\tfnd.to(1);\n\t\t\twhile (!fnd.at_end()) {\n\t\t\t\tstd::string name = fnd.next(DESERIALIZE_KV_DELIM_STR);\n\t\t\t\tstd::string var = fnd.next(DESERIALIZE_PAIR_DELIM_STR);\n\t\t\t\tm_stringvars[name] = var;\n\t\t\t}\n\t\t} else {\n\t\t\t// BACKWARDS COMPATIBILITY\n\t\t\tm_stringvars[\"\"] = in;\n\t\t}\n\t}\n\tupdateToolCapabilities();\n}", "project": "minetest", "hash": 336324878187178739020643035750202602154, "size": 22, "commit_id": "b5956bde259faa240a81060ff4e598e25ad52dae", "message": "Sanitize ItemStack meta text", "target": 0, "dataset": "other", "idx": 279960 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "ChannelMergerNode* AudioContext::createChannelMerger(ExceptionState& exceptionState)\n{\n const unsigned ChannelMergerDefaultNumberOfInputs = 6;\n return createChannelMerger(ChannelMergerDefaultNumberOfInputs, exceptionState);\n}\n", "cwe": "", "big_vul_idx": 139629, "idx": 124781, "hash": 121887100561764804244457213731802318279 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "ChannelMergerNode* AudioContext::createChannelMerger(size_t numberOfInputs, ExceptionState& exceptionState)\n{\n ASSERT(isMainThread());\n\n ChannelMergerNode* node = ChannelMergerNode::create(this, m_destinationNode->sampleRate(), numberOfInputs);\n\n if (!node) {\n exceptionState.throwDOMException(\n IndexSizeError,\n \"number of inputs (\" + String::number(numberOfInputs)\n + \") must be between 1 and \"\n + String::number(AudioContext::maxNumberOfChannels()) + \".\");\n return 0;\n }\n\n return node;\n}\n", "cwe": "", "big_vul_idx": 139630, "idx": 124782, "hash": 56127637584605058184960591719696242590 }, { "func": "string SummarizeString(const string& str) {\n string escaped = absl::CEscape(str);\n\n // If the string is long, replace the middle with ellipses.\n constexpr int 
kMaxStringSummarySize = 80;\n if (escaped.size() >= kMaxStringSummarySize) {\n StringPiece prefix(escaped);\n StringPiece suffix = prefix;\n prefix.remove_suffix(escaped.size() - 10);\n suffix.remove_prefix(escaped.size() - 10);\n return strings::StrCat(\"\\\"\", prefix, \"...\", suffix, \"\\\"\");\n } else {\n return strings::StrCat(\"\\\"\", escaped, \"\\\"\");\n }\n}", "project": "tensorflow", "hash": 13801460747545578166929009031481186757, "size": 15, "commit_id": "c2426bba00a01de6913738df8fa78e0215fcce02", "message": "Use `PartialTensorShape` instead of `TensorShape`.\n\n`TensorShape` constructor throws a CHECK-fail if shape is partial/overflows which the other doesn't. We are only determining the number of elements in the shape and partial shape should be used as it returns negative number when needed.\n\nPiperOrigin-RevId: 409205384\nChange-Id: Ia56542ff9ec758f2c9ffc7e4dcc9fa7eecd86e7b", "target": 0, "dataset": "other", "idx": 223151 }, { "func": "static OPJ_BOOL opj_j2k_write_SPCod_SPCoc(opj_j2k_t *p_j2k,\n OPJ_UINT32 p_tile_no,\n OPJ_UINT32 p_comp_no,\n OPJ_BYTE * p_data,\n OPJ_UINT32 * p_header_size,\n struct opj_event_mgr * p_manager)\n{\n OPJ_UINT32 i;\n opj_cp_t *l_cp = 00;\n opj_tcp_t *l_tcp = 00;\n opj_tccp_t *l_tccp = 00;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_header_size != 00);\n assert(p_manager != 00);\n assert(p_data != 00);\n\n l_cp = &(p_j2k->m_cp);\n l_tcp = &l_cp->tcps[p_tile_no];\n l_tccp = &l_tcp->tccps[p_comp_no];\n\n /* preconditions again */\n assert(p_tile_no < (l_cp->tw * l_cp->th));\n assert(p_comp_no < (p_j2k->m_private_image->numcomps));\n\n if (*p_header_size < 5) {\n opj_event_msg(p_manager, EVT_ERROR, \"Error writing SPCod SPCoc element\\n\");\n return OPJ_FALSE;\n }\n\n opj_write_bytes(p_data, l_tccp->numresolutions - 1, 1); /* SPcoc (D) */\n ++p_data;\n\n opj_write_bytes(p_data, l_tccp->cblkw - 2, 1); /* SPcoc (E) */\n ++p_data;\n\n opj_write_bytes(p_data, l_tccp->cblkh - 2, 1); /* SPcoc (F) */\n 
++p_data;\n\n opj_write_bytes(p_data, l_tccp->cblksty,\n 1); /* SPcoc (G) */\n ++p_data;\n\n opj_write_bytes(p_data, l_tccp->qmfbid,\n 1); /* SPcoc (H) */\n ++p_data;\n\n *p_header_size = *p_header_size - 5;\n\n if (l_tccp->csty & J2K_CCP_CSTY_PRT) {\n\n if (*p_header_size < l_tccp->numresolutions) {\n opj_event_msg(p_manager, EVT_ERROR, \"Error writing SPCod SPCoc element\\n\");\n return OPJ_FALSE;\n }\n\n for (i = 0; i < l_tccp->numresolutions; ++i) {\n opj_write_bytes(p_data, l_tccp->prcw[i] + (l_tccp->prch[i] << 4),\n 1); /* SPcoc (I_i) */\n ++p_data;\n }\n\n *p_header_size = *p_header_size - l_tccp->numresolutions;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 201418410693356164359242153986051005567, "size": 68, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357304 }, { "func": "int blosc_set_compressor(const char* compname) {\n int code = blosc_compname_to_compcode(compname);\n\n g_compressor = code;\n\n /* Check whether the library should be initialized */\n if (!g_initlib) blosc_init();\n\n return code;\n}", "project": "c-blosc2", "hash": 192182115078905841920914693588916209787, "size": 10, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303073 }, { "func": " */\nstatic int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,\n\t\t\t const sigset_t __user *sig, size_t sigsz,\n\t\t\t struct __kernel_timespec __user *uts)\n{\n\tstruct io_wait_queue iowq = {\n\t\t.wq = {\n\t\t\t.private\t= current,\n\t\t\t.func\t\t= io_wake_function,\n\t\t\t.entry\t\t= LIST_HEAD_INIT(iowq.wq.entry),\n\t\t},\n\t\t.ctx\t\t= ctx,\n\t\t.to_wait\t= min_events,\n\t};\n\tstruct io_rings *rings = ctx->rings;\n\tsigned long timeout = MAX_SCHEDULE_TIMEOUT;\n\tint 
ret;\n\n\tdo {\n\t\tio_cqring_overflow_flush(ctx, false);\n\t\tif (io_cqring_events(ctx) >= min_events)\n\t\t\treturn 0;\n\t\tif (!io_run_task_work())\n\t\t\tbreak;\n\t} while (1);\n\n\tif (sig) {\n#ifdef CONFIG_COMPAT\n\t\tif (in_compat_syscall())\n\t\t\tret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,\n\t\t\t\t\t\t sigsz);\n\t\telse\n#endif\n\t\t\tret = set_user_sigmask(sig, sigsz);\n\n\t\tif (ret)\n\t\t\treturn ret;\n\t}\n\n\tif (uts) {\n\t\tstruct timespec64 ts;\n\n\t\tif (get_timespec64(&ts, uts))\n\t\t\treturn -EFAULT;\n\t\ttimeout = timespec64_to_jiffies(&ts);\n\t}\n\n\tiowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);\n\ttrace_io_uring_cqring_wait(ctx, min_events);\n\tdo {\n\t\t/* if we can't even flush overflow, don't wait for more */\n\t\tif (!io_cqring_overflow_flush(ctx, false)) {\n\t\t\tret = -EBUSY;\n\t\t\tbreak;\n\t\t}\n\t\tprepare_to_wait_exclusive(&ctx->wait, &iowq.wq,\n\t\t\t\t\t\tTASK_INTERRUPTIBLE);\n\t\tret = io_cqring_wait_schedule(ctx, &iowq, &timeout);\n\t\tfinish_wait(&ctx->wait, &iowq.wq);\n\t\tcond_resched();\n\t} while (ret > 0);\n\n\trestore_saved_sigmask_unless(ret == -EINTR);\n\n\treturn READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;", "project": "linux", "hash": 243140638556651887451588632587081646150, "size": 65, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338670 }, { "func": "dev_t tty_devnum(struct tty_struct *tty)\n{\n\treturn MKDEV(tty->driver->major, tty->driver->minor_start) + tty->index;\n}", "project": "linux", "hash": 110418883386032553801962809231462286676, "size": 4, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325990 }, { "func": "int sigprocmask(int how, sigset_t *set, sigset_t *oldset)\n{\n\tstruct task_struct *tsk = current;\n\tsigset_t newset;\n\n\t/* Lockless, only current can change ->blocked, never from irq */\n\tif (oldset)\n\t\t*oldset = tsk->blocked;\n\n\tswitch (how) {\n\tcase SIG_BLOCK:\n\t\tsigorsets(&newset, &tsk->blocked, set);\n\t\tbreak;\n\tcase SIG_UNBLOCK:\n\t\tsigandnsets(&newset, &tsk->blocked, set);\n\t\tbreak;\n\tcase SIG_SETMASK:\n\t\tnewset = *set;\n\t\tbreak;\n\tdefault:\n\t\treturn -EINVAL;\n\t}\n\n\t__set_current_blocked(&newset);\n\treturn 0;\n}", "project": "linux", "hash": 302033458614595350954214424981319250975, "size": 26, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375230 }, { "func": "static int exif_read_file(image_info_type *ImageInfo, String FileName,\n bool read_thumbnail, bool read_all) {\n struct stat st;\n\n /* Start with an empty image information structure. 
*/\n memset(ImageInfo, 0, sizeof(*ImageInfo));\n\n ImageInfo->motorola_intel = -1; /* flag as unknown */\n\n ImageInfo->infile = File::Open(FileName, \"rb\");\n if (!ImageInfo->infile) {\n raise_warning(\"Unable to open file %s\", FileName.c_str());\n return 0;\n }\n auto plain_file = dyn_cast(ImageInfo->infile);\n if (plain_file) {\n if (stat(FileName.c_str(), &st) >= 0) {\n if ((st.st_mode & S_IFMT) != S_IFREG) {\n raise_warning(\"Not a file\");\n return 0;\n }\n }\n\n /* Store file date/time. */\n ImageInfo->FileDateTime = st.st_mtime;\n ImageInfo->FileSize = st.st_size;\n } else {\n if (!ImageInfo->FileSize) {\n ImageInfo->infile->seek(0, SEEK_END);\n ImageInfo->FileSize = ImageInfo->infile->tell();\n ImageInfo->infile->seek(0, SEEK_SET);\n }\n }\n\n ImageInfo->FileName = HHVM_FN(basename)(FileName);\n ImageInfo->read_thumbnail = read_thumbnail;\n ImageInfo->read_all = read_all;\n ImageInfo->Thumbnail.filetype = IMAGE_FILETYPE_UNKNOWN;\n\n PHP_STRDUP(ImageInfo->encode_unicode, \"ISO-8859-15\");\n PHP_STRDUP(ImageInfo->decode_unicode_be, \"UCS-2BE\");\n PHP_STRDUP(ImageInfo->decode_unicode_le, \"UCS-2LE\");\n PHP_STRDUP(ImageInfo->encode_jis, \"\");\n PHP_STRDUP(ImageInfo->decode_jis_be, \"JIS\");\n PHP_STRDUP(ImageInfo->decode_jis_le, \"JIS\");\n\n ImageInfo->ifd_nesting_level = 0;\n\n /* Scan the JPEG headers. 
*/\n auto ret = exif_scan_FILE_header(ImageInfo);\n\n ImageInfo->infile->close();\n return ret;\n}", "project": "hhvm", "hash": 104859158599524320655753017939494318582, "size": 54, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219540 }, { "func": "static void print_section(char *level, char *text, u8 *addr,\n\t\t\t unsigned int length)\n{\n\tmetadata_access_enable();\n\tprint_hex_dump(level, text, DUMP_PREFIX_ADDRESS, 16, 1, addr,\n\t\t\tlength, 1);\n\tmetadata_access_disable();\n}", "project": "linux", "hash": 195012006594441622705761812158265118225, "size": 8, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280133 }, { "func": "static void mpol_rebind_nodemask(struct mempolicy *pol, const nodemask_t *nodes)\n{\n\tnodemask_t tmp;\n\n\tif (pol->flags & MPOL_F_STATIC_NODES)\n\t\tnodes_and(tmp, pol->w.user_nodemask, *nodes);\n\telse if (pol->flags & MPOL_F_RELATIVE_NODES)\n\t\tmpol_relative_nodemask(&tmp, &pol->w.user_nodemask, nodes);\n\telse {\n\t\tnodes_remap(tmp, pol->v.nodes,pol->w.cpuset_mems_allowed,\n\t\t\t\t\t\t\t\t*nodes);\n\t\tpol->w.cpuset_mems_allowed = *nodes;\n\t}\n\n\tif (nodes_empty(tmp))\n\t\ttmp = *nodes;\n\n\tpol->v.nodes = tmp;\n}", "project": "linux", "hash": 254588786270450458224569718533360983107, "size": 19, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366716 }, { "func": "static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, void *key)\n{\n\tint pwake = 0;\n\tstruct epitem *epi = ep_item_from_wait(wait);\n\tstruct eventpoll *ep = epi->ep;\n\t__poll_t pollflags = key_to_poll(key);\n\tunsigned long flags;\n\tint ewake = 0;\n\n\tread_lock_irqsave(&ep->lock, flags);\n\n\tep_set_busy_poll_napi_id(epi);\n\n\t/*\n\t * If the event mask does not contain any poll(2) event, we consider the\n\t * descriptor to be disabled. This condition is likely the effect of the\n\t * EPOLLONESHOT bit that disables the descriptor when an event is received,\n\t * until the next EPOLL_CTL_MOD will be issued.\n\t */\n\tif (!(epi->event.events & ~EP_PRIVATE_BITS))\n\t\tgoto out_unlock;\n\n\t/*\n\t * Check the events coming with the callback. At this stage, not\n\t * every device reports the events in the \"key\" parameter of the\n\t * callback. We need to be able to handle both cases here, hence the\n\t * test for \"key\" != NULL before the event match test.\n\t */\n\tif (pollflags && !(pollflags & epi->event.events))\n\t\tgoto out_unlock;\n\n\t/*\n\t * If we are transferring events to userspace, we can hold no locks\n\t * (because we're accessing user memory, and because of linux f_op->poll()\n\t * semantics). 
All the events that happen during that period of time are\n\t * chained in ep->ovflist and requeued later on.\n\t */\n\tif (READ_ONCE(ep->ovflist) != EP_UNACTIVE_PTR) {\n\t\tif (chain_epi_lockless(epi))\n\t\t\tep_pm_stay_awake_rcu(epi);\n\t} else if (!ep_is_linked(epi)) {\n\t\t/* In the usual case, add event to ready list. */\n\t\tif (list_add_tail_lockless(&epi->rdllink, &ep->rdllist))\n\t\t\tep_pm_stay_awake_rcu(epi);\n\t}\n\n\t/*\n\t * Wake up ( if active ) both the eventpoll wait list and the ->poll()\n\t * wait list.\n\t */\n\tif (waitqueue_active(&ep->wq)) {\n\t\tif ((epi->event.events & EPOLLEXCLUSIVE) &&\n\t\t\t\t\t!(pollflags & POLLFREE)) {\n\t\t\tswitch (pollflags & EPOLLINOUT_BITS) {\n\t\t\tcase EPOLLIN:\n\t\t\t\tif (epi->event.events & EPOLLIN)\n\t\t\t\t\tewake = 1;\n\t\t\t\tbreak;\n\t\t\tcase EPOLLOUT:\n\t\t\t\tif (epi->event.events & EPOLLOUT)\n\t\t\t\t\tewake = 1;\n\t\t\t\tbreak;\n\t\t\tcase 0:\n\t\t\t\tewake = 1;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\twake_up(&ep->wq);\n\t}\n\tif (waitqueue_active(&ep->poll_wait))\n\t\tpwake++;\n\nout_unlock:\n\tread_unlock_irqrestore(&ep->lock, flags);\n\n\t/* We have to call this outside the lock */\n\tif (pwake)\n\t\tep_poll_safewake(ep, epi);\n\n\tif (!(epi->event.events & EPOLLEXCLUSIVE))\n\t\tewake = 1;\n\n\tif (pollflags & POLLFREE) {\n\t\t/*\n\t\t * If we race with ep_remove_wait_queue() it can miss\n\t\t * ->whead = NULL and do another remove_wait_queue() after\n\t\t * us, so we can't use __remove_wait_queue().\n\t\t */\n\t\tlist_del_init(&wait->entry);\n\t\t/*\n\t\t * ->whead != NULL protects us from the race with ep_free()\n\t\t * or ep_remove(), ep_remove_wait_queue() takes whead->lock\n\t\t * held by the caller. 
Once we nullify it, nothing protects\n\t\t * ep/epi or even wait.\n\t\t */\n\t\tsmp_store_release(&ep_pwq_from_wait(wait)->whead, NULL);\n\t}\n\n\treturn ewake;\n}", "project": "linux", "hash": 315354489185889700010930288237673690281, "size": 100, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336274 }, { "func": "static unsigned long count_partial(struct kmem_cache_node *n,\n\t\t\t\t\tint (*get_count)(struct page *))\n{\n\tunsigned long flags;\n\tunsigned long x = 0;\n\tstruct page *page;\n\n\tspin_lock_irqsave(&n->list_lock, flags);\n\tlist_for_each_entry(page, &n->partial, slab_list)\n\t\tx += get_count(page);\n\tspin_unlock_irqrestore(&n->list_lock, flags);\n\treturn x;\n}", "project": "linux", "hash": 189129638801346083558643254204463342261, "size": 13, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280200 }, { "func": "static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_field *field,\n\t\t\t\t struct hid_usage *usage)\n{\n\tstruct input_dev *input = hidinput->input;\n\tstruct hid_device *device = input_get_drvdata(input);\n\tint max = 0, code;\n\tunsigned long *bit = NULL;\n\n\tfield->hidinput = hidinput;\n\n\tif (field->flags & HID_MAIN_ITEM_CONSTANT)\n\t\tgoto ignore;\n\n\t/* Ignore if report count is out of bounds. */\n\tif (field->report_count < 1)\n\t\tgoto ignore;\n\n\t/* only LED usages are supported in output fields */\n\tif (field->report_type == HID_OUTPUT_REPORT &&\n\t\t\t(usage->hid & HID_USAGE_PAGE) != HID_UP_LED) {\n\t\tgoto ignore;\n\t}\n\n\tif (device->driver->input_mapping) {\n\t\tint ret = device->driver->input_mapping(device, hidinput, field,\n\t\t\t\tusage, &bit, &max);\n\t\tif (ret > 0)\n\t\t\tgoto mapped;\n\t\tif (ret < 0)\n\t\t\tgoto ignore;\n\t}\n\n\tswitch (usage->hid & HID_USAGE_PAGE) {\n\tcase HID_UP_UNDEFINED:\n\t\tgoto ignore;\n\n\tcase HID_UP_KEYBOARD:\n\t\tset_bit(EV_REP, input->evbit);\n\n\t\tif ((usage->hid & HID_USAGE) < 256) {\n\t\t\tif (!hid_keyboard[usage->hid & HID_USAGE]) goto ignore;\n\t\t\tmap_key_clear(hid_keyboard[usage->hid & HID_USAGE]);\n\t\t} else\n\t\t\tmap_key(KEY_UNKNOWN);\n\n\t\tbreak;\n\n\tcase HID_UP_BUTTON:\n\t\tcode = ((usage->hid - 1) & HID_USAGE);\n\n\t\tswitch (field->application) {\n\t\tcase HID_GD_MOUSE:\n\t\tcase HID_GD_POINTER: code += BTN_MOUSE; break;\n\t\tcase HID_GD_JOYSTICK:\n\t\t\t\tif (code <= 0xf)\n\t\t\t\t\tcode += BTN_JOYSTICK;\n\t\t\t\telse\n\t\t\t\t\tcode 
+= BTN_TRIGGER_HAPPY - 0x10;\n\t\t\t\tbreak;\n\t\tcase HID_GD_GAMEPAD:\n\t\t\t\tif (code <= 0xf)\n\t\t\t\t\tcode += BTN_GAMEPAD;\n\t\t\t\telse\n\t\t\t\t\tcode += BTN_TRIGGER_HAPPY - 0x10;\n\t\t\t\tbreak;\n\t\tdefault:\n\t\t\tswitch (field->physical) {\n\t\t\tcase HID_GD_MOUSE:\n\t\t\tcase HID_GD_POINTER: code += BTN_MOUSE; break;\n\t\t\tcase HID_GD_JOYSTICK: code += BTN_JOYSTICK; break;\n\t\t\tcase HID_GD_GAMEPAD: code += BTN_GAMEPAD; break;\n\t\t\tdefault: code += BTN_MISC;\n\t\t\t}\n\t\t}\n\n\t\tmap_key(code);\n\t\tbreak;\n\n\tcase HID_UP_SIMULATION:\n\t\tswitch (usage->hid & 0xffff) {\n\t\tcase 0xba: map_abs(ABS_RUDDER); break;\n\t\tcase 0xbb: map_abs(ABS_THROTTLE); break;\n\t\tcase 0xc4: map_abs(ABS_GAS); break;\n\t\tcase 0xc5: map_abs(ABS_BRAKE); break;\n\t\tcase 0xc8: map_abs(ABS_WHEEL); break;\n\t\tdefault: goto ignore;\n\t\t}\n\t\tbreak;\n\n\tcase HID_UP_GENDESK:\n\t\tif ((usage->hid & 0xf0) == 0x80) {\t/* SystemControl */\n\t\t\tswitch (usage->hid & 0xf) {\n\t\t\tcase 0x1: map_key_clear(KEY_POWER); break;\n\t\t\tcase 0x2: map_key_clear(KEY_SLEEP); break;\n\t\t\tcase 0x3: map_key_clear(KEY_WAKEUP); break;\n\t\t\tcase 0x4: map_key_clear(KEY_CONTEXT_MENU); break;\n\t\t\tcase 0x5: map_key_clear(KEY_MENU); break;\n\t\t\tcase 0x6: map_key_clear(KEY_PROG1); break;\n\t\t\tcase 0x7: map_key_clear(KEY_HELP); break;\n\t\t\tcase 0x8: map_key_clear(KEY_EXIT); break;\n\t\t\tcase 0x9: map_key_clear(KEY_SELECT); break;\n\t\t\tcase 0xa: map_key_clear(KEY_RIGHT); break;\n\t\t\tcase 0xb: map_key_clear(KEY_LEFT); break;\n\t\t\tcase 0xc: map_key_clear(KEY_UP); break;\n\t\t\tcase 0xd: map_key_clear(KEY_DOWN); break;\n\t\t\tcase 0xe: map_key_clear(KEY_POWER2); break;\n\t\t\tcase 0xf: map_key_clear(KEY_RESTART); break;\n\t\t\tdefault: goto unknown;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\n\t\tif ((usage->hid & 0xf0) == 0xb0) {\t/* SC - Display */\n\t\t\tswitch (usage->hid & 0xf) {\n\t\t\tcase 0x05: map_key_clear(KEY_SWITCHVIDEOMODE); break;\n\t\t\tdefault: goto 
ignore;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\n\t\t/*\n\t\t * Some lazy vendors declare 255 usages for System Control,\n\t\t * leading to the creation of ABS_X|Y axis and too many others.\n\t\t * It wouldn't be a problem if joydev doesn't consider the\n\t\t * device as a joystick then.\n\t\t */\n\t\tif (field->application == HID_GD_SYSTEM_CONTROL)\n\t\t\tgoto ignore;\n\n\t\tif ((usage->hid & 0xf0) == 0x90) {\t/* D-pad */\n\t\t\tswitch (usage->hid) {\n\t\t\tcase HID_GD_UP:\t usage->hat_dir = 1; break;\n\t\t\tcase HID_GD_DOWN: usage->hat_dir = 5; break;\n\t\t\tcase HID_GD_RIGHT: usage->hat_dir = 3; break;\n\t\t\tcase HID_GD_LEFT: usage->hat_dir = 7; break;\n\t\t\tdefault: goto unknown;\n\t\t\t}\n\t\t\tif (field->dpad) {\n\t\t\t\tmap_abs(field->dpad);\n\t\t\t\tgoto ignore;\n\t\t\t}\n\t\t\tmap_abs(ABS_HAT0X);\n\t\t\tbreak;\n\t\t}\n\n\t\tswitch (usage->hid) {\n\t\t/* These usage IDs map directly to the usage codes. */\n\t\tcase HID_GD_X: case HID_GD_Y: case HID_GD_Z:\n\t\tcase HID_GD_RX: case HID_GD_RY: case HID_GD_RZ:\n\t\t\tif (field->flags & HID_MAIN_ITEM_RELATIVE)\n\t\t\t\tmap_rel(usage->hid & 0xf);\n\t\t\telse\n\t\t\t\tmap_abs_clear(usage->hid & 0xf);\n\t\t\tbreak;\n\n\t\tcase HID_GD_WHEEL:\n\t\t\tif (field->flags & HID_MAIN_ITEM_RELATIVE) {\n\t\t\t\tset_bit(REL_WHEEL, input->relbit);\n\t\t\t\tmap_rel(REL_WHEEL_HI_RES);\n\t\t\t} else {\n\t\t\t\tmap_abs(usage->hid & 0xf);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase HID_GD_SLIDER: case HID_GD_DIAL:\n\t\t\tif (field->flags & HID_MAIN_ITEM_RELATIVE)\n\t\t\t\tmap_rel(usage->hid & 0xf);\n\t\t\telse\n\t\t\t\tmap_abs(usage->hid & 0xf);\n\t\t\tbreak;\n\n\t\tcase HID_GD_HATSWITCH:\n\t\t\tusage->hat_min = field->logical_minimum;\n\t\t\tusage->hat_max = field->logical_maximum;\n\t\t\tmap_abs(ABS_HAT0X);\n\t\t\tbreak;\n\n\t\tcase HID_GD_START:\tmap_key_clear(BTN_START);\tbreak;\n\t\tcase HID_GD_SELECT:\tmap_key_clear(BTN_SELECT);\tbreak;\n\n\t\tcase HID_GD_RFKILL_BTN:\n\t\t\t/* MS wireless radio ctl extension, also check CA */\n\t\t\tif 
(field->application == HID_GD_WIRELESS_RADIO_CTLS) {\n\t\t\t\tmap_key_clear(KEY_RFKILL);\n\t\t\t\t/* We need to simulate the btn release */\n\t\t\t\tfield->flags |= HID_MAIN_ITEM_RELATIVE;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\tdefault: goto unknown;\n\t\t}\n\n\t\tbreak;\n\n\tcase HID_UP_LED:\n\t\tswitch (usage->hid & 0xffff) {\t\t /* HID-Value: */\n\t\tcase 0x01: map_led (LED_NUML); break; /* \"Num Lock\" */\n\t\tcase 0x02: map_led (LED_CAPSL); break; /* \"Caps Lock\" */\n\t\tcase 0x03: map_led (LED_SCROLLL); break; /* \"Scroll Lock\" */\n\t\tcase 0x04: map_led (LED_COMPOSE); break; /* \"Compose\" */\n\t\tcase 0x05: map_led (LED_KANA); break; /* \"Kana\" */\n\t\tcase 0x27: map_led (LED_SLEEP); break; /* \"Stand-By\" */\n\t\tcase 0x4c: map_led (LED_SUSPEND); break; /* \"System Suspend\" */\n\t\tcase 0x09: map_led (LED_MUTE); break; /* \"Mute\" */\n\t\tcase 0x4b: map_led (LED_MISC); break; /* \"Generic Indicator\" */\n\t\tcase 0x19: map_led (LED_MAIL); break; /* \"Message Waiting\" */\n\t\tcase 0x4d: map_led (LED_CHARGING); break; /* \"External Power Connected\" */\n\n\t\tdefault: goto ignore;\n\t\t}\n\t\tbreak;\n\n\tcase HID_UP_DIGITIZER:\n\t\tif ((field->application & 0xff) == 0x01) /* Digitizer */\n\t\t\t__set_bit(INPUT_PROP_POINTER, input->propbit);\n\t\telse if ((field->application & 0xff) == 0x02) /* Pen */\n\t\t\t__set_bit(INPUT_PROP_DIRECT, input->propbit);\n\n\t\tswitch (usage->hid & 0xff) {\n\t\tcase 0x00: /* Undefined */\n\t\t\tgoto ignore;\n\n\t\tcase 0x30: /* TipPressure */\n\t\t\tif (!test_bit(BTN_TOUCH, input->keybit)) {\n\t\t\t\tdevice->quirks |= HID_QUIRK_NOTOUCH;\n\t\t\t\tset_bit(EV_KEY, input->evbit);\n\t\t\t\tset_bit(BTN_TOUCH, input->keybit);\n\t\t\t}\n\t\t\tmap_abs_clear(ABS_PRESSURE);\n\t\t\tbreak;\n\n\t\tcase 0x32: /* InRange */\n\t\t\tswitch (field->physical & 0xff) {\n\t\t\tcase 0x21: map_key(BTN_TOOL_MOUSE); break;\n\t\t\tcase 0x22: map_key(BTN_TOOL_FINGER); break;\n\t\t\tdefault: map_key(BTN_TOOL_PEN); break;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase 
0x3b: /* Battery Strength */\n\t\t\thidinput_setup_battery(device, HID_INPUT_REPORT, field);\n\t\t\tusage->type = EV_PWR;\n\t\t\tgoto ignore;\n\n\t\tcase 0x3c: /* Invert */\n\t\t\tmap_key_clear(BTN_TOOL_RUBBER);\n\t\t\tbreak;\n\n\t\tcase 0x3d: /* X Tilt */\n\t\t\tmap_abs_clear(ABS_TILT_X);\n\t\t\tbreak;\n\n\t\tcase 0x3e: /* Y Tilt */\n\t\t\tmap_abs_clear(ABS_TILT_Y);\n\t\t\tbreak;\n\n\t\tcase 0x33: /* Touch */\n\t\tcase 0x42: /* TipSwitch */\n\t\tcase 0x43: /* TipSwitch2 */\n\t\t\tdevice->quirks &= ~HID_QUIRK_NOTOUCH;\n\t\t\tmap_key_clear(BTN_TOUCH);\n\t\t\tbreak;\n\n\t\tcase 0x44: /* BarrelSwitch */\n\t\t\tmap_key_clear(BTN_STYLUS);\n\t\t\tbreak;\n\n\t\tcase 0x45: /* ERASER */\n\t\t\t/*\n\t\t\t * This event is reported when eraser tip touches the surface.\n\t\t\t * Actual eraser (BTN_TOOL_RUBBER) is set by Invert usage when\n\t\t\t * tool gets in proximity.\n\t\t\t */\n\t\t\tmap_key_clear(BTN_TOUCH);\n\t\t\tbreak;\n\n\t\tcase 0x46: /* TabletPick */\n\t\tcase 0x5a: /* SecondaryBarrelSwitch */\n\t\t\tmap_key_clear(BTN_STYLUS2);\n\t\t\tbreak;\n\n\t\tcase 0x5b: /* TransducerSerialNumber */\n\t\t\tusage->type = EV_MSC;\n\t\t\tusage->code = MSC_SERIAL;\n\t\t\tbit = input->mscbit;\n\t\t\tmax = MSC_MAX;\n\t\t\tbreak;\n\n\t\tdefault: goto unknown;\n\t\t}\n\t\tbreak;\n\n\tcase HID_UP_TELEPHONY:\n\t\tswitch (usage->hid & HID_USAGE) {\n\t\tcase 0x2f: map_key_clear(KEY_MICMUTE);\t\tbreak;\n\t\tcase 0xb0: map_key_clear(KEY_NUMERIC_0);\tbreak;\n\t\tcase 0xb1: map_key_clear(KEY_NUMERIC_1);\tbreak;\n\t\tcase 0xb2: map_key_clear(KEY_NUMERIC_2);\tbreak;\n\t\tcase 0xb3: map_key_clear(KEY_NUMERIC_3);\tbreak;\n\t\tcase 0xb4: map_key_clear(KEY_NUMERIC_4);\tbreak;\n\t\tcase 0xb5: map_key_clear(KEY_NUMERIC_5);\tbreak;\n\t\tcase 0xb6: map_key_clear(KEY_NUMERIC_6);\tbreak;\n\t\tcase 0xb7: map_key_clear(KEY_NUMERIC_7);\tbreak;\n\t\tcase 0xb8: map_key_clear(KEY_NUMERIC_8);\tbreak;\n\t\tcase 0xb9: map_key_clear(KEY_NUMERIC_9);\tbreak;\n\t\tcase 0xba: 
map_key_clear(KEY_NUMERIC_STAR);\tbreak;\n\t\tcase 0xbb: map_key_clear(KEY_NUMERIC_POUND);\tbreak;\n\t\tcase 0xbc: map_key_clear(KEY_NUMERIC_A);\tbreak;\n\t\tcase 0xbd: map_key_clear(KEY_NUMERIC_B);\tbreak;\n\t\tcase 0xbe: map_key_clear(KEY_NUMERIC_C);\tbreak;\n\t\tcase 0xbf: map_key_clear(KEY_NUMERIC_D);\tbreak;\n\t\tdefault: goto ignore;\n\t\t}\n\t\tbreak;\n\n\tcase HID_UP_CONSUMER:\t/* USB HUT v1.12, pages 75-84 */\n\t\tswitch (usage->hid & HID_USAGE) {\n\t\tcase 0x000: goto ignore;\n\t\tcase 0x030: map_key_clear(KEY_POWER);\t\tbreak;\n\t\tcase 0x031: map_key_clear(KEY_RESTART);\t\tbreak;\n\t\tcase 0x032: map_key_clear(KEY_SLEEP);\t\tbreak;\n\t\tcase 0x034: map_key_clear(KEY_SLEEP);\t\tbreak;\n\t\tcase 0x035: map_key_clear(KEY_KBDILLUMTOGGLE);\tbreak;\n\t\tcase 0x036: map_key_clear(BTN_MISC);\t\tbreak;\n\n\t\tcase 0x040: map_key_clear(KEY_MENU);\t\tbreak; /* Menu */\n\t\tcase 0x041: map_key_clear(KEY_SELECT);\t\tbreak; /* Menu Pick */\n\t\tcase 0x042: map_key_clear(KEY_UP);\t\tbreak; /* Menu Up */\n\t\tcase 0x043: map_key_clear(KEY_DOWN);\t\tbreak; /* Menu Down */\n\t\tcase 0x044: map_key_clear(KEY_LEFT);\t\tbreak; /* Menu Left */\n\t\tcase 0x045: map_key_clear(KEY_RIGHT);\t\tbreak; /* Menu Right */\n\t\tcase 0x046: map_key_clear(KEY_ESC);\t\tbreak; /* Menu Escape */\n\t\tcase 0x047: map_key_clear(KEY_KPPLUS);\t\tbreak; /* Menu Value Increase */\n\t\tcase 0x048: map_key_clear(KEY_KPMINUS);\t\tbreak; /* Menu Value Decrease */\n\n\t\tcase 0x060: map_key_clear(KEY_INFO);\t\tbreak; /* Data On Screen */\n\t\tcase 0x061: map_key_clear(KEY_SUBTITLE);\tbreak; /* Closed Caption */\n\t\tcase 0x063: map_key_clear(KEY_VCR);\t\tbreak; /* VCR/TV */\n\t\tcase 0x065: map_key_clear(KEY_CAMERA);\t\tbreak; /* Snapshot */\n\t\tcase 0x069: map_key_clear(KEY_RED);\t\tbreak;\n\t\tcase 0x06a: map_key_clear(KEY_GREEN);\t\tbreak;\n\t\tcase 0x06b: map_key_clear(KEY_BLUE);\t\tbreak;\n\t\tcase 0x06c: map_key_clear(KEY_YELLOW);\t\tbreak;\n\t\tcase 0x06d: 
map_key_clear(KEY_ASPECT_RATIO);\tbreak;\n\n\t\tcase 0x06f: map_key_clear(KEY_BRIGHTNESSUP);\t\tbreak;\n\t\tcase 0x070: map_key_clear(KEY_BRIGHTNESSDOWN);\t\tbreak;\n\t\tcase 0x072: map_key_clear(KEY_BRIGHTNESS_TOGGLE);\tbreak;\n\t\tcase 0x073: map_key_clear(KEY_BRIGHTNESS_MIN);\t\tbreak;\n\t\tcase 0x074: map_key_clear(KEY_BRIGHTNESS_MAX);\t\tbreak;\n\t\tcase 0x075: map_key_clear(KEY_BRIGHTNESS_AUTO);\t\tbreak;\n\n\t\tcase 0x079: map_key_clear(KEY_KBDILLUMUP);\tbreak;\n\t\tcase 0x07a: map_key_clear(KEY_KBDILLUMDOWN);\tbreak;\n\t\tcase 0x07c: map_key_clear(KEY_KBDILLUMTOGGLE);\tbreak;\n\n\t\tcase 0x082: map_key_clear(KEY_VIDEO_NEXT);\tbreak;\n\t\tcase 0x083: map_key_clear(KEY_LAST);\t\tbreak;\n\t\tcase 0x084: map_key_clear(KEY_ENTER);\t\tbreak;\n\t\tcase 0x088: map_key_clear(KEY_PC);\t\tbreak;\n\t\tcase 0x089: map_key_clear(KEY_TV);\t\tbreak;\n\t\tcase 0x08a: map_key_clear(KEY_WWW);\t\tbreak;\n\t\tcase 0x08b: map_key_clear(KEY_DVD);\t\tbreak;\n\t\tcase 0x08c: map_key_clear(KEY_PHONE);\t\tbreak;\n\t\tcase 0x08d: map_key_clear(KEY_PROGRAM);\t\tbreak;\n\t\tcase 0x08e: map_key_clear(KEY_VIDEOPHONE);\tbreak;\n\t\tcase 0x08f: map_key_clear(KEY_GAMES);\t\tbreak;\n\t\tcase 0x090: map_key_clear(KEY_MEMO);\t\tbreak;\n\t\tcase 0x091: map_key_clear(KEY_CD);\t\tbreak;\n\t\tcase 0x092: map_key_clear(KEY_VCR);\t\tbreak;\n\t\tcase 0x093: map_key_clear(KEY_TUNER);\t\tbreak;\n\t\tcase 0x094: map_key_clear(KEY_EXIT);\t\tbreak;\n\t\tcase 0x095: map_key_clear(KEY_HELP);\t\tbreak;\n\t\tcase 0x096: map_key_clear(KEY_TAPE);\t\tbreak;\n\t\tcase 0x097: map_key_clear(KEY_TV2);\t\tbreak;\n\t\tcase 0x098: map_key_clear(KEY_SAT);\t\tbreak;\n\t\tcase 0x09a: map_key_clear(KEY_PVR);\t\tbreak;\n\n\t\tcase 0x09c: map_key_clear(KEY_CHANNELUP);\tbreak;\n\t\tcase 0x09d: map_key_clear(KEY_CHANNELDOWN);\tbreak;\n\t\tcase 0x0a0: map_key_clear(KEY_VCR2);\t\tbreak;\n\n\t\tcase 0x0b0: map_key_clear(KEY_PLAY);\t\tbreak;\n\t\tcase 0x0b1: map_key_clear(KEY_PAUSE);\t\tbreak;\n\t\tcase 0x0b2: 
map_key_clear(KEY_RECORD);\t\tbreak;\n\t\tcase 0x0b3: map_key_clear(KEY_FASTFORWARD);\tbreak;\n\t\tcase 0x0b4: map_key_clear(KEY_REWIND);\t\tbreak;\n\t\tcase 0x0b5: map_key_clear(KEY_NEXTSONG);\tbreak;\n\t\tcase 0x0b6: map_key_clear(KEY_PREVIOUSSONG);\tbreak;\n\t\tcase 0x0b7: map_key_clear(KEY_STOPCD);\t\tbreak;\n\t\tcase 0x0b8: map_key_clear(KEY_EJECTCD);\t\tbreak;\n\t\tcase 0x0bc: map_key_clear(KEY_MEDIA_REPEAT);\tbreak;\n\t\tcase 0x0b9: map_key_clear(KEY_SHUFFLE);\t\tbreak;\n\t\tcase 0x0bf: map_key_clear(KEY_SLOW);\t\tbreak;\n\n\t\tcase 0x0cd: map_key_clear(KEY_PLAYPAUSE);\tbreak;\n\t\tcase 0x0cf: map_key_clear(KEY_VOICECOMMAND);\tbreak;\n\t\tcase 0x0e0: map_abs_clear(ABS_VOLUME);\t\tbreak;\n\t\tcase 0x0e2: map_key_clear(KEY_MUTE);\t\tbreak;\n\t\tcase 0x0e5: map_key_clear(KEY_BASSBOOST);\tbreak;\n\t\tcase 0x0e9: map_key_clear(KEY_VOLUMEUP);\tbreak;\n\t\tcase 0x0ea: map_key_clear(KEY_VOLUMEDOWN);\tbreak;\n\t\tcase 0x0f5: map_key_clear(KEY_SLOW);\t\tbreak;\n\n\t\tcase 0x181: map_key_clear(KEY_BUTTONCONFIG);\tbreak;\n\t\tcase 0x182: map_key_clear(KEY_BOOKMARKS);\tbreak;\n\t\tcase 0x183: map_key_clear(KEY_CONFIG);\t\tbreak;\n\t\tcase 0x184: map_key_clear(KEY_WORDPROCESSOR);\tbreak;\n\t\tcase 0x185: map_key_clear(KEY_EDITOR);\t\tbreak;\n\t\tcase 0x186: map_key_clear(KEY_SPREADSHEET);\tbreak;\n\t\tcase 0x187: map_key_clear(KEY_GRAPHICSEDITOR);\tbreak;\n\t\tcase 0x188: map_key_clear(KEY_PRESENTATION);\tbreak;\n\t\tcase 0x189: map_key_clear(KEY_DATABASE);\tbreak;\n\t\tcase 0x18a: map_key_clear(KEY_MAIL);\t\tbreak;\n\t\tcase 0x18b: map_key_clear(KEY_NEWS);\t\tbreak;\n\t\tcase 0x18c: map_key_clear(KEY_VOICEMAIL);\tbreak;\n\t\tcase 0x18d: map_key_clear(KEY_ADDRESSBOOK);\tbreak;\n\t\tcase 0x18e: map_key_clear(KEY_CALENDAR);\tbreak;\n\t\tcase 0x18f: map_key_clear(KEY_TASKMANAGER);\tbreak;\n\t\tcase 0x190: map_key_clear(KEY_JOURNAL);\t\tbreak;\n\t\tcase 0x191: map_key_clear(KEY_FINANCE);\t\tbreak;\n\t\tcase 0x192: map_key_clear(KEY_CALC);\t\tbreak;\n\t\tcase 0x193: 
map_key_clear(KEY_PLAYER);\t\tbreak;\n\t\tcase 0x194: map_key_clear(KEY_FILE);\t\tbreak;\n\t\tcase 0x196: map_key_clear(KEY_WWW);\t\tbreak;\n\t\tcase 0x199: map_key_clear(KEY_CHAT);\t\tbreak;\n\t\tcase 0x19c: map_key_clear(KEY_LOGOFF);\t\tbreak;\n\t\tcase 0x19e: map_key_clear(KEY_COFFEE);\t\tbreak;\n\t\tcase 0x19f: map_key_clear(KEY_CONTROLPANEL);\t\tbreak;\n\t\tcase 0x1a2: map_key_clear(KEY_APPSELECT);\t\tbreak;\n\t\tcase 0x1a3: map_key_clear(KEY_NEXT);\t\tbreak;\n\t\tcase 0x1a4: map_key_clear(KEY_PREVIOUS);\tbreak;\n\t\tcase 0x1a6: map_key_clear(KEY_HELP);\t\tbreak;\n\t\tcase 0x1a7: map_key_clear(KEY_DOCUMENTS);\tbreak;\n\t\tcase 0x1ab: map_key_clear(KEY_SPELLCHECK);\tbreak;\n\t\tcase 0x1ae: map_key_clear(KEY_KEYBOARD);\tbreak;\n\t\tcase 0x1b1: map_key_clear(KEY_SCREENSAVER);\t\tbreak;\n\t\tcase 0x1b4: map_key_clear(KEY_FILE);\t\tbreak;\n\t\tcase 0x1b6: map_key_clear(KEY_IMAGES);\t\tbreak;\n\t\tcase 0x1b7: map_key_clear(KEY_AUDIO);\t\tbreak;\n\t\tcase 0x1b8: map_key_clear(KEY_VIDEO);\t\tbreak;\n\t\tcase 0x1bc: map_key_clear(KEY_MESSENGER);\tbreak;\n\t\tcase 0x1bd: map_key_clear(KEY_INFO);\t\tbreak;\n\t\tcase 0x1cb: map_key_clear(KEY_ASSISTANT);\tbreak;\n\t\tcase 0x201: map_key_clear(KEY_NEW);\t\tbreak;\n\t\tcase 0x202: map_key_clear(KEY_OPEN);\t\tbreak;\n\t\tcase 0x203: map_key_clear(KEY_CLOSE);\t\tbreak;\n\t\tcase 0x204: map_key_clear(KEY_EXIT);\t\tbreak;\n\t\tcase 0x207: map_key_clear(KEY_SAVE);\t\tbreak;\n\t\tcase 0x208: map_key_clear(KEY_PRINT);\t\tbreak;\n\t\tcase 0x209: map_key_clear(KEY_PROPS);\t\tbreak;\n\t\tcase 0x21a: map_key_clear(KEY_UNDO);\t\tbreak;\n\t\tcase 0x21b: map_key_clear(KEY_COPY);\t\tbreak;\n\t\tcase 0x21c: map_key_clear(KEY_CUT);\t\tbreak;\n\t\tcase 0x21d: map_key_clear(KEY_PASTE);\t\tbreak;\n\t\tcase 0x21f: map_key_clear(KEY_FIND);\t\tbreak;\n\t\tcase 0x221: map_key_clear(KEY_SEARCH);\t\tbreak;\n\t\tcase 0x222: map_key_clear(KEY_GOTO);\t\tbreak;\n\t\tcase 0x223: map_key_clear(KEY_HOMEPAGE);\tbreak;\n\t\tcase 0x224: 
map_key_clear(KEY_BACK);\t\tbreak;\n\t\tcase 0x225: map_key_clear(KEY_FORWARD);\t\tbreak;\n\t\tcase 0x226: map_key_clear(KEY_STOP);\t\tbreak;\n\t\tcase 0x227: map_key_clear(KEY_REFRESH);\t\tbreak;\n\t\tcase 0x22a: map_key_clear(KEY_BOOKMARKS);\tbreak;\n\t\tcase 0x22d: map_key_clear(KEY_ZOOMIN);\t\tbreak;\n\t\tcase 0x22e: map_key_clear(KEY_ZOOMOUT);\t\tbreak;\n\t\tcase 0x22f: map_key_clear(KEY_ZOOMRESET);\tbreak;\n\t\tcase 0x232: map_key_clear(KEY_FULL_SCREEN);\tbreak;\n\t\tcase 0x233: map_key_clear(KEY_SCROLLUP);\tbreak;\n\t\tcase 0x234: map_key_clear(KEY_SCROLLDOWN);\tbreak;\n\t\tcase 0x238: /* AC Pan */\n\t\t\tset_bit(REL_HWHEEL, input->relbit);\n\t\t\tmap_rel(REL_HWHEEL_HI_RES);\n\t\t\tbreak;\n\t\tcase 0x23d: map_key_clear(KEY_EDIT);\t\tbreak;\n\t\tcase 0x25f: map_key_clear(KEY_CANCEL);\t\tbreak;\n\t\tcase 0x269: map_key_clear(KEY_INSERT);\t\tbreak;\n\t\tcase 0x26a: map_key_clear(KEY_DELETE);\t\tbreak;\n\t\tcase 0x279: map_key_clear(KEY_REDO);\t\tbreak;\n\n\t\tcase 0x289: map_key_clear(KEY_REPLY);\t\tbreak;\n\t\tcase 0x28b: map_key_clear(KEY_FORWARDMAIL);\tbreak;\n\t\tcase 0x28c: map_key_clear(KEY_SEND);\t\tbreak;\n\n\t\tcase 0x29d: map_key_clear(KEY_KBD_LAYOUT_NEXT);\tbreak;\n\n\t\tcase 0x2c7: map_key_clear(KEY_KBDINPUTASSIST_PREV);\t\tbreak;\n\t\tcase 0x2c8: map_key_clear(KEY_KBDINPUTASSIST_NEXT);\t\tbreak;\n\t\tcase 0x2c9: map_key_clear(KEY_KBDINPUTASSIST_PREVGROUP);\t\tbreak;\n\t\tcase 0x2ca: map_key_clear(KEY_KBDINPUTASSIST_NEXTGROUP);\t\tbreak;\n\t\tcase 0x2cb: map_key_clear(KEY_KBDINPUTASSIST_ACCEPT);\tbreak;\n\t\tcase 0x2cc: map_key_clear(KEY_KBDINPUTASSIST_CANCEL);\tbreak;\n\n\t\tcase 0x29f: map_key_clear(KEY_SCALE);\t\tbreak;\n\n\t\tdefault: map_key_clear(KEY_UNKNOWN);\n\t\t}\n\t\tbreak;\n\n\tcase HID_UP_GENDEVCTRLS:\n\t\tswitch (usage->hid) {\n\t\tcase HID_DC_BATTERYSTRENGTH:\n\t\t\thidinput_setup_battery(device, HID_INPUT_REPORT, field);\n\t\t\tusage->type = EV_PWR;\n\t\t\tgoto ignore;\n\t\t}\n\t\tgoto unknown;\n\n\tcase HID_UP_HPVENDOR:\t/* Reported 
on a Dutch layout HP5308 */\n\t\tset_bit(EV_REP, input->evbit);\n\t\tswitch (usage->hid & HID_USAGE) {\n\t\tcase 0x021: map_key_clear(KEY_PRINT); break;\n\t\tcase 0x070: map_key_clear(KEY_HP);\t\tbreak;\n\t\tcase 0x071: map_key_clear(KEY_CAMERA);\t\tbreak;\n\t\tcase 0x072: map_key_clear(KEY_SOUND);\t\tbreak;\n\t\tcase 0x073: map_key_clear(KEY_QUESTION);\tbreak;\n\t\tcase 0x080: map_key_clear(KEY_EMAIL);\t\tbreak;\n\t\tcase 0x081: map_key_clear(KEY_CHAT);\t\tbreak;\n\t\tcase 0x082: map_key_clear(KEY_SEARCH);\t\tbreak;\n\t\tcase 0x083: map_key_clear(KEY_CONNECT);\t break;\n\t\tcase 0x084: map_key_clear(KEY_FINANCE);\t\tbreak;\n\t\tcase 0x085: map_key_clear(KEY_SPORT);\t\tbreak;\n\t\tcase 0x086: map_key_clear(KEY_SHOP);\t break;\n\t\tdefault: goto ignore;\n\t\t}\n\t\tbreak;\n\n\tcase HID_UP_HPVENDOR2:\n\t\tset_bit(EV_REP, input->evbit);\n\t\tswitch (usage->hid & HID_USAGE) {\n\t\tcase 0x001: map_key_clear(KEY_MICMUTE);\t\tbreak;\n\t\tcase 0x003: map_key_clear(KEY_BRIGHTNESSDOWN);\tbreak;\n\t\tcase 0x004: map_key_clear(KEY_BRIGHTNESSUP);\tbreak;\n\t\tdefault: goto ignore;\n\t\t}\n\t\tbreak;\n\n\tcase HID_UP_MSVENDOR:\n\t\tgoto ignore;\n\n\tcase HID_UP_CUSTOM: /* Reported on Logitech and Apple USB keyboards */\n\t\tset_bit(EV_REP, input->evbit);\n\t\tgoto ignore;\n\n\tcase HID_UP_LOGIVENDOR:\n\t\t/* intentional fallback */\n\tcase HID_UP_LOGIVENDOR2:\n\t\t/* intentional fallback */\n\tcase HID_UP_LOGIVENDOR3:\n\t\tgoto ignore;\n\n\tcase HID_UP_PID:\n\t\tswitch (usage->hid & HID_USAGE) {\n\t\tcase 0xa4: map_key_clear(BTN_DEAD);\tbreak;\n\t\tdefault: goto ignore;\n\t\t}\n\t\tbreak;\n\n\tdefault:\n\tunknown:\n\t\tif (field->report_size == 1) {\n\t\t\tif (field->report->type == HID_OUTPUT_REPORT) {\n\t\t\t\tmap_led(LED_MISC);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tmap_key(BTN_MISC);\n\t\t\tbreak;\n\t\t}\n\t\tif (field->flags & HID_MAIN_ITEM_RELATIVE) {\n\t\t\tmap_rel(REL_MISC);\n\t\t\tbreak;\n\t\t}\n\t\tmap_abs(ABS_MISC);\n\t\tbreak;\n\t}\n\nmapped:\n\t/* Mapping failed, bail out 
*/\n\tif (!bit)\n\t\treturn;\n\n\tif (device->driver->input_mapped &&\n\t device->driver->input_mapped(device, hidinput, field, usage,\n\t\t\t\t\t &bit, &max) < 0) {\n\t\t/*\n\t\t * The driver indicated that no further generic handling\n\t\t * of the usage is desired.\n\t\t */\n\t\treturn;\n\t}\n\n\tset_bit(usage->type, input->evbit);\n\n\t/*\n\t * This part is *really* controversial:\n\t * - HID aims at being generic so we should do our best to export\n\t * all incoming events\n\t * - HID describes what events are, so there is no reason for ABS_X\n\t * to be mapped to ABS_Y\n\t * - HID is using *_MISC+N as a default value, but nothing prevents\n\t * *_MISC+N to overwrite a legitimate even, which confuses userspace\n\t * (for instance ABS_MISC + 7 is ABS_MT_SLOT, which has a different\n\t * processing)\n\t *\n\t * If devices still want to use this (at their own risk), they will\n\t * have to use the quirk HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE, but\n\t * the default should be a reliable mapping.\n\t */\n\twhile (usage->code <= max && test_and_set_bit(usage->code, bit)) {\n\t\tif (device->quirks & HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE) {\n\t\t\tusage->code = find_next_zero_bit(bit,\n\t\t\t\t\t\t\t max + 1,\n\t\t\t\t\t\t\t usage->code);\n\t\t} else {\n\t\t\tdevice->status |= HID_STAT_DUP_DETECTED;\n\t\t\tgoto ignore;\n\t\t}\n\t}\n\n\tif (usage->code > max)\n\t\tgoto ignore;\n\n\tif (usage->type == EV_ABS) {\n\n\t\tint a = field->logical_minimum;\n\t\tint b = field->logical_maximum;\n\n\t\tif ((device->quirks & HID_QUIRK_BADPAD) && (usage->code == ABS_X || usage->code == ABS_Y)) {\n\t\t\ta = field->logical_minimum = 0;\n\t\t\tb = field->logical_maximum = 255;\n\t\t}\n\n\t\tif (field->application == HID_GD_GAMEPAD || field->application == HID_GD_JOYSTICK)\n\t\t\tinput_set_abs_params(input, usage->code, a, b, (b - a) >> 8, (b - a) >> 4);\n\t\telse\tinput_set_abs_params(input, usage->code, a, b, 0, 0);\n\n\t\tinput_abs_set_res(input, usage->code,\n\t\t\t\t 
hidinput_calc_abs_res(field, usage->code));\n\n\t\t/* use a larger default input buffer for MT devices */\n\t\tif (usage->code == ABS_MT_POSITION_X && input->hint_events_per_packet == 0)\n\t\t\tinput_set_events_per_packet(input, 60);\n\t}\n\n\tif (usage->type == EV_ABS &&\n\t (usage->hat_min < usage->hat_max || usage->hat_dir)) {\n\t\tint i;\n\t\tfor (i = usage->code; i < usage->code + 2 && i <= max; i++) {\n\t\t\tinput_set_abs_params(input, i, -1, 1, 0, 0);\n\t\t\tset_bit(i, input->absbit);\n\t\t}\n\t\tif (usage->hat_dir && !field->dpad)\n\t\t\tfield->dpad = usage->code;\n\t}\n\n\t/* for those devices which produce Consumer volume usage as relative,\n\t * we emulate pressing volumeup/volumedown appropriate number of times\n\t * in hidinput_hid_event()\n\t */\n\tif ((usage->type == EV_ABS) && (field->flags & HID_MAIN_ITEM_RELATIVE) &&\n\t\t\t(usage->code == ABS_VOLUME)) {\n\t\tset_bit(KEY_VOLUMEUP, input->keybit);\n\t\tset_bit(KEY_VOLUMEDOWN, input->keybit);\n\t}\n\n\tif (usage->type == EV_KEY) {\n\t\tset_bit(EV_MSC, input->evbit);\n\t\tset_bit(MSC_SCAN, input->mscbit);\n\t}\n\n\treturn;\n\nignore:\n\tusage->type = 0;\n\tusage->code = 0;\n}", "project": "linux", "hash": 109634807423480813893257820665352709213, "size": 675, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct 
and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458380 }, { "func": "static void nfs4_xdr_enc_close(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t const void *data)\n{\n\tconst struct nfs_closeargs *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tif (args->lr_args)\n\t\tencode_layoutreturn(xdr, args->lr_args, &hdr);\n\tif (args->bitmask != NULL)\n\t\tencode_getfattr(xdr, args->bitmask, &hdr);\n\tencode_close(xdr, args, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 114613483091133905629471622432754209578, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431185 }, { "func": "static int get_tx_bufs(struct vhost_net *net,\n\t\t struct vhost_net_virtqueue *nvq,\n\t\t struct msghdr *msg,\n\t\t unsigned int *out, unsigned int *in,\n\t\t size_t *len, bool *busyloop_intr)\n{\n\tstruct vhost_virtqueue *vq = &nvq->vq;\n\tint ret;\n\n\tret = vhost_net_tx_get_vq_desc(net, nvq, out, in, msg, busyloop_intr);\n\n\tif (ret < 0 || ret == vq->num)\n\t\treturn ret;\n\n\tif (*in) {\n\t\tvq_err(vq, \"Unexpected descriptor format for TX: out %d, int %d\\n\",\n\t\t\t*out, *in);\n\t\treturn -EFAULT;\n\t}\n\n\t/* Sanity check */\n\t*len = init_iov_iter(vq, &msg->msg_iter, nvq->vhost_hlen, *out);\n\tif (*len == 0) {\n\t\tvq_err(vq, 
\"Unexpected header len for TX: %zd expected %zd\\n\",\n\t\t\t*len, nvq->vhost_hlen);\n\t\treturn -EFAULT;\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 213621519609755971881010019321757648255, "size": 30, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 441965 }, { "func": "void ProtocolV1::send_message(Message *m) {\n bufferlist bl;\n uint64_t f = connection->get_features();\n\n // TODO: Currently not all messages supports reencode like MOSDMap, so here\n // only let fast dispatch support messages prepare message\n bool can_fast_prepare = messenger->ms_can_fast_dispatch(m);\n if (can_fast_prepare) {\n prepare_send_message(f, m, bl);\n }\n\n std::lock_guard l(connection->write_lock);\n // \"features\" changes will change the payload encoding\n if (can_fast_prepare &&\n (can_write == WriteStatus::NOWRITE || connection->get_features() != f)) {\n // ensure the correctness of message encoding\n bl.clear();\n m->clear_payload();\n ldout(cct, 5) << __func__ << \" clear encoded buffer previous \" << f\n << \" != \" << connection->get_features() << dendl;\n }\n if (can_write == WriteStatus::CLOSED) {\n ldout(cct, 10) << __func__ << \" connection closed.\"\n << \" Drop message \" << m << dendl;\n m->put();\n } else {\n 
m->queue_start = ceph::mono_clock::now();\n m->trace.event(\"async enqueueing message\");\n out_q[m->get_priority()].emplace_back(std::move(bl), m);\n ldout(cct, 15) << __func__ << \" inline write is denied, reschedule m=\" << m\n << dendl;\n if (can_write != WriteStatus::REPLACING && !write_in_progress) {\n write_in_progress = true;\n connection->center->dispatch_event_external(connection->write_handler);\n }\n }\n}", "project": "ceph", "hash": 196093646404901296921157971573666421507, "size": 37, "commit_id": "bafdfec8f974f1a3f7d404bcfd0a4cfad784937d", "message": "msg/async/ProtocolV1: resurrect \"implement cephx_*require_version options\"\n\nThis was added in commit 9bcbc2a3621f (\"mon,msg: implement\ncephx_*_require_version options\") and inadvertently dropped in\ncommit e6f043f7d2dc (\"msgr/async: huge refactoring of protocol V1\").\nAs a result, service daemons don't enforce cephx_require_version\nand cephx_cluster_require_version options and connections without\nCEPH_FEATURE_CEPHX_V2 are allowed through.\n\n(cephx_service_require_version enforcement was brought back a\nyear later in commit 321548010578 (\"mon/MonClient: skip CEPHX_V2\nchallenge if client doesn't support it\"), although the peer gets\nTAG_BADAUTHORIZER instead of TAG_FEATURES.)\n\nResurrect the original behaviour: all cephx_*require_version\noptions are enforced and the peer gets TAG_FEATURES, signifying\nthat it is missing a required feature.\n\nSigned-off-by: Ilya Dryomov \n(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)", "target": 0, "dataset": "other", "idx": 356901 }, { "func": "HttpStateData::sendRequest()\n{\n MemBuf mb;\n\n debugs(11, 5, HERE << serverConnection << \", request \" << request << \", this \" << this << \".\");\n\n if (!Comm::IsConnOpen(serverConnection)) {\n debugs(11,3, HERE << \"cannot send request to closing \" << serverConnection);\n assert(closeHandler != NULL);\n return false;\n }\n\n typedef CommCbMemFunT TimeoutDialer;\n AsyncCall::Pointer 
timeoutCall = JobCallback(11, 5,\n TimeoutDialer, this, HttpStateData::httpTimeout);\n commSetConnTimeout(serverConnection, Config.Timeout.lifetime, timeoutCall);\n flags.do_next_read = true;\n maybeReadVirginBody();\n\n if (request->body_pipe != NULL) {\n if (!startRequestBodyFlow()) // register to receive body data\n return false;\n typedef CommCbMemFunT Dialer;\n requestSender = JobCallback(11,5,\n Dialer, this, HttpStateData::sentRequestBody);\n\n Must(!flags.chunked_request);\n // use chunked encoding if we do not know the length\n if (request->content_length < 0)\n flags.chunked_request = true;\n } else {\n assert(!requestBodySource);\n typedef CommCbMemFunT Dialer;\n requestSender = JobCallback(11,5,\n Dialer, this, HttpStateData::wroteLast);\n }\n\n flags.originpeer = (_peer != NULL && _peer->options.originserver);\n flags.proxying = (_peer != NULL && !flags.originpeer);\n\n /*\n * Is keep-alive okay for all request methods?\n */\n if (request->flags.mustKeepalive)\n flags.keepalive = true;\n else if (request->flags.pinned)\n flags.keepalive = request->persistent();\n else if (!Config.onoff.server_pconns)\n flags.keepalive = false;\n else if (_peer == NULL)\n flags.keepalive = true;\n else if (_peer->stats.n_keepalives_sent < 10)\n flags.keepalive = true;\n else if ((double) _peer->stats.n_keepalives_recv /\n (double) _peer->stats.n_keepalives_sent > 0.50)\n flags.keepalive = true;\n\n if (_peer) {\n /*The old code here was\n if (neighborType(_peer, request->url) == PEER_SIBLING && ...\n which is equivalent to:\n if (neighborType(_peer, URL()) == PEER_SIBLING && ...\n or better:\n if (((_peer->type == PEER_MULTICAST && p->options.mcast_siblings) ||\n _peer->type == PEER_SIBLINGS ) && _peer->options.allow_miss)\n flags.only_if_cached = 1;\n\n But I suppose it was a bug\n */\n if (neighborType(_peer, request->url) == PEER_SIBLING && !_peer->options.allow_miss)\n flags.only_if_cached = true;\n\n flags.front_end_https = _peer->front_end_https;\n }\n\n 
mb.init();\n request->peer_host=_peer?_peer->host:NULL;\n buildRequestPrefix(&mb);\n\n debugs(11, 2, \"HTTP Server \" << serverConnection);\n debugs(11, 2, \"HTTP Server REQUEST:\\n---------\\n\" << mb.buf << \"\\n----------\");\n\n Comm::Write(serverConnection, &mb, requestSender);\n return true;\n}", "project": "squid", "hash": 54253410410276161321666149417620117872, "size": 85, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402309 }, { "func": "static int rar5_read_data(struct archive_read *a, const void **buff,\n size_t *size, int64_t *offset) {\n\tint ret;\n\tstruct rar5* rar = get_context(a);\n\n\tif(rar->file.dir > 0) {\n\t\t/* Don't process any data if this file entry was declared\n\t\t * as a directory. This is needed, because entries marked as\n\t\t * directory doesn't have any dictionary buffer allocated, so\n\t\t * it's impossible to perform any decompression. 
*/\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,\n\t\t \"Can't decompress an entry marked as a directory\");\n\t\treturn ARCHIVE_FAILED;\n\t}\n\n\tif(!rar->skip_mode && (rar->cstate.last_write_ptr > rar->file.unpacked_size)) {\n\t\tarchive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,\n\t\t \"Unpacker has written too many bytes\");\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\tret = use_data(rar, buff, size, offset);\n\tif(ret == ARCHIVE_OK) {\n\t\treturn ret;\n\t}\n\n\tif(rar->file.eof == 1) {\n\t\treturn ARCHIVE_EOF;\n\t}\n\n\tret = do_unpack(a, rar, buff, size, offset);\n\tif(ret != ARCHIVE_OK) {\n\t\treturn ret;\n\t}\n\n\tif(rar->file.bytes_remaining == 0 &&\n\t\t\trar->cstate.last_write_ptr == rar->file.unpacked_size)\n\t{\n\t\t/* If all bytes of current file were processed, run\n\t\t * finalization.\n\t\t *\n\t\t * Finalization will check checksum against proper values. If\n\t\t * some of the checksums will not match, we'll return an error\n\t\t * value in the last `archive_read_data` call to signal an error\n\t\t * to the user. */\n\n\t\trar->file.eof = 1;\n\t\treturn verify_global_checksums(a);\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 242824082336714874559778270097049721410, "size": 52, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244707 }, { "func": "static int bcf_hdr_add_sample_len(bcf_hdr_t *h, const char *s, size_t len)\n{\n if ( !s ) return 0;\n if (len == 0) len = strlen(s);\n\n const char *ss = s;\n while ( *ss && isspace_c(*ss) && ss - s < len) ss++;\n if ( !*ss || ss - s == len)\n {\n hts_log_error(\"Empty sample name: trailing spaces/tabs in the header line?\");\n return -1;\n }\n\n vdict_t *d = (vdict_t*)h->dict[BCF_DT_SAMPLE];\n int ret;\n char *sdup = malloc(len + 1);\n if (!sdup) return -1;\n memcpy(sdup, s, len);\n sdup[len] = 0;\n\n // Ensure space is available in h->samples\n size_t n = kh_size(d);\n char **new_samples = realloc(h->samples, sizeof(char*) * (n + 1));\n if (!new_samples) {\n free(sdup);\n return -1;\n }\n h->samples = new_samples;\n\n int k = kh_put(vdict, d, sdup, &ret);\n if (ret < 0) {\n free(sdup);\n return -1;\n }\n if (ret) { // absent\n kh_val(d, k) = bcf_idinfo_def;\n kh_val(d, k).id = n;\n } else {\n hts_log_error(\"Duplicated sample name '%s'\", s);\n free(sdup);\n return -1;\n }\n h->samples[n] = sdup;\n h->dirty = 1;\n return 0;\n}", "project": "htslib", "hash": 317122152801252116715873533213552870229, "size": 46, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402207 }, { "func": "static void __hci_req_resume_adv_instances(struct hci_request *req)\n{\n\tstruct adv_info *adv;\n\n\tbt_dev_dbg(req->hdev, \"Resuming advertising instances\");\n\n\tif (ext_adv_capable(req->hdev)) {\n\t\t/* Call for each tracked instance to be re-enabled */\n\t\tlist_for_each_entry(adv, &req->hdev->adv_instances, list) {\n\t\t\t__hci_req_enable_ext_advertising(req,\n\t\t\t\t\t\t\t adv->instance);\n\t\t}\n\n\t} else {\n\t\t/* Schedule for most recent instance to be restarted and begin\n\t\t * the software rotation loop\n\t\t */\n\t\t__hci_req_schedule_adv_instance(req,\n\t\t\t\t\t\treq->hdev->cur_adv_instance,\n\t\t\t\t\t\ttrue);\n\t}\n}", "project": "linux", "hash": 256670433615404665504123963590982530629, "size": 22, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402501 }, { "func": "static int fuse_rmdir(struct inode *dir, struct dentry *entry)\n{\n\tint err;\n\tstruct fuse_mount *fm = get_fuse_mount(dir);\n\tFUSE_ARGS(args);\n\n\tif (fuse_is_bad(dir))\n\t\treturn -EIO;\n\n\targs.opcode = FUSE_RMDIR;\n\targs.nodeid = get_node_id(dir);\n\targs.in_numargs = 1;\n\targs.in_args[0].size = entry->d_name.len + 1;\n\targs.in_args[0].value = entry->d_name.name;\n\terr = fuse_simple_request(fm, &args);\n\tif (!err) {\n\t\tclear_nlink(d_inode(entry));\n\t\tfuse_dir_changed(dir);\n\t\tfuse_invalidate_entry_cache(entry);\n\t} else if (err == -EINTR)\n\t\tfuse_invalidate_entry(entry);\n\treturn err;\n}", "project": "linux", "hash": 180215439696701907360466347846893960601, "size": 23, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342124 }, { "func": "string GraphConstructor::FindUniqueName(StringPiece original_name) {\n string name(original_name);\n int count = 0;\n // Check that any generated names don't collide with imported NodeDefs (as\n // well as nodes in g_).\n while (NameExistsInGraph(name) || (count > 0 && NameExistsInGraphDef(name))) {\n name = strings::StrCat(original_name, \"_\", ++count);\n }\n return name;\n}", "project": "tensorflow", "hash": 242585525824469833322701226959546081722, "size": 10, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268318 }, { "func": "static int pick_link(struct nameidata *nd, struct path *link,\n\t\t struct inode *inode, unsigned seq)\n{\n\tint error;\n\tstruct saved *last;\n\tif (unlikely(nd->total_link_count++ >= MAXSYMLINKS)) {\n\t\tpath_to_nameidata(link, nd);\n\t\treturn -ELOOP;\n\t}\n\tif (!(nd->flags & LOOKUP_RCU)) {\n\t\tif (link->mnt == nd->path.mnt)\n\t\t\tmntget(link->mnt);\n\t}\n\terror = nd_alloc_stack(nd);\n\tif (unlikely(error)) {\n\t\tif (error == -ECHILD) {\n\t\t\tif (unlikely(!legitimize_path(nd, link, seq))) {\n\t\t\t\tdrop_links(nd);\n\t\t\t\tnd->depth = 0;\n\t\t\t\tnd->flags &= ~LOOKUP_RCU;\n\t\t\t\tnd->path.mnt = NULL;\n\t\t\t\tnd->path.dentry = NULL;\n\t\t\t\trcu_read_unlock();\n\t\t\t} else if (likely(unlazy_walk(nd)) == 0)\n\t\t\t\terror = nd_alloc_stack(nd);\n\t\t}\n\t\tif (error) {\n\t\t\tpath_put(link);\n\t\t\treturn error;\n\t\t}\n\t}\n\n\tlast = nd->stack + nd->depth++;\n\tlast->link = *link;\n\tclear_delayed_call(&last->done);\n\tnd->link_inode = inode;\n\tlast->seq = seq;\n\treturn 1;\n}", "project": "linux", "hash": 222437808140466797289672282226555077871, "size": 39, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295409 }, { "func": "static int SFDGetBitmapProps(FILE *sfd,BDFFont *bdf,char *tok) {\n int pcnt;\n int i;\n\n if ( getint(sfd,&pcnt)!=1 || pcnt<=0 )\nreturn( 0 );\n bdf->prop_cnt = pcnt;\n 
bdf->props = malloc(pcnt*sizeof(BDFProperties));\n for ( i=0; iprops[i].name = copy(tok);\n\tgetint(sfd,&bdf->props[i].type);\n\tswitch ( bdf->props[i].type&~prt_property ) {\n\t case prt_int: case prt_uint:\n\t getint(sfd,&bdf->props[i].u.val);\n\t break;\n\t case prt_string: case prt_atom:\n\t geteol(sfd,tok);\n\t if ( tok[strlen(tok)-1]=='\"' ) tok[strlen(tok)-1] = '\\0';\n\t bdf->props[i].u.str = copy(tok[0]=='\"'?tok+1:tok);\n\t break;\n\t default:\n\t break;\n\t}\n }\n bdf->prop_cnt = i;\nreturn( 1 );\n}", "project": "fontforge", "hash": 214103632234151133122792906786018386089, "size": 31, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417809 }, { "func": "void CSoundFile::MidiPortamento(CHANNELINDEX nChn, int param, bool doFineSlides)\n{\n\tint actualParam = mpt::abs(param);\n\tint pitchBend = 0;\n\n\t// Old MIDI Pitch Bends:\n\t// - Applied on every tick\n\t// - No fine pitch slides (they are interpreted as normal slides)\n\t// New MIDI Pitch Bends:\n\t// - Behaviour identical to sample pitch bends if the instrument's PWD parameter corresponds to the actual VSTi setting.\n\n\tif(doFineSlides && actualParam >= 0xE0 && !m_playBehaviour[kOldMIDIPitchBends])\n\t{\n\t\tif(m_PlayState.Chn[nChn].isFirstTick)\n\t\t{\n\t\t\t// Extra fine slide...\n\t\t\tpitchBend = (actualParam & 0x0F) * sgn(param);\n\t\t\tif(actualParam >= 0xF0)\n\t\t\t{\n\t\t\t\t// ... 
or just a fine slide!\n\t\t\t\tpitchBend *= 4;\n\t\t\t}\n\t\t}\n\t} else if(!m_PlayState.Chn[nChn].isFirstTick || m_playBehaviour[kOldMIDIPitchBends])\n\t{\n\t\t// Regular slide\n\t\tpitchBend = param * 4;\n\t}\n\n\tif(pitchBend)\n\t{\n#ifndef NO_PLUGINS\n\t\tIMixPlugin *plugin = GetChannelInstrumentPlugin(nChn);\n\t\tif(plugin != nullptr)\n\t\t{\n\t\t\tint8 pwd = 13;\t// Early OpenMPT legacy... Actually it's not *exactly* 13, but close enough...\n\t\t\tif(m_PlayState.Chn[nChn].pModInstrument != nullptr)\n\t\t\t{\n\t\t\t\tpwd = m_PlayState.Chn[nChn].pModInstrument->midiPWD;\n\t\t\t}\n\t\t\tplugin->MidiPitchBend(GetBestMidiChannel(nChn), pitchBend, pwd);\n\t\t}\n#endif // NO_PLUGINS\n\t}\n}", "project": "openmpt", "hash": 307367055381300807367175489854329061336, "size": 45, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255183 }, { "func": "static void stimer_prepare_msg(struct kvm_vcpu_hv_stimer *stimer)\n{\n\tstruct hv_message *msg = &stimer->msg;\n\tstruct hv_timer_message_payload *payload =\n\t\t\t(struct hv_timer_message_payload *)&msg->u.payload;\n\n\tmemset(&msg->header, 0, sizeof(msg->header));\n\tmsg->header.message_type = HVMSG_TIMER_EXPIRED;\n\tmsg->header.payload_size = sizeof(*payload);\n\n\tpayload->timer_index = stimer->index;\n\tpayload->expiration_time = 0;\n\tpayload->delivery_time = 0;\n}", "project": "linux", "hash": 182777931085834919587188919541655277524, "size": 14, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 
1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343516 }, { "func": "bool CClient::OnOtherMessage(CMessage& Message) {\n const CString& sCommand = Message.GetCommand();\n\n if (sCommand.Equals(\"ZNC\")) {\n CString sTarget = Message.GetParam(0);\n CString sModCommand;\n\n if (sTarget.TrimPrefix(m_pUser->GetStatusPrefix())) {\n sModCommand = Message.GetParamsColon(1);\n } else {\n sTarget = \"status\";\n sModCommand = Message.GetParamsColon(0);\n }\n\n if (sTarget.Equals(\"status\")) {\n if (sModCommand.empty())\n PutStatus(t_s(\"Hello. 
How may I help you?\"));\n else\n UserCommand(sModCommand);\n } else {\n if (sModCommand.empty())\n CALLMOD(sTarget, this, m_pUser, m_pNetwork,\n PutModule(t_s(\"Hello. How may I help you?\")))\n else\n CALLMOD(sTarget, this, m_pUser, m_pNetwork,\n OnModCommand(sModCommand))\n }\n return true;\n } else if (sCommand.Equals(\"ATTACH\")) {\n if (!m_pNetwork) {\n return true;\n }\n\n CString sPatterns = Message.GetParamsColon(0);\n\n if (sPatterns.empty()) {\n PutStatusNotice(t_s(\"Usage: /attach <#chans>\"));\n return true;\n }\n\n set sChans = MatchChans(sPatterns);\n unsigned int uAttachedChans = AttachChans(sChans);\n\n PutStatusNotice(t_p(\"There was {1} channel matching [{2}]\",\n \"There were {1} channels matching [{2}]\",\n sChans.size())(sChans.size(), sPatterns));\n PutStatusNotice(t_p(\"Attached {1} channel\", \"Attached {1} channels\",\n uAttachedChans)(uAttachedChans));\n\n return true;\n } else if (sCommand.Equals(\"DETACH\")) {\n if (!m_pNetwork) {\n return true;\n }\n\n CString sPatterns = Message.GetParamsColon(0);\n\n if (sPatterns.empty()) {\n PutStatusNotice(t_s(\"Usage: /detach <#chans>\"));\n return true;\n }\n\n set sChans = MatchChans(sPatterns);\n unsigned int uDetached = DetachChans(sChans);\n\n PutStatusNotice(t_p(\"There was {1} channel matching [{2}]\",\n \"There were {1} channels matching [{2}]\",\n sChans.size())(sChans.size(), sPatterns));\n PutStatusNotice(t_p(\"Detached {1} channel\", \"Detached {1} channels\",\n uDetached)(uDetached));\n\n return true;\n } else if (sCommand.Equals(\"PROTOCTL\")) {\n for (const CString& sParam : Message.GetParams()) {\n if (sParam == \"NAMESX\") {\n m_bNamesx = true;\n } else if (sParam == \"UHNAMES\") {\n m_bUHNames = true;\n }\n }\n return true; // If the server understands it, we already enabled namesx\n // / uhnames\n }\n\n return false;\n}", "project": "znc", "hash": 279876878076674096267232383586043218276, "size": 86, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix 
echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231553 }, { "func": "static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,\n OPJ_BOOL isEncoder, OPJ_FLOAT32 fraction, OPJ_SIZE_T sizeof_block,\n opj_event_mgr_t* manager)\n{\n OPJ_UINT32(*l_gain_ptr)(OPJ_UINT32) = 00;\n OPJ_UINT32 compno, resno, bandno, precno, cblkno;\n opj_tcp_t * l_tcp = 00;\n opj_cp_t * l_cp = 00;\n opj_tcd_tile_t * l_tile = 00;\n opj_tccp_t *l_tccp = 00;\n opj_tcd_tilecomp_t *l_tilec = 00;\n opj_image_comp_t * l_image_comp = 00;\n opj_tcd_resolution_t *l_res = 00;\n opj_tcd_band_t *l_band = 00;\n opj_stepsize_t * l_step_size = 00;\n opj_tcd_precinct_t *l_current_precinct = 00;\n opj_image_t *l_image = 00;\n OPJ_UINT32 p, q;\n OPJ_UINT32 l_level_no;\n OPJ_UINT32 l_pdx, l_pdy;\n OPJ_UINT32 l_gain;\n OPJ_INT32 l_x0b, l_y0b;\n OPJ_UINT32 l_tx0, l_ty0;\n /* extent of precincts , top left, bottom right**/\n OPJ_INT32 l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end, l_br_prc_y_end;\n /* number of precinct for a resolution */\n OPJ_UINT32 l_nb_precincts;\n /* room needed to store l_nb_precinct precinct for a resolution */\n OPJ_UINT32 l_nb_precinct_size;\n /* number of code blocks for a precinct*/\n OPJ_UINT32 l_nb_code_blocks;\n /* room needed to store l_nb_code_blocks code blocks for a precinct*/\n OPJ_UINT32 l_nb_code_blocks_size;\n /* size of data for a tile */\n OPJ_UINT32 l_data_size;\n\n l_cp = p_tcd->cp;\n l_tcp = &(l_cp->tcps[p_tile_no]);\n l_tile = p_tcd->tcd_image->tiles;\n l_tccp = l_tcp->tccps;\n l_tilec = l_tile->comps;\n l_image = p_tcd->image;\n l_image_comp = p_tcd->image->comps;\n\n p = p_tile_no % l_cp->tw; /* tile coordinates */\n q = p_tile_no / l_cp->tw;\n /*fprintf(stderr, \"Tile coordinate = %d,%d\\n\", p, q);*/\n\n /* 4 borders of the tile rescale on the image if necessary */\n l_tx0 = l_cp->tx0 + p *\n l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */\n l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, 
l_image->x0);\n l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx),\n l_image->x1);\n /* all those OPJ_UINT32 are casted to OPJ_INT32, let's do some sanity check */\n if ((l_tile->x0 < 0) || (l_tile->x1 <= l_tile->x0)) {\n opj_event_msg(manager, EVT_ERROR, \"Tile X coordinates are not supported\\n\");\n return OPJ_FALSE;\n }\n l_ty0 = l_cp->ty0 + q *\n l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */\n l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0);\n l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy),\n l_image->y1);\n /* all those OPJ_UINT32 are casted to OPJ_INT32, let's do some sanity check */\n if ((l_tile->y0 < 0) || (l_tile->y1 <= l_tile->y0)) {\n opj_event_msg(manager, EVT_ERROR, \"Tile Y coordinates are not supported\\n\");\n return OPJ_FALSE;\n }\n\n\n /* testcase 1888.pdf.asan.35.988 */\n if (l_tccp->numresolutions == 0) {\n opj_event_msg(manager, EVT_ERROR, \"tiles require at least one resolution\\n\");\n return OPJ_FALSE;\n }\n /*fprintf(stderr, \"Tile border = %d,%d,%d,%d\\n\", l_tile->x0, l_tile->y0,l_tile->x1,l_tile->y1);*/\n\n /*tile->numcomps = image->numcomps; */\n for (compno = 0; compno < l_tile->numcomps; ++compno) {\n /*fprintf(stderr, \"compno = %d/%d\\n\", compno, l_tile->numcomps);*/\n l_image_comp->resno_decoded = 0;\n /* border of each l_tile component (global) */\n l_tilec->x0 = opj_int_ceildiv(l_tile->x0, (OPJ_INT32)l_image_comp->dx);\n l_tilec->y0 = opj_int_ceildiv(l_tile->y0, (OPJ_INT32)l_image_comp->dy);\n l_tilec->x1 = opj_int_ceildiv(l_tile->x1, (OPJ_INT32)l_image_comp->dx);\n l_tilec->y1 = opj_int_ceildiv(l_tile->y1, (OPJ_INT32)l_image_comp->dy);\n l_tilec->compno = compno;\n /*fprintf(stderr, \"\\tTile compo border = %d,%d,%d,%d\\n\", l_tilec->x0, l_tilec->y0,l_tilec->x1,l_tilec->y1);*/\n\n l_tilec->numresolutions = l_tccp->numresolutions;\n if (l_tccp->numresolutions < l_cp->m_specific_param.m_dec.m_reduce) {\n l_tilec->minimum_num_resolutions = 1;\n } else {\n 
l_tilec->minimum_num_resolutions = l_tccp->numresolutions -\n l_cp->m_specific_param.m_dec.m_reduce;\n }\n\n if (isEncoder) {\n OPJ_SIZE_T l_tile_data_size;\n\n /* compute l_data_size with overflow check */\n OPJ_SIZE_T w = (OPJ_SIZE_T)(l_tilec->x1 - l_tilec->x0);\n OPJ_SIZE_T h = (OPJ_SIZE_T)(l_tilec->y1 - l_tilec->y0);\n\n /* issue 733, l_data_size == 0U, probably something wrong should be checked before getting here */\n if (h > 0 && w > SIZE_MAX / h) {\n opj_event_msg(manager, EVT_ERROR, \"Size of tile data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n l_tile_data_size = w * h;\n\n if (SIZE_MAX / sizeof(OPJ_UINT32) < l_tile_data_size) {\n opj_event_msg(manager, EVT_ERROR, \"Size of tile data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n l_tile_data_size = l_tile_data_size * sizeof(OPJ_UINT32);\n\n l_tilec->data_size_needed = l_tile_data_size;\n }\n\n l_data_size = l_tilec->numresolutions * (OPJ_UINT32)sizeof(\n opj_tcd_resolution_t);\n\n opj_image_data_free(l_tilec->data_win);\n l_tilec->data_win = NULL;\n l_tilec->win_x0 = 0;\n l_tilec->win_y0 = 0;\n l_tilec->win_x1 = 0;\n l_tilec->win_y1 = 0;\n\n if (l_tilec->resolutions == 00) {\n l_tilec->resolutions = (opj_tcd_resolution_t *) opj_malloc(l_data_size);\n if (! l_tilec->resolutions) {\n return OPJ_FALSE;\n }\n /*fprintf(stderr, \"\\tAllocate resolutions of tilec (opj_tcd_resolution_t): %d\\n\",l_data_size);*/\n l_tilec->resolutions_size = l_data_size;\n memset(l_tilec->resolutions, 0, l_data_size);\n } else if (l_data_size > l_tilec->resolutions_size) {\n opj_tcd_resolution_t* new_resolutions = (opj_tcd_resolution_t *) opj_realloc(\n l_tilec->resolutions, l_data_size);\n if (! 
new_resolutions) {\n opj_event_msg(manager, EVT_ERROR, \"Not enough memory for tile resolutions\\n\");\n opj_free(l_tilec->resolutions);\n l_tilec->resolutions = NULL;\n l_tilec->resolutions_size = 0;\n return OPJ_FALSE;\n }\n l_tilec->resolutions = new_resolutions;\n /*fprintf(stderr, \"\\tReallocate data of tilec (int): from %d to %d x OPJ_UINT32\\n\", l_tilec->resolutions_size, l_data_size);*/\n memset(((OPJ_BYTE*) l_tilec->resolutions) + l_tilec->resolutions_size, 0,\n l_data_size - l_tilec->resolutions_size);\n l_tilec->resolutions_size = l_data_size;\n }\n\n l_level_no = l_tilec->numresolutions;\n l_res = l_tilec->resolutions;\n l_step_size = l_tccp->stepsizes;\n if (l_tccp->qmfbid == 0) {\n l_gain_ptr = &opj_dwt_getgain_real;\n } else {\n l_gain_ptr = &opj_dwt_getgain;\n }\n /*fprintf(stderr, \"\\tlevel_no=%d\\n\",l_level_no);*/\n\n for (resno = 0; resno < l_tilec->numresolutions; ++resno) {\n /*fprintf(stderr, \"\\t\\tresno = %d/%d\\n\", resno, l_tilec->numresolutions);*/\n OPJ_INT32 tlcbgxstart, tlcbgystart /*, brcbgxend, brcbgyend*/;\n OPJ_UINT32 cbgwidthexpn, cbgheightexpn;\n OPJ_UINT32 cblkwidthexpn, cblkheightexpn;\n\n --l_level_no;\n\n /* border for each resolution level (global) */\n l_res->x0 = opj_int_ceildivpow2(l_tilec->x0, (OPJ_INT32)l_level_no);\n l_res->y0 = opj_int_ceildivpow2(l_tilec->y0, (OPJ_INT32)l_level_no);\n l_res->x1 = opj_int_ceildivpow2(l_tilec->x1, (OPJ_INT32)l_level_no);\n l_res->y1 = opj_int_ceildivpow2(l_tilec->y1, (OPJ_INT32)l_level_no);\n\n /*fprintf(stderr, \"\\t\\t\\tres_x0= %d, res_y0 =%d, res_x1=%d, res_y1=%d\\n\", l_res->x0, l_res->y0, l_res->x1, l_res->y1);*/\n /* p. 35, table A-23, ISO/IEC FDIS154444-1 : 2000 (18 august 2000) */\n l_pdx = l_tccp->prcw[resno];\n l_pdy = l_tccp->prch[resno];\n /*fprintf(stderr, \"\\t\\t\\tpdx=%d, pdy=%d\\n\", l_pdx, l_pdy);*/\n /* p. 
64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */\n l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;\n l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;\n l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;\n l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;\n /*fprintf(stderr, \"\\t\\t\\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \\n\", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/\n\n l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((\n l_br_prc_x_end - l_tl_prc_x_start) >> l_pdx);\n l_res->ph = (l_res->y0 == l_res->y1) ? 0U : (OPJ_UINT32)((\n l_br_prc_y_end - l_tl_prc_y_start) >> l_pdy);\n /*fprintf(stderr, \"\\t\\t\\tres_pw=%d, res_ph=%d\\n\", l_res->pw, l_res->ph );*/\n\n if ((l_res->pw != 0U) && ((((OPJ_UINT32) - 1) / l_res->pw) < l_res->ph)) {\n opj_event_msg(manager, EVT_ERROR, \"Size of tile data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n l_nb_precincts = l_res->pw * l_res->ph;\n\n if ((((OPJ_UINT32) - 1) / (OPJ_UINT32)sizeof(opj_tcd_precinct_t)) <\n l_nb_precincts) {\n opj_event_msg(manager, EVT_ERROR, \"Size of tile data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n l_nb_precinct_size = l_nb_precincts * (OPJ_UINT32)sizeof(opj_tcd_precinct_t);\n\n if (resno == 0) {\n tlcbgxstart = l_tl_prc_x_start;\n tlcbgystart = l_tl_prc_y_start;\n /*brcbgxend = l_br_prc_x_end;*/\n /* brcbgyend = l_br_prc_y_end;*/\n cbgwidthexpn = l_pdx;\n cbgheightexpn = l_pdy;\n l_res->numbands = 1;\n } else {\n tlcbgxstart = opj_int_ceildivpow2(l_tl_prc_x_start, 1);\n tlcbgystart = opj_int_ceildivpow2(l_tl_prc_y_start, 1);\n /*brcbgxend = opj_int_ceildivpow2(l_br_prc_x_end, 1);*/\n /*brcbgyend = opj_int_ceildivpow2(l_br_prc_y_end, 1);*/\n cbgwidthexpn = l_pdx - 1;\n cbgheightexpn = l_pdy - 1;\n l_res->numbands = 3;\n }\n\n cblkwidthexpn = opj_uint_min(l_tccp->cblkw, cbgwidthexpn);\n 
cblkheightexpn = opj_uint_min(l_tccp->cblkh, cbgheightexpn);\n l_band = l_res->bands;\n\n for (bandno = 0; bandno < l_res->numbands; ++bandno, ++l_band, ++l_step_size) {\n OPJ_INT32 numbps;\n /*fprintf(stderr, \"\\t\\t\\tband_no=%d/%d\\n\", bandno, l_res->numbands );*/\n\n if (resno == 0) {\n l_band->bandno = 0 ;\n l_band->x0 = opj_int_ceildivpow2(l_tilec->x0, (OPJ_INT32)l_level_no);\n l_band->y0 = opj_int_ceildivpow2(l_tilec->y0, (OPJ_INT32)l_level_no);\n l_band->x1 = opj_int_ceildivpow2(l_tilec->x1, (OPJ_INT32)l_level_no);\n l_band->y1 = opj_int_ceildivpow2(l_tilec->y1, (OPJ_INT32)l_level_no);\n } else {\n l_band->bandno = bandno + 1;\n /* x0b = 1 if bandno = 1 or 3 */\n l_x0b = l_band->bandno & 1;\n /* y0b = 1 if bandno = 2 or 3 */\n l_y0b = (OPJ_INT32)((l_band->bandno) >> 1);\n /* l_band border (global) */\n l_band->x0 = opj_int64_ceildivpow2(l_tilec->x0 - ((OPJ_INT64)l_x0b <<\n l_level_no), (OPJ_INT32)(l_level_no + 1));\n l_band->y0 = opj_int64_ceildivpow2(l_tilec->y0 - ((OPJ_INT64)l_y0b <<\n l_level_no), (OPJ_INT32)(l_level_no + 1));\n l_band->x1 = opj_int64_ceildivpow2(l_tilec->x1 - ((OPJ_INT64)l_x0b <<\n l_level_no), (OPJ_INT32)(l_level_no + 1));\n l_band->y1 = opj_int64_ceildivpow2(l_tilec->y1 - ((OPJ_INT64)l_y0b <<\n l_level_no), (OPJ_INT32)(l_level_no + 1));\n }\n\n if (isEncoder) {\n /* Skip empty bands */\n if (opj_tcd_is_band_empty(l_band)) {\n /* Do not zero l_band->precints to avoid leaks */\n /* but make sure we don't use it later, since */\n /* it will point to precincts of previous bands... 
*/\n continue;\n }\n }\n\n /** avoid an if with storing function pointer */\n l_gain = (*l_gain_ptr)(l_band->bandno);\n numbps = (OPJ_INT32)(l_image_comp->prec + l_gain);\n l_band->stepsize = (OPJ_FLOAT32)(((1.0 + l_step_size->mant / 2048.0) * pow(2.0,\n (OPJ_INT32)(numbps - l_step_size->expn)))) * fraction;\n /* Mb value of Equation E-2 in \"E.1 Inverse quantization\n * procedure\" of the standard */\n l_band->numbps = l_step_size->expn + (OPJ_INT32)l_tccp->numgbits -\n 1;\n\n if (!l_band->precincts && (l_nb_precincts > 0U)) {\n l_band->precincts = (opj_tcd_precinct_t *) opj_malloc(/*3 * */\n l_nb_precinct_size);\n if (! l_band->precincts) {\n opj_event_msg(manager, EVT_ERROR,\n \"Not enough memory to handle band precints\\n\");\n return OPJ_FALSE;\n }\n /*fprintf(stderr, \"\\t\\t\\t\\tAllocate precincts of a band (opj_tcd_precinct_t): %d\\n\",l_nb_precinct_size); */\n memset(l_band->precincts, 0, l_nb_precinct_size);\n l_band->precincts_data_size = l_nb_precinct_size;\n } else if (l_band->precincts_data_size < l_nb_precinct_size) {\n\n opj_tcd_precinct_t * new_precincts = (opj_tcd_precinct_t *) opj_realloc(\n l_band->precincts,/*3 * */ l_nb_precinct_size);\n if (! 
new_precincts) {\n opj_event_msg(manager, EVT_ERROR,\n \"Not enough memory to handle band precints\\n\");\n opj_free(l_band->precincts);\n l_band->precincts = NULL;\n l_band->precincts_data_size = 0;\n return OPJ_FALSE;\n }\n l_band->precincts = new_precincts;\n /*fprintf(stderr, \"\\t\\t\\t\\tReallocate precincts of a band (opj_tcd_precinct_t): from %d to %d\\n\",l_band->precincts_data_size, l_nb_precinct_size);*/\n memset(((OPJ_BYTE *) l_band->precincts) + l_band->precincts_data_size, 0,\n l_nb_precinct_size - l_band->precincts_data_size);\n l_band->precincts_data_size = l_nb_precinct_size;\n }\n\n l_current_precinct = l_band->precincts;\n for (precno = 0; precno < l_nb_precincts; ++precno) {\n OPJ_INT32 tlcblkxstart, tlcblkystart, brcblkxend, brcblkyend;\n OPJ_INT32 cbgxstart = tlcbgxstart + (OPJ_INT32)(precno % l_res->pw) *\n (1 << cbgwidthexpn);\n OPJ_INT32 cbgystart = tlcbgystart + (OPJ_INT32)(precno / l_res->pw) *\n (1 << cbgheightexpn);\n OPJ_INT32 cbgxend = cbgxstart + (1 << cbgwidthexpn);\n OPJ_INT32 cbgyend = cbgystart + (1 << cbgheightexpn);\n /*fprintf(stderr, \"\\t precno=%d; bandno=%d, resno=%d; compno=%d\\n\", precno, bandno , resno, compno);*/\n /*fprintf(stderr, \"\\t tlcbgxstart(=%d) + (precno(=%d) percent res->pw(=%d)) * (1 << cbgwidthexpn(=%d)) \\n\",tlcbgxstart,precno,l_res->pw,cbgwidthexpn);*/\n\n /* precinct size (global) */\n /*fprintf(stderr, \"\\t cbgxstart=%d, l_band->x0 = %d \\n\",cbgxstart, l_band->x0);*/\n\n l_current_precinct->x0 = opj_int_max(cbgxstart, l_band->x0);\n l_current_precinct->y0 = opj_int_max(cbgystart, l_band->y0);\n l_current_precinct->x1 = opj_int_min(cbgxend, l_band->x1);\n l_current_precinct->y1 = opj_int_min(cbgyend, l_band->y1);\n /*fprintf(stderr, \"\\t prc_x0=%d; prc_y0=%d, prc_x1=%d; prc_y1=%d\\n\",l_current_precinct->x0, l_current_precinct->y0 ,l_current_precinct->x1, l_current_precinct->y1);*/\n\n tlcblkxstart = opj_int_floordivpow2(l_current_precinct->x0,\n (OPJ_INT32)cblkwidthexpn) << cblkwidthexpn;\n 
/*fprintf(stderr, \"\\t tlcblkxstart =%d\\n\",tlcblkxstart );*/\n tlcblkystart = opj_int_floordivpow2(l_current_precinct->y0,\n (OPJ_INT32)cblkheightexpn) << cblkheightexpn;\n /*fprintf(stderr, \"\\t tlcblkystart =%d\\n\",tlcblkystart );*/\n brcblkxend = opj_int_ceildivpow2(l_current_precinct->x1,\n (OPJ_INT32)cblkwidthexpn) << cblkwidthexpn;\n /*fprintf(stderr, \"\\t brcblkxend =%d\\n\",brcblkxend );*/\n brcblkyend = opj_int_ceildivpow2(l_current_precinct->y1,\n (OPJ_INT32)cblkheightexpn) << cblkheightexpn;\n /*fprintf(stderr, \"\\t brcblkyend =%d\\n\",brcblkyend );*/\n l_current_precinct->cw = (OPJ_UINT32)((brcblkxend - tlcblkxstart) >>\n cblkwidthexpn);\n l_current_precinct->ch = (OPJ_UINT32)((brcblkyend - tlcblkystart) >>\n cblkheightexpn);\n\n l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch;\n /*fprintf(stderr, \"\\t\\t\\t\\t precinct_cw = %d x recinct_ch = %d\\n\",l_current_precinct->cw, l_current_precinct->ch); */\n if ((((OPJ_UINT32) - 1) / (OPJ_UINT32)sizeof_block) <\n l_nb_code_blocks) {\n opj_event_msg(manager, EVT_ERROR,\n \"Size of code block data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block;\n\n if (!l_current_precinct->cblks.blocks && (l_nb_code_blocks > 0U)) {\n l_current_precinct->cblks.blocks = opj_malloc(l_nb_code_blocks_size);\n if (! l_current_precinct->cblks.blocks) {\n return OPJ_FALSE;\n }\n /*fprintf(stderr, \"\\t\\t\\t\\tAllocate cblks of a precinct (opj_tcd_cblk_dec_t): %d\\n\",l_nb_code_blocks_size);*/\n\n memset(l_current_precinct->cblks.blocks, 0, l_nb_code_blocks_size);\n\n l_current_precinct->block_size = l_nb_code_blocks_size;\n } else if (l_nb_code_blocks_size > l_current_precinct->block_size) {\n void *new_blocks = opj_realloc(l_current_precinct->cblks.blocks,\n l_nb_code_blocks_size);\n if (! 
new_blocks) {\n opj_free(l_current_precinct->cblks.blocks);\n l_current_precinct->cblks.blocks = NULL;\n l_current_precinct->block_size = 0;\n opj_event_msg(manager, EVT_ERROR,\n \"Not enough memory for current precinct codeblock element\\n\");\n return OPJ_FALSE;\n }\n l_current_precinct->cblks.blocks = new_blocks;\n /*fprintf(stderr, \"\\t\\t\\t\\tReallocate cblks of a precinct (opj_tcd_cblk_dec_t): from %d to %d\\n\",l_current_precinct->block_size, l_nb_code_blocks_size); */\n\n memset(((OPJ_BYTE *) l_current_precinct->cblks.blocks) +\n l_current_precinct->block_size\n , 0\n , l_nb_code_blocks_size - l_current_precinct->block_size);\n\n l_current_precinct->block_size = l_nb_code_blocks_size;\n }\n\n if (! l_current_precinct->incltree) {\n l_current_precinct->incltree = opj_tgt_create(l_current_precinct->cw,\n l_current_precinct->ch, manager);\n } else {\n l_current_precinct->incltree = opj_tgt_init(l_current_precinct->incltree,\n l_current_precinct->cw, l_current_precinct->ch, manager);\n }\n\n if (! l_current_precinct->imsbtree) {\n l_current_precinct->imsbtree = opj_tgt_create(l_current_precinct->cw,\n l_current_precinct->ch, manager);\n } else {\n l_current_precinct->imsbtree = opj_tgt_init(l_current_precinct->imsbtree,\n l_current_precinct->cw, l_current_precinct->ch, manager);\n }\n\n for (cblkno = 0; cblkno < l_nb_code_blocks; ++cblkno) {\n OPJ_INT32 cblkxstart = tlcblkxstart + (OPJ_INT32)(cblkno %\n l_current_precinct->cw) * (1 << cblkwidthexpn);\n OPJ_INT32 cblkystart = tlcblkystart + (OPJ_INT32)(cblkno /\n l_current_precinct->cw) * (1 << cblkheightexpn);\n OPJ_INT32 cblkxend = cblkxstart + (1 << cblkwidthexpn);\n OPJ_INT32 cblkyend = cblkystart + (1 << cblkheightexpn);\n\n if (isEncoder) {\n opj_tcd_cblk_enc_t* l_code_block = l_current_precinct->cblks.enc + cblkno;\n\n if (! 
opj_tcd_code_block_enc_allocate(l_code_block)) {\n return OPJ_FALSE;\n }\n /* code-block size (global) */\n l_code_block->x0 = opj_int_max(cblkxstart, l_current_precinct->x0);\n l_code_block->y0 = opj_int_max(cblkystart, l_current_precinct->y0);\n l_code_block->x1 = opj_int_min(cblkxend, l_current_precinct->x1);\n l_code_block->y1 = opj_int_min(cblkyend, l_current_precinct->y1);\n\n if (! opj_tcd_code_block_enc_allocate_data(l_code_block)) {\n return OPJ_FALSE;\n }\n } else {\n opj_tcd_cblk_dec_t* l_code_block = l_current_precinct->cblks.dec + cblkno;\n\n if (! opj_tcd_code_block_dec_allocate(l_code_block)) {\n return OPJ_FALSE;\n }\n /* code-block size (global) */\n l_code_block->x0 = opj_int_max(cblkxstart, l_current_precinct->x0);\n l_code_block->y0 = opj_int_max(cblkystart, l_current_precinct->y0);\n l_code_block->x1 = opj_int_min(cblkxend, l_current_precinct->x1);\n l_code_block->y1 = opj_int_min(cblkyend, l_current_precinct->y1);\n }\n }\n ++l_current_precinct;\n } /* precno */\n } /* bandno */\n ++l_res;\n } /* resno */\n ++l_tccp;\n ++l_tilec;\n ++l_image_comp;\n } /* compno */\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 301875613015014834062286873026081725728, "size": 453, "commit_id": "05f9b91e60debda0e83977e5e63b2e66486f7074", "message": "opj_tcd_init_tile(): avoid integer overflow\n\nThat could lead to later assertion failures.\n\nFixes #1231 / CVE-2020-8112", "target": 1, "dataset": "other", "idx": 211795 }, { "func": "static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,\n OPJ_BOOL isEncoder, OPJ_SIZE_T sizeof_block,\n opj_event_mgr_t* manager)\n{\n OPJ_UINT32 compno, resno, bandno, precno, cblkno;\n opj_tcp_t * l_tcp = 00;\n opj_cp_t * l_cp = 00;\n opj_tcd_tile_t * l_tile = 00;\n opj_tccp_t *l_tccp = 00;\n opj_tcd_tilecomp_t *l_tilec = 00;\n opj_image_comp_t * l_image_comp = 00;\n opj_tcd_resolution_t *l_res = 00;\n opj_tcd_band_t *l_band = 00;\n opj_stepsize_t * l_step_size = 00;\n opj_tcd_precinct_t 
*l_current_precinct = 00;\n opj_image_t *l_image = 00;\n OPJ_UINT32 p, q;\n OPJ_UINT32 l_level_no;\n OPJ_UINT32 l_pdx, l_pdy;\n OPJ_INT32 l_x0b, l_y0b;\n OPJ_UINT32 l_tx0, l_ty0;\n /* extent of precincts , top left, bottom right**/\n OPJ_INT32 l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end, l_br_prc_y_end;\n /* number of precinct for a resolution */\n OPJ_UINT32 l_nb_precincts;\n /* room needed to store l_nb_precinct precinct for a resolution */\n OPJ_UINT32 l_nb_precinct_size;\n /* number of code blocks for a precinct*/\n OPJ_UINT32 l_nb_code_blocks;\n /* room needed to store l_nb_code_blocks code blocks for a precinct*/\n OPJ_UINT32 l_nb_code_blocks_size;\n /* size of data for a tile */\n OPJ_UINT32 l_data_size;\n\n l_cp = p_tcd->cp;\n l_tcp = &(l_cp->tcps[p_tile_no]);\n l_tile = p_tcd->tcd_image->tiles;\n l_tccp = l_tcp->tccps;\n l_tilec = l_tile->comps;\n l_image = p_tcd->image;\n l_image_comp = p_tcd->image->comps;\n\n p = p_tile_no % l_cp->tw; /* tile coordinates */\n q = p_tile_no / l_cp->tw;\n /*fprintf(stderr, \"Tile coordinate = %d,%d\\n\", p, q);*/\n\n /* 4 borders of the tile rescale on the image if necessary */\n l_tx0 = l_cp->tx0 + p *\n l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */\n l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, l_image->x0);\n l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx),\n l_image->x1);\n /* all those OPJ_UINT32 are casted to OPJ_INT32, let's do some sanity check */\n if ((l_tile->x0 < 0) || (l_tile->x1 <= l_tile->x0)) {\n opj_event_msg(manager, EVT_ERROR, \"Tile X coordinates are not supported\\n\");\n return OPJ_FALSE;\n }\n l_ty0 = l_cp->ty0 + q *\n l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */\n l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0);\n l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy),\n l_image->y1);\n /* all those OPJ_UINT32 are casted to OPJ_INT32, let's do some sanity check */\n if ((l_tile->y0 < 0) || (l_tile->y1 
<= l_tile->y0)) {\n opj_event_msg(manager, EVT_ERROR, \"Tile Y coordinates are not supported\\n\");\n return OPJ_FALSE;\n }\n\n\n /* testcase 1888.pdf.asan.35.988 */\n if (l_tccp->numresolutions == 0) {\n opj_event_msg(manager, EVT_ERROR, \"tiles require at least one resolution\\n\");\n return OPJ_FALSE;\n }\n /*fprintf(stderr, \"Tile border = %d,%d,%d,%d\\n\", l_tile->x0, l_tile->y0,l_tile->x1,l_tile->y1);*/\n\n /*tile->numcomps = image->numcomps; */\n for (compno = 0; compno < l_tile->numcomps; ++compno) {\n /*fprintf(stderr, \"compno = %d/%d\\n\", compno, l_tile->numcomps);*/\n l_image_comp->resno_decoded = 0;\n /* border of each l_tile component (global) */\n l_tilec->x0 = opj_int_ceildiv(l_tile->x0, (OPJ_INT32)l_image_comp->dx);\n l_tilec->y0 = opj_int_ceildiv(l_tile->y0, (OPJ_INT32)l_image_comp->dy);\n l_tilec->x1 = opj_int_ceildiv(l_tile->x1, (OPJ_INT32)l_image_comp->dx);\n l_tilec->y1 = opj_int_ceildiv(l_tile->y1, (OPJ_INT32)l_image_comp->dy);\n l_tilec->compno = compno;\n /*fprintf(stderr, \"\\tTile compo border = %d,%d,%d,%d\\n\", l_tilec->x0, l_tilec->y0,l_tilec->x1,l_tilec->y1);*/\n\n l_tilec->numresolutions = l_tccp->numresolutions;\n if (l_tccp->numresolutions < l_cp->m_specific_param.m_dec.m_reduce) {\n l_tilec->minimum_num_resolutions = 1;\n } else {\n l_tilec->minimum_num_resolutions = l_tccp->numresolutions -\n l_cp->m_specific_param.m_dec.m_reduce;\n }\n\n if (isEncoder) {\n OPJ_SIZE_T l_tile_data_size;\n\n /* compute l_data_size with overflow check */\n OPJ_SIZE_T w = (OPJ_SIZE_T)(l_tilec->x1 - l_tilec->x0);\n OPJ_SIZE_T h = (OPJ_SIZE_T)(l_tilec->y1 - l_tilec->y0);\n\n /* issue 733, l_data_size == 0U, probably something wrong should be checked before getting here */\n if (h > 0 && w > SIZE_MAX / h) {\n opj_event_msg(manager, EVT_ERROR, \"Size of tile data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n l_tile_data_size = w * h;\n\n if (SIZE_MAX / sizeof(OPJ_UINT32) < l_tile_data_size) {\n opj_event_msg(manager, EVT_ERROR, \"Size of tile 
data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n l_tile_data_size = l_tile_data_size * sizeof(OPJ_UINT32);\n\n l_tilec->data_size_needed = l_tile_data_size;\n }\n\n l_data_size = l_tilec->numresolutions * (OPJ_UINT32)sizeof(\n opj_tcd_resolution_t);\n\n opj_image_data_free(l_tilec->data_win);\n l_tilec->data_win = NULL;\n l_tilec->win_x0 = 0;\n l_tilec->win_y0 = 0;\n l_tilec->win_x1 = 0;\n l_tilec->win_y1 = 0;\n\n if (l_tilec->resolutions == 00) {\n l_tilec->resolutions = (opj_tcd_resolution_t *) opj_malloc(l_data_size);\n if (! l_tilec->resolutions) {\n return OPJ_FALSE;\n }\n /*fprintf(stderr, \"\\tAllocate resolutions of tilec (opj_tcd_resolution_t): %d\\n\",l_data_size);*/\n l_tilec->resolutions_size = l_data_size;\n memset(l_tilec->resolutions, 0, l_data_size);\n } else if (l_data_size > l_tilec->resolutions_size) {\n opj_tcd_resolution_t* new_resolutions = (opj_tcd_resolution_t *) opj_realloc(\n l_tilec->resolutions, l_data_size);\n if (! new_resolutions) {\n opj_event_msg(manager, EVT_ERROR, \"Not enough memory for tile resolutions\\n\");\n opj_free(l_tilec->resolutions);\n l_tilec->resolutions = NULL;\n l_tilec->resolutions_size = 0;\n return OPJ_FALSE;\n }\n l_tilec->resolutions = new_resolutions;\n /*fprintf(stderr, \"\\tReallocate data of tilec (int): from %d to %d x OPJ_UINT32\\n\", l_tilec->resolutions_size, l_data_size);*/\n memset(((OPJ_BYTE*) l_tilec->resolutions) + l_tilec->resolutions_size, 0,\n l_data_size - l_tilec->resolutions_size);\n l_tilec->resolutions_size = l_data_size;\n }\n\n l_level_no = l_tilec->numresolutions;\n l_res = l_tilec->resolutions;\n l_step_size = l_tccp->stepsizes;\n /*fprintf(stderr, \"\\tlevel_no=%d\\n\",l_level_no);*/\n\n for (resno = 0; resno < l_tilec->numresolutions; ++resno) {\n /*fprintf(stderr, \"\\t\\tresno = %d/%d\\n\", resno, l_tilec->numresolutions);*/\n OPJ_INT32 tlcbgxstart, tlcbgystart /*, brcbgxend, brcbgyend*/;\n OPJ_UINT32 cbgwidthexpn, cbgheightexpn;\n OPJ_UINT32 cblkwidthexpn, 
cblkheightexpn;\n\n --l_level_no;\n\n /* border for each resolution level (global) */\n l_res->x0 = opj_int_ceildivpow2(l_tilec->x0, (OPJ_INT32)l_level_no);\n l_res->y0 = opj_int_ceildivpow2(l_tilec->y0, (OPJ_INT32)l_level_no);\n l_res->x1 = opj_int_ceildivpow2(l_tilec->x1, (OPJ_INT32)l_level_no);\n l_res->y1 = opj_int_ceildivpow2(l_tilec->y1, (OPJ_INT32)l_level_no);\n\n /*fprintf(stderr, \"\\t\\t\\tres_x0= %d, res_y0 =%d, res_x1=%d, res_y1=%d\\n\", l_res->x0, l_res->y0, l_res->x1, l_res->y1);*/\n /* p. 35, table A-23, ISO/IEC FDIS154444-1 : 2000 (18 august 2000) */\n l_pdx = l_tccp->prcw[resno];\n l_pdy = l_tccp->prch[resno];\n /*fprintf(stderr, \"\\t\\t\\tpdx=%d, pdy=%d\\n\", l_pdx, l_pdy);*/\n /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */\n l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;\n l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;\n {\n OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,\n (OPJ_INT32)l_pdx)) << l_pdx;\n if (tmp > (OPJ_UINT32)INT_MAX) {\n opj_event_msg(manager, EVT_ERROR, \"Integer overflow\\n\");\n return OPJ_FALSE;\n }\n l_br_prc_x_end = (OPJ_INT32)tmp;\n }\n {\n OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,\n (OPJ_INT32)l_pdy)) << l_pdy;\n if (tmp > (OPJ_UINT32)INT_MAX) {\n opj_event_msg(manager, EVT_ERROR, \"Integer overflow\\n\");\n return OPJ_FALSE;\n }\n l_br_prc_y_end = (OPJ_INT32)tmp;\n }\n /*fprintf(stderr, \"\\t\\t\\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \\n\", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/\n\n l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((\n l_br_prc_x_end - l_tl_prc_x_start) >> l_pdx);\n l_res->ph = (l_res->y0 == l_res->y1) ? 
0U : (OPJ_UINT32)((\n l_br_prc_y_end - l_tl_prc_y_start) >> l_pdy);\n /*fprintf(stderr, \"\\t\\t\\tres_pw=%d, res_ph=%d\\n\", l_res->pw, l_res->ph );*/\n\n if ((l_res->pw != 0U) && ((((OPJ_UINT32) - 1) / l_res->pw) < l_res->ph)) {\n opj_event_msg(manager, EVT_ERROR, \"Size of tile data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n l_nb_precincts = l_res->pw * l_res->ph;\n\n if ((((OPJ_UINT32) - 1) / (OPJ_UINT32)sizeof(opj_tcd_precinct_t)) <\n l_nb_precincts) {\n opj_event_msg(manager, EVT_ERROR, \"Size of tile data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n l_nb_precinct_size = l_nb_precincts * (OPJ_UINT32)sizeof(opj_tcd_precinct_t);\n\n if (resno == 0) {\n tlcbgxstart = l_tl_prc_x_start;\n tlcbgystart = l_tl_prc_y_start;\n /*brcbgxend = l_br_prc_x_end;*/\n /* brcbgyend = l_br_prc_y_end;*/\n cbgwidthexpn = l_pdx;\n cbgheightexpn = l_pdy;\n l_res->numbands = 1;\n } else {\n tlcbgxstart = opj_int_ceildivpow2(l_tl_prc_x_start, 1);\n tlcbgystart = opj_int_ceildivpow2(l_tl_prc_y_start, 1);\n /*brcbgxend = opj_int_ceildivpow2(l_br_prc_x_end, 1);*/\n /*brcbgyend = opj_int_ceildivpow2(l_br_prc_y_end, 1);*/\n cbgwidthexpn = l_pdx - 1;\n cbgheightexpn = l_pdy - 1;\n l_res->numbands = 3;\n }\n\n cblkwidthexpn = opj_uint_min(l_tccp->cblkw, cbgwidthexpn);\n cblkheightexpn = opj_uint_min(l_tccp->cblkh, cbgheightexpn);\n l_band = l_res->bands;\n\n for (bandno = 0; bandno < l_res->numbands; ++bandno, ++l_band, ++l_step_size) {\n /*fprintf(stderr, \"\\t\\t\\tband_no=%d/%d\\n\", bandno, l_res->numbands );*/\n\n if (resno == 0) {\n l_band->bandno = 0 ;\n l_band->x0 = opj_int_ceildivpow2(l_tilec->x0, (OPJ_INT32)l_level_no);\n l_band->y0 = opj_int_ceildivpow2(l_tilec->y0, (OPJ_INT32)l_level_no);\n l_band->x1 = opj_int_ceildivpow2(l_tilec->x1, (OPJ_INT32)l_level_no);\n l_band->y1 = opj_int_ceildivpow2(l_tilec->y1, (OPJ_INT32)l_level_no);\n } else {\n l_band->bandno = bandno + 1;\n /* x0b = 1 if bandno = 1 or 3 */\n l_x0b = l_band->bandno & 1;\n /* y0b = 1 if bandno 
= 2 or 3 */\n l_y0b = (OPJ_INT32)((l_band->bandno) >> 1);\n /* l_band border (global) */\n l_band->x0 = opj_int64_ceildivpow2(l_tilec->x0 - ((OPJ_INT64)l_x0b <<\n l_level_no), (OPJ_INT32)(l_level_no + 1));\n l_band->y0 = opj_int64_ceildivpow2(l_tilec->y0 - ((OPJ_INT64)l_y0b <<\n l_level_no), (OPJ_INT32)(l_level_no + 1));\n l_band->x1 = opj_int64_ceildivpow2(l_tilec->x1 - ((OPJ_INT64)l_x0b <<\n l_level_no), (OPJ_INT32)(l_level_no + 1));\n l_band->y1 = opj_int64_ceildivpow2(l_tilec->y1 - ((OPJ_INT64)l_y0b <<\n l_level_no), (OPJ_INT32)(l_level_no + 1));\n }\n\n if (isEncoder) {\n /* Skip empty bands */\n if (opj_tcd_is_band_empty(l_band)) {\n /* Do not zero l_band->precints to avoid leaks */\n /* but make sure we don't use it later, since */\n /* it will point to precincts of previous bands... */\n continue;\n }\n }\n\n {\n /* Table E-1 - Sub-band gains */\n /* BUG_WEIRD_TWO_INVK (look for this identifier in dwt.c): */\n /* the test (!isEncoder && l_tccp->qmfbid == 0) is strongly */\n /* linked to the use of two_invK instead of invK */\n const OPJ_INT32 log2_gain = (!isEncoder &&\n l_tccp->qmfbid == 0) ? 0 : (l_band->bandno == 0) ? 0 :\n (l_band->bandno == 3) ? 2 : 1;\n\n /* Nominal dynamic range. Equation E-4 */\n const OPJ_INT32 Rb = (OPJ_INT32)l_image_comp->prec + log2_gain;\n\n /* Delta_b value of Equation E-3 in \"E.1 Inverse quantization\n * procedure\" of the standard */\n l_band->stepsize = (OPJ_FLOAT32)(((1.0 + l_step_size->mant / 2048.0) * pow(2.0,\n (OPJ_INT32)(Rb - l_step_size->expn))));\n }\n\n /* Mb value of Equation E-2 in \"E.1 Inverse quantization\n * procedure\" of the standard */\n l_band->numbps = l_step_size->expn + (OPJ_INT32)l_tccp->numgbits -\n 1;\n\n if (!l_band->precincts && (l_nb_precincts > 0U)) {\n l_band->precincts = (opj_tcd_precinct_t *) opj_malloc(/*3 * */\n l_nb_precinct_size);\n if (! 
l_band->precincts) {\n opj_event_msg(manager, EVT_ERROR,\n \"Not enough memory to handle band precints\\n\");\n return OPJ_FALSE;\n }\n /*fprintf(stderr, \"\\t\\t\\t\\tAllocate precincts of a band (opj_tcd_precinct_t): %d\\n\",l_nb_precinct_size); */\n memset(l_band->precincts, 0, l_nb_precinct_size);\n l_band->precincts_data_size = l_nb_precinct_size;\n } else if (l_band->precincts_data_size < l_nb_precinct_size) {\n\n opj_tcd_precinct_t * new_precincts = (opj_tcd_precinct_t *) opj_realloc(\n l_band->precincts,/*3 * */ l_nb_precinct_size);\n if (! new_precincts) {\n opj_event_msg(manager, EVT_ERROR,\n \"Not enough memory to handle band precints\\n\");\n opj_free(l_band->precincts);\n l_band->precincts = NULL;\n l_band->precincts_data_size = 0;\n return OPJ_FALSE;\n }\n l_band->precincts = new_precincts;\n /*fprintf(stderr, \"\\t\\t\\t\\tReallocate precincts of a band (opj_tcd_precinct_t): from %d to %d\\n\",l_band->precincts_data_size, l_nb_precinct_size);*/\n memset(((OPJ_BYTE *) l_band->precincts) + l_band->precincts_data_size, 0,\n l_nb_precinct_size - l_band->precincts_data_size);\n l_band->precincts_data_size = l_nb_precinct_size;\n }\n\n l_current_precinct = l_band->precincts;\n for (precno = 0; precno < l_nb_precincts; ++precno) {\n OPJ_INT32 tlcblkxstart, tlcblkystart, brcblkxend, brcblkyend;\n OPJ_INT32 cbgxstart = tlcbgxstart + (OPJ_INT32)(precno % l_res->pw) *\n (1 << cbgwidthexpn);\n OPJ_INT32 cbgystart = tlcbgystart + (OPJ_INT32)(precno / l_res->pw) *\n (1 << cbgheightexpn);\n OPJ_INT32 cbgxend = cbgxstart + (1 << cbgwidthexpn);\n OPJ_INT32 cbgyend = cbgystart + (1 << cbgheightexpn);\n /*fprintf(stderr, \"\\t precno=%d; bandno=%d, resno=%d; compno=%d\\n\", precno, bandno , resno, compno);*/\n /*fprintf(stderr, \"\\t tlcbgxstart(=%d) + (precno(=%d) percent res->pw(=%d)) * (1 << cbgwidthexpn(=%d)) \\n\",tlcbgxstart,precno,l_res->pw,cbgwidthexpn);*/\n\n /* precinct size (global) */\n /*fprintf(stderr, \"\\t cbgxstart=%d, l_band->x0 = %d \\n\",cbgxstart, 
l_band->x0);*/\n\n l_current_precinct->x0 = opj_int_max(cbgxstart, l_band->x0);\n l_current_precinct->y0 = opj_int_max(cbgystart, l_band->y0);\n l_current_precinct->x1 = opj_int_min(cbgxend, l_band->x1);\n l_current_precinct->y1 = opj_int_min(cbgyend, l_band->y1);\n /*fprintf(stderr, \"\\t prc_x0=%d; prc_y0=%d, prc_x1=%d; prc_y1=%d\\n\",l_current_precinct->x0, l_current_precinct->y0 ,l_current_precinct->x1, l_current_precinct->y1);*/\n\n tlcblkxstart = opj_int_floordivpow2(l_current_precinct->x0,\n (OPJ_INT32)cblkwidthexpn) << cblkwidthexpn;\n /*fprintf(stderr, \"\\t tlcblkxstart =%d\\n\",tlcblkxstart );*/\n tlcblkystart = opj_int_floordivpow2(l_current_precinct->y0,\n (OPJ_INT32)cblkheightexpn) << cblkheightexpn;\n /*fprintf(stderr, \"\\t tlcblkystart =%d\\n\",tlcblkystart );*/\n brcblkxend = opj_int_ceildivpow2(l_current_precinct->x1,\n (OPJ_INT32)cblkwidthexpn) << cblkwidthexpn;\n /*fprintf(stderr, \"\\t brcblkxend =%d\\n\",brcblkxend );*/\n brcblkyend = opj_int_ceildivpow2(l_current_precinct->y1,\n (OPJ_INT32)cblkheightexpn) << cblkheightexpn;\n /*fprintf(stderr, \"\\t brcblkyend =%d\\n\",brcblkyend );*/\n l_current_precinct->cw = (OPJ_UINT32)((brcblkxend - tlcblkxstart) >>\n cblkwidthexpn);\n l_current_precinct->ch = (OPJ_UINT32)((brcblkyend - tlcblkystart) >>\n cblkheightexpn);\n\n l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch;\n /*fprintf(stderr, \"\\t\\t\\t\\t precinct_cw = %d x recinct_ch = %d\\n\",l_current_precinct->cw, l_current_precinct->ch); */\n if ((((OPJ_UINT32) - 1) / (OPJ_UINT32)sizeof_block) <\n l_nb_code_blocks) {\n opj_event_msg(manager, EVT_ERROR,\n \"Size of code block data exceeds system limits\\n\");\n return OPJ_FALSE;\n }\n l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block;\n\n if (!l_current_precinct->cblks.blocks && (l_nb_code_blocks > 0U)) {\n l_current_precinct->cblks.blocks = opj_malloc(l_nb_code_blocks_size);\n if (! 
l_current_precinct->cblks.blocks) {\n return OPJ_FALSE;\n }\n /*fprintf(stderr, \"\\t\\t\\t\\tAllocate cblks of a precinct (opj_tcd_cblk_dec_t): %d\\n\",l_nb_code_blocks_size);*/\n\n memset(l_current_precinct->cblks.blocks, 0, l_nb_code_blocks_size);\n\n l_current_precinct->block_size = l_nb_code_blocks_size;\n } else if (l_nb_code_blocks_size > l_current_precinct->block_size) {\n void *new_blocks = opj_realloc(l_current_precinct->cblks.blocks,\n l_nb_code_blocks_size);\n if (! new_blocks) {\n opj_free(l_current_precinct->cblks.blocks);\n l_current_precinct->cblks.blocks = NULL;\n l_current_precinct->block_size = 0;\n opj_event_msg(manager, EVT_ERROR,\n \"Not enough memory for current precinct codeblock element\\n\");\n return OPJ_FALSE;\n }\n l_current_precinct->cblks.blocks = new_blocks;\n /*fprintf(stderr, \"\\t\\t\\t\\tReallocate cblks of a precinct (opj_tcd_cblk_dec_t): from %d to %d\\n\",l_current_precinct->block_size, l_nb_code_blocks_size); */\n\n memset(((OPJ_BYTE *) l_current_precinct->cblks.blocks) +\n l_current_precinct->block_size\n , 0\n , l_nb_code_blocks_size - l_current_precinct->block_size);\n\n l_current_precinct->block_size = l_nb_code_blocks_size;\n }\n\n if (! l_current_precinct->incltree) {\n l_current_precinct->incltree = opj_tgt_create(l_current_precinct->cw,\n l_current_precinct->ch, manager);\n } else {\n l_current_precinct->incltree = opj_tgt_init(l_current_precinct->incltree,\n l_current_precinct->cw, l_current_precinct->ch, manager);\n }\n\n if (! 
l_current_precinct->imsbtree) {\n l_current_precinct->imsbtree = opj_tgt_create(l_current_precinct->cw,\n l_current_precinct->ch, manager);\n } else {\n l_current_precinct->imsbtree = opj_tgt_init(l_current_precinct->imsbtree,\n l_current_precinct->cw, l_current_precinct->ch, manager);\n }\n\n for (cblkno = 0; cblkno < l_nb_code_blocks; ++cblkno) {\n OPJ_INT32 cblkxstart = tlcblkxstart + (OPJ_INT32)(cblkno %\n l_current_precinct->cw) * (1 << cblkwidthexpn);\n OPJ_INT32 cblkystart = tlcblkystart + (OPJ_INT32)(cblkno /\n l_current_precinct->cw) * (1 << cblkheightexpn);\n OPJ_INT32 cblkxend = cblkxstart + (1 << cblkwidthexpn);\n OPJ_INT32 cblkyend = cblkystart + (1 << cblkheightexpn);\n\n if (isEncoder) {\n opj_tcd_cblk_enc_t* l_code_block = l_current_precinct->cblks.enc + cblkno;\n\n if (! opj_tcd_code_block_enc_allocate(l_code_block)) {\n return OPJ_FALSE;\n }\n /* code-block size (global) */\n l_code_block->x0 = opj_int_max(cblkxstart, l_current_precinct->x0);\n l_code_block->y0 = opj_int_max(cblkystart, l_current_precinct->y0);\n l_code_block->x1 = opj_int_min(cblkxend, l_current_precinct->x1);\n l_code_block->y1 = opj_int_min(cblkyend, l_current_precinct->y1);\n\n if (! opj_tcd_code_block_enc_allocate_data(l_code_block)) {\n return OPJ_FALSE;\n }\n } else {\n opj_tcd_cblk_dec_t* l_code_block = l_current_precinct->cblks.dec + cblkno;\n\n if (! 
opj_tcd_code_block_dec_allocate(l_code_block)) {\n return OPJ_FALSE;\n }\n /* code-block size (global) */\n l_code_block->x0 = opj_int_max(cblkxstart, l_current_precinct->x0);\n l_code_block->y0 = opj_int_max(cblkystart, l_current_precinct->y0);\n l_code_block->x1 = opj_int_min(cblkxend, l_current_precinct->x1);\n l_code_block->y1 = opj_int_min(cblkyend, l_current_precinct->y1);\n }\n }\n ++l_current_precinct;\n } /* precno */\n } /* bandno */\n ++l_res;\n } /* resno */\n ++l_tccp;\n ++l_tilec;\n ++l_image_comp;\n } /* compno */\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 102964088464842634317683220494856397545, "size": 474, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359186 }, { "func": " */\nvoid __io_uring_cancel(struct files_struct *files)\n{\n\tstruct io_uring_task *tctx = current->io_uring;\n\tDEFINE_WAIT(wait);\n\ts64 inflight;\n\n\t/* make sure overflow events are dropped */\n\tatomic_inc(&tctx->in_idle);\n\tdo {\n\t\t/* read completions before cancelations */\n\t\tinflight = tctx_inflight(tctx, !!files);\n\t\tif (!inflight)\n\t\t\tbreak;\n\t\tio_uring_try_cancel(files);\n\t\tprepare_to_wait(&tctx->wait, &wait, TASK_UNINTERRUPTIBLE);\n\n\t\t/*\n\t\t * If we've seen completions, retry without waiting. 
This\n\t\t * avoids a race where a completion comes in before we did\n\t\t * prepare_to_wait().\n\t\t */\n\t\tif (inflight == tctx_inflight(tctx, !!files))\n\t\t\tschedule();\n\t\tfinish_wait(&tctx->wait, &wait);\n\t} while (1);\n\tatomic_dec(&tctx->in_idle);\n\n\tio_uring_clean_tctx(tctx);\n\tif (!files) {\n\t\t/* for exec all current's requests should be gone, kill tctx */\n\t\t__io_uring_free(current);\n\t}", "project": "linux", "hash": 270123901580391366720242762621326506912, "size": 33, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338615 }, { "func": " */\nstatic bool bfq_bfqq_budget_timeout(struct bfq_queue *bfqq)\n{\n\treturn time_is_before_eq_jiffies(bfqq->budget_timeout);", "project": "linux", "hash": 324267847336971410274054663038201112841, "size": 4, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. 
So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] 
bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 
mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453379 }, { "func": "bool get_signal(struct ksignal *ksig)\n{\n\tstruct sighand_struct *sighand = current->sighand;\n\tstruct signal_struct *signal = current->signal;\n\tint signr;\n\n\tif (unlikely(current->task_works))\n\t\ttask_work_run();\n\n\tif (unlikely(uprobe_deny_signal()))\n\t\treturn false;\n\n\t/*\n\t * Do this once, we can't return to user-mode if freezing() == T.\n\t * do_signal_stop() and ptrace_stop() do freezable_schedule() and\n\t * thus do not need another check after return.\n\t 
*/\n\ttry_to_freeze();\n\nrelock:\n\tspin_lock_irq(&sighand->siglock);\n\t/*\n\t * Every stopped thread goes here after wakeup. Check to see if\n\t * we should notify the parent, prepare_signal(SIGCONT) encodes\n\t * the CLD_ si_code into SIGNAL_CLD_MASK bits.\n\t */\n\tif (unlikely(signal->flags & SIGNAL_CLD_MASK)) {\n\t\tint why;\n\n\t\tif (signal->flags & SIGNAL_CLD_CONTINUED)\n\t\t\twhy = CLD_CONTINUED;\n\t\telse\n\t\t\twhy = CLD_STOPPED;\n\n\t\tsignal->flags &= ~SIGNAL_CLD_MASK;\n\n\t\tspin_unlock_irq(&sighand->siglock);\n\n\t\t/*\n\t\t * Notify the parent that we're continuing. This event is\n\t\t * always per-process and doesn't make whole lot of sense\n\t\t * for ptracers, who shouldn't consume the state via\n\t\t * wait(2) either, but, for backward compatibility, notify\n\t\t * the ptracer of the group leader too unless it's gonna be\n\t\t * a duplicate.\n\t\t */\n\t\tread_lock(&tasklist_lock);\n\t\tdo_notify_parent_cldstop(current, false, why);\n\n\t\tif (ptrace_reparented(current->group_leader))\n\t\t\tdo_notify_parent_cldstop(current->group_leader,\n\t\t\t\t\t\ttrue, why);\n\t\tread_unlock(&tasklist_lock);\n\n\t\tgoto relock;\n\t}\n\n\t/* Has this task already been marked for death? 
*/\n\tif (signal_group_exit(signal)) {\n\t\tksig->info.si_signo = signr = SIGKILL;\n\t\tsigdelset(¤t->pending.signal, SIGKILL);\n\t\ttrace_signal_deliver(SIGKILL, SEND_SIG_NOINFO,\n\t\t\t\t&sighand->action[SIGKILL - 1]);\n\t\trecalc_sigpending();\n\t\tgoto fatal;\n\t}\n\n\tfor (;;) {\n\t\tstruct k_sigaction *ka;\n\n\t\tif (unlikely(current->jobctl & JOBCTL_STOP_PENDING) &&\n\t\t do_signal_stop(0))\n\t\t\tgoto relock;\n\n\t\tif (unlikely(current->jobctl &\n\t\t\t (JOBCTL_TRAP_MASK | JOBCTL_TRAP_FREEZE))) {\n\t\t\tif (current->jobctl & JOBCTL_TRAP_MASK) {\n\t\t\t\tdo_jobctl_trap();\n\t\t\t\tspin_unlock_irq(&sighand->siglock);\n\t\t\t} else if (current->jobctl & JOBCTL_TRAP_FREEZE)\n\t\t\t\tdo_freezer_trap();\n\n\t\t\tgoto relock;\n\t\t}\n\n\t\t/*\n\t\t * If the task is leaving the frozen state, let's update\n\t\t * cgroup counters and reset the frozen bit.\n\t\t */\n\t\tif (unlikely(cgroup_task_frozen(current))) {\n\t\t\tspin_unlock_irq(&sighand->siglock);\n\t\t\tcgroup_leave_frozen(false);\n\t\t\tgoto relock;\n\t\t}\n\n\t\t/*\n\t\t * Signals generated by the execution of an instruction\n\t\t * need to be delivered before any other pending signals\n\t\t * so that the instruction pointer in the signal stack\n\t\t * frame points to the faulting instruction.\n\t\t */\n\t\tsignr = dequeue_synchronous_signal(&ksig->info);\n\t\tif (!signr)\n\t\t\tsignr = dequeue_signal(current, ¤t->blocked, &ksig->info);\n\n\t\tif (!signr)\n\t\t\tbreak; /* will return 0 */\n\n\t\tif (unlikely(current->ptrace) && signr != SIGKILL) {\n\t\t\tsignr = ptrace_signal(signr, &ksig->info);\n\t\t\tif (!signr)\n\t\t\t\tcontinue;\n\t\t}\n\n\t\tka = &sighand->action[signr-1];\n\n\t\t/* Trace actually delivered signals. */\n\t\ttrace_signal_deliver(signr, &ksig->info, ka);\n\n\t\tif (ka->sa.sa_handler == SIG_IGN) /* Do nothing. */\n\t\t\tcontinue;\n\t\tif (ka->sa.sa_handler != SIG_DFL) {\n\t\t\t/* Run the handler. 
*/\n\t\t\tksig->ka = *ka;\n\n\t\t\tif (ka->sa.sa_flags & SA_ONESHOT)\n\t\t\t\tka->sa.sa_handler = SIG_DFL;\n\n\t\t\tbreak; /* will return non-zero \"signr\" value */\n\t\t}\n\n\t\t/*\n\t\t * Now we are doing the default action for this signal.\n\t\t */\n\t\tif (sig_kernel_ignore(signr)) /* Default is nothing. */\n\t\t\tcontinue;\n\n\t\t/*\n\t\t * Global init gets no signals it doesn't want.\n\t\t * Container-init gets no signals it doesn't want from same\n\t\t * container.\n\t\t *\n\t\t * Note that if global/container-init sees a sig_kernel_only()\n\t\t * signal here, the signal must have been generated internally\n\t\t * or must have come from an ancestor namespace. In either\n\t\t * case, the signal cannot be dropped.\n\t\t */\n\t\tif (unlikely(signal->flags & SIGNAL_UNKILLABLE) &&\n\t\t\t\t!sig_kernel_only(signr))\n\t\t\tcontinue;\n\n\t\tif (sig_kernel_stop(signr)) {\n\t\t\t/*\n\t\t\t * The default action is to stop all threads in\n\t\t\t * the thread group. The job control signals\n\t\t\t * do nothing in an orphaned pgrp, but SIGSTOP\n\t\t\t * always works. Note that siglock needs to be\n\t\t\t * dropped during the call to is_orphaned_pgrp()\n\t\t\t * because of lock ordering with tasklist_lock.\n\t\t\t * This allows an intervening SIGCONT to be posted.\n\t\t\t * We need to check for that and bail out if necessary.\n\t\t\t */\n\t\t\tif (signr != SIGSTOP) {\n\t\t\t\tspin_unlock_irq(&sighand->siglock);\n\n\t\t\t\t/* signals can be posted during this window */\n\n\t\t\t\tif (is_current_pgrp_orphaned())\n\t\t\t\t\tgoto relock;\n\n\t\t\t\tspin_lock_irq(&sighand->siglock);\n\t\t\t}\n\n\t\t\tif (likely(do_signal_stop(ksig->info.si_signo))) {\n\t\t\t\t/* It released the siglock. 
*/\n\t\t\t\tgoto relock;\n\t\t\t}\n\n\t\t\t/*\n\t\t\t * We didn't actually stop, due to a race\n\t\t\t * with SIGCONT or something like that.\n\t\t\t */\n\t\t\tcontinue;\n\t\t}\n\n\tfatal:\n\t\tspin_unlock_irq(&sighand->siglock);\n\t\tif (unlikely(cgroup_task_frozen(current)))\n\t\t\tcgroup_leave_frozen(true);\n\n\t\t/*\n\t\t * Anything else is fatal, maybe with a core dump.\n\t\t */\n\t\tcurrent->flags |= PF_SIGNALED;\n\n\t\tif (sig_kernel_coredump(signr)) {\n\t\t\tif (print_fatal_signals)\n\t\t\t\tprint_fatal_signal(ksig->info.si_signo);\n\t\t\tproc_coredump_connector(current);\n\t\t\t/*\n\t\t\t * If it was able to dump core, this kills all\n\t\t\t * other threads in the group and synchronizes with\n\t\t\t * their demise. If we lost the race with another\n\t\t\t * thread getting here, it set group_exit_code\n\t\t\t * first and our do_group_exit call below will use\n\t\t\t * that value and ignore the one we pass it.\n\t\t\t */\n\t\t\tdo_coredump(&ksig->info);\n\t\t}\n\n\t\t/*\n\t\t * Death signals, no core dump.\n\t\t */\n\t\tdo_group_exit(ksig->info.si_signo);\n\t\t/* NOTREACHED */\n\t}\n\tspin_unlock_irq(&sighand->siglock);\n\n\tksig->sig = signr;\n\treturn ksig->sig > 0;\n}", "project": "linux", "hash": 311761225246392987965693393734581690197, "size": 221, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375275 }, { "func": "static int __kvm_read_guest_page(struct kvm_memory_slot *slot, gfn_t gfn,\n\t\t\t\t void *data, int offset, int len)\n{\n\tint r;\n\tunsigned long addr;\n\n\taddr = gfn_to_hva_memslot_prot(slot, gfn, NULL);\n\tif (kvm_is_error_hva(addr))\n\t\treturn -EFAULT;\n\tr = __copy_from_user(data, (void __user *)addr + offset, len);\n\tif (r)\n\t\treturn -EFAULT;\n\treturn 0;\n}", "project": "linux", "hash": 332909408176310183394692084271886484017, "size": 14, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson 
\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354634 }, { "func": "void blosc_set_blocksize(size_t size) {\n g_force_blocksize = (int32_t)size;\n}", "project": "c-blosc2", "hash": 303126173402015901984721841160679470586, "size": 3, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303108 }, { "func": "static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,\n\t\t\t u8 bdaddr_type, bdaddr_t *direct_addr,\n\t\t\t u8 direct_addr_type, s8 rssi, u8 *data, u8 len)\n{\n\tstruct discovery_state *d = &hdev->discovery;\n\tstruct smp_irk *irk;\n\tstruct hci_conn *conn;\n\tbool match;\n\tu32 flags;\n\tu8 *ptr, real_len;\n\n\tswitch (type) {\n\tcase LE_ADV_IND:\n\tcase LE_ADV_DIRECT_IND:\n\tcase LE_ADV_SCAN_IND:\n\tcase LE_ADV_NONCONN_IND:\n\tcase LE_ADV_SCAN_RSP:\n\t\tbreak;\n\tdefault:\n\t\tbt_dev_err_ratelimited(hdev, \"unknown advertising packet \"\n\t\t\t\t \"type: 0x%02x\", type);\n\t\treturn;\n\t}\n\n\t/* Find the end of the data in case the report contains padded zero\n\t * bytes at the end causing an invalid length value.\n\t *\n\t * When data is NULL, len is 0 so there is no need for extra ptr\n\t * check as 'ptr < data + 0' is already false in such case.\n\t */\n\tfor (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {\n\t\tif (ptr + 1 + *ptr > data + len)\n\t\t\tbreak;\n\t}\n\n\treal_len = ptr - data;\n\n\t/* Adjust for actual length */\n\tif (len != real_len) {\n\t\tbt_dev_err_ratelimited(hdev, \"advertising data len corrected %u -> %u\",\n\t\t\t\t len, real_len);\n\t\tlen = real_len;\n\t}\n\n\t/* If the direct address is present, then this report is from\n\t * a LE Direct Advertising Report event. 
In that case it is\n\t * important to see if the address is matching the local\n\t * controller address.\n\t */\n\tif (direct_addr) {\n\t\t/* Only resolvable random addresses are valid for these\n\t\t * kind of reports and others can be ignored.\n\t\t */\n\t\tif (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))\n\t\t\treturn;\n\n\t\t/* If the controller is not using resolvable random\n\t\t * addresses, then this report can be ignored.\n\t\t */\n\t\tif (!hci_dev_test_flag(hdev, HCI_PRIVACY))\n\t\t\treturn;\n\n\t\t/* If the local IRK of the controller does not match\n\t\t * with the resolvable random address provided, then\n\t\t * this report can be ignored.\n\t\t */\n\t\tif (!smp_irk_matches(hdev, hdev->irk, direct_addr))\n\t\t\treturn;\n\t}\n\n\t/* Check if we need to convert to identity address */\n\tirk = hci_get_irk(hdev, bdaddr, bdaddr_type);\n\tif (irk) {\n\t\tbdaddr = &irk->bdaddr;\n\t\tbdaddr_type = irk->addr_type;\n\t}\n\n\t/* Check if we have been requested to connect to this device.\n\t *\n\t * direct_addr is set only for directed advertising reports (it is NULL\n\t * for advertising reports) and is already verified to be RPA above.\n\t */\n\tconn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,\n\t\t\t\t\t\t\t\tdirect_addr);\n\tif (conn && type == LE_ADV_IND) {\n\t\t/* Store report for later inclusion by\n\t\t * mgmt_device_connected\n\t\t */\n\t\tmemcpy(conn->le_adv_data, data, len);\n\t\tconn->le_adv_data_len = len;\n\t}\n\n\t/* Passive scanning shouldn't trigger any device found events,\n\t * except for devices marked as CONN_REPORT for which we do send\n\t * device found events, or advertisement monitoring requested.\n\t */\n\tif (hdev->le_scan_type == LE_SCAN_PASSIVE) {\n\t\tif (type == LE_ADV_DIRECT_IND)\n\t\t\treturn;\n\n\t\tif (!hci_pend_le_action_lookup(&hdev->pend_le_reports,\n\t\t\t\t\t bdaddr, bdaddr_type) &&\n\t\t idr_is_empty(&hdev->adv_monitors_idr))\n\t\t\treturn;\n\n\t\tif (type == LE_ADV_NONCONN_IND || type == 
LE_ADV_SCAN_IND)\n\t\t\tflags = MGMT_DEV_FOUND_NOT_CONNECTABLE;\n\t\telse\n\t\t\tflags = 0;\n\t\tmgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,\n\t\t\t\t rssi, flags, data, len, NULL, 0);\n\t\treturn;\n\t}\n\n\t/* When receiving non-connectable or scannable undirected\n\t * advertising reports, this means that the remote device is\n\t * not connectable and then clearly indicate this in the\n\t * device found event.\n\t *\n\t * When receiving a scan response, then there is no way to\n\t * know if the remote device is connectable or not. However\n\t * since scan responses are merged with a previously seen\n\t * advertising report, the flags field from that report\n\t * will be used.\n\t *\n\t * In the really unlikely case that a controller get confused\n\t * and just sends a scan response event, then it is marked as\n\t * not connectable as well.\n\t */\n\tif (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||\n\t type == LE_ADV_SCAN_RSP)\n\t\tflags = MGMT_DEV_FOUND_NOT_CONNECTABLE;\n\telse\n\t\tflags = 0;\n\n\t/* If there's nothing pending either store the data from this\n\t * event or send an immediate device found event if the data\n\t * should not be stored for later.\n\t */\n\tif (!has_pending_adv_report(hdev)) {\n\t\t/* If the report will trigger a SCAN_REQ store it for\n\t\t * later merging.\n\t\t */\n\t\tif (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {\n\t\t\tstore_pending_adv_report(hdev, bdaddr, bdaddr_type,\n\t\t\t\t\t\t rssi, flags, data, len);\n\t\t\treturn;\n\t\t}\n\n\t\tmgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,\n\t\t\t\t rssi, flags, data, len, NULL, 0);\n\t\treturn;\n\t}\n\n\t/* Check if the pending report is for the same device as the new one */\n\tmatch = (!bacmp(bdaddr, &d->last_adv_addr) &&\n\t\t bdaddr_type == d->last_adv_addr_type);\n\n\t/* If the pending data doesn't match this report or this isn't a\n\t * scan response (e.g. 
we got a duplicate ADV_IND) then force\n\t * sending of the pending data.\n\t */\n\tif (type != LE_ADV_SCAN_RSP || !match) {\n\t\t/* Send out whatever is in the cache, but skip duplicates */\n\t\tif (!match)\n\t\t\tmgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,\n\t\t\t\t\t d->last_adv_addr_type, NULL,\n\t\t\t\t\t d->last_adv_rssi, d->last_adv_flags,\n\t\t\t\t\t d->last_adv_data,\n\t\t\t\t\t d->last_adv_data_len, NULL, 0);\n\n\t\t/* If the new report will trigger a SCAN_REQ store it for\n\t\t * later merging.\n\t\t */\n\t\tif (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {\n\t\t\tstore_pending_adv_report(hdev, bdaddr, bdaddr_type,\n\t\t\t\t\t\t rssi, flags, data, len);\n\t\t\treturn;\n\t\t}\n\n\t\t/* The advertising reports cannot be merged, so clear\n\t\t * the pending report and send out a device found event.\n\t\t */\n\t\tclear_pending_adv_report(hdev);\n\t\tmgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,\n\t\t\t\t rssi, flags, data, len, NULL, 0);\n\t\treturn;\n\t}\n\n\t/* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and\n\t * the new event is a SCAN_RSP. We can therefore proceed with\n\t * sending a merged device found event.\n\t */\n\tmgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,\n\t\t\t d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,\n\t\t\t d->last_adv_data, d->last_adv_data_len, data, len);\n\tclear_pending_adv_report(hdev);\n}", "project": "linux", "hash": 298379673674003891390483028015119319144, "size": 198, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431890 }, { "func": "bool save_agg_explain_data(JOIN *join, Explain_select *xpl_sel)\n{\n JOIN_TAB *join_tab=join->join_tab + join->exec_join_tab_cnt();\n Explain_aggr_node *prev_node;\n Explain_aggr_node *node= xpl_sel->aggr_tree;\n bool is_analyze= join->thd->lex->analyze_stmt;\n THD *thd= join->thd;\n\n for (uint i= 0; i < join->aggr_tables; i++, join_tab++)\n {\n // Each aggregate means a temp.table\n prev_node= node;\n if (!(node= new (thd->mem_root) Explain_aggr_tmp_table))\n return 1;\n node->child= prev_node;\n\n if (join_tab->window_funcs_step)\n {\n Explain_aggr_node *new_node= \n join_tab->window_funcs_step->save_explain_plan(thd->mem_root,\n is_analyze);\n if (!new_node)\n return 1;\n\n prev_node=node;\n node= new_node;\n node->child= prev_node;\n }\n\n /* The below matches execution in join_init_read_record() */\n if (join_tab->distinct)\n {\n prev_node= node;\n if (!(node= new (thd->mem_root) Explain_aggr_remove_dups))\n return 1;\n node->child= prev_node;\n }\n\n if (join_tab->filesort)\n {\n Explain_aggr_filesort *eaf =\n new (thd->mem_root) Explain_aggr_filesort(thd->mem_root, is_analyze, join_tab->filesort);\n if (!eaf)\n return 1;\n prev_node= node;\n node= eaf;\n node->child= prev_node;\n }\n }\n xpl_sel->aggr_tree= node;\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 243730028164953613726654424804899987729, "size": 52, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508668 }, { "func": "bool RGWSwiftWebsiteHandler::is_web_dir() const\n{\n std::string subdir_name = url_decode(s->object.name);\n\n /* Remove character from the subdir name if it is \"/\". */\n if (subdir_name.empty()) {\n return false;\n } else if (subdir_name.back() == '/') {\n subdir_name.pop_back();\n }\n\n rgw_obj obj(s->bucket, std::move(subdir_name));\n\n /* First, get attrset of the object we'll try to retrieve. */\n RGWObjectCtx& obj_ctx = *static_cast(s->obj_ctx);\n obj_ctx.set_atomic(obj);\n obj_ctx.set_prefetch_data(obj);\n\n RGWObjState* state = nullptr;\n if (store->get_obj_state(&obj_ctx, s->bucket_info, obj, &state, false) < 0) {\n return false;\n }\n\n /* A nonexistent object cannot be a considered as a marker representing\n * the emulation of catalog in FS hierarchy. */\n if (! state->exists) {\n return false;\n }\n\n /* Decode the content type. */\n std::string content_type;\n get_contype_from_attrs(state->attrset, content_type);\n\n const auto& ws_conf = s->bucket_info.website_conf;\n const std::string subdir_marker = ws_conf.subdir_marker.empty()\n ? 
\"application/directory\"\n : ws_conf.subdir_marker;\n return subdir_marker == content_type && state->size <= 1;\n}", "project": "ceph", "hash": 48255843606487150326028348212204674985, "size": 39, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 1, "dataset": "other", "idx": 211502 }, { "func": "bool RGWSwiftWebsiteHandler::is_web_dir() const\n{\n std::string subdir_name = url_decode(s->object.name);\n\n /* Remove character from the subdir name if it is \"/\". */\n if (subdir_name.empty()) {\n return false;\n } else if (subdir_name.back() == '/') {\n subdir_name.pop_back();\n if (subdir_name.empty()) {\n return false;\n }\n }\n\n rgw_obj obj(s->bucket, std::move(subdir_name));\n\n /* First, get attrset of the object we'll try to retrieve. */\n RGWObjectCtx& obj_ctx = *static_cast(s->obj_ctx);\n obj_ctx.set_atomic(obj);\n obj_ctx.set_prefetch_data(obj);\n\n RGWObjState* state = nullptr;\n if (store->get_obj_state(&obj_ctx, s->bucket_info, obj, &state, false) < 0) {\n return false;\n }\n\n /* A nonexistent object cannot be a considered as a marker representing\n * the emulation of catalog in FS hierarchy. */\n if (! state->exists) {\n return false;\n }\n\n /* Decode the content type. */\n std::string content_type;\n get_contype_from_attrs(state->attrset, content_type);\n\n const auto& ws_conf = s->bucket_info.website_conf;\n const std::string subdir_marker = ws_conf.subdir_marker.empty()\n ? 
\"application/directory\"\n : ws_conf.subdir_marker;\n return subdir_marker == content_type && state->size <= 1;\n}", "project": "ceph", "hash": 298807666171918733354542069578347162633, "size": 42, "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e", "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley \nSigned-off-by: Casey Bodley \n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)", "target": 0, "dataset": "other", "idx": 448852 }, { "func": "bool cond_has_datetime_is_null(Item *cond)\n{\n if (cond_is_datetime_is_null(cond))\n return true;\n\n if (cond->type() == Item::COND_ITEM)\n {\n List *cond_arg_list= ((Item_cond*) cond)->argument_list();\n List_iterator li(*cond_arg_list);\n Item *item;\n while ((item= li++))\n {\n if (cond_has_datetime_is_null(item))\n return true;\n }\n }\n return false;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 144430531609492285539622735797795703789, "size": 18, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508638 }, { "func": "int nfs4_proc_commit(struct file *dst, __u64 offset, __u32 count, struct nfs_commitres *res)\n{\n\tstruct nfs_commitargs args = {\n\t\t.offset = offset,\n\t\t.count = count,\n\t};\n\tstruct nfs_server *dst_server = NFS_SERVER(file_inode(dst));\n\tstruct nfs4_exception exception = { };\n\tint status;\n\n\tdo {\n\t\tstatus = _nfs4_proc_commit(dst, &args, res);\n\t\tstatus = nfs4_handle_exception(dst_server, status, &exception);\n\t} while (exception.retry);\n\n\treturn status;\n}", "project": "linux", "hash": 17673411358441976397004824842677270424, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431143 }, { "func": "static int tiocswinsz(struct tty_struct *tty, struct winsize __user *arg)\n{\n\tstruct winsize tmp_ws;\n\tif (copy_from_user(&tmp_ws, arg, sizeof(*arg)))\n\t\treturn -EFAULT;\n\n\tif (tty->ops->resize)\n\t\treturn tty->ops->resize(tty, &tmp_ws);\n\telse\n\t\treturn tty_do_resize(tty, &tmp_ws);\n}", "project": "linux", "hash": 194453403463654058995716656475386510370, "size": 11, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the 
ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325966 }, { "func": "void Interpreter::saveGenerator(\n Runtime *runtime,\n PinnedHermesValue *frameRegs,\n const Inst *resumeIP) {\n auto *innerFn = vmcast(FRAME.getCalleeClosure());\n innerFn->saveStack(runtime);\n innerFn->setNextIP(resumeIP);\n innerFn->setState(GeneratorInnerFunction::State::SuspendedYield);\n}", "project": "hermes", "hash": 218272726857542645689132817754008944073, "size": 9, "commit_id": "b2021df620824627f5a8c96615edbd1eb7fdddfc", "message": "Fix CVE-2020-1914 by using NEXTINST for SaveGeneratorLong\n\nSummary:\nIf `SaveGeneratorLong` was emitted, it would accidentally jump to the\nwrong next instruction, based on how long SaveGenerator 
was.\n\nMake a callout function to handle the common case, and handle the dispatch\nwithin each case of the interpreter loop.\n\nFixes CVE-2020-1914\n\nReviewed By: neildhar\n\nDifferential Revision: D24024242\n\nfbshipit-source-id: 3bcb88daa740f0d50e91771a49eb212551ce8bd8", "target": 0, "dataset": "other", "idx": 295516 }, { "func": "static void adv_timeout_expire(struct work_struct *work)\n{\n\tstruct hci_dev *hdev = container_of(work, struct hci_dev,\n\t\t\t\t\t adv_instance_expire.work);\n\n\tstruct hci_request req;\n\tu8 instance;\n\n\tbt_dev_dbg(hdev, \"\");\n\n\thci_dev_lock(hdev);\n\n\thdev->adv_instance_timeout = 0;\n\n\tinstance = hdev->cur_adv_instance;\n\tif (instance == 0x00)\n\t\tgoto unlock;\n\n\thci_req_init(&req, hdev);\n\n\thci_req_clear_adv_instance(hdev, NULL, &req, instance, false);\n\n\tif (list_empty(&hdev->adv_instances))\n\t\t__hci_req_disable_advertising(&req);\n\n\thci_req_run(&req, NULL);\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 62026407106328168773833046851906035288, "size": 30, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402554 }, { "func": "static ssize_t min_partial_store(struct kmem_cache *s, const char *buf,\n\t\t\t\t size_t length)\n{\n\tunsigned long min;\n\tint err;\n\n\terr = kstrtoul(buf, 10, &min);\n\tif (err)\n\t\treturn err;\n\n\tset_min_partial(s, min);\n\treturn length;\n}", "project": "linux", "hash": 310130326403496694014921808999734559918, "size": 13, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280107 }, { "func": "static int is_limited_pmc(int pmcnum)\n{\n\treturn (ppmu->flags & PPMU_LIMITED_PMC5_6)\n\t\t&& (pmcnum == 5 || pmcnum == 6);\n}", "project": "linux", "hash": 221036700181896702847862942839906308066, "size": 5, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n 
Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374715 }, { "func": "static void power_pmu_bhrb_read(struct perf_event *event, struct cpu_hw_events *cpuhw)\n{\n\tu64 val;\n\tu64 addr;\n\tint r_index, u_index, pred;\n\n\tr_index = 0;\n\tu_index = 0;\n\twhile (r_index < ppmu->bhrb_nr) {\n\t\t/* Assembly read function */\n\t\tval = read_bhrb(r_index++);\n\t\tif (!val)\n\t\t\t/* Terminal marker: End of valid BHRB entries */\n\t\t\tbreak;\n\t\telse {\n\t\t\taddr = val & BHRB_EA;\n\t\t\tpred = val & BHRB_PREDICTION;\n\n\t\t\tif (!addr)\n\t\t\t\t/* invalid entry */\n\t\t\t\tcontinue;\n\n\t\t\t/*\n\t\t\t * BHRB rolling buffer could very much contain the kernel\n\t\t\t * addresses at this 
point. Check the privileges before\n\t\t\t * exporting it to userspace (avoid exposure of regions\n\t\t\t * where we could have speculative execution)\n\t\t\t * Incase of ISA v3.1, BHRB will capture only user-space\n\t\t\t * addresses, hence include a check before filtering code\n\t\t\t */\n\t\t\tif (!(ppmu->flags & PPMU_ARCH_31) &&\n\t\t\t is_kernel_addr(addr) && event->attr.exclude_kernel)\n\t\t\t\tcontinue;\n\n\t\t\t/* Branches are read most recent first (ie. mfbhrb 0 is\n\t\t\t * the most recent branch).\n\t\t\t * There are two types of valid entries:\n\t\t\t * 1) a target entry which is the to address of a\n\t\t\t * computed goto like a blr,bctr,btar. The next\n\t\t\t * entry read from the bhrb will be branch\n\t\t\t * corresponding to this target (ie. the actual\n\t\t\t * blr/bctr/btar instruction).\n\t\t\t * 2) a from address which is an actual branch. If a\n\t\t\t * target entry proceeds this, then this is the\n\t\t\t * matching branch for that target. If this is not\n\t\t\t * following a target entry, then this is a branch\n\t\t\t * where the target is given as an immediate field\n\t\t\t * in the instruction (ie. an i or b form branch).\n\t\t\t * In this case we need to read the instruction from\n\t\t\t * memory to determine the target/to address.\n\t\t\t */\n\n\t\t\tif (val & BHRB_TARGET) {\n\t\t\t\t/* Target branches use two entries\n\t\t\t\t * (ie. computed gotos/XL form)\n\t\t\t\t */\n\t\t\t\tcpuhw->bhrb_entries[u_index].to = addr;\n\t\t\t\tcpuhw->bhrb_entries[u_index].mispred = pred;\n\t\t\t\tcpuhw->bhrb_entries[u_index].predicted = ~pred;\n\n\t\t\t\t/* Get from address in next entry */\n\t\t\t\tval = read_bhrb(r_index++);\n\t\t\t\taddr = val & BHRB_EA;\n\t\t\t\tif (val & BHRB_TARGET) {\n\t\t\t\t\t/* Shouldn't have two targets in a\n\t\t\t\t\t row.. 
Reset index and try again */\n\t\t\t\t\tr_index--;\n\t\t\t\t\taddr = 0;\n\t\t\t\t}\n\t\t\t\tcpuhw->bhrb_entries[u_index].from = addr;\n\t\t\t} else {\n\t\t\t\t/* Branches to immediate field \n\t\t\t\t (ie I or B form) */\n\t\t\t\tcpuhw->bhrb_entries[u_index].from = addr;\n\t\t\t\tcpuhw->bhrb_entries[u_index].to =\n\t\t\t\t\tpower_pmu_bhrb_to(addr);\n\t\t\t\tcpuhw->bhrb_entries[u_index].mispred = pred;\n\t\t\t\tcpuhw->bhrb_entries[u_index].predicted = ~pred;\n\t\t\t}\n\t\t\tu_index++;\n\n\t\t}\n\t}\n\tcpuhw->bhrb_stack.nr = u_index;\n\tcpuhw->bhrb_stack.hw_idx = -1ULL;\n\treturn;\n}", "project": "linux", "hash": 209004380930638341185453537754647459725, "size": 87, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374728 }, { "func": "static inline void power_pmu_bhrb_read(struct perf_event *event, struct cpu_hw_events *cpuhw) {}", "project": "linux", "hash": 192564218103549110426633033088982712214, "size": 1, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374729 }, { "func": "static int kill_something_info(int sig, struct kernel_siginfo *info, pid_t pid)\n{\n\tint ret;\n\n\tif (pid > 0) {\n\t\trcu_read_lock();\n\t\tret = kill_pid_info(sig, info, find_vpid(pid));\n\t\trcu_read_unlock();\n\t\treturn ret;\n\t}\n\n\t/* -INT_MIN is undefined. Exclude this case to avoid a UBSAN warning */\n\tif (pid == INT_MIN)\n\t\treturn -ESRCH;\n\n\tread_lock(&tasklist_lock);\n\tif (pid != -1) {\n\t\tret = __kill_pgrp_info(sig, info,\n\t\t\t\tpid ? find_vpid(-pid) : task_pgrp(current));\n\t} else {\n\t\tint retval = 0, count = 0;\n\t\tstruct task_struct * p;\n\n\t\tfor_each_process(p) {\n\t\t\tif (task_pid_vnr(p) > 1 &&\n\t\t\t\t\t!same_thread_group(p, current)) {\n\t\t\t\tint err = group_send_sig_info(sig, info, p,\n\t\t\t\t\t\t\t PIDTYPE_MAX);\n\t\t\t\t++count;\n\t\t\t\tif (err != -EPERM)\n\t\t\t\t\tretval = err;\n\t\t\t}\n\t\t}\n\t\tret = count ? retval : -ESRCH;\n\t}\n\tread_unlock(&tasklist_lock);\n\n\treturn ret;\n}", "project": "linux", "hash": 314737051425769758627596268490139058843, "size": 39, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375295 }, { "func": " Item_default_value(THD *thd, Name_resolution_context *context_arg, Field *a)\n :Item_field(thd, context_arg, (const char *)NULL, (const char *)NULL,\n (const char *)NULL),\n arg(NULL),cached_field(NULL) {}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 53237587457669563062953012615844575226, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509094 }, { "func": "static void fuse_short_read(struct inode *inode, u64 attr_ver, size_t num_read,\n\t\t\t struct fuse_args_pages *ap)\n{\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\n\tif (fc->writeback_cache) {\n\t\t/*\n\t\t * A hole in a file. Some data after the hole are in page cache,\n\t\t * but have not reached the client fs yet. 
So, the hole is not\n\t\t * present there.\n\t\t */\n\t\tint i;\n\t\tint start_idx = num_read >> PAGE_SHIFT;\n\t\tsize_t off = num_read & (PAGE_SIZE - 1);\n\n\t\tfor (i = start_idx; i < ap->num_pages; i++) {\n\t\t\tzero_user_segment(ap->pages[i], off, PAGE_SIZE);\n\t\t\toff = 0;\n\t\t}\n\t} else {\n\t\tloff_t pos = page_offset(ap->pages[0]) + num_read;\n\t\tfuse_read_update_size(inode, pos, attr_ver);\n\t}\n}", "project": "linux", "hash": 80274429305823749840897078641816054056, "size": 24, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342052 }, { "func": "R_API int r_socket_puts(RSocket *s, char *buf) {\n\treturn -1;\n}", "project": "radare2", "hash": 8327122062186769847510349402188500281, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269086 }, { "func": "R_API int r_socket_puts(RSocket *s, char *buf) {\n\treturn r_socket_write (s, buf, strlen (buf));\n}", "project": "radare2", "hash": 131534192050646460649692657447941701576, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269089 }, { "func": "static void nfs4_layoutget_release(void *calldata)\n{\n\tstruct nfs4_layoutget *lgp = calldata;\n\n\tdprintk(\"--> %s\\n\", __func__);\n\tnfs4_sequence_free_slot(&lgp->res.seq_res);\n\tpnfs_layoutget_free(lgp);\n\tdprintk(\"<-- %s\\n\", __func__);\n}", "project": "linux", "hash": 122410332286975959957120735461693290632, "size": 9, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431318 }, { "func": "create_thread_context(blosc2_context* context, int32_t tid) {\n struct thread_context* thread_context;\n thread_context = (struct thread_context*)my_malloc(sizeof(struct thread_context));\n init_thread_context(thread_context, context, tid);\n return thread_context;\n}", "project": "c-blosc2", "hash": 286815443014150795397918115977890246092, "size": 6, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 
303095 }, { "func": "static void init_thread_context(struct thread_context* thread_context, blosc2_context* context, int32_t tid)\n{\n int32_t ebsize;\n\n thread_context->parent_context = context;\n thread_context->tid = tid;\n\n ebsize = context->blocksize + context->typesize * (int32_t)sizeof(int32_t);\n thread_context->tmp_nbytes = (size_t)3 * context->blocksize + ebsize;\n thread_context->tmp = my_malloc(thread_context->tmp_nbytes);\n thread_context->tmp2 = thread_context->tmp + context->blocksize;\n thread_context->tmp3 = thread_context->tmp + context->blocksize + ebsize;\n thread_context->tmp4 = thread_context->tmp + 2 * context->blocksize + ebsize;\n thread_context->tmp_blocksize = context->blocksize;\n #if defined(HAVE_ZSTD)\n thread_context->zstd_cctx = NULL;\n thread_context->zstd_dctx = NULL;\n #endif\n\n /* Create the hash table for LZ4 in case we are using IPP */\n#ifdef HAVE_IPP\n IppStatus status;\n int inlen = thread_context->tmp_blocksize > 0 ? thread_context->tmp_blocksize : 1 << 16;\n int hash_size = 0;\n status = ippsEncodeLZ4HashTableGetSize_8u(&hash_size);\n if (status != ippStsNoErr) {\n fprintf(stderr, \"Error in ippsEncodeLZ4HashTableGetSize_8u\");\n }\n Ipp8u *hash_table = ippsMalloc_8u(hash_size);\n status = ippsEncodeLZ4HashTableInit_8u(hash_table, inlen);\n if (status != ippStsNoErr) {\n fprintf(stderr, \"Error in ippsEncodeLZ4HashTableInit_8u\");\n }\n thread_context->lz4_hash_table = hash_table;\n#endif\n}", "project": "c-blosc2", "hash": 17809279518761208114208506679269008343, "size": 36, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303127 }, { "func": "\nstatic sector_t bfq_io_struct_pos(void *io_struct, bool request)\n{\n\tif (request)\n\t\treturn blk_rq_pos(io_struct);\n\telse\n\t\treturn ((struct bio *)io_struct)->bi_iter.bi_sector;", "project": "linux", "hash": 
159981624133097695590050318543460519025, "size": 7, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] 
__handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] 
el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453342 }, { "func": "void 
add_input_randomness(unsigned int type, unsigned int code,\n\t\t\t\t unsigned int value)\n{\n\tstatic unsigned char last_value;\n\n\t/* ignore autorepeat and the like */\n\tif (value == last_value)\n\t\treturn;\n\n\tDEBUG_ENT(\"input event\\n\");\n\tlast_value = value;\n\tadd_timer_randomness(&input_timer_state,\n\t\t\t (type << 4) ^ code ^ (code >> 4) ^ value);\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 39949940238324606318685766735706948276, "size": 14, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. 
I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499913 }, { "func": "const void* glyph_cache_fragment_get(rdpGlyphCache* glyphCache, UINT32 index, UINT32* size)\n{\n\tvoid* fragment;\n\n\tif (index > 255)\n\t{\n\t\tWLog_ERR(TAG, \"invalid glyph cache fragment index: %\" PRIu32 \"\", index);\n\t\treturn NULL;\n\t}\n\n\tfragment = glyphCache->fragCache.entries[index].fragment;\n\t*size = (BYTE)glyphCache->fragCache.entries[index].size;\n\tWLog_Print(glyphCache->log, WLOG_DEBUG,\n\t \"GlyphCacheFragmentGet: index: %\" PRIu32 \" size: %\" PRIu32 \"\", index, *size);\n\n\tif (!fragment)\n\t\tWLog_ERR(TAG, \"invalid glyph fragment at index:%\" PRIu32 \"\", index);\n\n\treturn fragment;\n}", "project": "FreeRDP", "hash": 2793180009683217512021450344170662493, "size": 20, "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d", "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.", "target": 0, "dataset": "other", "idx": 432866 }, { "func": "void * processing_thread(void *_thread_id) {\n long thread_id = (long) _thread_id;\n char pcap_error_buffer[PCAP_ERRBUF_SIZE];\n\n#if defined(linux) && defined(HAVE_PTHREAD_SETAFFINITY_NP)\n if(core_affinity[thread_id] >= 0) {\n cpu_set_t cpuset;\n\n CPU_ZERO(&cpuset);\n CPU_SET(core_affinity[thread_id], &cpuset);\n\n if(pthread_setaffinity_np(pthread_self(), sizeof(cpu_set_t), &cpuset) != 0)\n fprintf(stderr, \"Error while binding thread %ld to core %d\\n\", thread_id, core_affinity[thread_id]);\n else {\n if((!quiet_mode)) printf(\"Running thread %ld on core %d...\\n\", thread_id, core_affinity[thread_id]);\n }\n } else\n#endif\n if((!quiet_mode)) printf(\"Running thread %ld...\\n\", thread_id);\n\n#ifdef USE_DPDK\n while(dpdk_run_capture) {\n struct rte_mbuf 
*bufs[BURST_SIZE];\n u_int16_t num = rte_eth_rx_burst(dpdk_port_id, 0, bufs, BURST_SIZE);\n u_int i;\n\n if(num == 0) {\n usleep(1);\n continue;\n }\n\n for(i = 0; i < PREFETCH_OFFSET && i < num; i++)\n rte_prefetch0(rte_pktmbuf_mtod(bufs[i], void *));\n\n for(i = 0; i < num; i++) {\n char *data = rte_pktmbuf_mtod(bufs[i], char *);\n int len = rte_pktmbuf_pkt_len(bufs[i]);\n struct pcap_pkthdr h;\n\n h.len = h.caplen = len;\n gettimeofday(&h.ts, NULL);\n\n ndpi_process_packet((u_char*)&thread_id, &h, (const u_char *)data);\n rte_pktmbuf_free(bufs[i]);\n }\n }\n#else\npcap_loop:\n runPcapLoop(thread_id);\n\n if(playlist_fp[thread_id] != NULL) { /* playlist: read next file */\n char filename[256];\n\n if(getNextPcapFileFromPlaylist(thread_id, filename, sizeof(filename)) == 0 &&\n (ndpi_thread_info[thread_id].workflow->pcap_handle = pcap_open_offline(filename, pcap_error_buffer)) != NULL) {\n configurePcapHandle(ndpi_thread_info[thread_id].workflow->pcap_handle);\n goto pcap_loop;\n }\n }\n#endif\n\n return NULL;\n}", "project": "nDPI", "hash": 337306268146097381272302203642292098117, "size": 63, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254814 }, { "func": "static void encode_reclaim_complete(struct xdr_stream *xdr,\n\t\t\t\t const struct nfs41_reclaim_complete_args *args,\n\t\t\t\t struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_RECLAIM_COMPLETE, decode_reclaim_complete_maxsz, hdr);\n\tencode_uint32(xdr, args->one_fs);\n}", "project": "linux", "hash": 58101713702888187186266515551406161724, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large 
enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431453 }, { "func": "static int pipe_skb_send(struct sock *sk, struct sk_buff *skb)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tstruct pnpipehdr *ph;\n\tint err;\n\n\tif (pn_flow_safe(pn->tx_fc) &&\n\t !atomic_add_unless(&pn->tx_credits, -1, 0)) {\n\t\tkfree_skb(skb);\n\t\treturn -ENOBUFS;\n\t}\n\n\tskb_push(skb, 3 + pn->aligned);\n\tskb_reset_transport_header(skb);\n\tph = pnp_hdr(skb);\n\tph->utid = 0;\n\tif (pn->aligned) {\n\t\tph->message_id = PNS_PIPE_ALIGNED_DATA;\n\t\tph->data0 = 0; /* padding */\n\t} else\n\t\tph->message_id = PNS_PIPE_DATA;\n\tph->pipe_handle = pn->pipe_handle;\n\terr = pn_skb_send(sk, skb, NULL);\n\n\tif (err && pn_flow_safe(pn->tx_fc))\n\t\tatomic_inc(&pn->tx_credits);\n\treturn err;\n\n}", "project": "linux", "hash": 339863323858225066475063485138120856084, "size": 29, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224798 }, { "func": "}\n\nstruct iscsi_cls_session *\niscsi_alloc_session(struct Scsi_Host *shost, struct iscsi_transport *transport,\n\t\t int dd_size)\n{\n\tstruct iscsi_cls_session *session;\n\n\tsession = kzalloc(sizeof(*session) + dd_size,\n\t\t\t GFP_KERNEL);\n\tif (!session)\n\t\treturn NULL;\n\n\tsession->transport = transport;\n\tsession->creator = -1;\n\tsession->recovery_tmo = 120;\n\tsession->recovery_tmo_sysfs_override = false;\n\tsession->state = 
ISCSI_SESSION_FREE;\n\tINIT_DELAYED_WORK(&session->recovery_work, session_recovery_timedout);\n\tINIT_LIST_HEAD(&session->sess_list);\n\tINIT_WORK(&session->unblock_work, __iscsi_unblock_session);\n\tINIT_WORK(&session->block_work, __iscsi_block_session);\n\tINIT_WORK(&session->unbind_work, __iscsi_unbind_session);\n\tINIT_WORK(&session->scan_work, iscsi_scan_session);\n\tINIT_WORK(&session->destroy_work, __iscsi_destroy_session);\n\tspin_lock_init(&session->lock);\n\n\t/* this is released in the dev's release function */\n\tscsi_host_get(shost);\n\tsession->dev.parent = &shost->shost_gendev;\n\tsession->dev.release = iscsi_session_release;\n\tdevice_initialize(&session->dev);\n\tif (dd_size)\n\t\tsession->dd_data = &session[1];\n", "project": "linux", "hash": 319716366590289742392495677738759403262, "size": 35, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379939 }, { "func": "static int instance_rmdir(const char *name)\n{\n\tstruct trace_array *tr;\n\tint found = 0;\n\tint ret;\n\tint i;\n\n\tmutex_lock(&event_mutex);\n\tmutex_lock(&trace_types_lock);\n\n\tret = -ENODEV;\n\tlist_for_each_entry(tr, &ftrace_trace_arrays, list) {\n\t\tif (tr->name && strcmp(tr->name, name) == 0) {\n\t\t\tfound = 1;\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (!found)\n\t\tgoto out_unlock;\n\n\tret = -EBUSY;\n\tif (tr->ref || (tr->current_trace && tr->current_trace->ref))\n\t\tgoto out_unlock;\n\n\tlist_del(&tr->list);\n\n\t/* Disable all the flags that were enabled coming in */\n\tfor (i = 0; i < TRACE_FLAGS_MAX_SIZE; i++) {\n\t\tif ((1 << i) & ZEROED_TRACE_FLAGS)\n\t\t\tset_tracer_flag(tr, 1 << i, 0);\n\t}\n\n\ttracing_set_nop(tr);\n\tclear_ftrace_function_probes(tr);\n\tevent_trace_del_tracer(tr);\n\tftrace_clear_pids(tr);\n\tftrace_destroy_function_files(tr);\n\ttracefs_remove_recursive(tr->dir);\n\tfree_trace_buffers(tr);\n\n\tfor (i = 0; i < tr->nr_topts; i++) {\n\t\tkfree(tr->topts[i].topts);\n\t}\n\tkfree(tr->topts);\n\n\tfree_cpumask_var(tr->tracing_cpumask);\n\tkfree(tr->name);\n\tkfree(tr);\n\n\tret = 0;\n\n out_unlock:\n\tmutex_unlock(&trace_types_lock);\n\tmutex_unlock(&event_mutex);\n\n\treturn ret;\n}", "project": "linux", "hash": 191284367982024758878676295541751388706, "size": 57, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445583 }, { "func": "static unsigned long kvm_s390_fac_size(void)\n{\n\tBUILD_BUG_ON(SIZE_INTERNAL > S390_ARCH_FAC_MASK_SIZE_U64);\n\tBUILD_BUG_ON(SIZE_INTERNAL > S390_ARCH_FAC_LIST_SIZE_U64);\n\tBUILD_BUG_ON(SIZE_INTERNAL * sizeof(unsigned long) >\n\t\tsizeof(S390_lowcore.stfle_fac_list));\n\n\treturn SIZE_INTERNAL;\n}", "project": "linux", "hash": 224012164336747121273601636218610564541, "size": 9, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354566 }, { "func": "static int synic_get_msr(struct kvm_vcpu_hv_synic *synic, u32 msr, u64 *pdata,\n\t\t\t bool host)\n{\n\tint ret;\n\n\tif (!synic->active && !host)\n\t\treturn 1;\n\n\tret = 0;\n\tswitch (msr) {\n\tcase HV_X64_MSR_SCONTROL:\n\t\t*pdata = synic->control;\n\t\tbreak;\n\tcase HV_X64_MSR_SVERSION:\n\t\t*pdata = synic->version;\n\t\tbreak;\n\tcase HV_X64_MSR_SIEFP:\n\t\t*pdata = synic->evt_page;\n\t\tbreak;\n\tcase 
HV_X64_MSR_SIMP:\n\t\t*pdata = synic->msg_page;\n\t\tbreak;\n\tcase HV_X64_MSR_EOM:\n\t\t*pdata = 0;\n\t\tbreak;\n\tcase HV_X64_MSR_SINT0 ... HV_X64_MSR_SINT15:\n\t\t*pdata = atomic64_read(&synic->sint[msr - HV_X64_MSR_SINT0]);\n\t\tbreak;\n\tdefault:\n\t\tret = 1;\n\t\tbreak;\n\t}\n\treturn ret;\n}", "project": "linux", "hash": 14877755549854221976355761186635893860, "size": 34, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343486 }, { "func": "static_fn Sfdouble_t arith(const char **ptr, struct lval *lvalue, int type, Sfdouble_t n) {\n Shell_t *shp = lvalue->shp;\n Sfdouble_t r = 0;\n char *str = (char *)*ptr;\n char *cp;\n\n switch (type) {\n case ASSIGN: {\n Namval_t *np = (Namval_t *)(lvalue->value);\n np = scope(np, lvalue, 1);\n nv_putval(np, (char *)&n, NV_LDOUBLE);\n if (lvalue->eflag) lvalue->ptr = nv_hasdisc(np, &ENUM_disc);\n lvalue->eflag = 0;\n r = nv_getnum(np);\n lvalue->value = (char *)np;\n break;\n }\n case LOOKUP: {\n int c = *str;\n char *xp = str;\n lvalue->value = NULL;\n if (c == '.') str++;\n c = mb1char(&str);\n if (isaletter(c)) {\n Namval_t *np = NULL;\n int dot = 0;\n while (1) {\n xp = str;\n while (c = mb1char(&str), isaname(c)) xp = str;\n str = xp;\n while (c == '[' && dot == NV_NOADD) {\n str = nv_endsubscript(NULL, str, 0, shp);\n c = *str;\n }\n if (c != '.') break;\n dot = NV_NOADD;\n c = *++str;\n if (c != '[') continue;\n str = nv_endsubscript(NULL, cp = str, NV_SUBQUOTE, shp) - 1;\n if (sh_checkid(cp + 1, NULL)) str -= 2;\n }\n if (c == '(') {\n int off = stktell(shp->stk);\n int fsize = str - (char *)(*ptr);\n const struct mathtab *tp;\n Namval_t *nq;\n lvalue->fun = NULL;\n sfprintf(shp->stk, \".sh.math.%.*s%c\", fsize, *ptr, 0);\n stkseek(shp->stk, off);\n nq = nv_search(stkptr(shp->stk, off), shp->fun_tree, 0);\n if (nq) {\n struct Ufunction *rp = FETCH_VT(nq->nvalue, rp);\n lvalue->nargs = -rp->argc;\n lvalue->fun = (Math_f)nq;\n break;\n }\n if (fsize <= (sizeof(tp->fname) - 2)) {\n lvalue->fun = 
(Math_f)sh_mathstdfun(*ptr, fsize, &lvalue->nargs);\n }\n if (lvalue->fun) break;\n if (lvalue->emode & ARITH_COMP) {\n lvalue->value = (char *)e_function;\n } else {\n lvalue->value = (char *)ERROR_dictionary(e_function);\n }\n return r;\n }\n if ((lvalue->emode & ARITH_COMP) && dot) {\n lvalue->value = (char *)*ptr;\n lvalue->flag = str - lvalue->value;\n break;\n }\n *str = 0;\n if (sh_isoption(shp, SH_NOEXEC)) {\n np = VAR_underscore;\n } else {\n int offset = stktell(shp->stk);\n char *saveptr = stkfreeze(shp->stk, 0);\n Dt_t *root = (lvalue->emode & ARITH_COMP) ? shp->var_base : shp->var_tree;\n *str = c;\n cp = str;\n while (c == '[' || c == '.') {\n if (c == '[') {\n str = nv_endsubscript(np, str, 0, shp);\n c = *str;\n if (c != '[' && c != '.') {\n str = cp;\n c = '[';\n break;\n }\n } else {\n dot = NV_NOADD | NV_NOFAIL;\n str++;\n xp = str;\n while (c = mb1char(&str), isaname(c)) xp = str;\n str = xp;\n }\n }\n *str = 0;\n cp = (char *)*ptr;\n Varsubscript = false;\n if ((cp[0] == 'i' || cp[0] == 'I') && (cp[1] == 'n' || cp[1] == 'N') &&\n (cp[2] == 'f' || cp[2] == 'F') && cp[3] == 0) {\n Inf = strtold(\"Inf\", NULL);\n STORE_VT(Infnod.nvalue, sfdoublep, &Inf);\n np = &Infnod;\n np->nvshell = shp;\n nv_onattr(np, NV_NOFREE | NV_LDOUBLE | NV_RDONLY);\n } else if ((cp[0] == 'n' || cp[0] == 'N') && (cp[1] == 'a' || cp[1] == 'A') &&\n (cp[2] == 'n' || cp[2] == 'N') && cp[3] == 0) {\n NaN = strtold(\"NaN\", NULL);\n STORE_VT(NaNnod.nvalue, sfdoublep, &NaN);\n np = &NaNnod;\n np->nvshell = shp;\n nv_onattr(np, NV_NOFREE | NV_LDOUBLE | NV_RDONLY);\n } else {\n const struct Mathconst *mp = NULL;\n np = NULL;\n if (strchr(\"ELPS12\", **ptr)) {\n for (mp = Mtable; *mp->name; mp++) {\n if (strcmp(mp->name, *ptr) == 0) break;\n }\n }\n if (mp && *mp->name) {\n r = mp->value;\n lvalue->isfloat = TYPE_LD;\n goto skip2;\n }\n if (shp->namref_root && !(lvalue->emode & ARITH_COMP)) {\n np = nv_open(*ptr, shp->namref_root,\n NV_NOREF | NV_VARNAME | NV_NOSCOPE | NV_NOADD | 
dot);\n }\n if (!np) {\n np = nv_open(*ptr, root, NV_NOREF | NV_VARNAME | dot);\n }\n if (!np || Varsubscript) {\n np = NULL;\n lvalue->value = (char *)*ptr;\n lvalue->flag = str - lvalue->value;\n }\n }\n skip2:\n if (saveptr != stkptr(shp->stk, 0)) {\n stkset(shp->stk, saveptr, offset);\n } else {\n stkseek(shp->stk, offset);\n }\n }\n *str = c;\n if (lvalue->isfloat == TYPE_LD) break;\n if (!np) break; // this used to also test `&& lvalue->value` but that's redundant\n lvalue->value = (char *)np;\n // Bind subscript later.\n if (nv_isattr(np, NV_DOUBLE) == NV_DOUBLE) lvalue->isfloat = 1;\n lvalue->flag = 0;\n if (c == '[') {\n lvalue->flag = (str - lvalue->expr);\n do {\n while (c == '.') {\n str++;\n while (xp = str, c = mb1char(&str), isaname(c)) {\n ; // empty body\n }\n c = *(str = xp);\n }\n if (c == '[') str = nv_endsubscript(np, str, 0, np->nvshell);\n c = *str;\n } while (c == '[' || c == '.');\n break;\n }\n } else {\n r = number(xp, &str, 0, lvalue);\n }\n break;\n }\n case VALUE: {\n Namval_t *np = (Namval_t *)(lvalue->value);\n Namarr_t *ap;\n if (sh_isoption(shp, SH_NOEXEC)) return 0;\n np = scope(np, lvalue, 0);\n if (!np) {\n if (sh_isoption(shp, SH_NOUNSET)) {\n *ptr = lvalue->value;\n goto skip;\n }\n return 0;\n }\n lvalue->ovalue = (char *)np;\n if (lvalue->eflag) {\n lvalue->ptr = nv_hasdisc(np, &ENUM_disc);\n } else if ((Namfun_t *)lvalue->ptr && !nv_hasdisc(np, &ENUM_disc) &&\n !nv_isattr(np, NV_INTEGER)) {\n // TODO: The calloc() below should be considered a bandaid and may not be correct.\n // See https://github.com/att/ast/issues/980. This dynamic allocation may leak some\n // memory but that is preferable to referencing a stack var after this function\n // returns. 
I think I have addressed this by removing the NV_NOFREE flag but I'm\n // leaving this comment due to my low confidence.\n Namval_t *mp = ((Namfun_t *)lvalue->ptr)->type;\n Namval_t *node = calloc(1, sizeof(Namval_t));\n nv_clone(mp, node, 0);\n nv_offattr(node, NV_NOFREE);\n nv_offattr(node, NV_RDONLY);\n nv_putval(node, np->nvname, 0);\n\n if (nv_isattr(node, NV_NOFREE)) return nv_getnum(node);\n }\n lvalue->eflag = 0;\n if (((lvalue->emode & 2) || lvalue->level > 1 ||\n (lvalue->nextop != A_STORE && sh_isoption(shp, SH_NOUNSET))) &&\n nv_isnull(np) && !nv_isattr(np, NV_INTEGER)) {\n *ptr = nv_name(np);\n skip:\n lvalue->value = (char *)ERROR_dictionary(e_notset);\n lvalue->emode |= 010;\n return 0;\n }\n if (lvalue->userfn) {\n ap = nv_arrayptr(np);\n if (ap && (ap->flags & ARRAY_UNDEF)) {\n r = (Sfdouble_t)(uintptr_t)np;\n lvalue->isfloat = 5;\n return r;\n }\n }\n r = nv_getnum(np);\n if (nv_isattr(np, NV_INTEGER | NV_BINARY) == (NV_INTEGER | NV_BINARY)) {\n lvalue->isfloat = (r != (Sflong_t)r) ? 
TYPE_LD : 0;\n } else if (nv_isattr(np, (NV_DOUBLE | NV_SHORT)) == (NV_DOUBLE | NV_SHORT)) {\n lvalue->isfloat = TYPE_F;\n r = (float)r;\n } else if (nv_isattr(np, (NV_DOUBLE | NV_LONG)) == (NV_DOUBLE | NV_LONG)) {\n lvalue->isfloat = TYPE_LD;\n } else if (nv_isattr(np, NV_DOUBLE) == NV_DOUBLE) {\n lvalue->isfloat = TYPE_D;\n r = (double)r;\n }\n if ((lvalue->emode & ARITH_ASSIGNOP) && nv_isarray(np)) {\n lvalue->nosub = nv_aindex(np) + 1;\n }\n return r;\n }\n case MESSAGE: {\n sfsync(NULL);\n if (lvalue->emode & ARITH_COMP) return -1;\n\n errormsg(SH_DICT, ERROR_exit((lvalue->emode & 3) != 0), lvalue->value, *ptr);\n }\n }\n *ptr = str;\n return r;\n}", "project": "ast", "hash": 196949596544977779975318592555014516975, "size": 251, "commit_id": "c7de8b641266bac7c77942239ac659edfee9ecd2", "message": "Harden env var imports", "target": 0, "dataset": "other", "idx": 321868 }, { "func": " bool chunked() const { return has(Http::HdrType::TRANSFER_ENCODING); }", "project": "squid", "hash": 15916918782205596423563831724075527022, "size": 1, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402326 }, { "func": "static int sctp_setsockopt_hmac_ident(struct sock *sk,\n\t\t\t\t struct sctp_hmacalgo *hmacs,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_endpoint *ep = sctp_sk(sk)->ep;\n\tu32 idents;\n\n\tif (!ep->auth_enable)\n\t\treturn -EACCES;\n\n\tif (optlen < sizeof(struct sctp_hmacalgo))\n\t\treturn -EINVAL;\n\toptlen = min_t(unsigned int, optlen, sizeof(struct sctp_hmacalgo) +\n\t\t\t\t\t SCTP_AUTH_NUM_HMACS * sizeof(u16));\n\n\tidents = hmacs->shmac_num_idents;\n\tif (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||\n\t (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo)))\n\t\treturn -EINVAL;\n\n\treturn sctp_auth_ep_set_hmacs(ep, hmacs);\n}", "project": "linux", "hash": 110602363863652534194560927161920751944, "size": 22, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398109 }, { "func": "static void ovfx2_configure(struct sd *sd)\n{\n\tstatic const struct ov_regvals init_fx2[] = {\n\t\t{ 0x00, 0x60 },\n\t\t{ 0x02, 0x01 },\n\t\t{ 0x0f, 0x1d },\n\t\t{ 0xe9, 0x82 },\n\t\t{ 0xea, 0xc7 },\n\t\t{ 0xeb, 0x10 },\n\t\t{ 0xec, 0xf6 },\n\t};\n\n\tsd->stopped = 1;\n\n\twrite_regvals(sd, init_fx2, ARRAY_SIZE(init_fx2));\n}", "project": "linux", "hash": 38975565269575246008869332548013126290, "size": 16, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306331 }, { "func": "static ssize_t validate_store(struct kmem_cache *s,\n\t\t\tconst char *buf, size_t length)\n{\n\tint ret = -EINVAL;\n\n\tif (buf[0] == '1') {\n\t\tret = validate_slab_cache(s);\n\t\tif (ret >= 0)\n\t\t\tret = 
length;\n\t}\n\treturn ret;\n}", "project": "linux", "hash": 182566611780587657191089862200985613654, "size": 12, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280222 }, { "func": "static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)\n{\n\t/* Applicable to UDP-style socket only */\n\tif (sctp_style(sk, TCP))\n\t\treturn -EOPNOTSUPP;\n\tif (len < sizeof(int))\n\t\treturn -EINVAL;\n\tlen = sizeof(int);\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\tif (put_user(sctp_sk(sk)->autoclose, (int __user *)optval))\n\t\treturn -EFAULT;\n\treturn 0;\n}", "project": "linux", "hash": 165776810905907828417998963358805485554, "size": 14, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398173 }, { "func": "static inline rsRetVal tdlPop(qqueue_t *pQueue)\n{\n\ttoDeleteLst_t *pRemove;\n\tDEFiRet;\n\n\tISOBJ_TYPE_assert(pQueue, qqueue);\n\tassert(pQueue->toDeleteLst != NULL);\n\n\tpRemove = pQueue->toDeleteLst;\n\tpQueue->toDeleteLst = pQueue->toDeleteLst->pNext;\n\tfree(pRemove);\n\n\tRETiRet;\n}", "project": "rsyslog", "hash": 100842493317240356168692425511411891635, "size": 14, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373748 }, { "func": "R_API char *r_str_r2_prefix(const char *str) {\n\treturn r_str_newf (\"%s%s%s\", r_sys_prefix (NULL), R_SYS_DIR, str);\n}", "project": "radare2", "hash": 85004473781251241012879600796922577954, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* 
r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268945 }, { "func": "R_API char *r_socket_to_string(RSocket *s) {\n#if __WINDOWS__\n\treturn r_str_newf (\"fd%d\", (int)(size_t)s->fd);\n#elif __UNIX__\n\tchar *str = NULL;\n\tstruct sockaddr sa;\n\tsocklen_t sl = sizeof (sa);\n\tmemset (&sa, 0, sizeof (sa));\n\tif (!getpeername (s->fd, &sa, &sl)) {\n\t\tstruct sockaddr_in *sain = (struct sockaddr_in*) &sa;\n\t\tut8 *a = (ut8*) &(sain->sin_addr);\n\t\tif ((str = malloc (32))) {\n\t\t\tsprintf (str, \"%d.%d.%d.%d:%d\",\n\t\t\t\ta[0], a[1], a[2], a[3], ntohs (sain->sin_port));\n\t\t}\n\t} else {\n\t\teprintf (\"getperrname: failed\\n\"); //r_sys_perror (\"getpeername\");\n\t}\n\treturn str;\n#else\n\treturn NULL;\n#endif\n}", "project": "radare2", "hash": 145187393063728508056899460491537254621, "size": 23, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if 
req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269082 }, { "func": "static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)\n{\n\tu64 flags, mode;\n\n\tif (req->flags & REQ_F_NEED_CLEANUP)\n\t\treturn 0;\n\tmode = READ_ONCE(sqe->len);\n\tflags = READ_ONCE(sqe->open_flags);\n\treq->open.how = build_open_how(flags, mode);\n\treturn __io_openat_prep(req, sqe);\n}", "project": "linux", "hash": 96061966544913074980692852009400366467, "size": 11, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456961 }, { "func": "static int nfs4_read_done_cb(struct rpc_task *task, struct nfs_pgio_header *hdr)\n{\n\tstruct nfs_server *server = NFS_SERVER(hdr->inode);\n\n\ttrace_nfs4_read(hdr, task->tk_status);\n\tif (task->tk_status < 0) {\n\t\tstruct nfs4_exception exception = {\n\t\t\t.inode = hdr->inode,\n\t\t\t.state = 
hdr->args.context->state,\n\t\t\t.stateid = &hdr->args.stateid,\n\t\t};\n\t\ttask->tk_status = nfs4_async_handle_exception(task,\n\t\t\t\tserver, task->tk_status, &exception);\n\t\tif (exception.retry) {\n\t\t\trpc_restart_call_prepare(task);\n\t\t\treturn -EAGAIN;\n\t\t}\n\t}\n\n\tif (task->tk_status > 0)\n\t\trenew_lease(server, hdr->timestamp);\n\treturn 0;\n}", "project": "linux", "hash": 107979665852061042114090744795122215406, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430978 }, { "func": "ExecutionStatus JSObject::getComputedPrimitiveDescriptor(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle,\n MutableHandle &propObj,\n ComputedPropertyDescriptor &desc) {\n assert(\n !nameValHandle->isObject() &&\n \"nameValHandle passed to \"\n \"getComputedPrimitiveDescriptor cannot \"\n \"be an object\");\n\n propObj = selfHandle.get();\n\n SymbolID id{};\n\n GCScopeMarkerRAII marker{runtime};\n do {\n // A proxy is ignored here so we can check the bit later and\n // return it back to the caller for additional processing.\n\n Handle loopHandle = propObj;\n\n CallResult res = getOwnComputedPrimitiveDescriptorImpl(\n loopHandle, runtime, nameValHandle, IgnoreProxy::Yes, id, desc);\n if (LLVM_UNLIKELY(res == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n if (*res) {\n return ExecutionStatus::RETURNED;\n }\n\n if (LLVM_UNLIKELY(propObj->flags_.hostObject)) {\n desc.flags.hostObject = true;\n desc.flags.writable = true;\n return ExecutionStatus::RETURNED;\n }\n if 
(LLVM_UNLIKELY(propObj->flags_.proxyObject)) {\n desc.flags.proxyObject = true;\n return ExecutionStatus::RETURNED;\n }\n // This isn't a proxy, so use the faster getParent() instead of\n // getPrototypeOf.\n propObj = propObj->getParent(runtime);\n // Flush at the end of the loop to allow first iteration to be as fast as\n // possible.\n marker.flush();\n } while (propObj);\n return ExecutionStatus::RETURNED;\n}", "project": "hermes", "hash": 125950904587244558987886346052047846638, "size": 50, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. 
The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230238 }, { "func": "int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)\n{\n if (buffer == NULL) {\n return -1;\n }\n\n buffer_verify(buffer);\n\n if (buffer->secure && buffer->allocated > 0) {\n explicit_bzero(buffer->data, buffer->allocated);\n }\n buffer->used = 0;\n buffer->pos = 0;\n\n /* If the buffer is bigger then 64K, reset it to 64K */\n if (buffer->allocated > 65536) {\n int rc;\n\n /* -1 for realloc_buffer magic */\n rc = realloc_buffer(buffer, 65536 - 1);\n if (rc != 0) {\n return -1;\n }\n }\n\n buffer_verify(buffer);\n\n return 0;\n}", "project": "libssh-mirror", "hash": 134838858705807398173344886852430515517, "size": 29, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345145 }, { "func": "R_API bool r_core_serve(RCore *core, RIODesc *file) {\n\tut8 cmd, flg, *ptr = NULL, buf[1024];\n\tint i, pipefd = -1;\n\tut64 x;\n\n\tRIORap *rior = (RIORap *)file->data;\n\tif (!rior|| !rior->fd) {\n\t\teprintf (\"rap: cannot listen.\\n\");\n\t\treturn false;\n\t}\n\tRSocket *fd = rior->fd;\n\teprintf (\"RAP Server started (rap.loop=%s)\\n\",\n\t\t\tr_config_get (core->config, \"rap.loop\"));\n\tr_cons_break_push (rap_break, rior);\nreaccept:\n\twhile (!r_cons_is_breaked ()) {\n\t\tRSocket *c = r_socket_accept (fd);\n\t\tif (!c) {\n\t\t\tbreak;\n\t\t}\n\t\tif (r_cons_is_breaked ()) {\n\t\t\tgoto out_of_function;\n\t\t}\n\t\tif (!c) {\n\t\t\teprintf (\"rap: cannot accept\\n\");\n\t\t\tr_socket_free (c);\n\t\t\tgoto out_of_function;\n\t\t}\n\t\teprintf (\"rap: client 
connected\\n\");\n\t\tfor (;!r_cons_is_breaked ();) {\n\t\t\tif (!r_socket_read (c, &cmd, 1)) {\n\t\t\t\teprintf (\"rap: connection closed\\n\");\n\t\t\t\tif (r_config_get_i (core->config, \"rap.loop\")) {\n\t\t\t\t\teprintf (\"rap: waiting for new connection\\n\");\n\t\t\t\t\tr_socket_free (c);\n\t\t\t\t\tgoto reaccept;\n\t\t\t\t}\n\t\t\t\tgoto out_of_function;\n\t\t\t}\n\t\t\tswitch ((ut8)cmd) {\n\t\t\tcase RMT_OPEN:\n\t\t\t\tr_socket_read_block (c, &flg, 1); // flags\n\t\t\t\teprintf (\"open (%d): \", cmd);\n\t\t\t\tr_socket_read_block (c, &cmd, 1); // len\n\t\t\t\tpipefd = -1;\n\t\t\t\tptr = malloc (cmd + 1);\n\t\t\t\t//XXX cmd is ut8..so <256 if (cmdconfig, \"bin.laddr\");\n\t\t\t\t\tr_socket_read_block (c, ptr, cmd);\n\t\t\t\t\tptr[cmd] = 0;\n\t\t\t\t\tut32 perm = R_PERM_R;\n\t\t\t\t\tif (flg & R_PERM_W) {\n\t\t\t\t\t\tperm |= R_PERM_W;\n\t\t\t\t\t}\n\t\t\t\t\tif (r_core_file_open (core, (const char *)ptr, perm, 0)) {\n\t\t\t\t\t\tint fd = r_io_fd_get_current (core->io);\n\t\t\t\t\t\tr_core_bin_load (core, NULL, baddr);\n\t\t\t\t\t\tr_io_map_add (core->io, fd, perm, 0, 0, r_io_fd_size (core->io, fd));\n\t\t\t\t\t\tif (core->file) {\n\t\t\t\t\t\t\tpipefd = fd;\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tpipefd = -1;\n\t\t\t\t\t\t}\n\t\t\t\t\t\teprintf (\"(flags: %d) len: %d filename: '%s'\\n\",\n\t\t\t\t\t\t\tflg, cmd, ptr); //config.file);\n\t\t\t\t\t} else {\n\t\t\t\t\t\tpipefd = -1;\n\t\t\t\t\t\teprintf (\"Cannot open file (%s)\\n\", ptr);\n\t\t\t\t\t\tr_socket_close (c);\n\t\t\t\t\t\tif (r_config_get_i (core->config, \"rap.loop\")) {\n\t\t\t\t\t\t\teprintf (\"rap: waiting for new connection\\n\");\n\t\t\t\t\t\t\tr_socket_free (c);\n\t\t\t\t\t\t\tgoto reaccept;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tgoto out_of_function; //XXX: Close connection and goto accept\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbuf[0] = RMT_OPEN | RMT_REPLY;\n\t\t\t\tr_write_be32 (buf + 1, pipefd);\n\t\t\t\tr_socket_write (c, buf, 5);\n\t\t\t\tr_socket_flush (c);\n\t\t\t\tR_FREE 
(ptr);\n\t\t\t\tbreak;\n\t\t\tcase RMT_READ:\n\t\t\t\tr_socket_read_block (c, (ut8*)&buf, 4);\n\t\t\t\ti = r_read_be32 (buf);\n\t\t\t\tptr = (ut8 *)malloc (i + core->blocksize + 5);\n\t\t\t\tif (ptr) {\n\t\t\t\t\tr_core_block_read (core);\n\t\t\t\t\tptr[0] = RMT_READ | RMT_REPLY;\n\t\t\t\t\tif (i > RMT_MAX) {\n\t\t\t\t\t\ti = RMT_MAX;\n\t\t\t\t\t}\n\t\t\t\t\tif (i > core->blocksize) {\n\t\t\t\t\t\tr_core_block_size (core, i);\n\t\t\t\t\t}\n\t\t\t\t\tif (i + 128 < core->blocksize) {\n\t\t\t\t\t\tr_core_block_size (core, i);\n\t\t\t\t\t}\n\t\t\t\t\tr_write_be32 (ptr + 1, i);\n\t\t\t\t\tmemcpy (ptr + 5, core->block, i); //core->blocksize);\n\t\t\t\t\tr_socket_write (c, ptr, i + 5);\n\t\t\t\t\tr_socket_flush (c);\n\t\t\t\t\tR_FREE (ptr);\n\t\t\t\t} else {\n\t\t\t\t\teprintf (\"Cannot read %d byte(s)\\n\", i);\n\t\t\t\t\tr_socket_free (c);\n\t\t\t\t\t// TODO: reply error here\n\t\t\t\t\tgoto out_of_function;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase RMT_CMD:\n\t\t\t\t{\n\t\t\t\tchar *cmd = NULL, *cmd_output = NULL;\n\t\t\t\tchar bufr[8], *bufw = NULL;\n\t\t\t\tut32 cmd_len = 0;\n\t\t\t\tint i;\n\n\t\t\t\t/* read */\n\t\t\t\tr_socket_read_block (c, (ut8*)&bufr, 4);\n\t\t\t\ti = r_read_be32 (bufr);\n\t\t\t\tif (i > 0 && i < RMT_MAX) {\n\t\t\t\t\tif ((cmd = malloc (i + 1))) {\n\t\t\t\t\t\tr_socket_read_block (c, (ut8*)cmd, i);\n\t\t\t\t\t\tcmd[i] = '\\0';\n\t\t\t\t\t\tint scr_interactive = r_config_get_i (core->config, \"scr.interactive\");\n\t\t\t\t\t\tr_config_set_i (core->config, \"scr.interactive\", 0);\n\t\t\t\t\t\tcmd_output = r_core_cmd_str (core, cmd);\n\t\t\t\t\t\tr_config_set_i (core->config, \"scr.interactive\", scr_interactive);\n\t\t\t\t\t\tfree (cmd);\n\t\t\t\t\t} else {\n\t\t\t\t\t\teprintf (\"rap: cannot malloc\\n\");\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\teprintf (\"rap: invalid length '%d'\\n\", i);\n\t\t\t\t}\n\t\t\t\t/* write */\n\t\t\t\tif (cmd_output) {\n\t\t\t\t\tcmd_len = strlen (cmd_output) + 1;\n\t\t\t\t} else {\n\t\t\t\t\tcmd_output = strdup 
(\"\");\n\t\t\t\t\tcmd_len = 0;\n\t\t\t\t}\n#if DEMO_SERVER_SENDS_CMD_TO_CLIENT\n\t\t\t\tstatic bool once = true;\n\t\t\t\t/* TODO: server can reply a command request to the client only here */\n\t\t\t\tif (once) {\n\t\t\t\t\tconst char *cmd = \"pd 4\";\n\t\t\t\t\tint cmd_len = strlen (cmd) + 1;\n\t\t\t\t\tut8 *b = malloc (cmd_len + 5);\n\t\t\t\t\tb[0] = RMT_CMD;\n\t\t\t\t\tr_write_be32 (b + 1, cmd_len);\n\t\t\t\t\tstrcpy ((char *)b+ 5, cmd);\n\t\t\t\t\tr_socket_write (c, b, 5 + cmd_len);\n\t\t\t\t\tr_socket_flush (c);\n\n\t\t\t\t\t/* read response */\n\t\t\t\t\tr_socket_read (c, b, 5);\n\t\t\t\t\tif (b[0] == (RMT_CMD | RMT_REPLY)) {\n\t\t\t\t\t\tut32 n = r_read_be32 (b + 1);\n\t\t\t\t\t\teprintf (\"REPLY %d\\n\", n);\n\t\t\t\t\t\tif (n > 0) {\n\t\t\t\t\t\t\tut8 *res = calloc (1, n);\n\t\t\t\t\t\t\tr_socket_read (c, res, n);\n\t\t\t\t\t\t\teprintf (\"RESPONSE(%s)\\n\", (const char *)res);\n\t\t\t\t\t\t\tfree (res);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tr_socket_flush (c);\n\t\t\t\t\tfree (b);\n\t\t\t\t\tonce = false;\n\t\t\t\t}\n#endif\n\t\t\t\tbufw = malloc (cmd_len + 5);\n\t\t\t\tbufw[0] = (ut8) (RMT_CMD | RMT_REPLY);\n\t\t\t\tr_write_be32 (bufw + 1, cmd_len);\n\t\t\t\tmemcpy (bufw + 5, cmd_output, cmd_len);\n\t\t\t\tr_socket_write (c, bufw, cmd_len+5);\n\t\t\t\tr_socket_flush (c);\n\t\t\t\tfree (bufw);\n\t\t\t\tfree (cmd_output);\n\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\tcase RMT_WRITE:\n\t\t\t\tr_socket_read (c, buf, 4);\n\t\t\t\tx = r_read_at_be32 (buf, 0);\n\t\t\t\tptr = malloc (x);\n\t\t\t\tr_socket_read (c, ptr, x);\n\t\t\t\tint ret = r_core_write_at (core, core->offset, ptr, x);\n\t\t\t\tbuf[0] = RMT_WRITE | RMT_REPLY;\n\t\t\t\tr_write_be32 (buf + 1, ret);\n\t\t\t\tr_socket_write (c, buf, 5);\n\t\t\t\tr_socket_flush (c);\n\t\t\t\tR_FREE (ptr);\n\t\t\t\tbreak;\n\t\t\tcase RMT_SEEK:\n\t\t\t\tr_socket_read_block (c, buf, 9);\n\t\t\t\tx = r_read_at_be64 (buf, 1);\n\t\t\t\tif (buf[0] == 2) {\n\t\t\t\t\tif (core->file) {\n\t\t\t\t\t\tx = r_io_fd_size (core->io, 
core->file->fd);\n\t\t\t\t\t} else {\n\t\t\t\t\t\tx = 0;\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tif (buf[0] == 0) {\n\t\t\t\t\t\tr_core_seek (core, x, 1); //buf[0]);\n\t\t\t\t\t}\n\t\t\t\t\tx = core->offset;\n\t\t\t\t}\n\t\t\t\tbuf[0] = RMT_SEEK | RMT_REPLY;\n\t\t\t\tr_write_be64 (buf + 1, x);\n\t\t\t\tr_socket_write (c, buf, 9);\n\t\t\t\tr_socket_flush (c);\n\t\t\t\tbreak;\n\t\t\tcase RMT_CLOSE:\n\t\t\t\t// XXX : proper shutdown\n\t\t\t\tr_socket_read_block (c, buf, 4);\n\t\t\t\ti = r_read_be32 (buf);\n\t\t\t\t{\n\t\t\t\t//FIXME: Use r_socket_close\n\t\t\t\tint ret = close (i);\n\t\t\t\tr_write_be32 (buf + 1, ret);\n\t\t\t\tbuf[0] = RMT_CLOSE | RMT_REPLY;\n\t\t\t\tr_socket_write (c, buf, 5);\n\t\t\t\tr_socket_flush (c);\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tif (cmd == 'G') {\n\t\t\t\t\t// silly http emulation over rap://\n\t\t\t\t\tchar line[256] = {0};\n\t\t\t\t\tchar *cmd = line;\n\t\t\t\t\tr_socket_read (c, (ut8*)line, sizeof (line));\n\t\t\t\t\tif (!strncmp (line, \"ET /cmd/\", 8)) {\n\t\t\t\t\t\tcmd = line + 8;\n\t\t\t\t\t\tchar *http = strstr (cmd, \"HTTP\");\n\t\t\t\t\t\tif (http) {\n\t\t\t\t\t\t\t*http = 0;\n\t\t\t\t\t\t\thttp--;\n\t\t\t\t\t\t\tif (*http == ' ') {\n\t\t\t\t\t\t\t\t*http = 0;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tr_str_uri_decode (cmd);\n\t\t\t\t\t\tchar *res = r_core_cmd_str (core, cmd);\n\t\t\t\t\t\tif (res) {\n\t\t\t\t\t\t\tr_socket_printf (c, \"HTTP/1.0 %d %s\\r\\n%s\"\n\t\t\t\t\t\t\t\t\t\"Connection: close\\r\\nContent-Length: %d\\r\\n\\r\\n\",\n\t\t\t\t\t\t\t\t\t200, \"OK\", \"\", -1); // strlen (res));\n\t\t\t\t\t\t\tr_socket_write (c, res, strlen (res));\n\t\t\t\t\t\t\tfree (res);\n\t\t\t\t\t\t}\n\t\t\t\t\t\tr_socket_flush (c);\n\t\t\t\t\t\tr_socket_close (c);\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\teprintf (\"[r2p] unknown command 0x%02x\\n\", cmd);\n\t\t\t\t\tr_socket_close (c);\n\t\t\t\t\tR_FREE (ptr);\n\t\t\t\t}\n\t\t\t\tif (r_config_get_i (core->config, \"rap.loop\")) {\n\t\t\t\t\teprintf (\"rap: 
waiting for new connection\\n\");\n\t\t\t\t\tr_socket_free (c);\n\t\t\t\t\tgoto reaccept;\n\t\t\t\t}\n\t\t\t\tgoto out_of_function;\n\t\t\t}\n\t\t}\n\t\teprintf (\"client: disconnected\\n\");\n\t\tr_socket_free (c);\n\t}\nout_of_function:\n\tr_cons_break_pop ();\n\treturn false;\n}", "project": "radare2", "hash": 94163911611877170484756478893963172179, "size": 279, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232203 }, { "func": "static void encode_rename(struct xdr_stream *xdr, const struct qstr *oldname, const struct qstr *newname, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_RENAME, decode_rename_maxsz, hdr);\n\tencode_string(xdr, oldname->len, oldname->name);\n\tencode_string(xdr, newname->len, newname->name);\n}", "project": "linux", "hash": 139940904489845909668725616150106965176, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431547 }, { "func": "static int send_signal(int sig, struct kernel_siginfo *info, struct task_struct *t,\n\t\t\tenum pid_type type)\n{\n\t/* Should SIGKILL or SIGSTOP be received by a pid namespace init? 
*/\n\tbool force = false;\n\n\tif (info == SEND_SIG_NOINFO) {\n\t\t/* Force if sent from an ancestor pid namespace */\n\t\tforce = !task_pid_nr_ns(current, task_active_pid_ns(t));\n\t} else if (info == SEND_SIG_PRIV) {\n\t\t/* Don't ignore kernel generated signals */\n\t\tforce = true;\n\t} else if (has_si_pid_and_uid(info)) {\n\t\t/* SIGKILL and SIGSTOP is special or has ids */\n\t\tstruct user_namespace *t_user_ns;\n\n\t\trcu_read_lock();\n\t\tt_user_ns = task_cred_xxx(t, user_ns);\n\t\tif (current_user_ns() != t_user_ns) {\n\t\t\tkuid_t uid = make_kuid(current_user_ns(), info->si_uid);\n\t\t\tinfo->si_uid = from_kuid_munged(t_user_ns, uid);\n\t\t}\n\t\trcu_read_unlock();\n\n\t\t/* A kernel generated signal? */\n\t\tforce = (info->si_code == SI_KERNEL);\n\n\t\t/* From an ancestor pid namespace? */\n\t\tif (!task_pid_nr_ns(current, task_active_pid_ns(t))) {\n\t\t\tinfo->si_pid = 0;\n\t\t\tforce = true;\n\t\t}\n\t}\n\treturn __send_signal(sig, info, t, type, force);\n}", "project": "linux", "hash": 188078945292814734740402278305014990339, "size": 35, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375223 }, { "func": "__group_send_sig_info(int sig, struct kernel_siginfo *info, struct task_struct *p)\n{\n\treturn send_signal(sig, info, p, PIDTYPE_TGID);\n}", "project": "linux", "hash": 181807518294467711607962293772367059981, "size": 4, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375323 }, { "func": "route_quota_exceeded(const struct multi_instance *mi)\n{\n struct gc_arena gc = gc_new();\n msg(D_ROUTE_QUOTA, \"MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)\",\n mi->context.options.max_routes_per_client,\n multi_instance_string(mi, false, &gc));\n gc_free(&gc);\n}", "project": "openvpn", "hash": 11669767816574708555702912961814857652, "size": 8, "commit_id": "37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab", "message": "Fix illegal client float (CVE-2020-11810)\n\nThere is a time frame between allocating peer-id and initializing data\nchannel key (which is performed on receiving push request or on async\npush-reply) in which the existing peer-id float checks do not work right.\n\nIf a \"rogue\" data channel packet arrives during that time frame from\nanother address and with same peer-id, this would cause client to float\nto that new address. 
This is because:\n\n - tls_pre_decrypt() sets packet length to zero if\n data channel key has not been initialized, which leads to\n\n - openvpn_decrypt() returns true if packet length is zero,\n which leads to\n\n - process_incoming_link_part1() returns true, which\n calls multi_process_float(), which commits float\n\nNote that problem doesn't happen when data channel key is initialized,\nsince in this case openvpn_decrypt() returns false.\n\nThe net effect of this behaviour is that the VPN session for the\n\"victim client\" is broken. Since the \"attacker client\" does not have\nsuitable keys, it can not inject or steal VPN traffic from the other\nsession. The time window is small and it can not be used to attack\na specific client's session, unless some other way is found to make it\ndisconnect and reconnect first.\n\nCVE-2020-11810 has been assigned to acknowledge this risk.\n\nFix illegal float by adding buffer length check (\"is this packet still\nconsidered valid\") before calling multi_process_float().\n\nTrac: #1272\nCVE: 2020-11810\n\nSigned-off-by: Lev Stipakov \nAcked-by: Arne Schwabe \nAcked-by: Antonio Quartulli \nAcked-by: Gert Doering \nMessage-Id: <20200415073017.22839-1-lstipakov@gmail.com>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html\nSigned-off-by: Gert Doering ", "target": 0, "dataset": "other", "idx": 272267 }, { "func": " longlong val_time_packed_result()\n {\n MYSQL_TIME ltime;\n uint fuzzydate= TIME_TIME_ONLY | TIME_INVALID_DATES | TIME_FUZZY_DATES;\n return get_date_result(<ime, fuzzydate) ? 
0 : pack_time(<ime);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 245278910049760594901920012591141363580, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509442 }, { "func": "void gdImageFilledPolygon (gdImagePtr im, gdPointPtr p, int n, int c)\n{\n\tint i;\n\tint y;\n\tint miny, maxy, pmaxy;\n\tint x1, y1;\n\tint x2, y2;\n\tint ind1, ind2;\n\tint ints;\n\tint fill_color;\n\n\tif (n <= 0) {\n\t\treturn;\n\t}\n\n\tif (overflow2(sizeof(int), n)) {\n\t\treturn;\n\t}\n\n\tif (c == gdAntiAliased) {\n\t\tfill_color = im->AA_color;\n\t} else {\n\t\tfill_color = c;\n\t}\n\n\tif (!im->polyAllocated) {\n\t\tim->polyInts = (int *) gdMalloc(sizeof(int) * n);\n\t\tim->polyAllocated = n;\n\t}\n\tif (im->polyAllocated < n) {\n\t\twhile (im->polyAllocated < n) {\n\t\t\tim->polyAllocated *= 2;\n\t\t}\n\t\tif (overflow2(sizeof(int), im->polyAllocated)) {\n\t\t\treturn;\n\t\t}\n\t\tim->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * im->polyAllocated);\n\t}\n\tminy = p[0].y;\n\tmaxy = 
p[0].y;\n\tfor (i = 1; i < n; i++) {\n\t\tif (p[i].y < miny) {\n\t\t\tminy = p[i].y;\n\t\t}\n\t\tif (p[i].y > maxy) {\n\t\t\tmaxy = p[i].y;\n\t\t}\n\t}\n\tpmaxy = maxy;\n\t/* 2.0.16: Optimization by Ilia Chipitsine -- don't waste time offscreen */\n\tif (miny < 0) {\n\t\tminy = 0;\n\t}\n\tif (maxy >= gdImageSY(im)) {\n\t\tmaxy = gdImageSY(im) - 1;\n\t}\n\n\t/* Fix in 1.3: count a vertex only once */\n\tfor (y = miny; y <= maxy; y++) {\n\t\t/*1.4 int interLast = 0; */\n\t\t/* int dirLast = 0; */\n\t\t/* int interFirst = 1; */\n\t\tints = 0;\n\t\tfor (i = 0; i < n; i++) {\n\t\t\tif (!i) {\n\t\t\t\tind1 = n - 1;\n\t\t\t\tind2 = 0;\n\t\t\t} else {\n\t\t\t\tind1 = i - 1;\n\t\t\t\tind2 = i;\n\t\t\t}\n\t\t\ty1 = p[ind1].y;\n\t\t\ty2 = p[ind2].y;\n\t\t\tif (y1 < y2) {\n\t\t\t\tx1 = p[ind1].x;\n\t\t\t\tx2 = p[ind2].x;\n\t\t\t} else if (y1 > y2) {\n\t\t\t\ty2 = p[ind1].y;\n\t\t\t\ty1 = p[ind2].y;\n\t\t\t\tx2 = p[ind1].x;\n\t\t\t\tx1 = p[ind2].x;\n\t\t\t} else {\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\t/* Do the following math as float intermediately, and round to ensure\n\t\t\t * that Polygon and FilledPolygon for the same set of points have the\n\t\t\t * same footprint.\n\t\t\t */\n\t\t\tif (y >= y1 && y < y2) {\n\t\t\t\tim->polyInts[ints++] = (float) ((y - y1) * (x2 - x1)) / (float) (y2 - y1) + 0.5 + x1;\n\t\t\t} else if (y == pmaxy && y == y2) {\n\t\t\t\tim->polyInts[ints++] = x2;\n\t\t\t}\n\t\t}\n\t\tqsort(im->polyInts, ints, sizeof(int), gdCompareInt);\n\n\t\tfor (i = 0; i < ints - 1; i += 2) {\n\t\t\tgdImageLine(im, im->polyInts[i], y, im->polyInts[i + 1], y, fill_color);\n\t\t}\n\t}\n\n\t/* If we are drawing this AA, then redraw the border with AA lines. 
*/\n\tif (c == gdAntiAliased) {\n\t\tgdImagePolygon(im, p, n, c);\n\t}\n}", "project": "php-src", "hash": 246801587220464827571663570104984743662, "size": 106, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295132 }, { "func": "static void trace_consume(struct trace_iterator *iter)\n{\n\tring_buffer_consume(iter->trace_buffer->buffer, iter->cpu, &iter->ts,\n\t\t\t &iter->lost_events);\n}", "project": "linux", "hash": 146701334723995645299746309931578541379, "size": 5, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445647 }, { "func": "static void incr_us_interval(struct timeval *start, uint64_t incr) {\n incr += (start->tv_sec * 1000000 + start->tv_usec);\n start->tv_sec = incr/1000000;\n start->tv_usec = incr%1000000;\n return;\n}", "project": "hhvm", "hash": 271512091393075310623692644722729304211, "size": 6, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219150 }, { "func": "static int power_pmu_add(struct perf_event *event, int ef_flags)\n{\n\tstruct cpu_hw_events *cpuhw;\n\tunsigned long flags;\n\tint n0;\n\tint ret = -EAGAIN;\n\n\tlocal_irq_save(flags);\n\tperf_pmu_disable(event->pmu);\n\n\t/*\n\t * Add the event to the list (if there is room)\n\t * and check whether the total set is still feasible.\n\t */\n\tcpuhw = this_cpu_ptr(&cpu_hw_events);\n\tn0 = cpuhw->n_events;\n\tif (n0 >= ppmu->n_counter)\n\t\tgoto out;\n\tcpuhw->event[n0] = event;\n\tcpuhw->events[n0] = event->hw.config;\n\tcpuhw->flags[n0] = event->hw.event_base;\n\n\t/*\n\t * This event may have been disabled/stopped in record_and_restart()\n\t * because we exceeded the ->event_limit. 
If re-starting the event,\n\t * clear the ->hw.state (STOPPED and UPTODATE flags), so the user\n\t * notification is re-enabled.\n\t */\n\tif (!(ef_flags & PERF_EF_START))\n\t\tevent->hw.state = PERF_HES_STOPPED | PERF_HES_UPTODATE;\n\telse\n\t\tevent->hw.state = 0;\n\n\t/*\n\t * If group events scheduling transaction was started,\n\t * skip the schedulability test here, it will be performed\n\t * at commit time(->commit_txn) as a whole\n\t */\n\tif (cpuhw->txn_flags & PERF_PMU_TXN_ADD)\n\t\tgoto nocheck;\n\n\tif (check_excludes(cpuhw->event, cpuhw->flags, n0, 1))\n\t\tgoto out;\n\tif (power_check_constraints(cpuhw, cpuhw->events, cpuhw->flags, n0 + 1, cpuhw->event))\n\t\tgoto out;\n\tevent->hw.config = cpuhw->events[n0];\n\nnocheck:\n\tebb_event_add(event);\n\n\t++cpuhw->n_events;\n\t++cpuhw->n_added;\n\n\tret = 0;\n out:\n\tif (has_branch_stack(event)) {\n\t\tu64 bhrb_filter = -1;\n\n\t\tif (ppmu->bhrb_filter_map)\n\t\t\tbhrb_filter = ppmu->bhrb_filter_map(\n\t\t\t\tevent->attr.branch_sample_type);\n\n\t\tif (bhrb_filter != -1) {\n\t\t\tcpuhw->bhrb_filter = bhrb_filter;\n\t\t\tpower_pmu_bhrb_enable(event);\n\t\t}\n\t}\n\n\tperf_pmu_enable(event->pmu);\n\tlocal_irq_restore(flags);\n\treturn ret;\n}", "project": "linux", "hash": 313822400585653782668328738508080682812, "size": 72, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR 
perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374742 }, { "func": "static int sctp_setsockopt(struct sock *sk, int level, int optname,\n\t\t\t sockptr_t optval, unsigned int optlen)\n{\n\tvoid *kopt = NULL;\n\tint retval = 0;\n\n\tpr_debug(\"%s: sk:%p, optname:%d\\n\", __func__, sk, optname);\n\n\t/* I can hardly begin to describe how wrong this is. This is\n\t * so broken as to be worse than useless. The API draft\n\t * REALLY is NOT helpful here... I am not convinced that the\n\t * semantics of setsockopt() with a level OTHER THAN SOL_SCTP\n\t * are at all well-founded.\n\t */\n\tif (level != SOL_SCTP) {\n\t\tstruct sctp_af *af = sctp_sk(sk)->pf->af;\n\n\t\treturn af->setsockopt(sk, level, optname, optval, optlen);\n\t}\n\n\tif (optlen > 0) {\n\t\tkopt = memdup_sockptr(optval, optlen);\n\t\tif (IS_ERR(kopt))\n\t\t\treturn PTR_ERR(kopt);\n\t}\n\n\tlock_sock(sk);\n\n\tswitch (optname) {\n\tcase SCTP_SOCKOPT_BINDX_ADD:\n\t\t/* 'optlen' is the size of the addresses buffer. 
*/\n\t\tretval = sctp_setsockopt_bindx(sk, kopt, optlen,\n\t\t\t\t\t SCTP_BINDX_ADD_ADDR);\n\t\tbreak;\n\n\tcase SCTP_SOCKOPT_BINDX_REM:\n\t\t/* 'optlen' is the size of the addresses buffer. */\n\t\tretval = sctp_setsockopt_bindx(sk, kopt, optlen,\n\t\t\t\t\t SCTP_BINDX_REM_ADDR);\n\t\tbreak;\n\n\tcase SCTP_SOCKOPT_CONNECTX_OLD:\n\t\t/* 'optlen' is the size of the addresses buffer. */\n\t\tretval = sctp_setsockopt_connectx_old(sk, kopt, optlen);\n\t\tbreak;\n\n\tcase SCTP_SOCKOPT_CONNECTX:\n\t\t/* 'optlen' is the size of the addresses buffer. */\n\t\tretval = sctp_setsockopt_connectx(sk, kopt, optlen);\n\t\tbreak;\n\n\tcase SCTP_DISABLE_FRAGMENTS:\n\t\tretval = sctp_setsockopt_disable_fragments(sk, kopt, optlen);\n\t\tbreak;\n\n\tcase SCTP_EVENTS:\n\t\tretval = sctp_setsockopt_events(sk, kopt, optlen);\n\t\tbreak;\n\n\tcase SCTP_AUTOCLOSE:\n\t\tretval = sctp_setsockopt_autoclose(sk, kopt, optlen);\n\t\tbreak;\n\n\tcase SCTP_PEER_ADDR_PARAMS:\n\t\tretval = sctp_setsockopt_peer_addr_params(sk, kopt, optlen);\n\t\tbreak;\n\n\tcase SCTP_DELAYED_SACK:\n\t\tretval = sctp_setsockopt_delayed_ack(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_PARTIAL_DELIVERY_POINT:\n\t\tretval = sctp_setsockopt_partial_delivery_point(sk, kopt, optlen);\n\t\tbreak;\n\n\tcase SCTP_INITMSG:\n\t\tretval = sctp_setsockopt_initmsg(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_DEFAULT_SEND_PARAM:\n\t\tretval = sctp_setsockopt_default_send_param(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_DEFAULT_SNDINFO:\n\t\tretval = sctp_setsockopt_default_sndinfo(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_PRIMARY_ADDR:\n\t\tretval = sctp_setsockopt_primary_addr(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_SET_PEER_PRIMARY_ADDR:\n\t\tretval = sctp_setsockopt_peer_primary_addr(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_NODELAY:\n\t\tretval = sctp_setsockopt_nodelay(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_RTOINFO:\n\t\tretval = sctp_setsockopt_rtoinfo(sk, kopt, optlen);\n\t\tbreak;\n\tcase 
SCTP_ASSOCINFO:\n\t\tretval = sctp_setsockopt_associnfo(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_I_WANT_MAPPED_V4_ADDR:\n\t\tretval = sctp_setsockopt_mappedv4(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_MAXSEG:\n\t\tretval = sctp_setsockopt_maxseg(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_ADAPTATION_LAYER:\n\t\tretval = sctp_setsockopt_adaptation_layer(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_CONTEXT:\n\t\tretval = sctp_setsockopt_context(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_FRAGMENT_INTERLEAVE:\n\t\tretval = sctp_setsockopt_fragment_interleave(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_MAX_BURST:\n\t\tretval = sctp_setsockopt_maxburst(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_AUTH_CHUNK:\n\t\tretval = sctp_setsockopt_auth_chunk(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_HMAC_IDENT:\n\t\tretval = sctp_setsockopt_hmac_ident(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_AUTH_KEY:\n\t\tretval = sctp_setsockopt_auth_key(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_AUTH_ACTIVE_KEY:\n\t\tretval = sctp_setsockopt_active_key(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_AUTH_DELETE_KEY:\n\t\tretval = sctp_setsockopt_del_key(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_AUTH_DEACTIVATE_KEY:\n\t\tretval = sctp_setsockopt_deactivate_key(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_AUTO_ASCONF:\n\t\tretval = sctp_setsockopt_auto_asconf(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_PEER_ADDR_THLDS:\n\t\tretval = sctp_setsockopt_paddr_thresholds(sk, kopt, optlen,\n\t\t\t\t\t\t\t false);\n\t\tbreak;\n\tcase SCTP_PEER_ADDR_THLDS_V2:\n\t\tretval = sctp_setsockopt_paddr_thresholds(sk, kopt, optlen,\n\t\t\t\t\t\t\t true);\n\t\tbreak;\n\tcase SCTP_RECVRCVINFO:\n\t\tretval = sctp_setsockopt_recvrcvinfo(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_RECVNXTINFO:\n\t\tretval = sctp_setsockopt_recvnxtinfo(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_PR_SUPPORTED:\n\t\tretval = sctp_setsockopt_pr_supported(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_DEFAULT_PRINFO:\n\t\tretval = 
sctp_setsockopt_default_prinfo(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_RECONFIG_SUPPORTED:\n\t\tretval = sctp_setsockopt_reconfig_supported(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_ENABLE_STREAM_RESET:\n\t\tretval = sctp_setsockopt_enable_strreset(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_RESET_STREAMS:\n\t\tretval = sctp_setsockopt_reset_streams(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_RESET_ASSOC:\n\t\tretval = sctp_setsockopt_reset_assoc(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_ADD_STREAMS:\n\t\tretval = sctp_setsockopt_add_streams(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_STREAM_SCHEDULER:\n\t\tretval = sctp_setsockopt_scheduler(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_STREAM_SCHEDULER_VALUE:\n\t\tretval = sctp_setsockopt_scheduler_value(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_INTERLEAVING_SUPPORTED:\n\t\tretval = sctp_setsockopt_interleaving_supported(sk, kopt,\n\t\t\t\t\t\t\t\toptlen);\n\t\tbreak;\n\tcase SCTP_REUSE_PORT:\n\t\tretval = sctp_setsockopt_reuse_port(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_EVENT:\n\t\tretval = sctp_setsockopt_event(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_ASCONF_SUPPORTED:\n\t\tretval = sctp_setsockopt_asconf_supported(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_AUTH_SUPPORTED:\n\t\tretval = sctp_setsockopt_auth_supported(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_ECN_SUPPORTED:\n\t\tretval = sctp_setsockopt_ecn_supported(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_EXPOSE_POTENTIALLY_FAILED_STATE:\n\t\tretval = sctp_setsockopt_pf_expose(sk, kopt, optlen);\n\t\tbreak;\n\tcase SCTP_REMOTE_UDP_ENCAPS_PORT:\n\t\tretval = sctp_setsockopt_encap_port(sk, kopt, optlen);\n\t\tbreak;\n\tdefault:\n\t\tretval = -ENOPROTOOPT;\n\t\tbreak;\n\t}\n\n\trelease_sock(sk);\n\tkfree(kopt);\n\treturn retval;\n}", "project": "linux", "hash": 108481329134596065687617628670459756807, "size": 212, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf 
sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398059 }, { "func": "static int tty_open(struct inode *inode, struct file *filp)\n{\n\tstruct tty_struct *tty;\n\tint noctty, retval;\n\tdev_t device = inode->i_rdev;\n\tunsigned saved_flags = filp->f_flags;\n\n\tnonseekable_open(inode, filp);\n\nretry_open:\n\tretval = tty_alloc_file(filp);\n\tif (retval)\n\t\treturn -ENOMEM;\n\n\ttty = tty_open_current_tty(device, filp);\n\tif (!tty)\n\t\ttty = tty_open_by_driver(device, filp);\n\n\tif (IS_ERR(tty)) {\n\t\ttty_free_file(filp);\n\t\tretval = PTR_ERR(tty);\n\t\tif (retval != -EAGAIN || signal_pending(current))\n\t\t\treturn retval;\n\t\tschedule();\n\t\tgoto retry_open;\n\t}\n\n\ttty_add_file(tty, filp);\n\n\tcheck_tty_count(tty, __func__);\n\ttty_debug_hangup(tty, \"opening (count=%d)\\n\", tty->count);\n\n\tif (tty->ops->open)\n\t\tretval = tty->ops->open(tty, filp);\n\telse\n\t\tretval = -ENODEV;\n\tfilp->f_flags = saved_flags;\n\n\tif (retval) {\n\t\ttty_debug_hangup(tty, \"open error %d, releasing\\n\", retval);\n\n\t\ttty_unlock(tty); /* need to call tty_release without BTM */\n\t\ttty_release(inode, filp);\n\t\tif (retval != -ERESTARTSYS)\n\t\t\treturn retval;\n\n\t\tif 
(signal_pending(current))\n\t\t\treturn retval;\n\n\t\tschedule();\n\t\t/*\n\t\t * Need to reset f_op in case a hangup happened.\n\t\t */\n\t\tif (tty_hung_up_p(filp))\n\t\t\tfilp->f_op = &tty_fops;\n\t\tgoto retry_open;\n\t}\n\tclear_bit(TTY_HUPPED, &tty->flags);\n\n\tnoctty = (filp->f_flags & O_NOCTTY) ||\n\t\t (IS_ENABLED(CONFIG_VT) && device == MKDEV(TTY_MAJOR, 0)) ||\n\t\t device == MKDEV(TTYAUX_MAJOR, 1) ||\n\t\t (tty->driver->type == TTY_DRIVER_TYPE_PTY &&\n\t\t tty->driver->subtype == PTY_TYPE_MASTER);\n\tif (!noctty)\n\t\ttty_open_proc_set_tty(filp, tty);\n\ttty_unlock(tty);\n\treturn 0;\n}", "project": "linux", "hash": 150207371082627714210525085983499925631, "size": 69, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326055 }, { "func": "static int sctp_getsockopt_auth_supported(struct sock *sk, int len,\n\t\t\t\t\t char __user *optval,\n\t\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_assoc_value params;\n\tstruct sctp_association *asoc;\n\tint retval = -EFAULT;\n\n\tif (len < sizeof(params)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tlen = sizeof(params);\n\tif (copy_from_user(¶ms, optval, len))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params.assoc_id);\n\tif (!asoc && params.assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tparams.assoc_value = asoc ? 
asoc->peer.auth_capable\n\t\t\t\t : sctp_sk(sk)->ep->auth_enable;\n\n\tif (put_user(len, optlen))\n\t\tgoto out;\n\n\tif (copy_to_user(optval, ¶ms, len))\n\t\tgoto out;\n\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 95725143753719272498427092602929457486, "size": 38, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398119 }, { "func": "static int svm_set_nested_state(struct kvm_vcpu *vcpu,\n\t\t\t\tstruct kvm_nested_state __user *user_kvm_nested_state,\n\t\t\t\tstruct kvm_nested_state *kvm_state)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tstruct vmcb *hsave = svm->nested.hsave;\n\tstruct vmcb __user *user_vmcb = (struct vmcb __user *)\n\t\t&user_kvm_nested_state->data.svm[0];\n\tstruct vmcb_control_area *ctl;\n\tstruct vmcb_save_area *save;\n\tint ret;\n\tu32 cr0;\n\n\tBUILD_BUG_ON(sizeof(struct vmcb_control_area) + sizeof(struct vmcb_save_area) >\n\t\t KVM_STATE_NESTED_SVM_VMCB_SIZE);\n\n\tif (kvm_state->format != KVM_STATE_NESTED_FORMAT_SVM)\n\t\treturn -EINVAL;\n\n\tif (kvm_state->flags & ~(KVM_STATE_NESTED_GUEST_MODE |\n\t\t\t\t KVM_STATE_NESTED_RUN_PENDING |\n\t\t\t\t KVM_STATE_NESTED_GIF_SET))\n\t\treturn -EINVAL;\n\n\t/*\n\t * If in guest mode, vcpu->arch.efer actually refers to the L2 guest's\n\t * EFER.SVME, but EFER.SVME still has to be 1 for VMRUN to succeed.\n\t */\n\tif (!(vcpu->arch.efer & EFER_SVME)) {\n\t\t/* GIF=1 and no guest mode are required if SVME=0. */\n\t\tif (kvm_state->flags != KVM_STATE_NESTED_GIF_SET)\n\t\t\treturn -EINVAL;\n\t}\n\n\t/* SMM temporarily disables SVM, so we cannot be in guest mode. 
*/\n\tif (is_smm(vcpu) && (kvm_state->flags & KVM_STATE_NESTED_GUEST_MODE))\n\t\treturn -EINVAL;\n\n\tif (!(kvm_state->flags & KVM_STATE_NESTED_GUEST_MODE)) {\n\t\tsvm_leave_nested(svm);\n\t\tsvm_set_gif(svm, !!(kvm_state->flags & KVM_STATE_NESTED_GIF_SET));\n\t\treturn 0;\n\t}\n\n\tif (!page_address_valid(vcpu, kvm_state->hdr.svm.vmcb_pa))\n\t\treturn -EINVAL;\n\tif (kvm_state->size < sizeof(*kvm_state) + KVM_STATE_NESTED_SVM_VMCB_SIZE)\n\t\treturn -EINVAL;\n\n\tret = -ENOMEM;\n\tctl = kzalloc(sizeof(*ctl), GFP_KERNEL);\n\tsave = kzalloc(sizeof(*save), GFP_KERNEL);\n\tif (!ctl || !save)\n\t\tgoto out_free;\n\n\tret = -EFAULT;\n\tif (copy_from_user(ctl, &user_vmcb->control, sizeof(*ctl)))\n\t\tgoto out_free;\n\tif (copy_from_user(save, &user_vmcb->save, sizeof(*save)))\n\t\tgoto out_free;\n\n\tret = -EINVAL;\n\tif (!nested_vmcb_check_controls(ctl))\n\t\tgoto out_free;\n\n\t/*\n\t * Processor state contains L2 state. Check that it is\n\t * valid for guest mode (see nested_vmcb_checks).\n\t */\n\tcr0 = kvm_read_cr0(vcpu);\n if (((cr0 & X86_CR0_CD) == 0) && (cr0 & X86_CR0_NW))\n\t\tgoto out_free;\n\n\t/*\n\t * Validate host state saved from before VMRUN (see\n\t * nested_svm_check_permissions).\n\t * TODO: validate reserved bits for all saved state.\n\t */\n\tif (!(save->cr0 & X86_CR0_PG))\n\t\tgoto out_free;\n\n\t/*\n\t * All checks done, we can enter guest mode. L1 control fields\n\t * come from the nested save state. 
Guest state is already\n\t * in the registers, the save area of the nested state instead\n\t * contains saved L1 state.\n\t */\n\tcopy_vmcb_control_area(&hsave->control, &svm->vmcb->control);\n\thsave->save = *save;\n\n\tsvm->nested.vmcb12_gpa = kvm_state->hdr.svm.vmcb_pa;\n\tload_nested_vmcb_control(svm, ctl);\n\tnested_prepare_vmcb_control(svm);\n\n\tkvm_make_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu);\n\tret = 0;\nout_free:\n\tkfree(save);\n\tkfree(ctl);\n\n\treturn ret;\n}", "project": "linux", "hash": 172131632556643755087790583991596709181, "size": 102, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376659 }, { "func": "static int snappy_wrap_decompress(const char* input, size_t compressed_length,\n char* output, size_t maxout) {\n snappy_status status;\n size_t ul = maxout;\n status = snappy_uncompress(input, compressed_length, output, &ul);\n if (status != SNAPPY_OK) {\n return 0;\n }\n return (int)ul;\n}", "project": "c-blosc2", "hash": 155427173270198186259505029907378764955, "size": 10, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303070 }, { "func": "static void execlists_dequeue(struct intel_engine_cs *engine)\n{\n\tstruct intel_engine_execlists 
* const execlists = &engine->execlists;\n\tstruct i915_request **port = execlists->pending;\n\tstruct i915_request ** const last_port = port + execlists->port_mask;\n\tstruct i915_request *last;\n\tstruct rb_node *rb;\n\tbool submit = false;\n\n\t/*\n\t * Hardware submission is through 2 ports. Conceptually each port\n\t * has a (RING_START, RING_HEAD, RING_TAIL) tuple. RING_START is\n\t * static for a context, and unique to each, so we only execute\n\t * requests belonging to a single context from each ring. RING_HEAD\n\t * is maintained by the CS in the context image, it marks the place\n\t * where it got up to last time, and through RING_TAIL we tell the CS\n\t * where we want to execute up to this time.\n\t *\n\t * In this list the requests are in order of execution. Consecutive\n\t * requests from the same context are adjacent in the ringbuffer. We\n\t * can combine these requests into a single RING_TAIL update:\n\t *\n\t * RING_HEAD...req1...req2\n\t * ^- RING_TAIL\n\t * since to execute req2 the CS must first execute req1.\n\t *\n\t * Our goal then is to point each port to the end of a consecutive\n\t * sequence of requests as being the most optimal (fewest wake ups\n\t * and context switches) submission.\n\t */\n\n\tfor (rb = rb_first_cached(&execlists->virtual); rb; ) {\n\t\tstruct virtual_engine *ve =\n\t\t\trb_entry(rb, typeof(*ve), nodes[engine->id].rb);\n\t\tstruct i915_request *rq = READ_ONCE(ve->request);\n\n\t\tif (!rq) { /* lazily cleanup after another engine handled rq */\n\t\t\trb_erase_cached(rb, &execlists->virtual);\n\t\t\tRB_CLEAR_NODE(rb);\n\t\t\trb = rb_first_cached(&execlists->virtual);\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (!virtual_matches(ve, rq, engine)) {\n\t\t\trb = rb_next(rb);\n\t\t\tcontinue;\n\t\t}\n\n\t\tbreak;\n\t}\n\n\t/*\n\t * If the queue is higher priority than the last\n\t * request in the currently active context, submit afresh.\n\t * We will resubmit again afterwards in case we need to split\n\t * the active context to 
interject the preemption request,\n\t * i.e. we will retrigger preemption following the ack in case\n\t * of trouble.\n\t */\n\tlast = last_active(execlists);\n\tif (last) {\n\t\tif (need_preempt(engine, last, rb)) {\n\t\t\tGEM_TRACE(\"%s: preempting last=%llx:%lld, prio=%d, hint=%d\\n\",\n\t\t\t\t engine->name,\n\t\t\t\t last->fence.context,\n\t\t\t\t last->fence.seqno,\n\t\t\t\t last->sched.attr.priority,\n\t\t\t\t execlists->queue_priority_hint);\n\t\t\trecord_preemption(execlists);\n\n\t\t\t/*\n\t\t\t * Don't let the RING_HEAD advance past the breadcrumb\n\t\t\t * as we unwind (and until we resubmit) so that we do\n\t\t\t * not accidentally tell it to go backwards.\n\t\t\t */\n\t\t\tring_set_paused(engine, 1);\n\n\t\t\t/*\n\t\t\t * Note that we have not stopped the GPU at this point,\n\t\t\t * so we are unwinding the incomplete requests as they\n\t\t\t * remain inflight and so by the time we do complete\n\t\t\t * the preemption, some of the unwound requests may\n\t\t\t * complete!\n\t\t\t */\n\t\t\t__unwind_incomplete_requests(engine);\n\n\t\t\t/*\n\t\t\t * If we need to return to the preempted context, we\n\t\t\t * need to skip the lite-restore and force it to\n\t\t\t * reload the RING_TAIL. 
Otherwise, the HW has a\n\t\t\t * tendency to ignore us rewinding the TAIL to the\n\t\t\t * end of an earlier request.\n\t\t\t */\n\t\t\tlast->hw_context->lrc_desc |= CTX_DESC_FORCE_RESTORE;\n\t\t\tlast = NULL;\n\t\t} else if (need_timeslice(engine, last) &&\n\t\t\t timer_expired(&engine->execlists.timer)) {\n\t\t\tGEM_TRACE(\"%s: expired last=%llx:%lld, prio=%d, hint=%d\\n\",\n\t\t\t\t engine->name,\n\t\t\t\t last->fence.context,\n\t\t\t\t last->fence.seqno,\n\t\t\t\t last->sched.attr.priority,\n\t\t\t\t execlists->queue_priority_hint);\n\n\t\t\tring_set_paused(engine, 1);\n\t\t\tdefer_active(engine);\n\n\t\t\t/*\n\t\t\t * Unlike for preemption, if we rewind and continue\n\t\t\t * executing the same context as previously active,\n\t\t\t * the order of execution will remain the same and\n\t\t\t * the tail will only advance. We do not need to\n\t\t\t * force a full context restore, as a lite-restore\n\t\t\t * is sufficient to resample the monotonic TAIL.\n\t\t\t *\n\t\t\t * If we switch to any other context, similarly we\n\t\t\t * will not rewind TAIL of current context, and\n\t\t\t * normal save/restore will preserve state and allow\n\t\t\t * us to later continue executing the same request.\n\t\t\t */\n\t\t\tlast = NULL;\n\t\t} else {\n\t\t\t/*\n\t\t\t * Otherwise if we already have a request pending\n\t\t\t * for execution after the current one, we can\n\t\t\t * just wait until the next CS event before\n\t\t\t * queuing more. 
In either case we will force a\n\t\t\t * lite-restore preemption event, but if we wait\n\t\t\t * we hopefully coalesce several updates into a single\n\t\t\t * submission.\n\t\t\t */\n\t\t\tif (!list_is_last(&last->sched.link,\n\t\t\t\t\t &engine->active.requests)) {\n\t\t\t\t/*\n\t\t\t\t * Even if ELSP[1] is occupied and not worthy\n\t\t\t\t * of timeslices, our queue might be.\n\t\t\t\t */\n\t\t\t\tif (!execlists->timer.expires &&\n\t\t\t\t need_timeslice(engine, last))\n\t\t\t\t\tset_timer_ms(&execlists->timer,\n\t\t\t\t\t\t timeslice(engine));\n\n\t\t\t\treturn;\n\t\t\t}\n\t\t}\n\t}\n\n\twhile (rb) { /* XXX virtual is always taking precedence */\n\t\tstruct virtual_engine *ve =\n\t\t\trb_entry(rb, typeof(*ve), nodes[engine->id].rb);\n\t\tstruct i915_request *rq;\n\n\t\tspin_lock(&ve->base.active.lock);\n\n\t\trq = ve->request;\n\t\tif (unlikely(!rq)) { /* lost the race to a sibling */\n\t\t\tspin_unlock(&ve->base.active.lock);\n\t\t\trb_erase_cached(rb, &execlists->virtual);\n\t\t\tRB_CLEAR_NODE(rb);\n\t\t\trb = rb_first_cached(&execlists->virtual);\n\t\t\tcontinue;\n\t\t}\n\n\t\tGEM_BUG_ON(rq != ve->request);\n\t\tGEM_BUG_ON(rq->engine != &ve->base);\n\t\tGEM_BUG_ON(rq->hw_context != &ve->context);\n\n\t\tif (rq_prio(rq) >= queue_prio(execlists)) {\n\t\t\tif (!virtual_matches(ve, rq, engine)) {\n\t\t\t\tspin_unlock(&ve->base.active.lock);\n\t\t\t\trb = rb_next(rb);\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tif (last && !can_merge_rq(last, rq)) {\n\t\t\t\tspin_unlock(&ve->base.active.lock);\n\t\t\t\treturn; /* leave this for another */\n\t\t\t}\n\n\t\t\tGEM_TRACE(\"%s: virtual rq=%llx:%lld%s, new engine? %s\\n\",\n\t\t\t\t engine->name,\n\t\t\t\t rq->fence.context,\n\t\t\t\t rq->fence.seqno,\n\t\t\t\t i915_request_completed(rq) ? \"!\" :\n\t\t\t\t i915_request_started(rq) ? 
\"*\" :\n\t\t\t\t \"\",\n\t\t\t\t yesno(engine != ve->siblings[0]));\n\n\t\t\tve->request = NULL;\n\t\t\tve->base.execlists.queue_priority_hint = INT_MIN;\n\t\t\trb_erase_cached(rb, &execlists->virtual);\n\t\t\tRB_CLEAR_NODE(rb);\n\n\t\t\tGEM_BUG_ON(!(rq->execution_mask & engine->mask));\n\t\t\trq->engine = engine;\n\n\t\t\tif (engine != ve->siblings[0]) {\n\t\t\t\tu32 *regs = ve->context.lrc_reg_state;\n\t\t\t\tunsigned int n;\n\n\t\t\t\tGEM_BUG_ON(READ_ONCE(ve->context.inflight));\n\n\t\t\t\tif (!intel_engine_has_relative_mmio(engine))\n\t\t\t\t\tvirtual_update_register_offsets(regs,\n\t\t\t\t\t\t\t\t\tengine);\n\n\t\t\t\tif (!list_empty(&ve->context.signals))\n\t\t\t\t\tvirtual_xfer_breadcrumbs(ve, engine);\n\n\t\t\t\t/*\n\t\t\t\t * Move the bound engine to the top of the list\n\t\t\t\t * for future execution. We then kick this\n\t\t\t\t * tasklet first before checking others, so that\n\t\t\t\t * we preferentially reuse this set of bound\n\t\t\t\t * registers.\n\t\t\t\t */\n\t\t\t\tfor (n = 1; n < ve->num_siblings; n++) {\n\t\t\t\t\tif (ve->siblings[n] == engine) {\n\t\t\t\t\t\tswap(ve->siblings[n],\n\t\t\t\t\t\t ve->siblings[0]);\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tGEM_BUG_ON(ve->siblings[0] != engine);\n\t\t\t}\n\n\t\t\tif (__i915_request_submit(rq)) {\n\t\t\t\tsubmit = true;\n\t\t\t\tlast = rq;\n\t\t\t}\n\t\t\ti915_request_put(rq);\n\n\t\t\t/*\n\t\t\t * Hmm, we have a bunch of virtual engine requests,\n\t\t\t * but the first one was already completed (thanks\n\t\t\t * preempt-to-busy!). 
Keep looking at the veng queue\n\t\t\t * until we have no more relevant requests (i.e.\n\t\t\t * the normal submit queue has higher priority).\n\t\t\t */\n\t\t\tif (!submit) {\n\t\t\t\tspin_unlock(&ve->base.active.lock);\n\t\t\t\trb = rb_first_cached(&execlists->virtual);\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t}\n\n\t\tspin_unlock(&ve->base.active.lock);\n\t\tbreak;\n\t}\n\n\twhile ((rb = rb_first_cached(&execlists->queue))) {\n\t\tstruct i915_priolist *p = to_priolist(rb);\n\t\tstruct i915_request *rq, *rn;\n\t\tint i;\n\n\t\tpriolist_for_each_request_consume(rq, rn, p, i) {\n\t\t\tbool merge = true;\n\n\t\t\t/*\n\t\t\t * Can we combine this request with the current port?\n\t\t\t * It has to be the same context/ringbuffer and not\n\t\t\t * have any exceptions (e.g. GVT saying never to\n\t\t\t * combine contexts).\n\t\t\t *\n\t\t\t * If we can combine the requests, we can execute both\n\t\t\t * by updating the RING_TAIL to point to the end of the\n\t\t\t * second request, and so we never need to tell the\n\t\t\t * hardware about the first.\n\t\t\t */\n\t\t\tif (last && !can_merge_rq(last, rq)) {\n\t\t\t\t/*\n\t\t\t\t * If we are on the second port and cannot\n\t\t\t\t * combine this request with the last, then we\n\t\t\t\t * are done.\n\t\t\t\t */\n\t\t\t\tif (port == last_port)\n\t\t\t\t\tgoto done;\n\n\t\t\t\t/*\n\t\t\t\t * We must not populate both ELSP[] with the\n\t\t\t\t * same LRCA, i.e. we must submit 2 different\n\t\t\t\t * contexts if we submit 2 ELSP.\n\t\t\t\t */\n\t\t\t\tif (last->hw_context == rq->hw_context)\n\t\t\t\t\tgoto done;\n\n\t\t\t\tif (i915_request_has_sentinel(last))\n\t\t\t\t\tgoto done;\n\n\t\t\t\t/*\n\t\t\t\t * If GVT overrides us we only ever submit\n\t\t\t\t * port[0], leaving port[1] empty. 
Note that we\n\t\t\t\t * also have to be careful that we don't queue\n\t\t\t\t * the same context (even though a different\n\t\t\t\t * request) to the second port.\n\t\t\t\t */\n\t\t\t\tif (ctx_single_port_submission(last->hw_context) ||\n\t\t\t\t ctx_single_port_submission(rq->hw_context))\n\t\t\t\t\tgoto done;\n\n\t\t\t\tmerge = false;\n\t\t\t}\n\n\t\t\tif (__i915_request_submit(rq)) {\n\t\t\t\tif (!merge) {\n\t\t\t\t\t*port = execlists_schedule_in(last, port - execlists->pending);\n\t\t\t\t\tport++;\n\t\t\t\t\tlast = NULL;\n\t\t\t\t}\n\n\t\t\t\tGEM_BUG_ON(last &&\n\t\t\t\t\t !can_merge_ctx(last->hw_context,\n\t\t\t\t\t\t\t rq->hw_context));\n\n\t\t\t\tsubmit = true;\n\t\t\t\tlast = rq;\n\t\t\t}\n\t\t}\n\n\t\trb_erase_cached(&p->node, &execlists->queue);\n\t\ti915_priolist_free(p);\n\t}\n\ndone:\n\t/*\n\t * Here be a bit of magic! Or sleight-of-hand, whichever you prefer.\n\t *\n\t * We choose the priority hint such that if we add a request of greater\n\t * priority than this, we kick the submission tasklet to decide on\n\t * the right order of submitting the requests to hardware. We must\n\t * also be prepared to reorder requests as they are in-flight on the\n\t * HW. We derive the priority hint then as the first \"hole\" in\n\t * the HW submission ports and if there are no available slots,\n\t * the priority of the lowest executing request, i.e. 
last.\n\t *\n\t * When we do receive a higher priority request ready to run from the\n\t * user, see queue_request(), the priority hint is bumped to that\n\t * request triggering preemption on the next dequeue (or subsequent\n\t * interrupt for secondary ports).\n\t */\n\texeclists->queue_priority_hint = queue_prio(execlists);\n\tGEM_TRACE(\"%s: queue_priority_hint:%d, submit:%s\\n\",\n\t\t engine->name, execlists->queue_priority_hint,\n\t\t yesno(submit));\n\n\tif (submit) {\n\t\t*port = execlists_schedule_in(last, port - execlists->pending);\n\t\texeclists->switch_priority_hint =\n\t\t\tswitch_prio(engine, *execlists->pending);\n\n\t\t/*\n\t\t * Skip if we ended up with exactly the same set of requests,\n\t\t * e.g. trying to timeslice a pair of ordered contexts\n\t\t */\n\t\tif (!memcmp(execlists->active, execlists->pending,\n\t\t\t (port - execlists->pending + 1) * sizeof(*port))) {\n\t\t\tdo\n\t\t\t\texeclists_schedule_out(fetch_and_zero(port));\n\t\t\twhile (port-- != execlists->pending);\n\n\t\t\tgoto skip_submit;\n\t\t}\n\n\t\tmemset(port + 1, 0, (last_port - port) * sizeof(*port));\n\t\texeclists_submit_ports(engine);\n\n\t\tset_preempt_timeout(engine);\n\t} else {\nskip_submit:\n\t\tring_set_paused(engine, 0);\n\t}\n}", "project": "linux", "hash": 213319648018928949821984285662741199298, "size": 373, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281428 }, { "func": "CWebSession::CWebSession(const CString& sId, const CString& sIP)\n : m_sId(sId),\n m_sIP(sIP),\n m_pUser(nullptr),\n m_vsErrorMsgs(),\n m_vsSuccessMsgs(),\n m_tmLastActive() {\n Sessions.m_mIPSessions.insert(make_pair(sIP, this));\n UpdateLastActive();\n}", "project": "znc", "hash": 190005992477381278248382722879346953348, "size": 10, "commit_id": "a4a5aeeb17d32937d8c7d743dae9a4cc755ce773", "message": "Don't let web skin name ../../../../ access files outside of usual skins directories.\n\nThanks for Jeriko One for finding and reporting this.", "target": 0, "dataset": "other", "idx": 265775 }, { "func": "static const char *no_set_limit(cmd_parms *cmd, void *conf_,\n const char *arg, const char *arg2)\n{\n ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server, APLOGNO(00118)\n \"%s not supported on this platform\", cmd->cmd->name);\n\n return NULL;\n}", "project": "httpd", "hash": 47725181193879957093210851624935596218, "size": 8, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246368 }, { "func": " int64 CalculateBatchSize(const OpInputList& ragged_splits_list,\n const OpInputList& sparse_shape_list,\n const OpInputList& 
dense_list) {\n if (ragged_splits_list.size() > 0) {\n return ragged_splits_list[0].NumElements() - 1;\n } else if (dense_list.size() > 0) {\n return dense_list[0].dim_size(0);\n } else if (sparse_shape_list.size() > 0) {\n return sparse_shape_list[0].flat()(0);\n } else {\n return 0;\n }\n }", "project": "tensorflow", "hash": 142200734865404775544159826750711029671, "size": 13, "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a", "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9", "target": 0, "dataset": "other", "idx": 230087 }, { "func": "int trace_empty(struct trace_iterator *iter)\n{\n\tstruct ring_buffer_iter *buf_iter;\n\tint cpu;\n\n\t/* If we are looking at one CPU buffer, only check that one */\n\tif (iter->cpu_file != RING_BUFFER_ALL_CPUS) {\n\t\tcpu = iter->cpu_file;\n\t\tbuf_iter = trace_buffer_iter(iter, cpu);\n\t\tif (buf_iter) {\n\t\t\tif (!ring_buffer_iter_empty(buf_iter))\n\t\t\t\treturn 0;\n\t\t} else {\n\t\t\tif (!ring_buffer_empty_cpu(iter->trace_buffer->buffer, cpu))\n\t\t\t\treturn 0;\n\t\t}\n\t\treturn 1;\n\t}\n\n\tfor_each_tracing_cpu(cpu) {\n\t\tbuf_iter = trace_buffer_iter(iter, cpu);\n\t\tif (buf_iter) {\n\t\t\tif (!ring_buffer_iter_empty(buf_iter))\n\t\t\t\treturn 0;\n\t\t} else {\n\t\t\tif (!ring_buffer_empty_cpu(iter->trace_buffer->buffer, cpu))\n\t\t\t\treturn 0;\n\t\t}\n\t}\n\n\treturn 1;\n}", "project": "linux", "hash": 18607256663625475150882853831470985864, "size": 32, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445557 }, { "func": "static int kvm_hv_msr_set_crash_data(struct kvm *kvm, u32 index, u64 data)\n{\n\tstruct kvm_hv *hv = to_kvm_hv(kvm);\n\tsize_t size = ARRAY_SIZE(hv->hv_crash_param);\n\n\tif (WARN_ON_ONCE(index >= size))\n\t\treturn -EINVAL;\n\n\thv->hv_crash_param[array_index_nospec(index, size)] = data;\n\treturn 0;\n}", "project": "linux", "hash": 172316471688573924986507258078820083986, "size": 11, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343518 }, { "func": "void JOIN::handle_implicit_grouping_with_window_funcs()\n{\n if (select_lex->have_window_funcs() && send_row_on_empty_set())\n {\n const_tables= top_join_tab_count= table_count= 0;\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 326924299024690279805118292675120860485, "size": 7, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508652 }, { "func": "static void release_tty(struct tty_struct *tty, int idx)\n{\n\t/* This should always be true but check for the moment */\n\tWARN_ON(tty->index != idx);\n\tWARN_ON(!mutex_is_locked(&tty_mutex));\n\tif (tty->ops->shutdown)\n\t\ttty->ops->shutdown(tty);\n\ttty_save_termios(tty);\n\ttty_driver_remove_tty(tty->driver, tty);\n\tif (tty->port)\n\t\ttty->port->itty = NULL;\n\tif (tty->link)\n\t\ttty->link->port->itty = NULL;\n\tif (tty->port)\n\t\ttty_buffer_cancel_work(tty->port);\n\tif (tty->link)\n\t\ttty_buffer_cancel_work(tty->link->port);\n\n\ttty_kref_put(tty->link);\n\ttty_kref_put(tty);\n}", "project": "linux", "hash": 125836478122309155906082487498991654430, "size": 21, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325974 }, { "func": "static void layoutEthereumConfirmTx(const uint8_t *to, uint32_t to_len,\n const uint8_t *value, uint32_t value_len,\n const TokenType *token, char *out_str,\n size_t out_str_len, bool approve) {\n bignum256 val;\n uint8_t pad_val[32];\n memset(pad_val, 0, sizeof(pad_val));\n memcpy(pad_val + (32 - value_len), value, value_len);\n bn_read_be(pad_val, &val);\n\n char amount[32];\n if (token == NULL) {\n if (bn_is_zero(&val)) {\n strcpy(amount, _(\"message\"));\n } else {\n ethereumFormatAmount(&val, NULL, chain_id, amount, sizeof(amount));\n }\n } else {\n ethereumFormatAmount(&val, token, chain_id, amount, sizeof(amount));\n }\n\n char addr[43] = \"0x\";\n if (to_len) {\n ethereum_address_checksum(to, addr + 2, false, chain_id);\n }\n\n bool approve_all =\n approve && value_len == 32 &&\n memcmp(value, \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\", 8) == 0 &&\n memcmp(value + 8, \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\", 8) == 0 &&\n memcmp(value + 16, \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\", 8) == 0 &&\n memcmp(value + 24, \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\", 8) == 0;\n\n const char *address = addr;\n if (to_len && makerdao_isOasisDEXAddress(to, 
chain_id)) {\n address = \"OasisDEX\";\n }\n\n int cx;\n if (approve && bn_is_zero(&val) && token) {\n cx = snprintf(out_str, out_str_len, \"Remove ability for %s to withdraw %s?\",\n address, token->ticker + 1);\n } else if (approve_all) {\n cx = snprintf(out_str, out_str_len,\n \"Unlock full %s balance for withdrawal by %s?\",\n token->ticker + 1, address);\n } else if (approve) {\n cx = snprintf(out_str, out_str_len, \"Approve withdrawal of up to %s by %s?\",\n amount, address);\n } else {\n cx = snprintf(out_str, out_str_len, \"Send %s to %s\", amount,\n to_len ? address : \"new contract?\");\n }\n\n if (out_str_len <= (size_t)cx) {\n /*error detected. Clear the buffer */\n memset(out_str, 0, out_str_len);\n }\n}", "project": "keepkey-firmware", "hash": 155320529394062306911620303122142287309, "size": 59, "commit_id": "e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "message": "710 merge", "target": 0, "dataset": "other", "idx": 220867 }, { "func": "static void power_pmu_bhrb_reset(void)\n{\n\tasm volatile(PPC_CLRBHRB);\n}", "project": "linux", "hash": 182840507089169161340625773739077705190, "size": 4, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n 
perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374697 }, { "func": "static int path_lookupat(struct nameidata *nd, unsigned flags, struct path *path)\n{\n\tconst char *s = path_init(nd, flags);\n\tint err;\n\n\tif (unlikely(flags & LOOKUP_DOWN) && !IS_ERR(s)) {\n\t\terr = handle_lookup_down(nd);\n\t\tif (unlikely(err < 0))\n\t\t\ts = ERR_PTR(err);\n\t}\n\n\twhile (!(err = link_path_walk(s, nd))\n\t\t&& ((err = lookup_last(nd)) > 0)) {\n\t\ts = trailing_symlink(nd);\n\t}\n\tif (!err)\n\t\terr = complete_walk(nd);\n\n\tif (!err && nd->flags & LOOKUP_DIRECTORY)\n\t\tif (!d_can_lookup(nd->path.dentry))\n\t\t\terr = -ENOTDIR;\n\tif (!err) {\n\t\t*path = nd->path;\n\t\tnd->path.mnt = NULL;\n\t\tnd->path.dentry = NULL;\n\t}\n\tterminate_walk(nd);\n\treturn err;\n}", "project": "linux", "hash": 303360150624717428264947388935916158398, "size": 29, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", 
"target": 0, "dataset": "other", "idx": 295424 }, { "func": "__poll_t sctp_poll(struct file *file, struct socket *sock, poll_table *wait)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\t__poll_t mask;\n\n\tpoll_wait(file, sk_sleep(sk), wait);\n\n\tsock_rps_record_flow(sk);\n\n\t/* A TCP-style listening socket becomes readable when the accept queue\n\t * is not empty.\n\t */\n\tif (sctp_style(sk, TCP) && sctp_sstate(sk, LISTENING))\n\t\treturn (!list_empty(&sp->ep->asocs)) ?\n\t\t\t(EPOLLIN | EPOLLRDNORM) : 0;\n\n\tmask = 0;\n\n\t/* Is there any exceptional events? */\n\tif (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue))\n\t\tmask |= EPOLLERR |\n\t\t\t(sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? EPOLLPRI : 0);\n\tif (sk->sk_shutdown & RCV_SHUTDOWN)\n\t\tmask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM;\n\tif (sk->sk_shutdown == SHUTDOWN_MASK)\n\t\tmask |= EPOLLHUP;\n\n\t/* Is it readable? Reconsider this code with TCP-style support. */\n\tif (!skb_queue_empty_lockless(&sk->sk_receive_queue))\n\t\tmask |= EPOLLIN | EPOLLRDNORM;\n\n\t/* The association is either gone or not ready. */\n\tif (!sctp_style(sk, UDP) && sctp_sstate(sk, CLOSED))\n\t\treturn mask;\n\n\t/* Is it writable? */\n\tif (sctp_writeable(sk)) {\n\t\tmask |= EPOLLOUT | EPOLLWRNORM;\n\t} else {\n\t\tsk_set_bit(SOCKWQ_ASYNC_NOSPACE, sk);\n\t\t/*\n\t\t * Since the socket is not locked, the buffer\n\t\t * might be made available after the writeable check and\n\t\t * before the bit is set. This could cause a lost I/O\n\t\t * signal. tcp_poll() has a race breaker for this race\n\t\t * condition. 
Based on their implementation, we put\n\t\t * in the following code to cover it as well.\n\t\t */\n\t\tif (sctp_writeable(sk))\n\t\t\tmask |= EPOLLOUT | EPOLLWRNORM;\n\t}\n\treturn mask;\n}", "project": "linux", "hash": 83918836860948535392133641827646640919, "size": 54, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398062 }, { "func": "static int ca8210_spi_exchange(\n\tconst u8 *buf,\n\tsize_t len,\n\tu8 *response,\n\tvoid *device_ref\n)\n{\n\tint status = 0;\n\tstruct spi_device *spi = device_ref;\n\tstruct ca8210_priv *priv = spi->dev.driver_data;\n\tlong wait_remaining;\n\n\tif ((buf[0] & SPI_SYN) && response) { /* if sync wait for confirm */\n\t\treinit_completion(&priv->sync_exchange_complete);\n\t\tpriv->sync_command_response = response;\n\t}\n\n\tdo {\n\t\treinit_completion(&priv->spi_transfer_complete);\n\t\tstatus = ca8210_spi_transfer(priv->spi, buf, len);\n\t\tif (status) {\n\t\t\tdev_warn(\n\t\t\t\t&spi->dev,\n\t\t\t\t\"spi write failed, returned %d\\n\",\n\t\t\t\tstatus\n\t\t\t);\n\t\t\tif (status == -EBUSY)\n\t\t\t\tcontinue;\n\t\t\tif (((buf[0] & SPI_SYN) && response))\n\t\t\t\tcomplete(&priv->sync_exchange_complete);\n\t\t\tgoto cleanup;\n\t\t}\n\n\t\twait_remaining = wait_for_completion_interruptible_timeout(\n\t\t\t&priv->spi_transfer_complete,\n\t\t\tmsecs_to_jiffies(1000)\n\t\t);\n\t\tif (wait_remaining == -ERESTARTSYS) {\n\t\t\tstatus = -ERESTARTSYS;\n\t\t} else if (wait_remaining == 0) {\n\t\t\tdev_err(\n\t\t\t\t&spi->dev,\n\t\t\t\t\"SPI downstream transfer timed out!\\n\"\n\t\t\t);\n\t\t\tstatus = -ETIME;\n\t\t\tgoto cleanup;\n\t\t}\n\t} while (status < 0);\n\n\tif (!((buf[0] & SPI_SYN) && response))\n\t\tgoto cleanup;\n\n\twait_remaining = wait_for_completion_interruptible_timeout(\n\t\t&priv->sync_exchange_complete,\n\t\tmsecs_to_jiffies(CA8210_SYNC_TIMEOUT)\n\t);\n\tif (wait_remaining == -ERESTARTSYS) {\n\t\tstatus = -ERESTARTSYS;\n\t} else if (wait_remaining == 0) {\n\t\tdev_err(\n\t\t\t&spi->dev,\n\t\t\t\"Synchronous confirm timeout\\n\"\n\t\t);\n\t\tstatus = -ETIME;\n\t}\n\ncleanup:\n\tpriv->sync_command_response = NULL;\n\treturn status;\n}", "project": "linux", "hash": 97177269923578159817633830607467553455, "size": 70, "commit_id": "6402939ec86eaf226c8b8ae00ed983936b164908", "message": 
"ieee802154: ca8210: prevent memory leak\n\nIn ca8210_probe the allocated pdata needs to be assigned to\nspi_device->dev.platform_data before calling ca8210_get_platform_data.\nOthrwise when ca8210_get_platform_data fails pdata cannot be released.\n\nSigned-off-by: Navid Emamdoost \nLink: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.com\nSigned-off-by: Stefan Schmidt ", "target": 0, "dataset": "other", "idx": 408795 }, { "func": "void vcpu_load(struct kvm_vcpu *vcpu)\n{\n\tint cpu = get_cpu();\n\n\t__this_cpu_write(kvm_running_vcpu, vcpu);\n\tpreempt_notifier_register(&vcpu->preempt_notifier);\n\tkvm_arch_vcpu_load(vcpu, cpu);\n\tput_cpu();\n}", "project": "linux", "hash": 242750102818360691608441926534830447679, "size": 9, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354667 }, { "func": "static int migrate_page_add(struct page *page, struct list_head *pagelist,\n\t\t\t\tunsigned long flags)\n{\n\tstruct page *head = compound_head(page);\n\t/*\n\t * Avoid migrating a page that is shared with others.\n\t */\n\tif ((flags & MPOL_MF_MOVE_ALL) || page_mapcount(head) == 1) {\n\t\tif (!isolate_lru_page(head)) {\n\t\t\tlist_add_tail(&head->lru, pagelist);\n\t\t\tmod_node_page_state(page_pgdat(head),\n\t\t\t\tNR_ISOLATED_ANON + 
page_is_file_cache(head),\n\t\t\t\thpage_nr_pages(head));\n\t\t} else if (flags & MPOL_MF_STRICT) {\n\t\t\t/*\n\t\t\t * Non-movable page may reach here. And, there may be\n\t\t\t * temporary off LRU pages or non-LRU movable pages.\n\t\t\t * Treat them as unmovable pages since they can't be\n\t\t\t * isolated, so they can't be moved at the moment. It\n\t\t\t * should return -EIO for this case too.\n\t\t\t */\n\t\t\treturn -EIO;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 225982387755670420843492775798274770095, "size": 27, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366728 }, { "func": "static int migrate_page_add(struct page *page, struct list_head *pagelist,\n\t\t\t\tunsigned long flags)\n{\n\treturn -EIO;\n}", "project": "linux", "hash": 178245859990790591511151174583564300801, "size": 5, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a 
stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366793 }, { "func": "static int handle_eviocgbit(struct input_dev *dev,\n\t\t\t unsigned int type, unsigned int size,\n\t\t\t void __user *p, int compat_mode)\n{\n\tstatic unsigned long keymax_warn_time;\n\tunsigned long *bits;\n\tint len;\n\n\tswitch (type) {\n\n\tcase 0: bits = dev->evbit; len = EV_MAX; break;\n\tcase EV_KEY: bits = dev->keybit; len = KEY_MAX; break;\n\tcase EV_REL: bits = dev->relbit; len = REL_MAX; break;\n\tcase EV_ABS: bits = dev->absbit; len = ABS_MAX; break;\n\tcase EV_MSC: bits = dev->mscbit; len = MSC_MAX; break;\n\tcase EV_LED: bits = dev->ledbit; len = LED_MAX; break;\n\tcase EV_SND: bits = dev->sndbit; len = SND_MAX; break;\n\tcase EV_FF: bits = dev->ffbit; len = FF_MAX; break;\n\tcase EV_SW: bits = dev->swbit; len = SW_MAX; break;\n\tdefault: return -EINVAL;\n\t}\n\n\t/*\n\t * Work around bugs in userspace programs that like to do\n\t * EVIOCGBIT(EV_KEY, KEY_MAX) and not realize that 'len'\n\t * should be in bytes, not in bits.\n\t */\n\tif (type == EV_KEY && size == OLD_KEY_MAX) {\n\t\tlen = OLD_KEY_MAX;\n\t\tif (printk_timed_ratelimit(&keymax_warn_time, 10 * 1000))\n\t\t\tpr_warning(\"(EVIOCGBIT): Suspicious buffer size %u, \"\n\t\t\t\t \"limiting output to %zu bytes. 
See \"\n\t\t\t\t \"http://userweb.kernel.org/~dtor/eviocgbit-bug.html\\n\",\n\t\t\t\t OLD_KEY_MAX,\n\t\t\t\t BITS_TO_LONGS(OLD_KEY_MAX) * sizeof(long));\n\t}\n\n\treturn bits_to_user(bits, len, size, p, compat_mode);\n}", "project": "linux", "hash": 145221208048613613962175165369963152790, "size": 39, "commit_id": "483180281f0ac60d1138710eb21f4b9961901294", "message": "Input: evdev - flush queues during EVIOCGKEY-like ioctls\n\nIf userspace requests current KEY-state, they very likely assume that no\nsuch events are pending in the output queue of the evdev device.\nOtherwise, they will parse events which they already handled via\nEVIOCGKEY(). For XKB applications this can cause irreversible keyboard\nstates if a modifier is locked multiple times because a CTRL-DOWN event is\nhandled once via EVIOCGKEY() and once from the queue via read(), even\nthough it should handle it only once.\n\nTherefore, lets do the only logical thing and flush the evdev queue\natomically during this ioctl. We only flush events that are affected by\nthe given ioctl.\n\nThis only affects boolean events like KEY, SND, SW and LED. ABS, REL and\nothers are not affected as duplicate events can be handled gracefully by\nuser-space.\n\nNote: This actually breaks semantics of the evdev ABI. However,\ninvestigations showed that userspace already expects the new semantics and\nwe end up fixing at least all XKB applications.\nAll applications that are aware of this race-condition mirror the KEY\nstate for each open-file and detect/drop duplicate events. Hence, they do\nnot care whether duplicates are posted or not and work fine with this fix.\n\nAlso note that we need proper locking to guarantee atomicity and avoid\ndead-locks. event_lock must be locked before queue_lock (see input-core).\nHowever, we can safely release event_lock while flushing the queue. 
This\nallows the input-core to proceed with pending events and only stop if it\nneeds our queue_lock to post new events.\nThis should guarantee that we don't block event-dispatching for too long\nwhile flushing a single event queue.\n\nSigned-off-by: David Herrmann \nAcked-by: Peter Hutterer \nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 381721 }, { "func": "uint8_t bf_byte_count(const struct compressed_block_header* hdr) {\n\treturn (hdr->block_flags_u8 >> 3) & 7;\n}", "project": "libarchive", "hash": 27986492554743831006412334688321142499, "size": 3, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244694 }, { "func": "ClientHttpRequest::logRequest()\n{\n if (!out.size && logType.oldType == LOG_TAG_NONE)\n debugs(33, 5, \"logging half-baked transaction: \" << log_uri);\n\n al->icp.opcode = ICP_INVALID;\n al->url = log_uri;\n debugs(33, 9, \"clientLogRequest: al.url='\" << al->url << \"'\");\n\n if (al->reply) {\n al->http.code = al->reply->sline.status();\n al->http.content_type = al->reply->content_type.termedBuf();\n } else if (loggingEntry() && loggingEntry()->mem_obj) {\n al->http.code = loggingEntry()->mem_obj->getReply()->sline.status();\n al->http.content_type = loggingEntry()->mem_obj->getReply()->content_type.termedBuf();\n 
}\n\n debugs(33, 9, \"clientLogRequest: http.code='\" << al->http.code << \"'\");\n\n if (loggingEntry() && loggingEntry()->mem_obj && loggingEntry()->objectLen() >= 0)\n al->cache.objectSize = loggingEntry()->contentLen(); // payload duplicate ?? with or without TE ?\n\n al->http.clientRequestSz.header = req_sz;\n // the virgin request is saved to al->request\n if (al->request && al->request->body_pipe)\n al->http.clientRequestSz.payloadData = al->request->body_pipe->producedSize();\n al->http.clientReplySz.header = out.headers_sz;\n // XXX: calculate without payload encoding or headers !!\n al->http.clientReplySz.payloadData = out.size - out.headers_sz; // pretend its all un-encoded data for now.\n\n al->cache.highOffset = out.offset;\n\n al->cache.code = logType;\n\n tvSub(al->cache.trTime, al->cache.start_time, current_time);\n\n if (request)\n prepareLogWithRequestDetails(request, al);\n\n#if USE_OPENSSL && 0\n\n /* This is broken. Fails if the connection has been closed. Needs\n * to snarf the ssl details some place earlier..\n */\n if (getConn() != NULL)\n al->cache.ssluser = sslGetUserEmail(fd_table[getConn()->fd].ssl);\n\n#endif\n\n /* Add notes (if we have a request to annotate) */\n if (request) {\n // The al->notes and request->notes must point to the same object.\n (void)SyncNotes(*al, *request);\n for (auto i = Config.notes.begin(); i != Config.notes.end(); ++i) {\n if (const char *value = (*i)->match(request, al->reply, al)) {\n NotePairs ¬es = SyncNotes(*al, *request);\n notes.add((*i)->key.termedBuf(), value);\n debugs(33, 3, (*i)->key.termedBuf() << \" \" << value);\n }\n }\n }\n\n ACLFilledChecklist checklist(NULL, request, NULL);\n if (al->reply) {\n checklist.reply = al->reply;\n HTTPMSGLOCK(checklist.reply);\n }\n\n if (request) {\n HTTPMSGUNLOCK(al->adapted_request);\n al->adapted_request = request;\n HTTPMSGLOCK(al->adapted_request);\n }\n // no need checklist.syncAle(): already synced\n checklist.al = al;\n accessLogLog(al, &checklist);\n\n 
bool updatePerformanceCounters = true;\n if (Config.accessList.stats_collection) {\n ACLFilledChecklist statsCheck(Config.accessList.stats_collection, request, NULL);\n statsCheck.al = al;\n if (al->reply) {\n statsCheck.reply = al->reply;\n HTTPMSGLOCK(statsCheck.reply);\n }\n updatePerformanceCounters = statsCheck.fastCheck().allowed();\n }\n\n if (updatePerformanceCounters) {\n if (request)\n updateCounters();\n\n if (getConn() != NULL && getConn()->clientConnection != NULL)\n clientdbUpdate(getConn()->clientConnection->remote, logType, AnyP::PROTO_HTTP, out.size);\n }\n}", "project": "squid", "hash": 93644798201713680262225186142430681981, "size": 96, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402304 }, { "func": "static void write_mmcr0(struct cpu_hw_events *cpuhw, unsigned long mmcr0)\n{\n\tunsigned long pmc5, pmc6;\n\n\tif (!cpuhw->n_limited) {\n\t\tmtspr(SPRN_MMCR0, mmcr0);\n\t\treturn;\n\t}\n\n\t/*\n\t * Write MMCR0, then read PMC5 and PMC6 immediately.\n\t * To ensure we don't get a performance monitor interrupt\n\t * between writing MMCR0 and freezing/thawing the limited\n\t * events, we first write MMCR0 with the event overflow\n\t * interrupt enable bits turned off.\n\t */\n\tasm volatile(\"mtspr %3,%2; mfspr %0,%4; mfspr %1,%5\"\n\t\t : \"=&r\" (pmc5), \"=&r\" (pmc6)\n\t\t : \"r\" (mmcr0 & ~(MMCR0_PMC1CE | MMCR0_PMCjCE)),\n\t\t \"i\" (SPRN_MMCR0),\n\t\t \"i\" (SPRN_PMC5), \"i\" 
(SPRN_PMC6));\n\n\tif (mmcr0 & MMCR0_FC)\n\t\tfreeze_limited_counters(cpuhw, pmc5, pmc6);\n\telse\n\t\tthaw_limited_counters(cpuhw, pmc5, pmc6);\n\n\t/*\n\t * Write the full MMCR0 including the event overflow interrupt\n\t * enable bits, if necessary.\n\t */\n\tif (mmcr0 & (MMCR0_PMC1CE | MMCR0_PMCjCE))\n\t\tmtspr(SPRN_MMCR0, mmcr0);\n}", "project": "linux", "hash": 261726437658370027772734044904068414256, "size": 34, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374741 }, { "func": "void input_free_device(struct input_dev *dev)\n{\n\tif (dev) {\n\t\tif (dev->devres_managed)\n\t\t\tWARN_ON(devres_destroy(dev->dev.parent,\n\t\t\t\t\t\tdevm_input_device_release,\n\t\t\t\t\t\tdevm_input_device_match,\n\t\t\t\t\t\tdev));\n\t\tinput_put_device(dev);\n\t}\n}", "project": "linux", "hash": 187654907891352828263566187097908651762, "size": 11, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353328 }, { "func": "void input_alloc_absinfo(struct input_dev *dev)\n{\n\tif (dev->absinfo)\n\t\treturn;\n\n\tdev->absinfo = kcalloc(ABS_CNT, sizeof(*dev->absinfo), GFP_KERNEL);\n\tif (!dev->absinfo) {\n\t\tdev_err(dev->dev.parent ?: &dev->dev,\n\t\t\t\"%s: unable to allocate memory\\n\", __func__);\n\t\t/*\n\t\t * We will handle this allocation failure in\n\t\t * input_register_device() when we refuse to register input\n\t\t * device with ABS bits but without absinfo.\n\t\t */\n\t}\n}", "project": "linux", "hash": 220893828973865453865130455567719699585, "size": 16, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353311 }, { "func": "static inline void set_dr_intercepts(struct vcpu_svm *svm)\n{\n\tstruct vmcb *vmcb = get_host_vmcb(svm);\n\n\tvmcb->control.intercept_dr = (1 << INTERCEPT_DR0_READ)\n\t\t| (1 << INTERCEPT_DR1_READ)\n\t\t| (1 << INTERCEPT_DR2_READ)\n\t\t| (1 << INTERCEPT_DR3_READ)\n\t\t| (1 << INTERCEPT_DR4_READ)\n\t\t| (1 << INTERCEPT_DR5_READ)\n\t\t| (1 << INTERCEPT_DR6_READ)\n\t\t| (1 << INTERCEPT_DR7_READ)\n\t\t| (1 << INTERCEPT_DR0_WRITE)\n\t\t| (1 << INTERCEPT_DR1_WRITE)\n\t\t| (1 << INTERCEPT_DR2_WRITE)\n\t\t| (1 << INTERCEPT_DR3_WRITE)\n\t\t| (1 << INTERCEPT_DR4_WRITE)\n\t\t| (1 << INTERCEPT_DR5_WRITE)\n\t\t| (1 << INTERCEPT_DR6_WRITE)\n\t\t| (1 << INTERCEPT_DR7_WRITE);\n\n\trecalc_intercepts(svm);\n}", "project": "linux", "hash": 165256631562629577348288649946018053082, "size": 23, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432459 }, { "func": "struct kvm_memory_slot *kvm_vcpu_gfn_to_memslot(struct kvm_vcpu *vcpu, gfn_t gfn)\n{\n\treturn __gfn_to_memslot(kvm_vcpu_memslots(vcpu), gfn);\n}", "project": "linux", "hash": 161456936276993570718627589120554584066, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354739 }, { "func": "static int nf_tables_commit(struct net *net, struct sk_buff *skb)\n{\n\tstruct nftables_pernet *nft_net = nft_pernet(net);\n\tstruct nft_trans *trans, *next;\n\tstruct nft_trans_elem *te;\n\tstruct nft_chain *chain;\n\tstruct nft_table *table;\n\tLIST_HEAD(adl);\n\tint err;\n\n\tif (list_empty(&nft_net->commit_list)) {\n\t\tmutex_unlock(&nft_net->commit_mutex);\n\t\treturn 0;\n\t}\n\n\t/* 0. Validate ruleset, otherwise roll back for error reporting. */\n\tif (nf_tables_validate(net) < 0)\n\t\treturn -EAGAIN;\n\n\terr = nft_flow_rule_offload_commit(net);\n\tif (err < 0)\n\t\treturn err;\n\n\t/* 1. 
Allocate space for next generation rules_gen_X[] */\n\tlist_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {\n\t\tint ret;\n\n\t\tret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);\n\t\tif (ret) {\n\t\t\tnf_tables_commit_chain_prepare_cancel(net);\n\t\t\treturn ret;\n\t\t}\n\t\tif (trans->msg_type == NFT_MSG_NEWRULE ||\n\t\t trans->msg_type == NFT_MSG_DELRULE) {\n\t\t\tchain = trans->ctx.chain;\n\n\t\t\tret = nf_tables_commit_chain_prepare(net, chain);\n\t\t\tif (ret < 0) {\n\t\t\t\tnf_tables_commit_chain_prepare_cancel(net);\n\t\t\t\treturn ret;\n\t\t\t}\n\t\t}\n\t}\n\n\t/* step 2. Make rules_gen_X visible to packet path */\n\tlist_for_each_entry(table, &nft_net->tables, list) {\n\t\tlist_for_each_entry(chain, &table->chains, list)\n\t\t\tnf_tables_commit_chain(net, chain);\n\t}\n\n\t/*\n\t * Bump generation counter, invalidate any dump in progress.\n\t * Cannot fail after this point.\n\t */\n\twhile (++nft_net->base_seq == 0)\n\t\t;\n\n\t/* step 3. Start new generation, rules_gen_X now in use. 
*/\n\tnet->nft.gencursor = nft_gencursor_next(net);\n\n\tlist_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {\n\t\tnf_tables_commit_audit_collect(&adl, trans->ctx.table,\n\t\t\t\t\t trans->msg_type);\n\t\tswitch (trans->msg_type) {\n\t\tcase NFT_MSG_NEWTABLE:\n\t\t\tif (nft_trans_table_update(trans)) {\n\t\t\t\tif (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {\n\t\t\t\t\tnft_trans_destroy(trans);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tif (trans->ctx.table->flags & NFT_TABLE_F_DORMANT)\n\t\t\t\t\tnf_tables_table_disable(net, trans->ctx.table);\n\n\t\t\t\ttrans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;\n\t\t\t} else {\n\t\t\t\tnft_clear(net, trans->ctx.table);\n\t\t\t}\n\t\t\tnf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);\n\t\t\tnft_trans_destroy(trans);\n\t\t\tbreak;\n\t\tcase NFT_MSG_DELTABLE:\n\t\t\tlist_del_rcu(&trans->ctx.table->list);\n\t\t\tnf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);\n\t\t\tbreak;\n\t\tcase NFT_MSG_NEWCHAIN:\n\t\t\tif (nft_trans_chain_update(trans)) {\n\t\t\t\tnft_chain_commit_update(trans);\n\t\t\t\tnf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);\n\t\t\t\t/* trans destroyed after rcu grace period */\n\t\t\t} else {\n\t\t\t\tnft_chain_commit_drop_policy(trans);\n\t\t\t\tnft_clear(net, trans->ctx.chain);\n\t\t\t\tnf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);\n\t\t\t\tnft_trans_destroy(trans);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase NFT_MSG_DELCHAIN:\n\t\t\tnft_chain_del(trans->ctx.chain);\n\t\t\tnf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);\n\t\t\tnf_tables_unregister_hook(trans->ctx.net,\n\t\t\t\t\t\t trans->ctx.table,\n\t\t\t\t\t\t trans->ctx.chain);\n\t\t\tbreak;\n\t\tcase NFT_MSG_NEWRULE:\n\t\t\tnft_clear(trans->ctx.net, nft_trans_rule(trans));\n\t\t\tnf_tables_rule_notify(&trans->ctx,\n\t\t\t\t\t nft_trans_rule(trans),\n\t\t\t\t\t NFT_MSG_NEWRULE);\n\t\t\tnft_trans_destroy(trans);\n\t\t\tbreak;\n\t\tcase 
NFT_MSG_DELRULE:\n\t\t\tlist_del_rcu(&nft_trans_rule(trans)->list);\n\t\t\tnf_tables_rule_notify(&trans->ctx,\n\t\t\t\t\t nft_trans_rule(trans),\n\t\t\t\t\t NFT_MSG_DELRULE);\n\t\t\tnft_rule_expr_deactivate(&trans->ctx,\n\t\t\t\t\t\t nft_trans_rule(trans),\n\t\t\t\t\t\t NFT_TRANS_COMMIT);\n\t\t\tbreak;\n\t\tcase NFT_MSG_NEWSET:\n\t\t\tnft_clear(net, nft_trans_set(trans));\n\t\t\t/* This avoids hitting -EBUSY when deleting the table\n\t\t\t * from the transaction.\n\t\t\t */\n\t\t\tif (nft_set_is_anonymous(nft_trans_set(trans)) &&\n\t\t\t !list_empty(&nft_trans_set(trans)->bindings))\n\t\t\t\ttrans->ctx.table->use--;\n\n\t\t\tnf_tables_set_notify(&trans->ctx, nft_trans_set(trans),\n\t\t\t\t\t NFT_MSG_NEWSET, GFP_KERNEL);\n\t\t\tnft_trans_destroy(trans);\n\t\t\tbreak;\n\t\tcase NFT_MSG_DELSET:\n\t\t\tlist_del_rcu(&nft_trans_set(trans)->list);\n\t\t\tnf_tables_set_notify(&trans->ctx, nft_trans_set(trans),\n\t\t\t\t\t NFT_MSG_DELSET, GFP_KERNEL);\n\t\t\tbreak;\n\t\tcase NFT_MSG_NEWSETELEM:\n\t\t\tte = (struct nft_trans_elem *)trans->data;\n\n\t\t\tnft_setelem_activate(net, te->set, &te->elem);\n\t\t\tnf_tables_setelem_notify(&trans->ctx, te->set,\n\t\t\t\t\t\t &te->elem,\n\t\t\t\t\t\t NFT_MSG_NEWSETELEM, 0);\n\t\t\tnft_trans_destroy(trans);\n\t\t\tbreak;\n\t\tcase NFT_MSG_DELSETELEM:\n\t\t\tte = (struct nft_trans_elem *)trans->data;\n\n\t\t\tnf_tables_setelem_notify(&trans->ctx, te->set,\n\t\t\t\t\t\t &te->elem,\n\t\t\t\t\t\t NFT_MSG_DELSETELEM, 0);\n\t\t\tnft_setelem_remove(net, te->set, &te->elem);\n\t\t\tif (!nft_setelem_is_catchall(te->set, &te->elem)) {\n\t\t\t\tatomic_dec(&te->set->nelems);\n\t\t\t\tte->set->ndeact--;\n\t\t\t}\n\t\t\tbreak;\n\t\tcase NFT_MSG_NEWOBJ:\n\t\t\tif (nft_trans_obj_update(trans)) {\n\t\t\t\tnft_obj_commit_update(trans);\n\t\t\t\tnf_tables_obj_notify(&trans->ctx,\n\t\t\t\t\t\t nft_trans_obj(trans),\n\t\t\t\t\t\t NFT_MSG_NEWOBJ);\n\t\t\t} else {\n\t\t\t\tnft_clear(net, 
nft_trans_obj(trans));\n\t\t\t\tnf_tables_obj_notify(&trans->ctx,\n\t\t\t\t\t\t nft_trans_obj(trans),\n\t\t\t\t\t\t NFT_MSG_NEWOBJ);\n\t\t\t\tnft_trans_destroy(trans);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase NFT_MSG_DELOBJ:\n\t\t\tnft_obj_del(nft_trans_obj(trans));\n\t\t\tnf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),\n\t\t\t\t\t NFT_MSG_DELOBJ);\n\t\t\tbreak;\n\t\tcase NFT_MSG_NEWFLOWTABLE:\n\t\t\tif (nft_trans_flowtable_update(trans)) {\n\t\t\t\tnft_trans_flowtable(trans)->data.flags =\n\t\t\t\t\tnft_trans_flowtable_flags(trans);\n\t\t\t\tnf_tables_flowtable_notify(&trans->ctx,\n\t\t\t\t\t\t\t nft_trans_flowtable(trans),\n\t\t\t\t\t\t\t &nft_trans_flowtable_hooks(trans),\n\t\t\t\t\t\t\t NFT_MSG_NEWFLOWTABLE);\n\t\t\t\tlist_splice(&nft_trans_flowtable_hooks(trans),\n\t\t\t\t\t &nft_trans_flowtable(trans)->hook_list);\n\t\t\t} else {\n\t\t\t\tnft_clear(net, nft_trans_flowtable(trans));\n\t\t\t\tnf_tables_flowtable_notify(&trans->ctx,\n\t\t\t\t\t\t\t nft_trans_flowtable(trans),\n\t\t\t\t\t\t\t &nft_trans_flowtable(trans)->hook_list,\n\t\t\t\t\t\t\t NFT_MSG_NEWFLOWTABLE);\n\t\t\t}\n\t\t\tnft_trans_destroy(trans);\n\t\t\tbreak;\n\t\tcase NFT_MSG_DELFLOWTABLE:\n\t\t\tif (nft_trans_flowtable_update(trans)) {\n\t\t\t\tnft_flowtable_hooks_del(nft_trans_flowtable(trans),\n\t\t\t\t\t\t\t&nft_trans_flowtable_hooks(trans));\n\t\t\t\tnf_tables_flowtable_notify(&trans->ctx,\n\t\t\t\t\t\t\t nft_trans_flowtable(trans),\n\t\t\t\t\t\t\t &nft_trans_flowtable_hooks(trans),\n\t\t\t\t\t\t\t NFT_MSG_DELFLOWTABLE);\n\t\t\t\tnft_unregister_flowtable_net_hooks(net,\n\t\t\t\t\t\t\t\t &nft_trans_flowtable_hooks(trans));\n\t\t\t} else {\n\t\t\t\tlist_del_rcu(&nft_trans_flowtable(trans)->list);\n\t\t\t\tnf_tables_flowtable_notify(&trans->ctx,\n\t\t\t\t\t\t\t nft_trans_flowtable(trans),\n\t\t\t\t\t\t\t &nft_trans_flowtable(trans)->hook_list,\n\t\t\t\t\t\t\t 
NFT_MSG_DELFLOWTABLE);\n\t\t\t\tnft_unregister_flowtable_net_hooks(net,\n\t\t\t\t\t\t&nft_trans_flowtable(trans)->hook_list);\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tnft_commit_notify(net, NETLINK_CB(skb).portid);\n\tnf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);\n\tnf_tables_commit_audit_log(&adl, nft_net->base_seq);\n\tnf_tables_commit_release(net);\n\n\treturn 0;\n}", "project": "linux", "hash": 307071837548192674599844571878937454001, "size": 226, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? 
nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328354 }, { "func": "static bool change_group_ref(THD *thd, Item_func *expr, ORDER *group_list,\n bool *changed)\n{\n if (expr->argument_count())\n {\n Name_resolution_context *context= &thd->lex->current_select->context;\n Item **arg,**arg_end;\n bool arg_changed= FALSE;\n for (arg= expr->arguments(),\n arg_end= expr->arguments() + expr->argument_count();\n arg != arg_end; arg++)\n {\n Item *item= *arg;\n if (item->type() == Item::FIELD_ITEM || item->type() == Item::REF_ITEM)\n {\n ORDER *group_tmp;\n for (group_tmp= group_list; group_tmp; group_tmp= group_tmp->next)\n {\n if (item->eq(*group_tmp->item,0))\n {\n Item *new_item;\n if (!(new_item= new (thd->mem_root) Item_ref(thd, context,\n group_tmp->item, 0,\n &item->name)))\n return 1; // fatal_error is set\n thd->change_item_tree(arg, new_item);\n arg_changed= TRUE;\n }\n }\n }\n else if (item->type() == Item::FUNC_ITEM)\n {\n if (change_group_ref(thd, (Item_func *) item, group_list, &arg_changed))\n return 1;\n }\n }\n if (arg_changed)\n {\n expr->maybe_null= 1;\n expr->in_rollup= 1;\n *changed= TRUE;\n }\n }\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 7636540035984972277458561945635775775, "size": 45, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508590 }, { "func": "void utf16_to_utf8_tail(UncheckedBuffer &buf, unsigned short utf16) {\n if (utf16 < 0x800) {\n buf.append((char)(0xc0 | (utf16 >> 6)));\n buf.append((char)(0x80 | (utf16 & 0x3f)));\n } else if ((utf16 & 0xfc00) == 0xdc00\n && buf.size() >= 3\n && ((unsigned char)buf.data()[buf.size() - 3]) == 0xed\n && ((unsigned char)buf.data()[buf.size() - 2] & 0xf0) == 0xa0\n && ((unsigned char)buf.data()[buf.size() - 1] & 0xc0) == 0x80) {\n /* found surrogate pair */\n unsigned long utf32;\n\n utf32 = (((buf.data()[buf.size() - 2] & 0xf) << 16)\n | ((buf.data()[buf.size() - 1] & 0x3f) << 10)\n | (utf16 & 0x3ff)) + 0x10000;\n buf.shrinkBy(3);\n\n buf.append((char)(0xf0 | (utf32 >> 18)));\n buf.append((char)(0x80 | ((utf32 >> 12) & 0x3f)));\n buf.append((char)(0x80 | ((utf32 >> 6) & 0x3f)));\n buf.append((char)(0x80 | (utf32 & 0x3f)));\n } else {\n buf.append((char)(0xe0 | (utf16 >> 12)));\n buf.append((char)(0x80 | ((utf16 >> 6) & 0x3f)));\n buf.append((char)(0x80 | (utf16 & 0x3f)));\n }\n}", "project": "hhvm", "hash": 189198210877993479577745939464200408677, "size": 27, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in 
SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227324 }, { "func": "int gdImageColorExactAlpha (gdImagePtr im, int r, int g, int b, int a)\n{\n\tint i;\n\tif (im->trueColor) {\n\t\treturn gdTrueColorAlpha(r, g, b, a);\n\t}\n\tfor (i = 0; i < im->colorsTotal; i++) {\n\t\tif (im->open[i]) {\n\t\t\tcontinue;\n\t\t}\n\t\tif ((im->red[i] == r) && (im->green[i] == g) && (im->blue[i] == b) && (im->alpha[i] == a)) {\n\t\t\treturn i;\n\t\t}\n\t}\n\treturn -1;\n}", "project": "php-src", "hash": 255791849920490897298612152652153918746, "size": 16, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295134 }, { "func": "static void init_tracking(struct kmem_cache *s, void *object)\n{\n\tif (!(s->flags & SLAB_STORE_USER))\n\t\treturn;\n\n\tset_track(s, object, TRACK_FREE, 0UL);\n\tset_track(s, object, TRACK_ALLOC, 0UL);\n}", "project": "linux", "hash": 113442243450661538759913821784815773533, "size": 8, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280180 }, { "func": "bool JOIN::add_having_as_table_cond(JOIN_TAB *tab)\n{\n tmp_having->update_used_tables();\n table_map used_tables= tab->table->map | OUTER_REF_TABLE_BIT;\n\n /* If tmp table is not used then consider conditions of const table also */\n if (!need_tmp)\n used_tables|= const_table_map;\n\n DBUG_ENTER(\"JOIN::add_having_as_table_cond\");\n\n Item* sort_table_cond= make_cond_for_table(thd, tmp_having, used_tables,\n (table_map) 0, false,\n false, false);\n if (sort_table_cond)\n {\n if (!tab->select)\n {\n if (!(tab->select= new SQL_SELECT))\n DBUG_RETURN(true);\n tab->select->head= tab->table;\n }\n if (!tab->select->cond)\n tab->select->cond= sort_table_cond;\n else\n {\n if (!(tab->select->cond=\n\t new (thd->mem_root) Item_cond_and(thd,\n tab->select->cond,\n sort_table_cond)))\n DBUG_RETURN(true);\n }\n if (tab->pre_idx_push_select_cond)\n {\n if (sort_table_cond->type() == Item::COND_ITEM)\n sort_table_cond= sort_table_cond->copy_andor_structure(thd);\n if (!(tab->pre_idx_push_select_cond=\n new (thd->mem_root) Item_cond_and(thd,\n tab->pre_idx_push_select_cond,\n sort_table_cond)))\n DBUG_RETURN(true);\n }\n if (tab->select->cond)\n tab->select->cond->fix_fields_if_needed(thd, 0);\n if (tab->pre_idx_push_select_cond)\n tab->pre_idx_push_select_cond->fix_fields_if_needed(thd, 0);\n tab->select->pre_idx_push_select_cond= tab->pre_idx_push_select_cond;\n tab->set_select_cond(tab->select->cond, __LINE__);\n tab->select_cond->top_level_item();\n DBUG_EXECUTE(\"where\",print_where(tab->select->cond,\n\t\t\t\t \"select and having\",\n 
QT_ORDINARY););\n\n having= make_cond_for_table(thd, tmp_having, ~ (table_map) 0,\n ~used_tables, false, false, false);\n DBUG_EXECUTE(\"where\",\n print_where(having, \"having after sort\", QT_ORDINARY););\n }\n\n DBUG_RETURN(false);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 119138166364189257800755177402652250557, "size": 61, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508463 }, { "func": "UnicodeString::allocate(int32_t capacity) {\n if(capacity <= US_STACKBUF_SIZE) {\n fUnion.fFields.fLengthAndFlags = kShortString;\n return TRUE;\n }\n if(capacity <= kMaxCapacity) {\n ++capacity; // for the NUL\n // Switch to size_t which is unsigned so that we can allocate up to 4GB.\n // Reference counter + UChars.\n size_t numBytes = sizeof(int32_t) + (size_t)capacity * U_SIZEOF_UCHAR;\n // Round up to a multiple of 16.\n numBytes = (numBytes + 15) & ~15;\n int32_t *array = (int32_t *) uprv_malloc(numBytes);\n if(array != NULL) {\n // set initial refCount and point behind the refCount\n *array++ = 1;\n numBytes -= sizeof(int32_t);\n\n // have fArray point to the first UChar\n fUnion.fFields.fArray = (UChar *)array;\n fUnion.fFields.fCapacity = (int32_t)(numBytes / U_SIZEOF_UCHAR);\n fUnion.fFields.fLengthAndFlags = kLongString;\n return TRUE;\n }\n }\n fUnion.fFields.fLengthAndFlags = kIsBogus;\n fUnion.fFields.fArray = 0;\n fUnion.fFields.fCapacity = 0;\n return FALSE;\n}", "project": "icu", "hash": 77827340135700225657839004570920866195, "size": 30, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430851 }, { "func": " virtual bool allocate(THD *thd, uint i) { return 0; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 256620752311438600201569057771552843746, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set 
functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509205 }, { "func": "static void phar_add_file(phar_archive_data **pphar, char *filename, int filename_len, char *cont_str, int cont_len, zval *zresource TSRMLS_DC)\n{\n\tchar *error;\n\tsize_t contents_len;\n\tphar_entry_data *data;\n\tphp_stream *contents_file;\n\n\tif (filename_len >= sizeof(\".phar\")-1 && !memcmp(filename, \".phar\", sizeof(\".phar\")-1)) {\n\t\tzend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, \"Cannot create any files in magic \\\".phar\\\" directory\", (*pphar)->fname);\n\t\treturn;\n\t}\n\n\tif (!(data = phar_get_or_create_entry_data((*pphar)->fname, (*pphar)->fname_len, filename, filename_len, \"w+b\", 0, &error, 1 TSRMLS_CC))) {\n\t\tif (error) {\n\t\t\tzend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, \"Entry %s does not exist and cannot be created: %s\", filename, error);\n\t\t\tefree(error);\n\t\t} else {\n\t\t\tzend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, \"Entry %s does not exist and cannot be created\", filename);\n\t\t}\n\t\treturn;\n\t} else {\n\t\tif (error) {\n\t\t\tefree(error);\n\t\t}\n\n\t\tif (!data->internal_file->is_dir) {\n\t\t\tif (cont_str) {\n\t\t\t\tcontents_len = php_stream_write(data->fp, cont_str, cont_len);\n\t\t\t\tif (contents_len != cont_len) 
{\n\t\t\t\t\tzend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, \"Entry %s could not be written to\", filename);\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tif (!(php_stream_from_zval_no_verify(contents_file, &zresource))) {\n\t\t\t\t\tzend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, \"Entry %s could not be written to\", filename);\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\tphar_stream_copy_to_stream(contents_file, data->fp, PHP_STREAM_COPY_ALL, &contents_len);\n\t\t\t}\n\n\t\t\tdata->internal_file->compressed_filesize = data->internal_file->uncompressed_filesize = contents_len;\n\t\t}\n\n\t\t/* check for copy-on-write */\n\t\tif (pphar[0] != data->phar) {\n\t\t\t*pphar = data->phar;\n\t\t}\n\t\tphar_entry_delref(data TSRMLS_CC);\n\t\tphar_flush(*pphar, 0, 0, 0, &error TSRMLS_CC);\n\n\t\tif (error) {\n\t\t\tzend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, \"%s\", error);\n\t\t\tefree(error);\n\t\t}\n\t}\n}", "project": "php-src", "hash": 200866143911476317788031801564583529586, "size": 56, "commit_id": "b2cf3f064b8f5efef89bb084521b61318c71781b", "message": "Fixed bug #68901 (use after free)", "target": 0, "dataset": "other", "idx": 413458 }, { "func": "static inline int open_to_namei_flags(int flag)\n{\n\tif ((flag & O_ACCMODE) == 3)\n\t\tflag--;\n\treturn flag;\n}", "project": "linux", "hash": 234047835344750641643890247140356743460, "size": 6, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295322 }, { "func": "/* see the definition of bfq_async_charge_factor for details */\nstatic unsigned long bfq_serv_to_charge(struct request *rq,\n\t\t\t\t\tstruct bfq_queue *bfqq)\n{\n\tif 
(bfq_bfqq_sync(bfqq) || bfqq->wr_coeff > 1 ||\n\t bfq_asymmetric_scenario(bfqq->bfqd, bfqq))\n\t\treturn blk_rq_sectors(rq);\n\n\treturn blk_rq_sectors(rq) * bfq_async_charge_factor;", "project": "linux", "hash": 111269398744752978175456204584464527071, "size": 9, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453365 }, { "func": " void sample_stack() {\n char symbol[5120];\n m_stack->getStack(INT_MAX, symbol, sizeof(symbol));\n\n auto time = std::make_pair((int64_t)m_last_sample_time.tv_sec,\n (int64_t)m_last_sample_time.tv_usec);\n m_samples.push_back(std::make_pair(time, symbol));\n }", "project": "hhvm", "hash": 330606893440491754893988955668235160192, "size": 8, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219264 }, { "func": "static inline void ov51x_restart(struct sd *sd)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\n\tgspca_dbg(gspca_dev, D_STREAM, \"restarting\\n\");\n\tif (!sd->stopped)\n\t\treturn;\n\tsd->stopped = 0;\n\n\t/* Reinitialize the stream */\n\tswitch (sd->bridge) {\n\tcase BRIDGE_OV511:\n\tcase 
BRIDGE_OV511PLUS:\n\t\treg_w(sd, R51x_SYS_RESET, 0x00);\n\t\tbreak;\n\tcase BRIDGE_OV518:\n\tcase BRIDGE_OV518PLUS:\n\t\treg_w(sd, 0x2f, 0x80);\n\t\treg_w(sd, R51x_SYS_RESET, 0x00);\n\t\tbreak;\n\tcase BRIDGE_OV519:\n\t\treg_w(sd, OV519_R51_RESET1, 0x0f);\n\t\treg_w(sd, OV519_R51_RESET1, 0x00);\n\t\treg_w(sd, 0x22, 0x1d);\t\t/* FRAR */\n\t\tbreak;\n\tcase BRIDGE_OVFX2:\n\t\treg_w_mask(sd, 0x0f, 0x02, 0x02);\n\t\tbreak;\n\tcase BRIDGE_W9968CF:\n\t\treg_w(sd, 0x3c, 0x8a05); /* USB FIFO enable */\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 27101688848721593932516148949498630350, "size": 33, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306323 }, { "func": "int mnt_optstr_fix_user(char **optstr)\n{\n\tchar *username;\n\tstruct libmnt_optloc ol = MNT_INIT_OPTLOC;\n\tint rc = 0;\n\n\tDBG(CXT, ul_debug(\"fixing user\"));\n\n\trc = mnt_optstr_locate_option(*optstr, \"user\", &ol);\n\tif (rc)\n\t\treturn rc == 1 ? 
0 : rc;\t/* 1: user= not found */\n\n\tusername = mnt_get_username(getuid());\n\tif (!username)\n\t\treturn -ENOMEM;\n\n\tif (!ol.valsz || (ol.value && strncmp(ol.value, username, ol.valsz) != 0)) {\n\t\tif (ol.valsz)\n\t\t\t/* remove old value */\n\t\t\tmnt_optstr_remove_option_at(optstr, ol.value, ol.end);\n\n\t\trc = insert_value(optstr, ol.value ? ol.value : ol.end,\n\t\t\t\t username, NULL);\n\t}\n\n\tfree(username);\n\treturn rc;\n}", "project": "util-linux", "hash": 143508707351596004190173771241503424392, "size": 28, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410395 }, { "func": " void walkTrace(TraceIterator begin, TraceIterator end, TraceIterator final,\n Stats& stats) {\n TraceWalker walker;\n walker.walk(begin, end, final, stats);\n }", "project": "hhvm", "hash": 106965670805202959969605673525469173921, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219088 }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLNode::property(const string& name)\n{\n\tXMLPropertyIterator iter = _proplist.begin();\n\n\twhile (iter != _proplist.end()) {\n\t\tif ((*iter)->name() == name) {\n\t\t\treturn *iter;\n\t\t}\n\t\t++iter;\n\t}\n\n\treturn 0;\n}", "idx": 519642, "cwe": "CWE-416", "hash": 65176918053694380515527451692909683920, "dataset": "other" }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLNode::property(const char* name)\n{\n\tXMLPropertyIterator iter = _proplist.begin();\n\n\twhile (iter != _proplist.end()) {\n\t\tif ((*iter)->name() == name) 
{\n\t\t\treturn *iter;\n\t\t}\n\t\t++iter;\n\t}\n\treturn 0;\n}", "idx": 519687, "cwe": "CWE-416", "hash": 48310641881229148163867447289360593138, "dataset": "other" }, { "func": "static int do_con_write(struct tty_struct *tty, const unsigned char *buf, int count)\n{\n\tint c, next_c, tc, ok, n = 0, draw_x = -1;\n\tunsigned int currcons;\n\tunsigned long draw_from = 0, draw_to = 0;\n\tstruct vc_data *vc;\n\tunsigned char vc_attr;\n\tstruct vt_notifier_param param;\n\tuint8_t rescan;\n\tuint8_t inverse;\n\tuint8_t width;\n\tu16 himask, charmask;\n\n\tif (in_interrupt())\n\t\treturn count;\n\n\tconsole_lock();\n\tvc = tty->driver_data;\n\tif (vc == NULL) {\n\t\tpr_err(\"vt: argh, driver_data is NULL !\\n\");\n\t\tconsole_unlock();\n\t\treturn 0;\n\t}\n\n\tcurrcons = vc->vc_num;\n\tif (!vc_cons_allocated(currcons)) {\n\t\t/* could this happen? */\n\t\tpr_warn_once(\"con_write: tty %d not allocated\\n\", currcons+1);\n\t\tconsole_unlock();\n\t\treturn 0;\n\t}\n\n\thimask = vc->vc_hi_font_mask;\n\tcharmask = himask ? 
0x1ff : 0xff;\n\n\t/* undraw cursor first */\n\tif (con_is_fg(vc))\n\t\thide_cursor(vc);\n\n\tparam.vc = vc;\n\n\twhile (!tty->stopped && count) {\n\t\tint orig = *buf;\n\t\tc = orig;\n\t\tbuf++;\n\t\tn++;\n\t\tcount--;\n\t\trescan = 0;\n\t\tinverse = 0;\n\t\twidth = 1;\n\n\t\t/* Do no translation at all in control states */\n\t\tif (vc->vc_state != ESnormal) {\n\t\t\ttc = c;\n\t\t} else if (vc->vc_utf && !vc->vc_disp_ctrl) {\n\t\t /* Combine UTF-8 into Unicode in vc_utf_char.\n\t\t * vc_utf_count is the number of continuation bytes still\n\t\t * expected to arrive.\n\t\t * vc_npar is the number of continuation bytes arrived so\n\t\t * far\n\t\t */\nrescan_last_byte:\n\t\t if ((c & 0xc0) == 0x80) {\n\t\t\t/* Continuation byte received */\n\t\t\tstatic const uint32_t utf8_length_changes[] = { 0x0000007f, 0x000007ff, 0x0000ffff, 0x001fffff, 0x03ffffff, 0x7fffffff };\n\t\t\tif (vc->vc_utf_count) {\n\t\t\t vc->vc_utf_char = (vc->vc_utf_char << 6) | (c & 0x3f);\n\t\t\t vc->vc_npar++;\n\t\t\t if (--vc->vc_utf_count) {\n\t\t\t\t/* Still need some bytes */\n\t\t\t\tcontinue;\n\t\t\t }\n\t\t\t /* Got a whole character */\n\t\t\t c = vc->vc_utf_char;\n\t\t\t /* Reject overlong sequences */\n\t\t\t if (c <= utf8_length_changes[vc->vc_npar - 1] ||\n\t\t\t\t\tc > utf8_length_changes[vc->vc_npar])\n\t\t\t\tc = 0xfffd;\n\t\t\t} else {\n\t\t\t /* Unexpected continuation byte */\n\t\t\t vc->vc_utf_count = 0;\n\t\t\t c = 0xfffd;\n\t\t\t}\n\t\t } else {\n\t\t\t/* Single ASCII byte or first byte of a sequence received */\n\t\t\tif (vc->vc_utf_count) {\n\t\t\t /* Continuation byte expected */\n\t\t\t rescan = 1;\n\t\t\t vc->vc_utf_count = 0;\n\t\t\t c = 0xfffd;\n\t\t\t} else if (c > 0x7f) {\n\t\t\t /* First byte of a multibyte sequence received */\n\t\t\t vc->vc_npar = 0;\n\t\t\t if ((c & 0xe0) == 0xc0) {\n\t\t\t\tvc->vc_utf_count = 1;\n\t\t\t\tvc->vc_utf_char = (c & 0x1f);\n\t\t\t } else if ((c & 0xf0) == 0xe0) {\n\t\t\t\tvc->vc_utf_count = 2;\n\t\t\t\tvc->vc_utf_char = (c & 
0x0f);\n\t\t\t } else if ((c & 0xf8) == 0xf0) {\n\t\t\t\tvc->vc_utf_count = 3;\n\t\t\t\tvc->vc_utf_char = (c & 0x07);\n\t\t\t } else if ((c & 0xfc) == 0xf8) {\n\t\t\t\tvc->vc_utf_count = 4;\n\t\t\t\tvc->vc_utf_char = (c & 0x03);\n\t\t\t } else if ((c & 0xfe) == 0xfc) {\n\t\t\t\tvc->vc_utf_count = 5;\n\t\t\t\tvc->vc_utf_char = (c & 0x01);\n\t\t\t } else {\n\t\t\t\t/* 254 and 255 are invalid */\n\t\t\t\tc = 0xfffd;\n\t\t\t }\n\t\t\t if (vc->vc_utf_count) {\n\t\t\t\t/* Still need some bytes */\n\t\t\t\tcontinue;\n\t\t\t }\n\t\t\t}\n\t\t\t/* Nothing to do if an ASCII byte was received */\n\t\t }\n\t\t /* End of UTF-8 decoding. */\n\t\t /* c is the received character, or U+FFFD for invalid sequences. */\n\t\t /* Replace invalid Unicode code points with U+FFFD too */\n\t\t if ((c >= 0xd800 && c <= 0xdfff) || c == 0xfffe || c == 0xffff)\n\t\t\tc = 0xfffd;\n\t\t tc = c;\n\t\t} else {\t/* no utf or alternate charset mode */\n\t\t tc = vc_translate(vc, c);\n\t\t}\n\n\t\tparam.c = tc;\n\t\tif (atomic_notifier_call_chain(&vt_notifier_list, VT_PREWRITE,\n\t\t\t\t\t¶m) == NOTIFY_STOP)\n\t\t\tcontinue;\n\n /* If the original code was a control character we\n * only allow a glyph to be displayed if the code is\n * not normally used (such as for cursor movement) or\n * if the disp_ctrl mode has been explicitly enabled.\n * Certain characters (as given by the CTRL_ALWAYS\n * bitmap) are always displayed as control characters,\n * as the console would be pretty useless without\n * them; to display an arbitrary font position use the\n * direct-to-font zone in UTF-8 mode.\n */\n ok = tc && (c >= 32 ||\n\t\t\t !(vc->vc_disp_ctrl ? 
(CTRL_ALWAYS >> c) & 1 :\n\t\t\t\t vc->vc_utf || ((CTRL_ACTION >> c) & 1)))\n\t\t\t&& (c != 127 || vc->vc_disp_ctrl)\n\t\t\t&& (c != 128+27);\n\n\t\tif (vc->vc_state == ESnormal && ok) {\n\t\t\tif (vc->vc_utf && !vc->vc_disp_ctrl) {\n\t\t\t\tif (is_double_width(c))\n\t\t\t\t\twidth = 2;\n\t\t\t}\n\t\t\t/* Now try to find out how to display it */\n\t\t\ttc = conv_uni_to_pc(vc, tc);\n\t\t\tif (tc & ~charmask) {\n\t\t\t\tif (tc == -1 || tc == -2) {\n\t\t\t\t continue; /* nothing to display */\n\t\t\t\t}\n\t\t\t\t/* Glyph not found */\n\t\t\t\tif ((!(vc->vc_utf && !vc->vc_disp_ctrl) || c < 128) && !(c & ~charmask)) {\n\t\t\t\t /* In legacy mode use the glyph we get by a 1:1 mapping.\n\t\t\t\t This would make absolutely no sense with Unicode in mind,\n\t\t\t\t but do this for ASCII characters since a font may lack\n\t\t\t\t Unicode mapping info and we don't want to end up with\n\t\t\t\t having question marks only. */\n\t\t\t\t tc = c;\n\t\t\t\t} else {\n\t\t\t\t /* Display U+FFFD. If it's not found, display an inverse question mark. 
*/\n\t\t\t\t tc = conv_uni_to_pc(vc, 0xfffd);\n\t\t\t\t if (tc < 0) {\n\t\t\t\t\tinverse = 1;\n\t\t\t\t\ttc = conv_uni_to_pc(vc, '?');\n\t\t\t\t\tif (tc < 0) tc = '?';\n\t\t\t\t }\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (!inverse) {\n\t\t\t\tvc_attr = vc->vc_attr;\n\t\t\t} else {\n\t\t\t\t/* invert vc_attr */\n\t\t\t\tif (!vc->vc_can_do_color) {\n\t\t\t\t\tvc_attr = (vc->vc_attr) ^ 0x08;\n\t\t\t\t} else if (vc->vc_hi_font_mask == 0x100) {\n\t\t\t\t\tvc_attr = ((vc->vc_attr) & 0x11) | (((vc->vc_attr) & 0xe0) >> 4) | (((vc->vc_attr) & 0x0e) << 4);\n\t\t\t\t} else {\n\t\t\t\t\tvc_attr = ((vc->vc_attr) & 0x88) | (((vc->vc_attr) & 0x70) >> 4) | (((vc->vc_attr) & 0x07) << 4);\n\t\t\t\t}\n\t\t\t\tcon_flush(vc, draw_from, draw_to, &draw_x);\n\t\t\t}\n\n\t\t\tnext_c = c;\n\t\t\twhile (1) {\n\t\t\t\tif (vc->vc_need_wrap || vc->vc_decim)\n\t\t\t\t\tcon_flush(vc, draw_from, draw_to,\n\t\t\t\t\t\t\t&draw_x);\n\t\t\t\tif (vc->vc_need_wrap) {\n\t\t\t\t\tcr(vc);\n\t\t\t\t\tlf(vc);\n\t\t\t\t}\n\t\t\t\tif (vc->vc_decim)\n\t\t\t\t\tinsert_char(vc, 1);\n\t\t\t\tvc_uniscr_putc(vc, next_c);\n\t\t\t\tscr_writew(himask ?\n\t\t\t\t\t ((vc_attr << 8) & ~himask) + ((tc & 0x100) ? 
himask : 0) + (tc & 0xff) :\n\t\t\t\t\t (vc_attr << 8) + tc,\n\t\t\t\t\t (u16 *) vc->vc_pos);\n\t\t\t\tif (con_should_update(vc) && draw_x < 0) {\n\t\t\t\t\tdraw_x = vc->vc_x;\n\t\t\t\t\tdraw_from = vc->vc_pos;\n\t\t\t\t}\n\t\t\t\tif (vc->vc_x == vc->vc_cols - 1) {\n\t\t\t\t\tvc->vc_need_wrap = vc->vc_decawm;\n\t\t\t\t\tdraw_to = vc->vc_pos + 2;\n\t\t\t\t} else {\n\t\t\t\t\tvc->vc_x++;\n\t\t\t\t\tdraw_to = (vc->vc_pos += 2);\n\t\t\t\t}\n\n\t\t\t\tif (!--width) break;\n\n\t\t\t\ttc = conv_uni_to_pc(vc, ' '); /* A space is printed in the second column */\n\t\t\t\tif (tc < 0) tc = ' ';\n\t\t\t\tnext_c = ' ';\n\t\t\t}\n\t\t\tnotify_write(vc, c);\n\n\t\t\tif (inverse)\n\t\t\t\tcon_flush(vc, draw_from, draw_to, &draw_x);\n\n\t\t\tif (rescan) {\n\t\t\t\trescan = 0;\n\t\t\t\tinverse = 0;\n\t\t\t\twidth = 1;\n\t\t\t\tc = orig;\n\t\t\t\tgoto rescan_last_byte;\n\t\t\t}\n\t\t\tcontinue;\n\t\t}\n\t\tcon_flush(vc, draw_from, draw_to, &draw_x);\n\t\tdo_con_trol(tty, vc, orig);\n\t}\n\tcon_flush(vc, draw_from, draw_to, &draw_x);\n\tvc_uniscr_debug_check(vc);\n\tconsole_conditional_schedule();\n\tnotify_update(vc);\n\tconsole_unlock();\n\treturn n;\n}", "project": "linux", "hash": 255149920644884816407251494612043117294, "size": 252, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437044 }, { "func": "static void ptrace_do_notify(int signr, int exit_code, int why)\n{\n\tkernel_siginfo_t info;\n\n\tclear_siginfo(&info);\n\tinfo.si_signo = signr;\n\tinfo.si_code = exit_code;\n\tinfo.si_pid = task_pid_vnr(current);\n\tinfo.si_uid = from_kuid_munged(current_user_ns(), current_uid());\n\n\t/* Let the debugger run. */\n\tptrace_stop(exit_code, why, 1, &info);\n}", "project": "linux", "hash": 139492579150682394139559666716676137479, "size": 13, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375158 }, { "func": "bool vma_migratable(struct vm_area_struct *vma)\n{\n\tif (vma->vm_flags & (VM_IO | VM_PFNMAP))\n\t\treturn false;\n\n\t/*\n\t * DAX device mappings require predictable access latency, so avoid\n\t * incurring periodic faults.\n\t */\n\tif (vma_is_dax(vma))\n\t\treturn false;\n\n\tif (is_vm_hugetlb_page(vma) &&\n\t\t!hugepage_migration_supported(hstate_vma(vma)))\n\t\treturn false;\n\n\t/*\n\t * Migration allocates pages in the highest zone. If we cannot\n\t * do so then migration (at least from node to node) is not\n\t * possible.\n\t */\n\tif (vma->vm_file &&\n\t\tgfp_zone(mapping_gfp_mask(vma->vm_file->f_mapping))\n\t\t\t< policy_zone)\n\t\treturn false;\n\treturn true;\n}", "project": "linux", "hash": 59966299901369795100251506636555642235, "size": 27, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366753 }, { "func": "static void nfs4_open_confirm_release(void *calldata)\n{\n\tstruct nfs4_opendata *data = calldata;\n\tstruct nfs4_state *state = NULL;\n\n\t/* If this request hasn't been cancelled, do nothing */\n\tif (!data->cancelled)\n\t\tgoto out_free;\n\t/* In case of error, no cleanup! */\n\tif (!data->rpc_done)\n\t\tgoto out_free;\n\tstate = nfs4_opendata_to_nfs4_state(data);\n\tif (!IS_ERR(state))\n\t\tnfs4_close_state(state, data->o_arg.fmode);\nout_free:\n\tnfs4_opendata_put(data);\n}", "project": "linux", "hash": 135419894292617764713433504248769223466, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431101 }, { "func": "int gdImageGetPixel (gdImagePtr im, int x, int y)\n{\n\tif (gdImageBoundsSafe(im, x, y)) {\n\t\tif (im->trueColor) {\n\t\t\treturn im->tpixels[y][x];\n\t\t} else {\n\t\t\treturn im->pixels[y][x];\n\t\t}\n\t} else {\n\t\treturn 
0;\n\t}\n}", "project": "php-src", "hash": 18179232665376204512283763895423155681, "size": 12, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295191 }, { "func": "void nap_sleep(int ms, int split) {\n\tint i, input = got_user_input;\n\tint gd = got_local_pointer_input;\n\n\tfor (i=0; ifs);\n\tif (!opts)\n\t\treturn 0;\n\n\tif (mnt_optstr_get_option(opts, name, &suffix, &valsz))\n\t\treturn 0;\n\n\tsuffix = strndup(suffix, valsz);\n\tif (!suffix)\n\t\treturn -ENOMEM;\n\n\tDBG(CXT, ul_debugobj(cxt, \"umount: umount.%s %s requested\", suffix, name));\n\n\trc = mnt_context_prepare_helper(cxt, \"umount\", suffix);\n\tfree(suffix);\n\n\treturn rc;\n}", "project": "util-linux", "hash": 338008890322804798182736171106442376409, "size": 29, "commit_id": "57202f5713afa2af20ffbb6ab5331481d0396f8d", "message": "libmount: fix UID check for FUSE umount [CVE-2021-3995]\n\nImproper UID check allows an unprivileged user to unmount FUSE\nfilesystems of users with similar UID.\n\nSigned-off-by: Karel Zak ", "target": 0, "dataset": "other", "idx": 410432 }, { "func": "int bcf_hrec_find_key(bcf_hrec_t *hrec, const char *key)\n{\n int i;\n for (i=0; inkeys; i++)\n if ( !strcasecmp(key,hrec->keys[i]) ) return i;\n return -1;\n}", "project": "htslib", "hash": 177816624145697675113641690624858259424, "size": 7, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402223 }, { "func": "static void update_open_stateflags(struct nfs4_state *state, fmode_t fmode)\n{\n\tswitch (fmode) {\n\t\tcase FMODE_WRITE:\n\t\t\tstate->n_wronly++;\n\t\t\tbreak;\n\t\tcase FMODE_READ:\n\t\t\tstate->n_rdonly++;\n\t\t\tbreak;\n\t\tcase FMODE_READ|FMODE_WRITE:\n\t\t\tstate->n_rdwr++;\n\t}\n\tnfs4_state_set_mode_locked(state, state->state | fmode);\n}", "project": "linux", "hash": 181378159298758649509236754611038650225, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431515 }, { "func": "static void blacklist_pc(GCproto *pt, BCIns *pc)\n{\n setbc_op(pc, (int)bc_op(*pc)+(int)BC_ILOOP-(int)BC_LOOP);\n pt->flags |= PROTO_ILOOP;\n}", "project": "LuaJIT", "hash": 176964384894726780269791611590156490088, "size": 5, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394663 }, { "func": "void LibRaw::process_Sony_0x940e(uchar *buf, ushort len, unsigned long long id)\n{\n if (((imSony.CameraType != LIBRAW_SONY_SLT) &&\n (imSony.CameraType != LIBRAW_SONY_ILCA)) ||\n (id == SonyID_SLT_A33) ||\n (id == SonyID_SLT_A55) ||\n (id == SonyID_SLT_A35) ||\n (len < 3))\n return;\n\n imSony.AFType = 
SonySubstitution[buf[0x02]];\n\n if (imSony.CameraType == LIBRAW_SONY_ILCA)\n {\n if (len >= 0x06)\n {\n imgdata.shootinginfo.FocusMode = SonySubstitution[buf[0x05]];\n }\n if (len >= 0x0051)\n {\n imSony.AFMicroAdjValue = SonySubstitution[buf[0x0050]];\n }\n }\n else\n {\n if (len >= 0x0c)\n {\n imgdata.shootinginfo.FocusMode = SonySubstitution[buf[0x0b]];\n }\n if (len >= 0x017e)\n {\n imSony.AFMicroAdjValue = SonySubstitution[buf[0x017d]];\n }\n }\n\n if (imSony.AFMicroAdjValue != 0)\n imSony.AFMicroAdjOn = 1;\n}", "project": "LibRaw", "hash": 234493754735590077436045569352354604005, "size": 38, "commit_id": "c243f4539233053466c1309bde606815351bee81", "message": "additional checks in parseSonySRF\n\nparseSonySR2: buffer size check", "target": 0, "dataset": "other", "idx": 394109 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::handleStoppableSourceNodes()\n{\n ASSERT(isGraphOwner());\n\n for (unsigned i = 0; i < m_referencedNodes.size(); ++i) {\n AudioNode* node = m_referencedNodes.at(i).get();\n\n if (node->nodeType() == AudioNode::NodeTypeAudioBufferSource) {\n AudioBufferSourceNode* sourceNode = static_cast(node);\n sourceNode->handleStoppableSourceNode();\n }\n }\n}\n", "cwe": "", "big_vul_idx": 139662, "idx": 124812, "hash": 313092370975818569872520623113551677022 }, { "func": "\nstatic void io_put_sq_data(struct io_sq_data *sqd)\n{\n\tif (refcount_dec_and_test(&sqd->refs)) {\n\t\tWARN_ON_ONCE(atomic_read(&sqd->park_pending));\n\n\t\tio_sq_thread_stop(sqd);\n\t\tkfree(sqd);\n\t}", "project": "linux", "hash": 337085821985809908116491545106778136440, "size": 9, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338537 }, { "func": "static inline int kvm_arch_flush_remote_tlb(struct kvm *kvm)\n{\n\treturn -ENOTSUPP;\n}", "project": "linux", "hash": 290810689363155588131745821360719574989, "size": 4, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354460 }, { "func": "struct iscsi_endpoint *iscsi_lookup_endpoint(u64 handle)\n{\n\tstruct iscsi_endpoint *ep;\n\tstruct device *dev;\n\n\tdev = class_find_device(&iscsi_endpoint_class, NULL, &handle,\n\t\t\t\tiscsi_match_epid);\n\tif (!dev)\n\t\treturn NULL;\n\n\tep = iscsi_dev_to_endpoint(dev);\n\t/*\n\t * we can drop this now because the interface will prevent\n\t * removals and lookups from racing.\n\t */\n\tput_device(dev);\n\treturn ep;\n}", 
"project": "linux", "hash": 270223154145997019244693779194342857636, "size": 18, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379922 }, { "func": "static apr_status_t close_input(h2_stream *stream)\n{\n conn_rec *c = stream->session->c;\n apr_status_t status = APR_SUCCESS;\n\n stream->input_eof = 1;\n if (stream->input && h2_beam_is_closed(stream->input)) {\n return APR_SUCCESS;\n }\n \n ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c,\n H2_STRM_MSG(stream, \"closing input\"));\n if (stream->rst_error) {\n return APR_ECONNRESET;\n }\n \n if (stream->trailers && !apr_is_empty_table(stream->trailers)) {\n apr_bucket *b;\n h2_headers *r;\n \n if (!stream->in_buffer) {\n stream->in_buffer = apr_brigade_create(stream->pool, c->bucket_alloc);\n }\n \n r = h2_headers_create(HTTP_OK, stream->trailers, NULL, \n stream->in_trailer_octets, stream->pool);\n stream->trailers = NULL; \n b = h2_bucket_headers_create(c->bucket_alloc, r);\n APR_BRIGADE_INSERT_TAIL(stream->in_buffer, b);\n \n b = apr_bucket_eos_create(c->bucket_alloc);\n APR_BRIGADE_INSERT_TAIL(stream->in_buffer, b);\n \n ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, stream->session->c,\n H2_STRM_MSG(stream, \"added trailers\"));\n h2_stream_dispatch(stream, H2_SEV_IN_DATA_PENDING);\n }\n if (stream->input) {\n h2_stream_flush_input(stream);\n return h2_beam_close(stream->input);\n }\n return status;\n}", "project": "httpd", "hash": 265658331145078452441416766799012233274, "size": 43, "commit_id": 
"f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284271 }, { "func": "static void tcp_mark_head_lost(struct sock *sk, int packets, int mark_head)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\tstruct sk_buff *skb;\n\tint cnt, oldcnt;\n\tint err;\n\tunsigned int mss;\n\n\tWARN_ON(packets > tp->packets_out);\n\tif (tp->lost_skb_hint) {\n\t\tskb = tp->lost_skb_hint;\n\t\tcnt = tp->lost_cnt_hint;\n\t\t/* Head already handled? */\n\t\tif (mark_head && skb != tcp_write_queue_head(sk))\n\t\t\treturn;\n\t} else {\n\t\tskb = tcp_write_queue_head(sk);\n\t\tcnt = 0;\n\t}\n\n\ttcp_for_write_queue_from(skb, sk) {\n\t\tif (skb == tcp_send_head(sk))\n\t\t\tbreak;\n\t\t/* TODO: do this better */\n\t\t/* this is not the most efficient way to do this... */\n\t\ttp->lost_skb_hint = skb;\n\t\ttp->lost_cnt_hint = cnt;\n\n\t\tif (after(TCP_SKB_CB(skb)->end_seq, tp->high_seq))\n\t\t\tbreak;\n\n\t\toldcnt = cnt;\n\t\tif (tcp_is_fack(tp) || tcp_is_reno(tp) ||\n\t\t (TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_ACKED))\n\t\t\tcnt += tcp_skb_pcount(skb);\n\n\t\tif (cnt > packets) {\n\t\t\tif ((tcp_is_sack(tp) && !tcp_is_fack(tp)) ||\n\t\t\t (oldcnt >= packets))\n\t\t\t\tbreak;\n\n\t\t\tmss = skb_shinfo(skb)->gso_size;\n\t\t\terr = tcp_fragment(sk, skb, (packets - oldcnt) * mss, mss);\n\t\t\tif (err < 0)\n\t\t\t\tbreak;\n\t\t\tcnt = packets;\n\t\t}\n\n\t\ttcp_skb_mark_lost(tp, skb);\n\n\t\tif (mark_head)\n\t\t\tbreak;\n\t}\n\ttcp_verify_left_out(tp);\n}", "project": "net-next", "hash": 296263516602705160651308610521540806437, "size": 55, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call 
conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409840 }, { "func": "static void encode_share_access(struct xdr_stream *xdr, u32 share_access)\n{\n\t__be32 *p;\n\n\tp = reserve_space(xdr, 8);\n\t*p++ = cpu_to_be32(share_access);\n\t*p = cpu_to_be32(0);\t\t/* for linux, share_deny = 0 always */\n}", "project": "linux", "hash": 308834946664245901062707071668187687102, "size": 8, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431026 }, { "func": "void imap_clean_path(char *path, size_t plen)\n{\n struct ImapAccountData *adata = NULL;\n struct ImapMboxData *mdata = NULL;\n\n if (imap_adata_find(path, &adata, &mdata) < 0)\n return;\n\n /* Returns a fully qualified IMAP url */\n imap_qualify_path(path, plen, &adata->conn->account, mdata->name);\n imap_mdata_free((void *) &mdata);\n}", "project": "neomutt", "hash": 50774360389713728657824872364037810380, "size": 12, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. 
In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399291 }, { "func": "static bool can_merge_rq(const struct i915_request *prev,\n\t\t\t const struct i915_request *next)\n{\n\tGEM_BUG_ON(prev == next);\n\tGEM_BUG_ON(!assert_priority_queue(prev, next));\n\n\t/*\n\t * We do not submit known completed requests. Therefore if the next\n\t * request is already completed, we can pretend to merge it in\n\t * with the previous context (and we will skip updating the ELSP\n\t * and tracking). Thus hopefully keeping the ELSP full with active\n\t * contexts, despite the best efforts of preempt-to-busy to confuse\n\t * us.\n\t */\n\tif (i915_request_completed(next))\n\t\treturn true;\n\n\tif (unlikely((prev->flags ^ next->flags) &\n\t\t (I915_REQUEST_NOPREEMPT | I915_REQUEST_SENTINEL)))\n\t\treturn false;\n\n\tif (!can_merge_ctx(prev->hw_context, next->hw_context))\n\t\treturn false;\n\n\treturn true;\n}", "project": "linux", "hash": 169294404921833782854031356948279139585, "size": 26, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281474 }, { "func": "static zend_bool php_auto_globals_create_post(zend_string *name)\n{\n\tif (PG(variables_order) &&\n\t\t\t(strchr(PG(variables_order),'P') || strchr(PG(variables_order),'p')) &&\n\t\t!SG(headers_sent) &&\n\t\tSG(request_info).request_method &&\n\t\t!strcasecmp(SG(request_info).request_method, \"POST\")) {\n\t\tsapi_module.treat_data(PARSE_POST, NULL, NULL);\n\t} else {\n\t\tzval_ptr_dtor(&PG(http_globals)[TRACK_VARS_POST]);\n\t\tarray_init(&PG(http_globals)[TRACK_VARS_POST]);\n\t}\n\n\tzend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_POST]);\n\tZ_ADDREF(PG(http_globals)[TRACK_VARS_POST]);\n\n\treturn 0; /* don't rearm */\n}", "project": "php-src", "hash": 179551171663285387021954076544779087002, "size": 18, "commit_id": "6559fe912661ca5ce5f0eeeb591d928451428ed0", "message": "Do not decode cookie names anymore", "target": 0, "dataset": "other", "idx": 374957 }, { "func": "static inline void tcp_fast_path_check(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\tif (skb_queue_empty(&tp->out_of_order_queue) &&\n\t tp->rcv_wnd &&\n\t atomic_read(&sk->sk_rmem_alloc) < sk->sk_rcvbuf &&\n\t !tp->urg_data)\n\t\ttcp_fast_path_on(tp);\n}", "project": "linux", "hash": 76949428854071726397067679624146050917, "size": 10, "commit_id": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "message": "tcp: fix use after free in tcp_xmit_retransmit_queue()\n\nWhen tcp_sendmsg() allocates a fresh and empty skb, it puts it at the\ntail of the write queue using tcp_add_write_queue_tail()\n\nThen it attempts to copy user data into 
this fresh skb.\n\nIf the copy fails, we undo the work and remove the fresh skb.\n\nUnfortunately, this undo lacks the change done to tp->highest_sack and\nwe can leave a dangling pointer (to a freed skb)\n\nLater, tcp_xmit_retransmit_queue() can dereference this pointer and\naccess freed memory. For regular kernels where memory is not unmapped,\nthis might cause SACK bugs because tcp_highest_sack_seq() is buggy,\nreturning garbage instead of tp->snd_nxt, but with various debug\nfeatures like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.\n\nThis bug was found by Marco Grassi thanks to syzkaller.\n\nFixes: 6859d49475d4 (\"[TCP]: Abstract tp->highest_sack accessing & point to next skb\")\nReported-by: Marco Grassi \nSigned-off-by: Eric Dumazet \nCc: Ilpo Järvinen \nCc: Yuchung Cheng \nCc: Neal Cardwell \nAcked-by: Neal Cardwell \nReviewed-by: Cong Wang \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 410751 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "void BlobURLRequestJob::AdvanceBytesRead(int result) {\n DCHECK_GT(result, 0);\n\n current_item_offset_ += result;\n if (current_item_offset_ == item_length_list_[item_index_])\n AdvanceItem();\n\n remaining_bytes_ -= result;\n DCHECK_GE(remaining_bytes_, 0);\n\n read_buf_offset_ += result;\n read_buf_remaining_bytes_ -= result;\n DCHECK_GE(read_buf_remaining_bytes_, 0);\n}\n", "cwe": "", "big_vul_idx": 106404, "idx": 95558, "hash": 190915578915147569549005917582549008430 }, { "func": "static int pipe_rcv_created(struct sock *sk, struct sk_buff *skb)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tstruct pnpipehdr *hdr = pnp_hdr(skb);\n\tu8 n_sb = hdr->data0;\n\n\tpn->rx_fc = pn->tx_fc = PN_LEGACY_FLOW_CONTROL;\n\t__skb_pull(skb, sizeof(*hdr));\n\twhile (n_sb > 0) {\n\t\tu8 type, buf[2], len = sizeof(buf);\n\t\tu8 *data = pep_get_sb(skb, &type, &len, buf);\n\n\t\tif (data == NULL)\n\t\t\treturn -EINVAL;\n\t\tswitch (type) {\n\t\tcase 
PN_PIPE_SB_NEGOTIATED_FC:\n\t\t\tif (len < 2 || (data[0] | data[1]) > 3)\n\t\t\t\tbreak;\n\t\t\tpn->tx_fc = data[0] & 3;\n\t\t\tpn->rx_fc = data[1] & 3;\n\t\t\tbreak;\n\t\t}\n\t\tn_sb--;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 6898152367901694612924216645089226862, "size": 26, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224814 }, { "func": "static inline unsigned int size_from_object(struct kmem_cache *s)\n{\n\tif (s->flags & SLAB_RED_ZONE)\n\t\treturn s->size - s->red_left_pad;\n\n\treturn s->size;\n}", "project": "linux", "hash": 66582628500247580079553556913082660889, "size": 7, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280215 }, { "func": "static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,\n\t\t\t\tsize_t msg_len)\n{\n\tstruct sock *sk = asoc->base.sk;\n\tlong current_timeo = *timeo_p;\n\tDEFINE_WAIT(wait);\n\tint err = 0;\n\n\tpr_debug(\"%s: asoc:%p, timeo:%ld, msg_len:%zu\\n\", __func__, asoc,\n\t\t *timeo_p, msg_len);\n\n\t/* Increment the association's refcnt. */\n\tsctp_association_hold(asoc);\n\n\t/* Wait on the association specific sndbuf space. */\n\tfor (;;) {\n\t\tprepare_to_wait_exclusive(&asoc->wait, &wait,\n\t\t\t\t\t TASK_INTERRUPTIBLE);\n\t\tif (asoc->base.dead)\n\t\t\tgoto do_dead;\n\t\tif (!*timeo_p)\n\t\t\tgoto do_nonblock;\n\t\tif (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING)\n\t\t\tgoto do_error;\n\t\tif (signal_pending(current))\n\t\t\tgoto do_interrupted;\n\t\tif (sk_under_memory_pressure(sk))\n\t\t\tsk_mem_reclaim(sk);\n\t\tif ((int)msg_len <= sctp_wspace(asoc) &&\n\t\t sk_wmem_schedule(sk, msg_len))\n\t\t\tbreak;\n\n\t\t/* Let another process have a go. Since we are going\n\t\t * to sleep anyway.\n\t\t */\n\t\trelease_sock(sk);\n\t\tcurrent_timeo = schedule_timeout(current_timeo);\n\t\tlock_sock(sk);\n\t\tif (sk != asoc->base.sk)\n\t\t\tgoto do_error;\n\n\t\t*timeo_p = current_timeo;\n\t}\n\nout:\n\tfinish_wait(&asoc->wait, &wait);\n\n\t/* Release the association's refcnt. 
*/\n\tsctp_association_put(asoc);\n\n\treturn err;\n\ndo_dead:\n\terr = -ESRCH;\n\tgoto out;\n\ndo_error:\n\terr = -EPIPE;\n\tgoto out;\n\ndo_interrupted:\n\terr = sock_intr_errno(*timeo_p);\n\tgoto out;\n\ndo_nonblock:\n\terr = -EAGAIN;\n\tgoto out;\n}", "project": "linux", "hash": 172861347538464918331363044304157555669, "size": 68, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398071 }, { "func": "static inline unsigned int order_objects(unsigned int order, unsigned int size)\n{\n\treturn ((unsigned int)PAGE_SIZE << order) / size;\n}", "project": "linux", "hash": 131047053097241477758990247762642673091, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280130 }, { "func": "static void print_tracking(struct kmem_cache *s, void *object)\n{\n\tunsigned long pr_time = jiffies;\n\tif (!(s->flags & SLAB_STORE_USER))\n\t\treturn;\n\n\tprint_track(\"Allocated\", get_track(s, object, TRACK_ALLOC), pr_time);\n\tprint_track(\"Freed\", get_track(s, object, TRACK_FREE), pr_time);\n}", "project": "linux", "hash": 113733309295805068835247247014095907173, "size": 9, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280150 }, { "func": "int tty_release(struct inode *inode, struct file *filp)\n{\n\tstruct tty_struct *tty = file_tty(filp);\n\tstruct tty_struct *o_tty = NULL;\n\tint\tdo_sleep, final;\n\tint\tidx;\n\tlong\ttimeout = 0;\n\tint\tonce = 1;\n\n\tif (tty_paranoia_check(tty, inode, __func__))\n\t\treturn 0;\n\n\ttty_lock(tty);\n\tcheck_tty_count(tty, __func__);\n\n\t__tty_fasync(-1, filp, 0);\n\n\tidx = tty->index;\n\tif (tty->driver->type == TTY_DRIVER_TYPE_PTY &&\n\t tty->driver->subtype == PTY_TYPE_MASTER)\n\t\to_tty = tty->link;\n\n\tif (tty_release_checks(tty, idx)) {\n\t\ttty_unlock(tty);\n\t\treturn 0;\n\t}\n\n\ttty_debug_hangup(tty, \"releasing (count=%d)\\n\", tty->count);\n\n\tif (tty->ops->close)\n\t\ttty->ops->close(tty, filp);\n\n\t/* If tty is pty master, lock the slave pty (stable lock order) */\n\ttty_lock_slave(o_tty);\n\n\t/*\n\t * Sanity check: if tty->count is going to zero, there shouldn't be\n\t * any waiters on tty->read_wait or tty->write_wait. We test the\n\t * wait queues and kick everyone out _before_ actually starting to\n\t * close. This ensures that we won't block while releasing the tty\n\t * structure.\n\t *\n\t * The test for the o_tty closing is necessary, since the master and\n\t * slave sides may close in any order. 
If the slave side closes out\n\t * first, its count will be one, since the master side holds an open.\n\t * Thus this test wouldn't be triggered at the time the slave closed,\n\t * so we do it now.\n\t */\n\twhile (1) {\n\t\tdo_sleep = 0;\n\n\t\tif (tty->count <= 1) {\n\t\t\tif (waitqueue_active(&tty->read_wait)) {\n\t\t\t\twake_up_poll(&tty->read_wait, EPOLLIN);\n\t\t\t\tdo_sleep++;\n\t\t\t}\n\t\t\tif (waitqueue_active(&tty->write_wait)) {\n\t\t\t\twake_up_poll(&tty->write_wait, EPOLLOUT);\n\t\t\t\tdo_sleep++;\n\t\t\t}\n\t\t}\n\t\tif (o_tty && o_tty->count <= 1) {\n\t\t\tif (waitqueue_active(&o_tty->read_wait)) {\n\t\t\t\twake_up_poll(&o_tty->read_wait, EPOLLIN);\n\t\t\t\tdo_sleep++;\n\t\t\t}\n\t\t\tif (waitqueue_active(&o_tty->write_wait)) {\n\t\t\t\twake_up_poll(&o_tty->write_wait, EPOLLOUT);\n\t\t\t\tdo_sleep++;\n\t\t\t}\n\t\t}\n\t\tif (!do_sleep)\n\t\t\tbreak;\n\n\t\tif (once) {\n\t\t\tonce = 0;\n\t\t\ttty_warn(tty, \"read/write wait queue active!\\n\");\n\t\t}\n\t\tschedule_timeout_killable(timeout);\n\t\tif (timeout < 120 * HZ)\n\t\t\ttimeout = 2 * timeout + 1;\n\t\telse\n\t\t\ttimeout = MAX_SCHEDULE_TIMEOUT;\n\t}\n\n\tif (o_tty) {\n\t\tif (--o_tty->count < 0) {\n\t\t\ttty_warn(tty, \"bad slave count (%d)\\n\", o_tty->count);\n\t\t\to_tty->count = 0;\n\t\t}\n\t}\n\tif (--tty->count < 0) {\n\t\ttty_warn(tty, \"bad tty->count (%d)\\n\", tty->count);\n\t\ttty->count = 0;\n\t}\n\n\t/*\n\t * We've decremented tty->count, so we need to remove this file\n\t * descriptor off the tty->tty_files list; this serves two\n\t * purposes:\n\t * - check_tty_count sees the correct number of file descriptors\n\t * associated with this tty.\n\t * - do_tty_hangup no longer sees this file descriptor as\n\t * something that needs to be handled for hangups.\n\t */\n\ttty_del_file(filp);\n\n\t/*\n\t * Perform some housekeeping before deciding whether to return.\n\t *\n\t * If _either_ side is closing, make sure there aren't any\n\t * processes that still think tty or o_tty is their 
controlling\n\t * tty.\n\t */\n\tif (!tty->count) {\n\t\tread_lock(&tasklist_lock);\n\t\tsession_clear_tty(tty->session);\n\t\tif (o_tty)\n\t\t\tsession_clear_tty(o_tty->session);\n\t\tread_unlock(&tasklist_lock);\n\t}\n\n\t/* check whether both sides are closing ... */\n\tfinal = !tty->count && !(o_tty && o_tty->count);\n\n\ttty_unlock_slave(o_tty);\n\ttty_unlock(tty);\n\n\t/* At this point, the tty->count == 0 should ensure a dead tty\n\t cannot be re-opened by a racing opener */\n\n\tif (!final)\n\t\treturn 0;\n\n\ttty_debug_hangup(tty, \"final close\\n\");\n\n\ttty_release_struct(tty, idx);\n\treturn 0;\n}", "project": "linux", "hash": 206195906166470094287504279162526093939, "size": 139, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326040 }, { "func": "static ssize_t fuse_cache_write_iter(struct kiocb *iocb, struct iov_iter *from)\n{\n\tstruct file *file = iocb->ki_filp;\n\tstruct address_space *mapping = file->f_mapping;\n\tssize_t written = 0;\n\tssize_t written_buffered = 0;\n\tstruct inode *inode = mapping->host;\n\tssize_t err;\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tloff_t endbyte = 0;\n\n\tif (fc->writeback_cache) {\n\t\t/* Update size (EOF optimization) and mode (SUID clearing) */\n\t\terr = fuse_update_attributes(mapping->host, file);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tif (fc->handle_killpriv_v2 &&\n\t\t should_remove_suid(file_dentry(file))) {\n\t\t\tgoto writethrough;\n\t\t}\n\n\t\treturn generic_file_write_iter(iocb, from);\n\t}\n\nwritethrough:\n\tinode_lock(inode);\n\n\t/* We can write back this queue in page reclaim */\n\tcurrent->backing_dev_info = inode_to_bdi(inode);\n\n\terr = generic_write_checks(iocb, from);\n\tif (err <= 0)\n\t\tgoto out;\n\n\terr = file_remove_privs(file);\n\tif (err)\n\t\tgoto out;\n\n\terr = file_update_time(file);\n\tif (err)\n\t\tgoto out;\n\n\tif (iocb->ki_flags & IOCB_DIRECT) {\n\t\tloff_t pos = iocb->ki_pos;\n\t\twritten = generic_file_direct_write(iocb, 
from);\n\t\tif (written < 0 || !iov_iter_count(from))\n\t\t\tgoto out;\n\n\t\tpos += written;\n\n\t\twritten_buffered = fuse_perform_write(iocb, mapping, from, pos);\n\t\tif (written_buffered < 0) {\n\t\t\terr = written_buffered;\n\t\t\tgoto out;\n\t\t}\n\t\tendbyte = pos + written_buffered - 1;\n\n\t\terr = filemap_write_and_wait_range(file->f_mapping, pos,\n\t\t\t\t\t\t endbyte);\n\t\tif (err)\n\t\t\tgoto out;\n\n\t\tinvalidate_mapping_pages(file->f_mapping,\n\t\t\t\t\t pos >> PAGE_SHIFT,\n\t\t\t\t\t endbyte >> PAGE_SHIFT);\n\n\t\twritten += written_buffered;\n\t\tiocb->ki_pos = pos + written_buffered;\n\t} else {\n\t\twritten = fuse_perform_write(iocb, mapping, from, iocb->ki_pos);\n\t\tif (written >= 0)\n\t\t\tiocb->ki_pos += written;\n\t}\nout:\n\tcurrent->backing_dev_info = NULL;\n\tinode_unlock(inode);\n\tif (written > 0)\n\t\twritten = generic_write_sync(iocb, written);\n\n\treturn written ? written : err;\n}", "project": "linux", "hash": 265875084859488111986852882757643595155, "size": 82, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341890 }, { "func": "static void set_root(struct nameidata *nd)\n{\n\tstruct fs_struct *fs = current->fs;\n\n\tif (nd->flags & LOOKUP_RCU) {\n\t\tunsigned seq;\n\n\t\tdo {\n\t\t\tseq = read_seqcount_begin(&fs->seq);\n\t\t\tnd->root = fs->root;\n\t\t\tnd->root_seq = __read_seqcount_begin(&nd->root.dentry->d_seq);\n\t\t} while (read_seqcount_retry(&fs->seq, seq));\n\t} else {\n\t\tget_fs_root(fs, &nd->root);\n\t\tnd->flags |= LOOKUP_ROOT_GRABBED;\n\t}\n}", "project": "linux", "hash": 98133105662206696898757998230320465155, "size": 17, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295383 }, { "func": "bool GraphConstructor::NameExistsInGraph(StringPiece name) {\n if (existing_nodes_.find(name) != existing_nodes_.end()) return true;\n if (existing_prefixes_.find(name) != existing_prefixes_.end()) return true;\n return false;\n}", "project": "tensorflow", "hash": 239381046781543169787741447640737707964, "size": 5, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. 
Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268333 }, { "func": "static LIST_HEAD(connlist_err);\nstatic DEFINE_SPINLOCK(connlock);\n\nstatic uint32_t iscsi_conn_get_sid(struct iscsi_cls_conn *conn)\n{", "project": "linux", "hash": 95044364047942923946558727863871216170, "size": 5, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 379962 }, { "func": "static u64 svm_scale_tsc(struct kvm_vcpu *vcpu, u64 tsc)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tu64 _tsc = tsc;\n\n\tif (svm->tsc_ratio != TSC_RATIO_DEFAULT)\n\t\t_tsc = __scale_tsc(svm->tsc_ratio, tsc);\n\n\treturn _tsc;\n}", "project": "kvm", "hash": 316055389695713210782623853532344081070, "size": 10, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). 
However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437567 }, { "func": "static int _clua_dofile(lua_State *ls)\n{\n const char *file = luaL_checkstring(ls, 1);\n if (!file)\n return 0;\n\n const int err = CLua::loadfile(ls, file, !CLua::is_managed_vm(ls));\n if (err)\n return lua_error(ls);\n\n lua_call(ls, 0, LUA_MULTRET);\n return lua_gettop(ls);\n}", "project": "crawl", "hash": 37665821354605615131873295221506384876, "size": 13, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", 
"idx": 230480 }, { "func": " TfLiteStatus status() const { return status_; }", "project": "tensorflow", "hash": 35573118640229992086672185979732986575, "size": 1, "commit_id": "c6173f5fe66cdbab74f4f869311fe6aae2ba35f4", "message": "TFLite: Error out when the graph has a recurion.\n\nRecursion is currently unsupported.\n\nPiperOrigin-RevId: 371708957\nChange-Id: I8dfad0d85cbfe08e39ae8ea7bad21254ddee5003", "target": 0, "dataset": "other", "idx": 269620 }, { "func": "int bcf_write(htsFile *hfp, bcf_hdr_t *h, bcf1_t *v)\n{\n if ( h->dirty ) {\n if (bcf_hdr_sync(h) < 0) return -1;\n }\n if ( bcf_hdr_nsamples(h)!=v->n_sample )\n {\n hts_log_error(\"Broken VCF record, the number of columns at %s:%\"PRIhts_pos\" does not match the number of samples (%d vs %d)\",\n bcf_seqname_safe(h,v), v->pos+1, v->n_sample, bcf_hdr_nsamples(h));\n return -1;\n }\n\n if ( hfp->format.format == vcf || hfp->format.format == text_format )\n return vcf_write(hfp,h,v);\n\n if ( v->errcode )\n {\n // vcf_parse1() encountered a new contig or tag, undeclared in the\n // header. At this point, the header must have been printed,\n // proceeding would lead to a broken BCF file. Errors must be checked\n // and cleared by the caller before we can proceed.\n hts_log_error(\"Unchecked error (%d) at %s:%\"PRIhts_pos, v->errcode, bcf_seqname_safe(h,v), v->pos+1);\n return -1;\n }\n bcf1_sync(v); // check if the BCF record was modified\n\n if ( v->unpacked & BCF_IS_64BIT )\n {\n hts_log_error(\"Data at %s:%\"PRIhts_pos\" contains 64-bit values not representable in BCF. 
Please use VCF instead\", bcf_seqname_safe(h,v), v->pos+1);\n return -1;\n }\n\n BGZF *fp = hfp->fp.bgzf;\n uint8_t x[32];\n u32_to_le(v->shared.l + 24, x); // to include six 32-bit integers\n u32_to_le(v->indiv.l, x + 4);\n i32_to_le(v->rid, x + 8);\n u32_to_le(v->pos, x + 12);\n u32_to_le(v->rlen, x + 16);\n float_to_le(v->qual, x + 20);\n u16_to_le(v->n_info, x + 24);\n u16_to_le(v->n_allele, x + 26);\n u32_to_le((uint32_t)v->n_fmt<<24 | (v->n_sample & 0xffffff), x + 28);\n if ( bgzf_write(fp, x, 32) != 32 ) return -1;\n if ( bgzf_write(fp, v->shared.s, v->shared.l) != v->shared.l ) return -1;\n if ( bgzf_write(fp, v->indiv.s, v->indiv.l) != v->indiv.l ) return -1;\n\n if (hfp->idx) {\n if (hts_idx_push(hfp->idx, v->rid, v->pos, v->pos + v->rlen, bgzf_tell(fp), 1) < 0)\n return -1;\n }\n\n return 0;\n}", "project": "htslib", "hash": 178734724348639011142346219095884856449, "size": 54, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402188 }, { "func": "static void mt_release_contacts(struct hid_device *hid)\n{\n\tstruct hid_input *hidinput;\n\tstruct mt_application *application;\n\tstruct mt_device *td = hid_get_drvdata(hid);\n\n\tlist_for_each_entry(hidinput, &hid->inputs, list) {\n\t\tstruct input_dev *input_dev = hidinput->input;\n\t\tstruct input_mt *mt = input_dev->mt;\n\t\tint i;\n\n\t\tif (mt) {\n\t\t\tfor (i = 0; i < mt->num_slots; i++) {\n\t\t\t\tinput_mt_slot(input_dev, i);\n\t\t\t\tinput_mt_report_slot_inactive(input_dev);\n\t\t\t}\n\t\t\tinput_mt_sync_frame(input_dev);\n\t\t\tinput_sync(input_dev);\n\t\t}\n\t}\n\n\tlist_for_each_entry(application, &td->applications, list) {\n\t\tapplication->num_received = 0;\n\t}\n}", "project": "linux", "hash": 145385736007589656110251457347014614302, "size": 25, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": 
"other", "idx": 458350 }, { "func": "static void SFDGetTtfInstrs(FILE *sfd, SplineChar *sc) {\n /* We've read the TtfInstr token, it is followed by a byte count */\n /* and then the instructions in enc85 format */\n int i,len;\n struct enc85 dec;\n\n memset(&dec,'\\0', sizeof(dec)); dec.pos = -1;\n dec.sfd = sfd;\n\n getint(sfd,&len);\n sc->ttf_instrs = malloc(len);\n sc->ttf_instrs_len = len;\n for ( i=0; ittf_instrs[i] = Dec85(&dec);\n}", "project": "fontforge", "hash": 117339637225242047078808413076250624483, "size": 15, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417797 }, { "func": "static rsRetVal qConstructDisk(qqueue_t *pThis)\n{\n\tDEFiRet;\n\tint bRestarted = 0;\n\n\tASSERT(pThis != NULL);\n\n\t/* and now check if there is some persistent information that needs to be read in */\n\tiRet = qqueueTryLoadPersistedInfo(pThis);\n\tif(iRet == RS_RET_OK)\n\t\tbRestarted = 1;\n\telse if(iRet != RS_RET_FILE_NOT_FOUND)\n\t\t\tFINALIZE;\n\n\tif(bRestarted == 1) {\n\t\t;\n\t} else {\n\t\tCHKiRet(strm.Construct(&pThis->tVars.disk.pWrite));\n\t\tCHKiRet(strm.SetbSync(pThis->tVars.disk.pWrite, pThis->bSyncQueueFiles));\n\t\tCHKiRet(strm.SetDir(pThis->tVars.disk.pWrite, glbl.GetWorkDir(), strlen((char*)glbl.GetWorkDir())));\n\t\tCHKiRet(strm.SetiMaxFiles(pThis->tVars.disk.pWrite, 10000000));\n\t\tCHKiRet(strm.SettOperationsMode(pThis->tVars.disk.pWrite, STREAMMODE_WRITE));\n\t\tCHKiRet(strm.SetsType(pThis->tVars.disk.pWrite, 
STREAMTYPE_FILE_CIRCULAR));\n\t\tCHKiRet(strm.ConstructFinalize(pThis->tVars.disk.pWrite));\n\n\t\tCHKiRet(strm.Construct(&pThis->tVars.disk.pReadDeq));\n\t\tCHKiRet(strm.SetbDeleteOnClose(pThis->tVars.disk.pReadDeq, 0));\n\t\tCHKiRet(strm.SetDir(pThis->tVars.disk.pReadDeq, glbl.GetWorkDir(), strlen((char*)glbl.GetWorkDir())));\n\t\tCHKiRet(strm.SetiMaxFiles(pThis->tVars.disk.pReadDeq, 10000000));\n\t\tCHKiRet(strm.SettOperationsMode(pThis->tVars.disk.pReadDeq, STREAMMODE_READ));\n\t\tCHKiRet(strm.SetsType(pThis->tVars.disk.pReadDeq, STREAMTYPE_FILE_CIRCULAR));\n\t\tCHKiRet(strm.ConstructFinalize(pThis->tVars.disk.pReadDeq));\n\n\t\tCHKiRet(strm.Construct(&pThis->tVars.disk.pReadDel));\n\t\tCHKiRet(strm.SetbSync(pThis->tVars.disk.pReadDel, pThis->bSyncQueueFiles));\n\t\tCHKiRet(strm.SetbDeleteOnClose(pThis->tVars.disk.pReadDel, 1));\n\t\tCHKiRet(strm.SetDir(pThis->tVars.disk.pReadDel, glbl.GetWorkDir(), strlen((char*)glbl.GetWorkDir())));\n\t\tCHKiRet(strm.SetiMaxFiles(pThis->tVars.disk.pReadDel, 10000000));\n\t\tCHKiRet(strm.SettOperationsMode(pThis->tVars.disk.pReadDel, STREAMMODE_READ));\n\t\tCHKiRet(strm.SetsType(pThis->tVars.disk.pReadDel, STREAMTYPE_FILE_CIRCULAR));\n\t\tCHKiRet(strm.ConstructFinalize(pThis->tVars.disk.pReadDel));\n\n\t\tCHKiRet(strm.SetFName(pThis->tVars.disk.pWrite, pThis->pszFilePrefix, pThis->lenFilePrefix));\n\t\tCHKiRet(strm.SetFName(pThis->tVars.disk.pReadDeq, pThis->pszFilePrefix, pThis->lenFilePrefix));\n\t\tCHKiRet(strm.SetFName(pThis->tVars.disk.pReadDel, pThis->pszFilePrefix, pThis->lenFilePrefix));\n\t}\n\n\t/* now we set (and overwrite in case of a persisted restart) some parameters which\n\t * should always reflect the current configuration variables. Be careful by doing so,\n\t * for example file name generation must not be changed as that would break the\n\t * ability to read existing queue files. 
-- rgerhards, 2008-01-12\n\t */\n\tCHKiRet(strm.SetiMaxFileSize(pThis->tVars.disk.pWrite, pThis->iMaxFileSize));\n\tCHKiRet(strm.SetiMaxFileSize(pThis->tVars.disk.pReadDeq, pThis->iMaxFileSize));\n\tCHKiRet(strm.SetiMaxFileSize(pThis->tVars.disk.pReadDel, pThis->iMaxFileSize));\n\nfinalize_it:\n\tRETiRet;\n}", "project": "rsyslog", "hash": 82004020132199555433474538964984872507, "size": 59, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373749 }, { "func": " static Value performCastDecimalToDouble(ExpressionContext* const expCtx, Value inputValue) {\n Decimal128 inputDecimal = inputValue.getDecimal();\n\n std::uint32_t signalingFlags = Decimal128::SignalingFlag::kNoFlag;\n double result =\n inputDecimal.toDouble(&signalingFlags, Decimal128::RoundingMode::kRoundTiesToEven);\n\n uassert(ErrorCodes::ConversionFailure,\n str::stream()\n << \"Conversion would overflow target type in $convert with no onError value: \"\n << inputDecimal.toString(),\n signalingFlags == Decimal128::SignalingFlag::kNoFlag ||\n signalingFlags == Decimal128::SignalingFlag::kInexact);\n\n return Value(result);\n }", "project": "mongo", "hash": 158071093527251026801503939246746899805, "size": 16, "commit_id": "1772b9a0393b55e6a280a35e8f0a1f75c014f301", "message": "SERVER-49404 Enforce additional checks in $arrayToObject", "target": 0, "dataset": "other", "idx": 370075 }, { "func": "\nstatic bool io_uring_try_cancel_iowq(struct io_ring_ctx *ctx)\n{\n\tstruct io_tctx_node *node;\n\tenum io_wq_cancel cret;\n\tbool ret = false;\n\n\tmutex_lock(&ctx->uring_lock);\n\tlist_for_each_entry(node, &ctx->tctx_list, ctx_node) {\n\t\tstruct io_uring_task *tctx = node->task->io_uring;\n\n\t\t/*\n\t\t * io_wq will stay alive while we hold uring_lock, because it's\n\t\t * killed after ctx nodes, which requires to take the 
lock.\n\t\t */\n\t\tif (!tctx || !tctx->io_wq)\n\t\t\tcontinue;\n\t\tcret = io_wq_cancel_cb(tctx->io_wq, io_cancel_ctx_cb, ctx, true);\n\t\tret |= (cret != IO_WQ_CANCEL_NOTFOUND);\n\t}\n\tmutex_unlock(&ctx->uring_lock);\n\n\treturn ret;", "project": "linux", "hash": 326674534556494973567136095101888418780, "size": 23, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338716 }, { "func": "otError Commissioner::GeneratePskc(const char * aPassPhrase,\n const char * aNetworkName,\n const Mac::ExtendedPanId &aExtPanId,\n Pskc & aPskc)\n{\n otError error = OT_ERROR_NONE;\n const char *saltPrefix = \"Thread\";\n uint8_t salt[OT_PBKDF2_SALT_MAX_LEN];\n uint16_t saltLen = 0;\n\n VerifyOrExit((strlen(aPassPhrase) >= OT_COMMISSIONING_PASSPHRASE_MIN_SIZE) &&\n (strlen(aPassPhrase) <= OT_COMMISSIONING_PASSPHRASE_MAX_SIZE) &&\n (strlen(aNetworkName) <= OT_NETWORK_NAME_MAX_SIZE),\n error = OT_ERROR_INVALID_ARGS);\n\n memset(salt, 0, sizeof(salt));\n memcpy(salt, saltPrefix, strlen(saltPrefix));\n saltLen += static_cast(strlen(saltPrefix));\n\n memcpy(salt + saltLen, aExtPanId.m8, sizeof(aExtPanId));\n saltLen += OT_EXT_PAN_ID_SIZE;\n\n memcpy(salt + saltLen, aNetworkName, strlen(aNetworkName));\n saltLen += 
static_cast(strlen(aNetworkName));\n\n otPbkdf2Cmac(reinterpret_cast(aPassPhrase), static_cast(strlen(aPassPhrase)),\n reinterpret_cast(salt), saltLen, 16384, OT_PSKC_MAX_SIZE, aPskc.m8);\n\nexit:\n return error;\n}", "project": "openthread", "hash": 269174587310881469223710673598831931018, "size": 31, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 1, "dataset": "other", "idx": 198147 }, { "func": "otError Commissioner::GeneratePskc(const char * aPassPhrase,\n const char * aNetworkName,\n const Mac::ExtendedPanId &aExtPanId,\n Pskc & aPskc)\n{\n otError error = OT_ERROR_NONE;\n const char saltPrefix[] = \"Thread\";\n uint8_t salt[OT_PBKDF2_SALT_MAX_LEN];\n uint16_t saltLen = 0;\n uint16_t passphraseLen;\n uint8_t networkNameLen;\n\n passphraseLen = static_cast(strnlen(aPassPhrase, OT_COMMISSIONING_PASSPHRASE_MAX_SIZE + 1));\n networkNameLen = static_cast(strnlen(aNetworkName, OT_NETWORK_NAME_MAX_SIZE + 1));\n\n VerifyOrExit((passphraseLen >= OT_COMMISSIONING_PASSPHRASE_MIN_SIZE) &&\n (passphraseLen <= OT_COMMISSIONING_PASSPHRASE_MAX_SIZE) &&\n (networkNameLen <= OT_NETWORK_NAME_MAX_SIZE),\n error = OT_ERROR_INVALID_ARGS);\n\n memset(salt, 0, sizeof(salt));\n memcpy(salt, saltPrefix, sizeof(saltPrefix) - 1);\n saltLen += static_cast(sizeof(saltPrefix) - 1);\n\n memcpy(salt + saltLen, aExtPanId.m8, sizeof(aExtPanId));\n saltLen += OT_EXT_PAN_ID_SIZE;\n\n memcpy(salt + saltLen, aNetworkName, networkNameLen);\n saltLen += networkNameLen;\n\n otPbkdf2Cmac(reinterpret_cast(aPassPhrase), passphraseLen, reinterpret_cast(salt),\n saltLen, 16384, OT_PSKC_MAX_SIZE, aPskc.m8);\n\nexit:\n return error;\n}", "project": "openthread", "hash": 130996794969779372185141123675944404951, "size": 36, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269900 }, { "func": "TfLiteStatus 
Eval(TfLiteContext* context, TfLiteNode* node) {\n // Retrieve tensors (All should be allocated by now)\n const TfLiteTensor* output_shape;\n TF_LITE_ENSURE_OK(\n context, GetInputSafe(context, node, kOutputShapeTensor, &output_shape));\n const TfLiteTensor* weights;\n TF_LITE_ENSURE_OK(context,\n GetInputSafe(context, node, kWeightsTensor, &weights));\n const TfLiteTensor* input;\n TF_LITE_ENSURE_OK(context,\n GetInputSafe(context, node, kDataInputTensor, &input));\n const TfLiteTensor* bias =\n (NumInputs(node) == 4)\n ? GetOptionalInputTensor(context, node, kBiasTensor)\n : nullptr;\n TfLiteTensor* output;\n TF_LITE_ENSURE_OK(context,\n GetOutputSafe(context, node, kOutputTensor, &output));\n OpData* data = reinterpret_cast(node->user_data);\n TfLiteTensor* col2im = data->has_col2im\n ? GetTemporary(context, node, data->col2im_index)\n : nullptr;\n TfLiteTensor* transposed_weights =\n data->weights_are_transposed\n ? GetTemporary(context, node, data->transposed_weights_index)\n : nullptr;\n const auto* params =\n reinterpret_cast(node->builtin_data);\n\n // Resize any deferred dynamic tensors\n if (IsDynamicTensor(output)) {\n TF_LITE_ENSURE_OK(context, ResizeTensor(context, output_shape, output));\n }\n if (data->has_col2im && IsDynamicTensor(col2im)) {\n TF_LITE_ENSURE_OK(context, ResizeCol2ImTensor(context, output_shape,\n weights, input, col2im));\n }\n\n // Get height and width of the output image.\n const int width = SizeOfDimension(output, 2);\n const int height = SizeOfDimension(output, 1);\n const int filter_width = SizeOfDimension(weights, 2);\n const int filter_height = SizeOfDimension(weights, 1);\n\n int unused_output_height, unused_output_width;\n data->padding = ComputePaddingHeightWidth(\n params->stride_height, params->stride_width, 1, 1, height, width,\n filter_height, filter_width, params->padding, &unused_output_height,\n &unused_output_width);\n\n // Currently support float32, uint8, int8, int16.\n switch (input->type) {\n case 
kTfLiteFloat32: {\n // Only for GenericOptimized path, we use transposed weights.\n if (data->weights_are_transposed) {\n if (!IsConstantTensor(weights)) {\n ResizeAndTransposeWeights(context, weights, transposed_weights);\n }\n }\n EvalFloat(context, params, data, input, weights, bias,\n transposed_weights, col2im, output);\n break;\n }\n case kTfLiteUInt8: {\n TfLiteTensor* scratch_buffer;\n TF_LITE_ENSURE_OK(\n context, GetTemporarySafe(context, node, data->scratch_tensor_index,\n &scratch_buffer));\n if (IsDynamicTensor(scratch_buffer)) {\n TF_LITE_ENSURE_OK(context,\n ResizeTensor(context, output_shape, scratch_buffer));\n }\n if (data->weights_are_transposed) {\n if (!IsConstantTensor(weights)) {\n ResizeAndTransposeWeights(context, weights, transposed_weights);\n }\n }\n EvalQuantized(context, params, data, input, weights,\n transposed_weights, bias, col2im, output,\n scratch_buffer);\n break;\n }\n case kTfLiteInt8: {\n TfLiteTensor* scratch_buffer;\n TF_LITE_ENSURE_OK(\n context, GetTemporarySafe(context, node, data->scratch_tensor_index,\n &scratch_buffer));\n if (IsDynamicTensor(scratch_buffer)) {\n TF_LITE_ENSURE_OK(context,\n ResizeTensor(context, output_shape, scratch_buffer));\n }\n if (data->weights_are_transposed && !IsConstantTensor(weights)) {\n ResizeAndTransposeWeights(context, weights, transposed_weights);\n }\n EvalQuantizedPerChannel(context, params, data, input,\n weights, transposed_weights, bias,\n col2im, output, scratch_buffer);\n break;\n }\n case kTfLiteInt16: {\n TfLiteTensor* scratch_buffer;\n TF_LITE_ENSURE_OK(\n context, GetTemporarySafe(context, node, data->scratch_tensor_index,\n &scratch_buffer));\n if (IsDynamicTensor(scratch_buffer)) {\n TF_LITE_ENSURE_OK(context,\n ResizeTensor(context, output_shape, scratch_buffer));\n }\n if (data->weights_are_transposed && !IsConstantTensor(weights)) {\n ResizeAndTransposeWeights(context, weights, transposed_weights);\n }\n EvalQuantizedPerChannel16x8(context, params, data, input, 
weights,\n transposed_weights, bias, col2im, output,\n scratch_buffer);\n break;\n }\n default:\n context->ReportError(context, \"Type '%s' is not currently supported.\",\n TfLiteTypeGetName(input->type));\n return kTfLiteError;\n }\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 290740829738125502038333394047295607616, "size": 123, "commit_id": "801c1c6be5324219689c98e1bd3e0ca365ee834d", "message": "Fix another division by 0 in TFLite\n\nPiperOrigin-RevId: 370800181\nChange-Id: I924809166a6131f5075e6d45c455106538d755f9", "target": 1, "dataset": "other", "idx": 197892 }, { "func": "TfLiteStatus Eval(TfLiteContext* context, TfLiteNode* node) {\n auto* params =\n reinterpret_cast(node->builtin_data);\n OpData* data = reinterpret_cast(node->user_data);\n\n const TfLiteTensor* input;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, kInputTensor, &input));\n const TfLiteTensor* filter;\n TF_LITE_ENSURE_OK(context,\n GetInputSafe(context, node, kWeightsTensor, &filter));\n const TfLiteTensor* bias =\n (node->inputs->size == 3)\n ? 
GetOptionalInputTensor(context, node, kBiasTensor)\n : nullptr;\n TfLiteTensor* output;\n TF_LITE_ENSURE_OK(context,\n GetOutputSafe(context, node, kOutputTensor, &output));\n // Do nothing if expected output is empty.\n if (NumElements(output) == 0) {\n return kTfLiteOk;\n }\n\n switch (filter->type) {\n case kTfLiteFloat32:\n return EvalFloat(context, node, params, data, input, filter,\n bias, output);\n case kTfLiteUInt8:\n if (params->weights_format ==\n kTfLiteFullyConnectedWeightsFormatShuffled4x16Int8) {\n TfLiteTensor* shuffled_input_workspace;\n TF_LITE_ENSURE_OK(\n context, GetOutputSafe(context, node, kShuffledInputWorkspaceTensor,\n &shuffled_input_workspace));\n return EvalShuffledQuantized(context, node, params, data,\n input, filter, bias, output,\n shuffled_input_workspace);\n } else if (params->weights_format ==\n kTfLiteFullyConnectedWeightsFormatDefault) {\n return EvalQuantized(context, node, params, data, input,\n filter, bias, output);\n } else {\n context->ReportError(context,\n \"Unhandled fully-connected weights format\");\n return kTfLiteError;\n }\n case kTfLiteInt8:\n if (params->weights_format == kTfLiteFullyConnectedWeightsFormatDefault) {\n return EvalQuantized(context, node, params, data, input,\n filter, bias, output);\n } else {\n context->ReportError(context,\n \"Unhandled fully-connected weights format\");\n return kTfLiteError;\n }\n default:\n context->ReportError(context,\n \"Filter data type %s currently not supported.\",\n TfLiteTypeGetName(filter->type));\n return kTfLiteError;\n }\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 291638103280884884189267764002852735730, "size": 62, "commit_id": "6c0b2b70eeee588591680f5b7d5d38175fd7cdf6", "message": "[lite] add validation check for sparse fully connected\n\nPiperOrigin-RevId: 417629354\nChange-Id: If96171c4bd4f5fdb01d6368d6deab19d1c9beca7", "target": 0, "dataset": "other", "idx": 220484 }, { "func": "TfLiteStatus Eval(TfLiteContext* context, TfLiteNode* node) {\n 
const TfLiteTensor* input;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, kInputTensor, &input));\n\n switch (input->type) { // Already know in/out types are same.\n case kTfLiteFloat32:\n return EvalImpl(context, node);\n case kTfLiteUInt8:\n return EvalImpl(context, node);\n case kTfLiteInt8:\n return EvalImpl(context, node);\n case kTfLiteInt16:\n return EvalImpl(context, node);\n default:\n context->ReportError(context, \"Type %d not currently supported.\",\n input->type);\n return kTfLiteError;\n }\n}", "project": "tensorflow", "hash": 174724900149181575844762465376787012816, "size": 19, "commit_id": "e5b0eec199c2d03de54fd6a7fd9275692218e2bc", "message": "[lite] Add validation check for dilation height/width to be positive integers.\n\nPiperOrigin-RevId: 416429178\nChange-Id: If7cdcddca54486434d9b2f06e7e2b401d7c3ee25", "target": 0, "dataset": "other", "idx": 223179 }, { "func": "TfLiteStatus Eval(TfLiteContext* context, TfLiteNode* node) {\n // Retrieve tensors (All should be allocated by now)\n const TfLiteTensor* output_shape;\n TF_LITE_ENSURE_OK(\n context, GetInputSafe(context, node, kOutputShapeTensor, &output_shape));\n const TfLiteTensor* weights;\n TF_LITE_ENSURE_OK(context,\n GetInputSafe(context, node, kWeightsTensor, &weights));\n const TfLiteTensor* input;\n TF_LITE_ENSURE_OK(context,\n GetInputSafe(context, node, kDataInputTensor, &input));\n const TfLiteTensor* bias =\n (NumInputs(node) == 4)\n ? GetOptionalInputTensor(context, node, kBiasTensor)\n : nullptr;\n TfLiteTensor* output;\n TF_LITE_ENSURE_OK(context,\n GetOutputSafe(context, node, kOutputTensor, &output));\n OpData* data = reinterpret_cast(node->user_data);\n TfLiteTensor* col2im = data->has_col2im\n ? GetTemporary(context, node, data->col2im_index)\n : nullptr;\n TfLiteTensor* transposed_weights =\n data->weights_are_transposed\n ? 
GetTemporary(context, node, data->transposed_weights_index)\n : nullptr;\n const auto* params =\n reinterpret_cast(node->builtin_data);\n\n // Prevent divisions by 0\n TF_LITE_ENSURE(context, params->stride_height > 0);\n TF_LITE_ENSURE(context, params->stride_width > 0);\n\n // Resize any deferred dynamic tensors\n if (IsDynamicTensor(output)) {\n TF_LITE_ENSURE_OK(context, ResizeTensor(context, output_shape, output));\n }\n if (data->has_col2im && IsDynamicTensor(col2im)) {\n TF_LITE_ENSURE_OK(context, ResizeCol2ImTensor(context, output_shape,\n weights, input, col2im));\n }\n\n // Get height and width of the output image.\n const int width = SizeOfDimension(output, 2);\n const int height = SizeOfDimension(output, 1);\n const int filter_width = SizeOfDimension(weights, 2);\n const int filter_height = SizeOfDimension(weights, 1);\n\n int unused_output_height, unused_output_width;\n data->padding = ComputePaddingHeightWidth(\n params->stride_height, params->stride_width, 1, 1, height, width,\n filter_height, filter_width, params->padding, &unused_output_height,\n &unused_output_width);\n\n // Currently support float32, uint8, int8, int16.\n switch (input->type) {\n case kTfLiteFloat32: {\n // Only for GenericOptimized path, we use transposed weights.\n if (data->weights_are_transposed) {\n if (!IsConstantTensor(weights)) {\n ResizeAndTransposeWeights(context, weights, transposed_weights);\n }\n }\n EvalFloat(context, params, data, input, weights, bias,\n transposed_weights, col2im, output);\n break;\n }\n case kTfLiteUInt8: {\n TfLiteTensor* scratch_buffer;\n TF_LITE_ENSURE_OK(\n context, GetTemporarySafe(context, node, data->scratch_tensor_index,\n &scratch_buffer));\n if (IsDynamicTensor(scratch_buffer)) {\n TF_LITE_ENSURE_OK(context,\n ResizeTensor(context, output_shape, scratch_buffer));\n }\n if (data->weights_are_transposed) {\n if (!IsConstantTensor(weights)) {\n ResizeAndTransposeWeights(context, weights, transposed_weights);\n }\n }\n 
EvalQuantized(context, params, data, input, weights,\n transposed_weights, bias, col2im, output,\n scratch_buffer);\n break;\n }\n case kTfLiteInt8: {\n TfLiteTensor* scratch_buffer;\n TF_LITE_ENSURE_OK(\n context, GetTemporarySafe(context, node, data->scratch_tensor_index,\n &scratch_buffer));\n if (IsDynamicTensor(scratch_buffer)) {\n TF_LITE_ENSURE_OK(context,\n ResizeTensor(context, output_shape, scratch_buffer));\n }\n if (data->weights_are_transposed && !IsConstantTensor(weights)) {\n ResizeAndTransposeWeights(context, weights, transposed_weights);\n }\n EvalQuantizedPerChannel(context, params, data, input,\n weights, transposed_weights, bias,\n col2im, output, scratch_buffer);\n break;\n }\n case kTfLiteInt16: {\n TfLiteTensor* scratch_buffer;\n TF_LITE_ENSURE_OK(\n context, GetTemporarySafe(context, node, data->scratch_tensor_index,\n &scratch_buffer));\n if (IsDynamicTensor(scratch_buffer)) {\n TF_LITE_ENSURE_OK(context,\n ResizeTensor(context, output_shape, scratch_buffer));\n }\n if (data->weights_are_transposed && !IsConstantTensor(weights)) {\n ResizeAndTransposeWeights(context, weights, transposed_weights);\n }\n EvalQuantizedPerChannel16x8(context, params, data, input, weights,\n transposed_weights, bias, col2im, output,\n scratch_buffer);\n break;\n }\n default:\n context->ReportError(context, \"Type '%s' is not currently supported.\",\n TfLiteTypeGetName(input->type));\n return kTfLiteError;\n }\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 66934807467757635082995213425103966019, "size": 127, "commit_id": "801c1c6be5324219689c98e1bd3e0ca365ee834d", "message": "Fix another division by 0 in TFLite\n\nPiperOrigin-RevId: 370800181\nChange-Id: I924809166a6131f5075e6d45c455106538d755f9", "target": 0, "dataset": "other", "idx": 265428 }, { "func": "TfLiteStatus Eval(TfLiteContext* context, TfLiteNode* node) {\n OneHotContext op_context{context, node};\n\n if (IsDynamicTensor(op_context.output)) {\n ResizeOutputTensor(context, op_context);\n 
}\n\n switch (op_context.output->type) {\n case kTfLiteFloat32:\n OneHotCompute(op_context);\n break;\n case kTfLiteInt32:\n OneHotCompute(op_context);\n break;\n case kTfLiteInt64:\n OneHotCompute(op_context);\n break;\n case kTfLiteInt8:\n OneHotCompute(op_context);\n break;\n case kTfLiteUInt8:\n OneHotCompute(op_context);\n break;\n case kTfLiteBool:\n OneHotCompute(op_context);\n break;\n default:\n return kTfLiteError;\n }\n\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 236585625066856602455550262825461730049, "size": 32, "commit_id": "3ebedd7e345453d68e279cfc3e4072648e5e12e5", "message": "Prevent division by 0 in OneHot implementation\n\nIf input indices is degenerate, the implementation would do a divide by zero. See https://github.com/tensorflow/tensorflow/blob/745d57df6d5e9bc568666a2a48ed8dd629c27241/tensorflow/lite/kernels/one_hot.cc#L68-L72\n\nPiperOrigin-RevId: 370966870\nChange-Id: Ie018337811c8016b5a1d3a277d00d5f2e19a2058", "target": 0, "dataset": "other", "idx": 267935 }, { "func": "TfLiteStatus Eval(TfLiteContext* context, TfLiteNode* node) {\n auto* params =\n reinterpret_cast(node->builtin_data);\n int axis = params->axis;\n TfLiteTensor* output;\n TF_LITE_ENSURE_OK(context, GetOutputSafe(context, node, 0, &output));\n if (axis < 0) axis += output->dims->size;\n\n// TODO(ahentz): Creating 'all_inputs' below is not very efficient. We should\n// allocate and populate these during Prepare().\n// TODO(ycling): Activation function parameter is ignored. 
For now we don't have\n// a model with a Concatenation with fused activation function.\n#define TF_LITE_CONCATENATION(scalar) \\\n { \\\n VectorOfTensors all_inputs(*context, *node->inputs); \\\n tflite::ConcatenationParams op_params; \\\n op_params.axis = axis; \\\n op_params.inputs_count = node->inputs->size; \\\n if (kernel_type == kReference) { \\\n reference_ops::Concatenation(op_params, all_inputs.shapes(), \\\n all_inputs.data(), GetTensorShape(output), \\\n GetTensorData(output)); \\\n } else { \\\n optimized_ops::Concatenation(op_params, all_inputs.shapes(), \\\n all_inputs.data(), GetTensorShape(output), \\\n GetTensorData(output)); \\\n } \\\n }\n\n#define TF_LITE_CONCATENATION_QUANTIZED() \\\n { \\\n VectorOfQuantizedTensors all_inputs(*context, *node->inputs); \\\n tflite::ConcatenationParams op_params; \\\n op_params.axis = axis; \\\n op_params.input_zeropoint = all_inputs.zero_point(); \\\n op_params.input_scale = all_inputs.scale(); \\\n op_params.inputs_count = node->inputs->size; \\\n op_params.output_zeropoint = output->params.zero_point; \\\n op_params.output_scale = output->params.scale; \\\n if (kernel_type == kReference) { \\\n reference_ops::ConcatenationWithScaling( \\\n op_params, all_inputs.shapes(), all_inputs.data(), \\\n GetTensorShape(output), GetTensorData(output)); \\\n } else { \\\n optimized_ops::ConcatenationWithScaling( \\\n op_params, all_inputs.shapes(), all_inputs.data(), \\\n GetTensorShape(output), GetTensorData(output)); \\\n } \\\n }\n\n switch (output->type) { // Already know in/outtypes are same.\n case kTfLiteFloat32:\n TF_LITE_CONCATENATION(float);\n break;\n case kTfLiteInt32:\n TF_LITE_CONCATENATION(int32);\n break;\n case kTfLiteUInt8:\n TF_LITE_CONCATENATION_QUANTIZED();\n break;\n case kTfLiteInt8:\n TF_LITE_CONCATENATION(int8_t);\n break;\n case kTfLiteInt64:\n TF_LITE_CONCATENATION(int64_t);\n break;\n case kTfLiteInt16:\n TF_LITE_CONCATENATION(int16_t);\n break;\n case kTfLiteBool:\n 
TF_LITE_CONCATENATION(bool);\n break;\n default:\n context->ReportError(context, \"Type '%s' is not supported currently.\",\n TfLiteTypeGetName(output->type));\n return kTfLiteError;\n }\n\n#undef TF_LITE_CONCATENATION_QUANTIZED\n#undef TF_LITE_CONCATENATION\n\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 28666720540575461519673531522758058847, "size": 83, "commit_id": "4253f96a58486ffe84b61c0415bb234a4632ee73", "message": "Fix integer overflow in TFLite concat\n\nPiperOrigin-RevId: 371013841\nChange-Id: I6a4782ce7ca753e23ff31e7fb6aeb7f9d412cd29", "target": 0, "dataset": "other", "idx": 273049 }, { "func": "TfLiteStatus Eval(TfLiteContext* context, TfLiteNode* node, bool is_arg_max) {\n const TfLiteTensor* input;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, kInputTensor, &input));\n const TfLiteTensor* axis;\n TF_LITE_ENSURE_OK(context, GetInputSafe(context, node, kAxis, &axis));\n TfLiteTensor* output;\n TF_LITE_ENSURE_OK(context,\n GetOutputSafe(context, node, kOutputTensor, &output));\n if (IsDynamicTensor(output)) {\n TF_LITE_ENSURE_STATUS(ResizeOutput(context, input, axis, output));\n }\n\n#define TF_LITE_ARG_MIN_MAX(data_type, axis_type, output_type) \\\n optimized_ops::ArgMinMax( \\\n GetTensorShape(input), GetTensorData(input), \\\n GetTensorData(axis), GetTensorShape(output), \\\n GetTensorData(output), is_arg_max)\n if (axis->type == kTfLiteInt32) {\n switch (output->type) {\n case kTfLiteInt32: {\n switch (input->type) {\n case kTfLiteFloat32:\n TF_LITE_ARG_MIN_MAX(float, int32_t, int32_t);\n break;\n case kTfLiteUInt8:\n TF_LITE_ARG_MIN_MAX(uint8_t, int32_t, int32_t);\n break;\n case kTfLiteInt8:\n TF_LITE_ARG_MIN_MAX(int8_t, int32_t, int32_t);\n break;\n case kTfLiteInt32:\n TF_LITE_ARG_MIN_MAX(int32_t, int32_t, int32_t);\n break;\n default:\n context->ReportError(context,\n \"Only float32, uint8, int8 and int32 are \"\n \"supported currently, got %s.\",\n TfLiteTypeGetName(input->type));\n return kTfLiteError;\n }\n } break;\n 
case kTfLiteInt64: {\n switch (input->type) {\n case kTfLiteFloat32:\n TF_LITE_ARG_MIN_MAX(float, int32_t, int64_t);\n break;\n case kTfLiteUInt8:\n TF_LITE_ARG_MIN_MAX(uint8_t, int32_t, int64_t);\n break;\n case kTfLiteInt8:\n TF_LITE_ARG_MIN_MAX(int8_t, int32_t, int64_t);\n break;\n case kTfLiteInt32:\n TF_LITE_ARG_MIN_MAX(int32_t, int32_t, int64_t);\n break;\n default:\n context->ReportError(context,\n \"Only float32, uint8, int8 and int32 are \"\n \"supported currently, got %s.\",\n TfLiteTypeGetName(input->type));\n return kTfLiteError;\n }\n } break;\n default:\n context->ReportError(\n context, \"Only int32 and int64 are supported currently, got %s.\",\n TfLiteTypeGetName(output->type));\n return kTfLiteError;\n }\n } else {\n switch (output->type) {\n case kTfLiteInt32: {\n switch (input->type) {\n case kTfLiteFloat32:\n TF_LITE_ARG_MIN_MAX(float, int64_t, int32_t);\n break;\n case kTfLiteUInt8:\n TF_LITE_ARG_MIN_MAX(uint8_t, int64_t, int32_t);\n break;\n case kTfLiteInt8:\n TF_LITE_ARG_MIN_MAX(int8_t, int64_t, int32_t);\n break;\n case kTfLiteInt32:\n TF_LITE_ARG_MIN_MAX(int32_t, int64_t, int32_t);\n break;\n default:\n context->ReportError(context,\n \"Only float32, uint8, int8 and int32 are \"\n \"supported currently, got %s.\",\n TfLiteTypeGetName(input->type));\n return kTfLiteError;\n }\n } break;\n case kTfLiteInt64: {\n switch (input->type) {\n case kTfLiteFloat32:\n TF_LITE_ARG_MIN_MAX(float, int64_t, int64_t);\n break;\n case kTfLiteUInt8:\n TF_LITE_ARG_MIN_MAX(uint8_t, int64_t, int64_t);\n break;\n case kTfLiteInt8:\n TF_LITE_ARG_MIN_MAX(int8_t, int64_t, int64_t);\n break;\n case kTfLiteInt32:\n TF_LITE_ARG_MIN_MAX(int32_t, int64_t, int64_t);\n break;\n default:\n context->ReportError(context,\n \"Only float32, uint8, int8 and int32 are \"\n \"supported currently, got %s.\",\n TfLiteTypeGetName(input->type));\n return kTfLiteError;\n }\n } break;\n default:\n context->ReportError(\n context, \"Only int32 and int64 are supported currently, got 
%s.\",\n TfLiteTypeGetName(output->type));\n return kTfLiteError;\n }\n }\n#undef TF_LITE_ARG_MIN_MAX\n\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 283596514577462048093885674773113131448, "size": 126, "commit_id": "c59c37e7b2d563967da813fa50fe20b21f4da683", "message": "Prevent array write out-of-bounds.\n\nIf user passes an invalid axis, then we copy one too many dimensions to the output in the loop below these checks. Even if we didn't do that, there will be further issues with an invalid axis, so we check for that right now.\n\nPiperOrigin-RevId: 371023299\nChange-Id: I9eca37ffc2b29e8e48710f500701270ef0790224", "target": 0, "dataset": "other", "idx": 273770 }, { "func": "R_API int r_socket_close (RSocket *s) {\n\treturn -1;\n}", "project": "radare2", "hash": 213972358556761905670593276287266108078, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268837 }, { "func": "R_API int r_socket_close(RSocket *s) {\n\tint ret = false;\n\tif (!s) {\n\t\treturn false;\n\t}\n\tif (s->fd != R_INVALID_SOCKET) {\n#if __UNIX__\n\t\tshutdown (s->fd, SHUT_RDWR);\n#endif\n#if __WINDOWS__\n\t\t// https://msdn.microsoft.com/en-us/library/windows/desktop/ms740481(v=vs.85).aspx\n\t\tshutdown (s->fd, SD_SEND);\n\t\tif (r_socket_ready (s, 0, 250)) {\n\t\t\tdo {\n\t\t\t\tchar buf = 0;\n\t\t\t\tret = recv (s->fd, &buf, 1, 0);\n\t\t\t} while (ret != 0 && ret != SOCKET_ERROR);\n\t\t}\n\t\tret = closesocket (s->fd);\n#else\n\t\tret = close (s->fd);\n#endif\n\t\ts->fd = R_INVALID_SOCKET;\n\t}\n#if HAVE_LIB_SSL\n\tif (s->is_ssl && s->sfd) {\n\t\tSSL_free (s->sfd);\n\t\ts->sfd = NULL;\n\t}\n#endif\n\treturn ret;\n}", "project": "radare2", "hash": 7698250400327171110022105660133684717, "size": 32, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix 
double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268982 }, { "func": "static int nested_svm_exit_handled_msr(struct vcpu_svm *svm)\n{\n\tu32 offset, msr, value;\n\tint write, mask;\n\n\tif (!(svm->nested.intercept & (1ULL << INTERCEPT_MSR_PROT)))\n\t\treturn NESTED_EXIT_HOST;\n\n\tmsr = svm->vcpu.arch.regs[VCPU_REGS_RCX];\n\toffset = svm_msrpm_offset(msr);\n\twrite = svm->vmcb->control.exit_info_1 & 1;\n\tmask = 1 << ((2 * (msr & 0xf)) + write);\n\n\tif (offset == MSR_INVALID)\n\t\treturn NESTED_EXIT_DONE;\n\n\t/* Offset is in 32 bit units but need in 8 bit units */\n\toffset *= 4;\n\n\tif (kvm_vcpu_read_guest(&svm->vcpu, svm->nested.vmcb_msrpm + offset, &value, 4))\n\t\treturn NESTED_EXIT_DONE;\n\n\treturn (value & mask) ? NESTED_EXIT_DONE : NESTED_EXIT_HOST;\n}", "project": "linux", "hash": 249803932338905810676701432512874031763, "size": 24, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432436 }, { "func": "static int nested_svm_exit_handled_msr(struct vcpu_svm *svm)\n{\n\tu32 offset, msr, value;\n\tint write, mask;\n\n\tif (!(svm->nested.intercept & (1ULL << INTERCEPT_MSR_PROT)))\n\t\treturn NESTED_EXIT_HOST;\n\n\tmsr = svm->vcpu.arch.regs[VCPU_REGS_RCX];\n\toffset = svm_msrpm_offset(msr);\n\twrite = svm->vmcb->control.exit_info_1 & 1;\n\tmask = 1 << ((2 * (msr & 0xf)) + write);\n\n\tif (offset == MSR_INVALID)\n\t\treturn NESTED_EXIT_DONE;\n\n\t/* Offset is in 32 bit units but need in 8 bit units */\n\toffset *= 4;\n\n\tif (kvm_read_guest(svm->vcpu.kvm, svm->nested.vmcb_msrpm + offset, &value, 4))\n\t\treturn NESTED_EXIT_DONE;\n\n\treturn (value & mask) ? NESTED_EXIT_DONE : NESTED_EXIT_HOST;\n}", "project": "kvm", "hash": 268559956276204822125056438622749591347, "size": 24, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437616 }, { "func": "static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)\n{\n\tstruct sk_buff *skb;\n\tstruct sadb_msg *hdr;\n\tstruct sadb_sa *sa;\n\tstruct sadb_address *addr;\n\tstruct sadb_x_nat_t_port *n_port;\n\tint sockaddr_size;\n\tint size;\n\t__u8 satype = (x->id.proto == IPPROTO_ESP ? 
SADB_SATYPE_ESP : 0);\n\tstruct xfrm_encap_tmpl *natt = NULL;\n\n\tsockaddr_size = pfkey_sockaddr_size(x->props.family);\n\tif (!sockaddr_size)\n\t\treturn -EINVAL;\n\n\tif (!satype)\n\t\treturn -EINVAL;\n\n\tif (!x->encap)\n\t\treturn -EINVAL;\n\n\tnatt = x->encap;\n\n\t/* Build an SADB_X_NAT_T_NEW_MAPPING message:\n\t *\n\t * HDR | SA | ADDRESS_SRC (old addr) | NAT_T_SPORT (old port) |\n\t * ADDRESS_DST (new addr) | NAT_T_DPORT (new port)\n\t */\n\n\tsize = sizeof(struct sadb_msg) +\n\t\tsizeof(struct sadb_sa) +\n\t\t(sizeof(struct sadb_address) * 2) +\n\t\t(sockaddr_size * 2) +\n\t\t(sizeof(struct sadb_x_nat_t_port) * 2);\n\n\tskb = alloc_skb(size + 16, GFP_ATOMIC);\n\tif (skb == NULL)\n\t\treturn -ENOMEM;\n\n\thdr = skb_put(skb, sizeof(struct sadb_msg));\n\thdr->sadb_msg_version = PF_KEY_V2;\n\thdr->sadb_msg_type = SADB_X_NAT_T_NEW_MAPPING;\n\thdr->sadb_msg_satype = satype;\n\thdr->sadb_msg_len = size / sizeof(uint64_t);\n\thdr->sadb_msg_errno = 0;\n\thdr->sadb_msg_reserved = 0;\n\thdr->sadb_msg_seq = x->km.seq = get_acqseq();\n\thdr->sadb_msg_pid = 0;\n\n\t/* SA */\n\tsa = skb_put(skb, sizeof(struct sadb_sa));\n\tsa->sadb_sa_len = sizeof(struct sadb_sa)/sizeof(uint64_t);\n\tsa->sadb_sa_exttype = SADB_EXT_SA;\n\tsa->sadb_sa_spi = x->id.spi;\n\tsa->sadb_sa_replay = 0;\n\tsa->sadb_sa_state = 0;\n\tsa->sadb_sa_auth = 0;\n\tsa->sadb_sa_encrypt = 0;\n\tsa->sadb_sa_flags = 0;\n\n\t/* ADDRESS_SRC (old addr) */\n\taddr = skb_put(skb, sizeof(struct sadb_address) + sockaddr_size);\n\taddr->sadb_address_len =\n\t\t(sizeof(struct sadb_address)+sockaddr_size)/\n\t\t\tsizeof(uint64_t);\n\taddr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;\n\taddr->sadb_address_proto = 0;\n\taddr->sadb_address_reserved = 0;\n\taddr->sadb_address_prefixlen =\n\t\tpfkey_sockaddr_fill(&x->props.saddr, 0,\n\t\t\t\t (struct sockaddr *) (addr + 1),\n\t\t\t\t x->props.family);\n\tif (!addr->sadb_address_prefixlen)\n\t\tBUG();\n\n\t/* NAT_T_SPORT (old port) */\n\tn_port = skb_put(skb, 
sizeof(*n_port));\n\tn_port->sadb_x_nat_t_port_len = sizeof(*n_port)/sizeof(uint64_t);\n\tn_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;\n\tn_port->sadb_x_nat_t_port_port = natt->encap_sport;\n\tn_port->sadb_x_nat_t_port_reserved = 0;\n\n\t/* ADDRESS_DST (new addr) */\n\taddr = skb_put(skb, sizeof(struct sadb_address) + sockaddr_size);\n\taddr->sadb_address_len =\n\t\t(sizeof(struct sadb_address)+sockaddr_size)/\n\t\t\tsizeof(uint64_t);\n\taddr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;\n\taddr->sadb_address_proto = 0;\n\taddr->sadb_address_reserved = 0;\n\taddr->sadb_address_prefixlen =\n\t\tpfkey_sockaddr_fill(ipaddr, 0,\n\t\t\t\t (struct sockaddr *) (addr + 1),\n\t\t\t\t x->props.family);\n\tif (!addr->sadb_address_prefixlen)\n\t\tBUG();\n\n\t/* NAT_T_DPORT (new port) */\n\tn_port = skb_put(skb, sizeof(*n_port));\n\tn_port->sadb_x_nat_t_port_len = sizeof(*n_port)/sizeof(uint64_t);\n\tn_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;\n\tn_port->sadb_x_nat_t_port_port = sport;\n\tn_port->sadb_x_nat_t_port_reserved = 0;\n\n\treturn pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,\n\t\t\t xs_net(x));\n}", "project": "linux", "hash": 82419796565948202713813550611721144197, "size": 108, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268103 }, { "func": "\tPrivmsg(User* source, const User* targetuser, const std::string& text, MessageType mt = MSG_PRIVMSG)\n\t\t: ClientProtocol::Message(CommandStrFromMsgType(mt), source)\n\t{\n\t\tPushTargetUser(targetuser);\n\t\tPushParam(text);\n\t}", "project": "inspircd", "hash": 104386601708451295155449663797399571209, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273235 }, { "func": "\tvoid PushTargetUser(const User* targetuser)\n\t{\n\t\tif (targetuser->registered & REG_NICK)\n\t\t\tPushParamRef(targetuser->nick);\n\t\telse\n\t\t\tPushParam(\"*\");\n\t}", "project": "inspircd", "hash": 134927806254294330822647829259665359471, "size": 7, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273244 }, { "func": "\tPrivmsg(NoCopy, User* source, const User* targetuser, const std::string& text, MessageType mt = MSG_PRIVMSG)\n\t\t: ClientProtocol::Message(CommandStrFromMsgType(mt), source)\n\t{\n\t\tPushTargetUser(targetuser);\n\t\tPushParamRef(text);\n\t}", "project": "inspircd", "hash": 187593327630165330144794831998270543359, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273254 }, { "func": "\tPrivmsg(const std::string& source, const User* targetuser, const std::string& text, MessageType mt = MSG_PRIVMSG)\n\t\t: ClientProtocol::Message(CommandStrFromMsgType(mt), source)\n\t{\n\t\tPushTargetUser(targetuser);\n\t\tPushParam(text);\n\t}", "project": 
"inspircd", "hash": 80240476290220270622164456521596733780, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273260 }, { "func": "\tPrivmsg(NoCopy, const std::string& source, const User* targetuser, const std::string& text, MessageType mt = MSG_PRIVMSG)\n\t\t: ClientProtocol::Message(CommandStrFromMsgType(mt), source)\n\t{\n\t\tPushTargetUser(targetuser);\n\t\tPushParamRef(text);\n\t}", "project": "inspircd", "hash": 251990835793875729560371405952355568578, "size": 6, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273268 }, { "func": "static void ov51x_upload_quan_tables(struct sd *sd)\n{\n\tstatic const unsigned char yQuanTable511[] = {\n\t\t0, 1, 1, 2, 2, 3, 3, 4,\n\t\t1, 1, 1, 2, 2, 3, 4, 4,\n\t\t1, 1, 2, 2, 3, 4, 4, 4,\n\t\t2, 2, 2, 3, 4, 4, 4, 4,\n\t\t2, 2, 3, 4, 4, 5, 5, 5,\n\t\t3, 3, 4, 4, 5, 5, 5, 5,\n\t\t3, 4, 4, 4, 5, 5, 5, 5,\n\t\t4, 4, 4, 4, 5, 5, 5, 5\n\t};\n\n\tstatic const unsigned char uvQuanTable511[] = {\n\t\t0, 2, 2, 3, 4, 4, 4, 4,\n\t\t2, 2, 2, 4, 4, 4, 4, 4,\n\t\t2, 2, 3, 4, 4, 4, 4, 4,\n\t\t3, 4, 4, 4, 4, 4, 4, 4,\n\t\t4, 4, 4, 4, 4, 4, 4, 4,\n\t\t4, 4, 4, 4, 4, 4, 4, 4,\n\t\t4, 4, 4, 4, 4, 4, 4, 4,\n\t\t4, 4, 4, 4, 4, 4, 4, 4\n\t};\n\n\t/* OV518 quantization tables are 8x4 (instead of 8x8) */\n\tstatic const unsigned char yQuanTable518[] = {\n\t\t5, 4, 5, 6, 6, 7, 7, 7,\n\t\t5, 5, 5, 5, 6, 7, 7, 7,\n\t\t6, 6, 6, 6, 7, 7, 7, 8,\n\t\t7, 7, 6, 7, 7, 7, 8, 8\n\t};\n\tstatic const unsigned char uvQuanTable518[] = {\n\t\t6, 6, 6, 7, 7, 7, 7, 7,\n\t\t6, 6, 6, 7, 7, 7, 7, 7,\n\t\t6, 6, 6, 7, 7, 7, 7, 8,\n\t\t7, 7, 7, 7, 7, 7, 8, 8\n\t};\n\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tconst unsigned char *pYTable, *pUVTable;\n\tunsigned char val0, val1;\n\tint i, size, reg = 
R51x_COMP_LUT_BEGIN;\n\n\tgspca_dbg(gspca_dev, D_PROBE, \"Uploading quantization tables\\n\");\n\n\tif (sd->bridge == BRIDGE_OV511 || sd->bridge == BRIDGE_OV511PLUS) {\n\t\tpYTable = yQuanTable511;\n\t\tpUVTable = uvQuanTable511;\n\t\tsize = 32;\n\t} else {\n\t\tpYTable = yQuanTable518;\n\t\tpUVTable = uvQuanTable518;\n\t\tsize = 16;\n\t}\n\n\tfor (i = 0; i < size; i++) {\n\t\tval0 = *pYTable++;\n\t\tval1 = *pYTable++;\n\t\tval0 &= 0x0f;\n\t\tval1 &= 0x0f;\n\t\tval0 |= val1 << 4;\n\t\treg_w(sd, reg, val0);\n\n\t\tval0 = *pUVTable++;\n\t\tval1 = *pUVTable++;\n\t\tval0 &= 0x0f;\n\t\tval1 &= 0x0f;\n\t\tval0 |= val1 << 4;\n\t\treg_w(sd, reg + size, val0);\n\n\t\treg++;\n\t}\n}", "project": "linux", "hash": 131076237406949043342130890714639917611, "size": 73, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306321 }, { "func": "int JOIN::save_explain_data_intern(Explain_query *output, \n bool need_tmp_table_arg,\n bool need_order_arg, bool distinct_arg, \n const char *message)\n{\n JOIN *join= this; /* Legacy: this code used to be a non-member function */\n DBUG_ENTER(\"JOIN::save_explain_data_intern\");\n DBUG_PRINT(\"info\", (\"Select %p, type %s, message %s\",\n\t\t join->select_lex, join->select_lex->type,\n\t\t message ? 
message : \"NULL\"));\n DBUG_ASSERT(have_query_plan == QEP_AVAILABLE);\n /* fake_select_lex is created/printed by Explain_union */\n DBUG_ASSERT(join->select_lex != join->unit->fake_select_lex);\n\n /* There should be no attempts to save query plans for merged selects */\n DBUG_ASSERT(!join->select_lex->master_unit()->derived ||\n join->select_lex->master_unit()->derived->is_materialized_derived() ||\n join->select_lex->master_unit()->derived->is_with_table());\n\n /* Don't log this into the slow query log */\n\n if (message)\n {\n if (!(explain= new (output->mem_root)\n Explain_select(output->mem_root,\n thd->lex->analyze_stmt)))\n DBUG_RETURN(1);\n#ifndef DBUG_OFF\n explain->select_lex= select_lex;\n#endif\n join->select_lex->set_explain_type(true);\n\n explain->select_id= join->select_lex->select_number;\n explain->select_type= join->select_lex->type;\n explain->linkage= select_lex->linkage;\n explain->using_temporary= need_tmp;\n explain->using_filesort= need_order_arg;\n /* Setting explain->message means that all other members are invalid */\n explain->message= message;\n\n if (select_lex->master_unit()->derived)\n explain->connection_type= Explain_node::EXPLAIN_NODE_DERIVED;\n if (save_agg_explain_data(this, explain))\n DBUG_RETURN(1);\n\n output->add_node(explain);\n }\n else if (pushdown_query)\n {\n if (!(explain= new (output->mem_root)\n Explain_select(output->mem_root,\n thd->lex->analyze_stmt)))\n DBUG_RETURN(1);\n select_lex->set_explain_type(true);\n\n explain->select_id= select_lex->select_number;\n explain->select_type= select_lex->type;\n explain->linkage= select_lex->linkage;\n explain->using_temporary= need_tmp;\n explain->using_filesort= need_order_arg;\n explain->message= \"Storage engine handles GROUP BY\";\n\n if (select_lex->master_unit()->derived)\n explain->connection_type= Explain_node::EXPLAIN_NODE_DERIVED;\n output->add_node(explain);\n }\n else\n {\n Explain_select *xpl_sel;\n explain= xpl_sel= \n new (output->mem_root) 
Explain_select(output->mem_root, \n thd->lex->analyze_stmt);\n if (!explain)\n DBUG_RETURN(1);\n\n table_map used_tables=0;\n\n join->select_lex->set_explain_type(true);\n xpl_sel->select_id= join->select_lex->select_number;\n xpl_sel->select_type= join->select_lex->type;\n xpl_sel->linkage= select_lex->linkage;\n xpl_sel->is_lateral= ((select_lex->linkage == DERIVED_TABLE_TYPE) &&\n (select_lex->uncacheable & UNCACHEABLE_DEPENDENT));\n if (select_lex->master_unit()->derived)\n xpl_sel->connection_type= Explain_node::EXPLAIN_NODE_DERIVED;\n \n if (save_agg_explain_data(this, xpl_sel))\n DBUG_RETURN(1);\n\n xpl_sel->exec_const_cond= exec_const_cond;\n xpl_sel->outer_ref_cond= outer_ref_cond;\n xpl_sel->pseudo_bits_cond= pseudo_bits_cond;\n if (tmp_having)\n xpl_sel->having= tmp_having;\n else\n xpl_sel->having= having;\n xpl_sel->having_value= having_value;\n\n JOIN_TAB* const first_top_tab= join->first_breadth_first_tab();\n JOIN_TAB* prev_bush_root_tab= NULL;\n\n Explain_basic_join *cur_parent= xpl_sel;\n \n for (JOIN_TAB *tab= first_explain_order_tab(join); tab;\n tab= next_explain_order_tab(join, tab))\n {\n JOIN_TAB *saved_join_tab= NULL;\n TABLE *cur_table= tab->table;\n\n /* Don't show eliminated tables */\n if (cur_table->map & join->eliminated_tables)\n {\n used_tables|= cur_table->map;\n continue;\n }\n\n\n Explain_table_access *eta= (new (output->mem_root)\n Explain_table_access(output->mem_root));\n\n if (!eta)\n DBUG_RETURN(1);\n if (tab->bush_root_tab != prev_bush_root_tab)\n {\n if (tab->bush_root_tab)\n {\n /* \n We've entered an SJ-Materialization nest. Create an object for it.\n */\n if (!(cur_parent=\n new (output->mem_root) Explain_basic_join(output->mem_root)))\n DBUG_RETURN(1);\n\n JOIN_TAB *first_child= tab->bush_root_tab->bush_children->start;\n cur_parent->select_id=\n first_child->emb_sj_nest->sj_subq_pred->get_identifier();\n }\n else\n {\n /* \n We've just left an SJ-Materialization nest. 
We are at the join tab\n that 'embeds the nest'\n */\n DBUG_ASSERT(tab->bush_children);\n eta->sjm_nest= cur_parent;\n cur_parent= xpl_sel;\n }\n }\n prev_bush_root_tab= tab->bush_root_tab;\n\n cur_parent->add_table(eta, output);\n if (tab->save_explain_data(eta, used_tables, distinct_arg, first_top_tab))\n DBUG_RETURN(1);\n\n if (saved_join_tab)\n tab= saved_join_tab;\n\n // For next iteration\n used_tables|= cur_table->map;\n }\n output->add_node(xpl_sel);\n }\n\n for (SELECT_LEX_UNIT *tmp_unit= join->select_lex->first_inner_unit();\n tmp_unit;\n tmp_unit= tmp_unit->next_unit())\n {\n /* \n Display subqueries only if \n (1) they are not parts of ON clauses that were eliminated by table \n elimination.\n (2) they are not merged derived tables\n (3) they are not hanging CTEs (they are needed for execution)\n */\n if (!(tmp_unit->item && tmp_unit->item->eliminated) && // (1)\n (!tmp_unit->derived ||\n tmp_unit->derived->is_materialized_derived()) && // (2)\n (!tmp_unit->with_element ||\n (tmp_unit->derived &&\n tmp_unit->derived->derived_result &&\n !tmp_unit->with_element->is_hanging_recursive()))) // (3)\n {\n explain->add_child(tmp_unit->first_select()->select_number);\n }\n }\n\n if (select_lex->is_top_level_node())\n output->query_plan_ready();\n\n DBUG_RETURN(0);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 259542002022222038619915141784023735636, "size": 191, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508738 }, { "func": "static void fuse_writepages_send(struct fuse_fill_wb_data *data)\n{\n\tstruct fuse_writepage_args *wpa = data->wpa;\n\tstruct inode *inode = data->inode;\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\tint num_pages = wpa->ia.ap.num_pages;\n\tint i;\n\n\twpa->ia.ff = fuse_file_get(data->ff);\n\tspin_lock(&fi->lock);\n\tlist_add_tail(&wpa->queue_entry, &fi->queued_writes);\n\tfuse_flush_writepages(inode);\n\tspin_unlock(&fi->lock);\n\n\tfor (i = 0; i < num_pages; i++)\n\t\tend_page_writeback(data->orig_pages[i]);\n}", "project": "linux", "hash": 70357023048142339159246167421213656988, "size": 17, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342143 }, { "func": "static int avic_update_access_page(struct kvm *kvm, bool activate)\n{\n\tint ret = 0;\n\n\tmutex_lock(&kvm->slots_lock);\n\t/*\n\t * During kvm_destroy_vm(), kvm_pit_set_reinject() could trigger\n\t * APICv mode change, which update APIC_ACCESS_PAGE_PRIVATE_MEMSLOT\n\t * memory region. So, we need to ensure that kvm->mm == current->mm.\n\t */\n\tif ((kvm->arch.apic_access_page_done == activate) ||\n\t (kvm->mm != current->mm))\n\t\tgoto out;\n\n\tret = __x86_set_memory_region(kvm,\n\t\t\t\t APIC_ACCESS_PAGE_PRIVATE_MEMSLOT,\n\t\t\t\t APIC_DEFAULT_PHYS_BASE,\n\t\t\t\t activate ? PAGE_SIZE : 0);\n\tif (ret)\n\t\tgoto out;\n\n\tkvm->arch.apic_access_page_done = activate;\nout:\n\tmutex_unlock(&kvm->slots_lock);\n\treturn ret;\n}", "project": "linux", "hash": 157794681911344803472852456800821274418, "size": 26, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432405 }, { "func": "pb_istream_t pb_istream_from_buffer(const pb_byte_t *buf, size_t msglen)\n{\n pb_istream_t stream;\n /* Cast away the const from buf without a compiler error. 
We are\n * careful to use it only in a const manner in the callbacks.\n */\n union {\n void *state;\n const void *c_state;\n } state;\n#ifdef PB_BUFFER_ONLY\n stream.callback = NULL;\n#else\n stream.callback = &buf_read;\n#endif\n state.c_state = buf;\n stream.state = state.state;\n stream.bytes_left = msglen;\n#ifndef PB_NO_ERRMSG\n stream.errmsg = NULL;\n#endif\n return stream;\n}", "project": "nanopb", "hash": 119139206311509270080019536424959641705, "size": 23, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. 
Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254696 }, { "func": "pb_istream_t pb_istream_from_buffer(uint8_t *buf, size_t bufsize)\n{\n pb_istream_t stream;\n#ifdef PB_BUFFER_ONLY\n stream.callback = NULL;\n#else\n stream.callback = &buf_read;\n#endif\n stream.state = buf;\n stream.bytes_left = bufsize;\n#ifndef PB_NO_ERRMSG\n stream.errmsg = NULL;\n#endif\n return stream;\n}", "project": "nanopb", "hash": 17703642829184458412560921730642804716, "size": 15, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255344 }, { "func": "static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\tvoid *sent;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);\n\tif (!sent)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tif (!status) {\n\t\t__u8 param = *((__u8 *) sent);\n\n\t\tif (param == AUTH_ENABLED)\n\t\t\tset_bit(HCI_AUTH, &hdev->flags);\n\t\telse\n\t\t\tclear_bit(HCI_AUTH, &hdev->flags);\n\t}\n\n\tif (hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tmgmt_auth_enable_complete(hdev, status);\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 279622209137981810238494722738823116837, "size": 27, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431919 }, { "func": "int kvm_write_guest_offset_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,\n\t\t\t\t void *data, unsigned int offset,\n\t\t\t\t unsigned long len)\n{\n\tstruct kvm_memslots *slots = kvm_memslots(kvm);\n\tint r;\n\tgpa_t gpa = ghc->gpa + offset;\n\n\tBUG_ON(len + offset > ghc->len);\n\n\tif (slots->generation != ghc->generation) {\n\t\tif (__kvm_gfn_to_hva_cache_init(slots, ghc, ghc->gpa, ghc->len))\n\t\t\treturn -EFAULT;\n\t}\n\n\tif (kvm_is_error_hva(ghc->hva))\n\t\treturn -EFAULT;\n\n\tif (unlikely(!ghc->memslot))\n\t\treturn kvm_write_guest(kvm, gpa, data, len);\n\n\tr = __copy_to_user((void __user *)ghc->hva + offset, data, len);\n\tif (r)\n\t\treturn -EFAULT;\n\tmark_page_dirty_in_slot(ghc->memslot, gpa >> PAGE_SHIFT);\n\n\treturn 0;\n}", "project": "linux", "hash": 29596039071073147543087601249453643970, "size": 28, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354636 }, { "func": "int 
kvm_write_guest_offset_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,\n\t\t\t\t void *data, unsigned int offset,\n\t\t\t\t unsigned long len)\n{\n\tstruct kvm_memslots *slots = kvm_memslots(kvm);\n\tint r;\n\tgpa_t gpa = ghc->gpa + offset;\n\n\tBUG_ON(len + offset > ghc->len);\n\n\tif (slots->generation != ghc->generation) {\n\t\tif (__kvm_gfn_to_hva_cache_init(slots, ghc, ghc->gpa, ghc->len))\n\t\t\treturn -EFAULT;\n\t}\n\n\tif (kvm_is_error_hva(ghc->hva))\n\t\treturn -EFAULT;\n\n\tif (unlikely(!ghc->memslot))\n\t\treturn kvm_write_guest(kvm, gpa, data, len);\n\n\tr = __copy_to_user((void __user *)ghc->hva + offset, data, len);\n\tif (r)\n\t\treturn -EFAULT;\n\tmark_page_dirty_in_slot(kvm, ghc->memslot, gpa >> PAGE_SHIFT);\n\n\treturn 0;\n}", "project": "linux", "hash": 183597604946247846989718505499719926137, "size": 28, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404090 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "bool BlobURLRequestJob::ReadRawData(net::IOBuffer* dest,\n int dest_size,\n int* bytes_read) {\n DCHECK_NE(dest_size, 0);\n DCHECK(bytes_read);\n DCHECK_GE(remaining_bytes_, 0);\n\n if (error_) {\n *bytes_read = 0;\n return true;\n }\n\n if (remaining_bytes_ < dest_size)\n dest_size = static_cast(remaining_bytes_);\n\n if (!dest_size) {\n *bytes_read = 0;\n return true;\n }\n\n DCHECK(!read_buf_);\n read_buf_ = dest;\n read_buf_offset_ = 0;\n read_buf_size_ = dest_size;\n read_buf_remaining_bytes_ = dest_size;\n\n return ReadLoop(bytes_read);\n}\n", "cwe": "", "big_vul_idx": 106424, "idx": 95575, "hash": 150849546399000452089091594844805915019 }, { "func": "bool checkreturn pb_decode_noinit(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)\n{\n uint32_t fields_seen[(PB_MAX_REQUIRED_FIELDS + 31) / 32] = {0, 0};\n const uint32_t allbits = ~(uint32_t)0;\n uint32_t extension_range_start = 0;\n pb_field_iter_t iter;\n\n /* 'fixed_count_field' and 'fixed_count_size' track position of a repeated fixed\n * count field. 
This can only handle _one_ repeated fixed count field that\n * is unpacked and unordered among other (non repeated fixed count) fields.\n */\n const pb_field_t *fixed_count_field = NULL;\n pb_size_t fixed_count_size = 0;\n\n /* Return value ignored, as empty message types will be correctly handled by\n * pb_field_iter_find() anyway. */\n (void)pb_field_iter_begin(&iter, fields, dest_struct);\n\n while (stream->bytes_left)\n {\n uint32_t tag;\n pb_wire_type_t wire_type;\n bool eof;\n\n if (!pb_decode_tag(stream, &wire_type, &tag, &eof))\n {\n if (eof)\n break;\n else\n return false;\n }\n\n if (!pb_field_iter_find(&iter, tag))\n {\n /* No match found, check if it matches an extension. */\n if (tag >= extension_range_start)\n {\n if (!find_extension_field(&iter))\n extension_range_start = (uint32_t)-1;\n else\n extension_range_start = iter.pos->tag;\n\n if (tag >= extension_range_start)\n {\n size_t pos = stream->bytes_left;\n\n if (!decode_extension(stream, tag, wire_type, &iter))\n return false;\n\n if (pos != stream->bytes_left)\n {\n /* The field was handled */\n continue;\n }\n }\n }\n\n /* No match found, skip data */\n if (!pb_skip_field(stream, wire_type))\n return false;\n continue;\n }\n\n /* If a repeated fixed count field was found, get size from\n * 'fixed_count_field' as there is no counter contained in the struct.\n */\n if (PB_HTYPE(iter.pos->type) == PB_HTYPE_REPEATED\n && iter.pSize == iter.pData)\n {\n if (fixed_count_field != iter.pos) {\n /* If the new fixed count field does not match the previous one,\n * check that the previous one is NULL or that it finished\n * receiving all the expected data.\n */\n if (fixed_count_field != NULL &&\n fixed_count_size != fixed_count_field->array_size)\n {\n PB_RETURN_ERROR(stream, \"wrong size for fixed count field\");\n }\n\n fixed_count_field = iter.pos;\n fixed_count_size = 0;\n }\n\n iter.pSize = &fixed_count_size;\n }\n\n if (PB_HTYPE(iter.pos->type) == PB_HTYPE_REQUIRED\n && iter.required_field_index < 
PB_MAX_REQUIRED_FIELDS)\n {\n uint32_t tmp = ((uint32_t)1 << (iter.required_field_index & 31));\n fields_seen[iter.required_field_index >> 5] |= tmp;\n }\n\n if (!decode_field(stream, wire_type, &iter))\n return false;\n }\n\n /* Check that all elements of the last decoded fixed count field were present. */\n if (fixed_count_field != NULL &&\n fixed_count_size != fixed_count_field->array_size)\n {\n PB_RETURN_ERROR(stream, \"wrong size for fixed count field\");\n }\n\n /* Check that all required fields were present. */\n {\n /* First figure out the number of required fields by\n * seeking to the end of the field array. Usually we\n * are already close to end after decoding.\n */\n unsigned req_field_count;\n pb_type_t last_type;\n unsigned i;\n do {\n req_field_count = iter.required_field_index;\n last_type = iter.pos->type;\n } while (pb_field_iter_next(&iter));\n \n /* Fixup if last field was also required. */\n if (PB_HTYPE(last_type) == PB_HTYPE_REQUIRED && iter.pos->tag != 0)\n req_field_count++;\n \n if (req_field_count > PB_MAX_REQUIRED_FIELDS)\n req_field_count = PB_MAX_REQUIRED_FIELDS;\n\n if (req_field_count > 0)\n {\n /* Check the whole words */\n for (i = 0; i < (req_field_count >> 5); i++)\n {\n if (fields_seen[i] != allbits)\n PB_RETURN_ERROR(stream, \"missing required field\");\n }\n \n /* Check the remaining bits (if any) */\n if ((req_field_count & 31) != 0)\n {\n if (fields_seen[req_field_count >> 5] !=\n (allbits >> (32 - (req_field_count & 31))))\n {\n PB_RETURN_ERROR(stream, \"missing required field\");\n }\n }\n }\n }\n \n return true;\n}", "project": "nanopb", "hash": 217861995960351886769383834029584598503, "size": 149, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252503 }, { "func": "bool checkreturn pb_decode_noinit(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)\n{\n uint8_t 
fields_seen[(PB_MAX_REQUIRED_FIELDS + 7) / 8] = {0, 0, 0, 0, 0, 0, 0, 0};\n uint32_t extension_range_start = 0;\n pb_field_iterator_t iter;\n \n pb_field_init(&iter, fields, dest_struct);\n \n while (stream->bytes_left)\n {\n uint32_t tag;\n pb_wire_type_t wire_type;\n bool eof;\n \n if (!pb_decode_tag(stream, &wire_type, &tag, &eof))\n {\n if (eof)\n break;\n else\n return false;\n }\n \n if (!pb_field_find(&iter, tag))\n {\n /* No match found, check if it matches an extension. */\n if (tag >= extension_range_start)\n {\n if (!find_extension_field(&iter))\n extension_range_start = (uint32_t)-1;\n else\n extension_range_start = iter.pos->tag;\n \n if (tag >= extension_range_start)\n {\n size_t pos = stream->bytes_left;\n \n if (!decode_extension(stream, tag, wire_type, &iter))\n return false;\n \n if (pos != stream->bytes_left)\n {\n /* The field was handled */\n continue; \n }\n }\n }\n \n /* No match found, skip data */\n if (!pb_skip_field(stream, wire_type))\n return false;\n continue;\n }\n \n if (PB_HTYPE(iter.pos->type) == PB_HTYPE_REQUIRED\n && iter.required_field_index < PB_MAX_REQUIRED_FIELDS)\n {\n fields_seen[iter.required_field_index >> 3] |= (uint8_t)(1 << (iter.required_field_index & 7));\n }\n \n if (!decode_field(stream, wire_type, &iter))\n return false;\n }\n \n /* Check that all required fields were present. */\n {\n /* First figure out the number of required fields by\n * seeking to the end of the field array. Usually we\n * are already close to end after decoding.\n */\n unsigned req_field_count;\n pb_type_t last_type;\n unsigned i;\n do {\n req_field_count = iter.required_field_index;\n last_type = iter.pos->type;\n } while (pb_field_next(&iter));\n \n /* Fixup if last field was also required. 
*/\n if (PB_HTYPE(last_type) == PB_HTYPE_REQUIRED && iter.pos->tag != 0)\n req_field_count++;\n \n /* Check the whole bytes */\n for (i = 0; i < (req_field_count >> 3); i++)\n {\n if (fields_seen[i] != 0xFF)\n PB_RETURN_ERROR(stream, \"missing required field\");\n }\n \n /* Check the remaining bits */\n if (fields_seen[req_field_count >> 3] != (0xFF >> (8 - (req_field_count & 7))))\n PB_RETURN_ERROR(stream, \"missing required field\");\n }\n \n return true;\n}", "project": "nanopb", "hash": 148903095891672077434801331197916985114, "size": 95, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255336 }, { "func": "bool CClient::OnPongMessage(CMessage& Message) {\n // Block PONGs, we already responded to the pings\n return true;\n}", "project": "znc", "hash": 333392986423364100716710998126121803301, "size": 4, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231548 }, { "func": "int fuse_open_common(struct inode *inode, struct file *file, bool isdir)\n{\n\tstruct fuse_mount *fm = get_fuse_mount(inode);\n\tstruct fuse_conn *fc = fm->fc;\n\tint err;\n\tbool is_wb_truncate = (file->f_flags & O_TRUNC) &&\n\t\t\t fc->atomic_o_trunc &&\n\t\t\t fc->writeback_cache;\n\tbool dax_truncate = (file->f_flags & O_TRUNC) &&\n\t\t\t fc->atomic_o_trunc && FUSE_IS_DAX(inode);\n\n\tif (fuse_is_bad(inode))\n\t\treturn -EIO;\n\n\terr = generic_file_open(inode, file);\n\tif (err)\n\t\treturn err;\n\n\tif (is_wb_truncate || dax_truncate) {\n\t\tinode_lock(inode);\n\t\tfuse_set_nowrite(inode);\n\t}\n\n\tif (dax_truncate) {\n\t\tdown_write(&get_fuse_inode(inode)->i_mmap_sem);\n\t\terr = fuse_dax_break_layouts(inode, 0, 0);\n\t\tif (err)\n\t\t\tgoto out;\n\t}\n\n\terr = fuse_do_open(fm, get_node_id(inode), file, isdir);\n\tif (!err)\n\t\tfuse_finish_open(inode, 
file);\n\nout:\n\tif (dax_truncate)\n\t\tup_write(&get_fuse_inode(inode)->i_mmap_sem);\n\n\tif (is_wb_truncate | dax_truncate) {\n\t\tfuse_release_nowrite(inode);\n\t\tinode_unlock(inode);\n\t}\n\n\treturn err;\n}", "project": "linux", "hash": 190718308052304227674619135395425706983, "size": 45, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342016 }, { "func": "static int sctp_setsockopt_deactivate_key(struct sock *sk,\n\t\t\t\t\t struct sctp_authkeyid *val,\n\t\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_endpoint *ep = sctp_sk(sk)->ep;\n\tstruct sctp_association *asoc;\n\tint ret = 0;\n\n\tif (optlen != sizeof(struct sctp_authkeyid))\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, val->scact_assoc_id);\n\tif (!asoc && val->scact_assoc_id > SCTP_ALL_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc)\n\t\treturn sctp_auth_deact_key_id(ep, asoc, val->scact_keynumber);\n\n\tif (sctp_style(sk, TCP))\n\t\tval->scact_assoc_id = SCTP_FUTURE_ASSOC;\n\n\tif (val->scact_assoc_id == SCTP_FUTURE_ASSOC ||\n\t val->scact_assoc_id == SCTP_ALL_ASSOC) {\n\t\tret = 
sctp_auth_deact_key_id(ep, asoc, val->scact_keynumber);\n\t\tif (ret)\n\t\t\treturn ret;\n\t}\n\n\tif (val->scact_assoc_id == SCTP_CURRENT_ASSOC ||\n\t val->scact_assoc_id == SCTP_ALL_ASSOC) {\n\t\tlist_for_each_entry(asoc, &ep->asocs, asocs) {\n\t\t\tint res = sctp_auth_deact_key_id(ep, asoc,\n\t\t\t\t\t\t\t val->scact_keynumber);\n\n\t\t\tif (res && !ret)\n\t\t\t\tret = res;\n\t\t}\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 228757686152149619818862681289095619305, "size": 42, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398077 }, { "func": "OPJ_BOOL opj_j2k_end_compress(opj_j2k_t *p_j2k,\n opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager)\n{\n /* customization of the encoding */\n if (! opj_j2k_setup_end_compress(p_j2k, p_manager)) {\n return OPJ_FALSE;\n }\n\n if (! 
opj_j2k_exec(p_j2k, p_j2k->m_procedure_list, p_stream, p_manager)) {\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 98360745065090099217685565782672581454, "size": 15, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357377 }, { "func": "static int nfs4_proc_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)\n{\n\tint error;\n\n\tnfs_fattr_init(fsinfo->fattr);\n\terror = nfs4_do_fsinfo(server, fhandle, fsinfo);\n\tif (error == 0) {\n\t\t/* block layout checks this! */\n\t\tserver->pnfs_blksize = fsinfo->blksize;\n\t\tset_pnfs_layoutdriver(server, fhandle, fsinfo);\n\t}\n\n\treturn error;\n}", "project": "linux", "hash": 62123179804544651248866797387559953541, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431225 }, { "func": "void scale_rect(double factor_x, double factor_y, int blend, int interpolate, int Bpp,\n char *src_fb, int src_bytes_per_line, char *dst_fb, int dst_bytes_per_line,\n int Nx, int Ny, int nx, int ny, int X1, int Y1, int X2, int Y2, int mark) {\n/*\n * Notation:\n * \"i\" an x pixel index in the destination (scaled) framebuffer\n * \"j\" a y pixel index in the destination (scaled) framebuffer\n * \"I\" an x pixel index in the source (un-scaled, i.e. main) framebuffer\n * \"J\" a y pixel index in the source (un-scaled, i.e. main) framebuffer\n *\n * Similarly for nx, ny, Nx, Ny, etc. 
Lowercase: dest, Uppercase: source.\n */\n\tint i, j, i1, i2, j1, j2;\t/* indices for scaled fb (dest) */\n\tint I, J, I1, I2, J1, J2;\t/* indices for main fb (source) */\n\n\tdouble w, wx, wy, wtot;\t/* pixel weights */\n\n\tdouble x1, y1, x2, y2;\t/* x-y coords for destination pixels edges */\n\tdouble dx, dy;\t\t/* size of destination pixel */\n\tdouble ddx=0, ddy=0;\t/* for interpolation expansion */\n\n\tchar *src, *dest;\t/* pointers to the two framebuffers */\n\n\n\tunsigned short us = 0;\n\tunsigned char uc = 0;\n\tunsigned int ui = 0;\n\n\tint use_noblend_shortcut = 1;\n\tint shrink;\t\t/* whether shrinking or expanding */\n\tstatic int constant_weights = -1, mag_int = -1;\n\tstatic int last_Nx = -1, last_Ny = -1, cnt = 0;\n\tstatic double last_factor = -1.0;\n\tint b, k;\n\tdouble pixave[4];\t/* for averaging pixel values */\n\n\tif (factor_x <= 1.0 && factor_y <= 1.0) {\n\t\tshrink = 1;\n\t} else {\n\t\tshrink = 0;\n\t}\n\n\t/*\n\t * N.B. width and height (real numbers) of a scaled pixel.\n\t * both are > 1 (e.g. 1.333 for -scale 3/4)\n\t * they should also be equal but we don't assume it.\n\t *\n\t * This new way is probably the best we can do, take the inverse\n\t * of the scaling factor to double precision.\n\t */\n\tdx = 1.0/factor_x;\n\tdy = 1.0/factor_y;\n\n\t/*\n\t * There is some speedup if the pixel weights are constant, so\n\t * let's special case these.\n\t *\n\t * If scale = 1/n and n divides Nx and Ny, the pixel weights\n\t * are constant (e.g. 
1/2 => equal on 2x2 square).\n\t */\n\tif (factor_x != last_factor || Nx != last_Nx || Ny != last_Ny) {\n\t\tconstant_weights = -1;\n\t\tmag_int = -1;\n\t\tlast_Nx = Nx;\n\t\tlast_Ny = Ny;\n\t\tlast_factor = factor_x;\n\t}\n\tif (constant_weights < 0 && factor_x != factor_y) {\n\t\tconstant_weights = 0;\n\t\tmag_int = 0;\n\n\t} else if (constant_weights < 0) {\n\t\tint n = 0;\n\n\t\tconstant_weights = 0;\n\t\tmag_int = 0;\n\n\t\tfor (i = 2; i<=128; i++) {\n\t\t\tdouble test = ((double) 1)/ i;\n\t\t\tdouble diff, eps = 1.0e-7;\n\t\t\tdiff = factor_x - test;\n\t\t\tif (-eps < diff && diff < eps) {\n\t\t\t\tn = i;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (! blend || ! shrink || interpolate) {\n\t\t\t;\n\t\t} else if (n != 0) {\n\t\t\tif (Nx % n == 0 && Ny % n == 0) {\n\t\t\t\tstatic int didmsg = 0;\n\t\t\t\tif (mark && ! didmsg) {\n\t\t\t\t\tdidmsg = 1;\n\t\t\t\t\trfbLog(\"scale_and_mark_rect: using \"\n\t\t\t\t\t \"constant pixel weight speedup \"\n\t\t\t\t\t \"for 1/%d\\n\", n);\n\t\t\t\t}\n\t\t\t\tconstant_weights = 1;\n\t\t\t}\n\t\t}\n\n\t\tn = 0;\n\t\tfor (i = 2; i<=32; i++) {\n\t\t\tdouble test = (double) i;\n\t\t\tdouble diff, eps = 1.0e-7;\n\t\t\tdiff = factor_x - test;\n\t\t\tif (-eps < diff && diff < eps) {\n\t\t\t\tn = i;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (! 
blend && factor_x > 1.0 && n) {\n\t\t\tmag_int = n;\n\t\t}\n\t}\n\n\tif (mark && factor_x > 1.0 && blend) {\n\t\t/*\n\t\t * kludge: correct for interpolating blurring leaking\n\t\t * up or left 1 destination pixel.\n\t\t */\n\t\tif (X1 > 0) X1--;\n\t\tif (Y1 > 0) Y1--;\n\t}\n\n\t/*\n\t * find the extent of the change the input rectangle induces in\n\t * the scaled framebuffer.\n\t */\n\n\t/* Left edges: find largest i such that i * dx <= X1 */\n\ti1 = FLOOR(X1/dx);\n\n\t/* Right edges: find smallest i such that (i+1) * dx >= X2+1 */\n\ti2 = CEIL( (X2+1)/dx ) - 1;\n\n\t/* To be safe, correct any overflows: */\n\ti1 = nfix(i1, nx);\n\ti2 = nfix(i2, nx) + 1;\t/* add 1 to make a rectangle upper boundary */\n\n\t/* Repeat above for y direction: */\n\tj1 = FLOOR(Y1/dy);\n\tj2 = CEIL( (Y2+1)/dy ) - 1;\n\n\tj1 = nfix(j1, ny);\n\tj2 = nfix(j2, ny) + 1;\n\n\t/*\n\t * special case integer magnification with no blending.\n\t * vision impaired magnification usage is interested in this case.\n\t */\n\tif (mark && ! blend && mag_int && Bpp != 3) {\n\t\tint jmin, jmax, imin, imax;\n\n\t\t/* outer loop over *source* pixels */\n\t\tfor (J=Y1; J < Y2; J++) {\n\t\t jmin = J * mag_int;\n\t\t jmax = jmin + mag_int;\n\t\t for (I=X1; I < X2; I++) {\n\t\t\t/* extract value */\n\t\t\tsrc = src_fb + J*src_bytes_per_line + I*Bpp;\n\t\t\tif (Bpp == 4) {\n\t\t\t\tui = *((unsigned int *)src);\n\t\t\t} else if (Bpp == 2) {\n\t\t\t\tus = *((unsigned short *)src);\n\t\t\t} else if (Bpp == 1) {\n\t\t\t\tuc = *((unsigned char *)src);\n\t\t\t}\n\t\t\timin = I * mag_int;\n\t\t\timax = imin + mag_int;\n\t\t\t/* inner loop over *dest* pixels */\n\t\t\tfor (j=jmin; j Ny - 1) {\n\t\t\t/* can go over with dy = 1/scale_fac */\n\t\t\ty1 = Ny - 1;\n\t\t}\n\t\ty2 = y1 + dy;\t/* bottom edge */\n\n\t\t/* Find main fb indices covered by this dest pixel: */\n\t\tJ1 = (int) FLOOR(y1);\n\t\tJ1 = nfix(J1, Ny);\n\n\t\tif (shrink && ! 
interpolate) {\n\t\t\tJ2 = (int) CEIL(y2) - 1;\n\t\t\tJ2 = nfix(J2, Ny);\n\t\t} else {\n\t\t\tJ2 = J1 + 1;\t/* simple interpolation */\n\t\t\tddy = y1 - J1;\n\t\t}\n\n\t\t/* destination char* pointer: */\n\t\tdest = dst_fb + j*dst_bytes_per_line + i1*Bpp;\n\t\t\n\t\tfor (i=i1; i Nx - 1) {\n\t\t\t\t/* can go over with dx = 1/scale_fac */\n\t\t\t\tx1 = Nx - 1;\n\t\t\t}\n\t\t\tx2 = x1 + dx;\t/* right edge */\n\n\t\t\tcnt++;\n\n\t\t\t/* Find main fb indices covered by this dest pixel: */\n\t\t\tI1 = (int) FLOOR(x1);\n\t\t\tif (I1 >= Nx) I1 = Nx - 1;\n\n\t\t\tif (! blend && use_noblend_shortcut) {\n\t\t\t\t/*\n\t\t\t\t * The noblend case involves no weights,\n\t\t\t\t * and 1 pixel, so just copy the value\n\t\t\t\t * directly.\n\t\t\t\t */\n\t\t\t\tsrc = src_fb + J1*src_bytes_per_line + I1*Bpp;\n\t\t\t\tif (Bpp == 4) {\n\t\t\t\t\t*((unsigned int *)dest)\n\t\t\t\t\t = *((unsigned int *)src);\n\t\t\t\t} else if (Bpp == 2) {\n\t\t\t\t\t*((unsigned short *)dest)\n\t\t\t\t\t = *((unsigned short *)src);\n\t\t\t\t} else if (Bpp == 1) {\n\t\t\t\t\t*(dest) = *(src);\n\t\t\t\t} else if (Bpp == 3) {\n\t\t\t\t\t/* rare case */\n\t\t\t\t\tfor (k=0; k<=2; k++) {\n\t\t\t\t\t\t*(dest+k) = *(src+k);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tdest += Bpp;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\t\n\t\t\tif (shrink && ! 
interpolate) {\n\t\t\t\tI2 = (int) CEIL(x2) - 1;\n\t\t\t\tif (I2 >= Nx) I2 = Nx - 1;\n\t\t\t} else {\n\t\t\t\tI2 = I1 + 1;\t/* simple interpolation */\n\t\t\t\tddx = x1 - I1;\n\t\t\t}\n\n\t\t\t/* Zero out accumulators for next pixel average: */\n\t\t\tfor (b=0; b<4; b++) {\n\t\t\t\tpixave[b] = 0.0; /* for RGB weighted sums */\n\t\t\t}\n\n\t\t\t/*\n\t\t\t * wtot is for accumulating the total weight.\n\t\t\t * It should always sum to 1/(scale_fac * scale_fac).\n\t\t\t */\n\t\t\twtot = 0.0;\n\n\t\t\t/*\n\t\t\t * Loop over source pixels covered by this dest pixel.\n\t\t\t * \n\t\t\t * These \"extra\" loops over \"J\" and \"I\" make\n\t\t\t * the cache/cacheline performance unclear.\n\t\t\t * For example, will the data brought in from\n\t\t\t * src for j, i, and J=0 still be in the cache\n\t\t\t * after the J > 0 data have been accessed and\n\t\t\t * we are at j, i+1, J=0? The stride in J is\n\t\t\t * main_bytes_per_line, and so ~4 KB.\n\t\t\t *\n\t\t\t * Typical case when shrinking are 2x2 loop, so\n\t\t\t * just two lines to worry about.\n\t\t\t */\n\t\t\tfor (J=J1; J<=J2; J++) {\n\t\t\t /* see comments for I, x1, x2, etc. below */\n\t\t\t if (constant_weights) {\n\t\t\t\t;\n\t\t\t } else if (! blend) {\n\t\t\t\tif (J != J1) {\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t\twy = 1.0;\n\n\t\t\t\t/* interpolation scheme: */\n\t\t\t } else if (! shrink || interpolate) {\n\t\t\t\tif (J >= Ny) {\n\t\t\t\t\tcontinue;\n\t\t\t\t} else if (J == J1) {\n\t\t\t\t\twy = 1.0 - ddy;\n\t\t\t\t} else if (J != J1) {\n\t\t\t\t\twy = ddy;\n\t\t\t\t}\n\n\t\t\t\t/* integration scheme: */\n\t\t\t } else if (J < y1) {\n\t\t\t\twy = J+1 - y1;\n\t\t\t } else if (J+1 > y2) {\n\t\t\t\twy = y2 - J;\n\t\t\t } else {\n\t\t\t\twy = 1.0;\n\t\t\t }\n\n\t\t\t src = src_fb + J*src_bytes_per_line + I1*Bpp;\n\n\t\t\t for (I=I1; I<=I2; I++) {\n\n\t\t\t\t/* Work out the weight: */\n\n\t\t\t\tif (constant_weights) {\n\t\t\t\t\t;\n\t\t\t\t} else if (! 
blend) {\n\t\t\t\t\t/*\n\t\t\t\t\t * Ugh, PseudoColor colormap is\n\t\t\t\t\t * bad news, to avoid random\n\t\t\t\t\t * colors just take the first\n\t\t\t\t\t * pixel. Or user may have\n\t\t\t\t\t * specified :nb to fraction.\n\t\t\t\t\t * The :fb will force blending\n\t\t\t\t\t * for this case.\n\t\t\t\t\t */\n\t\t\t\t\tif (I != I1) {\n\t\t\t\t\t\tcontinue;\n\t\t\t\t\t}\n\t\t\t\t\twx = 1.0;\n\n\t\t\t\t\t/* interpolation scheme: */\n\t\t\t\t} else if (! shrink || interpolate) {\n\t\t\t\t\tif (I >= Nx) {\n\t\t\t\t\t\tcontinue;\t/* off edge */\n\t\t\t\t\t} else if (I == I1) {\n\t\t\t\t\t\twx = 1.0 - ddx;\n\t\t\t\t\t} else if (I != I1) {\n\t\t\t\t\t\twx = ddx;\n\t\t\t\t\t}\n\n\t\t\t\t\t/* integration scheme: */\n\t\t\t\t} else if (I < x1) {\n\t\t\t\t\t/* \n\t\t\t\t\t * source left edge (I) to the\n\t\t\t\t\t * left of dest left edge (x1):\n\t\t\t\t\t * fractional weight\n\t\t\t\t\t */\n\t\t\t\t\twx = I+1 - x1;\n\t\t\t\t} else if (I+1 > x2) {\n\t\t\t\t\t/* \n\t\t\t\t\t * source right edge (I+1) to the\n\t\t\t\t\t * right of dest right edge (x2):\n\t\t\t\t\t * fractional weight\n\t\t\t\t\t */\n\t\t\t\t\twx = x2 - I;\n\t\t\t\t} else {\n\t\t\t\t\t/* \n\t\t\t\t\t * source edges (I and I+1) completely\n\t\t\t\t\t * inside dest edges (x1 and x2):\n\t\t\t\t\t * full weight\n\t\t\t\t\t */\n\t\t\t\t\twx = 1.0;\n\t\t\t\t}\n\n\t\t\t\tw = wx * wy;\n\t\t\t\twtot += w;\n\n\t\t\t\t/* \n\t\t\t\t * We average the unsigned char value\n\t\t\t\t * instead of char value: otherwise\n\t\t\t\t * the minimum (char 0) is right next\n\t\t\t\t * to the maximum (char -1)! 
This way\n\t\t\t\t * they are spread between 0 and 255.\n\t\t\t\t */\n\t\t\t\tif (Bpp == 4) {\n\t\t\t\t\t/* unroll the loops, can give 20% */\n\t\t\t\t\tpixave[0] += w * ((unsigned char) *(src ));\n\t\t\t\t\tpixave[1] += w * ((unsigned char) *(src+1));\n\t\t\t\t\tpixave[2] += w * ((unsigned char) *(src+2));\n\t\t\t\t\tpixave[3] += w * ((unsigned char) *(src+3));\n\t\t\t\t} else if (Bpp == 2) {\n\t\t\t\t\t/*\n\t\t\t\t\t * 16bpp: trickier with green\n\t\t\t\t\t * split over two bytes, so we\n\t\t\t\t\t * use the masks:\n\t\t\t\t\t */\n\t\t\t\t\tus = *((unsigned short *) src);\n\t\t\t\t\tpixave[0] += w*(us & main_red_mask);\n\t\t\t\t\tpixave[1] += w*(us & main_green_mask);\n\t\t\t\t\tpixave[2] += w*(us & main_blue_mask);\n\t\t\t\t} else if (Bpp == 1) {\n\t\t\t\t\tpixave[0] += w *\n\t\t\t\t\t ((unsigned char) *(src));\n\t\t\t\t} else {\n\t\t\t\t\tfor (b=0; b= MAX_LENGTH_OF_LONG - 1) {\n if (len == MAX_LENGTH_OF_LONG - 1) {\n int cmp = strcmp(p + (neg ? 1 : 0), long_min_digits);\n if (!(cmp < 0 || (cmp == 0 && neg))) {\n bigint = true;\n }\n } else {\n bigint = true;\n }\n }\n\n if (bigint) {\n if (!(options & k_JSON_BIGINT_AS_STRING)) {\n // See KindOfDouble (below)\n z = to_double(buf);\n } else {\n z = copy_and_clear(buf);\n }\n } else {\n z = fast_strtoll_base10(buf.data());\n }\n return;\n }\n\n case KindOfDouble:\n // Use zend_strtod() instead of strtod() here since JSON specifies using\n // a '.' 
for decimal separators regardless of locale.\n z = to_double(buf);\n return;\n\n case KindOfString:\n z = copy_and_clear(buf);\n return;\n\n case KindOfUninit:\n case KindOfNull:\n case KindOfPersistentString:\n case KindOfPersistentDArray:\n case KindOfDArray:\n case KindOfPersistentVArray:\n case KindOfVArray:\n case KindOfPersistentArray:\n case KindOfArray:\n case KindOfPersistentVec:\n case KindOfVec:\n case KindOfPersistentDict:\n case KindOfDict:\n case KindOfPersistentKeyset:\n case KindOfKeyset:\n case KindOfObject:\n case KindOfResource:\n case KindOfFunc:\n case KindOfClass:\n case KindOfClsMeth:\n case KindOfRecord:\n z = uninit_null();\n return;\n }\n not_reached();\n}", "project": "hhvm", "hash": 4258503486100927537184384078087402250, "size": 80, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227289 }, { "func": "static inline void __flush_cpu_slab(struct kmem_cache *s, int cpu)\n{\n\tstruct kmem_cache_cpu *c = per_cpu_ptr(s->cpu_slab, cpu);\n\n\tif (c->page)\n\t\tflush_slab(s, c);\n\n\tunfreeze_partials(s, c);\n}", "project": "linux", "hash": 189831734059899164725501925224570560419, "size": 9, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280177 }, { "func": "static ssize_t free_calls_show(struct kmem_cache *s, char *buf)\n{\n\tif (!(s->flags & SLAB_STORE_USER))\n\t\treturn -ENOSYS;\n\treturn list_locations(s, buf, TRACK_FREE);\n}", "project": "linux", "hash": 35178514390654892325992161353083165867, "size": 6, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280097 }, { "func": "static int on_freelist(struct kmem_cache *s, struct page *page, void *search)\n{\n\tint nr = 0;\n\tvoid *fp;\n\tvoid *object = NULL;\n\tint max_objects;\n\n\tfp = page->freelist;\n\twhile (fp && nr <= page->objects) {\n\t\tif (fp == search)\n\t\t\treturn 1;\n\t\tif (!check_valid_pointer(s, page, fp)) {\n\t\t\tif (object) {\n\t\t\t\tobject_err(s, page, object,\n\t\t\t\t\t\"Freechain corrupt\");\n\t\t\t\tset_freepointer(s, object, NULL);\n\t\t\t} else {\n\t\t\t\tslab_err(s, page, \"Freepointer corrupt\");\n\t\t\t\tpage->freelist = NULL;\n\t\t\t\tpage->inuse = page->objects;\n\t\t\t\tslab_fix(s, \"Freelist cleared\");\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t\tobject = fp;\n\t\tfp = get_freepointer(s, object);\n\t\tnr++;\n\t}\n\n\tmax_objects = order_objects(compound_order(page), s->size);\n\tif (max_objects > MAX_OBJS_PER_PAGE)\n\t\tmax_objects = MAX_OBJS_PER_PAGE;\n\n\tif (page->objects != max_objects) {\n\t\tslab_err(s, page, \"Wrong number of objects. Found %d but should be %d\",\n\t\t\t page->objects, max_objects);\n\t\tpage->objects = max_objects;\n\t\tslab_fix(s, \"Number of objects adjusted.\");\n\t}\n\tif (page->inuse != page->objects - nr) {\n\t\tslab_err(s, page, \"Wrong object count. 
Counter is %d but counted were %d\",\n\t\t\t page->inuse, page->objects - nr);\n\t\tpage->inuse = page->objects - nr;\n\t\tslab_fix(s, \"Object count adjusted.\");\n\t}\n\treturn search == NULL;\n}", "project": "linux", "hash": 17744736136833344457556995364228571093, "size": 48, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280241 }, { "func": "int bcf_enc_vint(kstring_t *s, int n, int32_t *a, int wsize)\n{\n int32_t max = INT32_MIN, min = INT32_MAX;\n int i;\n if (n <= 0) bcf_enc_size(s, 0, BCF_BT_NULL);\n else if (n == 1) bcf_enc_int1(s, a[0]);\n else {\n if (wsize <= 0) wsize = n;\n for (i = 0; i < n; ++i) {\n if (a[i] == bcf_int32_missing || a[i] == bcf_int32_vector_end ) continue;\n if (max < a[i]) max = a[i];\n if (min > a[i]) min = a[i];\n }\n if (max <= BCF_MAX_BT_INT8 && min >= BCF_MIN_BT_INT8) {\n bcf_enc_size(s, wsize, BCF_BT_INT8);\n for (i = 0; i < n; ++i)\n if ( a[i]==bcf_int32_vector_end ) kputc(bcf_int8_vector_end, s);\n else if ( a[i]==bcf_int32_missing ) kputc(bcf_int8_missing, s);\n else kputc(a[i], s);\n } else if (max <= BCF_MAX_BT_INT16 && min >= BCF_MIN_BT_INT16) {\n uint8_t *p;\n bcf_enc_size(s, wsize, BCF_BT_INT16);\n ks_resize(s, s->l + n * sizeof(int16_t));\n p = (uint8_t *) s->s + 
s->l;\n for (i = 0; i < n; ++i)\n {\n int16_t x;\n if ( a[i]==bcf_int32_vector_end ) x = bcf_int16_vector_end;\n else if ( a[i]==bcf_int32_missing ) x = bcf_int16_missing;\n else x = a[i];\n i16_to_le(x, p);\n p += sizeof(int16_t);\n }\n s->l += n * sizeof(int16_t);\n } else {\n uint8_t *p;\n bcf_enc_size(s, wsize, BCF_BT_INT32);\n ks_resize(s, s->l + n * sizeof(int32_t));\n p = (uint8_t *) s->s + s->l;\n for (i = 0; i < n; ++i) {\n i32_to_le(a[i], p);\n p += sizeof(int32_t);\n }\n s->l += n * sizeof(int32_t);\n }\n }\n\n return 0; // FIXME: check for errs in this function\n}", "project": "htslib", "hash": 337653159884733784137559751425513225880, "size": 49, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402247 }, { "func": "static void kvm_destroy_vm(struct kvm *kvm)\n{\n\tint i;\n\tstruct mm_struct *mm = kvm->mm;\n\n\tkvm_uevent_notify_change(KVM_EVENT_DESTROY_VM, kvm);\n\tkvm_destroy_vm_debugfs(kvm);\n\tkvm_arch_sync_events(kvm);\n\tmutex_lock(&kvm_lock);\n\tlist_del(&kvm->vm_list);\n\tmutex_unlock(&kvm_lock);\n\tkvm_arch_pre_destroy_vm(kvm);\n\n\tkvm_free_irq_routing(kvm);\n\tfor (i = 0; i < KVM_NR_BUSES; i++) {\n\t\tstruct kvm_io_bus *bus = kvm_get_bus(kvm, i);\n\n\t\tif (bus)\n\t\t\tkvm_io_bus_destroy(bus);\n\t\tkvm->buses[i] = NULL;\n\t}\n\tkvm_coalesced_mmio_free(kvm);\n#if defined(CONFIG_MMU_NOTIFIER) && defined(KVM_ARCH_WANT_MMU_NOTIFIER)\n\tmmu_notifier_unregister(&kvm->mmu_notifier, kvm->mm);\n#else\n\tkvm_arch_flush_shadow_all(kvm);\n#endif\n\tkvm_arch_destroy_vm(kvm);\n\tkvm_destroy_devices(kvm);\n\tfor (i = 0; 
i < KVM_ADDRESS_SPACE_NUM; i++)\n\t\tkvm_free_memslots(kvm, __kvm_memslots(kvm, i));\n\tcleanup_srcu_struct(&kvm->irq_srcu);\n\tcleanup_srcu_struct(&kvm->srcu);\n\tkvm_arch_free_vm(kvm);\n\tpreempt_notifier_dec();\n\thardware_disable_all();\n\tmmdrop(mm);\n}", "project": "linux", "hash": 80475832577748454265963840273473935838, "size": 38, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354718 }, { "func": "static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)\n{\n\tstruct nf_conn_synproxy *synproxy = nfct_synproxy(ct);\n\tstruct nlattr *nest_parms;\n\n\tif (!synproxy)\n\t\treturn 0;\n\n\tnest_parms = nla_nest_start(skb, CTA_SYNPROXY);\n\tif (!nest_parms)\n\t\tgoto nla_put_failure;\n\n\tif (nla_put_be32(skb, CTA_SYNPROXY_ISN, htonl(synproxy->isn)) ||\n\t nla_put_be32(skb, CTA_SYNPROXY_ITS, htonl(synproxy->its)) ||\n\t nla_put_be32(skb, CTA_SYNPROXY_TSOFF, htonl(synproxy->tsoff)))\n\t\tgoto nla_put_failure;\n\n\tnla_nest_end(skb, nest_parms);\n\n\treturn 0;\n\nnla_put_failure:\n\treturn -1;\n}", "project": "linux", "hash": 110690939415400682844420746580644391493, "size": 24, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. 
So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394191 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " void EnterEndOfStreamState() {\n scoped_refptr video_frame;\n VideoDecoder::DecoderStatus status;\n Read(&status, &video_frame);\n EXPECT_EQ(status, VideoDecoder::kOk);\n ASSERT_TRUE(video_frame);\n EXPECT_TRUE(video_frame->IsEndOfStream());\n }\n", "cwe": "", "big_vul_idx": 113339, "idx": 101631, "hash": 301961414915255213393718135118043766636 }, { "project": "Chrome", "commit_id": "a5333583f14284a411abac2fef7caed889a8bba3", "target": 0, "func": "void 
EmbeddedWorkerContextClient::workerContextFailedToStart() {\n DCHECK(main_thread_proxy_->RunsTasksOnCurrentThread());\n DCHECK(!script_context_);\n\n RenderThreadImpl::current()->embedded_worker_dispatcher()->\n WorkerContextDestroyed(embedded_worker_id_);\n}\n", "cwe": "", "big_vul_idx": 121735, "idx": 109025, "hash": 180679682142517140795398398937009244939 }, { "func": "bool CClient::OnTopicMessage(CTopicMessage& Message) {\n bool bReturn = false;\n CString sChan = Message.GetTarget();\n CString sTopic = Message.GetTopic();\n if (m_pNetwork) {\n // May be nullptr.\n Message.SetChan(m_pNetwork->FindChan(sChan));\n }\n\n if (!sTopic.empty()) {\n NETWORKMODULECALL(OnUserTopicMessage(Message), m_pUser, m_pNetwork,\n this, &bReturn);\n } else {\n NETWORKMODULECALL(OnUserTopicRequest(sChan), m_pUser, m_pNetwork, this,\n &bReturn);\n Message.SetTarget(sChan);\n }\n\n return bReturn;\n}", "project": "znc", "hash": 295805505719272341777088119781534178679, "size": 20, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231598 }, { "func": "static void __tty_hangup(struct tty_struct *tty, int exit_session)\n{\n\tstruct file *cons_filp = NULL;\n\tstruct file *filp, *f = NULL;\n\tstruct tty_file_private *priv;\n\tint closecount = 0, n;\n\tint refs;\n\n\tif (!tty)\n\t\treturn;\n\n\n\tspin_lock(&redirect_lock);\n\tif (redirect && file_tty(redirect) == tty) {\n\t\tf = redirect;\n\t\tredirect = NULL;\n\t}\n\tspin_unlock(&redirect_lock);\n\n\ttty_lock(tty);\n\n\tif (test_bit(TTY_HUPPED, &tty->flags)) {\n\t\ttty_unlock(tty);\n\t\treturn;\n\t}\n\n\t/*\n\t * Some console devices aren't actually hung up for technical and\n\t * historical reasons, which can lead to indefinite interruptible\n\t * sleep in n_tty_read(). 
The following explicitly tells\n\t * n_tty_read() to abort readers.\n\t */\n\tset_bit(TTY_HUPPING, &tty->flags);\n\n\t/* inuse_filps is protected by the single tty lock,\n\t this really needs to change if we want to flush the\n\t workqueue with the lock held */\n\tcheck_tty_count(tty, \"tty_hangup\");\n\n\tspin_lock(&tty->files_lock);\n\t/* This breaks for file handles being sent over AF_UNIX sockets ? */\n\tlist_for_each_entry(priv, &tty->tty_files, list) {\n\t\tfilp = priv->file;\n\t\tif (filp->f_op->write == redirected_tty_write)\n\t\t\tcons_filp = filp;\n\t\tif (filp->f_op->write != tty_write)\n\t\t\tcontinue;\n\t\tclosecount++;\n\t\t__tty_fasync(-1, filp, 0);\t/* can't block */\n\t\tfilp->f_op = &hung_up_tty_fops;\n\t}\n\tspin_unlock(&tty->files_lock);\n\n\trefs = tty_signal_session_leader(tty, exit_session);\n\t/* Account for the p->signal references we killed */\n\twhile (refs--)\n\t\ttty_kref_put(tty);\n\n\ttty_ldisc_hangup(tty, cons_filp != NULL);\n\n\tspin_lock_irq(&tty->ctrl_lock);\n\tclear_bit(TTY_THROTTLED, &tty->flags);\n\tclear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);\n\tput_pid(tty->session);\n\tput_pid(tty->pgrp);\n\ttty->session = NULL;\n\ttty->pgrp = NULL;\n\ttty->ctrl_status = 0;\n\tspin_unlock_irq(&tty->ctrl_lock);\n\n\t/*\n\t * If one of the devices matches a console pointer, we\n\t * cannot just call hangup() because that will cause\n\t * tty->count and state->count to go out of sync.\n\t * So we just call close() the right number of times.\n\t */\n\tif (cons_filp) {\n\t\tif (tty->ops->close)\n\t\t\tfor (n = 0; n < closecount; n++)\n\t\t\t\ttty->ops->close(tty, cons_filp);\n\t} else if (tty->ops->hangup)\n\t\ttty->ops->hangup(tty);\n\t/*\n\t * We don't want to have driver/ldisc interactions beyond the ones\n\t * we did here. 
The driver layer expects no calls after ->hangup()\n\t * from the ldisc side, which is now guaranteed.\n\t */\n\tset_bit(TTY_HUPPED, &tty->flags);\n\tclear_bit(TTY_HUPPING, &tty->flags);\n\ttty_unlock(tty);\n\n\tif (f)\n\t\tfput(f);\n}", "project": "linux", "hash": 8683562260226360233714755744192366895, "size": 94, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326041 }, { "func": "static void svm_flush_tlb(struct kvm_vcpu *vcpu, bool invalidate_gpa)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (static_cpu_has(X86_FEATURE_FLUSHBYASID))\n\t\tsvm->vmcb->control.tlb_ctl = TLB_CONTROL_FLUSH_ASID;\n\telse\n\t\tsvm->asid_generation--;\n}", "project": "linux", "hash": 78033825216762240500151937247027554440, "size": 9, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432529 }, { "func": "static void svm_flush_tlb(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (static_cpu_has(X86_FEATURE_FLUSHBYASID))\n\t\tsvm->vmcb->control.tlb_ctl = TLB_CONTROL_FLUSH_ASID;\n\telse\n\t\tsvm->asid_generation--;\n}", "project": "kvm", "hash": 262955374425820426129190551151513118715, "size": 9, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437593 }, { "func": "static void virtual_update_register_offsets(u32 *regs,\n\t\t\t\t\t struct intel_engine_cs *engine)\n{\n\tset_offsets(regs, reg_offsets(engine), engine);\n}", "project": "linux", "hash": 257157188342395422837323272269354900196, "size": 5, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281536 }, { "func": "static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events,\n\t\t int maxevents, long timeout)\n{\n\tint res = 0, eavail, timed_out = 0;\n\tu64 slack = 0;\n\twait_queue_entry_t wait;\n\tktime_t expires, *to = NULL;\n\n\tlockdep_assert_irqs_enabled();\n\n\tif (timeout > 0) {\n\t\tstruct timespec64 end_time = ep_set_mstimeout(timeout);\n\n\t\tslack = select_estimate_accuracy(&end_time);\n\t\tto = &expires;\n\t\t*to = timespec64_to_ktime(end_time);\n\t} else if (timeout == 0) {\n\t\t/*\n\t\t * Avoid the unnecessary trip to the wait queue loop, if the\n\t\t * caller specified a non blocking operation. We still need\n\t\t * lock because we could race and not see an epi being added\n\t\t * to the ready list while in irq callback. Thus incorrectly\n\t\t * returning 0 back to userspace.\n\t\t */\n\t\ttimed_out = 1;\n\n\t\twrite_lock_irq(&ep->lock);\n\t\teavail = ep_events_available(ep);\n\t\twrite_unlock_irq(&ep->lock);\n\n\t\tgoto send_events;\n\t}\n\nfetch_events:\n\n\tif (!ep_events_available(ep))\n\t\tep_busy_loop(ep, timed_out);\n\n\teavail = ep_events_available(ep);\n\tif (eavail)\n\t\tgoto send_events;\n\n\t/*\n\t * Busy poll timed out. Drop NAPI ID for now, we can add\n\t * it back in when we have moved a socket with a valid NAPI\n\t * ID onto the ready list.\n\t */\n\tep_reset_busy_poll_napi_id(ep);\n\n\tdo {\n\t\t/*\n\t\t * Internally init_wait() uses autoremove_wake_function(),\n\t\t * thus wait entry is removed from the wait queue on each\n\t\t * wakeup. Why it is important? 
In case of several waiters\n\t\t * each new wakeup will hit the next waiter, giving it the\n\t\t * chance to harvest new event. Otherwise wakeup can be\n\t\t * lost. This is also good performance-wise, because on\n\t\t * normal wakeup path no need to call __remove_wait_queue()\n\t\t * explicitly, thus ep->lock is not taken, which halts the\n\t\t * event delivery.\n\t\t */\n\t\tinit_wait(&wait);\n\n\t\twrite_lock_irq(&ep->lock);\n\t\t/*\n\t\t * Barrierless variant, waitqueue_active() is called under\n\t\t * the same lock on wakeup ep_poll_callback() side, so it\n\t\t * is safe to avoid an explicit barrier.\n\t\t */\n\t\t__set_current_state(TASK_INTERRUPTIBLE);\n\n\t\t/*\n\t\t * Do the final check under the lock. ep_scan_ready_list()\n\t\t * plays with two lists (->rdllist and ->ovflist) and there\n\t\t * is always a race when both lists are empty for short\n\t\t * period of time although events are pending, so lock is\n\t\t * important.\n\t\t */\n\t\teavail = ep_events_available(ep);\n\t\tif (!eavail) {\n\t\t\tif (signal_pending(current))\n\t\t\t\tres = -EINTR;\n\t\t\telse\n\t\t\t\t__add_wait_queue_exclusive(&ep->wq, &wait);\n\t\t}\n\t\twrite_unlock_irq(&ep->lock);\n\n\t\tif (eavail || res)\n\t\t\tbreak;\n\n\t\tif (!schedule_hrtimeout_range(to, slack, HRTIMER_MODE_ABS)) {\n\t\t\ttimed_out = 1;\n\t\t\tbreak;\n\t\t}\n\n\t\t/* We were woken up, thus go and try to harvest some events */\n\t\teavail = 1;\n\n\t} while (0);\n\n\t__set_current_state(TASK_RUNNING);\n\n\tif (!list_empty_careful(&wait.entry)) {\n\t\twrite_lock_irq(&ep->lock);\n\t\t__remove_wait_queue(&ep->wq, &wait);\n\t\twrite_unlock_irq(&ep->lock);\n\t}\n\nsend_events:\n\tif (fatal_signal_pending(current)) {\n\t\t/*\n\t\t * Always short-circuit for fatal signals to allow\n\t\t * threads to make a timely exit without the chance of\n\t\t * finding more events available and fetching\n\t\t * repeatedly.\n\t\t */\n\t\tres = -EINTR;\n\t}\n\t/*\n\t * Try to transfer events to user space. 
In case we get 0 events and\n\t * there's still timeout left over, we go trying again in search of\n\t * more luck.\n\t */\n\tif (!res && eavail &&\n\t !(res = ep_send_events(ep, events, maxevents)) && !timed_out)\n\t\tgoto fetch_events;\n\n\treturn res;\n}", "project": "linux", "hash": 79168841784260917377301738833845084359, "size": 129, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336256 }, { "func": "static __poll_t input_proc_devices_poll(struct file *file, poll_table *wait)\n{\n\tpoll_wait(file, &input_devices_poll_wait, wait);\n\tif (file->f_version != input_devices_state) {\n\t\tfile->f_version = input_devices_state;\n\t\treturn EPOLLIN | EPOLLRDNORM;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 77054298316944008838236904895728404555, "size": 10, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353324 }, { "func": "static int sctp_getsockopt_interleaving_supported(struct sock *sk, int len,\n\t\t\t\t\t\t char __user *optval,\n\t\t\t\t\t\t int __user *optlen)\n{\n\tstruct sctp_assoc_value params;\n\tstruct sctp_association *asoc;\n\tint retval = -EFAULT;\n\n\tif (len < sizeof(params)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tlen = sizeof(params);\n\tif (copy_from_user(¶ms, optval, len))\n\t\tgoto out;\n\n\tasoc = sctp_id2assoc(sk, params.assoc_id);\n\tif (!asoc && params.assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP)) {\n\t\tretval = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tparams.assoc_value = asoc ? asoc->peer.intl_capable\n\t\t\t\t : sctp_sk(sk)->ep->intl_enable;\n\n\tif (put_user(len, optlen))\n\t\tgoto out;\n\n\tif (copy_to_user(optval, ¶ms, len))\n\t\tgoto out;\n\n\tretval = 0;\n\nout:\n\treturn retval;\n}", "project": "linux", "hash": 297690030196428518468512055340541258321, "size": 38, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398076 }, { "func": "static void virtual_submit_request(struct i915_request *rq)\n{\n\tstruct virtual_engine *ve = to_virtual_engine(rq->engine);\n\tstruct i915_request *old;\n\tunsigned long flags;\n\n\tGEM_TRACE(\"%s: rq=%llx:%lld\\n\",\n\t\t ve->base.name,\n\t\t rq->fence.context,\n\t\t rq->fence.seqno);\n\n\tGEM_BUG_ON(ve->base.submit_request != virtual_submit_request);\n\n\tspin_lock_irqsave(&ve->base.active.lock, flags);\n\n\told = ve->request;\n\tif (old) { /* background completion event from preempt-to-busy */\n\t\tGEM_BUG_ON(!i915_request_completed(old));\n\t\t__i915_request_submit(old);\n\t\ti915_request_put(old);\n\t}\n\n\tif (i915_request_completed(rq)) {\n\t\t__i915_request_submit(rq);\n\n\t\tve->base.execlists.queue_priority_hint = INT_MIN;\n\t\tve->request = NULL;\n\t} else {\n\t\tve->base.execlists.queue_priority_hint = rq_prio(rq);\n\t\tve->request = i915_request_get(rq);\n\n\t\tGEM_BUG_ON(!list_empty(virtual_queue(ve)));\n\t\tlist_move_tail(&rq->sched.link, virtual_queue(ve));\n\n\t\ttasklet_schedule(&ve->base.execlists.tasklet);\n\t}\n\n\tspin_unlock_irqrestore(&ve->base.active.lock, flags);\n}", "project": "linux", "hash": 310697712315449491531028826832502040935, "size": 39, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU 
state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281521 }, { "func": "int ecryptfs_new_file_context(struct dentry *ecryptfs_dentry)\n{\n\tstruct ecryptfs_crypt_stat *crypt_stat =\n\t &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat;\n\tstruct ecryptfs_mount_crypt_stat *mount_crypt_stat =\n\t &ecryptfs_superblock_to_private(\n\t\t ecryptfs_dentry->d_sb)->mount_crypt_stat;\n\tint cipher_name_len;\n\tint rc = 0;\n\n\tecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat);\n\tcrypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID);\n\tecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,\n\t\t\t\t\t\t mount_crypt_stat);\n\trc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat,\n\t\t\t\t\t\t\t mount_crypt_stat);\n\tif (rc) {\n\t\tprintk(KERN_ERR \"Error attempting to copy mount-wide key sigs \"\n\t\t \"to the inode key sigs; rc = [%d]\\n\", rc);\n\t\tgoto out;\n\t}\n\tcipher_name_len =\n\t\tstrlen(mount_crypt_stat->global_default_cipher_name);\n\tmemcpy(crypt_stat->cipher,\n\t mount_crypt_stat->global_default_cipher_name,\n\t cipher_name_len);\n\tcrypt_stat->cipher[cipher_name_len] = '\\0';\n\tcrypt_stat->key_size =\n\t\tmount_crypt_stat->global_default_cipher_key_size;\n\tecryptfs_generate_new_key(crypt_stat);\n\trc = ecryptfs_init_crypt_ctx(crypt_stat);\n\tif (rc)\n\t\tecryptfs_printk(KERN_ERR, \"Error initializing cryptographic 
\"\n\t\t\t\t\"context for cipher [%s]: rc = [%d]\\n\",\n\t\t\t\tcrypt_stat->cipher, rc);\nout:\n\treturn rc;\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 317666200339354240452312549417284074317, "size": 38, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. 
Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490177 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void print_error_message(sgx_status_t ret)\n{\n size_t idx = 0;\n size_t ttl = sizeof sgx_errlist/sizeof sgx_errlist[0];\n\n for (idx = 0; idx < ttl; idx++) {\n if(ret == sgx_errlist[idx].err) {\n if(NULL != sgx_errlist[idx].sug)\n printf(\"Info: %s\\n\", sgx_errlist[idx].sug);\n printf(\"Error: %s\\n\", sgx_errlist[idx].msg);\n break;\n }\n }\n\n if (idx == ttl)\n printf(\"Error: Unexpected error occurred.\\n\");\n}", "idx": 519100, "cwe": "CWE-787", "hash": 26981395811070408311075648368668135711, "dataset": "other" }, { "func": "static void hci_change_link_key_complete_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_change_link_key_complete *ev = (void *) skb->data;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, ev->status);\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));\n\tif (conn) {\n\t\tif (!ev->status)\n\t\t\tset_bit(HCI_CONN_SECURE, &conn->flags);\n\n\t\tclear_bit(HCI_CONN_AUTH_PEND, &conn->flags);\n\n\t\thci_key_change_cfm(conn, ev->status);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 111541043794331046695624458708286855221, "size": 22, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431988 }, { "func": "void ___cache_free(struct kmem_cache *cache, void *x, unsigned long addr)\n{\n\tdo_slab_free(cache, virt_to_head_page(x), x, NULL, 1, addr);\n}", "project": "linux", "hash": 189924578619644245815421766846540926459, "size": 4, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. 
___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280022 }, { "func": "static int open_in(HLSContext *c, AVIOContext **in, const char *url)\n{\n AVDictionary *tmp = NULL;\n int ret;\n\n av_dict_copy(&tmp, c->avio_opts, 0);\n\n ret = avio_open2(in, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp);\n\n av_dict_free(&tmp);\n return ret;\n}", "project": "FFmpeg", "hash": 213685092260128987495649457701704078369, "size": 12, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270462 }, { "func": " * stop work. But, in that case, it is guaranteed not to race with\n * iscsi_destroy by conn_mutex.\n */\nstatic void iscsi_if_stop_conn(struct iscsi_cls_conn *conn, int flag)\n{\n\t/*\n\t * It is important that this path doesn't rely on\n\t * rx_queue_mutex, otherwise, a thread doing allocation on a\n\t * start_session/start_connection could sleep waiting on a\n\t * writeback to a failed iscsi device, that cannot be recovered\n\t * because the lock is held. If we don't hold it here, the\n\t * kernel stop_conn_work_fn has a chance to stop the broken\n\t * session and resolve the allocation.\n\t *\n\t * Still, the user invoked .stop_conn() needs to be serialized\n\t * with stop_conn_work_fn by a private mutex. 
Not pretty, but\n\t * it works.\n\t */\n\tmutex_lock(&conn_mutex);\n\tconn->transport->stop_conn(conn, flag);", "project": "linux", "hash": 144681758853231227929876875406775510896, "size": 20, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. Petersen ", "target": 0, "dataset": "other", "idx": 380020 }, { "func": "static void autocomplete_evals(RCore *core, RLineCompletion *completion, const char *str) {\n\tr_return_if_fail (str);\n\tRConfigNode *bt;\n\tRListIter *iter;\n\tchar *tmp = strrchr (str, ' ');\n\tif (tmp) {\n\t\tstr = tmp + 1;\n\t}\n\tint n = strlen (str);\n\tif (n < 1) {\n\t\treturn;\n\t}\n\tr_list_foreach (core->config->nodes, iter, bt) {\n\t\tif (!strncmp (bt->name, str, n)) {\n\t\t\tr_line_completion_push (completion, bt->name);\n\t\t}\n\t}\n}", "project": "radare2", "hash": 312405776486597331908617036011373938744, "size": 18, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232108 }, { "func": "static int huf_build_dec_table(EXRContext *s,\n EXRThreadData *td, int im, int iM)\n{\n int j = 0;\n\n td->run_sym = -1;\n for (int i = im; i < iM; i++) {\n td->he[j].sym = i;\n td->he[j].len = td->freq[i] & 63;\n td->he[j].code = td->freq[i] >> 6;\n if (td->he[j].len > 32) {\n avpriv_request_sample(s->avctx, \"Too big code length\");\n return AVERROR_PATCHWELCOME;\n }\n if (td->he[j].len > 0)\n j++;\n else\n td->run_sym = i;\n }\n\n if (im > 0)\n td->run_sym = 0;\n else if (iM < 65535)\n td->run_sym = 65535;\n\n 
if (td->run_sym == -1) {\n avpriv_request_sample(s->avctx, \"No place for run symbol\");\n return AVERROR_PATCHWELCOME;\n }\n\n td->he[j].sym = td->run_sym;\n td->he[j].len = td->freq[iM] & 63;\n if (td->he[j].len > 32) {\n avpriv_request_sample(s->avctx, \"Too big code length\");\n return AVERROR_PATCHWELCOME;\n }\n td->he[j].code = td->freq[iM] >> 6;\n j++;\n\n ff_free_vlc(&td->vlc);\n return ff_init_vlc_sparse(&td->vlc, 12, j,\n &td->he[0].len, sizeof(td->he[0]), sizeof(td->he[0].len),\n &td->he[0].code, sizeof(td->he[0]), sizeof(td->he[0].code),\n &td->he[0].sym, sizeof(td->he[0]), sizeof(td->he[0].sym), 0);\n}", "project": "FFmpeg", "hash": 41648798485075935091131017294923262082, "size": 45, "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777", "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı \nSigned-off-by: Michael Niedermayer ", "target": 0, "dataset": "other", "idx": 262683 }, { "func": "static void trace_unpatch(jit_State *J, GCtrace *T)\n{\n BCOp op = bc_op(T->startins);\n BCIns *pc = mref(T->startpc, BCIns);\n UNUSED(J);\n if (op == BC_JMP)\n return; /* No need to unpatch branches in parent traces (yet). */\n switch (bc_op(*pc)) {\n case BC_JFORL:\n lua_assert(traceref(J, bc_d(*pc)) == T);\n *pc = T->startins;\n pc += bc_j(T->startins);\n lua_assert(bc_op(*pc) == BC_JFORI);\n setbc_op(pc, BC_FORI);\n break;\n case BC_JITERL:\n case BC_JLOOP:\n lua_assert(op == BC_ITERL || op == BC_LOOP || bc_isret(op));\n *pc = T->startins;\n break;\n case BC_JMP:\n lua_assert(op == BC_ITERL);\n pc += bc_j(*pc)+2;\n if (bc_op(*pc) == BC_JITERL) {\n lua_assert(traceref(J, bc_d(*pc)) == T);\n *pc = T->startins;\n }\n break;\n case BC_JFUNCF:\n lua_assert(op == BC_FUNCF);\n *pc = T->startins;\n break;\n default: /* Already unpatched. 
*/\n break;\n }\n}", "project": "LuaJIT", "hash": 132065062915730728735702552651025703867, "size": 36, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394619 }, { "func": "bool CClient::OnQuitMessage(CQuitMessage& Message) {\n bool bReturn = false;\n NETWORKMODULECALL(OnUserQuitMessage(Message), m_pUser, m_pNetwork, this,\n &bReturn);\n if (!bReturn) {\n Close(Csock::CLT_AFTERWRITE); // Treat a client quit as a detach\n }\n // Don't forward this msg. We don't want the client getting us\n // disconnected.\n return true;\n}", "project": "znc", "hash": 64735848501562857968057468238761261870, "size": 11, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231560 }, { "func": "void kvm_hv_synic_send_eoi(struct kvm_vcpu *vcpu, int vector)\n{\n\tstruct kvm_vcpu_hv_synic *synic = to_hv_synic(vcpu);\n\tint i;\n\n\ttrace_kvm_hv_synic_send_eoi(vcpu->vcpu_id, vector);\n\n\tfor (i = 0; i < ARRAY_SIZE(synic->sint); i++)\n\t\tif (synic_get_sint_vector(synic_read_sint(synic, i)) == vector)\n\t\t\tkvm_hv_notify_acked_sint(vcpu, i);\n}", "project": "linux", "hash": 168583593922302471943070369144242339364, "size": 11, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n 
vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343476 }, { "func": "void Strobelight::shutdown() {\n RuntimeOption::StrobelightEnabled = false;\n}", "project": "hhvm", "hash": 117585652362882132569710485318552393398, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219843 }, { "func": "void lua_datum::shutdown(CLua &)\n{\n cleanup();\n}", "project": "crawl", "hash": 324416558610243174834336308547609871341, "size": 4, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230484 }, { "func": "static void defer_active(struct intel_engine_cs *engine)\n{\n\tstruct i915_request *rq;\n\n\trq = __unwind_incomplete_requests(engine);\n\tif (!rq)\n\t\treturn;\n\n\tdefer_request(rq, i915_sched_lookup_priolist(engine, rq_prio(rq)));\n}", "project": "linux", "hash": 23944907562251189926612940215323282511, "size": 10, "commit_id": 
"bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281473 }, { "func": "static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\tu8 status = *((u8 *) skb->data);\n\tstruct hci_cp_write_sc_support *sent;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);\n\tif (!sent)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tif (!status) {\n\t\tif (sent->support)\n\t\t\thdev->features[1][0] |= LMP_HOST_SC;\n\t\telse\n\t\t\thdev->features[1][0] &= ~LMP_HOST_SC;\n\t}\n\n\tif (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {\n\t\tif (sent->support)\n\t\t\thci_dev_set_flag(hdev, HCI_SC_ENABLED);\n\t\telse\n\t\t\thci_dev_clear_flag(hdev, HCI_SC_ENABLED);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 172603623854219396160752775520652437119, "size": 29, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432038 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::notifyNodeStartedProcessing(AudioNode* node)\n{\n refNode(node);\n}\n", "cwe": "", "big_vul_idx": 139671, "idx": 124820, "hash": 282510652011256105549442300045585224917 }, { "func": "static void tipc_node_bc_sync_rcv(struct tipc_node *n, struct tipc_msg *hdr,\n\t\t\t\t int bearer_id, struct sk_buff_head *xmitq)\n{\n\tstruct tipc_link *ucl;\n\tint rc;\n\n\trc = tipc_bcast_sync_rcv(n->net, n->bc_entry.link, hdr, xmitq);\n\n\tif (rc & TIPC_LINK_DOWN_EVT) {\n\t\ttipc_node_reset_links(n);\n\t\treturn;\n\t}\n\n\tif (!(rc & TIPC_LINK_SND_STATE))\n\t\treturn;\n\n\t/* If probe message, a STATE response will be sent anyway */\n\tif (msg_probe(hdr))\n\t\treturn;\n\n\t/* Produce a STATE message carrying broadcast NACK */\n\ttipc_node_read_lock(n);\n\tucl = n->links[bearer_id].link;\n\tif (ucl)\n\t\ttipc_link_build_state_msg(ucl, xmitq);\n\ttipc_node_read_unlock(n);\n}", "project": "linux", "hash": 77502772945063301739355023809301690491, "size": 27, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 
21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 
0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364943 }, { "func": "static OPJ_BOOL opj_j2k_setup_header_reading(opj_j2k_t *p_j2k,\n opj_event_mgr_t * p_manager)\n{\n /* preconditions*/\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_read_header_procedure, p_manager)) {\n return OPJ_FALSE;\n }\n\n /* DEVELOPER CORNER, add your custom procedures */\n if (! opj_procedure_list_add_procedure(p_j2k->m_procedure_list,\n (opj_procedure)opj_j2k_copy_default_tcp_and_create_tcd, p_manager)) {\n return OPJ_FALSE;\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 74817695450943563745790936523530236363, "size": 20, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357424 }, { "func": "CallResult JSObject::hasComputed(\n Handle selfHandle,\n Runtime *runtime,\n Handle<> nameValHandle) {\n // Try the fast-path first: no \"index-like\" properties and the \"name\" already\n // is a valid integer index.\n if (selfHandle->flags_.fastIndexProperties) {\n if (auto arrayIndex = toArrayIndexFastPath(*nameValHandle)) {\n // Do we have this value present in our array storage? 
If so, return true.\n if (haveOwnIndexed(selfHandle.get(), runtime, *arrayIndex)) {\n return true;\n }\n }\n }\n\n // If nameValHandle is an object, we should convert it to string now,\n // because toString may have side-effect, and we want to do this only\n // once.\n auto converted = toPropertyKeyIfObject(runtime, nameValHandle);\n if (LLVM_UNLIKELY(converted == ExecutionStatus::EXCEPTION)) {\n return ExecutionStatus::EXCEPTION;\n }\n auto nameValPrimitiveHandle = *converted;\n\n ComputedPropertyDescriptor desc;\n MutableHandle propObj{runtime};\n if (getComputedPrimitiveDescriptor(\n selfHandle, runtime, nameValPrimitiveHandle, propObj, desc) ==\n ExecutionStatus::EXCEPTION) {\n return ExecutionStatus::EXCEPTION;\n }\n if (!propObj) {\n return false;\n }\n if (LLVM_UNLIKELY(desc.flags.proxyObject)) {\n CallResult> key = toPropertyKey(runtime, nameValPrimitiveHandle);\n if (key == ExecutionStatus::EXCEPTION)\n return ExecutionStatus::EXCEPTION;\n return JSProxy::hasComputed(propObj, runtime, *key);\n }\n // For compatibility with polyfills we want to pretend that all HostObject\n // properties are \"own\" properties in 'in'. Since there is no way to check for\n // a HostObject property, we must always assume success. In practice the\n // property name would have been obtained from enumerating the properties in\n // JS code that looks something like this:\n // for(key in hostObj) {\n // if (key in hostObj)\n // ...\n // }\n return true;\n}", "project": "hermes", "hash": 41609154707183801587887649295266078047, "size": 51, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. 
This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230170 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "void* SoftwareFrameManager::GetCurrentFramePixels() const {\n DCHECK(HasCurrentFrame());\n DCHECK(base::SharedMemory::IsHandleValid(\n current_frame_->shared_memory_->handle()));\n return current_frame_->shared_memory_->memory();\n}\n", "cwe": "", "big_vul_idx": 129968, "idx": 116280, "hash": 165834928268533883083647944934942755462 }, { "func": "static int pipe_do_rcv(struct sock *sk, struct sk_buff *skb)\n{\n\tstruct pep_sock *pn = pep_sk(sk);\n\tstruct pnpipehdr *hdr = pnp_hdr(skb);\n\tstruct sk_buff_head *queue;\n\tint err = 0;\n\n\tBUG_ON(sk->sk_state == TCP_CLOSE_WAIT);\n\n\tswitch (hdr->message_id) {\n\tcase PNS_PEP_CONNECT_REQ:\n\t\tpep_reject_conn(sk, skb, PN_PIPE_ERR_PEP_IN_USE, GFP_ATOMIC);\n\t\tbreak;\n\n\tcase PNS_PEP_DISCONNECT_REQ:\n\t\tpep_reply(sk, skb, PN_PIPE_NO_ERROR, NULL, 0, GFP_ATOMIC);\n\t\tsk->sk_state = TCP_CLOSE_WAIT;\n\t\tif (!sock_flag(sk, SOCK_DEAD))\n\t\t\tsk->sk_state_change(sk);\n\t\tbreak;\n\n\tcase PNS_PEP_ENABLE_REQ:\n\t\t/* Wait for PNS_PIPE_(ENABLED|REDIRECTED)_IND */\n\t\tpep_reply(sk, skb, PN_PIPE_NO_ERROR, NULL, 0, GFP_ATOMIC);\n\t\tbreak;\n\n\tcase PNS_PEP_RESET_REQ:\n\t\tswitch (hdr->state_after_reset) {\n\t\tcase PN_PIPE_DISABLE:\n\t\t\tpn->init_enable = 0;\n\t\t\tbreak;\n\t\tcase PN_PIPE_ENABLE:\n\t\t\tpn->init_enable = 1;\n\t\t\tbreak;\n\t\tdefault: /* not allowed to send an error here!? 
*/\n\t\t\terr = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\t\tfallthrough;\n\tcase PNS_PEP_DISABLE_REQ:\n\t\tatomic_set(&pn->tx_credits, 0);\n\t\tpep_reply(sk, skb, PN_PIPE_NO_ERROR, NULL, 0, GFP_ATOMIC);\n\t\tbreak;\n\n\tcase PNS_PEP_CTRL_REQ:\n\t\tif (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {\n\t\t\tatomic_inc(&sk->sk_drops);\n\t\t\tbreak;\n\t\t}\n\t\t__skb_pull(skb, 4);\n\t\tqueue = &pn->ctrlreq_queue;\n\t\tgoto queue;\n\n\tcase PNS_PIPE_ALIGNED_DATA:\n\t\t__skb_pull(skb, 1);\n\t\tfallthrough;\n\tcase PNS_PIPE_DATA:\n\t\t__skb_pull(skb, 3); /* Pipe data header */\n\t\tif (!pn_flow_safe(pn->rx_fc)) {\n\t\t\terr = sock_queue_rcv_skb(sk, skb);\n\t\t\tif (!err)\n\t\t\t\treturn NET_RX_SUCCESS;\n\t\t\terr = -ENOBUFS;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (pn->rx_credits == 0) {\n\t\t\tatomic_inc(&sk->sk_drops);\n\t\t\terr = -ENOBUFS;\n\t\t\tbreak;\n\t\t}\n\t\tpn->rx_credits--;\n\t\tqueue = &sk->sk_receive_queue;\n\t\tgoto queue;\n\n\tcase PNS_PEP_STATUS_IND:\n\t\tpipe_rcv_status(sk, skb);\n\t\tbreak;\n\n\tcase PNS_PIPE_REDIRECTED_IND:\n\t\terr = pipe_rcv_created(sk, skb);\n\t\tbreak;\n\n\tcase PNS_PIPE_CREATED_IND:\n\t\terr = pipe_rcv_created(sk, skb);\n\t\tif (err)\n\t\t\tbreak;\n\t\tfallthrough;\n\tcase PNS_PIPE_RESET_IND:\n\t\tif (!pn->init_enable)\n\t\t\tbreak;\n\t\tfallthrough;\n\tcase PNS_PIPE_ENABLED_IND:\n\t\tif (!pn_flow_safe(pn->tx_fc)) {\n\t\t\tatomic_set(&pn->tx_credits, 1);\n\t\t\tsk->sk_write_space(sk);\n\t\t}\n\t\tif (sk->sk_state == TCP_ESTABLISHED)\n\t\t\tbreak; /* Nothing to do */\n\t\tsk->sk_state = TCP_ESTABLISHED;\n\t\tpipe_grant_credits(sk, GFP_ATOMIC);\n\t\tbreak;\n\n\tcase PNS_PIPE_DISABLED_IND:\n\t\tsk->sk_state = TCP_SYN_RECV;\n\t\tpn->rx_credits = 0;\n\t\tbreak;\n\n\tdefault:\n\t\tnet_dbg_ratelimited(\"Phonet unknown PEP message: %u\\n\",\n\t\t\t\t hdr->message_id);\n\t\terr = -EINVAL;\n\t}\nout:\n\tkfree_skb(skb);\n\treturn (err == -ENOBUFS) ? 
NET_RX_DROP : NET_RX_SUCCESS;\n\nqueue:\n\tskb->dev = NULL;\n\tskb_set_owner_r(skb, sk);\n\tskb_queue_tail(queue, skb);\n\tif (!sock_flag(sk, SOCK_DEAD))\n\t\tsk->sk_data_ready(sk);\n\treturn NET_RX_SUCCESS;\n}", "project": "linux", "hash": 5739826000196974561943698377457326466, "size": 125, "commit_id": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "message": "phonet: refcount leak in pep_sock_accep\n\nsock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not\ninvoked in subsequent failure branches(pep_accept_conn() != 0).\n\nSigned-off-by: Hangyu Hua \nLink: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.com\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 224800 }, { "func": "void UnicodeStringTest::TestUnescape(void) {\n UnicodeString IN(\"abc\\\\u4567 \\\\n\\\\r \\\\U00101234xyz\\\\x1\\\\x{5289}\\\\x1b\", -1, US_INV);\n UnicodeString OUT(\"abc\");\n OUT.append((UChar)0x4567);\n OUT.append(\" \");\n OUT.append((UChar)0xA);\n OUT.append((UChar)0xD);\n OUT.append(\" \");\n OUT.append((UChar32)0x00101234);\n OUT.append(\"xyz\");\n OUT.append((UChar32)1).append((UChar32)0x5289).append((UChar)0x1b);\n UnicodeString result = IN.unescape();\n if (result != OUT) {\n errln(\"FAIL: \" + prettify(IN) + \".unescape() -> \" +\n prettify(result) + \", expected \" +\n prettify(OUT));\n }\n\n // test that an empty string is returned in case of an error\n if (!UNICODE_STRING(\"wrong \\\\u sequence\", 17).unescape().isEmpty()) {\n errln(\"FAIL: unescaping of a string with an illegal escape sequence did not return an empty string\");\n }\n}", "project": "icu", "hash": 263891614011883420250503151546923998097, "size": 23, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430791 }, { "func": "}\nEXPORT_SYMBOL_GPL(iscsi_conn_error_event);\n\nvoid iscsi_conn_login_event(struct iscsi_cls_conn *conn,\n\t\t\t enum 
iscsi_conn_state state)\n{\n\tstruct nlmsghdr *nlh;\n\tstruct sk_buff *skb;\n\tstruct iscsi_uevent *ev;\n\tstruct iscsi_internal *priv;\n\tint len = nlmsg_total_size(sizeof(*ev));\n\n\tpriv = iscsi_if_transport_lookup(conn->transport);\n\tif (!priv)\n\t\treturn;\n\n\tskb = alloc_skb(len, GFP_ATOMIC);\n\tif (!skb) {\n\t\tiscsi_cls_conn_printk(KERN_ERR, conn, \"gracefully ignored \"\n\t\t\t\t \"conn login (%d)\\n\", state);\n\t\treturn;\n\t}\n\n\tnlh = __nlmsg_put(skb, 0, 0, 0, (len - sizeof(*nlh)), 0);\n\tev = nlmsg_data(nlh);\n\tev->transport_handle = iscsi_handle(conn->transport);\n\tev->type = ISCSI_KEVENT_CONN_LOGIN_STATE;\n\tev->r.conn_login.state = state;\n\tev->r.conn_login.cid = conn->cid;\n\tev->r.conn_login.sid = iscsi_conn_get_sid(conn);\n\tiscsi_multicast_skb(skb, ISCSI_NL_GRP_ISCSID, GFP_ATOMIC);\n", "project": "linux", "hash": 294932263876213878784846097525910869148, "size": 32, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379994 }, { "func": "static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,\n\t\t\t const struct nlattr * const nla[])\n{\n\tconst struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);\n\tu32 ktype, dtype, flags, policy, gc_int, objtype;\n\tstruct netlink_ext_ack *extack = info->extack;\n\tu8 genmask = nft_genmask_next(info->net);\n\tint family = nfmsg->nfgen_family;\n\tconst struct nft_set_ops *ops;\n\tstruct nft_expr *expr = NULL;\n\tstruct net *net = info->net;\n\tstruct nft_set_desc desc;\n\tstruct nft_table *table;\n\tunsigned char *udata;\n\tstruct nft_set *set;\n\tstruct nft_ctx ctx;\n\tsize_t alloc_size;\n\tu64 timeout;\n\tchar *name;\n\tint err, i;\n\tu16 udlen;\n\tu64 size;\n\n\tif (nla[NFTA_SET_TABLE] == NULL ||\n\t nla[NFTA_SET_NAME] == NULL ||\n\t nla[NFTA_SET_KEY_LEN] == NULL ||\n\t nla[NFTA_SET_ID] == NULL)\n\t\treturn -EINVAL;\n\n\tmemset(&desc, 0, sizeof(desc));\n\n\tktype = NFT_DATA_VALUE;\n\tif (nla[NFTA_SET_KEY_TYPE] != NULL) {\n\t\tktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));\n\t\tif ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)\n\t\t\treturn -EINVAL;\n\t}\n\n\tdesc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));\n\tif (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)\n\t\treturn -EINVAL;\n\n\tflags = 0;\n\tif (nla[NFTA_SET_FLAGS] != NULL) {\n\t\tflags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));\n\t\tif (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |\n\t\t\t NFT_SET_INTERVAL | NFT_SET_TIMEOUT |\n\t\t\t NFT_SET_MAP | NFT_SET_EVAL |\n\t\t\t NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))\n\t\t\treturn -EOPNOTSUPP;\n\t\t/* Only one of these operations is supported */\n\t\tif ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==\n\t\t\t (NFT_SET_MAP | NFT_SET_OBJECT))\n\t\t\treturn -EOPNOTSUPP;\n\t\tif ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==\n\t\t\t (NFT_SET_EVAL | NFT_SET_OBJECT))\n\t\t\treturn -EOPNOTSUPP;\n\t}\n\n\tdtype = 0;\n\tif 
(nla[NFTA_SET_DATA_TYPE] != NULL) {\n\t\tif (!(flags & NFT_SET_MAP))\n\t\t\treturn -EINVAL;\n\n\t\tdtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));\n\t\tif ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&\n\t\t dtype != NFT_DATA_VERDICT)\n\t\t\treturn -EINVAL;\n\n\t\tif (dtype != NFT_DATA_VERDICT) {\n\t\t\tif (nla[NFTA_SET_DATA_LEN] == NULL)\n\t\t\t\treturn -EINVAL;\n\t\t\tdesc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));\n\t\t\tif (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)\n\t\t\t\treturn -EINVAL;\n\t\t} else\n\t\t\tdesc.dlen = sizeof(struct nft_verdict);\n\t} else if (flags & NFT_SET_MAP)\n\t\treturn -EINVAL;\n\n\tif (nla[NFTA_SET_OBJ_TYPE] != NULL) {\n\t\tif (!(flags & NFT_SET_OBJECT))\n\t\t\treturn -EINVAL;\n\n\t\tobjtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));\n\t\tif (objtype == NFT_OBJECT_UNSPEC ||\n\t\t objtype > NFT_OBJECT_MAX)\n\t\t\treturn -EOPNOTSUPP;\n\t} else if (flags & NFT_SET_OBJECT)\n\t\treturn -EINVAL;\n\telse\n\t\tobjtype = NFT_OBJECT_UNSPEC;\n\n\ttimeout = 0;\n\tif (nla[NFTA_SET_TIMEOUT] != NULL) {\n\t\tif (!(flags & NFT_SET_TIMEOUT))\n\t\t\treturn -EINVAL;\n\n\t\terr = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\tgc_int = 0;\n\tif (nla[NFTA_SET_GC_INTERVAL] != NULL) {\n\t\tif (!(flags & NFT_SET_TIMEOUT))\n\t\t\treturn -EINVAL;\n\t\tgc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));\n\t}\n\n\tpolicy = NFT_SET_POL_PERFORMANCE;\n\tif (nla[NFTA_SET_POLICY] != NULL)\n\t\tpolicy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));\n\n\tif (nla[NFTA_SET_DESC] != NULL) {\n\t\terr = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);\n\t\tif (err < 0)\n\t\t\treturn err;\n\t}\n\n\tif (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])\n\t\tdesc.expr = true;\n\n\ttable = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,\n\t\t\t\t NETLINK_CB(skb).portid);\n\tif (IS_ERR(table)) {\n\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);\n\t\treturn 
PTR_ERR(table);\n\t}\n\n\tnft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);\n\n\tset = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);\n\tif (IS_ERR(set)) {\n\t\tif (PTR_ERR(set) != -ENOENT) {\n\t\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);\n\t\t\treturn PTR_ERR(set);\n\t\t}\n\t} else {\n\t\tif (info->nlh->nlmsg_flags & NLM_F_EXCL) {\n\t\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);\n\t\t\treturn -EEXIST;\n\t\t}\n\t\tif (info->nlh->nlmsg_flags & NLM_F_REPLACE)\n\t\t\treturn -EOPNOTSUPP;\n\n\t\treturn 0;\n\t}\n\n\tif (!(info->nlh->nlmsg_flags & NLM_F_CREATE))\n\t\treturn -ENOENT;\n\n\tops = nft_select_set_ops(&ctx, nla, &desc, policy);\n\tif (IS_ERR(ops))\n\t\treturn PTR_ERR(ops);\n\n\tudlen = 0;\n\tif (nla[NFTA_SET_USERDATA])\n\t\tudlen = nla_len(nla[NFTA_SET_USERDATA]);\n\n\tsize = 0;\n\tif (ops->privsize != NULL)\n\t\tsize = ops->privsize(nla, &desc);\n\talloc_size = sizeof(*set) + size + udlen;\n\tif (alloc_size < size)\n\t\treturn -ENOMEM;\n\tset = kvzalloc(alloc_size, GFP_KERNEL);\n\tif (!set)\n\t\treturn -ENOMEM;\n\n\tname = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);\n\tif (!name) {\n\t\terr = -ENOMEM;\n\t\tgoto err_set_name;\n\t}\n\n\terr = nf_tables_set_alloc_name(&ctx, set, name);\n\tkfree(name);\n\tif (err < 0)\n\t\tgoto err_set_alloc_name;\n\n\tif (nla[NFTA_SET_EXPR]) {\n\t\texpr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);\n\t\tif (IS_ERR(expr)) {\n\t\t\terr = PTR_ERR(expr);\n\t\t\tgoto err_set_alloc_name;\n\t\t}\n\t\tset->exprs[0] = expr;\n\t\tset->num_exprs++;\n\t} else if (nla[NFTA_SET_EXPRESSIONS]) {\n\t\tstruct nft_expr *expr;\n\t\tstruct nlattr *tmp;\n\t\tint left;\n\n\t\tif (!(flags & NFT_SET_EXPR)) {\n\t\t\terr = -EINVAL;\n\t\t\tgoto err_set_alloc_name;\n\t\t}\n\t\ti = 0;\n\t\tnla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {\n\t\t\tif (i == NFT_SET_EXPR_MAX) {\n\t\t\t\terr = -E2BIG;\n\t\t\t\tgoto err_set_init;\n\t\t\t}\n\t\t\tif (nla_type(tmp) != NFTA_LIST_ELEM) {\n\t\t\t\terr = 
-EINVAL;\n\t\t\t\tgoto err_set_init;\n\t\t\t}\n\t\t\texpr = nft_set_elem_expr_alloc(&ctx, set, tmp);\n\t\t\tif (IS_ERR(expr)) {\n\t\t\t\terr = PTR_ERR(expr);\n\t\t\t\tgoto err_set_init;\n\t\t\t}\n\t\t\tset->exprs[i++] = expr;\n\t\t\tset->num_exprs++;\n\t\t}\n\t}\n\n\tudata = NULL;\n\tif (udlen) {\n\t\tudata = set->data + size;\n\t\tnla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);\n\t}\n\n\tINIT_LIST_HEAD(&set->bindings);\n\tINIT_LIST_HEAD(&set->catchall_list);\n\tset->table = table;\n\twrite_pnet(&set->net, net);\n\tset->ops = ops;\n\tset->ktype = ktype;\n\tset->klen = desc.klen;\n\tset->dtype = dtype;\n\tset->objtype = objtype;\n\tset->dlen = desc.dlen;\n\tset->flags = flags;\n\tset->size = desc.size;\n\tset->policy = policy;\n\tset->udlen = udlen;\n\tset->udata = udata;\n\tset->timeout = timeout;\n\tset->gc_int = gc_int;\n\tset->handle = nf_tables_alloc_handle(table);\n\n\tset->field_count = desc.field_count;\n\tfor (i = 0; i < desc.field_count; i++)\n\t\tset->field_len[i] = desc.field_len[i];\n\n\terr = ops->init(set, &desc, nla);\n\tif (err < 0)\n\t\tgoto err_set_init;\n\n\terr = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);\n\tif (err < 0)\n\t\tgoto err_set_trans;\n\n\tlist_add_tail_rcu(&set->list, &table->sets);\n\ttable->use++;\n\treturn 0;\n\nerr_set_trans:\n\tops->destroy(set);\nerr_set_init:\n\tfor (i = 0; i < set->num_exprs; i++)\n\t\tnft_expr_destroy(&ctx, set->exprs[i]);\nerr_set_alloc_name:\n\tkfree(set->name);\nerr_set_name:\n\tkvfree(set);\n\treturn err;\n}", "project": "linux", "hash": 193021357358532201027347093134489495686, "size": 269, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. 
Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 1, "dataset": "other", "idx": 202069 }, { "func": "static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,\n\t\t\t const struct nlattr * const nla[])\n{\n\tconst struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);\n\tu32 ktype, dtype, flags, policy, gc_int, objtype;\n\tstruct netlink_ext_ack *extack = info->extack;\n\tu8 genmask = nft_genmask_next(info->net);\n\tint family = nfmsg->nfgen_family;\n\tconst struct nft_set_ops *ops;\n\tstruct nft_expr *expr = NULL;\n\tstruct net *net = info->net;\n\tstruct nft_set_desc desc;\n\tstruct nft_table *table;\n\tunsigned char *udata;\n\tstruct nft_set *set;\n\tstruct nft_ctx ctx;\n\tsize_t alloc_size;\n\tu64 timeout;\n\tchar *name;\n\tint err, i;\n\tu16 udlen;\n\tu64 size;\n\n\tif (nla[NFTA_SET_TABLE] == NULL ||\n\t nla[NFTA_SET_NAME] == NULL ||\n\t nla[NFTA_SET_KEY_LEN] == NULL ||\n\t nla[NFTA_SET_ID] == NULL)\n\t\treturn -EINVAL;\n\n\tmemset(&desc, 0, 
sizeof(desc));\n\n\tktype = NFT_DATA_VALUE;\n\tif (nla[NFTA_SET_KEY_TYPE] != NULL) {\n\t\tktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));\n\t\tif ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)\n\t\t\treturn -EINVAL;\n\t}\n\n\tdesc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));\n\tif (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)\n\t\treturn -EINVAL;\n\n\tflags = 0;\n\tif (nla[NFTA_SET_FLAGS] != NULL) {\n\t\tflags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));\n\t\tif (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |\n\t\t\t NFT_SET_INTERVAL | NFT_SET_TIMEOUT |\n\t\t\t NFT_SET_MAP | NFT_SET_EVAL |\n\t\t\t NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))\n\t\t\treturn -EOPNOTSUPP;\n\t\t/* Only one of these operations is supported */\n\t\tif ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==\n\t\t\t (NFT_SET_MAP | NFT_SET_OBJECT))\n\t\t\treturn -EOPNOTSUPP;\n\t\tif ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==\n\t\t\t (NFT_SET_EVAL | NFT_SET_OBJECT))\n\t\t\treturn -EOPNOTSUPP;\n\t}\n\n\tdtype = 0;\n\tif (nla[NFTA_SET_DATA_TYPE] != NULL) {\n\t\tif (!(flags & NFT_SET_MAP))\n\t\t\treturn -EINVAL;\n\n\t\tdtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));\n\t\tif ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&\n\t\t dtype != NFT_DATA_VERDICT)\n\t\t\treturn -EINVAL;\n\n\t\tif (dtype != NFT_DATA_VERDICT) {\n\t\t\tif (nla[NFTA_SET_DATA_LEN] == NULL)\n\t\t\t\treturn -EINVAL;\n\t\t\tdesc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));\n\t\t\tif (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)\n\t\t\t\treturn -EINVAL;\n\t\t} else\n\t\t\tdesc.dlen = sizeof(struct nft_verdict);\n\t} else if (flags & NFT_SET_MAP)\n\t\treturn -EINVAL;\n\n\tif (nla[NFTA_SET_OBJ_TYPE] != NULL) {\n\t\tif (!(flags & NFT_SET_OBJECT))\n\t\t\treturn -EINVAL;\n\n\t\tobjtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));\n\t\tif (objtype == NFT_OBJECT_UNSPEC ||\n\t\t objtype > NFT_OBJECT_MAX)\n\t\t\treturn -EOPNOTSUPP;\n\t} else if (flags & 
NFT_SET_OBJECT)\n\t\treturn -EINVAL;\n\telse\n\t\tobjtype = NFT_OBJECT_UNSPEC;\n\n\ttimeout = 0;\n\tif (nla[NFTA_SET_TIMEOUT] != NULL) {\n\t\tif (!(flags & NFT_SET_TIMEOUT))\n\t\t\treturn -EINVAL;\n\n\t\terr = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\tgc_int = 0;\n\tif (nla[NFTA_SET_GC_INTERVAL] != NULL) {\n\t\tif (!(flags & NFT_SET_TIMEOUT))\n\t\t\treturn -EINVAL;\n\t\tgc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));\n\t}\n\n\tpolicy = NFT_SET_POL_PERFORMANCE;\n\tif (nla[NFTA_SET_POLICY] != NULL)\n\t\tpolicy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));\n\n\tif (nla[NFTA_SET_DESC] != NULL) {\n\t\terr = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);\n\t\tif (err < 0)\n\t\t\treturn err;\n\t}\n\n\tif (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])\n\t\tdesc.expr = true;\n\n\ttable = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,\n\t\t\t\t NETLINK_CB(skb).portid);\n\tif (IS_ERR(table)) {\n\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);\n\t\treturn PTR_ERR(table);\n\t}\n\n\tnft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);\n\n\tset = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);\n\tif (IS_ERR(set)) {\n\t\tif (PTR_ERR(set) != -ENOENT) {\n\t\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);\n\t\t\treturn PTR_ERR(set);\n\t\t}\n\t} else {\n\t\tif (info->nlh->nlmsg_flags & NLM_F_EXCL) {\n\t\t\tNL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);\n\t\t\treturn -EEXIST;\n\t\t}\n\t\tif (info->nlh->nlmsg_flags & NLM_F_REPLACE)\n\t\t\treturn -EOPNOTSUPP;\n\n\t\treturn 0;\n\t}\n\n\tif (!(info->nlh->nlmsg_flags & NLM_F_CREATE))\n\t\treturn -ENOENT;\n\n\tops = nft_select_set_ops(&ctx, nla, &desc, policy);\n\tif (IS_ERR(ops))\n\t\treturn PTR_ERR(ops);\n\n\tudlen = 0;\n\tif (nla[NFTA_SET_USERDATA])\n\t\tudlen = nla_len(nla[NFTA_SET_USERDATA]);\n\n\tsize = 0;\n\tif (ops->privsize != NULL)\n\t\tsize = ops->privsize(nla, &desc);\n\talloc_size = sizeof(*set) + size + udlen;\n\tif (alloc_size 
< size)\n\t\treturn -ENOMEM;\n\tset = kvzalloc(alloc_size, GFP_KERNEL);\n\tif (!set)\n\t\treturn -ENOMEM;\n\n\tname = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);\n\tif (!name) {\n\t\terr = -ENOMEM;\n\t\tgoto err_set_name;\n\t}\n\n\terr = nf_tables_set_alloc_name(&ctx, set, name);\n\tkfree(name);\n\tif (err < 0)\n\t\tgoto err_set_name;\n\n\tudata = NULL;\n\tif (udlen) {\n\t\tudata = set->data + size;\n\t\tnla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);\n\t}\n\n\tINIT_LIST_HEAD(&set->bindings);\n\tINIT_LIST_HEAD(&set->catchall_list);\n\tset->table = table;\n\twrite_pnet(&set->net, net);\n\tset->ops = ops;\n\tset->ktype = ktype;\n\tset->klen = desc.klen;\n\tset->dtype = dtype;\n\tset->objtype = objtype;\n\tset->dlen = desc.dlen;\n\tset->flags = flags;\n\tset->size = desc.size;\n\tset->policy = policy;\n\tset->udlen = udlen;\n\tset->udata = udata;\n\tset->timeout = timeout;\n\tset->gc_int = gc_int;\n\n\tset->field_count = desc.field_count;\n\tfor (i = 0; i < desc.field_count; i++)\n\t\tset->field_len[i] = desc.field_len[i];\n\n\terr = ops->init(set, &desc, nla);\n\tif (err < 0)\n\t\tgoto err_set_init;\n\n\tif (nla[NFTA_SET_EXPR]) {\n\t\texpr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);\n\t\tif (IS_ERR(expr)) {\n\t\t\terr = PTR_ERR(expr);\n\t\t\tgoto err_set_expr_alloc;\n\t\t}\n\t\tset->exprs[0] = expr;\n\t\tset->num_exprs++;\n\t} else if (nla[NFTA_SET_EXPRESSIONS]) {\n\t\tstruct nft_expr *expr;\n\t\tstruct nlattr *tmp;\n\t\tint left;\n\n\t\tif (!(flags & NFT_SET_EXPR)) {\n\t\t\terr = -EINVAL;\n\t\t\tgoto err_set_expr_alloc;\n\t\t}\n\t\ti = 0;\n\t\tnla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {\n\t\t\tif (i == NFT_SET_EXPR_MAX) {\n\t\t\t\terr = -E2BIG;\n\t\t\t\tgoto err_set_expr_alloc;\n\t\t\t}\n\t\t\tif (nla_type(tmp) != NFTA_LIST_ELEM) {\n\t\t\t\terr = -EINVAL;\n\t\t\t\tgoto err_set_expr_alloc;\n\t\t\t}\n\t\t\texpr = nft_set_elem_expr_alloc(&ctx, set, tmp);\n\t\t\tif (IS_ERR(expr)) {\n\t\t\t\terr = PTR_ERR(expr);\n\t\t\t\tgoto 
err_set_expr_alloc;\n\t\t\t}\n\t\t\tset->exprs[i++] = expr;\n\t\t\tset->num_exprs++;\n\t\t}\n\t}\n\n\tset->handle = nf_tables_alloc_handle(table);\n\n\terr = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);\n\tif (err < 0)\n\t\tgoto err_set_expr_alloc;\n\n\tlist_add_tail_rcu(&set->list, &table->sets);\n\ttable->use++;\n\treturn 0;\n\nerr_set_expr_alloc:\n\tfor (i = 0; i < set->num_exprs; i++)\n\t\tnft_expr_destroy(&ctx, set->exprs[i]);\n\n\tops->destroy(set);\nerr_set_init:\n\tkfree(set->name);\nerr_set_name:\n\tkvfree(set);\n\treturn err;\n}", "project": "linux", "hash": 70145795789126680677504544991909643805, "size": 270, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? 
nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328360 }, { "func": "static int sctp_setsockopt_event(struct sock *sk, struct sctp_event *param,\n\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_association *asoc;\n\tint retval = 0;\n\n\tif (optlen < sizeof(*param))\n\t\treturn -EINVAL;\n\n\tif (param->se_type < SCTP_SN_TYPE_BASE ||\n\t param->se_type > SCTP_SN_TYPE_MAX)\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, param->se_assoc_id);\n\tif (!asoc && param->se_assoc_id > SCTP_ALL_ASSOC &&\n\t sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (asoc)\n\t\treturn sctp_assoc_ulpevent_type_set(param, asoc);\n\n\tif (sctp_style(sk, TCP))\n\t\tparam->se_assoc_id = SCTP_FUTURE_ASSOC;\n\n\tif (param->se_assoc_id == SCTP_FUTURE_ASSOC ||\n\t param->se_assoc_id == SCTP_ALL_ASSOC)\n\t\tsctp_ulpevent_type_set(&sp->subscribe,\n\t\t\t\t param->se_type, param->se_on);\n\n\tif (param->se_assoc_id == SCTP_CURRENT_ASSOC ||\n\t param->se_assoc_id == SCTP_ALL_ASSOC) {\n\t\tlist_for_each_entry(asoc, &sp->ep->asocs, asocs) {\n\t\t\tint ret = sctp_assoc_ulpevent_type_set(param, asoc);\n\n\t\t\tif (ret && !retval)\n\t\t\t\tretval = ret;\n\t\t}\n\t}\n\n\treturn retval;\n}", "project": "linux", "hash": 176687957822126597799288774129599463048, "size": 42, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen 
in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398082 }, { "func": "void initialize_polling_images(void) {\n\tint i, MB = 1024 * 1024;\n\n\t/* set all shm areas to \"none\" before trying to create any */\n\tscanline_shm.shmid\t= -1;\n\tscanline_shm.shmaddr\t= (char *) -1;\n\tscanline\t\t= NULL;\n\tfullscreen_shm.shmid\t= -1;\n\tfullscreen_shm.shmaddr\t= (char *) -1;\n\tfullscreen\t\t= NULL;\n\tsnaprect_shm.shmid\t= -1;\n\tsnaprect_shm.shmaddr\t= (char *) -1;\n\tsnaprect\t\t= NULL;\n\tfor (i=1; i<=ntiles_x; i++) {\n\t\ttile_row_shm[i].shmid\t= -1;\n\t\ttile_row_shm[i].shmaddr\t= (char *) -1;\n\t\ttile_row[i]\t\t= NULL;\n\t}\n\n\t/* the scanline (e.g. 1280x1) shared memory area image: */\n\n\tif (! shm_create(&scanline_shm, &scanline, dpy_x, 1, \"scanline\")) {\n\t\tclean_up_exit(1);\n\t}\n\n\t/*\n\t * the fullscreen (e.g. 1280x1024/fs_factor) shared memory area image:\n\t * (we cut down the size of the shm area to try avoid and shm segment\n\t * limits, e.g. the default 1MB on Solaris)\n\t */\n\tif (UT.sysname && strstr(UT.sysname, \"Linux\")) {\n\t\tset_fs_factor(10 * MB);\n\t} else {\n\t\tset_fs_factor(1 * MB);\n\t}\n\tif (fs_frac >= 1.0) {\n\t\tfs_frac = 1.1;\n\t\tfs_factor = 0;\n\t}\n\tif (! fs_factor) {\n\t\trfbLog(\"warning: fullscreen updates are disabled.\\n\");\n\t} else {\n\t\tif (! 
shm_create(&fullscreen_shm, &fullscreen, dpy_x,\n\t\t dpy_y/fs_factor, \"fullscreen\")) {\n\t\t\tclean_up_exit(1);\n\t\t}\n\t}\n\tif (use_snapfb) {\n\t\tif (! fs_factor) {\n\t\t\trfbLog(\"warning: disabling -snapfb mode.\\n\");\n\t\t\tuse_snapfb = 0;\n\t\t} else if (! shm_create(&snaprect_shm, &snaprect, dpy_x,\n\t\t dpy_y/fs_factor, \"snaprect\")) {\n\t\t\tclean_up_exit(1);\n\t\t}\n\t}\n\n\t/*\n\t * for copy_tiles we need a lot of shared memory areas, one for\n\t * each possible run length of changed tiles. 32 for 1024x768\n\t * and 40 for 1280x1024, etc. \n\t */\n\n\ttile_shm_count = 0;\n\tfor (i=1; i<=ntiles_x; i++) {\n\t\tif (! shm_create(&tile_row_shm[i], &tile_row[i], tile_x * i,\n\t\t tile_y, \"tile_row\")) {\n\t\t\tif (i == 1) {\n\t\t\t\tclean_up_exit(1);\n\t\t\t}\n\t\t\trfbLog(\"shm: Error creating shared memory tile-row for\"\n\t\t\t \" len=%d,\\n\", i);\n\t\t\trfbLog(\"shm: reverting to -onetile mode. If this\"\n\t\t\t \" problem persists\\n\");\n\t\t\trfbLog(\"shm: try using the -onetile or -noshm options\"\n\t\t\t \" to limit\\n\");\n\t\t\trfbLog(\"shm: shared memory usage, or run ipcrm(1)\"\n\t\t\t \" to manually\\n\");\n\t\t\trfbLog(\"shm: delete unattached shm segments.\\n\");\n\t\t\tsingle_copytile_count = i;\n\t\t\tsingle_copytile = 1;\n\t\t}\n\t\ttile_shm_count++;\n\t\tif (single_copytile && i >= 1) {\n\t\t\t/* only need 1x1 tiles */\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (verbose) {\n\t\tif (using_shm && ! 
xform24to32) {\n\t\t\trfbLog(\"created %d tile_row shm polling images.\\n\",\n\t\t\t tile_shm_count);\n\t\t} else {\n\t\t\trfbLog(\"created %d tile_row polling images.\\n\",\n\t\t\t tile_shm_count);\n\t\t}\n\t}\n}", "project": "x11vnc", "hash": 166877960423359145693099274484477960940, "size": 98, "commit_id": "69eeb9f7baa14ca03b16c9de821f9876def7a36a", "message": "scan: limit access to shared memory segments to current user", "target": 0, "dataset": "other", "idx": 360763 }, { "func": "static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)\n{\n\tstruct nfs_server *server = NFS_SERVER(state->inode);\n\tstruct nfs4_exception exception = { };\n\tint err;\n\n\tdo {\n\t\terr = _nfs4_open_expired(ctx, state);\n\t\ttrace_nfs4_open_expired(ctx, 0, err);\n\t\tif (nfs4_clear_cap_atomic_open_v1(server, err, &exception))\n\t\t\tcontinue;\n\t\tswitch (err) {\n\t\tdefault:\n\t\t\tgoto out;\n\t\tcase -NFS4ERR_GRACE:\n\t\tcase -NFS4ERR_DELAY:\n\t\t\tnfs4_handle_exception(server, err, &exception);\n\t\t\terr = 0;\n\t\t}\n\t} while (exception.retry);\nout:\n\treturn err;\n}", "project": "linux", "hash": 301960486244775565215133350621650192804, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431404 }, { "func": "static bool __isMapped(RCore *core, ut64 addr, int perm) {\n\tif (r_config_get_i (core->config, \"cfg.debug\")) {\n\t\t// RList *maps = core->dbg->maps;\n\t\tRDebugMap *map = NULL;\n\t\tRListIter *iter = NULL;\n\n\t\tr_list_foreach (core->dbg->maps, iter, map) {\n\t\t\tif (addr >= map->addr && addr < 
map->addr_end) {\n\t\t\t\tif (perm > 0) {\n\t\t\t\t\tif (map->perm & perm) {\n\t\t\t\t\t\treturn true;\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn false;\n\t}\n\n\treturn r_io_map_is_mapped (core->io, addr);\n}", "project": "radare2", "hash": 216726729054332024185925631438707946988, "size": 23, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232145 }, { "func": "void path_put(const struct path *path)\n{\n\tdput(path->dentry);\n\tmntput(path->mnt);\n}", "project": "linux", "hash": 77542375356296165193566130792504204514, "size": 5, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295436 }, { "func": "R_API int r_sys_setenv(const char *key, const char *value) {\n\tif (!key) {\n\t\treturn 0;\n\t}\n#if __UNIX__\n\tif (!value) {\n\t\tunsetenv (key);\n\t\treturn 0;\n\t}\n\treturn setenv (key, value, 1);\n#elif __WINDOWS__\n\tLPTSTR key_ = r_sys_conv_utf8_to_win (key);\n\tLPTSTR value_ = r_sys_conv_utf8_to_win (value);\n\tint ret = SetEnvironmentVariable (key_, value_);\n\tif (!ret) {\n\t\tr_sys_perror (\"r_sys_setenv/SetEnvironmentVariable\");\n\t}\n\tfree (key_);\n\tfree (value_);\n\treturn ret ? 
0 : -1;\n#else\n#warning r_sys_setenv : unimplemented for this platform\n\treturn 0;\n#endif\n}", "project": "radare2", "hash": 76790137851069451806631973988171418238, "size": 25, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268964 }, { "func": "ALWAYS_INLINE Variant preg_return_internal_error(Variant&& return_value) {\n *rl_last_error_code = PHP_PCRE_INTERNAL_ERROR;\n return std::move(return_value);\n}", "project": "hhvm", "hash": 336609188241422613540463419550740818582, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219791 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::stop()\n{\n if (m_isStopScheduled)\n 
return;\n m_isStopScheduled = true;\n\n callOnMainThread(bind(&AudioContext::uninitialize, this));\n}\n", "cwe": "", "big_vul_idx": 139690, "idx": 124838, "hash": 109829400758828799239792458721219837129 }, { "func": "Variant ProfilerFactory::stop() {\n if (m_profiler) {\n m_profiler->endAllFrames();\n\n Array ret;\n m_profiler->writeStats(ret);\n req::destroy_raw(m_profiler);\n m_profiler = nullptr;\n RequestInfo::s_requestInfo->m_profiler = nullptr;\n\n return ret;\n }\n return init_null();\n}", "project": "hhvm", "hash": 242189287156307491982646925704886781575, "size": 14, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219120 }, { "func": "bool WindowsServiceControl::stop()\n{\n\tif( checkService() == false )\n\t{\n\t\treturn false;\n\t}\n\n\tSERVICE_STATUS status;\n\n\t// Try to stop the service\n\tif( ControlService( m_serviceHandle, SERVICE_CONTROL_STOP, &status ) )\n\t{\n\t\twhile( QueryServiceStatus( m_serviceHandle, &status ) )\n\t\t{\n\t\t\tif( status.dwCurrentState == SERVICE_STOP_PENDING )\n\t\t\t{\n\t\t\t\tSleep( 1000 );\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\tif( status.dwCurrentState != SERVICE_STOPPED )\n\t\t{\n\t\t\tvWarning() << \"service\" << m_name << \"could not be stopped.\";\n\t\t\treturn false;\n\t\t}\n\t}\n\n\treturn true;\n}", "project": "veyon", "hash": 22770722503596653292375414083920927630, "size": 33, "commit_id": "f231ec511b9a09f43f49b2c7bb7c60b8046276b1", "message": "WindowsServiceControl: quote service binary path\n\nFix unquoted service path vulnerability.\n\nCloses #657.", "target": 0, "dataset": "other", "idx": 241031 }, { "func": "void RGWAsioFrontend::stop()\n{\n impl->stop();\n}", "project": "ceph", "hash": 137495416089329043789798499299096487594, "size": 4, "commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking 
connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves CVE-2020-1700 (moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384542 }, { "func": "static void process_csb(struct intel_engine_cs *engine)\n{\n\tstruct intel_engine_execlists * const execlists = &engine->execlists;\n\tconst u32 * const buf = execlists->csb_status;\n\tconst u8 num_entries = execlists->csb_size;\n\tu8 head, tail;\n\n\t/*\n\t * As we modify our execlists state tracking we require exclusive\n\t * access. Either we are inside the tasklet, or the tasklet is disabled\n\t * and we assume that is only inside the reset paths and so serialised.\n\t */\n\tGEM_BUG_ON(!tasklet_is_locked(&execlists->tasklet) &&\n\t\t !reset_in_progress(execlists));\n\tGEM_BUG_ON(!intel_engine_in_execlists_submission_mode(engine));\n\n\t/*\n\t * Note that csb_write, csb_status may be either in HWSP or mmio.\n\t * When reading from the csb_write mmio register, we have to be\n\t * careful to only use the GEN8_CSB_WRITE_PTR portion, which is\n\t * the low 4bits. As it happens we know the next 4bits are always\n\t * zero and so we can simply masked off the low u8 of the register\n\t * and treat it identically to reading from the HWSP (without having\n\t * to use explicit shifting and masking, and probably bifurcating\n\t * the code to handle the legacy mmio read).\n\t */\n\thead = execlists->csb_head;\n\ttail = READ_ONCE(*execlists->csb_write);\n\tGEM_TRACE(\"%s cs-irq head=%d, tail=%d\\n\", engine->name, head, tail);\n\tif (unlikely(head == tail))\n\t\treturn;\n\n\t/*\n\t * Hopefully paired with a wmb() in HW!\n\t *\n\t * We must complete the read of the write pointer before any reads\n\t * from the CSB, so that we do not see stale values. 
Without an rmb\n\t * (lfence) the HW may speculatively perform the CSB[] reads *before*\n\t * we perform the READ_ONCE(*csb_write).\n\t */\n\trmb();\n\n\tdo {\n\t\tbool promote;\n\n\t\tif (++head == num_entries)\n\t\t\thead = 0;\n\n\t\t/*\n\t\t * We are flying near dragons again.\n\t\t *\n\t\t * We hold a reference to the request in execlist_port[]\n\t\t * but no more than that. We are operating in softirq\n\t\t * context and so cannot hold any mutex or sleep. That\n\t\t * prevents us stopping the requests we are processing\n\t\t * in port[] from being retired simultaneously (the\n\t\t * breadcrumb will be complete before we see the\n\t\t * context-switch). As we only hold the reference to the\n\t\t * request, any pointer chasing underneath the request\n\t\t * is subject to a potential use-after-free. Thus we\n\t\t * store all of the bookkeeping within port[] as\n\t\t * required, and avoid using unguarded pointers beneath\n\t\t * request itself. The same applies to the atomic\n\t\t * status notifier.\n\t\t */\n\n\t\tGEM_TRACE(\"%s csb[%d]: status=0x%08x:0x%08x\\n\",\n\t\t\t engine->name, head,\n\t\t\t buf[2 * head + 0], buf[2 * head + 1]);\n\n\t\tif (INTEL_GEN(engine->i915) >= 12)\n\t\t\tpromote = gen12_csb_parse(execlists, buf + 2 * head);\n\t\telse\n\t\t\tpromote = gen8_csb_parse(execlists, buf + 2 * head);\n\t\tif (promote) {\n\t\t\tstruct i915_request * const *old = execlists->active;\n\n\t\t\t/* Point active to the new ELSP; prevent overwriting */\n\t\t\tWRITE_ONCE(execlists->active, execlists->pending);\n\t\t\tset_timeslice(engine);\n\n\t\t\tif (!inject_preempt_hang(execlists))\n\t\t\t\tring_set_paused(engine, 0);\n\n\t\t\t/* cancel old inflight, prepare for switch */\n\t\t\ttrace_ports(execlists, \"preempted\", old);\n\t\t\twhile (*old)\n\t\t\t\texeclists_schedule_out(*old++);\n\n\t\t\t/* switch pending to inflight */\n\t\t\tGEM_BUG_ON(!assert_pending_valid(execlists, \"promote\"));\n\t\t\tWRITE_ONCE(execlists->active,\n\t\t\t\t 
memcpy(execlists->inflight,\n\t\t\t\t\t execlists->pending,\n\t\t\t\t\t execlists_num_ports(execlists) *\n\t\t\t\t\t sizeof(*execlists->pending)));\n\n\t\t\tWRITE_ONCE(execlists->pending[0], NULL);\n\t\t} else {\n\t\t\tGEM_BUG_ON(!*execlists->active);\n\n\t\t\t/* port0 completed, advanced to port1 */\n\t\t\ttrace_ports(execlists, \"completed\", execlists->active);\n\n\t\t\t/*\n\t\t\t * We rely on the hardware being strongly\n\t\t\t * ordered, that the breadcrumb write is\n\t\t\t * coherent (visible from the CPU) before the\n\t\t\t * user interrupt and CSB is processed.\n\t\t\t */\n\t\t\tGEM_BUG_ON(!i915_request_completed(*execlists->active) &&\n\t\t\t\t !reset_in_progress(execlists));\n\t\t\texeclists_schedule_out(*execlists->active++);\n\n\t\t\tGEM_BUG_ON(execlists->active - execlists->inflight >\n\t\t\t\t execlists_num_ports(execlists));\n\t\t}\n\t} while (head != tail);\n\n\texeclists->csb_head = head;\n\n\t/*\n\t * Gen11 has proven to fail wrt global observation point between\n\t * entry and tail update, failing on the ordering and thus\n\t * we see an old entry in the context status buffer.\n\t *\n\t * Forcibly evict out entries for the next gpu csb update,\n\t * to increase the odds that we get a fresh entries with non\n\t * working hardware. The cost for doing so comes out mostly with\n\t * the wash as hardware, working or not, will need to do the\n\t * invalidation before.\n\t */\n\tinvalidate_csb_entries(&buf[0], &buf[num_entries - 1]);\n}", "project": "linux", "hash": 282668584722599748345810711380431415335, "size": 134, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. 
This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281490 }, { "func": "\nstatic void io_tctx_exit_cb(struct callback_head *cb)\n{\n\tstruct io_uring_task *tctx = current->io_uring;\n\tstruct io_tctx_exit *work;\n\n\twork = container_of(cb, struct io_tctx_exit, task_work);\n\t/*\n\t * When @in_idle, we're in cancellation and it's racy to remove the\n\t * node. It'll be removed by the end of cancellation, just ignore it.\n\t */\n\tif (!atomic_read(&tctx->in_idle))\n\t\tio_uring_del_task_file((unsigned long)work->ctx);\n\tcomplete(&work->completion);", "project": "linux", "hash": 139759659772797446386683833372168788662, "size": 14, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338532 }, { "func": "static int sctp_setsockopt_interleaving_supported(struct sock *sk,\n\t\t\t\t\t\t struct sctp_assoc_value *p,\n\t\t\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\tstruct sctp_association *asoc;\n\n\tif (optlen < sizeof(*p))\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, p->assoc_id);\n\tif (!asoc && p->assoc_id != SCTP_FUTURE_ASSOC && sctp_style(sk, UDP))\n\t\treturn -EINVAL;\n\n\tif (!sock_net(sk)->sctp.intl_enable || !sp->frag_interleave) {\n\t\treturn -EPERM;\n\t}\n\n\tsp->ep->intl_enable = !!p->assoc_value;\n\treturn 0;\n}", "project": "linux", "hash": 50943375251122256781663031347462655369, "size": 21, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398165 }, { "func": "static int lookup_open(struct nameidata *nd, struct path *path,\n\t\t\tstruct file *file,\n\t\t\tconst struct open_flags *op,\n\t\t\tbool got_write)\n{\n\tstruct dentry *dir = nd->path.dentry;\n\tstruct inode *dir_inode = dir->d_inode;\n\tint open_flag = op->open_flag;\n\tstruct dentry *dentry;\n\tint error, create_error = 0;\n\tumode_t mode = op->mode;\n\tDECLARE_WAIT_QUEUE_HEAD_ONSTACK(wq);\n\n\tif (unlikely(IS_DEADDIR(dir_inode)))\n\t\treturn -ENOENT;\n\n\tfile->f_mode &= ~FMODE_CREATED;\n\tdentry = d_lookup(dir, &nd->last);\n\tfor (;;) {\n\t\tif (!dentry) {\n\t\t\tdentry = d_alloc_parallel(dir, &nd->last, &wq);\n\t\t\tif (IS_ERR(dentry))\n\t\t\t\treturn PTR_ERR(dentry);\n\t\t}\n\t\tif (d_in_lookup(dentry))\n\t\t\tbreak;\n\n\t\terror = d_revalidate(dentry, nd->flags);\n\t\tif (likely(error > 0))\n\t\t\tbreak;\n\t\tif (error)\n\t\t\tgoto out_dput;\n\t\td_invalidate(dentry);\n\t\tdput(dentry);\n\t\tdentry = NULL;\n\t}\n\tif (dentry->d_inode) {\n\t\t/* Cached positive dentry: will open in f_op->open */\n\t\tgoto out_no_open;\n\t}\n\n\t/*\n\t * Checking write permission is tricky, bacuse we don't know if we are\n\t * going to actually need it: O_CREAT opens should work as long as the\n\t * file exists. But checking existence breaks atomicity. The trick is\n\t * to check access and if not granted clear O_CREAT from the flags.\n\t *\n\t * Another problem is returing the \"right\" error value (e.g. 
for an\n\t * O_EXCL open we want to return EEXIST not EROFS).\n\t */\n\tif (open_flag & O_CREAT) {\n\t\tif (!IS_POSIXACL(dir->d_inode))\n\t\t\tmode &= ~current_umask();\n\t\tif (unlikely(!got_write)) {\n\t\t\tcreate_error = -EROFS;\n\t\t\topen_flag &= ~O_CREAT;\n\t\t\tif (open_flag & (O_EXCL | O_TRUNC))\n\t\t\t\tgoto no_open;\n\t\t\t/* No side effects, safe to clear O_CREAT */\n\t\t} else {\n\t\t\tcreate_error = may_o_create(&nd->path, dentry, mode);\n\t\t\tif (create_error) {\n\t\t\t\topen_flag &= ~O_CREAT;\n\t\t\t\tif (open_flag & O_EXCL)\n\t\t\t\t\tgoto no_open;\n\t\t\t}\n\t\t}\n\t} else if ((open_flag & (O_TRUNC|O_WRONLY|O_RDWR)) &&\n\t\t unlikely(!got_write)) {\n\t\t/*\n\t\t * No O_CREATE -> atomicity not a requirement -> fall\n\t\t * back to lookup + open\n\t\t */\n\t\tgoto no_open;\n\t}\n\n\tif (dir_inode->i_op->atomic_open) {\n\t\terror = atomic_open(nd, dentry, path, file, op, open_flag,\n\t\t\t\t mode);\n\t\tif (unlikely(error == -ENOENT) && create_error)\n\t\t\terror = create_error;\n\t\treturn error;\n\t}\n\nno_open:\n\tif (d_in_lookup(dentry)) {\n\t\tstruct dentry *res = dir_inode->i_op->lookup(dir_inode, dentry,\n\t\t\t\t\t\t\t nd->flags);\n\t\td_lookup_done(dentry);\n\t\tif (unlikely(res)) {\n\t\t\tif (IS_ERR(res)) {\n\t\t\t\terror = PTR_ERR(res);\n\t\t\t\tgoto out_dput;\n\t\t\t}\n\t\t\tdput(dentry);\n\t\t\tdentry = res;\n\t\t}\n\t}\n\n\t/* Negative dentry, just create the file */\n\tif (!dentry->d_inode && (open_flag & O_CREAT)) {\n\t\tfile->f_mode |= FMODE_CREATED;\n\t\taudit_inode_child(dir_inode, dentry, AUDIT_TYPE_CHILD_CREATE);\n\t\tif (!dir_inode->i_op->create) {\n\t\t\terror = -EACCES;\n\t\t\tgoto out_dput;\n\t\t}\n\t\terror = dir_inode->i_op->create(dir_inode, dentry, mode,\n\t\t\t\t\t\topen_flag & O_EXCL);\n\t\tif (error)\n\t\t\tgoto out_dput;\n\t\tfsnotify_create(dir_inode, dentry);\n\t}\n\tif (unlikely(create_error) && !dentry->d_inode) {\n\t\terror = create_error;\n\t\tgoto out_dput;\n\t}\nout_no_open:\n\tpath->dentry = 
dentry;\n\tpath->mnt = nd->path.mnt;\n\treturn 0;\n\nout_dput:\n\tdput(dentry);\n\treturn error;\n}", "project": "linux", "hash": 242348279151553628050866514762874760502, "size": 126, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295352 }, { "func": "static int kvm_vm_ioctl_enable_dirty_log_ring(struct kvm *kvm, u32 size)\n{\n\tint r;\n\n\tif (!KVM_DIRTY_LOG_PAGE_OFFSET)\n\t\treturn -EINVAL;\n\n\t/* the size should be power of 2 */\n\tif (!size || (size & (size - 1)))\n\t\treturn -EINVAL;\n\n\t/* Should be bigger to keep the reserved entries, or a page */\n\tif (size < kvm_dirty_ring_get_rsvd_entries() *\n\t sizeof(struct kvm_dirty_gfn) || size < PAGE_SIZE)\n\t\treturn -EINVAL;\n\n\tif (size > KVM_DIRTY_RING_MAX_ENTRIES *\n\t sizeof(struct kvm_dirty_gfn))\n\t\treturn -E2BIG;\n\n\t/* We only allow it to set once */\n\tif (kvm->dirty_ring_size)\n\t\treturn -EINVAL;\n\n\tmutex_lock(&kvm->lock);\n\n\tif (kvm->created_vcpus) {\n\t\t/* We don't allow to change this value after vcpu created */\n\t\tr = -EINVAL;\n\t} else {\n\t\tkvm->dirty_ring_size = size;\n\t\tr = 0;\n\t}\n\n\tmutex_unlock(&kvm->lock);\n\treturn r;\n}", "project": "linux", "hash": 262920631084772420977600143893952757443, "size": 37, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404050 }, { "func": "static int sctp_setsockopt_peer_primary_addr(struct sock *sk,\n\t\t\t\t\t struct sctp_setpeerprim *prim,\n\t\t\t\t\t unsigned int optlen)\n{\n\tstruct sctp_sock\t*sp;\n\tstruct sctp_association\t*asoc = NULL;\n\tstruct sctp_chunk\t*chunk;\n\tstruct sctp_af\t\t*af;\n\tint \t\t\terr;\n\n\tsp = sctp_sk(sk);\n\n\tif (!sp->ep->asconf_enable)\n\t\treturn -EPERM;\n\n\tif (optlen != sizeof(struct sctp_setpeerprim))\n\t\treturn -EINVAL;\n\n\tasoc = sctp_id2assoc(sk, prim->sspp_assoc_id);\n\tif (!asoc)\n\t\treturn -EINVAL;\n\n\tif (!asoc->peer.asconf_capable)\n\t\treturn -EPERM;\n\n\tif (asoc->peer.addip_disabled_mask & SCTP_PARAM_SET_PRIMARY)\n\t\treturn -EPERM;\n\n\tif (!sctp_state(asoc, ESTABLISHED))\n\t\treturn -ENOTCONN;\n\n\taf = sctp_get_af_specific(prim->sspp_addr.ss_family);\n\tif (!af)\n\t\treturn -EINVAL;\n\n\tif (!af->addr_valid((union sctp_addr *)&prim->sspp_addr, sp, NULL))\n\t\treturn -EADDRNOTAVAIL;\n\n\tif (!sctp_assoc_lookup_laddr(asoc, (union sctp_addr *)&prim->sspp_addr))\n\t\treturn -EADDRNOTAVAIL;\n\n\t/* Allow security module to validate address. 
*/\n\terr = security_sctp_bind_connect(sk, SCTP_SET_PEER_PRIMARY_ADDR,\n\t\t\t\t\t (struct sockaddr *)&prim->sspp_addr,\n\t\t\t\t\t af->sockaddr_len);\n\tif (err)\n\t\treturn err;\n\n\t/* Create an ASCONF chunk with SET_PRIMARY parameter\t*/\n\tchunk = sctp_make_asconf_set_prim(asoc,\n\t\t\t\t\t (union sctp_addr *)&prim->sspp_addr);\n\tif (!chunk)\n\t\treturn -ENOMEM;\n\n\terr = sctp_send_asconf(asoc, chunk);\n\n\tpr_debug(\"%s: we set peer primary addr primitively\\n\", __func__);\n\n\treturn err;\n}", "project": "linux", "hash": 275790493064450329622251584934940586348, "size": 60, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398138 }, { "func": "int hci_req_run(struct hci_request *req, hci_req_complete_t complete)\n{\n\treturn req_run(req, complete, NULL);\n}", "project": "linux", "hash": 307986018545116303125518221617203243602, "size": 4, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402544 }, { "func": "inline folly::StringPiece StringData::slice() const {\n return folly::StringPiece{data(), m_len};\n}", "project": "hhvm", "hash": 175263743059598216595106252989301963457, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219527 }, { "func": "static void autocomplete_ms_path(RLineCompletion *completion, RCore *core, const char *str, const char *path) {\n\tchar *lpath = NULL, *dirname = NULL , *basename = NULL;\n\tchar *p = NULL;\n\tchar *pwd = (core->rfs && *(core->rfs->cwd)) ? 
*(core->rfs->cwd): \".\";\n\tint n = 0;\n\tRList *list;\n\tRListIter *iter;\n\tRFSFile *file;\n\tr_return_if_fail (path);\n\tlpath = r_str_new (path);\n\tp = (char *)r_str_last (lpath, R_SYS_DIR);\n\tif (p) {\n\t\t*p = 0;\n\t\tif (p == lpath) { // /xxx\n\t\t\tdirname = r_str_new (\"/\");\n\t\t} else if (lpath[0] == '.') { // ./xxx/yyy\n\t\t\tdirname = r_str_newf (\"%s%s\", pwd, R_SYS_DIR);\n\t\t} else if (lpath[0] == '/') { // /xxx/yyy\n \t\t\tdirname = r_str_newf (\"%s%s\", lpath, R_SYS_DIR);\n \t\t} else { // xxx/yyy\n \t\t\tif (strlen (pwd) == 1) { // if pwd is root\n \t\t\tdirname = r_str_newf (\"%s%s%s\", R_SYS_DIR, lpath, R_SYS_DIR);\n \t\t\t} else {\n\t\t\t\tdirname = r_str_newf (\"%s%s%s%s\", pwd, R_SYS_DIR, lpath, R_SYS_DIR);\n \t\t\t}\n\t\t}\n\t\tbasename = r_str_new (p + 1);\n\t} else { // xxx\n \t\tif (strlen (pwd) == 1) {\n \t\t\tdirname = r_str_newf (\"%s\", R_SYS_DIR);\n \t\t} else {\n \t\t\tdirname = r_str_newf (\"%s%s\", pwd, R_SYS_DIR);\n \t\t}\n\t\tbasename = r_str_new (lpath);\n\t}\n\n\tif (!dirname || !basename) {\n\t\tgoto out;\n\t}\n\tlist= r_fs_dir (core->fs, dirname);\n\tn = strlen (basename);\n\tbool chgdir = !strncmp (str, \"cd \", 3);\n\tif (list) {\n\t\tr_list_foreach (list, iter, file) {\n\t\t\tif (!file) {\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (!basename[0] || !strncmp (file->name, basename, n)) {\n\t\t\t\tchar *tmpstring = r_str_newf (\"%s%s\", dirname, file->name);\n\t\t\t\tif (r_file_is_directory (tmpstring)) {\n\t\t\t\t\tchar *s = r_str_newf (\"%s/\", tmpstring);\n\t\t\t\t\tr_line_completion_push (completion, s);\n\t\t\t\t\tfree (s);\n\t\t\t\t} else if (!chgdir) {\n\t\t\t\t\tr_line_completion_push (completion, tmpstring);\n\t\t\t\t}\n\t\t\t\tfree (tmpstring);\n\t\t\t}\n\t\t}\n\t\tr_list_free (list);\n\t}\n\tautocomplete_mount_point (completion, core, path);\nout:\n\tfree (lpath);\n\tfree (dirname);\n\tfree (basename);\n}", "project": "radare2", "hash": 89449735478234690084495369699888652126, "size": 67, "commit_id": 
"cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232091 }, { "func": "HttpStateData::httpBuildRequestHeader(HttpRequest * request,\n StoreEntry * entry,\n const AccessLogEntryPointer &al,\n HttpHeader * hdr_out,\n const Http::StateFlags &flags)\n{\n /* building buffer for complex strings */\n#define BBUF_SZ (MAX_URL+32)\n LOCAL_ARRAY(char, bbuf, BBUF_SZ);\n LOCAL_ARRAY(char, ntoabuf, MAX_IPSTRLEN);\n const HttpHeader *hdr_in = &request->header;\n const HttpHeaderEntry *e = NULL;\n HttpHeaderPos pos = HttpHeaderInitPos;\n assert (hdr_out->owner == hoRequest);\n\n /* use our IMS header if the cached entry has Last-Modified time */\n if (request->lastmod > -1)\n hdr_out->putTime(Http::HdrType::IF_MODIFIED_SINCE, request->lastmod);\n\n // Add our own If-None-Match field if the cached entry has a strong ETag.\n // copyOneHeaderFromClientsideRequestToUpstreamRequest() adds client ones.\n if (request->etag.size() > 0) {\n hdr_out->addEntry(new HttpHeaderEntry(Http::HdrType::IF_NONE_MATCH, NULL,\n request->etag.termedBuf()));\n }\n\n bool we_do_ranges = decideIfWeDoRanges (request);\n\n String strConnection (hdr_in->getList(Http::HdrType::CONNECTION));\n\n while ((e = hdr_in->getEntry(&pos)))\n copyOneHeaderFromClientsideRequestToUpstreamRequest(e, strConnection, request, hdr_out, we_do_ranges, flags);\n\n /* Abstraction break: We should interpret multipart/byterange responses\n * into offset-length data, and this works around our inability to do so.\n */\n if (!we_do_ranges && request->multipartRangeRequest()) {\n /* don't cache the result */\n request->flags.cachable = false;\n /* pretend it's not a range request */\n request->ignoreRange(\"want to request the whole object\");\n request->flags.isRanged = false;\n }\n\n hdr_out->addVia(request->http_ver, hdr_in);\n\n if (request->flags.accelerated) {\n /* Append Surrogate-Capabilities */\n String 
strSurrogate(hdr_in->getList(Http::HdrType::SURROGATE_CAPABILITY));\n#if USE_SQUID_ESI\n snprintf(bbuf, BBUF_SZ, \"%s=\\\"Surrogate/1.0 ESI/1.0\\\"\", Config.Accel.surrogate_id);\n#else\n snprintf(bbuf, BBUF_SZ, \"%s=\\\"Surrogate/1.0\\\"\", Config.Accel.surrogate_id);\n#endif\n strListAdd(&strSurrogate, bbuf, ',');\n hdr_out->putStr(Http::HdrType::SURROGATE_CAPABILITY, strSurrogate.termedBuf());\n }\n\n /** \\pre Handle X-Forwarded-For */\n if (strcmp(opt_forwarded_for, \"delete\") != 0) {\n\n String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR);\n\n // if we cannot double strFwd size, then it grew past 50% of the limit\n if (!strFwd.canGrowBy(strFwd.size())) {\n // There is probably a forwarding loop with Via detection disabled.\n // If we do nothing, String will assert on overflow soon.\n // TODO: Terminate all transactions with huge XFF?\n strFwd = \"error\";\n\n static int warnedCount = 0;\n if (warnedCount++ < 100) {\n const SBuf url(entry ? SBuf(entry->url()) : request->effectiveRequestUri());\n debugs(11, DBG_IMPORTANT, \"Warning: likely forwarding loop with \" << url);\n }\n }\n\n if (strcmp(opt_forwarded_for, \"on\") == 0) {\n /** If set to ON - append client IP or 'unknown'. */\n if ( request->client_addr.isNoAddr() )\n strListAdd(&strFwd, \"unknown\", ',');\n else\n strListAdd(&strFwd, request->client_addr.toStr(ntoabuf, MAX_IPSTRLEN), ',');\n } else if (strcmp(opt_forwarded_for, \"off\") == 0) {\n /** If set to OFF - append 'unknown'. */\n strListAdd(&strFwd, \"unknown\", ',');\n } else if (strcmp(opt_forwarded_for, \"transparent\") == 0) {\n /** If set to TRANSPARENT - pass through unchanged. */\n } else if (strcmp(opt_forwarded_for, \"truncate\") == 0) {\n /** If set to TRUNCATE - drop existing list and replace with client IP or 'unknown'. 
*/\n if ( request->client_addr.isNoAddr() )\n strFwd = \"unknown\";\n else\n strFwd = request->client_addr.toStr(ntoabuf, MAX_IPSTRLEN);\n }\n if (strFwd.size() > 0)\n hdr_out->putStr(Http::HdrType::X_FORWARDED_FOR, strFwd.termedBuf());\n }\n /** If set to DELETE - do not copy through. */\n\n /* append Host if not there already */\n if (!hdr_out->has(Http::HdrType::HOST)) {\n if (request->peer_domain) {\n hdr_out->putStr(Http::HdrType::HOST, request->peer_domain);\n } else {\n SBuf authority = request->url.authority();\n hdr_out->putStr(Http::HdrType::HOST, authority.c_str());\n }\n }\n\n /* append Authorization if known in URL, not in header and going direct */\n if (!hdr_out->has(Http::HdrType::AUTHORIZATION)) {\n if (!request->flags.proxying && !request->url.userInfo().isEmpty()) {\n static char result[base64_encode_len(MAX_URL*2)]; // should be big enough for a single URI segment\n struct base64_encode_ctx ctx;\n base64_encode_init(&ctx);\n size_t blen = base64_encode_update(&ctx, result, request->url.userInfo().length(), reinterpret_cast(request->url.userInfo().rawContent()));\n blen += base64_encode_final(&ctx, result+blen);\n result[blen] = '\\0';\n if (blen)\n httpHeaderPutStrf(hdr_out, Http::HdrType::AUTHORIZATION, \"Basic %.*s\", (int)blen, result);\n }\n }\n\n /* Fixup (Proxy-)Authorization special cases. Plain relaying dealt with above */\n httpFixupAuthentication(request, hdr_in, hdr_out, flags);\n\n /* append Cache-Control, add max-age if not there already */\n {\n HttpHdrCc *cc = hdr_in->getCc();\n\n if (!cc)\n cc = new HttpHdrCc();\n\n#if 0 /* see bug 2330 */\n /* Set no-cache if determined needed but not found */\n if (request->flags.nocache)\n EBIT_SET(cc->mask, HttpHdrCcType::CC_NO_CACHE);\n#endif\n\n /* Add max-age only without no-cache */\n if (!cc->hasMaxAge() && !cc->hasNoCache()) {\n // XXX: performance regression. c_str() reallocates\n SBuf tmp(request->effectiveRequestUri());\n cc->maxAge(getMaxAge(entry ? 
entry->url() : tmp.c_str()));\n }\n\n /* Enforce sibling relations */\n if (flags.only_if_cached)\n cc->onlyIfCached(true);\n\n hdr_out->putCc(cc);\n\n delete cc;\n }\n\n // Always send Connection because HTTP/1.0 servers need explicit \"keep-alive\"\n // while HTTP/1.1 servers need explicit \"close\", and we do not always know\n // the server expectations.\n hdr_out->putStr(Http::HdrType::CONNECTION, flags.keepalive ? \"keep-alive\" : \"close\");\n\n /* append Front-End-Https */\n if (flags.front_end_https) {\n if (flags.front_end_https == 1 || request->url.getScheme() == AnyP::PROTO_HTTPS)\n hdr_out->putStr(Http::HdrType::FRONT_END_HTTPS, \"On\");\n }\n\n if (flags.chunked_request) {\n // Do not just copy the original value so that if the client-side\n // starts decode other encodings, this code may remain valid.\n hdr_out->putStr(Http::HdrType::TRANSFER_ENCODING, \"chunked\");\n }\n\n /* Now mangle the headers. */\n httpHdrMangleList(hdr_out, request, al, ROR_REQUEST);\n\n strConnection.clean();\n}", "project": "squid", "hash": 245686285878289958385798141143154249713, "size": 178, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402314 }, { "func": "void reset_output_levels(void)\n{\n\tint j;\n\n\tmemset(info_levels, 0, sizeof info_levels);\n\tmemset(debug_levels, 0, sizeof debug_levels);\n\n\tfor (j = 0; j < COUNT_INFO; j++)\n\t\tinfo_words[j].priority = DEFAULT_PRIORITY;\n\n\tfor (j = 0; j < COUNT_DEBUG; j++)\n\t\tdebug_words[j].priority = DEFAULT_PRIORITY;\n}", "project": "rsync", "hash": 225703086869747720536826545624520908277, "size": 13, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364674 }, { "func": "static int sctp_setsockopt_recvrcvinfo(struct sock *sk, int *val,\n\t\t\t\t unsigned int optlen)\n{\n\tif (optlen < sizeof(int))\n\t\treturn -EINVAL;\n\n\tsctp_sk(sk)->recvrcvinfo = (*val == 0) ? 
0 : 1;\n\n\treturn 0;\n}", "project": "linux", "hash": 167574124077221237789683200408930652259, "size": 10, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 398189 }, { "func": "static void tipc_node_link_failover(struct tipc_node *n, struct tipc_link *l,\n\t\t\t\t struct tipc_link *tnl,\n\t\t\t\t struct sk_buff_head *xmitq)\n{\n\t/* Avoid to be \"self-failover\" that can never end */\n\tif (!tipc_link_is_up(tnl))\n\t\treturn;\n\n\t/* Don't rush, failure link may be in the process of resetting */\n\tif (l && !tipc_link_is_reset(l))\n\t\treturn;\n\n\ttipc_link_fsm_evt(tnl, LINK_SYNCH_END_EVT);\n\ttipc_node_fsm_evt(n, NODE_SYNCH_END_EVT);\n\n\tn->sync_point = tipc_link_rcv_nxt(tnl) + (U16_MAX / 2 - 1);\n\ttipc_link_failover_prepare(l, tnl, xmitq);\n\n\tif (l)\n\t\ttipc_link_fsm_evt(l, LINK_FAILOVER_BEGIN_EVT);\n\ttipc_node_fsm_evt(n, NODE_FAILOVER_BEGIN_EVT);\n}", "project": "linux", "hash": 78109315524351905934994095074405225486, "size": 22, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n 
genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 
mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364929 }, { "func": "\nstatic int io_sqe_buffers_unregister(struct io_ring_ctx *ctx)\n{\n\tint ret;\n\n\tif (!ctx->buf_data)\n\t\treturn -ENXIO;\n\n\tret = io_rsrc_ref_quiesce(ctx->buf_data, ctx);\n\tif (!ret)\n\t\t__io_sqe_buffers_unregister(ctx);\n\treturn ret;", "project": "linux", "hash": 273583645375557017355528475130124320530, "size": 12, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338545 }, { "func": "bool __mpol_equal(struct mempolicy *a, struct mempolicy *b)\n{\n\tif (!a || !b)\n\t\treturn false;\n\tif (a->mode != b->mode)\n\t\treturn false;\n\tif (a->flags != b->flags)\n\t\treturn false;\n\tif (mpol_store_user_nodemask(a))\n\t\tif (!nodes_equal(a->w.user_nodemask, b->w.user_nodemask))\n\t\t\treturn false;\n\n\tswitch (a->mode) {\n\tcase MPOL_BIND:\n\t\t/* Fall through */\n\tcase MPOL_INTERLEAVE:\n\t\treturn !!nodes_equal(a->v.nodes, b->v.nodes);\n\tcase MPOL_PREFERRED:\n\t\t/* a's ->flags is the same as b's */\n\t\tif (a->flags & MPOL_F_LOCAL)\n\t\t\treturn true;\n\t\treturn a->v.preferred_node == b->v.preferred_node;\n\tdefault:\n\t\tBUG();\n\t\treturn false;\n\t}\n}", "project": "linux", "hash": 119027936937980215294596546874145485478, "size": 27, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366759 }, { "func": "static void nfs4_release_lockowner_done(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs_release_lockowner_data *data = calldata;\n\tstruct nfs_server *server = data->server;\n\n\tnfs40_sequence_done(task, &data->res.seq_res);\n\n\tswitch (task->tk_status) {\n\tcase 0:\n\t\trenew_lease(server, data->timestamp);\n\t\tbreak;\n\tcase -NFS4ERR_STALE_CLIENTID:\n\tcase -NFS4ERR_EXPIRED:\n\t\tnfs4_schedule_lease_recovery(server->nfs_client);\n\t\tbreak;\n\tcase -NFS4ERR_LEASE_MOVED:\n\tcase -NFS4ERR_DELAY:\n\t\tif (nfs4_async_handle_error(task, server,\n\t\t\t\t\t NULL, NULL) == -EAGAIN)\n\t\t\trpc_restart_call_prepare(task);\n\t}\n}", "project": "linux", "hash": 197076016209839147021575485157402022416, "size": 22, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431214 }, { "func": "static bool nfs4_update_lock_stateid(struct nfs4_lock_state 
*lsp,\n\t\tconst nfs4_stateid *stateid)\n{\n\tstruct nfs4_state *state = lsp->ls_state;\n\tbool ret = false;\n\n\tspin_lock(&state->state_lock);\n\tif (!nfs4_stateid_match_other(stateid, &lsp->ls_stateid))\n\t\tgoto out_noupdate;\n\tif (!nfs4_stateid_is_newer(stateid, &lsp->ls_stateid))\n\t\tgoto out_noupdate;\n\tnfs4_stateid_copy(&lsp->ls_stateid, stateid);\n\tret = true;\nout_noupdate:\n\tspin_unlock(&state->state_lock);\n\treturn ret;\n}", "project": "linux", "hash": 66208293635456490562249677051531259942, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431159 }, { "func": "static void hci_req_set_event_filter(struct hci_request *req)\n{\n\tstruct bdaddr_list_with_flags *b;\n\tstruct hci_cp_set_event_filter f;\n\tstruct hci_dev *hdev = req->hdev;\n\tu8 scan = SCAN_DISABLED;\n\n\t/* Always clear event filter when starting */\n\thci_req_clear_event_filter(req);\n\n\tlist_for_each_entry(b, &hdev->whitelist, list) {\n\t\tif (!hci_conn_test_flag(HCI_CONN_FLAG_REMOTE_WAKEUP,\n\t\t\t\t\tb->current_flags))\n\t\t\tcontinue;\n\n\t\tmemset(&f, 0, sizeof(f));\n\t\tbacpy(&f.addr_conn_flt.bdaddr, &b->bdaddr);\n\t\tf.flt_type = HCI_FLT_CONN_SETUP;\n\t\tf.cond_type = HCI_CONN_SETUP_ALLOW_BDADDR;\n\t\tf.addr_conn_flt.auto_accept = HCI_CONN_SETUP_AUTO_ON;\n\n\t\tbt_dev_dbg(hdev, \"Adding event filters for %pMR\", &b->bdaddr);\n\t\thci_req_add(req, HCI_OP_SET_EVENT_FLT, sizeof(f), &f);\n\t\tscan = SCAN_PAGE;\n\t}\n\n\tif (scan)\n\t\tset_bit(SUSPEND_SCAN_ENABLE, hdev->suspend_tasks);\n\telse\n\t\tset_bit(SUSPEND_SCAN_DISABLE, 
hdev->suspend_tasks);\n\n\thci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);\n}", "project": "linux", "hash": 26462738155850659321330007977202600042, "size": 33, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402523 }, { "func": "\nstatic void bfq_update_has_short_ttime(struct bfq_data *bfqd,\n\t\t\t\t struct bfq_queue *bfqq,\n\t\t\t\t struct bfq_io_cq *bic)\n{\n\tbool has_short_ttime = true, state_changed;\n\n\t/*\n\t * No need to update has_short_ttime if bfqq is async or in\n\t * idle io prio class, or if bfq_slice_idle is zero, because\n\t * no device idling is performed for bfqq in this case.\n\t */\n\tif (!bfq_bfqq_sync(bfqq) || bfq_class_idle(bfqq) ||\n\t bfqd->bfq_slice_idle == 0)\n\t\treturn;\n\n\t/* Idle window just restored, statistics are meaningless. */\n\tif (time_is_after_eq_jiffies(bfqq->split_time +\n\t\t\t\t bfqd->bfq_wr_min_idle_time))\n\t\treturn;\n\n\t/* Think time is infinite if no process is linked to\n\t * bfqq. 
Otherwise check average think time to\n\t * decide whether to mark as has_short_ttime\n\t */\n\tif (atomic_read(&bic->icq.ioc->active_ref) == 0 ||\n\t (bfq_sample_valid(bfqq->ttime.ttime_samples) &&\n\t bfqq->ttime.ttime_mean > bfqd->bfq_slice_idle))\n\t\thas_short_ttime = false;\n\n\tstate_changed = has_short_ttime != bfq_bfqq_has_short_ttime(bfqq);\n\n\tif (has_short_ttime)\n\t\tbfq_mark_bfqq_has_short_ttime(bfqq);\n\telse\n\t\tbfq_clear_bfqq_has_short_ttime(bfqq);\n\n\t/*\n\t * Until the base value for the total service time gets\n\t * finally computed for bfqq, the inject limit does depend on\n\t * the think-time state (short|long). In particular, the limit\n\t * is 0 or 1 if the think time is deemed, respectively, as\n\t * short or long (details in the comments in\n\t * bfq_update_inject_limit()). Accordingly, the next\n\t * instructions reset the inject limit if the think-time state\n\t * has changed and the above base value is still to be\n\t * computed.\n\t *\n\t * However, the reset is performed only if more than 100 ms\n\t * have elapsed since the last update of the inject limit, or\n\t * (inclusive) if the change is from short to long think\n\t * time. The reason for this waiting is as follows.\n\t *\n\t * bfqq may have a long think time because of a\n\t * synchronization with some other queue, i.e., because the\n\t * I/O of some other queue may need to be completed for bfqq\n\t * to receive new I/O. Details in the comments on the choice\n\t * of the queue for injection in bfq_select_queue().\n\t *\n\t * As stressed in those comments, if such a synchronization is\n\t * actually in place, then, without injection on bfqq, the\n\t * blocking I/O cannot happen to served while bfqq is in\n\t * service. As a consequence, if bfqq is granted\n\t * I/O-dispatch-plugging, then bfqq remains empty, and no I/O\n\t * is dispatched, until the idle timeout fires. 
This is likely\n\t * to result in lower bandwidth and higher latencies for bfqq,\n\t * and in a severe loss of total throughput.\n\t *\n\t * On the opposite end, a non-zero inject limit may allow the\n\t * I/O that blocks bfqq to be executed soon, and therefore\n\t * bfqq to receive new I/O soon.\n\t *\n\t * But, if the blocking gets actually eliminated, then the\n\t * next think-time sample for bfqq may be very low. This in\n\t * turn may cause bfqq's think time to be deemed\n\t * short. Without the 100 ms barrier, this new state change\n\t * would cause the body of the next if to be executed\n\t * immediately. But this would set to 0 the inject\n\t * limit. Without injection, the blocking I/O would cause the\n\t * think time of bfqq to become long again, and therefore the\n\t * inject limit to be raised again, and so on. The only effect\n\t * of such a steady oscillation between the two think-time\n\t * states would be to prevent effective injection on bfqq.\n\t *\n\t * In contrast, if the inject limit is not reset during such a\n\t * long time interval as 100 ms, then the number of short\n\t * think time samples can grow significantly before the reset\n\t * is performed. As a consequence, the think time state can\n\t * become stable before the reset. Therefore there will be no\n\t * state change when the 100 ms elapse, and no reset of the\n\t * inject limit. The inject limit remains steadily equal to 1\n\t * both during and after the 100 ms. So injection can be\n\t * performed at all times, and throughput gets boosted.\n\t *\n\t * An inject limit equal to 1 is however in conflict, in\n\t * general, with the fact that the think time of bfqq is\n\t * short, because injection may be likely to delay bfqq's I/O\n\t * (as explained in the comments in\n\t * bfq_update_inject_limit()). But this does not happen in\n\t * this special case, because bfqq's low think time is due to\n\t * an effective handling of a synchronization, through\n\t * injection. 
In this special case, bfqq's I/O does not get\n\t * delayed by injection; on the contrary, bfqq's I/O is\n\t * brought forward, because it is not blocked for\n\t * milliseconds.\n\t *\n\t * In addition, serving the blocking I/O much sooner, and much\n\t * more frequently than once per I/O-plugging timeout, makes\n\t * it much quicker to detect a waker queue (the concept of\n\t * waker queue is defined in the comments in\n\t * bfq_add_request()). This makes it possible to start sooner\n\t * to boost throughput more effectively, by injecting the I/O\n\t * of the waker queue unconditionally on every\n\t * bfq_dispatch_request().\n\t *\n\t * One last, important benefit of not resetting the inject\n\t * limit before 100 ms is that, during this time interval, the\n\t * base value for the total service time is likely to get\n\t * finally computed for bfqq, freeing the inject limit from\n\t * its relation with the think time.\n\t */\n\tif (state_changed && bfqq->last_serv_time_ns == 0 &&\n\t (time_is_before_eq_jiffies(bfqq->decrease_time_jif +\n\t\t\t\t msecs_to_jiffies(100)) ||\n\t !has_short_ttime))\n\t\tbfq_reset_inject_limit(bfqd, bfqq);", "project": "linux", "hash": 67562039587602556807721278737612457739, "size": 126, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453341 }, { "func": "\nstatic void io_rsrc_put_work(struct work_struct *work)\n{\n\tstruct io_ring_ctx *ctx;\n\tstruct llist_node *node;\n\n\tctx = container_of(work, struct io_ring_ctx, rsrc_put_work.work);\n\tnode = llist_del_all(&ctx->rsrc_put_llist);\n\n\twhile (node) {\n\t\tstruct io_rsrc_node *ref_node;\n\t\tstruct llist_node *next = node->next;\n\n\t\tref_node = llist_entry(node, struct io_rsrc_node, llist);\n\t\t__io_rsrc_put_work(ref_node);\n\t\tnode = next;\n\t}", "project": "linux", "hash": 263020877813727460027667811407589854339, "size": 17, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338603 }, { "func": " const EntryPtr& entryPtr() const {\n assertx(m_kind == Kind::SmartPtr);\n return m_u.smart_ptr;\n }", "project": "hhvm", "hash": 173634319754452935107817342796762940701, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219551 }, { "func": "void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color)\n{\n\tint dx, dy, incr1, incr2, d, x, y, xend, yend, xdirflag, ydirflag;\n\tint wid;\n\tint w, wstart;\n\tint thick = im->thick;\n\n\tif (color == gdAntiAliased) {\n\t\t/*\n\t\t gdAntiAliased passed as color: use the much faster, much cheaper\n\t\t and equally attractive gdImageAALine implementation. 
That\n\t\t clips too, so don't clip twice.\n\t\t */\n\t\tgdImageAALine(im, x1, y1, x2, y2, im->AA_color);\n\t\treturn;\n\t}\n\n\t/* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */\n\tif (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im))) {\n\t\treturn;\n\t}\n\n\tdx = abs (x2 - x1);\n\tdy = abs (y2 - y1);\n\n\tif (dx == 0) {\n\t\tgdImageVLine(im, x1, y1, y2, color);\n\t\treturn;\n\t} else if (dy == 0) {\n\t\tgdImageHLine(im, y1, x1, x2, color);\n\t\treturn;\n\t}\n\n\tif (dy <= dx) {\n\t\t/* More-or-less horizontal. use wid for vertical stroke */\n\t\t/* Doug Claar: watch out for NaN in atan2 (2.0.5) */\n\t\tif ((dx == 0) && (dy == 0)) {\n\t\t\twid = 1;\n\t\t} else {\n\t\t\t/* 2.0.12: Michael Schwartz: divide rather than multiply;\nTBB: but watch out for /0! */\n\t\t\tdouble ac = cos (atan2 (dy, dx));\n\t\t\tif (ac != 0) {\n\t\t\t\twid = thick / ac;\n\t\t\t} else {\n\t\t\t\twid = 1;\n\t\t\t}\n\t\t\tif (wid == 0) {\n\t\t\t\twid = 1;\n\t\t\t}\n\t\t}\n\t\td = 2 * dy - dx;\n\t\tincr1 = 2 * dy;\n\t\tincr2 = 2 * (dy - dx);\n\t\tif (x1 > x2) {\n\t\t\tx = x2;\n\t\t\ty = y2;\n\t\t\tydirflag = (-1);\n\t\t\txend = x1;\n\t\t} else {\n\t\t\tx = x1;\n\t\t\ty = y1;\n\t\t\tydirflag = 1;\n\t\t\txend = x2;\n\t\t}\n\n\t\t/* Set up line thickness */\n\t\twstart = y - wid / 2;\n\t\tfor (w = wstart; w < wstart + wid; w++) {\n\t\t\tgdImageSetPixel(im, x, w, color);\n\t\t}\n\n\t\tif (((y2 - y1) * ydirflag) > 0) {\n\t\t\twhile (x < xend) {\n\t\t\t\tx++;\n\t\t\t\tif (d < 0) {\n\t\t\t\t\td += incr1;\n\t\t\t\t} else {\n\t\t\t\t\ty++;\n\t\t\t\t\td += incr2;\n\t\t\t\t}\n\t\t\t\twstart = y - wid / 2;\n\t\t\t\tfor (w = wstart; w < wstart + wid; w++) {\n\t\t\t\t\tgdImageSetPixel (im, x, w, color);\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\twhile (x < xend) {\n\t\t\t\tx++;\n\t\t\t\tif (d < 0) {\n\t\t\t\t\td += incr1;\n\t\t\t\t} else {\n\t\t\t\t\ty--;\n\t\t\t\t\td += incr2;\n\t\t\t\t}\n\t\t\t\twstart = y - wid / 
2;\n\t\t\t\tfor (w = wstart; w < wstart + wid; w++) {\n\t\t\t\t\tgdImageSetPixel (im, x, w, color);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t} else {\n\t\t/* More-or-less vertical. use wid for horizontal stroke */\n\t\t/* 2.0.12: Michael Schwartz: divide rather than multiply;\n\t\t TBB: but watch out for /0! */\n\t\tdouble as = sin (atan2 (dy, dx));\n\t\tif (as != 0) {\n\t\t\twid = thick / as;\n\t\t} else {\n\t\t\twid = 1;\n\t\t}\n\t\tif (wid == 0) {\n\t\t\twid = 1;\n\t\t}\n\n\t\td = 2 * dx - dy;\n\t\tincr1 = 2 * dx;\n\t\tincr2 = 2 * (dx - dy);\n\t\tif (y1 > y2) {\n\t\t\ty = y2;\n\t\t\tx = x2;\n\t\t\tyend = y1;\n\t\t\txdirflag = (-1);\n\t\t} else {\n\t\t\ty = y1;\n\t\t\tx = x1;\n\t\t\tyend = y2;\n\t\t\txdirflag = 1;\n\t\t}\n\n\t\t/* Set up line thickness */\n\t\twstart = x - wid / 2;\n\t\tfor (w = wstart; w < wstart + wid; w++) {\n\t\t\tgdImageSetPixel (im, w, y, color);\n\t\t}\n\n\t\tif (((x2 - x1) * xdirflag) > 0) {\n\t\t\twhile (y < yend) {\n\t\t\t\ty++;\n\t\t\t\tif (d < 0) {\n\t\t\t\t\td += incr1;\n\t\t\t\t} else {\n\t\t\t\t\tx++;\n\t\t\t\t\td += incr2;\n\t\t\t\t}\n\t\t\t\twstart = x - wid / 2;\n\t\t\t\tfor (w = wstart; w < wstart + wid; w++) {\n\t\t\t\t\tgdImageSetPixel (im, w, y, color);\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\twhile (y < yend) {\n\t\t\t\ty++;\n\t\t\t\tif (d < 0) {\n\t\t\t\t\td += incr1;\n\t\t\t\t} else {\n\t\t\t\t\tx--;\n\t\t\t\t\td += incr2;\n\t\t\t\t}\n\t\t\t\twstart = x - wid / 2;\n\t\t\t\tfor (w = wstart; w < wstart + wid; w++) {\n\t\t\t\t\tgdImageSetPixel (im, w, y, color);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}", "project": "php-src", "hash": 162902473726693974462297163055332584432, "size": 167, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295157 }, { "func": "mysql_options4(MYSQL *mysql,enum mysql_option option, const void *arg1, const void *arg2)\n{\n return mysql_optionsv(mysql, option, 
arg1, arg2);\n}", "project": "mariadb-connector-c", "hash": 226893579352102450904666654970551477885, "size": 4, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429647 }, { "func": "mysql_options(MYSQL *mysql,enum mysql_option option, const void *arg)\n{\n return mysql_optionsv(mysql, option, arg);\n}", "project": "mariadb-connector-c", "hash": 267371213734971032218499827739053661254, "size": 4, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429731 }, { "func": "static void trace_start(jit_State *J)\n{\n lua_State *L;\n TraceNo traceno;\n\n if ((J->pt->flags & PROTO_NOJIT)) { /* JIT disabled for this proto? */\n if (J->parent == 0) {\n /* Lazy bytecode patching to disable hotcount events. */\n lua_assert(bc_op(*J->pc) == BC_FORL || bc_op(*J->pc) == BC_ITERL ||\n\t\t bc_op(*J->pc) == BC_LOOP || bc_op(*J->pc) == BC_FUNCF);\n setbc_op(J->pc, (int)bc_op(*J->pc)+(int)BC_ILOOP-(int)BC_LOOP);\n J->pt->flags |= PROTO_ILOOP;\n }\n J->state = LJ_TRACE_IDLE; /* Silently ignored. */\n return;\n }\n\n /* Get a new trace number. */\n traceno = trace_findfree(J);\n if (LJ_UNLIKELY(traceno == 0)) { /* No free trace? */\n lua_assert((J2G(J)->hookmask & HOOK_GC) == 0);\n lj_trace_flushall(J->L);\n J->state = LJ_TRACE_IDLE; /* Silently ignored. */\n return;\n }\n setgcrefp(J->trace[traceno], &J->cur);\n\n /* Setup enough of the current trace to be able to send the vmevent. 
*/\n memset(&J->cur, 0, sizeof(GCtrace));\n J->cur.traceno = traceno;\n J->cur.nins = J->cur.nk = REF_BASE;\n J->cur.ir = J->irbuf;\n J->cur.snap = J->snapbuf;\n J->cur.snapmap = J->snapmapbuf;\n J->mergesnap = 0;\n J->needsnap = 0;\n J->bcskip = 0;\n J->guardemit.irt = 0;\n J->postproc = LJ_POST_NONE;\n lj_resetsplit(J);\n setgcref(J->cur.startpt, obj2gco(J->pt));\n\n L = J->L;\n lj_vmevent_send(L, TRACE,\n setstrV(L, L->top++, lj_str_newlit(L, \"start\"));\n setintV(L->top++, traceno);\n setfuncV(L, L->top++, J->fn);\n setintV(L->top++, proto_bcpos(J->pt, J->pc));\n if (J->parent) {\n setintV(L->top++, J->parent);\n setintV(L->top++, J->exitno);\n }\n );\n lj_record_setup(J);\n}", "project": "LuaJIT", "hash": 229131810567235150316471605638114273750, "size": 55, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394616 }, { "func": "static OPJ_BOOL opj_j2k_write_sod(opj_j2k_t *p_j2k,\n opj_tcd_t * p_tile_coder,\n OPJ_BYTE * p_data,\n OPJ_UINT32 * p_data_written,\n OPJ_UINT32 total_data_size,\n const opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager\n )\n{\n opj_codestream_info_t *l_cstr_info = 00;\n OPJ_UINT32 l_remaining_data;\n opj_tcd_marker_info_t* marker_info = NULL;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n OPJ_UNUSED(p_stream);\n\n if (total_data_size < 4) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough bytes in output buffer to write SOD marker\\n\");\n return OPJ_FALSE;\n }\n\n opj_write_bytes(p_data, J2K_MS_SOD,\n 2); /* SOD */\n\n /* make room for the EOF marker */\n l_remaining_data = total_data_size - 4;\n\n /* update tile coder */\n p_tile_coder->tp_num =\n p_j2k->m_specific_param.m_encoder.m_current_poc_tile_part_number ;\n p_tile_coder->cur_tp_num =\n p_j2k->m_specific_param.m_encoder.m_current_tile_part_number;\n\n /* INDEX >> */\n /* TODO mergeV2: check this 
part which use cstr_info */\n /*l_cstr_info = p_j2k->cstr_info;\n if (l_cstr_info) {\n if (!p_j2k->m_specific_param.m_encoder.m_current_tile_part_number ) {\n //TODO cstr_info->tile[p_j2k->m_current_tile_number].end_header = p_stream_tell(p_stream) + p_j2k->pos_correction - 1;\n l_cstr_info->tile[p_j2k->m_current_tile_number].tileno = p_j2k->m_current_tile_number;\n }\n else {*/\n /*\n TODO\n if\n (cstr_info->tile[p_j2k->m_current_tile_number].packet[cstr_info->packno - 1].end_pos < p_stream_tell(p_stream))\n {\n cstr_info->tile[p_j2k->m_current_tile_number].packet[cstr_info->packno].start_pos = p_stream_tell(p_stream);\n }*/\n /*}*/\n /* UniPG>> */\n#ifdef USE_JPWL\n /* update markers struct */\n /*OPJ_BOOL res = j2k_add_marker(p_j2k->cstr_info, J2K_MS_SOD, p_j2k->sod_start, 2);\n */\n assert(0 && \"TODO\");\n#endif /* USE_JPWL */\n /* <m_specific_param.m_encoder.m_current_tile_part_number == 0) {\n p_tile_coder->tcd_image->tiles->packno = 0;\n#ifdef deadcode\n if (l_cstr_info) {\n l_cstr_info->packno = 0;\n }\n#endif\n }\n\n *p_data_written = 0;\n\n if (p_j2k->m_specific_param.m_encoder.m_PLT) {\n marker_info = opj_tcd_marker_info_create(\n p_j2k->m_specific_param.m_encoder.m_PLT);\n if (marker_info == NULL) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Cannot encode tile: opj_tcd_marker_info_create() failed\\n\");\n return OPJ_FALSE;\n }\n }\n\n assert(l_remaining_data >\n p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT);\n l_remaining_data -= p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT;\n\n if (! 
opj_tcd_encode_tile(p_tile_coder, p_j2k->m_current_tile_number,\n p_data + 2,\n p_data_written, l_remaining_data, l_cstr_info,\n marker_info,\n p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Cannot encode tile\\n\");\n opj_tcd_marker_info_destroy(marker_info);\n return OPJ_FALSE;\n }\n\n /* For SOD */\n *p_data_written += 2;\n\n if (p_j2k->m_specific_param.m_encoder.m_PLT) {\n OPJ_UINT32 l_data_written_PLT = 0;\n OPJ_BYTE* p_PLT_buffer = (OPJ_BYTE*)opj_malloc(\n p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT);\n if (!p_PLT_buffer) {\n opj_event_msg(p_manager, EVT_ERROR, \"Cannot allocate memory\\n\");\n opj_tcd_marker_info_destroy(marker_info);\n return OPJ_FALSE;\n }\n if (!opj_j2k_write_plt_in_memory(p_j2k,\n marker_info,\n p_PLT_buffer,\n &l_data_written_PLT,\n p_manager)) {\n opj_tcd_marker_info_destroy(marker_info);\n opj_free(p_PLT_buffer);\n return OPJ_FALSE;\n }\n\n assert(l_data_written_PLT <=\n p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT);\n\n /* Move PLT marker(s) before SOD */\n memmove(p_data + l_data_written_PLT, p_data, *p_data_written);\n memcpy(p_data, p_PLT_buffer, l_data_written_PLT);\n opj_free(p_PLT_buffer);\n *p_data_written += l_data_written_PLT;\n }\n\n opj_tcd_marker_info_destroy(marker_info);\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 2596444094136185670542568690370435768, "size": 137, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 1, "dataset": "other", "idx": 204345 }, { "func": "static OPJ_BOOL opj_j2k_write_sod(opj_j2k_t *p_j2k,\n opj_tcd_t * p_tile_coder,\n OPJ_BYTE * p_data,\n OPJ_UINT32 * p_data_written,\n OPJ_UINT32 total_data_size,\n const opj_stream_private_t *p_stream,\n opj_event_mgr_t * p_manager\n )\n{\n opj_codestream_info_t *l_cstr_info = 00;\n OPJ_UINT32 l_remaining_data;\n opj_tcd_marker_info_t* marker_info = NULL;\n\n /* preconditions */\n 
assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n\n OPJ_UNUSED(p_stream);\n\n if (total_data_size < 4) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough bytes in output buffer to write SOD marker\\n\");\n return OPJ_FALSE;\n }\n\n opj_write_bytes(p_data, J2K_MS_SOD,\n 2); /* SOD */\n\n /* make room for the EOF marker */\n l_remaining_data = total_data_size - 4;\n\n /* update tile coder */\n p_tile_coder->tp_num =\n p_j2k->m_specific_param.m_encoder.m_current_poc_tile_part_number ;\n p_tile_coder->cur_tp_num =\n p_j2k->m_specific_param.m_encoder.m_current_tile_part_number;\n\n /* INDEX >> */\n /* TODO mergeV2: check this part which use cstr_info */\n /*l_cstr_info = p_j2k->cstr_info;\n if (l_cstr_info) {\n if (!p_j2k->m_specific_param.m_encoder.m_current_tile_part_number ) {\n //TODO cstr_info->tile[p_j2k->m_current_tile_number].end_header = p_stream_tell(p_stream) + p_j2k->pos_correction - 1;\n l_cstr_info->tile[p_j2k->m_current_tile_number].tileno = p_j2k->m_current_tile_number;\n }\n else {*/\n /*\n TODO\n if\n (cstr_info->tile[p_j2k->m_current_tile_number].packet[cstr_info->packno - 1].end_pos < p_stream_tell(p_stream))\n {\n cstr_info->tile[p_j2k->m_current_tile_number].packet[cstr_info->packno].start_pos = p_stream_tell(p_stream);\n }*/\n /*}*/\n /* UniPG>> */\n#ifdef USE_JPWL\n /* update markers struct */\n /*OPJ_BOOL res = j2k_add_marker(p_j2k->cstr_info, J2K_MS_SOD, p_j2k->sod_start, 2);\n */\n assert(0 && \"TODO\");\n#endif /* USE_JPWL */\n /* <m_specific_param.m_encoder.m_current_tile_part_number == 0) {\n p_tile_coder->tcd_image->tiles->packno = 0;\n#ifdef deadcode\n if (l_cstr_info) {\n l_cstr_info->packno = 0;\n }\n#endif\n }\n\n *p_data_written = 0;\n\n if (p_j2k->m_specific_param.m_encoder.m_PLT) {\n marker_info = opj_tcd_marker_info_create(\n p_j2k->m_specific_param.m_encoder.m_PLT);\n if (marker_info == NULL) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Cannot encode tile: opj_tcd_marker_info_create() failed\\n\");\n 
return OPJ_FALSE;\n }\n }\n\n if (l_remaining_data <\n p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough bytes in output buffer to write SOD marker\\n\");\n opj_tcd_marker_info_destroy(marker_info);\n return OPJ_FALSE;\n }\n l_remaining_data -= p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT;\n\n if (! opj_tcd_encode_tile(p_tile_coder, p_j2k->m_current_tile_number,\n p_data + 2,\n p_data_written, l_remaining_data, l_cstr_info,\n marker_info,\n p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Cannot encode tile\\n\");\n opj_tcd_marker_info_destroy(marker_info);\n return OPJ_FALSE;\n }\n\n /* For SOD */\n *p_data_written += 2;\n\n if (p_j2k->m_specific_param.m_encoder.m_PLT) {\n OPJ_UINT32 l_data_written_PLT = 0;\n OPJ_BYTE* p_PLT_buffer = (OPJ_BYTE*)opj_malloc(\n p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT);\n if (!p_PLT_buffer) {\n opj_event_msg(p_manager, EVT_ERROR, \"Cannot allocate memory\\n\");\n opj_tcd_marker_info_destroy(marker_info);\n return OPJ_FALSE;\n }\n if (!opj_j2k_write_plt_in_memory(p_j2k,\n marker_info,\n p_PLT_buffer,\n &l_data_written_PLT,\n p_manager)) {\n opj_tcd_marker_info_destroy(marker_info);\n opj_free(p_PLT_buffer);\n return OPJ_FALSE;\n }\n\n assert(l_data_written_PLT <=\n p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT);\n\n /* Move PLT marker(s) before SOD */\n memmove(p_data + l_data_written_PLT, p_data, *p_data_written);\n memcpy(p_data, p_PLT_buffer, l_data_written_PLT);\n opj_free(p_PLT_buffer);\n *p_data_written += l_data_written_PLT;\n }\n\n opj_tcd_marker_info_destroy(marker_info);\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 110807645529220467738052209881275757752, "size": 142, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357326 }, { "func": "static 
void encode_opentype(struct xdr_stream *xdr, const struct nfs_openargs *arg)\n{\n\t__be32 *p;\n\n\tp = reserve_space(xdr, 4);\n\tswitch (arg->open_flags & O_CREAT) {\n\tcase 0:\n\t\t*p = cpu_to_be32(NFS4_OPEN_NOCREATE);\n\t\tbreak;\n\tdefault:\n\t\t*p = cpu_to_be32(NFS4_OPEN_CREATE);\n\t\tencode_createmode(xdr, arg);\n\t}\n}", "project": "linux", "hash": 161178433437388534694803608247289943476, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431180 }, { "func": "void LibRaw::identify_finetune_pentax()\n{\n\tif (makeIs(LIBRAW_CAMERAMAKER_Pentax) ||\n\t\tmakeIs(LIBRAW_CAMERAMAKER_Samsung)) {\n\t\tif (height == 2624 &&\n\t\t\twidth == 3936) // Pentax K10D, Samsung GX10;\n\t\t{\n\t\t\theight = 2616;\n\t\t\twidth = 3896;\n\t\t}\n\t\tif (height == 3136 &&\n\t\t\twidth == 4864) // Pentax K20D, Samsung GX20;\n\t\t{\n\t\t\theight = 3124;\n\t\t\twidth = 4688;\n\t\t\tfilters = 0x16161616;\n\t\t}\n\t}\n\n\tif (makeIs(LIBRAW_CAMERAMAKER_Pentax)) {\n\t\tif ((width == 4352) &&\n\t\t\t((unique_id == PentaxID_K_r) ||\n\t\t\t(unique_id == PentaxID_K_x)))\n\t\t{\n\t\t\twidth = 4309;\n\t\t\tfilters = 0x16161616;\n\t\t}\n\t\tif ((width >= 4960) &&\n\t\t\t((unique_id == PentaxID_K_5) ||\n\t\t\t(unique_id == PentaxID_K_5_II) ||\n\t\t\t\t(unique_id == PentaxID_K_5_II_s)))\n\t\t{\n\t\t\tleft_margin = 10;\n\t\t\twidth = 4950;\n\t\t\tfilters = 0x16161616;\n\t\t}\n\t\tif ((width == 6080) && (unique_id == PentaxID_K_70))\n\t\t{\n\t\t\theight = 4016;\n\t\t\ttop_margin = 32;\n\t\t\twidth = 6020;\n\t\t\tleft_margin = 60;\n\t\t}\n\t\tif ((width == 4736) && 
(unique_id == PentaxID_K_7))\n\t\t{\n\t\t\theight = 3122;\n\t\t\twidth = 4684;\n\t\t\tfilters = 0x16161616;\n\t\t\ttop_margin = 2;\n\t\t}\n\t\tif ((width == 6080) && (unique_id == PentaxID_K_3_II))\n\t\t{\n\t\t\tleft_margin = 4;\n\t\t\twidth = 6040;\n\t\t}\n\t\tif ((width == 6112) && (unique_id == PentaxID_KP))\n\t\t{\n\t\t\t// From DNG, maybe too strict\n\t\t\tleft_margin = 54;\n\t\t\ttop_margin = 28;\n\t\t\twidth = 6028;\n\t\t\theight = raw_height - top_margin;\n\t\t}\n\t\tif ((width == 6080) && (unique_id == PentaxID_K_3))\n\t\t{\n\t\t\tleft_margin = 4;\n\t\t\twidth = 6040;\n\t\t}\n\t\tif ((width == 7424) && (unique_id == PentaxID_645D))\n\t\t{\n\t\t\theight = 5502;\n\t\t\twidth = 7328;\n\t\t\tfilters = 0x61616161;\n\t\t\ttop_margin = 29;\n\t\t\tleft_margin = 48;\n\t\t}\n\t}\n\telse if (makeIs(LIBRAW_CAMERAMAKER_Ricoh) &&\n\t\t(height == 3014) && (width == 4096)) // Ricoh GX200\n\t\twidth = 4014;\n}", "project": "LibRaw", "hash": 183007717092009589078471883597906736138, "size": 81, "commit_id": "4feaed4dea636cee4fee010f615881ccf76a096d", "message": "limit loops to MIN(colors,4) in dng fields parser", "target": 0, "dataset": "other", "idx": 482357 }, { "func": "static bool recalc_sigpending_tsk(struct task_struct *t)\n{\n\tif ((t->jobctl & (JOBCTL_PENDING_MASK | JOBCTL_TRAP_FREEZE)) ||\n\t PENDING(&t->pending, &t->blocked) ||\n\t PENDING(&t->signal->shared_pending, &t->blocked) ||\n\t cgroup_task_frozen(t)) {\n\t\tset_tsk_thread_flag(t, TIF_SIGPENDING);\n\t\treturn true;\n\t}\n\n\t/*\n\t * We must never clear the flag in another thread, or in current\n\t * when it's possible the current syscall is returning -ERESTART*.\n\t * So we don't clear it here, and only callers who know they should do.\n\t */\n\treturn false;\n}", "project": "linux", "hash": 203805944639940650609985023893427855568, "size": 17, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it 
impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375269 }, { "func": "static int sctp_wait_for_connect(struct sctp_association *asoc, long *timeo_p)\n{\n\tstruct sock *sk = asoc->base.sk;\n\tint err = 0;\n\tlong current_timeo = *timeo_p;\n\tDEFINE_WAIT(wait);\n\n\tpr_debug(\"%s: asoc:%p, timeo:%ld\\n\", __func__, asoc, *timeo_p);\n\n\t/* Increment the association's refcnt. 
*/\n\tsctp_association_hold(asoc);\n\n\tfor (;;) {\n\t\tprepare_to_wait_exclusive(&asoc->wait, &wait,\n\t\t\t\t\t TASK_INTERRUPTIBLE);\n\t\tif (!*timeo_p)\n\t\t\tgoto do_nonblock;\n\t\tif (sk->sk_shutdown & RCV_SHUTDOWN)\n\t\t\tbreak;\n\t\tif (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING ||\n\t\t asoc->base.dead)\n\t\t\tgoto do_error;\n\t\tif (signal_pending(current))\n\t\t\tgoto do_interrupted;\n\n\t\tif (sctp_state(asoc, ESTABLISHED))\n\t\t\tbreak;\n\n\t\t/* Let another process have a go. Since we are going\n\t\t * to sleep anyway.\n\t\t */\n\t\trelease_sock(sk);\n\t\tcurrent_timeo = schedule_timeout(current_timeo);\n\t\tlock_sock(sk);\n\n\t\t*timeo_p = current_timeo;\n\t}\n\nout:\n\tfinish_wait(&asoc->wait, &wait);\n\n\t/* Release the association's refcnt. */\n\tsctp_association_put(asoc);\n\n\treturn err;\n\ndo_error:\n\tif (asoc->init_err_counter + 1 > asoc->max_init_attempts)\n\t\terr = -ETIMEDOUT;\n\telse\n\t\terr = -ECONNREFUSED;\n\tgoto out;\n\ndo_interrupted:\n\terr = sock_intr_errno(*timeo_p);\n\tgoto out;\n\ndo_nonblock:\n\terr = -EINPROGRESS;\n\tgoto out;\n}", "project": "linux", "hash": 2616329023682935662443537076652082193, "size": 61, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398209 }, { "func": "uint32 CSoundFile::GetPeriodFromNote(uint32 note, int32 nFineTune, uint32 nC5Speed) const\n{\n\tif (note == NOTE_NONE || (note >= NOTE_MIN_SPECIAL)) return 0;\n\tnote -= NOTE_MIN;\n\tif (!UseFinetuneAndTranspose())\n\t{\n\t\tif(GetType() & (MOD_TYPE_MDL | MOD_TYPE_DTM))\n\t\t{\n\t\t\t// MDL uses non-linear slides, but their effectiveness does not depend on the middle-C frequency.\n\t\t\treturn (FreqS3MTable[note % 12u] << 4) >> (note / 12);\n\t\t}\n\t\tif(m_SongFlags[SONG_LINEARSLIDES] || GetType() == MOD_TYPE_669)\n\t\t{\n\t\t\t// In IT linear slide mode, directly use frequency in Hertz rather than periods.\n\t\t\tif(m_playBehaviour[kHertzInLinearMode] || GetType() == MOD_TYPE_669)\n\t\t\t\treturn Util::muldiv_unsigned(nC5Speed, LinearSlideUpTable[(note % 12u) * 16u] << (note / 12u), 65536 << 5);\n\t\t\telse\n\t\t\t\treturn (FreqS3MTable[note % 12u] << 5) >> (note / 12);\n\t\t} else\n\t\t{\n\t\t\tif (!nC5Speed)\n\t\t\t\tnC5Speed = 8363;\n\t\t\tLimitMax(nC5Speed, uint32_max >> (note / 12u));\n\t\t\t//(a*b)/c\n\t\t\treturn Util::muldiv_unsigned(8363, (FreqS3MTable[note % 12u] << 5), nC5Speed << (note / 12u));\n\t\t\t//8363 * freq[note%12] / nC5Speed * 2^(5-note/12)\n\t\t}\n\t} else if (GetType() == MOD_TYPE_XM)\n\t{\n\t\tif (note < 12) note = 12;\n\t\tnote -= 12;\n\n\t\t// FT2 Compatibility: The lower three bits of the finetune are truncated.\n\t\t// Test case: 
Finetune-Precision.xm\n\t\tif(m_playBehaviour[kFT2FinetunePrecision])\n\t\t{\n\t\t\tnFineTune &= ~7;\n\t\t}\n\n\t\tif(m_SongFlags[SONG_LINEARSLIDES])\n\t\t{\n\t\t\tint l = ((NOTE_MAX - note) << 6) - (nFineTune / 2);\n\t\t\tif (l < 1) l = 1;\n\t\t\treturn static_cast(l);\n\t\t} else\n\t\t{\n\t\t\tint finetune = nFineTune;\n\t\t\tuint32 rnote = (note % 12) << 3;\n\t\t\tuint32 roct = note / 12;\n\t\t\tint rfine = finetune / 16;\n\t\t\tint i = rnote + rfine + 8;\n\t\t\tLimit(i , 0, 103);\n\t\t\tuint32 per1 = XMPeriodTable[i];\n\t\t\tif(finetune < 0)\n\t\t\t{\n\t\t\t\trfine--;\n\t\t\t\tfinetune = -finetune;\n\t\t\t} else rfine++;\n\t\t\ti = rnote+rfine+8;\n\t\t\tif (i < 0) i = 0;\n\t\t\tif (i >= 104) i = 103;\n\t\t\tuint32 per2 = XMPeriodTable[i];\n\t\t\trfine = finetune & 0x0F;\n\t\t\tper1 *= 16-rfine;\n\t\t\tper2 *= rfine;\n\t\t\treturn ((per1 + per2) << 1) >> roct;\n\t\t}\n\t} else\n\t{\n\t\tnFineTune = XM2MODFineTune(nFineTune);\n\t\tif ((nFineTune) || (note < 36) || (note >= 36 + 6 * 12))\n\t\t\treturn (ProTrackerTunedPeriods[nFineTune * 12u + note % 12u] << 5) >> (note / 12u);\n\t\telse\n\t\t\treturn (ProTrackerPeriodTable[note - 36] << 2);\n\t}\n}", "project": "openmpt", "hash": 248344662536059457335115073488728361463, "size": 76, "commit_id": "7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c", "message": "[Fix] Possible out-of-bounds read when computing length of some IT files with pattern loops (OpenMPT: formats that are converted to IT, libopenmpt: IT/ITP/MO3), caught with afl-fuzz.\n\ngit-svn-id: https://source.openmpt.org/svn/openmpt/trunk/OpenMPT@10027 56274372-70c3-4bfc-bfc3-4c3a0b034d27", "target": 0, "dataset": "other", "idx": 255233 }, { "func": "void hci_req_reenable_advertising(struct hci_dev *hdev)\n{\n\tstruct hci_request req;\n\n\tif (!hci_dev_test_flag(hdev, HCI_ADVERTISING) &&\n\t list_empty(&hdev->adv_instances))\n\t\treturn;\n\n\thci_req_init(&req, hdev);\n\n\tif (hdev->cur_adv_instance) {\n\t\t__hci_req_schedule_adv_instance(&req, 
hdev->cur_adv_instance,\n\t\t\t\t\t\ttrue);\n\t} else {\n\t\tif (ext_adv_capable(hdev)) {\n\t\t\t__hci_req_start_ext_adv(&req, 0x00);\n\t\t} else {\n\t\t\t__hci_req_update_adv_data(&req, 0x00);\n\t\t\t__hci_req_update_scan_rsp_data(&req, 0x00);\n\t\t\t__hci_req_enable_advertising(&req);\n\t\t}\n\t}\n\n\thci_req_run(&req, adv_enable_complete);\n}", "project": "linux", "hash": 301597454140371688341248600334473847824, "size": 25, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). 
Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402488 }, { "func": "TfLiteStatus ResizeOutput(TfLiteContext* context, const TfLiteTensor* input,\n const TfLiteTensor* axis, TfLiteTensor* output) {\n int axis_value;\n // Retrive all 8 bytes when axis type is kTfLiteInt64 to avoid data loss.\n if (axis->type == kTfLiteInt64) {\n axis_value = static_cast(*GetTensorData(axis));\n } else {\n axis_value = *GetTensorData(axis);\n }\n if (axis_value < 0) {\n axis_value += NumDimensions(input);\n }\n\n // Copy the input dimensions to output except the axis dimension.\n TfLiteIntArray* output_dims = TfLiteIntArrayCreate(NumDimensions(input) - 1);\n int j = 0;\n for (int i = 0; i < NumDimensions(input); ++i) {\n if (i != axis_value) {\n output_dims->data[j] = SizeOfDimension(input, i);\n ++j;\n }\n }\n return context->ResizeTensor(context, output, output_dims);\n}", "project": "tensorflow", "hash": 85730760625429324821980003967303687262, "size": 24, "commit_id": "c59c37e7b2d563967da813fa50fe20b21f4da683", "message": "Prevent array write out-of-bounds.\n\nIf user passes an invalid axis, then we copy one too many dimensions to the output in the loop below these checks. 
Even if we didn't do that, there will be further issues with an invalid axis, so we check for that right now.\n\nPiperOrigin-RevId: 371023299\nChange-Id: I9eca37ffc2b29e8e48710f500701270ef0790224", "target": 1, "dataset": "other", "idx": 198396 }, { "func": "TfLiteStatus ResizeOutput(TfLiteContext* context, const TfLiteTensor* input,\n const TfLiteTensor* axis, TfLiteTensor* output) {\n int axis_value;\n // Retrive all 8 bytes when axis type is kTfLiteInt64 to avoid data loss.\n if (axis->type == kTfLiteInt64) {\n axis_value = static_cast(*GetTensorData(axis));\n } else {\n axis_value = *GetTensorData(axis);\n }\n if (axis_value < 0) {\n axis_value += NumDimensions(input);\n }\n\n TF_LITE_ENSURE(context, axis_value >= 0);\n TF_LITE_ENSURE(context, axis_value < NumDimensions(input));\n\n // Copy the input dimensions to output except the axis dimension.\n TfLiteIntArray* output_dims = TfLiteIntArrayCreate(NumDimensions(input) - 1);\n int j = 0;\n for (int i = 0; i < NumDimensions(input); ++i) {\n if (i != axis_value) {\n output_dims->data[j] = SizeOfDimension(input, i);\n ++j;\n }\n }\n return context->ResizeTensor(context, output, output_dims);\n}", "project": "tensorflow", "hash": 224958909197921227858368302688275106543, "size": 27, "commit_id": "c59c37e7b2d563967da813fa50fe20b21f4da683", "message": "Prevent array write out-of-bounds.\n\nIf user passes an invalid axis, then we copy one too many dimensions to the output in the loop below these checks. 
Even if we didn't do that, there will be further issues with an invalid axis, so we check for that right now.\n\nPiperOrigin-RevId: 371023299\nChange-Id: I9eca37ffc2b29e8e48710f500701270ef0790224", "target": 0, "dataset": "other", "idx": 273769 }, { "project": "Chrome", "commit_id": "ea994548ed483e234a6fadd0cbdfa10d58b75cef", "target": 0, "func": "gfx::Size SoftwareFrameManager::GetCurrentFrameSizeInDIP() const {\n DCHECK(HasCurrentFrame());\n return ConvertSizeToDIP(current_frame_->frame_device_scale_factor_,\n current_frame_->frame_size_pixels_);\n}\n", "cwe": "", "big_vul_idx": 129969, "idx": 116281, "hash": 253581890277475578233098222333681513520 }, { "func": "static enum print_line_t print_hex_fmt(struct trace_iterator *iter)\n{\n\tstruct trace_array *tr = iter->tr;\n\tstruct trace_seq *s = &iter->seq;\n\tunsigned char newline = '\\n';\n\tstruct trace_entry *entry;\n\tstruct trace_event *event;\n\n\tentry = iter->ent;\n\n\tif (tr->trace_flags & TRACE_ITER_CONTEXT_INFO) {\n\t\tSEQ_PUT_HEX_FIELD(s, entry->pid);\n\t\tSEQ_PUT_HEX_FIELD(s, iter->cpu);\n\t\tSEQ_PUT_HEX_FIELD(s, iter->ts);\n\t\tif (trace_seq_has_overflowed(s))\n\t\t\treturn TRACE_TYPE_PARTIAL_LINE;\n\t}\n\n\tevent = ftrace_find_event(entry->type);\n\tif (event) {\n\t\tenum print_line_t ret = event->funcs->hex(iter, 0, event);\n\t\tif (ret != TRACE_TYPE_HANDLED)\n\t\t\treturn ret;\n\t}\n\n\tSEQ_PUT_FIELD(s, newline);\n\n\treturn trace_handle_return(s);\n}", "project": "linux", "hash": 160104964230293147452650782992605045181, "size": 29, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445846 }, { "func": "\nstatic int io_uring_alloc_task_context(struct task_struct *task,\n\t\t\t\t struct io_ring_ctx *ctx)\n{\n\tstruct io_uring_task *tctx;\n\tint ret;\n\n\ttctx = kmalloc(sizeof(*tctx), GFP_KERNEL);\n\tif (unlikely(!tctx))\n\t\treturn -ENOMEM;\n\n\tret = percpu_counter_init(&tctx->inflight, 0, GFP_KERNEL);\n\tif (unlikely(ret)) {\n\t\tkfree(tctx);\n\t\treturn ret;\n\t}\n\n\ttctx->io_wq = io_init_wq_offload(ctx, task);\n\tif (IS_ERR(tctx->io_wq)) {\n\t\tret = PTR_ERR(tctx->io_wq);\n\t\tpercpu_counter_destroy(&tctx->inflight);\n\t\tkfree(tctx);\n\t\treturn ret;\n\t}\n\n\txa_init(&tctx->xa);\n\tinit_waitqueue_head(&tctx->wait);\n\ttctx->last = NULL;\n\tatomic_set(&tctx->in_idle, 0);\n\tatomic_set(&tctx->inflight_tracked, 0);\n\ttask->io_uring = tctx;\n\tspin_lock_init(&tctx->task_lock);\n\tINIT_WQ_LIST(&tctx->task_list);\n\ttctx->task_state = 0;\n\tinit_task_work(&tctx->task_work, tctx_task_work);\n\treturn 0;", "project": "linux", "hash": 46914501499779081793896155522849940726, "size": 36, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338691 }, { "func": "static void nfs4_xdr_enc_lookupp(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\tconst void *data)\n{\n\tconst struct nfs4_lookupp_arg *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_lookupp(xdr, &hdr);\n\tencode_getfh(xdr, &hdr);\n\tencode_getfattr(xdr, args->bitmask, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 304184795892794829935272804531311420530, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431272 }, { "func": "static void tipc_node_timeout(struct timer_list *t)\n{\n\tstruct tipc_node *n = from_timer(n, t, timer);\n\tstruct tipc_link_entry *le;\n\tstruct sk_buff_head xmitq;\n\tint remains = n->link_cnt;\n\tint bearer_id;\n\tint rc = 0;\n\n\ttrace_tipc_node_timeout(n, 
false, \" \");\n\tif (!node_is_up(n) && tipc_node_cleanup(n)) {\n\t\t/*Removing the reference of Timer*/\n\t\ttipc_node_put(n);\n\t\treturn;\n\t}\n\n#ifdef CONFIG_TIPC_CRYPTO\n\t/* Take any crypto key related actions first */\n\ttipc_crypto_timeout(n->crypto_rx);\n#endif\n\t__skb_queue_head_init(&xmitq);\n\n\t/* Initial node interval to value larger (10 seconds), then it will be\n\t * recalculated with link lowest tolerance\n\t */\n\ttipc_node_read_lock(n);\n\tn->keepalive_intv = 10000;\n\ttipc_node_read_unlock(n);\n\tfor (bearer_id = 0; remains && (bearer_id < MAX_BEARERS); bearer_id++) {\n\t\ttipc_node_read_lock(n);\n\t\tle = &n->links[bearer_id];\n\t\tif (le->link) {\n\t\t\tspin_lock_bh(&le->lock);\n\t\t\t/* Link tolerance may change asynchronously: */\n\t\t\ttipc_node_calculate_timer(n, le->link);\n\t\t\trc = tipc_link_timeout(le->link, &xmitq);\n\t\t\tspin_unlock_bh(&le->lock);\n\t\t\tremains--;\n\t\t}\n\t\ttipc_node_read_unlock(n);\n\t\ttipc_bearer_xmit(n->net, bearer_id, &xmitq, &le->maddr, n);\n\t\tif (rc & TIPC_LINK_DOWN_EVT)\n\t\t\ttipc_node_link_down(n, bearer_id, false);\n\t}\n\tmod_timer(&n->timer, jiffies + msecs_to_jiffies(n->keepalive_intv));\n}", "project": "linux", "hash": 165113048484103138738893376105079685897, "size": 46, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack 
lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 
0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364910 }, { "func": "static OPJ_BOOL opj_tcd_t2_encode(opj_tcd_t *p_tcd,\n OPJ_BYTE * p_dest_data,\n OPJ_UINT32 * p_data_written,\n OPJ_UINT32 p_max_dest_size,\n opj_codestream_info_t *p_cstr_info,\n opj_tcd_marker_info_t* p_marker_info,\n opj_event_mgr_t *p_manager)\n{\n opj_t2_t * l_t2;\n\n l_t2 = opj_t2_create(p_tcd->image, p_tcd->cp);\n if (l_t2 == 00) {\n return OPJ_FALSE;\n }\n\n if (! opj_t2_encode_packets(\n l_t2,\n p_tcd->tcd_tileno,\n p_tcd->tcd_image->tiles,\n p_tcd->tcp->numlayers,\n p_dest_data,\n p_data_written,\n p_max_dest_size,\n p_cstr_info,\n p_marker_info,\n p_tcd->tp_num,\n p_tcd->tp_pos,\n p_tcd->cur_pino,\n FINAL_PASS,\n p_manager)) {\n opj_t2_destroy(l_t2);\n return OPJ_FALSE;\n }\n\n opj_t2_destroy(l_t2);\n\n /*---------------CLEAN-------------------*/\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 328242769141351416695598991954223485736, "size": 39, "commit_id": "15cf3d95814dc931ca0ecb132f81cb152e051bae", "message": "Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)", "target": 0, "dataset": "other", "idx": 359172 }, { "func": "static int x25_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct x25_sock *x25 = x25_sk(sk);\n\tvoid __user *argp = (void __user *)arg;\n\tint rc;\n\n\tswitch (cmd) {\n\tcase TIOCOUTQ: {\n\t\tint amount;\n\n\t\tamount = sk->sk_sndbuf - sk_wmem_alloc_get(sk);\n\t\tif (amount < 0)\n\t\t\tamount = 0;\n\t\trc = put_user(amount, (unsigned int __user *)argp);\n\t\tbreak;\n\t}\n\n\tcase TIOCINQ: {\n\t\tstruct sk_buff *skb;\n\t\tint amount = 0;\n\t\t/*\n\t\t * These two are safe on a single CPU system as\n\t\t * only user tasks fiddle here\n\t\t */\n\t\tlock_sock(sk);\n\t\tif ((skb = skb_peek(&sk->sk_receive_queue)) != NULL)\n\t\t\tamount = skb->len;\n\t\trelease_sock(sk);\n\t\trc = put_user(amount, (unsigned int __user *)argp);\n\t\tbreak;\n\t}\n\n\tcase 
SIOCGIFADDR:\n\tcase SIOCSIFADDR:\n\tcase SIOCGIFDSTADDR:\n\tcase SIOCSIFDSTADDR:\n\tcase SIOCGIFBRDADDR:\n\tcase SIOCSIFBRDADDR:\n\tcase SIOCGIFNETMASK:\n\tcase SIOCSIFNETMASK:\n\tcase SIOCGIFMETRIC:\n\tcase SIOCSIFMETRIC:\n\t\trc = -EINVAL;\n\t\tbreak;\n\tcase SIOCADDRT:\n\tcase SIOCDELRT:\n\t\trc = -EPERM;\n\t\tif (!capable(CAP_NET_ADMIN))\n\t\t\tbreak;\n\t\trc = x25_route_ioctl(cmd, argp);\n\t\tbreak;\n\tcase SIOCX25GSUBSCRIP:\n\t\trc = x25_subscr_ioctl(cmd, argp);\n\t\tbreak;\n\tcase SIOCX25SSUBSCRIP:\n\t\trc = -EPERM;\n\t\tif (!capable(CAP_NET_ADMIN))\n\t\t\tbreak;\n\t\trc = x25_subscr_ioctl(cmd, argp);\n\t\tbreak;\n\tcase SIOCX25GFACILITIES: {\n\t\tlock_sock(sk);\n\t\trc = copy_to_user(argp, &x25->facilities,\n\t\t\t\t sizeof(x25->facilities))\n\t\t\t? -EFAULT : 0;\n\t\trelease_sock(sk);\n\t\tbreak;\n\t}\n\n\tcase SIOCX25SFACILITIES: {\n\t\tstruct x25_facilities facilities;\n\t\trc = -EFAULT;\n\t\tif (copy_from_user(&facilities, argp, sizeof(facilities)))\n\t\t\tbreak;\n\t\trc = -EINVAL;\n\t\tlock_sock(sk);\n\t\tif (sk->sk_state != TCP_LISTEN &&\n\t\t sk->sk_state != TCP_CLOSE)\n\t\t\tgoto out_fac_release;\n\t\tif (facilities.pacsize_in < X25_PS16 ||\n\t\t facilities.pacsize_in > X25_PS4096)\n\t\t\tgoto out_fac_release;\n\t\tif (facilities.pacsize_out < X25_PS16 ||\n\t\t facilities.pacsize_out > X25_PS4096)\n\t\t\tgoto out_fac_release;\n\t\tif (facilities.winsize_in < 1 ||\n\t\t facilities.winsize_in > 127)\n\t\t\tgoto out_fac_release;\n\t\tif (facilities.throughput) {\n\t\t\tint out = facilities.throughput & 0xf0;\n\t\t\tint in = facilities.throughput & 0x0f;\n\t\t\tif (!out)\n\t\t\t\tfacilities.throughput |=\n\t\t\t\t\tX25_DEFAULT_THROUGHPUT << 4;\n\t\t\telse if (out < 0x30 || out > 0xD0)\n\t\t\t\tgoto out_fac_release;\n\t\t\tif (!in)\n\t\t\t\tfacilities.throughput |=\n\t\t\t\t\tX25_DEFAULT_THROUGHPUT;\n\t\t\telse if (in < 0x03 || in > 0x0D)\n\t\t\t\tgoto out_fac_release;\n\t\t}\n\t\tif (facilities.reverse &&\n\t\t (facilities.reverse & 0x81) != 
0x81)\n\t\t\tgoto out_fac_release;\n\t\tx25->facilities = facilities;\n\t\trc = 0;\nout_fac_release:\n\t\trelease_sock(sk);\n\t\tbreak;\n\t}\n\n\tcase SIOCX25GDTEFACILITIES: {\n\t\tlock_sock(sk);\n\t\trc = copy_to_user(argp, &x25->dte_facilities,\n\t\t\t\t sizeof(x25->dte_facilities));\n\t\trelease_sock(sk);\n\t\tif (rc)\n\t\t\trc = -EFAULT;\n\t\tbreak;\n\t}\n\n\tcase SIOCX25SDTEFACILITIES: {\n\t\tstruct x25_dte_facilities dtefacs;\n\t\trc = -EFAULT;\n\t\tif (copy_from_user(&dtefacs, argp, sizeof(dtefacs)))\n\t\t\tbreak;\n\t\trc = -EINVAL;\n\t\tlock_sock(sk);\n\t\tif (sk->sk_state != TCP_LISTEN &&\n\t\t sk->sk_state != TCP_CLOSE)\n\t\t\tgoto out_dtefac_release;\n\t\tif (dtefacs.calling_len > X25_MAX_AE_LEN)\n\t\t\tgoto out_dtefac_release;\n\t\tif (dtefacs.called_len > X25_MAX_AE_LEN)\n\t\t\tgoto out_dtefac_release;\n\t\tx25->dte_facilities = dtefacs;\n\t\trc = 0;\nout_dtefac_release:\n\t\trelease_sock(sk);\n\t\tbreak;\n\t}\n\n\tcase SIOCX25GCALLUSERDATA: {\n\t\tlock_sock(sk);\n\t\trc = copy_to_user(argp, &x25->calluserdata,\n\t\t\t\t sizeof(x25->calluserdata))\n\t\t\t? -EFAULT : 0;\n\t\trelease_sock(sk);\n\t\tbreak;\n\t}\n\n\tcase SIOCX25SCALLUSERDATA: {\n\t\tstruct x25_calluserdata calluserdata;\n\n\t\trc = -EFAULT;\n\t\tif (copy_from_user(&calluserdata, argp, sizeof(calluserdata)))\n\t\t\tbreak;\n\t\trc = -EINVAL;\n\t\tif (calluserdata.cudlength > X25_MAX_CUD_LEN)\n\t\t\tbreak;\n\t\tlock_sock(sk);\n\t\tx25->calluserdata = calluserdata;\n\t\trelease_sock(sk);\n\t\trc = 0;\n\t\tbreak;\n\t}\n\n\tcase SIOCX25GCAUSEDIAG: {\n\t\tlock_sock(sk);\n\t\trc = copy_to_user(argp, &x25->causediag, sizeof(x25->causediag))\n\t\t\t? 
-EFAULT : 0;\n\t\trelease_sock(sk);\n\t\tbreak;\n\t}\n\n\tcase SIOCX25SCAUSEDIAG: {\n\t\tstruct x25_causediag causediag;\n\t\trc = -EFAULT;\n\t\tif (copy_from_user(&causediag, argp, sizeof(causediag)))\n\t\t\tbreak;\n\t\tlock_sock(sk);\n\t\tx25->causediag = causediag;\n\t\trelease_sock(sk);\n\t\trc = 0;\n\t\tbreak;\n\n\t}\n\n\tcase SIOCX25SCUDMATCHLEN: {\n\t\tstruct x25_subaddr sub_addr;\n\t\trc = -EINVAL;\n\t\tlock_sock(sk);\n\t\tif(sk->sk_state != TCP_CLOSE)\n\t\t\tgoto out_cud_release;\n\t\trc = -EFAULT;\n\t\tif (copy_from_user(&sub_addr, argp,\n\t\t\t\t sizeof(sub_addr)))\n\t\t\tgoto out_cud_release;\n\t\trc = -EINVAL;\n\t\tif (sub_addr.cudmatchlength > X25_MAX_CUD_LEN)\n\t\t\tgoto out_cud_release;\n\t\tx25->cudmatchlength = sub_addr.cudmatchlength;\n\t\trc = 0;\nout_cud_release:\n\t\trelease_sock(sk);\n\t\tbreak;\n\t}\n\n\tcase SIOCX25CALLACCPTAPPRV: {\n\t\trc = -EINVAL;\n\t\tlock_sock(sk);\n\t\tif (sk->sk_state == TCP_CLOSE) {\n\t\t\tclear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);\n\t\t\trc = 0;\n\t\t}\n\t\trelease_sock(sk);\n\t\tbreak;\n\t}\n\n\tcase SIOCX25SENDCALLACCPT: {\n\t\trc = -EINVAL;\n\t\tlock_sock(sk);\n\t\tif (sk->sk_state != TCP_ESTABLISHED)\n\t\t\tgoto out_sendcallaccpt_release;\n\t\t/* must call accptapprv above */\n\t\tif (test_bit(X25_ACCPT_APPRV_FLAG, &x25->flags))\n\t\t\tgoto out_sendcallaccpt_release;\n\t\tx25_write_internal(sk, X25_CALL_ACCEPTED);\n\t\tx25->state = X25_STATE_3;\n\t\trc = 0;\nout_sendcallaccpt_release:\n\t\trelease_sock(sk);\n\t\tbreak;\n\t}\n\n\tdefault:\n\t\trc = -ENOIOCTLCMD;\n\t\tbreak;\n\t}\n\n\treturn rc;\n}", "project": "net", "hash": 35555975278827580854521248583635378973, "size": 244, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). 
One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449170 }, { "func": "static void sync_regs(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)\n{\n\tif (kvm_run->kvm_dirty_regs & KVM_SYNC_PREFIX)\n\t\tkvm_s390_set_prefix(vcpu, kvm_run->s.regs.prefix);\n\tif (kvm_run->kvm_dirty_regs & KVM_SYNC_CRS) {\n\t\tmemcpy(&vcpu->arch.sie_block->gcr, &kvm_run->s.regs.crs, 128);\n\t\t/* some control register changes require a tlb flush */\n\t\tkvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);\n\t}\n\tif (kvm_run->kvm_dirty_regs & KVM_SYNC_ARCH0) {\n\t\tkvm_s390_set_cpu_timer(vcpu, kvm_run->s.regs.cputm);\n\t\tvcpu->arch.sie_block->ckc = kvm_run->s.regs.ckc;\n\t}\n\tsave_access_regs(vcpu->arch.host_acrs);\n\trestore_access_regs(vcpu->run->s.regs.acrs);\n\t/* save host (userspace) fprs/vrs */\n\tsave_fpu_regs();\n\tvcpu->arch.host_fpregs.fpc = current->thread.fpu.fpc;\n\tvcpu->arch.host_fpregs.regs = current->thread.fpu.regs;\n\tif (MACHINE_HAS_VX)\n\t\tcurrent->thread.fpu.regs = vcpu->run->s.regs.vrs;\n\telse\n\t\tcurrent->thread.fpu.regs = vcpu->run->s.regs.fprs;\n\tcurrent->thread.fpu.fpc = vcpu->run->s.regs.fpc;\n\tif (test_fp_ctl(current->thread.fpu.fpc))\n\t\t/* User space provided 
an invalid FPC, let's clear it */\n\t\tcurrent->thread.fpu.fpc = 0;\n\n\t/* Sync fmt2 only data */\n\tif (likely(!kvm_s390_pv_cpu_is_protected(vcpu))) {\n\t\tsync_regs_fmt2(vcpu, kvm_run);\n\t} else {\n\t\t/*\n\t\t * In several places we have to modify our internal view to\n\t\t * not do things that are disallowed by the ultravisor. For\n\t\t * example we must not inject interrupts after specific exits\n\t\t * (e.g. 112 prefix page not secure). We do this by turning\n\t\t * off the machine check, external and I/O interrupt bits\n\t\t * of our PSW copy. To avoid getting validity intercepts, we\n\t\t * do only accept the condition code from userspace.\n\t\t */\n\t\tvcpu->arch.sie_block->gpsw.mask &= ~PSW_MASK_CC;\n\t\tvcpu->arch.sie_block->gpsw.mask |= kvm_run->psw_mask &\n\t\t\t\t\t\t PSW_MASK_CC;\n\t}\n\n\tkvm_run->kvm_dirty_regs = 0;\n}", "project": "linux", "hash": 113826733210257204162781571564082853698, "size": 48, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354513 }, { "func": "static int ud_interception(struct vcpu_svm *svm)\n{\n\treturn handle_ud(&svm->vcpu);\n}", "project": "linux", "hash": 337519073765060690419353971771452455907, "size": 4, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc 
memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432409 }, { "func": "static int ud_interception(struct vcpu_svm *svm)\n{\n\tint er;\n\n\ter = emulate_instruction(&svm->vcpu, EMULTYPE_TRAP_UD);\n\tif (er != EMULATE_DONE)\n\t\tkvm_queue_exception(&svm->vcpu, UD_VECTOR);\n\treturn 1;\n}", "project": "kvm", "hash": 302839733234888836708153151496446697968, "size": 9, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. 
If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437627 }, { "func": "static inline void ep_pm_stay_awake_rcu(struct epitem *epi)\n{\n\tstruct wakeup_source *ws;\n\n\trcu_read_lock();\n\tws = rcu_dereference(epi->ws);\n\tif (ws)\n\t\t__pm_stay_awake(ws);\n\trcu_read_unlock();\n}", "project": "linux", "hash": 339659032414687705221173383941336062856, "size": 10, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336259 }, { "func": "static void ip_copy_addrs(struct iphdr *iph, const struct flowi4 *fl4)\n{\n\tBUILD_BUG_ON(offsetof(typeof(*fl4), daddr) !=\n\t\t offsetof(typeof(*fl4), saddr) + sizeof(fl4->saddr));\n\tmemcpy(&iph->saddr, &fl4->saddr,\n\t sizeof(fl4->saddr) + sizeof(fl4->daddr));\n}", "project": "net", "hash": 105922126851765208476846074009227943194, "size": 7, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. 
Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468952 }, { "func": "static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tssize_t ret;\n\tdo {\n\t\tret = __nfs4_get_acl_uncached(inode, buf, buflen);\n\t\ttrace_nfs4_get_acl(inode, ret);\n\t\tif (ret >= 0)\n\t\t\tbreak;\n\t\tret = nfs4_handle_exception(NFS_SERVER(inode), ret, &exception);\n\t} while (exception.retry);\n\treturn ret;\n}", "project": "linux", "hash": 331380493513391855061704024239621841913, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431626 }, { "func": "static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k,\n OPJ_BYTE * p_data,\n OPJ_UINT32 * p_data_written,\n OPJ_UINT32 total_data_size,\n opj_stream_private_t *p_stream,\n struct opj_event_mgr * p_manager)\n{\n OPJ_UINT32 l_nb_bytes_written = 0;\n OPJ_UINT32 l_current_nb_bytes_written;\n OPJ_BYTE * l_begin_data = 00;\n\n opj_tcd_t * l_tcd = 00;\n opj_cp_t * l_cp = 00;\n\n l_tcd = p_j2k->m_tcd;\n l_cp = 
&(p_j2k->m_cp);\n\n l_tcd->cur_pino = 0;\n\n /*Get number of tile parts*/\n p_j2k->m_specific_param.m_encoder.m_current_poc_tile_part_number = 0;\n\n /* INDEX >> */\n /* << INDEX */\n\n l_current_nb_bytes_written = 0;\n l_begin_data = p_data;\n if (! opj_j2k_write_sot(p_j2k, p_data, total_data_size,\n &l_current_nb_bytes_written, p_stream,\n p_manager)) {\n return OPJ_FALSE;\n }\n\n l_nb_bytes_written += l_current_nb_bytes_written;\n p_data += l_current_nb_bytes_written;\n total_data_size -= l_current_nb_bytes_written;\n\n if (!OPJ_IS_CINEMA(l_cp->rsiz)) {\n#if 0\n for (compno = 1; compno < p_j2k->m_private_image->numcomps; compno++) {\n l_current_nb_bytes_written = 0;\n opj_j2k_write_coc_in_memory(p_j2k, compno, p_data, &l_current_nb_bytes_written,\n p_manager);\n l_nb_bytes_written += l_current_nb_bytes_written;\n p_data += l_current_nb_bytes_written;\n total_data_size -= l_current_nb_bytes_written;\n\n l_current_nb_bytes_written = 0;\n opj_j2k_write_qcc_in_memory(p_j2k, compno, p_data, &l_current_nb_bytes_written,\n p_manager);\n l_nb_bytes_written += l_current_nb_bytes_written;\n p_data += l_current_nb_bytes_written;\n total_data_size -= l_current_nb_bytes_written;\n }\n#endif\n if (l_cp->tcps[p_j2k->m_current_tile_number].POC) {\n l_current_nb_bytes_written = 0;\n opj_j2k_write_poc_in_memory(p_j2k, p_data, &l_current_nb_bytes_written,\n p_manager);\n l_nb_bytes_written += l_current_nb_bytes_written;\n p_data += l_current_nb_bytes_written;\n total_data_size -= l_current_nb_bytes_written;\n }\n }\n\n l_current_nb_bytes_written = 0;\n if (! 
opj_j2k_write_sod(p_j2k, l_tcd, p_data, &l_current_nb_bytes_written,\n total_data_size, p_stream, p_manager)) {\n return OPJ_FALSE;\n }\n\n l_nb_bytes_written += l_current_nb_bytes_written;\n * p_data_written = l_nb_bytes_written;\n\n /* Writing Psot in SOT marker */\n opj_write_bytes(l_begin_data + 6, l_nb_bytes_written,\n 4); /* PSOT */\n\n if (OPJ_IS_CINEMA(l_cp->rsiz) || OPJ_IS_IMF(l_cp->rsiz)) {\n opj_j2k_update_tlm(p_j2k, l_nb_bytes_written);\n }\n\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 165449997972225520199484165617599352446, "size": 84, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357329 }, { "func": "Status GraphConstructor::UpdateVersionDef() {\n if (versions() == nullptr) return Status::OK();\n\n if (!opts_.importing) {\n g_->set_versions(*versions());\n return Status::OK();\n }\n VersionDef g_versions = g_->versions();\n g_versions.set_producer(\n std::min(g_versions.producer(), versions()->producer()));\n g_versions.set_min_consumer(\n std::max(g_versions.min_consumer(), versions()->min_consumer()));\n if (versions()->bad_consumers_size() > 0) {\n std::set bad(g_versions.bad_consumers().begin(),\n g_versions.bad_consumers().end());\n bad.insert(versions()->bad_consumers().begin(),\n versions()->bad_consumers().end());\n g_versions.clear_bad_consumers();\n for (int v : bad) {\n g_versions.add_bad_consumers(v);\n }\n }\n g_->set_versions(g_versions);\n return Status::OK();\n}", "project": "tensorflow", "hash": 254579308951349610958707131243645219610, "size": 25, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. 
However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268359 }, { "func": "AP_DECLARE(apr_size_t) ap_register_request_note(void)\n{\n apr_pool_cleanup_register(apr_hook_global_pool, NULL, reset_request_notes,\n apr_pool_cleanup_null);\n return num_request_notes++;\n}", "project": "httpd", "hash": 217070498578013622737858319254471419273, "size": 6, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246375 }, { "func": "static void csi_J(struct vc_data *vc, int vpar)\n{\n\tunsigned int count;\n\tunsigned short * start;\n\n\tswitch (vpar) {\n\t\tcase 0:\t/* erase from cursor to end of display */\n\t\t\tvc_uniscr_clear_line(vc, vc->vc_x,\n\t\t\t\t\t vc->vc_cols - vc->vc_x);\n\t\t\tvc_uniscr_clear_lines(vc, vc->vc_y + 1,\n\t\t\t\t\t vc->vc_rows - vc->vc_y - 1);\n\t\t\tcount = (vc->vc_scr_end - vc->vc_pos) >> 1;\n\t\t\tstart = (unsigned short *)vc->vc_pos;\n\t\t\tbreak;\n\t\tcase 1:\t/* erase from start to cursor */\n\t\t\tvc_uniscr_clear_line(vc, 0, vc->vc_x + 1);\n\t\t\tvc_uniscr_clear_lines(vc, 0, vc->vc_y);\n\t\t\tcount = ((vc->vc_pos - vc->vc_origin) >> 1) + 
1;\n\t\t\tstart = (unsigned short *)vc->vc_origin;\n\t\t\tbreak;\n\t\tcase 3: /* include scrollback */\n\t\t\tflush_scrollback(vc);\n\t\t\t/* fallthrough */\n\t\tcase 2: /* erase whole display */\n\t\t\tvc_uniscr_clear_lines(vc, 0, vc->vc_rows);\n\t\t\tcount = vc->vc_cols * vc->vc_rows;\n\t\t\tstart = (unsigned short *)vc->vc_origin;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn;\n\t}\n\tscr_memsetw(start, vc->vc_video_erase_char, 2 * count);\n\tif (con_should_update(vc))\n\t\tdo_update_region(vc, (unsigned long) start, count);\n\tvc->vc_need_wrap = 0;\n}", "project": "linux", "hash": 96697707772971686561784622976220561881, "size": 36, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437045 }, { "func": "static int ptrace_signal(int signr, kernel_siginfo_t *info)\n{\n\t/*\n\t * We do not check sig_kernel_stop(signr) but set this marker\n\t * unconditionally because we do not know whether debugger will\n\t * change signr. This flag has no meaning unless we are going\n\t * to stop after return from ptrace_stop(). In this case it will\n\t * be checked in do_signal_stop(), we should only stop if it was\n\t * not cleared by SIGCONT while we were sleeping. See also the\n\t * comment in dequeue_signal().\n\t */\n\tcurrent->jobctl |= JOBCTL_STOP_DEQUEUED;\n\tptrace_stop(signr, CLD_TRAPPED, 0, info);\n\n\t/* We're back. Did the debugger cancel the sig? */\n\tsignr = current->exit_code;\n\tif (signr == 0)\n\t\treturn signr;\n\n\tcurrent->exit_code = 0;\n\n\t/*\n\t * Update the siginfo structure if the signal has\n\t * changed. If the debugger wanted something\n\t * specific in the siginfo structure then it should\n\t * have updated *info via PTRACE_SETSIGINFO.\n\t */\n\tif (signr != info->si_signo) {\n\t\tclear_siginfo(info);\n\t\tinfo->si_signo = signr;\n\t\tinfo->si_errno = 0;\n\t\tinfo->si_code = SI_USER;\n\t\trcu_read_lock();\n\t\tinfo->si_pid = task_pid_vnr(current->parent);\n\t\tinfo->si_uid = from_kuid_munged(current_user_ns(),\n\t\t\t\t\t\ttask_uid(current->parent));\n\t\trcu_read_unlock();\n\t}\n\n\t/* If the (new) signal is now blocked, requeue it. */\n\tif (sigismember(¤t->blocked, signr)) {\n\t\tsend_signal(signr, info, current, PIDTYPE_PID);\n\t\tsignr = 0;\n\t}\n\n\treturn signr;\n}", "project": "linux", "hash": 217507375514660089922058530942772544872, "size": 47, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. 
With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375283 }, { "func": "int next_filter(const uint8_t* filters, int current_filter, char cmode) {\n for (int i = current_filter - 1; i >= 0; i--) {\n if (!do_nothing(filters[i], cmode)) {\n return filters[i];\n }\n }\n return BLOSC_NOFILTER;\n}", "project": "c-blosc2", "hash": 244276264338248627031536948242917943722, "size": 8, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303098 }, { "func": "static apr_byte_t oidc_is_front_channel_logout(const char *logout_param_value) {\n\treturn ((logout_param_value != NULL)\n\t\t\t&& ((apr_strnatcmp(logout_param_value,\n\t\t\t\t\tOIDC_GET_STYLE_LOGOUT_PARAM_VALUE) == 0)\n\t\t\t\t\t|| (apr_strnatcmp(logout_param_value,\n\t\t\t\t\t\t\tOIDC_IMG_STYLE_LOGOUT_PARAM_VALUE) == 0)));\n}", "project": "mod_auth_openidc", "hash": 218229335760242638320089204202427200864, "size": 7, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381920 }, { "func": "static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)\n{\n\tstruct hci_cp_le_read_remote_features *cp;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (!status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));\n\tif (conn) {\n\t\tif (conn->state == BT_CONFIG) {\n\t\t\thci_connect_cfm(conn, status);\n\t\t\thci_conn_drop(conn);\n\t\t}\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 231939865544592235647748347727863641795, "size": 26, "commit_id": 
"51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432022 }, { "func": " inline uint argument_count() const { return arg_count; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 264389630798888695997462271933951335719, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509310 }, { "func": "static int usb_host_auto_add(const char *spec)\n{\n struct USBAutoFilter filter, *f;\n\n if (parse_filter(spec, &filter) < 0)\n return -1;\n\n f = qemu_mallocz(sizeof(*f));\n\n *f = filter; \n\n if (!usb_auto_filter) {\n /*\n * First entry. Init and start the monitor.\n * Right now we're using timer to check for new devices.\n * If this turns out to be too expensive we can move that into a \n * separate thread.\n */\n\tusb_auto_timer = qemu_new_timer(rt_clock, usb_host_auto_timer, NULL);\n\tif (!usb_auto_timer) {\n fprintf(stderr, \"husb: failed to allocate auto scan timer\\n\");\n qemu_free(f);\n return -1;\n }\n\n /* Check for new devices every two seconds */\n qemu_mod_timer(usb_auto_timer, qemu_get_clock(rt_clock) + 2000);\n }\n\n dprintf(\"husb: added auto filter: bus_num %d addr %d vid %d pid %d\\n\",\n\tf->bus_num, f->addr, f->vendor_id, f->product_id);\n\n f->next = usb_auto_filter;\n usb_auto_filter = f;\n\n return 0;\n}", "project": "qemu", "hash": 94605163368626209148486279183121740879, "size": 37, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346281 }, { "func": "static int _nfs4_do_set_security_label(struct inode *inode,\n\t\tstruct nfs4_label *ilabel,\n\t\tstruct nfs_fattr *fattr,\n\t\tstruct nfs4_label *olabel)\n{\n\n\tstruct iattr sattr = {0};\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\tconst u32 bitmask[3] = { 0, 0, FATTR4_WORD2_SECURITY_LABEL };\n\tstruct nfs_setattrargs arg = {\n\t\t.fh\t\t= NFS_FH(inode),\n\t\t.iap\t\t= &sattr,\n\t\t.server\t\t= server,\n\t\t.bitmask\t= bitmask,\n\t\t.label\t\t= ilabel,\n\t};\n\tstruct nfs_setattrres res = {\n\t\t.fattr\t\t= fattr,\n\t\t.label\t\t= olabel,\n\t\t.server\t\t= server,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc\t= &nfs4_procedures[NFSPROC4_CLNT_SETATTR],\n\t\t.rpc_argp\t= &arg,\n\t\t.rpc_resp\t= &res,\n\t};\n\tint status;\n\n\tnfs4_stateid_copy(&arg.stateid, &zero_stateid);\n\n\tstatus = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);\n\tif (status)\n\t\tdprintk(\"%s failed: %d\\n\", __func__, status);\n\n\treturn status;\n}", "project": "linux", "hash": 172471471116821471142082669538507002028, "size": 36, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c 
(\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431320 }, { "func": "int WindowsServiceControl::startType()\n{\n\tif( checkService() == false )\n\t{\n\t\treturn InvalidStartType;\n\t}\n\n\tLPQUERY_SERVICE_CONFIG serviceConfig{nullptr};\n\tDWORD bufferSize = 0;\n\tDWORD bytesNeeded = 0;\n\n\tif( QueryServiceConfig( m_serviceHandle, nullptr, 0, &bytesNeeded ) == false )\n\t{\n\t\tif( GetLastError() == ERROR_INSUFFICIENT_BUFFER )\n\t\t{\n\t\t\tbufferSize = bytesNeeded;\n\t\t\tserviceConfig = LPQUERY_SERVICE_CONFIG(LocalAlloc(LMEM_FIXED, bufferSize));\n\t\t}\n\t\telse\n\t\t{\n\t\t\treturn InvalidStartType;\n\t\t}\n\t}\n\telse\n\t{\n\t\treturn InvalidStartType;\n\t}\n\n\tif( QueryServiceConfig( m_serviceHandle, serviceConfig, bufferSize, &bytesNeeded ) == false )\n\t{\n\t\tconst auto error = GetLastError();\n\t\tvCritical() << error;\n\t\tLocalFree( serviceConfig );\n\t\treturn InvalidStartType;\n\t}\n\n\tconst auto startType = serviceConfig->dwStartType;\n\n\tLocalFree( serviceConfig );\n\n\treturn startType;\n}", "project": "veyon", "hash": 297470292426290932667675718602000618642, "size": 42, "commit_id": "f231ec511b9a09f43f49b2c7bb7c60b8046276b1", "message": "WindowsServiceControl: quote service binary path\n\nFix unquoted service path vulnerability.\n\nCloses #657.", "target": 0, "dataset": "other", "idx": 241034 }, { "func": "static int kvm_s390_get_cmma_bits(struct kvm *kvm,\n\t\t\t\t struct kvm_s390_cmma_log *args)\n{\n\tunsigned long bufsize;\n\tint srcu_idx, peek, ret;\n\tu8 *values;\n\n\tif (!kvm->arch.use_cmma)\n\t\treturn -ENXIO;\n\t/* Invalid/unsupported flags were specified */\n\tif (args->flags & ~KVM_S390_CMMA_PEEK)\n\t\treturn -EINVAL;\n\t/* Migration mode query, and we are not doing a migration */\n\tpeek = !!(args->flags & KVM_S390_CMMA_PEEK);\n\tif (!peek && 
!kvm->arch.migration_mode)\n\t\treturn -EINVAL;\n\t/* CMMA is disabled or was not used, or the buffer has length zero */\n\tbufsize = min(args->count, KVM_S390_CMMA_SIZE_MAX);\n\tif (!bufsize || !kvm->mm->context.uses_cmm) {\n\t\tmemset(args, 0, sizeof(*args));\n\t\treturn 0;\n\t}\n\t/* We are not peeking, and there are no dirty pages */\n\tif (!peek && !atomic64_read(&kvm->arch.cmma_dirty_pages)) {\n\t\tmemset(args, 0, sizeof(*args));\n\t\treturn 0;\n\t}\n\n\tvalues = vmalloc(bufsize);\n\tif (!values)\n\t\treturn -ENOMEM;\n\n\tdown_read(&kvm->mm->mmap_sem);\n\tsrcu_idx = srcu_read_lock(&kvm->srcu);\n\tif (peek)\n\t\tret = kvm_s390_peek_cmma(kvm, args, values, bufsize);\n\telse\n\t\tret = kvm_s390_get_cmma(kvm, args, values, bufsize);\n\tsrcu_read_unlock(&kvm->srcu, srcu_idx);\n\tup_read(&kvm->mm->mmap_sem);\n\n\tif (kvm->arch.migration_mode)\n\t\targs->remaining = atomic64_read(&kvm->arch.cmma_dirty_pages);\n\telse\n\t\targs->remaining = 0;\n\n\tif (copy_to_user((void __user *)args->values, values, args->count))\n\t\tret = -EFAULT;\n\n\tvfree(values);\n\treturn ret;\n}", "project": "linux", "hash": 21314735383031502834550558202000205218, "size": 52, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354780 }, { "func": "static OPJ_BOOL opj_j2k_read_sot(opj_j2k_t *p_j2k,\n OPJ_BYTE * 
p_header_data,\n OPJ_UINT32 p_header_size,\n opj_event_mgr_t * p_manager)\n{\n opj_cp_t *l_cp = 00;\n opj_tcp_t *l_tcp = 00;\n OPJ_UINT32 l_tot_len, l_num_parts = 0;\n OPJ_UINT32 l_current_part;\n OPJ_UINT32 l_tile_x, l_tile_y;\n\n /* preconditions */\n\n assert(p_j2k != 00);\n assert(p_manager != 00);\n\n if (! opj_j2k_get_sot_values(p_header_data, p_header_size,\n &(p_j2k->m_current_tile_number), &l_tot_len, &l_current_part, &l_num_parts,\n p_manager)) {\n opj_event_msg(p_manager, EVT_ERROR, \"Error reading SOT marker\\n\");\n return OPJ_FALSE;\n }\n#ifdef DEBUG_VERBOSE\n fprintf(stderr, \"SOT %d %d %d %d\\n\",\n p_j2k->m_current_tile_number, l_tot_len, l_current_part, l_num_parts);\n#endif\n\n l_cp = &(p_j2k->m_cp);\n\n /* testcase 2.pdf.SIGFPE.706.1112 */\n if (p_j2k->m_current_tile_number >= l_cp->tw * l_cp->th) {\n opj_event_msg(p_manager, EVT_ERROR, \"Invalid tile number %d\\n\",\n p_j2k->m_current_tile_number);\n return OPJ_FALSE;\n }\n\n l_tcp = &l_cp->tcps[p_j2k->m_current_tile_number];\n l_tile_x = p_j2k->m_current_tile_number % l_cp->tw;\n l_tile_y = p_j2k->m_current_tile_number / l_cp->tw;\n\n if (p_j2k->m_specific_param.m_decoder.m_tile_ind_to_dec < 0 ||\n p_j2k->m_current_tile_number == (OPJ_UINT32)\n p_j2k->m_specific_param.m_decoder.m_tile_ind_to_dec) {\n /* Do only this check if we decode all tile part headers, or if */\n /* we decode one precise tile. Otherwise the m_current_tile_part_number */\n /* might not be valid */\n /* Fixes issue with id_000020,sig_06,src_001958,op_flip4,pos_149 */\n /* of https://github.com/uclouvain/openjpeg/issues/939 */\n /* We must avoid reading twice the same tile part number for a given tile */\n /* so as to avoid various issues, like opj_j2k_merge_ppt being called */\n /* several times. */\n /* ISO 15444-1 A.4.2 Start of tile-part (SOT) mandates that tile parts */\n /* should appear in increasing order. 
*/\n if (l_tcp->m_current_tile_part_number + 1 != (OPJ_INT32)l_current_part) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Invalid tile part index for tile number %d. \"\n \"Got %d, expected %d\\n\",\n p_j2k->m_current_tile_number,\n l_current_part,\n l_tcp->m_current_tile_part_number + 1);\n return OPJ_FALSE;\n }\n }\n\n l_tcp->m_current_tile_part_number = (OPJ_INT32) l_current_part;\n\n#ifdef USE_JPWL\n if (l_cp->correct) {\n\n OPJ_UINT32 tileno = p_j2k->m_current_tile_number;\n static OPJ_UINT32 backup_tileno = 0;\n\n /* tileno is negative or larger than the number of tiles!!! */\n if (tileno > (l_cp->tw * l_cp->th)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"JPWL: bad tile number (%d out of a maximum of %d)\\n\",\n tileno, (l_cp->tw * l_cp->th));\n if (!JPWL_ASSUME) {\n opj_event_msg(p_manager, EVT_ERROR, \"JPWL: giving up\\n\");\n return OPJ_FALSE;\n }\n /* we try to correct */\n tileno = backup_tileno;\n opj_event_msg(p_manager, EVT_WARNING, \"- trying to adjust this\\n\"\n \"- setting tile number to %d\\n\",\n tileno);\n }\n\n /* keep your private count of tiles */\n backup_tileno++;\n };\n#endif /* USE_JPWL */\n\n /* look for the tile in the list of already processed tile (in parts). */\n /* Optimization possible here with a more complex data structure and with the removing of tiles */\n /* since the time taken by this function can only grow at the time */\n\n /* PSot should be equal to zero or >=14 or <= 2^32-1 */\n if ((l_tot_len != 0) && (l_tot_len < 14)) {\n if (l_tot_len ==\n 12) { /* MSD: Special case for the PHR data which are read by kakadu*/\n opj_event_msg(p_manager, EVT_WARNING, \"Empty SOT marker detected: Psot=%d.\\n\",\n l_tot_len);\n } else {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Psot value is not correct regards to the JPEG2000 norm: %d.\\n\", l_tot_len);\n return OPJ_FALSE;\n }\n }\n\n#ifdef USE_JPWL\n if (l_cp->correct) {\n\n /* totlen is negative or larger than the bytes left!!! 
*/\n if (/*(l_tot_len < 0) ||*/ (l_tot_len >\n p_header_size)) { /* FIXME it seems correct; for info in V1 -> (p_stream_numbytesleft(p_stream) + 8))) { */\n opj_event_msg(p_manager, EVT_ERROR,\n \"JPWL: bad tile byte size (%d bytes against %d bytes left)\\n\",\n l_tot_len,\n p_header_size); /* FIXME it seems correct; for info in V1 -> p_stream_numbytesleft(p_stream) + 8); */\n if (!JPWL_ASSUME) {\n opj_event_msg(p_manager, EVT_ERROR, \"JPWL: giving up\\n\");\n return OPJ_FALSE;\n }\n /* we try to correct */\n l_tot_len = 0;\n opj_event_msg(p_manager, EVT_WARNING, \"- trying to adjust this\\n\"\n \"- setting Psot to %d => assuming it is the last tile\\n\",\n l_tot_len);\n }\n };\n#endif /* USE_JPWL */\n\n /* Ref A.4.2: Psot could be equal zero if it is the last tile-part of the codestream.*/\n if (!l_tot_len) {\n opj_event_msg(p_manager, EVT_INFO,\n \"Psot value of the current tile-part is equal to zero, \"\n \"we assuming it is the last tile-part of the codestream.\\n\");\n p_j2k->m_specific_param.m_decoder.m_last_tile_part = 1;\n }\n\n if (l_tcp->m_nb_tile_parts != 0 && l_current_part >= l_tcp->m_nb_tile_parts) {\n /* Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2851 */\n opj_event_msg(p_manager, EVT_ERROR,\n \"In SOT marker, TPSot (%d) is not valid regards to the previous \"\n \"number of tile-part (%d), giving up\\n\", l_current_part,\n l_tcp->m_nb_tile_parts);\n p_j2k->m_specific_param.m_decoder.m_last_tile_part = 1;\n return OPJ_FALSE;\n }\n\n if (l_num_parts !=\n 0) { /* Number of tile-part header is provided by this tile-part header */\n l_num_parts += p_j2k->m_specific_param.m_decoder.m_nb_tile_parts_correction;\n /* Useful to manage the case of textGBR.jp2 file because two values of TNSot are allowed: the correct numbers of\n * tile-parts for that tile and zero (A.4.2 of 15444-1 : 2002). 
*/\n if (l_tcp->m_nb_tile_parts) {\n if (l_current_part >= l_tcp->m_nb_tile_parts) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"In SOT marker, TPSot (%d) is not valid regards to the current \"\n \"number of tile-part (%d), giving up\\n\", l_current_part,\n l_tcp->m_nb_tile_parts);\n p_j2k->m_specific_param.m_decoder.m_last_tile_part = 1;\n return OPJ_FALSE;\n }\n }\n if (l_current_part >= l_num_parts) {\n /* testcase 451.pdf.SIGSEGV.ce9.3723 */\n opj_event_msg(p_manager, EVT_ERROR,\n \"In SOT marker, TPSot (%d) is not valid regards to the current \"\n \"number of tile-part (header) (%d), giving up\\n\", l_current_part, l_num_parts);\n p_j2k->m_specific_param.m_decoder.m_last_tile_part = 1;\n return OPJ_FALSE;\n }\n l_tcp->m_nb_tile_parts = l_num_parts;\n }\n\n /* If know the number of tile part header we will check if we didn't read the last*/\n if (l_tcp->m_nb_tile_parts) {\n if (l_tcp->m_nb_tile_parts == (l_current_part + 1)) {\n p_j2k->m_specific_param.m_decoder.m_can_decode =\n 1; /* Process the last tile-part header*/\n }\n }\n\n if (!p_j2k->m_specific_param.m_decoder.m_last_tile_part) {\n /* Keep the size of data to skip after this marker */\n p_j2k->m_specific_param.m_decoder.m_sot_length = l_tot_len -\n 12; /* SOT_marker_size = 12 */\n } else {\n /* FIXME: need to be computed from the number of bytes remaining in the codestream */\n p_j2k->m_specific_param.m_decoder.m_sot_length = 0;\n }\n\n p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_TPH;\n\n /* Check if the current tile is outside the area we want decode or not corresponding to the tile index*/\n if (p_j2k->m_specific_param.m_decoder.m_tile_ind_to_dec == -1) {\n p_j2k->m_specific_param.m_decoder.m_skip_data =\n (l_tile_x < p_j2k->m_specific_param.m_decoder.m_start_tile_x)\n || (l_tile_x >= p_j2k->m_specific_param.m_decoder.m_end_tile_x)\n || (l_tile_y < p_j2k->m_specific_param.m_decoder.m_start_tile_y)\n || (l_tile_y >= p_j2k->m_specific_param.m_decoder.m_end_tile_y);\n } else {\n 
assert(p_j2k->m_specific_param.m_decoder.m_tile_ind_to_dec >= 0);\n p_j2k->m_specific_param.m_decoder.m_skip_data =\n (p_j2k->m_current_tile_number != (OPJ_UINT32)\n p_j2k->m_specific_param.m_decoder.m_tile_ind_to_dec);\n }\n\n /* Index */\n if (p_j2k->cstr_index) {\n assert(p_j2k->cstr_index->tile_index != 00);\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tileno =\n p_j2k->m_current_tile_number;\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].current_tpsno =\n l_current_part;\n\n if (l_num_parts != 0) {\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].nb_tps =\n l_num_parts;\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].current_nb_tps =\n l_num_parts;\n\n if (!p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index) {\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index =\n (opj_tp_index_t*)opj_calloc(l_num_parts, sizeof(opj_tp_index_t));\n if (!p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to read SOT marker. Tile index allocation failed\\n\");\n return OPJ_FALSE;\n }\n } else {\n opj_tp_index_t *new_tp_index = (opj_tp_index_t *) opj_realloc(\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index,\n l_num_parts * sizeof(opj_tp_index_t));\n if (! new_tp_index) {\n opj_free(p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index);\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index = NULL;\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to read SOT marker. 
Tile index allocation failed\\n\");\n return OPJ_FALSE;\n }\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index =\n new_tp_index;\n }\n } else {\n /*if (!p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index)*/ {\n\n if (!p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index) {\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].current_nb_tps = 10;\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index =\n (opj_tp_index_t*)opj_calloc(\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].current_nb_tps,\n sizeof(opj_tp_index_t));\n if (!p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index) {\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].current_nb_tps = 0;\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to read SOT marker. Tile index allocation failed\\n\");\n return OPJ_FALSE;\n }\n }\n\n if (l_current_part >=\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].current_nb_tps) {\n opj_tp_index_t *new_tp_index;\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].current_nb_tps =\n l_current_part + 1;\n new_tp_index = (opj_tp_index_t *) opj_realloc(\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index,\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].current_nb_tps *\n sizeof(opj_tp_index_t));\n if (! new_tp_index) {\n opj_free(p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index);\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index = NULL;\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].current_nb_tps = 0;\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to read SOT marker. 
Tile index allocation failed\\n\");\n return OPJ_FALSE;\n }\n p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index =\n new_tp_index;\n }\n }\n\n }\n\n }\n\n /* FIXME move this onto a separate method to call before reading any SOT, remove part about main_end header, use a index struct inside p_j2k */\n /* if (p_j2k->cstr_info) {\n if (l_tcp->first) {\n if (tileno == 0) {\n p_j2k->cstr_info->main_head_end = p_stream_tell(p_stream) - 13;\n }\n\n p_j2k->cstr_info->tile[tileno].tileno = tileno;\n p_j2k->cstr_info->tile[tileno].start_pos = p_stream_tell(p_stream) - 12;\n p_j2k->cstr_info->tile[tileno].end_pos = p_j2k->cstr_info->tile[tileno].start_pos + totlen - 1;\n p_j2k->cstr_info->tile[tileno].num_tps = numparts;\n\n if (numparts) {\n p_j2k->cstr_info->tile[tileno].tp = (opj_tp_info_t *) opj_malloc(numparts * sizeof(opj_tp_info_t));\n }\n else {\n p_j2k->cstr_info->tile[tileno].tp = (opj_tp_info_t *) opj_malloc(10 * sizeof(opj_tp_info_t)); // Fixme (10)\n }\n }\n else {\n p_j2k->cstr_info->tile[tileno].end_pos += totlen;\n }\n\n p_j2k->cstr_info->tile[tileno].tp[partno].tp_start_pos = p_stream_tell(p_stream) - 12;\n p_j2k->cstr_info->tile[tileno].tp[partno].tp_end_pos =\n p_j2k->cstr_info->tile[tileno].tp[partno].tp_start_pos + totlen - 1;\n }*/\n return OPJ_TRUE;\n}", "project": "openjpeg", "hash": 212489723034050241186122404288330447058, "size": 318, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357389 }, { "func": "void nested_svm_vmloadsave(struct vmcb *from_vmcb, struct vmcb *to_vmcb)\n{\n\tto_vmcb->save.fs = from_vmcb->save.fs;\n\tto_vmcb->save.gs = from_vmcb->save.gs;\n\tto_vmcb->save.tr = from_vmcb->save.tr;\n\tto_vmcb->save.ldtr = from_vmcb->save.ldtr;\n\tto_vmcb->save.kernel_gs_base = from_vmcb->save.kernel_gs_base;\n\tto_vmcb->save.star = from_vmcb->save.star;\n\tto_vmcb->save.lstar 
= from_vmcb->save.lstar;\n\tto_vmcb->save.cstar = from_vmcb->save.cstar;\n\tto_vmcb->save.sfmask = from_vmcb->save.sfmask;\n\tto_vmcb->save.sysenter_cs = from_vmcb->save.sysenter_cs;\n\tto_vmcb->save.sysenter_esp = from_vmcb->save.sysenter_esp;\n\tto_vmcb->save.sysenter_eip = from_vmcb->save.sysenter_eip;\n}", "project": "linux", "hash": 316318996593834043091607282178670792291, "size": 15, "commit_id": "a58d9166a756a0f4a6618e4f593232593d6df134", "message": "KVM: SVM: load control fields from VMCB12 before checking them\n\nAvoid races between check and use of the nested VMCB controls. This\nfor example ensures that the VMRUN intercept is always reflected to the\nnested hypervisor, instead of being processed by the host. Without this\npatch, it is possible to end up with svm->nested.hsave pointing to\nthe MSR permission bitmap for nested guests.\n\nThis bug is CVE-2021-29657.\n\nReported-by: Felix Wilhelm \nCc: stable@vger.kernel.org\nFixes: 2fcf4876ada (\"KVM: nSVM: implement on demand allocation of the nested state\")\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 376671 }, { "func": "static void nested_svm_vmloadsave(struct vmcb *from_vmcb, struct vmcb *to_vmcb)\n{\n\tto_vmcb->save.fs = from_vmcb->save.fs;\n\tto_vmcb->save.gs = from_vmcb->save.gs;\n\tto_vmcb->save.tr = from_vmcb->save.tr;\n\tto_vmcb->save.ldtr = from_vmcb->save.ldtr;\n\tto_vmcb->save.kernel_gs_base = from_vmcb->save.kernel_gs_base;\n\tto_vmcb->save.star = from_vmcb->save.star;\n\tto_vmcb->save.lstar = from_vmcb->save.lstar;\n\tto_vmcb->save.cstar = from_vmcb->save.cstar;\n\tto_vmcb->save.sfmask = from_vmcb->save.sfmask;\n\tto_vmcb->save.sysenter_cs = from_vmcb->save.sysenter_cs;\n\tto_vmcb->save.sysenter_esp = from_vmcb->save.sysenter_esp;\n\tto_vmcb->save.sysenter_eip = from_vmcb->save.sysenter_eip;\n}", "project": "linux", "hash": 56481263211623674338433551222405702785, "size": 15, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix 
potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432583 }, { "func": "\tJoin(Membership* Memb)\n\t\t: ClientProtocol::Message(\"JOIN\", Memb->user)\n\t{\n\t\tSetParams(Memb);\n\t}", "project": "inspircd", "hash": 125894762283554939631569266017063229011, "size": 5, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273221 }, { "func": "\tJoin(Membership* Memb, const std::string& sourcestrref)\n\t\t: ClientProtocol::Message(\"JOIN\", sourcestrref, Memb->user)\n\t{\n\t\tSetParams(Memb);\n\t}", "project": "inspircd", "hash": 2306363492794433528577392462455472138, "size": 5, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273226 }, { "func": "\tvoid SetParams(Channel* Chantarget, User* Usertarget, const Modes::ChangeList& changelist)\n\t{\n\t\tClearParams();\n\n\t\tchantarget = Chantarget;\n\t\tusertarget = Usertarget;\n\t\tbeginit = changelist.getlist().begin();\n\n\t\tPushParamRef(GetStrTarget());\n\t\tPushParam(ToModeLetters(changelist.getlist(), 450, beginit, lastit));\n\t\tPushModeParams();\n\t}", "project": "inspircd", "hash": 288912384548505842522422820364905290422, "size": 12, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273228 }, { "func": "\tvoid SetParams(Membership* Memb)\n\t{\n\t\tmemb = Memb;\n\t\tPushParamRef(memb->chan->name);\n\t}", "project": "inspircd", "hash": 
273015913359568778150064882279688517177, "size": 5, "commit_id": "4350a11c663b0d75f8119743bffb7736d87abd4d", "message": "Fix sending malformed pong messages in some cases.", "target": 0, "dataset": "other", "idx": 273266 }, { "func": "static double SFDStartsCorrectly(FILE *sfd,char *tok) {\n real dval;\n int ch;\n\n if ( getname(sfd,tok)!=1 )\nreturn( -1 );\n if ( strcmp(tok,\"SplineFontDB:\")!=0 )\nreturn( -1 );\n if ( getreal(sfd,&dval)!=1 )\nreturn( -1 );\n /* We don't yet generate version 4 of sfd. It will contain backslash */\n /* newline in the middle of very long lines. I've put in code to parse */\n /* this sequence, but I don't yet generate it. I want the parser to */\n /* perculate through to users before I introduce the new format so there */\n /* will be fewer complaints when it happens */\n // MIQ: getreal() can give some funky rounding errors it seems\n if ( dval!=0 && dval!=1 && dval!=2.0 && dval!=3.0\n && !(dval > 3.09 && dval <= 3.21)\n && dval!=4.0 )\n {\n LogError(\"Bad SFD Version number %.1f\", dval );\nreturn( -1 );\n }\n ch = nlgetc(sfd); ungetc(ch,sfd);\n if ( ch!='\\r' && ch!='\\n' )\nreturn( -1 );\n\nreturn( dval );\n}", "project": "fontforge", "hash": 195091160638879335526843434899508222937, "size": 29, "commit_id": "048a91e2682c1a8936ae34dbc7bd70291ec05410", "message": "Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function\nFix for #4086 NULL pointer dereference in the SFDGetSpiros() function\nFix for #4088 NULL pointer dereference in the SFD_AssignLookups() function\nAdd empty sf->fontname string if it isn't set, fixing #4089 #4090 and many\n other potential issues (many downstream calls to strlen() on the value).", "target": 0, "dataset": "other", "idx": 417751 }, { "func": "kvm_pfn_t gfn_to_pfn_memslot(struct kvm_memory_slot *slot, gfn_t gfn)\n{\n\treturn __gfn_to_pfn_memslot(slot, gfn, false, NULL, true, NULL);\n}", "project": "linux", "hash": 37026052342131463136516844792048187652, "size": 4, "commit_id": 
"0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354420 }, { "func": "kvm_pfn_t gfn_to_pfn_memslot(struct kvm_memory_slot *slot, gfn_t gfn)\n{\n\treturn __gfn_to_pfn_memslot(slot, gfn, false, NULL, true, NULL, NULL);\n}", "project": "linux", "hash": 180163534920529405849523746916429471316, "size": 4, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404070 }, { "func": "TEST_P(JSITest, ScopeDoesNotCrashTest) {\n Scope scope(rt);\n Object o(rt);\n}", "project": "hermes", "hash": 234727554228083355189219243147508879840, "size": 4, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230219 }, { "func": "extern \"C\" void enc_set_error_handler(\n void (*abort_handler)(const char *message)) {\n error_handler = abort_handler;\n}", "project": "asylo", "hash": 244178526018590111084046490937265400852, "size": 4, "commit_id": "90d7619e9dd99bcdb6cd28c7649d741d254d9a1a", "message": "Add sysno check in MessageReader\n\nThe sysno in MessageReader is interpreted from the Message header passed\nfrom the host. 
A malicious Message header may provide a modified sysno\nto bypass the validation, and overwrites enclave memory. This change\nadds a check for sysno to make sure it matches the expected value.\n\nThis issue was reported by Qinkun Bao, Zhaofeng Chen, Mingshen Sun, and\nKang Li from Baidu Security.\n\nPiperOrigin-RevId: 377328054\nChange-Id: I3ff6f60694d3390f66da89d139cf7cc7b49abaea", "target": 0, "dataset": "other", "idx": 248773 }, { "func": "repodata_empty(Repodata *data, int localpool)\n{\n void (*loadcallback)(Repodata *) = data->loadcallback;\n int state = data->state;\n repodata_freedata(data);\n repodata_initdata(data, data->repo, localpool);\n data->state = state;\n data->loadcallback = loadcallback;\n}", "project": "libsolv", "hash": 198130743899255707132473966090643939302, "size": 9, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333143 }, { "func": "p11_rpc_buffer_new_full (size_t reserve,\n void * (* frealloc) (void *data, size_t size),\n void (* ffree) (void *data))\n{\n\tp11_buffer *buffer;\n\n\tbuffer = calloc (1, sizeof (p11_buffer));\n\treturn_val_if_fail (buffer != NULL, NULL);\n\n\tp11_buffer_init_full (buffer, NULL, 0, 0, frealloc, ffree);\n\tif (!p11_buffer_reset (buffer, reserve))\n\t\treturn_val_if_reached (NULL);\n\n\treturn buffer;\n}", "project": "p11-kit", "hash": 84026954722824705947284706230265303749, "size": 15, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, not\n*offset.", "target": 
0, "dataset": "other", "idx": 349503 }, { "func": "write_nuls_to_file (off_t num_bytes, int out_des, \n void (*writer) (char *in_buf, int out_des, off_t num_bytes))\n{\n off_t\tblocks;\n off_t\textra_bytes;\n off_t\ti;\n static char zeros_512[512];\n \n blocks = num_bytes / sizeof zeros_512;\n extra_bytes = num_bytes % sizeof zeros_512;\n for (i = 0; i < blocks; ++i)\n writer (zeros_512, out_des, sizeof zeros_512);\n if (extra_bytes)\n writer (zeros_512, out_des, extra_bytes);\n}", "target": 0, "cwe": [ "CWE-190" ], "project": "cpio", "commit_id": "dd96882877721703e19272fe25034560b794061b", "hash": 325580780693661806359561534419513257373, "size": 15, "message": "Rewrite dynamic string support.\n\n* src/dstring.c (ds_init): Take a single argument.\n(ds_free): New function.\n(ds_resize): Take a single argument. Use x2nrealloc to expand\nthe storage.\n(ds_reset,ds_append,ds_concat,ds_endswith): New function.\n(ds_fgetstr): Rewrite. In particular, this fixes integer overflow.\n* src/dstring.h (dynamic_string): Keep both the allocated length\n(ds_size) and index of the next free byte in the string (ds_idx).\n(ds_init,ds_resize): Change signature.\n(ds_len): New macro.\n(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.\n* src/copyin.c: Use new ds_ functions.\n* src/copyout.c: Likewise.\n* src/copypass.c: Likewise.\n* src/util.c: Likewise.", "dataset": "other", "idx": 499644 }, { "func": "open_archive (char *file)\n{\n int fd;\n void (*copy_in) ();\t\t/* Workaround for pcc bug. 
*/\n\n copy_in = process_copy_in;\n\n if (copy_function == copy_in)\n fd = rmtopen (file, O_RDONLY | O_BINARY, MODE_RW, rsh_command_option);\n else\n {\n if (!append_flag)\n\tfd = rmtopen (file, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, MODE_RW,\n\t\t\trsh_command_option);\n else\n\tfd = rmtopen (file, O_RDWR | O_BINARY, MODE_RW, rsh_command_option);\n }\n\n return fd;\n}", "target": 0, "cwe": [ "CWE-190" ], "project": "cpio", "commit_id": "dd96882877721703e19272fe25034560b794061b", "hash": 183625547136985666387687851399666807403, "size": 20, "message": "Rewrite dynamic string support.\n\n* src/dstring.c (ds_init): Take a single argument.\n(ds_free): New function.\n(ds_resize): Take a single argument. Use x2nrealloc to expand\nthe storage.\n(ds_reset,ds_append,ds_concat,ds_endswith): New function.\n(ds_fgetstr): Rewrite. In particular, this fixes integer overflow.\n* src/dstring.h (dynamic_string): Keep both the allocated length\n(ds_size) and index of the next free byte in the string (ds_idx).\n(ds_init,ds_resize): Change signature.\n(ds_len): New macro.\n(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.\n* src/copyin.c: Use new ds_ functions.\n* src/copyout.c: Likewise.\n* src/copypass.c: Likewise.\n* src/util.c: Likewise.", "dataset": "other", "idx": 499718 }, { "func": "RAMBlock *qemu_ram_alloc_resizeable(ram_addr_t size, ram_addr_t maxsz,\n void (*resized)(const char*,\n uint64_t length,\n void *host),\n MemoryRegion *mr, Error **errp)\n{\n return qemu_ram_alloc_internal(size, maxsz, resized, NULL,\n RAM_RESIZEABLE, mr, errp);\n}", "target": 0, "cwe": [ "CWE-908" ], "project": "qemu", "commit_id": "418ade7849ce7641c0f7333718caf5091a02fd4c", "hash": 181578742891391580864877295601917255405, "size": 9, "message": "softmmu: Always initialize xlat in address_space_translate_for_iotlb\n\nThe bug is an uninitialized memory read, along the translate_fail\npath, which results in garbage being read from iotlb_to_section,\nwhich can lead to a crash in 
io_readx/io_writex.\n\nThe bug may be fixed by writing any value with zero\nin ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using\nthe xlat'ed address returns io_mem_unassigned, as desired by the\ntranslate_fail path.\n\nIt is most useful to record the original physical page address,\nwhich will eventually be logged by memory_region_access_valid\nwhen the access is rejected by unassigned_mem_accepts.\n\nResolves: https://gitlab.com/qemu-project/qemu/-/issues/1065\nSigned-off-by: Richard Henderson \nReviewed-by: Peter Maydell \nMessage-Id: <20220621153829.366423-1-richard.henderson@linaro.org>", "dataset": "other", "idx": 514756 }, { "func": "void json_parser_flush_caches() {\n s_json_parser->flushSb();\n}", "project": "hhvm", "hash": 329226839433022082575259158025994260349, "size": 3, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227325 }, { "func": "static void reg_w_mask(struct sd *sd,\n\t\t\tu16 index,\n\t\t\tu8 value,\n\t\t\tu8 mask)\n{\n\tint ret;\n\tu8 oldval;\n\n\tif (mask != 0xff) {\n\t\tvalue &= mask;\t\t\t/* Enforce mask on value */\n\t\tret = reg_r(sd, index);\n\t\tif (ret < 0)\n\t\t\treturn;\n\n\t\toldval = ret & ~mask;\t\t/* Clear the masked bits */\n\t\tvalue |= oldval;\t\t/* Set the desired bits */\n\t}\n\treg_w(sd, index, value);\n}", "project": "linux", "hash": 171780424473879566697917709701077023177, "size": 19, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer 
on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306338 }, { "func": "void CLua::add_shutdown_listener(lua_shutdown_listener *listener)\n{\n if (find(shutdown_listeners.begin(), shutdown_listeners.end(), listener)\n == shutdown_listeners.end())\n {\n shutdown_listeners.push_back(listener);\n }\n}", "project": "crawl", "hash": 261973382360551265876783570272923463842, "size": 8, "commit_id": "768f60da87a3fa0b5561da5ade9309577c176d04", "message": "Disable lua bytecode loading", "target": 0, "dataset": "other", "idx": 230507 }, { "func": "static inline bool req_ref_inc_not_zero(struct io_kiocb *req)\n{\n\treturn atomic_inc_not_zero(&req->refs);\n}", "project": "linux", "hash": 230651898015952808246001011086415546427, "size": 4, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338534 }, { "func": "R_API void r_str_uri_decode(char *s) {\n\tint n;\n\tchar *d;\n\tfor (d = s; *s; s++, d++) {\n\t\tif (*s == '%') {\n\t\t\tsscanf (s + 1, \"%02x\", &n);\n\t\t\t*d = n;\n\t\t\ts += 2;\n\t\t} else {\n\t\t\t*d = *s;\n\t\t}\n\t}\n\t*d = 0;\n}", "project": "radare2", "hash": 258560394684183318860350199642410170971, "size": 14, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268803 }, { "func": "void input_event(struct input_dev *dev,\n\t\t unsigned int type, unsigned int code, int value)\n{\n\tunsigned long flags;\n\n\tif (is_event_supported(type, dev->evbit, EV_MAX)) {\n\n\t\tspin_lock_irqsave(&dev->event_lock, flags);\n\t\tinput_handle_event(dev, type, code, value);\n\t\tspin_unlock_irqrestore(&dev->event_lock, flags);\n\t}\n}", "project": "linux", "hash": 109462892472440389426749518257156991027, "size": 12, "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784", "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. 
Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov ", "target": 0, "dataset": "other", "idx": 353391 }, { "func": "bool checkreturn pb_skip_string(pb_istream_t *stream)\n{\n uint32_t length;\n if (!pb_decode_varint32(stream, &length))\n return false;\n \n return pb_read(stream, NULL, length);\n}", "project": "nanopb", "hash": 26959604630905098304747132361871071313, "size": 8, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252511 }, { "func": "void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat)\n{\n\t/* Default values; may be overwritten as we are parsing the\n\t * packets. */\n\tcrypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE;\n\tset_extent_mask_and_shift(crypt_stat);\n\tcrypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES;\n\tif (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)\n\t\tcrypt_stat->num_header_bytes_at_front = 0;\n\telse {\n\t\tif (PAGE_CACHE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)\n\t\t\tcrypt_stat->num_header_bytes_at_front =\n\t\t\t\tECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;\n\t\telse\n\t\t\tcrypt_stat->num_header_bytes_at_front =\tPAGE_CACHE_SIZE;\n\t}\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 98452490623481419142077551996807154212, "size": 17, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is 
larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. 
Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490178 }, { "func": "static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)\n{\n\tstruct hci_cp_disconnect *cp;\n\tstruct hci_conn *conn;\n\n\tif (!status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));\n\tif (conn) {\n\t\tu8 type = conn->type;\n\n\t\tmgmt_disconnect_failed(hdev, &conn->dst, conn->type,\n\t\t\t\t conn->dst_type, status);\n\n\t\t/* If the disconnection failed for any reason, the upper layer\n\t\t * does not retry to disconnect in current implementation.\n\t\t * Hence, we need to do some basic cleanup here and re-enable\n\t\t * advertising if necessary.\n\t\t */\n\t\thci_conn_del(conn);\n\t\tif (type == LE_LINK)\n\t\t\thci_req_reenable_advertising(hdev);\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 275491209589276271025324373022536858433, "size": 33, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431961 }, { "func": "static void nasm_verror_common(int severity, const char *fmt, va_list args)\n{\n char msg[1024];\n const char *pfx;\n\n switch (severity & (ERR_MASK|ERR_NO_SEVERITY)) {\n case ERR_WARNING:\n pfx = \"warning: \";\n break;\n case ERR_NONFATAL:\n pfx = \"error: \";\n break;\n case ERR_FATAL:\n pfx = \"fatal: \";\n break;\n case ERR_PANIC:\n pfx = \"panic: \";\n break;\n case ERR_DEBUG:\n pfx = \"debug: \";\n break;\n default:\n pfx = \"\";\n break;\n }\n\n vsnprintf(msg, sizeof msg - 64, fmt, args);\n if (is_valid_warning(severity) && WARN_IDX(severity) != ERR_WARN_OTHER) {\n char *p = strchr(msg, '\\0');\n\tsnprintf(p, 64, \" [-w+%s]\", warnings[WARN_IDX(severity)].name);\n }\n\n if (!skip_this_pass(severity))\n\tfprintf(error_file, \"%s%s\\n\", pfx, msg);\n\n /* Are we recursing from error_list_macros? 
*/\n if (severity & ERR_PP_LISTMACRO)\n\treturn;\n\n /*\n * Don't suppress this with skip_this_pass(), or we don't get\n * pass1 or preprocessor warnings in the list file\n */\n lfmt->error(severity, pfx, msg);\n\n if (skip_this_pass(severity))\n return;\n\n if (severity & ERR_USAGE)\n want_usage = true;\n\n preproc->error_list_macros(severity);\n\n switch (severity & ERR_MASK) {\n case ERR_DEBUG:\n /* no further action, by definition */\n break;\n case ERR_WARNING:\n /* Treat warnings as errors */\n if (warning_is_error(severity))\n terminate_after_phase = true;\n break;\n case ERR_NONFATAL:\n terminate_after_phase = true;\n break;\n case ERR_FATAL:\n if (ofile) {\n fclose(ofile);\n if (!keep_all)\n remove(outname);\n ofile = NULL;\n }\n if (want_usage)\n usage();\n exit(1); /* instantly die */\n break; /* placate silly compilers */\n case ERR_PANIC:\n fflush(NULL);\n\n if (abort_on_panic)\n abort();\t\t/* halt, catch fire, dump core/stop debugger */\n\n if (ofile) {\n fclose(ofile);\n if (!keep_all)\n remove(outname);\n ofile = NULL;\n }\n exit(3);\n break;\n }\n}", "project": "nasm", "hash": 144628025537600608146298140054780346590, "size": 92, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257476 }, { "func": "struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,\n\t\t\t\t unsigned long addr,\n\t\t\t\t pmd_t *pmd,\n\t\t\t\t unsigned int flags)\n{\n\tstruct mm_struct *mm = vma->vm_mm;\n\tstruct page *page = NULL;\n\n\tassert_spin_locked(pmd_lockptr(mm, pmd));\n\n\tif (flags & FOLL_WRITE && !can_follow_write_pmd(*pmd, flags))\n\t\tgoto out;\n\n\t/* Avoid dumping huge zero page */\n\tif ((flags & FOLL_DUMP) && is_huge_zero_pmd(*pmd))\n\t\treturn ERR_PTR(-EFAULT);\n\n\t/* Full NUMA hinting 
faults to serialise migration in fault paths */\n\tif ((flags & FOLL_NUMA) && pmd_protnone(*pmd))\n\t\tgoto out;\n\n\tpage = pmd_page(*pmd);\n\tVM_BUG_ON_PAGE(!PageHead(page) && !is_zone_device_page(page), page);\n\n\tif (!try_grab_page(page, flags))\n\t\treturn ERR_PTR(-ENOMEM);\n\n\tif (flags & FOLL_TOUCH)\n\t\ttouch_pmd(vma, addr, pmd, flags);\n\n\tif ((flags & FOLL_MLOCK) && (vma->vm_flags & VM_LOCKED)) {\n\t\t/*\n\t\t * We don't mlock() pte-mapped THPs. This way we can avoid\n\t\t * leaking mlocked pages into non-VM_LOCKED VMAs.\n\t\t *\n\t\t * For anon THP:\n\t\t *\n\t\t * In most cases the pmd is the only mapping of the page as we\n\t\t * break COW for the mlock() -- see gup_flags |= FOLL_WRITE for\n\t\t * writable private mappings in populate_vma_page_range().\n\t\t *\n\t\t * The only scenario when we have the page shared here is if we\n\t\t * mlocking read-only mapping shared over fork(). We skip\n\t\t * mlocking such pages.\n\t\t *\n\t\t * For file THP:\n\t\t *\n\t\t * We can expect PageDoubleMap() to be stable under page lock:\n\t\t * for file pages we set it in page_add_file_rmap(), which\n\t\t * requires page to be locked.\n\t\t */\n\n\t\tif (PageAnon(page) && compound_mapcount(page) != 1)\n\t\t\tgoto skip_mlock;\n\t\tif (PageDoubleMap(page) || !page->mapping)\n\t\t\tgoto skip_mlock;\n\t\tif (!trylock_page(page))\n\t\t\tgoto skip_mlock;\n\t\tlru_add_drain();\n\t\tif (page->mapping && !PageDoubleMap(page))\n\t\t\tmlock_vma_page(page);\n\t\tunlock_page(page);\n\t}\nskip_mlock:\n\tpage += (addr & ~HPAGE_PMD_MASK) >> PAGE_SHIFT;\n\tVM_BUG_ON_PAGE(!PageCompound(page) && !is_zone_device_page(page), page);\n\nout:\n\treturn page;\n}", "project": "linux", "hash": 100168424101257642871656345665759044313, "size": 70, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. 
This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364145 }, { "func": "struct page *follow_devmap_pud(struct vm_area_struct *vma, unsigned long addr,\n\t\tpud_t *pud, int flags, struct dev_pagemap **pgmap)\n{\n\tunsigned long pfn = pud_pfn(*pud);\n\tstruct mm_struct *mm = vma->vm_mm;\n\tstruct page *page;\n\n\tassert_spin_locked(pud_lockptr(mm, pud));\n\n\tif (flags & FOLL_WRITE && !pud_write(*pud))\n\t\treturn NULL;\n\n\t/* FOLL_GET and FOLL_PIN are mutually exclusive. 
*/\n\tif (WARN_ON_ONCE((flags & (FOLL_PIN | FOLL_GET)) ==\n\t\t\t (FOLL_PIN | FOLL_GET)))\n\t\treturn NULL;\n\n\tif (pud_present(*pud) && pud_devmap(*pud))\n\t\t/* pass */;\n\telse\n\t\treturn NULL;\n\n\tif (flags & FOLL_TOUCH)\n\t\ttouch_pud(vma, addr, pud, flags);\n\n\t/*\n\t * device mapped pages can only be returned if the\n\t * caller will manage the page reference count.\n\t *\n\t * At least one of FOLL_GET | FOLL_PIN must be set, so assert that here:\n\t */\n\tif (!(flags & (FOLL_GET | FOLL_PIN)))\n\t\treturn ERR_PTR(-EEXIST);\n\n\tpfn += (addr & ~PUD_MASK) >> PAGE_SHIFT;\n\t*pgmap = get_dev_pagemap(pfn, *pgmap);\n\tif (!*pgmap)\n\t\treturn ERR_PTR(-EFAULT);\n\tpage = pfn_to_page(pfn);\n\tif (!try_grab_page(page, flags))\n\t\tpage = ERR_PTR(-ENOMEM);\n\n\treturn page;\n}", "project": "linux", "hash": 294103260657905415649471378019006066053, "size": 44, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). 
Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364156 }, { "func": "struct page *follow_devmap_pmd(struct vm_area_struct *vma, unsigned long addr,\n\t\tpmd_t *pmd, int flags, struct dev_pagemap **pgmap)\n{\n\tunsigned long pfn = pmd_pfn(*pmd);\n\tstruct mm_struct *mm = vma->vm_mm;\n\tstruct page *page;\n\n\tassert_spin_locked(pmd_lockptr(mm, pmd));\n\n\t/*\n\t * When we COW a devmap PMD entry, we split it into PTEs, so we should\n\t * not be in this function with `flags & FOLL_COW` set.\n\t */\n\tWARN_ONCE(flags & FOLL_COW, \"mm: In follow_devmap_pmd with FOLL_COW set\");\n\n\t/* FOLL_GET and FOLL_PIN are mutually exclusive. 
*/\n\tif (WARN_ON_ONCE((flags & (FOLL_PIN | FOLL_GET)) ==\n\t\t\t (FOLL_PIN | FOLL_GET)))\n\t\treturn NULL;\n\n\tif (flags & FOLL_WRITE && !pmd_write(*pmd))\n\t\treturn NULL;\n\n\tif (pmd_present(*pmd) && pmd_devmap(*pmd))\n\t\t/* pass */;\n\telse\n\t\treturn NULL;\n\n\tif (flags & FOLL_TOUCH)\n\t\ttouch_pmd(vma, addr, pmd, flags);\n\n\t/*\n\t * device mapped pages can only be returned if the\n\t * caller will manage the page reference count.\n\t */\n\tif (!(flags & (FOLL_GET | FOLL_PIN)))\n\t\treturn ERR_PTR(-EEXIST);\n\n\tpfn += (addr & ~PMD_MASK) >> PAGE_SHIFT;\n\t*pgmap = get_dev_pagemap(pfn, *pgmap);\n\tif (!*pgmap)\n\t\treturn ERR_PTR(-EFAULT);\n\tpage = pfn_to_page(pfn);\n\tif (!try_grab_page(page, flags))\n\t\tpage = ERR_PTR(-ENOMEM);\n\n\treturn page;\n}", "project": "linux", "hash": 236441366463219685971361213616450467387, "size": 48, "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040", "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). 
Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli \nSuggested-by: Jann Horn \nReported-by: Jann Horn \nAcked-by: Kirill A. Shutemov \nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 364172 }, { "func": "static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)\n{\n\tstruct io_ring_ctx *ctx = req->ctx;\n\n\tio_poll_remove_double(req, req->io);\n\treq->poll.done = true;\n\tio_cqring_fill_event(req, error ? error : mangle_poll(mask));\n\tio_commit_cqring(ctx);\n}", "project": "linux", "hash": 281304753813252639204312110114208228380, "size": 9, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456922 }, { "func": "static int sctp_getsockopt_peer_addr_params(struct sock *sk, int len,\n\t\t\t\t\t char __user *optval, int __user *optlen)\n{\n\tstruct sctp_paddrparams params;\n\tstruct sctp_transport *trans = NULL;\n\tstruct sctp_association *asoc = NULL;\n\tstruct sctp_sock *sp = sctp_sk(sk);\n\n\tif (len >= sizeof(params))\n\t\tlen = sizeof(params);\n\telse if (len >= ALIGN(offsetof(struct sctp_paddrparams,\n\t\t\t\t 
spp_ipv6_flowlabel), 4))\n\t\tlen = ALIGN(offsetof(struct sctp_paddrparams,\n\t\t\t\t spp_ipv6_flowlabel), 4);\n\telse\n\t\treturn -EINVAL;\n\n\tif (copy_from_user(&params, optval, len))\n\t\treturn -EFAULT;\n\n\t/* If an address other than INADDR_ANY is specified, and\n\t * no transport is found, then the request is invalid.\n\t */\n\tif (!sctp_is_any(sk, (union sctp_addr *)&params.spp_address)) {\n\t\ttrans = sctp_addr_id2transport(sk, &params.spp_address,\n\t\t\t\t\t params.spp_assoc_id);\n\t\tif (!trans) {\n\t\t\tpr_debug(\"%s: failed no transport\\n\", __func__);\n\t\t\treturn -EINVAL;\n\t\t}\n\t}\n\n\t/* Get association, if assoc_id != SCTP_FUTURE_ASSOC and the\n\t * socket is a one to many style socket, and an association\n\t * was not found, then the id was invalid.\n\t */\n\tasoc = sctp_id2assoc(sk, params.spp_assoc_id);\n\tif (!asoc && params.spp_assoc_id != SCTP_FUTURE_ASSOC &&\n\t sctp_style(sk, UDP)) {\n\t\tpr_debug(\"%s: failed no association\\n\", __func__);\n\t\treturn -EINVAL;\n\t}\n\n\tif (trans) {\n\t\t/* Fetch transport values. */\n\t\tparams.spp_hbinterval = jiffies_to_msecs(trans->hbinterval);\n\t\tparams.spp_pathmtu = trans->pathmtu;\n\t\tparams.spp_pathmaxrxt = trans->pathmaxrxt;\n\t\tparams.spp_sackdelay = jiffies_to_msecs(trans->sackdelay);\n\n\t\t/*draft-11 doesn't say what to return in spp_flags*/\n\t\tparams.spp_flags = trans->param_flags;\n\t\tif (trans->flowlabel & SCTP_FLOWLABEL_SET_MASK) {\n\t\t\tparams.spp_ipv6_flowlabel = trans->flowlabel &\n\t\t\t\t\t\t SCTP_FLOWLABEL_VAL_MASK;\n\t\t\tparams.spp_flags |= SPP_IPV6_FLOWLABEL;\n\t\t}\n\t\tif (trans->dscp & SCTP_DSCP_SET_MASK) {\n\t\t\tparams.spp_dscp\t= trans->dscp & SCTP_DSCP_VAL_MASK;\n\t\t\tparams.spp_flags |= SPP_DSCP;\n\t\t}\n\t} else if (asoc) {\n\t\t/* Fetch association values. 
*/\n\t\tparams.spp_hbinterval = jiffies_to_msecs(asoc->hbinterval);\n\t\tparams.spp_pathmtu = asoc->pathmtu;\n\t\tparams.spp_pathmaxrxt = asoc->pathmaxrxt;\n\t\tparams.spp_sackdelay = jiffies_to_msecs(asoc->sackdelay);\n\n\t\t/*draft-11 doesn't say what to return in spp_flags*/\n\t\tparams.spp_flags = asoc->param_flags;\n\t\tif (asoc->flowlabel & SCTP_FLOWLABEL_SET_MASK) {\n\t\t\tparams.spp_ipv6_flowlabel = asoc->flowlabel &\n\t\t\t\t\t\t SCTP_FLOWLABEL_VAL_MASK;\n\t\t\tparams.spp_flags |= SPP_IPV6_FLOWLABEL;\n\t\t}\n\t\tif (asoc->dscp & SCTP_DSCP_SET_MASK) {\n\t\t\tparams.spp_dscp\t= asoc->dscp & SCTP_DSCP_VAL_MASK;\n\t\t\tparams.spp_flags |= SPP_DSCP;\n\t\t}\n\t} else {\n\t\t/* Fetch socket values. */\n\t\tparams.spp_hbinterval = sp->hbinterval;\n\t\tparams.spp_pathmtu = sp->pathmtu;\n\t\tparams.spp_sackdelay = sp->sackdelay;\n\t\tparams.spp_pathmaxrxt = sp->pathmaxrxt;\n\n\t\t/*draft-11 doesn't say what to return in spp_flags*/\n\t\tparams.spp_flags = sp->param_flags;\n\t\tif (sp->flowlabel & SCTP_FLOWLABEL_SET_MASK) {\n\t\t\tparams.spp_ipv6_flowlabel = sp->flowlabel &\n\t\t\t\t\t\t SCTP_FLOWLABEL_VAL_MASK;\n\t\t\tparams.spp_flags |= SPP_IPV6_FLOWLABEL;\n\t\t}\n\t\tif (sp->dscp & SCTP_DSCP_SET_MASK) {\n\t\t\tparams.spp_dscp\t= sp->dscp & SCTP_DSCP_VAL_MASK;\n\t\t\tparams.spp_flags |= SPP_DSCP;\n\t\t}\n\t}\n\n\tif (copy_to_user(optval, &params, len))\n\t\treturn -EFAULT;\n\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 85946682648898078809556621330159329169, "size": 107, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398074 }, { "func": "static void tree_insert(struct rb_root *root, struct fuse_writepage_args *wpa)\n{\n\tWARN_ON(fuse_insert_writeback(root, wpa));\n}", "project": "linux", "hash": 173180327416337962634329704514171057444, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342152 }, { "func": "R_API int r_socket_ready(RSocket *s, int secs, int usecs) {\n\tfd_set rfds;\n\tstruct timeval tv = {secs, usecs};\n\tif (s->fd == R_INVALID_SOCKET) {\n\t\treturn -1;\n\t}\n\tFD_ZERO (&rfds);\n\tFD_SET (s->fd, &rfds);\n\treturn select (s->fd + 1, &rfds, NULL, NULL, &tv);\n}", "project": "radare2", "hash": 201939798112563123191950711343933466645, "size": 10, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269017 }, { "func": "int umd_unload_blob(struct umd_info *info)\n{\n\tif (WARN_ON_ONCE(!info->wd.mnt ||\n\t\t\t !info->wd.dentry ||\n\t\t\t info->wd.mnt->mnt_root != info->wd.dentry))\n\t\treturn -EINVAL;\n\n\tkern_unmount(info->wd.mnt);\n\tinfo->wd.mnt = NULL;\n\tinfo->wd.dentry = NULL;\n\treturn 0;\n}", "project": "linux", "hash": 104634038503583500479999829263239493719, "size": 12, "commit_id": "f60a85cad677c4f9bb4cadd764f1d106c38c7cf8", "message": "bpf: Fix umd memory leak in copy_process()\n\nThe syzbot reported a memleak as follows:\n\nBUG: memory leak\nunreferenced object 0xffff888101b41d00 (size 120):\n comm \"kworker/u4:0\", pid 8, jiffies 4294944270 (age 12.780s)\n backtrace:\n [] alloc_pid+0x66/0x560\n [] copy_process+0x1465/0x25e0\n [] kernel_clone+0xf3/0x670\n [] kernel_thread+0x61/0x80\n [] call_usermodehelper_exec_work\n [] call_usermodehelper_exec_work+0xc4/0x120\n [] process_one_work+0x2c9/0x600\n [] worker_thread+0x59/0x5d0\n [] kthread+0x178/0x1b0\n [] ret_from_fork+0x1f/0x30\n\nunreferenced object 0xffff888110ef5c00 (size 232):\n comm \"kworker/u4:0\", pid 8414, jiffies 4294944270 (age 12.780s)\n backtrace:\n [] kmem_cache_zalloc\n [] __alloc_file+0x1f/0xf0\n [] alloc_empty_file+0x69/0x120\n [] alloc_file+0x33/0x1b0\n [] alloc_file_pseudo+0xb2/0x140\n [] create_pipe_files+0x138/0x2e0\n [] umd_setup+0x33/0x220\n [] call_usermodehelper_exec_async+0xb4/0x1b0\n [] 
ret_from_fork+0x1f/0x30\n\nAfter the UMD process exits, the pipe_to_umh/pipe_from_umh and\ntgid need to be released.\n\nFixes: d71fa5c9763c (\"bpf: Add kernel module with user mode driver that populates bpffs.\")\nReported-by: syzbot+44908bb56d2bfe56b28e@syzkaller.appspotmail.com\nSigned-off-by: Zqiang \nSigned-off-by: Daniel Borkmann \nLink: https://lore.kernel.org/bpf/20210317030915.2865-1-qiang.zhang@windriver.com", "target": 0, "dataset": "other", "idx": 385298 }, { "func": "static void buffer_shift(ssh_buffer buffer)\n{\n size_t burn_pos = buffer->pos;\n\n buffer_verify(buffer);\n\n if (buffer->pos == 0) {\n return;\n }\n memmove(buffer->data,\n buffer->data + buffer->pos,\n buffer->used - buffer->pos);\n buffer->used -= buffer->pos;\n buffer->pos = 0;\n\n if (buffer->secure) {\n void *ptr = buffer->data + buffer->used;\n explicit_bzero(ptr, burn_pos);\n }\n\n buffer_verify(buffer);\n}", "project": "libssh-mirror", "hash": 217817082170979374712369803316774790139, "size": 22, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345158 }, { "func": "static inline int tcp_paws_discard(const struct sock *sk,\n\t\t\t\t const struct sk_buff *skb)\n{\n\tconst struct tcp_sock *tp = tcp_sk(sk);\n\n\treturn !tcp_paws_check(&tp->rx_opt, TCP_PAWS_WINDOW) &&\n\t !tcp_disordered_ack(sk, skb);\n}", "project": "net-next", "hash": 71105559454206627022653433345864313598, "size": 8, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 409905 }, { "func": "bool skip_setup_conds(THD *thd)\n{\n return (!thd->stmt_arena->is_conventional()\n && !thd->stmt_arena->is_stmt_prepare_or_first_sp_execute())\n || thd->lex->is_view_context_analysis();\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 164354002827399113364492603310751780740, "size": 6, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508427 }, { "func": "void kvm_vcpu_block(struct kvm_vcpu *vcpu)\n{\n\tktime_t start, cur;\n\tDECLARE_SWAITQUEUE(wait);\n\tbool waited = false;\n\tu64 block_ns;\n\n\tkvm_arch_vcpu_blocking(vcpu);\n\n\tstart = cur = ktime_get();\n\tif (vcpu->halt_poll_ns && !kvm_arch_no_poll(vcpu)) {\n\t\tktime_t stop = ktime_add_ns(ktime_get(), vcpu->halt_poll_ns);\n\n\t\t++vcpu->stat.halt_attempted_poll;\n\t\tdo {\n\t\t\t/*\n\t\t\t * This sets KVM_REQ_UNHALT if an interrupt\n\t\t\t * arrives.\n\t\t\t */\n\t\t\tif (kvm_vcpu_check_block(vcpu) < 0) {\n\t\t\t\t++vcpu->stat.halt_successful_poll;\n\t\t\t\tif (!vcpu_valid_wakeup(vcpu))\n\t\t\t\t\t++vcpu->stat.halt_poll_invalid;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tcur = ktime_get();\n\t\t} while (single_task_running() && ktime_before(cur, stop));\n\t}\n\n\tfor (;;) {\n\t\tprepare_to_swait_exclusive(&vcpu->wq, &wait, TASK_INTERRUPTIBLE);\n\n\t\tif (kvm_vcpu_check_block(vcpu) < 0)\n\t\t\tbreak;\n\n\t\twaited = true;\n\t\tschedule();\n\t}\n\n\tfinish_swait(&vcpu->wq, &wait);\n\tcur = ktime_get();\nout:\n\tkvm_arch_vcpu_unblocking(vcpu);\n\tblock_ns = ktime_to_ns(cur) - ktime_to_ns(start);\n\n\tif (!kvm_arch_no_poll(vcpu)) {\n\t\tif (!vcpu_valid_wakeup(vcpu)) {\n\t\t\tshrink_halt_poll_ns(vcpu);\n\t\t} else if (halt_poll_ns) {\n\t\t\tif (block_ns <= vcpu->halt_poll_ns)\n\t\t\t\t;\n\t\t\t/* we had a long block, shrink polling */\n\t\t\telse if (vcpu->halt_poll_ns && block_ns > halt_poll_ns)\n\t\t\t\tshrink_halt_poll_ns(vcpu);\n\t\t\t/* we had a short halt and our poll time is too small */\n\t\t\telse if (vcpu->halt_poll_ns < halt_poll_ns &&\n\t\t\t\tblock_ns < halt_poll_ns)\n\t\t\t\tgrow_halt_poll_ns(vcpu);\n\t\t} else {\n\t\t\tvcpu->halt_poll_ns = 0;\n\t\t}\n\t}\n\n\ttrace_kvm_vcpu_wakeup(block_ns, waited, 
vcpu_valid_wakeup(vcpu));\n\tkvm_arch_vcpu_block_finish(vcpu);\n}", "project": "linux", "hash": 158472393318836440178246983613526846145, "size": 66, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354775 }, { "func": "void kvm_vcpu_block(struct kvm_vcpu *vcpu)\n{\n\tktime_t start, cur, poll_end;\n\tbool waited = false;\n\tu64 block_ns;\n\n\tkvm_arch_vcpu_blocking(vcpu);\n\n\tstart = cur = poll_end = ktime_get();\n\tif (vcpu->halt_poll_ns && !kvm_arch_no_poll(vcpu)) {\n\t\tktime_t stop = ktime_add_ns(ktime_get(), vcpu->halt_poll_ns);\n\n\t\t++vcpu->stat.halt_attempted_poll;\n\t\tdo {\n\t\t\t/*\n\t\t\t * This sets KVM_REQ_UNHALT if an interrupt\n\t\t\t * arrives.\n\t\t\t */\n\t\t\tif (kvm_vcpu_check_block(vcpu) < 0) {\n\t\t\t\t++vcpu->stat.halt_successful_poll;\n\t\t\t\tif (!vcpu_valid_wakeup(vcpu))\n\t\t\t\t\t++vcpu->stat.halt_poll_invalid;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tpoll_end = cur = ktime_get();\n\t\t} while (kvm_vcpu_can_poll(cur, stop));\n\t}\n\n\tprepare_to_rcuwait(&vcpu->wait);\n\tfor (;;) {\n\t\tset_current_state(TASK_INTERRUPTIBLE);\n\n\t\tif (kvm_vcpu_check_block(vcpu) < 0)\n\t\t\tbreak;\n\n\t\twaited = true;\n\t\tschedule();\n\t}\n\tfinish_rcuwait(&vcpu->wait);\n\tcur = ktime_get();\nout:\n\tkvm_arch_vcpu_unblocking(vcpu);\n\tblock_ns = ktime_to_ns(cur) - 
ktime_to_ns(start);\n\n\tupdate_halt_poll_stats(\n\t\tvcpu, ktime_to_ns(ktime_sub(poll_end, start)), waited);\n\n\tif (!kvm_arch_no_poll(vcpu)) {\n\t\tif (!vcpu_valid_wakeup(vcpu)) {\n\t\t\tshrink_halt_poll_ns(vcpu);\n\t\t} else if (vcpu->kvm->max_halt_poll_ns) {\n\t\t\tif (block_ns <= vcpu->halt_poll_ns)\n\t\t\t\t;\n\t\t\t/* we had a long block, shrink polling */\n\t\t\telse if (vcpu->halt_poll_ns &&\n\t\t\t\t\tblock_ns > vcpu->kvm->max_halt_poll_ns)\n\t\t\t\tshrink_halt_poll_ns(vcpu);\n\t\t\t/* we had a short halt and our poll time is too small */\n\t\t\telse if (vcpu->halt_poll_ns < vcpu->kvm->max_halt_poll_ns &&\n\t\t\t\t\tblock_ns < vcpu->kvm->max_halt_poll_ns)\n\t\t\t\tgrow_halt_poll_ns(vcpu);\n\t\t} else {\n\t\t\tvcpu->halt_poll_ns = 0;\n\t\t}\n\t}\n\n\ttrace_kvm_vcpu_wakeup(block_ns, waited, vcpu_valid_wakeup(vcpu));\n\tkvm_arch_vcpu_block_finish(vcpu);\n}", "project": "linux", "hash": 263754280320562546015699989940686729987, "size": 69, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404068 }, { "func": "const TfLiteTensor* GetOptionalInputTensor(const TfLiteContext* context,\n const TfLiteNode* node, int index) {\n const bool use_tensor = index < node->inputs->size &&\n node->inputs->data[index] != kTfLiteOptionalTensor;\n if (use_tensor) {\n return GetMutableInput(context, node, index);\n }\n return nullptr;\n}", "project": "tensorflow", "hash": 268531922670221259458581656815740967324, "size": 9, "commit_id": "00302787b788c5ff04cb6f62aed5a74d936e86c0", "message": "[tflite] Make `GetOptionalInputTensor` the same as `GetInput`.\n\nWith the previous change, there is no more need for two separate APIs. We would deprecate `GetOptionalInputTensor` in the future.\n\nPiperOrigin-RevId: 332513386\nChange-Id: Id7110271c25ebd6126ad8c82a493e37e0e0756b3", "target": 1, "dataset": "other", "idx": 198155 }, { "func": " uint divisor_precision_increment() const\n {\n return decimals < NOT_FIXED_DEC ? 
decimals :\n is_temporal_type_with_time(field_type()) ?\n TIME_SECOND_PART_DIGITS :\n decimals;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 310038734749218382917301989416816511995, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509003 }, { "func": "AGGR_OP::end_send()\n{\n enum_nested_loop_state rc= NESTED_LOOP_OK;\n TABLE *table= join_tab->table;\n JOIN *join= join_tab->join;\n\n // All records were stored, send them further\n int tmp, new_errno= 0;\n\n if ((rc= put_record(true)) < NESTED_LOOP_OK)\n return rc;\n\n if ((tmp= table->file->extra(HA_EXTRA_NO_CACHE)))\n {\n DBUG_PRINT(\"error\",(\"extra(HA_EXTRA_NO_CACHE) failed\"));\n new_errno= tmp;\n }\n if ((tmp= table->file->ha_index_or_rnd_end()))\n {\n DBUG_PRINT(\"error\",(\"ha_index_or_rnd_end() failed\"));\n new_errno= tmp;\n }\n if (new_errno)\n {\n table->file->print_error(new_errno,MYF(0));\n return NESTED_LOOP_ERROR;\n }\n\n // Update ref array\n join_tab->join->set_items_ref_array(*join_tab->ref_array);\n bool keep_last_filesort_result = join_tab->filesort ? false : true;\n if (join_tab->window_funcs_step)\n {\n if (join_tab->window_funcs_step->exec(join, keep_last_filesort_result))\n return NESTED_LOOP_ERROR;\n }\n\n table->reginfo.lock_type= TL_UNLOCK;\n\n bool in_first_read= true;\n while (rc == NESTED_LOOP_OK)\n {\n int error;\n if (in_first_read)\n {\n in_first_read= false;\n error= join_init_read_record(join_tab);\n }\n else\n error= join_tab->read_record.read_record();\n\n if (unlikely(error > 0 || (join->thd->is_error()))) // Fatal error\n rc= NESTED_LOOP_ERROR;\n else if (error < 0)\n break;\n else if (unlikely(join->thd->killed))\t\t // Aborted by user\n {\n join->thd->send_kill_message();\n rc= NESTED_LOOP_KILLED;\n }\n else\n {\n rc= evaluate_join_record(join, join_tab, 0);\n }\n }\n\n if (keep_last_filesort_result)\n {\n delete join_tab->filesort_result;\n join_tab->filesort_result= NULL;\n }\n\n // Finish rnd scn after sending records\n if (join_tab->table->file->inited)\n join_tab->table->file->ha_rnd_end();\n\n return rc;\n}", "target": 0, 
"cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 10398993763661269545394781484323693991, "size": 78, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508632 }, { "func": "HttpStateData::decodeAndWriteReplyBody()\n{\n const char *data = NULL;\n int len;\n bool wasThereAnException = false;\n assert(flags.chunked);\n assert(httpChunkDecoder);\n SQUID_ENTER_THROWING_CODE();\n MemBuf decodedData;\n decodedData.init();\n httpChunkDecoder->setPayloadBuffer(&decodedData);\n const bool doneParsing = httpChunkDecoder->parse(inBuf);\n inBuf = httpChunkDecoder->remaining(); // sync buffers after parse\n len = decodedData.contentSize();\n data=decodedData.content();\n addVirginReplyBody(data, len);\n if (doneParsing) {\n lastChunk = 1;\n flags.do_next_read = false;\n }\n SQUID_EXIT_THROWING_CODE(wasThereAnException);\n return wasThereAnException;\n}", "project": "squid", "hash": 212493385006047600971478340620679183142, "size": 23, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling 
(#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402336 }, { "func": "void WebContents::InspectElement(int x, int y) {\n if (type_ == Type::REMOTE)\n return;\n\n if (!enable_devtools_)\n return;\n\n if (!managed_web_contents()->GetDevToolsWebContents())\n OpenDevTools(nullptr);\n managed_web_contents()->InspectElement(x, y);\n}", "project": "electron", "hash": 211211220812959017464206012320075033912, "size": 11, "commit_id": "18613925610ba319da7f497b6deed85ad712c59b", "message": "refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25108)\n\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL (#25065)\r\n\r\n* refactor: wire will-navigate up to a navigation throttle instead of OpenURL\r\n\r\n* spec: add test for x-site _top navigation\r\n\r\n* chore: old code be old", "target": 0, "dataset": "other", "idx": 269755 }, { "func": "static inline int aalg_tmpl_set(const struct xfrm_tmpl *t,\n\t\t\t\tconst struct xfrm_algo_desc *d)\n{\n\tunsigned int id = d->desc.sadb_alg_id;\n\n\tif (id >= sizeof(t->aalgos) * 8)\n\t\treturn 0;\n\n\treturn (t->aalgos >> id) & 1;\n}", "project": "linux", "hash": 70529167697043716682602682871747034190, "size": 10, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function 
pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 267994 }, { "func": "static void grow_halt_poll_ns(struct kvm_vcpu *vcpu)\n{\n\tunsigned int old, val, grow, grow_start;\n\n\told = val = vcpu->halt_poll_ns;\n\tgrow_start = READ_ONCE(halt_poll_ns_grow_start);\n\tgrow = READ_ONCE(halt_poll_ns_grow);\n\tif (!grow)\n\t\tgoto out;\n\n\tval *= grow;\n\tif (val < grow_start)\n\t\tval = grow_start;\n\n\tif (val > halt_poll_ns)\n\t\tval = halt_poll_ns;\n\n\tvcpu->halt_poll_ns = val;\nout:\n\ttrace_kvm_halt_poll_ns_grow(vcpu->vcpu_id, val, old);\n}", "project": "linux", "hash": 316846605760302483904794705014928331723, "size": 21, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354835 }, { "func": "static void grow_halt_poll_ns(struct kvm_vcpu *vcpu)\n{\n\tunsigned int old, val, grow, grow_start;\n\n\told = val = 
vcpu->halt_poll_ns;\n\tgrow_start = READ_ONCE(halt_poll_ns_grow_start);\n\tgrow = READ_ONCE(halt_poll_ns_grow);\n\tif (!grow)\n\t\tgoto out;\n\n\tval *= grow;\n\tif (val < grow_start)\n\t\tval = grow_start;\n\n\tif (val > vcpu->kvm->max_halt_poll_ns)\n\t\tval = vcpu->kvm->max_halt_poll_ns;\n\n\tvcpu->halt_poll_ns = val;\nout:\n\ttrace_kvm_halt_poll_ns_grow(vcpu->vcpu_id, val, old);\n}", "project": "linux", "hash": 138206457399084405173481349749554487228, "size": 21, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404091 }, { "func": "static void initialize_pointer_field(void *pItem, pb_field_iter_t *iter)\n{\n if (PB_LTYPE(iter->pos->type) == PB_LTYPE_STRING ||\n PB_LTYPE(iter->pos->type) == PB_LTYPE_BYTES)\n {\n *(void**)pItem = NULL;\n }\n else if (PB_LTYPE(iter->pos->type) == PB_LTYPE_SUBMESSAGE)\n {\n /* We memset to zero so that any callbacks are set to NULL.\n * Then set any default values. 
*/\n memset(pItem, 0, iter->pos->data_size);\n pb_message_set_to_defaults((const pb_field_t *) iter->pos->ptr, pItem);\n }\n}", "project": "nanopb", "hash": 258772843963509291176726920420396131596, "size": 15, "commit_id": "aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 252493 }, { "func": "static void initialize_pointer_field(void *pItem, pb_field_iter_t *field)\n{\n if (PB_LTYPE(field->type) == PB_LTYPE_STRING ||\n PB_LTYPE(field->type) == PB_LTYPE_BYTES)\n {\n *(void**)pItem = NULL;\n }\n else if (PB_LTYPE_IS_SUBMSG(field->type))\n {\n /* We memset to zero so that any callbacks are set to NULL.\n * Default values will be set by pb_dec_submessage(). */\n memset(pItem, 0, field->data_size);\n }\n}", "project": "nanopb", "hash": 298291139306989254953978609192634366274, "size": 14, "commit_id": "e2f0ccf939d9f82931d085acb6df8e9a182a4261", "message": "Fix invalid free() with oneof (#647)\n\nNanopb would call free() or realloc() on an invalid\n(attacker controlled) pointer value when all the following\nconditions are true:\n\n- PB_ENABLE_MALLOC is defined at the compile time\n- Message definition contains an oneof field, and the oneof\n contains at least one pointer type field and at least one\n non-pointer type field.\n- Data being decoded first contains a non-pointer value for\n the oneof field, and later contains an overwriting pointer\n value.\n\nDepending on message layout, the bug may not be exploitable in all\ncases, but it is known to be exploitable at least with string and\nbytes fields. 
Actual security impact will also depend on the heap\nimplementation used.", "target": 0, "dataset": "other", "idx": 254702 }, { "func": "static void initialize_pointer_field(void *pItem, pb_field_iterator_t *iter)\n{\n if (PB_LTYPE(iter->pos->type) == PB_LTYPE_STRING ||\n PB_LTYPE(iter->pos->type) == PB_LTYPE_BYTES)\n {\n *(void**)pItem = NULL;\n }\n else if (PB_LTYPE(iter->pos->type) == PB_LTYPE_SUBMESSAGE)\n {\n pb_message_set_to_defaults((const pb_field_t *) iter->pos->ptr, pItem);\n }\n}", "project": "nanopb", "hash": 68111298595250759703080380251568777449, "size": 12, "commit_id": "7b396821ddd06df8e39143f16e1dc0a4645b89a3", "message": "Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)", "target": 0, "dataset": "other", "idx": 255352 }, { "func": "static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\thci_dev_set_flag(hdev, HCI_PERIODIC_INQ);\n}", "project": "linux", "hash": 24926333872858325980104440719523263858, "size": 11, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 432032 }, { "func": "int ip_local_out(struct net *net, struct sock *sk, struct sk_buff *skb)\n{\n\tint err;\n\n\terr = __ip_local_out(net, sk, skb);\n\tif (likely(err == 1))\n\t\terr = dst_output(net, sk, skb);\n\n\treturn err;\n}", "project": "net", "hash": 28213141011060935645441177863272627438, "size": 10, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 468977 }, { "func": "static ssize_t cpu_partial_store(struct kmem_cache *s, const char *buf,\n\t\t\t\t size_t length)\n{\n\tunsigned int objects;\n\tint err;\n\n\terr = kstrtouint(buf, 10, &objects);\n\tif (err)\n\t\treturn err;\n\tif (objects && !kmem_cache_has_cpu_partial(s))\n\t\treturn -EINVAL;\n\n\tslub_set_cpu_partial(s, objects);\n\tflush_all(s);\n\treturn length;\n}", "project": "linux", "hash": 164241274551730718705297583688556004543, "size": 16, "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 280260 }, { "func": "static void handle_rx(struct vhost_net *net)\n{\n\tstruct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_RX];\n\tstruct vhost_virtqueue *vq = &nvq->vq;\n\tunsigned uninitialized_var(in), log;\n\tstruct vhost_log *vq_log;\n\tstruct msghdr msg = {\n\t\t.msg_name = NULL,\n\t\t.msg_namelen = 0,\n\t\t.msg_control = NULL, /* FIXME: get and handle RX aux data. 
*/\n\t\t.msg_controllen = 0,\n\t\t.msg_flags = MSG_DONTWAIT,\n\t};\n\tstruct virtio_net_hdr hdr = {\n\t\t.flags = 0,\n\t\t.gso_type = VIRTIO_NET_HDR_GSO_NONE\n\t};\n\tsize_t total_len = 0;\n\tint err, mergeable;\n\ts16 headcount;\n\tsize_t vhost_hlen, sock_hlen;\n\tsize_t vhost_len, sock_len;\n\tbool busyloop_intr = false;\n\tstruct socket *sock;\n\tstruct iov_iter fixup;\n\t__virtio16 num_buffers;\n\tint recv_pkts = 0;\n\n\tmutex_lock_nested(&vq->mutex, VHOST_NET_VQ_RX);\n\tsock = vq->private_data;\n\tif (!sock)\n\t\tgoto out;\n\n\tif (!vq_meta_prefetch(vq))\n\t\tgoto out;\n\n\tvhost_disable_notify(&net->dev, vq);\n\tvhost_net_disable_vq(net, vq);\n\n\tvhost_hlen = nvq->vhost_hlen;\n\tsock_hlen = nvq->sock_hlen;\n\n\tvq_log = unlikely(vhost_has_feature(vq, VHOST_F_LOG_ALL)) ?\n\t\tvq->log : NULL;\n\tmergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF);\n\n\tdo {\n\t\tsock_len = vhost_net_rx_peek_head_len(net, sock->sk,\n\t\t\t\t\t\t &busyloop_intr);\n\t\tif (!sock_len)\n\t\t\tbreak;\n\t\tsock_len += sock_hlen;\n\t\tvhost_len = sock_len + vhost_hlen;\n\t\theadcount = get_rx_bufs(vq, vq->heads + nvq->done_idx,\n\t\t\t\t\tvhost_len, &in, vq_log, &log,\n\t\t\t\t\tlikely(mergeable) ? UIO_MAXIOV : 1);\n\t\t/* On error, stop handling until the next kick. */\n\t\tif (unlikely(headcount < 0))\n\t\t\tgoto out;\n\t\t/* OK, now we need to know about added descriptors. */\n\t\tif (!headcount) {\n\t\t\tif (unlikely(busyloop_intr)) {\n\t\t\t\tvhost_poll_queue(&vq->poll);\n\t\t\t} else if (unlikely(vhost_enable_notify(&net->dev, vq))) {\n\t\t\t\t/* They have slipped one in as we were\n\t\t\t\t * doing that: check again. */\n\t\t\t\tvhost_disable_notify(&net->dev, vq);\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\t/* Nothing new? Wait for eventfd to tell us\n\t\t\t * they refilled. 
*/\n\t\t\tgoto out;\n\t\t}\n\t\tbusyloop_intr = false;\n\t\tif (nvq->rx_ring)\n\t\t\tmsg.msg_control = vhost_net_buf_consume(&nvq->rxq);\n\t\t/* On overrun, truncate and discard */\n\t\tif (unlikely(headcount > UIO_MAXIOV)) {\n\t\t\tiov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);\n\t\t\terr = sock->ops->recvmsg(sock, &msg,\n\t\t\t\t\t\t 1, MSG_DONTWAIT | MSG_TRUNC);\n\t\t\tpr_debug(\"Discarded rx packet: len %zd\\n\", sock_len);\n\t\t\tcontinue;\n\t\t}\n\t\t/* We don't need to be notified again. */\n\t\tiov_iter_init(&msg.msg_iter, READ, vq->iov, in, vhost_len);\n\t\tfixup = msg.msg_iter;\n\t\tif (unlikely((vhost_hlen))) {\n\t\t\t/* We will supply the header ourselves\n\t\t\t * TODO: support TSO.\n\t\t\t */\n\t\t\tiov_iter_advance(&msg.msg_iter, vhost_hlen);\n\t\t}\n\t\terr = sock->ops->recvmsg(sock, &msg,\n\t\t\t\t\t sock_len, MSG_DONTWAIT | MSG_TRUNC);\n\t\t/* Userspace might have consumed the packet meanwhile:\n\t\t * it's not supposed to do this usually, but might be hard\n\t\t * to prevent. Discard data we got (if any) and keep going. */\n\t\tif (unlikely(err != sock_len)) {\n\t\t\tpr_debug(\"Discarded rx packet: \"\n\t\t\t\t \" len %d, expected %zd\\n\", err, sock_len);\n\t\t\tvhost_discard_vq_desc(vq, headcount);\n\t\t\tcontinue;\n\t\t}\n\t\t/* Supply virtio_net_hdr if VHOST_NET_F_VIRTIO_NET_HDR */\n\t\tif (unlikely(vhost_hlen)) {\n\t\t\tif (copy_to_iter(&hdr, sizeof(hdr),\n\t\t\t\t\t &fixup) != sizeof(hdr)) {\n\t\t\t\tvq_err(vq, \"Unable to write vnet_hdr \"\n\t\t\t\t \"at addr %p\\n\", vq->iov->iov_base);\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t} else {\n\t\t\t/* Header came from socket; we'll need to patch\n\t\t\t * ->num_buffers over if VIRTIO_NET_F_MRG_RXBUF\n\t\t\t */\n\t\t\tiov_iter_advance(&fixup, sizeof(hdr));\n\t\t}\n\t\t/* TODO: Should check and handle checksum. 
*/\n\n\t\tnum_buffers = cpu_to_vhost16(vq, headcount);\n\t\tif (likely(mergeable) &&\n\t\t copy_to_iter(&num_buffers, sizeof num_buffers,\n\t\t\t\t &fixup) != sizeof num_buffers) {\n\t\t\tvq_err(vq, \"Failed num_buffers write\");\n\t\t\tvhost_discard_vq_desc(vq, headcount);\n\t\t\tgoto out;\n\t\t}\n\t\tnvq->done_idx += headcount;\n\t\tif (nvq->done_idx > VHOST_NET_BATCH)\n\t\t\tvhost_net_signal_used(nvq);\n\t\tif (unlikely(vq_log))\n\t\t\tvhost_log_write(vq, vq_log, log, vhost_len,\n\t\t\t\t\tvq->iov, in);\n\t\ttotal_len += vhost_len;\n\t} while (likely(!vhost_exceeds_weight(vq, ++recv_pkts, total_len)));\n\n\tif (unlikely(busyloop_intr))\n\t\tvhost_poll_queue(&vq->poll);\n\telse if (!sock_len)\n\t\tvhost_net_enable_vq(net, vq);\nout:\n\tvhost_net_signal_used(nvq);\n\tmutex_unlock(&vq->mutex);\n}", "project": "linux", "hash": 319993524422649544760781052767977335772, "size": 145, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 441988 }, { "func": "static void ov518_reg_w32(struct sd *sd, u16 index, u32 value, int n)\n{\n\tstruct gspca_dev *gspca_dev = (struct gspca_dev *)sd;\n\tint ret;\n\n\tif (sd->gspca_dev.usb_err < 0)\n\t\treturn;\n\n\t*((__le32 *) sd->gspca_dev.usb_buf) = __cpu_to_le32(value);\n\n\t/* Avoid things going to fast for the bridge with a xhci host */\n\tudelay(150);\n\tret = usb_control_msg(sd->gspca_dev.dev,\n\t\t\tusb_sndctrlpipe(sd->gspca_dev.dev, 0),\n\t\t\t1 /* REG_IO */,\n\t\t\tUSB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,\n\t\t\t0, index,\n\t\t\tsd->gspca_dev.usb_buf, n, 500);\n\tif (ret < 0) {\n\t\tgspca_err(gspca_dev, \"reg_w32 %02x failed %d\\n\", index, ret);\n\t\tsd->gspca_dev.usb_err = ret;\n\t}\n}", "project": "linux", "hash": 247222911015661318701624011680706646664, "size": 23, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306339 }, { "project": "Chrome", "commit_id": "957973753ec4159003ff7930d946b7e89c7e09f3", "target": 0, "func": "void BlobURLRequestJob::Seek(int64 offset) {\n for (item_index_ = 0;\n item_index_ < blob_data_->items().size() &&\n offset >= item_length_list_[item_index_];\n ++item_index_) {\n offset -= item_length_list_[item_index_];\n }\n\n 
current_item_offset_ = offset;\n}\n", "cwe": "", "big_vul_idx": 106425, "idx": 95576, "hash": 122298769819699740327149078104539975848 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": "void VideoRendererBase::Seek(base::TimeDelta time, const PipelineStatusCB& cb) {\n base::AutoLock auto_lock(lock_);\n DCHECK_EQ(state_, kFlushed) << \"Must flush prior to seeking.\";\n DCHECK(!cb.is_null());\n DCHECK(seek_cb_.is_null());\n\n state_ = kSeeking;\n seek_cb_ = cb;\n seek_timestamp_ = time;\n AttemptRead_Locked();\n}\n", "cwe": "", "big_vul_idx": 113360, "idx": 177167, "hash": 117082229419646024307192183004989347930 }, { "func": " void save_org_in_field(Field *field,\n fast_field_copier data __attribute__ ((__unused__)))\n {\n if (check_null_ref())\n field->set_null();\n else\n Item_direct_ref::save_val(field);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 42168874291004978560058983134635996654, "size": 8, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509019 }, { "func": " void save_org_in_field(Field *field,\n fast_field_copier data __attribute__ ((__unused__)))\n {\n save_val(field);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 188449648329066942882764326633771569634, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509236 }, { "func": " virtual void save_org_in_field(Field *field,\n fast_field_copier data\n __attribute__ ((__unused__)))\n { (void) save_in_field(field, 1); }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 301993451284057628118206186118145351269, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509306 }, { "func": "static void cmd_handle_fatal (IMAP_DATA* idata)\n{\n idata->status = IMAP_FATAL;\n\n if ((idata->state >= IMAP_SELECTED) &&\n (idata->reopen & IMAP_REOPEN_ALLOW))\n {\n mx_fastclose_mailbox (idata->ctx);\n mutt_socket_close (idata->conn);\n mutt_error (_(\"Mailbox %s@%s closed\"),\n\tidata->conn->account.login, idata->conn->account.host);\n mutt_sleep (1);\n idata->state = IMAP_DISCONNECTED;\n }\n\n if (idata->state < IMAP_SELECTED)\n imap_close_connection (idata);\n}", "project": "mutt", "hash": 333471484654661974099982478011653851255, "size": 18, "commit_id": "9347b5c01dc52682cb6be11539d9b7ebceae4416", "message": "Handle NO response without message properly", "target": 0, "dataset": "other", "idx": 338011 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::notifyNodeFinishedProcessing(AudioNode* node)\n{\n ASSERT(isAudioThread());\n m_finishedNodes.append(node);\n}\n", "cwe": "", "big_vul_idx": 139670, "idx": 180120, "hash": 307873283131365361411363030329310065856 }, { "func": "void LanLinkProvider::onNetworkConfigurationChanged(const QNetworkConfiguration& config)\n{\n if (m_lastConfig != config && config.state() == QNetworkConfiguration::Active) {\n m_lastConfig = config;\n onNetworkChange();\n }\n}", "project": "kdeconnect-kde", "hash": 153288939668946490179008446425980662825, "size": 7, "commit_id": "542d94a70c56aa386c8d4d793481ce181b0422e8", "message": "Limit number of connected sockets from unpaired devices\n\nThanks Matthias Gerstner for reporting this.", "target": 0, "dataset": "other", "idx": 227354 }, { "func": "static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data)\n{\n\tBIGNUM *p, *q, *g, *priv_key, *pub_key;\n\tconst BIGNUM *priv_key_const, 
*pub_key_const;\n\n\tOPENSSL_PKEY_SET_BN(data, p);\n\tOPENSSL_PKEY_SET_BN(data, q);\n\tOPENSSL_PKEY_SET_BN(data, g);\n\tif (!p || !q || !g || !DSA_set0_pqg(dsa, p, q, g)) {\n\t\treturn 0;\n\t}\n\n\tOPENSSL_PKEY_SET_BN(data, pub_key);\n\tOPENSSL_PKEY_SET_BN(data, priv_key);\n\tif (pub_key) {\n\t\treturn DSA_set0_key(dsa, pub_key, priv_key);\n\t}\n\n\t/* generate key */\n\tPHP_OPENSSL_RAND_ADD_TIME();\n\tif (!DSA_generate_key(dsa)) {\n\t\tphp_openssl_store_errors();\n\t\treturn 0;\n\t}\n\n\t/* if BN_mod_exp return -1, then DSA_generate_key succeed for failed key\n\t * so we need to double check that public key is created */\n\tDSA_get0_key(dsa, &pub_key_const, &priv_key_const);\n\tif (!pub_key_const || BN_is_zero(pub_key_const)) {\n\t\treturn 0;\n\t}\n\t/* all good */\n\treturn 1;\n}", "project": "php-src", "hash": 303260219060090503825929655702808293437, "size": 34, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291475 }, { "func": "static void credit_entropy_bits(struct entropy_store *r, int nbits)\n{\n\tunsigned long flags;\n\tint entropy_count;\n\n\tif (!nbits)\n\t\treturn;\n\n\tspin_lock_irqsave(&r->lock, flags);\n\n\tDEBUG_ENT(\"added %d entropy credits to %s\\n\", nbits, r->name);\n\tentropy_count = r->entropy_count;\n\tentropy_count += nbits;\n\tif (entropy_count < 0) {\n\t\tDEBUG_ENT(\"negative entropy/overflow\\n\");\n\t\tentropy_count = 0;\n\t} else if (entropy_count > r->poolinfo->POOLBITS)\n\t\tentropy_count = r->poolinfo->POOLBITS;\n\tr->entropy_count = entropy_count;\n\n\t/* should we wake readers? 
*/\n\tif (r == &input_pool && entropy_count >= random_read_wakeup_thresh) {\n\t\twake_up_interruptible(&random_read_wait);\n\t\tkill_fasync(&fasync, SIGIO, POLL_IN);\n\t}\n\tspin_unlock_irqrestore(&r->lock, flags);\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 89481756772189556219773547429399345600, "size": 27, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. 
I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499888 }, { "func": "static int stimer_notify_direct(struct kvm_vcpu_hv_stimer *stimer)\n{\n\tstruct kvm_vcpu *vcpu = hv_stimer_to_vcpu(stimer);\n\tstruct kvm_lapic_irq irq = {\n\t\t.delivery_mode = APIC_DM_FIXED,\n\t\t.vector = stimer->config.apic_vector\n\t};\n\n\tif (lapic_in_kernel(vcpu))\n\t\treturn !kvm_apic_set_irq(vcpu, &irq, NULL);\n\treturn 0;\n}", "project": "linux", "hash": 2668026875036401733376131638242645132, "size": 12, "commit_id": "919f4ebc598701670e80e31573a58f1f2d2bf918", "message": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref\n\nReported by syzkaller:\n\n KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]\n CPU: 1 PID: 8370 Comm: syz-executor859 Not tainted 5.11.0-syzkaller #0\n RIP: 0010:synic_get arch/x86/kvm/hyperv.c:165 [inline]\n RIP: 0010:kvm_hv_set_sint_gsi arch/x86/kvm/hyperv.c:475 [inline]\n RIP: 0010:kvm_hv_irq_routing_update+0x230/0x460 arch/x86/kvm/hyperv.c:498\n Call Trace:\n kvm_set_irq_routing+0x69b/0x940 arch/x86/kvm/../../../virt/kvm/irqchip.c:223\n kvm_vm_ioctl+0x12d0/0x2800 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3959\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nHyper-V context is lazily allocated until Hyper-V specific MSRs are accessed\nor SynIC is enabled. However, the syzkaller testcase sets irq routing table\ndirectly w/o enabling SynIC. This results in null-ptr-deref when accessing\nSynIC Hyper-V context. 
This patch fixes it.\n\nsyzkaller source: https://syzkaller.appspot.com/x/repro.c?x=163342ccd00000\n\nReported-by: syzbot+6987f3b2dbd9eda95f12@syzkaller.appspotmail.com\nFixes: 8f014550dfb1 (\"KVM: x86: hyper-v: Make Hyper-V emulation enablement conditional\")\nSigned-off-by: Wanpeng Li \nMessage-Id: <1614326399-5762-1-git-send-email-wanpengli@tencent.com>\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 343474 }, { "func": " GraphConstructor(const Options& opts, Graph* g, ShapeRefiner* refiner,\n std::vector>* return_tensors,\n std::vector* return_nodes,\n std::vector* missing_unused_input_map_keys)\n : opts_(opts),\n g_(g),\n original_versions_(g->versions()),\n prefix_(opts.prefix),\n refiner_(refiner),\n return_tensors_(return_tensors),\n return_nodes_(return_nodes),\n missing_unused_input_map_keys_(missing_unused_input_map_keys) {}", "project": "tensorflow", "hash": 260807471995288940226779115058245938217, "size": 12, "commit_id": "0cc38aaa4064fd9e79101994ce9872c6d91f816b", "message": "Prevent unitialized memory access in `GraphConstructor::MakeEdge`\n\nThe `MakeEdge` implementation assumes that there exists an output at `output_index` of `src` node and an input at `input_index` of `dst` node. However, if this is not the case this results in accessing data out of bounds. Because we are accessing an array that is a private member of a class and only in read only mode, this usually results only in unitialized memory access. 
However, it is reasonable to think that malicious users could manipulate these indexes to actually read data outside the class, thus resulting in information leakage and further exploits.\n\nPiperOrigin-RevId: 346343288\nChange-Id: I2127da27c2023d27f26efd39afa6c853385cab6f", "target": 0, "dataset": "other", "idx": 268315 }, { "func": "void tcp_parse_options(const struct sk_buff *skb, struct tcp_options_received *opt_rx,\n\t\t const u8 **hvpp, int estab)\n{\n\tconst unsigned char *ptr;\n\tconst struct tcphdr *th = tcp_hdr(skb);\n\tint length = (th->doff * 4) - sizeof(struct tcphdr);\n\n\tptr = (const unsigned char *)(th + 1);\n\topt_rx->saw_tstamp = 0;\n\n\twhile (length > 0) {\n\t\tint opcode = *ptr++;\n\t\tint opsize;\n\n\t\tswitch (opcode) {\n\t\tcase TCPOPT_EOL:\n\t\t\treturn;\n\t\tcase TCPOPT_NOP:\t/* Ref: RFC 793 section 3.1 */\n\t\t\tlength--;\n\t\t\tcontinue;\n\t\tdefault:\n\t\t\topsize = *ptr++;\n\t\t\tif (opsize < 2) /* \"silly options\" */\n\t\t\t\treturn;\n\t\t\tif (opsize > length)\n\t\t\t\treturn;\t/* don't parse partial options */\n\t\t\tswitch (opcode) {\n\t\t\tcase TCPOPT_MSS:\n\t\t\t\tif (opsize == TCPOLEN_MSS && th->syn && !estab) {\n\t\t\t\t\tu16 in_mss = get_unaligned_be16(ptr);\n\t\t\t\t\tif (in_mss) {\n\t\t\t\t\t\tif (opt_rx->user_mss &&\n\t\t\t\t\t\t opt_rx->user_mss < in_mss)\n\t\t\t\t\t\t\tin_mss = opt_rx->user_mss;\n\t\t\t\t\t\topt_rx->mss_clamp = in_mss;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase TCPOPT_WINDOW:\n\t\t\t\tif (opsize == TCPOLEN_WINDOW && th->syn &&\n\t\t\t\t !estab && sysctl_tcp_window_scaling) {\n\t\t\t\t\t__u8 snd_wscale = *(__u8 *)ptr;\n\t\t\t\t\topt_rx->wscale_ok = 1;\n\t\t\t\t\tif (snd_wscale > 14) {\n\t\t\t\t\t\tif (net_ratelimit())\n\t\t\t\t\t\t\tprintk(KERN_INFO \"tcp_parse_options: Illegal window \"\n\t\t\t\t\t\t\t \"scaling value %d >14 received.\\n\",\n\t\t\t\t\t\t\t snd_wscale);\n\t\t\t\t\t\tsnd_wscale = 14;\n\t\t\t\t\t}\n\t\t\t\t\topt_rx->snd_wscale = snd_wscale;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase 
TCPOPT_TIMESTAMP:\n\t\t\t\tif ((opsize == TCPOLEN_TIMESTAMP) &&\n\t\t\t\t ((estab && opt_rx->tstamp_ok) ||\n\t\t\t\t (!estab && sysctl_tcp_timestamps))) {\n\t\t\t\t\topt_rx->saw_tstamp = 1;\n\t\t\t\t\topt_rx->rcv_tsval = get_unaligned_be32(ptr);\n\t\t\t\t\topt_rx->rcv_tsecr = get_unaligned_be32(ptr + 4);\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase TCPOPT_SACK_PERM:\n\t\t\t\tif (opsize == TCPOLEN_SACK_PERM && th->syn &&\n\t\t\t\t !estab && sysctl_tcp_sack) {\n\t\t\t\t\topt_rx->sack_ok = 1;\n\t\t\t\t\ttcp_sack_reset(opt_rx);\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase TCPOPT_SACK:\n\t\t\t\tif ((opsize >= (TCPOLEN_SACK_BASE + TCPOLEN_SACK_PERBLOCK)) &&\n\t\t\t\t !((opsize - TCPOLEN_SACK_BASE) % TCPOLEN_SACK_PERBLOCK) &&\n\t\t\t\t opt_rx->sack_ok) {\n\t\t\t\t\tTCP_SKB_CB(skb)->sacked = (ptr - 2) - (unsigned char *)th;\n\t\t\t\t}\n\t\t\t\tbreak;\n#ifdef CONFIG_TCP_MD5SIG\n\t\t\tcase TCPOPT_MD5SIG:\n\t\t\t\t/*\n\t\t\t\t * The MD5 Hash has already been\n\t\t\t\t * checked (see tcp_v{4,6}_do_rcv()).\n\t\t\t\t */\n\t\t\t\tbreak;\n#endif\n\t\t\tcase TCPOPT_COOKIE:\n\t\t\t\t/* This option is variable length.\n\t\t\t\t */\n\t\t\t\tswitch (opsize) {\n\t\t\t\tcase TCPOLEN_COOKIE_BASE:\n\t\t\t\t\t/* not yet implemented */\n\t\t\t\t\tbreak;\n\t\t\t\tcase TCPOLEN_COOKIE_PAIR:\n\t\t\t\t\t/* not yet implemented */\n\t\t\t\t\tbreak;\n\t\t\t\tcase TCPOLEN_COOKIE_MIN+0:\n\t\t\t\tcase TCPOLEN_COOKIE_MIN+2:\n\t\t\t\tcase TCPOLEN_COOKIE_MIN+4:\n\t\t\t\tcase TCPOLEN_COOKIE_MIN+6:\n\t\t\t\tcase TCPOLEN_COOKIE_MAX:\n\t\t\t\t\t/* 16-bit multiple */\n\t\t\t\t\topt_rx->cookie_plus = opsize;\n\t\t\t\t\t*hvpp = ptr;\n\t\t\t\t\tbreak;\n\t\t\t\tdefault:\n\t\t\t\t\t/* ignore option */\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tptr += opsize-2;\n\t\t\tlength -= opsize;\n\t\t}\n\t}\n}", "project": "net-next", "hash": 46158969398205260058366342253567570334, "size": 116, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko 
reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409861 }, { "func": "static unsigned int irda_poll(struct file * file, struct socket *sock,\n\t\t\t poll_table *wait)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct irda_sock *self = irda_sk(sk);\n\tunsigned int mask;\n\n\tIRDA_DEBUG(4, \"%s()\\n\", __func__);\n\n\tpoll_wait(file, sk->sk_sleep, wait);\n\tmask = 0;\n\n\t/* Exceptional events? */\n\tif (sk->sk_err)\n\t\tmask |= POLLERR;\n\tif (sk->sk_shutdown & RCV_SHUTDOWN) {\n\t\tIRDA_DEBUG(0, \"%s(), POLLHUP\\n\", __func__);\n\t\tmask |= POLLHUP;\n\t}\n\n\t/* Readable? */\n\tif (!skb_queue_empty(&sk->sk_receive_queue)) {\n\t\tIRDA_DEBUG(4, \"Socket is readable\\n\");\n\t\tmask |= POLLIN | POLLRDNORM;\n\t}\n\n\t/* Connection-based need to check for termination and startup */\n\tswitch (sk->sk_type) {\n\tcase SOCK_STREAM:\n\t\tif (sk->sk_state == TCP_CLOSE) {\n\t\t\tIRDA_DEBUG(0, \"%s(), POLLHUP\\n\", __func__);\n\t\t\tmask |= POLLHUP;\n\t\t}\n\n\t\tif (sk->sk_state == TCP_ESTABLISHED) {\n\t\t\tif ((self->tx_flow == FLOW_START) &&\n\t\t\t sock_writeable(sk))\n\t\t\t{\n\t\t\t\tmask |= POLLOUT | POLLWRNORM | POLLWRBAND;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\tcase SOCK_SEQPACKET:\n\t\tif ((self->tx_flow == FLOW_START) &&\n\t\t sock_writeable(sk))\n\t\t{\n\t\t\tmask |= POLLOUT | POLLWRNORM | POLLWRBAND;\n\t\t}\n\t\tbreak;\n\tcase SOCK_DGRAM:\n\t\tif (sock_writeable(sk))\n\t\t\tmask |= POLLOUT | POLLWRNORM | POLLWRBAND;\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\treturn mask;\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c", "hash": 259380128299509018556345339431407482066, "size": 58, "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to 
user.\n\nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "dataset": "other", "idx": 490842 }, { "func": "static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,\n\t\t\t\t\tstruct sk_buff *skb)\n{\n\tstruct hci_rp_le_read_max_data_len *rp = (void *) skb->data;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, rp->status);\n\n\tif (rp->status)\n\t\treturn;\n\n\thdev->le_max_tx_len = le16_to_cpu(rp->tx_len);\n\thdev->le_max_tx_time = le16_to_cpu(rp->tx_time);\n\thdev->le_max_rx_len = le16_to_cpu(rp->rx_len);\n\thdev->le_max_rx_time = le16_to_cpu(rp->rx_time);\n}", "project": "linux", "hash": 61370637087242960112940659585810554960, "size": 15, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431883 }, { "func": "static apr_byte_t oidc_is_discovery_response(request_rec *r, oidc_cfg *cfg) {\n\t/*\n\t * prereq: this is a call to the configured redirect_uri, now see if:\n\t * the OIDC_DISC_OP_PARAM is present\n\t */\n\treturn oidc_util_request_has_parameter(r, OIDC_DISC_OP_PARAM)\n\t\t\t|| oidc_util_request_has_parameter(r, OIDC_DISC_USER_PARAM);\n}", "project": "mod_auth_openidc", "hash": 124034883829638695328422836218418615748, "size": 8, "commit_id": "00c315cb0c8ab77c67be4a2ac08a71a83ac58751", "message": "avoid XSS vulnerability when using OIDCPreservePost On\n\nand supplying URLs that contain single quotes; thanks @oss-aimoto\n\nSigned-off-by: 
Hans Zandbelt ", "target": 0, "dataset": "other", "idx": 381927 }, { "project": "Chrome", "commit_id": "1da0daecc540238cb473f0d6322da51d3a544244", "target": 0, "func": " void Read(VideoDecoder::DecoderStatus* status,\n scoped_refptr* video_frame) {\n EXPECT_CALL(*this, FrameReady(_, _))\n .WillOnce(DoAll(SaveArg<0>(status), SaveArg<1>(video_frame)));\n\n decoder_->Read(read_cb_);\n\n message_loop_.RunAllPending();\n }\n", "cwe": "", "big_vul_idx": 113343, "idx": 101635, "hash": 71688311983708679707330215455045395516 }, { "func": "TEST_P(RemoteJwksIntegrationTest, WithGoodToken) {\n initializeFilter(/*add_cluster=*/true);\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n auto response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n {\"Authorization\", \"Bearer \" + std::string(GoodToken)},\n });\n\n waitForJwksResponse(\"200\", PublicKey);\n\n waitForNextUpstreamRequest();\n\n const auto payload_entry =\n upstream_request_->headers().get(Http::LowerCaseString(\"sec-istio-auth-userinfo\"));\n EXPECT_FALSE(payload_entry.empty());\n EXPECT_EQ(payload_entry[0]->value().getStringView(), ExpectedPayloadValue);\n // Verify the token is removed.\n EXPECT_TRUE(upstream_request_->headers().get(Http::CustomHeaders::get().Authorization).empty());\n\n upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{\":status\", \"200\"}}, true);\n\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"200\", response->headers().getStatusValue());\n\n cleanup();\n}", "project": "envoy", "hash": 227892865794258224846199140480531424183, "size": 32, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": 
"other", "idx": 246594 }, { "func": " void initializeFilter(bool add_cluster) {\n config_helper_.prependFilter(getFilterConfig(false));\n\n if (add_cluster) {\n config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) {\n auto* jwks_cluster = bootstrap.mutable_static_resources()->add_clusters();\n jwks_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]);\n jwks_cluster->set_name(\"pubkey_cluster\");\n });\n } else {\n config_helper_.skipPortUsageValidation();\n }\n\n initialize();\n }", "project": "envoy", "hash": 184553952914599583524372230805190045156, "size": 15, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246611 }, { "func": "TEST_P(RemoteJwksIntegrationTest, FetchFailedMissingCluster) {\n initializeFilter(/*add_cluster=*/false);\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n auto response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n {\"Authorization\", \"Bearer \" + std::string(GoodToken)},\n });\n\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"401\", response->headers().getStatusValue());\n EXPECT_EQ(\n \"Bearer realm=\\\"http://host/\\\", error=\\\"invalid_token\\\"\",\n response->headers().get(Http::Headers::get().WWWAuthenticate)[0]->value().getStringView());\n cleanup();\n}", "project": "envoy", "hash": 221143445916310021272562660583206685300, "size": 21, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": 
"other", "idx": 246620 }, { "func": "TEST_P(RemoteJwksIntegrationTest, FetchFailedJwks) {\n initializeFilter(/*add_cluster=*/true);\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n auto response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n {\"Authorization\", \"Bearer \" + std::string(GoodToken)},\n });\n\n // Fails the jwks fetching.\n waitForJwksResponse(\"500\", \"\");\n\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"401\", response->headers().getStatusValue());\n EXPECT_EQ(\n \"Bearer realm=\\\"http://host/\\\", error=\\\"invalid_token\\\"\",\n response->headers().get(Http::Headers::get().WWWAuthenticate)[0]->value().getStringView());\n\n cleanup();\n}", "project": "envoy", "hash": 195197542695494114004198616825385632408, "size": 25, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246634 }, { "func": "int setup_order(THD *thd, Ref_ptr_array ref_pointer_array, TABLE_LIST *tables,\n List &fields, List &all_fields, ORDER *order,\n bool from_window_spec)\n{ \n SELECT_LEX *select = thd->lex->current_select;\n enum_parsing_place context_analysis_place=\n thd->lex->current_select->context_analysis_place;\n thd->where=\"order clause\";\n const bool for_union= select->master_unit()->is_unit_op() &&\n select == select->master_unit()->fake_select_lex;\n for (uint number = 1; order; order=order->next, number++)\n {\n if (find_order_in_list(thd, ref_pointer_array, tables, order, fields,\n all_fields, false, true, from_window_spec))\n return 1;\n if ((*order->item)->with_window_func &&\n context_analysis_place != IN_ORDER_BY)\n {\n 
my_error(ER_WINDOW_FUNCTION_IN_WINDOW_SPEC, MYF(0));\n return 1;\n }\n\n /*\n UNION queries cannot be used with an aggregate function in\n an ORDER BY clause\n */\n\n if (for_union && (*order->item)->with_sum_func)\n {\n my_error(ER_AGGREGATE_ORDER_FOR_UNION, MYF(0), number);\n return 1;\n }\n\n if (from_window_spec && (*order->item)->with_sum_func &&\n (*order->item)->type() != Item::SUM_FUNC_ITEM)\n (*order->item)->split_sum_func(thd, ref_pointer_array,\n all_fields, SPLIT_SUM_SELECT);\n }\n return 0;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 147026409754639985757340399444111654659, "size": 40, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508527 }, { "func": "void untrusted_cache_free(void *buffer) {\n asylo::UntrustedCacheMalloc *instance =\n asylo::UntrustedCacheMalloc::Instance();\n instance->Free(buffer);\n}", "project": "asylo", "hash": 106421208551991779176289086583099845186, "size": 5, "commit_id": "a47ef55db2337d29de19c50cd29b0deb2871d31c", "message": "Fix vulnerability in UntrustedCacheMalloc\n\nThe pointer array is stored in untrusted memory, so we cannot trust the\nvalue even after validation. We should validate the pointer is pointing\nto untrusted memory after it's stored inside the enclave.\n\nPiperOrigin-RevId: 358474391\nChange-Id: I63cf6c251bdaf1b491dbf06cc0dcf77f7b141756", "target": 0, "dataset": "other", "idx": 264756 }, { "func": "static unsigned long read_pmc(int idx)\n{\n\tunsigned long val;\n\n\tswitch (idx) {\n\tcase 1:\n\t\tval = mfspr(SPRN_PMC1);\n\t\tbreak;\n\tcase 2:\n\t\tval = mfspr(SPRN_PMC2);\n\t\tbreak;\n\tcase 3:\n\t\tval = mfspr(SPRN_PMC3);\n\t\tbreak;\n\tcase 4:\n\t\tval = mfspr(SPRN_PMC4);\n\t\tbreak;\n\tcase 5:\n\t\tval = mfspr(SPRN_PMC5);\n\t\tbreak;\n\tcase 6:\n\t\tval = mfspr(SPRN_PMC6);\n\t\tbreak;\n#ifdef CONFIG_PPC64\n\tcase 7:\n\t\tval = mfspr(SPRN_PMC7);\n\t\tbreak;\n\tcase 8:\n\t\tval = mfspr(SPRN_PMC8);\n\t\tbreak;\n#endif /* CONFIG_PPC64 */\n\tdefault:\n\t\tprintk(KERN_ERR \"oops trying to read PMC%d\\n\", idx);\n\t\tval = 0;\n\t}\n\treturn val;\n}", "project": "linux", "hash": 14845473302513523474270180903183629261, "size": 37, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer 
dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374721 }, { "func": "static int uuid_strategy(ctl_table *table,\n\t\t\t void __user *oldval, size_t __user *oldlenp,\n\t\t\t void __user *newval, size_t newlen)\n{\n\tunsigned char tmp_uuid[16], *uuid;\n\tunsigned int len;\n\n\tif (!oldval || !oldlenp)\n\t\treturn 1;\n\n\tuuid = table->data;\n\tif (!uuid) {\n\t\tuuid = tmp_uuid;\n\t\tuuid[8] = 0;\n\t}\n\tif (uuid[8] == 0)\n\t\tgenerate_random_uuid(uuid);\n\n\tif (get_user(len, oldlenp))\n\t\treturn -EFAULT;\n\tif (len) {\n\t\tif (len > 16)\n\t\t\tlen = 16;\n\t\tif (copy_to_user(oldval, uuid, len) ||\n\t\t put_user(len, oldlenp))\n\t\t\treturn 
-EFAULT;\n\t}\n\treturn 1;\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 41698427011128991042418953691756325764, "size": 29, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. 
I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499882 }, { "func": "void x25_kill_by_neigh(struct x25_neigh *nb)\n{\n\tstruct sock *s;\n\n\twrite_lock_bh(&x25_list_lock);\n\n\tsk_for_each(s, &x25_list) {\n\t\tif (x25_sk(s)->neighbour == nb) {\n\t\t\twrite_unlock_bh(&x25_list_lock);\n\t\t\tlock_sock(s);\n\t\t\tx25_disconnect(s, ENETUNREACH, 0, 0);\n\t\t\trelease_sock(s);\n\t\t\twrite_lock_bh(&x25_list_lock);\n\t\t}\n\t}\n\twrite_unlock_bh(&x25_list_lock);\n\n\t/* Remove any related forwards */\n\tx25_clear_forward_by_dev(nb->dev);\n}", "project": "net", "hash": 165301710065862689388528827056862408124, "size": 20, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 449176 }, { "func": "static int unlazy_child(struct nameidata *nd, struct dentry *dentry, unsigned seq)\n{\n\tBUG_ON(!(nd->flags & LOOKUP_RCU));\n\n\tnd->flags &= ~LOOKUP_RCU;\n\tif (unlikely(!legitimize_links(nd)))\n\t\tgoto out2;\n\tif (unlikely(!legitimize_mnt(nd->path.mnt, nd->m_seq)))\n\t\tgoto out2;\n\tif (unlikely(!lockref_get_not_dead(&nd->path.dentry->d_lockref)))\n\t\tgoto out1;\n\n\t/*\n\t * We need to move both the parent and the dentry from the RCU domain\n\t * to be properly refcounted. And the sequence number in the dentry\n\t * validates *both* dentry counters, since we checked the sequence\n\t * number of the parent after we got the child sequence number. So we\n\t * know the parent must still be valid if the child sequence number is\n\t */\n\tif (unlikely(!lockref_get_not_dead(&dentry->d_lockref)))\n\t\tgoto out;\n\tif (unlikely(read_seqcount_retry(&dentry->d_seq, seq)))\n\t\tgoto out_dput;\n\t/*\n\t * Sequence counts matched. 
Now make sure that the root is\n\t * still valid and get it if required.\n\t */\n\tif (unlikely(!legitimize_root(nd)))\n\t\tgoto out_dput;\n\trcu_read_unlock();\n\treturn 0;\n\nout2:\n\tnd->path.mnt = NULL;\nout1:\n\tnd->path.dentry = NULL;\nout:\n\trcu_read_unlock();\n\treturn -ECHILD;\nout_dput:\n\trcu_read_unlock();\n\tdput(dentry);\n\treturn -ECHILD;\n}", "project": "linux", "hash": 78823683479632610893838797491359443324, "size": 44, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295317 }, { "func": "inline bool Virtual_column_info::is_equal(const Virtual_column_info* vcol) const\n{\n return field_type == vcol->get_real_type()\n && stored_in_db == vcol->is_stored()\n && expr->eq(vcol->expr, true);\n}", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 19454135720359000561503092573717256461, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. 
This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509120 }, { "project": "Chrome", "commit_id": "de5aa214ea77b3d2c4ff8a0c58f446896c107ce0", "target": 0, "func": "TranslateInfoBarDelegate* TranslateManager::GetTranslateInfoBarDelegate(\n TabContents* tab) {\n for (int i = 0; i < tab->infobar_delegate_count(); ++i) {\n TranslateInfoBarDelegate* delegate =\n tab->GetInfoBarDelegateAt(i)->AsTranslateInfoBarDelegate();\n if (delegate)\n return delegate;\n }\n return NULL;\n}\n", "cwe": "", "big_vul_idx": 107999, "idx": 96965, "hash": 320167623959162681601579944879934982241 }, { "func": "void trace_init_global_iter(struct trace_iterator *iter)\n{\n\titer->tr = &global_trace;\n\titer->trace = iter->tr->current_trace;\n\titer->cpu_file = RING_BUFFER_ALL_CPUS;\n\titer->trace_buffer = &global_trace.trace_buffer;\n\n\tif (iter->trace && iter->trace->open)\n\t\titer->trace->open(iter);\n\n\t/* Annotate start of buffers if we had overruns */\n\tif (ring_buffer_overruns(iter->trace_buffer->buffer))\n\t\titer->iter_flags |= TRACE_FILE_ANNOTATE;\n\n\t/* Output in nanoseconds only if we are using a clock in nanoseconds. */\n\tif (trace_clocks[iter->tr->clock_id].in_ns)\n\t\titer->iter_flags |= TRACE_FILE_TIME_IN_NS;\n}", "project": "linux", "hash": 113425923860997863045162904062396448172, "size": 18, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445673 }, { "func": "static __poll_t ep_scan_ready_list(struct eventpoll *ep,\n\t\t\t __poll_t (*sproc)(struct eventpoll *,\n\t\t\t\t\t struct list_head *, void *),\n\t\t\t void *priv, int depth, bool ep_locked)\n{\n\t__poll_t res;\n\tstruct epitem *epi, *nepi;\n\tLIST_HEAD(txlist);\n\n\tlockdep_assert_irqs_enabled();\n\n\t/*\n\t * We need to lock this because we could be hit by\n\t * eventpoll_release_file() and epoll_ctl().\n\t */\n\n\tif (!ep_locked)\n\t\tmutex_lock_nested(&ep->mtx, depth);\n\n\t/*\n\t * Steal the ready list, and re-init the original one to the\n\t * empty list. Also, set ep->ovflist to NULL so that events\n\t * happening while looping w/out locks, are not lost. 
We cannot\n\t * have the poll callback to queue directly on ep->rdllist,\n\t * because we want the \"sproc\" callback to be able to do it\n\t * in a lockless way.\n\t */\n\twrite_lock_irq(&ep->lock);\n\tlist_splice_init(&ep->rdllist, &txlist);\n\tWRITE_ONCE(ep->ovflist, NULL);\n\twrite_unlock_irq(&ep->lock);\n\n\t/*\n\t * Now call the callback function.\n\t */\n\tres = (*sproc)(ep, &txlist, priv);\n\n\twrite_lock_irq(&ep->lock);\n\t/*\n\t * During the time we spent inside the \"sproc\" callback, some\n\t * other events might have been queued by the poll callback.\n\t * We re-insert them inside the main ready-list here.\n\t */\n\tfor (nepi = READ_ONCE(ep->ovflist); (epi = nepi) != NULL;\n\t nepi = epi->next, epi->next = EP_UNACTIVE_PTR) {\n\t\t/*\n\t\t * We need to check if the item is already in the list.\n\t\t * During the \"sproc\" callback execution time, items are\n\t\t * queued into ->ovflist but the \"txlist\" might already\n\t\t * contain them, and the list_splice() below takes care of them.\n\t\t */\n\t\tif (!ep_is_linked(epi)) {\n\t\t\t/*\n\t\t\t * ->ovflist is LIFO, so we have to reverse it in order\n\t\t\t * to keep in FIFO.\n\t\t\t */\n\t\t\tlist_add(&epi->rdllink, &ep->rdllist);\n\t\t\tep_pm_stay_awake(epi);\n\t\t}\n\t}\n\t/*\n\t * We need to set back ep->ovflist to EP_UNACTIVE_PTR, so that after\n\t * releasing the lock, events will be queued in the normal way inside\n\t * ep->rdllist.\n\t */\n\tWRITE_ONCE(ep->ovflist, EP_UNACTIVE_PTR);\n\n\t/*\n\t * Quickly re-inject items left on \"txlist\".\n\t */\n\tlist_splice(&txlist, &ep->rdllist);\n\t__pm_relax(ep->ws);\n\twrite_unlock_irq(&ep->lock);\n\n\tif (!ep_locked)\n\t\tmutex_unlock(&ep->mtx);\n\n\treturn res;\n}", "project": "linux", "hash": 159618899779559111320445567119442206976, "size": 79, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336233 }, { "func": 
"static void hci_cc_write_voice_setting(struct hci_dev *hdev,\n\t\t\t\t struct sk_buff *skb)\n{\n\t__u8 status = *((__u8 *) skb->data);\n\t__u16 setting;\n\tvoid *sent;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (status)\n\t\treturn;\n\n\tsent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);\n\tif (!sent)\n\t\treturn;\n\n\tsetting = get_unaligned_le16(sent);\n\n\tif (hdev->voice_setting == setting)\n\t\treturn;\n\n\thdev->voice_setting = setting;\n\n\tBT_DBG(\"%s voice setting 0x%4.4x\", hdev->name, setting);\n\n\tif (hdev->notify)\n\t\thdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);\n}", "project": "linux", "hash": 89675846511590445582272308302468349233, "size": 28, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431963 }, { "func": "void CServer::InitRegister(CNetServer *pNetServer, IEngineMasterServer *pMasterServer, CConfig *pConfig, IConsole *pConsole)\n{\n\tm_Register.Init(pNetServer, pMasterServer, pConfig, pConsole);\n}", "project": "teeworlds", "hash": 264508525041065761790882452798445346046, "size": 4, "commit_id": "c68402fa7e279d42886d5951d1ea8ac2facc1ea5", "message": "changed a check", "target": 0, "dataset": "other", "idx": 382011 }, { "func": "static ssize_t hung_up_tty_write(struct file *file, const char __user *buf,\n\t\t\t\t size_t count, loff_t *ppos)\n{\n\treturn -EIO;\n}", "project": "linux", "hash": 112775655432225560210677397085413565960, "size": 5, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325972 }, { "func": "int gdImageColorResolveAlpha (gdImagePtr im, int r, int g, int b, int a)\n{\n int c;\n int ct = -1;\n int op = -1;\n long rd, gd, bd, ad, dist;\n long mindist = 4 * 255 * 255;\t/* init to max poss dist */\n if (im->trueColor)\n {\n return gdTrueColorAlpha (r, g, b, a);\n }\n\n for (c = 0; c < im->colorsTotal; c++)\n {\n if (im->open[c])\n\t{\n\t op = c;\t\t/* Save open slot */\n\t continue;\t\t/* Color not in use */\n\t}\n if (c == im->transparent)\n {\n /* don't ever resolve to the color that has\n * been designated as the transparent color */\n continue;\n\t}\n rd = (long) (im->red[c] - r);\n gd = (long) (im->green[c] - g);\n bd = (long) (im->blue[c] - b);\n ad = (long) (im->alpha[c] - a);\n dist = rd * rd + gd * gd + bd * bd + ad * ad;\n if (dist < mindist)\n\t{\n\t if (dist == 0)\n\t {\n\t return c;\t\t/* Return exact match color */\n\t }\n\t mindist = dist;\n\t ct = c;\n\t}\n }\n /* no exact match. 
We now know closest, but first try to allocate exact */\n if (op == -1)\n {\n op = im->colorsTotal;\n if (op == gdMaxColors)\n\t{\t\t\t/* No room for more colors */\n\t return ct;\t\t/* Return closest available color */\n\t}\n im->colorsTotal++;\n }\n im->red[op] = r;\n im->green[op] = g;\n im->blue[op] = b;\n im->alpha[op] = a;\n im->open[op] = 0;\n return op;\t\t\t/* Return newly allocated color */\n}", "project": "php-src", "hash": 24901243544222785542663919890196678946, "size": 57, "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6", "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow", "target": 0, "dataset": "other", "idx": 295153 }, { "func": "static inline void cr(struct vc_data *vc)\n{\n\tvc->vc_pos -= vc->vc_x << 1;\n\tvc->vc_need_wrap = vc->vc_x = 0;\n\tnotify_write(vc, '\\r');\n}", "project": "linux", "hash": 143469496800503261642580411882055657581, "size": 6, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437090 }, { "func": "static void __proc_set_tty(struct tty_struct *tty)\n{\n\tunsigned long flags;\n\n\tspin_lock_irqsave(&tty->ctrl_lock, flags);\n\t/*\n\t * The session and fg pgrp references will be non-NULL if\n\t * tiocsctty() is stealing the controlling tty\n\t */\n\tput_pid(tty->session);\n\tput_pid(tty->pgrp);\n\ttty->pgrp = get_pid(task_pgrp(current));\n\ttty->session = get_pid(task_session(current));\n\tspin_unlock_irqrestore(&tty->ctrl_lock, flags);\n\tif (current->signal->tty) {\n\t\ttty_debug(tty, \"current tty %s not NULL!!\\n\",\n\t\t\t current->signal->tty->name);\n\t\ttty_kref_put(current->signal->tty);\n\t}\n\tput_pid(current->signal->tty_old_pgrp);\n\tcurrent->signal->tty = tty_kref_get(tty);\n\tcurrent->signal->tty_old_pgrp = NULL;\n}", "project": "linux", "hash": 66892134415744905622655431861278563611, "size": 23, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325961 }, { "func": "static int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)\n{\n\tr->dmp1 = dmp1;\n\tr->dmq1 = dmq1;\n\tr->iqmp = iqmp;\n\n\treturn 1;\n}", "project": "php-src", "hash": 24821275635292223950099054314748054282, "size": 8, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291404 }, { "func": "\tput_device(parent);\n}\n\nstatic int iscsi_is_conn_dev(const struct device *dev)", "project": "linux", "hash": 145594505669541975455976398435323305753, "size": 4, "commit_id": "f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5", "message": "scsi: iscsi: Verify lengths on passthrough PDUs\n\nOpen-iSCSI sends passthrough PDUs over netlink, but the kernel should be\nverifying that the provided PDU header and data lengths fall within the\nnetlink message to prevent accessing beyond that in memory.\n\nCc: stable@vger.kernel.org\nReported-by: Adam Nichols \nReviewed-by: Lee Duncan \nReviewed-by: Mike Christie \nSigned-off-by: Chris Leech \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 379965 }, { "func": "get_lineno (var)\n SHELL_VAR *var;\n{\n char *p;\n int ln;\n\n ln = executing_line_number ();\n p = itos (ln);\n FREE (value_cell (var));\n var_setvalue (var, p);\n return (var);\n}", "project": "bash", "hash": 103072498867621490696686417680646130483, "size": 12, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379342 }, { "func": "get_histcmd (var)\n SHELL_VAR *var;\n{\n char *p;\n\n p = itos (history_number ());\n FREE (value_cell (var));\n var_setvalue (var, p);\n return (var);\n}", "project": "bash", "hash": 221807705317968746883854568689698588780, "size": 10, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379386 }, { "func": "get_random (var)\n SHELL_VAR *var;\n{\n int rv;\n char *p;\n\n rv = get_random_number ();\n last_random_value = rv;\n p = itos (rv);\n\n FREE (value_cell (var));\n\n VSETATTR (var, att_integer);\n var_setvalue (var, p);\n return (var);\n}", "project": "bash", "hash": 93248856158970944787264022414068088466, "size": 16, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379417 }, { "func": "get_seconds (var)\n SHELL_VAR *var;\n{\n time_t time_since_start;\n char *p;\n\n time_since_start = NOW - shell_start_time;\n p = itos(seconds_value_assigned + time_since_start);\n\n FREE (value_cell (var));\n\n VSETATTR (var, att_integer);\n var_setvalue (var, p);\n return (var);\n}", "project": "bash", "hash": 64863143343818463397214422583308165822, "size": 15, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379427 }, { "func": "get_subshell (var)\n SHELL_VAR *var;\n{\n char *p;\n\n p = itos (subshell_level);\n FREE 
(value_cell (var));\n var_setvalue (var, p);\n return (var);\n}", "project": "bash", "hash": 125568374591365747196418595423316748841, "size": 10, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379453 }, { "func": "dispose_fd_bitmap (fdbp)\n struct fd_bitmap *fdbp;\n{\n FREE (fdbp->bitmap);\n free (fdbp);\n}", "project": "bash", "hash": 314027448966057666004809238216167640136, "size": 6, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379556 }, { "func": "get_bashpid (var)\n SHELL_VAR *var;\n{\n int pid;\n char *p;\n\n pid = getpid ();\n p = itos (pid);\n\n FREE (value_cell (var));\n VSETATTR (var, att_integer|att_readonly);\n var_setvalue (var, p);\n return (var);\n}", "project": "bash", "hash": 282291080316433169176093560974519745501, "size": 14, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379610 }, { "func": "\nstatic bool io_cancel_defer_files(struct io_ring_ctx *ctx,\n\t\t\t\t struct task_struct *task,\n\t\t\t\t struct files_struct *files)\n{\n\tstruct io_defer_entry *de;\n\tLIST_HEAD(list);\n\n\tspin_lock_irq(&ctx->completion_lock);\n\tlist_for_each_entry_reverse(de, &ctx->defer_list, list) {\n\t\tif (io_match_task(de->req, task, files)) {\n\t\t\tlist_cut_position(&list, &ctx->defer_list, &de->list);\n\t\t\tbreak;\n\t\t}\n\t}\n\tspin_unlock_irq(&ctx->completion_lock);\n\tif (list_empty(&list))\n\t\treturn false;\n\n\twhile (!list_empty(&list)) {\n\t\tde = list_first_entry(&list, struct io_defer_entry, list);\n\t\tlist_del_init(&de->list);\n\t\tio_req_complete_failed(de->req, -ECANCELED);\n\t\tkfree(de);\n\t}\n\treturn true;", "project": "linux", "hash": 18551413633519403352626949463411175289, "size": 26, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: 
truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338723 }, { "func": "static int consume(struct archive_read* a, int64_t how_many) {\n\tint ret;\n\n\tret = how_many == __archive_read_consume(a, how_many)\n\t\t? ARCHIVE_OK\n\t\t: ARCHIVE_FATAL;\n\n\treturn ret;\n}", "project": "libarchive", "hash": 193776390077581288526938501534384845075, "size": 9, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244703 }, { "func": "static void encode_setattr(struct xdr_stream *xdr, const struct nfs_setattrargs *arg, const struct nfs_server *server, struct compound_hdr *hdr)\n{\n\tencode_op_hdr(xdr, OP_SETATTR, decode_setattr_maxsz, hdr);\n\tencode_nfs4_stateid(xdr, &arg->stateid);\n\tencode_attrs(xdr, arg->iap, arg->label, NULL, server,\n\t\t\tserver->attr_bitmask);\n}", "project": "linux", "hash": 40419100858488745723454216064531638509, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431603 }, { "func": "static void ff_layout_write_call_done(struct rpc_task *task, void *data)\n{\n\tstruct nfs_pgio_header *hdr = data;\n\n\tif (test_bit(NFS_IOHDR_REDO, &hdr->flags) &&\n\t task->tk_status == 0) {\n\t\tnfs4_sequence_done(task, &hdr->res.seq_res);\n\t\treturn;\n\t}\n\n\t/* Note this may cause RPC to be resent */\n\thdr->mds_ops->rpc_call_done(task, hdr);\n}", "project": "linux", "hash": 48948870596986245477204380019544764412, "size": 13, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam 
zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234418 }, { "func": "void Free(TfLiteContext* context, void* buffer) {\n delete reinterpret_cast(buffer);\n}", "project": "tensorflow", "hash": 305592996914762184843169232844901199529, "size": 3, "commit_id": "6c0b2b70eeee588591680f5b7d5d38175fd7cdf6", "message": "[lite] add validation check for sparse fully connected\n\nPiperOrigin-RevId: 417629354\nChange-Id: If96171c4bd4f5fdb01d6368d6deab19d1c9beca7", "target": 0, "dataset": "other", "idx": 220490 }, { "func": "void UntrustedCacheMalloc::Free(void *buffer) {\n if (is_destroyed_ || GetSwitchedHeapNext()) {\n primitives::TrustedPrimitives::UntrustedLocalFree(buffer);\n return;\n }\n LockGuard spin_lock(&lock_);\n\n // Add the buffer to the free list if it was not allocated from the buffer\n // pool and was allocated via UntrustedLocalAlloc. 
If the\n // buffer was allocated from the buffer pool push it back to the pool.\n if (busy_buffers_.find(buffer) == busy_buffers_.end()) {\n PushToFreeList(buffer);\n return;\n }\n busy_buffers_.erase(buffer);\n buffer_pool_.push(buffer);\n}", "project": "asylo", "hash": 182459590178654765593805891188866197543, "size": 17, "commit_id": "a47ef55db2337d29de19c50cd29b0deb2871d31c", "message": "Fix vulnerability in UntrustedCacheMalloc\n\nThe pointer array is stored in untrusted memory, so we cannot trust the\nvalue even after validation. We should validate the pointer is pointing\nto untrusted memory after it's stored inside the enclave.\n\nPiperOrigin-RevId: 358474391\nChange-Id: I63cf6c251bdaf1b491dbf06cc0dcf77f7b141756", "target": 0, "dataset": "other", "idx": 264760 }, { "func": "static void tipc_node_reset_links(struct tipc_node *n)\n{\n\tint i;\n\n\tpr_warn(\"Resetting all links to %x\\n\", n->addr);\n\n\ttrace_tipc_node_reset_links(n, true, \" \");\n\tfor (i = 0; i < MAX_BEARERS; i++) {\n\t\ttipc_node_link_down(n, i, false);\n\t}\n}", "project": "linux", "hash": 48471896316313527121842277261667356118, "size": 11, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n 
__msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 364966 }, { "func": "otError Commissioner::SendCommissionerSet(void)\n{\n otError error;\n otCommissioningDataset dataset;\n SteeringDataTlv steeringData;\n Mac::ExtAddress joinerId;\n\n VerifyOrExit(mState == OT_COMMISSIONER_STATE_ACTIVE, error = OT_ERROR_INVALID_STATE);\n\n memset(&dataset, 0, sizeof(dataset));\n\n // session id\n dataset.mSessionId = mSessionId;\n dataset.mIsSessionIdSet = true;\n\n // compute bloom filter\n steeringData.Init();\n steeringData.Clear();\n\n for (Joiner *joiner = &mJoiners[0]; joiner < OT_ARRAY_END(mJoiners); joiner++)\n {\n if (!joiner->mValid)\n {\n continue;\n }\n\n if (joiner->mAny)\n {\n steeringData.SetLength(1);\n steeringData.Set();\n break;\n }\n\n ComputeJoinerId(joiner->mEui64, joinerId);\n steeringData.ComputeBloomFilter(joinerId);\n }\n\n // set bloom filter\n dataset.mSteeringData.mLength = steeringData.GetSteeringDataLength();\n memcpy(dataset.mSteeringData.m8, steeringData.GetValue(), dataset.mSteeringData.mLength);\n dataset.mIsSteeringDataSet = true;\n\n SuccessOrExit(error = SendMgmtCommissionerSetRequest(dataset, NULL, 0));\n\nexit:\n return error;\n}", "project": "openthread", "hash": 148542274207915874791928361454913466407, "size": 47, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269907 }, { "func": "static int grep_object(struct grep_opt *opt, const char **paths,\n\t\t struct object *obj, const char *name)\n{\n\tif (obj->type == OBJ_BLOB)\n\t\treturn grep_sha1(opt, obj->sha1, name, 0);\n\tif (obj->type == OBJ_COMMIT || obj->type == OBJ_TREE) {\n\t\tstruct tree_desc tree;\n\t\tvoid *data;\n\t\tunsigned long size;\n\t\tint hit;\n\t\tdata = read_object_with_reference(obj->sha1, tree_type,\n\t\t\t\t\t\t &size, NULL);\n\t\tif (!data)\n\t\t\tdie(\"unable to read tree (%s)\", sha1_to_hex(obj->sha1));\n\t\tinit_tree_desc(&tree, data, size);\n\t\thit 
= grep_tree(opt, paths, &tree, name, \"\");\n\t\tfree(data);\n\t\treturn hit;\n\t}\n\tdie(\"unable to grep from object of type %s\", typename(obj->type));\n}", "project": "git", "hash": 6941939086032129917228591415220635945, "size": 21, "commit_id": "620e2bb93785ed8eb60846d94fd4753d4817c8ec", "message": "Fix buffer overflow in git-grep\n\nIf PATH_MAX on your system is smaller than any path stored in the git\nrepository, that can cause memory corruption inside of the grep_tree\nfunction used by git-grep.\n\nSigned-off-by: Dmitry Potapov \nSigned-off-by: Junio C Hamano ", "target": 0, "dataset": "other", "idx": 446050 }, { "func": "static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat)\n{\n\tint extent_size_tmp;\n\n\tcrypt_stat->extent_mask = 0xFFFFFFFF;\n\tcrypt_stat->extent_shift = 0;\n\tif (crypt_stat->extent_size == 0)\n\t\treturn;\n\textent_size_tmp = crypt_stat->extent_size;\n\twhile ((extent_size_tmp & 0x01) == 0) {\n\t\textent_size_tmp >>= 1;\n\t\tcrypt_stat->extent_mask <<= 1;\n\t\tcrypt_stat->extent_shift++;\n\t}\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "linux-2.6", "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b", "hash": 206879953591317277418247262982043916429, "size": 15, "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. 
This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks \nAcked-by: Dustin Kirkland \nReviewed-by: Eric Sandeen \nReviewed-by: Eugene Teo \nCc: Greg KH \nCc: dann frazier \nCc: Serge E. Hallyn \nCc: Florian Streibelt \nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 490203 }, { "func": "int imap_wait_keepalive(pid_t pid)\n{\n struct sigaction oldalrm;\n struct sigaction act;\n sigset_t oldmask;\n int rc;\n\n const bool c_imap_passive = cs_subset_bool(NeoMutt->sub, \"imap_passive\");\n cs_subset_str_native_set(NeoMutt->sub, \"imap_passive\", true, NULL);\n OptKeepQuiet = true;\n\n sigprocmask(SIG_SETMASK, NULL, &oldmask);\n\n sigemptyset(&act.sa_mask);\n act.sa_handler = mutt_sig_empty_handler;\n#ifdef SA_INTERRUPT\n act.sa_flags = SA_INTERRUPT;\n#else\n act.sa_flags = 0;\n#endif\n\n sigaction(SIGALRM, &act, &oldalrm);\n\n const short c_imap_keepalive =\n cs_subset_number(NeoMutt->sub, \"imap_keepalive\");\n alarm(c_imap_keepalive);\n while ((waitpid(pid, &rc, 0) < 0) && (errno == EINTR))\n {\n alarm(0); /* cancel a possibly pending alarm */\n imap_keepalive();\n alarm(c_imap_keepalive);\n }\n\n alarm(0); /* cancel a possibly pending alarm */\n\n sigaction(SIGALRM, &oldalrm, NULL);\n sigprocmask(SIG_SETMASK, &oldmask, NULL);\n\n OptKeepQuiet = false;\n cs_subset_str_native_set(NeoMutt->sub, \"imap_passive\", c_imap_passive, NULL);\n\n return rc;\n}", "project": "neomutt", "hash": 338303879253051572095228132950039718898, "size": 43, 
"commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399283 }, { "func": "static OFF_T parse_size_arg(char **size_arg, char def_suf)\n{\n\tint reps, mult, make_compatible = 0;\n\tconst char *arg;\n\tOFF_T size = 1;\n\n\tfor (arg = *size_arg; isDigit(arg); arg++) {}\n\tif (*arg == '.')\n\t\tfor (arg++; isDigit(arg); arg++) {}\n\tswitch (*arg && *arg != '+' && *arg != '-' ? *arg++ : def_suf) {\n\tcase 'b': case 'B':\n\t\treps = 0;\n\t\tbreak;\n\tcase 'k': case 'K':\n\t\treps = 1;\n\t\tbreak;\n\tcase 'm': case 'M':\n\t\treps = 2;\n\t\tbreak;\n\tcase 'g': case 'G':\n\t\treps = 3;\n\t\tbreak;\n\tdefault:\n\t\treturn -1;\n\t}\n\tif (*arg == 'b' || *arg == 'B')\n\t\tmult = 1000, make_compatible = 1, arg++;\n\telse if (!*arg || *arg == '+' || *arg == '-')\n\t\tmult = 1024;\n\telse if (strncasecmp(arg, \"ib\", 2) == 0)\n\t\tmult = 1024, arg += 2;\n\telse\n\t\treturn -1;\n\twhile (reps--)\n\t\tsize *= mult;\n\tsize *= atof(*size_arg);\n\tif ((*arg == '+' || *arg == '-') && arg[1] == '1')\n\t\tsize += atoi(arg), make_compatible = 1, arg += 2;\n\tif (*arg)\n\t\treturn -1;\n\tif (size > 0 && make_compatible && def_suf == 'b') {\n\t\t/* We convert this manually because we may need %lld precision,\n\t\t * and that's not a portable sprintf() escape. 
*/\n\t\tchar buf[128], *s = buf + sizeof buf - 1;\n\t\tOFF_T num = size;\n\t\t*s = '\\0';\n\t\twhile (num) {\n\t\t\t*--s = (char)(num % 10) + '0';\n\t\t\tnum /= 10;\n\t\t}\n\t\tif (!(*size_arg = strdup(s)))\n\t\t\tout_of_memory(\"parse_size_arg\");\n\t}\n\treturn size;\n}", "project": "rsync", "hash": 315846193088866392851993920638320213739, "size": 55, "commit_id": "7706303828fcde524222babb2833864a4bd09e07", "message": "Ignore --protect-args when already sent by client\n\nIn parse_arguments when --protect-args is encountered the function exits\nearly. The caller is expected to check protect_args, and recall\nparse_arguments setting protect_args to 2. This patch prevents the\nclient from resetting protect_args during the second pass of\nparse_arguments. This prevents parse_arguments returning early the\nsecond time before it's able to sanitize the arguments it received.", "target": 0, "dataset": "other", "idx": 364676 }, { "func": "static int _nfs40_proc_fsid_present(struct inode *inode, const struct cred *cred)\n{\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\tstruct nfs_client *clp = NFS_SERVER(inode)->nfs_client;\n\tstruct rpc_clnt *clnt = server->client;\n\tstruct nfs4_fsid_present_arg args = {\n\t\t.fh\t\t= NFS_FH(inode),\n\t\t.clientid\t= clp->cl_clientid,\n\t\t.renew\t\t= 1,\t\t/* append RENEW */\n\t};\n\tstruct nfs4_fsid_present_res res = {\n\t\t.renew\t\t= 1,\n\t};\n\tstruct rpc_message msg = {\n\t\t.rpc_proc\t= &nfs4_procedures[NFSPROC4_CLNT_FSID_PRESENT],\n\t\t.rpc_argp\t= &args,\n\t\t.rpc_resp\t= &res,\n\t\t.rpc_cred\t= cred,\n\t};\n\tunsigned long now = jiffies;\n\tint status;\n\n\tres.fh = nfs_alloc_fhandle();\n\tif (res.fh == NULL)\n\t\treturn -ENOMEM;\n\n\tnfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 1);\n\tstatus = nfs4_call_sync_sequence(clnt, server, &msg,\n\t\t\t\t\t\t&args.seq_args, &res.seq_res);\n\tnfs_free_fhandle(res.fh);\n\tif (status)\n\t\treturn status;\n\n\tdo_renew_lease(clp, now);\n\treturn 0;\n}", "project": "linux", 
"hash": 112110510407917632236033288930007810472, "size": 36, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431100 }, { "func": "static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,\n\t\t\t\t\t struct sk_buff *skb)\n{\n\tstruct hci_ev_remote_oob_data_request *ev = (void *) skb->data;\n\tstruct oob_data *data;\n\n\tBT_DBG(\"%s\", hdev->name);\n\n\thci_dev_lock(hdev);\n\n\tif (!hci_dev_test_flag(hdev, HCI_MGMT))\n\t\tgoto unlock;\n\n\tdata = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);\n\tif (!data) {\n\t\tstruct hci_cp_remote_oob_data_neg_reply cp;\n\n\t\tbacpy(&cp.bdaddr, &ev->bdaddr);\n\t\thci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,\n\t\t\t sizeof(cp), &cp);\n\t\tgoto unlock;\n\t}\n\n\tif (bredr_sc_enabled(hdev)) {\n\t\tstruct hci_cp_remote_oob_ext_data_reply cp;\n\n\t\tbacpy(&cp.bdaddr, &ev->bdaddr);\n\t\tif (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {\n\t\t\tmemset(cp.hash192, 0, sizeof(cp.hash192));\n\t\t\tmemset(cp.rand192, 0, sizeof(cp.rand192));\n\t\t} else {\n\t\t\tmemcpy(cp.hash192, data->hash192, sizeof(cp.hash192));\n\t\t\tmemcpy(cp.rand192, data->rand192, sizeof(cp.rand192));\n\t\t}\n\t\tmemcpy(cp.hash256, data->hash256, sizeof(cp.hash256));\n\t\tmemcpy(cp.rand256, data->rand256, sizeof(cp.rand256));\n\n\t\thci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,\n\t\t\t sizeof(cp), &cp);\n\t} else {\n\t\tstruct hci_cp_remote_oob_data_reply cp;\n\n\t\tbacpy(&cp.bdaddr, &ev->bdaddr);\n\t\tmemcpy(cp.hash, data->hash192, sizeof(cp.hash));\n\t\tmemcpy(cp.rand, data->rand192, 
sizeof(cp.rand));\n\n\t\thci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,\n\t\t\t sizeof(cp), &cp);\n\t}\n\nunlock:\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 71962689739983223408206628625039480474, "size": 53, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431930 }, { "func": " void initializeAsyncFetchFilter(bool fast_listener) {\n config_helper_.prependFilter(getAsyncFetchFilterConfig(ExampleConfig, fast_listener));\n\n config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) {\n auto* jwks_cluster = bootstrap.mutable_static_resources()->add_clusters();\n jwks_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]);\n jwks_cluster->set_name(\"pubkey_cluster\");\n });\n\n initialize();\n }", "project": "envoy", "hash": 223352804779483216399396234332739109412, "size": 11, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246593 }, { "func": "TEST_P(RemoteJwksIntegrationTest, WithFailedJwksAsyncFetchFast) {\n on_server_init_function_ = [this]() { waitForJwksResponse(\"500\", \"\"); };\n initializeAsyncFetchFilter(true);\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n auto 
response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n {\"Authorization\", \"Bearer \" + std::string(GoodToken)},\n });\n\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"401\", response->headers().getStatusValue());\n\n cleanup();\n}", "project": "envoy", "hash": 312183124010935845268175821359874383837, "size": 20, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246595 }, { "func": "TEST_P(RemoteJwksIntegrationTest, WithGoodTokenAsyncFetchFast) {\n on_server_init_function_ = [this]() { waitForJwksResponse(\"200\", PublicKey); };\n initializeAsyncFetchFilter(true);\n\n // This test is only expecting one jwks fetch, but there is a race condition in the test:\n // In fast fetch mode, the listener is activated without waiting for jwks fetch to be\n // completed. When the first request comes at the worker thread, jwks fetch could be at\n // any state at the main thread. 
If its result is not saved into jwks thread local slot,\n // the first request will trigger a second jwks fetch, this is not expected, test will fail.\n // To avoid such race condition, before making the first request, wait for the first\n // fetch stats to be updated.\n test_server_->waitForCounterGe(\"http.config_test.jwt_authn.jwks_fetch_success\", 1);\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n auto response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n {\"Authorization\", \"Bearer \" + std::string(GoodToken)},\n });\n\n waitForNextUpstreamRequest();\n\n const auto payload_entry =\n upstream_request_->headers().get(Http::LowerCaseString(\"sec-istio-auth-userinfo\"));\n EXPECT_FALSE(payload_entry.empty());\n EXPECT_EQ(payload_entry[0]->value().getStringView(), ExpectedPayloadValue);\n // Verify the token is removed.\n EXPECT_TRUE(upstream_request_->headers().get(Http::CustomHeaders::get().Authorization).empty());\n\n upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{\":status\", \"200\"}}, true);\n\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"200\", response->headers().getStatusValue());\n\n cleanup();\n}", "project": "envoy", "hash": 168217075684885367283353178905351054621, "size": 40, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246604 }, { "func": "TEST_P(RemoteJwksIntegrationTest, WithGoodTokenAsyncFetch) {\n on_server_init_function_ = [this]() { waitForJwksResponse(\"200\", PublicKey); };\n initializeAsyncFetchFilter(false);\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n auto response = 
codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n {\"Authorization\", \"Bearer \" + std::string(GoodToken)},\n });\n\n waitForNextUpstreamRequest();\n\n const auto payload_entry =\n upstream_request_->headers().get(Http::LowerCaseString(\"sec-istio-auth-userinfo\"));\n EXPECT_FALSE(payload_entry.empty());\n EXPECT_EQ(payload_entry[0]->value().getStringView(), ExpectedPayloadValue);\n // Verify the token is removed.\n EXPECT_TRUE(upstream_request_->headers().get(Http::CustomHeaders::get().Authorization).empty());\n\n upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{\":status\", \"200\"}}, true);\n\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"200\", response->headers().getStatusValue());\n\n cleanup();\n}", "project": "envoy", "hash": 43179483027392626103536198494912379600, "size": 31, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246613 }, { "func": "TEST_P(RemoteJwksIntegrationTest, WithFailedJwksAsyncFetch) {\n on_server_init_function_ = [this]() { waitForJwksResponse(\"500\", \"\"); };\n initializeAsyncFetchFilter(false);\n\n codec_client_ = makeHttpConnection(lookupPort(\"http\"));\n\n auto response = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{\n {\":method\", \"GET\"},\n {\":path\", \"/\"},\n {\":scheme\", \"http\"},\n {\":authority\", \"host\"},\n {\"Authorization\", \"Bearer \" + std::string(GoodToken)},\n });\n\n ASSERT_TRUE(response->waitForEndStream());\n ASSERT_TRUE(response->complete());\n EXPECT_EQ(\"401\", response->headers().getStatusValue());\n\n cleanup();\n}", "project": "envoy", "hash": 
202626744712810877527573645923610639475, "size": 20, "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a", "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov ", "target": 0, "dataset": "other", "idx": 246621 }, { "func": "static int kvm_clear_dirty_log_protect(struct kvm *kvm,\n\t\t\t\t struct kvm_clear_dirty_log *log)\n{\n\tstruct kvm_memslots *slots;\n\tstruct kvm_memory_slot *memslot;\n\tint as_id, id;\n\tgfn_t offset;\n\tunsigned long i, n;\n\tunsigned long *dirty_bitmap;\n\tunsigned long *dirty_bitmap_buffer;\n\tbool flush;\n\n\tas_id = log->slot >> 16;\n\tid = (u16)log->slot;\n\tif (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_USER_MEM_SLOTS)\n\t\treturn -EINVAL;\n\n\tif (log->first_page & 63)\n\t\treturn -EINVAL;\n\n\tslots = __kvm_memslots(kvm, as_id);\n\tmemslot = id_to_memslot(slots, id);\n\tif (!memslot || !memslot->dirty_bitmap)\n\t\treturn -ENOENT;\n\n\tdirty_bitmap = memslot->dirty_bitmap;\n\n\tn = ALIGN(log->num_pages, BITS_PER_LONG) / 8;\n\n\tif (log->first_page > memslot->npages ||\n\t log->num_pages > memslot->npages - log->first_page ||\n\t (log->num_pages < memslot->npages - log->first_page && (log->num_pages & 63)))\n\t return -EINVAL;\n\n\tkvm_arch_sync_dirty_log(kvm, memslot);\n\n\tflush = false;\n\tdirty_bitmap_buffer = kvm_second_dirty_bitmap(memslot);\n\tif (copy_from_user(dirty_bitmap_buffer, log->dirty_bitmap, n))\n\t\treturn -EFAULT;\n\n\tspin_lock(&kvm->mmu_lock);\n\tfor (offset = log->first_page, i = offset / BITS_PER_LONG,\n\t\t n = DIV_ROUND_UP(log->num_pages, BITS_PER_LONG); n--;\n\t i++, offset += BITS_PER_LONG) {\n\t\tunsigned long mask = *dirty_bitmap_buffer++;\n\t\tatomic_long_t *p = (atomic_long_t *) &dirty_bitmap[i];\n\t\tif (!mask)\n\t\t\tcontinue;\n\n\t\tmask &= atomic_long_fetch_andnot(mask, p);\n\n\t\t/*\n\t\t * mask contains the bits that really have been cleared. 
This\n\t\t * never includes any bits beyond the length of the memslot (if\n\t\t * the length is not aligned to 64 pages), therefore it is not\n\t\t * a problem if userspace sets them in log->dirty_bitmap.\n\t\t*/\n\t\tif (mask) {\n\t\t\tflush = true;\n\t\t\tkvm_arch_mmu_enable_log_dirty_pt_masked(kvm, memslot,\n\t\t\t\t\t\t\t\toffset, mask);\n\t\t}\n\t}\n\tspin_unlock(&kvm->mmu_lock);\n\n\tif (flush)\n\t\tkvm_arch_flush_remote_tlbs_memslot(kvm, memslot);\n\n\treturn 0;\n}", "project": "linux", "hash": 325373502086968739911403514967111815006, "size": 71, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354782 }, { "func": "static int kvm_clear_dirty_log_protect(struct kvm *kvm,\n\t\t\t\t struct kvm_clear_dirty_log *log)\n{\n\tstruct kvm_memslots *slots;\n\tstruct kvm_memory_slot *memslot;\n\tint as_id, id;\n\tgfn_t offset;\n\tunsigned long i, n;\n\tunsigned long *dirty_bitmap;\n\tunsigned long *dirty_bitmap_buffer;\n\tbool flush;\n\n\t/* Dirty ring tracking is exclusive to dirty log tracking */\n\tif (kvm->dirty_ring_size)\n\t\treturn -ENXIO;\n\n\tas_id = log->slot >> 16;\n\tid = (u16)log->slot;\n\tif (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_USER_MEM_SLOTS)\n\t\treturn -EINVAL;\n\n\tif (log->first_page & 63)\n\t\treturn -EINVAL;\n\n\tslots = __kvm_memslots(kvm, as_id);\n\tmemslot = 
id_to_memslot(slots, id);\n\tif (!memslot || !memslot->dirty_bitmap)\n\t\treturn -ENOENT;\n\n\tdirty_bitmap = memslot->dirty_bitmap;\n\n\tn = ALIGN(log->num_pages, BITS_PER_LONG) / 8;\n\n\tif (log->first_page > memslot->npages ||\n\t log->num_pages > memslot->npages - log->first_page ||\n\t (log->num_pages < memslot->npages - log->first_page && (log->num_pages & 63)))\n\t return -EINVAL;\n\n\tkvm_arch_sync_dirty_log(kvm, memslot);\n\n\tflush = false;\n\tdirty_bitmap_buffer = kvm_second_dirty_bitmap(memslot);\n\tif (copy_from_user(dirty_bitmap_buffer, log->dirty_bitmap, n))\n\t\treturn -EFAULT;\n\n\tKVM_MMU_LOCK(kvm);\n\tfor (offset = log->first_page, i = offset / BITS_PER_LONG,\n\t\t n = DIV_ROUND_UP(log->num_pages, BITS_PER_LONG); n--;\n\t i++, offset += BITS_PER_LONG) {\n\t\tunsigned long mask = *dirty_bitmap_buffer++;\n\t\tatomic_long_t *p = (atomic_long_t *) &dirty_bitmap[i];\n\t\tif (!mask)\n\t\t\tcontinue;\n\n\t\tmask &= atomic_long_fetch_andnot(mask, p);\n\n\t\t/*\n\t\t * mask contains the bits that really have been cleared. This\n\t\t * never includes any bits beyond the length of the memslot (if\n\t\t * the length is not aligned to 64 pages), therefore it is not\n\t\t * a problem if userspace sets them in log->dirty_bitmap.\n\t\t*/\n\t\tif (mask) {\n\t\t\tflush = true;\n\t\t\tkvm_arch_mmu_enable_log_dirty_pt_masked(kvm, memslot,\n\t\t\t\t\t\t\t\toffset, mask);\n\t\t}\n\t}\n\tKVM_MMU_UNLOCK(kvm);\n\n\tif (flush)\n\t\tkvm_arch_flush_remote_tlbs_memslot(kvm, memslot);\n\n\treturn 0;\n}", "project": "linux", "hash": 217427579972635027857317059557251961768, "size": 75, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404084 }, { "func": "static inline void encode_claim_delegate_cur(struct xdr_stream *xdr, const struct qstr *name, const nfs4_stateid *stateid)\n{\n\t__be32 *p;\n\n\tp = reserve_space(xdr, 4);\n\t*p = cpu_to_be32(NFS4_OPEN_CLAIM_DELEGATE_CUR);\n\tencode_nfs4_stateid(xdr, stateid);\n\tencode_string(xdr, name->len, name->name);\n}", "project": "linux", "hash": 8706044208651350768632383318452169345, "size": 9, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431129 }, { "func": "static int udp_lib_lport_inuse(struct net *net, __u16 num,\n\t\t\t const struct udp_hslot *hslot,\n\t\t\t unsigned long *bitmap,\n\t\t\t struct sock *sk, unsigned int log)\n{\n\tstruct sock *sk2;\n\tkuid_t uid = sock_i_uid(sk);\n\n\tsk_for_each(sk2, &hslot->head) {\n\t\tif (net_eq(sock_net(sk2), net) &&\n\t\t sk2 != sk &&\n\t\t (bitmap || udp_sk(sk2)->udp_port_hash == num) &&\n\t\t (!sk2->sk_reuse || !sk->sk_reuse) &&\n\t\t (!sk2->sk_bound_dev_if || !sk->sk_bound_dev_if ||\n\t\t 
sk2->sk_bound_dev_if == sk->sk_bound_dev_if) &&\n\t\t inet_rcv_saddr_equal(sk, sk2, true)) {\n\t\t\tif (sk2->sk_reuseport && sk->sk_reuseport &&\n\t\t\t !rcu_access_pointer(sk->sk_reuseport_cb) &&\n\t\t\t uid_eq(uid, sock_i_uid(sk2))) {\n\t\t\t\tif (!bitmap)\n\t\t\t\t\treturn 0;\n\t\t\t} else {\n\t\t\t\tif (!bitmap)\n\t\t\t\t\treturn 1;\n\t\t\t\t__set_bit(udp_sk(sk2)->udp_port_hash >> log,\n\t\t\t\t\t bitmap);\n\t\t\t}\n\t\t}\n\t}\n\treturn 0;\n}", "project": "net", "hash": 273080478589016714530170071023269993611, "size": 31, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 468922 }, { "func": " void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)\n {\n DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space\n int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?\n int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?\n Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;\n int32_t length = getLong((byte*)&pBox->length, bigEndian);\n int32_t count = sizeof (Jp2BoxHeader);\n char* p = (char*) boxBuf.pData_;\n bool bWroteColor = false ;\n\n while ( count < length || !bWroteColor ) {\n Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;\n\n // copy data. pointer could be into a memory mapped file which we will decode!\n Jp2BoxHeader subBox ; memcpy(&subBox,pSubBox,sizeof(subBox));\n Jp2BoxHeader newBox = subBox;\n\n if ( count < length ) {\n subBox.length = getLong((byte*)&subBox.length, bigEndian);\n subBox.type = getLong((byte*)&subBox.type , bigEndian);\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Jp2Image::encodeJp2Header subbox: \"<< toAscii(subBox.type) << \" length = \" << subBox.length << std::endl;\n#endif\n count += subBox.length;\n newBox.type = subBox.type;\n } else {\n subBox.length=0;\n newBox.type = kJp2BoxTypeColorHeader;\n count = length;\n }\n\n int32_t newlen = subBox.length;\n if ( newBox.type == kJp2BoxTypeColorHeader ) {\n bWroteColor = true ;\n if ( ! 
iccProfileDefined() ) {\n const char* pad = \"\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x05\\x1cuuid\";\n uint32_t psize = 15;\n newlen = sizeof(newBox) + psize ;\n ul2Data((byte*)&newBox.length,psize ,bigEndian);\n ul2Data((byte*)&newBox.type ,newBox.type,bigEndian);\n ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox));\n ::memcpy(output.pData_+outlen+sizeof(newBox) ,pad ,psize );\n } else {\n const char* pad = \"\\x02\\x00\\x00\";\n uint32_t psize = 3;\n newlen = sizeof(newBox) + psize + iccProfile_.size_;\n ul2Data((byte*)&newBox.length,newlen,bigEndian);\n ul2Data((byte*)&newBox.type,newBox.type,bigEndian);\n ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox) );\n ::memcpy(output.pData_+outlen+sizeof(newBox) , pad ,psize );\n ::memcpy(output.pData_+outlen+sizeof(newBox)+psize,iccProfile_.pData_,iccProfile_.size_);\n }\n } else {\n ::memcpy(output.pData_+outlen,boxBuf.pData_+inlen,subBox.length);\n }\n\n outlen += newlen;\n inlen += subBox.length;\n }\n\n // allocate the correct number of bytes, copy the data and update the box header\n outBuf.alloc(outlen);\n ::memcpy(outBuf.pData_,output.pData_,outlen);\n pBox = (Jp2BoxHeader*) outBuf.pData_;\n ul2Data((byte*)&pBox->type,kJp2BoxTypeJp2Header,bigEndian);\n ul2Data((byte*)&pBox->length,outlen,bigEndian);\n } // Jp2Image::encodeJp2Header", "project": "exiv2", "hash": 3024404238179680571348817945424819382, "size": 68, "commit_id": "f9308839198aca5e68a65194f151a1de92398f54", "message": "Better bounds checking in Jp2Image::encodeJp2Header()", "target": 1, "dataset": "other", "idx": 208379 }, { "func": " void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)\n {\n DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space\n long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?\n long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?\n Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;\n uint32_t length = 
getLong((byte*)&pBox->length, bigEndian);\n uint32_t count = sizeof (Jp2BoxHeader);\n char* p = (char*) boxBuf.pData_;\n bool bWroteColor = false ;\n\n while ( count < length || !bWroteColor ) {\n Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;\n\n // copy data. pointer could be into a memory mapped file which we will decode!\n Jp2BoxHeader subBox ; memcpy(&subBox,pSubBox,sizeof(subBox));\n Jp2BoxHeader newBox = subBox;\n\n if ( count < length ) {\n subBox.length = getLong((byte*)&subBox.length, bigEndian);\n subBox.type = getLong((byte*)&subBox.type , bigEndian);\n#ifdef EXIV2_DEBUG_MESSAGES\n std::cout << \"Jp2Image::encodeJp2Header subbox: \"<< toAscii(subBox.type) << \" length = \" << subBox.length << std::endl;\n#endif\n enforce(subBox.length <= length - count, Exiv2::kerCorruptedMetadata);\n count += subBox.length;\n newBox.type = subBox.type;\n } else {\n subBox.length=0;\n newBox.type = kJp2BoxTypeColorHeader;\n count = length;\n }\n\n uint32_t newlen = subBox.length;\n if ( newBox.type == kJp2BoxTypeColorHeader ) {\n bWroteColor = true ;\n if ( ! 
iccProfileDefined() ) {\n const char* pad = \"\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x05\\x1cuuid\";\n uint32_t psize = 15;\n newlen = sizeof(newBox) + psize ;\n enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);\n ul2Data((byte*)&newBox.length,psize ,bigEndian);\n ul2Data((byte*)&newBox.type ,newBox.type,bigEndian);\n ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox));\n ::memcpy(output.pData_+outlen+sizeof(newBox) ,pad ,psize );\n } else {\n const char* pad = \"\\x02\\x00\\x00\";\n uint32_t psize = 3;\n newlen = sizeof(newBox) + psize + iccProfile_.size_;\n enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);\n ul2Data((byte*)&newBox.length,newlen,bigEndian);\n ul2Data((byte*)&newBox.type,newBox.type,bigEndian);\n ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox) );\n ::memcpy(output.pData_+outlen+sizeof(newBox) , pad ,psize );\n ::memcpy(output.pData_+outlen+sizeof(newBox)+psize,iccProfile_.pData_,iccProfile_.size_);\n }\n } else {\n enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);\n ::memcpy(output.pData_+outlen,boxBuf.pData_+inlen,subBox.length);\n }\n\n outlen += newlen;\n inlen += subBox.length;\n }\n\n // allocate the correct number of bytes, copy the data and update the box header\n outBuf.alloc(outlen);\n ::memcpy(outBuf.pData_,output.pData_,outlen);\n pBox = (Jp2BoxHeader*) outBuf.pData_;\n ul2Data((byte*)&pBox->type,kJp2BoxTypeJp2Header,bigEndian);\n ul2Data((byte*)&pBox->length,outlen,bigEndian);\n } // Jp2Image::encodeJp2Header", "project": "exiv2", "hash": 152635762460183118135898337348969828226, "size": 72, "commit_id": "f9308839198aca5e68a65194f151a1de92398f54", "message": "Better bounds checking in Jp2Image::encodeJp2Header()", "target": 0, "dataset": "other", "idx": 409137 }, { "func": "static inline void tcp_replace_ts_recent(struct tcp_sock *tp, u32 seq)\n{\n\tif (tp->rx_opt.saw_tstamp && !after(seq, tp->rcv_wup)) {\n\t\t/* PAWS bug workaround wrt. 
ACK frames, the PAWS discard\n\t\t * extra check below makes sure this can only happen\n\t\t * for pure ACK frames. -DaveM\n\t\t *\n\t\t * Not only, also it occurs for expired timestamps.\n\t\t */\n\n\t\tif (tcp_paws_check(&tp->rx_opt, 0))\n\t\t\ttcp_store_ts_recent(tp);\n\t}\n}", "project": "net-next", "hash": 194164589233503438014779154516005792395, "size": 14, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409870 }, { "func": "static void trace_insert_eval_map(struct module *mod,\n\t\t\t\t struct trace_eval_map **start, int len)\n{\n\tstruct trace_eval_map **map;\n\n\tif (len <= 0)\n\t\treturn;\n\n\tmap = start;\n\n\ttrace_event_eval_update(map, len);\n\n\ttrace_insert_eval_map_file(mod, start, len);\n}", "project": "linux", "hash": 265973181607592910379516013351370290917, "size": 14, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445842 }, { "func": "static int dump_sa(struct xfrm_state *x, int count, void *ptr)\n{\n\tstruct pfkey_sock *pfk = ptr;\n\tstruct sk_buff *out_skb;\n\tstruct sadb_msg *out_hdr;\n\n\tif (!pfkey_can_dump(&pfk->sk))\n\t\treturn -ENOBUFS;\n\n\tout_skb = pfkey_xfrm_state2msg(x);\n\tif (IS_ERR(out_skb))\n\t\treturn PTR_ERR(out_skb);\n\n\tout_hdr = (struct sadb_msg *) out_skb->data;\n\tout_hdr->sadb_msg_version = pfk->dump.msg_version;\n\tout_hdr->sadb_msg_type = SADB_DUMP;\n\tout_hdr->sadb_msg_satype = pfkey_proto2satype(x->id.proto);\n\tout_hdr->sadb_msg_errno = 0;\n\tout_hdr->sadb_msg_reserved = 0;\n\tout_hdr->sadb_msg_seq = count + 1;\n\tout_hdr->sadb_msg_pid = pfk->dump.msg_portid;\n\n\tif (pfk->dump.skb)\n\t\tpfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,\n\t\t\t\t&pfk->sk, sock_net(&pfk->sk));\n\tpfk->dump.skb = out_skb;\n\n\treturn 0;\n}", "project": "linux", "hash": 245172107342065919975553614418611278048, "size": 29, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268009 }, { "func": "bool TABLE_REF::is_access_triggered()\n{\n for (uint i = 0; i < key_parts; i++)\n {\n if (cond_guards[i])\n return TRUE;\n }\n return FALSE;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 101814976125189437350558887635509068942, "size": 9, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508440 }, { "func": "static int do_uncompress_file(struct archive_read* a) {\n\tstruct rar5* rar = get_context(a);\n\tint ret;\n\tint64_t max_end_pos;\n\n\tif(!rar->cstate.initialized) {\n\t\t/* Don't perform full context reinitialization if we're\n\t\t * processing a solid archive. 
*/\n\t\tif(!rar->main.solid || !rar->cstate.window_buf) {\n\t\t\tinit_unpack(rar);\n\t\t}\n\n\t\trar->cstate.initialized = 1;\n\t}\n\n\tif(rar->cstate.all_filters_applied == 1) {\n\t\t/* We use while(1) here, but standard case allows for just 1\n\t\t * iteration. The loop will iterate if process_block() didn't\n\t\t * generate any data at all. This can happen if the block\n\t\t * contains only filter definitions (this is common in big\n\t\t * files). */\n\t\twhile(1) {\n\t\t\tret = process_block(a);\n\t\t\tif(ret == ARCHIVE_EOF || ret == ARCHIVE_FATAL)\n\t\t\t\treturn ret;\n\n\t\t\tif(rar->cstate.last_write_ptr ==\n\t\t\t rar->cstate.write_ptr) {\n\t\t\t\t/* The block didn't generate any new data,\n\t\t\t\t * so just process a new block. */\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\t/* The block has generated some new data, so break\n\t\t\t * the loop. */\n\t\t\tbreak;\n\t\t}\n\t}\n\n\t/* Try to run filters. If filters won't be applied, it means that\n\t * insufficient data was generated. */\n\tret = apply_filters(a);\n\tif(ret == ARCHIVE_RETRY) {\n\t\treturn ARCHIVE_OK;\n\t} else if(ret == ARCHIVE_FATAL) {\n\t\treturn ARCHIVE_FATAL;\n\t}\n\n\t/* If apply_filters() will return ARCHIVE_OK, we can continue here. */\n\n\tif(cdeque_size(&rar->cstate.filters) > 0) {\n\t\t/* Check if we can write something before hitting first\n\t\t * filter. */\n\t\tstruct filter_info* flt;\n\n\t\t/* Get the block_start offset from the first filter. */\n\t\tif(CDE_OK != cdeque_front(&rar->cstate.filters,\n\t\t cdeque_filter_p(&flt)))\n\t\t{\n\t\t\tarchive_set_error(&a->archive,\n\t\t\t ARCHIVE_ERRNO_PROGRAMMER,\n\t\t\t \"Can't read first filter\");\n\t\t\treturn ARCHIVE_FATAL;\n\t\t}\n\n\t\tmax_end_pos = rar5_min(flt->block_start,\n\t\t rar->cstate.write_ptr);\n\t} else {\n\t\t/* There are no filters defined, or all filters were applied.\n\t\t * This means we can just store the data without any\n\t\t * postprocessing. 
*/\n\t\tmax_end_pos = rar->cstate.write_ptr;\n\t}\n\n\tif(max_end_pos == rar->cstate.last_write_ptr) {\n\t\t/* We can't write anything yet. The block uncompression\n\t\t * function did not generate enough data, and no filter can be\n\t\t * applied. At the same time we don't have any data that can be\n\t\t * stored without filter postprocessing. This means we need to\n\t\t * wait for more data to be generated, so we can apply the\n\t\t * filters.\n\t\t *\n\t\t * Signal the caller that we need more data to be able to do\n\t\t * anything.\n\t\t */\n\t\treturn ARCHIVE_RETRY;\n\t} else {\n\t\t/* We can write the data before hitting the first filter.\n\t\t * So let's do it. The push_window_data() function will\n\t\t * effectively return the selected data block to the user\n\t\t * application. */\n\t\tpush_window_data(a, rar, rar->cstate.last_write_ptr,\n\t\t max_end_pos);\n\t\trar->cstate.last_write_ptr = max_end_pos;\n\t}\n\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 282436702760739784767982154034102159697, "size": 98, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. 
Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244723 }, { "func": "int _blosc_getitem(blosc2_context* context, const void* src, int32_t srcsize,\n int start, int nitems, void* dest) {\n uint8_t* _src = NULL; /* current pos for source buffer */\n uint8_t flags; /* flags for header */\n int32_t ntbytes = 0; /* the number of uncompressed bytes */\n int32_t nblocks; /* number of total blocks in buffer */\n int32_t leftover; /* extra bytes at end of buffer */\n int32_t* bstarts; /* start pointers for each block */\n int32_t typesize, blocksize, nbytes;\n int32_t bsize, bsize2, ebsize, leftoverblock;\n int32_t cbytes;\n int32_t startb, stopb;\n int32_t stop = start + nitems;\n int j;\n\n if (srcsize < BLOSC_MIN_HEADER_LENGTH) {\n /* Not enough input to parse Blosc1 header */\n return -1;\n }\n _src = (uint8_t*)(src);\n\n /* Read the header block */\n flags = _src[2]; /* flags */\n bool memcpyed = flags & (uint8_t)BLOSC_MEMCPYED;\n typesize = (int32_t)_src[3]; /* typesize */\n nbytes = sw32_(_src + 4); /* buffer size */\n blocksize = sw32_(_src + 8); /* block size */\n cbytes = sw32_(_src + 12); /* compressed buffer size */\n\n ebsize = blocksize + typesize * (int32_t)sizeof(int32_t);\n\n if ((context->header_flags & BLOSC_DOSHUFFLE) &&\n (context->header_flags & BLOSC_DOBITSHUFFLE)) {\n /* Extended header */\n if (srcsize < BLOSC_EXTENDED_HEADER_LENGTH) {\n /* Not enough input to parse Blosc2 header */\n return -1;\n }\n uint8_t* filters = _src + BLOSC_MIN_HEADER_LENGTH;\n uint8_t* filters_meta = filters + 8;\n for (int i = 0; i < BLOSC2_MAX_FILTERS; i++) 
{\n context->filters[i] = filters[i];\n context->filters_meta[i] = filters_meta[i];\n }\n bstarts = (int32_t*)(_src + BLOSC_EXTENDED_HEADER_LENGTH);\n } else {\n /* Minimal header */\n flags_to_filters(flags, context->filters);\n bstarts = (int32_t*)(_src + BLOSC_MIN_HEADER_LENGTH);\n }\n\n // Some checks for malformed buffers\n if (blocksize <= 0 || blocksize > nbytes || typesize <= 0 || typesize > BLOSC_MAX_TYPESIZE) {\n return -1;\n }\n\n /* Compute some params */\n /* Total blocks */\n nblocks = nbytes / blocksize;\n leftover = nbytes % blocksize;\n nblocks = (leftover > 0) ? nblocks + 1 : nblocks;\n\n /* Check region boundaries */\n if ((start < 0) || (start * typesize > nbytes)) {\n fprintf(stderr, \"`start` out of bounds\");\n return -1;\n }\n\n if ((stop < 0) || (stop * typesize > nbytes)) {\n fprintf(stderr, \"`start`+`nitems` out of bounds\");\n return -1;\n }\n\n if (_src + srcsize < (uint8_t *)(bstarts + nblocks)) {\n /* Not enough input to read all `bstarts` */\n return -1;\n }\n\n for (j = 0; j < nblocks; j++) {\n bsize = blocksize;\n leftoverblock = 0;\n if ((j == nblocks - 1) && (leftover > 0)) {\n bsize = leftover;\n leftoverblock = 1;\n }\n\n /* Compute start & stop for each block */\n startb = start * (int)typesize - j * (int)blocksize;\n stopb = stop * (int)typesize - j * (int)blocksize;\n if ((startb >= (int)blocksize) || (stopb <= 0)) {\n continue;\n }\n if (startb < 0) {\n startb = 0;\n }\n if (stopb > (int)blocksize) {\n stopb = (int)blocksize;\n }\n bsize2 = stopb - startb;\n\n /* Do the actual data copy */\n if (memcpyed) {\n // Check that sizes in header are compatible, otherwise there is a header corruption\n if (nbytes + BLOSC_MAX_OVERHEAD != cbytes) {\n return -1;\n }\n if (srcsize < BLOSC_MAX_OVERHEAD + j * blocksize + startb + bsize2) {\n /* Not enough input to copy data */\n return -1;\n }\n memcpy((uint8_t*)dest + ntbytes,\n (uint8_t*)src + BLOSC_MAX_OVERHEAD + j * blocksize + startb,\n (unsigned int)bsize2);\n cbytes = 
(int)bsize2;\n }\n else {\n struct thread_context* scontext = context->serial_context;\n\n /* Resize the temporaries in serial context if needed */\n if (blocksize != scontext->tmp_blocksize) {\n my_free(scontext->tmp);\n scontext->tmp_nbytes = (size_t)3 * context->blocksize + ebsize;\n scontext->tmp = my_malloc(scontext->tmp_nbytes);\n scontext->tmp2 = scontext->tmp + blocksize;\n scontext->tmp3 = scontext->tmp + blocksize + ebsize;\n scontext->tmp4 = scontext->tmp + 2 * blocksize + ebsize;\n scontext->tmp_blocksize = (int32_t)blocksize;\n }\n\n // Regular decompression. Put results in tmp2.\n // If the block is aligned and the worst case fits in destination, let's avoid a copy\n bool get_single_block = ((startb == 0) && (bsize == nitems * typesize));\n uint8_t* tmp2 = get_single_block ? dest : scontext->tmp2;\n cbytes = blosc_d(context->serial_context, bsize, leftoverblock,\n src, srcsize, sw32_(bstarts + j),\n tmp2, 0, scontext->tmp, scontext->tmp3);\n if (cbytes < 0) {\n ntbytes = cbytes;\n break;\n }\n if (!get_single_block) {\n /* Copy to destination */\n memcpy((uint8_t *) dest + ntbytes, tmp2 + startb, (unsigned int) bsize2);\n }\n cbytes = (int)bsize2;\n }\n ntbytes += cbytes;\n }\n\n return ntbytes;\n}", "project": "c-blosc2", "hash": 202050948771881884400524664822859034113, "size": 151, "commit_id": "c4c6470e88210afc95262c8b9fcc27e30ca043ee", "message": "Fixed asan heap buffer overflow when not enough space to write compressed block size.", "target": 0, "dataset": "other", "idx": 303104 }, { "func": "static inline void io_put_req_deferred(struct io_kiocb *req, int refs)\n{\n\tif (req_ref_sub_and_test(req, refs))\n\t\tio_free_req_deferred(req);\n}", "project": "linux", "hash": 191293996798143387312079941952514569898, "size": 5, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338729 }, { "func": "otError Commissioner::SendMgmtCommissionerGetRequest(const uint8_t *aTlvs, uint8_t aLength)\n{\n otError error = OT_ERROR_NONE;\n Coap::Message * message;\n Ip6::MessageInfo messageInfo;\n MeshCoP::Tlv tlv;\n\n VerifyOrExit((message = NewMeshCoPMessage(Get())) != NULL, error = OT_ERROR_NO_BUFS);\n\n SuccessOrExit(error = message->Init(OT_COAP_TYPE_CONFIRMABLE, OT_COAP_CODE_POST, OT_URI_PATH_COMMISSIONER_GET));\n\n if (aLength > 0)\n {\n SuccessOrExit(error = message->SetPayloadMarker());\n }\n\n if (aLength > 0)\n {\n tlv.SetType(MeshCoP::Tlv::kGet);\n tlv.SetLength(aLength);\n SuccessOrExit(error = message->Append(&tlv, sizeof(tlv)));\n SuccessOrExit(error = message->Append(aTlvs, aLength));\n }\n\n messageInfo.SetSockAddr(Get().GetMeshLocal16());\n SuccessOrExit(error = Get().GetLeaderAloc(messageInfo.GetPeerAddr()));\n messageInfo.SetPeerPort(kCoapUdpPort);\n SuccessOrExit(error = Get().SendMessage(*message, messageInfo,\n Commissioner::HandleMgmtCommissionerGetResponse, this));\n\n otLogInfoMeshCoP(\"sent MGMT_COMMISSIONER_GET.req to leader\");\n\nexit:\n\n if (error != OT_ERROR_NONE && message != NULL)\n {\n message->Free();\n }\n\n return error;\n}", "project": "openthread", "hash": 287071334083149291120062483834897808338, "size": 41, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use 
strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269865 }, { "func": " virtual bool view_used_tables_processor(void *arg) { return 0; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 87780643930051494903493068839880666493, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509137 }, { "func": " bool view_used_tables_processor(void *arg) \n {\n TABLE_LIST *view_arg= (TABLE_LIST *) arg;\n if (view_arg == view)\n view_arg->view_used_tables|= (*ref)->used_tables();\n return 0;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 211369036509479340445077391189787977681, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509468 }, { "func": "static void exif_iif_add_tag(image_info_type *image_info, int section_index,\n char *name, int tag, int format,\n size_t length, void* value) {\n exif_iif_add_value(image_info, section_index, name, tag, format,\n (int)length, value, image_info->motorola_intel);\n}", "project": "hhvm", "hash": 118439501844946720809629695938674871707, "size": 6, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219348 }, { "func": "static int kvm_create_vm_debugfs(struct kvm *kvm, int fd)\n{\n\tchar dir_name[ITOA_MAX_LEN * 2];\n\tstruct kvm_stat_data *stat_data;\n\tstruct kvm_stats_debugfs_item *p;\n\n\tif (!debugfs_initialized())\n\t\treturn 0;\n\n\tsnprintf(dir_name, sizeof(dir_name), \"%d-%d\", task_pid_nr(current), fd);\n\tkvm->debugfs_dentry = debugfs_create_dir(dir_name, kvm_debugfs_dir);\n\n\tkvm->debugfs_stat_data = kcalloc(kvm_debugfs_num_entries,\n\t\t\t\t\t sizeof(*kvm->debugfs_stat_data),\n\t\t\t\t\t GFP_KERNEL_ACCOUNT);\n\tif (!kvm->debugfs_stat_data)\n\t\treturn -ENOMEM;\n\n\tfor (p = debugfs_entries; p->name; p++) {\n\t\tstat_data = kzalloc(sizeof(*stat_data), GFP_KERNEL_ACCOUNT);\n\t\tif (!stat_data)\n\t\t\treturn -ENOMEM;\n\n\t\tstat_data->kvm = kvm;\n\t\tstat_data->dbgfs_item = p;\n\t\tkvm->debugfs_stat_data[p - debugfs_entries] = stat_data;\n\t\tdebugfs_create_file(p->name, KVM_DBGFS_GET_MODE(p),\n\t\t\t\t kvm->debugfs_dentry, stat_data,\n\t\t\t\t &stat_fops_per_vm);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 168864784915568521790088432606966608906, "size": 32, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a 
memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354473 }, { "func": "static bool are_tables_local(JOIN_TAB *jtab, table_map used_tables)\n{\n if (jtab->bush_root_tab)\n {\n /*\n jtab is inside execution join nest. We may not refer to outside tables,\n except the const tables.\n */\n table_map local_tables= jtab->emb_sj_nest->nested_join->used_tables |\n jtab->join->const_table_map |\n OUTER_REF_TABLE_BIT;\n return !MY_TEST(used_tables & ~local_tables);\n }\n\n /* \n If we got here then jtab is at top level. \n - all other tables at top level are accessible,\n - tables in join nests are accessible too, because all their columns that \n are needed at top level will be unpacked when scanning the\n materialization table.\n */\n return TRUE;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 272537075297918788144541095689750603680, "size": 23, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. 
But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508695 }, { "func": "static int collect_events(struct perf_event *group, int max_count,\n\t\t\t struct perf_event *ctrs[], u64 *events,\n\t\t\t unsigned int *flags)\n{\n\tint n = 0;\n\tstruct perf_event *event;\n\n\tif (group->pmu->task_ctx_nr == perf_hw_context) {\n\t\tif (n >= max_count)\n\t\t\treturn -1;\n\t\tctrs[n] = group;\n\t\tflags[n] = group->hw.event_base;\n\t\tevents[n++] = group->hw.config;\n\t}\n\tfor_each_sibling_event(event, group) {\n\t\tif (event->pmu->task_ctx_nr == perf_hw_context &&\n\t\t event->state != PERF_EVENT_STATE_OFF) {\n\t\t\tif (n >= max_count)\n\t\t\t\treturn -1;\n\t\t\tctrs[n] = event;\n\t\t\tflags[n] = event->hw.event_base;\n\t\t\tevents[n++] = event->hw.config;\n\t\t}\n\t}\n\treturn n;\n}", "project": "linux", "hash": 299582562943241945437941622597663418160, "size": 26, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP 
perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374712 }, { "func": "static void record_preemption(struct intel_engine_execlists *execlists)\n{\n\t(void)I915_SELFTEST_ONLY(execlists->preempt_hang.count++);\n}", "project": "linux", "hash": 94178342799488359132011658493443091880, "size": 4, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281489 }, { "func": "static void set_buffer_entries(struct trace_buffer *buf, unsigned long val)\n{\n\tint cpu;\n\n\tfor_each_tracing_cpu(cpu)\n\t\tper_cpu_ptr(buf->data, cpu)->entries = val;\n}", "project": "linux", "hash": 32088592113657068243667161203410755679, "size": 7, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445593 }, { "func": "static int halt_simple(struct usbtest_dev *dev)\n{\n\tint\t\t\tep;\n\tint\t\t\tretval = 0;\n\tstruct urb\t\t*urb;\n\tstruct usb_device\t*udev = testdev_to_usbdev(dev);\n\n\tif (udev->speed == USB_SPEED_SUPER)\n\t\turb = simple_alloc_urb(udev, 0, 1024, 0);\n\telse\n\t\turb = simple_alloc_urb(udev, 0, 512, 0);\n\tif (urb == NULL)\n\t\treturn -ENOMEM;\n\n\tif (dev->in_pipe) {\n\t\tep = usb_pipeendpoint(dev->in_pipe) | USB_DIR_IN;\n\t\turb->pipe = dev->in_pipe;\n\t\tretval = test_halt(dev, ep, urb);\n\t\tif (retval < 0)\n\t\t\tgoto done;\n\t}\n\n\tif (dev->out_pipe) {\n\t\tep = usb_pipeendpoint(dev->out_pipe);\n\t\turb->pipe = dev->out_pipe;\n\t\tretval = test_halt(dev, ep, urb);\n\t}\ndone:\n\tsimple_free_urb(urb);\n\treturn retval;\n}", "project": "linux", "hash": 249037518127668371656811887061891476006, "size": 31, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] 
kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412248 }, { "func": "static int nfs4_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr)\n{\n\n\tdprintk(\"--> %s\\n\", __func__);\n\n\tif (!nfs4_sequence_done(task, &hdr->res.seq_res))\n\t\treturn -EAGAIN;\n\tif (nfs4_read_stateid_changed(task, &hdr->args))\n\t\treturn -EAGAIN;\n\tif (task->tk_status > 0)\n\t\tnfs_invalidate_atime(hdr->inode);\n\treturn hdr->pgio_done_cb ? 
hdr->pgio_done_cb(task, hdr) :\n\t\t\t\t nfs4_read_done_cb(task, hdr);\n}", "project": "linux", "hash": 199820488148965747019768470664531803180, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431226 }, { "func": "\t__releases(¤t->sighand->siglock)\n{\n\tstruct signal_struct *sig = current->signal;\n\n\tif (!(current->jobctl & JOBCTL_STOP_PENDING)) {\n\t\tunsigned long gstop = JOBCTL_STOP_PENDING | JOBCTL_STOP_CONSUME;\n\t\tstruct task_struct *t;\n\n\t\t/* signr will be recorded in task->jobctl for retries */\n\t\tWARN_ON_ONCE(signr & ~JOBCTL_STOP_SIGMASK);\n\n\t\tif (!likely(current->jobctl & JOBCTL_STOP_DEQUEUED) ||\n\t\t unlikely(signal_group_exit(sig)))\n\t\t\treturn false;\n\t\t/*\n\t\t * There is no group stop already in progress. We must\n\t\t * initiate one now.\n\t\t *\n\t\t * While ptraced, a task may be resumed while group stop is\n\t\t * still in effect and then receive a stop signal and\n\t\t * initiate another group stop. This deviates from the\n\t\t * usual behavior as two consecutive stop signals can't\n\t\t * cause two group stops when !ptraced. That is why we\n\t\t * also check !task_is_stopped(t) below.\n\t\t *\n\t\t * The condition can be distinguished by testing whether\n\t\t * SIGNAL_STOP_STOPPED is already set. 
Don't generate\n\t\t * group_exit_code in such case.\n\t\t *\n\t\t * This is not necessary for SIGNAL_STOP_CONTINUED because\n\t\t * an intervening stop signal is required to cause two\n\t\t * continued events regardless of ptrace.\n\t\t */\n\t\tif (!(sig->flags & SIGNAL_STOP_STOPPED))\n\t\t\tsig->group_exit_code = signr;\n\n\t\tsig->group_stop_count = 0;\n\n\t\tif (task_set_jobctl_pending(current, signr | gstop))\n\t\t\tsig->group_stop_count++;\n\n\t\tt = current;\n\t\twhile_each_thread(current, t) {\n\t\t\t/*\n\t\t\t * Setting state to TASK_STOPPED for a group\n\t\t\t * stop is always done with the siglock held,\n\t\t\t * so this check has no races.\n\t\t\t */\n\t\t\tif (!task_is_stopped(t) &&\n\t\t\t task_set_jobctl_pending(t, signr | gstop)) {\n\t\t\t\tsig->group_stop_count++;\n\t\t\t\tif (likely(!(t->ptrace & PT_SEIZED)))\n\t\t\t\t\tsignal_wake_up(t, 0);\n\t\t\t\telse\n\t\t\t\t\tptrace_trap_notify(t);\n\t\t\t}\n\t\t}\n\t}\n\n\tif (likely(!current->ptrace)) {\n\t\tint notify = 0;\n\n\t\t/*\n\t\t * If there are no other threads in the group, or if there\n\t\t * is a group stop in progress and we are the last to stop,\n\t\t * report to the parent.\n\t\t */\n\t\tif (task_participate_group_stop(current))\n\t\t\tnotify = CLD_STOPPED;\n\n\t\tset_special_state(TASK_STOPPED);\n\t\tspin_unlock_irq(¤t->sighand->siglock);\n\n\t\t/*\n\t\t * Notify the parent of the group stop completion. Because\n\t\t * we're not holding either the siglock or tasklist_lock\n\t\t * here, ptracer may attach inbetween; however, this is for\n\t\t * group stop and should always be delivered to the real\n\t\t * parent of the group leader. 
The new ptracer will get\n\t\t * its notification when this task transitions into\n\t\t * TASK_TRACED.\n\t\t */\n\t\tif (notify) {\n\t\t\tread_lock(&tasklist_lock);\n\t\t\tdo_notify_parent_cldstop(current, false, notify);\n\t\t\tread_unlock(&tasklist_lock);\n\t\t}\n\n\t\t/* Now we don't run again until woken by SIGCONT or SIGKILL */\n\t\tcgroup_enter_frozen();\n\t\tfreezable_schedule();\n\t\treturn true;\n\t} else {\n\t\t/*\n\t\t * While ptraced, group stop is handled by STOP trap.\n\t\t * Schedule it and let the caller deal with it.\n\t\t */\n\t\ttask_set_jobctl_pending(current, JOBCTL_TRAP_STOP);\n\t\treturn false;\n\t}\n}", "project": "linux", "hash": 99597931969966502675486821370856681757, "size": 101, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375219 }, { "func": "static void free_init_section_list(struct playlist *pls)\n{\n int i;\n for (i = 0; i < pls->n_init_sections; i++) {\n av_freep(&pls->init_sections[i]->url);\n av_freep(&pls->init_sections[i]);\n }\n av_freep(&pls->init_sections);\n pls->n_init_sections = 0;\n}", "project": "FFmpeg", "hash": 159275662923933922526383954930853844432, "size": 10, "commit_id": "6959358683c7533f586c07a766acc5fe9544d8b2", "message": "avformat/hls: check segment duration value of EXTINF\n\nfix ticket: 8673\nset the default EXTINF duration to 1ms if duration is smaller than 1ms\n\nSigned-off-by: Steven Liu \n(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)", "target": 0, "dataset": "other", "idx": 270463 }, { "project": "opaque", "commit_id": "5ddda15d89f5ac82f4416208c5319ace4aecdc36", "target": 0, "func": "void ecall_enclave_ra_close(sgx_ra_context_t context) {\n try {\n enclave_ra_close(context);\n } catch (const std::runtime_error &e) {\n ocall_throw(e.what());\n }\n}", "idx": 519085, "cwe": "CWE-787", "hash": 282157273772193280774319231467266560089, "dataset": "other" }, { "func": " Item_empty_string(THD *thd, const char *header,uint length,\n CHARSET_INFO *cs= NULL):\n Item_partition_func_safe_string(thd, \"\", 0,\n cs ? 
cs : &my_charset_utf8_general_ci)\n { name=(char*) header; max_length= length * collation.collation->mbmaxlen; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 249593923691679540340454076807373994771, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509111 }, { "func": "static void parse_cmdline(int argc, char **argv, int pass)\n{\n FILE *rfile;\n char *envreal, *envcopy = NULL, *p;\n int i;\n\n /* Initialize all the warnings to their default state */\n for (i = 0; i < ERR_WARN_ALL; i++) {\n warning_state_init[i] = warning_state[i] =\n\t warnings[i].enabled ? 
WARN_ST_ENABLED : 0;\n }\n\n /*\n * First, process the NASMENV environment variable.\n */\n envreal = getenv(\"NASMENV\");\n if (envreal) {\n envcopy = nasm_strdup(envreal);\n process_args(envcopy, pass);\n nasm_free(envcopy);\n }\n\n /*\n * Now process the actual command line.\n */\n while (--argc) {\n bool advance;\n argv++;\n if (argv[0][0] == '@') {\n /*\n * We have a response file, so process this as a set of\n * arguments like the environment variable. This allows us\n * to have multiple arguments on a single line, which is\n * different to the -@resp file processing below for regular\n * NASM.\n */\n process_response_file(argv[0]+1, pass);\n argc--;\n argv++;\n }\n if (!stopoptions && argv[0][0] == '-' && argv[0][1] == '@') {\n p = get_param(argv[0], argc > 1 ? argv[1] : NULL, &advance);\n if (p) {\n rfile = nasm_open_read(p, NF_TEXT);\n if (rfile) {\n process_respfile(rfile, pass);\n fclose(rfile);\n } else\n nasm_error(ERR_NONFATAL | ERR_NOFILE | ERR_USAGE,\n \"unable to open response file `%s'\", p);\n }\n } else\n advance = process_arg(argv[0], argc > 1 ? argv[1] : NULL, pass);\n argv += advance, argc -= advance;\n }\n\n /*\n * Look for basic command line typos. This definitely doesn't\n * catch all errors, but it might help cases of fumbled fingers.\n */\n if (pass != 2)\n return;\n\n if (!inname)\n nasm_fatal(ERR_NOFILE | ERR_USAGE, \"no input file specified\");\n\n else if ((errname && !strcmp(inname, errname)) ||\n (outname && !strcmp(inname, outname)) ||\n (listname && !strcmp(inname, listname)) ||\n (depend_file && !strcmp(inname, depend_file)))\n nasm_fatal(ERR_USAGE, \"will not overwrite input file\");\n\n if (errname) {\n error_file = nasm_open_write(errname, NF_TEXT);\n if (!error_file) {\n error_file = stderr; /* Revert to default! 
*/\n nasm_fatal(ERR_NOFILE | ERR_USAGE,\n \"cannot open file `%s' for error messages\",\n errname);\n }\n }\n}", "project": "nasm", "hash": 32513286844953940686369781888892612202, "size": 82, "commit_id": "e996d28c70d45008085322b442b44a9224308548", "message": "labels: Don't nil dereference if no label provided\n\nAn equ without label may cause nil dereference\n\n |\tequ 0x100\n\nFixes 98578071b9d71ecaa2344dd9c185237c1765041e\n\nSigned-off-by: Cyrill Gorcunov ", "target": 0, "dataset": "other", "idx": 257493 }, { "func": "static void power_pmu_read(struct perf_event *event)\n{\n\ts64 val, delta, prev;\n\n\tif (event->hw.state & PERF_HES_STOPPED)\n\t\treturn;\n\n\tif (!event->hw.idx)\n\t\treturn;\n\n\tif (is_ebb_event(event)) {\n\t\tval = read_pmc(event->hw.idx);\n\t\tlocal64_set(&event->hw.prev_count, val);\n\t\treturn;\n\t}\n\n\t/*\n\t * Performance monitor interrupts come even when interrupts\n\t * are soft-disabled, as long as interrupts are hard-enabled.\n\t * Therefore we treat them like NMIs.\n\t */\n\tdo {\n\t\tprev = local64_read(&event->hw.prev_count);\n\t\tbarrier();\n\t\tval = read_pmc(event->hw.idx);\n\t\tdelta = check_and_compute_delta(prev, val);\n\t\tif (!delta)\n\t\t\treturn;\n\t} while (local64_cmpxchg(&event->hw.prev_count, prev, val) != prev);\n\n\tlocal64_add(delta, &event->count);\n\n\t/*\n\t * A number of places program the PMC with (0x80000000 - period_left).\n\t * We never want period_left to be less than 1 because we will program\n\t * the PMC with a value >= 0x800000000 and an edge detected PMC will\n\t * roll around to 0 before taking an exception. 
We have seen this\n\t * on POWER8.\n\t *\n\t * To fix this, clamp the minimum value of period_left to 1.\n\t */\n\tdo {\n\t\tprev = local64_read(&event->hw.period_left);\n\t\tval = prev - delta;\n\t\tif (val < 1)\n\t\t\tval = 1;\n\t} while (local64_cmpxchg(&event->hw.period_left, prev, val) != prev);\n}", "project": "linux", "hash": 276314359578584772971396430463926814585, "size": 48, "commit_id": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "message": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set\n\nOn systems without any specific PMU driver support registered, running\nperf record causes Oops.\n\nThe relevant portion from call trace:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000040\n Faulting instruction address: 0xc0021f0c\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K PREEMPT CMPCPRO\n SAF3000 DIE NOTIFICATION\n CPU: 0 PID: 442 Comm: null_syscall Not tainted 5.13.0-rc6-s3k-dev-01645-g7649ee3d2957 #5164\n NIP: c0021f0c LR: c00e8ad8 CTR: c00d8a5c\n NIP perf_instruction_pointer+0x10/0x60\n LR perf_prepare_sample+0x344/0x674\n Call Trace:\n perf_prepare_sample+0x7c/0x674 (unreliable)\n perf_event_output_forward+0x3c/0x94\n __perf_event_overflow+0x74/0x14c\n perf_swevent_hrtimer+0xf8/0x170\n __hrtimer_run_queues.constprop.0+0x160/0x318\n hrtimer_interrupt+0x148/0x3b0\n timer_interrupt+0xc4/0x22c\n Decrementer_virt+0xb8/0xbc\n\nDuring perf record session, perf_instruction_pointer() is called to\ncapture the sample IP. This function in core-book3s accesses\nppmu->flags. If a platform specific PMU driver is not registered, ppmu\nis set to NULL and accessing its members results in a crash. 
Fix this\ncrash by checking if ppmu is set.\n\nFixes: 2ca13a4cc56c (\"powerpc/perf: Use regs->nip when SIAR is zero\")\nCc: stable@vger.kernel.org # v5.11+\nReported-by: Christophe Leroy \nSigned-off-by: Athira Rajeev \nTested-by: Christophe Leroy \nSigned-off-by: Michael Ellerman \nLink: https://lore.kernel.org/r/1623952506-1431-1-git-send-email-atrajeev@linux.vnet.ibm.com", "target": 0, "dataset": "other", "idx": 374702 }, { "func": "static OPJ_BOOL opj_j2k_init_info(opj_j2k_t *p_j2k,\n struct opj_stream_private *p_stream,\n struct opj_event_mgr * p_manager)\n{\n opj_codestream_info_t * l_cstr_info = 00;\n\n /* preconditions */\n assert(p_j2k != 00);\n assert(p_manager != 00);\n assert(p_stream != 00);\n (void)l_cstr_info;\n\n OPJ_UNUSED(p_stream);\n\n /* TODO mergeV2: check this part which use cstr_info */\n /*l_cstr_info = p_j2k->cstr_info;\n\n if (l_cstr_info) {\n OPJ_UINT32 compno;\n l_cstr_info->tile = (opj_tile_info_t *) opj_malloc(p_j2k->m_cp.tw * p_j2k->m_cp.th * sizeof(opj_tile_info_t));\n\n l_cstr_info->image_w = p_j2k->m_image->x1 - p_j2k->m_image->x0;\n l_cstr_info->image_h = p_j2k->m_image->y1 - p_j2k->m_image->y0;\n\n l_cstr_info->prog = (&p_j2k->m_cp.tcps[0])->prg;\n\n l_cstr_info->tw = p_j2k->m_cp.tw;\n l_cstr_info->th = p_j2k->m_cp.th;\n\n l_cstr_info->tile_x = p_j2k->m_cp.tdx;*/ /* new version parser */\n /*l_cstr_info->tile_y = p_j2k->m_cp.tdy;*/ /* new version parser */\n /*l_cstr_info->tile_Ox = p_j2k->m_cp.tx0;*/ /* new version parser */\n /*l_cstr_info->tile_Oy = p_j2k->m_cp.ty0;*/ /* new version parser */\n\n /*l_cstr_info->numcomps = p_j2k->m_image->numcomps;\n\n l_cstr_info->numlayers = (&p_j2k->m_cp.tcps[0])->numlayers;\n\n l_cstr_info->numdecompos = (OPJ_INT32*) opj_malloc(p_j2k->m_image->numcomps * sizeof(OPJ_INT32));\n\n for (compno=0; compno < p_j2k->m_image->numcomps; compno++) {\n l_cstr_info->numdecompos[compno] = (&p_j2k->m_cp.tcps[0])->tccps->numresolutions - 1;\n }\n\n l_cstr_info->D_max = 0.0; */ /* ADD Marcela */\n\n 
/*l_cstr_info->main_head_start = opj_stream_tell(p_stream);*/ /* position of SOC */\n\n /*l_cstr_info->maxmarknum = 100;\n l_cstr_info->marker = (opj_marker_info_t *) opj_malloc(l_cstr_info->maxmarknum * sizeof(opj_marker_info_t));\n l_cstr_info->marknum = 0;\n }*/\n\n return opj_j2k_calculate_tp(p_j2k, &(p_j2k->m_cp),\n &p_j2k->m_specific_param.m_encoder.m_total_tile_parts, p_j2k->m_private_image,\n p_manager);\n}", "project": "openjpeg", "hash": 332063579981840465865391839451012572546, "size": 57, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357439 }, { "func": "static int xsetbv_interception(struct vcpu_svm *svm)\n{\n\tu64 new_bv = kvm_read_edx_eax(&svm->vcpu);\n\tu32 index = kvm_rcx_read(&svm->vcpu);\n\n\tif (kvm_set_xcr(&svm->vcpu, index, new_bv) == 0) {\n\t\treturn kvm_skip_emulated_instruction(&svm->vcpu);\n\t}\n\n\treturn 1;\n}", "project": "linux", "hash": 97443348161233904865809436440617277239, "size": 11, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432489 }, { "func": "static int xsetbv_interception(struct vcpu_svm *svm)\n{\n\tu64 new_bv = kvm_read_edx_eax(&svm->vcpu);\n\tu32 index = kvm_register_read(&svm->vcpu, VCPU_REGS_RCX);\n\n\tif (kvm_set_xcr(&svm->vcpu, index, new_bv) == 0) {\n\t\tsvm->next_rip = kvm_rip_read(&svm->vcpu) + 3;\n\t\tskip_emulated_instruction(&svm->vcpu);\n\t}\n\n\treturn 1;\n}", "project": "kvm", "hash": 204118720603672382744831389741508895027, "size": 12, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437622 }, { "func": "int generic_permission(struct inode *inode, int mask)\n{\n\tint ret;\n\n\t/*\n\t * Do the basic permission checks.\n\t */\n\tret = acl_permission_check(inode, mask);\n\tif (ret != -EACCES)\n\t\treturn ret;\n\n\tif (S_ISDIR(inode->i_mode)) {\n\t\t/* DACs are overridable for directories */\n\t\tif (!(mask & MAY_WRITE))\n\t\t\tif (capable_wrt_inode_uidgid(inode,\n\t\t\t\t\t\t CAP_DAC_READ_SEARCH))\n\t\t\t\treturn 0;\n\t\tif (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\t\treturn -EACCES;\n\t}\n\n\t/*\n\t * Searching includes executable on directories, else just read.\n\t */\n\tmask &= MAY_READ | MAY_WRITE | MAY_EXEC;\n\tif (mask == MAY_READ)\n\t\tif (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))\n\t\t\treturn 
0;\n\t/*\n\t * Read/write DACs are always overridable.\n\t * Executable DACs are overridable when there is\n\t * at least one exec bit set.\n\t */\n\tif (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))\n\t\tif (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\n\treturn -EACCES;\n}", "project": "linux", "hash": 78636070323607103115427694228581779335, "size": 40, "commit_id": "d0cb50185ae942b03c4327be322055d622dc79f6", "message": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late\n\nmay_create_in_sticky() call is done when we already have dropped the\nreference to dir.\n\nFixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 295363 }, { "func": "static int sca_can_add_vcpu(struct kvm *kvm, unsigned int id)\n{\n\tint rc;\n\n\tif (!kvm_s390_use_sca_entries()) {\n\t\tif (id < KVM_MAX_VCPUS)\n\t\t\treturn true;\n\t\treturn false;\n\t}\n\tif (id < KVM_S390_BSCA_CPU_SLOTS)\n\t\treturn true;\n\tif (!sclp.has_esca || !sclp.has_64bscao)\n\t\treturn false;\n\n\tmutex_lock(&kvm->lock);\n\trc = kvm->arch.use_esca ? 
0 : sca_switch_to_extended(kvm);\n\tmutex_unlock(&kvm->lock);\n\n\treturn rc == 0 && id < KVM_S390_ESCA_CPU_SLOTS;\n}", "project": "linux", "hash": 13856027220389500927116800995660839449, "size": 20, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354632 }, { "func": "static int vcf_parse_filter(kstring_t *str, const bcf_hdr_t *h, bcf1_t *v, char *p, char *q) {\n int i, n_flt = 1, max_n_flt = 0;\n char *r, *t;\n int32_t *a_flt = NULL;\n ks_tokaux_t aux1;\n khint_t k;\n vdict_t *d = (vdict_t*)h->dict[BCF_DT_ID];\n // count the number of filters\n if (*(q-1) == ';') *(q-1) = 0;\n for (r = p; *r; ++r)\n if (*r == ';') ++n_flt;\n if (n_flt > max_n_flt) {\n a_flt = malloc(n_flt * sizeof(*a_flt));\n if (!a_flt) {\n hts_log_error(\"Could not allocate memory at %s:%\"PRIhts_pos, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_LIMITS; // No appropriate code?\n return -1;\n }\n max_n_flt = n_flt;\n }\n // add filters\n for (t = kstrtok(p, \";\", &aux1), i = 0; t; t = kstrtok(0, 0, &aux1)) {\n *(char*)aux1.p = 0;\n k = kh_get(vdict, d, t);\n if (k == kh_end(d))\n {\n // Simple error recovery for FILTERs not defined in the header. 
It will not help when VCF header has\n // been already printed, but will enable tools like vcfcheck to proceed.\n hts_log_warning(\"FILTER '%s' is not defined in the header\", t);\n kstring_t tmp = {0,0,0};\n int l;\n ksprintf(&tmp, \"##FILTER=\", t);\n bcf_hrec_t *hrec = bcf_hdr_parse_line(h,tmp.s,&l);\n free(tmp.s);\n int res = hrec ? bcf_hdr_add_hrec((bcf_hdr_t*)h, hrec) : -1;\n if (res < 0) bcf_hrec_destroy(hrec);\n if (res > 0) res = bcf_hdr_sync((bcf_hdr_t*)h);\n k = kh_get(vdict, d, t);\n v->errcode |= BCF_ERR_TAG_UNDEF;\n if (res || k == kh_end(d)) {\n hts_log_error(\"Could not add dummy header for FILTER '%s' at %s:%\"PRIhts_pos, t, bcf_seqname_safe(h,v), v->pos+1);\n v->errcode |= BCF_ERR_TAG_INVALID;\n free(a_flt);\n return -1;\n }\n }\n a_flt[i++] = kh_val(d, k).id;\n }\n\n bcf_enc_vint(str, n_flt, a_flt, -1);\n free(a_flt);\n\n return 0;\n}", "project": "htslib", "hash": 114400645781186860228412482571330887416, "size": 54, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402205 }, { "func": "TfLiteStatus EvalHybridDense(\n TfLiteContext* context, TfLiteNode* node,\n TfLiteFullyConnectedParams* params, OpData* data, const TfLiteTensor* input,\n const TfLiteTensor* filter, const TfLiteTensor* bias,\n TfLiteTensor* input_quantized, TfLiteTensor* scaling_factors,\n TfLiteTensor* accum_scratch, TfLiteTensor* row_sums,\n TfLiteTensor* input_offsets, TfLiteTensor* output) {\n int total_input_size = 1;\n for (int i = 0; i < input->dims->size; i++) {\n total_input_size *= input->dims->data[i];\n }\n\n const int input_size = filter->dims->data[1];\n const int batch_size = total_input_size / filter->dims->data[1];\n const int num_units = filter->dims->data[0];\n\n // Output = bias if bias tensor exists.\n if (bias) {\n tensor_utils::VectorBatchVectorAssign(GetTensorData(bias), num_units,\n batch_size,\n GetTensorData(output));\n } else {\n std::fill_n(GetTensorData(output), batch_size * num_units, 0.0f);\n }\n\n // Save matrix multiplication computation for all zero input.\n if (tensor_utils::IsZeroVector(GetTensorData(input),\n total_input_size)) {\n tensor_utils::ApplyActivationToVector(\n GetTensorData(output), batch_size * num_units,\n params->activation, GetTensorData(output));\n return kTfLiteOk;\n }\n\n // Quantize input from float to uint8 + quantization params (scaling factor).\n float* scaling_factors_ptr = GetTensorData(scaling_factors);\n int32_t* input_offset_ptr = nullptr;\n int32_t* row_sums_ptr = nullptr;\n if (params->asymmetric_quantize_inputs) {\n input_offset_ptr = GetTensorData(input_offsets);\n row_sums_ptr = GetTensorData(row_sums);\n }\n int8_t* quant_data = GetTensorData(input_quantized);\n const int8_t* filter_data = 
GetTensorData(filter);\n const float* input_ptr = GetTensorData(input);\n tensor_utils::BatchQuantizeFloats(\n input_ptr, batch_size, input_size, quant_data, scaling_factors_ptr,\n input_offset_ptr, params->asymmetric_quantize_inputs);\n for (int b = 0; b < batch_size; ++b) {\n // Incorporate scaling of the filter.\n scaling_factors_ptr[b] *= filter->params.scale;\n }\n\n // Compute output += weight * quantized_input\n int32_t* scratch = GetTensorData(accum_scratch);\n tensor_utils::MatrixBatchVectorMultiplyAccumulate(\n filter_data, num_units, input_size, quant_data, scaling_factors_ptr,\n batch_size, GetTensorData(output), /*per_channel_scale=*/nullptr,\n input_offset_ptr, scratch, row_sums_ptr, &data->compute_row_sums,\n CpuBackendContext::GetFromContext(context));\n\n // Apply activation function to floats.\n tensor_utils::ApplyActivationToVector(\n GetTensorData(output), batch_size * num_units, params->activation,\n GetTensorData(output));\n return kTfLiteOk;\n}", "project": "tensorflow", "hash": 292719402800913833048825724699806336235, "size": 67, "commit_id": "6c0b2b70eeee588591680f5b7d5d38175fd7cdf6", "message": "[lite] add validation check for sparse fully connected\n\nPiperOrigin-RevId: 417629354\nChange-Id: If96171c4bd4f5fdb01d6368d6deab19d1c9beca7", "target": 0, "dataset": "other", "idx": 220481 }, { "func": "static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)\n{\n\tstruct nftables_pernet *nft_net;\n\tstruct sk_buff *skb;\n\tint err;\n\n\tif (!ctx->report &&\n\t !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))\n\t\treturn;\n\n\tskb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);\n\tif (skb == NULL)\n\t\tgoto err;\n\n\terr = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,\n\t\t\t\t\tevent, 0, ctx->family, ctx->table,\n\t\t\t\t\tctx->chain);\n\tif (err < 0) {\n\t\tkfree_skb(skb);\n\t\tgoto err;\n\t}\n\n\tnft_net = nft_pernet(ctx->net);\n\tnft_notify_enqueue(skb, ctx->report, 
&nft_net->notify_list);\n\treturn;\nerr:\n\tnfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);\n}", "project": "linux", "hash": 218656669340816769029389203375913230346, "size": 28, "commit_id": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "message": "netfilter: nf_tables: initialize set before expression setup\n\nnft_set_elem_expr_alloc() needs an initialized set if expression sets on\nthe NFT_EXPR_GC flag. Move set fields initialization before expression\nsetup.\n\n[4512935.019450] ==================================================================\n[4512935.019456] BUG: KASAN: null-ptr-deref in nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019487] Read of size 8 at addr 0000000000000070 by task nft/23532\n[4512935.019494] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48\n[...]\n[4512935.019502] Call Trace:\n[4512935.019505] dump_stack+0x89/0xb4\n[4512935.019512] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019536] ? nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019560] kasan_report.cold.12+0x5f/0xd8\n[4512935.019566] ? 
nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019590] nft_set_elem_expr_alloc+0x84/0xd0 [nf_tables]\n[4512935.019615] nf_tables_newset+0xc7f/0x1460 [nf_tables]\n\nReported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com\nFixes: 65038428b2c6 (\"netfilter: nf_tables: allow to specify stateful expression in set definition\")\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 328387 }, { "func": "\nstatic int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,\n\t\t const struct io_uring_sqe *sqe)\n{\n\tstruct io_submit_state *state;\n\tunsigned int sqe_flags;\n\tint personality, ret = 0;\n\n\treq->opcode = READ_ONCE(sqe->opcode);\n\t/* same numerical values with corresponding REQ_F_*, safe to copy */\n\treq->flags = sqe_flags = READ_ONCE(sqe->flags);\n\treq->user_data = READ_ONCE(sqe->user_data);\n\treq->async_data = NULL;\n\treq->file = NULL;\n\treq->ctx = ctx;\n\treq->link = NULL;\n\treq->fixed_rsrc_refs = NULL;\n\t/* one is dropped after submission, the other at completion */\n\tatomic_set(&req->refs, 2);\n\treq->task = current;\n\treq->result = 0;\n\treq->work.creds = NULL;\n\n\t/* enforce forwards compatibility on users */\n\tif (unlikely(sqe_flags & ~SQE_VALID_FLAGS))\n\t\treturn -EINVAL;\n\tif (unlikely(req->opcode >= IORING_OP_LAST))\n\t\treturn -EINVAL;\n\tif (unlikely(!io_check_restriction(ctx, req, sqe_flags)))\n\t\treturn -EACCES;\n\n\tif ((sqe_flags & IOSQE_BUFFER_SELECT) &&\n\t !io_op_defs[req->opcode].buffer_select)\n\t\treturn -EOPNOTSUPP;\n\n\tpersonality = READ_ONCE(sqe->personality);\n\tif (personality) {\n\t\treq->work.creds = xa_load(&ctx->personalities, personality);\n\t\tif (!req->work.creds)\n\t\t\treturn -EINVAL;\n\t\tget_cred(req->work.creds);\n\t}\n\tstate = &ctx->submit_state;\n\n\t/*\n\t * Plug now if we have more than 1 IO left after this, and the target\n\t * is potentially a read/write to block based storage.\n\t */\n\tif (!state->plug_started && state->ios_left > 1 &&\n\t 
io_op_defs[req->opcode].plug) {\n\t\tblk_start_plug(&state->plug);\n\t\tstate->plug_started = true;\n\t}\n\n\tif (io_op_defs[req->opcode].needs_file) {\n\t\tbool fixed = req->flags & REQ_F_FIXED_FILE;\n\n\t\treq->file = io_file_get(state, req, READ_ONCE(sqe->fd), fixed);\n\t\tif (unlikely(!req->file))\n\t\t\tret = -EBADF;\n\t}\n\n\tstate->ios_left--;\n\treturn ret;", "project": "linux", "hash": 222377651744687445558048163424957460248, "size": 64, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338652 }, { "func": "static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,\n\t\t const struct io_uring_sqe *sqe,\n\t\t struct io_submit_state *state)\n{\n\tunsigned int sqe_flags;\n\tint id;\n\n\treq->opcode = READ_ONCE(sqe->opcode);\n\treq->user_data = READ_ONCE(sqe->user_data);\n\treq->io = NULL;\n\treq->file = NULL;\n\treq->ctx = ctx;\n\treq->flags = 0;\n\t/* one is dropped after submission, the other at completion */\n\trefcount_set(&req->refs, 2);\n\treq->task = current;\n\treq->result = 0;\n\n\tif (unlikely(req->opcode >= IORING_OP_LAST))\n\t\treturn -EINVAL;\n\n\tif (unlikely(io_sq_thread_acquire_mm(ctx, req)))\n\t\treturn -EFAULT;\n\n\tsqe_flags = READ_ONCE(sqe->flags);\n\t/* enforce forwards 
compatibility on users */\n\tif (unlikely(sqe_flags & ~SQE_VALID_FLAGS))\n\t\treturn -EINVAL;\n\n\tif ((sqe_flags & IOSQE_BUFFER_SELECT) &&\n\t !io_op_defs[req->opcode].buffer_select)\n\t\treturn -EOPNOTSUPP;\n\n\tid = READ_ONCE(sqe->personality);\n\tif (id) {\n\t\tio_req_init_async(req);\n\t\treq->work.creds = idr_find(&ctx->personality_idr, id);\n\t\tif (unlikely(!req->work.creds))\n\t\t\treturn -EINVAL;\n\t\tget_cred(req->work.creds);\n\t}\n\n\t/* same numerical values with corresponding REQ_F_*, safe to copy */\n\treq->flags |= sqe_flags;\n\n\tif (!io_op_defs[req->opcode].needs_file)\n\t\treturn 0;\n\n\treturn io_req_set_file(state, req, READ_ONCE(sqe->fd));\n}", "project": "linux", "hash": 3892921087710525929147041655694693966, "size": 50, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456908 }, { "func": "\nstatic int __io_sqe_buffers_update(struct io_ring_ctx *ctx,\n\t\t\t\t struct io_uring_rsrc_update2 *up,\n\t\t\t\t unsigned int nr_args)\n{\n\tu64 __user *tags = u64_to_user_ptr(up->tags);\n\tstruct iovec iov, __user *iovs = u64_to_user_ptr(up->data);\n\tstruct page *last_hpage = NULL;\n\tbool needs_switch = false;\n\t__u32 done;\n\tint i, err;\n\n\tif (!ctx->buf_data)\n\t\treturn -ENXIO;\n\tif (up->offset + nr_args > ctx->nr_user_bufs)\n\t\treturn -EINVAL;\n\n\tfor (done = 0; done < nr_args; done++) {\n\t\tstruct io_mapped_ubuf *imu;\n\t\tint offset = up->offset + 
done;\n\t\tu64 tag = 0;\n\n\t\terr = io_copy_iov(ctx, &iov, iovs, done);\n\t\tif (err)\n\t\t\tbreak;\n\t\tif (tags && copy_from_user(&tag, &tags[done], sizeof(tag))) {\n\t\t\terr = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\terr = io_buffer_validate(&iov);\n\t\tif (err)\n\t\t\tbreak;\n\t\tif (!iov.iov_base && tag) {\n\t\t\terr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\t\terr = io_sqe_buffer_register(ctx, &iov, &imu, &last_hpage);\n\t\tif (err)\n\t\t\tbreak;\n\n\t\ti = array_index_nospec(offset, ctx->nr_user_bufs);\n\t\tif (ctx->user_bufs[i] != ctx->dummy_ubuf) {\n\t\t\terr = io_queue_rsrc_removal(ctx->buf_data, offset,\n\t\t\t\t\t\t ctx->rsrc_node, ctx->user_bufs[i]);\n\t\t\tif (unlikely(err)) {\n\t\t\t\tio_buffer_unmap(ctx, &imu);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tctx->user_bufs[i] = NULL;\n\t\t\tneeds_switch = true;\n\t\t}\n\n\t\tctx->user_bufs[i] = imu;\n\t\tctx->buf_data->tags[offset] = tag;\n\t}\n\n\tif (needs_switch)\n\t\tio_rsrc_node_switch(ctx, ctx->buf_data);\n\treturn done ? done : err;", "project": "linux", "hash": 189930561718581859165090252352005115032, "size": 59, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338636 }, { "func": "static OPJ_BOOL opj_j2k_compare_qcc(opj_j2k_t *p_j2k,\n OPJ_UINT32 p_first_comp_no, OPJ_UINT32 p_second_comp_no)\n{\n return opj_j2k_compare_SQcd_SQcc(p_j2k, p_j2k->m_current_tile_number,\n p_first_comp_no, p_second_comp_no);\n}", "project": "openjpeg", "hash": 285025982408989449747230303336928240545, "size": 6, "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296", "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)", "target": 0, "dataset": "other", "idx": 357284 }, { "func": "static int copy_string(struct archive_read* a, int len, int dist) {\n\tstruct rar5* rar = get_context(a);\n\tconst uint64_t cmask = rar->cstate.window_mask;\n\tconst uint64_t write_ptr = rar->cstate.write_ptr +\n\t rar->cstate.solid_offset;\n\tint i;\n\n\tif (rar->cstate.window_buf == NULL)\n\t\treturn ARCHIVE_FATAL;\n\n\t/* The unpacker spends most of the time in this function. It would be\n\t * a good idea to introduce some optimizations here.\n\t *\n\t * Just remember that this loop treats buffers that overlap differently\n\t * than buffers that do not overlap. This is why a simple memcpy(3)\n\t * call will not be enough. 
*/\n\n\tfor(i = 0; i < len; i++) {\n\t\tconst ssize_t write_idx = (write_ptr + i) & cmask;\n\t\tconst ssize_t read_idx = (write_ptr + i - dist) & cmask;\n\t\trar->cstate.window_buf[write_idx] =\n\t\t rar->cstate.window_buf[read_idx];\n\t}\n\n\trar->cstate.write_ptr += len;\n\treturn ARCHIVE_OK;\n}", "project": "libarchive", "hash": 63208947997904701901146073678943439616, "size": 27, "commit_id": "94821008d6eea81e315c5881cdf739202961040a", "message": "RAR5 reader: reject files that declare invalid header flags\n\nOne of the fields in RAR5's base block structure is the size of the\nheader. Some invalid files declare a 0 header size setting, which can\nconfuse the unpacker. Minimum header size for RAR5 base blocks is 7\nbytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0\nbytes should be rejected at header parsing stage.\n\nThe fix adds an error condition if header size of 0 bytes is detected.\nIn this case, the unpacker will not attempt to unpack the file, as the\nheader is corrupted.\n\nThe commit also adds OSSFuzz #20459 sample to test further regressions\nin this area.", "target": 0, "dataset": "other", "idx": 244728 }, { "func": "static void ov519_configure(struct sd *sd)\n{\n\tstatic const struct ov_regvals init_519[] = {\n\t\t{ 0x5a, 0x6d }, /* EnableSystem */\n\t\t{ 0x53, 0x9b }, /* don't enable the microcontroller */\n\t\t{ OV519_R54_EN_CLK1, 0xff }, /* set bit2 to enable jpeg */\n\t\t{ 0x5d, 0x03 },\n\t\t{ 0x49, 0x01 },\n\t\t{ 0x48, 0x00 },\n\t\t/* Set LED pin to output mode. Bit 4 must be cleared or sensor\n\t\t * detection will fail. This deserves further investigation. 
*/\n\t\t{ OV519_GPIO_IO_CTRL0, 0xee },\n\t\t{ OV519_R51_RESET1, 0x0f },\n\t\t{ OV519_R51_RESET1, 0x00 },\n\t\t{ 0x22, 0x00 },\n\t\t/* windows reads 0x55 at this point*/\n\t};\n\n\twrite_regvals(sd, init_519, ARRAY_SIZE(init_519));\n}", "project": "linux", "hash": 210698933882776491961127639506956694875, "size": 20, "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30", "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable # 2.6.31\nCc: Hans de Goede \nSigned-off-by: Johan Hovold \nSigned-off-by: Hans Verkuil \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 306314 }, { "func": "static int io_req_defer_prep(struct io_kiocb *req,\n\t\t\t const struct io_uring_sqe *sqe)\n{\n\tssize_t ret = 0;\n\n\tif (!sqe)\n\t\treturn 0;\n\n\tif (io_alloc_async_ctx(req))\n\t\treturn -EAGAIN;\n\tret = io_prep_work_files(req);\n\tif (unlikely(ret))\n\t\treturn ret;\n\n\tswitch (req->opcode) {\n\tcase IORING_OP_NOP:\n\t\tbreak;\n\tcase IORING_OP_READV:\n\tcase IORING_OP_READ_FIXED:\n\tcase IORING_OP_READ:\n\t\tret = io_read_prep(req, sqe, true);\n\t\tbreak;\n\tcase IORING_OP_WRITEV:\n\tcase IORING_OP_WRITE_FIXED:\n\tcase IORING_OP_WRITE:\n\t\tret = io_write_prep(req, sqe, true);\n\t\tbreak;\n\tcase IORING_OP_POLL_ADD:\n\t\tret = io_poll_add_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_POLL_REMOVE:\n\t\tret = io_poll_remove_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_FSYNC:\n\t\tret = io_prep_fsync(req, sqe);\n\t\tbreak;\n\tcase 
IORING_OP_SYNC_FILE_RANGE:\n\t\tret = io_prep_sfr(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_SENDMSG:\n\tcase IORING_OP_SEND:\n\t\tret = io_sendmsg_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_RECVMSG:\n\tcase IORING_OP_RECV:\n\t\tret = io_recvmsg_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_CONNECT:\n\t\tret = io_connect_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_TIMEOUT:\n\t\tret = io_timeout_prep(req, sqe, false);\n\t\tbreak;\n\tcase IORING_OP_TIMEOUT_REMOVE:\n\t\tret = io_timeout_remove_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_ASYNC_CANCEL:\n\t\tret = io_async_cancel_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_LINK_TIMEOUT:\n\t\tret = io_timeout_prep(req, sqe, true);\n\t\tbreak;\n\tcase IORING_OP_ACCEPT:\n\t\tret = io_accept_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_FALLOCATE:\n\t\tret = io_fallocate_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_OPENAT:\n\t\tret = io_openat_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_CLOSE:\n\t\tret = io_close_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_FILES_UPDATE:\n\t\tret = io_files_update_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_STATX:\n\t\tret = io_statx_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_FADVISE:\n\t\tret = io_fadvise_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_MADVISE:\n\t\tret = io_madvise_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_OPENAT2:\n\t\tret = io_openat2_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_EPOLL_CTL:\n\t\tret = io_epoll_ctl_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_SPLICE:\n\t\tret = io_splice_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_PROVIDE_BUFFERS:\n\t\tret = io_provide_buffers_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_REMOVE_BUFFERS:\n\t\tret = io_remove_buffers_prep(req, sqe);\n\t\tbreak;\n\tcase IORING_OP_TEE:\n\t\tret = io_tee_prep(req, sqe);\n\t\tbreak;\n\tdefault:\n\t\tprintk_once(KERN_WARNING \"io_uring: unhandled opcode %d\\n\",\n\t\t\t\treq->opcode);\n\t\tret = -EINVAL;\n\t\tbreak;\n\t}\n\n\treturn ret;\n}", "project": "linux", "hash": 
45885003353673501002864433489593867659, "size": 113, "commit_id": "6d816e088c359866f9867057e04f244c608c42fe", "message": "io_uring: hold 'ctx' reference around task_work queue + execute\n\nWe're holding the request reference, but we need to go one higher\nto ensure that the ctx remains valid after the request has finished.\nIf the ring is closed with pending task_work inflight, and the\ngiven io_kiocb finishes sync during issue, then we need a reference\nto the ring itself around the task_work execution cycle.\n\nCc: stable@vger.kernel.org # v5.7+\nReported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 456939 }, { "func": "static inline int tcp_may_update_window(const struct tcp_sock *tp,\n\t\t\t\t\tconst u32 ack, const u32 ack_seq,\n\t\t\t\t\tconst u32 nwin)\n{\n\treturn\tafter(ack, tp->snd_una) ||\n\t\tafter(ack_seq, tp->snd_wl1) ||\n\t\t(ack_seq == tp->snd_wl1 && nwin > tp->snd_wnd);\n}", "project": "net-next", "hash": 40421755716085877590586488921115504551, "size": 8, "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko \nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 409933 }, { "func": "static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t thread_id) {\n FILE *out = results_file ? 
results_file : stdout;\n u_int8_t known_tls;\n char buf[32], buf1[64];\n u_int i;\n\n double dos_ge_score;\n double dos_slow_score;\n double dos_hulk_score;\n double ddos_score;\n\n double hearthbleed_score;\n\n double ftp_patator_score;\n double ssh_patator_score;\n\n double inf_score;\n\n if(csv_fp != NULL) {\n float data_ratio = ndpi_data_ratio(flow->src2dst_bytes, flow->dst2src_bytes);\n double f = (double)flow->first_seen, l = (double)flow->last_seen;\n\n /* PLEASE KEEP IN SYNC WITH printCSVHeader() */\n dos_ge_score = Dos_goldeneye_score(flow);\n \n dos_slow_score = Dos_slow_score(flow);\n dos_hulk_score = Dos_hulk_score(flow);\n ddos_score = Ddos_score(flow);\n\n hearthbleed_score = Hearthbleed_score(flow);\n\n ftp_patator_score = Ftp_patator_score(flow);\n ssh_patator_score = Ssh_patator_score(flow);\n\n inf_score = Infiltration_score(flow);\n \n double benign_score = dos_ge_score < 1 && dos_slow_score < 1 && \\\n dos_hulk_score < 1 && ddos_score < 1 && hearthbleed_score < 1 && \\\n ftp_patator_score < 1 && ssh_patator_score < 1 && inf_score < 1 ? 
1.1 : 0;\n\n fprintf(csv_fp, \"%u,%u,%.3f,%.3f,%.3f,%s,%u,%s,%u,\",\n\t flow->flow_id,\n\t flow->protocol,\n\t f/1000.0, l/1000.0,\n\t (l-f)/1000.0,\n\t flow->src_name, ntohs(flow->src_port),\n\t flow->dst_name, ntohs(flow->dst_port)\n\t );\n\n fprintf(csv_fp, \"%s,\",\n\t ndpi_protocol2id(ndpi_thread_info[thread_id].workflow->ndpi_struct,\n\t\t\t flow->detected_protocol, buf, sizeof(buf)));\n\n fprintf(csv_fp, \"%s,%s,\",\n\t ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct,\n\t\t\t flow->detected_protocol, buf, sizeof(buf)),\n\t flow->host_server_name);\n \n fprintf(csv_fp, \"%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,\", \\\n\t benign_score, dos_slow_score, dos_ge_score, dos_hulk_score, \\\n\t ddos_score, hearthbleed_score, ftp_patator_score,\t\t\\\n\t ssh_patator_score, inf_score);\n \n fprintf(csv_fp, \"%u,%llu,%llu,\", flow->src2dst_packets,\n\t (long long unsigned int) flow->src2dst_bytes, (long long unsigned int) flow->src2dst_goodput_bytes);\n fprintf(csv_fp, \"%u,%llu,%llu,\", flow->dst2src_packets,\n\t (long long unsigned int) flow->dst2src_bytes, (long long unsigned int) flow->dst2src_goodput_bytes);\n fprintf(csv_fp, \"%.3f,%s,\", data_ratio, ndpi_data_ratio2str(data_ratio));\n fprintf(csv_fp, \"%.1f,%.1f,\", 100.0*((float)flow->src2dst_goodput_bytes / (float)(flow->src2dst_bytes+1)),\n\t 100.0*((float)flow->dst2src_goodput_bytes / (float)(flow->dst2src_bytes+1)));\n \n /* IAT (Inter Arrival Time) */\n fprintf(csv_fp, \"%u,%.1f,%u,%.1f,\",\n\t ndpi_data_min(flow->iat_flow), ndpi_data_average(flow->iat_flow), ndpi_data_max(flow->iat_flow), ndpi_data_stddev(flow->iat_flow));\n\n fprintf(csv_fp, \"%u,%.1f,%u,%.1f,%u,%.1f,%u,%.1f,\",\n\t ndpi_data_min(flow->iat_c_to_s), ndpi_data_average(flow->iat_c_to_s), ndpi_data_max(flow->iat_c_to_s), ndpi_data_stddev(flow->iat_c_to_s),\n\t ndpi_data_min(flow->iat_s_to_c), ndpi_data_average(flow->iat_s_to_c), ndpi_data_max(flow->iat_s_to_c), ndpi_data_stddev(flow->iat_s_to_c));\n\n /* 
Packet Length */\n fprintf(csv_fp, \"%u,%.1f,%u,%.1f,%u,%.1f,%u,%.1f,\",\n\t ndpi_data_min(flow->pktlen_c_to_s), ndpi_data_average(flow->pktlen_c_to_s), ndpi_data_max(flow->pktlen_c_to_s), ndpi_data_stddev(flow->pktlen_c_to_s),\n\t ndpi_data_min(flow->pktlen_s_to_c), ndpi_data_average(flow->pktlen_s_to_c), ndpi_data_max(flow->pktlen_s_to_c), ndpi_data_stddev(flow->pktlen_s_to_c));\n\n /* TCP flags */\n fprintf(csv_fp, \"%d,%d,%d,%d,%d,%d,%d,%d,\", flow->cwr_count, flow->ece_count, flow->urg_count, flow->ack_count, flow->psh_count, flow->rst_count, flow->syn_count, flow->fin_count);\n\n fprintf(csv_fp, \"%d,%d,%d,%d,%d,%d,%d,%d,\", flow->src2dst_cwr_count, flow->src2dst_ece_count, flow->src2dst_urg_count, flow->src2dst_ack_count, flow->src2dst_psh_count, flow->src2dst_rst_count, flow->src2dst_syn_count, flow->src2dst_fin_count);\n\n fprintf(csv_fp, \"%d,%d,%d,%d,%d,%d,%d,%d,\", flow->dst2src_cwr_count, flow->ece_count, flow->urg_count, flow->ack_count, flow->psh_count, flow->rst_count, flow->syn_count, flow->fin_count);\n\n /* TCP window */\n fprintf(csv_fp, \"%u,%u,\", flow->c_to_s_init_win, flow->s_to_c_init_win);\n\n fprintf(csv_fp, \"%s,%s,\",\n\t (flow->ssh_tls.client_requested_server_name[0] != '\\0') ? flow->ssh_tls.client_requested_server_name : \"\",\n\t (flow->ssh_tls.server_info[0] != '\\0') ? flow->ssh_tls.server_info : \"\");\n\n fprintf(csv_fp, \"%s,%s,%s,%s,%s,\",\n\t (flow->ssh_tls.ssl_version != 0) ? ndpi_ssl_version2str(flow->ssh_tls.ssl_version, &known_tls) : \"0\",\n\t (flow->ssh_tls.ja3_client[0] != '\\0') ? flow->ssh_tls.ja3_client : \"\",\n\t (flow->ssh_tls.ja3_client[0] != '\\0') ? is_unsafe_cipher(flow->ssh_tls.client_unsafe_cipher) : \"0\",\n\t (flow->ssh_tls.ja3_server[0] != '\\0') ? flow->ssh_tls.ja3_server : \"\",\n\t (flow->ssh_tls.ja3_server[0] != '\\0') ? is_unsafe_cipher(flow->ssh_tls.server_unsafe_cipher) : \"0\");\n \n fprintf(csv_fp, \"%s,%s,\",\n\t flow->ssh_tls.tls_alpn ? 
flow->ssh_tls.tls_alpn : \"\",\n\t flow->ssh_tls.tls_supported_versions ? flow->ssh_tls.tls_supported_versions : \"\" \n\t );\n fprintf(csv_fp, \"%s,%s,\",\n\t flow->ssh_tls.tls_issuerDN ? flow->ssh_tls.tls_issuerDN : \"\",\n\t flow->ssh_tls.tls_subjectDN ? flow->ssh_tls.tls_subjectDN : \"\" \n\t );\n fprintf(csv_fp, \"%s,%s\",\n\t (flow->ssh_tls.client_hassh[0] != '\\0') ? flow->ssh_tls.client_hassh : \"\",\n\t (flow->ssh_tls.server_hassh[0] != '\\0') ? flow->ssh_tls.server_hassh : \"\"\n\t );\n\n fprintf(csv_fp, \",%s\", flow->info);\n }\n\n if((verbose != 1) && (verbose != 2)) {\n if(csv_fp && enable_joy_stats) {\n flowGetBDMeanandVariance(flow);\n }\n\n if(csv_fp)\n fprintf(csv_fp, \"\\n\");\n return;\n }\n\n if(csv_fp || (verbose > 1)) {\n#if 1\n fprintf(out, \"\\t%u\", id);\n#else\n fprintf(out, \"\\t%u(%u)\", id, flow->flow_id);\n#endif\n\n fprintf(out, \"\\t%s \", ipProto2Name(flow->protocol));\n\n fprintf(out, \"%s%s%s:%u %s %s%s%s:%u \",\n\t (flow->ip_version == 6) ? \"[\" : \"\",\n\t flow->src_name, (flow->ip_version == 6) ? \"]\" : \"\", ntohs(flow->src_port),\n\t flow->bidirectional ? \"<->\" : \"->\",\n\t (flow->ip_version == 6) ? \"[\" : \"\",\n\t flow->dst_name, (flow->ip_version == 6) ? \"]\" : \"\", ntohs(flow->dst_port)\n\t );\n\n if(flow->vlan_id > 0) fprintf(out, \"[VLAN: %u]\", flow->vlan_id);\n if(enable_payload_analyzer) fprintf(out, \"[flowId: %u]\", flow->flow_id);\n }\n \n if(enable_joy_stats) {\n /* Print entropy values for monitored flows. 
*/\n flowGetBDMeanandVariance(flow);\n fflush(out);\n fprintf(out, \"[score: %.4f]\", flow->entropy.score);\n }\n\t\n if(csv_fp) fprintf(csv_fp, \"\\n\");\n \n fprintf(out, \"[proto: \");\n if(flow->tunnel_type != ndpi_no_tunnel)\n fprintf(out, \"%s:\", ndpi_tunnel2str(flow->tunnel_type));\n\n fprintf(out, \"%s/%s]\",\n\t ndpi_protocol2id(ndpi_thread_info[thread_id].workflow->ndpi_struct,\n\t\t\t flow->detected_protocol, buf, sizeof(buf)),\n\t ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct,\n\t\t\t flow->detected_protocol, buf1, sizeof(buf1)));\n\n if(flow->detected_protocol.category != 0)\n fprintf(out, \"[cat: %s/%u]\",\n\t ndpi_category_get_name(ndpi_thread_info[thread_id].workflow->ndpi_struct,\n\t\t\t\t flow->detected_protocol.category),\n\t (unsigned int)flow->detected_protocol.category);\n\n fprintf(out, \"[%u pkts/%llu bytes \", flow->src2dst_packets, (long long unsigned int) flow->src2dst_bytes);\n fprintf(out, \"%s %u pkts/%llu bytes]\",\n\t (flow->dst2src_packets > 0) ? 
\"<->\" : \"->\",\n\t flow->dst2src_packets, (long long unsigned int) flow->dst2src_bytes);\n\n fprintf(out, \"[Goodput ratio: %.0f/%.0f]\",\n\t 100.0*((float)flow->src2dst_goodput_bytes / (float)(flow->src2dst_bytes+1)),\n\t 100.0*((float)flow->dst2src_goodput_bytes / (float)(flow->dst2src_bytes+1)));\n\n if(flow->last_seen > flow->first_seen)\n fprintf(out, \"[%.2f sec]\", ((float)(flow->last_seen - flow->first_seen))/(float)1000);\n else\n fprintf(out, \"[< 1 sec]\");\n\n if(flow->telnet.username[0] != '\\0') fprintf(out, \"[Username: %s]\", flow->telnet.username);\n if(flow->telnet.password[0] != '\\0') fprintf(out, \"[Password: %s]\", flow->telnet.password);\n if(flow->host_server_name[0] != '\\0') fprintf(out, \"[Host: %s]\", flow->host_server_name);\n\n if(flow->info[0] != '\\0') fprintf(out, \"[%s]\", flow->info);\n if(flow->flow_extra_info[0] != '\\0') fprintf(out, \"[%s]\", flow->flow_extra_info);\n\n if((flow->src2dst_packets+flow->dst2src_packets) > 5) {\n if(flow->iat_c_to_s && flow->iat_s_to_c) {\n float data_ratio = ndpi_data_ratio(flow->src2dst_bytes, flow->dst2src_bytes);\n\n fprintf(out, \"[bytes ratio: %.3f (%s)]\", data_ratio, ndpi_data_ratio2str(data_ratio));\n\n /* IAT (Inter Arrival Time) */\n fprintf(out, \"[IAT c2s/s2c min/avg/max/stddev: %u/%u %.0f/%.0f %u/%u %.0f/%.0f]\",\n\t ndpi_data_min(flow->iat_c_to_s), ndpi_data_min(flow->iat_s_to_c),\n\t (float)ndpi_data_average(flow->iat_c_to_s), (float)ndpi_data_average(flow->iat_s_to_c),\n\t ndpi_data_max(flow->iat_c_to_s), ndpi_data_max(flow->iat_s_to_c),\n\t (float)ndpi_data_stddev(flow->iat_c_to_s), (float)ndpi_data_stddev(flow->iat_s_to_c));\n\n /* Packet Length */\n fprintf(out, \"[Pkt Len c2s/s2c min/avg/max/stddev: %u/%u %.0f/%.0f %u/%u %.0f/%.0f]\",\n\t ndpi_data_min(flow->pktlen_c_to_s), ndpi_data_min(flow->pktlen_s_to_c),\n\t ndpi_data_average(flow->pktlen_c_to_s), ndpi_data_average(flow->pktlen_s_to_c),\n\t ndpi_data_max(flow->pktlen_c_to_s), ndpi_data_max(flow->pktlen_s_to_c),\n\t 
ndpi_data_stddev(flow->pktlen_c_to_s), ndpi_data_stddev(flow->pktlen_s_to_c));\n }\n }\n\n if(flow->http.url[0] != '\\0') {\n ndpi_risk_enum risk = ndpi_validate_url(flow->http.url);\n\n if(risk != NDPI_NO_RISK)\n NDPI_SET_BIT(flow->risk, risk);\n \n fprintf(out, \"[URL: %s][StatusCode: %u]\",\n\t flow->http.url, flow->http.response_status_code);\n\n if(flow->http.content_type[0] != '\\0')\n fprintf(out, \"[Content-Type: %s]\", flow->http.content_type);\n\n if(flow->http.user_agent[0] != '\\0')\n fprintf(out, \"[User-Agent: %s]\", flow->http.user_agent);\n }\n\n if(flow->risk) {\n u_int i;\n \n fprintf(out, \"[Risk: \");\n\n for(i=0; irisk, i))\n\tfprintf(out, \"** %s **\", ndpi_risk2str(i));\n \n fprintf(out, \"]\");\n }\n \n if(flow->ssh_tls.ssl_version != 0) fprintf(out, \"[%s]\", ndpi_ssl_version2str(flow->ssh_tls.ssl_version, &known_tls));\n if(flow->ssh_tls.client_requested_server_name[0] != '\\0') fprintf(out, \"[Client: %s]\", flow->ssh_tls.client_requested_server_name);\n if(flow->ssh_tls.client_hassh[0] != '\\0') fprintf(out, \"[HASSH-C: %s]\", flow->ssh_tls.client_hassh);\n\n if(flow->ssh_tls.ja3_client[0] != '\\0') fprintf(out, \"[JA3C: %s%s]\", flow->ssh_tls.ja3_client,\n\t\t\t\t\t\t print_cipher(flow->ssh_tls.client_unsafe_cipher));\n\n if(flow->ssh_tls.server_info[0] != '\\0') fprintf(out, \"[Server: %s]\", flow->ssh_tls.server_info);\n\n if(flow->ssh_tls.server_names) fprintf(out, \"[ServerNames: %s]\", flow->ssh_tls.server_names);\n if(flow->ssh_tls.server_hassh[0] != '\\0') fprintf(out, \"[HASSH-S: %s]\", flow->ssh_tls.server_hassh);\n\n if(flow->ssh_tls.ja3_server[0] != '\\0') fprintf(out, \"[JA3S: %s%s]\", flow->ssh_tls.ja3_server,\n\t\t\t\t\t\t print_cipher(flow->ssh_tls.server_unsafe_cipher));\n\n if(flow->ssh_tls.tls_issuerDN) fprintf(out, \"[Issuer: %s]\", flow->ssh_tls.tls_issuerDN);\n if(flow->ssh_tls.tls_subjectDN) fprintf(out, \"[Subject: %s]\", flow->ssh_tls.tls_subjectDN);\n\n if((flow->detected_protocol.master_protocol == 
NDPI_PROTOCOL_TLS)\n || (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)) {\n if(flow->ssh_tls.sha1_cert_fingerprint_set) {\n fprintf(out, \"[Certificate SHA-1: \");\n for(i=0; i<20; i++)\n\tfprintf(out, \"%s%02X\", (i > 0) ? \":\" : \"\",\n\t\tflow->ssh_tls.sha1_cert_fingerprint[i] & 0xFF);\n fprintf(out, \"]\");\n }\n }\n\n if(flow->ssh_tls.notBefore && flow->ssh_tls.notAfter) {\n char notBefore[32], notAfter[32];\n struct tm a, b;\n struct tm *before = gmtime_r(&flow->ssh_tls.notBefore, &a);\n struct tm *after = gmtime_r(&flow->ssh_tls.notAfter, &b);\n\n strftime(notBefore, sizeof(notBefore), \"%F %T\", before);\n strftime(notAfter, sizeof(notAfter), \"%F %T\", after);\n\n fprintf(out, \"[Validity: %s - %s]\", notBefore, notAfter);\n }\n\n if(flow->ssh_tls.server_cipher != '\\0') fprintf(out, \"[Cipher: %s]\", ndpi_cipher2str(flow->ssh_tls.server_cipher));\n if(flow->bittorent_hash[0] != '\\0') fprintf(out, \"[BT Hash: %s]\", flow->bittorent_hash);\n if(flow->dhcp_fingerprint[0] != '\\0') fprintf(out, \"[DHCP Fingerprint: %s]\", flow->dhcp_fingerprint);\n\n if(flow->has_human_readeable_strings) fprintf(out, \"[PLAIN TEXT (%s)]\", flow->human_readeable_string_buffer);\n\n fprintf(out, \"\\n\");\n}", "project": "nDPI", "hash": 168268128840138250382065295573531258716, "size": 297, "commit_id": "b7e666e465f138ae48ab81976726e67deed12701", "message": "Added fix to avoid potential heap buffer overflow in H.323 dissector\nModified HTTP report information to make it closer to the HTTP field names", "target": 0, "dataset": "other", "idx": 254844 }, { "func": "static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)\n{\n\tstruct hci_cp_set_conn_encrypt *cp;\n\tstruct hci_conn *conn;\n\n\tBT_DBG(\"%s status 0x%2.2x\", hdev->name, status);\n\n\tif (!status)\n\t\treturn;\n\n\tcp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);\n\tif (!cp)\n\t\treturn;\n\n\thci_dev_lock(hdev);\n\n\tconn = hci_conn_hash_lookup_handle(hdev, 
__le16_to_cpu(cp->handle));\n\tif (conn) {\n\t\tif (conn->state == BT_CONFIG) {\n\t\t\thci_connect_cfm(conn, status);\n\t\t\thci_conn_drop(conn);\n\t\t}\n\t}\n\n\thci_dev_unlock(hdev);\n}", "project": "linux", "hash": 182343337981488470848682183805259834636, "size": 26, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431974 }, { "func": "static void ep_rbtree_insert(struct eventpoll *ep, struct epitem *epi)\n{\n\tint kcmp;\n\tstruct rb_node **p = &ep->rbr.rb_root.rb_node, *parent = NULL;\n\tstruct epitem *epic;\n\tbool leftmost = true;\n\n\twhile (*p) {\n\t\tparent = *p;\n\t\tepic = rb_entry(parent, struct epitem, rbn);\n\t\tkcmp = ep_cmp_ffd(&epi->ffd, &epic->ffd);\n\t\tif (kcmp > 0) {\n\t\t\tp = &parent->rb_right;\n\t\t\tleftmost = false;\n\t\t} else\n\t\t\tp = &parent->rb_left;\n\t}\n\trb_link_node(&epi->rbn, parent, p);\n\trb_insert_color_cached(&epi->rbn, &ep->rbr, leftmost);\n}", "project": "linux", "hash": 63641174315093975177153809830032902492, "size": 20, "commit_id": "52c479697c9b73f628140dcdfcd39ea302d05482", "message": "do_epoll_ctl(): clean the failure exits up a bit\n\nSigned-off-by: Al Viro ", "target": 0, "dataset": "other", "idx": 336245 }, { "func": "static void vhost_net_busy_poll_try_queue(struct vhost_net *net,\n\t\t\t\t\t struct vhost_virtqueue *vq)\n{\n\tif (!vhost_vq_avail_empty(&net->dev, vq)) 
{\n\t\tvhost_poll_queue(&vq->poll);\n\t} else if (unlikely(vhost_enable_notify(&net->dev, vq))) {\n\t\tvhost_disable_notify(&net->dev, vq);\n\t\tvhost_poll_queue(&vq->poll);\n\t}\n}", "project": "linux", "hash": 262922705719944998516598880619872886131, "size": 10, "commit_id": "42d84c8490f9f0931786f1623191fcab397c3d64", "message": "vhost: Check docket sk_family instead of call getname\n\nDoing so, we save one call to get data we already have in the struct.\n\nAlso, since there is no guarantee that getname use sockaddr_ll\nparameter beyond its size, we add a little bit of security here.\nIt should do not do beyond MAX_ADDR_LEN, but syzbot found that\nax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,\nversus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).\n\nFixes: 3a4d5c94e9593 (\"vhost_net: a kernel-level virtio server\")\nReported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com\nSigned-off-by: Eugenio Pérez \nAcked-by: Michael S. Tsirkin \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 441987 }, { "func": "static void buffer_verify(ssh_buffer buf)\n{\n bool do_abort = false;\n\n if (buf->data == NULL) {\n return;\n }\n\n if (buf->used > buf->allocated) {\n fprintf(stderr,\n \"BUFFER ERROR: allocated %zu, used %zu\\n\",\n buf->allocated,\n buf->used);\n do_abort = true;\n }\n if (buf->pos > buf->used) {\n fprintf(stderr,\n \"BUFFER ERROR: position %zu, used %zu\\n\",\n buf->pos,\n buf->used);\n do_abort = true;\n }\n if (buf->pos > buf->allocated) {\n fprintf(stderr,\n \"BUFFER ERROR: position %zu, allocated %zu\\n\",\n buf->pos,\n buf->allocated);\n do_abort = true;\n }\n if (do_abort) {\n abort();\n }\n}", "project": "libssh-mirror", "hash": 201596289800579978789901100003385038802, "size": 33, "commit_id": "10b3ebbe61a7031a3dae97f05834442220447181", "message": "buffer: Reformat ssh_buffer_add_data()\n\nSigned-off-by: Andreas Schneider \nReviewed-by: Anderson Toshiyuki Sasaki \nReviewed-by: Jakub Jelen ", "target": 0, "dataset": "other", "idx": 345154 }, { "func": "UnicodeString::padLeading(int32_t targetLength,\n UChar padChar)\n{\n int32_t oldLength = length();\n if(oldLength >= targetLength || !cloneArrayIfNeeded(targetLength)) {\n return FALSE;\n } else {\n // move contents up by padding width\n UChar *array = getArrayStart();\n int32_t start = targetLength - oldLength;\n us_arrayCopy(array, 0, array, start, oldLength);\n\n // fill in padding character\n while(--start >= 0) {\n array[start] = padChar;\n }\n setLength(targetLength);\n return TRUE;\n }\n}", "project": "icu", "hash": 175763642427568556095450150415019528717, "size": 20, "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca", "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971", "target": 0, "dataset": "other", "idx": 430817 }, { "func": "static int __kvm_write_guest_page(struct kvm_memory_slot *memslot, gfn_t gfn,\n\t\t\t const void *data, int offset, int len)\n{\n\tint r;\n\tunsigned long addr;\n\n\taddr = 
gfn_to_hva_memslot(memslot, gfn);\n\tif (kvm_is_error_hva(addr))\n\t\treturn -EFAULT;\n\tr = __copy_to_user((void __user *)addr + offset, data, len);\n\tif (r)\n\t\treturn -EFAULT;\n\tmark_page_dirty_in_slot(memslot, gfn);\n\treturn 0;\n}", "project": "linux", "hash": 196831685759873311973943750000149701377, "size": 15, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354654 }, { "func": "static int __kvm_write_guest_page(struct kvm *kvm,\n\t\t\t\t struct kvm_memory_slot *memslot, gfn_t gfn,\n\t\t\t const void *data, int offset, int len)\n{\n\tint r;\n\tunsigned long addr;\n\n\taddr = gfn_to_hva_memslot(memslot, gfn);\n\tif (kvm_is_error_hva(addr))\n\t\treturn -EFAULT;\n\tr = __copy_to_user((void __user *)addr + offset, data, len);\n\tif (r)\n\t\treturn -EFAULT;\n\tmark_page_dirty_in_slot(kvm, memslot, gfn);\n\treturn 0;\n}", "project": "linux", "hash": 49276504487313143620955144018707604770, "size": 16, "commit_id": "f8be156be163a052a067306417cd0ff679068c97", "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). 
These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin \nTested-by: Paolo Bonzini \nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 404067 }, { "func": "int bcf_hdr_add_hrec(bcf_hdr_t *hdr, bcf_hrec_t *hrec)\n{\n int res;\n if ( !hrec ) return 0;\n\n hrec->type = BCF_HL_GEN;\n res = bcf_hdr_register_hrec(hdr,hrec);\n if (res < 0) return -1;\n if ( !res )\n {\n // If one of the hashed field, then it is already present\n if ( hrec->type != BCF_HL_GEN )\n {\n bcf_hrec_destroy(hrec);\n return 0;\n }\n\n // Is one of the generic fields and already present?\n int i;\n for (i=0; inhrec; i++)\n {\n if ( hdr->hrec[i]->type!=BCF_HL_GEN ) continue;\n if ( !strcmp(hdr->hrec[i]->key,hrec->key) && !strcmp(hrec->key,\"fileformat\") ) break;\n if ( !strcmp(hdr->hrec[i]->key,hrec->key) && !strcmp(hdr->hrec[i]->value,hrec->value) ) break;\n }\n if ( inhrec )\n {\n bcf_hrec_destroy(hrec);\n return 0;\n }\n }\n\n // New record, needs to be added\n int n = hdr->nhrec + 1;\n bcf_hrec_t **new_hrec = realloc(hdr->hrec, n*sizeof(bcf_hrec_t*));\n if (!new_hrec) return -1;\n hdr->hrec = new_hrec;\n hdr->hrec[hdr->nhrec] = hrec;\n hdr->dirty = 1;\n hdr->nhrec = n;\n\n return hrec->type==BCF_HL_GEN ? 0 : 1;\n}", "project": "htslib", "hash": 151353182232590957597337826022653685402, "size": 43, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402166 }, { "func": "static void kvm_s390_get_tod_clock(struct kvm *kvm,\n\t\t\t\t struct kvm_s390_vm_tod_clock *gtod)\n{\n\tstruct kvm_s390_tod_clock_ext htod;\n\n\tpreempt_disable();\n\n\tget_tod_clock_ext((char *)&htod);\n\n\tgtod->tod = htod.tod + kvm->arch.epoch;\n\tgtod->epoch_idx = 0;\n\tif (test_kvm_facility(kvm, 139)) {\n\t\tgtod->epoch_idx = htod.epoch_idx + kvm->arch.epdx;\n\t\tif (gtod->tod < htod.tod)\n\t\t\tgtod->epoch_idx += 1;\n\t}\n\n\tpreempt_enable();\n}", "project": "linux", "hash": 178445454629995417480670063528897072268, "size": 19, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354615 }, { "func": "static inline int pfkey_sockaddr_len(sa_family_t family)\n{\n\tswitch (family) {\n\tcase AF_INET:\n\t\treturn sizeof(struct sockaddr_in);\n#if IS_ENABLED(CONFIG_IPV6)\n\tcase AF_INET6:\n\t\treturn sizeof(struct sockaddr_in6);\n#endif\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 278904035866326502315063647933735420782, "size": 12, "commit_id": 
"9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268028 }, { "func": "static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)\n{\n\t__u32 tmp[OUTPUT_POOL_WORDS];\n\n\tif (r->pull && r->entropy_count < nbytes * 8 &&\n\t r->entropy_count < r->poolinfo->POOLBITS) {\n\t\t/* If we're limited, always leave two wakeup worth's BITS */\n\t\tint rsvd = r->limit ? 
0 : random_read_wakeup_thresh/4;\n\t\tint bytes = nbytes;\n\n\t\t/* pull at least as many as BYTES as wakeup BITS */\n\t\tbytes = max_t(int, bytes, random_read_wakeup_thresh / 8);\n\t\t/* but never more than the buffer size */\n\t\tbytes = min_t(int, bytes, sizeof(tmp));\n\n\t\tDEBUG_ENT(\"going to reseed %s with %d bits \"\n\t\t\t \"(%d of %d requested)\\n\",\n\t\t\t r->name, bytes * 8, nbytes * 8, r->entropy_count);\n\n\t\tbytes = extract_entropy(r->pull, tmp, bytes,\n\t\t\t\t\trandom_read_wakeup_thresh / 8, rsvd);\n\t\tmix_pool_bytes(r, tmp, bytes);\n\t\tcredit_entropy_bits(r, bytes*8);\n\t}\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 77611772723871048721505878135031119618, "size": 25, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. 
I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499899 }, { "func": "TEST_P(JSITest, FunctionThisTest) {\n Function checkPropertyFunction =\n function(\"function() { return this.a === 'a_property' }\");\n\n Object jsObject = Object(rt);\n jsObject.setProperty(rt, \"a\", String::createFromUtf8(rt, \"a_property\"));\n\n class APropertyHostObject : public HostObject {\n Value get(Runtime& rt, const PropNameID& sym) override {\n return String::createFromUtf8(rt, \"a_property\");\n }\n\n void set(Runtime&, const PropNameID&, const Value&) override {}\n };\n Object hostObject =\n Object::createFromHostObject(rt, std::make_shared());\n\n EXPECT_TRUE(checkPropertyFunction.callWithThis(rt, jsObject).getBool());\n EXPECT_TRUE(checkPropertyFunction.callWithThis(rt, hostObject).getBool());\n EXPECT_FALSE(checkPropertyFunction.callWithThis(rt, Array(rt, 5)).getBool());\n EXPECT_FALSE(checkPropertyFunction.call(rt).getBool());\n}", "project": "hermes", "hash": 150689608706520066583037026082663676241, "size": 22, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. 
This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230193 }, { "func": "TEST_P(JSITest, FunctionTest) {\n // test move ctor\n Function fmove = function(\"function() { return 1 }\");\n {\n Function g = function(\"function() { return 2 }\");\n fmove = std::move(g);\n }\n EXPECT_EQ(fmove.call(rt).getNumber(), 2);\n\n // This tests all the function argument converters, and all the\n // non-lvalue overloads of call().\n Function f = function(\n \"function(n, b, d, df, i, s1, s2, s3, s_sun, s_bad, o, a, f, v) { \"\n \"return \"\n \"n === null && \"\n \"b === true && \"\n \"d === 3.14 && \"\n \"Math.abs(df - 2.71) < 0.001 && \"\n \"i === 17 && \"\n \"s1 == 's1' && \"\n \"s2 == 's2' && \"\n \"s3 == 's3' && \"\n \"s_sun == 's\\\\u2600' && \"\n \"typeof s_bad == 'string' && \"\n \"typeof o == 'object' && \"\n \"Array.isArray(a) && \"\n \"typeof f == 'function' && \"\n \"v == 42 }\");\n EXPECT_TRUE(f.call(\n rt,\n nullptr,\n true,\n 3.14,\n 2.71f,\n 17,\n \"s1\",\n String::createFromAscii(rt, \"s2\"),\n std::string{\"s3\"},\n std::string{u8\"s\\u2600\"},\n // invalid UTF8 sequence due to unexpected continuation byte\n std::string{\"s\\x80\"},\n Object(rt),\n Array(rt, 1),\n function(\"function(){}\"),\n Value(42))\n .getBool());\n\n // lvalue overloads of call()\n Function flv = function(\n \"function(s, o, a, f, v) { return \"\n \"s == 's' && \"\n \"typeof o == 'object' && \"\n \"Array.isArray(a) && \"\n \"typeof f == 'function' && \"\n \"v == 42 }\");\n\n String s = String::createFromAscii(rt, \"s\");\n Object o 
= Object(rt);\n Array a = Array(rt, 1);\n Value v = 42;\n EXPECT_TRUE(flv.call(rt, s, o, a, f, v).getBool());\n\n Function f1 = function(\"function() { return 1; }\");\n Function f2 = function(\"function() { return 2; }\");\n f2 = std::move(f1);\n EXPECT_EQ(f2.call(rt).getNumber(), 1);\n}", "project": "hermes", "hash": 248058344743517029457636731436853380453, "size": 67, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230243 }, { "func": "TEST_P(JSITest, JSErrorStackOverflowHandling) {\n rt.global().setProperty(\n rt,\n \"callSomething\",\n Function::createFromHostFunction(\n rt,\n PropNameID::forAscii(rt, \"callSomething\"),\n 0,\n [this](\n Runtime& rt2,\n const Value& thisVal,\n const Value* args,\n size_t count) {\n EXPECT_EQ(&rt, &rt2);\n return function(\"function() { return 0; }\").call(rt);\n }));\n try {\n eval(\"(function f() { callSomething(); f.apply(); })()\");\n FAIL();\n } catch (const JSError& ex) {\n EXPECT_NE(std::string(ex.what()).find(\"exceeded\"), std::string::npos);\n }\n}", "project": "hermes", "hash": 129979681900389205337550868469643878279, "size": 23, "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da", "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype 
chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a", "target": 0, "dataset": "other", "idx": 230267 }, { "func": "int JOIN::optimize_stage2()\n{\n ulonglong select_opts_for_readinfo;\n uint no_jbuf_after;\n JOIN_TAB *tab;\n DBUG_ENTER(\"JOIN::optimize_stage2\");\n\n if (subq_exit_fl)\n goto setup_subq_exit;\n\n if (unlikely(thd->check_killed()))\n DBUG_RETURN(1);\n\n /* Generate an execution plan from the found optimal join order. */\n if (get_best_combination())\n DBUG_RETURN(1);\n\n if (select_lex->handle_derived(thd->lex, DT_OPTIMIZE))\n DBUG_RETURN(1);\n\n if (optimizer_flag(thd, OPTIMIZER_SWITCH_DERIVED_WITH_KEYS))\n drop_unused_derived_keys();\n\n if (rollup.state != ROLLUP::STATE_NONE)\n {\n if (rollup_process_const_fields())\n {\n DBUG_PRINT(\"error\", (\"Error: rollup_process_fields() failed\"));\n DBUG_RETURN(1);\n }\n }\n else\n {\n /* Remove distinct if only const tables */\n select_distinct= select_distinct && (const_tables != table_count);\n }\n\n THD_STAGE_INFO(thd, stage_preparing);\n if (result->initialize_tables(this))\n {\n DBUG_PRINT(\"error\",(\"Error: initialize_tables() failed\"));\n DBUG_RETURN(1);\t\t\t\t// error == -1\n }\n if (const_table_map != found_const_table_map &&\n !(select_options & SELECT_DESCRIBE))\n {\n // There is at least one empty const table\n zero_result_cause= \"no matching row in const table\";\n DBUG_PRINT(\"error\",(\"Error: %s\", zero_result_cause));\n error= 0;\n 
handle_implicit_grouping_with_window_funcs();\n goto setup_subq_exit;\n }\n if (!(thd->variables.option_bits & OPTION_BIG_SELECTS) &&\n best_read > (double) thd->variables.max_join_size &&\n !(select_options & SELECT_DESCRIBE))\n {\t\t\t\t\t\t/* purecov: inspected */\n my_message(ER_TOO_BIG_SELECT, ER_THD(thd, ER_TOO_BIG_SELECT), MYF(0));\n error= -1;\n DBUG_RETURN(1);\n }\n if (const_tables && !thd->locked_tables_mode &&\n !(select_options & SELECT_NO_UNLOCK))\n {\n /*\n Unlock all tables, except sequences, as accessing these may still\n require table updates\n */\n mysql_unlock_some_tables(thd, table, const_tables,\n GET_LOCK_SKIP_SEQUENCES);\n }\n if (!conds && outer_join)\n {\n /* Handle the case where we have an OUTER JOIN without a WHERE */\n conds= new (thd->mem_root) Item_int(thd, (longlong) 1,1); // Always true\n }\n\n if (impossible_where)\n {\n zero_result_cause=\n \"Impossible WHERE noticed after reading const tables\";\n select_lex->mark_const_derived(zero_result_cause);\n handle_implicit_grouping_with_window_funcs();\n goto setup_subq_exit;\n }\n\n select= make_select(*table, const_table_map,\n const_table_map, conds, (SORT_INFO*) 0, 1, &error);\n if (unlikely(error))\n {\t\t\t\t\t\t/* purecov: inspected */\n error= -1;\t\t\t\t\t/* purecov: inspected */\n DBUG_PRINT(\"error\",(\"Error: make_select() failed\"));\n DBUG_RETURN(1);\n }\n \n reset_nj_counters(this, join_list);\n if (make_outerjoin_info(this))\n {\n DBUG_RETURN(1);\n }\n\n /*\n Among the equal fields belonging to the same multiple equality\n choose the one that is to be retrieved first and substitute\n all references to these in where condition for a reference for\n the selected field.\n */\n if (conds)\n {\n conds= substitute_for_best_equal_field(thd, NO_PARTICULAR_TAB, conds,\n cond_equal, map2table);\n if (unlikely(thd->is_error()))\n {\n error= 1;\n DBUG_PRINT(\"error\",(\"Error from substitute_for_best_equal\"));\n DBUG_RETURN(1);\n }\n conds->update_used_tables();\n 
DBUG_EXECUTE(\"where\",\n print_where(conds,\n \"after substitute_best_equal\",\n QT_ORDINARY););\n }\n\n /*\n Perform the optimization on fields evaluation mentioned above\n for all on expressions.\n */\n for (tab= first_linear_tab(this, WITH_BUSH_ROOTS, WITHOUT_CONST_TABLES); tab;\n tab= next_linear_tab(this, tab, WITH_BUSH_ROOTS))\n {\n if (*tab->on_expr_ref)\n {\n *tab->on_expr_ref= substitute_for_best_equal_field(thd, NO_PARTICULAR_TAB,\n *tab->on_expr_ref,\n tab->cond_equal,\n map2table);\n if (unlikely(thd->is_error()))\n {\n error= 1;\n DBUG_PRINT(\"error\",(\"Error from substitute_for_best_equal\"));\n DBUG_RETURN(1);\n }\n (*tab->on_expr_ref)->update_used_tables();\n }\n }\n\n /*\n Perform the optimization on fields evaliation mentioned above\n for all used ref items.\n */\n for (tab= first_linear_tab(this, WITH_BUSH_ROOTS, WITHOUT_CONST_TABLES); tab;\n tab= next_linear_tab(this, tab, WITH_BUSH_ROOTS))\n {\n uint key_copy_index=0;\n for (uint i=0; i < tab->ref.key_parts; i++)\n {\n Item **ref_item_ptr= tab->ref.items+i;\n Item *ref_item= *ref_item_ptr;\n if (!ref_item->used_tables() && !(select_options & SELECT_DESCRIBE))\n continue;\n COND_EQUAL *equals= cond_equal;\n JOIN_TAB *first_inner= tab->first_inner;\n while (equals)\n {\n ref_item= substitute_for_best_equal_field(thd, tab, ref_item,\n equals, map2table);\n if (unlikely(thd->is_fatal_error))\n DBUG_RETURN(1);\n\n if (first_inner)\n\t{\n equals= first_inner->cond_equal;\n first_inner= first_inner->first_upper;\n }\n else\n equals= 0;\n } \n ref_item->update_used_tables();\n if (*ref_item_ptr != ref_item)\n {\n *ref_item_ptr= ref_item;\n Item *item= ref_item->real_item();\n store_key *key_copy= tab->ref.key_copy[key_copy_index];\n if (key_copy->type() == store_key::FIELD_STORE_KEY)\n {\n if (item->basic_const_item())\n {\n /* It is constant propagated here */\n tab->ref.key_copy[key_copy_index]=\n new store_key_const_item(*tab->ref.key_copy[key_copy_index],\n item);\n }\n else if 
(item->const_item())\n\t {\n tab->ref.key_copy[key_copy_index]=\n new store_key_item(*tab->ref.key_copy[key_copy_index],\n item, TRUE);\n } \n else\n {\n store_key_field *field_copy= ((store_key_field *)key_copy);\n DBUG_ASSERT(item->type() == Item::FIELD_ITEM);\n field_copy->change_source_field((Item_field *) item);\n }\n }\n }\n key_copy_index++;\n }\n }\n\n if (conds && const_table_map != found_const_table_map &&\n (select_options & SELECT_DESCRIBE))\n {\n conds=new (thd->mem_root) Item_int(thd, (longlong) 0, 1); // Always false\n }\n\n /* Cache constant expressions in WHERE, HAVING, ON clauses. */\n cache_const_exprs();\n\n if (setup_semijoin_loosescan(this))\n DBUG_RETURN(1);\n\n if (make_join_select(this, select, conds))\n {\n zero_result_cause=\n \"Impossible WHERE noticed after reading const tables\";\n select_lex->mark_const_derived(zero_result_cause);\n handle_implicit_grouping_with_window_funcs();\n goto setup_subq_exit;\n }\n\n error= -1;\t\t\t\t\t/* if goto err */\n\n /* Optimize distinct away if possible */\n {\n ORDER *org_order= order;\n order=remove_const(this, order,conds,1, &simple_order);\n if (unlikely(thd->is_error()))\n {\n error= 1;\n DBUG_RETURN(1);\n }\n\n /*\n If we are using ORDER BY NULL or ORDER BY const_expression,\n return result in any order (even if we are using a GROUP BY)\n */\n if (!order && org_order)\n skip_sort_order= 1;\n }\n /*\n Check if we can optimize away GROUP BY/DISTINCT.\n We can do that if there are no aggregate functions, the\n fields in DISTINCT clause (if present) and/or columns in GROUP BY\n (if present) contain direct references to all key parts of\n an unique index (in whatever order) and if the key parts of the\n unique index cannot contain NULLs.\n Note that the unique keys for DISTINCT and GROUP BY should not\n be the same (as long as they are unique).\n\n The FROM clause must contain a single non-constant table.\n */\n if (table_count - const_tables == 1 && (group || select_distinct) &&\n 
!tmp_table_param.sum_func_count &&\n (!join_tab[const_tables].select ||\n !join_tab[const_tables].select->quick ||\n join_tab[const_tables].select->quick->get_type() != \n QUICK_SELECT_I::QS_TYPE_GROUP_MIN_MAX) &&\n !select_lex->have_window_funcs())\n {\n if (group && rollup.state == ROLLUP::STATE_NONE &&\n list_contains_unique_index(join_tab[const_tables].table,\n find_field_in_order_list,\n (void *) group_list))\n {\n /*\n We have found that grouping can be removed since groups correspond to\n only one row anyway, but we still have to guarantee correct result\n order. The line below effectively rewrites the query from GROUP BY\n to ORDER BY . There are three exceptions:\n - if skip_sort_order is set (see above), then we can simply skip\n GROUP BY;\n - if we are in a subquery, we don't have to maintain order unless there\n\t is a limit clause in the subquery.\n - we can only rewrite ORDER BY if the ORDER BY fields are 'compatible'\n with the GROUP BY ones, i.e. either one is a prefix of another.\n We only check if the ORDER BY is a prefix of GROUP BY. In this case\n test_if_subpart() copies the ASC/DESC attributes from the original\n ORDER BY fields.\n If GROUP BY is a prefix of ORDER BY, then it is safe to leave\n 'order' as is.\n */\n if (!order || test_if_subpart(group_list, order))\n {\n if (skip_sort_order ||\n (select_lex->master_unit()->item && select_limit == HA_POS_ERROR)) // This is a subquery\n order= NULL;\n else\n order= group_list;\n }\n /*\n If we have an IGNORE INDEX FOR GROUP BY(fields) clause, this must be \n rewritten to IGNORE INDEX FOR ORDER BY(fields).\n */\n join_tab->table->keys_in_use_for_order_by=\n join_tab->table->keys_in_use_for_group_by;\n group_list= 0;\n group= 0;\n }\n if (select_distinct &&\n list_contains_unique_index(join_tab[const_tables].table,\n find_field_in_item_list,\n (void *) &fields_list))\n {\n select_distinct= 0;\n }\n }\n if (group || tmp_table_param.sum_func_count)\n {\n if (! 
hidden_group_fields && rollup.state == ROLLUP::STATE_NONE\n && !select_lex->have_window_funcs())\n select_distinct=0;\n }\n else if (select_distinct && table_count - const_tables == 1 &&\n rollup.state == ROLLUP::STATE_NONE &&\n !select_lex->have_window_funcs())\n {\n /*\n We are only using one table. In this case we change DISTINCT to a\n GROUP BY query if:\n - The GROUP BY can be done through indexes (no sort) and the ORDER\n BY only uses selected fields.\n\t(In this case we can later optimize away GROUP BY and ORDER BY)\n - We are scanning the whole table without LIMIT\n This can happen if:\n - We are using CALC_FOUND_ROWS\n - We are using an ORDER BY that can't be optimized away.\n\n We don't want to use this optimization when we are using LIMIT\n because in this case we can just create a temporary table that\n holds LIMIT rows and stop when this table is full.\n */\n bool all_order_fields_used;\n\n tab= &join_tab[const_tables];\n if (order)\n {\n skip_sort_order=\n test_if_skip_sort_order(tab, order, select_limit,\n true, // no_changes\n &tab->table->keys_in_use_for_order_by);\n }\n if ((group_list=create_distinct_group(thd, select_lex->ref_pointer_array,\n order, fields_list, all_fields,\n\t\t\t\t &all_order_fields_used)))\n {\n const bool skip_group=\n skip_sort_order &&\n test_if_skip_sort_order(tab, group_list, select_limit,\n true, // no_changes\n &tab->table->keys_in_use_for_group_by);\n count_field_types(select_lex, &tmp_table_param, all_fields, 0);\n if ((skip_group && all_order_fields_used) ||\n\t select_limit == HA_POS_ERROR ||\n\t (order && !skip_sort_order))\n {\n\t/* Change DISTINCT to GROUP BY */\n\tselect_distinct= 0;\n\tno_order= !order;\n\tif (all_order_fields_used)\n\t{\n\t if (order && skip_sort_order)\n\t {\n\t /*\n\t Force MySQL to read the table in sorted order to get result in\n\t ORDER BY order.\n\t */\n\t tmp_table_param.quick_group=0;\n\t }\n\t order=0;\n }\n\tgroup=1;\t\t\t\t// For end_write_group\n }\n else\n\tgroup_list= 0;\n }\n 
else if (thd->is_fatal_error)\t\t\t// End of memory\n DBUG_RETURN(1);\n }\n simple_group= rollup.state == ROLLUP::STATE_NONE;\n if (group)\n {\n /*\n Update simple_group and group_list as we now have more information, like\n which tables or columns are constant.\n */\n group_list= remove_const(this, group_list, conds,\n rollup.state == ROLLUP::STATE_NONE,\n &simple_group);\n if (unlikely(thd->is_error()))\n {\n error= 1;\n DBUG_RETURN(1);\n }\n if (!group_list)\n {\n /* The output has only one row */\n order=0;\n simple_order=1;\n select_distinct= 0;\n group_optimized_away= 1;\n }\n }\n\n calc_group_buffer(this, group_list);\n send_group_parts= tmp_table_param.group_parts; /* Save org parts */\n if (procedure && procedure->group)\n {\n group_list= procedure->group= remove_const(this, procedure->group, conds,\n\t\t\t\t\t 1, &simple_group);\n if (unlikely(thd->is_error()))\n {\n error= 1;\n DBUG_RETURN(1);\n } \n calc_group_buffer(this, group_list);\n }\n\n if (test_if_subpart(group_list, order) ||\n (!group_list && tmp_table_param.sum_func_count))\n {\n order=0;\n if (is_indexed_agg_distinct(this, NULL))\n sort_and_group= 0;\n }\n\n // Can't use sort on head table if using join buffering\n if (full_join || hash_join)\n {\n TABLE *stable= (sort_by_table == (TABLE *) 1 ? 
\n join_tab[const_tables].table : sort_by_table);\n /* \n FORCE INDEX FOR ORDER BY can be used to prevent join buffering when\n sorting on the first table.\n */\n if (!stable || (!stable->force_index_order &&\n !map2table[stable->tablenr]->keep_current_rowid))\n {\n if (group_list)\n simple_group= 0;\n if (order)\n simple_order= 0;\n }\n }\n\n need_tmp= test_if_need_tmp_table();\n\n /*\n If window functions are present then we can't have simple_order set to\n TRUE as the window function needs a temp table for computation.\n ORDER BY is computed after the window function computation is done, so\n the sort will be done on the temp table.\n */\n if (select_lex->have_window_funcs())\n simple_order= FALSE;\n\n\n /*\n If the hint FORCE INDEX FOR ORDER BY/GROUP BY is used for the table\n whose columns are required to be returned in a sorted order, then\n the proper value for no_jbuf_after should be yielded by a call to\n the make_join_orderinfo function.\n Yet the current implementation of FORCE INDEX hints does not\n allow us to do it in a clean manner.\n */\n no_jbuf_after= 1 ? table_count : make_join_orderinfo(this);\n\n // Don't use join buffering when we use MATCH\n select_opts_for_readinfo=\n (select_options & (SELECT_DESCRIBE | SELECT_NO_JOIN_CACHE)) |\n (select_lex->ftfunc_list->elements ? 
SELECT_NO_JOIN_CACHE : 0);\n\n if (select_lex->options & OPTION_SCHEMA_TABLE &&\n optimize_schema_tables_reads(this))\n DBUG_RETURN(1);\n\n if (make_join_readinfo(this, select_opts_for_readinfo, no_jbuf_after))\n DBUG_RETURN(1);\n\n /* Perform FULLTEXT search before all regular searches */\n if (!(select_options & SELECT_DESCRIBE))\n if (init_ftfuncs(thd, select_lex, MY_TEST(order)))\n DBUG_RETURN(1);\n\n /*\n It's necessary to check const part of HAVING cond as\n there is a chance that some cond parts may become\n const items after make_join_statistics(for example\n when Item is a reference to cost table field from\n outer join).\n This check is performed only for those conditions\n which do not use aggregate functions. In such case\n temporary table may not be used and const condition\n elements may be lost during further having\n condition transformation in JOIN::exec.\n */\n if (having && const_table_map && !having->with_sum_func)\n {\n having->update_used_tables();\n having= having->remove_eq_conds(thd, &select_lex->having_value, true);\n if (select_lex->having_value == Item::COND_FALSE)\n {\n having= new (thd->mem_root) Item_int(thd, (longlong) 0,1);\n zero_result_cause= \"Impossible HAVING noticed after reading const tables\";\n error= 0;\n select_lex->mark_const_derived(zero_result_cause);\n goto setup_subq_exit;\n }\n }\n\n if (optimize_unflattened_subqueries())\n DBUG_RETURN(1);\n \n int res;\n if ((res= rewrite_to_index_subquery_engine(this)) != -1)\n DBUG_RETURN(res);\n if (setup_subquery_caches())\n DBUG_RETURN(-1);\n\n /*\n Need to tell handlers that to play it safe, it should fetch all\n columns of the primary key of the tables: this is because MySQL may\n build row pointers for the rows, and for all columns of the primary key\n the read set has not necessarily been set by the server code.\n */\n if (need_tmp || select_distinct || group_list || order)\n {\n for (uint i= 0; i < table_count; i++)\n {\n if (!(table[i]->map & const_table_map))\n 
table[i]->prepare_for_position();\n }\n }\n\n DBUG_EXECUTE(\"info\",TEST_join(this););\n\n if (!only_const_tables())\n {\n JOIN_TAB *tab= &join_tab[const_tables];\n\n if (order)\n {\n /*\n Force using of tmp table if sorting by a SP or UDF function due to\n their expensive and probably non-deterministic nature.\n */\n for (ORDER *tmp_order= order; tmp_order ; tmp_order=tmp_order->next)\n {\n Item *item= *tmp_order->item;\n if (item->is_expensive())\n {\n /* Force tmp table without sort */\n need_tmp=1; simple_order=simple_group=0;\n break;\n }\n }\n }\n\n /*\n Because filesort always does a full table scan or a quick range scan\n we must add the removed reference to the select for the table.\n We only need to do this when we have a simple_order or simple_group\n as in other cases the join is done before the sort.\n */\n if ((order || group_list) &&\n tab->type != JT_ALL &&\n tab->type != JT_FT &&\n tab->type != JT_REF_OR_NULL &&\n ((order && simple_order) || (group_list && simple_group)))\n {\n if (add_ref_to_table_cond(thd,tab)) {\n DBUG_RETURN(1);\n }\n }\n /*\n Investigate whether we may use an ordered index as part of either\n DISTINCT, GROUP BY or ORDER BY execution. An ordered index may be\n used for only the first of any of these terms to be executed. This\n is reflected in the order which we check for test_if_skip_sort_order()\n below. 
However we do not check for DISTINCT here, as it would have\n been transformed to a GROUP BY at this stage if it is a candidate for \n ordered index optimization.\n If a decision was made to use an ordered index, the availability\n of such an access path is stored in 'ordered_index_usage' for later\n use by 'execute' or 'explain'\n */\n DBUG_ASSERT(ordered_index_usage == ordered_index_void);\n\n if (group_list) // GROUP BY honoured first\n // (DISTINCT was rewritten to GROUP BY if skippable)\n {\n /*\n When there is SQL_BIG_RESULT do not sort using index for GROUP BY,\n and thus force sorting on disk unless a group min-max optimization\n is going to be used as it is applied now only for one table queries\n with covering indexes.\n */\n if (!(select_options & SELECT_BIG_RESULT) ||\n (tab->select &&\n tab->select->quick &&\n tab->select->quick->get_type() ==\n QUICK_SELECT_I::QS_TYPE_GROUP_MIN_MAX))\n {\n if (simple_group && // GROUP BY is possibly skippable\n !select_distinct) // .. if not preceded by a DISTINCT\n {\n /*\n Calculate a possible 'limit' of table rows for 'GROUP BY':\n A specified 'LIMIT' is relative to the final resultset.\n 'need_tmp' implies that there will be more postprocessing \n so the specified 'limit' should not be enforced yet.\n */\n const ha_rows limit = need_tmp ? HA_POS_ERROR : select_limit;\n if (test_if_skip_sort_order(tab, group_list, limit, false, \n &tab->table->keys_in_use_for_group_by))\n {\n ordered_index_usage= ordered_index_group_by;\n }\n }\n\n\t/*\n\t If we are going to use semi-join LooseScan, it will depend\n\t on the selected index scan to be used. If index is not used\n\t for the GROUP BY, we risk that sorting is put on the LooseScan\n\t table. 
In order to avoid this, force use of temporary table.\n\t TODO: Explain the quick_group part of the test below.\n\t */\n if ((ordered_index_usage != ordered_index_group_by) &&\n ((tmp_table_param.quick_group && !procedure) || \n\t (tab->emb_sj_nest && \n\t best_positions[const_tables].sj_strategy == SJ_OPT_LOOSE_SCAN)))\n {\n need_tmp=1;\n simple_order= simple_group= false; // Force tmp table without sort\n }\n }\n }\n else if (order && // ORDER BY wo/ preceding GROUP BY\n (simple_order || skip_sort_order)) // which is possibly skippable\n {\n if (test_if_skip_sort_order(tab, order, select_limit, false, \n &tab->table->keys_in_use_for_order_by))\n {\n ordered_index_usage= ordered_index_order_by;\n }\n }\n }\n\n if (having)\n having_is_correlated= MY_TEST(having->used_tables() & OUTER_REF_TABLE_BIT);\n tmp_having= having;\n\n if (unlikely(thd->is_error()))\n DBUG_RETURN(TRUE);\n\n /*\n The loose index scan access method guarantees that all grouping or\n duplicate row elimination (for distinct) is already performed\n during data retrieval, and that all MIN/MAX functions are already\n computed for each group. Thus all MIN/MAX functions should be\n treated as regular functions, and there is no need to perform\n grouping in the main execution loop.\n Notice that currently loose index scan is applicable only for\n single table queries, thus it is sufficient to test only the first\n join_tab element of the plan for its access method.\n */\n if (join_tab->is_using_loose_index_scan())\n {\n tmp_table_param.precomputed_group_by= TRUE;\n if (join_tab->is_using_agg_loose_index_scan())\n {\n need_distinct= FALSE;\n tmp_table_param.precomputed_group_by= FALSE;\n }\n }\n\n if (make_aggr_tables_info())\n DBUG_RETURN(1);\n\n if (init_join_caches())\n DBUG_RETURN(1);\n\n error= 0;\n\n if (select_options & SELECT_DESCRIBE)\n goto derived_exit;\n\n DBUG_RETURN(0);\n\nsetup_subq_exit:\n /* Choose an execution strategy for this JOIN. 
*/\n if (!tables_list || !table_count)\n {\n choose_tableless_subquery_plan();\n\n /* The output has atmost one row */\n if (group_list)\n {\n group_list= NULL;\n group_optimized_away= 1;\n rollup.state= ROLLUP::STATE_NONE;\n }\n order= NULL;\n simple_order= TRUE;\n select_distinct= FALSE;\n\n if (select_lex->have_window_funcs())\n {\n if (!(join_tab= (JOIN_TAB*) thd->alloc(sizeof(JOIN_TAB))))\n DBUG_RETURN(1);\n need_tmp= 1;\n }\n if (make_aggr_tables_info())\n DBUG_RETURN(1);\n }\n /*\n Even with zero matching rows, subqueries in the HAVING clause may\n need to be evaluated if there are aggregate functions in the query.\n */\n if (optimize_unflattened_subqueries())\n DBUG_RETURN(1);\n error= 0;\n\nderived_exit:\n\n select_lex->mark_const_derived(zero_result_cause);\n DBUG_RETURN(0);\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 321087860206240971586589385447775122615, "size": 739, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508651 }, { "func": "static void sctp_sendmsg_update_sinfo(struct sctp_association *asoc,\n\t\t\t\t struct sctp_sndrcvinfo *sinfo,\n\t\t\t\t struct sctp_cmsgs *cmsgs)\n{\n\tif (!cmsgs->srinfo && !cmsgs->sinfo) {\n\t\tsinfo->sinfo_stream = asoc->default_stream;\n\t\tsinfo->sinfo_ppid = asoc->default_ppid;\n\t\tsinfo->sinfo_context = asoc->default_context;\n\t\tsinfo->sinfo_assoc_id = sctp_assoc2id(asoc);\n\n\t\tif (!cmsgs->prinfo)\n\t\t\tsinfo->sinfo_flags = asoc->default_flags;\n\t}\n\n\tif (!cmsgs->srinfo && !cmsgs->prinfo)\n\t\tsinfo->sinfo_timetolive = asoc->default_timetolive;\n\n\tif (cmsgs->authinfo) {\n\t\t/* Reuse sinfo_tsn to indicate that authinfo was set and\n\t\t * sinfo_ssn to save the keyid on tx path.\n\t\t */\n\t\tsinfo->sinfo_tsn = 1;\n\t\tsinfo->sinfo_ssn = cmsgs->authinfo->auth_keynumber;\n\t}\n}", "project": "linux", "hash": 40969011154889036353924464675287982763, "size": 25, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398075 }, { "func": "unsigned int CClient::AttachChans(const std::set& sChans) {\n unsigned int uAttached = 0;\n for (CChan* pChan : sChans) {\n if (!pChan->IsDetached()) continue;\n uAttached++;\n pChan->AttachUser();\n }\n return uAttached;\n}", "project": "znc", "hash": 148906281087534026140987290264957501616, "size": 9, "commit_id": "d229761821da38d984a9e4098ad96842490dc001", "message": "Fix echo-message for *status\n\nClose #1705", "target": 0, "dataset": "other", "idx": 231605 }, { "func": "static int sctp_getsockopt_reuse_port(struct sock *sk, int len,\n\t\t\t\t char __user *optval,\n\t\t\t\t int __user *optlen)\n{\n\tint val;\n\n\tif (len < sizeof(int))\n\t\treturn -EINVAL;\n\n\tlen = sizeof(int);\n\tval = sctp_sk(sk)->reuse;\n\tif (put_user(len, optlen))\n\t\treturn -EFAULT;\n\n\tif (copy_to_user(optval, &val, len))\n\t\treturn -EFAULT;\n\n\treturn 0;\n}", "project": "linux", "hash": 336717124702478125632253878843391393685, "size": 19, "commit_id": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "message": "net/sctp: fix race condition in sctp_destroy_sock\n\nIf sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock\nheld and sp->do_auto_asconf is true, then an element is removed\nfrom the auto_asconf_splist without any proper locking.\n\nThis can happen in the following functions:\n1. In sctp_accept, if sctp_sock_migrate fails.\n2. 
In inet_create or inet6_create, if there is a bpf program\n attached to BPF_CGROUP_INET_SOCK_CREATE which denies\n creation of the sctp socket.\n\nThe bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock\ninstead of sctp_close.\n\nThis addresses CVE-2021-23133.\n\nReported-by: Or Cohen \nReviewed-by: Xin Long \nFixes: 610236587600 (\"bpf: Add new cgroup attach type to enable sock modifications\")\nSigned-off-by: Or Cohen \nAcked-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 398079 }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLNode::~XMLNode()\n{\n\tclear_lists ();\n}", "idx": 519648, "cwe": "CWE-416", "hash": 179491817245806833293402301091429151276, "dataset": "other" }, { "func": "futex_wake_op(u32 __user *uaddr1, int fshared, u32 __user *uaddr2,\n\t int nr_wake, int nr_wake2, int op)\n{\n\tunion futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;\n\tstruct futex_hash_bucket *hb1, *hb2;\n\tstruct plist_head *head;\n\tstruct futex_q *this, *next;\n\tint ret, op_ret;\n\nretry:\n\tret = get_futex_key(uaddr1, fshared, &key1);\n\tif (unlikely(ret != 0))\n\t\tgoto out;\n\tret = get_futex_key(uaddr2, fshared, &key2);\n\tif (unlikely(ret != 0))\n\t\tgoto out_put_key1;\n\n\thb1 = hash_futex(&key1);\n\thb2 = hash_futex(&key2);\n\nretry_private:\n\tdouble_lock_hb(hb1, hb2);\n\top_ret = futex_atomic_op_inuser(op, uaddr2);\n\tif (unlikely(op_ret < 0)) {\n\n\t\tdouble_unlock_hb(hb1, hb2);\n\n#ifndef CONFIG_MMU\n\t\t/*\n\t\t * we don't get EFAULT from MMU faults if we don't have an MMU,\n\t\t * but we might get them from range checking\n\t\t */\n\t\tret = op_ret;\n\t\tgoto out_put_keys;\n#endif\n\n\t\tif (unlikely(op_ret != -EFAULT)) {\n\t\t\tret = op_ret;\n\t\t\tgoto out_put_keys;\n\t\t}\n\n\t\tret = fault_in_user_writeable(uaddr2);\n\t\tif (ret)\n\t\t\tgoto out_put_keys;\n\n\t\tif (!fshared)\n\t\t\tgoto retry_private;\n\n\t\tput_futex_key(fshared, 
&key2);\n\t\tput_futex_key(fshared, &key1);\n\t\tgoto retry;\n\t}\n\n\thead = &hb1->chain;\n\n\tplist_for_each_entry_safe(this, next, head, list) {\n\t\tif (match_futex (&this->key, &key1)) {\n\t\t\twake_futex(this);\n\t\t\tif (++ret >= nr_wake)\n\t\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (op_ret > 0) {\n\t\thead = &hb2->chain;\n\n\t\top_ret = 0;\n\t\tplist_for_each_entry_safe(this, next, head, list) {\n\t\t\tif (match_futex (&this->key, &key2)) {\n\t\t\t\twake_futex(this);\n\t\t\t\tif (++op_ret >= nr_wake2)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tret += op_ret;\n\t}\n\n\tdouble_unlock_hb(hb1, hb2);\nout_put_keys:\n\tput_futex_key(fshared, &key2);\nout_put_key1:\n\tput_futex_key(fshared, &key1);\nout:\n\treturn ret;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 216164598221691370158498773067985269938, "size": 85, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492318 }, { "func": "lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,\n\t\tunion futex_key *key, struct futex_pi_state **ps)\n{\n\tstruct futex_pi_state *pi_state = NULL;\n\tstruct futex_q *this, *next;\n\tstruct plist_head *head;\n\tstruct task_struct *p;\n\tpid_t pid = uval & FUTEX_TID_MASK;\n\n\thead = &hb->chain;\n\n\tplist_for_each_entry_safe(this, next, head, list) {\n\t\tif (match_futex(&this->key, key)) {\n\t\t\t/*\n\t\t\t * Another waiter already exists - bump up\n\t\t\t * the refcount and return its pi_state:\n\t\t\t */\n\t\t\tpi_state = this->pi_state;\n\t\t\t/*\n\t\t\t * Userspace might have messed up non PI and PI futexes\n\t\t\t */\n\t\t\tif (unlikely(!pi_state))\n\t\t\t\treturn -EINVAL;\n\n\t\t\tWARN_ON(!atomic_read(&pi_state->refcount));\n\t\t\tWARN_ON(pid && pi_state->owner &&\n\t\t\t\tpi_state->owner->pid != pid);\n\n\t\t\tatomic_inc(&pi_state->refcount);\n\t\t\t*ps = pi_state;\n\n\t\t\treturn 0;\n\t\t}\n\t}\n\n\t/*\n\t * We are the first waiter - try to look up the real owner and attach\n\t * the new pi_state to it, but bail out when TID = 0\n\t */\n\tif (!pid)\n\t\treturn -ESRCH;\n\tp = futex_find_get_task(pid);\n\tif (IS_ERR(p))\n\t\treturn PTR_ERR(p);\n\n\t/*\n\t * We need to look at the task state flags to figure out,\n\t * whether the task is exiting. 
To protect against the do_exit\n\t * change of the task flags, we do this protected by\n\t * p->pi_lock:\n\t */\n\traw_spin_lock_irq(&p->pi_lock);\n\tif (unlikely(p->flags & PF_EXITING)) {\n\t\t/*\n\t\t * The task is on the way out. When PF_EXITPIDONE is\n\t\t * set, we know that the task has finished the\n\t\t * cleanup:\n\t\t */\n\t\tint ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;\n\n\t\traw_spin_unlock_irq(&p->pi_lock);\n\t\tput_task_struct(p);\n\t\treturn ret;\n\t}\n\n\tpi_state = alloc_pi_state();\n\n\t/*\n\t * Initialize the pi_mutex in locked state and make 'p'\n\t * the owner of it:\n\t */\n\trt_mutex_init_proxy_locked(&pi_state->pi_mutex, p);\n\n\t/* Store the key for possible exit cleanups: */\n\tpi_state->key = *key;\n\n\tWARN_ON(!list_empty(&pi_state->list));\n\tlist_add(&pi_state->list, &p->pi_state_list);\n\tpi_state->owner = p;\n\traw_spin_unlock_irq(&p->pi_lock);\n\n\tput_task_struct(p);\n\n\t*ps = pi_state;\n\n\treturn 0;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc", "hash": 52444793049532938536502919047276864458, "size": 87, "message": "futex_lock_pi() key refcnt fix\n\nThis fixes a futex key reference count bug in futex_lock_pi(),\nwhere a key's reference count is incremented twice but decremented\nonly once, causing the backing object to not be released.\n\nIf the futex is created in a temporary file in an ext3 file system,\nthis bug causes the file's inode to become an \"undead\" orphan,\nwhich causes an oops from a BUG_ON() in ext3_put_super() when the\nfile system is unmounted. glibc's test suite is known to trigger this,\nsee .\n\nThe bug is a regression from 2.6.28-git3, namely Peter Zijlstra's\n38d47c1b7075bd7ec3881141bb3629da58f88dab \"[PATCH] futex: rely on\nget_user_pages() for shared futexes\". 
That commit made get_futex_key()\nalso increment the reference count of the futex key, and updated its\ncallers to decrement the key's reference count before returning.\nUnfortunately the normal exit path in futex_lock_pi() wasn't corrected:\nthe reference count is incremented by get_futex_key() and queue_lock(),\nbut the normal exit path only decrements once, via unqueue_me_pi().\nThe fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31\nthis is easily done by 'goto out_put_key' rather than 'goto out'.\n\nSigned-off-by: Mikael Pettersson \nAcked-by: Peter Zijlstra \nAcked-by: Darren Hart \nSigned-off-by: Thomas Gleixner \nCc: ", "dataset": "other", "idx": 492322 }, { "func": "static int connect_with_timeout(int fd, struct sockaddr *sa_ptr,\n size_t sa_size, double timeout,\n const HostURL &hosturl,\n std::string &errstr, int &errnum) {\n if (timeout <= 0) {\n int retval = connect(fd, sa_ptr, sa_size);\n if (retval < 0) {\n errstr = \"unable to connect to \" + hosturl.getHostURL();\n errnum = errno;\n }\n return retval;\n }\n\n // set non-blocking so we can do timeouts\n long arg = fcntl(fd, F_GETFL, nullptr);\n fcntl(fd, F_SETFL, arg | O_NONBLOCK);\n\n int retval = connect(fd, sa_ptr, sa_size);\n if (retval < 0) {\n if (errno == EINPROGRESS) {\n struct pollfd fds[1];\n fds[0].fd = fd;\n fds[0].events = POLLOUT;\n if (poll(fds, 1, (int)(timeout * 1000))) {\n int valopt;\n socklen_t lon = sizeof(int);\n getsockopt(fd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon);\n if (valopt) {\n errstr = \"failed to connect to \" + hosturl.getHostURL();\n errnum = valopt;\n }\n retval = valopt ? 
-1 : 0;\n } else {\n errstr = \"timed out after \";\n errstr += folly::to(timeout);\n errstr += \" seconds when connecting to \" + hosturl.getHostURL();\n errnum = ETIMEDOUT;\n retval = -1;\n }\n } else {\n errstr = \"unable to connect to \" + hosturl.getHostURL();\n errnum = errno;\n }\n }\n\n // set to blocking mode\n arg = fcntl(fd, F_GETFL, nullptr);\n fcntl(fd, F_SETFL, arg & ~O_NONBLOCK);\n\n return retval;\n}", "project": "hhvm", "hash": 198601898725570357683770751312177192666, "size": 51, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219343 }, { "func": "static bool io_flush_cached_reqs(struct io_ring_ctx *ctx)\n{\n\tstruct io_submit_state *state = &ctx->submit_state;\n\tstruct io_comp_state *cs = &state->comp;\n\tint nr;\n\n\t/*\n\t * If we have more than a batch's worth of requests in our IRQ side\n\t * locked cache, grab the lock and move them over to our submission\n\t * side cache.\n\t */\n\tif (READ_ONCE(cs->locked_free_nr) > IO_COMPL_BATCH)\n\t\tio_flush_cached_locked_reqs(ctx, cs);\n\n\tnr = state->free_reqs;\n\twhile (!list_empty(&cs->free_list)) {\n\t\tstruct io_kiocb *req = list_first_entry(&cs->free_list,\n\t\t\t\t\t\tstruct io_kiocb, compl.list);\n\n\t\tlist_del(&req->compl.list);\n\t\tstate->reqs[nr++] = req;\n\t\tif (nr == ARRAY_SIZE(state->reqs))\n\t\t\tbreak;\n\t}\n\n\tstate->free_reqs = nr;\n\treturn nr != 0;\n}", "project": "linux", "hash": 129468919525347465935098236004092013919, "size": 28, "commit_id": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "message": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\n\nRead and write operations are capped to MAX_RW_COUNT. 
Some read ops rely on\nthat limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.\n\nTruncate those lengths when doing io_add_buffers, so buffer addresses still\nuse the uncapped length.\n\nAlso, take the chance and change struct io_buffer len member to __u32, so\nit matches struct io_provide_buffer len member.\n\nThis fixes CVE-2021-3491, also reported as ZDI-CAN-13546.\n\nFixes: ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\")\nReported-by: Billy Jheng Bing-Jhong (@st424204)\nSigned-off-by: Thadeu Lima de Souza Cascardo \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 338635 }, { "func": "int tipc_node_distr_xmit(struct net *net, struct sk_buff_head *xmitq)\n{\n\tstruct sk_buff *skb;\n\tu32 selector, dnode;\n\n\twhile ((skb = __skb_dequeue(xmitq))) {\n\t\tselector = msg_origport(buf_msg(skb));\n\t\tdnode = msg_destnode(buf_msg(skb));\n\t\ttipc_node_xmit_skb(net, skb, dnode, selector);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 287363192497352310495346422788596518277, "size": 12, "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key 
net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 
[inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet \nCc: Tuong Lien \nCc: Jon Maloy \nCc: Ying Xue \nReported-by: syzbot \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 364934 }, { "func": "static int fuse_readdir_cached(struct file *file, struct dir_context *ctx)\n{\n\tstruct fuse_file *ff = file->private_data;\n\tstruct inode *inode = file_inode(file);\n\tstruct fuse_conn *fc = get_fuse_conn(inode);\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\tenum fuse_parse_result res;\n\tpgoff_t index;\n\tunsigned int size;\n\tstruct page *page;\n\tvoid *addr;\n\n\t/* Seeked? 
If so, reset the cache stream */\n\tif (ff->readdir.pos != ctx->pos) {\n\t\tff->readdir.pos = 0;\n\t\tff->readdir.cache_off = 0;\n\t}\n\n\t/*\n\t * We're just about to start reading into the cache or reading the\n\t * cache; both cases require an up-to-date mtime value.\n\t */\n\tif (!ctx->pos && fc->auto_inval_data) {\n\t\tint err = fuse_update_attributes(inode, file);\n\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\nretry:\n\tspin_lock(&fi->rdc.lock);\nretry_locked:\n\tif (!fi->rdc.cached) {\n\t\t/* Starting cache? Set cache mtime. */\n\t\tif (!ctx->pos && !fi->rdc.size) {\n\t\t\tfi->rdc.mtime = inode->i_mtime;\n\t\t\tfi->rdc.iversion = inode_query_iversion(inode);\n\t\t}\n\t\tspin_unlock(&fi->rdc.lock);\n\t\treturn UNCACHED;\n\t}\n\t/*\n\t * When at the beginning of the directory (i.e. just after opendir(3) or\n\t * rewinddir(3)), then need to check whether directory contents have\n\t * changed, and reset the cache if so.\n\t */\n\tif (!ctx->pos) {\n\t\tif (inode_peek_iversion(inode) != fi->rdc.iversion ||\n\t\t !timespec64_equal(&fi->rdc.mtime, &inode->i_mtime)) {\n\t\t\tfuse_rdc_reset(inode);\n\t\t\tgoto retry_locked;\n\t\t}\n\t}\n\n\t/*\n\t * If cache version changed since the last getdents() call, then reset\n\t * the cache stream.\n\t */\n\tif (ff->readdir.version != fi->rdc.version) {\n\t\tff->readdir.pos = 0;\n\t\tff->readdir.cache_off = 0;\n\t}\n\t/*\n\t * If at the beginning of the cache, than reset version to\n\t * current.\n\t */\n\tif (ff->readdir.pos == 0)\n\t\tff->readdir.version = fi->rdc.version;\n\n\tWARN_ON(fi->rdc.size < ff->readdir.cache_off);\n\n\tindex = ff->readdir.cache_off >> PAGE_SHIFT;\n\n\tif (index == (fi->rdc.size >> PAGE_SHIFT))\n\t\tsize = fi->rdc.size & ~PAGE_MASK;\n\telse\n\t\tsize = PAGE_SIZE;\n\tspin_unlock(&fi->rdc.lock);\n\n\t/* EOF? 
*/\n\tif ((ff->readdir.cache_off & ~PAGE_MASK) == size)\n\t\treturn 0;\n\n\tpage = find_get_page_flags(file->f_mapping, index,\n\t\t\t\t FGP_ACCESSED | FGP_LOCK);\n\tspin_lock(&fi->rdc.lock);\n\tif (!page) {\n\t\t/*\n\t\t * Uh-oh: page gone missing, cache is useless\n\t\t */\n\t\tif (fi->rdc.version == ff->readdir.version)\n\t\t\tfuse_rdc_reset(inode);\n\t\tgoto retry_locked;\n\t}\n\n\t/* Make sure it's still the same version after getting the page. */\n\tif (ff->readdir.version != fi->rdc.version) {\n\t\tspin_unlock(&fi->rdc.lock);\n\t\tunlock_page(page);\n\t\tput_page(page);\n\t\tgoto retry;\n\t}\n\tspin_unlock(&fi->rdc.lock);\n\n\t/*\n\t * Contents of the page are now protected against changing by holding\n\t * the page lock.\n\t */\n\taddr = kmap(page);\n\tres = fuse_parse_cache(ff, addr, size, ctx);\n\tkunmap(page);\n\tunlock_page(page);\n\tput_page(page);\n\n\tif (res == FOUND_ERR)\n\t\treturn -EIO;\n\n\tif (res == FOUND_ALL)\n\t\treturn 0;\n\n\tif (size == PAGE_SIZE) {\n\t\t/* We hit end of page: skip to next page. */\n\t\tff->readdir.cache_off = ALIGN(ff->readdir.cache_off, PAGE_SIZE);\n\t\tgoto retry;\n\t}\n\n\t/*\n\t * End of cache reached. If found position, then we are done, otherwise\n\t * need to fall back to uncached, since the position we were looking for\n\t * wasn't in the cache.\n\t */\n\treturn res == FOUND_SOME ? 0 : UNCACHED;\n}", "project": "linux", "hash": 338035821784858571180262289438918056044, "size": 133, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. 
After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341956 }, { "func": "static int kvm_vcpu_ioctl_enable_cap(struct kvm_vcpu *vcpu,\n\t\t\t\t struct kvm_enable_cap *cap)\n{\n\tint r;\n\n\tif (cap->flags)\n\t\treturn -EINVAL;\n\n\tswitch (cap->cap) {\n\tcase KVM_CAP_S390_CSS_SUPPORT:\n\t\tif (!vcpu->kvm->arch.css_support) {\n\t\t\tvcpu->kvm->arch.css_support = 1;\n\t\t\tVM_EVENT(vcpu->kvm, 3, \"%s\", \"ENABLE: CSS support\");\n\t\t\ttrace_kvm_s390_enable_css(vcpu->kvm);\n\t\t}\n\t\tr = 0;\n\t\tbreak;\n\tdefault:\n\t\tr = -EINVAL;\n\t\tbreak;\n\t}\n\treturn r;\n}", "project": "linux", "hash": 114631061285672388395605176926459772051, "size": 23, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 
0, "dataset": "other", "idx": 354741 }, { "func": "static int kvm_s390_set_tod_low(struct kvm *kvm, struct kvm_device_attr *attr)\n{\n\tstruct kvm_s390_vm_tod_clock gtod = { 0 };\n\n\tif (copy_from_user(>od.tod, (void __user *)attr->addr,\n\t\t\t sizeof(gtod.tod)))\n\t\treturn -EFAULT;\n\n\tkvm_s390_set_tod_clock(kvm, >od);\n\tVM_EVENT(kvm, 3, \"SET: TOD base: 0x%llx\", gtod.tod);\n\treturn 0;\n}", "project": "linux", "hash": 34936031980655568204979737675469645181, "size": 12, "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai \nCc: Peter Xu \nSigned-off-by: Sean Christopherson \nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 354550 }, { "func": "static int nfs4_find_root_sec(struct nfs_server *server, struct nfs_fh *fhandle,\n\t\t\t struct nfs_fsinfo *info)\n{\n\t/* Per 3530bis 15.33.5 */\n\tstatic const rpc_authflavor_t flav_array[] = {\n\t\tRPC_AUTH_GSS_KRB5P,\n\t\tRPC_AUTH_GSS_KRB5I,\n\t\tRPC_AUTH_GSS_KRB5,\n\t\tRPC_AUTH_UNIX,\t\t\t/* courtesy */\n\t\tRPC_AUTH_NULL,\n\t};\n\tint status = -EPERM;\n\tsize_t i;\n\n\tif (server->auth_info.flavor_len > 0) {\n\t\t/* try each flavor specified by user */\n\t\tfor (i = 0; i < server->auth_info.flavor_len; i++) {\n\t\t\tstatus = nfs4_lookup_root_sec(server, fhandle, info,\n\t\t\t\t\t\tserver->auth_info.flavors[i]);\n\t\t\tif (status == -NFS4ERR_WRONGSEC || status == -EACCES)\n\t\t\t\tcontinue;\n\t\t\tbreak;\n\t\t}\n\t} else {\n\t\t/* no flavors 
specified by user, try default list */\n\t\tfor (i = 0; i < ARRAY_SIZE(flav_array); i++) {\n\t\t\tstatus = nfs4_lookup_root_sec(server, fhandle, info,\n\t\t\t\t\t\t flav_array[i]);\n\t\t\tif (status == -NFS4ERR_WRONGSEC || status == -EACCES)\n\t\t\t\tcontinue;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\t/*\n\t * -EACCES could mean that the user doesn't have correct permissions\n\t * to access the mount. It could also mean that we tried to mount\n\t * with a gss auth flavor, but rpc.gssd isn't running. Either way,\n\t * existing mount programs don't handle -EACCES very well so it should\n\t * be mapped to -EPERM instead.\n\t */\n\tif (status == -EACCES)\n\t\tstatus = -EPERM;\n\treturn status;\n}", "project": "linux", "hash": 173649899198381896490391953891449874501, "size": 45, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431616 } ] }, { "call_depth": 14, "longest_call_chain": [ "mp4boxMain", "gf_isom_open_segment", "gf_isom_parse_movie_boxes", "gf_isom_parse_movie_boxes_internal", "MergeFragment", "SetTrackDuration", "Media_SetDuration", "Media_GetESD", "HEVC_RewriteESDescriptorEx", "merge_all_config", "merge_avc_config", "AVC_DuplicateConfig", "gf_isom_get_avc_svc_type", "gf_isom_is_video_handler_type" ], "group_size": 500, "functions": [ { "func": "GF_Err gf_isom_dump_supported_box(u32 idx, FILE * trace)\n{\n\tu32 i;\n\tu32 nb_versions=0;\n\tGF_Err e;\n\tGF_Box *a;\n\n\tif (box_registry[idx].max_version_plus_one) {\n\t\tnb_versions = box_registry[idx].max_version_plus_one - 1;\n\t}\n\tfor (i = 0; i <= nb_versions; i++) {\n\t\ta = 
gf_isom_box_new(box_registry[idx].box_4cc);\n\t\ta->registry = &box_registry[idx];\n\n\t\tif (box_registry[idx].alt_4cc) {\n\t\t\tif (a->type==GF_ISOM_BOX_TYPE_REFT)\n\t\t\t\t((GF_TrackReferenceTypeBox*)a)->reference_type = box_registry[idx].alt_4cc;\n\t\t\telse if (a->type==GF_ISOM_BOX_TYPE_REFI)\n\t\t\t\t((GF_ItemReferenceTypeBox*)a)->reference_type = box_registry[idx].alt_4cc;\n\t\t\telse if (a->type==GF_ISOM_BOX_TYPE_TRGT)\n\t\t\t\t((GF_TrackGroupTypeBox*)a)->group_type = box_registry[idx].alt_4cc;\n\t\t\telse if (a->type==GF_ISOM_BOX_TYPE_SGPD)\n\t\t\t\t((GF_SampleGroupDescriptionBox*)a)->grouping_type = box_registry[idx].alt_4cc;\n\t\t\telse if (a->type==GF_ISOM_BOX_TYPE_GRPT)\n\t\t\t\t((GF_EntityToGroupTypeBox*)a)->grouping_type = box_registry[idx].alt_4cc;\n\t\t}\n\t\tif (box_registry[idx].max_version_plus_one) {\n\t\t\t((GF_FullBox *)a)->version = i;\n\t\t}\n\t\tif (box_registry[idx].flags) {\n\t\t\tu32 flag_mask=1;\n\t\t\tu32 flags = box_registry[idx].flags;\n\t\t\t((GF_FullBox *)a)->flags = 0;\n\t\t\te = gf_isom_box_dump(a, trace);\n\n\t\t\t//we dump all flags individually and this for all version, in order to simplify the XSLT processing\n\t\t\twhile (!e) {\n\t\t\t\tu32 flag = flags & flag_mask;\n\t\t\t\tflag_mask <<= 1;\n\t\t\t\tif (flag) {\n\t\t\t\t\t((GF_FullBox *)a)->flags = flag;\n\t\t\t\t\te = gf_isom_box_dump(a, trace);\n\t\t\t\t}\n\t\t\t\tif (flag_mask > flags) break;\n\t\t\t\tif (flag_mask == 0x80000000) break;\n\t\t\t}\n\n\t\t} else {\n\t\t\te = gf_isom_box_dump(a, trace);\n\t\t}\n\n\t\tgf_isom_box_del(a);\n\t}\n\treturn e;\n}", "project": "gpac", "hash": 57564363842551154814892758217012086202, "size": 55, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224908 }, { "func": "GF_EXPORT\nBool gf_isom_get_tile_info(GF_ISOFile *file, u32 trackNumber, u32 sample_description_index, u32 *default_sample_group_index, u32 *id, u32 *independent, Bool 
*full_picture, u32 *x, u32 *y, u32 *w, u32 *h)\n{\n\tconst u8 *data;\n\tu32 size;\n\n\tif (!gf_isom_get_sample_group_info(file, trackNumber, sample_description_index, GF_ISOM_SAMPLE_GROUP_TRIF, default_sample_group_index, &data, &size))\n\t\treturn GF_FALSE;\n\tgf_isom_parse_trif_info(data, size, id, independent, full_picture, x, y, w, h);\n\treturn GF_TRUE;", "project": "gpac", "hash": 123163745250489220653817285372466874459, "size": 10, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246801 }, { "func": "void gf_isom_push_mdat_end(GF_ISOFile *mov, u64 mdat_end)\n{\n\tu32 i, count;\n\tif (!mov || !mov->moov) return;\n\t\n\tcount = gf_list_count(mov->moov->trackList);\n\tfor (i=0; imoov->trackList, i);\n\t\tif (!trak->Media->information->sampleTable->traf_map) continue;\n\n\t\ttraf_map = trak->Media->information->sampleTable->traf_map;\n\t\tfor (j=traf_map->nb_entries; j>0; j--) {\n\t\t\tif (!traf_map->frag_starts[j-1].mdat_end) {\n\t\t\t\ttraf_map->frag_starts[j-1].mdat_end = mdat_end;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n}", "project": "gpac", "hash": 179341666237858911096085025324869930447, "size": 21, "commit_id": "fe5155cf047252d1c4cb91602048bfa682af0ea7", "message": "fixed #1783 (fuzz)", "target": 0, "dataset": "other", "idx": 271714 }, { "func": "GF_Err MergeTrack(GF_TrackBox *trak, GF_TrackFragmentBox *traf, GF_MovieFragmentBox *moof_box, u64 moof_offset, s32 compressed_diff, u64 *cumulated_offset, Bool is_first_merge)\n{\n\tu32 i, j, chunk_size, track_num;\n\tu64 base_offset, data_offset, traf_duration;\n\tu32 def_duration, DescIndex, def_size, def_flags;\n\tu32 duration, size, flags, prev_trun_data_offset, sample_index;\n\tu8 pad, sync;\n\tu16 degr;\n\tBool first_samp_in_traf=GF_TRUE;\n\tBool store_traf_map=GF_FALSE;\n\tu8 *moof_template=NULL;\n\tu32 moof_template_size=0;\n\tBool is_seg_start = GF_FALSE;\n\tu64 seg_start=0, sidx_start=0, sidx_end=0, frag_start=0, 
last_dts=0;\n\tGF_TrackFragmentRunBox *trun;\n\tGF_TrunEntry *ent;\n#ifdef GF_ENABLE_CTRN\n\tGF_TrackFragmentBox *traf_ref = NULL;\n#endif\n\n\tGF_Err stbl_AppendTime(GF_SampleTableBox *stbl, u32 duration, u32 nb_pack);\n\tGF_Err stbl_AppendSize(GF_SampleTableBox *stbl, u32 size, u32 nb_pack);\n\tGF_Err stbl_AppendChunk(GF_SampleTableBox *stbl, u64 offset);\n\tGF_Err stbl_AppendSampleToChunk(GF_SampleTableBox *stbl, u32 DescIndex, u32 samplesInChunk);\n\tGF_Err stbl_AppendCTSOffset(GF_SampleTableBox *stbl, s32 CTSOffset);\n\tGF_Err stbl_AppendRAP(GF_SampleTableBox *stbl, u8 isRap);\n\tGF_Err stbl_AppendPadding(GF_SampleTableBox *stbl, u8 padding);\n\tGF_Err stbl_AppendDegradation(GF_SampleTableBox *stbl, u16 DegradationPriority);\n\n\tif (trak->Header->trackID != traf->tfhd->trackID) return GF_OK;\n\tif (!trak->Media->information->sampleTable\n\t\t|| !trak->Media->information->sampleTable->SampleSize\n\t\t|| !trak->Media->information->sampleTable->TimeToSample\n\t\t|| !trak->Media->information->sampleTable->SampleToChunk\n\t\t|| !trak->Media->information->sampleTable->ChunkOffset\n\t) {\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\n\tif (!traf->trex->track)\n\t\ttraf->trex->track = trak;\n\n\t//setup all our defaults\n\tDescIndex = (traf->tfhd->flags & GF_ISOM_TRAF_SAMPLE_DESC) ? traf->tfhd->sample_desc_index : traf->trex->def_sample_desc_index;\n\tif (!DescIndex) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] default sample description set to 0, likely broken ! Fixing to 1\\n\" ));\n\t\tDescIndex = 1;\n\t} else if (DescIndex > gf_list_count(trak->Media->information->sampleTable->SampleDescription->child_boxes)) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] default sample description set to %d but only %d sample description(s), likely broken ! 
Fixing to 1\\n\", DescIndex, gf_list_count(trak->Media->information->sampleTable->SampleDescription->child_boxes)));\n\t\tDescIndex = 1;\n\t}\n#ifdef GF_ENABLE_CTRN\n\tif (traf->trex->inherit_from_traf_id) {\n\t\tu32 traf_count = gf_list_count(moof_box->TrackList);\n\t\tfor (i=0; iTrackList, i);\n\t\t\tif (atraf->tfhd && atraf->tfhd->trackID==traf->trex->inherit_from_traf_id) {\n\t\t\t\ttraf_ref = atraf;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n#endif\n\n\tdef_duration = (traf->tfhd->flags & GF_ISOM_TRAF_SAMPLE_DUR) ? traf->tfhd->def_sample_duration : traf->trex->def_sample_duration;\n\tdef_size = (traf->tfhd->flags & GF_ISOM_TRAF_SAMPLE_SIZE) ? traf->tfhd->def_sample_size : traf->trex->def_sample_size;\n\tdef_flags = (traf->tfhd->flags & GF_ISOM_TRAF_SAMPLE_FLAGS) ? traf->tfhd->def_sample_flags : traf->trex->def_sample_flags;\n\n\t//locate base offset, by default use moof (dash-like)\n\tbase_offset = moof_offset;\n\t//explicit base offset, use it\n\tif (traf->tfhd->flags & GF_ISOM_TRAF_BASE_OFFSET)\n\t\tbase_offset = traf->tfhd->base_data_offset;\n\t//no moof offset and no explicit offset, the offset is the end of the last written chunk of\n\t//the previous traf. 
For the first traf, *cumulated_offset is actually moof offset\n\telse if (!(traf->tfhd->flags & GF_ISOM_MOOF_BASE_OFFSET))\n\t\tbase_offset = *cumulated_offset;\n\n\tchunk_size = 0;\n\tprev_trun_data_offset = 0;\n\tdata_offset = 0;\n\ttraf_duration = 0;\n\n\t/*in playback mode*/\n\tif (traf->tfdt && is_first_merge) {\n#ifndef GPAC_DISABLE_LOG\n\t\tif (trak->moov->mov->NextMoofNumber && trak->present_in_scalable_segment && trak->sample_count_at_seg_start && (trak->dts_at_seg_start != traf->tfdt->baseMediaDecodeTime)) {\n\t\t\ts32 drift = (s32) ((s64) traf->tfdt->baseMediaDecodeTime - (s64)trak->dts_at_seg_start);\n\t\t\tif (drift<0) {\n\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Warning: TFDT timing \"LLD\" less than cumulated timing \"LLD\" - using tfdt\\n\", traf->tfdt->baseMediaDecodeTime, trak->dts_at_seg_start ));\n\t\t\t} else {\n\t\t\t\tGF_LOG(GF_LOG_INFO, GF_LOG_CONTAINER, (\"[iso file] TFDT timing \"LLD\" higher than cumulated timing \"LLD\" (last sample got extended in duration)\\n\", traf->tfdt->baseMediaDecodeTime, trak->dts_at_seg_start ));\n\t\t\t}\n\t\t}\n#endif\n\t\ttrak->dts_at_seg_start = traf->tfdt->baseMediaDecodeTime;\n\t}\n\telse if (traf->tfxd) {\n\t\ttrak->dts_at_seg_start = traf->tfxd->absolute_time_in_track_timescale;\n\t}\n\n\tif (traf->tfxd) {\n\t\ttrak->last_tfxd_value = traf->tfxd->absolute_time_in_track_timescale;\n\t\ttrak->last_tfxd_value += traf->tfxd->fragment_duration_in_track_timescale;\n\t}\n\tif (traf->tfrf) {\n\t\tif (trak->tfrf) gf_isom_box_del_parent(&trak->child_boxes, (GF_Box *)trak->tfrf);\n\t\ttrak->tfrf = traf->tfrf;\n\t\tgf_list_del_item(traf->child_boxes, traf->tfrf);\n\t\tgf_list_add(trak->child_boxes, trak->tfrf);\n\t}\n\n\tif (trak->moov->mov->signal_frag_bounds) {\n\t\tstore_traf_map = GF_TRUE;\n\t\tif (is_first_merge) {\n\t\t\tGF_MovieFragmentBox *moof_clone = NULL;\n\t\t\tgf_isom_box_freeze_order((GF_Box *)moof_box);\n\t\t\tgf_isom_clone_box((GF_Box *)moof_box, (GF_Box 
**)&moof_clone);\n\n\t\t\tif (moof_clone) {\n\t\t\t\tGF_BitStream *bs;\n\t\t\t\tfor (i=0; iTrackList); i++) {\n\t\t\t\t\tGF_TrackFragmentBox *traf_clone = gf_list_get(moof_clone->TrackList, i);\n\t\t\t\t\tgf_isom_box_array_reset_parent(&traf_clone->child_boxes, traf_clone->TrackRuns);\n\t\t\t\t\tgf_isom_box_array_reset_parent(&traf_clone->child_boxes, traf_clone->sampleGroups);\n\t\t\t\t\tgf_isom_box_array_reset_parent(&traf_clone->child_boxes, traf_clone->sampleGroupsDescription);\n\t\t\t\t\tgf_isom_box_array_reset_parent(&traf_clone->child_boxes, traf_clone->sub_samples);\n\t\t\t\t\tgf_isom_box_array_reset_parent(&traf_clone->child_boxes, traf_clone->sai_offsets);\n\t\t\t\t\tgf_isom_box_array_reset_parent(&traf_clone->child_boxes, traf_clone->sai_sizes);\n\t\t\t\t\tif (traf_clone->sample_encryption) {\n\t\t\t\t\t\tgf_isom_box_del_parent(&traf_clone->child_boxes, (GF_Box *) traf_clone->sample_encryption);\n\t\t\t\t\t\ttraf_clone->sample_encryption = NULL;\n\t\t\t\t\t}\n\t\t\t\t\tif (traf_clone->sdtp) {\n\t\t\t\t\t\tgf_isom_box_del_parent(&traf_clone->child_boxes, (GF_Box *) traf_clone->sdtp);\n\t\t\t\t\t\ttraf_clone->sdtp = NULL;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tgf_isom_box_size((GF_Box *)moof_clone);\n\t\t\t\tbs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\n\t\t\t\tif (trak->moov->mov->seg_styp) {\n\t\t\t\t\tgf_isom_box_size(trak->moov->mov->seg_styp);\n\t\t\t\t\tgf_isom_box_write(trak->moov->mov->seg_styp, bs);\n\t\t\t\t}\n\t\t\t\tif (trak->moov->mov->root_sidx) {\n\t\t\t\t\tgf_isom_box_size((GF_Box *)trak->moov->mov->root_sidx);\n\t\t\t\t\tgf_isom_box_write((GF_Box *)trak->moov->mov->root_sidx, bs);\n\t\t\t\t}\n\t\t\t\tif (trak->moov->mov->seg_ssix) {\n\t\t\t\t\tgf_isom_box_size(trak->moov->mov->seg_ssix);\n\t\t\t\t\tgf_isom_box_write(trak->moov->mov->seg_ssix, bs);\n\t\t\t\t}\n\t\t\t\tgf_isom_box_write((GF_Box *)moof_clone, bs);\n\t\t\t\tgf_isom_box_del((GF_Box*)moof_clone);\n\n\t\t\t\tgf_bs_get_content(bs, &moof_template, 
&moof_template_size);\n\t\t\t\tgf_bs_del(bs);\n\t\t\t}\n\t\t}\n\t\tif (trak->moov->mov->seg_styp) {\n\t\t\tis_seg_start = GF_TRUE;\n\t\t\tseg_start = trak->moov->mov->styp_start_offset;\n\t\t}\n\t\tif (trak->moov->mov->root_sidx) {\n\t\t\tis_seg_start = GF_TRUE;\n\t\t\tsidx_start = trak->moov->mov->sidx_start_offset;\n\t\t\tsidx_end = trak->moov->mov->sidx_end_offset;\n\t\t\tif (! seg_start || (sidx_startmoov->mov->current_top_box_start;\n\t}\n\telse if (trak->moov->mov->store_traf_map) {\n\t\tstore_traf_map = GF_TRUE;\n\t}\n\n\n\tsample_index = 0;\n\ti=0;\n\twhile ((trun = (GF_TrackFragmentRunBox *)gf_list_enum(traf->TrackRuns, &i))) {\n\t\t//merge the run\n\t\tfor (j=0; jsample_count; j++) {\n\t\t\tGF_Err e;\n\t\t\ts32 cts_offset=0;\n\t\t\tif (jnb_samples) {\n\t\t\t\tent = &trun->samples[j];\n\t\t\t} else {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Track %d doesn't have enough trun entries (%d) compared to sample count (%d) in run\\n\", traf->trex->trackID, trun->nb_samples, trun->sample_count ));\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tsize = def_size;\n\t\t\tduration = def_duration;\n\t\t\tflags = def_flags;\n\n\t\t\t//CTS - if flag not set (trun or ctrn) defaults to 0 which is the base value after alloc\n\t\t\t//we just need to overrite its value if inherited\n\t\t\tcts_offset = ent->CTS_Offset;\n\n#ifdef GF_ENABLE_CTRN\n\t\t\tif (trun->use_ctrn) {\n\t\t\t\tif (!j && (trun->ctrn_flags & GF_ISOM_CTRN_FIRST_SAMPLE) ) {\n\t\t\t\t\tif (trun->ctrn_first_dur) duration = ent->Duration;\n\t\t\t\t\tif (trun->ctrn_first_size) size = ent->size;\n\t\t\t\t\tif (trun->ctrn_first_ctts) flags = ent->flags;\n\t\t\t\t} else {\n\t\t\t\t\tif (trun->ctrn_dur) duration = ent->Duration;\n\t\t\t\t\tif (trun->ctrn_size) size = ent->size;\n\t\t\t\t\tif (trun->ctrn_sample_flags) flags = ent->flags;\n\t\t\t\t}\n\t\t\t\t/*re-override*/\n\t\t\t\tif (trun->ctrn_flags & 0xF0) {\n\t\t\t\t\tGF_TrunEntry *ref_entry;\n\t\t\t\t\tif (!traf_ref) {\n\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, 
GF_LOG_CONTAINER, (\"[iso file] Track %d use traf inheritance to track ID %d but reference traf not found\\n\", traf->trex->trackID, traf->trex->inherit_from_traf_id ));\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\tref_entry = traf_get_sample_entry(traf_ref, sample_index);\n\t\t\t\t\tif (!ref_entry) {\n\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Track %d use traf inheritance but sample %d not found in reference traf\\n\", traf->trex->trackID, sample_index+1 ));\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\tif (trun->ctrn_flags & GF_ISOM_CTRN_INHERIT_DUR)\n\t\t\t\t\t\tduration = ref_entry->Duration;\n\t\t\t\t\tif (trun->ctrn_flags & GF_ISOM_CTRN_INHERIT_SIZE)\n\t\t\t\t\t\tsize = ref_entry->size;\n\t\t\t\t\tif (trun->ctrn_flags & GF_ISOM_CTRN_INHERIT_FLAGS)\n\t\t\t\t\t\tflags = ref_entry->flags;\n\t\t\t\t\tif (trun->ctrn_flags & GF_ISOM_CTRN_INHERIT_CTSO)\n\t\t\t\t\t\tcts_offset = ref_entry->CTS_Offset;\n\t\t\t\t}\n\n\t\t\t} else\n#endif\n\t\t\t{\n\t\t\t\tif (trun->flags & GF_ISOM_TRUN_DURATION) duration = ent->Duration;\n\t\t\t\tif (trun->flags & GF_ISOM_TRUN_SIZE) size = ent->size;\n\t\t\t\tif (trun->flags & GF_ISOM_TRUN_FLAGS) {\n\t\t\t\t\tflags = ent->flags;\n\t\t\t\t} else if (!j && (trun->flags & GF_ISOM_TRUN_FIRST_FLAG)) {\n\t\t\t\t\tflags = trun->first_sample_flags;\n\t\t\t\t}\n\t\t\t}\n\t\t\tsample_index++;\n\t\t\t/*store the resolved value in case we have inheritance*/\n\t\t\tent->size = size;\n\t\t\tent->Duration = duration;\n\t\t\tent->flags = flags;\n\t\t\tent->CTS_Offset = cts_offset;\n\n\t\t\tlast_dts += duration;\n\n\t\t\t//add size first\n\t\t\tif (!trak->Media->information->sampleTable->SampleSize) {\n\t\t\t\ttrak->Media->information->sampleTable->SampleSize = (GF_SampleSizeBox *) gf_isom_box_new_parent(&trak->Media->information->sampleTable->child_boxes, GF_ISOM_BOX_TYPE_STSZ);\n\t\t\t\tif (!trak->Media->information->sampleTable->SampleSize)\n\t\t\t\t\treturn GF_OUT_OF_MEM;\n\t\t\t}\n\t\t\te = 
stbl_AppendSize(trak->Media->information->sampleTable, size, ent->nb_pack);\n\t\t\tif (e) return e;\n\n\t\t\t//then TS\n\t\t\tif (!trak->Media->information->sampleTable->TimeToSample) {\n\t\t\t\ttrak->Media->information->sampleTable->TimeToSample = (GF_TimeToSampleBox *) gf_isom_box_new_parent(&trak->Media->information->sampleTable->child_boxes, GF_ISOM_BOX_TYPE_STTS);\n\t\t\t\tif (!trak->Media->information->sampleTable->TimeToSample)\n\t\t\t\t\treturn GF_OUT_OF_MEM;\n\t\t\t}\n\t\t\te = stbl_AppendTime(trak->Media->information->sampleTable, duration, ent->nb_pack);\n\t\t\tif (e) return e;\n\n\t\t\t//add chunk on first sample\n\t\t\tif (!j) {\n\t\t\t\tu64 final_offset;\n\t\t\t\tdata_offset = base_offset;\n\t\t\t\t//we have an explicit data offset for this trun\n\t\t\t\tif (trun->flags & GF_ISOM_TRUN_DATA_OFFSET) {\n\t\t\t\t\tdata_offset += trun->data_offset;\n\t\t\t\t\t/*reset chunk size since data is now relative to this trun*/\n\t\t\t\t\tchunk_size = 0;\n\t\t\t\t\t/*remember this data offset for following trun*/\n\t\t\t\t\tprev_trun_data_offset = trun->data_offset;\n\t\t\t\t\t/*if mdat is located after the moof, and the moof was compressed, adjust offset\n\t\t\t\t\totherwise the offset does not need adjustment*/\n\t\t\t\t\tif (trun->data_offset>=0) {\n\t\t\t\t\t\tdata_offset -= compressed_diff;\n\t\t\t\t\t\tprev_trun_data_offset -= compressed_diff;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t//we had an explicit data offset for the previous trun, use it + chunk size\n\t\t\t\telse if (prev_trun_data_offset) {\n\t\t\t\t\t/*data offset is previous chunk size plus previous offset of the trun*/\n\t\t\t\t\tdata_offset += prev_trun_data_offset + chunk_size;\n\t\t\t\t}\n\t\t\t\t//no explicit data offset, continuous data after last data in previous chunk\n\t\t\t\telse {\n\t\t\t\t\tdata_offset += chunk_size;\n\t\t\t\t\t//data offset of first trun in first traf, adjust if compressed moof\n\t\t\t\t\tif ((i==1) && (trun->data_offset>=0)) {\n\t\t\t\t\t\tdata_offset -= 
compressed_diff;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tfinal_offset = data_offset;\n\t\t\t\t//adjust offset if moov was also compressed and we are still in the same file\n\t\t\t\t//so that later call to gf_isom_get_sample properly adjust back the offset\n\t\t\t\tif (trak->moov->compressed_diff) {\n\t\t\t\t\tfinal_offset += trak->moov->compressed_diff;\n\t\t\t\t}\n\n\t\t\t\tif (!trak->Media->information->sampleTable->ChunkOffset) {\n\t\t\t\t\ttrak->Media->information->sampleTable->ChunkOffset = gf_isom_box_new_parent(&trak->Media->information->sampleTable->child_boxes, GF_ISOM_BOX_TYPE_STCO);\n\t\t\t\t\tif (!trak->Media->information->sampleTable->ChunkOffset)\n\t\t\t\t\t\treturn GF_OUT_OF_MEM;\n\t\t\t\t}\n\t\t\t\te = stbl_AppendChunk(trak->Media->information->sampleTable, final_offset);\n\t\t\t\tif (e) return e;\n\t\t\t\t//then sampleToChunk\n\t\t\t\tif (!trak->Media->information->sampleTable->SampleToChunk) {\n\t\t\t\t\ttrak->Media->information->sampleTable->SampleToChunk = (GF_SampleToChunkBox *) gf_isom_box_new_parent(&trak->Media->information->sampleTable->child_boxes, GF_ISOM_BOX_TYPE_STSC);\n\t\t\t\t\tif (!trak->Media->information->sampleTable->SampleToChunk)\n\t\t\t\t\t\treturn GF_OUT_OF_MEM;\n\t\t\t\t}\n\t\t\t\te = stbl_AppendSampleToChunk(trak->Media->information->sampleTable,\n\t\t\t\t DescIndex, trun->sample_count);\n\t\t\t\tif (e) return e;\n\t\t\t}\n\t\t\tchunk_size += size;\n\n\t\t\tif (store_traf_map && first_samp_in_traf) {\n\t\t\t\tfirst_samp_in_traf = GF_FALSE;\n\t\t\t\te = stbl_AppendTrafMap(trak->Media->information->sampleTable, is_seg_start, seg_start, frag_start, moof_template, moof_template_size, sidx_start, sidx_end);\n\t\t\t\tif (e) return e;\n\t\t\t\t//do not deallocate, the memory is now owned by traf map\n\t\t\t\tmoof_template = NULL;\n\t\t\t\tmoof_template_size = 0;\n\t\t\t}\n\t\t\tif (ent->nb_pack>1) {\n\t\t\t\tj+= ent->nb_pack-1;\n\t\t\t\ttraf_duration += ent->nb_pack*duration;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\ttraf_duration += 
duration;\n\n\t\t\te = stbl_AppendCTSOffset(trak->Media->information->sampleTable, cts_offset);\n\t\t\tif (e) return e;\n\t\t\t//flags\n\t\t\tsync = GF_ISOM_GET_FRAG_SYNC(flags);\n\t\t\tif (trak->Media->information->sampleTable->no_sync_found && sync) {\n\t\t\t\ttrak->Media->information->sampleTable->no_sync_found = 0;\n\t\t\t}\n\t\t\te = stbl_AppendRAP(trak->Media->information->sampleTable, sync);\n\t\t\tif (e) return e;\n\t\t\tpad = GF_ISOM_GET_FRAG_PAD(flags);\n\t\t\tif (pad) {\n\t\t\t\te = stbl_AppendPadding(trak->Media->information->sampleTable, pad);\n\t\t\t\tif (e) return e;\n\t\t\t}\n\t\t\tdegr = GF_ISOM_GET_FRAG_DEG(flags);\n\t\t\tif (degr) {\n\t\t\t\te = stbl_AppendDegradation(trak->Media->information->sampleTable, degr);\n\t\t\t\tif (e) return e;\n\t\t\t}\n\t\t\te = stbl_AppendDependencyType(trak->Media->information->sampleTable, GF_ISOM_GET_FRAG_LEAD(flags), GF_ISOM_GET_FRAG_DEPENDS(flags), GF_ISOM_GET_FRAG_DEPENDED(flags), GF_ISOM_GET_FRAG_REDUNDANT(flags));\n\t\t\tif (e) return e;\n\t\t}\n\t}\n\n\tif (trak->moov->mov->is_smooth && !traf->tfdt && !traf->tfxd) {\n\t\tif (is_first_merge)\n\t\t\ttrak->dts_at_seg_start = trak->dts_at_next_seg_start;\n\t\ttrak->dts_at_next_seg_start += last_dts;\n\t}\n\tif (traf_duration && trak->editBox && trak->editBox->editList) {\n\t\tfor (i=0; ieditBox->editList->entryList); i++) {\n\t\t\tGF_EdtsEntry *edts_e = gf_list_get(trak->editBox->editList->entryList, i);\n\t\t\tif (edts_e->was_empty_dur) {\n\t\t\t\tu64 extend_dur = traf_duration;\n\t\t\t\textend_dur *= trak->moov->mvhd->timeScale;\n\t\t\t\textend_dur /= trak->Media->mediaHeader->timeScale;\n\t\t\t\tedts_e->segmentDuration += extend_dur;\n\t\t\t}\n\t\t\telse if (!edts_e->segmentDuration) {\n\t\t\t\tedts_e->was_empty_dur = GF_TRUE;\n\t\t\t\tif ((s64) traf_duration > edts_e->mediaTime)\n\t\t\t\t\ttraf_duration -= edts_e->mediaTime;\n\t\t\t\telse\n\t\t\t\t\ttraf_duration = 0;\n\n\t\t\t\tedts_e->segmentDuration = traf_duration;\n\t\t\t\tedts_e->segmentDuration *= 
trak->moov->mvhd->timeScale;\n\t\t\t\tedts_e->segmentDuration /= trak->Media->mediaHeader->timeScale;\n\t\t\t}\n\n\t\t}\n\t}\n\n\t//in any case, update the cumulated offset\n\t//this will handle hypothetical files mixing MOOF offset and implicit non-moof offset\n\t*cumulated_offset = data_offset + chunk_size;\n\n\t/*merge sample groups*/\n\tif (traf->sampleGroups) {\n\t\tGF_List *groups;\n\t\tGF_List *groupDescs;\n\t\tBool is_identical_sgpd = GF_TRUE;\n\t\tu32 *new_idx = NULL, new_idx_count=0;\n\n\t\tif (!trak->Media->information->sampleTable->sampleGroups)\n\t\t\ttrak->Media->information->sampleTable->sampleGroups = gf_list_new();\n\n\t\tif (!trak->Media->information->sampleTable->sampleGroupsDescription)\n\t\t\ttrak->Media->information->sampleTable->sampleGroupsDescription = gf_list_new();\n\n\t\tgroupDescs = trak->Media->information->sampleTable->sampleGroupsDescription;\n\t\tfor (i=0; isampleGroupsDescription); i++) {\n\t\t\tGF_SampleGroupDescriptionBox *new_sgdesc = NULL;\n\t\t\tGF_SampleGroupDescriptionBox *sgdesc = gf_list_get(traf->sampleGroupsDescription, i);\n\t\t\tfor (j=0; jgrouping_type==sgdesc->grouping_type) break;\n\t\t\t\tnew_sgdesc = NULL;\n\t\t\t}\n\t\t\t/*new description, move it to our sample table*/\n\t\t\tif (!new_sgdesc) {\n\t\t\t\tgf_list_add(groupDescs, sgdesc);\n\t\t\t\tgf_list_add(trak->Media->information->sampleTable->child_boxes, sgdesc);\n\t\t\t\tgf_list_rem(traf->sampleGroupsDescription, i);\n\t\t\t\tgf_list_del_item(traf->child_boxes, sgdesc);\n\t\t\t\ti--;\n\t\t\t}\n\t\t\t/*merge descriptions*/\n\t\t\telse {\n\t\t\t\tu32 count;\n\n\t\t\t\tis_identical_sgpd = gf_isom_is_identical_sgpd(new_sgdesc, sgdesc, 0);\n\t\t\t\tif (is_identical_sgpd)\n\t\t\t\t\tcontinue;\n\n\t\t\t\tnew_idx_count = gf_list_count(sgdesc->group_descriptions);\n\t\t\t\tnew_idx = (u32 *)gf_malloc(new_idx_count * sizeof(u32));\n\t\t\t\tif (!new_idx) return GF_OUT_OF_MEM;\n\n\t\t\t\tcount = 0;\n\t\t\t\twhile (gf_list_count(sgdesc->group_descriptions)) 
{\n\t\t\t\t\tvoid *sgpd_entry = gf_list_get(sgdesc->group_descriptions, 0);\n\t\t\t\t\tBool new_entry = GF_TRUE;\n\n\t\t\t\t\tfor (j = 0; j < gf_list_count(new_sgdesc->group_descriptions); j++) {\n\t\t\t\t\t\tvoid *ptr = gf_list_get(new_sgdesc->group_descriptions, j);\n\t\t\t\t\t\tif (gf_isom_is_identical_sgpd(sgpd_entry, ptr, new_sgdesc->grouping_type)) {\n\t\t\t\t\t\t\tnew_idx[count] = j + 1;\n\t\t\t\t\t\t\tcount ++;\n\t\t\t\t\t\t\tnew_entry = GF_FALSE;\n\t\t\t\t\t\t\tgf_free(sgpd_entry);\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif (new_entry) {\n\t\t\t\t\t\tgf_list_add(new_sgdesc->group_descriptions, sgpd_entry);\n\t\t\t\t\t\tnew_idx[count] = gf_list_count(new_sgdesc->group_descriptions);\n\t\t\t\t\t\tcount ++;\n\t\t\t\t\t}\n\n\t\t\t\t\tgf_list_rem(sgdesc->group_descriptions, 0);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tgroups = trak->Media->information->sampleTable->sampleGroups;\n\t\tfor (i=0; isampleGroups); i++) {\n\t\t\tGF_SampleGroupBox *stbl_group = NULL;\n\t\t\tGF_SampleGroupBox *frag_group = gf_list_get(traf->sampleGroups, i);\n\n\n\t\t\tfor (j=0; jgrouping_type==stbl_group->grouping_type) && (frag_group->grouping_type_parameter==stbl_group->grouping_type_parameter))\n\t\t\t\t\tbreak;\n\t\t\t\tstbl_group = NULL;\n\t\t\t}\n\t\t\tif (!stbl_group) {\n\t\t\t\tstbl_group = (GF_SampleGroupBox *) gf_isom_box_new_parent(&trak->Media->information->sampleTable->child_boxes, GF_ISOM_BOX_TYPE_SBGP);\n\t\t\t\tif (!stbl_group) return GF_OUT_OF_MEM;\n\t\t\t\tstbl_group->grouping_type = frag_group->grouping_type;\n\t\t\t\tstbl_group->grouping_type_parameter = frag_group->grouping_type_parameter;\n\t\t\t\tstbl_group->version = frag_group->version;\n\t\t\t\tgf_list_add(groups, stbl_group);\n\t\t\t}\n\n\t\t\tif (is_identical_sgpd) {\n\t\t\t\t//adjust sgpd index: in traf index start at 0x1001\n\t\t\t\tfor (j = 0; j < frag_group->entry_count; j++)\n\t\t\t\t\tfrag_group->sample_entries[j].group_description_index &= 0x0FFFF;\n\t\t\t\tif (frag_group->entry_count 
&& stbl_group->entry_count &&\n\t\t\t\t (frag_group->sample_entries[0].group_description_index==stbl_group->sample_entries[stbl_group->entry_count-1].group_description_index)\n\t\t\t\t ) {\n\t\t\t\t\tstbl_group->sample_entries[stbl_group->entry_count - 1].sample_count += frag_group->sample_entries[0].sample_count;\n\t\t\t\t\tif (frag_group->entry_count>1) {\n\t\t\t\t\t\tstbl_group->sample_entries = gf_realloc(stbl_group->sample_entries, sizeof(GF_SampleGroupEntry) * (stbl_group->entry_count + frag_group->entry_count - 1));\n\t\t\t\t\t\tmemcpy(&stbl_group->sample_entries[stbl_group->entry_count], &frag_group->sample_entries[1], sizeof(GF_SampleGroupEntry) * (frag_group->entry_count - 1));\n\t\t\t\t\t\tstbl_group->entry_count += frag_group->entry_count - 1;\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tstbl_group->sample_entries = gf_realloc(stbl_group->sample_entries, sizeof(GF_SampleGroupEntry) * (stbl_group->entry_count + frag_group->entry_count));\n\t\t\t\t\tmemcpy(&stbl_group->sample_entries[stbl_group->entry_count], &frag_group->sample_entries[0], sizeof(GF_SampleGroupEntry) * frag_group->entry_count);\n\t\t\t\t\tstbl_group->entry_count += frag_group->entry_count;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tstbl_group->sample_entries = gf_realloc(stbl_group->sample_entries, sizeof(GF_SampleGroupEntry) * (stbl_group->entry_count + frag_group->entry_count));\n\t\t\t\t//adjust sgpd index\n\t\t\t\tfor (j = 0; j < frag_group->entry_count; j++) {\n\t\t\t\t\tu32 sgidx = frag_group->sample_entries[j].group_description_index;\n\t\t\t\t\tif (sgidx > 0x10000) {\n\t\t\t\t\t\tsgidx -= 0x10001;\n\t\t\t\t\t\tif (sgidx>=new_idx_count) {\n\t\t\t\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[isobmf] corrupted sample group index in fragment %d but only %d group descriptions in fragment\\n\", sgidx, new_idx_count));\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tfrag_group->sample_entries[j].group_description_index = 
new_idx[sgidx];\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tmemcpy(&stbl_group->sample_entries[stbl_group->entry_count], &frag_group->sample_entries[0], sizeof(GF_SampleGroupEntry) * frag_group->entry_count);\n\t\t\t\tstbl_group->entry_count += frag_group->entry_count;\n\t\t\t}\n\t\t}\n\n\t\tif (new_idx) gf_free(new_idx);\n\t}\n\n\t/*content is encrypted*/\n\ttrack_num = gf_isom_get_tracknum_from_id(trak->moov, trak->Header->trackID);\n\tif (gf_isom_is_cenc_media(trak->moov->mov, track_num, DescIndex)\n\t\t|| traf->sample_encryption) {\n\t\t/*Merge sample auxiliary encryption information*/\n\t\tGF_SampleEncryptionBox *senc = NULL;\n\t\tu32 scheme_type;\n\t\tgf_isom_get_cenc_info(trak->moov->mov, track_num, DescIndex, NULL, &scheme_type, NULL);\n\n\t\tif (traf->sample_encryption) {\n\t\t\tfor (i = 0; i < gf_list_count(trak->Media->information->sampleTable->child_boxes); i++) {\n\t\t\t\tGF_Box *a = (GF_Box *)gf_list_get(trak->Media->information->sampleTable->child_boxes, i);\n\t\t\t\tif (a->type != traf->sample_encryption->type) continue;\n\n\t\t\t\tif ((a->type ==GF_ISOM_BOX_TYPE_UUID) && (((GF_UUIDBox *)a)->internal_4cc == GF_ISOM_BOX_UUID_PSEC)) {\n\t\t\t\t\tsenc = (GF_SampleEncryptionBox *)a;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\telse if (a->type ==GF_ISOM_BOX_TYPE_SENC) {\n\t\t\t\t\tsenc = (GF_SampleEncryptionBox *)a;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (!senc && trak->sample_encryption)\n\t\t\t\tsenc = trak->sample_encryption;\n\n\t\t\tif (!senc) {\n\t\t\t\tif (traf->sample_encryption->piff_type==1) {\n\t\t\t\t\tsenc = (GF_SampleEncryptionBox *)gf_isom_create_piff_psec_box(1, 0x2, 0, 0, NULL);\n\t\t\t\t} else {\n\t\t\t\t\tsenc = gf_isom_create_samp_enc_box(1, 0x2);\n\t\t\t\t}\n\n\t\t\t\tif (!trak->Media->information->sampleTable->child_boxes) trak->Media->information->sampleTable->child_boxes = gf_list_new();\n\n\t\t\t\ttrak->sample_encryption = senc;\n\t\t\t\tif (!trak->child_boxes) trak->child_boxes = 
gf_list_new();\n\t\t\t\tgf_list_add(trak->child_boxes, senc);\n\t\t\t}\n\t\t}\n\n\t\t/*get sample auxiliary information by saiz/saio rather than by parsing senc box*/\n\t\tif (gf_isom_cenc_has_saiz_saio_traf(traf, scheme_type)) {\n\t\t\tu32 nb_saio;\n\t\t\tu32 aux_info_type;\n\t\t\tu64 offset;\n\t\t\tGF_Err e;\n\t\t\tBool is_encrypted;\n\t\t\tGF_SampleAuxiliaryInfoOffsetBox *saio = NULL;\n\t\t\tGF_SampleAuxiliaryInfoSizeBox *saiz = NULL;\n\n\t\t\toffset = nb_saio = 0;\n\n\t\t\tfor (i = 0; i < gf_list_count(traf->sai_offsets); i++) {\n\t\t\t\tsaio = (GF_SampleAuxiliaryInfoOffsetBox *)gf_list_get(traf->sai_offsets, i);\n\t\t\t\taux_info_type = saio->aux_info_type;\n\t\t\t\tif (!aux_info_type) aux_info_type = scheme_type;\n\n\t\t\t\t/*if we have only 1 sai_offsets, assume that its type is cenc*/\n\t\t\t\tif ((aux_info_type == GF_ISOM_CENC_SCHEME) || (aux_info_type == GF_ISOM_CBC_SCHEME) ||\n\t\t\t\t\t(aux_info_type == GF_ISOM_CENS_SCHEME) || (aux_info_type == GF_ISOM_CBCS_SCHEME) ||\n\t\t\t\t\t(gf_list_count(traf->sai_offsets) == 1)) {\n\t\t\t\t\toffset = saio->offsets[0] + moof_offset;\n\t\t\t\t\tnb_saio = saio->entry_count;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\tfor (i = 0; i < gf_list_count(traf->sai_sizes); i++) {\n\t\t\t\tsaiz = (GF_SampleAuxiliaryInfoSizeBox *)gf_list_get(traf->sai_sizes, i);\n\t\t\t\taux_info_type = saiz->aux_info_type;\n\t\t\t\tif (!aux_info_type) aux_info_type = scheme_type;\n\t\t\t\t/*if we have only 1 sai_sizes, assume that its type is cenc*/\n\t\t\t\tif ((aux_info_type == GF_ISOM_CENC_SCHEME) || (aux_info_type == GF_ISOM_CBC_SCHEME) ||\n\t\t\t\t\t(aux_info_type == GF_ISOM_CENS_SCHEME) || (aux_info_type == GF_ISOM_CBCS_SCHEME) ||\n\t\t\t\t\t(gf_list_count(traf->sai_sizes) == 1)) {\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (saiz && saio && senc) {\n\t\t\t\tfor (i = 0; i < saiz->sample_count; i++) {\n\t\t\t\t\tGF_CENCSampleAuxInfo *sai;\n\t\t\t\t\tconst u8 *key_info=NULL;\n\t\t\t\t\tu32 key_info_size;\n\t\t\t\t\tu64 
cur_position;\n\t\t\t\t\tif (nb_saio != 1)\n\t\t\t\t\t\toffset = saio->offsets[i] + moof_offset;\n\t\t\t\t\tsize = saiz->default_sample_info_size ? saiz->default_sample_info_size : saiz->sample_info_size[i];\n\n\t\t\t\t\tcur_position = gf_bs_get_position(trak->moov->mov->movieFileMap->bs);\n\t\t\t\t\tgf_bs_seek(trak->moov->mov->movieFileMap->bs, offset);\n\n\t\t\t\t\tGF_SAFEALLOC(sai, GF_CENCSampleAuxInfo);\n\t\t\t\t\tif (!sai) return GF_OUT_OF_MEM;\n\n\t\t\t\t\te = gf_isom_get_sample_cenc_info_internal(trak, traf, senc, i+1, &is_encrypted, NULL, NULL, &key_info, &key_info_size);\n\t\t\t\t\tif (e) {\n\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[isobmf] could not get cenc info for sample %d: %s\\n\", i+1, gf_error_to_string(e) ));\n\t\t\t\t\t\treturn e;\n\t\t\t\t\t}\n\n\t\t\t\t\tif (is_encrypted) {\n\t\t\t\t\t\tsai->cenc_data_size = size;\n\t\t\t\t\t\tsai->cenc_data = gf_malloc(sizeof(u8)*size);\n\t\t\t\t\t\tif (!sai->cenc_data) return GF_OUT_OF_MEM;\n\t\t\t\t\t\tgf_bs_read_data(trak->moov->mov->movieFileMap->bs, sai->cenc_data, sai->cenc_data_size);\n\t\t\t\t\t} else {\n\t\t\t\t\t\tsai->isNotProtected=1;\n\t\t\t\t\t}\n\n\t\t\t\t\tif (key_info) {\n\t\t\t\t\t\t//not multikey\n\t\t\t\t\t\tif (!key_info[0]) {\n\t\t\t\t\t\t\t//size greater than IV\n\t\t\t\t\t\t\tif (size > key_info[3])\n\t\t\t\t\t\t\t\tsenc->flags = 0x00000002;\n\t\t\t\t\t\t}\n\t\t\t\t\t\t//multikey, always use subsamples\n\t\t\t\t\t\telse {\n\t\t\t\t\t\t\tsenc->flags = 0x00000002;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\n\t\t\t\t\tgf_bs_seek(trak->moov->mov->movieFileMap->bs, cur_position);\n\n\t\t\t\t\tgf_list_add(senc->samp_aux_info, sai);\n\n\t\t\t\t\te = gf_isom_cenc_merge_saiz_saio(senc, trak->Media->information->sampleTable, offset, size);\n\t\t\t\t\tif (e) return e;\n\t\t\t\t\tif (nb_saio == 1)\n\t\t\t\t\t\toffset += size;\n\t\t\t\t}\n\t\t\t}\n\t\t} else if (traf->sample_encryption) {\n\t\t\tsenc_Parse(trak->moov->mov->movieFileMap->bs, trak, traf, 
traf->sample_encryption);\n\t\t\ttrak->sample_encryption->AlgorithmID = traf->sample_encryption->AlgorithmID;\n\t\t\tif (!trak->sample_encryption->IV_size)\n\t\t\t\ttrak->sample_encryption->IV_size = traf->sample_encryption->IV_size;\n\t\t\tif (!trak->sample_encryption->samp_aux_info) trak->sample_encryption->samp_aux_info = gf_list_new();\n\t\t\tgf_list_transfer(trak->sample_encryption->samp_aux_info, traf->sample_encryption->samp_aux_info);\n\t\t\tif (traf->sample_encryption->flags & 0x00000002)\n\t\t\t\ttrak->sample_encryption->flags |= 0x00000002;\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 149457244667447276186807458417399459366, "size": 677, "commit_id": "df8fffd839fe5ae9acd82d26fd48280a397411d9", "message": "fixed #1736", "target": 1, "dataset": "other", "idx": 198316 }, { "func": "GF_Err MergeTrack(GF_TrackBox *trak, GF_TrackFragmentBox *traf, GF_MovieFragmentBox *moof_box, u64 moof_offset, s32 compressed_diff, u64 *cumulated_offset, Bool is_first_merge)\n{\n\tu32 i, j, chunk_size, track_num;\n\tu64 base_offset, data_offset, traf_duration;\n\tu32 def_duration, DescIndex, def_size, def_flags;\n\tu32 duration, size, flags, prev_trun_data_offset, sample_index;\n\tu8 pad, sync;\n\tu16 degr;\n\tBool first_samp_in_traf=GF_TRUE;\n\tBool store_traf_map=GF_FALSE;\n\tu8 *moof_template=NULL;\n\tu32 moof_template_size=0;\n\tBool is_seg_start = GF_FALSE;\n\tu64 seg_start=0, sidx_start=0, sidx_end=0, frag_start=0, last_dts=0;\n\tGF_TrackFragmentRunBox *trun;\n\tGF_TrunEntry *ent;\n#ifdef GF_ENABLE_CTRN\n\tGF_TrackFragmentBox *traf_ref = NULL;\n#endif\n\n\tGF_Err stbl_AppendTime(GF_SampleTableBox *stbl, u32 duration, u32 nb_pack);\n\tGF_Err stbl_AppendSize(GF_SampleTableBox *stbl, u32 size, u32 nb_pack);\n\tGF_Err stbl_AppendChunk(GF_SampleTableBox *stbl, u64 offset);\n\tGF_Err stbl_AppendSampleToChunk(GF_SampleTableBox *stbl, u32 DescIndex, u32 samplesInChunk);\n\tGF_Err stbl_AppendCTSOffset(GF_SampleTableBox *stbl, s32 CTSOffset);\n\tGF_Err 
stbl_AppendRAP(GF_SampleTableBox *stbl, u8 isRap);\n\tGF_Err stbl_AppendPadding(GF_SampleTableBox *stbl, u8 padding);\n\tGF_Err stbl_AppendDegradation(GF_SampleTableBox *stbl, u16 DegradationPriority);\n\n\tif (trak->Header->trackID != traf->tfhd->trackID) return GF_OK;\n\tif (!trak->Media->information->sampleTable\n\t\t|| !trak->Media->information->sampleTable->SampleSize\n\t\t|| !trak->Media->information->sampleTable->TimeToSample\n\t\t|| !trak->Media->information->sampleTable->SampleToChunk\n\t\t|| !trak->Media->information->sampleTable->ChunkOffset\n\t) {\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\n\tif (!traf->trex->track)\n\t\ttraf->trex->track = trak;\n\n\t//setup all our defaults\n\tDescIndex = (traf->tfhd->flags & GF_ISOM_TRAF_SAMPLE_DESC) ? traf->tfhd->sample_desc_index : traf->trex->def_sample_desc_index;\n\tif (!DescIndex) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] default sample description set to 0, likely broken ! Fixing to 1\\n\" ));\n\t\tDescIndex = 1;\n\t} else if (DescIndex > gf_list_count(trak->Media->information->sampleTable->SampleDescription->child_boxes)) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] default sample description set to %d but only %d sample description(s), likely broken ! Fixing to 1\\n\", DescIndex, gf_list_count(trak->Media->information->sampleTable->SampleDescription->child_boxes)));\n\t\tDescIndex = 1;\n\t}\n#ifdef GF_ENABLE_CTRN\n\tif (traf->trex->inherit_from_traf_id) {\n\t\tu32 traf_count = gf_list_count(moof_box->TrackList);\n\t\tfor (i=0; iTrackList, i);\n\t\t\tif (atraf->tfhd && atraf->tfhd->trackID==traf->trex->inherit_from_traf_id) {\n\t\t\t\ttraf_ref = atraf;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n#endif\n\n\tdef_duration = (traf->tfhd->flags & GF_ISOM_TRAF_SAMPLE_DUR) ? traf->tfhd->def_sample_duration : traf->trex->def_sample_duration;\n\tdef_size = (traf->tfhd->flags & GF_ISOM_TRAF_SAMPLE_SIZE) ? 
traf->tfhd->def_sample_size : traf->trex->def_sample_size;\n\tdef_flags = (traf->tfhd->flags & GF_ISOM_TRAF_SAMPLE_FLAGS) ? traf->tfhd->def_sample_flags : traf->trex->def_sample_flags;\n\n\t//locate base offset, by default use moof (dash-like)\n\tbase_offset = moof_offset;\n\t//explicit base offset, use it\n\tif (traf->tfhd->flags & GF_ISOM_TRAF_BASE_OFFSET)\n\t\tbase_offset = traf->tfhd->base_data_offset;\n\t//no moof offset and no explicit offset, the offset is the end of the last written chunk of\n\t//the previous traf. For the first traf, *cumulated_offset is actually moof offset\n\telse if (!(traf->tfhd->flags & GF_ISOM_MOOF_BASE_OFFSET))\n\t\tbase_offset = *cumulated_offset;\n\n\tchunk_size = 0;\n\tprev_trun_data_offset = 0;\n\tdata_offset = 0;\n\ttraf_duration = 0;\n\n\t/*in playback mode*/\n\tif (traf->tfdt && is_first_merge) {\n#ifndef GPAC_DISABLE_LOG\n\t\tif (trak->moov->mov->NextMoofNumber && trak->present_in_scalable_segment && trak->sample_count_at_seg_start && (trak->dts_at_seg_start != traf->tfdt->baseMediaDecodeTime)) {\n\t\t\ts32 drift = (s32) ((s64) traf->tfdt->baseMediaDecodeTime - (s64)trak->dts_at_seg_start);\n\t\t\tif (drift<0) {\n\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Warning: TFDT timing \"LLD\" less than cumulated timing \"LLD\" - using tfdt\\n\", traf->tfdt->baseMediaDecodeTime, trak->dts_at_seg_start ));\n\t\t\t} else {\n\t\t\t\tGF_LOG(GF_LOG_INFO, GF_LOG_CONTAINER, (\"[iso file] TFDT timing \"LLD\" higher than cumulated timing \"LLD\" (last sample got extended in duration)\\n\", traf->tfdt->baseMediaDecodeTime, trak->dts_at_seg_start ));\n\t\t\t}\n\t\t}\n#endif\n\t\ttrak->dts_at_seg_start = traf->tfdt->baseMediaDecodeTime;\n\t}\n\telse if (traf->tfxd) {\n\t\ttrak->dts_at_seg_start = traf->tfxd->absolute_time_in_track_timescale;\n\t}\n\n\tif (traf->tfxd) {\n\t\ttrak->last_tfxd_value = traf->tfxd->absolute_time_in_track_timescale;\n\t\ttrak->last_tfxd_value += 
traf->tfxd->fragment_duration_in_track_timescale;\n\t}\n\tif (traf->tfrf) {\n\t\tif (trak->tfrf) gf_isom_box_del_parent(&trak->child_boxes, (GF_Box *)trak->tfrf);\n\t\ttrak->tfrf = traf->tfrf;\n\t\tgf_list_del_item(traf->child_boxes, traf->tfrf);\n\t\tgf_list_add(trak->child_boxes, trak->tfrf);\n\t}\n\n\tif (trak->moov->mov->signal_frag_bounds) {\n\t\tstore_traf_map = GF_TRUE;\n\t\tif (is_first_merge) {\n\t\t\tGF_MovieFragmentBox *moof_clone = NULL;\n\t\t\tgf_isom_box_freeze_order((GF_Box *)moof_box);\n\t\t\tgf_isom_clone_box((GF_Box *)moof_box, (GF_Box **)&moof_clone);\n\n\t\t\tif (moof_clone) {\n\t\t\t\tGF_BitStream *bs;\n\t\t\t\tfor (i=0; iTrackList); i++) {\n\t\t\t\t\tGF_TrackFragmentBox *traf_clone = gf_list_get(moof_clone->TrackList, i);\n\t\t\t\t\tgf_isom_box_array_reset_parent(&traf_clone->child_boxes, traf_clone->TrackRuns);\n\t\t\t\t\tgf_isom_box_array_reset_parent(&traf_clone->child_boxes, traf_clone->sampleGroups);\n\t\t\t\t\tgf_isom_box_array_reset_parent(&traf_clone->child_boxes, traf_clone->sampleGroupsDescription);\n\t\t\t\t\tgf_isom_box_array_reset_parent(&traf_clone->child_boxes, traf_clone->sub_samples);\n\t\t\t\t\tgf_isom_box_array_reset_parent(&traf_clone->child_boxes, traf_clone->sai_offsets);\n\t\t\t\t\tgf_isom_box_array_reset_parent(&traf_clone->child_boxes, traf_clone->sai_sizes);\n\t\t\t\t\tif (traf_clone->sample_encryption) {\n\t\t\t\t\t\tgf_isom_box_del_parent(&traf_clone->child_boxes, (GF_Box *) traf_clone->sample_encryption);\n\t\t\t\t\t\ttraf_clone->sample_encryption = NULL;\n\t\t\t\t\t}\n\t\t\t\t\tif (traf_clone->sdtp) {\n\t\t\t\t\t\tgf_isom_box_del_parent(&traf_clone->child_boxes, (GF_Box *) traf_clone->sdtp);\n\t\t\t\t\t\ttraf_clone->sdtp = NULL;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tgf_isom_box_size((GF_Box *)moof_clone);\n\t\t\t\tbs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\n\t\t\t\tif (trak->moov->mov->seg_styp) {\n\t\t\t\t\tgf_isom_box_size(trak->moov->mov->seg_styp);\n\t\t\t\t\tgf_isom_box_write(trak->moov->mov->seg_styp, 
bs);\n\t\t\t\t}\n\t\t\t\tif (trak->moov->mov->root_sidx) {\n\t\t\t\t\tgf_isom_box_size((GF_Box *)trak->moov->mov->root_sidx);\n\t\t\t\t\tgf_isom_box_write((GF_Box *)trak->moov->mov->root_sidx, bs);\n\t\t\t\t}\n\t\t\t\tif (trak->moov->mov->seg_ssix) {\n\t\t\t\t\tgf_isom_box_size(trak->moov->mov->seg_ssix);\n\t\t\t\t\tgf_isom_box_write(trak->moov->mov->seg_ssix, bs);\n\t\t\t\t}\n\t\t\t\tgf_isom_box_write((GF_Box *)moof_clone, bs);\n\t\t\t\tgf_isom_box_del((GF_Box*)moof_clone);\n\n\t\t\t\tgf_bs_get_content(bs, &moof_template, &moof_template_size);\n\t\t\t\tgf_bs_del(bs);\n\t\t\t}\n\t\t}\n\t\tif (trak->moov->mov->seg_styp) {\n\t\t\tis_seg_start = GF_TRUE;\n\t\t\tseg_start = trak->moov->mov->styp_start_offset;\n\t\t}\n\t\tif (trak->moov->mov->root_sidx) {\n\t\t\tis_seg_start = GF_TRUE;\n\t\t\tsidx_start = trak->moov->mov->sidx_start_offset;\n\t\t\tsidx_end = trak->moov->mov->sidx_end_offset;\n\t\t\tif (! seg_start || (sidx_startmoov->mov->current_top_box_start;\n\t}\n\telse if (trak->moov->mov->store_traf_map) {\n\t\tstore_traf_map = GF_TRUE;\n\t}\n\n\n\tsample_index = 0;\n\ti=0;\n\twhile ((trun = (GF_TrackFragmentRunBox *)gf_list_enum(traf->TrackRuns, &i))) {\n\t\t//merge the run\n\t\tfor (j=0; jsample_count; j++) {\n\t\t\tGF_Err e;\n\t\t\ts32 cts_offset=0;\n\t\t\tif (jnb_samples) {\n\t\t\t\tent = &trun->samples[j];\n\t\t\t} else {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Track %d doesn't have enough trun entries (%d) compared to sample count (%d) in run\\n\", traf->trex->trackID, trun->nb_samples, trun->sample_count ));\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tsize = def_size;\n\t\t\tduration = def_duration;\n\t\t\tflags = def_flags;\n\n\t\t\t//CTS - if flag not set (trun or ctrn) defaults to 0 which is the base value after alloc\n\t\t\t//we just need to overrite its value if inherited\n\t\t\tcts_offset = ent->CTS_Offset;\n\n#ifdef GF_ENABLE_CTRN\n\t\t\tif (trun->use_ctrn) {\n\t\t\t\tif (!j && (trun->ctrn_flags & GF_ISOM_CTRN_FIRST_SAMPLE) ) 
{\n\t\t\t\t\tif (trun->ctrn_first_dur) duration = ent->Duration;\n\t\t\t\t\tif (trun->ctrn_first_size) size = ent->size;\n\t\t\t\t\tif (trun->ctrn_first_ctts) flags = ent->flags;\n\t\t\t\t} else {\n\t\t\t\t\tif (trun->ctrn_dur) duration = ent->Duration;\n\t\t\t\t\tif (trun->ctrn_size) size = ent->size;\n\t\t\t\t\tif (trun->ctrn_sample_flags) flags = ent->flags;\n\t\t\t\t}\n\t\t\t\t/*re-override*/\n\t\t\t\tif (trun->ctrn_flags & 0xF0) {\n\t\t\t\t\tGF_TrunEntry *ref_entry;\n\t\t\t\t\tif (!traf_ref) {\n\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Track %d use traf inheritance to track ID %d but reference traf not found\\n\", traf->trex->trackID, traf->trex->inherit_from_traf_id ));\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\tref_entry = traf_get_sample_entry(traf_ref, sample_index);\n\t\t\t\t\tif (!ref_entry) {\n\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Track %d use traf inheritance but sample %d not found in reference traf\\n\", traf->trex->trackID, sample_index+1 ));\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\tif (trun->ctrn_flags & GF_ISOM_CTRN_INHERIT_DUR)\n\t\t\t\t\t\tduration = ref_entry->Duration;\n\t\t\t\t\tif (trun->ctrn_flags & GF_ISOM_CTRN_INHERIT_SIZE)\n\t\t\t\t\t\tsize = ref_entry->size;\n\t\t\t\t\tif (trun->ctrn_flags & GF_ISOM_CTRN_INHERIT_FLAGS)\n\t\t\t\t\t\tflags = ref_entry->flags;\n\t\t\t\t\tif (trun->ctrn_flags & GF_ISOM_CTRN_INHERIT_CTSO)\n\t\t\t\t\t\tcts_offset = ref_entry->CTS_Offset;\n\t\t\t\t}\n\n\t\t\t} else\n#endif\n\t\t\t{\n\t\t\t\tif (trun->flags & GF_ISOM_TRUN_DURATION) duration = ent->Duration;\n\t\t\t\tif (trun->flags & GF_ISOM_TRUN_SIZE) size = ent->size;\n\t\t\t\tif (trun->flags & GF_ISOM_TRUN_FLAGS) {\n\t\t\t\t\tflags = ent->flags;\n\t\t\t\t} else if (!j && (trun->flags & GF_ISOM_TRUN_FIRST_FLAG)) {\n\t\t\t\t\tflags = trun->first_sample_flags;\n\t\t\t\t}\n\t\t\t}\n\t\t\tsample_index++;\n\t\t\t/*store the resolved value in case we have inheritance*/\n\t\t\tent->size = 
size;\n\t\t\tent->Duration = duration;\n\t\t\tent->flags = flags;\n\t\t\tent->CTS_Offset = cts_offset;\n\n\t\t\tlast_dts += duration;\n\n\t\t\t//add size first\n\t\t\tif (!trak->Media->information->sampleTable->SampleSize) {\n\t\t\t\ttrak->Media->information->sampleTable->SampleSize = (GF_SampleSizeBox *) gf_isom_box_new_parent(&trak->Media->information->sampleTable->child_boxes, GF_ISOM_BOX_TYPE_STSZ);\n\t\t\t\tif (!trak->Media->information->sampleTable->SampleSize)\n\t\t\t\t\treturn GF_OUT_OF_MEM;\n\t\t\t}\n\t\t\te = stbl_AppendSize(trak->Media->information->sampleTable, size, ent->nb_pack);\n\t\t\tif (e) return e;\n\n\t\t\t//then TS\n\t\t\tif (!trak->Media->information->sampleTable->TimeToSample) {\n\t\t\t\ttrak->Media->information->sampleTable->TimeToSample = (GF_TimeToSampleBox *) gf_isom_box_new_parent(&trak->Media->information->sampleTable->child_boxes, GF_ISOM_BOX_TYPE_STTS);\n\t\t\t\tif (!trak->Media->information->sampleTable->TimeToSample)\n\t\t\t\t\treturn GF_OUT_OF_MEM;\n\t\t\t}\n\t\t\te = stbl_AppendTime(trak->Media->information->sampleTable, duration, ent->nb_pack);\n\t\t\tif (e) return e;\n\n\t\t\t//add chunk on first sample\n\t\t\tif (!j) {\n\t\t\t\tu64 final_offset;\n\t\t\t\tdata_offset = base_offset;\n\t\t\t\t//we have an explicit data offset for this trun\n\t\t\t\tif (trun->flags & GF_ISOM_TRUN_DATA_OFFSET) {\n\t\t\t\t\tdata_offset += trun->data_offset;\n\t\t\t\t\t/*reset chunk size since data is now relative to this trun*/\n\t\t\t\t\tchunk_size = 0;\n\t\t\t\t\t/*remember this data offset for following trun*/\n\t\t\t\t\tprev_trun_data_offset = trun->data_offset;\n\t\t\t\t\t/*if mdat is located after the moof, and the moof was compressed, adjust offset\n\t\t\t\t\totherwise the offset does not need adjustment*/\n\t\t\t\t\tif (trun->data_offset>=0) {\n\t\t\t\t\t\tdata_offset -= compressed_diff;\n\t\t\t\t\t\tprev_trun_data_offset -= compressed_diff;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t//we had an explicit data offset for the previous trun, use it + 
chunk size\n\t\t\t\telse if (prev_trun_data_offset) {\n\t\t\t\t\t/*data offset is previous chunk size plus previous offset of the trun*/\n\t\t\t\t\tdata_offset += prev_trun_data_offset + chunk_size;\n\t\t\t\t}\n\t\t\t\t//no explicit data offset, continuous data after last data in previous chunk\n\t\t\t\telse {\n\t\t\t\t\tdata_offset += chunk_size;\n\t\t\t\t\t//data offset of first trun in first traf, adjust if compressed moof\n\t\t\t\t\tif ((i==1) && (trun->data_offset>=0)) {\n\t\t\t\t\t\tdata_offset -= compressed_diff;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tfinal_offset = data_offset;\n\t\t\t\t//adjust offset if moov was also compressed and we are still in the same file\n\t\t\t\t//so that later call to gf_isom_get_sample properly adjust back the offset\n\t\t\t\tif (trak->moov->compressed_diff) {\n\t\t\t\t\tfinal_offset += trak->moov->compressed_diff;\n\t\t\t\t}\n\n\t\t\t\tif (!trak->Media->information->sampleTable->ChunkOffset) {\n\t\t\t\t\ttrak->Media->information->sampleTable->ChunkOffset = gf_isom_box_new_parent(&trak->Media->information->sampleTable->child_boxes, GF_ISOM_BOX_TYPE_STCO);\n\t\t\t\t\tif (!trak->Media->information->sampleTable->ChunkOffset)\n\t\t\t\t\t\treturn GF_OUT_OF_MEM;\n\t\t\t\t}\n\t\t\t\te = stbl_AppendChunk(trak->Media->information->sampleTable, final_offset);\n\t\t\t\tif (e) return e;\n\t\t\t\t//then sampleToChunk\n\t\t\t\tif (!trak->Media->information->sampleTable->SampleToChunk) {\n\t\t\t\t\ttrak->Media->information->sampleTable->SampleToChunk = (GF_SampleToChunkBox *) gf_isom_box_new_parent(&trak->Media->information->sampleTable->child_boxes, GF_ISOM_BOX_TYPE_STSC);\n\t\t\t\t\tif (!trak->Media->information->sampleTable->SampleToChunk)\n\t\t\t\t\t\treturn GF_OUT_OF_MEM;\n\t\t\t\t}\n\t\t\t\te = stbl_AppendSampleToChunk(trak->Media->information->sampleTable,\n\t\t\t\t DescIndex, trun->sample_count);\n\t\t\t\tif (e) return e;\n\t\t\t}\n\t\t\tchunk_size += size;\n\n\t\t\tif (store_traf_map && first_samp_in_traf) {\n\t\t\t\tfirst_samp_in_traf = 
GF_FALSE;\n\t\t\t\te = stbl_AppendTrafMap(trak->Media->information->sampleTable, is_seg_start, seg_start, frag_start, moof_template, moof_template_size, sidx_start, sidx_end);\n\t\t\t\tif (e) return e;\n\t\t\t\t//do not deallocate, the memory is now owned by traf map\n\t\t\t\tmoof_template = NULL;\n\t\t\t\tmoof_template_size = 0;\n\t\t\t}\n\t\t\tif (ent->nb_pack>1) {\n\t\t\t\tj+= ent->nb_pack-1;\n\t\t\t\ttraf_duration += ent->nb_pack*duration;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\ttraf_duration += duration;\n\n\t\t\te = stbl_AppendCTSOffset(trak->Media->information->sampleTable, cts_offset);\n\t\t\tif (e) return e;\n\t\t\t//flags\n\t\t\tsync = GF_ISOM_GET_FRAG_SYNC(flags);\n\t\t\tif (trak->Media->information->sampleTable->no_sync_found && sync) {\n\t\t\t\ttrak->Media->information->sampleTable->no_sync_found = 0;\n\t\t\t}\n\t\t\te = stbl_AppendRAP(trak->Media->information->sampleTable, sync);\n\t\t\tif (e) return e;\n\t\t\tpad = GF_ISOM_GET_FRAG_PAD(flags);\n\t\t\tif (pad) {\n\t\t\t\te = stbl_AppendPadding(trak->Media->information->sampleTable, pad);\n\t\t\t\tif (e) return e;\n\t\t\t}\n\t\t\tdegr = GF_ISOM_GET_FRAG_DEG(flags);\n\t\t\tif (degr) {\n\t\t\t\te = stbl_AppendDegradation(trak->Media->information->sampleTable, degr);\n\t\t\t\tif (e) return e;\n\t\t\t}\n\t\t\te = stbl_AppendDependencyType(trak->Media->information->sampleTable, GF_ISOM_GET_FRAG_LEAD(flags), GF_ISOM_GET_FRAG_DEPENDS(flags), GF_ISOM_GET_FRAG_DEPENDED(flags), GF_ISOM_GET_FRAG_REDUNDANT(flags));\n\t\t\tif (e) return e;\n\t\t}\n\t}\n\n\tif (trak->moov->mov->is_smooth && !traf->tfdt && !traf->tfxd) {\n\t\tif (is_first_merge)\n\t\t\ttrak->dts_at_seg_start = trak->dts_at_next_seg_start;\n\t\ttrak->dts_at_next_seg_start += last_dts;\n\t}\n\tif (traf_duration && trak->editBox && trak->editBox->editList) {\n\t\tfor (i=0; ieditBox->editList->entryList); i++) {\n\t\t\tGF_EdtsEntry *edts_e = gf_list_get(trak->editBox->editList->entryList, i);\n\t\t\tif (edts_e->was_empty_dur) {\n\t\t\t\tu64 extend_dur = 
traf_duration;\n\t\t\t\textend_dur *= trak->moov->mvhd->timeScale;\n\t\t\t\textend_dur /= trak->Media->mediaHeader->timeScale;\n\t\t\t\tedts_e->segmentDuration += extend_dur;\n\t\t\t}\n\t\t\telse if (!edts_e->segmentDuration) {\n\t\t\t\tedts_e->was_empty_dur = GF_TRUE;\n\t\t\t\tif ((s64) traf_duration > edts_e->mediaTime)\n\t\t\t\t\ttraf_duration -= edts_e->mediaTime;\n\t\t\t\telse\n\t\t\t\t\ttraf_duration = 0;\n\n\t\t\t\tedts_e->segmentDuration = traf_duration;\n\t\t\t\tedts_e->segmentDuration *= trak->moov->mvhd->timeScale;\n\t\t\t\tedts_e->segmentDuration /= trak->Media->mediaHeader->timeScale;\n\t\t\t}\n\n\t\t}\n\t}\n\n\t//in any case, update the cumulated offset\n\t//this will handle hypothetical files mixing MOOF offset and implicit non-moof offset\n\t*cumulated_offset = data_offset + chunk_size;\n\n\t/*merge sample groups*/\n\tif (traf->sampleGroups) {\n\t\tGF_List *groups;\n\t\tGF_List *groupDescs;\n\t\tBool is_identical_sgpd = GF_TRUE;\n\t\tu32 *new_idx = NULL, new_idx_count=0;\n\n\t\tif (!trak->Media->information->sampleTable->sampleGroups)\n\t\t\ttrak->Media->information->sampleTable->sampleGroups = gf_list_new();\n\n\t\tif (!trak->Media->information->sampleTable->sampleGroupsDescription)\n\t\t\ttrak->Media->information->sampleTable->sampleGroupsDescription = gf_list_new();\n\n\t\tgroupDescs = trak->Media->information->sampleTable->sampleGroupsDescription;\n\t\tfor (i=0; isampleGroupsDescription); i++) {\n\t\t\tGF_SampleGroupDescriptionBox *new_sgdesc = NULL;\n\t\t\tGF_SampleGroupDescriptionBox *sgdesc = gf_list_get(traf->sampleGroupsDescription, i);\n\t\t\tfor (j=0; jgrouping_type==sgdesc->grouping_type) break;\n\t\t\t\tnew_sgdesc = NULL;\n\t\t\t}\n\t\t\t/*new description, move it to our sample table*/\n\t\t\tif (!new_sgdesc) {\n\t\t\t\tgf_list_add(groupDescs, sgdesc);\n\t\t\t\tgf_list_add(trak->Media->information->sampleTable->child_boxes, sgdesc);\n\t\t\t\tgf_list_rem(traf->sampleGroupsDescription, i);\n\t\t\t\tgf_list_del_item(traf->child_boxes, 
sgdesc);\n\t\t\t\ti--;\n\t\t\t}\n\t\t\t/*merge descriptions*/\n\t\t\telse {\n\t\t\t\tu32 count;\n\n\t\t\t\tis_identical_sgpd = gf_isom_is_identical_sgpd(new_sgdesc, sgdesc, 0);\n\t\t\t\tif (is_identical_sgpd)\n\t\t\t\t\tcontinue;\n\n\t\t\t\tnew_idx_count = gf_list_count(sgdesc->group_descriptions);\n\t\t\t\tnew_idx = (u32 *)gf_malloc(new_idx_count * sizeof(u32));\n\t\t\t\tif (!new_idx) return GF_OUT_OF_MEM;\n\n\t\t\t\tcount = 0;\n\t\t\t\twhile (gf_list_count(sgdesc->group_descriptions)) {\n\t\t\t\t\tvoid *sgpd_entry = gf_list_get(sgdesc->group_descriptions, 0);\n\t\t\t\t\tBool new_entry = GF_TRUE;\n\n\t\t\t\t\tfor (j = 0; j < gf_list_count(new_sgdesc->group_descriptions); j++) {\n\t\t\t\t\t\tvoid *ptr = gf_list_get(new_sgdesc->group_descriptions, j);\n\t\t\t\t\t\tif (gf_isom_is_identical_sgpd(sgpd_entry, ptr, new_sgdesc->grouping_type)) {\n\t\t\t\t\t\t\tnew_idx[count] = j + 1;\n\t\t\t\t\t\t\tcount ++;\n\t\t\t\t\t\t\tnew_entry = GF_FALSE;\n\t\t\t\t\t\t\tgf_free(sgpd_entry);\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif (new_entry) {\n\t\t\t\t\t\tgf_list_add(new_sgdesc->group_descriptions, sgpd_entry);\n\t\t\t\t\t\tnew_idx[count] = gf_list_count(new_sgdesc->group_descriptions);\n\t\t\t\t\t\tcount ++;\n\t\t\t\t\t}\n\n\t\t\t\t\tgf_list_rem(sgdesc->group_descriptions, 0);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tgroups = trak->Media->information->sampleTable->sampleGroups;\n\t\tfor (i=0; isampleGroups); i++) {\n\t\t\tGF_SampleGroupBox *stbl_group = NULL;\n\t\t\tGF_SampleGroupBox *frag_group = gf_list_get(traf->sampleGroups, i);\n\n\n\t\t\tfor (j=0; jgrouping_type==stbl_group->grouping_type) && (frag_group->grouping_type_parameter==stbl_group->grouping_type_parameter))\n\t\t\t\t\tbreak;\n\t\t\t\tstbl_group = NULL;\n\t\t\t}\n\t\t\tif (!stbl_group) {\n\t\t\t\tstbl_group = (GF_SampleGroupBox *) gf_isom_box_new_parent(&trak->Media->information->sampleTable->child_boxes, GF_ISOM_BOX_TYPE_SBGP);\n\t\t\t\tif (!stbl_group) return 
GF_OUT_OF_MEM;\n\t\t\t\tstbl_group->grouping_type = frag_group->grouping_type;\n\t\t\t\tstbl_group->grouping_type_parameter = frag_group->grouping_type_parameter;\n\t\t\t\tstbl_group->version = frag_group->version;\n\t\t\t\tgf_list_add(groups, stbl_group);\n\t\t\t}\n\n\t\t\tif (is_identical_sgpd) {\n\t\t\t\t//adjust sgpd index: in traf index start at 0x1001\n\t\t\t\tfor (j = 0; j < frag_group->entry_count; j++)\n\t\t\t\t\tfrag_group->sample_entries[j].group_description_index &= 0x0FFFF;\n\t\t\t\tif (frag_group->entry_count && stbl_group->entry_count &&\n\t\t\t\t (frag_group->sample_entries[0].group_description_index==stbl_group->sample_entries[stbl_group->entry_count-1].group_description_index)\n\t\t\t\t ) {\n\t\t\t\t\tstbl_group->sample_entries[stbl_group->entry_count - 1].sample_count += frag_group->sample_entries[0].sample_count;\n\t\t\t\t\tif (frag_group->entry_count>1) {\n\t\t\t\t\t\tstbl_group->sample_entries = gf_realloc(stbl_group->sample_entries, sizeof(GF_SampleGroupEntry) * (stbl_group->entry_count + frag_group->entry_count - 1));\n\t\t\t\t\t\tmemcpy(&stbl_group->sample_entries[stbl_group->entry_count], &frag_group->sample_entries[1], sizeof(GF_SampleGroupEntry) * (frag_group->entry_count - 1));\n\t\t\t\t\t\tstbl_group->entry_count += frag_group->entry_count - 1;\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tstbl_group->sample_entries = gf_realloc(stbl_group->sample_entries, sizeof(GF_SampleGroupEntry) * (stbl_group->entry_count + frag_group->entry_count));\n\t\t\t\t\tmemcpy(&stbl_group->sample_entries[stbl_group->entry_count], &frag_group->sample_entries[0], sizeof(GF_SampleGroupEntry) * frag_group->entry_count);\n\t\t\t\t\tstbl_group->entry_count += frag_group->entry_count;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tstbl_group->sample_entries = gf_realloc(stbl_group->sample_entries, sizeof(GF_SampleGroupEntry) * (stbl_group->entry_count + frag_group->entry_count));\n\t\t\t\t//adjust sgpd index\n\t\t\t\tfor (j = 0; j < frag_group->entry_count; j++) 
{\n\t\t\t\t\tu32 sgidx = frag_group->sample_entries[j].group_description_index;\n\t\t\t\t\tif (sgidx > 0x10000) {\n\t\t\t\t\t\tsgidx -= 0x10001;\n\t\t\t\t\t\tif (sgidx>=new_idx_count) {\n\t\t\t\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[isobmf] corrupted sample group index in fragment %d but only %d group descriptions in fragment\\n\", sgidx, new_idx_count));\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tfrag_group->sample_entries[j].group_description_index = new_idx[sgidx];\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tmemcpy(&stbl_group->sample_entries[stbl_group->entry_count], &frag_group->sample_entries[0], sizeof(GF_SampleGroupEntry) * frag_group->entry_count);\n\t\t\t\tstbl_group->entry_count += frag_group->entry_count;\n\t\t\t}\n\t\t}\n\n\t\tif (new_idx) gf_free(new_idx);\n\t}\n\n\t/*content is encrypted*/\n\ttrack_num = gf_isom_get_tracknum_from_id(trak->moov, trak->Header->trackID);\n\tif (gf_isom_is_cenc_media(trak->moov->mov, track_num, DescIndex)\n\t\t|| traf->sample_encryption) {\n\t\t/*Merge sample auxiliary encryption information*/\n\t\tGF_SampleEncryptionBox *senc = NULL;\n\t\tu32 scheme_type;\n\t\tgf_isom_get_cenc_info(trak->moov->mov, track_num, DescIndex, NULL, &scheme_type, NULL);\n\n\t\tif (traf->sample_encryption) {\n\t\t\tfor (i = 0; i < gf_list_count(trak->Media->information->sampleTable->child_boxes); i++) {\n\t\t\t\tGF_Box *a = (GF_Box *)gf_list_get(trak->Media->information->sampleTable->child_boxes, i);\n\t\t\t\tif (a->type != traf->sample_encryption->type) continue;\n\n\t\t\t\tif ((a->type ==GF_ISOM_BOX_TYPE_UUID) && (((GF_UUIDBox *)a)->internal_4cc == GF_ISOM_BOX_UUID_PSEC)) {\n\t\t\t\t\tsenc = (GF_SampleEncryptionBox *)a;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\telse if (a->type ==GF_ISOM_BOX_TYPE_SENC) {\n\t\t\t\t\tsenc = (GF_SampleEncryptionBox *)a;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (!senc && trak->sample_encryption)\n\t\t\t\tsenc = trak->sample_encryption;\n\n\t\t\tif (!senc) {\n\t\t\t\tif 
(traf->sample_encryption->piff_type==1) {\n\t\t\t\t\tsenc = (GF_SampleEncryptionBox *)gf_isom_create_piff_psec_box(1, 0x2, 0, 0, NULL);\n\t\t\t\t} else {\n\t\t\t\t\tsenc = gf_isom_create_samp_enc_box(1, 0x2);\n\t\t\t\t}\n\n\t\t\t\tif (!trak->Media->information->sampleTable->child_boxes) trak->Media->information->sampleTable->child_boxes = gf_list_new();\n\n\t\t\t\ttrak->sample_encryption = senc;\n\t\t\t\tif (!trak->child_boxes) trak->child_boxes = gf_list_new();\n\t\t\t\tgf_list_add(trak->child_boxes, senc);\n\t\t\t}\n\t\t}\n\n\t\t/*get sample auxiliary information by saiz/saio rather than by parsing senc box*/\n\t\tif (gf_isom_cenc_has_saiz_saio_traf(traf, scheme_type)) {\n\t\t\tu32 nb_saio;\n\t\t\tu32 aux_info_type;\n\t\t\tu64 offset;\n\t\t\tGF_Err e;\n\t\t\tBool is_encrypted;\n\t\t\tGF_SampleAuxiliaryInfoOffsetBox *saio = NULL;\n\t\t\tGF_SampleAuxiliaryInfoSizeBox *saiz = NULL;\n\n\t\t\toffset = nb_saio = 0;\n\n\t\t\tfor (i = 0; i < gf_list_count(traf->sai_offsets); i++) {\n\t\t\t\tsaio = (GF_SampleAuxiliaryInfoOffsetBox *)gf_list_get(traf->sai_offsets, i);\n\t\t\t\taux_info_type = saio->aux_info_type;\n\t\t\t\tif (!aux_info_type) aux_info_type = scheme_type;\n\n\t\t\t\t/*if we have only 1 sai_offsets, assume that its type is cenc*/\n\t\t\t\tif ((aux_info_type == GF_ISOM_CENC_SCHEME) || (aux_info_type == GF_ISOM_CBC_SCHEME) ||\n\t\t\t\t\t(aux_info_type == GF_ISOM_CENS_SCHEME) || (aux_info_type == GF_ISOM_CBCS_SCHEME) ||\n\t\t\t\t\t(gf_list_count(traf->sai_offsets) == 1)) {\n\t\t\t\t\tif (saio->offsets && saio->entry_count) {\n\t\t\t\t\t\toffset = saio->offsets[0] + moof_offset;\n\t\t\t\t\t\tnb_saio = saio->entry_count;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tsaio = NULL;\n\t\t\t}\n\t\t\tfor (i = 0; i < gf_list_count(traf->sai_sizes); i++) {\n\t\t\t\tsaiz = (GF_SampleAuxiliaryInfoSizeBox *)gf_list_get(traf->sai_sizes, i);\n\t\t\t\taux_info_type = saiz->aux_info_type;\n\t\t\t\tif (!aux_info_type) aux_info_type = scheme_type;\n\t\t\t\t/*if we have only 
1 sai_sizes, assume that its type is cenc*/\n\t\t\t\tif ((aux_info_type == GF_ISOM_CENC_SCHEME) || (aux_info_type == GF_ISOM_CBC_SCHEME) ||\n\t\t\t\t\t(aux_info_type == GF_ISOM_CENS_SCHEME) || (aux_info_type == GF_ISOM_CBCS_SCHEME) ||\n\t\t\t\t\t(gf_list_count(traf->sai_sizes) == 1)) {\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tsaiz = NULL;\n\t\t\t}\n\t\t\tif (saiz && saio && senc) {\n\t\t\t\tfor (i = 0; i < saiz->sample_count; i++) {\n\t\t\t\t\tGF_CENCSampleAuxInfo *sai;\n\t\t\t\t\tconst u8 *key_info=NULL;\n\t\t\t\t\tu32 key_info_size;\n\t\t\t\t\tu64 cur_position;\n\t\t\t\t\tif (nb_saio != 1)\n\t\t\t\t\t\toffset = saio->offsets[i] + moof_offset;\n\t\t\t\t\tsize = saiz->default_sample_info_size ? saiz->default_sample_info_size : saiz->sample_info_size[i];\n\n\t\t\t\t\tcur_position = gf_bs_get_position(trak->moov->mov->movieFileMap->bs);\n\t\t\t\t\tgf_bs_seek(trak->moov->mov->movieFileMap->bs, offset);\n\n\t\t\t\t\tGF_SAFEALLOC(sai, GF_CENCSampleAuxInfo);\n\t\t\t\t\tif (!sai) return GF_OUT_OF_MEM;\n\n\t\t\t\t\te = gf_isom_get_sample_cenc_info_internal(trak, traf, senc, i+1, &is_encrypted, NULL, NULL, &key_info, &key_info_size);\n\t\t\t\t\tif (e) {\n\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[isobmf] could not get cenc info for sample %d: %s\\n\", i+1, gf_error_to_string(e) ));\n\t\t\t\t\t\treturn e;\n\t\t\t\t\t}\n\n\t\t\t\t\tif (is_encrypted) {\n\t\t\t\t\t\tsai->cenc_data_size = size;\n\t\t\t\t\t\tsai->cenc_data = gf_malloc(sizeof(u8)*size);\n\t\t\t\t\t\tif (!sai->cenc_data) return GF_OUT_OF_MEM;\n\t\t\t\t\t\tgf_bs_read_data(trak->moov->mov->movieFileMap->bs, sai->cenc_data, sai->cenc_data_size);\n\t\t\t\t\t} else {\n\t\t\t\t\t\tsai->isNotProtected=1;\n\t\t\t\t\t}\n\n\t\t\t\t\tif (key_info) {\n\t\t\t\t\t\t//not multikey\n\t\t\t\t\t\tif (!key_info[0]) {\n\t\t\t\t\t\t\t//size greater than IV\n\t\t\t\t\t\t\tif (size > key_info[3])\n\t\t\t\t\t\t\t\tsenc->flags = 0x00000002;\n\t\t\t\t\t\t}\n\t\t\t\t\t\t//multikey, always use subsamples\n\t\t\t\t\t\telse 
{\n\t\t\t\t\t\t\tsenc->flags = 0x00000002;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\n\t\t\t\t\tgf_bs_seek(trak->moov->mov->movieFileMap->bs, cur_position);\n\n\t\t\t\t\tgf_list_add(senc->samp_aux_info, sai);\n\n\t\t\t\t\te = gf_isom_cenc_merge_saiz_saio(senc, trak->Media->information->sampleTable, offset, size);\n\t\t\t\t\tif (e) return e;\n\t\t\t\t\tif (nb_saio == 1)\n\t\t\t\t\t\toffset += size;\n\t\t\t\t}\n\t\t\t}\n\t\t} else if (traf->sample_encryption) {\n\t\t\tsenc_Parse(trak->moov->mov->movieFileMap->bs, trak, traf, traf->sample_encryption);\n\t\t\ttrak->sample_encryption->AlgorithmID = traf->sample_encryption->AlgorithmID;\n\t\t\tif (!trak->sample_encryption->IV_size)\n\t\t\t\ttrak->sample_encryption->IV_size = traf->sample_encryption->IV_size;\n\t\t\tif (!trak->sample_encryption->samp_aux_info) trak->sample_encryption->samp_aux_info = gf_list_new();\n\t\t\tgf_list_transfer(trak->sample_encryption->samp_aux_info, traf->sample_encryption->samp_aux_info);\n\t\t\tif (traf->sample_encryption->flags & 0x00000002)\n\t\t\t\ttrak->sample_encryption->flags |= 0x00000002;\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 303288141822567692112362620916464223543, "size": 681, "commit_id": "df8fffd839fe5ae9acd82d26fd48280a397411d9", "message": "fixed #1736", "target": 0, "dataset": "other", "idx": 272325 }, { "func": "void PrintVersion()\n{\n\tfprintf(stderr, \"MP4Box - GPAC version %s\\n\"\n\t \"%s\\n\"\n\t \"GPAC Configuration: \" GPAC_CONFIGURATION \"\\n\"\n\t \"Features: %s %s\\n\", gf_gpac_version(), gf_gpac_copyright(), gf_sys_features(GF_FALSE), gf_sys_features(GF_TRUE));\n}", "project": "gpac", "hash": 210749237724215705471612647633201196437, "size": 7, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244384 }, { "func": "static void dump_isom_nal_ex(GF_ISOFile *file, GF_ISOTrackID trackID, FILE *dump, u32 dump_flags)\n{\n\tu32 i, j, count, nb_descs, track, nalh_size, timescale, 
cur_extract_mode;\n\ts32 countRef;\n\tBool is_adobe_protected = GF_FALSE;\n\tBool is_cenc_protected = GF_FALSE;\n\tBool is_hevc = GF_FALSE;\n\tBool is_vvc = GF_FALSE;\n#ifndef GPAC_DISABLE_AV_PARSERS\n\tAVCState *avc_state = NULL;\n\tHEVCState *hevc_state = NULL;\n\tVVCState *vvc_state = NULL;\n#endif\n\tGF_AVCConfig *avccfg, *svccfg;\n\tGF_HEVCConfig *hevccfg, *lhvccfg;\n\tGF_VVCConfig *vvccfg;\n\tGF_NALUFFParam *slc;\n\tBool has_svcc = GF_FALSE;\n\n\ttrack = gf_isom_get_track_by_id(file, trackID);\n\n\tcount = gf_isom_get_sample_count(file, track);\n\n\ttimescale = gf_isom_get_media_timescale(file, track);\n\n\tcur_extract_mode = gf_isom_get_nalu_extract_mode(file, track);\n\n\tnb_descs = gf_isom_get_sample_description_count(file, track);\n\tif (!nb_descs) {\n\t\tM4_LOG(GF_LOG_ERROR, (\"Error: Track #%d has no sample description so is likely not NALU-based!\\n\", trackID));\n\t\treturn;\n\t}\n\n\tfprintf(dump, \"\\n\", trackID, count, timescale);\n\n#ifndef GPAC_DISABLE_AV_PARSERS\n\n#define DUMP_ARRAY(arr, name, loc, _is_svc)\\\n\tif (arr) {\\\n\t\tfprintf(dump, \" <%sArray location=\\\"%s\\\">\\n\", name, loc);\\\n\t\tfor (i=0; isize);\\\n\t\t\tgf_inspect_dump_nalu(dump, (u8 *) slc->data, slc->size, _is_svc, is_hevc ? hevc_state : NULL, avc_state, is_vvc ? vvc_state : NULL, nalh_size, (dump_flags&1) ? 
GF_TRUE : GF_FALSE, GF_FALSE);\\\n\t\t}\\\n\t\tfprintf(dump, \" \\n\", name);\\\n\t}\\\n\n#else\n\n#define DUMP_ARRAY(arr, name, loc, _is_svc)\\\n\tif (arr) {\\\n\t\tfprintf(dump, \" <%sArray location=\\\"%s\\\">\\n\", name, loc);\\\n\t\tfor (i=0; isize);\\\n\t\t\tfprintf(dump, \"/>\\n\");\\\n\t\t}\\\n\t\tfprintf(dump, \" \\n\", name);\\\n\t}\\\n\n#endif\n\n\tnalh_size = 0;\n\n\tfor (j=0; j\\n\");\n\n\t\tif (!avccfg && !svccfg && !hevccfg && !lhvccfg && !vvccfg) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Error: Track #%d is not NALU or OBU based!\\n\", trackID));\n\t\t\treturn;\n\t\t}\n\n\t\tif (avccfg) {\n\t\t\tnalh_size = avccfg->nal_unit_size;\n\n\t\t\tDUMP_ARRAY(avccfg->sequenceParameterSets, \"AVCSPS\", \"avcC\", is_svc);\n\t\t\tDUMP_ARRAY(avccfg->pictureParameterSets, \"AVCPPS\", \"avcC\", is_svc)\n\t\t\tDUMP_ARRAY(avccfg->sequenceParameterSetExtensions, \"AVCSPSEx\", \"avcC\", is_svc)\n\t\t}\n\t\tif (is_svc) {\n\t\t\tif (!nalh_size) nalh_size = svccfg->nal_unit_size;\n\t\t\tDUMP_ARRAY(svccfg->sequenceParameterSets, \"SVCSPS\", \"svcC\", is_svc)\n\t\t\tDUMP_ARRAY(svccfg->pictureParameterSets, \"SVCPPS\", \"svcC\", is_svc)\n\t\t}\n\t\tif (mvccfg) {\n\t\t\tif (!nalh_size) nalh_size = mvccfg->nal_unit_size;\n\t\t\tDUMP_ARRAY(mvccfg->sequenceParameterSets, \"SVCSPS\", \"mvcC\", is_svc)\n\t\t\tDUMP_ARRAY(mvccfg->pictureParameterSets, \"SVCPPS\", \"mvcC\", is_svc)\n\t\t}\n\t\tif (hevccfg) {\n\t\t\tu32 idx;\n\t\t\tnalh_size = hevccfg->nal_unit_size;\n\t\t\tfor (idx=0; idxparam_array); idx++) {\n\t\t\t\tGF_NALUFFParamArray *ar = gf_list_get(hevccfg->param_array, idx);\n\t\t\t\tif (ar->type==GF_HEVC_NALU_SEQ_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCSPS\", \"hvcC\", 0)\n\t\t\t\t} else if (ar->type==GF_HEVC_NALU_PIC_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCPPS\", \"hvcC\", 0)\n\t\t\t\t} else if (ar->type==GF_HEVC_NALU_VID_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCVPS\", \"hvcC\", 0)\n\t\t\t\t} else {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCUnknownPS\", 
\"hvcC\", 0)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (vvccfg) {\n\t\t\tu32 idx;\n\t\t\tnalh_size = vvccfg->nal_unit_size;\n\t\t\tfor (idx=0; idxparam_array); idx++) {\n\t\t\t\tGF_NALUFFParamArray *ar = gf_list_get(vvccfg->param_array, idx);\n\t\t\t\tif (ar->type==GF_VVC_NALU_SEQ_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"VVCSPS\", \"vvcC\", 0)\n\t\t\t\t} else if (ar->type==GF_VVC_NALU_PIC_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"VVCPPS\", \"vvcC\", 0)\n\t\t\t\t} else if (ar->type==GF_VVC_NALU_VID_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"VVCVPS\", \"vvcC\", 0)\n\t\t\t\t} else {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"VVCUnknownPS\", \"vvcC\", 0)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (lhvccfg) {\n\t\t\tu32 idx;\n\t\t\tnalh_size = lhvccfg->nal_unit_size;\n\t\t\tfor (idx=0; idxparam_array); idx++) {\n\t\t\t\tGF_NALUFFParamArray *ar = gf_list_get(lhvccfg->param_array, idx);\n\t\t\t\tif (ar->type==GF_HEVC_NALU_SEQ_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCSPS\", \"lhcC\", 0)\n\t\t\t\t} else if (ar->type==GF_HEVC_NALU_PIC_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCPPS\", \"lhcC\", 0)\n\t\t\t\t} else if (ar->type==GF_HEVC_NALU_VID_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCVPS\", \"lhcC\", 0)\n\t\t\t\t} else {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCUnknownPS\", \"lhcC\", 0)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tfprintf(dump, \" \\n\");\n\n\t\tif (avccfg) gf_odf_avc_cfg_del(avccfg);\n\t\tif (svccfg) {\n\t\t\tgf_odf_avc_cfg_del(svccfg);\n\t\t\thas_svcc = GF_TRUE;\n\t\t}\n\t\tif (hevccfg) gf_odf_hevc_cfg_del(hevccfg);\n\t\tif (vvccfg) gf_odf_vvc_cfg_del(vvccfg);\n\t\tif (lhvccfg) gf_odf_hevc_cfg_del(lhvccfg);\n\t}\n\n\t/*fixme: for dumping encrypted track: we don't have neither avccfg nor svccfg*/\n\tif (!nalh_size) nalh_size = 4;\n\n\t/*for testing dependency*/\n\tcountRef = gf_isom_get_reference_count(file, track, GF_ISOM_REF_SCAL);\n\tif (countRef > 0)\n\t{\n\t\tGF_ISOTrackID refTrackID;\n\t\tfprintf(dump, \" \\n\");\n\t\tfor (i = 1; i <= (u32) countRef; 
i++)\n\t\t{\n\t\t\tgf_isom_get_reference_ID(file, track, GF_ISOM_REF_SCAL, i, &refTrackID);\n\t\t\tfprintf(dump, \" \\n\", i, refTrackID);\n\t\t}\n\n\t\tfprintf(dump, \" \\n\");\n\t}\n\n\tfprintf(dump, \" \\n\");\n\tgf_isom_set_nalu_extract_mode(file, track, GF_ISOM_NALU_EXTRACT_INSPECT);\n\tis_adobe_protected = gf_isom_is_adobe_protection_media(file, track, 1);\n\tis_cenc_protected = gf_isom_is_cenc_media(file, track, 1);\n\tfor (i=0; i\\n\", i+1);\n\t\t\tcontinue;\n\t\t}\n\t\tdts = samp->DTS;\n\t\tcts = dts + (s32) samp->CTS_Offset;\n\t\tis_rap = samp->IsRAP;\n\t\tif (!is_rap) gf_isom_get_sample_rap_roll_info(file, track, i+1, &is_rap, NULL, NULL);\n\n\t\tif (dump_flags&2) {\n\t\t\tfprintf(dump, \" dataLength, is_rap);\n\t\t} else {\n\t\t\tfprintf(dump, \" dataLength, is_rap);\n\t\t}\n\t\tif (nb_descs>1)\n\t\t\tfprintf(dump, \" sample_description=\\\"%d\\\"\", di);\n\t\tfprintf(dump, \" >\\n\");\n\n\t\tif (cts\\n\");\n\n\t\tidx = 1;\n\t\tptr = samp->data;\n\t\tsize = samp->dataLength;\n\t\tif (is_adobe_protected) {\n\t\t\tu8 encrypted_au = ptr[0];\n\t\t\tif (encrypted_au) {\n\t\t\t\tfprintf(dump, \" \\n\", i+1);\n\t\t\t\tfprintf(dump, \" \\n\\n\");\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\telse {\n\t\t\t\tptr++;\n\t\t\t\tsize--;\n\t\t\t}\n\t\t}\n\t\twhile (size) {\n\t\t\tnal_size = read_nal_size_hdr(ptr, nalh_size);\n\t\t\tptr += nalh_size;\n\n\t\t\tif (nal_size >= UINT_MAX-nalh_size || nalh_size + nal_size > size) {\n\t\t\t\tfprintf(dump, \" \\n\", idx, nal_size, size);\n\t\t\t\tbreak;\n\t\t\t} else {\n\t\t\t\tfprintf(dump, \" \\n\");\n#endif\n\t\t\t}\n\t\t\tidx++;\n\t\t\tptr+=nal_size;\n\t\t\tsize -= nal_size + nalh_size;\n\t\t}\n\t\tfprintf(dump, \" \\n\");\n\t\tgf_isom_sample_del(&samp);\n\n\t\tfprintf(dump, \"\\n\");\n\t\tgf_set_progress(\"Analysing Track NALUs\", i+1, count);\n\t}\n\tfprintf(dump, \" \\n\");\n\tfprintf(dump, \"\\n\");\n\n\tgf_isom_set_nalu_extract_mode(file, track, cur_extract_mode);\n\n#ifndef GPAC_DISABLE_AV_PARSERS\n\tif (hevc_state) 
gf_free(hevc_state);\n\tif (vvc_state) gf_free(vvc_state);\n\tif (avc_state) gf_free(avc_state);", "project": "gpac", "hash": 266510646699987192419690074938534431103, "size": 291, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243210 }, { "func": "static void dump_isom_nal_ex(GF_ISOFile *file, GF_ISOTrackID trackID, FILE *dump, u32 dump_flags)\n{\n\tu32 i, j, count, nb_descs, track, nalh_size, timescale, cur_extract_mode;\n\ts32 countRef;\n\tBool is_adobe_protected = GF_FALSE;\n\tBool is_cenc_protected = GF_FALSE;\n\tBool is_hevc = GF_FALSE;\n#ifndef GPAC_DISABLE_AV_PARSERS\n\tAVCState avc;\n\tHEVCState hevc;\n#endif\n\tGF_AVCConfig *avccfg, *svccfg;\n\tGF_HEVCConfig *hevccfg, *lhvccfg;\n\tGF_AVCConfigSlot *slc;\n\tBool has_svcc = GF_FALSE;\n\n\ttrack = gf_isom_get_track_by_id(file, trackID);\n\n#ifndef GPAC_DISABLE_AV_PARSERS\n\tmemset(&avc, 0, sizeof(AVCState));\n\tmemset(&hevc, 0, sizeof(HEVCState));\n#endif\n\n\tcount = gf_isom_get_sample_count(file, track);\n\n\ttimescale = gf_isom_get_media_timescale(file, track);\n\n\tcur_extract_mode = gf_isom_get_nalu_extract_mode(file, track);\n\n\tnb_descs = gf_isom_get_sample_description_count(file, track);\n\tif (!nb_descs) {\n\t\tfprintf(stderr, \"Error: Track #%d has no sample description so is likely not NALU-based!\\n\", trackID);\n\t\treturn;\n\t}\n\n\tfprintf(dump, \"\\n\", trackID, count, timescale);\n\n#ifndef GPAC_DISABLE_AV_PARSERS\n\n#define DUMP_ARRAY(arr, name, loc, _is_svc)\\\n\tif (arr) {\\\n\t\tfprintf(dump, \" <%sArray location=\\\"%s\\\">\\n\", name, loc);\\\n\t\tfor (i=0; isize);\\\n\t\t\tgf_inspect_dump_nalu(dump, (u8 *) slc->data, slc->size, _is_svc, is_hevc ? &hevc : NULL, &avc, nalh_size, (dump_flags&1) ? 
GF_TRUE : GF_FALSE, GF_FALSE);\\\n\t\t\tfprintf(dump, \"/>\\n\");\\\n\t\t}\\\n\t\tfprintf(dump, \" \\n\", name);\\\n\t}\\\n\n#else\n\n#define DUMP_ARRAY(arr, name, loc, _is_svc)\\\n\tif (arr) {\\\n\t\tfprintf(dump, \" <%sArray location=\\\"%s\\\">\\n\", name, loc);\\\n\t\tfor (i=0; isize);\\\n\t\t\tfprintf(dump, \"/>\\n\");\\\n\t\t}\\\n\t\tfprintf(dump, \" \\n\", name);\\\n\t}\\\n\n#endif\n\n\tnalh_size = 0;\n\n\tfor (j=0; j\\n\");\n\n\t\tif (!avccfg && !svccfg && !hevccfg && !lhvccfg) {\n\t\t\tfprintf(stderr, \"Error: Track #%d is not NALU-based!\\n\", trackID);\n\t\t\treturn;\n\t\t}\n\n\t\tif (avccfg) {\n\t\t\tnalh_size = avccfg->nal_unit_size;\n\n\t\t\tDUMP_ARRAY(avccfg->sequenceParameterSets, \"AVCSPS\", \"avcC\", is_svc);\n\t\t\tDUMP_ARRAY(avccfg->pictureParameterSets, \"AVCPPS\", \"avcC\", is_svc)\n\t\t\tDUMP_ARRAY(avccfg->sequenceParameterSetExtensions, \"AVCSPSEx\", \"avcC\", is_svc)\n\t\t}\n\t\tif (is_svc) {\n\t\t\tif (!nalh_size) nalh_size = svccfg->nal_unit_size;\n\t\t\tDUMP_ARRAY(svccfg->sequenceParameterSets, \"SVCSPS\", \"svcC\", is_svc)\n\t\t\tDUMP_ARRAY(svccfg->pictureParameterSets, \"SVCPPS\", \"svcC\", is_svc)\n\t\t}\n\t\tif (mvccfg) {\n\t\t\tif (!nalh_size) nalh_size = mvccfg->nal_unit_size;\n\t\t\tDUMP_ARRAY(mvccfg->sequenceParameterSets, \"SVCSPS\", \"mvcC\", is_svc)\n\t\t\tDUMP_ARRAY(mvccfg->pictureParameterSets, \"SVCPPS\", \"mvcC\", is_svc)\n\t\t}\n\t\tif (hevccfg) {\n\t\t\tu32 idx;\n\t\t\tnalh_size = hevccfg->nal_unit_size;\n\t\t\tis_hevc = 1;\n\t\t\tfor (idx=0; idxparam_array); idx++) {\n\t\t\t\tGF_HEVCParamArray *ar = gf_list_get(hevccfg->param_array, idx);\n\t\t\t\tif (ar->type==GF_HEVC_NALU_SEQ_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCSPS\", \"hvcC\", 0)\n\t\t\t\t} else if (ar->type==GF_HEVC_NALU_PIC_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCPPS\", \"hvcC\", 0)\n\t\t\t\t} else if (ar->type==GF_HEVC_NALU_VID_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCVPS\", \"hvcC\", 0)\n\t\t\t\t} else {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, 
\"HEVCUnknownPS\", \"hvcC\", 0)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (lhvccfg) {\n\t\t\tu32 idx;\n\t\t\tnalh_size = lhvccfg->nal_unit_size;\n\t\t\tis_hevc = 1;\n\t\t\tfor (idx=0; idxparam_array); idx++) {\n\t\t\t\tGF_HEVCParamArray *ar = gf_list_get(lhvccfg->param_array, idx);\n\t\t\t\tif (ar->type==GF_HEVC_NALU_SEQ_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCSPS\", \"lhcC\", 0)\n\t\t\t\t} else if (ar->type==GF_HEVC_NALU_PIC_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCPPS\", \"lhcC\", 0)\n\t\t\t\t} else if (ar->type==GF_HEVC_NALU_VID_PARAM) {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCVPS\", \"lhcC\", 0)\n\t\t\t\t} else {\n\t\t\t\t\tDUMP_ARRAY(ar->nalus, \"HEVCUnknownPS\", \"lhcC\", 0)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tfprintf(dump, \" \\n\");\n\n\t\tif (avccfg) gf_odf_avc_cfg_del(avccfg);\n\t\tif (svccfg) {\n\t\t\tgf_odf_avc_cfg_del(svccfg);\n\t\t\thas_svcc = GF_TRUE;\n\t\t}\n\t\tif (hevccfg) gf_odf_hevc_cfg_del(hevccfg);\n\t\tif (lhvccfg) gf_odf_hevc_cfg_del(lhvccfg);\n\t}\n\n\t/*fixme: for dumping encrypted track: we don't have neither avccfg nor svccfg*/\n\tif (!nalh_size) nalh_size = 4;\n\n\t/*for testing dependency*/\n\tcountRef = gf_isom_get_reference_count(file, track, GF_ISOM_REF_SCAL);\n\tif (countRef > 0)\n\t{\n\t\tGF_ISOTrackID refTrackID;\n\t\tfprintf(dump, \" \\n\");\n\t\tfor (i = 1; i <= (u32) countRef; i++)\n\t\t{\n\t\t\tgf_isom_get_reference_ID(file, track, GF_ISOM_REF_SCAL, i, &refTrackID);\n\t\t\tfprintf(dump, \" \\n\", i, refTrackID);\n\t\t}\n\n\t\tfprintf(dump, \" \\n\");\n\t}\n\n\tfprintf(dump, \" \\n\");\n\tgf_isom_set_nalu_extract_mode(file, track, GF_ISOM_NALU_EXTRACT_INSPECT);\n\tis_adobe_protected = gf_isom_is_adobe_protection_media(file, track, 1);\n\tis_cenc_protected = gf_isom_is_cenc_media(file, track, 1);\n\tfor (i=0; i\\n\", i+1);\n\t\t\tcontinue;\n\t\t}\n\t\tdts = samp->DTS;\n\t\tcts = dts + (s32) samp->CTS_Offset;\n\t\tis_rap = samp->IsRAP;\n\t\tif (!is_rap) gf_isom_get_sample_rap_roll_info(file, track, i+1, &is_rap, NULL, 
NULL);\n\n\t\tif (dump_flags&2) {\n\t\t\tfprintf(dump, \" dataLength, is_rap);\n\t\t} else {\n\t\t\tfprintf(dump, \" dataLength, is_rap);\n\t\t}\n\t\tif (nb_descs>1)\n\t\t\tfprintf(dump, \" sample_description=\\\"%d\\\"\", di);\n\t\tfprintf(dump, \" >\\n\");\n\n\t\tif (cts\\n\");\n\n\t\tidx = 1;\n\t\tptr = samp->data;\n\t\tsize = samp->dataLength;\n\t\tif (is_adobe_protected) {\n\t\t\tu8 encrypted_au = ptr[0];\n\t\t\tif (encrypted_au) {\n\t\t\t\tfprintf(dump, \" \\n\", i+1);\n\t\t\t\tfprintf(dump, \" \\n\\n\");\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\telse {\n\t\t\t\tptr++;\n\t\t\t\tsize--;\n\t\t\t}\n\t\t}\n\t\twhile (size) {\n\t\t\tnal_size = read_nal_size_hdr(ptr, nalh_size);\n\t\t\tptr += nalh_size;\n\n\t\t\tif (nal_size >= UINT_MAX-nalh_size || nalh_size + nal_size > size) {\n\t\t\t\tfprintf(dump, \" \\n\", idx, nal_size, size);\n\t\t\t\tbreak;\n\t\t\t} else {\n\t\t\t\tfprintf(dump, \" \\n\");\n\t\t\t}\n\t\t\tidx++;\n\t\t\tptr+=nal_size;\n\t\t\tsize -= nal_size + nalh_size;\n\t\t}\n\t\tfprintf(dump, \" \\n\");\n\t\tgf_isom_sample_del(&samp);\n\n\t\tfprintf(dump, \"\\n\");\n\t\tgf_set_progress(\"Analysing Track NALUs\", i+1, count);\n\t}\n\tfprintf(dump, \" \\n\");\n\tfprintf(dump, \"\\n\");\n", "project": "gpac", "hash": 231038225852360546698611616707213829531, "size": 254, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249531 }, { "func": "GF_ISOMAVCType gf_isom_get_avc_svc_type(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex)\n{\n\tu32 type;\n\tGF_TrackBox *trak;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !trak->Media->handler || !DescriptionIndex) return GF_ISOM_AVCTYPE_NONE;\n\tif (!gf_isom_is_video_handler_type(trak->Media->handler->handlerType))\n\t\treturn GF_ISOM_AVCTYPE_NONE;\n\n\tentry = 
(GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1);\n\tif (!entry) return GF_ISOM_AVCTYPE_NONE;\n\n\ttype = entry->type;\n\n\tif (type == GF_ISOM_BOX_TYPE_ENCV) {\n\t\tGF_ProtectionSchemeInfoBox *sinf = (GF_ProtectionSchemeInfoBox *) gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_SINF);\n\t\tif (sinf && sinf->original_format) type = sinf->original_format->data_format;\n\t}\n\telse if (type == GF_ISOM_BOX_TYPE_RESV) {\n\t\tif (entry->rinf && entry->rinf->original_format) type = entry->rinf->original_format->data_format;\n\t}\n\n\tswitch (type) {\n\tcase GF_ISOM_BOX_TYPE_AVC1:\n\tcase GF_ISOM_BOX_TYPE_AVC2:\n\tcase GF_ISOM_BOX_TYPE_AVC3:\n\tcase GF_ISOM_BOX_TYPE_AVC4:\n\tcase GF_ISOM_BOX_TYPE_SVC1:\n\tcase GF_ISOM_BOX_TYPE_MVC1:\n\t\tbreak;\n\tdefault:\n\t\treturn GF_ISOM_AVCTYPE_NONE;\n\t}\n\tif (entry->avc_config && !entry->svc_config && !entry->mvc_config) return GF_ISOM_AVCTYPE_AVC_ONLY;\n\tif (entry->avc_config && entry->svc_config) return GF_ISOM_AVCTYPE_AVC_SVC;\n\tif (entry->avc_config && entry->mvc_config) return GF_ISOM_AVCTYPE_AVC_MVC;\n\tif (!entry->avc_config && entry->svc_config) return GF_ISOM_AVCTYPE_SVC_ONLY;\n\tif (!entry->avc_config && entry->mvc_config) return GF_ISOM_AVCTYPE_MVC_ONLY;\n\treturn GF_ISOM_AVCTYPE_NONE;\n}", "project": "gpac", "hash": 227435620295001667493729900795113710152, "size": 41, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237584 }, { "func": "static u32 Media_FindOD_ID(GF_MediaBox *mdia, GF_ISOSample *sample, u32 track_id)\n{\n\tGF_Err e;\n\tGF_ODCodec *ODdecode;\n\tGF_ODCom *com;\n\tu32 the_od_id;\n\tGF_ODUpdate *odU;\n\tGF_ESD *esd;\n\tGF_Descriptor *desc;\n\tGF_TrackReferenceTypeBox *mpod;\n\tu32 i, j;\n\n\tif (!mdia || !sample || !sample->data || !sample->dataLength) return 0;\n\n\tmpod = NULL;\n\te = Track_FindRef(mdia->mediaTrack, 
GF_ISOM_BOX_TYPE_MPOD, &mpod);\n\tif (e) return 0;\n\t//no references, nothing to do...\n\tif (!mpod) return 0;\n\n\tthe_od_id = 0;\n\n\tODdecode = gf_odf_codec_new();\n\tif (!ODdecode) return 0;\n\te = gf_odf_codec_set_au(ODdecode, sample->data, sample->dataLength);\n\tif (e) goto err_exit;\n\te = gf_odf_codec_decode(ODdecode);\n\tif (e) goto err_exit;\n\n\twhile (1) {\n\t\tGF_List *esd_list = NULL;\n\t\tcom = gf_odf_codec_get_com(ODdecode);\n\t\tif (!com) break;\n\t\tif (com->tag != GF_ODF_OD_UPDATE_TAG) continue;\n\t\todU = (GF_ODUpdate *) com;\n\n\t\ti=0;\n\t\twhile ((desc = (GF_Descriptor*)gf_list_enum(odU->objectDescriptors, &i))) {\n\t\t\tswitch (desc->tag) {\n\t\t\tcase GF_ODF_OD_TAG:\n\t\t\tcase GF_ODF_IOD_TAG:\n\t\t\t\tesd_list = ((GF_ObjectDescriptor *)desc)->ESDescriptors;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tj=0;\n\t\t\twhile ((esd = (GF_ESD*)gf_list_enum( esd_list, &j))) {\n\t\t\t\tif (esd->ESID==track_id) {\n\t\t\t\t\tthe_od_id = ((GF_IsomObjectDescriptor*)desc)->objectDescriptorID;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (the_od_id) break;\n\t\t}\n\t\tgf_odf_com_del((GF_ODCom **)&odU);\n\t\tif (the_od_id) break;\n\t}\n\nerr_exit:\n\tgf_odf_codec_del(ODdecode);\n\treturn the_od_id; //still 0 if error, no need to check for e\n}", "project": "gpac", "hash": 38329020095656068622272114369473859302, "size": 63, "commit_id": "f0ba83717b6e4d7a15a1676d1fe06152e199b011", "message": "fixed #1772 (fuzz)", "target": 0, "dataset": "other", "idx": 265418 }, { "func": "GF_Err Media_ParseODFrame(GF_MediaBox *mdia, const GF_ISOSample *sample, GF_ISOSample **od_samp)\n{\n\tGF_TrackReferenceBox *tref;\n\tGF_TrackReferenceTypeBox *mpod;\n\tGF_Err e;\n\tGF_ODCom *com;\n\tGF_ODCodec *ODencode;\n\tGF_ODCodec *ODdecode;\n\tu32 i, j;\n\t//the commands we proceed\n\tGF_ESDUpdate *esdU, *esdU2;\n\tGF_ESDRemove *esdR, *esdR2;\n\tGF_ODUpdate *odU, *odU2;\n\n\t//the desc they contain\n\tGF_ObjectDescriptor *od;\n\tGF_IsomObjectDescriptor 
*isom_od;\n\tGF_ESD *esd;\n\tGF_ES_ID_Ref *ref;\n\tGF_Descriptor *desc;\n\n\t*od_samp = NULL;\n\tif (!mdia || !sample || !sample->data || !sample->dataLength) return GF_BAD_PARAM;\n\n\t//First find the references, and create them if none\n\ttref = mdia->mediaTrack->References;\n\tif (!tref) {\n\t\ttref = (GF_TrackReferenceBox *) gf_isom_box_new_parent(&mdia->mediaTrack->child_boxes, GF_ISOM_BOX_TYPE_TREF);\n\t\tif (!tref) return GF_OUT_OF_MEM;\n\t\te = trak_on_child_box((GF_Box*)mdia->mediaTrack, (GF_Box *) tref, GF_FALSE);\n\t\tif (e) return e;\n\t}\n\t//then find the OD reference, and create it if none\n\te = Track_FindRef(mdia->mediaTrack, GF_ISOM_BOX_TYPE_MPOD, &mpod);\n\tif (e) return e;\n\tif (!mpod) {\n\t\tmpod = (GF_TrackReferenceTypeBox *) gf_isom_box_new_parent(&tref->child_boxes, GF_ISOM_BOX_TYPE_REFT);\n\t\tif (!mpod) return GF_OUT_OF_MEM;\n\t\tmpod->reference_type = GF_ISOM_BOX_TYPE_MPOD;\n\t}\n\n\t//OK, create our codecs\n\tODencode = gf_odf_codec_new();\n\tif (!ODencode) return GF_OUT_OF_MEM;\n\tODdecode = gf_odf_codec_new();\n\tif (!ODdecode) return GF_OUT_OF_MEM;\n\n\te = gf_odf_codec_set_au(ODdecode, sample->data, sample->dataLength);\n\tif (e) goto err_exit;\n\te = gf_odf_codec_decode(ODdecode);\n\tif (e) goto err_exit;\n\n\twhile (1) {\n\t\tcom = gf_odf_codec_get_com(ODdecode);\n\t\tif (!com) break;\n\n\t\t//check our commands\n\t\tswitch (com->tag) {\n\t\t//Rewrite OD Update\n\t\tcase GF_ODF_OD_UPDATE_TAG:\n\t\t\t//duplicate our command\n\t\t\todU = (GF_ODUpdate *) com;\n\t\t\todU2 = (GF_ODUpdate *) gf_odf_com_new(GF_ODF_OD_UPDATE_TAG);\n\n\t\t\ti=0;\n\t\t\twhile ((desc = (GF_Descriptor*)gf_list_enum(odU->objectDescriptors, &i))) {\n\t\t\t\t//both OD and IODs are accepted\n\t\t\t\tswitch (desc->tag) {\n\t\t\t\tcase GF_ODF_OD_TAG:\n\t\t\t\tcase GF_ODF_IOD_TAG:\n\t\t\t\t\tbreak;\n\t\t\t\tdefault:\n\t\t\t\t\te = GF_ODF_INVALID_DESCRIPTOR;\n\t\t\t\t\tgoto err_exit;\n\t\t\t\t}\n\t\t\t\t//get the esd\n\t\t\t\te = gf_odf_desc_copy(desc, (GF_Descriptor 
**)&od);\n\t\t\t\tif (e) goto err_exit;\n\t\t\t\tif (desc->tag == GF_ODF_OD_TAG) {\n\t\t\t\t\tisom_od = (GF_IsomObjectDescriptor *) gf_malloc(sizeof(GF_IsomObjectDescriptor));\n\t\t\t\t\tif (!isom_od) return GF_OUT_OF_MEM;\n\t\t\t\t\tisom_od->tag = GF_ODF_ISOM_OD_TAG;\n\t\t\t\t} else {\n\t\t\t\t\tisom_od = (GF_IsomObjectDescriptor *) gf_malloc(sizeof(GF_IsomInitialObjectDescriptor));\n\t\t\t\t\tif (!isom_od) return GF_OUT_OF_MEM;\n\t\t\t\t\tisom_od->tag = GF_ODF_ISOM_IOD_TAG;\n\t\t\t\t\t//copy PL\n\t\t\t\t\t((GF_IsomInitialObjectDescriptor *)isom_od)->inlineProfileFlag = ((GF_InitialObjectDescriptor *)od)->inlineProfileFlag;\n\t\t\t\t\t((GF_IsomInitialObjectDescriptor *)isom_od)->graphics_profileAndLevel = ((GF_InitialObjectDescriptor *)od)->graphics_profileAndLevel;\n\t\t\t\t\t((GF_IsomInitialObjectDescriptor *)isom_od)->audio_profileAndLevel = ((GF_InitialObjectDescriptor *)od)->audio_profileAndLevel;\n\t\t\t\t\t((GF_IsomInitialObjectDescriptor *)isom_od)->OD_profileAndLevel = ((GF_InitialObjectDescriptor *)od)->OD_profileAndLevel;\n\t\t\t\t\t((GF_IsomInitialObjectDescriptor *)isom_od)->scene_profileAndLevel = ((GF_InitialObjectDescriptor *)od)->scene_profileAndLevel;\n\t\t\t\t\t((GF_IsomInitialObjectDescriptor *)isom_od)->visual_profileAndLevel = ((GF_InitialObjectDescriptor *)od)->visual_profileAndLevel;\n\t\t\t\t\t((GF_IsomInitialObjectDescriptor *)isom_od)->IPMPToolList = ((GF_InitialObjectDescriptor *)od)->IPMPToolList;\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->IPMPToolList = NULL;\n\t\t\t\t}\n\t\t\t\t//in OD stream only ref desc are accepted\n\t\t\t\tisom_od->ES_ID_RefDescriptors = gf_list_new();\n\t\t\t\tisom_od->ES_ID_IncDescriptors = NULL;\n\n\t\t\t\t//TO DO: check that a given sampleDescription exists\n\t\t\t\tisom_od->extensionDescriptors = od->extensionDescriptors;\n\t\t\t\tod->extensionDescriptors = NULL;\n\t\t\t\tisom_od->IPMP_Descriptors = od->IPMP_Descriptors;\n\t\t\t\tod->IPMP_Descriptors = NULL;\n\t\t\t\tisom_od->OCIDescriptors = 
od->OCIDescriptors;\n\t\t\t\tod->OCIDescriptors = NULL;\n\t\t\t\tisom_od->URLString = od->URLString;\n\t\t\t\tod->URLString = NULL;\n\t\t\t\tisom_od->objectDescriptorID = od->objectDescriptorID;\n\n\t\t\t\tj=0;\n\t\t\t\twhile ((esd = (GF_ESD*)gf_list_enum(od->ESDescriptors, &j))) {\n\t\t\t\t\tref = (GF_ES_ID_Ref *) gf_odf_desc_new(GF_ODF_ESD_REF_TAG);\n\t\t\t\t\tif (!esd->ESID) {\n\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[ISOM] Missing ESID on ESD, cannot add track reference in OD frame\"));\n\t\t\t\t\t\te = GF_BAD_PARAM;\n\t\t\t\t\t\tgoto err_exit;\n\t\t\t\t\t}\n\t\t\t\t\t//1 to 1 mapping trackID and ESID. Add this track to MPOD\n\t\t\t\t\t//if track does not exist, this will be remove while reading the OD stream\n\t\t\t\t\te = reftype_AddRefTrack(mpod, esd->ESID, &ref->trackRef);\n\t\t\t\t\tif (e) goto err_exit;\n\t\t\t\t\te = gf_odf_desc_add_desc((GF_Descriptor *)isom_od, (GF_Descriptor *)ref);\n\t\t\t\t\tif (e) goto err_exit;\n\t\t\t\t}\n\t\t\t\t//delete our desc\n\t\t\t\tgf_odf_desc_del((GF_Descriptor *)od);\n\t\t\t\t//and add the new one to our command\n\t\t\t\tgf_list_add(odU2->objectDescriptors, isom_od);\n\t\t\t}\n\t\t\t//delete the command\n\t\t\tgf_odf_com_del((GF_ODCom **)&odU);\n\t\t\t//and add the new one to the codec\n\t\t\tgf_odf_codec_add_com(ODencode, (GF_ODCom *)odU2);\n\t\t\tbreak;\n\n\t\t//Rewrite ESD Update\n\t\tcase GF_ODF_ESD_UPDATE_TAG:\n\t\t\tesdU = (GF_ESDUpdate *) com;\n\t\t\tesdU2 = (GF_ESDUpdate *) gf_odf_com_new(GF_ODF_ESD_UPDATE_TAG);\n\t\t\tesdU2->ODID = esdU->ODID;\n\t\t\ti=0;\n\t\t\twhile ((esd = (GF_ESD*)gf_list_enum(esdU->ESDescriptors, &i))) {\n\t\t\t\tref = (GF_ES_ID_Ref *) gf_odf_desc_new(GF_ODF_ESD_REF_TAG);\n\t\t\t\t//1 to 1 mapping trackID and ESID\n\t\t\t\te = reftype_AddRefTrack(mpod, esd->ESID, &ref->trackRef);\n\t\t\t\tif (e) goto err_exit;\n\t\t\t\te = gf_list_add(esdU2->ESDescriptors, ref);\n\t\t\t\tif (e) goto err_exit;\n\t\t\t}\n\t\t\tgf_odf_com_del((GF_ODCom 
**)&esdU);\n\t\t\tgf_odf_codec_add_com(ODencode, (GF_ODCom *)esdU2);\n\t\t\tbreak;\n\n\t\t//Brand new case: the ESRemove has to be rewritten too according to the specs...\n\t\tcase GF_ODF_ESD_REMOVE_TAG:\n\t\t\tesdR = (GF_ESDRemove *) com;\n\t\t\tesdR2 = (GF_ESDRemove *) gf_odf_com_new(GF_ODF_ESD_REMOVE_TAG);\n\t\t\t//change the tag for the file format\n\t\t\tesdR2->tag = GF_ODF_ESD_REMOVE_REF_TAG;\n\t\t\tesdR2->ODID = esdR->ODID;\n\t\t\tesdR2->NbESDs = esdR->NbESDs;\n\t\t\tif (esdR->NbESDs) {\n\t\t\t\t//alloc our stuff\n\t\t\t\tesdR2->ES_ID = (unsigned short*)gf_malloc(sizeof(u32) * esdR->NbESDs);\n\t\t\t\tif (!esdR2->ES_ID) {\n\t\t\t\t\te = GF_OUT_OF_MEM;\n\t\t\t\t\tgoto err_exit;\n\t\t\t\t}\n\t\t\t\tfor (i = 0; i < esdR->NbESDs; i++) {\n\t\t\t\t\t//1 to 1 mapping trackID and ESID\n\t\t\t\t\te = reftype_AddRefTrack(mpod, esdR->ES_ID[i], &esdR2->ES_ID[i]);\n\t\t\t\t\tif (e) goto err_exit;\n\t\t\t\t}\n\t\t\t}\n\t\t\tgf_odf_com_del(&com);\n\t\t\tgf_odf_codec_add_com(ODencode, (GF_ODCom *)esdR2);\n\t\t\tbreak;\n\n\t\t//Add the command as is\n\t\tdefault:\n\t\t\te = gf_odf_codec_add_com(ODencode, com);\n\t\t\tif (e) goto err_exit;\n\t\t}\n\t}\n\n\t//encode our new AU\n\te = gf_odf_codec_encode(ODencode, 1);\n\tif (e) goto err_exit;\n\n\t//and set the buffer in the sample\n\t*od_samp = gf_isom_sample_new();\n\t(*od_samp)->CTS_Offset = sample->CTS_Offset;\n\t(*od_samp)->DTS = sample->DTS;\n\t(*od_samp)->IsRAP = sample->IsRAP;\n\te = gf_odf_codec_get_au(ODencode, & (*od_samp)->data, & (*od_samp)->dataLength);\n\tif (e) {\n\t\tgf_isom_sample_del(od_samp);\n\t\t*od_samp = NULL;\n\t}\n\nerr_exit:\n\n\tgf_odf_codec_del(ODencode);\n\tgf_odf_codec_del(ODdecode);\n\treturn e;\n}", "project": "gpac", "hash": 300055804056972864306831633311354456360, "size": 208, "commit_id": "f0ba83717b6e4d7a15a1676d1fe06152e199b011", "message": "fixed #1772 (fuzz)", "target": 0, "dataset": "other", "idx": 265417 }, { "func": "void PrintEncryptUsage()\n{\n\tu32 i=0;\n\tgf_sys_format_help(helpout, 
help_flags, \"# Encryption/Decryption Options\\n\"\n\t\"MP4Box supports encryption and decryption of ISMA, OMA and CENC content, see [encryption filter `gpac -h cecrypt`](cecrypt).\\n\"\n\t\"It requires a specific XML file called `CryptFile`, whose syntax is available at https://wiki.gpac.io/Common-Encryption\\n\"\n\t\" \\n\"\n\t\"Options:\\n\"\n\t);\n\twhile (m4b_crypt_args[i].name) {\n\t\tGF_GPACArg *arg = &m4b_crypt_args[i];\n\t\ti++;\n\t\tgf_sys_print_arg(helpout, help_flags, arg, \"mp4box-crypt\");\n\t}\n}", "project": "gpac", "hash": 194342396525868004058145197993791961797, "size": 15, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244408 }, { "func": "void GetGhostNum(GF_StscEntry *ent, u32 EntryIndex, u32 count, GF_SampleTableBox *stbl)\n{\n\tGF_StscEntry *nextEnt;\n\tu32 ghostNum = 1;\n\n\tif (!ent) {\n\t\tstbl->SampleToChunk->ghostNumber = 0;\n\t\treturn;\n\t}\n\n\tif (!ent->nextChunk) {\n\t\tif (EntryIndex+1 == count) {\n\t\t\t//not specified in the spec, what if the last sample to chunk is no written?\n\t\t\tif (stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) {\n\t\t\t\tGF_ChunkOffsetBox *stco = (GF_ChunkOffsetBox *)stbl->ChunkOffset;\n\t\t\t\tghostNum = (stco->nb_entries > ent->firstChunk) ? (1 + stco->nb_entries - ent->firstChunk) : 1;\n\t\t\t} else {\n\t\t\t\tGF_ChunkLargeOffsetBox *co64 = (GF_ChunkLargeOffsetBox *)stbl->ChunkOffset;\n\t\t\t\tghostNum = (co64->nb_entries > ent->firstChunk) ? (1 + co64->nb_entries - ent->firstChunk) : 1;\n\t\t\t}\n\t\t} else {\n\t\t\t//this is an unknown case due to edit mode...\n\t\t\tnextEnt = &stbl->SampleToChunk->entries[EntryIndex+1];\n\t\t\tghostNum = nextEnt->firstChunk - ent->firstChunk;\n\t\t}\n\t} else {\n\t\tghostNum = (ent->nextChunk > ent->firstChunk) ? 
(ent->nextChunk - ent->firstChunk) : 1;\n\t}\n\tstbl->SampleToChunk->ghostNumber = ghostNum;\n}", "project": "gpac", "hash": 337413207045705345500917603342640913409, "size": 30, "commit_id": "2da2f68bffd51d89b1d272d22aa8cc023c1c066e", "message": "fixed #1705", "target": 0, "dataset": "other", "idx": 258552 }, { "func": "GF_Err stbl_RemoveRAP(GF_SampleTableBox *stbl, u32 sampleNumber)\n{\n\tu32 i;\n\n\tGF_SyncSampleBox *stss = stbl->SyncSample;\n\tif (!stss) return GF_OK;\n\n\t//we remove the only one around...\n\tif (stss->nb_entries == 1) {\n\t\tif (stss->sampleNumbers[0] != sampleNumber) return GF_OK;\n\t\t//free our numbers but don't delete (all samples are NON-sync\n\t\tgf_free(stss->sampleNumbers);\n\t\tstss->sampleNumbers = NULL;\n\t\tstss->r_LastSampleIndex = stss->r_LastSyncSample = 0;\n\t\tstss->alloc_size = stss->nb_entries = 0;\n\t\treturn GF_OK;\n\t}\n\n\tfor (i=0; inb_entries; i++) {\n\t\t//found the sample\n\t\tif (sampleNumber == stss->sampleNumbers[i]) {\n\t\t\tmemmove(&stss->sampleNumbers[i], &stss->sampleNumbers[i+1], sizeof(u32)* (stss->nb_entries-i-1) );\n\t\t\tstss->nb_entries--;\n\t\t}\n\n\t\tif (sampleNumber < stss->sampleNumbers[i]) {\n\t\t\tassert(stss->sampleNumbers[i]);\n\t\t\tstss->sampleNumbers[i]--;\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 264893940654494648541123592080604406195, "size": 32, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267881 }, { "func": "GF_Err gf_isom_get_omadrm_info(GF_ISOFile *the_file, u32 trackNumber, u32 sampleDescriptionIndex, u32 *outOriginalFormat,\n u32 *outSchemeType, u32 *outSchemeVersion,\n const char **outContentID, const char **outRightsIssuerURL, const char **outTextualHeaders, u32 *outTextualHeadersLen, u64 *outPlaintextLength, u32 *outEncryptionType, Bool *outSelectiveEncryption, u32 *outIVLength, u32 *outKeyIndicationLength)\n{\n\tGF_TrackBox *trak;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\n\ttrak 
= gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tsinf = isom_get_sinf_entry(trak, sampleDescriptionIndex, GF_ISOM_OMADRM_SCHEME, NULL);\n\tif (!sinf) return GF_OK;\n\n\tif (!sinf->info || !sinf->info->odkm || !sinf->info->odkm->hdr) return GF_NON_COMPLIANT_BITSTREAM;\n\n\tif (outOriginalFormat) {\n\t\t*outOriginalFormat = sinf->original_format->data_format;\n\t\tif (IsMP4Description(sinf->original_format->data_format)) *outOriginalFormat = GF_ISOM_SUBTYPE_MPEG4;\n\t}\n\tif (outSchemeType) *outSchemeType = sinf->scheme_type->scheme_type;\n\tif (outSchemeVersion) *outSchemeVersion = sinf->scheme_type->scheme_version;\n\tif (outContentID) *outContentID = sinf->info->odkm->hdr->ContentID;\n\tif (outRightsIssuerURL) *outRightsIssuerURL = sinf->info->odkm->hdr->RightsIssuerURL;\n\tif (outTextualHeaders) {\n\t\t*outTextualHeaders = sinf->info->odkm->hdr->TextualHeaders;\n\t\tif (outTextualHeadersLen) *outTextualHeadersLen = sinf->info->odkm->hdr->TextualHeadersLen;\n\t}\n\tif (outPlaintextLength) *outPlaintextLength = sinf->info->odkm->hdr->PlaintextLength;\n\tif (outEncryptionType) *outEncryptionType = sinf->info->odkm->hdr->EncryptionMethod;\n\n\tif (sinf->info && sinf->info->odkm && sinf->info->odkm->fmt) {\n\t\tif (outSelectiveEncryption) *outSelectiveEncryption = sinf->info->odkm->fmt->selective_encryption;\n\t\tif (outIVLength) *outIVLength = sinf->info->odkm->fmt->IV_length;\n\t\tif (outKeyIndicationLength) *outKeyIndicationLength = sinf->info->odkm->fmt->key_indicator_length;\n\t} else {\n\t\tif (outSelectiveEncryption) *outSelectiveEncryption = GF_FALSE;\n\t\tif (outIVLength) *outIVLength = 0;\n\t\tif (outKeyIndicationLength) *outKeyIndicationLength = 0;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 280208012704154969999212322413703810930, "size": 41, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275402 }, { "func": "\nGF_Err 
udta_on_child_box(GF_Box *s, GF_Box *a)\n{\n\tGF_Err e;\n\tu32 box_type;\n\tGF_UserDataMap *map;\n\tGF_UserDataBox *ptr = (GF_UserDataBox *)s;\n\tif (!ptr) return GF_BAD_PARAM;\n\tif (!a) return GF_OK;\n\n\t//detach from parent list if any\n\tgf_list_del_item(ptr->child_boxes, a);\n\n\t/* for unknown udta boxes, we reference them by their original box type */\n\tbox_type = a->type;\n\tif (box_type == GF_ISOM_BOX_TYPE_UNKNOWN) {\n\t\tGF_UnknownBox* unkn = (GF_UnknownBox *)a;\n\t\tbox_type = unkn->original_4cc;\n\t}\n\n\tmap = udta_getEntry(ptr, box_type, (a->type==GF_ISOM_BOX_TYPE_UUID) ? & ((GF_UUIDBox *)a)->uuid : NULL);\n\tif (map == NULL) {\n\t\tmap = (GF_UserDataMap *) gf_malloc(sizeof(GF_UserDataMap));\n\t\tif (map == NULL) return GF_OUT_OF_MEM;\n\t\tmemset(map, 0, sizeof(GF_UserDataMap));\n\n\t\tmap->boxType = box_type;\n\t\tif (a->type == GF_ISOM_BOX_TYPE_UUID)\n\t\t\tmemcpy(map->uuid, ((GF_UUIDBox *)a)->uuid, 16);\n\t\tmap->boxes = gf_list_new();\n\t\tif (!map->boxes) {\n\t\t\tgf_free(map);\n\t\t\treturn GF_OUT_OF_MEM;\n\t\t}\n\t\te = gf_list_add(ptr->recordList, map);\n\t\tif (e) return e;\n\t}\n\treturn gf_list_add(map->boxes, a);", "project": "gpac", "hash": 198901519472576320788249690905304392975, "size": 38, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264801 }, { "func": "GF_Err video_sample_entry_box_read(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_MPEGVisualSampleEntryBox *mp4v = (GF_MPEGVisualSampleEntryBox*)s;\n\tGF_Err e;\n\te = gf_isom_video_sample_entry_read((GF_VisualSampleEntryBox *)s, bs);\n\tif (e) return e;\n\te = gf_isom_box_array_read(s, bs, video_sample_entry_on_child_box);\n\tif (e) return e;\n\t/*this is an AVC sample desc*/\n\tif (mp4v->avc_config || mp4v->svc_config || mp4v->mvc_config)\n\t\tAVC_RewriteESDescriptor(mp4v);\n\t/*this is an HEVC sample desc*/\n\tif (mp4v->hevc_config || mp4v->lhvc_config || 
(mp4v->type==GF_ISOM_BOX_TYPE_HVT1))\n\t\tHEVC_RewriteESDescriptor(mp4v);\n\t/*this is an AV1 sample desc*/\n\tif (mp4v->av1_config)\n\t\tAV1_RewriteESDescriptor(mp4v);\n\t/*this is a VP8-9 sample desc*/\n\tif (mp4v->vp_config)\n\t\tVP9_RewriteESDescriptor(mp4v);\n\n\tif (s->type==GF_ISOM_BOX_TYPE_ENCV) {\n\t\tGF_ProtectionSchemeInfoBox *sinf = (GF_ProtectionSchemeInfoBox *) gf_isom_box_find_child(s->child_boxes, GF_ISOM_BOX_TYPE_SINF);\n\n\t\tif (sinf && sinf->original_format) {\n\t\t\tu32 type = sinf->original_format->data_format;\n\t\t\tswitch (type) {\n\t\t\tcase GF_ISOM_SUBTYPE_3GP_H263:\n\t\t\t\tif (mp4v->cfg_3gpp) mp4v->cfg_3gpp->cfg.type = type;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 275334734574286670604786055535531308572, "size": 35, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264850 }, { "func": "GF_Err gf_isom_load_extra_boxes(GF_ISOFile *movie, u8 *moov_boxes, u32 moov_boxes_size, Bool udta_only)\n{\n\tGF_BitStream *bs;\n\n\tGF_Err e = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\te = gf_isom_insert_moov(movie);\n\tif (e) return e;\n\n\tbs = gf_bs_new(moov_boxes, moov_boxes_size, GF_BITSTREAM_READ);\n\n\t//we may have terminators in some QT files (4 bytes set to 0 ...)\n\twhile (gf_bs_available(bs) >= 8) {\n\t\tGF_Box *a_box;\n\t\te = gf_isom_box_parse_ex((GF_Box**)&a_box, bs, GF_ISOM_BOX_TYPE_MOOV, GF_FALSE);\n\t\tif (e || !a_box) goto exit;\n\n\t\tif (a_box->type == GF_ISOM_BOX_TYPE_UDTA) {\n\t\t\tif (movie->moov->udta) gf_isom_box_del_parent(&movie->moov->child_boxes, (GF_Box*)movie->moov->udta);\n\t\t\tmovie->moov->udta = (GF_UserDataBox*) a_box;\n\n\t\t\tif (!movie->moov->child_boxes) movie->moov->child_boxes = gf_list_new();\n\t\t\tgf_list_add(movie->moov->child_boxes, a_box);\n\n\t\t} else if (!udta_only && (a_box->type!=GF_ISOM_BOX_TYPE_PSSH) ) {\n\t\t\tif (!movie->moov->child_boxes) 
movie->moov->child_boxes = gf_list_new();\n\t\t\tgf_list_add(movie->moov->child_boxes, a_box);\n\t\t} else {\n\t\t\tgf_isom_box_del(a_box);\n\t\t}\n\t}\nexit:\n\tgf_bs_del(bs);\n\treturn e;\n}", "project": "gpac", "hash": 34539407554620030559616958276814945138, "size": 35, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267235 }, { "func": "GF_Err stbl_GetSampleDTS(GF_TimeToSampleBox *stts, u32 SampleNumber, u64 *DTS)\n{\n\treturn stbl_GetSampleDTS_and_Duration(stts, SampleNumber, DTS, NULL);\n}", "project": "gpac", "hash": 301146032702642585704011975992224506114, "size": 4, "commit_id": "2da2f68bffd51d89b1d272d22aa8cc023c1c066e", "message": "fixed #1705", "target": 0, "dataset": "other", "idx": 258557 }, { "func": "GF_Err gf_isom_set_handler_name(GF_ISOFile *the_file, u32 trackNumber, const char *nameUTF8)\n{\n\tGF_TrackBox *trak;\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\tif (trak->Media->handler->nameUTF8) gf_free(trak->Media->handler->nameUTF8);\n\ttrak->Media->handler->nameUTF8 = NULL;\n\n\tif (!nameUTF8) return GF_OK;\n\n\tif (!strnicmp(nameUTF8, \"file://\", 7)) {\n\t\tu8 BOM[4];\n\t\tFILE *f = gf_fopen(nameUTF8+7, \"rb\");\n\t\tu64 size;\n\t\tif (!f) return GF_URL_ERROR;\n\t\tsize = gf_fsize(f);\n\t\tif (3!=gf_fread(BOM, 3, f)) {\n\t\t\tgf_fclose(f);\n\t\t\treturn GF_CORRUPTED_DATA;\n\t\t}\n\t\t/*skip BOM if any*/\n\t\tif ((BOM[0]==0xEF) && (BOM[1]==0xBB) && (BOM[2]==0xBF)) size -= 3;\n\t\telse if ((BOM[0]==0xEF) || (BOM[0]==0xFF)) {\n\t\t\tgf_fclose(f);\n\t\t\treturn GF_BAD_PARAM;\n\t\t}\n\t\telse gf_fseek(f, 0, SEEK_SET);\n\t\ttrak->Media->handler->nameUTF8 = (char*)gf_malloc(sizeof(char)*(size_t)(size+1));\n\t\tif (!trak->Media->handler->nameUTF8) {\n\t\t\tgf_fclose(f);\n\t\t\treturn GF_OUT_OF_MEM;\n\t\t}\n\t\tsize = gf_fread(trak->Media->handler->nameUTF8, (size_t)size, f);\n\t\ttrak->Media->handler->nameUTF8[size] = 
0;\n\t\tgf_fclose(f);\n\t} else {\n\t\tu32 i, j, len;\n\t\tchar szOrig[1024], szLine[1024];\n\t\tstrcpy(szOrig, nameUTF8);\n\t\tj=0;\n\t\tlen = (u32) strlen(szOrig);\n\t\tfor (i=0; i> 6) & 0x3 );\n\t\t\t\t\tj++;\n\t\t\t\t\tszOrig[i] &= 0xbf;\n\t\t\t\t}\n\t\t\t\t/*UTF8 2 bytes char */\n\t\t\t\telse if ( (szOrig[i] & 0xe0) == 0xc0) {\n\t\t\t\t\tszLine[j] = szOrig[i];\n\t\t\t\t\ti++;\n\t\t\t\t\tj++;\n\t\t\t\t}\n\t\t\t\t/*UTF8 3 bytes char */\n\t\t\t\telse if ( (szOrig[i] & 0xf0) == 0xe0) {\n\t\t\t\t\tszLine[j] = szOrig[i];\n\t\t\t\t\ti++;\n\t\t\t\t\tj++;\n\t\t\t\t\tszLine[j] = szOrig[i];\n\t\t\t\t\ti++;\n\t\t\t\t\tj++;\n\t\t\t\t}\n\t\t\t\t/*UTF8 4 bytes char */\n\t\t\t\telse if ( (szOrig[i] & 0xf8) == 0xf0) {\n\t\t\t\t\tszLine[j] = szOrig[i];\n\t\t\t\t\ti++;\n\t\t\t\t\tj++;\n\t\t\t\t\tszLine[j] = szOrig[i];\n\t\t\t\t\ti++;\n\t\t\t\t\tj++;\n\t\t\t\t\tszLine[j] = szOrig[i];\n\t\t\t\t\ti++;\n\t\t\t\t\tj++;\n\t\t\t\t}\n\t\t\t}\n\t\t\tszLine[j] = szOrig[i];\n\t\t\tj++;\n\t\t}\n\t\tszLine[j] = 0;\n\t\ttrak->Media->handler->nameUTF8 = gf_strdup(szLine);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 1097152766773659812308448673978413151, "size": 85, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267177 }, { "func": "GF_EXPORT\nu32 gf_isom_get_next_alternate_group_id(GF_ISOFile *movie)\n{\n\tu32 id = 0;\n\tu32 i=0;\n\n\twhile (i< gf_isom_get_track_count(movie) ) {\n\t\tGF_TrackBox *trak = gf_isom_get_track_from_file(movie, i+1);\n\t\tif (trak->Header->alternate_group > id)\n\t\t\tid = trak->Header->alternate_group;\n\t\ti++;\n\t}\n\treturn id+1;", "project": "gpac", "hash": 171462149361089720128543231001035212410, "size": 13, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246816 }, { "func": "GF_Err audio_sample_entry_box_read(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_MPEGAudioSampleEntryBox *ptr;\n\tchar 
*data;\n\tu8 a, b, c, d;\n\tu32 i, size, v, nb_alnum;\n\tGF_Err e;\n\tu64 pos, start;\n\n\tptr = (GF_MPEGAudioSampleEntryBox *)s;\n\n\tstart = gf_bs_get_position(bs);\n\tgf_bs_seek(bs, start + 8);\n\tv = gf_bs_read_u16(bs);\n\tif (v)\n\t\tptr->qtff_mode = GF_ISOM_AUDIO_QTFF_ON_NOEXT;\n\n\t//try to disambiguate QTFF v1 and MP4 v1 audio sample entries ...\n\tif (v==1) {\n\t\t//go to end of ISOM audio sample entry, skip 4 byte (box size field), read 4 bytes (box type) and check if this looks like a box\n\t\tgf_bs_seek(bs, start + 8 + 20 + 4);\n\t\ta = gf_bs_read_u8(bs);\n\t\tb = gf_bs_read_u8(bs);\n\t\tc = gf_bs_read_u8(bs);\n\t\td = gf_bs_read_u8(bs);\n\t\tnb_alnum = 0;\n\t\tif (isalnum(a)) nb_alnum++;\n\t\tif (isalnum(b)) nb_alnum++;\n\t\tif (isalnum(c)) nb_alnum++;\n\t\tif (isalnum(d)) nb_alnum++;\n\t\tif (nb_alnum>2) ptr->qtff_mode = GF_ISOM_AUDIO_QTFF_NONE;\n\t}\n\n\tgf_bs_seek(bs, start);\n\te = gf_isom_audio_sample_entry_read((GF_AudioSampleEntryBox*)s, bs);\n\tif (e) return e;\n\tpos = gf_bs_get_position(bs);\n\tsize = (u32) s->size;\n\n\t//when cookie is set on bs, always convert qtff-style mp4a to isobmff-style\n\t//since the conversion is done in addBox and we don't have the bitstream there (arg...), flag the box\n \tif (gf_bs_get_cookie(bs) & GF_ISOM_BS_COOKIE_QT_CONV) {\n \t\tptr->qtff_mode |= GF_ISOM_AUDIO_QTFF_CONVERT_FLAG;\n \t}\n\n\te = gf_isom_box_array_read(s, bs, audio_sample_entry_on_child_box);\n\tif (!e) {\n\t\tif (s->type==GF_ISOM_BOX_TYPE_ENCA) {\n\t\t\tGF_ProtectionSchemeInfoBox *sinf = (GF_ProtectionSchemeInfoBox *) gf_isom_box_find_child(s->child_boxes, GF_ISOM_BOX_TYPE_SINF);\n\n\t\t\tif (sinf && sinf->original_format) {\n\t\t\t\tu32 type = sinf->original_format->data_format;\n\t\t\t\tswitch (type) {\n\t\t\t\tcase GF_ISOM_SUBTYPE_3GP_AMR:\n\t\t\t\tcase GF_ISOM_SUBTYPE_3GP_AMR_WB:\n\t\t\t\tcase GF_ISOM_SUBTYPE_3GP_EVRC:\n\t\t\t\tcase GF_ISOM_SUBTYPE_3GP_QCELP:\n\t\t\t\tcase GF_ISOM_SUBTYPE_3GP_SMV:\n\t\t\t\t\tif (ptr->cfg_3gpp) 
ptr->cfg_3gpp->cfg.type = type;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn GF_OK;\n\t}\n\tif (size<8) return GF_ISOM_INVALID_FILE;\n\n\n\t/*hack for some weird files (possibly recorded with live.com tools, needs further investigations)*/\n\tgf_bs_seek(bs, pos);\n\tdata = (char*)gf_malloc(sizeof(char) * size);\n\tif (!data) return GF_OUT_OF_MEM;\n\n\tgf_bs_read_data(bs, data, size);\n\tfor (i=0; iesd) gf_isom_box_del_parent(&ptr->child_boxes, (GF_Box *)ptr->esd);\n\t\t\tptr->esd = NULL;\n\t\t\te = gf_isom_box_parse((GF_Box **)&ptr->esd, mybs);\n\t\t\tgf_bs_del(mybs);\n\t\t\tif (e==GF_OK) {\n\t\t\t\tif (!ptr->child_boxes) ptr->child_boxes = gf_list_new();\n\t\t\t\tgf_list_add(ptr->child_boxes, ptr->esd);\n\t\t\t} else if (ptr->esd) {\n\t\t\t\tgf_isom_box_del((GF_Box *)ptr->esd);\n\t\t\t\tptr->esd = NULL;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t}\n\tgf_free(data);\n\treturn e;\n}", "project": "gpac", "hash": 262329884561455982202817194615648903690, "size": 94, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264857 }, { "func": "GF_Err abst_box_size(GF_Box *s)\n{\n\tGF_Err e;\n\tu32 i;\n\tGF_AdobeBootstrapInfoBox *ptr = (GF_AdobeBootstrapInfoBox *)s;\n\n\ts->size += 25\n\t + (ptr->movie_identifier ? (strlen(ptr->movie_identifier) + 1) : 1)\n\t + 1;\n\n\tfor (i=0; iserver_entry_count; i++)\n\t\ts->size += strlen(gf_list_get(ptr->server_entry_table, i)) + 1;\n\n\ts->size += 1;\n\n\tfor (i=0; iquality_entry_count; i++)\n\t\ts->size += strlen(gf_list_get(ptr->quality_entry_table, i)) + 1;\n\n\ts->size += (ptr->drm_data ? (strlen(ptr->drm_data) + 1) : 1)\n\t + (ptr->meta_data ? 
(strlen(ptr->meta_data) + 1) : 1)\n\t + 1;\n\n\tfor (i=0; isegment_run_table_count; i++) {\n\t\tGF_Box *box = (GF_Box *)gf_list_get(ptr->segment_run_table_entries, i);\n\t\te = gf_isom_box_size(box);\n\t\tif (e) return e;\n\t\ts->size += box->size;\n\t}\n\n\ts->size += 1;\n\tfor (i=0; ifragment_run_table_count; i++) {\n\t\tGF_Box *box = (GF_Box *)gf_list_get(ptr->fragment_run_table_entries, i);\n\t\te = gf_isom_box_size(box);\n\t\tif (e) return e;\n\t\ts->size += box->size;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 77363806137723692328748107724600665591, "size": 38, "commit_id": "e74be5976a6fee059c638050a237893f7e9a3b23", "message": "fixed #1753", "target": 0, "dataset": "other", "idx": 230586 }, { "func": "GF_Err gf_isom_set_track_matrix(GF_ISOFile *the_file, u32 trackNumber, s32 matrix[9])\n{\n\tGF_TrackBox *trak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Header) return GF_BAD_PARAM;\n\tmemcpy(trak->Header->matrix, matrix, sizeof(trak->Header->matrix));\n\treturn GF_OK;\n}", "project": "gpac", "hash": 185503007082069257997742657623325058583, "size": 7, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267192 }, { "func": "GF_Err stbl_SearchSAPs(GF_SampleTableBox *stbl, u32 SampleNumber, GF_ISOSAPType *IsRAP, u32 *prevRAP, u32 *nextRAP)\n{\n\tu32 i, j, count, count2;\n\tassert(prevRAP);\n\tassert(nextRAP);\n\t(*prevRAP) = 0;\n\t(*nextRAP) = 0;\n\t(*IsRAP) = RAP_NO;\n\n\tif (!stbl->sampleGroups || !stbl->sampleGroupsDescription) return GF_OK;\n\n\tcount = gf_list_count(stbl->sampleGroups);\n\tcount2 = gf_list_count(stbl->sampleGroupsDescription);\n\tfor (i=0; isampleGroups, i);\n\t\tswitch (sg->grouping_type) {\n\t\tcase GF_ISOM_SAMPLE_GROUP_RAP:\n\t\tcase GF_ISOM_SAMPLE_GROUP_SYNC:\n\t\t\tis_rap_group = 1;\n\t\t\tbreak;\n\t\tcase GF_ISOM_SAMPLE_GROUP_ROLL:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tcontinue;\n\t\t}\n\t\tfor (j=0; jsampleGroupsDescription, 
j);\n\t\t\tif (sgdp->grouping_type==sg->grouping_type) break;\n\t\t\tsgdp = NULL;\n\t\t}\n\t\tif (! sgdp) continue;\n\n\t\tfirst_sample_in_entry=1;\n\t\tfor (j=0; jentry_count; j++) {\n\t\t\tu32 first_rap_in_entry, last_rap_in_entry;\n\t\t\tlast_sample_in_entry = first_sample_in_entry + sg->sample_entries[j].sample_count - 1;\n\n\t\t\t/*samples in this entry are not RAPs, continue*/\n\t\t\tif (! sg->sample_entries[j].group_description_index) {\n\t\t\t\tfirst_sample_in_entry += sg->sample_entries[j].sample_count;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (!is_rap_group) {\n\t\t\t\tGF_RollRecoveryEntry *entry = gf_list_get(sgdp->group_descriptions, sg->sample_entries[j].group_description_index - 1);\n\t\t\t\troll_distance = entry ? entry->roll_distance : 0;\n\t\t\t}\n\n\t\t\t/*we consider the first sample in a roll or rap group entry to be the RAP (eg, we have to decode from this sample anyway)\n\t\t\texcept if roll_distance is strictly negative in which case we have to rewind our sample numbers from roll_distance*/\n\t\t\tif (roll_distance < 0) {\n\t\t\t\tif ((s32) first_sample_in_entry + roll_distance>=0) first_rap_in_entry = first_sample_in_entry + roll_distance;\n\t\t\t\telse first_rap_in_entry = 0;\n\n\t\t\t\tif ((s32) last_sample_in_entry + roll_distance>=0) last_rap_in_entry = last_sample_in_entry + roll_distance;\n\t\t\t\telse last_rap_in_entry = 0;\n\t\t\t} else {\n\t\t\t\tfirst_rap_in_entry = first_sample_in_entry;\n\t\t\t\tlast_rap_in_entry = last_sample_in_entry;\n\t\t\t}\n\n\t\t\t/*store previous & next sample RAP - note that we do not store the closest previous RAP, only the first of the previous RAP group\n\t\t\tas RAPs are usually isolated this should not be an issue*/\n\t\t\tif (first_rap_in_entry <= SampleNumber) {\n\t\t\t\t*prevRAP = first_rap_in_entry;\n\t\t\t}\n\t\t\t*nextRAP = last_rap_in_entry;\n\t\t\t\n\t\t\t/*sample lies in this (rap) group, it is rap*/\n\t\t\tif (is_rap_group) {\n\t\t\t\tif ((first_rap_in_entry <= SampleNumber) && (SampleNumber 
<= last_rap_in_entry)) {\n\t\t\t\t\t(*IsRAP) = RAP;\n\t\t\t\t\treturn GF_OK;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t/*prevRAP or nextRAP matches SampleNumber, sample is RAP*/\n\t\t\t\tif ((*prevRAP == SampleNumber) || (*nextRAP == SampleNumber)) {\n\t\t\t\t\t(*IsRAP) = RAP;\n\t\t\t\t\treturn GF_OK;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t/*first sample in entry is after our target sample, abort*/\n\t\t\tif (first_rap_in_entry > SampleNumber) {\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tfirst_sample_in_entry += sg->sample_entries[j].sample_count;\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 180168002328296813466638507414404872729, "size": 94, "commit_id": "2da2f68bffd51d89b1d272d22aa8cc023c1c066e", "message": "fixed #1705", "target": 0, "dataset": "other", "idx": 258561 }, { "func": "GF_Err stbl_AppendCTSOffset(GF_SampleTableBox *stbl, s32 offset)\n{\n\tGF_CompositionOffsetBox *ctts;\n\n\tif (!stbl->CompositionOffset) {\n\t\tstbl->CompositionOffset = (GF_CompositionOffsetBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_CTTS);\n\t\tif (!stbl->CompositionOffset) return GF_OUT_OF_MEM;\n\t}\n\tctts = stbl->CompositionOffset;\n\tctts->w_LastSampleNumber ++;\n\n\tif (!ctts->unpack_mode && ctts->nb_entries && (ctts->entries[ctts->nb_entries-1].decodingOffset == offset) ) {\n\t\tctts->entries[ctts->nb_entries-1].sampleCount++;\n\t\treturn GF_OK;\n\t}\n\tif (ctts->nb_entries==ctts->alloc_size) {\n\t\tALLOC_INC(ctts->alloc_size);\n\t\tctts->entries = gf_realloc(ctts->entries, sizeof(GF_DttsEntry)*ctts->alloc_size);\n\t\tif (!ctts->entries) return GF_OUT_OF_MEM;\n\t\tmemset(&ctts->entries[ctts->nb_entries], 0, sizeof(GF_DttsEntry)*(ctts->alloc_size-ctts->nb_entries) );\n\t}\n\tctts->entries[ctts->nb_entries].decodingOffset = offset;\n\tctts->entries[ctts->nb_entries].sampleCount = 1;\n\tctts->nb_entries++;\n\tif (offset<0) ctts->version=1;\n\n\tif (ABS(offset) > ctts->max_ts_delta) ctts->max_ts_delta = ABS(offset);\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 
148231355148328770899180460039028106692, "size": 30, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267907 }, { "func": "GF_Err avcc_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tu32 i, count;\n\tGF_Err e;\n\tGF_AVCConfigurationBox *ptr = (GF_AVCConfigurationBox *) s;\n\tif (!s) return GF_BAD_PARAM;\n\tif (!ptr->config) return GF_OK;\n\te = gf_isom_box_write_header(s, bs);\n\tif (e) return e;\n\n\tgf_bs_write_u8(bs, ptr->config->configurationVersion);\n\tgf_bs_write_u8(bs, ptr->config->AVCProfileIndication);\n\tgf_bs_write_u8(bs, ptr->config->profile_compatibility);\n\tgf_bs_write_u8(bs, ptr->config->AVCLevelIndication);\n\tif (ptr->type==GF_ISOM_BOX_TYPE_AVCC) {\n\t\tgf_bs_write_int(bs, 0x3F, 6);\n\t} else {\n\t\tgf_bs_write_int(bs, ptr->config->complete_representation, 1);\n\t\tgf_bs_write_int(bs, 0x1F, 5);\n\t}\n\tgf_bs_write_int(bs, ptr->config->nal_unit_size - 1, 2);\n\tgf_bs_write_int(bs, 0x7, 3);\n\tcount = gf_list_count(ptr->config->sequenceParameterSets);\n\tgf_bs_write_int(bs, count, 5);\n\tfor (i=0; iconfig->sequenceParameterSets, i);\n\t\tgf_bs_write_u16(bs, sl->size);\n\t\tgf_bs_write_data(bs, sl->data, sl->size);\n\t}\n\n\tcount = gf_list_count(ptr->config->pictureParameterSets);\n\tgf_bs_write_u8(bs, count);\n\tfor (i=0; iconfig->pictureParameterSets, i);\n\t\tgf_bs_write_u16(bs, sl->size);\n\t\tgf_bs_write_data(bs, sl->data, sl->size);\n\t}\n\n\n\tif (ptr->type==GF_ISOM_BOX_TYPE_AVCC) {\n\t\tif (gf_avc_is_rext_profile(ptr->config->AVCProfileIndication)) {\n\t\t\tgf_bs_write_int(bs, 0xFF, 6);\n\t\t\tgf_bs_write_int(bs, ptr->config->chroma_format, 2);\n\t\t\tgf_bs_write_int(bs, 0xFF, 5);\n\t\t\tgf_bs_write_int(bs, ptr->config->luma_bit_depth - 8, 3);\n\t\t\tgf_bs_write_int(bs, 0xFF, 5);\n\t\t\tgf_bs_write_int(bs, ptr->config->chroma_bit_depth - 8, 3);\n\n\t\t\tcount = ptr->config->sequenceParameterSetExtensions ? 
gf_list_count(ptr->config->sequenceParameterSetExtensions) : 0;\n\t\t\tgf_bs_write_u8(bs, count);\n\t\t\tfor (i=0; iconfig->sequenceParameterSetExtensions, i);\n\t\t\t\tgf_bs_write_u16(bs, sl->size);\n\t\t\t\tgf_bs_write_data(bs, sl->data, sl->size);\n\t\t\t}\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 172565555841992888995303723501173140836, "size": 59, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237652 }, { "func": "#ifndef GPAC_DISABLE_ISOM_HINTING\n\nvoid dump_isom_sdp(GF_ISOFile *file, char *inName, Bool is_final_name)\n{\n\tconst char *sdp;\n\tu32 size, i;\n\tFILE *dump;\n\n\tif (inName) {\n\t\tchar szBuf[1024];\n\t\tstrcpy(szBuf, inName);\n\t\tif (!is_final_name) {\n\t\t\tchar *ext = strchr(szBuf, '.');\n\t\t\tif (ext) ext[0] = 0;\n\t\t\tstrcat(szBuf, \"_sdp.txt\");\n\t\t}\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tfprintf(stderr, \"Failed to open %s for dumping\\n\", szBuf);\n\t\t\treturn;\n\t\t}\n\t} else {\n\t\tdump = stdout;\n\t\tfprintf(dump, \"* File SDP content *\\n\\n\");\n\t}\n\t//get the movie SDP\n\tgf_isom_sdp_get(file, &sdp, &size);\n\tfprintf(dump, \"%s\", sdp);\n\tfprintf(dump, \"\\r\\n\");\n\n\t//then tracks\n\tfor (i=0; imoov) return 0;\n\n\tmdat_size = 0;\n\tcount = gf_list_count(movie->moov->trackList);\n\tfor (i=0; i 0xFFFFFFFF) mdat_size += 8;\n\t}\n\n\ti=0;\n\twhile ((a = (GF_Box*)gf_list_enum(movie->TopBoxes, &i))) {\n\t\te = gf_isom_box_size(a);\n\t\tif (e == GF_OK)\n\t\t\tmdat_size += a->size;\n\t}\n\treturn mdat_size;\n}", "project": "gpac", "hash": 271224477780916445891310474751670836668, "size": 26, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267268 }, { "func": "GF_Err AddMovieIOD(GF_MovieBox *moov, u8 isIOD)\n{\n\tGF_Descriptor *od;\n\tGF_ObjectDescriptorBox *iods;\n\n\t//do we have an IOD ?? 
If not, create one.\n\tif (moov->iods) return GF_OK;\n\n\tif (isIOD) {\n\t\tod = gf_odf_desc_new(GF_ODF_ISOM_IOD_TAG);\n\t} else {\n\t\tod = gf_odf_desc_new(GF_ODF_ISOM_OD_TAG);\n\t}\n\tif (!od) return GF_OUT_OF_MEM;\n\t((GF_IsomObjectDescriptor *)od)->objectDescriptorID = 1;\n\n\tiods = (GF_ObjectDescriptorBox *) gf_isom_box_new_parent(&moov->child_boxes, GF_ISOM_BOX_TYPE_IODS);\n\tif (!iods) return GF_OUT_OF_MEM;\n\tiods->descriptor = od;\n\treturn moov_on_child_box((GF_Box*)moov, (GF_Box *)iods, GF_FALSE);\n}", "project": "gpac", "hash": 17152355201316836153782801948592192761, "size": 21, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267222 }, { "func": "GF_Err gf_isom_remove_chapter(GF_ISOFile *movie, u32 trackNumber, u32 index)\n{\n\tGF_Err e;\n\tGF_ChapterListBox *ptr;\n\tGF_ChapterEntry *ce;\n\tGF_UserDataBox *udta;\n\tGF_UserDataMap *map;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\te = gf_isom_insert_moov(movie);\n\tif (e) return e;\n\n\tif (trackNumber) {\n\t\tGF_TrackBox *trak = gf_isom_get_track_from_file(movie, trackNumber);\n\t\tif (!trak) return GF_BAD_PARAM;\n\t\tif (!trak->udta) return GF_OK;\n\t\tudta = trak->udta;\n\t} else {\n\t\tif (!movie->moov->udta) return GF_OK;\n\t\tudta = movie->moov->udta;\n\t}\n\n\tmap = udta_getEntry(udta, GF_ISOM_BOX_TYPE_CHPL, NULL);\n\tif (!map) return GF_OK;\n\tptr = (GF_ChapterListBox*)gf_list_get(map->boxes, 0);\n\tif (!ptr) return GF_OK;\n\n\tif (index) {\n\t\tce = (GF_ChapterEntry *)gf_list_get(ptr->list, index-1);\n\t\tif (!ce) return GF_BAD_PARAM;\n\t\tif (ce->name) gf_free(ce->name);\n\t\tgf_free(ce);\n\t\tgf_list_rem(ptr->list, index-1);\n\t} else {\n\t\twhile (gf_list_count(ptr->list)) {\n\t\t\tce = (GF_ChapterEntry *)gf_list_get(ptr->list, 0);\n\t\t\tif (ce->name) gf_free(ce->name);\n\t\t\tgf_free(ce);\n\t\t\tgf_list_rem(ptr->list, 0);\n\t\t}\n\t}\n\tif (!gf_list_count(ptr->list)) 
{\n\t\tgf_list_del_item(udta->recordList, map);\n\t\tgf_isom_box_array_del(map->boxes);\n\t\tgf_free(map);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 324855361736332719163187640886357547332, "size": 49, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267271 }, { "func": "GF_VPConfig *gf_isom_vp_config_get(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !DescriptionIndex) return NULL;\n\tentry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1);\n\tif (!entry || !entry->vp_config) return NULL;\n\treturn VP_DuplicateConfig(entry->vp_config->config);\n}", "project": "gpac", "hash": 299441002088465870823566075742607331941, "size": 10, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237542 }, { "func": "static GF_VPConfig* VP_DuplicateConfig(GF_VPConfig const * const cfg)\n{\n\tGF_VPConfig *out = gf_odf_vp_cfg_new();\n\tif (out) {\n\t\tout->profile = cfg->profile;\n\t\tout->level = cfg->level;\n\t\tout->bit_depth = cfg->bit_depth;\n\t\tout->chroma_subsampling = cfg->chroma_subsampling;\n\t\tout->video_fullRange_flag = cfg->video_fullRange_flag;\n\t\tout->colour_primaries = cfg->colour_primaries;\n\t\tout->transfer_characteristics = cfg->transfer_characteristics;\n\t\tout->matrix_coefficients = cfg->matrix_coefficients;\n\t}\n\n\treturn out;\n}", "project": "gpac", "hash": 311414985773297203030627423061372747314, "size": 16, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237656 }, { "func": "GF_Err gf_isom_set_ctts_v1(GF_ISOFile *file, u32 track, u32 ctts_shift)\n{\n\tu32 
i, shift;\n\tu64 duration;\n\tGF_CompositionOffsetBox *ctts;\n\tGF_CompositionToDecodeBox *cslg;\n\ts32 leastCTTS, greatestCTTS;\n\tGF_TrackBox *trak;\n\tGF_Err e = CanAccessMovie(file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n \ttrak = gf_isom_get_track_from_file(file, track);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tctts = trak->Media->information->sampleTable->CompositionOffset;\n\tshift = ctts->version ? ctts_shift : ctts->entries[0].decodingOffset;\n\tleastCTTS = GF_INT_MAX;\n\tgreatestCTTS = 0;\n\tfor (i=0; inb_entries; i++) {\n\t\tif (!ctts->version)\n\t\t\tctts->entries[i].decodingOffset -= shift;\n\n\t\tif ((s32)ctts->entries[i].decodingOffset < leastCTTS)\n\t\t\tleastCTTS = ctts->entries[i].decodingOffset;\n\t\tif ((s32)ctts->entries[i].decodingOffset > greatestCTTS)\n\t\t\tgreatestCTTS = ctts->entries[i].decodingOffset;\n\t}\n\tif (!ctts->version) {\n\t\tctts->version = 1;\n\t\t//if we had edit lists, shift all media times by the given amount\n\t\tif (trak->editBox && trak->editBox->editList) {\n\t\t\tfor (i=0; ieditBox->editList->entryList); i++) {\n\t\t\t\tGF_EdtsEntry *ent = (GF_EdtsEntry*)gf_list_get(trak->editBox->editList->entryList, i);\n\t\t\t\t//empty edit\n\t\t\t\tif (ent->mediaTime<0) continue;\n\t\t\t\tif (ent->mediaTime>=shift) ent->mediaTime -= shift;\n\t\t\t\telse ent->mediaTime = 0;\n\t\t\t\t//no offset and last entry, trash edit\n\t\t\t\tif (!ent->mediaTime && (gf_list_count(trak->editBox->editList->entryList)==1)) {\n\t\t\t\t\tgf_isom_box_del_parent(&trak->child_boxes, (GF_Box *)trak->editBox);\n\t\t\t\t\ttrak->editBox = NULL;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\tSetTrackDuration(trak);\n\t\t}\n\t}\n\n\tif (!trak->Media->information->sampleTable->CompositionToDecode) {\n\t\ttrak->Media->information->sampleTable->CompositionToDecode = (GF_CompositionToDecodeBox *) gf_isom_box_new_parent(&trak->Media->information->sampleTable->child_boxes, GF_ISOM_BOX_TYPE_CSLG);\n\t\tif 
(!trak->Media->information->sampleTable->CompositionToDecode)\n\t\t\treturn GF_OUT_OF_MEM;\n\t}\n\n\tcslg = trak->Media->information->sampleTable->CompositionToDecode;\n\tif (cslg) {\n\t\tcslg->compositionToDTSShift = shift;\n\t\tcslg->leastDecodeToDisplayDelta = leastCTTS;\n\t\tcslg->greatestDecodeToDisplayDelta = greatestCTTS;\n\t\tcslg->compositionStartTime = 0;\n\t\t/*for our use case (first CTS set to 0), the composition end time is the media duration if it fits on 32 bits*/\n\t\tduration = gf_isom_get_media_duration(file, track);\n\t\tcslg->compositionEndTime = (duration<0x7FFFFFFF) ? (s32) duration : 0;\n\t}\n\n\tgf_isom_modify_alternate_brand(file, GF_ISOM_BRAND_ISO4, GF_TRUE);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 160454401276407070553208440386884357186, "size": 68, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267200 }, { "func": "GF_Err gf_isom_piff_allocate_storage(GF_ISOFile *the_file, u32 trackNumber, u32 AlgorithmID, u8 IV_size, bin128 KID)\n{\n\tGF_TrackBox *trak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tif (trak->sample_encryption) return GF_OK;\n\ttrak->sample_encryption = (GF_SampleEncryptionBox *)gf_isom_create_piff_psec_box(1, 0, AlgorithmID, IV_size, KID);\n\t//senc will be written and destroyed with the other boxes\n\tif (!trak->child_boxes) trak->child_boxes = gf_list_new();\n\treturn gf_list_add(trak->child_boxes, trak->sample_encryption);\n}", "project": "gpac", "hash": 61003063164933334406073187927802020062, "size": 11, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275439 }, { "func": "GF_Err gf_isom_remove_sample(GF_ISOFile *movie, u32 trackNumber, u32 sampleNumber)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_EDIT);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, 
trackNumber);\n\tif (!trak || !sampleNumber || (sampleNumber > trak->Media->information->sampleTable->SampleSize->sampleCount) )\n\t\treturn GF_BAD_PARAM;\n\n\t//block for hint tracks\n\tif (trak->Media->handler->handlerType == GF_ISOM_MEDIA_HINT) return GF_BAD_PARAM;\n\n\te = unpack_track(trak);\n\tif (e) return e;\n\t//do NOT change the order DTS, CTS, size chunk\n\n\t//remove DTS\n\te = stbl_RemoveDTS(trak->Media->information->sampleTable, sampleNumber, 1, trak->Media->mediaHeader->timeScale);\n\tif (e) return e;\n\t//remove CTS if any\n\tif (trak->Media->information->sampleTable->CompositionOffset) {\n\t\te = stbl_RemoveCTS(trak->Media->information->sampleTable, sampleNumber, 1);\n\t\tif (e) return e;\n\t}\n\t//remove size\n\te = stbl_RemoveSize(trak->Media->information->sampleTable, sampleNumber, 1);\n\tif (e) return e;\n\t//remove sampleToChunk and chunk\n\te = stbl_RemoveChunk(trak->Media->information->sampleTable, sampleNumber, 1);\n\tif (e) return e;\n\t//remove sync\n\tif (trak->Media->information->sampleTable->SyncSample) {\n\t\te = stbl_RemoveRAP(trak->Media->information->sampleTable, sampleNumber);\n\t\tif (e) return e;\n\t}\n\t//remove sample dep\n\tif (trak->Media->information->sampleTable->SampleDep) {\n\t\te = stbl_RemoveRedundant(trak->Media->information->sampleTable, sampleNumber, 1);\n\t\tif (e) return e;\n\t}\n\t//remove shadow\n\te = stbl_RemoveShadow(trak->Media->information->sampleTable, sampleNumber);\n\tif (e) return e;\n\n\t//remove padding\n\te = stbl_RemovePaddingBits(trak->Media->information->sampleTable, sampleNumber);\n\tif (e) return e;\n\n\te = stbl_RemoveSubSample(trak->Media->information->sampleTable, sampleNumber);\n\tif (e) return e;\n\n\te = stbl_RemoveSampleGroup(trak->Media->information->sampleTable, sampleNumber);\n\tif (e) return e;\n\n\tgf_isom_disable_inplace_rewrite(movie);\n\n\treturn SetTrackDuration(trak);\n}", "project": "gpac", "hash": 80822430940959502565935039042578008539, "size": 61, "commit_id": 
"ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267254 }, { "func": "GF_Err stbl_RemoveCTS(GF_SampleTableBox *stbl, u32 sampleNumber, u32 nb_samples)\n{\n\tGF_CompositionOffsetBox *ctts = stbl->CompositionOffset;\n\tif (!ctts) return GF_OK;\n\n\tassert(ctts->unpack_mode);\n\tif ((nb_samples>1) && (sampleNumber>1)) return GF_BAD_PARAM;\n\n\t//last one...\n\tif (stbl->SampleSize->sampleCount == 1) {\n\t\tgf_isom_box_del_parent(&stbl->child_boxes, (GF_Box *) ctts);\n\t\tstbl->CompositionOffset = NULL;\n\t\treturn GF_OK;\n\t}\n\n\t//the number of entries is NOT ALWAYS the number of samples !\n\t//instead, use the cache\n\t//first case, we're removing a sample that was not added yet\n\tif (sampleNumber > ctts->w_LastSampleNumber) return GF_OK;\n\n\tif (nb_samples==1) {\n\t\tassert(ctts->nb_entries);\n\t\tmemmove(&ctts->entries[sampleNumber-1], &ctts->entries[sampleNumber], sizeof(GF_DttsEntry)* (ctts->nb_entries-sampleNumber) );\n\t\tctts->nb_entries--;\n\t} else {\n\t\tmemmove(&ctts->entries[0], &ctts->entries[nb_samples], sizeof(GF_DttsEntry)* (ctts->nb_entries-nb_samples) );\n\t\tctts->nb_entries -= nb_samples;\n\t}\n\tctts->w_LastSampleNumber -= nb_samples;\n\tassert(ctts->w_LastSampleNumber >= ctts->nb_entries);\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 241930021565510432055809179189322545009, "size": 33, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267893 }, { "func": "GF_Box *gf_isom_box_new(u32 boxType)\n{\n\treturn gf_isom_box_new_ex(boxType, 0, 0, GF_FALSE);\n}", "project": "gpac", "hash": 337060867671705741432925646045000778945, "size": 4, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224900 }, { "func": "GF_Err AddCompositionOffset(GF_CompositionOffsetBox *ctts, s32 offset)\n{\n\tif (!ctts) return 
GF_BAD_PARAM;\n\n\tif (ctts->nb_entries && (ctts->entries[ctts->nb_entries-1].decodingOffset==offset)) {\n\t\tctts->entries[ctts->nb_entries-1].sampleCount++;\n\t} else {\n\t\tif (ctts->alloc_size==ctts->nb_entries) {\n\t\t\tALLOC_INC(ctts->alloc_size);\n\t\t\tctts->entries = gf_realloc(ctts->entries, sizeof(GF_DttsEntry)*ctts->alloc_size);\n\t\t\tif (!ctts->entries) return GF_OUT_OF_MEM;\n\t\t\tmemset(&ctts->entries[ctts->nb_entries], 0, sizeof(GF_DttsEntry)*(ctts->alloc_size-ctts->nb_entries) );\n\t\t}\n\t\tif (!ctts->entries) return GF_OUT_OF_MEM;\n\n\t\tctts->entries[ctts->nb_entries].decodingOffset = offset;\n\t\tctts->entries[ctts->nb_entries].sampleCount = 1;\n\t\tctts->nb_entries++;\n\t}\n\tif (offset<0) ctts->version=1;\n\tctts->w_LastSampleNumber++;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 70095993946082148812159192245676732458, "size": 23, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267895 }, { "func": "static GF_Err do_compress_top_boxes(char *inName, char *outName, char *compress_top_boxes, u32 comp_top_box_version, Bool use_lzma)\n{\n\tFILE *in, *out;\n\tu8 *buf;\n\tu32 buf_alloc, comp_size, start_offset;\n\ts32 bytes_comp=0;\n\ts32 bytes_uncomp=0;\n\tGF_Err e = GF_OK;\n\tu64 source_size, dst_size;\n\tu32 orig_box_overhead;\n\tu32 final_box_overhead;\n\tu32 gzip_code = use_lzma ? 
GF_4CC('l','z','m','a') : GF_4CC('g','z','i','p') ;\n\tu32 nb_added_box_bytes=0;\n\tBool has_mov = GF_FALSE;\n\tu32 range_idx, nb_ranges=0;\n\tBool replace_all = !strcmp(compress_top_boxes, \"*\");\n\tBool requires_byte_ranges=GF_FALSE;\n\tGF_BitStream *bs_in, *bs_out;\n\tu32 idx_size=0, nb_moof;\n\tstruct _ranges {\n\t\tu32 size, csize;\n\t} *ranges=NULL;\n\n\tif (!outName) {\n\t\tfprintf(stderr, \"Missing output file name\\n\");\n\t\treturn GF_BAD_PARAM;\n\t}\n\n\tin = gf_fopen(inName, \"rb\");\n\tif (!in) return GF_URL_ERROR;\n\tout = gf_fopen(outName, \"wb\");\n\tif (!out) return GF_IO_ERR;\n\n\tbuf_alloc = 4096;\n\tbuf = gf_malloc(buf_alloc);\n\n\tbs_in = gf_bs_from_file(in, GF_BITSTREAM_READ);\n\tsource_size = gf_bs_get_size(bs_in);\n\n\tbs_out = gf_bs_from_file(out, GF_BITSTREAM_WRITE);\n\n\tstart_offset = 0;\n\tnb_moof = 0;\n\tif (comp_top_box_version==2) {\n\t\tu32 i;\n\t\twhile (gf_bs_available(bs_in)) {\n\t\t\tu32 size = gf_bs_read_u32(bs_in);\n\t\t\tu32 type = gf_bs_read_u32(bs_in);\n\t\t\tconst char *b4cc = gf_4cc_to_str(type);\n\t\t\tconst char *replace = strstr(compress_top_boxes, b4cc);\n\n\t\t\tif (start_offset) {\n\t\t\t\tBool compress = (replace || replace_all) ? 
1 : 0;\n\t\t\t\tranges = gf_realloc(ranges, sizeof(struct _ranges)*(nb_ranges+1));\n\t\t\t\tranges[nb_ranges].csize = compress;\n\t\t\t\tranges[nb_ranges].size = size-8;\n\t\t\t\tnb_ranges++;\n\t\t\t}\n\t\t\tif (!strcmp(b4cc, \"ftyp\") || !strcmp(b4cc, \"styp\")) {\n\t\t\t\tif (!start_offset) start_offset = (u32) gf_bs_get_position(bs_in) + size-8;\n\t\t\t}\n\t\t\tif (!strcmp(b4cc, \"sidx\") || !strcmp(b4cc, \"ssix\")) {\n\t\t\t\trequires_byte_ranges = GF_TRUE;\n\t\t\t}\n\t\t\tif (!strcmp(b4cc, \"moof\"))\n\t\t\t\tnb_moof++;\n\n\t\t\tgf_bs_skip_bytes(bs_in, size-8);\n\t\t}\n\n\t\tgf_bs_seek(bs_in, 0);\n\t\tif (buf_allocbuf_alloc) nbytes=buf_alloc;\n\t\t\t\tgf_bs_read_data(bs_in, buf, nbytes);\n\t\t\t\tgf_bs_write_data(bs_out, buf, nbytes);\n\t\t\t\tsize-=nbytes;\n\t\t\t}\n\t\t\tcontinue;\n\t\t}\n\t\torig_box_overhead += size;\n\n\t\tif (comp_top_box_version != 1)\n\t\t\tsize-=8;\n\n\t\tif (size>buf_alloc) {\n\t\t\tbuf_alloc = size;\n\t\t\tbuf = gf_realloc(buf, buf_alloc);\n\t\t}\n\t\tgf_bs_read_data(bs_in, buf, size);\n\n\t\tif (comp_top_box_version != 1)\n\t\t\treplace+=5;\n\n\t\tcomp_size = buf_alloc;\n\n\t\tif (use_lzma) {\n\t\t\te = gf_lz_compress_payload(&buf, size, &comp_size);\n\t\t} else {\n\t\t\te = gf_gz_compress_payload(&buf, size, &comp_size);\n\t\t}\n\t\tif (e) break;\n\n\t\tif (comp_size>buf_alloc) {\n\t\t\tbuf_alloc = comp_size;\n\t\t}\n\t\tbytes_uncomp += size;\n\t\tbytes_comp += comp_size;\n\t\tif (comp_top_box_version==1)\n\t\t\tnb_added_box_bytes +=8;\n\n\t\t//write size\n\t\tgf_bs_write_u32(bs_out, comp_size+8);\n\t\t//write type\n\t\tif (comp_top_box_version==1)\n\t\t\tgf_bs_write_u32(bs_out, gzip_code);\n\t\telse\n\t\t\tgf_bs_write_data(bs_out, replace, 4);\n\t\t//write data\n\t\tgf_bs_write_data(bs_out, buf, comp_size);\n\n\t\tfinal_box_overhead += 8+comp_size;\n\n\t\tif (ranges) {\n\t\t\tassert(ranges[range_idx].size == size);\n\t\t\tranges[range_idx].csize = comp_size;\n\t\t\trange_idx++;\n\t\t}\n\t}\n\tdst_size = 
gf_bs_get_position(bs_out);\n\n\tif (comp_top_box_version==2) {\n\t\tu32 i;\n\t\tgf_bs_seek(bs_out, start_offset);\n\t\tgf_bs_write_u32(bs_out, idx_size);\n\t\tgf_bs_write_u32(bs_out, GF_4CC('c','m','a','p'));\n\t\tgf_bs_write_u32(bs_out, gzip_code);\n\t\tgf_bs_write_u32(bs_out, nb_ranges);\n\t\tfor (i=0; i0xFFFF ? 1 : 0;\n\t\t\tgf_bs_write_int(bs_out, ranges[i].csize ? 1 : 0, 1);\n\t\t\tgf_bs_write_int(bs_out, large_size ? 1 : 0, 1);\n\t\t\tgf_bs_write_int(bs_out, 0, 6);\n\t\t\tlarge_size = large_size ? 32 : 16;\n\n\t\t\tgf_bs_write_int(bs_out, ranges[i].size, large_size);\n\t\t\tif (ranges[i].csize)\n\t\t\t\tgf_bs_write_int(bs_out, ranges[i].csize, large_size);\n\t\t}\n\t\tfinal_box_overhead += idx_size;\n\t\tnb_added_box_bytes += idx_size;\n\n\t}\n\tgf_bs_del(bs_in);\n\tgf_bs_del(bs_out);\n\tgf_fclose(in);\n\tgf_fclose(out);\n\tif (e) {\n\t\tfprintf(stderr, \"Error compressing: %s\\n\", gf_error_to_string(e));\n\t\treturn e;\n\t}\n\n\tif (has_mov) {\n\t\tu32 i, nb_tracks, nb_samples;\n\t\tGF_ISOFile *mov;\n\t\tDouble rate, new_rate, duration;\n\n\t\tmov = gf_isom_open(inName, GF_ISOM_OPEN_READ, NULL);\n\t\tduration = (Double) gf_isom_get_duration(mov);\n\t\tduration /= gf_isom_get_timescale(mov);\n\n\t\tnb_samples = 0;\n\t\tnb_tracks = gf_isom_get_track_count(mov);\n\t\tfor (i=0; iFragmentsFlags & GF_ISOM_FRAG_WRITE_READY)) {\n\t\tGF_Err e = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\t\tif (e) return e;\n\n\t\te = CheckNoData(movie);\n\t\tif (e) return e;\n\t}\n#endif\n\n\tif (!movie->brand) {\n\t\tmovie->brand = (GF_FileTypeBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_FTYP);\n\t\tif (!movie->brand) return GF_OUT_OF_MEM;\n\t\tgf_list_add(movie->TopBoxes, movie->brand);\n\t}\n\tgf_free(movie->brand->altBrand);\n\tif (leave_empty) {\n\t\tmovie->brand->altCount = 0;\n\t\tmovie->brand->altBrand = NULL;\n\t} else {\n\t\tp = (u32*)gf_malloc(sizeof(u32));\n\t\tif (!p) return GF_OUT_OF_MEM;\n\t\tp[0] = movie->brand->majorBrand;\n\t\tmovie->brand->altCount = 
1;\n\t\tmovie->brand->altBrand = p;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 290719914915941338223036194692634739490, "size": 32, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267231 }, { "func": "GF_EXPORT\nGF_Err gf_isom_get_track_layout_info(GF_ISOFile *movie, u32 trackNumber, u32 *width, u32 *height, s32 *translation_x, s32 *translation_y, s16 *layer)\n{\n\tGF_TrackBox *tk = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!tk) return GF_BAD_PARAM;\n\tif (width) *width = tk->Header->width>>16;\n\tif (height) *height = tk->Header->height>>16;\n\tif (layer) *layer = tk->Header->layer;\n\tif (translation_x) *translation_x = tk->Header->matrix[6] >> 16;\n\tif (translation_y) *translation_y = tk->Header->matrix[7] >> 16;\n\treturn GF_OK;", "project": "gpac", "hash": 255581983764523482211652943410427540043, "size": 11, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246793 }, { "func": "static GF_Err hash_file(char *name, u32 dump_std)\n{\n\tu32 i;\n\tu8 hash[20];\n\tGF_Err e = gf_media_get_file_hash(name, hash);\n\tif (e) return e;\n\tif (dump_std==2) {\n\t\tgf_fwrite(hash, 20, stdout);\n\t} else if (dump_std==1) {\n\t\tfor (i=0; i<20; i++) fprintf(stdout, \"%02X\", hash[i]);\n\t}\n\tfprintf(stderr, \"File hash (SHA-1): \");\n\tfor (i=0; i<20; i++) fprintf(stderr, \"%02X\", hash[i]);\n\tfprintf(stderr, \"\\n\");\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 175894215974446760185290817997411714459, "size": 17, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244402 }, { "func": "void AV1_RewriteESDescriptorEx(GF_MPEGVisualSampleEntryBox *av1, GF_MediaBox *mdia)\n{\n\tGF_BitRateBox *btrt = gf_isom_sample_entry_get_bitrate((GF_SampleEntryBox *)av1, GF_FALSE);\n\n\tif (av1->emul_esd) gf_odf_desc_del((GF_Descriptor 
*)av1->emul_esd);\n\tav1->emul_esd = gf_odf_desc_esd_new(2);\n\tav1->emul_esd->decoderConfig->streamType = GF_STREAM_VISUAL;\n\tav1->emul_esd->decoderConfig->objectTypeIndication = GF_CODECID_AV1;\n\n\tif (btrt) {\n\t\tav1->emul_esd->decoderConfig->bufferSizeDB = btrt->bufferSizeDB;\n\t\tav1->emul_esd->decoderConfig->avgBitrate = btrt->avgBitrate;\n\t\tav1->emul_esd->decoderConfig->maxBitrate = btrt->maxBitrate;\n\t}\n\tif (av1->av1_config && av1->av1_config->config) {\n\t\tGF_AV1Config *av1_cfg = AV1_DuplicateConfig(av1->av1_config->config);\n\t\tif (av1_cfg) {\n\t\t\tgf_odf_av1_cfg_write(av1_cfg, &av1->emul_esd->decoderConfig->decoderSpecificInfo->data, &av1->emul_esd->decoderConfig->decoderSpecificInfo->dataLength);\n\t\t\tgf_odf_av1_cfg_del(av1_cfg);\n\t\t}\n\t}\n}", "project": "gpac", "hash": 183651951768832497475557207988524578476, "size": 22, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237572 }, { "func": "static GF_Err trak_add_sample(GF_ISOFile *movie, GF_TrackBox *trak, const GF_ISOSample *sample, u32 descIndex, u64 data_offset, u32 syncShadowSampleNum)\n{\n\tBool skip_data = GF_FALSE;\n\tGF_Err e;\n\n\t//faststart mode with interleaving time, cache data until we have a full chunk\n\tif ((movie->storageMode==GF_ISOM_STORE_FASTSTART) && movie->interleavingTime) {\n\t\tBool flush_chunk = GF_FALSE;\n\t\tu64 stime = sample->DTS;\n\t\tstime *= movie->moov->mvhd->timeScale;\n\t\tstime /= trak->Media->mediaHeader->timeScale;\n\n\t\tif (stime - trak->first_dts_chunk > movie->interleavingTime)\n\t\t\tflush_chunk = GF_TRUE;\n\n\t\tif (movie->next_flush_chunk_time < stime)\n\t\t\tflush_chunk = GF_TRUE;\n\n\t\tif (trak->chunk_stsd_idx != descIndex)\n\t\t\tflush_chunk = GF_TRUE;\n\n\t\tif (trak->Media->information->sampleTable->MaxChunkSize && trak->Media->information->sampleTable->MaxChunkSize < trak->chunk_cache_size + sample->dataLength)\n\t\t\tflush_chunk = GF_TRUE;\n\n\t\tif 
(flush_chunk) {\n\t\t\tmovie->next_flush_chunk_time = stime + movie->interleavingTime;\n\t\t\tif (trak->chunk_cache) {\n\t\t\t\te = gf_isom_flush_chunk(trak, GF_FALSE);\n\t\t\t\tif (e) return e;\n\t\t\t}\n\t\t\ttrak->nb_samples_in_cache = 0;\n\t\t\ttrak->chunk_cache_size = 0;\n\t\t\ttrak->first_dts_chunk = stime;\n\t\t}\n\t\tif (!trak->chunk_cache)\n\t\t\ttrak->chunk_cache = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\t\tgf_bs_write_data(trak->chunk_cache, sample->data, sample->dataLength);\n\t\ttrak->nb_samples_in_cache += sample->nb_pack ? sample->nb_pack : 1;\n\t\ttrak->chunk_cache_size += sample->dataLength;\n\t\ttrak->chunk_stsd_idx = descIndex;\n\n\t\tskip_data = GF_TRUE;\n\t}\n\n\te = Media_AddSample(trak->Media, data_offset, sample, descIndex, syncShadowSampleNum);\n\tif (e) return e;\n\n\tif (!skip_data && sample->dataLength) {\n\t\te = gf_isom_datamap_add_data(trak->Media->information->dataHandler, sample->data, sample->dataLength);\n\t\tif (e) return e;\n\t}\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 133277725734267738531550322570607192589, "size": 54, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267211 }, { "func": "GF_Err gf_isom_add_sample_info(GF_ISOFile *movie, u32 track, u32 sample_number, u32 grouping_type, u32 sampleGroupDescriptionIndex, u32 grouping_type_parameter)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\tGF_List *groupList;\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, track);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tif (!trak->Media->information->sampleTable->sampleGroups)\n\t\ttrak->Media->information->sampleTable->sampleGroups = gf_list_new();\n\n\tgroupList = trak->Media->information->sampleTable->sampleGroups;\n\treturn gf_isom_add_sample_group_entry(groupList, sample_number, grouping_type, grouping_type_parameter, sampleGroupDescriptionIndex, 
trak->Media->information->sampleTable->child_boxes, trak->Media->information->sampleTable);\n}", "project": "gpac", "hash": 290246054397074878957895036285128772578, "size": 17, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267190 }, { "func": "GF_Err stbl_findEntryForTime(GF_SampleTableBox *stbl, u64 DTS, u8 useCTS, u32 *sampleNumber, u32 *prevSampleNumber)\n{\n\tu32 i, j, curSampNum, count;\n\ts32 CTSOffset;\n\tu64 curDTS;\n\tGF_SttsEntry *ent;\n\t(*sampleNumber) = 0;\n\t(*prevSampleNumber) = 0;\n\n\tif (!stbl->TimeToSample) return GF_ISOM_INVALID_FILE;\n\n\t/*CTS is ALWAYS disabled for now to make sure samples are fetched in decoding order. useCTS is therefore disabled*/\n#if 0\n\tif (!stbl->CompositionOffset) useCTS = 0;\n#endif\n\n\t//our cache\n\tif (stbl->TimeToSample->r_FirstSampleInEntry &&\n\t (DTS >= stbl->TimeToSample->r_CurrentDTS) ) {\n\t\t//if we're using CTS, we don't really know whether we're in the good entry or not\n\t\t//(eg, the real DTS of the sample could be in a previous entry\n\t\ti = stbl->TimeToSample->r_currentEntryIndex;\n\t\tcurDTS = stbl->TimeToSample->r_CurrentDTS;\n\t\tcurSampNum = stbl->TimeToSample->r_FirstSampleInEntry;\n\t} else {\n\t\ti = 0;\n\t\tcurDTS = stbl->TimeToSample->r_CurrentDTS = 0;\n\t\tcurSampNum = stbl->TimeToSample->r_FirstSampleInEntry = 1;\n\t\tstbl->TimeToSample->r_currentEntryIndex = 0;\n\t}\n\n#if 0\n\t//we need to validate our cache if we are using CTS because of B-frames and co...\n\tif (i && useCTS) {\n\t\twhile (1) {\n\t\t\tstbl_GetSampleCTS(stbl->CompositionOffset, curSampNum, &CTSOffset);\n\t\t\t//we're too far, rewind\n\t\t\tif ( i && (curDTS + CTSOffset > DTS) ) {\n\t\t\t\tent = &stbl->TimeToSample->entries[i];\n\t\t\t\tcurSampNum -= ent->sampleCount;\n\t\t\t\tcurDTS -= (u64)ent->sampleDelta * ent->sampleCount;\n\t\t\t\ti --;\n\t\t\t} else if (!i) {\n\t\t\t\t//beginning of the table, no choice\n\t\t\t\tcurDTS = 
stbl->TimeToSample->r_CurrentDTS = 0;\n\t\t\t\tcurSampNum = stbl->TimeToSample->r_FirstSampleInEntry = 1;\n\t\t\t\tstbl->TimeToSample->r_currentEntryIndex = 0;\n\t\t\t\tbreak;\n\t\t\t} else {\n\t\t\t\t//OK now we're good\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n#endif\n\n\t//look for the DTS from this entry\n\tcount = stbl->TimeToSample->nb_entries;\n\tfor (; iTimeToSample->entries[i];\n#if 0\n\t\tif (useCTS) {\n\t\t\tstbl_GetSampleCTS(stbl->CompositionOffset, curSampNum, &CTSOffset);\n\t\t} else\n#endif\n\t\t{\n\t\t\tCTSOffset = 0;\n\t\t}\n\t\tfor (j=0; jsampleCount; j++) {\n\t\t\tif (curDTS + CTSOffset >= DTS) goto entry_found;\n\t\t\tcurSampNum += 1;\n\t\t\tcurDTS += ent->sampleDelta;\n\t\t}\n\t\t//we're switching to the next entry, update the cache!\n\t\tstbl->TimeToSample->r_CurrentDTS += (u64)ent->sampleCount * ent->sampleDelta;\n\t\tstbl->TimeToSample->r_currentEntryIndex += 1;\n\t\tstbl->TimeToSample->r_FirstSampleInEntry += ent->sampleCount;\n\t}\n\t//return as is\n\treturn GF_OK;\n\nentry_found:\n\t//do we have the exact time ?\n\tif (curDTS + CTSOffset == DTS) {\n\t\t(*sampleNumber) = curSampNum;\n\t}\n\t//if we match the exact DTS also select this sample\n\telse if (curDTS == DTS) {\n\t\t(*sampleNumber) = curSampNum;\n\t} else {\n\t\t//exception for the first sample (we need to \"load\" the playback)\n\t\tif (curSampNum != 1) {\n\t\t\t(*prevSampleNumber) = curSampNum - 1;\n\t\t} else {\n\t\t\t(*prevSampleNumber) = 1;\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 127500404377641133747582516086197046888, "size": 99, "commit_id": "2da2f68bffd51d89b1d272d22aa8cc023c1c066e", "message": "fixed #1705", "target": 0, "dataset": "other", "idx": 258555 }, { "func": "Bool gf_cenc_validate_key_info(const u8 *key_info, u32 key_info_size)\n{\n\tu32 i, n_keys, kpos, nb_missing = 19;\n\tif (!key_info|| (key_info_size<19))\n\t\tgoto exit;\n\n\tn_keys = 1;\n\tif (key_info[0]) {\n\t\tn_keys = key_info[1];\n\t\tn_keys <<= 8;\n\t\tn_keys |= 
key_info[2];\n\t}\n\tkpos=3;\n\tfor (i=0;i key_info_size) {\n\t\t\tnb_missing = kpos + 17 - key_info_size;\n\t\t\tgoto exit;\n\t\t}\n\t\tiv_size = key_info[kpos];\n\t\tkpos += 17;\n\t\tif (!iv_size) {\n\t\t\tif (kpos + 1 > key_info_size) {\n\t\t\t\tnb_missing = kpos + 1 - key_info_size;\n\t\t\t\tgoto exit;\n\t\t\t}\n\t\t\tiv_size = key_info[kpos];\n\t\t\tif (kpos + 1 + iv_size > key_info_size) {\n\t\t\t\tnb_missing = kpos + 1 + iv_size - key_info_size;\n\t\t\t\tgoto exit;\n\t\t\t}\n\t\t\tkpos += 1 + iv_size;\n\t\t}\n\t}\n\treturn GF_TRUE;\n\nexit:\n\tGF_LOG(GF_LOG_ERROR, GF_LOG_CORE, (\"Invalid key info format, missing %d bytes\\n\", nb_missing));\n\treturn GF_FALSE;\n}", "project": "gpac", "hash": 271839166153486200283889710881823348039, "size": 40, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275406 }, { "func": "GF_Err stbl_AddShadow(GF_ShadowSyncBox *stsh, u32 sampleNumber, u32 shadowNumber)\n{\n\tGF_StshEntry *ent;\n\tu32 i, count;\n\tcount = gf_list_count(stsh->entries);\n\tfor (i=0; ientries, i);\n\t\tif (ent->shadowedSampleNumber == shadowNumber) {\n\t\t\tent->syncSampleNumber = sampleNumber;\n\t\t\treturn GF_OK;\n\t\t} else if (ent->shadowedSampleNumber > shadowNumber) break;\n\t}\n\tent = (GF_StshEntry*)gf_malloc(sizeof(GF_StshEntry));\n\tif (!ent) return GF_OUT_OF_MEM;\n\tent->shadowedSampleNumber = shadowNumber;\n\tent->syncSampleNumber = sampleNumber;\n\tif (i == gf_list_count(stsh->entries)) {\n\t\treturn gf_list_add(stsh->entries, ent);\n\t} else {\n\t\treturn gf_list_insert(stsh->entries, ent, i ? 
i-1 : 0);\n\t}\n}", "project": "gpac", "hash": 166201440947652413789775871822648307561, "size": 22, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267887 }, { "func": "GF_Err gf_isom_append_sample_data(GF_ISOFile *movie, u32 trackNumber, u8 *data, u32 data_size)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\tGF_SampleEntryBox *entry;\n\tu32 dataRefIndex;\n\tu32 descIndex;\n\tGF_DataEntryURLBox *Dentry;\n\n\tif (!data_size) return GF_OK;\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tif (trak->Media->handler->handlerType == GF_ISOM_MEDIA_OD) return GF_BAD_PARAM;\n\n\t//OK, add the sample\n\tdescIndex = trak->Media->information->sampleTable->currentEntryIndex;\n\n\te = Media_GetSampleDesc(trak->Media, descIndex, &entry, &dataRefIndex);\n\tif (e) return e;\n\tif (!entry || !dataRefIndex) return GF_BAD_PARAM;\n\n\t//get this dataRef and return false if not self contained\n\tDentry = (GF_DataEntryURLBox*)gf_list_get(trak->Media->information->dataInformation->dref->child_boxes, dataRefIndex - 1);\n\tif (!Dentry || Dentry->flags != 1) return GF_BAD_PARAM;\n\n\t//Open our data map. 
We are adding stuff, so use EDIT\n\te = gf_isom_datamap_open(trak->Media, dataRefIndex, 1);\n\tif (e) return e;\n\n\t//add the media data\n\tif (trak->chunk_cache) {\n\t\tgf_bs_write_data(trak->chunk_cache, data, data_size);\n\t\ttrak->chunk_cache_size += data_size;\n\t} else {\n\t\te = gf_isom_datamap_add_data(trak->Media->information->dataHandler, data, data_size);\n\t\tif (e) return e;\n\t}\n\t//update data size\n\treturn stbl_SampleSizeAppend(trak->Media->information->sampleTable->SampleSize, data_size);\n}", "project": "gpac", "hash": 73464291193035819647913848951062703996, "size": 44, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267276 }, { "func": "GF_Err gf_isom_new_mpeg4_description(GF_ISOFile *movie,\n u32 trackNumber,\n const GF_ESD *esd,\n const char *URLname,\n const char *URNname,\n u32 *outDescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_Err e;\n\tu32 dataRefIndex;\n\tGF_ESD *new_esd;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak || !trak->Media ||\n\t !esd || !esd->decoderConfig ||\n\t !esd->slConfig) return GF_BAD_PARAM;\n\n\t//get or create the data ref\n\te = Media_FindDataRef(trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\tif (e) return e;\n\tif (!dataRefIndex) {\n\t\te = Media_CreateDataRef(movie, trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\t\tif (e) return e;\n\t}\n\t//duplicate our desc\n\te = gf_odf_desc_copy((GF_Descriptor *)esd, (GF_Descriptor **)&new_esd);\n\tif (e) return e;\n\tif (!movie->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\te = Track_SetStreamDescriptor(trak, 0, dataRefIndex, new_esd, outDescriptionIndex);\n\tif (e) {\n\t\tgf_odf_desc_del((GF_Descriptor *)new_esd);\n\t\treturn e;\n\t}\n\treturn e;\n}", 
"project": "gpac", "hash": 186687630226050993223757942789787698421, "size": 39, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267275 }, { "func": "}\n\nvoid DumpMovieInfo(GF_ISOFile *file)\n{\n\tGF_InitialObjectDescriptor *iod;\n\tBool dump_m4sys = GF_FALSE;\n\tu32 i, brand, min, timescale, count, data_len;\n\tconst u8 *data;\n\tu64 create, modif;\n\tBool has_itags = GF_FALSE;\n\tchar szDur[50];\n\n\tDumpMetaItem(file, 1, 0, \"# File Meta\");\n\tif (!gf_isom_has_movie(file)) {\n\t\tif (gf_isom_has_segment(file, &brand, &min)) {\n\t\t\tcount = gf_isom_segment_get_fragment_count(file);\n\t\t\tfprintf(stderr, \"File is a segment - %d movie fragments - Brand %s (version %d):\\n\", count, gf_4cc_to_str(brand), min);\n\t\t\tfor (i=0; i1 ? \"s\" : \"\", timescale);\n\n\tmodif = gf_isom_get_duration(file);\n\tcreate = gf_isom_get_original_duration(file);\n\tfprintf(stderr, \"Duration %s\", format_duration(create, timescale, szDur));\n\tif (create!=modif) {\n\t\tfprintf(stderr, \" (recomputed %s)\", format_duration(modif, timescale, szDur));\n\t}\n\tfprintf(stderr, \"\\n\");\n\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\tif (gf_isom_is_fragmented(file)) {\n\t\tfprintf(stderr, \"Fragmented: yes - duration %s\\n%d fragments - %d SegmentIndexes\\n\", format_duration(gf_isom_get_fragmented_duration(file), timescale, szDur), gf_isom_get_fragments_count(file, 0) , gf_isom_get_fragments_count(file, 1) );\n\t} else {\n\t\tfprintf(stderr, \"Fragmented: no\\n\");\n\t}\n#endif\n\n\tif (gf_isom_moov_first(file))\n\t\tfprintf(stderr, \"Progressive (moov before mdat)\\n\");\n\n\tif (gf_isom_get_brand_info(file, &brand, &min, &count) == GF_OK) {\n\t\tfprintf(stderr, \"Major Brand %s - version %d - compatible brands:\", gf_4cc_to_str(brand), min);\n\t\tfor (i=0; itag == GF_ODF_IOD_TAG) {\n\t\t\tfprintf(stderr, \"File has root IOD (%d bytes)\\n\", desc_size);\n\t\t\tfprintf(stderr, \"Scene PL 0x%02x - Graphics PL 
0x%02x - OD PL 0x%02x\\n\", iod->scene_profileAndLevel, iod->graphics_profileAndLevel, iod->OD_profileAndLevel);\n\t\t\tfprintf(stderr, \"Visual PL: %s (0x%02x)\\n\", gf_m4v_get_profile_name(iod->visual_profileAndLevel), iod->visual_profileAndLevel);\n\t\t\tfprintf(stderr, \"Audio PL: %s (0x%02x)\\n\", gf_m4a_get_profile_name(iod->audio_profileAndLevel), iod->audio_profileAndLevel);\n\t\t\t//fprintf(stderr, \"inline profiles included %s\\n\", iod->inlineProfileFlag ? \"yes\" : \"no\");\n\t\t} else {\n\t\t\tfprintf(stderr, \"File has root OD (%d bytes)\\n\", desc_size);\n\t\t}\n\t\tif (!gf_list_count(iod->ESDescriptors))\n\t\t\tfprintf(stderr, \"No streams included in root OD\\n\");\n\t\telse\n\t\t\tdump_m4sys = GF_TRUE;\n\n\t\tgf_odf_desc_del((GF_Descriptor *) iod);\n\t}\n\tif (gf_isom_is_JPEG2000(file)) fprintf(stderr, \"File is JPEG 2000\\n\");\n\n\tcount = gf_isom_get_copyright_count(file);\n\tif (count) {\n\t\tconst char *lang, *note;\n\t\tfprintf(stderr, \"\\nCopyrights:\\n\");\n\t\tfor (i=0; i1 ? 
\"s\" : \"\");\n\n\tfprintf(stderr, \"\\tComputed Duration %s\", format_duration(gf_isom_get_duration(file), timescale, szDur));\n\tfprintf(stderr, \" - Indicated Duration %s\\n\", format_duration(gf_isom_get_original_duration(file), timescale, szDur));\n\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\tif (gf_isom_is_fragmented(file)) {\n\t\tfprintf(stderr, \"\\tFragmented File: yes - duration %s\\n%d fragments - %d SegmentIndexes\\n\", format_duration(gf_isom_get_fragmented_duration(file), timescale, szDur), gf_isom_get_fragments_count(file, 0) , gf_isom_get_fragments_count(file, 1) );\n\t} else {\n\t\tfprintf(stderr, \"\\tFragmented File: no\\n\");\n\t}\n#endif\n\n\tif (gf_isom_moov_first(file))\n\t\tfprintf(stderr, \"\\tFile suitable for progressive download (moov before mdat)\\n\");\n\n\tif (gf_isom_get_brand_info(file, &brand, &min, &count) == GF_OK) {\n\t\tfprintf(stderr, \"\\tFile Brand %s - version %d\\n\\t\\tCompatible brands:\", gf_4cc_to_str(brand), min);\n\t\tfor (i=0; itag == GF_ODF_IOD_TAG) {\n\t\t\tfprintf(stderr, \"File has root IOD (%d bytes)\\n\", desc_size);\n\t\t\tfprintf(stderr, \"Scene PL 0x%02x - Graphics PL 0x%02x - OD PL 0x%02x\\n\", iod->scene_profileAndLevel, iod->graphics_profileAndLevel, iod->OD_profileAndLevel);\n\t\t\tfprintf(stderr, \"Visual PL: %s (0x%02x)\\n\", gf_m4v_get_profile_name(iod->visual_profileAndLevel), iod->visual_profileAndLevel);\n\t\t\tfprintf(stderr, \"Audio PL: %s (0x%02x)\\n\", gf_m4a_get_profile_name(iod->audio_profileAndLevel), iod->audio_profileAndLevel);\n\t\t\t//fprintf(stderr, \"inline profiles included %s\\n\", iod->inlineProfileFlag ? 
\"yes\" : \"no\");\n\t\t} else {\n\t\t\tfprintf(stderr, \"File has root OD (%d bytes)\\n\", desc_size);\n\t\t}\n\t\tif (!gf_list_count(iod->ESDescriptors)) fprintf(stderr, \"No streams included in root OD\\n\");\n\t\tgf_odf_desc_del((GF_Descriptor *) iod);\n\t} else {\n\t\tfprintf(stderr, \"File has no MPEG4 IOD/OD\\n\");\n\t}\n\tif (gf_isom_is_JPEG2000(file)) fprintf(stderr, \"File is JPEG 2000\\n\");\n\n\tcount = gf_isom_get_copyright_count(file);\n\tif (count) {\n\t\tconst char *lang, *note;\n\t\tfprintf(stderr, \"\\nCopyrights:\\n\");\n\t\tfor (i=0; i>31) fprintf(stderr, \"\\tCover Art: PNG File\\n\");\n\t\t\telse fprintf(stderr, \"\\tCover Art: JPEG File\\n\");\n\t\t}\n\t}\n\n\tprint_udta(file, 0);\n\tfprintf(stderr, \"\\n\");\n\tfor (i=0; iemul_esd) gf_odf_desc_del((GF_Descriptor *)avc->emul_esd);\n\tavc->emul_esd = gf_odf_desc_esd_new(2);\n\tavc->emul_esd->decoderConfig->streamType = GF_STREAM_VISUAL;\n\t/*AVC OTI is 0x21, AVC parameter set stream OTI (not supported in gpac) is 0x22, SVC OTI is 0x24*/\n\t/*if we have only SVC stream, set objectTypeIndication to AVC OTI; else set it to AVC OTI*/\n\tif (avc->svc_config && !avc->avc_config)\n\t\tavc->emul_esd->decoderConfig->objectTypeIndication = GF_CODECID_SVC;\n\telse if (avc->mvc_config && !avc->avc_config)\n\t\tavc->emul_esd->decoderConfig->objectTypeIndication = GF_CODECID_MVC;\n\telse\n\t\tavc->emul_esd->decoderConfig->objectTypeIndication = GF_CODECID_AVC;\n\n\tif (btrt) {\n\t\tavc->emul_esd->decoderConfig->bufferSizeDB = btrt->bufferSizeDB;\n\t\tavc->emul_esd->decoderConfig->avgBitrate = btrt->avgBitrate;\n\t\tavc->emul_esd->decoderConfig->maxBitrate = btrt->maxBitrate;\n\t}\n\tGF_MPEG4ExtensionDescriptorsBox *mdesc = (GF_MPEG4ExtensionDescriptorsBox *) gf_isom_box_find_child(avc->child_boxes, GF_ISOM_BOX_TYPE_M4DS);\n\tif (mdesc) {\n\t\tu32 i=0;\n\t\tGF_Descriptor *desc,*clone;\n\t\ti=0;\n\t\twhile ((desc = (GF_Descriptor *)gf_list_enum(mdesc->descriptors, &i))) {\n\t\t\tclone = 
NULL;\n\t\t\tgf_odf_desc_copy(desc, &clone);\n\t\t\tif (gf_odf_desc_add_desc((GF_Descriptor *)avc->emul_esd, clone) != GF_OK)\n\t\t\t\tgf_odf_desc_del(clone);\n\t\t}\n\t}\n\tif (avc->avc_config) {\n\t\tGF_AVCConfig *avcc = avc->avc_config->config ? AVC_DuplicateConfig(avc->avc_config->config) : NULL;\n\t\t/*merge SVC config*/\n\t\tif (avc->svc_config) {\n\t\t\tmerge_avc_config(avcc, avc->svc_config->config);\n\t\t}\n\t\t/*merge MVC config*/\n\t\tif (avc->mvc_config) {\n\t\t\tmerge_avc_config(avcc, avc->mvc_config->config);\n\t\t}\n\t\tif (avcc) {\n\t\t\tif (mdia) merge_all_config(avcc, NULL, mdia);\n\n\t\t\tgf_odf_avc_cfg_write(avcc, &avc->emul_esd->decoderConfig->decoderSpecificInfo->data, &avc->emul_esd->decoderConfig->decoderSpecificInfo->dataLength);\n\t\t\tgf_odf_avc_cfg_del(avcc);\n\t\t}\n\t} else if (avc->svc_config) {\n\t\tGF_AVCConfig *svcc = AVC_DuplicateConfig(avc->svc_config->config);\n\n\t\tif (mdia) merge_all_config(svcc, NULL, mdia);\n\n\t\tgf_odf_avc_cfg_write(svcc, &avc->emul_esd->decoderConfig->decoderSpecificInfo->data, &avc->emul_esd->decoderConfig->decoderSpecificInfo->dataLength);\n\t\tgf_odf_avc_cfg_del(svcc);\n\t}\n\telse if (avc->mvc_config) {\n\t\tGF_AVCConfig *mvcc = AVC_DuplicateConfig(avc->mvc_config->config);\n\n\t\tif (mdia) merge_all_config(mvcc, NULL, mdia);\n\n\t\tgf_odf_avc_cfg_write(mvcc, &avc->emul_esd->decoderConfig->decoderSpecificInfo->data, &avc->emul_esd->decoderConfig->decoderSpecificInfo->dataLength);\n\t\tgf_odf_avc_cfg_del(mvcc);\n\t}\n}", "project": "gpac", "hash": 227429555665254523791259348153796870212, "size": 66, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237614 }, { "func": "}\n\nstatic void DumpMetaItem(GF_ISOFile *file, Bool root_meta, u32 tk_num, char *name)\n{\n\tchar szInd[2];\n\tu32 i, count, primary_id;\n\tu32 meta_type = gf_isom_get_meta_type(file, root_meta, tk_num);\n\tif (name[0]=='\\t') {\n\t\tszInd[0] = 
'\\t';\n\t\tszInd[1] = 0;\n\t} else {\n\t\tszInd[0] = 0;\n\t}\n\n\tcount = gf_isom_get_meta_item_count(file, root_meta, tk_num);\n\tprimary_id = gf_isom_get_meta_primary_item_id(file, root_meta, tk_num);\n\tfprintf(stderr, \"%s type: \\\"%s\\\" - %d resource item(s)\\n\", name, meta_type ? gf_4cc_to_str(meta_type) : \"undefined\", (count+(primary_id>0)));\n\tswitch (gf_isom_has_meta_xml(file, root_meta, tk_num)) {\n\tcase 1:\n\t\tfprintf(stderr, \"%sMeta has XML resource\\n\", szInd);\n\t\tbreak;\n\tcase 2:\n\t\tfprintf(stderr, \"%sMeta has BinaryXML resource\\n\", szInd);\n\t\tbreak;\n\t}\n\tif (primary_id) {\n\t\tfprintf(stderr, \"%sPrimary Item - ID %d\\n\", szInd, primary_id);\n\t}\n\tfor (i=0; i1) ? \"s\" : \"\");\n\t\t\t\t\tfor (j=1; j0)));\n\tswitch (gf_isom_has_meta_xml(file, root_meta, tk_num)) {\n\tcase 1:\n\t\tfprintf(stderr, \"Meta has XML resource\\n\");\n\t\tbreak;\n\tcase 2:\n\t\tfprintf(stderr, \"Meta has BinaryXML resource\\n\");\n\t\tbreak;\n\t}\n\tif (primary_id) {\n\t\tfprintf(stderr, \"Primary Item - ID %d\\n\", primary_id);\n\t}\n\tfor (i=0; iHeader) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Missing TrackHeaderBox\\n\"));\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\tif (!ptr->Media) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Missing MediaBox\\n\"));\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\tif (!ptr->Media->information || !ptr->Media->information->sampleTable) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Invalid MediaBox\\n\"));\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\tif (!ptr->Media->information->sampleTable->SampleSize || (ptr->Media->information->sampleTable->SampleSize->sampleCount==0)) {\n\t\tif (ptr->Header->initial_duration) {\n\t\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, (\"[iso file] Track with no samples but duration defined, ignoring duration\\n\"));\n\t\t\tptr->Header->initial_duration = 0;\n\t\t}\n\t}\n\n\tfor (i=0; iMedia->information->sampleTable->child_boxes); i++) {\n\t\tGF_Box 
*a = gf_list_get(ptr->Media->information->sampleTable->child_boxes, i);\n\t\tif ((a->type ==GF_ISOM_BOX_TYPE_UUID) && (((GF_UUIDBox *)a)->internal_4cc == GF_ISOM_BOX_UUID_PSEC)) {\n\t\t\tptr->sample_encryption = (struct __sample_encryption_box *) a;\n\t\t\tbreak;\n\t\t}\n\t\telse if (a->type == GF_ISOM_BOX_TYPE_SENC) {\n\t\t\tptr->sample_encryption = (struct __sample_encryption_box *)a;\n\t\t\tbreak;\n\t\t}\n\t}\n\treturn e;", "project": "gpac", "hash": 197302910241648715988033433202123199569, "size": 41, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264862 }, { "func": "GF_Err gf_isom_set_cenc_protection(GF_ISOFile *the_file, u32 trackNumber, u32 desc_index, u32 scheme_type,\n u32 scheme_version, u32 default_IsEncrypted, u8 default_crypt_byte_block, u8 default_skip_byte_block,\n\t\t\t\t\t\t\t\t u8 *key_info, u32 key_info_size)\n{\n\tGF_Err e;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\n\tif (!gf_cenc_validate_key_info(key_info, key_info_size))\n\t\treturn GF_BAD_PARAM;\n\n\t//setup generic protection\n\te = isom_set_protected_entry(the_file, trackNumber, desc_index, 0, 0, scheme_type, scheme_version, NULL, GF_FALSE, &sinf);\n\tif (e) return e;\n\n\tif (scheme_type==GF_ISOM_PIFF_SCHEME) {\n\t\tsinf->info->piff_tenc = (GF_PIFFTrackEncryptionBox *) gf_isom_box_new_parent(&sinf->info->child_boxes, GF_ISOM_BOX_UUID_TENC);\n\t\tif (!sinf->info->piff_tenc) return GF_OUT_OF_MEM;\n\t\tsinf->info->piff_tenc->AlgorithmID = 1;\n\t\tsinf->info->piff_tenc->key_info[0] = 0;\n\t\tsinf->info->piff_tenc->key_info[1] = 0;\n\t\tsinf->info->piff_tenc->key_info[2] = 0;\n\t\tsinf->info->piff_tenc->key_info[3] = key_info[3];\n\t\tmemcpy(sinf->info->piff_tenc->key_info+4, key_info+4, 16*sizeof(char));\n\t}\n\t//tenc only for mkey\n\telse if (!key_info[0]) {\n\t\tif (key_info_size<20) return GF_BAD_PARAM;\n\t\tsinf->info->tenc = (GF_TrackEncryptionBox *)gf_isom_box_new_parent(&sinf->info->child_boxes, 
GF_ISOM_BOX_TYPE_TENC);\n\t\tif (!sinf->info->tenc) return GF_OUT_OF_MEM;\n\n\t\tsinf->info->tenc->isProtected = default_IsEncrypted;\n\t\tif ((scheme_type == GF_ISOM_CENS_SCHEME) || (scheme_type == GF_ISOM_CBCS_SCHEME)) {\n\t\t\tsinf->info->tenc->version = 1;\n\t\t\tsinf->info->tenc->crypt_byte_block = default_crypt_byte_block;\n\t\t\tsinf->info->tenc->skip_byte_block = default_skip_byte_block;\n\t\t}\n\t\tif (key_info_size>37) key_info_size = 37;\n\t\tmemcpy(sinf->info->tenc->key_info, key_info, key_info_size);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 146777542450198012672419961215736885425, "size": 41, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275407 }, { "func": "GF_Err Media_AddSample(GF_MediaBox *mdia, u64 data_offset, const GF_ISOSample *sample, u32 StreamDescIndex, u32 syncShadowNumber)\n{\n\tGF_Err e;\n\tGF_SampleTableBox *stbl;\n\tu32 sampleNumber, i;\n\tif (!mdia || !sample) return GF_BAD_PARAM;\n\n\tstbl = mdia->information->sampleTable;\n\n\t//get a valid sampleNumber for this new guy\n\te = stbl_AddDTS(stbl, sample->DTS, &sampleNumber, mdia->mediaHeader->timeScale, sample->nb_pack);\n\tif (e) return e;\n\n\t//add size\n\te = stbl_AddSize(stbl->SampleSize, sampleNumber, sample->dataLength, sample->nb_pack);\n\tif (e) return e;\n\n\t//adds CTS offset\n\tif (sample->CTS_Offset) {\n\t\t//if we don't have a CTS table, add it...\n\t\tif (!stbl->CompositionOffset) {\n\t\t\tstbl->CompositionOffset = (GF_CompositionOffsetBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_CTTS);\n\t\t\tif (!stbl->CompositionOffset) return GF_OUT_OF_MEM;\n\t\t}\n\t\t//then add our CTS (the prev samples with no CTS offset will be automatically added...\n\t\te = stbl_AddCTS(stbl, sampleNumber, sample->CTS_Offset);\n\t\tif (e) return e;\n\t} else if (stbl->CompositionOffset) {\n\t\te = stbl_AddCTS(stbl, sampleNumber, sample->CTS_Offset);\n\t\tif (e) return 
e;\n\t}\n\n\t//The first non sync sample we see must create a syncTable\n\tif (sample->IsRAP) {\n\t\t//insert it only if we have a sync table and if we have an IDR slice\n\t\tif (stbl->SyncSample && (sample->IsRAP == RAP)) {\n\t\t\te = stbl_AddRAP(stbl->SyncSample, sampleNumber);\n\t\t\tif (e) return e;\n\t\t}\n\t} else {\n\t\t//non-sync sample. Create a SyncSample table if needed\n\t\tif (!stbl->SyncSample) {\n\t\t\tstbl->SyncSample = (GF_SyncSampleBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STSS);\n\t\t\tif (!stbl->SyncSample) return GF_OUT_OF_MEM;\n\t\t\t//all the prev samples are sync\n\t\t\tfor (i=0; iSampleSize->sampleCount; i++) {\n\t\t\t\tif (i+1 != sampleNumber) {\n\t\t\t\t\te = stbl_AddRAP(stbl->SyncSample, i+1);\n\t\t\t\t\tif (e) return e;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\tif (sample->IsRAP==RAP_REDUNDANT) {\n\t\te = stbl_AddRedundant(stbl, sampleNumber);\n\t\tif (e) return e;\n\t}\n\n\tif (!mdia->mediaTrack->chunk_cache) {\n\t\t//and update the chunks\n\t\te = stbl_AddChunkOffset(mdia, sampleNumber, StreamDescIndex, data_offset, sample->nb_pack);\n\t\tif (e) return e;\n\t}\n\t\n\tif (!syncShadowNumber) return GF_OK;\n\tif (!stbl->ShadowSync) {\n\t\tstbl->ShadowSync = (GF_ShadowSyncBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STSH);\n\t\tif (!stbl->ShadowSync) return GF_OUT_OF_MEM;\n\t}\n\treturn stbl_AddShadow(mdia->information->sampleTable->ShadowSync, sampleNumber, syncShadowNumber);\n}", "project": "gpac", "hash": 248400678099519583849700990229395653306, "size": 71, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231619 }, { "func": "GF_EXPORT\nGF_Err gf_isom_get_rvc_config(GF_ISOFile *movie, u32 track, u32 sampleDescriptionIndex, u16 *rvc_predefined, u8 **data, u32 *size, const char **mime)\n{\n\tGF_MPEGVisualSampleEntryBox *entry;\n\tGF_TrackBox *trak;\n\n\tif (!rvc_predefined || !data || !size) return 
GF_BAD_PARAM;\n\t*rvc_predefined = 0;\n\n\ttrak = gf_isom_get_track_from_file(movie, track);\n\tif (!trak) return GF_BAD_PARAM;\n\n\n\tentry = (GF_MPEGVisualSampleEntryBox *) gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, sampleDescriptionIndex-1);\n\tif (!entry ) return GF_BAD_PARAM;\n\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return GF_BAD_PARAM;\n\n\tGF_RVCConfigurationBox *rvcc = (GF_RVCConfigurationBox *)gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_RVCC);\n\tif (!rvcc) return GF_NOT_FOUND;\n\n\t*rvc_predefined = rvcc->predefined_rvc_config;\n\tif (rvcc->rvc_meta_idx) {\n\t\tif (!data || !size) return GF_OK;\n\t\treturn gf_isom_extract_meta_item_mem(movie, GF_FALSE, track, rvcc->rvc_meta_idx, data, size, NULL, mime, GF_FALSE);\n\t}\n\treturn GF_OK;", "project": "gpac", "hash": 121568148095336148140302533547258847151, "size": 26, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246810 }, { "func": "GF_Err stbl_RemoveChunk(GF_SampleTableBox *stbl, u32 sampleNumber, u32 nb_samples)\n{\n\tu32 i;\n\tGF_SampleToChunkBox *stsc = stbl->SampleToChunk;\n\n\tif ((nb_samples>1) && (sampleNumber>1))\n\t\treturn GF_BAD_PARAM;\n\t\n\t//raw audio or constant sample size and dur\n\tif (stsc->nb_entries < stbl->SampleSize->sampleCount) {\n\t\tif (sampleNumber==stbl->SampleSize->sampleCount+1) {\n\t\t\tGF_StscEntry *ent = &stsc->entries[stsc->nb_entries-1];\n\t\t\tif (ent->samplesPerChunk)\n\t\t\t\tent->samplesPerChunk--;\n\t\t\tif (!ent->samplesPerChunk) {\n\t\t\t\tstsc->nb_entries--;\n\n\t\t\t\tif (stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) {\n\t\t\t\t\t((GF_ChunkOffsetBox *)stbl->ChunkOffset)->nb_entries --;\n\t\t\t\t} else {\n\t\t\t\t\t((GF_ChunkLargeOffsetBox *)stbl->ChunkOffset)->nb_entries --;\n\t\t\t\t}\n\t\t\t\tif (stsc->nb_entries) {\n\t\t\t\t\tent = &stsc->entries[stsc->nb_entries-1];\n\t\t\t\t\tent->nextChunk 
--;\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn GF_OK;\n\t\t}\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] removing sample in middle of track not supported for constant size and duration samples\\n\"));\n\t\treturn GF_NOT_SUPPORTED;\n\t}\n\n\t//remove the entry in SampleToChunk (1 <-> 1 in edit mode)\n\tif (nb_samples==1) {\n\t\tmemmove(&stsc->entries[sampleNumber-1], &stsc->entries[sampleNumber], sizeof(GF_StscEntry)*(stsc->nb_entries-sampleNumber));\n\t\tstsc->nb_entries--;\n\n\t\t//update the firstchunk info\n\t\tfor (i=sampleNumber-1; i < stsc->nb_entries; i++) {\n\t\t\tassert(stsc->entries[i].firstChunk >= 1);\n\t\t\tstsc->entries[i].firstChunk -= 1;\n\t\t\tif (stsc->entries[i].nextChunk) {\n\t\t\t\tassert(stsc->entries[i].nextChunk >= 1);\n\t\t\t\tstsc->entries[i].nextChunk -= 1;\n\t\t\t}\n\t\t}\n\t} else {\n\t\tmemmove(&stsc->entries[0], &stsc->entries[nb_samples], sizeof(GF_StscEntry)*(stsc->nb_entries-nb_samples));\n\t\tstsc->nb_entries -= nb_samples;\n\n\t\t//update the firstchunk info\n\t\tfor (i=0; i < stsc->nb_entries; i++) {\n\t\t\tstsc->entries[i].firstChunk = i+1;\n\t\t\tstsc->entries[i].nextChunk = (stsc->nb_entries==i+1) ? 
0 : i+2;\n\t\t}\n\t}\n\tmemset(&stsc->entries[stsc->nb_entries], 0, sizeof(GF_StscEntry)*(stsc->alloc_size - stsc->nb_entries) );\n\n\t//update the cache\n\tstsc->firstSampleInCurrentChunk = 1;\n\tstsc->currentIndex = 0;\n\tstsc->currentChunk = 1;\n\tstsc->ghostNumber = 1;\n\n\t//realloc the chunk offset\n\tif (stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) {\n\t\tGF_ChunkOffsetBox *stco = (GF_ChunkOffsetBox *)stbl->ChunkOffset;\n\t\tif (!stbl->SampleSize->sampleCount) {\n\t\t\tgf_free(stco->offsets);\n\t\t\tstco->offsets = NULL;\n\t\t\tstco->nb_entries = 0;\n\t\t\tstco->alloc_size = 0;\n\t\t\treturn GF_OK;\n\t\t}\n\t\tassert(stco->nb_entries - nb_samples == stbl->SampleSize->sampleCount);\n\t\tif (nb_samples==1) {\n\t\t\tmemmove(&stco->offsets[sampleNumber-1], &stco->offsets[sampleNumber], sizeof(u32) * (stco->nb_entries - sampleNumber) );\n\t\t} else {\n\t\t\tmemmove(&stco->offsets[0], &stco->offsets[nb_samples], sizeof(u32) * (stco->nb_entries - nb_samples) );\n\t\t}\n\t\tstco->nb_entries -= nb_samples;\n\t} else {\n\t\tGF_ChunkLargeOffsetBox *co64 = (GF_ChunkLargeOffsetBox *)stbl->ChunkOffset;\n\t\tif (!stbl->SampleSize->sampleCount) {\n\t\t\tgf_free(co64->offsets);\n\t\t\tco64->offsets = NULL;\n\t\t\tco64->nb_entries = 0;\n\t\t\tco64->alloc_size = 0;\n\t\t\treturn GF_OK;\n\t\t}\n\n\t\tassert(co64->nb_entries - nb_samples == stbl->SampleSize->sampleCount);\n\t\tif (nb_samples==1) {\n\t\t\tmemmove(&co64->offsets[sampleNumber-1], &co64->offsets[sampleNumber], sizeof(u64) * (co64->nb_entries - sampleNumber) );\n\t\t} else {\n\t\t\tmemmove(&co64->offsets[0], &co64->offsets[nb_samples], sizeof(u64) * (co64->nb_entries - nb_samples) );\n\t\t}\n\t\tco64->nb_entries -= nb_samples;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 91588033201983465434153302851263440823, "size": 102, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267901 }, { "func": "static void 
nalu_merge_ps(GF_BitStream *ps_bs, Bool rewrite_start_codes, u32 nal_unit_size_field, GF_MPEGVisualSampleEntryBox *entry, Bool is_hevc, Bool *has_vps)\n{\n\tu32 i, count;\n\tif (is_hevc) {\n\t\tif (entry->hevc_config) {\n\t\t\tcount = gf_list_count(entry->hevc_config->config->param_array);\n\t\t\tfor (i=0; ihevc_config->config->param_array, i);\n\t\t\t\tif (ar->type == GF_HEVC_NALU_VID_PARAM) {\n\t\t\t\t\tif (! *has_vps) *has_vps = GF_TRUE;\n\t\t\t\t\telse continue;\n\t\t\t\t}\n\t\t\t\trewrite_nalus_list(ar->nalus, ps_bs, rewrite_start_codes, nal_unit_size_field);\n\t\t\t}\n\t\t}\n\t\tif (entry->lhvc_config) {\n\t\t\tcount = gf_list_count(entry->lhvc_config->config->param_array);\n\t\t\tfor (i=0; ilhvc_config->config->param_array, i);\n\t\t\t\tif (ar->type == GF_HEVC_NALU_VID_PARAM) {\n\t\t\t\t\tif (! *has_vps) *has_vps = GF_TRUE;\n\t\t\t\t\telse continue;\n\t\t\t\t}\n\t\t\t\trewrite_nalus_list(ar->nalus, ps_bs, rewrite_start_codes, nal_unit_size_field);\n\t\t\t}\n\t\t}\n\t} else {\n\t\tif (entry->avc_config) {\n\t\t\trewrite_nalus_list(entry->avc_config->config->sequenceParameterSets, ps_bs, rewrite_start_codes, nal_unit_size_field);\n\t\t\trewrite_nalus_list(entry->avc_config->config->sequenceParameterSetExtensions, ps_bs, rewrite_start_codes, nal_unit_size_field);\n\t\t\trewrite_nalus_list(entry->avc_config->config->pictureParameterSets, ps_bs, rewrite_start_codes, nal_unit_size_field);\n\t\t}\n\n\t\t/*add svc config */\n\t\tif (entry->svc_config) {\n\t\t\trewrite_nalus_list(entry->svc_config->config->sequenceParameterSets, ps_bs, rewrite_start_codes, nal_unit_size_field);\n\t\t\trewrite_nalus_list(entry->svc_config->config->pictureParameterSets, ps_bs, rewrite_start_codes, nal_unit_size_field);\n\t\t}\n\t\t/*add mvc config */\n\t\tif (entry->mvc_config) {\n\t\t\trewrite_nalus_list(entry->mvc_config->config->sequenceParameterSets, ps_bs, rewrite_start_codes, nal_unit_size_field);\n\t\t\trewrite_nalus_list(entry->mvc_config->config->pictureParameterSets, ps_bs, 
rewrite_start_codes, nal_unit_size_field);\n\t\t}\n\t}\n}", "project": "gpac", "hash": 254360377776019737169031781092830526848, "size": 45, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237653 }, { "func": "u32 PrintNode(const char *name, u32 graph_type)\n{\n#ifdef GPAC_DISABLE_VRML\n\tM4_LOG(GF_LOG_ERROR, (\"VRML/MPEG-4/X3D scene graph is disabled in this build of GPAC\\n\"));\n\treturn 2;\n#else\n\tconst char *std_name;\n\tGF_Node *node;\n\tGF_SceneGraph *sg;\n\tu32 tag;\n#ifndef GPAC_DISABLE_BIFS\n#endif /*GPAC_DISABLE_BIFS*/\n\tBool is_nodefield = 0;\n\n\tchar *sep = strchr(name, '.');\n\tif (sep) {\n\t\tsep[0] = 0;\n\t\tis_nodefield = 1;\n\t}\n\n\tif (graph_type==1) {\n#ifndef GPAC_DISABLE_X3D\n\t\ttag = gf_node_x3d_type_by_class_name(name);\n\t\tstd_name = \"X3D\";\n#else\n\t\tM4_LOG(GF_LOG_ERROR, (\"X3D node printing is not supported (X3D support disabled)\\n\"));\n\t\treturn 2;\n#endif\n\t} else {\n\t\ttag = gf_node_mpeg4_type_by_class_name(name);\n\t\tstd_name = \"MPEG4\";\n\t}\n\tif (!tag) {\n\t\tM4_LOG(GF_LOG_ERROR, (\"Unknown %s node %s\\n\", std_name, name));\n\t\treturn 2;\n\t}\n\n\tsg = gf_sg_new();\n\tnode = gf_node_new(sg, tag);\n\tgf_node_register(node, NULL);\n\tname = gf_node_get_class_name(node);\n\tif (!node) {\n\t\tM4_LOG(GF_LOG_ERROR, (\"Node %s not supported in current built\\n\", name));\n\t\treturn 2;\n\t}\n\tdo_print_node(node, sg, name, graph_type, is_nodefield, GF_FALSE);\n\n\tgf_node_unregister(node, NULL);\n\tgf_sg_del(sg);\n#endif /*GPAC_DISABLE_VRML*/\n\treturn 1;\n}", "project": "gpac", "hash": 241547713955475058831576129788996029791, "size": 52, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243189 }, { "func": "void PrintNode(const char *name, u32 graph_type)\n{\n#ifdef GPAC_DISABLE_VRML\n\tfprintf(stderr, \"VRML/MPEG-4/X3D scene graph is disabled in this build of 
GPAC\\n\");\n\treturn;\n#else\n\tconst char *std_name;\n\tGF_Node *node;\n\tGF_SceneGraph *sg;\n\tu32 tag;\n#ifndef GPAC_DISABLE_BIFS\n#endif /*GPAC_DISABLE_BIFS*/\n\tBool is_nodefield = 0;\n\n\tchar *sep = strchr(name, '.');\n\tif (sep) {\n\t\tsep[0] = 0;\n\t\tis_nodefield = 1;\n\t}\n\n\tif (graph_type==1) {\n#ifndef GPAC_DISABLE_X3D\n\t\ttag = gf_node_x3d_type_by_class_name(name);\n\t\tstd_name = \"X3D\";\n#else\n\t\tfprintf(stderr, \"X3D node printing is not supported (X3D support disabled)\\n\");\n\t\treturn;\n#endif\n\t} else {\n\t\ttag = gf_node_mpeg4_type_by_class_name(name);\n\t\tstd_name = \"MPEG4\";\n\t}\n\tif (!tag) {\n\t\tfprintf(stderr, \"Unknown %s node %s\\n\", std_name, name);\n\t\treturn;\n\t}\n\n\tsg = gf_sg_new();\n\tnode = gf_node_new(sg, tag);\n\tgf_node_register(node, NULL);\n\tname = gf_node_get_class_name(node);\n\tif (!node) {\n\t\tfprintf(stderr, \"Node %s not supported in current built\\n\", name);\n\t\treturn;\n\t}\n\tdo_print_node(node, sg, name, graph_type, is_nodefield, GF_FALSE);\n\n\tgf_node_unregister(node, NULL);\n\tgf_sg_del(sg);\n#endif /*GPAC_DISABLE_VRML*/\n}", "project": "gpac", "hash": 287409241069574379988598714921158864833, "size": 51, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249542 }, { "func": "u32 gf_isom_get_tracknum_from_id(GF_MovieBox *moov, GF_ISOTrackID trackID)\n{\n\tu32 i;\n\tGF_TrackBox *trak;\n\ti=0;\n\twhile ((trak = (GF_TrackBox *)gf_list_enum(moov->trackList, &i))) {\n\t\tif (trak->Header->trackID == trackID) return i;\n\t}\n\treturn 0;\n}", "project": "gpac", "hash": 253022893409580713993426603303477125913, "size": 10, "commit_id": "df8fffd839fe5ae9acd82d26fd48280a397411d9", "message": "fixed #1736", "target": 0, "dataset": "other", "idx": 272326 }, { "func": "GF_EXPORT\nu64 gf_isom_get_fragmented_duration(GF_ISOFile *movie)\n{\n\tif (movie->moov->mvex && movie->moov->mvex->mehd)\n\t\treturn 
movie->moov->mvex->mehd->fragment_duration;\n\n\treturn 0;", "project": "gpac", "hash": 179624524395425218364016725975836881288, "size": 7, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246798 }, { "func": "GF_Err gf_isom_get_extraction_slc(GF_ISOFile *the_file, u32 trackNumber, u32 StreamDescriptionIndex, GF_SLConfig **slConfig)\n{\n\tGF_TrackBox *trak;\n\tGF_SampleEntryBox *entry;\n\tGF_Err e;\n\tGF_SLConfig *slc;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\te = Media_GetSampleDesc(trak->Media, StreamDescriptionIndex, &entry, NULL);\n\tif (e) return e;\n\n\t//we must be sure we are not using a remote ESD\n\tslc = NULL;\n\t*slConfig = NULL;\n\tswitch (entry->type) {\n\tcase GF_ISOM_BOX_TYPE_MP4S:\n\t\tif (((GF_MPEGSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM;\n\t\tslc = ((GF_MPEGSampleEntryBox *)entry)->slc;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_MP4A:\n\t\tif (((GF_MPEGAudioSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM;\n\t\tslc = ((GF_MPEGAudioSampleEntryBox *)entry)->slc;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_MP4V:\n\t\tif (((GF_MPEGVisualSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM;\n\t\tslc = ((GF_MPEGVisualSampleEntryBox *)entry)->slc;\n\t\tbreak;\n\tdefault:\n\t\treturn GF_BAD_PARAM;\n\t}\n\n\tif (!slc) return GF_OK;\n\t//finally duplicate the SL\n\treturn gf_odf_desc_copy((GF_Descriptor *) slc, (GF_Descriptor **) slConfig);\n}", "project": "gpac", "hash": 72759115469568498014505720549617618583, "size": 37, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267342 }, { "func": "static void PrintHelp(char *arg_name, Bool search_desc, Bool no_match)\n{\n\tGF_FilterSession *fs;\n\tBool res;\n\n\tfs = 
gf_fs_new_defaults(0);\n\n\tif (arg_name[0]=='-')\n\t\targ_name++;\n\n\tif (search_desc) {\n\t\tchar *_arg_name = gf_strdup(arg_name);\n\t\tstrlwr(_arg_name);\n\t\tGF_LOG(GF_LOG_INFO, GF_LOG_APP, (\"Possible options mentionning `%s`:\\n\", arg_name));\n\t\tres = PrintHelpArg(_arg_name, SEARCH_DESC, fs);\n\t\tgf_free(_arg_name);\n\t} else {\n\t\tres = no_match ? GF_FALSE : PrintHelpArg(arg_name, SEARCH_ARG_EXACT, fs);\n\t\tif (!res) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Option -%s unknown, please check usage.\\n\", arg_name));\n\t\t\tGF_LOG(GF_LOG_INFO, GF_LOG_APP, (\"Possible options are:\\n\"));\n\n\t\t\tPrintHelpArg(arg_name, SEARCH_ARG_CLOSE, fs);\n\t\t}\n\t}\n\tif (fs)\n\t\tgf_fs_del(fs);\n}", "project": "gpac", "hash": 136425801866170952092521525921687572579, "size": 28, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244374 }, { "func": "GF_EXPORT\nvoid gf_isom_keep_utc_times(GF_ISOFile *file, Bool keep_utc)\n{\n\tif (!file) return;\n\tfile->keep_utc = keep_utc;", "project": "gpac", "hash": 160463663680766558790888710463112879814, "size": 5, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246827 }, { "func": "static void do_print_node(GF_Node *node, GF_SceneGraph *sg, const char *name, u32 graph_type, Bool is_nodefield, Bool do_cov)\n{\n\tu32 nbF, i;\n\tGF_FieldInfo f;\n#ifndef GPAC_DISABLE_BIFS\n\tu8 qt, at;\n\tFixed bmin, bmax;\n\tu32 nbBits;\n#endif /*GPAC_DISABLE_BIFS*/\n\n\tnbF = gf_node_get_field_count(node);\n\n\tif (is_nodefield) {\n\t\tchar szField[1024];\n\t\tu32 tfirst, tlast;\n\t\tif (gf_node_get_field_by_name(node, szField, &f) != GF_OK) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Field %s is not a member of node %s\\n\", szField, name));\n\t\t\treturn;\n\t\t}\n\t\tfprintf(stderr, \"Allowed nodes in %s.%s:\\n\", name, szField);\n\t\tif (graph_type==1) {\n\t\t\ttfirst = 
GF_NODE_RANGE_FIRST_X3D;\n\t\t\ttlast = GF_NODE_RANGE_LAST_X3D;\n\t\t} else {\n\t\t\ttfirst = GF_NODE_RANGE_FIRST_MPEG4;\n\t\t\ttlast = GF_NODE_RANGE_LAST_MPEG4;\n\t\t}\n\t\tfor (i=tfirst; icount; j++) {\n\t\t\t\tif (j) fprintf(stderr, \" \");\n\t\t\t\tgf_sg_vrml_mf_get_item(f.far_ptr, f.fieldType, &ptr, j);\n\t\t\t\tPrintNodeSFField(sftype, ptr);\n\t\t\t}\n\t\t\tfprintf(stderr, \"]\");\n\t\t}\n#ifndef GPAC_DISABLE_BIFS\n\t\tif (gf_bifs_get_aq_info(node, i, &qt, &at, &bmin, &bmax, &nbBits)) {\n\t\t\tif (qt) {\n\t\t\t\tfprintf(stderr, \" #QP=%d\", qt);\n\t\t\t\tif (qt==13) fprintf(stderr, \" NbBits=%d\", nbBits);\n\t\t\t\tif (bmin && bmax) {\n\t\t\t\t\tfprintf(stderr, \" Bounds=[\");\n\t\t\t\t\tPrintFixed(bmin, 0);\n\t\t\t\t\tfprintf(stderr, \",\");\n\t\t\t\t\tPrintFixed(bmax, 0);\n\t\t\t\t\tfprintf(stderr, \"]\");\n\t\t\t\t}\n\t\t\t}\n\t\t}\n#endif /*GPAC_DISABLE_BIFS*/\n\t\tfprintf(stderr, \"\\n\");\n\n\t\tif (do_cov) {\n\t\t\tgf_node_get_field_by_name(node, (char *) f.name, &f);\n\t\t}\n\t}\n\tfprintf(stderr, \"}\\n\\n\");\n\n}", "project": "gpac", "hash": 314314358674245022893234045039237155162, "size": 114, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243190 }, { "func": "static void do_print_node(GF_Node *node, GF_SceneGraph *sg, const char *name, u32 graph_type, Bool is_nodefield, Bool do_cov)\n{\n\tu32 nbF, i;\n\tGF_FieldInfo f;\n#ifndef GPAC_DISABLE_BIFS\n\tu8 qt, at;\n\tFixed bmin, bmax;\n\tu32 nbBits;\n#endif /*GPAC_DISABLE_BIFS*/\n\n\tnbF = gf_node_get_field_count(node);\n\n\tif (is_nodefield) {\n\t\tchar szField[1024];\n\t\tu32 tfirst, tlast;\n\t\tif (gf_node_get_field_by_name(node, szField, &f) != GF_OK) {\n\t\t\tfprintf(stderr, \"Field %s is not a member of node %s\\n\", szField, name);\n\t\t\treturn;\n\t\t}\n\t\tfprintf(stderr, \"Allowed nodes in %s.%s:\\n\", name, szField);\n\t\tif (graph_type==1) {\n\t\t\ttfirst = GF_NODE_RANGE_FIRST_X3D;\n\t\t\ttlast = 
GF_NODE_RANGE_LAST_X3D;\n\t\t} else {\n\t\t\ttfirst = GF_NODE_RANGE_FIRST_MPEG4;\n\t\t\ttlast = GF_NODE_RANGE_LAST_MPEG4;\n\t\t}\n\t\tfor (i=tfirst; icount; j++) {\n\t\t\t\tif (j) fprintf(stderr, \" \");\n\t\t\t\tgf_sg_vrml_mf_get_item(f.far_ptr, f.fieldType, &ptr, j);\n\t\t\t\tPrintNodeSFField(sftype, ptr);\n\t\t\t}\n\t\t\tfprintf(stderr, \"]\");\n\t\t}\n#ifndef GPAC_DISABLE_BIFS\n\t\tif (gf_bifs_get_aq_info(node, i, &qt, &at, &bmin, &bmax, &nbBits)) {\n\t\t\tif (qt) {\n\t\t\t\tfprintf(stderr, \" #QP=%d\", qt);\n\t\t\t\tif (qt==13) fprintf(stderr, \" NbBits=%d\", nbBits);\n\t\t\t\tif (bmin && bmax) {\n\t\t\t\t\tfprintf(stderr, \" Bounds=[\");\n\t\t\t\t\tPrintFixed(bmin, 0);\n\t\t\t\t\tfprintf(stderr, \",\");\n\t\t\t\t\tPrintFixed(bmax, 0);\n\t\t\t\t\tfprintf(stderr, \"]\");\n\t\t\t\t}\n\t\t\t}\n\t\t}\n#endif /*GPAC_DISABLE_BIFS*/\n\t\tfprintf(stderr, \"\\n\");\n\n\t\tif (do_cov) {\n\t\t\tgf_node_get_field_by_name(node, (char *) f.name, &f);\n\t\t}\n\t}\n\tfprintf(stderr, \"}\\n\\n\");\n\n}", "project": "gpac", "hash": 58271676235318931811671597816129592977, "size": 114, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249556 }, { "func": "GF_Err gf_isom_set_ipod_compatible(GF_ISOFile *the_file, u32 trackNumber)\n{\n\tGF_TrackBox *trak;\n\tGF_Err e;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\n\te = CanAccessMovie(the_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media) return GF_BAD_PARAM;\n\tentry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, 0);\n\tif (!entry) return GF_OK;\n\tswitch (entry->type) {\n\tcase GF_ISOM_BOX_TYPE_AVC1:\n\tcase GF_ISOM_BOX_TYPE_AVC2:\n\tcase GF_ISOM_BOX_TYPE_AVC3:\n\tcase GF_ISOM_BOX_TYPE_AVC4:\n\tcase GF_ISOM_BOX_TYPE_SVC1:\n\tcase GF_ISOM_BOX_TYPE_MVC1:\n\tcase GF_ISOM_BOX_TYPE_HVC1:\n\tcase 
GF_ISOM_BOX_TYPE_HEV1:\n\tcase GF_ISOM_BOX_TYPE_HVT1:\n\t\tbreak;\n\tdefault:\n\t\treturn GF_OK;\n\t}\n\n\tif (!entry->ipod_ext) {\n\t\tentry->ipod_ext = (GF_UnknownUUIDBox *) gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_UUID);\n\t\tif (!entry->ipod_ext) return GF_OUT_OF_MEM;\n\t}\n\tmemcpy(entry->ipod_ext->uuid, GF_ISOM_IPOD_EXT, sizeof(u8)*16);\n\tentry->ipod_ext->dataSize = 4;\n\tentry->ipod_ext->data = gf_malloc(sizeof(u8)*4);\n\tif (!entry->ipod_ext->data) return GF_OUT_OF_MEM;\n\tmemset(entry->ipod_ext->data, 0, sizeof(u8)*4);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 47609732661615122237616728697050747657, "size": 38, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267326 }, { "func": "GF_Err Track_SetStreamDescriptor(GF_TrackBox *trak, u32 StreamDescriptionIndex, u32 DataReferenceIndex, GF_ESD *esd, u32 *outStreamIndex)\n{\n\tGF_Err e;\n\tGF_MPEGSampleEntryBox *entry;\n\tGF_MPEGVisualSampleEntryBox *entry_v;\n\tGF_MPEGAudioSampleEntryBox *entry_a;\n\tGF_TrackReferenceBox *tref;\n\tGF_TrackReferenceTypeBox *dpnd;\n\tu16 tmpRef;\n\n\tentry = NULL;\n\ttref = NULL;\n\n\tif (!trak || !esd || (!outStreamIndex && !DataReferenceIndex) ) return GF_BAD_PARAM;\n\tif (!Track_IsMPEG4Stream(trak->Media->handler->handlerType)) return GF_ISOM_INVALID_MEDIA;\n\n\n\tesd->ESID = 0;\n\t//set SL to predefined if no url\n\tif (esd->URLString == NULL) {\n\t\tif (!esd->slConfig) esd->slConfig = (GF_SLConfig*) gf_odf_desc_new(GF_ODF_SLC_TAG);\n\t\tesd->slConfig->predefined = SLPredef_MP4;\n\t\tesd->slConfig->durationFlag = 0;\n\t\tesd->slConfig->useTimestampsFlag = 1;\n\t}\n\n\t//get the REF box if needed\n\tif (esd->dependsOnESID || (esd->OCRESID && (esd->OCRESID != trak->moov->mov->es_id_default_sync)) ) {\n\t\tif (!trak->References) {\n\t\t\ttref = (GF_TrackReferenceBox *) gf_isom_box_new_parent(&trak->child_boxes, GF_ISOM_BOX_TYPE_TREF);\n\t\t\tif (!tref) return 
GF_OUT_OF_MEM;\n\t\t\te = trak_on_child_box((GF_Box*)trak, (GF_Box *)tref, GF_FALSE);\n\t\t\tif (e) return e;\n\t\t}\n\t\ttref = trak->References;\n\t}\n\n\t//Update Stream dependencies\n\te = Track_FindRef(trak, GF_ISOM_REF_DECODE, &dpnd);\n\tif (e) return e;\n\n\tif (!dpnd && esd->dependsOnESID) {\n\t\te = Track_FindRef(trak, GF_ISOM_REF_BASE, &dpnd);\n\t\tif (e) return e;\n\t}\n\n\tif (!dpnd && esd->dependsOnESID) {\n\t\tdpnd = (GF_TrackReferenceTypeBox *) gf_isom_box_new_parent(&tref->child_boxes, GF_ISOM_BOX_TYPE_REFT);\n\t\tdpnd->reference_type = GF_ISOM_BOX_TYPE_DPND;\n\t\te = reftype_AddRefTrack(dpnd, esd->dependsOnESID, NULL);\n\t\tif (e) return e;\n\t} else if (dpnd && !esd->dependsOnESID) {\n\t\tTrack_RemoveRef(trak, GF_ISOM_BOX_TYPE_DPND);\n\t}\n\tesd->dependsOnESID = 0;\n\n\t//Update GF_Clock dependencies\n\te = Track_FindRef(trak, GF_ISOM_REF_OCR, &dpnd);\n\tif (e) return e;\n\tif (!dpnd && esd->OCRESID && (esd->OCRESID != trak->moov->mov->es_id_default_sync)) {\n\t\tdpnd = (GF_TrackReferenceTypeBox *) gf_isom_box_new_parent(&tref->child_boxes, GF_ISOM_BOX_TYPE_REFT);\n\t\tif (!dpnd) return GF_OUT_OF_MEM;\n\t\tdpnd->reference_type = GF_ISOM_BOX_TYPE_SYNC;\n\t\te = reftype_AddRefTrack(dpnd, esd->OCRESID, NULL);\n\t\tif (e) return e;\n\t} else if (dpnd && !esd->OCRESID) {\n\t\tTrack_RemoveRef(trak, GF_ISOM_BOX_TYPE_SYNC);\n\t} else if (dpnd && esd->OCRESID) {\n\t\tif (dpnd->trackIDCount != 1) return GF_ISOM_INVALID_MEDIA;\n\t\tdpnd->trackIDs[0] = esd->OCRESID;\n\t}\n\tesd->OCRESID = 0;\n\n\t//brand new case: we have to change the IPI desc\n\tif (esd->ipiPtr) {\n\t\te = Track_FindRef(trak, GF_ISOM_REF_IPI, &dpnd);\n\t\tif (e) return e;\n\t\tif (!dpnd) {\n\t\t\ttmpRef = 0;\n\t\t\tdpnd = (GF_TrackReferenceTypeBox *) gf_isom_box_new_parent(&tref->child_boxes, GF_ISOM_BOX_TYPE_REFT);\n\t\t\tif (!dpnd) return GF_OUT_OF_MEM;\n\t\t\tdpnd->reference_type = GF_ISOM_BOX_TYPE_IPIR;\n\t\t\te = reftype_AddRefTrack(dpnd, esd->ipiPtr->IPI_ES_Id, &tmpRef);\n\t\t\tif (e) 
return e;\n\t\t\t//and replace the tag and value...\n\t\t\tesd->ipiPtr->IPI_ES_Id = tmpRef;\n\t\t\tesd->ipiPtr->tag = GF_ODF_ISOM_IPI_PTR_TAG;\n\t\t} else {\n\t\t\t//Watch out! ONLY ONE IPI dependency is allowed per stream\n\t\t\tif (dpnd->trackIDCount != 1) return GF_ISOM_INVALID_MEDIA;\n\t\t\t//if an existing one is there, what shall we do ???\n\t\t\t//donno, erase it\n\t\t\tdpnd->trackIDs[0] = esd->ipiPtr->IPI_ES_Id;\n\t\t\t//and replace the tag and value...\n\t\t\tesd->ipiPtr->IPI_ES_Id = 1;\n\t\t\tesd->ipiPtr->tag = GF_ODF_ISOM_IPI_PTR_TAG;\n\t\t}\n\t}\n\n\t/*don't store the lang desc in ESD, use the media header language info*/\n\tif (esd->langDesc) {\n\t\ttrak->Media->mediaHeader->packedLanguage[0] = (esd->langDesc->langCode>>16)&0xFF;\n\t\ttrak->Media->mediaHeader->packedLanguage[1] = (esd->langDesc->langCode>>8)&0xFF;\n\t\ttrak->Media->mediaHeader->packedLanguage[2] = (esd->langDesc->langCode)&0xFF;\n\t\tgf_odf_desc_del((GF_Descriptor *)esd->langDesc);\n\t\tesd->langDesc = NULL;\n\t}\n\n\t//we have a streamDescriptionIndex, use it\n\tif (StreamDescriptionIndex) {\n\t\tu32 entry_type;\n\t\tentry = (GF_MPEGSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, StreamDescriptionIndex - 1);\n\t\tif (!entry) return GF_ISOM_INVALID_FILE;\n\n\t\tentry_type = entry->type;\n\t\tGF_ProtectionSchemeInfoBox *sinf = (GF_ProtectionSchemeInfoBox *) gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_SINF);\n\t\tif (sinf && sinf->original_format) entry_type = sinf->original_format->data_format;\n\t\t\n\t\tswitch (entry_type) {\n\t\tcase GF_ISOM_BOX_TYPE_MP4S:\n\t\t\t//OK, delete the previous ESD\n\t\t\tgf_odf_desc_del((GF_Descriptor *) entry->esd->desc);\n\t\t\tentry->esd->desc = esd;\n\t\t\tbreak;\n\t\tcase GF_ISOM_BOX_TYPE_MP4V:\n\t\t\tentry_v = (GF_MPEGVisualSampleEntryBox*) entry;\n\t\t\t//OK, delete the previous ESD\n\t\t\tgf_odf_desc_del((GF_Descriptor *) entry_v->esd->desc);\n\t\t\tentry_v->esd->desc = 
esd;\n\t\t\tbreak;\n\t\tcase GF_ISOM_BOX_TYPE_MP4A:\n\t\t\tentry_a = (GF_MPEGAudioSampleEntryBox*) entry;\n if (entry_a->esd) { // some non-conformant files may not have an ESD ...\n //OK, delete the previous ESD\n gf_odf_desc_del((GF_Descriptor *) entry_a->esd->desc);\n entry_a->esd->desc = esd;\n } else {\n\t\t\t\t// can't return OK here otherwise we can't know if esd hasn't been used\n\t\t\t\t// and need to be freed\n\t\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\t\t}\n\t\t\tbreak;\n\t\tcase GF_ISOM_BOX_TYPE_AVC1:\n\t\tcase GF_ISOM_BOX_TYPE_AVC2:\n\t\tcase GF_ISOM_BOX_TYPE_AVC3:\n\t\tcase GF_ISOM_BOX_TYPE_AVC4:\n\t\tcase GF_ISOM_BOX_TYPE_SVC1:\n\t\tcase GF_ISOM_BOX_TYPE_MVC1:\n\t\tcase GF_ISOM_BOX_TYPE_HVC1:\n\t\tcase GF_ISOM_BOX_TYPE_HEV1:\n\t\tcase GF_ISOM_BOX_TYPE_HVC2:\n\t\tcase GF_ISOM_BOX_TYPE_HEV2:\n\t\tcase GF_ISOM_BOX_TYPE_LHE1:\n\t\tcase GF_ISOM_BOX_TYPE_LHV1:\n\t\tcase GF_ISOM_BOX_TYPE_HVT1:\n\t\tcase GF_ISOM_BOX_TYPE_VVC1:\n\t\tcase GF_ISOM_BOX_TYPE_VVI1:\n\t\t\te = AVC_HEVC_UpdateESD((GF_MPEGVisualSampleEntryBox*)entry, esd);\n\t\t\tif (e) return e;\n\t\t\tbreak;\n\t\tcase GF_ISOM_BOX_TYPE_LSR1:\n\t\t\te = LSR_UpdateESD((GF_LASeRSampleEntryBox*)entry, esd);\n\t\t\tif (e) return e;\n\t\t\tbreak;\n\t\tcase GF_ISOM_BOX_TYPE_AV01:\n\t\tcase GF_ISOM_BOX_TYPE_AV1C:\n\t\tcase GF_ISOM_BOX_TYPE_OPUS:\n\t\tcase GF_ISOM_BOX_TYPE_DOPS:\n\t\tcase GF_ISOM_BOX_TYPE_STXT:\n\t\tcase GF_ISOM_BOX_TYPE_WVTT:\n\t\tcase GF_ISOM_BOX_TYPE_STPP:\n\t\t\tif (esd) gf_odf_desc_del((GF_Descriptor *) esd);\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\t//silently fail, not an MPEG-4 esd\n\t\t\tgf_odf_desc_del((GF_Descriptor *) esd);\n\t\t\treturn GF_OK;\n\t\t}\n\t} else {\n\t\t//need to check we're not in URL mode where only ONE description is allowed...\n\t\tStreamDescriptionIndex = gf_list_count(trak->Media->information->sampleTable->SampleDescription->child_boxes);\n\t\tif (StreamDescriptionIndex) {\n\t\t\tGF_ESD *old_esd=NULL;\n\t\t\tentry = 
(GF_MPEGSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, StreamDescriptionIndex - 1);\n\t\t\tif (!entry) return GF_ISOM_INVALID_FILE;\n\t\t\t//get ESD (only if present, do not emulate)\n\t\t\tMedia_GetESD(trak->Media, StreamDescriptionIndex, &old_esd, GF_TRUE);\n\t\t\tif (old_esd && old_esd->URLString) return GF_BAD_PARAM;\n\t\t}\n\n\t\t//OK, check the handler and create the entry\n\t\tswitch (trak->Media->handler->handlerType) {\n case GF_ISOM_MEDIA_AUXV:\n case GF_ISOM_MEDIA_PICT:\n\t\tcase GF_ISOM_MEDIA_VISUAL:\n\t\t\tif ((esd->decoderConfig->objectTypeIndication==GF_CODECID_AVC) || (esd->decoderConfig->objectTypeIndication==GF_CODECID_SVC) || (esd->decoderConfig->objectTypeIndication==GF_CODECID_MVC)) {\n\t\t\t\tentry_v = (GF_MPEGVisualSampleEntryBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_AVC1);\n\t\t\t\tif (!entry_v) return GF_OUT_OF_MEM;\n\t\t\t\te = AVC_HEVC_UpdateESD((GF_MPEGVisualSampleEntryBox*)entry_v, esd);\n\t\t\t\tif (e) return e;\n\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_HEVC) {\n\t\t\t\tentry_v = (GF_MPEGVisualSampleEntryBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_HVC1);\n\t\t\t\tif (!entry_v) return GF_OUT_OF_MEM;\n\t\t\t\te = AVC_HEVC_UpdateESD((GF_MPEGVisualSampleEntryBox*)entry_v, esd);\n\t\t\t\tif (e) return e;\n\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_VVC) {\n\t\t\t\tentry_v = (GF_MPEGVisualSampleEntryBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_VVC1);\n\t\t\t\tif (!entry_v) return GF_OUT_OF_MEM;\n\t\t\t\te = AVC_HEVC_UpdateESD((GF_MPEGVisualSampleEntryBox*)entry_v, esd);\n\t\t\t\tif (e) return e;\n\t\t\t} else {\n\t\t\t\tentry_v = (GF_MPEGVisualSampleEntryBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_MP4V);\n\t\t\t\tif (!entry_v) return GF_OUT_OF_MEM;\n\t\t\t\tentry_v->esd = (GF_ESDBox *) gf_isom_box_new_parent(&entry_v->child_boxes, GF_ISOM_BOX_TYPE_ESDS);\n\t\t\t\tif (!entry_v->esd) return GF_OUT_OF_MEM;\n\t\t\t\tentry_v->esd->desc = 
esd;\n\t\t\t}\n\n\t\t\t//type cast possible now\n\t\t\tentry = (GF_MPEGSampleEntryBox*) entry_v;\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_AUDIO:\n\t\t\tif (esd->decoderConfig->objectTypeIndication == GF_CODECID_OPUS) {\n\t\t\t\tGF_MPEGAudioSampleEntryBox *opus = (GF_MPEGAudioSampleEntryBox *)gf_isom_box_new(GF_ISOM_BOX_TYPE_OPUS);\n\t\t\t\tif (!opus) return GF_OUT_OF_MEM;\n\t\t\t\topus->cfg_opus = (GF_OpusSpecificBox *)gf_isom_box_new_parent(&opus->child_boxes, GF_ISOM_BOX_TYPE_DOPS);\n\t\t\t\tif (!opus->cfg_opus) return GF_OUT_OF_MEM;\n\t\t\t\tentry = (GF_MPEGSampleEntryBox*)opus;\n\t\t\t\tgf_odf_desc_del((GF_Descriptor *) esd);\n\t\t\t} else if (esd->decoderConfig->objectTypeIndication == GF_CODECID_AC3) {\n\t\t\t\tGF_MPEGAudioSampleEntryBox *ac3 = (GF_MPEGAudioSampleEntryBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_AC3);\n\t\t\t\tif (!ac3) return GF_OUT_OF_MEM;\n\t\t\t\tac3->cfg_ac3 = (GF_AC3ConfigBox *) gf_isom_box_new_parent(&ac3->child_boxes, GF_ISOM_BOX_TYPE_DAC3);\n\t\t\t\tif (!ac3->cfg_ac3) return GF_OUT_OF_MEM;\n\t\t\t\tentry = (GF_MPEGSampleEntryBox*) ac3;\n\t\t\t\tgf_odf_desc_del((GF_Descriptor *) esd);\n\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_EAC3) {\n\t\t\t\tGF_MPEGAudioSampleEntryBox *eac3 = (GF_MPEGAudioSampleEntryBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_EC3);\n\t\t\t\tif (!eac3) return GF_OUT_OF_MEM;\n\t\t\t\teac3->cfg_ac3 = (GF_AC3ConfigBox *) gf_isom_box_new_parent(&eac3->child_boxes, GF_ISOM_BOX_TYPE_DEC3);\n\t\t\t\tif (!eac3->cfg_ac3) return GF_OUT_OF_MEM;\n\t\t\t\tentry = (GF_MPEGSampleEntryBox*) eac3;\n\t\t\t\tgf_odf_desc_del((GF_Descriptor *) esd);\n\t\t\t} else {\n\t\t\t\tentry_a = (GF_MPEGAudioSampleEntryBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_MP4A);\n\t\t\t\tif (!entry_a) return GF_OUT_OF_MEM;\n\t\t\t\tentry_a->samplerate_hi = trak->Media->mediaHeader->timeScale;\n\t\t\t\tentry_a->esd = (GF_ESDBox *) gf_isom_box_new_parent(&entry_a->child_boxes, GF_ISOM_BOX_TYPE_ESDS);\n\t\t\t\tif (!entry_a->esd) return 
GF_OUT_OF_MEM;\n\t\t\t\tentry_a->esd->desc = esd;\n\t\t\t\t//type cast possible now\n\t\t\t\tentry = (GF_MPEGSampleEntryBox*) entry_a;\n\t\t\t}\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tif ((esd->decoderConfig->streamType==0x03) && (esd->decoderConfig->objectTypeIndication==0x09)) {\n\t\t\t\tentry = (GF_MPEGSampleEntryBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_LSR1);\n\t\t\t\tif (!entry) return GF_OUT_OF_MEM;\n\t\t\t\te = LSR_UpdateESD((GF_LASeRSampleEntryBox*)entry, esd);\n\t\t\t\tif (e) return e;\n\t\t\t} else {\n\t\t\t\tentry = (GF_MPEGSampleEntryBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_MP4S);\n\t\t\t\tentry->esd = (GF_ESDBox *) gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_ESDS);\n\t\t\t\tif (!entry->esd) return GF_OUT_OF_MEM;\n\t\t\t\tentry->esd->desc = esd;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t\tentry->dataReferenceIndex = DataReferenceIndex;\n\n\t\tif (!trak->Media->information->sampleTable->SampleDescription->child_boxes)\n\t\t\ttrak->Media->information->sampleTable->SampleDescription->child_boxes = gf_list_new();\n\t\tgf_list_add(trak->Media->information->sampleTable->SampleDescription->child_boxes, entry);\n\t\t\n\t\te = stsd_on_child_box((GF_Box*)trak->Media->information->sampleTable->SampleDescription, (GF_Box *) entry, GF_FALSE);\n\t\tif (e) return e;\n\t\tif(outStreamIndex) *outStreamIndex = gf_list_count(trak->Media->information->sampleTable->SampleDescription->child_boxes);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 231357900987433658254911882591765169173, "size": 281, "commit_id": "df8fffd839fe5ae9acd82d26fd48280a397411d9", "message": "fixed #1736", "target": 0, "dataset": "other", "idx": 272324 }, { "func": "static void check_media_profile(GF_ISOFile *file, u32 track)\n{\n\tu8 PL;\n\tGF_ESD *esd = gf_isom_get_esd(file, track, 1);\n\tif (!esd) return;\n\n\tswitch (esd->decoderConfig->streamType) {\n\tcase 0x04:\n\t\tPL = gf_isom_get_pl_indication(file, GF_ISOM_PL_VISUAL);\n\t\tif 
(esd->decoderConfig->objectTypeIndication==GF_CODECID_MPEG4_PART2) {\n\t\t\tGF_M4VDecSpecInfo vdsi;\n\t\t\tgf_m4v_get_config(esd->decoderConfig->decoderSpecificInfo->data, esd->decoderConfig->decoderSpecificInfo->dataLength, &vdsi);\n\t\t\tif (vdsi.VideoPL > PL) gf_isom_set_pl_indication(file, GF_ISOM_PL_VISUAL, vdsi.VideoPL);\n\t\t} else if ((esd->decoderConfig->objectTypeIndication==GF_CODECID_AVC) || (esd->decoderConfig->objectTypeIndication==GF_CODECID_SVC)) {\n\t\t\tgf_isom_set_pl_indication(file, GF_ISOM_PL_VISUAL, 0x15);\n\t\t} else if (!PL) {\n\t\t\tgf_isom_set_pl_indication(file, GF_ISOM_PL_VISUAL, 0xFE);\n\t\t}\n\t\tbreak;\n\tcase 0x05:\n\t\tPL = gf_isom_get_pl_indication(file, GF_ISOM_PL_AUDIO);\n\t\tswitch (esd->decoderConfig->objectTypeIndication) {\n\t\tcase GF_CODECID_AAC_MPEG2_MP:\n\t\tcase GF_CODECID_AAC_MPEG2_LCP:\n\t\tcase GF_CODECID_AAC_MPEG2_SSRP:\n\t\tcase GF_CODECID_AAC_MPEG4:\n\t\t{\n\t\t\tGF_M4ADecSpecInfo adsi;\n\t\t\tgf_m4a_get_config(esd->decoderConfig->decoderSpecificInfo->data, esd->decoderConfig->decoderSpecificInfo->dataLength, &adsi);\n\t\t\tif (adsi.audioPL > PL) gf_isom_set_pl_indication(file, GF_ISOM_PL_AUDIO, adsi.audioPL);\n\t\t}\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tif (!PL) gf_isom_set_pl_indication(file, GF_ISOM_PL_AUDIO, 0xFE);\n\t\t}\n\t\tbreak;\n\t}\n\tgf_odf_desc_del((GF_Descriptor *) esd);\n}", "project": "gpac", "hash": 301175838092690062480792697795253185112, "size": 39, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244393 }, { "func": "GF_Err stbl_RemovePaddingBits(GF_SampleTableBox *stbl, u32 SampleNumber)\n{\n\tu8 *p;\n\tu32 i, k;\n\n\tif (!stbl->PaddingBits) return GF_OK;\n\tif (stbl->PaddingBits->SampleCount < SampleNumber) return GF_BAD_PARAM;\n\n\t//last sample - remove the table\n\tif (stbl->PaddingBits->SampleCount == 1) {\n\t\tgf_isom_box_del_parent(&stbl->child_boxes, (GF_Box *) stbl->PaddingBits);\n\t\tstbl->PaddingBits = 
NULL;\n\t\treturn GF_OK;\n\t}\n\n\t//reallocate and check size by the way...\n\tp = (u8 *)gf_malloc(sizeof(u8) * (stbl->PaddingBits->SampleCount - 1));\n\tif (!p) return GF_OUT_OF_MEM;\n\n\tk=0;\n\tfor (i=0; iPaddingBits->SampleCount; i++) {\n\t\tif (i+1 != SampleNumber) {\n\t\t\tp[k] = stbl->PaddingBits->padbits[i];\n\t\t\tk++;\n\t\t}\n\t}\n\n\tstbl->PaddingBits->SampleCount -= 1;\n\tgf_free(stbl->PaddingBits->padbits);\n\tstbl->PaddingBits->padbits = p;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 106253514025024742953497961173636089452, "size": 32, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267911 }, { "func": "GF_Err gf_isom_patch_last_sample_duration(GF_ISOFile *movie, u32 trackNumber, u64 next_dts)\n{\n\treturn gf_isom_set_last_sample_duration_internal(movie, trackNumber, next_dts, 0, 2);\n}", "project": "gpac", "hash": 187867793095353495243456515806652339682, "size": 4, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267198 }, { "func": "GF_Err stbl_AddCTS(GF_SampleTableBox *stbl, u32 sampleNumber, s32 offset)\n{\n\tu32 i, j, sampNum, *CTSs;\n\n\tGF_CompositionOffsetBox *ctts = stbl->CompositionOffset;\n\n\t/*in unpack mode we're sure to have 1 ctts entry per sample*/\n\tif (ctts->unpack_mode) {\n\t\tif (ctts->nb_entries==ctts->alloc_size) {\n\t\t\tALLOC_INC(ctts->alloc_size);\n\t\t\tctts->entries = gf_realloc(ctts->entries, sizeof(GF_DttsEntry)*ctts->alloc_size);\n\t\t\tif (!ctts->entries) return GF_OUT_OF_MEM;\n\t\t\tmemset(&ctts->entries[ctts->nb_entries], 0, sizeof(GF_DttsEntry)*(ctts->alloc_size - ctts->nb_entries) );\n\t\t}\n\t\tctts->entries[ctts->nb_entries].decodingOffset = offset;\n\t\tctts->entries[ctts->nb_entries].sampleCount = 1;\n\t\tctts->nb_entries++;\n\t\tctts->w_LastSampleNumber++;\n\t\tif (offset<0) ctts->version=1;\n\t\treturn GF_OK;\n\t}\n\t//check if we're working in 
order...\n\tif (ctts->w_LastSampleNumber < sampleNumber) {\n\t\t//add some 0 till we get to the sample\n\t\twhile (ctts->w_LastSampleNumber + 1 != sampleNumber) {\n\t\t\tGF_Err e = AddCompositionOffset(ctts, 0);\n\t\t\tif (e) return e;\n\t\t}\n\t\treturn AddCompositionOffset(ctts, offset);\n\t}\n\n\t//NOPE we are inserting a sample...\n\tCTSs = (u32*)gf_malloc(sizeof(u32) * (stbl->SampleSize->sampleCount+1) );\n\tif (!CTSs) return GF_OUT_OF_MEM;\n\tsampNum = 0;\n\tfor (i=0; inb_entries; i++) {\n\t\tfor (j = 0; jentries[i].sampleCount; j++) {\n\t\t\tif (sampNum > stbl->SampleSize->sampleCount) {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Too many CTS Offset entries for %d samples\\n\", stbl->SampleSize->sampleCount ));\n\t\t\t\tgf_free(CTSs);\n\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\t\t\tif (sampNum+1==sampleNumber) {\n\t\t\t\tCTSs[sampNum] = offset;\n\t\t\t\tsampNum ++;\n\t\t\t}\n\t\t\tCTSs[sampNum] = ctts->entries[i].decodingOffset;\n\t\t\tsampNum ++;\n\t\t}\n\t}\n\n\t/*we will at most add 2 new entries (splitting of an existing one)*/\n\tif (ctts->nb_entries+2>=ctts->alloc_size) {\n\t\tctts->alloc_size += 2;\n\t\tctts->entries = gf_realloc(ctts->entries, sizeof(GF_DttsEntry)*ctts->alloc_size);\n\t\tif (!ctts->entries) return GF_OUT_OF_MEM;\n\t\tmemset(&ctts->entries[ctts->nb_entries], 0, sizeof(GF_DttsEntry)*(ctts->alloc_size-ctts->nb_entries) );\n\t}\n\n\tctts->entries[0].sampleCount = 1;\n\tctts->entries[0].decodingOffset = CTSs[0];\n\tctts->nb_entries = 1;\n\tj=0;\n\tfor (i=1; iSampleSize->sampleCount + 1; i++) {\n\t\tif (CTSs[i]==ctts->entries[j].decodingOffset) {\n\t\t\tctts->entries[j].sampleCount++;\n\t\t} else {\n\t\t\tj++;\n\t\t\tctts->nb_entries++;\n\t\t\tctts->entries[j].sampleCount = 1;\n\t\t\tctts->entries[j].decodingOffset = CTSs[i];\n\t\t}\n\t}\n\tgf_free(CTSs);\n\n\tif (offset<0) ctts->version=1;\n\n\t/*we've inserted a sample, therefore the last sample (n) has now number n+1\n\twe cannot use SampleCount because we have 
probably skipped some samples\n\t(we're calling AddCTS only if the sample has a offset !!!)*/\n\tctts->w_LastSampleNumber += 1;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 18699702542015527069322532464778714373, "size": 83, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267905 }, { "func": "GF_Err gf_isom_change_ismacryp_protection(GF_ISOFile *the_file, u32 trackNumber, u32 sampleDescriptionIndex, char *scheme_uri, char *kms_uri)\n{\n\tGF_TrackBox *trak;\n\tGF_Err e;\n\tGF_SampleEntryBox *sea;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\n\te = CanAccessMovie(the_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !sampleDescriptionIndex) return GF_BAD_PARAM;\n\n\tsea = NULL;\n\tsinf = isom_get_sinf_entry(trak, sampleDescriptionIndex, GF_ISOM_ISMACRYP_SCHEME, &sea);\n\tif (!sinf) return GF_OK;\n\n\tif (scheme_uri) {\n\t\tgf_free(sinf->scheme_type->URI);\n\t\tsinf->scheme_type->URI = gf_strdup(scheme_uri);\n\t}\n\tif (kms_uri) {\n\t\tgf_free(sinf->info->ikms->URI);\n\t\tsinf->info->ikms->URI = gf_strdup(kms_uri);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 233251125758162915015138817413510487001, "size": 27, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275442 }, { "func": "void PrintImportUsage()\n{\n\tu32 i;\n\t\n\tgf_sys_format_help(helpout, help_flags, \"# Importing Options\\n\"\n\t\t\"# File importing\\n\"\n\t\t\"Syntax is [-add]() / [-cat]() `filename[#FRAGMENT][:opt1...:optN=val]`\\n\"\n\t\t\"This process will create the destination file if not existing, and add the track(s) to it. 
If you wish to always create a new destination file, add [-new](MP4B_GEN).\\n\"\n\t\t\"The supported input media types depend on your installation, check [filters documentation](Filters) for more info.\\n\"\n\t\t\" \\n\"\n\t\t\"To select a desired media track from a source, a fragment identifier '#' can be specified, bfore any other options. The following syntax is used:\\n\"\n\t\t\"- `#video`: adds the first video track found in source\\n\"\n\t\t\"- `#audio`: adds the first audio track found in source\\n\"\n\t\t\"- `#auxv`: adds the first auxiliary video track found in source\\n\"\n\t\t\"- `#pict`: adds the first picture track found in source\\n\"\n\t\t\"- `#trackID=ID` or `#ID`: adds the specified track. For IsoMedia files, ID is the track ID. For other media files, ID is the value indicated by `MP4Box -info inputFile`\\n\"\n\t\t\"- `#pid=ID`: number of desired PID for MPEG-2 TS sources\\n\"\n\t\t\"- `#prog_id=ID`: number of desired program for MPEG-2 TS sources\\n\"\n\t\t\"- `#program=NAME`: name of desired program for MPEG-2 TS sources\\n\"\n\t\t\" \\n\"\n\t\t\"By default all imports are performed sequentially, and final interleaving is done at the end; this however requires a temporary file holding original ISOBMF file (if any) and added files before creating the final output. Since this can become quite large, it is possible to add media to a new file without temporary storage, using [-flat](MP4B_GEN) option, but this disables media interleaving.\\n\"\n\t\t\" \\n\"\n\t\t\"If you wish to create an interleaved new file with no temporary storage, use the [-newfs](MP4B_GEN) option. The interleaving might not be as precise as when using [-new]() since it is dependent on muxer input scheduling (each execution might lead to a slightly different result). 
Additionally in this mode: \\n\"\n\t\t\" - Some muxing options (marked with `X` below) will be activated for all inputs (e.g it is not possible to import one AVC track with `xps_inband` and another without).\\n\"\n\t\t\" - Some muxing options (marked as `D` below) cannot be used as they require temporary storage for file edition.\\n\"\n\t\t\" - Usage of [-cat]() is possible, but concatenated sources will not be interleaved in the output. If you wish to perforom more complex cat/add operations without temp file, use the [gpac application](Filters).\\n\"\n\t\t\" \\n\"\n\t\t\"Note: MP4Box cannot start importing from a random point in the input, it always import from the begining. If you wish to import from another point in the source, use the [gpac application](Filters).\\n\"\n\t\t\" \\n\"\n\t\t\"Note: When importing SRT or SUB files, MP4Box will choose default layout options to make the subtitle appear at the bottom of the video. You SHOULD NOT import such files before any video track is added to the destination file, otherwise the results will likelly not be useful (default SRT/SUB importing uses default serif font, fontSize 18 and display size 400x60). For more details, check [TTXT doc](Subtitling-with-GPAC).\\n\"\n\t\t\" \\n\"\n\t\t\"When importing several tracks/sources in one pass, all options will be applied if relevant to each source. These options are set for all imported streams. If you need to specify these options par stream, set per-file options using the syntax `-add stream[:opt1:...:optN]`. 
Allowed per-file options:\\n\\n\"\n\t);\n\n\ti=0;\n\twhile (ImportFileOpts[i].name) {\n\t\tGF_GPACArg *arg = &ImportFileOpts[i];\n\t\ti++;\n\t\tgf_sys_print_arg(helpout, help_flags | GF_PRINTARG_NO_DASH, arg, \"mp4box-import\");\n\t}\n\n\tgf_sys_format_help(helpout, help_flags, \"\\n\"\n\t\t\"Note: `sopt`, `dopt` and `@@f` must be placed after all other options.\\n\"\n\t\t\"# Global import options\\n\"\n\t);\n\n\ti=0;\n\twhile (m4b_imp_args[i].name) {\n\t\tGF_GPACArg *arg = &m4b_imp_args[i];\n\t\ti++;\n\t\tgf_sys_print_arg(helpout, help_flags, arg, \"mp4box-import\");\n\t}\n}", "project": "gpac", "hash": 235227674095898717127214395155296879513, "size": 53, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244377 }, { "func": "void remove_systems_tracks(GF_ISOFile *file)\n{\n\tu32 i, count;\n\n\tcount = gf_isom_get_track_count(file);\n\tif (count==1) return;\n\n\t/*force PL rewrite*/\n\tgf_isom_set_pl_indication(file, GF_ISOM_PL_VISUAL, 0);\n\tgf_isom_set_pl_indication(file, GF_ISOM_PL_AUDIO, 0);\n\tgf_isom_set_pl_indication(file, GF_ISOM_PL_OD, 1);\t/*the lib always remove IOD when no profiles are specified..*/\n\n\tfor (i=0; imoov->child_boxes, &i))) {\n\t\tif (pssh->type != GF_ISOM_BOX_TYPE_PSSH) continue;\n\t\tif (count == pssh_index) break;\n\t\tcount++;\n\t}\n\tif (!pssh) return GF_BAD_PARAM;\n\tbs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\te = gf_isom_box_write(pssh, bs);\n\tif (!e) {\n\t\tgf_bs_get_content(bs, pssh_data, pssh_size);\n\t}\n\tgf_bs_del(bs);\n\treturn e;", "project": "gpac", "hash": 64240267662658993709524187069868746882, "size": 21, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246786 }, { "func": "GF_Err stbl_AppendDegradation(GF_SampleTableBox *stbl, u16 DegradationPriority)\n{\n\tif (!stbl->DegradationPriority) {\n\t\tstbl->DegradationPriority = (GF_DegradationPriorityBox *) 
gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STDP);\n\t\tif (!stbl->DegradationPriority) return GF_OUT_OF_MEM;\n\t}\n\n\tstbl->DegradationPriority->priorities = (u16 *)gf_realloc(stbl->DegradationPriority->priorities, sizeof(u16) * stbl->SampleSize->sampleCount);\n\tif (!stbl->DegradationPriority->priorities) return GF_OUT_OF_MEM;\n\tstbl->DegradationPriority->priorities[stbl->SampleSize->sampleCount-1] = DegradationPriority;\n\tstbl->DegradationPriority->nb_entries = stbl->SampleSize->sampleCount;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 91337271778799755613863040944513024507, "size": 13, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267908 }, { "func": "static Bool strstr_nocase(const char *text, const char *subtext, u32 subtext_len)\n{\n\tif (!text || !*text || !subtext || !subtext)\n\t\treturn GF_FALSE;\n\n\twhile (*text) {\n\t\tif (tolower(*text) == *subtext) {\n\t\t\tif (!strnicmp(text, subtext, subtext_len))\n\t\t\t\treturn GF_TRUE;\n\n\t\t}\n\t\ttext++;\n\t}\n\treturn GF_FALSE;\n}", "project": "gpac", "hash": 103418602072729012426508035975191228136, "size": 15, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244396 }, { "func": "GF_EXPORT\nBool gf_isom_sample_is_fragment_start(GF_ISOFile *movie, u32 trackNumber, u32 sampleNum, GF_ISOFragmentBoundaryInfo *frag_info)\n{\n\tu32 i;\n\tGF_TrackBox *trak;\n\tGF_TrafToSampleMap *tmap;\n\n\tif (frag_info) memset(frag_info, 0, sizeof(GF_ISOFragmentBoundaryInfo));\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak || !trak->Media) return GF_FALSE;\n\tif (!trak->Media->information->sampleTable->traf_map) return GF_FALSE;\n\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\tif (sampleNum<=trak->sample_count_at_seg_start)\n\t\treturn GF_FALSE;\n\tsampleNum -= trak->sample_count_at_seg_start;\n#endif\n\n\ttmap = 
trak->Media->information->sampleTable->traf_map;\n\tif (!tmap) return GF_FALSE;\n\tfor (i=0; inb_entries; i++) {\n\t\tGF_TrafMapEntry *finfo = &tmap->frag_starts[i];\n\t\tif (finfo->sample_num == sampleNum) {\n\t\t\tif (frag_info) {\n\t\t\t\tfrag_info->frag_start = finfo->moof_start;\n\t\t\t\tfrag_info->mdat_end = finfo->mdat_end;\n\t\t\t\tfrag_info->moof_template = finfo->moof_template;\n\t\t\t\tfrag_info->moof_template_size = finfo->moof_template_size;\n\t\t\t\tfrag_info->seg_start_plus_one = finfo->seg_start_plus_one;\n\t\t\t\tfrag_info->sidx_start = finfo->sidx_start;\n\t\t\t\tfrag_info->sidx_end = finfo->sidx_end;\n\t\t\t}\n\t\t\treturn GF_TRUE;\n\t\t}\n\n\t\tif (tmap->frag_starts[i].sample_num > sampleNum) return GF_FALSE;\n\t}\n\treturn GF_FALSE;", "project": "gpac", "hash": 71725807407755468088547077795904043503, "size": 39, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246805 }, { "func": "GF_Err gf_isom_mvc_config_del(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex)\n{\n\treturn gf_isom_svc_mvc_config_del(the_file, trackNumber, DescriptionIndex, GF_TRUE);\n}", "project": "gpac", "hash": 329155851848520290452368156622950758501, "size": 4, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237565 }, { "func": "GF_SampleEncryptionBox * gf_isom_create_piff_psec_box(u8 version, u32 flags, u32 AlgorithmID, u8 IV_size, bin128 KID)\n{\n\tGF_SampleEncryptionBox *psec;\n\n\tpsec = (GF_SampleEncryptionBox *) gf_isom_box_new(GF_ISOM_BOX_UUID_PSEC);\n\tif (!psec)\n\t\treturn NULL;\n\tpsec->version = version;\n\tpsec->flags = flags;\n\tpsec->piff_type = 1;\n\tif (psec->flags & 0x1) {\n\t\tpsec->AlgorithmID = AlgorithmID;\n\t\tpsec->IV_size = IV_size;\n\t\tstrcpy((char *)psec->KID, (const char *)KID);\n\t}\n\tpsec->samp_aux_info = gf_list_new();\n\n\treturn psec;\n}", "project": "gpac", "hash": 
85412431627933219144998372704528045484, "size": 19, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275438 }, { "func": "Bool gf_isom_is_cenc_media(GF_ISOFile *the_file, u32 trackNumber, u32 sampleDescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\tu32 i, count;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_FALSE;\n\n\tcount = gf_list_count(trak->Media->information->sampleTable->SampleDescription->child_boxes);\n\tfor (i=0; ischeme_type)\n\t\t\treturn GF_FALSE;\n\n\t\tswitch (sinf->scheme_type->scheme_type) {\n\t\tcase GF_ISOM_CENC_SCHEME:\n\t\tcase GF_ISOM_CBC_SCHEME:\n\t\tcase GF_ISOM_CENS_SCHEME:\n\t\tcase GF_ISOM_CBCS_SCHEME:\n\t\tcase GF_ISOM_SVE1_SCHEME:\n\t\t\treturn GF_TRUE;\n\t\tdefault:\n\t\t\treturn GF_FALSE;\n\t\t}\n\t\treturn GF_TRUE;\n\t}\n\treturn GF_FALSE;\n\n}", "project": "gpac", "hash": 334799904487992352185137180104910473729, "size": 40, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275437 }, { "func": "GF_Err gf_isom_modify_alternate_brand(GF_ISOFile *movie, u32 Brand, Bool AddIt)\n{\n\tu32 i, k, *p;\n\n\tif (!Brand) return GF_BAD_PARAM;\n\n#ifndef GPAC_DISABLE_ISOM_FRAGMENTS\n\tif (! 
(movie->FragmentsFlags & GF_ISOM_FRAG_WRITE_READY)) {\n\t\tGF_Err e = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\t\tif (e) return e;\n\n\t\te = CheckNoData(movie);\n\t\tif (e) return e;\n\t}\n#endif\n\n\tif (!movie->brand && AddIt) {\n\t\tmovie->brand = (GF_FileTypeBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_FTYP);\n\t\tif (!movie->brand) return GF_OUT_OF_MEM;\n\t\tgf_list_add(movie->TopBoxes, movie->brand);\n\t}\n\tif (!AddIt && !movie->brand) return GF_OK;\n\n\t//do not mofify major one\n\tif (!AddIt && movie->brand->majorBrand == Brand) return GF_OK;\n\n\tif (!AddIt && movie->brand->altCount == 1) {\n\t\t//fixes it in case\n\t\tmovie->brand->altBrand[0] = movie->brand->majorBrand;\n\t\treturn GF_OK;\n\t}\n\t//check for the brand\n\tfor (i=0; ibrand->altCount; i++) {\n\t\tif (movie->brand->altBrand[i] == Brand) goto found;\n\t}\n\t//Not found\n\tif (!AddIt) return GF_OK;\n\t//add it\n\tp = (u32*)gf_malloc(sizeof(u32)*(movie->brand->altCount + 1));\n\tif (!p) return GF_OUT_OF_MEM;\n\tif (movie->brand->altBrand) {\n\t\tmemcpy(p, movie->brand->altBrand, sizeof(u32)*movie->brand->altCount);\n\t\tgf_free(movie->brand->altBrand);\n\t}\n\tp[movie->brand->altCount] = Brand;\n\tmovie->brand->altCount += 1;\n\tmovie->brand->altBrand = p;\n\treturn GF_OK;\n\nfound:\n\n\t//found\n\tif (AddIt) return GF_OK;\n\tassert(movie->brand->altCount>1);\n\n\t//remove it\n\tp = (u32*)gf_malloc(sizeof(u32)*(movie->brand->altCount - 1));\n\tif (!p) return GF_OUT_OF_MEM;\n\tk = 0;\n\tfor (i=0; ibrand->altCount; i++) {\n\t\tif (movie->brand->altBrand[i] == Brand) continue;\n\t\telse {\n\t\t\tp[k] = movie->brand->altBrand[i];\n\t\t\tk++;\n\t\t}\n\t}\n\tmovie->brand->altCount -= 1;\n\tgf_free(movie->brand->altBrand);\n\tmovie->brand->altBrand = p;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 81860963654264169076694993557766080940, "size": 71, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267344 }, { "func": "GF_Err 
stbl_AppendTrafMap(GF_SampleTableBox *stbl, Bool is_seg_start, u64 seg_start_offset, u64 frag_start_offset, u8 *moof_template, u32 moof_template_size, u64 sidx_start, u64 sidx_end)\n{\n\tGF_TrafToSampleMap *tmap;\n\tGF_TrafMapEntry *tmap_ent;\n\tif (!stbl->traf_map) {\n\t\t//nope, create one\n\t\tGF_SAFEALLOC(stbl->traf_map, GF_TrafToSampleMap);\n\t\tif (!stbl->traf_map) return GF_OUT_OF_MEM;\n\t}\n\ttmap = stbl->traf_map;\n\tif (tmap->nb_entries >= stbl->SampleSize->sampleCount) {\n\t\tu32 i;\n\t\tfor (i=0; inb_entries; i++) {\n\t\t\tif (tmap->frag_starts[i].moof_template)\n\t\t\t\tgf_free(tmap->frag_starts[i].moof_template);\n\t\t}\n\t\tmemset(tmap->frag_starts, 0, sizeof(GF_TrafMapEntry)*tmap->nb_alloc);\n\t\ttmap->nb_entries = 0;\n\t}\n\n\tif (tmap->nb_entries + 1 > tmap->nb_alloc) {\n\t\ttmap->nb_alloc++;\n\t\ttmap->frag_starts = gf_realloc(tmap->frag_starts, sizeof(GF_TrafMapEntry) * tmap->nb_alloc);\n\t\tif (!tmap->frag_starts) return GF_OUT_OF_MEM;\n\t}\n\ttmap_ent = &tmap->frag_starts[tmap->nb_entries];\n\ttmap->nb_entries += 1;\n\n\tmemset(tmap_ent, 0, sizeof(GF_TrafMapEntry));\n\ttmap_ent->sample_num = stbl->SampleSize->sampleCount;\n\ttmap_ent->moof_template = moof_template;\n\ttmap_ent->moof_template_size = moof_template_size;\n\ttmap_ent->moof_start = frag_start_offset;\n\ttmap_ent->sidx_start = sidx_start;\n\ttmap_ent->sidx_end = sidx_end;\n\tif (is_seg_start)\n\t\ttmap_ent->seg_start_plus_one = 1 + seg_start_offset;\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 192832077402496377642132858738677117034, "size": 40, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267874 }, { "func": "GF_Err gf_isom_add_sample_shadow(GF_ISOFile *movie, u32 trackNumber, GF_ISOSample *sample)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\tGF_ISOSample *prev;\n\tGF_SampleEntryBox *entry;\n\tu32 dataRefIndex;\n\tu64 data_offset;\n\tu32 descIndex;\n\tu32 sampleNum, 
prevSampleNum;\n\tGF_DataEntryURLBox *Dentry;\n\tBool offset_times = GF_FALSE;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak || !sample) return GF_BAD_PARAM;\n\n\te = FlushCaptureMode(movie);\n\tif (e) return e;\n\n\te = unpack_track(trak);\n\tif (e) return e;\n\n\te = stbl_findEntryForTime(trak->Media->information->sampleTable, sample->DTS, 0, &sampleNum, &prevSampleNum);\n\tif (e) return e;\n\t/*we need the EXACT match*/\n\tif (!sampleNum) return GF_BAD_PARAM;\n\n\tprev = gf_isom_get_sample_info(movie, trackNumber, sampleNum, &descIndex, NULL);\n\tif (!prev) return gf_isom_last_error(movie);\n\t/*for conformance*/\n\tif (sample->DTS==prev->DTS) offset_times = GF_TRUE;\n\tgf_isom_sample_del(&prev);\n\n\te = Media_GetSampleDesc(trak->Media, descIndex, &entry, &dataRefIndex);\n\tif (e) return e;\n\tif (!entry || !dataRefIndex) return GF_BAD_PARAM;\n\ttrak->Media->information->sampleTable->currentEntryIndex = descIndex;\n\n\t//get this dataRef and return false if not self contained\n\tDentry = (GF_DataEntryURLBox*)gf_list_get(trak->Media->information->dataInformation->dref->child_boxes, dataRefIndex - 1);\n\tif (!Dentry || Dentry->flags != 1) return GF_BAD_PARAM;\n\n\t//Open our data map. 
We are adding stuff, so use EDIT\n\te = gf_isom_datamap_open(trak->Media, dataRefIndex, 1);\n\tif (e) return e;\n\n\tdata_offset = gf_isom_datamap_get_offset(trak->Media->information->dataHandler);\n\tif (offset_times) sample->DTS += 1;\n\n\t/*REWRITE ANY OD STUFF*/\n\tif (trak->Media->handler->handlerType == GF_ISOM_MEDIA_OD) {\n\t\tGF_ISOSample *od_sample = NULL;\n\t\te = Media_ParseODFrame(trak->Media, sample, &od_sample);\n\t\tif (e) return e;\n\n\t\te = trak_add_sample(movie, trak, od_sample, descIndex, data_offset, sampleNum);\n\t\tif (od_sample)\n\t\t\tgf_isom_sample_del(&od_sample);\n\t} else {\n\t\te = trak_add_sample(movie, trak, sample, descIndex, data_offset, sampleNum);\n\t}\n\tif (e) return e;\n\tif (offset_times) sample->DTS -= 1;\n\n\t//OK, update duration\n\te = Media_SetDuration(trak);\n\tif (e) return e;\n\tif (!movie->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\treturn SetTrackDuration(trak);\n}", "project": "gpac", "hash": 2320039993952253949337416776506805984, "size": 74, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267269 }, { "func": "GF_EXPORT\nGF_ISONaluExtractMode gf_isom_get_nalu_extract_mode(GF_ISOFile *the_file, u32 trackNumber)\n{\n\tGF_TrackBox *trak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return 0;\n\treturn trak->extractor_mode;", "project": "gpac", "hash": 246677189019276401703476654959076406411, "size": 6, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246831 }, { "func": "void HEVC_RewriteESDescriptorEx(GF_MPEGVisualSampleEntryBox *hevc, GF_MediaBox *mdia)\n{\n\tGF_BitRateBox *btrt = gf_isom_sample_entry_get_bitrate((GF_SampleEntryBox *)hevc, GF_FALSE);\n\n\tif (hevc->emul_esd) gf_odf_desc_del((GF_Descriptor *)hevc->emul_esd);\n\thevc->emul_esd = 
gf_odf_desc_esd_new(2);\n\thevc->emul_esd->decoderConfig->streamType = GF_STREAM_VISUAL;\n\thevc->emul_esd->decoderConfig->objectTypeIndication = GF_CODECID_HEVC;\n\n\tif (btrt) {\n\t\thevc->emul_esd->decoderConfig->bufferSizeDB = btrt->bufferSizeDB;\n\t\thevc->emul_esd->decoderConfig->avgBitrate = btrt->avgBitrate;\n\t\thevc->emul_esd->decoderConfig->maxBitrate = btrt->maxBitrate;\n\t}\n\tGF_MPEG4ExtensionDescriptorsBox *mdesc = (GF_MPEG4ExtensionDescriptorsBox *) gf_isom_box_find_child(hevc->child_boxes, GF_ISOM_BOX_TYPE_M4DS);\n\tif (mdesc) {\n\t\tu32 i=0;\n\t\tGF_Descriptor *desc,*clone;\n\t\ti=0;\n\t\twhile ((desc = (GF_Descriptor *)gf_list_enum(mdesc->descriptors, &i))) {\n\t\t\tclone = NULL;\n\t\t\tgf_odf_desc_copy(desc, &clone);\n\t\t\tif (gf_odf_desc_add_desc((GF_Descriptor *)hevc->emul_esd, clone) != GF_OK)\n\t\t\t\tgf_odf_desc_del(clone);\n\t\t}\n\t}\n\n\tif (hevc->hevc_config || hevc->lhvc_config) {\n\t\tGF_HEVCConfig *hcfg = HEVC_DuplicateConfig(hevc->hevc_config ? hevc->hevc_config->config : hevc->lhvc_config->config);\n\n\t\tif (hevc->hevc_config && hevc->lhvc_config) {\n\t\t\t//merge LHVC config to HEVC conf, so we add entry rather than insert\n\t\t\tmerge_hevc_config(hcfg, hevc->lhvc_config->config, GF_FALSE);\n\t\t}\n\n\t\tif (mdia) merge_all_config(NULL, hcfg, mdia);\n\n\t\tif (hcfg) {\n\t\t\tif (mdia && ((mdia->mediaTrack->extractor_mode&0x0000FFFF) != GF_ISOM_NALU_EXTRACT_INSPECT)) {\n\t\t\t\thcfg->is_lhvc=GF_FALSE;\n\t\t\t}\n\n\t\t\tgf_odf_hevc_cfg_write(hcfg, &hevc->emul_esd->decoderConfig->decoderSpecificInfo->data, &hevc->emul_esd->decoderConfig->decoderSpecificInfo->dataLength);\n\t\t\tgf_odf_hevc_cfg_del(hcfg);\n\t\t}\n\t}\n}", "project": "gpac", "hash": 226201594867397679240569071768760867886, "size": 47, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237586 }, { "func": "static u64 do_size_top_boxes(char *inName, char *compress_top_boxes, u32 
mode)\n{\n\tFILE *in;\n\tu64 top_size = 0;\n\tBool do_all = GF_FALSE;\n\tGF_BitStream *bs_in;\n\tif (!compress_top_boxes) return GF_BAD_PARAM;\n\tif (!strcmp(compress_top_boxes, \"all\"))\n\t\tdo_all = GF_TRUE;\n\n\tin = gf_fopen(inName, \"rb\");\n\tif (!in) return GF_URL_ERROR;\n\tbs_in = gf_bs_from_file(in, GF_BITSTREAM_READ);\n\twhile (gf_bs_available(bs_in)) {\n\t\tconst char *stype;\n\t\tu32 hdr_size = 8;\n\t\tu64 lsize = gf_bs_read_u32(bs_in);\n\t\tu32 type = gf_bs_read_u32(bs_in);\n\n\t\tif (lsize==1) {\n\t\t\tlsize = gf_bs_read_u64(bs_in);\n\t\t\thdr_size = 16;\n\t\t} else if (lsize==0) {\n\t\t\tlsize = gf_bs_available(bs_in) + 8;\n\t\t}\n\t\tstype = gf_4cc_to_str(type);\n\t\tif (do_all || strstr(compress_top_boxes, stype)) {\n\t\t\t//only count boxes\n\t\t\tif (mode==2) {\n\t\t\t\ttop_size += 1;\n\t\t\t} else {\n\t\t\t\ttop_size += lsize;\n\t\t\t}\n\t\t}\n\t\tgf_bs_skip_bytes(bs_in, lsize - hdr_size);\n\t}\n\tgf_bs_del(bs_in);\n\tgf_fclose(in);\n\treturn top_size;\n\n}", "project": "gpac", "hash": 300031576311104105303245637804488310760, "size": 41, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244416 }, { "func": "}\n\nvoid print_udta(GF_ISOFile *file, u32 track_number, Bool has_itags)\n{\n\tu32 i, count;\n\n\tcount = gf_isom_get_udta_count(file, track_number);\n\tif (!count) return;\n\n\tif (has_itags) {\n\t\tfor (i=0; ieditBox || !trak->editBox->editList) return GF_OK;\n\tif (gf_list_count(trak->editBox->editList->entryList)<=1) return gf_isom_remove_edits(movie, trackNumber);\n\n\tent = (GF_EdtsEntry*) gf_list_get(trak->editBox->editList->entryList, seg_index-1);\n\tgf_list_rem(trak->editBox->editList->entryList, seg_index-1);\n\tnext_ent = (GF_EdtsEntry *)gf_list_get(trak->editBox->editList->entryList, seg_index-1);\n\tif (next_ent) next_ent->segmentDuration += ent->segmentDuration;\n\tgf_free(ent);\n\treturn SetTrackDuration(trak);\n}", "project": "gpac", "hash": 
236372395827109459056774664389624316219, "size": 21, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267249 }, { "func": "GF_Err traf_on_child_box(GF_Box *s, GF_Box *a)\n{\n\tGF_TrackFragmentBox *ptr = (GF_TrackFragmentBox *)s;\n\n\tswitch (a->type) {\n\tcase GF_ISOM_BOX_TYPE_TFHD:\n\t\tif (ptr->tfhd) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->tfhd = (GF_TrackFragmentHeaderBox *) a;\n\t\treturn GF_OK;\n\tcase GF_ISOM_BOX_TYPE_TRUN:\n\t\treturn gf_list_add(ptr->TrackRuns, a);\n\tcase GF_ISOM_BOX_TYPE_SDTP:\n\t\tif (ptr->sdtp) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->sdtp = (GF_SampleDependencyTypeBox *)a;\n\t\treturn GF_OK;\n\tcase GF_ISOM_BOX_TYPE_TFDT:\n\t\tif (ptr->tfdt) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->tfdt = (GF_TFBaseMediaDecodeTimeBox*) a;\n\t\treturn GF_OK;\n\tcase GF_ISOM_BOX_TYPE_SUBS:\n\t\tif (!ptr->sub_samples) ptr->sub_samples = gf_list_new();\n\t\treturn gf_list_add(ptr->sub_samples, a);\n\tcase GF_ISOM_BOX_TYPE_SBGP:\n\t\tif (!ptr->sampleGroups) ptr->sampleGroups = gf_list_new();\n\t\tgf_list_add(ptr->sampleGroups, a);\n\t\treturn GF_OK;\n\tcase GF_ISOM_BOX_TYPE_SGPD:\n\t\tif (!ptr->sampleGroupsDescription) ptr->sampleGroupsDescription = gf_list_new();\n\t\tgf_list_add(ptr->sampleGroupsDescription, a);\n\t\treturn GF_OK;\n\tcase GF_ISOM_BOX_TYPE_SAIZ:\n\t\tif (!ptr->sai_sizes) ptr->sai_sizes = gf_list_new();\n\t\tgf_list_add(ptr->sai_sizes, a);\n\t\treturn GF_OK;\n\tcase GF_ISOM_BOX_TYPE_SAIO:\n\t\tif (!ptr->sai_offsets) ptr->sai_offsets = gf_list_new();\n\t\tgf_list_add(ptr->sai_offsets, a);\n\t\treturn GF_OK;\n\t//we will throw an error if both PIFF_PSEC and SENC are found. 
Not such files seen yet\n\tcase GF_ISOM_BOX_TYPE_UUID:\n\t\tif ( ((GF_UUIDBox *)a)->internal_4cc==GF_ISOM_BOX_UUID_PSEC) {\n\t\t\tif (ptr->sample_encryption) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\t\tptr->sample_encryption = (GF_SampleEncryptionBox *)a;\n\t\t\tptr->sample_encryption->traf = ptr;\n\t\t\treturn GF_OK;\n\t\t} else {\n\t\t\treturn GF_OK;\n\t\t}\n\tcase GF_ISOM_BOX_TYPE_SENC:\n\t\tif (ptr->sample_encryption) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->sample_encryption = (GF_SampleEncryptionBox *)a;\n\t\tptr->sample_encryption->traf = ptr;\n\t\treturn GF_OK;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 126237251865605347544268370891679965139, "size": 56, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264812 }, { "func": "GF_Err gf_isom_new_generic_sample_description(GF_ISOFile *movie, u32 trackNumber, const char *URLname, const char *URNname, GF_GenericSampleDescription *udesc, u32 *outDescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_Err e;\n\tu32 dataRefIndex;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak || !trak->Media || !udesc) return GF_BAD_PARAM;\n\n\t//get or create the data ref\n\te = Media_FindDataRef(trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\tif (e) return e;\n\tif (!dataRefIndex) {\n\t\te = Media_CreateDataRef(movie, trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\t\tif (e) return e;\n\t}\n\tif (!movie->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\n\tif (gf_isom_is_video_handler_type(trak->Media->handler->handlerType)) {\n\t\tGF_GenericVisualSampleEntryBox *entry;\n\t\t//create a new entry\n\t\tentry = (GF_GenericVisualSampleEntryBox*) gf_isom_box_new(GF_ISOM_BOX_TYPE_GNRV);\n\t\tif (!entry) return 
GF_OUT_OF_MEM;\n\n\t\tif (!udesc->codec_tag) {\n\t\t\tentry->EntryType = GF_ISOM_BOX_TYPE_UUID;\n\t\t\tmemcpy(entry->uuid, udesc->UUID, sizeof(bin128));\n\t\t} else {\n\t\t\tentry->EntryType = udesc->codec_tag;\n\t\t}\n\t\tif (entry->EntryType == 0) {\n\t\t\tgf_isom_box_del((GF_Box *)entry);\n\t\t\treturn GF_NOT_SUPPORTED;\n\t\t}\n\n\t\tentry->dataReferenceIndex = dataRefIndex;\n\t\tentry->vendor = udesc->vendor_code;\n\t\tentry->version = udesc->version;\n\t\tentry->revision = udesc->revision;\n\t\tentry->temporal_quality = udesc->temporal_quality;\n\t\tentry->spatial_quality = udesc->spatial_quality;\n\t\tentry->Width = udesc->width;\n\t\tentry->Height = udesc->height;\n\t\tstrcpy(entry->compressor_name, udesc->compressor_name);\n\t\tentry->color_table_index = -1;\n\t\tentry->frames_per_sample = 1;\n\t\tentry->horiz_res = udesc->h_res ? udesc->h_res : 0x00480000;\n\t\tentry->vert_res = udesc->v_res ? udesc->v_res : 0x00480000;\n\t\tentry->bit_depth = udesc->depth ? udesc->depth : 0x18;\n\t\tif (udesc->extension_buf && udesc->extension_buf_size) {\n\t\t\tentry->data = (char*)gf_malloc(sizeof(char) * udesc->extension_buf_size);\n\t\t\tif (!entry->data) {\n\t\t\t\tgf_isom_box_del((GF_Box *) entry);\n\t\t\t\treturn GF_OUT_OF_MEM;\n\t\t\t}\n\t\t\tmemcpy(entry->data, udesc->extension_buf, udesc->extension_buf_size);\n\t\t\tentry->data_size = udesc->extension_buf_size;\n\t\t}\n\t\te = gf_list_add(trak->Media->information->sampleTable->SampleDescription->child_boxes, entry);\n\t}\n\telse if (trak->Media->handler->handlerType==GF_ISOM_MEDIA_AUDIO) {\n\t\tGF_GenericAudioSampleEntryBox *gena;\n\t\t//create a new entry\n\t\tgena = (GF_GenericAudioSampleEntryBox*) gf_isom_box_new(GF_ISOM_BOX_TYPE_GNRA);\n\t\tif (!gena) return GF_OUT_OF_MEM;\n\n\t\tif (!udesc->codec_tag) {\n\t\t\tgena->EntryType = GF_ISOM_BOX_TYPE_UUID;\n\t\t\tmemcpy(gena->uuid, udesc->UUID, sizeof(bin128));\n\t\t} else {\n\t\t\tgena->EntryType = udesc->codec_tag;\n\t\t}\n\t\tif (gena->EntryType == 0) 
{\n\t\t\tgf_isom_box_del((GF_Box *)gena);\n\t\t\treturn GF_NOT_SUPPORTED;\n\t\t}\n\n\t\tgena->dataReferenceIndex = dataRefIndex;\n\t\tgena->vendor = udesc->vendor_code;\n\t\tgena->version = udesc->version;\n\t\tgena->revision = udesc->revision;\n\t\tgena->bitspersample = udesc->bits_per_sample ? udesc->bits_per_sample : 16;\n\t\tgena->channel_count = udesc->nb_channels ? udesc->nb_channels : 2;\n\t\tgena->samplerate_hi = udesc->samplerate;\n\t\tgena->samplerate_lo = 0;\n\t\tgena->qtff_mode = udesc->is_qtff ? GF_ISOM_AUDIO_QTFF_ON_NOEXT : GF_ISOM_AUDIO_QTFF_NONE;\n\n\t\tif (udesc->extension_buf && udesc->extension_buf_size) {\n\t\t\tgena->data = (char*)gf_malloc(sizeof(char) * udesc->extension_buf_size);\n\t\t\tif (!gena->data) {\n\t\t\t\tgf_isom_box_del((GF_Box *) gena);\n\t\t\t\treturn GF_OUT_OF_MEM;\n\t\t\t}\n\t\t\tmemcpy(gena->data, udesc->extension_buf, udesc->extension_buf_size);\n\t\t\tgena->data_size = udesc->extension_buf_size;\n\t\t}\n\t\te = gf_list_add(trak->Media->information->sampleTable->SampleDescription->child_boxes, gena);\n\t}\n\telse {\n\t\tGF_GenericSampleEntryBox *genm;\n\t\t//create a new entry\n\t\tgenm = (GF_GenericSampleEntryBox*) gf_isom_box_new(GF_ISOM_BOX_TYPE_GNRM);\n\t\tif (!genm) return GF_OUT_OF_MEM;\n\n\t\tif (!udesc->codec_tag) {\n\t\t\tgenm->EntryType = GF_ISOM_BOX_TYPE_UUID;\n\t\t\tmemcpy(genm->uuid, udesc->UUID, sizeof(bin128));\n\t\t} else {\n\t\t\tgenm->EntryType = udesc->codec_tag;\n\t\t}\n\t\tif (genm->EntryType == 0) {\n\t\t\tgf_isom_box_del((GF_Box *)genm);\n\t\t\treturn GF_NOT_SUPPORTED;\n\t\t}\n\n\t\tgenm->dataReferenceIndex = dataRefIndex;\n\t\tif (udesc->extension_buf && udesc->extension_buf_size) {\n\t\t\tgenm->data = (char*)gf_malloc(sizeof(char) * udesc->extension_buf_size);\n\t\t\tif (!genm->data) {\n\t\t\t\tgf_isom_box_del((GF_Box *) genm);\n\t\t\t\treturn GF_OUT_OF_MEM;\n\t\t\t}\n\t\t\tmemcpy(genm->data, udesc->extension_buf, udesc->extension_buf_size);\n\t\t\tgenm->data_size = 
udesc->extension_buf_size;\n\t\t}\n\t\te = gf_list_add(trak->Media->information->sampleTable->SampleDescription->child_boxes, genm);\n\t}\n\t*outDescriptionIndex = gf_list_count(trak->Media->information->sampleTable->SampleDescription->child_boxes);\n\treturn e;\n}", "project": "gpac", "hash": 146438121001086094961368981094670591077, "size": 134, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267244 }, { "func": "static void gf_isom_check_sample_desc(GF_TrackBox *trak)\n{\n\tGF_BitStream *bs;\n\tGF_UnknownBox *a;\n\tu32 i;\n\tGF_Err e;\n\tGF_SampleTableBox *stbl;\n\n\tif (!trak->Media || !trak->Media->information) {\n\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Track with no media box !\\n\" ));\n\t\treturn;\n\t}\n\tif (!trak->Media->information->sampleTable) {\n\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Track with no sample table !\\n\" ));\n\t\ttrak->Media->information->sampleTable = (GF_SampleTableBox *) gf_isom_box_new_parent(&trak->Media->information->child_boxes, GF_ISOM_BOX_TYPE_STBL);\n\t}\n\tstbl = trak->Media->information->sampleTable;\n\n\tif (!stbl->SampleDescription) {\n\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Track with no sample description box !\\n\" ));\n\t\tstbl->SampleDescription = (GF_SampleDescriptionBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STSD);\n\t\treturn;\n\t}\n\n\ti=0;\n\twhile ((a = (GF_UnknownBox*)gf_list_enum(trak->Media->information->sampleTable->SampleDescription->child_boxes, &i))) {\n\t\tswitch (a->type) {\n\t\tcase GF_ISOM_BOX_TYPE_MP4S:\n\t\tcase GF_ISOM_BOX_TYPE_ENCS:\n\t\tcase GF_ISOM_BOX_TYPE_MP4A:\n\t\tcase GF_ISOM_BOX_TYPE_ENCA:\n\t\tcase GF_ISOM_BOX_TYPE_MP4V:\n\t\tcase GF_ISOM_BOX_TYPE_ENCV:\n\t\tcase GF_ISOM_BOX_TYPE_RESV:\n\t\tcase GF_ISOM_SUBTYPE_3GP_AMR:\n\t\tcase GF_ISOM_SUBTYPE_3GP_AMR_WB:\n\t\tcase GF_ISOM_SUBTYPE_3GP_EVRC:\n\t\tcase 
GF_ISOM_SUBTYPE_3GP_QCELP:\n\t\tcase GF_ISOM_SUBTYPE_3GP_SMV:\n\t\tcase GF_ISOM_SUBTYPE_3GP_H263:\n\t\tcase GF_ISOM_BOX_TYPE_GHNT:\n\t\tcase GF_ISOM_BOX_TYPE_RTP_STSD:\n\t\tcase GF_ISOM_BOX_TYPE_SRTP_STSD:\n\t\tcase GF_ISOM_BOX_TYPE_FDP_STSD:\n\t\tcase GF_ISOM_BOX_TYPE_RRTP_STSD:\n\t\tcase GF_ISOM_BOX_TYPE_RTCP_STSD:\n\t\tcase GF_ISOM_BOX_TYPE_METX:\n\t\tcase GF_ISOM_BOX_TYPE_METT:\n\t\tcase GF_ISOM_BOX_TYPE_STXT:\n\t\tcase GF_ISOM_BOX_TYPE_AVC1:\n\t\tcase GF_ISOM_BOX_TYPE_AVC2:\n\t\tcase GF_ISOM_BOX_TYPE_AVC3:\n\t\tcase GF_ISOM_BOX_TYPE_AVC4:\n\t\tcase GF_ISOM_BOX_TYPE_SVC1:\n\t\tcase GF_ISOM_BOX_TYPE_MVC1:\n\t\tcase GF_ISOM_BOX_TYPE_HVC1:\n\t\tcase GF_ISOM_BOX_TYPE_HEV1:\n\t\tcase GF_ISOM_BOX_TYPE_HVC2:\n\t\tcase GF_ISOM_BOX_TYPE_HEV2:\n\t\tcase GF_ISOM_BOX_TYPE_HVT1:\n\t\tcase GF_ISOM_BOX_TYPE_LHV1:\n\t\tcase GF_ISOM_BOX_TYPE_LHE1:\n\t\tcase GF_ISOM_BOX_TYPE_AV01:\n\t\tcase GF_ISOM_BOX_TYPE_VP08:\n\t\tcase GF_ISOM_BOX_TYPE_VP09:\n\t\tcase GF_ISOM_BOX_TYPE_AV1C:\n\t\tcase GF_ISOM_BOX_TYPE_TX3G:\n\t\tcase GF_ISOM_BOX_TYPE_TEXT:\n\t\tcase GF_ISOM_BOX_TYPE_ENCT:\n\t\tcase GF_ISOM_BOX_TYPE_DIMS:\n\t\tcase GF_ISOM_BOX_TYPE_OPUS:\n\t\tcase GF_ISOM_BOX_TYPE_AC3:\n\t\tcase GF_ISOM_BOX_TYPE_EC3:\n\t\tcase GF_ISOM_BOX_TYPE_LSR1:\n\t\tcase GF_ISOM_BOX_TYPE_WVTT:\n\t\tcase GF_ISOM_BOX_TYPE_STPP:\n\t\tcase GF_ISOM_BOX_TYPE_SBTT:\n\t\tcase GF_ISOM_BOX_TYPE_MP3:\n\t\tcase GF_ISOM_BOX_TYPE_JPEG:\n\t\tcase GF_ISOM_BOX_TYPE_PNG:\n\t\tcase GF_ISOM_BOX_TYPE_JP2K:\n\t\tcase GF_ISOM_BOX_TYPE_MHA1:\n\t\tcase GF_ISOM_BOX_TYPE_MHA2:\n\t\tcase GF_ISOM_BOX_TYPE_MHM1:\n\t\tcase GF_ISOM_BOX_TYPE_MHM2:\n\t\tcase GF_ISOM_BOX_TYPE_MJP2:\n\t\tcase GF_QT_SUBTYPE_RAW_AUD:\n\t\tcase GF_QT_SUBTYPE_TWOS:\n\t\tcase GF_QT_SUBTYPE_SOWT:\n\t\tcase GF_QT_SUBTYPE_FL32:\n\t\tcase GF_QT_SUBTYPE_FL64:\n\t\tcase GF_QT_SUBTYPE_IN24:\n\t\tcase GF_QT_SUBTYPE_IN32:\n\t\tcase GF_QT_SUBTYPE_ULAW:\n\t\tcase GF_QT_SUBTYPE_ALAW:\n\t\tcase GF_QT_SUBTYPE_ADPCM:\n\t\tcase GF_QT_SUBTYPE_IMA_ADPCM:\n\t\tcase 
GF_QT_SUBTYPE_DVCA:\n\t\tcase GF_QT_SUBTYPE_QDMC:\n\t\tcase GF_QT_SUBTYPE_QDMC2:\n\t\tcase GF_QT_SUBTYPE_QCELP:\n\t\tcase GF_QT_SUBTYPE_kMP3:\n\t\tcase GF_QT_SUBTYPE_RAW_VID:\n\t\tcase GF_QT_SUBTYPE_APCH:\n\t\tcase GF_QT_SUBTYPE_APCO:\n\t\tcase GF_QT_SUBTYPE_APCN:\n\t\tcase GF_QT_SUBTYPE_APCS:\n\t\tcase GF_QT_SUBTYPE_AP4X:\n\t\tcase GF_QT_SUBTYPE_AP4H:\n\t\tcase GF_QT_SUBTYPE_YUV422:\n\t\tcase GF_QT_SUBTYPE_YUV444:\n\t\tcase GF_QT_SUBTYPE_YUV422_10:\n\t\tcase GF_QT_SUBTYPE_YUV444_10:\n\t\tcase GF_ISOM_BOX_TYPE_IPCM:\n\t\tcase GF_ISOM_BOX_TYPE_FPCM:\n\t\t\tcontinue;\n\n\t\tcase GF_ISOM_BOX_TYPE_UNKNOWN:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tif (gf_box_valid_in_parent((GF_Box *) a, \"stsd\")) {\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Unexpected box %s in stsd!\\n\", gf_4cc_to_str(a->type)));\n\t\t\tcontinue;\n\t\t}\n\t\t//we are sure to have an unknown box here\n\t\tassert(a->type==GF_ISOM_BOX_TYPE_UNKNOWN);\n\n\t\tif (!a->data || (a->dataSize<8) ) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Sample description %s does not have at least 8 bytes!\\n\", gf_4cc_to_str(a->original_4cc) ));\n\t\t\tcontinue;\n\t\t}\n\t\telse if (a->dataSize > a->size) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Sample description %s has wrong data size %d!\\n\", gf_4cc_to_str(a->original_4cc), a->dataSize));\n\t\t\tcontinue;\n\t\t}\n\n#define STSD_SWITCH_BOX(_box) \\\n\t\tif (gf_bs_available(bs)) { \\\n\t\t\tu64 pos = gf_bs_get_position(bs); \\\n\t\t\tu32 count_subb = 0; \\\n\t\t\tgf_bs_set_cookie(bs, GF_ISOM_BS_COOKIE_NO_LOGS);\\\n\t\t\te = gf_isom_box_array_read((GF_Box *) _box, bs, NULL); \\\n\t\t\tcount_subb = _box->child_boxes ? 
gf_list_count(_box->child_boxes) : 0; \\\n\t\t\tif (!count_subb || e) { \\\n\t\t\t\tgf_bs_seek(bs, pos); \\\n\t\t\t\t_box->data_size = (u32) gf_bs_available(bs); \\\n\t\t\t\tif (_box->data_size) { \\\n\t\t\t\t\t_box->data = a->data; \\\n\t\t\t\t\ta->data = NULL; \\\n\t\t\t\t\tmemmove(_box->data, _box->data + pos, _box->data_size); \\\n\t\t\t\t} \\\n\t\t\t} else { \\\n\t\t\t\t_box->data_size = 0; \\\n\t\t\t} \\\n\t\t} \\\n\t\tgf_bs_del(bs); \\\n\t\tif (!_box->data_size && _box->data) { \\\n\t\t\tgf_free(_box->data); \\\n\t\t\t_box->data = NULL; \\\n\t\t} \\\n\t\t_box->size = 0; \\\n\t\t_box->EntryType = a->original_4cc; \\\n\t\tgf_list_rem(trak->Media->information->sampleTable->SampleDescription->child_boxes, i-1); \\\n\t\tgf_isom_box_del((GF_Box *)a); \\\n\t\tgf_list_insert(trak->Media->information->sampleTable->SampleDescription->child_boxes, _box, i-1); \\\n\n\n\t\t/*only process visual or audio\n\t\tnote: no need for new_box_parent here since we always store sample descriptions in child_boxes*/\n\t\tswitch (trak->Media->handler->handlerType) {\n case GF_ISOM_MEDIA_VISUAL:\n\t\tcase GF_ISOM_MEDIA_AUXV:\n\t\tcase GF_ISOM_MEDIA_PICT:\n\t\t{\n\t\t\tGF_GenericVisualSampleEntryBox *genv = (GF_GenericVisualSampleEntryBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_GNRV);\n\t\t\tbs = gf_bs_new(a->data, a->dataSize, GF_BITSTREAM_READ);\n\t\t\tgenv->size = a->size-8;\n\t\t\tgf_isom_video_sample_entry_read((GF_VisualSampleEntryBox *) genv, bs);\n\n\t\t\tSTSD_SWITCH_BOX(genv)\n\n\t\t}\n\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_AUDIO:\n\t\t{\n\t\t\tGF_GenericAudioSampleEntryBox *gena = (GF_GenericAudioSampleEntryBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_GNRA);\n\t\t\tgena->size = a->size-8;\n\t\t\tbs = gf_bs_new(a->data, a->dataSize, GF_BITSTREAM_READ);\n\t\t\tgf_isom_audio_sample_entry_read((GF_AudioSampleEntryBox *) gena, bs);\n\n\t\t\tSTSD_SWITCH_BOX(gena)\n\n\t\t}\n\t\tbreak;\n\n\t\tdefault:\n\t\t{\n\t\t\tGF_GenericSampleEntryBox *genm = (GF_GenericSampleEntryBox *) 
gf_isom_box_new(GF_ISOM_BOX_TYPE_GNRM);\n\t\t\tgenm->size = a->size-8;\n\t\t\tbs = gf_bs_new(a->data, a->dataSize, GF_BITSTREAM_READ);\n\n\t\t\te = gf_isom_base_sample_entry_read((GF_SampleEntryBox *)genm, bs);\n\t\t\tif (e) return;\n\n\t\t\tSTSD_SWITCH_BOX(genm)\n\t\t}\n\t\tbreak;\n\t\t}\n\n\t}", "project": "gpac", "hash": 41657810898392634449457044887056309333, "size": 212, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264821 }, { "func": "static GF_Err parse_track_action_params(char *string, TrackAction *action)\n{\n\tchar *param = string;\n\tif (!action || !string) return GF_BAD_PARAM;\n\n\twhile (param) {\n\t\tparam = gf_url_colon_suffix(param);\n\t\tif (param) {\n\t\t\t*param = 0;\n\t\t\tparam++;\n#ifndef GPAC_DISABLE_MEDIA_EXPORT\n\t\t\tif (!strncmp(\"vttnomerge\", param, 10)) {\n\t\t\t\taction->dump_type |= GF_EXPORT_WEBVTT_NOMERGE;\n\t\t\t} else if (!strncmp(\"layer\", param, 5)) {\n\t\t\t\taction->dump_type |= GF_EXPORT_SVC_LAYER;\n\t\t\t} else if (!strncmp(\"full\", param, 4)) {\n\t\t\t\taction->dump_type |= GF_EXPORT_NHML_FULL;\n\t\t\t} else if (!strncmp(\"embedded\", param, 8)) {\n\t\t\t\taction->dump_type |= GF_EXPORT_WEBVTT_META_EMBEDDED;\n\t\t\t} else if (!strncmp(\"output=\", param, 7)) {\n\t\t\t\taction->out_name = gf_strdup(param+7);\n\t\t\t} else if (!strncmp(\"src=\", param, 4)) {\n\t\t\t\taction->src_name = gf_strdup(param+4);\n\t\t\t} else if (!strncmp(\"box=\", param, 4)) {\n\t\t\t\taction->src_name = gf_strdup(param+4);\n\t\t\t\taction->sample_num = 1;\n\t\t\t} else if (!strncmp(\"type=\", param, 4)) {\n\t\t\t\taction->udta_type = GF_4CC(param[5], param[6], param[7], param[8]);\n\t\t\t} else if (action->dump_type == GF_EXPORT_RAW_SAMPLES) {\n\t\t\t\taction->sample_num = atoi(param);\n\t\t\t}\n#endif\n\t\t}\n\t}\n\tif (!strcmp(string, \"*\")) {\n\t\taction->trackID = (u32) -1;\n\t} else {\n\t\taction->trackID = atoi(string);\n\t}\n\treturn GF_OK;\n}", "project": 
"gpac", "hash": 197539540085845444964399347670349707982, "size": 41, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244379 }, { "func": "GF_Err gf_isom_vp_config_new(GF_ISOFile *the_file, u32 trackNumber, GF_VPConfig *cfg, const char *URLname, const char *URNname, u32 *outDescriptionIndex, u32 vpx_type)\n{\n\tGF_TrackBox *trak;\n\tGF_Err e;\n\tu32 dataRefIndex;\n\tGF_SampleDescriptionBox *stsd;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\n\te = CanAccessMovie(the_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !cfg) return GF_BAD_PARAM;\n\n\t//get or create the data ref\n\te = Media_FindDataRef(trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\tif (e) return e;\n\tif (!dataRefIndex) {\n\t\te = Media_CreateDataRef(the_file, trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\t\tif (e) return e;\n\t}\n\tif (!the_file->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\n\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\t//create a new entry\n\tentry = (GF_MPEGVisualSampleEntryBox *)gf_isom_box_new_parent(&stsd->child_boxes, vpx_type);\n\tif (!entry) return GF_OUT_OF_MEM;\n\t\n\tentry->vp_config = (GF_VPConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_VPCC);\n\tif (!entry->vp_config) return GF_OUT_OF_MEM;\n\tentry->vp_config->config = VP_DuplicateConfig(cfg);\n\tif (!entry->vp_config->config) return GF_OUT_OF_MEM;\n\tstrncpy(entry->compressor_name, \"\\012VPC Coding\", sizeof(entry->compressor_name)-1);\n\tentry->dataReferenceIndex = dataRefIndex;\n\t*outDescriptionIndex = gf_list_count(stsd->child_boxes);\n\treturn e;\n}", "project": "gpac", "hash": 158690899773128408652776271377406819078, "size": 38, "commit_id": 
"0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237638 }, { "func": "void SetupClockReferences(GF_ISOFile *file)\n{\n\tu32 i, count, ocr_id;\n\tcount = gf_isom_get_track_count(file);\n\tif (count==1) return;\n\tocr_id = 0;\n\tfor (i=0; iOCRESID = ocr_id;\n\t\t\tgf_isom_change_mpeg4_description(file, i+1, 1, esd);\n\t\t\tgf_odf_desc_del((GF_Descriptor *) esd);\n\t\t}\n\t}\n}", "project": "gpac", "hash": 71499075537991277475270395862874926686, "size": 22, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244419 }, { "func": "GF_Err afrt_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tunsigned int i;\n\tGF_AdobeFragmentRunTableBox *ptr = (GF_AdobeFragmentRunTableBox *)s;\n\n\te = gf_isom_full_box_write(s, bs);\n\tif (e) return e;\n\n\tgf_bs_write_u32(bs, ptr->timescale);\n\tgf_bs_write_u8(bs, ptr->quality_entry_count);\n\tfor (i=0; iquality_entry_count; i++) {\n\t\tchar *str = (char*)gf_list_get(ptr->quality_segment_url_modifiers, i);\n\t\tgf_bs_write_data(bs, str, (u32)strlen(str) + 1);\n\t}\n\n\tgf_bs_write_u32(bs, ptr->fragment_run_entry_count);\n\tfor (i=0; ifragment_run_entry_count; i++) {\n\t\tGF_AdobeFragmentRunEntry *fre = (GF_AdobeFragmentRunEntry *)gf_list_get(ptr->fragment_run_entry_table, i);\n\t\tgf_bs_write_u32(bs, fre->first_fragment);\n\t\tgf_bs_write_u64(bs, fre->first_fragment_timestamp);\n\t\tgf_bs_write_u32(bs, fre->fragment_duration);\n\t\tif (!fre->fragment_duration)\n\t\t\tgf_bs_write_u8(bs, fre->discontinuity_indicator);\n\t}\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 95157708849433412976774052578035455635, "size": 28, "commit_id": "e74be5976a6fee059c638050a237893f7e9a3b23", "message": "fixed #1753", "target": 0, "dataset": "other", "idx": 230582 }, { "func": "static GF_Err gf_isom_box_size_listing(GF_Box *a)\n{\n\tif (!a) return GF_BAD_PARAM;\n\tif (!a->registry) 
{\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Size invalid box type %s without registry\\n\", gf_4cc_to_str(a->type) ));\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\ta->size = 8;\n\n\tif (a->type == GF_ISOM_BOX_TYPE_UUID) {\n\t\ta->size += 16;\n\t}\n\t//the large size is handled during write, cause at this stage we don't know the size\n\tif (a->registry->max_version_plus_one) {\n\t\ta->size += 4;\n\t}\n\treturn a->registry->size_fn(a);\n}", "project": "gpac", "hash": 244372833000537755925698925174860606607, "size": 18, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224894 }, { "func": "void gf_inspect_format_timecode(const u8 *data, u32 size, u32 tmcd_flags, u32 tc_num, u32 tc_den, u32 tmcd_fpt, char szFmt[100]);\n\nvoid DumpTrackInfo(GF_ISOFile *file, GF_ISOTrackID trackID, Bool full_dump, Bool is_track_num, Bool dump_m4sys)\n{\n\tchar szCodec[RFC6381_CODEC_NAME_SIZE_MAX];\n\tDouble scale, max_rate, rate;\n\tBool is_od_track = 0;\n\tu32 trackNum, i, j, ts, mtype, msub_type, timescale, sr, nb_ch, count, alt_group, nb_groups, nb_edits, cdur, csize, bps, pfmt, codecid;\n\tu64 time_slice, dur, size;\n\ts32 cts_shift;\n\tGF_ESD *esd;\n\tchar szDur[50];\n\tchar *lang;\n\n\tif (!is_track_num) {\n\t\ttrackNum = gf_isom_get_track_by_id(file, trackID);\n\t} else {\n\t\ttrackNum = trackID;\n\t\ttrackID = gf_isom_get_track_id(file, trackNum);\n\t}\n\tif (!trackNum) {\n\t\tM4_LOG(GF_LOG_ERROR, (\"No track with ID %d found\\n\", trackID));\n\t\treturn;\n\t}\n\n\ttimescale = gf_isom_get_media_timescale(file, trackNum);\n\tfprintf(stderr, \"# Track %d Info - ID %d - TimeScale %d\\n\", trackNum, trackID, timescale);\n\n\tdur = gf_isom_get_media_original_duration(file, trackNum);\n\tsize = gf_isom_get_media_duration(file, trackNum);\n\tfprintf(stderr, \"Media Duration %s \", format_duration(dur, timescale, szDur));\n\tif (dur != size)\n\t\tfprintf(stderr, \" (recomputed 
%s)\", format_duration(size, timescale, szDur));\n\tfprintf(stderr, \"\\n\");\n\n\tif (gf_isom_check_data_reference(file, trackNum, 1) != GF_OK) {\n\t\tM4_LOG(GF_LOG_WARNING, (\"Track uses external data reference not supported by GPAC!\\n\"));\n\t}\n\n\tnb_edits = gf_isom_get_edits_count(file, trackNum);\n\tif (nb_edits)\n\t\tfprintf(stderr, \"Track has %d edits: track duration is %s\\n\", nb_edits, format_duration(gf_isom_get_track_duration(file, trackNum), gf_isom_get_timescale(file), szDur));\n\n\tcts_shift = gf_isom_get_composition_offset_shift(file, trackNum);\n\tif (cts_shift)\n\t\tfprintf(stderr, \"Track composition offset shift (negative CTS offset): %d\\n\", cts_shift);\n\n\tif (gf_isom_is_track_in_root_od(file, trackNum) ) fprintf(stderr, \"Track is present in Root OD\\n\");\n\tif (!gf_isom_is_track_enabled(file, trackNum)) fprintf(stderr, \"Track is disabled\\n\");\n\tgf_isom_get_media_language(file, trackNum, &lang);\n\tfprintf(stderr, \"Media Info: Language \\\"%s (%s)\\\" - \", GetLanguage(lang), lang );\n\tgf_free(lang);\n\tmtype = gf_isom_get_media_type(file, trackNum);\n\tfprintf(stderr, \"Type \\\"%s:\", gf_4cc_to_str(mtype));\n\tmsub_type = gf_isom_get_mpeg4_subtype(file, trackNum, 1);\n\tif (!msub_type) msub_type = gf_isom_get_media_subtype(file, trackNum, 1);\n\tfprintf(stderr, \"%s\\\" - %d samples\\n\", gf_4cc_to_str(msub_type), gf_isom_get_sample_count(file, trackNum));\n\n\tpfmt = gf_pixel_fmt_from_qt_type(msub_type);\n\tcodecid = gf_codec_id_from_isobmf(msub_type);\n\n\tcount = gf_isom_get_track_kind_count(file, trackNum);\n\tfor (i = 0; i < count; i++) {\n\t\tchar *kind_scheme, *kind_value;\n\t\tgf_isom_get_track_kind(file, trackNum, i, &kind_scheme, &kind_value);\n\t\tfprintf(stderr, \"Kind: %s - %s\\n\", kind_scheme ? kind_scheme : \"null\", kind_value ? 
kind_value : \"null\");\n\t\tif (kind_scheme) gf_free(kind_scheme);\n\t\tif (kind_value) gf_free(kind_value);\n\t}\n\n\tif (gf_isom_is_track_fragmented(file, trackID) ) {\n\t\tu32 defaultDuration, defaultSize, defaultDescriptionIndex, defaultRandomAccess;\n\t\tu8 defaultPadding;\n\t\tu16 defaultDegradationPriority;\n\t\tu32 frag_samples;\n\t\tu64 frag_duration;\n\t\tgf_isom_get_fragmented_samples_info(file, trackID, &frag_samples, &frag_duration);\n\t\tfprintf(stderr, \"Fragmented track: %d samples - Media Duration %s\\n\", frag_samples, format_duration(frag_duration, timescale, szDur));\n\n\t\tgf_isom_get_fragment_defaults(file, trackNum, &defaultDuration, &defaultSize, &defaultDescriptionIndex, &defaultRandomAccess, &defaultPadding, &defaultDegradationPriority);\n\n\t\tfprintf(stderr, \"Fragment sample defaults: duration %d size %d stsd %d sync %d padding %d degradation_priority %d\\n\",\n\t\t\t\tdefaultDuration, defaultSize, defaultDescriptionIndex, defaultRandomAccess,\n\t\t\t\t(u32) defaultPadding, (u32) defaultDegradationPriority\n\t\t);\n\t}\n\n\tif (!gf_isom_is_self_contained(file, trackNum, 1)) {\n\t\tconst char *url, *urn;\n\t\tgf_isom_get_data_reference(file, trackNum, 1, &url, &urn);\n\t\tfprintf(stderr, \"Media Data Location: %s\\n\", url ? 
url : urn);\n\t}\n\n\tif (full_dump) {\n\t\tconst char *handler_name;\n\t\tgf_isom_get_handler_name(file, trackNum, &handler_name);\n\t\tfprintf(stderr, \"Handler name: %s\\n\", handler_name);\n\t}\n\n\tprint_udta(file, trackNum, GF_FALSE);\n\n\tif (gf_isom_is_video_handler_type(mtype) ) {\n\t\ts32 tx, ty;\n\t\tu32 w, h;\n\t\tu16 bit_depth;\n\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\tgf_isom_get_visual_bit_depth(file, trackNum, 1, &bit_depth);\n\t\tfprintf(stderr, \"Visual Sample Entry Info: width=%d height=%d (depth=%d bits)\\n\", w, h, (int)bit_depth);\n\n\t\tgf_isom_get_track_layout_info(file, trackNum, &w, &h, &tx, &ty, NULL);\n\t\tfprintf(stderr, \"Visual Track layout: x=%d y=%d width=%d height=%d\\n\", tx, ty, w, h);\n\t}\n\n\tgf_isom_get_audio_info(file, trackNum, 1, &sr, &nb_ch, &bps);\n\tgf_isom_set_nalu_extract_mode(file, trackNum, GF_ISOM_NALU_EXTRACT_INSPECT);\n\n\tmsub_type = gf_isom_get_media_subtype(file, trackNum, 1);\n\tif (msub_type==GF_ISOM_SUBTYPE_MPEG4_CRYP)\n\t\tgf_isom_get_original_format_type(file, trackNum, 1, &msub_type);\n\n\tif ((msub_type==GF_ISOM_SUBTYPE_MPEG4)\n\t || (msub_type==GF_ISOM_SUBTYPE_AVC_H264)\n\t || (msub_type==GF_ISOM_SUBTYPE_AVC2_H264)\n\t || (msub_type==GF_ISOM_SUBTYPE_AVC3_H264)\n\t || (msub_type==GF_ISOM_SUBTYPE_AVC4_H264)\n\t || (msub_type==GF_ISOM_SUBTYPE_SVC_H264)\n\t || (msub_type==GF_ISOM_SUBTYPE_MVC_H264)\n\t || (msub_type==GF_ISOM_SUBTYPE_LSR1)\n\t || (msub_type==GF_ISOM_SUBTYPE_HVC1)\n\t || (msub_type==GF_ISOM_SUBTYPE_HEV1)\n\t || (msub_type==GF_ISOM_SUBTYPE_HVC2)\n\t || (msub_type==GF_ISOM_SUBTYPE_HEV2)\n\t || (msub_type==GF_ISOM_SUBTYPE_LHV1)\n\t || (msub_type==GF_ISOM_SUBTYPE_LHE1)\n\t || (msub_type==GF_ISOM_SUBTYPE_HVT1)\n\t ) {\n\t\tesd = gf_isom_get_esd(file, trackNum, 1);\n\t\tif (!esd || !esd->decoderConfig) {\n\t\t\tM4_LOG(GF_LOG_WARNING, (\"WARNING: Broken MPEG-4 Track\\n\"));\n\t\t\tif (esd) gf_odf_desc_del((GF_Descriptor *)esd);\n\t\t} else {\n\t\t\tconst char *st = 
gf_stream_type_name(esd->decoderConfig->streamType);\n\t\t\tif (dump_m4sys) {\n\t\t\t\tif (st) {\n\t\t\t\t\tfprintf(stderr, \"MPEG-4 Config%s%s Stream - ObjectTypeIndication 0x%02x\\n\",\n\t\t\t\t\t\t\tfull_dump ? \"\\n\\t\" : \": \", st, esd->decoderConfig->objectTypeIndication);\n\t\t\t\t} else {\n\t\t\t\t\tfprintf(stderr, \"MPEG-4 Config%sStream Type 0x%02x - ObjectTypeIndication 0x%02x\\n\",\n\t\t\t\t\t\t\tfull_dump ? \"\\n\\t\" : \": \", esd->decoderConfig->streamType, esd->decoderConfig->objectTypeIndication);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (esd->decoderConfig->streamType==GF_STREAM_OD)\n\t\t\t\tis_od_track=1;\n\n\t\t\tif (esd->decoderConfig->streamType==GF_STREAM_VISUAL) {\n\t\t\t\tu32 w, h;\n\t\t\t\tu16 rvc_predef;\n\t\t\t\tw = h = 0;\n\t\t\t\tif (esd->decoderConfig->objectTypeIndication==GF_CODECID_MPEG4_PART2) {\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\tif (!esd->decoderConfig->decoderSpecificInfo) {\n#else\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tfprintf(stderr, \"MPEG-4 Visual Size %d x %d\\n\", w, h);\n#endif\n\t\t\t\t\t\tM4_LOG(GF_LOG_WARNING, (\"Non-compliant MPEG-4 Visual track: video_object_layer infos not found in sample description\\n\"));\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t} else {\n\t\t\t\t\t\tGF_M4VDecSpecInfo dsi;\n\t\t\t\t\t\tgf_m4v_get_config(esd->decoderConfig->decoderSpecificInfo->data, esd->decoderConfig->decoderSpecificInfo->dataLength, &dsi);\n\t\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\t\tw = dsi.width;\n\t\t\t\t\t\th = dsi.height;\n\t\t\t\t\t\tfprintf(stderr, \"MPEG-4 Visual Size %d x %d - %s\\n\", w, h, gf_m4v_get_profile_name(dsi.VideoPL));\n\t\t\t\t\t\tif (dsi.par_den && dsi.par_num) {\n\t\t\t\t\t\t\tu32 tw, th;\n\t\t\t\t\t\t\tgf_isom_get_track_layout_info(file, trackNum, &tw, &th, NULL, NULL, NULL);\n\t\t\t\t\t\t\tfprintf(stderr, \"Pixel Aspect Ratio %d:%d - Indicated track size %d x %d\\n\", dsi.par_num, dsi.par_den, tw, 
th);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n#endif\n\t\t\t\t} else if (gf_isom_get_avc_svc_type(file, trackNum, 1) != GF_ISOM_AVCTYPE_NONE) {\n\t\t\t\t\tGF_AVCConfig *avccfg, *svccfg, *mvccfg;\n\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tfprintf(stderr, \"AVC/H264 Video - Visual Size %d x %d\\n\", w, h);\n\n\t\t\t\t\tavccfg = gf_isom_avc_config_get(file, trackNum, 1);\n\t\t\t\t\tsvccfg = gf_isom_svc_config_get(file, trackNum, 1);\n\t\t\t\t\tmvccfg = gf_isom_mvc_config_get(file, trackNum, 1);\n\t\t\t\t\tif (!avccfg && !svccfg && !mvccfg) {\n\t\t\t\t\t\tM4_LOG(GF_LOG_ERROR, (\"\\tNon-compliant AVC track: SPS/PPS not found in sample description\\n\"));\n\t\t\t\t\t} else if (avccfg) {\n\t\t\t\t\t\tfprintf(stderr, \"\\tAVC Info: %d SPS - %d PPS\", gf_list_count(avccfg->sequenceParameterSets) , gf_list_count(avccfg->pictureParameterSets) );\n\t\t\t\t\t\tfprintf(stderr, \" - Profile %s @ Level %g\\n\", gf_avc_get_profile_name(avccfg->AVCProfileIndication), ((Double)avccfg->AVCLevelIndication)/10.0 );\n\t\t\t\t\t\tfprintf(stderr, \"\\tNAL Unit length bits: %d\\n\", 8*avccfg->nal_unit_size);\n\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t\tfor (i=0; isequenceParameterSets); i++) {\n\t\t\t\t\t\t\ts32 par_n, par_d;\n\t\t\t\t\t\t\tGF_NALUFFParam *slc = gf_list_get(avccfg->sequenceParameterSets, i);\n\t\t\t\t\t\t\tgf_avc_get_sps_info(slc->data, slc->size, NULL, NULL, NULL, &par_n, &par_d);\n\t\t\t\t\t\t\tif ((par_n>0) && (par_d>0)) {\n\t\t\t\t\t\t\t\tu32 tw, th;\n\t\t\t\t\t\t\t\tgf_isom_get_track_layout_info(file, trackNum, &tw, &th, NULL, NULL, NULL);\n\t\t\t\t\t\t\t\tfprintf(stderr, \"\\tPixel Aspect Ratio %d:%d - Indicated track size %d x %d\\n\", par_n, par_d, tw, th);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif (!full_dump) break;\n\t\t\t\t\t\t}\n#endif\n\n\t\t\t\t\t\tif (avccfg->chroma_bit_depth) {\n\t\t\t\t\t\t\tfprintf(stderr, \"\\tChroma format %s - Luma bit depth %d - chroma bit depth %d\\n\", 
gf_avc_hevc_get_chroma_format_name(avccfg->chroma_format), avccfg->luma_bit_depth, avccfg->chroma_bit_depth);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tprint_config_hash(avccfg->sequenceParameterSets, \"SPS\");\n\t\t\t\t\t\tprint_config_hash(avccfg->pictureParameterSets, \"PPS\");\n\n\t\t\t\t\t\tgf_odf_avc_cfg_del(avccfg);\n\t\t\t\t\t}\n\t\t\t\t\tif (svccfg) {\n\t\t\t\t\t\tfprintf(stderr, \"\\n\\tSVC Info: %d SPS - %d PPS - Profile %s @ Level %g\\n\", gf_list_count(svccfg->sequenceParameterSets) , gf_list_count(svccfg->pictureParameterSets), gf_avc_get_profile_name(svccfg->AVCProfileIndication), ((Double)svccfg->AVCLevelIndication)/10.0 );\n\t\t\t\t\t\tfprintf(stderr, \"\\tSVC NAL Unit length bits: %d\\n\", 8*svccfg->nal_unit_size);\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t\tfor (i=0; isequenceParameterSets); i++) {\n\t\t\t\t\t\t\tGF_NALUFFParam *slc = gf_list_get(svccfg->sequenceParameterSets, i);\n\t\t\t\t\t\t\tif (slc) {\n\t\t\t\t\t\t\t\ts32 par_n, par_d;\n\t\t\t\t\t\t\t\tu32 s_w, s_h, sps_id;\n\t\t\t\t\t\t\t\tgf_avc_get_sps_info(slc->data, slc->size, &sps_id, &s_w, &s_h, &par_n, &par_d);\n\t\t\t\t\t\t\t\tfprintf(stderr, \"\\t\\tSPS ID %d - Visual Size %d x %d\\n\", sps_id, s_w, s_h);\n\t\t\t\t\t\t\t\tif ((par_n>0) && (par_d>0)) {\n\t\t\t\t\t\t\t\t\tu32 tw, th;\n\t\t\t\t\t\t\t\t\tgf_isom_get_track_layout_info(file, trackNum, &tw, &th, NULL, NULL, NULL);\n\t\t\t\t\t\t\t\t\tfprintf(stderr, \"\\tPixel Aspect Ratio %d:%d - Indicated track size %d x %d\\n\", par_n, par_d, tw, th);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n#endif\n\t\t\t\t\t\tprint_config_hash(svccfg->sequenceParameterSets, \"SPS\");\n\t\t\t\t\t\tprint_config_hash(svccfg->pictureParameterSets, \"PPS\");\n\t\t\t\t\t\tprint_config_hash(svccfg->sequenceParameterSetExtensions, \"SPSEx\");\n\n\t\t\t\t\t\tgf_odf_avc_cfg_del(svccfg);\n\t\t\t\t\t}\n\n\t\t\t\t\tif (mvccfg) {\n\t\t\t\t\t\tfprintf(stderr, \"\\n\\tMVC Info: %d SPS - %d PPS - Profile %s @ Level %g\\n\", 
gf_list_count(mvccfg->sequenceParameterSets) , gf_list_count(mvccfg->pictureParameterSets), gf_avc_get_profile_name(mvccfg->AVCProfileIndication), ((Double)mvccfg->AVCLevelIndication)/10.0 );\n\t\t\t\t\t\tfprintf(stderr, \"\\tMVC NAL Unit length bits: %d\\n\", 8*mvccfg->nal_unit_size);\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t\tfor (i=0; isequenceParameterSets); i++) {\n\t\t\t\t\t\t\tGF_NALUFFParam *slc = gf_list_get(mvccfg->sequenceParameterSets, i);\n\t\t\t\t\t\t\tif (slc) {\n\t\t\t\t\t\t\t\tu32 s_w, s_h, sps_id;\n\t\t\t\t\t\t\t\ts32 par_n, par_d;\n\t\t\t\t\t\t\t\tgf_avc_get_sps_info(slc->data, slc->size, &sps_id, &s_w, &s_h, &par_n, &par_d);\n\t\t\t\t\t\t\t\tfprintf(stderr, \"\\t\\tSPS ID %d - Visual Size %d x %d\\n\", sps_id, s_w, s_h);\n\t\t\t\t\t\t\t\tif ((par_n>0) && (par_d>0)) {\n\t\t\t\t\t\t\t\t\tu32 tw, th;\n\t\t\t\t\t\t\t\t\tgf_isom_get_track_layout_info(file, trackNum, &tw, &th, NULL, NULL, NULL);\n\t\t\t\t\t\t\t\t\tfprintf(stderr, \"\\tPixel Aspect Ratio %d:%d - Indicated track size %d x %d\\n\", par_n, par_d, tw, th);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n#endif\n\t\t\t\t\t\tprint_config_hash(mvccfg->sequenceParameterSets, \"SPS\");\n\t\t\t\t\t\tprint_config_hash(mvccfg->pictureParameterSets, \"PPS\");\n\t\t\t\t\t\tgf_odf_avc_cfg_del(mvccfg);\n\t\t\t\t\t}\n\n\t\t\t\t} else if ((esd->decoderConfig->objectTypeIndication==GF_CODECID_HEVC)\n\t\t\t\t || (esd->decoderConfig->objectTypeIndication==GF_CODECID_LHVC)\n\t\t\t\t ) {\n\t\t\t\t\tGF_HEVCConfig *hevccfg, *lhvccfg;\n\t\t\t\t\tGF_OperatingPointsInformation *oinf;\n#if !defined(GPAC_DISABLE_AV_PARSERS) && !defined(GPAC_DISABLE_HEVC)\n\t\t\t\t\tHEVCState hevc_state;\n\t\t\t\t\tmemset(&hevc_state, 0, sizeof(HEVCState));\n\t\t\t\t\thevc_state.sps_active_idx = -1;\n#endif\n\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tfprintf(stderr, \"HEVC Video - Visual Size %d x %d\\n\", w, h);\n\t\t\t\t\thevccfg = 
gf_isom_hevc_config_get(file, trackNum, 1);\n\t\t\t\t\tlhvccfg = gf_isom_lhvc_config_get(file, trackNum, 1);\n\n\t\t\t\t\tif (msub_type==GF_ISOM_SUBTYPE_HVT1) {\n\t\t\t\t\t\tconst u8 *data;\n\t\t\t\t\t\tu32 tsize;\n\t\t\t\t\t\tu32 is_default, tx,ty,tw,th, id, independent;\n\t\t\t\t\t\tBool full_frame;\n\t\t\t\t\t\tif (gf_isom_get_tile_info(file, trackNum, 1, &is_default, &id, &independent, &full_frame, &tx, &ty, &tw, &th)) {\n\t\t\t\t\t\t\tfprintf(stderr, \"\\tHEVC Tile - ID %d independent %d (x,y,w,h)=%d,%d,%d,%d \\n\", id, independent, tx, ty, tw, th);\n\t\t\t\t\t\t} else if (gf_isom_get_sample_group_info(file, trackNum, 1, GF_ISOM_SAMPLE_GROUP_TRIF, &is_default, &data, &tsize)) {\n\t\t\t\t\t\t\tfprintf(stderr, \"\\tHEVC Tile track containing a tile set\\n\");\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tfprintf(stderr, \"\\tHEVC Tile track without tiling info\\n\");\n\t\t\t\t\t\t}\n\t\t\t\t\t} else if (!hevccfg && !lhvccfg) {\n\t\t\t\t\t\tM4_LOG(GF_LOG_ERROR, (\"\\tNon-compliant HEVC track: No hvcC or shcC found in sample description\\n\"));\n\t\t\t\t\t}\n\n\t\t\t\t\tif (gf_isom_get_reference_count(file, trackNum, GF_ISOM_REF_SABT)) {\n\t\t\t\t\t\tfprintf(stderr, \"\\tHEVC Tile base track\\n\");\n\t\t\t\t\t}\n\t\t\t\t\tif (hevccfg) {\n\t\t\t\t\t\tdump_hevc_track_info(file, trackNum, hevccfg\n#if !defined(GPAC_DISABLE_AV_PARSERS) && !defined(GPAC_DISABLE_HEVC)\n\t\t\t\t\t\t\t, &hevc_state\n#endif\n\t\t\t\t\t\t);\n\t\t\t\t\t\tgf_odf_hevc_cfg_del(hevccfg);\n\t\t\t\t\t\tfprintf(stderr, \"\\n\");\n\t\t\t\t\t}\n\t\t\t\t\tif (lhvccfg) {\n\t\t\t\t\t\tdump_hevc_track_info(file, trackNum, lhvccfg\n#if !defined(GPAC_DISABLE_AV_PARSERS) && !defined(GPAC_DISABLE_HEVC)\n\t\t\t\t\t\t\t, &hevc_state\n#endif\n\t\t\t\t\t\t);\n\t\t\t\t\t\tgf_odf_hevc_cfg_del(lhvccfg);\n\t\t\t\t\t}\n\n\t\t\t\t\tif (gf_isom_get_oinf_info(file, trackNum, &oinf)) {\n\t\t\t\t\t\tfprintf(stderr, \"\\n\\tOperating Points Information -\");\n\t\t\t\t\t\tfprintf(stderr, \" scalability_mask %d (\", 
oinf->scalability_mask);\n\t\t\t\t\t\tswitch (oinf->scalability_mask) {\n\t\t\t\t\t\tcase 2:\n\t\t\t\t\t\t\tfprintf(stderr, \"Multiview\");\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase 4:\n\t\t\t\t\t\t\tfprintf(stderr, \"Spatial scalability\");\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase 8:\n\t\t\t\t\t\t\tfprintf(stderr, \"Auxilary\");\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\tfprintf(stderr, \"unknown\");\n\t\t\t\t\t\t}\n\t\t\t\t\t\t//TODO: need to dump more info ?\n\t\t\t\t\t\tfprintf(stderr, \") num_profile_tier_level %d \", gf_list_count(oinf->profile_tier_levels) );\n\t\t\t\t\t\tfprintf(stderr, \" num_operating_points %d dependency layers %d \\n\", gf_list_count(oinf->operating_points), gf_list_count(oinf->dependency_layers) );\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t/*OGG media*/\n\t\t\t\telse if (esd->decoderConfig->objectTypeIndication==GF_CODECID_THEORA) {\n\t\t\t\t\tchar *szName;\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tif (!strnicmp((char *) &esd->decoderConfig->decoderSpecificInfo->data[3], \"theora\", 6)) szName = \"Theora\";\n\t\t\t\t\telse szName = \"Unknown\";\n\t\t\t\t\tfprintf(stderr, \"Ogg/%s video / GPAC Mux - Visual Size %d x %d\\n\", szName, w, h);\n\t\t\t\t}\n\t\t\t\telse {\n\t\t\t\t\t//check if we know this codec from its OTI\n\t\t\t\t\tu32 codec_id = gf_codecid_from_oti(GF_STREAM_VISUAL, esd->decoderConfig->objectTypeIndication);\n\t\t\t\t\tif (codec_id) {\n\t\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\t\tfprintf(stderr, \"%s - Visual Size %d x %d\\n\", gf_codecid_name(codec_id), w, h);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif (!w || !h) {\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tfprintf(stderr, \"Visual Size %d x %d\\n\", w, h);\n\t\t\t\t}\n\t\t\t\tif (gf_isom_get_rvc_config(file, trackNum, 1, &rvc_predef, NULL, NULL, NULL)==GF_OK) 
{\n\t\t\t\t\tfprintf(stderr, \"Has RVC signaled - Predefined configuration %d\\n\", rvc_predef);\n\t\t\t\t}\n\n\t\t\t} else if (esd->decoderConfig->streamType==GF_STREAM_AUDIO) {\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\tGF_M4ADecSpecInfo a_cfg;\n\t\t\t\tGF_Err e;\n\t\t\t\tu32 oti;\n#endif\n\t\t\t\tu32 codec_id;\n\t\t\t\tBool is_mp2 = GF_FALSE;\n\t\t\t\tswitch (esd->decoderConfig->objectTypeIndication) {\n\t\t\t\tcase GF_CODECID_AAC_MPEG2_MP:\n\t\t\t\tcase GF_CODECID_AAC_MPEG2_LCP:\n\t\t\t\tcase GF_CODECID_AAC_MPEG2_SSRP:\n\t\t\t\t\tis_mp2 = GF_TRUE;\n\t\t\t\tcase GF_CODECID_AAC_MPEG4:\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\tif (!esd->decoderConfig->decoderSpecificInfo)\n\t\t\t\t\t\te = GF_NON_COMPLIANT_BITSTREAM;\n\t\t\t\t\telse\n\t\t\t\t\t\te = gf_m4a_get_config(esd->decoderConfig->decoderSpecificInfo->data, esd->decoderConfig->decoderSpecificInfo->dataLength, &a_cfg);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tif (e) {\n\t\t\t\t\t\tM4_LOG(GF_LOG_ERROR, (\"Corrupted AAC Config\\n\"));\n\t\t\t\t\t} else {\n\t\t\t\t\t\tchar *signaling = \"implicit\";\n\t\t\t\t\t\tchar *heaac = \"\";\n\t\t\t\t\t\tif (!is_mp2 && a_cfg.has_sbr) {\n\t\t\t\t\t\t\tif (a_cfg.has_ps) heaac = \"(HE-AAC v2) \";\n\t\t\t\t\t\t\telse heaac = \"(HE-AAC v1) \";\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (a_cfg.base_object_type==2) {\n\t\t\t\t\t\t\tif (a_cfg.has_ps || a_cfg.has_sbr)\n\t\t\t\t\t\t\t\tsignaling = \"backward compatible\";\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tsignaling = \"hierarchical\";\n\t\t\t\t\t\t}\n\t\t\t\t\t\tfprintf(stderr, \"%s (AOT=%d %s) %s- %d Channel(s) - SampleRate %d\", gf_m4a_object_type_name(a_cfg.base_object_type), a_cfg.base_object_type, signaling, heaac, a_cfg.nb_chan, a_cfg.base_sr);\n\t\t\t\t\t\tif (is_mp2) fprintf(stderr, \" (MPEG-2 Signaling)\");\n\t\t\t\t\t\tif (a_cfg.has_sbr) fprintf(stderr, \" - SBR: SampleRate %d Type %s\", a_cfg.sbr_sr, gf_m4a_object_type_name(a_cfg.sbr_object_type));\n\t\t\t\t\t\tif (a_cfg.has_ps) fprintf(stderr, \" - 
PS\");\n\t\t\t\t\t\tfprintf(stderr, \"\\n\");\n\t\t\t\t\t}\n#else\n\t\t\t\t\tfprintf(stderr, \"MPEG-2/4 Audio - %d Channels - SampleRate %d\\n\", nb_ch, sr);\n#endif\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_CODECID_MPEG2_PART3:\n\t\t\t\tcase GF_CODECID_MPEG_AUDIO:\n\t\t\t\t\tif (msub_type == GF_ISOM_SUBTYPE_MPEG4_CRYP) {\n\t\t\t\t\t\tfprintf(stderr, \"MPEG-1/2 Audio - %d Channels - SampleRate %d\\n\", nb_ch, sr);\n\t\t\t\t\t} else {\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t\tGF_ISOSample *samp = gf_isom_get_sample(file, trackNum, 1, &oti);\n\t\t\t\t\t\tif (samp) {\n\t\t\t\t\t\t\tu32 mhdr = GF_4CC((u8)samp->data[0], (u8)samp->data[1], (u8)samp->data[2], (u8)samp->data[3]);\n\t\t\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\t\t\tfprintf(stderr, \"%s Audio - %d Channel(s) - SampleRate %d - Layer %d\\n\",\n\t\t\t\t\t\t\t gf_mp3_version_name(mhdr),\n\t\t\t\t\t\t\t gf_mp3_num_channels(mhdr),\n\t\t\t\t\t\t\t gf_mp3_sampling_rate(mhdr),\n\t\t\t\t\t\t\t gf_mp3_layer(mhdr)\n\t\t\t\t\t\t\t );\n\t\t\t\t\t\t\tgf_isom_sample_del(&samp);\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tM4_LOG(GF_LOG_ERROR, (\"Error fetching sample: %s\\n\", gf_error_to_string(gf_isom_last_error(file)) ));\n\t\t\t\t\t\t}\n#else\n\t\t\t\t\t\tfprintf(stderr, \"MPEG-1/2 Audio - %d Channels - SampleRate %d\\n\", nb_ch, sr);\n#endif\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_CODECID_EVRC:\n\t\t\t\t\tfprintf(stderr, \"EVRC Audio - Sample Rate 8000 - 1 channel\\n\");\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_CODECID_SMV:\n\t\t\t\t\tfprintf(stderr, \"SMV Audio - Sample Rate 8000 - 1 channel\\n\");\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_CODECID_QCELP:\n\t\t\t\t\tfprintf(stderr, \"QCELP Audio - Sample Rate 8000 - 1 channel\\n\");\n\t\t\t\t\tbreak;\n\t\t\t\t/*packetVideo hack for EVRC...*/\n\t\t\t\tcase GF_CODECID_EVRC_PV:\n\t\t\t\t\tif (esd->decoderConfig->decoderSpecificInfo && (esd->decoderConfig->decoderSpecificInfo->dataLength==8)\n\t\t\t\t\t && !strnicmp((char *)esd->decoderConfig->decoderSpecificInfo->data, 
\"pvmm\", 4)) {\n\t\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\t\tfprintf(stderr, \"EVRC Audio (PacketVideo Mux) - Sample Rate 8000 - 1 channel\\n\");\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\tdefault:\n\t\t\t\t\tcodec_id = gf_codecid_from_oti(GF_STREAM_AUDIO, esd->decoderConfig->objectTypeIndication);\n\t\t\t\t\tif (codec_id) {\n\t\t\t\t\t\tfprintf(stderr, \"%s - Sample Rate %d - %d channel(s)\\n\", gf_codecid_name(codec_id), sr, nb_ch);\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\telse if (esd->decoderConfig->streamType==GF_STREAM_SCENE) {\n\t\t\t\tif (esd->decoderConfig->objectTypeIndication<=4) {\n\t\t\t\t\tGF_BIFSConfig *b_cfg = gf_odf_get_bifs_config(esd->decoderConfig->decoderSpecificInfo, esd->decoderConfig->objectTypeIndication);\n\t\t\t\t\tfprintf(stderr, \"BIFS Scene description - %s stream\\n\", b_cfg->elementaryMasks ? \"Animation\" : \"Command\");\n\t\t\t\t\tif (full_dump && !b_cfg->elementaryMasks) {\n\t\t\t\t\t\tfprintf(stderr, \"\\tWidth %d Height %d Pixel Metrics %s\\n\", b_cfg->pixelWidth, b_cfg->pixelHeight, b_cfg->pixelMetrics ? \"yes\" : \"no\");\n\t\t\t\t\t}\n\t\t\t\t\tgf_odf_desc_del((GF_Descriptor *)b_cfg);\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_AFX) {\n\t\t\t\t\tu8 tag = esd->decoderConfig->decoderSpecificInfo ? esd->decoderConfig->decoderSpecificInfo->data[0] : 0xFF;\n\t\t\t\t\tconst char *afxtype = gf_stream_type_afx_name(tag);\n\t\t\t\t\tfprintf(stderr, \"AFX Stream - type %s (%d)\\n\", afxtype, tag);\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_FONT) {\n\t\t\t\t\tfprintf(stderr, \"Font Data stream\\n\");\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_LASER) {\n\t\t\t\t\tGF_LASERConfig l_cfg;\n\t\t\t\t\tgf_odf_get_laser_config(esd->decoderConfig->decoderSpecificInfo, &l_cfg);\n\t\t\t\t\tfprintf(stderr, \"LASER Stream - %s\\n\", l_cfg.newSceneIndicator ? 
\"Full Scene\" : \"Scene Segment\");\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_TEXT_MPEG4) {\n\t\t\t\t\tfprintf(stderr, \"MPEG-4 Streaming Text stream\\n\");\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_SYNTHESIZED_TEXTURE) {\n\t\t\t\t\tfprintf(stderr, \"Synthetized Texture stream stream\\n\");\n\t\t\t\t} else {\n\t\t\t\t\tM4_LOG(GF_LOG_WARNING, (\"Unknown Systems stream OTI %d\\n\", esd->decoderConfig->objectTypeIndication));\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t/*sync is only valid if we open all tracks to take care of default MP4 sync..*/\n\t\t\tif (!full_dump) {\n\t\t\t\tif (dump_m4sys) {\n\t\t\t\t\tif (!esd->OCRESID || (esd->OCRESID == esd->ESID))\n\t\t\t\t\t\tfprintf(stderr, \"Self-synchronized\\n\");\n\t\t\t\t\telse\n\t\t\t\t\t\tfprintf(stderr, \"Synchronized on stream %d\\n\", esd->OCRESID);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"\\tDecoding Buffer size %d - Bitrate: avg %d - max %d kbps\\n\", esd->decoderConfig->bufferSizeDB, esd->decoderConfig->avgBitrate/1000, esd->decoderConfig->maxBitrate/1000);\n\t\t\t\tif (esd->dependsOnESID)\n\t\t\t\t\tfprintf(stderr, \"\\tDepends on stream %d for decoding\\n\", esd->dependsOnESID);\n\t\t\t\telse\n\t\t\t\t\tfprintf(stderr, \"\\tNo stream dependencies for decoding\\n\");\n\n\t\t\t\tfprintf(stderr, \"\\tStreamPriority %d\\n\", esd->streamPriority);\n\t\t\t\tif (esd->URLString) fprintf(stderr, \"\\tRemote Data Source %s\\n\", esd->URLString);\n\t\t\t}\n\t\t\tgf_odf_desc_del((GF_Descriptor *) esd);\n\t\t}\n\t} else if (msub_type == GF_ISOM_SUBTYPE_AV01) {\n\t\tGF_AV1Config *av1c;\n\t\tu32 w, h;\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\tfprintf(stderr, \"\\tAOM AV1 stream - Resolution %d x %d\\n\", w, h);\n\n\t\tav1c = gf_isom_av1_config_get(file, trackNum, 1);\n\t\tfprintf(stderr, \"\\tversion=%u, profile=%u, level_idx0=%u, tier=%u\\n\", (u32)av1c->version, (u32)av1c->seq_profile, (u32)av1c->seq_level_idx_0, 
(u32)av1c->seq_tier_0);\n\t\tfprintf(stderr, \"\\thigh_bitdepth=%u, twelve_bit=%u, monochrome=%u\\n\", (u32)av1c->high_bitdepth, (u32)av1c->twelve_bit, (u32)av1c->monochrome);\n\t\tfprintf(stderr, \"\\tchroma: subsampling_x=%u, subsampling_y=%u, sample_position=%u\\n\", (u32)av1c->chroma_subsampling_x, (u32)av1c->chroma_subsampling_y, (u32)av1c->chroma_sample_position);\n\n\t\tif (av1c->initial_presentation_delay_present)\n\t\t\tfprintf(stderr, \"\\tInitial presentation delay %u\\n\", (u32) av1c->initial_presentation_delay_minus_one+1);\n\n\t\tcount = gf_list_count(av1c->obu_array);\n\t\tfor (i=0; iobu_array, i);\n\t\t\tgf_sha1_csum((u8*)obu->obu, (u32)obu->obu_length, hash);\n\t\t\tfprintf(stderr, \"\\tOBU#%d %s hash: \", i+1, gf_av1_get_obu_name(obu->obu_type) );\n\t\t\tfor (j=0; j<20; j++) fprintf(stderr, \"%02X\", hash[j]);\n\t\t\tfprintf(stderr, \"\\n\");\n\t\t}\n\t\tgf_odf_av1_cfg_del(av1c);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_H263) {\n\t\tu32 w, h;\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\tfprintf(stderr, \"\\t3GPP H263 stream - Resolution %d x %d\\n\", w, h);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_MJP2) {\n\t\tu32 w, h;\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\tfprintf(stderr, \"\\tMotionJPEG2000 stream - Resolution %d x %d\\n\", w, h);\n\t} else if ((msub_type == GF_ISOM_SUBTYPE_3GP_AMR) || (msub_type == GF_ISOM_SUBTYPE_3GP_AMR_WB)) {\n\t\tfprintf(stderr, \"\\t3GPP AMR%s stream - Sample Rate %d - %d channel(s) %d bps\\n\", (msub_type == GF_ISOM_SUBTYPE_3GP_AMR_WB) ? 
\" Wide Band\" : \"\", sr, nb_ch, (u32) bps);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_EVRC) {\n\t\tfprintf(stderr, \"\\t3GPP EVRC stream - Sample Rate %d - %d channel(s) %d bps\\n\", sr, nb_ch, (u32) bps);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_QCELP) {\n\t\tfprintf(stderr, \"\\t3GPP QCELP stream - Sample Rate %d - %d channel(s) %d bps\\n\", sr, nb_ch, (u32) bps);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_MP3) {\n\t\tfprintf(stderr, \"\\tMPEG 1/2 Audio stream - Sample Rate %d - %d channel(s) %d bps\\n\", sr, nb_ch, (u32) bps);\n\t} else if ((msub_type == GF_ISOM_SUBTYPE_AC3) || (msub_type == GF_ISOM_SUBTYPE_EC3)) {\n\t\tu32 br = 0;\n\t\tconst char *lfe = \"\";\n\t\tBool is_ec3 = (msub_type == GF_ISOM_SUBTYPE_EC3) ? GF_TRUE : GF_FALSE;\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\tGF_AC3Config *ac3 = gf_isom_ac3_config_get(file, trackNum, 1);\n\t\tif (ac3) {\n\t\t\tnb_ch = gf_ac3_get_channels(ac3->streams[0].acmod);\n\t\t\tfor (i=0; istreams[0].nb_dep_sub; ++i) {\n\t\t\t\tassert(ac3->streams[0].nb_dep_sub == 1);\n\t\t\t\tnb_ch += gf_ac3_get_channels(ac3->streams[0].chan_loc);\n\t\t\t}\n\t\t\tif (ac3->streams[0].lfon) lfe = \".1\";\n\t\t\tbr = ac3->is_ec3 ? ac3->brcode : gf_ac3_get_bitrate(ac3->brcode);\n\t\t\tis_ec3 = ac3->is_ec3;\n\t\t\tgf_free(ac3);\n\t\t}\n#endif\n\t\tfprintf(stderr, \"\\t%s stream - Sample Rate %d - %d%s channel(s) - bitrate %d\\n\", is_ec3 ? 
\"EC-3\" : \"AC-3\", sr, nb_ch, lfe, br);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_SMV) {\n\t\tfprintf(stderr, \"\\t3GPP SMV stream - Sample Rate %d - %d channel(s) %d bits per samples\\n\", sr, nb_ch, (u32) bps);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_DIMS) {\n\t\tu32 w, h;\n\t\tGF_DIMSDescription dims;\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\n\t\tgf_isom_get_dims_description(file, trackNum, 1, &dims);\n\t\tfprintf(stderr, \"\\t3GPP DIMS stream - size %d x %d - Profile %d - Level %d\\n\", w, h, dims.profile, dims.level);\n\t\tfprintf(stderr, \"\\tpathComponents: %d - useFullRequestHost: %s\\n\", dims.pathComponents, dims.fullRequestHost ? \"yes\" : \"no\");\n\t\tfprintf(stderr, \"\\tstream type: %s - redundant: %s\\n\", dims.streamType ? \"primary\" : \"secondary\", (dims.containsRedundant==1) ? \"main\" : ((dims.containsRedundant==2) ? \"redundant\" : \"main+redundant\") );\n\t\tif (dims.textEncoding[0]) fprintf(stderr, \"\\ttext encoding %s\\n\", dims.textEncoding);\n\t\tif (dims.contentEncoding[0]) fprintf(stderr, \"\\tcontent encoding %s\\n\", dims.contentEncoding);\n\t\tif (dims.content_script_types) fprintf(stderr, \"\\tscript languages %s\\n\", dims.content_script_types);\n\t} else if (mtype==GF_ISOM_MEDIA_HINT) {\n\t\tu32 refTrack;\n\t\ts32 refCount = gf_isom_get_reference_count(file, trackNum, GF_ISOM_REF_HINT);\n\t\tif (refCount>0) {\n\t\t\tfprintf(stderr, \"Streaming Hint Track for track%s \", (refCount>1) ? 
\"s\" :\"\");\n\t\t\tfor (i=0; i<(u32) refCount; i++) {\n\t\t\t\tgf_isom_get_reference(file, trackNum, GF_ISOM_REF_HINT, i+1, &refTrack);\n\t\t\t\tif (i) fprintf(stderr, \" - \");\n\t\t\t\tfprintf(stderr, \"ID %d\", gf_isom_get_track_id(file, refTrack));\n\t\t\t}\n\t\t\tfprintf(stderr, \"\\n\");\n\t\t} else {\n\t\t\tfprintf(stderr, \"Streaming Hint Track (no refs)\\n\");\n\t\t}\n#ifndef GPAC_DISABLE_ISOM_HINTING\n\t\trefCount = gf_isom_get_payt_count(file, trackNum);\n\t\tif (refCount>0) {\n\t\t\tfor (i=0; i<(u32) refCount; i++) {\n\t\t\t\tconst char *name = gf_isom_get_payt_info(file, trackNum, i+1, &refTrack);\n\t\t\t\tfprintf(stderr, \"\\tPayload ID %d: type %s\\n\", refTrack, name);\n\t\t\t}\n\t\t}\n#endif\n\t} else if (mtype==GF_ISOM_MEDIA_FLASH) {\n\t\tfprintf(stderr, \"Macromedia Flash Movie\\n\");\n\t} else if ((mtype==GF_ISOM_MEDIA_TEXT) || (mtype==GF_ISOM_MEDIA_SUBT) || (mtype==GF_ISOM_MEDIA_MPEG_SUBT)) {\n\t\tu32 w, h;\n\t\ts16 l;\n\t\ts32 tx, ty;\n\t\tconst char *content_encoding = NULL;\n\t\tconst char *mime = NULL;\n\t\tconst char *config = NULL;\n\t\tconst char *_namespace = NULL;\n\t\tconst char *schema_loc = NULL;\n\t\tconst char *auxiliary_mimes = NULL;\n\t\tgf_isom_get_track_layout_info(file, trackNum, &w, &h, &tx, &ty, &l);\n\t\tif (msub_type == GF_ISOM_SUBTYPE_SBTT) {\n\t\t\tgf_isom_stxt_get_description(file, trackNum, 1, &mime, &content_encoding, &config);\n\t\t\tfprintf(stderr, \"Textual Subtitle Stream \");\n\t\t\tfprintf(stderr, \"- mime %s\", mime);\n\t\t\tif (content_encoding != NULL) {\n\t\t\t\tfprintf(stderr, \" - encoding %s\", content_encoding);\n\t\t\t}\n\t\t\tif (config != NULL) {\n\t\t\t\tfprintf(stderr, \" - %d bytes config\", (u32) strlen(config));\n\t\t\t}\n\t\t} else if (msub_type == GF_ISOM_SUBTYPE_STXT) {\n\t\t\tgf_isom_stxt_get_description(file, trackNum, 1, &mime, &content_encoding, &config);\n\t\t\tfprintf(stderr, \"Simple Timed Text Stream \");\n\t\t\tfprintf(stderr, \"- mime %s\", mime);\n\t\t\tif (content_encoding != 
NULL) {\n\t\t\t\tfprintf(stderr, \" - encoding %s\", content_encoding);\n\t\t\t}\n\t\t\tif (config != NULL) {\n\t\t\t\tfprintf(stderr, \" - %d bytes config\", (u32) strlen(config));\n\t\t\t}\n\t\t} else if (msub_type == GF_ISOM_SUBTYPE_STPP) {\n\t\t\tgf_isom_xml_subtitle_get_description(file, trackNum, 1, &_namespace, &schema_loc, &auxiliary_mimes);\n\t\t\tfprintf(stderr, \"XML Subtitle Stream \");\n\t\t\tfprintf(stderr, \"- namespace %s\", _namespace);\n\t\t\tif (schema_loc != NULL) {\n\t\t\t\tfprintf(stderr, \" - schema-location %s\", schema_loc);\n\t\t\t}\n\t\t\tif (auxiliary_mimes != NULL) {\n\t\t\t\tfprintf(stderr, \" - auxiliary-mime-types %s\", auxiliary_mimes);\n\t\t\t}\n\t\t} else {\n\t\t\tfprintf(stderr, \"Unknown Text Stream\");\n\t\t}\n\t\tfprintf(stderr, \"\\n Size %d x %d - Translation X=%d Y=%d - Layer %d\\n\", w, h, tx, ty, l);\n\t} else if (mtype == GF_ISOM_MEDIA_META) {\n\t\tconst char *content_encoding = NULL;\n\t\tif (msub_type == GF_ISOM_SUBTYPE_METT) {\n\t\t\tconst char *mime = NULL;\n\t\t\tconst char *config = NULL;\n\t\t\tgf_isom_stxt_get_description(file, trackNum, 1, &mime, &content_encoding, &config);\n\t\t\tfprintf(stderr, \"Textual Metadata Stream - mime %s\", mime);\n\t\t\tif (content_encoding != NULL) {\n\t\t\t\tfprintf(stderr, \" - encoding %s\", content_encoding);\n\t\t\t}\n\t\t\tif (config != NULL) {\n\t\t\t\tfprintf(stderr, \" - %d bytes config\", (u32) strlen(config));\n\t\t\t}\n\t\t\tfprintf(stderr, \"\\n\");\n\t\t} else if (msub_type == GF_ISOM_SUBTYPE_METX) {\n\t\t\tconst char *_namespace = NULL;\n\t\t\tconst char *schema_loc = NULL;\n\t\t\tgf_isom_get_xml_metadata_description(file, trackNum, 1, &_namespace, &schema_loc, &content_encoding);\n\t\t\tfprintf(stderr, \"XML Metadata Stream - namespace %s\", _namespace);\n\t\t\tif (content_encoding != NULL) {\n\t\t\t\tfprintf(stderr, \" - encoding %s\", content_encoding);\n\t\t\t}\n\t\t\tif (schema_loc != NULL) {\n\t\t\t\tfprintf(stderr, \" - schema-location %s\", 
schema_loc);\n\t\t\t}\n\t\t\tfprintf(stderr, \"\\n\");\n\t\t} else {\n\t\t\tfprintf(stderr, \"Unknown Metadata Stream\\n\");\n\t\t}\n\t} else if ((msub_type==GF_ISOM_SUBTYPE_VVC1) || (msub_type==GF_ISOM_SUBTYPE_VVI1)) {\n\t\tGF_VVCConfig *vvccfg;\n\t\tu32 w, h;\n#if !defined(GPAC_DISABLE_AV_PARSERS)\n\t\tVVCState *vvc_state;\n\t\tGF_SAFEALLOC(vvc_state, VVCState);\n\t\tif (vvc_state) vvc_state->sps_active_idx = -1;\n#endif\n\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\tfprintf(stderr, \"VVC Video - Visual Size %d x %d\\n\", w, h);\n\t\tvvccfg = gf_isom_vvc_config_get(file, trackNum, 1);\n\n\t\tif (!vvccfg) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Non-compliant VVC track: No vvcC found in sample description\\n\"));\n\t\t} else {\n\t\t\tdump_vvc_track_info(file, trackNum, vvccfg\n#if !defined(GPAC_DISABLE_AV_PARSERS)\n\t\t\t\t, vvc_state\n#endif\n\t\t\t);\n\t\t\tgf_odf_vvc_cfg_del(vvccfg);\n\t\t\tfprintf(stderr, \"\\n\");\n\t\t}\n#if !defined(GPAC_DISABLE_AV_PARSERS)\n\t\tif (vvc_state) gf_free(vvc_state);\n#endif\n\t} else if ((msub_type == GF_ISOM_SUBTYPE_MH3D_MHA1) || (msub_type == GF_ISOM_SUBTYPE_MH3D_MHA2)\n\t\t\t|| (msub_type == GF_ISOM_SUBTYPE_MH3D_MHM1) || (msub_type == GF_ISOM_SUBTYPE_MH3D_MHM2)\n\t) {\n\t\tconst u8 *compat_profiles;\n\t\tu32 nb_compat_profiles;\n\t\tBool valid = GF_FALSE;\n\t\tBool allow_inband = GF_FALSE;\n\t\tif ( (msub_type == GF_ISOM_SUBTYPE_MH3D_MHM1) || (msub_type == GF_ISOM_SUBTYPE_MH3D_MHM2))\n\t\t\tallow_inband = GF_TRUE;\n\n\t\tfprintf(stderr, \"\\tMPEG-H Audio stream - Sample Rate %d\\n\", sr);\n\n\t\tesd = gf_media_map_esd(file, trackNum, 1);\n\t\tif (!esd || !esd->decoderConfig || !esd->decoderConfig->decoderSpecificInfo\n\t\t\t|| !esd->decoderConfig->decoderSpecificInfo->data\n\t\t) {\n\t\t\tif (allow_inband) {\n\t\t\t\tGF_ISOSample *samp = gf_isom_get_sample(file, trackNum, 1, NULL);\n\t\t\t\tif (samp) {\n\t\t\t\t\tu64 ch_layout=0;\n\t\t\t\t\ts32 PL = 
gf_mpegh_get_mhas_pl(samp->data, samp->dataLength, &ch_layout);\n\t\t\t\t\tif (PL>=0) {\n\t\t\t\t\t\tfprintf(stderr, \"\\tProfileLevelIndication: 0x%02X\", PL);\n\t\t\t\t\t\tif (ch_layout)\n\t\t\t\t\t\t\tfprintf(stderr, \" - Reference Channel Layout %s\", gf_audio_fmt_get_layout_name(ch_layout) );\n\t\t\t\t\t\tfprintf(stderr, \"\\n\");\n\t\t\t\t\t}\n\t\t\t\t\tgf_isom_sample_del(&samp);\n\t\t\t\t}\n\t\t\t\tvalid = GF_TRUE;\n\t\t\t}\n\t\t} else if (esd->decoderConfig->decoderSpecificInfo->dataLength>=5) {\n\t\t\tfprintf(stderr, \"\\tProfileLevelIndication: 0x%02X - Reference Channel Layout %s\\n\", esd->decoderConfig->decoderSpecificInfo->data[1]\n\t\t\t\t, gf_audio_fmt_get_layout_name_from_cicp(esd->decoderConfig->decoderSpecificInfo->data[2])\n\t\t\t);\n\t\t\tvalid = GF_TRUE;\n\t\t}\n\t\tif (!valid) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Invalid MPEG-H audio config\\n\"));\n\t\t}\n\t\tif (esd) gf_odf_desc_del((GF_Descriptor *)esd);\n\t\tcompat_profiles = gf_isom_get_mpegh_compatible_profiles(file, trackNum, 1, &nb_compat_profiles);\n\t\tfor (i=0; idata, sample->dataLength, tmcd_flags, tmcd_num, tmcd_den, tmcd_fpt, szTimecode);\n\n\t\t\tgf_isom_sample_del(&sample);\n\t\t\tfprintf(stderr, \"\\tFirst timecode: %s\\n\", szTimecode);\n\t\t}\n\t} else {\n\t\tGF_GenericSampleDescription *udesc;\n\n\t\tudesc = gf_isom_get_generic_sample_description(file, trackNum, 1);\n\t\tif (udesc) {\n\t\t\tif (gf_isom_is_video_handler_type(mtype) ) {\n fprintf(stderr, \"%s - Compressor \\\"%s\\\" - Resolution %d x %d\\n\",\n\t\t\t\t\t\t( (mtype == GF_ISOM_MEDIA_VISUAL ? 
\"Visual\" : \"Auxiliary Video\") ),\n udesc->compressor_name, udesc->width, udesc->height);\n\t\t\t} else if (mtype==GF_ISOM_MEDIA_AUDIO) {\n\t\t\t\tfprintf(stderr, \"Audio - Sample Rate %d - %d channel(s)\\n\", udesc->samplerate, udesc->nb_channels);\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"Unknown media type\\n\");\n\t\t\t}\n\t\t\tif (udesc->vendor_code)\n\t\t\t\tfprintf(stderr, \"\\tVendor code \\\"%s\\\" - Version %d - revision %d\\n\", gf_4cc_to_str(udesc->vendor_code), udesc->version, udesc->revision);\n\n\t\t\tif (udesc->extension_buf) {\n\t\t\t\tfprintf(stderr, \"\\tCodec configuration data size: %d bytes\\n\", udesc->extension_buf_size);\n\t\t\t\tgf_free(udesc->extension_buf);\n\t\t\t}\n\t\t\tgf_free(udesc);\n\t\t} else {\n\t\t\tfprintf(stderr, \"Unknown track type\\n\");\n\t\t}\n\t}\n\n\n\t/*Crypto info*/\n\tif (gf_isom_is_track_encrypted(file, trackNum)) {\n\t\tconst char *scheme_URI, *KMS_URI;\n\t\tu32 scheme_type, version;\n\t\tu32 IV_size;\n\t\tBool use_sel_enc;\n\n\t\tif (gf_isom_is_ismacryp_media(file, trackNum, 1)) {\n\t\t\tgf_isom_get_ismacryp_info(file, trackNum, 1, NULL, &scheme_type, &version, &scheme_URI, &KMS_URI, &use_sel_enc, &IV_size, NULL);\n\t\t\tfprintf(stderr, \"\\n\\tProtected by ISMA E&A scheme %s (version %d)\\n\", gf_4cc_to_str(scheme_type), version);\n\t\t\tif (scheme_URI) fprintf(stderr, \"scheme location: %s\\n\", scheme_URI);\n\t\t\tif (KMS_URI) {\n\t\t\t\tif (!strnicmp(KMS_URI, \"(key)\", 5)) fprintf(stderr, \"\\tKMS location: key in file\\n\");\n\t\t\t\telse fprintf(stderr, \"\\tKMS location: %s\\n\", KMS_URI);\n\t\t\t}\n\t\t\tfprintf(stderr, \"\\tSelective Encryption: %s\\n\", use_sel_enc ? 
\"Yes\" : \"No\");\n\t\t\tif (IV_size) fprintf(stderr, \"\\tInitialization Vector size: %d bits\\n\", IV_size*8);\n\t\t} else if (gf_isom_is_omadrm_media(file, trackNum, 1)) {\n\t\t\tconst char *textHdrs;\n\t\t\tu32 enc_type, hdr_len;\n\t\t\tu64 orig_len;\n\t\t\tgf_isom_get_omadrm_info(file, trackNum, 1, NULL, &scheme_type, &version, &scheme_URI, &KMS_URI, &textHdrs, &hdr_len, &orig_len, &enc_type, &use_sel_enc, &IV_size, NULL);\n\t\t\tfprintf(stderr, \"\\n\\tProtected by OMA DRM scheme %s (version %d)\\n\", gf_4cc_to_str(scheme_type), version);\n\t\t\tfprintf(stderr, \"\\tRights Issuer: %s\\n\", KMS_URI);\n\t\t\tfprintf(stderr, \"\\tContent ID: %s\\n\", scheme_URI);\n\t\t\tif (textHdrs) {\n\t\t\t\tu32 offset;\n\t\t\t\tconst char *start = textHdrs;\n\t\t\t\tfprintf(stderr, \"\\tOMA Textual Headers:\\n\");\n\t\t\t\ti=0;\n\t\t\t\toffset=0;\n\t\t\t\twhile (iDTS+samp->CTS_Offset;\n\t\t\tsize += samp->dataLength;\n\t\t\trate += samp->dataLength;\n\t\t\tif (samp->DTS - time_slice > ts) {\n\t\t\t\tDouble max_tmp = rate * ts / (samp->DTS - time_slice);\n\t\t\t\tif (max_rate < max_tmp )\n\t\t\t\t\tmax_rate = max_tmp;\n\n\t\t\t\trate = 0;\n\t\t\t\ttime_slice = samp->DTS;\n\t\t\t}\n\t\t\tgf_isom_sample_del(&samp);\n\t\t}\n\t}\n\tfprintf(stderr, \"\\nComputed info from media:\\n\");\n\tif (csize && cdur) {\n\t\tfprintf(stderr, \"\\tConstant sample size %d bytes and dur %d / %d\\n\", csize, cdur, ts);\n\t}\n\tscale = 1000.0 / ts;\n\tdur = (u64) (scale * dur);\n\tfprintf(stderr, \"\\tTotal size \"LLU\" bytes - Total samples duration \"LLU\" ms\\n\", size, dur);\n\tif (!dur) {\n\t\tfprintf(stderr, \"\\n\");\n\t\treturn;\n\t}\n\t/*rate in byte, dur is in ms*/\n\trate = 8000.0 * size / dur;\n\n\tif (!max_rate)\n\t\tmax_rate = rate;\n\telse\n\t\tmax_rate *= 8.0;\n\n\tif (rate >= 1500) {\n\t\tfprintf(stderr, \"\\tAverage rate %.2f kbps - Max Rate %.2f kbps\\n\", rate/1000, max_rate/1000);\n\t} else {\n\t\tfprintf(stderr, \"\\tAverage rate %.2f bps - Max Rate %.2f bps\\n\", rate, 
max_rate);\n\t}\n\n\t{\n\t\tu32 dmin, dmax, davg, smin, smax, savg;\n\t\tgf_isom_get_chunks_infos(file, trackNum, &dmin, &davg, &dmax, &smin, &savg, &smax);\n\t\tfprintf(stderr, \"\\tChunk durations: min %d ms - max %d ms - average %d ms\\n\", (1000*dmin)/ts, (1000*dmax)/ts, (1000*davg)/ts);\n\t\tfprintf(stderr, \"\\tChunk sizes (bytes): min %d - max %d - average %d\\n\", smin, smax, savg);\n\t}\n\tfprintf(stderr, \"\\n\");\n\n\tcount = gf_isom_get_chapter_count(file, trackNum);\n\tif (count) {\n\t\tconst char *name;\n\t\tu64 time;\n\t\tfprintf(stderr, \"\\nChapters:\\n\");\n\t\tfor (j=0; jdecoderConfig) {\n\t\t\tM4_LOG(GF_LOG_WARNING, (\"WARNING: Broken MPEG-4 Track\\n\"));\n\t\t\tif (esd) gf_odf_desc_del((GF_Descriptor *)esd);\n\t\t} else {\n\t\t\tconst char *st = gf_stream_type_name(esd->decoderConfig->streamType);\n\t\t\tif (dump_m4sys) {\n\t\t\t\tif (st) {\n\t\t\t\t\tfprintf(stderr, \"MPEG-4 Config%s%s Stream - ObjectTypeIndication 0x%02x\\n\",\n\t\t\t\t\t\t\tfull_dump ? \"\\n\\t\" : \": \", st, esd->decoderConfig->objectTypeIndication);\n\t\t\t\t} else {\n\t\t\t\t\tfprintf(stderr, \"MPEG-4 Config%sStream Type 0x%02x - ObjectTypeIndication 0x%02x\\n\",\n\t\t\t\t\t\t\tfull_dump ? 
\"\\n\\t\" : \": \", esd->decoderConfig->streamType, esd->decoderConfig->objectTypeIndication);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (esd->decoderConfig->streamType==GF_STREAM_OD)\n\t\t\t\tis_od_track=1;\n\n\t\t\tif (esd->decoderConfig->streamType==GF_STREAM_VISUAL) {\n\t\t\t\tu32 w, h;\n\t\t\t\tu16 rvc_predef;\n\t\t\t\tw = h = 0;\n\t\t\t\tif (esd->decoderConfig->objectTypeIndication==GF_CODECID_MPEG4_PART2) {\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\tif (!esd->decoderConfig->decoderSpecificInfo) {\n#else\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tfprintf(stderr, \"MPEG-4 Visual Size %d x %d\\n\", w, h);\n#endif\n\t\t\t\t\t\tM4_LOG(GF_LOG_WARNING, (\"Non-compliant MPEG-4 Visual track: video_object_layer infos not found in sample description\\n\"));\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t} else {\n\t\t\t\t\t\tGF_M4VDecSpecInfo dsi;\n\t\t\t\t\t\tgf_m4v_get_config(esd->decoderConfig->decoderSpecificInfo->data, esd->decoderConfig->decoderSpecificInfo->dataLength, &dsi);\n\t\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\t\tw = dsi.width;\n\t\t\t\t\t\th = dsi.height;\n\t\t\t\t\t\tfprintf(stderr, \"MPEG-4 Visual Size %d x %d - %s\\n\", w, h, gf_m4v_get_profile_name(dsi.VideoPL));\n\t\t\t\t\t\tif (dsi.par_den && dsi.par_num) {\n\t\t\t\t\t\t\tu32 tw, th;\n\t\t\t\t\t\t\tgf_isom_get_track_layout_info(file, trackNum, &tw, &th, NULL, NULL, NULL);\n\t\t\t\t\t\t\tfprintf(stderr, \"Pixel Aspect Ratio %d:%d - Indicated track size %d x %d\\n\", dsi.par_num, dsi.par_den, tw, th);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n#endif\n\t\t\t\t} else if (gf_isom_get_avc_svc_type(file, trackNum, 1) != GF_ISOM_AVCTYPE_NONE) {\n\t\t\t\t\tGF_AVCConfig *avccfg, *svccfg, *mvccfg;\n\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tfprintf(stderr, \"AVC/H264 Video - Visual Size %d x %d\\n\", w, h);\n\n\t\t\t\t\tavccfg = gf_isom_avc_config_get(file, trackNum, 1);\n\t\t\t\t\tsvccfg = 
gf_isom_svc_config_get(file, trackNum, 1);\n\t\t\t\t\tmvccfg = gf_isom_mvc_config_get(file, trackNum, 1);\n\t\t\t\t\tif (!avccfg && !svccfg && !mvccfg) {\n\t\t\t\t\t\tM4_LOG(GF_LOG_ERROR, (\"\\tNon-compliant AVC track: SPS/PPS not found in sample description\\n\"));\n\t\t\t\t\t} else if (avccfg) {\n\t\t\t\t\t\tfprintf(stderr, \"\\tAVC Info: %d SPS - %d PPS\", gf_list_count(avccfg->sequenceParameterSets) , gf_list_count(avccfg->pictureParameterSets) );\n\t\t\t\t\t\tfprintf(stderr, \" - Profile %s @ Level %g\\n\", gf_avc_get_profile_name(avccfg->AVCProfileIndication), ((Double)avccfg->AVCLevelIndication)/10.0 );\n\t\t\t\t\t\tfprintf(stderr, \"\\tNAL Unit length bits: %d\\n\", 8*avccfg->nal_unit_size);\n\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t\tfor (i=0; isequenceParameterSets); i++) {\n\t\t\t\t\t\t\ts32 par_n, par_d;\n\t\t\t\t\t\t\tGF_NALUFFParam *slc = gf_list_get(avccfg->sequenceParameterSets, i);\n\t\t\t\t\t\t\tgf_avc_get_sps_info(slc->data, slc->size, NULL, NULL, NULL, &par_n, &par_d);\n\t\t\t\t\t\t\tif ((par_n>0) && (par_d>0)) {\n\t\t\t\t\t\t\t\tu32 tw, th;\n\t\t\t\t\t\t\t\tgf_isom_get_track_layout_info(file, trackNum, &tw, &th, NULL, NULL, NULL);\n\t\t\t\t\t\t\t\tfprintf(stderr, \"\\tPixel Aspect Ratio %d:%d - Indicated track size %d x %d\\n\", par_n, par_d, tw, th);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif (!full_dump) break;\n\t\t\t\t\t\t}\n#endif\n\n\t\t\t\t\t\tif (avccfg->chroma_bit_depth) {\n\t\t\t\t\t\t\tfprintf(stderr, \"\\tChroma format %s - Luma bit depth %d - chroma bit depth %d\\n\", gf_avc_hevc_get_chroma_format_name(avccfg->chroma_format), avccfg->luma_bit_depth, avccfg->chroma_bit_depth);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tprint_config_hash(avccfg->sequenceParameterSets, \"SPS\");\n\t\t\t\t\t\tprint_config_hash(avccfg->pictureParameterSets, \"PPS\");\n\n\t\t\t\t\t\tgf_odf_avc_cfg_del(avccfg);\n\t\t\t\t\t}\n\t\t\t\t\tif (svccfg) {\n\t\t\t\t\t\tfprintf(stderr, \"\\n\\tSVC Info: %d SPS - %d PPS - Profile %s @ Level %g\\n\", 
gf_list_count(svccfg->sequenceParameterSets) , gf_list_count(svccfg->pictureParameterSets), gf_avc_get_profile_name(svccfg->AVCProfileIndication), ((Double)svccfg->AVCLevelIndication)/10.0 );\n\t\t\t\t\t\tfprintf(stderr, \"\\tSVC NAL Unit length bits: %d\\n\", 8*svccfg->nal_unit_size);\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t\tfor (i=0; isequenceParameterSets); i++) {\n\t\t\t\t\t\t\tGF_NALUFFParam *slc = gf_list_get(svccfg->sequenceParameterSets, i);\n\t\t\t\t\t\t\tif (slc) {\n\t\t\t\t\t\t\t\ts32 par_n, par_d;\n\t\t\t\t\t\t\t\tu32 s_w, s_h, sps_id;\n\t\t\t\t\t\t\t\tgf_avc_get_sps_info(slc->data, slc->size, &sps_id, &s_w, &s_h, &par_n, &par_d);\n\t\t\t\t\t\t\t\tfprintf(stderr, \"\\t\\tSPS ID %d - Visual Size %d x %d\\n\", sps_id, s_w, s_h);\n\t\t\t\t\t\t\t\tif ((par_n>0) && (par_d>0)) {\n\t\t\t\t\t\t\t\t\tu32 tw, th;\n\t\t\t\t\t\t\t\t\tgf_isom_get_track_layout_info(file, trackNum, &tw, &th, NULL, NULL, NULL);\n\t\t\t\t\t\t\t\t\tfprintf(stderr, \"\\tPixel Aspect Ratio %d:%d - Indicated track size %d x %d\\n\", par_n, par_d, tw, th);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n#endif\n\t\t\t\t\t\tprint_config_hash(svccfg->sequenceParameterSets, \"SPS\");\n\t\t\t\t\t\tprint_config_hash(svccfg->pictureParameterSets, \"PPS\");\n\t\t\t\t\t\tprint_config_hash(svccfg->sequenceParameterSetExtensions, \"SPSEx\");\n\n\t\t\t\t\t\tgf_odf_avc_cfg_del(svccfg);\n\t\t\t\t\t}\n\n\t\t\t\t\tif (mvccfg) {\n\t\t\t\t\t\tfprintf(stderr, \"\\n\\tMVC Info: %d SPS - %d PPS - Profile %s @ Level %g\\n\", gf_list_count(mvccfg->sequenceParameterSets) , gf_list_count(mvccfg->pictureParameterSets), gf_avc_get_profile_name(mvccfg->AVCProfileIndication), ((Double)mvccfg->AVCLevelIndication)/10.0 );\n\t\t\t\t\t\tfprintf(stderr, \"\\tMVC NAL Unit length bits: %d\\n\", 8*mvccfg->nal_unit_size);\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t\tfor (i=0; isequenceParameterSets); i++) {\n\t\t\t\t\t\t\tGF_NALUFFParam *slc = gf_list_get(mvccfg->sequenceParameterSets, i);\n\t\t\t\t\t\t\tif (slc) 
{\n\t\t\t\t\t\t\t\tu32 s_w, s_h, sps_id;\n\t\t\t\t\t\t\t\ts32 par_n, par_d;\n\t\t\t\t\t\t\t\tgf_avc_get_sps_info(slc->data, slc->size, &sps_id, &s_w, &s_h, &par_n, &par_d);\n\t\t\t\t\t\t\t\tfprintf(stderr, \"\\t\\tSPS ID %d - Visual Size %d x %d\\n\", sps_id, s_w, s_h);\n\t\t\t\t\t\t\t\tif ((par_n>0) && (par_d>0)) {\n\t\t\t\t\t\t\t\t\tu32 tw, th;\n\t\t\t\t\t\t\t\t\tgf_isom_get_track_layout_info(file, trackNum, &tw, &th, NULL, NULL, NULL);\n\t\t\t\t\t\t\t\t\tfprintf(stderr, \"\\tPixel Aspect Ratio %d:%d - Indicated track size %d x %d\\n\", par_n, par_d, tw, th);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n#endif\n\t\t\t\t\t\tprint_config_hash(mvccfg->sequenceParameterSets, \"SPS\");\n\t\t\t\t\t\tprint_config_hash(mvccfg->pictureParameterSets, \"PPS\");\n\t\t\t\t\t\tgf_odf_avc_cfg_del(mvccfg);\n\t\t\t\t\t}\n\n\t\t\t\t} else if ((esd->decoderConfig->objectTypeIndication==GF_CODECID_HEVC)\n\t\t\t\t || (esd->decoderConfig->objectTypeIndication==GF_CODECID_LHVC)\n\t\t\t\t ) {\n\t\t\t\t\tGF_HEVCConfig *hevccfg, *lhvccfg;\n\t\t\t\t\tGF_OperatingPointsInformation *oinf;\n#if !defined(GPAC_DISABLE_AV_PARSERS) && !defined(GPAC_DISABLE_HEVC)\n\t\t\t\t\tHEVCState hevc_state;\n\t\t\t\t\tmemset(&hevc_state, 0, sizeof(HEVCState));\n\t\t\t\t\thevc_state.sps_active_idx = -1;\n#endif\n\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tfprintf(stderr, \"HEVC Video - Visual Size %d x %d\\n\", w, h);\n\t\t\t\t\thevccfg = gf_isom_hevc_config_get(file, trackNum, 1);\n\t\t\t\t\tlhvccfg = gf_isom_lhvc_config_get(file, trackNum, 1);\n\n\t\t\t\t\tif (msub_type==GF_ISOM_SUBTYPE_HVT1) {\n\t\t\t\t\t\tconst u8 *data;\n\t\t\t\t\t\tu32 tsize;\n\t\t\t\t\t\tu32 is_default, tx,ty,tw,th, id, independent;\n\t\t\t\t\t\tBool full_frame;\n\t\t\t\t\t\tif (gf_isom_get_tile_info(file, trackNum, 1, &is_default, &id, &independent, &full_frame, &tx, &ty, &tw, &th)) {\n\t\t\t\t\t\t\tfprintf(stderr, \"\\tHEVC Tile - ID %d 
independent %d (x,y,w,h)=%d,%d,%d,%d \\n\", id, independent, tx, ty, tw, th);\n\t\t\t\t\t\t} else if (gf_isom_get_sample_group_info(file, trackNum, 1, GF_ISOM_SAMPLE_GROUP_TRIF, &is_default, &data, &tsize)) {\n\t\t\t\t\t\t\tfprintf(stderr, \"\\tHEVC Tile track containing a tile set\\n\");\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tfprintf(stderr, \"\\tHEVC Tile track without tiling info\\n\");\n\t\t\t\t\t\t}\n\t\t\t\t\t} else if (!hevccfg && !lhvccfg) {\n\t\t\t\t\t\tM4_LOG(GF_LOG_ERROR, (\"\\tNon-compliant HEVC track: No hvcC or shcC found in sample description\\n\"));\n\t\t\t\t\t}\n\n\t\t\t\t\tif (gf_isom_get_reference_count(file, trackNum, GF_ISOM_REF_SABT)) {\n\t\t\t\t\t\tfprintf(stderr, \"\\tHEVC Tile base track\\n\");\n\t\t\t\t\t}\n\t\t\t\t\tif (hevccfg) {\n\t\t\t\t\t\tdump_hevc_track_info(file, trackNum, hevccfg\n#if !defined(GPAC_DISABLE_AV_PARSERS) && !defined(GPAC_DISABLE_HEVC)\n\t\t\t\t\t\t\t, &hevc_state\n#endif\n\t\t\t\t\t\t);\n\t\t\t\t\t\tgf_odf_hevc_cfg_del(hevccfg);\n\t\t\t\t\t\tfprintf(stderr, \"\\n\");\n\t\t\t\t\t}\n\t\t\t\t\tif (lhvccfg) {\n\t\t\t\t\t\tdump_hevc_track_info(file, trackNum, lhvccfg\n#if !defined(GPAC_DISABLE_AV_PARSERS) && !defined(GPAC_DISABLE_HEVC)\n\t\t\t\t\t\t\t, &hevc_state\n#endif\n\t\t\t\t\t\t);\n\t\t\t\t\t\tgf_odf_hevc_cfg_del(lhvccfg);\n\t\t\t\t\t}\n\n\t\t\t\t\tif (gf_isom_get_oinf_info(file, trackNum, &oinf)) {\n\t\t\t\t\t\tfprintf(stderr, \"\\n\\tOperating Points Information -\");\n\t\t\t\t\t\tfprintf(stderr, \" scalability_mask %d (\", oinf->scalability_mask);\n\t\t\t\t\t\tswitch (oinf->scalability_mask) {\n\t\t\t\t\t\tcase 2:\n\t\t\t\t\t\t\tfprintf(stderr, \"Multiview\");\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase 4:\n\t\t\t\t\t\t\tfprintf(stderr, \"Spatial scalability\");\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase 8:\n\t\t\t\t\t\t\tfprintf(stderr, \"Auxilary\");\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\tfprintf(stderr, \"unknown\");\n\t\t\t\t\t\t}\n\t\t\t\t\t\t//TODO: need to dump more info 
?\n\t\t\t\t\t\tfprintf(stderr, \") num_profile_tier_level %d \", gf_list_count(oinf->profile_tier_levels) );\n\t\t\t\t\t\tfprintf(stderr, \" num_operating_points %d dependency layers %d \\n\", gf_list_count(oinf->operating_points), gf_list_count(oinf->dependency_layers) );\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t/*OGG media*/\n\t\t\t\telse if (esd->decoderConfig->objectTypeIndication==GF_CODECID_THEORA) {\n\t\t\t\t\tchar *szName;\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tif (!strnicmp((char *) &esd->decoderConfig->decoderSpecificInfo->data[3], \"theora\", 6)) szName = \"Theora\";\n\t\t\t\t\telse szName = \"Unknown\";\n\t\t\t\t\tfprintf(stderr, \"Ogg/%s video / GPAC Mux - Visual Size %d x %d\\n\", szName, w, h);\n\t\t\t\t}\n\t\t\t\telse {\n\t\t\t\t\t//check if we know this codec from its OTI\n\t\t\t\t\tu32 codec_id = gf_codecid_from_oti(GF_STREAM_VISUAL, esd->decoderConfig->objectTypeIndication);\n\t\t\t\t\tif (codec_id) {\n\t\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\t\tfprintf(stderr, \"%s - Visual Size %d x %d\\n\", gf_codecid_name(codec_id), w, h);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif (!w || !h) {\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tfprintf(stderr, \"Visual Size %d x %d\\n\", w, h);\n\t\t\t\t}\n\t\t\t\tif (gf_isom_get_rvc_config(file, trackNum, 1, &rvc_predef, NULL, NULL, NULL)==GF_OK) {\n\t\t\t\t\tfprintf(stderr, \"Has RVC signaled - Predefined configuration %d\\n\", rvc_predef);\n\t\t\t\t}\n\n\t\t\t} else if (esd->decoderConfig->streamType==GF_STREAM_AUDIO) {\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\tGF_M4ADecSpecInfo a_cfg;\n\t\t\t\tGF_Err e;\n\t\t\t\tu32 oti;\n#endif\n\t\t\t\tu32 codec_id;\n\t\t\t\tBool is_mp2 = GF_FALSE;\n\t\t\t\tswitch (esd->decoderConfig->objectTypeIndication) {\n\t\t\t\tcase GF_CODECID_AAC_MPEG2_MP:\n\t\t\t\tcase 
GF_CODECID_AAC_MPEG2_LCP:\n\t\t\t\tcase GF_CODECID_AAC_MPEG2_SSRP:\n\t\t\t\t\tis_mp2 = GF_TRUE;\n\t\t\t\tcase GF_CODECID_AAC_MPEG4:\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\tif (!esd->decoderConfig->decoderSpecificInfo)\n\t\t\t\t\t\te = GF_NON_COMPLIANT_BITSTREAM;\n\t\t\t\t\telse\n\t\t\t\t\t\te = gf_m4a_get_config(esd->decoderConfig->decoderSpecificInfo->data, esd->decoderConfig->decoderSpecificInfo->dataLength, &a_cfg);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tif (e) {\n\t\t\t\t\t\tM4_LOG(GF_LOG_ERROR, (\"Corrupted AAC Config\\n\"));\n\t\t\t\t\t} else {\n\t\t\t\t\t\tchar *signaling = \"implicit\";\n\t\t\t\t\t\tchar *heaac = \"\";\n\t\t\t\t\t\tif (!is_mp2 && a_cfg.has_sbr) {\n\t\t\t\t\t\t\tif (a_cfg.has_ps) heaac = \"(HE-AAC v2) \";\n\t\t\t\t\t\t\telse heaac = \"(HE-AAC v1) \";\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (a_cfg.base_object_type==2) {\n\t\t\t\t\t\t\tif (a_cfg.has_ps || a_cfg.has_sbr)\n\t\t\t\t\t\t\t\tsignaling = \"backward compatible\";\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tsignaling = \"hierarchical\";\n\t\t\t\t\t\t}\n\t\t\t\t\t\tfprintf(stderr, \"%s (AOT=%d %s) %s- %d Channel(s) - SampleRate %d\", gf_m4a_object_type_name(a_cfg.base_object_type), a_cfg.base_object_type, signaling, heaac, a_cfg.nb_chan, a_cfg.base_sr);\n\t\t\t\t\t\tif (is_mp2) fprintf(stderr, \" (MPEG-2 Signaling)\");\n\t\t\t\t\t\tif (a_cfg.has_sbr) fprintf(stderr, \" - SBR: SampleRate %d Type %s\", a_cfg.sbr_sr, gf_m4a_object_type_name(a_cfg.sbr_object_type));\n\t\t\t\t\t\tif (a_cfg.has_ps) fprintf(stderr, \" - PS\");\n\t\t\t\t\t\tfprintf(stderr, \"\\n\");\n\t\t\t\t\t}\n#else\n\t\t\t\t\tfprintf(stderr, \"MPEG-2/4 Audio - %d Channels - SampleRate %d\\n\", nb_ch, sr);\n#endif\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_CODECID_MPEG2_PART3:\n\t\t\t\tcase GF_CODECID_MPEG_AUDIO:\n\t\t\t\t\tif (msub_type == GF_ISOM_SUBTYPE_MPEG4_CRYP) {\n\t\t\t\t\t\tfprintf(stderr, \"MPEG-1/2 Audio - %d Channels - SampleRate %d\\n\", nb_ch, sr);\n\t\t\t\t\t} else {\n#ifndef 
GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t\tGF_ISOSample *samp = gf_isom_get_sample(file, trackNum, 1, &oti);\n\t\t\t\t\t\tif (samp) {\n\t\t\t\t\t\t\tu32 mhdr = GF_4CC((u8)samp->data[0], (u8)samp->data[1], (u8)samp->data[2], (u8)samp->data[3]);\n\t\t\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\t\t\tfprintf(stderr, \"%s Audio - %d Channel(s) - SampleRate %d - Layer %d\\n\",\n\t\t\t\t\t\t\t gf_mp3_version_name(mhdr),\n\t\t\t\t\t\t\t gf_mp3_num_channels(mhdr),\n\t\t\t\t\t\t\t gf_mp3_sampling_rate(mhdr),\n\t\t\t\t\t\t\t gf_mp3_layer(mhdr)\n\t\t\t\t\t\t\t );\n\t\t\t\t\t\t\tgf_isom_sample_del(&samp);\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tM4_LOG(GF_LOG_ERROR, (\"Error fetching sample: %s\\n\", gf_error_to_string(gf_isom_last_error(file)) ));\n\t\t\t\t\t\t}\n#else\n\t\t\t\t\t\tfprintf(stderr, \"MPEG-1/2 Audio - %d Channels - SampleRate %d\\n\", nb_ch, sr);\n#endif\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_CODECID_EVRC:\n\t\t\t\t\tfprintf(stderr, \"EVRC Audio - Sample Rate 8000 - 1 channel\\n\");\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_CODECID_SMV:\n\t\t\t\t\tfprintf(stderr, \"SMV Audio - Sample Rate 8000 - 1 channel\\n\");\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_CODECID_QCELP:\n\t\t\t\t\tfprintf(stderr, \"QCELP Audio - Sample Rate 8000 - 1 channel\\n\");\n\t\t\t\t\tbreak;\n\t\t\t\t/*packetVideo hack for EVRC...*/\n\t\t\t\tcase GF_CODECID_EVRC_PV:\n\t\t\t\t\tif (esd->decoderConfig->decoderSpecificInfo && (esd->decoderConfig->decoderSpecificInfo->dataLength==8)\n\t\t\t\t\t && !strnicmp((char *)esd->decoderConfig->decoderSpecificInfo->data, \"pvmm\", 4)) {\n\t\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\t\tfprintf(stderr, \"EVRC Audio (PacketVideo Mux) - Sample Rate 8000 - 1 channel\\n\");\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\tdefault:\n\t\t\t\t\tcodec_id = gf_codecid_from_oti(GF_STREAM_AUDIO, esd->decoderConfig->objectTypeIndication);\n\t\t\t\t\tif (codec_id) {\n\t\t\t\t\t\tfprintf(stderr, \"%s - Sample Rate %d - %d channel(s)\\n\", 
gf_codecid_name(codec_id), sr, nb_ch);\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\telse if (esd->decoderConfig->streamType==GF_STREAM_SCENE) {\n\t\t\t\tif (esd->decoderConfig->objectTypeIndication<=4) {\n\t\t\t\t\tGF_BIFSConfig *b_cfg = gf_odf_get_bifs_config(esd->decoderConfig->decoderSpecificInfo, esd->decoderConfig->objectTypeIndication);\n\t\t\t\t\tfprintf(stderr, \"BIFS Scene description - %s stream\\n\", b_cfg->elementaryMasks ? \"Animation\" : \"Command\");\n\t\t\t\t\tif (full_dump && !b_cfg->elementaryMasks) {\n\t\t\t\t\t\tfprintf(stderr, \"\\tWidth %d Height %d Pixel Metrics %s\\n\", b_cfg->pixelWidth, b_cfg->pixelHeight, b_cfg->pixelMetrics ? \"yes\" : \"no\");\n\t\t\t\t\t}\n\t\t\t\t\tgf_odf_desc_del((GF_Descriptor *)b_cfg);\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_AFX) {\n\t\t\t\t\tu8 tag = esd->decoderConfig->decoderSpecificInfo ? esd->decoderConfig->decoderSpecificInfo->data[0] : 0xFF;\n\t\t\t\t\tconst char *afxtype = gf_stream_type_afx_name(tag);\n\t\t\t\t\tfprintf(stderr, \"AFX Stream - type %s (%d)\\n\", afxtype, tag);\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_FONT) {\n\t\t\t\t\tfprintf(stderr, \"Font Data stream\\n\");\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_LASER) {\n\t\t\t\t\tGF_LASERConfig l_cfg;\n\t\t\t\t\tgf_odf_get_laser_config(esd->decoderConfig->decoderSpecificInfo, &l_cfg);\n\t\t\t\t\tfprintf(stderr, \"LASER Stream - %s\\n\", l_cfg.newSceneIndicator ? 
\"Full Scene\" : \"Scene Segment\");\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_TEXT_MPEG4) {\n\t\t\t\t\tfprintf(stderr, \"MPEG-4 Streaming Text stream\\n\");\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_SYNTHESIZED_TEXTURE) {\n\t\t\t\t\tfprintf(stderr, \"Synthetized Texture stream stream\\n\");\n\t\t\t\t} else {\n\t\t\t\t\tM4_LOG(GF_LOG_WARNING, (\"Unknown Systems stream OTI %d\\n\", esd->decoderConfig->objectTypeIndication));\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t/*sync is only valid if we open all tracks to take care of default MP4 sync..*/\n\t\t\tif (!full_dump) {\n\t\t\t\tif (dump_m4sys) {\n\t\t\t\t\tif (!esd->OCRESID || (esd->OCRESID == esd->ESID))\n\t\t\t\t\t\tfprintf(stderr, \"Self-synchronized\\n\");\n\t\t\t\t\telse\n\t\t\t\t\t\tfprintf(stderr, \"Synchronized on stream %d\\n\", esd->OCRESID);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"\\tDecoding Buffer size %d - Bitrate: avg %d - max %d kbps\\n\", esd->decoderConfig->bufferSizeDB, esd->decoderConfig->avgBitrate/1000, esd->decoderConfig->maxBitrate/1000);\n\t\t\t\tif (esd->dependsOnESID)\n\t\t\t\t\tfprintf(stderr, \"\\tDepends on stream %d for decoding\\n\", esd->dependsOnESID);\n\t\t\t\telse\n\t\t\t\t\tfprintf(stderr, \"\\tNo stream dependencies for decoding\\n\");\n\n\t\t\t\tfprintf(stderr, \"\\tStreamPriority %d\\n\", esd->streamPriority);\n\t\t\t\tif (esd->URLString) fprintf(stderr, \"\\tRemote Data Source %s\\n\", esd->URLString);\n\t\t\t}\n\t\t\tgf_odf_desc_del((GF_Descriptor *) esd);\n\t\t}\n\t} else if (msub_type == GF_ISOM_SUBTYPE_AV01) {\n\t\tGF_AV1Config *av1c;\n\t\tu32 w, h;\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\tfprintf(stderr, \"\\tAOM AV1 stream - Resolution %d x %d\\n\", w, h);\n\n\t\tav1c = gf_isom_av1_config_get(file, trackNum, 1);\n\t\tif (!av1c) {\n\t\t\tfprintf(stderr, \"\\tCorrupted av1 config\\n\");\n\t\t} else {\n\t\t\tfprintf(stderr, \"\\tversion=%u, profile=%u, level_idx0=%u, tier=%u\\n\", 
(u32)av1c->version, (u32)av1c->seq_profile, (u32)av1c->seq_level_idx_0, (u32)av1c->seq_tier_0);\n\t\t\tfprintf(stderr, \"\\thigh_bitdepth=%u, twelve_bit=%u, monochrome=%u\\n\", (u32)av1c->high_bitdepth, (u32)av1c->twelve_bit, (u32)av1c->monochrome);\n\t\t\tfprintf(stderr, \"\\tchroma: subsampling_x=%u, subsampling_y=%u, sample_position=%u\\n\", (u32)av1c->chroma_subsampling_x, (u32)av1c->chroma_subsampling_y, (u32)av1c->chroma_sample_position);\n\n\t\t\tif (av1c->initial_presentation_delay_present)\n\t\t\t\tfprintf(stderr, \"\\tInitial presentation delay %u\\n\", (u32) av1c->initial_presentation_delay_minus_one+1);\n\n\t\t\tcount = gf_list_count(av1c->obu_array);\n\t\t\tfor (i=0; iobu_array, i);\n\t\t\t\tgf_sha1_csum((u8*)obu->obu, (u32)obu->obu_length, hash);\n\t\t\t\tfprintf(stderr, \"\\tOBU#%d %s hash: \", i+1, gf_av1_get_obu_name(obu->obu_type) );\n\t\t\t\tfor (j=0; j<20; j++) fprintf(stderr, \"%02X\", hash[j]);\n\t\t\t\tfprintf(stderr, \"\\n\");\n\t\t\t}\n\t\t\tgf_odf_av1_cfg_del(av1c);\n\t\t}\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_H263) {\n\t\tu32 w, h;\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\tfprintf(stderr, \"\\t3GPP H263 stream - Resolution %d x %d\\n\", w, h);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_MJP2) {\n\t\tu32 w, h;\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\tfprintf(stderr, \"\\tMotionJPEG2000 stream - Resolution %d x %d\\n\", w, h);\n\t} else if ((msub_type == GF_ISOM_SUBTYPE_3GP_AMR) || (msub_type == GF_ISOM_SUBTYPE_3GP_AMR_WB)) {\n\t\tfprintf(stderr, \"\\t3GPP AMR%s stream - Sample Rate %d - %d channel(s) %d bps\\n\", (msub_type == GF_ISOM_SUBTYPE_3GP_AMR_WB) ? 
\" Wide Band\" : \"\", sr, nb_ch, (u32) bps);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_EVRC) {\n\t\tfprintf(stderr, \"\\t3GPP EVRC stream - Sample Rate %d - %d channel(s) %d bps\\n\", sr, nb_ch, (u32) bps);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_QCELP) {\n\t\tfprintf(stderr, \"\\t3GPP QCELP stream - Sample Rate %d - %d channel(s) %d bps\\n\", sr, nb_ch, (u32) bps);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_MP3) {\n\t\tfprintf(stderr, \"\\tMPEG 1/2 Audio stream - Sample Rate %d - %d channel(s) %d bps\\n\", sr, nb_ch, (u32) bps);\n\t} else if ((msub_type == GF_ISOM_SUBTYPE_AC3) || (msub_type == GF_ISOM_SUBTYPE_EC3)) {\n\t\tu32 br = 0;\n\t\tconst char *lfe = \"\";\n\t\tBool is_ec3 = (msub_type == GF_ISOM_SUBTYPE_EC3) ? GF_TRUE : GF_FALSE;\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\tGF_AC3Config *ac3 = gf_isom_ac3_config_get(file, trackNum, 1);\n\t\tif (ac3) {\n\t\t\tnb_ch = gf_ac3_get_channels(ac3->streams[0].acmod);\n\t\t\tfor (i=0; istreams[0].nb_dep_sub; ++i) {\n\t\t\t\tassert(ac3->streams[0].nb_dep_sub == 1);\n\t\t\t\tnb_ch += gf_ac3_get_channels(ac3->streams[0].chan_loc);\n\t\t\t}\n\t\t\tif (ac3->streams[0].lfon) lfe = \".1\";\n\t\t\tbr = ac3->is_ec3 ? ac3->brcode : gf_ac3_get_bitrate(ac3->brcode);\n\t\t\tis_ec3 = ac3->is_ec3;\n\t\t\tgf_free(ac3);\n\t\t}\n#endif\n\t\tfprintf(stderr, \"\\t%s stream - Sample Rate %d - %d%s channel(s) - bitrate %d\\n\", is_ec3 ? 
\"EC-3\" : \"AC-3\", sr, nb_ch, lfe, br);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_SMV) {\n\t\tfprintf(stderr, \"\\t3GPP SMV stream - Sample Rate %d - %d channel(s) %d bits per samples\\n\", sr, nb_ch, (u32) bps);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_DIMS) {\n\t\tu32 w, h;\n\t\tGF_DIMSDescription dims;\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\n\t\tgf_isom_get_dims_description(file, trackNum, 1, &dims);\n\t\tfprintf(stderr, \"\\t3GPP DIMS stream - size %d x %d - Profile %d - Level %d\\n\", w, h, dims.profile, dims.level);\n\t\tfprintf(stderr, \"\\tpathComponents: %d - useFullRequestHost: %s\\n\", dims.pathComponents, dims.fullRequestHost ? \"yes\" : \"no\");\n\t\tfprintf(stderr, \"\\tstream type: %s - redundant: %s\\n\", dims.streamType ? \"primary\" : \"secondary\", (dims.containsRedundant==1) ? \"main\" : ((dims.containsRedundant==2) ? \"redundant\" : \"main+redundant\") );\n\t\tif (dims.textEncoding[0]) fprintf(stderr, \"\\ttext encoding %s\\n\", dims.textEncoding);\n\t\tif (dims.contentEncoding[0]) fprintf(stderr, \"\\tcontent encoding %s\\n\", dims.contentEncoding);\n\t\tif (dims.content_script_types) fprintf(stderr, \"\\tscript languages %s\\n\", dims.content_script_types);\n\t} else if (mtype==GF_ISOM_MEDIA_HINT) {\n\t\tu32 refTrack;\n\t\ts32 refCount = gf_isom_get_reference_count(file, trackNum, GF_ISOM_REF_HINT);\n\t\tif (refCount>0) {\n\t\t\tfprintf(stderr, \"Streaming Hint Track for track%s \", (refCount>1) ? 
\"s\" :\"\");\n\t\t\tfor (i=0; i<(u32) refCount; i++) {\n\t\t\t\tgf_isom_get_reference(file, trackNum, GF_ISOM_REF_HINT, i+1, &refTrack);\n\t\t\t\tif (i) fprintf(stderr, \" - \");\n\t\t\t\tfprintf(stderr, \"ID %d\", gf_isom_get_track_id(file, refTrack));\n\t\t\t}\n\t\t\tfprintf(stderr, \"\\n\");\n\t\t} else {\n\t\t\tfprintf(stderr, \"Streaming Hint Track (no refs)\\n\");\n\t\t}\n#ifndef GPAC_DISABLE_ISOM_HINTING\n\t\trefCount = gf_isom_get_payt_count(file, trackNum);\n\t\tif (refCount>0) {\n\t\t\tfor (i=0; i<(u32) refCount; i++) {\n\t\t\t\tconst char *name = gf_isom_get_payt_info(file, trackNum, i+1, &refTrack);\n\t\t\t\tfprintf(stderr, \"\\tPayload ID %d: type %s\\n\", refTrack, name);\n\t\t\t}\n\t\t}\n#endif\n\t} else if (mtype==GF_ISOM_MEDIA_FLASH) {\n\t\tfprintf(stderr, \"Macromedia Flash Movie\\n\");\n\t} else if ((mtype==GF_ISOM_MEDIA_TEXT) || (mtype==GF_ISOM_MEDIA_SUBT) || (mtype==GF_ISOM_MEDIA_MPEG_SUBT)) {\n\t\tu32 w, h;\n\t\ts16 l;\n\t\ts32 tx, ty;\n\t\tconst char *content_encoding = NULL;\n\t\tconst char *mime = NULL;\n\t\tconst char *config = NULL;\n\t\tconst char *_namespace = NULL;\n\t\tconst char *schema_loc = NULL;\n\t\tconst char *auxiliary_mimes = NULL;\n\t\tgf_isom_get_track_layout_info(file, trackNum, &w, &h, &tx, &ty, &l);\n\t\tif (msub_type == GF_ISOM_SUBTYPE_SBTT) {\n\t\t\tgf_isom_stxt_get_description(file, trackNum, 1, &mime, &content_encoding, &config);\n\t\t\tfprintf(stderr, \"Textual Subtitle Stream \");\n\t\t\tfprintf(stderr, \"- mime %s\", mime);\n\t\t\tif (content_encoding != NULL) {\n\t\t\t\tfprintf(stderr, \" - encoding %s\", content_encoding);\n\t\t\t}\n\t\t\tif (config != NULL) {\n\t\t\t\tfprintf(stderr, \" - %d bytes config\", (u32) strlen(config));\n\t\t\t}\n\t\t} else if (msub_type == GF_ISOM_SUBTYPE_STXT) {\n\t\t\tgf_isom_stxt_get_description(file, trackNum, 1, &mime, &content_encoding, &config);\n\t\t\tfprintf(stderr, \"Simple Timed Text Stream \");\n\t\t\tfprintf(stderr, \"- mime %s\", mime);\n\t\t\tif (content_encoding != 
NULL) {\n\t\t\t\tfprintf(stderr, \" - encoding %s\", content_encoding);\n\t\t\t}\n\t\t\tif (config != NULL) {\n\t\t\t\tfprintf(stderr, \" - %d bytes config\", (u32) strlen(config));\n\t\t\t}\n\t\t} else if (msub_type == GF_ISOM_SUBTYPE_STPP) {\n\t\t\tgf_isom_xml_subtitle_get_description(file, trackNum, 1, &_namespace, &schema_loc, &auxiliary_mimes);\n\t\t\tfprintf(stderr, \"XML Subtitle Stream \");\n\t\t\tfprintf(stderr, \"- namespace %s\", _namespace);\n\t\t\tif (schema_loc != NULL) {\n\t\t\t\tfprintf(stderr, \" - schema-location %s\", schema_loc);\n\t\t\t}\n\t\t\tif (auxiliary_mimes != NULL) {\n\t\t\t\tfprintf(stderr, \" - auxiliary-mime-types %s\", auxiliary_mimes);\n\t\t\t}\n\t\t} else {\n\t\t\tfprintf(stderr, \"Unknown Text Stream\");\n\t\t}\n\t\tfprintf(stderr, \"\\n Size %d x %d - Translation X=%d Y=%d - Layer %d\\n\", w, h, tx, ty, l);\n\t} else if (mtype == GF_ISOM_MEDIA_META) {\n\t\tconst char *content_encoding = NULL;\n\t\tif (msub_type == GF_ISOM_SUBTYPE_METT) {\n\t\t\tconst char *mime = NULL;\n\t\t\tconst char *config = NULL;\n\t\t\tgf_isom_stxt_get_description(file, trackNum, 1, &mime, &content_encoding, &config);\n\t\t\tfprintf(stderr, \"Textual Metadata Stream - mime %s\", mime);\n\t\t\tif (content_encoding != NULL) {\n\t\t\t\tfprintf(stderr, \" - encoding %s\", content_encoding);\n\t\t\t}\n\t\t\tif (config != NULL) {\n\t\t\t\tfprintf(stderr, \" - %d bytes config\", (u32) strlen(config));\n\t\t\t}\n\t\t\tfprintf(stderr, \"\\n\");\n\t\t} else if (msub_type == GF_ISOM_SUBTYPE_METX) {\n\t\t\tconst char *_namespace = NULL;\n\t\t\tconst char *schema_loc = NULL;\n\t\t\tgf_isom_get_xml_metadata_description(file, trackNum, 1, &_namespace, &schema_loc, &content_encoding);\n\t\t\tfprintf(stderr, \"XML Metadata Stream - namespace %s\", _namespace);\n\t\t\tif (content_encoding != NULL) {\n\t\t\t\tfprintf(stderr, \" - encoding %s\", content_encoding);\n\t\t\t}\n\t\t\tif (schema_loc != NULL) {\n\t\t\t\tfprintf(stderr, \" - schema-location %s\", 
schema_loc);\n\t\t\t}\n\t\t\tfprintf(stderr, \"\\n\");\n\t\t} else {\n\t\t\tfprintf(stderr, \"Unknown Metadata Stream\\n\");\n\t\t}\n\t} else if ((msub_type==GF_ISOM_SUBTYPE_VVC1) || (msub_type==GF_ISOM_SUBTYPE_VVI1)) {\n\t\tGF_VVCConfig *vvccfg;\n\t\tu32 w, h;\n#if !defined(GPAC_DISABLE_AV_PARSERS)\n\t\tVVCState *vvc_state;\n\t\tGF_SAFEALLOC(vvc_state, VVCState);\n\t\tif (vvc_state) vvc_state->sps_active_idx = -1;\n#endif\n\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\tfprintf(stderr, \"VVC Video - Visual Size %d x %d\\n\", w, h);\n\t\tvvccfg = gf_isom_vvc_config_get(file, trackNum, 1);\n\n\t\tif (!vvccfg) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Non-compliant VVC track: No vvcC found in sample description\\n\"));\n\t\t} else {\n\t\t\tdump_vvc_track_info(file, trackNum, vvccfg\n#if !defined(GPAC_DISABLE_AV_PARSERS)\n\t\t\t\t, vvc_state\n#endif\n\t\t\t);\n\t\t\tgf_odf_vvc_cfg_del(vvccfg);\n\t\t\tfprintf(stderr, \"\\n\");\n\t\t}\n#if !defined(GPAC_DISABLE_AV_PARSERS)\n\t\tif (vvc_state) gf_free(vvc_state);\n#endif\n\t} else if ((msub_type == GF_ISOM_SUBTYPE_MH3D_MHA1) || (msub_type == GF_ISOM_SUBTYPE_MH3D_MHA2)\n\t\t\t|| (msub_type == GF_ISOM_SUBTYPE_MH3D_MHM1) || (msub_type == GF_ISOM_SUBTYPE_MH3D_MHM2)\n\t) {\n\t\tconst u8 *compat_profiles;\n\t\tu32 nb_compat_profiles;\n\t\tBool valid = GF_FALSE;\n\t\tBool allow_inband = GF_FALSE;\n\t\tif ( (msub_type == GF_ISOM_SUBTYPE_MH3D_MHM1) || (msub_type == GF_ISOM_SUBTYPE_MH3D_MHM2))\n\t\t\tallow_inband = GF_TRUE;\n\n\t\tfprintf(stderr, \"\\tMPEG-H Audio stream - Sample Rate %d\\n\", sr);\n\n\t\tesd = gf_media_map_esd(file, trackNum, 1);\n\t\tif (!esd || !esd->decoderConfig || !esd->decoderConfig->decoderSpecificInfo\n\t\t\t|| !esd->decoderConfig->decoderSpecificInfo->data\n\t\t) {\n\t\t\tif (allow_inband) {\n\t\t\t\tGF_ISOSample *samp = gf_isom_get_sample(file, trackNum, 1, NULL);\n\t\t\t\tif (samp) {\n\t\t\t\t\tu64 ch_layout=0;\n\t\t\t\t\ts32 PL = 
gf_mpegh_get_mhas_pl(samp->data, samp->dataLength, &ch_layout);\n\t\t\t\t\tif (PL>=0) {\n\t\t\t\t\t\tfprintf(stderr, \"\\tProfileLevelIndication: 0x%02X\", PL);\n\t\t\t\t\t\tif (ch_layout)\n\t\t\t\t\t\t\tfprintf(stderr, \" - Reference Channel Layout %s\", gf_audio_fmt_get_layout_name(ch_layout) );\n\t\t\t\t\t\tfprintf(stderr, \"\\n\");\n\t\t\t\t\t}\n\t\t\t\t\tgf_isom_sample_del(&samp);\n\t\t\t\t}\n\t\t\t\tvalid = GF_TRUE;\n\t\t\t}\n\t\t} else if (esd->decoderConfig->decoderSpecificInfo->dataLength>=5) {\n\t\t\tfprintf(stderr, \"\\tProfileLevelIndication: 0x%02X - Reference Channel Layout %s\\n\", esd->decoderConfig->decoderSpecificInfo->data[1]\n\t\t\t\t, gf_audio_fmt_get_layout_name_from_cicp(esd->decoderConfig->decoderSpecificInfo->data[2])\n\t\t\t);\n\t\t\tvalid = GF_TRUE;\n\t\t}\n\t\tif (!valid) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Invalid MPEG-H audio config\\n\"));\n\t\t}\n\t\tif (esd) gf_odf_desc_del((GF_Descriptor *)esd);\n\t\tcompat_profiles = gf_isom_get_mpegh_compatible_profiles(file, trackNum, 1, &nb_compat_profiles);\n\t\tfor (i=0; idata, sample->dataLength, tmcd_flags, tmcd_num, tmcd_den, tmcd_fpt, szTimecode);\n\n\t\t\tgf_isom_sample_del(&sample);\n\t\t\tfprintf(stderr, \"\\tFirst timecode: %s\\n\", szTimecode);\n\t\t}\n\t} else {\n\t\tGF_GenericSampleDescription *udesc;\n\n\t\tudesc = gf_isom_get_generic_sample_description(file, trackNum, 1);\n\t\tif (udesc) {\n\t\t\tif (gf_isom_is_video_handler_type(mtype) ) {\n fprintf(stderr, \"%s - Compressor \\\"%s\\\" - Resolution %d x %d\\n\",\n\t\t\t\t\t\t( (mtype == GF_ISOM_MEDIA_VISUAL ? 
\"Visual\" : \"Auxiliary Video\") ),\n udesc->compressor_name, udesc->width, udesc->height);\n\t\t\t} else if (mtype==GF_ISOM_MEDIA_AUDIO) {\n\t\t\t\tfprintf(stderr, \"Audio - Sample Rate %d - %d channel(s)\\n\", udesc->samplerate, udesc->nb_channels);\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"Unknown media type\\n\");\n\t\t\t}\n\t\t\tif (udesc->vendor_code)\n\t\t\t\tfprintf(stderr, \"\\tVendor code \\\"%s\\\" - Version %d - revision %d\\n\", gf_4cc_to_str(udesc->vendor_code), udesc->version, udesc->revision);\n\n\t\t\tif (udesc->extension_buf) {\n\t\t\t\tfprintf(stderr, \"\\tCodec configuration data size: %d bytes\\n\", udesc->extension_buf_size);\n\t\t\t\tgf_free(udesc->extension_buf);\n\t\t\t}\n\t\t\tgf_free(udesc);\n\t\t} else {\n\t\t\tfprintf(stderr, \"Unknown track type\\n\");\n\t\t}\n\t}\n\n\n\t/*Crypto info*/\n\tif (gf_isom_is_track_encrypted(file, trackNum)) {\n\t\tconst char *scheme_URI, *KMS_URI;\n\t\tu32 scheme_type, version;\n\t\tu32 IV_size;\n\t\tBool use_sel_enc;\n\n\t\tif (gf_isom_is_ismacryp_media(file, trackNum, 1)) {\n\t\t\tgf_isom_get_ismacryp_info(file, trackNum, 1, NULL, &scheme_type, &version, &scheme_URI, &KMS_URI, &use_sel_enc, &IV_size, NULL);\n\t\t\tfprintf(stderr, \"\\n\\tProtected by ISMA E&A scheme %s (version %d)\\n\", gf_4cc_to_str(scheme_type), version);\n\t\t\tif (scheme_URI) fprintf(stderr, \"scheme location: %s\\n\", scheme_URI);\n\t\t\tif (KMS_URI) {\n\t\t\t\tif (!strnicmp(KMS_URI, \"(key)\", 5)) fprintf(stderr, \"\\tKMS location: key in file\\n\");\n\t\t\t\telse fprintf(stderr, \"\\tKMS location: %s\\n\", KMS_URI);\n\t\t\t}\n\t\t\tfprintf(stderr, \"\\tSelective Encryption: %s\\n\", use_sel_enc ? 
\"Yes\" : \"No\");\n\t\t\tif (IV_size) fprintf(stderr, \"\\tInitialization Vector size: %d bits\\n\", IV_size*8);\n\t\t} else if (gf_isom_is_omadrm_media(file, trackNum, 1)) {\n\t\t\tconst char *textHdrs;\n\t\t\tu32 enc_type, hdr_len;\n\t\t\tu64 orig_len;\n\t\t\tgf_isom_get_omadrm_info(file, trackNum, 1, NULL, &scheme_type, &version, &scheme_URI, &KMS_URI, &textHdrs, &hdr_len, &orig_len, &enc_type, &use_sel_enc, &IV_size, NULL);\n\t\t\tfprintf(stderr, \"\\n\\tProtected by OMA DRM scheme %s (version %d)\\n\", gf_4cc_to_str(scheme_type), version);\n\t\t\tfprintf(stderr, \"\\tRights Issuer: %s\\n\", KMS_URI);\n\t\t\tfprintf(stderr, \"\\tContent ID: %s\\n\", scheme_URI);\n\t\t\tif (textHdrs) {\n\t\t\t\tu32 offset;\n\t\t\t\tconst char *start = textHdrs;\n\t\t\t\tfprintf(stderr, \"\\tOMA Textual Headers:\\n\");\n\t\t\t\ti=0;\n\t\t\t\toffset=0;\n\t\t\t\twhile (iDTS+samp->CTS_Offset;\n\t\t\tsize += samp->dataLength;\n\t\t\trate += samp->dataLength;\n\t\t\tif (samp->DTS - time_slice > ts) {\n\t\t\t\tDouble max_tmp = rate * ts / (samp->DTS - time_slice);\n\t\t\t\tif (max_rate < max_tmp )\n\t\t\t\t\tmax_rate = max_tmp;\n\n\t\t\t\trate = 0;\n\t\t\t\ttime_slice = samp->DTS;\n\t\t\t}\n\t\t\tgf_isom_sample_del(&samp);\n\t\t}\n\t}\n\tfprintf(stderr, \"\\nComputed info from media:\\n\");\n\tif (csize && cdur) {\n\t\tfprintf(stderr, \"\\tConstant sample size %d bytes and dur %d / %d\\n\", csize, cdur, ts);\n\t}\n\tscale = 1000.0 / ts;\n\tdur = (u64) (scale * dur);\n\tfprintf(stderr, \"\\tTotal size \"LLU\" bytes - Total samples duration \"LLU\" ms\\n\", size, dur);\n\tif (!dur) {\n\t\tfprintf(stderr, \"\\n\");\n\t\treturn;\n\t}\n\t/*rate in byte, dur is in ms*/\n\trate = 8000.0 * size / dur;\n\n\tif (!max_rate)\n\t\tmax_rate = rate;\n\telse\n\t\tmax_rate *= 8.0;\n\n\tif (rate >= 1500) {\n\t\tfprintf(stderr, \"\\tAverage rate %.2f kbps - Max Rate %.2f kbps\\n\", rate/1000, max_rate/1000);\n\t} else {\n\t\tfprintf(stderr, \"\\tAverage rate %.2f bps - Max Rate %.2f bps\\n\", rate, 
max_rate);\n\t}\n\n\t{\n\t\tu32 dmin, dmax, davg, smin, smax, savg;\n\t\tgf_isom_get_chunks_infos(file, trackNum, &dmin, &davg, &dmax, &smin, &savg, &smax);\n\t\tfprintf(stderr, \"\\tChunk durations: min %d ms - max %d ms - average %d ms\\n\", (1000*dmin)/ts, (1000*dmax)/ts, (1000*davg)/ts);\n\t\tfprintf(stderr, \"\\tChunk sizes (bytes): min %d - max %d - average %d\\n\", smin, smax, savg);\n\t}\n\tfprintf(stderr, \"\\n\");\n\n\tcount = gf_isom_get_chapter_count(file, trackNum);\n\tif (count) {\n\t\tconst char *name;\n\t\tu64 time;\n\t\tfprintf(stderr, \"\\nChapters:\\n\");\n\t\tfor (j=0; jdecoderConfig) {\n\t\t\tfprintf(stderr, \"WARNING: Broken MPEG-4 Track\\n\");\n\t\t\tif (esd) gf_odf_desc_del((GF_Descriptor *)esd);\n\t\t} else {\n\t\t\tconst char *st = gf_stream_type_name(esd->decoderConfig->streamType);\n\t\t\tif (st) {\n\t\t\t\tfprintf(stderr, \"MPEG-4 Config%s%s Stream - ObjectTypeIndication 0x%02x\\n\",\n\t\t\t\t full_dump ? \"\\n\\t\" : \": \", st, esd->decoderConfig->objectTypeIndication);\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"MPEG-4 Config%sStream Type 0x%02x - ObjectTypeIndication 0x%02x\\n\",\n\t\t\t\t full_dump ? 
\"\\n\\t\" : \": \", esd->decoderConfig->streamType, esd->decoderConfig->objectTypeIndication);\n\t\t\t}\n\t\t\tif (esd->decoderConfig->streamType==GF_STREAM_OD)\n\t\t\t\tis_od_track=1;\n\n\t\t\tif (esd->decoderConfig->streamType==GF_STREAM_VISUAL) {\n\t\t\t\tu32 w, h;\n\t\t\t\tu16 rvc_predef;\n\t\t\t\tw = h = 0;\n\t\t\t\tif (esd->decoderConfig->objectTypeIndication==GF_CODECID_MPEG4_PART2) {\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\tif (!esd->decoderConfig->decoderSpecificInfo) {\n#else\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tfprintf(stderr, \"MPEG-4 Visual Size %d x %d\\n\", w, h);\n#endif\n\t\t\t\t\t\tfprintf(stderr, \"\\tNon-compliant MPEG-4 Visual track: video_object_layer infos not found in sample description\\n\");\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t} else {\n\t\t\t\t\t\tGF_M4VDecSpecInfo dsi;\n\t\t\t\t\t\tgf_m4v_get_config(esd->decoderConfig->decoderSpecificInfo->data, esd->decoderConfig->decoderSpecificInfo->dataLength, &dsi);\n\t\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\t\tw = dsi.width;\n\t\t\t\t\t\th = dsi.height;\n\t\t\t\t\t\tfprintf(stderr, \"MPEG-4 Visual Size %d x %d - %s\\n\", w, h, gf_m4v_get_profile_name(dsi.VideoPL));\n\t\t\t\t\t\tif (dsi.par_den && dsi.par_num) {\n\t\t\t\t\t\t\tu32 tw, th;\n\t\t\t\t\t\t\tgf_isom_get_track_layout_info(file, trackNum, &tw, &th, NULL, NULL, NULL);\n\t\t\t\t\t\t\tfprintf(stderr, \"Pixel Aspect Ratio %d:%d - Indicated track size %d x %d\\n\", dsi.par_num, dsi.par_den, tw, th);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n#endif\n\t\t\t\t} else if (gf_isom_get_avc_svc_type(file, trackNum, 1) != GF_ISOM_AVCTYPE_NONE) {\n\t\t\t\t\tGF_AVCConfig *avccfg, *svccfg, *mvccfg;\n\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tfprintf(stderr, \"AVC/H264 Video - Visual Size %d x %d\\n\", w, h);\n\n\t\t\t\t\tavccfg = gf_isom_avc_config_get(file, trackNum, 1);\n\t\t\t\t\tsvccfg = 
gf_isom_svc_config_get(file, trackNum, 1);\n\t\t\t\t\tmvccfg = gf_isom_mvc_config_get(file, trackNum, 1);\n\t\t\t\t\tif (!avccfg && !svccfg && !mvccfg) {\n\t\t\t\t\t\tfprintf(stderr, \"\\n\\n\\tNon-compliant AVC track: SPS/PPS not found in sample description\\n\");\n\t\t\t\t\t} else if (avccfg) {\n\t\t\t\t\t\tfprintf(stderr, \"\\tAVC Info: %d SPS - %d PPS\", gf_list_count(avccfg->sequenceParameterSets) , gf_list_count(avccfg->pictureParameterSets) );\n\t\t\t\t\t\tfprintf(stderr, \" - Profile %s @ Level %g\\n\", gf_avc_get_profile_name(avccfg->AVCProfileIndication), ((Double)avccfg->AVCLevelIndication)/10.0 );\n\t\t\t\t\t\tfprintf(stderr, \"\\tNAL Unit length bits: %d\\n\", 8*avccfg->nal_unit_size);\n\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t\tfor (i=0; isequenceParameterSets); i++) {\n\t\t\t\t\t\t\ts32 par_n, par_d;\n\t\t\t\t\t\t\tGF_AVCConfigSlot *slc = gf_list_get(avccfg->sequenceParameterSets, i);\n\t\t\t\t\t\t\tgf_avc_get_sps_info(slc->data, slc->size, NULL, NULL, NULL, &par_n, &par_d);\n\t\t\t\t\t\t\tif ((par_n>0) && (par_d>0)) {\n\t\t\t\t\t\t\t\tu32 tw, th;\n\t\t\t\t\t\t\t\tgf_isom_get_track_layout_info(file, trackNum, &tw, &th, NULL, NULL, NULL);\n\t\t\t\t\t\t\t\tfprintf(stderr, \"\\tPixel Aspect Ratio %d:%d - Indicated track size %d x %d\\n\", par_n, par_d, tw, th);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif (!full_dump) break;\n\t\t\t\t\t\t}\n#endif\n\n\t\t\t\t\t\tif (avccfg->chroma_bit_depth) {\n\t\t\t\t\t\t\tfprintf(stderr, \"\\tChroma format %s - Luma bit depth %d - chroma bit depth %d\\n\", gf_avc_hevc_get_chroma_format_name(avccfg->chroma_format), avccfg->luma_bit_depth, avccfg->chroma_bit_depth);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tprint_config_hash(avccfg->sequenceParameterSets, \"SPS\");\n\t\t\t\t\t\tprint_config_hash(avccfg->pictureParameterSets, \"PPS\");\n\n\t\t\t\t\t\tgf_odf_avc_cfg_del(avccfg);\n\t\t\t\t\t}\n\t\t\t\t\tif (svccfg) {\n\t\t\t\t\t\tfprintf(stderr, \"\\n\\tSVC Info: %d SPS - %d PPS - Profile %s @ Level %g\\n\", 
gf_list_count(svccfg->sequenceParameterSets) , gf_list_count(svccfg->pictureParameterSets), gf_avc_get_profile_name(svccfg->AVCProfileIndication), ((Double)svccfg->AVCLevelIndication)/10.0 );\n\t\t\t\t\t\tfprintf(stderr, \"\\tSVC NAL Unit length bits: %d\\n\", 8*svccfg->nal_unit_size);\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t\tfor (i=0; isequenceParameterSets); i++) {\n\t\t\t\t\t\t\tGF_AVCConfigSlot *slc = gf_list_get(svccfg->sequenceParameterSets, i);\n\t\t\t\t\t\t\tif (slc) {\n\t\t\t\t\t\t\t\ts32 par_n, par_d;\n\t\t\t\t\t\t\t\tu32 s_w, s_h, sps_id;\n\t\t\t\t\t\t\t\tgf_avc_get_sps_info(slc->data, slc->size, &sps_id, &s_w, &s_h, &par_n, &par_d);\n\t\t\t\t\t\t\t\tfprintf(stderr, \"\\t\\tSPS ID %d - Visual Size %d x %d\\n\", sps_id, s_w, s_h);\n\t\t\t\t\t\t\t\tif ((par_n>0) && (par_d>0)) {\n\t\t\t\t\t\t\t\t\tu32 tw, th;\n\t\t\t\t\t\t\t\t\tgf_isom_get_track_layout_info(file, trackNum, &tw, &th, NULL, NULL, NULL);\n\t\t\t\t\t\t\t\t\tfprintf(stderr, \"\\tPixel Aspect Ratio %d:%d - Indicated track size %d x %d\\n\", par_n, par_d, tw, th);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n#endif\n\t\t\t\t\t\tprint_config_hash(svccfg->sequenceParameterSets, \"SPS\");\n\t\t\t\t\t\tprint_config_hash(svccfg->pictureParameterSets, \"PPS\");\n\t\t\t\t\t\tprint_config_hash(svccfg->sequenceParameterSetExtensions, \"SPSEx\");\n\n\t\t\t\t\t\tgf_odf_avc_cfg_del(svccfg);\n\t\t\t\t\t}\n\n\t\t\t\t\tif (mvccfg) {\n\t\t\t\t\t\tfprintf(stderr, \"\\n\\tMVC Info: %d SPS - %d PPS - Profile %s @ Level %g\\n\", gf_list_count(mvccfg->sequenceParameterSets) , gf_list_count(mvccfg->pictureParameterSets), gf_avc_get_profile_name(mvccfg->AVCProfileIndication), ((Double)mvccfg->AVCLevelIndication)/10.0 );\n\t\t\t\t\t\tfprintf(stderr, \"\\tMVC NAL Unit length bits: %d\\n\", 8*mvccfg->nal_unit_size);\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t\tfor (i=0; isequenceParameterSets); i++) {\n\t\t\t\t\t\t\tGF_AVCConfigSlot *slc = gf_list_get(mvccfg->sequenceParameterSets, i);\n\t\t\t\t\t\t\tif (slc) 
{\n\t\t\t\t\t\t\t\tu32 s_w, s_h, sps_id;\n\t\t\t\t\t\t\t\ts32 par_n, par_d;\n\t\t\t\t\t\t\t\tgf_avc_get_sps_info(slc->data, slc->size, &sps_id, &s_w, &s_h, &par_n, &par_d);\n\t\t\t\t\t\t\t\tfprintf(stderr, \"\\t\\tSPS ID %d - Visual Size %d x %d\\n\", sps_id, s_w, s_h);\n\t\t\t\t\t\t\t\tif ((par_n>0) && (par_d>0)) {\n\t\t\t\t\t\t\t\t\tu32 tw, th;\n\t\t\t\t\t\t\t\t\tgf_isom_get_track_layout_info(file, trackNum, &tw, &th, NULL, NULL, NULL);\n\t\t\t\t\t\t\t\t\tfprintf(stderr, \"\\tPixel Aspect Ratio %d:%d - Indicated track size %d x %d\\n\", par_n, par_d, tw, th);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n#endif\n\t\t\t\t\t\tprint_config_hash(mvccfg->sequenceParameterSets, \"SPS\");\n\t\t\t\t\t\tprint_config_hash(mvccfg->pictureParameterSets, \"PPS\");\n\t\t\t\t\t\tgf_odf_avc_cfg_del(mvccfg);\n\t\t\t\t\t}\n\n\t\t\t\t} else if ((esd->decoderConfig->objectTypeIndication==GF_CODECID_HEVC)\n\t\t\t\t || (esd->decoderConfig->objectTypeIndication==GF_CODECID_LHVC)\n\t\t\t\t ) {\n\t\t\t\t\tGF_HEVCConfig *hevccfg, *lhvccfg;\n\t\t\t\t\tGF_OperatingPointsInformation *oinf;\n#if !defined(GPAC_DISABLE_AV_PARSERS) && !defined(GPAC_DISABLE_HEVC)\n\t\t\t\t\tHEVCState hevc_state;\n\t\t\t\t\tmemset(&hevc_state, 0, sizeof(HEVCState));\n\t\t\t\t\thevc_state.sps_active_idx = -1;\n#endif\n\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tfprintf(stderr, \"HEVC Video - Visual Size %d x %d\\n\", w, h);\n\t\t\t\t\thevccfg = gf_isom_hevc_config_get(file, trackNum, 1);\n\t\t\t\t\tlhvccfg = gf_isom_lhvc_config_get(file, trackNum, 1);\n\n\t\t\t\t\tif (msub_type==GF_ISOM_SUBTYPE_HVT1) {\n\t\t\t\t\t\tconst u8 *data;\n\t\t\t\t\t\tu32 tsize;\n\t\t\t\t\t\tu32 is_default, tx,ty,tw,th, id, independent;\n\t\t\t\t\t\tBool full_frame;\n\t\t\t\t\t\tif (gf_isom_get_tile_info(file, trackNum, 1, &is_default, &id, &independent, &full_frame, &tx, &ty, &tw, &th)) {\n\t\t\t\t\t\t\tfprintf(stderr, \"\\tHEVC Tile - ID %d 
independent %d (x,y,w,h)=%d,%d,%d,%d \\n\", id, independent, tx, ty, tw, th);\n\t\t\t\t\t\t} else if (gf_isom_get_sample_group_info(file, trackNum, 1, GF_ISOM_SAMPLE_GROUP_TRIF, &is_default, &data, &tsize)) {\n\t\t\t\t\t\t\tfprintf(stderr, \"\\tHEVC Tile track containing a tile set\\n\");\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tfprintf(stderr, \"\\tHEVC Tile track without tiling info\\n\");\n\t\t\t\t\t\t}\n\t\t\t\t\t} else if (!hevccfg && !lhvccfg) {\n\t\t\t\t\t\tfprintf(stderr, \"\\n\\n\\tNon-compliant HEVC track: No hvcC or shcC found in sample description\\n\");\n\t\t\t\t\t}\n\n\t\t\t\t\tif (gf_isom_get_reference_count(file, trackNum, GF_ISOM_REF_SABT)) {\n\t\t\t\t\t\tfprintf(stderr, \"\\tHEVC Tile base track\\n\");\n\t\t\t\t\t}\n\t\t\t\t\tif (hevccfg) {\n\t\t\t\t\t\tdump_hevc_track_info(file, trackNum, hevccfg\n#if !defined(GPAC_DISABLE_AV_PARSERS) && !defined(GPAC_DISABLE_HEVC)\n\t\t\t\t\t\t\t, &hevc_state\n#endif\n\t\t\t\t\t\t);\n\t\t\t\t\t\tgf_odf_hevc_cfg_del(hevccfg);\n\t\t\t\t\t\tfprintf(stderr, \"\\n\");\n\t\t\t\t\t}\n\t\t\t\t\tif (lhvccfg) {\n\t\t\t\t\t\tdump_hevc_track_info(file, trackNum, lhvccfg\n#if !defined(GPAC_DISABLE_AV_PARSERS) && !defined(GPAC_DISABLE_HEVC)\n\t\t\t\t\t\t\t, &hevc_state\n#endif\n\t\t\t\t\t\t);\n\t\t\t\t\t\tgf_odf_hevc_cfg_del(lhvccfg);\n\t\t\t\t\t}\n\n\t\t\t\t\tif (gf_isom_get_oinf_info(file, trackNum, &oinf)) {\n\t\t\t\t\t\tfprintf(stderr, \"\\n\\tOperating Points Information -\");\n\t\t\t\t\t\tfprintf(stderr, \" scalability_mask %d (\", oinf->scalability_mask);\n\t\t\t\t\t\tswitch (oinf->scalability_mask) {\n\t\t\t\t\t\tcase 2:\n\t\t\t\t\t\t\tfprintf(stderr, \"Multiview\");\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase 4:\n\t\t\t\t\t\t\tfprintf(stderr, \"Spatial scalability\");\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase 8:\n\t\t\t\t\t\t\tfprintf(stderr, \"Auxilary\");\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\tfprintf(stderr, \"unknown\");\n\t\t\t\t\t\t}\n\t\t\t\t\t\t//TODO: need to dump more info 
?\n\t\t\t\t\t\tfprintf(stderr, \") num_profile_tier_level %d \", gf_list_count(oinf->profile_tier_levels) );\n\t\t\t\t\t\tfprintf(stderr, \" num_operating_points %d dependency layers %d \\n\", gf_list_count(oinf->operating_points), gf_list_count(oinf->dependency_layers) );\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t/*OGG media*/\n\t\t\t\telse if (esd->decoderConfig->objectTypeIndication==GF_CODECID_THEORA) {\n\t\t\t\t\tchar *szName;\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tif (!strnicmp((char *) &esd->decoderConfig->decoderSpecificInfo->data[3], \"theora\", 6)) szName = \"Theora\";\n\t\t\t\t\telse szName = \"Unknown\";\n\t\t\t\t\tfprintf(stderr, \"Ogg/%s video / GPAC Mux - Visual Size %d x %d\\n\", szName, w, h);\n\t\t\t\t}\n\t\t\t\telse if (esd->decoderConfig->objectTypeIndication==GF_CODECID_JPEG) {\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tfprintf(stderr, \"JPEG Stream - Visual Size %d x %d\\n\", w, h);\n\t\t\t\t}\n\t\t\t\telse if (esd->decoderConfig->objectTypeIndication==GF_CODECID_PNG) {\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tfprintf(stderr, \"PNG Stream - Visual Size %d x %d\\n\", w, h);\n\t\t\t\t}\n\t\t\t\telse if (esd->decoderConfig->objectTypeIndication==GF_CODECID_J2K) {\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tfprintf(stderr, \"JPEG2000 Stream - Visual Size %d x %d\\n\", w, h);\n\t\t\t\t}\n\t\t\t\tif (!w || !h) {\n\t\t\t\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tfprintf(stderr, \"Visual Size %d x %d\\n\", w, h);\n\t\t\t\t}\n\t\t\t\tif (gf_isom_get_rvc_config(file, trackNum, 1, &rvc_predef, NULL, NULL, NULL)==GF_OK) {\n\t\t\t\t\tfprintf(stderr, \"Has RVC signaled - Predefined configuration %d\\n\", rvc_predef);\n\t\t\t\t}\n\n\t\t\t} else if (esd->decoderConfig->streamType==GF_STREAM_AUDIO) {\n#ifndef 
GPAC_DISABLE_AV_PARSERS\n\t\t\t\tGF_M4ADecSpecInfo a_cfg;\n\t\t\t\tGF_Err e;\n\t\t\t\tu32 oti;\n#endif\n\t\t\t\tBool is_mp2 = GF_FALSE;\n\t\t\t\tswitch (esd->decoderConfig->objectTypeIndication) {\n\t\t\t\tcase GF_CODECID_AAC_MPEG2_MP:\n\t\t\t\tcase GF_CODECID_AAC_MPEG2_LCP:\n\t\t\t\tcase GF_CODECID_AAC_MPEG2_SSRP:\n\t\t\t\t\tis_mp2 = GF_TRUE;\n\t\t\t\tcase GF_CODECID_AAC_MPEG4:\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\tif (!esd->decoderConfig->decoderSpecificInfo)\n\t\t\t\t\t\te = GF_NON_COMPLIANT_BITSTREAM;\n\t\t\t\t\telse\n\t\t\t\t\t\te = gf_m4a_get_config(esd->decoderConfig->decoderSpecificInfo->data, esd->decoderConfig->decoderSpecificInfo->dataLength, &a_cfg);\n\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\tif (e) fprintf(stderr, \"Corrupted AAC Config\\n\");\n\t\t\t\t\telse {\n\t\t\t\t\t\tchar *signaling = \"implicit\";\n\t\t\t\t\t\tchar *heaac = \"\";\n\t\t\t\t\t\tif (!is_mp2 && a_cfg.has_sbr) {\n\t\t\t\t\t\t\tif (a_cfg.has_ps) heaac = \"(HE-AAC v2) \";\n\t\t\t\t\t\t\telse heaac = \"(HE-AAC v1) \";\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (a_cfg.base_object_type==2) {\n\t\t\t\t\t\t\tif (a_cfg.has_ps || a_cfg.has_sbr)\n\t\t\t\t\t\t\t\tsignaling = \"backward compatible\";\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tsignaling = \"hierarchical\";\n\t\t\t\t\t\t}\n\t\t\t\t\t\tfprintf(stderr, \"%s (AOT=%d %s) %s- %d Channel(s) - SampleRate %d\", gf_m4a_object_type_name(a_cfg.base_object_type), a_cfg.base_object_type, signaling, heaac, a_cfg.nb_chan, a_cfg.base_sr);\n\t\t\t\t\t\tif (is_mp2) fprintf(stderr, \" (MPEG-2 Signaling)\");\n\t\t\t\t\t\tif (a_cfg.has_sbr) fprintf(stderr, \" - SBR: SampleRate %d Type %s\", a_cfg.sbr_sr, gf_m4a_object_type_name(a_cfg.sbr_object_type));\n\t\t\t\t\t\tif (a_cfg.has_ps) fprintf(stderr, \" - PS\");\n\t\t\t\t\t\tfprintf(stderr, \"\\n\");\n\t\t\t\t\t}\n#else\n\t\t\t\t\tfprintf(stderr, \"MPEG-2/4 Audio - %d Channels - SampleRate %d\\n\", nb_ch, sr);\n#endif\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_CODECID_MPEG2_PART3:\n\t\t\t\tcase 
GF_CODECID_MPEG_AUDIO:\n\t\t\t\t\tif (msub_type == GF_ISOM_SUBTYPE_MPEG4_CRYP) {\n\t\t\t\t\t\tfprintf(stderr, \"MPEG-1/2 Audio - %d Channels - SampleRate %d\\n\", nb_ch, sr);\n\t\t\t\t\t} else {\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\t\t\t\t\tGF_ISOSample *samp = gf_isom_get_sample(file, trackNum, 1, &oti);\n\t\t\t\t\t\tif (samp) {\n\t\t\t\t\t\t\tu32 mhdr = GF_4CC((u8)samp->data[0], (u8)samp->data[1], (u8)samp->data[2], (u8)samp->data[3]);\n\t\t\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\t\t\tfprintf(stderr, \"%s Audio - %d Channel(s) - SampleRate %d - Layer %d\\n\",\n\t\t\t\t\t\t\t gf_mp3_version_name(mhdr),\n\t\t\t\t\t\t\t gf_mp3_num_channels(mhdr),\n\t\t\t\t\t\t\t gf_mp3_sampling_rate(mhdr),\n\t\t\t\t\t\t\t gf_mp3_layer(mhdr)\n\t\t\t\t\t\t\t );\n\t\t\t\t\t\t\tgf_isom_sample_del(&samp);\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tfprintf(stderr, \"\\n\\tError fetching sample: %s\\n\", gf_error_to_string(gf_isom_last_error(file)) );\n\t\t\t\t\t\t}\n#else\n\t\t\t\t\t\tfprintf(stderr, \"MPEG-1/2 Audio - %d Channels - SampleRate %d\\n\", nb_ch, sr);\n#endif\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\t/*OGG media*/\n\t\t\t\tcase GF_CODECID_VORBIS:\n\t\t\t\t\tfprintf(stderr, \"Ogg/Vorbis audio / GPAC Mux - Sample Rate %d - %d channel(s)\\n\", sr, nb_ch);\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_CODECID_FLAC:\n\t\t\t\t\tfprintf(stderr, \"Ogg/FLAC audio / GPAC Mux - Sample Rate %d - %d channel(s)\\n\", sr, nb_ch);\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_CODECID_SPEEX:\n\t\t\t\t\tfprintf(stderr, \"Ogg/Speex audio / GPAC Mux - Sample Rate %d - %d channel(s)\\n\", sr, nb_ch);\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_CODECID_EVRC:\n\t\t\t\t\tfprintf(stderr, \"EVRC Audio - Sample Rate 8000 - 1 channel\\n\");\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_CODECID_SMV:\n\t\t\t\t\tfprintf(stderr, \"SMV Audio - Sample Rate 8000 - 1 channel\\n\");\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_CODECID_QCELP:\n\t\t\t\t\tfprintf(stderr, \"QCELP Audio - Sample Rate 8000 - 1 
channel\\n\");\n\t\t\t\t\tbreak;\n\t\t\t\t/*packetVideo hack for EVRC...*/\n\t\t\t\tcase GF_CODECID_EVRC_PV:\n\t\t\t\t\tif (esd->decoderConfig->decoderSpecificInfo && (esd->decoderConfig->decoderSpecificInfo->dataLength==8)\n\t\t\t\t\t && !strnicmp((char *)esd->decoderConfig->decoderSpecificInfo->data, \"pvmm\", 4)) {\n\t\t\t\t\t\tif (full_dump) fprintf(stderr, \"\\t\");\n\t\t\t\t\t\tfprintf(stderr, \"EVRC Audio (PacketVideo Mux) - Sample Rate 8000 - 1 channel\\n\");\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\telse if (esd->decoderConfig->streamType==GF_STREAM_SCENE) {\n\t\t\t\tif (esd->decoderConfig->objectTypeIndication<=4) {\n\t\t\t\t\tGF_BIFSConfig *b_cfg = gf_odf_get_bifs_config(esd->decoderConfig->decoderSpecificInfo, esd->decoderConfig->objectTypeIndication);\n\t\t\t\t\tfprintf(stderr, \"BIFS Scene description - %s stream\\n\", b_cfg->elementaryMasks ? \"Animation\" : \"Command\");\n\t\t\t\t\tif (full_dump && !b_cfg->elementaryMasks) {\n\t\t\t\t\t\tfprintf(stderr, \"\\tWidth %d Height %d Pixel Metrics %s\\n\", b_cfg->pixelWidth, b_cfg->pixelHeight, b_cfg->pixelMetrics ? \"yes\" : \"no\");\n\t\t\t\t\t}\n\t\t\t\t\tgf_odf_desc_del((GF_Descriptor *)b_cfg);\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_AFX) {\n\t\t\t\t\tu8 tag = esd->decoderConfig->decoderSpecificInfo ? esd->decoderConfig->decoderSpecificInfo->data[0] : 0xFF;\n\t\t\t\t\tconst char *afxtype = gf_stream_type_afx_name(tag);\n\t\t\t\t\tfprintf(stderr, \"AFX Stream - type %s (%d)\\n\", afxtype, tag);\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_FONT) {\n\t\t\t\t\tfprintf(stderr, \"Font Data stream\\n\");\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_LASER) {\n\t\t\t\t\tGF_LASERConfig l_cfg;\n\t\t\t\t\tgf_odf_get_laser_config(esd->decoderConfig->decoderSpecificInfo, &l_cfg);\n\t\t\t\t\tfprintf(stderr, \"LASER Stream - %s\\n\", l_cfg.newSceneIndicator ? 
\"Full Scene\" : \"Scene Segment\");\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_TEXT_MPEG4) {\n\t\t\t\t\tfprintf(stderr, \"MPEG-4 Streaming Text stream\\n\");\n\t\t\t\t} else if (esd->decoderConfig->objectTypeIndication==GF_CODECID_SYNTHESIZED_TEXTURE) {\n\t\t\t\t\tfprintf(stderr, \"Synthetized Texture stream stream\\n\");\n\t\t\t\t} else {\n\t\t\t\t\tfprintf(stderr, \"Unknown Systems stream OTI %d\\n\", esd->decoderConfig->objectTypeIndication);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t/*sync is only valid if we open all tracks to take care of default MP4 sync..*/\n\t\t\tif (!full_dump) {\n\t\t\t\tif (!esd->OCRESID || (esd->OCRESID == esd->ESID))\n\t\t\t\t\tfprintf(stderr, \"Self-synchronized\\n\");\n\t\t\t\telse\n\t\t\t\t\tfprintf(stderr, \"Synchronized on stream %d\\n\", esd->OCRESID);\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"\\tDecoding Buffer size %d - Bitrate: avg %d - max %d kbps\\n\", esd->decoderConfig->bufferSizeDB, esd->decoderConfig->avgBitrate/1000, esd->decoderConfig->maxBitrate/1000);\n\t\t\t\tif (esd->dependsOnESID)\n\t\t\t\t\tfprintf(stderr, \"\\tDepends on stream %d for decoding\\n\", esd->dependsOnESID);\n\t\t\t\telse\n\t\t\t\t\tfprintf(stderr, \"\\tNo stream dependencies for decoding\\n\");\n\n\t\t\t\tfprintf(stderr, \"\\tStreamPriority %d\\n\", esd->streamPriority);\n\t\t\t\tif (esd->URLString) fprintf(stderr, \"\\tRemote Data Source %s\\n\", esd->URLString);\n\t\t\t}\n\t\t\tgf_odf_desc_del((GF_Descriptor *) esd);\n\n\t\t\t/*ISMACryp*/\n\t\t\tif (msub_type == GF_ISOM_SUBTYPE_MPEG4_CRYP) {\n\t\t\t\tconst char *scheme_URI, *KMS_URI;\n\t\t\t\tu32 scheme_type, version;\n\t\t\t\tu32 IV_size;\n\t\t\t\tBool use_sel_enc;\n\n\t\t\t\tif (gf_isom_is_ismacryp_media(file, trackNum, 1)) {\n\t\t\t\t\tgf_isom_get_ismacryp_info(file, trackNum, 1, NULL, &scheme_type, &version, &scheme_URI, &KMS_URI, &use_sel_enc, &IV_size, NULL);\n\t\t\t\t\tfprintf(stderr, \"\\n*Encrypted stream - ISMA scheme %s (version %d)\\n\", gf_4cc_to_str(scheme_type), 
version);\n\t\t\t\t\tif (scheme_URI) fprintf(stderr, \"scheme location: %s\\n\", scheme_URI);\n\t\t\t\t\tif (KMS_URI) {\n\t\t\t\t\t\tif (!strnicmp(KMS_URI, \"(key)\", 5)) fprintf(stderr, \"KMS location: key in file\\n\");\n\t\t\t\t\t\telse fprintf(stderr, \"KMS location: %s\\n\", KMS_URI);\n\t\t\t\t\t}\n\t\t\t\t\tfprintf(stderr, \"Selective Encryption: %s\\n\", use_sel_enc ? \"Yes\" : \"No\");\n\t\t\t\t\tif (IV_size) fprintf(stderr, \"Initialization Vector size: %d bits\\n\", IV_size*8);\n\t\t\t\t} else if (gf_isom_is_omadrm_media(file, trackNum, 1)) {\n\t\t\t\t\tconst char *textHdrs;\n\t\t\t\t\tu32 enc_type, hdr_len;\n\t\t\t\t\tu64 orig_len;\n\t\t\t\t\tfprintf(stderr, \"\\n*Encrypted stream - OMA DRM\\n\");\n\t\t\t\t\tgf_isom_get_omadrm_info(file, trackNum, 1, NULL, NULL, NULL, &scheme_URI, &KMS_URI, &textHdrs, &hdr_len, &orig_len, &enc_type, &use_sel_enc, &IV_size, NULL);\n\t\t\t\t\tfprintf(stderr, \"Rights Issuer: %s\\n\", KMS_URI);\n\t\t\t\t\tfprintf(stderr, \"Content ID: %s\\n\", scheme_URI);\n\t\t\t\t\tif (textHdrs) {\n\t\t\t\t\t\tu32 offset;\n\t\t\t\t\t\tconst char *start = textHdrs;\n\t\t\t\t\t\tfprintf(stderr, \"OMA Textual Headers:\\n\");\n\t\t\t\t\t\ti=0;\n\t\t\t\t\t\toffset=0;\n\t\t\t\t\t\twhile (i>16, version&0xFFFF);\n\t\t\t\t\tif (IV_size)\n\t\t\t\t\t\tfprintf(stderr, \"Initialization Vector size: %d bits\\n\", IV_size*8);\n\t\t\t\t\tif (gf_isom_cenc_is_pattern_mode(file, trackNum, 1))\n\t\t\t\t\t\tfprintf(stderr, \"Pattern mode enabled\\n\");\n\n\t\t\t\t} else if(gf_isom_is_adobe_protection_media(file, trackNum, 1)) {\n\t\t\t\t\tgf_isom_get_adobe_protection_info(file, trackNum, 1, NULL, &scheme_type, &version, NULL);\n\t\t\t\t\tfprintf(stderr, \"\\n*Encrypted stream - Adobe protection scheme %s (version %d)\\n\", gf_4cc_to_str(scheme_type), version);\n\t\t\t\t} else {\n\t\t\t\t\tfprintf(stderr, \"\\n*Encrypted stream - unknown scheme %s\\n\", gf_4cc_to_str(gf_isom_is_media_encrypted(file, trackNum, 0) ));\n\t\t\t\t}\n\t\t\t}\n\n\t\t}\n\t} else if 
(msub_type == GF_ISOM_SUBTYPE_AV01) {\n\t\tGF_AV1Config *av1c;\n\t\tu32 w, h;\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\tfprintf(stderr, \"\\tAOM AV1 stream - Resolution %d x %d\\n\", w, h);\n\n\t\tav1c = gf_isom_av1_config_get(file, trackNum, 1);\n\t\tfprintf(stderr, \"\\tversion=%u, profile=%u, level_idx0=%u, tier=%u\\n\", (u32)av1c->version, (u32)av1c->seq_profile, (u32)av1c->seq_level_idx_0, (u32)av1c->seq_tier_0);\n\t\tfprintf(stderr, \"\\thigh_bitdepth=%u, twelve_bit=%u, monochrome=%u\\n\", (u32)av1c->high_bitdepth, (u32)av1c->twelve_bit, (u32)av1c->monochrome);\n\t\tfprintf(stderr, \"\\tchroma: subsampling_x=%u, subsampling_y=%u, sample_position=%u\\n\", (u32)av1c->chroma_subsampling_x, (u32)av1c->chroma_subsampling_y, (u32)av1c->chroma_sample_position);\n\n\t\tif (av1c->initial_presentation_delay_present)\n\t\t\tfprintf(stderr, \"\\tInitial presentation delay %u\\n\", (u32) av1c->initial_presentation_delay_minus_one+1);\n\n\t\tcount = gf_list_count(av1c->obu_array);\n\t\tfor (i=0; iobu_array, i);\n\t\t\tgf_sha1_csum((u8*)obu->obu, (u32)obu->obu_length, hash);\n\t\t\tfprintf(stderr, \"\\tOBU#%d %s hash: \", i+1, gf_av1_get_obu_name(obu->obu_type) );\n\t\t\tfor (j=0; j<20; j++) fprintf(stderr, \"%02X\", hash[j]);\n\t\t\tfprintf(stderr, \"\\n\");\n\t\t}\n\t\tgf_odf_av1_cfg_del(av1c);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_H263) {\n\t\tu32 w, h;\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\tfprintf(stderr, \"\\t3GPP H263 stream - Resolution %d x %d\\n\", w, h);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_MJP2) {\n\t\tu32 w, h;\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\t\tfprintf(stderr, \"\\tMotionJPEG2000 stream - Resolution %d x %d\\n\", w, h);\n\t} else if ((msub_type == GF_ISOM_SUBTYPE_3GP_AMR) || (msub_type == GF_ISOM_SUBTYPE_3GP_AMR_WB)) {\n\t\tfprintf(stderr, \"\\t3GPP AMR%s stream - Sample Rate %d - %d channel(s) %d bps\\n\", (msub_type == GF_ISOM_SUBTYPE_3GP_AMR_WB) ? 
\" Wide Band\" : \"\", sr, nb_ch, (u32) bps);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_EVRC) {\n\t\tfprintf(stderr, \"\\t3GPP EVRC stream - Sample Rate %d - %d channel(s) %d bps\\n\", sr, nb_ch, (u32) bps);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_QCELP) {\n\t\tfprintf(stderr, \"\\t3GPP QCELP stream - Sample Rate %d - %d channel(s) %d bps\\n\", sr, nb_ch, (u32) bps);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_MP3) {\n\t\tfprintf(stderr, \"\\tMPEG 1/2 Audio stream - Sample Rate %d - %d channel(s) %d bps\\n\", sr, nb_ch, (u32) bps);\n\t} else if ((msub_type == GF_ISOM_SUBTYPE_AC3) || (msub_type == GF_ISOM_SUBTYPE_EC3)) {\n\t\tu32 br = 0;\n\t\tconst char *lfe = \"\";\n\t\tBool is_ec3 = (msub_type == GF_ISOM_SUBTYPE_EC3) ? GF_TRUE : GF_FALSE;\n#ifndef GPAC_DISABLE_AV_PARSERS\n\t\tGF_AC3Config *ac3 = gf_isom_ac3_config_get(file, trackNum, 1);\n\t\tif (ac3) {\n\t\t\tnb_ch = gf_ac3_get_channels(ac3->streams[0].acmod);\n\t\t\tfor (i=0; istreams[0].nb_dep_sub; ++i) {\n\t\t\t\tassert(ac3->streams[0].nb_dep_sub == 1);\n\t\t\t\tnb_ch += gf_ac3_get_channels(ac3->streams[0].chan_loc);\n\t\t\t}\n\t\t\tif (ac3->streams[0].lfon) lfe = \".1\";\n\t\t\tbr = ac3->is_ec3 ? ac3->brcode : gf_ac3_get_bitrate(ac3->brcode);\n\t\t\tis_ec3 = ac3->is_ec3;\n\t\t\tgf_free(ac3);\n\t\t}\n#endif\n\t\tfprintf(stderr, \"\\t%s stream - Sample Rate %d - %d%s channel(s) - bitrate %d\\n\", is_ec3 ? 
\"EC-3\" : \"AC-3\", sr, nb_ch, lfe, br);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_SMV) {\n\t\tfprintf(stderr, \"\\t3GPP SMV stream - Sample Rate %d - %d channel(s) %d bits per samples\\n\", sr, nb_ch, (u32) bps);\n\t} else if (msub_type == GF_ISOM_SUBTYPE_3GP_DIMS) {\n\t\tu32 w, h;\n\t\tGF_DIMSDescription dims;\n\t\tgf_isom_get_visual_info(file, trackNum, 1, &w, &h);\n\n\t\tgf_isom_get_dims_description(file, trackNum, 1, &dims);\n\t\tfprintf(stderr, \"\\t3GPP DIMS stream - size %d x %d - Profile %d - Level %d\\n\", w, h, dims.profile, dims.level);\n\t\tfprintf(stderr, \"\\tpathComponents: %d - useFullRequestHost: %s\\n\", dims.pathComponents, dims.fullRequestHost ? \"yes\" : \"no\");\n\t\tfprintf(stderr, \"\\tstream type: %s - redundant: %s\\n\", dims.streamType ? \"primary\" : \"secondary\", (dims.containsRedundant==1) ? \"main\" : ((dims.containsRedundant==2) ? \"redundant\" : \"main+redundant\") );\n\t\tif (dims.textEncoding[0]) fprintf(stderr, \"\\ttext encoding %s\\n\", dims.textEncoding);\n\t\tif (dims.contentEncoding[0]) fprintf(stderr, \"\\tcontent encoding %s\\n\", dims.contentEncoding);\n\t\tif (dims.content_script_types) fprintf(stderr, \"\\tscript languages %s\\n\", dims.content_script_types);\n\t} else if (mtype==GF_ISOM_MEDIA_HINT) {\n\t\tu32 refTrack;\n\t\ts32 refCount = gf_isom_get_reference_count(file, trackNum, GF_ISOM_REF_HINT);\n\t\tif (refCount>0) {\n\t\t\tfprintf(stderr, \"Streaming Hint Track for track%s \", (refCount>1) ? 
\"s\" :\"\");\n\t\t\tfor (i=0; i<(u32) refCount; i++) {\n\t\t\t\tgf_isom_get_reference(file, trackNum, GF_ISOM_REF_HINT, i+1, &refTrack);\n\t\t\t\tif (i) fprintf(stderr, \" - \");\n\t\t\t\tfprintf(stderr, \"ID %d\", gf_isom_get_track_id(file, refTrack));\n\t\t\t}\n\t\t\tfprintf(stderr, \"\\n\");\n\t\t} else {\n\t\t\tfprintf(stderr, \"Streaming Hint Track (no refs)\\n\");\n\t\t}\n#ifndef GPAC_DISABLE_ISOM_HINTING\n\t\trefCount = gf_isom_get_payt_count(file, trackNum);\n\t\tif (refCount>0) {\n\t\t\tfor (i=0; i<(u32) refCount; i++) {\n\t\t\t\tconst char *name = gf_isom_get_payt_info(file, trackNum, i+1, &refTrack);\n\t\t\t\tfprintf(stderr, \"\\tPayload ID %d: type %s\\n\", refTrack, name);\n\t\t\t}\n\t\t}\n#endif\n\t} else if (mtype==GF_ISOM_MEDIA_FLASH) {\n\t\tfprintf(stderr, \"Macromedia Flash Movie\\n\");\n\t} else if ((mtype==GF_ISOM_MEDIA_TEXT) || (mtype==GF_ISOM_MEDIA_SUBT) || (mtype==GF_ISOM_MEDIA_MPEG_SUBT)) {\n\t\tu32 w, h;\n\t\ts16 l;\n\t\ts32 tx, ty;\n\t\tconst char *content_encoding = NULL;\n\t\tconst char *mime = NULL;\n\t\tconst char *config = NULL;\n\t\tconst char *_namespace = NULL;\n\t\tconst char *schema_loc = NULL;\n\t\tconst char *auxiliary_mimes = NULL;\n\t\tgf_isom_get_track_layout_info(file, trackNum, &w, &h, &tx, &ty, &l);\n\t\tif (msub_type == GF_ISOM_SUBTYPE_SBTT) {\n\t\t\tgf_isom_stxt_get_description(file, trackNum, 1, &mime, &content_encoding, &config);\n\t\t\tfprintf(stderr, \"Textual Subtitle Stream \");\n\t\t\tfprintf(stderr, \"- mime %s\", mime);\n\t\t\tif (content_encoding != NULL) {\n\t\t\t\tfprintf(stderr, \" - encoding %s\", content_encoding);\n\t\t\t}\n\t\t\tif (config != NULL) {\n\t\t\t\tfprintf(stderr, \" - %d bytes config\", (u32) strlen(config));\n\t\t\t}\n\t\t} else if (msub_type == GF_ISOM_SUBTYPE_STXT) {\n\t\t\tgf_isom_stxt_get_description(file, trackNum, 1, &mime, &content_encoding, &config);\n\t\t\tfprintf(stderr, \"Simple Timed Text Stream \");\n\t\t\tfprintf(stderr, \"- mime %s\", mime);\n\t\t\tif (content_encoding != 
NULL) {\n\t\t\t\tfprintf(stderr, \" - encoding %s\", content_encoding);\n\t\t\t}\n\t\t\tif (config != NULL) {\n\t\t\t\tfprintf(stderr, \" - %d bytes config\", (u32) strlen(config));\n\t\t\t}\n\t\t} else if (msub_type == GF_ISOM_SUBTYPE_STPP) {\n\t\t\tgf_isom_xml_subtitle_get_description(file, trackNum, 1, &_namespace, &schema_loc, &auxiliary_mimes);\n\t\t\tfprintf(stderr, \"XML Subtitle Stream \");\n\t\t\tfprintf(stderr, \"- namespace %s\", _namespace);\n\t\t\tif (schema_loc != NULL) {\n\t\t\t\tfprintf(stderr, \" - schema-location %s\", schema_loc);\n\t\t\t}\n\t\t\tif (auxiliary_mimes != NULL) {\n\t\t\t\tfprintf(stderr, \" - auxiliary-mime-types %s\", auxiliary_mimes);\n\t\t\t}\n\t\t} else {\n\t\t\tfprintf(stderr, \"Unknown Text Stream\");\n\t\t}\n\t\tfprintf(stderr, \"\\n Size %d x %d - Translation X=%d Y=%d - Layer %d\\n\", w, h, tx, ty, l);\n\t} else if (mtype == GF_ISOM_MEDIA_META) {\n\t\tconst char *content_encoding = NULL;\n\t\tif (msub_type == GF_ISOM_SUBTYPE_METT) {\n\t\t\tconst char *mime = NULL;\n\t\t\tconst char *config = NULL;\n\t\t\tgf_isom_stxt_get_description(file, trackNum, 1, &mime, &content_encoding, &config);\n\t\t\tfprintf(stderr, \"Textual Metadata Stream - mime %s\", mime);\n\t\t\tif (content_encoding != NULL) {\n\t\t\t\tfprintf(stderr, \" - encoding %s\", content_encoding);\n\t\t\t}\n\t\t\tif (config != NULL) {\n\t\t\t\tfprintf(stderr, \" - %d bytes config\", (u32) strlen(config));\n\t\t\t}\n\t\t\tfprintf(stderr, \"\\n\");\n\t\t} else if (msub_type == GF_ISOM_SUBTYPE_METX) {\n\t\t\tconst char *_namespace = NULL;\n\t\t\tconst char *schema_loc = NULL;\n\t\t\tgf_isom_get_xml_metadata_description(file, trackNum, 1, &_namespace, &schema_loc, &content_encoding);\n\t\t\tfprintf(stderr, \"XML Metadata Stream - namespace %s\", _namespace);\n\t\t\tif (content_encoding != NULL) {\n\t\t\t\tfprintf(stderr, \" - encoding %s\", content_encoding);\n\t\t\t}\n\t\t\tif (schema_loc != NULL) {\n\t\t\t\tfprintf(stderr, \" - schema-location %s\", 
schema_loc);\n\t\t\t}\n\t\t\tfprintf(stderr, \"\\n\");\n\t\t} else {\n\t\t\tfprintf(stderr, \"Unknown Metadata Stream\\n\");\n\t\t}\n\t} else if ((msub_type == GF_ISOM_SUBTYPE_MH3D_MHA1) || (msub_type == GF_ISOM_SUBTYPE_MH3D_MHA2)) {\n\t\tfprintf(stderr, \"\\tMPEG-H Audio stream - Sample Rate %d - %d channel(s) %d bps\\n\", sr, nb_ch, (u32) bps);\n\t\tGF_ESD *esd = gf_media_map_esd(file, trackNum, 1);\n\t\tif (!esd || !esd->decoderConfig || !esd->decoderConfig->decoderSpecificInfo\n\t\t|| !esd->decoderConfig->decoderSpecificInfo->data || (esd->decoderConfig->decoderSpecificInfo->dataLength<5)\n\t\t) {\n\t\t\tfprintf(stderr, \"\\tInvalid MPEG-H audio config\\n\");\n\t\t} else {\n\t\t\tfprintf(stderr, \"\\tProfileLevelIndication: %02X\\n\", esd->decoderConfig->decoderSpecificInfo->data[1]);\n\t\t}\n\t\tif (esd) gf_odf_desc_del((GF_Descriptor *)esd);\n\t} else if ((msub_type == GF_ISOM_SUBTYPE_MH3D_MHM1) || (msub_type == GF_ISOM_SUBTYPE_MH3D_MHM2)) {\n\t\tfprintf(stderr, \"\\tMPEG-H AudioMux stream - Sample Rate %d - %d channel(s) %d bps\\n\", sr, nb_ch, (u32) bps);\n\t\tGF_ESD *esd = gf_media_map_esd(file, trackNum, 1);\n\t\tif (!esd || !esd->decoderConfig || !esd->decoderConfig->decoderSpecificInfo\n\t\t\t|| !esd->decoderConfig->decoderSpecificInfo->data) {\n\t\t\tGF_ISOSample *samp = gf_isom_get_sample(file, trackNum, 1, NULL);\n\t\t\tif (samp) {\n\t\t\t\ts32 PL = gf_mpegh_get_mhas_pl(samp->data, samp->dataLength);\n\t\t\t\tif (PL>=0)\n\t\t\t\t\tfprintf(stderr, \"\\tProfileLevelIndication: %02X\\n\", PL);\n\t\t\t\tif (samp) gf_isom_sample_del(&samp);\n\t\t\t}\n\t\t} else if (esd->decoderConfig->decoderSpecificInfo->dataLength<5) {\n\t\t\tfprintf(stderr, \"\\tInvalid MPEG-H audio config\\n\");\n\t\t} else {\n\t\t\tfprintf(stderr, \"\\tProfileLevelIndication: %02X\\n\", esd->decoderConfig->decoderSpecificInfo->data[1]);\n\t\t}\n\t\tif (esd) gf_odf_desc_del((GF_Descriptor *)esd);\n\t} else {\n\t\tGF_GenericSampleDescription *udesc = 
gf_isom_get_generic_sample_description(file, trackNum, 1);\n\t\tif (udesc) {\n\t\t\tif (gf_isom_is_video_handler_type(mtype) ) {\n fprintf(stderr, \"%s Track - Compressor \\\"%s\\\" - Resolution %d x %d\\n\",\n (mtype == GF_ISOM_MEDIA_VISUAL?\"Visual\":\"Auxiliary Video\"),\n udesc->compressor_name, udesc->width, udesc->height);\n\t\t\t} else if (mtype==GF_ISOM_MEDIA_AUDIO) {\n\t\t\t\tfprintf(stderr, \"Audio Track - Sample Rate %d - %d channel(s)\\n\", udesc->samplerate, udesc->nb_channels);\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"Unknown media type\\n\");\n\t\t\t}\n\t\t\tif (udesc->vendor_code)\n\t\t\t\tfprintf(stderr, \"\\tVendor code \\\"%s\\\" - Version %d - revision %d\\n\", gf_4cc_to_str(udesc->vendor_code), udesc->version, udesc->revision);\n\n\t\t\tif (udesc->extension_buf) {\n\t\t\t\tfprintf(stderr, \"\\tCodec configuration data size: %d bytes\\n\", udesc->extension_buf_size);\n\t\t\t\tgf_free(udesc->extension_buf);\n\t\t\t}\n\t\t\tgf_free(udesc);\n\t\t} else {\n\t\t\tfprintf(stderr, \"Unknown track type\\n\");\n\t\t}\n\t}\n\n\t{\n\t\tchar szCodec[RFC6381_CODEC_NAME_SIZE_MAX];\n\t\tGF_Err e = gf_media_get_rfc_6381_codec_name(file, trackNum, szCodec, GF_FALSE, GF_FALSE);\n\t\tif (e == GF_OK) {\n\t\t\tfprintf(stderr, \"\\tRFC6381 Codec Parameters: %s\\n\", szCodec);\n\t\t}\n\t}\n\n\tDumpMetaItem(file, 0, trackNum, \"Track Meta\");\n\n\tgf_isom_get_track_switch_group_count(file, trackNum, &alt_group, &nb_groups);\n\tif (alt_group) {\n\t\tfprintf(stderr, \"Alternate Group ID %d\\n\", alt_group);\n\t\tfor (i=0; iDTS+samp->CTS_Offset;\n\t\t\tsize += samp->dataLength;\n\t\t\trate += samp->dataLength;\n\t\t\tif (samp->DTS - time_slice>ts) {\n\t\t\t\tif (max_rate < rate) max_rate = rate;\n\t\t\t\trate = 0;\n\t\t\t\ttime_slice = samp->DTS;\n\t\t\t}\n\t\t\tgf_isom_sample_del(&samp);\n\t\t}\n\t}\n\tfprintf(stderr, \"\\nComputed info from media:\\n\");\n\tif (csize && cdur) {\n\t\tfprintf(stderr, \"\\tConstant sample size %d bytes and dur %d / %d\\n\", csize, cdur, 
ts);\n\t}\n\tscale = 1000;\n\tscale /= ts;\n\tdur = (u64) (scale * (s64)dur);\n\tfprintf(stderr, \"\\tTotal size \"LLU\" bytes - Total samples duration \"LLU\" ms\\n\", size, dur);\n\tif (!dur) {\n\t\tfprintf(stderr, \"\\n\");\n\t\treturn;\n\t}\n\t/*rate in byte, dur is in ms*/\n\trate = (u32) ((size * 8 * 1000) / dur);\n\n\tif (!max_rate)\n\t\tmax_rate = rate;\n\telse\n\t\tmax_rate *= 8;\n\n\tif (rate >= 1500) {\n\t\trate /= 1000;\n\t\tmax_rate /= 1000;\n\t\tfprintf(stderr, \"\\tAverage rate %d kbps - Max Rate %d kbps\\n\", rate, max_rate);\n\t} else {\n\t\tfprintf(stderr, \"\\tAverage rate %d bps - Max Rate %d bps\\n\", rate, max_rate);\n\t}\n\n\t{\n\t\tu32 dmin, dmax, davg, smin, smax, savg;\n\t\tgf_isom_get_chunks_infos(file, trackNum, &dmin, &davg, &dmax, &smin, &savg, &smax);\n\t\tfprintf(stderr, \"\\tChunk durations: min %d ms - max %d ms - average %d ms\\n\", (1000*dmin)/ts, (1000*dmax)/ts, (1000*davg)/ts);\n\t\tfprintf(stderr, \"\\tChunk sizes (bytes): min %d - max %d - average %d\\n\", smin, smax, savg);\n\t}\n\tfprintf(stderr, \"\\n\");\n\n\tcount = gf_isom_get_chapter_count(file, trackNum);\n\tif (count) {\n\t\tconst char *name;\n\t\tu64 time;\n\t\tfprintf(stderr, \"\\nChapters:\\n\");\n\t\tfor (j=0; jinformation->sampleTable->SampleDescription;\n\tif (!stsd) return GF_ISOM_INVALID_FILE;\n\tif (!SampleDescIndex || (SampleDescIndex > gf_list_count(stsd->child_boxes)) ) return GF_BAD_PARAM;\n\n\tentry = (GF_SampleEntryBox*)gf_list_get(stsd->child_boxes, SampleDescIndex - 1);\n\tif (!entry) return GF_ISOM_INVALID_FILE;\n\n\tif (out_entry) *out_entry = entry;\n\tif (dataRefIndex) *dataRefIndex = entry->dataReferenceIndex;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 252065104214927658670904087775534060759, "size": 18, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231626 }, { "func": "static Bool nalu_cleanup_config(GF_List *param_array, Bool set_inband, Bool 
keep_xps)\n{\n\tu32 i;\n\tBool array_incomplete = set_inband;\n\tif (!param_array) return 0;\n\n\tfor (i=0; iarray_completeness = 0;\n\t\t\tif (keep_xps) {\n\t\t\t\tarray_incomplete=1;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\twhile (gf_list_count(ar->nalus)) {\n\t\t\t\tGF_NALUFFParam *sl = (GF_NALUFFParam*)gf_list_get(ar->nalus, 0);\n\t\t\t\tgf_list_rem(ar->nalus, 0);\n\t\t\t\tif (sl->data) gf_free(sl->data);\n\t\t\t\tgf_free(sl);\n\t\t\t}\n\t\t\tgf_list_del(ar->nalus);\n\t\t\tgf_free(ar);\n\t\t\tar=NULL;\n\t\t\tgf_list_rem(param_array, i);\n\t\t\ti--;\n\t\t\tcontinue;\n\t\t}\n\t\tif (ar && !ar->array_completeness)\n\t\t\tarray_incomplete = 1;\n\t}\n\treturn array_incomplete;\n}", "project": "gpac", "hash": 283024104036097330961834881460097019789, "size": 35, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237606 }, { "func": "GF_Err stbl_SetRedundant(GF_SampleTableBox *stbl, u32 sampleNumber)\n{\n\tif (stbl->SampleDep->sampleCount < sampleNumber) {\n\t\treturn stbl_AddRedundant(stbl, sampleNumber);\n\t} else {\n\t\tstbl->SampleDep->sample_info[sampleNumber-1] = 0x29;\n\t\treturn GF_OK;\n\t}\n}", "project": "gpac", "hash": 5949309286460583304865224417091189301, "size": 9, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267888 }, { "func": "GF_Err gf_isom_make_interleave_ex(GF_ISOFile *file, GF_Fraction *fTimeInSec)\n{\n\tGF_Err e;\n\tu64 itime;\n\tif (!file || !fTimeInSec->den || (fTimeInSec->num<=0)) return GF_BAD_PARAM;\n\n\titime = (u64) fTimeInSec->num;\n\titime *= gf_isom_get_timescale(file);\n\titime /= fTimeInSec->den;\n\tif (file->storageMode==GF_ISOM_STORE_FASTSTART) {\n\t\treturn gf_isom_set_interleave_time(file, (u32) itime);\n\t}\n\tif (gf_isom_get_mode(file) < GF_ISOM_OPEN_EDIT) return GF_BAD_PARAM;\n\te = gf_isom_set_storage_mode(file, GF_ISOM_STORE_DRIFT_INTERLEAVED);\n\tif (e) return 
e;\n\treturn gf_isom_set_interleave_time(file, (u32) itime);\n}", "project": "gpac", "hash": 243528718899356206286746398870858491242, "size": 17, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267294 }, { "func": "GF_Err gf_hinter_finalize(GF_ISOFile *file, GF_SDP_IODProfile IOD_Profile, u32 bandwidth)\n{\n\tu32 i, sceneT, odT, descIndex, size, size64;\n\tGF_InitialObjectDescriptor *iod;\n\tGF_SLConfig slc;\n\tGF_ISOSample *samp;\n\tBool remove_ocr;\n\tu8 *buffer;\n\tchar buf64[5000], sdpLine[5100];\n\n\n\tgf_isom_sdp_clean(file);\n\n\tif (bandwidth) {\n\t\tsprintf(buf64, \"b=AS:%d\", bandwidth);\n\t\tgf_isom_sdp_add_line(file, buf64);\n\t}\n //xtended attribute for copyright\n if (gf_sys_is_test_mode()) {\n sprintf(buf64, \"a=x-copyright: %s\", \"MP4/3GP File hinted with GPAC - (c) Telecom ParisTech (http://gpac.io)\");\n } else {\n sprintf(buf64, \"a=x-copyright: MP4/3GP File hinted with GPAC %s - %s\", gf_gpac_version(), gf_gpac_copyright() );\n }\n\tgf_isom_sdp_add_line(file, buf64);\n\n\tif (IOD_Profile == GF_SDP_IOD_NONE) return GF_OK;\n\n\todT = sceneT = 0;\n\tfor (i=0; iESDescriptors)) {\n\t\t\tesd = (GF_ESD*)gf_list_get(iod->ESDescriptors, 0);\n\t\t\tgf_odf_desc_del((GF_Descriptor *) esd);\n\t\t\tgf_list_rem(iod->ESDescriptors, 0);\n\t\t}\n\n\n\t\t/*get OD esd, and embbed stream data if possible*/\n\t\tif (odT) {\n\t\t\tesd = gf_isom_get_esd(file, odT, 1);\n\t\t\tif (gf_isom_get_sample_count(file, odT)==1) {\n\t\t\t\tsamp = gf_isom_get_sample(file, odT, 1, &descIndex);\n\t\t\t\tif (samp && gf_hinter_can_embbed_data(samp->data, samp->dataLength, GF_STREAM_OD)) {\n\t\t\t\t\tInitSL_NULL(&slc);\n\t\t\t\t\tslc.predefined = 0;\n\t\t\t\t\tslc.hasRandomAccessUnitsOnlyFlag = 1;\n\t\t\t\t\tslc.timeScale = slc.timestampResolution = gf_isom_get_media_timescale(file, odT);\n\t\t\t\t\tslc.OCRResolution = 1000;\n\t\t\t\t\tslc.startCTS = samp->DTS+samp->CTS_Offset;\n\t\t\t\t\tslc.startDTS = 
samp->DTS;\n\t\t\t\t\t//set the SL for future extraction\n\t\t\t\t\tgf_isom_set_extraction_slc(file, odT, 1, &slc);\n\n\t\t\t\t\tsize64 = gf_base64_encode(samp->data, samp->dataLength, buf64, 2000);\n\t\t\t\t\tbuf64[size64] = 0;\n\t\t\t\t\tsprintf(sdpLine, \"data:application/mpeg4-od-au;base64,%s\", buf64);\n\n\t\t\t\t\tesd->decoderConfig->avgBitrate = 0;\n\t\t\t\t\tesd->decoderConfig->bufferSizeDB = samp->dataLength;\n\t\t\t\t\tesd->decoderConfig->maxBitrate = 0;\n\t\t\t\t\tsize64 = (u32) strlen(sdpLine)+1;\n\t\t\t\t\tesd->URLString = (char*)gf_malloc(sizeof(char) * size64);\n\t\t\t\t\tstrcpy(esd->URLString, sdpLine);\n\t\t\t\t} else {\n\t\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_RTP, (\"[rtp hinter] OD sample too large to be embedded in IOD - ISMA disabled\\n\"));\n\t\t\t\t\tis_ok = 0;\n\t\t\t\t}\n\t\t\t\tgf_isom_sample_del(&samp);\n\t\t\t}\n\t\t\tif (remove_ocr) esd->OCRESID = 0;\n\t\t\telse if (esd->OCRESID == esd->ESID) esd->OCRESID = 0;\n\n\t\t\t//OK, add this to our IOD\n\t\t\tgf_list_add(iod->ESDescriptors, esd);\n\t\t}\n\n\t\tesd = gf_isom_get_esd(file, sceneT, 1);\n\t\tif (gf_isom_get_sample_count(file, sceneT)==1) {\n\t\t\tsamp = gf_isom_get_sample(file, sceneT, 1, &descIndex);\n\t\t\tif (gf_hinter_can_embbed_data(samp->data, samp->dataLength, GF_STREAM_SCENE)) {\n\n\t\t\t\tslc.timeScale = slc.timestampResolution = gf_isom_get_media_timescale(file, sceneT);\n\t\t\t\tslc.OCRResolution = 1000;\n\t\t\t\tslc.startCTS = samp->DTS+samp->CTS_Offset;\n\t\t\t\tslc.startDTS = samp->DTS;\n\t\t\t\t//set the SL for future extraction\n\t\t\t\tgf_isom_set_extraction_slc(file, sceneT, 1, &slc);\n\t\t\t\t//encode in Base64 the sample\n\t\t\t\tsize64 = gf_base64_encode(samp->data, samp->dataLength, buf64, 2000);\n\t\t\t\tbuf64[size64] = 0;\n\t\t\t\tsprintf(sdpLine, \"data:application/mpeg4-bifs-au;base64,%s\", buf64);\n\n\t\t\t\tesd->decoderConfig->avgBitrate = 0;\n\t\t\t\tesd->decoderConfig->bufferSizeDB = samp->dataLength;\n\t\t\t\tesd->decoderConfig->maxBitrate = 
0;\n\t\t\t\tesd->URLString = (char*)gf_malloc(sizeof(char) * (strlen(sdpLine)+1));\n\t\t\t\tstrcpy(esd->URLString, sdpLine);\n\t\t\t} else {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_RTP, (\"[rtp hinter] Scene description sample too large to be embedded in IOD - ISMA disabled\\n\"));\n\t\t\t\tis_ok = 0;\n\t\t\t}\n\t\t\tgf_isom_sample_del(&samp);\n\t\t}\n\t\tif (remove_ocr) esd->OCRESID = 0;\n\t\telse if (esd->OCRESID == esd->ESID) esd->OCRESID = 0;\n\n\t\tgf_list_add(iod->ESDescriptors, esd);\n\n\t\tif (is_ok) {\n\t\t\tu32 has_a, has_v, has_i_a, has_i_v;\n\t\t\thas_a = has_v = has_i_a = has_i_v = 0;\n\t\t\tfor (i=0; idecoderConfig->streamType==GF_STREAM_VISUAL) {\n\t\t\t\t\tif (esd->decoderConfig->objectTypeIndication==GF_CODECID_MPEG4_PART2) has_i_v ++;\n\t\t\t\t\telse has_v++;\n\t\t\t\t} else if (esd->decoderConfig->streamType==GF_STREAM_AUDIO) {\n\t\t\t\t\tif (esd->decoderConfig->objectTypeIndication==GF_CODECID_AAC_MPEG4) has_i_a ++;\n\t\t\t\t\telse has_a++;\n\t\t\t\t}\n\t\t\t\tgf_odf_desc_del((GF_Descriptor *)esd);\n\t\t\t}\n\t\t\t/*only 1 MPEG-4 visual max and 1 MPEG-4 audio max for ISMA compliancy*/\n\t\t\tif (!has_v && !has_a && (has_i_v<=1) && (has_i_a<=1)) {\n\t\t\t\tsprintf(sdpLine, \"a=isma-compliance:1,1.0,1\");\n\t\t\t\tgf_isom_sdp_add_line(file, sdpLine);\n\t\t\t}\n\t\t}\n\t}\n\n\t//encode the IOD\n\tbuffer = NULL;\n\tsize = 0;\n\tgf_odf_desc_write((GF_Descriptor *) iod, &buffer, &size);\n\tgf_odf_desc_del((GF_Descriptor *)iod);\n\n\t//encode in Base64 the iod\n\tsize64 = gf_base64_encode(buffer, size, buf64, 2000);\n\tbuf64[size64] = 0;\n\tgf_free(buffer);\n\n\tsprintf(sdpLine, \"a=mpeg4-iod:\\\"data:application/mpeg4-iod;base64,%s\\\"\", buf64);\n\tgf_isom_sdp_add_line(file, sdpLine);\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 223649118603140396935168133970864337311, "size": 173, "commit_id": "1653f31cf874eb6df964bea88d58d8e9b98b485e", "message": "fixed #1770 (fuzz)", "target": 1, "dataset": "other", "idx": 198018 }, { "func": "GF_Err 
gf_hinter_finalize(GF_ISOFile *file, GF_SDP_IODProfile IOD_Profile, u32 bandwidth)\n{\n\tu32 i, sceneT, odT, descIndex, size, size64;\n\tGF_InitialObjectDescriptor *iod;\n\tGF_SLConfig slc;\n\tGF_ISOSample *samp;\n\tBool remove_ocr;\n\tu8 *buffer;\n\tchar buf64[5000], sdpLine[5100];\n\n\n\tgf_isom_sdp_clean(file);\n\n\tif (bandwidth) {\n\t\tsprintf(buf64, \"b=AS:%d\", bandwidth);\n\t\tgf_isom_sdp_add_line(file, buf64);\n\t}\n //xtended attribute for copyright\n if (gf_sys_is_test_mode()) {\n sprintf(buf64, \"a=x-copyright: %s\", \"MP4/3GP File hinted with GPAC - (c) Telecom ParisTech (http://gpac.io)\");\n } else {\n sprintf(buf64, \"a=x-copyright: MP4/3GP File hinted with GPAC %s - %s\", gf_gpac_version(), gf_gpac_copyright() );\n }\n\tgf_isom_sdp_add_line(file, buf64);\n\n\tif (IOD_Profile == GF_SDP_IOD_NONE) return GF_OK;\n\n\todT = sceneT = 0;\n\tfor (i=0; iESDescriptors)) {\n\t\t\tesd = (GF_ESD*)gf_list_get(iod->ESDescriptors, 0);\n\t\t\tgf_odf_desc_del((GF_Descriptor *) esd);\n\t\t\tgf_list_rem(iod->ESDescriptors, 0);\n\t\t}\n\n\n\t\t/*get OD esd, and embbed stream data if possible*/\n\t\tif (odT) {\n\t\t\tesd = gf_isom_get_esd(file, odT, 1);\n\t\t\tif (gf_isom_get_sample_count(file, odT)==1) {\n\t\t\t\tsamp = gf_isom_get_sample(file, odT, 1, &descIndex);\n\t\t\t\tif (samp && gf_hinter_can_embbed_data(samp->data, samp->dataLength, GF_STREAM_OD)) {\n\t\t\t\t\tInitSL_NULL(&slc);\n\t\t\t\t\tslc.predefined = 0;\n\t\t\t\t\tslc.hasRandomAccessUnitsOnlyFlag = 1;\n\t\t\t\t\tslc.timeScale = slc.timestampResolution = gf_isom_get_media_timescale(file, odT);\n\t\t\t\t\tslc.OCRResolution = 1000;\n\t\t\t\t\tslc.startCTS = samp->DTS+samp->CTS_Offset;\n\t\t\t\t\tslc.startDTS = samp->DTS;\n\t\t\t\t\t//set the SL for future extraction\n\t\t\t\t\tgf_isom_set_extraction_slc(file, odT, 1, &slc);\n\n\t\t\t\t\tsize64 = gf_base64_encode(samp->data, samp->dataLength, buf64, 2000);\n\t\t\t\t\tbuf64[size64] = 0;\n\t\t\t\t\tsprintf(sdpLine, \"data:application/mpeg4-od-au;base64,%s\", 
buf64);\n\n\t\t\t\t\tesd->decoderConfig->avgBitrate = 0;\n\t\t\t\t\tesd->decoderConfig->bufferSizeDB = samp->dataLength;\n\t\t\t\t\tesd->decoderConfig->maxBitrate = 0;\n\t\t\t\t\tsize64 = (u32) strlen(sdpLine)+1;\n\t\t\t\t\tesd->URLString = (char*)gf_malloc(sizeof(char) * size64);\n\t\t\t\t\tstrcpy(esd->URLString, sdpLine);\n\t\t\t\t} else {\n\t\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_RTP, (\"[rtp hinter] OD sample too large to be embedded in IOD - ISMA disabled\\n\"));\n\t\t\t\t\tis_ok = 0;\n\t\t\t\t}\n\t\t\t\tgf_isom_sample_del(&samp);\n\t\t\t}\n\t\t\tif (remove_ocr) esd->OCRESID = 0;\n\t\t\telse if (esd->OCRESID == esd->ESID) esd->OCRESID = 0;\n\n\t\t\t//OK, add this to our IOD\n\t\t\tgf_list_add(iod->ESDescriptors, esd);\n\t\t}\n\n\t\tesd = gf_isom_get_esd(file, sceneT, 1);\n\t\tif (gf_isom_get_sample_count(file, sceneT)==1) {\n\t\t\tsamp = gf_isom_get_sample(file, sceneT, 1, &descIndex);\n\t\t\tif (samp && gf_hinter_can_embbed_data(samp->data, samp->dataLength, GF_STREAM_SCENE)) {\n\n\t\t\t\tslc.timeScale = slc.timestampResolution = gf_isom_get_media_timescale(file, sceneT);\n\t\t\t\tslc.OCRResolution = 1000;\n\t\t\t\tslc.startCTS = samp->DTS+samp->CTS_Offset;\n\t\t\t\tslc.startDTS = samp->DTS;\n\t\t\t\t//set the SL for future extraction\n\t\t\t\tgf_isom_set_extraction_slc(file, sceneT, 1, &slc);\n\t\t\t\t//encode in Base64 the sample\n\t\t\t\tsize64 = gf_base64_encode(samp->data, samp->dataLength, buf64, 2000);\n\t\t\t\tbuf64[size64] = 0;\n\t\t\t\tsprintf(sdpLine, \"data:application/mpeg4-bifs-au;base64,%s\", buf64);\n\n\t\t\t\tesd->decoderConfig->avgBitrate = 0;\n\t\t\t\tesd->decoderConfig->bufferSizeDB = samp->dataLength;\n\t\t\t\tesd->decoderConfig->maxBitrate = 0;\n\t\t\t\tesd->URLString = (char*)gf_malloc(sizeof(char) * (strlen(sdpLine)+1));\n\t\t\t\tstrcpy(esd->URLString, sdpLine);\n\t\t\t} else {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_RTP, (\"[rtp hinter] Scene description sample too large to be embedded in IOD - ISMA disabled\\n\"));\n\t\t\t\tis_ok = 
0;\n\t\t\t}\n\t\t\tgf_isom_sample_del(&samp);\n\t\t}\n\t\tif (remove_ocr) esd->OCRESID = 0;\n\t\telse if (esd->OCRESID == esd->ESID) esd->OCRESID = 0;\n\n\t\tgf_list_add(iod->ESDescriptors, esd);\n\n\t\tif (is_ok) {\n\t\t\tu32 has_a, has_v, has_i_a, has_i_v;\n\t\t\thas_a = has_v = has_i_a = has_i_v = 0;\n\t\t\tfor (i=0; idecoderConfig->streamType==GF_STREAM_VISUAL) {\n\t\t\t\t\tif (esd->decoderConfig->objectTypeIndication==GF_CODECID_MPEG4_PART2) has_i_v ++;\n\t\t\t\t\telse has_v++;\n\t\t\t\t} else if (esd->decoderConfig->streamType==GF_STREAM_AUDIO) {\n\t\t\t\t\tif (esd->decoderConfig->objectTypeIndication==GF_CODECID_AAC_MPEG4) has_i_a ++;\n\t\t\t\t\telse has_a++;\n\t\t\t\t}\n\t\t\t\tgf_odf_desc_del((GF_Descriptor *)esd);\n\t\t\t}\n\t\t\t/*only 1 MPEG-4 visual max and 1 MPEG-4 audio max for ISMA compliancy*/\n\t\t\tif (!has_v && !has_a && (has_i_v<=1) && (has_i_a<=1)) {\n\t\t\t\tsprintf(sdpLine, \"a=isma-compliance:1,1.0,1\");\n\t\t\t\tgf_isom_sdp_add_line(file, sdpLine);\n\t\t\t}\n\t\t}\n\t}\n\n\t//encode the IOD\n\tbuffer = NULL;\n\tsize = 0;\n\tgf_odf_desc_write((GF_Descriptor *) iod, &buffer, &size);\n\tgf_odf_desc_del((GF_Descriptor *)iod);\n\n\t//encode in Base64 the iod\n\tsize64 = gf_base64_encode(buffer, size, buf64, 2000);\n\tbuf64[size64] = 0;\n\tgf_free(buffer);\n\n\tsprintf(sdpLine, \"a=mpeg4-iod:\\\"data:application/mpeg4-iod;base64,%s\\\"\", buf64);\n\tgf_isom_sdp_add_line(file, sdpLine);\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 130544004901735494505112604949465488922, "size": 173, "commit_id": "1653f31cf874eb6df964bea88d58d8e9b98b485e", "message": "fixed #1770 (fuzz)", "target": 0, "dataset": "other", "idx": 268147 }, { "func": "GF_Err gf_isom_clone_pl_indications(GF_ISOFile *orig, GF_ISOFile *dest)\n{\n\tGF_IsomInitialObjectDescriptor *iod_d;\n\tif (!orig || !dest) return GF_BAD_PARAM;\n\tif (!orig->moov->iods || !orig->moov->iods->descriptor) return GF_OK;\n\tif (orig->moov->iods->descriptor->tag != GF_ODF_ISOM_IOD_TAG) return 
GF_OK;\n\n\tAddMovieIOD(dest->moov, 1);\n\tgf_odf_desc_del((GF_Descriptor *)dest->moov->iods->descriptor);\n\tgf_odf_desc_copy((GF_Descriptor *)orig->moov->iods->descriptor, (GF_Descriptor **)&dest->moov->iods->descriptor);\n\tiod_d = (GF_IsomInitialObjectDescriptor *) dest->moov->iods->descriptor;\n\twhile (gf_list_count(iod_d->ES_ID_IncDescriptors)) {\n\t\tGF_Descriptor *d = (GF_Descriptor *)gf_list_get(iod_d->ES_ID_IncDescriptors, 0);\n\t\tgf_list_rem(iod_d->ES_ID_IncDescriptors, 0);\n\t\tgf_odf_desc_del(d);\n\t}\n\twhile (gf_list_count(iod_d->ES_ID_RefDescriptors)) {\n\t\tGF_Descriptor *d = (GF_Descriptor *)gf_list_get(iod_d->ES_ID_RefDescriptors, 0);\n\t\tgf_list_rem(iod_d->ES_ID_RefDescriptors, 0);\n\t\tgf_odf_desc_del(d);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 222240309099467730094091175543614328133, "size": 23, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267170 }, { "func": "void PrintUsage()\n{\n\tu32 i=0;\n\tgf_sys_format_help(helpout, help_flags, \"MP4Box [option] input [option]\\n\"\n\t\t\" \\n\"\n\t\t\"# General Options:\\n\"\n\t);\n\twhile (m4b_usage_args[i].name) {\n\t\tGF_GPACArg *arg = &m4b_usage_args[i];\n\t\ti++;\n\t\tgf_sys_print_arg(helpout, help_flags, arg, \"mp4box-general\");\n\t}\n}", "project": "gpac", "hash": 133338761484836478453941715294512398165, "size": 13, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244400 }, { "func": "GF_Err gf_isom_add_desc_to_root_od(GF_ISOFile *movie, const GF_Descriptor *theDesc)\n{\n\tGF_Err e;\n\tGF_Descriptor *desc, *dupDesc;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\te = gf_isom_insert_moov(movie);\n\tif (e) return e;\n\n\tif (!movie->moov->iods) {\n\t\te = AddMovieIOD(movie->moov, 0);\n\t\tif (e) return e;\n\t}\n\tif (theDesc->tag==GF_ODF_IPMP_TL_TAG) gf_isom_set_root_iod(movie);\n\n\tdesc = 
movie->moov->iods->descriptor;\n\t//the type of desc is handled at the OD/IOD level, we'll be notified\n\t//if the desc is not allowed\n\tswitch (desc->tag) {\n\tcase GF_ODF_ISOM_IOD_TAG:\n\tcase GF_ODF_ISOM_OD_TAG:\n\t\t//duplicate the desc\n\t\te = gf_odf_desc_copy((GF_Descriptor *)theDesc, &dupDesc);\n\t\tif (e) return e;\n\t\t//add it (MUST BE (I)OD level desc)\n\t\tmovie->LastError = gf_odf_desc_add_desc(desc, dupDesc);\n\t\tif (movie->LastError) gf_odf_desc_del((GF_Descriptor *)dupDesc);\n\t\tbreak;\n\tdefault:\n\t\tmovie->LastError = GF_ISOM_INVALID_FILE;\n\t\tbreak;\n\t}\n\treturn movie->LastError;\n}", "project": "gpac", "hash": 322192589819187197958119086559943020590, "size": 35, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267210 }, { "func": "GF_Err gf_isom_add_sample_reference(GF_ISOFile *movie, u32 trackNumber, u32 StreamDescriptionIndex, GF_ISOSample *sample, u64 dataOffset)\n{\n\tGF_TrackBox *trak;\n\tGF_SampleEntryBox *entry;\n\tu32 dataRefIndex;\n\tu32 descIndex;\n\tGF_DataEntryURLBox *Dentry;\n\tGF_Err e;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\te = unpack_track(trak);\n\tif (e) return e;\n\n\t//OD is not allowed as a data ref\n\tif (trak->Media->handler->handlerType == GF_ISOM_MEDIA_OD) {\n\t\treturn GF_BAD_PARAM;\n\t}\n\t//OK, add the sample\n\t//1- Get the streamDescriptionIndex and dataRefIndex\n\t//not specified, get the latest used...\n\tdescIndex = StreamDescriptionIndex;\n\tif (!StreamDescriptionIndex) {\n\t\tdescIndex = trak->Media->information->sampleTable->currentEntryIndex;\n\t}\n\te = Media_GetSampleDesc(trak->Media, descIndex, &entry, &dataRefIndex);\n\tif (e) return e;\n\tif (!entry || !dataRefIndex) return GF_BAD_PARAM;\n\t//set the current to this one\n\ttrak->Media->information->sampleTable->currentEntryIndex = 
descIndex;\n\n\n\t//get this dataRef and return false if self contained\n\tDentry =(GF_DataEntryURLBox*) gf_list_get(trak->Media->information->dataInformation->dref->child_boxes, dataRefIndex - 1);\n\tif (Dentry->flags == 1) return GF_BAD_PARAM;\n\n\t//add the meta data\n\te = Media_AddSample(trak->Media, dataOffset, sample, descIndex, 0);\n\tif (e) return e;\n\n\tif (!movie->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\t//OK, update duration\n\te = Media_SetDuration(trak);\n\tif (e) return e;\n\treturn SetTrackDuration(trak);\n\n}", "project": "gpac", "hash": 53145887017749226941612521358904771973, "size": 52, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267292 }, { "func": "GF_Err gf_isom_remove_edits(GF_ISOFile *movie, u32 trackNumber)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\tif (!trak->editBox || !trak->editBox->editList) return GF_OK;\n\n\twhile (gf_list_count(trak->editBox->editList->entryList)) {\n\t\tGF_EdtsEntry *ent = (GF_EdtsEntry*)gf_list_get(trak->editBox->editList->entryList, 0);\n\t\tgf_free(ent);\n\t\te = gf_list_rem(trak->editBox->editList->entryList, 0);\n\t\tif (e) return e;\n\t}\n\t//then delete the GF_EditBox...\n\tgf_isom_box_del_parent(&trak->child_boxes, (GF_Box *)trak->editBox);\n\ttrak->editBox = NULL;\n\treturn SetTrackDuration(trak);\n}", "project": "gpac", "hash": 242392798605902873358517936854692558340, "size": 23, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267339 }, { "func": "GF_Err gf_isom_remove_track(GF_ISOFile *movie, u32 trackNumber)\n{\n\tGF_Err e;\n\tGF_TrackBox *the_trak, *trak;\n\tGF_TrackReferenceTypeBox *tref;\n\tu32 i, j, k, descIndex;\n\tGF_ISOTrackID 
*newRefs;\n\tu8 found;\n\tGF_ISOSample *samp;\n\tthe_trak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!the_trak) return GF_BAD_PARAM;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\tif (movie->moov->iods && movie->moov->iods->descriptor) {\n\t\tGF_Descriptor *desc;\n\t\tGF_ES_ID_Inc *inc;\n\t\tGF_List *ESDs;\n\t\tdesc = movie->moov->iods->descriptor;\n\t\tif (desc->tag == GF_ODF_ISOM_IOD_TAG) {\n\t\t\tESDs = ((GF_IsomInitialObjectDescriptor *)desc)->ES_ID_IncDescriptors;\n\t\t} else if (desc->tag == GF_ODF_ISOM_OD_TAG) {\n\t\t\tESDs = ((GF_IsomObjectDescriptor *)desc)->ES_ID_IncDescriptors;\n\t\t} else {\n\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t}\n\n\t\t//remove the track ref from the root OD if any\n\t\ti=0;\n\t\twhile ((inc = (GF_ES_ID_Inc *)gf_list_enum(ESDs, &i))) {\n\t\t\tif (inc->trackID == the_trak->Header->trackID) {\n\t\t\t\tgf_odf_desc_del((GF_Descriptor *)inc);\n\t\t\t\ti--;\n\t\t\t\tgf_list_rem(ESDs, i);\n\t\t\t}\n\t\t}\n\t}\n\n\t//remove the track from the movie\n\tgf_list_del_item(movie->moov->trackList, the_trak);\n\n\t//rewrite any OD tracks\n\ti=0;\n\twhile ((trak = (GF_TrackBox *)gf_list_enum(movie->moov->trackList, &i))) {\n\t\tif (trak->Media->handler->handlerType != GF_ISOM_MEDIA_OD) continue;\n\t\t//this is an OD track...\n\t\tj = gf_isom_get_sample_count(movie, i);\n\t\tfor (k=0; k < j; k++) {\n\t\t\t//getting the sample will remove the references to the deleted track in the output OD frame\n\t\t\tsamp = gf_isom_get_sample(movie, i, k+1, &descIndex);\n\t\t\tif (!samp) break;\n\t\t\t//so let's update with the new OD frame ! 
If the sample is empty, remove it\n\t\t\tif (!samp->dataLength) {\n\t\t\t\te = gf_isom_remove_sample(movie, i, k+1);\n\t\t\t\tif (e) return e;\n\t\t\t} else {\n\t\t\t\te = gf_isom_update_sample(movie, i, k+1, samp, GF_TRUE);\n\t\t\t\tif (e) return e;\n\t\t\t}\n\t\t\t//and don't forget to delete the sample\n\t\t\tgf_isom_sample_del(&samp);\n\t\t}\n\t}\n\n\t//remove the track ref from any \"tref\" box in all tracks, except the one to delete\n\t//note that we don't touch scal references, as we don't want to rewrite AVC/HEVC samples ...\n\ti=0;\n\twhile ((trak = (GF_TrackBox *)gf_list_enum(movie->moov->trackList, &i))) {\n\t\tif (trak == the_trak) continue;\n\t\tif (! trak->References || ! gf_list_count(trak->References->child_boxes)) continue;\n\n\t\tj=0;\n\t\twhile ((tref = (GF_TrackReferenceTypeBox *)gf_list_enum(trak->References->child_boxes, &j))) {\n\t\t\tif (tref->reference_type==GF_ISOM_REF_SCAL)\n\t\t\t\tcontinue;\n\n\t\t\tfound = 0;\n\t\t\tfor (k=0; ktrackIDCount; k++) {\n\t\t\t\tif (tref->trackIDs[k] == the_trak->Header->trackID) found++;\n\t\t\t}\n\t\t\tif (!found) continue;\n\t\t\t//no more refs, remove this ref_type\n\t\t\tif (found == tref->trackIDCount) {\n\t\t\t\tgf_isom_box_del_parent(&trak->References->child_boxes, (GF_Box *)tref);\n\t\t\t\tj--;\n\t\t\t} else {\n\t\t\t\tnewRefs = (GF_ISOTrackID*)gf_malloc(sizeof(GF_ISOTrackID) * (tref->trackIDCount - found));\n\t\t\t\tif (!newRefs) return GF_OUT_OF_MEM;\n\t\t\t\tfound = 0;\n\t\t\t\tfor (k = 0; k < tref->trackIDCount; k++) {\n\t\t\t\t\tif (tref->trackIDs[k] != the_trak->Header->trackID) {\n\t\t\t\t\t\tnewRefs[k-found] = tref->trackIDs[k];\n\t\t\t\t\t} else {\n\t\t\t\t\t\tfound++;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tgf_free(tref->trackIDs);\n\t\t\t\ttref->trackIDs = newRefs;\n\t\t\t\ttref->trackIDCount -= found;\n\t\t\t}\n\t\t}\n\t\t//a little opt: remove the ref box if empty...\n\t\tif (! 
gf_list_count(trak->References->child_boxes)) {\n\t\t\tgf_isom_box_del_parent(&trak->child_boxes, (GF_Box *)trak->References);\n\t\t\ttrak->References = NULL;\n\t\t}\n\t}\n\n\tgf_isom_disable_inplace_rewrite(movie);\n\n\t//delete the track\n\tgf_isom_box_del_parent(&movie->moov->child_boxes, (GF_Box *)the_trak);\n\n\t/*update next track ID*/\n\tmovie->moov->mvhd->nextTrackID = 0;\n\ti=0;\n\twhile ((trak = (GF_TrackBox *)gf_list_enum(movie->moov->trackList, &i))) {\n\t\tif (trak->Header->trackID>movie->moov->mvhd->nextTrackID)\n\t\t\tmovie->moov->mvhd->nextTrackID = trak->Header->trackID;\n\t}\n\n\tif (!gf_list_count(movie->moov->trackList)) {\n\t\tgf_list_del_item(movie->TopBoxes, movie->moov);\n\t\tgf_isom_box_del((GF_Box *)movie->moov);\n\t\tmovie->moov = NULL;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 251582272212355144045879390969516780154, "size": 129, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267253 }, { "func": "GF_Err Track_RemoveRef(GF_TrackBox *trak, u32 ReferenceType)\n{\n\tGF_TrackReferenceBox *ref;\n\tGF_Box *a;\n\tu32 i;\n\tif (! trak) return GF_BAD_PARAM;\n\tif (! 
trak->References) return GF_OK;\n\tref = trak->References;\n\ti=0;\n\twhile ((a = (GF_Box *)gf_list_enum(ref->child_boxes, &i))) {\n\t\tif (a->type == ReferenceType) {\n\t\t\tgf_isom_box_del_parent(&ref->child_boxes, a);\n\t\t\treturn GF_OK;\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 215178032095696281258212229230221864237, "size": 17, "commit_id": "df8fffd839fe5ae9acd82d26fd48280a397411d9", "message": "fixed #1736", "target": 0, "dataset": "other", "idx": 272323 }, { "func": "GF_Err stbl_unpackCTS(GF_SampleTableBox *stbl)\n{\n\tGF_DttsEntry *packed;\n\tu32 i, j, count;\n\tGF_CompositionOffsetBox *ctts;\n\tctts = stbl->CompositionOffset;\n\tif (!ctts || ctts->unpack_mode) return GF_OK;\n\tctts->unpack_mode = 1;\n\n\tpacked = ctts->entries;\n\tcount = ctts->nb_entries;\n\tctts->entries = NULL;\n\tctts->nb_entries = 0;\n\tctts->alloc_size = 0;\n\tfor (i=0; inb_entries == ctts->alloc_size) {\n\t\t\t\tALLOC_INC(ctts->alloc_size);\n\t\t\t\tctts->entries = gf_realloc(ctts->entries, sizeof(GF_DttsEntry)*ctts->alloc_size);\n\t\t\t\tif (!ctts->entries) return GF_OUT_OF_MEM;\n\n\t\t\t\tmemset(&ctts->entries[ctts->nb_entries], 0, sizeof(GF_DttsEntry)*(ctts->alloc_size-ctts->nb_entries) );\n\t\t\t}\n\t\t\tctts->entries[ctts->nb_entries].decodingOffset = packed[i].decodingOffset;\n\t\t\tctts->entries[ctts->nb_entries].sampleCount = 1;\n\t\t\tctts->nb_entries++;\n\t\t}\n\t}\n\tgf_free(packed);\n\n\twhile (stbl->SampleSize->sampleCount > ctts->nb_entries) {\n\t\tif (ctts->nb_entries == ctts->alloc_size) {\n\t\t\tALLOC_INC(ctts->alloc_size);\n\t\t\tctts->entries = gf_realloc(ctts->entries, sizeof(GF_DttsEntry)*ctts->alloc_size);\n\t\t\tif (!ctts->entries) return GF_OUT_OF_MEM;\n\t\t\tmemset(&ctts->entries[ctts->nb_entries], 0, sizeof(GF_DttsEntry)*(ctts->alloc_size-ctts->nb_entries) );\n\t\t}\n\t\tctts->entries[ctts->nb_entries].decodingOffset = 0;\n\t\tctts->entries[ctts->nb_entries].sampleCount = 1;\n\t\tctts->nb_entries++;\n\t}\n\treturn GF_OK;\n}", "project": 
"gpac", "hash": 232519623103022324629752107262939468273, "size": 43, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267892 }, { "func": "GF_EXPORT\nu32 gf_isom_get_fragments_count(GF_ISOFile *movie, Bool segments_only)\n{\n\tu32 i=0;\n\tu32 nb_frags = 0;\n\tGF_Box *b;\n\twhile ((b=(GF_Box*)gf_list_enum(movie->TopBoxes, &i))) {\n\t\tif (segments_only) {\n\t\t\tif (b->type==GF_ISOM_BOX_TYPE_SIDX)\n\t\t\t\tnb_frags++;\n\t\t} else {\n\t\t\tif (b->type==GF_ISOM_BOX_TYPE_MOOF)\n\t\t\t\tnb_frags++;\n\t\t}\n\t}\n\treturn nb_frags;", "project": "gpac", "hash": 98425965617317842367241274535393903855, "size": 16, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246856 }, { "func": "static GF_Err gf_isom_get_3gpp_audio_esd(GF_SampleTableBox *stbl, u32 type, GF_GenericAudioSampleEntryBox *entry, GF_ESD **out_esd)\n{\n\t(*out_esd) = gf_odf_desc_esd_new(2);\n\t(*out_esd)->decoderConfig->streamType = GF_STREAM_AUDIO;\n\t/*official mapping to MPEG-4*/\n\tswitch (type) {\n\tcase GF_ISOM_SUBTYPE_3GP_EVRC:\n\t\t(*out_esd)->decoderConfig->objectTypeIndication = GF_CODECID_EVRC;\n\t\treturn GF_OK;\n\tcase GF_ISOM_SUBTYPE_3GP_QCELP:\n\t{\n\t\tu32 block_size, sample_rate, sample_size, i;\n\t\tGF_SttsEntry *ent;\n\t\tGF_BitStream *bs;\n\t\tchar szName[80];\n\t\t/*only map CBR*/\n\t\tsample_size = stbl->SampleSize->sampleSize;\n\t\t(*out_esd)->decoderConfig->objectTypeIndication = GF_CODECID_QCELP;\n\t\tbs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\t\tgf_bs_write_data(bs, \"QLCMfmt \", 8);\n\t\tgf_bs_write_u32_le(bs, 150);/*fmt chunk size*/\n\t\tgf_bs_write_u8(bs, 1);\n\t\tgf_bs_write_u8(bs, 0);\n\t\t/*QCELP GUID*/\n\t\tgf_bs_write_data(bs, \"\\x41\\x6D\\x7F\\x5E\\x15\\xB1\\xD0\\x11\\xBA\\x91\\x00\\x80\\x5F\\xB4\\xB9\\x7E\", 16);\n\t\tgf_bs_write_u16_le(bs, 1);\n\t\tmemset(szName, 0, 80);\n\t\tstrcpy(szName, 
\"QCELP-13K(GPAC-emulated)\");\n\t\tgf_bs_write_data(bs, szName, 80);\n\t\tent = &stbl->TimeToSample->entries[0];\n\t\tsample_rate = entry->samplerate_hi;\n\t\tblock_size = ent ? ent->sampleDelta : 160;\n\t\tgf_bs_write_u16_le(bs, 8*sample_size*sample_rate/block_size);\n\t\tgf_bs_write_u16_le(bs, sample_size);\n\t\tgf_bs_write_u16_le(bs, block_size);\n\t\tgf_bs_write_u16_le(bs, sample_rate);\n\t\tgf_bs_write_u16_le(bs, entry->bitspersample);\n\t\tgf_bs_write_u32_le(bs, sample_size ? 0 : 7);\n\t\t/**/\n\t\tfor (i=0; i<7; i++) {\n\t\t\tstatic const u32 qcelp_r2s [] = {0, 1, 1, 4, 2, 8, 3, 17, 4, 35, 5, 8, 14, 1};\n\t\t\tif (sample_size) {\n\t\t\t\tgf_bs_write_u16(bs, 0);\n\t\t\t} else {\n\t\t\t\tgf_bs_write_u8(bs, qcelp_r2s[2*i+1]);\n\t\t\t\tgf_bs_write_u8(bs, qcelp_r2s[2*i]);\n\t\t\t}\n\t\t}\n\t\tgf_bs_write_u16(bs, 0);\n\t\tmemset(szName, 0, 80);\n\t\tgf_bs_write_data(bs, szName, 20);/*reserved*/\n\t\tgf_bs_get_content(bs, & (*out_esd)->decoderConfig->decoderSpecificInfo->data, & (*out_esd)->decoderConfig->decoderSpecificInfo->dataLength);\n\t\tgf_bs_del(bs);\n\t}\n\treturn GF_OK;\n\tcase GF_ISOM_SUBTYPE_3GP_SMV:\n\t\t(*out_esd)->decoderConfig->objectTypeIndication = GF_CODECID_SMV;\n\t\treturn GF_OK;\n\tcase GF_ISOM_SUBTYPE_3GP_AMR:\n\t\t(*out_esd)->decoderConfig->objectTypeIndication = GF_CODECID_AMR;\n\t\treturn GF_OK;\n\tcase GF_ISOM_SUBTYPE_3GP_AMR_WB:\n\t\t(*out_esd)->decoderConfig->objectTypeIndication = GF_CODECID_AMR_WB;\n\t\treturn GF_OK;\n\tdefault:\n\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] unsupported sample description type %s\\n\", gf_4cc_to_str(entry->type)));\n\t\tbreak;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 242552304528760432527852800116502407922, "size": 70, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231616 }, { "func": "GF_Err stbl_GetSampleSize(GF_SampleSizeBox *stsz, u32 SampleNumber, u32 *Size)\n{\n\tif (!stsz || 
!SampleNumber || (SampleNumber > stsz->sampleCount))\n\t\treturn GF_BAD_PARAM;\n\n\tif (stsz->sampleSize && (stsz->type != GF_ISOM_BOX_TYPE_STZ2)) {\n\t\t(*Size) = stsz->sampleSize;\n\t} else if (stsz->sizes) {\n\t\t(*Size) = stsz->sizes[SampleNumber - 1];\n\t} else {\n\t\t(*Size) = 0;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 144542408682130580829035591969235102924, "size": 14, "commit_id": "2da2f68bffd51d89b1d272d22aa8cc023c1c066e", "message": "fixed #1705", "target": 0, "dataset": "other", "idx": 258550 }, { "func": "GF_Err gf_isom_set_composition_offset_mode(GF_ISOFile *file, u32 track, Bool use_negative_offsets)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\tGF_CompositionOffsetBox *ctts;\n\n\te = CanAccessMovie(file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(file, track);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tctts = trak->Media->information->sampleTable->CompositionOffset;\n\tif (!ctts) {\n\t\tif (!use_negative_offsets && trak->Media->information->sampleTable->CompositionToDecode) {\n\t\t\tgf_isom_box_del_parent(&trak->Media->information->sampleTable->child_boxes, (GF_Box *)trak->Media->information->sampleTable->CompositionToDecode);\n\t\t\ttrak->Media->information->sampleTable->CompositionToDecode = NULL;\n\t\t}\n\t\treturn GF_OK;\n\t}\n\n\tif (use_negative_offsets) {\n\t\treturn gf_isom_set_ctts_v1(file, track, 0);\n\t} else {\n\t\tif (ctts->version==0) return GF_OK;\n\t\treturn gf_isom_set_ctts_v0(file, trak);\n\t}\n}", "project": "gpac", "hash": 112634590464808628150321078252949287693, "size": 28, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267320 }, { "func": "GF_Err gf_isom_change_mpeg4_description(GF_ISOFile *movie, u32 trackNumber, u32 StreamDescriptionIndex, const GF_ESD *newESD)\n{\n\tGF_Err e;\n\tGF_ESD *esd;\n\tGF_TrackBox *trak;\n\tGF_SampleEntryBox *entry;\n\tGF_SampleDescriptionBox *stsd;\n\n\te = CanAccessMovie(movie, 
GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\tif (!stsd) return movie->LastError = GF_ISOM_INVALID_FILE;\n\n\tif (!StreamDescriptionIndex || StreamDescriptionIndex > gf_list_count(stsd->child_boxes)) {\n\t\treturn movie->LastError = GF_BAD_PARAM;\n\t}\n\tentry = (GF_SampleEntryBox *)gf_list_get(stsd->child_boxes, StreamDescriptionIndex - 1);\n\t//no support for generic sample entries (eg, no MPEG4 descriptor)\n\tif (entry == NULL) return GF_BAD_PARAM;\n\n\tif (!movie->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\t//duplicate our desc\n\te = gf_odf_desc_copy((GF_Descriptor *)newESD, (GF_Descriptor **)&esd);\n\tif (e) return e;\n\te = Track_SetStreamDescriptor(trak, StreamDescriptionIndex, entry->dataReferenceIndex, esd, NULL);\n\tif (e != GF_OK) {\n\t\tgf_odf_desc_del((GF_Descriptor *) esd);\n\t}\n\treturn e;\n}", "project": "gpac", "hash": 223036477985981689934700614816926529691, "size": 35, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267352 }, { "func": "static void ReorderAU(GF_List *sample_list, GF_AUContext *au)\n{\n\tu32 i;\n\tfor (i=0; itiming_sec > au->timing_sec)\n\t\t /*set bifs first*/\n\t\t || ((ptr->timing_sec == au->timing_sec) && (ptr->owner->streamType < au->owner->streamType))\n\t\t) {\n\t\t\tgf_list_insert(sample_list, au, i);\n\t\t\treturn;\n\t\t}\n\t}\n\tgf_list_add(sample_list, au);\n}", "project": "gpac", "hash": 11864634391671163254044751773908465455, "size": 17, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243183 }, { "func": "GF_EXPORT\nu8 gf_isom_get_pl_indication(GF_ISOFile *movie, GF_ISOProfileLevelType PL_Code)\n{\n\tGF_IsomInitialObjectDescriptor *iod;\n\tif (!movie || 
!movie->moov) return 0xFF;\n\tif (!movie->moov->iods || !movie->moov->iods->descriptor) return 0xFF;\n\tif (movie->moov->iods->descriptor->tag != GF_ODF_ISOM_IOD_TAG) return 0xFF;\n\n\tiod = (GF_IsomInitialObjectDescriptor *)movie->moov->iods->descriptor;\n\tswitch (PL_Code) {\n\tcase GF_ISOM_PL_AUDIO:\n\t\treturn iod->audio_profileAndLevel;\n\tcase GF_ISOM_PL_VISUAL:\n\t\treturn iod->visual_profileAndLevel;\n\tcase GF_ISOM_PL_GRAPHICS:\n\t\treturn iod->graphics_profileAndLevel;\n\tcase GF_ISOM_PL_SCENE:\n\t\treturn iod->scene_profileAndLevel;\n\tcase GF_ISOM_PL_OD:\n\t\treturn iod->OD_profileAndLevel;\n\tcase GF_ISOM_PL_INLINE:\n\t\treturn iod->inlineProfileFlag;\n\tcase GF_ISOM_PL_MPEGJ:\n\tdefault:\n\t\treturn 0xFF;\n\t}", "project": "gpac", "hash": 189024794638269320979420520267987667009, "size": 26, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246858 }, { "func": "Bool gf_box_valid_in_parent(GF_Box *a, const char *parent_4cc)\n{\n\tif (!a || !a->registry || !a->registry->parents_4cc) return GF_FALSE;\n\tif (strstr(a->registry->parents_4cc, parent_4cc) != NULL) return GF_TRUE;\n\treturn GF_FALSE;\n}", "project": "gpac", "hash": 262095818610162384732854452030455307238, "size": 6, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224892 }, { "func": "GF_Err gf_isom_set_nalu_length_field(GF_ISOFile *file, u32 track, u32 StreamDescriptionIndex, u32 nalu_size_length)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\tGF_SampleEntryBox *entry;\n\tGF_MPEGVisualSampleEntryBox *ve;\n\tGF_SampleDescriptionBox *stsd;\n\n\te = CanAccessMovie(file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(file, track);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\tif (!stsd || !StreamDescriptionIndex || 
StreamDescriptionIndex > gf_list_count(stsd->child_boxes)) {\n\t\treturn GF_BAD_PARAM;\n\t}\n\n\tentry = (GF_SampleEntryBox *)gf_list_get(stsd->child_boxes, StreamDescriptionIndex - 1);\n\t//no support for generic sample entries (eg, no MPEG4 descriptor)\n\tif (!entry || ! gf_isom_is_nalu_based_entry(trak->Media, entry)) {\n\t\treturn GF_BAD_PARAM;\n\t}\n\n\tve = (GF_MPEGVisualSampleEntryBox*)entry;\n\tif (ve->avc_config) ve->avc_config->config->nal_unit_size = nalu_size_length;\n\tif (ve->svc_config) ve->svc_config->config->nal_unit_size = nalu_size_length;\n\tif (ve->hevc_config) ve->hevc_config->config->nal_unit_size = nalu_size_length;\n\tif (ve->lhvc_config) ve->lhvc_config->config->nal_unit_size = nalu_size_length;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 115106983350067124918044159543101041514, "size": 32, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267331 }, { "func": "GF_Err stbl_RemoveSampleGroup(GF_SampleTableBox *stbl, u32 SampleNumber)\n{\n\tu32 i, k, count, prev_sample;\n\n\tif (!stbl->sampleGroups) return GF_OK;\n\n\tcount = gf_list_count(stbl->sampleGroups);\n\tprev_sample = 0;\n\tfor (i=0; isampleGroups, i);\n\t\tfor (k=0; kentry_count; k++) {\n\t\t\tif ((SampleNumber>prev_sample) && (SampleNumber <= prev_sample + e->sample_entries[k].sample_count) ) {\n\t\t\t\te->sample_entries[k].sample_count--;\n\t\t\t\tif (!e->sample_entries[k].sample_count) {\n\t\t\t\t\tmemmove(&e->sample_entries[k], &e->sample_entries[k+1], sizeof(GF_SampleGroupEntry) * (e->entry_count-k-1));\n\t\t\t\t\te->entry_count--;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (!e->entry_count) {\n\t\t\tgf_list_rem(stbl->sampleGroups, i);\n\t\t\ti--;\n\t\t\tcount--;\n\t\t\tgf_isom_box_del_parent(&stbl->child_boxes, (GF_Box *) e);\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 156245689533273653166830823167579316144, "size": 29, "commit_id": 
"77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267909 }, { "func": "GF_Err dump_isom_scene(char *file, char *inName, Bool is_final_name, GF_SceneDumpFormat dump_mode, Bool do_log, Bool no_odf_conv)\n{\n\tGF_Err e;\n\tGF_SceneManager *ctx;\n\tGF_SceneGraph *sg;\n\tGF_SceneLoader load;\n\tGF_FileType ftype;\n\tgf_log_cbk prev_logs = NULL;\n\tFILE *logs = NULL;\n\n\tsg = gf_sg_new();\n\tctx = gf_sm_new(sg);\n\tmemset(&load, 0, sizeof(GF_SceneLoader));\n\tload.fileName = file;\n\tload.ctx = ctx;\n\tload.swf_import_flags = swf_flags;\n\tif (dump_mode == GF_SM_DUMP_SVG) {\n\t\tload.swf_import_flags |= GF_SM_SWF_USE_SVG;\n\t\tload.svgOutFile = inName;\n\t}\n\tload.swf_flatten_limit = swf_flatten_angle;\n\n\tftype = get_file_type_by_ext(file);\n\tif (ftype == GF_FILE_TYPE_ISO_MEDIA) {\n\t\tload.isom = gf_isom_open(file, GF_ISOM_OPEN_READ, NULL);\n\t\tif (!load.isom) {\n\t\t\te = gf_isom_last_error(NULL);\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Error opening file: %s\\n\", gf_error_to_string(e)));\n\t\t\tgf_sm_del(ctx);\n\t\t\tgf_sg_del(sg);\n\t\t\treturn e;\n\t\t}\n\t\tif (no_odf_conv)\n\t\t\tgf_isom_disable_odf_conversion(load.isom, GF_TRUE);\n\n\t} else if (ftype==GF_FILE_TYPE_LSR_SAF) {\n\t\tload.isom = gf_isom_open(\"saf_conv\", GF_ISOM_WRITE_EDIT, NULL);\n#ifndef GPAC_DISABLE_MEDIA_IMPORT\n\t\tif (load.isom) {\n\t\t\tGF_Fraction _frac = {0,0};\n\t\t\te = import_file(load.isom, file, 0, _frac, 0, NULL, NULL, 0);\n\t\t} else\n#else\n\t\tM4_LOG(GF_LOG_WARNING, (\"Warning: GPAC was compiled without Media Import support\\n\"));\n#endif\n\t\t\te = gf_isom_last_error(NULL);\n\n\t\tif (e) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Error importing file: %s\\n\", gf_error_to_string(e)));\n\t\t\tgf_sm_del(ctx);\n\t\t\tgf_sg_del(sg);\n\t\t\tif (load.isom) gf_isom_delete(load.isom);\n\t\t\treturn e;\n\t\t}\n\t}\n\n\tif (do_log) {\n\t\tchar szLog[GF_MAX_PATH];\n\t\tsprintf(szLog, \"%s_dec.logs\", inName);\n\t\tlogs = 
gf_fopen(szLog, \"wt\");\n\n\t\tgf_log_set_tool_level(GF_LOG_CODING, GF_LOG_DEBUG);\n\t\tprev_logs = gf_log_set_callback(logs, scene_coding_log);\n\t}\n\te = gf_sm_load_init(&load);\n\tif (!e) e = gf_sm_load_run(&load);\n\tgf_sm_load_done(&load);\n\tif (logs) {\n\t\tgf_log_set_tool_level(GF_LOG_CODING, GF_LOG_ERROR);\n\t\tgf_log_set_callback(NULL, prev_logs);\n\t\tgf_fclose(logs);\n\t}\n\tif (!e && dump_mode != GF_SM_DUMP_SVG) {\n\t\tu32 count = gf_list_count(ctx->streams);\n\t\tif (count)\n\t\t\tfprintf(stderr, \"Scene loaded - dumping %d systems streams\\n\", count);\n\t\telse\n\t\t\tfprintf(stderr, \"Scene loaded - dumping root scene\\n\");\n\n\t\te = gf_sm_dump(ctx, inName, is_final_name, dump_mode);\n\t}\n\n\tgf_sm_del(ctx);\n\tgf_sg_del(sg);\n\tif (e) M4_LOG(GF_LOG_ERROR, (\"Error loading scene: %s\\n\", gf_error_to_string(e)));\n\tif (load.isom) gf_isom_delete(load.isom);\n\treturn e;\n}", "project": "gpac", "hash": 1172614427379004120958201400150866104, "size": 88, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243178 }, { "func": "GF_Err dump_isom_scene(char *file, char *inName, Bool is_final_name, GF_SceneDumpFormat dump_mode, Bool do_log, Bool no_odf_conv)\n{\n\tGF_Err e;\n\tGF_SceneManager *ctx;\n\tGF_SceneGraph *sg;\n\tGF_SceneLoader load;\n\tGF_FileType ftype;\n\tgf_log_cbk prev_logs = NULL;\n\tFILE *logs = NULL;\n\n\tsg = gf_sg_new();\n\tctx = gf_sm_new(sg);\n\tmemset(&load, 0, sizeof(GF_SceneLoader));\n\tload.fileName = file;\n\tload.ctx = ctx;\n\tload.swf_import_flags = swf_flags;\n\tif (dump_mode == GF_SM_DUMP_SVG) {\n\t\tload.swf_import_flags |= GF_SM_SWF_USE_SVG;\n\t\tload.svgOutFile = inName;\n\t}\n\tload.swf_flatten_limit = swf_flatten_angle;\n\n\tftype = get_file_type_by_ext(file);\n\tif (ftype == GF_FILE_TYPE_ISO_MEDIA) {\n\t\tload.isom = gf_isom_open(file, GF_ISOM_OPEN_READ, NULL);\n\t\tif (!load.isom) {\n\t\t\te = 
gf_isom_last_error(NULL);\n\t\t\tfprintf(stderr, \"Error opening file: %s\\n\", gf_error_to_string(e));\n\t\t\tgf_sm_del(ctx);\n\t\t\tgf_sg_del(sg);\n\t\t\treturn e;\n\t\t}\n\t\tif (no_odf_conv)\n\t\t\tgf_isom_disable_odf_conversion(load.isom, GF_TRUE);\n\n\t} else if (ftype==GF_FILE_TYPE_LSR_SAF) {\n\t\tload.isom = gf_isom_open(\"saf_conv\", GF_ISOM_WRITE_EDIT, NULL);\n#ifndef GPAC_DISABLE_MEDIA_IMPORT\n\t\tif (load.isom) {\n\t\t\tGF_Fraction _frac = {0,0};\n\t\t\te = import_file(load.isom, file, 0, _frac, 0, NULL, NULL, 0);\n\t\t} else\n#else\n\t\tfprintf(stderr, \"Warning: GPAC was compiled without Media Import support\\n\");\n#endif\n\t\t\te = gf_isom_last_error(NULL);\n\n\t\tif (e) {\n\t\t\tfprintf(stderr, \"Error importing file: %s\\n\", gf_error_to_string(e));\n\t\t\tgf_sm_del(ctx);\n\t\t\tgf_sg_del(sg);\n\t\t\tif (load.isom) gf_isom_delete(load.isom);\n\t\t\treturn e;\n\t\t}\n\t}\n\n\tif (do_log) {\n\t\tchar szLog[GF_MAX_PATH];\n\t\tsprintf(szLog, \"%s_dec.logs\", inName);\n\t\tlogs = gf_fopen(szLog, \"wt\");\n\n\t\tgf_log_set_tool_level(GF_LOG_CODING, GF_LOG_DEBUG);\n\t\tprev_logs = gf_log_set_callback(logs, scene_coding_log);\n\t}\n\te = gf_sm_load_init(&load);\n\tif (!e) e = gf_sm_load_run(&load);\n\tgf_sm_load_done(&load);\n\tif (logs) {\n\t\tgf_log_set_tool_level(GF_LOG_CODING, GF_LOG_ERROR);\n\t\tgf_log_set_callback(NULL, prev_logs);\n\t\tgf_fclose(logs);\n\t}\n\tif (!e && dump_mode != GF_SM_DUMP_SVG) {\n\t\tu32 count = gf_list_count(ctx->streams);\n\t\tif (count)\n\t\t\tfprintf(stderr, \"Scene loaded - dumping %d systems streams\\n\", count);\n\t\telse\n\t\t\tfprintf(stderr, \"Scene loaded - dumping root scene\\n\");\n\n\t\te = gf_sm_dump(ctx, inName, is_final_name, dump_mode);\n\t}\n\n\tgf_sm_del(ctx);\n\tgf_sg_del(sg);\n\tif (e) fprintf(stderr, \"Error loading scene: %s\\n\", gf_error_to_string(e));\n\tif (load.isom) gf_isom_delete(load.isom);\n\treturn e;\n}", "project": "gpac", "hash": 54909694909230875641503970339541316726, "size": 88, 
"commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249536 }, { "func": "GF_Err stbl_AddDependencyType(GF_SampleTableBox *stbl, u32 sampleNumber, u32 isLeading, u32 dependsOn, u32 dependedOn, u32 redundant)\n{\n\tu32 flags;\n\tGF_SampleDependencyTypeBox *sdtp;\n\n\tif (stbl->SampleDep == NULL) {\n\t\tstbl->SampleDep = (GF_SampleDependencyTypeBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_SDTP);\n\t\tif (!stbl->SampleDep) return GF_OUT_OF_MEM;\n\t}\n\tsdtp = stbl->SampleDep;\n\tif (sdtp->sampleCount + 1 < sampleNumber) {\n\t\tu32 missed = sampleNumber-1 - sdtp->sampleCount;\n\t\tsdtp->sample_info = (u8*) gf_realloc(sdtp->sample_info, sizeof(u8) * (sdtp->sampleCount+missed) );\n\t\tif (!sdtp->sample_info) return GF_OUT_OF_MEM;\n\t\tsdtp->sample_alloc = sdtp->sampleCount+missed;\n\t\tmemset(&sdtp->sample_info[sdtp->sampleCount], 0, sizeof(u8) * missed );\n\t\twhile (missed) {\n\t\t\tGF_ISOSAPType isRAP;\n\t\t\tif (stbl->SyncSample) stbl_GetSampleRAP(stbl->SyncSample, sdtp->sampleCount+1, &isRAP, NULL, NULL);\n\t\t\telse isRAP = 1;\n\t\t\tsdtp->sample_info[sdtp->sampleCount] = isRAP ? 
(2<<4) : 0;\n\t\t\tif (isRAP) {\n\t\t\t\tsdtp->sample_info[sdtp->sampleCount] = 0;\n\n\t\t\t}\n\t\t\tsdtp->sampleCount++;\n\t\t\tmissed--;\n\t\t}\n\t}\n\n\tflags = 0;\n\tflags |= isLeading << 6;\n\tflags |= dependsOn << 4;\n\tflags |= dependedOn << 2;\n\tflags |= redundant;\n\n\tsdtp->sample_info = (u8*) gf_realloc(sdtp->sample_info, sizeof(u8) * (sdtp->sampleCount + 1));\n\tif (!sdtp->sample_info) return GF_OUT_OF_MEM;\n\tsdtp->sample_alloc = sdtp->sampleCount + 1;\n\tif (sdtp->sampleCount < sampleNumber) {\n\t\tsdtp->sample_info[sdtp->sampleCount] = flags;\n\t} else {\n\t\tu32 snum = sampleNumber-1;\n\t\tmemmove(sdtp->sample_info+snum+1, sdtp->sample_info+snum, sizeof(u8) * (sdtp->sampleCount - snum) );\n\t\tsdtp->sample_info[snum] = flags;\n\t}\n\t//update our list\n\tsdtp->sampleCount ++;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 175806822914660473424154544335258887614, "size": 50, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267889 }, { "func": "u32 gf_isom_solve_uuid_box(char *UUID)\n{\n\tu32 i;\n\tchar strUUID[33], strChar[3];\n\tstrUUID[0] = 0;\n\tstrUUID[32] = 0;\n\tfor (i=0; i<16; i++) {\n\t\tsnprintf(strChar, 3, \"%02X\", (unsigned char) UUID[i]);\n\t\tstrcat(strUUID, strChar);\n\t}\n\tif (!strnicmp(strUUID, \"8974dbce7be74c5184f97148f9882554\", 32))\n\t\treturn GF_ISOM_BOX_UUID_TENC;\n\tif (!strnicmp(strUUID, \"A5D40B30E81411DDBA2F0800200C9A66\", 32))\n\t\treturn GF_ISOM_BOX_UUID_MSSM;\n\tif (!strnicmp(strUUID, \"D4807EF2CA3946958E5426CB9E46A79F\", 32))\n\t\treturn GF_ISOM_BOX_UUID_TFRF;\n\tif (!strnicmp(strUUID, \"6D1D9B0542D544E680E2141DAFF757B2\", 32))\n\t\treturn GF_ISOM_BOX_UUID_TFXD;\n\tif (!strnicmp(strUUID, \"A2394F525A9B4F14A2446C427C648DF4\", 32))\n\t\treturn GF_ISOM_BOX_UUID_PSEC;\n\tif (!strnicmp(strUUID, \"D08A4F1810F34A82B6C832D8ABA183D3\", 32))\n\t\treturn GF_ISOM_BOX_UUID_PSSH;\n\n\treturn 0;\n}", "project": "gpac", "hash": 
277738476160615590900128614152176296615, "size": 25, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224893 }, { "func": "GF_Err gf_isom_remove_user_data_item(GF_ISOFile *movie, u32 trackNumber, u32 UserDataType, bin128 UUID, u32 UserDataIndex)\n{\n\tGF_UserDataMap *map;\n\tGF_Box *a;\n\tu32 i;\n\tbin128 t;\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\tGF_UserDataBox *udta;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\tif (UserDataType == GF_ISOM_BOX_TYPE_UUID) UserDataType = 0;\n\tmemset(t, 1, 16);\n\n\tif (trackNumber) {\n\t\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\t\tif (!trak) return GF_BAD_PARAM;\n\t\tudta = trak->udta;\n\t} else {\n\t\tudta = movie->moov->udta;\n\t}\n\tif (!udta) return GF_BAD_PARAM;\n\tif (!UserDataIndex) return GF_BAD_PARAM;\n\n\ti=0;\n\twhile ((map = (GF_UserDataMap*)gf_list_enum(udta->recordList, &i))) {\n\t\tif ((map->boxType == GF_ISOM_BOX_TYPE_UUID) && !memcmp(map->uuid, UUID, 16)) goto found;\n\t\telse if (map->boxType == UserDataType) goto found;\n\t}\n\t//not found\n\treturn GF_OK;\n\nfound:\n\n\tif (UserDataIndex > gf_list_count(map->boxes) ) return GF_BAD_PARAM;\n\t//delete the box\n\ta = (GF_Box*)gf_list_get(map->boxes, UserDataIndex-1);\n\tgf_isom_box_del_parent(&map->boxes, a);\n\n\t//remove the map if empty\n\tif (!gf_list_count(map->boxes)) {\n\t\tgf_list_rem(udta->recordList, i-1);\n\t\tgf_isom_box_array_del(map->boxes);\n\t\tgf_free(map);\n\t}\n\t//but we keep the UDTA no matter what\n\treturn GF_OK;\n}", "project": "gpac", "hash": 327721945703607343385412188949304728621, "size": 50, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267233 }, { "func": "GF_Err stbl_GetSampleRAP(GF_SyncSampleBox *stss, u32 SampleNumber, GF_ISOSAPType *IsRAP, u32 *prevRAP, u32 *nextRAP)\n{\n\tu32 i;\n\tif (prevRAP) *prevRAP = 0;\n\tif 
(nextRAP) *nextRAP = 0;\n\n\t(*IsRAP) = RAP_NO;\n\tif (!stss || !SampleNumber) return GF_BAD_PARAM;\n\n\tif (stss->r_LastSyncSample && (stss->r_LastSyncSample < SampleNumber) ) {\n\t\ti = stss->r_LastSampleIndex;\n\t} else {\n\t\ti = 0;\n\t}\n\tfor (; i < stss->nb_entries; i++) {\n\t\t//get the entry\n\t\tif (stss->sampleNumbers[i] == SampleNumber) {\n\t\t\t//update the cache\n\t\t\tstss->r_LastSyncSample = SampleNumber;\n\t\t\tstss->r_LastSampleIndex = i;\n\t\t\t(*IsRAP) = RAP;\n\t\t}\n\t\telse if (stss->sampleNumbers[i] > SampleNumber) {\n\t\t\tif (nextRAP) *nextRAP = stss->sampleNumbers[i];\n\t\t\treturn GF_OK;\n\t\t}\n\t\tif (prevRAP) *prevRAP = stss->sampleNumbers[i];\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 159880549304118397817425055809292769858, "size": 30, "commit_id": "2da2f68bffd51d89b1d272d22aa8cc023c1c066e", "message": "fixed #1705", "target": 0, "dataset": "other", "idx": 258551 }, { "func": "GF_Err stbl_SetSampleSize(GF_SampleSizeBox *stsz, u32 SampleNumber, u32 size)\n{\n\tu32 i;\n\tif (!SampleNumber || (stsz->sampleCount < SampleNumber)) return GF_BAD_PARAM;\n\n\tif (stsz->sampleSize) {\n\t\tif (stsz->sampleSize == size) return GF_OK;\n\t\tif (stsz->sampleCount == 1) {\n\t\t\tstsz->sampleSize = size;\n\t\t\treturn GF_OK;\n\t\t}\n\t\t//nope, we have to rewrite a table\n\t\tstsz->sizes = (u32*)gf_malloc(sizeof(u32)*stsz->sampleCount);\n\t\tif (!stsz->sizes) return GF_OUT_OF_MEM;\n\t\tfor (i=0; isampleCount; i++) stsz->sizes[i] = stsz->sampleSize;\n\t\tstsz->sampleSize = 0;\n\t}\n\tstsz->sizes[SampleNumber - 1] = size;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 100213760687790706611128486617396681787, "size": 20, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267885 }, { "func": "u32 PrintBuiltInBoxes(char *argval, u32 do_cov)\n{\n\tu32 i, count=gf_isom_get_num_supported_boxes();\n\t\n\tfprintf(stdout, \"\\n\");\n\t//index 0 is our internal unknown 
box handler\n\tfor (i=1; i\\n\");\n\treturn 1;\n}", "project": "gpac", "hash": 194070866769026812206669990469822436133, "size": 22, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243187 }, { "func": "void PrintBuiltInBoxes(Bool do_cov)\n{\n\tu32 i, count=gf_isom_get_num_supported_boxes();\n\tfprintf(stdout, \"\\n\");\n\t//index 0 is our internal unknown box handler\n\tfor (i=1; i\\n\");\n}", "project": "gpac", "hash": 179908258725542751705048895368447884875, "size": 20, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249529 }, { "func": "GF_Err tfxd_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tGF_MSSTimeExtBox *uuid = (GF_MSSTimeExtBox*)s;\n\te = gf_isom_box_write_header(s, bs);\n\tif (e) return e;\n\n\tgf_bs_write_u8(bs, 1);\n\tgf_bs_write_u24(bs, 0);\n\tgf_bs_write_u64(bs, uuid->absolute_time_in_track_timescale);\n\tgf_bs_write_u64(bs, uuid->fragment_duration_in_track_timescale);\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 26011149153278880284649009187350941666, "size": 14, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264865 }, { "func": "static u32 get_box_reg_idx(u32 boxCode, u32 parent_type)\n{\n\tu32 i=0, count = gf_isom_get_num_supported_boxes();\n\tconst char *parent_name = parent_type ? 
gf_4cc_to_str(parent_type) : NULL;\n\n\tfor (i=1; igrouping_type==grouping_type) break;\n\t\tsgroup = NULL;\n\t}\n\tif (!sgroup) {\n\t\tsgroup = (GF_SampleGroupBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_SBGP);\n\t\tif (!sgroup) return GF_OUT_OF_MEM;\n\t\tsgroup->grouping_type = grouping_type;\n\t\tsgroup->grouping_type_parameter = grouping_type_parameter;\n//\t\tgf_list_add(sampleGroups, sgroup);\n\t\t//crude patch to align old arch and filters\n\t\tgf_list_insert(sampleGroups, sgroup, 0);\n\t\tassert(parent);\n\t\tgf_list_add(parent, sgroup);\n\t}\n\t/*used in fragments, means we are adding the last sample*/\n\tif (!sample_number) {\n\t\tsample_number = 1;\n\t\tif (sgroup->entry_count) {\n\t\t\tfor (i=0; ientry_count; i++) {\n\t\t\t\tsample_number += sgroup->sample_entries[i].sample_count;\n\t\t\t}\n\t\t}\n\t} else if (sample_number==(u32) -1) {\n\t\tall_samples = GF_TRUE;\n\t\tsample_number = 1;\n\t}\n\n\tif (!sgroup->entry_count) {\n\t\tu32 idx = 0;\n\t\tsgroup->entry_count = (sample_number>1) ? 2 : 1;\n\t\tsgroup->sample_entries = (GF_SampleGroupEntry*)gf_malloc(sizeof(GF_SampleGroupEntry) * sgroup->entry_count );\n\t\tif (!sgroup->sample_entries) return GF_OUT_OF_MEM;\n\t\tif (sample_number>1) {\n\t\t\tsgroup->sample_entries[0].sample_count = sample_number-1;\n\t\t\tsgroup->sample_entries[0].group_description_index = sampleGroupDescriptionIndex ? 
0 : 1;\n\t\t\tidx = 1;\n\t\t}\n\t\tsgroup->sample_entries[idx].sample_count = 1;\n\t\tsgroup->sample_entries[idx].group_description_index = sampleGroupDescriptionIndex;\n\t\tif (all_samples && stbl) {\n\t\t\tsgroup->sample_entries[idx].sample_count = stbl->SampleSize->sampleCount;\n\t\t}\n\t\treturn GF_OK;\n\t}\n\tif (all_samples && stbl) {\n\t\tsgroup->entry_count = 1;\n\t\tsgroup->sample_entries[0].group_description_index = sampleGroupDescriptionIndex;\n\t\tsgroup->sample_entries[0].sample_count = stbl->SampleSize->sampleCount;\n\t\treturn GF_OK;\n\t}\n\tlast_sample_in_entry = 0;\n\tfor (i=0; ientry_count; i++) {\n\t\t/*TODO*/\n\t\tif (last_sample_in_entry + sgroup->sample_entries[i].sample_count > sample_number) return GF_NOT_SUPPORTED;\n\t\tlast_sample_in_entry += sgroup->sample_entries[i].sample_count;\n\t}\n\n\tif (last_sample_in_entry == sample_number) {\n\t\tif (sgroup->sample_entries[sgroup->entry_count-1].group_description_index==sampleGroupDescriptionIndex)\n\t\t\treturn GF_OK;\n\t\telse\n\t\t\treturn GF_NOT_SUPPORTED;\n\t}\n\n\tif ((sgroup->sample_entries[sgroup->entry_count-1].group_description_index==sampleGroupDescriptionIndex) && (last_sample_in_entry+1==sample_number)) {\n\t\tsgroup->sample_entries[sgroup->entry_count-1].sample_count++;\n\t\treturn GF_OK;\n\t}\n\t/*last entry was an empty desc (no group associated), just add the number of samples missing until new one, then add new one*/\n\tif (! 
sgroup->sample_entries[sgroup->entry_count-1].group_description_index) {\n\t\tsgroup->sample_entries[sgroup->entry_count-1].sample_count += sample_number - 1 - last_sample_in_entry;\n\t\tsgroup->sample_entries = (GF_SampleGroupEntry*)gf_realloc(sgroup->sample_entries, sizeof(GF_SampleGroupEntry) * (sgroup->entry_count + 1) );\n\t\tsgroup->sample_entries[sgroup->entry_count].sample_count = 1;\n\t\tsgroup->sample_entries[sgroup->entry_count].group_description_index = sampleGroupDescriptionIndex;\n\t\tsgroup->entry_count++;\n\t\treturn GF_OK;\n\t}\n\t/*we are adding a sample with no desc, add entry at the end*/\n\tif (!sampleGroupDescriptionIndex || (sample_number - 1 - last_sample_in_entry==0) ) {\n\t\tsgroup->sample_entries = (GF_SampleGroupEntry*)gf_realloc(sgroup->sample_entries, sizeof(GF_SampleGroupEntry) * (sgroup->entry_count + 1) );\n\t\tsgroup->sample_entries[sgroup->entry_count].sample_count = 1;\n\t\tsgroup->sample_entries[sgroup->entry_count].group_description_index = sampleGroupDescriptionIndex;\n\t\tsgroup->entry_count++;\n\t\treturn GF_OK;\n\t}\n\t/*need to insert two entries ...*/\n\tsgroup->sample_entries = (GF_SampleGroupEntry*)gf_realloc(sgroup->sample_entries, sizeof(GF_SampleGroupEntry) * (sgroup->entry_count + 2) );\n\n\tsgroup->sample_entries[sgroup->entry_count].sample_count = sample_number - 1 - last_sample_in_entry;\n\tsgroup->sample_entries[sgroup->entry_count].group_description_index = 0;\n\n\tsgroup->sample_entries[sgroup->entry_count+1].sample_count = 1;\n\tsgroup->sample_entries[sgroup->entry_count+1].group_description_index = sampleGroupDescriptionIndex;\n\tsgroup->entry_count+=2;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 58006449555452169968368053221189041666, "size": 105, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267327 }, { "func": "GF_Err gf_isom_parse_movie_boxes(GF_ISOFile *mov, u32 *boxType, u64 *bytesMissing, Bool 
progressive_mode)\n{\n\tGF_Err e;\n\tGF_Blob *blob = NULL;\n\n\t//if associated file is a blob, lock blob before parsing !\n\tif (mov->movieFileMap && ((mov->movieFileMap->type == GF_ISOM_DATA_MEM) || (mov->movieFileMap->type == GF_ISOM_DATA_FILE))) {\n\t\tblob = ((GF_FileDataMap *)mov->movieFileMap)->blob;\n\t}\n\n\tif (blob)\n\t\tgf_mx_p(blob->mx);\n\n\te = gf_isom_parse_movie_boxes_internal(mov, boxType, bytesMissing, progressive_mode);\n\n\tif (blob)\n\t\tgf_mx_v(blob->mx);\n\treturn e;\n\n}", "project": "gpac", "hash": 253143380461230434712540295678916901754, "size": 20, "commit_id": "fe5155cf047252d1c4cb91602048bfa682af0ea7", "message": "fixed #1783 (fuzz)", "target": 0, "dataset": "other", "idx": 271711 }, { "func": "static GF_Err gf_isom_set_last_sample_duration_internal(GF_ISOFile *movie, u32 trackNumber, u64 dur_num, u32 dur_den, u32 mode)\n{\n\tGF_TrackBox *trak;\n\tGF_SttsEntry *ent;\n\tGF_TimeToSampleBox *stts;\n\tu64 mdur;\n\tu32 duration;\n\tGF_Err e;\n\tBool is_patch = GF_FALSE;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tif (mode==0) {\n\t\tduration = (u32) dur_num;\n\t} else if (mode==1) {\n\t\tduration = (u32) dur_num;\n\t\tif (dur_den) {\n\t\t\tduration *= trak->Media->mediaHeader->timeScale;\n\t\t\tduration /= dur_den;\n\t\t}\n\t} else {\n\t\tis_patch = GF_TRUE;\n\t}\n\tmdur = trak->Media->mediaHeader->duration;\n\tstts = trak->Media->information->sampleTable->TimeToSample;\n\tif (!stts->nb_entries) return GF_BAD_PARAM;\n\n\tif (is_patch) {\n\t\tu32 i, avg_dur, nb_samp=0;\n\t\tu64 cum_dur=0;\n\t\tfor (i=0; inb_entries; i++) {\n\t\t\tent = (GF_SttsEntry*) &stts->entries[i];\n\t\t\tcum_dur += ent->sampleCount*ent->sampleDelta;\n\t\t\tnb_samp += ent->sampleCount;\n\t\t}\n\t\tif (cum_dur <= dur_num || !nb_samp) return GF_OK;\n\t\tavg_dur = (u32) (dur_num / nb_samp);\n\n\t\tfor (i=0; inb_entries; i++) {\n\t\t\tent = 
(GF_SttsEntry*) &stts->entries[i];\n\t\t\tent->sampleDelta = avg_dur;\n\t\t}\n\t\tstts->w_LastDTS = dur_num - avg_dur;\n\t\treturn GF_OK;\n\t}\n\t//get the last entry\n\tent = (GF_SttsEntry*) &stts->entries[stts->nb_entries-1];\n\tif ((mode==1) && !duration && !dur_den) {\n\t\t//same as previous, nothing to adjust\n\t\tif (ent->sampleCount>1) return GF_OK;\n\t\tif (stts->nb_entries==1) return GF_OK;\n\t\tduration = stts->entries[stts->nb_entries-2].sampleDelta;\n\t}\n\n\tmdur -= ent->sampleDelta;\n\tmdur += duration;\n\n\t//we only have one sample\n\tif (ent->sampleCount == 1) {\n\t\tent->sampleDelta = (u32) duration;\n\t\tif (mode && (stts->nb_entries>1) && (stts->entries[stts->nb_entries-2].sampleDelta==duration)) {\n\t\t\tstts->entries[stts->nb_entries-2].sampleCount++;\n\t\t\tstts->nb_entries--;\n\t\t\t//and update the write cache\n\t\t\tstts->w_currentSampleNum = trak->Media->information->sampleTable->SampleSize->sampleCount;\n\t\t}\n\t} else {\n\t\tif (ent->sampleDelta == duration) return GF_OK;\n\t\tent->sampleCount -= 1;\n\n\t\tif (stts->nb_entries==stts->alloc_size) {\n\t\t\tstts->alloc_size++;\n\t\t\tstts->entries = (GF_SttsEntry*)gf_realloc(stts->entries, sizeof(GF_SttsEntry)*stts->alloc_size);\n\t\t\tif (!stts->entries) return GF_OUT_OF_MEM;\n\t\t}\n\t\tstts->entries[stts->nb_entries].sampleCount = 1;\n\t\tstts->entries[stts->nb_entries].sampleDelta = (u32) duration;\n\t\tstts->nb_entries++;\n\t\t//and update the write cache\n\t\tstts->w_currentSampleNum = trak->Media->information->sampleTable->SampleSize->sampleCount;\n\t}\n\tif (!movie->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\ttrak->Media->mediaHeader->duration = mdur;\n\treturn SetTrackDuration(trak);\n}", "project": "gpac", "hash": 279633319250051707066448425583526263624, "size": 90, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267224 }, { "func": "GF_Err 
FlushCaptureMode(GF_ISOFile *movie)\n{\n\tGF_Err e;\n\tif (movie->openMode != GF_ISOM_OPEN_WRITE) {\n\t\tif (!movie->editFileMap) return GF_ISOM_INVALID_MODE;\n\t\treturn GF_OK;\n\t}\n\t/*make sure nothing was added*/\n\tif (gf_bs_get_position(movie->editFileMap->bs)) return GF_OK;\n\n\tif (!strcmp(movie->fileName, \"_gpac_isobmff_redirect\")) {\n\t\tif (!movie->on_block_out) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[ISOBMFF] Missing output block callback, cannot write\\n\"));\n\t\t\treturn GF_BAD_PARAM;\n\t\t}\n\n\t\tgf_bs_del(movie->editFileMap->bs);\n\t\tmovie->editFileMap->bs = gf_bs_new_cbk(movie->on_block_out, movie->on_block_out_usr_data, movie->on_block_out_block_size);\n\t}\n\n\t/*add all first boxes*/\n\tif (movie->brand) {\n\t\te = gf_isom_box_size((GF_Box *)movie->brand);\n\t\tif (e) return e;\n\t\te = gf_isom_box_write((GF_Box *)movie->brand, movie->editFileMap->bs);\n\t\tif (e) return e;\n\t}\n\tif (movie->pdin) {\n\t\te = gf_isom_box_size((GF_Box *)movie->pdin);\n\t\tif (e) return e;\n\t\te = gf_isom_box_write((GF_Box *)movie->pdin, movie->editFileMap->bs);\n\t\tif (e) return e;\n\t}\n\tmovie->mdat->bsOffset = gf_bs_get_position(movie->editFileMap->bs);\n\n\t/*we have a trick here: the data will be stored on the fly, so the first\n\tthing in the file is the MDAT. 
As we don't know if we have a large file (>4 GB) or not\n\tdo as if we had one and write 16 bytes: 4 (type) + 4 (size) + 8 (largeSize)...*/\n\tgf_bs_write_long_int(movie->editFileMap->bs, 0, 64);\n\tgf_bs_write_long_int(movie->editFileMap->bs, 0, 64);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 97752467468181475042047172333465659484, "size": 42, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267216 }, { "func": "GF_EXPORT\nBool gf_isom_moov_first(GF_ISOFile *movie)\n{\n\tu32 i;\n\tfor (i=0; iTopBoxes); i++) {\n\t\tGF_Box *b = (GF_Box*)gf_list_get(movie->TopBoxes, i);\n\t\tif (b->type == GF_ISOM_BOX_TYPE_MOOV) return GF_TRUE;\n\t\tif (b->type == GF_ISOM_BOX_TYPE_MDAT) return GF_FALSE;\n\t}\n\treturn GF_FALSE;", "project": "gpac", "hash": 21523012237342377141237299516588739502, "size": 10, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246859 }, { "func": "GF_AVCConfig *gf_isom_svc_config_get(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !DescriptionIndex) return NULL;\n\tif (gf_isom_get_avc_svc_type(the_file, trackNumber, DescriptionIndex)==GF_ISOM_AVCTYPE_NONE)\n\t\treturn NULL;\n\tentry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1);\n\tif (!entry) return NULL;\n\tif (!entry->svc_config) return NULL;\n\treturn AVC_DuplicateConfig(entry->svc_config->config);\n}", "project": "gpac", "hash": 307285331719461974772054182085063152610, "size": 13, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237583 }, { "func": "GF_AVCConfig *gf_isom_mvc_config_get(GF_ISOFile *the_file, 
u32 trackNumber, u32 DescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !DescriptionIndex) return NULL;\n\tif (gf_isom_get_avc_svc_type(the_file, trackNumber, DescriptionIndex)==GF_ISOM_AVCTYPE_NONE)\n\t\treturn NULL;\n\tentry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1);\n\tif (!entry) return NULL;\n\tif (!entry->mvc_config) return NULL;\n\treturn AVC_DuplicateConfig(entry->mvc_config->config);\n}", "project": "gpac", "hash": 260660899808549711745683041977288476522, "size": 13, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237644 }, { "func": "static Bool parse_tsel_args(TSELAction **__tsel_list, char *opts, u32 *nb_tsel_act, TSELActionType act)\n{\n\tGF_ISOTrackID refTrackID = 0;\n\tBool has_switch_id;\n\tu32 switch_id = 0;\n\tu32 criteria[30];\n\tu32 nb_criteria = 0;\n\tTSELAction *tsel_act;\n\tchar szSlot[1024];\n\tTSELAction *tsel_list;\n\n\thas_switch_id = 0;\n\n\n\tif (!opts) return 0;\n\twhile (1) {\n\t\tchar *next;\n\t\tif (!opts || !opts[0]) return 1;\n\t\tif (opts[0]==':') opts += 1;\n\t\tstrcpy(szSlot, opts);\n\t\tnext = gf_url_colon_suffix(szSlot);\n\t\tif (next) next[0] = 0;\n\n\n\t\tif (!strnicmp(szSlot, \"refTrack=\", 9)) refTrackID = atoi(szSlot+9);\n\t\telse if (!strnicmp(szSlot, \"switchID=\", 9)) {\n\t\t\tif (atoi(szSlot+9)<0) {\n\t\t\t\tswitch_id = 0;\n\t\t\t\thas_switch_id = 0;\n\t\t\t} else {\n\t\t\t\tswitch_id = atoi(szSlot+9);\n\t\t\t\thas_switch_id = 1;\n\t\t\t}\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"switchID\", 8)) {\n\t\t\tswitch_id = 0;\n\t\t\thas_switch_id = 1;\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"criteria=\", 9)) {\n\t\t\tu32 j=9;\n\t\t\tnb_criteria = 0;\n\t\t\twhile (j+3refTrackID = refTrackID;\n\t\t\ttsel_act->switchGroupID = 
switch_id;\n\t\t\ttsel_act->is_switchGroup = has_switch_id;\n\t\t\ttsel_act->nb_criteria = nb_criteria;\n\t\t\tmemcpy(tsel_act->criteria, criteria, sizeof(u32)*nb_criteria);\n\n\t\t\tif (!refTrackID)\n\t\t\t\trefTrackID = tsel_act->trackID;\n\n\t\t\t(*nb_tsel_act) ++;\n\t\t}\n\t\topts += strlen(szSlot);\n\t}\n\treturn 1;\n}", "project": "gpac", "hash": 27359676744596964789457028976021673816, "size": 70, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244392 }, { "func": "GF_VVCConfig *gf_isom_vvc_config_get(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\t/*todo, add support for subpic track and nvcl tracks*/\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !DescriptionIndex) return NULL;\n\tif (gf_isom_get_vvc_type(the_file, trackNumber, DescriptionIndex)==GF_ISOM_VVCTYPE_NONE)\n\t\treturn NULL;\n\tentry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1);\n\tif (!entry) return NULL;\n\tif (!entry->vvc_config) return NULL;\n\treturn VVC_DuplicateConfig(entry->vvc_config->config);\n}", "project": "gpac", "hash": 247782835209298638789430517359209309478, "size": 14, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237595 }, { "func": "void gf_isom_box_del(GF_Box *a)\n{\n\tGF_List *other_boxes;\n\tif (!a) return;\n\tif (skip_box_dump_del) return;\n\n\tother_boxes\t= a->other_boxes;\n\ta->other_boxes = NULL;\n\n\tif (!a->registry) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Delete invalid box type %s without registry\\n\", gf_4cc_to_str(a->type) ));\n\t} else {\n\t\tif (use_dump_mode) {\n\t\t\tskip_box_dump_del = GF_TRUE;\n\t\t\ta->registry->del_fn(a);\n\t\t\tskip_box_dump_del = GF_FALSE;\n\t\t} 
else {\n\t\t\ta->registry->del_fn(a);\n\t\t}\n\t}\n\t//delet the other boxes after deleting the box for dumper case where all child boxes are stored in otherbox\n\tif (other_boxes) {\n\t\tgf_isom_box_array_del(other_boxes);\n\t}\n}", "project": "gpac", "hash": 177938661992160262147863676460354005479, "size": 25, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224912 }, { "func": "GF_EXPORT\nBool gf_isom_is_JPEG2000(GF_ISOFile *mov)\n{\n\treturn (mov && mov->is_jp2) ? GF_TRUE : GF_FALSE;", "project": "gpac", "hash": 92560222677155594597737333675823303832, "size": 4, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246813 }, { "func": "GF_Err Media_GetSample(GF_MediaBox *mdia, u32 sampleNumber, GF_ISOSample **samp, u32 *sIDX, Bool no_data, u64 *out_offset)\n{\n\tGF_Err e;\n\tu32 bytesRead;\n\tu32 dataRefIndex, chunkNumber;\n\tu64 offset, new_size;\n\tu32 sdesc_idx;\n\tGF_SampleEntryBox *entry;\n\tGF_StscEntry *stsc_entry;\n\n\tif (!mdia || !mdia->information->sampleTable) return GF_BAD_PARAM;\n\tif (!mdia->information->sampleTable->SampleSize)\n\t\treturn GF_ISOM_INVALID_FILE;\n\n\t//OK, here we go....\n\tif (sampleNumber > mdia->information->sampleTable->SampleSize->sampleCount) return GF_BAD_PARAM;\n\n\t//the data info\n\tif (!sIDX && !no_data) return GF_BAD_PARAM;\n\n\te = stbl_GetSampleInfos(mdia->information->sampleTable, sampleNumber, &offset, &chunkNumber, &sdesc_idx, &stsc_entry);\n\tif (e) return e;\n\tif (sIDX) (*sIDX) = sdesc_idx;\n\n\tif (out_offset) *out_offset = offset;\n\tif (!samp ) return GF_OK;\n\n\tif (mdia->information->sampleTable->TimeToSample) {\n\t\t//get the DTS\n\t\te = stbl_GetSampleDTS(mdia->information->sampleTable->TimeToSample, sampleNumber, &(*samp)->DTS);\n\t\tif (e) return e;\n\t} else {\n\t\t(*samp)->DTS=0;\n\t}\n\t//the CTS offset\n\tif 
(mdia->information->sampleTable->CompositionOffset) {\n\t\te = stbl_GetSampleCTS(mdia->information->sampleTable->CompositionOffset , sampleNumber, &(*samp)->CTS_Offset);\n\t\tif (e) return e;\n\t} else {\n\t\t(*samp)->CTS_Offset = 0;\n\t}\n\t//the size\n\te = stbl_GetSampleSize(mdia->information->sampleTable->SampleSize, sampleNumber, &(*samp)->dataLength);\n\tif (e) return e;\n\t//the RAP\n\tif (mdia->information->sampleTable->SyncSample) {\n\t\te = stbl_GetSampleRAP(mdia->information->sampleTable->SyncSample, sampleNumber, &(*samp)->IsRAP, NULL, NULL);\n\t\tif (e) return e;\n\t} else {\n\t\t//if no SyncSample, all samples are sync (cf spec)\n\t\t(*samp)->IsRAP = RAP;\n\t}\n\n\tif (mdia->information->sampleTable->SampleDep) {\n\t\tu32 isLeading, dependsOn, dependedOn, redundant;\n\t\te = stbl_GetSampleDepType(mdia->information->sampleTable->SampleDep, sampleNumber, &isLeading, &dependsOn, &dependedOn, &redundant);\n\t\tif (!e) {\n\t\t\tif (dependsOn==1) (*samp)->IsRAP = RAP_NO;\n\t\t\t//commenting following code since it is wrong - an I frame is not always a SAP1, it can be a SAP2 or SAP3.\n\t\t\t//Keeping this code breaks AVC / HEVC openGOP import when writing sample dependencies\n\t\t\t//else if (dependsOn==2) (*samp)->IsRAP = RAP;\n\n\t\t\t/*if not depended upon and redundant, mark as carousel sample*/\n\t\t\tif ((dependedOn==2) && (redundant==1)) (*samp)->IsRAP = RAP_REDUNDANT;\n\t\t\t/*TODO FIXME - we must enhance the IsRAP semantics to carry disposable info ... 
*/\n\t\t}\n\t}\n\n\t/*get sync shadow*/\n\tif (Media_IsSampleSyncShadow(mdia->information->sampleTable->ShadowSync, sampleNumber)) (*samp)->IsRAP = RAP_REDUNDANT;\n\n\t//the data info\n\tif (!sIDX && !no_data) return GF_BAD_PARAM;\n\tif (!sIDX && !out_offset) return GF_OK;\n\tif (!sIDX) return GF_OK;\n\n\t(*sIDX) = sdesc_idx;\n//\te = stbl_GetSampleInfos(mdia->information->sampleTable, sampleNumber, &offset, &chunkNumber, sIDX, &stsc_entry);\n//\tif (e) return e;\n\n\t//then get the DataRef\n\te = Media_GetSampleDesc(mdia, sdesc_idx, &entry, &dataRefIndex);\n\tif (e) return e;\n\n\t//if moov is compressed, remove offset if sample is after moov in this file\n\tif (mdia->mediaTrack->moov->compressed_diff) {\n\t\tGF_DataEntryBox *ent = (GF_DataEntryBox*)gf_list_get(mdia->information->dataInformation->dref->child_boxes, dataRefIndex - 1);\n\t\tif (ent && (ent->flags&1) && (offset>=mdia->mediaTrack->moov->file_offset)) {\n\t\t\toffset -= mdia->mediaTrack->moov->compressed_diff;\n\t\t}\n\t}\n\n\n\tif (no_data) {\n\t\tif ( ((*samp)->dataLength != 0) && mdia->mediaTrack->pack_num_samples) {\n\t\t\tu32 idx_in_chunk = sampleNumber - mdia->information->sampleTable->SampleToChunk->firstSampleInCurrentChunk;\n\t\t\tu32 left_in_chunk = stsc_entry->samplesPerChunk - idx_in_chunk;\n\t\t\tif (left_in_chunk > mdia->mediaTrack->pack_num_samples)\n\t\t\t\tleft_in_chunk = mdia->mediaTrack->pack_num_samples;\n\t\t\t(*samp)->dataLength *= left_in_chunk;\n\t\t\t(*samp)->nb_pack = left_in_chunk;\n\t\t}\n\t\treturn GF_OK;\n\t}\n\n\t// Open the data handler - check our mode, don't reopen in read only if this is\n\t//the same entry. 
In other modes we have no choice because the main data map is\n\t//divided into the original and the edition files\n\tif (mdia->mediaTrack->moov->mov->openMode == GF_ISOM_OPEN_READ) {\n\t\t//same as last call in read mode\n\t\tif (!mdia->information->dataHandler) {\n\t\t\te = gf_isom_datamap_open(mdia, dataRefIndex, stsc_entry->isEdited);\n\t\t\tif (e) return e;\n\t\t}\n\t\tmdia->information->dataEntryIndex = dataRefIndex;\n\t} else {\n\t\te = gf_isom_datamap_open(mdia, dataRefIndex, stsc_entry->isEdited);\n\t\tif (e) return e;\n\t}\n\n\tif ( mdia->mediaTrack->moov->mov->read_byte_offset || mdia->mediaTrack->moov->mov->bytes_removed) {\n\t\tGF_DataEntryBox *ent = (GF_DataEntryBox*)gf_list_get(mdia->information->dataInformation->dref->child_boxes, dataRefIndex - 1);\n\t\tif (ent && (ent->flags&1)) {\n\t\t\tu64 real_offset = mdia->mediaTrack->moov->mov->read_byte_offset + mdia->mediaTrack->moov->mov->bytes_removed;\n\t\t\tif (offset < real_offset)\n\t\t\t\treturn GF_IO_ERR;\n\n\t\t\tif (mdia->information->dataHandler->last_read_offset != mdia->mediaTrack->moov->mov->read_byte_offset) {\n\t\t\t\tmdia->information->dataHandler->last_read_offset = mdia->mediaTrack->moov->mov->read_byte_offset;\n\t\t\t\tgf_bs_get_refreshed_size(mdia->information->dataHandler->bs);\n\t\t\t}\n\n\t\t\toffset -= real_offset;\n\t\t}\n\t}\n\tif ((*samp)->dataLength != 0) {\n\t\tif (mdia->mediaTrack->pack_num_samples) {\n\t\t\tu32 idx_in_chunk = sampleNumber - mdia->information->sampleTable->SampleToChunk->firstSampleInCurrentChunk;\n\t\t\tu32 left_in_chunk = stsc_entry->samplesPerChunk - idx_in_chunk;\n\t\t\tif (left_in_chunk > mdia->mediaTrack->pack_num_samples)\n\t\t\t\tleft_in_chunk = mdia->mediaTrack->pack_num_samples;\n\t\t\t(*samp)->dataLength *= left_in_chunk;\n\t\t\t(*samp)->nb_pack = left_in_chunk;\n\t\t}\n\n\t\t/*and finally get the data, include padding if needed*/\n\t\tif ((*samp)->alloc_size) {\n\t\t\tif ((*samp)->alloc_size < (*samp)->dataLength + mdia->mediaTrack->padding_bytes) 
{\n\t\t\t\t(*samp)->data = (char *) gf_realloc((*samp)->data, sizeof(char) * ( (*samp)->dataLength + mdia->mediaTrack->padding_bytes) );\n\t\t\t\tif (! (*samp)->data) return GF_OUT_OF_MEM;\n\n\t\t\t\t(*samp)->alloc_size = (*samp)->dataLength + mdia->mediaTrack->padding_bytes;\n\t\t\t}\n\t\t} else {\n\t\t\t(*samp)->data = (char *) gf_malloc(sizeof(char) * ( (*samp)->dataLength + mdia->mediaTrack->padding_bytes) );\n\t\t\tif (! (*samp)->data) return GF_OUT_OF_MEM;\n\t\t}\n\t\tif (mdia->mediaTrack->padding_bytes)\n\t\t\tmemset((*samp)->data + (*samp)->dataLength, 0, sizeof(char) * mdia->mediaTrack->padding_bytes);\n\n\t\t//check if we can get the sample (make sure we have enougth data...)\n\t\tnew_size = gf_bs_get_size(mdia->information->dataHandler->bs);\n\t\tif (offset + (*samp)->dataLength > new_size) {\n\t\t\t//always refresh the size to avoid wrong info on http/ftp\n\t\t\tnew_size = gf_bs_get_refreshed_size(mdia->information->dataHandler->bs);\n\t\t\tif (offset + (*samp)->dataLength > new_size) {\n\t\t\t\tmdia->BytesMissing = offset + (*samp)->dataLength - new_size;\n\t\t\t\treturn GF_ISOM_INCOMPLETE_FILE;\n\t\t\t}\n\t\t}\n\n\t\tbytesRead = gf_isom_datamap_get_data(mdia->information->dataHandler, (*samp)->data, (*samp)->dataLength, offset);\n\t\t//if bytesRead != sampleSize, we have an IO err\n\t\tif (bytesRead < (*samp)->dataLength) {\n\t\t\treturn GF_IO_ERR;\n\t\t}\n\t\tmdia->BytesMissing = 0;\n\t}\n\n\t//finally rewrite the sample if this is an OD Access Unit or NAL-based one\n\t//we do this even if sample size is zero because of sample implicit reconstruction rules (especially tile tracks)\n\tif (mdia->handler->handlerType == GF_ISOM_MEDIA_OD) {\n\t\tif (!mdia->mediaTrack->moov->mov->disable_odf_translate) {\n\t\t\te = Media_RewriteODFrame(mdia, *samp);\n\t\t\tif (e) return e;\n\t\t}\n\t}\n\telse if (gf_isom_is_nalu_based_entry(mdia, entry)\n\t\t&& !gf_isom_is_encrypted_entry(entry->type)\n\t) {\n\t\te = gf_isom_nalu_sample_rewrite(mdia, *samp, sampleNumber, 
(GF_MPEGVisualSampleEntryBox *)entry);\n\t\tif (e) return e;\n\t}\n\telse if (mdia->mediaTrack->moov->mov->convert_streaming_text\n\t && ((mdia->handler->handlerType == GF_ISOM_MEDIA_TEXT) || (mdia->handler->handlerType == GF_ISOM_MEDIA_SCENE) || (mdia->handler->handlerType == GF_ISOM_MEDIA_SUBT))\n\t && (entry->type == GF_ISOM_BOX_TYPE_TX3G || entry->type == GF_ISOM_BOX_TYPE_TEXT)\n\t ) {\n\t\tu64 dur;\n\t\tif (sampleNumber == mdia->information->sampleTable->SampleSize->sampleCount) {\n\t\t\tdur = mdia->mediaHeader->duration - (*samp)->DTS;\n\t\t} else {\n\t\t\tstbl_GetSampleDTS(mdia->information->sampleTable->TimeToSample, sampleNumber+1, &dur);\n\t\t\tdur -= (*samp)->DTS;\n\t\t}\n\t\te = gf_isom_rewrite_text_sample(*samp, sdesc_idx, (u32) dur);\n\t\tif (e) return e;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 134155529117070898756787204683196281388, "size": 209, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231624 }, { "func": "static GF_Err gf_isom_svc_mvc_config_new(GF_ISOFile *the_file, u32 trackNumber, GF_AVCConfig *cfg, Bool is_mvc, char *URLname, char *URNname, u32 *outDescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_Err e;\n\tu32 dataRefIndex;\n\tGF_SampleDescriptionBox *stsd;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\n\te = CanAccessMovie(the_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !cfg) return GF_BAD_PARAM;\n\n\t//get or create the data ref\n\te = Media_FindDataRef(trak->Media->information->dataInformation->dref, URLname, URNname, &dataRefIndex);\n\tif (e) return e;\n\tif (!dataRefIndex) {\n\t\te = Media_CreateDataRef(the_file, trak->Media->information->dataInformation->dref, URLname, URNname, &dataRefIndex);\n\t\tif (e) return e;\n\t}\n\tif (!the_file->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\n\tstsd = 
trak->Media->information->sampleTable->SampleDescription;\n\t//create a new entry\n\tif (is_mvc) {\n\t\tentry = (GF_MPEGVisualSampleEntryBox *) gf_isom_box_new_parent(&stsd->child_boxes, GF_ISOM_BOX_TYPE_MVC1);\n\t\tif (!entry) return GF_OUT_OF_MEM;\n\t\tentry->mvc_config = (GF_AVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_MVCC);\n\t\tif (!entry->mvc_config) return GF_OUT_OF_MEM;\n\t\tentry->mvc_config->config = AVC_DuplicateConfig(cfg);\n\t\tif (!entry->mvc_config->config) return GF_OUT_OF_MEM;\n\t} else {\n\t\tentry = (GF_MPEGVisualSampleEntryBox *) gf_isom_box_new_parent(&stsd->child_boxes,GF_ISOM_BOX_TYPE_SVC1);\n\t\tif (!entry) return GF_OUT_OF_MEM;\n\t\tentry->svc_config = (GF_AVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes,GF_ISOM_BOX_TYPE_SVCC);\n\t\tif (!entry->svc_config) return GF_OUT_OF_MEM;\n\t\tentry->svc_config->config = AVC_DuplicateConfig(cfg);\n\t\tif (!entry->svc_config->config) return GF_OUT_OF_MEM;\n\t}\n\tentry->dataReferenceIndex = dataRefIndex;\n\t*outDescriptionIndex = gf_list_count(stsd->child_boxes);\n\tAVC_RewriteESDescriptor(entry);\n\treturn e;\n}", "project": "gpac", "hash": 68730450522173409097303041904916803314, "size": 46, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237541 }, { "func": "GF_Err gf_isom_apply_box_patch(GF_ISOFile *file, GF_ISOTrackID globalTrackID, const char *box_patch_filename, Bool for_fragments)\n{\n\tGF_Err e;\n\tGF_DOMParser *dom;\n\tu32 i;\n\tGF_XMLNode *root;\n\tu8 *box_data=NULL;\n\tu32 box_data_size;\n\tif (!file || !box_patch_filename) return GF_BAD_PARAM;\n\tdom = gf_xml_dom_new();\n\tif (strstr(box_patch_filename, \"name, \"GPACBOXES\")) {\n\t\te = GF_NON_COMPLIANT_BITSTREAM;\n\t\tgoto err_exit;\n\t}\n\n\t//compute size of each child boxes to freeze the order\n\tif (for_fragments) {\n\t\tu32 count = file->moof ? 
gf_list_count(file->moof->child_boxes) : 0;\n\t\tfor (i=0; imoof->child_boxes, i);\n\t\t\tif (!(box->internal_flags & GF_ISOM_ORDER_FREEZE)) {\n\t\t\t\tgf_isom_box_size(box);\n\t\t\t\tgf_isom_box_freeze_order(box);\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfor (i=0; iTopBoxes); i++) {\n\t\t\tGF_Box *box = gf_list_get(file->TopBoxes, i);\n\t\t\tif (!(box->internal_flags & GF_ISOM_ORDER_FREEZE)) {\n\t\t\t\tgf_isom_box_size(box);\n\t\t\t\tgf_isom_box_freeze_order(box);\n\t\t\t}\n\t\t}\n\t}\n\n\tfor (i=0; icontent); i++) {\n\t\tu32 j;\n\t\tu32 path_len;\n\t\tBool essential_prop=GF_FALSE;\n\t\tu32 trackID=globalTrackID;\n\t\tu32 item_id=trackID;\n\t\tBool is_frag_box;\n\t\tchar *box_path=NULL;\n\t\tGF_Box *parent_box = NULL;\n\t\tGF_XMLNode *box_edit = gf_list_get(root->content, i);\n\t\tif (!box_edit->name || strcmp(box_edit->name, \"Box\")) continue;\n\n\t\tfor (j=0; jattributes);j++) {\n\t\t\tGF_XMLAttribute *att = gf_list_get(box_edit->attributes, j);\n\t\t\tif (!strcmp(att->name, \"path\")) box_path = att->value;\n\t\t\telse if (!strcmp(att->name, \"essential\")) {\n\t\t\t\tif (!strcmp(att->value, \"yes\") || !strcmp(att->value, \"true\") || !strcmp(att->value, \"1\")) {\n\t\t\t\t\tessential_prop=GF_TRUE;\n\t\t\t\t}\n\t\t\t}\n\t\t\telse if (!strcmp(att->name, \"itemID\"))\n\t\t\t\titem_id = atoi(att->value);\n\t\t\telse if (!globalTrackID && !strcmp(att->name, \"trackID\"))\n\t\t\t\ttrackID = atoi(att->value);\n\t\t}\n\n\t\tif (!box_path) continue;\n\t\tpath_len = (u32) strlen(box_path);\n\n\t\tis_frag_box = !strncmp(box_path, \"traf\", 4) ? 
GF_TRUE : GF_FALSE;\n\n\t\tif (for_fragments && !is_frag_box) continue;\n\t\telse if (!for_fragments && is_frag_box) continue;\n\n\t\tgf_xml_parse_bit_sequence(box_edit, box_patch_filename, &box_data, &box_data_size);\n\t\tif (box_data_size && (box_data_size<4) ) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[ISOBMFF] Wrong BS specification for box, shall either be empty or at least 4 bytes for box type\\n\"));\n\t\t\te = GF_NON_COMPLIANT_BITSTREAM;\n\t\t\tgoto err_exit;\n\t\t}\n\n\t\twhile (box_path && (path_len>=4)) {\n\t\t\tu32 parent_list_box_type;\n\t\t\tGF_List **parent_list;\n\t\t\tu32 box_type = GF_4CC(box_path[0],box_path[1],box_path[2],box_path[3]);\n\t\t\tGF_Box *box=NULL;\n\t\t\tGF_BitStream *bs;\n\t\t\ts32 insert_pos = -1;\n\t\t\tbox_path+=4;\n\t\t\tpath_len-=4;\n\n\t\t\tif (!parent_box) {\n\t\t\t\tbox=gf_isom_box_find_child(file->TopBoxes, box_type);\n\t\t\t\tif (!box) {\n\t\t\t\t\tif (box_type==GF_ISOM_BOX_TYPE_TRAK) {\n\t\t\t\t\t\tif (trackID) {\n\t\t\t\t\t\t\tbox = (GF_Box *) gf_isom_get_track_from_file(file, gf_isom_get_track_by_id(file, trackID) );\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!box && gf_list_count(file->moov->trackList)==1) {\n\t\t\t\t\t\t\tbox = gf_list_get(file->moov->trackList, 0);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\telse if (box_type==GF_ISOM_BOX_TYPE_TRAF) {\n\t\t\t\t\t\tif (trackID) {\n\t\t\t\t\t\t\tbox = (GF_Box *) gf_isom_get_traf(file, trackID);\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!box && file->moof && gf_list_count(file->moof->TrackList)==1) {\n\t\t\t\t\t\t\tbox = gf_list_get(file->moof->TrackList, 0);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif (!box) {\n\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[ISOBMFF] Cannot locate box type %s at root or as track\\n\", gf_4cc_to_str(box_type) ));\n\t\t\t\t\te = GF_BAD_PARAM;\n\t\t\t\t\tgoto err_exit;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tbox = gf_isom_box_find_child(parent_box->child_boxes, box_type);\n\t\t\t\tif (!box) {\n\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, 
(\"[ISOBMFF] Cannot locate box type %s at child of %s\\n\", gf_4cc_to_str(box_type), gf_4cc_to_str(parent_box->type)));\n\t\t\t\t\te = GF_BAD_PARAM;\n\t\t\t\t\tgoto err_exit;\n\t\t\t\t}\n\t\t\t}\n\t\t\t// '.' is child access\n\t\t\tif (path_len && (box_path[0]=='.')) {\n\t\t\t\tbox_path += 1;\n\t\t\t\tpath_len-=1;\n\t\t\t\tparent_box = box;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tif (parent_box && !parent_box->child_boxes) parent_box->child_boxes = gf_list_new();\n\t\t\tparent_list = parent_box ? &parent_box->child_boxes : &file->TopBoxes;\n\t\t\tparent_list_box_type = parent_box ? parent_box->type : 0;\n\n\t\t\t// '+' is append after, '-' is insert before\n\t\t\tif (path_len && ((box_path[0]=='-') || (box_path[0]=='+')) ) {\n\t\t\t\ts32 idx = gf_list_find(*parent_list, box);\n\t\t\t\tassert(idx>=0);\n\t\t\t\tif (box_path[0]=='+') insert_pos = idx+1;\n\t\t\t\telse insert_pos = idx;\n\t\t\t}\n\t\t\telse if (path_len) {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[ISOBMFF] Invalid path %s, expecting either '-', '+' or '.' 
as separators\\n\", box_path));\n\t\t\t\te = GF_NON_COMPLIANT_BITSTREAM;\n\t\t\t\tgoto err_exit;\n\t\t\t}\n\n\t\t\tif (!box_data) {\n\t\t\t\tif (insert_pos>=0) {\n\t\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[ISOBMFF] Invalid path %s for box removal, ignoring position\\n\", box_path));\n\t\t\t\t}\n\t\t\t\tswitch (box->type) {\n\t\t\t\tcase GF_ISOM_BOX_TYPE_MOOV:\n\t\t\t\t\tfile->moov = NULL;\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_ISOM_BOX_TYPE_MDAT:\n\t\t\t\t\tfile->mdat = NULL;\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_ISOM_BOX_TYPE_PDIN:\n\t\t\t\t\tfile->pdin = NULL;\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_ISOM_BOX_TYPE_FTYP:\n\t\t\t\t\tfile->brand = NULL;\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_ISOM_BOX_TYPE_META:\n\t\t\t\t\tif ((GF_Box *) file->meta == box) file->meta = NULL;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tif (parent_box) {\n\t\t\t\t\tgf_isom_box_remove_from_parent(parent_box, box);\n\t\t\t\t}\n\t\t\t\tgf_isom_box_del_parent(parent_list, box);\n\t\t\t} else {\n\t\t\t\tu32 size;\n\n\t\t\t\tbs = gf_bs_new(box_data, box_data_size, GF_BITSTREAM_READ);\n\t\t\t\tsize = gf_bs_read_u32(bs);\n\t\t\t\tif (size != box_data_size) {\n\t\t\t\t\tGF_UnknownBox *new_box = (GF_UnknownBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_UNKNOWN);\n\t\t\t\t\tnew_box->original_4cc = size;\n\t\t\t\t\tnew_box->dataSize = (u32) gf_bs_available(bs);\n\t\t\t\t\tnew_box->data = gf_malloc(sizeof(u8)*new_box->dataSize);\n\t\t\t\t\tgf_bs_read_data(bs, new_box->data, new_box->dataSize);\n\t\t\t\t\tif (insert_pos<0) {\n\t\t\t\t\t\tgf_list_add(box->child_boxes, new_box);\n\t\t\t\t\t\tinsert_pos = gf_list_find(box->child_boxes, new_box);\n\t\t\t\t\t} else {\n\t\t\t\t\t\tgf_list_insert(*parent_list, new_box, insert_pos);\n\t\t\t\t\t}\n\n\t\t\t\t\tif (parent_box && (parent_box->type==GF_ISOM_BOX_TYPE_IPRP)) {\n\t\t\t\t\t\tGF_ItemPropertyAssociationBox *ipma = (GF_ItemPropertyAssociationBox *) gf_isom_box_find_child(parent_box->child_boxes, GF_ISOM_BOX_TYPE_IPMA);\n\t\t\t\t\t\tif (!item_id) 
{\n\t\t\t\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[ISOBMFF] Inserting box in ipco without itemID, no association added\\n\"));\n\t\t\t\t\t\t} else if (ipma) {\n\t\t\t\t\t\t\tu32 nb_asso, k;\n\t\t\t\t\t\t\tGF_ItemPropertyAssociationEntry *entry = NULL;\n\t\t\t\t\t\t\tnb_asso = gf_list_count(ipma->entries);\n\t\t\t\t\t\t\tfor (k=0; kentries, k);\n\t\t\t\t\t\t\t\tif (entry->item_id==item_id) break;\n\t\t\t\t\t\t\t\tentry = NULL;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif (!entry) {\n\t\t\t\t\t\t\t\tGF_SAFEALLOC(entry, GF_ItemPropertyAssociationEntry);\n\t\t\t\t\t\t\t\tif (!entry) return GF_OUT_OF_MEM;\n\t\t\t\t\t\t\t\tgf_list_add(ipma->entries, entry);\n\t\t\t\t\t\t\t\tentry->item_id = item_id;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tentry->associations = gf_realloc(entry->associations, sizeof(GF_ItemPropertyAssociationSlot) * (entry->nb_associations+1));\n\t\t\t\t\t\t\tentry->associations[entry->nb_associations].essential = essential_prop;\n\t\t\t\t\t\t\tentry->associations[entry->nb_associations].index = 1+insert_pos;\n\t\t\t\t\t\t\tentry->nb_associations++;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tu32 box_idx = 0;\n\n\t\t\t\t\tgf_bs_seek(bs, 0);\n\t\t\t\t\twhile (gf_bs_available(bs)) {\n\t\t\t\t\t\tGF_Box *new_box;\n\t\t\t\t\t\te = gf_isom_box_parse_ex(&new_box, bs, (insert_pos<0) ? box->type : parent_list_box_type, parent_box ? 
GF_FALSE : GF_TRUE);\n\t\t\t\t\t\tif (e) {\n\t\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[ISOBMFF] failed to parse box\\n\", box_path));\n\t\t\t\t\t\t\tgf_bs_del(bs);\n\t\t\t\t\t\t\tgoto err_exit;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (insert_pos<0) {\n\t\t\t\t\t\t\tgf_list_add(box->child_boxes, new_box);\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tgf_list_insert(*parent_list, new_box, insert_pos+box_idx);\n\t\t\t\t\t\t\tbox_idx++;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tgf_bs_del(bs);\n\n\t\t\t}\n\t\t\tgf_free(box_data);\n\t\t\tbox_data = NULL;\n\t\t\tbox_path = NULL;\n\t\t}\n\t}\n\nerr_exit:\n\n\tgf_xml_dom_del(dom);\n\tif (box_data) gf_free(box_data);\n\treturn e;\n}", "project": "gpac", "hash": 227805052274039502029857385954527495662, "size": 255, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267214 }, { "func": "GF_Err gf_isom_update_sample_description_from_template(GF_ISOFile *file, u32 track, u32 sampleDescriptionIndex, u8 *data, u32 size)\n{\n\tGF_BitStream *bs;\n\tGF_TrackBox *trak;\n\tGF_Box *ent, *tpl_ent;\n\tGF_Err e;\n\t/*get orig sample desc and clone it*/\n\ttrak = gf_isom_get_track_from_file(file, track);\n\tif (!trak || !sampleDescriptionIndex) return GF_BAD_PARAM;\n\n\tif (!trak->Media || !trak->Media->handler || !trak->Media->information || !trak->Media->information->sampleTable || !trak->Media->information->sampleTable->SampleDescription)\n\t\treturn GF_ISOM_INVALID_FILE;\n\n\tent = gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, sampleDescriptionIndex-1);\n\tif (!ent) return GF_BAD_PARAM;\n\n\tbs = gf_bs_new(data, size, GF_BITSTREAM_READ);\n//\te = gf_isom_box_parse(&tpl_ent, bs);\n\te = gf_isom_box_parse_ex (&tpl_ent, bs, GF_ISOM_BOX_TYPE_STSD, GF_FALSE);\n\tgf_bs_del(bs);\n\tif (e) return e;\n\n\twhile (gf_list_count(tpl_ent->child_boxes)) {\n\t\tu32 j=0;\n\t\tBool found = GF_FALSE;\n\t\tGF_Box *abox = 
gf_list_pop_front(tpl_ent->child_boxes);\n\n\t\tswitch (abox->type) {\n\t\tcase GF_ISOM_BOX_TYPE_SINF:\n\t\tcase GF_ISOM_BOX_TYPE_RINF:\n\t\tcase GF_ISOM_BOX_TYPE_BTRT:\n\t\t\tfound = GF_TRUE;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (found) {\n\t\t\tgf_isom_box_del(abox);\n\t\t\tcontinue;\n\t\t}\n\t\t\n\t\tif (!ent->child_boxes) ent->child_boxes = gf_list_new();\n\t\tfor (j=0; jchild_boxes); j++) {\n\t\t\tGF_Box *b = gf_list_get(ent->child_boxes, j);\n\t\t\tif (b->type == abox->type) {\n\t\t\t\tfound = GF_TRUE;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (!found) {\n\t\t\tgf_list_add(ent->child_boxes, abox);\n\t\t} else {\n\t\t\tgf_isom_box_del(abox);\n\t\t}\n\t}\n\tgf_isom_box_del(tpl_ent);\n\n\t//patch for old export\n\tGF_Box *abox = gf_isom_box_find_child(ent->child_boxes, GF_ISOM_BOX_TYPE_SINF);\n\tif (abox) {\n\t\tgf_list_del_item(ent->child_boxes, abox);\n\t\tgf_list_add(ent->child_boxes, abox);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 191932660055467636192832750422027446955, "size": 64, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267290 }, { "func": "GF_Err Media_FindDataRef(GF_DataReferenceBox *dref, char *URLname, char *URNname, u32 *dataRefIndex)\n{\n\tu32 i;\n\tGF_DataEntryURLBox *entry;\n\n\tif (!dref) return GF_BAD_PARAM;\n\t*dataRefIndex = 0;\n\ti=0;\n\twhile ((entry = (GF_DataEntryURLBox*)gf_list_enum(dref->child_boxes, &i))) {\n\t\tif (entry->type == GF_ISOM_BOX_TYPE_URL) {\n\t\t\t//self-contained case\n\t\t\tif (entry->flags == 1) {\n\t\t\t\t//if nothing specified, get the dataRef\n\t\t\t\tif (!URLname && !URNname) {\n\t\t\t\t\t*dataRefIndex = i;\n\t\t\t\t\treturn GF_OK;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t//OK, check if we have URL\n\t\t\t\tif (URLname && !strcmp(URLname, entry->location)) {\n\t\t\t\t\t*dataRefIndex = i;\n\t\t\t\t\treturn GF_OK;\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\t//this is a URN one, only check the URN name (URL optional)\n\t\t\tif (URNname && 
!strcmp(URNname, ((GF_DataEntryURNBox *)entry)->nameURN)) {\n\t\t\t\t*dataRefIndex = i;\n\t\t\t\treturn GF_OK;\n\t\t\t}\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 323708775261228257544495929091144601587, "size": 34, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231622 }, { "func": "GF_Err mdia_on_child_box(GF_Box *s, GF_Box *a)\n{\n\tGF_MediaBox *ptr = (GF_MediaBox *)s;\n\tswitch(a->type) {\n\tcase GF_ISOM_BOX_TYPE_MDHD:\n\t\tif (ptr->mediaHeader) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->mediaHeader = (GF_MediaHeaderBox *)a;\n\t\treturn GF_OK;\n\n\tcase GF_ISOM_BOX_TYPE_HDLR:\n\t\tif (ptr->handler) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->handler = (GF_HandlerBox *)a;\n\t\treturn GF_OK;\n\n\tcase GF_ISOM_BOX_TYPE_MINF:\n\t\tif (ptr->information) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->information = (GF_MediaInformationBox *)a;\n\t\treturn GF_OK;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 225997116569451209884257896197506892855, "size": 21, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264814 }, { "func": "GF_Err stbl_UnpackOffsets(GF_SampleTableBox *stbl)\n{\n\tGF_Err e;\n\tu32 i, chunkNumber, sampleDescIndex;\n\tu64 dataOffset;\n\tGF_StscEntry *ent;\n\tGF_ChunkOffsetBox *stco_tmp;\n\tGF_ChunkLargeOffsetBox *co64_tmp;\n\tGF_SampleToChunkBox *stsc_tmp;\n\n\tif (!stbl) return GF_ISOM_INVALID_FILE;\n\n\t//we should have none of the mandatory boxes (allowed in the spec)\n\tif (!stbl->ChunkOffset && !stbl->SampleDescription && !stbl->SampleSize && !stbl->SampleToChunk && !stbl->TimeToSample)\n\t\treturn GF_OK;\n\t/*empty track (just created)*/\n\tif (!stbl->SampleToChunk && !stbl->TimeToSample) return GF_OK;\n\n\t//or all the mandatory ones ...\n\tif (!stbl->ChunkOffset || !stbl->SampleDescription || !stbl->SampleSize || !stbl->SampleToChunk || !stbl->TimeToSample)\n\t\treturn 
GF_ISOM_INVALID_FILE;\n\n\t//do we need to unpack? Not if we have only one sample per chunk.\n\tif (stbl->SampleSize->sampleCount == stbl->SampleToChunk->nb_entries) return GF_OK;\n\n\t//check the offset type and create a new table...\n\tif (stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) {\n\t\tco64_tmp = NULL;\n\t\tstco_tmp = (GF_ChunkOffsetBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_STCO);\n\t\tif (!stco_tmp) return GF_OUT_OF_MEM;\n\t\tstco_tmp->nb_entries = stbl->SampleSize->sampleCount;\n\t\tstco_tmp->offsets = (u32*)gf_malloc(stco_tmp->nb_entries * sizeof(u32));\n\t\tif (!stco_tmp->offsets) {\n\t\t\tgf_isom_box_del((GF_Box*)stco_tmp);\n\t\t\treturn GF_OUT_OF_MEM;\n\t\t}\n\t\tstco_tmp->alloc_size = stco_tmp->nb_entries;\n\t} else if (stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_CO64) {\n\t\tstco_tmp = NULL;\n\t\tco64_tmp = (GF_ChunkLargeOffsetBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_CO64);\n\t\tif (!co64_tmp) return GF_OUT_OF_MEM;\n\t\tco64_tmp->nb_entries = stbl->SampleSize->sampleCount;\n\t\tco64_tmp->offsets = (u64*)gf_malloc(co64_tmp->nb_entries * sizeof(u64));\n\t\tif (!co64_tmp->offsets) {\n\t\t\tgf_isom_box_del((GF_Box*)co64_tmp);\n\t\t\treturn GF_OUT_OF_MEM;\n\t\t}\n\t\tco64_tmp->alloc_size = co64_tmp->nb_entries;\n\t} else {\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\n\t//create a new SampleToChunk table\n\tstsc_tmp = (GF_SampleToChunkBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_STSC);\n\tif (!stsc_tmp) return GF_OUT_OF_MEM;\n\n\tstsc_tmp->nb_entries = stsc_tmp->alloc_size = stbl->SampleSize->sampleCount;\n\tstsc_tmp->entries = gf_malloc(sizeof(GF_StscEntry)*stsc_tmp->nb_entries);\n\tif (!stsc_tmp->entries) return GF_OUT_OF_MEM;\n\t//set write cache to last sample before unpack\n\tstsc_tmp->w_lastSampleNumber = stbl->SampleSize->sampleCount;\n\tstsc_tmp->w_lastChunkNumber = stbl->SampleSize->sampleCount;\n\n\t//OK write our two tables...\n\tent = NULL;\n\tfor (i = 0; i < stbl->SampleSize->sampleCount; i++) {\n\t\t//get the data info for the sample\n\t\te = 
stbl_GetSampleInfos(stbl, i+1, &dataOffset, &chunkNumber, &sampleDescIndex, NULL);\n\t\tif (e) goto err_exit;\n\t\tent = &stsc_tmp->entries[i];\n\t\tent->isEdited = 0;\n\t\tent->sampleDescriptionIndex = sampleDescIndex;\n\t\t//here's the trick: each sample is in ONE chunk\n\t\tent->firstChunk = i+1;\n\t\tent->nextChunk = i+2;\n\t\tent->samplesPerChunk = 1;\n\t\tif (stco_tmp) {\n\t\t\tstco_tmp->offsets[i] = (u32) dataOffset;\n\t\t} else {\n\t\t\tco64_tmp->offsets[i] = dataOffset;\n\t\t}\n\t}\n\t//close the list\n\tif (ent) ent->nextChunk = 0;\n\n\n\t//done, remove our previous tables\n\tgf_list_del_item(stbl->child_boxes, stbl->ChunkOffset);\n\tgf_list_del_item(stbl->child_boxes, stbl->SampleToChunk);\n\tgf_isom_box_del(stbl->ChunkOffset);\n\tgf_isom_box_del((GF_Box *)stbl->SampleToChunk);\n\t//and set these ones...\n\tif (stco_tmp) {\n\t\tstbl->ChunkOffset = (GF_Box *)stco_tmp;\n\t} else {\n\t\tstbl->ChunkOffset = (GF_Box *)co64_tmp;\n\t}\n\tstbl->SampleToChunk = stsc_tmp;\n\tgf_list_add(stbl->child_boxes, stbl->ChunkOffset);\n\tgf_list_add(stbl->child_boxes, stbl->SampleToChunk);\n\n\tstbl->SampleToChunk->currentIndex = 0;\n\tstbl->SampleToChunk->currentChunk = 0;\n\tstbl->SampleToChunk->firstSampleInCurrentChunk = 0;\n\treturn GF_OK;\n\nerr_exit:\n\tif (stco_tmp) gf_isom_box_del((GF_Box *) stco_tmp);\n\tif (co64_tmp) gf_isom_box_del((GF_Box *) co64_tmp);\n\tif (stsc_tmp) gf_isom_box_del((GF_Box *) stsc_tmp);\n\treturn e;\n}", "project": "gpac", "hash": 49801421006546778060520983417205815857, "size": 112, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267894 }, { "func": "GF_EXPORT\nGF_Err gf_isom_get_track_switch_group_count(GF_ISOFile *movie, u32 trackNumber, u32 *alternateGroupID, u32 *nb_groups)\n{\n\tGF_UserDataMap *map;\n\tGF_TrackBox *trak;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak || !trak->Header) return GF_BAD_PARAM;\n\t*alternateGroupID = 
trak->Header->alternate_group;\n\t*nb_groups = 0;\n\tif (!trak->udta) return GF_OK;\n\n\tmap = udta_getEntry(trak->udta, GF_ISOM_BOX_TYPE_TSEL, NULL);\n\tif (!map) return GF_OK;\n\t*nb_groups = gf_list_count(map->boxes);\n\treturn GF_OK;", "project": "gpac", "hash": 118464421399056829728514970643925647373, "size": 16, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246803 }, { "func": "GF_Err stbl_RemoveSubSample(GF_SampleTableBox *stbl, u32 SampleNumber)\n{\n\tu32 i, count, j, subs_count, prev_sample, delta=0;\n\n\tif (! stbl->sub_samples) return GF_OK;\n\tsubs_count = gf_list_count(stbl->sub_samples);\n\tfor (j=0; jsub_samples, j);\n\t\tif (! subs->Samples) continue;\n\n\t\tprev_sample = 0;\n\t\tcount = gf_list_count(subs->Samples);\n\t\tfor (i=0; iSamples, i);\n\t\t\tprev_sample += e->sample_delta;\n\t\t\tif (prev_sample==SampleNumber) {\n\t\t\t\tgf_list_rem(subs->Samples, i);\n\t\t\t\twhile (gf_list_count(e->SubSamples)) {\n\t\t\t\t\tGF_SubSampleEntry *pSubSamp = (GF_SubSampleEntry*) gf_list_get(e->SubSamples, 0);\n\t\t\t\t\tgf_free(pSubSamp);\n\t\t\t\t\tgf_list_rem(e->SubSamples, 0);\n\t\t\t\t}\n\t\t\t\tgf_list_del(e->SubSamples);\n\t\t\t\tgf_free(e);\n\t\t\t\ti--;\n\t\t\t\tcount--;\n\t\t\t\tdelta=1;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\te->sample_delta+=delta;\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 280922075349482440285372481849411236087, "size": 34, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267912 }, { "func": "GF_Err gf_isom_box_write_header(GF_Box *ptr, GF_BitStream *bs)\n{\n\tu64 start;\n\tif (! 
bs || !ptr) return GF_BAD_PARAM;\n\tif (!ptr->size) return GF_ISOM_INVALID_FILE;\n\n\tstart = gf_bs_get_position(bs);\n\tif (ptr->size > 0xFFFFFFFF) {\n\t\tgf_bs_write_u32(bs, 1);\n\t} else {\n\t\tgf_bs_write_u32(bs, (u32) ptr->size);\n\t}\n\tgf_bs_write_u32(bs, ptr->type);\n\tif (ptr->type == GF_ISOM_BOX_TYPE_UUID) {\n\t\tu32 i;\n\t\tchar uuid[16];\n\t\tchar strUUID[32];\n\n\t\tswitch (((GF_UUIDBox*)ptr)->internal_4cc) {\n\t\tcase GF_ISOM_BOX_UUID_TENC:\n\t\t\tmemcpy(strUUID, \"8974dbce7be74c5184f97148f9882554\", 32);\n\t\t\tbreak;\n\t\tcase GF_ISOM_BOX_UUID_PSEC:\n\t\t\tmemcpy(strUUID, \"A2394F525A9B4F14A2446C427C648DF4\", 32);\n\t\t\tbreak;\n\t\tcase GF_ISOM_BOX_UUID_MSSM:\n\t\t\tmemcpy(strUUID, \"A5D40B30E81411DDBA2F0800200C9A66\", 32);\n\t\t\tbreak;\n\t\tcase GF_ISOM_BOX_UUID_PSSH:\n\t\t\tmemcpy(strUUID, \"D08A4F1810F34A82B6C832D8ABA183D3\", 32);\n\t\t\tbreak;\n\t\tcase GF_ISOM_BOX_UUID_TFXD:\n\t\t\tmemcpy(strUUID, \"6D1D9B0542D544E680E2141DAFF757B2\", 32);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tmemset(strUUID, 0, 32);\n\t\t\tbreak;\n\t\t}\n\n\t\tfor (i = 0; i < 16; i++) {\n\t\t\tchar t[3];\n\t\t\tt[2] = 0;\n\t\t\tt[0] = strUUID[2*i];\n\t\t\tt[1] = strUUID[2*i+1];\n\t\t\tuuid[i] = (u8) strtol(t, NULL, 16);\n\t\t}\n\n\t\tgf_bs_write_data(bs, uuid, 16);\n\t}\n\tif (ptr->size > 0xFFFFFFFF)\n\t\tgf_bs_write_u64(bs, ptr->size);\n\n\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, (\"[iso file] Written Box type %s size \"LLD\" start \"LLD\"\\n\", gf_4cc_to_str(ptr->type), LLD_CAST ptr->size, LLD_CAST start));\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 253426502377268248124575584047488948794, "size": 56, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224909 }, { "func": "GF_Err gf_isom_get_original_format_type(GF_ISOFile *the_file, u32 trackNumber, u32 sampleDescriptionIndex, u32 *outOriginalFormat)\n{\n\tGF_TrackBox *trak;\n\tGF_SampleEntryBox 
*sea;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\tu32 i, count;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tcount = gf_list_count(trak->Media->information->sampleTable->SampleDescription->child_boxes);\n\tfor (i=0; iMedia, i+1, &sea, NULL);\n\t\tif (!sea) return GF_BAD_PARAM;\n\t\tsinf = (GF_ProtectionSchemeInfoBox*) gf_isom_box_find_child(sea->child_boxes, GF_ISOM_BOX_TYPE_SINF);\n\t\tif (!sinf) continue;\n\n\t\tif (outOriginalFormat && sinf->original_format) {\n\t\t\t*outOriginalFormat = sinf->original_format->data_format;\n\t\t}\n\t\treturn GF_OK;\n\t}\n\tif (outOriginalFormat) *outOriginalFormat = 0;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 172598125118688425250337341872427414492, "size": 27, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275430 }, { "func": "GF_Err stbl_repackCTS(GF_CompositionOffsetBox *ctts)\n{\n\tu32 i, j;\n\n\tif (!ctts->unpack_mode) return GF_OK;\n\tctts->unpack_mode = 0;\n\n\tj=0;\n\tfor (i=1; inb_entries; i++) {\n\t\tif (ctts->entries[i].decodingOffset==ctts->entries[j].decodingOffset) {\n\t\t\tctts->entries[j].sampleCount++;\n\t\t} else {\n\t\t\tj++;\n\t\t\tctts->entries[j].sampleCount = 1;\n\t\t\tctts->entries[j].decodingOffset = ctts->entries[i].decodingOffset;\n\t\t}\n\t}\n\tctts->nb_entries=j+1;\n\t/*note we don't realloc*/\n\treturn GF_OK;\n}", "project": "gpac", "hash": 316267610213988848159607004720423444770, "size": 21, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267884 }, { "func": "Bool Media_IsSelfContained(GF_MediaBox *mdia, u32 StreamDescIndex)\n{\n\tu32 drefIndex=0;\n\tGF_FullBox *a=NULL;\n\tGF_SampleEntryBox *se = NULL;\n\n\tMedia_GetSampleDesc(mdia, StreamDescIndex, &se, &drefIndex);\n\tif (!drefIndex) return 0;\n\tif (mdia\n\t\t&& mdia->information\n\t\t&& 
mdia->information->dataInformation\n\t\t&& mdia->information->dataInformation->dref\n\t) {\n\t\ta = (GF_FullBox*)gf_list_get(mdia->information->dataInformation->dref->child_boxes, drefIndex - 1);\n\t}\n\tif (!a) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] broken file: Data reference index set to %d but no data reference entry found\\n\", drefIndex));\n\t\treturn 1;\n\t}\n\tif (a->flags & 1) return 1;\n\t/*QT specific*/\n\tif (a->type == GF_QT_BOX_TYPE_ALIS) return 1;\n\treturn 0;\n}", "project": "gpac", "hash": 175306242452441119581862748027087161007, "size": 24, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231615 }, { "func": "static GF_Err gf_isom_set_edit_internal(GF_ISOFile *movie, u32 trackNumber, u64 EditTime, u64 EditDuration, u64 MediaTime, u32 media_rate, GF_ISOEditType EditMode)\n{\n\tGF_TrackBox *trak;\n\tGF_EditBox *edts;\n\tGF_EditListBox *elst;\n\tGF_EdtsEntry *ent, *newEnt;\n\tu32 i;\n\tGF_Err e;\n\tu64 startTime;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tedts = trak->editBox;\n\tif (! 
edts) {\n\t\tedts = (GF_EditBox *) gf_isom_box_new_parent(&trak->child_boxes, GF_ISOM_BOX_TYPE_EDTS);\n\t\tif (!edts) return GF_OUT_OF_MEM;\n\t\ttrak_on_child_box((GF_Box*)trak, (GF_Box *)edts, GF_FALSE);\n\t}\n\telst = edts->editList;\n\tif (!elst) {\n\t\telst = (GF_EditListBox *) gf_isom_box_new_parent(&edts->child_boxes, GF_ISOM_BOX_TYPE_ELST);\n\t\tif (!elst) return GF_OUT_OF_MEM;\n\t\tedts_on_child_box((GF_Box*)edts, (GF_Box *)elst, GF_FALSE);\n\t}\n\n\tstartTime = 0;\n\tent = NULL;\n\t//get the prev entry to this startTime if any\n\ti=0;\n\twhile ((ent = (GF_EdtsEntry *)gf_list_enum(elst->entryList, &i))) {\n\t\tif ( (startTime <= EditTime) && (startTime + ent->segmentDuration > EditTime) )\n\t\t\tgoto found;\n\t\tstartTime += ent->segmentDuration;\n\t}\n\n\t//not found, add a new entry and adjust the prev one if any\n\tif (!ent) {\n\t\tnewEnt = CreateEditEntry(EditDuration, MediaTime, EditMode);\n\t\tif (!newEnt) return GF_OUT_OF_MEM;\n\t\tif (EditMode==GF_ISOM_EDIT_NORMAL+1) {\n\t\t\tnewEnt->mediaRate = media_rate;\n\t\t}\n\t\tgf_list_add(elst->entryList, newEnt);\n\t\treturn SetTrackDuration(trak);\n\t}\n\n\tstartTime -= ent->segmentDuration;\n\nfound:\n\n\t//if same time, we erase the current one...\n\tif (startTime == EditTime) {\n\t\tent->segmentDuration = EditDuration;\n\t\tif (EditMode==GF_ISOM_EDIT_NORMAL+1) {\n\t\t\tent->mediaRate = media_rate;\n\t\t\tent->mediaTime = MediaTime;\n\t\t} else {\n\t\t\tswitch (EditMode) {\n\t\t\tcase GF_ISOM_EDIT_EMPTY:\n\t\t\t\tent->mediaRate = 0x10000;\n\t\t\t\tent->mediaTime = -1;\n\t\t\t\tbreak;\n\t\t\tcase GF_ISOM_EDIT_DWELL:\n\t\t\t\tent->mediaRate = 0;\n\t\t\t\tent->mediaTime = MediaTime;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tent->mediaRate = 0x10000;\n\t\t\t\tent->mediaTime = MediaTime;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\treturn SetTrackDuration(trak);\n\t}\n\n\t//adjust so that the prev ent leads to EntryTime\n\t//Note: we don't change the next one as it is unknown to us in\n\t//a lot of case (the author's 
changes)\n\tent->segmentDuration = EditTime - startTime;\n\tnewEnt = CreateEditEntry(EditDuration, MediaTime, EditMode);\n\tif (!newEnt) return GF_OUT_OF_MEM;\n\tif (EditMode==GF_ISOM_EDIT_NORMAL+1) {\n\t\tnewEnt->mediaRate = media_rate;\n\t\tnewEnt->mediaTime = MediaTime;\n\t}\n\t//is it the last entry ???\n\tif (i >= gf_list_count(elst->entryList) - 1) {\n\t\t//add the new entry at the end\n\t\tgf_list_add(elst->entryList, newEnt);\n\t\treturn SetTrackDuration(trak);\n\t} else {\n\t\t//insert after the current entry (which is i)\n\t\tgf_list_insert(elst->entryList, newEnt, i+1);\n\t\treturn SetTrackDuration(trak);\n\t}\n}", "project": "gpac", "hash": 18877770288518574989150797515873198497, "size": 100, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267208 }, { "func": "void dump_isom_rtp(GF_ISOFile *file, char *inName, Bool is_final_name)\n{\n\tu32 i, j, size;\n\tFILE *dump;\n\tconst char *sdp;\n\n\tif (inName) {\n\t\tchar szBuf[1024];\n\t\tstrcpy(szBuf, inName);\n\t\tif (!is_final_name) strcat(szBuf, \"_rtp.xml\");\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Failed to open %s\\n\", szBuf));\n\t\t\treturn;\n\t\t}\n\t} else {\n\t\tdump = stdout;\n\t}\n\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\n\tfor (i=0; i\\n\", gf_isom_get_track_id(file, i+1));\n\t\tgf_isom_sdp_track_get(file, i+1, &sdp, &size);\n\t\tfprintf(dump, \"%s\", sdp);\n\n#ifndef GPAC_DISABLE_ISOM_HINTING\n\t\tfor (j=0; j\\n\");\n\t}\n\tfprintf(dump, \"\\n\");\n\tif (inName) gf_fclose(dump);\n}", "project": "gpac", "hash": 263578088295673493450354486406858279155, "size": 40, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243172 }, { "func": "void dump_isom_rtp(GF_ISOFile *file, char *inName, Bool is_final_name)\n{\n\tu32 i, j, size;\n\tFILE *dump;\n\tconst char 
*sdp;\n\n\tif (inName) {\n\t\tchar szBuf[1024];\n\t\tstrcpy(szBuf, inName);\n\t\tif (!is_final_name) strcat(szBuf, \"_rtp.xml\");\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tfprintf(stderr, \"Failed to open %s\\n\", szBuf);\n\t\t\treturn;\n\t\t}\n\t} else {\n\t\tdump = stdout;\n\t}\n\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\n\tfor (i=0; i\\n\", gf_isom_get_track_id(file, i+1));\n\t\tgf_isom_sdp_track_get(file, i+1, &sdp, &size);\n\t\tfprintf(dump, \"%s\", sdp);\n\n#ifndef GPAC_DISABLE_ISOM_HINTING\n\t\tfor (j=0; j\\n\");\n\t}\n\tfprintf(dump, \"\\n\");\n\tif (inName) gf_fclose(dump);\n}", "project": "gpac", "hash": 312245904364181130687904354605584762618, "size": 40, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249544 }, { "func": "void PrintHintUsage()\n{\n\tu32 i=0;\n\tgf_sys_format_help(helpout, help_flags, \"# Hinting Options\\n\"\n\t\t\"IsoMedia hinting consists in creating special tracks in the file that contain transport protocol specific information and optionally multiplexing information. 
These tracks are then used by the server to create the actual packets being sent over the network, in other words they provide the server with hints on how to build packets, hence their names `hint tracks`.\\n\"\n\t\t\"MP4Box supports creation of hint tracks for RTSP servers supporting these such as QuickTime Streaming Server, DarwinStreaming Server or 3GPP-compliant RTSP servers.\\n\"\n\t\t\"Note: GPAC streaming tools [rtp output](rtpout) and [rtsp server](rtspout) do not use hint tracks, they use on-the-fly packetization \"\n\t\t\"from any media sources, not just MP4\\n\"\n\t\t\" \\n\"\n\t\t\"Options:\\n\"\n\t);\n\twhile (m4b_hint_args[i].name) {\n\t\tGF_GPACArg *arg = &m4b_hint_args[i];\n\t\ti++;\n\t\tgf_sys_print_arg(helpout, help_flags, arg, \"mp4box-hint\");\n\t}\n}", "project": "gpac", "hash": 11271945047073111984512272474845380426, "size": 17, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244418 }, { "func": "GF_Err abst_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tunsigned int i;\n\tGF_AdobeBootstrapInfoBox *ptr = (GF_AdobeBootstrapInfoBox *)s;\n\n\te = gf_isom_full_box_write(s, bs);\n\tif (e) return e;\n\n\tgf_bs_write_u32(bs, ptr->bootstrapinfo_version);\n\tgf_bs_write_int(bs, ptr->profile, 2);\n\tgf_bs_write_int(bs, ptr->live, 1);\n\tgf_bs_write_int(bs, ptr->update, 1);\n\tgf_bs_write_int(bs, ptr->reserved, 4);\n\tgf_bs_write_u32(bs, ptr->time_scale);\n\tgf_bs_write_u64(bs, ptr->current_media_time);\n\tgf_bs_write_u64(bs, ptr->smpte_time_code_offset);\n\tif (ptr->movie_identifier)\n\t\tgf_bs_write_data(bs, ptr->movie_identifier, (u32)strlen(ptr->movie_identifier) + 1);\n\telse\n\t\tgf_bs_write_u8(bs, 0);\n\n\tgf_bs_write_u8(bs, ptr->server_entry_count);\n\tfor (i=0; iserver_entry_count; i++) {\n\t\tchar *str = (char*)gf_list_get(ptr->server_entry_table, i);\n\t\tgf_bs_write_data(bs, str, (u32)strlen(str) + 1);\n\t}\n\n\tgf_bs_write_u8(bs, 
ptr->quality_entry_count);\n\tfor (i=0; iquality_entry_count; i++) {\n\t\tchar *str = (char*)gf_list_get(ptr->quality_entry_table, i);\n\t\tgf_bs_write_data(bs, str, (u32)strlen(str) + 1);\n\t}\n\n\tif (ptr->drm_data)\n\t\tgf_bs_write_data(bs, ptr->drm_data, (u32)strlen(ptr->drm_data) + 1);\n\telse\n\t\tgf_bs_write_u8(bs, 0);\n\n\tif (ptr->meta_data)\n\t\tgf_bs_write_data(bs, ptr->meta_data, (u32)strlen(ptr->meta_data) + 1);\n\telse\n\t\tgf_bs_write_u8(bs, 0);\n\n\tgf_bs_write_u8(bs, ptr->segment_run_table_count);\n\tfor (i=0; isegment_run_table_count; i++) {\n\t\te = gf_isom_box_write((GF_Box *)gf_list_get(ptr->segment_run_table_entries, i), bs);\n\t\tif (e) return e;\n\t}\n\n\tgf_bs_write_u8(bs, ptr->fragment_run_table_count);\n\tfor (i=0; ifragment_run_table_count; i++) {\n\t\te = gf_isom_box_write((GF_Box *)gf_list_get(ptr->fragment_run_table_entries, i), bs);\n\t\tif (e) return e;\n\t}\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 222315327795959668844989235329603850360, "size": 58, "commit_id": "e74be5976a6fee059c638050a237893f7e9a3b23", "message": "fixed #1753", "target": 0, "dataset": "other", "idx": 230591 }, { "func": "GF_Err gf_isom_set_media_type(GF_ISOFile *movie, u32 trackNumber, u32 new_type)\n{\n\tGF_TrackBox *trak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak || !new_type) return GF_BAD_PARAM;\n\ttrak->Media->handler->handlerType = new_type;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 260986771817463398608456344188278593598, "size": 7, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267259 }, { "func": "static GF_ISOSAPType sap_type_from_nal_type(u8 nal_type) {\n\tswitch (nal_type) {\n\tcase GF_HEVC_NALU_SLICE_CRA:\n\t\treturn SAP_TYPE_3;\n\tcase GF_HEVC_NALU_SLICE_IDR_N_LP:\n\tcase GF_HEVC_NALU_SLICE_BLA_N_LP:\n\t\treturn SAP_TYPE_1;\n\tcase GF_HEVC_NALU_SLICE_IDR_W_DLP:\n\tcase GF_HEVC_NALU_SLICE_BLA_W_DLP:\n\tcase 
GF_HEVC_NALU_SLICE_BLA_W_LP:\n\t\treturn SAP_TYPE_2;\n\tdefault:\n\t\treturn RAP_NO;\n\t}\n}", "project": "gpac", "hash": 230590903924340649379888412660861272064, "size": 15, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237570 }, { "func": "GF_Err gf_isom_remove_track_from_root_od(GF_ISOFile *movie, u32 trackNumber)\n{\n\tGF_List *esds;\n\tGF_ES_ID_Inc *inc;\n\tu32 i;\n\tGF_Err e;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\tif (!movie->moov) return GF_OK;\n\n\tif (!gf_isom_is_track_in_root_od(movie, trackNumber)) return GF_OK;\n\n\tif (!movie->moov->iods) {\n\t\te = AddMovieIOD(movie->moov, 0);\n\t\tif (e) return e;\n\t}\n\tswitch (movie->moov->iods->descriptor->tag) {\n\tcase GF_ODF_ISOM_IOD_TAG:\n\t\tesds = ((GF_IsomInitialObjectDescriptor *)movie->moov->iods->descriptor)->ES_ID_IncDescriptors;\n\t\tbreak;\n\tcase GF_ODF_ISOM_OD_TAG:\n\t\tesds = ((GF_IsomObjectDescriptor *)movie->moov->iods->descriptor)->ES_ID_IncDescriptors;\n\t\tbreak;\n\tdefault:\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\n\t//get the desc\n\ti=0;\n\twhile ((inc = (GF_ES_ID_Inc*)gf_list_enum(esds, &i))) {\n\t\tif (inc->trackID == (u32) gf_isom_get_track_id(movie, trackNumber)) {\n\t\t\tgf_odf_desc_del((GF_Descriptor *)inc);\n\t\t\tgf_list_rem(esds, i-1);\n\t\t\tbreak;\n\t\t}\n\t}\n\t//we don't remove the iod for P&Ls and other potential info\n\treturn GF_OK;\n}", "project": "gpac", "hash": 14229144915471135186671729423048254682, "size": 40, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267321 }, { "func": "GF_Err gf_isom_change_sample_desc_index(GF_ISOFile *the_file, u32 trackNumber, u32 sample_number, u32 newSampleDescIndex)\n{\n\tGF_TrackBox *trak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !sample_number || !newSampleDescIndex) return GF_BAD_PARAM;\n\tif (!trak->is_unpacked) 
{\n\t\tunpack_track(trak);\n\t}\n\tif (!trak->Media->information->sampleTable->SampleToChunk) return GF_BAD_PARAM;\n\tif (trak->Media->information->sampleTable->SampleToChunk->nb_entries < sample_number) return GF_BAD_PARAM;\n\ttrak->Media->information->sampleTable->SampleToChunk->entries[sample_number-1].sampleDescriptionIndex = newSampleDescIndex;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 286811952354731612805492998269290370683, "size": 12, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267309 }, { "func": "GF_Err gf_isom_sample_set_dep_info(GF_ISOFile *file, u32 track, u32 sampleNumber, u32 isLeading, u32 dependsOn, u32 dependedOn, u32 redundant)\n{\n\tGF_TrackBox *trak;\n\n\ttrak = gf_isom_get_track_from_file(file, track);\n\tif (!trak) return GF_BAD_PARAM;\n\n\treturn stbl_AddDependencyType(trak->Media->information->sampleTable, sampleNumber, isLeading, dependsOn, dependedOn, redundant);\n}", "project": "gpac", "hash": 239381139595426548902035503014037608703, "size": 9, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267287 }, { "func": "GF_Err gf_isom_clone_sample_description(GF_ISOFile *the_file, u32 trackNumber, GF_ISOFile *orig_file, u32 orig_track, u32 orig_desc_index, const char *URLname, const char *URNname, u32 *outDescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_BitStream *bs;\n\tu8 *data;\n\tu32 data_size;\n\tGF_Box *entry;\n\tGF_Err e;\n\tu32 dataRefIndex;\n u32 mtype;\n\n\te = CanAccessMovie(the_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\t/*get orig sample desc and clone it*/\n\ttrak = gf_isom_get_track_from_file(orig_file, orig_track);\n\tif (!trak || !trak->Media) return GF_BAD_PARAM;\n\n\tentry = (GF_Box*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, orig_desc_index-1);\n\tif (!entry) return GF_BAD_PARAM;\n\n\tbs = gf_bs_new(NULL, 0, 
GF_BITSTREAM_WRITE);\n\n\tgf_isom_box_size(entry);\n\tgf_isom_box_write(entry, bs);\n\tgf_bs_get_content(bs, &data, &data_size);\n\tgf_bs_del(bs);\n\tbs = gf_bs_new(data, data_size, GF_BITSTREAM_READ);\n\te = gf_isom_box_parse(&entry, bs);\n\tgf_bs_del(bs);\n\tgf_free(data);\n\tif (e) return e;\n\n\t/*get new track and insert clone*/\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media) goto exit;\n\n\t/*get or create the data ref*/\n\te = Media_FindDataRef(trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\tif (e) goto exit;\n\tif (!dataRefIndex) {\n\t\te = Media_CreateDataRef(the_file, trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\t\tif (e) goto exit;\n\t}\n\tif (!the_file->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\t/*overwrite dref*/\n\t((GF_SampleEntryBox *)entry)->dataReferenceIndex = dataRefIndex;\n\te = gf_list_add(trak->Media->information->sampleTable->SampleDescription->child_boxes, entry);\n\t*outDescriptionIndex = gf_list_count(trak->Media->information->sampleTable->SampleDescription->child_boxes);\n\n\t/*also clone track w/h info*/\n mtype = gf_isom_get_media_type(the_file, trackNumber);\n\tif (gf_isom_is_video_handler_type(mtype) ) {\n\t\tgf_isom_set_visual_info(the_file, trackNumber, (*outDescriptionIndex), ((GF_VisualSampleEntryBox*)entry)->Width, ((GF_VisualSampleEntryBox*)entry)->Height);\n\t}\n\treturn e;\n\nexit:\n\tgf_isom_box_del(entry);\n\treturn e;\n}", "project": "gpac", "hash": 323125033925555767909386398867119530080, "size": 62, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267345 }, { "func": "GF_Err gf_isom_make_interleave(GF_ISOFile *file, Double TimeInSec)\n{\n\tGF_Fraction f;\n\tf.num = (s32) (TimeInSec * 1000);\n\tf.den = 1000;\n\treturn gf_isom_make_interleave_ex(file, 
&f);\n\n}", "project": "gpac", "hash": 282758002092227132332119350483091487936, "size": 8, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267349 }, { "func": "GF_Err CoLL_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tGF_VPContentLightLevelBox *p = (GF_VPContentLightLevelBox*)s;\n\te = gf_isom_full_box_write(s, bs);\n\tif (e) return e;\n\n\tgf_bs_write_u16(bs, p->maxCLL);\n\tgf_bs_write_u16(bs, p->maxFALL);\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 264209090601185997745367402271287274879, "size": 12, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237568 }, { "func": "Bool gf_isom_cenc_has_saiz_saio_track(GF_SampleTableBox *stbl, u32 scheme_type)\n{\n\treturn gf_isom_cenc_has_saiz_saio_full(stbl, NULL, scheme_type);\n}", "project": "gpac", "hash": 189904562773623896219425084249575315306, "size": 4, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275425 }, { "func": "GF_Err unkn_box_read(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tu32 bytesToRead, sub_size, sub_a;\n\tGF_BitStream *sub_bs;\n\tGF_UnknownBox *ptr = (GF_UnknownBox *)s;\n\tif (ptr->size > 0xFFFFFFFF) return GF_ISOM_INVALID_FILE;\n\tbytesToRead = (u32) (ptr->size);\n\n\tif (!bytesToRead) return GF_OK;\n\tif (bytesToRead>1000000) {\n\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Unknown box %s (0x%08X) with payload larger than 1 MBytes, ignoring\\n\", gf_4cc_to_str(ptr->type), ptr->type ));\n\t\tgf_bs_skip_bytes(bs, ptr->dataSize);\n\t\treturn GF_OK;\n\t}\n\n\tptr->data = (char*)gf_malloc(bytesToRead);\n\tif (ptr->data == NULL ) return GF_OUT_OF_MEM;\n\tptr->dataSize = bytesToRead;\n\tgf_bs_read_data(bs, ptr->data, ptr->dataSize);\n\n\t//try to parse container boxes, check if next 8 bytes match a subbox\n\tsub_bs = gf_bs_new(ptr->data, 
ptr->dataSize, GF_BITSTREAM_READ);\n\tsub_size = gf_bs_read_u32(sub_bs);\n\tsub_a = gf_bs_read_u8(sub_bs);\n\te = (sub_size && (sub_size <= ptr->dataSize)) ? GF_OK : GF_NOT_SUPPORTED;\n\tif (! isalnum(sub_a)) e = GF_NOT_SUPPORTED;\n\tsub_a = gf_bs_read_u8(sub_bs);\n\tif (! isalnum(sub_a)) e = GF_NOT_SUPPORTED;\n\tsub_a = gf_bs_read_u8(sub_bs);\n\tif (! isalnum(sub_a)) e = GF_NOT_SUPPORTED;\n\tsub_a = gf_bs_read_u8(sub_bs);\n\tif (! isalnum(sub_a)) e = GF_NOT_SUPPORTED;\n\n\tif (e == GF_OK) {\n\t\tgf_bs_seek(sub_bs, 0);\n\t\tgf_bs_set_cookie(sub_bs, GF_ISOM_BS_COOKIE_NO_LOGS);\n\t\te = gf_isom_box_array_read(s, sub_bs, NULL);\n\t}\n\tgf_bs_del(sub_bs);\n\tif (e==GF_OK) {\n\t\tgf_free(ptr->data);\n\t\tptr->data = NULL;\n\t\tptr->dataSize = 0;\n\t} else if (s->child_boxes) {\n\t\tgf_isom_box_array_del(s->child_boxes);\n\t\ts->child_boxes=NULL;\n\t}\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 314241899649378036035837015930474162688, "size": 51, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264795 }, { "func": "GF_Err Media_CreateDataRef(GF_ISOFile *movie, GF_DataReferenceBox *dref, char *URLname, char *URNname, u32 *dataRefIndex)\n{\n\tGF_Err e;\n\tBool use_alis=GF_FALSE;\n\tGF_DataEntryURLBox *entry;\n\n\tif (URLname && !strcmp(URLname, \"alis\")) {\n\t\tURLname = NULL;\n\t\tuse_alis=GF_TRUE;\n\t}\n\n\tif (!URLname && !URNname) {\n\t\t//THIS IS SELF CONTAIN, create a regular entry if needed\n\t\tentry = (GF_DataEntryURLBox *) gf_isom_box_new_parent(&dref->child_boxes, use_alis ? 
GF_QT_BOX_TYPE_ALIS : GF_ISOM_BOX_TYPE_URL);\n\t\tif (!entry) return GF_OUT_OF_MEM;\n\t\tentry->flags = 1;\n\t\t*dataRefIndex = gf_list_count(dref->child_boxes);\n\t\treturn GF_OK;\n\t} else if (!URNname && URLname) {\n\t\t//THIS IS URL\n\t\tentry = (GF_DataEntryURLBox *) gf_isom_box_new_parent(&dref->child_boxes, GF_ISOM_BOX_TYPE_URL);\n\t\tif (!entry) return GF_OUT_OF_MEM;\n\t\tentry->flags = 0;\n\n\t\te = Media_SetDrefURL(entry, URLname, movie->fileName ? movie->fileName : movie->finalName);\n\t\tif (! entry->location) {\n\t\t\tgf_isom_box_del_parent(&dref->child_boxes, (GF_Box *)entry);\n\t\t\treturn e ? e : GF_OUT_OF_MEM;\n\t\t}\n\t\t*dataRefIndex = gf_list_count(dref->child_boxes);\n\t\treturn GF_OK;\n\t} else {\n\t\t//THIS IS URN\n\t\tentry = (GF_DataEntryURLBox *) gf_isom_box_new_parent(&dref->child_boxes, GF_ISOM_BOX_TYPE_URN);\n\t\tif (!entry) return GF_OUT_OF_MEM;\n\t\t((GF_DataEntryURNBox *)entry)->flags = 0;\n\t\t((GF_DataEntryURNBox *)entry)->nameURN = (char*)gf_malloc(strlen(URNname)+1);\n\t\tif (! ((GF_DataEntryURNBox *)entry)->nameURN) {\n\t\t\tgf_isom_box_del_parent(&dref->child_boxes, (GF_Box *)entry);\n\t\t\treturn GF_OUT_OF_MEM;\n\t\t}\n\t\tstrcpy(((GF_DataEntryURNBox *)entry)->nameURN, URNname);\n\t\t//check for URL\n\t\tif (URLname) {\n\t\t\t((GF_DataEntryURNBox *)entry)->location = (char*)gf_malloc(strlen(URLname)+1);\n\t\t\tif (! 
((GF_DataEntryURNBox *)entry)->location) {\n\t\t\t\tgf_isom_box_del_parent(&dref->child_boxes, (GF_Box *)entry);\n\t\t\t\treturn GF_OUT_OF_MEM;\n\t\t\t}\n\t\t\tstrcpy(((GF_DataEntryURNBox *)entry)->location, URLname);\n\t\t}\n\t\t*dataRefIndex = gf_list_count(dref->child_boxes);\n\t\treturn GF_OK;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 318521768541635327083792291448374465042, "size": 56, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231610 }, { "func": "GF_Err stbl_SetSampleCTS(GF_SampleTableBox *stbl, u32 sampleNumber, s32 offset)\n{\n\tGF_CompositionOffsetBox *ctts = stbl->CompositionOffset;\n\n\tassert(ctts->unpack_mode);\n\n\t//if we're setting the CTS of a sample we've skipped...\n\tif (ctts->w_LastSampleNumber < sampleNumber) {\n\t\t//add some 0 till we get to the sample\n\t\twhile (ctts->w_LastSampleNumber + 1 != sampleNumber) {\n\t\t\tGF_Err e = AddCompositionOffset(ctts, 0);\n\t\t\tif (e) return e;\n\t\t}\n\t\treturn AddCompositionOffset(ctts, offset);\n\t}\n\tif (offset<0) ctts->version=1;\n\tctts->entries[sampleNumber-1].decodingOffset = offset;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 279418588568387893516469518074759850957, "size": 19, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267900 }, { "func": "GF_Err gf_isom_add_track_kind(GF_ISOFile *movie, u32 trackNumber, const char *schemeURI, const char *value)\n{\n\tGF_Err e;\n\tGF_KindBox *ptr;\n\tGF_UserDataBox *udta;\n\tGF_UserDataMap *map;\n\tu32 i, count;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\te = gf_isom_insert_moov(movie);\n\tif (e) return e;\n\n\tif (trackNumber) {\n\t\tGF_TrackBox *trak = gf_isom_get_track_from_file(movie, trackNumber);\n\t\tif (!trak) return GF_BAD_PARAM;\n\t\tif (!trak->udta) {\n\t\t\te = trak_on_child_box((GF_Box*)trak, 
gf_isom_box_new_parent(&trak->child_boxes, GF_ISOM_BOX_TYPE_UDTA), GF_FALSE);\n\t\t\tif (e) return e;\n\t\t}\n\t\tudta = trak->udta;\n\t} else {\n\t\treturn GF_BAD_PARAM;\n\t}\n\n\tmap = udta_getEntry(udta, GF_ISOM_BOX_TYPE_KIND, NULL);\n\tif (map) {\n\t\tcount = gf_list_count(map->boxes);\n\t\tfor (i=0; iboxes, i);\n\t\t\tif (b->type == GF_ISOM_BOX_TYPE_KIND) {\n\t\t\t\tGF_KindBox *kb = (GF_KindBox *)b;\n\t\t\t\tif (!strcmp(kb->schemeURI, schemeURI) &&\n\t\t\t\t ((value && kb->value && !strcmp(value, kb->value)) || (!value && !kb->value))) {\n\t\t\t\t\t// Already there\n\t\t\t\t\treturn GF_OK;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\tptr = (GF_KindBox *)gf_isom_box_new(GF_ISOM_BOX_TYPE_KIND);\n\tif (e) return e;\n\n\tptr->schemeURI = gf_strdup(schemeURI);\n\tif (value) ptr->value = gf_strdup(value);\n\treturn udta_on_child_box((GF_Box *)udta, (GF_Box *) ptr, GF_FALSE);\n}", "project": "gpac", "hash": 212132836631576039061235648268287977572, "size": 49, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267201 }, { "func": "void gf_isom_registry_disable(u32 boxCode, Bool disable)\n{\n\tu32 i=0, count = gf_isom_get_num_supported_boxes();\n\tfor (i=1; iMedia || !trak->Media->mediaHeader) return GF_BAD_PARAM;\n\tif ((trak->Media->mediaHeader->timeScale==newTS) && !new_tsinc)\n\t\treturn GF_EOS;\n\n\tif (!newTS) newTS = trak->Media->mediaHeader->timeScale;\n\tscale = newTS;\n\tscale /= trak->Media->mediaHeader->timeScale;\n\told_timescale = trak->Media->mediaHeader->timeScale;\n\ttrak->Media->mediaHeader->timeScale = newTS;\n\n\tstbl = trak->Media->information->sampleTable;\n\tif (new_tsinc) {\n\t\tu32 i;\n\t\tif (!stbl->TimeToSample || !stbl->TimeToSample->nb_entries)\n\t\t\treturn GF_BAD_PARAM;\n\n\t\tfor (i=0; iTimeToSample->nb_entries; i++) {\n\t\t\tif (!old_ts_inc)\n\t\t\t\told_ts_inc = stbl->TimeToSample->entries[i].sampleDelta;\n\t\t\telse if 
(old_ts_incTimeToSample->entries[i].sampleDelta)\n\t\t\t\told_ts_inc = stbl->TimeToSample->entries[i].sampleDelta;\n\t\t}\n\n\t\tif ((old_timescale==newTS) && (old_ts_inc==new_tsinc))\n\t\t\treturn GF_EOS;\n\n\t\tif (!force_rescale_type)\n\t\t\tforce_rescale_type = 1;\n\t\telse if (force_rescale_type==2) {\n\t\t\tgf_free(stbl->TimeToSample->entries);\n\t\t\tstbl->TimeToSample->alloc_size = 1;\n\t\t\tstbl->TimeToSample->nb_entries = 1;\n\t\t\tstbl->TimeToSample->entries = gf_malloc(sizeof(GF_SttsEntry));\n\t\t\tstbl->TimeToSample->entries[0].sampleDelta = new_tsinc;\n\t\t\tstbl->TimeToSample->entries[0].sampleCount = stbl->SampleSize->sampleCount;\n\t\t}\n\n\n\t\tfor (i=0; iTimeToSample->nb_entries; i++) {\n\t\t\tstbl->TimeToSample->entries[i].sampleDelta = new_tsinc;\n\t\t}\n\n\t\tif (stbl->CompositionOffset) {\n\t\t\tfor (i=0; iCompositionOffset->nb_entries; i++) {\n\t\t\t\tu32 old_offset = stbl->CompositionOffset->entries[i].decodingOffset;\n\t\t\t\tif (force_rescale_type==2) {\n\t\t\t\t\tu32 val = old_offset ;\n\t\t\t\t\t//get number of TS delta\n\t\t\t\t\told_offset /= old_ts_inc;\n\t\t\t\t\tif (old_offset * old_ts_inc < val)\n\t\t\t\t\t\told_offset++;\n\t\t\t\t\told_offset *= new_tsinc;\n\t\t\t\t} else {\n\t\t\t\t\told_offset *= new_tsinc;\n\t\t\t\t\told_offset /= old_ts_inc;\n\t\t\t\t}\n\t\t\t\tstbl->CompositionOffset->entries[i].decodingOffset = old_offset;\n\t\t\t}\n\t\t}\n\n#define RESCALE_TSVAL(_tsval) {\\\n\t\t\ts64 val = ((s64) _tsval) * new_tsinc;\\\n\t\t\tval /= old_ts_inc;\\\n\t\t\t_tsval = (s32) val;\\\n\t\t}\n\n\t\tif (stbl->CompositionToDecode) {\n\t\t\tRESCALE_TSVAL(stbl->CompositionToDecode->compositionEndTime)\n\t\t\tRESCALE_TSVAL(stbl->CompositionToDecode->compositionStartTime)\n\t\t\tRESCALE_TSVAL(stbl->CompositionToDecode->compositionToDTSShift)\n\t\t\tRESCALE_TSVAL(stbl->CompositionToDecode->greatestDecodeToDisplayDelta)\n\t\t\tRESCALE_TSVAL(stbl->CompositionToDecode->leastDecodeToDisplayDelta)\n\t\t}\n\t\tif (trak->editBox) 
{\n\t\t\tGF_EdtsEntry *ent;\n\t\t\ti=0;\n\t\t\twhile ((ent = (GF_EdtsEntry*)gf_list_enum(trak->editBox->editList->entryList, &i))) {\n\t\t\t\tRESCALE_TSVAL(ent->mediaTime)\n\t\t\t}\n\t\t}\n#undef RESCALE_TSVAL\n\n\t\treturn SetTrackDuration(trak);\n\t}\n\n\t//rescale timings\n\tu32 i, k, idx, last_delta;\n\tu64 cur_dts;\n\tu64*DTSs = NULL;\n\ts64*CTSs = NULL;\n\n\tif (trak->editBox) {\n\t\tGF_EdtsEntry *ent;\n\t\ti=0;\n\t\twhile ((ent = (GF_EdtsEntry*)gf_list_enum(trak->editBox->editList->entryList, &i))) {\n\t\t\tent->mediaTime = (u32) (scale*ent->mediaTime);\n\t\t}\n\t}\n\tif (! stbl || !stbl->TimeToSample || !stbl->TimeToSample->nb_entries) {\n\t\treturn SetTrackDuration(trak);\n\t}\n\n\tidx = 0;\n\tcur_dts = 0;\n\t//unpack the DTSs\n\tDTSs = (u64*)gf_malloc(sizeof(u64) * (stbl->SampleSize->sampleCount) );\n\tif (!DTSs) return GF_OUT_OF_MEM;\n\n\tCTSs = NULL;\n\tif (stbl->CompositionOffset) {\n\t\tCTSs = (s64*)gf_malloc(sizeof(u64) * (stbl->SampleSize->sampleCount) );\n\t\tif (!CTSs) return GF_OUT_OF_MEM;\n\t}\n\n\tfor (i=0; iTimeToSample->nb_entries; i++) {\n\t\tfor (k=0; kTimeToSample->entries[i].sampleCount; k++) {\n\t\t\tcur_dts += stbl->TimeToSample->entries[i].sampleDelta;\n\t\t\tDTSs[idx] = (u64) (cur_dts * scale);\n\n\t\t\tif (stbl->CompositionOffset) {\n\t\t\t\ts32 cts_o;\n\t\t\t\tstbl_GetSampleCTS(stbl->CompositionOffset, idx+1, &cts_o);\n\t\t\t\tCTSs[idx] = (s64) ( ((s64) cur_dts + cts_o) * scale);\n\t\t\t}\n\t\t\tidx++;\n\t\t}\n\t}\n\tlast_delta = (u32) (stbl->TimeToSample->entries[stbl->TimeToSample->nb_entries-1].sampleDelta * scale);\n\n\t//repack DTS\n\tif (stbl->SampleSize->sampleCount) {\n\t\tstbl->TimeToSample->entries = gf_realloc(stbl->TimeToSample->entries, sizeof(GF_SttsEntry)*stbl->SampleSize->sampleCount);\n\t\tmemset(stbl->TimeToSample->entries, 0, sizeof(GF_SttsEntry)*stbl->SampleSize->sampleCount);\n\t\tstbl->TimeToSample->entries[0].sampleDelta = (u32) DTSs[0];\n\t\tstbl->TimeToSample->entries[0].sampleCount = 1;\n\t\tidx=0;\n\t\tfor 
(i=1; i< stbl->SampleSize->sampleCount - 1; i++) {\n\t\t\tif (DTSs[i+1] - DTSs[i] == stbl->TimeToSample->entries[idx].sampleDelta) {\n\t\t\t\tstbl->TimeToSample->entries[idx].sampleCount++;\n\t\t\t} else {\n\t\t\t\tidx++;\n\t\t\t\tstbl->TimeToSample->entries[idx].sampleDelta = (u32) ( DTSs[i+1] - DTSs[i] );\n\t\t\t\tstbl->TimeToSample->entries[idx].sampleCount=1;\n\t\t\t}\n\t\t}\n\t\tif (stbl->SampleSize->sampleCount > 1) {\n\t\t\t//add the sample delta for the last sample\n\t\t\tif (stbl->TimeToSample->entries[idx].sampleDelta == last_delta) {\n\t\t\t\tstbl->TimeToSample->entries[idx].sampleCount++;\n\t\t\t} else {\n\t\t\t\tidx++;\n\t\t\t\tstbl->TimeToSample->entries[idx].sampleDelta = last_delta;\n\t\t\t\tstbl->TimeToSample->entries[idx].sampleCount=1;\n\t\t\t}\n\n\t\t\tstbl->TimeToSample->nb_entries = idx+1;\n\t\t\tstbl->TimeToSample->entries = gf_realloc(stbl->TimeToSample->entries, sizeof(GF_SttsEntry)*stbl->TimeToSample->nb_entries);\n\t\t}\n\t}\n\n\tif (CTSs && stbl->SampleSize->sampleCount>0) {\n\t\t//repack CTS\n\t\tstbl->CompositionOffset->entries = gf_realloc(stbl->CompositionOffset->entries, sizeof(GF_DttsEntry)*stbl->SampleSize->sampleCount);\n\t\tmemset(stbl->CompositionOffset->entries, 0, sizeof(GF_DttsEntry)*stbl->SampleSize->sampleCount);\n\t\tstbl->CompositionOffset->entries[0].decodingOffset = (s32) (CTSs[0] - DTSs[0]);\n\t\tstbl->CompositionOffset->entries[0].sampleCount = 1;\n\t\tidx=0;\n\t\tfor (i=1; i< stbl->SampleSize->sampleCount; i++) {\n\t\t\ts32 cts_o = (s32) (CTSs[i] - DTSs[i]);\n\t\t\tif (cts_o == stbl->CompositionOffset->entries[idx].decodingOffset) {\n\t\t\t\tstbl->CompositionOffset->entries[idx].sampleCount++;\n\t\t\t} else {\n\t\t\t\tidx++;\n\t\t\t\tstbl->CompositionOffset->entries[idx].decodingOffset = cts_o;\n\t\t\t\tstbl->CompositionOffset->entries[idx].sampleCount=1;\n\t\t\t}\n\t\t}\n\t\tstbl->CompositionOffset->nb_entries = idx+1;\n\t\tstbl->CompositionOffset->entries = gf_realloc(stbl->CompositionOffset->entries, 
sizeof(GF_DttsEntry)*stbl->CompositionOffset->nb_entries);\n\n\t\tgf_free(CTSs);\n\t}\n\tgf_free(DTSs);\n\n\tif (stbl->CompositionToDecode) {\n\t\tstbl->CompositionToDecode->compositionEndTime = (s32) (stbl->CompositionToDecode->compositionEndTime * scale);\n\t\tstbl->CompositionToDecode->compositionStartTime = (s32)(stbl->CompositionToDecode->compositionStartTime * scale);\n\t\tstbl->CompositionToDecode->compositionToDTSShift = (s32)(stbl->CompositionToDecode->compositionToDTSShift * scale);\n\t\tstbl->CompositionToDecode->greatestDecodeToDisplayDelta = (s32)(stbl->CompositionToDecode->greatestDecodeToDisplayDelta * scale);\n\t\tstbl->CompositionToDecode->leastDecodeToDisplayDelta = (s32)(stbl->CompositionToDecode->leastDecodeToDisplayDelta * scale);\n\t}\n\n\treturn SetTrackDuration(trak);\n}", "project": "gpac", "hash": 225997520511645717129045795651546649069, "size": 203, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267270 }, { "func": "Bool gf_isom_is_same_sample_description(GF_ISOFile *f1, u32 tk1, u32 sdesc_index1, GF_ISOFile *f2, u32 tk2, u32 sdesc_index2)\n{\n\tu32 i, count;\n\tGF_TrackBox *trak1, *trak2;\n\tGF_ESD *esd1, *esd2;\n\tBool need_memcmp, ret;\n\tGF_Box *a, *b;\n\n\t/*get orig sample desc and clone it*/\n\ttrak1 = gf_isom_get_track_from_file(f1, tk1);\n\tif (!trak1 || !trak1->Media) return GF_FALSE;\n\ttrak2 = gf_isom_get_track_from_file(f2, tk2);\n\tif (!trak2 || !trak2->Media) return GF_FALSE;\n\n\tif (trak1->Media->handler->handlerType != trak2->Media->handler->handlerType) return GF_FALSE;\n\tcount = gf_list_count(trak1->Media->information->sampleTable->SampleDescription->child_boxes);\n\tif (count != gf_list_count(trak2->Media->information->sampleTable->SampleDescription->child_boxes)) {\n\t\tif (!sdesc_index1 && !sdesc_index2) return GF_FALSE;\n\t}\n\n\tneed_memcmp = GF_TRUE;\n\tfor (i=0; iMedia->information->sampleTable->SampleDescription->child_boxes, 
i);\n\t\tGF_Box *ent2 = (GF_Box *)gf_list_get(trak2->Media->information->sampleTable->SampleDescription->child_boxes, i);\n\n\t\tif (sdesc_index1) ent1 = (GF_Box *)gf_list_get(trak1->Media->information->sampleTable->SampleDescription->child_boxes, sdesc_index1 - 1);\n\t\tif (sdesc_index2) ent2 = (GF_Box *)gf_list_get(trak2->Media->information->sampleTable->SampleDescription->child_boxes, sdesc_index2 - 1);\n\n\t\tif (!ent1 || !ent2) return GF_FALSE;\n\t\tif (ent1->type != ent2->type) return GF_FALSE;\n\n\t\tswitch (ent1->type) {\n\t\t/*for MPEG-4 streams, only compare decSpecInfo (bitrate may not be the same but that's not an issue)*/\n\t\tcase GF_ISOM_BOX_TYPE_MP4S:\n\t\tcase GF_ISOM_BOX_TYPE_MP4A:\n\t\tcase GF_ISOM_BOX_TYPE_MP4V:\n\t\tcase GF_ISOM_BOX_TYPE_ENCA:\n\t\tcase GF_ISOM_BOX_TYPE_ENCV:\n\t\tcase GF_ISOM_BOX_TYPE_RESV:\n\t\tcase GF_ISOM_BOX_TYPE_ENCS:\n\t\t\tMedia_GetESD(trak1->Media, sdesc_index1 ? sdesc_index1 : i+1, &esd1, GF_TRUE);\n\t\t\tMedia_GetESD(trak2->Media, sdesc_index2 ? 
sdesc_index2 : i+1, &esd2, GF_TRUE);\n\t\t\tif (!esd1 || !esd2) continue;\n\t\t\tneed_memcmp = GF_FALSE;\n\t\t\tif (esd1->decoderConfig->streamType != esd2->decoderConfig->streamType) return GF_FALSE;\n\t\t\tif (esd1->decoderConfig->objectTypeIndication != esd2->decoderConfig->objectTypeIndication) return GF_FALSE;\n\t\t\tif (!esd1->decoderConfig->decoderSpecificInfo && esd2->decoderConfig->decoderSpecificInfo) return GF_FALSE;\n\t\t\tif (esd1->decoderConfig->decoderSpecificInfo && !esd2->decoderConfig->decoderSpecificInfo) return GF_FALSE;\n\t\t\tif (!esd1->decoderConfig->decoderSpecificInfo || !esd2->decoderConfig->decoderSpecificInfo) continue;\n\t\t\tif (memcmp(esd1->decoderConfig->decoderSpecificInfo->data, esd2->decoderConfig->decoderSpecificInfo->data, sizeof(char)*esd1->decoderConfig->decoderSpecificInfo->dataLength)!=0) return GF_FALSE;\n\t\t\tbreak;\n\t\tcase GF_ISOM_BOX_TYPE_HVT1:\n\t\t\treturn GF_TRUE;\n\t\tcase GF_ISOM_BOX_TYPE_AVC1:\n\t\tcase GF_ISOM_BOX_TYPE_AVC2:\n\t\tcase GF_ISOM_BOX_TYPE_AVC3:\n\t\tcase GF_ISOM_BOX_TYPE_AVC4:\n\t\tcase GF_ISOM_BOX_TYPE_SVC1:\n\t\tcase GF_ISOM_BOX_TYPE_MVC1:\n\t\tcase GF_ISOM_BOX_TYPE_HVC1:\n\t\tcase GF_ISOM_BOX_TYPE_HEV1:\n\t\tcase GF_ISOM_BOX_TYPE_HVC2:\n\t\tcase GF_ISOM_BOX_TYPE_HEV2:\n\t\tcase GF_ISOM_BOX_TYPE_LHE1:\n\t\tcase GF_ISOM_BOX_TYPE_LHV1:\n\t\tcase GF_ISOM_BOX_TYPE_AV01:\n\t\tcase GF_ISOM_BOX_TYPE_VVC1:\n\t\tcase GF_ISOM_BOX_TYPE_VVI1:\n\t\t{\n\t\t\tGF_MPEGVisualSampleEntryBox *avc1 = (GF_MPEGVisualSampleEntryBox *)ent1;\n\t\t\tGF_MPEGVisualSampleEntryBox *avc2 = (GF_MPEGVisualSampleEntryBox *)ent2;\n\n\t\t\tif (avc1->hevc_config)\n\t\t\t\ta = (GF_Box *) avc1->hevc_config;\n\t\t\telse if (avc1->lhvc_config)\n\t\t\t\ta = (GF_Box *) avc1->lhvc_config;\n\t\t\telse if (avc1->svc_config)\n\t\t\t\ta = (GF_Box *) avc1->svc_config;\n\t\t\telse if (avc1->mvc_config)\n\t\t\t\ta = (GF_Box *) avc1->mvc_config;\n\t\t\telse if (avc1->av1_config)\n\t\t\t\ta = (GF_Box *)avc1->av1_config;\n\t\t\telse\n\t\t\t\ta = 
(GF_Box *) avc1->avc_config;\n\n\t\t\tif (avc2->hevc_config)\n\t\t\t\tb = (GF_Box *) avc2->hevc_config;\n\t\t\telse if (avc2->lhvc_config)\n\t\t\t\tb = (GF_Box *) avc2->lhvc_config;\n\t\t\telse if (avc2->svc_config)\n\t\t\t\tb = (GF_Box *) avc2->svc_config;\n\t\t\telse if (avc2->mvc_config)\n\t\t\t\tb = (GF_Box *) avc2->mvc_config;\n\t\t\telse if (avc2->av1_config)\n\t\t\t\tb = (GF_Box *)avc2->av1_config;\n\t\t\telse\n\t\t\t\tb = (GF_Box *) avc2->avc_config;\n\n\t\t\treturn gf_isom_box_equal(a,b);\n\t\t}\n\t\tbreak;\n\t\tcase GF_ISOM_BOX_TYPE_LSR1:\n\t\t{\n\t\t\tGF_LASeRSampleEntryBox *lsr1 = (GF_LASeRSampleEntryBox *)ent1;\n\t\t\tGF_LASeRSampleEntryBox *lsr2 = (GF_LASeRSampleEntryBox *)ent2;\n\t\t\tif (lsr1->lsr_config && lsr2->lsr_config\n\t\t\t && lsr1->lsr_config->hdr && lsr2->lsr_config->hdr\n\t\t\t && (lsr1->lsr_config->hdr_size==lsr2->lsr_config->hdr_size)\n\t\t\t && !memcmp(lsr1->lsr_config->hdr, lsr2->lsr_config->hdr, lsr2->lsr_config->hdr_size)\n\t\t\t ) {\n\t\t\t\treturn GF_TRUE;\n\t\t\t}\n\t\t\treturn GF_FALSE;\n\t\t}\n\t\tbreak;\n#ifndef GPAC_DISABLE_VTT\n\t\tcase GF_ISOM_BOX_TYPE_WVTT:\n\t\t{\n\t\t\tGF_WebVTTSampleEntryBox *wvtt1 = (GF_WebVTTSampleEntryBox *)ent1;\n\t\t\tGF_WebVTTSampleEntryBox *wvtt2 = (GF_WebVTTSampleEntryBox *)ent2;\n\t\t\tif (wvtt1->config && wvtt2->config &&\n\t\t\t (wvtt1->config->string && wvtt2->config->string && !strcmp(wvtt1->config->string, wvtt2->config->string))) {\n\t\t\t\treturn GF_TRUE;\n\t\t\t}\n\t\t\treturn GF_FALSE;\n\t\t}\n\t\tbreak;\n#endif\n\t\tcase GF_ISOM_BOX_TYPE_STPP:\n\t\t{\n\t\t\tGF_MetaDataSampleEntryBox *stpp1 = (GF_MetaDataSampleEntryBox *)ent1;\n\t\t\tGF_MetaDataSampleEntryBox *stpp2 = (GF_MetaDataSampleEntryBox *)ent2;\n\t\t\tif (stpp1->xml_namespace && stpp2->xml_namespace && !strcmp(stpp1->xml_namespace, stpp2->xml_namespace)) {\n\t\t\t\treturn GF_TRUE;\n\t\t\t}\n\t\t\treturn GF_FALSE;\n\t\t}\n\t\tbreak;\n\t\tcase GF_ISOM_BOX_TYPE_SBTT:\n\t\t{\n\t\t\treturn GF_FALSE;\n\t\t}\n\t\tbreak;\n\t\tcase 
GF_ISOM_BOX_TYPE_STXT:\n\t\t{\n\t\t\tGF_MetaDataSampleEntryBox *stxt1 = (GF_MetaDataSampleEntryBox *)ent1;\n\t\t\tGF_MetaDataSampleEntryBox *stxt2 = (GF_MetaDataSampleEntryBox *)ent2;\n\t\t\tif (stxt1->mime_type && stxt2->mime_type &&\n\t\t\t ( (!stxt1->config && !stxt2->config) ||\n\t\t\t (stxt1->config && stxt2->config && stxt1->config->config && stxt2->config->config &&\n\t\t\t !strcmp(stxt1->config->config, stxt2->config->config)))) {\n\t\t\t\treturn GF_TRUE;\n\t\t\t}\n\t\t\treturn GF_FALSE;\n\t\t}\n\t\tcase GF_ISOM_BOX_TYPE_MP3:\n\t\tcase GF_QT_SUBTYPE_RAW_AUD:\n\t\tcase GF_QT_SUBTYPE_TWOS:\n\t\tcase GF_QT_SUBTYPE_SOWT:\n\t\tcase GF_QT_SUBTYPE_FL32:\n\t\tcase GF_QT_SUBTYPE_FL64:\n\t\tcase GF_QT_SUBTYPE_IN24:\n\t\tcase GF_QT_SUBTYPE_IN32:\n\t\tcase GF_QT_SUBTYPE_ULAW:\n\t\tcase GF_QT_SUBTYPE_ALAW:\n\t\tcase GF_QT_SUBTYPE_ADPCM:\n\t\tcase GF_QT_SUBTYPE_IMA_ADPCM:\n\t\tcase GF_QT_SUBTYPE_DVCA:\n\t\tcase GF_QT_SUBTYPE_QDMC:\n\t\tcase GF_QT_SUBTYPE_QDMC2:\n\t\tcase GF_QT_SUBTYPE_QCELP:\n\t\tcase GF_QT_SUBTYPE_kMP3:\n\t\t\treturn GF_TRUE;\n\t\tcase GF_QT_SUBTYPE_APCH:\n\t\tcase GF_QT_SUBTYPE_APCO:\n\t\tcase GF_QT_SUBTYPE_APCN:\n\t\tcase GF_QT_SUBTYPE_APCS:\n\t\tcase GF_QT_SUBTYPE_AP4X:\n\t\tcase GF_QT_SUBTYPE_AP4H:\n\t\tcase GF_QT_SUBTYPE_RAW_VID:\n\t\tcase GF_QT_SUBTYPE_YUYV:\n\t\tcase GF_QT_SUBTYPE_UYVY:\n\t\tcase GF_QT_SUBTYPE_YUV444:\n\t\tcase GF_QT_SUBTYPE_YUVA444:\n\t\tcase GF_QT_SUBTYPE_YUV422_10:\n\t\tcase GF_QT_SUBTYPE_YUV444_10:\n\t\tcase GF_QT_SUBTYPE_YUV422_16:\n\t\tcase GF_QT_SUBTYPE_YUV420:\n\t\tcase GF_QT_SUBTYPE_I420:\n\t\tcase GF_QT_SUBTYPE_IYUV:\n\t\tcase GF_QT_SUBTYPE_YV12:\n\t\tcase GF_QT_SUBTYPE_YVYU:\n\t\tcase GF_QT_SUBTYPE_RGBA:\n\t\tcase GF_QT_SUBTYPE_ABGR:\n\t\t\treturn GF_TRUE;\n\t\t}\n\n\t\tif (sdesc_index1 && sdesc_index2) break;\n\t}\n\tif (!need_memcmp) return GF_TRUE;\n\ta = (GF_Box *)trak1->Media->information->sampleTable->SampleDescription;\n\tb = (GF_Box *)trak2->Media->information->sampleTable->SampleDescription;\n\t//we ignore all 
bitrate boxes when comparing the box, disable their writing\n\tgf_isom_registry_disable(GF_ISOM_BOX_TYPE_BTRT, GF_TRUE);\n\tret = gf_isom_box_equal(a,b);\n\t//re-enable btrt writing\n\tgf_isom_registry_disable(GF_ISOM_BOX_TYPE_BTRT, GF_FALSE);\n\n\treturn ret;\n}", "project": "gpac", "hash": 78612075461782449928658984303250229477, "size": 210, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267180 }, { "func": "Bool gf_isom_cenc_has_saiz_saio_full(GF_SampleTableBox *stbl, void *_traf, u32 scheme_type)\n{\n\tu32 i, c1, c2;\n\tGF_List *sai_sizes, *sai_offsets;\n\tu32 sinf_fmt = 0;\n\tBool has_saiz, has_saio;\n#ifndef GPAC_DISABLE_ISOM_FRAGMENTS\n\tGF_TrackFragmentBox *traf=(GF_TrackFragmentBox *)_traf;\n#endif\n\thas_saiz = has_saio = GF_FALSE;\n\n\tif (stbl) {\n\t\tsai_sizes = stbl->sai_sizes;\n\t\tsai_offsets = stbl->sai_offsets;\n\t}\n#ifndef GPAC_DISABLE_ISOM_FRAGMENTS\n\telse if (_traf) {\n\t\tsai_sizes = traf->sai_sizes;\n\t\tsai_offsets = traf->sai_offsets;\n\t}\n#endif\n\telse\n\t\treturn GF_FALSE;\n\n\tc1 = gf_list_count(sai_sizes);\n\tc2 = gf_list_count(sai_offsets);\n\tfor (i = 0; i < c1; i++) {\n\t\tGF_SampleAuxiliaryInfoSizeBox *saiz = (GF_SampleAuxiliaryInfoSizeBox *)gf_list_get(sai_sizes, i);\n\t\tu32 saiz_aux_info_type = saiz->aux_info_type;\n\t\tif (!saiz_aux_info_type) saiz_aux_info_type = scheme_type;\n\n\n\t\tif (!saiz_aux_info_type) {\n\t\t\tGF_SampleEntryBox *entry = NULL;\n\t\t\tGF_ProtectionSchemeInfoBox *sinf = NULL;\n\t\t\tif (stbl) {\n\t\t\t\tentry = gf_list_get(stbl->SampleDescription->child_boxes, 0);\n\t\t\t} else {\n\t\t\t\tentry = gf_list_get(traf->trex->track->Media->information->sampleTable->SampleDescription->child_boxes, 0);\n\t\t\t}\n\n\t\t\tif (entry)\n\t\t\t\tsinf = (GF_ProtectionSchemeInfoBox *) gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_SINF);\n\n\t\t\tif (sinf && sinf->scheme_type) {\n\t\t\t\tsaiz_aux_info_type = sinf_fmt = 
sinf->scheme_type->scheme_type;\n\t\t\t}\n\t\t}\n\t\tif (!saiz_aux_info_type && (c1==1) && (c2==1)) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] saiz box without flags nor aux info type and no default scheme, ignoring\\n\"));\n\t\t\tcontinue;\n\t\t}\n\n\t\tswitch (saiz_aux_info_type) {\n\t\tcase GF_ISOM_CENC_SCHEME:\n\t\tcase GF_ISOM_CBC_SCHEME:\n\t\tcase GF_ISOM_CENS_SCHEME:\n\t\tcase GF_ISOM_CBCS_SCHEME:\n\t\tcase GF_ISOM_PIFF_SCHEME:\n\t\t\thas_saiz = GF_TRUE;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tfor (i = 0; i < c2; i++) {\n\t\tGF_SampleAuxiliaryInfoOffsetBox *saio = (GF_SampleAuxiliaryInfoOffsetBox *)gf_list_get(sai_offsets, i);\n\t\tu32 saio_aux_info_type = saio->aux_info_type;\n\t\tif (!saio_aux_info_type) saio_aux_info_type = scheme_type;\n\t\tif (!saio_aux_info_type) saio_aux_info_type = sinf_fmt;\n\n\t\tif (!saio_aux_info_type) {\n\t\t\tGF_SampleEntryBox *entry = NULL;\n\t\t\tGF_ProtectionSchemeInfoBox *sinf = NULL;\n\t\t\tif (stbl) {\n\t\t\t\tentry = gf_list_get(stbl->SampleDescription->child_boxes, 0);\n\t\t\t} else {\n\t\t\t\tentry = gf_list_get(traf->trex->track->Media->information->sampleTable->SampleDescription->child_boxes, 0);\n\t\t\t}\n\t\t\tif (entry)\n\t\t\t\tsinf = (GF_ProtectionSchemeInfoBox *) gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_SINF);\n\n\t\t\tif (sinf && sinf->scheme_type) {\n\t\t\t\tsaio_aux_info_type = sinf_fmt = sinf->scheme_type->scheme_type;\n\t\t\t}\n\t\t}\n\t\tif (!saio_aux_info_type && (c1==1) && (c2==1)) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] saio box without flags nor aux info type and no default scheme, ignoring\\n\"));\n\t\t\tcontinue;\n\t\t}\n\t\t//special case for query on a file that has just been imported but not yet written: saio offset is NULL, we must use senc\n\t\tif (saio->entry_count && !saio->offsets)\n\t\t\tcontinue;\n\t\tswitch (saio_aux_info_type) {\n\t\tcase GF_ISOM_CENC_SCHEME:\n\t\tcase GF_ISOM_CBC_SCHEME:\n\t\tcase GF_ISOM_CENS_SCHEME:\n\t\tcase 
GF_ISOM_CBCS_SCHEME:\n\t\tcase GF_ISOM_PIFF_SCHEME:\n\t\t\thas_saio = GF_TRUE;\n\t\t\tbreak;\n\t\t}\n\t}\n\treturn (has_saiz && has_saio);\n}", "project": "gpac", "hash": 269519824922818643303784469455676396104, "size": 104, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275397 }, { "func": "GF_Err stbl_GetSampleInfos(GF_SampleTableBox *stbl, u32 sampleNumber, u64 *offset, u32 *chunkNumber, u32 *descIndex, GF_StscEntry **out_ent)\n{\n\tGF_Err e;\n\tu32 i, k, offsetInChunk, size, chunk_num;\n\tGF_ChunkOffsetBox *stco;\n\tGF_ChunkLargeOffsetBox *co64;\n\tGF_StscEntry *ent;\n\n\t(*offset) = 0;\n\t(*chunkNumber) = (*descIndex) = 0;\n\tif (out_ent) (*out_ent) = NULL;\n\tif (!stbl || !sampleNumber) return GF_BAD_PARAM;\n\tif (!stbl->ChunkOffset || !stbl->SampleToChunk || !stbl->SampleSize) return GF_ISOM_INVALID_FILE;\n\n\tif (stbl->SampleSize && stbl->SampleToChunk->nb_entries == stbl->SampleSize->sampleCount) {\n\t\tent = &stbl->SampleToChunk->entries[sampleNumber-1];\n\t\tif (!ent) return GF_BAD_PARAM;\n\t\t(*descIndex) = ent->sampleDescriptionIndex;\n\t\t(*chunkNumber) = sampleNumber;\n\t\tif (out_ent) *out_ent = ent;\n\t\tif ( stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) {\n\t\t\tstco = (GF_ChunkOffsetBox *)stbl->ChunkOffset;\n\t\t\tif (!stco->offsets) return GF_ISOM_INVALID_FILE;\n\n\t\t\t(*offset) = (u64) stco->offsets[sampleNumber - 1];\n\t\t} else {\n\t\t\tco64 = (GF_ChunkLargeOffsetBox *)stbl->ChunkOffset;\n\t\t\tif (!co64->offsets) return GF_ISOM_INVALID_FILE;\n\n\t\t\t(*offset) = co64->offsets[sampleNumber - 1];\n\t\t}\n\t\treturn GF_OK;\n\t}\n\n\t//check our cache: if desired sample is at or above current cache entry, start from here\n\tif (stbl->SampleToChunk->firstSampleInCurrentChunk &&\n\t (stbl->SampleToChunk->firstSampleInCurrentChunk <= sampleNumber)) {\n\n\t\ti = stbl->SampleToChunk->currentIndex;\n\t\tent = 
&stbl->SampleToChunk->entries[stbl->SampleToChunk->currentIndex];\n\t\tGetGhostNum(ent, i, stbl->SampleToChunk->nb_entries, stbl);\n\t\tk = stbl->SampleToChunk->currentChunk;\n\t}\n\t//otherwise start from first entry\n\telse {\n\t\ti = 0;\n\t\tstbl->SampleToChunk->currentIndex = 0;\n\t\tstbl->SampleToChunk->currentChunk = 1;\n\t\tstbl->SampleToChunk->ghostNumber = 1;\n\t\tstbl->SampleToChunk->firstSampleInCurrentChunk = 1;\n\t\tent = &stbl->SampleToChunk->entries[0];\n\t\tGetGhostNum(ent, 0, stbl->SampleToChunk->nb_entries, stbl);\n\t\tk = stbl->SampleToChunk->currentChunk;\n\t}\n\n\t//first get the chunk\n\tfor (; i < stbl->SampleToChunk->nb_entries; i++) {\n\t\tassert(stbl->SampleToChunk->firstSampleInCurrentChunk <= sampleNumber);\n\t\t//corrupted file (less sample2chunk info than sample count\n\t\tif (k > stbl->SampleToChunk->ghostNumber) {\n\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t}\n\n\n\t\t//check if sample is in current chunk\n\t\tu32 max_chunks_in_entry = stbl->SampleToChunk->ghostNumber - k;\n\t\tu32 nb_chunks_for_sample = sampleNumber - stbl->SampleToChunk->firstSampleInCurrentChunk;\n\t\tif (ent->samplesPerChunk) \n\t\t\tnb_chunks_for_sample /= ent->samplesPerChunk;\n\n\t\tif (\n\t\t\t(nb_chunks_for_sample <= max_chunks_in_entry)\n\t\t\t&& (stbl->SampleToChunk->firstSampleInCurrentChunk + (nb_chunks_for_sample+1) * ent->samplesPerChunk > sampleNumber)\n\t\t) {\n\n\t\t\tstbl->SampleToChunk->firstSampleInCurrentChunk += nb_chunks_for_sample * ent->samplesPerChunk;\n\t\t\tstbl->SampleToChunk->currentChunk += nb_chunks_for_sample;\n\t\t\tgoto sample_found;\n\t\t}\n\t\tmax_chunks_in_entry += 1;\n\t\tstbl->SampleToChunk->firstSampleInCurrentChunk += max_chunks_in_entry * ent->samplesPerChunk;\n\t\tstbl->SampleToChunk->currentChunk += max_chunks_in_entry;\n\n\t\t//not in this entry, get the next entry if not the last one\n\t\tif (i+1 != stbl->SampleToChunk->nb_entries) {\n\t\t\tent = &stbl->SampleToChunk->entries[i+1];\n\t\t\t//update the 
GhostNumber\n\t\t\tGetGhostNum(ent, i+1, stbl->SampleToChunk->nb_entries, stbl);\n\t\t\t//update the entry in our cache\n\t\t\tstbl->SampleToChunk->currentIndex = i+1;\n\t\t\tstbl->SampleToChunk->currentChunk = 1;\n\t\t\tk = 1;\n\t\t}\n\t}\n\t//if we get here, gasp, the sample was not found\n\treturn GF_ISOM_INVALID_FILE;\n\nsample_found:\n\n\t(*descIndex) = ent->sampleDescriptionIndex;\n\t(*chunkNumber) = chunk_num = ent->firstChunk + stbl->SampleToChunk->currentChunk - 1;\n\tif (out_ent) *out_ent = ent;\n\tif (! *chunkNumber)\n\t\treturn GF_ISOM_INVALID_FILE;\n\t\n\t//ok, get the size of all the previous samples in the chunk\n\toffsetInChunk = 0;\n\t//constant size\n\tif (stbl->SampleSize && stbl->SampleSize->sampleSize) {\n\t\tu32 diff = sampleNumber - stbl->SampleToChunk->firstSampleInCurrentChunk;\n\t\toffsetInChunk += diff * stbl->SampleSize->sampleSize;\n\t} else if ((stbl->r_last_chunk_num == chunk_num) && (stbl->r_last_sample_num == sampleNumber)) {\n\t\toffsetInChunk = stbl->r_last_offset_in_chunk;\n\t} else if ((stbl->r_last_chunk_num == chunk_num) && (stbl->r_last_sample_num + 1 == sampleNumber)) {\n\t\te = stbl_GetSampleSize(stbl->SampleSize, stbl->r_last_sample_num, &size);\n\t\tif (e) return e;\n\t\tstbl->r_last_offset_in_chunk += size;\n\t\tstbl->r_last_sample_num = sampleNumber;\n\t\toffsetInChunk = stbl->r_last_offset_in_chunk;\n\t} else {\n\t\t//warning, firstSampleInChunk is at least 1 - not 0\n\t\tfor (i = stbl->SampleToChunk->firstSampleInCurrentChunk; i < sampleNumber; i++) {\n\t\t\te = stbl_GetSampleSize(stbl->SampleSize, i, &size);\n\t\t\tif (e) return e;\n\t\t\toffsetInChunk += size;\n\t\t}\n\t\tstbl->r_last_chunk_num = chunk_num;\n\t\tstbl->r_last_sample_num = sampleNumber;\n\t\tstbl->r_last_offset_in_chunk = offsetInChunk;\n\t}\n\t//OK, that's the size of our offset in the chunk\n\t//now get the chunk\n\tif ( stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) {\n\t\tstco = (GF_ChunkOffsetBox *)stbl->ChunkOffset;\n\t\tif (stco->nb_entries 
< (*chunkNumber) ) return GF_ISOM_INVALID_FILE;\n\t\t(*offset) = (u64) stco->offsets[(*chunkNumber) - 1] + (u64) offsetInChunk;\n\t} else {\n\t\tco64 = (GF_ChunkLargeOffsetBox *)stbl->ChunkOffset;\n\t\tif (co64->nb_entries < (*chunkNumber) ) return GF_ISOM_INVALID_FILE;\n\t\t(*offset) = co64->offsets[(*chunkNumber) - 1] + (u64) offsetInChunk;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 114947250168727677329220353898394132242, "size": 143, "commit_id": "2da2f68bffd51d89b1d272d22aa8cc023c1c066e", "message": "fixed #1705", "target": 1, "dataset": "other", "idx": 197433 }, { "func": "GF_Err stbl_GetSampleInfos(GF_SampleTableBox *stbl, u32 sampleNumber, u64 *offset, u32 *chunkNumber, u32 *descIndex, GF_StscEntry **out_ent)\n{\n\tGF_Err e;\n\tu32 i, k, offsetInChunk, size, chunk_num;\n\tGF_ChunkOffsetBox *stco;\n\tGF_ChunkLargeOffsetBox *co64;\n\tGF_StscEntry *ent;\n\n\t(*offset) = 0;\n\t(*chunkNumber) = (*descIndex) = 0;\n\tif (out_ent) (*out_ent) = NULL;\n\tif (!stbl || !sampleNumber) return GF_BAD_PARAM;\n\tif (!stbl->ChunkOffset || !stbl->SampleToChunk || !stbl->SampleSize) return GF_ISOM_INVALID_FILE;\n\n\tif (stbl->SampleSize && stbl->SampleToChunk->nb_entries == stbl->SampleSize->sampleCount) {\n\t\tent = &stbl->SampleToChunk->entries[sampleNumber-1];\n\t\tif (!ent) return GF_BAD_PARAM;\n\t\t(*descIndex) = ent->sampleDescriptionIndex;\n\t\t(*chunkNumber) = sampleNumber;\n\t\tif (out_ent) *out_ent = ent;\n\t\tif ( stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) {\n\t\t\tstco = (GF_ChunkOffsetBox *)stbl->ChunkOffset;\n\t\t\tif (!stco->offsets) return GF_ISOM_INVALID_FILE;\n\t\t\tif (stco->nb_entries < sampleNumber) return GF_ISOM_INVALID_FILE;\n\n\t\t\t(*offset) = (u64) stco->offsets[sampleNumber - 1];\n\t\t} else {\n\t\t\tco64 = (GF_ChunkLargeOffsetBox *)stbl->ChunkOffset;\n\t\t\tif (!co64->offsets) return GF_ISOM_INVALID_FILE;\n\t\t\tif (co64->nb_entries < sampleNumber) return GF_ISOM_INVALID_FILE;\n\n\t\t\t(*offset) = co64->offsets[sampleNumber - 
1];\n\t\t}\n\t\treturn GF_OK;\n\t}\n\n\t//check our cache: if desired sample is at or above current cache entry, start from here\n\tif (stbl->SampleToChunk->firstSampleInCurrentChunk &&\n\t (stbl->SampleToChunk->firstSampleInCurrentChunk <= sampleNumber)) {\n\n\t\ti = stbl->SampleToChunk->currentIndex;\n\t\tent = &stbl->SampleToChunk->entries[stbl->SampleToChunk->currentIndex];\n\t\tGetGhostNum(ent, i, stbl->SampleToChunk->nb_entries, stbl);\n\t\tk = stbl->SampleToChunk->currentChunk;\n\t}\n\t//otherwise start from first entry\n\telse {\n\t\ti = 0;\n\t\tstbl->SampleToChunk->currentIndex = 0;\n\t\tstbl->SampleToChunk->currentChunk = 1;\n\t\tstbl->SampleToChunk->ghostNumber = 1;\n\t\tstbl->SampleToChunk->firstSampleInCurrentChunk = 1;\n\t\tent = &stbl->SampleToChunk->entries[0];\n\t\tGetGhostNum(ent, 0, stbl->SampleToChunk->nb_entries, stbl);\n\t\tk = stbl->SampleToChunk->currentChunk;\n\t}\n\n\t//first get the chunk\n\tfor (; i < stbl->SampleToChunk->nb_entries; i++) {\n\t\tassert(stbl->SampleToChunk->firstSampleInCurrentChunk <= sampleNumber);\n\t\t//corrupted file (less sample2chunk info than sample count\n\t\tif (k > stbl->SampleToChunk->ghostNumber) {\n\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t}\n\n\n\t\t//check if sample is in current chunk\n\t\tu32 max_chunks_in_entry = stbl->SampleToChunk->ghostNumber - k;\n\t\tu32 nb_chunks_for_sample = sampleNumber - stbl->SampleToChunk->firstSampleInCurrentChunk;\n\t\tif (ent->samplesPerChunk) \n\t\t\tnb_chunks_for_sample /= ent->samplesPerChunk;\n\n\t\tif (\n\t\t\t(nb_chunks_for_sample <= max_chunks_in_entry)\n\t\t\t&& (stbl->SampleToChunk->firstSampleInCurrentChunk + (nb_chunks_for_sample+1) * ent->samplesPerChunk > sampleNumber)\n\t\t) {\n\n\t\t\tstbl->SampleToChunk->firstSampleInCurrentChunk += nb_chunks_for_sample * ent->samplesPerChunk;\n\t\t\tstbl->SampleToChunk->currentChunk += nb_chunks_for_sample;\n\t\t\tgoto sample_found;\n\t\t}\n\t\tmax_chunks_in_entry += 1;\n\t\tstbl->SampleToChunk->firstSampleInCurrentChunk += 
max_chunks_in_entry * ent->samplesPerChunk;\n\t\tstbl->SampleToChunk->currentChunk += max_chunks_in_entry;\n\n\t\t//not in this entry, get the next entry if not the last one\n\t\tif (i+1 != stbl->SampleToChunk->nb_entries) {\n\t\t\tent = &stbl->SampleToChunk->entries[i+1];\n\t\t\t//update the GhostNumber\n\t\t\tGetGhostNum(ent, i+1, stbl->SampleToChunk->nb_entries, stbl);\n\t\t\t//update the entry in our cache\n\t\t\tstbl->SampleToChunk->currentIndex = i+1;\n\t\t\tstbl->SampleToChunk->currentChunk = 1;\n\t\t\tk = 1;\n\t\t}\n\t}\n\t//if we get here, gasp, the sample was not found\n\treturn GF_ISOM_INVALID_FILE;\n\nsample_found:\n\n\t(*descIndex) = ent->sampleDescriptionIndex;\n\t(*chunkNumber) = chunk_num = ent->firstChunk + stbl->SampleToChunk->currentChunk - 1;\n\tif (out_ent) *out_ent = ent;\n\tif (! *chunkNumber)\n\t\treturn GF_ISOM_INVALID_FILE;\n\t\n\t//ok, get the size of all the previous samples in the chunk\n\toffsetInChunk = 0;\n\t//constant size\n\tif (stbl->SampleSize && stbl->SampleSize->sampleSize) {\n\t\tu32 diff = sampleNumber - stbl->SampleToChunk->firstSampleInCurrentChunk;\n\t\toffsetInChunk += diff * stbl->SampleSize->sampleSize;\n\t} else if ((stbl->r_last_chunk_num == chunk_num) && (stbl->r_last_sample_num == sampleNumber)) {\n\t\toffsetInChunk = stbl->r_last_offset_in_chunk;\n\t} else if ((stbl->r_last_chunk_num == chunk_num) && (stbl->r_last_sample_num + 1 == sampleNumber)) {\n\t\te = stbl_GetSampleSize(stbl->SampleSize, stbl->r_last_sample_num, &size);\n\t\tif (e) return e;\n\t\tstbl->r_last_offset_in_chunk += size;\n\t\tstbl->r_last_sample_num = sampleNumber;\n\t\toffsetInChunk = stbl->r_last_offset_in_chunk;\n\t} else {\n\t\t//warning, firstSampleInChunk is at least 1 - not 0\n\t\tfor (i = stbl->SampleToChunk->firstSampleInCurrentChunk; i < sampleNumber; i++) {\n\t\t\te = stbl_GetSampleSize(stbl->SampleSize, i, &size);\n\t\t\tif (e) return e;\n\t\t\toffsetInChunk += size;\n\t\t}\n\t\tstbl->r_last_chunk_num = 
chunk_num;\n\t\tstbl->r_last_sample_num = sampleNumber;\n\t\tstbl->r_last_offset_in_chunk = offsetInChunk;\n\t}\n\t//OK, that's the size of our offset in the chunk\n\t//now get the chunk\n\tif ( stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) {\n\t\tstco = (GF_ChunkOffsetBox *)stbl->ChunkOffset;\n\t\tif (stco->nb_entries < (*chunkNumber) ) return GF_ISOM_INVALID_FILE;\n\t\t(*offset) = (u64) stco->offsets[(*chunkNumber) - 1] + (u64) offsetInChunk;\n\t} else {\n\t\tco64 = (GF_ChunkLargeOffsetBox *)stbl->ChunkOffset;\n\t\tif (co64->nb_entries < (*chunkNumber) ) return GF_ISOM_INVALID_FILE;\n\t\t(*offset) = co64->offsets[(*chunkNumber) - 1] + (u64) offsetInChunk;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 241891346465159261036739589837185271650, "size": 145, "commit_id": "2da2f68bffd51d89b1d272d22aa8cc023c1c066e", "message": "fixed #1705", "target": 0, "dataset": "other", "idx": 258553 }, { "func": "GF_EXPORT\nBool gf_isom_is_single_av(GF_ISOFile *file)\n{\n\tu32 count, i, nb_any, nb_a, nb_v, nb_auxv, nb_pict, nb_scene, nb_od, nb_text;\n\tnb_auxv = nb_pict = nb_a = nb_v = nb_any = nb_scene = nb_od = nb_text = 0;\n\n\tif (!file->moov) return GF_FALSE;\n\tcount = gf_isom_get_track_count(file);\n\tfor (i=0; i1) nb_any++;\n\t\t\telse nb_scene++;\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_OD:\n\t\t\tif (gf_isom_get_sample_count(file, i+1)>1) nb_any++;\n\t\t\telse nb_od++;\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_TEXT:\n\t\tcase GF_ISOM_MEDIA_SUBT:\n\t\t\tnb_text++;\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_AUDIO:\n\t\t\tnb_a++;\n\t\t\tbreak;\n case GF_ISOM_MEDIA_AUXV:\n /*discard file with images*/\n if (gf_isom_get_sample_count(file, i+1)==1) nb_any++;\n else nb_auxv++;\n break;\n case GF_ISOM_MEDIA_PICT:\n /*discard file with images*/\n if (gf_isom_get_sample_count(file, i+1)==1) nb_any++;\n else nb_pict++;\n break;\n\t\tcase GF_ISOM_MEDIA_VISUAL:\n\t\t\t/*discard file with images*/\n\t\t\tif (gf_isom_get_sample_count(file, i+1)==1) nb_any++;\n\t\t\telse 
nb_v++;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tnb_any++;\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (nb_any) return GF_FALSE;\n\tif ((nb_scene<=1) && (nb_od<=1) && (nb_a<=1) && (nb_v+nb_pict+nb_auxv<=1) && (nb_text<=1) ) return GF_TRUE;\n\treturn GF_FALSE;", "project": "gpac", "hash": 56339257962966406385165634785376437485, "size": 49, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246784 }, { "func": "void AV1_RewriteESDescriptor(GF_MPEGVisualSampleEntryBox *av1)\n{\n\tAV1_RewriteESDescriptorEx(av1, NULL);\n}", "project": "gpac", "hash": 198491685332398292789514421618972639355, "size": 4, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237612 }, { "func": "GF_Err gf_isom_clone_sample_descriptions(GF_ISOFile *the_file, u32 trackNumber, GF_ISOFile *orig_file, u32 orig_track, Bool reset_existing)\n{\n\tu32 i;\n\tGF_TrackBox *dst_trak, *src_trak;\n\tGF_Err e = CanAccessMovie(the_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\tdst_trak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!dst_trak || !dst_trak->Media) return GF_BAD_PARAM;\n\tsrc_trak = gf_isom_get_track_from_file(orig_file, orig_track);\n\tif (!src_trak || !src_trak->Media) return GF_BAD_PARAM;\n\n\tif (reset_existing) {\n\t\tgf_isom_box_array_del(dst_trak->Media->information->sampleTable->SampleDescription->child_boxes);\n\t\tdst_trak->Media->information->sampleTable->SampleDescription->child_boxes = gf_list_new();\n\t}\n\n\tfor (i=0; iMedia->information->sampleTable->SampleDescription->child_boxes); i++) {\n\t\tu32 outDesc;\n\t\te = gf_isom_clone_sample_description(the_file, trackNumber, orig_file, orig_track, i+1, NULL, NULL, &outDesc);\n\t\tif (e) break;\n\t}\n\treturn e;\n}", "project": "gpac", "hash": 336625080472217779601441129731440413166, "size": 24, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", 
"target": 0, "dataset": "other", "idx": 267178 }, { "func": "static u32 create_new_track_action(char *string, TrackAction **actions, u32 *nb_track_act, u32 dump_type)\n{\n\t*actions = (TrackAction *)gf_realloc(*actions, sizeof(TrackAction) * (*nb_track_act+1));\n\tmemset(&(*actions)[*nb_track_act], 0, sizeof(TrackAction) );\n\t(*actions)[*nb_track_act].act_type = TRAC_ACTION_RAW_EXTRACT;\n\t(*actions)[*nb_track_act].dump_type = dump_type;\n\tparse_track_action_params(string, &(*actions)[*nb_track_act]);\n\t(*nb_track_act)++;\n\treturn dump_type;\n}", "project": "gpac", "hash": 67915822707117543882396966795084229936, "size": 10, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244378 }, { "func": "static void dump_qt_prores(GF_ISOFile *file, GF_ISOTrackID trackID, FILE *dump, Bool dump_crc);\n\nvoid dump_isom_nal(GF_ISOFile *file, GF_ISOTrackID trackID, char *inName, Bool is_final_name, u32 dump_flags)\n{\n\tBool is_av1 = GF_FALSE;\n\tBool is_prores = GF_FALSE;\n\n\tFILE *dump;\n\tif (inName) {\n\t\tGF_ESD* esd;\n\t\tchar szBuf[GF_MAX_PATH];\n\n\t\tstrcpy(szBuf, inName);\n\n\t\tu32 track = gf_isom_get_track_by_id(file, trackID);\n\t\tesd = gf_isom_get_esd(file, track, 1);\n\n\t\tif (!esd || !esd->decoderConfig) {\n\t\t\tswitch (gf_isom_get_media_subtype(file, track, 1)) {\n\t\t\tcase GF_ISOM_SUBTYPE_AV01:\n\t\t\t\tis_av1 = GF_TRUE;\n\t\t\t\tbreak;\n\t\t\tcase GF_QT_SUBTYPE_APCH:\n\t\t\tcase GF_QT_SUBTYPE_APCO:\n\t\t\tcase GF_QT_SUBTYPE_APCN:\n\t\t\tcase GF_QT_SUBTYPE_APCS:\n\t\t\tcase GF_QT_SUBTYPE_AP4X:\n\t\t\tcase GF_QT_SUBTYPE_AP4H:\n\t\t\t\tis_prores = GF_TRUE;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\telse if (esd->decoderConfig->objectTypeIndication == GF_CODECID_AV1) {\n\t\t\tis_av1 = GF_TRUE;\n\t\t}\n\t\tif (esd) gf_odf_desc_del((GF_Descriptor*)esd);\n\n\t\tif (!is_final_name) sprintf(szBuf, \"%s_%d_%s.xml\", inName, trackID, is_av1 ? 
\"obu\" : \"nalu\");\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Failed to open %s for dumping\\n\", szBuf));\n\t\t\treturn;\n\t\t}\n\t} else {\n\t\tdump = stdout;\n\t}\n\n\tif (is_av1)\n\t\tdump_isom_obu(file, trackID, dump, dump_flags);\n\telse if (is_prores)\n\t\tdump_qt_prores(file, trackID, dump, dump_flags);\n\telse\n\t\tdump_isom_nal_ex(file, trackID, dump, dump_flags);\n", "project": "gpac", "hash": 289151712136673794150737326159105897791, "size": 54, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243180 }, { "func": "static void dump_qt_prores(GF_ISOFile *file, GF_ISOTrackID trackID, FILE *dump, Bool dump_crc);\n\nvoid dump_isom_nal(GF_ISOFile *file, GF_ISOTrackID trackID, char *inName, Bool is_final_name, u32 dump_flags)\n{\n\tBool is_av1 = GF_FALSE;\n\tBool is_prores = GF_FALSE;\n\n\tFILE *dump;\n\tif (inName) {\n\t\tGF_ESD* esd;\n\t\tchar szBuf[GF_MAX_PATH];\n\n\t\tstrcpy(szBuf, inName);\n\n\t\tu32 track = gf_isom_get_track_by_id(file, trackID);\n\t\tesd = gf_isom_get_esd(file, track, 1);\n\n\t\tif (!esd || !esd->decoderConfig) {\n\t\t\tswitch (gf_isom_get_media_subtype(file, track, 1)) {\n\t\t\tcase GF_ISOM_SUBTYPE_AV01:\n\t\t\t\tis_av1 = GF_TRUE;\n\t\t\t\tbreak;\n\t\t\tcase GF_QT_SUBTYPE_APCH:\n\t\t\tcase GF_QT_SUBTYPE_APCO:\n\t\t\tcase GF_QT_SUBTYPE_APCN:\n\t\t\tcase GF_QT_SUBTYPE_APCS:\n\t\t\tcase GF_QT_SUBTYPE_AP4X:\n\t\t\tcase GF_QT_SUBTYPE_AP4H:\n\t\t\t\tis_prores = GF_TRUE;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\telse if (esd->decoderConfig->objectTypeIndication == GF_CODECID_AV1) {\n\t\t\tis_av1 = GF_TRUE;\n\t\t}\n\t\tif (esd) gf_odf_desc_del((GF_Descriptor*)esd);\n\n\t\tif (!is_final_name) sprintf(szBuf, \"%s_%d_%s.xml\", inName, trackID, is_av1 ? 
\"obu\" : \"nalu\");\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tfprintf(stderr, \"Failed to open %s for dumping\\n\", szBuf);\n\t\t\treturn;\n\t\t}\n\t} else {\n\t\tdump = stdout;\n\t}\n\n\tif (is_av1)\n\t\tdump_isom_obu(file, trackID, dump, dump_flags);\n\telse if (is_prores)\n\t\tdump_qt_prores(file, trackID, dump, dump_flags);\n\telse\n\t\tdump_isom_nal_ex(file, trackID, dump, dump_flags);\n", "project": "gpac", "hash": 185412755620315856991715588854087218206, "size": 54, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249554 }, { "func": "static void rewrite_nalus_list(GF_List *nalus, GF_BitStream *bs, Bool rewrite_start_codes, u32 nal_unit_size_field)\n{\n\tu32 i, count = gf_list_count(nalus);\n\tfor (i=0; isize, 8*nal_unit_size_field);\n\t\tgf_bs_write_data(bs, sl->data, sl->size);\n\t}\n}", "project": "gpac", "hash": 325909418224907885197452292181885269897, "size": 10, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237604 }, { "func": "GF_Err MergeFragment(GF_MovieFragmentBox *moof, GF_ISOFile *mov)\n{\n\tGF_Err e;\n\tu32 i, j;\n\tu64 MaxDur;\n\tGF_TrackFragmentBox *traf;\n\tGF_TrackBox *trak;\n\tu64 base_data_offset;\n\n\tMaxDur = 0;\n\n\t//we shall have a MOOV and its MVEX BEFORE any MOOF\n\tif (!mov->moov || !mov->moov->mvex) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Error: %s not received before merging fragment\\n\", mov->moov ? 
\"mvex\" : \"moov\" ));\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\t//and all fragments should be continous but:\n\t//- dash with dependent representations may likely give R1(moofSN 1, 3, 5, 7) plus R2(moofSN 2, 4, 6, 8)\n\t//- smooth muxed in a single file may end up with V(1),A(1), V(2),A(2) ...\n\t//we do not throw an error if not as we may still want to be able to concatenate dependent representations in DASH and\n\tif (mov->NextMoofNumber && moof->mfhd && (mov->NextMoofNumber >= moof->mfhd->sequence_number)) {\n\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, (\"[iso file] wrong sequence number: got %d but last one was %d\\n\", moof->mfhd->sequence_number, mov->NextMoofNumber));\n\t}\n\n\tbase_data_offset = mov->current_top_box_start;\n\tif (moof->compressed_diff)\n\t\tbase_data_offset -= moof->compressed_diff;\n\n\ti=0;\n\twhile ((traf = (GF_TrackFragmentBox*)gf_list_enum(moof->TrackList, &i))) {\n\t\tif (!traf->tfhd) {\n\t\t\ttrak = NULL;\n\t\t\ttraf->trex = NULL;\n\t\t} else if (mov->is_smooth) {\n\t\t\ttrak = gf_list_get(mov->moov->trackList, 0);\n\t\t\ttraf->trex = (GF_TrackExtendsBox*)gf_list_get(mov->moov->mvex->TrackExList, 0);\n\t\t\tassert(traf->trex);\n\t\t\ttraf->trex->trackID = trak->Header->trackID = traf->tfhd->trackID;\n\t\t} else {\n\t\t\ttrak = gf_isom_get_track_from_id(mov->moov, traf->tfhd->trackID);\n\t\t\tj=0;\n\t\t\twhile ((traf->trex = (GF_TrackExtendsBox*)gf_list_enum(mov->moov->mvex->TrackExList, &j))) {\n\t\t\t\tif (traf->trex->trackID == traf->tfhd->trackID) break;\n\t\t\t\ttraf->trex = NULL;\n\t\t\t}\n\t\t}\n\n\t\tif (!trak || !traf->trex) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Error: Cannot find fragment track with ID %d\\n\", traf->tfhd ? 
traf->tfhd->trackID : 0));\n\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t}\n\n\t\te = MergeTrack(trak, traf, moof, mov->current_top_box_start, moof->compressed_diff, &base_data_offset, !trak->first_traf_merged);\n\t\tif (e) return e;\n\n\t\ttrak->present_in_scalable_segment = 1;\n\n\t\t//update trak duration\n\t\tSetTrackDuration(trak);\n\t\tif (trak->Header->duration > MaxDur)\n\t\t\tMaxDur = trak->Header->duration;\n\n\t\ttrak->first_traf_merged = GF_TRUE;\n\t}\n\n\tif (moof->child_boxes) {\n\t\tGF_Box *a;\n\t\ti = 0;\n\t\twhile ((a = (GF_Box *)gf_list_enum(moof->child_boxes, &i))) {\n\t\t\tif (a->type == GF_ISOM_BOX_TYPE_PSSH) {\n\t\t\t\tGF_ProtectionSystemHeaderBox *pssh = (GF_ProtectionSystemHeaderBox *)gf_isom_box_new_parent(&mov->moov->child_boxes, GF_ISOM_BOX_TYPE_PSSH);\n\t\t\t\tif (!pssh) return GF_OUT_OF_MEM;\n\t\t\t\tmemmove(pssh->SystemID, ((GF_ProtectionSystemHeaderBox *)a)->SystemID, 16);\n\t\t\t\tif (((GF_ProtectionSystemHeaderBox *)a)->KIDs && ((GF_ProtectionSystemHeaderBox *)a)->KID_count > 0) {\n\t\t\t\t\tpssh->KID_count = ((GF_ProtectionSystemHeaderBox *)a)->KID_count;\n\t\t\t\t\tpssh->KIDs = (bin128 *)gf_malloc(pssh->KID_count*sizeof(bin128));\n\t\t\t\t\tif (!pssh->KIDs) return GF_OUT_OF_MEM;\n\n\t\t\t\t\tmemmove(pssh->KIDs, ((GF_ProtectionSystemHeaderBox *)a)->KIDs, pssh->KID_count*sizeof(bin128));\n\t\t\t\t}\n\t\t\t\tpssh->private_data_size = ((GF_ProtectionSystemHeaderBox *)a)->private_data_size;\n\t\t\t\tpssh->private_data = (u8 *)gf_malloc(pssh->private_data_size*sizeof(char));\n\t\t\t\tif (!pssh->private_data) return GF_OUT_OF_MEM;\n\t\t\t\tmemmove(pssh->private_data, ((GF_ProtectionSystemHeaderBox *)a)->private_data, pssh->private_data_size);\n\t\t\t}\n\t\t}\n\t}\n\n\tmov->NextMoofNumber = moof->mfhd ? 
moof->mfhd->sequence_number : 0;\n\t//update movie duration\n\tif (mov->moov->mvhd->duration < MaxDur) mov->moov->mvhd->duration = MaxDur;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 128994650650265309733629025611452581809, "size": 93, "commit_id": "fe5155cf047252d1c4cb91602048bfa682af0ea7", "message": "fixed #1783 (fuzz)", "target": 0, "dataset": "other", "idx": 271713 }, { "func": "GF_Err gf_isom_set_timescale(GF_ISOFile *movie, u32 timeScale)\n{\n\tGF_TrackBox *trak;\n\tu32 i;\n\tGF_Err e;\n\tif (!timeScale) return GF_BAD_PARAM;\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\te = gf_isom_insert_moov(movie);\n\tif (e) return e;\n\n\tif (movie->moov->mvhd->timeScale == timeScale) return GF_OK;\n\n\t/*rewrite all durations and edit lists*/\n\tmovie->moov->mvhd->duration *= timeScale;\n\tmovie->moov->mvhd->duration /= movie->moov->mvhd->timeScale;\n\tif (movie->moov->mvex && movie->moov->mvex->mehd) {\n\t\tmovie->moov->mvex->mehd->fragment_duration *= timeScale;\n\t\tmovie->moov->mvex->mehd->fragment_duration /= movie->moov->mvhd->timeScale;\n\t}\n\n\ti=0;\n\twhile ((trak = (GF_TrackBox*)gf_list_enum(movie->moov->trackList, &i))) {\n\t\ttrak->Header->duration *= timeScale;\n\t\ttrak->Header->duration /= movie->moov->mvhd->timeScale;\n\n\t\tif (trak->editBox && trak->editBox->editList) {\n\t\t\tu32 j, count = gf_list_count(trak->editBox->editList->entryList);\n\t\t\tfor (j=0; jeditBox->editList->entryList, j);\n\t\t\t\tent->segmentDuration *= timeScale;\n\t\t\t\tent->segmentDuration /= movie->moov->mvhd->timeScale;\n\t\t\t}\n\t\t}\n\t}\n\tif (movie->moov->mvex && movie->moov->mvex->mehd) {\n\t\tmovie->moov->mvex->mehd->fragment_duration *= timeScale;\n\t\tmovie->moov->mvex->mehd->fragment_duration /= movie->moov->mvhd->timeScale;\n\t}\n\tmovie->moov->mvhd->timeScale = timeScale;\n\tmovie->interleavingTime = timeScale;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 267714377992957862385847438016025127182, "size": 43, "commit_id": 
"ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267238 }, { "func": "\nGF_DefaultSampleGroupDescriptionEntry * gf_isom_get_sample_group_info_entry(GF_ISOFile *the_file, GF_TrackBox *trak, u32 grouping_type, u32 sample_group_description_index, u32 *default_index, GF_SampleGroupDescriptionBox **out_sgdp)\n{\n\tu32 i, count;\n\n\tif (!trak || !sample_group_description_index) return NULL;\n\tif (!trak->Media->information->sampleTable->sampleGroupsDescription) return NULL;\n\n\tcount = gf_list_count(trak->Media->information->sampleTable->sampleGroupsDescription);\n\tfor (i=0; iMedia->information->sampleTable->sampleGroupsDescription, i);\n\t\tif (sgdesc->grouping_type != grouping_type) continue;\n\n\t\tif (sgdesc->default_description_index && !sample_group_description_index) sample_group_description_index = sgdesc->default_description_index;\n\n\t\tif (default_index) *default_index = sgdesc->default_description_index ;\n\t\tif (out_sgdp) *out_sgdp = sgdesc;\n\n\t\tif (!sample_group_description_index) return NULL;\n\t\treturn (GF_DefaultSampleGroupDescriptionEntry*)gf_list_get(sgdesc->group_descriptions, sample_group_description_index-1);\n\t}\n\treturn NULL;", "project": "gpac", "hash": 98720808040153073955927124931610484410, "size": 22, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246836 }, { "func": "GF_Err gf_isom_set_final_name(GF_ISOFile *movie, char *filename)\n{\n\tGF_Err e;\n\tif (!movie ) return GF_BAD_PARAM;\n\n\t//if mode is not OPEN_EDIT file was created under the right name\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_EDIT);\n\tif (e) return e;\n\n\tif (filename) {\n\t\t//we don't allow file overwriting\n\t\tif ( (movie->openMode == GF_ISOM_OPEN_EDIT)\n\t\t && movie->fileName && !strcmp(filename, movie->fileName))\n\t\t\treturn GF_BAD_PARAM;\n\t\tif (movie->finalName) gf_free(movie->finalName);\n\t\tmovie->finalName 
= gf_strdup(filename);\n\t\tif (!movie->finalName) return GF_OUT_OF_MEM;\n\t\tgf_isom_disable_inplace_rewrite(movie);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 225802388091460718039910567667014104596, "size": 21, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267295 }, { "func": "GF_EXPORT\nGF_Err gf_isom_reset_tables(GF_ISOFile *movie, Bool reset_sample_count)\n{\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\tu32 i, j;\n\n\tif (!movie || !movie->moov || !movie->moov->mvex) return GF_BAD_PARAM;\n\tfor (i=0; imoov->trackList); i++) {\n\t\tGF_Box *a;\n\t\tGF_TrackBox *trak = (GF_TrackBox *)gf_list_get(movie->moov->trackList, i);\n\n\t\tu32 type, dur;\n\t\tu64 dts;\n\t\tGF_SampleTableBox *stbl = trak->Media->information->sampleTable;\n\n\t\ttrak->sample_count_at_seg_start += stbl->SampleSize->sampleCount;\n\t\tif (trak->sample_count_at_seg_start) {\n\t\t\tGF_Err e;\n\t\t\te = stbl_GetSampleDTS_and_Duration(stbl->TimeToSample, stbl->SampleSize->sampleCount, &dts, &dur);\n\t\t\tif (e == GF_OK) {\n\t\t\t\ttrak->dts_at_seg_start += dts + dur;\n\t\t\t}\n\t\t}\n\n\t\tRECREATE_BOX(stbl->ChunkOffset, (GF_Box *));\n\t\tRECREATE_BOX(stbl->CompositionOffset, (GF_CompositionOffsetBox *));\n\t\tRECREATE_BOX(stbl->DegradationPriority, (GF_DegradationPriorityBox *));\n\t\tRECREATE_BOX(stbl->PaddingBits, (GF_PaddingBitsBox *));\n\t\tRECREATE_BOX(stbl->SampleDep, (GF_SampleDependencyTypeBox *));\n\t\tRECREATE_BOX(stbl->SampleSize, (GF_SampleSizeBox *));\n\t\tRECREATE_BOX(stbl->SampleToChunk, (GF_SampleToChunkBox *));\n\t\tRECREATE_BOX(stbl->ShadowSync, (GF_ShadowSyncBox *));\n\t\tRECREATE_BOX(stbl->SyncSample, (GF_SyncSampleBox *));\n\t\tRECREATE_BOX(stbl->TimeToSample, (GF_TimeToSampleBox *));\n\n\t\tgf_isom_box_array_del_parent(&stbl->child_boxes, stbl->sai_offsets);\n\t\tstbl->sai_offsets = NULL;\n\n\t\tgf_isom_box_array_del_parent(&stbl->child_boxes, stbl->sai_sizes);\n\t\tstbl->sai_sizes = 
NULL;\n\n\t\tgf_isom_box_array_del_parent(&stbl->child_boxes, stbl->sampleGroups);\n\t\tstbl->sampleGroups = NULL;\n\n\t\tj = stbl->nb_sgpd_in_stbl;\n\t\twhile ((a = (GF_Box *)gf_list_enum(stbl->sampleGroupsDescription, &j))) {\n\t\t\tgf_isom_box_del_parent(&stbl->child_boxes, a);\n\t\t\tj--;\n\t\t\tgf_list_rem(stbl->sampleGroupsDescription, j);\n\t\t}\n\n#if 0\n\t\tj = stbl->nb_stbl_boxes;\n\t\twhile ((a = (GF_Box *)gf_list_enum(stbl->child_boxes, &j))) {\n\t\t\tgf_isom_box_del_parent(&stbl->child_boxes, a);\n\t\t\tj--;\n\t\t}\n#endif\n\n\t\tif (reset_sample_count) {\n\t\t\ttrak->Media->information->sampleTable->SampleSize->sampleCount = 0;\n#ifndef GPAC_DISABLE_ISOM_FRAGMENTS\n\t\t\ttrak->sample_count_at_seg_start = 0;\n\t\t\ttrak->dts_at_seg_start = 0;\n\t\t\ttrak->first_traf_merged = GF_FALSE;\n#endif\n\t\t}\n\n\t}\n\tif (reset_sample_count) {\n\t\tmovie->NextMoofNumber = 0;\n\t}\n#endif\n\treturn GF_OK;\n", "project": "gpac", "hash": 147511463378726249416103525443936106059, "size": 75, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246779 }, { "func": "GF_Err gf_isom_force_64bit_chunk_offset(GF_ISOFile *file, Bool set_on)\n{\n\tif (!file) return GF_BAD_PARAM;\n\tfile->force_co64 = set_on;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 210203861561912850844829564461734914259, "size": 6, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267336 }, { "func": "GF_Err gf_isom_set_media_language(GF_ISOFile *movie, u32 trackNumber, char *code)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak || !code) return GF_BAD_PARAM;\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\t// Old language-storage processing\n\t// if the new code is on 3 chars, we use it\n\t// otherwise, we find the associated 3 chars code and use it\n\tif 
(strlen(code) == 3) {\n\t\tmemcpy(trak->Media->mediaHeader->packedLanguage, code, sizeof(char)*3);\n\t} else {\n\t\ts32 lang_idx;\n\t\tconst char *code_3cc;\n\t\tlang_idx = gf_lang_find(code);\n\t\tif (lang_idx == -1) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"The given code is not a valid one: %s, using 'und' as 3-letter code\\n\", code));\n\t\t\tcode_3cc = \"und\";\n\t\t} else {\n\t\t\tcode_3cc = gf_lang_get_3cc(lang_idx);\n\t\t}\n\t\tmemcpy(trak->Media->mediaHeader->packedLanguage, code_3cc, sizeof(char)*3);\n\t}\n\n\t// New language-storage processing\n\t// change the code in the extended language box (if any)\n\t// otherwise add an extended language box only if the given code is not 3 chars\n\t{\n\t\tu32 i, count;\n\t\tGF_ExtendedLanguageBox *elng;\n\t\telng = NULL;\n\t\tcount = gf_list_count(trak->Media->child_boxes);\n\t\tfor (i = 0; i < count; i++) {\n\t\t\tGF_Box *box = (GF_Box *)gf_list_get(trak->Media->child_boxes, i);\n\t\t\tif (box->type == GF_ISOM_BOX_TYPE_ELNG) {\n\t\t\t\telng = (GF_ExtendedLanguageBox *)box;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (!elng && (strlen(code) > 3)) {\n\t\t\telng = (GF_ExtendedLanguageBox *)gf_isom_box_new_parent(&trak->Media->child_boxes, GF_ISOM_BOX_TYPE_ELNG);\n\t\t\tif (!elng) return GF_OUT_OF_MEM;\n\t\t}\n\t\tif (elng) {\n\t\t\tif (elng->extended_language) {\n\t\t\t\tgf_free(elng->extended_language);\n\t\t\t}\n\t\t\telng->extended_language = gf_strdup(code);\n\t\t}\n\t}\n\tif (!movie->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\treturn GF_OK;\n}", "project": "gpac", "hash": 19587277728691627737048250770488454880, "size": 58, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267350 }, { "func": "GF_Err gf_hinter_track_process(GF_RTPHinter *tkHint)\n{\n\tGF_Err e;\n\tu32 i, descIndex, duration;\n\tu64 ts;\n\tu8 PadBits;\n\tGF_Fraction ft;\n\tGF_ISOSample *samp;\n\n\ttkHint->HintSample = 
tkHint->RTPTime = 0;\n\n\ttkHint->TotalSample = gf_isom_get_sample_count(tkHint->file, tkHint->TrackNum);\n\tft.num = tkHint->rtp_p->sl_config.timestampResolution;\n\tft.den = tkHint->OrigTimeScale;\n\n\te = GF_OK;\n\tfor (i=0; iTotalSample; i++) {\n\t\tsamp = gf_isom_get_sample(tkHint->file, tkHint->TrackNum, i+1, &descIndex);\n\t\tif (!samp) return gf_isom_last_error(tkHint->file);\n\n\t\t//setup SL\n\t\ttkHint->CurrentSample = i + 1;\n\n\t\t/*keep same AU indicator if sync shadow - TODO FIXME: this assumes shadows are placed interleaved with\n\t\tthe track content which is the case for GPAC scene carousel generation, but may not always be true*/\n\t\tif (samp->IsRAP==RAP_REDUNDANT) {\n\t\t\ttkHint->rtp_p->sl_header.AU_sequenceNumber -= 1;\n\t\t\tsamp->IsRAP = RAP;\n\t\t}\n\n\t\tts = ft.num * (samp->DTS+samp->CTS_Offset) / ft.den;\n\t\ttkHint->rtp_p->sl_header.compositionTimeStamp = ts;\n\n\t\tts = ft.num * samp->DTS / ft.den;\n\t\ttkHint->rtp_p->sl_header.decodingTimeStamp = ts;\n\t\ttkHint->rtp_p->sl_header.randomAccessPointFlag = samp->IsRAP;\n\n\t\ttkHint->base_offset_in_sample = 0;\n\t\t/*crypted*/\n\t\tif (tkHint->rtp_p->slMap.IV_length) {\n\t\t\tGF_ISMASample *s = gf_isom_get_ismacryp_sample(tkHint->file, tkHint->TrackNum, samp, descIndex);\n\t\t\t/*one byte take for selective_enc flag*/\n\t\t\tif (s->flags & GF_ISOM_ISMA_USE_SEL_ENC) tkHint->base_offset_in_sample += 1;\n\t\t\tif (s->flags & GF_ISOM_ISMA_IS_ENCRYPTED) tkHint->base_offset_in_sample += s->IV_length + s->KI_length;\n\t\t\tgf_free(samp->data);\n\t\t\tsamp->data = s->data;\n\t\t\tsamp->dataLength = s->dataLength;\n\t\t\tgf_rtp_builder_set_cryp_info(tkHint->rtp_p, s->IV, (char*)s->key_indicator, (s->flags & GF_ISOM_ISMA_IS_ENCRYPTED) ? 
1 : 0);\n\t\t\ts->data = NULL;\n\t\t\ts->dataLength = 0;\n\t\t\tgf_isom_ismacryp_delete_sample(s);\n\t\t}\n\n\t\tif (tkHint->rtp_p->sl_config.usePaddingFlag) {\n\t\t\tgf_isom_get_sample_padding_bits(tkHint->file, tkHint->TrackNum, i+1, &PadBits);\n\t\t\ttkHint->rtp_p->sl_header.paddingBits = PadBits;\n\t\t} else {\n\t\t\ttkHint->rtp_p->sl_header.paddingBits = 0;\n\t\t}\n\n\t\tduration = gf_isom_get_sample_duration(tkHint->file, tkHint->TrackNum, i+1);\n//\t\tts = (u32) (ft * (s64) (duration));\n\n\t\t/*unpack nal units*/\n\t\tif (tkHint->avc_nalu_size) {\n\t\t\tu32 v, size;\n\t\t\tu32 remain = samp->dataLength;\n\t\t\tchar *ptr = samp->data;\n\n\t\t\ttkHint->rtp_p->sl_header.accessUnitStartFlag = 1;\n\t\t\ttkHint->rtp_p->sl_header.accessUnitEndFlag = 0;\n\t\t\twhile (remain) {\n\t\t\t\tsize = 0;\n\t\t\t\tv = tkHint->avc_nalu_size;\n\t\t\t\tif (v>remain) {\n\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_RTP, (\"[rtp hinter] Broken AVC nalu encapsulation: NALU size length is %d but only %d bytes left in sample %d\\n\", v, remain, tkHint->CurrentSample));\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\twhile (v) {\n\t\t\t\t\tsize |= (u8) *ptr;\n\t\t\t\t\tptr++;\n\t\t\t\t\tremain--;\n\t\t\t\t\tv-=1;\n\t\t\t\t\tif (v) size<<=8;\n\t\t\t\t}\n\t\t\t\ttkHint->base_offset_in_sample = samp->dataLength-remain;\n\t\t\t\tif (remain < size) {\n\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_RTP, (\"[rtp hinter] Broken AVC nalu encapsulation: NALU size is %d but only %d bytes left in sample %d\\n\", size, remain, tkHint->CurrentSample));\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tremain -= size;\n\t\t\t\ttkHint->rtp_p->sl_header.accessUnitEndFlag = remain ? 
0 : 1;\n\t\t\t\te = gf_rtp_builder_process(tkHint->rtp_p, ptr, size, (u8) !remain, samp->dataLength, duration, (u8) (descIndex + GF_RTP_TX3G_SIDX_OFFSET) );\n\t\t\t\tptr += size;\n\t\t\t\ttkHint->rtp_p->sl_header.accessUnitStartFlag = 0;\n\t\t\t}\n\t\t} else {\n\t\t\te = gf_rtp_builder_process(tkHint->rtp_p, samp->data, samp->dataLength, 1, samp->dataLength, duration, (u8) (descIndex + GF_RTP_TX3G_SIDX_OFFSET) );\n\t\t}\n\t\ttkHint->rtp_p->sl_header.packetSequenceNumber += 1;\n\n\t\t//signal some progress\n\t\tgf_set_progress(\"Hinting\", tkHint->CurrentSample, tkHint->TotalSample);\n\n\t\ttkHint->rtp_p->sl_header.AU_sequenceNumber += 1;\n\t\tgf_isom_sample_del(&samp);\n\n\t\tif (e) return e;\n\t}\n\n\t//flush\n\tgf_rtp_builder_process(tkHint->rtp_p, NULL, 0, 1, 0, 0, 0);\n\n\tgf_isom_end_hint_sample(tkHint->file, tkHint->HintTrack, (u8) tkHint->SampleIsRAP);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 253947251129091178516153854117054977500, "size": 116, "commit_id": "b15020f54aff24aaeb64b80771472be8e64a7adc", "message": "fixed #1662", "target": 1, "dataset": "other", "idx": 197290 }, { "func": "GF_Err gf_isom_hevc_config_update_ex(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex, GF_HEVCConfig *cfg, u32 operand_type, Bool keep_xps)\n{\n\tu32 array_incomplete;\n\tGF_TrackBox *trak;\n\tGF_Err e;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\tGF_SampleDescriptionBox *stsd;\n\n\te = CanAccessMovie(the_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !DescriptionIndex) return GF_BAD_PARAM;\n\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\tentry = (GF_MPEGVisualSampleEntryBox *)gf_list_get(stsd->child_boxes, DescriptionIndex-1);\n\tif (!entry) return GF_BAD_PARAM;\n\tswitch (entry->type) {\n\tcase GF_ISOM_BOX_TYPE_HVC1:\n\tcase GF_ISOM_BOX_TYPE_HEV1:\n\tcase GF_ISOM_BOX_TYPE_HVC2:\n\tcase GF_ISOM_BOX_TYPE_HEV2:\n\tcase 
GF_ISOM_BOX_TYPE_LHV1:\n\tcase GF_ISOM_BOX_TYPE_LHE1:\n\tcase GF_ISOM_BOX_TYPE_HVT1:\n\t\tbreak;\n\tdefault:\n\t\treturn GF_BAD_PARAM;\n\t}\n\n\n\tif (operand_type == GF_ISOM_HVCC_SET_TILE_BASE_TRACK) {\n\t\tif (entry->type==GF_ISOM_BOX_TYPE_HVC1)\n\t\t\tentry->type = GF_ISOM_BOX_TYPE_HVC2;\n\t\telse if (entry->type==GF_ISOM_BOX_TYPE_HEV1)\n\t\t\tentry->type = GF_ISOM_BOX_TYPE_HEV2;\n\t} else if (operand_type == GF_ISOM_HVCC_SET_TILE) {\n\t\tif (!entry->hevc_config) entry->hevc_config = (GF_HEVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_HVCC);\n\t\tif (!entry->hevc_config) return GF_OUT_OF_MEM;\n\t\tif (entry->hevc_config->config) gf_odf_hevc_cfg_del(entry->hevc_config->config);\n\t\tentry->hevc_config->config = NULL;\n\t\tentry->type = GF_ISOM_BOX_TYPE_HVT1;\n\t} else if (operand_type < GF_ISOM_HVCC_SET_LHVC) {\n\t\tif ((operand_type != GF_ISOM_HVCC_SET_INBAND) && !entry->hevc_config) {\n\t\t\tentry->hevc_config = (GF_HEVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_HVCC);\n\t\t\tif (!entry->hevc_config) return GF_OUT_OF_MEM;\n\t\t}\n\n\t\tif (cfg) {\n\t\t\tif (entry->hevc_config->config) gf_odf_hevc_cfg_del(entry->hevc_config->config);\n\t\t\tentry->hevc_config->config = HEVC_DuplicateConfig(cfg);\n\t\t} else {\n\t\t\toperand_type=GF_ISOM_HVCC_SET_INBAND;\n\t\t}\n\t\tarray_incomplete = (operand_type==GF_ISOM_HVCC_SET_INBAND) ? 1 : 0;\n\t\tif (entry->hevc_config && nalu_cleanup_config(entry->hevc_config->config ? entry->hevc_config->config->param_array : NULL,\n\t\t\t(operand_type==GF_ISOM_HVCC_SET_INBAND) ? GF_TRUE:GF_FALSE,\n\t\t\tkeep_xps)\n\t\t) {\n\t\t\tarray_incomplete=1;\n\t\t}\n\n\t\tif (entry->lhvc_config && nalu_cleanup_config(entry->lhvc_config->config ? 
entry->lhvc_config->config->param_array : NULL,\n\t\t\t(operand_type==GF_ISOM_HVCC_SET_INBAND),\n\t\t\tkeep_xps)\n\t\t)\n\t\t\tarray_incomplete=1;\n\n\t\tswitch (entry->type) {\n\t\tcase GF_ISOM_BOX_TYPE_HEV1:\n\t\tcase GF_ISOM_BOX_TYPE_HVC1:\n\t\t\tentry->type = array_incomplete ? GF_ISOM_BOX_TYPE_HEV1 : GF_ISOM_BOX_TYPE_HVC1;\n\t\t\tbreak;\n\t\tcase GF_ISOM_BOX_TYPE_HEV2:\n\t\tcase GF_ISOM_BOX_TYPE_HVC2:\n\t\t\tentry->type = array_incomplete ? GF_ISOM_BOX_TYPE_HEV2 : GF_ISOM_BOX_TYPE_HVC2;\n\t\t\tbreak;\n\t\tcase GF_ISOM_BOX_TYPE_LHE1:\n\t\tcase GF_ISOM_BOX_TYPE_LHV1:\n\t\t\tentry->type = array_incomplete ? GF_ISOM_BOX_TYPE_LHE1 : GF_ISOM_BOX_TYPE_LHV1;\n\t\t\tbreak;\n\t\t}\n\t} else {\n\n\t\t/*SVCC replacement/removal with HEVC base, backward compatible signaling*/\n\t\tif ((operand_type==GF_ISOM_HVCC_SET_LHVC_WITH_BASE_BACKWARD) || (operand_type==GF_ISOM_HVCC_SET_LHVC_WITH_BASE) || (operand_type==GF_ISOM_HVCC_SET_HEVC_TILE_BASE) ) {\n\t\t\tif (!entry->hevc_config) return GF_BAD_PARAM;\n\t\t\tif (!cfg) {\n\t\t\t\tif (entry->lhvc_config) {\n\t\t\t\t\tgf_isom_box_del_parent(&entry->child_boxes, (GF_Box*)entry->lhvc_config);\n\t\t\t\t\tentry->lhvc_config = NULL;\n\t\t\t\t}\n\t\t\t\tif (entry->type==GF_ISOM_BOX_TYPE_LHE1) entry->type = (operand_type==GF_ISOM_HVCC_SET_LHVC_WITH_BASE) ? GF_ISOM_BOX_TYPE_HEV2 : GF_ISOM_BOX_TYPE_HEV1;\n\t\t\t\telse if (entry->type==GF_ISOM_BOX_TYPE_HEV1) entry->type = (operand_type==GF_ISOM_HVCC_SET_LHVC_WITH_BASE) ? GF_ISOM_BOX_TYPE_HEV2 : GF_ISOM_BOX_TYPE_HEV1;\n\t\t\t\telse entry->type = (operand_type==GF_ISOM_HVCC_SET_LHVC_WITH_BASE) ? 
GF_ISOM_BOX_TYPE_HVC2 : GF_ISOM_BOX_TYPE_HVC1;\n\t\t\t} else {\n\t\t\t\tif (operand_type != GF_ISOM_HVCC_SET_HEVC_TILE_BASE) {\n\t\t\t\t\tif (!entry->lhvc_config) {\n\t\t\t\t\t\tentry->lhvc_config = (GF_HEVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_LHVC);\n\t\t\t\t\t\tif (!entry->lhvc_config) return GF_OUT_OF_MEM;\n\t\t\t\t\t}\n\t\t\t\t\tif (entry->lhvc_config->config) gf_odf_hevc_cfg_del(entry->lhvc_config->config);\n\t\t\t\t\tentry->lhvc_config->config = HEVC_DuplicateConfig(cfg);\n\t\t\t\t\tif (!entry->lhvc_config->config) return GF_OUT_OF_MEM;\n\t\t\t\t}\n\t\t\t\t\n\t\t\t\tif (operand_type==GF_ISOM_HVCC_SET_LHVC_WITH_BASE_BACKWARD) {\n\t\t\t\t\tif (entry->type==GF_ISOM_BOX_TYPE_HEV2) entry->type = GF_ISOM_BOX_TYPE_HEV1;\n\t\t\t\t\telse entry->type = GF_ISOM_BOX_TYPE_HVC1;\n\t\t\t\t} else {\n\t\t\t\t\tif (entry->type==GF_ISOM_BOX_TYPE_HEV1) entry->type = GF_ISOM_BOX_TYPE_HEV2;\n\t\t\t\t\telse entry->type = GF_ISOM_BOX_TYPE_HVC2;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t/*LHEVC track without base*/\n\t\telse if (operand_type==GF_ISOM_HVCC_SET_LHVC) {\n\t\t\tif (entry->hevc_config) {\n\t\t\t\tgf_isom_box_del_parent(&entry->child_boxes, (GF_Box*)entry->hevc_config);\n\t\t\t\tentry->hevc_config=NULL;\n\t\t\t}\n\t\t\tif (!cfg) return GF_BAD_PARAM;\n\n\t\t\tif (!entry->lhvc_config) {\n\t\t\t\tentry->lhvc_config = (GF_HEVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_LHVC);\n\t\t\t\tif (!entry->lhvc_config) return GF_OUT_OF_MEM;\n\t\t\t}\n\t\t\tif (entry->lhvc_config->config) gf_odf_hevc_cfg_del(entry->lhvc_config->config);\n\t\t\tentry->lhvc_config->config = HEVC_DuplicateConfig(cfg);\n\t\t\tif (!entry->lhvc_config->config) return GF_OUT_OF_MEM;\n\n\t\t\tif ((entry->type==GF_ISOM_BOX_TYPE_HEV1) || (entry->type==GF_ISOM_BOX_TYPE_HEV2)) entry->type = GF_ISOM_BOX_TYPE_LHE1;\n\t\t\telse entry->type = GF_ISOM_BOX_TYPE_LHV1;\n\t\t}\n\t\t/*LHEVC inband, no config change*/\n\t\telse if 
(operand_type==GF_ISOM_LHCC_SET_INBAND) {\n\t\t\tentry->type = GF_ISOM_BOX_TYPE_LHE1;\n\t\t}\n\t}\n\n\tHEVC_RewriteESDescriptor(entry);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 50099689325971056681351474932798229681, "size": 141, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237562 }, { "func": "GF_Err gf_isom_set_track_reference(GF_ISOFile *the_file, u32 trackNumber, u32 referenceType, GF_ISOTrackID ReferencedTrackID)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\tGF_TrackReferenceBox *tref;\n\tGF_TrackReferenceTypeBox *dpnd;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\t//no tref, create one\n\ttref = trak->References;\n\tif (!tref) {\n\t\ttref = (GF_TrackReferenceBox *) gf_isom_box_new_parent(&trak->child_boxes, GF_ISOM_BOX_TYPE_TREF);\n\t\tif (!tref) return GF_OUT_OF_MEM;\n\t\te = trak_on_child_box((GF_Box*)trak, (GF_Box *) tref, GF_FALSE);\n\t\tif (e) return e;\n\t}\n\t//find a ref of the given type\n\te = Track_FindRef(trak, referenceType, &dpnd);\n\tif (e) return e;\n\n\tif (!dpnd) {\n\t\tdpnd = (GF_TrackReferenceTypeBox *) gf_isom_box_new_parent(&tref->child_boxes, GF_ISOM_BOX_TYPE_REFT);\n\t\tif (!dpnd) return GF_OUT_OF_MEM;\n\t\tdpnd->reference_type = referenceType;\n\t}\n\t//add the ref\n\treturn reftype_AddRefTrack(dpnd, ReferencedTrackID, NULL);\n}", "project": "gpac", "hash": 121777088581359792454980405559683519277, "size": 30, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267347 }, { "func": "static void dump_stats(FILE *dump, const GF_SceneStatistics *stats)\n{\n\tu32 i;\n\ts32 created, count, draw_created, draw_count, deleted, draw_deleted;\n\tcreated = count = draw_created = draw_count = deleted = draw_deleted = 0;\n\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\", gf_list_count(stats->node_stats));\n\tfor (i=0; inode_stats); 
i++) {\n\t\tGF_NodeStats *ptr = gf_list_get(stats->node_stats, i);\n\t\tfprintf(dump, \"\\n\", ptr->name);\n\n\t\tswitch (ptr->tag) {\n#ifndef GPAC_DISABLE_VRML\n\t\tcase TAG_MPEG4_Bitmap:\n\t\tcase TAG_MPEG4_Background2D:\n\t\tcase TAG_MPEG4_Background:\n\t\tcase TAG_MPEG4_Box:\n\t\tcase TAG_MPEG4_Circle:\n\t\tcase TAG_MPEG4_CompositeTexture2D:\n\t\tcase TAG_MPEG4_CompositeTexture3D:\n\t\tcase TAG_MPEG4_Cylinder:\n\t\tcase TAG_MPEG4_Cone:\n\t\tcase TAG_MPEG4_Curve2D:\n\t\tcase TAG_MPEG4_Extrusion:\n\t\tcase TAG_MPEG4_ElevationGrid:\n\t\tcase TAG_MPEG4_IndexedFaceSet2D:\n\t\tcase TAG_MPEG4_IndexedFaceSet:\n\t\tcase TAG_MPEG4_IndexedLineSet2D:\n\t\tcase TAG_MPEG4_IndexedLineSet:\n\t\tcase TAG_MPEG4_PointSet2D:\n\t\tcase TAG_MPEG4_PointSet:\n\t\tcase TAG_MPEG4_Rectangle:\n\t\tcase TAG_MPEG4_Sphere:\n\t\tcase TAG_MPEG4_Text:\n\t\tcase TAG_MPEG4_Ellipse:\n\t\tcase TAG_MPEG4_XCurve2D:\n\t\t\tdraw_count += ptr->nb_created + ptr->nb_used - ptr->nb_del;\n\t\t\tdraw_deleted += ptr->nb_del;\n\t\t\tdraw_created += ptr->nb_created;\n\t\t\tbreak;\n#endif /*GPAC_DISABLE_VRML*/\n\t\t}\n\t\tfprintf(dump, \"\\n\", ptr->nb_created, ptr->nb_used, ptr->nb_del);\n\t\tcount += ptr->nb_created + ptr->nb_used;\n\t\tdeleted += ptr->nb_del;\n\t\tcreated += ptr->nb_created;\n\t\tfprintf(dump, \"\\n\");\n\t}\n\tif (i) {\n\t\tfprintf(dump, \"\\n\", count, created, deleted, stats->nb_svg_attributes);\n\t\tfprintf(dump, \"\\n\", draw_count, draw_created, draw_deleted);\n\t}\n\tfprintf(dump, \"\\n\");\n\n\tcreated = count = deleted = 0;\n\tif (gf_list_count(stats->proto_stats)) {\n\t\tfprintf(dump, \"\\n\", gf_list_count(stats->proto_stats));\n\t\tfor (i=0; iproto_stats); i++) {\n\t\t\tGF_NodeStats *ptr = gf_list_get(stats->proto_stats, i);\n\t\t\tfprintf(dump, \"\\n\", ptr->name);\n\t\t\tfprintf(dump, \"\\n\", ptr->nb_created, ptr->nb_used, ptr->nb_del);\n\t\t\tcount += ptr->nb_created + ptr->nb_used;\n\t\t\tdeleted += ptr->nb_del;\n\t\t\tcreated += ptr->nb_created;\n\t\t\tfprintf(dump, 
\"\\n\");\n\t\t}\n\t\tif (i) fprintf(dump, \"\\n\", count, created, deleted);\n\t\tfprintf(dump, \"\\n\");\n\t}\n\tfprintf(dump, \"\\n\", FIX2FLT( stats->min_fixed) , FIX2FLT( stats->max_fixed ));\n\tfprintf(dump, \"\\n\", stats->scale_int_res_2d, stats->scale_frac_res_2d, stats->int_res_2d, stats->frac_res_2d);\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\", stats->count_2d, stats->rem_2d);\n\tif (stats->count_2d) {\n\t\tfprintf(dump, \"\\n\", FIX2FLT( stats->min_2d.x) , FIX2FLT( stats->min_2d.y ), FIX2FLT( stats->max_2d.x ), FIX2FLT( stats->max_2d.y ) );\n\t}\n\tfprintf(dump, \"\\n\");\n\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\", stats->count_3d, stats->rem_3d);\n\tif (stats->count_3d) {\n\t\tfprintf(dump, \"\\n\", FIX2FLT( stats->min_3d.x ), FIX2FLT( stats->min_3d.y ), FIX2FLT( stats->min_3d.z ), FIX2FLT( stats->max_3d.x ), FIX2FLT( stats->max_3d.y ), FIX2FLT( stats->max_3d.z ) );\n\t}\n\tfprintf(dump, \"\\n\");\n\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\", stats->count_color, stats->rem_color);\n\tfprintf(dump, \"\\n\");\n\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\", stats->count_float, stats->rem_float);\n\tfprintf(dump, \"\\n\");\n\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\", stats->count_2f);\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\", stats->count_3f);\n\tfprintf(dump, \"\\n\");\n}", "project": "gpac", "hash": 130399760364438035266462175900578759027, "size": 102, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243171 }, { "func": "GF_Err gnrv_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tGF_GenericVisualSampleEntryBox *ptr = (GF_GenericVisualSampleEntryBox *)s;\n\n\t//carefull we are not writing the box type but the entry type so switch for write\n\tptr->type = ptr->EntryType;\n\te = gf_isom_box_write_header(s, bs);\n\tif (e) return e;\n\tptr->type = 
GF_ISOM_BOX_TYPE_GNRV;\n\n\tgf_isom_video_sample_entry_write((GF_VisualSampleEntryBox *)ptr, bs);\n\tgf_bs_write_data(bs, ptr->data, ptr->data_size);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 252340136180174114616067279041334462389, "size": 15, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264790 }, { "func": "GF_Err gf_isom_vvc_set_inband_config(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex, Bool keep_xps)\n{\n\treturn gf_isom_vvc_config_update_ex(the_file, trackNumber, DescriptionIndex, NULL, GF_ISOM_VVCC_SET_INBAND, keep_xps);\n}", "project": "gpac", "hash": 200578905911170965698905694705164382876, "size": 4, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237551 }, { "func": "void AVC_RewriteESDescriptor(GF_MPEGVisualSampleEntryBox *avc)\n{\n\tAVC_RewriteESDescriptorEx(avc, NULL);\n}", "project": "gpac", "hash": 284852132715345359605365540910811193036, "size": 4, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237642 }, { "func": "Bool Track_IsMPEG4Stream(u32 HandlerType)\n{\n\tswitch (HandlerType) {\n\tcase GF_ISOM_MEDIA_VISUAL:\n case GF_ISOM_MEDIA_AUXV:\n case GF_ISOM_MEDIA_PICT:\n\tcase GF_ISOM_MEDIA_AUDIO:\n\tcase GF_ISOM_MEDIA_SUBPIC:\n\tcase GF_ISOM_MEDIA_OD:\n\tcase GF_ISOM_MEDIA_OCR:\n\tcase GF_ISOM_MEDIA_SCENE:\n\tcase GF_ISOM_MEDIA_MPEG7:\n\tcase GF_ISOM_MEDIA_OCI:\n\tcase GF_ISOM_MEDIA_IPMP:\n\tcase GF_ISOM_MEDIA_MPEGJ:\n\tcase GF_ISOM_MEDIA_ESM:\n\t\treturn 1;\n\t/*Timedtext is NOT an MPEG-4 stream*/\n\tdefault:\n\t\t/*consider xxsm as MPEG-4 handlers*/\n\t\tif ( (((HandlerType>>8) & 0xFF)== 's') && ((HandlerType& 0xFF)== 'm'))\n\t\t\treturn 1;\n\t\treturn 0;\n\t}\n}", "project": "gpac", "hash": 169517736791926065230474822654110932702, "size": 25, "commit_id": 
"df8fffd839fe5ae9acd82d26fd48280a397411d9", "message": "fixed #1736", "target": 0, "dataset": "other", "idx": 272327 }, { "func": "GF_Err gf_isom_append_edit(GF_ISOFile *movie, u32 trackNumber, u64 EditDuration, u64 MediaTime, GF_ISOEditType EditMode)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\tGF_EdtsEntry *ent;\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\tif (!trak->editBox) {\n\t\tGF_EditBox *edts = (GF_EditBox *) gf_isom_box_new_parent(&trak->child_boxes, GF_ISOM_BOX_TYPE_EDTS);\n\t\tif (!edts) return GF_OUT_OF_MEM;\n\t\ttrak_on_child_box((GF_Box*)trak, (GF_Box *)edts, GF_FALSE);\n\t\tassert(trak->editBox);\n\t}\n\tif (!trak->editBox->editList) {\n\t\tGF_EditListBox *elst = (GF_EditListBox *) gf_isom_box_new_parent(&trak->editBox->child_boxes, GF_ISOM_BOX_TYPE_ELST);\n\t\tif (!elst) return GF_OUT_OF_MEM;\n\t\tedts_on_child_box((GF_Box*)trak->editBox, (GF_Box *)elst, GF_FALSE);\n\t\tassert(trak->editBox->editList);\n\t}\n\tent = (GF_EdtsEntry *)gf_malloc(sizeof(GF_EdtsEntry));\n\tif (!ent) return GF_OUT_OF_MEM;\n\n\tent->segmentDuration = EditDuration;\n\tswitch (EditMode) {\n\tcase GF_ISOM_EDIT_EMPTY:\n\t\tent->mediaRate = 0x10000;\n\t\tent->mediaTime = -1;\n\t\tbreak;\n\tcase GF_ISOM_EDIT_DWELL:\n\t\tent->mediaRate = 0;\n\t\tent->mediaTime = MediaTime;\n\t\tbreak;\n\tdefault:\n\t\tent->mediaRate = 0x10000;\n\t\tent->mediaTime = MediaTime;\n\t\tbreak;\n\t}\n\tgf_list_add(trak->editBox->editList->entryList, ent);\n\treturn SetTrackDuration(trak);\n}", "project": "gpac", "hash": 207605385378870371433752574766901266083, "size": 43, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267245 }, { "func": "GF_Err gf_isom_set_cts_packing(GF_ISOFile *the_file, u32 trackNumber, Bool unpack)\n{\n\tGF_Err e;\n\tGF_Err stbl_repackCTS(GF_CompositionOffsetBox *ctts);\n\tGF_Err 
stbl_unpackCTS(GF_SampleTableBox *stbl);\n\tGF_SampleTableBox *stbl;\n\n\tGF_TrackBox *trak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tstbl = trak->Media->information->sampleTable;\n\tif (unpack) {\n\t\tif (!stbl->CompositionOffset) {\n\t\t\tstbl->CompositionOffset = (GF_CompositionOffsetBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_CTTS);\n\t\t\tif (!stbl->CompositionOffset) return GF_OUT_OF_MEM;\n\t\t}\n\t\te = stbl_unpackCTS(stbl);\n\t} else {\n\t\tif (!stbl->CompositionOffset) return GF_OK;\n\t\te = stbl_repackCTS(stbl->CompositionOffset);\n\t}\n\tif (e) return e;\n\treturn SetTrackDuration(trak);\n}", "project": "gpac", "hash": 247251770704113728341393467179258866846, "size": 24, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267299 }, { "func": "GF_Err gf_isom_add_sample(GF_ISOFile *movie, u32 trackNumber, u32 StreamDescriptionIndex, const GF_ISOSample *sample)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\tGF_SampleEntryBox *entry;\n\tu32 dataRefIndex;\n\tu64 data_offset;\n\tu32 descIndex;\n\tGF_DataEntryURLBox *Dentry;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\te = FlushCaptureMode(movie);\n\tif (e) return e;\n\n\te = unpack_track(trak);\n\tif (e) return e;\n\n\t//OK, add the sample\n\t//1- Get the streamDescriptionIndex and dataRefIndex\n\t//not specified, get the latest used...\n\tdescIndex = StreamDescriptionIndex;\n\tif (!StreamDescriptionIndex) {\n\t\tdescIndex = trak->Media->information->sampleTable->currentEntryIndex;\n\t}\n\te = Media_GetSampleDesc(trak->Media, descIndex, &entry, &dataRefIndex);\n\tif (e) return e;\n\tif (!entry || !dataRefIndex) return GF_BAD_PARAM;\n\t//set the current to this one\n\ttrak->Media->information->sampleTable->currentEntryIndex = 
descIndex;\n\n\n\t//get this dataRef and return false if not self contained\n\tDentry = (GF_DataEntryURLBox*)gf_list_get(trak->Media->information->dataInformation->dref->child_boxes, dataRefIndex - 1);\n\tif (!Dentry || Dentry->flags != 1) return GF_BAD_PARAM;\n\n\t//Open our data map. We are adding stuff, so use EDIT\n\te = gf_isom_datamap_open(trak->Media, dataRefIndex, 1);\n\tif (e) return e;\n\n\t//Get the offset...\n\tdata_offset = gf_isom_datamap_get_offset(trak->Media->information->dataHandler);\n\n\t/*rewrite OD frame*/\n\tif (trak->Media->handler->handlerType == GF_ISOM_MEDIA_OD) {\n\t\tGF_ISOSample *od_sample = NULL;\n\n\t\te = Media_ParseODFrame(trak->Media, sample, &od_sample);\n\t\tif (e) return e;\n\n\t\te = trak_add_sample(movie, trak, od_sample, descIndex, data_offset, 0);\n\n\t\tif (od_sample)\n\t\t\tgf_isom_sample_del(&od_sample);\n\t} else {\n\t\te = trak_add_sample(movie, trak, sample, descIndex, data_offset, 0);\n\t}\n\tif (e) return e;\n\n\n\tif (!movie->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\treturn SetTrackDuration(trak);\n}", "project": "gpac", "hash": 43787366459069236571605196677194636603, "size": 68, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267311 }, { "func": "void PrintDASHUsage()\n{\n\tu32 i=0;\n\tgf_sys_format_help(helpout, help_flags, \"# DASH Options\\n\"\n\t\t\"Also see:\\n\"\n\t\t\"- the [dasher `gpac -h dash`](dasher) filter documentation\\n\"\n\t\t\"- [[online DASH Intro doc|DASH Introduction]].\\n\"\n\t\t\"\\n\"\n\t\t\"# Specifying input files\\n\"\n\t\t\"Input media files to dash can use the following modifiers\\n\"\n\t\t\"- #trackID=N: only use the track ID N from the source file\\n\"\n\t\t\"- #N: only use the track ID N from the source file (mapped to [-tkid](mp4dmx))\\n\"\n\t\t\"- #video: only use the first video track from the source file\\n\"\n\t\t\"- #audio: only use the first audio track from 
the source file\\n\"\n\t\t\"- :id=NAME: set the representation ID to NAME. Reserved value `NULL` disables representation ID for multiplexed inputs\\n\"\n\t\t\"- :dur=VALUE: process VALUE seconds from the media. If VALUE is longer than media duration, last sample duration is extended.\\n\"\n\t\t\"- :period=NAME: set the representation's period to NAME. Multiple periods may be used. Periods appear in the MPD in the same order as specified with this option\\n\"\n\t\t\"- :BaseURL=NAME: set the BaseURL. Set multiple times for multiple BaseURLs\\nWarning: This does not modify generated files location (see segment template).\\n\"\n\t\t\"- :bandwidth=VALUE: set the representation's bandwidth to a given value\\n\"\n\t\t\"- :pdur=VALUE: increase the duration of this period by the given duration in seconds (alias for period_duration:VALUE). This is only used when no input media is specified (remote period insertion), eg `:period=X:xlink=Z:pdur=Y`\\n\"\n\t\t\"- :duration=VALUE: override target DASH segment duration for this input\\n\"\n\t\t\"- :xlink=VALUE: set the xlink value for the period containing this element. Only the xlink declared on the first rep of a period will be used\\n\"\n\t\t\"- :asID=VALUE: set the AdaptationSet ID to NAME\\n\"\n\t\t\"- :role=VALUE: set the role of this representation (cf DASH spec). Media with different roles belong to different adaptation sets.\\n\"\n\t\t\"- :desc_p=VALUE: add a descriptor at the Period level. Value must be a properly formatted XML element.\\n\"\n\t\t\"- :desc_as=VALUE: add a descriptor at the AdaptationSet level. Value must be a properly formatted XML element. Two input files with different values will be in different AdaptationSet elements.\\n\"\n\t\t\"- :desc_as_c=VALUE: add a descriptor at the AdaptationSet level. Value must be a properly formatted XML element. Value is ignored while creating AdaptationSet elements.\\n\"\n\t\t\"- :desc_rep=VALUE: add a descriptor at the Representation level. 
Value must be a properly formatted XML element. Value is ignored while creating AdaptationSet elements.\\n\"\n\t\t\"- :sscale: force movie timescale to match media timescale of the first track in the segment.\\n\"\n\t\t\"- :trackID=N: only use the track ID N from the source file\\n\"\n\t\t\"- @@f1[:args][@@fN:args]: set a filter chain to insert between the source and the dasher. Each filter in the chain is formatted as a regular filter, see [filter doc `gpac -h doc`](filters_general). If several filters are set, they will be chained in the given order.\\n\"\n\t\t\"\\n\"\n\t\t\"Note: `@@f` must be placed after all other options.\\n\"\n\t\t\"\\n\"\n\t\t\"# Options\\n\"\n\t\t);\n\n\n\twhile (m4b_dash_args[i].name) {\n\t\tGF_GPACArg *arg = &m4b_dash_args[i];\n\t\ti++;\n\t\tgf_sys_print_arg(helpout, help_flags, arg, \"mp4box-dash\");\n\t}\n}", "project": "gpac", "hash": 267956754654200037439327618334571120593, "size": 44, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244397 }, { "func": "static GF_Err UpdateSample(GF_MediaBox *mdia, u32 sampleNumber, u32 size, s32 CTS, u64 offset, u8 isRap)\n{\n\tu32 i;\n\tGF_SampleTableBox *stbl = mdia->information->sampleTable;\n\n\t//set size, offset, RAP, CTS ...\n\tstbl_SetSampleSize(stbl->SampleSize, sampleNumber, size);\n\tstbl_SetChunkOffset(mdia, sampleNumber, offset);\n\n\t//do we have a CTS?\n\tif (stbl->CompositionOffset) {\n\t\tstbl_SetSampleCTS(stbl, sampleNumber, CTS);\n\t} else {\n\t\t//do we need one ??\n\t\tif (CTS) {\n\t\t\tstbl->CompositionOffset = (GF_CompositionOffsetBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_CTTS);\n\t\t\tif (!stbl->CompositionOffset) return GF_OUT_OF_MEM;\n\t\t\tstbl_AddCTS(stbl, sampleNumber, CTS);\n\t\t}\n\t}\n\t//do we have a sync ???\n\tif (stbl->SyncSample) {\n\t\tstbl_SetSampleRAP(stbl->SyncSample, sampleNumber, isRap);\n\t} else {\n\t\t//do we need one\n\t\tif (! 
isRap) {\n\t\t\tstbl->SyncSample = (GF_SyncSampleBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STSS);\n\t\t\tif (!stbl->SyncSample) return GF_OUT_OF_MEM;\n\t\t\t//what a pain: all the sample we had have to be sync ...\n\t\t\tfor (i=0; iSampleSize->sampleCount; i++) {\n\t\t\t\tif (i+1 != sampleNumber) stbl_AddRAP(stbl->SyncSample, i+1);\n\t\t\t}\n\t\t}\n\t}\n\tif (isRap==2) {\n\t\tstbl_SetRedundant(stbl, sampleNumber);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 300840580013244553612030611753298094097, "size": 39, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231621 }, { "func": "GF_Err gf_isom_get_cenc_info(GF_ISOFile *the_file, u32 trackNumber, u32 sampleDescriptionIndex, u32 *outOriginalFormat, u32 *outSchemeType, u32 *outSchemeVersion)\n{\n\tGF_TrackBox *trak;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\n\tsinf = isom_get_sinf_entry(trak, sampleDescriptionIndex, GF_ISOM_CENC_SCHEME, NULL);\n\tif (!sinf) sinf = isom_get_sinf_entry(trak, sampleDescriptionIndex, GF_ISOM_CBC_SCHEME, NULL);\n\tif (!sinf) sinf = isom_get_sinf_entry(trak, sampleDescriptionIndex, GF_ISOM_CENS_SCHEME, NULL);\n\tif (!sinf) sinf = isom_get_sinf_entry(trak, sampleDescriptionIndex, GF_ISOM_CBCS_SCHEME, NULL);\n\tif (!sinf) sinf = isom_get_sinf_entry(trak, sampleDescriptionIndex, GF_ISOM_PIFF_SCHEME, NULL);\n\n\tif (!sinf) return GF_BAD_PARAM;\n\n\tif (outOriginalFormat) {\n\t\t*outOriginalFormat = sinf->original_format->data_format;\n\t\tif (IsMP4Description(sinf->original_format->data_format)) *outOriginalFormat = GF_ISOM_SUBTYPE_MPEG4;\n\t}\n\tif (outSchemeType) *outSchemeType = sinf->scheme_type->scheme_type;\n\tif (outSchemeVersion) *outSchemeVersion = sinf->scheme_type->scheme_version;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 185848137892879891371159992249914425548, 
"size": 25, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275408 }, { "func": "GF_EXPORT\nGF_Err gf_isom_get_visual_info(GF_ISOFile *movie, u32 trackNumber, u32 StreamDescriptionIndex, u32 *Width, u32 *Height)\n{\n\tGF_TrackBox *trak;\n\tGF_SampleEntryBox *entry;\n\tGF_SampleDescriptionBox *stsd;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\tif (!stsd) return movie->LastError = GF_ISOM_INVALID_FILE;\n\tif (!StreamDescriptionIndex || StreamDescriptionIndex > gf_list_count(stsd->child_boxes)) return movie->LastError = GF_BAD_PARAM;\n\n\tentry = (GF_SampleEntryBox *)gf_list_get(stsd->child_boxes, StreamDescriptionIndex - 1);\n\t//no support for generic sample entries (eg, no MPEG4 descriptor)\n\tif (entry == NULL) return GF_BAD_PARAM;\n\n\t//valid for MPEG visual, JPG and 3GPP H263\n\tif (entry->internal_type == GF_ISOM_SAMPLE_ENTRY_VIDEO) {\n\t\t*Width = ((GF_VisualSampleEntryBox*)entry)->Width;\n\t\t*Height = ((GF_VisualSampleEntryBox*)entry)->Height;\n\t} else if (trak->Media->handler->handlerType==GF_ISOM_MEDIA_SCENE) {\n\t\t*Width = trak->Header->width>>16;\n\t\t*Height = trak->Header->height>>16;\n\t} else {\n\t\treturn GF_BAD_PARAM;\n\t}\n\treturn GF_OK;", "project": "gpac", "hash": 106432086624777517301806879307403049038, "size": 29, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246809 }, { "func": "GF_Err gf_isom_box_parse_ex(GF_Box **outBox, GF_BitStream *bs, u32 parent_type, Bool is_root_box)\n{\n\tu32 type, uuid_type, hdr_size;\n\tu64 size, start, payload_start, end;\n\tchar uuid[16];\n\tGF_Err e;\n\tGF_Box *newBox;\n\tBool skip_logs = gf_bs_get_cookie(bs) ? 
GF_TRUE : GF_FALSE;\n\tBool is_special = GF_TRUE;\n\n\tif ((bs == NULL) || (outBox == NULL) ) return GF_BAD_PARAM;\n\t*outBox = NULL;\n\tif (gf_bs_available(bs) < 8) {\n\t\treturn GF_ISOM_INCOMPLETE_FILE;\n\t}\n\n\tstart = gf_bs_get_position(bs);\n\n\tuuid_type = 0;\n\tsize = (u64) gf_bs_read_u32(bs);\n\thdr_size = 4;\n\t/*fix for some boxes found in some old hinted files*/\n\tif ((size >= 2) && (size <= 4)) {\n\t\tsize = 4;\n\t\ttype = GF_ISOM_BOX_TYPE_VOID;\n\t} else {\n\t\ttype = gf_bs_read_u32(bs);\n\t\thdr_size += 4;\n\t\t/*no size means till end of file - EXCEPT FOR some old QuickTime boxes...*/\n\t\tif (type == GF_ISOM_BOX_TYPE_TOTL)\n\t\t\tsize = 12;\n\t\tif (!size) {\n\t\t\tif (is_root_box) {\n\t\t\t\tif (!skip_logs) {\n\t\t\t\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, (\"[iso file] Warning Read Box type %s (0x%08X) size 0 reading till the end of file\\n\", gf_4cc_to_str(type), type));\n\t\t\t\t}\n\t\t\t\tsize = gf_bs_available(bs) + 8;\n\t\t\t} else {\n\t\t\t\tif (!skip_logs) {\n\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Read Box type %s (0x%08X) at position \"LLU\" has size 0 but is not at root/file level, skipping\\n\", gf_4cc_to_str(type), type, start));\n\t\t\t\t}\n\t\t\t\treturn GF_OK;\n//\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\t\t}\n\t}\n\t/*handle uuid*/\n\tmemset(uuid, 0, 16);\n\tif (type == GF_ISOM_BOX_TYPE_UUID ) {\n\t\tif (gf_bs_available(bs) < 16) {\n\t\t\treturn GF_ISOM_INCOMPLETE_FILE;\n\t\t}\n\t\tgf_bs_read_data(bs, uuid, 16);\n\t\thdr_size += 16;\n\t\tuuid_type = gf_isom_solve_uuid_box(uuid);\n\t}\n\n\t//handle large box\n\tif (size == 1) {\n\t\tif (gf_bs_available(bs) < 8) {\n\t\t\treturn GF_ISOM_INCOMPLETE_FILE;\n\t\t}\n\t\tsize = gf_bs_read_u64(bs);\n\t\thdr_size += 8;\n\t}\n\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, (\"[iso file] Read Box type %s size \"LLD\" start \"LLD\"\\n\", gf_4cc_to_str(type), LLD_CAST size, LLD_CAST start));\n\n\tif ( size < hdr_size ) {\n\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, 
(\"[iso file] Box size \"LLD\" less than box header size %d\\n\", LLD_CAST size, hdr_size));\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\n\t//some special boxes (references and track groups) are handled by a single generic box with an associated ref/group type\n\tif (parent_type && (parent_type == GF_ISOM_BOX_TYPE_TREF)) {\n\t\tnewBox = gf_isom_box_new(GF_ISOM_BOX_TYPE_REFT);\n\t\tif (!newBox) return GF_OUT_OF_MEM;\n\t\t((GF_TrackReferenceTypeBox*)newBox)->reference_type = type;\n\t} else if (parent_type && (parent_type == GF_ISOM_BOX_TYPE_IREF)) {\n\t\tnewBox = gf_isom_box_new(GF_ISOM_BOX_TYPE_REFI);\n\t\tif (!newBox) return GF_OUT_OF_MEM;\n\t\t((GF_ItemReferenceTypeBox*)newBox)->reference_type = type;\n\t} else if (parent_type && (parent_type == GF_ISOM_BOX_TYPE_TRGR)) {\n\t\tnewBox = gf_isom_box_new(GF_ISOM_BOX_TYPE_TRGT);\n\t\tif (!newBox) return GF_OUT_OF_MEM;\n\t\t((GF_TrackGroupTypeBox*)newBox)->group_type = type;\n\t} else if (parent_type && (parent_type == GF_ISOM_BOX_TYPE_GRPL)) {\n\t\tnewBox = gf_isom_box_new(GF_ISOM_BOX_TYPE_GRPT);\n\t\tif (!newBox) return GF_OUT_OF_MEM;\n\t\t((GF_EntityToGroupTypeBox*)newBox)->grouping_type = type;\n\t} else {\n\t\t//OK, create the box based on the type\n\t\tis_special = GF_FALSE;\n\t\tnewBox = gf_isom_box_new_ex(uuid_type ? 
uuid_type : type, parent_type, skip_logs, is_root_box);\n\t\tif (!newBox) return GF_OUT_OF_MEM;\n\t}\n\n\t//OK, init and read this box\n\tif (type==GF_ISOM_BOX_TYPE_UUID && !is_special) {\n\t\tmemcpy(((GF_UUIDBox *)newBox)->uuid, uuid, 16);\n\t\t((GF_UUIDBox *)newBox)->internal_4cc = uuid_type;\n\t}\n\n\tif (!newBox->type) newBox->type = type;\n\tpayload_start = gf_bs_get_position(bs);\n\nretry_unknown_box:\n\n\tend = gf_bs_available(bs);\n\tif (size - hdr_size > end ) {\n\t\tnewBox->size = size - hdr_size - end;\n\t\t*outBox = newBox;\n\t\treturn GF_ISOM_INCOMPLETE_FILE;\n\t}\n\n\tnewBox->size = size - hdr_size;\n\n\tif (newBox->size) {\n\t\te = gf_isom_full_box_read(newBox, bs);\n\t\tif (!e) e = gf_isom_box_read(newBox, bs);\n\t\tnewBox->size = size;\n\t\tend = gf_bs_get_position(bs);\n\t} else {\n\t\tnewBox->size = size;\n\t\t//empty box\n\t\te = GF_OK;\n\t\tend = gf_bs_get_position(bs);\n\t}\n\n\tif (e && (e != GF_ISOM_INCOMPLETE_FILE)) {\n\t\tgf_isom_box_del(newBox);\n\t\t*outBox = NULL;\n\n\t\tif (parent_type==GF_ISOM_BOX_TYPE_STSD) {\n\t\t\tnewBox = gf_isom_box_new(GF_ISOM_BOX_TYPE_UNKNOWN);\n\t\t\t((GF_UnknownBox *)newBox)->original_4cc = type;\n\t\t\tnewBox->size = size;\n\t\t\tgf_bs_seek(bs, payload_start);\n\t\t\tgoto retry_unknown_box;\n\t\t}\n\t\tif (!skip_logs) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Read Box \\\"%s\\\" (start \"LLU\") failed (%s) - skipping\\n\", gf_4cc_to_str(type), start, gf_error_to_string(e)));\n\t\t}\n\t\t//we don't try to reparse known boxes that have been failing (too dangerous)\n\t\treturn e;\n\t}\n\n\tif (end-start > size) {\n\t\tif (!skip_logs) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Box \\\"%s\\\" size \"LLU\" (start \"LLU\") invalid (read \"LLU\")\\n\", gf_4cc_to_str(type), LLU_CAST size, start, LLU_CAST (end-start) ));\n\t\t}\n\t\t/*let's still try to load the file since no error was notified*/\n\t\tgf_bs_seek(bs, start+size);\n\t} else if (end-start < size) {\n\t\tu32 
to_skip = (u32) (size-(end-start));\n\t\tif (!skip_logs) {\n\t\t\tif ((to_skip!=4) || gf_bs_peek_bits(bs, 32, 0)) {\n\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Box \\\"%s\\\" (start \"LLU\") has %u extra bytes\\n\", gf_4cc_to_str(type), start, to_skip));\n\t\t\t}\n\t\t}\n\t\tgf_bs_skip_bytes(bs, to_skip);\n\t}\n\t*outBox = newBox;\n\n\treturn e;\n}", "project": "gpac", "hash": 63019188358498749414838156609255855956, "size": 165, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 1, "dataset": "other", "idx": 195345 }, { "func": "GF_Err gf_isom_box_parse_ex(GF_Box **outBox, GF_BitStream *bs, u32 parent_type, Bool is_root_box)\n{\n\tu32 type, uuid_type, hdr_size;\n\tu64 size, start, payload_start, end;\n\tchar uuid[16];\n\tGF_Err e;\n\tGF_Box *newBox;\n\tBool skip_logs = gf_bs_get_cookie(bs) ? GF_TRUE : GF_FALSE;\n\tBool is_special = GF_TRUE;\n\n\tif ((bs == NULL) || (outBox == NULL) ) return GF_BAD_PARAM;\n\t*outBox = NULL;\n\tif (gf_bs_available(bs) < 8) {\n\t\treturn GF_ISOM_INCOMPLETE_FILE;\n\t}\n\n\tstart = gf_bs_get_position(bs);\n\n\tuuid_type = 0;\n\tsize = (u64) gf_bs_read_u32(bs);\n\thdr_size = 4;\n\t/*fix for some boxes found in some old hinted files*/\n\tif ((size >= 2) && (size <= 4)) {\n\t\tsize = 4;\n\t\ttype = GF_ISOM_BOX_TYPE_VOID;\n\t} else {\n\t\ttype = gf_bs_read_u32(bs);\n\t\thdr_size += 4;\n\t\t/*no size means till end of file - EXCEPT FOR some old QuickTime boxes...*/\n\t\tif (type == GF_ISOM_BOX_TYPE_TOTL)\n\t\t\tsize = 12;\n\t\tif (!size) {\n\t\t\tif (is_root_box) {\n\t\t\t\tif (!skip_logs) {\n\t\t\t\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, (\"[iso file] Warning Read Box type %s (0x%08X) size 0 reading till the end of file\\n\", gf_4cc_to_str(type), type));\n\t\t\t\t}\n\t\t\t\tsize = gf_bs_available(bs) + 8;\n\t\t\t} else {\n\t\t\t\tif (!skip_logs) {\n\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Read Box type %s (0x%08X) at position \"LLU\" 
has size 0 but is not at root/file level, skipping\\n\", gf_4cc_to_str(type), type, start));\n\t\t\t\t}\n\t\t\t\treturn GF_OK;\n//\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\t\t}\n\t}\n\t/*handle uuid*/\n\tmemset(uuid, 0, 16);\n\tif (type == GF_ISOM_BOX_TYPE_UUID ) {\n\t\tif (gf_bs_available(bs) < 16) {\n\t\t\treturn GF_ISOM_INCOMPLETE_FILE;\n\t\t}\n\t\tgf_bs_read_data(bs, uuid, 16);\n\t\thdr_size += 16;\n\t\tuuid_type = gf_isom_solve_uuid_box(uuid);\n\t}\n\n\t//handle large box\n\tif (size == 1) {\n\t\tif (gf_bs_available(bs) < 8) {\n\t\t\treturn GF_ISOM_INCOMPLETE_FILE;\n\t\t}\n\t\tsize = gf_bs_read_u64(bs);\n\t\thdr_size += 8;\n\t}\n\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, (\"[iso file] Read Box type %s size \"LLD\" start \"LLD\"\\n\", gf_4cc_to_str(type), LLD_CAST size, LLD_CAST start));\n\n\tif ( size < hdr_size ) {\n\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, (\"[iso file] Box size \"LLD\" less than box header size %d\\n\", LLD_CAST size, hdr_size));\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\n\t//some special boxes (references and track groups) are handled by a single generic box with an associated ref/group type\n\tif (parent_type && (parent_type == GF_ISOM_BOX_TYPE_TREF)) {\n\t\tnewBox = gf_isom_box_new(GF_ISOM_BOX_TYPE_REFT);\n\t\tif (!newBox) return GF_OUT_OF_MEM;\n\t\t((GF_TrackReferenceTypeBox*)newBox)->reference_type = type;\n\t} else if (parent_type && (parent_type == GF_ISOM_BOX_TYPE_IREF)) {\n\t\tnewBox = gf_isom_box_new(GF_ISOM_BOX_TYPE_REFI);\n\t\tif (!newBox) return GF_OUT_OF_MEM;\n\t\t((GF_ItemReferenceTypeBox*)newBox)->reference_type = type;\n\t} else if (parent_type && (parent_type == GF_ISOM_BOX_TYPE_TRGR)) {\n\t\tnewBox = gf_isom_box_new(GF_ISOM_BOX_TYPE_TRGT);\n\t\tif (!newBox) return GF_OUT_OF_MEM;\n\t\t((GF_TrackGroupTypeBox*)newBox)->group_type = type;\n\t} else if (parent_type && (parent_type == GF_ISOM_BOX_TYPE_GRPL)) {\n\t\tnewBox = gf_isom_box_new(GF_ISOM_BOX_TYPE_GRPT);\n\t\tif (!newBox) return 
GF_OUT_OF_MEM;\n\t\t((GF_EntityToGroupTypeBox*)newBox)->grouping_type = type;\n\t} else {\n\t\t//OK, create the box based on the type\n\t\tis_special = GF_FALSE;\n\t\tnewBox = gf_isom_box_new_ex(uuid_type ? uuid_type : type, parent_type, skip_logs, is_root_box);\n\t\tif (!newBox) return GF_OUT_OF_MEM;\n\t}\n\n\t//OK, init and read this box\n\tif (type==GF_ISOM_BOX_TYPE_UUID && !is_special) {\n\t\tmemcpy(((GF_UUIDBox *)newBox)->uuid, uuid, 16);\n\t\t((GF_UUIDBox *)newBox)->internal_4cc = uuid_type;\n\t}\n\n\tif (!newBox->type) newBox->type = type;\n\tpayload_start = gf_bs_get_position(bs);\n\nretry_unknown_box:\n\n\tend = gf_bs_available(bs);\n\tif (size - hdr_size > end ) {\n\t\tnewBox->size = size - hdr_size - end;\n\t\t*outBox = newBox;\n\t\treturn GF_ISOM_INCOMPLETE_FILE;\n\t}\n\n\tnewBox->size = size - hdr_size;\n\n\t//parse even if size is 0 - this makes sure that we perform box parsing (usually in box->read)\n\te = gf_isom_full_box_read(newBox, bs);\n\tif (!e) e = gf_isom_box_read(newBox, bs);\n\tnewBox->size = size;\n\tend = gf_bs_get_position(bs);\n\n\tif (e && (e != GF_ISOM_INCOMPLETE_FILE)) {\n\t\tgf_isom_box_del(newBox);\n\t\t*outBox = NULL;\n\n\t\tif (parent_type==GF_ISOM_BOX_TYPE_STSD) {\n\t\t\tnewBox = gf_isom_box_new(GF_ISOM_BOX_TYPE_UNKNOWN);\n\t\t\t((GF_UnknownBox *)newBox)->original_4cc = type;\n\t\t\tnewBox->size = size;\n\t\t\tgf_bs_seek(bs, payload_start);\n\t\t\tgoto retry_unknown_box;\n\t\t}\n\t\tif (!skip_logs) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Read Box \\\"%s\\\" (start \"LLU\") failed (%s) - skipping\\n\", gf_4cc_to_str(type), start, gf_error_to_string(e)));\n\t\t}\n\t\t//we don't try to reparse known boxes that have been failing (too dangerous)\n\t\treturn e;\n\t}\n\n\tif (end-start > size) {\n\t\tif (!skip_logs) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Box \\\"%s\\\" size \"LLU\" (start \"LLU\") invalid (read \"LLU\")\\n\", gf_4cc_to_str(type), LLU_CAST size, start, LLU_CAST (end-start) 
));\n\t\t}\n\t\t/*let's still try to load the file since no error was notified*/\n\t\tgf_bs_seek(bs, start+size);\n\t} else if (end-start < size) {\n\t\tu32 to_skip = (u32) (size-(end-start));\n\t\tif (!skip_logs) {\n\t\t\tif ((to_skip!=4) || gf_bs_peek_bits(bs, 32, 0)) {\n\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Box \\\"%s\\\" (start \"LLU\") has %u extra bytes\\n\", gf_4cc_to_str(type), start, to_skip));\n\t\t\t}\n\t\t}\n\t\tgf_bs_skip_bytes(bs, to_skip);\n\t}\n\t*outBox = newBox;\n\n\treturn e;\n}", "project": "gpac", "hash": 267073801759882457635850212143910860248, "size": 159, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224922 }, { "func": "GF_Err gf_isom_apple_set_tag(GF_ISOFile *mov, GF_ISOiTunesTag tag, const u8 *data, u32 data_len, u64 int_val, u32 int_val2)\n{\n\tGF_Err e;\n\tGF_ItemListBox *ilst;\n\tGF_MetaBox *meta;\n\tGF_ListItemBox *info;\n\tu32 btype, i, itype;\n\ts32 tag_idx;\n\tu32 n=0, d=0;\n\tu8 loc_data[10];\n\tu32 int_flags = 0x15;\n\tGF_DataBox *dbox;\n\n\te = CanAccessMovie(mov, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttag_idx = gf_itags_find_by_itag(tag);\n\tif (tag_idx<0) {\n\t\titype = GF_ITAG_STR;\n\t} else {\n\t\titype = gf_itags_get_type(tag_idx);\n\t}\n\tmeta = (GF_MetaBox *) gf_isom_create_meta_extensions(mov, GF_FALSE);\n\tif (!meta) return GF_BAD_PARAM;\n\n\tilst = gf_ismo_locate_box(meta->child_boxes, GF_ISOM_BOX_TYPE_ILST, NULL);\n\tif (!ilst) {\n\t\tilst = (GF_ItemListBox *) gf_isom_box_new_parent(&meta->child_boxes, GF_ISOM_BOX_TYPE_ILST);\n\t}\n\n\tif (tag==GF_ISOM_ITUNE_RESET) {\n\t\tgf_isom_box_del_parent(&meta->child_boxes, (GF_Box *) ilst);\n\t\t//if last, delete udta - we may still have a handler box remaining\n\t\tif ((gf_list_count(meta->child_boxes) <= 1) && (gf_list_count(mov->moov->udta->recordList)==1)) {\n\t\t\tgf_isom_box_del_parent(&mov->moov->child_boxes, (GF_Box *) 
mov->moov->udta);\n\t\t\tmov->moov->udta = NULL;\n\t\t}\n\t\treturn GF_OK;\n\t}\n\n\tif (tag==GF_ISOM_ITUNE_GENRE) {\n\t\tif (!int_val && data) {\n\t\t\tint_val = gf_id3_get_genre_tag(data);\n\t\t\tif (int_val) {\n\t\t\t\tdata = NULL;\n\t\t\t\tdata_len = 0;\n\t\t\t\titype = GF_ITAG_INT16;\n\t\t\t\tint_flags = 0;\n\t\t\t}\n\t\t}\n\t\tbtype = data ? GF_ISOM_ITUNE_GENRE_USER : GF_ISOM_ITUNE_GENRE;\n\t} else {\n\t\tbtype = tag;\n\t}\n\t/*remove tag*/\n\ti = 0;\n\twhile ((info = (GF_ListItemBox*)gf_list_enum(ilst->child_boxes, &i))) {\n\t\tif (info->type==btype) {\n\t\t\tgf_isom_box_del_parent(&ilst->child_boxes, (GF_Box *) info);\n\t\t\tinfo = NULL;\n\t\t\tbreak;\n\t\t}\n\t\tif (info->type==GF_ISOM_BOX_TYPE_UNKNOWN) {\n\t\t\tGF_UnknownBox *u = (GF_UnknownBox *) info;\n\t\t\tif (u->original_4cc==btype) {\n\t\t\t\tgf_isom_box_del_parent(&ilst->child_boxes, (GF_Box *) info);\n\t\t\t\tinfo = NULL;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (!data && data_len) {\n\t\tif (!gf_list_count(ilst->child_boxes) )\n\t\t\tgf_isom_box_del_parent(&meta->child_boxes, (GF_Box *) ilst);\n\t\treturn GF_OK;\n\t}\n\n\tinfo = (GF_ListItemBox *)gf_isom_box_new(btype);\n\tif (info == NULL) return GF_OUT_OF_MEM;\n\n\tdbox = (GF_DataBox *)gf_isom_box_new_parent(&info->child_boxes, GF_ISOM_BOX_TYPE_DATA);\n\tif (!dbox) {\n\t\tgf_isom_box_del((GF_Box *)info);\n\t\treturn GF_OUT_OF_MEM;\n\t}\n\tif (info->type!=GF_ISOM_BOX_TYPE_UNKNOWN) {\n\t\tinfo->data = dbox;\n\t}\n\n\tswitch (itype) {\n\tcase GF_ITAG_FRAC6:\n\tcase GF_ITAG_FRAC8:\n\t\tif (data && data_len) {\n\t\t\tif (sscanf(data, \"%u/%u\", &n, &d) != 2) {\n\t\t\t\tn = d = 0;\n\t\t\t\tif (sscanf(data, \"%u\", &n) != 1)\n\t\t\t\t\tn = 0;\n\t\t\t}\n\t\t} else {\n\t\t\tn = (u32) int_val;\n\t\t\td = int_val2;\n\t\t}\n\t\tif (n) {\n\t\t\tmemset(loc_data, 0, sizeof(char) * 8);\n\t\t\tdata_len = (itype == GF_ITAG_FRAC6) ? 
6 : 8;\n\t\t\tloc_data[3] = n;\n\t\t\tloc_data[2] = n >> 8;\n\t\t\tloc_data[5] = d;\n\t\t\tloc_data[4] = d >> 8;\n\t\t\tdata = loc_data;\n\t\t} else {\n\t\t\tdata = NULL;\n\t\t}\n\t\tdbox->flags = 0x15;\n\t\tbreak;\n\tcase GF_ITAG_BOOL:\n\t\tloc_data[0] = 0;\n\t\tif (data && data_len) {\n\t\t\tif ( !strcmp(data, \"yes\") || !strcmp(data, \"1\") || !strcmp(data, \"true\"))\n\t\t\t\tloc_data[0] = 1;\n\t\t} else {\n\t\t\tloc_data[0] = int_val ? 1 : 0;\n\t\t}\n\t\tdata = loc_data;\n\t\tdata_len = 0;\n\t\tdbox->flags = int_flags;\n\t\tbreak;\n\tcase GF_ITAG_INT16:\n\t\tloc_data[0] = 0;\n\t\tif (data && data_len) int_val = atoi(data);\n\t\tloc_data[1] = (u8) int_val;\n\t\tloc_data[0] = (u8) (int_val>>8);\n\t\tdata = loc_data;\n\t\tdata_len = 2;\n\t\tdbox->flags = int_flags;\n\t\tbreak;\n\tcase GF_ITAG_INT32:\n\t\tloc_data[0] = 0;\n\t\tif (data && data_len) int_val = atoi(data);\n\t\tloc_data[3] = (u8) int_val;\n\t\tloc_data[2] = (u8) (int_val>>8);\n\t\tloc_data[1] = (u8) (int_val>>16);\n\t\tloc_data[0] = (u8) (int_val>>24);\n\t\tdata = loc_data;\n\t\tdata_len = 4;\n\t\tdbox->flags = int_flags;\n\t\tbreak;\n\tcase GF_ITAG_INT64:\n\t\tloc_data[0] = 0;\n\t\tif (data && data_len) sscanf(data, LLU, &int_val);\n\t\tloc_data[7] = (u8) int_val;\n\t\tloc_data[6] = (u8) (int_val>>8);\n\t\tloc_data[5] = (u8) (int_val>>16);\n\t\tloc_data[4] = (u8) (int_val>>24);\n\t\tloc_data[3] = (u8) (int_val>>32);\n\t\tloc_data[2] = (u8) (int_val>>40);\n\t\tloc_data[1] = (u8) (int_val>>48);\n\t\tloc_data[0] = (u8) (int_val>>56);\n\t\tdata = loc_data;\n\t\tdata_len = 4;\n\t\tdbox->flags = int_flags;\n\t\tbreak;\n\tdefault:\n\t\tdbox->flags = 1;\n\t\tbreak;\n\t}\n\n\tif (!data) return GF_BAD_PARAM;\n\n\n\tif (tag==GF_ISOM_ITUNE_COVER_ART) {\n\t\tinfo->data->flags = 0;\n\t\t/*check for PNG sig*/\n\t\tif ((data_len>4) && (data[0] == 0x89) && (data[1] == 0x50) && (data[2] == 0x4E) && (data[3] == 0x47) ) {\n\t\t\tinfo->data->flags = 14;\n\t\t}\n\t\telse if ((data_len>4) && (data[0] == 0xFF) && (data[1] 
== 0xD8) && (data[2] == 0xFF) && (data[3] == 0xE0) ) {\n\t\t\tinfo->data->flags = 13;\n\t\t}\n\t\telse if ((data_len>3) && (data[0] == 'G') && (data[1] == 'I') && (data[2] == 'F') ) {\n\t\t\tinfo->data->flags = 12;\n\t\t}\n\t}\n\n\tdbox->dataSize = data_len;\n\tdbox->data = (char*)gf_malloc(sizeof(char)*data_len);\n\tif (!dbox->data) return GF_OUT_OF_MEM;\n\tmemcpy(dbox->data, data, sizeof(char)*data_len);\n\n\tif (!info && !gf_list_count(ilst->child_boxes) ) {\n\t\tgf_isom_box_del_parent(&meta->child_boxes, (GF_Box *) ilst);\n\t\treturn GF_OK;\n\t}\n\tif (!ilst->child_boxes) ilst->child_boxes = gf_list_new();\n\t\n\treturn gf_list_add(ilst->child_boxes, info);\n}", "project": "gpac", "hash": 256779304338689360745486879149839918351, "size": 198, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267168 }, { "func": "GF_Err gf_isom_box_parse(GF_Box **outBox, GF_BitStream *bs)\n{\n\treturn gf_isom_box_parse_ex(outBox, bs, 0, GF_FALSE);\n}", "project": "gpac", "hash": 129139268815977092926163672659812991874, "size": 4, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224916 }, { "func": "GF_Err elst_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tu32 i;\n\tu32 nb_entries;\n\tGF_EditListBox *ptr = (GF_EditListBox *)s;\n\tif (!ptr) return GF_BAD_PARAM;\n\n\tnb_entries = gf_list_count(ptr->entryList);\n\te = gf_isom_full_box_write(s, bs);\n\tif (e) return e;\n\tgf_bs_write_u32(bs, nb_entries);\n\tfor (i = 0; i < nb_entries; i++ ) {\n\t\tGF_EdtsEntry *p = (GF_EdtsEntry*)gf_list_get(ptr->entryList, i);\n\t\tif (ptr->version == 1) {\n\t\t\tgf_bs_write_u64(bs, p->segmentDuration);\n\t\t\tgf_bs_write_u64(bs, p->mediaTime);\n\t\t} else {\n\t\t\tgf_bs_write_u32(bs, (u32) p->segmentDuration);\n\t\t\tgf_bs_write_u32(bs, (s32) p->mediaTime);\n\t\t}\n\t\tgf_bs_write_u16(bs, 
p->mediaRate);\n\t\tgf_bs_write_u16(bs, 0);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 79581818181089242772546806279077151730, "size": 26, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264829 }, { "func": "GF_Err stbl_on_child_box(GF_Box *s, GF_Box *a)\n{\n\tGF_SampleTableBox *ptr = (GF_SampleTableBox *)s;\n\tif (!a) return GF_OK;\n\tswitch (a->type) {\n\tcase GF_ISOM_BOX_TYPE_STTS:\n\t\tif (ptr->TimeToSample) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->TimeToSample = (GF_TimeToSampleBox *)a;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_CTTS:\n\t\tif (ptr->CompositionOffset) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->CompositionOffset = (GF_CompositionOffsetBox *)a;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_CSLG:\n\t\tif (ptr->CompositionToDecode) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->CompositionToDecode = (GF_CompositionToDecodeBox *)a;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_STSS:\n\t\tif (ptr->SyncSample) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->SyncSample = (GF_SyncSampleBox *)a;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_STSD:\n\t\tif (ptr->SampleDescription) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->SampleDescription =(GF_SampleDescriptionBox *)a;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_STZ2:\n\tcase GF_ISOM_BOX_TYPE_STSZ:\n\t\tif (ptr->SampleSize) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->SampleSize = (GF_SampleSizeBox *)a;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_STSC:\n\t\tif (ptr->SampleToChunk) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->SampleToChunk = (GF_SampleToChunkBox *)a;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_PADB:\n\t\tif (ptr->PaddingBits) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->PaddingBits = (GF_PaddingBitsBox *) a;\n\t\tbreak;\n\n\t//WARNING: AS THIS MAY CHANGE DYNAMICALLY DURING EDIT,\n\tcase GF_ISOM_BOX_TYPE_CO64:\n\tcase GF_ISOM_BOX_TYPE_STCO:\n\t\tif (ptr->ChunkOffset) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->ChunkOffset = a;\n\t\treturn GF_OK;\n\tcase 
GF_ISOM_BOX_TYPE_STSH:\n\t\tif (ptr->ShadowSync) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->ShadowSync = (GF_ShadowSyncBox *)a;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_STDP:\n\t\tif (ptr->DegradationPriority) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->DegradationPriority = (GF_DegradationPriorityBox *)a;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_SDTP:\n\t\tif (ptr->SampleDep) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->SampleDep = (GF_SampleDependencyTypeBox *)a;\n\t\tbreak;\n\n\tcase GF_ISOM_BOX_TYPE_SUBS:\n\t\tif (!ptr->sub_samples) ptr->sub_samples = gf_list_new();\n\t\tgf_list_add(ptr->sub_samples, a);\n\t\t//check subsample box\n\t\t{\n\t\t\tGF_SubSampleInformationBox *subs = (GF_SubSampleInformationBox *)a;\n\t\t\tGF_SubSampleInfoEntry *ent = gf_list_get(subs->Samples, 0);\n\t\t\tif (!ent) {\n\t\t\t\tgf_list_rem(subs->Samples, 0);\n\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] first entry in SubSample in track SampleTable is invalid\\n\"));\n\t\t\t}\n\t\t\telse if (ent->sample_delta==0) {\n\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] first entry in SubSample in track SampleTable has sample_delta of 0, should be one. 
Fixing\\n\"));\n\t\t\t\tent->sample_delta = 1;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\tcase GF_ISOM_BOX_TYPE_SBGP:\n\t\tif (!ptr->sampleGroups) ptr->sampleGroups = gf_list_new();\n\t\tgf_list_add(ptr->sampleGroups, a);\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_SGPD:\n\t\tif (!ptr->sampleGroupsDescription) ptr->sampleGroupsDescription = gf_list_new();\n\t\tgf_list_add(ptr->sampleGroupsDescription, a);\n\t\tbreak;\n\n\tcase GF_ISOM_BOX_TYPE_SAIZ:\n\t\tif (!ptr->sai_sizes) ptr->sai_sizes = gf_list_new();\n\t\tgf_list_add(ptr->sai_sizes, a);\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_SAIO:\n\t\tif (!ptr->sai_offsets) ptr->sai_offsets = gf_list_new();\n\t\tgf_list_add(ptr->sai_offsets, a);\n\t\tbreak;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 151285325328101355264316319447921608325, "size": 96, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264793 }, { "func": "int mp4boxMain(int argc, char **argv)\n{\n\tu32 i, j;\n\tconst char *gpac_profile = \"0\";\n\tGF_Err e = GF_OK;\n\tnb_tsel_acts = nb_add = nb_cat = nb_track_act = nb_sdp_ex = max_ptime = nb_meta_act = rtp_rate = major_brand = nb_alt_brand_add = nb_alt_brand_rem = car_dur = minor_version = 0;\n\n\tsplit_duration = 0.0;\n\tsplit_start = -1.0;\n\tinterleaving_time = 0;\n\tdash_duration = dash_subduration = 0.0;\n\timport_fps.num = import_fps.den = 0;\n\timport_flags = 0;\n\tsplit_size = 0;\n\tmovie_time = 0;\n\tdump_nal = dump_saps = dump_saps_mode = force_new = 0;\n\tFullInter = HintInter = encode = do_scene_log = old_interleave = do_saf = do_hash = verbose = do_mpd_rip = merge_vtt_cues = get_nb_tracks = GF_FALSE;\n#ifndef GPAC_DISABLE_SCENE_DUMP\n\tdump_mode = GF_SM_DUMP_NONE;\n#endif\n\tFrag = force_ocr = remove_sys_tracks = agg_samples = remove_hint = keep_sys_tracks = remove_root_od = single_group = clean_groups = compress_moov = GF_FALSE;\n\tconv_type = HintIt = needSave = print_sdp = regular_iod = dump_std = open_edit = dump_rtp = dump_cr = 
dump_srt = dump_ttxt = dump_m2ts = dump_cart = import_subtitle = force_cat = pack_wgt = dash_live = GF_FALSE;\n\tno_fragments_defaults = GF_FALSE;\n\tsingle_traf_per_moof = hls_clock = GF_FALSE;\n tfdt_per_traf = GF_FALSE;\n\tdump_nal_type = 0;\n\tdump_isom = 0;\n\tprint_info = 0;\n\t/*align cat is the new default behaviour for -cat*/\n\talign_cat = GF_TRUE;\n\tsubsegs_per_sidx = 0;\n\ttrack_dump_type = 0;\n\tcrypt = 0;\n\ttime_shift_depth = 0;\n\tfile = NULL;\n\titunes_tags = pes_dump = NULL;\n\tseg_name = dash_ctx_file = NULL;\n\tcompress_top_boxes = NULL;\n\tinitial_moof_sn = 0;\n\tinitial_tfdt = 0;\n\n#ifndef GPAC_DISABLE_SCENE_ENCODER\n\tmemset(&smenc_opts, 0, sizeof(smenc_opts));\n#endif\n\n\ttrackID = stat_level = hint_flags = 0;\n\tprogram_number = 0;\n\tinfo_track_id = 0;\n\tdo_flat = 0;\n\tinName = outName = mediaSource = input_ctx = output_ctx = drm_file = avi2raw = cprt = chap_file = pack_file = raw_cat = high_dynamc_range_filename = use_init_seg = box_patch_filename = NULL;\n\n#ifndef GPAC_DISABLE_SWF_IMPORT\n\tswf_flags = GF_SM_SWF_SPLIT_TIMELINE;\n#endif\n\tswf_flatten_angle = 0.0f;\n\ttmpdir = NULL;\n\n\tfor (i = 1; i < (u32) argc ; i++) {\n\t\tif (!strcmp(argv[i], \"-mem-track\") || !strcmp(argv[i], \"-mem-track-stack\")) {\n#ifdef GPAC_MEMORY_TRACKING\n mem_track = !strcmp(argv[i], \"-mem-track-stack\") ? 
GF_MemTrackerBackTrace : GF_MemTrackerSimple;\n#else\n\t\t\tfprintf(stderr, \"WARNING - GPAC not compiled with Memory Tracker - ignoring \\\"%s\\\"\\n\", argv[i]);\n#endif\n\t\t\tbreak;\n\t\t}\n\t\telse if (!strcmp(argv[i], \"-p\")) {\n\t\t\tif (i+1<(u32) argc)\n\t\t\t\tgpac_profile = argv[i+1];\n\t\t\telse {\n\t\t\t\tfprintf(stderr, \"Bad argument for -p, expecting profile name but no more args\\n\");\n\t\t\t\treturn 1;\n\t\t\t}\n\t\t}\n\t\telse if (!strncmp(argv[i], \"-p=\", 3))\n\t\t\tgpac_profile = argv[i]+3;\n\t}\n\n#ifdef _TWO_DIGIT_EXPONENT\n\t_set_output_format(_TWO_DIGIT_EXPONENT);\n#endif\n\n\t/*init libgpac*/\n\tgf_sys_init(mem_track, gpac_profile);\n\tif (argc < 2) {\n\t\tfprintf(stderr, \"Not enough arguments - check usage with -h\\n\"\n\t\t\t\"MP4Box - GPAC version %s\\n\"\n\t \"%s\\n\", gf_gpac_version(), gf_gpac_copyright());\n\t\tgf_sys_close();\n\t\treturn 0;\n\t}\n\n\thelpout = stdout;\n\n\ti = mp4box_parse_args(argc, argv);\n\tif (i) {\n\t\treturn mp4box_cleanup(i - 1);\n\t}\n\n\tif (!inName && dump_std)\n\t\tinName = \"std\";\n\n\tif (!inName) {\n\t\tif (has_next_arg) {\n\t\t\tfprintf(stderr, \"Broken argument specifier or file name missing - check usage with -h\\n\");\n\t\t} else {\n\t\t\tPrintUsage();\n\t\t}\n\t\treturn mp4box_cleanup(1);\n\t}\n\tif (!strcmp(inName, \"std\")) dump_std = 2;\n\tif (!strcmp(inName, \"stdb\")) {\n\t\tinName = \"std\";\n\t\tdump_std = 1;\n\t}\n\n\tif (!interleaving_time) {\n\t\t/*by default use single fragment per dash segment*/\n\t\tif (dash_duration)\n\t\t\tinterleaving_time = dash_duration;\n\t\telse if (!do_flat) {\n\t\t\tinterleaving_time = DEFAULT_INTERLEAVING_IN_SEC;\n\t\t}\n\t}\n\n\tif (dump_std)\n\t\toutName = \"std\";\n\n\tif (dump_std==2) {\n#ifdef WIN32\n\t\tif ( _setmode(_fileno(stdout), _O_BINARY) == -1 )\n#else\n\t\tif ( freopen(NULL, \"wb\", stdout) == NULL)\n#endif\n\t\t{\n\t\t\tfprintf(stderr, \"Fatal error: cannot reopen stdout in binary mode.\\n\");\n\t\t\treturn 
mp4box_cleanup(1);\n\t\t}\n\t}\n\n#if !defined(GPAC_DISABLE_STREAMING) && !defined(GPAC_DISABLE_SENG)\n\tif (live_scene) {\n\t\tint ret = live_session(argc, argv);\n\t\treturn mp4box_cleanup(ret);\n\t}\n#endif\n\n\tGF_LOG_Level level = verbose ? GF_LOG_DEBUG : GF_LOG_INFO;\n\tgf_log_set_tool_level(GF_LOG_CONTAINER, level);\n\tgf_log_set_tool_level(GF_LOG_SCENE, level);\n\tgf_log_set_tool_level(GF_LOG_PARSER, level);\n\tgf_log_set_tool_level(GF_LOG_AUTHOR, level);\n\tgf_log_set_tool_level(GF_LOG_CODING, level);\n\tgf_log_set_tool_level(GF_LOG_DASH, level);\n#ifdef GPAC_MEMORY_TRACKING\n\tif (mem_track)\n\t\tgf_log_set_tool_level(GF_LOG_MEMORY, level);\n#endif\n\n\te = gf_sys_set_args(argc, (const char **) argv);\n\tif (e) {\n\t\tfprintf(stderr, \"Error assigning libgpac arguments: %s\\n\", gf_error_to_string(e) );\n\t\treturn mp4box_cleanup(1);\n\t}\n\n\tif (raw_cat) {\n\t\tchar chunk[4096];\n\t\tFILE *fin, *fout;\n\t\ts64 to_copy, done;\n\t\tfin = gf_fopen(raw_cat, \"rb\");\n\t\tif (!fin) return mp4box_cleanup(1);\n\n\t\tfout = gf_fopen(inName, \"a+b\");\n\t\tif (!fout) {\n\t\t\tgf_fclose(fin);\n\t\t\treturn mp4box_cleanup(1);\n\t\t}\n\t\tgf_fseek(fin, 0, SEEK_END);\n\t\tto_copy = gf_ftell(fin);\n\t\tgf_fseek(fin, 0, SEEK_SET);\n\t\tdone = 0;\n\t\twhile (1) {\n\t\t\tu32 nb_bytes = (u32) gf_fread(chunk, 4096, fin);\n\t\t\tgf_fwrite(chunk, nb_bytes, fout);\n\t\t\tdone += nb_bytes;\n\t\t\tfprintf(stderr, \"Appending file %s - %02.2f done\\r\", raw_cat, 100.0*done/to_copy);\n\t\t\tif (done >= to_copy) break;\n\t\t}\n\t\tgf_fclose(fin);\n\t\tgf_fclose(fout);\n\t\treturn mp4box_cleanup(0);\n\t}\n\tif (compress_top_boxes) {\n\t\tif (size_top_box) {\n\t\t\tu64 top_size = do_size_top_boxes(inName, compress_top_boxes, size_top_box);\n\t\t\tfprintf(stdout, LLU\"\\n\", top_size);\n\t\t\treturn mp4box_cleanup(e ? 1 : 0);\n\t\t} else {\n\t\t\te = do_compress_top_boxes(inName, outName, compress_top_boxes, comp_top_box_version, comp_lzma);\n\t\t\treturn mp4box_cleanup(e ? 
1 : 0);\n\t\t}\n\t}\n\n\tif (do_mpd_rip) {\n\t\te = rip_mpd(inName, outName);\n\t\treturn mp4box_cleanup(e ? 1 : 0);\n\t}\n\n#ifndef GPAC_DISABLE_CORE_TOOLS\n\tif (do_wget != NULL) {\n\t\te = gf_dm_wget(do_wget, inName, 0, 0, NULL);\n\t\tif (e != GF_OK) {\n\t\t\tfprintf(stderr, \"Cannot retrieve %s: %s\\n\", do_wget, gf_error_to_string(e) );\n\t\t\treturn mp4box_cleanup(1);\n\t\t}\n\t\treturn mp4box_cleanup(0);\n\t}\n#endif\n\n\tif (udp_dest) {\n\t\tGF_Socket *sock = gf_sk_new(GF_SOCK_TYPE_UDP);\n\t\tu16 port = 2345;\n\t\tchar *sep = strrchr(udp_dest, ':');\n\t\tif (sep) {\n\t\t\tsep[0] = 0;\n\t\t\tport = atoi(sep+1);\n\t\t}\n\t\te = gf_sk_bind( sock, \"127.0.0.1\", 0, udp_dest, port, 0);\n\t\tif (sep) sep[0] = ':';\n\t\tif (e) fprintf(stderr, \"Failed to bind socket to %s: %s\\n\", udp_dest, gf_error_to_string(e) );\n\t\telse {\n\t\t\te = gf_sk_send(sock, (u8 *) inName, (u32)strlen(inName));\n\t\t\tif (e) fprintf(stderr, \"Failed to send datagram: %s\\n\", gf_error_to_string(e) );\n\t\t}\n\t\tgf_sk_del(sock);\n\t\treturn 0;\n\t}\n\n#ifndef GPAC_DISABLE_MPD\n\tif (do_mpd) {\n\t\tBool remote = GF_FALSE;\n\t\tGF_MPD *mpd;\n\t\tchar *mpd_base_url = NULL;\n\t\tif (!strnicmp(inName, \"http://\", 7) || !strnicmp(inName, \"https://\", 8)) {\n#if !defined(GPAC_DISABLE_CORE_TOOLS)\n\t\t\te = gf_dm_wget(inName, \"tmp_main.m3u8\", 0, 0, &mpd_base_url);\n\t\t\tif (e != GF_OK) {\n\t\t\t\tfprintf(stderr, \"Cannot retrieve M3U8 (%s): %s\\n\", inName, gf_error_to_string(e));\n\t\t\t\tif (mpd_base_url) gf_free(mpd_base_url);\n\t\t\t\treturn mp4box_cleanup(1);\n\t\t\t}\n\t\t\tremote = GF_TRUE;\n#else\n\t\t\tgf_free(mpd_base_url);\n\t\t\tfprintf(stderr, \"HTTP Downloader disabled in this build\\n\");\n\t\t\treturn mp4box_cleanup(1);\n#endif\n\n\t\t\tif (outName)\n\t\t\t\tstrcpy(outfile, outName);\n\t\t\telse {\n\t\t\t\tconst char *sep = gf_file_basename(inName);\n\t\t\t\tchar *ext = gf_file_ext_start(sep);\n\t\t\t\tif (ext) ext[0] = 0;\n\t\t\t\tsprintf(outfile, \"%s.mpd\", 
sep);\n\t\t\t\tif (ext) ext[0] = '.';\n\t\t\t}\n\t\t} else {\n\t\t\tif (outName)\n\t\t\t\tstrcpy(outfile, outName);\n\t\t\telse {\n\t\t\t\tchar *dst = strdup(inName);\n\t\t\t\tchar *ext = strstr(dst, \".m3u8\");\n\t\t\t\tif (ext) ext[0] = 0;\n\t\t\t\tsprintf(outfile, \"%s.mpd\", dst);\n\t\t\t\tgf_free(dst);\n\t\t\t}\n\t\t}\n\n\t\tmpd = gf_mpd_new();\n\t\tif (!mpd) {\n\t\t\te = GF_OUT_OF_MEM;\n\t\t\tfprintf(stderr, \"[DASH] Error: MPD creation problem %s\\n\", gf_error_to_string(e));\n\t\t\tmp4box_cleanup(1);\n\t\t}\n\t\tFILE *f = gf_fopen(remote ? \"tmp_main.m3u8\" : inName, \"r\");\n\t\tu32 manif_type = 0;\n\t\tif (f) {\n\t\t\tchar szDATA[1000];\n\t\t\ts32 read;\n\t\t\tszDATA[999]=0;\n\t\t\tread = (s32) gf_fread(szDATA, 999, f);\n\t\t\tif (read<0) read = 0;\n\t\t\tszDATA[read]=0;\n\t\t\tgf_fclose(f);\n\t\t\tif (strstr(szDATA, \"SmoothStreamingMedia\"))\n\t\t\t\tmanif_type = 2;\n\t\t\telse if (strstr(szDATA, \"#EXTM3U\"))\n\t\t\t\tmanif_type = 1;\n\t\t}\n\n\t\tif (manif_type==1) {\n\t\t\te = gf_m3u8_to_mpd(remote ? \"tmp_main.m3u8\" : inName, mpd_base_url ? mpd_base_url : inName, outfile, 0, \"video/mp2t\", GF_TRUE, use_url_template, segment_timeline, NULL, mpd, GF_TRUE, GF_TRUE);\n\t\t} else if (manif_type==2) {\n\t\t\te = gf_mpd_smooth_to_mpd(remote ? \"tmp_main.m3u8\" : inName, mpd, mpd_base_url ? mpd_base_url : inName);\n\t\t} else {\n\t\t\te = GF_NOT_SUPPORTED;\n\t\t}\n\t\tif (!e)\n\t\t\tgf_mpd_write_file(mpd, outfile);\n\n\t\tif (mpd)\n\t\t\tgf_mpd_del(mpd);\n\t\tif (mpd_base_url)\n\t\t\tgf_free(mpd_base_url);\n\n\t\tif (remote) {\n\t\t\tgf_file_delete(\"tmp_main.m3u8\");\n\t\t}\n\t\tif (e != GF_OK) {\n\t\t\tfprintf(stderr, \"Error converting %s (%s) to MPD (%s): %s\\n\", (manif_type==1) ? \"HLS\" : \"Smooth\", inName, outfile, gf_error_to_string(e));\n\t\t\treturn mp4box_cleanup(1);\n\t\t} else {\n\t\t\tfprintf(stderr, \"Done converting %s (%s) to MPD (%s)\\n\", (manif_type==1) ? 
\"HLS\" : \"Smooth\", inName, outfile);\n\t\t\treturn mp4box_cleanup(0);\n\t\t}\n\t}\n#endif\n\tif (dash_duration && !nb_dash_inputs) {\n\t\tdash_inputs = set_dash_input(dash_inputs, inName, &nb_dash_inputs);\n\t}\n\n\n\tif (do_saf && !encode) {\n\t\tswitch (get_file_type_by_ext(inName)) {\n\t\tcase GF_FILE_TYPE_BT_WRL_X3DV:\n\t\tcase GF_FILE_TYPE_XMT_X3D:\n\t\tcase GF_FILE_TYPE_SVG:\n\t\t\tencode = GF_TRUE;\n\t\t\tbreak;\n\t\tcase GF_FILE_TYPE_NOT_SUPPORTED:\n\t\tcase GF_FILE_TYPE_ISO_MEDIA:\n\t\tcase GF_FILE_TYPE_SWF:\n\t\tcase GF_FILE_TYPE_LSR_SAF:\n\t\t\tbreak;\n\t\t}\n\t}\n\n#ifndef GPAC_DISABLE_SCENE_DUMP\n\tif (dump_mode == GF_SM_DUMP_SVG) {\n\t\tif (strstr(inName, \".srt\") || strstr(inName, \".ttxt\")) import_subtitle = 2;\n\t}\n#endif\n\n\n\tif (import_subtitle && !trackID) {\n\t\t/* We import the subtitle file,\n\t\t i.e. we parse it and store the content as samples of a 3GPP Timed Text track in an ISO file,\n\t\t possibly for later export (e.g. when converting SRT to TTXT, ...) 
*/\n#ifndef GPAC_DISABLE_MEDIA_IMPORT\n\t\tGF_MediaImporter import;\n\t\t/* Prepare the importer */\n\t\tfile = gf_isom_open(\"ttxt_convert\", GF_ISOM_OPEN_WRITE, NULL);\n\t\tif (timescale && file) gf_isom_set_timescale(file, timescale);\n\n\t\tmemset(&import, 0, sizeof(GF_MediaImporter));\n\t\timport.dest = file;\n\t\timport.in_name = inName;\n\t\t/* Start the import */\n\t\te = gf_media_import(&import);\n\t\tif (e) {\n\t\t\tfprintf(stderr, \"Error importing %s: %s\\n\", inName, gf_error_to_string(e));\n\t\t\tgf_isom_delete(file);\n\t\t\tgf_file_delete(\"ttxt_convert\");\n\t\t\treturn mp4box_cleanup(1);\n\t\t}\n\t\t/* Prepare the export */\n\t\tstrcpy(outfile, inName);\n\t\tif (strchr(outfile, '.')) {\n\t\t\twhile (outfile[strlen(outfile)-1] != '.') outfile[strlen(outfile)-1] = 0;\n\t\t\toutfile[strlen(outfile)-1] = 0;\n\t\t}\n#ifndef GPAC_DISABLE_ISOM_DUMP\n\t\t/* Start the export of the track #1, in the appropriate dump type, indicating it's a conversion */\n\t\tdump_isom_timed_text(file, gf_isom_get_track_id(file, 1),\n\t\t\t\t\t\t\t dump_std ? NULL : (outName ? outName : outfile), outName ? GF_TRUE : GF_FALSE,\n\t\t GF_TRUE,\n\t\t (import_subtitle==2) ? GF_TEXTDUMPTYPE_SVG : (dump_srt ? GF_TEXTDUMPTYPE_SRT : GF_TEXTDUMPTYPE_TTXT));\n#endif\n\t\t/* Clean the importer */\n\t\tgf_isom_delete(file);\n\t\tgf_file_delete(\"ttxt_convert\");\n\t\tif (e) {\n\t\t\tfprintf(stderr, \"Error converting %s: %s\\n\", inName, gf_error_to_string(e));\n\t\t\treturn mp4box_cleanup(1);\n\t\t}\n\t\treturn mp4box_cleanup(0);\n#else\n\t\tfprintf(stderr, \"Feature not supported\\n\");\n\t\treturn mp4box_cleanup(1);\n#endif\n\t}\n\n#if !defined(GPAC_DISABLE_MEDIA_IMPORT) && !defined(GPAC_DISABLE_ISOM_WRITE)\n\tif (nb_add || nb_cat) {\n\t\tu32 ipass, nb_pass = 1;\n\t\tchar *mux_args=NULL;\n\t\tGF_FilterSession *fs = NULL;\n\t\tif (nb_add) {\n\n\t\t\tGF_ISOOpenMode open_mode = GF_ISOM_OPEN_EDIT;\n\t\t\tif (force_new) {\n\t\t\t\topen_mode = (do_flat || (force_new==2)) ? 
GF_ISOM_OPEN_WRITE : GF_ISOM_WRITE_EDIT;\n\t\t\t} else {\n\t\t\t\tFILE *test = gf_fopen(inName, \"rb\");\n\t\t\t\tif (!test) {\n\t\t\t\t\topen_mode = (do_flat) ? GF_ISOM_OPEN_WRITE : GF_ISOM_WRITE_EDIT;\n\t\t\t\t\tif (!outName) outName = inName;\n\t\t\t\t} else {\n\t\t\t\t\tgf_fclose(test);\n\t\t\t\t\tif (! gf_isom_probe_file(inName) ) {\n\t\t\t\t\t\topen_mode = (do_flat) ? GF_ISOM_OPEN_WRITE : GF_ISOM_WRITE_EDIT;\n\t\t\t\t\t\tif (!outName) outName = inName;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\topen_edit = do_flat ? GF_FALSE : GF_TRUE;\n\t\t\tfile = gf_isom_open(inName, open_mode, tmpdir);\n\t\t\tif (!file) {\n\t\t\t\tfprintf(stderr, \"Cannot open destination file %s: %s\\n\", inName, gf_error_to_string(gf_isom_last_error(NULL)) );\n\t\t\t\treturn mp4box_cleanup(1);\n\t\t\t}\n\n\t\t\tif (freeze_box_order)\n\t\t\t\tgf_isom_freeze_order(file);\n\t\t}\n\n\t\tif (do_flat && interleaving_time) {\n\t\t\tchar szSubArg[100];\n\t\t\tgf_isom_set_storage_mode(file, GF_ISOM_STORE_FASTSTART);\n\t\t\tdo_flat = 2;\n\t\t\tnb_pass = 2;\n\t\t\tfs = gf_fs_new_defaults(0);\n\t\t\tif (!fs) {\n\t\t\t\tfprintf(stderr, \"Error creating filter session\\n\");\n\t\t\t\tgf_isom_delete(file);\n\t\t\t\treturn mp4box_cleanup(1);\n\t\t\t}\n\n\t\t\t//mux args\n\t\t\tgf_dynstrcat(&mux_args, \"mp4mx:importer:store=fstart\", \":\");\n\n\t\t\tsprintf(szSubArg, \"file=%p\", file);\n\t\t\tgf_dynstrcat(&mux_args, szSubArg, \":\");\n\t\t\tsprintf(szSubArg, \"cdur=%g\", interleaving_time);\n\t\t\tgf_dynstrcat(&mux_args, szSubArg, \":\");\n\t\t}\n\n\t\tfor (ipass=0; ipass0) && (dash_duration > dash_subduration)) {\n\t\t\tfprintf(stderr, \"Warning: -subdur parameter (%g s) should be greater than segment duration (%g s), using segment duration instead\\n\", dash_subduration, dash_duration);\n\t\t\tdash_subduration = dash_duration;\n\t\t}\n\n\t\tif (dash_mode && dash_live)\n\t\t\tfprintf(stderr, \"Live DASH-ing - press 'q' to quit, 's' to save context and quit\\n\");\n\n\t\tif (!dash_ctx_file && dash_live) 
{\n\t\t\tu32 r1;\n\t\t\tu64 add = (u64) (intptr_t) &dasher;\n\t\t\tadd ^= gf_net_get_utc();\n\t\t\tr1 = (u32) add ^ (u32) (add/0xFFFFFFFF);\n\t\t\tr1 ^= gf_rand();\n \t\t\tsprintf(szStateFile, \"%s/dasher_%X.xml\", gf_get_default_cache_directory(), r1 );\n\t\t\tdash_ctx_file = szStateFile;\n\t\t\tdyn_state_file = GF_TRUE;\n\t\t} else if (dash_ctx_file) {\n\t\t\tif (force_new)\n\t\t\t\tgf_file_delete(dash_ctx_file);\n\t\t}\n\n\t\tif (dash_profile==GF_DASH_PROFILE_AUTO)\n\t\t\tdash_profile = dash_mode ? GF_DASH_PROFILE_LIVE : GF_DASH_PROFILE_FULL;\n\n\t\tif (!dash_mode) {\n\t\t\ttime_shift_depth = 0;\n\t\t\tmpd_update_time = 0;\n\t\t} else if ((dash_profile>=GF_DASH_PROFILE_MAIN) && !use_url_template && !mpd_update_time) {\n\t\t\t/*use a default MPD update of dash_duration sec*/\n\t\t\tmpd_update_time = (Double) (dash_subduration ? dash_subduration : dash_duration);\n\t\t\tfprintf(stderr, \"Using default MPD refresh of %g seconds\\n\", mpd_update_time);\n\t\t}\n\n\t\tif (file && needSave) {\n\t\t\tgf_isom_close(file);\n\t\t\tfile = NULL;\n\t\t\tdel_file = GF_TRUE;\n\t\t}\n\n\t\t/*setup dash*/\n\t\tdasher = gf_dasher_new(szMPD, dash_profile, tmpdir, dash_scale, dash_ctx_file);\n\t\tif (!dasher) {\n\t\t\treturn mp4box_cleanup(1);\n\t\t}\n\t\te = gf_dasher_set_info(dasher, dash_title, cprt, dash_more_info, dash_source, NULL);\n\t\tif (e) {\n\t\t\tfprintf(stderr, \"DASH Error: %s\\n\", gf_error_to_string(e));\n\t\t\tgf_dasher_del(dasher);\n\t\t\treturn mp4box_cleanup(1);\n\t\t}\n\n\t\tgf_dasher_set_start_date(dasher, dash_start_date);\n\t\tgf_dasher_set_location(dasher, dash_source);\n\t\tfor (i=0; i < nb_mpd_base_urls; i++) {\n\t\t\te = gf_dasher_add_base_url(dasher, mpd_base_urls[i]);\n\t\t\tif (e) {\n\t\t\t\tfprintf(stderr, \"DASH Error: %s\\n\", gf_error_to_string(e));\n\t\t\t\tgf_dasher_del(dasher);\n\t\t\t\treturn mp4box_cleanup(1);\n\t\t\t}\n\t\t}\n\n\t\tif (segment_timeline && !use_url_template) {\n\t\t\tfprintf(stderr, \"DASH Warning: using -segment-timeline 
with no -url-template. Forcing URL template.\\n\");\n\t\t\tuse_url_template = GF_TRUE;\n\t\t}\n\n\t\te = gf_dasher_enable_url_template(dasher, (Bool) use_url_template, seg_name, seg_ext, init_seg_ext);\n\t\tif (!e) e = gf_dasher_enable_segment_timeline(dasher, segment_timeline);\n\t\tif (!e) e = gf_dasher_enable_single_segment(dasher, single_segment);\n\t\tif (!e) e = gf_dasher_enable_single_file(dasher, single_file);\n\t\tif (!e) e = gf_dasher_set_switch_mode(dasher, bitstream_switching_mode);\n\t\tif (!e) e = gf_dasher_set_durations(dasher, dash_duration, interleaving_time, dash_subduration);\n\t\tif (!e) e = gf_dasher_enable_rap_splitting(dasher, seg_at_rap, frag_at_rap);\n\t\tif (!e) e = gf_dasher_set_segment_marker(dasher, segment_marker);\n\t\tif (!e) e = gf_dasher_enable_sidx(dasher, (subsegs_per_sidx>=0) ? 1 : 0, (u32) subsegs_per_sidx, daisy_chain_sidx, use_ssix);\n\t\tif (!e) e = gf_dasher_set_dynamic_mode(dasher, dash_mode, mpd_update_time, time_shift_depth, mpd_live_duration);\n\t\tif (!e) e = gf_dasher_set_min_buffer(dasher, min_buffer);\n\t\tif (!e) e = gf_dasher_set_ast_offset(dasher, ast_offset_ms);\n\t\tif (!e) e = gf_dasher_enable_memory_fragmenting(dasher, memory_frags);\n\t\tif (!e) e = gf_dasher_set_initial_isobmf(dasher, initial_moof_sn, initial_tfdt);\n\t\tif (!e) e = gf_dasher_configure_isobmf_default(dasher, no_fragments_defaults, pssh_mode, samplegroups_in_traf, single_traf_per_moof, tfdt_per_traf, mvex_after_traks, sdtp_in_traf);\n\t\tif (!e) e = gf_dasher_enable_utc_ref(dasher, insert_utc);\n\t\tif (!e) e = gf_dasher_enable_real_time(dasher, frag_real_time);\n\t\tif (!e) e = gf_dasher_set_content_protection_location_mode(dasher, cp_location_mode);\n\t\tif (!e) e = gf_dasher_set_profile_extension(dasher, dash_profile_extension);\n\t\tif (!e) e = gf_dasher_enable_cached_inputs(dasher, no_cache);\n\t\tif (!e) e = gf_dasher_enable_loop_inputs(dasher, ! 
no_loop);\n\t\tif (!e) e = gf_dasher_set_split_mode(dasher, dash_split_mode);\n\t\tif (!e) e = gf_dasher_set_hls_clock(dasher, hls_clock);\n\t\tif (!e && dash_cues) e = gf_dasher_set_cues(dasher, dash_cues, strict_cues);\n\t\tif (!e && fs_dump_flags) e = gf_dasher_print_session_info(dasher, fs_dump_flags);\n\n\t\tfor (i=0; i < nb_dash_inputs; i++) {\n\t\t\tif (!e) e = gf_dasher_add_input(dasher, &dash_inputs[i]);\n\t\t}\n\t\tif (e) {\n\t\t\tfprintf(stderr, \"DASH Setup Error: %s\\n\", gf_error_to_string(e));\n\t\t\tgf_dasher_del(dasher);\n\t\t\treturn mp4box_cleanup(1);\n\t\t}\n\n\t\tdash_cumulated_time=0;\n\n\t\twhile (1) {\n\t\t\tif (run_for && (dash_cumulated_time >= run_for)) {\n\t\t\t\tfprintf(stderr, \"Done running, computing static MPD\\n\");\n\t\t\t\tdo_abort = 3;\n\t\t\t}\n\n\t\t\tdash_prev_time=gf_sys_clock();\n\t\t\tif (do_abort>=2) {\n\t\t\t\te = gf_dasher_set_dynamic_mode(dasher, GF_DASH_DYNAMIC_LAST, 0, time_shift_depth, mpd_live_duration);\n\t\t\t}\n\n\t\t\tif (!e) e = gf_dasher_process(dasher);\n\t\t\tif (!dash_live && (e==GF_EOS) ) {\n\t\t\t\tfprintf(stderr, \"Nothing to dash, too early ...\\n\");\n\t\t\t\te = GF_OK;\n\t\t\t}\n\n\t\t\tif (do_abort)\n\t\t\t\tbreak;\n\n\t\t\t//this happens when reading file while writing them (local playback of the live session ...)\n\t\t\tif (dash_live && (e==GF_IO_ERR) ) {\n\t\t\t\tfprintf(stderr, \"Error dashing file (%s) but continuing ...\\n\", gf_error_to_string(e) );\n\t\t\t\te = GF_OK;\n\t\t\t}\n\n\t\t\tif (e) break;\n\n\t\t\tif (dash_live) {\n\t\t\t\tu64 ms_in_session=0;\n\t\t\t\tu32 slept = gf_sys_clock();\n\t\t\t\tu32 sleep_for = gf_dasher_next_update_time(dasher, &ms_in_session);\n\t\t\t\tfprintf(stderr, \"Next generation scheduled in %u ms (DASH time \"LLU\" ms)\\r\", sleep_for, ms_in_session);\n\t\t\t\tif (run_for && (ms_in_session>=run_for)) {\n\t\t\t\t\tdash_cumulated_time = 1+run_for;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\n\t\t\t\twhile (1) {\n\t\t\t\t\tif (gf_prompt_has_input()) {\n\t\t\t\t\t\tchar c = 
(char) gf_prompt_get_char();\n\t\t\t\t\t\tif (c=='X') {\n\t\t\t\t\t\t\tdo_abort = 1;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (c=='q') {\n\t\t\t\t\t\t\tdo_abort = 2;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (c=='s') {\n\t\t\t\t\t\t\tdo_abort = 3;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif (dash_mode == GF_DASH_DYNAMIC_DEBUG) {\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\tif (!sleep_for) break;\n\n\t\t\t\t\tgf_sleep(sleep_for/10);\n\t\t\t\t\tsleep_for = gf_dasher_next_update_time(dasher, NULL);\n\t\t\t\t\tif (sleep_for<=1) {\n\t\t\t\t\t\tdash_now_time=gf_sys_clock();\n\t\t\t\t\t\tdash_cumulated_time+=(dash_now_time-dash_prev_time);\n\t\t\t\t\t\tfprintf(stderr, \"Slept for %d ms before generation, dash cumulated time %d\\n\", dash_now_time - slept, dash_cumulated_time);\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\tgf_dasher_del(dasher);\n\n\t\tif (!run_for && dash_ctx_file && (do_abort==3) && (dyn_state_file) && !gf_sys_is_test_mode() ) {\n\t\t\tchar szName[1024];\n\t\t\tfprintf(stderr, \"Enter file name to save dash context:\\n\");\n\t\t\tif (scanf(\"%1023s\", szName) == 1) {\n\t\t\t\tgf_file_move(dash_ctx_file, szName);\n\t\t\t}\n\t\t}\n\t\tif (e) fprintf(stderr, \"Error DASHing file: %s\\n\", gf_error_to_string(e));\n\t\tif (file) gf_isom_delete(file);\n\t\tif (del_file)\n\t\t\tgf_file_delete(inName);\n\n\t\tif (e) return mp4box_cleanup(1);\n\t\tgoto exit;\n\t}\n\n\telse if (!file && !do_hash\n#ifndef GPAC_DISABLE_MEDIA_EXPORT\n\t && !(track_dump_type & GF_EXPORT_AVI_NATIVE)\n#endif\n\t ) {\n\t\tFILE *st = gf_fopen(inName, \"rb\");\n\t\tBool file_exists = 0;\n\t\tGF_ISOOpenMode omode;\n\t\tif (st) {\n\t\t\tfile_exists = 1;\n\t\t\tgf_fclose(st);\n\t\t}\n\t\tswitch (get_file_type_by_ext(inName)) {\n\t\tcase 1:\n\t\t\tomode = (u8) (force_new ? GF_ISOM_WRITE_EDIT : (open_edit ? GF_ISOM_OPEN_EDIT : ( ((dump_isom>0) || print_info) ? 
GF_ISOM_OPEN_READ_DUMP : GF_ISOM_OPEN_READ) ) );\n\n\t\t\tif (crypt) {\n\t\t\t\t//keep fragment signaling in moov\n\t\t\t\tomode = GF_ISOM_OPEN_READ;\n\t\t\t\tif (use_init_seg)\n\t\t\t\t\tfile = gf_isom_open(use_init_seg, GF_ISOM_OPEN_READ, tmpdir);\n\t\t\t}\n\t\t\tif (!crypt && use_init_seg) {\n\t\t\t\tfile = gf_isom_open(use_init_seg, GF_ISOM_OPEN_READ_DUMP, tmpdir);\n\t\t\t\tif (file) {\n\t\t\t\t\te = gf_isom_open_segment(file, inName, 0, 0, 0);\n\t\t\t\t\tif (e) {\n\t\t\t\t\t\tfprintf(stderr, \"Error opening segment %s: %s\\n\", inName, gf_error_to_string(e) );\n\t\t\t\t\t\tgf_isom_delete(file);\n\t\t\t\t\t\tfile = NULL;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (!file)\n\t\t\t\tfile = gf_isom_open(inName, omode, tmpdir);\n\n\t\t\tif (!file && (gf_isom_last_error(NULL) == GF_ISOM_INCOMPLETE_FILE) && !open_edit) {\n\t\t\t\tu64 missing_bytes;\n\t\t\t\te = gf_isom_open_progressive(inName, 0, 0, GF_FALSE, &file, &missing_bytes);\n\t\t\t\tfprintf(stderr, \"Truncated file - missing \"LLD\" bytes\\n\", missing_bytes);\n\t\t\t}\n\n\t\t\tif (!file) {\n\t\t\t\tif (open_edit && nb_meta_act) {\n\t\t\t\t\tfile = gf_isom_open(inName, GF_ISOM_WRITE_EDIT, tmpdir);\n\t\t\t\t\tif (!outName && file) outName = inName;\n\t\t\t\t}\n\n\t\t\t\tif (!file) {\n\t\t\t\t\tfprintf(stderr, \"Error opening file %s: %s\\n\", inName, gf_error_to_string(gf_isom_last_error(NULL)));\n\t\t\t\t\treturn mp4box_cleanup(1);\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (freeze_box_order)\n\t\t\t\tgf_isom_freeze_order(file);\n\t\t\tbreak;\n\t\t/*allowed for bt<->xmt*/\n\t\tcase 2:\n\t\tcase 3:\n\t\t/*allowed for svg->lsr**/\n\t\tcase 4:\n\t\t/*allowed for swf->bt, swf->xmt, swf->svg*/\n\t\tcase 5:\n\t\t\tbreak;\n\t\t/*used for .saf / .lsr dump*/\n\t\tcase 6:\n#ifndef GPAC_DISABLE_SCENE_DUMP\n\t\t\tif ((dump_mode==GF_SM_DUMP_LASER) || (dump_mode==GF_SM_DUMP_SVG)) {\n\t\t\t\tbreak;\n\t\t\t}\n#endif\n\n\t\tdefault:\n\t\t\tif (!open_edit && file_exists && !gf_isom_probe_file(inName) && track_dump_type) {\n\t\t\t}\n#ifndef 
GPAC_DISABLE_ISOM_WRITE\n\t\t\telse if (!open_edit && file_exists /* && !gf_isom_probe_file(inName) */\n#ifndef GPAC_DISABLE_SCENE_DUMP\n\t\t\t && dump_mode == GF_SM_DUMP_NONE\n#endif //GPAC_DISABLE_SCENE_DUMP\n\t\t\t ) {\n\t\t\t\t/*************************************************************************************************/\n#ifndef GPAC_DISABLE_MEDIA_IMPORT\n\t\t\t\tif(dvbhdemux)\n\t\t\t\t{\n\t\t\t\t\tGF_MediaImporter import;\n\t\t\t\t\tfile = gf_isom_open(\"ttxt_convert\", GF_ISOM_OPEN_WRITE, NULL);\n\t\t\t\t\tmemset(&import, 0, sizeof(GF_MediaImporter));\n\t\t\t\t\timport.dest = file;\n\t\t\t\t\timport.in_name = inName;\n\t\t\t\t\timport.flags = GF_IMPORT_MPE_DEMUX;\n\t\t\t\t\te = gf_media_import(&import);\n\t\t\t\t\tif (e) {\n\t\t\t\t\t\tfprintf(stderr, \"Error importing %s: %s\\n\", inName, gf_error_to_string(e));\n\t\t\t\t\t\tgf_isom_delete(file);\n\t\t\t\t\t\tgf_file_delete(\"ttxt_convert\");\n\t\t\t\t\t\treturn mp4box_cleanup(1);\n\t\t\t\t\t}\n\t\t\t\t}\n#endif /*GPAC_DISABLE_MEDIA_IMPORT*/\n\n\t\t\t\tif (dump_m2ts) {\n#ifndef GPAC_DISABLE_MPEG2TS\n\t\t\t\t\tdump_mpeg2_ts(inName, pes_dump, program_number);\n#endif\n\t\t\t\t} else if (dump_timestamps) {\n#ifndef GPAC_DISABLE_MPEG2TS\n\t\t\t\t\tdump_mpeg2_ts(inName, pes_dump, program_number);\n#endif\n#ifndef GPAC_DISABLE_CORE_TOOLS\n\t\t\t\t} else if (do_bin_xml) {\n\t\t\t\t\txml_bs_to_bin(inName, outName, dump_std);\n#endif\n\t\t\t\t} else if (do_hash) {\n\t\t\t\t\thash_file(inName, dump_std);\n\t\t\t\t} else if (print_info) {\n#ifndef GPAC_DISABLE_MEDIA_IMPORT\n\t\t\t\t\tconvert_file_info(inName, info_track_id);\n#endif\n\t\t\t\t} else {\n\t\t\t\t\tfprintf(stderr, \"Input %s is not an MP4 file, operation not allowed\\n\", inName);\n\t\t\t\t\treturn mp4box_cleanup(1);\n\t\t\t\t}\n\t\t\t\tgoto exit;\n\t\t\t}\n#endif /*GPAC_DISABLE_ISOM_WRITE*/\n\t\t\telse if (open_edit) {\n\t\t\t\tfile = gf_isom_open(inName, GF_ISOM_WRITE_EDIT, tmpdir);\n\t\t\t\tif (!outName && file) outName = inName;\n\t\t\t} else if 
(!file_exists) {\n\t\t\t\tfprintf(stderr, \"Error creating file %s: %s\\n\", inName, gf_error_to_string(GF_URL_ERROR));\n\t\t\t\treturn mp4box_cleanup(1);\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"Cannot open %s - extension not supported\\n\", inName);\n\t\t\t\treturn mp4box_cleanup(1);\n\t\t\t}\n\t\t}\n\t}\n\n\tif (high_dynamc_range_filename) {\n\t\te = parse_high_dynamc_range_xml_desc(file, high_dynamc_range_filename);\n\t\tif (e) goto err_exit;\n\t}\n\n\tif (file && keep_utc && open_edit) {\n\t\tgf_isom_keep_utc_times(file, 1);\n\t}\n\n\tstrcpy(outfile, outName ? outName : inName);\n\t{\n\n\t\tchar *szExt = gf_file_ext_start(outfile);\n\n\t\tif (szExt)\n\t\t{\n\t\t\t/*turn on 3GP saving*/\n\t\t\tif (!stricmp(szExt, \".3gp\") || !stricmp(szExt, \".3gpp\") || !stricmp(szExt, \".3g2\"))\n\t\t\t\tconv_type = GF_ISOM_CONV_TYPE_3GPP;\n\t\t\telse if (!stricmp(szExt, \".m4a\") || !stricmp(szExt, \".m4v\"))\n\t\t\t\tconv_type = GF_ISOM_CONV_TYPE_IPOD;\n\t\t\telse if (!stricmp(szExt, \".psp\"))\n\t\t\t\tconv_type = GF_ISOM_CONV_TYPE_PSP;\n\t\t\telse if (!stricmp(szExt, \".mov\") || !stricmp(szExt, \".qt\"))\n\t\t\t\tconv_type = GF_ISOM_CONV_TYPE_MOV;\n\n\t\t\t//remove extension from outfile\n\t\t\t*szExt = 0;\n\t\t}\n\t}\n\n#ifndef GPAC_DISABLE_MEDIA_EXPORT\n\tif (track_dump_type & GF_EXPORT_AVI_NATIVE) {\n\t\tchar szFile[GF_MAX_PATH+24];\n\t\tGF_MediaExporter mdump;\n\t\tmemset(&mdump, 0, sizeof(mdump));\n\t\tmdump.in_name = inName;\n\t\tmdump.flags = GF_EXPORT_AVI_NATIVE;\n\t\tmdump.trackID = trackID;\n\t\tif (dump_std) {\n\t\t\tmdump.out_name = \"std\";\n\t\t} else if (outName) {\n\t\t\tmdump.out_name = outName;\n\t\t} else if (trackID>2) {\n\t\t\tsprintf(szFile, \"%s_audio%d\", outfile, trackID-1);\n\t\t\tmdump.out_name = szFile;\n\t\t} else {\n\t\t\tsprintf(szFile, \"%s_%s\", outfile, (trackID==1) ? 
\"video\" : \"audio\");\n\t\t\tmdump.out_name = szFile;\n\t\t}\n\n\t\tmdump.print_stats_graph = fs_dump_flags;\n\t\te = gf_media_export(&mdump);\n\t\tif (e) goto err_exit;\n\t\tgoto exit;\n\t}\n\tif (!open_edit && track_dump_type && !gf_isom_probe_file(inName)) {\n\t\tGF_MediaExporter mdump;\n\t\tchar szFile[GF_MAX_PATH+24];\n\t\tfor (i=0; iact_type != TRAC_ACTION_RAW_EXTRACT) continue;\n\t\t\tmemset(&mdump, 0, sizeof(mdump));\n\t\t\tmdump.in_name = inName;\n\t\t\tmdump.flags = tka->dump_type;\n\t\t\tmdump.trackID = tka->trackID;\n\t\t\tmdump.sample_num = tka->sample_num;\n\t\t\tif (outName) {\n\t\t\t\tmdump.out_name = outName;\n\t\t\t\tmdump.flags |= GF_EXPORT_MERGE;\n\t\t\t} else if (nb_track_act>1) {\n\t\t\t\tsprintf(szFile, \"%s_track%d\", outfile, mdump.trackID);\n\t\t\t\tmdump.out_name = szFile;\n\t\t\t} else {\n\t\t\t\tmdump.out_name = outfile;\n\t\t\t}\n\t\t\tmdump.print_stats_graph = fs_dump_flags;\n\t\t\te = gf_media_export(&mdump);\n\t\t\tif (e) goto err_exit;\n\t\t}\n\t\tgoto exit;\n\t}\n\n#endif /*GPAC_DISABLE_MEDIA_EXPORT*/\n\n#ifndef GPAC_DISABLE_SCENE_DUMP\n\tif (dump_mode != GF_SM_DUMP_NONE) {\n\t\te = dump_isom_scene(inName, dump_std ? NULL : (outName ? outName : outfile), outName ? GF_TRUE : GF_FALSE, dump_mode, do_scene_log, no_odf_conf);\n\t\tif (e) goto err_exit;\n\t}\n#endif\n\n#ifndef GPAC_DISABLE_SCENE_STATS\n\tif (stat_level) dump_isom_scene_stats(inName, dump_std ? NULL : (outName ? outName : outfile), outName ? GF_TRUE : GF_FALSE, stat_level);\n#endif\n\n#ifndef GPAC_DISABLE_ISOM_HINTING\n\tif (!HintIt && print_sdp) dump_isom_sdp(file, dump_std ? NULL : (outName ? outName : outfile), outName ? GF_TRUE : GF_FALSE);\n#endif\n\tif (get_nb_tracks) {\n\t\tfprintf(stdout, \"%d\\n\", gf_isom_get_track_count(file));\n\t}\n\tif (print_info) {\n\t\tif (!file) {\n\t\t\tfprintf(stderr, \"Cannot print info on a non ISOM file (%s)\\n\", inName);\n\t\t} else {\n\t\t\tif (info_track_id) DumpTrackInfo(file, info_track_id, 1, (print_info==2) ? 
GF_TRUE : GF_FALSE);\n\t\t\telse DumpMovieInfo(file);\n\t\t}\n\t}\n#ifndef GPAC_DISABLE_ISOM_DUMP\n\tif (dump_isom) {\n\t\te = dump_isom_xml(file, dump_std ? NULL : (outName ? outName : outfile), outName ? GF_TRUE : GF_FALSE, (dump_isom==2) ? GF_TRUE : GF_FALSE, merge_vtt_cues, use_init_seg ? GF_TRUE : GF_FALSE, (dump_isom==3) ? GF_TRUE : GF_FALSE);\n\t\tif (e) goto err_exit;\n\t}\n\tif (dump_cr) dump_isom_ismacryp(file, dump_std ? NULL : (outName ? outName : outfile), outName ? GF_TRUE : GF_FALSE);\n\tif ((dump_ttxt || dump_srt) && trackID) {\n\n\t\tif (trackID == (u32)-1) {\n\t\t\tfor (j=0; jact_type != TRAC_ACTION_RAW_EXTRACT) continue;\n\t\t\tmemset(&mdump, 0, sizeof(mdump));\n\t\t\tmdump.file = file;\n\t\t\tmdump.flags = tka->dump_type;\n\t\t\tmdump.trackID = tka->trackID;\n\t\t\tmdump.sample_num = tka->sample_num;\n\t\t\tif (tka->out_name) {\n\t\t\t\tmdump.out_name = tka->out_name;\n\t\t\t} else if (outName) {\n\t\t\t\tmdump.out_name = outName;\n\t\t\t\tmdump.flags |= GF_EXPORT_MERGE;\n\t\t\t\t/*don't infer extension on user-given filename*/\n\t\t\t\tmdump.flags |= GF_EXPORT_NO_FILE_EXT;\n\t\t\t} else if (mdump.trackID) {\n\t\t\t\tsprintf(szFile, \"%s_track%d\", outfile, mdump.trackID);\n\t\t\t\tmdump.out_name = szFile;\n\t\t\t} else {\n\t\t\t\tsprintf(szFile, \"%s_export\", outfile);\n\t\t\t\tmdump.out_name = szFile;\n\t\t\t}\n\t\t\tif (tka->trackID==(u32) -1) {\n\t\t\t\tfor (j=0; jtrackID) tk = gf_isom_get_track_by_id(file, meta->trackID);\n\n\t\tswitch (meta->act_type) {\n#ifndef GPAC_DISABLE_ISOM_WRITE\n\t\tcase META_ACTION_SET_TYPE:\n\t\t\t/*note: we don't handle file brand modification, this is an author stuff and cannot be guessed from meta type*/\n\t\t\te = gf_isom_set_meta_type(file, meta->root_meta, tk, meta->meta_4cc);\n\t\t\tgf_isom_modify_alternate_brand(file, GF_ISOM_BRAND_ISO2, GF_TRUE);\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase META_ACTION_ADD_ITEM:\n\t\t\tself_ref = !stricmp(meta->szPath, \"NULL\") || !stricmp(meta->szPath, \"this\") 
|| !stricmp(meta->szPath, \"self\");\n\t\t\te = gf_isom_add_meta_item(file, meta->root_meta, tk, self_ref, self_ref ? NULL : meta->szPath,\n\t\t\t meta->szName,\n\t\t\t meta->item_id,\n\t\t\t\t\t\t\t\t\t meta->item_type,\n\t\t\t meta->mime_type,\n\t\t\t meta->enc_type,\n\t\t\t meta->use_dref ? meta->szPath : NULL, NULL,\n\t\t\t meta->image_props);\n\t\t\tif (meta->ref_type) {\n\t\t\t\te = gf_isom_meta_add_item_ref(file, meta->root_meta, tk, meta->item_id, meta->ref_item_id, meta->ref_type, NULL);\n\t\t\t}\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase META_ACTION_ADD_IMAGE_ITEM:\n\t\t{\n\t\t\tu32 old_tk_count = gf_isom_get_track_count(file);\n\t\t\tGF_Fraction _frac = {0,0};\n\t\t\te = import_file(file, meta->szPath, 0, _frac, 0, NULL, NULL, 0);\n\t\t\tif (e == GF_OK) {\n\t\t\t\tu32 meta_type = gf_isom_get_meta_type(file, meta->root_meta, tk);\n\t\t\t\tif (!meta_type) {\n\t\t\t\t\te = gf_isom_set_meta_type(file, meta->root_meta, tk, GF_META_ITEM_TYPE_PICT);\n\t\t\t\t} else {\n\t\t\t\t\tif (meta_type != GF_META_ITEM_TYPE_PICT) {\n\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"Warning: file already has a root 'meta' box of type %s\\n\", gf_4cc_to_str(meta_type)));\n\t\t\t\t\t\te = GF_BAD_PARAM;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif (e == GF_OK) {\n\t\t\t\t\tif (!meta->item_id) {\n\t\t\t\t\t\te = gf_isom_meta_get_next_item_id(file, meta->root_meta, tk, &meta->item_id);\n\t\t\t\t\t}\n\t\t\t\t\tif (e == GF_OK) {\n\t\t\t\t\t\te = gf_isom_iff_create_image_item_from_track(file, meta->root_meta, tk, 1,\n\t\t\t\t\t\t\t\tmeta->szName,\n\t\t\t\t\t\t\t\tmeta->item_id,\n\t\t\t\t\t\t\t\tmeta->image_props, NULL);\n\t\t\t\t\t\tif (e == GF_OK && meta->primary) {\n\t\t\t\t\t\t\te = gf_isom_set_meta_primary_item(file, meta->root_meta, tk, meta->item_id);\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (e == GF_OK && meta->ref_type) {\n\t\t\t\t\t\t\te = gf_isom_meta_add_item_ref(file, meta->root_meta, tk, meta->item_id, meta->ref_item_id, meta->ref_type, 
NULL);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tgf_isom_remove_track(file, old_tk_count+1);\n\t\t\tneedSave = GF_TRUE;\n\t\t}\n\t\t\tbreak;\n\t\tcase META_ACTION_REM_ITEM:\n\t\t\te = gf_isom_remove_meta_item(file, meta->root_meta, tk, meta->item_id);\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase META_ACTION_SET_PRIMARY_ITEM:\n\t\t\te = gf_isom_set_meta_primary_item(file, meta->root_meta, tk, meta->item_id);\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase META_ACTION_SET_XML:\n\t\tcase META_ACTION_SET_BINARY_XML:\n\t\t\te = gf_isom_set_meta_xml(file, meta->root_meta, tk, meta->szPath, NULL, 0, (meta->act_type==META_ACTION_SET_BINARY_XML) ? 1 : 0);\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase META_ACTION_REM_XML:\n\t\t\tif (gf_isom_get_meta_item_count(file, meta->root_meta, tk)) {\n\t\t\t\te = gf_isom_remove_meta_xml(file, meta->root_meta, tk);\n\t\t\t\tneedSave = GF_TRUE;\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"No meta box in input file\\n\");\n\t\t\t}\n\t\t\tbreak;\n\t\tcase META_ACTION_DUMP_ITEM:\n\t\t\tif (gf_isom_get_meta_item_count(file, meta->root_meta, tk)) {\n\t\t\t\te = gf_isom_extract_meta_item(file, meta->root_meta, tk, meta->item_id, strlen(meta->szPath) ? 
meta->szPath : NULL);\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"No meta box in input file\\n\");\n\t\t\t}\n\t\t\tbreak;\n#endif // GPAC_DISABLE_ISOM_WRITE\n\n\t\tcase META_ACTION_DUMP_XML:\n\t\t\tif (gf_isom_has_meta_xml(file, meta->root_meta, tk)) {\n\t\t\t\te = gf_isom_extract_meta_xml(file, meta->root_meta, tk, meta->szPath, NULL);\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"No meta box in input file\\n\");\n\t\t\t}\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\t\tif (meta->image_props) {\n\t\t\tgf_free(meta->image_props);\n\t\t\tmeta->image_props = NULL;\n\t\t}\n\t\tif (e) goto err_exit;\n\t}\n\tif (!open_edit && !needSave) {\n\t\tif (file) gf_isom_delete(file);\n\t\tgoto exit;\n\t}\n\n\n#ifndef GPAC_DISABLE_ISOM_WRITE\n\tif (clean_groups) {\n\t\te = gf_isom_reset_switch_parameters(file);\n\t\tif (e) goto err_exit;\n\t\tneedSave = GF_TRUE;\n\t}\n\n\tfor (i=0; i0) {\n\t\t\t\t\t\t\t\tu32 tk, k;\n\t\t\t\t\t\t\t\tfor (k=0; k<(u32) count; k++) {\n\t\t\t\t\t\t\t\t\tgf_isom_get_reference(file, j+1, GF_ISOM_REF_CHAP, k+1, &tk);\n\t\t\t\t\t\t\t\t\tif (tk==i+1) {\n\t\t\t\t\t\t\t\t\t\tis_chap = 1;\n\t\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tif (is_chap) break;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tif (is_chap) break;\n\t\t\t\t\t\t}\n\t\t\t\t\t\t/*this is a subtitle track*/\n\t\t\t\t\t\tif (!is_chap)\n\t\t\t\t\t\t\tgf_isom_set_media_type(file, i+1, GF_ISOM_MEDIA_SUBT);\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\tgf_isom_set_brand_info(file, ipod_major_brand, 1);\n\t\t\tgf_isom_modify_alternate_brand(file, GF_ISOM_BRAND_MP42, GF_TRUE);\n\t\t\tneedSave = GF_TRUE;\n\t\t}\n\n\t} else if (outName) {\n\t\tstrcpy(outfile, outName);\n\t}\n\n\tfor (j=0; jtrackID ? 
gf_isom_get_track_by_id(file, tka->trackID) : 0;\n\n\t\ttimescale = gf_isom_get_timescale(file);\n\t\tswitch (tka->act_type) {\n\t\tcase TRAC_ACTION_REM_TRACK:\n\t\t\te = gf_isom_remove_track(file, track);\n\t\t\tif (e) {\n\t\t\t\tfprintf(stderr, \"Error Removing track ID %d: %s\\n\", tka->trackID, gf_error_to_string(e));\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"Removing track ID %d\\n\", tka->trackID);\n\t\t\t}\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_SET_LANGUAGE:\n\t\t\tfor (i=0; ilang);\n\t\t\t\tif (e) goto err_exit;\n\t\t\t\tneedSave = GF_TRUE;\n\t\t\t}\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_SET_KIND:\n\t\t\tfor (i=0; ikind_scheme, tka->kind_value);\n\t\t\t\tif (e) goto err_exit;\n\t\t\t\tneedSave = GF_TRUE;\n\t\t\t}\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_REM_KIND:\n\t\t\tfor (i=0; ikind_scheme, tka->kind_value);\n\t\t\t\tif (e) goto err_exit;\n\t\t\t\tneedSave = GF_TRUE;\n\t\t\t}\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_SET_DELAY:\n\t\t\tif (tka->delay_ms) {\n\t\t\t\tu64 tk_dur;\n\n\t\t\t\tgf_isom_remove_edits(file, track);\n\t\t\t\ttk_dur = gf_isom_get_track_duration(file, track);\n\t\t\t\tif (gf_isom_get_edits_count(file, track))\n\t\t\t\t\tneedSave = GF_TRUE;\n\t\t\t\tif (tka->delay_ms>0) {\n\t\t\t\t\tgf_isom_append_edit(file, track, (timescale*tka->delay_ms)/1000, 0, GF_ISOM_EDIT_EMPTY);\n\t\t\t\t\tgf_isom_append_edit(file, track, tk_dur, 0, GF_ISOM_EDIT_NORMAL);\n\t\t\t\t\tneedSave = GF_TRUE;\n\t\t\t\t} else {\n\t\t\t\t\tu64 to_skip = (timescale*(-tka->delay_ms))/1000;\n\t\t\t\t\tif (to_skipdelay_ms)*gf_isom_get_media_timescale(file, track) / 1000;\n\t\t\t\t\t\tgf_isom_append_edit(file, track, tk_dur-to_skip, media_time, GF_ISOM_EDIT_NORMAL);\n\t\t\t\t\t\tneedSave = GF_TRUE;\n\t\t\t\t\t} else {\n\t\t\t\t\t\tfprintf(stderr, \"Warning: request negative delay longer than track duration - ignoring\\n\");\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t} else if 
(gf_isom_get_edits_count(file, track)) {\n\t\t\t\tgf_isom_remove_edits(file, track);\n\t\t\t\tneedSave = GF_TRUE;\n\t\t\t}\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_SET_KMS_URI:\n\t\t\tfor (i=0; ikms);\n\t\t\t\tif (e) goto err_exit;\n\t\t\t\tneedSave = GF_TRUE;\n\t\t\t}\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_SET_ID:\n\t\t\tif (!tka->trackID && (gf_isom_get_track_count(file) == 1)) {\n\t\t\t\tfprintf(stderr, \"Warning: track id is not specified, but file has only one track - assume that you want to change id for this track\\n\");\n\t\t\t\ttrack = 1;\n\t\t\t}\n\t\t\tif (track) {\n\t\t\t\tu32 newTrack;\n\t\t\t\tnewTrack = gf_isom_get_track_by_id(file, tka->newTrackID);\n\t\t\t\tif (newTrack != 0) {\n\t\t\t\t\tfprintf(stderr, \"Error: Cannot set track id with value %d because a track already exists - ignoring\", tka->newTrackID);\n\t\t\t\t} else {\n\t\t\t\t\te = gf_isom_set_track_id(file, track, tka->newTrackID);\n\t\t\t\t\tneedSave = GF_TRUE;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"Error: Cannot change id for track %d because it does not exist - ignoring\", tka->trackID);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_SWAP_ID:\n\t\t\tif (track) {\n\t\t\t\tu32 tk1, tk2;\n\t\t\t\ttk1 = gf_isom_get_track_by_id(file, tka->trackID);\n\t\t\t\ttk2 = gf_isom_get_track_by_id(file, tka->newTrackID);\n\t\t\t\tif (!tk1 || !tk2) {\n\t\t\t\t\tfprintf(stderr, \"Error: Cannot swap track IDs because not existing - ignoring\");\n\t\t\t\t} else {\n\t\t\t\t\te = gf_isom_set_track_id(file, tk2, 0);\n\t\t\t\t\tif (!e) e = gf_isom_set_track_id(file, tk1, tka->newTrackID);\n\t\t\t\t\tif (!e) e = gf_isom_set_track_id(file, tk2, tka->trackID);\n\t\t\t\t\tneedSave = GF_TRUE;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"Error: Cannot change id for track %d because it does not exist - ignoring\", tka->trackID);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_SET_PAR:\n\t\t\te = gf_media_change_par(file, track, tka->par_num, tka->par_den, tka->force_par, tka->rewrite_bs);\n\t\t\tneedSave 
= GF_TRUE;\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_SET_CLAP:\n\t\t\te = gf_isom_set_clean_aperture(file, track, 1, tka->clap_wnum, tka->clap_wden, tka->clap_hnum, tka->clap_hden, tka->clap_honum, tka->clap_hoden, tka->clap_vonum, tka->clap_voden);\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_SET_MX:\n\t\t\te = gf_isom_set_track_matrix(file, track, tka->mx);\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_SET_HANDLER_NAME:\n\t\t\te = gf_isom_set_handler_name(file, track, tka->hdl_name);\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_ENABLE:\n\t\t\tif (!gf_isom_is_track_enabled(file, track)) {\n\t\t\t\te = gf_isom_set_track_enabled(file, track, GF_TRUE);\n\t\t\t\tneedSave = GF_TRUE;\n\t\t\t}\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_DISABLE:\n\t\t\tif (gf_isom_is_track_enabled(file, track)) {\n\t\t\t\te = gf_isom_set_track_enabled(file, track, GF_FALSE);\n\t\t\t\tneedSave = GF_TRUE;\n\t\t\t}\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_REFERENCE:\n\t\t\te = gf_isom_set_track_reference(file, track, GF_4CC(tka->lang[0], tka->lang[1], tka->lang[2], tka->lang[3]), (u32) tka->delay_ms);\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_REM_NON_RAP:\n\t\t\tfprintf(stderr, \"Removing non-rap samples from track %d\\n\", tka->trackID);\n\t\t\te = gf_media_remove_non_rap(file, track, GF_FALSE);\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_REM_NON_REFS:\n\t\t\tfprintf(stderr, \"Removing non-reference samples from track %d\\n\", tka->trackID);\n\t\t\te = gf_media_remove_non_rap(file, track, GF_TRUE);\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tcase TRAC_ACTION_SET_UDTA:\n\t\t\tfprintf(stderr, \"Assigning udta box\\n\");\n\t\t\te = set_file_udta(file, track, tka->udta_type, tka->src_name, tka->sample_num ? 
GF_TRUE : GF_FALSE);\n\t\t\tif (e) goto err_exit;\n\t\t\tneedSave = GF_TRUE;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\t\tif (e) goto err_exit;\n\t}\n\n\tif (itunes_tags) {\n\t\tchar *tags = itunes_tags;\n\n\t\twhile (tags) {\n\t\t\tchar *val;\n\t\t\tchar *sep = gf_url_colon_suffix(tags);\n\t\t\tu32 tlen, itag = 0;\n\t\t\tif (sep) {\n\t\t\t\twhile (sep) {\n\t\t\t\t\tfor (itag=0; itag> 8;\n\t\t\t\t\t\t_t[5] = t;\n\t\t\t\t\t\t_t[4] = t >> 8;\n\t\t\t\t\t}\n\t\t\t\t\telse if (sscanf(val, \"%u\", &n) == 1) {\n\t\t\t\t\t\t_t[3] = n;\n\t\t\t\t\t\t_t[2] = n >> 8;\n\t\t\t\t\t}\n\t\t\t\t\telse tlen = 0;\n\t\t\t\t}\n\t\t\t\tif (!val || tlen) gf_isom_apple_set_tag(file, itag, val ? (u8 *)_t : NULL, tlen);\n\t\t\t}\n\t\t\tbreak;\n\t\t\tcase GF_ISOM_ITUNE_GAPLESS:\n\t\t\tcase GF_ISOM_ITUNE_COMPILATION:\n\t\t\t{\n\t\t\t\tu8 _t[1];\n\t\t\t\tif (val && !stricmp(val, \"yes\")) _t[0] = 1;\n\t\t\t\telse _t[0] = 0;\n\t\t\t\tgf_isom_apple_set_tag(file, itag, _t, 1);\n\t\t\t}\n\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tgf_isom_apple_set_tag(file, itag, (u8 *)val, tlen);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tneedSave = GF_TRUE;\n\n\t\t\tif (sep) {\n\t\t\t\tsep[0] = ':';\n\t\t\t\ttags = sep+1;\n\t\t\t} else {\n\t\t\t\ttags = NULL;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (movie_time) {\n\t\tgf_isom_set_creation_time(file, movie_time);\n\t\tfor (i=0; imoov->udta) {\n\t\te = moov_on_child_box((GF_Box*)movie->moov, gf_isom_box_new_parent(&movie->moov->child_boxes, GF_ISOM_BOX_TYPE_UDTA), GF_FALSE);\n\t\tif (e) return e;\n\t}\n\tmap = udta_getEntry(movie->moov->udta, GF_ISOM_BOX_TYPE_CPRT, NULL);\n\n\tif (map) {\n\t\t//try to find one in our language...\n\t\tcount = gf_list_count(map->boxes);\n\t\tfor (i=0; iboxes, i);\n\t\t\tif (!strcmp(threeCharCode, (const char *) ptr->packedLanguageCode)) {\n\t\t\t\tgf_free(ptr->notice);\n\t\t\t\tptr->notice = (char*)gf_malloc(sizeof(char) * (strlen(notice) + 1));\n\t\t\t\tif (!ptr->notice) return GF_OUT_OF_MEM;\n\t\t\t\tstrcpy(ptr->notice, notice);\n\t\t\t\treturn 
GF_OK;\n\t\t\t}\n\t\t}\n\t}\n\t//nope, create one\n\tptr = (GF_CopyrightBox *)gf_isom_box_new(GF_ISOM_BOX_TYPE_CPRT);\n\tif (!ptr) return GF_OUT_OF_MEM;\n\n\tmemcpy(ptr->packedLanguageCode, threeCharCode, 4);\n\tptr->notice = (char*)gf_malloc(sizeof(char) * (strlen(notice)+1));\n\tif (!ptr->notice) return GF_OUT_OF_MEM;\n\tstrcpy(ptr->notice, notice);\n\treturn udta_on_child_box((GF_Box *)movie->moov->udta, (GF_Box *) ptr, GF_FALSE);\n}", "project": "gpac", "hash": 129003783530618922099975751666858363665, "size": 45, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267307 }, { "func": "#ifndef GPAC_DISABLE_ISOM_DUMP\n\nvoid dump_isom_ismacryp(GF_ISOFile *file, char *inName, Bool is_final_name)\n{\n\tu32 i, j;\n\tFILE *dump;\n\n\tif (inName) {\n\t\tchar szBuf[1024];\n\t\tstrcpy(szBuf, inName);\n\t\tif (!is_final_name) strcat(szBuf, \"_ismacryp.xml\");\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Failed to open %s for dumping\\n\", szBuf));\n\t\t\treturn;\n\t\t}\n\t} else {\n\t\tdump = stdout;\n\t}\n\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\n\n\tfor (i=0; i\\n\", gf_isom_get_track_id(file, i+1));\n\t\tfor (j=0; j\\n\");\n\t}\n\tfprintf(dump, \"\\n\");", "project": "gpac", "hash": 142934956003893154113108312789119616651, "size": 37, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243179 }, { "func": "#ifndef GPAC_DISABLE_ISOM_DUMP\n\nvoid dump_isom_ismacryp(GF_ISOFile *file, char *inName, Bool is_final_name)\n{\n\tu32 i, j;\n\tFILE *dump;\n\n\tif (inName) {\n\t\tchar szBuf[1024];\n\t\tstrcpy(szBuf, inName);\n\t\tif (!is_final_name) strcat(szBuf, \"_ismacryp.xml\");\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tfprintf(stderr, \"Failed to open %s for dumping\\n\", szBuf);\n\t\t\treturn;\n\t\t}\n\t} else {\n\t\tdump = 
stdout;\n\t}\n\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\n\n\tfor (i=0; i\\n\", gf_isom_get_track_id(file, i+1));\n\t\tfor (j=0; j\\n\");\n\t}\n\tfprintf(dump, \"\\n\");", "project": "gpac", "hash": 69159721755909158175713305182855921810, "size": 37, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249543 }, { "func": "GF_EXPORT\nvoid gf_isom_set_default_sync_track(GF_ISOFile *movie, u32 trackNumber)\n{\n\tGF_TrackBox *tk = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!tk) movie->es_id_default_sync = -1;\n\telse movie->es_id_default_sync = tk->Header->trackID;", "project": "gpac", "hash": 3167125072944013055079052225837139996, "size": 6, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246826 }, { "func": "GF_Err gf_isom_cenc_allocate_storage(GF_ISOFile *the_file, u32 trackNumber)\n{\n\tGF_TrackBox *trak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tif (trak->sample_encryption) return GF_OK;\n\ttrak->sample_encryption = (GF_SampleEncryptionBox *)gf_isom_create_samp_enc_box(0, 0);\n\t//senc will be written and destroyed with the other boxes\n\tif (!trak->child_boxes) trak->child_boxes = gf_list_new();\n\treturn gf_list_add(trak->child_boxes, trak->sample_encryption);\n}", "project": "gpac", "hash": 109307445904564930282944207856519315464, "size": 11, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275411 }, { "func": "GF_Err gf_isom_set_clean_aperture(GF_ISOFile *movie, u32 trackNumber, u32 StreamDescriptionIndex, u32 cleanApertureWidthN, u32 cleanApertureWidthD, u32 cleanApertureHeightN, u32 cleanApertureHeightD, u32 horizOffN, u32 horizOffD, u32 vertOffN, u32 vertOffD)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\tGF_SampleEntryBox 
*entry;\n\tGF_SampleDescriptionBox *stsd;\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\tif (!stsd) return movie->LastError = GF_ISOM_INVALID_FILE;\n\tif (!StreamDescriptionIndex || StreamDescriptionIndex > gf_list_count(stsd->child_boxes)) {\n\t\treturn movie->LastError = GF_BAD_PARAM;\n\t}\n\tentry = (GF_SampleEntryBox *)gf_list_get(stsd->child_boxes, StreamDescriptionIndex - 1);\n\t//no support for generic sample entries (eg, no MPEG4 descriptor)\n\tif (entry == NULL) return GF_BAD_PARAM;\n\tif (!movie->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\n\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return GF_BAD_PARAM;\n\n\tGF_CleanApertureBox *clap = (GF_CleanApertureBox *)gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_CLAP);\n\tif (!cleanApertureHeightD || !cleanApertureWidthD || !horizOffD || !vertOffD) {\n\t\tif (clap) gf_isom_box_del_parent(&entry->child_boxes, (GF_Box*)clap);\n\t\treturn GF_OK;\n\t}\n\tif (!clap) {\n\t\tclap = (GF_CleanApertureBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_CLAP);\n\t\tif (!clap) return GF_OUT_OF_MEM;\n\t}\n\n\tclap->cleanApertureWidthN = cleanApertureWidthN;\n\tclap->cleanApertureWidthD = cleanApertureWidthD;\n\tclap->cleanApertureHeightN = cleanApertureHeightN;\n\tclap->cleanApertureHeightD = cleanApertureHeightD;\n\tclap->horizOffN = horizOffN;\n\tclap->horizOffD = horizOffD;\n\tclap->vertOffN = vertOffN;\n\tclap->vertOffD = vertOffD;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 113641142808103784390848582289290547284, "size": 45, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267335 }, { "func": "GF_Err gf_isom_set_adobe_protection(GF_ISOFile *the_file, u32 trackNumber, u32 
desc_index, u32 scheme_type, u32 scheme_version, Bool is_selective_enc, char *metadata, u32 len)\n{\n\tGF_ProtectionSchemeInfoBox *sinf;\n\n\t//setup generic protection\n#ifndef GPAC_DISABLE_ISOM_WRITE\n\tGF_Err e;\n\te = isom_set_protected_entry(the_file, trackNumber, desc_index, 1, 0, scheme_type, scheme_version, NULL, GF_FALSE, &sinf);\n\tif (e) return e;\n#else\n\treturn GF_NOT_SUPPORTED;\n#endif\n\n\tsinf->info->adkm = (GF_AdobeDRMKeyManagementSystemBox *)gf_isom_box_new_parent(&sinf->info->child_boxes, GF_ISOM_BOX_TYPE_ADKM);\n\tif (!sinf->info->adkm) return GF_OUT_OF_MEM;\n\n\tsinf->info->adkm->header = (GF_AdobeDRMHeaderBox *)gf_isom_box_new_parent(&sinf->info->adkm->child_boxes, GF_ISOM_BOX_TYPE_AHDR);\n\tif (!sinf->info->adkm->header) return GF_OUT_OF_MEM;\n\n\tsinf->info->adkm->header->std_enc_params = (GF_AdobeStdEncryptionParamsBox *)gf_isom_box_new_parent(& sinf->info->adkm->header->child_boxes, GF_ISOM_BOX_TYPE_APRM);\n\tif (!sinf->info->adkm->header->std_enc_params) return GF_OUT_OF_MEM;\n\n\tsinf->info->adkm->header->std_enc_params->enc_info = (GF_AdobeEncryptionInfoBox *)gf_isom_box_new_parent(&sinf->info->adkm->header->std_enc_params->child_boxes, GF_ISOM_BOX_TYPE_AEIB);\n\tif (!sinf->info->adkm->header->std_enc_params->enc_info) return GF_OUT_OF_MEM;\n\n\tsinf->info->adkm->header->std_enc_params->enc_info->enc_algo = (char *)gf_malloc(8*sizeof(char));\n\tif (!sinf->info->adkm->header->std_enc_params->enc_info->enc_algo) return GF_OUT_OF_MEM;\n\n\tstrcpy(sinf->info->adkm->header->std_enc_params->enc_info->enc_algo, \"AES-CBC\");\n\tsinf->info->adkm->header->std_enc_params->enc_info->key_length = 16;\n\n\tsinf->info->adkm->header->std_enc_params->key_info = (GF_AdobeKeyInfoBox *)gf_isom_box_new_parent(&sinf->info->adkm->header->std_enc_params->child_boxes, GF_ISOM_BOX_TYPE_AKEY);\n\tif (!sinf->info->adkm->header->std_enc_params->key_info) return GF_OUT_OF_MEM;\n\n\tsinf->info->adkm->header->std_enc_params->key_info->params = 
(GF_AdobeFlashAccessParamsBox *)gf_isom_box_new_parent(&sinf->info->adkm->header->std_enc_params->key_info->child_boxes, GF_ISOM_BOX_TYPE_FLXS);\n\tif (!sinf->info->adkm->header->std_enc_params->key_info->params) return GF_OUT_OF_MEM;\n\n\tif (metadata && len) {\n\t\tsinf->info->adkm->header->std_enc_params->key_info->params->metadata = (char *)gf_malloc((len+1)*sizeof(char));\n\t\tif (!sinf->info->adkm->header->std_enc_params->key_info->params->metadata) return GF_OUT_OF_MEM;\n\n\t\tstrncpy(sinf->info->adkm->header->std_enc_params->key_info->params->metadata, metadata, len);\n\t\tsinf->info->adkm->header->std_enc_params->key_info->params->metadata[len] = 0;\n\t}\n\n\tsinf->info->adkm->au_format = (GF_AdobeDRMAUFormatBox *)gf_isom_box_new_parent(&sinf->info->adkm->child_boxes, GF_ISOM_BOX_TYPE_ADAF);\n\tif (!sinf->info->adkm->au_format) return GF_OUT_OF_MEM;\n\n\tsinf->info->adkm->au_format->selective_enc = is_selective_enc ? 0x10 : 0x00;\n\tsinf->info->adkm->au_format->IV_length = 16;\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 268267634002888956817932212532879755860, "size": 53, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275420 }, { "func": "GF_Err Media_SetDuration(GF_TrackBox *trak)\n{\n\tGF_Err e;\n\tGF_ESD *esd;\n\tu64 DTS;\n\tGF_SttsEntry *ent;\n\tu32 nbSamp;\n\n\tif (!trak || !trak->Media || !trak->Media->information || !trak->Media->information->sampleTable)\n\t\treturn GF_ISOM_INVALID_FILE;\n\n\tif (!trak->Media->information->sampleTable->SampleSize || !trak->Media->information->sampleTable->TimeToSample)\n\t\treturn GF_ISOM_INVALID_FILE;\n\n\tnbSamp = trak->Media->information->sampleTable->SampleSize->sampleCount;\n\n\t//we need to check how many samples we have.\n\t// == 1 -> last sample duration == default duration\n\t// > 1 -> last sample duration == prev sample duration\n\tswitch (nbSamp) {\n\tcase 0:\n\t\ttrak->Media->mediaHeader->duration = 0;\n\t\tif 
(Track_IsMPEG4Stream(trak->Media->handler->handlerType)) {\n\t\t\tMedia_GetESD(trak->Media, 1, &esd, 1);\n\t\t\tif (esd && esd->URLString) trak->Media->mediaHeader->duration = (u64) -1;\n\n\t\t}\n\t\treturn GF_OK;\n\n//\tcase 1:\n//\t\ttrak->Media->mediaHeader->duration = trak->Media->mediaHeader->timeScale;\n//\t\treturn GF_OK;\n\n\tdefault:\n\t\t//we assume a constant frame rate for the media and assume the last sample\n\t\t//will be hold the same time as the prev one\n\t\te = stbl_GetSampleDTS(trak->Media->information->sampleTable->TimeToSample, nbSamp, &DTS);\n\t\tif (e < 0) {\n\t\t\treturn e;\n\t\t}\n\t\tif (trak->Media->information->sampleTable->TimeToSample->nb_entries > 0) {\n\t\t\tent = &trak->Media->information->sampleTable->TimeToSample->entries[trak->Media->information->sampleTable->TimeToSample->nb_entries-1];\n\t\t} else {\n\t\t\tent = NULL;\n\t\t}\n\t\ttrak->Media->mediaHeader->duration = DTS;\n\n\n#if 1\n\t\tif (ent) trak->Media->mediaHeader->duration += ent->sampleDelta;\n#else\n\t\tif (!ent) {\n\t\t\tu64 DTSprev;\n\t\t\tstbl_GetSampleDTS(trak->Media->information->sampleTable->TimeToSample, nbSamp-1, &DTSprev);\n\t\t\ttrak->Media->mediaHeader->duration += (DTS - DTSprev);\n\t\t} else {\n#ifndef GPAC_DISABLE_ISOM_WRITE\n\t\t\tif (trak->moov->mov->editFileMap && trak->Media->information->sampleTable->CompositionOffset) {\n\t\t\t\tu32 count, i;\n\t\t\t\tu64 max_ts;\n\t\t\t\tGF_DttsEntry *cts_ent;\n\t\t\t\tGF_CompositionOffsetBox *ctts = trak->Media->information->sampleTable->CompositionOffset;\n\t\t\t\tif (ctts->w_LastSampleNumber==nbSamp) {\n\t\t\t\t\tcount = gf_list_count(ctts->entryList);\n\t\t\t\t\tmax_ts = trak->Media->mediaHeader->duration;\n\t\t\t\t\twhile (count) {\n\t\t\t\t\t\tcount -= 1;\n\t\t\t\t\t\tcts_ent = gf_list_get(ctts->entryList, count);\n\t\t\t\t\t\tif (nbSampsampleCount) break;\n\n\t\t\t\t\t\tfor (i=0; isampleCount; i++) {\n\t\t\t\t\t\t\tstbl_GetSampleDTS(trak->Media->information->sampleTable->TimeToSample, nbSamp-i, 
&DTS);\n\t\t\t\t\t\t\tif ((s32) cts_ent->decodingOffset < 0) max_ts = DTS;\n\t\t\t\t\t\t\telse max_ts = DTS + cts_ent->decodingOffset;\n\t\t\t\t\t\t\tif (max_ts>=trak->Media->mediaHeader->duration) {\n\t\t\t\t\t\t\t\ttrak->Media->mediaHeader->duration = max_ts;\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (max_tsMedia->mediaHeader->duration) {\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tnbSamp-=cts_ent->sampleCount;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n#endif /*GPAC_DISABLE_ISOM_WRITE*/\n\t\t\ttrak->Media->mediaHeader->duration += ent->sampleDelta;\n\t\t}\n#endif\n\t\treturn GF_OK;\n\t}\n}", "project": "gpac", "hash": 321577560285880638528943464917487026389, "size": 94, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231611 }, { "func": "GF_Err gf_isom_set_track_id(GF_ISOFile *movie, u32 trackNumber, GF_ISOTrackID trackID)\n{\n\tGF_TrackReferenceTypeBox *ref;\n\tGF_TrackBox *trak, *a_trak;\n\tu32 i, j, k;\n\n\tif (!movie) return GF_BAD_PARAM;\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (trak && (trak->Header->trackID==trackID)) return GF_OK;\n\ta_trak = gf_isom_get_track_from_id(movie->moov, trackID);\n\tif (!trak || a_trak) return GF_BAD_PARAM;\n\n\tif (movie->moov->mvhd->nextTrackID<=trackID)\n\t\tmovie->moov->mvhd->nextTrackID = trackID;\n\n\t/*rewrite all dependencies*/\n\ti=0;\n\twhile ((a_trak = (GF_TrackBox*)gf_list_enum(movie->moov->trackList, &i))) {\n\t\tif (!a_trak->References) continue;\n\t\tj=0;\n\t\twhile ((ref = (GF_TrackReferenceTypeBox *)gf_list_enum(a_trak->References->child_boxes, &j))) {\n\t\t\tfor (k=0; ktrackIDCount; k++) {\n\t\t\t\tif (ref->trackIDs[k]==trak->Header->trackID) {\n\t\t\t\t\tref->trackIDs[k] = trackID;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t/*and update IOD if any*/\n\tif (movie->moov->iods && movie->moov->iods->descriptor) {\n\t\tGF_ES_ID_Inc 
*inc;\n\t\tGF_IsomObjectDescriptor *od = (GF_IsomObjectDescriptor *)movie->moov->iods->descriptor;\n\n\t\ti=0;\n\t\twhile ((inc = (GF_ES_ID_Inc*)gf_list_enum(od->ES_ID_IncDescriptors, &i))) {\n\t\t\tif (inc->trackID==trak->Header->trackID) inc->trackID = trackID;\n\t\t}\n\t}\n\ttrak->Header->trackID = trackID;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 328498134704446013455660614397585586991, "size": 43, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267226 }, { "func": "GF_Err gf_isom_avc_set_inband_config(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex, Bool keep_xps)\n{\n\treturn gf_isom_avc_config_update_ex(the_file, trackNumber, DescriptionIndex, NULL, 3, keep_xps);\n}", "project": "gpac", "hash": 85608329360151876086848313779093634649, "size": 4, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237599 }, { "func": "static GF_ISOSAPType is_sample_idr(GF_MediaBox *mdia, GF_ISOSample *sample, GF_MPEGVisualSampleEntryBox *entry)\n{\n\tBool is_hevc = GF_FALSE;\n\tu32 nalu_size_field = 0;\n\tif (entry->avc_config && entry->avc_config->config) nalu_size_field = entry->avc_config->config->nal_unit_size;\n\telse if (entry->svc_config && entry->svc_config->config) nalu_size_field = entry->svc_config->config->nal_unit_size;\n\telse if (entry->mvc_config && entry->mvc_config->config) nalu_size_field = entry->mvc_config->config->nal_unit_size;\n\telse if (entry->hevc_config && entry->hevc_config->config) {\n\t\tnalu_size_field = entry->hevc_config->config->nal_unit_size;\n\t\tis_hevc = GF_TRUE;\n\t}\n\telse if (entry->lhvc_config && entry->lhvc_config->config) {\n\t\tnalu_size_field = entry->lhvc_config->config->nal_unit_size;\n\t\tis_hevc = GF_TRUE;\n\t}\n\tif (!nalu_size_field) return RAP_NO;\n\n\tif (!mdia->nalu_parser)\n\t\tmdia->nalu_parser = gf_bs_new(sample->data, sample->dataLength, 
GF_BITSTREAM_READ);\n\telse\n\t\tgf_bs_reassign_buffer(mdia->nalu_parser, sample->data, sample->dataLength);\n\n\tif (!mdia->nalu_parser) return RAP_NO;\n\n\twhile (gf_bs_available(mdia->nalu_parser)) {\n\t\tu8 nal_type;\n\t\tu32 size = gf_bs_read_int(mdia->nalu_parser, 8*nalu_size_field);\n\n\t\tif (is_hevc) {\n#ifndef GPAC_DISABLE_HEVC\n\t\t\tu16 nal_hdr = gf_bs_read_u16(mdia->nalu_parser);\n\t\t\tnal_type = (nal_hdr&0x7E00) >> 9;\n\n\t\t\tswitch (nal_type) {\n\t\t\tcase GF_HEVC_NALU_SLICE_CRA:\n\t\t\t\treturn SAP_TYPE_3;\n\t\t\tcase GF_HEVC_NALU_SLICE_IDR_N_LP:\n\t\t\tcase GF_HEVC_NALU_SLICE_BLA_N_LP:\n\t\t\t\treturn SAP_TYPE_1;\n\t\t\tcase GF_HEVC_NALU_SLICE_IDR_W_DLP:\n\t\t\tcase GF_HEVC_NALU_SLICE_BLA_W_DLP:\n\t\t\tcase GF_HEVC_NALU_SLICE_BLA_W_LP:\n\t\t\t\treturn SAP_TYPE_2;\n\t\t\tcase GF_HEVC_NALU_ACCESS_UNIT:\n\t\t\tcase GF_HEVC_NALU_FILLER_DATA:\n\t\t\tcase GF_HEVC_NALU_SEI_PREFIX:\n\t\t\tcase GF_HEVC_NALU_VID_PARAM:\n\t\t\tcase GF_HEVC_NALU_SEQ_PARAM:\n\t\t\tcase GF_HEVC_NALU_PIC_PARAM:\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\treturn RAP_NO;\n\t\t\t}\n\t\t\tgf_bs_skip_bytes(mdia->nalu_parser, size - 2);\n#endif\n\t\t} else {\n\t\t\tu8 nal_hdr = gf_bs_read_u8(mdia->nalu_parser);\n\t\t\tnal_type = nal_hdr & 0x1F;\n\n\t\t\tif (nal_type==GF_AVC_NALU_IDR_SLICE) return SAP_TYPE_1;\n\t\t\tif (nal_typenalu_parser, size - 1);\n\t\t}\n\t}\n\treturn RAP_NO;\n}", "project": "gpac", "hash": 254807437236475705021758823028196824983, "size": 66, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237587 }, { "func": "GF_Err gf_isom_remove_track_kind(GF_ISOFile *movie, u32 trackNumber, const char *schemeURI, const char *value)\n{\n\tGF_Err e;\n\tGF_UserDataBox *udta;\n\tGF_UserDataMap *map;\n\tu32 i;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\te = gf_isom_insert_moov(movie);\n\tif (e) return e;\n\n\tif (trackNumber) {\n\t\tGF_TrackBox *trak = 
gf_isom_get_track_from_file(movie, trackNumber);\n\t\tif (!trak) return GF_BAD_PARAM;\n\t\tif (!trak->udta) {\n\t\t\te = trak_on_child_box((GF_Box*)trak, gf_isom_box_new_parent(&trak->child_boxes, GF_ISOM_BOX_TYPE_UDTA), GF_FALSE);\n\t\t\tif (e) return e;\n\t\t}\n\t\tudta = trak->udta;\n\t} else {\n\t\treturn GF_OK;\n\t}\n\tmap = udta_getEntry(udta, GF_ISOM_BOX_TYPE_KIND, NULL);\n\tif (map) {\n\t\tfor (i=0; iboxes); i++) {\n\t\t\tGF_Box *b = (GF_Box *)gf_list_get(map->boxes, i);\n\t\t\tif (b->type == GF_ISOM_BOX_TYPE_KIND) {\n\t\t\t\tGF_KindBox *kb = (GF_KindBox *)b;\n\t\t\t\tif (!schemeURI ||\n\t\t\t\t (!strcmp(kb->schemeURI, schemeURI) &&\n\t\t\t\t ((value && kb->value && !strcmp(value, kb->value)) || (!value && !kb->value)))) {\n\t\t\t\t\tgf_isom_box_del_parent(&map->boxes, b);\n\t\t\t\t\ti--;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 48585137779987599996965729121221706035, "size": 40, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267179 }, { "func": "GF_Err gf_isom_add_user_data(GF_ISOFile *movie, u32 trackNumber, u32 UserDataType, bin128 UUID, u8 *data, u32 DataLength)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\tGF_UserDataBox *udta;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\tif (UserDataType == GF_ISOM_BOX_TYPE_UUID) UserDataType = 0;\n\n\tif (trackNumber) {\n\t\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\t\tif (!trak) return GF_BAD_PARAM;\n\t\tif (!trak->udta) trak_on_child_box((GF_Box*)trak, gf_isom_box_new_parent(&trak->child_boxes, GF_ISOM_BOX_TYPE_UDTA), GF_FALSE);\n\t\tudta = trak->udta;\n\t} else {\n\t\tif (!movie->moov->udta) moov_on_child_box((GF_Box*)movie->moov, gf_isom_box_new_parent(&movie->moov->child_boxes, GF_ISOM_BOX_TYPE_UDTA), GF_FALSE);\n\t\tudta = movie->moov->udta;\n\t}\n\tif (!udta) return GF_OUT_OF_MEM;\n\n\t//create a default box\n\tif (UserDataType) {\n\t\tGF_UnknownBox *a = 
(GF_UnknownBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_UNKNOWN);\n\t\tif (!a) return GF_OUT_OF_MEM;\n\t\ta->original_4cc = UserDataType;\n\t\tif (DataLength) {\n\t\t\ta->data = (char*)gf_malloc(sizeof(char)*DataLength);\n\t\t\tif (!a->data) return GF_OUT_OF_MEM;\n\t\t\tmemcpy(a->data, data, DataLength);\n\t\t\ta->dataSize = DataLength;\n\t\t}\n\t\treturn udta_on_child_box((GF_Box *)udta, (GF_Box *) a, GF_FALSE);\n\t} else {\n\t\tGF_UnknownUUIDBox *a = (GF_UnknownUUIDBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_UUID);\n\t\tif (!a) return GF_OUT_OF_MEM;\n\t\tmemcpy(a->uuid, UUID, 16);\n\t\tif (DataLength) {\n\t\t\ta->data = (char*)gf_malloc(sizeof(char)*DataLength);\n\t\t\tif (!a->data) return GF_OUT_OF_MEM;\n\t\t\tmemcpy(a->data, data, DataLength);\n\t\t\ta->dataSize = DataLength;\n\t\t}\n\t\treturn udta_on_child_box((GF_Box *)udta, (GF_Box *) a, GF_FALSE);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 122803780958925306091198156198302100747, "size": 48, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267282 }, { "func": "GF_Err gf_isom_clone_track(GF_ISOFile *orig_file, u32 orig_track, GF_ISOFile *dest_file, GF_ISOTrackCloneFlags flags, u32 *dest_track)\n{\n\tGF_TrackBox *trak, *new_tk;\n\tGF_BitStream *bs;\n\tu8 *data;\n\tconst u8 *buffer;\n\tu32 data_size;\n\tu32 i, count;\n\tGF_Err e;\n\tGF_SampleTableBox *stbl, *stbl_temp;\n\tGF_SampleEncryptionBox *senc;\n\n\te = CanAccessMovie(dest_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\te = gf_isom_insert_moov(dest_file);\n\tif (e) return e;\n\n\t/*get orig sample desc and clone it*/\n\ttrak = gf_isom_get_track_from_file(orig_file, orig_track);\n\tif (!trak || !trak->Media) return GF_BAD_PARAM;\n\n\tstbl = trak->Media->information->sampleTable;\n\tstbl_temp = (GF_SampleTableBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_STBL);\n\tif (!stbl_temp->child_boxes) stbl_temp->child_boxes = gf_list_new();\n\n\ttrak->Media->information->sampleTable = 
stbl_temp;\n\tgf_list_add(trak->Media->information->child_boxes, stbl_temp);\n\tgf_list_del_item(trak->Media->information->child_boxes, stbl);\n\n\tif (!stbl_temp->child_boxes) stbl_temp->child_boxes = gf_list_new();\n\n\t/*clone sampleDescription table*/\n\tstbl_temp->SampleDescription = stbl->SampleDescription;\n\tgf_list_add(stbl_temp->child_boxes, stbl->SampleDescription);\n\t/*also clone sampleGroups description tables if any*/\n\tstbl_temp->sampleGroupsDescription = stbl->sampleGroupsDescription;\n\tcount = gf_list_count(stbl->sampleGroupsDescription);\n\tfor (i=0; isampleGroupsDescription, i);\n\t\tgf_list_add(stbl_temp->child_boxes, b);\n\t}\n\t/*clone CompositionToDecode table, we may remove it later*/\n\tstbl_temp->CompositionToDecode = stbl->CompositionToDecode;\n\tgf_list_add(stbl_temp->child_boxes, stbl->CompositionToDecode);\n\n\tsenc = trak->sample_encryption;\n\tif (senc) {\n\t\tassert(trak->child_boxes);\n\t\tgf_list_del_item(trak->child_boxes, senc);\n\t\ttrak->sample_encryption = NULL;\n\t}\n\n\tbs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\n\tgf_isom_box_size( (GF_Box *) trak);\n\tgf_isom_box_write((GF_Box *) trak, bs);\n\tgf_bs_get_content(bs, &data, &data_size);\n\tgf_bs_del(bs);\n\tbs = gf_bs_new(data, data_size, GF_BITSTREAM_READ);\n\tif (flags & GF_ISOM_CLONE_TRACK_NO_QT)\n\t\tgf_bs_set_cookie(bs, GF_ISOM_BS_COOKIE_QT_CONV | GF_ISOM_BS_COOKIE_CLONE_TRACK);\n\telse\n\t\tgf_bs_set_cookie(bs, GF_ISOM_BS_COOKIE_CLONE_TRACK);\n\n\te = gf_isom_box_parse((GF_Box **) &new_tk, bs);\n\tgf_bs_del(bs);\n\tgf_free(data);\n\n\ttrak->Media->information->sampleTable = stbl;\n\tgf_list_del_item(trak->Media->information->child_boxes, stbl_temp);\n\tgf_list_add(trak->Media->information->child_boxes, stbl);\n\n\tif (senc) {\n\t\ttrak->sample_encryption = senc;\n\t\tgf_list_add(trak->child_boxes, senc);\n\t}\n\tgf_list_del_item(stbl_temp->child_boxes, stbl_temp->SampleDescription);\n\tstbl_temp->SampleDescription = NULL;\n\n\tcount = 
gf_list_count(stbl->sampleGroupsDescription);\n\tfor (i=0; isampleGroupsDescription, i);\n\t\tgf_list_del_item(stbl_temp->child_boxes, b);\n\t}\n\tstbl_temp->sampleGroupsDescription = NULL;\n\n\tgf_list_del_item(stbl_temp->child_boxes, stbl_temp->CompositionToDecode);\n\tstbl_temp->CompositionToDecode = NULL;\n\tgf_isom_box_del((GF_Box *)stbl_temp);\n\n\tif (e) {\n\t\tif (new_tk) gf_isom_box_del((GF_Box *)new_tk);\n\t\treturn e;\n\t}\n\n\tgf_isom_disable_inplace_rewrite(dest_file);\n\n\t/*create default boxes*/\n\tstbl = new_tk->Media->information->sampleTable;\n\tstbl->ChunkOffset = gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STCO);\n\tif (!stbl->ChunkOffset) return GF_OUT_OF_MEM;\n\tstbl->SampleSize = (GF_SampleSizeBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STSZ);\n\tif (!stbl->SampleSize) return GF_OUT_OF_MEM;\n\tstbl->SampleToChunk = (GF_SampleToChunkBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STSC);\n\tif (!stbl->SampleToChunk) return GF_OUT_OF_MEM;\n\tstbl->TimeToSample = (GF_TimeToSampleBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STTS);\n\tif (!stbl->TimeToSample) return GF_OUT_OF_MEM;\n\n\t/*check trackID validity before adding track*/\n\tif (gf_isom_get_track_by_id(dest_file, new_tk->Header->trackID)) {\n\t\tu32 ID = 1;\n\t\twhile (1) {\n\t\t\tif (RequestTrack(dest_file->moov, ID)) break;\n\t\t\tID += 1;\n\t\t\tif (ID == 0xFFFFFFFF) break;\n\t\t}\n\t\tnew_tk->Header->trackID = ID;\n\t}\n\tif (!dest_file->moov->child_boxes) dest_file->moov->child_boxes = gf_list_new();\n\tgf_list_add(dest_file->moov->child_boxes, new_tk);\n\tmoov_on_child_box((GF_Box*)dest_file->moov, (GF_Box *)new_tk, GF_FALSE);\n\n\t/*set originalID*/\n\tnew_tk->originalID = trak->Header->trackID;\n\t/*set originalFile*/\n\tbuffer = gf_isom_get_filename(orig_file);\n\tnew_tk->originalFile = gf_crc_32(buffer, (u32) strlen(buffer));\n\n\t/*rewrite edit list segmentDuration to new movie timescale*/\n\tif 
(dest_file->moov->mvhd->timeScale != orig_file->moov->mvhd->timeScale) {\n\t\tDouble ts_scale = dest_file->moov->mvhd->timeScale;\n\t\tts_scale /= orig_file->moov->mvhd->timeScale;\n\t\tnew_tk->Header->duration = (u64) (new_tk->Header->duration * ts_scale);\n\t\tif (new_tk->editBox && new_tk->editBox->editList) {\n\t\t\tcount = gf_list_count(new_tk->editBox->editList->entryList);\n\t\t\tfor (i=0; ieditBox->editList->entryList, i);\n\t\t\t\tent->segmentDuration = (u64) (ent->segmentDuration * ts_scale);\n\t\t\t}\n\t\t}\n\t}\n\n\tif (!new_tk->Media->information->dataInformation->dref) return GF_BAD_PARAM;\n\n\t/*reset data ref*/\n\tif (! (flags & GF_ISOM_CLONE_TRACK_KEEP_DREF) ) {\n\t\tGF_SampleEntryBox *entry;\n\t\tBool use_alis = GF_FALSE;\n\t\tif (! (flags & GF_ISOM_CLONE_TRACK_NO_QT)) {\n\t\t\tGF_Box *b = gf_list_get(new_tk->Media->information->dataInformation->dref->child_boxes, 0);\n\t\t\tif (b && b->type==GF_QT_BOX_TYPE_ALIS)\n\t\t\t\tuse_alis = GF_TRUE;\n\t\t}\n\t\tgf_isom_box_array_del(new_tk->Media->information->dataInformation->dref->child_boxes);\n\t\tnew_tk->Media->information->dataInformation->dref->child_boxes = gf_list_new();\n\t\t/*update data ref*/\n\t\tentry = (GF_SampleEntryBox*)gf_list_get(new_tk->Media->information->sampleTable->SampleDescription->child_boxes, 0);\n\t\tif (entry) {\n\t\t\tu32 dref;\n\t\t\tMedia_CreateDataRef(dest_file, new_tk->Media->information->dataInformation->dref, use_alis ? 
\"alis\" : NULL, NULL, &dref);\n\t\t\tentry->dataReferenceIndex = dref;\n\t\t}\n\t} else {\n\t\tfor (i=0; iMedia->information->dataInformation->dref->child_boxes); i++) {\n\t\t\tGF_DataEntryBox *dref_entry = (GF_DataEntryBox *)gf_list_get(new_tk->Media->information->dataInformation->dref->child_boxes, i);\n\t\t\tif (dref_entry->flags & 1) {\n\t\t\t\tdref_entry->flags &= ~1;\n\t\t\t\te = Media_SetDrefURL((GF_DataEntryURLBox *)dref_entry, orig_file->fileName, dest_file->finalName);\n\t\t\t\tif (e) return e;\n\t\t\t}\n\t\t}\n\t}\n\n\t*dest_track = gf_list_count(dest_file->moov->trackList);\n\n\tif (dest_file->moov->mvhd->nextTrackID<= new_tk->Header->trackID)\n\t\tdest_file->moov->mvhd->nextTrackID = new_tk->Header->trackID+1;\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 197205634511172099506802362365712880924, "size": 180, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267261 }, { "func": "GF_Err stbl_SampleSizeAppend(GF_SampleSizeBox *stsz, u32 data_size)\n{\n\tu32 i;\n\tif (!stsz || !stsz->sampleCount) return GF_BAD_PARAM;\n\n\t//we must realloc our table\n\tif (stsz->sampleSize) {\n\t\tstsz->sizes = (u32*)gf_malloc(sizeof(u32)*stsz->sampleCount);\n\t\tif (!stsz->sizes) return GF_OUT_OF_MEM;\n\t\tfor (i=0; isampleCount; i++) stsz->sizes[i] = stsz->sampleSize;\n\t\tstsz->sampleSize = 0;\n\t}\n\tif (!stsz->sizes) {\n\t\tstsz->sampleSize = data_size;\n\t} else {\n\t\tu32 single_size;\n\t\tstsz->sizes[stsz->sampleCount-1] += data_size;\n\n\t\tsingle_size = stsz->sizes[0];\n\t\tfor (i=1; isampleCount; i++) {\n\t\t\tif (stsz->sizes[i] != single_size) {\n\t\t\t\tsingle_size = 0;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (single_size) {\n\t\t\tstsz->sampleSize = single_size;\n\t\t\tgf_free(stsz->sizes);\n\t\t\tstsz->sizes = NULL;\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 105833506955750632833831726623523445382, "size": 33, "commit_id": 
"77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267904 }, { "func": "GF_Err gnra_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tGF_GenericAudioSampleEntryBox *ptr = (GF_GenericAudioSampleEntryBox *)s;\n\n\t//carefull we are not writing the box type but the entry type so switch for write\n\tptr->type = ptr->EntryType;\n\te = gf_isom_box_write_header(s, bs);\n\tif (e) return e;\n\tptr->type = GF_ISOM_BOX_TYPE_GNRA;\n\n\tgf_isom_audio_sample_entry_write((GF_AudioSampleEntryBox *)ptr, bs);\n\tif (ptr->data) {\n\t\tgf_bs_write_data(bs, ptr->data, ptr->data_size);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 28645882787079022846966811264755663930, "size": 17, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264848 }, { "func": "GF_Err gf_isom_set_creation_time(GF_ISOFile *movie, u64 ctime, u64 mtime)\n{\n\tif (!movie || !movie->moov) return GF_BAD_PARAM;\n\tmovie->moov->mvhd->creationTime = ctime;\n\tmovie->moov->mvhd->modificationTime = mtime;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 304448189359914410496668288553144116846, "size": 7, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267351 }, { "func": "GF_Err stbl_AppendTime(GF_SampleTableBox *stbl, u32 duration, u32 nb_pack)\n{\n\tGF_TimeToSampleBox *stts = stbl->TimeToSample;\n\n\tCHECK_PACK(GF_ISOM_INVALID_FILE)\n\n\tif (stts->nb_entries) {\n\t\tif (stts->entries[stts->nb_entries-1].sampleDelta == duration) {\n\t\t\tstts->entries[stts->nb_entries-1].sampleCount += nb_pack;\n\t\t\treturn GF_OK;\n\t\t}\n\t}\n\tif (stts->nb_entries==stts->alloc_size) {\n\t\tALLOC_INC(stts->alloc_size);\n\t\tstts->entries = gf_realloc(stts->entries, sizeof(GF_SttsEntry)*stts->alloc_size);\n\t\tif (!stts->entries) return GF_OUT_OF_MEM;\n\t\tmemset(&stts->entries[stts->nb_entries], 0, 
sizeof(GF_SttsEntry)*(stts->alloc_size-stts->nb_entries) );\n\t}\n\tstts->entries[stts->nb_entries].sampleCount = nb_pack;\n\tstts->entries[stts->nb_entries].sampleDelta = duration;\n\tstts->nb_entries++;\n\tif (stts->max_ts_delta < duration ) stts->max_ts_delta = duration;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 252743162037282233889050675957037349565, "size": 24, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267898 }, { "func": "GF_EXPORT\nGF_Err gf_isom_open_segment(GF_ISOFile *movie, const char *fileName, u64 start_range, u64 end_range, GF_ISOSegOpenMode flags)\n{\n#ifdef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\treturn GF_NOT_SUPPORTED;\n#else\n\tu64 MissingBytes;\n\tGF_Err e;\n\tu32 i;\n\tBool segment_map_assigned = GF_FALSE;\n\tBool is_scalable_segment = (flags & GF_ISOM_SEGMENT_SCALABLE_FLAG) ? GF_TRUE : GF_FALSE;\n\tBool no_order_check = (flags & GF_ISOM_SEGMENT_NO_ORDER_FLAG) ? GF_TRUE: GF_FALSE;\n\tGF_DataMap *tmp = NULL;\n\tGF_DataMap *orig_file_map = NULL;\n\tif (!movie || !movie->moov || !movie->moov->mvex) return GF_BAD_PARAM;\n\tif (movie->openMode != GF_ISOM_OPEN_READ) return GF_BAD_PARAM;\n\n\t/*this is a scalable segment - use a temp data map for the associated track(s) but do NOT touch the movie file map*/\n\tif (is_scalable_segment) {\n\t\ttmp = NULL;\n\t\te = gf_isom_datamap_new(fileName, NULL, GF_ISOM_DATA_MAP_READ_ONLY, &tmp);\n\t\tif (e) return e;\n\n\t\torig_file_map = movie->movieFileMap;\n\t\tmovie->movieFileMap = tmp;\n\t} else {\n\t\tif (movie->movieFileMap)\n\t\t\tgf_isom_release_segment(movie, GF_FALSE);\n\n\t\te = gf_isom_datamap_new(fileName, NULL, GF_ISOM_DATA_MAP_READ_ONLY, &movie->movieFileMap);\n\t\tif (e) return e;\n\t}\n\tmovie->moov->compressed_diff = 0;\n\tmovie->current_top_box_start = 0;\n\n\tif (start_range || end_range) {\n\t\tif (end_range > start_range) {\n\t\t\tgf_bs_seek(movie->movieFileMap->bs, 
end_range+1);\n\t\t\tgf_bs_truncate(movie->movieFileMap->bs);\n\t\t}\n\t\tgf_bs_seek(movie->movieFileMap->bs, start_range);\n\t\tmovie->current_top_box_start = start_range;\n\t}\n\n\tfor (i=0; imoov->trackList); i++) {\n\t\tGF_TrackBox *trak = (GF_TrackBox*)gf_list_get(movie->moov->trackList, i);\n\n\t\tif (!is_scalable_segment) {\n\t\t\t/*reset data handler to new segment*/\n\t\t\tif (trak->Media->information->dataHandler == NULL) {\n\t\t\t\ttrak->Media->information->dataHandler = movie->movieFileMap;\n\t\t\t}\n\t\t} else {\n\t\t\ttrak->present_in_scalable_segment = GF_FALSE;\n\t\t}\n\t}\n\tif (no_order_check) movie->NextMoofNumber = 0;\n\n\t//ok parse root boxes\n\te = gf_isom_parse_movie_boxes(movie, NULL, &MissingBytes, GF_TRUE);\n\n\tif (!is_scalable_segment)\n\t\treturn e;\n\n\tfor (i=0; imoov->trackList); i++) {\n\t\tGF_TrackBox *trak = (GF_TrackBox*)gf_list_get(movie->moov->trackList, i);\n\t\tif (trak->present_in_scalable_segment) {\n\t\t\t/*store the temp dataHandler into scalableDataHandler so that it will not be destroyed\n\t\t\tif we append another representation - destruction of this data handler is done in release_segment*/\n\t\t\ttrak->Media->information->scalableDataHandler = tmp;\n\t\t\tif (!segment_map_assigned) {\n\t\t\t\ttrak->Media->information->scalableDataHandler = tmp;\n\t\t\t\tsegment_map_assigned = GF_TRUE;\n\t\t\t}\n\t\t\t//and update the regular dataHandler for the Media_GetSample function\n\t\t\ttrak->Media->information->dataHandler = tmp;\n\t\t}\n\t}\n\tmovie->movieFileMap = \torig_file_map;\n\treturn e;\n#endif", "project": "gpac", "hash": 329900638363676741527101539858195116299, "size": 81, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246847 }, { "func": "GF_Err stbl_AddChunkOffset(GF_MediaBox *mdia, u32 sampleNumber, u32 StreamDescIndex, u64 offset, u32 nb_pack)\n{\n\tGF_SampleTableBox *stbl;\n\tGF_ChunkOffsetBox *stco;\n\tGF_SampleToChunkBox 
*stsc;\n\tGF_ChunkLargeOffsetBox *co64;\n\tGF_StscEntry *ent;\n\tu32 i, k, *newOff, new_chunk_idx=0;\n\tu64 *newLarge;\n\ts32 insert_idx = -1;\n\n\tstbl = mdia->information->sampleTable;\n\tstsc = stbl->SampleToChunk;\n\n//\tif (stsc->w_lastSampleNumber + 1 < sampleNumber ) return GF_BAD_PARAM;\n\tCHECK_PACK(GF_BAD_PARAM)\n\n\tif (!stsc->nb_entries || (stsc->nb_entries + 2 >= stsc->alloc_size)) {\n\t\tif (!stsc->alloc_size) stsc->alloc_size = 1;\n\t\tALLOC_INC(stsc->alloc_size);\n\t\tstsc->entries = gf_realloc(stsc->entries, sizeof(GF_StscEntry)*stsc->alloc_size);\n\t\tif (!stsc->entries) return GF_OUT_OF_MEM;\n\t\tmemset(&stsc->entries[stsc->nb_entries], 0, sizeof(GF_StscEntry)*(stsc->alloc_size-stsc->nb_entries) );\n\t}\n\tif (sampleNumber == stsc->w_lastSampleNumber + 1) {\n\t\tent = &stsc->entries[stsc->nb_entries];\n\t\tstsc->w_lastChunkNumber ++;\n\t\tent->firstChunk = stsc->w_lastChunkNumber;\n\t\tif (stsc->nb_entries) stsc->entries[stsc->nb_entries-1].nextChunk = stsc->w_lastChunkNumber;\n\n\t\tnew_chunk_idx = stsc->w_lastChunkNumber;\n\t\tstsc->w_lastSampleNumber = sampleNumber + nb_pack-1;\n\t\tstsc->nb_entries += 1;\n\t} else {\n\t\tu32 cur_samp = 1;\n\t\tu32 samples_in_next_entry = 0;\n\t\tu32 next_entry_first_chunk = 1;\n\t\tfor (i=0; inb_entries; i++) {\n\t\t\tu32 nb_chunks = 1;\n\t\t\tent = &stsc->entries[i];\n\t\t\tif (i+1nb_entries) nb_chunks = stsc->entries[i+1].firstChunk - ent->firstChunk;\n\t\t\tfor (k=0; ksamplesPerChunk + cur_samp > sampleNumber)) {\n\t\t\t\t\tinsert_idx = i;\n\t\t\t\t\t//stsc entry has samples before inserted sample, split\n\t\t\t\t\tif (sampleNumber>cur_samp) {\n\t\t\t\t\t\tsamples_in_next_entry = ent->samplesPerChunk - (sampleNumber-cur_samp);\n\t\t\t\t\t\tent->samplesPerChunk = sampleNumber-cur_samp;\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tcur_samp += ent->samplesPerChunk;\n\t\t\t\tnext_entry_first_chunk++;\n\t\t\t}\n\t\t\tif (insert_idx>=0) break;\n\t\t}\n\t\t//we need to split the entry\n\t\tif 
(samples_in_next_entry) {\n\t\t\tmemmove(&stsc->entries[insert_idx+3], &stsc->entries[insert_idx+1], sizeof(GF_StscEntry)*(stsc->nb_entries - insert_idx - 1));\n\t\t\t//copy over original entry\n\t\t\tent = &stsc->entries[insert_idx];\n\t\t\tstsc->entries[insert_idx+2] = *ent;\n\t\t\tstsc->entries[insert_idx+2].samplesPerChunk = samples_in_next_entry;\n\t\t\tstsc->entries[insert_idx+2].firstChunk = next_entry_first_chunk + 1;\n\n\t\t\t//setup new entry\n\t\t\tent = &stsc->entries[insert_idx+1];\n\t\t\tent->firstChunk = next_entry_first_chunk;\n\n\t\t\tstsc->nb_entries += 2;\n\t\t} else {\n\t\t\tif (insert_idx<0) {\n\t\t\t\tent = &stsc->entries[stsc->nb_entries];\n\t\t\t\tinsert_idx = stsc->nb_entries;\n\t\t\t} else {\n\t\t\t\tmemmove(&stsc->entries[insert_idx+1], &stsc->entries[insert_idx], sizeof(GF_StscEntry)*(stsc->nb_entries+1-insert_idx));\n\t\t\t\tent = &stsc->entries[insert_idx+1];\n\t\t\t}\n\n\t\t\tent->firstChunk = next_entry_first_chunk;\n\t\t\tstsc->nb_entries += 1;\n\t\t}\n\t\tnew_chunk_idx = next_entry_first_chunk;\n\t}\n\tent->isEdited = (Media_IsSelfContained(mdia, StreamDescIndex)) ? 
1 : 0;\n\tent->sampleDescriptionIndex = StreamDescIndex;\n\tent->samplesPerChunk = nb_pack;\n\tent->nextChunk = ent->firstChunk+1;\n\n\t//OK, now if we've inserted a chunk, update the sample to chunk info...\n\tif (sampleNumber + nb_pack - 1 == stsc->w_lastSampleNumber) {\n\t\tif (stsc->nb_entries)\n\t\t\tstsc->entries[stsc->nb_entries-1].nextChunk = ent->firstChunk;\n\n\t\tstbl->SampleToChunk->currentIndex = stsc->nb_entries-1;\n\t\tstbl->SampleToChunk->firstSampleInCurrentChunk = sampleNumber;\n\t\t//write - edit mode: sample number = chunk number\n\t\tstbl->SampleToChunk->currentChunk = stsc->w_lastChunkNumber;\n\t\tstbl->SampleToChunk->ghostNumber = 1;\n\t} else {\n\t\t/*offset remaining entries*/\n\t\tfor (i = insert_idx+1; inb_entries+1; i++) {\n\t\t\tstsc->entries[i].firstChunk++;\n\t\t\tif (i+1nb_entries)\n\t\t\t\tstsc->entries[i-1].nextChunk = stsc->entries[i].firstChunk;\n\t\t}\n\t}\n\n\t//add the offset to the chunk...\n\t//and we change our offset\n\tif (stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) {\n\t\tstco = (GF_ChunkOffsetBox *)stbl->ChunkOffset;\n\t\t//if the new offset is a large one, we have to rewrite our table entry by entry (32->64 bit conv)...\n\t\tif (offset > 0xFFFFFFFF) {\n\t\t\tco64 = (GF_ChunkLargeOffsetBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_CO64);\n\t\t\tif (!co64) return GF_OUT_OF_MEM;\n\t\t\tco64->nb_entries = stco->nb_entries + 1;\n\t\t\tco64->alloc_size = co64->nb_entries;\n\t\t\tco64->offsets = (u64*)gf_malloc(sizeof(u64) * co64->nb_entries);\n\t\t\tif (!co64->offsets) return GF_OUT_OF_MEM;\n\t\t\tk = 0;\n\t\t\tfor (i=0; inb_entries; i++) {\n\t\t\t\tif (i + 1 == new_chunk_idx) {\n\t\t\t\t\tco64->offsets[i] = offset;\n\t\t\t\t\tk = 1;\n\t\t\t\t}\n\t\t\t\tco64->offsets[i+k] = (u64) stco->offsets[i];\n\t\t\t}\n\t\t\tif (!k) co64->offsets[co64->nb_entries - 1] = offset;\n\t\t\tgf_isom_box_del_parent(&stbl->child_boxes, stbl->ChunkOffset);\n\t\t\tstbl->ChunkOffset = (GF_Box *) co64;\n\t\t} else 
{\n\t\t\t//no, we can use this one.\n\t\t\tif (new_chunk_idx > stco->nb_entries) {\n\t\t\t\tif (!stco->alloc_size) stco->alloc_size = stco->nb_entries;\n\t\t\t\tif (stco->nb_entries == stco->alloc_size) {\n\t\t\t\t\tALLOC_INC(stco->alloc_size);\n\t\t\t\t\tstco->offsets = (u32*)gf_realloc(stco->offsets, sizeof(u32) * stco->alloc_size);\n\t\t\t\t\tif (!stco->offsets) return GF_OUT_OF_MEM;\n\t\t\t\t\tmemset(&stco->offsets[stco->nb_entries], 0, sizeof(u32) * (stco->alloc_size-stco->nb_entries) );\n\t\t\t\t}\n\t\t\t\tstco->offsets[stco->nb_entries] = (u32) offset;\n\t\t\t\tstco->nb_entries += 1;\n\t\t\t} else {\n\t\t\t\t//nope. we're inserting\n\t\t\t\tnewOff = (u32*)gf_malloc(sizeof(u32) * (stco->nb_entries + 1));\n\t\t\t\tif (!newOff) return GF_OUT_OF_MEM;\n\t\t\t\tk=0;\n\t\t\t\tfor (i=0; inb_entries; i++) {\n\t\t\t\t\tif (i+1 == new_chunk_idx) {\n\t\t\t\t\t\tnewOff[i] = (u32) offset;\n\t\t\t\t\t\tk=1;\n\t\t\t\t\t}\n\t\t\t\t\tnewOff[i+k] = stco->offsets[i];\n\t\t\t\t}\n\t\t\t\tgf_free(stco->offsets);\n\t\t\t\tstco->offsets = newOff;\n\t\t\t\tstco->nb_entries ++;\n\t\t\t\tstco->alloc_size = stco->nb_entries;\n\t\t\t}\n\t\t}\n\t} else {\n\t\t//use large offset...\n\t\tco64 = (GF_ChunkLargeOffsetBox *)stbl->ChunkOffset;\n\t\tif (sampleNumber > co64->nb_entries) {\n\t\t\tif (!co64->alloc_size) co64->alloc_size = co64->nb_entries;\n\t\t\tif (co64->nb_entries == co64->alloc_size) {\n\t\t\t\tALLOC_INC(co64->alloc_size);\n\t\t\t\tco64->offsets = (u64*)gf_realloc(co64->offsets, sizeof(u64) * co64->alloc_size);\n\t\t\t\tif (!co64->offsets) return GF_OUT_OF_MEM;\n\t\t\t\tmemset(&co64->offsets[co64->nb_entries], 0, sizeof(u64) * (co64->alloc_size - co64->nb_entries) );\n\t\t\t}\n\t\t\tco64->offsets[co64->nb_entries] = offset;\n\t\t\tco64->nb_entries += 1;\n\t\t} else {\n\t\t\t//nope. 
we're inserting\n\t\t\tnewLarge = (u64*)gf_malloc(sizeof(u64) * (co64->nb_entries + 1));\n\t\t\tif (!newLarge) return GF_OUT_OF_MEM;\n\t\t\tk=0;\n\t\t\tfor (i=0; inb_entries; i++) {\n\t\t\t\tif (i+1 == new_chunk_idx) {\n\t\t\t\t\tnewLarge[i] = offset;\n\t\t\t\t\tk=1;\n\t\t\t\t}\n\t\t\t\tnewLarge[i+k] = co64->offsets[i];\n\t\t\t}\n\t\t\tgf_free(co64->offsets);\n\t\t\tco64->offsets = newLarge;\n\t\t\tco64->nb_entries++;\n\t\t\tco64->alloc_size++;\n\t\t}\n\t}\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 18239218717088658723257669698164166312, "size": 195, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267877 }, { "func": "void PrintExtractUsage()\n{\n\tu32 i=0;\n\tgf_sys_format_help(helpout, help_flags, \"# Extracting Options\\n\"\n\t\"MP4Box can be used to extract media tracks from MP4 files. If you need to convert these tracks however, please check the [filters doc](Filters).\\n\"\n\t\" \\n\"\n\t\"Options:\\n\"\n\t);\n\twhile (m4b_extr_args[i].name) {\n\t\tGF_GPACArg *arg = &m4b_extr_args[i];\n\t\ti++;\n\t\tgf_sys_print_arg(helpout, help_flags, arg, \"mp4box-extract\");\n\t}\n}", "project": "gpac", "hash": 134444745689376316706017061611262899659, "size": 14, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244387 }, { "func": "GF_ISOMHEVCType gf_isom_get_hevc_lhvc_type(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex)\n{\n\tu32 type;\n\tGF_TrackBox *trak;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !DescriptionIndex) return GF_ISOM_HEVCTYPE_NONE;\n\tif (!gf_isom_is_video_handler_type(trak->Media->handler->handlerType))\n\t\treturn GF_ISOM_HEVCTYPE_NONE;\n\tentry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1);\n\tif 
(!entry) return GF_ISOM_HEVCTYPE_NONE;\n\ttype = entry->type;\n\n\tif (type == GF_ISOM_BOX_TYPE_ENCV) {\n\t\tGF_ProtectionSchemeInfoBox *sinf = (GF_ProtectionSchemeInfoBox *) gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_SINF);\n\t\tif (sinf && sinf->original_format) type = sinf->original_format->data_format;\n\t}\n\telse if (type == GF_ISOM_BOX_TYPE_RESV) {\n\t\tif (entry->rinf && entry->rinf->original_format) type = entry->rinf->original_format->data_format;\n\t}\n\n\tif (type == GF_ISOM_BOX_TYPE_DVHE) {\n\t\ttype = GF_ISOM_BOX_TYPE_HEV1;\n\t}\n\n\tswitch (type) {\n\tcase GF_ISOM_BOX_TYPE_HVC1:\n\tcase GF_ISOM_BOX_TYPE_HEV1:\n\tcase GF_ISOM_BOX_TYPE_HVC2:\n\tcase GF_ISOM_BOX_TYPE_HEV2:\n\tcase GF_ISOM_BOX_TYPE_LHV1:\n\tcase GF_ISOM_BOX_TYPE_LHE1:\n\tcase GF_ISOM_BOX_TYPE_HVT1:\n\t\tbreak;\n\tdefault:\n\t\treturn GF_ISOM_HEVCTYPE_NONE;\n\t}\n\tif (entry->hevc_config && !entry->lhvc_config) return GF_ISOM_HEVCTYPE_HEVC_ONLY;\n\tif (entry->hevc_config && entry->lhvc_config) return GF_ISOM_HEVCTYPE_HEVC_LHVC;\n\tif (!entry->hevc_config && entry->lhvc_config) return GF_ISOM_HEVCTYPE_LHVC_ONLY;\n\treturn GF_ISOM_HEVCTYPE_NONE;\n}", "project": "gpac", "hash": 38915743533465931721573168192463350064, "size": 42, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237620 }, { "func": "GF_Err gf_isom_track_cenc_add_sample_info(GF_ISOFile *the_file, u32 trackNumber, u32 container_type, u8 *buf, u32 len, Bool use_subsamples, Bool use_saio_32bit, Bool use_multikey)\n{\n\tGF_SampleEncryptionBox *senc;\n\tGF_CENCSampleAuxInfo *sai;\n\tGF_SampleTableBox *stbl;\n\tGF_TrackBox *trak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\tstbl = trak->Media->information->sampleTable;\n\tif (!stbl) return GF_BAD_PARAM;\n\n\tswitch (container_type) {\n\tcase GF_ISOM_BOX_UUID_PSEC:\n\tcase GF_ISOM_BOX_TYPE_SENC:\n\tcase 0:\n\t\tsenc = 
trak->sample_encryption;\n\t\tbreak;\n\tdefault:\n\t\treturn GF_NOT_SUPPORTED;\n\t}\n\n\tif (len && buf) {\n\t\tGF_SAFEALLOC(sai, GF_CENCSampleAuxInfo);\n\t\tif (!sai) return GF_OUT_OF_MEM;\n\t\tsai->cenc_data_size = len;\n\t\tsai->cenc_data = gf_malloc(sizeof(u8) * len);\n\t\tif (!sai->cenc_data) {\n\t\t\tgf_free(sai);\n\t\t\treturn GF_OUT_OF_MEM;\n\t\t}\n\t\tmemcpy(sai->cenc_data, buf, len);\n\n\t\tgf_list_add(senc->samp_aux_info, sai);\n\t} else {\n\t\tGF_SAFEALLOC(sai, GF_CENCSampleAuxInfo);\n\t\tif (!sai) return GF_OUT_OF_MEM;\n\t\tgf_list_add(senc->samp_aux_info, sai);\n\t\tsai->isNotProtected = 1;\n\t}\n\tif (use_subsamples)\n\t\tsenc->flags = 0x00000002;\n\tif (use_multikey)\n\t\tsenc->version = 1;\n\n#ifndef GPAC_DISABLE_ISOM_FRAGMENTS\n\tgf_isom_cenc_set_saiz_saio(senc, stbl, NULL, sai->cenc_data_size, use_saio_32bit, use_multikey);\n#endif\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 242635886286773675139739925539948124923, "size": 49, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275427 }, { "func": "GF_Err stbl_GetSampleCTS(GF_CompositionOffsetBox *ctts, u32 SampleNumber, s32 *CTSoffset)\n{\n\tu32 i;\n\n\t(*CTSoffset) = 0;\n\t//test on SampleNumber is done before\n\tif (!ctts || !SampleNumber) return GF_BAD_PARAM;\n\n\tif (ctts->r_FirstSampleInEntry && (ctts->r_FirstSampleInEntry < SampleNumber) ) {\n\t\ti = ctts->r_currentEntryIndex;\n\t} else {\n\t\tctts->r_FirstSampleInEntry = 1;\n\t\tctts->r_currentEntryIndex = 0;\n\t\ti = 0;\n\t}\n\tfor (; i< ctts->nb_entries; i++) {\n\t\tif (SampleNumber < ctts->r_FirstSampleInEntry + ctts->entries[i].sampleCount) break;\n\t\t//update our cache\n\t\tctts->r_currentEntryIndex += 1;\n\t\tctts->r_FirstSampleInEntry += ctts->entries[i].sampleCount;\n\t}\n\t//no ent, set everything to 0...\n\tif (i==ctts->nb_entries) return GF_OK;\n\t/*asked for a sample not in table - this means CTTS is 0 (that's due to out internal packing 
construction of CTTS)*/\n\tif (SampleNumber >= ctts->r_FirstSampleInEntry + ctts->entries[i].sampleCount) return GF_OK;\n\t(*CTSoffset) = ctts->entries[i].decodingOffset;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 328252495881622073275483219083614341739, "size": 28, "commit_id": "2da2f68bffd51d89b1d272d22aa8cc023c1c066e", "message": "fixed #1705", "target": 0, "dataset": "other", "idx": 258556 }, { "func": "static GF_Err gf_isom_full_box_read(GF_Box *ptr, GF_BitStream *bs)\n{\n\tif (ptr->registry->max_version_plus_one) {\n\t\tGF_FullBox *self = (GF_FullBox *) ptr;\n\t\tif (ptr->size<4) return GF_ISOM_INVALID_FILE;\n\t\tself->version = gf_bs_read_u8(bs);\n\t\tself->flags = gf_bs_read_u24(bs);\n\t\tptr->size -= 4;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 249198970355127261027202002769375653688, "size": 11, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224906 }, { "func": "GF_Err stbl_AppendSize(GF_SampleTableBox *stbl, u32 size, u32 nb_pack)\n{\n\tu32 i;\n\tif (!nb_pack) nb_pack = 1;\n\n\tif (!stbl->SampleSize->sampleCount) {\n\t\tstbl->SampleSize->sampleSize = size;\n\t\tstbl->SampleSize->sampleCount += nb_pack;\n\t\treturn GF_OK;\n\t}\n\tif (stbl->SampleSize->sampleSize && (stbl->SampleSize->sampleSize==size)) {\n\t\tstbl->SampleSize->sampleCount += nb_pack;\n\t\treturn GF_OK;\n\t}\n\tif (!stbl->SampleSize->sizes || (stbl->SampleSize->sampleCount+nb_pack > stbl->SampleSize->alloc_size)) {\n\t\tBool init_table = (stbl->SampleSize->sizes==NULL) ? 
1 : 0;\n\t\tALLOC_INC(stbl->SampleSize->alloc_size);\n\t\tif (stbl->SampleSize->sampleCount+nb_pack > stbl->SampleSize->alloc_size)\n\t\t\tstbl->SampleSize->alloc_size = stbl->SampleSize->sampleCount+nb_pack;\n\n\t\tstbl->SampleSize->sizes = (u32 *)gf_realloc(stbl->SampleSize->sizes, sizeof(u32)*stbl->SampleSize->alloc_size);\n\t\tif (!stbl->SampleSize->sizes) return GF_OUT_OF_MEM;\n\t\tmemset(&stbl->SampleSize->sizes[stbl->SampleSize->sampleCount], 0, sizeof(u32) * (stbl->SampleSize->alloc_size - stbl->SampleSize->sampleCount) );\n\n\t\tif (init_table) {\n\t\t\tfor (i=0; iSampleSize->sampleCount; i++)\n\t\t\t\tstbl->SampleSize->sizes[i] = stbl->SampleSize->sampleSize;\n\t\t}\n\t}\n\tstbl->SampleSize->sampleSize = 0;\n\tfor (i=0; iSampleSize->sizes[stbl->SampleSize->sampleCount+i] = size;\n\t}\n\tstbl->SampleSize->sampleCount += nb_pack;\n\tif (size > stbl->SampleSize->max_size)\n\t\tstbl->SampleSize->max_size = size;\n\tstbl->SampleSize->total_size += size;\n\tstbl->SampleSize->total_samples += nb_pack;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 40626517707074933311961960171654671734, "size": 40, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 1, "dataset": "other", "idx": 197993 }, { "func": "GF_Err stbl_AppendSize(GF_SampleTableBox *stbl, u32 size, u32 nb_pack)\n{\n\tu32 i;\n\tCHECK_PACK(GF_ISOM_INVALID_FILE)\n\n\tif (!stbl->SampleSize->sampleCount) {\n\t\tstbl->SampleSize->sampleSize = size;\n\t\tstbl->SampleSize->sampleCount += nb_pack;\n\t\treturn GF_OK;\n\t}\n\tif (stbl->SampleSize->sampleSize && (stbl->SampleSize->sampleSize==size)) {\n\t\tstbl->SampleSize->sampleCount += nb_pack;\n\t\treturn GF_OK;\n\t}\n\n\tif (!stbl->SampleSize->sizes || (stbl->SampleSize->sampleCount+nb_pack > stbl->SampleSize->alloc_size)) {\n\t\tBool init_table = (stbl->SampleSize->sizes==NULL) ? 
1 : 0;\n\t\tALLOC_INC(stbl->SampleSize->alloc_size);\n\t\tif (stbl->SampleSize->sampleCount+nb_pack > stbl->SampleSize->alloc_size) {\n\t\t\tstbl->SampleSize->alloc_size = stbl->SampleSize->sampleCount+nb_pack;\n\t\t}\n\n\t\tstbl->SampleSize->sizes = (u32 *)gf_realloc(stbl->SampleSize->sizes, sizeof(u32)*stbl->SampleSize->alloc_size);\n\t\tif (!stbl->SampleSize->sizes) return GF_OUT_OF_MEM;\n\t\tmemset(&stbl->SampleSize->sizes[stbl->SampleSize->sampleCount], 0, sizeof(u32) * (stbl->SampleSize->alloc_size - stbl->SampleSize->sampleCount) );\n\n\t\tif (init_table) {\n\t\t\tfor (i=0; iSampleSize->sampleCount; i++)\n\t\t\t\tstbl->SampleSize->sizes[i] = stbl->SampleSize->sampleSize;\n\t\t}\n\t}\n\tstbl->SampleSize->sampleSize = 0;\n\tfor (i=0; iSampleSize->sizes[stbl->SampleSize->sampleCount+i] = size;\n\t}\n\tstbl->SampleSize->sampleCount += nb_pack;\n\tif (size > stbl->SampleSize->max_size)\n\t\tstbl->SampleSize->max_size = size;\n\tstbl->SampleSize->total_size += size;\n\tstbl->SampleSize->total_samples += nb_pack;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 253799151103891324267945073818521020976, "size": 42, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267899 }, { "func": "GF_Err Media_UpdateSampleReference(GF_MediaBox *mdia, u32 sampleNumber, GF_ISOSample *sample, u64 data_offset)\n{\n\tGF_Err e;\n\tu32 drefIndex, chunkNum, descIndex;\n\tu64 off, DTS;\n\tGF_DataEntryURLBox *Dentry;\n\tGF_SampleTableBox *stbl;\n\n\tif (!mdia) return GF_BAD_PARAM;\n\tstbl = mdia->information->sampleTable;\n\n\t//check we have the sampe dts\n\te = stbl_GetSampleDTS(stbl->TimeToSample, sampleNumber, &DTS);\n\tif (e) return e;\n\tif (DTS != sample->DTS) return GF_BAD_PARAM;\n\n\t//get our infos\n\tstbl_GetSampleInfos(stbl, sampleNumber, &off, &chunkNum, &descIndex, NULL);\n\n\t//then check the data ref\n\te = Media_GetSampleDesc(mdia, descIndex, NULL, &drefIndex);\n\tif (e) return e;\n\tDentry = 
(GF_DataEntryURLBox*)gf_list_get(mdia->information->dataInformation->dref->child_boxes, drefIndex - 1);\n\tif (!Dentry) return GF_ISOM_INVALID_FILE;\n\n\t//we only modify self-contained data\n\tif (Dentry->flags == 1) return GF_ISOM_INVALID_MODE;\n\n\t//and we don't modify the media data\n\treturn UpdateSample(mdia, sampleNumber, sample->dataLength, sample->CTS_Offset, data_offset, sample->IsRAP);\n}", "project": "gpac", "hash": 32563842266831545788248359489723971253, "size": 31, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231625 }, { "func": "GF_Err gf_isom_set_watermark(GF_ISOFile *movie, bin128 UUID, u8* data, u32 length)\n{\n\tGF_Err e;\n\tGF_UnknownUUIDBox *ptr;\n\tGF_UserDataMap *map;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\te = gf_isom_insert_moov(movie);\n\tif (e) return e;\n\tif (!movie->moov->udta) {\n\t\te = moov_on_child_box((GF_Box*)movie->moov, gf_isom_box_new_parent(&movie->moov->child_boxes, GF_ISOM_BOX_TYPE_UDTA));\n\t\tif (e) return e;\n\t}\n\n\tmap = udta_getEntry(movie->moov->udta, GF_ISOM_BOX_TYPE_UUID, (bin128 *) & UUID);\n\tif (map) {\n\t\tptr = (GF_UnknownUUIDBox *)gf_list_get(map->boxes, 0);\n\t\tif (ptr) {\n\t\t\tgf_free(ptr->data);\n\t\t\tptr->data = (char*)gf_malloc(length);\n\t\t\tif (!ptr->data) return GF_OUT_OF_MEM;\n\t\t\tmemcpy(ptr->data, data, length);\n\t\t\tptr->dataSize = length;\n\t\t\treturn GF_OK;\n\t\t}\n\t}\n\t//nope, create one\n\tptr = (GF_UnknownUUIDBox *)gf_isom_box_new(GF_ISOM_BOX_TYPE_UUID);\n\tif (!ptr) return GF_OUT_OF_MEM;\n\n\tmemcpy(ptr->uuid, UUID, 16);\n\tptr->data = (char*)gf_malloc(length);\n\tif (!ptr->data) return GF_OUT_OF_MEM;\n\tmemcpy(ptr->data, data, length);\n\tptr->dataSize = length;\n\treturn udta_on_child_box((GF_Box *)movie->moov->udta, (GF_Box *) ptr);\n}", "project": "gpac", "hash": 296878766008799324829722310758024816501, "size": 39, "commit_id": 
"ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267242 }, { "func": "GF_Err gf_isom_set_storage_mode(GF_ISOFile *movie, GF_ISOStorageMode storageMode)\n{\n\tGF_Err e;\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\tswitch (storageMode) {\n\tcase GF_ISOM_STORE_FLAT:\n\tcase GF_ISOM_STORE_STREAMABLE:\n\tcase GF_ISOM_STORE_INTERLEAVED:\n\tcase GF_ISOM_STORE_DRIFT_INTERLEAVED:\n\tcase GF_ISOM_STORE_TIGHT:\n\tcase GF_ISOM_STORE_FASTSTART:\n\t\tmovie->storageMode = storageMode;\n\t\t//specifying a storage mode disables inplace rewrite\n\t\tgf_isom_disable_inplace_rewrite(movie);\n\t\treturn GF_OK;\n\tdefault:\n\t\treturn GF_BAD_PARAM;\n\t}\n}", "project": "gpac", "hash": 266607108512069485129834042486291553468, "size": 21, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267191 }, { "func": "GF_FileType get_file_type_by_ext(char *inName)\n{\n\tGF_FileType type = GF_FILE_TYPE_NOT_SUPPORTED;\n\tchar *ext = strrchr(inName, '.');\n\tif (ext) {\n\t\tchar *sep;\n\t\tif (!strcmp(ext, \".gz\")) ext = strrchr(ext-1, '.');\n\t\text+=1;\n\t\tsep = strchr(ext, '.');\n\t\tif (sep) sep[0] = 0;\n\n\t\tif (!stricmp(ext, \"mp4\") || !stricmp(ext, \"3gp\") || !stricmp(ext, \"mov\") || !stricmp(ext, \"3g2\") || !stricmp(ext, \"3gs\")) {\n\t\t\ttype = GF_FILE_TYPE_ISO_MEDIA;\n\t\t} else if (!stricmp(ext, \"bt\") || !stricmp(ext, \"wrl\") || !stricmp(ext, \"x3dv\")) {\n\t\t\ttype = GF_FILE_TYPE_BT_WRL_X3DV;\n\t\t} else if (!stricmp(ext, \"xmt\") || !stricmp(ext, \"x3d\")) {\n\t\t\ttype = GF_FILE_TYPE_XMT_X3D;\n\t\t} else if (!stricmp(ext, \"lsr\") || !stricmp(ext, \"saf\")) {\n\t\t\ttype = GF_FILE_TYPE_LSR_SAF;\n\t\t} else if (!stricmp(ext, \"svg\") || !stricmp(ext, \"xsr\") || !stricmp(ext, \"xml\")) {\n\t\t\ttype = GF_FILE_TYPE_SVG;\n\t\t} else if (!stricmp(ext, \"swf\")) {\n\t\t\ttype = GF_FILE_TYPE_SWF;\n\t\t} else if 
(!stricmp(ext, \"jp2\")) {\n\t\t\tif (sep) sep[0] = '.';\n\t\t\treturn GF_FILE_TYPE_NOT_SUPPORTED;\n\t\t}\n\t\telse type = GF_FILE_TYPE_NOT_SUPPORTED;\n\n\t\tif (sep) sep[0] = '.';\n\t}\n\n\n\t/*try open file in read mode*/\n\tif (!type && gf_isom_probe_file(inName)) type = GF_FILE_TYPE_ISO_MEDIA;\n\treturn type;\n}", "project": "gpac", "hash": 73405714706321968278938654279405367952, "size": 37, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244414 }, { "func": "GF_Err gf_isom_flush_chunk(GF_TrackBox *trak, Bool is_final)\n{\n\tGF_Err e;\n\tu64 data_offset;\n\tu32 sample_number;\n\tu8 *chunk_data;\n\tu32 chunk_size, chunk_alloc;\n\tif (!trak->chunk_cache) return GF_OK;\n\n\tgf_bs_get_content_no_truncate(trak->chunk_cache, &chunk_data, &chunk_size, &chunk_alloc);\n\n\tdata_offset = gf_isom_datamap_get_offset(trak->Media->information->dataHandler);\n\n\te = gf_isom_datamap_add_data(trak->Media->information->dataHandler, chunk_data, chunk_size);\n\tif (e) return e;\n\n\tsample_number = 1 + trak->Media->information->sampleTable->SampleSize->sampleCount;\n\tsample_number -= trak->nb_samples_in_cache;\n\n\te = stbl_AddChunkOffset(trak->Media, sample_number, trak->chunk_stsd_idx, data_offset, trak->nb_samples_in_cache);\n\n\tif (is_final) {\n\t\tgf_free(chunk_data);\n\t\tgf_bs_del(trak->chunk_cache);\n\t\ttrak->chunk_cache = NULL;\n\t} else {\n\t\tgf_bs_reassign_buffer(trak->chunk_cache, chunk_data, chunk_alloc);\n\t}\n\treturn e;\n}", "project": "gpac", "hash": 35928747562605251414217844575400202393, "size": 30, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267272 }, { "func": "GF_Err gf_isom_enable_compression(GF_ISOFile *file, GF_ISOCompressMode compress_mode, Bool force_compress)\n{\n\tif (!file) return GF_BAD_PARAM;\n\tfile->compress_mode = compress_mode;\n\tfile->force_compress = force_compress;\n\treturn 
GF_OK;\n}", "project": "gpac", "hash": 212783862737439681778039380169203772828, "size": 7, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267209 }, { "func": "GF_Err vpcc_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tGF_VPConfigurationBox *ptr = (GF_VPConfigurationBox *) s;\n\tif (!s) return GF_BAD_PARAM;\n\tif (!ptr->config) return GF_OK;\n\n\te = gf_isom_full_box_write(s, bs);\n\tif (e) return e;\n\n\treturn gf_odf_vp_cfg_write_bs(ptr->config, bs, ptr->version == 0);\n}", "project": "gpac", "hash": 76902646786815702644135191533890189105, "size": 12, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237608 }, { "func": "GF_Err vvcc_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tGF_VVCConfigurationBox *ptr = (GF_VVCConfigurationBox *) s;\n\tif (!s) return GF_BAD_PARAM;\n\tif (!ptr->config) return GF_OK;\n\te = gf_isom_box_write_header(s, bs);\n\tif (e) return e;\n\n\treturn gf_odf_vvc_cfg_write_bs(ptr->config, bs);\n}", "project": "gpac", "hash": 102534599378916565987854240202844541248, "size": 11, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237610 }, { "func": "GF_Err gf_isom_copy_sample_info(GF_ISOFile *dst, u32 dst_track, GF_ISOFile *src, u32 src_track, u32 sampleNumber)\n{\n\tu32 i, count, idx, dst_sample_num, subs_flags;\n\tGF_SubSampleInfoEntry *sub_sample;\n\tGF_Err e;\n\tGF_TrackBox *src_trak, *dst_trak;\n\n\tsrc_trak = gf_isom_get_track_from_file(src, src_track);\n\tif (!src_trak) return GF_BAD_PARAM;\n\n\tdst_trak = gf_isom_get_track_from_file(dst, dst_track);\n\tif (!dst_trak) return GF_BAD_PARAM;\n\n\tdst_sample_num = dst_trak->Media->information->sampleTable->SampleSize->sampleCount;\n\n\t/*modify depends flags*/\n\tif (src_trak->Media->information->sampleTable->SampleDep) {\n\t\tu32 
isLeading, dependsOn, dependedOn, redundant;\n\n\t\tisLeading = dependsOn = dependedOn = redundant = 0;\n\n\t\te = stbl_GetSampleDepType(src_trak->Media->information->sampleTable->SampleDep, sampleNumber, &isLeading, &dependsOn, &dependedOn, &redundant);\n\t\tif (e) return e;\n\n\t\te = stbl_AppendDependencyType(dst_trak->Media->information->sampleTable, isLeading, dependsOn, dependedOn, redundant);\n\t\tif (e) return e;\n\t}\n\n\t/*copy subsample info if any*/\n\tidx=1;\n\twhile (gf_isom_get_subsample_types(src, src_track, idx, &subs_flags)) {\n\t\tGF_SubSampleInformationBox *dst_subs=NULL;\n\t\tidx++;\n\n\t\tif ( ! gf_isom_sample_get_subsample_entry(src, src_track, sampleNumber, subs_flags, &sub_sample))\n\t\t\tcontinue;\n\n\t\t/*create subsample if needed*/\n\t\tif (!dst_trak->Media->information->sampleTable->sub_samples) {\n\t\t\tdst_trak->Media->information->sampleTable->sub_samples = gf_list_new();\n\t\t}\n\t\tcount = gf_list_count(dst_trak->Media->information->sampleTable->sub_samples);\n\t\tfor (i=0; iMedia->information->sampleTable->sub_samples, i);\n\t\t\tif (dst_subs->flags==subs_flags) break;\n\t\t\tdst_subs=NULL;\n\t\t}\n\t\tif (!dst_subs) {\n\t\t\tdst_subs = (GF_SubSampleInformationBox *) gf_isom_box_new_parent(&dst_trak->Media->information->sampleTable->child_boxes, GF_ISOM_BOX_TYPE_SUBS);\n\t\t\tif (!dst_subs) return GF_OUT_OF_MEM;\n\t\t\tdst_subs->version=0;\n\t\t\tdst_subs->flags = subs_flags;\n\t\t\tgf_list_add(dst_trak->Media->information->sampleTable->sub_samples, dst_subs);\n\t\t}\n\n\t\tcount = gf_list_count(sub_sample->SubSamples);\n\t\tfor (i=0; iSubSamples, i);\n\t\t\te = gf_isom_add_subsample_info(dst_subs, dst_sample_num, entry->subsample_size, entry->subsample_priority, entry->reserved, entry->discardable);\n\t\t\tif (e) return e;\n\t\t}\n\t}\n\n\t/*copy sampleToGroup info if any*/\n\tcount = 0;\n\tif (src_trak->Media->information->sampleTable->sampleGroups)\n\t\tcount = 
gf_list_count(src_trak->Media->information->sampleTable->sampleGroups);\n\n\tfor (i=0; iMedia->information->sampleTable->sampleGroups, i);\n\t\tfor (j=0; jentry_count; j++) {\n\t\t\tlast_sample_in_entry = first_sample_in_entry + sg->sample_entries[j].sample_count - 1;\n\t\t\tif ((sampleNumberlast_sample_in_entry)) {\n\t\t\t\tfirst_sample_in_entry = last_sample_in_entry+1;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tif (!dst_trak->Media->information->sampleTable->sampleGroups)\n\t\t\t\tdst_trak->Media->information->sampleTable->sampleGroups = gf_list_new();\n\n\t\t\tgroup_desc_index_src = group_desc_index_dst = sg->sample_entries[j].group_description_index;\n\n\t\t\tif (group_desc_index_src) {\n\t\t\t\tGF_SampleGroupDescriptionBox *sgd_src, *sgd_dst;\n\t\t\t\tGF_DefaultSampleGroupDescriptionEntry *sgde_src, *sgde_dst;\n\n\t\t\t\tgroup_desc_index_dst = 0;\n\t\t\t\t//check that the sample group description exists !!\n\t\t\t\tsgde_src = gf_isom_get_sample_group_info_entry(src, src_trak, sg->grouping_type, sg->sample_entries[j].group_description_index, &default_index, &sgd_src);\n\n\t\t\t\tif (!sgde_src) break;\n\n\t\t\t\tif (!dst_trak->Media->information->sampleTable->sampleGroupsDescription)\n\t\t\t\t\tdst_trak->Media->information->sampleTable->sampleGroupsDescription = gf_list_new();\n\n\t\t\t\tsgd_dst = NULL;\n\t\t\t\tfor (k=0; k< gf_list_count(dst_trak->Media->information->sampleTable->sampleGroupsDescription); k++) {\n\t\t\t\t\tsgd_dst = gf_list_get(dst_trak->Media->information->sampleTable->sampleGroupsDescription, k);\n\t\t\t\t\tif (sgd_dst->grouping_type==sgd_src->grouping_type) break;\n\t\t\t\t\tsgd_dst = NULL;\n\t\t\t\t}\n\t\t\t\tif (!sgd_dst) {\n\t\t\t\t\tgf_isom_clone_box( (GF_Box *) sgd_src, (GF_Box **) &sgd_dst);\n\t\t\t\t\tif (!sgd_dst) return GF_OUT_OF_MEM;\n\t\t\t\t\tgf_list_add(dst_trak->Media->information->sampleTable->sampleGroupsDescription, sgd_dst);\n\t\t\t\t}\n\n\t\t\t\t//find the same entry\n\t\t\t\tfor (k=0; kgroup_descriptions); k++) 
{\n\t\t\t\t\tsgde_dst = gf_list_get(sgd_dst->group_descriptions, i);\n\t\t\t\t\tif (gf_isom_is_identical_sgpd(sgde_src, sgde_dst, sgd_src->grouping_type)) {\n\t\t\t\t\t\tgroup_desc_index_dst = k+1;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif (!group_desc_index_dst) {\n\t\t\t\t\tGF_SampleGroupDescriptionBox *cloned=NULL;\n\t\t\t\t\tgf_isom_clone_box( (GF_Box *) sgd_src, (GF_Box **) &cloned);\n\t\t\t\t\tif (!cloned) return GF_OUT_OF_MEM;\n\t\t\t\t\tsgde_dst = gf_list_get(cloned->group_descriptions, group_desc_index_dst);\n\t\t\t\t\tgf_list_rem(cloned->group_descriptions, group_desc_index_dst);\n\t\t\t\t\tgf_isom_box_del( (GF_Box *) cloned);\n\t\t\t\t\tgf_list_add(sgd_dst->group_descriptions, sgde_dst);\n\t\t\t\t\tgroup_desc_index_dst = gf_list_count(sgd_dst->group_descriptions);\n\t\t\t\t}\n\t\t\t}\n\n\n\t\t\t/*found our sample, add it to trak->sampleGroups*/\n\t\t\te = gf_isom_add_sample_group_entry(dst_trak->Media->information->sampleTable->sampleGroups, dst_sample_num, sg->grouping_type, sg->grouping_type_parameter, group_desc_index_dst, dst_trak->Media->information->sampleTable->child_boxes, NULL);\n\t\t\tif (e) return e;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 325767643111822684651285664141775052515, "size": 142, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267260 }, { "func": "GF_Err stbl_GetSampleDTS_and_Duration(GF_TimeToSampleBox *stts, u32 SampleNumber, u64 *DTS, u32 *duration)\n{\n\tu32 i, j, count;\n\tGF_SttsEntry *ent;\n\n\t(*DTS) = 0;\n\tif (duration) {\n\t\t*duration = 0;\n\t}\n\tif (!stts || !SampleNumber) return GF_BAD_PARAM;\n\n\tent = NULL;\n\t//use our cache\n\tcount = stts->nb_entries;\n\tif (stts->r_FirstSampleInEntry\n\t && (stts->r_FirstSampleInEntry <= SampleNumber)\n\t //this is for read/write access\n\t && (stts->r_currentEntryIndex < count) ) {\n\n\t\ti = stts->r_currentEntryIndex;\n\t} else {\n\t\ti = 
stts->r_currentEntryIndex = 0;\n\t\tstts->r_FirstSampleInEntry = 1;\n\t\tstts->r_CurrentDTS = 0;\n\t}\n\n\tfor (; i < count; i++) {\n\t\tent = &stts->entries[i];\n\n\t\t//in our entry\n\t\tif (ent->sampleCount + stts->r_FirstSampleInEntry >= 1 + SampleNumber) {\n\t\t\tj = SampleNumber - stts->r_FirstSampleInEntry;\n\t\t\tgoto found;\n\t\t}\n\n\t\t//update our cache\n\t\tstts->r_CurrentDTS += (u64)ent->sampleCount * ent->sampleDelta;\n\t\tstts->r_currentEntryIndex += 1;\n\t\tstts->r_FirstSampleInEntry += ent->sampleCount;\n\t}\n//\tif (SampleNumber >= stts->r_FirstSampleInEntry + ent->sampleCount) return GF_BAD_PARAM;\n\n\t//no ent, this is really weird. Let's assume the DTS is then what is written in the table\n\tif (!ent || (i == count)) {\n\t\t(*DTS) = stts->r_CurrentDTS;\n\t\tif (duration) *duration = ent ? ent->sampleDelta : 0;\n\t}\n\treturn GF_OK;\n\nfound:\n\t(*DTS) = stts->r_CurrentDTS + j * (u64) ent->sampleDelta;\n\tif (duration) *duration = ent->sampleDelta;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 63899178812392427200037954024029434902, "size": 54, "commit_id": "2da2f68bffd51d89b1d272d22aa8cc023c1c066e", "message": "fixed #1705", "target": 0, "dataset": "other", "idx": 258554 }, { "func": "GF_Err gf_isom_remove_root_od(GF_ISOFile *movie)\n{\n\tGF_Err e;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\tif (!movie->moov || !movie->moov->iods) return GF_OK;\n\tgf_isom_box_del_parent(&movie->moov->child_boxes, (GF_Box *)movie->moov->iods);\n\tmovie->moov->iods = NULL;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 101373989585998269957737612143018007487, "size": 11, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267185 }, { "func": "GF_Err gf_isom_set_visual_info(GF_ISOFile *movie, u32 trackNumber, u32 StreamDescriptionIndex, u32 Width, u32 Height)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\tGF_SampleEntryBox *entry;\n\tGF_SampleDescriptionBox 
*stsd;\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\tif (!stsd) {\n\t\treturn movie->LastError = GF_ISOM_INVALID_FILE;\n\t}\n\tif (!StreamDescriptionIndex || StreamDescriptionIndex > gf_list_count(stsd->child_boxes)) {\n\t\treturn movie->LastError = GF_BAD_PARAM;\n\t}\n\tentry = (GF_SampleEntryBox *)gf_list_get(stsd->child_boxes, StreamDescriptionIndex - 1);\n\t//no support for generic sample entries (eg, no MPEG4 descriptor)\n\tif (entry == NULL) return GF_BAD_PARAM;\n\tif (!movie->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\n\t//valid for MPEG visual, JPG and 3GPP H263\n\tif (entry->internal_type == GF_ISOM_SAMPLE_ENTRY_VIDEO) {\n\t\t((GF_VisualSampleEntryBox*)entry)->Width = Width;\n\t\t((GF_VisualSampleEntryBox*)entry)->Height = Height;\n\t\ttrak->Header->width = Width<<16;\n\t\ttrak->Header->height = Height<<16;\n\t\treturn GF_OK;\n\t} else if (trak->Media->handler->handlerType==GF_ISOM_MEDIA_SCENE) {\n\t\ttrak->Header->width = Width<<16;\n\t\ttrak->Header->height = Height<<16;\n\t\treturn GF_OK;\n\t} else {\n\t\treturn GF_BAD_PARAM;\n\t}\n}", "project": "gpac", "hash": 83074209191748321543088671484383266464, "size": 40, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267256 }, { "func": "GF_EXPORT\nu32 gf_isom_guess_specification(GF_ISOFile *file)\n{\n\tu32 count, i, nb_any, nb_m4s, nb_a, nb_v, nb_auxv,nb_scene, nb_od, nb_mp3, nb_aac, nb_m4v, nb_avc, nb_amr, nb_h263, nb_qcelp, nb_evrc, nb_smv, nb_text, nb_pict;\n\n\tnb_m4s = nb_a = nb_v = nb_auxv = nb_any = nb_scene = nb_od = nb_mp3 = nb_aac = nb_m4v = nb_avc = nb_amr = nb_h263 = nb_qcelp = nb_evrc = nb_smv = nb_text = nb_pict = 0;\n\n\tif (file->is_jp2) {\n\t\tif (file->moov) return 
GF_ISOM_BRAND_MJP2;\n\t\treturn GF_ISOM_BRAND_JP2;\n\t}\n\tif (!file->moov) {\n\t\tif (!file->meta || !file->meta->handler) return 0;\n\t\treturn file->meta->handler->handlerType;\n\t}\n\n\tcount = gf_isom_get_track_count(file);\n\tfor (i=0; i1) nb_m4s++;\n\t\t} else if (mtype==GF_ISOM_MEDIA_OD) {\n\t\t\tnb_od++;\n\t\t\t/*forces non-isma*/\n\t\t\tif (gf_isom_get_sample_count(file, i+1)>1) nb_m4s++;\n\t\t}\n\t\telse if ((mtype==GF_ISOM_MEDIA_TEXT) || (mtype==GF_ISOM_MEDIA_SUBT)) nb_text++;\n\t\telse if ((mtype==GF_ISOM_MEDIA_AUDIO) || gf_isom_is_video_handler_type(mtype) ) {\n\t\t\tswitch (mstype) {\n\t\t\tcase GF_ISOM_SUBTYPE_3GP_AMR:\n\t\t\tcase GF_ISOM_SUBTYPE_3GP_AMR_WB:\n\t\t\t\tnb_amr++;\n\t\t\t\tbreak;\n\t\t\tcase GF_ISOM_SUBTYPE_3GP_H263:\n\t\t\t\tnb_h263++;\n\t\t\t\tbreak;\n\t\t\tcase GF_ISOM_SUBTYPE_3GP_EVRC:\n\t\t\t\tnb_evrc++;\n\t\t\t\tbreak;\n\t\t\tcase GF_ISOM_SUBTYPE_3GP_QCELP:\n\t\t\t\tnb_qcelp++;\n\t\t\t\tbreak;\n\t\t\tcase GF_ISOM_SUBTYPE_3GP_SMV:\n\t\t\t\tnb_smv++;\n\t\t\t\tbreak;\n\t\t\tcase GF_ISOM_SUBTYPE_AVC_H264:\n\t\t\tcase GF_ISOM_SUBTYPE_AVC2_H264:\n\t\t\tcase GF_ISOM_SUBTYPE_AVC3_H264:\n\t\t\tcase GF_ISOM_SUBTYPE_AVC4_H264:\n\t\t\t\tnb_avc++;\n\t\t\t\tbreak;\n\t\t\tcase GF_ISOM_SUBTYPE_SVC_H264:\n\t\t\tcase GF_ISOM_SUBTYPE_MVC_H264:\n\t\t\t\tnb_avc++;\n\t\t\t\tbreak;\n\t\t\tcase GF_ISOM_SUBTYPE_MPEG4:\n\t\t\tcase GF_ISOM_SUBTYPE_MPEG4_CRYP:\n\t\t\t{\n\t\t\t\tGF_DecoderConfig *dcd = gf_isom_get_decoder_config(file, i+1, 1);\n\t\t\t\tif (!dcd) break;\n\t\t\t\tswitch (dcd->streamType) {\n\t\t\t\tcase GF_STREAM_VISUAL:\n\t\t\t\t\tif (dcd->objectTypeIndication==GF_CODECID_MPEG4_PART2) nb_m4v++;\n\t\t\t\t\telse if ((dcd->objectTypeIndication==GF_CODECID_AVC) || (dcd->objectTypeIndication==GF_CODECID_SVC) || (dcd->objectTypeIndication==GF_CODECID_MVC)) nb_avc++;\n\t\t\t\t\telse nb_v++;\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_STREAM_AUDIO:\n\t\t\t\t\tswitch (dcd->objectTypeIndication) {\n\t\t\t\t\tcase GF_CODECID_AAC_MPEG2_MP:\n\t\t\t\t\tcase 
GF_CODECID_AAC_MPEG2_LCP:\n\t\t\t\t\tcase GF_CODECID_AAC_MPEG2_SSRP:\n\t\t\t\t\tcase GF_CODECID_AAC_MPEG4:\n\t\t\t\t\t\tnb_aac++;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tcase GF_CODECID_MPEG2_PART3:\n\t\t\t\t\tcase GF_CODECID_MPEG_AUDIO:\n\t\t\t\t\t\tnb_mp3++;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tcase GF_CODECID_EVRC:\n\t\t\t\t\t\tnb_evrc++;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tcase GF_CODECID_SMV:\n\t\t\t\t\t\tnb_smv++;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tcase GF_CODECID_QCELP:\n\t\t\t\t\t\tnb_qcelp++;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tdefault:\n\t\t\t\t\t\tnb_a++;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\t/*SHOULD NEVER HAPPEN - IF SO, BROKEN MPEG4 FILE*/\n\t\t\t\tdefault:\n\t\t\t\t\tnb_any++;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tgf_odf_desc_del((GF_Descriptor *)dcd);\n\t\t\t}\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tif (mtype==GF_ISOM_MEDIA_VISUAL) nb_v++;\n\t\t\t\telse if (mtype==GF_ISOM_MEDIA_AUXV) nb_auxv++;\n\t\t\t\telse if (mtype==GF_ISOM_MEDIA_PICT) nb_pict++;\n\t\t\t\telse nb_a++;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t} else if ((mtype==GF_ISOM_SUBTYPE_MPEG4) || (mtype==GF_ISOM_SUBTYPE_MPEG4_CRYP)) nb_m4s++;\n\t\telse nb_any++;\n\t}\n\tif (nb_any) return GF_ISOM_BRAND_ISOM;\n\tif (nb_qcelp || nb_evrc || nb_smv) {\n\t\t/*non std mix of streams*/\n\t\tif (nb_m4s || nb_avc || nb_scene || nb_od || nb_mp3 || nb_a || nb_v) return GF_ISOM_BRAND_ISOM;\n\t\treturn GF_ISOM_BRAND_3G2A;\n\t}\n\t/*other a/v/s streams*/\n\tif (nb_v || nb_a || nb_m4s) return GF_ISOM_BRAND_MP42;\n\n\tnb_v = nb_m4v + nb_avc + nb_h263;\n\tnb_a = nb_mp3 + nb_aac + nb_amr;\n\n\t/*avc file: whatever has AVC and no systems*/\n\tif (nb_avc) {\n\t\tif (!nb_scene && !nb_od) return GF_ISOM_BRAND_AVC1;\n\t\treturn GF_ISOM_BRAND_MP42;\n\t}\n\t/*MP3: ISMA and MPEG4*/\n\tif (nb_mp3) {\n\t\tif (!nb_text && (nb_v<=1) && (nb_a<=1) && (nb_scene==1) && (nb_od==1))\n\t\t\treturn GF_ISOM_BRAND_ISMA;\n\t\treturn GF_ISOM_BRAND_MP42;\n\t}\n\t/*MP4*/\n\tif (nb_scene || nb_od) {\n\t\t/*issue with AMR and H263 which don't have MPEG 
mapping: non compliant file*/\n\t\tif (nb_amr || nb_h263) return GF_ISOM_BRAND_ISOM;\n\t\treturn GF_ISOM_BRAND_MP42;\n\t}\n\t/*use ISMA (3GP fine too)*/\n\tif (!nb_amr && !nb_h263 && !nb_text) {\n\t\tif ((nb_v<=1) && (nb_a<=1)) return GF_ISOM_BRAND_ISMA;\n\t\treturn GF_ISOM_BRAND_MP42;\n\t}\n\n\tif ((nb_v<=1) && (nb_a<=1) && (nb_text<=1)) return nb_text ? GF_ISOM_BRAND_3GP6 : GF_ISOM_BRAND_3GP5;\n\treturn GF_ISOM_BRAND_3GG6;", "project": "gpac", "hash": 232252861300988367663738714585197298194, "size": 151, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246846 }, { "func": "u32 mp4box_parse_args_continue(int argc, char **argv, u32 *current_index)\n{\n\tu32 i = *current_index;\n\t/*parse our args*/\n\t{\n\t\tchar *arg = argv[i];\n\t\tif (!stricmp(arg, \"-itags\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\titunes_tags = argv[i + 1];\n\t\t\ti++;\n\t\t\topen_edit = GF_TRUE;\n\t\t}\n#ifndef GPAC_DISABLE_ISOM_HINTING\n\t\telse if (!stricmp(arg, \"-hint\")) {\n\t\t\topen_edit = GF_TRUE;\n\t\t\tHintIt = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-unhint\")) {\n\t\t\topen_edit = GF_TRUE;\n\t\t\tremove_hint = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-copy\")) HintCopy = 1;\n\t\telse if (!stricmp(arg, \"-no-offset\")) hint_no_offset = GF_TRUE;\n\t\telse if (!stricmp(arg, \"-tight\")) {\n\t\t\tFullInter = 1;\n\t\t\topen_edit = GF_TRUE;\n\t\t\tneedSave = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-ocr\")) force_ocr = 1;\n\t\telse if (!stricmp(arg, \"-latm\")) hint_flags |= GP_RTP_PCK_USE_LATM_AAC;\n\t\telse if (!stricmp(arg, \"-rap\") || !stricmp(arg, \"-refonly\")) {\n\t\t\tif ((i + 1 < (u32)argc) && (argv[i + 1][0] != '-')) {\n\t\t\t\tif (sscanf(argv[i + 1], \"%d\", &trackID) == 1) {\n\t\t\t\t\ttracks = gf_realloc(tracks, sizeof(TrackAction) * (nb_track_act + 1));\n\t\t\t\t\tmemset(&tracks[nb_track_act], 0, sizeof(TrackAction));\n\t\t\t\t\ttracks[nb_track_act].act_type = !stricmp(arg, \"-rap\") ? 
TRAC_ACTION_REM_NON_RAP : TRAC_ACTION_REM_NON_REFS;\n\t\t\t\t\ttracks[nb_track_act].trackID = trackID;\n\t\t\t\t\tnb_track_act++;\n\t\t\t\t\ti++;\n\t\t\t\t\topen_edit = GF_TRUE;\n\t\t\t\t}\n\t\t\t}\n\t\t\thint_flags |= GP_RTP_PCK_SIGNAL_RAP;\n\t\t\tseg_at_rap = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-frag-rap\")) {\n\t\t\tfrag_at_rap = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-mfra\")) {\n\t\t\tuse_mfra = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-ts\")) hint_flags |= GP_RTP_PCK_SIGNAL_TS;\n\t\telse if (!stricmp(arg, \"-size\")) hint_flags |= GP_RTP_PCK_SIGNAL_SIZE;\n\t\telse if (!stricmp(arg, \"-idx\")) hint_flags |= GP_RTP_PCK_SIGNAL_AU_IDX;\n\t\telse if (!stricmp(arg, \"-static\")) hint_flags |= GP_RTP_PCK_USE_STATIC_ID;\n\t\telse if (!stricmp(arg, \"-multi\")) {\n\t\t\thint_flags |= GP_RTP_PCK_USE_MULTI;\n\t\t\tif ((i + 1 < (u32)argc) && (sscanf(argv[i + 1], \"%u\", &max_ptime) == 1)) {\n\t\t\t\tchar szPt[20];\n\t\t\t\tsprintf(szPt, \"%u\", max_ptime);\n\t\t\t\tif (!strcmp(szPt, argv[i + 1])) i++;\n\t\t\t\telse max_ptime = 0;\n\t\t\t}\n\t\t}\n#endif\n\t\telse if (!stricmp(arg, \"-mpeg4\")) {\n#ifndef GPAC_DISABLE_ISOM_HINTING\n\t\t\thint_flags |= GP_RTP_PCK_FORCE_MPEG4;\n#endif\n#ifndef GPAC_DISABLE_MEDIA_IMPORT\n\t\t\timport_flags |= GF_IMPORT_FORCE_MPEG4;\n#endif\n\t\t}\n#ifndef GPAC_DISABLE_ISOM_HINTING\n\t\telse if (!stricmp(arg, \"-mtu\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tMTUSize = atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-cardur\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tcar_dur = atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-rate\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\trtp_rate = atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n#ifndef GPAC_DISABLE_SENG\n\t\telse if (!stricmp(arg, \"-add-sdp\") || !stricmp(arg, \"-sdp_ex\")) {\n\t\t\tchar *id;\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsdp_lines = gf_realloc(sdp_lines, sizeof(SDPLine) * (nb_sdp_ex + 1));\n\n\t\t\tid = strchr(argv[i + 1], ':');\n\t\t\tif (id) {\n\t\t\t\tid[0] = 
0;\n\t\t\t\tif (sscanf(argv[i + 1], \"%u\", &sdp_lines[0].trackID) == 1) {\n\t\t\t\t\tid[0] = ':';\n\t\t\t\t\tsdp_lines[nb_sdp_ex].line = id + 1;\n\t\t\t\t}\n\t\t\t\telse {\n\t\t\t\t\tid[0] = ':';\n\t\t\t\t\tsdp_lines[nb_sdp_ex].line = argv[i + 1];\n\t\t\t\t\tsdp_lines[nb_sdp_ex].trackID = 0;\n\t\t\t\t}\n\t\t\t}\n\t\t\telse {\n\t\t\t\tsdp_lines[nb_sdp_ex].line = argv[i + 1];\n\t\t\t\tsdp_lines[nb_sdp_ex].trackID = 0;\n\t\t\t}\n\t\t\topen_edit = GF_TRUE;\n\t\t\tnb_sdp_ex++;\n\t\t\ti++;\n\t\t}\n#endif /*GPAC_DISABLE_SENG*/\n#endif /*GPAC_DISABLE_ISOM_HINTING*/\n\n\t\telse if (!stricmp(arg, \"-single\")) {\n#ifndef GPAC_DISABLE_MEDIA_EXPORT\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttrack_dump_type = GF_EXPORT_MP4;\n\t\t\ttracks = gf_realloc(tracks, sizeof(TrackAction) * (nb_track_act + 1));\n\t\t\tmemset(&tracks[nb_track_act], 0, sizeof(TrackAction));\n\t\t\ttracks[nb_track_act].act_type = TRAC_ACTION_RAW_EXTRACT;\n\t\t\ttracks[nb_track_act].trackID = atoi(argv[i + 1]);\n\t\t\ttracks[nb_track_act].dump_type = GF_EXPORT_MP4;\n\t\t\tnb_track_act++;\n\t\t\ti++;\n#endif\n\t\t}\n\t\telse if (!stricmp(arg, \"-iod\")) regular_iod = 1;\n\t\telse if (!stricmp(arg, \"-flat\")) {\n\t\t\topen_edit = GF_TRUE;\n\t\t\tdo_flat = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-keep-utc\")) keep_utc = GF_TRUE;\n\t\telse if (!stricmp(arg, \"-new\")) force_new = 1;\n\t\telse if (!stricmp(arg, \"-newfs\")) {\n\t\t\tforce_new = 2;\n\t\t\tinterleaving_time = 0.5;\n\t\t\tdo_flat = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-timescale\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttimescale = atoi(argv[i + 1]);\n\t\t\topen_edit = GF_TRUE;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-udta\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tcreate_new_track_action(argv[i + 1], &tracks, &nb_track_act, 0);\n\t\t\ttracks[nb_track_act - 1].act_type = TRAC_ACTION_SET_UDTA;\n\t\t\topen_edit = GF_TRUE;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-add\") || !stricmp(arg, \"-import\") || !stricmp(arg, \"-convert\")) 
{\n\t\t\tCHECK_NEXT_ARG\n\t\t\tif (!stricmp(arg, \"-import\")) fprintf(stderr, \"\\tWARNING: \\\"-import\\\" is deprecated - use \\\"-add\\\"\\n\");\n\t\t\telse if (!stricmp(arg, \"-convert\")) fprintf(stderr, \"\\tWARNING: \\\"-convert\\\" is deprecated - use \\\"-add\\\"\\n\");\n\t\t\tnb_add++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-cat\") || !stricmp(arg, \"-catx\") || !stricmp(arg, \"-catpl\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tnb_cat++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-time\")) {\n\t\t\tstruct tm time;\n\t\t\tCHECK_NEXT_ARG\n\t\t\tmemset(&time, 0, sizeof(struct tm));\n\t\t\tsscanf(argv[i + 1], \"%d/%d/%d-%d:%d:%d\", &time.tm_mday, &time.tm_mon, &time.tm_year, &time.tm_hour, &time.tm_min, &time.tm_sec);\n\t\t\ttime.tm_isdst = 0;\n\t\t\ttime.tm_year -= 1900;\n\t\t\ttime.tm_mon -= 1;\n\t\t\topen_edit = GF_TRUE;\n\t\t\tmovie_time = 2082758400;\n\t\t\tmovie_time += mktime(&time);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-force-cat\")) force_cat = 1;\n\t\telse if (!stricmp(arg, \"-align-cat\")) align_cat = 1;\n\t\telse if (!stricmp(arg, \"-unalign-cat\")) align_cat = 0;\n\t\telse if (!stricmp(arg, \"-raw-cat\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\traw_cat = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-rem\") || !stricmp(arg, \"-disable\") || !stricmp(arg, \"-enable\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttracks = gf_realloc(tracks, sizeof(TrackAction) * (nb_track_act + 1));\n\t\t\tmemset(&tracks[nb_track_act], 0, sizeof(TrackAction));\n\t\t\tif (!stricmp(arg, \"-enable\")) tracks[nb_track_act].act_type = TRAC_ACTION_ENABLE;\n\t\t\telse if (!stricmp(arg, \"-disable\")) tracks[nb_track_act].act_type = TRAC_ACTION_DISABLE;\n\t\t\telse tracks[nb_track_act].act_type = TRAC_ACTION_REM_TRACK;\n\t\t\ttracks[nb_track_act].trackID = atoi(argv[i + 1]);\n\t\t\topen_edit = GF_TRUE;\n\t\t\tnb_track_act++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-set-track-id\") || !stricmp(arg, \"-swap-track-id\")) {\n\t\t\tchar 
*sep;\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttracks = gf_realloc(tracks, sizeof(TrackAction) * (nb_track_act + 1));\n\t\t\tmemset(&tracks[nb_track_act], 0, sizeof(TrackAction));\n\t\t\ttracks[nb_track_act].act_type = !stricmp(arg, \"-set-track-id\") ? TRAC_ACTION_SET_ID : TRAC_ACTION_SWAP_ID;\n\t\t\tsep = strchr(argv[i + 1], ':');\n\t\t\tif (!sep) {\n\t\t\t\tfprintf(stderr, \"Bad format for -set-track-id - expecting \\\"id1:id2\\\" got \\\"%s\\\"\\n\", argv[i + 1]);\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\t*sep = 0;\n\t\t\ttracks[nb_track_act].trackID = atoi(argv[i + 1]);\n\t\t\t*sep = ':';\n\t\t\tsep++;\n\t\t\ttracks[nb_track_act].newTrackID = atoi(sep);\n\t\t\topen_edit = GF_TRUE;\n\t\t\tnb_track_act++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-par\")) {\n\t\t\tchar szTK[20], *ext;\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttracks = gf_realloc(tracks, sizeof(TrackAction) * (nb_track_act + 1));\n\t\t\tmemset(&tracks[nb_track_act], 0, sizeof(TrackAction));\n\n\t\t\ttracks[nb_track_act].act_type = TRAC_ACTION_SET_PAR;\n\t\t\tassert(strlen(argv[i + 1]) + 1 <= sizeof(szTK));\n\t\t\tstrncpy(szTK, argv[i + 1], sizeof(szTK));\n\t\t\text = strchr(szTK, '=');\n\t\t\tif (!ext) {\n\t\t\t\tfprintf(stderr, \"Bad format for track par - expecting tkID=none or tkID=PAR_NUM:PAR_DEN got %s\\n\", argv[i + 1]);\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\tif (!stricmp(ext + 1, \"none\")) {\n\t\t\t\ttracks[nb_track_act].par_num = tracks[nb_track_act].par_den = 0;\n\t\t\t}\n\t\t\telse if (!stricmp(ext + 1, \"auto\")) {\n\t\t\t\ttracks[nb_track_act].par_num = tracks[nb_track_act].par_den = -1;\n\t\t\t\ttracks[nb_track_act].force_par = 1;\n\t\t\t}\n\t\t\telse if (!stricmp(ext + 1, \"force\")) {\n\t\t\t\ttracks[nb_track_act].par_num = tracks[nb_track_act].par_den = 1;\n\t\t\t\ttracks[nb_track_act].force_par = 1;\n\t\t\t}\n\t\t\telse {\n\t\t\t\tif (ext[1]=='w') {\n\t\t\t\t\ttracks[nb_track_act].rewrite_bs = 1;\n\t\t\t\t\text++;\n\t\t\t\t}\n\t\t\t\tsscanf(ext + 1, \"%d\", &tracks[nb_track_act].par_num);\n\t\t\t\text = 
strchr(ext + 1, ':');\n\t\t\t\tif (!ext) {\n\t\t\t\t\tfprintf(stderr, \"Bad format for track par - expecting tkID=PAR_NUM:PAR_DEN got %s\\n\", argv[i + 1]);\n\t\t\t\t\treturn 2;\n\t\t\t\t}\n\t\t\t\tsscanf(ext + 1, \"%d\", &tracks[nb_track_act].par_den);\n\t\t\t}\n\t\t\text[0] = 0;\n\t\t\ttracks[nb_track_act].trackID = atoi(szTK);\n\t\t\topen_edit = GF_TRUE;\n\t\t\tnb_track_act++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-clap\")) {\n\t\t\tchar szTK[200], *ext;\n\t\t\tTrackAction *tka;\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttracks = gf_realloc(tracks, sizeof(TrackAction) * (nb_track_act + 1));\n\t\t\tmemset(&tracks[nb_track_act], 0, sizeof(TrackAction));\n\n\t\t\ttracks[nb_track_act].act_type = TRAC_ACTION_SET_CLAP;\n\t\t\tassert(strlen(argv[i + 1]) + 1 <= sizeof(szTK));\n\t\t\tstrncpy(szTK, argv[i + 1], sizeof(szTK));\n\t\t\text = strchr(szTK, '=');\n\t\t\tif (!ext) {\n\t\t\t\tfprintf(stderr, \"Bad format for track clap - expecting tkID=none or tkID=Wn,Wd,Hn,Hd,HOn,HOd,VOn,VOd got %s\\n\", argv[i + 1]);\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\ttka = &tracks[nb_track_act];\n\t\t\tif (!stricmp(ext + 1, \"none\")) {\n\t\t\t\ttka->clap_wnum= tka->clap_wden = tka->clap_hnum = tka->clap_hden = tka->clap_honum = tka->clap_hoden = tka->clap_vonum = tka->clap_voden = 0;\n\t\t\t} else {\n\t\t\t\tif (sscanf(ext + 1, \"%d,%d,%d,%d,%d,%d,%d,%d\", &tka->clap_wnum, &tka->clap_wden, &tka->clap_hnum, &tka->clap_hden, &tka->clap_honum, &tka->clap_hoden, &tka->clap_vonum, &tka->clap_voden) != 8) {\n\n\t\t\t\t\tfprintf(stderr, \"Bad format for track clap - expecting tkID=none or tkID=Wn,Wd,Hn,Hd,HOn,HOd,VOn,VOd got %s\\n\", argv[i + 1]);\n\t\t\t\t\treturn 2;\n\t\t\t\t}\n\t\t\t}\n\t\t\text[0] = 0;\n\t\t\ttracks[nb_track_act].trackID = atoi(szTK);\n\t\t\topen_edit = GF_TRUE;\n\t\t\tnb_track_act++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-mx\")) {\n\t\t\tchar szTK[200], *ext;\n\t\t\tTrackAction *tka;\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttracks = gf_realloc(tracks, sizeof(TrackAction) * 
(nb_track_act + 1));\n\t\t\tmemset(&tracks[nb_track_act], 0, sizeof(TrackAction));\n\n\t\t\ttracks[nb_track_act].act_type = TRAC_ACTION_SET_MX;\n\t\t\tassert(strlen(argv[i + 1]) + 1 <= sizeof(szTK));\n\t\t\tstrncpy(szTK, argv[i + 1], sizeof(szTK));\n\t\t\text = strchr(szTK, '=');\n\t\t\tif (!ext) {\n\t\t\t\tfprintf(stderr, \"Bad format for track matrix - expecting ID=none or ID=M1:M2:M3:M4:M5:M6:M7:M8:M9 got %s\\n\", argv[i + 1]);\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\ttka = &tracks[nb_track_act];\n\t\t\tif (!stricmp(ext + 1, \"none\")) {\n\t\t\t\tmemset(tka->mx, 0, sizeof(s32)*9);\n\t\t\t} else {\n\t\t\t\ts32 res;\n\t\t\t\tif (strstr(ext+1, \"0x\")) {\n\t\t\t\t\tres = sscanf(ext + 1, \"0x%d:0x%d:0x%d:0x%d:0x%d:0x%d:0x%d:0x%d:0x%d\", &tka->mx[0], &tka->mx[1], &tka->mx[2], &tka->mx[3], &tka->mx[4], &tka->mx[5], &tka->mx[6], &tka->mx[7], &tka->mx[8]);\n\t\t\t\t} else {\n\t\t\t\t\tres = sscanf(ext + 1, \"%d:%d:%d:%d:%d:%d:%d:%d:%d\", &tka->mx[0], &tka->mx[1], &tka->mx[2], &tka->mx[3], &tka->mx[4], &tka->mx[5], &tka->mx[6], &tka->mx[7], &tka->mx[8]);\n\t\t\t\t}\n\t\t\t\tif (res != 9) {\n\t\t\t\t\tfprintf(stderr, \"Bad format for track matrix - expecting ID=none or ID=M1:M2:M3:M4:M5:M6:M7:M8:M9 got %s\\n\", argv[i + 1]);\n\t\t\t\t\treturn 2;\n\t\t\t\t}\n\t\t\t}\n\t\t\text[0] = 0;\n\t\t\ttracks[nb_track_act].trackID = atoi(szTK);\n\t\t\topen_edit = GF_TRUE;\n\t\t\tnb_track_act++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-hdr\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\thigh_dynamc_range_filename = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-bo\")) {\n\t\t\tfreeze_box_order = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-patch\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tbox_patch_filename = argv[i + 1];\n\t\t\tchar *sep = strchr(box_patch_filename, '=');\n\t\t\tif (sep) {\n\t\t\t\tsep[0] = 0;\n\t\t\t\tbox_patch_trackID = atoi(box_patch_filename);\n\t\t\t\tsep[0] = '=';\n\t\t\t\tbox_patch_filename = sep+1;\n\t\t\t}\n \t\t\topen_edit = 
GF_TRUE;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-lang\")) {\n\t\t\tchar szTK[20], *ext;\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttracks = gf_realloc(tracks, sizeof(TrackAction) * (nb_track_act + 1));\n\t\t\tmemset(&tracks[nb_track_act], 0, sizeof(TrackAction));\n\n\t\t\ttracks[nb_track_act].act_type = TRAC_ACTION_SET_LANGUAGE;\n\t\t\ttracks[nb_track_act].trackID = 0;\n\t\t\tstrncpy(szTK, argv[i + 1], sizeof(szTK)-1);\n\t\t\tszTK[sizeof(szTK)-1] = 0;\n\t\t\text = strchr(szTK, '=');\n\t\t\tif (!strnicmp(argv[i + 1], \"all=\", 4)) {\n\t\t\t\tstrncpy(tracks[nb_track_act].lang, argv[i + 1] + 4, 10);\n\t\t\t}\n\t\t\telse if (!ext) {\n\t\t\t\tstrncpy(tracks[nb_track_act].lang, argv[i + 1], 10);\n\t\t\t}\n\t\t\telse {\n\t\t\t\tstrncpy(tracks[nb_track_act].lang, ext + 1, 10);\n\t\t\t\text[0] = 0;\n\t\t\t\ttracks[nb_track_act].trackID = atoi(szTK);\n\t\t\t\text[0] = '=';\n\t\t\t}\n\t\t\topen_edit = GF_TRUE;\n\t\t\tnb_track_act++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-kind\") || !stricmp(arg, \"-kind-rem\")) {\n\t\t\tchar szTK[200], *ext;\n\t\t\tchar *scheme_start = NULL;\n\t\t\tBool has_track_id = GF_FALSE;\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttracks = gf_realloc(tracks, sizeof(TrackAction) * (nb_track_act + 1));\n\t\t\tmemset(&tracks[nb_track_act], 0, sizeof(TrackAction));\n\n\t\t\tif (!stricmp(arg, \"-kind\")) {\n\t\t\t\ttracks[nb_track_act].act_type = TRAC_ACTION_SET_KIND;\n\t\t\t}\n\t\t\telse {\n\t\t\t\ttracks[nb_track_act].act_type = TRAC_ACTION_REM_KIND;\n\t\t\t}\n\t\t\ttracks[nb_track_act].trackID = 0;\n\t\t\tif (!strnicmp(argv[i + 1], \"all=\", 4)) {\n\t\t\t\tscheme_start = argv[i + 1] + 4;\n\t\t\t\thas_track_id = GF_TRUE;\n\t\t\t}\n\t\t\tif (!scheme_start) {\n\t\t\t\tif (strlen(argv[i + 1]) > 200) {\n\t\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_ALL, (\"Warning: track kind parameter is too long!\"));\n\t\t\t\t}\n\t\t\t\tstrncpy(szTK, argv[i + 1], 200);\n\t\t\t\text = strchr(szTK, '=');\n\t\t\t\tif (ext && !has_track_id) {\n\t\t\t\t\text[0] = 0;\n\t\t\t\t\thas_track_id = 
(sscanf(szTK, \"%d\", &tracks[nb_track_act].trackID) == 1 ? GF_TRUE : GF_FALSE);\n\t\t\t\t\tif (has_track_id) {\n\t\t\t\t\t\tscheme_start = ext + 1;\n\t\t\t\t\t}\n\t\t\t\t\telse {\n\t\t\t\t\t\tscheme_start = szTK;\n\t\t\t\t\t}\n\t\t\t\t\text[0] = '=';\n\t\t\t\t}\n\t\t\t\telse {\n\t\t\t\t\tscheme_start = szTK;\n\t\t\t\t}\n\t\t\t}\n\t\t\text = strchr(scheme_start, '=');\n\t\t\tif (!ext) {\n\t\t\t\ttracks[nb_track_act].kind_scheme = gf_strdup(scheme_start);\n\t\t\t}\n\t\t\telse {\n\t\t\t\text[0] = 0;\n\t\t\t\ttracks[nb_track_act].kind_scheme = gf_strdup(scheme_start);\n\t\t\t\text[0] = '=';\n\t\t\t\ttracks[nb_track_act].kind_value = gf_strdup(ext + 1);\n\t\t\t}\n\t\t\topen_edit = GF_TRUE;\n\t\t\tnb_track_act++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-delay\")) {\n\t\t\tchar szTK[20], *ext;\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttracks = gf_realloc(tracks, sizeof(TrackAction) * (nb_track_act + 1));\n\t\t\tmemset(&tracks[nb_track_act], 0, sizeof(TrackAction));\n\n\t\t\tstrncpy(szTK, argv[i + 1], sizeof(szTK)-1);\n\t\t\tszTK[sizeof(szTK)-1] = 0;\n\t\t\text = strchr(szTK, '=');\n\t\t\tif (!ext) {\n\t\t\t\tfprintf(stderr, \"Bad format for track delay - expecting tkID=DLAY got %s\\n\", argv[i + 1]);\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\ttracks[nb_track_act].act_type = TRAC_ACTION_SET_DELAY;\n\t\t\ttracks[nb_track_act].delay_ms = atoi(ext + 1);\n\t\t\text[0] = 0;\n\t\t\ttracks[nb_track_act].trackID = atoi(szTK);\n\t\t\topen_edit = GF_TRUE;\n\t\t\tnb_track_act++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-ref\")) {\n\t\t\tchar *szTK, *ext;\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttracks = gf_realloc(tracks, sizeof(TrackAction) * (nb_track_act + 1));\n\t\t\tmemset(&tracks[nb_track_act], 0, sizeof(TrackAction));\n\n\t\t\tszTK = argv[i + 1];\n\t\t\text = strchr(szTK, ':');\n\t\t\tif (!ext) {\n\t\t\t\tfprintf(stderr, \"Bad format for track reference - expecting tkID:XXXX:refID got %s\\n\", argv[i + 1]);\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\ttracks[nb_track_act].act_type = 
TRAC_ACTION_REFERENCE;\n\t\t\text[0] = 0;\n\t\t\ttracks[nb_track_act].trackID = atoi(szTK);\n\t\t\text[0] = ':';\n\t\t\tszTK = ext + 1;\n\t\t\text = strchr(szTK, ':');\n\t\t\tif (!ext) {\n\t\t\t\tfprintf(stderr, \"Bad format for track reference - expecting tkID:XXXX:refID got %s\\n\", argv[i + 1]);\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\text[0] = 0;\n\t\t\tstrncpy(tracks[nb_track_act].lang, szTK, 10);\n\t\t\text[0] = ':';\n\t\t\ttracks[nb_track_act].delay_ms = (s32)atoi(ext + 1);\n\t\t\topen_edit = GF_TRUE;\n\t\t\tnb_track_act++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-name\")) {\n\t\t\tchar szTK[GF_MAX_PATH], *ext;\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttracks = gf_realloc(tracks, sizeof(TrackAction) * (nb_track_act + 1));\n\t\t\tmemset(&tracks[nb_track_act], 0, sizeof(TrackAction));\n\n\t\t\tstrncpy(szTK, argv[i + 1], sizeof(szTK)-1);\n\t\t\tszTK[sizeof(szTK)-1] = 0;\n\t\t\text = strchr(szTK, '=');\n\t\t\tif (!ext) {\n\t\t\t\tfprintf(stderr, \"Bad format for track name - expecting tkID=name got %s\\n\", argv[i + 1]);\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\ttracks[nb_track_act].act_type = TRAC_ACTION_SET_HANDLER_NAME;\n\t\t\ttracks[nb_track_act].hdl_name = strchr(argv[i + 1], '=') + 1;\n\t\t\text[0] = 0;\n\t\t\ttracks[nb_track_act].trackID = atoi(szTK);\n\t\t\text[0] = '=';\n\t\t\topen_edit = GF_TRUE;\n\t\t\tnb_track_act++;\n\t\t\ti++;\n\t\t}\n#if !defined(GPAC_DISABLE_MEDIA_EXPORT) && !defined(GPAC_DISABLE_MEDIA_IMPORT)\n\t\telse if (!stricmp(arg, \"-dref\")) import_flags |= GF_IMPORT_USE_DATAREF;\n\t\telse if (!stricmp(arg, \"-no-drop\") || !stricmp(arg, \"-nodrop\")) import_flags |= GF_IMPORT_NO_FRAME_DROP;\n\t\telse if (!stricmp(arg, \"-packed\")) import_flags |= GF_IMPORT_FORCE_PACKED;\n\t\telse if (!stricmp(arg, \"-sbr\")) import_flags |= GF_IMPORT_SBR_IMPLICIT;\n\t\telse if (!stricmp(arg, \"-sbrx\")) import_flags |= GF_IMPORT_SBR_EXPLICIT;\n\t\telse if (!stricmp(arg, \"-ps\")) import_flags |= GF_IMPORT_PS_IMPLICIT;\n\t\telse if (!stricmp(arg, \"-psx\")) import_flags 
|= GF_IMPORT_PS_EXPLICIT;\n\t\telse if (!stricmp(arg, \"-ovsbr\")) import_flags |= GF_IMPORT_OVSBR;\n\t\telse if (!stricmp(arg, \"-fps\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tif (!strcmp(argv[i + 1], \"auto\")) { fprintf(stderr, \"Warning, fps=auto option is deprecated\\n\"); }\n\t\t\telse if (strchr(argv[i + 1], '-')) {\n\t\t\t\tu32 ticks, dts_inc;\n\t\t\t\tsscanf(argv[i + 1], \"%u-%u\", &ticks, &dts_inc);\n\t\t\t\tif (!dts_inc) dts_inc = 1;\n\t\t\t\timport_fps.num = ticks;\n\t\t\t\timport_fps.den = dts_inc;\n\t\t\t} else {\n\t\t\t\timport_fps.num = (s32) (1000 * atof(argv[i + 1]));\n\t\t\t\timport_fps.den = 1000;\n\t\t\t}\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-agg\")) {\n\t\t\tCHECK_NEXT_ARG agg_samples = atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n#endif /*!defined(GPAC_DISABLE_MEDIA_EXPORT) && !defined(GPAC_DISABLE_MEDIA_IMPORT*/\n\t\telse if (!stricmp(arg, \"-keep-sys\") || !stricmp(arg, \"-keepsys\")) keep_sys_tracks = 1;\n\t\telse if (!stricmp(arg, \"-ms\")) {\n\t\t\tCHECK_NEXT_ARG mediaSource = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-mp4\")) {\n\t\t\tencode = GF_TRUE;\n\t\t\topen_edit = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-saf\")) {\n\t\t\tdo_saf = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-sclog\")) {\n\t\t\tdo_scene_log = GF_TRUE;\n\t\t}\n#ifndef GPAC_DISABLE_MPD\n\t\telse if (!stricmp(arg, \"-mpd\")) {\n\t\t\tdo_mpd = GF_TRUE;\n\t\t\tCHECK_NEXT_ARG\n\t\t\tinName = argv[i + 1];\n\t\t\ti++;\n\t\t}\n#endif\n\n#ifndef GPAC_DISABLE_SCENE_ENCODER\n\t\telse if (!stricmp(arg, \"-def\")) smenc_opts.flags |= GF_SM_ENCODE_USE_NAMES;\n\t\telse if (!stricmp(arg, \"-sync\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsmenc_opts.flags |= GF_SM_ENCODE_RAP_INBAND;\n\t\t\tsmenc_opts.rap_freq = atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-shadow\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsmenc_opts.flags &= ~GF_SM_ENCODE_RAP_INBAND;\n\t\t\tsmenc_opts.flags |= GF_SM_ENCODE_RAP_SHADOW;\n\t\t\tsmenc_opts.rap_freq = atoi(argv[i + 
1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-carousel\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsmenc_opts.flags &= ~(GF_SM_ENCODE_RAP_INBAND | GF_SM_ENCODE_RAP_SHADOW);\n\t\t\tsmenc_opts.rap_freq = atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\t/*LASeR options*/\n\t\telse if (!stricmp(arg, \"-resolution\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsmenc_opts.resolution = atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n#ifndef GPAC_DISABLE_SCENE_STATS\n\t\telse if (!stricmp(arg, \"-auto-quant\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsmenc_opts.resolution = atoi(argv[i + 1]);\n\t\t\tsmenc_opts.auto_quant = 1;\n\t\t\ti++;\n\t\t}\n#endif\n\t\telse if (!stricmp(arg, \"-coord-bits\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsmenc_opts.coord_bits = atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-scale-bits\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsmenc_opts.scale_bits = atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-global-quant\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsmenc_opts.resolution = atoi(argv[i + 1]);\n\t\t\tsmenc_opts.auto_quant = 2;\n\t\t\ti++;\n\t\t}\n\t\t/*chunk encoding*/\n\t\telse if (!stricmp(arg, \"-ctx-out\") || !stricmp(arg, \"-outctx\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\toutput_ctx = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-ctx-in\") || !stricmp(arg, \"-inctx\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tchunk_mode = GF_TRUE;\n\t\t\tinput_ctx = argv[i + 1];\n\t\t\ti++;\n\t\t}\n#endif /*GPAC_DISABLE_SCENE_ENCODER*/\n\n#ifndef GPAC_DISABLE_ISOM_WRITE\n\t\telse if (!strcmp(arg, \"-crypt\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tcrypt = 1;\n\t\t\tdrm_file = argv[i + 1];\n\t\t\topen_edit = GF_TRUE;\n\t\t\ti += 1;\n\t\t}\n\t\telse if (!strcmp(arg, \"-decrypt\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tcrypt = 2;\n\t\t\tif (get_file_type_by_ext(argv[i + 1]) != 1) {\n\t\t\t\tdrm_file = argv[i + 1];\n\t\t\t\ti += 1;\n\t\t\t}\n\t\t\topen_edit = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-set-kms\")) {\n\t\t\tchar szTK[20], *ext;\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttracks = 
gf_realloc(tracks, sizeof(TrackAction) * (nb_track_act + 1));\n\t\t\tmemset(&tracks[nb_track_act], 0, sizeof(TrackAction));\n\n\t\t\tstrncpy(szTK, argv[i + 1], 19);\n\t\t\text = strchr(szTK, '=');\n\t\t\ttracks[nb_track_act].act_type = TRAC_ACTION_SET_KMS_URI;\n\t\t\ttracks[nb_track_act].trackID = 0;\n\t\t\tif (!strnicmp(argv[i + 1], \"all=\", 4)) {\n\t\t\t\ttracks[nb_track_act].kms = argv[i + 1] + 4;\n\t\t\t}\n\t\t\telse if (!ext) {\n\t\t\t\ttracks[nb_track_act].kms = argv[i + 1];\n\t\t\t}\n\t\t\telse {\n\t\t\t\ttracks[nb_track_act].kms = ext + 1;\n\t\t\t\text[0] = 0;\n\t\t\t\ttracks[nb_track_act].trackID = atoi(szTK);\n\t\t\t\text[0] = '=';\n\t\t\t}\n\t\t\topen_edit = GF_TRUE;\n\t\t\tnb_track_act++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-split\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsplit_duration = atof(argv[i + 1]);\n\t\t\tif (split_duration < 0) split_duration = 0;\n\t\t\ti++;\n\t\t\tsplit_size = 0;\n\t\t}\n\t\telse if (!stricmp(arg, \"-split-rap\") || !stricmp(arg, \"-splitr\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsplit_duration = -1;\n\t\t\tsplit_size = -1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-split-size\") || !stricmp(arg, \"-splits\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsplit_size = (u32)atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t\tsplit_duration = 0;\n\t\t}\n\t\telse if (!stricmp(arg, \"-split-chunk\") || !stricmp(arg, \"-splitx\") || !stricmp(arg, \"-splitz\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tif (!strstr(argv[i + 1], \":\")) {\n\t\t\t\tfprintf(stderr, \"Chunk extraction usage: \\\"-splitx start:end\\\" expressed in seconds\\n\");\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\tif (strstr(argv[i + 1], \"end\")) {\n\t\t\t\tif (strstr(argv[i + 1], \"end-\")) {\n\t\t\t\t\tDouble dur_end=0;\n\t\t\t\t\tsscanf(argv[i + 1], \"%lf:end-%lf\", &split_start, &dur_end);\n\t\t\t\t\tsplit_duration = -2 - dur_end;\n\t\t\t\t} else {\n\t\t\t\t\tsscanf(argv[i + 1], \"%lf:end\", &split_start);\n\t\t\t\t\tsplit_duration = -2;\n\t\t\t\t}\n\t\t\t}\n\t\t\telse {\n\t\t\t\tif (strchr(argv[i + 1], '-')) 
{\n\t\t\t\t\tsplit_range_str = argv[i + 1];\n\t\t\t\t} else {\n\t\t\t\t\tsscanf(argv[i + 1], \"%lf:%lf\", &split_start, &split_duration);\n\t\t\t\t\tsplit_duration -= split_start;\n\t\t\t\t}\n\t\t\t}\n\t\t\tsplit_size = 0;\n\t\t\tif (!stricmp(arg, \"-splitz\")) adjust_split_end = 1;\n\t\t\ti++;\n\t\t}\n\t\t/*meta*/\n\t\telse if (!stricmp(arg, \"-set-meta\")) {\n\t\t\tmetas = gf_realloc(metas, sizeof(MetaAction) * (nb_meta_act + 1));\n\t\t\tparse_meta_args(&metas[nb_meta_act], META_ACTION_SET_TYPE, argv[i + 1]);\n\t\t\tnb_meta_act++;\n\t\t\topen_edit = GF_TRUE;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-add-item\")) {\n\t\t\tmetas = gf_realloc(metas, sizeof(MetaAction) * (nb_meta_act + 1));\n\t\t\tparse_meta_args(&metas[nb_meta_act], META_ACTION_ADD_ITEM, argv[i + 1]);\n\t\t\tnb_meta_act++;\n\t\t\topen_edit = GF_TRUE;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-add-image\")) {\n\t\t\tmetas = gf_realloc(metas, sizeof(MetaAction) * (nb_meta_act + 1));\n\t\t\tparse_meta_args(&metas[nb_meta_act], META_ACTION_ADD_IMAGE_ITEM, argv[i + 1]);\n\t\t\tnb_meta_act++;\n\t\t\topen_edit = GF_TRUE;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-rem-item\")) {\n\t\t\tmetas = gf_realloc(metas, sizeof(MetaAction) * (nb_meta_act + 1));\n\t\t\tparse_meta_args(&metas[nb_meta_act], META_ACTION_REM_ITEM, argv[i + 1]);\n\t\t\tnb_meta_act++;\n\t\t\topen_edit = GF_TRUE;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-set-primary\")) {\n\t\t\tmetas = gf_realloc(metas, sizeof(MetaAction) * (nb_meta_act + 1));\n\t\t\tparse_meta_args(&metas[nb_meta_act], META_ACTION_SET_PRIMARY_ITEM, argv[i + 1]);\n\t\t\tnb_meta_act++;\n\t\t\topen_edit = GF_TRUE;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-set-xml\")) {\n\t\t\tmetas = gf_realloc(metas, sizeof(MetaAction) * (nb_meta_act + 1));\n\t\t\tparse_meta_args(&metas[nb_meta_act], META_ACTION_SET_XML, argv[i + 1]);\n\t\t\tnb_meta_act++;\n\t\t\topen_edit = GF_TRUE;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-rem-xml\")) 
{\n\t\t\tmetas = gf_realloc(metas, sizeof(MetaAction) * (nb_meta_act + 1));\n\t\t\tif (parse_meta_args(&metas[nb_meta_act], META_ACTION_REM_XML, argv[i + 1])) i++;\n\t\t\tnb_meta_act++;\n\t\t\topen_edit = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-dump-xml\")) {\n\t\t\tmetas = gf_realloc(metas, sizeof(MetaAction) * (nb_meta_act + 1));\n\t\t\tparse_meta_args(&metas[nb_meta_act], META_ACTION_DUMP_XML, argv[i + 1]);\n\t\t\tnb_meta_act++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-dump-item\")) {\n\t\t\tmetas = gf_realloc(metas, sizeof(MetaAction) * (nb_meta_act + 1));\n\t\t\tparse_meta_args(&metas[nb_meta_act], META_ACTION_DUMP_ITEM, argv[i + 1]);\n\t\t\tnb_meta_act++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-group-add\") || !stricmp(arg, \"-group-rem-track\") || !stricmp(arg, \"-group-rem\") ) {\n\t\t\tTSELActionType act_type;\n\t\t\tif (!stricmp(arg, \"-group-rem\")) {\n\t\t\t\tact_type = TSEL_ACTION_REMOVE_ALL_TSEL_IN_GROUP;\n\t\t\t}\n\t\t\telse if (!stricmp(arg, \"-group-rem-track\")) {\n\t\t\t\tact_type = TSEL_ACTION_REMOVE_TSEL;\n\t\t\t}\n\t\t\telse {\n\t\t\t\tact_type = TSEL_ACTION_SET_PARAM;\n\t\t\t}\n\t\t\tif (parse_tsel_args(&tsel_acts, argv[i + 1], &nb_tsel_acts, act_type) == 0) {\n\t\t\t\tfprintf(stderr, \"Invalid group syntax - check usage\\n\");\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\topen_edit = GF_TRUE;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-group-clean\")) {\n\t\t\tclean_groups = 1;\n\t\t\topen_edit = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-group-single\")) {\n\t\t\tsingle_group = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-package\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tpack_file = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-zmov\")) {\n\t\t\tcompress_moov = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-mgt\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tpack_file = argv[i + 1];\n\t\t\tpack_wgt = GF_TRUE;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-brand\")) {\n\t\t\tchar *b = argv[i + 
1];\n\t\t\tCHECK_NEXT_ARG\n\t\t\tmajor_brand = GF_4CC(b[0], b[1], b[2], b[3]);\n\t\t\topen_edit = GF_TRUE;\n\t\t\tif (b[4] == ':') {\n\t\t\t\tif (!strncmp(b+5, \"0x\", 2))\n\t\t\t\t\tsscanf(b+5, \"0x%x\", &minor_version);\n\t\t\t\telse\n\t\t\t\t\tminor_version = atoi(b + 5);\n\t\t\t}\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-ab\")) {\n\t\t\tchar *b = argv[i + 1];\n\t\t\tCHECK_NEXT_ARG\n\t\t\tbrand_add = (u32*)gf_realloc(brand_add, sizeof(u32) * (nb_alt_brand_add + 1));\n\t\t\tbrand_add[nb_alt_brand_add] = GF_4CC(b[0], b[1], b[2], b[3]);\n\t\t\tnb_alt_brand_add++;\n\t\t\topen_edit = GF_TRUE;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-rb\")) {\n\t\t\tchar *b = argv[i + 1];\n\t\t\tCHECK_NEXT_ARG\n\t\t\tbrand_rem = (u32*)gf_realloc(brand_rem, sizeof(u32) * (nb_alt_brand_rem + 1));\n\t\t\tbrand_rem[nb_alt_brand_rem] = GF_4CC(b[0], b[1], b[2], b[3]);\n\t\t\tnb_alt_brand_rem++;\n\t\t\topen_edit = GF_TRUE;\n\t\t\ti++;\n\t\t}\n#endif\n\t\telse if (!stricmp(arg, \"-languages\")) {\n\t\t\tPrintLanguages();\n\t\t\treturn 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-h\")) {\n\t\t\tgf_sys_set_args(argc, (const char**) argv);\n\n\t\t\tif (i + 1 == (u32)argc) PrintUsage();\n\t\t\telse if (!strcmp(argv[i + 1], \"general\")) PrintGeneralUsage();\n\t\t\telse if (!strcmp(argv[i + 1], \"extract\")) PrintExtractUsage();\n\t\t\telse if (!strcmp(argv[i + 1], \"dash\")) PrintDASHUsage();\n\t\t\telse if (!strcmp(argv[i + 1], \"dump\")) PrintDumpUsage();\n\t\t\telse if (!strcmp(argv[i + 1], \"import\")) PrintImportUsage();\n\t\t\telse if (!strcmp(argv[i + 1], \"format\")) fprintf(stderr, \"deprectaed, see [filters documentation](Filters)\\n\");\n\t\t\telse if (!strcmp(argv[i + 1], \"hint\")) PrintHintUsage();\n\t\t\telse if (!strcmp(argv[i + 1], \"encode\")) PrintEncodeUsage();\n\t\t\telse if (!strcmp(argv[i + 1], \"crypt\")) PrintEncryptUsage();\n\t\t\telse if (!strcmp(argv[i + 1], \"meta\")) PrintMetaUsage();\n\t\t\telse if (!strcmp(argv[i + 1], \"swf\")) PrintSWFUsage();\n#if 
!defined(GPAC_DISABLE_STREAMING) && !defined(GPAC_DISABLE_SENG)\n\t\t\telse if (!strcmp(argv[i + 1], \"rtp\")) fprintf(stderr, \"RTP streaming deprecated in MP4Box, use gpac application\\n\");\n\t\t\telse if (!strcmp(argv[i + 1], \"live\")) PrintLiveUsage();\n#endif\n\t\t\telse if (!strcmp(argv[i + 1], \"core\")) PrintCoreUsage();\n\t\t\telse if (!strcmp(argv[i + 1], \"all\")) {\n\t\t\t\tPrintGeneralUsage();\n\t\t\t\tPrintExtractUsage();\n\t\t\t\tPrintDASHUsage();\n\t\t\t\tPrintDumpUsage();\n\t\t\t\tPrintImportUsage();\n\t\t\t\tPrintHintUsage();\n\t\t\t\tPrintEncodeUsage();\n\t\t\t\tPrintEncryptUsage();\n\t\t\t\tPrintMetaUsage();\n\t\t\t\tPrintSWFUsage();\n#if !defined(GPAC_DISABLE_STREAMING) && !defined(GPAC_DISABLE_SENG)\n\t\t\t\tPrintLiveUsage();\n#endif\n\t\t\t\tPrintCoreUsage();\n\t\t\t} else if (!strcmp(argv[i + 1], \"opts\")) {\n\t\t\t\tPrintHelp(\"@\", GF_FALSE, GF_FALSE);\n\t\t\t} else {\n\t\t\t\tPrintHelp(argv[i+1], GF_FALSE, GF_FALSE);\n\t\t\t}\n\t\t\treturn 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-hx\")) {\n\t\t\tif (i + 1 == (u32)argc) PrintUsage();\n\t\t\telse PrintHelp(argv[i+1], GF_TRUE, GF_FALSE);\n\t\t\treturn 1;\n\t\t}\n\t\telse if (!strcmp(arg, \"-genmd\")) {\n\t\t\thelp_flags = GF_PRINTARG_MD | GF_PRINTARG_IS_APP;\n\t\t\thelpout = gf_fopen(\"mp4box-gen-opts.md\", \"w\");\n\n\t \t\tfprintf(helpout, \"[**HOME**](Home) » [**MP4Box**](MP4Box) » General\");\n\t \t\tfprintf(helpout, \"\\n\");\n\t\t\tfprintf(helpout, \"# Syntax\\n\");\n\t\t\tgf_sys_format_help(helpout, help_flags, \"MP4Box [option] input [option] [other_dash_inputs]\\n\"\n\t\t\t\t\" \\n\"\n\t\t\t);\n\t\t\tPrintGeneralUsage();\n\t\t\tPrintEncryptUsage();\n\t\t\tfprintf(helpout, \"# Help Options\\n\");\n\t\t\twhile (m4b_usage_args[i].name) {\n\t\t\t\tGF_GPACArg *g_arg = &m4b_usage_args[i];\n\t\t\t\ti++;\n\t\t\t\tgf_sys_print_arg(helpout, help_flags, g_arg, \"mp4box-general\");\n\t\t\t}\n\n\t\t\tgf_fclose(helpout);\n\n\t\t\thelpout = gf_fopen(\"mp4box-import-opts.md\", \"w\");\n\t 
\t\tfprintf(helpout, \"[**HOME**](Home) » [**MP4Box**](MP4Box) » Media Import\");\n\t \t\tfprintf(helpout, \"\\n\");\n\t\t\tPrintImportUsage();\n\t\t\tgf_fclose(helpout);\n\n\t\t\thelpout = gf_fopen(\"mp4box-dash-opts.md\", \"w\");\n\t \t\tfprintf(helpout, \"[**HOME**](Home) » [**MP4Box**](MP4Box) » Media DASH\");\n\t \t\tfprintf(helpout, \"\\n\");\n\t\t\tPrintDASHUsage();\n\t\t\tgf_fclose(helpout);\n\n\t\t\thelpout = gf_fopen(\"mp4box-dump-opts.md\", \"w\");\n\t \t\tfprintf(helpout, \"[**HOME**](Home) » [**MP4Box**](MP4Box) » Media Dump and Export\");\n\t \t\tfprintf(helpout, \"\\n\");\n\t\t\tPrintExtractUsage();\n\t\t\tPrintDumpUsage();\n\t\t\tgf_fclose(helpout);\n\n\t\t\thelpout = gf_fopen(\"mp4box-meta-opts.md\", \"w\");\n\t \t\tfprintf(helpout, \"[**HOME**](Home) » [**MP4Box**](MP4Box) » Meta and HEIF/IFF\");\n\t \t\tfprintf(helpout, \"\\n\");\n\t\t\tPrintMetaUsage();\n\t\t\tgf_fclose(helpout);\n\n\n\t\t\thelpout = gf_fopen(\"mp4box-scene-opts.md\", \"w\");\n\t \t\tfprintf(helpout, \"[**HOME**](Home) » [**MP4Box**](MP4Box) » Scene Description\");\n\t \t\tfprintf(helpout, \"\\n\");\n\t\t\tPrintEncodeUsage();\n#if !defined(GPAC_DISABLE_STREAMING) && !defined(GPAC_DISABLE_SENG)\n\t\t\tPrintLiveUsage();\n#endif\n\t\t\tPrintSWFUsage();\n\t\t\tgf_fclose(helpout);\n\n\t\t\thelpout = gf_fopen(\"mp4box-other-opts.md\", \"w\");\n\t \t\tfprintf(helpout, \"[**HOME**](Home) » [**MP4Box**](MP4Box) » Other Features\");\n\t \t\tfprintf(helpout, \"\\n\");\n\t\t\tPrintHintUsage();\n\t\t\tgf_fclose(helpout);\n\n\t\t\tgf_sys_close();\n\t\t\treturn 1;\n\t\t} else if (!strcmp(arg, \"-genman\")) {\n\t\t\thelp_flags = GF_PRINTARG_MAN;\n\t\t\thelpout = gf_fopen(\"mp4box.1\", \"w\");\n\n\n\t \t\tfprintf(helpout, \".TH MP4Box 1 2019 MP4Box GPAC\\n\");\n\t\t\tfprintf(helpout, \".\\n.SH NAME\\n.LP\\nMP4Box \\\\- GPAC command-line media packager\\n.SH SYNOPSIS\\n.LP\\n.B MP4Box\\n.RI [options] \\\\ [file] \\\\ 
[options]\\n.br\\n.\\n\");\n\n\t\t\tPrintGeneralUsage();\n\t\t\tPrintExtractUsage();\n\t\t\tPrintDASHUsage();\n\t\t\tPrintDumpUsage();\n\t\t\tPrintImportUsage();\n\t\t\tPrintHintUsage();\n\t\t\tPrintEncodeUsage();\n\t\t\tPrintEncryptUsage();\n\t\t\tPrintMetaUsage();\n\t\t\tPrintSWFUsage();\n#if !defined(GPAC_DISABLE_STREAMING) && !defined(GPAC_DISABLE_SENG)\n\t\t\tPrintLiveUsage();\n#endif\n\n\t\t\tfprintf(helpout, \".SH EXAMPLES\\n.TP\\nBasic and advanced examples are available at https://wiki.gpac.io/MP4Box-Introduction\\n\");\n\t\t\tfprintf(helpout, \".SH MORE\\n.LP\\nAuthors: GPAC developers, see git repo history (-log)\\n\"\n\t\t\t\".br\\nFor bug reports, feature requests, more information and source code, visit http://github.com/gpac/gpac\\n\"\n\t\t\t\".br\\nbuild: %s\\n\"\n\t\t\t\".br\\nCopyright: %s\\n.br\\n\"\n\t\t\t\".SH SEE ALSO\\n\"\n\t\t\t\".LP\\ngpac(1), MP4Client(1)\\n\", gf_gpac_version(), gf_gpac_copyright());\n\n\t\t\tgf_fclose(helpout);\n\t\t\tgf_sys_close();\n\t\t\treturn 1;\n\t\t}\n\n\t\telse if (!stricmp(arg, \"-v\")) verbose++;\n\t\telse if (!stricmp(arg, \"-tag-list\")) {\n\t\t\tfprintf(stderr, \"Supported iTunes tag modifiers:\\n\");\n\t\t\tfor (i = 0; i < nb_itunes_tags; i++) {\n\t\t\t\tfprintf(stderr, \"\\t%s\\t%s\\n\", itags[i].name, itags[i].comment);\n\t\t\t}\n\t\t\treturn 1;\n\t\t}\n\t\telse if (!live_scene) {\n\t\t\tu32 res = gf_sys_is_gpac_arg(arg);\n\t\t\tif (res==0) {\n\t\t\t\tPrintHelp(arg, GF_FALSE, GF_TRUE);\n\t\t\t\treturn 2;\n\t\t\t} else if (res==2) {\n\t\t\t\ti++;\n\t\t\t}\n\t\t}\n\t}\n\t*current_index = i;\n\treturn 0;\n}", "project": "gpac", "hash": 231678588551398252646002838969366173050, "size": 1019, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244415 }, { "func": "GF_Err gf_isom_set_brand_info(GF_ISOFile *movie, u32 MajorBrand, u32 MinorVersion)\n{\n\tu32 i, *p;\n\n\tif (!MajorBrand) return GF_BAD_PARAM;\n\n#ifndef 
GPAC_DISABLE_ISOM_FRAGMENTS\n\tif (! (movie->FragmentsFlags & GF_ISOM_FRAG_WRITE_READY)) {\n\t\tGF_Err e = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\t\tif (e) return e;\n\n\t\te = CheckNoData(movie);\n\t\tif (e) return e;\n\t}\n#endif\n\n\tif (!movie->brand) {\n\t\tmovie->brand = (GF_FileTypeBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_FTYP);\n\t\tif (!movie->brand) return GF_OUT_OF_MEM;\n\t\tgf_list_add(movie->TopBoxes, movie->brand);\n\t}\n\n\tmovie->brand->majorBrand = MajorBrand;\n\tmovie->brand->minorVersion = MinorVersion;\n\n\tif (!movie->brand->altBrand) {\n\t\tmovie->brand->altBrand = (u32*)gf_malloc(sizeof(u32));\n\t\tif (!movie->brand->altBrand) return GF_OUT_OF_MEM;\n\t\tmovie->brand->altBrand[0] = MajorBrand;\n\t\tmovie->brand->altCount = 1;\n\t\treturn GF_OK;\n\t}\n\n\t//if brand already present don't change anything\n\tfor (i=0; ibrand->altCount; i++) {\n\t\tif (movie->brand->altBrand[i] == MajorBrand) return GF_OK;\n\t}\n\tp = (u32*)gf_malloc(sizeof(u32)*(movie->brand->altCount + 1));\n\tif (!p) return GF_OUT_OF_MEM;\n\tmemcpy(p, movie->brand->altBrand, sizeof(u32)*movie->brand->altCount);\n\tp[movie->brand->altCount] = MajorBrand;\n\tmovie->brand->altCount += 1;\n\tgf_free(movie->brand->altBrand);\n\tmovie->brand->altBrand = p;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 225360145808874991167241508187649431678, "size": 46, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267205 }, { "func": "GF_Err gf_isom_clone_box(GF_Box *src, GF_Box **dst)\n{\n\tGF_Err e;\n\tu8 *data;\n\tu32 data_size;\n\tGF_BitStream *bs;\n\n\tif (*dst) {\n\t\tgf_isom_box_del(*dst);\n\t\t*dst=NULL;\n\t}\n\tbs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\tif (!bs) return GF_OUT_OF_MEM;\n\te = gf_isom_box_size( (GF_Box *) src);\n\tif (!e) e = gf_isom_box_write((GF_Box *) src, bs);\n\tgf_bs_get_content(bs, &data, &data_size);\n\tgf_bs_del(bs);\n\tif (e) {\n\t\tif (data) gf_free(data);\n\t\treturn 
e;\n\t}\n\tbs = gf_bs_new(data, data_size, GF_BITSTREAM_READ);\n\tif (!bs) {\n\t\tif (data) gf_free(data);\n\t\treturn GF_OUT_OF_MEM;\n\t}\n\te = gf_isom_box_parse(dst, bs);\n\tgf_bs_del(bs);\n\tgf_free(data);\n\treturn e;\n}", "project": "gpac", "hash": 331237747963183390746532511571535065917, "size": 31, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267255 }, { "func": "GF_ISOMVVCType gf_isom_get_vvc_type(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex)\n{\n\tu32 type;\n\tGF_TrackBox *trak;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !DescriptionIndex) return GF_ISOM_VVCTYPE_NONE;\n\tif (!gf_isom_is_video_handler_type(trak->Media->handler->handlerType))\n\t\treturn GF_ISOM_VVCTYPE_NONE;\n\tentry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1);\n\tif (!entry) return GF_ISOM_VVCTYPE_NONE;\n\ttype = entry->type;\n\n\tif (type == GF_ISOM_BOX_TYPE_ENCV) {\n\t\tGF_ProtectionSchemeInfoBox *sinf = (GF_ProtectionSchemeInfoBox *) gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_SINF);\n\t\tif (sinf && sinf->original_format) type = sinf->original_format->data_format;\n\t}\n\telse if (type == GF_ISOM_BOX_TYPE_RESV) {\n\t\tif (entry->rinf && entry->rinf->original_format) type = entry->rinf->original_format->data_format;\n\t}\n\n\tswitch (type) {\n\tcase GF_ISOM_BOX_TYPE_VVC1:\n\tcase GF_ISOM_BOX_TYPE_VVI1:\n\t\treturn GF_ISOM_VVCTYPE_ONLY;\n\tdefault:\n\t\treturn GF_ISOM_VVCTYPE_NONE;\n\t}\n\treturn GF_ISOM_VVCTYPE_NONE;\n}", "project": "gpac", "hash": 30488221172339514321512012207269817366, "size": 30, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237633 }, { "func": "static GF_Err gf_isom_svc_mvc_config_del(GF_ISOFile 
*the_file, u32 trackNumber, u32 DescriptionIndex, Bool is_mvc)\n{\n\tGF_TrackBox *trak;\n\tGF_Err e;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\n\te = CanAccessMovie(the_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !DescriptionIndex) return GF_BAD_PARAM;\n\tentry = (GF_MPEGVisualSampleEntryBox *)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1);\n\tif (!entry) return GF_BAD_PARAM;\n\tswitch (entry->type) {\n\tcase GF_ISOM_BOX_TYPE_AVC1:\n\tcase GF_ISOM_BOX_TYPE_AVC2:\n\tcase GF_ISOM_BOX_TYPE_AVC3:\n\tcase GF_ISOM_BOX_TYPE_AVC4:\n\tcase GF_ISOM_BOX_TYPE_SVC1:\n\tcase GF_ISOM_BOX_TYPE_MVC1:\n\t\tbreak;\n\tdefault:\n\t\treturn GF_BAD_PARAM;\n\t}\n\n\tif (is_mvc && entry->mvc_config) {\n\t\tgf_isom_box_del_parent(&entry->child_boxes, (GF_Box*)entry->mvc_config);\n\t\tentry->mvc_config = NULL;\n\t}\n\telse if (!is_mvc && entry->svc_config) {\n\t\tgf_isom_box_del_parent(&entry->child_boxes, (GF_Box*)entry->svc_config);\n\t\tentry->svc_config = NULL;\n\t}\n\tAVC_RewriteESDescriptor(entry);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 34342164026959065709348807528788347829, "size": 35, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237625 }, { "func": "u32 PrintBuiltInNodes(char *arg_val, u32 dump_type)\n{\n#if !defined(GPAC_DISABLE_VRML) && !defined(GPAC_DISABLE_X3D) && !defined(GPAC_DISABLE_SVG)\n\tGF_SceneGraph *sg;\n\tu32 i, nb_in, nb_not_in, start_tag, end_tag;\n\tu32 graph_type;\n\tBool dump_nodes = ((dump_type==1) || (dump_type==3)) ? 
1 : 0;\n\n\tif (dump_type==4) graph_type = 2;\n\telse if ((dump_type==2) || (dump_type==3)) graph_type = 1;\n\telse graph_type = 0;\n\n\tif (graph_type==1) {\n#if !defined(GPAC_DISABLE_VRML) && !defined(GPAC_DISABLE_X3D)\n\t\tstart_tag = GF_NODE_RANGE_FIRST_X3D;\n\t\tend_tag = TAG_LastImplementedX3D;\n#else\n\t\tM4_LOG(GF_LOG_ERROR, (\"X3D scene graph disabled in this build of GPAC\\n\"));\n\t\treturn 2;\n#endif\n\t} else if (graph_type==2) {\n#ifdef GPAC_DISABLE_SVG\n\t\tM4_LOG(GF_LOG_ERROR, (\"SVG scene graph disabled in this build of GPAC\\n\"));\n\t\treturn 2;\n#else\n\t\tstart_tag = GF_NODE_RANGE_FIRST_SVG;\n\t\tend_tag = GF_NODE_RANGE_LAST_SVG;\n#endif\n\t} else {\n#ifdef GPAC_DISABLE_VRML\n\t\tM4_LOG(GF_LOG_ERROR, (\"VRML/MPEG-4 scene graph disabled in this build of GPAC\\n\"));\n\t\treturn 2;\n#else\n\t\tstart_tag = GF_NODE_RANGE_FIRST_MPEG4;\n\t\tend_tag = TAG_LastImplementedMPEG4;\n#endif\n\t}\n\tnb_in = nb_not_in = 0;\n\tsg = gf_sg_new();\n\n\tif (graph_type==1) {\n\t\tfprintf(stderr, \"Available X3D nodes in this build (dumping):\\n\");\n\t} else if (graph_type==2) {\n\t\tfprintf(stderr, \"Available SVG nodes in this build (dumping and LASeR coding):\\n\");\n\t} else {\n\t\tfprintf(stderr, \"Available MPEG-4 nodes in this build (encoding/decoding/dumping):\\n\");\n\t}\n\tfor (i=start_tag; iversion);\n\tgf_bs_write_u24(bs, ptr->flags);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 265319605904645860130038235013564082492, "size": 10, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224911 }, { "func": "GF_Err gf_isom_get_stsd_template(GF_ISOFile *file, u32 track, u32 stsd_idx, u8 **output, u32 *output_size)\n{\n\tGF_TrackBox *trak;\n\tGF_BitStream *bs;\n\tGF_Box *ent;\n\n\t*output = NULL;\n\t*output_size = 0;\n\t/*get orig sample desc and clone it*/\n\ttrak = gf_isom_get_track_from_file(file, track);\n\tif (!trak || !stsd_idx || !trak->Media || 
!trak->Media->information || !trak->Media->information->sampleTable || !trak->Media->information->sampleTable->SampleDescription) return GF_BAD_PARAM;\n\n\tent = gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, stsd_idx-1);\n\tif (!ent) return GF_BAD_PARAM;\n\n\tbs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\n\tgf_isom_box_size( (GF_Box *) ent);\n\tgf_isom_box_write((GF_Box *) ent, bs);\n\tgf_bs_get_content(bs, output, output_size);\n\tgf_bs_del(bs);\n\treturn GF_OK;\n\n}", "project": "gpac", "hash": 340263476121324343171804793225550369600, "size": 24, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267252 }, { "func": "GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32 sampleNumber, GF_MPEGVisualSampleEntryBox *entry)\n{\n\tBool is_hevc = GF_FALSE;\n\t//if only one sync given in the sample sync table, insert sps/pps/vps before cra/bla in hevc\n//\tBool check_cra_bla = (mdia->information->sampleTable->SyncSample && mdia->information->sampleTable->SyncSample->nb_entries>1) ? 0 : 1;\n\tBool check_cra_bla = GF_TRUE;\n\tBool insert_nalu_delim = GF_TRUE;\n\tBool force_sei_inspect = GF_FALSE;\n\tGF_Err e = GF_OK;\n\tGF_BitStream *sei_suffix_bs = NULL;\n\tBool ps_transfered = GF_FALSE;\n\tu32 nal_size, nal_unit_size_field, extractor_mode;\n\tBool rewrite_ps, rewrite_start_codes, insert_vdrd_code;\n\tu8 nal_type;\n\tu32 nal_hdr, sabt_ref, i, track_num;\n\tu32 temporal_id = 0;\n\tGF_ISOFile *file = mdia->mediaTrack->moov->mov;\n\tGF_TrackReferenceTypeBox *scal = NULL;\n\n\tTrack_FindRef(mdia->mediaTrack, GF_ISOM_REF_SCAL, &scal);\n\n\trewrite_ps = (mdia->mediaTrack->extractor_mode & GF_ISOM_NALU_EXTRACT_INBAND_PS_FLAG) ? GF_TRUE : GF_FALSE;\n\trewrite_start_codes = (mdia->mediaTrack->extractor_mode & GF_ISOM_NALU_EXTRACT_ANNEXB_FLAG) ? 
GF_TRUE : GF_FALSE;\n\tinsert_vdrd_code = (mdia->mediaTrack->extractor_mode & GF_ISOM_NALU_EXTRACT_VDRD_FLAG) ? GF_TRUE : GF_FALSE;\n\tif (!entry->svc_config && !entry->mvc_config && !entry->lhvc_config) insert_vdrd_code = GF_FALSE;\n\textractor_mode = mdia->mediaTrack->extractor_mode&0x0000FFFF;\n\n\tif (mdia->mediaTrack->extractor_mode & GF_ISOM_NALU_EXTRACT_TILE_ONLY) {\n\t\tinsert_nalu_delim = GF_FALSE;\n\t}\n\n\ttrack_num = 1 + gf_list_find(mdia->mediaTrack->moov->trackList, mdia->mediaTrack);\n\n\tif ( (extractor_mode != GF_ISOM_NALU_EXTRACT_INSPECT) && !(mdia->mediaTrack->extractor_mode & GF_ISOM_NALU_EXTRACT_TILE_ONLY) ) {\n\t\tu32 ref_track, di;\n\t\t//aggregate all sabt samples with the same DTS\n\t\tif (entry->lhvc_config && !entry->hevc_config && !(mdia->mediaTrack->extractor_mode & GF_ISOM_NALU_EXTRACT_LAYER_ONLY)) {\n\t\t\tif (gf_isom_get_reference_count(mdia->mediaTrack->moov->mov, track_num, GF_ISOM_REF_SCAL) <= 0) {\n\t\t\t\t//FIXME - for now we only support two layers (base + enh) in implicit\n\t\t\t\tif ( gf_isom_get_reference_count(mdia->mediaTrack->moov->mov, track_num, GF_ISOM_REF_BASE) >= 1) {\n\t\t\t\t\tGF_ISOSample *base_samp;\n\t\t\t\t\tgf_isom_get_reference(mdia->mediaTrack->moov->mov, track_num, GF_ISOM_REF_BASE, 1, &ref_track);\n\t\t\t\t\tswitch (gf_isom_get_media_subtype(mdia->mediaTrack->moov->mov , ref_track, 1)) {\n\t\t\t\t\tcase GF_ISOM_SUBTYPE_HVC1:\n\t\t\t\t\tcase GF_ISOM_SUBTYPE_HVC2:\n\t\t\t\t\tcase GF_ISOM_SUBTYPE_HEV1:\n\t\t\t\t\tcase GF_ISOM_SUBTYPE_HEV2:\n\n\t\t\t\t\t\tif (!mdia->extracted_samp) {\n\t\t\t\t\t\t\tmdia->extracted_samp = gf_isom_sample_new();\n\t\t\t\t\t\t\tif (!mdia->extracted_samp) return GF_OUT_OF_MEM;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tbase_samp = gf_isom_get_sample_ex(mdia->mediaTrack->moov->mov, ref_track, sampleNumber + mdia->mediaTrack->sample_count_at_seg_start, &di, mdia->extracted_samp, NULL);\n\t\t\t\t\t\tif (base_samp && base_samp->data) {\n\t\t\t\t\t\t\tif (!sample->alloc_size || 
(sample->alloc_sizedataLength+base_samp->dataLength) ) {\n\t\t\t\t\t\t\t\tsample->data = gf_realloc(sample->data, sample->dataLength+base_samp->dataLength);\n\t\t\t\t\t\t\t\tif (sample->alloc_size) sample->alloc_size = sample->dataLength+base_samp->dataLength;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tmemmove(sample->data + base_samp->dataLength, sample->data , sample->dataLength);\n\t\t\t\t\t\t\tmemcpy(sample->data, base_samp->data, base_samp->dataLength);\n\t\t\t\t\t\t\tsample->dataLength += base_samp->dataLength;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tTrack_FindRef(mdia->mediaTrack, GF_ISOM_REF_BASE, &scal);\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tsabt_ref = gf_isom_get_reference_count(mdia->mediaTrack->moov->mov, track_num, GF_ISOM_REF_SABT);\n\t\tif ((s32) sabt_ref > 0) {\n\t\t\tforce_sei_inspect = GF_TRUE;\n\t\t\tfor (i=0; imediaTrack->moov->mov, track_num, GF_ISOM_REF_SABT, i+1, &ref_track);\n\n\t\t\t\tif (!mdia->extracted_samp) {\n\t\t\t\t\tmdia->extracted_samp = gf_isom_sample_new();\n\t\t\t\t\tif (!mdia->extracted_samp) return GF_OUT_OF_MEM;\n\t\t\t\t}\n\n\t\t\t\ttile_samp = gf_isom_get_sample_ex(mdia->mediaTrack->moov->mov, ref_track, sampleNumber + mdia->mediaTrack->sample_count_at_seg_start, &di, mdia->extracted_samp, NULL);\n\t\t\t\tif (tile_samp && tile_samp ->data) {\n\t\t\t\t\tif (!sample->alloc_size || (sample->alloc_sizedataLength+tile_samp->dataLength) ) {\n\t\t\t\t\t\tsample->data = gf_realloc(sample->data, sample->dataLength+tile_samp->dataLength);\n\t\t\t\t\t\tif (sample->alloc_size) sample->alloc_size = sample->dataLength+tile_samp->dataLength;\n\t\t\t\t\t}\n\t\t\t\t\tmemcpy(sample->data + sample->dataLength, tile_samp->data, tile_samp->dataLength);\n\t\t\t\t\tsample->dataLength += tile_samp->dataLength;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\tif ( gf_isom_get_reference_count(mdia->mediaTrack->moov->mov, track_num, GF_ISOM_REF_TBAS) >= 1) {\n\t\tu32 ref_track;\n\t\tu32 idx = 
gf_list_find(mdia->information->sampleTable->SampleDescription->child_boxes, entry);\n\t\tGF_TrackBox *tbas;\n\t\tgf_isom_get_reference(mdia->mediaTrack->moov->mov, track_num, GF_ISOM_REF_TBAS, 1, &ref_track);\n\t\ttbas = (GF_TrackBox *)gf_list_get(mdia->mediaTrack->moov->trackList, ref_track-1);\n\t\tentry = gf_list_get(tbas->Media->information->sampleTable->SampleDescription->child_boxes, idx);\n\t}\n\n\n\tif (sample->IsRAP < SAP_TYPE_2) {\n\t\tif (mdia->information->sampleTable->no_sync_found || (!sample->IsRAP && check_cra_bla) ) {\n\t\t\tsample->IsRAP = is_sample_idr(mdia, sample, entry);\n\t\t}\n\t}\n\tif (!sample->IsRAP)\n\t\trewrite_ps = GF_FALSE;\n\n\tif (extractor_mode != GF_ISOM_NALU_EXTRACT_LAYER_ONLY)\n\t\tinsert_vdrd_code = GF_FALSE;\n\n\tif (!entry) return GF_BAD_PARAM;\n\n\t//this is a compatible HEVC, don't insert VDRD, insert NALU delim\n\tif (entry->lhvc_config && entry->hevc_config)\n\t\tinsert_vdrd_code = GF_FALSE;\n\n\tif (extractor_mode == GF_ISOM_NALU_EXTRACT_INSPECT) {\n\t\tif (!rewrite_ps && !rewrite_start_codes)\n\t\t\treturn GF_OK;\n\t}\n\n\tnal_unit_size_field = 0;\n\t/*if svc rewrite*/\n\tif (entry->svc_config && entry->svc_config->config)\n\t\tnal_unit_size_field = entry->svc_config->config->nal_unit_size;\n\t/*if mvc rewrite*/\n\tif (entry->mvc_config && entry->mvc_config->config)\n\t\tnal_unit_size_field = entry->mvc_config->config->nal_unit_size;\n\n\t/*if lhvc rewrite*/\n\telse if (entry->lhvc_config && entry->lhvc_config->config) {\n\t\tis_hevc = GF_TRUE;\n\t\tnal_unit_size_field = entry->lhvc_config->config->nal_unit_size;\n\t}\n\n\t/*otherwise do nothing*/\n\telse if (!rewrite_ps && !rewrite_start_codes && !scal && !force_sei_inspect) {\n\t\treturn GF_OK;\n\t}\n\n\tif (!nal_unit_size_field) {\n\t\tif (entry->avc_config && entry->avc_config->config)\n\t\t\tnal_unit_size_field = entry->avc_config->config->nal_unit_size;\n\t\telse if (entry->lhvc_config && entry->lhvc_config->config) {\n\t\t\tnal_unit_size_field = 
entry->lhvc_config->config->nal_unit_size;\n\t\t\tis_hevc = GF_TRUE;\n\t\t}\n\t\telse if (entry->hevc_config && entry->hevc_config->config) {\n\t\t\tnal_unit_size_field = entry->hevc_config->config->nal_unit_size;\n\t\t\tis_hevc = GF_TRUE;\n\t\t}\n\t}\n\n\tif (!nal_unit_size_field) return GF_ISOM_INVALID_FILE;\n\n\t//setup PS rewriter\n\tif (!mdia->nalu_ps_bs)\n\t\tmdia->nalu_ps_bs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\tgf_bs_seek(mdia->nalu_ps_bs, 0);\n\n\t//setup sample reader\n\tif (mdia->in_sample_buffer_allocdataLength) {\n\t\tmdia->in_sample_buffer_alloc = sample->dataLength;\n\t\tmdia->in_sample_buffer = gf_realloc(mdia->in_sample_buffer, sample->dataLength);\n\t}\n\tmemcpy(mdia->in_sample_buffer, sample->data, sample->dataLength);\n\n\tif (!mdia->nalu_parser) {\n\t\tmdia->nalu_parser = gf_bs_new(mdia->in_sample_buffer, sample->dataLength, GF_BITSTREAM_READ);\n\t\tif (!mdia->nalu_parser && sample->data) return GF_ISOM_INVALID_FILE;\n\t} else {\n\t\te = gf_bs_reassign_buffer(mdia->nalu_parser, mdia->in_sample_buffer, sample->dataLength);\n\t\tif (e) return e;\n\t}\n\t//setup ouput\n\tif (!mdia->nalu_out_bs) {\n\t\tu8 *output;\n\t\tu32 outSize;\n\t\tmdia->nalu_out_bs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\t\tgf_bs_get_content(mdia->nalu_out_bs, &output, &outSize);\n\t}\n\n\tgf_bs_reassign_buffer(mdia->nalu_out_bs, sample->data, sample->alloc_size ? 
sample->alloc_size : sample->dataLength);\n\n\t/*rewrite start code with NALU delim*/\n\tif (rewrite_start_codes) {\n\n\t\t//we are SVC, don't write NALU delim, only insert VDRD NALU\n\t\tif (insert_vdrd_code) {\n\t\t\tif (is_hevc) {\n\t\t\t\t//spec is not clear here, we don't insert an NALU AU delimiter before the layer starts since it breaks openHEVC\n//\t\t\t\tinsert_nalu_delim=0;\n\t\t\t} else {\n\t\t\t\tgf_bs_write_int(mdia->nalu_out_bs, 1, 32);\n\t\t\t\tgf_bs_write_int(mdia->nalu_out_bs, GF_AVC_NALU_VDRD , 8);\n\t\t\t\tinsert_nalu_delim=0;\n\t\t\t}\n\t\t}\n\n\t\t//AVC/HEVC base, insert NALU delim\n\t\tif (insert_nalu_delim) {\n\t\t\tgf_bs_write_int(mdia->nalu_out_bs, 1, 32);\n\t\t\tif (is_hevc) {\n#ifndef GPAC_DISABLE_HEVC\n\t\t\t\tgf_bs_write_int(mdia->nalu_out_bs, 0, 1);\n\t\t\t\tgf_bs_write_int(mdia->nalu_out_bs, GF_HEVC_NALU_ACCESS_UNIT, 6);\n\t\t\t\tgf_bs_write_int(mdia->nalu_out_bs, insert_vdrd_code ? 1 : 0, 6); //we should pick the layerID of the following nalus ...\n\t\t\t\tgf_bs_write_int(mdia->nalu_out_bs, 1, 3); //nuh_temporal_id_plus1 - cannot be 0, we use 1 by default, and overwrite it if needed at the end\n\n\t\t\t\t/*pic-type - by default we signal all slice types possible*/\n\t\t\t\tgf_bs_write_int(mdia->nalu_out_bs, 2, 3);\n\t\t\t\tgf_bs_write_int(mdia->nalu_out_bs, 0, 5);\n#endif\n\t\t\t} else {\n\t\t\t\tgf_bs_write_int(mdia->nalu_out_bs, (sample->data[0] & 0x60) | GF_AVC_NALU_ACCESS_UNIT, 8);\n\t\t\t\tgf_bs_write_int(mdia->nalu_out_bs, 0xF0 , 8); /*7 \"all supported NALUs\" (=111) + rbsp trailing (10000)*/;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (rewrite_ps) {\n\t\tBool has_vps = GF_FALSE;\n\t\t//in inspect mode or single-layer mode just use the xPS from this layer\n\t\tif (extractor_mode == GF_ISOM_NALU_EXTRACT_DEFAULT) {\n\t\t\tif (scal) {\n\t\t\t\tfor (i=0; itrackIDCount; i++) {\n\t\t\t\t\tGF_TrackBox *a_track = GetTrackbyID(mdia->mediaTrack->moov, scal->trackIDs[i]);\n\t\t\t\t\tGF_MPEGVisualSampleEntryBox *an_entry = NULL;\n\t\t\t\t\tif (a_track 
&& a_track->Media && a_track->Media->information && a_track->Media->information->sampleTable && a_track->Media->information->sampleTable->SampleDescription)\n\t\t\t\t\t\tan_entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(a_track->Media->information->sampleTable->SampleDescription->child_boxes, 0);\n\n\t\t\t\t\tif (an_entry)\n\t\t\t\t\t\tnalu_merge_ps(mdia->nalu_ps_bs, rewrite_start_codes, nal_unit_size_field, an_entry, is_hevc, &has_vps);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tnalu_merge_ps(mdia->nalu_ps_bs, rewrite_start_codes, nal_unit_size_field, entry, is_hevc, &has_vps);\n\n\n\t\tif (is_hevc) {\n\t\t\t/*little optimization if we are not asked to start codes: copy over the sample*/\n\t\t\tif (!rewrite_start_codes && !entry->lhvc_config && !scal) {\n\t\t\t\tif (! ps_transfered) {\n\t\t\t\t\tnal_type = (sample->data[nal_unit_size_field] & 0x7E) >> 1;\n\t\t\t\t\t//temp fix - if we detect xPS in the beginning of the sample do NOT copy the ps bitstream\n\t\t\t\t\t//this is not correct since we are not sure whether they are the same xPS or not, but it crashes openHEVC ...\n\t\t\t\t\tswitch (nal_type) {\n#ifndef GPAC_DISABLE_HEVC\n\t\t\t\t\tcase GF_HEVC_NALU_VID_PARAM:\n\t\t\t\t\tcase GF_HEVC_NALU_SEQ_PARAM:\n\t\t\t\t\tcase GF_HEVC_NALU_PIC_PARAM:\n\t\t\t\t\t\tbreak;\n#endif\n\t\t\t\t\tdefault:\n\t\t\t\t\t\tgf_bs_transfer(mdia->nalu_out_bs, mdia->nalu_ps_bs, GF_TRUE);\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tgf_bs_write_data(mdia->nalu_out_bs, mdia->in_sample_buffer, sample->dataLength);\n\t\t\t\tgf_bs_get_content_no_truncate(mdia->nalu_out_bs, &sample->data, &sample->dataLength, &sample->alloc_size);\n\n\t\t\t\treturn GF_OK;\n\t\t\t}\n\t\t}\n\t} else {\n\t\tps_transfered = GF_TRUE;\n\t}\n\n\t/*little optimization if we are not asked to rewrite extractors or start codes: copy over the sample*/\n\tif (!scal && !rewrite_start_codes && !rewrite_ps && !force_sei_inspect) {\n\t\tif (! 
ps_transfered)\n\t\t{\n\t\t\tgf_bs_transfer(mdia->nalu_out_bs, mdia->nalu_ps_bs, GF_TRUE);\n\t\t}\n\t\tgf_bs_write_data(mdia->nalu_out_bs, mdia->in_sample_buffer, sample->dataLength);\n\t\tgf_bs_get_content_no_truncate(mdia->nalu_out_bs, &sample->data, &sample->dataLength, &sample->alloc_size);\n\t\treturn GF_OK;\n\t}\n\n\tif (!mdia->tmp_nal_copy_buffer) {\n\t\tmdia->tmp_nal_copy_buffer = gf_malloc(sizeof(char) * 4096);\n\t\tmdia->tmp_nal_copy_buffer_alloc = 4096;\n\t}\n\n\n\twhile (gf_bs_available(mdia->nalu_parser)) {\n\t\tnal_size = gf_bs_read_int(mdia->nalu_parser, 8*nal_unit_size_field);\n\t\tif (gf_bs_get_position(mdia->nalu_parser) + nal_size > sample->dataLength) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CODING, (\"Sample %u (size %u) rewrite: corrupted NAL Unit (size %u)\\n\", sampleNumber, sample->dataLength, nal_size));\n\t\t\tgoto exit;\n\t\t}\n\t\tif (nal_size > mdia->tmp_nal_copy_buffer_alloc) {\n\t\t\tmdia->tmp_nal_copy_buffer_alloc = nal_size;\n\t\t\tmdia->tmp_nal_copy_buffer = (char*) gf_realloc(mdia->tmp_nal_copy_buffer, sizeof(char)*nal_size);\n\t\t}\n\t\tif (is_hevc) {\n\t\t\tnal_hdr = gf_bs_read_u16(mdia->nalu_parser);\n\t\t\tnal_type = (nal_hdr&0x7E00) >> 9;\n\t\t} else {\n\t\t\tnal_hdr = gf_bs_read_u8(mdia->nalu_parser);\n\t\t\tnal_type = nal_hdr & 0x1F;\n\t\t}\n\n\t\tif (is_hevc) {\n#ifndef GPAC_DISABLE_HEVC\n\t\t\tGF_BitStream *write_to_bs = mdia->nalu_out_bs;\n#endif\n\n\t\t\tif (!ps_transfered) {\n\t\t\t\tgf_bs_transfer(mdia->nalu_out_bs, mdia->nalu_ps_bs, GF_TRUE);\n\t\t\t\tps_transfered = GF_TRUE;\n\t\t\t}\n\n#ifndef GPAC_DISABLE_HEVC\n\t\t\t/*we already wrote this stuff*/\n\t\t\tif (nal_type==GF_HEVC_NALU_ACCESS_UNIT) {\n\t\t\t\tgf_bs_skip_bytes(mdia->nalu_parser, nal_size-2);\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tswitch (nal_type) {\n\t\t\t//extractor\n\t\t\tcase 49:\n\t\t\t\te = process_extractor(file, mdia, sampleNumber, sample->DTS, nal_size, nal_hdr, nal_unit_size_field, GF_TRUE, rewrite_ps, rewrite_start_codes, 
extractor_mode);\n\t\t\t\tif (e) goto exit;\n\t\t\t\tbreak;\n\n\t\t\tcase GF_HEVC_NALU_SLICE_TSA_N:\n\t\t\tcase GF_HEVC_NALU_SLICE_STSA_N:\n\t\t\tcase GF_HEVC_NALU_SLICE_TSA_R:\n\t\t\tcase GF_HEVC_NALU_SLICE_STSA_R:\n\t\t\t\tif (temporal_id < (nal_hdr & 0x7))\n\t\t\t\t\ttemporal_id = (nal_hdr & 0x7);\n\t\t\t\t/*rewrite nal*/\n\t\t\t\tgf_bs_read_data(mdia->nalu_parser, mdia->tmp_nal_copy_buffer, nal_size-2);\n\t\t\t\tif (rewrite_start_codes)\n\t\t\t\t\tgf_bs_write_u32(mdia->nalu_out_bs, 1);\n\t\t\t\telse\n\t\t\t\t\tgf_bs_write_int(mdia->nalu_out_bs, nal_size, 8*nal_unit_size_field);\n\n\t\t\t\tgf_bs_write_u16(mdia->nalu_out_bs, nal_hdr);\n\t\t\t\tgf_bs_write_data(mdia->nalu_out_bs, mdia->tmp_nal_copy_buffer, nal_size-2);\n\t\t\t\tbreak;\n\n\t\t\tcase GF_HEVC_NALU_SLICE_BLA_W_LP:\n\t\t\tcase GF_HEVC_NALU_SLICE_BLA_W_DLP:\n\t\t\tcase GF_HEVC_NALU_SLICE_BLA_N_LP:\n\t\t\tcase GF_HEVC_NALU_SLICE_IDR_W_DLP:\n\t\t\tcase GF_HEVC_NALU_SLICE_IDR_N_LP:\n\t\t\tcase GF_HEVC_NALU_SLICE_CRA:\n\t\t\t\t//insert xPS before CRA/BLA\n\t\t\t\tif (check_cra_bla && !sample->IsRAP) {\n\t\t\t\t\tsample->IsRAP = sap_type_from_nal_type(nal_type);\n\t\t\t\t\tif (sei_suffix_bs) gf_bs_del(sei_suffix_bs);\n\t\t\t\t\treturn gf_isom_nalu_sample_rewrite(mdia, sample, sampleNumber, entry);\n\t\t\t\t}\n\t\t\tdefault:\n\t\t\t\t/*rewrite nal*/\n\t\t\t\tif (nal_size<2) {\n\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Invalid nal size %d in sample %d\\n\", nal_type, sampleNumber));\n\t\t\t\t\te = GF_NON_COMPLIANT_BITSTREAM;\n\t\t\t\t\tgoto exit;\n\t\t\t\t}\n\n\t\t\t\tgf_bs_read_data(mdia->nalu_parser, mdia->tmp_nal_copy_buffer, nal_size-2);\n\n\t\t\t\tif (nal_type==GF_HEVC_NALU_SEI_SUFFIX) {\n\t\t\t\t\tif (!sei_suffix_bs) sei_suffix_bs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\t\t\t\t\twrite_to_bs = sei_suffix_bs;\n\t\t\t\t}\n\n\t\t\t\tif (rewrite_start_codes)\n\t\t\t\t\tgf_bs_write_u32(write_to_bs, 1);\n\t\t\t\telse\n\t\t\t\t\tgf_bs_write_int(write_to_bs, nal_size, 
8*nal_unit_size_field);\n\n\t\t\t\tgf_bs_write_u16(write_to_bs, nal_hdr);\n\t\t\t\tgf_bs_write_data(write_to_bs, mdia->tmp_nal_copy_buffer, nal_size-2);\n\t\t\t}\n#endif\n\n\t\t\t//done with HEVC\n\t\t\tcontinue;\n\t\t}\n\n\t\tswitch(nal_type) {\n\t\tcase GF_AVC_NALU_ACCESS_UNIT:\n\t\t\t/*we already wrote this stuff*/\n\t\t\tgf_bs_skip_bytes(mdia->nalu_parser, nal_size-1);\n\t\t\tcontinue;\n\t\t//extractor\n\t\tcase 31:\n\t\t\te = process_extractor(file, mdia, sampleNumber, sample->DTS, nal_size, nal_hdr, nal_unit_size_field, GF_FALSE, rewrite_ps, rewrite_start_codes, extractor_mode);\n\t\t\tif (e) goto exit;\n\t\t\tbreak;\n//\t\t\tcase GF_AVC_NALU_SEI:\n\t\tcase GF_AVC_NALU_SEQ_PARAM:\n\t\tcase GF_AVC_NALU_PIC_PARAM:\n\t\tcase GF_AVC_NALU_SEQ_PARAM_EXT:\n\t\tcase GF_AVC_NALU_SVC_SUBSEQ_PARAM:\n\t\t\t// we will rewrite the sps/pps if and only if there is no sps/pps in bistream\n\t\t\tif (!ps_transfered) {\n\t\t\t\tps_transfered = GF_TRUE;\n\t\t\t}\n\t\tdefault:\n\t\t\tif (!ps_transfered) {\n\t\t\t\tgf_bs_transfer(mdia->nalu_out_bs, mdia->nalu_ps_bs, GF_TRUE);\n\t\t\t\tps_transfered = GF_TRUE;\n\t\t\t}\n\t\t\tgf_bs_read_data(mdia->nalu_parser, mdia->tmp_nal_copy_buffer, nal_size-1);\n\t\t\tif (rewrite_start_codes)\n\t\t\t\tgf_bs_write_u32(mdia->nalu_out_bs, 1);\n\t\t\telse\n\t\t\t\tgf_bs_write_int(mdia->nalu_out_bs, nal_size, 8*nal_unit_size_field);\n\n\t\t\tgf_bs_write_u8(mdia->nalu_out_bs, nal_hdr);\n\t\t\tgf_bs_write_data(mdia->nalu_out_bs, mdia->tmp_nal_copy_buffer, nal_size-1);\n\t\t}\n\t}\n\n\tif (sei_suffix_bs) {\n\t\tgf_bs_transfer(mdia->nalu_out_bs, sei_suffix_bs, GF_FALSE);\n\t}\n\t/*done*/\n\tgf_bs_get_content_no_truncate(mdia->nalu_out_bs, &sample->data, &sample->dataLength, &sample->alloc_size);\n\n\t/*rewrite temporal ID of AU Ddelim NALU (first one)*/\n\tif (rewrite_start_codes && is_hevc && temporal_id) {\n\t\tsample->data[6] = (sample->data[6] & 0xF8) | (temporal_id+1);\n\t}\n\n\nexit:\n\tif (sei_suffix_bs)\n\t\tgf_bs_del(sei_suffix_bs);\n\n\treturn 
e;\n}", "project": "gpac", "hash": 25000189813976529662728255216755627095, "size": 443, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237567 }, { "func": "}\n\nGF_Err dump_isom_udta(GF_ISOFile *file, char *inName, Bool is_final_name, u32 dump_udta_type, u32 dump_udta_track)\n{\n\tu8 *data;\n\tFILE *t;\n\tbin128 uuid;\n\tu32 count, res;\n\tGF_Err e;\n\n\tmemset(uuid, 0, 16);\n\tcount = gf_isom_get_user_data_count(file, dump_udta_track, dump_udta_type, uuid);\n\tif (!count) {\n\t\tM4_LOG(GF_LOG_ERROR, (\"No UDTA for type %s found\\n\", gf_4cc_to_str(dump_udta_type) ));\n\t\treturn GF_NOT_FOUND;\n\t}\n\n\tdata = NULL;\n\tcount = 0;\n\te = gf_isom_get_user_data(file, dump_udta_track, dump_udta_type, uuid, 0, &data, &count);\n\tif (e) {\n\t\tM4_LOG(GF_LOG_ERROR, (\"Error dumping UDTA %s: %s\\n\", gf_4cc_to_str(dump_udta_type), gf_error_to_string(e) ));\n\t\treturn e;\n\t}\n\tif (inName) {\n\t\tchar szName[1024];\n\t\tif (is_final_name)\n\t\t\tstrcpy(szName, inName);\n\t\telse\n\t\t\tsprintf(szName, \"%s_%s.udta\", inName, gf_4cc_to_str(dump_udta_type) );\n\n\t\tt = gf_fopen(szName, \"wb\");\n\t\tif (!t) {\n\t\t\tgf_free(data);\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Cannot open file %s\\n\", szName ));\n\t\t\treturn GF_IO_ERR;\n\t\t}\n\t} else {\n\t\tt = stdout;\n\t}\n\tres = (u32) gf_fwrite(data+8, count-8, t);\n\tif (inName) gf_fclose(t);\n\tgf_free(data);\n\tif (count-8 != res) {\n\t\tM4_LOG(GF_LOG_ERROR, (\"Error writing udta to file\\n\"));\n\t\treturn GF_IO_ERR;\n\t}", "project": "gpac", "hash": 115093519312369608573959709992851739119, "size": 47, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243201 }, { "func": "}\n\nGF_Err dump_isom_udta(GF_ISOFile *file, char *inName, Bool is_final_name, u32 dump_udta_type, u32 dump_udta_track)\n{\n\tu8 *data;\n\tFILE *t;\n\tbin128 uuid;\n\tu32 count, res;\n\tGF_Err 
e;\n\n\tmemset(uuid, 0, 16);\n\tcount = gf_isom_get_user_data_count(file, dump_udta_track, dump_udta_type, uuid);\n\tif (!count) {\n\t\tfprintf(stderr, \"No UDTA for type %s found\\n\", gf_4cc_to_str(dump_udta_type) );\n\t\treturn GF_OK;\n\t}\n\n\tdata = NULL;\n\tcount = 0;\n\te = gf_isom_get_user_data(file, dump_udta_track, dump_udta_type, uuid, 0, &data, &count);\n\tif (e) {\n\t\tfprintf(stderr, \"Error dumping UDTA %s: %s\\n\", gf_4cc_to_str(dump_udta_type), gf_error_to_string(e) );\n\t\treturn e;\n\t}\n\tif (inName) {\n\t\tchar szName[1024];\n\t\tif (is_final_name)\n\t\t\tstrcpy(szName, inName);\n\t\telse\n\t\t\tsprintf(szName, \"%s_%s.udta\", inName, gf_4cc_to_str(dump_udta_type) );\n\n\t\tt = gf_fopen(szName, \"wb\");\n\t\tif (!t) {\n\t\t\tgf_free(data);\n\t\t\tfprintf(stderr, \"Cannot open file %s\\n\", szName );\n\t\t\treturn GF_IO_ERR;\n\t\t}\n\t} else {\n\t\tt = stdout;\n\t}\n\tres = (u32) gf_fwrite(data+8, count-8, t);\n\tif (inName) gf_fclose(t);\n\tgf_free(data);\n\tif (count-8 != res) {\n\t\tfprintf(stderr, \"Error writing udta to file\\n\");\n\t\treturn GF_IO_ERR;\n\t}", "project": "gpac", "hash": 202523309049712800624140619896006589492, "size": 47, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249527 }, { "func": "GF_Err gf_isom_get_adobe_protection_info(GF_ISOFile *the_file, u32 trackNumber, u32 sampleDescriptionIndex, u32 *outOriginalFormat, u32 *outSchemeType, u32 *outSchemeVersion, const char **outMetadata)\n{\n\tGF_TrackBox *trak;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tsinf = isom_get_sinf_entry(trak, sampleDescriptionIndex, GF_ISOM_ADOBE_SCHEME, NULL);\n\n\tif (!sinf) return GF_BAD_PARAM;\n\n\tif (outOriginalFormat) {\n\t\t*outOriginalFormat = sinf->original_format->data_format;\n\t\tif (IsMP4Description(sinf->original_format->data_format)) *outOriginalFormat = 
GF_ISOM_SUBTYPE_MPEG4;\n\t}\n\tif (outSchemeType) *outSchemeType = sinf->scheme_type->scheme_type;\n\tif (outSchemeVersion) *outSchemeVersion = sinf->scheme_type->scheme_version;\n\n\tif (outMetadata) {\n\t\t*outMetadata = NULL;\n\t\tif (sinf->info && sinf->info->adkm && sinf->info->adkm->header && sinf->info->adkm->header->std_enc_params && sinf->info->adkm->header->std_enc_params->key_info\n\t\t\t&& sinf->info->adkm->header->std_enc_params->key_info->params && sinf->info->adkm->header->std_enc_params->key_info->params->metadata)\n\t\t{\n\t\t\t*outMetadata = sinf->info->adkm->header->std_enc_params->key_info->params->metadata;\n\t\t}\n\t}\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 84546501229484347423105188724324096803, "size": 30, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275413 }, { "func": "GF_EXPORT\nGF_Err gf_isom_get_sample_cenc_info(GF_ISOFile *movie, u32 track, u32 sample_number, Bool *IsEncrypted, u8 *crypt_byte_block, u8 *skip_byte_block, const u8 **key_info, u32 *key_info_size)\n{\n\tGF_TrackBox *trak = gf_isom_get_track_from_file(movie, track);\n\tGF_SampleEncryptionBox *senc = trak->sample_encryption;\n\n\treturn gf_isom_get_sample_cenc_info_internal(trak, NULL, senc, sample_number, IsEncrypted, crypt_byte_block, skip_byte_block, key_info, key_info_size);", "project": "gpac", "hash": 60274210469860677820276968240022994513, "size": 7, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246842 }, { "func": "GF_Err SetTrackDuration(GF_TrackBox *trak)\n{\n\tu64 trackDuration;\n\tu32 i;\n\tGF_Err e;\n\n\t//the total duration is the media duration: adjust it in case...\n\te = Media_SetDuration(trak);\n\tif (e) return e;\n\n\t//assert the timeScales are non-NULL\n\tif (!trak->moov->mvhd || !trak->moov->mvhd->timeScale || !trak->Media->mediaHeader->timeScale) return 
GF_ISOM_INVALID_FILE;\n\ttrackDuration = (trak->Media->mediaHeader->duration * trak->moov->mvhd->timeScale) / trak->Media->mediaHeader->timeScale;\n\n\t//if we have an edit list, the duration is the sum of all the editList\n\t//entries' duration (always expressed in MovieTimeScale)\n\tif (trak->editBox && trak->editBox->editList) {\n\t\tGF_EdtsEntry *ent;\n\t\tGF_EditListBox *elst = trak->editBox->editList;\n\t\ttrackDuration = 0;\n\t\ti=0;\n\t\twhile ((ent = (GF_EdtsEntry*)gf_list_enum(elst->entryList, &i))) {\n\t\t\ttrackDuration += ent->segmentDuration;\n\t\t}\n\t}\n\tif (!trackDuration) {\n\t\ttrackDuration = (trak->Media->mediaHeader->duration * trak->moov->mvhd->timeScale) / trak->Media->mediaHeader->timeScale;\n\t}\n\tif (!trak->Header) {\n\t\treturn GF_OK;\n\t}\n\ttrak->Header->duration = trackDuration;\n\tif (!trak->moov->mov->keep_utc && !gf_sys_is_test_mode() )\n\t\ttrak->Header->modificationTime = gf_isom_get_mp4time();\n\treturn GF_OK;\n}", "project": "gpac", "hash": 325114360995577539480848294311473923545, "size": 36, "commit_id": "df8fffd839fe5ae9acd82d26fd48280a397411d9", "message": "fixed #1736", "target": 0, "dataset": "other", "idx": 272322 }, { "func": "u32 gf_isom_new_track_from_template(GF_ISOFile *movie, GF_ISOTrackID trakID, u32 MediaType, u32 TimeScale, u8 *tk_box, u32 tk_box_size, Bool udta_only)\n{\n\tGF_Err e;\n\tu64 now;\n\tu8 isHint;\n\tGF_TrackBox *trak;\n\tGF_TrackHeaderBox *tkhd;\n\tGF_MediaBox *mdia;\n\tGF_UserDataBox *udta = NULL;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) {\n\t\tgf_isom_set_last_error(movie, e);\n\t\treturn 0;\n\t}\n\te = gf_isom_insert_moov(movie);\n\tif (e) return e;\n\n\n\tisHint = 0;\n\t//we're creating a hint track... 
it's the same, but mode HAS TO BE EDIT\n\tif (MediaType == GF_ISOM_MEDIA_HINT) {\n//\t\tif (movie->openMode != GF_ISOM_OPEN_EDIT) return 0;\n\t\tisHint = 1;\n\t}\n\n\tmdia = NULL;\n\ttkhd = NULL;\n\ttrak = NULL;\n\tif (trakID) {\n\t\t//check if we are in ES_ID boundaries\n\t\tif (!isHint && (trakID > 0xFFFF)) {\n\t\t\tgf_isom_set_last_error(movie, GF_BAD_PARAM);\n\t\t\treturn 0;\n\t\t}\n\t\t//here we should look for available IDs ...\n\t\tif (!RequestTrack(movie->moov, trakID)) return 0;\n\t} else {\n\t\ttrakID = movie->moov->mvhd->nextTrackID;\n\t\tif (!trakID) trakID = 1;\n\t\t/*ESIDs are on 16 bits*/\n\t\tif (! isHint && (trakID > 0xFFFF)) trakID = 1;\n\n\t\twhile (1) {\n\t\t\tif (RequestTrack(movie->moov, trakID)) break;\n\t\t\ttrakID += 1;\n\t\t\tif (trakID == 0xFFFFFFFF) break;\n\t\t}\n\t\tif (trakID == 0xFFFFFFFF) {\n\t\t\tgf_isom_set_last_error(movie, GF_BAD_PARAM);\n\t\t\treturn 0;\n\t\t}\n\t\tif (! isHint && (trakID > 0xFFFF)) {\n\t\t\tgf_isom_set_last_error(movie, GF_BAD_PARAM);\n\t\t\treturn 0;\n\t\t}\n\t}\n\n\tif (tk_box) {\n\t\tGF_BitStream *bs = gf_bs_new(tk_box, tk_box_size, GF_BITSTREAM_READ);\n\t\tgf_bs_set_cookie(bs, GF_ISOM_BS_COOKIE_NO_LOGS|GF_ISOM_BS_COOKIE_CLONE_TRACK);\n\n\t\te = gf_isom_box_parse_ex((GF_Box**)&trak, bs, GF_ISOM_BOX_TYPE_MOOV, GF_FALSE);\n\t\tgf_bs_del(bs);\n\t\tif (e) trak = NULL;\n\t\telse if (udta_only) {\n\t\t\tudta = trak->udta;\n\t\t\ttrak->udta = NULL;\n\t\t\tgf_isom_box_del((GF_Box*)trak);\n\t\t} else {\n\t\t\tBool tpl_ok = GF_TRUE;\n\t\t\tif (!trak->Header || !trak->Media || !trak->Media->handler || !trak->Media->mediaHeader || !trak->Media->information) tpl_ok = GF_FALSE;\n\n\t\t\telse {\n\t\t\t\tif (!MediaType) MediaType = trak->Media->handler->handlerType;\n\t\t\t\te = NewMedia(&trak->Media, MediaType, TimeScale);\n\t\t\t\tif (e) tpl_ok = GF_FALSE;\n\t\t\t}\n\t\t\tif (!tpl_ok) {\n\t\t\t\tudta = trak->udta;\n\t\t\t\ttrak->udta = NULL;\n\t\t\t\tgf_isom_box_del((GF_Box*)trak);\n\t\t\t}\n\t\t}\n\t}\n\tnow = 
gf_isom_get_mp4time();\n\tif (!trak) {\n\t\t//OK, now create a track...\n\t\ttrak = (GF_TrackBox *) gf_isom_box_new_parent(&movie->moov->child_boxes, GF_ISOM_BOX_TYPE_TRAK);\n\t\tif (!trak) {\n\t\t\tgf_isom_set_last_error(movie, GF_OUT_OF_MEM);\n\t\t\treturn 0;\n\t\t}\n\t\ttkhd = (GF_TrackHeaderBox *) gf_isom_box_new_parent(&trak->child_boxes, GF_ISOM_BOX_TYPE_TKHD);\n\t\tif (!tkhd) {\n\t\t\tgf_isom_set_last_error(movie, GF_OUT_OF_MEM);\n\t\t\treturn 0;\n\t\t}\n\n\t\t//OK, set up the media trak\n\t\te = NewMedia(&mdia, MediaType, TimeScale);\n\t\tif (e) {\n\t\t\tgf_isom_box_del((GF_Box *)mdia);\n\t\t\treturn 0;\n\t\t}\n\t\tassert(trak->child_boxes);\n\t\tgf_list_add(trak->child_boxes, mdia);\n\n\t\t//OK, add this media to our track\n\t\tmdia->mediaTrack = trak;\n\n\t\te = trak_on_child_box((GF_Box*)trak, (GF_Box *) tkhd, GF_FALSE);\n\t\tif (e) goto err_exit;\n\t\te = trak_on_child_box((GF_Box*)trak, (GF_Box *) mdia, GF_FALSE);\n\t\tif (e) goto err_exit;\n\t\ttkhd->trackID = trakID;\n\n\t\tif (gf_sys_is_test_mode() ) {\n\t\t\ttkhd->creationTime = 0;\n\t\t\tmdia->mediaHeader->creationTime = 0;\n\t\t} else {\n\t\t\ttkhd->creationTime = now;\n\t\t\tmdia->mediaHeader->creationTime = now;\n\t\t}\n\n\t} else {\n\t\ttkhd = trak->Header;\n\t\ttkhd->trackID = trakID;\n\t\tmdia = trak->Media;\n\t\tmdia->mediaTrack = trak;\n\t\tmdia->mediaHeader->timeScale = TimeScale;\n\t\tif (mdia->handler->handlerType != MediaType) {\n\t\t\tmdia->handler->handlerType = MediaType;\n\t\t\ttkhd->width = 0;\n\t\t\ttkhd->height = 0;\n\t\t\ttkhd->volume = 0;\n\t\t} else {\n\t\t\tMediaType = 0;\n\t\t}\n\t\ttrak->Header->duration = 0;\n\t\tmdia->mediaHeader->duration = 0;\n\n\t\tif (!movie->moov->child_boxes) movie->moov->child_boxes = gf_list_new();\n\t\tgf_list_add(movie->moov->child_boxes, trak);\n\t}\n\tif (MediaType) {\n\t\t//some default properties for Audio, Visual or private tracks\n\t\tswitch (MediaType) {\n\t\tcase GF_ISOM_MEDIA_VISUAL:\n\t\tcase GF_ISOM_MEDIA_AUXV:\n\t\tcase 
GF_ISOM_MEDIA_PICT:\n\t\tcase GF_ISOM_MEDIA_SCENE:\n\t\tcase GF_ISOM_MEDIA_TEXT:\n\t\tcase GF_ISOM_MEDIA_SUBT:\n\t\t\t/*320-240 pix in 16.16*/\n\t\t\ttkhd->width = 0x01400000;\n\t\t\ttkhd->height = 0x00F00000;\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_AUDIO:\n\t\t\ttkhd->volume = 0x0100;\n\t\t\tbreak;\n\t\t}\n\t}\n\tmovie->last_created_track_id = tkhd->trackID;\n\t\n\tif (!movie->keep_utc && !gf_sys_is_test_mode() ) {\n\t\ttkhd->modificationTime = now;\n\t \tmdia->mediaHeader->modificationTime = now;\n\t}\n\n\t//OK, add our trak\n\te = moov_on_child_box((GF_Box*)movie->moov, (GF_Box *)trak, GF_FALSE);\n\tif (e) goto err_exit;\n\t//set the new ID available\n\tif (trakID+1> movie->moov->mvhd->nextTrackID)\n\t\tmovie->moov->mvhd->nextTrackID = trakID+1;\n\n\ttrak->udta = udta;\n\n\t//and return our track number\n\treturn gf_isom_get_track_by_id(movie, trakID);\n\nerr_exit:\n\t//tkhd is registered with track and will be destroyed there\n\tif (trak) gf_isom_box_del((GF_Box *)trak);\n\tif (mdia) gf_isom_box_del((GF_Box *)mdia);\n\treturn 0;\n}", "project": "gpac", "hash": 227476981457289677886004392348333971039, "size": 188, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267264 }, { "func": "GF_Err gf_isom_set_ismacryp_protection(GF_ISOFile *the_file, u32 trackNumber, u32 desc_index, u32 scheme_type,\n u32 scheme_version, char *scheme_uri, char *kms_URI,\n Bool selective_encryption, u32 KI_length, u32 IV_length)\n{\n\tGF_Err e;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\n\t//setup generic protection\n\te = isom_set_protected_entry(the_file, trackNumber, desc_index, 0, 0, scheme_type, scheme_version, NULL, GF_TRUE, &sinf);\n\tif (e) return e;\n\n\tif (scheme_uri) {\n\t\tsinf->scheme_type->flags |= 0x000001;\n\t\tsinf->scheme_type->URI = gf_strdup(scheme_uri);\n\t}\n\n\tsinf->info->ikms = (GF_ISMAKMSBox *)gf_isom_box_new_parent(&sinf->info->child_boxes, GF_ISOM_BOX_TYPE_IKMS);\n\tif (!sinf->info->ikms) 
return GF_OUT_OF_MEM;\n\tsinf->info->ikms->URI = gf_strdup(kms_URI);\n\tif (!sinf->info->ikms->URI) return GF_OUT_OF_MEM;\n\n\tsinf->info->isfm = (GF_ISMASampleFormatBox *)gf_isom_box_new_parent(&sinf->info->child_boxes, GF_ISOM_BOX_TYPE_ISFM);\n\tif (!sinf->info->isfm) return GF_OUT_OF_MEM;\n\n\tsinf->info->isfm->selective_encryption = selective_encryption;\n\tsinf->info->isfm->key_indicator_length = KI_length;\n\tsinf->info->isfm->IV_length = IV_length;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 32236071724633460018693381591573135796, "size": 29, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275428 }, { "func": "GF_Err stbl_SetSampleRAP(GF_SyncSampleBox *stss, u32 SampleNumber, u8 isRAP)\n{\n\tu32 i;\n\n\t//check if we have already a sync sample\n\tfor (i = 0; i < stss->nb_entries; i++) {\n\n\t\tif (stss->sampleNumbers[i] < SampleNumber) continue;\n\t\telse if (stss->sampleNumbers[i] > SampleNumber) break;\n\n\t\t/*found our sample number*/\n\t\tif (isRAP) return GF_OK;\n\t\t/*remove it...*/\n\t\tif (i+1 < stss->nb_entries)\n\t\t\tmemmove(stss->sampleNumbers + i, stss->sampleNumbers + i + 1, sizeof(u32) * (stss->nb_entries - i - 1));\n\t\tstss->nb_entries--;\n\t\treturn GF_OK;\n\t}\n\t//we need to insert a RAP somewhere if RAP ...\n\tif (!isRAP) return GF_OK;\n\tif (stss->nb_entries==stss->alloc_size) {\n\t\tALLOC_INC(stss->alloc_size);\n\t\tstss->sampleNumbers = gf_realloc(stss->sampleNumbers, sizeof(u32)*stss->alloc_size);\n\t\tif (!stss->sampleNumbers) return GF_OUT_OF_MEM;\n\t\tmemset(&stss->sampleNumbers[stss->nb_entries], 0, sizeof(u32)*(stss->alloc_size - stss->nb_entries) );\n\t}\n\n\tif (i+1 < stss->nb_entries)\n\t\tmemmove(stss->sampleNumbers + i + 1, stss->sampleNumbers + i, sizeof(u32) * (stss->nb_entries - i - 1));\n\tstss->sampleNumbers[i] = SampleNumber;\n\tstss->nb_entries ++;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 248823075978837714722798639067976964580, 
"size": 33, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267880 }, { "func": "\n\nstatic void print_config_hash(GF_List *xps_array, char *szName)\n{\n\tu32 i, j;\n\tu8 hash[20];\n\tfor (i=0; idata, slc->size, hash);\n\t\tfprintf(stderr, \"\\t%s#%d hash: \", szName, i+1);\n\t\tfor (j=0; j<20; j++) fprintf(stderr, \"%02X\", hash[j]);\n\t\tfprintf(stderr, \"\\n\");", "project": "gpac", "hash": 177956667452481562883337272937596545458, "size": 12, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243192 }, { "func": "\n\nstatic void print_config_hash(GF_List *xps_array, char *szName)\n{\n\tu32 i, j;\n\tu8 hash[20];\n\tfor (i=0; idata, slc->size, hash);\n\t\tfprintf(stderr, \"\\t%s#%d hash: \", szName, i+1);\n\t\tfor (j=0; j<20; j++) fprintf(stderr, \"%02X\", hash[j]);\n\t\tfprintf(stderr, \"\\n\");", "project": "gpac", "hash": 264526618830598711225203537326136086875, "size": 12, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249528 }, { "func": "GF_EXPORT\nu32 gf_isom_get_nalu_length_field(GF_ISOFile *file, u32 track, u32 StreamDescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_SampleEntryBox *entry;\n\tGF_MPEGVisualSampleEntryBox *ve;\n\tGF_SampleDescriptionBox *stsd;\n\n\ttrak = gf_isom_get_track_from_file(file, track);\n\tif (!trak) {\n\t\tfile->LastError = GF_BAD_PARAM;\n\t\treturn 0;\n\t}\n\n\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\tif (!stsd || !StreamDescriptionIndex || StreamDescriptionIndex > gf_list_count(stsd->child_boxes)) {\n\t\tfile->LastError = GF_BAD_PARAM;\n\t\treturn 0;\n\t}\n\n\tentry = (GF_SampleEntryBox *)gf_list_get(stsd->child_boxes, StreamDescriptionIndex - 1);\n\t//no support for generic sample entries (eg, no MPEG4 descriptor)\n\tif (!entry || ! 
gf_isom_is_nalu_based_entry(trak->Media, entry)) {\n\t\tfile->LastError = GF_BAD_PARAM;\n\t\treturn 0;\n\t}\n\n\tve = (GF_MPEGVisualSampleEntryBox*)entry;\n\tif (ve->avc_config) return ve->avc_config->config->nal_unit_size;\n\tif (ve->svc_config) return ve->svc_config->config->nal_unit_size;\n\tif (ve->hevc_config) return ve->hevc_config->config->nal_unit_size;\n\tif (ve->lhvc_config) return ve->lhvc_config->config->nal_unit_size;\n\treturn 0;", "project": "gpac", "hash": 48679197726160863484697671068479959186, "size": 33, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246807 }, { "func": "Bool gf_isom_is_omadrm_media(GF_ISOFile *the_file, u32 trackNumber, u32 sampleDescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_FALSE;\n\n\tsinf = isom_get_sinf_entry(trak, sampleDescriptionIndex, GF_ISOM_OMADRM_SCHEME, NULL);\n\tif (!sinf) return GF_FALSE;\n\n\t/*non-encrypted or non-OMA*/\n\tif (!sinf->info || !sinf->info->odkm || !sinf->info->odkm->hdr)\n\t\treturn GF_FALSE;\n\n\treturn GF_TRUE;\n}", "project": "gpac", "hash": 111691369625685242280503418766233747348, "size": 17, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275401 }, { "func": "GF_EXPORT\nGF_Err gf_isom_get_jp2_config(GF_ISOFile *movie, u32 trackNumber, u32 sampleDesc, u8 **out_dsi, u32 *out_size)\n{\n\tGF_TrackBox *trak;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\tGF_BitStream *bs;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak || !trak->Media || !trak->Media->information || !trak->Media->information->sampleTable || !trak->Media->information->sampleTable->SampleDescription) return GF_ISOM_INVALID_FILE;\n\tentry = (GF_MPEGVisualSampleEntryBox *) 
gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, sampleDesc-1);\n\tif (!entry || !entry->jp2h) return GF_BAD_PARAM;\n\tif (!entry->jp2h->ihdr) return GF_ISOM_INVALID_FILE;\n\n\tbs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\tgf_isom_box_array_write((GF_Box*)entry->jp2h, entry->jp2h->child_boxes, bs);\n\tgf_bs_get_content(bs, out_dsi, out_size);\n\tgf_bs_del(bs);\n\treturn GF_OK;", "project": "gpac", "hash": 76774208448600671477248247504620832262, "size": 18, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246791 }, { "func": "GF_Err gf_isom_box_write(GF_Box *a, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tu64 pos = gf_bs_get_position(bs);\n\tif (!a) return GF_BAD_PARAM;\n\tif (a->registry->disabled) return GF_OK;\n\te = gf_isom_box_write_listing(a, bs);\n\tif (e) return e;\n\tif (a->other_boxes) {\n\t\te = gf_isom_box_array_write(a, a->other_boxes, bs);\n\t}\n\tpos = gf_bs_get_position(bs) - pos;\n\tif (pos != a->size) {\n\t\tif ((a->type==GF_ISOM_BOX_TYPE_MDAT) || (a->type==GF_ISOM_BOX_TYPE_IDAT)) {\n\n\t\t} else {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Box %s wrote \"LLU\" bytes but size is \"LLU\"\\n\", gf_4cc_to_str(a->type), pos, a->size ));\n\t\t}\n\t}\n\treturn e;\n}", "project": "gpac", "hash": 110686807478395933797455215475007981052, "size": 21, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224914 }, { "func": "GF_Err gf_isom_svc_config_new(GF_ISOFile *the_file, u32 trackNumber, GF_AVCConfig *cfg, const char *URLname, const char *URNname, u32 *outDescriptionIndex)\n{\n\treturn gf_isom_svc_mvc_config_new(the_file, trackNumber, cfg, GF_FALSE, (char *) URLname, (char *) URNname,outDescriptionIndex);\n}", "project": "gpac", "hash": 207433261720084234953868923748053112209, "size": 4, "commit_id": 
"0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237580 }, { "func": "GF_Err gf_isom_set_interleave_time(GF_ISOFile *movie, u32 InterleaveTime)\n{\n\tGF_Err e;\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\tif (!InterleaveTime || !movie->moov) return GF_OK;\n\tmovie->interleavingTime = InterleaveTime;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 36766285324357278824503368884789638220, "size": 10, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267341 }, { "func": "GF_Err gf_isom_reset_switch_parameters(GF_ISOFile *movie)\n{\n\tu32 i=0;\n\twhile (i< gf_isom_get_track_count(movie) ) {\n\t\t//locate first available ID\n\t\tGF_TrackBox *a_trak = gf_isom_get_track_from_file(movie, i+1);\n\t\treset_tsel_box(a_trak);\n\t\ti++;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 44511992891765959765934474167093849046, "size": 11, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267330 }, { "func": "GF_Err gf_isom_box_array_write(GF_Box *parent, GF_List *list, GF_BitStream *bs)\n{\n\tu32 count, i;\n\tGF_Box *a;\n\tGF_Err e;\n\tif (!list) return GF_BAD_PARAM;\n\tcount = gf_list_count(list);\n\tfor (i = 0; i < count; i++) {\n\t\ta = (GF_Box *)gf_list_get(list, i);\n\t\tif (a) {\n\t\t\te = gf_isom_box_write(a, bs);\n\t\t\tif (e) {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"ISOBMF: Error %s writing box %s\\n\", gf_error_to_string(e), gf_4cc_to_str(a->type) ));\n\t\t\t\treturn e;\n\t\t\t}\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 96670623722653207689838056403114996592, "size": 19, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224896 }, { "func": "void gf_isom_disable_inplace_rewrite(GF_ISOFile *movie)\n{\n\tif 
(movie)\n\t\tmovie->no_inplace_rewrite = GF_TRUE;\n}", "project": "gpac", "hash": 156058130419821587109133247935363337196, "size": 5, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267241 }, { "func": "GF_Err stbl_AddSize(GF_SampleSizeBox *stsz, u32 sampleNumber, u32 size, u32 nb_pack)\n{\n\tu32 i, k;\n\tu32 *newSizes;\n\tif (!stsz /*|| !size */ || !sampleNumber) return GF_BAD_PARAM;\n\n\tif (sampleNumber > stsz->sampleCount + 1) return GF_BAD_PARAM;\n\n\tCHECK_PACK(GF_BAD_PARAM)\n\n\tif (nb_pack>1)\n\t\tsize /= nb_pack;\n\n\n\t//all samples have the same size\n\tif (stsz->sizes == NULL) {\n\t\t//1 first sample added in NON COMPACT MODE\n\t\tif (! stsz->sampleCount && (stsz->type != GF_ISOM_BOX_TYPE_STZ2) ) {\n\t\t\tstsz->sampleCount = nb_pack;\n\t\t\tstsz->sampleSize = size;\n\t\t\treturn GF_OK;\n\t\t}\n\t\t//2- sample has the same size\n\t\tif (stsz->sampleSize == size) {\n\t\t\tstsz->sampleCount += nb_pack;\n\t\t\treturn GF_OK;\n\t\t}\n\t\tif (nb_pack>1) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Inserting packed samples with different sizes is not yet supported\\n\" ));\n\t\t\treturn GF_NOT_SUPPORTED;\n\t\t}\n\t\t//3- no, need to alloc a size table\n\t\tstsz->sizes = (u32*)gf_malloc(sizeof(u32) * (stsz->sampleCount + 1));\n\t\tif (!stsz->sizes) return GF_OUT_OF_MEM;\n\t\tstsz->alloc_size = stsz->sampleCount + 1;\n\n\t\tk = 0;\n\t\tfor (i = 0 ; i < stsz->sampleCount; i++) {\n\t\t\tif (i + 1 == sampleNumber) {\n\t\t\t\tstsz->sizes[i + k] = size;\n\t\t\t\tk = 1;\n\t\t\t}\n\t\t\tstsz->sizes[i+k] = stsz->sampleSize;\n\t\t}\n\t\t//this if we append a new sample\n\t\tif (stsz->sampleCount + 1 == sampleNumber) {\n\t\t\tstsz->sizes[stsz->sampleCount] = size;\n\t\t}\n\t\tstsz->sampleSize = 0;\n\t\tstsz->sampleCount++;\n\t\treturn GF_OK;\n\t}\n\n\n\t/*append*/\n\tif (stsz->sampleCount + 1 == sampleNumber) {\n\t\tif (!stsz->alloc_size) stsz->alloc_size = 
stsz->sampleCount;\n\t\tif (stsz->sampleCount == stsz->alloc_size) {\n\t\t\tALLOC_INC(stsz->alloc_size);\n\t\t\tstsz->sizes = gf_realloc(stsz->sizes, sizeof(u32)*(stsz->alloc_size) );\n\t\t\tif (!stsz->sizes) return GF_OUT_OF_MEM;\n\t\t\tmemset(&stsz->sizes[stsz->sampleCount], 0, sizeof(u32)*(stsz->alloc_size - stsz->sampleCount) );\n\t\t}\n\t\tstsz->sizes[stsz->sampleCount] = size;\n\t} else {\n\t\tnewSizes = (u32*)gf_malloc(sizeof(u32)*(1 + stsz->sampleCount) );\n\t\tif (!newSizes) return GF_OUT_OF_MEM;\n\t\tk = 0;\n\t\tfor (i = 0; i < stsz->sampleCount; i++) {\n\t\t\tif (i + 1 == sampleNumber) {\n\t\t\t\tnewSizes[i + k] = size;\n\t\t\t\tk = 1;\n\t\t\t}\n\t\t\tnewSizes[i + k] = stsz->sizes[i];\n\t\t}\n\t\tgf_free(stsz->sizes);\n\t\tstsz->sizes = newSizes;\n\t\tstsz->alloc_size = 1 + stsz->sampleCount;\n\t}\n\tstsz->sampleCount++;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 128053239169498410047141599095612260535, "size": 82, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267915 }, { "func": "void reset_tsel_box(GF_TrackBox *trak)\n{\n\tGF_UserDataMap *map;\n\ttrak->Header->alternate_group = 0;\n\tmap = udta_getEntry(trak->udta, GF_ISOM_BOX_TYPE_TSEL, NULL);\n\tif (map) {\n\t\tgf_list_del_item(trak->udta->recordList, map);\n\t\tgf_isom_box_array_del(map->boxes);\n\t\tgf_free(map);\n\t}\n\n}", "project": "gpac", "hash": 133366683119780017738710318194970185717, "size": 12, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267305 }, { "func": "GF_Err NewMedia(GF_MediaBox **mdia, u32 MediaType, u32 TimeScale)\n{\n\tGF_MediaHeaderBox *mdhd;\n\tGF_Box *mediaInfo;\n\tGF_HandlerBox *hdlr;\n\tGF_MediaInformationBox *minf;\n\tGF_DataInformationBox *dinf;\n\tGF_SampleTableBox *stbl;\n\tGF_DataReferenceBox *dref;\n\tchar *str=\"\";\n\n\tGF_Err e;\n\n\tif (!mdia) return GF_BAD_PARAM;\n\n\tminf = *mdia ? 
(*mdia)->information : NULL;\n\tmdhd = *mdia ? (*mdia)->mediaHeader : NULL;\n\thdlr = *mdia ? (*mdia)->handler : NULL;\n\tdinf = minf ? minf->dataInformation : NULL;\n\tstbl = minf ? minf->sampleTable : NULL;\n\tdref = dinf ? dinf->dref : NULL;\n\tmediaInfo = minf ? minf->InfoHeader : NULL;\n\n\t//first create the media\n\tif (!*mdia) {\n\t\t*mdia = (GF_MediaBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_MDIA);\n\t\tif (! *mdia) { e = GF_OUT_OF_MEM; goto err_exit; }\n\t}\n\tif (!mdhd) {\n\t\tmdhd = (GF_MediaHeaderBox *) gf_isom_box_new_parent( & ((*mdia)->child_boxes), GF_ISOM_BOX_TYPE_MDHD);\n\t\tif (! mdhd) { e = GF_OUT_OF_MEM; goto err_exit; }\n\t\te = mdia_on_child_box((GF_Box*)*mdia, (GF_Box *) mdhd, GF_FALSE);\n\t\tif (e) goto err_exit;\n\t}\n\tif (!hdlr) {\n\t\thdlr = (GF_HandlerBox *) gf_isom_box_new_parent(& ((*mdia)->child_boxes), GF_ISOM_BOX_TYPE_HDLR);\n\t\tif (! hdlr) { e = GF_OUT_OF_MEM; goto err_exit; }\n\t\te = mdia_on_child_box((GF_Box*)*mdia, (GF_Box *) hdlr, GF_FALSE);\n\t\tif (e) goto err_exit;\n\t}\n\tif (!minf) {\n\t\tminf = (GF_MediaInformationBox *) gf_isom_box_new_parent(& ((*mdia)->child_boxes), GF_ISOM_BOX_TYPE_MINF);\n\t\tif (! minf) { e = GF_OUT_OF_MEM; goto err_exit; }\n\t\te = mdia_on_child_box((GF_Box*)*mdia, (GF_Box *) minf, GF_FALSE);\n\t\tif (e) goto err_exit;\n\t}\n\tif (!dinf) {\n\t\tdinf = (GF_DataInformationBox *) gf_isom_box_new_parent(&minf->child_boxes, GF_ISOM_BOX_TYPE_DINF);\n\t\tif (! dinf) { e = GF_OUT_OF_MEM; goto err_exit; }\n\t\te = minf_on_child_box((GF_Box*)minf, (GF_Box *) dinf, GF_FALSE);\n\t\tif (e) goto err_exit;\n\t}\n\n\tif (!mediaInfo) {\n\t\t//\"handler name\" is for debugging purposes. 
Let's stick our name here ;)\n\t\tswitch (MediaType) {\n\t\tcase GF_ISOM_MEDIA_VISUAL:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_VMHD);\n\t\t\tstr = \"GPAC ISO Video Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_AUXV:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_VMHD);\n\t\t\tstr = \"GPAC ISO Auxiliary Video Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_PICT:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_VMHD);\n\t\t\tstr = \"GPAC ISO Picture Sequence Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_AUDIO:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_SMHD);\n\t\t\tstr = \"GPAC ISO Audio Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_HINT:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_HMHD);\n\t\t\tstr = \"GPAC ISO Hint Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_META:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_NMHD);\n\t\t\tstr = \"GPAC Timed MetaData Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_OD:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_NMHD);\n\t\t\tstr = \"GPAC MPEG-4 OD Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_OCR:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_NMHD);\n\t\t\tstr = \"GPAC MPEG-4 OCR Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_SCENE:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_NMHD);\n\t\t\tstr = \"GPAC MPEG-4 Scene Description Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_MPEG7:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_NMHD);\n\t\t\tstr = \"GPAC MPEG-4 MPEG-7 Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_OCI:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_NMHD);\n\t\t\tstr = \"GPAC MPEG-4 OCI Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_IPMP:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_NMHD);\n\t\t\tstr = \"GPAC MPEG-4 IPMP Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_MPEGJ:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_NMHD);\n\t\t\tstr = \"GPAC MPEG-4 MPEG-J Handler\";\n\t\t\tbreak;\n\t\tcase 
GF_ISOM_MEDIA_TEXT:\n\t\tcase GF_ISOM_MEDIA_SUBT:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_NMHD);\n\t\t\tstr = \"GPAC Streaming Text Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_MPEG_SUBT:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_STHD);\n\t\t\tstr = \"GPAC MPEG Subtitle Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_DIMS:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_VMHD);\n\t\t\tMediaType = GF_ISOM_MEDIA_SCENE;\n\t\t\tstr = \"GPAC DIMS Handler\";\n\t\t\tbreak;\n\t\tcase GF_ISOM_MEDIA_TIMECODE:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_GMHD);\n\t\t\tstr = \"GPAC TMCD Handler\";\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tmediaInfo = gf_isom_box_new(GF_ISOM_BOX_TYPE_NMHD);\n\t\t\tstr = \"GPAC IsoMedia Handler\";\n\t\t\tbreak;\n\t\t}\n\t\tif (! mediaInfo) { e = GF_OUT_OF_MEM; goto err_exit; }\n\t\tif (!minf->child_boxes) minf->child_boxes = gf_list_new();\n\t\tgf_list_add(minf->child_boxes, mediaInfo);\n\n\t\te = minf_on_child_box((GF_Box*)minf, (GF_Box *) mediaInfo, GF_FALSE);\n\t\tif (e) goto err_exit;\n\t}\n\n\tmdhd->timeScale = TimeScale;\n\thdlr->handlerType = MediaType;\n\tif (!hdlr->nameUTF8)\n\t\thdlr->nameUTF8 = gf_strdup(str);\n\n\tif (!dref) {\n\t\t//Create a data reference WITHOUT DATA ENTRY (we don't know anything yet about the media Data)\n\t\tdref = (GF_DataReferenceBox *) gf_isom_box_new_parent(&dinf->child_boxes, GF_ISOM_BOX_TYPE_DREF);\n\t\tif (! dref) { e = GF_OUT_OF_MEM; goto err_exit; }\n\t\te = dinf_on_child_box((GF_Box*)dinf, (GF_Box *)dref, GF_FALSE);\n\t\tif (e) goto err_exit;\n\t}\n\n\tif (!stbl) {\n\t\t//first set-up the sample table...\n\t\tstbl = (GF_SampleTableBox *) gf_isom_box_new_parent(&minf->child_boxes, GF_ISOM_BOX_TYPE_STBL);\n\t\tif (! 
stbl) { e = GF_OUT_OF_MEM; goto err_exit; }\n\n\t\te = minf_on_child_box((GF_Box*)minf, (GF_Box *) stbl, GF_FALSE);\n\t\tif (e) goto err_exit;\n\t}\n\tif (!stbl->SampleDescription) {\n\t\tstbl->SampleDescription = (GF_SampleDescriptionBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STSD);\n\t\tif (! stbl->SampleDescription) { e = GF_OUT_OF_MEM; goto err_exit; }\n\t}\n\n\t//by default create a regular table, 32 but offset and normal sample size\n\tif (!stbl->ChunkOffset) {\n\t\tstbl->ChunkOffset = gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STCO);\n\t\tif (! stbl->ChunkOffset) { e = GF_OUT_OF_MEM; goto err_exit; }\n\t}\n\tif (!stbl->SampleSize) {\n\t\tstbl->SampleSize = (GF_SampleSizeBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STSZ);\n\t\tif (! stbl->SampleSize) { e = GF_OUT_OF_MEM; goto err_exit; }\n\t}\n\tif (!stbl->SampleToChunk) {\n\t\tstbl->SampleToChunk = (GF_SampleToChunkBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STSC);\n\t\tif (! stbl->SampleToChunk) { e = GF_OUT_OF_MEM; goto err_exit; }\n\t}\n\tif (!stbl->TimeToSample) {\n\t\tstbl->TimeToSample = (GF_TimeToSampleBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STTS);\n\t\tif (! stbl->TimeToSample) { e = GF_OUT_OF_MEM; goto err_exit; }\n\t}\n\tif (!stbl->SampleDescription) {\n\t\tstbl->SampleDescription = (GF_SampleDescriptionBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STSD);\n\t\tif (! 
stbl->SampleDescription) { e = GF_OUT_OF_MEM; goto err_exit; }\n\t}\n\treturn GF_OK;\n\nerr_exit:\n\tif (mdhd) gf_isom_box_del_parent(& ((*mdia)->child_boxes), (GF_Box *)mdhd);\n\tif (minf) gf_isom_box_del_parent(& ((*mdia)->child_boxes), (GF_Box *)minf);\n\tif (hdlr) {\n\t\tgf_isom_box_del_parent(& ((*mdia)->child_boxes) , (GF_Box *)hdlr);\n\t}\n\treturn e;\n\n}", "project": "gpac", "hash": 171898703946186679477964381169671889662, "size": 197, "commit_id": "df8fffd839fe5ae9acd82d26fd48280a397411d9", "message": "fixed #1736", "target": 0, "dataset": "other", "idx": 272318 }, { "func": "void VP9_RewriteESDescriptor(GF_MPEGVisualSampleEntryBox *vp9)\n{\n\tVP9_RewriteESDescriptorEx(vp9, NULL);\n}", "project": "gpac", "hash": 154819788202359259594224067386021439706, "size": 4, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237627 }, { "func": "GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_AdobeBootstrapInfoBox *ptr = (GF_AdobeBootstrapInfoBox *)s;\n\tint i;\n\tu32 tmp_strsize;\n\tchar *tmp_str;\n\tBool zfound=GF_FALSE;\n\tGF_Err e;\n\n\tISOM_DECREASE_SIZE(ptr, 25)\n\tptr->bootstrapinfo_version = gf_bs_read_u32(bs);\n\tptr->profile = gf_bs_read_int(bs, 2);\n\tptr->live = gf_bs_read_int(bs, 1);\n\tptr->update = gf_bs_read_int(bs, 1);\n\tptr->reserved = gf_bs_read_int(bs, 4);\n\tptr->time_scale = gf_bs_read_u32(bs);\n\tptr->current_media_time = gf_bs_read_u64(bs);\n\tptr->smpte_time_code_offset = gf_bs_read_u64(bs);\n\n\ti=0;\n\tif (ptr->size<8) return GF_ISOM_INVALID_FILE;\n\ttmp_strsize =(u32)ptr->size;\n\ttmp_str = gf_malloc(sizeof(char)*tmp_strsize);\n\tif (!tmp_str) return GF_OUT_OF_MEM;\n\tmemset(tmp_str, 0, sizeof(char)*tmp_strsize);\n\n\twhile (tmp_strsize) {\n\t\tISOM_DECREASE_SIZE(ptr, 1)\n\t\ttmp_str[i] = gf_bs_read_u8(bs);\n\t\ttmp_strsize--;\n\t\tif (!tmp_str[i]) {\n\t\t\tzfound = GF_TRUE;\n\t\t\tbreak;\n\t\t}\n\t\ti++;\n\t}\n\tif (!zfound)\n\t\treturn 
GF_ISOM_INVALID_FILE;\n\tif (i) {\n\t\tptr->movie_identifier = gf_strdup(tmp_str);\n\t}\n\n\tISOM_DECREASE_SIZE(ptr, 1)\n\tptr->server_entry_count = gf_bs_read_u8(bs);\n\tfor (i=0; iserver_entry_count; i++) {\n\t\tint j=0;\n\t\tzfound = GF_FALSE;\n\t\ttmp_strsize=(u32)ptr->size;\n\t\twhile (tmp_strsize) {\n\t\t\tISOM_DECREASE_SIZE(ptr, 1)\n\t\t\ttmp_str[j] = gf_bs_read_u8(bs);\n\t\t\ttmp_strsize--;\n\t\t\tif (!tmp_str[j]) {\n\t\t\t\tzfound = GF_TRUE;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tj++;\n\t\t}\n\t\tif (!zfound)\n\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\tif (j) {\n\t\t\tgf_list_insert(ptr->server_entry_table, gf_strdup(tmp_str), i);\n\t\t}\n\t}\n\n\tISOM_DECREASE_SIZE(ptr, 1)\n\tptr->quality_entry_count = gf_bs_read_u8(bs);\n\tfor (i=0; iquality_entry_count; i++) {\n\t\tint j=0;\n\t\tzfound = GF_FALSE;\n\t\ttmp_strsize=(u32)ptr->size;\n\t\twhile (tmp_strsize) {\n\t\t\tISOM_DECREASE_SIZE(ptr, 1)\n\t\t\ttmp_str[j] = gf_bs_read_u8(bs);\n\t\t\ttmp_strsize--;\n\t\t\tif (!tmp_str[j]) {\n\t\t\t\tzfound = GF_TRUE;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tj++;\n\t\t}\n\n\t\tif (!zfound)\n\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\tif (j) {\n\t\t\tgf_list_insert(ptr->quality_entry_table, gf_strdup(tmp_str), i);\n\t\t}\n\t}\n\n\ti=0;\n\ttmp_strsize=(u32)ptr->size;\n\tzfound = GF_FALSE;\n\twhile (tmp_strsize) {\n\t\tISOM_DECREASE_SIZE(ptr, 1)\n\t\ttmp_str[i] = gf_bs_read_u8(bs);\n\t\ttmp_strsize--;\n\t\tif (!tmp_str[i]) {\n\t\t\tzfound = GF_TRUE;\n\t\t\tbreak;\n\t\t}\n\t\ti++;\n\t}\n\tif (!zfound)\n\t\treturn GF_ISOM_INVALID_FILE;\n\tif (i) {\n\t\tptr->drm_data = gf_strdup(tmp_str);\n\t}\n\n\ti=0;\n\ttmp_strsize=(u32)ptr->size;\n\tzfound = GF_FALSE;\n\twhile (tmp_strsize) {\n\t\tISOM_DECREASE_SIZE(ptr, 1)\n\t\ttmp_str[i] = gf_bs_read_u8(bs);\n\t\ttmp_strsize--;\n\t\tif (!tmp_str[i]) {\n\t\t\tzfound = GF_TRUE;\n\t\t\tbreak;\n\t\t}\n\t\ti++;\n\t}\n\tif (!zfound)\n\t\treturn GF_ISOM_INVALID_FILE;\n\tif (i) {\n\t\tptr->meta_data = gf_strdup(tmp_str);\n\t}\n\n\tISOM_DECREASE_SIZE(ptr, 
1)\n\tptr->segment_run_table_count = gf_bs_read_u8(bs);\n\tfor (i=0; isegment_run_table_count; i++) {\n\t\tGF_AdobeSegmentRunTableBox *asrt = NULL;\n\t\te = gf_isom_box_parse((GF_Box **)&asrt, bs);\n\t\tif (e) {\n\t\t\tif (asrt) gf_isom_box_del((GF_Box*)asrt);\n\t\t\tgf_free(tmp_str);\n\t\t\treturn e;\n\t\t}\n\t\tgf_list_add(ptr->segment_run_table_entries, asrt);\n\t}\n\n\tISOM_DECREASE_SIZE(ptr, 1)\n\tptr->fragment_run_table_count = gf_bs_read_u8(bs);\n\tfor (i=0; ifragment_run_table_count; i++) {\n\t\tGF_AdobeFragmentRunTableBox *afrt = NULL;\n\t\te = gf_isom_box_parse((GF_Box **)&afrt, bs);\n\t\tif (e) {\n\t\t\tif (afrt) gf_isom_box_del((GF_Box*)afrt);\n\t\t\tgf_free(tmp_str);\n\t\t\treturn e;\n\t\t}\n\t\tgf_list_add(ptr->fragment_run_table_entries, afrt);\n\t}\n\n\tgf_free(tmp_str);\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 65800177890771330818160234491326522750, "size": 157, "commit_id": "e74be5976a6fee059c638050a237893f7e9a3b23", "message": "fixed #1753", "target": 1, "dataset": "other", "idx": 195679 }, { "func": "GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_AdobeBootstrapInfoBox *ptr = (GF_AdobeBootstrapInfoBox *)s;\n\tint i;\n\tu32 tmp_strsize;\n\tchar *tmp_str;\n\tGF_Err e;\n\n\tISOM_DECREASE_SIZE(ptr, 25)\n\tptr->bootstrapinfo_version = gf_bs_read_u32(bs);\n\tptr->profile = gf_bs_read_int(bs, 2);\n\tptr->live = gf_bs_read_int(bs, 1);\n\tptr->update = gf_bs_read_int(bs, 1);\n\tptr->reserved = gf_bs_read_int(bs, 4);\n\tptr->time_scale = gf_bs_read_u32(bs);\n\tptr->current_media_time = gf_bs_read_u64(bs);\n\tptr->smpte_time_code_offset = gf_bs_read_u64(bs);\n\n\ti=0;\n\tif (ptr->size<8) return GF_ISOM_INVALID_FILE;\n\ttmp_strsize =(u32)ptr->size;\n\ttmp_str = gf_malloc(sizeof(char)*tmp_strsize);\n\tif (!tmp_str) return GF_OUT_OF_MEM;\n\tmemset(tmp_str, 0, sizeof(char)*tmp_strsize);\n\n\twhile (tmp_strsize) {\n\t\tISOM_DECREASE_SIZE(ptr, 1)\n\t\ttmp_str[i] = gf_bs_read_u8(bs);\n\t\ttmp_strsize--;\n\t\tif 
(!tmp_str[i])\n\t\t\tbreak;\n\t\ti++;\n\t}\n\tif (i) {\n\t\tptr->movie_identifier = gf_strdup(tmp_str);\n\t}\n\n\tISOM_DECREASE_SIZE(ptr, 1)\n\tptr->server_entry_count = gf_bs_read_u8(bs);\n\tfor (i=0; iserver_entry_count; i++) {\n\t\tint j=0;\n\t\ttmp_strsize=(u32)ptr->size;\n\t\twhile (tmp_strsize) {\n\t\t\tISOM_DECREASE_SIZE(ptr, 1)\n\t\t\ttmp_str[j] = gf_bs_read_u8(bs);\n\t\t\ttmp_strsize--;\n\t\t\tif (!tmp_str[j])\n\t\t\t\tbreak;\n\t\t\tj++;\n\t\t}\n\t\tif (j) {\n\t\t\tgf_list_insert(ptr->server_entry_table, gf_strdup(tmp_str), i);\n\t\t}\n\t}\n\n\tISOM_DECREASE_SIZE(ptr, 1)\n\tptr->quality_entry_count = gf_bs_read_u8(bs);\n\tfor (i=0; iquality_entry_count; i++) {\n\t\tint j=0;\n\t\ttmp_strsize=(u32)ptr->size;\n\t\twhile (tmp_strsize) {\n\t\t\tISOM_DECREASE_SIZE(ptr, 1)\n\t\t\ttmp_str[j] = gf_bs_read_u8(bs);\n\t\t\ttmp_strsize--;\n\t\t\tif (!tmp_str[j])\n\t\t\t\tbreak;\n\t\t\tj++;\n\t\t}\n\n\t\tif (j) {\n\t\t\tgf_list_insert(ptr->quality_entry_table, gf_strdup(tmp_str), i);\n\t\t}\n\t}\n\n\ti=0;\n\ttmp_strsize=(u32)ptr->size;\n\twhile (tmp_strsize) {\n\t\tISOM_DECREASE_SIZE(ptr, 1)\n\t\ttmp_str[i] = gf_bs_read_u8(bs);\n\t\ttmp_strsize--;\n\t\tif (!tmp_str[i])\n\t\t\tbreak;\n\t\ti++;\n\t}\n\tif (i) {\n\t\tptr->drm_data = gf_strdup(tmp_str);\n\t}\n\n\ti=0;\n\ttmp_strsize=(u32)ptr->size;\n\twhile (tmp_strsize) {\n\t\tISOM_DECREASE_SIZE(ptr, 1)\n\t\ttmp_str[i] = gf_bs_read_u8(bs);\n\t\ttmp_strsize--;\n\t\tif (!tmp_str[i])\n\t\t\tbreak;\n\t\ti++;\n\t}\n\tif (i) {\n\t\tptr->meta_data = gf_strdup(tmp_str);\n\t}\n\n\tISOM_DECREASE_SIZE(ptr, 1)\n\tptr->segment_run_table_count = gf_bs_read_u8(bs);\n\tfor (i=0; isegment_run_table_count; i++) {\n\t\tGF_AdobeSegmentRunTableBox *asrt = NULL;\n\t\te = gf_isom_box_parse((GF_Box **)&asrt, bs);\n\t\tif (e) {\n\t\t\tif (asrt) gf_isom_box_del((GF_Box*)asrt);\n\t\t\tgf_free(tmp_str);\n\t\t\treturn e;\n\t\t}\n\t\tgf_list_add(ptr->segment_run_table_entries, asrt);\n\t}\n\n\tISOM_DECREASE_SIZE(ptr, 1)\n\tptr->fragment_run_table_count 
= gf_bs_read_u8(bs);\n\tfor (i=0; ifragment_run_table_count; i++) {\n\t\tGF_AdobeFragmentRunTableBox *afrt = NULL;\n\t\te = gf_isom_box_parse((GF_Box **)&afrt, bs);\n\t\tif (e) {\n\t\t\tif (afrt) gf_isom_box_del((GF_Box*)afrt);\n\t\t\tgf_free(tmp_str);\n\t\t\treturn e;\n\t\t}\n\t\tgf_list_add(ptr->fragment_run_table_entries, afrt);\n\t}\n\n\tgf_free(tmp_str);\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 308409188853721770492036465417946840792, "size": 132, "commit_id": "758135e91e623d7dfe7f6aaad7aeb3f791b7a4e5", "message": "fixed #1733", "target": 1, "dataset": "other", "idx": 198240 }, { "func": "GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_AdobeBootstrapInfoBox *ptr = (GF_AdobeBootstrapInfoBox *)s;\n\tint i;\n\tu32 tmp_strsize;\n\tchar *tmp_str;\n\tBool zfound=GF_FALSE;\n\tGF_Err e = GF_OK;\n\n\tISOM_DECREASE_SIZE(ptr, 25)\n\tptr->bootstrapinfo_version = gf_bs_read_u32(bs);\n\tptr->profile = gf_bs_read_int(bs, 2);\n\tptr->live = gf_bs_read_int(bs, 1);\n\tptr->update = gf_bs_read_int(bs, 1);\n\tptr->reserved = gf_bs_read_int(bs, 4);\n\tptr->time_scale = gf_bs_read_u32(bs);\n\tptr->current_media_time = gf_bs_read_u64(bs);\n\tptr->smpte_time_code_offset = gf_bs_read_u64(bs);\n\n\ti=0;\n\tif (ptr->size<8) return GF_ISOM_INVALID_FILE;\n\ttmp_strsize =(u32)ptr->size;\n\ttmp_str = gf_malloc(sizeof(char)*tmp_strsize);\n\tif (!tmp_str) return GF_OUT_OF_MEM;\n\tmemset(tmp_str, 0, sizeof(char)*tmp_strsize);\n\n\twhile (tmp_strsize) {\n\t\tISOM_DECREASE_SIZE_GOTO_EXIT(ptr, 1)\n\t\ttmp_str[i] = gf_bs_read_u8(bs);\n\t\ttmp_strsize--;\n\t\tif (!tmp_str[i]) {\n\t\t\tzfound = GF_TRUE;\n\t\t\tbreak;\n\t\t}\n\t\ti++;\n\t}\n\tif (!zfound) {\n\t\te = GF_ISOM_INVALID_FILE;\n\t\tgoto exit;\n\t}\n\tif (i) {\n\t\tptr->movie_identifier = gf_strdup(tmp_str);\n\t}\n\n\tISOM_DECREASE_SIZE_GOTO_EXIT(ptr, 1)\n\tptr->server_entry_count = gf_bs_read_u8(bs);\n\tfor (i=0; iserver_entry_count; i++) {\n\t\tint j=0;\n\t\tzfound = 
GF_FALSE;\n\t\ttmp_strsize=(u32)ptr->size;\n\t\twhile (tmp_strsize) {\n\t\t\tISOM_DECREASE_SIZE_GOTO_EXIT(ptr, 1)\n\t\t\ttmp_str[j] = gf_bs_read_u8(bs);\n\t\t\ttmp_strsize--;\n\t\t\tif (!tmp_str[j]) {\n\t\t\t\tzfound = GF_TRUE;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tj++;\n\t\t}\n\t\tif (!zfound) {\n\t\t\te = GF_ISOM_INVALID_FILE;\n\t\t\tgoto exit;\n\t\t}\n\t\tif (j) {\n\t\t\tgf_list_insert(ptr->server_entry_table, gf_strdup(tmp_str), i);\n\t\t}\n\t}\n\tif (ptr->server_entry_count != gf_list_count(ptr->server_entry_table)) {\n\t\te = GF_ISOM_INVALID_FILE;\n\t\tgoto exit;\n\t}\n\n\tISOM_DECREASE_SIZE_GOTO_EXIT(ptr, 1)\n\tptr->quality_entry_count = gf_bs_read_u8(bs);\n\tfor (i=0; iquality_entry_count; i++) {\n\t\tint j=0;\n\t\tzfound = GF_FALSE;\n\t\ttmp_strsize=(u32)ptr->size;\n\t\twhile (tmp_strsize) {\n\t\t\tISOM_DECREASE_SIZE_GOTO_EXIT(ptr, 1)\n\t\t\ttmp_str[j] = gf_bs_read_u8(bs);\n\t\t\ttmp_strsize--;\n\t\t\tif (!tmp_str[j]) {\n\t\t\t\tzfound = GF_TRUE;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tj++;\n\t\t}\n\n\t\tif (!zfound) {\n\t\t\te = GF_ISOM_INVALID_FILE;\n\t\t\tgoto exit;\n\t\t}\n\t\tif (j) {\n\t\t\tgf_list_insert(ptr->quality_entry_table, gf_strdup(tmp_str), i);\n\t\t}\n\t}\n\tif (ptr->quality_entry_count != gf_list_count(ptr->quality_entry_table)) {\n\t\te = GF_ISOM_INVALID_FILE;\n\t\tgoto exit;\n\t}\n\n\ti=0;\n\ttmp_strsize=(u32)ptr->size;\n\tzfound = GF_FALSE;\n\twhile (tmp_strsize) {\n\t\tISOM_DECREASE_SIZE_GOTO_EXIT(ptr, 1)\n\t\ttmp_str[i] = gf_bs_read_u8(bs);\n\t\ttmp_strsize--;\n\t\tif (!tmp_str[i]) {\n\t\t\tzfound = GF_TRUE;\n\t\t\tbreak;\n\t\t}\n\t\ti++;\n\t}\n\tif (!zfound) {\n\t\te = GF_ISOM_INVALID_FILE;\n\t\tgoto exit;\n\t}\n\n\tif (i) {\n\t\tptr->drm_data = gf_strdup(tmp_str);\n\t}\n\n\ti=0;\n\ttmp_strsize=(u32)ptr->size;\n\tzfound = GF_FALSE;\n\twhile (tmp_strsize) {\n\t\tISOM_DECREASE_SIZE_GOTO_EXIT(ptr, 1)\n\t\ttmp_str[i] = gf_bs_read_u8(bs);\n\t\ttmp_strsize--;\n\t\tif (!tmp_str[i]) {\n\t\t\tzfound = GF_TRUE;\n\t\t\tbreak;\n\t\t}\n\t\ti++;\n\t}\n\tif 
(!zfound) {\n\t\te = GF_ISOM_INVALID_FILE;\n\t\tgoto exit;\n\t}\n\n\tif (i) {\n\t\tptr->meta_data = gf_strdup(tmp_str);\n\t}\n\n\tISOM_DECREASE_SIZE_GOTO_EXIT(ptr, 1)\n\tptr->segment_run_table_count = gf_bs_read_u8(bs);\n\tfor (i=0; isegment_run_table_count; i++) {\n\t\tGF_AdobeSegmentRunTableBox *asrt = NULL;\n\t\te = gf_isom_box_parse((GF_Box **)&asrt, bs);\n\t\tif (e) {\n\t\t\tif (asrt) gf_isom_box_del((GF_Box*)asrt);\n\t\t\tgoto exit;\n\t\t}\n\t\tgf_list_add(ptr->segment_run_table_entries, asrt);\n\t}\n\tif (ptr->segment_run_table_count != gf_list_count(ptr->segment_run_table_entries)) {\n\t\te = GF_ISOM_INVALID_FILE;\n\t\tgoto exit;\n\t}\n\n\tISOM_DECREASE_SIZE_GOTO_EXIT(ptr, 1)\n\tptr->fragment_run_table_count = gf_bs_read_u8(bs);\n\tfor (i=0; ifragment_run_table_count; i++) {\n\t\tGF_AdobeFragmentRunTableBox *afrt = NULL;\n\t\te = gf_isom_box_parse((GF_Box **)&afrt, bs);\n\t\tif (e) {\n\t\t\tif (afrt) gf_isom_box_del((GF_Box*)afrt);\n\t\t\tgoto exit;\n\t\t}\n\t\tgf_list_add(ptr->fragment_run_table_entries, afrt);\n\t}\n\tif (ptr->fragment_run_table_count != gf_list_count(ptr->fragment_run_table_entries)) {\n\t\te = GF_ISOM_INVALID_FILE;\n\t\tgoto exit;\n\t}\n\nexit:\n\tgf_free(tmp_str);\n\treturn e;\n}", "project": "gpac", "hash": 263041082295436052908187100475540340486, "size": 183, "commit_id": "e74be5976a6fee059c638050a237893f7e9a3b23", "message": "fixed #1753", "target": 0, "dataset": "other", "idx": 230580 }, { "func": "void dump_isom_timestamps(GF_ISOFile *file, char *inName, Bool is_final_name, u32 dump_mode)\n{\n\tu32 i, j, k, count;\n\tBool has_ctts_error, is_fragmented=GF_FALSE;\n\tFILE *dump;\n\tBool skip_offset = ((dump_mode==2) || (dump_mode==4)) ? GF_TRUE : GF_FALSE;\n\tBool check_ts = ((dump_mode==3) || (dump_mode==4)) ? 
GF_TRUE : GF_FALSE;\n\tstruct _ts_info {\n\t\tu64 dts;\n\t\ts64 cts;\n\t};\n\tstruct _ts_info *timings = NULL;\n\tu32 nb_timings=0, nb_timings_alloc = 0;\n\n\n\tif (inName) {\n\t\tchar szBuf[1024];\n\t\tstrcpy(szBuf, inName);\n\t\tif (!is_final_name) strcat(szBuf, \"_ts.txt\");\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Failed to open %s\\n\", szBuf));\n\t\t\treturn;\n\t\t}\n\t} else {\n\t\tdump = stdout;\n\t}\n\tif (gf_isom_is_fragmented(file))\n\t\tis_fragmented = GF_TRUE;\n\n\thas_ctts_error = GF_FALSE;\n\tfor (i=0; iDTS;\n\t\t\tcts = dts + (s32) samp->CTS_Offset;\n\t\t\tfprintf(dump, \"Sample %d\\tDTS \"LLU\"\\tCTS \"LLD\"\\t%d\\t%d\", j+1, dts, cts, samp->dataLength, samp->IsRAP);\n\n\t\t\tif (!skip_offset)\n\t\t\t\tfprintf(dump, \"\\t\"LLU, offset);\n\n\t\t\tfprintf(dump, \"\\t%d\\t%d\\t%d\\t%d\\t%d\\t%d\\t%d\", isLeading, dependsOn, dependedOn, redundant, is_rap, roll_type, roll_distance);\n\n\t\t\tif (cts< (s64) dts) {\n\t\t\t\tif (has_cts_offset==2) {\n\t\t\t\t\tif (cts_dts_shift && (cts+cts_dts_shift < (s64) dts)) {\n\t\t\t\t\t\tfprintf(dump, \" #NEGATIVE CTS OFFSET!!!\");\n\t\t\t\t\t\thas_ctts_error = 1;\n\t\t\t\t\t} else if (!cts_dts_shift) {\n\t\t\t\t\t\tfprintf(dump, \" #possible negative CTS offset (no cslg in file)\");\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tfprintf(dump, \" #NEGATIVE CTS OFFSET!!!\");\n\t\t\t\t\thas_ctts_error = 1;\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (has_cts_offset && check_ts) {\n\t\t\t\tfor (k=0; kDTS;\n\t\t\tcts = dts + (s32) samp->CTS_Offset;\n\t\t\tfprintf(dump, \"Sample %d\\tDTS \"LLU\"\\tCTS \"LLD\"\\t%d\\t%d\", j+1, dts, cts, samp->dataLength, samp->IsRAP);\n\n\t\t\tif (!skip_offset)\n\t\t\t\tfprintf(dump, \"\\t\"LLU, offset);\n\n\t\t\tfprintf(dump, \"\\t%d\\t%d\\t%d\\t%d\\t%d\\t%d\\t%d\", isLeading, dependsOn, dependedOn, redundant, is_rap, roll_type, roll_distance);\n\n\t\t\tif (cts< (s64) dts) {\n\t\t\t\tif (has_cts_offset==2) {\n\t\t\t\t\tif (cts_dts_shift && (cts+cts_dts_shift < 
(s64) dts)) {\n\t\t\t\t\t\tfprintf(dump, \" #NEGATIVE CTS OFFSET!!!\");\n\t\t\t\t\t\thas_ctts_error = 1;\n\t\t\t\t\t} else if (!cts_dts_shift) {\n\t\t\t\t\t\tfprintf(dump, \" #possible negative CTS offset (no cslg in file)\");\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tfprintf(dump, \" #NEGATIVE CTS OFFSET!!!\");\n\t\t\t\t\thas_ctts_error = 1;\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (has_cts_offset && check_ts) {\n\t\t\t\tfor (k=0; kMedia->handler->handlerType == GF_ISOM_MEDIA_HINT) return GF_BAD_PARAM;\n\n\tif (!sampleNumber || !sample) return GF_BAD_PARAM;\n\n\te = unpack_track(trak);\n\tif (e) return e;\n\n\t//OD is not allowed as a data ref\n\tif (trak->Media->handler->handlerType == GF_ISOM_MEDIA_OD) {\n\t\treturn GF_BAD_PARAM;\n\t}\n\t//OK, update it\n\te = Media_UpdateSampleReference(trak->Media, sampleNumber, sample, data_offset);\n\tif (e) return e;\n\n\tif (!movie->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\treturn GF_OK;\n}", "project": "gpac", "hash": 17669898771558880931297350545820401181, "size": 31, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267172 }, { "func": "GF_Err gf_isom_reset_track_switch_parameter(GF_ISOFile *movie, u32 trackNumber, Bool reset_all_group)\n{\n\tGF_TrackBox *trak;\n\tu32 alternateGroupID = 0;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\tif (!trak->Header->alternate_group) return GF_OK;\n\n\talternateGroupID = trak->Header->alternate_group;\n\tif (reset_all_group) {\n\t\tu32 i=0;\n\t\twhile (i< gf_isom_get_track_count(movie) ) {\n\t\t\t//locate first available ID\n\t\t\tGF_TrackBox *a_trak = gf_isom_get_track_from_file(movie, i+1);\n\t\t\tif (a_trak->Header->alternate_group == alternateGroupID) reset_tsel_box(a_trak);\n\t\t\ti++;\n\t\t}\n\t} else {\n\t\treset_tsel_box(trak);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 
188339816410627695535299712101081473929, "size": 23, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267194 }, { "func": "static void PrintNodeSFField(u32 type, void *far_ptr)\n{\n\tif (!far_ptr) return;\n\tswitch (type) {\n\tcase GF_SG_VRML_SFBOOL:\n\t\tfprintf(stderr, \"%s\", (*(SFBool *)far_ptr) ? \"TRUE\" : \"FALSE\");\n\t\tbreak;\n\tcase GF_SG_VRML_SFINT32:\n\t\tfprintf(stderr, \"%d\", (*(SFInt32 *)far_ptr));\n\t\tbreak;\n\tcase GF_SG_VRML_SFFLOAT:\n\t\tPrintFixed((*(SFFloat *)far_ptr), 0);\n\t\tbreak;\n\tcase GF_SG_VRML_SFTIME:\n\t\tfprintf(stderr, \"%g\", (*(SFTime *)far_ptr));\n\t\tbreak;\n\tcase GF_SG_VRML_SFVEC2F:\n\t\tPrintFixed(((SFVec2f *)far_ptr)->x, 0);\n\t\tPrintFixed(((SFVec2f *)far_ptr)->y, 1);\n\t\tbreak;\n\tcase GF_SG_VRML_SFVEC3F:\n\t\tPrintFixed(((SFVec3f *)far_ptr)->x, 0);\n\t\tPrintFixed(((SFVec3f *)far_ptr)->y, 1);\n\t\tPrintFixed(((SFVec3f *)far_ptr)->z, 1);\n\t\tbreak;\n\tcase GF_SG_VRML_SFROTATION:\n\t\tPrintFixed(((SFRotation *)far_ptr)->x, 0);\n\t\tPrintFixed(((SFRotation *)far_ptr)->y, 1);\n\t\tPrintFixed(((SFRotation *)far_ptr)->z, 1);\n\t\tPrintFixed(((SFRotation *)far_ptr)->q, 1);\n\t\tbreak;\n\tcase GF_SG_VRML_SFCOLOR:\n\t\tPrintFixed(((SFColor *)far_ptr)->red, 0);\n\t\tPrintFixed(((SFColor *)far_ptr)->green, 1);\n\t\tPrintFixed(((SFColor *)far_ptr)->blue, 1);\n\t\tbreak;\n\tcase GF_SG_VRML_SFSTRING:\n\t\tif (((SFString*)far_ptr)->buffer)\n\t\t\tfprintf(stderr, \"\\\"%s\\\"\", ((SFString*)far_ptr)->buffer);\n\t\telse\n\t\t\tfprintf(stderr, \"NULL\");\n\t\tbreak;\n\t}\n}", "project": "gpac", "hash": 8891707925633516783805761338826118186, "size": 44, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243188 }, { "func": "GF_Err gf_isom_update_duration(GF_ISOFile *movie)\n{\n\tu32 i;\n\tu64 maxDur;\n\tGF_TrackBox *trak;\n\n\tif (!movie || !movie->moov) return GF_BAD_PARAM;\n\n\t//if 
file was open in Write or Edit mode, recompute the duration\n\t//the duration of a movie is the MaxDuration of all the tracks...\n\n\tmaxDur = 0;\n\ti=0;\n\twhile ((trak = (GF_TrackBox *)gf_list_enum(movie->moov->trackList, &i))) {\n\t\tif( (movie->LastError = SetTrackDuration(trak))\t) return movie->LastError;\n\t\tif (trak->Header && (trak->Header->duration > maxDur))\n\t\t\tmaxDur = trak->Header->duration;\n\t}\n\tmovie->moov->mvhd->duration = maxDur;\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 14985360568294401510367030444169488553, "size": 22, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267310 }, { "func": "u32 gf_isom_is_media_encrypted(GF_ISOFile *the_file, u32 trackNumber, u32 sampleDescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tu32 i, count;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return 0;\n\tcount = gf_list_count(trak->Media->information->sampleTable->SampleDescription->child_boxes);\n\tfor (i=0; ischeme_type) return 0;\n\t\tif (sinf->scheme_type->scheme_type == GF_ISOM_PIFF_SCHEME) return GF_ISOM_CENC_SCHEME;\n\t\treturn sinf->scheme_type->scheme_type;\n\t}\n\treturn 0;\n}", "project": "gpac", "hash": 14495135391881853738505937850342474433, "size": 23, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275433 }, { "func": "GF_Err gf_isom_get_raw_user_data(GF_ISOFile *file, u8 **output, u32 *output_size)\n{\n\tGF_BitStream *bs;\n\tGF_Err e;\n\tGF_Box *b;\n\tu32 i;\n\n\t*output = NULL;\n\t*output_size = 0;\n\tif (!file || !file->moov || (!file->moov->udta && !file->moov->child_boxes)) return GF_OK;\n\tbs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\n\tif (file->moov->udta) {\n\t\te = gf_isom_box_size( (GF_Box *) file->moov->udta);\n\t\tif (e) goto exit;\n\t\te = gf_isom_box_write((GF_Box *) file->moov->udta, bs);\n\t\tif (e) 
goto exit;\n\t}\n\te = GF_OK;\n\ti=0;\n\twhile ((b = gf_list_enum(file->moov->child_boxes, &i))) {\n\t\tswitch (b->type) {\n\t\tcase GF_ISOM_BOX_TYPE_TRAK:\n\t\tcase GF_ISOM_BOX_TYPE_MVHD:\n\t\tcase GF_ISOM_BOX_TYPE_MVEX:\n\t\tcase GF_ISOM_BOX_TYPE_IODS:\n\t\tcase GF_ISOM_BOX_TYPE_META:\n\t\t\tcontinue;\n\t\t}\n\t\te = gf_isom_box_size( (GF_Box *) b);\n\t\tif (e) goto exit;\n\t\te = gf_isom_box_write((GF_Box *) b, bs);\n\t\tif (e) goto exit;\n\t}\n\n\tgf_bs_get_content(bs, output, output_size);\n\nexit:\n\tgf_bs_del(bs);\n\treturn e;\n}", "project": "gpac", "hash": 310679503390681922975577896088449798669, "size": 41, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267291 }, { "func": "Bool gf_isom_is_ismacryp_media(GF_ISOFile *the_file, u32 trackNumber, u32 sampleDescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_FALSE;\n\n\tsinf = isom_get_sinf_entry(trak, sampleDescriptionIndex, GF_ISOM_ISMACRYP_SCHEME, NULL);\n\tif (!sinf) return GF_FALSE;\n\n\t/*non-encrypted or non-ISMA*/\n\tif (!sinf->info || !sinf->info->ikms || !sinf->info->isfm )\n\t\treturn GF_FALSE;\n\n\treturn GF_TRUE;\n}", "project": "gpac", "hash": 18033321553162240019051627947467992383, "size": 17, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275426 }, { "func": "GF_Err stbl_AddDTS(GF_SampleTableBox *stbl, u64 DTS, u32 *sampleNumber, u32 LastAUDefDuration, u32 nb_pack)\n{\n\tu32 i, j, sampNum;\n\tu64 *DTSs, curDTS;\n\tBool inserted;\n\tGF_SttsEntry *ent;\n\n\tGF_TimeToSampleBox *stts = stbl->TimeToSample;\n\n\t//reset the reading cache when adding a sample\n\tstts->r_FirstSampleInEntry = 0;\n\n\t*sampleNumber = 0;\n\n\tCHECK_PACK(GF_BAD_PARAM)\n\n\n\t//if we don't have an entry, that's the first one...\n\tif (!stts->nb_entries) 
{\n\t\t//assert the first DTS is 0. If not, that will break the whole file\n\t\tif (DTS) return GF_BAD_PARAM;\n\t\tstts->alloc_size = 1;\n\t\tstts->nb_entries = 1;\n\t\tstts->entries = gf_malloc(sizeof(GF_SttsEntry));\n\t\tif (!stts->entries) return GF_OUT_OF_MEM;\n\t\tstts->entries[0].sampleCount = nb_pack;\n\t\tstts->entries[0].sampleDelta = (nb_pack>1) ? 0 : LastAUDefDuration;\n\t\t(*sampleNumber) = 1;\n\t\tstts->w_currentSampleNum = nb_pack;\n\t\treturn GF_OK;\n\t}\n\t//check the last DTS - we allow 0-duration samples (same DTS)\n\tif (DTS >= stts->w_LastDTS) {\n\t\tu32 nb_extra = 0;\n\t\tent = &stts->entries[stts->nb_entries-1];\n\t\tif (!ent->sampleDelta && (ent->sampleCount>1)) {\n\t\t\tent->sampleDelta = (u32) ( DTS / ent->sampleCount);\n\t\t\tstts->w_LastDTS = DTS - ent->sampleDelta;\n\t\t}\n\t\t//OK, we're adding at the end\n\t\tif ((DTS == stts->w_LastDTS + ent->sampleDelta)\n\t\t\t//for raw audio, consider (dts==last_dts) and (dts==last_dts+2*delta) as sample append to cope with\n\t\t\t//timescale vs samplerate precision\n\t\t\t|| ((nb_pack>1) && ((DTS == stts->w_LastDTS) || (DTS == stts->w_LastDTS + 2*ent->sampleDelta) ))\n\t\t) {\n\t\t\t(*sampleNumber) = stts->w_currentSampleNum + 1;\n\t\t\tent->sampleCount += nb_pack;\n\t\t\tstts->w_currentSampleNum += nb_pack;\n\t\t\tstts->w_LastDTS = DTS + ent->sampleDelta * (nb_pack-1);\n\t\t\treturn GF_OK;\n\t\t}\n\t\t//we need to split the entry\n\t\tif (ent->sampleCount == 1) {\n\t\t\t//FIXME - we need more tests with timed text\n#if 0\n\t\t\tif (stts->w_LastDTS)\n\t\t\t\tent->sampleDelta += (u32) (DTS - stts->w_LastDTS);\n\t\t\telse\n\t\t\t\tent->sampleDelta = (u32) DTS;\n#else\n\t\t\t//use this one and adjust...\n\t\t\tent->sampleDelta = (u32) (DTS - stts->w_LastDTS);\n#endif\n\n\t\t\tent->sampleCount ++;\n\t\t\t//little opt, merge last entry with previous one if same delta\n\t\t\tif ((stts->nb_entries>=2) && (ent->sampleDelta== stts->entries[stts->nb_entries-2].sampleDelta)) 
{\n\t\t\t\tstts->entries[stts->nb_entries-2].sampleCount += ent->sampleCount;\n\t\t\t\tstts->nb_entries--;\n\t\t\t}\n\t\t\tstts->w_currentSampleNum ++;\n\t\t\tstts->w_LastDTS = DTS;\n\t\t\t(*sampleNumber) = stts->w_currentSampleNum;\n\t\t\treturn GF_OK;\n\t\t}\n\t\t//we definitely need to split the entry ;)\n\t\tent->sampleCount --;\n\n\t\tif (nb_pack>1)\n\t\t\tnb_extra = 1;\n\n\t\tif (stts->alloc_size <= stts->nb_entries + nb_extra) {\n\t\t\tALLOC_INC(stts->alloc_size);\n\t\t\tstts->entries = gf_realloc(stts->entries, sizeof(GF_SttsEntry)*stts->alloc_size);\n\t\t\tif (!stts->entries) return GF_OUT_OF_MEM;\n\t\t\tmemset(&stts->entries[stts->nb_entries], 0, sizeof(GF_SttsEntry)*(stts->alloc_size-stts->nb_entries) );\n\t\t}\n\n\t\tif (nb_extra)\n\t\t\tnb_extra = stts->entries[stts->nb_entries-1].sampleDelta;\n\n\t\tent = &stts->entries[stts->nb_entries];\n\t\tstts->nb_entries++;\n\n\t\tif (nb_pack==1) {\n\t\t\tent->sampleCount = 2;\n\t\t\tent->sampleDelta = (u32) (DTS - stts->w_LastDTS);\n\t\t\tstts->w_LastDTS = DTS;\n\t\t\t(*sampleNumber) = stts->w_currentSampleNum+1;\n\t\t\tstts->w_currentSampleNum += 1;\n\t\t\treturn GF_OK;\n\t\t}\n\n\t\tent->sampleCount = 1;\n\t\tent->sampleDelta = (u32) (DTS - stts->w_LastDTS);\n\n\t\tent = &stts->entries[stts->nb_entries];\n\t\tstts->nb_entries++;\n\n\t\tent->sampleCount = nb_pack;\n\t\tent->sampleDelta = nb_extra;\n\t\tstts->w_LastDTS = DTS;\n\t\t(*sampleNumber) = stts->w_currentSampleNum + 1;\n\t\tstts->w_currentSampleNum += nb_pack;\n\t\treturn GF_OK;\n\t}\n\n\n\t//unpack the DTSs and locate new sample...\n\tDTSs = (u64*)gf_malloc(sizeof(u64) * (stbl->SampleSize->sampleCount+2) );\n\tif (!DTSs) return GF_OUT_OF_MEM;\n\tcurDTS = 0;\n\tsampNum = 0;\n\tent = NULL;\n\tinserted = 0;\n\tfor (i=0; inb_entries; i++) {\n\t\tent = & stts->entries[i];\n\t\tfor (j = 0; jsampleCount; j++) {\n\t\t\tif (!inserted && (curDTS > DTS)) {\n\t\t\t\tDTSs[sampNum] = DTS;\n\t\t\t\tsampNum++;\n\t\t\t\t*sampleNumber = sampNum;\n\t\t\t\tinserted = 
1;\n\t\t\t}\n\t\t\tDTSs[sampNum] = curDTS;\n\t\t\tcurDTS += ent->sampleDelta;\n\t\t\tsampNum ++;\n\t\t}\n\t}\n\tif (!inserted) {\n\t\tgf_free(DTSs);\n\t\treturn GF_BAD_PARAM;\n\t}\n\n\t/*we will at most insert 3 new entries*/\n\tif (stts->nb_entries+3 >= stts->alloc_size) {\n\t\tstts->alloc_size += 3;\n\t\tstts->entries = gf_realloc(stts->entries, sizeof(GF_SttsEntry)*stts->alloc_size);\n\t\tif (!stts->entries) return GF_OUT_OF_MEM;\n\t\tmemset(&stts->entries[stts->nb_entries], 0, sizeof(GF_SttsEntry)*(stts->alloc_size - stts->nb_entries) );\n\t}\n\n\t/*repack the DTSs*/\n\tj=0;\n\tstts->nb_entries = 1;\n\tstts->entries[0].sampleCount = 1;\n\tstts->entries[0].sampleDelta = (u32) DTSs[1] /* - (DTS[0] which is 0)*/;\n\tfor (i=1; iSampleSize->sampleCount+1; i++) {\n\t\tif (i == stbl->SampleSize->sampleCount) {\n\t\t\t//and by default, our last sample has the same delta as the prev\n\t\t\tstts->entries[j].sampleCount++;\n\t\t} else if (stts->entries[j].sampleDelta == (u32) ( DTSs[i+1] - DTSs[i]) ) {\n\t\t\tstts->entries[j].sampleCount ++;\n\t\t} else {\n\t\t\tstts->nb_entries ++;\n\t\t\tj++;\n\t\t\tstts->entries[j].sampleCount = 1;\n\t\t\tstts->entries[j].sampleDelta = (u32) (DTSs[i+1] - DTSs[i]);\n\t\t}\n\t}\n\tgf_free(DTSs);\n\n\t//reset the cache to the end\n\tstts->w_currentSampleNum = stbl->SampleSize->sampleCount + 1;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 12676770305267651697988476914739444354, "size": 176, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267878 }, { "func": "void PrintCoreUsage()\n{\n\tgf_sys_format_help(helpout, help_flags, \"# libgpac core options\\n\");\n\tgf_sys_print_core_help(helpout, 0, GF_ARGMODE_ALL, 0);\n}", "project": "gpac", "hash": 309900858615532199472319609929074818085, "size": 5, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244404 }, { "func": "Bool 
Media_IsSampleSyncShadow(GF_ShadowSyncBox *stsh, u32 sampleNumber)\n{\n\tu32 i;\n\tGF_StshEntry *ent;\n\tif (!stsh) return 0;\n\ti=0;\n\twhile ((ent = (GF_StshEntry*)gf_list_enum(stsh->entries, &i))) {\n\t\tif ((u32) ent->syncSampleNumber == sampleNumber) return 1;\n\t\telse if ((u32) ent->syncSampleNumber > sampleNumber) return 0;\n\t}\n\treturn 0;\n}", "project": "gpac", "hash": 35253940332987658666508891158697529257, "size": 12, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231620 }, { "func": "static GF_Err isom_set_protected_entry(GF_ISOFile *the_file, u32 trackNumber, u32 desc_index, u8 version, u32 flags,\n u32 scheme_type, u32 scheme_version, char *scheme_uri, Bool is_isma, GF_ProtectionSchemeInfoBox **out_sinf)\n{\n\tu32 original_format;\n\tGF_Err e;\n\tGF_SampleEntryBox *sea;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\tGF_TrackBox *trak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\te = Media_GetSampleDesc(trak->Media, desc_index, &sea, NULL);\n\tif (e) return e;\n\n\toriginal_format = sea->type;\n\tif (original_format==GF_ISOM_BOX_TYPE_GNRA) {\n\t\toriginal_format = ((GF_GenericAudioSampleEntryBox*)sea)->EntryType;\n\t} else if (original_format==GF_ISOM_BOX_TYPE_GNRV) {\n\t\toriginal_format = ((GF_GenericVisualSampleEntryBox*)sea)->EntryType;\n\t} else if (original_format==GF_ISOM_BOX_TYPE_GNRM) {\n\t\toriginal_format = ((GF_GenericSampleEntryBox*)sea)->EntryType;\n\t}\n\n\t/* Replacing the Media Type */\n\tswitch (sea->type) {\n\tcase GF_ISOM_BOX_TYPE_MP4A:\n\tcase GF_ISOM_BOX_TYPE_DAMR:\n\tcase GF_ISOM_BOX_TYPE_DEVC:\n\tcase GF_ISOM_BOX_TYPE_DQCP:\n\tcase GF_ISOM_BOX_TYPE_DSMV:\n\tcase GF_ISOM_BOX_TYPE_AC3:\n\tcase GF_ISOM_BOX_TYPE_EC3:\n\t\tsea->type = GF_ISOM_BOX_TYPE_ENCA;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_MP4V:\n\tcase GF_ISOM_BOX_TYPE_D263:\n\t\tsea->type = GF_ISOM_BOX_TYPE_ENCV;\n\t\tbreak;\n\t/*special case for 
AVC1*/\n\tcase GF_ISOM_BOX_TYPE_AVC1:\n\tcase GF_ISOM_BOX_TYPE_AVC2:\n\tcase GF_ISOM_BOX_TYPE_AVC3:\n\tcase GF_ISOM_BOX_TYPE_AVC4:\n\tcase GF_ISOM_BOX_TYPE_SVC1:\n\tcase GF_ISOM_BOX_TYPE_MVC1:\n\t\tif (is_isma)\n\t\t\toriginal_format = GF_ISOM_BOX_TYPE_264B;\n\t\tsea->type = GF_ISOM_BOX_TYPE_ENCV;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_HVC1:\n\tcase GF_ISOM_BOX_TYPE_HEV1:\n\tcase GF_ISOM_BOX_TYPE_HVC2:\n\tcase GF_ISOM_BOX_TYPE_HEV2:\n\tcase GF_ISOM_BOX_TYPE_LHE1:\n\tcase GF_ISOM_BOX_TYPE_LHV1:\n\tcase GF_ISOM_BOX_TYPE_HVT1:\n\t\tif (is_isma)\n\t\t\toriginal_format = GF_ISOM_BOX_TYPE_265B;\n\t\tsea->type = GF_ISOM_BOX_TYPE_ENCV;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_VVC1:\n\tcase GF_ISOM_BOX_TYPE_VVI1:\n\t\tsea->type = GF_ISOM_BOX_TYPE_ENCV;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_VP09:\n\t\tsea->type = GF_ISOM_BOX_TYPE_ENCV;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_AV01:\n\t\tsea->type = GF_ISOM_BOX_TYPE_ENCV;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_MP4S:\n\tcase GF_ISOM_BOX_TYPE_LSR1:\n\t\tsea->type = GF_ISOM_BOX_TYPE_ENCS;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_STXT:\n\tcase GF_ISOM_BOX_TYPE_WVTT:\n\tcase GF_ISOM_BOX_TYPE_STPP:\n\t\tsea->type = GF_ISOM_BOX_TYPE_ENCT;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_ENCA:\n\tcase GF_ISOM_BOX_TYPE_ENCV:\n\tcase GF_ISOM_BOX_TYPE_ENCT:\n\tcase GF_ISOM_BOX_TYPE_ENCM:\n\tcase GF_ISOM_BOX_TYPE_ENCF:\n\tcase GF_ISOM_BOX_TYPE_ENCS:\n\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] cannot set protection entry: file is already encrypted.\\n\"));\n\t\treturn GF_BAD_PARAM;\n\tdefault:\n\t\tif (sea->internal_type == GF_ISOM_SAMPLE_ENTRY_AUDIO) {\n\t\t\tsea->type = GF_ISOM_BOX_TYPE_ENCA;\n\t\t} else if (sea->internal_type == GF_ISOM_SAMPLE_ENTRY_VIDEO) {\n\t\t\tsea->type = GF_ISOM_BOX_TYPE_ENCV;\n\t\t} else {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] unsupported entry type %s for CENC.\\n\", gf_4cc_to_str(sea->type) ));\n\t\t\treturn GF_BAD_PARAM;\n\t\t}\n\t}\n\n\tsinf = (GF_ProtectionSchemeInfoBox 
*)gf_isom_box_new_parent(&sea->child_boxes, GF_ISOM_BOX_TYPE_SINF);\n\tif (!sinf) return GF_OUT_OF_MEM;\n\n\tsinf->scheme_type = (GF_SchemeTypeBox *)gf_isom_box_new_parent(&sinf->child_boxes, GF_ISOM_BOX_TYPE_SCHM);\n\tif (!sinf->scheme_type) return GF_OUT_OF_MEM;\n\n\tsinf->scheme_type->version = version;\n\tsinf->scheme_type->flags = flags;\n\tsinf->scheme_type->scheme_type = scheme_type;\n\tsinf->scheme_type->scheme_version = scheme_version;\n\tif (scheme_uri && (sinf->scheme_type->flags == 1)) {\n\t\tsinf->scheme_type->URI = (char *)gf_malloc(sizeof(char)*strlen(scheme_uri));\n\t\tif (!sinf->scheme_type->URI) return GF_OUT_OF_MEM;\n\t\tmemmove(sinf->scheme_type->URI, scheme_uri, strlen(scheme_uri));\n\t}\n\n\tsinf->original_format = (GF_OriginalFormatBox *)gf_isom_box_new_parent(&sinf->child_boxes, GF_ISOM_BOX_TYPE_FRMA);\n\tif (!sinf->original_format) return GF_OUT_OF_MEM;\n\tsinf->original_format->data_format = original_format;\n\n\t//common to isma, cenc and oma\n\tsinf->info = (GF_SchemeInformationBox *)gf_isom_box_new_parent(&sinf->child_boxes, GF_ISOM_BOX_TYPE_SCHI);\n\n\t*out_sinf = sinf;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 86217184798869379669706340407795939803, "size": 123, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275436 }, { "func": "}\n\nvoid dump_mpeg2_ts(char *mpeg2ts_file, char *out_name, Bool prog_num)\n{\n\tu8 data[188];\n\tGF_M2TS_Dump dumper;\n\n\tu32 size;\n\tu64 fsize, fdone;\n\tGF_M2TS_Demuxer *ts;\n\tFILE *src;\n\n\tif (!prog_num && !out_name) {\n\t\tfprintf(stderr, \"No program number nor output filename specified. 
No timestamp file will be generated.\");\n\t}\n\n\tsrc = gf_fopen(mpeg2ts_file, \"rb\");\n\tif (!src) {\n\t\tM4_LOG(GF_LOG_ERROR, (\"Cannot open %s: no such file\\n\", mpeg2ts_file));\n\t\treturn;\n\t}\n\tts = gf_m2ts_demux_new();\n\tts->on_event = on_m2ts_dump_event;\n\tts->notify_pes_timing = 1;\n\tmemset(&dumper, 0, sizeof(GF_M2TS_Dump));\n\tts->user = &dumper;\n\tdumper.prog_number = prog_num;\n\n\t/*PES dumping*/\n\tif (out_name) {\n\t\tchar *pid = strrchr(out_name, '#');\n\t\tif (pid) {\n\t\t\tdumper.dump_pid = atoi(pid+1);\n\t\t\tpid[0] = 0;\n\t\t\tsprintf(dumper.dump, \"%s_%d.raw\", out_name, dumper.dump_pid);\n\t\t\tdumper.pes_out = gf_fopen(dumper.dump, \"wb\");\n#if 0\n\t\t\tsprintf(dumper.nhml, \"%s_%d.nhml\", pes_out_name, dumper.dump_pid);\n\t\t\tdumper.pes_out_nhml = gf_fopen(dumper.nhml, \"wt\");\n\t\t\tsprintf(dumper.info, \"%s_%d.info\", pes_out_name, dumper.dump_pid);\n\t\t\tdumper.pes_out_info = gf_fopen(dumper.info, \"wb\");\n#endif\n\t\t\tpid[0] = '#';\n\t\t}\n\t}\n\n\tgf_fseek(src, 0, SEEK_END);\n\tfsize = gf_ftell(src);\n\tgf_fseek(src, 0, SEEK_SET);\n\n\t/* first loop to process all packets between two PAT, and assume all signaling was found between these 2 PATs */\n\twhile (!feof(src)) {\n\t\tsize = (u32) gf_fread(data, 188, src);\n\t\tif (size<188) break;\n\n\t\tgf_m2ts_process_data(ts, data, size);\n\t\tif (dumper.has_seen_pat) break;\n\t}\n\tdumper.has_seen_pat = GF_TRUE;\n\n\tif (!prog_num) {\n\t\tGF_M2TS_Program *p = gf_list_get(ts->programs, 0);\n\t\tif (p) prog_num = p->number;\n\t\tfprintf(stderr, \"No program number specified, defaulting to first program\\n\");\n\t}\n\n\tif (!prog_num && !out_name) {\n\t\tfprintf(stderr, \"No program number nor output filename specified. 
No timestamp file will be generated\\n\");\n\t}\n\n\tif (prog_num) {\n\t\tsprintf(dumper.timestamps_info_name, \"%s_prog_%d_timestamps.txt\", mpeg2ts_file, prog_num/*, mpeg2ts_file*/);\n\t\tdumper.timestamps_info_file = gf_fopen(dumper.timestamps_info_name, \"wt\");\n\t\tif (!dumper.timestamps_info_file) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Cannot open file %s\\n\", dumper.timestamps_info_name));\n\t\t\treturn;\n\t\t}\n\t\tfprintf(dumper.timestamps_info_file, \"PCK#\\tPID\\tPCR\\tDTS\\tPTS\\tRAP\\tDiscontinuity\\tDTS-PCR Diff\\n\");\n\t}\n\n\tgf_m2ts_reset_parsers(ts);\n\tgf_fseek(src, 0, SEEK_SET);\n\tfdone = 0;\n\n\twhile (!feof(src)) {\n\t\tsize = (u32) gf_fread(data, 188, src);\n\t\tif (size<188) break;\n\n\t\tgf_m2ts_process_data(ts, data, size);\n\n\t\tfdone += size;\n\t\tgf_set_progress(\"MPEG-2 TS Parsing\", fdone, fsize);\n\t}\n\n\tgf_fclose(src);\n\tgf_m2ts_demux_del(ts);\n\tif (dumper.pes_out) gf_fclose(dumper.pes_out);\n#if 0\n\tif (dumper.pes_out_nhml) {\n\t\tif (dumper.is_info_dumped) fprintf(dumper.pes_out_nhml, \"\\n\");\n\t\tgf_fclose(dumper.pes_out_nhml);\n\t\tgf_fclose(dumper.pes_out_info);\n\t}\n#endif", "project": "gpac", "hash": 98555357099013798849598770000105739728, "size": 104, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243214 }, { "func": "}\n\nvoid dump_mpeg2_ts(char *mpeg2ts_file, char *out_name, Bool prog_num)\n{\n\tu8 data[188];\n\tGF_M2TS_Dump dumper;\n\n\tu32 size;\n\tu64 fsize, fdone;\n\tGF_M2TS_Demuxer *ts;\n\tFILE *src;\n\n\tif (!prog_num && !out_name) {\n\t\tfprintf(stderr, \"No program number nor output filename specified. 
No timestamp file will be generated.\");\n\t}\n\n\tsrc = gf_fopen(mpeg2ts_file, \"rb\");\n\tif (!src) {\n\t\tfprintf(stderr, \"Cannot open %s: no such file\\n\", mpeg2ts_file);\n\t\treturn;\n\t}\n\tts = gf_m2ts_demux_new();\n\tts->on_event = on_m2ts_dump_event;\n\tts->notify_pes_timing = 1;\n\tmemset(&dumper, 0, sizeof(GF_M2TS_Dump));\n\tts->user = &dumper;\n\tdumper.prog_number = prog_num;\n\n\t/*PES dumping*/\n\tif (out_name) {\n\t\tchar *pid = strrchr(out_name, '#');\n\t\tif (pid) {\n\t\t\tdumper.dump_pid = atoi(pid+1);\n\t\t\tpid[0] = 0;\n\t\t\tsprintf(dumper.dump, \"%s_%d.raw\", out_name, dumper.dump_pid);\n\t\t\tdumper.pes_out = gf_fopen(dumper.dump, \"wb\");\n#if 0\n\t\t\tsprintf(dumper.nhml, \"%s_%d.nhml\", pes_out_name, dumper.dump_pid);\n\t\t\tdumper.pes_out_nhml = gf_fopen(dumper.nhml, \"wt\");\n\t\t\tsprintf(dumper.info, \"%s_%d.info\", pes_out_name, dumper.dump_pid);\n\t\t\tdumper.pes_out_info = gf_fopen(dumper.info, \"wb\");\n#endif\n\t\t\tpid[0] = '#';\n\t\t}\n\t}\n\n\tgf_fseek(src, 0, SEEK_END);\n\tfsize = gf_ftell(src);\n\tgf_fseek(src, 0, SEEK_SET);\n\n\t/* first loop to process all packets between two PAT, and assume all signaling was found between these 2 PATs */\n\twhile (!feof(src)) {\n\t\tsize = (u32) gf_fread(data, 188, src);\n\t\tif (size<188) break;\n\n\t\tgf_m2ts_process_data(ts, data, size);\n\t\tif (dumper.has_seen_pat) break;\n\t}\n\tdumper.has_seen_pat = GF_TRUE;\n\n\tif (!prog_num) {\n\t\tGF_M2TS_Program *p = gf_list_get(ts->programs, 0);\n\t\tif (p) prog_num = p->number;\n\t\tfprintf(stderr, \"No program number specified, defaulting to first program\\n\");\n\t}\n\n\tif (!prog_num && !out_name) {\n\t\tfprintf(stderr, \"No program number nor output filename specified. 
No timestamp file will be generated\\n\");\n\t}\n\n\tif (prog_num) {\n\t\tsprintf(dumper.timestamps_info_name, \"%s_prog_%d_timestamps.txt\", mpeg2ts_file, prog_num/*, mpeg2ts_file*/);\n\t\tdumper.timestamps_info_file = gf_fopen(dumper.timestamps_info_name, \"wt\");\n\t\tif (!dumper.timestamps_info_file) {\n\t\t\tfprintf(stderr, \"Cannot open file %s\\n\", dumper.timestamps_info_name);\n\t\t\treturn;\n\t\t}\n\t\tfprintf(dumper.timestamps_info_file, \"PCK#\\tPID\\tPCR\\tDTS\\tPTS\\tRAP\\tDiscontinuity\\tDTS-PCR Diff\\n\");\n\t}\n\n\tgf_m2ts_reset_parsers(ts);\n\tgf_fseek(src, 0, SEEK_SET);\n\tfdone = 0;\n\n\twhile (!feof(src)) {\n\t\tsize = (u32) gf_fread(data, 188, src);\n\t\tif (size<188) break;\n\n\t\tgf_m2ts_process_data(ts, data, size);\n\n\t\tfdone += size;\n\t\tgf_set_progress(\"MPEG-2 TS Parsing\", fdone, fsize);\n\t}\n\n\tgf_fclose(src);\n\tgf_m2ts_demux_del(ts);\n\tif (dumper.pes_out) gf_fclose(dumper.pes_out);\n#if 0\n\tif (dumper.pes_out_nhml) {\n\t\tif (dumper.is_info_dumped) fprintf(dumper.pes_out_nhml, \"\\n\");\n\t\tgf_fclose(dumper.pes_out_nhml);\n\t\tgf_fclose(dumper.pes_out_info);\n\t}\n#endif", "project": "gpac", "hash": 8682523957251011705826283012012939932, "size": 104, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249551 }, { "func": "GF_Err gf_isom_set_extraction_slc(GF_ISOFile *the_file, u32 trackNumber, u32 StreamDescriptionIndex, const GF_SLConfig *slConfig)\n{\n\tGF_TrackBox *trak;\n\tGF_SampleEntryBox *entry;\n\tGF_Err e;\n\tGF_SLConfig **slc;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\te = Media_GetSampleDesc(trak->Media, StreamDescriptionIndex, &entry, NULL);\n\tif (e) return e;\n\n\t//we must be sure we are not using a remote ESD\n\tswitch (entry->type) {\n\tcase GF_ISOM_BOX_TYPE_MP4S:\n\t\tif (((GF_MPEGSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return 
GF_BAD_PARAM;\n\t\tslc = & ((GF_MPEGSampleEntryBox *)entry)->slc;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_MP4A:\n\t\tif (((GF_MPEGAudioSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM;\n\t\tslc = & ((GF_MPEGAudioSampleEntryBox *)entry)->slc;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_MP4V:\n\t\tif (((GF_MPEGVisualSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM;\n\t\tslc = & ((GF_MPEGVisualSampleEntryBox *)entry)->slc;\n\t\tbreak;\n\tdefault:\n\t\treturn GF_BAD_PARAM;\n\t}\n\n\tif (*slc) {\n\t\tgf_odf_desc_del((GF_Descriptor *)*slc);\n\t\t*slc = NULL;\n\t}\n\tif (!slConfig) return GF_OK;\n\t//finally duplicate the SL\n\treturn gf_odf_desc_copy((GF_Descriptor *) slConfig, (GF_Descriptor **) slc);\n}", "project": "gpac", "hash": 24076123659296712931521214875422093085, "size": 39, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 1, "dataset": "other", "idx": 197972 }, { "func": "GF_Err gf_isom_set_extraction_slc(GF_ISOFile *the_file, u32 trackNumber, u32 StreamDescriptionIndex, const GF_SLConfig *slConfig)\n{\n\tGF_TrackBox *trak;\n\tGF_SampleEntryBox *entry;\n\tGF_Err e;\n\tGF_SLConfig **slc;\n\tGF_ESDBox *esds;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\te = Media_GetSampleDesc(trak->Media, StreamDescriptionIndex, &entry, NULL);\n\tif (e) return e;\n\n\t//we must be sure we are not using a remote ESD\n\tswitch (entry->type) {\n\tcase GF_ISOM_BOX_TYPE_MP4S:\n\t\tesds = ((GF_MPEGSampleEntryBox *)entry)->esd;\n\t\tif (!esds || !esds->desc || !esds->desc->slConfig || (esds->desc->slConfig->predefined != SLPredef_MP4))\n\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\tslc = & ((GF_MPEGSampleEntryBox *)entry)->slc;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_MP4A:\n\t\tesds = ((GF_MPEGAudioSampleEntryBox *)entry)->esd;\n\t\tif (!esds || !esds->desc || !esds->desc->slConfig || 
(esds->desc->slConfig->predefined != SLPredef_MP4))\n\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\tslc = & ((GF_MPEGAudioSampleEntryBox *)entry)->slc;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_MP4V:\n\t\tesds = ((GF_MPEGVisualSampleEntryBox *)entry)->esd;\n\t\tif (!esds || !esds->desc || !esds->desc->slConfig || (esds->desc->slConfig->predefined != SLPredef_MP4))\n\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\tslc = & ((GF_MPEGVisualSampleEntryBox *)entry)->slc;\n\t\tbreak;\n\tdefault:\n\t\treturn GF_BAD_PARAM;\n\t}\n\n\tif (*slc) {\n\t\tgf_odf_desc_del((GF_Descriptor *)*slc);\n\t\t*slc = NULL;\n\t}\n\tif (!slConfig) return GF_OK;\n\t//finally duplicate the SL\n\treturn gf_odf_desc_copy((GF_Descriptor *) slConfig, (GF_Descriptor **) slc);\n}", "project": "gpac", "hash": 79050086611319345080140881300149105018, "size": 46, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267193 }, { "func": "GF_Err gf_isom_set_root_od_id(GF_ISOFile *movie, u32 OD_ID)\n{\n\tGF_Err e;\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\te = gf_isom_insert_moov(movie);\n\tif (e) return e;\n\tif (!movie->moov->iods) {\n\t\te = AddMovieIOD(movie->moov, 0);\n\t\tif (e) return e;\n\t}\n\n\tswitch (movie->moov->iods->descriptor->tag) {\n\tcase GF_ODF_ISOM_OD_TAG:\n\t\t((GF_IsomObjectDescriptor *)movie->moov->iods->descriptor)->objectDescriptorID = OD_ID;\n\t\tbreak;\n\tcase GF_ODF_ISOM_IOD_TAG:\n\t\t((GF_IsomInitialObjectDescriptor *)movie->moov->iods->descriptor)->objectDescriptorID = OD_ID;\n\t\tbreak;\n\tdefault:\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 331202565385710446708134838921530415665, "size": 25, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267196 }, { "func": "GF_Err gf_isom_clone_root_od(GF_ISOFile *input, GF_ISOFile *output)\n{\n\tGF_List *esds;\n\tGF_Err e;\n\tu32 
i;\n\tGF_Descriptor *desc;\n\n\te = gf_isom_remove_root_od(output);\n\tif (e) return e;\n\tif (!input->moov || !input->moov->iods || !input->moov->iods->descriptor) return GF_OK;\n\te = gf_isom_insert_moov(output);\n\tif (e) return e;\n\te = AddMovieIOD(output->moov, 0);\n\tif (e) return e;\n\tif (output->moov->iods->descriptor) gf_odf_desc_del(output->moov->iods->descriptor);\n\toutput->moov->iods->descriptor = NULL;\n\tgf_odf_desc_copy(input->moov->iods->descriptor, &output->moov->iods->descriptor);\n\n\tswitch (output->moov->iods->descriptor->tag) {\n\tcase GF_ODF_ISOM_IOD_TAG:\n\t\tesds = ((GF_IsomInitialObjectDescriptor *)output->moov->iods->descriptor)->ES_ID_IncDescriptors;\n\t\tbreak;\n\tcase GF_ODF_ISOM_OD_TAG:\n\t\tesds = ((GF_IsomObjectDescriptor *)output->moov->iods->descriptor)->ES_ID_IncDescriptors;\n\t\tbreak;\n\tdefault:\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\n\t//get the desc\n\ti=0;\n\twhile ((desc = (GF_Descriptor*)gf_list_enum(esds, &i))) {\n\t\tgf_odf_desc_del(desc);\n\t\tgf_list_rem(esds, i-1);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 21301798810098219665360963662449463342, "size": 37, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267217 }, { "func": "GF_Err gf_isom_add_uuid(GF_ISOFile *movie, u32 trackNumber, bin128 UUID, const u8 *data, u32 data_size)\n{\n\tGF_List *list;\n u32 btype;\n\tGF_Box *box;\n\tGF_UnknownUUIDBox *uuidb;\n\n\tif (data_size && !data) return GF_BAD_PARAM;\n\tif (trackNumber==(u32) -1) {\n\t\tif (!movie) return GF_BAD_PARAM;\n\t\tlist = movie->TopBoxes;\n\t} else if (trackNumber) {\n\t\tGF_TrackBox *trak = gf_isom_get_track_from_file(movie, trackNumber);\n\t\tif (!trak) return GF_BAD_PARAM;\n\t\tif (!trak->child_boxes) trak->child_boxes = gf_list_new();\n\t\tlist = trak->child_boxes;\n\t} else {\n\t\tif (!movie) return GF_BAD_PARAM;\n\t\tif (!movie->moov->child_boxes) movie->moov->child_boxes = gf_list_new();\n\t\tlist = 
movie->moov->child_boxes;\n\t}\n btype = gf_isom_solve_uuid_box((char *) UUID);\n if (!btype) btype = GF_ISOM_BOX_TYPE_UUID;\n box = gf_isom_box_new(btype);\n if (!box) return GF_OUT_OF_MEM;\n\tuuidb = (GF_UnknownUUIDBox*)box;\n\tuuidb->internal_4cc = gf_isom_solve_uuid_box((char *) UUID);\n\tmemcpy(uuidb->uuid, UUID, sizeof(bin128));\n\tuuidb->dataSize = data_size;\n\tif (data_size) {\n\t\tuuidb->data = (char*)gf_malloc(sizeof(char)*data_size);\n\t\tif (!uuidb->data) return GF_OUT_OF_MEM;\n\t\tmemcpy(uuidb->data, data, sizeof(char)*data_size);\n\t}\n\tgf_list_add(list, uuidb);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 87372918331138229531976661561840639837, "size": 37, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267308 }, { "func": "GF_Err gf_isom_add_user_data_boxes(GF_ISOFile *movie, u32 trackNumber, u8 *data, u32 DataLength)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\tGF_UserDataBox *udta;\n\tGF_BitStream *bs;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\tif (trackNumber) {\n\t\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\t\tif (!trak) return GF_BAD_PARAM;\n\t\tif (!trak->udta) trak_on_child_box((GF_Box*)trak, gf_isom_box_new_parent(&trak->child_boxes, GF_ISOM_BOX_TYPE_UDTA), GF_FALSE);\n\t\tudta = trak->udta;\n\t} else {\n\t\tif (!movie->moov) return GF_BAD_PARAM;\n\t\tif (!movie->moov->udta) moov_on_child_box((GF_Box*)movie->moov, gf_isom_box_new_parent(&movie->moov->child_boxes, GF_ISOM_BOX_TYPE_UDTA), GF_FALSE);\n\t\tudta = movie->moov->udta;\n\t}\n\tif (!udta) return GF_OUT_OF_MEM;\n\n\tbs = gf_bs_new(data, DataLength, GF_BITSTREAM_READ);\n\twhile (gf_bs_available(bs)) {\n\t\tGF_Box *a;\n\t\te = gf_isom_box_parse(&a, bs);\n\t\tif (e) break;\n\t\te = udta_on_child_box((GF_Box *)udta, a, GF_FALSE);\n\t\tif (e) break;\n\t}\n\tgf_bs_del(bs);\n\treturn e;\n}", "project": "gpac", "hash": 227603523523679826516892691549889297265, "size": 
33, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267248 }, { "func": "static GF_Err isom_cenc_get_sai_by_saiz_saio(GF_MediaBox *mdia, u32 sampleNumber, u32 scheme_type, u8 **out_buffer, u32 *out_size)\n{\n\tu32 prev_sai_size, size, i, j, nb_saio;\n\tu64 cur_position, offset;\n\tGF_Err e = GF_OK;\n\tGF_SampleAuxiliaryInfoOffsetBox *saio_cenc=NULL;\n\tGF_SampleAuxiliaryInfoSizeBox *saiz_cenc=NULL;\n\tnb_saio = size = prev_sai_size = 0;\n\toffset = 0;\n\n\tif (! out_buffer || !out_size) return GF_BAD_PARAM;\n\n\tfor (i = 0; i < gf_list_count(mdia->information->sampleTable->sai_offsets); i++) {\n\t\tGF_SampleAuxiliaryInfoOffsetBox *saio = (GF_SampleAuxiliaryInfoOffsetBox *)gf_list_get(mdia->information->sampleTable->sai_offsets, i);\n\t\tu32 aux_info_type = saio->aux_info_type;\n\t\tif (!aux_info_type) aux_info_type = scheme_type;\n\n\t\tswitch (aux_info_type) {\n\t\tcase GF_ISOM_CENC_SCHEME:\n\t\tcase GF_ISOM_CBC_SCHEME:\n\t\tcase GF_ISOM_CENS_SCHEME:\n\t\tcase GF_ISOM_CBCS_SCHEME:\n\t\tcase GF_ISOM_PIFF_SCHEME:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (saio->entry_count == 1)\n\t\t\toffset = saio->offsets[0];\n\t\telse\n\t\t\toffset = saio->offsets[sampleNumber-1];\n\t\tnb_saio = saio->entry_count;\n\t\tsaio_cenc = saio;\n\t\tbreak;\n\t}\n\tif (!saio_cenc) return GF_ISOM_INVALID_FILE;\n\n\tfor (i = 0; i < gf_list_count(mdia->information->sampleTable->sai_sizes); i++) {\n\t\tGF_SampleAuxiliaryInfoSizeBox *saiz = (GF_SampleAuxiliaryInfoSizeBox *)gf_list_get(mdia->information->sampleTable->sai_sizes, i);\n\t\tu32 aux_info_type = saiz->aux_info_type;\n\t\tif (!aux_info_type) aux_info_type = scheme_type;\n\n\t\tswitch (aux_info_type) {\n\t\tcase GF_ISOM_CENC_SCHEME:\n\t\tcase GF_ISOM_CBC_SCHEME:\n\t\tcase GF_ISOM_CENS_SCHEME:\n\t\tcase GF_ISOM_CBCS_SCHEME:\n\t\tcase GF_ISOM_PIFF_SCHEME:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tcontinue;\n\t\t}\n\t\tif 
(sampleNumber>saiz->sample_count) {\n\t\t\treturn GF_NON_COMPLIANT_BITSTREAM;\n\t\t}\n\t\tif ((nb_saio==1) && !saio_cenc->total_size) {\n\t\t\tfor (j = 0; j < saiz->sample_count; j++) {\n\t\t\t\tsaio_cenc->total_size += saiz->default_sample_info_size ? saiz->default_sample_info_size : saiz->sample_info_size[j];\n\t\t\t}\n\t\t}\n\t\tif (saiz->cached_sample_num+1== sampleNumber) {\n\t\t\tprev_sai_size = saiz->cached_prev_size;\n\t\t} else {\n\t\t\tfor (j = 0; j < sampleNumber-1; j++)\n\t\t\t\tprev_sai_size += saiz->default_sample_info_size ? saiz->default_sample_info_size : saiz->sample_info_size[j];\n\t\t}\n\t\tsize = saiz->default_sample_info_size ? saiz->default_sample_info_size : saiz->sample_info_size[sampleNumber-1];\n\t\tsaiz_cenc=saiz;\n\t\tbreak;\n\t}\n\tif (!saiz_cenc) return GF_BAD_PARAM;\n\n\tsaiz_cenc->cached_sample_num = sampleNumber;\n\tsaiz_cenc->cached_prev_size = prev_sai_size + size;\n\n\tif (saio_cenc->total_size) {\n\t\tif (!saio_cenc->cached_data) {\n\t\t\tsaio_cenc->cached_data = gf_malloc(sizeof(u8)*saio_cenc->total_size);\n\t\t\tif (!saio_cenc->cached_data) return GF_OUT_OF_MEM;\n\t\t\tcur_position = gf_bs_get_position(mdia->information->dataHandler->bs);\n\t\t\tgf_bs_seek(mdia->information->dataHandler->bs, offset);\n\t\t\tgf_bs_read_data(mdia->information->dataHandler->bs, saio_cenc->cached_data, saio_cenc->total_size);\n\t\t\tgf_bs_seek(mdia->information->dataHandler->bs, cur_position);\n\t\t}\n\t\tif (out_size) {\n\t\t\tif (out_buffer) {\n\t\t\t\tif ((*out_size) < size) {\n\t\t\t\t\t(*out_buffer) = gf_realloc((*out_buffer), sizeof(char)*(size) );\n\t\t\t\t\tif (! *out_buffer) return GF_OUT_OF_MEM;\n\t\t\t\t}\n\t\t\t\tmemcpy((*out_buffer), saio_cenc->cached_data + prev_sai_size, size);\n\t\t\t}\n\t\t\t(*out_size) = size;\n\t\t}\n\t\treturn GF_OK;\n\t}\n\n\toffset += (nb_saio == 1) ? 
prev_sai_size : 0;\n\tcur_position = gf_bs_get_position(mdia->information->dataHandler->bs);\n\tgf_bs_seek(mdia->information->dataHandler->bs, offset);\n\n\tif (out_buffer) {\n\t\tif ((*out_size) < size) {\n\t\t\t(*out_buffer) = gf_realloc((*out_buffer), sizeof(char)*(size) );\n\t\t\tif (! *out_buffer) return GF_OUT_OF_MEM;\n\t\t}\n\t\tgf_bs_read_data(mdia->information->dataHandler->bs, (*out_buffer), size);\n\t}\n\t(*out_size) = size;\n\n\tgf_bs_seek(mdia->information->dataHandler->bs, cur_position);\n\n\treturn e;\n}", "project": "gpac", "hash": 197467620805629474629716623815502248476, "size": 115, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275421 }, { "func": "static Bool parse_meta_args(MetaAction *meta, MetaActionType act_type, char *opts)\n{\n\tBool ret = 0;\n\n\tmemset(meta, 0, sizeof(MetaAction));\n\tmeta->act_type = act_type;\n\tmeta->trackID = 0;\n\tmeta->root_meta = 1;\n\n\tif (!opts) return 0;\n\twhile (1) {\n\t\tchar *next;\n\t\tchar *szSlot;\n\t\tif (!opts || !opts[0]) return ret;\n\t\tif (opts[0]==':') opts += 1;\n\n\t\tszSlot = opts;\n\t\tnext = gf_url_colon_suffix(opts);\n\t\tif (next) next[0] = 0;\n\n\t\tif (!strnicmp(szSlot, \"tk=\", 3)) {\n\t\t\tsscanf(szSlot, \"tk=%u\", &meta->trackID);\n\t\t\tmeta->root_meta = 0;\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"id=\", 3)) {\n\t\t\tmeta->item_id = atoi(szSlot+3);\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"type=\", 5)) {\n\t\t\tmeta->item_type = GF_4CC(szSlot[5], szSlot[6], szSlot[7], szSlot[8]);\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"ref=\", 4)) {\n\t\t\tchar type[10];\n\t\t\tsscanf(szSlot, \"ref=%9s,%u\", type, &meta->ref_item_id);\n\t\t\tmeta->ref_type = GF_4CC(type[0], type[1], type[2], type[3]);\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"name=\", 5)) {\n\t\t\tmeta->szName = gf_strdup(szSlot+5);\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"path=\", 
5)) {\n\t\t\tmeta->szPath = gf_strdup(szSlot+5);\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"mime=\", 5)) {\n\t\t\tmeta->item_type = GF_META_ITEM_TYPE_MIME;\n\t\t\tmeta->mime_type = gf_strdup(szSlot+5);\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"encoding=\", 9)) {\n\t\t\tmeta->enc_type = gf_strdup(szSlot+9);\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"image-size=\", 11)) {\n\t\t\tif (!meta->image_props) {\n\t\t\t\tGF_SAFEALLOC(meta->image_props, GF_ImageItemProperties);\n\t\t\t\tif (!meta->image_props) return 0;\n\t\t\t}\n\n\t\t\tsscanf(szSlot+11, \"%dx%d\", &meta->image_props->width, &meta->image_props->height);\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"image-pasp=\", 11)) {\n\t\t\tif (!meta->image_props) {\n\t\t\t\tGF_SAFEALLOC(meta->image_props, GF_ImageItemProperties);\n\t\t\t\tif (!meta->image_props) return 0;\n\t\t\t}\n\t\t\tsscanf(szSlot+11, \"%dx%d\", &meta->image_props->hSpacing, &meta->image_props->vSpacing);\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"image-rloc=\", 11)) {\n\t\t\tif (!meta->image_props) {\n\t\t\t\tGF_SAFEALLOC(meta->image_props, GF_ImageItemProperties);\n\t\t\t\tif (!meta->image_props) return 0;\n\t\t\t}\n\t\t\tsscanf(szSlot+11, \"%dx%d\", &meta->image_props->hOffset, &meta->image_props->vOffset);\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"rotation=\", 9)) {\n\t\t\tif (!meta->image_props) {\n\t\t\t\tGF_SAFEALLOC(meta->image_props, GF_ImageItemProperties);\n\t\t\t\tif (!meta->image_props) return 0;\n\t\t\t}\n\t\t\tmeta->image_props->angle = atoi(szSlot+9);\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!stricmp(szSlot, \"hidden\")) {\n\t\t\tif (!meta->image_props) {\n\t\t\t\tGF_SAFEALLOC(meta->image_props, GF_ImageItemProperties);\n\t\t\t\tif (!meta->image_props) return 0;\n\t\t\t}\n\t\t\tmeta->image_props->hidden = GF_TRUE;\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!stricmp(szSlot, \"alpha\")) {\n\t\t\tif (!meta->image_props) {\n\t\t\t\tGF_SAFEALLOC(meta->image_props, 
GF_ImageItemProperties);\n\t\t\t\tif (!meta->image_props) return 0;\n\t\t\t}\n\t\t\tmeta->image_props->alpha = GF_TRUE;\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"time=\", 5)) {\n\t\t\tif (!meta->image_props) {\n\t\t\t\tGF_SAFEALLOC(meta->image_props, GF_ImageItemProperties);\n\t\t\t\tif (!meta->image_props) return 0;\n\t\t\t}\n\t\t\tmeta->image_props->time = atof(szSlot+5);\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!stricmp(szSlot, \"split_tiles\")) {\n\t\t\tif (!meta->image_props) {\n\t\t\t\tGF_SAFEALLOC(meta->image_props, GF_ImageItemProperties);\n\t\t\t\tif (!meta->image_props) return 0;\n\t\t\t}\n\t\t\tmeta->image_props->tile_mode = TILE_ITEM_ALL_BASE;\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!stricmp(szSlot, \"dref\")) {\n\t\t\tmeta->use_dref = 1;\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!stricmp(szSlot, \"primary\")) {\n\t\t\tmeta->primary = 1;\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!stricmp(szSlot, \"binary\")) {\n\t\t\tif (meta->act_type==META_ACTION_SET_XML) meta->act_type=META_ACTION_SET_BINARY_XML;\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!strnicmp(szSlot, \"icc_path=\", 9)) {\n\t\t\tif (!meta->image_props) {\n\t\t\t\tGF_SAFEALLOC(meta->image_props, GF_ImageItemProperties);\n\t\t\t\tif (!meta->image_props) return 0;\n\t\t\t}\n\t\t\tstrcpy(meta->image_props->iccPath, szSlot+9);\n\t\t\tret = 1;\n\t\t}\n\t\telse if (!strchr(szSlot, '=')) {\n\t\t\tswitch (meta->act_type) {\n\t\t\tcase META_ACTION_SET_TYPE:\n\t\t\t\tif (!stricmp(szSlot, \"null\") || !stricmp(szSlot, \"0\")) meta->meta_4cc = 0;\n\t\t\t\telse meta->meta_4cc = GF_4CC(szSlot[0], szSlot[1], szSlot[2], szSlot[3]);\n\t\t\t\tret = 1;\n\t\t\t\tbreak;\n\t\t\tcase META_ACTION_ADD_ITEM:\n\t\t\tcase META_ACTION_ADD_IMAGE_ITEM:\n\t\t\tcase META_ACTION_SET_XML:\n\t\t\tcase META_ACTION_DUMP_XML:\n\t\t\t\tif (!strncmp(szSlot, \"dopt\", 4) || !strncmp(szSlot, \"sopt\", 4) || !strncmp(szSlot, \"@@\", 2)) {\n\t\t\t\t\tif (next) next[0]=':';\n\t\t\t\t\tnext=NULL;\n\t\t\t\t}\n\t\t\t\t//cat as -add 
arg\n\t\t\t\tgf_dynstrcat(&meta->szPath, szSlot, \":\");\n\t\t\t\tret = 1;\n\t\t\t\tbreak;\n\t\t\tcase META_ACTION_REM_ITEM:\n\t\t\tcase META_ACTION_SET_PRIMARY_ITEM:\n\t\t\tcase META_ACTION_DUMP_ITEM:\n\t\t\t\tmeta->item_id = atoi(szSlot);\n\t\t\t\tret = 1;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (!next) break;\n\t\topts += strlen(szSlot);\n\t\tnext[0] = ':';\n\t}\n\treturn ret;\n}", "project": "gpac", "hash": 229102423019629824181536280486461565549, "size": 176, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244405 }, { "func": "GF_Err gf_isom_mvc_config_update(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex, GF_AVCConfig *cfg, Bool is_add)\n{\n\treturn gf_isom_avc_config_update_ex(the_file, trackNumber, DescriptionIndex, cfg, is_add ? 4 : 5, GF_FALSE);\n}", "project": "gpac", "hash": 311701143896340381222006148600226476838, "size": 4, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237601 }, { "func": "Bool gf_isom_box_equal(GF_Box *a, GF_Box *b)\n{\n\tBool ret;\n\tu8 *data1, *data2;\n\tu32 data1_size, data2_size;\n\tGF_BitStream *bs;\n\n\tif (a == b) return GF_TRUE;\n\tif (!a || !b) return GF_FALSE;\n\n\tdata1 = data2 = NULL;\n\n\tbs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\tgf_isom_box_size(a);\n\tgf_isom_box_write(a, bs);\n\tgf_bs_get_content(bs, &data1, &data1_size);\n\tgf_bs_del(bs);\n\n\tbs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\tgf_isom_box_size(b);\n\tgf_isom_box_write(b, bs);\n\tgf_bs_get_content(bs, &data2, &data2_size);\n\tgf_bs_del(bs);\n\n\tret = GF_FALSE;\n\tif (data1_size == data2_size) {\n\t\tret = (memcmp(data1, data2, sizeof(char)*data1_size) == 0) ? 
GF_TRUE : GF_FALSE;\n\t}\n\tgf_free(data1);\n\tgf_free(data2);\n\treturn ret;\n}", "project": "gpac", "hash": 328545770106474233658247667790316990092, "size": 32, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267325 }, { "func": "GF_Err gf_isom_update_edit_list_duration(GF_ISOFile *file, u32 track)\n{\n\tu32 i;\n\tu64 trackDuration;\n\tGF_EdtsEntry *ent;\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\n\te = CanAccessMovie(file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(file, track);\n\tif (!trak) return GF_BAD_PARAM;\n\n\n\t//the total duration is the media duration: adjust it in case...\n\te = Media_SetDuration(trak);\n\tif (e) return e;\n\n\t//assert the timeScales are non-NULL\n\tif (!trak->moov->mvhd->timeScale || !trak->Media->mediaHeader->timeScale) return GF_ISOM_INVALID_FILE;\n\ttrackDuration = (trak->Media->mediaHeader->duration * trak->moov->mvhd->timeScale) / trak->Media->mediaHeader->timeScale;\n\n\t//if we have an edit list, the duration is the sum of all the editList\n\t//entries' duration (always expressed in MovieTimeScale)\n\tif (trak->editBox && trak->editBox->editList) {\n\t\tu64 editListDuration = 0;\n\t\tGF_EditListBox *elst = trak->editBox->editList;\n\t\ti=0;\n\t\twhile ((ent = (GF_EdtsEntry*)gf_list_enum(elst->entryList, &i))) {\n\t\t\tif (ent->segmentDuration > trackDuration)\n\t\t\t\tent->segmentDuration = trackDuration;\n\t\t\tif (!ent->segmentDuration) {\n\t\t\t\tu64 diff;\n\t\t\t\tent->segmentDuration = trackDuration;\n\t\t\t\tif (ent->mediaTime>0) {\n\t\t\t\t\tdiff = ent->mediaTime;\n\t\t\t\t\tdiff *= trak->moov->mvhd->timeScale;\n\t\t\t\t\tdiff /= trak->Media->mediaHeader->timeScale;\n\t\t\t\t\tif (diff < ent->segmentDuration)\n\t\t\t\t\t\tent->segmentDuration -= diff;\n\t\t\t\t\t/*\n\t\t\t\t\telse\n\t\t\t\t\t\tdiff = 0;\n\t\t\t\t\t*/\n\t\t\t\t}\n\t\t\t}\n\t\t\tif ((ent->mediaTime>=0) && ((u64) 
ent->mediaTime>=trak->Media->mediaHeader->duration)) {\n\t\t\t\tent->mediaTime = trak->Media->mediaHeader->duration;\n\t\t\t}\n\t\t\teditListDuration += ent->segmentDuration;\n\t\t}\n\t\ttrackDuration = editListDuration;\n\t}\n\tif (!trackDuration) {\n\t\ttrackDuration = (trak->Media->mediaHeader->duration * trak->moov->mvhd->timeScale) / trak->Media->mediaHeader->timeScale;\n\t}\n\ttrak->Header->duration = trackDuration;\n\n\treturn GF_OK;\n\n}", "project": "gpac", "hash": 133905420752475222042250984042612120940, "size": 62, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267281 }, { "func": "GF_Err gf_isom_set_edit(GF_ISOFile *movie, u32 trackNumber, u64 EditTime, u64 EditDuration, u64 MediaTime, GF_ISOEditType EditMode)\n{\n\treturn gf_isom_set_edit_internal(movie, trackNumber, EditTime, EditDuration, MediaTime, 0, EditMode);\n}", "project": "gpac", "hash": 164336416440115775783071885641358647057, "size": 4, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267318 }, { "func": "}\n\nstatic void dump_qt_prores(GF_ISOFile *file, u32 trackID, FILE *dump, Bool dump_crc)\n{\n#ifndef GPAC_DISABLE_AV_PARSERS\n\tu32 i, count, track, timescale;\n\n\ttrack = gf_isom_get_track_by_id(file, trackID);\n\n\tcount = gf_isom_get_sample_count(file, track);\n\ttimescale = gf_isom_get_media_timescale(file, track);\n\n\tfprintf(dump, \"\\n\", trackID, count, timescale);\n\n\tfor (i=0; i\\n\", i+1);\n\t\t\tcontinue;\n\t\t}\n\t\tdts = samp->DTS;\n\t\tcts = dts + (s32) samp->CTS_Offset;\n\n\t\tif (cts!=dts) fprintf(dump, \"\\n\", cts, dts);\n\t\tif (!samp->IsRAP) fprintf(dump, \"\\n\");\n\n\t\tfprintf(dump, \" \\n\", i+1, cts, samp->dataLength);\n\n\t\tgf_inspect_dump_prores(dump, samp->data, samp->dataLength, dump_crc);\n\t\tfprintf(dump, \" \\n\");\n\n\t\tgf_isom_sample_del(&samp);\n\n\t\tfprintf(dump, 
\"\\n\");\n\t\tgf_set_progress(\"Analysing ProRes Track\", i+1, count);\n\t}\n\tfprintf(dump, \"\\n\");", "project": "gpac", "hash": 126213241379909332164539431294559787270, "size": 39, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243186 }, { "func": "GF_EXPORT\nBool gf_isom_is_video_handler_type(u32 mtype)\n{\n\tswitch (mtype) {\n\tcase GF_ISOM_MEDIA_VISUAL:\n\tcase GF_ISOM_MEDIA_AUXV:\n\tcase GF_ISOM_MEDIA_PICT:\n\t\treturn GF_TRUE;\n\tdefault:\n\t\treturn GF_FALSE;\n\t}", "project": "gpac", "hash": 116957683993234739700493301141922996455, "size": 11, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246806 }, { "func": "GF_Err gf_isom_box_array_size(GF_Box *parent, GF_List *list)\n{\n\tGF_Err e;\n\tu32 count, i;\n\tGF_Box *a;\n\tif (! list) return GF_BAD_PARAM;\n\n\tcount = gf_list_count(list);\n\tfor (i = 0; i < count; i++) {\n\t\ta = (GF_Box *)gf_list_get(list, i);\n\t\tif (a) {\n\t\t\te = gf_isom_box_size(a);\n\t\t\tif (e) {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"ISOBMF: Error %s computing box %s size\\n\", gf_error_to_string(e), gf_4cc_to_str(a->type) ));\n\t\t\t\treturn e;\n\t\t\t}\n\t\t\tparent->size += a->size;\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 237430580174508000427478165657614033383, "size": 21, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224902 }, { "func": "GF_Err gf_isom_add_desc_to_description(GF_ISOFile *movie, u32 trackNumber, u32 StreamDescriptionIndex, const GF_Descriptor *theDesc)\n{\n\tGF_IPIPtr *ipiD;\n\tGF_Err e;\n\tu16 tmpRef;\n\tGF_TrackBox *trak;\n\tGF_Descriptor *desc;\n\tGF_ESD *esd;\n\tGF_TrackReferenceBox *tref;\n\tGF_TrackReferenceTypeBox *dpnd;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\tu32 msubtype;\n\te = CanAccessMovie(movie, 
GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\t/*GETS NATIVE DESCRIPTOR ONLY*/\n\te = Media_GetESD(trak->Media, StreamDescriptionIndex, &esd, GF_TRUE);\n\tif (e) return e;\n\n\tentry = gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, StreamDescriptionIndex-1);\n\tif (!entry) return GF_BAD_PARAM;\n\tmsubtype = entry->type;\n\tif ((msubtype==GF_ISOM_BOX_TYPE_ENCV) || (msubtype==GF_ISOM_BOX_TYPE_ENCA))\n\t\tgf_isom_get_original_format_type(movie, trackNumber, StreamDescriptionIndex, &msubtype);\n\n\t//duplicate the desc\n\te = gf_odf_desc_copy((GF_Descriptor *)theDesc, &desc);\n\tif (e) return e;\n\n\t//and add it to the ESD EXCEPT IPI PTR (we need to translate from ES_ID to TrackID!!!\n\tif (!movie->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\n\tswitch (desc->tag) {\n\tcase GF_ODF_IPI_PTR_TAG:\n\t\tgoto insertIPI;\n\tdefault:\n\t\tbreak;\n\t}\n\n\tif ((msubtype==GF_ISOM_BOX_TYPE_MP4S) || (msubtype==GF_ISOM_BOX_TYPE_MP4V) || (msubtype==GF_ISOM_BOX_TYPE_MP4A)) {\n\t\treturn gf_odf_desc_add_desc((GF_Descriptor *)esd, desc);\n\t}\n\n\tif (trak->Media->handler->handlerType!=GF_ISOM_MEDIA_VISUAL) {\n\t\tgf_odf_desc_del(desc);\n\t\treturn GF_NOT_SUPPORTED;\n\t}\n\tGF_MPEG4ExtensionDescriptorsBox *mdesc = (GF_MPEG4ExtensionDescriptorsBox *) gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_M4DS);\n\tif (!mdesc) {\n\t\tmdesc = (GF_MPEG4ExtensionDescriptorsBox *) gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_M4DS);\n\t}\n\treturn gf_list_add(mdesc->descriptors, desc);\n\ninsertIPI:\n\tif (esd->ipiPtr) {\n\t\tgf_odf_desc_del((GF_Descriptor *) esd->ipiPtr);\n\t\tesd->ipiPtr = NULL;\n\t}\n\n\tipiD = (GF_IPIPtr *) desc;\n\t//find a tref\n\tif (!trak->References) {\n\t\ttref = (GF_TrackReferenceBox *) gf_isom_box_new_parent(&trak->child_boxes, GF_ISOM_BOX_TYPE_TREF);\n\t\tif (!tref) return 
GF_OUT_OF_MEM;\n\t\te = trak_on_child_box((GF_Box*)trak, (GF_Box *)tref, GF_FALSE);\n\t\tif (e) return e;\n\t}\n\ttref = trak->References;\n\n\te = Track_FindRef(trak, GF_ISOM_REF_IPI, &dpnd);\n\tif (e) return e;\n\tif (!dpnd) {\n\t\ttmpRef = 0;\n\t\tdpnd = (GF_TrackReferenceTypeBox *) gf_isom_box_new_parent(&tref->child_boxes, GF_ISOM_BOX_TYPE_REFT);\n\t\tif (!dpnd) return GF_OUT_OF_MEM;\n\t\tdpnd->reference_type = GF_ISOM_BOX_TYPE_IPIR;\n\t\te = reftype_AddRefTrack(dpnd, ipiD->IPI_ES_Id, &tmpRef);\n\t\tif (e) return e;\n\t\t//and replace the tag and value...\n\t\tipiD->IPI_ES_Id = tmpRef;\n\t\tipiD->tag = GF_ODF_ISOM_IPI_PTR_TAG;\n\t} else {\n\t\t//Watch out! ONLY ONE IPI dependency is allowed per stream\n\t\tdpnd->trackIDCount = 1;\n\t\tdpnd->trackIDs[0] = ipiD->IPI_ES_Id;\n\t\t//and replace the tag and value...\n\t\tipiD->IPI_ES_Id = 1;\n\t\tipiD->tag = GF_ODF_ISOM_IPI_PTR_TAG;\n\t}\n\t//and add the desc to the esd...\n\treturn gf_odf_desc_add_desc((GF_Descriptor *)esd, desc);\n}", "project": "gpac", "hash": 315791428778405599247808020928936726677, "size": 96, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267313 }, { "func": "GF_Err stbl_AppendRAP(GF_SampleTableBox *stbl, u8 isRap)\n{\n\tu32 i;\n\n\t//no sync table\n\tif (!stbl->SyncSample) {\n\t\t//all samples RAP - no table\n\t\tif (isRap) return GF_OK;\n\n\t\t//nope, create one\n\t\tstbl->SyncSample = (GF_SyncSampleBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STSS);\n\t\tif (!stbl->SyncSample) return GF_OUT_OF_MEM;\n\n\t\tif (stbl->SampleSize->sampleCount > 1) {\n\t\t\tstbl->SyncSample->sampleNumbers = (u32*)gf_malloc(sizeof(u32) * (stbl->SampleSize->sampleCount-1));\n\t\t\tif (!stbl->SyncSample->sampleNumbers) return GF_OUT_OF_MEM;\n\t\t\tfor (i=0; iSampleSize->sampleCount-1; i++)\n\t\t\t\tstbl->SyncSample->sampleNumbers[i] = i+1;\n\n\t\t}\n\t\tstbl->SyncSample->nb_entries = 
stbl->SampleSize->sampleCount-1;\n\t\tstbl->SyncSample->alloc_size = stbl->SyncSample->nb_entries;\n\t\treturn GF_OK;\n\t}\n\tif (!isRap) return GF_OK;\n\n\tif (stbl->SyncSample->alloc_size == stbl->SyncSample->nb_entries) {\n\t\tALLOC_INC(stbl->SyncSample->alloc_size);\n\t\tstbl->SyncSample->sampleNumbers = (u32*) gf_realloc(stbl->SyncSample->sampleNumbers, sizeof(u32) * stbl->SyncSample->alloc_size);\n\t\tif (!stbl->SyncSample->sampleNumbers) return GF_OUT_OF_MEM;\n\t\tmemset(&stbl->SyncSample->sampleNumbers[stbl->SyncSample->nb_entries], 0, sizeof(u32) * (stbl->SyncSample->alloc_size-stbl->SyncSample->nb_entries) );\n\t}\n\tstbl->SyncSample->sampleNumbers[stbl->SyncSample->nb_entries] = stbl->SampleSize->sampleCount;\n\tstbl->SyncSample->nb_entries += 1;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 40333450618875372069059624397393665130, "size": 36, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267891 }, { "func": "static GF_Err gf_isom_parse_movie_boxes_internal(GF_ISOFile *mov, u32 *boxType, u64 *bytesMissing, Bool progressive_mode)\n{\n\tGF_Box *a;\n\tu64 totSize, mdat_end=0;\n\tGF_Err e = GF_OK;\n\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\tif (mov->single_moof_mode && mov->single_moof_state == 2) {\n\t\treturn e;\n\t}\n\n\t/*restart from where we stopped last*/\n\ttotSize = mov->current_top_box_start;\n\tif (mov->bytes_removed) {\n\t\tassert(totSize >= mov->bytes_removed);\n\t\ttotSize -= mov->bytes_removed;\n\t}\n\tgf_bs_seek(mov->movieFileMap->bs, totSize);\n#endif\n\n\n\t/*while we have some data, parse our boxes*/\n\twhile (gf_bs_available(mov->movieFileMap->bs)) {\n\t\t*bytesMissing = 0;\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\t\tmov->current_top_box_start = gf_bs_get_position(mov->movieFileMap->bs) + mov->bytes_removed;\n\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, (\"[iso file] Parsing a top-level box at position %d\\n\", mov->current_top_box_start));\n#endif\n\n\t\te 
= gf_isom_parse_root_box(&a, mov->movieFileMap->bs, boxType, bytesMissing, progressive_mode);\n\n\t\tif (e >= 0) {\n\n\t\t} else if (e == GF_ISOM_INCOMPLETE_FILE) {\n\t\t\t/*our mdat is uncomplete, only valid for READ ONLY files...*/\n\t\t\tif (mov->openMode != GF_ISOM_OPEN_READ) {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Incomplete MDAT while file is not read-only\\n\"));\n\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\t\t\tif ((mov->openMode == GF_ISOM_OPEN_READ) && !progressive_mode) {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Incomplete file while reading for dump - aborting parsing\\n\"));\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\treturn e;\n\t\t} else {\n\t\t\treturn e;\n\t\t}\n\n\t\tswitch (a->type) {\n\t\t/*MOOV box*/\n\t\tcase GF_ISOM_BOX_TYPE_MOOV:\n\t\t\tif (mov->moov) {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Duplicate MOOV detected!\\n\"));\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\t\t\tmov->moov = (GF_MovieBox *)a;\n\t\t\tmov->original_moov_offset = mov->current_top_box_start;\n\t\t\t/*set our pointer to the movie*/\n\t\t\tmov->moov->mov = mov;\n#ifndef GPAC_DISABLE_ISOM_FRAGMENTS\n\t\t\tif (mov->moov->mvex) mov->moov->mvex->mov = mov;\n\n#ifdef GF_ENABLE_CTRN\n\t\t\tif (! 
(mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG)) {\n\t\t\t\tgf_isom_setup_traf_inheritance(mov);\n\t\t\t}\n#endif\n\n#endif\n\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\tif (e) return e;\n\n\t\t\ttotSize += a->size;\n\n if (!mov->moov->mvhd) {\n GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Missing MovieHeaderBox\\n\"));\n return GF_ISOM_INVALID_FILE;\n }\n\n if (mov->meta) {\n\t\t\t\tgf_isom_meta_restore_items_ref(mov, mov->meta);\n\t\t\t}\n\n\t\t\t//dump senc info in dump mode\n\t\t\tif (mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) {\n\t\t\t\tu32 k;\n\t\t\t\tfor (k=0; kmoov->trackList); k++) {\n\t\t\t\t\tGF_TrackBox *trak = (GF_TrackBox *)gf_list_get(mov->moov->trackList, k);\n\n\t\t\t\t\tif (trak->sample_encryption) {\n\t\t\t\t\t\te = senc_Parse(mov->movieFileMap->bs, trak, NULL, trak->sample_encryption);\n\t\t\t\t\t\tif (e) return e;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tu32 k;\n\t\t\t\tfor (k=0; kmoov->trackList); k++) {\n\t\t\t\t\tGF_TrackBox *trak = (GF_TrackBox *)gf_list_get(mov->moov->trackList, k);\n\t\t\t\t\tif (trak->Media->information->sampleTable->sampleGroups) {\n\t\t\t\t\t\tconvert_compact_sample_groups(trak->Media->information->sampleTable->child_boxes, trak->Media->information->sampleTable->sampleGroups);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n if (mdat_end && mov->signal_frag_bounds && !(mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) ) {\n gf_isom_push_mdat_end(mov, mdat_end);\n mdat_end=0;\n }\n\t\t\tbreak;\n\n\t\t/*META box*/\n\t\tcase GF_ISOM_BOX_TYPE_META:\n\t\t\tif (mov->meta) {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Duplicate META detected!\\n\"));\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\t\t\tmov->meta = (GF_MetaBox *)a;\n\t\t\tmov->original_meta_offset = mov->current_top_box_start;\n\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\tif (e) {\n\t\t\t\treturn e;\n\t\t\t}\n\t\t\ttotSize += a->size;\n if (mov->moov) {\n\t\t\t\tgf_isom_meta_restore_items_ref(mov, 
mov->meta);\n\t\t\t}\n\t\t\tbreak;\n\n\t\t/*we only keep the MDAT in READ for dump purposes*/\n\t\tcase GF_ISOM_BOX_TYPE_MDAT:\n\t\t\tif (!mov->first_data_toplevel_offset) {\n\t\t\t\tmov->first_data_toplevel_offset = mov->current_top_box_start;\n\t\t\t\tmov->first_data_toplevel_size = a->size;\n\t\t\t}\n\t\t\ttotSize += a->size;\n\t\t\tif (mov->openMode == GF_ISOM_OPEN_READ) {\n\t\t\t\tif (!mov->mdat) {\n\t\t\t\t\tmov->mdat = (GF_MediaDataBox *) a;\n\t\t\t\t\te = gf_list_add(mov->TopBoxes, mov->mdat);\n\t\t\t\t\tif (e) {\n\t\t\t\t\t\treturn e;\n\t\t\t\t\t}\n\t\t\t\t}\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\t\t\t\telse if (mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) gf_list_add(mov->TopBoxes, a);\n#endif\n\t\t\t\telse gf_isom_box_del(a); //in other modes we don't care\n\n\n\t\t\t\tif (mov->signal_frag_bounds && !(mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) ) {\n mdat_end = gf_bs_get_position(mov->movieFileMap->bs);\n if (mov->moov) {\n gf_isom_push_mdat_end(mov, mdat_end);\n mdat_end=0;\n }\n\t\t\t\t}\n\t\t\t}\n\t\t\t/*if we don't have any MDAT yet, create one (edit-write mode)\n\t\t\tWe only work with one mdat, but we're puting it at the place\n\t\t\tof the first mdat found when opening a file for editing*/\n\t\t\telse if (!mov->mdat && (mov->openMode != GF_ISOM_OPEN_READ) && (mov->openMode != GF_ISOM_OPEN_KEEP_FRAGMENTS)) {\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t\tmov->mdat = (GF_MediaDataBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_MDAT);\n\t\t\t\tif (!mov->mdat) return GF_OUT_OF_MEM;\n\t\t\t\te = gf_list_add(mov->TopBoxes, mov->mdat);\n\t\t\t\tif (e) {\n\t\t\t\t\treturn e;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase GF_ISOM_BOX_TYPE_FTYP:\n\t\t\t/*ONE AND ONLY ONE FTYP*/\n\t\t\tif (mov->brand) {\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Duplicate 'ftyp' detected!\\n\"));\n\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\t\t\tmov->brand = (GF_FileTypeBox *)a;\n\t\t\ttotSize 
+= a->size;\n\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\tif (e) return e;\n\t\t\tbreak;\n\n\t\tcase GF_ISOM_BOX_TYPE_OTYP:\n\t\t\t/*ONE AND ONLY ONE FTYP*/\n\t\t\tif (mov->otyp) {\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Duplicate 'otyp' detected!\\n\"));\n\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\n\t\t\tif (mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) {\n\t\t\t\tmov->otyp = (GF_Box *)a;\n\t\t\t\ttotSize += a->size;\n\t\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\t\tif (e) return e;\n\t\t\t} else {\n\t\t\t\tGF_FileTypeBox *brand = (GF_FileTypeBox *) gf_isom_box_find_child(a->child_boxes, GF_ISOM_BOX_TYPE_FTYP);\n\t\t\t\tif (brand) {\n\t\t\t\t\ts32 pos;\n\t\t\t\t\tgf_list_del_item(a->child_boxes, brand);\n\t\t\t\t\tpos = gf_list_del_item(mov->TopBoxes, mov->brand);\n\t\t\t\t\tgf_isom_box_del((GF_Box *) mov->brand);\n\t\t\t\t\tmov->brand = brand;\n\t\t\t\t\tif (pos<0) pos=0;\n\t\t\t\t\tgf_list_insert(mov->TopBoxes, brand, pos);\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase GF_ISOM_BOX_TYPE_PDIN:\n\t\t\t/*ONE AND ONLY ONE PDIN*/\n\t\t\tif (mov->pdin) {\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Duplicate 'pdin'' detected!\\n\"));\n\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\t\t\tmov->pdin = (GF_ProgressiveDownloadBox *) a;\n\t\t\ttotSize += a->size;\n\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\tif (e) return e;\n\t\t\tbreak;\n\n\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\t\tcase GF_ISOM_BOX_TYPE_STYP:\n\t\t{\n\t\t\tu32 brand = ((GF_FileTypeBox *)a)->majorBrand;\n\t\t\tswitch (brand) {\n\t\t\tcase GF_ISOM_BRAND_SISX:\n\t\t\tcase GF_ISOM_BRAND_RISX:\n\t\t\tcase GF_ISOM_BRAND_SSSS:\n\t\t\t\tmov->is_index_segment = GF_TRUE;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\t/*fall-through*/\n\n\t\tcase GF_ISOM_BOX_TYPE_SIDX:\n\t\tcase GF_ISOM_BOX_TYPE_SSIX:\n\t\t\tif (mov->moov && !mov->first_data_toplevel_offset) 
{\n\t\t\t\tmov->first_data_toplevel_offset = mov->current_top_box_start;\n\t\t\t\tmov->first_data_toplevel_size = a->size;\n\t\t\t}\n\t\t\ttotSize += a->size;\n\t\t\tif (mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) {\n\t\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\t\tif (e) return e;\n\t\t\t} else if (mov->signal_frag_bounds && !(mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) && (mov->openMode!=GF_ISOM_OPEN_KEEP_FRAGMENTS)\n\t\t\t) {\n\t\t\t\tif (a->type==GF_ISOM_BOX_TYPE_SIDX) {\n\t\t\t\t\tif (mov->root_sidx) gf_isom_box_del( (GF_Box *) mov->root_sidx);\n\t\t\t\t\tmov->root_sidx = (GF_SegmentIndexBox *) a;\n\t\t\t\t\tmov->sidx_start_offset = mov->current_top_box_start;\n\t\t\t\t\tmov->sidx_end_offset = gf_bs_get_position(mov->movieFileMap->bs);\n\n\t\t\t\t}\n\t\t\t\telse if (a->type==GF_ISOM_BOX_TYPE_STYP) {\n\t\t\t\t\tmov->styp_start_offset = mov->current_top_box_start;\n\n\t\t\t\t\tif (mov->seg_styp) gf_isom_box_del(mov->seg_styp);\n\t\t\t\t\tmov->seg_styp = a;\n\t\t\t\t} else if (a->type==GF_ISOM_BOX_TYPE_SSIX) {\n\t\t\t\t\tif (mov->seg_ssix) gf_isom_box_del(mov->seg_ssix);\n\t\t\t\t\tmov->seg_ssix = a;\n\t\t\t\t} else {\n\t\t\t\t\tgf_isom_box_del(a);\n\t\t\t\t}\n\t\t\t\tgf_isom_push_mdat_end(mov, mov->current_top_box_start);\n\t\t\t} else if (!mov->NextMoofNumber && (a->type==GF_ISOM_BOX_TYPE_SIDX)) {\n\t\t\t\tif (mov->main_sidx) gf_isom_box_del( (GF_Box *) mov->main_sidx);\n\t\t\t\tmov->main_sidx = (GF_SegmentIndexBox *) a;\n\t\t\t\tmov->main_sidx_end_pos = mov->current_top_box_start + a->size;\n\t\t\t} else {\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase GF_ISOM_BOX_TYPE_MOOF:\n\t\t\t//no support for inplace rewrite for fragmented files\n\t\t\tgf_isom_disable_inplace_rewrite(mov);\n\t\t\tif (!mov->moov) {\n\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Movie fragment but no moov (yet) - possibly broken parsing!\\n\"));\n\t\t\t}\n\t\t\tif (mov->single_moof_mode) {\n\t\t\t\tmov->single_moof_state++;\n\t\t\t\tif 
(mov->single_moof_state > 1) {\n\t\t\t\t\tgf_isom_box_del(a);\n\t\t\t\t\treturn GF_OK;\n\t\t\t\t}\n\t\t\t}\n\t\t\t((GF_MovieFragmentBox *)a)->mov = mov;\n\n\t\t\ttotSize += a->size;\n\t\t\tmov->moof = (GF_MovieFragmentBox *) a;\n\n\t\t\t/*some smooth streaming streams contain a SDTP under the TRAF: this is incorrect, convert it*/\n\t\t\tFixTrackID(mov);\n\t\t\tif (! (mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG)) {\n\t\t\t\tFixSDTPInTRAF(mov->moof);\n\t\t\t} else {\n\t\t\t\tu32 k;\n\t\t\t\tfor (k=0; kmoof->TrackList); k++) {\n\t\t\t\t\tGF_TrackFragmentBox *traf = (GF_TrackFragmentBox *)gf_list_get(mov->moof->TrackList, k);\n\t\t\t\t\tif (traf->sampleGroups) {\n\t\t\t\t\t\tconvert_compact_sample_groups(traf->child_boxes, traf->sampleGroups);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t/*read & debug: store at root level*/\n\t\t\tif (mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) {\n\t\t\t\tu32 k;\n\t\t\t\tgf_list_add(mov->TopBoxes, a);\n\t\t\t\t/*also update pointers to trex for debug*/\n\t\t\t\tif (mov->moov) {\n\t\t\t\t\tfor (k=0; kmoof->TrackList); k++) {\n\t\t\t\t\t\tGF_TrackFragmentBox *traf = gf_list_get(mov->moof->TrackList, k);\n\t\t\t\t\t\tif (traf->tfhd && mov->moov->mvex && mov->moov->mvex->TrackExList) {\n\t\t\t\t\t\t\tGF_TrackBox *trak = gf_isom_get_track_from_id(mov->moov, traf->tfhd->trackID);\n\t\t\t\t\t\t\tu32 j=0;\n\t\t\t\t\t\t\twhile ((traf->trex = (GF_TrackExtendsBox*)gf_list_enum(mov->moov->mvex->TrackExList, &j))) {\n\t\t\t\t\t\t\t\tif (traf->trex->trackID == traf->tfhd->trackID) {\n\t\t\t\t\t\t\t\t\tif (!traf->trex->track) traf->trex->track = trak;\n\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\ttraf->trex = NULL;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\t//we should only parse senc/psec when no saiz/saio is present, otherwise we fetch the info directly\n\t\t\t\t\t\tif (traf->trex && traf->tfhd && traf->trex->track && traf->sample_encryption) {\n\t\t\t\t\t\t\tGF_TrackBox *trak = GetTrackbyID(mov->moov, 
traf->tfhd->trackID);\n\t\t\t\t\t\t\ttrak->current_traf_stsd_idx = traf->tfhd->sample_desc_index ? traf->tfhd->sample_desc_index : traf->trex->def_sample_desc_index;\n\t\t\t\t\t\t\te = senc_Parse(mov->movieFileMap->bs, trak, traf, traf->sample_encryption);\n\t\t\t\t\t\t\tif (e) return e;\n\t\t\t\t\t\t\ttrak->current_traf_stsd_idx = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tfor (k=0; kmoof->TrackList); k++) {\n\t\t\t\t\t\tGF_TrackFragmentBox *traf = gf_list_get(mov->moof->TrackList, k);\n\t\t\t\t\t\tif (traf->sample_encryption) {\n\t\t\t\t\t\t\te = senc_Parse(mov->movieFileMap->bs, NULL, traf, traf->sample_encryption);\n\t\t\t\t\t\t\tif (e) return e;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t}\n\t\t\t} else if (mov->openMode==GF_ISOM_OPEN_KEEP_FRAGMENTS) {\n\t\t\t\tmov->NextMoofNumber = mov->moof->mfhd->sequence_number+1;\n\t\t\t\tmov->moof = NULL;\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t} else {\n\t\t\t\t/*merge all info*/\n\t\t\t\te = MergeFragment((GF_MovieFragmentBox *)a, mov);\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t\tif (e) return e;\n\t\t\t}\n\n\t\t\t//done with moov\n\t\t\tif (mov->root_sidx) {\n\t\t\t\tgf_isom_box_del((GF_Box *) mov->root_sidx);\n\t\t\t\tmov->root_sidx = NULL;\n\t\t\t}\n\t\t\tif (mov->root_ssix) {\n\t\t\t\tgf_isom_box_del(mov->seg_ssix);\n\t\t\t\tmov->root_ssix = NULL;\n\t\t\t}\n\t\t\tif (mov->seg_styp) {\n\t\t\t\tgf_isom_box_del(mov->seg_styp);\n\t\t\t\tmov->seg_styp = NULL;\n\t\t\t}\n\t\t\tmov->sidx_start_offset = 0;\n\t\t\tmov->sidx_end_offset = 0;\n\t\t\tmov->styp_start_offset = 0;\n\t\t\tbreak;\n#endif\n\t\tcase GF_ISOM_BOX_TYPE_UNKNOWN:\n\t\t{\n\t\t\tGF_UnknownBox *box = (GF_UnknownBox*)a;\n\t\t\tif (box->original_4cc == GF_ISOM_BOX_TYPE_JP) {\n\t\t\t\tu8 *c = (u8 *) box->data;\n\t\t\t\tif ((box->dataSize==4) && (GF_4CC(c[0],c[1],c[2],c[3])==(u32)0x0D0A870A))\n\t\t\t\t\tmov->is_jp2 = 1;\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t} else {\n\t\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\t\tif (e) return 
e;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\t\tcase GF_ISOM_BOX_TYPE_PRFT:\n#ifndef GPAC_DISABLE_ISOM_FRAGMENTS\n\t\t\tif (!(mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG)) {\n\t\t\t\t//keep the last one read\n\t\t\t\tif (mov->last_producer_ref_time)\n\t\t\t\t\tgf_isom_box_del(a);\n\t\t\t\telse\n\t\t\t\t\tmov->last_producer_ref_time = (GF_ProducerReferenceTimeBox *)a;\n\t\t\t\tbreak;\n\t\t\t}\n#endif\n\t\t//fallthrough\n\n\t\tdefault:\n\t\t\ttotSize += a->size;\n\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\tif (e) return e;\n\t\t\tbreak;\n\t\t}\n\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\t\t/*remember where we left, in case we append an entire number of movie fragments*/\n\t\tmov->current_top_box_start = gf_bs_get_position(mov->movieFileMap->bs) + mov->bytes_removed;\n#endif\n\t}\n\n\t/*we need at least moov or meta*/\n\tif (!mov->moov && !mov->meta\n#ifndef GPAC_DISABLE_ISOM_FRAGMENTS\n\t && !mov->moof && !mov->is_index_segment\n#endif\n\t ) {\n\t\treturn GF_ISOM_INCOMPLETE_FILE;\n\t}\n\t/*we MUST have movie header*/\n\tif (!gf_opts_get_bool(\"core\", \"no-check\")) {\n\t\tif (mov->moov && !mov->moov->mvhd) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Missing MVHD in MOOV!\\n\"));\n\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t}\n\n\t\t/*we MUST have meta handler*/\n\t\tif (mov->meta && !mov->meta->handler) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Missing handler in META!\\n\"));\n\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t}\n\t}\n\n#ifndef GPAC_DISABLE_ISOM_WRITE\n\n\tif (mov->moov) {\n\t\t/*set the default interleaving time*/\n\t\tmov->interleavingTime = mov->moov->mvhd->timeScale;\n\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\t\t/*in edit mode with successfully loaded fragments, delete all fragment signaling since\n\t\tfile is no longer fragmented*/\n\t\tif ((mov->openMode > GF_ISOM_OPEN_READ) && (mov->openMode != GF_ISOM_OPEN_KEEP_FRAGMENTS) && mov->moov->mvex) {\n\t\t\tgf_isom_box_del_parent(&mov->moov->child_boxes, (GF_Box 
*)mov->moov->mvex);\n\t\t\tmov->moov->mvex = NULL;\n\t\t}\n#endif\n\n\t}\n\n\t//create a default mdat if none was found\n\tif (!mov->mdat && (mov->openMode != GF_ISOM_OPEN_READ) && (mov->openMode != GF_ISOM_OPEN_KEEP_FRAGMENTS)) {\n\t\tmov->mdat = (GF_MediaDataBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_MDAT);\n\t\tif (!mov->mdat) return GF_OUT_OF_MEM;\n\t\te = gf_list_add(mov->TopBoxes, mov->mdat);\n\t\tif (e) return e;\n\t}\n#endif /*GPAC_DISABLE_ISOM_WRITE*/\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 86450605193316092897460625068419387462, "size": 474, "commit_id": "fe5155cf047252d1c4cb91602048bfa682af0ea7", "message": "fixed #1783 (fuzz)", "target": 1, "dataset": "other", "idx": 198286 }, { "func": "static GF_Err gf_isom_parse_movie_boxes_internal(GF_ISOFile *mov, u32 *boxType, u64 *bytesMissing, Bool progressive_mode)\n{\n\tGF_Box *a;\n\tu64 totSize, mdat_end=0;\n\tGF_Err e = GF_OK;\n\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\tif (mov->single_moof_mode && mov->single_moof_state == 2) {\n\t\treturn e;\n\t}\n\n\t/*restart from where we stopped last*/\n\ttotSize = mov->current_top_box_start;\n\tif (mov->bytes_removed) {\n\t\tassert(totSize >= mov->bytes_removed);\n\t\ttotSize -= mov->bytes_removed;\n\t}\n\tgf_bs_seek(mov->movieFileMap->bs, totSize);\n#endif\n\n\n\t/*while we have some data, parse our boxes*/\n\twhile (gf_bs_available(mov->movieFileMap->bs)) {\n\t\t*bytesMissing = 0;\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\t\tmov->current_top_box_start = gf_bs_get_position(mov->movieFileMap->bs) + mov->bytes_removed;\n\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, (\"[iso file] Parsing a top-level box at position %d\\n\", mov->current_top_box_start));\n#endif\n\n\t\te = gf_isom_parse_root_box(&a, mov->movieFileMap->bs, boxType, bytesMissing, progressive_mode);\n\n\t\tif (e >= 0) {\n\n\t\t} else if (e == GF_ISOM_INCOMPLETE_FILE) {\n\t\t\t/*our mdat is uncomplete, only valid for READ ONLY files...*/\n\t\t\tif (mov->openMode != GF_ISOM_OPEN_READ) 
{\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Incomplete MDAT while file is not read-only\\n\"));\n\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\t\t\tif ((mov->openMode == GF_ISOM_OPEN_READ) && !progressive_mode) {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Incomplete file while reading for dump - aborting parsing\\n\"));\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\treturn e;\n\t\t} else {\n\t\t\treturn e;\n\t\t}\n\n\t\tswitch (a->type) {\n\t\t/*MOOV box*/\n\t\tcase GF_ISOM_BOX_TYPE_MOOV:\n\t\t\tif (mov->moov) {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Duplicate MOOV detected!\\n\"));\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\t\t\tmov->moov = (GF_MovieBox *)a;\n\t\t\tmov->original_moov_offset = mov->current_top_box_start;\n\t\t\t/*set our pointer to the movie*/\n\t\t\tmov->moov->mov = mov;\n#ifndef GPAC_DISABLE_ISOM_FRAGMENTS\n\t\t\tif (mov->moov->mvex) mov->moov->mvex->mov = mov;\n\n#ifdef GF_ENABLE_CTRN\n\t\t\tif (! 
(mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG)) {\n\t\t\t\tgf_isom_setup_traf_inheritance(mov);\n\t\t\t}\n#endif\n\n#endif\n\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\tif (e) return e;\n\n\t\t\ttotSize += a->size;\n\n if (!mov->moov->mvhd) {\n GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Missing MovieHeaderBox\\n\"));\n return GF_ISOM_INVALID_FILE;\n }\n\n if (mov->meta) {\n\t\t\t\tgf_isom_meta_restore_items_ref(mov, mov->meta);\n\t\t\t}\n\n\t\t\t//dump senc info in dump mode\n\t\t\tif (mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) {\n\t\t\t\tu32 k;\n\t\t\t\tfor (k=0; kmoov->trackList); k++) {\n\t\t\t\t\tGF_TrackBox *trak = (GF_TrackBox *)gf_list_get(mov->moov->trackList, k);\n\n\t\t\t\t\tif (trak->sample_encryption) {\n\t\t\t\t\t\te = senc_Parse(mov->movieFileMap->bs, trak, NULL, trak->sample_encryption);\n\t\t\t\t\t\tif (e) return e;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tu32 k;\n\t\t\t\tfor (k=0; kmoov->trackList); k++) {\n\t\t\t\t\tGF_TrackBox *trak = (GF_TrackBox *)gf_list_get(mov->moov->trackList, k);\n\t\t\t\t\tif (trak->Media->information->sampleTable->sampleGroups) {\n\t\t\t\t\t\tconvert_compact_sample_groups(trak->Media->information->sampleTable->child_boxes, trak->Media->information->sampleTable->sampleGroups);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n if (mdat_end && mov->signal_frag_bounds && !(mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) ) {\n gf_isom_push_mdat_end(mov, mdat_end);\n mdat_end=0;\n }\n\t\t\tbreak;\n\n\t\t/*META box*/\n\t\tcase GF_ISOM_BOX_TYPE_META:\n\t\t\tif (mov->meta) {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Duplicate META detected!\\n\"));\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\t\t\tmov->meta = (GF_MetaBox *)a;\n\t\t\tmov->original_meta_offset = mov->current_top_box_start;\n\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\tif (e) {\n\t\t\t\treturn e;\n\t\t\t}\n\t\t\ttotSize += a->size;\n if (mov->moov) {\n\t\t\t\tgf_isom_meta_restore_items_ref(mov, 
mov->meta);\n\t\t\t}\n\t\t\tbreak;\n\n\t\t/*we only keep the MDAT in READ for dump purposes*/\n\t\tcase GF_ISOM_BOX_TYPE_MDAT:\n\t\t\tif (!mov->first_data_toplevel_offset) {\n\t\t\t\tmov->first_data_toplevel_offset = mov->current_top_box_start;\n\t\t\t\tmov->first_data_toplevel_size = a->size;\n\t\t\t}\n\t\t\ttotSize += a->size;\n\t\t\tif (mov->openMode == GF_ISOM_OPEN_READ) {\n\t\t\t\tif (!mov->mdat) {\n\t\t\t\t\tmov->mdat = (GF_MediaDataBox *) a;\n\t\t\t\t\te = gf_list_add(mov->TopBoxes, mov->mdat);\n\t\t\t\t\tif (e) {\n\t\t\t\t\t\treturn e;\n\t\t\t\t\t}\n\t\t\t\t}\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\t\t\t\telse if (mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) gf_list_add(mov->TopBoxes, a);\n#endif\n\t\t\t\telse gf_isom_box_del(a); //in other modes we don't care\n\n\n\t\t\t\tif (mov->signal_frag_bounds && !(mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) ) {\n mdat_end = gf_bs_get_position(mov->movieFileMap->bs);\n if (mov->moov) {\n gf_isom_push_mdat_end(mov, mdat_end);\n mdat_end=0;\n }\n\t\t\t\t}\n\t\t\t}\n\t\t\t/*if we don't have any MDAT yet, create one (edit-write mode)\n\t\t\tWe only work with one mdat, but we're puting it at the place\n\t\t\tof the first mdat found when opening a file for editing*/\n\t\t\telse if (!mov->mdat && (mov->openMode != GF_ISOM_OPEN_READ) && (mov->openMode != GF_ISOM_OPEN_KEEP_FRAGMENTS)) {\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t\tmov->mdat = (GF_MediaDataBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_MDAT);\n\t\t\t\tif (!mov->mdat) return GF_OUT_OF_MEM;\n\t\t\t\te = gf_list_add(mov->TopBoxes, mov->mdat);\n\t\t\t\tif (e) {\n\t\t\t\t\treturn e;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase GF_ISOM_BOX_TYPE_FTYP:\n\t\t\t/*ONE AND ONLY ONE FTYP*/\n\t\t\tif (mov->brand) {\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Duplicate 'ftyp' detected!\\n\"));\n\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\t\t\tmov->brand = (GF_FileTypeBox *)a;\n\t\t\ttotSize 
+= a->size;\n\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\tif (e) return e;\n\t\t\tbreak;\n\n\t\tcase GF_ISOM_BOX_TYPE_OTYP:\n\t\t\t/*ONE AND ONLY ONE FTYP*/\n\t\t\tif (mov->otyp) {\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Duplicate 'otyp' detected!\\n\"));\n\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\n\t\t\tif (mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) {\n\t\t\t\tmov->otyp = (GF_Box *)a;\n\t\t\t\ttotSize += a->size;\n\t\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\t\tif (e) return e;\n\t\t\t} else {\n\t\t\t\tGF_FileTypeBox *brand = (GF_FileTypeBox *) gf_isom_box_find_child(a->child_boxes, GF_ISOM_BOX_TYPE_FTYP);\n\t\t\t\tif (brand) {\n\t\t\t\t\ts32 pos;\n\t\t\t\t\tgf_list_del_item(a->child_boxes, brand);\n\t\t\t\t\tpos = gf_list_del_item(mov->TopBoxes, mov->brand);\n\t\t\t\t\tgf_isom_box_del((GF_Box *) mov->brand);\n\t\t\t\t\tmov->brand = brand;\n\t\t\t\t\tif (pos<0) pos=0;\n\t\t\t\t\tgf_list_insert(mov->TopBoxes, brand, pos);\n\t\t\t\t}\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase GF_ISOM_BOX_TYPE_PDIN:\n\t\t\t/*ONE AND ONLY ONE PDIN*/\n\t\t\tif (mov->pdin) {\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Duplicate 'pdin'' detected!\\n\"));\n\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t}\n\t\t\tmov->pdin = (GF_ProgressiveDownloadBox *) a;\n\t\t\ttotSize += a->size;\n\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\tif (e) return e;\n\t\t\tbreak;\n\n\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\t\tcase GF_ISOM_BOX_TYPE_STYP:\n\t\t{\n\t\t\tu32 brand = ((GF_FileTypeBox *)a)->majorBrand;\n\t\t\tswitch (brand) {\n\t\t\tcase GF_ISOM_BRAND_SISX:\n\t\t\tcase GF_ISOM_BRAND_RISX:\n\t\t\tcase GF_ISOM_BRAND_SSSS:\n\t\t\t\tmov->is_index_segment = GF_TRUE;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\t/*fall-through*/\n\n\t\tcase GF_ISOM_BOX_TYPE_SIDX:\n\t\tcase GF_ISOM_BOX_TYPE_SSIX:\n\t\t\tif (mov->moov && 
!mov->first_data_toplevel_offset) {\n\t\t\t\tmov->first_data_toplevel_offset = mov->current_top_box_start;\n\t\t\t\tmov->first_data_toplevel_size = a->size;\n\t\t\t}\n\t\t\ttotSize += a->size;\n\t\t\tif (mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) {\n\t\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\t\tif (e) return e;\n\t\t\t} else if (mov->signal_frag_bounds && !(mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) && (mov->openMode!=GF_ISOM_OPEN_KEEP_FRAGMENTS)\n\t\t\t) {\n\t\t\t\tif (a->type==GF_ISOM_BOX_TYPE_SIDX) {\n\t\t\t\t\tif (mov->root_sidx) gf_isom_box_del( (GF_Box *) mov->root_sidx);\n\t\t\t\t\tmov->root_sidx = (GF_SegmentIndexBox *) a;\n\t\t\t\t\tmov->sidx_start_offset = mov->current_top_box_start;\n\t\t\t\t\tmov->sidx_end_offset = gf_bs_get_position(mov->movieFileMap->bs);\n\n\t\t\t\t}\n\t\t\t\telse if (a->type==GF_ISOM_BOX_TYPE_STYP) {\n\t\t\t\t\tmov->styp_start_offset = mov->current_top_box_start;\n\n\t\t\t\t\tif (mov->seg_styp) gf_isom_box_del(mov->seg_styp);\n\t\t\t\t\tmov->seg_styp = a;\n\t\t\t\t} else if (a->type==GF_ISOM_BOX_TYPE_SSIX) {\n\t\t\t\t\tif (mov->seg_ssix) gf_isom_box_del(mov->seg_ssix);\n\t\t\t\t\tmov->seg_ssix = a;\n\t\t\t\t} else {\n\t\t\t\t\tgf_isom_box_del(a);\n\t\t\t\t}\n\t\t\t\tgf_isom_push_mdat_end(mov, mov->current_top_box_start);\n\t\t\t} else if (!mov->NextMoofNumber && (a->type==GF_ISOM_BOX_TYPE_SIDX)) {\n\t\t\t\tif (mov->main_sidx) gf_isom_box_del( (GF_Box *) mov->main_sidx);\n\t\t\t\tmov->main_sidx = (GF_SegmentIndexBox *) a;\n\t\t\t\tmov->main_sidx_end_pos = mov->current_top_box_start + a->size;\n\t\t\t} else {\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase GF_ISOM_BOX_TYPE_MOOF:\n\t\t\t//no support for inplace rewrite for fragmented files\n\t\t\tgf_isom_disable_inplace_rewrite(mov);\n\t\t\tif (!mov->moov) {\n\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] Movie fragment but no moov (yet) - possibly broken parsing!\\n\"));\n\t\t\t}\n\t\t\tif (mov->single_moof_mode) 
{\n\t\t\t\tmov->single_moof_state++;\n\t\t\t\tif (mov->single_moof_state > 1) {\n\t\t\t\t\tgf_isom_box_del(a);\n\t\t\t\t\treturn GF_OK;\n\t\t\t\t}\n\t\t\t}\n\t\t\t((GF_MovieFragmentBox *)a)->mov = mov;\n\n\t\t\ttotSize += a->size;\n\t\t\tmov->moof = (GF_MovieFragmentBox *) a;\n\n\t\t\t/*some smooth streaming streams contain a SDTP under the TRAF: this is incorrect, convert it*/\n\t\t\tFixTrackID(mov);\n\t\t\tif (! (mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG)) {\n\t\t\t\tFixSDTPInTRAF(mov->moof);\n\t\t\t} else {\n\t\t\t\tu32 k;\n\t\t\t\tfor (k=0; kmoof->TrackList); k++) {\n\t\t\t\t\tGF_TrackFragmentBox *traf = (GF_TrackFragmentBox *)gf_list_get(mov->moof->TrackList, k);\n\t\t\t\t\tif (traf->sampleGroups) {\n\t\t\t\t\t\tconvert_compact_sample_groups(traf->child_boxes, traf->sampleGroups);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t/*read & debug: store at root level*/\n\t\t\tif (mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG) {\n\t\t\t\tu32 k;\n\t\t\t\tgf_list_add(mov->TopBoxes, a);\n\t\t\t\t/*also update pointers to trex for debug*/\n\t\t\t\tif (mov->moov) {\n\t\t\t\t\tfor (k=0; kmoof->TrackList); k++) {\n\t\t\t\t\t\tGF_TrackFragmentBox *traf = gf_list_get(mov->moof->TrackList, k);\n\t\t\t\t\t\tif (traf->tfhd && mov->moov->mvex && mov->moov->mvex->TrackExList) {\n\t\t\t\t\t\t\tGF_TrackBox *trak = gf_isom_get_track_from_id(mov->moov, traf->tfhd->trackID);\n\t\t\t\t\t\t\tu32 j=0;\n\t\t\t\t\t\t\twhile ((traf->trex = (GF_TrackExtendsBox*)gf_list_enum(mov->moov->mvex->TrackExList, &j))) {\n\t\t\t\t\t\t\t\tif (traf->trex->trackID == traf->tfhd->trackID) {\n\t\t\t\t\t\t\t\t\tif (!traf->trex->track) traf->trex->track = trak;\n\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\ttraf->trex = NULL;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\t//we should only parse senc/psec when no saiz/saio is present, otherwise we fetch the info directly\n\t\t\t\t\t\tif (traf->trex && traf->tfhd && traf->trex->track && traf->sample_encryption) {\n\t\t\t\t\t\t\tGF_TrackBox *trak = 
GetTrackbyID(mov->moov, traf->tfhd->trackID);\n\t\t\t\t\t\t\ttrak->current_traf_stsd_idx = traf->tfhd->sample_desc_index ? traf->tfhd->sample_desc_index : traf->trex->def_sample_desc_index;\n\t\t\t\t\t\t\te = senc_Parse(mov->movieFileMap->bs, trak, traf, traf->sample_encryption);\n\t\t\t\t\t\t\tif (e) return e;\n\t\t\t\t\t\t\ttrak->current_traf_stsd_idx = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tfor (k=0; kmoof->TrackList); k++) {\n\t\t\t\t\t\tGF_TrackFragmentBox *traf = gf_list_get(mov->moof->TrackList, k);\n\t\t\t\t\t\tif (traf->sample_encryption) {\n\t\t\t\t\t\t\te = senc_Parse(mov->movieFileMap->bs, NULL, traf, traf->sample_encryption);\n\t\t\t\t\t\t\tif (e) return e;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t}\n\t\t\t} else if (mov->openMode==GF_ISOM_OPEN_KEEP_FRAGMENTS) {\n\t\t\t\tmov->NextMoofNumber = mov->moof->mfhd->sequence_number+1;\n\t\t\t\tmov->moof = NULL;\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t} else {\n\t\t\t\t/*merge all info*/\n\t\t\t\te = MergeFragment((GF_MovieFragmentBox *)a, mov);\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t\tif (e) return e;\n\t\t\t}\n\n\t\t\t//done with moov\n\t\t\tif (mov->root_sidx) {\n\t\t\t\tgf_isom_box_del((GF_Box *) mov->root_sidx);\n\t\t\t\tmov->root_sidx = NULL;\n\t\t\t}\n\t\t\tif (mov->root_ssix) {\n\t\t\t\tgf_isom_box_del(mov->seg_ssix);\n\t\t\t\tmov->root_ssix = NULL;\n\t\t\t}\n\t\t\tif (mov->seg_styp) {\n\t\t\t\tgf_isom_box_del(mov->seg_styp);\n\t\t\t\tmov->seg_styp = NULL;\n\t\t\t}\n\t\t\tmov->sidx_start_offset = 0;\n\t\t\tmov->sidx_end_offset = 0;\n\t\t\tmov->styp_start_offset = 0;\n\t\t\tbreak;\n#endif\n\t\tcase GF_ISOM_BOX_TYPE_UNKNOWN:\n\t\t{\n\t\t\tGF_UnknownBox *box = (GF_UnknownBox*)a;\n\t\t\tif (box->original_4cc == GF_ISOM_BOX_TYPE_JP) {\n\t\t\t\tu8 *c = (u8 *) box->data;\n\t\t\t\tif ((box->dataSize==4) && (GF_4CC(c[0],c[1],c[2],c[3])==(u32)0x0D0A870A))\n\t\t\t\t\tmov->is_jp2 = 1;\n\t\t\t\tgf_isom_box_del(a);\n\t\t\t} else {\n\t\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\t\tif (e) return 
e;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\t\tcase GF_ISOM_BOX_TYPE_PRFT:\n#ifndef GPAC_DISABLE_ISOM_FRAGMENTS\n\t\t\tif (!(mov->FragmentsFlags & GF_ISOM_FRAG_READ_DEBUG)) {\n\t\t\t\t//keep the last one read\n\t\t\t\tif (mov->last_producer_ref_time)\n\t\t\t\t\tgf_isom_box_del(a);\n\t\t\t\telse\n\t\t\t\t\tmov->last_producer_ref_time = (GF_ProducerReferenceTimeBox *)a;\n\t\t\t\tbreak;\n\t\t\t}\n#endif\n\t\t//fallthrough\n\n\t\tdefault:\n\t\t\ttotSize += a->size;\n\t\t\te = gf_list_add(mov->TopBoxes, a);\n\t\t\tif (e) return e;\n\t\t\tbreak;\n\t\t}\n\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\t\t/*remember where we left, in case we append an entire number of movie fragments*/\n\t\tmov->current_top_box_start = gf_bs_get_position(mov->movieFileMap->bs) + mov->bytes_removed;\n#endif\n\t}\n\n\t/*we need at least moov or meta*/\n\tif (!mov->moov && !mov->meta\n#ifndef GPAC_DISABLE_ISOM_FRAGMENTS\n\t && !mov->moof && !mov->is_index_segment\n#endif\n\t ) {\n\t\treturn GF_ISOM_INCOMPLETE_FILE;\n\t}\n\t/*we MUST have movie header*/\n\tif (!gf_opts_get_bool(\"core\", \"no-check\")) {\n\t\tif (mov->moov && !mov->moov->mvhd) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Missing MVHD in MOOV!\\n\"));\n\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t}\n\n\t\t/*we MUST have meta handler*/\n\t\tif (mov->meta && !mov->meta->handler) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Missing handler in META!\\n\"));\n\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t}\n\t}\n\n#ifndef GPAC_DISABLE_ISOM_WRITE\n\n\tif (mov->moov) {\n\t\t/*set the default interleaving time*/\n\t\tmov->interleavingTime = mov->moov->mvhd->timeScale;\n\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\t\t/*in edit mode with successfully loaded fragments, delete all fragment signaling since\n\t\tfile is no longer fragmented*/\n\t\tif ((mov->openMode > GF_ISOM_OPEN_READ) && (mov->openMode != GF_ISOM_OPEN_KEEP_FRAGMENTS) && mov->moov->mvex) {\n\t\t\tgf_isom_box_del_parent(&mov->moov->child_boxes, (GF_Box 
*)mov->moov->mvex);\n\t\t\tmov->moov->mvex = NULL;\n\t\t}\n#endif\n\n\t}\n\n\t//create a default mdat if none was found\n\tif (!mov->mdat && (mov->openMode != GF_ISOM_OPEN_READ) && (mov->openMode != GF_ISOM_OPEN_KEEP_FRAGMENTS)) {\n\t\tmov->mdat = (GF_MediaDataBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_MDAT);\n\t\tif (!mov->mdat) return GF_OUT_OF_MEM;\n\t\te = gf_list_add(mov->TopBoxes, mov->mdat);\n\t\tif (e) return e;\n\t}\n#endif /*GPAC_DISABLE_ISOM_WRITE*/\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 61440798691784431491544950992000959629, "size": 475, "commit_id": "fe5155cf047252d1c4cb91602048bfa682af0ea7", "message": "fixed #1783 (fuzz)", "target": 0, "dataset": "other", "idx": 271715 }, { "func": "GF_Err gf_isom_vvc_config_new(GF_ISOFile *the_file, u32 trackNumber, GF_VVCConfig *cfg, const char *URLname, const char *URNname, u32 *outDescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_Err e;\n\tu32 dataRefIndex;\n\tGF_SampleDescriptionBox *stsd;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\n\te = CanAccessMovie(the_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !cfg) return GF_BAD_PARAM;\n\n\t//get or create the data ref\n\te = Media_FindDataRef(trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\tif (e) return e;\n\tif (!dataRefIndex) {\n\t\te = Media_CreateDataRef(the_file, trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\t\tif (e) return e;\n\t}\n\tif (!the_file->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\n\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\t//create a new entry\n\tentry = (GF_MPEGVisualSampleEntryBox *) gf_isom_box_new_parent(&stsd->child_boxes, GF_ISOM_BOX_TYPE_VVC1);\n\tif (!entry) return GF_OUT_OF_MEM;\n\tentry->vvc_config = 
(GF_VVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_VVCC);\n\tif (!entry->vvc_config) return GF_OUT_OF_MEM;\n\tentry->vvc_config->config = VVC_DuplicateConfig(cfg);\n\tif (!entry->vvc_config->config) return GF_OUT_OF_MEM;\n\tentry->dataReferenceIndex = dataRefIndex;\n\t*outDescriptionIndex = gf_list_count(stsd->child_boxes);\n\treturn e;\n}", "project": "gpac", "hash": 7163695478722625146371025909253980344, "size": 36, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237617 }, { "func": "GF_Err gf_isom_av1_config_new(GF_ISOFile *the_file, u32 trackNumber, GF_AV1Config *cfg, const char *URLname, const char *URNname, u32 *outDescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_Err e;\n\tu32 dataRefIndex;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\tGF_SampleDescriptionBox *stsd;\n\n\te = CanAccessMovie(the_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !cfg) return GF_BAD_PARAM;\n\n\t//get or create the data ref\n\te = Media_FindDataRef(trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\tif (e) return e;\n\tif (!dataRefIndex) {\n\t\te = Media_CreateDataRef(the_file, trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\t\tif (e) return e;\n\t}\n\tif (!the_file->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\n\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\t//create a new entry\n\tentry = (GF_MPEGVisualSampleEntryBox *)gf_isom_box_new_parent(&stsd->child_boxes, GF_ISOM_BOX_TYPE_AV01);\n\tif (!entry) return GF_OUT_OF_MEM;\n\tentry->av1_config = (GF_AV1ConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_AV1C);\n\tif (!entry->av1_config) return GF_OUT_OF_MEM;\n\tentry->av1_config->config = 
AV1_DuplicateConfig(cfg);\n\tif (!entry->av1_config->config) return GF_OUT_OF_MEM;\n\tentry->dataReferenceIndex = dataRefIndex;\n\t*outDescriptionIndex = gf_list_count(stsd->child_boxes);\n\treturn e;\n}", "project": "gpac", "hash": 21085261633421549277742333918230389016, "size": 36, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237574 }, { "func": "static GF_Err gf_isom_avc_config_update_ex(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex, GF_AVCConfig *cfg, u32 op_type, Bool keep_xps)\n{\n\tGF_TrackBox *trak;\n\tGF_Err e;\n\tu32 i;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\n\te = CanAccessMovie(the_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !DescriptionIndex) return GF_BAD_PARAM;\n\tentry = (GF_MPEGVisualSampleEntryBox *)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1);\n\tif (!entry) return GF_BAD_PARAM;\n\tswitch (entry->type) {\n\tcase GF_ISOM_BOX_TYPE_AVC1:\n\tcase GF_ISOM_BOX_TYPE_AVC2:\n\tcase GF_ISOM_BOX_TYPE_AVC3:\n\tcase GF_ISOM_BOX_TYPE_AVC4:\n\tcase GF_ISOM_BOX_TYPE_SVC1:\n\tcase GF_ISOM_BOX_TYPE_MVC1:\n\t\tbreak;\n\tdefault:\n\t\treturn GF_BAD_PARAM;\n\t}\n\n\tswitch (op_type) {\n\t/*AVCC replacement*/\n\tcase 0:\n\t\tif (!cfg) return GF_BAD_PARAM;\n\t\tif (!entry->avc_config) {\n\t\t\tentry->avc_config = (GF_AVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_AVCC);\n\t\t\tif (!entry->avc_config) return GF_OUT_OF_MEM;\n\t\t}\n\t\tif (entry->avc_config->config) gf_odf_avc_cfg_del(entry->avc_config->config);\n\t\tentry->avc_config->config = AVC_DuplicateConfig(cfg);\n\t\tif (!entry->avc_config->config) return GF_OUT_OF_MEM;\n\t\tentry->type = GF_ISOM_BOX_TYPE_AVC1;\n\t\tbreak;\n\t/*SVCC replacement*/\n\tcase 1:\n\t\tif (!cfg) return GF_BAD_PARAM;\n\t\tif (!entry->svc_config) 
{\n\t\t\tentry->svc_config = (GF_AVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_SVCC);\n\t\t\tif (!entry->svc_config) return GF_OUT_OF_MEM;\n\t\t}\n\t\tif (entry->svc_config->config) gf_odf_avc_cfg_del(entry->svc_config->config);\n\t\tentry->svc_config->config = AVC_DuplicateConfig(cfg);\n\t\tif (!entry->svc_config->config) return GF_OUT_OF_MEM;\n\t\tentry->type = GF_ISOM_BOX_TYPE_AVC1;\n\t\tbreak;\n\t/*SVCC replacement and AVC removal*/\n\tcase 2:\n\t\tif (!cfg) return GF_BAD_PARAM;\n\t\tif (entry->avc_config) {\n\t\t\tgf_isom_box_del_parent(&entry->child_boxes, (GF_Box*)entry->avc_config);\n\t\t\tentry->avc_config = NULL;\n\t\t}\n\t\tif (!entry->svc_config) {\n\t\t\tentry->svc_config = (GF_AVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_SVCC);\n\t\t\tif (!entry->svc_config) return GF_OUT_OF_MEM;\n\t\t}\n\t\tif (entry->svc_config->config) gf_odf_avc_cfg_del(entry->svc_config->config);\n\t\tentry->svc_config->config = AVC_DuplicateConfig(cfg);\n\t\tif (!entry->svc_config->config) return GF_OUT_OF_MEM;\n\t\tentry->type = GF_ISOM_BOX_TYPE_SVC1;\n\t\tbreak;\n\t/*AVCC removal and switch to avc3*/\n\tcase 3:\n\t\tif (!entry->avc_config || !entry->avc_config->config)\n\t\t\treturn GF_BAD_PARAM;\n\t\tif (!keep_xps) {\n\t\t\tfor (i=0; i<3; i++) {\n\t\t\t\tGF_AVCConfigurationBox *a_cfg = entry->avc_config;\n\t\t\t\tif (i==1) a_cfg = entry->svc_config;\n\t\t\t\telse if (i==2) a_cfg = entry->mvc_config;\n\t\t\t\tif (!a_cfg) continue;\n\n\n\t\t\t\twhile (gf_list_count(a_cfg->config->sequenceParameterSets)) {\n\t\t\t\t\tGF_NALUFFParam *sl = (GF_NALUFFParam*)gf_list_get(a_cfg->config->sequenceParameterSets, 0);\n\t\t\t\t\tgf_list_rem(a_cfg->config->sequenceParameterSets, 0);\n\t\t\t\t\tif (sl->data) gf_free(sl->data);\n\t\t\t\t\tgf_free(sl);\n\t\t\t\t}\n\n\t\t\t\twhile (gf_list_count(a_cfg->config->pictureParameterSets)) {\n\t\t\t\t\tGF_NALUFFParam *sl = 
(GF_NALUFFParam*)gf_list_get(a_cfg->config->pictureParameterSets, 0);\n\t\t\t\t\tgf_list_rem(a_cfg->config->pictureParameterSets, 0);\n\t\t\t\t\tif (sl->data) gf_free(sl->data);\n\t\t\t\t\tgf_free(sl);\n\t\t\t\t}\n\n\t\t\t\twhile (gf_list_count(a_cfg->config->sequenceParameterSetExtensions)) {\n\t\t\t\t\tGF_NALUFFParam *sl = (GF_NALUFFParam*)gf_list_get(a_cfg->config->sequenceParameterSetExtensions, 0);\n\t\t\t\t\tgf_list_rem(a_cfg->config->sequenceParameterSetExtensions, 0);\n\t\t\t\t\tif (sl->data) gf_free(sl->data);\n\t\t\t\t\tgf_free(sl);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (entry->type == GF_ISOM_BOX_TYPE_AVC1)\n\t\t\tentry->type = GF_ISOM_BOX_TYPE_AVC3;\n\t\telse if (entry->type == GF_ISOM_BOX_TYPE_AVC2)\n\t\t\tentry->type = GF_ISOM_BOX_TYPE_AVC4;\n\t\tbreak;\n\t/*MVCC replacement*/\n\tcase 4:\n\t\tif (!cfg) return GF_BAD_PARAM;\n\t\tif (!entry->mvc_config) {\n\t\t\tentry->mvc_config = (GF_AVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_MVCC);\n\t\t\tif (!entry->mvc_config) return GF_OUT_OF_MEM;\n\t\t}\n\t\tif (entry->mvc_config->config) gf_odf_avc_cfg_del(entry->mvc_config->config);\n\t\tentry->mvc_config->config = AVC_DuplicateConfig(cfg);\n\t\tif (!entry->mvc_config->config) return GF_OUT_OF_MEM;\n\t\tentry->type = GF_ISOM_BOX_TYPE_AVC1;\n\t\te = gf_isom_check_mvc(the_file, trak, entry);\n\t\tif (e) return e;\n\t\tbreak;\n\t/*MVCC replacement and AVC removal*/\n\tcase 5:\n\t\tif (!cfg) return GF_BAD_PARAM;\n\t\tif (entry->avc_config) {\n\t\t\tgf_isom_box_del_parent(&entry->child_boxes, (GF_Box*)entry->avc_config);\n\t\t\tentry->avc_config = NULL;\n\t\t}\n\t\tif (!entry->mvc_config) {\n\t\t\tentry->mvc_config = (GF_AVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_MVCC);\n\t\t\tif (!entry->mvc_config) return GF_OUT_OF_MEM;\n\t\t}\n\t\tif (entry->mvc_config->config) gf_odf_avc_cfg_del(entry->mvc_config->config);\n\t\tentry->mvc_config->config = AVC_DuplicateConfig(cfg);\n\t\tif 
(!entry->mvc_config->config) return GF_OUT_OF_MEM;\n\t\tentry->type = GF_ISOM_BOX_TYPE_MVC1;\n\t\te = gf_isom_check_mvc(the_file, trak, entry);\n\t\tif (e) return e;\n\t\tbreak;\n\t}\n\tAVC_RewriteESDescriptor(entry);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 42076054533264478677546357078287072685, "size": 142, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237553 }, { "func": "GF_EXPORT\nGF_Err gf_isom_apple_get_tag(GF_ISOFile *mov, GF_ISOiTunesTag tag, const u8 **data, u32 *data_len)\n{\n\tu32 i;\n\tGF_ListItemBox *info;\n\tGF_ItemListBox *ilst;\n\tGF_MetaBox *meta;\n\n\t*data = NULL;\n\t*data_len = 0;\n\n\tmeta = (GF_MetaBox *) gf_isom_get_meta_extensions(mov, GF_FALSE);\n\tif (!meta) return GF_URL_ERROR;\n\n\tilst = gf_ismo_locate_box(meta->child_boxes, GF_ISOM_BOX_TYPE_ILST, NULL);\n\tif (!ilst) return GF_URL_ERROR;\n\n\tif (tag==GF_ISOM_ITUNE_PROBE) return gf_list_count(ilst->child_boxes) ? GF_OK : GF_URL_ERROR;\n\n\ti=0;\n\twhile ( (info=(GF_ListItemBox*)gf_list_enum(ilst->child_boxes, &i))) {\n\t\tif (info->type==tag) break;\n\t\t/*special cases*/\n\t\tif ((tag==GF_ISOM_ITUNE_GENRE) && (info->type==(u32) GF_ISOM_ITUNE_GENRE_USER)) break;\n\t\tinfo = NULL;\n\t}\n\tif (!info || !info->data || !info->data->data) return GF_URL_ERROR;\n\n\tif ((tag == GF_ISOM_ITUNE_GENRE) && (info->data->flags == 0)) {\n\t\tif (info->data->dataSize && (info->data->dataSize>2) && (info->data->dataSize < 5)) {\n\t\t\tGF_BitStream* bs = gf_bs_new(info->data->data, info->data->dataSize, GF_BITSTREAM_READ);\n\t\t\t*data_len = gf_bs_read_int(bs, info->data->dataSize * 8);\n\t\t\tgf_bs_del(bs);\n\t\t\treturn GF_OK;\n\t\t}\n\t}\n//\tif (info->data->flags != 0x1) return GF_URL_ERROR;\n\t*data = info->data->data;\n\t*data_len = info->data->dataSize;\n\tif ((tag==GF_ISOM_ITUNE_COVER_ART) && (info->data->flags==14)) *data_len |= 0x80000000; //(1<<31);\n\treturn GF_OK;", "project": "gpac", "hash": 
88795659724768972224635285010028374837, "size": 41, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246819 }, { "func": "GF_Err stbl_GetSampleDepType(GF_SampleDependencyTypeBox *sdep, u32 SampleNumber, u32 *isLeading, u32 *dependsOn, u32 *dependedOn, u32 *redundant)\n{\n\tu8 flag;\n\n\tassert(dependsOn && dependedOn && redundant);\n\t*dependsOn = *dependedOn = *redundant = 0;\n\n\tif (SampleNumber > sdep->sampleCount) {\n\t\treturn GF_OK;\n\t}\n\tflag = sdep->sample_info[SampleNumber-1];\n\t*isLeading = (flag >> 6) & 3;\n\t*dependsOn = (flag >> 4) & 3;\n\t*dependedOn = (flag >> 2) & 3;\n\t*redundant = (flag) & 3;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 129154241460964049559775093329868426125, "size": 17, "commit_id": "2da2f68bffd51d89b1d272d22aa8cc023c1c066e", "message": "fixed #1705", "target": 0, "dataset": "other", "idx": 258560 }, { "func": "GF_Err stbl_AppendSampleToChunk(GF_SampleTableBox *stbl, u32 DescIndex, u32 samplesInChunk)\n{\n\tu32 nextChunk;\n\tGF_SampleToChunkBox *stsc= stbl->SampleToChunk;\n\tGF_StscEntry *ent;\n\n\tnextChunk = ((GF_ChunkOffsetBox *) stbl->ChunkOffset)->nb_entries;\n\n\tif (stsc->nb_entries) {\n\t\tent = &stsc->entries[stsc->nb_entries-1];\n\t\t//good we can use this one\n\t\tif ( (ent->sampleDescriptionIndex == DescIndex) && (ent->samplesPerChunk==samplesInChunk))\n\t\t\treturn GF_OK;\n\n\t\t//set the next chunk btw ...\n\t\tent->nextChunk = nextChunk;\n\t}\n\tif (stsc->nb_entries==stsc->alloc_size) {\n\t\tALLOC_INC(stsc->alloc_size);\n\t\tstsc->entries = gf_realloc(stsc->entries, sizeof(GF_StscEntry)*stsc->alloc_size);\n\t\tif (!stsc->entries) return GF_OUT_OF_MEM;\n\t\tmemset(&stsc->entries[stsc->nb_entries], 0, sizeof(GF_StscEntry)*(stsc->alloc_size - stsc->nb_entries) );\n\t}\n\t//ok we need a new entry - this assumes this function is called AFTER AppendChunk\n\tent = &stsc->entries[stsc->nb_entries];\n\tent->firstChunk = 
nextChunk;\n\tent->sampleDescriptionIndex = DescIndex;\n\tent->samplesPerChunk = samplesInChunk;\n\tent->isEdited = 0;\n\tstsc->nb_entries++;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 30747270135667918758883124915443163493, "size": 32, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267902 }, { "func": "static GF_Err unpack_track(GF_TrackBox *trak)\n{\n\tGF_Err e = GF_OK;\n\tif (!trak->is_unpacked) {\n\t\te = stbl_UnpackOffsets(trak->Media->information->sampleTable);\n\t\tif (e) return e;\n\t\te = stbl_unpackCTS(trak->Media->information->sampleTable);\n\t\ttrak->is_unpacked = GF_TRUE;\n\t}\n\treturn e;\n}", "project": "gpac", "hash": 73946299311408532729029704385770651492, "size": 11, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267306 }, { "func": "\n\nGF_Err dump_isom_chapters(GF_ISOFile *file, char *inName, Bool is_final_name, u32 dump_mode)\n{\n\tFILE *t;\n\tu32 i, count;\n\tu32 chap_tk = 0;\n\tcount = gf_isom_get_chapter_count(file, 0);\n\n\tif (dump_mode==2) dump_mode = GF_TEXTDUMPTYPE_OGG_CHAP;\n\telse if (dump_mode==3) dump_mode = GF_TEXTDUMPTYPE_ZOOM_CHAP;\n\telse dump_mode = GF_TEXTDUMPTYPE_TTXT_CHAP;\n\n\tif (!count) {\n\t\tfor (i=0; i\\n\");\n\t\tfprintf(t, \"\\n\");\n\t\tfprintf(t, \"\\n\");\n\t\tfprintf(t, \"\\n\");\n\t\tfprintf(t, \"\\n\");\n\t}\n\n\tfor (i=0; i%s\\n\"\n\t\t\t\t, format_duration(chapter_time, 1000, szDur), name);\n\t\t}\n\t}\n\tif (dump_mode==GF_TEXTDUMPTYPE_TTXT_CHAP) {\n\t\tfprintf(t, \"\\n\");\n\t}\n\tif (inName) gf_fclose(t);", "project": "gpac", "hash": 56771494346431797919526769933135437525, "size": 76, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243208 }, { "func": "\n\nGF_Err dump_isom_chapters(GF_ISOFile *file, char *inName, Bool is_final_name, u32 dump_mode)\n{\n\tFILE 
*t;\n\tu32 i, count;\n\tu32 chap_tk = 0;\n\tcount = gf_isom_get_chapter_count(file, 0);\n\n\tif (dump_mode==2) dump_mode = GF_TEXTDUMPTYPE_OGG_CHAP;\n\telse if (dump_mode==3) dump_mode = GF_TEXTDUMPTYPE_ZOOM_CHAP;\n\telse dump_mode = GF_TEXTDUMPTYPE_TTXT_CHAP;\n\n\tif (!count) {\n\t\tfor (i=0; i\\n\");\n\t\tfprintf(t, \"\\n\");\n\t\tfprintf(t, \"\\n\");\n\t\tfprintf(t, \"\\n\");\n\t\tfprintf(t, \"\\n\");\n\t}\n\n\tfor (i=0; i%s\\n\"\n\t\t\t\t, format_duration(chapter_time, 1000, szDur), name);\n\t\t}\n\t}\n\tif (dump_mode==GF_TEXTDUMPTYPE_TTXT_CHAP) {\n\t\tfprintf(t, \"\\n\");\n\t}\n\tif (inName) gf_fclose(t);", "project": "gpac", "hash": 213703976878677770452469856511225159814, "size": 76, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249532 }, { "func": "u32 gf_isom_find_od_id_for_track(GF_ISOFile *file, u32 track)\n{\n\tu32 i, j, di, the_od_id;\n\tGF_TrackBox *od_tk;\n\tGF_TrackBox *tk = gf_isom_get_track_from_file(file, track);\n\tif (!tk) return 0;\n\n\ti=0;\n\twhile ( (od_tk = (GF_TrackBox*)gf_list_enum(file->moov->trackList, &i))) {\n\t\tif (od_tk->Media->handler->handlerType != GF_ISOM_MEDIA_OD) continue;\n\n\t\tfor (j=0; jMedia->information->sampleTable->SampleSize->sampleCount; j++) {\n\t\t\tGF_ISOSample *samp = gf_isom_get_sample(file, i, j+1, &di);\n\t\t\tthe_od_id = Media_FindOD_ID(od_tk->Media, samp, tk->Header->trackID);\n\t\t\tgf_isom_sample_del(&samp);\n\t\t\tif (the_od_id) return the_od_id;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "gpac", "hash": 102159453574047561271566824763060860634, "size": 20, "commit_id": "f0ba83717b6e4d7a15a1676d1fe06152e199b011", "message": "fixed #1772 (fuzz)", "target": 0, "dataset": "other", "idx": 265419 }, { "func": "static GF_Err process_extractor(GF_ISOFile *file, GF_MediaBox *mdia, u32 sampleNumber, u64 sampleDTS, u32 nal_size, u16 nal_hdr, u32 nal_unit_size_field, Bool is_hevc, Bool rewrite_ps, Bool rewrite_start_codes, u32 
extractor_mode)\n{\n\tGF_Err e;\n\tu32 di, ref_track_index, ref_track_num, data_offset, data_length, cur_extract_mode, ref_extract_mode, ref_nalu_size, nb_bytes_nalh;\n\tGF_TrackReferenceTypeBox *dpnd;\n\tGF_TrackBox *ref_trak;\n\ts8 sample_offset;\n\tu32 last_byte, ref_sample_num, prev_ref_sample_num;\n\tBool header_written = GF_FALSE;\n\tnb_bytes_nalh = is_hevc ? 2 : 1;\n\n\tswitch (extractor_mode) {\n\tcase 0:\n\t\tlast_byte = (u32) gf_bs_get_position(mdia->nalu_parser) + nal_size - (is_hevc ? 2 : 1);\n\t\tif (!is_hevc) gf_bs_read_int(mdia->nalu_parser, 24); //1 byte for HEVC , 3 bytes for AVC of NALUHeader in extractor\n\t\twhile (gf_bs_get_position(mdia->nalu_parser) < last_byte) {\n\t\t\tu32 xmode = 0;\n\t\t\t//hevc extractors use constructors\n\t\t\tif (is_hevc) xmode = gf_bs_read_u8(mdia->nalu_parser);\n\t\t\tif (xmode) {\n\t\t\t\tu8 done=0, len = gf_bs_read_u8(mdia->nalu_parser);\n\t\t\t\twhile (donenalu_parser);\n\t\t\t\t\tdone++;\n\t\t\t\t\tif (header_written) {\n\t\t\t\t\t\tgf_bs_write_u8(mdia->nalu_out_bs, c);\n\t\t\t\t\t} else if (done==nal_unit_size_field) {\n\t\t\t\t\t\tif (rewrite_start_codes) {\n\t\t\t\t\t\t\tgf_bs_write_int(mdia->nalu_out_bs, 1, 32);\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tgf_bs_write_u8(mdia->nalu_out_bs, c);\n\t\t\t\t\t\t}\n\t\t\t\t\t\theader_written = GF_TRUE;\n\t\t\t\t\t} else if (!rewrite_start_codes) {\n\t\t\t\t\t\tgf_bs_write_u8(mdia->nalu_out_bs, c);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tref_track_index = gf_bs_read_u8(mdia->nalu_parser);\n\t\t\tsample_offset = (s8) gf_bs_read_int(mdia->nalu_parser, 8);\n\t\t\tdata_offset = gf_bs_read_int(mdia->nalu_parser, nal_unit_size_field*8);\n\t\t\tdata_length = gf_bs_read_int(mdia->nalu_parser, nal_unit_size_field*8);\n\n\t\t\tTrack_FindRef(mdia->mediaTrack, GF_ISOM_REF_SCAL, &dpnd);\n\t\t\tref_track_num = 0;\n\t\t\tif (dpnd && ref_track_index && (ref_track_index<=dpnd->trackIDCount))\n\t\t\t\tref_track_num = gf_isom_get_track_by_id(file, 
dpnd->trackIDs[ref_track_index-1]);\n\n\t\t\tif (!ref_track_num) {\n\t\t\t\tGF_LOG(GF_LOG_INFO, GF_LOG_CONTAINER, (\"ISOBMF: Extractor target track is not present in file - skipping.\\n\"));\n\t\t\t\treturn GF_OK;\n\t\t\t}\n\n\t\t\tcur_extract_mode = gf_isom_get_nalu_extract_mode(file, ref_track_num);\n\n\t\t\t//we must be in inspect mode only otherwise the reference sample will not be the one stored on file (change in start codes, PS inserted or other NALUs inserted)\n\t\t\t//and this will corrupt extraction (wrong data offsets)\n\t\t\tref_extract_mode = GF_ISOM_NALU_EXTRACT_INSPECT;\n\t\t\tgf_isom_set_nalu_extract_mode(file, ref_track_num, ref_extract_mode);\n\n\t\t\tref_trak = gf_isom_get_track_from_file(file, ref_track_num);\n\t\t\tif (!ref_trak) return GF_ISOM_INVALID_FILE;\n\n\t\t\tif (!mdia->extracted_samp) {\n\t\t\t\tmdia->extracted_samp = gf_isom_sample_new();\n\t\t\t\tif (!mdia->extracted_samp) return GF_IO_ERR;\n\t\t\t}\n\t\t\tif (!mdia->extracted_bs) {\n\t\t\t\tmdia->extracted_bs = gf_bs_new(\"a\", 1, GF_BITSTREAM_READ);\n\t\t\t\tif (!mdia->extracted_bs) return GF_IO_ERR;\n\t\t\t}\n\n\t\t\te = stbl_findEntryForTime(ref_trak->Media->information->sampleTable, sampleDTS, 0, &ref_sample_num, &prev_ref_sample_num);\n\t\t\tif (e) return e;\n\t\t\tif (!ref_sample_num) ref_sample_num = prev_ref_sample_num;\n\t\t\tif (!ref_sample_num) return GF_ISOM_INVALID_FILE;\n\t\t\tif ((sample_offset<0) && (ref_sample_num > (u32) -sample_offset)) return GF_ISOM_INVALID_FILE;\n\t\t\tref_sample_num = (u32) ( (s32) ref_sample_num + sample_offset);\n\n\t\t\te = Media_GetSample(ref_trak->Media, ref_sample_num, &mdia->extracted_samp, &di, GF_FALSE, NULL);\n\t\t\tif (e) return e;\n\t\t\tif (!mdia->extracted_samp->alloc_size)\n\t\t\t\tmdia->extracted_samp->alloc_size = mdia->extracted_samp->dataLength;\n#if 0\n\t\t\tif (!header_written && rewrite_start_codes) {\n\t\t\t\tgf_bs_write_int(dst_bs, 1, 32);\n\t\t\t\tif (is_hevc) {\n\t\t\t\t\tgf_bs_write_int(dst_bs, 0, 
1);\n\t\t\t\t\tgf_bs_write_int(dst_bs, GF_HEVC_NALU_ACCESS_UNIT, 6);\n\t\t\t\t\tgf_bs_write_int(dst_bs, 0, 9);\n\t\t\t\t\t/*pic-type - by default we signal all slice types possible*/\n\t\t\t\t\tgf_bs_write_int(dst_bs, 2, 3);\n\t\t\t\t\tgf_bs_write_int(dst_bs, 0, 5);\n\t\t\t\t} else {\n\t\t\t\t\tgf_bs_write_int(dst_bs, (ref_samp->data[0] & 0x60) | GF_AVC_NALU_ACCESS_UNIT, 8);\n\t\t\t\t\tgf_bs_write_int(dst_bs, 0xF0 , 8); /*7 \"all supported NALUs\" (=111) + rbsp trailing (10000)*/;\n\t\t\t\t}\n\t\t\t}\n#endif\n\t\t\tgf_bs_reassign_buffer(mdia->extracted_bs, mdia->extracted_samp->data + data_offset, mdia->extracted_samp->dataLength - data_offset);\n\n\t\t\tif (mdia->extracted_samp->dataLength - data_offset >= data_length) {\n\n\t\t\t\twhile (data_length && gf_bs_available(mdia->extracted_bs)) {\n\t\t\t\t\tif (!header_written) {\n\t\t\t\t\t\tref_nalu_size = gf_bs_read_int(mdia->extracted_bs, 8*nal_unit_size_field);\n\n\t\t\t\t\t\tassert(data_length>nal_unit_size_field);\n\t\t\t\t\t\tdata_length -= nal_unit_size_field;\n\t\t\t\t\t\tif (data_length > gf_bs_available(mdia->extracted_bs)) {\n\t\t\t\t\t\t\tdata_length = (u32)gf_bs_available(mdia->extracted_bs);\n\t\t\t\t\t\t}\n\t\t\t\t\t} else {\n\t\t\t\t\t\tref_nalu_size = data_length;\n\t\t\t\t\t}\n\n\t\t\t\t\tif (ref_nalu_size > mdia->tmp_nal_copy_buffer_alloc) {\n\t\t\t\t\t\tmdia->tmp_nal_copy_buffer_alloc = ref_nalu_size;\n\t\t\t\t\t\tmdia->tmp_nal_copy_buffer = (char*) gf_realloc(mdia->tmp_nal_copy_buffer, sizeof(char) * ref_nalu_size );\n\t\t\t\t\t}\n\t\t\t\t\tgf_bs_read_data(mdia->extracted_bs, mdia->tmp_nal_copy_buffer, ref_nalu_size);\n\n\t\t\t\t\tif (!header_written) {\n\t\t\t\t\t\tif (rewrite_start_codes)\n\t\t\t\t\t\t\tgf_bs_write_u32(mdia->nalu_out_bs, 1);\n\t\t\t\t\t\telse\n\t\t\t\t\t\t\tgf_bs_write_int(mdia->nalu_out_bs, ref_nalu_size, 8*nal_unit_size_field);\n\t\t\t\t\t}\n\t\t\t\t\tassert(data_length >= ref_nalu_size);\n\t\t\t\t\tgf_bs_write_data(mdia->nalu_out_bs, mdia->tmp_nal_copy_buffer, 
ref_nalu_size);\n\t\t\t\t\tdata_length -= ref_nalu_size;\n\n\t\t\t\t\theader_written = GF_FALSE;\n\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"ISOBMF: Extractor size is larger than referred sample size - skipping.\\n\"));\n\t\t\t}\n\t\t\tgf_isom_set_nalu_extract_mode(file, ref_track_num, cur_extract_mode);\n\n\t\t\tif (!is_hevc) break;\n\t\t}\n\t\tbreak;\n\tcase 1:\n\t\t//skip to end of this NALU\n\t\tgf_bs_skip_bytes(mdia->nalu_parser, nal_size - nb_bytes_nalh);\n\t\tbreak;\n\tcase 2:\n\t\tif (nal_size - nb_bytes_nalh > mdia->tmp_nal_copy_buffer_alloc) {\n\t\t\tmdia->tmp_nal_copy_buffer_alloc = nal_size - nb_bytes_nalh;\n\t\t\tmdia->tmp_nal_copy_buffer = (char*) gf_realloc(mdia->tmp_nal_copy_buffer, sizeof(char) * (nal_size - nb_bytes_nalh) );\n\t\t}\n\t\tgf_bs_read_data(mdia->nalu_parser, mdia->tmp_nal_copy_buffer, nal_size - nb_bytes_nalh);\n\t\tif (rewrite_start_codes)\n\t\t\tgf_bs_write_u32(mdia->nalu_out_bs, 1);\n\t\telse\n\t\t\tgf_bs_write_int(mdia->nalu_out_bs, nal_size, 8*nal_unit_size_field);\n\n\t\tgf_bs_write_u8(mdia->nalu_out_bs, nal_hdr);\n\t\tgf_bs_write_data(mdia->nalu_out_bs, mdia->tmp_nal_copy_buffer, nal_size - nb_bytes_nalh);\n\t\tbreak;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 49286742869013633139401366891195228409, "size": 166, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237578 }, { "func": "static u32 PrintHelpForArgs(char *arg_name, GF_GPACArg *args, u32 search_type)\n{\n\tu32 res=0;\n\tu32 i=0;\n\tu32 alen = (u32) strlen(arg_name);\n\twhile (args[i].name) {\n\t\tu32 flags=0;\n\t\tGF_GPACArg *arg = &args[i];\n\t\tGF_GPACArg an_arg;\n\t\tBool do_match = GF_FALSE;\n\n\t\tif (args==ImportFileOpts) {\n\t\t\tflags = GF_PRINTARG_COLON;\n\t\t\tif (!strncmp(arg_name, arg->name, alen) && ((arg->name[alen]==0) || (arg->name[alen]=='=')))\n\t\t\t\tdo_match = GF_TRUE;\n\t\t}\n\t\telse if (!strcmp(arg_name, 
arg->name))\n\t\t\tdo_match = GF_TRUE;\n\t\telse if ((alen < (u32) strlen(arg->name)) && (arg->name[alen]==' ') && !strncmp(arg_name, arg->name, alen))\n\t\t\tdo_match = GF_TRUE;\n\n\t\tif (arg_name[0] == '@')\n\t\t\tdo_match = GF_TRUE;\n\n\t\tif ((search_type==SEARCH_ARG_EXACT) && !do_match) {\n\t\t\ti++;\n\t\t\tcontinue;\n\t\t}\n\t\tif ((search_type==SEARCH_ARG_CLOSE) && !gf_sys_word_match(arg_name, arg->name)) {\n\t\t\ti++;\n\t\t\tcontinue;\n\t\t}\n\t\tif ((search_type==SEARCH_DESC) && !strstr_nocase(arg->description, arg_name, alen)) {\n\t\t\ti++;\n\t\t\tcontinue;\n\t\t}\n\n\t\tan_arg = *arg;\n\t\tif (search_type!=SEARCH_ARG_EXACT) {\n\t\t\tan_arg.description = NULL;\n\t\t\tan_arg.type = GF_ARG_BOOL;\n\t\t}\n\t\tgf_sys_print_arg(helpout, flags, &an_arg, \"\");\n\t\tres++;\n\t\ti++;\n\t}\n\treturn res;\n}", "project": "gpac", "hash": 222590724360829522078688314755601333391, "size": 48, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244380 }, { "func": "void gf_isom_cenc_set_saiz_saio(GF_SampleEncryptionBox *senc, GF_SampleTableBox *stbl, GF_TrackFragmentBox *traf, u32 len, Bool saio_32bits, Bool use_multikey)\n{\n\tu32 i;\n\tGF_List **child_boxes = stbl ? &stbl->child_boxes : &traf->child_boxes;\n\tif (!senc->cenc_saiz) {\n\t\tsenc->cenc_saiz = (GF_SampleAuxiliaryInfoSizeBox *) gf_isom_box_new_parent(child_boxes, GF_ISOM_BOX_TYPE_SAIZ);\n\t\tif (!senc->cenc_saiz) return;\n\t\t//as per 3rd edition of cenc \"so content SHOULD be created omitting these optional fields\" ...\n\t\tsenc->cenc_saiz->aux_info_type = 0;\n\t\tsenc->cenc_saiz->aux_info_type_parameter = use_multikey ? 
1 : 0;\n\t\tif (stbl)\n\t\t\tstbl_on_child_box((GF_Box*)stbl, (GF_Box *)senc->cenc_saiz, GF_FALSE);\n\t\telse\n\t\t\ttraf_on_child_box((GF_Box*)traf, (GF_Box *)senc->cenc_saiz, GF_FALSE);\n\t}\n\tif (!senc->cenc_saio) {\n\t\tsenc->cenc_saio = (GF_SampleAuxiliaryInfoOffsetBox *) gf_isom_box_new_parent(child_boxes, GF_ISOM_BOX_TYPE_SAIO);\n\t\tif (!senc->cenc_saio) return;\n\t\t//force using version 1 for saio box, it could be redundant when we use 64 bits for offset\n\t\tsenc->cenc_saio->version = saio_32bits ? 0 : 1;\n\t\t//as per 3rd edition of cenc \"so content SHOULD be created omitting these optional fields\" ...\n\t\tsenc->cenc_saio->aux_info_type = 0;\n\t\tsenc->cenc_saiz->aux_info_type_parameter = use_multikey ? 1 : 0;\n\t\tsenc->cenc_saio->entry_count = 1;\n\t\tif (stbl)\n\t\t\tstbl_on_child_box((GF_Box*)stbl, (GF_Box *)senc->cenc_saio, GF_FALSE);\n\t\telse\n\t\t\ttraf_on_child_box((GF_Box*)traf, (GF_Box *)senc->cenc_saio, GF_FALSE);\n\t}\n\n\tif (!senc->cenc_saiz->sample_count || ((senc->cenc_saiz->default_sample_info_size==len) && len) ) {\n\t\tsenc->cenc_saiz->sample_count ++;\n\t\tsenc->cenc_saiz->default_sample_info_size = len;\n\t} else {\n\t\tif (senc->cenc_saiz->sample_count + 1 > senc->cenc_saiz->sample_alloc) {\n\t\t\tif (!senc->cenc_saiz->sample_alloc) senc->cenc_saiz->sample_alloc = senc->cenc_saiz->sample_count+1;\n\t\t\telse senc->cenc_saiz->sample_alloc *= 2;\n\n\t\t\tsenc->cenc_saiz->sample_info_size = (u8*)gf_realloc(senc->cenc_saiz->sample_info_size, sizeof(u8)*(senc->cenc_saiz->sample_alloc));\n\t\t}\n\n\t\tif (senc->cenc_saiz->default_sample_info_size || (senc->cenc_saiz->sample_count==1)) {\n\t\t\tfor (i=0; icenc_saiz->sample_count; i++)\n\t\t\t\tsenc->cenc_saiz->sample_info_size[i] = senc->cenc_saiz->default_sample_info_size;\n\t\t\tsenc->cenc_saiz->default_sample_info_size = 0;\n\t\t}\n\t\tsenc->cenc_saiz->sample_info_size[senc->cenc_saiz->sample_count] = len;\n\t\tsenc->cenc_saiz->sample_count++;\n\t}\n}", "project": "gpac", "hash": 
62036189772832913759283115687672212448, "size": 50, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275441 }, { "func": "GF_Err gf_isom_set_edit_with_rate(GF_ISOFile *movie, u32 trackNumber, u64 EditTime, u64 EditDuration, u64 MediaTime, u32 media_rate)\n{\n\treturn gf_isom_set_edit_internal(movie, trackNumber, EditTime, EditDuration, MediaTime, media_rate, GF_ISOM_EDIT_NORMAL+1);\n\n}", "project": "gpac", "hash": 197664470835795349974355703685547173036, "size": 5, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267230 }, { "func": "GF_EXPORT\nBool gf_isom_needs_layer_reconstruction(GF_ISOFile *file)\n{\n\tu32 count, i;\n\tif (!file)\n\t\treturn GF_FALSE;\n\tcount = gf_isom_get_track_count(file);\n\tfor (i = 0; i < count; i++) {\n\t\tif (gf_isom_get_reference_count(file, i+1, GF_ISOM_REF_SCAL) > 0) {\n\t\t\treturn GF_TRUE;\n\t\t}\n\t\tif (gf_isom_get_reference_count(file, i+1, GF_ISOM_REF_SABT) > 0) {\n\t\t\treturn GF_TRUE;\n\t\t}\n\t\tswitch (gf_isom_get_media_subtype(file, i+1, 1)) {\n\t\tcase GF_ISOM_SUBTYPE_LHV1:\n\t\tcase GF_ISOM_SUBTYPE_LHE1:\n\t\tcase GF_ISOM_SUBTYPE_HVC2:\n\t\tcase GF_ISOM_SUBTYPE_HEV2:\n\t\t\tif (gf_isom_get_reference_count(file, i+1, GF_ISOM_REF_BASE) > 0) {\n\t\t\t\treturn GF_TRUE;\n\t\t\t}\n\t\t}\n\t}\n\treturn GF_FALSE;", "project": "gpac", "hash": 325434267007135666694676173028023756646, "size": 25, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246830 }, { "func": "}\n\nGF_Err rip_mpd(const char *mpd_src, const char *output_dir)\n{\n\tGF_DownloadSession *sess;\n\tu32 i, connect_time, reply_time, download_time, req_hdr_size, rsp_hdr_size;\n\tGF_Err e;\n\tGF_DOMParser *mpd_parser=NULL;\n\tGF_MPD *mpd=NULL;\n\tGF_MPD_Period *period;\n\tGF_MPD_AdaptationSet *as;\n\tGF_MPD_Representation *rep;\n\tchar 
szName[GF_MAX_PATH];\n\tGF_DownloadManager *dm;\n\n\tif (output_dir) {\n\t\tchar *sep;\n\t\tstrcpy(szName, output_dir);\n\t\tsep = gf_file_basename(szName);\n\t\tif (sep) sep[0] = 0;\n\t\tgf_opts_set_key(\"temp\", \"cache\", szName);\n\t} else {\n\t\tgf_opts_set_key(\"temp\", \"cache\", \".\");\n\t}\n\tgf_opts_set_key(\"temp\", \"clean-cache\", \"true\");\n\tdm = gf_dm_new(NULL);\n\n/*\n\tchar *name = strrchr(mpd_src, '/');\n\tif (!name) name = strrchr(mpd_src, '\\\\');\n\tif (!name) name = \"manifest.mpd\";\n\telse name ++;\n\n\tif (strchr(name, '?') || strchr(name, '&')) name = \"manifest.mpd\";\n*/\n\n\tfprintf(stderr, \"Downloading %s\\n\", mpd_src);\n\tsess = get_file(mpd_src, dm, &e);\n\tif (!sess) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error downloading MPD file %s: %s\\n\", mpd_src, gf_error_to_string(e) ));\n\t\tgoto err_exit;\n\t}\n\tstrcpy(szName, gf_dm_sess_get_cache_name(sess) );\n\tgf_dm_sess_get_header_sizes_and_times(sess, &req_hdr_size, &rsp_hdr_size, &connect_time, &reply_time, &download_time);\n\tgf_dm_sess_del(sess);\n\n\tif (e) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error fetching MPD file %s: %s\\n\", mpd_src, gf_error_to_string(e)));\n\t\tgoto err_exit;\n\t}\n\telse {\n\t\tGF_LOG(GF_LOG_INFO, GF_LOG_APP, (\"Fetched file %s\\n\", mpd_src));\n\t}\n\tGF_LOG(GF_LOG_DEBUG, GF_LOG_APP, (\"GET Header size %d - Reply header size %d\\n\", req_hdr_size, rsp_hdr_size));\n\tGF_LOG(GF_LOG_DEBUG, GF_LOG_APP, (\"GET time: Connect Time %d - Reply Time %d - Download Time %d\\n\", connect_time, reply_time, download_time));\n\n\tmpd_parser = gf_xml_dom_new();\n\te = gf_xml_dom_parse(mpd_parser, szName, NULL, NULL);\n\n\tif (e != GF_OK) {\n\t\tgf_xml_dom_del(mpd_parser);\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error parsing MPD %s : %s\\n\", mpd_src, gf_error_to_string(e)));\n\t\treturn e;\n\t}\n\tmpd = gf_mpd_new();\n\te = gf_mpd_init_from_dom(gf_xml_dom_get_root(mpd_parser), mpd, mpd_src);\n\tgf_xml_dom_del(mpd_parser);\n\tmpd_parser=NULL;\n\tif (e) 
{\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error initializing MPD %s : %s\\n\", mpd_src, gf_error_to_string(e)));\n\t\tgoto err_exit;\n\t}\n\telse {\n\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_APP, (\"MPD %s initialized: %s\\n\", szName, gf_error_to_string(e)));\n\t}\n\n\trevert_cache_file(szName);\n\tif (mpd->type==GF_MPD_TYPE_DYNAMIC) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"MPD rip is not supported on live sources\\n\"));\n\t\te = GF_NOT_SUPPORTED;\n\t\tgoto err_exit;\n\t}\n\n\ti=0;\n\twhile ((period = (GF_MPD_Period *) gf_list_enum(mpd->periods, &i))) {\n\t\tchar *initTemplate = NULL;\n\t\tBool segment_base = GF_FALSE;\n\t\tu32 j=0;\n\n\t\tif (period->segment_base) segment_base=GF_TRUE;\n\n\t\tif (period->segment_template && period->segment_template->initialization) {\n\t\t\tinitTemplate = period->segment_template->initialization;\n\t\t}\n\n\t\twhile ((as = gf_list_enum(period->adaptation_sets, &j))) {\n\t\t\tu32 k=0;\n\t\t\tif (!initTemplate && as->segment_template && as->segment_template->initialization) {\n\t\t\t\tinitTemplate = as->segment_template->initialization;\n\t\t\t}\n\t\t\tif (as->segment_base) segment_base=GF_TRUE;\n\n\t\t\twhile ((rep = gf_list_enum(as->representations, &k))) {\n\t\t\t\tu64 out_range_start, out_range_end, segment_duration;\n\t\t\t\tBool is_in_base_url;\n\t\t\t\tchar *seg_url;\n\t\t\t\tu32 seg_idx=0;\n\t\t\t\tif (rep->segment_template && rep->segment_template->initialization) {\n\t\t\t\t\tinitTemplate = rep->segment_template->initialization;\n\t\t\t\t} else if (k>1) {\n\t\t\t\t\tinitTemplate = NULL;\n\t\t\t\t}\n\t\t\t\tif (rep->segment_base) segment_base=GF_TRUE;\n\n\t\t\t\te = gf_mpd_resolve_url(mpd, rep, as, period, mpd_src, 0, GF_MPD_RESOLVE_URL_INIT, 0, 0, &seg_url, &out_range_start, &out_range_end, &segment_duration, &is_in_base_url, NULL, NULL, NULL);\n\t\t\t\tif (e) {\n\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error resolving init segment name : %s\\n\", gf_error_to_string(e)));\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t\t//not a 
byte range, replace URL\n\t\t\t\tif (segment_base) {\n\n\t\t\t\t} else if (out_range_start || out_range_end || !seg_url) {\n\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"byte range rip not yet implemented\\n\"));\n\t\t\t\t\tif (seg_url) gf_free(seg_url);\n\t\t\t\t\te = GF_NOT_SUPPORTED;\n\t\t\t\t\tgoto err_exit;\n\t\t\t\t}\n\n\t\t\t\tfprintf(stderr, \"Downloading %s\\n\", seg_url);\n\t\t\t\tsess = get_file(seg_url, dm, &e);\n\t\t\t\tif (e) {\n\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error downloading init segment %s from MPD %s : %s\\n\", seg_url, mpd_src, gf_error_to_string(e)));\n\t\t\t\t\tgoto err_exit;\n\t\t\t\t}\n\t\t\t\trevert_cache_file((char *) gf_dm_sess_get_cache_name(sess) );\n\t\t\t\tgf_free(seg_url);\n\t\t\t\tgf_dm_sess_del(sess);\n\n\t\t\t\tif (segment_base) continue;\n\n\t\t\t\twhile (1) {\n\t\t\t\t\te = gf_mpd_resolve_url(mpd, rep, as, period, mpd_src, 0, GF_MPD_RESOLVE_URL_MEDIA, seg_idx, 0, &seg_url, &out_range_start, &out_range_end, &segment_duration, NULL, NULL, NULL, NULL);\n\t\t\t\t\tif (e) {\n\t\t\t\t\t\tif (e<0) {\n\t\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error resolving segment name : %s\\n\", gf_error_to_string(e)));\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\n\t\t\t\t\tseg_idx++;\n\n\t\t\t\t\tif (out_range_start || out_range_end || !seg_url) {\n\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"byte range rip not yet implemented\\n\"));\n\t\t\t\t\t\tif (seg_url) gf_free(seg_url);\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\tfprintf(stderr, \"Downloading %s\\n\", seg_url);\n\t\t\t\t\tsess = get_file(seg_url, dm, &e);\n\t\t\t\t\tif (e) {\n\t\t\t\t\t\tgf_free(seg_url);\n\t\t\t\t\t\tif (e != GF_URL_ERROR) {\n\t\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error downloading segment %s: %s\\n\", seg_url, gf_error_to_string(e)));\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t//todo, properly detect end of dash representation\n\t\t\t\t\t\t\te = GF_OK;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\trevert_cache_file((char *) 
gf_dm_sess_get_cache_name(sess) );\n\t\t\t\t\tgf_free(seg_url);\n\t\t\t\t\tgf_dm_sess_del(sess);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\nerr_exit:\n\tif (mpd) gf_mpd_del(mpd);\n\tgf_dm_del(dm);", "project": "gpac", "hash": 132444211119724964278789327649288213667, "size": 180, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243202 }, { "func": "}\n\nGF_Err rip_mpd(const char *mpd_src, const char *output_dir)\n{\n\tGF_DownloadSession *sess;\n\tu32 i, connect_time, reply_time, download_time, req_hdr_size, rsp_hdr_size;\n\tGF_Err e;\n\tGF_DOMParser *mpd_parser=NULL;\n\tGF_MPD *mpd=NULL;\n\tGF_MPD_Period *period;\n\tGF_MPD_AdaptationSet *as;\n\tGF_MPD_Representation *rep;\n\tchar szName[GF_MAX_PATH];\n\tGF_DownloadManager *dm;\n\n\tif (output_dir) {\n\t\tchar *sep;\n\t\tstrcpy(szName, output_dir);\n\t\tsep = gf_file_basename(szName);\n\t\tif (sep) sep[0] = 0;\n\t\tgf_opts_set_key(\"temp\", \"cache\", szName);\n\t} else {\n\t\tgf_opts_set_key(\"temp\", \"cache\", \".\");\n\t}\n\tgf_opts_set_key(\"temp\", \"clean-cache\", \"true\");\n\tdm = gf_dm_new(NULL);\n\n/*\n\tchar *name = strrchr(mpd_src, '/');\n\tif (!name) name = strrchr(mpd_src, '\\\\');\n\tif (!name) name = \"manifest.mpd\";\n\telse name ++;\n\n\tif (strchr(name, '?') || strchr(name, '&')) name = \"manifest.mpd\";\n*/\n\n\tfprintf(stderr, \"Downloading %s\\n\", mpd_src);\n\tsess = get_file(mpd_src, dm, &e);\n\tif (!sess) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error downloading MPD file %s: %s\\n\", mpd_src, gf_error_to_string(e) ));\n\t\tgoto err_exit;\n\t}\n\tstrcpy(szName, gf_dm_sess_get_cache_name(sess) );\n\tgf_dm_sess_get_header_sizes_and_times(sess, &req_hdr_size, &rsp_hdr_size, &connect_time, &reply_time, &download_time);\n\tgf_dm_sess_del(sess);\n\n\tif (e) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error fetching MPD file %s: %s\\n\", mpd_src, gf_error_to_string(e)));\n\t\tgoto err_exit;\n\t}\n\telse 
{\n\t\tGF_LOG(GF_LOG_INFO, GF_LOG_APP, (\"Fetched file %s\\n\", mpd_src));\n\t}\n\tGF_LOG(GF_LOG_DEBUG, GF_LOG_APP, (\"GET Header size %d - Reply header size %d\\n\", req_hdr_size, rsp_hdr_size));\n\tGF_LOG(GF_LOG_DEBUG, GF_LOG_APP, (\"GET time: Connect Time %d - Reply Time %d - Download Time %d\\n\", connect_time, reply_time, download_time));\n\n\tmpd_parser = gf_xml_dom_new();\n\te = gf_xml_dom_parse(mpd_parser, szName, NULL, NULL);\n\n\tif (e != GF_OK) {\n\t\tgf_xml_dom_del(mpd_parser);\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error parsing MPD %s : %s\\n\", mpd_src, gf_error_to_string(e)));\n\t\treturn e;\n\t}\n\tmpd = gf_mpd_new();\n\te = gf_mpd_init_from_dom(gf_xml_dom_get_root(mpd_parser), mpd, mpd_src);\n\tgf_xml_dom_del(mpd_parser);\n\tmpd_parser=NULL;\n\tif (e) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error initializing MPD %s : %s\\n\", mpd_src, gf_error_to_string(e)));\n\t\tgoto err_exit;\n\t}\n\telse {\n\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_APP, (\"MPD %s initialized: %s\\n\", szName, gf_error_to_string(e)));\n\t}\n\n\trevert_cache_file(szName);\n\tif (mpd->type==GF_MPD_TYPE_DYNAMIC) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"MPD rip is not supported on live sources\\n\"));\n\t\te = GF_NOT_SUPPORTED;\n\t\tgoto err_exit;\n\t}\n\n\ti=0;\n\twhile ((period = (GF_MPD_Period *) gf_list_enum(mpd->periods, &i))) {\n\t\tchar *initTemplate = NULL;\n\t\tBool segment_base = GF_FALSE;\n\t\tu32 j=0;\n\n\t\tif (period->segment_base) segment_base=GF_TRUE;\n\n\t\tif (period->segment_template && period->segment_template->initialization) {\n\t\t\tinitTemplate = period->segment_template->initialization;\n\t\t}\n\n\t\twhile ((as = gf_list_enum(period->adaptation_sets, &j))) {\n\t\t\tu32 k=0;\n\t\t\tif (!initTemplate && as->segment_template && as->segment_template->initialization) {\n\t\t\t\tinitTemplate = as->segment_template->initialization;\n\t\t\t}\n\t\t\tif (as->segment_base) segment_base=GF_TRUE;\n\n\t\t\twhile ((rep = gf_list_enum(as->representations, &k))) 
{\n\t\t\t\tu64 out_range_start, out_range_end, segment_duration;\n\t\t\t\tBool is_in_base_url;\n\t\t\t\tchar *seg_url;\n\t\t\t\tu32 seg_idx=0;\n\t\t\t\tif (rep->segment_template && rep->segment_template->initialization) {\n\t\t\t\t\tinitTemplate = rep->segment_template->initialization;\n\t\t\t\t} else if (k>1) {\n\t\t\t\t\tinitTemplate = NULL;\n\t\t\t\t}\n\t\t\t\tif (rep->segment_base) segment_base=GF_TRUE;\n\n\t\t\t\te = gf_mpd_resolve_url(mpd, rep, as, period, mpd_src, 0, GF_MPD_RESOLVE_URL_INIT, 0, 0, &seg_url, &out_range_start, &out_range_end, &segment_duration, &is_in_base_url, NULL, NULL);\n\t\t\t\tif (e) {\n\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error resolving init segment name : %s\\n\", gf_error_to_string(e)));\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t\t//not a byte range, replace URL\n\t\t\t\tif (segment_base) {\n\n\t\t\t\t} else if (out_range_start || out_range_end || !seg_url) {\n\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"byte range rip not yet implemented\\n\"));\n\t\t\t\t\tif (seg_url) gf_free(seg_url);\n\t\t\t\t\te = GF_NOT_SUPPORTED;\n\t\t\t\t\tgoto err_exit;\n\t\t\t\t}\n\n\t\t\t\tfprintf(stderr, \"Downloading %s\\n\", seg_url);\n\t\t\t\tsess = get_file(seg_url, dm, &e);\n\t\t\t\tif (e) {\n\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error downloading init segment %s from MPD %s : %s\\n\", seg_url, mpd_src, gf_error_to_string(e)));\n\t\t\t\t\tgoto err_exit;\n\t\t\t\t}\n\t\t\t\trevert_cache_file((char *) gf_dm_sess_get_cache_name(sess) );\n\t\t\t\tgf_free(seg_url);\n\t\t\t\tgf_dm_sess_del(sess);\n\n\t\t\t\tif (segment_base) continue;\n\n\t\t\t\twhile (1) {\n\t\t\t\t\te = gf_mpd_resolve_url(mpd, rep, as, period, mpd_src, 0, GF_MPD_RESOLVE_URL_MEDIA, seg_idx, 0, &seg_url, &out_range_start, &out_range_end, &segment_duration, NULL, NULL, NULL);\n\t\t\t\t\tif (e) {\n\t\t\t\t\t\tif (e<0) {\n\t\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error resolving segment name : %s\\n\", 
gf_error_to_string(e)));\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\n\t\t\t\t\tseg_idx++;\n\n\t\t\t\t\tif (out_range_start || out_range_end || !seg_url) {\n\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"byte range rip not yet implemented\\n\"));\n\t\t\t\t\t\tif (seg_url) gf_free(seg_url);\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\tfprintf(stderr, \"Downloading %s\\n\", seg_url);\n\t\t\t\t\tsess = get_file(seg_url, dm, &e);\n\t\t\t\t\tif (e) {\n\t\t\t\t\t\tgf_free(seg_url);\n\t\t\t\t\t\tif (e != GF_URL_ERROR) {\n\t\t\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_APP, (\"Error downloading segment %s: %s\\n\", seg_url, gf_error_to_string(e)));\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t//todo, properly detect end of dash representation\n\t\t\t\t\t\t\te = GF_OK;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\trevert_cache_file((char *) gf_dm_sess_get_cache_name(sess) );\n\t\t\t\t\tgf_free(seg_url);\n\t\t\t\t\tgf_dm_sess_del(sess);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\nerr_exit:\n\tif (mpd) gf_mpd_del(mpd);\n\tgf_dm_del(dm);", "project": "gpac", "hash": 56881010144082158930913696664143449242, "size": 180, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249541 }, { "func": "GF_Err gf_isom_box_write_listing(GF_Box *a, GF_BitStream *bs)\n{\n\tif (!a) return GF_BAD_PARAM;\n\tif (!a->registry) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Write invalid box type %s without registry\\n\", gf_4cc_to_str(a->type) ));\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\treturn a->registry->write_fn(a, bs);\n}", "project": "gpac", "hash": 98795241443807891042210777667565584457, "size": 9, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224915 }, { "func": "GF_Err gf_isom_set_rvc_config(GF_ISOFile *movie, u32 track, u32 sampleDescriptionIndex, u16 rvc_predefined, char *mime, u8 *data, u32 
size)\n{\n\tGF_MPEGVisualSampleEntryBox *entry;\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, track);\n\tif (!trak) return GF_BAD_PARAM;\n\n\n\tentry = (GF_MPEGVisualSampleEntryBox *) gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, sampleDescriptionIndex-1);\n\tif (!entry ) return GF_BAD_PARAM;\n\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return GF_BAD_PARAM;\n\n\tGF_RVCConfigurationBox *rvcc = (GF_RVCConfigurationBox *) gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_RVCC);\n\tif (rvcc && rvcc->rvc_meta_idx) {\n\t\tgf_isom_remove_meta_item(movie, GF_FALSE, track, rvcc->rvc_meta_idx);\n\t\trvcc->rvc_meta_idx = 0;\n\t}\n\n\tif (!rvcc) {\n\t\trvcc = (GF_RVCConfigurationBox *) gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_RVCC);\n\t\tif (!rvcc) return GF_OUT_OF_MEM;\n\t}\n\trvcc->predefined_rvc_config = rvc_predefined;\n\tif (!rvc_predefined) {\n\t\tu32 it_id=0;\n\t\te = gf_isom_set_meta_type(movie, GF_FALSE, track, GF_META_TYPE_RVCI);\n\t\tif (e) return e;\n\t\tgf_isom_modify_alternate_brand(movie, GF_ISOM_BRAND_ISO2, GF_TRUE);\n\t\te = gf_isom_add_meta_item_memory(movie, GF_FALSE, track, \"rvcconfig.xml\", &it_id, GF_META_ITEM_TYPE_MIME, mime, NULL, NULL, data, size, NULL);\n\t\tif (e) return e;\n\t\trvcc->rvc_meta_idx = gf_isom_get_meta_item_count(movie, GF_FALSE, track);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 189731183654362064654685896625730003187, "size": 39, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267220 }, { "func": "GF_Err gf_isom_reset_alt_brands(GF_ISOFile *movie)\n{\n\treturn gf_isom_reset_alt_brands_ex(movie, GF_FALSE);\n}", "project": "gpac", "hash": 73848084825126853475538480891805563704, "size": 4, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed 
#1706", "target": 0, "dataset": "other", "idx": 267232 }, { "func": "GF_EXPORT\nGF_Err gf_isom_set_nalu_extract_mode(GF_ISOFile *the_file, u32 trackNumber, GF_ISONaluExtractMode nalu_extract_mode)\n{\n\tGF_TrackReferenceTypeBox *dpnd;\n\tGF_TrackBox *trak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\ttrak->extractor_mode = nalu_extract_mode;\n\n\tif (!trak->References) return GF_OK;\n\n\t/*get base*/\n\tdpnd = NULL;\n\ttrak->has_base_layer = GF_FALSE;\n\tTrack_FindRef(trak, GF_ISOM_REF_SCAL, &dpnd);\n\tif (dpnd) trak->has_base_layer = GF_TRUE;\n\treturn GF_OK;", "project": "gpac", "hash": 208431121515412919964361999472623476529, "size": 16, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246851 }, { "func": "GF_Err gf_isom_set_oma_protection(GF_ISOFile *the_file, u32 trackNumber, u32 desc_index,\n char *contentID, char *kms_URI, u32 encryption_type, u64 plainTextLength, char *textual_headers, u32 textual_headers_len,\n Bool selective_encryption, u32 KI_length, u32 IV_length)\n{\n\tGF_ProtectionSchemeInfoBox *sinf;\n\tGF_Err e;\n\n\t//setup generic protection\n\te = isom_set_protected_entry(the_file, trackNumber, desc_index, 0, 0, GF_ISOM_OMADRM_SCHEME, 0x00000200, NULL, GF_FALSE, &sinf);\n\tif (e) return e;\n\n\tsinf->info->odkm = (GF_OMADRMKMSBox *)gf_isom_box_new_parent(&sinf->info->child_boxes, GF_ISOM_BOX_TYPE_ODKM);\n\tif (!sinf->info->odkm) return GF_OUT_OF_MEM;\n\tsinf->info->odkm->fmt = (GF_OMADRMAUFormatBox*)gf_isom_box_new_parent(&sinf->info->odkm->child_boxes, GF_ISOM_BOX_TYPE_ODAF);\n\tif (!sinf->info->odkm->fmt) return GF_OUT_OF_MEM;\n\tsinf->info->odkm->fmt->selective_encryption = selective_encryption;\n\tsinf->info->odkm->fmt->key_indicator_length = KI_length;\n\tsinf->info->odkm->fmt->IV_length = IV_length;\n\n\tsinf->info->odkm->hdr = (GF_OMADRMCommonHeaderBox*)gf_isom_box_new_parent(&sinf->info->odkm->child_boxes, 
GF_ISOM_BOX_TYPE_OHDR);\n\tif (!sinf->info->odkm->hdr) return GF_OUT_OF_MEM;\n\tsinf->info->odkm->hdr->EncryptionMethod = encryption_type;\n\tsinf->info->odkm->hdr->PaddingScheme = (encryption_type==0x01) ? 1 : 0;\n\tsinf->info->odkm->hdr->PlaintextLength = plainTextLength;\n\tif (contentID) sinf->info->odkm->hdr->ContentID = gf_strdup(contentID);\n\tif (kms_URI) sinf->info->odkm->hdr->RightsIssuerURL = gf_strdup(kms_URI);\n\tif (textual_headers) {\n\t\tsinf->info->odkm->hdr->TextualHeaders = (char*)gf_malloc(sizeof(char)*textual_headers_len);\n\t\tif (!sinf->info->odkm->hdr->TextualHeaders) return GF_OUT_OF_MEM;\n\t\tmemcpy(sinf->info->odkm->hdr->TextualHeaders, textual_headers, sizeof(char)*textual_headers_len);\n\t\tsinf->info->odkm->hdr->TextualHeadersLen = textual_headers_len;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 236030732160121432785865274851352955014, "size": 34, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275405 }, { "func": "GF_Err stbl_SetChunkOffset(GF_MediaBox *mdia, u32 sampleNumber, u64 offset)\n{\n\tGF_StscEntry *ent;\n\tu32 i;\n\tGF_ChunkLargeOffsetBox *co64;\n\tGF_SampleTableBox *stbl = mdia->information->sampleTable;\n\n\tif (!sampleNumber || !stbl) return GF_BAD_PARAM;\n\n\tent = &stbl->SampleToChunk->entries[sampleNumber - 1];\n\n\t//we edit our entry if self contained\n\tif (Media_IsSelfContained(mdia, ent->sampleDescriptionIndex))\n\t\tent->isEdited = 1;\n\n\t//and we change our offset\n\tif (stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) {\n\t\t//if the new offset is a large one, we have to rewrite our table...\n\t\tif (offset > 0xFFFFFFFF) {\n\t\t\tco64 = (GF_ChunkLargeOffsetBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_CO64);\n\t\t\tif (!co64) return GF_OUT_OF_MEM;\n\t\t\tco64->nb_entries = ((GF_ChunkOffsetBox *)stbl->ChunkOffset)->nb_entries;\n\t\t\tco64->alloc_size = co64->nb_entries;\n\t\t\tco64->offsets = 
(u64*)gf_malloc(sizeof(u64)*co64->nb_entries);\n\t\t\tif (!co64->offsets) return GF_OUT_OF_MEM;\n\t\t\tfor (i=0; inb_entries; i++) {\n\t\t\t\tco64->offsets[i] = (u64) ((GF_ChunkOffsetBox *)stbl->ChunkOffset)->offsets[i];\n\t\t\t}\n\t\t\tco64->offsets[ent->firstChunk - 1] = offset;\n\t\t\tgf_isom_box_del_parent(&stbl->child_boxes, stbl->ChunkOffset);\n\t\t\tstbl->ChunkOffset = (GF_Box *) co64;\n\t\t\treturn GF_OK;\n\t\t}\n\t\t((GF_ChunkOffsetBox *)stbl->ChunkOffset)->offsets[ent->firstChunk - 1] = (u32) offset;\n\t} else {\n\t\t((GF_ChunkLargeOffsetBox *)stbl->ChunkOffset)->offsets[ent->firstChunk - 1] = offset;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 205211428983467422336002846261070723164, "size": 39, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267913 }, { "func": "GF_Err stbl_RemoveShadow(GF_SampleTableBox *stbl, u32 sampleNumber)\n{\n\tu32 i;\n\tGF_ShadowSyncBox *stsh;\n\tGF_StshEntry *ent;\n\tif (!stbl->ShadowSync) return GF_OK;\n\tstsh = stbl->ShadowSync;\n\n\t//we loop for the whole chain cause the spec doesn't say if we can have several\n\t//shadows for 1 sample...\n\ti=0;\n\twhile ((ent = (GF_StshEntry *)gf_list_enum(stsh->entries, &i))) {\n\t\tif (ent->shadowedSampleNumber == sampleNumber) {\n\t\t\ti--;\n\t\t\tgf_list_rem(stsh->entries, i);\n\t\t}\n\t}\n\t//reset the cache\n\tstsh->r_LastEntryIndex = 0;\n\tstsh->r_LastFoundSample = 0;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 84104062787139841515925532436497984849, "size": 22, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267873 }, { "func": "GF_Err gf_isom_modify_edit(GF_ISOFile *movie, u32 trackNumber, u32 seg_index, u64 EditDuration, u64 MediaTime, GF_ISOEditType EditMode)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\tGF_EdtsEntry *ent;\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak || 
!seg_index) return GF_BAD_PARAM;\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\tif (!trak->editBox || !trak->editBox->editList) return GF_OK;\n\tif (gf_list_count(trak->editBox->editList->entryList)editBox->editList->entryList, seg_index-1);\n\n\tent->segmentDuration = EditDuration;\n\tswitch (EditMode) {\n\tcase GF_ISOM_EDIT_EMPTY:\n\t\tent->mediaRate = 0x10000;\n\t\tent->mediaTime = -1;\n\t\tbreak;\n\tcase GF_ISOM_EDIT_DWELL:\n\t\tent->mediaRate = 0;\n\t\tent->mediaTime = MediaTime;\n\t\tbreak;\n\tdefault:\n\t\tent->mediaRate = 0x10000;\n\t\tent->mediaTime = MediaTime;\n\t\tbreak;\n\t}\n\treturn SetTrackDuration(trak);\n}", "project": "gpac", "hash": 2389925439277765511338055442874817885, "size": 31, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267251 }, { "func": "GF_Err gf_isom_box_read(GF_Box *a, GF_BitStream *bs)\n{\n\tif (!a) return GF_BAD_PARAM;\n\tif (!a->registry) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Read invalid box type %s without registry\\n\", gf_4cc_to_str(a->type) ));\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\treturn a->registry->read_fn(a, bs);\n}", "project": "gpac", "hash": 165944456845553000996040223121863846490, "size": 9, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224920 }, { "func": "static GF_Err gf_isom_check_mvc(GF_ISOFile *the_file, GF_TrackBox *trak, GF_MPEGVisualSampleEntryBox *entry)\n{\n\tu32 i;\n\tGF_Box *mvci;\n\tGF_MultiviewGroupBox *mvcg;\n\tGF_ViewIdentifierBox *vwid;\n\n\tif (entry->mvc_config) {}\n\telse if (entry->avc_config && entry->avc_config->config && entry->avc_config->config->sequenceParameterSetExtensions) {}\n\telse\n\t\treturn GF_OK;\n\n\tmvci = gf_isom_box_find_child(trak->Media->information->child_boxes, GF_ISOM_BOX_TYPE_MVCI);\n\tif (!mvci) {\n\t\tmvci = 
gf_isom_box_new_parent(&trak->Media->information->child_boxes, GF_ISOM_BOX_TYPE_MVCI);\n\t\tif (!mvci) return GF_OUT_OF_MEM;\n\t}\n\tmvcg = (GF_MultiviewGroupBox *) gf_isom_box_find_child(mvci->child_boxes, GF_ISOM_BOX_TYPE_MVCG);\n\tif (!mvcg) {\n\t\tmvcg = (GF_MultiviewGroupBox *)gf_isom_box_new_parent(&mvci->child_boxes, GF_ISOM_BOX_TYPE_MVCG);\n\t\tif (!mvcg) return GF_OUT_OF_MEM;\n\t}\n\t//this is very crude, we should try to parse the bitstream to fill these\n\tmvcg->num_entries = 0;\n\tif (mvcg->entries) {\n\t\tgf_free(mvcg->entries);\n\t\tmvcg->entries = NULL;\n\t}\n\tif (entry->avc_config) {\n\t\tif (gf_list_count(entry->avc_config->config->sequenceParameterSets))\n\t\t\tmvcg->num_entries += 1;\n\t\tmvcg->num_entries += gf_list_count(entry->avc_config->config->sequenceParameterSetExtensions);\n\t}\n\tif (entry->mvc_config && entry->mvc_config->config) {\n\t\tmvcg->num_entries += gf_list_count(entry->mvc_config->config->sequenceParameterSets);\n\t}\n\tmvcg->entries = gf_malloc(sizeof(MVCIEntry)*mvcg->num_entries);\n\tif (!mvcg->entries) return GF_OUT_OF_MEM;\n\tmemset(mvcg->entries, 0, sizeof(MVCIEntry)*mvcg->num_entries);\n\tfor (i=0; inum_entries; i++) {\n\t\tmvcg->entries[i].entry_type = 2;\n\t\tmvcg->entries[i].output_view_id = i;\n\t}\n\tvwid = (GF_ViewIdentifierBox *) gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_VWID);\n\tif (!vwid) {\n\t\tvwid = (GF_ViewIdentifierBox *)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_VWID);\n\t\tif (!mvcg) return GF_OUT_OF_MEM;\n\t}\n\tif (vwid->views) gf_free(vwid->views);\n\tvwid->num_views = mvcg->num_entries;\n\tvwid->views = gf_malloc(sizeof(ViewIDEntry)*vwid->num_views);\n\tif (!vwid->views) return GF_OUT_OF_MEM;\n\tmemset(vwid->views, 0, sizeof(ViewIDEntry)*vwid->num_views);\n\n\tfor (i=0; inum_views; i++) {\n\t\tvwid->views[i].base_view_type = i ? 
0 : 1;\n\t\tvwid->views[i].view_id = i;\n\t\tvwid->views[i].view_order_index = i;\n\t}\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 55282365399051018400710517557952222008, "size": 62, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237548 }, { "func": "GF_EXPORT\ns32 gf_isom_get_composition_offset_shift(GF_ISOFile *file, u32 track)\n{\n\tGF_TrackBox *trak = gf_isom_get_track_from_file(file, track);\n\tif (!trak) return 0;\n\tif (!trak->Media || !trak->Media->information || !trak->Media->information->sampleTable || !trak->Media->information->sampleTable->CompositionToDecode) return 0;\n\treturn trak->Media->information->sampleTable->CompositionToDecode->compositionToDTSShift;", "project": "gpac", "hash": 240893668432716955867750390072046193865, "size": 7, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246817 }, { "func": "GF_Err moov_on_child_box(GF_Box *s, GF_Box *a)\n{\n\tGF_MovieBox *ptr = (GF_MovieBox *)s;\n\tswitch (a->type) {\n\tcase GF_ISOM_BOX_TYPE_IODS:\n\t\tif (ptr->iods) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->iods = (GF_ObjectDescriptorBox *)a;\n\t\t//if no IOD, delete the box\n\t\tif (!ptr->iods->descriptor) {\n\t\t\tptr->iods = NULL;\n\t\t\tgf_isom_box_del_parent(&s->child_boxes, a);\n\t\t}\n\t\treturn GF_OK;\n\n\tcase GF_ISOM_BOX_TYPE_MVHD:\n\t\tif (ptr->mvhd) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->mvhd = (GF_MovieHeaderBox *)a;\n\t\treturn GF_OK;\n\n\tcase GF_ISOM_BOX_TYPE_UDTA:\n\t\tif (ptr->udta) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->udta = (GF_UserDataBox *)a;\n\t\treturn GF_OK;\n\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\tcase GF_ISOM_BOX_TYPE_MVEX:\n\t\tif (ptr->mvex) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->mvex = (GF_MovieExtendsBox *)a;\n\t\tptr->mvex->mov = ptr->mov;\n\t\treturn GF_OK;\n#endif\n\n\tcase GF_ISOM_BOX_TYPE_META:\n\t\tif (ptr->meta) 
ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->meta = (GF_MetaBox *)a;\n\t\treturn GF_OK;\n\n\tcase GF_ISOM_BOX_TYPE_TRAK:\n\t\t//set our pointer to this obj\n\t\t((GF_TrackBox *)a)->moov = ptr;\n\t\treturn gf_list_add(ptr->trackList, a);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 213484225993320509538689535568991631197, "size": 44, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264866 }, { "func": "GF_Err gf_isom_hevc_config_new(GF_ISOFile *the_file, u32 trackNumber, GF_HEVCConfig *cfg, const char *URLname, const char *URNname, u32 *outDescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_Err e;\n\tu32 dataRefIndex;\n\tGF_SampleDescriptionBox *stsd;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\n\te = CanAccessMovie(the_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !cfg) return GF_BAD_PARAM;\n\n\t//get or create the data ref\n\te = Media_FindDataRef(trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\tif (e) return e;\n\tif (!dataRefIndex) {\n\t\te = Media_CreateDataRef(the_file, trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\t\tif (e) return e;\n\t}\n\tif (!the_file->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\n\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\t//create a new entry\n\tentry = (GF_MPEGVisualSampleEntryBox *) gf_isom_box_new_parent(&stsd->child_boxes, GF_ISOM_BOX_TYPE_HVC1);\n\tif (!entry) return GF_OUT_OF_MEM;\n\tentry->hevc_config = (GF_HEVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_HVCC);\n\tif (!entry->hevc_config) return GF_OUT_OF_MEM;\n\tentry->hevc_config->config = HEVC_DuplicateConfig(cfg);\n\tif (!entry->hevc_config->config) return GF_OUT_OF_MEM;\n\tentry->dataReferenceIndex = 
dataRefIndex;\n\t*outDescriptionIndex = gf_list_count(stsd->child_boxes);\n\tHEVC_RewriteESDescriptor(entry);\n\treturn e;\n}", "project": "gpac", "hash": 14587315272494536450006353856793153931, "size": 37, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237643 }, { "func": "GF_Err gf_isom_set_track_enabled(GF_ISOFile *movie, u32 trackNumber, Bool enableTrack)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tif (enableTrack) {\n\t\ttrak->Header->flags |= 1;\n\t} else {\n\t\ttrak->Header->flags &= ~1;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 61293745514421075286893169691708439195, "size": 18, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267289 }, { "func": "GF_EXPORT\nGF_Err gf_isom_release_segment(GF_ISOFile *movie, Bool reset_tables)\n{\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\tu32 i, j, base_track_sample_count;\n\tBool has_scalable;\n\tGF_Box *a;\n\tif (!movie || !movie->moov || !movie->moov->mvex) return GF_BAD_PARAM;\n\thas_scalable = gf_isom_needs_layer_reconstruction(movie);\n\tbase_track_sample_count = 0;\n\tmovie->moov->compressed_diff = 0;\n\tfor (i=0; imoov->trackList); i++) {\n\t\tGF_TrackBox *trak = (GF_TrackBox*)gf_list_get(movie->moov->trackList, i);\n\t\ttrak->first_traf_merged = GF_FALSE;\n\t\tif (trak->Media->information->dataHandler == movie->movieFileMap) {\n\t\t\ttrak->Media->information->dataHandler = NULL;\n\t\t}\n\t\tif (trak->Media->information->scalableDataHandler == movie->movieFileMap) {\n\t\t\ttrak->Media->information->scalableDataHandler = NULL;\n\t\t} else {\n\t\t\tif (trak->Media->information->scalableDataHandler==trak->Media->information->dataHandler)\n\t\t\t\ttrak->Media->information->dataHandler = 
NULL;\n\n\t\t\tgf_isom_datamap_del(trak->Media->information->scalableDataHandler);\n\t\t\ttrak->Media->information->scalableDataHandler = NULL;\n\t\t}\n\n\n\t\tif (reset_tables) {\n\t\t\tu32 type, dur;\n\t\t\tu64 dts;\n\t\t\tGF_SampleTableBox *stbl = trak->Media->information->sampleTable;\n\n\t\t\tif (has_scalable) {\n\t\t\t\t//check if the base reference is in the file - if not, do not consider the track is scalable.\n\t\t\t\tif (gf_isom_get_reference_count(movie, i+1, GF_ISOM_REF_BASE) > 0) {\n\t\t\t\t\tu32 on_track=0;\n\t\t\t\t\tGF_TrackBox *base;\n\t\t\t\t\tgf_isom_get_reference(movie, i+1, GF_ISOM_REF_BASE, 1, &on_track);\n\n\t\t\t\t\tbase = gf_isom_get_track_from_file(movie, on_track);\n\t\t\t\t\tif (!base) {\n\t\t\t\t\t\tbase_track_sample_count=0;\n\t\t\t\t\t} else {\n\t\t\t\t\t\tbase_track_sample_count = base->Media->information->sampleTable->SampleSize->sampleCount;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\ttrak->sample_count_at_seg_start += base_track_sample_count ? base_track_sample_count : stbl->SampleSize->sampleCount;\n\n\t\t\tif (trak->sample_count_at_seg_start) {\n\t\t\t\tGF_Err e;\n\t\t\t\te = stbl_GetSampleDTS_and_Duration(stbl->TimeToSample, stbl->SampleSize->sampleCount, &dts, &dur);\n\t\t\t\tif (e == GF_OK) {\n\t\t\t\t\ttrak->dts_at_seg_start += dts + dur;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tRECREATE_BOX(stbl->ChunkOffset, (GF_Box *));\n\t\t\tRECREATE_BOX(stbl->CompositionOffset, (GF_CompositionOffsetBox *));\n\t\t\tRECREATE_BOX(stbl->DegradationPriority, (GF_DegradationPriorityBox *));\n\t\t\tRECREATE_BOX(stbl->PaddingBits, (GF_PaddingBitsBox *));\n\t\t\tRECREATE_BOX(stbl->SampleDep, (GF_SampleDependencyTypeBox *));\n\t\t\tRECREATE_BOX(stbl->SampleSize, (GF_SampleSizeBox *));\n\t\t\tRECREATE_BOX(stbl->SampleToChunk, (GF_SampleToChunkBox *));\n\t\t\tRECREATE_BOX(stbl->ShadowSync, (GF_ShadowSyncBox *));\n\t\t\tRECREATE_BOX(stbl->SyncSample, (GF_SyncSampleBox *));\n\t\t\tRECREATE_BOX(stbl->TimeToSample, (GF_TimeToSampleBox 
*));\n\n\t\t\tgf_isom_box_array_del_parent(&stbl->child_boxes, stbl->sai_offsets);\n\t\t\tstbl->sai_offsets = NULL;\n\n\t\t\tgf_isom_box_array_del_parent(&stbl->child_boxes, stbl->sai_sizes);\n\t\t\tstbl->sai_sizes = NULL;\n\n\t\t\tgf_isom_box_array_del_parent(&stbl->child_boxes, stbl->sampleGroups);\n\t\t\tstbl->sampleGroups = NULL;\n\n\t\t\tif (trak->sample_encryption) {\n\t\t\t\tif (trak->Media->information->sampleTable->child_boxes) {\n\t\t\t\t\tgf_list_del_item(trak->Media->information->sampleTable->child_boxes, trak->sample_encryption);\n\t\t\t\t}\n\t\t\t\tgf_isom_box_del_parent(&trak->child_boxes, (GF_Box*)trak->sample_encryption);\n\t\t\t\ttrak->sample_encryption = NULL;\n\t\t\t}\n\n\t\t\tj = stbl->nb_sgpd_in_stbl;\n\t\t\twhile ((a = (GF_Box *)gf_list_enum(stbl->sampleGroupsDescription, &j))) {\n\t\t\t\tgf_isom_box_del_parent(&stbl->child_boxes, a);\n\t\t\t\tj--;\n\t\t\t\tgf_list_rem(stbl->sampleGroupsDescription, j);\n\t\t\t}\n\n\t\t\tif (stbl->traf_map) {\n\t\t\t\tfor (j=0; jtraf_map->nb_entries; j++) {\n\t\t\t\t\tif (stbl->traf_map->frag_starts[j].moof_template)\n\t\t\t\t\t\tgf_free(stbl->traf_map->frag_starts[j].moof_template);\n\t\t\t\t}\n\t\t\t\tmemset(stbl->traf_map->frag_starts, 0, sizeof(GF_TrafMapEntry)*stbl->traf_map->nb_alloc);\n\t\t\t\tstbl->traf_map->nb_entries = 0;\n\t\t\t}\n\n#if 0 // TO CHECK\n\t\t\tj = ptr->nb_stbl_boxes;\n\t\t\twhile ((a = (GF_Box *)gf_list_enum(stbl->child_boxes, &j))) {\n\t\t\t\tgf_isom_box_del_parent(&stbl->child_boxes, a);\n\t\t\t\tj--;\n\t\t\t}\n#endif\n\t\t}\n\n\n\t\tj = 0;\n\t\twhile ((a = (GF_Box *)gf_list_enum(movie->moov->child_boxes, &j))) {\n\t\t\tif (a->type == GF_ISOM_BOX_TYPE_PSSH) {\n\t\t\t\tgf_isom_box_del_parent(&movie->moov->child_boxes, a);\n\t\t\t\tj--;\n\t\t\t}\n\t\t}\n\t}\n\n\tgf_isom_datamap_del(movie->movieFileMap);\n\tmovie->movieFileMap = NULL;\n#endif\n\treturn GF_OK;", "project": "gpac", "hash": 134931007534780690173582985589862756796, "size": 126, "commit_id": 
"984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246839 }, { "func": "\nGF_Err dac3_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tGF_AC3ConfigBox *ptr = (GF_AC3ConfigBox *)s;\n\n\tif (ptr->cfg.is_ec3) s->type = GF_ISOM_BOX_TYPE_DEC3;\n\te = gf_isom_box_write_header(s, bs);\n\tif (ptr->cfg.is_ec3) s->type = GF_ISOM_BOX_TYPE_DAC3;\n\tif (e) return e;\n\n\tif (ptr->cfg.is_ec3) {\n\t\tu32 i;\n\t\tgf_bs_write_int(bs, ptr->cfg.brcode, 13);\n\t\tgf_bs_write_int(bs, ptr->cfg.nb_streams - 1, 3);\n\t\tfor (i=0; icfg.nb_streams; i++) {\n\t\t\tgf_bs_write_int(bs, ptr->cfg.streams[i].fscod, 2);\n\t\t\tgf_bs_write_int(bs, ptr->cfg.streams[i].bsid, 5);\n\t\t\tgf_bs_write_int(bs, ptr->cfg.streams[i].bsmod, 5);\n\t\t\tgf_bs_write_int(bs, ptr->cfg.streams[i].acmod, 3);\n\t\t\tgf_bs_write_int(bs, ptr->cfg.streams[i].lfon, 1);\n\t\t\tgf_bs_write_int(bs, 0, 3);\n\t\t\tgf_bs_write_int(bs, ptr->cfg.streams[i].nb_dep_sub, 4);\n\t\t\tif (ptr->cfg.streams[i].nb_dep_sub) {\n\t\t\t\tgf_bs_write_int(bs, ptr->cfg.streams[i].chan_loc, 9);\n\t\t\t} else {\n\t\t\t\tgf_bs_write_int(bs, 0, 1);\n\t\t\t}\n\t\t}\n\t} else {\n\t\tgf_bs_write_int(bs, ptr->cfg.streams[0].fscod, 2);\n\t\tgf_bs_write_int(bs, ptr->cfg.streams[0].bsid, 5);\n\t\tgf_bs_write_int(bs, ptr->cfg.streams[0].bsmod, 3);\n\t\tgf_bs_write_int(bs, ptr->cfg.streams[0].acmod, 3);\n\t\tgf_bs_write_int(bs, ptr->cfg.streams[0].lfon, 1);\n\t\tgf_bs_write_int(bs, ptr->cfg.brcode, 5);\n\t\tgf_bs_write_int(bs, 0, 5);\n\t}\n\treturn GF_OK;", "project": "gpac", "hash": 181673511786491947158651442399600539971, "size": 39, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264854 }, { "func": "static GF_Err gf_isom_set_root_iod(GF_ISOFile *movie)\n{\n\tGF_IsomInitialObjectDescriptor *iod;\n\tGF_IsomObjectDescriptor *od;\n\tGF_Err e;\n\t\n\te = gf_isom_insert_moov(movie);\n\tif (e) return e;\n\tif 
(!movie->moov->iods) {\n\t\tAddMovieIOD(movie->moov, 1);\n\t\treturn GF_OK;\n\t}\n\t//if OD, switch to IOD\n\tif (movie->moov->iods->descriptor->tag == GF_ODF_ISOM_IOD_TAG) return GF_OK;\n\tod = (GF_IsomObjectDescriptor *) movie->moov->iods->descriptor;\n\tiod = (GF_IsomInitialObjectDescriptor*)gf_malloc(sizeof(GF_IsomInitialObjectDescriptor));\n\tif (!iod) return GF_OUT_OF_MEM;\n\n\tmemset(iod, 0, sizeof(GF_IsomInitialObjectDescriptor));\n\n\tiod->ES_ID_IncDescriptors = od->ES_ID_IncDescriptors;\n\tod->ES_ID_IncDescriptors = NULL;\n\t//not used in root OD\n\tiod->ES_ID_RefDescriptors = NULL;\n\tiod->extensionDescriptors = od->extensionDescriptors;\n\tod->extensionDescriptors = NULL;\n\tiod->IPMP_Descriptors = od->IPMP_Descriptors;\n\tod->IPMP_Descriptors = NULL;\n\tiod->objectDescriptorID = od->objectDescriptorID;\n\tiod->OCIDescriptors = od->OCIDescriptors;\n\tod->OCIDescriptors = NULL;\n\tiod->tag = GF_ODF_ISOM_IOD_TAG;\n\tiod->URLString = od->URLString;\n\tod->URLString = NULL;\n\n\tgf_odf_desc_del((GF_Descriptor *) od);\n\tmovie->moov->iods->descriptor = (GF_Descriptor *)iod;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 72259523913994940147566280711001982082, "size": 39, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267273 }, { "func": "GF_Err gf_isom_cenc_merge_saiz_saio(GF_SampleEncryptionBox *senc, GF_SampleTableBox *stbl, u64 offset, u32 len)\n{\n\tu32 i;\n\tassert(stbl);\n\tif (!senc->cenc_saiz) {\n\t\tsenc->cenc_saiz = (GF_SampleAuxiliaryInfoSizeBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_SAIZ);\n\t\tif (!senc->cenc_saiz) return GF_OUT_OF_MEM;\n\t\tsenc->cenc_saiz->aux_info_type = GF_ISOM_CENC_SCHEME;\n\t\tsenc->cenc_saiz->aux_info_type_parameter = 0;\n\t\tstbl_on_child_box((GF_Box*)stbl, (GF_Box *)senc->cenc_saiz, GF_FALSE);\n\t}\n\tif (!senc->cenc_saio) {\n\t\tsenc->cenc_saio = (GF_SampleAuxiliaryInfoOffsetBox *) 
gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_SAIO);\n\t\tif (!senc->cenc_saio) return GF_OUT_OF_MEM;\n\t\t//force using version 1 for saio box, it could be redundant when we use 64 bits for offset\n\t\tsenc->cenc_saio->version = 1;\n\t\tsenc->cenc_saio->aux_info_type = GF_ISOM_CENC_SCHEME;\n\t\tsenc->cenc_saio->aux_info_type_parameter = 0;\n\t\tstbl_on_child_box((GF_Box*)stbl, (GF_Box *)senc->cenc_saio, GF_FALSE);\n\t}\n\n\tif (!senc->cenc_saiz->sample_count || (!senc->cenc_saiz->sample_alloc && (senc->cenc_saiz->default_sample_info_size==len))) {\n\t\tsenc->cenc_saiz->sample_count ++;\n\t\tsenc->cenc_saiz->default_sample_info_size = len;\n\t} else {\n\t\tif (senc->cenc_saiz->sample_count + 1 > senc->cenc_saiz->sample_alloc) {\n\t\t\tif (!senc->cenc_saiz->sample_alloc) senc->cenc_saiz->sample_alloc = senc->cenc_saiz->sample_count + 1;\n\t\t\telse senc->cenc_saiz->sample_alloc *= 2;\n\t\t\tsenc->cenc_saiz->sample_info_size = (u8*)gf_realloc(senc->cenc_saiz->sample_info_size, sizeof(u8)*(senc->cenc_saiz->sample_alloc));\n\t\t\tif (!senc->cenc_saiz->sample_info_size) return GF_OUT_OF_MEM;\n\t\t}\n\n\t\tif (senc->cenc_saiz->default_sample_info_size) {\n\t\t\tfor (i=0; icenc_saiz->sample_count; i++)\n\t\t\t\tsenc->cenc_saiz->sample_info_size[i] = senc->cenc_saiz->default_sample_info_size;\n\t\t\tsenc->cenc_saiz->default_sample_info_size = 0;\n\t\t}\n\t\tsenc->cenc_saiz->sample_info_size[senc->cenc_saiz->sample_count] = len;\n\t\tsenc->cenc_saiz->sample_count++;\n\t}\n\n\tif (!senc->cenc_saio->entry_count) {\n\t\tsenc->cenc_saio->offsets = (u64 *)gf_malloc(sizeof(u64));\n\t\tif (!senc->cenc_saio->offsets) return GF_OUT_OF_MEM;\n\t\tsenc->cenc_saio->offsets[0] = offset;\n\t\tsenc->cenc_saio->entry_count ++;\n\t\tsenc->cenc_saio->entry_alloc = 1;\n\t} else {\n\t\tif (senc->cenc_saio->entry_count >= senc->cenc_saio->entry_alloc) {\n\t\t\tsenc->cenc_saio->entry_alloc += 50;\n\t\t\tsenc->cenc_saio->offsets = (u64*)gf_realloc(senc->cenc_saio->offsets, 
sizeof(u64)*(senc->cenc_saio->entry_alloc));\n\t\t\tif (!senc->cenc_saio->offsets) return GF_OUT_OF_MEM;\n\t\t}\n\t\tsenc->cenc_saio->offsets[senc->cenc_saio->entry_count] = offset;\n\t\tsenc->cenc_saio->entry_count++;\n\t}\n\tif (offset > 0xFFFFFFFFUL)\n\t\tsenc->cenc_saio->version=1;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 69088860426756387799005941017834973039, "size": 60, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275424 }, { "func": "#ifndef GPAC_DISABLE_ISOM_WRITE\nGF_Err sgpd_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tu32 i;\n\tGF_SampleGroupDescriptionBox *p = (GF_SampleGroupDescriptionBox *)s;\n\tGF_Err e;\n\te = gf_isom_full_box_write(s, bs);\n\tif (e) return e;\n\n\tgf_bs_write_u32(bs, p->grouping_type);\n\tif (p->version>=1) gf_bs_write_u32(bs, p->default_length);\n\tif (p->version>=2) gf_bs_write_u32(bs, p->default_description_index);\n\tgf_bs_write_u32(bs, gf_list_count(p->group_descriptions) );\n\n\tfor (i=0; igroup_descriptions); i++) {\n\t\tvoid *ptr = gf_list_get(p->group_descriptions, i);\n\t\tif ((p->version >= 1) && !p->default_length) {\n\t\t\tu32 size = sgpd_size_entry(p->grouping_type, ptr);\n\t\t\tgf_bs_write_u32(bs, size);\n\t\t}\n\t\tsgpd_write_entry(p->grouping_type, ptr, bs);\n\t}\n\treturn GF_OK;", "project": "gpac", "hash": 327113241098479290431211826668103898652, "size": 23, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264794 }, { "func": "GF_Err gf_isom_cenc_get_sample_aux_info(GF_ISOFile *the_file, u32 trackNumber, u32 sampleNumber, u32 sampleDescIndex, u32 *container_type, u8 **out_buffer, u32 *outSize)\n{\n\tGF_TrackBox *trak;\n\tGF_SampleTableBox *stbl;\n\tGF_SampleEncryptionBox *senc = NULL;\n\tu32 type, scheme_type = -1;\n\tGF_CENCSampleAuxInfo *a_sai;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\tstbl = 
trak->Media->information->sampleTable;\n\tif (!stbl)\n\t\treturn GF_BAD_PARAM;\n\n\ttype = 0;\n\tsenc = trak->sample_encryption;\n\t//no senc is OK\n\tif (senc) {\n\t\tif ((senc->type == GF_ISOM_BOX_TYPE_UUID) && (((GF_UUIDBox *)senc)->internal_4cc == GF_ISOM_BOX_UUID_PSEC)) {\n\t\t\ttype = GF_ISOM_BOX_UUID_PSEC;\n\t\t} else if (senc->type == GF_ISOM_BOX_TYPE_SENC) {\n\t\t\ttype = GF_ISOM_BOX_TYPE_SENC;\n\t\t}\n\n\t\tif (container_type) *container_type = type;\n\t}\n\n\tif (!out_buffer) return GF_OK; /*we need only container_type*/\n\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\tsampleNumber -= trak->sample_count_at_seg_start;\n#endif\n\n\tgf_isom_get_cenc_info(the_file, trackNumber, sampleDescIndex, NULL, &scheme_type, NULL);\n\n\t/*get sample auxiliary information by saiz/saio rather than by parsing senc box*/\n\tif (gf_isom_cenc_has_saiz_saio_track(stbl, scheme_type)) {\n\t\treturn isom_cenc_get_sai_by_saiz_saio(trak->Media, sampleNumber, scheme_type, out_buffer, outSize);\n\t}\n\tif (!senc)\n\t\treturn GF_OK;\n\n\t//senc is not loaded by default, do it now\n\tif (!gf_list_count(senc->samp_aux_info)) {\n\t\tGF_Err e = senc_Parse(trak->Media->information->dataHandler->bs, trak, NULL, senc);\n\t\tif (e) return e;\n\t}\n\n\ta_sai = NULL;\n\tswitch (type) {\n\tcase GF_ISOM_BOX_UUID_PSEC:\n\t\tif (senc)\n\t\t\ta_sai = (GF_CENCSampleAuxInfo *)gf_list_get(senc->samp_aux_info, sampleNumber-1);\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_SENC:\n\t\tif (senc)\n\t\t\ta_sai = (GF_CENCSampleAuxInfo *)gf_list_get(senc->samp_aux_info, sampleNumber-1);\n\t\tbreak;\n\t}\n\t//not present, check we use constant IV and no IV size\n\tif (!a_sai) {\n\t\tconst u8 *key_info=NULL;\n\t\tu32 key_info_size=0;\n\t\tu8 IV_size=0, constant_IV_size=0;\n\t\tBool is_Protected;\n\n\t\tgf_isom_get_sample_cenc_info_internal(trak, NULL, senc, sampleNumber, &is_Protected, NULL, NULL, &key_info, &key_info_size);\n\t\tif (!key_info) {\n\t\t\tIV_size = key_info_size; //piff default\n\t\t} else {\n\t\t\tIV_size = 
key_info[3];\n\t\t\tif (!IV_size)\n\t\t\t\tconstant_IV_size = key_info[20];\n\t\t}\n\t\tif (!IV_size && constant_IV_size)\n\t\t\treturn GF_OK;\n\t\treturn GF_NOT_FOUND;\n\t}\n\n\tif (*outSize < a_sai->cenc_data_size) {\n\t\t*out_buffer = gf_realloc(*out_buffer, sizeof(char) * a_sai->cenc_data_size);\n\t\tif (! *out_buffer) return GF_OUT_OF_MEM;\n\t\t*outSize = a_sai->cenc_data_size;\n\t}\n\tmemcpy(*out_buffer, a_sai->cenc_data, a_sai->cenc_data_size);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 196985177544289123236027948924725495984, "size": 87, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275414 }, { "func": "static u32 read_nal_size_hdr(u8 *ptr, u32 nalh_size)\n{\n\tu32 nal_size=0;\n\tu32 v = nalh_size;\n\twhile (v) {\n\t\tnal_size |= (u8) *ptr;\n\t\tptr++;\n\t\tv-=1;\n\t\tif (v) nal_size <<= 8;\n\t}\n\treturn nal_size;\n}", "project": "gpac", "hash": 204915393376485434143277347736844295481, "size": 12, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243209 }, { "func": "void PrintEncodeUsage()\n{\n\tu32 i=0;\n\tgf_sys_format_help(helpout, help_flags, \"# MPEG-4 Scene Encoding Options\\n\"\n\t\t\"## General considerations\\n\"\n\t\t\"MP4Box supports encoding and decoding of of BT, XMT, VRML and (partially) X3D formats int MPEG-4 BIFS, and encoding and decoding of XSR and SVG into MPEG-4 LASeR\\n\"\n\t\t\"Any media track specified through a `MuxInfo` element will be imported in the resulting MP4 file.\\n\"\n\t\t\"See https://wiki.gpac.io/MPEG-4-BIFS-Textual-Format and related pages.\\n\"\n\t\t\"## Scene Random Access\\n\"\n\t\t\"MP4Box can encode BIFS or LASeR streams and insert random access points at a given frequency. This is useful when packaging content for broadcast, where users will not turn in the scene at the same time. 
In MPEG-4 terminology, this is called the __scene carousel__.\"\n\t\t\"## BIFS Chunk Processing\\n\"\n\t\t\"The BIFS chunk encoding mode alows encoding single BIFS access units from an initial context and a set of commands.\\n\"\n\t\t\"The generated AUs are raw BIFS (not SL-packetized), in files called FILE-ESID-AUIDX.bifs, with FILE the basename of the input file.\\n\"\n\t\t\"Commands with a timing of 0 in the input will modify the carousel version only (i.e. output context).\\n\"\n\t\t\"Commands with a timing different from 0 in the input will generate new AUs.\\n\"\n\t\t\" \\n\"\n\t\t\"Options:\\n\"\n\t);\n\n\twhile (m4b_senc_args[i].name) {\n\t\tGF_GPACArg *arg = &m4b_senc_args[i];\n\t\ti++;\n\t\tgf_sys_print_arg(helpout, help_flags, arg, \"mp4box-senc\");\n\t}\n}", "project": "gpac", "hash": 204414472760940934213569523004199205649, "size": 25, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244410 }, { "func": "GF_Err gf_isom_mvc_config_new(GF_ISOFile *the_file, u32 trackNumber, GF_AVCConfig *cfg, const char *URLname, const char *URNname, u32 *outDescriptionIndex)\n{\n\treturn gf_isom_svc_mvc_config_new(the_file, trackNumber, cfg, GF_TRUE, (char *) URLname, (char *) URNname,outDescriptionIndex);\n}", "project": "gpac", "hash": 240123742261188040971588727710809280231, "size": 4, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237579 }, { "func": "GF_ISOMDataRefAllType Media_SelfContainedType(GF_MediaBox *mdia)\n{\n\tu32 nb_ext, nb_self;\n\tu32 i, count;\n\n\tnb_ext = nb_self = 0;\n\tcount = mdia->information->sampleTable->SampleDescription ? 
gf_list_count(mdia->information->sampleTable->SampleDescription->child_boxes) : 0;\n\tfor (i=0; iMedia->information->sampleTable->sampleGroups) return GF_OK;\n\n\tif (!sample_number) {\n\t\tcount = gf_list_count(trak->Media->information->sampleTable->sampleGroupsDescription);\n\t\tfor (i=0; iMedia->information->sampleTable->sampleGroupsDescription, i);\n\t\t\tswitch (sgdesc->grouping_type) {\n\t\t\tcase GF_ISOM_SAMPLE_GROUP_RAP:\n\t\t\tcase GF_ISOM_SAMPLE_GROUP_SYNC:\n\t\t\t\tif (is_rap) *is_rap = GF_TRUE;\n\t\t\t\tbreak;\n\t\t\tcase GF_ISOM_SAMPLE_GROUP_ROLL:\n\t\t\tcase GF_ISOM_SAMPLE_GROUP_PROL:\n\t\t\t\tif (roll_type)\n\t\t\t\t\t*roll_type = (sgdesc->grouping_type==GF_ISOM_SAMPLE_GROUP_PROL) ? GF_ISOM_SAMPLE_PREROLL : GF_ISOM_SAMPLE_ROLL;\n\t\t\t\tif (roll_distance) {\n\t\t\t\t\ts32 max_roll = 0;\n\t\t\t\t\tu32 j;\n\t\t\t\t\tfor (j=0; jgroup_descriptions); j++) {\n\t\t\t\t\t\tGF_RollRecoveryEntry *roll_entry = (GF_RollRecoveryEntry*)gf_list_get(sgdesc->group_descriptions, j);\n\t\t\t\t\t\tif (max_roll < roll_entry->roll_distance)\n\t\t\t\t\t\t\tmax_roll = roll_entry->roll_distance;\n\t\t\t\t\t}\n\t\t\t\t\tif (*roll_distance < max_roll) *roll_distance = max_roll;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\treturn GF_OK;\n\t}\n\n\tcount = gf_list_count(trak->Media->information->sampleTable->sampleGroups);\n\tfor (i=0; iMedia->information->sampleTable->sampleGroups, i);\n\t\tfor (j=0; jentry_count; j++) {\n\t\t\tlast_sample_in_entry = first_sample_in_entry + sg->sample_entries[j].sample_count - 1;\n\t\t\tif ((sample_numberlast_sample_in_entry)) {\n\t\t\t\tfirst_sample_in_entry = last_sample_in_entry+1;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\t/*we found our sample*/\n\t\t\tgroup_desc_index = sg->sample_entries[j].group_description_index;\n\t\t\tbreak;\n\t\t}\n\t\t/*no sampleGroup info associated*/\n\t\tif (!group_desc_index) continue;\n\n\t\tsgdesc = NULL;\n\t\tfor (j=0; jMedia->information->sampleTable->sampleGroupsDescription); j++) {\n\t\t\tsgdesc = 
(GF_SampleGroupDescriptionBox*)gf_list_get(trak->Media->information->sampleTable->sampleGroupsDescription, j);\n\t\t\tif (sgdesc->grouping_type==sg->grouping_type) break;\n\t\t\tsgdesc = NULL;\n\t\t}\n\t\t/*no sampleGroup description found for this group (invalid file)*/\n\t\tif (!sgdesc) continue;\n\n\t\tswitch (sgdesc->grouping_type) {\n\t\tcase GF_ISOM_SAMPLE_GROUP_RAP:\n\t\tcase GF_ISOM_SAMPLE_GROUP_SYNC:\n\t\t\tif (is_rap) *is_rap = GF_TRUE;\n\t\t\tbreak;\n\t\tcase GF_ISOM_SAMPLE_GROUP_ROLL:\n\t\tcase GF_ISOM_SAMPLE_GROUP_PROL:\n\t\t\tif (roll_type)\n\t\t\t\t*roll_type = (sgdesc->grouping_type==GF_ISOM_SAMPLE_GROUP_PROL) ? GF_ISOM_SAMPLE_PREROLL : GF_ISOM_SAMPLE_ROLL;\n\n\t\t\tif (roll_distance) {\n\t\t\t\tGF_RollRecoveryEntry *roll_entry = (GF_RollRecoveryEntry *) gf_list_get(sgdesc->group_descriptions, group_desc_index - 1);\n\t\t\t\tif (roll_entry)\n\t\t\t\t\t*roll_distance = roll_entry->roll_distance;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t}\n\treturn GF_OK;", "project": "gpac", "hash": 310171206134763565088516492783745983015, "size": 93, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246815 }, { "func": "void merge_hevc_config(GF_HEVCConfig *dst_cfg, GF_HEVCConfig *src_cfg, Bool force_insert)\n{\n\tGF_HEVCConfig *cfg = HEVC_DuplicateConfig(src_cfg);\n\t//merge all xPS\n\tu32 i, j, count = cfg->param_array ? gf_list_count(cfg->param_array) : 0;\n\tfor (i=0; iparam_array ? 
gf_list_count(dst_cfg->param_array) : 0;\n\t\tGF_NALUFFParamArray *ar = (GF_NALUFFParamArray*)gf_list_get(cfg->param_array, i);\n\t\tfor (j=0; jparam_array, j);\n\t\t\tif (ar_h->type==ar->type) {\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tar_h = NULL;\n\t\t}\n\t\tif (!ar_h) {\n\t\t\tgf_list_add(dst_cfg->param_array, ar);\n\t\t\tgf_list_rem(cfg->param_array, i);\n\t\t\tcount--;\n\t\t\ti--;\n\t\t} else {\n\t\t\twhile (gf_list_count(ar->nalus)) {\n\t\t\t\tGF_NALUFFParam *p = (GF_NALUFFParam*)gf_list_get(ar->nalus, 0);\n\t\t\t\tgf_list_rem(ar->nalus, 0);\n\t\t\t\tif (force_insert)\n\t\t\t\t\tgf_list_insert(ar_h->nalus, p, 0);\n\t\t\t\telse\n\t\t\t\t\tgf_list_add(ar_h->nalus, p);\n\t\t\t}\n\n\t\t}\n\t}\n\tgf_odf_hevc_cfg_del(cfg);\n\n#define CHECK_CODE(__code)\tif (dst_cfg->__code < src_cfg->__code) dst_cfg->__code = src_cfg->__code;\n\n\tCHECK_CODE(configurationVersion)\n\tCHECK_CODE(profile_idc)\n\tCHECK_CODE(profile_space)\n\tCHECK_CODE(tier_flag)\n\tCHECK_CODE(general_profile_compatibility_flags)\n\tCHECK_CODE(progressive_source_flag)\n\tCHECK_CODE(interlaced_source_flag)\n\tCHECK_CODE(constraint_indicator_flags)\n\tCHECK_CODE(level_idc)\n\tCHECK_CODE(min_spatial_segmentation_idc)\n\n}", "project": "gpac", "hash": 309639281530637697160257325084587278952, "size": 49, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237626 }, { "func": "GF_Err stbl_AddRedundant(GF_SampleTableBox *stbl, u32 sampleNumber)\n{\n\tGF_SampleDependencyTypeBox *sdtp;\n\n\tif (stbl->SampleDep == NULL) {\n\t\tstbl->SampleDep = (GF_SampleDependencyTypeBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_SDTP);\n\t\tif (!stbl->SampleDep) return GF_OUT_OF_MEM;\n\t}\n\tsdtp = stbl->SampleDep;\n\tif (sdtp->sampleCount + 1 < sampleNumber) {\n\t\tu32 missed = sampleNumber-1 - sdtp->sampleCount;\n\t\tsdtp->sample_info = (u8*) gf_realloc(sdtp->sample_info, sizeof(u8) * (sdtp->sampleCount+missed) );\n\t\tif 
(!sdtp->sample_info) return GF_OUT_OF_MEM;\n\t\tsdtp->sample_alloc = sdtp->sampleCount+missed;\n\t\tmemset(&sdtp->sample_info[sdtp->sampleCount], 0, sizeof(u8) * missed );\n\t\twhile (missed) {\n\t\t\tGF_ISOSAPType isRAP;\n\t\t\tif (stbl->SyncSample) stbl_GetSampleRAP(stbl->SyncSample, sdtp->sampleCount+1, &isRAP, NULL, NULL);\n\t\t\telse isRAP = 1;\n\t\t\tsdtp->sample_info[sdtp->sampleCount] = isRAP ? 0x20 : 0;\n\t\t\tsdtp->sampleCount++;\n\t\t\tmissed--;\n\t\t}\n\t}\n\n\tsdtp->sample_info = (u8*) gf_realloc(sdtp->sample_info, sizeof(u8) * (sdtp->sampleCount + 1));\n\tif (!sdtp->sample_info) return GF_OUT_OF_MEM;\n\tsdtp->sample_alloc = sdtp->sampleCount+1;\n\tif (sdtp->sampleCount < sampleNumber) {\n\t\tsdtp->sample_info[sdtp->sampleCount] = 0x29;\n\t} else {\n\t\tu32 snum = sampleNumber-1;\n\t\tmemmove(sdtp->sample_info+snum+1, sdtp->sample_info+snum, sizeof(u8) * (sdtp->sampleCount - snum) );\n\t\tsdtp->sample_info[snum] = 0x29;\n\t}\n\t//update our list\n\tsdtp->sampleCount ++;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 3460895292102626297319808977734162677, "size": 39, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267882 }, { "func": "\nBool gf_isom_is_identical_sgpd(void *ptr1, void *ptr2, u32 grouping_type)\n{\n\tBool res = GF_FALSE;\n#ifndef GPAC_DISABLE_ISOM_WRITE\n\tGF_BitStream *bs1, *bs2;\n\tu8 *buf1, *buf2;\n\tu32 len1, len2;\n\n\tif (!ptr1 || !ptr2)\n\t\treturn GF_FALSE;\n\n\tbs1 = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\tif (grouping_type) {\n\t\tsgpd_write_entry(grouping_type, ptr1, bs1);\n\t} else {\n\t\tgf_isom_box_size((GF_Box *)ptr1);\n\t\tgf_isom_box_write((GF_Box *)ptr1, bs1);\n\t}\n\tgf_bs_get_content(bs1, &buf1, &len1);\n\tgf_bs_del(bs1);\n\n\tbs2 = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\tif (grouping_type) {\n\t\tsgpd_write_entry(grouping_type, ptr2, bs2);\n\t} else {\n\t\tgf_isom_box_write((GF_Box *)ptr2, bs2);\n\t}\n\tgf_bs_get_content(bs2, 
&buf2, &len2);\n\tgf_bs_del(bs2);\n\n\n\tif ((len1==len2) && !memcmp(buf1, buf2, len1))\n\t\tres = GF_TRUE;\n\n\tgf_free(buf1);\n\tgf_free(buf2);\n#endif\n\treturn res;", "project": "gpac", "hash": 74389125017623092653746520281691825805, "size": 39, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246820 }, { "func": "GF_Err gf_isom_hevc_config_update(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex, GF_HEVCConfig *cfg)\n{\n\treturn gf_isom_hevc_config_update_ex(the_file, trackNumber, DescriptionIndex, cfg, GF_ISOM_HVCC_UPDATE, GF_FALSE);\n}", "project": "gpac", "hash": 258546299329332560044741170238201380450, "size": 4, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237539 }, { "func": "GF_Err Track_FindRef(GF_TrackBox *trak, u32 ReferenceType, GF_TrackReferenceTypeBox **dpnd)\n{\n\tGF_TrackReferenceBox *ref;\n\tGF_TrackReferenceTypeBox *a;\n\tu32 i;\n\tif (! trak) return GF_BAD_PARAM;\n\tif (! 
trak->References) {\n\t\t*dpnd = NULL;\n\t\treturn GF_OK;\n\t}\n\tref = trak->References;\n\ti=0;\n\twhile ((a = (GF_TrackReferenceTypeBox *)gf_list_enum(ref->child_boxes, &i))) {\n\t\tif (a->reference_type == ReferenceType) {\n\t\t\t*dpnd = a;\n\t\t\treturn GF_OK;\n\t\t}\n\t}\n\t*dpnd = NULL;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 70521920613538011156754831965753465559, "size": 21, "commit_id": "df8fffd839fe5ae9acd82d26fd48280a397411d9", "message": "fixed #1736", "target": 0, "dataset": "other", "idx": 272328 }, { "func": "GF_Err Media_SetDrefURL(GF_DataEntryURLBox *dref_entry, const char *origName, const char *finalName)\n{\n\t//for now we only support dref created in same folder for relative URLs\n\tif (strstr(origName, \"://\") || ((origName[1]==':') && (origName[2]=='\\\\'))\n\t\t|| (origName[0]=='/') || (origName[0]=='\\\\')\n\t) {\n\t\tdref_entry->location = gf_strdup(origName);\n\t} else {\n\t\tchar *fname = strrchr(origName, '/');\n\t\tif (!fname) fname = strrchr(origName, '\\\\');\n\t\tif (fname) fname++;\n\n\t\tif (!fname) {\n\t\t\tdref_entry->location = gf_strdup(origName);\n\t\t} else {\n\t\t\tu32 len = (u32) (fname - origName);\n\t\t\tif (!finalName || strncmp(origName, finalName, len)) {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"Concatenation of relative path %s with relative path %s not supported, use absolute URLs\\n\", origName, finalName));\n\t\t\t\treturn GF_NOT_SUPPORTED;\n\t\t\t} else {\n\t\t\t\tdref_entry->location = gf_strdup(fname);\n\t\t\t}\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 16152566973178800338000268622642840893, "size": 26, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231614 }, { "func": "GF_EXPORT\nGF_Err gf_isom_get_audio_info(GF_ISOFile *movie, u32 trackNumber, u32 StreamDescriptionIndex, u32 *SampleRate, u32 *Channels, u32 *bitsPerSample)\n{\n\tGF_TrackBox *trak;\n\tGF_AudioSampleEntryBox 
*entry;\n\tGF_SampleDescriptionBox *stsd = NULL;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tif (trak->Media && trak->Media->information && trak->Media->information->sampleTable && trak->Media->information->sampleTable->SampleDescription)\n\t\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\tif (!stsd) return movie->LastError = GF_ISOM_INVALID_FILE;\n\tif (!StreamDescriptionIndex || StreamDescriptionIndex > gf_list_count(stsd->child_boxes)) return movie->LastError = GF_BAD_PARAM;\n\n\tentry = (GF_AudioSampleEntryBox *)gf_list_get(stsd->child_boxes, StreamDescriptionIndex - 1);\n\t//no support for generic sample entries (eg, no MPEG4 descriptor)\n\tif (entry == NULL) return GF_BAD_PARAM;\n\n\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_AUDIO) return GF_BAD_PARAM;\n\n\tif (SampleRate) {\n\t\t(*SampleRate) = entry->samplerate_hi;\n\t\tif (entry->type==GF_ISOM_BOX_TYPE_MLPA) {\n\t\t\tu32 sr = entry->samplerate_hi;\n\t\t\tsr <<= 16;\n\t\t\tsr |= entry->samplerate_lo;\n\t\t\t(*SampleRate) = sr;\n\t\t}\n\t}\n\tif (Channels) (*Channels) = entry->channel_count;\n\tif (bitsPerSample) (*bitsPerSample) = (u8) entry->bitspersample;\n\n\treturn GF_OK;", "project": "gpac", "hash": 12984607054725248897599399902583865786, "size": 34, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246811 }, { "func": "void merge_all_config(GF_AVCConfig *avc_cfg, GF_HEVCConfig *hevc_cfg, GF_MediaBox *mdia)\n{\n\tu32 i;\n\tGF_TrackReferenceTypeBox *scal = NULL;\n\tTrack_FindRef(mdia->mediaTrack, GF_ISOM_REF_SCAL, &scal);\n\n\tif (!scal) return;\n\n\tfor (i=0; itrackIDCount; i++) {\n\t\tGF_TrackBox *a_track = GetTrackbyID(mdia->mediaTrack->moov, scal->trackIDs[i]);\n\t\tGF_MPEGVisualSampleEntryBox *an_entry = NULL;\n\t\tif (a_track && a_track->Media && a_track->Media->information && a_track->Media->information->sampleTable && 
a_track->Media->information->sampleTable->SampleDescription)\n\t\t\tan_entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(a_track->Media->information->sampleTable->SampleDescription->child_boxes, 0);\n\n\t\tif (!an_entry) continue;\n\n\t\tif (avc_cfg && an_entry->svc_config && an_entry->svc_config->config)\n\t\t\tmerge_avc_config(avc_cfg, an_entry->svc_config->config);\n\n\t\tif (avc_cfg && an_entry->mvc_config && an_entry->mvc_config->config)\n\t\t\tmerge_avc_config(avc_cfg, an_entry->mvc_config->config);\n\n\t\tif (avc_cfg && an_entry->avc_config && an_entry->avc_config->config)\n\t\t\tmerge_avc_config(avc_cfg, an_entry->avc_config->config);\n\n\t\tif (hevc_cfg && an_entry->lhvc_config && an_entry->lhvc_config->config)\n\t\t\tmerge_hevc_config(hevc_cfg, an_entry->lhvc_config->config, GF_TRUE);\n\n\t\tif (hevc_cfg && an_entry->hevc_config && an_entry->hevc_config->config)\n\t\t\tmerge_hevc_config(hevc_cfg, an_entry->hevc_config->config, GF_TRUE);\n\t}\n\n\tif (hevc_cfg) hevc_cfg->is_lhvc = GF_FALSE;\n}", "project": "gpac", "hash": 29581706785570931908444108777069879180, "size": 34, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237573 }, { "func": "GF_Err gf_isom_set_last_sample_duration_ex(GF_ISOFile *movie, u32 trackNumber, u32 dur_num, u32 dur_den)\n{\n\treturn gf_isom_set_last_sample_duration_internal(movie, trackNumber, dur_num, dur_den, 1);\n}", "project": "gpac", "hash": 131461869811259593356463733725290547434, "size": 4, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267182 }, { "func": "void dump_isom_scene_stats(char *file, char *inName, Bool is_final_name, u32 stat_level)\n{\n\tGF_Err e;\n\tFILE *dump;\n\tBool close;\n\tu32 i, j, count;\n\tchar szBuf[1024];\n\tGF_SceneManager *ctx;\n\tGF_SceneLoader load;\n\tGF_StatManager *sm;\n\tGF_List *sample_list;\n\tGF_SceneGraph *scene_graph;\n\n\tdump = 
NULL;\n\tsm = NULL;\n\tsample_list = NULL;\n\n\tclose = 0;\n\n\tscene_graph = gf_sg_new();\n\tctx = gf_sm_new(scene_graph);\n\tmemset(&load, 0, sizeof(GF_SceneLoader));\n\tload.fileName = file;\n\tload.ctx = ctx;\n\n\tif (get_file_type_by_ext(file) == 1) {\n\t\tload.isom = gf_isom_open(file, GF_ISOM_OPEN_READ, NULL);\n\t\tif (!load.isom) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Cannot open file: %s\\n\", gf_error_to_string(gf_isom_last_error(NULL))));\n\t\t\tgf_sm_del(ctx);\n\t\t\tgf_sg_del(scene_graph);\n\t\t\treturn;\n\t\t}\n\t}\n\n\te = gf_sm_load_init(&load);\n\tif (!e) e = gf_sm_load_run(&load);\n\tgf_sm_load_done(&load);\n\tif (e<0) goto exit;\n\n\tif (inName) {\n\t\tstrcpy(szBuf, inName);\n\t\tif (!is_final_name) strcat(szBuf, \"_stat.xml\");\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Failed to open %s for dumping\\n\", szBuf));\n\t\t\treturn;\n\t\t}\n\t\tclose = 1;\n\t} else {\n\t\tdump = stdout;\n\t\tclose = 0;\n\t}\n\n\tfprintf(stderr, \"Analysing Scene\\n\");\n\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\n\tfprintf(dump, \"\\n\", gf_file_basename(file), (stat_level==1) ? \"full scene\" : ((stat_level==2) ? 
\"AccessUnit based\" : \"SceneGraph after each AU\"));\n\n\tsm = gf_sm_stats_new();\n\n\t/*stat level 1: complete scene stat*/\n\tif (stat_level == 1) {\n\t\te = gf_sm_stats_for_scene(sm, ctx);\n\t\tif (!e) dump_stats(dump, gf_sm_stats_get(sm) );\n\t\tgoto exit;\n\t}\n\t/*re_order all BIFS-AUs*/\n\tsample_list = gf_list_new();\n\t/*configure all systems streams we're dumping*/\n\tfor (i=0; istreams); i++) {\n\t\tGF_StreamContext *sc = gf_list_get(ctx->streams, i);\n\t\tif (sc->streamType != GF_STREAM_SCENE) continue;\n\t\tfor (j=0; jAUs); j++) {\n\t\t\tGF_AUContext *au = gf_list_get(sc->AUs, j);\n\t\t\tReorderAU(sample_list, au);\n\t\t}\n\t}\n\n\tcount = gf_list_count(sample_list);\n\tfor (i=0; icommands); j++) {\n\t\t\tGF_Command *com = gf_list_get(au->commands, j);\n\t\t\t/*stat level 2 - get command stats*/\n\t\t\tif (stat_level==2) {\n\t\t\t\te = gf_sm_stats_for_command(sm, com);\n\t\t\t\tif (e) goto exit;\n\t\t\t}\n\t\t\t/*stat level 3 - apply command*/\n\t\t\tif (stat_level==3) gf_sg_command_apply(scene_graph, com, 0);\n\t\t}\n\t\t/*stat level 3: get graph stat*/\n\t\tif (stat_level==3) {\n\t\t\te = gf_sm_stats_for_graph(sm, scene_graph);\n\t\t\tif (e) goto exit;\n\t\t}\n\t\tif (stat_level==2) {\n\t\t\tfprintf(dump, \"\\n\", au->owner->ESID, au->timing);\n\t\t} else {\n\t\t\tfprintf(dump, \"\\n\", au->owner->ESID, au->timing);\n\t\t}\n\t\t/*dump stats*/\n\t\tdump_stats(dump, gf_sm_stats_get(sm) );\n\t\t/*reset stats*/\n\t\tgf_sm_stats_reset(sm);\n\t\tif (stat_level==2) {\n\t\t\tfprintf(dump, \"\\n\");\n\t\t} else {\n\t\t\tfprintf(dump, \"\\n\");\n\t\t}\n\n\t\tgf_set_progress(\"Analysing AU\", i+1, count);\n\t}\n\n\nexit:\n\tif (sample_list) gf_list_del(sample_list);\n\tif (sm) gf_sm_stats_del(sm);\n\tgf_sm_del(ctx);\n\tgf_sg_del(scene_graph);\n\tif (load.isom) gf_isom_delete(load.isom);\n\tif (e) {\n\t\tM4_LOG(GF_LOG_ERROR, (\"Stats error: %s\\n\", gf_error_to_string(e)));\n\t} else {\n\t\tfprintf(dump, \"\\n\");\n\t}\n\tif (dump && close) 
gf_fclose(dump);\n\tfprintf(stderr, \"done\\n\");\n}", "project": "gpac", "hash": 258502178776589350809970802962677278118, "size": 136, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243204 }, { "func": "void dump_isom_scene_stats(char *file, char *inName, Bool is_final_name, u32 stat_level)\n{\n\tGF_Err e;\n\tFILE *dump;\n\tBool close;\n\tu32 i, j, count;\n\tchar szBuf[1024];\n\tGF_SceneManager *ctx;\n\tGF_SceneLoader load;\n\tGF_StatManager *sm;\n\tGF_List *sample_list;\n\tGF_SceneGraph *scene_graph;\n\n\tdump = NULL;\n\tsm = NULL;\n\tsample_list = NULL;\n\n\tclose = 0;\n\n\tscene_graph = gf_sg_new();\n\tctx = gf_sm_new(scene_graph);\n\tmemset(&load, 0, sizeof(GF_SceneLoader));\n\tload.fileName = file;\n\tload.ctx = ctx;\n\n\tif (get_file_type_by_ext(file) == 1) {\n\t\tload.isom = gf_isom_open(file, GF_ISOM_OPEN_READ, NULL);\n\t\tif (!load.isom) {\n\t\t\tfprintf(stderr, \"Cannot open file: %s\\n\", gf_error_to_string(gf_isom_last_error(NULL)));\n\t\t\tgf_sm_del(ctx);\n\t\t\tgf_sg_del(scene_graph);\n\t\t\treturn;\n\t\t}\n\t}\n\n\te = gf_sm_load_init(&load);\n\tif (!e) e = gf_sm_load_run(&load);\n\tgf_sm_load_done(&load);\n\tif (e<0) goto exit;\n\n\tif (inName) {\n\t\tstrcpy(szBuf, inName);\n\t\tif (!is_final_name) strcat(szBuf, \"_stat.xml\");\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tfprintf(stderr, \"Failed to open %s for dumping\\n\", szBuf);\n\t\t\treturn;\n\t\t}\n\t\tclose = 1;\n\t} else {\n\t\tdump = stdout;\n\t\tclose = 0;\n\t}\n\n\tfprintf(stderr, \"Analysing Scene\\n\");\n\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\n\tfprintf(dump, \"\\n\", gf_file_basename(file), (stat_level==1) ? \"full scene\" : ((stat_level==2) ? 
\"AccessUnit based\" : \"SceneGraph after each AU\"));\n\n\tsm = gf_sm_stats_new();\n\n\t/*stat level 1: complete scene stat*/\n\tif (stat_level == 1) {\n\t\te = gf_sm_stats_for_scene(sm, ctx);\n\t\tif (!e) dump_stats(dump, gf_sm_stats_get(sm) );\n\t\tgoto exit;\n\t}\n\t/*re_order all BIFS-AUs*/\n\tsample_list = gf_list_new();\n\t/*configure all systems streams we're dumping*/\n\tfor (i=0; istreams); i++) {\n\t\tGF_StreamContext *sc = gf_list_get(ctx->streams, i);\n\t\tif (sc->streamType != GF_STREAM_SCENE) continue;\n\t\tfor (j=0; jAUs); j++) {\n\t\t\tGF_AUContext *au = gf_list_get(sc->AUs, j);\n\t\t\tReorderAU(sample_list, au);\n\t\t}\n\t}\n\n\tcount = gf_list_count(sample_list);\n\tfor (i=0; icommands); j++) {\n\t\t\tGF_Command *com = gf_list_get(au->commands, j);\n\t\t\t/*stat level 2 - get command stats*/\n\t\t\tif (stat_level==2) {\n\t\t\t\te = gf_sm_stats_for_command(sm, com);\n\t\t\t\tif (e) goto exit;\n\t\t\t}\n\t\t\t/*stat level 3 - apply command*/\n\t\t\tif (stat_level==3) gf_sg_command_apply(scene_graph, com, 0);\n\t\t}\n\t\t/*stat level 3: get graph stat*/\n\t\tif (stat_level==3) {\n\t\t\te = gf_sm_stats_for_graph(sm, scene_graph);\n\t\t\tif (e) goto exit;\n\t\t}\n\t\tif (stat_level==2) {\n\t\t\tfprintf(dump, \"\\n\", au->owner->ESID, au->timing);\n\t\t} else {\n\t\t\tfprintf(dump, \"\\n\", au->owner->ESID, au->timing);\n\t\t}\n\t\t/*dump stats*/\n\t\tdump_stats(dump, gf_sm_stats_get(sm) );\n\t\t/*reset stats*/\n\t\tgf_sm_stats_reset(sm);\n\t\tif (stat_level==2) {\n\t\t\tfprintf(dump, \"\\n\");\n\t\t} else {\n\t\t\tfprintf(dump, \"\\n\");\n\t\t}\n\n\t\tgf_set_progress(\"Analysing AU\", i+1, count);\n\t}\n\n\nexit:\n\tif (sample_list) gf_list_del(sample_list);\n\tif (sm) gf_sm_stats_del(sm);\n\tgf_sm_del(ctx);\n\tgf_sg_del(scene_graph);\n\tif (load.isom) gf_isom_delete(load.isom);\n\tif (e) {\n\t\tfprintf(stderr, \"%s\\n\", gf_error_to_string(e));\n\t} else {\n\t\tfprintf(dump, \"\\n\");\n\t}\n\tif (dump && close) gf_fclose(dump);\n\tfprintf(stderr, 
\"done\\n\");\n}", "project": "gpac", "hash": 249766407515409429417485193740359553054, "size": 136, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249537 }, { "func": "GF_Err stsd_on_child_box(GF_Box *s, GF_Box *a)\n{\n\tGF_UnknownBox *def;\n\tif (!a) return GF_OK;\n\n\tif (gf_box_valid_in_parent(a, \"stsd\")) {\n\t\treturn GF_OK;\n\t}\n\tswitch (a->type) {\n\t//unknown sample description: we need a specific box to handle the data ref index\n\t//rather than a default box ...\n\tcase GF_ISOM_BOX_TYPE_UNKNOWN:\n\t\tdef = (GF_UnknownBox *)a;\n\t\t/*we need at least 8 bytes for unknown sample entries*/\n\t\tif (def->dataSize < 8) {\n\t\t\tgf_isom_box_del_parent(&s->child_boxes, a);\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\t}\n\t\treturn GF_OK;\n\n\tdefault:\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Cannot process box of type %s\\n\", gf_4cc_to_str(a->type)));\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n}", "project": "gpac", "hash": 133641221244488132354845981772554278630, "size": 25, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264805 }, { "func": "GF_Err dump_isom_cover_art(GF_ISOFile *file, char *inName, Bool is_final_name)\n{\n\tconst u8 *tag;\n\tFILE *t;\n\tu32 tag_len;\n\tGF_Err e = gf_isom_apple_get_tag(file, GF_ISOM_ITUNE_COVER_ART, &tag, &tag_len);\n\tif (e!=GF_OK) {\n\t\tif (e==GF_URL_ERROR) {\n\t\t\tM4_LOG(GF_LOG_WARNING, (\"No cover art found\\n\"));\n\t\t\treturn GF_OK;\n\t\t}\n\t\treturn e;\n\t}\n\n\tif (inName) {\n\t\tchar szName[1024];\n\t\tif (is_final_name) {\n\t\t\tstrcpy(szName, inName);\n\t\t} else {\n\t\t\tsprintf(szName, \"%s.%s\", inName, (tag_len>>31) ? 
\"png\" : \"jpg\");\n\t\t}\n\t\tt = gf_fopen(szName, \"wb\");\n\t\tif (!t) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Failed to open %s for dumping\\n\", szName));\n\t\t\treturn GF_IO_ERR;\n\t\t}\n\t} else {\n\t\tt = stdout;\n\t}\n\tgf_fwrite(tag, tag_len & 0x7FFFFFFF, t);\n\n\tif (inName) gf_fclose(t);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 61035262079078767648924912242105801977, "size": 34, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243195 }, { "func": "GF_Err dump_isom_cover_art(GF_ISOFile *file, char *inName, Bool is_final_name)\n{\n\tconst u8 *tag;\n\tFILE *t;\n\tu32 tag_len;\n\tGF_Err e = gf_isom_apple_get_tag(file, GF_ISOM_ITUNE_COVER_ART, &tag, &tag_len);\n\tif (e!=GF_OK) {\n\t\tif (e==GF_URL_ERROR) {\n\t\t\tfprintf(stderr, \"No cover art found\\n\");\n\t\t\treturn GF_OK;\n\t\t}\n\t\treturn e;\n\t}\n\n\tif (inName) {\n\t\tchar szName[1024];\n\t\tif (is_final_name) {\n\t\t\tstrcpy(szName, inName);\n\t\t} else {\n\t\t\tsprintf(szName, \"%s.%s\", inName, (tag_len>>31) ? 
\"png\" : \"jpg\");\n\t\t}\n\t\tt = gf_fopen(szName, \"wb\");\n\t\tif (!t) {\n\t\t\tfprintf(stderr, \"Failed to open %s for dumping\\n\", szName);\n\t\t\treturn GF_IO_ERR;\n\t\t}\n\t} else {\n\t\tt = stdout;\n\t}\n\tgf_fwrite(tag, tag_len & 0x7FFFFFFF, t);\n\n\tif (inName) gf_fclose(t);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 44800016319010223549166016962041369554, "size": 34, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249538 }, { "func": "GF_Err HintFile(GF_ISOFile *file, u32 MTUSize, u32 max_ptime, u32 rtp_rate, u32 base_flags, Bool copy_data, Bool interleave, Bool regular_iod, Bool single_group, Bool hint_no_offset)\n{\n\tGF_ESD *esd;\n\tGF_InitialObjectDescriptor *iod;\n\tu32 i, val, res, streamType;\n\tu32 sl_mode, prev_ocr, single_ocr, nb_done, tot_bw, bw, flags, spec_type;\n\tGF_Err e;\n\tchar szPayload[30];\n\tGF_RTPHinter *hinter;\n\tBool copy, has_iod, single_av;\n\tu8 init_payt = BASE_PAYT;\n\tu32 mtype;\n\tGF_SDP_IODProfile iod_mode = GF_SDP_IOD_NONE;\n\tu32 media_group = 0;\n\tu8 media_prio = 0;\n\n\ttot_bw = 0;\n\tprev_ocr = 0;\n\tsingle_ocr = 1;\n\n\thas_iod = 1;\n\tiod = (GF_InitialObjectDescriptor *) gf_isom_get_root_od(file);\n\tif (!iod) has_iod = 0;\n\telse {\n\t\tif (!gf_list_count(iod->ESDescriptors)) has_iod = 0;\n\t\tgf_odf_desc_del((GF_Descriptor *) iod);\n\t}\n\n\tspec_type = gf_isom_guess_specification(file);\n\tsingle_av = single_group ? 
1 : gf_isom_is_single_av(file);\n\n\t/*first make sure we use a systems track as base OCR*/\n\tfor (i=0; idecoderConfig->streamType;\n\t\t\tif (!prev_ocr) {\n\t\t\t\tprev_ocr = esd->OCRESID;\n\t\t\t\tif (!esd->OCRESID) prev_ocr = esd->ESID;\n\t\t\t} else if (esd->OCRESID && prev_ocr != esd->OCRESID) {\n\t\t\t\tsingle_ocr = 0;\n\t\t\t}\n\t\t\t/*OD MUST BE WITHOUT REFERENCES*/\n\t\t\tif (streamType==1) copy = 1;\n\t\t}\n\t\tgf_odf_desc_del((GF_Descriptor *) esd);\n\n\t\tif (!regular_iod && gf_isom_is_track_in_root_od(file, i+1)) {\n\t\t\t/*single AU - check if base64 would fit in ESD (consider 33% overhead of base64), otherwise stream*/\n\t\t\tif (gf_isom_get_sample_count(file, i+1)==1) {\n\t\t\t\tGF_ISOSample *samp = gf_isom_get_sample(file, i+1, 1, &val);\n\t\t\t\tif (streamType) {\n\t\t\t\t\tres = gf_hinter_can_embbed_data(samp->data, samp->dataLength, streamType);\n\t\t\t\t} else {\n\t\t\t\t\t/*not a system track, we shall hint it*/\n\t\t\t\t\tres = 0;\n\t\t\t\t}\n\t\t\t\tif (samp) gf_isom_sample_del(&samp);\n\t\t\t\tif (res) continue;\n\t\t\t}\n\t\t}\n\t\tif (interleave) sl_mode |= GP_RTP_PCK_USE_INTERLEAVING;\n\n\t\thinter = gf_hinter_track_new(file, i+1, MTUSize, max_ptime, rtp_rate, sl_mode, init_payt, copy, media_group, media_prio, &e);\n\n\t\tif (!hinter) {\n\t\t\tif (e) {\n\t\t\t\tfprintf(stderr, \"Cannot create hinter (%s)\\n\", gf_error_to_string(e));\n\t\t\t\tif (!nb_done) return e;\n\t\t\t}\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (hint_no_offset)\n\t\t\tgf_hinter_track_force_no_offsets(hinter);\n\n\t\tbw = gf_hinter_track_get_bandwidth(hinter);\n\t\ttot_bw += bw;\n\t\tflags = gf_hinter_track_get_flags(hinter);\n\n\t\t//set extraction mode for AVC/SVC\n\t\tgf_isom_set_nalu_extract_mode(file, i+1, GF_ISOM_NALU_EXTRACT_LAYER_ONLY);\n\n\t\tgf_hinter_track_get_payload_name(hinter, szPayload);\n\t\tfprintf(stderr, \"Hinting track ID %d - Type \\\"%s:%s\\\" (%s) - BW %d kbps\\n\", gf_isom_get_track_id(file, i+1), gf_4cc_to_str(mtype), gf_4cc_to_str(mtype), 
szPayload, bw);\n\t\tif (flags & GP_RTP_PCK_SYSTEMS_CAROUSEL) fprintf(stderr, \"\\tMPEG-4 Systems stream carousel enabled\\n\");\n\t\t/*\n\t\t\t\tif (flags & GP_RTP_PCK_FORCE_MPEG4) fprintf(stderr, \"\\tMPEG4 transport forced\\n\");\n\t\t\t\tif (flags & GP_RTP_PCK_USE_MULTI) fprintf(stderr, \"\\tRTP aggregation enabled\\n\");\n\t\t*/\n\t\te = gf_hinter_track_process(hinter);\n\n\t\tif (!e) e = gf_hinter_track_finalize(hinter, has_iod);\n\t\tgf_hinter_track_del(hinter);\n\n\t\tif (e) {\n\t\t\tfprintf(stderr, \"Error while hinting (%s)\\n\", gf_error_to_string(e));\n\t\t\tif (!nb_done) return e;\n\t\t}\n\t\tinit_payt++;\n\t\tnb_done ++;\n\t}\n\n\tif (has_iod) {\n\t\tiod_mode = GF_SDP_IOD_ISMA;\n\t\tif (regular_iod) iod_mode = GF_SDP_IOD_REGULAR;\n\t} else {\n\t\tiod_mode = GF_SDP_IOD_NONE;\n\t}\n\tgf_hinter_finalize(file, iod_mode, tot_bw);\n\n\tif (!single_ocr)\n\t\tfprintf(stderr, \"Warning: at least 2 timelines found in the file\\nThis may not be supported by servers/players\\n\\n\");\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 220294580854900191009637234720111384993, "size": 178, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244412 }, { "func": "void PrintMetaUsage()\n{\n\tu32 i=0;\n\tgf_sys_format_help(helpout, help_flags, \"# Meta and HEIF Options\\n\"\n\t\"IsoMedia files can be used as generic meta-data containers, for examples storing XML information and sample images for a movie. 
The resulting file may not always contain a movie as is the case with some HEIF files or MPEG-21 files.\\n\"\n\t\" \\n\"\n\t\"These information can be stored at the file root level, as is the case for HEIF/IFF and MPEG-21 file formats, or at the moovie or track level for a regular movie.\"\n\t\" \\n \\n\");\n\twhile (m4b_meta_args[i].name) {\n\t\tGF_GPACArg *arg = &m4b_meta_args[i];\n\t\ti++;\n\t\tgf_sys_print_arg(helpout, help_flags, arg, \"mp4box-extract\");\n\t}\n}", "project": "gpac", "hash": 239474006463764500266864173108910709886, "size": 14, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244411 }, { "func": "GF_Err hvcc_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tGF_HEVCConfigurationBox *ptr = (GF_HEVCConfigurationBox *) s;\n\tif (!s) return GF_BAD_PARAM;\n\tif (!ptr->config) return GF_OK;\n\te = gf_isom_box_write_header(s, bs);\n\tif (e) return e;\n\n\treturn gf_odf_hevc_cfg_write_bs(ptr->config, bs);\n}", "project": "gpac", "hash": 209559408413843528926219302014145103850, "size": 11, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237544 }, { "func": "GF_Err minf_on_child_box(GF_Box *s, GF_Box *a)\n{\n\tGF_MediaInformationBox *ptr = (GF_MediaInformationBox *)s;\n\tswitch (a->type) {\n\tcase GF_ISOM_BOX_TYPE_NMHD:\n\tcase GF_ISOM_BOX_TYPE_STHD:\n\tcase GF_ISOM_BOX_TYPE_VMHD:\n\tcase GF_ISOM_BOX_TYPE_SMHD:\n\tcase GF_ISOM_BOX_TYPE_HMHD:\n\tcase GF_ISOM_BOX_TYPE_GMHD:\n\t\tif (ptr->InfoHeader) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->InfoHeader = a;\n\t\treturn GF_OK;\n\n\tcase GF_ISOM_BOX_TYPE_DINF:\n\t\tif (ptr->dataInformation) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->dataInformation = (GF_DataInformationBox *)a;\n\t\treturn GF_OK;\n\n\tcase GF_ISOM_BOX_TYPE_STBL:\n\t\tif (ptr->sampleTable ) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->sampleTable = (GF_SampleTableBox *)a;\n\t\treturn 
GF_OK;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 230375835222183016294115212718907745611, "size": 26, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264867 }, { "func": "#endif\n\nstatic void dump_isom_obu(GF_ISOFile *file, GF_ISOTrackID trackID, FILE *dump, Bool dump_crc)\n{\n#ifndef GPAC_DISABLE_AV_PARSERS\n\tu32 i, count, track, timescale;\n\tAV1State av1;\n\tObuType obu_type;\n\tu64 obu_size;\n\tu32 hdr_size;\n\tGF_BitStream *bs;\n\tu32 idx;\n\n\ttrack = gf_isom_get_track_by_id(file, trackID);\n\n\tgf_av1_init_state(&av1);\n\tav1.config = gf_isom_av1_config_get(file, track, 1);\n\tif (!av1.config) {\n\t\tM4_LOG(GF_LOG_ERROR, (\"Error: Track #%d is not AV1!\\n\", trackID));\n\t\treturn;\n\t}\n\n\tcount = gf_isom_get_sample_count(file, track);\n\ttimescale = gf_isom_get_media_timescale(file, track);\n\n\tfprintf(dump, \"\\n\", trackID, count, timescale);\n\n\tfprintf(dump, \" \\n\");\n\n\tfor (i=0; iobu_array); i++) {\n\t\tGF_AV1_OBUArrayEntry *obu = gf_list_get(av1.config->obu_array, i);\n\t\tbs = gf_bs_new(obu->obu, (u32) obu->obu_length, GF_BITSTREAM_READ);\n\t\tgf_av1_parse_obu(bs, &obu_type, &obu_size, &hdr_size, &av1);\n\t\tgf_inspect_dump_obu(dump, &av1, obu->obu, obu->obu_length, obu_type, obu_size, hdr_size, dump_crc);\n\t\tgf_bs_del(bs);\n\t}\n\tfprintf(dump, \" \\n\");\n\n\tfprintf(dump, \" \\n\");\n\n\tfor (i=0; i\\n\", i+1);\n\t\t\tcontinue;\n\t\t}\n\t\tdts = samp->DTS;\n\t\tcts = dts + (s32) samp->CTS_Offset;\n\n\t\tfprintf(dump, \" \\n\", i+1, dts, cts, samp->dataLength, samp->IsRAP);\n\t\tif (cts\\n\");\n\n\t\tidx = 1;\n\t\tptr = samp->data;\n\t\tsize = samp->dataLength;\n\n\t\tbs = gf_bs_new(ptr, size, GF_BITSTREAM_READ);\n\t\twhile (size) {\n\t\t\tgf_av1_parse_obu(bs, &obu_type, &obu_size, &hdr_size, &av1);\n\t\t\tif (obu_size > size) {\n\t\t\t\tfprintf(dump, \" \\n\", idx, (u32) obu_size, size);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tgf_inspect_dump_obu(dump, &av1, 
ptr, obu_size, obu_type, obu_size, hdr_size, dump_crc);\n\t\t\tptr += obu_size;\n\t\t\tsize -= (u32)obu_size;\n\t\t\tidx++;\n\t\t}\n\t\tgf_bs_del(bs);\n\t\tfprintf(dump, \" \\n\");\n\t\tgf_isom_sample_del(&samp);\n\n\t\tfprintf(dump, \"\\n\");\n\t\tgf_set_progress(\"Analysing Track OBUs\", i+1, count);\n\t}\n\tfprintf(dump, \" \\n\");\n\tfprintf(dump, \"\\n\");\n\n\tif (av1.config) gf_odf_av1_cfg_del(av1.config);\n\tgf_av1_reset_state(&av1, GF_TRUE);", "project": "gpac", "hash": 193037401308221088060411425361593517528, "size": 83, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243207 }, { "func": "#endif\n\nstatic void dump_isom_obu(GF_ISOFile *file, GF_ISOTrackID trackID, FILE *dump, Bool dump_crc)\n{\n#ifndef GPAC_DISABLE_AV_PARSERS\n\tu32 i, count, track, timescale;\n\tAV1State av1;\n\tObuType obu_type;\n\tu64 obu_size;\n\tu32 hdr_size;\n\tGF_BitStream *bs;\n\tu32 idx;\n\n\ttrack = gf_isom_get_track_by_id(file, trackID);\n\n\tgf_av1_init_state(&av1);\n\tav1.config = gf_isom_av1_config_get(file, track, 1);\n\tif (!av1.config) {\n\t\tfprintf(stderr, \"Error: Track #%d is not AV1!\\n\", trackID);\n\t\treturn;\n\t}\n\n\tcount = gf_isom_get_sample_count(file, track);\n\ttimescale = gf_isom_get_media_timescale(file, track);\n\n\tfprintf(dump, \"\\n\", trackID, count, timescale);\n\n\tfprintf(dump, \" \\n\");\n\n\tfor (i=0; iobu_array); i++) {\n\t\tGF_AV1_OBUArrayEntry *obu = gf_list_get(av1.config->obu_array, i);\n\t\tbs = gf_bs_new(obu->obu, (u32) obu->obu_length, GF_BITSTREAM_READ);\n\t\tgf_media_aom_av1_parse_obu(bs, &obu_type, &obu_size, &hdr_size, &av1);\n\t\tgf_inspect_dump_obu(dump, &av1, obu->obu, obu->obu_length, obu_type, obu_size, hdr_size, dump_crc);\n\t\tgf_bs_del(bs);\n\t}\n\tfprintf(dump, \" \\n\");\n\n\tfprintf(dump, \" \\n\");\n\n\tfor (i=0; i\\n\", i+1);\n\t\t\tcontinue;\n\t\t}\n\t\tdts = samp->DTS;\n\t\tcts = dts + (s32) samp->CTS_Offset;\n\n\t\tfprintf(dump, \" 
\\n\", i+1, dts, cts, samp->dataLength, samp->IsRAP);\n\t\tif (cts\\n\");\n\n\t\tidx = 1;\n\t\tptr = samp->data;\n\t\tsize = samp->dataLength;\n\n\t\tbs = gf_bs_new(ptr, size, GF_BITSTREAM_READ);\n\t\twhile (size) {\n\t\t\tgf_media_aom_av1_parse_obu(bs, &obu_type, &obu_size, &hdr_size, &av1);\n\t\t\tif (obu_size > size) {\n\t\t\t\tfprintf(dump, \" \\n\", idx, (u32) obu_size, size);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tgf_inspect_dump_obu(dump, &av1, ptr, obu_size, obu_type, obu_size, hdr_size, dump_crc);\n\t\t\tptr += obu_size;\n\t\t\tsize -= (u32)obu_size;\n\t\t\tidx++;\n\t\t}\n\t\tgf_bs_del(bs);\n\t\tfprintf(dump, \" \\n\");\n\t\tgf_isom_sample_del(&samp);\n\n\t\tfprintf(dump, \"\\n\");\n\t\tgf_set_progress(\"Analysing Track OBUs\", i+1, count);\n\t}\n\tfprintf(dump, \" \\n\");\n\tfprintf(dump, \"\\n\");\n\n\tif (av1.config) gf_odf_av1_cfg_del(av1.config);\n\tgf_av1_reset_state(&av1, GF_TRUE);", "project": "gpac", "hash": 117025895455889039133458697787105416, "size": 83, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249533 }, { "func": "u8 RequestTrack(GF_MovieBox *moov, GF_ISOTrackID TrackID)\n{\n\tu32 i;\n\tGF_TrackBox *trak;\n\n\ti=0;\n\twhile ((trak = (GF_TrackBox *)gf_list_enum(moov->trackList, &i))) {\n\t\tif (trak->Header->trackID == TrackID) {\n\t\t\tgf_isom_set_last_error(moov->mov, GF_BAD_PARAM);\n\t\t\treturn 0;\n\t\t}\n\t}\n\treturn 1;\n}", "project": "gpac", "hash": 14039743377905178758540868808879703280, "size": 14, "commit_id": "df8fffd839fe5ae9acd82d26fd48280a397411d9", "message": "fixed #1736", "target": 0, "dataset": "other", "idx": 272329 }, { "func": "GF_Err gf_isom_avc_config_new(GF_ISOFile *the_file, u32 trackNumber, GF_AVCConfig *cfg, const char *URLname, const char *URNname, u32 *outDescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_Err e;\n\tGF_SampleDescriptionBox *stsd;\n\tu32 dataRefIndex;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\n\te = CanAccessMovie(the_file, 
GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !cfg) return GF_BAD_PARAM;\n\n\t//get or create the data ref\n\te = Media_FindDataRef(trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\tif (e) return e;\n\tif (!dataRefIndex) {\n\t\te = Media_CreateDataRef(the_file, trak->Media->information->dataInformation->dref, (char *)URLname, (char *)URNname, &dataRefIndex);\n\t\tif (e) return e;\n\t}\n\tif (!the_file->keep_utc && !gf_sys_is_test_mode() )\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\n\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\n\t//create a new entry\n\tentry = (GF_MPEGVisualSampleEntryBox *) gf_isom_box_new_parent(&stsd->child_boxes, GF_ISOM_BOX_TYPE_AVC1);\n\tif (!entry) return GF_OUT_OF_MEM;\n\t*outDescriptionIndex = gf_list_count(stsd->child_boxes);\n\n\tentry->avc_config = (GF_AVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_AVCC);\n\tif (!entry->avc_config) return GF_OUT_OF_MEM;\n\tentry->avc_config->config = AVC_DuplicateConfig(cfg);\n\tif (!entry->avc_config->config) return GF_OUT_OF_MEM;\n\tentry->dataReferenceIndex = dataRefIndex;\n\tAVC_RewriteESDescriptor(entry);\n\treturn e;\n}", "project": "gpac", "hash": 91723100080658461247802253513923920355, "size": 39, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237546 }, { "func": "GF_Err gf_isom_set_track_creation_time(GF_ISOFile *movie,u32 trackNumber, u64 ctime, u64 mtime)\n{\n\tGF_TrackBox *trak;\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\ttrak->Header->creationTime = ctime;\n\ttrak->Header->modificationTime = mtime;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 289530309750706572145337043953389428174, "size": 10, "commit_id": 
"ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267322 }, { "func": "GF_Err GetESD(GF_MovieBox *moov, GF_ISOTrackID trackID, u32 StreamDescIndex, GF_ESD **outESD)\n{\n\tGF_Err e;\n\tGF_ESD *esd;\n\tu32 track_num = 0;\n\tu32 k;\n\tGF_SampleTableBox *stbl;\n\tGF_TrackBox *trak, *OCRTrack;\n\tGF_TrackReferenceTypeBox *dpnd;\n\tGF_SLConfig *slc;\n\tGF_MPEGSampleEntryBox *entry;\n\n\tif (!moov) return GF_ISOM_INVALID_FILE;\n\n\ttrack_num = gf_isom_get_tracknum_from_id(moov, trackID);\n\tdpnd = NULL;\n\t*outESD = NULL;\n\n\ttrak = gf_isom_get_track(moov, track_num);\n\tif (!trak) return GF_ISOM_INVALID_FILE;\n\n\te = Media_GetESD(trak->Media, StreamDescIndex, &esd, 0);\n\tif (e) return e;\n\tif (!esd) return GF_NON_COMPLIANT_BITSTREAM;\n\n\te = Media_GetSampleDesc(trak->Media, StreamDescIndex, (GF_SampleEntryBox **) &entry, NULL);\n\tif (e) return e;\n\t//set the ID\n\tesd->ESID = trackID;\n\n\t//find stream dependencies: dpnd, sbas and scal\n\tfor (k=0; k<3; k++) {\n\t\tu32 ref = GF_ISOM_BOX_TYPE_DPND;\n\t\tif (k==1) ref = GF_ISOM_REF_BASE;\n\t\telse if (k==2) ref = GF_ISOM_REF_SCAL;\n\n\t\te = Track_FindRef(trak, ref , &dpnd);\n\t\tif (e) return e;\n\t\tif (dpnd) {\n\t\t\t//ONLY ONE STREAM DEPENDENCY IS ALLOWED\n\t\t\tif (!k && (dpnd->trackIDCount != 1)) return GF_ISOM_INVALID_MEDIA;\n\t\t\t//fix the spec: where is the index located ??\n\t\t\tesd->dependsOnESID = dpnd->trackIDs[0];\n\t\t\tbreak;\n\t\t} else {\n\t\t\tesd->dependsOnESID = 0;\n\t\t}\n\t}\n\n\tif (trak->udta) {\n\t\tGF_UserDataMap *map;\n\t\tu32 i = 0;\n\t\twhile ((map = (GF_UserDataMap*)gf_list_enum(trak->udta->recordList, &i))) {\n\t\t\tif (map->boxType == GF_ISOM_BOX_TYPE_AUXV) {\n\t\t\t\tGF_Descriptor *d = gf_odf_desc_new(GF_ODF_AUX_VIDEO_DATA);\n\t\t\t\tgf_list_add(esd->extensionDescriptors, d);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\t//OK, get the OCR (in a REAL MP4File, OCR is 0 in ESD and is specified through track reference\n\tdpnd = 
NULL;\n\tOCRTrack = NULL;\n\t//find OCR dependencies\n\te = Track_FindRef(trak, GF_ISOM_BOX_TYPE_SYNC, &dpnd);\n\tif (e) return e;\n\tif (dpnd) {\n\t\tif (dpnd->trackIDCount != 1) return GF_ISOM_INVALID_MEDIA;\n\t\tesd->OCRESID = dpnd->trackIDs[0];\n\t\tOCRTrack = gf_isom_get_track_from_id(trak->moov, dpnd->trackIDs[0]);\n\n\t\twhile (OCRTrack) {\n\t\t\t/*if we have a dependency on a track that doesn't have OCR dep, remove that dependency*/\n\t\t\te = Track_FindRef(OCRTrack, GF_ISOM_BOX_TYPE_SYNC, &dpnd);\n\t\t\tif (e || !dpnd || !dpnd->trackIDCount) {\n\t\t\t\tOCRTrack = NULL;\n\t\t\t\tgoto default_sync;\n\t\t\t}\n\t\t\t/*this is explicit desync*/\n\t\t\tif ((dpnd->trackIDs[0]==0) || (dpnd->trackIDs[0]==OCRTrack->Header->trackID))\n\t\t\t\tbreak;\n\t\t\t/*loop in OCRs, break it*/\n\t\t\tif (esd->ESID == (u16) OCRTrack->Header->trackID) {\n\t\t\t\tOCRTrack = NULL;\n\t\t\t\tgoto default_sync;\n\t\t\t}\n\t\t\t/*check next*/\n\t\t\tOCRTrack = gf_isom_get_track_from_id(trak->moov, dpnd->trackIDs[0]);\n\t\t}\n\t\tif (!OCRTrack) goto default_sync;\n\t} else {\ndefault_sync:\n\t\t/*all tracks are sync'ed by default*/\n\t\tif (trak->moov->mov->es_id_default_sync<0) {\n\t\t\tif (esd->OCRESID)\n\t\t\t\ttrak->moov->mov->es_id_default_sync = esd->OCRESID;\n\t\t\telse\n\t\t\t\ttrak->moov->mov->es_id_default_sync = esd->ESID;\n\t\t}\n\t\tif (trak->moov->mov->es_id_default_sync) esd->OCRESID = (u16) trak->moov->mov->es_id_default_sync;\n\t\t/*cf ESD writer*/\n\t\tif (esd->OCRESID == esd->ESID) esd->OCRESID = 0;\n\t}\n\n\n\n\t//update the IPI stuff if needed\n\tif (esd->ipiPtr != NULL) {\n\t\tdpnd = NULL;\n\t\te = Track_FindRef(trak, GF_ISOM_BOX_TYPE_IPIR, &dpnd);\n\t\tif (e) return e;\n\t\tif (dpnd) {\n\t\t\tif (esd->ipiPtr->tag != GF_ODF_ISOM_IPI_PTR_TAG) return GF_ISOM_INVALID_FILE;\n\t\t\t//OK, retrieve the ID: the IPI_ES_Id is currently the ref track\n\t\t\tesd->ipiPtr->IPI_ES_Id = dpnd->trackIDs[esd->ipiPtr->IPI_ES_Id - 1];\n\t\t\t//and change the tag\n\t\t\tesd->ipiPtr->tag 
= GF_ODF_IPI_PTR_TAG;\n\t\t} else {\n\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t}\n\t}\n\n\tif ((trak->Media->mediaHeader->packedLanguage[0] != 'u')\n\t || (trak->Media->mediaHeader->packedLanguage[1] != 'n')\n\t || (trak->Media->mediaHeader->packedLanguage[2] != 'd') ) {\n\t\tif (!esd->langDesc) esd->langDesc = (GF_Language *) gf_odf_desc_new(GF_ODF_LANG_TAG);\n\n\t\tesd->langDesc->langCode = trak->Media->mediaHeader->packedLanguage[0];\n\t\tesd->langDesc->langCode <<= 8;\n\t\tesd->langDesc->langCode |= trak->Media->mediaHeader->packedLanguage[1];\n\t\tesd->langDesc->langCode <<= 8;\n\t\tesd->langDesc->langCode |= trak->Media->mediaHeader->packedLanguage[2];\n\t}\n\n\n\t{\n\t\tu16 rvc_predefined;\n\t\tu8 *rvc_cfg_data;\n\t\tconst char *mime_type;\n\t\tu32 rvc_cfg_size;\n\t\te = gf_isom_get_rvc_config(moov->mov, track_num, 1, &rvc_predefined, &rvc_cfg_data, &rvc_cfg_size, &mime_type);\n\t\tif (e==GF_OK) {\n\t\t\tif (rvc_predefined) {\n\t\t\t\tesd->decoderConfig->predefined_rvc_config = rvc_predefined;\n\t\t\t} else {\n\t\t\t\tesd->decoderConfig->rvc_config = (GF_DefaultDescriptor *) gf_odf_desc_new(GF_ODF_DSI_TAG);\n\t\t\t\tif (mime_type && !strcmp(mime_type, \"application/rvc-config+xml+gz\") ) {\n#if !defined(GPAC_DISABLE_CORE_TOOLS) && !defined(GPAC_DISABLE_ZLIB)\n\t\t\t\t\tgf_gz_decompress_payload(rvc_cfg_data, rvc_cfg_size, &esd->decoderConfig->rvc_config->data, &esd->decoderConfig->rvc_config->dataLength);\n\t\t\t\t\tgf_free(rvc_cfg_data);\n#endif\n\t\t\t\t} else {\n\t\t\t\t\tesd->decoderConfig->rvc_config->data = rvc_cfg_data;\n\t\t\t\t\tesd->decoderConfig->rvc_config->dataLength = rvc_cfg_size;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\n\t/*normally all files shall be stored with predefined=SLPredef_MP4, but of course some are broken (philips)\n\tso we just check the ESD_URL. 
If set, use the given cfg, otherwise always rewrite it*/\n\tif (esd->URLString != NULL) {\n\t\t*outESD = esd;\n\t\treturn GF_OK;\n\t}\n\n\t//if we are in publishing mode and we have an SLConfig specified, use it as is\n\tswitch (entry->type) {\n\tcase GF_ISOM_BOX_TYPE_MP4V:\n\t\tslc = ((GF_MPEGVisualSampleEntryBox *)entry)->slc;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_MP4A:\n\t\tslc = ((GF_MPEGAudioSampleEntryBox *)entry)->slc;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_MP4S:\n\t\tslc = entry->slc;\n\t\tbreak;\n\tdefault:\n\t\tslc = NULL;\n\t\tbreak;\n\t}\n\tif (slc) {\n\t\tgf_odf_desc_del((GF_Descriptor *)esd->slConfig);\n\t\tgf_odf_desc_copy((GF_Descriptor *)slc, (GF_Descriptor **)&esd->slConfig);\n\t\t*outESD = esd;\n\t\treturn GF_OK;\n\t}\n\t//otherwise use the regular mapping\n\n\tif (!esd->slConfig)\n\t\tesd->slConfig = (GF_SLConfig *) gf_odf_desc_new(GF_ODF_SLC_TAG);\n\n\t//this is a desc for a media in the file, let's rewrite some param\n\tesd->slConfig->timestampLength = 32;\n\tesd->slConfig->timestampResolution = trak->Media->mediaHeader->timeScale;\n\t//NO OCR from MP4File streams (eg, constant OC Res one)\n\tesd->slConfig->OCRLength = 0;\n\tesd->slConfig->OCRResolution = 0;\n//\tif (OCRTrack) esd->slConfig->OCRResolution = OCRTrack->Media->mediaHeader->timeScale;\n\n\tstbl = trak->Media->information->sampleTable;\n\t// a little optimization here: if all our samples are sync,\n\t//set the RAPOnly to true... for external users...\n\tif (! 
stbl->SyncSample) {\n\t\tif (\n#ifndef GPAC_DISABLE_ISOM_FRAGMENTS\n\t\t moov->mvex &&\n#endif\n\t\t esd->decoderConfig && esd->decoderConfig->streamType &&\n\t\t (esd->decoderConfig->streamType==GF_STREAM_VISUAL)\n\t\t) {\n\t\t\tesd->slConfig->hasRandomAccessUnitsOnlyFlag = 0;\n\t\t\tesd->slConfig->useRandomAccessPointFlag = 1;\n\t\t\tif (trak->moov->mov->openMode!=GF_ISOM_OPEN_READ) {\n\t\t\t\tstbl->SyncSample = (GF_SyncSampleBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STSS);\n\t\t\t\tif (!stbl->SyncSample) return GF_OUT_OF_MEM;\n\t\t\t}\n\t\t} else {\n\t\t\tesd->slConfig->hasRandomAccessUnitsOnlyFlag = 1;\n\t\t\tesd->slConfig->useRandomAccessPointFlag = 0;\n\t\t}\n\t} else {\n\t\tesd->slConfig->hasRandomAccessUnitsOnlyFlag = 0;\n\t\t//signal we are NOT using sync points if no info is present in the table\n\t\tesd->slConfig->useRandomAccessPointFlag = stbl->SyncSample->nb_entries ? 1 : 0;\n\t}\n\t//change to support reflecting OD streams\n\tesd->slConfig->useAccessUnitEndFlag = 1;\n\tesd->slConfig->useAccessUnitStartFlag = 1;\n\n\t//signal we do have padding flag (since we only use logical SL packet\n\t//the user can decide whether to use the info or not\n\tesd->slConfig->usePaddingFlag = stbl->PaddingBits ? 1 : 0;\n\n\t//same with degradation priority\n\tesd->slConfig->degradationPriorityLength = stbl->DegradationPriority ? 32 : 0;\n\n\t//this new SL will be OUT OF THE FILE. 
Let's set its predefined to 0\n\tesd->slConfig->predefined = 0;\n\n\n\t*outESD = esd;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 267838183772496514304318491985414505229, "size": 246, "commit_id": "df8fffd839fe5ae9acd82d26fd48280a397411d9", "message": "fixed #1736", "target": 0, "dataset": "other", "idx": 272320 }, { "func": "GF_Err gf_isom_set_root_od_url(GF_ISOFile *movie, const char *url_string)\n{\n\tGF_Err e;\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\te = gf_isom_insert_moov(movie);\n\tif (e) return e;\n\n\tif (!movie->moov->iods) {\n\t\te = AddMovieIOD(movie->moov, 0);\n\t\tif (e) return e;\n\t}\n\n\tswitch (movie->moov->iods->descriptor->tag) {\n\tcase GF_ODF_ISOM_OD_TAG:\n\t\tif (((GF_IsomObjectDescriptor *)movie->moov->iods->descriptor)->URLString) gf_free(((GF_IsomObjectDescriptor *)movie->moov->iods->descriptor)->URLString);\n\t\t((GF_IsomObjectDescriptor *)movie->moov->iods->descriptor)->URLString = url_string ? gf_strdup(url_string) : NULL;\n\t\tbreak;\n\tcase GF_ODF_ISOM_IOD_TAG:\n\t\tif (((GF_IsomInitialObjectDescriptor *)movie->moov->iods->descriptor)->URLString) gf_free(((GF_IsomInitialObjectDescriptor *)movie->moov->iods->descriptor)->URLString);\n\t\t((GF_IsomInitialObjectDescriptor *)movie->moov->iods->descriptor)->URLString = url_string ? 
gf_strdup(url_string) : NULL;\n\t\tbreak;\n\tdefault:\n\t\treturn GF_ISOM_INVALID_FILE;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 156536750023427882184413887140732400149, "size": 27, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267206 }, { "func": "}\n\nvoid dump_isom_saps(GF_ISOFile *file, GF_ISOTrackID trackID, u32 dump_saps_mode, char *inName, Bool is_final_name)\n{\n\tFILE *dump;\n\tu32 i, count;\n\ts64 media_offset=0;\n\tu32 track = gf_isom_get_track_by_id(file, trackID);\n\tif (inName) {\n\t\tchar szBuf[GF_MAX_PATH];\n\t\tstrcpy(szBuf, inName);\n\n\t\tif (!is_final_name) sprintf(szBuf, \"%s_%d_cues.xml\", inName, trackID);\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Failed to open %s for dumping\\n\", szBuf));\n\t\t\treturn;\n\t\t}\n\t} else {\n\t\tdump = stdout;\n\t}\n\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\n\tcount = gf_isom_get_sample_count(file, track);\n\tfor (i=0; iIsRAP;\n\t\tif (!sap_type) {\n\t\t\tBool is_rap;\n\t\t\tGF_ISOSampleRollType roll_type;\n\t\t\ts32 roll_dist;\n\t\t\tgf_isom_get_sample_rap_roll_info(file, track, i+1, &is_rap, &roll_type, &roll_dist);\n\t\t\tif (roll_type) sap_type = SAP_TYPE_4;\n\t\t\telse if (is_rap) sap_type = SAP_TYPE_3;\n\t\t}\n\n\t\tif (!sap_type) {\n\t\t\tgf_isom_sample_del(&samp);\n\t\t\tcontinue;\n\t\t}\n\n\t\tdts = cts = samp->DTS;\n\t\tcts += samp->CTS_Offset;\n\t\tfprintf(dump, \"\\n\");\n\n\t\tgf_isom_sample_del(&samp);\n\t}\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");", "project": "gpac", "hash": 122405642683373858894736452476628611309, "size": 79, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243196 }, { "func": "}\n\nvoid dump_isom_saps(GF_ISOFile *file, GF_ISOTrackID trackID, u32 dump_saps_mode, char *inName, Bool is_final_name)\n{\n\tFILE 
*dump;\n\tu32 i, count;\n\ts64 media_offset=0;\n\tu32 track = gf_isom_get_track_by_id(file, trackID);\n\tif (inName) {\n\t\tchar szBuf[GF_MAX_PATH];\n\t\tstrcpy(szBuf, inName);\n\n\t\tif (!is_final_name) sprintf(szBuf, \"%s_%d_cues.xml\", inName, trackID);\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tfprintf(stderr, \"Failed to open %s for dumping\\n\", szBuf);\n\t\t\treturn;\n\t\t}\n\t} else {\n\t\tdump = stdout;\n\t}\n\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");\n\n\tcount = gf_isom_get_sample_count(file, track);\n\tfor (i=0; iIsRAP;\n\t\tif (!sap_type) {\n\t\t\tBool is_rap;\n\t\t\tGF_ISOSampleRollType roll_type;\n\t\t\ts32 roll_dist;\n\t\t\tgf_isom_get_sample_rap_roll_info(file, track, i+1, &is_rap, &roll_type, &roll_dist);\n\t\t\tif (roll_type) sap_type = SAP_TYPE_4;\n\t\t\telse if (is_rap) sap_type = SAP_TYPE_3;\n\t\t}\n\n\t\tif (!sap_type) {\n\t\t\tgf_isom_sample_del(&samp);\n\t\t\tcontinue;\n\t\t}\n\n\t\tdts = cts = samp->DTS;\n\t\tcts += samp->CTS_Offset;\n\t\tfprintf(dump, \"\\n\");\n\n\t\tgf_isom_sample_del(&samp);\n\t}\n\tfprintf(dump, \"\\n\");\n\tfprintf(dump, \"\\n\");", "project": "gpac", "hash": 40658136751991500472983002456506441726, "size": 79, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249549 }, { "func": "GF_EXPORT\nBool gf_isom_get_sample_group_info(GF_ISOFile *the_file, u32 trackNumber, u32 sample_description_index, u32 grouping_type, u32 *default_index, const u8 **data, u32 *size)\n{\n\tGF_DefaultSampleGroupDescriptionEntry *sg_entry;\n\tGF_TrackBox *trak = gf_isom_get_track_from_file(the_file, trackNumber);\n\n\tif (default_index) *default_index = 0;\n\tif (size) *size = 0;\n\tif (data) *data = NULL;\n\n\tsg_entry = gf_isom_get_sample_group_info_entry(the_file, trak, grouping_type, sample_description_index, default_index, NULL);\n\tif (!sg_entry) return GF_FALSE;\n\n\tswitch (grouping_type) {\n\tcase 
GF_ISOM_SAMPLE_GROUP_RAP:\n\tcase GF_ISOM_SAMPLE_GROUP_SYNC:\n\tcase GF_ISOM_SAMPLE_GROUP_ROLL:\n\tcase GF_ISOM_SAMPLE_GROUP_SEIG:\n\tcase GF_ISOM_SAMPLE_GROUP_OINF:\n\tcase GF_ISOM_SAMPLE_GROUP_LINF:\n\t\treturn GF_TRUE;\n\tdefault:\n\t\tif (sg_entry && data) *data = (char *) sg_entry->data;\n\t\tif (sg_entry && size) *size = sg_entry->length;\n\t\treturn GF_TRUE;\n\t}\n\treturn GF_FALSE;", "project": "gpac", "hash": 277849425030234730296058907281126537147, "size": 27, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246840 }, { "func": "static GF_Err xml_bs_to_bin(char *inName, char *outName, u32 dump_std)\n{\n\tGF_Err e;\n\tGF_XMLNode *root;\n\tu8 *data = NULL;\n\tu32 data_size;\n\n\tGF_DOMParser *dom = gf_xml_dom_new();\n\te = gf_xml_dom_parse(dom, inName, NULL, NULL);\n\tif (e) {\n\t\tgf_xml_dom_del(dom);\n\t\tfprintf(stderr, \"Failed to parse XML file: %s\\n\", gf_error_to_string(e));\n\t\treturn e;\n\t}\n\troot = gf_xml_dom_get_root_idx(dom, 0);\n\tif (!root) {\n\t\tgf_xml_dom_del(dom);\n\t\treturn GF_OK;\n\t}\n\n\te = gf_xml_parse_bit_sequence(root, inName, &data, &data_size);\n\tgf_xml_dom_del(dom);\n\n\tif (e) {\n\t\tfprintf(stderr, \"Failed to parse binary sequence: %s\\n\", gf_error_to_string(e));\n\t\treturn e;\n\t}\n\n\tif (dump_std) {\n\t\tgf_fwrite(data, data_size, stdout);\n\t} else {\n\t\tFILE *t;\n\t\tchar szFile[GF_MAX_PATH];\n\t\tif (outName) {\n\t\t\tstrcpy(szFile, outName);\n\t\t} else {\n\t\t\tstrcpy(szFile, inName);\n\t\t\tstrcat(szFile, \".bin\");\n\t\t}\n\t\tt = gf_fopen(szFile, \"wb\");\n\t\tif (!t) {\n\t\t\tfprintf(stderr, \"Failed to open file %s\\n\", szFile);\n\t\t\te = GF_IO_ERR;\n\t\t} else {\n\t\t\tif (gf_fwrite(data, data_size, t) != data_size) {\n\t\t\t\tfprintf(stderr, \"Failed to write output to file %s\\n\", szFile);\n\t\t\t\te = GF_IO_ERR;\n\t\t\t}\n\t\t\tgf_fclose(t);\n\t\t}\n\t}\n\tgf_free(data);\n\treturn e;\n}", "project": "gpac", "hash": 
174749367672234710342572036002866052373, "size": 54, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244413 }, { "func": "\nGF_Err trak_on_child_box(GF_Box *s, GF_Box *a)\n{\n\tGF_TrackBox *ptr = (GF_TrackBox *)s;\n\tif (!a) return GF_OK;\n\tswitch(a->type) {\n\tcase GF_ISOM_BOX_TYPE_TKHD:\n\t\tif (ptr->Header) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->Header = (GF_TrackHeaderBox *)a;\n\t\treturn GF_OK;\n\tcase GF_ISOM_BOX_TYPE_EDTS:\n\t\tif (ptr->editBox) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->editBox = (GF_EditBox *)a;\n\t\treturn GF_OK;\n\tcase GF_ISOM_BOX_TYPE_UDTA:\n\t\tif (ptr->udta) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->udta = (GF_UserDataBox *)a;\n\t\treturn GF_OK;\n\tcase GF_ISOM_BOX_TYPE_META:\n\t\tif (ptr->meta) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->meta = (GF_MetaBox *)a;\n\t\treturn GF_OK;\n\tcase GF_ISOM_BOX_TYPE_TREF:\n\t\tif (ptr->References) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->References = (GF_TrackReferenceBox *)a;\n\t\treturn GF_OK;\n\tcase GF_ISOM_BOX_TYPE_MDIA:\n\t\tif (ptr->Media) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->Media = (GF_MediaBox *)a;\n\t\t((GF_MediaBox *)a)->mediaTrack = ptr;\n\t\treturn GF_OK;\n\tcase GF_ISOM_BOX_TYPE_TRGR:\n\t\tif (ptr->groups) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->groups = (GF_TrackGroupBox *)a;\n\t\treturn GF_OK;\n\tcase GF_QT_BOX_TYPE_TAPT:\n\t\tif (ptr->Aperture) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->Aperture = (GF_Box *)a;\n\t\treturn GF_OK;\n\tcase GF_ISOM_BOX_TYPE_SENC:\n\t\tptr->sample_encryption = (GF_SampleEncryptionBox*)a;\n\t\treturn GF_OK;\n\tcase GF_ISOM_BOX_TYPE_UUID:\n\t\tif (((GF_UnknownUUIDBox *)a)->internal_4cc == GF_ISOM_BOX_UUID_PSEC) {\n\t\t\tptr->sample_encryption = (GF_SampleEncryptionBox*) a;\n\t\t\treturn GF_OK;\n\t\t}\n\t}\n\treturn GF_OK;", "project": "gpac", "hash": 39827509834788557811686707065335475959, "size": 49, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": 
"fixed #1587", "target": 0, "dataset": "other", "idx": 264818 }, { "func": "GF_Err SmDm_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tGF_SMPTE2086MasteringDisplayMetadataBox *p = (GF_SMPTE2086MasteringDisplayMetadataBox*)s;\n\te = gf_isom_full_box_write(s, bs);\n\tif (e) return e;\n\n\tgf_bs_write_u16(bs, p->primaryRChromaticity_x);\n\tgf_bs_write_u16(bs, p->primaryRChromaticity_y);\n\tgf_bs_write_u16(bs, p->primaryGChromaticity_x);\n\tgf_bs_write_u16(bs, p->primaryGChromaticity_y);\n\tgf_bs_write_u16(bs, p->primaryBChromaticity_x);\n\tgf_bs_write_u16(bs, p->primaryBChromaticity_y);\n\tgf_bs_write_u16(bs, p->whitePointChromaticity_x);\n\tgf_bs_write_u16(bs, p->whitePointChromaticity_y);\n\tgf_bs_write_u32(bs, p->luminanceMax);\n\tgf_bs_write_u32(bs, p->luminanceMin);\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 334941971191748060422525495038774096659, "size": 20, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237545 }, { "func": "GF_Err gf_isom_box_size(GF_Box *a)\n{\n\tGF_Err e;\n\tif (!a) return GF_BAD_PARAM;\n\tif (a->registry->disabled) {\n\t\ta->size = 0;\n\t\treturn GF_OK;\n\t}\n\te = gf_isom_box_size_listing(a);\n\tif (e) return e;\n\tif (a->other_boxes) {\n\t\te = gf_isom_box_array_size(a, a->other_boxes);\n\t\tif (e) return e;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 17007419130819676404033871135275917731, "size": 16, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224923 }, { "func": "GF_Err gf_isom_add_track_to_root_od(GF_ISOFile *movie, u32 trackNumber)\n{\n\tGF_Err e;\n\tGF_ES_ID_Inc *inc;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\te = gf_isom_insert_moov(movie);\n\tif (e) return e;\n\n\tif (!movie->moov->iods) AddMovieIOD(movie->moov, 0);\n\n\tif (gf_isom_is_track_in_root_od(movie, trackNumber) == 1) return 
GF_OK;\n\n\tinc = (GF_ES_ID_Inc *) gf_odf_desc_new(GF_ODF_ESD_INC_TAG);\n\tinc->trackID = gf_isom_get_track_id(movie, trackNumber);\n\tif (!inc->trackID) {\n\t\tgf_odf_desc_del((GF_Descriptor *)inc);\n\t\treturn movie->LastError;\n\t}\n\tif ( (movie->LastError = gf_isom_add_desc_to_root_od(movie, (GF_Descriptor *)inc) ) ) {\n\t\treturn movie->LastError;\n\t}\n\tgf_odf_desc_del((GF_Descriptor *)inc);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 90790911132698189025403753314247167700, "size": 26, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267274 }, { "func": "GF_Err btrt_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tGF_BitRateBox *ptr = (GF_BitRateBox *) s;\n\tif (!s) return GF_BAD_PARAM;\n\te = gf_isom_box_write_header(s, bs);\n\tif (e) return e;\n\tgf_bs_write_u32(bs, ptr->bufferSizeDB);\n\tgf_bs_write_u32(bs, ptr->maxBitrate);\n\tgf_bs_write_u32(bs, ptr->avgBitrate);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 30116868032961776686366448208931510040, "size": 12, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237589 }, { "func": "static GF_Err CheckNoData(GF_ISOFile *movie)\n{\n\tif (movie->openMode != GF_ISOM_OPEN_WRITE) return GF_OK;\n\tif (gf_bs_get_position(movie->editFileMap->bs)) return GF_BAD_PARAM;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 64536090007116590678738757916240755807, "size": 6, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267265 }, { "func": "#ifndef GPAC_DISABLE_ISOM_DUMP\n\nGF_Err dump_isom_xml(GF_ISOFile *file, char *inName, Bool is_final_name, Bool do_track_dump, Bool merge_vtt_cues, Bool skip_init, Bool skip_samples)\n{\n\tGF_Err e;\n\tFILE *dump = stdout;\n\tBool do_close=GF_FALSE;\n\tif (!file) return GF_ISOM_INVALID_FILE;\n\n\tif (inName) {\n\t\tchar 
szBuf[1024];\n\t\tstrcpy(szBuf, inName);\n\t\tif (!is_final_name) {\n\t\t\tstrcat(szBuf, do_track_dump ? \"_dump.xml\" : \"_info.xml\");\n\t\t}\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Failed to open %s\\n\", szBuf));\n\t\t\treturn GF_IO_ERR;\n\t\t}\n\t\tdo_close=GF_TRUE;\n\t}\n\n\tfprintf(dump, \"\\n\");\n\tif (do_track_dump) {\n\t\tfprintf(dump, \"\\n\");\n\t}\n\te = gf_isom_dump(file, dump, skip_init, skip_samples);\n\tif (e) {\n\t\tM4_LOG(GF_LOG_ERROR, (\"Error dumping ISO structure\\n\"));\n\t}\n\n\tif (do_track_dump) {\n#ifndef GPAC_DISABLE_MEDIA_EXPORT\n\t\tu32 i;\n\t\t//because of dump mode we need to reopen in regular read mode to avoid mem leaks\n\t\tGF_ISOFile *the_file = gf_isom_open(gf_isom_get_filename(file), GF_ISOM_OPEN_READ, NULL);\n\t\tu32 tcount = gf_isom_get_track_count(the_file);\n\t\tfprintf(dump, \"\\n\");\n\n\t\tfor (i=0; i\\n\", name, trackID);\n\n#ifndef GPAC_DISABLE_ISOM_HINTING\n\t\t\t\tu32 j, scount=gf_isom_get_sample_count(the_file, i+1);\n\t\t\t\tfor (j=0; j\\n\", name);\n\t\t\t\tfmt_handled = GF_TRUE;\n#endif /*GPAC_DISABLE_ISOM_HINTING*/\n\t\t\t}\n\t\t\telse if (gf_isom_get_avc_svc_type(the_file, i+1, 1) || gf_isom_get_hevc_lhvc_type(the_file, i+1, 1)) {\n\t\t\t\tdump_isom_nal_ex(the_file, trackID, dump, GF_FALSE);\n\t\t\t\tfmt_handled = GF_TRUE;\n\t\t\t} else if ((mtype==GF_ISOM_MEDIA_TEXT) || (mtype==GF_ISOM_MEDIA_SUBT) ) {\n\n\t\t\t\tif (msubtype==GF_ISOM_SUBTYPE_WVTT) {\n\t\t\t\t\tgf_webvtt_dump_iso_track(&dumper, i+1, merge_vtt_cues, GF_TRUE);\n\t\t\t\t\tfmt_handled = GF_TRUE;\n\t\t\t\t} else if ((msubtype==GF_ISOM_SUBTYPE_TX3G) || (msubtype==GF_ISOM_SUBTYPE_TEXT)) {\n\t\t\t\t\tgf_isom_text_dump(the_file, i+1, dump, GF_TEXTDUMPTYPE_TTXT_BOXES);\n\t\t\t\t\tfmt_handled = GF_TRUE;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (!fmt_handled) {\n\t\t\t\tdumper.flags = GF_EXPORT_NHML | GF_EXPORT_NHML_FULL;\n\t\t\t\tdumper.print_stats_graph = 
fs_dump_flags;\n\t\t\t\tgf_media_export(&dumper);\n\t\t\t}\n\t\t}\n#else\n\t\treturn GF_NOT_SUPPORTED;\n#endif /*GPAC_DISABLE_MEDIA_EXPORT*/\n\t\tgf_isom_delete(the_file);\n\t\tfprintf(dump, \"\\n\");\n\t\tfprintf(dump, \"\\n\");\n\t}\n\tif (do_close) gf_fclose(dump);", "project": "gpac", "hash": 262543833230432403258562990561582811925, "size": 101, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243206 }, { "func": "#ifndef GPAC_DISABLE_ISOM_DUMP\n\nGF_Err dump_isom_xml(GF_ISOFile *file, char *inName, Bool is_final_name, Bool do_track_dump, Bool merge_vtt_cues, Bool skip_init, Bool skip_samples)\n{\n\tGF_Err e;\n\tFILE *dump = stdout;\n\tBool do_close=GF_FALSE;\n\tif (!file) return GF_ISOM_INVALID_FILE;\n\n\tif (inName) {\n\t\tchar szBuf[1024];\n\t\tstrcpy(szBuf, inName);\n\t\tif (!is_final_name) {\n\t\t\tstrcat(szBuf, do_track_dump ? \"_dump.xml\" : \"_info.xml\");\n\t\t}\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tfprintf(stderr, \"Failed to open %s\\n\", szBuf);\n\t\t\treturn GF_IO_ERR;\n\t\t}\n\t\tdo_close=GF_TRUE;\n\t}\n\n\tfprintf(dump, \"\\n\");\n\tif (do_track_dump) {\n\t\tfprintf(dump, \"\\n\");\n\t}\n\te = gf_isom_dump(file, dump, skip_init, skip_samples);\n\tif (e) {\n\t\tfprintf(stderr, \"Error dumping ISO structure\\n\");\n\t}\n\n\tif (do_track_dump) {\n#ifndef GPAC_DISABLE_MEDIA_EXPORT\n\t\tu32 i;\n\t\t//because of dump mode we need to reopen in regular read mode to avoid mem leaks\n\t\tGF_ISOFile *the_file = gf_isom_open(gf_isom_get_filename(file), GF_ISOM_OPEN_READ, NULL);\n\t\tu32 tcount = gf_isom_get_track_count(the_file);\n\t\tfprintf(dump, \"\\n\");\n\n\t\tfor (i=0; i\\n\", name, trackID);\n\n#ifndef GPAC_DISABLE_ISOM_HINTING\n\t\t\t\tu32 j, scount=gf_isom_get_sample_count(the_file, i+1);\n\t\t\t\tfor (j=0; j\\n\", name);\n\t\t\t\tfmt_handled = GF_TRUE;\n#endif /*GPAC_DISABLE_ISOM_HINTING*/\n\t\t\t}\n\t\t\telse if 
(gf_isom_get_avc_svc_type(the_file, i+1, 1) || gf_isom_get_hevc_lhvc_type(the_file, i+1, 1)) {\n\t\t\t\tdump_isom_nal_ex(the_file, trackID, dump, GF_FALSE);\n\t\t\t\tfmt_handled = GF_TRUE;\n\t\t\t} else if ((mtype==GF_ISOM_MEDIA_TEXT) || (mtype==GF_ISOM_MEDIA_SUBT) ) {\n\n\t\t\t\tif (msubtype==GF_ISOM_SUBTYPE_WVTT) {\n\t\t\t\t\tgf_webvtt_dump_iso_track(&dumper, i+1, merge_vtt_cues, GF_TRUE);\n\t\t\t\t\tfmt_handled = GF_TRUE;\n\t\t\t\t} else if ((msubtype==GF_ISOM_SUBTYPE_TX3G) || (msubtype==GF_ISOM_SUBTYPE_TEXT)) {\n\t\t\t\t\tgf_isom_text_dump(the_file, i+1, dump, GF_TEXTDUMPTYPE_TTXT_BOXES);\n\t\t\t\t\tfmt_handled = GF_TRUE;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (!fmt_handled) {\n\t\t\t\tdumper.flags = GF_EXPORT_NHML | GF_EXPORT_NHML_FULL;\n\t\t\t\tdumper.print_stats_graph = fs_dump_flags;\n\t\t\t\tgf_media_export(&dumper);\n\t\t\t}\n\t\t}\n#else\n\t\treturn GF_NOT_SUPPORTED;\n#endif /*GPAC_DISABLE_MEDIA_EXPORT*/\n\t\tgf_isom_delete(the_file);\n\t\tfprintf(dump, \"\\n\");\n\t\tfprintf(dump, \"\\n\");\n\t}\n\tif (do_close) gf_fclose(dump);", "project": "gpac", "hash": 10498700346510789356547647587275730283, "size": 101, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249546 }, { "func": "void gf_isom_disable_odf_conversion(GF_ISOFile *movie, Bool disable)\n{\n\tif (movie) movie->disable_odf_translate = disable;\n}", "project": "gpac", "hash": 309255118134356208608837839662803401025, "size": 4, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246796 }, { "func": "}\n\nstatic void revert_cache_file(char *item_path)\n{\n\tchar szPATH[GF_MAX_PATH];\n\tconst char *url;\n\tGF_Config *cached;\n\n\tif (!strstr(item_path, \"gpac_cache_\")) {\n\t\tfprintf(stderr, \"%s is not a gpac cache file\\n\", item_path);\n\t\treturn;\n\t}\n\tif (!strncmp(item_path, \"./\", 2) || !strncmp(item_path, \".\\\\\", 2))\n\t\t\titem_path += 
2;\n\n \tstrcpy(szPATH, item_path);\n\tstrcat(szPATH, \".txt\");\n\n\tcached = gf_cfg_new(NULL, szPATH);\n\turl = gf_cfg_get_key(cached, \"cache\", \"url\");\n\tif (url) url = strstr(url, \"://\");\n\tif (url) {\n\t\tu32 i, len, dir_len=0, k=0;\n\t\tchar *sep;\n\t\tchar *dst_name;\n\t\tsep = strstr(item_path, \"gpac_cache_\");\n\t\tif (sep) {\n\t\t\tsep[0] = 0;\n\t\t\tdir_len = (u32) strlen(item_path);\n\t\t\tsep[0] = 'g';\n\t\t}\n\t\turl+=3;\n\t\tlen = (u32) strlen(url);\n\t\tdst_name = gf_malloc(len+dir_len+1);\n\t\tmemset(dst_name, 0, len+dir_len+1);\n\n\t\tstrncpy(dst_name, item_path, dir_len);\n\t\tk=dir_len;\n\t\tfor (i=0; ientries);\n\tfor (i=0; ientries, i);\n\t\tif (ent->shadowedSampleNumber == sampleNumber) {\n\t\t\tent->syncSampleNumber = syncSample;\n\t\t\treturn GF_OK;\n\t\t}\n\t\tif (ent->shadowedSampleNumber > sampleNumber) break;\n\t}\n\t//we need a new one...\n\tent = (GF_StshEntry*)gf_malloc(sizeof(GF_StshEntry));\n\tif (!ent) return GF_OUT_OF_MEM;\n\tent->shadowedSampleNumber = sampleNumber;\n\tent->syncSampleNumber = syncSample;\n\t//insert or append ?\n\tif (i == gf_list_count(stsh->entries)) {\n\t\t//don't update the cache ...\n\t\treturn gf_list_add(stsh->entries, ent);\n\t} else {\n\t\t//update the cache\n\t\tstsh->r_LastEntryIndex = i;\n\t\tstsh->r_LastFoundSample = sampleNumber;\n\t\treturn gf_list_insert(stsh->entries, ent, i);\n\t}\n}", "project": "gpac", "hash": 115296164924325312781571535323509592773, "size": 30, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267906 }, { "func": "Bool gf_isom_cenc_has_saiz_saio_traf(GF_TrackFragmentBox *traf, u32 scheme_type)\n{\n\treturn gf_isom_cenc_has_saiz_saio_full(NULL, traf, scheme_type);\n}", "project": "gpac", "hash": 166188374588391651641514705851374702948, "size": 4, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275429 }, { "func": 
"Bool gf_isom_get_edit_list_type(GF_ISOFile *the_file, u32 trackNumber, s64 *mediaOffset)\n{\n\tGF_EdtsEntry *ent;\n\tGF_TrackBox *trak;\n\tu32 count;\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_FALSE;\n\t*mediaOffset = 0;\n\tif (!trak->editBox || !trak->editBox->editList) return GF_FALSE;\n\n\tcount = gf_list_count(trak->editBox->editList->entryList);\n\tent = (GF_EdtsEntry*)gf_list_get(trak->editBox->editList->entryList, 0);\n\tif (!ent) return GF_TRUE;\n\t/*mediaRate>0, the track playback shall start at media time>0 -> mediaOffset is < 0 */\n\tif ((count==1) && (ent->mediaRate == 0x10000)) {\n\t\t*mediaOffset = - ent->mediaTime;\n\t\treturn GF_FALSE;\n\t} else if (count==2) {\n\t\t/*mediaRate==-1, the track playback shall be empty for segmentDuration -> mediaOffset is > 0 */\n\t\tif ((ent->mediaRate == -0x10000) || (ent->mediaTime==-1)) {\n\t\t\tDouble time = (Double) ent->segmentDuration;\n\t\t\ttime /= trak->moov->mvhd->timeScale;\n\t\t\ttime *= trak->Media->mediaHeader->timeScale;\n\t\t\t*mediaOffset = (s64) time;\n\n\t\t\t//check next entry, if we start from mediaOffset > 0 this may still result in a skip\n\t\t\tent = (GF_EdtsEntry*)gf_list_get(trak->editBox->editList->entryList, 1);\n\t\t\t//next entry playback rate is not nominal, we need edit list handling\n\t\t\tif (ent->mediaRate != 0x10000)\n\t\t\t\treturn GF_TRUE;\n\n\t\t\tif (ent->mediaTime > 0) {\n\t\t\t\t*mediaOffset -= ent->mediaTime;\n\t\t\t}\n\t\t\treturn GF_FALSE;\n\t\t}\n\t}\n\treturn GF_TRUE;\n}", "project": "gpac", "hash": 218989015188411005277436111843924769301, "size": 39, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246792 }, { "func": "GF_Err gf_isom_add_chapter(GF_ISOFile *movie, u32 trackNumber, u64 timestamp, char *name)\n{\n\tGF_Err e;\n\tGF_ChapterListBox *ptr;\n\tu32 i, count;\n\tGF_ChapterEntry *ce;\n\tGF_UserDataBox *udta;\n\tGF_UserDataMap *map;\n\n\te = 
CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\te = gf_isom_insert_moov(movie);\n\tif (e) return e;\n\n\tif (trackNumber) {\n\t\tGF_TrackBox *trak = gf_isom_get_track_from_file(movie, trackNumber);\n\t\tif (!trak) return GF_BAD_PARAM;\n\t\tif (!trak->udta) {\n\t\t\te = trak_on_child_box((GF_Box*)trak, gf_isom_box_new_parent(&trak->child_boxes, GF_ISOM_BOX_TYPE_UDTA), GF_FALSE);\n\t\t\tif (e) return e;\n\t\t}\n\t\tudta = trak->udta;\n\t} else {\n\t\tif (!movie->moov->udta) {\n\t\t\te = moov_on_child_box((GF_Box*)movie->moov, gf_isom_box_new_parent(&movie->moov->child_boxes, GF_ISOM_BOX_TYPE_UDTA), GF_FALSE);\n\t\t\tif (e) return e;\n\t\t}\n\t\tudta = movie->moov->udta;\n\t}\n\n\tptr = NULL;\n\tmap = udta_getEntry(udta, GF_ISOM_BOX_TYPE_CHPL, NULL);\n\tif (!map) {\n\t\tptr = (GF_ChapterListBox *)gf_isom_box_new(GF_ISOM_BOX_TYPE_CHPL);\n\t\te = udta_on_child_box((GF_Box *)udta, (GF_Box *) ptr, GF_FALSE);\n\t\tif (e) return e;\n\t\tmap = udta_getEntry(udta, GF_ISOM_BOX_TYPE_CHPL, NULL);\n\t} else {\n\t\tptr = (GF_ChapterListBox*)gf_list_get(map->boxes, 0);\n\t}\n\tif (!map) return GF_OUT_OF_MEM;\n\n\t/*this may happen if original MP4 is not properly formatted*/\n\tif (!ptr) {\n\t\tptr = (GF_ChapterListBox *)gf_isom_box_new(GF_ISOM_BOX_TYPE_CHPL);\n\t\tif (!ptr) return GF_OUT_OF_MEM;\n\t\tgf_list_add(map->boxes, ptr);\n\t}\n\n\tGF_SAFEALLOC(ce, GF_ChapterEntry);\n\tif (!ce) return GF_OUT_OF_MEM;\n\n\tce->start_time = timestamp * 10000L;\n\tce->name = name ? 
gf_strdup(name) : NULL;\n\n\t/*insert in order*/\n\tcount = gf_list_count(ptr->list);\n\tfor (i=0; ilist, i);\n\t\tif (ace->start_time == ce->start_time) {\n\t\t\tif (ace->name) gf_free(ace->name);\n\t\t\tace->name = ce->name;\n\t\t\tgf_free(ce);\n\t\t\treturn GF_OK;\n\t\t}\n\t\tif (ace->start_time >= ce->start_time)\n\t\t\treturn gf_list_insert(ptr->list, ce, i);\n\t}\n\treturn gf_list_add(ptr->list, ce);\n}", "project": "gpac", "hash": 40341050803342345793065181687244368794, "size": 71, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267202 }, { "func": "Bool gf_isom_is_adobe_protection_media(GF_ISOFile *the_file, u32 trackNumber, u32 sampleDescriptionIndex)\n{\n\tGF_TrackBox *trak;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_FALSE;\n\n\tsinf = isom_get_sinf_entry(trak, sampleDescriptionIndex, GF_ISOM_ADOBE_SCHEME, NULL);\n\n\tif (!sinf) return GF_FALSE;\n\n\t/*non-encrypted or non-ADOBE*/\n\tif (!sinf->info || !sinf->info->adkm)\n\t\treturn GF_FALSE;\n\n\treturn GF_TRUE;\n}", "project": "gpac", "hash": 92485721768477342809847562103170987015, "size": 18, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275399 }, { "func": "GF_Err stbl_AppendChunk(GF_SampleTableBox *stbl, u64 offset)\n{\n\tGF_ChunkOffsetBox *stco;\n\tGF_ChunkLargeOffsetBox *co64;\n\tu32 i;\n\t\n\t//we may have to convert the table...\n\tif (stbl->ChunkOffset->type==GF_ISOM_BOX_TYPE_STCO) {\n\t\tstco = (GF_ChunkOffsetBox *)stbl->ChunkOffset;\n\n\t\tif (offset>0xFFFFFFFF) {\n\t\t\tco64 = (GF_ChunkLargeOffsetBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_CO64);\n\t\t\tif (!co64) return GF_OUT_OF_MEM;\n\t\t\tco64->nb_entries = stco->nb_entries + 1;\n\t\t\tif (co64->nb_entries<=stco->nb_entries) return GF_OUT_OF_MEM;\n\t\t\tco64->alloc_size = 
co64->nb_entries;\n\t\t\tco64->offsets = (u64*)gf_malloc(sizeof(u64) * co64->nb_entries);\n\t\t\tif (!co64->offsets) return GF_OUT_OF_MEM;\n\t\t\tfor (i=0; inb_entries; i++) co64->offsets[i] = stco->offsets[i];\n\t\t\tco64->offsets[i] = offset;\n\t\t\tgf_isom_box_del_parent(&stbl->child_boxes, stbl->ChunkOffset);\n\t\t\tstbl->ChunkOffset = (GF_Box *) co64;\n\t\t\treturn GF_OK;\n\t\t}\n\t\t//we're fine\n\t\tstco->alloc_size = stco->nb_entries + 1;\n\t\tif (stco->alloc_size < stco->nb_entries + 1) return GF_OUT_OF_MEM;\n\t\tstco->offsets = gf_realloc(stco->offsets, sizeof(u32)*stco->alloc_size);\n\t\tif (!stco->offsets) return GF_OUT_OF_MEM;\n\t\tstco->offsets[stco->nb_entries] = (u32) offset;\n\t\tstco->nb_entries += 1;\n\t\treturn GF_OK;\n\t}\n\n\tco64 = (GF_ChunkLargeOffsetBox *)stbl->ChunkOffset;\n\tco64->alloc_size = co64->nb_entries+1;\n\tif (co64->alloc_size < co64->nb_entries + 1) return GF_OUT_OF_MEM;\n\n\tco64->offsets = gf_realloc(co64->offsets, sizeof(u64)*co64->alloc_size);\n\tif (!co64->offsets) return GF_OUT_OF_MEM;\n\tco64->offsets[co64->nb_entries] = offset;\n\tco64->alloc_size = co64->nb_entries;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 204650862204909821745477024178141216742, "size": 44, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267879 }, { "func": "GF_Err gf_isom_update_sample(GF_ISOFile *movie, u32 trackNumber, u32 sampleNumber, GF_ISOSample *sample, Bool data_only)\n{\n\tGF_Err e;\n\tGF_TrackBox *trak;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_EDIT);\n\tif (e) return e;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\te = unpack_track(trak);\n\tif (e) return e;\n\n\t//block for hint tracks\n\tif (trak->Media->handler->handlerType == GF_ISOM_MEDIA_HINT) return GF_BAD_PARAM;\n\n\t//REWRITE ANY OD STUFF\n\tif (trak->Media->handler->handlerType == GF_ISOM_MEDIA_OD) {\n\t\tGF_ISOSample *od_sample = 
NULL;\n\t\te = Media_ParseODFrame(trak->Media, sample, &od_sample);\n\t\tif (!e) e = Media_UpdateSample(trak->Media, sampleNumber, od_sample, data_only);\n\t\tif (od_sample) gf_isom_sample_del(&od_sample);\n\t} else {\n\t\te = Media_UpdateSample(trak->Media, sampleNumber, sample, data_only);\n\t}\n\tif (e) return e;\n\tif (!movie->keep_utc)\n\t\ttrak->Media->mediaHeader->modificationTime = gf_isom_get_mp4time();\n\n\tgf_isom_disable_inplace_rewrite(movie);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 82559204070410568083281336452424249523, "size": 33, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267219 }, { "func": "static Bool PrintHelpArg(char *arg_name, u32 search_type, GF_FilterSession *fs)\n{\n\tBool first=GF_TRUE;\n\tGF_GPACArg an_arg;\n\tu32 i, count;\n\tu32 res = 0;\n\tu32 alen = (u32) strlen(arg_name);\n\tres += PrintHelpForArgs(arg_name, m4b_gen_args, search_type);\n\tres += PrintHelpForArgs(arg_name, m4b_dash_args, search_type);\n\tres += PrintHelpForArgs(arg_name, m4b_imp_args, search_type);\n\tres += PrintHelpForArgs(arg_name, ImportFileOpts, search_type);\n\tres += PrintHelpForArgs(arg_name, m4b_senc_args, search_type);\n\tres += PrintHelpForArgs(arg_name, m4b_crypt_args, search_type);\n\tres += PrintHelpForArgs(arg_name, m4b_hint_args, search_type);\n\tres += PrintHelpForArgs(arg_name, m4b_extr_args, search_type);\n\tres += PrintHelpForArgs(arg_name, m4b_dump_args, search_type);\n\tres += PrintHelpForArgs(arg_name, m4b_meta_args, search_type);\n\tres += PrintHelpForArgs(arg_name, m4b_swf_args, search_type);\n\tres += PrintHelpForArgs(arg_name, m4b_liveenc_args, search_type);\n\tres += PrintHelpForArgs(arg_name, m4b_usage_args, search_type);\n\tres += PrintHelpForArgs(arg_name, (GF_GPACArg *) gf_sys_get_options(), search_type);\n\n\tif (!fs) return res;\n\n\tmemset(&an_arg, 0, sizeof(GF_GPACArg));\n\tcount = gf_fs_filters_registers_count(fs);\n\tfor (i=0; iargs) 
{\n\t\t\tu32 len;\n\t\t\tconst GF_FilterArgs *arg = ®->args[j];\n\t\t\tif (!arg || !arg->arg_name) break;\n\t\t\tj++;\n\t\t\tif ((search_type==SEARCH_ARG_EXACT) && strcmp(arg->arg_name, arg_name)) continue;\n\n\t\t\tif ((search_type==SEARCH_ARG_CLOSE) && !gf_sys_word_match(arg->arg_name, arg_name)) continue;\n\n\t\t\tif (search_type==SEARCH_DESC) {\n\t\t\t\tif (!strstr_nocase(arg->arg_desc, arg_name, alen)) continue;\n\t\t\t}\n\n\t\t\tan_arg.name = arg->arg_name;\n\t\t\tif (search_type==SEARCH_ARG_EXACT) {\n\t\t\t\tan_arg.description = arg->arg_desc;\n\t\t\t\tswitch (arg->arg_type) {\n\t\t\t\tcase GF_PROP_BOOL:\n\t\t\t\t\tan_arg.type = GF_ARG_BOOL;\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_PROP_UINT:\n\t\t\t\tcase GF_PROP_SINT:\n\t\t\t\t\tan_arg.type = GF_ARG_INT;\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_PROP_DOUBLE:\n\t\t\t\t\tan_arg.type = GF_ARG_DOUBLE;\n\t\t\t\t\tbreak;\n\t\t\t\tcase GF_PROP_STRING_LIST:\n\t\t\t\tcase GF_PROP_UINT_LIST:\n\t\t\t\t\tan_arg.type = GF_ARG_STRINGS;\n\t\t\t\t\tbreak;\n\t\t\t\tdefault:\n\t\t\t\t\tan_arg.type = GF_ARG_STRING;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tif (first) {\n\t\t\t\t\tfirst = GF_FALSE;\n\t\t\t\t\tgf_sys_format_help(helpout, 0, \"\\nGlobal filter session arguments. Syntax is `--arg` or `--arg=VAL`. `[F]` indicates filter name. 
See `gpac -h` and `gpac -h F` for more info.\\n\");\n\t\t\t\t}\n\t\t\t\tfprintf(helpout, \"[%s]\", reg->name);\n\t\t\t\tlen = (u32)strlen(reg->name);\n\t\t\t\twhile (len<10) {\n\t\t\t\t\tlen++;\n\t\t\t\t\tfprintf(helpout, \" \");\n\t\t\t\t}\n\t\t\t\tfprintf(helpout, \" \");\n\t\t\t}\n\n\t\t\tgf_sys_print_arg(helpout, GF_PRINTARG_ADD_DASH, &an_arg, \"TEST\");\n\t\t\tres++;\n\t\t}\n\t}\n\tif (res) return GF_TRUE;\n\treturn GF_FALSE;\n}", "project": "gpac", "hash": 27237556382884765027335650959181181200, "size": 85, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244391 }, { "func": "void PrintSWFUsage()\n{\n\tu32 i=0;\n\tgf_sys_format_help(helpout, help_flags, \"# SWF Importer Options\\n\"\n\t \"\\n\"\n\t \"MP4Box can import simple Macromedia Flash files (\\\".SWF\\\")\\n\"\n\t \"You can specify a SWF input file with \\'-bt\\', \\'-xmt\\' and \\'-mp4\\' options\\n\"\n\t \" \\n\"\n\t \"Options:\\n\"\n\t);\n\twhile (m4b_swf_args[i].name) {\n\t\tGF_GPACArg *arg = &m4b_swf_args[i];\n\t\ti++;\n\t\tgf_sys_print_arg(helpout, help_flags, arg, \"mp4box-extract\");\n\t}\n}", "project": "gpac", "hash": 219979715598298373313616418947906450901, "size": 16, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244388 }, { "func": "GF_Err gf_hinter_track_finalize(GF_RTPHinter *tkHint, Bool AddSystemInfo)\n{\n\tu32 Width, Height;\n\tGF_ESD *esd;\n\tchar sdpLine[20000];\n\tchar mediaName[30], payloadName[30];\n u32 mtype;\n\n\tWidth = Height = 0;\n\tgf_isom_sdp_clean_track(tkHint->file, tkHint->TrackNum);\n mtype = gf_isom_get_media_type(tkHint->file, tkHint->TrackNum);\n if (gf_isom_is_video_handler_type(mtype))\n\t\tgf_isom_get_visual_info(tkHint->file, tkHint->TrackNum, 1, &Width, &Height);\n\n\tgf_rtp_builder_get_payload_name(tkHint->rtp_p, payloadName, mediaName);\n\n\t/*TODO- extract out of rtp_p for future live 
tools*/\n\tsprintf(sdpLine, \"m=%s 0 RTP/%s %d\", mediaName, tkHint->rtp_p->slMap.IV_length ? \"SAVP\" : \"AVP\", tkHint->rtp_p->PayloadType);\n\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\tif (tkHint->bandwidth) {\n\t\tsprintf(sdpLine, \"b=AS:%d\", tkHint->bandwidth);\n\t\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\t}\n\tif (tkHint->nb_chan) {\n\t\tsprintf(sdpLine, \"a=rtpmap:%d %s/%d/%d\", tkHint->rtp_p->PayloadType, payloadName, tkHint->rtp_p->sl_config.timestampResolution, tkHint->nb_chan);\n\t} else {\n\t\tsprintf(sdpLine, \"a=rtpmap:%d %s/%d\", tkHint->rtp_p->PayloadType, payloadName, tkHint->rtp_p->sl_config.timestampResolution);\n\t}\n\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\t/*control for MPEG-4*/\n\tif (AddSystemInfo) {\n\t\tsprintf(sdpLine, \"a=mpeg4-esid:%d\", gf_isom_get_track_id(tkHint->file, tkHint->TrackNum));\n\t\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\t}\n\t/*control for QTSS/DSS*/\n\tsprintf(sdpLine, \"a=control:trackID=%d\", gf_isom_get_track_id(tkHint->file, tkHint->HintTrack));\n\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\n\t/*H263 extensions*/\n\tif (tkHint->rtp_p->rtp_payt == GF_RTP_PAYT_H263) {\n\t\tsprintf(sdpLine, \"a=cliprect:0,0,%d,%d\", Height, Width);\n\t\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\t}\n\t/*AMR*/\n\telse if ((tkHint->rtp_p->rtp_payt == GF_RTP_PAYT_AMR) || (tkHint->rtp_p->rtp_payt == GF_RTP_PAYT_AMR_WB)) {\n\t\tsprintf(sdpLine, \"a=fmtp:%d octet-align=1\", tkHint->rtp_p->PayloadType);\n\t\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\t}\n\t/*Text*/\n\telse if (tkHint->rtp_p->rtp_payt == GF_RTP_PAYT_3GPP_TEXT) {\n\t\tu32 w, h, i, m_w, m_h;\n\t\ts32 tx, ty;\n\t\ts16 l;\n\n\t\tgf_isom_get_track_layout_info(tkHint->file, tkHint->TrackNum, &w, &h, &tx, &ty, &l);\n\t\tm_w = w;\n\t\tm_h = h;\n\t\tfor (i=0; ifile); i++) 
{\n\t\t\tswitch (gf_isom_get_media_type(tkHint->file, i+1)) {\n\t\t\tcase GF_ISOM_MEDIA_SCENE:\n\t\t\tcase GF_ISOM_MEDIA_VISUAL:\n\t\t\tcase GF_ISOM_MEDIA_AUXV:\n\t\t\tcase GF_ISOM_MEDIA_PICT:\n\t\t\t\tgf_isom_get_track_layout_info(tkHint->file, i+1, &w, &h, &tx, &ty, &l);\n\t\t\t\tif (w>m_w) m_w = w;\n\t\t\t\tif (h>m_h) m_h = h;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\tgf_media_format_ttxt_sdp(tkHint->rtp_p, payloadName, sdpLine, w, h, tx, ty, l, m_w, m_h, NULL);\n\n\t\tstrcat(sdpLine, \"; tx3g=\");\n\t\tfor (i=0; ifile, tkHint->TrackNum); i++) {\n\t\t\tu8 *tx3g;\n\t\t\tchar buffer[2000];\n\t\t\tu32 tx3g_len, len;\n\t\t\tgf_isom_text_get_encoded_tx3g(tkHint->file, tkHint->TrackNum, i+1, GF_RTP_TX3G_SIDX_OFFSET, &tx3g, &tx3g_len);\n\t\t\tlen = gf_base64_encode(tx3g, tx3g_len, buffer, 2000);\n\t\t\tgf_free(tx3g);\n\t\t\tbuffer[len] = 0;\n\t\t\tif (i) strcat(sdpLine, \", \");\n\t\t\tstrcat(sdpLine, buffer);\n\t\t}\n\t\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\t}\n\t/*EVRC/SMV in non header-free mode*/\n\telse if ((tkHint->rtp_p->rtp_payt == GF_RTP_PAYT_EVRC_SMV) && (tkHint->rtp_p->auh_size>1)) {\n\t\tsprintf(sdpLine, \"a=fmtp:%d maxptime=%d\", tkHint->rtp_p->PayloadType, tkHint->rtp_p->auh_size*20);\n\t\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\t}\n\t/*H264/AVC*/\n\telse if ((tkHint->rtp_p->rtp_payt == GF_RTP_PAYT_H264_AVC) || (tkHint->rtp_p->rtp_payt == GF_RTP_PAYT_H264_SVC)) {\n\t\tGF_AVCConfig *avcc = gf_isom_avc_config_get(tkHint->file, tkHint->TrackNum, 1);\n\t\tGF_AVCConfig *svcc = gf_isom_svc_config_get(tkHint->file, tkHint->TrackNum, 1);\n\t\t/*TODO - check syntax for SVC (might be some extra signaling)*/\n\n\t\tif (avcc) {\n\t\t\tsprintf(sdpLine, \"a=fmtp:%d profile-level-id=%02X%02X%02X; packetization-mode=1\", tkHint->rtp_p->PayloadType, avcc->AVCProfileIndication, avcc->profile_compatibility, avcc->AVCLevelIndication);\n\t\t} else {\n\t\t\tsprintf(sdpLine, 
\"a=fmtp:%d profile-level-id=%02X%02X%02X; packetization-mode=1\", tkHint->rtp_p->PayloadType, svcc->AVCProfileIndication, svcc->profile_compatibility, svcc->AVCLevelIndication);\n\t\t}\n\n\t\twrite_avc_config(sdpLine, avcc, svcc);\n\n\t\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\t\tgf_odf_avc_cfg_del(avcc);\n\t\tgf_odf_avc_cfg_del(svcc);\n\t}\n\t/*MPEG-4 decoder config*/\n\telse if (tkHint->rtp_p->rtp_payt==GF_RTP_PAYT_MPEG4) {\n\t\tesd = gf_isom_get_esd(tkHint->file, tkHint->TrackNum, 1);\n\n\t\tif (esd && esd->decoderConfig && esd->decoderConfig->decoderSpecificInfo && esd->decoderConfig->decoderSpecificInfo->data) {\n\t\t\tgf_rtp_builder_format_sdp(tkHint->rtp_p, payloadName, sdpLine, esd->decoderConfig->decoderSpecificInfo->data, esd->decoderConfig->decoderSpecificInfo->dataLength);\n\t\t} else {\n\t\t\tgf_rtp_builder_format_sdp(tkHint->rtp_p, payloadName, sdpLine, NULL, 0);\n\t\t}\n\t\tif (esd) gf_odf_desc_del((GF_Descriptor *)esd);\n\n\t\tif (tkHint->rtp_p->slMap.IV_length) {\n\t\t\tconst char *kms;\n\t\t\tgf_isom_get_ismacryp_info(tkHint->file, tkHint->TrackNum, 1, NULL, NULL, NULL, NULL, &kms, NULL, NULL, NULL);\n\t\t\tif (!strnicmp(kms, \"(key)\", 5) || !strnicmp(kms, \"(ipmp)\", 6) || !strnicmp(kms, \"(uri)\", 5)) {\n\t\t\t\tstrcat(sdpLine, \"; ISMACrypKey=\");\n\t\t\t} else {\n\t\t\t\tstrcat(sdpLine, \"; ISMACrypKey=(uri)\");\n\t\t\t}\n\t\t\tstrcat(sdpLine, kms);\n\t\t}\n\n\t\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\t}\n\t/*MPEG-4 Audio LATM*/\n\telse if (tkHint->rtp_p->rtp_payt==GF_RTP_PAYT_LATM) {\n\t\tGF_BitStream *bs;\n\t\tu8 *config_bytes;\n\t\tu32 config_size;\n\n\t\t/* form config string */\n\t\tbs = gf_bs_new(NULL, 32, GF_BITSTREAM_WRITE);\n\t\tgf_bs_write_int(bs, 0, 1); /* AudioMuxVersion */\n\t\tgf_bs_write_int(bs, 1, 1); /* all streams same time */\n\t\tgf_bs_write_int(bs, 0, 6); /* numSubFrames */\n\t\tgf_bs_write_int(bs, 0, 4); /* numPrograms */\n\t\tgf_bs_write_int(bs, 0, 3); /* 
numLayer */\n\n\t\t/* audio-specific config */\n\t\tesd = gf_isom_get_esd(tkHint->file, tkHint->TrackNum, 1);\n\t\tif (esd && esd->decoderConfig && esd->decoderConfig->decoderSpecificInfo) {\n\t\t\t/*PacketVideo patch: don't signal SBR and PS stuff, not allowed in LATM with audioMuxVersion=0*/\n\t\t\tgf_bs_write_data(bs, esd->decoderConfig->decoderSpecificInfo->data, MIN(esd->decoderConfig->decoderSpecificInfo->dataLength, 2) );\n\t\t}\n\t\tif (esd) gf_odf_desc_del((GF_Descriptor *)esd);\n\n\t\t/* other data */\n\t\tgf_bs_write_int(bs, 0, 3); /* frameLengthType */\n\t\tgf_bs_write_int(bs, 0xff, 8); /* latmBufferFullness */\n\t\tgf_bs_write_int(bs, 0, 1); /* otherDataPresent */\n\t\tgf_bs_write_int(bs, 0, 1); /* crcCheckPresent */\n\t\tgf_bs_get_content(bs, &config_bytes, &config_size);\n\t\tgf_bs_del(bs);\n\n\t\tgf_rtp_builder_format_sdp(tkHint->rtp_p, payloadName, sdpLine, config_bytes, config_size);\n\t\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\t\tgf_free(config_bytes);\n\t}\n#if GPAC_ENABLE_3GPP_DIMS_RTP\n\t/*3GPP DIMS*/\n\telse if (tkHint->rtp_p->rtp_payt==GF_RTP_PAYT_3GPP_DIMS) {\n\t\tGF_DIMSDescription dims;\n\t\tgf_isom_get_visual_info(tkHint->file, tkHint->TrackNum, 1, &Width, &Height);\n\n\t\tgf_isom_get_dims_description(tkHint->file, tkHint->TrackNum, 1, &dims);\n\t\tsprintf(sdpLine, \"a=fmtp:%d Version-profile=%d\", tkHint->rtp_p->PayloadType, dims.profile);\n\t\tif (! 
dims.fullRequestHost) {\n\t\t\tchar fmt[200];\n\t\t\tstrcat(sdpLine, \";useFullRequestHost=0\");\n\t\t\tsprintf(fmt, \";pathComponents=%d\", dims.pathComponents);\n\t\t\tstrcat(sdpLine, fmt);\n\t\t}\n\t\tif (!dims.streamType) strcat(sdpLine, \";stream-type=secondary\");\n\t\tif (dims.containsRedundant == 1) strcat(sdpLine, \";contains-redundant=main\");\n\t\telse if (dims.containsRedundant == 2) strcat(sdpLine, \";contains-redundant=redundant\");\n\n\t\tif (dims.textEncoding && strlen(dims.textEncoding)) {\n\t\t\tstrcat(sdpLine, \";text-encoding=\");\n\t\t\tstrcat(sdpLine, dims.textEncoding);\n\t\t}\n\t\tif (dims.contentEncoding && strlen(dims.contentEncoding)) {\n\t\t\tstrcat(sdpLine, \";content-coding=\");\n\t\t\tstrcat(sdpLine, dims.contentEncoding);\n\t\t}\n\t\tif (dims.contentEncoding && dims.content_script_types && strlen(dims.content_script_types) ) {\n\t\t\tstrcat(sdpLine, \";content-script-types=\");\n\t\t\tstrcat(sdpLine, dims.contentEncoding);\n\t\t}\n\t\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\t}\n#endif\n\t/*extensions for some mobile phones*/\n\tif (Width && Height) {\n\t\tsprintf(sdpLine, \"a=framesize:%d %d-%d\", tkHint->rtp_p->PayloadType, Width, Height);\n\t\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\t}\n\n\tesd = gf_isom_get_esd(tkHint->file, tkHint->TrackNum, 1);\n\tif (esd && esd->decoderConfig && (esd->decoderConfig->rvc_config || esd->decoderConfig->predefined_rvc_config)) {\n\t\tif (esd->decoderConfig->predefined_rvc_config) {\n\t\t\tsprintf(sdpLine, \"a=rvc-config-predef:%d\", esd->decoderConfig->predefined_rvc_config);\n\t\t} else {\n\t\t\t/*temporary ...*/\n\t\t\tif ((esd->decoderConfig->objectTypeIndication==GF_CODECID_AVC) || (esd->decoderConfig->objectTypeIndication==GF_CODECID_SVC)) {\n\t\t\t\tsprintf(sdpLine, \"a=rvc-config:%s\", \"http://download.tsi.telecom-paristech.fr/gpac/RVC/rvc_config_avc.xml\");\n\t\t\t} else {\n\t\t\t\tsprintf(sdpLine, \"a=rvc-config:%s\", 
\"http://download.tsi.telecom-paristech.fr/gpac/RVC/rvc_config_sp.xml\");\n\t\t\t}\n\t\t}\n\t\tgf_isom_sdp_add_track_line(tkHint->file, tkHint->HintTrack, sdpLine);\n\t}\n\tif (esd) gf_odf_desc_del((GF_Descriptor *)esd);\n\n\tgf_isom_set_track_enabled(tkHint->file, tkHint->HintTrack, GF_TRUE);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 116182023075832739556517645068926223912, "size": 227, "commit_id": "a4eb327049132359cae54b59faec9e2f14c5a619", "message": "fixed #1660", "target": 1, "dataset": "other", "idx": 197725 }, { "func": "GF_Err Media_UpdateSample(GF_MediaBox *mdia, u32 sampleNumber, GF_ISOSample *sample, Bool data_only)\n{\n\tGF_Err e;\n\tu32 drefIndex, chunkNum, descIndex;\n\tu64 newOffset, DTS;\n\tGF_DataEntryURLBox *Dentry;\n\tGF_SampleTableBox *stbl;\n\n\tif (!mdia || !sample || !sampleNumber || !mdia->mediaTrack->moov->mov->editFileMap)\n\t\treturn GF_BAD_PARAM;\n\n\tstbl = mdia->information->sampleTable;\n\n\tif (!data_only) {\n\t\t//check we have the sampe dts\n\t\te = stbl_GetSampleDTS(stbl->TimeToSample, sampleNumber, &DTS);\n\t\tif (e) return e;\n\t\tif (DTS != sample->DTS) return GF_BAD_PARAM;\n\t}\n\n\t//get our infos\n\tstbl_GetSampleInfos(stbl, sampleNumber, &newOffset, &chunkNum, &descIndex, NULL);\n\n\t//then check the data ref\n\te = Media_GetSampleDesc(mdia, descIndex, NULL, &drefIndex);\n\tif (e) return e;\n\tDentry = (GF_DataEntryURLBox*)gf_list_get(mdia->information->dataInformation->dref->child_boxes, drefIndex - 1);\n\tif (!Dentry) return GF_ISOM_INVALID_FILE;\n\n\tif (Dentry->flags != 1) return GF_BAD_PARAM;\n\n\t//MEDIA DATA EDIT: write this new sample to the edit temp file\n\tnewOffset = gf_isom_datamap_get_offset(mdia->mediaTrack->moov->mov->editFileMap);\n\tif (sample->dataLength) {\n\t\te = gf_isom_datamap_add_data(mdia->mediaTrack->moov->mov->editFileMap, sample->data, sample->dataLength);\n\t\tif (e) return e;\n\t}\n\n\tif (data_only) {\n\t\tstbl_SetSampleSize(stbl->SampleSize, sampleNumber, 
sample->dataLength);\n\t\treturn stbl_SetChunkOffset(mdia, sampleNumber, newOffset);\n\t}\n\treturn UpdateSample(mdia, sampleNumber, sample->dataLength, sample->CTS_Offset, newOffset, sample->IsRAP);\n}", "project": "gpac", "hash": 180369596394530716700344837541340450291, "size": 44, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231613 }, { "func": "GF_Err gf_isom_parse_root_box(GF_Box **outBox, GF_BitStream *bs, u64 *bytesExpected, Bool progressive_mode)\n{\n\tGF_Err ret;\n\tu64 start;\n\tstart = gf_bs_get_position(bs);\n\tret = gf_isom_box_parse_ex(outBox, bs, 0, GF_TRUE);\n\tif (ret == GF_ISOM_INCOMPLETE_FILE) {\n\t\tif (!*outBox) {\n\t\t\t// We could not even read the box size, we at least need 8 bytes\n\t\t\t*bytesExpected = 8;\n\t\t\tGF_LOG(progressive_mode ? GF_LOG_DEBUG : GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Incomplete box - start \"LLU\"\\n\", start));\n\t\t}\n\t\telse {\n\t\t\tu32 type = (*outBox)->type;\n\t\t\tif (type==GF_ISOM_BOX_TYPE_UNKNOWN)\n\t\t\t\ttype = ((GF_UnknownBox *) (*outBox))->original_4cc;\n\n\t\t\t*bytesExpected = (*outBox)->size;\n\t\t\tGF_LOG(progressive_mode ? 
GF_LOG_DEBUG : GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Incomplete box %s - start \"LLU\" size \"LLU\"\\n\", gf_4cc_to_str(type), start, (*outBox)->size));\n\t\t\tgf_isom_box_del(*outBox);\n\t\t\t*outBox = NULL;\n\t\t}\n\t\tgf_bs_seek(bs, start);\n\t}\n\treturn ret;\n}", "project": "gpac", "hash": 161617048411909912353470078993593702052, "size": 26, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224903 }, { "func": "GF_Err stbl_AppendDependencyType(GF_SampleTableBox *stbl, u32 isLeading, u32 dependsOn, u32 dependedOn, u32 redundant)\n{\n\tGF_SampleDependencyTypeBox *sdtp;\n\tu32 flags;\n\tif (stbl->SampleDep == NULL) {\n\t\tstbl->SampleDep = (GF_SampleDependencyTypeBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_SDTP);\n\t\tif (!stbl->SampleDep) return GF_OUT_OF_MEM;\n\t}\n\tsdtp = stbl->SampleDep;\n\n\tflags = 0;\n\tflags |= isLeading << 6;\n\tflags |= dependsOn << 4;\n\tflags |= dependedOn << 2;\n\tflags |= redundant;\n\n\tif (sdtp->sampleCount >= sdtp->sample_alloc) {\n\t\tALLOC_INC(sdtp->sample_alloc);\n\t\tif (sdtp->sampleCount >= sdtp->sample_alloc) sdtp->sample_alloc = sdtp->sampleCount+1;\n\t\tsdtp->sample_info = (u8*) gf_realloc(sdtp->sample_info, sizeof(u8) * sdtp->sample_alloc);\n\t\tif (!sdtp->sample_info) return GF_OUT_OF_MEM;\n\t}\n\tsdtp->sample_info[sdtp->sampleCount] = flags;\n\tsdtp->sampleCount ++;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 265230314458990845055633216756292927471, "size": 26, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267876 }, { "func": "void gf_isom_ismacryp_delete_sample(GF_ISMASample *samp)\n{\n\tif (!samp) return;\n\tif (samp->data && samp->dataLength) gf_free(samp->data);\n\tif (samp->key_indicator) gf_free(samp->key_indicator);\n\tgf_free(samp);\n}", "project": "gpac", "hash": 
197286740461525998072104659438335977420, "size": 7, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275443 }, { "func": "GF_Err stbl_AppendPadding(GF_SampleTableBox *stbl, u8 padding)\n{\n\tif (!stbl->PaddingBits) {\n\t\tstbl->PaddingBits = (GF_PaddingBitsBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_PADB);\n\t\tif (!stbl->PaddingBits) return GF_OUT_OF_MEM;\n\t}\n\tstbl->PaddingBits->padbits = (u8*)gf_realloc(stbl->PaddingBits->padbits, sizeof(u8) * stbl->SampleSize->sampleCount);\n\tif (!stbl->PaddingBits->padbits) return GF_OUT_OF_MEM;\n\tstbl->PaddingBits->padbits[stbl->SampleSize->sampleCount-1] = padding;\n\tstbl->PaddingBits->SampleCount = stbl->SampleSize->sampleCount;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 21685779084877401983504177791480551062, "size": 12, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267897 }, { "func": "static GF_Err gf_isom_set_ctts_v0(GF_ISOFile *file, GF_TrackBox *trak)\n{\n\tu32 i;\n\ts32 shift;\n\tGF_CompositionOffsetBox *ctts;\n\tGF_CompositionToDecodeBox *cslg;\n\n\tctts = trak->Media->information->sampleTable->CompositionOffset;\n\n\tif (!trak->Media->information->sampleTable->CompositionToDecode)\n\t{\n\t\tshift = 0;\n\t\tfor (i=0; inb_entries; i++) {\n\t\t\tif (-ctts->entries[i].decodingOffset > shift)\n\t\t\t\tshift = -ctts->entries[i].decodingOffset;\n\t\t}\n\t\tif (shift > 0)\n\t\t{\n\t\t\tfor (i=0; inb_entries; i++) {\n\t\t\t\tctts->entries[i].decodingOffset += shift;\n\t\t\t}\n\t\t}\n\t}\n\telse\n\t{\n\t\tcslg = trak->Media->information->sampleTable->CompositionToDecode;\n\t\tshift = cslg->compositionToDTSShift;\n\t\tfor (i=0; inb_entries; i++) {\n\t\t\tctts->entries[i].decodingOffset += shift;\n\t\t}\n\t\tgf_isom_box_del_parent(&trak->Media->information->sampleTable->child_boxes, (GF_Box 
*)cslg);\n\t\ttrak->Media->information->sampleTable->CompositionToDecode = NULL;\n\t}\n\tif (shift>0) {\n\t\t//no edits, insert one\n\t\tif (! trak->editBox) {\n\t\t\tu64 dur = trak->Media->mediaHeader->duration;\n\t\t\tdur *= file->moov->mvhd->timeScale;\n\t\t\tdur /= trak->Media->mediaHeader->timeScale;\n\t\t\tgf_isom_set_edit(file, gf_list_find(file->moov->trackList, trak)+1, 0, dur, shift, GF_ISOM_EDIT_NORMAL);\n\t\t} else {\n\t\t\t//otherwise shift media times in all entries\n\t\t\tfor (i=0; ieditBox->editList->entryList); i++) {\n\t\t\t\tGF_EdtsEntry *ent = (GF_EdtsEntry*)gf_list_get(trak->editBox->editList->entryList, i);\n\t\t\t\t//empty edit\n\t\t\t\tif (ent->mediaTime<0) continue;\n\t\t\t\tent->mediaTime += shift;\n\t\t\t}\n\t\t\tSetTrackDuration(trak);\n\t\t}\n\t}\n\tctts->version = 0;\n\tgf_isom_modify_alternate_brand(file, GF_ISOM_BRAND_ISO4, GF_FALSE);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 60866874836201742280604048906886859152, "size": 55, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267302 }, { "func": "GF_Err stbl_RemoveDTS(GF_SampleTableBox *stbl, u32 sampleNumber, u32 nb_samples, u32 LastAUDefDuration)\n{\n\tGF_SttsEntry *ent;\n\tGF_TimeToSampleBox *stts;\n\n\tif ((nb_samples>1) && (sampleNumber>1)) return GF_BAD_PARAM;\n\n\tstts = stbl->TimeToSample;\n\n\t//we're removing the only sample: empty the sample table\n\tif (stbl->SampleSize->sampleCount == 1) {\n\t\tstts->nb_entries = 0;\n\t\tstts->r_FirstSampleInEntry = stts->r_currentEntryIndex = 0;\n\t\tstts->r_CurrentDTS = 0;\n\t\treturn GF_OK;\n\t}\n\t//we're removing the last sample\n\tif ((nb_samples==1) && (sampleNumber == stbl->SampleSize->sampleCount)) {\n\t\tent = &stts->entries[stts->nb_entries-1];\n\t\tent->sampleCount--;\n\t\tif (!ent->sampleCount) stts->nb_entries--;\n\t} else {\n\t\tu64 *DTSs, curDTS;\n\t\tu32 i, j, k, sampNum;\n\t\tu32 tot_samples, nb_written=0;\n\t\t//unpack the DTSs...\n\t\tDTSs 
= (u64*)gf_malloc(sizeof(u64) * (stbl->SampleSize->sampleCount - 1));\n\t\tif (!DTSs) return GF_OUT_OF_MEM;\n\t\tmemset(DTSs, 0, sizeof(u64) * (stbl->SampleSize->sampleCount - 1) );\n\n\t\tcurDTS = 0;\n\t\tsampNum = 0;\n\t\tent = NULL;\n\t\tk=0;\n\n\t\tfor (i=0; inb_entries; i++) {\n\t\t\tent = & stts->entries[i];\n\t\t\tfor (j=0; jsampleCount; j++) {\n\t\t\t\tif (nb_samples==1) {\n\t\t\t\t\tif (sampNum == sampleNumber - 1) {\n\t\t\t\t\t\tk=1;\n\t\t\t\t\t} else {\n\t\t\t\t\t\tDTSs[sampNum-k] = curDTS;\n\t\t\t\t\t}\n\t\t\t\t} else if (sampNum >= nb_samples) {\n\t\t\t\t\tDTSs[sampNum - nb_samples] = curDTS;\n\t\t\t\t\tnb_written++;\n\t\t\t\t}\n\t\t\t\tcurDTS += ent->sampleDelta;\n\t\t\t\tsampNum ++;\n\t\t\t}\n\t\t}\n\n\t\tif (nb_samples>1) {\n\t\t\tassert(sampNum == stbl->SampleSize->sampleCount);\n\t\t\tassert(nb_written + nb_samples == stbl->SampleSize->sampleCount);\n\t\t}\n\t\tj=0;\n\n\t\tif (nb_samples==1) {\n\t\t\ttot_samples = stbl->SampleSize->sampleCount - 1;\n\t\t} else {\n\t\t\ttot_samples = stbl->SampleSize->sampleCount - nb_samples;\n\t\t}\n\t\tif (tot_samples) {\n\t\t\tsampNum = 1;\n\t\t\tstts->nb_entries = 1;\n\t\t\tstts->entries[0].sampleCount = 1;\n\t\t\tif (stbl->SampleSize->sampleCount == 2) {\n\t\t\t\tstts->entries[0].sampleDelta = LastAUDefDuration;\n\t\t\t} else {\n\t\t\t\tstts->entries[0].sampleDelta = (u32) DTSs[1] /*- DTSs[0]*/;\n\t\t\t}\n\t\t} else {\n\t\t\tsampNum = 0;\n\t\t\tstts->nb_entries = 0;\n\t\t}\n\n\t\tfor (i=1; ientries[j].sampleCount++;\n\t\t\t\tsampNum ++;\n\t\t\t} else if (DTSs[i+1] - DTSs[i] == stts->entries[j].sampleDelta) {\n\t\t\t\tstts->entries[j].sampleCount += 1;\n\t\t\t\tsampNum ++;\n\t\t\t} else {\n\t\t\t\tstts->nb_entries++;\n\t\t\t\tif (j+1==stts->alloc_size) {\n\t\t\t\t\tstts->alloc_size++;\n\t\t\t\t\tstts->entries = gf_realloc(stts->entries, sizeof(GF_SttsEntry) * stts->alloc_size);\n\t\t\t\t\tif (!stts->entries) return GF_OUT_OF_MEM;\n\t\t\t\t}\n\t\t\t\tj++;\n\t\t\t\tstts->entries[j].sampleCount = 
1;\n\t\t\t\tstts->entries[j].sampleDelta = (u32) (DTSs[i+1] - DTSs[i]);\n\t\t\t\tassert(stts->entries[j].sampleDelta);\n\t\t\t\tsampNum ++;\n\t\t\t}\n\t\t}\n\t\tstts->w_LastDTS = tot_samples ? DTSs[tot_samples - 1] : 0;\n\t\tgf_free(DTSs);\n\t\tassert(sampNum == tot_samples);\n\t\tassert(sampNum + nb_samples == stbl->SampleSize->sampleCount);\n\t}\n\n\t//reset write the cache to the end\n\tstts->w_currentSampleNum = stbl->SampleSize->sampleCount - nb_samples;\n\t//reset read the cache to the beginning\n\tstts->r_FirstSampleInEntry = stts->r_currentEntryIndex = 0;\n\tstts->r_CurrentDTS = 0;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 267586949684466304489387096806346439132, "size": 113, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267896 }, { "func": "GF_Err gf_isom_lhvc_config_update(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex, GF_HEVCConfig *cfg, GF_ISOMLHEVCTrackType track_type)\n{\n\tif (cfg) cfg->is_lhvc = GF_TRUE;\n\tswitch (track_type) {\n\tcase GF_ISOM_LEHVC_ONLY:\n\t\treturn gf_isom_hevc_config_update_ex(the_file, trackNumber, DescriptionIndex, cfg, GF_ISOM_HVCC_SET_LHVC, GF_FALSE);\n\tcase GF_ISOM_LEHVC_WITH_BASE:\n\t\treturn gf_isom_hevc_config_update_ex(the_file, trackNumber, DescriptionIndex, cfg, GF_ISOM_HVCC_SET_LHVC_WITH_BASE, GF_FALSE);\n\tcase GF_ISOM_LEHVC_WITH_BASE_BACKWARD:\n\t\treturn gf_isom_hevc_config_update_ex(the_file, trackNumber, DescriptionIndex, cfg, GF_ISOM_HVCC_SET_LHVC_WITH_BASE_BACKWARD, GF_FALSE);\n\tcase GF_ISOM_HEVC_TILE_BASE:\n\t\treturn gf_isom_hevc_config_update_ex(the_file, trackNumber, DescriptionIndex, cfg, GF_ISOM_HVCC_SET_HEVC_TILE_BASE, GF_FALSE);\n\tdefault:\n\t\treturn GF_BAD_PARAM;\n\t}\n}", "project": "gpac", "hash": 48073094552787626554415365056164060465, "size": 16, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237576 }, { 
"func": "GF_Err av1c_box_write(GF_Box *s, GF_BitStream *bs) {\n\tGF_Err e;\n\tGF_AV1ConfigurationBox *ptr = (GF_AV1ConfigurationBox*)s;\n\tif (!s) return GF_BAD_PARAM;\n\tif (!ptr->config) return GF_BAD_PARAM;\n\te = gf_isom_box_write_header(s, bs);\n\tif (e) return e;\n\n\treturn gf_odf_av1_cfg_write_bs(ptr->config, bs);\n}", "project": "gpac", "hash": 221995799776810365175777837934576821627, "size": 10, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237615 }, { "func": "\n\nvoid dump_isom_timed_text(GF_ISOFile *file, GF_ISOTrackID trackID, char *inName, Bool is_final_name, Bool is_convert, GF_TextDumpType dump_type)\n{\n\tFILE *dump;\n\tGF_Err e;\n\tu32 track;\n\n\ttrack = gf_isom_get_track_by_id(file, trackID);\n\tif (!track) {\n\t\tM4_LOG(GF_LOG_ERROR, (\"Cannot find track ID %d\\n\", trackID));\n\t\treturn;\n\t}\n\n\tswitch (gf_isom_get_media_type(file, track)) {\n\tcase GF_ISOM_MEDIA_TEXT:\n\tcase GF_ISOM_MEDIA_SUBT:\n\t\tbreak;\n\tdefault:\n\t\tM4_LOG(GF_LOG_ERROR, (\"Track ID %d is not a 3GPP text track\\n\", trackID));\n\t\treturn;\n\t}\n\n\tif (inName) {\n\t\tchar szBuf[1024];\n\t\tchar *ext;\n\t\text = ((dump_type==GF_TEXTDUMPTYPE_SVG) ? \"svg\" : ((dump_type==GF_TEXTDUMPTYPE_SRT) ? 
\"srt\" : \"ttxt\"));\n\t\tif (is_final_name) {\n\t\t\tstrcpy(szBuf, inName) ;\n\t\t} else if (is_convert)\n\t\t\tsprintf(szBuf, \"%s.%s\", inName, ext) ;\n\t\telse\n\t\t\tsprintf(szBuf, \"%s_%d_text.%s\", inName, trackID, ext);\n\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tM4_LOG(GF_LOG_ERROR, (\"Failed to open %s for dumping\\n\", szBuf));\n\t\t\treturn;\n\t\t}\n\t} else {\n\t\tdump = stdout;\n\t}\n\te = gf_isom_text_dump(file, track, dump, dump_type);\n\tif (inName) gf_fclose(dump);\n\n\tif (e) {\n\t\tM4_LOG(GF_LOG_ERROR, (\"Conversion failed (%s)\\n\", gf_error_to_string(e)));\n\t} else {\n\t\tfprintf(stderr, \"Conversion done\\n\");", "project": "gpac", "hash": 228645553036662118718809945379988987271, "size": 49, "commit_id": "289ffce3e0d224d314f5f92a744d5fe35999f20b", "message": "fixed #1767 (fuzz)", "target": 0, "dataset": "other", "idx": 243212 }, { "func": "\n\nvoid dump_isom_timed_text(GF_ISOFile *file, GF_ISOTrackID trackID, char *inName, Bool is_final_name, Bool is_convert, GF_TextDumpType dump_type)\n{\n\tFILE *dump;\n\tGF_Err e;\n\tu32 track;\n\n\ttrack = gf_isom_get_track_by_id(file, trackID);\n\tif (!track) {\n\t\tfprintf(stderr, \"Cannot find track ID %d\\n\", trackID);\n\t\treturn;\n\t}\n\n\tswitch (gf_isom_get_media_type(file, track)) {\n\tcase GF_ISOM_MEDIA_TEXT:\n\tcase GF_ISOM_MEDIA_SUBT:\n\t\tbreak;\n\tdefault:\n\t\tfprintf(stderr, \"Track ID %d is not a 3GPP text track\\n\", trackID);\n\t\treturn;\n\t}\n\n\tif (inName) {\n\t\tchar szBuf[1024];\n\t\tchar *ext;\n\t\text = ((dump_type==GF_TEXTDUMPTYPE_SVG) ? \"svg\" : ((dump_type==GF_TEXTDUMPTYPE_SRT) ? 
\"srt\" : \"ttxt\"));\n\t\tif (is_final_name) {\n\t\t\tstrcpy(szBuf, inName) ;\n\t\t} else if (is_convert)\n\t\t\tsprintf(szBuf, \"%s.%s\", inName, ext) ;\n\t\telse\n\t\t\tsprintf(szBuf, \"%s_%d_text.%s\", inName, trackID, ext);\n\n\t\tdump = gf_fopen(szBuf, \"wt\");\n\t\tif (!dump) {\n\t\t\tfprintf(stderr, \"Failed to open %s for dumping\\n\", szBuf);\n\t\t\treturn;\n\t\t}\n\t} else {\n\t\tdump = stdout;\n\t}\n\te = gf_isom_text_dump(file, track, dump, dump_type);\n\tif (inName) gf_fclose(dump);\n\n\tif (e) fprintf(stderr, \"Conversion failed (%s)\\n\", gf_error_to_string(e));", "project": "gpac", "hash": 309495399283331097370271135802145345378, "size": 46, "commit_id": "ce01bd15f711d4575b7424b54b3a395ec64c1784", "message": "fixed #1566", "target": 0, "dataset": "other", "idx": 249550 }, { "func": "void VP9_RewriteESDescriptorEx(GF_MPEGVisualSampleEntryBox *vp9, GF_MediaBox *mdia)\n{\n\tGF_BitRateBox *btrt = gf_isom_sample_entry_get_bitrate((GF_SampleEntryBox *)vp9, GF_FALSE);\n\n\tif (vp9->emul_esd) gf_odf_desc_del((GF_Descriptor *)vp9->emul_esd);\n\tvp9->emul_esd = gf_odf_desc_esd_new(2);\n\tvp9->emul_esd->decoderConfig->streamType = GF_STREAM_VISUAL;\n\tif (vp9->type == GF_ISOM_BOX_TYPE_VP08)\n\t\tvp9->emul_esd->decoderConfig->objectTypeIndication = GF_CODECID_VP8;\n\telse\n\t\tvp9->emul_esd->decoderConfig->objectTypeIndication = GF_CODECID_VP9;\n\n\tif (btrt) {\n\t\tvp9->emul_esd->decoderConfig->bufferSizeDB = btrt->bufferSizeDB;\n\t\tvp9->emul_esd->decoderConfig->avgBitrate = btrt->avgBitrate;\n\t\tvp9->emul_esd->decoderConfig->maxBitrate = btrt->maxBitrate;\n\t}\n\n\tif (vp9->vp_config) {\n\t\tGF_VPConfig *vp9_cfg = VP_DuplicateConfig(vp9->vp_config->config);\n\t\tif (vp9_cfg) {\n\t\t\tgf_odf_vp_cfg_write(vp9_cfg, &vp9->emul_esd->decoderConfig->decoderSpecificInfo->data, &vp9->emul_esd->decoderConfig->decoderSpecificInfo->dataLength, GF_FALSE);\n\t\t\tgf_odf_vp_cfg_del(vp9_cfg);\n\t\t}\n\t}\n}", "project": "gpac", "hash": 
269666144530337842999280126138905930526, "size": 26, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237624 }, { "func": "void gf_isom_box_array_del(GF_List *other_boxes)\n{\n\tu32 count, i;\n\tGF_Box *a;\n\tif (!other_boxes) return;\n\tcount = gf_list_count(other_boxes);\n\tfor (i = 0; i < count; i++) {\n\t\ta = (GF_Box *)gf_list_get(other_boxes, i);\n\t\tif (a) gf_isom_box_del(a);\n\t}\n\tgf_list_del(other_boxes);\n}", "project": "gpac", "hash": 164827501513280452869070111610966419702, "size": 12, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224899 }, { "func": "GF_Err gf_isom_set_last_sample_duration(GF_ISOFile *movie, u32 trackNumber, u32 duration)\n{\n\treturn gf_isom_set_last_sample_duration_internal(movie, trackNumber, duration, 0, 0);\n}", "project": "gpac", "hash": 91414190179536382178572680732943467629, "size": 4, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267176 }, { "func": "GF_Err gf_isom_clone_movie(GF_ISOFile *orig_file, GF_ISOFile *dest_file, Bool clone_tracks, Bool keep_hint_tracks, Bool keep_pssh)\n{\n\tGF_Err e;\n\tu32 i;\n\tGF_Box *box;\n\n\te = CanAccessMovie(dest_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\tif (orig_file->brand) {\n\t\tgf_list_del_item(dest_file->TopBoxes, dest_file->brand);\n\t\tgf_isom_box_del((GF_Box *)dest_file->brand);\n\t\tdest_file->brand = NULL;\n\t\tgf_isom_clone_box((GF_Box *)orig_file->brand, (GF_Box **)&dest_file->brand);\n\t\tif (dest_file->brand) gf_list_add(dest_file->TopBoxes, dest_file->brand);\n\t}\n\n\tif (orig_file->meta) {\n\t\tgf_list_del_item(dest_file->TopBoxes, dest_file->meta);\n\t\tgf_isom_box_del((GF_Box *)dest_file->meta);\n\t\tdest_file->meta = NULL;\n\t\t/*fixme - check imports*/\n\t\tgf_isom_clone_box((GF_Box *)orig_file->meta, 
(GF_Box **)&dest_file->meta);\n\t\tif (dest_file->meta) gf_list_add(dest_file->TopBoxes, dest_file->meta);\n\t}\n\tif (orig_file->moov) {\n\t\tu32 i, dstTrack;\n\t\tGF_Box *iods;\n\t\tGF_List *tracks = gf_list_new();\n\t\tGF_List *old_tracks = orig_file->moov->trackList;\n\t\torig_file->moov->trackList = tracks;\n\t\tiods = (GF_Box*)orig_file->moov->iods;\n\t\torig_file->moov->iods = NULL;\n\t\te = gf_isom_clone_box((GF_Box *)orig_file->moov, (GF_Box **)&dest_file->moov);\n\t\tif (e) {\n\t\t\tgf_list_del(tracks);\n\t\t\torig_file->moov->trackList = old_tracks;\n\t\t\treturn e;\n\t\t}\n\t\torig_file->moov->trackList = old_tracks;\n\t\tgf_list_del(tracks);\n\t\torig_file->moov->iods = (GF_ObjectDescriptorBox*)iods;\n\t\tgf_list_add(dest_file->TopBoxes, dest_file->moov);\n\n#ifndef GPAC_DISABLE_ISOM_FRAGMENTS\n\t\tif (dest_file->moov->mvex) {\n\t\t\tgf_isom_box_del_parent(&dest_file->moov->child_boxes, (GF_Box *)dest_file->moov->mvex);\n\t\t\tdest_file->moov->mvex = NULL;\n\t\t}\n#endif\n\n\t\tif (clone_tracks) {\n\t\t\tfor (i=0; imoov->trackList); i++) {\n\t\t\t\tGF_TrackBox *trak = (GF_TrackBox*)gf_list_get( orig_file->moov->trackList, i);\n\t\t\t\tif (!trak) continue;\n\t\t\t\tif (keep_hint_tracks || (trak->Media->handler->handlerType != GF_ISOM_MEDIA_HINT)) {\n\t\t\t\t\te = gf_isom_clone_track(orig_file, i+1, dest_file, 0, &dstTrack);\n\t\t\t\t\tif (e) return e;\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (iods)\n\t\t\t\tgf_isom_clone_box((GF_Box *)orig_file->moov->iods, (GF_Box **)dest_file->moov->iods);\n\t\t} else {\n\t\t\tdest_file->moov->mvhd->nextTrackID = 1;\n\t\t\tgf_isom_clone_pl_indications(orig_file, dest_file);\n\t\t}\n\t\tdest_file->moov->mov = dest_file;\n\t}\n\n\tif (!keep_pssh) {\n\t\ti=0;\n\t\twhile ((box = (GF_Box*)gf_list_get(dest_file->moov->child_boxes, i++))) {\n\t\t\tif (box->type == GF_ISOM_BOX_TYPE_PSSH) {\n\t\t\t\ti--;\n\t\t\t\tgf_isom_box_del_parent(&dest_file->moov->child_boxes, box);\n\t\t\t}\n\t\t}\n\t}\n\n\t//duplicate other boxes\n\ti=0;\n\twhile 
((box = (GF_Box*)gf_list_get(orig_file->TopBoxes, i++))) {\n\t\tswitch(box->type) {\n\t\tcase GF_ISOM_BOX_TYPE_MOOV:\n\t\tcase GF_ISOM_BOX_TYPE_META:\n\t\tcase GF_ISOM_BOX_TYPE_MDAT:\n\t\tcase GF_ISOM_BOX_TYPE_FTYP:\n\t\tcase GF_ISOM_BOX_TYPE_PDIN:\n#ifndef\tGPAC_DISABLE_ISOM_FRAGMENTS\n\t\tcase GF_ISOM_BOX_TYPE_STYP:\n\t\tcase GF_ISOM_BOX_TYPE_SIDX:\n\t\tcase GF_ISOM_BOX_TYPE_SSIX:\n\t\tcase GF_ISOM_BOX_TYPE_MOOF:\n#endif\n\t\tcase GF_ISOM_BOX_TYPE_JP:\n\t\t\tbreak;\n\n\t\tcase GF_ISOM_BOX_TYPE_PSSH:\n\t\t\tif (!keep_pssh)\n\t\t\t\tbreak;\n\n\t\tdefault:\n\t\t{\n\t\t\tGF_Box *box2 = NULL;\n\t\t\tgf_isom_clone_box(box, &box2);\n\t\t\tgf_list_add(dest_file->TopBoxes, box2);\n\t\t}\n\t\tbreak;\n\t\t}\n\t}\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 153655645532065057800645286077374079254, "size": 113, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267221 }, { "func": "GF_Err afra_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tunsigned int i;\n\tGF_AdobeFragRandomAccessBox *ptr = (GF_AdobeFragRandomAccessBox *)s;\n\n\te = gf_isom_full_box_write(s, bs);\n\tif (e) return e;\n\n\tgf_bs_write_int(bs, ptr->long_ids, 1);\n\tgf_bs_write_int(bs, ptr->long_offsets, 1);\n\tgf_bs_write_int(bs, ptr->global_entries, 1);\n\tgf_bs_write_int(bs, 0, 5);\n\tgf_bs_write_u32(bs, ptr->time_scale);\n\n\tgf_bs_write_u32(bs, ptr->entry_count);\n\tfor (i=0; ientry_count; i++) {\n\t\tGF_AfraEntry *ae = (GF_AfraEntry *)gf_list_get(ptr->local_access_entries, i);\n\t\tgf_bs_write_u64(bs, ae->time);\n\t\tif (ptr->long_offsets)\n\t\t\tgf_bs_write_u64(bs, ae->offset);\n\t\telse\n\t\t\tgf_bs_write_u32(bs, (u32)ae->offset);\n\t}\n\n\tif (ptr->global_entries) {\n\t\tgf_bs_write_u32(bs, ptr->global_entry_count);\n\t\tfor (i=0; iglobal_entry_count; i++) {\n\t\t\tGF_GlobalAfraEntry *gae = (GF_GlobalAfraEntry *)gf_list_get(ptr->global_access_entries, i);\n\t\t\tgf_bs_write_u64(bs, gae->time);\n\t\t\tif 
(ptr->long_ids) {\n\t\t\t\tgf_bs_write_u32(bs, gae->segment);\n\t\t\t\tgf_bs_write_u32(bs, gae->fragment);\n\t\t\t} else {\n\t\t\t\tgf_bs_write_u16(bs, (u16)gae->segment);\n\t\t\t\tgf_bs_write_u16(bs, (u16)gae->fragment);\n\t\t\t}\n\t\t\tif (ptr->long_offsets) {\n\t\t\t\tgf_bs_write_u64(bs, gae->afra_offset);\n\t\t\t\tgf_bs_write_u64(bs, gae->offset_from_afra);\n\t\t\t} else {\n\t\t\t\tgf_bs_write_u32(bs, (u32)gae->afra_offset);\n\t\t\t\tgf_bs_write_u32(bs, (u32)gae->offset_from_afra);\n\t\t\t}\n\t\t}\n\t}\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 141258262599904027102714073557763690387, "size": 49, "commit_id": "e74be5976a6fee059c638050a237893f7e9a3b23", "message": "fixed #1753", "target": 0, "dataset": "other", "idx": 230594 }, { "func": "void PrintLiveUsage()\n{\n\tu32 i=0;\n\tgf_sys_format_help(helpout, help_flags, \"# Live Scene Encoder Options\\n\"\n\t \"The options shall be specified as òpt_name=opt_val.\\n\"\n\t \"Options:\\n\"\n\t \"\\n\"\n\t);\n\twhile (m4b_liveenc_args[i].name) {\n\t\tGF_GPACArg *arg = &m4b_liveenc_args[i];\n\t\ti++;\n\t\tgf_sys_print_arg(helpout, help_flags, arg, \"mp4box-extract\");\n\t}\n\n\tgf_sys_format_help(helpout, help_flags, \" \\n\"\n\t\t\"Runtime options:\\n\"\n\t\t\"- q: quits\\n\"\n\t\t\"- u: inputs some commands to be sent\\n\"\n\t\t\"- U: same as u but signals the updates as critical\\n\"\n\t\t\"- e: inputs some commands to be sent without being aggregated\\n\"\n\t\t\"- E: same as e but signals the updates as critical\\n\"\n\t\t\"- f: forces RAP sending\\n\"\n\t\t\"- F: forces RAP regeneration and sending\\n\"\n\t\t\"- p: dumps current scene\\n\"\n\t);\n}", "project": "gpac", "hash": 66546332559507308294869708142397542561, "size": 26, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244376 }, { "func": "void PrintGeneralUsage()\n{\n\tu32 i=0;\n\tgf_sys_format_help(helpout, help_flags, \"# General Options\\n\"\n\t\t\"MP4Box is a multimedia 
packager, with a vast number of functionalities: conversion, splitting, hinting, dumping, DASH-ing, encryption and others.\\n\"\n\t\t\"MP4Box provides a large set of options, classified by categories (see [-h]()). These options do not follow any particular ordering.\\n\"\n\t\t\"MP4Box performs in-place rewrite of IsoMedia files (the input file is overwritten). You can change this behaviour by using the [-out]() option.\\n\"\n\t\t\"MP4Box stores by default the file with 0.5 second interleaving and meta-data (`moov`...) at the beginning, making it suitable for HTTP streaming. This may however takes longer to store the file, use [-flat]() to change this behaviour.\\n\"\n\t\t\"MP4Box usually generates a temporary file when creating a new IsoMedia file. The location of this temporary file is OS-dependent, and it may happen that the drive/partition the temporary file is created on has not enough space or no write access. In such a case, you can specify a temporary file location with [-tmp]().\\n\"\n\t\t\"Note: Track operations identify tracks through their ID (usually refered as tkID in the help), not their order.\\n\"\n\t\t\"Option values:\\n\"\n\t\t\"Unless specified otherwise, an option of type `integer` expects a trackID value following it.\"\n\t\t\"An option of type `boolean` expects no following value.\"\n\t\t\" \\n\"\n\t\t\"# File Splitting and Concatenation\\n\"\n\t\t\"MP4Box can split IsoMedia files by size, duration or extract a given part of the file to new IsoMedia file(s). This process requires that at most one track in the input file has non random-access points (typically one video track at most). This process will also ignore all MPEG-4 Systems tracks and hint tracks, but will try to split private media tracks.\\n\"\n\t\t\"Note: The input file must have enough random access points in order to be split. 
This may not be the case with some video files where only the very first sample of the video track is a key frame (many 3GP files with H263 video are recorded that way). In order to split such files you will have to use a real video editor and re-encode the content.\\n\"\n\t\t\"Note: You can add media to a file and split it in the same pass. In this case, the destination file (the one which would be obtained without spliting) will not be stored.\\n\"\n\t\t\" \\n\"\n\t\t\"Options:\\n\"\n\t);\n\n\twhile (m4b_gen_args[i].name) {\n\t\tGF_GPACArg *arg = &m4b_gen_args[i];\n\t\ti++;\n\t\tgf_sys_print_arg(helpout, help_flags, arg, \"mp4box-gen\");\n\t}\n}", "project": "gpac", "hash": 273649953360442590894890983711169616906, "size": 28, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244403 }, { "func": "GF_Err gf_isom_get_track_template(GF_ISOFile *file, u32 track, u8 **output, u32 *output_size)\n{\n\tGF_TrackBox *trak;\n\tGF_BitStream *bs;\n\tGF_DataReferenceBox *dref;\n\tGF_SampleTableBox *stbl, *stbl_temp;\n\tGF_SampleEncryptionBox *senc;\n\tu32 i, count;\n\n\t*output = NULL;\n\t*output_size = 0;\n\t/*get orig sample desc and clone it*/\n\ttrak = gf_isom_get_track_from_file(file, track);\n\tif (!trak || !trak->Media) return GF_BAD_PARAM;\n\n\t//don't serialize dref\n\tdref = NULL;\n\tif (trak->Media->information->dataInformation) {\n\t\tdref = trak->Media->information->dataInformation->dref;\n\t\ttrak->Media->information->dataInformation->dref = NULL;\n\t\tgf_list_del_item(trak->Media->information->dataInformation->child_boxes, dref);\n\t}\n\n\t//don't serialize stbl but create a temp one\n\tstbl_temp = (GF_SampleTableBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_STBL);\n\tif (!stbl_temp->child_boxes) stbl_temp->child_boxes = gf_list_new();\n\tstbl = trak->Media->information->sampleTable;\n\tgf_list_del_item(trak->Media->information->child_boxes, stbl);\n\n\ttrak->Media->information->sampleTable = 
stbl_temp;\n\tgf_list_add(trak->Media->information->child_boxes, stbl_temp);\n\n\t/*do not clone sampleDescription table but create an empty one*/\n\tstbl_temp->SampleDescription = (GF_SampleDescriptionBox *) gf_isom_box_new_parent(&stbl_temp->child_boxes, GF_ISOM_BOX_TYPE_STSD);\n\n\t/*clone sampleGroups description tables if any*/\n\tstbl_temp->sampleGroupsDescription = stbl->sampleGroupsDescription;\n\tcount = gf_list_count(stbl->sampleGroupsDescription);\n\tfor (i=0;isampleGroupsDescription, i);\n\t\tgf_list_add(stbl_temp->child_boxes, b);\n\t}\n\t/*clone CompositionToDecode table, we may remove it later*/\n\tstbl_temp->CompositionToDecode = stbl->CompositionToDecode;\n\tgf_list_add(stbl_temp->child_boxes, stbl->CompositionToDecode);\n\n\n\t//don't serialize senc\n\tsenc = trak->sample_encryption;\n\tif (senc) {\n\t\tassert(trak->child_boxes);\n\t\tgf_list_del_item(trak->child_boxes, senc);\n\t\ttrak->sample_encryption = NULL;\n\t}\n\n\tbs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\n\tgf_isom_box_size( (GF_Box *) trak);\n\tgf_isom_box_write((GF_Box *) trak, bs);\n\tgf_bs_get_content(bs, output, output_size);\n\tgf_bs_del(bs);\n\n\t//restore our pointers\n\tif (dref) {\n\t\ttrak->Media->information->dataInformation->dref = dref;\n\t\tgf_list_add(trak->Media->information->dataInformation->child_boxes, dref);\n\t}\n\ttrak->Media->information->sampleTable = stbl;\n\tgf_list_add(trak->Media->information->child_boxes, stbl);\n\tgf_list_del_item(trak->Media->information->child_boxes, stbl_temp);\n\tif (senc) {\n\t\ttrak->sample_encryption = senc;\n\t\tgf_list_add(trak->child_boxes, senc);\n\t}\n\n\tstbl_temp->sampleGroupsDescription = NULL;\n\tcount = gf_list_count(stbl->sampleGroupsDescription);\n\tfor (i=0;isampleGroupsDescription, i);\n\t\tgf_list_del_item(stbl_temp->child_boxes, b);\n\t}\n\n\tstbl_temp->CompositionToDecode = NULL;\n\tgf_list_del_item(stbl_temp->child_boxes, stbl->CompositionToDecode);\n\tgf_isom_box_del((GF_Box *)stbl_temp);\n\treturn 
GF_OK;\n\n}", "project": "gpac", "hash": 65644457842754377099396620722725193952, "size": 88, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267169 }, { "func": "GF_Err edts_on_child_box(GF_Box *s, GF_Box *a)\n{\n\tGF_EditBox *ptr = (GF_EditBox *)s;\n\tif (a->type == GF_ISOM_BOX_TYPE_ELST) {\n\t\tif (ptr->editList) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->editList = (GF_EditListBox *)a;\n\t\treturn GF_OK;\n\t} else {\n\t\treturn GF_OK;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 260437282425370894841096174390607694100, "size": 12, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264846 }, { "func": "Bool gf_isom_is_nalu_based_entry(GF_MediaBox *mdia, GF_SampleEntryBox *_entry)\n{\n\tGF_MPEGVisualSampleEntryBox *entry;\n\tif (!gf_isom_is_video_handler_type(mdia->handler->handlerType))\n\t\treturn GF_FALSE;\n\tif (!_entry) return GF_FALSE;\n\tentry = (GF_MPEGVisualSampleEntryBox*)_entry;\n\n\tswitch (_entry->type) {\n\tcase GF_ISOM_BOX_TYPE_AVC1:\n\tcase GF_ISOM_BOX_TYPE_AVC2:\n\tcase GF_ISOM_BOX_TYPE_AVC3:\n\tcase GF_ISOM_BOX_TYPE_AVC4:\n\tcase GF_ISOM_BOX_TYPE_SVC1:\n\tcase GF_ISOM_BOX_TYPE_SVC2:\n\tcase GF_ISOM_BOX_TYPE_MVC1:\n\tcase GF_ISOM_BOX_TYPE_MVC2:\n\tcase GF_ISOM_BOX_TYPE_HVC1:\n\tcase GF_ISOM_BOX_TYPE_HEV1:\n\tcase GF_ISOM_BOX_TYPE_HVC2:\n\tcase GF_ISOM_BOX_TYPE_HEV2:\n\tcase GF_ISOM_BOX_TYPE_LHV1:\n\tcase GF_ISOM_BOX_TYPE_LHE1:\n\tcase GF_ISOM_BOX_TYPE_MHV1:\n\tcase GF_ISOM_BOX_TYPE_MHC1:\n\tcase GF_ISOM_BOX_TYPE_HVT1:\n\tcase GF_ISOM_BOX_TYPE_LHT1:\n\t\treturn GF_TRUE;\n\tcase GF_ISOM_BOX_TYPE_GNRV:\n\tcase GF_ISOM_BOX_TYPE_GNRA:\n\tcase GF_ISOM_BOX_TYPE_GNRM:\n\t\treturn GF_FALSE;\n\tdefault:\n\t\tbreak;\n\t}\n\n\tif (!gf_isom_is_video_handler_type(entry->internal_type))\n\t\treturn GF_FALSE;\n\n\tif (entry->avc_config || entry->svc_config || entry->mvc_config || entry->hevc_config || 
entry->lhvc_config) {\n\t\tGF_ProtectionSchemeInfoBox *schi = (GF_ProtectionSchemeInfoBox *) gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_SINF);\n\t\tif (!schi || !schi->scheme_type) return GF_TRUE;\n\t\tswitch (schi->scheme_type->scheme_type) {\n\t\tcase GF_ISOM_CENC_SCHEME:\n\t\tcase GF_ISOM_CBC_SCHEME:\n\t\tcase GF_ISOM_CENS_SCHEME:\n\t\tcase GF_ISOM_CBCS_SCHEME:\n\t\t\treturn GF_TRUE;\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\t}\n\treturn GF_FALSE;\n}", "project": "gpac", "hash": 154468737279496239159103405510487379231, "size": 54, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237645 }, { "func": "static void convert_compact_sample_groups(GF_List *child_boxes, GF_List *sampleGroups)\n{\n\tu32 i;\n\tfor (i=0; itype != GF_ISOM_BOX_TYPE_CSGP) continue;\n\n\t\tgf_list_rem(sampleGroups, i);\n\t\tgf_list_del_item(child_boxes, csgp);\n\n\t\tsbgp = (GF_SampleGroupBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_SBGP);\n\t\tgf_list_insert(sampleGroups, sbgp, i);\n\t\tgf_list_add(child_boxes, sbgp);\n\t\ti--;\n\n\t\tsbgp->grouping_type = csgp->grouping_type;\n\t\tif (csgp->grouping_type_parameter) {\n\t\t\tsbgp->grouping_type_parameter = csgp->grouping_type_parameter;\n\t\t\tsbgp->version = 1;\n\t\t}\n\t\tsbgp->entry_count = 0;\n\t\tfor (j=0; jpattern_count; j++) {\n\t\t\tu32 k=0;\n\t\t\tu32 nb_samples = csgp->patterns[j].sample_count;\n\t\t\t//unroll the pattern\n\t\t\twhile (nb_samples) {\n\t\t\t\tu32 nb_same_index=1;\n\t\t\t\tu32 sg_idx = csgp->patterns[j].sample_group_description_indices[k];\n\t\t\t\twhile (nb_same_index+kpatterns[j].length) {\n\t\t\t\t\tif (csgp->patterns[j].sample_group_description_indices[k+nb_same_index] != sg_idx)\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tnb_same_index++;\n\t\t\t\t}\n\t\t\t\tsbgp->sample_entries = gf_realloc(sbgp->sample_entries, sizeof(GF_SampleGroupEntry) * (sbgp->entry_count+1));\n\t\t\t\tif (nb_same_index>nb_samples)\n\t\t\t\t\tnb_same_index = 
nb_samples;\n\n\t\t\t\tsbgp->sample_entries[sbgp->entry_count].sample_count = nb_same_index;\n\t\t\t\tsbgp->sample_entries[sbgp->entry_count].group_description_index = sg_idx;\n\t\t\t\tnb_samples -= nb_same_index;\n\t\t\t\tsbgp->entry_count++;\n\t\t\t\tk+= nb_same_index;\n\t\t\t\tif (k==csgp->patterns[j].length)\n\t\t\t\t\tk = 0;\n\t\t\t}\n\t\t}\n\t}\n}", "project": "gpac", "hash": 81083494890701829171588532334120016278, "size": 50, "commit_id": "fe5155cf047252d1c4cb91602048bfa682af0ea7", "message": "fixed #1783 (fuzz)", "target": 0, "dataset": "other", "idx": 271712 }, { "func": "GF_Err dinf_on_child_box(GF_Box *s, GF_Box *a)\n{\n\tGF_DataInformationBox *ptr = (GF_DataInformationBox *)s;\n\tswitch(a->type) {\n\tcase GF_ISOM_BOX_TYPE_DREF:\n\t\tif (ptr->dref) ERROR_ON_DUPLICATED_BOX(a, ptr)\n\t\tptr->dref = (GF_DataReferenceBox *)a;\n\t\treturn GF_OK;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 230249799059745223043345397059623269557, "size": 11, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264797 }, { "func": "GF_Err gf_isom_set_track_switch_parameter(GF_ISOFile *movie, u32 trackNumber, u32 trackRefGroup, Bool is_switch_group, u32 *switchGroupID, u32 *criteriaList, u32 criteriaListCount)\n{\n\tGF_TrackSelectionBox *tsel;\n\tGF_TrackBox *trak;\n\tGF_UserDataMap *map;\n\tGF_Err e;\n\tu32 alternateGroupID = 0;\n\tu32 next_switch_group_id = 0;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak || !switchGroupID) return GF_BAD_PARAM;\n\n\n\tif (trackRefGroup) {\n\t\tGF_TrackBox *trak_ref = gf_isom_get_track_from_file(movie, trackRefGroup);\n\t\tif (trak_ref != trak) {\n\t\t\tif (!trak_ref || !trak_ref->Header->alternate_group) {\n\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"Track %d has not an alternate group - skipping\\n\", trak_ref ? 
trak_ref->Header->trackID : 0));\n\t\t\t\treturn GF_BAD_PARAM;\n\t\t\t}\n\t\t\talternateGroupID = trak_ref->Header->alternate_group;\n\t\t} else {\n\t\t\talternateGroupID = trak->Header->alternate_group;\n\t\t}\n\t}\n\tif (!alternateGroupID) {\n\t\t/*there is a function for this ....*/\n\t\tif (trak->Header->alternate_group) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"Track %d has already an alternate group - skipping\\n\", trak->Header->trackID));\n\t\t\treturn GF_BAD_PARAM;\n\t\t}\n\t\talternateGroupID = gf_isom_get_next_alternate_group_id(movie);\n\t}\n\n\tif (is_switch_group) {\n\t\tu32 i=0;\n\t\twhile (i< gf_isom_get_track_count(movie) ) {\n\t\t\t//locate first available ID\n\t\t\tGF_TrackBox *a_trak = gf_isom_get_track_from_file(movie, i+1);\n\n\t\t\tif (a_trak->udta) {\n\t\t\t\tu32 j, count;\n\t\t\t\tmap = udta_getEntry(a_trak->udta, GF_ISOM_BOX_TYPE_TSEL, NULL);\n\t\t\t\tif (map) {\n\t\t\t\t\tcount = gf_list_count(map->boxes);\n\t\t\t\t\tfor (j=0; jboxes, j);\n\n\t\t\t\t\t\tif (*switchGroupID) {\n\t\t\t\t\t\t\tif (tsel->switchGroup==next_switch_group_id) {\n\t\t\t\t\t\t\t\tif (a_trak->Header->alternate_group != alternateGroupID) return GF_BAD_PARAM;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tif (tsel->switchGroup && (tsel->switchGroup>=next_switch_group_id) )\n\t\t\t\t\t\t\t\tnext_switch_group_id = tsel->switchGroup;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t}\n\t\t\ti++;\n\t\t}\n\t\tif (! 
*switchGroupID) *switchGroupID = next_switch_group_id+1;\n\t}\n\n\n\ttrak->Header->alternate_group = alternateGroupID;\n\n\ttsel = NULL;\n\tif (*switchGroupID) {\n\t\tif (!trak->udta) {\n\t\t\te = trak_on_child_box((GF_Box*)trak, gf_isom_box_new_parent(&trak->child_boxes, GF_ISOM_BOX_TYPE_UDTA), GF_FALSE);\n\t\t\tif (e) return e;\n\t\t}\n\n\t\tmap = udta_getEntry(trak->udta, GF_ISOM_BOX_TYPE_TSEL, NULL);\n\n\t\t/*locate tsel box with no switch group*/\n\t\tif (map) {\n\t\t\tu32 j, count = gf_list_count(map->boxes);\n\t\t\tfor (j=0; jboxes, j);\n\t\t\t\tif (tsel->switchGroup == *switchGroupID) break;\n\t\t\t\ttsel = NULL;\n\t\t\t}\n\t\t}\n\t\tif (!tsel) {\n\t\t\ttsel = (GF_TrackSelectionBox *)gf_isom_box_new(GF_ISOM_BOX_TYPE_TSEL);\n\t\t\tif (!tsel) return GF_OUT_OF_MEM;\n\t\t\te = udta_on_child_box((GF_Box *)trak->udta, (GF_Box *) tsel, GF_FALSE);\n\t\t\tif (e) return e;\n\t\t}\n\n\t\ttsel->switchGroup = *switchGroupID;\n\t\ttsel->attributeListCount = criteriaListCount;\n\t\tif (tsel->attributeList) gf_free(tsel->attributeList);\n\t\ttsel->attributeList = (u32*)gf_malloc(sizeof(u32)*criteriaListCount);\n\t\tif (!tsel->attributeList) return GF_OUT_OF_MEM;\n\t\tmemcpy(tsel->attributeList, criteriaList, sizeof(u32)*criteriaListCount);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 329062228094615248467195478823419892094, "size": 102, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267199 }, { "func": "GF_Err GetESDForTime(GF_MovieBox *moov, GF_ISOTrackID trackID, u64 CTS, GF_ESD **outESD)\n{\n\tGF_Err e;\n\tu32 sampleDescIndex;\n\tGF_TrackBox *trak;\n\n\ttrak = gf_isom_get_track(moov, gf_isom_get_tracknum_from_id(moov, trackID));\n\tif (!trak) return GF_ISOM_INVALID_FILE;\n\n\te = Media_GetSampleDescIndex(trak->Media, CTS, &sampleDescIndex );\n\tif (e) return e;\n\treturn GetESD(moov, trackID, sampleDescIndex, outESD);\n}", "project": "gpac", "hash": 
320928126748226372092011709228504610571, "size": 13, "commit_id": "df8fffd839fe5ae9acd82d26fd48280a397411d9", "message": "fixed #1736", "target": 0, "dataset": "other", "idx": 272316 }, { "func": "GF_Err stbl_RemoveSize(GF_SampleTableBox *stbl, u32 sampleNumber, u32 nb_samples)\n{\n\tGF_SampleSizeBox *stsz = stbl->SampleSize;\n\n\tif ((nb_samples>1) && (sampleNumber>1)) return GF_BAD_PARAM;\n\t//last sample\n\tif (stsz->sampleCount == 1) {\n\t\tif (stsz->sizes) gf_free(stsz->sizes);\n\t\tstsz->sizes = NULL;\n\t\tstsz->sampleCount = 0;\n\t\treturn GF_OK;\n\t}\n\t//one single size\n\tif (stsz->sampleSize) {\n\t\tstsz->sampleCount -= nb_samples;\n\t\treturn GF_OK;\n\t}\n\tif (nb_samples==1) {\n\t\tif (sampleNumber < stsz->sampleCount)\n\t\t\tmemmove(stsz->sizes + sampleNumber - 1, stsz->sizes + sampleNumber, sizeof(u32) * (stsz->sampleCount - sampleNumber));\n\t} else {\n\t\tif (nb_samples < stsz->sampleCount)\n\t\t\tmemmove(stsz->sizes, stsz->sizes + nb_samples, sizeof(u32) * (stsz->sampleCount - nb_samples));\n\t}\n\tstsz->sampleCount -= nb_samples;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 100792737501052713061718792469515587848, "size": 27, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267871 }, { "func": "GF_Err m4ds_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tu8 *enc_ods;\n\tu32 enc_od_size;\n\tGF_MPEG4ExtensionDescriptorsBox *ptr = (GF_MPEG4ExtensionDescriptorsBox *) s;\n\tif (!s) return GF_BAD_PARAM;\n\te = gf_isom_box_write_header(s, bs);\n\tif (e) return e;\n\tenc_ods = NULL;\n\tenc_od_size = 0;\n\te = gf_odf_desc_list_write(ptr->descriptors, &enc_ods, &enc_od_size);\n\tif (e) return e;\n\tif (enc_od_size) {\n\t\tgf_bs_write_data(bs, enc_ods, enc_od_size);\n\t\tgf_free(enc_ods);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 225733311863435894204972518255072625903, "size": 19, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": 
"fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237651 }, { "func": "GF_Err gf_isom_get_ismacryp_info(GF_ISOFile *the_file, u32 trackNumber, u32 sampleDescriptionIndex, u32 *outOriginalFormat, u32 *outSchemeType, u32 *outSchemeVersion, const char **outSchemeURI, const char **outKMS_URI, Bool *outSelectiveEncryption, u32 *outIVLength, u32 *outKeyIndicationLength)\n{\n\tGF_TrackBox *trak;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tsinf = isom_get_sinf_entry(trak, sampleDescriptionIndex, GF_ISOM_ISMACRYP_SCHEME, NULL);\n\tif (!sinf) return GF_OK;\n\n\tif (outOriginalFormat) {\n\t\t*outOriginalFormat = sinf->original_format->data_format;\n\t\tif (IsMP4Description(sinf->original_format->data_format)) *outOriginalFormat = GF_ISOM_SUBTYPE_MPEG4;\n\t}\n\tif (outSchemeType) *outSchemeType = sinf->scheme_type->scheme_type;\n\tif (outSchemeVersion) *outSchemeVersion = sinf->scheme_type->scheme_version;\n\tif (outSchemeURI) *outSchemeURI = sinf->scheme_type->URI;\n\n\tif (sinf->info && sinf->info->ikms) {\n\t\tif (outKMS_URI) *outKMS_URI = sinf->info->ikms->URI;\n\t} else {\n\t\tif (outKMS_URI) *outKMS_URI = NULL;\n\t}\n\tif (sinf->info && sinf->info->isfm) {\n\t\tif (outSelectiveEncryption) *outSelectiveEncryption = sinf->info->isfm->selective_encryption;\n\t\tif (outIVLength) *outIVLength = sinf->info->isfm->IV_length;\n\t\tif (outKeyIndicationLength) *outKeyIndicationLength = sinf->info->isfm->key_indicator_length;\n\t} else {\n\t\tif (outSelectiveEncryption) *outSelectiveEncryption = GF_FALSE;\n\t\tif (outIVLength) *outIVLength = 0;\n\t\tif (outKeyIndicationLength) *outKeyIndicationLength = 0;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 167664049379041082301968158622499698450, "size": 35, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275398 }, { "func": "GF_Err 
gf_isom_get_trex_template(GF_ISOFile *file, u32 track, u8 **output, u32 *output_size)\n{\n\tGF_TrackBox *trak;\n\tGF_BitStream *bs;\n\tu32 i;\n\tGF_TrackExtendsBox *trex = NULL;\n\tGF_TrackExtensionPropertiesBox *trexprop = NULL;\n\n\t*output = NULL;\n\t*output_size = 0;\n\t/*get orig sample desc and clone it*/\n\ttrak = gf_isom_get_track_from_file(file, track);\n\tif (!trak || !trak->Media) return GF_BAD_PARAM;\n\tif (!file->moov->mvex) return GF_NOT_FOUND;\n\tfor (i=0; imoov->mvex->TrackExList); i++) {\n\t\ttrex = gf_list_get(file->moov->mvex->TrackExList, i);\n\t\tif (trex->trackID == trak->Header->trackID) break;\n\t\ttrex = NULL;\n\t}\n\tif (!trex) return GF_NOT_FOUND;\n\n\tfor (i=0; imoov->mvex->TrackExPropList); i++) {\n\t\ttrexprop = gf_list_get(file->moov->mvex->TrackExPropList, i);\n\t\tif (trexprop->trackID== trak->Header->trackID) break;\n\t\ttrexprop = NULL;\n\t}\n\tbs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\tgf_isom_box_size( (GF_Box *) trex);\n\tgf_isom_box_write((GF_Box *) trex, bs);\n\n\tif (trexprop) {\n\t\tgf_isom_box_size( (GF_Box *) trexprop);\n\t\tgf_isom_box_write((GF_Box *) trexprop, bs);\n\t}\n\tgf_bs_get_content(bs, output, output_size);\n\tgf_bs_del(bs);\n\n\treturn GF_OK;\n\n}", "project": "gpac", "hash": 201289414811610058763425423392277115455, "size": 40, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267173 }, { "func": "void PrintDumpUsage()\n{\n\tu32 i=0;\n\tgf_sys_format_help(helpout, help_flags, \"# File Dumping\\n\"\n\t\" \\n\"\n\t\"MP4Box has many dump functionalities, from simple track listing to more complete reporting of special tracks.\\n\"\n\t\" \\n\"\n\t\"Options:\\n\"\n\t);\n\twhile (m4b_dump_args[i].name) {\n\t\tGF_GPACArg *arg = &m4b_dump_args[i];\n\t\ti++;\n\t\tgf_sys_print_arg(helpout, help_flags, arg, \"mp4box-extract\");\n\t}\n}", "project": "gpac", "hash": 166446577527476423687878717336062065698, "size": 15, "commit_id": 
"9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244401 }, { "func": "GF_Err Media_GetESD(GF_MediaBox *mdia, u32 sampleDescIndex, GF_ESD **out_esd, Bool true_desc_only)\n{\n\tu32 type;\n\tGF_ESD *esd;\n\tGF_MPEGSampleEntryBox *entry = NULL;\n\tGF_ESDBox *ESDa;\n\tGF_ProtectionSchemeInfoBox *sinf;\n\tGF_SampleDescriptionBox *stsd = mdia->information->sampleTable->SampleDescription;\n\n\t*out_esd = NULL;\n\tif (!stsd || !stsd->child_boxes || !sampleDescIndex || (sampleDescIndex > gf_list_count(stsd->child_boxes)) )\n\t\treturn GF_BAD_PARAM;\n\n\tesd = NULL;\n\tentry = (GF_MPEGSampleEntryBox*)gf_list_get(stsd->child_boxes, sampleDescIndex - 1);\n\tif (! entry) return GF_ISOM_INVALID_MEDIA;\n\n\t*out_esd = NULL;\n\tESDa = NULL;\n\ttype = entry->type;\n\tswitch (type) {\n\tcase GF_ISOM_BOX_TYPE_ENCV:\n\tcase GF_ISOM_BOX_TYPE_ENCA:\n\tcase GF_ISOM_BOX_TYPE_ENCS:\n\tcase GF_ISOM_BOX_TYPE_ENCF:\n\tcase GF_ISOM_BOX_TYPE_ENCM:\n\tcase GF_ISOM_BOX_TYPE_ENCT:\n\t\tsinf = (GF_ProtectionSchemeInfoBox *) gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_SINF);\n\t\tif (sinf && sinf->original_format) {\n\t\t\ttype = sinf->original_format->data_format;\n\t\t}\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_RESV:\n\t\tsinf = (GF_ProtectionSchemeInfoBox *) gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_RINF);\n\t\tif (sinf && sinf->original_format) {\n\t\t\ttype = sinf->original_format->data_format;\n\t\t}\n\t\tbreak;\n\t}\n\n\n\tswitch (type) {\n\tcase GF_ISOM_BOX_TYPE_MP4V:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\tESDa = ((GF_MPEGVisualSampleEntryBox*)entry)->esd;\n\t\tif (ESDa) esd = (GF_ESD *) ESDa->desc;\n\t\t/*avc1 encrypted*/\n\t\telse esd = ((GF_MPEGVisualSampleEntryBox*) entry)->emul_esd;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_AVC1:\n\tcase GF_ISOM_BOX_TYPE_AVC2:\n\tcase GF_ISOM_BOX_TYPE_AVC3:\n\tcase GF_ISOM_BOX_TYPE_AVC4:\n\tcase 
GF_ISOM_BOX_TYPE_HVC1:\n\tcase GF_ISOM_BOX_TYPE_HEV1:\n\tcase GF_ISOM_BOX_TYPE_HVC2:\n\tcase GF_ISOM_BOX_TYPE_HEV2:\n\tcase GF_ISOM_BOX_TYPE_HVT1:\n\tcase GF_ISOM_BOX_TYPE_264B:\n\tcase GF_ISOM_BOX_TYPE_265B:\n\tcase GF_ISOM_BOX_TYPE_DVHE:\n\tcase GF_ISOM_BOX_TYPE_VVC1:\n\tcase GF_ISOM_BOX_TYPE_VVI1:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\tesd = ((GF_MPEGVisualSampleEntryBox*) entry)->emul_esd;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_SVC1:\n\tcase GF_ISOM_BOX_TYPE_MVC1:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\tif ((mdia->mediaTrack->extractor_mode & 0x0000FFFF) != GF_ISOM_NALU_EXTRACT_INSPECT)\n\t\t\tAVC_RewriteESDescriptorEx((GF_MPEGVisualSampleEntryBox*) entry, mdia);\n\t\telse\n\t\t\tAVC_RewriteESDescriptorEx((GF_MPEGVisualSampleEntryBox*) entry, NULL);\n\t\tesd = ((GF_MPEGVisualSampleEntryBox*) entry)->emul_esd;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_LHE1:\n\tcase GF_ISOM_BOX_TYPE_LHV1:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\tif ((mdia->mediaTrack->extractor_mode & 0x0000FFFF) != GF_ISOM_NALU_EXTRACT_INSPECT)\n\t\t\tHEVC_RewriteESDescriptorEx((GF_MPEGVisualSampleEntryBox*) entry, mdia);\n\t\telse\n\t\t\tHEVC_RewriteESDescriptorEx((GF_MPEGVisualSampleEntryBox*) entry, NULL);\n\t\tesd = ((GF_MPEGVisualSampleEntryBox*) entry)->emul_esd;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_AV01:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\tAV1_RewriteESDescriptorEx((GF_MPEGVisualSampleEntryBox*)entry, mdia);\n\t\tesd = ((GF_MPEGVisualSampleEntryBox*)entry)->emul_esd;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_VP08:\n\tcase GF_ISOM_BOX_TYPE_VP09:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\tVP9_RewriteESDescriptorEx((GF_MPEGVisualSampleEntryBox*)entry, mdia);\n\t\tesd = 
((GF_MPEGVisualSampleEntryBox*)entry)->emul_esd;\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_MP4A:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_AUDIO)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n {\n GF_MPEGAudioSampleEntryBox *ase = (GF_MPEGAudioSampleEntryBox*)entry;\n ESDa = ase->esd;\n if (ESDa) {\n\t\t\t\tesd = (GF_ESD *) ESDa->desc;\n } else if (!true_desc_only) {\n\t\t\t\tBool make_mp4a = GF_FALSE;\n\t\t\t\tsinf = (GF_ProtectionSchemeInfoBox *) gf_isom_box_find_child(entry->child_boxes, GF_ISOM_BOX_TYPE_SINF);\n\n\t\t\t\tif (sinf && sinf->original_format) {\n\t\t\t\t\tif (sinf->original_format->data_format==GF_ISOM_BOX_TYPE_MP4A) {\n\t\t\t\t\t\tmake_mp4a = GF_TRUE;\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\t// Assuming that if no ESD is provided the stream is Basic MPEG-4 AAC LC\n\t\t\t\t\tmake_mp4a = GF_TRUE;\n\t\t\t\t}\n\t\t\t\tif (make_mp4a) {\n\t\t\t\t\tGF_M4ADecSpecInfo aacinfo;\n\t\t\t\t\tmemset(&aacinfo, 0, sizeof(GF_M4ADecSpecInfo));\n\t\t\t\t\taacinfo.nb_chan = ase->channel_count;\n\t\t\t\t\taacinfo.base_object_type = GF_M4A_AAC_LC;\n\t\t\t\t\taacinfo.base_sr = ase->samplerate_hi;\n\t\t\t\t\t*out_esd = gf_odf_desc_esd_new(0);\n\t\t\t\t\t(*out_esd)->decoderConfig->streamType = GF_STREAM_AUDIO;\n\t\t\t\t\t(*out_esd)->decoderConfig->objectTypeIndication = GF_CODECID_AAC_MPEG4;\n\t\t\t\t\tgf_m4a_write_config(&aacinfo, &(*out_esd)->decoderConfig->decoderSpecificInfo->data, &(*out_esd)->decoderConfig->decoderSpecificInfo->dataLength);\n\t\t\t\t}\n }\n }\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_MP4S:\n\t\tif (entry->internal_type==GF_ISOM_SAMPLE_ENTRY_MP4S) {\n\t\t\tESDa = entry->esd;\n\t\t\tif (ESDa) esd = (GF_ESD *) ESDa->desc;\n\t\t}\n\t\tbreak;\n#ifndef GPAC_DISABLE_TTXT\n\tcase GF_ISOM_BOX_TYPE_TX3G:\n\tcase GF_ISOM_BOX_TYPE_TEXT:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_MP4S)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\n\t\tif (!true_desc_only && mdia->mediaTrack->moov->mov->convert_streaming_text) {\n\t\t\tGF_Err e = gf_isom_get_ttxt_esd(mdia, 
out_esd);\n\t\t\tif (e) return e;\n\t\t\tbreak;\n\t\t}\n\t\telse\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n#endif\n#ifndef GPAC_DISABLE_VTT\n\tcase GF_ISOM_BOX_TYPE_WVTT:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_MP4S)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t{\n\t\tGF_WebVTTSampleEntryBox*vtte = (GF_WebVTTSampleEntryBox*)entry;\n\t\tesd = gf_odf_desc_esd_new(2);\n\t\t*out_esd = esd;\n\t\tesd->decoderConfig->streamType = GF_STREAM_TEXT;\n\t\tesd->decoderConfig->objectTypeIndication = GF_CODECID_WEBVTT;\n\t\tif (vtte->config) {\n\t\t\tesd->decoderConfig->decoderSpecificInfo->dataLength = (u32) strlen(vtte->config->string);\n\t\t\tesd->decoderConfig->decoderSpecificInfo->data = gf_malloc(sizeof(char)*esd->decoderConfig->decoderSpecificInfo->dataLength);\n\t\t\tmemcpy(esd->decoderConfig->decoderSpecificInfo->data, vtte->config->string, esd->decoderConfig->decoderSpecificInfo->dataLength);\n\t\t}\n\t}\n\t\tbreak;\n\tcase GF_ISOM_BOX_TYPE_STPP:\n\tcase GF_ISOM_BOX_TYPE_SBTT:\n\tcase GF_ISOM_BOX_TYPE_STXT:\n\t\tbreak;\n#endif\n\n\tcase GF_ISOM_SUBTYPE_3GP_AMR:\n\tcase GF_ISOM_SUBTYPE_3GP_AMR_WB:\n\tcase GF_ISOM_SUBTYPE_3GP_EVRC:\n\tcase GF_ISOM_SUBTYPE_3GP_QCELP:\n\tcase GF_ISOM_SUBTYPE_3GP_SMV:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_AUDIO)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\tif (!true_desc_only) {\n\t\t\tGF_Err e = gf_isom_get_3gpp_audio_esd(mdia->information->sampleTable, type, (GF_GenericAudioSampleEntryBox*)entry, out_esd);\n\t\t\tif (e) return e;\n\t\t\tbreak;\n\t\t} else return GF_ISOM_INVALID_MEDIA;\n\n\tcase GF_ISOM_SUBTYPE_OPUS:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_AUDIO)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t{\n\t\tGF_OpusSpecificBox *e = ((GF_MPEGAudioSampleEntryBox*)entry)->cfg_opus;\n\t\tGF_BitStream *bs_out;\n\t\tif (!e) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"ESD not found for Opus\\n)\"));\n\t\t\tbreak;\n\t\t}\n\n\t\t*out_esd = gf_odf_desc_esd_new(2);\n\t\t(*out_esd)->decoderConfig->streamType = 
GF_STREAM_AUDIO;\n\t\t(*out_esd)->decoderConfig->objectTypeIndication = GF_CODECID_OPUS;\n\n\t\t//serialize box with header - compatibility with ffmpeg\n\t\tbs_out = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\t\tgf_isom_box_size((GF_Box *) e);\n\t\tgf_isom_box_write((GF_Box *) e, bs_out);\n\t\tgf_bs_get_content(bs_out, & (*out_esd)->decoderConfig->decoderSpecificInfo->data, & (*out_esd)->decoderConfig->decoderSpecificInfo->dataLength);\n\t\tgf_bs_del(bs_out);\n\t\tbreak;\n\t}\n\tcase GF_ISOM_SUBTYPE_3GP_H263:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\tif (true_desc_only) {\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\t} else {\n\t\t\tesd = gf_odf_desc_esd_new(2);\n\t\t\t*out_esd = esd;\n\t\t\tesd->decoderConfig->streamType = GF_STREAM_VISUAL;\n\t\t\tesd->decoderConfig->objectTypeIndication = GF_CODECID_H263;\n\t\t\tbreak;\n\t\t}\n\n\tcase GF_ISOM_SUBTYPE_MP3:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_AUDIO)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\tif (true_desc_only) {\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\t} else {\n\t\t\tesd = gf_odf_desc_esd_new(2);\n\t\t\t*out_esd = esd;\n\t\t\tesd->decoderConfig->streamType = GF_STREAM_AUDIO;\n\t\t\tesd->decoderConfig->objectTypeIndication = GF_CODECID_MPEG_AUDIO;\n\t\t\tbreak;\n\t\t}\n\n\tcase GF_ISOM_SUBTYPE_LSR1:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_MP4S)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\tif (true_desc_only) {\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\t} else {\n\t\t\tGF_LASeRSampleEntryBox*ptr = (GF_LASeRSampleEntryBox*)entry;\n\t\t\tesd = gf_odf_desc_esd_new(2);\n\t\t\t*out_esd = esd;\n\t\t\tesd->decoderConfig->streamType = GF_STREAM_SCENE;\n\t\t\tesd->decoderConfig->objectTypeIndication = GF_CODECID_LASER;\n\t\t\tesd->decoderConfig->decoderSpecificInfo->dataLength = ptr->lsr_config->hdr_size;\n\t\t\tesd->decoderConfig->decoderSpecificInfo->data = gf_malloc(sizeof(char)*ptr->lsr_config->hdr_size);\n\t\t\tif 
(!esd->decoderConfig->decoderSpecificInfo->data) return GF_OUT_OF_MEM;\n\t\t\tmemcpy(esd->decoderConfig->decoderSpecificInfo->data, ptr->lsr_config->hdr, sizeof(char)*ptr->lsr_config->hdr_size);\n\t\t\tbreak;\n\t\t}\n\tcase GF_ISOM_SUBTYPE_MH3D_MHA1:\n\tcase GF_ISOM_SUBTYPE_MH3D_MHA2:\n\tcase GF_ISOM_SUBTYPE_MH3D_MHM1:\n\tcase GF_ISOM_SUBTYPE_MH3D_MHM2:\n\t\tif (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_AUDIO)\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\n\t\tif (true_desc_only) {\n\t\t\treturn GF_ISOM_INVALID_MEDIA;\n\t\t} else {\n\t\t\tGF_MPEGAudioSampleEntryBox*ptr = (GF_MPEGAudioSampleEntryBox*)entry;\n\t\t\tesd = gf_odf_desc_esd_new(2);\n\t\t\t*out_esd = esd;\n\t\t\tesd->decoderConfig->streamType = GF_STREAM_AUDIO;\n\t\t\tif ((type==GF_ISOM_SUBTYPE_MH3D_MHA1) || (type==GF_ISOM_SUBTYPE_MH3D_MHA2))\n\t\t\t\tesd->decoderConfig->objectTypeIndication = GF_CODECID_MPHA;\n\t\t\telse\n\t\t\t\tesd->decoderConfig->objectTypeIndication = GF_CODECID_MHAS;\n\t\t\tif (ptr->cfg_mha) {\n\t\t\t\tGF_BitStream *bs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\n\t\t\t\tgf_bs_write_u8(bs, ptr->cfg_mha->configuration_version);\n\t\t\t\tgf_bs_write_u8(bs, ptr->cfg_mha->mha_pl_indication);\n\t\t\t\tgf_bs_write_u8(bs, ptr->cfg_mha->reference_channel_layout);\n\t\t\t\tgf_bs_write_u16(bs, ptr->cfg_mha->mha_config ? 
ptr->cfg_mha->mha_config_size : 0);\n\t\t\t\tif (ptr->cfg_mha->mha_config && ptr->cfg_mha->mha_config_size)\n\t\t\t\t\tgf_bs_write_data(bs, ptr->cfg_mha->mha_config, ptr->cfg_mha->mha_config_size);\n\n\t\t\t\tgf_bs_get_content(bs, &esd->decoderConfig->decoderSpecificInfo->data, &esd->decoderConfig->decoderSpecificInfo->dataLength);\n\t\t\t\tgf_bs_del(bs);\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\tdefault:\n\t\treturn GF_ISOM_INVALID_MEDIA;\n\t}\n\n\tif (true_desc_only) {\n\t\tif (!esd) return GF_ISOM_INVALID_MEDIA;\n\t\t*out_esd = esd;\n\t\treturn GF_OK;\n\t} else {\n\t\tif (!esd && !*out_esd) return GF_ISOM_INVALID_MEDIA;\n\t\tif (*out_esd == NULL) return gf_odf_desc_copy((GF_Descriptor *)esd, (GF_Descriptor **)out_esd);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 47164911148773131493599945982208629104, "size": 305, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231609 }, { "func": "GF_Err stbl_AddRAP(GF_SyncSampleBox *stss, u32 sampleNumber)\n{\n\tu32 i, k;\n\tu32 *newNumbers;\n\n\tif (!stss || !sampleNumber) return GF_BAD_PARAM;\n\n\tif (stss->sampleNumbers == NULL) {\n\t\tALLOC_INC(stss->alloc_size);\n\t\tstss->sampleNumbers = (u32*)gf_malloc(sizeof(u32)*stss->alloc_size);\n\t\tif (!stss->sampleNumbers) return GF_OUT_OF_MEM;\n\t\tstss->sampleNumbers[0] = sampleNumber;\n\t\tstss->nb_entries = 1;\n\t\treturn GF_OK;\n\t}\n\n\tif (stss->sampleNumbers[stss->nb_entries-1] == sampleNumber) return GF_OK;\n\n\tif (stss->sampleNumbers[stss->nb_entries-1] < sampleNumber) {\n\t\tif (stss->nb_entries==stss->alloc_size) {\n\t\t\tALLOC_INC(stss->alloc_size);\n\t\t\tstss->sampleNumbers = gf_realloc(stss->sampleNumbers, sizeof(u32) * stss->alloc_size);\n\t\t\tif (!stss->sampleNumbers) return GF_OUT_OF_MEM;\n\t\t\tmemset(&stss->sampleNumbers[stss->nb_entries], 0, sizeof(u32) * (stss->alloc_size-stss->nb_entries) );\n\t\t}\n\t\tstss->sampleNumbers[stss->nb_entries] = sampleNumber;\n\t} else 
{\n\t\tnewNumbers = (u32*)gf_malloc(sizeof(u32) * (stss->nb_entries + 1));\n\t\tif (!newNumbers) return GF_OUT_OF_MEM;\n\t\t//the table is in increasing order of sampleNumber\n\t\tk = 0;\n\t\tfor (i = 0; i < stss->nb_entries; i++) {\n\t\t\tif (stss->sampleNumbers[i] >= sampleNumber) {\n\t\t\t\tnewNumbers[i + k] = sampleNumber;\n\t\t\t\tk = 1;\n\t\t\t}\n\t\t\tnewNumbers[i + k] = stss->sampleNumbers[i] + k;\n\t\t}\n\t\tgf_free(stss->sampleNumbers);\n\t\tstss->sampleNumbers = newNumbers;\n\t\tstss->alloc_size = stss->nb_entries+1;\n\t}\n\t//update our list\n\tstss->nb_entries ++;\n\treturn GF_OK;\n}", "project": "gpac", "hash": 184655858310998485527075928506017395062, "size": 46, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267890 }, { "func": "GF_EXPORT\nGF_Err gf_isom_get_fragmented_samples_info(GF_ISOFile *movie, GF_ISOTrackID trackID, u32 *nb_samples, u64 *duration)\n{\n\tu32 i=0;\n\tu32 k, l;\n\tGF_MovieFragmentBox *moof;\n\tGF_TrackFragmentBox *traf;\n\n\t*nb_samples = 0;\n\t*duration = 0;\n\twhile ((moof=(GF_MovieFragmentBox*)gf_list_enum(movie->TopBoxes, &i))) {\n\t\tu32 j=0;\n\t\tif (moof->type!=GF_ISOM_BOX_TYPE_MOOF) continue;\n\n\t\twhile ((traf=(GF_TrackFragmentBox*)gf_list_enum( moof->TrackList, &j))) {\n\t\t\tu64 def_duration, samp_dur=0;\n\n\t\t\tif (traf->tfhd->trackID != trackID)\n\t\t\t\tcontinue;\n\n\t\t\tdef_duration = 0;\n\t\t\tif (traf->tfhd->flags & GF_ISOM_TRAF_SAMPLE_DUR) def_duration = traf->tfhd->def_sample_duration;\n\t\t\telse if (traf->trex) def_duration = traf->trex->def_sample_duration;\n\n\t\t\tfor (k=0; kTrackRuns); k++) {\n\t\t\t\tGF_TrackFragmentRunBox *trun = (GF_TrackFragmentRunBox*)gf_list_get(traf->TrackRuns, k);\n\t\t\t\t*nb_samples += trun->sample_count;\n\n\t\t\t\tfor (l=0; lnb_samples; l++) {\n\t\t\t\t\tGF_TrunEntry *ent = &trun->samples[l];\n\n\t\t\t\t\tsamp_dur = def_duration;\n\t\t\t\t\tif (trun->flags & GF_ISOM_TRUN_DURATION) samp_dur = 
ent->Duration;\n\t\t\t\t\tif (trun->nb_samples == trun->sample_count)\n\t\t\t\t\t\t*duration += samp_dur;\n\t\t\t\t}\n\t\t\t\tif (trun->nb_samples != trun->sample_count)\n\t\t\t\t\t*duration += samp_dur * trun->sample_count;\n\t\t\t}\n\t\t}\n\t}\n\treturn GF_OK;", "project": "gpac", "hash": 176370139294012927893586635192699494897, "size": 42, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246841 }, { "func": "static void merge_avc_config(GF_AVCConfig *dst_cfg, GF_AVCConfig *src_cfg)\n{\n\tGF_AVCConfig *cfg;\n\tif (!src_cfg || !dst_cfg) return;\n\tcfg = AVC_DuplicateConfig(src_cfg);\n\tif (!cfg) return;\n\t\n\twhile (gf_list_count(cfg->sequenceParameterSets)) {\n\t\tGF_NALUFFParam *p = (GF_NALUFFParam*)gf_list_get(cfg->sequenceParameterSets, 0);\n\t\tgf_list_rem(cfg->sequenceParameterSets, 0);\n\t\tgf_list_insert(dst_cfg->sequenceParameterSets, p, 0);\n\t}\n\twhile (gf_list_count(cfg->pictureParameterSets)) {\n\t\tGF_NALUFFParam *p = (GF_NALUFFParam*)gf_list_get(cfg->pictureParameterSets, 0);\n\t\tgf_list_rem(cfg->pictureParameterSets, 0);\n\t\tgf_list_insert(dst_cfg->pictureParameterSets, p, 0);\n\t}\n\tgf_odf_avc_cfg_del(cfg);\n}", "project": "gpac", "hash": 320628136604308866493164447372076059174, "size": 19, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237598 }, { "func": "GF_Err Media_RewriteODFrame(GF_MediaBox *mdia, GF_ISOSample *sample)\n{\n\tGF_Err e;\n\tGF_ODCodec *ODdecode;\n\tGF_ODCodec *ODencode;\n\tGF_ODCom *com;\n\n\t//the commands we proceed\n\tGF_ESDUpdate *esdU, *esdU2;\n\tGF_ESDRemove *esdR, *esdR2;\n\tGF_ODUpdate *odU, *odU2;\n\n\t//the desc they contain\n\tGF_ObjectDescriptor *od;\n\tGF_IsomObjectDescriptor *isom_od;\n\tGF_ESD *esd;\n\tGF_ES_ID_Ref *ref;\n\tGF_Descriptor *desc;\n\tGF_TrackReferenceTypeBox *mpod;\n\tu32 i, j, skipped;\n\n\tif (!mdia || !sample || !sample->data || 
!sample->dataLength) return GF_BAD_PARAM;\n\n\tmpod = NULL;\n\te = Track_FindRef(mdia->mediaTrack, GF_ISOM_BOX_TYPE_MPOD, &mpod);\n\tif (e) return e;\n\t//no references, nothing to do...\n\tif (!mpod || !mpod->trackIDs) return GF_OK;\n\n\tODdecode = gf_odf_codec_new();\n\tif (!ODdecode) return GF_OUT_OF_MEM;\n\tODencode = gf_odf_codec_new();\n\tif (!ODencode) {\n\t\tgf_odf_codec_del(ODdecode);\n\t\treturn GF_OUT_OF_MEM;\n\t}\n\te = gf_odf_codec_set_au(ODdecode, sample->data, sample->dataLength);\n\tif (e) goto err_exit;\n\te = gf_odf_codec_decode(ODdecode);\n\tif (e) goto err_exit;\n\n\twhile (1) {\n\t\tcom = gf_odf_codec_get_com(ODdecode);\n\t\tif (!com) break;\n\n\t\t//we only need to rewrite commands with ESDs inside: ESDUpdate and ODUpdate\n\t\tswitch (com->tag) {\n\t\tcase GF_ODF_OD_UPDATE_TAG:\n\t\t\todU = (GF_ODUpdate *) com;\n\t\t\todU2 = (GF_ODUpdate *) gf_odf_com_new(GF_ODF_OD_UPDATE_TAG);\n\n\t\t\ti=0;\n\t\t\twhile ((desc = (GF_Descriptor*)gf_list_enum(odU->objectDescriptors, &i))) {\n\t\t\t\tswitch (desc->tag) {\n\t\t\t\tcase GF_ODF_OD_TAG:\n\t\t\t\tcase GF_ODF_ISOM_OD_TAG:\n\t\t\t\t//IOD can be used in OD streams\n\t\t\t\tcase GF_ODF_ISOM_IOD_TAG:\n\t\t\t\t\tbreak;\n\t\t\t\tdefault:\n\t\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t\t}\n\t\t\t\te = gf_odf_desc_copy(desc, (GF_Descriptor **)&isom_od);\n\t\t\t\tif (e) goto err_exit;\n\n\t\t\t\t//create our OD...\n\t\t\t\tif (desc->tag == GF_ODF_ISOM_IOD_TAG) {\n\t\t\t\t\tod = (GF_ObjectDescriptor *) gf_malloc(sizeof(GF_InitialObjectDescriptor));\n\t\t\t\t} else {\n\t\t\t\t\tod = (GF_ObjectDescriptor *) gf_malloc(sizeof(GF_ObjectDescriptor));\n\t\t\t\t}\n\t\t\t\tif (!od) {\n\t\t\t\t\te = GF_OUT_OF_MEM;\n\t\t\t\t\tgoto err_exit;\n\t\t\t\t}\n\t\t\t\tod->ESDescriptors = gf_list_new();\n\t\t\t\t//and duplicate...\n\t\t\t\tod->objectDescriptorID = isom_od->objectDescriptorID;\n\t\t\t\tod->tag = GF_ODF_OD_TAG;\n\t\t\t\tod->URLString = isom_od->URLString;\n\t\t\t\tisom_od->URLString = 
NULL;\n\t\t\t\tod->extensionDescriptors = isom_od->extensionDescriptors;\n\t\t\t\tisom_od->extensionDescriptors = NULL;\n\t\t\t\tod->IPMP_Descriptors = isom_od->IPMP_Descriptors;\n\t\t\t\tisom_od->IPMP_Descriptors = NULL;\n\t\t\t\tod->OCIDescriptors = isom_od->OCIDescriptors;\n\t\t\t\tisom_od->OCIDescriptors = NULL;\n\n\t\t\t\t//init as IOD\n\t\t\t\tif (isom_od->tag == GF_ODF_ISOM_IOD_TAG) {\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->audio_profileAndLevel = ((GF_IsomInitialObjectDescriptor *)isom_od)->audio_profileAndLevel;\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->inlineProfileFlag = ((GF_IsomInitialObjectDescriptor *)isom_od)->inlineProfileFlag;\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->graphics_profileAndLevel = ((GF_IsomInitialObjectDescriptor *)isom_od)->graphics_profileAndLevel;\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->OD_profileAndLevel = ((GF_IsomInitialObjectDescriptor *)isom_od)->OD_profileAndLevel;\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->scene_profileAndLevel = ((GF_IsomInitialObjectDescriptor *)isom_od)->scene_profileAndLevel;\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->visual_profileAndLevel = ((GF_IsomInitialObjectDescriptor *)isom_od)->visual_profileAndLevel;\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->IPMPToolList = ((GF_IsomInitialObjectDescriptor *)isom_od)->IPMPToolList;\n\t\t\t\t\t((GF_IsomInitialObjectDescriptor *)isom_od)->IPMPToolList = NULL;\n\t\t\t\t}\n\n\t\t\t\t//then rewrite the ESDesc\n\t\t\t\tj=0;\n\t\t\t\twhile ((ref = (GF_ES_ID_Ref*)gf_list_enum(isom_od->ES_ID_RefDescriptors, &j))) {\n\t\t\t\t\t//if the ref index is not valid, skip this desc...\n\t\t\t\t\tif (!mpod->trackIDs || gf_isom_get_track_from_id(mdia->mediaTrack->moov, mpod->trackIDs[ref->trackRef - 1]) == NULL) continue;\n\t\t\t\t\t//OK, get the esd\n\t\t\t\t\te = GetESDForTime(mdia->mediaTrack->moov, mpod->trackIDs[ref->trackRef - 1], sample->DTS, &esd);\n\t\t\t\t\tif (!e) e = gf_odf_desc_add_desc((GF_Descriptor *) od, (GF_Descriptor *) 
esd);\n\t\t\t\t\tif (e) {\n\t\t\t\t\t\tgf_odf_desc_del((GF_Descriptor *)od);\n\t\t\t\t\t\tgf_odf_com_del((GF_ODCom **)&odU2);\n\t\t\t\t\t\tgf_odf_desc_del((GF_Descriptor *)isom_od);\n\t\t\t\t\t\tgf_odf_com_del((GF_ODCom **)&odU);\n\t\t\t\t\t\tgoto err_exit;\n\t\t\t\t\t}\n\n\t\t\t\t}\n\t\t\t\t//delete our desc\n\t\t\t\tgf_odf_desc_del((GF_Descriptor *)isom_od);\n\t\t\t\tgf_list_add(odU2->objectDescriptors, od);\n\t\t\t}\n\t\t\t//clean a bit\n\t\t\tgf_odf_com_del((GF_ODCom **)&odU);\n\t\t\tgf_odf_codec_add_com(ODencode, (GF_ODCom *)odU2);\n\t\t\tbreak;\n\n\t\tcase GF_ODF_ESD_UPDATE_TAG:\n\t\t\tesdU = (GF_ESDUpdate *) com;\n\t\t\tesdU2 = (GF_ESDUpdate *) gf_odf_com_new(GF_ODF_ESD_UPDATE_TAG);\n\t\t\tesdU2->ODID = esdU->ODID;\n\t\t\ti=0;\n\t\t\twhile ((ref = (GF_ES_ID_Ref*)gf_list_enum(esdU->ESDescriptors, &i))) {\n\t\t\t\t//if the ref index is not valid, skip this desc...\n\t\t\t\tif (gf_isom_get_track_from_id(mdia->mediaTrack->moov, mpod->trackIDs[ref->trackRef - 1]) == NULL) continue;\n\t\t\t\t//OK, get the esd\n\t\t\t\te = GetESDForTime(mdia->mediaTrack->moov, mpod->trackIDs[ref->trackRef - 1], sample->DTS, &esd);\n\t\t\t\tif (e) goto err_exit;\n\t\t\t\tgf_list_add(esdU2->ESDescriptors, esd);\n\t\t\t}\n\t\t\tgf_odf_com_del((GF_ODCom **)&esdU);\n\t\t\tgf_odf_codec_add_com(ODencode, (GF_ODCom *)esdU2);\n\t\t\tbreak;\n\n\t\t//brand new case: the ESRemove follows the same principle according to the spec...\n\t\tcase GF_ODF_ESD_REMOVE_REF_TAG:\n\t\t\t//both commands have the same structure, only the tags change\n\t\t\tesdR = (GF_ESDRemove *) com;\n\t\t\tesdR2 = (GF_ESDRemove *) gf_odf_com_new(GF_ODF_ESD_REMOVE_TAG);\n\t\t\tesdR2->ODID = esdR->ODID;\n\t\t\tesdR2->NbESDs = esdR->NbESDs;\n\t\t\t//alloc our stuff\n\t\t\tesdR2->ES_ID = (unsigned short*)gf_malloc(sizeof(u32) * esdR->NbESDs);\n\t\t\tif (!esdR2->ES_ID) {\n\t\t\t\te = GF_OUT_OF_MEM;\n\t\t\t\tgoto err_exit;\n\t\t\t}\n\t\t\tskipped = 0;\n\t\t\t//get the ES_ID in the mpod indicated in the ES_ID[]\n\t\t\tfor (i = 0; 
i < esdR->NbESDs; i++) {\n\t\t\t\t//if the ref index is not valid, remove this desc...\n\t\t\t\tif (gf_isom_get_track_from_id(mdia->mediaTrack->moov, mpod->trackIDs[esdR->ES_ID[i] - 1]) == NULL) {\n\t\t\t\t\tskipped ++;\n\t\t\t\t} else {\n\t\t\t\t\t//the command in the file has the ref index of the trackID in the mpod\n\t\t\t\t\tesdR2->ES_ID[i - skipped] = mpod->trackIDs[esdR->ES_ID[i] - 1];\n\t\t\t\t}\n\t\t\t}\n\t\t\t//gf_realloc...\n\t\t\tif (skipped && (skipped != esdR2->NbESDs) ) {\n\t\t\t\tesdR2->NbESDs -= skipped;\n\t\t\t\tesdR2->ES_ID = (unsigned short*)gf_realloc(esdR2->ES_ID, sizeof(u32) * esdR2->NbESDs);\n\t\t\t}\n\t\t\tgf_odf_com_del((GF_ODCom **)&esdR);\n\t\t\tgf_odf_codec_add_com(ODencode, (GF_ODCom *)esdR2);\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\te = gf_odf_codec_add_com(ODencode, com);\n\t\t\tif (e) goto err_exit;\n\t\t}\n\t}\n\t//encode our new AU\n\te = gf_odf_codec_encode(ODencode, 1);\n\tif (e) goto err_exit;\n\n\t//and set the buffer in the sample\n\tgf_free(sample->data);\n\tsample->data = NULL;\n\tsample->dataLength = 0;\n\te = gf_odf_codec_get_au(ODencode, &sample->data, &sample->dataLength);\n\nerr_exit:\n\tgf_odf_codec_del(ODdecode);\n\tgf_odf_codec_del(ODencode);\n\treturn e;\n}", "project": "gpac", "hash": 257511211780956322541197733348730262940, "size": 196, "commit_id": "f0ba83717b6e4d7a15a1676d1fe06152e199b011", "message": "fixed #1772 (fuzz)", "target": 1, "dataset": "other", "idx": 197890 }, { "func": "GF_Err Media_RewriteODFrame(GF_MediaBox *mdia, GF_ISOSample *sample)\n{\n\tGF_Err e;\n\tGF_ODCodec *ODdecode;\n\tGF_ODCodec *ODencode;\n\tGF_ODCom *com;\n\n\t//the commands we proceed\n\tGF_ESDUpdate *esdU, *esdU2;\n\tGF_ESDRemove *esdR, *esdR2;\n\tGF_ODUpdate *odU, *odU2;\n\n\t//the desc they contain\n\tGF_ObjectDescriptor *od;\n\tGF_IsomObjectDescriptor *isom_od;\n\tGF_ESD *esd;\n\tGF_ES_ID_Ref *ref;\n\tGF_Descriptor *desc;\n\tGF_TrackReferenceTypeBox *mpod;\n\tu32 i, j, skipped;\n\n\tif (!mdia || !sample || !sample->data || 
!sample->dataLength) return GF_BAD_PARAM;\n\n\tmpod = NULL;\n\te = Track_FindRef(mdia->mediaTrack, GF_ISOM_BOX_TYPE_MPOD, &mpod);\n\tif (e) return e;\n\t//no references, nothing to do...\n\tif (!mpod || !mpod->trackIDs) return GF_OK;\n\n\tODdecode = gf_odf_codec_new();\n\tif (!ODdecode) return GF_OUT_OF_MEM;\n\tODencode = gf_odf_codec_new();\n\tif (!ODencode) {\n\t\tgf_odf_codec_del(ODdecode);\n\t\treturn GF_OUT_OF_MEM;\n\t}\n\te = gf_odf_codec_set_au(ODdecode, sample->data, sample->dataLength);\n\tif (e) goto err_exit;\n\te = gf_odf_codec_decode(ODdecode);\n\tif (e) goto err_exit;\n\n\twhile (1) {\n\t\tcom = gf_odf_codec_get_com(ODdecode);\n\t\tif (!com) break;\n\n\t\t//we only need to rewrite commands with ESDs inside: ESDUpdate and ODUpdate\n\t\tswitch (com->tag) {\n\t\tcase GF_ODF_OD_UPDATE_TAG:\n\t\t\todU = (GF_ODUpdate *) com;\n\t\t\todU2 = (GF_ODUpdate *) gf_odf_com_new(GF_ODF_OD_UPDATE_TAG);\n\n\t\t\ti=0;\n\t\t\twhile ((desc = (GF_Descriptor*)gf_list_enum(odU->objectDescriptors, &i))) {\n\t\t\t\tswitch (desc->tag) {\n\t\t\t\tcase GF_ODF_OD_TAG:\n\t\t\t\tcase GF_ODF_ISOM_OD_TAG:\n\t\t\t\t//IOD can be used in OD streams\n\t\t\t\tcase GF_ODF_ISOM_IOD_TAG:\n\t\t\t\t\tbreak;\n\t\t\t\tdefault:\n\t\t\t\t\treturn GF_ISOM_INVALID_FILE;\n\t\t\t\t}\n\t\t\t\te = gf_odf_desc_copy(desc, (GF_Descriptor **)&isom_od);\n\t\t\t\tif (e) goto err_exit;\n\n\t\t\t\t//create our OD...\n\t\t\t\tif (desc->tag == GF_ODF_ISOM_IOD_TAG) {\n\t\t\t\t\tod = (GF_ObjectDescriptor *) gf_malloc(sizeof(GF_InitialObjectDescriptor));\n\t\t\t\t} else {\n\t\t\t\t\tod = (GF_ObjectDescriptor *) gf_malloc(sizeof(GF_ObjectDescriptor));\n\t\t\t\t}\n\t\t\t\tif (!od) {\n\t\t\t\t\te = GF_OUT_OF_MEM;\n\t\t\t\t\tgoto err_exit;\n\t\t\t\t}\n\t\t\t\tod->ESDescriptors = gf_list_new();\n\t\t\t\t//and duplicate...\n\t\t\t\tod->objectDescriptorID = isom_od->objectDescriptorID;\n\t\t\t\tod->tag = GF_ODF_OD_TAG;\n\t\t\t\tod->URLString = isom_od->URLString;\n\t\t\t\tisom_od->URLString = 
NULL;\n\t\t\t\tod->extensionDescriptors = isom_od->extensionDescriptors;\n\t\t\t\tisom_od->extensionDescriptors = NULL;\n\t\t\t\tod->IPMP_Descriptors = isom_od->IPMP_Descriptors;\n\t\t\t\tisom_od->IPMP_Descriptors = NULL;\n\t\t\t\tod->OCIDescriptors = isom_od->OCIDescriptors;\n\t\t\t\tisom_od->OCIDescriptors = NULL;\n\n\t\t\t\t//init as IOD\n\t\t\t\tif (isom_od->tag == GF_ODF_ISOM_IOD_TAG) {\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->audio_profileAndLevel = ((GF_IsomInitialObjectDescriptor *)isom_od)->audio_profileAndLevel;\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->inlineProfileFlag = ((GF_IsomInitialObjectDescriptor *)isom_od)->inlineProfileFlag;\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->graphics_profileAndLevel = ((GF_IsomInitialObjectDescriptor *)isom_od)->graphics_profileAndLevel;\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->OD_profileAndLevel = ((GF_IsomInitialObjectDescriptor *)isom_od)->OD_profileAndLevel;\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->scene_profileAndLevel = ((GF_IsomInitialObjectDescriptor *)isom_od)->scene_profileAndLevel;\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->visual_profileAndLevel = ((GF_IsomInitialObjectDescriptor *)isom_od)->visual_profileAndLevel;\n\t\t\t\t\t((GF_InitialObjectDescriptor *)od)->IPMPToolList = ((GF_IsomInitialObjectDescriptor *)isom_od)->IPMPToolList;\n\t\t\t\t\t((GF_IsomInitialObjectDescriptor *)isom_od)->IPMPToolList = NULL;\n\t\t\t\t}\n\n\t\t\t\t//then rewrite the ESDesc\n\t\t\t\tj=0;\n\t\t\t\twhile ((ref = (GF_ES_ID_Ref*)gf_list_enum(isom_od->ES_ID_RefDescriptors, &j))) {\n\t\t\t\t\tif (!mpod->trackIDs || !ref->trackRef || (ref->trackRef>mpod->trackIDCount)) continue;\n\t\t\t\t\t//if the ref index is not valid, skip this desc...\n\t\t\t\t\tif (gf_isom_get_track_from_id(mdia->mediaTrack->moov, mpod->trackIDs[ref->trackRef - 1]) == NULL) continue;\n\t\t\t\t\t//OK, get the esd\n\t\t\t\t\te = GetESDForTime(mdia->mediaTrack->moov, mpod->trackIDs[ref->trackRef - 1], sample->DTS, 
&esd);\n\t\t\t\t\tif (!e) e = gf_odf_desc_add_desc((GF_Descriptor *) od, (GF_Descriptor *) esd);\n\t\t\t\t\tif (e) {\n\t\t\t\t\t\tgf_odf_desc_del((GF_Descriptor *)od);\n\t\t\t\t\t\tgf_odf_com_del((GF_ODCom **)&odU2);\n\t\t\t\t\t\tgf_odf_desc_del((GF_Descriptor *)isom_od);\n\t\t\t\t\t\tgf_odf_com_del((GF_ODCom **)&odU);\n\t\t\t\t\t\tgoto err_exit;\n\t\t\t\t\t}\n\n\t\t\t\t}\n\t\t\t\t//delete our desc\n\t\t\t\tgf_odf_desc_del((GF_Descriptor *)isom_od);\n\t\t\t\tgf_list_add(odU2->objectDescriptors, od);\n\t\t\t}\n\t\t\t//clean a bit\n\t\t\tgf_odf_com_del((GF_ODCom **)&odU);\n\t\t\tgf_odf_codec_add_com(ODencode, (GF_ODCom *)odU2);\n\t\t\tbreak;\n\n\t\tcase GF_ODF_ESD_UPDATE_TAG:\n\t\t\tesdU = (GF_ESDUpdate *) com;\n\t\t\tesdU2 = (GF_ESDUpdate *) gf_odf_com_new(GF_ODF_ESD_UPDATE_TAG);\n\t\t\tesdU2->ODID = esdU->ODID;\n\t\t\ti=0;\n\t\t\twhile ((ref = (GF_ES_ID_Ref*)gf_list_enum(esdU->ESDescriptors, &i))) {\n\t\t\t\tif (!mpod->trackIDs || !ref->trackRef || (ref->trackRef>mpod->trackIDCount)) continue;\n\t\t\t\t//if the ref index is not valid, skip this desc...\n\t\t\t\tif (gf_isom_get_track_from_id(mdia->mediaTrack->moov, mpod->trackIDs[ref->trackRef - 1]) == NULL) continue;\n\t\t\t\t//OK, get the esd\n\t\t\t\te = GetESDForTime(mdia->mediaTrack->moov, mpod->trackIDs[ref->trackRef - 1], sample->DTS, &esd);\n\t\t\t\tif (e) goto err_exit;\n\t\t\t\tgf_list_add(esdU2->ESDescriptors, esd);\n\t\t\t}\n\t\t\tgf_odf_com_del((GF_ODCom **)&esdU);\n\t\t\tgf_odf_codec_add_com(ODencode, (GF_ODCom *)esdU2);\n\t\t\tbreak;\n\n\t\t//brand new case: the ESRemove follows the same principle according to the spec...\n\t\tcase GF_ODF_ESD_REMOVE_REF_TAG:\n\t\t\t//both commands have the same structure, only the tags change\n\t\t\tesdR = (GF_ESDRemove *) com;\n\t\t\tesdR2 = (GF_ESDRemove *) gf_odf_com_new(GF_ODF_ESD_REMOVE_TAG);\n\t\t\tesdR2->ODID = esdR->ODID;\n\t\t\tesdR2->NbESDs = esdR->NbESDs;\n\t\t\t//alloc our stuff\n\t\t\tesdR2->ES_ID = (unsigned short*)gf_malloc(sizeof(u32) * 
esdR->NbESDs);\n\t\t\tif (!esdR2->ES_ID) {\n\t\t\t\te = GF_OUT_OF_MEM;\n\t\t\t\tgoto err_exit;\n\t\t\t}\n\t\t\tskipped = 0;\n\t\t\t//get the ES_ID in the mpod indicated in the ES_ID[]\n\t\t\tfor (i = 0; i < esdR->NbESDs; i++) {\n\t\t\t\tif (!mpod->trackIDs || !esdR->ES_ID[i] || (esdR->ES_ID[i]>mpod->trackIDCount)) continue;\n\t\t\t\t//if the ref index is not valid, remove this desc...\n\t\t\t\tif (gf_isom_get_track_from_id(mdia->mediaTrack->moov, mpod->trackIDs[esdR->ES_ID[i] - 1]) == NULL) {\n\t\t\t\t\tskipped ++;\n\t\t\t\t} else {\n\t\t\t\t\t//the command in the file has the ref index of the trackID in the mpod\n\t\t\t\t\tesdR2->ES_ID[i - skipped] = mpod->trackIDs[esdR->ES_ID[i] - 1];\n\t\t\t\t}\n\t\t\t}\n\t\t\t//gf_realloc...\n\t\t\tif (skipped && (skipped != esdR2->NbESDs) ) {\n\t\t\t\tesdR2->NbESDs -= skipped;\n\t\t\t\tesdR2->ES_ID = (unsigned short*)gf_realloc(esdR2->ES_ID, sizeof(u32) * esdR2->NbESDs);\n\t\t\t}\n\t\t\tgf_odf_com_del((GF_ODCom **)&esdR);\n\t\t\tgf_odf_codec_add_com(ODencode, (GF_ODCom *)esdR2);\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\te = gf_odf_codec_add_com(ODencode, com);\n\t\t\tif (e) goto err_exit;\n\t\t}\n\t}\n\t//encode our new AU\n\te = gf_odf_codec_encode(ODencode, 1);\n\tif (e) goto err_exit;\n\n\t//and set the buffer in the sample\n\tgf_free(sample->data);\n\tsample->data = NULL;\n\tsample->dataLength = 0;\n\te = gf_odf_codec_get_au(ODencode, &sample->data, &sample->dataLength);\n\nerr_exit:\n\tgf_odf_codec_del(ODdecode);\n\tgf_odf_codec_del(ODencode);\n\treturn e;\n}", "project": "gpac", "hash": 70307577295047254971344546776198646014, "size": 199, "commit_id": "f0ba83717b6e4d7a15a1676d1fe06152e199b011", "message": "fixed #1772 (fuzz)", "target": 0, "dataset": "other", "idx": 265416 }, { "func": "GF_SampleEncryptionBox * gf_isom_create_samp_enc_box(u8 version, u32 flags)\n{\n\tGF_SampleEncryptionBox *senc;\n\n\tsenc = (GF_SampleEncryptionBox *) gf_isom_box_new(GF_ISOM_BOX_TYPE_SENC);\n\tif (!senc)\n\t\treturn NULL;\n\tsenc->version = 
version;\n\tsenc->flags = flags;\n\tsenc->samp_aux_info = gf_list_new();\n\n\treturn senc;\n}", "project": "gpac", "hash": 337738687395696143158293509077800679494, "size": 13, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275440 }, { "func": "GF_Err gf_isom_remove_user_data(GF_ISOFile *movie, u32 trackNumber, u32 UserDataType, bin128 UUID)\n{\n\tGF_UserDataMap *map;\n\tu32 i;\n\tGF_Err e;\n\tbin128 t;\n\tGF_TrackBox *trak;\n\tGF_UserDataBox *udta;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\tif (UserDataType == GF_ISOM_BOX_TYPE_UUID) UserDataType = 0;\n\tmemset(t, 1, 16);\n\n\tif (trackNumber) {\n\t\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\t\tif (!trak) return GF_EOS;\n\t\tudta = trak->udta;\n\t} else {\n\t\tudta = movie->moov->udta;\n\t}\n\t//do not return any error if no udta\n\tif (!udta) return GF_EOS;\n\n\ti=0;\n\twhile ((map = (GF_UserDataMap*)gf_list_enum(udta->recordList, &i))) {\n\t\tif ((map->boxType == GF_ISOM_BOX_TYPE_UUID) && !memcmp(map->uuid, UUID, 16)) goto found;\n\t\telse if (map->boxType == UserDataType) goto found;\n\t}\n\t//not found\n\treturn GF_OK;\n\nfound:\n\n\tgf_list_rem(udta->recordList, i-1);\n\tgf_isom_box_array_del(map->boxes);\n\tgf_free(map);\n\n\t//but we keep the UDTA no matter what\n\treturn GF_OK;\n}", "project": "gpac", "hash": 166803937771682294491215765246780340121, "size": 42, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267323 }, { "func": "GF_Err gf_isom_set_pl_indication(GF_ISOFile *movie, GF_ISOProfileLevelType PL_Code, u8 ProfileLevel)\n{\n\tGF_IsomInitialObjectDescriptor *iod;\n\tGF_Err e;\n\n\te = CanAccessMovie(movie, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\n\te = gf_isom_set_root_iod(movie);\n\tif (e) return e;\n\n\tiod = (GF_IsomInitialObjectDescriptor *)movie->moov->iods->descriptor;\n\n\tswitch (PL_Code) 
{\n\tcase GF_ISOM_PL_AUDIO:\n\t\tiod->audio_profileAndLevel = ProfileLevel;\n\t\tbreak;\n\tcase GF_ISOM_PL_GRAPHICS:\n\t\tiod->graphics_profileAndLevel = ProfileLevel;\n\t\tbreak;\n\tcase GF_ISOM_PL_OD:\n\t\tiod->OD_profileAndLevel = ProfileLevel;\n\t\tbreak;\n\tcase GF_ISOM_PL_SCENE:\n\t\tiod->scene_profileAndLevel = ProfileLevel;\n\t\tbreak;\n\tcase GF_ISOM_PL_VISUAL:\n\t\tiod->visual_profileAndLevel = ProfileLevel;\n\t\tbreak;\n\tcase GF_ISOM_PL_INLINE:\n\t\tiod->inlineProfileFlag = ProfileLevel ? 1 : 0;\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 322422587737127247167477721516889457744, "size": 37, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267278 }, { "func": "GF_Err gf_isom_set_sync_shadow(GF_ISOFile *movie, u32 trackNumber, u32 sampleNumber, u32 syncSample)\n{\n\tGF_TrackBox *trak;\n\tGF_SampleTableBox *stbl;\n\tGF_ISOSAPType isRAP;\n\tGF_Err e;\n\n\tif (movie->openMode == GF_ISOM_OPEN_READ) return GF_ISOM_INVALID_MODE;\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak || !sampleNumber || !syncSample) return GF_BAD_PARAM;\n\n\tstbl = trak->Media->information->sampleTable;\n\tif (!stbl->ShadowSync) {\n\t\tstbl->ShadowSync = (GF_ShadowSyncBox *) gf_isom_box_new_parent(&stbl->child_boxes, GF_ISOM_BOX_TYPE_STSH);\n\t\tif (!stbl->ShadowSync) return GF_OUT_OF_MEM;\n\t}\n\n\t//if no sync, skip\n\tif (!stbl->SyncSample) return GF_OK;\n\t//else set the sync shadow.\n\t//if the sample is sync, ignore\n\te = stbl_GetSampleRAP(stbl->SyncSample, sampleNumber, &isRAP, NULL, NULL);\n\tif (e) return e;\n\tif (isRAP) return GF_OK;\n\t//if the shadowing sample is not sync, error\n\te = stbl_GetSampleRAP(stbl->SyncSample, syncSample, &isRAP, NULL, NULL);\n\tif (e) return e;\n\tif (!isRAP) return GF_BAD_PARAM;\n\n\treturn stbl_SetSyncShadow(stbl->ShadowSync, sampleNumber, syncSample);\n}", "project": "gpac", "hash": 
153738528658795249871498422300999264130, "size": 31, "commit_id": "ebfa346eff05049718f7b80041093b4c5581c24e", "message": "fixed #1706", "target": 0, "dataset": "other", "idx": 267234 }, { "func": "u32 mp4box_cleanup(u32 ret_code) {\n\tif (mpd_base_urls) {\n\t\tgf_free(mpd_base_urls);\n\t\tmpd_base_urls = NULL;\n\t}\n\tif (sdp_lines) {\n\t\tgf_free(sdp_lines);\n\t\tsdp_lines = NULL;\n\t}\n\tif (metas) {\n\t\tu32 i;\n\t\tfor (i=0; inb_baseURL) {\n\t\t\t\tfor (j = 0; jnb_baseURL; j++) {\n\t\t\t\t\tgf_free(di->baseURL[j]);\n\t\t\t\t}\n\t\t\t\tgf_free(di->baseURL);\n\t\t\t}\n\t\t\tif (di->rep_descs) {\n\t\t\t\tfor (j = 0; jnb_rep_descs; j++) {\n\t\t\t\t\tgf_free(di->rep_descs[j]);\n\t\t\t\t}\n\t\t\t\tgf_free(di->rep_descs);\n\t\t\t}\n\t\t\tif (di->as_descs) {\n\t\t\t\tfor (j = 0; jnb_as_descs; j++) {\n\t\t\t\t\tgf_free(di->as_descs[j]);\n\t\t\t\t}\n\t\t\t\tgf_free(di->as_descs);\n\t\t\t}\n\t\t\tif (di->as_c_descs) {\n\t\t\t\tfor (j = 0; jnb_as_c_descs; j++) {\n\t\t\t\t\tgf_free(di->as_c_descs[j]);\n\t\t\t\t}\n\t\t\t\tgf_free(di->as_c_descs);\n\t\t\t}\n\t\t\tif (di->p_descs) {\n\t\t\t\tfor (j = 0; jnb_p_descs; j++) {\n\t\t\t\t\tgf_free(di->p_descs[j]);\n\t\t\t\t}\n\t\t\t\tgf_free(di->p_descs);\n\t\t\t}\n\t\t\tif (di->representationID) gf_free(di->representationID);\n\t\t\tif (di->periodID) gf_free(di->periodID);\n\t\t\tif (di->xlink) gf_free(di->xlink);\n\t\t\tif (di->seg_template) gf_free(di->seg_template);\n\t\t\tif (di->hls_pl) gf_free(di->hls_pl);\n\t\t\tif (di->source_opts) gf_free(di->source_opts);\n\t\t\tif (di->filter_chain) gf_free(di->filter_chain);\n\n\t\t\tif (di->roles) {\n\t\t\t\tfor (j = 0; jnb_roles; j++) {\n\t\t\t\t\tgf_free(di->roles[j]);\n\t\t\t\t}\n\t\t\t\tgf_free(di->roles);\n\t\t\t}\n\t\t}\n\t\tgf_free(dash_inputs);\n\t\tdash_inputs = NULL;\n\t}\n\tif (logfile) gf_fclose(logfile);\n\tgf_sys_close();\n\treturn ret_code;\n}", "project": "gpac", "hash": 65629809646027644646598244155533265350, "size": 103, "commit_id": 
"9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244399 }, { "func": "GF_Err gnrm_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tGF_GenericSampleEntryBox *ptr = (GF_GenericSampleEntryBox *)s;\n\n\t//carefull we are not writing the box type but the entry type so switch for write\n\tptr->type = ptr->EntryType;\n\te = gf_isom_box_write_header(s, bs);\n\tif (e) return e;\n\tptr->type = GF_ISOM_BOX_TYPE_GNRM;\n\tgf_bs_write_data(bs, ptr->reserved, 6);\n\tgf_bs_write_u16(bs, ptr->dataReferenceIndex);\n\tgf_bs_write_data(bs, ptr->data, ptr->data_size);\n\treturn GF_OK;\n}", "project": "gpac", "hash": 83875917896421551074786339573308779096, "size": 15, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264804 }, { "func": "GF_Err asrt_box_write(GF_Box *s, GF_BitStream *bs)\n{\n\tGF_Err e;\n\tunsigned int i;\n\tGF_AdobeSegmentRunTableBox *ptr = (GF_AdobeSegmentRunTableBox *)s;\n\n\te = gf_isom_full_box_write(s, bs);\n\tif (e) return e;\n\n\tgf_bs_write_u8(bs, ptr->quality_entry_count);\n\tfor (i=0; iquality_entry_count; i++) {\n\t\tchar *str = (char*)gf_list_get(ptr->quality_segment_url_modifiers, i);\n\t\tgf_bs_write_data(bs, str, (u32)strlen(str) + 1);\n\t}\n\n\tgf_bs_write_u32(bs, ptr->segment_run_entry_count);\n\tfor (i=0; isegment_run_entry_count; i++) {\n\t\tGF_AdobeSegmentRunEntry *sre = (GF_AdobeSegmentRunEntry *)gf_list_get(ptr->segment_run_entry_table, i);\n\t\tgf_bs_write_u32(bs, sre->first_segment);\n\t\tgf_bs_write_u32(bs, sre->fragment_per_segment);\n\t}\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 37111978424351087171268405783264270421, "size": 24, "commit_id": "e74be5976a6fee059c638050a237893f7e9a3b23", "message": "fixed #1753", "target": 0, "dataset": "other", "idx": 230596 }, { "func": "GF_Err stbl_RemoveRedundant(GF_SampleTableBox *stbl, u32 SampleNumber, u32 nb_samples)\n{\n\tu32 i;\n\n\tif 
(!stbl->SampleDep) return GF_OK;\n\tif (stbl->SampleDep->sampleCount < SampleNumber) return GF_BAD_PARAM;\n\tif ((nb_samples>1) && (SampleNumber>1)) return GF_BAD_PARAM;\n\n\tif (nb_samples==1) {\n\t\ti = stbl->SampleDep->sampleCount - SampleNumber;\n\t\tif (i) memmove(&stbl->SampleDep->sample_info[SampleNumber-1], & stbl->SampleDep->sample_info[SampleNumber], sizeof(u8)*i);\n\t\tstbl->SampleDep->sample_info = (u8*)gf_realloc(stbl->SampleDep->sample_info, sizeof(u8) * (stbl->SampleDep->sampleCount-1));\n\t\tif (!stbl->SampleDep->sample_info) return GF_OUT_OF_MEM;\n\t\tstbl->SampleDep->sample_alloc = stbl->SampleDep->sampleCount-1;\n\t\tstbl->SampleDep->sampleCount-=1;\n\t} else {\n\t\tmemmove(&stbl->SampleDep->sample_info[0], &stbl->SampleDep->sample_info[nb_samples], sizeof(u8) * (stbl->SampleDep->sampleCount - nb_samples) );\n\t\tstbl->SampleDep->sampleCount -= nb_samples;\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 248273146121353422804269344246139115734, "size": 21, "commit_id": "77ed81c069e10b3861d88f72e1c6be1277ee7eae", "message": "fixed #1774 (fuzz)", "target": 0, "dataset": "other", "idx": 267903 }, { "func": "GF_Err gf_isom_svc_config_del(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex)\n{\n\treturn gf_isom_svc_mvc_config_del(the_file, trackNumber, DescriptionIndex, GF_FALSE);\n}", "project": "gpac", "hash": 168918050226863914712953856639142162329, "size": 4, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237592 }, { "func": "u32 PrintLanguages(char *val, u32 opt)\n{\n\tu32 i=0, count = gf_lang_get_count();\n\tfprintf(stderr, \"Supported ISO 639 languages and codes:\\n\\n\");\n\tfor (i=0; ischeme_type->flags |= 0x000001;\n\t\tsinf->scheme_type->URI = gf_strdup(scheme_uri);\n\t}\n\n\tif (kms_URI) {\n\t\tsinf->info->ikms = (GF_ISMAKMSBox *)gf_isom_box_new_parent(&sinf->info->child_boxes, GF_ISOM_BOX_TYPE_IKMS);\n\t\tsinf->info->ikms->URI = 
gf_strdup(kms_URI);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 37513839214658671112130428258560082184, "size": 20, "commit_id": "3b84ffcbacf144ce35650df958432f472b6483f8", "message": "fixed #1735", "target": 0, "dataset": "other", "idx": 275412 }, { "func": "GF_EXPORT\nGF_Err gf_isom_get_visual_bit_depth(GF_ISOFile* movie, u32 trackNumber, u32 StreamDescriptionIndex, u16* bitDepth)\n{\n\tGF_TrackBox* trak;\n\tGF_SampleEntryBox* entry;\n\tGF_SampleDescriptionBox* stsd;\n\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak) return GF_BAD_PARAM;\n\n\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\tif (!stsd) return movie->LastError = GF_ISOM_INVALID_FILE;\n\tif (!StreamDescriptionIndex || StreamDescriptionIndex > gf_list_count(stsd->child_boxes)) return movie->LastError = GF_BAD_PARAM;\n\n\tentry = (GF_SampleEntryBox*)gf_list_get(stsd->child_boxes, StreamDescriptionIndex - 1);\n\n\t//no support for generic sample entries (eg, no MPEG4 descriptor)\n\tif (entry == NULL) return GF_BAD_PARAM;\n\n\t//valid for MPEG visual, JPG and 3GPP H263\n\tif (entry->internal_type == GF_ISOM_SAMPLE_ENTRY_VIDEO) {\n\t\t*bitDepth = ((GF_VisualSampleEntryBox*)entry)->bit_depth;\n\t} else {\n\t\treturn GF_BAD_PARAM;\n\t}\n\treturn GF_OK;", "project": "gpac", "hash": 324766911519137495698289530144740765178, "size": 26, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246833 }, { "func": "GF_Err AVC_HEVC_UpdateESD(GF_MPEGVisualSampleEntryBox *avc, GF_ESD *esd)\n{\n\tGF_BitRateBox *btrt = gf_isom_sample_entry_get_bitrate((GF_SampleEntryBox *)avc, GF_TRUE);\n\n\tGF_MPEG4ExtensionDescriptorsBox *mdesc = (GF_MPEG4ExtensionDescriptorsBox *) gf_isom_box_find_child(avc->child_boxes, GF_ISOM_BOX_TYPE_M4DS);\n\tif (mdesc) {\n\t\tgf_isom_box_del_parent(&avc->child_boxes, (GF_Box *) mdesc);\n\t}\n\tbtrt->avgBitrate = esd->decoderConfig->avgBitrate;\n\tbtrt->maxBitrate = 
esd->decoderConfig->maxBitrate;\n\tbtrt->bufferSizeDB = esd->decoderConfig->bufferSizeDB;\n\n\tif (gf_list_count(esd->IPIDataSet)\n\t || gf_list_count(esd->IPMPDescriptorPointers)\n\t || esd->langDesc\n\t || gf_list_count(esd->extensionDescriptors)\n\t || esd->ipiPtr || esd->qos || esd->RegDescriptor) {\n\n\t\tmdesc = (GF_MPEG4ExtensionDescriptorsBox *) gf_isom_box_new_parent(&avc->child_boxes, GF_ISOM_BOX_TYPE_M4DS);\n\t\tif (!mdesc) return GF_OUT_OF_MEM;\n\n\t\tif (esd->RegDescriptor) {\n\t\t\tgf_list_add(mdesc->descriptors, esd->RegDescriptor);\n\t\t\tesd->RegDescriptor = NULL;\n\t\t}\n\t\tif (esd->qos) {\n\t\t\tgf_list_add(mdesc->descriptors, esd->qos);\n\t\t\tesd->qos = NULL;\n\t\t}\n\t\tif (esd->ipiPtr) {\n\t\t\tgf_list_add(mdesc->descriptors, esd->ipiPtr);\n\t\t\tesd->ipiPtr= NULL;\n\t\t}\n\n\t\twhile (gf_list_count(esd->IPIDataSet)) {\n\t\t\tGF_Descriptor *desc = (GF_Descriptor *)gf_list_get(esd->IPIDataSet, 0);\n\t\t\tgf_list_rem(esd->IPIDataSet, 0);\n\t\t\tgf_list_add(mdesc->descriptors, desc);\n\t\t}\n\t\twhile (gf_list_count(esd->IPMPDescriptorPointers)) {\n\t\t\tGF_Descriptor *desc = (GF_Descriptor *)gf_list_get(esd->IPMPDescriptorPointers, 0);\n\t\t\tgf_list_rem(esd->IPMPDescriptorPointers, 0);\n\t\t\tgf_list_add(mdesc->descriptors, desc);\n\t\t}\n\t\tif (esd->langDesc) {\n\t\t\tgf_list_add(mdesc->descriptors, esd->langDesc);\n\t\t\tesd->langDesc = NULL;\n\t\t}\n\t\twhile (gf_list_count(esd->extensionDescriptors)) {\n\t\t\tGF_Descriptor *desc = (GF_Descriptor *)gf_list_get(esd->extensionDescriptors, 0);\n\t\t\tgf_list_rem(esd->extensionDescriptors, 0);\n\t\t\tgf_list_add(mdesc->descriptors, desc);\n\t\t}\n\t}\n\n\n\tif (!avc->lhvc_config && (esd->decoderConfig->objectTypeIndication==GF_CODECID_HEVC)) {\n\t\tif (!avc->hevc_config) {\n\t\t\tavc->hevc_config = (GF_HEVCConfigurationBox *)gf_isom_box_new_parent(&avc->child_boxes, GF_ISOM_BOX_TYPE_HVCC);\n\t\t\tif (!avc->hevc_config) return GF_OUT_OF_MEM;\n\t\t}\n\t\tif 
(esd->decoderConfig->decoderSpecificInfo && esd->decoderConfig->decoderSpecificInfo->data) {\n\t\t\tif (avc->hevc_config->config) gf_odf_hevc_cfg_del(avc->hevc_config->config);\n\t\t\tavc->hevc_config->config = gf_odf_hevc_cfg_read(esd->decoderConfig->decoderSpecificInfo->data, esd->decoderConfig->decoderSpecificInfo->dataLength, GF_FALSE);\n\t\t}\n\t}\n\telse if (!avc->svc_config && !avc->mvc_config && (esd->decoderConfig->objectTypeIndication==GF_CODECID_AVC)) {\n\t\tif (!avc->avc_config) {\n\t\t\tavc->avc_config = (GF_AVCConfigurationBox *)gf_isom_box_new_parent(&avc->child_boxes, GF_ISOM_BOX_TYPE_AVCC);\n\t\t\tif (!avc->avc_config) return GF_OUT_OF_MEM;\n\t\t}\n\t\tif (esd->decoderConfig->decoderSpecificInfo && esd->decoderConfig->decoderSpecificInfo->data) {\n\t\t\tif (avc->avc_config->config) gf_odf_avc_cfg_del(avc->avc_config->config);\n\t\t\tavc->avc_config->config = gf_odf_avc_cfg_read(esd->decoderConfig->decoderSpecificInfo->data, esd->decoderConfig->decoderSpecificInfo->dataLength);\n\t\t}\n\t}\n\n\tgf_odf_desc_del((GF_Descriptor *)esd);\n\tif (avc->hevc_config) {\n\t\tHEVC_RewriteESDescriptor(avc);\n\t} else {\n\t\tAVC_RewriteESDescriptor(avc);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 142339315386620785385849480836306572357, "size": 85, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237647 }, { "func": "u32 gf_isom_get_num_supported_boxes()\n{\n\treturn sizeof(box_registry) / sizeof(struct box_registry_entry);\n}", "project": "gpac", "hash": 8433794093293541849685626260041260303, "size": 4, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224907 }, { "func": "GF_Err gf_isom_vvc_config_update_ex(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex, GF_VVCConfig *cfg, u32 operand_type, Bool keep_xps)\n{\n\tu32 array_incomplete;\n\tGF_TrackBox *trak;\n\tGF_Err 
e;\n\tGF_MPEGVisualSampleEntryBox *entry;\n\tGF_SampleDescriptionBox *stsd;\n\n\te = CanAccessMovie(the_file, GF_ISOM_OPEN_WRITE);\n\tif (e) return e;\n\ttrak = gf_isom_get_track_from_file(the_file, trackNumber);\n\tif (!trak || !trak->Media || !DescriptionIndex) return GF_BAD_PARAM;\n\tstsd = trak->Media->information->sampleTable->SampleDescription;\n\tentry = (GF_MPEGVisualSampleEntryBox *)gf_list_get(stsd->child_boxes, DescriptionIndex-1);\n\tif (!entry) return GF_BAD_PARAM;\n\tswitch (entry->type) {\n\tcase GF_ISOM_BOX_TYPE_VVC1:\n\tcase GF_ISOM_BOX_TYPE_VVI1:\n\t\tbreak;\n\tdefault:\n\t\treturn GF_BAD_PARAM;\n\t}\n\n\n\tif (operand_type <= GF_ISOM_VVCC_SET_INBAND) {\n\t\tif ((operand_type != GF_ISOM_VVCC_SET_INBAND) && !entry->hevc_config) {\n\t\t\tentry->vvc_config = (GF_VVCConfigurationBox*)gf_isom_box_new_parent(&entry->child_boxes, GF_ISOM_BOX_TYPE_VVCC);\n\t\t\tif (!entry->vvc_config) return GF_OUT_OF_MEM;\n\t\t}\n\n\t\tif (cfg) {\n\t\t\tif (entry->vvc_config->config) gf_odf_vvc_cfg_del(entry->vvc_config->config);\n\t\t\tentry->vvc_config->config = VVC_DuplicateConfig(cfg);\n\t\t} else {\n\t\t\toperand_type = GF_ISOM_VVCC_SET_INBAND;\n\t\t}\n\t\tarray_incomplete = (operand_type==GF_ISOM_VVCC_SET_INBAND) ? 1 : 0;\n\t\tif (entry->vvc_config && nalu_cleanup_config(entry->vvc_config->config ? entry->vvc_config->config->param_array : NULL,\n\t\t\t(operand_type==GF_ISOM_VVCC_SET_INBAND),\n\t\t\tkeep_xps)\n\t\t) {\n\t\t\tarray_incomplete=1;\n\t\t}\n\t\tswitch (entry->type) {\n\t\tcase GF_ISOM_BOX_TYPE_VVC1:\n\t\tcase GF_ISOM_BOX_TYPE_VVI1:\n\t\t\tentry->type = array_incomplete ? 
GF_ISOM_BOX_TYPE_VVI1 : GF_ISOM_BOX_TYPE_VVC1;\n\t\t\tbreak;\n\t\t}\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 249865682097275109979573671645089741450, "size": 52, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237609 }, { "func": "s32 gf_mpegh_get_mhas_pl(u8 *ptr, u32 size, u64 *ch_layout)\n{\n\ts32 PL = -1;\n\tGF_BitStream *bs;\n\tu32 i;\n\ts32 sync_pos=-1;\n\tfor (i=0; i gf_bs_available(bs))\n\t\t\tbreak;\n\t\t//MHAS config\n\t\tif (type==1) {\n\t\t\tPL = gf_bs_read_int(bs, 8);\n\t\t\tif (ch_layout) {\n\t\t\t\tu32 idx = gf_bs_read_int(bs, 5);\n\t\t\t\tif (idx==0x1f)\n\t\t\t\t\tgf_bs_read_int(bs, 24);\n\t\t\t\t/*idx = */gf_bs_read_int(bs, 3);\n\t\t\t\tgf_bs_read_int(bs, 1);\n\t\t\t\tgf_bs_read_int(bs, 1);\n\n\t\t\t\t//speaker config\n\t\t\t\tidx = gf_bs_read_int(bs, 2);\n\t\t\t\tif (idx == 0) {\n\t\t\t\t\t*ch_layout = gf_audio_fmt_get_layout_from_cicp( gf_bs_read_int(bs, 6) );\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t\tgf_bs_skip_bytes(bs, mh_size);\n\t}\n\tgf_bs_del(bs);\n\treturn PL;\n}", "project": "gpac", "hash": 60000426028357928258838920819424278212, "size": 47, "commit_id": "1273cdc706eeedf8346d4b9faa5b33435056061d", "message": "fixed #1780 (fuzz)", "target": 0, "dataset": "other", "idx": 244368 }, { "func": "GF_Err gf_isom_avc_config_update(GF_ISOFile *the_file, u32 trackNumber, u32 DescriptionIndex, GF_AVCConfig *cfg)\n{\n\treturn gf_isom_avc_config_update_ex(the_file, trackNumber, DescriptionIndex, cfg, 0, GF_FALSE);\n}", "project": "gpac", "hash": 133306599808890620425222755910748206481, "size": 4, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237600 }, { "func": "GF_EXPORT\nBool gf_isom_get_oinf_info(GF_ISOFile *file, u32 trackNumber, GF_OperatingPointsInformation **ptr)\n{\n\tu32 oref_track, def_index=0;\n\tGF_TrackBox *trak = gf_isom_get_track_from_file(file, 
trackNumber);\n\n\tif (!ptr) return GF_FALSE;\n\n\toref_track=0;\n\tgf_isom_get_reference(file, trackNumber, GF_ISOM_REF_OREF, 1, &oref_track);\n\tif (oref_track) {\n\t\ttrak = gf_isom_get_track_from_file(file, oref_track);\n\t\tif (!trak) return GF_FALSE;\n\t}\n\n\t*ptr = (GF_OperatingPointsInformation *) gf_isom_get_sample_group_info_entry(file, trak, GF_ISOM_SAMPLE_GROUP_OINF, 1, &def_index, NULL);\n\n\treturn *ptr ? GF_TRUE : GF_FALSE;", "project": "gpac", "hash": 177871072001396244080670499569297715659, "size": 18, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246829 }, { "func": "u32 gf_isom_get_supported_box_type(u32 idx)\n{\n\treturn box_registry[idx].box_4cc;\n}", "project": "gpac", "hash": 46173699343547730046606289560947156724, "size": 4, "commit_id": "8e585e623b1d666b4ef736ed609264639cb27701", "message": "fixed potential crash - cf #1406", "target": 0, "dataset": "other", "idx": 224921 }, { "func": "Bool mp4box_parse_args(int argc, char **argv)\n{\n\tu32 i;\n\t/*parse our args*/\n\tfor (i = 1; i < (u32)argc; i++) {\n\t\tchar *arg = argv[i];\n\t\t/*input file(s)*/\n\t\tif ((arg[0] != '-') || !stricmp(arg, \"--\")) {\n\t\t\tchar *arg_val = arg;\n\t\t\tif (!stricmp(arg, \"--\")) {\n\t\t\t\tCHECK_NEXT_ARG\n\t\t\t\targ_val = argv[i + 1];\n\t\t\t\ti++;\n\t\t\t}\n\t\t\tif (argc < 3) {\n\t\t\t\tfprintf(stderr, \"Error - only one input file found as argument, please check usage\\n\");\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\telse if (inName) {\n\t\t\t\tif (dash_duration) {\n\t\t\t\t\tif (!nb_dash_inputs) {\n\t\t\t\t\t\tdash_inputs = set_dash_input(dash_inputs, inName, &nb_dash_inputs);\n\t\t\t\t\t}\n\t\t\t\t\tdash_inputs = set_dash_input(dash_inputs, arg_val, &nb_dash_inputs);\n\t\t\t\t}\n\t\t\t\telse {\n\t\t\t\t\tfprintf(stderr, \"Error - 2 input names specified, please check usage\\n\");\n\t\t\t\t\treturn 2;\n\t\t\t\t}\n\t\t\t}\n\t\t\telse {\n\t\t\t\tinName = 
arg_val;\n\t\t\t}\n\t\t}\n\t\telse if (!stricmp(arg, \"-?\")) {\n\t\t\tPrintUsage();\n\t\t\treturn 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-version\")) {\n\t\t\tPrintVersion();\n\t\t\treturn 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-sdp\")) print_sdp = 1;\n else if (!strcmp(argv[i], \"-mem-track\")) continue;\n else if (!strcmp(argv[i], \"-mem-track-stack\")) continue;\n else if (!strcmp(argv[i], \"-p\")) {\n \ti++;\n \tcontinue;\n\t\t}\n else if (!strncmp(argv[i], \"-p=\", 3)) continue;\n\t\telse if (!stricmp(arg, \"-logs\") || !strcmp(arg, \"-log-file\") || !strcmp(arg, \"-lf\")) {\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-tracks\")) get_nb_tracks = 1;\n\t\telse if (!stricmp(arg, \"-info\") || !stricmp(arg, \"-infon\")) {\n\t\t\tprint_info = 1;\n\t\t\tif ((i + 1<(u32)argc) && (sscanf(argv[i + 1], \"%u\", &info_track_id) == 1)) {\n\t\t\t\tchar szTk[20];\n\t\t\t\tsprintf(szTk, \"%u\", info_track_id);\n\t\t\t\tif (!strcmp(szTk, argv[i + 1])) i++;\n\t\t\t\telse info_track_id = 0;\n\n\t\t\t\tif (!stricmp(arg, \"-infon\")) print_info = 2;\n\t\t\t}\n\t\t\telse {\n\t\t\t\tinfo_track_id = 0;\n\t\t\t}\n\t\t}\n\t\telse if (!stricmp(arg, \"-grab-ts\")) {\n\t\t\tfprintf(stderr, \"Deprecated option - use gpac application\\n\");\n\t\t\treturn mp4box_cleanup(2);\n\t\t}\n\t\telse if (!stricmp(arg, \"-atsc\")) {\n\t\t\tfprintf(stderr, \"Deprecated option - use gpac application\\n\");\n\t\t\treturn mp4box_cleanup(2);\n\t\t}\n#if !defined(GPAC_DISABLE_CORE_TOOLS)\n\t\telse if (!stricmp(arg, \"-wget\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tdo_wget = argv[i + 1];\n\t\t\ti++;\n\t\t}\n#endif\n\t\t/*******************************************************************************/\n\t\telse if (!stricmp(arg, \"-dvbhdemux\")) {\n\t\t\tdvbhdemux = GF_TRUE;\n\t\t}\n\t\t/********************************************************************************/\n#ifndef GPAC_DISABLE_MEDIA_EXPORT\n\t\telse if (!stricmp(arg, \"-raw\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttrack_dump_type = 
create_new_track_action(argv[i + 1], &tracks, &nb_track_act, GF_EXPORT_NATIVE);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-raw-layer\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttrack_dump_type = create_new_track_action(argv[i + 1], &tracks, &nb_track_act, GF_EXPORT_NATIVE | GF_EXPORT_SVC_LAYER);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-qcp\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttrack_dump_type = create_new_track_action(argv[i + 1], &tracks, &nb_track_act, GF_EXPORT_NATIVE | GF_EXPORT_USE_QCP);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-aviraw\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tif (argv[i + 1] && !stricmp(argv[i + 1], \"video\")) trackID = 1;\n\t\t\telse if (argv[i + 1] && !stricmp(argv[i + 1], \"audio\")) {\n\t\t\t\tif (strlen(argv[i + 1]) == 5) trackID = 2;\n\t\t\t\telse trackID = 1 + atoi(argv[i + 1] + 5);\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"Usage: \\\"-aviraw video\\\" or \\\"-aviraw audio\\\"\\n\");\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\ttrack_dump_type = GF_EXPORT_AVI_NATIVE;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-raws\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttrack_dump_type = create_new_track_action(argv[i + 1], &tracks, &nb_track_act, GF_EXPORT_RAW_SAMPLES);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-nhnt\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttrack_dump_type = create_new_track_action(argv[i + 1], &tracks, &nb_track_act, GF_EXPORT_NHNT);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-nhml\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttrack_dump_type = create_new_track_action(argv[i + 1], &tracks, &nb_track_act, GF_EXPORT_NHML);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-webvtt-raw\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttrack_dump_type = create_new_track_action(argv[i + 1], &tracks, &nb_track_act, GF_EXPORT_WEBVTT_META);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-six\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttrack_dump_type = create_new_track_action(argv[i + 1], &tracks, &nb_track_act, GF_EXPORT_SIX);\n\t\t\ti++;\n\t\t}\n\t\telse if 
(!stricmp(arg, \"-avi\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttrack_dump_type = create_new_track_action(argv[i + 1], &tracks, &nb_track_act, GF_EXPORT_AVI);\n\t\t\tif (tracks[nb_track_act-1].trackID)\n\t\t\t\ti++;\n\t\t}\n#endif /*GPAC_DISABLE_MEDIA_EXPORT*/\n#if !defined(GPAC_DISABLE_STREAMING) && !defined(GPAC_DISABLE_SENG)\n\t\telse if (!stricmp(arg, \"-rtp\")) {\n\t\t\tfprintf(stderr, \"Deprecated option - use gpac application\\n\");\n\t\t\treturn mp4box_cleanup(2);\n\t\t}\n\t\telse if (!stricmp(arg, \"-live\")) {\n\t\t\tlive_scene = GF_TRUE;\n\t\t}\n#endif\n\t\telse if (!stricmp(arg, \"-diod\")) {\n\t\t\tdump_iod = GF_TRUE;\n\t\t}\n#ifndef GPAC_DISABLE_VRML\n\t\telse if (!stricmp(arg, \"-node\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tPrintNode(argv[i + 1], 0);\n\t\t\treturn 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-xnode\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tPrintNode(argv[i + 1], 1);\n\t\t\treturn 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-nodes\") || !stricmp(arg, \"-nodex\")) {\n\t\t\tPrintBuiltInNodes(0, !stricmp(arg, \"-nodex\") ? GF_TRUE : GF_FALSE);\n\t\t\treturn 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-xnodes\") || !stricmp(arg, \"-xnodex\")) {\n\t\t\tPrintBuiltInNodes(1, !stricmp(arg, \"-xnodex\") ? 
GF_TRUE : GF_FALSE);\n\t\t\treturn 1;\n\t\t}\n#endif\n#ifndef GPAC_DISABLE_SVG\n\t\telse if (!stricmp(arg, \"-snodes\")) {\n\t\t\tPrintBuiltInNodes(2, GF_FALSE);\n\t\t\treturn 1;\n\t\t}\n#endif\n\t\telse if (!stricmp(arg, \"-boxcov\")) {\n\t\t\tgf_sys_set_args(argc, (const char **) argv);\n PrintBuiltInBoxes(GF_TRUE);\n\t\t\treturn 1;\n\t\t} else if (!stricmp(arg, \"-boxes\")) {\n\t\t\tPrintBuiltInBoxes(GF_FALSE);\n\t\t\treturn 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-std\")) dump_std = 2;\n\t\telse if (!stricmp(arg, \"-stdb\")) dump_std = 1;\n\t\telse if (!stricmp(arg, \"-fstat\")) fs_dump_flags |= 1;\n\t\telse if (!stricmp(arg, \"-fgraph\")) fs_dump_flags |= 1<<1;\n\n#if !defined(GPAC_DISABLE_MEDIA_EXPORT) && !defined(GPAC_DISABLE_SCENE_DUMP)\n\t\telse if (!stricmp(arg, \"-keep-ods\")) no_odf_conf = GF_TRUE;\n\t\telse if (!stricmp(arg, \"-bt\")) dump_mode = GF_SM_DUMP_BT;\n\t\telse if (!stricmp(arg, \"-xmt\")) dump_mode = GF_SM_DUMP_XMTA;\n\t\telse if (!stricmp(arg, \"-wrl\")) dump_mode = GF_SM_DUMP_VRML;\n\t\telse if (!stricmp(arg, \"-x3dv\")) dump_mode = GF_SM_DUMP_X3D_VRML;\n\t\telse if (!stricmp(arg, \"-x3d\")) dump_mode = GF_SM_DUMP_X3D_XML;\n\t\telse if (!stricmp(arg, \"-lsr\")) dump_mode = GF_SM_DUMP_LASER;\n\t\telse if (!stricmp(arg, \"-svg\")) dump_mode = GF_SM_DUMP_SVG;\n#endif /*defined(GPAC_DISABLE_MEDIA_EXPORT) && !defined(GPAC_DISABLE_SCENE_DUMP)*/\n\n\t\telse if (!stricmp(arg, \"-stat\")) stat_level = 1;\n\t\telse if (!stricmp(arg, \"-stats\")) stat_level = 2;\n\t\telse if (!stricmp(arg, \"-statx\")) stat_level = 3;\n\t\telse if (!stricmp(arg, \"-diso\")) dump_isom = 1;\n\t\telse if (!stricmp(arg, \"-dxml\")) dump_isom = 2;\n\t\telse if (!stricmp(arg, \"-disox\")) dump_isom = 3;\n\t\telse if (!stricmp(arg, \"-mergevtt\")) merge_vtt_cues = GF_TRUE;\n\t\telse if (!stricmp(arg, \"-dump-cover\")) dump_cart = 1;\n\t\telse if (!stricmp(arg, \"-dump-chap\")) dump_chap = 1;\n\t\telse if (!stricmp(arg, \"-dump-chap-ogg\")) dump_chap = 2;\n\t\telse if 
(!stricmp(arg, \"-dump-chap-zoom\")) dump_chap = 3;\n\t\telse if (!stricmp(arg, \"-hash\")) do_hash = GF_TRUE;\n\t\telse if (!strnicmp(arg, \"-comp\", 5)) {\n\t\t\tCHECK_NEXT_ARG\n\n\t\t\tif (strchr(arg, 'x')) comp_top_box_version = 1;\n\t\t\telse if (strchr(arg, 'f')) comp_top_box_version = 2;\n\n\t\t\tif (strchr(arg, 'l')) comp_lzma = GF_TRUE;\n\n\t\t\tcompress_top_boxes = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!strnicmp(arg, \"-topsize\", 8)) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsize_top_box = 1;\n\t\t\tcompress_top_boxes = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!strnicmp(arg, \"-topcount\", 8)) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsize_top_box = 2;\n\t\t\tcompress_top_boxes = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-mpd-rip\")) do_mpd_rip = GF_TRUE;\n\t\telse if (!strcmp(arg, \"-init-seg\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tuse_init_seg = argv[i + 1];\n\t\t\ti += 1;\n\t\t}\n\n#ifndef GPAC_DISABLE_CORE_TOOLS\n\t\telse if (!stricmp(arg, \"-bin\")) do_bin_xml = GF_TRUE;\n#endif\n\t\telse if (!stricmp(arg, \"-dump-udta\")) {\n\t\t\tchar *sep, *code;\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsep = strchr(argv[i + 1], ':');\n\t\t\tif (sep) {\n\t\t\t\tsep[0] = 0;\n\t\t\t\tdump_udta_track = atoi(argv[i + 1]);\n\t\t\t\tsep[0] = ':';\n\t\t\t\tcode = &sep[1];\n\t\t\t}\n\t\t\telse {\n\t\t\t\tcode = argv[i + 1];\n\t\t\t}\n\t\t\tif (strlen(code) == 4) {\n\t\t\t\tdump_udta_type = GF_4CC(code[0], code[1], code[2], code[3]);\n\t\t\t} else if (strlen(code) == 8) {\n\t\t\t\t// hex representation on 8 chars\n\t\t\t\tu32 hex1, hex2, hex3, hex4;\n\t\t\t\tif (sscanf(code, \"%02x%02x%02x%02x\", &hex1, &hex2, &hex3, &hex4) != 4) {\n\t\t\t\t\tfprintf(stderr, \"udta code is either a 4CC or 8 hex chars for non-printable 4CC\\n\");\n\t\t\t\t\treturn mp4box_cleanup(1);\n\t\t\t\t}\n\t\t\t\tdump_udta_type = GF_4CC(hex1, hex2, hex3, hex4);\n\t\t\t} else {\n\t\t\t\tfprintf(stderr, \"udta code is either a 4CC or 8 hex chars for non-printable 4CC\\n\");\n\t\t\t\treturn 
mp4box_cleanup(1);\n\t\t\t}\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-dmp4\")) {\n\t\t\tdump_isom = 1;\n\t\t\tfprintf(stderr, \"WARNING: \\\"-dmp4\\\" is deprecated - use \\\"-diso\\\" option\\n\");\n\t\t}\n\t\telse if (!stricmp(arg, \"-drtp\")) dump_rtp = 1;\n\t\telse if (!stricmp(arg, \"-dts\")) {\n\t\t\tdump_timestamps = 1;\n\t\t\tif (((i + 1<(u32)argc) && inName) || (i + 2<(u32)argc)) {\n\t\t\t\tif (isdigit(argv[i + 1][0])) {\n\t\t\t\t\tprogram_number = atoi(argv[i + 1]);\n\t\t\t\t\ti++;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\telse if (!stricmp(arg, \"-dtsx\")) {\n\t\t\tdump_timestamps = 2;\n\t\t}\n\t\telse if (!stricmp(arg, \"-dtsc\")) {\n\t\t\tdump_timestamps = 3;\n\t\t}\n\t\telse if (!stricmp(arg, \"-dtsxc\")) {\n\t\t\tdump_timestamps = 4;\n\t\t}\n\t\telse if (!strnicmp(arg, \"-dnal\", 5)) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tdump_nal = atoi(argv[i + 1]);\n\t\t\tif (arg[5] == 'c') dump_nal_type |= 1;\n\t\t\telse if (arg[5] == 'd') dump_nal_type |= 2;\n\t\t\telse if (arg[5] == 'x') dump_nal_type |= 2|1;\n\t\t\ti++;\n\t\t}\n\t\telse if (!strnicmp(arg, \"-dsap\", 5)) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tdump_saps = atoi(argv[i + 1]);\n\t\t\tif (!stricmp(arg, \"-dsaps\")) dump_saps_mode = 1;\n\t\t\telse if (!stricmp(arg, \"-dsapc\")) dump_saps_mode = 2;\n\t\t\telse if (!stricmp(arg, \"-dsapd\")) dump_saps_mode = 3;\n\t\t\telse if (!stricmp(arg, \"-dsapp\")) dump_saps_mode = 4;\n\t\t\telse dump_saps_mode = 0;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-dcr\")) dump_cr = 1;\n\t\telse if (!stricmp(arg, \"-ttxt\") || !stricmp(arg, \"-srt\")) {\n\t\t\tif ((i + 1<(u32)argc) && (sscanf(argv[i + 1], \"%u\", &trackID) == 1)) {\n\t\t\t\tchar szTk[20];\n\t\t\t\tsprintf(szTk, \"%d\", trackID);\n\t\t\t\tif (!strcmp(szTk, argv[i + 1])) i++;\n\t\t\t\telse trackID = 0;\n\t\t\t}\n\t\t\telse if ((i + 1<(u32)argc) && !strcmp(argv[i + 1], \"*\")) {\n\t\t\t\ttrackID = (u32)-1;\n\t\t\t\ti++;\n\t\t\t}\n\t\t\telse {\n\t\t\t\ttrackID = 0;\n\t\t\t}\n#ifdef GPAC_DISABLE_ISOM_WRITE\n\t\t\tif 
(trackID) {\n\t\t\t\tfprintf(stderr, \"Error: Read-Only version - subtitle conversion not available\\n\");\n\t\t\t\treturn 2;\n\t\t\t}\n#endif //GPAC_DISABLE_ISOM_WRITE\n\t\t\tif (!stricmp(arg, \"-ttxt\")) dump_ttxt = GF_TRUE;\n\t\t\telse dump_srt = GF_TRUE;\n\t\t\timport_subtitle = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-dm2ts\")) {\n\t\t\tdump_m2ts = 1;\n\t\t\tif (((i + 1<(u32)argc) && inName) || (i + 2<(u32)argc)) {\n\t\t\t\tif (argv[i + 1][0] != '-') pes_dump = argv[i + 1];\n\t\t\t\ti++;\n\t\t\t}\n\t\t}\n\n#ifndef GPAC_DISABLE_SWF_IMPORT\n\t\t/*SWF importer options*/\n\t\telse if (!stricmp(arg, \"-global\")) swf_flags |= GF_SM_SWF_STATIC_DICT;\n\t\telse if (!stricmp(arg, \"-no-ctrl\")) swf_flags &= ~GF_SM_SWF_SPLIT_TIMELINE;\n\t\telse if (!stricmp(arg, \"-no-text\")) swf_flags |= GF_SM_SWF_NO_TEXT;\n\t\telse if (!stricmp(arg, \"-no-font\")) swf_flags |= GF_SM_SWF_NO_FONT;\n\t\telse if (!stricmp(arg, \"-no-line\")) swf_flags |= GF_SM_SWF_NO_LINE;\n\t\telse if (!stricmp(arg, \"-no-grad\")) swf_flags |= GF_SM_SWF_NO_GRADIENT;\n\t\telse if (!stricmp(arg, \"-quad\")) swf_flags |= GF_SM_SWF_QUAD_CURVE;\n\t\telse if (!stricmp(arg, \"-xlp\")) swf_flags |= GF_SM_SWF_SCALABLE_LINE;\n\t\telse if (!stricmp(arg, \"-ic2d\")) swf_flags |= GF_SM_SWF_USE_IC2D;\n\t\telse if (!stricmp(arg, \"-same-app\")) swf_flags |= GF_SM_SWF_REUSE_APPEARANCE;\n\t\telse if (!stricmp(arg, \"-flatten\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tswf_flatten_angle = (Float)atof(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n#endif\n#ifndef GPAC_DISABLE_ISOM_WRITE\n\t\telse if (!stricmp(arg, \"-isma\")) {\n\t\t\tconv_type = GF_ISOM_CONV_TYPE_ISMA;\n\t\t\topen_edit = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-3gp\")) {\n\t\t\tconv_type = GF_ISOM_CONV_TYPE_3GPP;\n\t\t\topen_edit = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-ipod\")) {\n\t\t\tconv_type = GF_ISOM_CONV_TYPE_IPOD;\n\t\t\topen_edit = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-psp\")) {\n\t\t\tconv_type = GF_ISOM_CONV_TYPE_PSP;\n\t\t\topen_edit = 
GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-ismax\")) {\n\t\t\tconv_type = GF_ISOM_CONV_TYPE_ISMA_EX;\n\t\t\topen_edit = GF_TRUE;\n\t\t}\n\n\t\telse if (!stricmp(arg, \"-no-sys\") || !stricmp(arg, \"-nosys\")) {\n\t\t\tremove_sys_tracks = 1;\n\t\t\topen_edit = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-no-iod\")) {\n\t\t\tremove_root_od = 1;\n\t\t\topen_edit = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-out\")) {\n\t\t\tCHECK_NEXT_ARG outName = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-tmp\")) {\n\t\t\tCHECK_NEXT_ARG tmpdir = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-co64\")) {\n\t\t\tforce_co64 = GF_TRUE;\n\t\t\topen_edit = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-write-buffer\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tfprintf(stderr, \"\\tWARNING: \\\"-write-buffer\\\" deprecated and will soon be removed, use -bs-cache-size=%s\\n\", argv[i + 1]);\n\t\t\tgf_opts_set_key(\"temp\", \"bs-cache-size\", argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-cprt\")) {\n\t\t\tCHECK_NEXT_ARG cprt = argv[i + 1];\n\t\t\ti++;\n\t\t\tif (!dash_duration) open_edit = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-chap\") || !stricmp(arg, \"-chapqt\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tchap_file = argv[i + 1];\n\t\t\ti++;\n\t\t\topen_edit = GF_TRUE;\n\t\t\tif (!stricmp(arg, \"-chapqt\")) chap_qt = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-inter\") || !stricmp(arg, \"-old-inter\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tinterleaving_time = atof(argv[i + 1]) / 1000;\n\t\t\tif (!interleaving_time) do_flat = 2;\n\t\t\topen_edit = GF_TRUE;\n\t\t\tneedSave = GF_TRUE;\n\t\t\tif (!stricmp(arg, \"-old-inter\")) old_interleave = 1;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-frag\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tinterleaving_time = atof(argv[i + 1]) / 1000;\n\t\t\tneedSave = GF_TRUE;\n\t\t\ti++;\n\t\t\tFrag = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-dash\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tdash_duration = atof(argv[i + 1]) 
/ 1000;\n\t\t\tif (dash_duration == 0.0) {\n\t\t\t\tfprintf(stderr, \"\\tERROR: \\\"-dash-dash_duration\\\": invalid parameter %s\\n\", argv[i + 1]);\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-dash-strict\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tdash_duration = atof(argv[i + 1]) / 1000;\n\t\t\tif (dash_duration == 0.0) {\n\t\t\t\tfprintf(stderr, \"\\tERROR: \\\"-dash-dash_duration\\\": invalid parameter %s\\n\", argv[i + 1]);\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_DASH, (\"[DASH] -dash-strict is deprecated, will behave like -dash\\n\"));\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-subdur\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tdash_subduration = atof(argv[i + 1]) / 1000;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-dash-scale\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tdash_scale = atoi(argv[i + 1]);\n\t\t\tif (!dash_scale) {\n\t\t\t\tfprintf(stderr, \"\\tERROR: \\\"-dash-scale\\\": invalid parameter %s\\n\", argv[i + 1]);\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-dash-ts-prog\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tprogram_number = atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-subsegs-per-sidx\") || !stricmp(arg, \"-frags-per-sidx\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsubsegs_per_sidx = atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-segment-name\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tseg_name = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-run-for\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\trun_for = atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-no-cache\")) {\n\t\t\tno_cache = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-no-loop\")) {\n\t\t\tno_loop = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-hlsc\")) {\n\t\t\thls_clock = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-bound\")) {\n\t\t\tdash_split_mode = GF_DASH_SPLIT_IN;\n\t\t}\n\t\telse if (!stricmp(arg, \"-closest\")) {\n\t\t\tdash_split_mode = 
GF_DASH_SPLIT_CLOSEST;\n\t\t}\n\t\telse if (!stricmp(arg, \"-segment-ext\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tseg_ext = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-init-segment-ext\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tinit_seg_ext = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-bs-switching\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tif (!stricmp(argv[i + 1], \"no\") || !stricmp(argv[i + 1], \"off\")) bitstream_switching_mode = GF_DASH_BSMODE_NONE;\n\t\t\telse if (!stricmp(argv[i + 1], \"merge\")) bitstream_switching_mode = GF_DASH_BSMODE_MERGED;\n\t\t\telse if (!stricmp(argv[i + 1], \"multi\")) bitstream_switching_mode = GF_DASH_BSMODE_MULTIPLE_ENTRIES;\n\t\t\telse if (!stricmp(argv[i + 1], \"single\")) bitstream_switching_mode = GF_DASH_BSMODE_SINGLE;\n\t\t\telse if (!stricmp(argv[i + 1], \"inband\")) bitstream_switching_mode = GF_DASH_BSMODE_INBAND;\n\t\t\telse {\n\t\t\t\tfprintf(stderr, \"\\tWARNING: Unrecognized bitstream switchin mode \\\"%s\\\" - please check usage\\n\", argv[i + 1]);\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-dynamic\")) {\n\t\t\tdash_mode = GF_DASH_DYNAMIC;\n\t\t}\n\t\telse if (!stricmp(arg, \"-last-dynamic\")) {\n\t\t\tdash_mode = GF_DASH_DYNAMIC_LAST;\n\t\t}\n\t\telse if (!stricmp(arg, \"-frag-rt\")) {\n\t\t\tfrag_real_time = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-start-date\")) {\n\t\t\tdash_start_date = argv[i+1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!strnicmp(arg, \"-cp-location=\", 13)) {\n\t\t\tif (strcmp(arg+13, \"both\")) cp_location_mode = GF_DASH_CPMODE_BOTH;\n\t\t\telse if (strcmp(arg+13, \"as\")) cp_location_mode = GF_DASH_CPMODE_ADAPTATION_SET;\n\t\t\telse if (strcmp(arg+13, \"rep\")) cp_location_mode = GF_DASH_CPMODE_REPRESENTATION;\n\t\t\telse {\n\t\t\t\tfprintf(stderr, \"\\tWARNING: Unrecognized ContentProtection loction mode \\\"%s\\\" - please check usage\\n\", argv[i + 13]);\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t}\n\t\telse if (!strnicmp(arg, \"-dash-live\", 10) 
|| !strnicmp(arg, \"-ddbg-live\", 10)) {\n\t\t\tdash_mode = !strnicmp(arg, \"-ddbg-live\", 10) ? GF_DASH_DYNAMIC_DEBUG : GF_DASH_DYNAMIC;\n\t\t\tdash_live = 1;\n\t\t\tif (arg[10] == '=') {\n\t\t\t\tdash_ctx_file = arg + 11;\n\t\t\t}\n\t\t\tCHECK_NEXT_ARG\n\t\t\tdash_duration = atof(argv[i + 1]) / 1000;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-mpd-duration\")) {\n\t\t\tCHECK_NEXT_ARG mpd_live_duration = atof(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-mpd-refresh\")) {\n\t\t\tCHECK_NEXT_ARG mpd_update_time = atof(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-time-shift\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\ttime_shift_depth = (u32)atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-min-buffer\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tmin_buffer = atoi(argv[i + 1]);\n\t\t\tmin_buffer /= 1000;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-ast-offset\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tast_offset_ms = atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-moof-sn\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tinitial_moof_sn = (u32)atoi(argv[i + 1]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-tfdt\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tsscanf(argv[i + 1], LLU, &initial_tfdt);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-no-frags-default\")) {\n\t\t\tno_fragments_defaults = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-single-traf\")) {\n\t\t\tsingle_traf_per_moof = 1;\n\t\t}\n else if (!stricmp(arg, \"-tfdt-traf\")) {\n tfdt_per_traf = 1;\n }\n\t\telse if (!stricmp(arg, \"-mpd-title\")) {\n\t\t\tCHECK_NEXT_ARG dash_title = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-mpd-source\")) {\n\t\t\tCHECK_NEXT_ARG dash_source = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-mpd-info-url\")) {\n\t\t\tCHECK_NEXT_ARG dash_more_info = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-base-url\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tdash_more_info = argv[i + 
1];\n\t\t\tmpd_base_urls = gf_realloc(mpd_base_urls, (nb_mpd_base_urls + 1)*sizeof(char**));\n\t\t\tmpd_base_urls[nb_mpd_base_urls] = argv[i + 1];\n\t\t\tnb_mpd_base_urls++;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-dash-ctx\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tdash_ctx_file = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-ssix\")) {\n\t\t\tuse_ssix = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-daisy-chain\")) {\n\t\t\tdaisy_chain_sidx = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-single-segment\")) {\n\t\t\tsingle_segment = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-single-file\")) {\n\t\t\tsingle_file = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-pssh-moof\")) {\n\t\t\tpssh_mode = GF_DASH_PSSH_MOOF;\n\t\t}\n\t\telse if (!strnicmp(arg, \"-pssh=\", 6)) {\n\t\t\tif (!strcmp(arg+6, \"f\")) pssh_mode = GF_DASH_PSSH_MOOF;\n\t\t\telse if (!strcmp(arg+6, \"v\")) pssh_mode = GF_DASH_PSSH_MOOV;\n\t\t\telse if (!strcmp(arg+6, \"m\")) pssh_mode = GF_DASH_PSSH_MPD;\n\t\t\telse if (!strcmp(arg+6, \"mf\") || !strcmp(arg+6, \"fm\")) pssh_mode = GF_DASH_PSSH_MOOF_MPD;\n\t\t\telse if (!strcmp(arg+6, \"mv\") || !strcmp(arg+6, \"vm\")) pssh_mode = GF_DASH_PSSH_MOOV_MPD;\n\t\t\telse pssh_mode = GF_DASH_PSSH_MOOV;\n\t\t}\n\t\telse if (!stricmp(arg, \"-sample-groups-traf\")) {\n\t\t\tsamplegroups_in_traf = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-mvex-after-traks\")) {\n\t\t\tmvex_after_traks = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-sdtp-traf\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tif (!stricmp(argv[i + 1], \"both\")) sdtp_in_traf = 2;\n\t\t\telse if (!stricmp(argv[i + 1], \"sdtp\")) sdtp_in_traf = 1;\n\t\t\telse sdtp_in_traf = 0;\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-dash-profile\") || !stricmp(arg, \"-profile\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tif (!stricmp(argv[i + 1], \"live\") || !stricmp(argv[i + 1], \"simple\")) dash_profile = GF_DASH_PROFILE_LIVE;\n\t\t\telse if (!stricmp(argv[i + 1], \"onDemand\")) dash_profile = GF_DASH_PROFILE_ONDEMAND;\n\t\t\telse 
if (!stricmp(argv[i + 1], \"hbbtv1.5:live\")) {\n\t\t\t\tdash_profile = GF_DASH_PROFILE_HBBTV_1_5_ISOBMF_LIVE;\n\t\t\t}\n\t\t\telse if (!stricmp(argv[i + 1], \"dashavc264:live\")) {\n\t\t\t\tdash_profile = GF_DASH_PROFILE_AVC264_LIVE;\n\t\t\t}\n\t\t\telse if (!stricmp(argv[i + 1], \"dashavc264:onDemand\")) {\n\t\t\t\tdash_profile = GF_DASH_PROFILE_AVC264_ONDEMAND;\n\t\t\t}\n\t\t\telse if (!stricmp(argv[i + 1], \"main\")) dash_profile = GF_DASH_PROFILE_MAIN;\n\t\t\telse if (!stricmp(argv[i + 1], \"full\")) dash_profile = GF_DASH_PROFILE_FULL;\n\t\t\telse {\n\t\t\t\tfprintf(stderr, \"\\tWARNING: Unrecognized DASH profile \\\"%s\\\" - please check usage\\n\", argv[i + 1]);\n\t\t\t\treturn 2;\n\t\t\t}\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-profile-ext\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tdash_profile_extension = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!strnicmp(arg, \"-url-template\", 13)) {\n\t\t\tuse_url_template = 1;\n\t\t\tif ((arg[13] == '=') && arg[14]) {\n\t\t\t\tif (!strcmp(&arg[14], \"simulate\")) use_url_template = 2;\n\t\t\t}\n\t\t}\n\t\telse if (!stricmp(arg, \"-segment-timeline\")) {\n\t\t\tsegment_timeline = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-mem-frags\")) {\n\t\t\tmemory_frags = 1;\n\t\t}\n\t\telse if (!stricmp(arg, \"-segment-marker\")) {\n\t\t\tchar *m;\n\t\t\tCHECK_NEXT_ARG\n\t\t\tm = argv[i + 1];\n\t\t\tsegment_marker = GF_4CC(m[0], m[1], m[2], m[3]);\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-cues\")) {\n\t\t\tCHECK_NEXT_ARG\n\t\t\tdash_cues = argv[i + 1];\n\t\t\ti++;\n\t\t}\n\t\telse if (!stricmp(arg, \"-strict-cues\")) {\n\t\t\tstrict_cues = GF_TRUE;\n\t\t}\n\t\telse if (!stricmp(arg, \"-insert-utc\")) {\n\t\t\tinsert_utc = GF_TRUE;\n\t\t}\n#endif //GPAC_DISABLE_ISOM_WRITE\n\t\telse if (!stricmp(arg, \"-udp-write\")) {\n\t\t\tudp_dest = argv[i+1];\n\t\t\ti++;\n\t\t}\n\t\telse {\n\t\t\tu32 ret = mp4box_parse_args_continue(argc, argv, &i);\n\t\t\tif (ret) return ret;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "gpac", 
"hash": 148121010327303567970924362545142958172, "size": 748, "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349", "message": "fixed #1565", "target": 0, "dataset": "other", "idx": 244394 }, { "func": "GF_Err Media_GetSampleDescIndex(GF_MediaBox *mdia, u64 DTS, u32 *sampleDescIndex)\n{\n\tGF_Err e;\n\tu32 sampleNumber, prevSampleNumber, num;\n\tu64 offset;\n\tif (sampleDescIndex == NULL) return GF_BAD_PARAM;\n\n\t//find the sample for this time\n\te = stbl_findEntryForTime(mdia->information->sampleTable, (u32) DTS, 0, &sampleNumber, &prevSampleNumber);\n\tif (e) return e;\n\n\tif (!sampleNumber && !prevSampleNumber) {\n\t\t//we have to assume the track was created to be used... If we have a sampleDesc, OK\n\t\tif (gf_list_count(mdia->information->sampleTable->SampleDescription->child_boxes)) {\n\t\t\t(*sampleDescIndex) = 1;\n\t\t\treturn GF_OK;\n\t\t}\n\t\treturn GF_BAD_PARAM;\n\t}\n\treturn stbl_GetSampleInfos(mdia->information->sampleTable, ( sampleNumber ? sampleNumber : prevSampleNumber), &offset, &num, sampleDescIndex, NULL);\n}", "project": "gpac", "hash": 155368736820179768181149614640957549063, "size": 21, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231623 }, { "func": "GF_Err Media_FindSyncSample(GF_SampleTableBox *stbl, u32 searchFromSample, u32 *sampleNumber, u8 mode)\n{\n\tGF_ISOSAPType isRAP;\n\tu32 next, prev, next_in_sap, prev_in_sap;\n\tif (!stbl || !stbl->SyncSample) return GF_BAD_PARAM;\n\n\t//set to current sample if we don't find a RAP\n\t*sampleNumber = searchFromSample;\n\n\t//this is not the exact sample, but the prev move to next sample if enough samples....\n\tif ( (mode == GF_ISOM_SEARCH_SYNC_FORWARD) && (searchFromSample == stbl->SampleSize->sampleCount) ) {\n\t\treturn GF_OK;\n\t}\n\tif ( (mode == GF_ISOM_SEARCH_SYNC_BACKWARD) && !searchFromSample) {\n\t\t*sampleNumber = 1;\n\t\treturn GF_OK;\n\t}\n\t//get the 
entry\n\tstbl_GetSampleRAP(stbl->SyncSample, searchFromSample, &isRAP, &prev, &next);\n\tif (isRAP) {\n\t\t(*sampleNumber) = searchFromSample;\n\t\treturn GF_OK;\n\t}\n\n\t/*check sample groups - prev & next are overwritten if RAP group is found, but are not re-initialized otherwise*/\n\tstbl_SearchSAPs(stbl, searchFromSample, &isRAP, &prev_in_sap, &next_in_sap);\n\tif (isRAP) {\n\t\t(*sampleNumber) = searchFromSample;\n\t\treturn GF_OK;\n\t}\n\n\tif (prev_in_sap > prev)\n\t\tprev = prev_in_sap;\n\tif (next_in_sap && next_in_sap < next)\n\t\tnext = next_in_sap;\n\n\t//nothing yet, go for next time...\n\tif (mode == GF_ISOM_SEARCH_SYNC_FORWARD) {\n\t\tif (next) *sampleNumber = next;\n\t} else {\n\t\tif (prev) *sampleNumber = prev;\n\t}\n\n\treturn GF_OK;\n}", "project": "gpac", "hash": 48718404268840719526607355748058860058, "size": 45, "commit_id": "328def7d3b93847d64ecb6e9e0399684e57c3eca", "message": "fixed #1766 (fuzz)", "target": 0, "dataset": "other", "idx": 231618 }, { "func": "GF_EXPORT\nu64 gf_isom_get_media_data_size(GF_ISOFile *movie, u32 trackNumber)\n{\n\tu32 i;\n\tu64 size;\n\tGF_SampleSizeBox *stsz;\n\tGF_TrackBox *tk = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!tk) return 0;\n\tstsz = tk->Media->information->sampleTable->SampleSize;\n\tif (!stsz) return 0;\n\tif (stsz->sampleSize) return stsz->sampleSize*stsz->sampleCount;\n\tsize = 0;\n\tfor (i=0; isampleCount; i++) size += stsz->sizes[i];\n\treturn size;", "project": "gpac", "hash": 271016271962362344349778254183330722266, "size": 14, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246835 }, { "func": "static GF_AV1Config* AV1_DuplicateConfig(GF_AV1Config const * const cfg)\n{\n\tu32 i = 0;\n\tGF_AV1Config *out = gf_malloc(sizeof(GF_AV1Config));\n\n\tout->marker = cfg->marker;\n\tout->version = cfg->version;\n\tout->seq_profile = cfg->seq_profile;\n\tout->seq_level_idx_0 = 
cfg->seq_level_idx_0;\n\tout->seq_tier_0 = cfg->seq_tier_0;\n\tout->high_bitdepth = cfg->high_bitdepth;\n\tout->twelve_bit = cfg->twelve_bit;\n\tout->monochrome = cfg->monochrome;\n\tout->chroma_subsampling_x = cfg->chroma_subsampling_x;\n\tout->chroma_subsampling_y = cfg->chroma_subsampling_y;\n\tout->chroma_sample_position = cfg->chroma_sample_position;\n\n\tout->initial_presentation_delay_present = cfg->initial_presentation_delay_present;\n\tout->initial_presentation_delay_minus_one = cfg->initial_presentation_delay_minus_one;\n\tout->obu_array = gf_list_new();\n\tfor (i = 0; iobu_array); ++i) {\n\t\tGF_AV1_OBUArrayEntry *dst = gf_malloc(sizeof(GF_AV1_OBUArrayEntry)), *src = gf_list_get(cfg->obu_array, i);\n\t\tdst->obu_length = src->obu_length;\n\t\tdst->obu_type = src->obu_type;\n\t\tdst->obu = gf_malloc((size_t)dst->obu_length);\n\t\tmemcpy(dst->obu, src->obu, (size_t)src->obu_length);\n\t\tgf_list_add(out->obu_array, dst);\n\t}\n\treturn out;\n}", "project": "gpac", "hash": 194908190417455895128773886208841527743, "size": 30, "commit_id": "0a85029d694f992f3631e2f249e4999daee15cbf", "message": "fixed #1785 (fuzz)", "target": 0, "dataset": "other", "idx": 237631 }, { "func": "\nvoid gf_isom_parse_trif_info(const u8 *data, u32 size, u32 *id, u32 *independent, Bool *full_picture, u32 *x, u32 *y, u32 *w, u32 *h)\n{\n\tGF_BitStream *bs;\n\tbs = gf_bs_new(data, size, GF_BITSTREAM_READ);\n\t*id = gf_bs_read_u16(bs);\n\tif (! gf_bs_read_int(bs, 1)) {\n\t\t*independent=0;\n\t\t*full_picture=0;\n\t\t*x = *y = *w = *h = 0;\n\t} else {\n\t\t*independent = gf_bs_read_int(bs, 2);\n\t\t*full_picture = (Bool)gf_bs_read_int(bs, 1);\n\t\t/*filter_disabled*/ gf_bs_read_int(bs, 1);\n\t\t/*has_dependency_list*/ gf_bs_read_int(bs, 1);\n\t\tgf_bs_read_int(bs, 2);\n\t\t*x = *full_picture ? 0 : gf_bs_read_u16(bs);\n\t\t*y = *full_picture ? 
0 : gf_bs_read_u16(bs);\n\t\t*w = gf_bs_read_u16(bs);\n\t\t*h = gf_bs_read_u16(bs);\n\t}\n\tgf_bs_del(bs);", "project": "gpac", "hash": 23697880846817587113963428599733405481, "size": 22, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246780 } ] }, { "call_depth": 13, "longest_call_chain": [ "bpf_check", "do_check_main", "do_check_common", "do_check", "check_xadd", "check_mem_access", "check_stack_write", "mark_chain_precision", "__mark_chain_precision", "print_verifier_state", "print_liveness", "verbose", "bpf_verifier_vlog" ], "group_size": 286, "functions": [ { "func": "static int check_reference_leak(struct bpf_verifier_env *env)\n{\n\tstruct bpf_func_state *state = cur_func(env);\n\tint i;\n\n\tfor (i = 0; i < state->acquired_refs; i++) {\n\t\tverbose(env, \"Unreleased reference id=%d alloc_insn=%d\\n\",\n\t\t\tstate->refs[i].id, state->refs[i].insn_idx);\n\t}\n\treturn state->acquired_refs ? -EINVAL : 0;\n}", "project": "linux", "hash": 257871664491568438828095201169244702772, "size": 11, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232491 }, { "func": "static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_insn *insn,\n\t\t\t\t const struct bpf_reg_state *ptr_reg,\n\t\t\t\t const struct bpf_reg_state *off_reg)\n{\n\tstruct bpf_verifier_state *vstate = env->cur_state;\n\tstruct bpf_func_state *state = vstate->frame[vstate->curframe];\n\tstruct bpf_reg_state *regs = state->regs, *dst_reg;\n\tbool known = tnum_is_const(off_reg->var_off);\n\ts64 smin_val = off_reg->smin_value, smax_val = off_reg->smax_value,\n\t smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value;\n\tu64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value,\n\t umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value;\n\tu32 dst = insn->dst_reg, src = insn->src_reg;\n\tu8 opcode = BPF_OP(insn->code);\n\tint ret;\n\n\tdst_reg = ®s[dst];\n\n\tif ((known && (smin_val != smax_val || umin_val != umax_val)) ||\n\t smin_val > smax_val || umin_val > umax_val) {\n\t\t/* Taint dst register if offset had invalid bounds derived from\n\t\t * e.g. 
dead branches.\n\t\t */\n\t\t__mark_reg_unknown(env, dst_reg);\n\t\treturn 0;\n\t}\n\n\tif (BPF_CLASS(insn->code) != BPF_ALU64) {\n\t\t/* 32-bit ALU ops on pointers produce (meaningless) scalars */\n\t\tverbose(env,\n\t\t\t\"R%d 32-bit pointer arithmetic prohibited\\n\",\n\t\t\tdst);\n\t\treturn -EACCES;\n\t}\n\n\tswitch (ptr_reg->type) {\n\tcase PTR_TO_MAP_VALUE_OR_NULL:\n\t\tverbose(env, \"R%d pointer arithmetic on %s prohibited, null-check it first\\n\",\n\t\t\tdst, reg_type_str[ptr_reg->type]);\n\t\treturn -EACCES;\n\tcase CONST_PTR_TO_MAP:\n\tcase PTR_TO_PACKET_END:\n\tcase PTR_TO_SOCKET:\n\tcase PTR_TO_SOCKET_OR_NULL:\n\tcase PTR_TO_SOCK_COMMON:\n\tcase PTR_TO_SOCK_COMMON_OR_NULL:\n\tcase PTR_TO_TCP_SOCK:\n\tcase PTR_TO_TCP_SOCK_OR_NULL:\n\tcase PTR_TO_XDP_SOCK:\n\t\tverbose(env, \"R%d pointer arithmetic on %s prohibited\\n\",\n\t\t\tdst, reg_type_str[ptr_reg->type]);\n\t\treturn -EACCES;\n\tcase PTR_TO_MAP_VALUE:\n\t\tif (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {\n\t\t\tverbose(env, \"R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\\n\",\n\t\t\t\toff_reg == dst_reg ? 
dst : src);\n\t\t\treturn -EACCES;\n\t\t}\n\t\t/* fall-through */\n\tdefault:\n\t\tbreak;\n\t}\n\n\t/* In case of 'scalar += pointer', dst_reg inherits pointer type and id.\n\t * The id may be overwritten later if we create a new variable offset.\n\t */\n\tdst_reg->type = ptr_reg->type;\n\tdst_reg->id = ptr_reg->id;\n\n\tif (!check_reg_sane_offset(env, off_reg, ptr_reg->type) ||\n\t !check_reg_sane_offset(env, ptr_reg, ptr_reg->type))\n\t\treturn -EINVAL;\n\n\tswitch (opcode) {\n\tcase BPF_ADD:\n\t\tret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"R%d tried to add from different maps or paths\\n\", dst);\n\t\t\treturn ret;\n\t\t}\n\t\t/* We can take a fixed offset as long as it doesn't overflow\n\t\t * the s32 'off' field\n\t\t */\n\t\tif (known && (ptr_reg->off + smin_val ==\n\t\t\t (s64)(s32)(ptr_reg->off + smin_val))) {\n\t\t\t/* pointer += K. Accumulate it into fixed offset */\n\t\t\tdst_reg->smin_value = smin_ptr;\n\t\t\tdst_reg->smax_value = smax_ptr;\n\t\t\tdst_reg->umin_value = umin_ptr;\n\t\t\tdst_reg->umax_value = umax_ptr;\n\t\t\tdst_reg->var_off = ptr_reg->var_off;\n\t\t\tdst_reg->off = ptr_reg->off + smin_val;\n\t\t\tdst_reg->raw = ptr_reg->raw;\n\t\t\tbreak;\n\t\t}\n\t\t/* A new variable offset is created. 
Note that off_reg->off\n\t\t * == 0, since it's a scalar.\n\t\t * dst_reg gets the pointer type and since some positive\n\t\t * integer value was added to the pointer, give it a new 'id'\n\t\t * if it's a PTR_TO_PACKET.\n\t\t * this creates a new 'base' pointer, off_reg (variable) gets\n\t\t * added into the variable offset, and we copy the fixed offset\n\t\t * from ptr_reg.\n\t\t */\n\t\tif (signed_add_overflows(smin_ptr, smin_val) ||\n\t\t signed_add_overflows(smax_ptr, smax_val)) {\n\t\t\tdst_reg->smin_value = S64_MIN;\n\t\t\tdst_reg->smax_value = S64_MAX;\n\t\t} else {\n\t\t\tdst_reg->smin_value = smin_ptr + smin_val;\n\t\t\tdst_reg->smax_value = smax_ptr + smax_val;\n\t\t}\n\t\tif (umin_ptr + umin_val < umin_ptr ||\n\t\t umax_ptr + umax_val < umax_ptr) {\n\t\t\tdst_reg->umin_value = 0;\n\t\t\tdst_reg->umax_value = U64_MAX;\n\t\t} else {\n\t\t\tdst_reg->umin_value = umin_ptr + umin_val;\n\t\t\tdst_reg->umax_value = umax_ptr + umax_val;\n\t\t}\n\t\tdst_reg->var_off = tnum_add(ptr_reg->var_off, off_reg->var_off);\n\t\tdst_reg->off = ptr_reg->off;\n\t\tdst_reg->raw = ptr_reg->raw;\n\t\tif (reg_is_pkt_pointer(ptr_reg)) {\n\t\t\tdst_reg->id = ++env->id_gen;\n\t\t\t/* something was added to pkt_ptr, set range to zero */\n\t\t\tdst_reg->raw = 0;\n\t\t}\n\t\tbreak;\n\tcase BPF_SUB:\n\t\tret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"R%d tried to sub from different maps or paths\\n\", dst);\n\t\t\treturn ret;\n\t\t}\n\t\tif (dst_reg == off_reg) {\n\t\t\t/* scalar -= pointer. 
Creates an unknown scalar */\n\t\t\tverbose(env, \"R%d tried to subtract pointer from scalar\\n\",\n\t\t\t\tdst);\n\t\t\treturn -EACCES;\n\t\t}\n\t\t/* We don't allow subtraction from FP, because (according to\n\t\t * test_verifier.c test \"invalid fp arithmetic\", JITs might not\n\t\t * be able to deal with it.\n\t\t */\n\t\tif (ptr_reg->type == PTR_TO_STACK) {\n\t\t\tverbose(env, \"R%d subtraction from stack pointer prohibited\\n\",\n\t\t\t\tdst);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tif (known && (ptr_reg->off - smin_val ==\n\t\t\t (s64)(s32)(ptr_reg->off - smin_val))) {\n\t\t\t/* pointer -= K. Subtract it from fixed offset */\n\t\t\tdst_reg->smin_value = smin_ptr;\n\t\t\tdst_reg->smax_value = smax_ptr;\n\t\t\tdst_reg->umin_value = umin_ptr;\n\t\t\tdst_reg->umax_value = umax_ptr;\n\t\t\tdst_reg->var_off = ptr_reg->var_off;\n\t\t\tdst_reg->id = ptr_reg->id;\n\t\t\tdst_reg->off = ptr_reg->off - smin_val;\n\t\t\tdst_reg->raw = ptr_reg->raw;\n\t\t\tbreak;\n\t\t}\n\t\t/* A new variable offset is created. 
If the subtrahend is known\n\t\t * nonnegative, then any reg->range we had before is still good.\n\t\t */\n\t\tif (signed_sub_overflows(smin_ptr, smax_val) ||\n\t\t signed_sub_overflows(smax_ptr, smin_val)) {\n\t\t\t/* Overflow possible, we know nothing */\n\t\t\tdst_reg->smin_value = S64_MIN;\n\t\t\tdst_reg->smax_value = S64_MAX;\n\t\t} else {\n\t\t\tdst_reg->smin_value = smin_ptr - smax_val;\n\t\t\tdst_reg->smax_value = smax_ptr - smin_val;\n\t\t}\n\t\tif (umin_ptr < umax_val) {\n\t\t\t/* Overflow possible, we know nothing */\n\t\t\tdst_reg->umin_value = 0;\n\t\t\tdst_reg->umax_value = U64_MAX;\n\t\t} else {\n\t\t\t/* Cannot overflow (as long as bounds are consistent) */\n\t\t\tdst_reg->umin_value = umin_ptr - umax_val;\n\t\t\tdst_reg->umax_value = umax_ptr - umin_val;\n\t\t}\n\t\tdst_reg->var_off = tnum_sub(ptr_reg->var_off, off_reg->var_off);\n\t\tdst_reg->off = ptr_reg->off;\n\t\tdst_reg->raw = ptr_reg->raw;\n\t\tif (reg_is_pkt_pointer(ptr_reg)) {\n\t\t\tdst_reg->id = ++env->id_gen;\n\t\t\t/* something was added to pkt_ptr, set range to zero */\n\t\t\tif (smin_val < 0)\n\t\t\t\tdst_reg->raw = 0;\n\t\t}\n\t\tbreak;\n\tcase BPF_AND:\n\tcase BPF_OR:\n\tcase BPF_XOR:\n\t\t/* bitwise ops on pointers are troublesome, prohibit. */\n\t\tverbose(env, \"R%d bitwise operator %s on pointer prohibited\\n\",\n\t\t\tdst, bpf_alu_string[opcode >> 4]);\n\t\treturn -EACCES;\n\tdefault:\n\t\t/* other operators (e.g. 
MUL,LSH) produce non-pointer results */\n\t\tverbose(env, \"R%d pointer arithmetic with %s operator prohibited\\n\",\n\t\t\tdst, bpf_alu_string[opcode >> 4]);\n\t\treturn -EACCES;\n\t}\n\n\tif (!check_reg_sane_offset(env, dst_reg, ptr_reg->type))\n\t\treturn -EINVAL;\n\n\t__update_reg_bounds(dst_reg);\n\t__reg_deduce_bounds(dst_reg);\n\t__reg_bound_offset(dst_reg);\n\n\t/* For unprivileged we require that resulting offset must be in bounds\n\t * in order to be able to sanitize access later on.\n\t */\n\tif (!env->allow_ptr_leaks) {\n\t\tif (dst_reg->type == PTR_TO_MAP_VALUE &&\n\t\t check_map_access(env, dst, dst_reg->off, 1, false)) {\n\t\t\tverbose(env, \"R%d pointer arithmetic of map value goes out of range, \"\n\t\t\t\t\"prohibited for !root\\n\", dst);\n\t\t\treturn -EACCES;\n\t\t} else if (dst_reg->type == PTR_TO_STACK &&\n\t\t\t check_stack_access(env, dst_reg, dst_reg->off +\n\t\t\t\t\t dst_reg->var_off.value, 1)) {\n\t\t\tverbose(env, \"R%d stack pointer arithmetic goes out of range, \"\n\t\t\t\t\"prohibited for !root\\n\", dst);\n\t\t\treturn -EACCES;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 74781762480431886941321087050847161067, "size": 236, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232593 }, { "func": "static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_insn *insn,\n\t\t\t\t const struct bpf_reg_state *ptr_reg,\n\t\t\t\t const struct bpf_reg_state *off_reg)\n{\n\tstruct bpf_verifier_state *vstate = env->cur_state;\n\tstruct bpf_func_state *state = vstate->frame[vstate->curframe];\n\tstruct bpf_reg_state *regs = state->regs, *dst_reg;\n\tbool known = tnum_is_const(off_reg->var_off);\n\ts64 smin_val = off_reg->smin_value, smax_val = off_reg->smax_value,\n\t smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value;\n\tu64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value,\n\t umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value;\n\tu32 dst = insn->dst_reg, src = insn->src_reg;\n\tu8 opcode = BPF_OP(insn->code);\n\tint ret;\n\n\tdst_reg = ®s[dst];\n\n\tif ((known && (smin_val != smax_val || umin_val != umax_val)) ||\n\t smin_val > smax_val || umin_val > umax_val) {\n\t\t/* Taint dst register if offset had invalid bounds derived from\n\t\t * e.g. 
dead branches.\n\t\t */\n\t\t__mark_reg_unknown(env, dst_reg);\n\t\treturn 0;\n\t}\n\n\tif (BPF_CLASS(insn->code) != BPF_ALU64) {\n\t\t/* 32-bit ALU ops on pointers produce (meaningless) scalars */\n\t\tif (opcode == BPF_SUB && env->allow_ptr_leaks) {\n\t\t\t__mark_reg_unknown(env, dst_reg);\n\t\t\treturn 0;\n\t\t}\n\n\t\tverbose(env,\n\t\t\t\"R%d 32-bit pointer arithmetic prohibited\\n\",\n\t\t\tdst);\n\t\treturn -EACCES;\n\t}\n\n\tswitch (ptr_reg->type) {\n\tcase PTR_TO_MAP_VALUE_OR_NULL:\n\t\tverbose(env, \"R%d pointer arithmetic on %s prohibited, null-check it first\\n\",\n\t\t\tdst, reg_type_str[ptr_reg->type]);\n\t\treturn -EACCES;\n\tcase CONST_PTR_TO_MAP:\n\tcase PTR_TO_PACKET_END:\n\tcase PTR_TO_SOCKET:\n\tcase PTR_TO_SOCKET_OR_NULL:\n\tcase PTR_TO_SOCK_COMMON:\n\tcase PTR_TO_SOCK_COMMON_OR_NULL:\n\tcase PTR_TO_TCP_SOCK:\n\tcase PTR_TO_TCP_SOCK_OR_NULL:\n\tcase PTR_TO_XDP_SOCK:\n\t\tverbose(env, \"R%d pointer arithmetic on %s prohibited\\n\",\n\t\t\tdst, reg_type_str[ptr_reg->type]);\n\t\treturn -EACCES;\n\tcase PTR_TO_MAP_VALUE:\n\t\tif (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {\n\t\t\tverbose(env, \"R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\\n\",\n\t\t\t\toff_reg == dst_reg ? dst : src);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tfallthrough;\n\tdefault:\n\t\tbreak;\n\t}\n\n\t/* In case of 'scalar += pointer', dst_reg inherits pointer type and id.\n\t * The id may be overwritten later if we create a new variable offset.\n\t */\n\tdst_reg->type = ptr_reg->type;\n\tdst_reg->id = ptr_reg->id;\n\n\tif (!check_reg_sane_offset(env, off_reg, ptr_reg->type) ||\n\t !check_reg_sane_offset(env, ptr_reg, ptr_reg->type))\n\t\treturn -EINVAL;\n\n\t/* pointer types do not carry 32-bit bounds at the moment. 
*/\n\t__mark_reg32_unbounded(dst_reg);\n\n\tswitch (opcode) {\n\tcase BPF_ADD:\n\t\tret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"R%d tried to add from different maps or paths\\n\", dst);\n\t\t\treturn ret;\n\t\t}\n\t\t/* We can take a fixed offset as long as it doesn't overflow\n\t\t * the s32 'off' field\n\t\t */\n\t\tif (known && (ptr_reg->off + smin_val ==\n\t\t\t (s64)(s32)(ptr_reg->off + smin_val))) {\n\t\t\t/* pointer += K. Accumulate it into fixed offset */\n\t\t\tdst_reg->smin_value = smin_ptr;\n\t\t\tdst_reg->smax_value = smax_ptr;\n\t\t\tdst_reg->umin_value = umin_ptr;\n\t\t\tdst_reg->umax_value = umax_ptr;\n\t\t\tdst_reg->var_off = ptr_reg->var_off;\n\t\t\tdst_reg->off = ptr_reg->off + smin_val;\n\t\t\tdst_reg->raw = ptr_reg->raw;\n\t\t\tbreak;\n\t\t}\n\t\t/* A new variable offset is created. Note that off_reg->off\n\t\t * == 0, since it's a scalar.\n\t\t * dst_reg gets the pointer type and since some positive\n\t\t * integer value was added to the pointer, give it a new 'id'\n\t\t * if it's a PTR_TO_PACKET.\n\t\t * this creates a new 'base' pointer, off_reg (variable) gets\n\t\t * added into the variable offset, and we copy the fixed offset\n\t\t * from ptr_reg.\n\t\t */\n\t\tif (signed_add_overflows(smin_ptr, smin_val) ||\n\t\t signed_add_overflows(smax_ptr, smax_val)) {\n\t\t\tdst_reg->smin_value = S64_MIN;\n\t\t\tdst_reg->smax_value = S64_MAX;\n\t\t} else {\n\t\t\tdst_reg->smin_value = smin_ptr + smin_val;\n\t\t\tdst_reg->smax_value = smax_ptr + smax_val;\n\t\t}\n\t\tif (umin_ptr + umin_val < umin_ptr ||\n\t\t umax_ptr + umax_val < umax_ptr) {\n\t\t\tdst_reg->umin_value = 0;\n\t\t\tdst_reg->umax_value = U64_MAX;\n\t\t} else {\n\t\t\tdst_reg->umin_value = umin_ptr + umin_val;\n\t\t\tdst_reg->umax_value = umax_ptr + umax_val;\n\t\t}\n\t\tdst_reg->var_off = tnum_add(ptr_reg->var_off, off_reg->var_off);\n\t\tdst_reg->off = ptr_reg->off;\n\t\tdst_reg->raw = ptr_reg->raw;\n\t\tif 
(reg_is_pkt_pointer(ptr_reg)) {\n\t\t\tdst_reg->id = ++env->id_gen;\n\t\t\t/* something was added to pkt_ptr, set range to zero */\n\t\t\tdst_reg->raw = 0;\n\t\t}\n\t\tbreak;\n\tcase BPF_SUB:\n\t\tret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"R%d tried to sub from different maps or paths\\n\", dst);\n\t\t\treturn ret;\n\t\t}\n\t\tif (dst_reg == off_reg) {\n\t\t\t/* scalar -= pointer. Creates an unknown scalar */\n\t\t\tverbose(env, \"R%d tried to subtract pointer from scalar\\n\",\n\t\t\t\tdst);\n\t\t\treturn -EACCES;\n\t\t}\n\t\t/* We don't allow subtraction from FP, because (according to\n\t\t * test_verifier.c test \"invalid fp arithmetic\", JITs might not\n\t\t * be able to deal with it.\n\t\t */\n\t\tif (ptr_reg->type == PTR_TO_STACK) {\n\t\t\tverbose(env, \"R%d subtraction from stack pointer prohibited\\n\",\n\t\t\t\tdst);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tif (known && (ptr_reg->off - smin_val ==\n\t\t\t (s64)(s32)(ptr_reg->off - smin_val))) {\n\t\t\t/* pointer -= K. Subtract it from fixed offset */\n\t\t\tdst_reg->smin_value = smin_ptr;\n\t\t\tdst_reg->smax_value = smax_ptr;\n\t\t\tdst_reg->umin_value = umin_ptr;\n\t\t\tdst_reg->umax_value = umax_ptr;\n\t\t\tdst_reg->var_off = ptr_reg->var_off;\n\t\t\tdst_reg->id = ptr_reg->id;\n\t\t\tdst_reg->off = ptr_reg->off - smin_val;\n\t\t\tdst_reg->raw = ptr_reg->raw;\n\t\t\tbreak;\n\t\t}\n\t\t/* A new variable offset is created. 
If the subtrahend is known\n\t\t * nonnegative, then any reg->range we had before is still good.\n\t\t */\n\t\tif (signed_sub_overflows(smin_ptr, smax_val) ||\n\t\t signed_sub_overflows(smax_ptr, smin_val)) {\n\t\t\t/* Overflow possible, we know nothing */\n\t\t\tdst_reg->smin_value = S64_MIN;\n\t\t\tdst_reg->smax_value = S64_MAX;\n\t\t} else {\n\t\t\tdst_reg->smin_value = smin_ptr - smax_val;\n\t\t\tdst_reg->smax_value = smax_ptr - smin_val;\n\t\t}\n\t\tif (umin_ptr < umax_val) {\n\t\t\t/* Overflow possible, we know nothing */\n\t\t\tdst_reg->umin_value = 0;\n\t\t\tdst_reg->umax_value = U64_MAX;\n\t\t} else {\n\t\t\t/* Cannot overflow (as long as bounds are consistent) */\n\t\t\tdst_reg->umin_value = umin_ptr - umax_val;\n\t\t\tdst_reg->umax_value = umax_ptr - umin_val;\n\t\t}\n\t\tdst_reg->var_off = tnum_sub(ptr_reg->var_off, off_reg->var_off);\n\t\tdst_reg->off = ptr_reg->off;\n\t\tdst_reg->raw = ptr_reg->raw;\n\t\tif (reg_is_pkt_pointer(ptr_reg)) {\n\t\t\tdst_reg->id = ++env->id_gen;\n\t\t\t/* something was added to pkt_ptr, set range to zero */\n\t\t\tif (smin_val < 0)\n\t\t\t\tdst_reg->raw = 0;\n\t\t}\n\t\tbreak;\n\tcase BPF_AND:\n\tcase BPF_OR:\n\tcase BPF_XOR:\n\t\t/* bitwise ops on pointers are troublesome, prohibit. */\n\t\tverbose(env, \"R%d bitwise operator %s on pointer prohibited\\n\",\n\t\t\tdst, bpf_alu_string[opcode >> 4]);\n\t\treturn -EACCES;\n\tdefault:\n\t\t/* other operators (e.g. 
MUL,LSH) produce non-pointer results */\n\t\tverbose(env, \"R%d pointer arithmetic with %s operator prohibited\\n\",\n\t\t\tdst, bpf_alu_string[opcode >> 4]);\n\t\treturn -EACCES;\n\t}\n\n\tif (!check_reg_sane_offset(env, dst_reg, ptr_reg->type))\n\t\treturn -EINVAL;\n\n\t__update_reg_bounds(dst_reg);\n\t__reg_deduce_bounds(dst_reg);\n\t__reg_bound_offset(dst_reg);\n\n\t/* For unprivileged we require that resulting offset must be in bounds\n\t * in order to be able to sanitize access later on.\n\t */\n\tif (!env->bypass_spec_v1) {\n\t\tif (dst_reg->type == PTR_TO_MAP_VALUE &&\n\t\t check_map_access(env, dst, dst_reg->off, 1, false)) {\n\t\t\tverbose(env, \"R%d pointer arithmetic of map value goes out of range, \"\n\t\t\t\t\"prohibited for !root\\n\", dst);\n\t\t\treturn -EACCES;\n\t\t} else if (dst_reg->type == PTR_TO_STACK &&\n\t\t\t check_stack_access(env, dst_reg, dst_reg->off +\n\t\t\t\t\t dst_reg->var_off.value, 1)) {\n\t\t\tverbose(env, \"R%d stack pointer arithmetic goes out of range, \"\n\t\t\t\t\"prohibited for !root\\n\", dst);\n\t\t\treturn -EACCES;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 114502337056232765875065900920802334043, "size": 244, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328513 }, { "func": "static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_insn *insn,\n\t\t\t\t const struct bpf_reg_state *ptr_reg,\n\t\t\t\t const struct bpf_reg_state *off_reg)\n{\n\tstruct bpf_verifier_state *vstate = env->cur_state;\n\tstruct bpf_func_state *state = vstate->frame[vstate->curframe];\n\tstruct bpf_reg_state *regs = state->regs, *dst_reg;\n\tbool known = tnum_is_const(off_reg->var_off);\n\ts64 smin_val = off_reg->smin_value, smax_val = off_reg->smax_value,\n\t smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value;\n\tu64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value,\n\t umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value;\n\tu32 dst = insn->dst_reg, src = insn->src_reg;\n\tu8 opcode = BPF_OP(insn->code);\n\tint ret;\n\n\tdst_reg = ®s[dst];\n\n\tif ((known && (smin_val != smax_val || umin_val != umax_val)) ||\n\t smin_val > smax_val || umin_val > umax_val) {\n\t\t/* Taint dst register if offset had invalid bounds derived from\n\t\t * e.g. 
dead branches.\n\t\t */\n\t\t__mark_reg_unknown(env, dst_reg);\n\t\treturn 0;\n\t}\n\n\tif (BPF_CLASS(insn->code) != BPF_ALU64) {\n\t\t/* 32-bit ALU ops on pointers produce (meaningless) scalars */\n\t\tif (opcode == BPF_SUB && env->allow_ptr_leaks) {\n\t\t\t__mark_reg_unknown(env, dst_reg);\n\t\t\treturn 0;\n\t\t}\n\n\t\tverbose(env,\n\t\t\t\"R%d 32-bit pointer arithmetic prohibited\\n\",\n\t\t\tdst);\n\t\treturn -EACCES;\n\t}\n\n\tswitch (ptr_reg->type) {\n\tcase PTR_TO_MAP_VALUE_OR_NULL:\n\t\tverbose(env, \"R%d pointer arithmetic on %s prohibited, null-check it first\\n\",\n\t\t\tdst, reg_type_str[ptr_reg->type]);\n\t\treturn -EACCES;\n\tcase CONST_PTR_TO_MAP:\n\t\t/* smin_val represents the known value */\n\t\tif (known && smin_val == 0 && opcode == BPF_ADD)\n\t\t\tbreak;\n\t\tfallthrough;\n\tcase PTR_TO_PACKET_END:\n\tcase PTR_TO_SOCKET:\n\tcase PTR_TO_SOCKET_OR_NULL:\n\tcase PTR_TO_SOCK_COMMON:\n\tcase PTR_TO_SOCK_COMMON_OR_NULL:\n\tcase PTR_TO_TCP_SOCK:\n\tcase PTR_TO_TCP_SOCK_OR_NULL:\n\tcase PTR_TO_XDP_SOCK:\n\t\tverbose(env, \"R%d pointer arithmetic on %s prohibited\\n\",\n\t\t\tdst, reg_type_str[ptr_reg->type]);\n\t\treturn -EACCES;\n\tcase PTR_TO_MAP_VALUE:\n\t\tif (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {\n\t\t\tverbose(env, \"R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\\n\",\n\t\t\t\toff_reg == dst_reg ? dst : src);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tfallthrough;\n\tdefault:\n\t\tbreak;\n\t}\n\n\t/* In case of 'scalar += pointer', dst_reg inherits pointer type and id.\n\t * The id may be overwritten later if we create a new variable offset.\n\t */\n\tdst_reg->type = ptr_reg->type;\n\tdst_reg->id = ptr_reg->id;\n\n\tif (!check_reg_sane_offset(env, off_reg, ptr_reg->type) ||\n\t !check_reg_sane_offset(env, ptr_reg, ptr_reg->type))\n\t\treturn -EINVAL;\n\n\t/* pointer types do not carry 32-bit bounds at the moment. 
*/\n\t__mark_reg32_unbounded(dst_reg);\n\n\tswitch (opcode) {\n\tcase BPF_ADD:\n\t\tret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"R%d tried to add from different maps or paths\\n\", dst);\n\t\t\treturn ret;\n\t\t}\n\t\t/* We can take a fixed offset as long as it doesn't overflow\n\t\t * the s32 'off' field\n\t\t */\n\t\tif (known && (ptr_reg->off + smin_val ==\n\t\t\t (s64)(s32)(ptr_reg->off + smin_val))) {\n\t\t\t/* pointer += K. Accumulate it into fixed offset */\n\t\t\tdst_reg->smin_value = smin_ptr;\n\t\t\tdst_reg->smax_value = smax_ptr;\n\t\t\tdst_reg->umin_value = umin_ptr;\n\t\t\tdst_reg->umax_value = umax_ptr;\n\t\t\tdst_reg->var_off = ptr_reg->var_off;\n\t\t\tdst_reg->off = ptr_reg->off + smin_val;\n\t\t\tdst_reg->raw = ptr_reg->raw;\n\t\t\tbreak;\n\t\t}\n\t\t/* A new variable offset is created. Note that off_reg->off\n\t\t * == 0, since it's a scalar.\n\t\t * dst_reg gets the pointer type and since some positive\n\t\t * integer value was added to the pointer, give it a new 'id'\n\t\t * if it's a PTR_TO_PACKET.\n\t\t * this creates a new 'base' pointer, off_reg (variable) gets\n\t\t * added into the variable offset, and we copy the fixed offset\n\t\t * from ptr_reg.\n\t\t */\n\t\tif (signed_add_overflows(smin_ptr, smin_val) ||\n\t\t signed_add_overflows(smax_ptr, smax_val)) {\n\t\t\tdst_reg->smin_value = S64_MIN;\n\t\t\tdst_reg->smax_value = S64_MAX;\n\t\t} else {\n\t\t\tdst_reg->smin_value = smin_ptr + smin_val;\n\t\t\tdst_reg->smax_value = smax_ptr + smax_val;\n\t\t}\n\t\tif (umin_ptr + umin_val < umin_ptr ||\n\t\t umax_ptr + umax_val < umax_ptr) {\n\t\t\tdst_reg->umin_value = 0;\n\t\t\tdst_reg->umax_value = U64_MAX;\n\t\t} else {\n\t\t\tdst_reg->umin_value = umin_ptr + umin_val;\n\t\t\tdst_reg->umax_value = umax_ptr + umax_val;\n\t\t}\n\t\tdst_reg->var_off = tnum_add(ptr_reg->var_off, off_reg->var_off);\n\t\tdst_reg->off = ptr_reg->off;\n\t\tdst_reg->raw = ptr_reg->raw;\n\t\tif 
(reg_is_pkt_pointer(ptr_reg)) {\n\t\t\tdst_reg->id = ++env->id_gen;\n\t\t\t/* something was added to pkt_ptr, set range to zero */\n\t\t\tmemset(&dst_reg->raw, 0, sizeof(dst_reg->raw));\n\t\t}\n\t\tbreak;\n\tcase BPF_SUB:\n\t\tret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"R%d tried to sub from different maps or paths\\n\", dst);\n\t\t\treturn ret;\n\t\t}\n\t\tif (dst_reg == off_reg) {\n\t\t\t/* scalar -= pointer. Creates an unknown scalar */\n\t\t\tverbose(env, \"R%d tried to subtract pointer from scalar\\n\",\n\t\t\t\tdst);\n\t\t\treturn -EACCES;\n\t\t}\n\t\t/* We don't allow subtraction from FP, because (according to\n\t\t * test_verifier.c test \"invalid fp arithmetic\", JITs might not\n\t\t * be able to deal with it.\n\t\t */\n\t\tif (ptr_reg->type == PTR_TO_STACK) {\n\t\t\tverbose(env, \"R%d subtraction from stack pointer prohibited\\n\",\n\t\t\t\tdst);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tif (known && (ptr_reg->off - smin_val ==\n\t\t\t (s64)(s32)(ptr_reg->off - smin_val))) {\n\t\t\t/* pointer -= K. Subtract it from fixed offset */\n\t\t\tdst_reg->smin_value = smin_ptr;\n\t\t\tdst_reg->smax_value = smax_ptr;\n\t\t\tdst_reg->umin_value = umin_ptr;\n\t\t\tdst_reg->umax_value = umax_ptr;\n\t\t\tdst_reg->var_off = ptr_reg->var_off;\n\t\t\tdst_reg->id = ptr_reg->id;\n\t\t\tdst_reg->off = ptr_reg->off - smin_val;\n\t\t\tdst_reg->raw = ptr_reg->raw;\n\t\t\tbreak;\n\t\t}\n\t\t/* A new variable offset is created. 
If the subtrahend is known\n\t\t * nonnegative, then any reg->range we had before is still good.\n\t\t */\n\t\tif (signed_sub_overflows(smin_ptr, smax_val) ||\n\t\t signed_sub_overflows(smax_ptr, smin_val)) {\n\t\t\t/* Overflow possible, we know nothing */\n\t\t\tdst_reg->smin_value = S64_MIN;\n\t\t\tdst_reg->smax_value = S64_MAX;\n\t\t} else {\n\t\t\tdst_reg->smin_value = smin_ptr - smax_val;\n\t\t\tdst_reg->smax_value = smax_ptr - smin_val;\n\t\t}\n\t\tif (umin_ptr < umax_val) {\n\t\t\t/* Overflow possible, we know nothing */\n\t\t\tdst_reg->umin_value = 0;\n\t\t\tdst_reg->umax_value = U64_MAX;\n\t\t} else {\n\t\t\t/* Cannot overflow (as long as bounds are consistent) */\n\t\t\tdst_reg->umin_value = umin_ptr - umax_val;\n\t\t\tdst_reg->umax_value = umax_ptr - umin_val;\n\t\t}\n\t\tdst_reg->var_off = tnum_sub(ptr_reg->var_off, off_reg->var_off);\n\t\tdst_reg->off = ptr_reg->off;\n\t\tdst_reg->raw = ptr_reg->raw;\n\t\tif (reg_is_pkt_pointer(ptr_reg)) {\n\t\t\tdst_reg->id = ++env->id_gen;\n\t\t\t/* something was added to pkt_ptr, set range to zero */\n\t\t\tif (smin_val < 0)\n\t\t\t\tmemset(&dst_reg->raw, 0, sizeof(dst_reg->raw));\n\t\t}\n\t\tbreak;\n\tcase BPF_AND:\n\tcase BPF_OR:\n\tcase BPF_XOR:\n\t\t/* bitwise ops on pointers are troublesome, prohibit. */\n\t\tverbose(env, \"R%d bitwise operator %s on pointer prohibited\\n\",\n\t\t\tdst, bpf_alu_string[opcode >> 4]);\n\t\treturn -EACCES;\n\tdefault:\n\t\t/* other operators (e.g. 
MUL,LSH) produce non-pointer results */\n\t\tverbose(env, \"R%d pointer arithmetic with %s operator prohibited\\n\",\n\t\t\tdst, bpf_alu_string[opcode >> 4]);\n\t\treturn -EACCES;\n\t}\n\n\tif (!check_reg_sane_offset(env, dst_reg, ptr_reg->type))\n\t\treturn -EINVAL;\n\n\t__update_reg_bounds(dst_reg);\n\t__reg_deduce_bounds(dst_reg);\n\t__reg_bound_offset(dst_reg);\n\n\t/* For unprivileged we require that resulting offset must be in bounds\n\t * in order to be able to sanitize access later on.\n\t */\n\tif (!env->bypass_spec_v1) {\n\t\tif (dst_reg->type == PTR_TO_MAP_VALUE &&\n\t\t check_map_access(env, dst, dst_reg->off, 1, false)) {\n\t\t\tverbose(env, \"R%d pointer arithmetic of map value goes out of range, \"\n\t\t\t\t\"prohibited for !root\\n\", dst);\n\t\t\treturn -EACCES;\n\t\t} else if (dst_reg->type == PTR_TO_STACK &&\n\t\t\t check_stack_access(env, dst_reg, dst_reg->off +\n\t\t\t\t\t dst_reg->var_off.value, 1)) {\n\t\t\tverbose(env, \"R%d stack pointer arithmetic goes out of range, \"\n\t\t\t\t\"prohibited for !root\\n\", dst);\n\t\t\treturn -EACCES;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 105594369169034492273382090284508855717, "size": 248, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 
R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. 
Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456521 }, { "func": "static void scalar32_min_max_rsh(struct bpf_reg_state *dst_reg,\n\t\t\t\t struct bpf_reg_state *src_reg)\n{\n\tstruct tnum subreg = tnum_subreg(dst_reg->var_off);\n\tu32 umax_val = src_reg->u32_max_value;\n\tu32 umin_val = src_reg->u32_min_value;\n\n\t/* BPF_RSH is an unsigned shift. If the value in dst_reg might\n\t * be negative, then either:\n\t * 1) src_reg might be zero, so the sign bit of the result is\n\t * unknown, so we lose our signed bounds\n\t * 2) it's known negative, thus the unsigned bounds capture the\n\t * signed bounds\n\t * 3) the signed bounds cross zero, so they tell us nothing\n\t * about the result\n\t * If the value in dst_reg is known nonnegative, then again the\n\t * unsigned bounts capture the signed bounds.\n\t * Thus, in all cases it suffices to blow away our signed bounds\n\t * and rely on inferring new ones from the unsigned bounds and\n\t * var_off of the result.\n\t */\n\tdst_reg->s32_min_value = S32_MIN;\n\tdst_reg->s32_max_value = S32_MAX;\n\n\tdst_reg->var_off = tnum_rshift(subreg, umin_val);\n\tdst_reg->u32_min_value >>= umax_val;\n\tdst_reg->u32_max_value >>= umin_val;\n\n\t__mark_reg64_unbounded(dst_reg);\n\t__update_reg32_bounds(dst_reg);\n}", "project": "linux", "hash": 86538237346265060130371586971411864083, "size": 31, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 
bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. 
Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 
bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328506 }, { "func": "static int jit_subprogs(struct bpf_verifier_env *env)\n{\n\tstruct bpf_prog *prog = env->prog, **func, *tmp;\n\tint i, j, subprog_start, subprog_end = 0, len, subprog;\n\tstruct bpf_insn *insn;\n\tvoid *old_bpf_func;\n\tint err;\n\n\tif (env->subprog_cnt <= 1)\n\t\treturn 0;\n\n\tfor (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {\n\t\tif (insn->code != (BPF_JMP | BPF_CALL) ||\n\t\t insn->src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\t/* Upon error here we cannot fall back to interpreter but\n\t\t * need a hard reject of the program. Thus -EFAULT is\n\t\t * propagated in any case.\n\t\t */\n\t\tsubprog = find_subprog(env, i + insn->imm + 1);\n\t\tif (subprog < 0) {\n\t\t\tWARN_ONCE(1, \"verifier bug. No program starts at insn %d\\n\",\n\t\t\t\t i + insn->imm + 1);\n\t\t\treturn -EFAULT;\n\t\t}\n\t\t/* temporarily remember subprog id inside insn instead of\n\t\t * aux_data, since next loop will split up all insns into funcs\n\t\t */\n\t\tinsn->off = subprog;\n\t\t/* remember original imm in case JIT fails and fallback\n\t\t * to interpreter will be needed\n\t\t */\n\t\tenv->insn_aux_data[i].call_imm = insn->imm;\n\t\t/* point imm to __bpf_call_base+1 from JITs point of view */\n\t\tinsn->imm = 1;\n\t}\n\n\terr = bpf_prog_alloc_jited_linfo(prog);\n\tif (err)\n\t\tgoto out_undo_insn;\n\n\terr = -ENOMEM;\n\tfunc = kcalloc(env->subprog_cnt, sizeof(prog), GFP_KERNEL);\n\tif (!func)\n\t\tgoto out_undo_insn;\n\n\tfor (i = 0; i < env->subprog_cnt; i++) {\n\t\tsubprog_start = subprog_end;\n\t\tsubprog_end = env->subprog_info[i + 1].start;\n\n\t\tlen = subprog_end - subprog_start;\n\t\t/* BPF_PROG_RUN doesn't call subprogs directly,\n\t\t * hence main prog stats include the runtime of subprogs.\n\t\t * subprogs don't have IDs and not reachable via 
prog_get_next_id\n\t\t * func[i]->aux->stats will never be accessed and stays NULL\n\t\t */\n\t\tfunc[i] = bpf_prog_alloc_no_stats(bpf_prog_size(len), GFP_USER);\n\t\tif (!func[i])\n\t\t\tgoto out_free;\n\t\tmemcpy(func[i]->insnsi, &prog->insnsi[subprog_start],\n\t\t len * sizeof(struct bpf_insn));\n\t\tfunc[i]->type = prog->type;\n\t\tfunc[i]->len = len;\n\t\tif (bpf_prog_calc_tag(func[i]))\n\t\t\tgoto out_free;\n\t\tfunc[i]->is_func = 1;\n\t\tfunc[i]->aux->func_idx = i;\n\t\t/* the btf and func_info will be freed only at prog->aux */\n\t\tfunc[i]->aux->btf = prog->aux->btf;\n\t\tfunc[i]->aux->func_info = prog->aux->func_info;\n\n\t\t/* Use bpf_prog_F_tag to indicate functions in stack traces.\n\t\t * Long term would need debug info to populate names\n\t\t */\n\t\tfunc[i]->aux->name[0] = 'F';\n\t\tfunc[i]->aux->stack_depth = env->subprog_info[i].stack_depth;\n\t\tfunc[i]->jit_requested = 1;\n\t\tfunc[i]->aux->linfo = prog->aux->linfo;\n\t\tfunc[i]->aux->nr_linfo = prog->aux->nr_linfo;\n\t\tfunc[i]->aux->jited_linfo = prog->aux->jited_linfo;\n\t\tfunc[i]->aux->linfo_idx = env->subprog_info[i].linfo_idx;\n\t\tfunc[i] = bpf_int_jit_compile(func[i]);\n\t\tif (!func[i]->jited) {\n\t\t\terr = -ENOTSUPP;\n\t\t\tgoto out_free;\n\t\t}\n\t\tcond_resched();\n\t}\n\t/* at this point all bpf functions were successfully JITed\n\t * now populate all bpf_calls with correct addresses and\n\t * run last pass of JIT\n\t */\n\tfor (i = 0; i < env->subprog_cnt; i++) {\n\t\tinsn = func[i]->insnsi;\n\t\tfor (j = 0; j < func[i]->len; j++, insn++) {\n\t\t\tif (insn->code != (BPF_JMP | BPF_CALL) ||\n\t\t\t insn->src_reg != BPF_PSEUDO_CALL)\n\t\t\t\tcontinue;\n\t\t\tsubprog = insn->off;\n\t\t\tinsn->imm = BPF_CAST_CALL(func[subprog]->bpf_func) -\n\t\t\t\t __bpf_call_base;\n\t\t}\n\n\t\t/* we use the aux data to keep a list of the start addresses\n\t\t * of the JITed images for each function in the program\n\t\t *\n\t\t * for some architectures, such as powerpc64, the imm field\n\t\t * might 
not be large enough to hold the offset of the start\n\t\t * address of the callee's JITed image from __bpf_call_base\n\t\t *\n\t\t * in such cases, we can lookup the start address of a callee\n\t\t * by using its subprog id, available from the off field of\n\t\t * the call instruction, as an index for this list\n\t\t */\n\t\tfunc[i]->aux->func = func;\n\t\tfunc[i]->aux->func_cnt = env->subprog_cnt;\n\t}\n\tfor (i = 0; i < env->subprog_cnt; i++) {\n\t\told_bpf_func = func[i]->bpf_func;\n\t\ttmp = bpf_int_jit_compile(func[i]);\n\t\tif (tmp != func[i] || func[i]->bpf_func != old_bpf_func) {\n\t\t\tverbose(env, \"JIT doesn't support bpf-to-bpf calls\\n\");\n\t\t\terr = -ENOTSUPP;\n\t\t\tgoto out_free;\n\t\t}\n\t\tcond_resched();\n\t}\n\n\t/* finally lock prog and jit images for all functions and\n\t * populate kallsysm\n\t */\n\tfor (i = 0; i < env->subprog_cnt; i++) {\n\t\tbpf_prog_lock_ro(func[i]);\n\t\tbpf_prog_kallsyms_add(func[i]);\n\t}\n\n\t/* Last step: make now unused interpreter insns from main\n\t * prog consistent for later dump requests, so they can\n\t * later look the same as if they were interpreted only.\n\t */\n\tfor (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {\n\t\tif (insn->code != (BPF_JMP | BPF_CALL) ||\n\t\t insn->src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\tinsn->off = env->insn_aux_data[i].call_imm;\n\t\tsubprog = find_subprog(env, i + insn->off + 1);\n\t\tinsn->imm = subprog;\n\t}\n\n\tprog->jited = 1;\n\tprog->bpf_func = func[0]->bpf_func;\n\tprog->aux->func = func;\n\tprog->aux->func_cnt = env->subprog_cnt;\n\tbpf_prog_free_unused_jited_linfo(prog);\n\treturn 0;\nout_free:\n\tfor (i = 0; i < env->subprog_cnt; i++)\n\t\tif (func[i])\n\t\t\tbpf_jit_free(func[i]);\n\tkfree(func);\nout_undo_insn:\n\t/* cleanup main prog to be interpreted */\n\tprog->jit_requested = 0;\n\tfor (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {\n\t\tif (insn->code != (BPF_JMP | BPF_CALL) ||\n\t\t insn->src_reg != 
BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\tinsn->off = 0;\n\t\tinsn->imm = env->insn_aux_data[i].call_imm;\n\t}\n\tbpf_prog_free_jited_linfo(prog);\n\treturn err;\n}", "project": "linux", "hash": 147308017931836189867996257630649835323, "size": 173, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232476 }, { "func": "static int jit_subprogs(struct bpf_verifier_env *env)\n{\n\tstruct bpf_prog *prog = env->prog, **func, *tmp;\n\tint i, j, subprog_start, subprog_end = 0, len, subprog;\n\tstruct bpf_insn *insn;\n\tvoid *old_bpf_func;\n\tint err, num_exentries;\n\n\tif (env->subprog_cnt <= 1)\n\t\treturn 0;\n\n\tfor (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {\n\t\tif (insn->code != (BPF_JMP | BPF_CALL) ||\n\t\t insn->src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\t/* Upon error here we cannot fall back to interpreter but\n\t\t * need a hard reject of the program. Thus -EFAULT is\n\t\t * propagated in any case.\n\t\t */\n\t\tsubprog = find_subprog(env, i + insn->imm + 1);\n\t\tif (subprog < 0) {\n\t\t\tWARN_ONCE(1, \"verifier bug. 
No program starts at insn %d\\n\",\n\t\t\t\t i + insn->imm + 1);\n\t\t\treturn -EFAULT;\n\t\t}\n\t\t/* temporarily remember subprog id inside insn instead of\n\t\t * aux_data, since next loop will split up all insns into funcs\n\t\t */\n\t\tinsn->off = subprog;\n\t\t/* remember original imm in case JIT fails and fallback\n\t\t * to interpreter will be needed\n\t\t */\n\t\tenv->insn_aux_data[i].call_imm = insn->imm;\n\t\t/* point imm to __bpf_call_base+1 from JITs point of view */\n\t\tinsn->imm = 1;\n\t}\n\n\terr = bpf_prog_alloc_jited_linfo(prog);\n\tif (err)\n\t\tgoto out_undo_insn;\n\n\terr = -ENOMEM;\n\tfunc = kcalloc(env->subprog_cnt, sizeof(prog), GFP_KERNEL);\n\tif (!func)\n\t\tgoto out_undo_insn;\n\n\tfor (i = 0; i < env->subprog_cnt; i++) {\n\t\tsubprog_start = subprog_end;\n\t\tsubprog_end = env->subprog_info[i + 1].start;\n\n\t\tlen = subprog_end - subprog_start;\n\t\t/* BPF_PROG_RUN doesn't call subprogs directly,\n\t\t * hence main prog stats include the runtime of subprogs.\n\t\t * subprogs don't have IDs and not reachable via prog_get_next_id\n\t\t * func[i]->aux->stats will never be accessed and stays NULL\n\t\t */\n\t\tfunc[i] = bpf_prog_alloc_no_stats(bpf_prog_size(len), GFP_USER);\n\t\tif (!func[i])\n\t\t\tgoto out_free;\n\t\tmemcpy(func[i]->insnsi, &prog->insnsi[subprog_start],\n\t\t len * sizeof(struct bpf_insn));\n\t\tfunc[i]->type = prog->type;\n\t\tfunc[i]->len = len;\n\t\tif (bpf_prog_calc_tag(func[i]))\n\t\t\tgoto out_free;\n\t\tfunc[i]->is_func = 1;\n\t\tfunc[i]->aux->func_idx = i;\n\t\t/* the btf and func_info will be freed only at prog->aux */\n\t\tfunc[i]->aux->btf = prog->aux->btf;\n\t\tfunc[i]->aux->func_info = prog->aux->func_info;\n\n\t\t/* Use bpf_prog_F_tag to indicate functions in stack traces.\n\t\t * Long term would need debug info to populate names\n\t\t */\n\t\tfunc[i]->aux->name[0] = 'F';\n\t\tfunc[i]->aux->stack_depth = env->subprog_info[i].stack_depth;\n\t\tfunc[i]->jit_requested = 1;\n\t\tfunc[i]->aux->linfo = 
prog->aux->linfo;\n\t\tfunc[i]->aux->nr_linfo = prog->aux->nr_linfo;\n\t\tfunc[i]->aux->jited_linfo = prog->aux->jited_linfo;\n\t\tfunc[i]->aux->linfo_idx = env->subprog_info[i].linfo_idx;\n\t\tnum_exentries = 0;\n\t\tinsn = func[i]->insnsi;\n\t\tfor (j = 0; j < func[i]->len; j++, insn++) {\n\t\t\tif (BPF_CLASS(insn->code) == BPF_LDX &&\n\t\t\t BPF_MODE(insn->code) == BPF_PROBE_MEM)\n\t\t\t\tnum_exentries++;\n\t\t}\n\t\tfunc[i]->aux->num_exentries = num_exentries;\n\t\tfunc[i] = bpf_int_jit_compile(func[i]);\n\t\tif (!func[i]->jited) {\n\t\t\terr = -ENOTSUPP;\n\t\t\tgoto out_free;\n\t\t}\n\t\tcond_resched();\n\t}\n\t/* at this point all bpf functions were successfully JITed\n\t * now populate all bpf_calls with correct addresses and\n\t * run last pass of JIT\n\t */\n\tfor (i = 0; i < env->subprog_cnt; i++) {\n\t\tinsn = func[i]->insnsi;\n\t\tfor (j = 0; j < func[i]->len; j++, insn++) {\n\t\t\tif (insn->code != (BPF_JMP | BPF_CALL) ||\n\t\t\t insn->src_reg != BPF_PSEUDO_CALL)\n\t\t\t\tcontinue;\n\t\t\tsubprog = insn->off;\n\t\t\tinsn->imm = BPF_CAST_CALL(func[subprog]->bpf_func) -\n\t\t\t\t __bpf_call_base;\n\t\t}\n\n\t\t/* we use the aux data to keep a list of the start addresses\n\t\t * of the JITed images for each function in the program\n\t\t *\n\t\t * for some architectures, such as powerpc64, the imm field\n\t\t * might not be large enough to hold the offset of the start\n\t\t * address of the callee's JITed image from __bpf_call_base\n\t\t *\n\t\t * in such cases, we can lookup the start address of a callee\n\t\t * by using its subprog id, available from the off field of\n\t\t * the call instruction, as an index for this list\n\t\t */\n\t\tfunc[i]->aux->func = func;\n\t\tfunc[i]->aux->func_cnt = env->subprog_cnt;\n\t}\n\tfor (i = 0; i < env->subprog_cnt; i++) {\n\t\told_bpf_func = func[i]->bpf_func;\n\t\ttmp = bpf_int_jit_compile(func[i]);\n\t\tif (tmp != func[i] || func[i]->bpf_func != old_bpf_func) {\n\t\t\tverbose(env, \"JIT doesn't support bpf-to-bpf 
calls\\n\");\n\t\t\terr = -ENOTSUPP;\n\t\t\tgoto out_free;\n\t\t}\n\t\tcond_resched();\n\t}\n\n\t/* finally lock prog and jit images for all functions and\n\t * populate kallsysm\n\t */\n\tfor (i = 0; i < env->subprog_cnt; i++) {\n\t\tbpf_prog_lock_ro(func[i]);\n\t\tbpf_prog_kallsyms_add(func[i]);\n\t}\n\n\t/* Last step: make now unused interpreter insns from main\n\t * prog consistent for later dump requests, so they can\n\t * later look the same as if they were interpreted only.\n\t */\n\tfor (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {\n\t\tif (insn->code != (BPF_JMP | BPF_CALL) ||\n\t\t insn->src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\tinsn->off = env->insn_aux_data[i].call_imm;\n\t\tsubprog = find_subprog(env, i + insn->off + 1);\n\t\tinsn->imm = subprog;\n\t}\n\n\tprog->jited = 1;\n\tprog->bpf_func = func[0]->bpf_func;\n\tprog->aux->func = func;\n\tprog->aux->func_cnt = env->subprog_cnt;\n\tbpf_prog_free_unused_jited_linfo(prog);\n\treturn 0;\nout_free:\n\tfor (i = 0; i < env->subprog_cnt; i++)\n\t\tif (func[i])\n\t\t\tbpf_jit_free(func[i]);\n\tkfree(func);\nout_undo_insn:\n\t/* cleanup main prog to be interpreted */\n\tprog->jit_requested = 0;\n\tfor (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {\n\t\tif (insn->code != (BPF_JMP | BPF_CALL) ||\n\t\t insn->src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\tinsn->off = 0;\n\t\tinsn->imm = env->insn_aux_data[i].call_imm;\n\t}\n\tbpf_prog_free_jited_linfo(prog);\n\treturn err;\n}", "project": "linux", "hash": 62969906582922269577415181821466864612, "size": 181, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328507 }, { "func": "static int jit_subprogs(struct bpf_verifier_env *env)\n{\n\tstruct bpf_prog *prog = env->prog, **func, *tmp;\n\tint i, j, subprog_start, subprog_end = 0, len, subprog;\n\tstruct bpf_map *map_ptr;\n\tstruct bpf_insn *insn;\n\tvoid *old_bpf_func;\n\tint err, num_exentries;\n\n\tif (env->subprog_cnt <= 1)\n\t\treturn 0;\n\n\tfor (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {\n\t\tif (insn->code != (BPF_JMP | BPF_CALL) ||\n\t\t insn->src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\t/* Upon error here we cannot fall back to interpreter but\n\t\t * need a hard reject of the program. Thus -EFAULT is\n\t\t * propagated in any case.\n\t\t */\n\t\tsubprog = find_subprog(env, i + insn->imm + 1);\n\t\tif (subprog < 0) {\n\t\t\tWARN_ONCE(1, \"verifier bug. No program starts at insn %d\\n\",\n\t\t\t\t i + insn->imm + 1);\n\t\t\treturn -EFAULT;\n\t\t}\n\t\t/* temporarily remember subprog id inside insn instead of\n\t\t * aux_data, since next loop will split up all insns into funcs\n\t\t */\n\t\tinsn->off = subprog;\n\t\t/* remember original imm in case JIT fails and fallback\n\t\t * to interpreter will be needed\n\t\t */\n\t\tenv->insn_aux_data[i].call_imm = insn->imm;\n\t\t/* point imm to __bpf_call_base+1 from JITs point of view */\n\t\tinsn->imm = 1;\n\t}\n\n\terr = bpf_prog_alloc_jited_linfo(prog);\n\tif (err)\n\t\tgoto out_undo_insn;\n\n\terr = -ENOMEM;\n\tfunc = kcalloc(env->subprog_cnt, sizeof(prog), GFP_KERNEL);\n\tif (!func)\n\t\tgoto out_undo_insn;\n\n\tfor (i = 0; i < env->subprog_cnt; i++) {\n\t\tsubprog_start = subprog_end;\n\t\tsubprog_end = env->subprog_info[i + 1].start;\n\n\t\tlen = subprog_end - subprog_start;\n\t\t/* BPF_PROG_RUN doesn't call subprogs directly,\n\t\t * hence main prog stats include the runtime of subprogs.\n\t\t * subprogs don't have IDs and not reachable via 
prog_get_next_id\n\t\t * func[i]->aux->stats will never be accessed and stays NULL\n\t\t */\n\t\tfunc[i] = bpf_prog_alloc_no_stats(bpf_prog_size(len), GFP_USER);\n\t\tif (!func[i])\n\t\t\tgoto out_free;\n\t\tmemcpy(func[i]->insnsi, &prog->insnsi[subprog_start],\n\t\t len * sizeof(struct bpf_insn));\n\t\tfunc[i]->type = prog->type;\n\t\tfunc[i]->len = len;\n\t\tif (bpf_prog_calc_tag(func[i]))\n\t\t\tgoto out_free;\n\t\tfunc[i]->is_func = 1;\n\t\tfunc[i]->aux->func_idx = i;\n\t\t/* the btf and func_info will be freed only at prog->aux */\n\t\tfunc[i]->aux->btf = prog->aux->btf;\n\t\tfunc[i]->aux->func_info = prog->aux->func_info;\n\n\t\tfor (j = 0; j < prog->aux->size_poke_tab; j++) {\n\t\t\tu32 insn_idx = prog->aux->poke_tab[j].insn_idx;\n\t\t\tint ret;\n\n\t\t\tif (!(insn_idx >= subprog_start &&\n\t\t\t insn_idx <= subprog_end))\n\t\t\t\tcontinue;\n\n\t\t\tret = bpf_jit_add_poke_descriptor(func[i],\n\t\t\t\t\t\t\t &prog->aux->poke_tab[j]);\n\t\t\tif (ret < 0) {\n\t\t\t\tverbose(env, \"adding tail call poke descriptor failed\\n\");\n\t\t\t\tgoto out_free;\n\t\t\t}\n\n\t\t\tfunc[i]->insnsi[insn_idx - subprog_start].imm = ret + 1;\n\n\t\t\tmap_ptr = func[i]->aux->poke_tab[ret].tail_call.map;\n\t\t\tret = map_ptr->ops->map_poke_track(map_ptr, func[i]->aux);\n\t\t\tif (ret < 0) {\n\t\t\t\tverbose(env, \"tracking tail call prog failed\\n\");\n\t\t\t\tgoto out_free;\n\t\t\t}\n\t\t}\n\n\t\t/* Use bpf_prog_F_tag to indicate functions in stack traces.\n\t\t * Long term would need debug info to populate names\n\t\t */\n\t\tfunc[i]->aux->name[0] = 'F';\n\t\tfunc[i]->aux->stack_depth = env->subprog_info[i].stack_depth;\n\t\tfunc[i]->jit_requested = 1;\n\t\tfunc[i]->aux->linfo = prog->aux->linfo;\n\t\tfunc[i]->aux->nr_linfo = prog->aux->nr_linfo;\n\t\tfunc[i]->aux->jited_linfo = prog->aux->jited_linfo;\n\t\tfunc[i]->aux->linfo_idx = env->subprog_info[i].linfo_idx;\n\t\tnum_exentries = 0;\n\t\tinsn = func[i]->insnsi;\n\t\tfor (j = 0; j < func[i]->len; j++, insn++) {\n\t\t\tif 
(BPF_CLASS(insn->code) == BPF_LDX &&\n\t\t\t BPF_MODE(insn->code) == BPF_PROBE_MEM)\n\t\t\t\tnum_exentries++;\n\t\t}\n\t\tfunc[i]->aux->num_exentries = num_exentries;\n\t\tfunc[i]->aux->tail_call_reachable = env->subprog_info[i].tail_call_reachable;\n\t\tfunc[i] = bpf_int_jit_compile(func[i]);\n\t\tif (!func[i]->jited) {\n\t\t\terr = -ENOTSUPP;\n\t\t\tgoto out_free;\n\t\t}\n\t\tcond_resched();\n\t}\n\n\t/* Untrack main program's aux structs so that during map_poke_run()\n\t * we will not stumble upon the unfilled poke descriptors; each\n\t * of the main program's poke descs got distributed across subprogs\n\t * and got tracked onto map, so we are sure that none of them will\n\t * be missed after the operation below\n\t */\n\tfor (i = 0; i < prog->aux->size_poke_tab; i++) {\n\t\tmap_ptr = prog->aux->poke_tab[i].tail_call.map;\n\n\t\tmap_ptr->ops->map_poke_untrack(map_ptr, prog->aux);\n\t}\n\n\t/* at this point all bpf functions were successfully JITed\n\t * now populate all bpf_calls with correct addresses and\n\t * run last pass of JIT\n\t */\n\tfor (i = 0; i < env->subprog_cnt; i++) {\n\t\tinsn = func[i]->insnsi;\n\t\tfor (j = 0; j < func[i]->len; j++, insn++) {\n\t\t\tif (insn->code != (BPF_JMP | BPF_CALL) ||\n\t\t\t insn->src_reg != BPF_PSEUDO_CALL)\n\t\t\t\tcontinue;\n\t\t\tsubprog = insn->off;\n\t\t\tinsn->imm = BPF_CAST_CALL(func[subprog]->bpf_func) -\n\t\t\t\t __bpf_call_base;\n\t\t}\n\n\t\t/* we use the aux data to keep a list of the start addresses\n\t\t * of the JITed images for each function in the program\n\t\t *\n\t\t * for some architectures, such as powerpc64, the imm field\n\t\t * might not be large enough to hold the offset of the start\n\t\t * address of the callee's JITed image from __bpf_call_base\n\t\t *\n\t\t * in such cases, we can lookup the start address of a callee\n\t\t * by using its subprog id, available from the off field of\n\t\t * the call instruction, as an index for this list\n\t\t */\n\t\tfunc[i]->aux->func = 
func;\n\t\tfunc[i]->aux->func_cnt = env->subprog_cnt;\n\t}\n\tfor (i = 0; i < env->subprog_cnt; i++) {\n\t\told_bpf_func = func[i]->bpf_func;\n\t\ttmp = bpf_int_jit_compile(func[i]);\n\t\tif (tmp != func[i] || func[i]->bpf_func != old_bpf_func) {\n\t\t\tverbose(env, \"JIT doesn't support bpf-to-bpf calls\\n\");\n\t\t\terr = -ENOTSUPP;\n\t\t\tgoto out_free;\n\t\t}\n\t\tcond_resched();\n\t}\n\n\t/* finally lock prog and jit images for all functions and\n\t * populate kallsysm\n\t */\n\tfor (i = 0; i < env->subprog_cnt; i++) {\n\t\tbpf_prog_lock_ro(func[i]);\n\t\tbpf_prog_kallsyms_add(func[i]);\n\t}\n\n\t/* Last step: make now unused interpreter insns from main\n\t * prog consistent for later dump requests, so they can\n\t * later look the same as if they were interpreted only.\n\t */\n\tfor (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {\n\t\tif (insn->code != (BPF_JMP | BPF_CALL) ||\n\t\t insn->src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\tinsn->off = env->insn_aux_data[i].call_imm;\n\t\tsubprog = find_subprog(env, i + insn->off + 1);\n\t\tinsn->imm = subprog;\n\t}\n\n\tprog->jited = 1;\n\tprog->bpf_func = func[0]->bpf_func;\n\tprog->aux->func = func;\n\tprog->aux->func_cnt = env->subprog_cnt;\n\tbpf_prog_free_unused_jited_linfo(prog);\n\treturn 0;\nout_free:\n\tfor (i = 0; i < env->subprog_cnt; i++) {\n\t\tif (!func[i])\n\t\t\tcontinue;\n\n\t\tfor (j = 0; j < func[i]->aux->size_poke_tab; j++) {\n\t\t\tmap_ptr = func[i]->aux->poke_tab[j].tail_call.map;\n\t\t\tmap_ptr->ops->map_poke_untrack(map_ptr, func[i]->aux);\n\t\t}\n\t\tbpf_jit_free(func[i]);\n\t}\n\tkfree(func);\nout_undo_insn:\n\t/* cleanup main prog to be interpreted */\n\tprog->jit_requested = 0;\n\tfor (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {\n\t\tif (insn->code != (BPF_JMP | BPF_CALL) ||\n\t\t insn->src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\tinsn->off = 0;\n\t\tinsn->imm = env->insn_aux_data[i].call_imm;\n\t}\n\tbpf_prog_free_jited_linfo(prog);\n\treturn err;\n}", 
"project": "linux", "hash": 129814830686115920767386056250778391623, "size": 228, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). 
However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456511 }, { "func": "static void print_verifier_state(struct bpf_verifier_env *env,\n\t\t\t\t const struct bpf_func_state *state)\n{\n\tconst struct bpf_reg_state *reg;\n\tenum bpf_reg_type t;\n\tint i;\n\n\tif (state->frameno)\n\t\tverbose(env, \" frame%d:\", state->frameno);\n\tfor (i = 0; i < MAX_BPF_REG; i++) {\n\t\treg = &state->regs[i];\n\t\tt = reg->type;\n\t\tif (t == NOT_INIT)\n\t\t\tcontinue;\n\t\tverbose(env, \" R%d\", i);\n\t\tprint_liveness(env, reg->live);\n\t\tverbose(env, \"=%s\", reg_type_str[t]);\n\t\tif (t == SCALAR_VALUE && reg->precise)\n\t\t\tverbose(env, \"P\");\n\t\tif ((t == SCALAR_VALUE || t == PTR_TO_STACK) &&\n\t\t tnum_is_const(reg->var_off)) {\n\t\t\t/* reg->off should be 0 for SCALAR_VALUE */\n\t\t\tverbose(env, \"%lld\", reg->var_off.value + reg->off);\n\t\t} else {\n\t\t\tif (t == PTR_TO_BTF_ID)\n\t\t\t\tverbose(env, \"%s\", kernel_type_name(reg->btf_id));\n\t\t\tverbose(env, 
\"(id=%d\", reg->id);\n\t\t\tif (reg_type_may_be_refcounted_or_null(t))\n\t\t\t\tverbose(env, \",ref_obj_id=%d\", reg->ref_obj_id);\n\t\t\tif (t != SCALAR_VALUE)\n\t\t\t\tverbose(env, \",off=%d\", reg->off);\n\t\t\tif (type_is_pkt_pointer(t))\n\t\t\t\tverbose(env, \",r=%d\", reg->range);\n\t\t\telse if (t == CONST_PTR_TO_MAP ||\n\t\t\t\t t == PTR_TO_MAP_VALUE ||\n\t\t\t\t t == PTR_TO_MAP_VALUE_OR_NULL)\n\t\t\t\tverbose(env, \",ks=%d,vs=%d\",\n\t\t\t\t\treg->map_ptr->key_size,\n\t\t\t\t\treg->map_ptr->value_size);\n\t\t\tif (tnum_is_const(reg->var_off)) {\n\t\t\t\t/* Typically an immediate SCALAR_VALUE, but\n\t\t\t\t * could be a pointer whose offset is too big\n\t\t\t\t * for reg->off\n\t\t\t\t */\n\t\t\t\tverbose(env, \",imm=%llx\", reg->var_off.value);\n\t\t\t} else {\n\t\t\t\tif (reg->smin_value != reg->umin_value &&\n\t\t\t\t reg->smin_value != S64_MIN)\n\t\t\t\t\tverbose(env, \",smin_value=%lld\",\n\t\t\t\t\t\t(long long)reg->smin_value);\n\t\t\t\tif (reg->smax_value != reg->umax_value &&\n\t\t\t\t reg->smax_value != S64_MAX)\n\t\t\t\t\tverbose(env, \",smax_value=%lld\",\n\t\t\t\t\t\t(long long)reg->smax_value);\n\t\t\t\tif (reg->umin_value != 0)\n\t\t\t\t\tverbose(env, \",umin_value=%llu\",\n\t\t\t\t\t\t(unsigned long long)reg->umin_value);\n\t\t\t\tif (reg->umax_value != U64_MAX)\n\t\t\t\t\tverbose(env, \",umax_value=%llu\",\n\t\t\t\t\t\t(unsigned long long)reg->umax_value);\n\t\t\t\tif (!tnum_is_unknown(reg->var_off)) {\n\t\t\t\t\tchar tn_buf[48];\n\n\t\t\t\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\t\t\t\tverbose(env, \",var_off=%s\", tn_buf);\n\t\t\t\t}\n\t\t\t}\n\t\t\tverbose(env, \")\");\n\t\t}\n\t}\n\tfor (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {\n\t\tchar types_buf[BPF_REG_SIZE + 1];\n\t\tbool valid = false;\n\t\tint j;\n\n\t\tfor (j = 0; j < BPF_REG_SIZE; j++) {\n\t\t\tif (state->stack[i].slot_type[j] != STACK_INVALID)\n\t\t\t\tvalid = true;\n\t\t\ttypes_buf[j] = 
slot_type_char[\n\t\t\t\t\tstate->stack[i].slot_type[j]];\n\t\t}\n\t\ttypes_buf[BPF_REG_SIZE] = 0;\n\t\tif (!valid)\n\t\t\tcontinue;\n\t\tverbose(env, \" fp%d\", (-i - 1) * BPF_REG_SIZE);\n\t\tprint_liveness(env, state->stack[i].spilled_ptr.live);\n\t\tif (state->stack[i].slot_type[0] == STACK_SPILL) {\n\t\t\treg = &state->stack[i].spilled_ptr;\n\t\t\tt = reg->type;\n\t\t\tverbose(env, \"=%s\", reg_type_str[t]);\n\t\t\tif (t == SCALAR_VALUE && reg->precise)\n\t\t\t\tverbose(env, \"P\");\n\t\t\tif (t == SCALAR_VALUE && tnum_is_const(reg->var_off))\n\t\t\t\tverbose(env, \"%lld\", reg->var_off.value + reg->off);\n\t\t} else {\n\t\t\tverbose(env, \"=%s\", types_buf);\n\t\t}\n\t}\n\tif (state->acquired_refs && state->refs[0].id) {\n\t\tverbose(env, \" refs=%d\", state->refs[0].id);\n\t\tfor (i = 1; i < state->acquired_refs; i++)\n\t\t\tif (state->refs[i].id)\n\t\t\t\tverbose(env, \",%d\", state->refs[i].id);\n\t}\n\tverbose(env, \"\\n\");\n}", "project": "linux", "hash": 69974483809674111509845491090985312108, "size": 106, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232617 }, { "func": "static void print_verifier_state(struct bpf_verifier_env *env,\n\t\t\t\t const struct bpf_func_state *state)\n{\n\tconst struct bpf_reg_state *reg;\n\tenum bpf_reg_type t;\n\tint i;\n\n\tif (state->frameno)\n\t\tverbose(env, \" frame%d:\", state->frameno);\n\tfor (i = 0; i < MAX_BPF_REG; i++) {\n\t\treg = &state->regs[i];\n\t\tt = reg->type;\n\t\tif (t == NOT_INIT)\n\t\t\tcontinue;\n\t\tverbose(env, \" R%d\", i);\n\t\tprint_liveness(env, reg->live);\n\t\tverbose(env, \"=%s\", reg_type_str[t]);\n\t\tif (t == SCALAR_VALUE && reg->precise)\n\t\t\tverbose(env, \"P\");\n\t\tif ((t == SCALAR_VALUE || t == PTR_TO_STACK) &&\n\t\t tnum_is_const(reg->var_off)) {\n\t\t\t/* reg->off should be 0 for SCALAR_VALUE */\n\t\t\tverbose(env, \"%lld\", reg->var_off.value + reg->off);\n\t\t} else {\n\t\t\tif (t == PTR_TO_BTF_ID || t == PTR_TO_BTF_ID_OR_NULL)\n\t\t\t\tverbose(env, \"%s\", kernel_type_name(reg->btf_id));\n\t\t\tverbose(env, \"(id=%d\", reg->id);\n\t\t\tif (reg_type_may_be_refcounted_or_null(t))\n\t\t\t\tverbose(env, \",ref_obj_id=%d\", reg->ref_obj_id);\n\t\t\tif (t != SCALAR_VALUE)\n\t\t\t\tverbose(env, \",off=%d\", reg->off);\n\t\t\tif (type_is_pkt_pointer(t))\n\t\t\t\tverbose(env, \",r=%d\", reg->range);\n\t\t\telse if (t == CONST_PTR_TO_MAP ||\n\t\t\t\t t == PTR_TO_MAP_VALUE ||\n\t\t\t\t t == PTR_TO_MAP_VALUE_OR_NULL)\n\t\t\t\tverbose(env, \",ks=%d,vs=%d\",\n\t\t\t\t\treg->map_ptr->key_size,\n\t\t\t\t\treg->map_ptr->value_size);\n\t\t\tif (tnum_is_const(reg->var_off)) {\n\t\t\t\t/* Typically an immediate SCALAR_VALUE, but\n\t\t\t\t * could be a pointer whose offset is too big\n\t\t\t\t 
* for reg->off\n\t\t\t\t */\n\t\t\t\tverbose(env, \",imm=%llx\", reg->var_off.value);\n\t\t\t} else {\n\t\t\t\tif (reg->smin_value != reg->umin_value &&\n\t\t\t\t reg->smin_value != S64_MIN)\n\t\t\t\t\tverbose(env, \",smin_value=%lld\",\n\t\t\t\t\t\t(long long)reg->smin_value);\n\t\t\t\tif (reg->smax_value != reg->umax_value &&\n\t\t\t\t reg->smax_value != S64_MAX)\n\t\t\t\t\tverbose(env, \",smax_value=%lld\",\n\t\t\t\t\t\t(long long)reg->smax_value);\n\t\t\t\tif (reg->umin_value != 0)\n\t\t\t\t\tverbose(env, \",umin_value=%llu\",\n\t\t\t\t\t\t(unsigned long long)reg->umin_value);\n\t\t\t\tif (reg->umax_value != U64_MAX)\n\t\t\t\t\tverbose(env, \",umax_value=%llu\",\n\t\t\t\t\t\t(unsigned long long)reg->umax_value);\n\t\t\t\tif (!tnum_is_unknown(reg->var_off)) {\n\t\t\t\t\tchar tn_buf[48];\n\n\t\t\t\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\t\t\t\tverbose(env, \",var_off=%s\", tn_buf);\n\t\t\t\t}\n\t\t\t\tif (reg->s32_min_value != reg->smin_value &&\n\t\t\t\t reg->s32_min_value != S32_MIN)\n\t\t\t\t\tverbose(env, \",s32_min_value=%d\",\n\t\t\t\t\t\t(int)(reg->s32_min_value));\n\t\t\t\tif (reg->s32_max_value != reg->smax_value &&\n\t\t\t\t reg->s32_max_value != S32_MAX)\n\t\t\t\t\tverbose(env, \",s32_max_value=%d\",\n\t\t\t\t\t\t(int)(reg->s32_max_value));\n\t\t\t\tif (reg->u32_min_value != reg->umin_value &&\n\t\t\t\t reg->u32_min_value != U32_MIN)\n\t\t\t\t\tverbose(env, \",u32_min_value=%d\",\n\t\t\t\t\t\t(int)(reg->u32_min_value));\n\t\t\t\tif (reg->u32_max_value != reg->umax_value &&\n\t\t\t\t reg->u32_max_value != U32_MAX)\n\t\t\t\t\tverbose(env, \",u32_max_value=%d\",\n\t\t\t\t\t\t(int)(reg->u32_max_value));\n\t\t\t}\n\t\t\tverbose(env, \")\");\n\t\t}\n\t}\n\tfor (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {\n\t\tchar types_buf[BPF_REG_SIZE + 1];\n\t\tbool valid = false;\n\t\tint j;\n\n\t\tfor (j = 0; j < BPF_REG_SIZE; j++) {\n\t\t\tif (state->stack[i].slot_type[j] != STACK_INVALID)\n\t\t\t\tvalid = true;\n\t\t\ttypes_buf[j] = 
slot_type_char[\n\t\t\t\t\tstate->stack[i].slot_type[j]];\n\t\t}\n\t\ttypes_buf[BPF_REG_SIZE] = 0;\n\t\tif (!valid)\n\t\t\tcontinue;\n\t\tverbose(env, \" fp%d\", (-i - 1) * BPF_REG_SIZE);\n\t\tprint_liveness(env, state->stack[i].spilled_ptr.live);\n\t\tif (state->stack[i].slot_type[0] == STACK_SPILL) {\n\t\t\treg = &state->stack[i].spilled_ptr;\n\t\t\tt = reg->type;\n\t\t\tverbose(env, \"=%s\", reg_type_str[t]);\n\t\t\tif (t == SCALAR_VALUE && reg->precise)\n\t\t\t\tverbose(env, \"P\");\n\t\t\tif (t == SCALAR_VALUE && tnum_is_const(reg->var_off))\n\t\t\t\tverbose(env, \"%lld\", reg->var_off.value + reg->off);\n\t\t} else {\n\t\t\tverbose(env, \"=%s\", types_buf);\n\t\t}\n\t}\n\tif (state->acquired_refs && state->refs[0].id) {\n\t\tverbose(env, \" refs=%d\", state->refs[0].id);\n\t\tfor (i = 1; i < state->acquired_refs; i++)\n\t\t\tif (state->refs[i].id)\n\t\t\t\tverbose(env, \",%d\", state->refs[i].id);\n\t}\n\tverbose(env, \"\\n\");\n}", "project": "linux", "hash": 338983108492299155927647767307851323058, "size": 122, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328528 }, { "func": "static bool insn_is_cond_jump(u8 code)\n{\n\tu8 op;\n\n\tif (BPF_CLASS(code) == BPF_JMP32)\n\t\treturn true;\n\n\tif (BPF_CLASS(code) != BPF_JMP)\n\t\treturn false;\n\n\top = BPF_OP(code);\n\treturn op != BPF_JA && op != BPF_EXIT && op != BPF_CALL;\n}", "project": "linux", "hash": 24028820836155254776306561768080795765, "size": 13, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232513 }, { "func": "static void release_maps(struct bpf_verifier_env *env)\n{\n\t__bpf_free_used_maps(env->prog->aux, env->used_maps,\n\t\t\t env->used_map_cnt);\n}", "project": "linux", "hash": 49831053633034702129620680120791646680, "size": 5, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232471 }, { "func": "static int do_check_common(struct bpf_verifier_env *env, int subprog)\n{\n\tstruct bpf_verifier_state *state;\n\tstruct bpf_reg_state *regs;\n\tint ret, i;\n\n\tenv->prev_linfo = NULL;\n\tenv->pass_cnt++;\n\n\tstate = kzalloc(sizeof(struct bpf_verifier_state), GFP_KERNEL);\n\tif (!state)\n\t\treturn -ENOMEM;\n\tstate->curframe = 0;\n\tstate->speculative = false;\n\tstate->branches = 1;\n\tstate->frame[0] = kzalloc(sizeof(struct bpf_func_state), GFP_KERNEL);\n\tif (!state->frame[0]) {\n\t\tkfree(state);\n\t\treturn -ENOMEM;\n\t}\n\tenv->cur_state = state;\n\tinit_func_state(env, state->frame[0],\n\t\t\tBPF_MAIN_FUNC /* callsite */,\n\t\t\t0 /* frameno */,\n\t\t\tsubprog);\n\n\tregs = state->frame[state->curframe]->regs;\n\tif (subprog || env->prog->type == BPF_PROG_TYPE_EXT) {\n\t\tret = btf_prepare_func_args(env, subprog, regs);\n\t\tif (ret)\n\t\t\tgoto out;\n\t\tfor (i = BPF_REG_1; i <= BPF_REG_5; i++) {\n\t\t\tif (regs[i].type == PTR_TO_CTX)\n\t\t\t\tmark_reg_known_zero(env, regs, i);\n\t\t\telse if (regs[i].type == SCALAR_VALUE)\n\t\t\t\tmark_reg_unknown(env, regs, i);\n\t\t}\n\t} else {\n\t\t/* 1st arg to a function */\n\t\tregs[BPF_REG_1].type = PTR_TO_CTX;\n\t\tmark_reg_known_zero(env, regs, BPF_REG_1);\n\t\tret = btf_check_func_arg_match(env, subprog, regs);\n\t\tif (ret == -EFAULT)\n\t\t\t/* unlikely verifier bug. 
abort.\n\t\t\t * ret == 0 and ret < 0 are sadly acceptable for\n\t\t\t * main() function due to backward compatibility.\n\t\t\t * Like socket filter program may be written as:\n\t\t\t * int bpf_prog(struct pt_regs *ctx)\n\t\t\t * and never dereference that ctx in the program.\n\t\t\t * 'struct pt_regs' is a type mismatch for socket\n\t\t\t * filter that should be using 'struct __sk_buff'.\n\t\t\t */\n\t\t\tgoto out;\n\t}\n\n\tret = do_check(env);\nout:\n\t/* check for NULL is necessary, since cur_state can be freed inside\n\t * do_check() under memory pressure.\n\t */\n\tif (env->cur_state) {\n\t\tfree_verifier_state(env->cur_state, true);\n\t\tenv->cur_state = NULL;\n\t}\n\twhile (!pop_stack(env, NULL, NULL));\n\tfree_states(env);\n\tif (ret)\n\t\t/* clean aux data in case subprog was rejected */\n\t\tsanitize_insn_aux_data(env);\n\treturn ret;\n}", "project": "linux", "hash": 284674761242913782593473222715875337926, "size": 71, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232508 }, { "func": "static int do_check_common(struct bpf_verifier_env *env, int subprog)\n{\n\tbool pop_log = !(env->log.level & BPF_LOG_LEVEL2);\n\tstruct bpf_verifier_state *state;\n\tstruct bpf_reg_state *regs;\n\tint ret, i;\n\n\tenv->prev_linfo = NULL;\n\tenv->pass_cnt++;\n\n\tstate = kzalloc(sizeof(struct bpf_verifier_state), GFP_KERNEL);\n\tif (!state)\n\t\treturn -ENOMEM;\n\tstate->curframe = 0;\n\tstate->speculative = false;\n\tstate->branches = 1;\n\tstate->frame[0] = kzalloc(sizeof(struct bpf_func_state), GFP_KERNEL);\n\tif (!state->frame[0]) {\n\t\tkfree(state);\n\t\treturn -ENOMEM;\n\t}\n\tenv->cur_state = state;\n\tinit_func_state(env, state->frame[0],\n\t\t\tBPF_MAIN_FUNC /* callsite */,\n\t\t\t0 /* frameno */,\n\t\t\tsubprog);\n\n\tregs = state->frame[state->curframe]->regs;\n\tif (subprog || env->prog->type == BPF_PROG_TYPE_EXT) {\n\t\tret = btf_prepare_func_args(env, subprog, regs);\n\t\tif (ret)\n\t\t\tgoto out;\n\t\tfor (i = BPF_REG_1; i <= BPF_REG_5; i++) {\n\t\t\tif (regs[i].type == PTR_TO_CTX)\n\t\t\t\tmark_reg_known_zero(env, regs, i);\n\t\t\telse if (regs[i].type == SCALAR_VALUE)\n\t\t\t\tmark_reg_unknown(env, regs, i);\n\t\t}\n\t} else {\n\t\t/* 1st arg to a function */\n\t\tregs[BPF_REG_1].type = PTR_TO_CTX;\n\t\tmark_reg_known_zero(env, regs, BPF_REG_1);\n\t\tret = btf_check_func_arg_match(env, subprog, regs);\n\t\tif (ret == -EFAULT)\n\t\t\t/* unlikely verifier bug. 
abort.\n\t\t\t * ret == 0 and ret < 0 are sadly acceptable for\n\t\t\t * main() function due to backward compatibility.\n\t\t\t * Like socket filter program may be written as:\n\t\t\t * int bpf_prog(struct pt_regs *ctx)\n\t\t\t * and never dereference that ctx in the program.\n\t\t\t * 'struct pt_regs' is a type mismatch for socket\n\t\t\t * filter that should be using 'struct __sk_buff'.\n\t\t\t */\n\t\t\tgoto out;\n\t}\n\n\tret = do_check(env);\nout:\n\t/* check for NULL is necessary, since cur_state can be freed inside\n\t * do_check() under memory pressure.\n\t */\n\tif (env->cur_state) {\n\t\tfree_verifier_state(env->cur_state, true);\n\t\tenv->cur_state = NULL;\n\t}\n\twhile (!pop_stack(env, NULL, NULL, false));\n\tif (!ret && pop_log)\n\t\tbpf_vlog_reset(&env->log, 0);\n\tfree_states(env);\n\tif (ret)\n\t\t/* clean aux data in case subprog was rejected */\n\t\tsanitize_insn_aux_data(env);\n\treturn ret;\n}", "project": "linux", "hash": 10582628833038187073893720781891999760, "size": 74, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328518 }, { "func": "void bpf_verifier_vlog(struct bpf_verifier_log *log, const char *fmt,\n\t\t va_list args)\n{\n\tunsigned int n;\n\n\tn = vscnprintf(log->kbuf, BPF_VERIFIER_TMP_LOG_SIZE, fmt, args);\n\n\tWARN_ONCE(n >= BPF_VERIFIER_TMP_LOG_SIZE - 1,\n\t\t \"verifier log line truncated - local buffer too short\\n\");\n\n\tn = min(log->len_total - log->len_used - 1, n);\n\tlog->kbuf[n] = '\\0';\n\n\tif (log->level == BPF_LOG_KERNEL) {\n\t\tpr_err(\"BPF:%s\\n\", log->kbuf);\n\t\treturn;\n\t}\n\tif (!copy_to_user(log->ubuf + log->len_used, log->kbuf, n + 1))\n\t\tlog->len_used += n;\n\telse\n\t\tlog->ubuf = NULL;\n}", "project": "linux", "hash": 227222057135077080656684668513009505609, "size": 22, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232589 }, { "func": "static void scalar32_min_max_or(struct bpf_reg_state *dst_reg,\n\t\t\t\tstruct bpf_reg_state *src_reg)\n{\n\tbool src_known = tnum_subreg_is_const(src_reg->var_off);\n\tbool dst_known = tnum_subreg_is_const(dst_reg->var_off);\n\tstruct tnum var32_off = tnum_subreg(dst_reg->var_off);\n\ts32 smin_val = src_reg->smin_value;\n\tu32 umin_val = src_reg->umin_value;\n\n\t/* Assuming scalar64_min_max_or will be called so it is safe\n\t * to skip updating register for known case.\n\t */\n\tif (src_known && dst_known)\n\t\treturn;\n\n\t/* We get our maximum from the var_off, and our minimum is the\n\t * maximum of the operands' minima\n\t */\n\tdst_reg->u32_min_value = max(dst_reg->u32_min_value, umin_val);\n\tdst_reg->u32_max_value = var32_off.value | var32_off.mask;\n\tif (dst_reg->s32_min_value < 0 || smin_val < 0) {\n\t\t/* Lose signed bounds when ORing negative numbers,\n\t\t * ain't nobody got time for that.\n\t\t */\n\t\tdst_reg->s32_min_value = S32_MIN;\n\t\tdst_reg->s32_max_value = S32_MAX;\n\t} else {\n\t\t/* ORing two positives gives a positive, so safe to\n\t\t * cast result into s64.\n\t\t */\n\t\tdst_reg->s32_min_value = dst_reg->umin_value;\n\t\tdst_reg->s32_max_value = dst_reg->umax_value;\n\t}\n}", "project": "linux", "hash": 165771617226406414034272893159919382683, "size": 34, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands 
out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. 
This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 
R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 1, "dataset": "other", "idx": 202076 }, { "func": "static bool __reg64_bound_s32(s64 a)\n{\n\tif (a > S32_MIN && a < S32_MAX)\n\t\treturn true;\n\treturn false;\n}", "project": "linux", "hash": 34299504435003231541120623857736853135, "size": 6, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: 
R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. 
After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328532 }, { "func": "static void clean_verifier_state(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_verifier_state *st)\n{\n\tint i;\n\n\tif (st->frame[0]->regs[0].live & REG_LIVE_DONE)\n\t\t/* all regs in this state in all frames were already 
marked */\n\t\treturn;\n\n\tfor (i = 0; i <= st->curframe; i++)\n\t\tclean_func_state(env, st->frame[i]);\n}", "project": "linux", "hash": 105300137154620734444009997882693679643, "size": 12, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232573 }, { "func": "static bool is_pointer_value(struct bpf_verifier_env *env, int regno)\n{\n\treturn __is_pointer_value(env->allow_ptr_leaks, reg_state(env, regno));\n}", "project": "linux", "hash": 300177508000146393312951215147670996078, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232603 }, { "func": "static void release_reg_references(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_func_state *state,\n\t\t\t\t int ref_obj_id)\n{\n\tstruct bpf_reg_state *regs = state->regs, *reg;\n\tint i;\n\n\tfor (i = 0; i < MAX_BPF_REG; i++)\n\t\tif (regs[i].ref_obj_id == ref_obj_id)\n\t\t\tmark_reg_unknown(env, regs, i);\n\n\tbpf_for_each_spilled_reg(i, state, reg) {\n\t\tif (!reg)\n\t\t\tcontinue;\n\t\tif (reg->ref_obj_id == ref_obj_id)\n\t\t\t__mark_reg_unknown(env, reg);\n\t}\n}", "project": "linux", "hash": 42255117395121411811306808632770115244, "size": 18, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232425 }, { "func": "static void clear_caller_saved_regs(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_reg_state *regs)\n{\n\tint i;\n\n\t/* after the call registers r0 - r5 were scratched */\n\tfor (i = 0; i < CALLER_SAVED_REGS; i++) {\n\t\tmark_reg_not_init(env, regs, caller_saved[i]);\n\t\tcheck_reg_arg(env, caller_saved[i], DST_OP_NO_MARK);\n\t}\n}", "project": "linux", "hash": 151173886857452249232806325296692807546, "size": 11, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232553 }, { "func": "static int propagate_liveness(struct bpf_verifier_env *env,\n\t\t\t const struct bpf_verifier_state *vstate,\n\t\t\t struct bpf_verifier_state *vparent)\n{\n\tstruct bpf_reg_state *state_reg, *parent_reg;\n\tstruct bpf_func_state *state, *parent;\n\tint i, frame, err = 0;\n\n\tif (vparent->curframe != vstate->curframe) {\n\t\tWARN(1, \"propagate_live: parent frame %d current frame %d\\n\",\n\t\t vparent->curframe, vstate->curframe);\n\t\treturn -EFAULT;\n\t}\n\t/* Propagate read liveness of registers... */\n\tBUILD_BUG_ON(BPF_REG_FP + 1 != MAX_BPF_REG);\n\tfor (frame = 0; frame <= vstate->curframe; frame++) {\n\t\tparent = vparent->frame[frame];\n\t\tstate = vstate->frame[frame];\n\t\tparent_reg = parent->regs;\n\t\tstate_reg = state->regs;\n\t\t/* We don't need to worry about FP liveness, it's read-only */\n\t\tfor (i = frame < vstate->curframe ? BPF_REG_6 : 0; i < BPF_REG_FP; i++) {\n\t\t\terr = propagate_liveness_reg(env, &state_reg[i],\n\t\t\t\t\t\t &parent_reg[i]);\n\t\t\tif (err < 0)\n\t\t\t\treturn err;\n\t\t\tif (err == REG_LIVE_READ64)\n\t\t\t\tmark_insn_zext(env, &parent_reg[i]);\n\t\t}\n\n\t\t/* Propagate stack slots. 
*/\n\t\tfor (i = 0; i < state->allocated_stack / BPF_REG_SIZE &&\n\t\t\t i < parent->allocated_stack / BPF_REG_SIZE; i++) {\n\t\t\tparent_reg = &parent->stack[i].spilled_ptr;\n\t\t\tstate_reg = &state->stack[i].spilled_ptr;\n\t\t\terr = propagate_liveness_reg(env, state_reg,\n\t\t\t\t\t\t parent_reg);\n\t\t\tif (err < 0)\n\t\t\t\treturn err;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 309474626326510395063319127326996439224, "size": 43, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232572 }, { "func": "static void scalar_min_max_lsh(struct bpf_reg_state *dst_reg,\n\t\t\t struct bpf_reg_state *src_reg)\n{\n\tu64 umax_val = src_reg->umax_value;\n\tu64 umin_val = src_reg->umin_value;\n\n\t/* We lose all sign bit information (except what we can pick\n\t * up from var_off)\n\t */\n\tdst_reg->smin_value = S64_MIN;\n\tdst_reg->smax_value = S64_MAX;\n\t/* If we might shift our top bit out, then we know nothing */\n\tif (dst_reg->umax_value > 1ULL << (63 - umax_val)) {\n\t\tdst_reg->umin_value = 0;\n\t\tdst_reg->umax_value = U64_MAX;\n\t} else {\n\t\tdst_reg->umin_value <<= umin_val;\n\t\tdst_reg->umax_value <<= umax_val;\n\t}\n\tdst_reg->var_off = tnum_lshift(dst_reg->var_off, umin_val);\n\t/* We may learn something more from the var_off */\n\t__update_reg_bounds(dst_reg);\n}", "project": "linux", "hash": 317459277694321705268301163026814851276, "size": 23, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232509 }, { "func": "static bool check_args_pair_invalid(enum bpf_arg_type arg_curr,\n\t\t\t\t enum bpf_arg_type arg_next)\n{\n\treturn (arg_type_is_mem_ptr(arg_curr) &&\n\t !arg_type_is_mem_size(arg_next)) ||\n\t (!arg_type_is_mem_ptr(arg_curr) &&\n\t\targ_type_is_mem_size(arg_next));\n}", "project": "linux", "hash": 25690438240709473215393749591986544369, "size": 8, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232575 }, { "func": "static int opt_remove_dead_code(struct bpf_verifier_env *env)\n{\n\tstruct bpf_insn_aux_data *aux_data = env->insn_aux_data;\n\tint insn_cnt = env->prog->len;\n\tint i, err;\n\n\tfor (i = 0; i < insn_cnt; i++) {\n\t\tint j;\n\n\t\tj = 0;\n\t\twhile (i + j < insn_cnt && !aux_data[i + j].seen)\n\t\t\tj++;\n\t\tif (!j)\n\t\t\tcontinue;\n\n\t\terr = verifier_remove_insns(env, i, j);\n\t\tif (err)\n\t\t\treturn err;\n\t\tinsn_cnt = env->prog->len;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 185218595017376256991647134283625986260, "size": 23, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232618 }, { "func": "static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,\n\t\t\t\t int access_size, bool zero_size_allowed,\n\t\t\t\t struct bpf_call_arg_meta *meta)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno];\n\n\tswitch (reg->type) {\n\tcase PTR_TO_PACKET:\n\tcase PTR_TO_PACKET_META:\n\t\treturn check_packet_access(env, regno, reg->off, access_size,\n\t\t\t\t\t zero_size_allowed);\n\tcase PTR_TO_MAP_VALUE:\n\t\tif (check_map_access_type(env, regno, reg->off, access_size,\n\t\t\t\t\t meta && meta->raw_mode ? BPF_WRITE :\n\t\t\t\t\t BPF_READ))\n\t\t\treturn -EACCES;\n\t\treturn check_map_access(env, regno, reg->off, access_size,\n\t\t\t\t\tzero_size_allowed);\n\tdefault: /* scalar_value|ptr_to_stack or invalid ptr */\n\t\treturn check_stack_boundary(env, regno, access_size,\n\t\t\t\t\t zero_size_allowed, meta);\n\t}\n}", "project": "linux", "hash": 64544892594411385391184773903922560136, "size": 23, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. 
These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232538 }, { "func": "static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,\n\t\t\t\t int access_size, bool zero_size_allowed,\n\t\t\t\t struct bpf_call_arg_meta *meta)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno];\n\n\tswitch (reg->type) {\n\tcase PTR_TO_PACKET:\n\tcase PTR_TO_PACKET_META:\n\t\treturn check_packet_access(env, regno, reg->off, access_size,\n\t\t\t\t\t zero_size_allowed);\n\tcase PTR_TO_MAP_VALUE:\n\t\tif (check_map_access_type(env, regno, reg->off, access_size,\n\t\t\t\t\t meta && meta->raw_mode ? 
BPF_WRITE :\n\t\t\t\t\t BPF_READ))\n\t\t\treturn -EACCES;\n\t\treturn check_map_access(env, regno, reg->off, access_size,\n\t\t\t\t\tzero_size_allowed);\n\tcase PTR_TO_MEM:\n\t\treturn check_mem_region_access(env, regno, reg->off,\n\t\t\t\t\t access_size, reg->mem_size,\n\t\t\t\t\t zero_size_allowed);\n\tcase PTR_TO_RDONLY_BUF:\n\t\tif (meta && meta->raw_mode)\n\t\t\treturn -EACCES;\n\t\treturn check_buffer_access(env, reg, regno, reg->off,\n\t\t\t\t\t access_size, zero_size_allowed,\n\t\t\t\t\t \"rdonly\",\n\t\t\t\t\t &env->prog->aux->max_rdonly_access);\n\tcase PTR_TO_RDWR_BUF:\n\t\treturn check_buffer_access(env, reg, regno, reg->off,\n\t\t\t\t\t access_size, zero_size_allowed,\n\t\t\t\t\t \"rdwr\",\n\t\t\t\t\t &env->prog->aux->max_rdwr_access);\n\tdefault: /* scalar_value|ptr_to_stack or invalid ptr */\n\t\treturn check_stack_boundary(env, regno, access_size,\n\t\t\t\t\t zero_size_allowed, meta);\n\t}\n}", "project": "linux", "hash": 42778820485613421309644383995586145795, "size": 39, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328516 }, { "func": "static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,\n\t\t\t\t int access_size, bool zero_size_allowed,\n\t\t\t\t struct bpf_call_arg_meta *meta)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno];\n\n\tswitch (reg->type) {\n\tcase PTR_TO_PACKET:\n\tcase PTR_TO_PACKET_META:\n\t\treturn check_packet_access(env, regno, reg->off, access_size,\n\t\t\t\t\t zero_size_allowed);\n\tcase PTR_TO_MAP_VALUE:\n\t\tif (check_map_access_type(env, regno, reg->off, access_size,\n\t\t\t\t\t meta && meta->raw_mode ? BPF_WRITE :\n\t\t\t\t\t BPF_READ))\n\t\t\treturn -EACCES;\n\t\treturn check_map_access(env, regno, reg->off, access_size,\n\t\t\t\t\tzero_size_allowed);\n\tcase PTR_TO_MEM:\n\t\treturn check_mem_region_access(env, regno, reg->off,\n\t\t\t\t\t access_size, reg->mem_size,\n\t\t\t\t\t zero_size_allowed);\n\tcase PTR_TO_RDONLY_BUF:\n\t\tif (meta && meta->raw_mode)\n\t\t\treturn -EACCES;\n\t\treturn check_buffer_access(env, reg, regno, reg->off,\n\t\t\t\t\t access_size, zero_size_allowed,\n\t\t\t\t\t \"rdonly\",\n\t\t\t\t\t &env->prog->aux->max_rdonly_access);\n\tcase PTR_TO_RDWR_BUF:\n\t\treturn check_buffer_access(env, reg, regno, reg->off,\n\t\t\t\t\t access_size, zero_size_allowed,\n\t\t\t\t\t \"rdwr\",\n\t\t\t\t\t &env->prog->aux->max_rdwr_access);\n\tcase PTR_TO_STACK:\n\t\treturn check_stack_boundary(env, regno, access_size,\n\t\t\t\t\t zero_size_allowed, meta);\n\tdefault: /* scalar_value or invalid ptr */\n\t\t/* Allow zero-byte read from NULL, regardless of pointer type */\n\t\tif (zero_size_allowed && access_size == 0 &&\n\t\t register_is_null(reg))\n\t\t\treturn 0;\n\n\t\tverbose(env, \"R%d type=%s expected=%s\\n\", regno,\n\t\t\treg_type_str[reg->type],\n\t\t\treg_type_str[PTR_TO_STACK]);\n\t\treturn -EACCES;\n\t}\n}", "project": "linux", "hash": 
33048823088754371966025794613573610295, "size": 49, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. 
Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456517 }, { "func": "static bool arg_type_is_mem_size(enum bpf_arg_type type)\n{\n\treturn type == ARG_CONST_SIZE ||\n\t type == ARG_CONST_SIZE_OR_ZERO;\n}", "project": "linux", "hash": 288541837472392698574791618236306724264, "size": 5, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232426 }, { "func": "static int check_attach_btf_id(struct bpf_verifier_env *env)\n{\n\tstruct bpf_prog *prog = env->prog;\n\tbool prog_extension = prog->type == BPF_PROG_TYPE_EXT;\n\tstruct bpf_prog *tgt_prog = prog->aux->linked_prog;\n\tu32 btf_id = prog->aux->attach_btf_id;\n\tconst char prefix[] = \"btf_trace_\";\n\tint ret = 0, subprog = -1, i;\n\tstruct bpf_trampoline *tr;\n\tconst struct btf_type *t;\n\tbool conservative = true;\n\tconst char *tname;\n\tstruct btf *btf;\n\tlong addr;\n\tu64 key;\n\n\tif (prog->type == BPF_PROG_TYPE_STRUCT_OPS)\n\t\treturn check_struct_ops_btf_id(env);\n\n\tif (prog->type != BPF_PROG_TYPE_TRACING && !prog_extension)\n\t\treturn 0;\n\n\tif (!btf_id) {\n\t\tverbose(env, \"Tracing programs must provide btf_id\\n\");\n\t\treturn -EINVAL;\n\t}\n\tbtf = bpf_prog_get_target_btf(prog);\n\tif (!btf) {\n\t\tverbose(env,\n\t\t\t\"FENTRY/FEXIT program can only be attached to another program annotated with BTF\\n\");\n\t\treturn -EINVAL;\n\t}\n\tt = btf_type_by_id(btf, btf_id);\n\tif (!t) {\n\t\tverbose(env, \"attach_btf_id %u is invalid\\n\", btf_id);\n\t\treturn -EINVAL;\n\t}\n\ttname = btf_name_by_offset(btf, t->name_off);\n\tif (!tname) {\n\t\tverbose(env, \"attach_btf_id %u doesn't have a name\\n\", btf_id);\n\t\treturn -EINVAL;\n\t}\n\tif (tgt_prog) {\n\t\tstruct bpf_prog_aux *aux = tgt_prog->aux;\n\n\t\tfor (i = 0; i < aux->func_info_cnt; i++)\n\t\t\tif (aux->func_info[i].type_id 
== btf_id) {\n\t\t\t\tsubprog = i;\n\t\t\t\tbreak;\n\t\t\t}\n\t\tif (subprog == -1) {\n\t\t\tverbose(env, \"Subprog %s doesn't exist\\n\", tname);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tconservative = aux->func_info_aux[subprog].unreliable;\n\t\tif (prog_extension) {\n\t\t\tif (conservative) {\n\t\t\t\tverbose(env,\n\t\t\t\t\t\"Cannot replace static functions\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\tif (!prog->jit_requested) {\n\t\t\t\tverbose(env,\n\t\t\t\t\t\"Extension programs should be JITed\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\tenv->ops = bpf_verifier_ops[tgt_prog->type];\n\t\t}\n\t\tif (!tgt_prog->jited) {\n\t\t\tverbose(env, \"Can attach to only JITed progs\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tif (tgt_prog->type == prog->type) {\n\t\t\t/* Cannot fentry/fexit another fentry/fexit program.\n\t\t\t * Cannot attach program extension to another extension.\n\t\t\t * It's ok to attach fentry/fexit to extension program.\n\t\t\t */\n\t\t\tverbose(env, \"Cannot recursively attach\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tif (tgt_prog->type == BPF_PROG_TYPE_TRACING &&\n\t\t prog_extension &&\n\t\t (tgt_prog->expected_attach_type == BPF_TRACE_FENTRY ||\n\t\t tgt_prog->expected_attach_type == BPF_TRACE_FEXIT)) {\n\t\t\t/* Program extensions can extend all program types\n\t\t\t * except fentry/fexit. The reason is the following.\n\t\t\t * The fentry/fexit programs are used for performance\n\t\t\t * analysis, stats and can be attached to any program\n\t\t\t * type except themselves. When extension program is\n\t\t\t * replacing XDP function it is necessary to allow\n\t\t\t * performance analysis of all functions. Both original\n\t\t\t * XDP program and its program extension. Hence\n\t\t\t * attaching fentry/fexit to BPF_PROG_TYPE_EXT is\n\t\t\t * allowed. If extending of fentry/fexit was allowed it\n\t\t\t * would be possible to create long call chain\n\t\t\t * fentry->extension->fentry->extension beyond\n\t\t\t * reasonable stack size. 
Hence extending fentry is not\n\t\t\t * allowed.\n\t\t\t */\n\t\t\tverbose(env, \"Cannot extend fentry/fexit\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tkey = ((u64)aux->id) << 32 | btf_id;\n\t} else {\n\t\tif (prog_extension) {\n\t\t\tverbose(env, \"Cannot replace kernel functions\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tkey = btf_id;\n\t}\n\n\tswitch (prog->expected_attach_type) {\n\tcase BPF_TRACE_RAW_TP:\n\t\tif (tgt_prog) {\n\t\t\tverbose(env,\n\t\t\t\t\"Only FENTRY/FEXIT progs are attachable to another BPF prog\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tif (!btf_type_is_typedef(t)) {\n\t\t\tverbose(env, \"attach_btf_id %u is not a typedef\\n\",\n\t\t\t\tbtf_id);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tif (strncmp(prefix, tname, sizeof(prefix) - 1)) {\n\t\t\tverbose(env, \"attach_btf_id %u points to wrong type name %s\\n\",\n\t\t\t\tbtf_id, tname);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\ttname += sizeof(prefix) - 1;\n\t\tt = btf_type_by_id(btf, t->type);\n\t\tif (!btf_type_is_ptr(t))\n\t\t\t/* should never happen in valid vmlinux build */\n\t\t\treturn -EINVAL;\n\t\tt = btf_type_by_id(btf, t->type);\n\t\tif (!btf_type_is_func_proto(t))\n\t\t\t/* should never happen in valid vmlinux build */\n\t\t\treturn -EINVAL;\n\n\t\t/* remember two read only pointers that are valid for\n\t\t * the life time of the kernel\n\t\t */\n\t\tprog->aux->attach_func_name = tname;\n\t\tprog->aux->attach_func_proto = t;\n\t\tprog->aux->attach_btf_trace = true;\n\t\treturn 0;\n\tdefault:\n\t\tif (!prog_extension)\n\t\t\treturn -EINVAL;\n\t\t/* fallthrough */\n\tcase BPF_MODIFY_RETURN:\n\tcase BPF_TRACE_FENTRY:\n\tcase BPF_TRACE_FEXIT:\n\t\tif (!btf_type_is_func(t)) {\n\t\t\tverbose(env, \"attach_btf_id %u is not a function\\n\",\n\t\t\t\tbtf_id);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tif (prog_extension &&\n\t\t btf_check_type_match(env, prog, btf, t))\n\t\t\treturn -EINVAL;\n\t\tt = btf_type_by_id(btf, t->type);\n\t\tif (!btf_type_is_func_proto(t))\n\t\t\treturn -EINVAL;\n\t\ttr = 
bpf_trampoline_lookup(key);\n\t\tif (!tr)\n\t\t\treturn -ENOMEM;\n\t\tprog->aux->attach_func_name = tname;\n\t\t/* t is either vmlinux type or another program's type */\n\t\tprog->aux->attach_func_proto = t;\n\t\tmutex_lock(&tr->mutex);\n\t\tif (tr->func.addr) {\n\t\t\tprog->aux->trampoline = tr;\n\t\t\tgoto out;\n\t\t}\n\t\tif (tgt_prog && conservative) {\n\t\t\tprog->aux->attach_func_proto = NULL;\n\t\t\tt = NULL;\n\t\t}\n\t\tret = btf_distill_func_proto(&env->log, btf, t,\n\t\t\t\t\t tname, &tr->func.model);\n\t\tif (ret < 0)\n\t\t\tgoto out;\n\t\tif (tgt_prog) {\n\t\t\tif (subprog == 0)\n\t\t\t\taddr = (long) tgt_prog->bpf_func;\n\t\t\telse\n\t\t\t\taddr = (long) tgt_prog->aux->func[subprog]->bpf_func;\n\t\t} else {\n\t\t\taddr = kallsyms_lookup_name(tname);\n\t\t\tif (!addr) {\n\t\t\t\tverbose(env,\n\t\t\t\t\t\"The address of function %s cannot be found\\n\",\n\t\t\t\t\ttname);\n\t\t\t\tret = -ENOENT;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t}\n\t\ttr->func.addr = (void *)addr;\n\t\tprog->aux->trampoline = tr;\n\n\t\tif (prog->expected_attach_type == BPF_MODIFY_RETURN)\n\t\t\tret = check_attach_modify_return(env);\nout:\n\t\tmutex_unlock(&tr->mutex);\n\t\tif (ret)\n\t\t\tbpf_trampoline_put(tr);\n\t\treturn ret;\n\t}\n}", "project": "linux", "hash": 244622021713822927446281050907480062706, "size": 209, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. 
These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232559 }, { "func": "static int check_attach_btf_id(struct bpf_verifier_env *env)\n{\n\tstruct bpf_prog *prog = env->prog;\n\tbool prog_extension = prog->type == BPF_PROG_TYPE_EXT;\n\tstruct bpf_prog *tgt_prog = prog->aux->linked_prog;\n\tu32 btf_id = prog->aux->attach_btf_id;\n\tconst char prefix[] = \"btf_trace_\";\n\tstruct btf_func_model fmodel;\n\tint ret = 0, subprog = -1, i;\n\tstruct bpf_trampoline *tr;\n\tconst struct btf_type *t;\n\tbool conservative = true;\n\tconst char *tname;\n\tstruct btf *btf;\n\tlong addr;\n\tu64 key;\n\n\tif (prog->type == BPF_PROG_TYPE_STRUCT_OPS)\n\t\treturn check_struct_ops_btf_id(env);\n\n\tif (prog->type != BPF_PROG_TYPE_TRACING &&\n\t prog->type != BPF_PROG_TYPE_LSM &&\n\t !prog_extension)\n\t\treturn 0;\n\n\tif (!btf_id) {\n\t\tverbose(env, \"Tracing programs must provide btf_id\\n\");\n\t\treturn -EINVAL;\n\t}\n\tbtf = bpf_prog_get_target_btf(prog);\n\tif (!btf) {\n\t\tverbose(env,\n\t\t\t\"FENTRY/FEXIT program can only be attached to another program annotated with BTF\\n\");\n\t\treturn -EINVAL;\n\t}\n\tt = btf_type_by_id(btf, btf_id);\n\tif (!t) {\n\t\tverbose(env, \"attach_btf_id %u is invalid\\n\", btf_id);\n\t\treturn -EINVAL;\n\t}\n\ttname = btf_name_by_offset(btf, t->name_off);\n\tif (!tname) {\n\t\tverbose(env, \"attach_btf_id %u doesn't have a 
name\\n\", btf_id);\n\t\treturn -EINVAL;\n\t}\n\tif (tgt_prog) {\n\t\tstruct bpf_prog_aux *aux = tgt_prog->aux;\n\n\t\tfor (i = 0; i < aux->func_info_cnt; i++)\n\t\t\tif (aux->func_info[i].type_id == btf_id) {\n\t\t\t\tsubprog = i;\n\t\t\t\tbreak;\n\t\t\t}\n\t\tif (subprog == -1) {\n\t\t\tverbose(env, \"Subprog %s doesn't exist\\n\", tname);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tconservative = aux->func_info_aux[subprog].unreliable;\n\t\tif (prog_extension) {\n\t\t\tif (conservative) {\n\t\t\t\tverbose(env,\n\t\t\t\t\t\"Cannot replace static functions\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\tif (!prog->jit_requested) {\n\t\t\t\tverbose(env,\n\t\t\t\t\t\"Extension programs should be JITed\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\tenv->ops = bpf_verifier_ops[tgt_prog->type];\n\t\t\tprog->expected_attach_type = tgt_prog->expected_attach_type;\n\t\t}\n\t\tif (!tgt_prog->jited) {\n\t\t\tverbose(env, \"Can attach to only JITed progs\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tif (tgt_prog->type == prog->type) {\n\t\t\t/* Cannot fentry/fexit another fentry/fexit program.\n\t\t\t * Cannot attach program extension to another extension.\n\t\t\t * It's ok to attach fentry/fexit to extension program.\n\t\t\t */\n\t\t\tverbose(env, \"Cannot recursively attach\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tif (tgt_prog->type == BPF_PROG_TYPE_TRACING &&\n\t\t prog_extension &&\n\t\t (tgt_prog->expected_attach_type == BPF_TRACE_FENTRY ||\n\t\t tgt_prog->expected_attach_type == BPF_TRACE_FEXIT)) {\n\t\t\t/* Program extensions can extend all program types\n\t\t\t * except fentry/fexit. The reason is the following.\n\t\t\t * The fentry/fexit programs are used for performance\n\t\t\t * analysis, stats and can be attached to any program\n\t\t\t * type except themselves. When extension program is\n\t\t\t * replacing XDP function it is necessary to allow\n\t\t\t * performance analysis of all functions. Both original\n\t\t\t * XDP program and its program extension. 
Hence\n\t\t\t * attaching fentry/fexit to BPF_PROG_TYPE_EXT is\n\t\t\t * allowed. If extending of fentry/fexit was allowed it\n\t\t\t * would be possible to create long call chain\n\t\t\t * fentry->extension->fentry->extension beyond\n\t\t\t * reasonable stack size. Hence extending fentry is not\n\t\t\t * allowed.\n\t\t\t */\n\t\t\tverbose(env, \"Cannot extend fentry/fexit\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tkey = ((u64)aux->id) << 32 | btf_id;\n\t} else {\n\t\tif (prog_extension) {\n\t\t\tverbose(env, \"Cannot replace kernel functions\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tkey = btf_id;\n\t}\n\n\tswitch (prog->expected_attach_type) {\n\tcase BPF_TRACE_RAW_TP:\n\t\tif (tgt_prog) {\n\t\t\tverbose(env,\n\t\t\t\t\"Only FENTRY/FEXIT progs are attachable to another BPF prog\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tif (!btf_type_is_typedef(t)) {\n\t\t\tverbose(env, \"attach_btf_id %u is not a typedef\\n\",\n\t\t\t\tbtf_id);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tif (strncmp(prefix, tname, sizeof(prefix) - 1)) {\n\t\t\tverbose(env, \"attach_btf_id %u points to wrong type name %s\\n\",\n\t\t\t\tbtf_id, tname);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\ttname += sizeof(prefix) - 1;\n\t\tt = btf_type_by_id(btf, t->type);\n\t\tif (!btf_type_is_ptr(t))\n\t\t\t/* should never happen in valid vmlinux build */\n\t\t\treturn -EINVAL;\n\t\tt = btf_type_by_id(btf, t->type);\n\t\tif (!btf_type_is_func_proto(t))\n\t\t\t/* should never happen in valid vmlinux build */\n\t\t\treturn -EINVAL;\n\n\t\t/* remember two read only pointers that are valid for\n\t\t * the life time of the kernel\n\t\t */\n\t\tprog->aux->attach_func_name = tname;\n\t\tprog->aux->attach_func_proto = t;\n\t\tprog->aux->attach_btf_trace = true;\n\t\treturn 0;\n\tcase BPF_TRACE_ITER:\n\t\tif (!btf_type_is_func(t)) {\n\t\t\tverbose(env, \"attach_btf_id %u is not a function\\n\",\n\t\t\t\tbtf_id);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tt = btf_type_by_id(btf, t->type);\n\t\tif (!btf_type_is_func_proto(t))\n\t\t\treturn 
-EINVAL;\n\t\tprog->aux->attach_func_name = tname;\n\t\tprog->aux->attach_func_proto = t;\n\t\tif (!bpf_iter_prog_supported(prog))\n\t\t\treturn -EINVAL;\n\t\tret = btf_distill_func_proto(&env->log, btf, t,\n\t\t\t\t\t tname, &fmodel);\n\t\treturn ret;\n\tdefault:\n\t\tif (!prog_extension)\n\t\t\treturn -EINVAL;\n\t\tfallthrough;\n\tcase BPF_MODIFY_RETURN:\n\tcase BPF_LSM_MAC:\n\tcase BPF_TRACE_FENTRY:\n\tcase BPF_TRACE_FEXIT:\n\t\tprog->aux->attach_func_name = tname;\n\t\tif (prog->type == BPF_PROG_TYPE_LSM) {\n\t\t\tret = bpf_lsm_verify_prog(&env->log, prog);\n\t\t\tif (ret < 0)\n\t\t\t\treturn ret;\n\t\t}\n\n\t\tif (!btf_type_is_func(t)) {\n\t\t\tverbose(env, \"attach_btf_id %u is not a function\\n\",\n\t\t\t\tbtf_id);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tif (prog_extension &&\n\t\t btf_check_type_match(env, prog, btf, t))\n\t\t\treturn -EINVAL;\n\t\tt = btf_type_by_id(btf, t->type);\n\t\tif (!btf_type_is_func_proto(t))\n\t\t\treturn -EINVAL;\n\t\ttr = bpf_trampoline_lookup(key);\n\t\tif (!tr)\n\t\t\treturn -ENOMEM;\n\t\t/* t is either vmlinux type or another program's type */\n\t\tprog->aux->attach_func_proto = t;\n\t\tmutex_lock(&tr->mutex);\n\t\tif (tr->func.addr) {\n\t\t\tprog->aux->trampoline = tr;\n\t\t\tgoto out;\n\t\t}\n\t\tif (tgt_prog && conservative) {\n\t\t\tprog->aux->attach_func_proto = NULL;\n\t\t\tt = NULL;\n\t\t}\n\t\tret = btf_distill_func_proto(&env->log, btf, t,\n\t\t\t\t\t tname, &tr->func.model);\n\t\tif (ret < 0)\n\t\t\tgoto out;\n\t\tif (tgt_prog) {\n\t\t\tif (subprog == 0)\n\t\t\t\taddr = (long) tgt_prog->bpf_func;\n\t\t\telse\n\t\t\t\taddr = (long) tgt_prog->aux->func[subprog]->bpf_func;\n\t\t} else {\n\t\t\taddr = kallsyms_lookup_name(tname);\n\t\t\tif (!addr) {\n\t\t\t\tverbose(env,\n\t\t\t\t\t\"The address of function %s cannot be found\\n\",\n\t\t\t\t\ttname);\n\t\t\t\tret = -ENOENT;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t}\n\n\t\tif (prog->expected_attach_type == BPF_MODIFY_RETURN) {\n\t\t\tret = check_attach_modify_return(prog, 
addr);\n\t\t\tif (ret)\n\t\t\t\tverbose(env, \"%s() is not modifiable\\n\",\n\t\t\t\t\tprog->aux->attach_func_name);\n\t\t}\n\n\t\tif (ret)\n\t\t\tgoto out;\n\t\ttr->func.addr = (void *)addr;\n\t\tprog->aux->trampoline = tr;\nout:\n\t\tmutex_unlock(&tr->mutex);\n\t\tif (ret)\n\t\t\tbpf_trampoline_put(tr);\n\t\treturn ret;\n\t}\n}", "project": "linux", "hash": 156059764507875986580971748704666403517, "size": 243, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 
R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. 
After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328491 }, { "func": "static bool insn_has_def32(struct bpf_verifier_env *env, struct bpf_insn *insn)\n{\n\tif (insn_no_def(insn))\n\t\treturn false;\n\n\treturn !is_reg64(env, insn, insn->dst_reg, NULL, DST_OP);\n}", "project": "linux", "hash": 
49026737062317698008300484057703179142, "size": 7, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232447 }, { "func": "static int copy_func_state(struct bpf_func_state *dst,\n\t\t\t const struct bpf_func_state *src)\n{\n\tint err;\n\n\terr = realloc_func_state(dst, src->allocated_stack, src->acquired_refs,\n\t\t\t\t false);\n\tif (err)\n\t\treturn err;\n\tmemcpy(dst, src, offsetof(struct bpf_func_state, acquired_refs));\n\terr = copy_reference_state(dst, src);\n\tif (err)\n\t\treturn err;\n\treturn copy_stack_state(dst, src);\n}", "project": "linux", "hash": 317178793225434306055103445689540409636, "size": 15, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call 
update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232413 }, { "func": "static int check_func_arg(struct bpf_verifier_env *env, u32 regno,\n\t\t\t enum bpf_arg_type arg_type,\n\t\t\t struct bpf_call_arg_meta *meta)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno];\n\tenum bpf_reg_type expected_type, type = reg->type;\n\tint err = 0;\n\n\tif (arg_type == ARG_DONTCARE)\n\t\treturn 0;\n\n\terr = check_reg_arg(env, regno, SRC_OP);\n\tif (err)\n\t\treturn err;\n\n\tif (arg_type == ARG_ANYTHING) {\n\t\tif (is_pointer_value(env, regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into helper function\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\treturn 0;\n\t}\n\n\tif (type_is_pkt_pointer(type) &&\n\t !may_access_direct_pkt_data(env, meta, BPF_READ)) {\n\t\tverbose(env, \"helper access to the packet is not allowed\\n\");\n\t\treturn 
-EACCES;\n\t}\n\n\tif (arg_type == ARG_PTR_TO_MAP_KEY ||\n\t arg_type == ARG_PTR_TO_MAP_VALUE ||\n\t arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE ||\n\t arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL) {\n\t\texpected_type = PTR_TO_STACK;\n\t\tif (register_is_null(reg) &&\n\t\t arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL)\n\t\t\t/* final test in check_stack_boundary() */;\n\t\telse if (!type_is_pkt_pointer(type) &&\n\t\t\t type != PTR_TO_MAP_VALUE &&\n\t\t\t type != expected_type)\n\t\t\tgoto err_type;\n\t} else if (arg_type == ARG_CONST_SIZE ||\n\t\t arg_type == ARG_CONST_SIZE_OR_ZERO) {\n\t\texpected_type = SCALAR_VALUE;\n\t\tif (type != expected_type)\n\t\t\tgoto err_type;\n\t} else if (arg_type == ARG_CONST_MAP_PTR) {\n\t\texpected_type = CONST_PTR_TO_MAP;\n\t\tif (type != expected_type)\n\t\t\tgoto err_type;\n\t} else if (arg_type == ARG_PTR_TO_CTX) {\n\t\texpected_type = PTR_TO_CTX;\n\t\tif (type != expected_type)\n\t\t\tgoto err_type;\n\t\terr = check_ctx_reg(env, reg, regno);\n\t\tif (err < 0)\n\t\t\treturn err;\n\t} else if (arg_type == ARG_PTR_TO_SOCK_COMMON) {\n\t\texpected_type = PTR_TO_SOCK_COMMON;\n\t\t/* Any sk pointer can be ARG_PTR_TO_SOCK_COMMON */\n\t\tif (!type_is_sk_pointer(type))\n\t\t\tgoto err_type;\n\t\tif (reg->ref_obj_id) {\n\t\t\tif (meta->ref_obj_id) {\n\t\t\t\tverbose(env, \"verifier internal error: more than one arg with ref_obj_id R%d %u %u\\n\",\n\t\t\t\t\tregno, reg->ref_obj_id,\n\t\t\t\t\tmeta->ref_obj_id);\n\t\t\t\treturn -EFAULT;\n\t\t\t}\n\t\t\tmeta->ref_obj_id = reg->ref_obj_id;\n\t\t}\n\t} else if (arg_type == ARG_PTR_TO_SOCKET) {\n\t\texpected_type = PTR_TO_SOCKET;\n\t\tif (type != expected_type)\n\t\t\tgoto err_type;\n\t} else if (arg_type == ARG_PTR_TO_BTF_ID) {\n\t\texpected_type = PTR_TO_BTF_ID;\n\t\tif (type != expected_type)\n\t\t\tgoto err_type;\n\t\tif (reg->btf_id != meta->btf_id) {\n\t\t\tverbose(env, \"Helper has type %s got %s in R%d\\n\",\n\t\t\t\tkernel_type_name(meta->btf_id),\n\t\t\t\tkernel_type_name(reg->btf_id), 
regno);\n\n\t\t\treturn -EACCES;\n\t\t}\n\t\tif (!tnum_is_const(reg->var_off) || reg->var_off.value || reg->off) {\n\t\t\tverbose(env, \"R%d is a pointer to in-kernel struct with non-zero offset\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\t} else if (arg_type == ARG_PTR_TO_SPIN_LOCK) {\n\t\tif (meta->func_id == BPF_FUNC_spin_lock) {\n\t\t\tif (process_spin_lock(env, regno, true))\n\t\t\t\treturn -EACCES;\n\t\t} else if (meta->func_id == BPF_FUNC_spin_unlock) {\n\t\t\tif (process_spin_lock(env, regno, false))\n\t\t\t\treturn -EACCES;\n\t\t} else {\n\t\t\tverbose(env, \"verifier internal error\\n\");\n\t\t\treturn -EFAULT;\n\t\t}\n\t} else if (arg_type_is_mem_ptr(arg_type)) {\n\t\texpected_type = PTR_TO_STACK;\n\t\t/* One exception here. In case function allows for NULL to be\n\t\t * passed in as argument, it's a SCALAR_VALUE type. Final test\n\t\t * happens during stack boundary checking.\n\t\t */\n\t\tif (register_is_null(reg) &&\n\t\t arg_type == ARG_PTR_TO_MEM_OR_NULL)\n\t\t\t/* final test in check_stack_boundary() */;\n\t\telse if (!type_is_pkt_pointer(type) &&\n\t\t\t type != PTR_TO_MAP_VALUE &&\n\t\t\t type != expected_type)\n\t\t\tgoto err_type;\n\t\tmeta->raw_mode = arg_type == ARG_PTR_TO_UNINIT_MEM;\n\t} else if (arg_type_is_int_ptr(arg_type)) {\n\t\texpected_type = PTR_TO_STACK;\n\t\tif (!type_is_pkt_pointer(type) &&\n\t\t type != PTR_TO_MAP_VALUE &&\n\t\t type != expected_type)\n\t\t\tgoto err_type;\n\t} else {\n\t\tverbose(env, \"unsupported arg_type %d\\n\", arg_type);\n\t\treturn -EFAULT;\n\t}\n\n\tif (arg_type == ARG_CONST_MAP_PTR) {\n\t\t/* bpf_map_xxx(map_ptr) call: remember that map_ptr */\n\t\tmeta->map_ptr = reg->map_ptr;\n\t} else if (arg_type == ARG_PTR_TO_MAP_KEY) {\n\t\t/* bpf_map_xxx(..., map_ptr, ..., key) call:\n\t\t * check that [key, key + map->key_size) are within\n\t\t * stack limits and initialized\n\t\t */\n\t\tif (!meta->map_ptr) {\n\t\t\t/* in function declaration map_ptr must come before\n\t\t\t * map_key, so that it's 
verified and known before\n\t\t\t * we have to check map_key here. Otherwise it means\n\t\t\t * that kernel subsystem misconfigured verifier\n\t\t\t */\n\t\t\tverbose(env, \"invalid map_ptr to access map->key\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_helper_mem_access(env, regno,\n\t\t\t\t\t meta->map_ptr->key_size, false,\n\t\t\t\t\t NULL);\n\t} else if (arg_type == ARG_PTR_TO_MAP_VALUE ||\n\t\t (arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL &&\n\t\t !register_is_null(reg)) ||\n\t\t arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE) {\n\t\t/* bpf_map_xxx(..., map_ptr, ..., value) call:\n\t\t * check [value, value + map->value_size) validity\n\t\t */\n\t\tif (!meta->map_ptr) {\n\t\t\t/* kernel subsystem misconfigured verifier */\n\t\t\tverbose(env, \"invalid map_ptr to access map->value\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\t\tmeta->raw_mode = (arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE);\n\t\terr = check_helper_mem_access(env, regno,\n\t\t\t\t\t meta->map_ptr->value_size, false,\n\t\t\t\t\t meta);\n\t} else if (arg_type_is_mem_size(arg_type)) {\n\t\tbool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO);\n\n\t\t/* remember the mem_size which may be used later\n\t\t * to refine return values.\n\t\t */\n\t\tmeta->msize_smax_value = reg->smax_value;\n\t\tmeta->msize_umax_value = reg->umax_value;\n\n\t\t/* The register is SCALAR_VALUE; the access check\n\t\t * happens using its boundaries.\n\t\t */\n\t\tif (!tnum_is_const(reg->var_off))\n\t\t\t/* For unprivileged variable accesses, disable raw\n\t\t\t * mode so that the program is required to\n\t\t\t * initialize all the memory that the helper could\n\t\t\t * just partially fill up.\n\t\t\t */\n\t\t\tmeta = NULL;\n\n\t\tif (reg->smin_value < 0) {\n\t\t\tverbose(env, \"R%d min value is negative, either use unsigned or 'var &= const'\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\tif (reg->umin_value == 0) {\n\t\t\terr = check_helper_mem_access(env, regno - 1, 0,\n\t\t\t\t\t\t 
zero_size_allowed,\n\t\t\t\t\t\t meta);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t}\n\n\t\tif (reg->umax_value >= BPF_MAX_VAR_SIZ) {\n\t\t\tverbose(env, \"R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_helper_mem_access(env, regno - 1,\n\t\t\t\t\t reg->umax_value,\n\t\t\t\t\t zero_size_allowed, meta);\n\t\tif (!err)\n\t\t\terr = mark_chain_precision(env, regno);\n\t} else if (arg_type_is_int_ptr(arg_type)) {\n\t\tint size = int_ptr_type_to_size(arg_type);\n\n\t\terr = check_helper_mem_access(env, regno, size, false, meta);\n\t\tif (err)\n\t\t\treturn err;\n\t\terr = check_ptr_alignment(env, reg, 0, size, true);\n\t}\n\n\treturn err;\nerr_type:\n\tverbose(env, \"R%d type=%s expected=%s\\n\", regno,\n\t\treg_type_str[type], reg_type_str[expected_type]);\n\treturn -EACCES;\n}", "project": "linux", "hash": 185842656807844436390875508587372362978, "size": 223, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232489 }, { "func": "static int check_func_arg(struct bpf_verifier_env *env, u32 arg,\n\t\t\t struct bpf_call_arg_meta *meta,\n\t\t\t const struct bpf_func_proto *fn)\n{\n\tu32 regno = BPF_REG_1 + arg;\n\tstruct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno];\n\tenum bpf_reg_type expected_type, type = reg->type;\n\tenum bpf_arg_type arg_type = fn->arg_type[arg];\n\tint err = 0;\n\n\tif (arg_type == ARG_DONTCARE)\n\t\treturn 0;\n\n\terr = check_reg_arg(env, regno, SRC_OP);\n\tif (err)\n\t\treturn err;\n\n\tif (arg_type == ARG_ANYTHING) {\n\t\tif (is_pointer_value(env, regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into helper function\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\treturn 0;\n\t}\n\n\tif (type_is_pkt_pointer(type) &&\n\t !may_access_direct_pkt_data(env, meta, BPF_READ)) {\n\t\tverbose(env, \"helper access to the packet is not allowed\\n\");\n\t\treturn -EACCES;\n\t}\n\n\tif (arg_type == ARG_PTR_TO_MAP_KEY ||\n\t arg_type == ARG_PTR_TO_MAP_VALUE ||\n\t arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE ||\n\t arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL) {\n\t\texpected_type = PTR_TO_STACK;\n\t\tif (register_is_null(reg) &&\n\t\t arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL)\n\t\t\t/* final test in check_stack_boundary() */;\n\t\telse if (!type_is_pkt_pointer(type) &&\n\t\t\t type != PTR_TO_MAP_VALUE &&\n\t\t\t type != expected_type)\n\t\t\tgoto err_type;\n\t} else if (arg_type == ARG_CONST_SIZE ||\n\t\t arg_type == ARG_CONST_SIZE_OR_ZERO ||\n\t\t arg_type == ARG_CONST_ALLOC_SIZE_OR_ZERO) {\n\t\texpected_type = SCALAR_VALUE;\n\t\tif (type != expected_type)\n\t\t\tgoto err_type;\n\t} else if 
(arg_type == ARG_CONST_MAP_PTR) {\n\t\texpected_type = CONST_PTR_TO_MAP;\n\t\tif (type != expected_type)\n\t\t\tgoto err_type;\n\t} else if (arg_type == ARG_PTR_TO_CTX ||\n\t\t arg_type == ARG_PTR_TO_CTX_OR_NULL) {\n\t\texpected_type = PTR_TO_CTX;\n\t\tif (!(register_is_null(reg) &&\n\t\t arg_type == ARG_PTR_TO_CTX_OR_NULL)) {\n\t\t\tif (type != expected_type)\n\t\t\t\tgoto err_type;\n\t\t\terr = check_ctx_reg(env, reg, regno);\n\t\t\tif (err < 0)\n\t\t\t\treturn err;\n\t\t}\n\t} else if (arg_type == ARG_PTR_TO_SOCK_COMMON) {\n\t\texpected_type = PTR_TO_SOCK_COMMON;\n\t\t/* Any sk pointer can be ARG_PTR_TO_SOCK_COMMON */\n\t\tif (!type_is_sk_pointer(type))\n\t\t\tgoto err_type;\n\t\tif (reg->ref_obj_id) {\n\t\t\tif (meta->ref_obj_id) {\n\t\t\t\tverbose(env, \"verifier internal error: more than one arg with ref_obj_id R%d %u %u\\n\",\n\t\t\t\t\tregno, reg->ref_obj_id,\n\t\t\t\t\tmeta->ref_obj_id);\n\t\t\t\treturn -EFAULT;\n\t\t\t}\n\t\t\tmeta->ref_obj_id = reg->ref_obj_id;\n\t\t}\n\t} else if (arg_type == ARG_PTR_TO_SOCKET ||\n\t\t arg_type == ARG_PTR_TO_SOCKET_OR_NULL) {\n\t\texpected_type = PTR_TO_SOCKET;\n\t\tif (!(register_is_null(reg) &&\n\t\t arg_type == ARG_PTR_TO_SOCKET_OR_NULL)) {\n\t\t\tif (type != expected_type)\n\t\t\t\tgoto err_type;\n\t\t}\n\t} else if (arg_type == ARG_PTR_TO_BTF_ID) {\n\t\texpected_type = PTR_TO_BTF_ID;\n\t\tif (type != expected_type)\n\t\t\tgoto err_type;\n\t\tif (!fn->check_btf_id) {\n\t\t\tif (reg->btf_id != meta->btf_id) {\n\t\t\t\tverbose(env, \"Helper has type %s got %s in R%d\\n\",\n\t\t\t\t\tkernel_type_name(meta->btf_id),\n\t\t\t\t\tkernel_type_name(reg->btf_id), regno);\n\n\t\t\t\treturn -EACCES;\n\t\t\t}\n\t\t} else if (!fn->check_btf_id(reg->btf_id, arg)) {\n\t\t\tverbose(env, \"Helper does not support %s in R%d\\n\",\n\t\t\t\tkernel_type_name(reg->btf_id), regno);\n\n\t\t\treturn -EACCES;\n\t\t}\n\t\tif (!tnum_is_const(reg->var_off) || reg->var_off.value || reg->off) {\n\t\t\tverbose(env, \"R%d is a pointer to in-kernel 
struct with non-zero offset\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\t} else if (arg_type == ARG_PTR_TO_SPIN_LOCK) {\n\t\tif (meta->func_id == BPF_FUNC_spin_lock) {\n\t\t\tif (process_spin_lock(env, regno, true))\n\t\t\t\treturn -EACCES;\n\t\t} else if (meta->func_id == BPF_FUNC_spin_unlock) {\n\t\t\tif (process_spin_lock(env, regno, false))\n\t\t\t\treturn -EACCES;\n\t\t} else {\n\t\t\tverbose(env, \"verifier internal error\\n\");\n\t\t\treturn -EFAULT;\n\t\t}\n\t} else if (arg_type_is_mem_ptr(arg_type)) {\n\t\texpected_type = PTR_TO_STACK;\n\t\t/* One exception here. In case function allows for NULL to be\n\t\t * passed in as argument, it's a SCALAR_VALUE type. Final test\n\t\t * happens during stack boundary checking.\n\t\t */\n\t\tif (register_is_null(reg) &&\n\t\t (arg_type == ARG_PTR_TO_MEM_OR_NULL ||\n\t\t arg_type == ARG_PTR_TO_ALLOC_MEM_OR_NULL))\n\t\t\t/* final test in check_stack_boundary() */;\n\t\telse if (!type_is_pkt_pointer(type) &&\n\t\t\t type != PTR_TO_MAP_VALUE &&\n\t\t\t type != PTR_TO_MEM &&\n\t\t\t type != PTR_TO_RDONLY_BUF &&\n\t\t\t type != PTR_TO_RDWR_BUF &&\n\t\t\t type != expected_type)\n\t\t\tgoto err_type;\n\t\tmeta->raw_mode = arg_type == ARG_PTR_TO_UNINIT_MEM;\n\t} else if (arg_type_is_alloc_mem_ptr(arg_type)) {\n\t\texpected_type = PTR_TO_MEM;\n\t\tif (register_is_null(reg) &&\n\t\t arg_type == ARG_PTR_TO_ALLOC_MEM_OR_NULL)\n\t\t\t/* final test in check_stack_boundary() */;\n\t\telse if (type != expected_type)\n\t\t\tgoto err_type;\n\t\tif (meta->ref_obj_id) {\n\t\t\tverbose(env, \"verifier internal error: more than one arg with ref_obj_id R%d %u %u\\n\",\n\t\t\t\tregno, reg->ref_obj_id,\n\t\t\t\tmeta->ref_obj_id);\n\t\t\treturn -EFAULT;\n\t\t}\n\t\tmeta->ref_obj_id = reg->ref_obj_id;\n\t} else if (arg_type_is_int_ptr(arg_type)) {\n\t\texpected_type = PTR_TO_STACK;\n\t\tif (!type_is_pkt_pointer(type) &&\n\t\t type != PTR_TO_MAP_VALUE &&\n\t\t type != expected_type)\n\t\t\tgoto err_type;\n\t} else {\n\t\tverbose(env, 
\"unsupported arg_type %d\\n\", arg_type);\n\t\treturn -EFAULT;\n\t}\n\n\tif (arg_type == ARG_CONST_MAP_PTR) {\n\t\t/* bpf_map_xxx(map_ptr) call: remember that map_ptr */\n\t\tmeta->map_ptr = reg->map_ptr;\n\t} else if (arg_type == ARG_PTR_TO_MAP_KEY) {\n\t\t/* bpf_map_xxx(..., map_ptr, ..., key) call:\n\t\t * check that [key, key + map->key_size) are within\n\t\t * stack limits and initialized\n\t\t */\n\t\tif (!meta->map_ptr) {\n\t\t\t/* in function declaration map_ptr must come before\n\t\t\t * map_key, so that it's verified and known before\n\t\t\t * we have to check map_key here. Otherwise it means\n\t\t\t * that kernel subsystem misconfigured verifier\n\t\t\t */\n\t\t\tverbose(env, \"invalid map_ptr to access map->key\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_helper_mem_access(env, regno,\n\t\t\t\t\t meta->map_ptr->key_size, false,\n\t\t\t\t\t NULL);\n\t} else if (arg_type == ARG_PTR_TO_MAP_VALUE ||\n\t\t (arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL &&\n\t\t !register_is_null(reg)) ||\n\t\t arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE) {\n\t\t/* bpf_map_xxx(..., map_ptr, ..., value) call:\n\t\t * check [value, value + map->value_size) validity\n\t\t */\n\t\tif (!meta->map_ptr) {\n\t\t\t/* kernel subsystem misconfigured verifier */\n\t\t\tverbose(env, \"invalid map_ptr to access map->value\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\t\tmeta->raw_mode = (arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE);\n\t\terr = check_helper_mem_access(env, regno,\n\t\t\t\t\t meta->map_ptr->value_size, false,\n\t\t\t\t\t meta);\n\t} else if (arg_type_is_mem_size(arg_type)) {\n\t\tbool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO);\n\n\t\t/* This is used to refine r0 return value bounds for helpers\n\t\t * that enforce this value as an upper bound on return values.\n\t\t * See do_refine_retval_range() for helpers that can refine\n\t\t * the return value. 
C type of helper is u32 so we pull register\n\t\t * bound from umax_value however, if negative verifier errors\n\t\t * out. Only upper bounds can be learned because retval is an\n\t\t * int type and negative retvals are allowed.\n\t\t */\n\t\tmeta->msize_max_value = reg->umax_value;\n\n\t\t/* The register is SCALAR_VALUE; the access check\n\t\t * happens using its boundaries.\n\t\t */\n\t\tif (!tnum_is_const(reg->var_off))\n\t\t\t/* For unprivileged variable accesses, disable raw\n\t\t\t * mode so that the program is required to\n\t\t\t * initialize all the memory that the helper could\n\t\t\t * just partially fill up.\n\t\t\t */\n\t\t\tmeta = NULL;\n\n\t\tif (reg->smin_value < 0) {\n\t\t\tverbose(env, \"R%d min value is negative, either use unsigned or 'var &= const'\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\tif (reg->umin_value == 0) {\n\t\t\terr = check_helper_mem_access(env, regno - 1, 0,\n\t\t\t\t\t\t zero_size_allowed,\n\t\t\t\t\t\t meta);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t}\n\n\t\tif (reg->umax_value >= BPF_MAX_VAR_SIZ) {\n\t\t\tverbose(env, \"R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_helper_mem_access(env, regno - 1,\n\t\t\t\t\t reg->umax_value,\n\t\t\t\t\t zero_size_allowed, meta);\n\t\tif (!err)\n\t\t\terr = mark_chain_precision(env, regno);\n\t} else if (arg_type_is_alloc_size(arg_type)) {\n\t\tif (!tnum_is_const(reg->var_off)) {\n\t\t\tverbose(env, \"R%d unbounded size, use 'var &= const' or 'if (var < const)'\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tmeta->mem_size = reg->var_off.value;\n\t} else if (arg_type_is_int_ptr(arg_type)) {\n\t\tint size = int_ptr_type_to_size(arg_type);\n\n\t\terr = check_helper_mem_access(env, regno, size, false, meta);\n\t\tif (err)\n\t\t\treturn err;\n\t\terr = check_ptr_alignment(env, reg, 0, size, true);\n\t}\n\n\treturn err;\nerr_type:\n\tverbose(env, \"R%d type=%s expected=%s\\n\", 
regno,\n\t\treg_type_str[type], reg_type_str[expected_type]);\n\treturn -EACCES;\n}", "project": "linux", "hash": 62632387522399464888362825631313335260, "size": 270, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 
0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 
R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328509 }, { "func": "static int check_func_arg(struct bpf_verifier_env *env, u32 arg,\n\t\t\t struct bpf_call_arg_meta *meta,\n\t\t\t const struct bpf_func_proto *fn)\n{\n\tu32 regno = BPF_REG_1 + arg;\n\tstruct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno];\n\tenum bpf_arg_type arg_type = fn->arg_type[arg];\n\tenum bpf_reg_type type = reg->type;\n\tint err = 0;\n\n\tif (arg_type == ARG_DONTCARE)\n\t\treturn 0;\n\n\terr = check_reg_arg(env, regno, SRC_OP);\n\tif (err)\n\t\treturn err;\n\n\tif (arg_type == ARG_ANYTHING) {\n\t\tif (is_pointer_value(env, regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into helper function\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\treturn 0;\n\t}\n\n\tif (type_is_pkt_pointer(type) &&\n\t !may_access_direct_pkt_data(env, meta, BPF_READ)) {\n\t\tverbose(env, \"helper access to the packet is not allowed\\n\");\n\t\treturn -EACCES;\n\t}\n\n\tif (arg_type == ARG_PTR_TO_MAP_VALUE ||\n\t arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE ||\n\t arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL) {\n\t\terr = resolve_map_arg_type(env, meta, &arg_type);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\n\tif (register_is_null(reg) && arg_type_may_be_null(arg_type))\n\t\t/* A NULL register has a SCALAR_VALUE type, so skip\n\t\t * type 
checking.\n\t\t */\n\t\tgoto skip_type_check;\n\n\terr = check_reg_type(env, regno, arg_type, fn->arg_btf_id[arg]);\n\tif (err)\n\t\treturn err;\n\n\tif (type == PTR_TO_CTX) {\n\t\terr = check_ctx_reg(env, reg, regno);\n\t\tif (err < 0)\n\t\t\treturn err;\n\t}\n\nskip_type_check:\n\tif (reg->ref_obj_id) {\n\t\tif (meta->ref_obj_id) {\n\t\t\tverbose(env, \"verifier internal error: more than one arg with ref_obj_id R%d %u %u\\n\",\n\t\t\t\tregno, reg->ref_obj_id,\n\t\t\t\tmeta->ref_obj_id);\n\t\t\treturn -EFAULT;\n\t\t}\n\t\tmeta->ref_obj_id = reg->ref_obj_id;\n\t}\n\n\tif (arg_type == ARG_CONST_MAP_PTR) {\n\t\t/* bpf_map_xxx(map_ptr) call: remember that map_ptr */\n\t\tmeta->map_ptr = reg->map_ptr;\n\t} else if (arg_type == ARG_PTR_TO_MAP_KEY) {\n\t\t/* bpf_map_xxx(..., map_ptr, ..., key) call:\n\t\t * check that [key, key + map->key_size) are within\n\t\t * stack limits and initialized\n\t\t */\n\t\tif (!meta->map_ptr) {\n\t\t\t/* in function declaration map_ptr must come before\n\t\t\t * map_key, so that it's verified and known before\n\t\t\t * we have to check map_key here. 
Otherwise it means\n\t\t\t * that kernel subsystem misconfigured verifier\n\t\t\t */\n\t\t\tverbose(env, \"invalid map_ptr to access map->key\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_helper_mem_access(env, regno,\n\t\t\t\t\t meta->map_ptr->key_size, false,\n\t\t\t\t\t NULL);\n\t} else if (arg_type == ARG_PTR_TO_MAP_VALUE ||\n\t\t (arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL &&\n\t\t !register_is_null(reg)) ||\n\t\t arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE) {\n\t\t/* bpf_map_xxx(..., map_ptr, ..., value) call:\n\t\t * check [value, value + map->value_size) validity\n\t\t */\n\t\tif (!meta->map_ptr) {\n\t\t\t/* kernel subsystem misconfigured verifier */\n\t\t\tverbose(env, \"invalid map_ptr to access map->value\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\t\tmeta->raw_mode = (arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE);\n\t\terr = check_helper_mem_access(env, regno,\n\t\t\t\t\t meta->map_ptr->value_size, false,\n\t\t\t\t\t meta);\n\t} else if (arg_type == ARG_PTR_TO_PERCPU_BTF_ID) {\n\t\tif (!reg->btf_id) {\n\t\t\tverbose(env, \"Helper has invalid btf_id in R%d\\n\", regno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tmeta->ret_btf = reg->btf;\n\t\tmeta->ret_btf_id = reg->btf_id;\n\t} else if (arg_type == ARG_PTR_TO_SPIN_LOCK) {\n\t\tif (meta->func_id == BPF_FUNC_spin_lock) {\n\t\t\tif (process_spin_lock(env, regno, true))\n\t\t\t\treturn -EACCES;\n\t\t} else if (meta->func_id == BPF_FUNC_spin_unlock) {\n\t\t\tif (process_spin_lock(env, regno, false))\n\t\t\t\treturn -EACCES;\n\t\t} else {\n\t\t\tverbose(env, \"verifier internal error\\n\");\n\t\t\treturn -EFAULT;\n\t\t}\n\t} else if (arg_type_is_mem_ptr(arg_type)) {\n\t\t/* The access to this pointer is only checked when we hit the\n\t\t * next is_mem_size argument below.\n\t\t */\n\t\tmeta->raw_mode = (arg_type == ARG_PTR_TO_UNINIT_MEM);\n\t} else if (arg_type_is_mem_size(arg_type)) {\n\t\tbool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO);\n\n\t\t/* This is used to refine r0 return value bounds for helpers\n\t\t 
* that enforce this value as an upper bound on return values.\n\t\t * See do_refine_retval_range() for helpers that can refine\n\t\t * the return value. C type of helper is u32 so we pull register\n\t\t * bound from umax_value however, if negative verifier errors\n\t\t * out. Only upper bounds can be learned because retval is an\n\t\t * int type and negative retvals are allowed.\n\t\t */\n\t\tmeta->msize_max_value = reg->umax_value;\n\n\t\t/* The register is SCALAR_VALUE; the access check\n\t\t * happens using its boundaries.\n\t\t */\n\t\tif (!tnum_is_const(reg->var_off))\n\t\t\t/* For unprivileged variable accesses, disable raw\n\t\t\t * mode so that the program is required to\n\t\t\t * initialize all the memory that the helper could\n\t\t\t * just partially fill up.\n\t\t\t */\n\t\t\tmeta = NULL;\n\n\t\tif (reg->smin_value < 0) {\n\t\t\tverbose(env, \"R%d min value is negative, either use unsigned or 'var &= const'\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\tif (reg->umin_value == 0) {\n\t\t\terr = check_helper_mem_access(env, regno - 1, 0,\n\t\t\t\t\t\t zero_size_allowed,\n\t\t\t\t\t\t meta);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t}\n\n\t\tif (reg->umax_value >= BPF_MAX_VAR_SIZ) {\n\t\t\tverbose(env, \"R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_helper_mem_access(env, regno - 1,\n\t\t\t\t\t reg->umax_value,\n\t\t\t\t\t zero_size_allowed, meta);\n\t\tif (!err)\n\t\t\terr = mark_chain_precision(env, regno);\n\t} else if (arg_type_is_alloc_size(arg_type)) {\n\t\tif (!tnum_is_const(reg->var_off)) {\n\t\t\tverbose(env, \"R%d unbounded size, use 'var &= const' or 'if (var < const)'\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tmeta->mem_size = reg->var_off.value;\n\t} else if (arg_type_is_int_ptr(arg_type)) {\n\t\tint size = int_ptr_type_to_size(arg_type);\n\n\t\terr = check_helper_mem_access(env, regno, size, false, meta);\n\t\tif 
(err)\n\t\t\treturn err;\n\t\terr = check_ptr_alignment(env, reg, 0, size, true);\n\t}\n\n\treturn err;\n}", "project": "linux", "hash": 187482927135865210825538594612655051408, "size": 192, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). 
However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456510 }, { "func": "static bool __is_pointer_value(bool allow_ptr_leaks,\n\t\t\t const struct bpf_reg_state *reg)\n{\n\tif (allow_ptr_leaks)\n\t\treturn false;\n\n\treturn reg->type != SCALAR_VALUE;\n}", "project": "linux", "hash": 160434457535735080345618236102806723295, "size": 8, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. 
These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232422 }, { "func": "static int check_ld_imm(struct bpf_verifier_env *env, struct bpf_insn *insn)\n{\n\tstruct bpf_insn_aux_data *aux = cur_aux(env);\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tstruct bpf_map *map;\n\tint err;\n\n\tif (BPF_SIZE(insn->code) != BPF_DW) {\n\t\tverbose(env, \"invalid BPF_LD_IMM insn\\n\");\n\t\treturn -EINVAL;\n\t}\n\tif (insn->off != 0) {\n\t\tverbose(env, \"BPF_LD_IMM64 uses reserved fields\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\terr = check_reg_arg(env, insn->dst_reg, DST_OP);\n\tif (err)\n\t\treturn err;\n\n\tif (insn->src_reg == 0) {\n\t\tu64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm;\n\n\t\tregs[insn->dst_reg].type = SCALAR_VALUE;\n\t\t__mark_reg_known(®s[insn->dst_reg], imm);\n\t\treturn 0;\n\t}\n\n\tmap = env->used_maps[aux->map_index];\n\tmark_reg_known_zero(env, regs, insn->dst_reg);\n\tregs[insn->dst_reg].map_ptr = map;\n\n\tif (insn->src_reg == BPF_PSEUDO_MAP_VALUE) {\n\t\tregs[insn->dst_reg].type = PTR_TO_MAP_VALUE;\n\t\tregs[insn->dst_reg].off = aux->map_off;\n\t\tif (map_value_has_spin_lock(map))\n\t\t\tregs[insn->dst_reg].id = ++env->id_gen;\n\t} else if (insn->src_reg == BPF_PSEUDO_MAP_FD) {\n\t\tregs[insn->dst_reg].type = CONST_PTR_TO_MAP;\n\t} else {\n\t\tverbose(env, \"bpf verifier is misconfigured\\n\");\n\t\treturn 
-EINVAL;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 181236091921155726287771710892532587307, "size": 46, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232525 }, { "func": "static void mark_reg_not_init(struct bpf_verifier_env *env,\n\t\t\t struct bpf_reg_state *regs, u32 regno)\n{\n\tif (WARN_ON(regno >= MAX_BPF_REG)) {\n\t\tverbose(env, \"mark_reg_not_init(regs, %u)\\n\", regno);\n\t\t/* Something bad happened, let's kill all regs except FP */\n\t\tfor (regno = 0; regno < BPF_REG_FP; regno++)\n\t\t\t__mark_reg_not_init(env, regs + regno);\n\t\treturn;\n\t}\n\t__mark_reg_not_init(env, regs + regno);\n}", "project": "linux", "hash": 53966576477166034391246082877439306328, "size": 12, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232495 }, { "func": "static bool reg_type_may_be_null(enum bpf_reg_type type)\n{\n\treturn type == PTR_TO_MAP_VALUE_OR_NULL ||\n\t type == PTR_TO_SOCKET_OR_NULL ||\n\t type == PTR_TO_SOCK_COMMON_OR_NULL ||\n\t type == PTR_TO_TCP_SOCK_OR_NULL;\n}", "project": "linux", "hash": 37098412102054122518413793067446521927, "size": 7, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232547 }, { "func": "static bool bpf_map_ptr_unpriv(const struct bpf_insn_aux_data *aux)\n{\n\treturn aux->map_ptr_state & BPF_MAP_PTR_UNPRIV;\n}", "project": "linux", "hash": 196044659145935792072933480799621509499, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232550 }, { "func": "static void mark_btf_ld_reg(struct bpf_verifier_env *env,\n\t\t\t struct bpf_reg_state *regs, u32 regno,\n\t\t\t enum bpf_reg_type reg_type, u32 btf_id)\n{\n\tif (reg_type == SCALAR_VALUE) {\n\t\tmark_reg_unknown(env, regs, regno);\n\t\treturn;\n\t}\n\tmark_reg_known_zero(env, regs, regno);\n\tregs[regno].type = PTR_TO_BTF_ID;\n\tregs[regno].btf_id = btf_id;\n}", "project": "linux", "hash": 177419760591610039054960541635599885925, "size": 12, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328499 }, { "func": "static bool type_is_pkt_pointer(enum bpf_reg_type type)\n{\n\treturn type == PTR_TO_PACKET ||\n\t type == PTR_TO_PACKET_META;\n}", "project": "linux", "hash": 92065843614209155927095077897422802732, "size": 5, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232411 }, { "func": "static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur,\n\t\t struct idpair *idmap)\n{\n\tbool equal;\n\n\tif (!(rold->live & REG_LIVE_READ))\n\t\t/* explored state didn't use this */\n\t\treturn true;\n\n\tequal = memcmp(rold, rcur, offsetof(struct bpf_reg_state, parent)) == 0;\n\n\tif (rold->type == PTR_TO_STACK)\n\t\t/* two stack pointers are equal only if they're pointing to\n\t\t * the same stack frame, since fp-8 in foo != fp-8 in bar\n\t\t */\n\t\treturn equal && rold->frameno == rcur->frameno;\n\n\tif (equal)\n\t\treturn true;\n\n\tif (rold->type == NOT_INIT)\n\t\t/* explored state can't have used this */\n\t\treturn true;\n\tif (rcur->type == NOT_INIT)\n\t\treturn false;\n\tswitch (rold->type) {\n\tcase SCALAR_VALUE:\n\t\tif (rcur->type == SCALAR_VALUE) {\n\t\t\tif (!rold->precise && !rcur->precise)\n\t\t\t\treturn true;\n\t\t\t/* new val must satisfy old val knowledge */\n\t\t\treturn range_within(rold, rcur) &&\n\t\t\t tnum_in(rold->var_off, rcur->var_off);\n\t\t} else {\n\t\t\t/* We're trying to use a pointer in place of a scalar.\n\t\t\t * Even if the scalar was unbounded, this could lead to\n\t\t\t * pointer leaks because scalars are allowed to leak\n\t\t\t * while pointers are not. 
We could make this safe in\n\t\t\t * special cases if root is calling us, but it's\n\t\t\t * probably not worth the hassle.\n\t\t\t */\n\t\t\treturn false;\n\t\t}\n\tcase PTR_TO_MAP_VALUE:\n\t\t/* If the new min/max/var_off satisfy the old ones and\n\t\t * everything else matches, we are OK.\n\t\t * 'id' is not compared, since it's only used for maps with\n\t\t * bpf_spin_lock inside map element and in such cases if\n\t\t * the rest of the prog is valid for one map element then\n\t\t * it's valid for all map elements regardless of the key\n\t\t * used in bpf_map_lookup()\n\t\t */\n\t\treturn memcmp(rold, rcur, offsetof(struct bpf_reg_state, id)) == 0 &&\n\t\t range_within(rold, rcur) &&\n\t\t tnum_in(rold->var_off, rcur->var_off);\n\tcase PTR_TO_MAP_VALUE_OR_NULL:\n\t\t/* a PTR_TO_MAP_VALUE could be safe to use as a\n\t\t * PTR_TO_MAP_VALUE_OR_NULL into the same map.\n\t\t * However, if the old PTR_TO_MAP_VALUE_OR_NULL then got NULL-\n\t\t * checked, doing so could have affected others with the same\n\t\t * id, and we can't check for that because we lost the id when\n\t\t * we converted to a PTR_TO_MAP_VALUE.\n\t\t */\n\t\tif (rcur->type != PTR_TO_MAP_VALUE_OR_NULL)\n\t\t\treturn false;\n\t\tif (memcmp(rold, rcur, offsetof(struct bpf_reg_state, id)))\n\t\t\treturn false;\n\t\t/* Check our ids match any regs they're supposed to */\n\t\treturn check_ids(rold->id, rcur->id, idmap);\n\tcase PTR_TO_PACKET_META:\n\tcase PTR_TO_PACKET:\n\t\tif (rcur->type != rold->type)\n\t\t\treturn false;\n\t\t/* We must have at least as much range as the old ptr\n\t\t * did, so that any accesses which were safe before are\n\t\t * still safe. 
This is true even if old range < old off,\n\t\t * since someone could have accessed through (ptr - k), or\n\t\t * even done ptr -= k in a register, to get a safe access.\n\t\t */\n\t\tif (rold->range > rcur->range)\n\t\t\treturn false;\n\t\t/* If the offsets don't match, we can't trust our alignment;\n\t\t * nor can we be sure that we won't fall out of range.\n\t\t */\n\t\tif (rold->off != rcur->off)\n\t\t\treturn false;\n\t\t/* id relations must be preserved */\n\t\tif (rold->id && !check_ids(rold->id, rcur->id, idmap))\n\t\t\treturn false;\n\t\t/* new val must satisfy old val knowledge */\n\t\treturn range_within(rold, rcur) &&\n\t\t tnum_in(rold->var_off, rcur->var_off);\n\tcase PTR_TO_CTX:\n\tcase CONST_PTR_TO_MAP:\n\tcase PTR_TO_PACKET_END:\n\tcase PTR_TO_FLOW_KEYS:\n\tcase PTR_TO_SOCKET:\n\tcase PTR_TO_SOCKET_OR_NULL:\n\tcase PTR_TO_SOCK_COMMON:\n\tcase PTR_TO_SOCK_COMMON_OR_NULL:\n\tcase PTR_TO_TCP_SOCK:\n\tcase PTR_TO_TCP_SOCK_OR_NULL:\n\tcase PTR_TO_XDP_SOCK:\n\t\t/* Only valid matches are exact, which memcmp() above\n\t\t * would have accepted\n\t\t */\n\tdefault:\n\t\t/* Don't know what's going on, just say it's not safe */\n\t\treturn false;\n\t}\n\n\t/* Shouldn't get here; if we do, say it's not safe */\n\tWARN_ON_ONCE(1);\n\treturn false;\n}", "project": "linux", "hash": 202465325860822127160187008792555551047, "size": 115, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. 
These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232643 }, { "func": "static void __mark_reg_known_zero(struct bpf_reg_state *reg)\n{\n\t__mark_reg_known(reg, 0);\n}", "project": "linux", "hash": 226225865153862657947971162943508425213, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232516 }, { "func": "static bool arg_type_is_mem_ptr(enum bpf_arg_type type)\n{\n\treturn type == ARG_PTR_TO_MEM ||\n\t type == ARG_PTR_TO_MEM_OR_NULL ||\n\t type == ARG_PTR_TO_UNINIT_MEM;\n}", "project": "linux", "hash": 96893137037904201958053983624053581437, "size": 6, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232584 }, { "func": "static void clean_live_states(struct bpf_verifier_env *env, int insn,\n\t\t\t struct bpf_verifier_state *cur)\n{\n\tstruct bpf_verifier_state_list *sl;\n\tint i;\n\n\tsl = *explored_state(env, insn);\n\twhile (sl) {\n\t\tif (sl->state.branches)\n\t\t\tgoto next;\n\t\tif (sl->state.insn_idx != insn ||\n\t\t sl->state.curframe != cur->curframe)\n\t\t\tgoto next;\n\t\tfor (i = 0; i <= cur->curframe; i++)\n\t\t\tif (sl->state.frame[i]->callsite != cur->frame[i]->callsite)\n\t\t\t\tgoto next;\n\t\tclean_verifier_state(env, &sl->state);\nnext:\n\t\tsl = sl->next;\n\t}\n}", "project": "linux", "hash": 161457010585719665027791842706104255123, "size": 21, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232504 }, { "func": "static int check_func_proto(const struct bpf_func_proto *fn, int func_id)\n{\n\treturn check_raw_mode_ok(fn) &&\n\t check_arg_pair_ok(fn) &&\n\t check_refcount_ok(fn, func_id) ? 0 : -EINVAL;\n}", "project": "linux", "hash": 95435312834387613529898258854257994183, "size": 6, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232587 }, { "func": "static int update_alu_sanitation_state(struct bpf_insn_aux_data *aux,\n\t\t\t\t u32 alu_state, u32 alu_limit)\n{\n\t/* If we arrived here from different branches with different\n\t * state or limits to sanitize, then this won't work.\n\t */\n\tif (aux->alu_state &&\n\t (aux->alu_state != alu_state ||\n\t aux->alu_limit != alu_limit))\n\t\treturn -EACCES;\n\n\t/* Corresponding fixup done in fixup_bpf_calls(). */\n\taux->alu_state = alu_state;\n\taux->alu_limit = alu_limit;\n\treturn 0;\n}", "project": "linux", "hash": 57059833252740087360801445607200382637, "size": 16, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232526 }, { "func": "static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_insn *insn)\n{\n\tint err;\n\n\tif ((BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) ||\n\t insn->imm != 0) {\n\t\tverbose(env, \"BPF_XADD uses reserved fields\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\t/* check src1 operand */\n\terr = check_reg_arg(env, insn->src_reg, SRC_OP);\n\tif (err)\n\t\treturn err;\n\n\t/* check src2 operand */\n\terr = check_reg_arg(env, insn->dst_reg, SRC_OP);\n\tif (err)\n\t\treturn err;\n\n\tif (is_pointer_value(env, insn->src_reg)) {\n\t\tverbose(env, \"R%d leaks addr into mem\\n\", insn->src_reg);\n\t\treturn -EACCES;\n\t}\n\n\tif (is_ctx_reg(env, insn->dst_reg) ||\n\t is_pkt_reg(env, insn->dst_reg) ||\n\t is_flow_key_reg(env, insn->dst_reg) ||\n\t is_sk_reg(env, insn->dst_reg)) {\n\t\tverbose(env, \"BPF_XADD stores into R%d %s is not allowed\\n\",\n\t\t\tinsn->dst_reg,\n\t\t\treg_type_str[reg_state(env, insn->dst_reg)->type]);\n\t\treturn -EACCES;\n\t}\n\n\t/* check whether atomic_add can read the memory */\n\terr = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,\n\t\t\t BPF_SIZE(insn->code), BPF_READ, -1, true);\n\tif (err)\n\t\treturn err;\n\n\t/* check whether atomic_add can write into the same memory */\n\treturn check_mem_access(env, insn_idx, insn->dst_reg, insn->off,\n\t\t\t\tBPF_SIZE(insn->code), BPF_WRITE, -1, true);\n}", "project": "linux", "hash": 252801651242603373161829728909364586393, "size": 45, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call 
update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232431 }, { "func": "static int check_max_stack_depth(struct bpf_verifier_env *env)\n{\n\tint depth = 0, frame = 0, idx = 0, i = 0, subprog_end;\n\tstruct bpf_subprog_info *subprog = env->subprog_info;\n\tstruct bpf_insn *insn = env->prog->insnsi;\n\tint ret_insn[MAX_CALL_FRAMES];\n\tint ret_prog[MAX_CALL_FRAMES];\n\nprocess_func:\n\t/* round up to 32-bytes, since this is granularity\n\t * of interpreter stack size\n\t */\n\tdepth += round_up(max_t(u32, subprog[idx].stack_depth, 1), 32);\n\tif (depth > MAX_BPF_STACK) {\n\t\tverbose(env, \"combined stack size of %d calls is %d. 
Too large\\n\",\n\t\t\tframe + 1, depth);\n\t\treturn -EACCES;\n\t}\ncontinue_func:\n\tsubprog_end = subprog[idx + 1].start;\n\tfor (; i < subprog_end; i++) {\n\t\tif (insn[i].code != (BPF_JMP | BPF_CALL))\n\t\t\tcontinue;\n\t\tif (insn[i].src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\t/* remember insn and function to return to */\n\t\tret_insn[frame] = i + 1;\n\t\tret_prog[frame] = idx;\n\n\t\t/* find the callee */\n\t\ti = i + insn[i].imm + 1;\n\t\tidx = find_subprog(env, i);\n\t\tif (idx < 0) {\n\t\t\tWARN_ONCE(1, \"verifier bug. No program starts at insn %d\\n\",\n\t\t\t\t i);\n\t\t\treturn -EFAULT;\n\t\t}\n\t\tframe++;\n\t\tif (frame >= MAX_CALL_FRAMES) {\n\t\t\tverbose(env, \"the call stack of %d frames is too deep !\\n\",\n\t\t\t\tframe);\n\t\t\treturn -E2BIG;\n\t\t}\n\t\tgoto process_func;\n\t}\n\t/* end of for() loop means the last insn of the 'subprog'\n\t * was reached. Doesn't matter whether it was JA or EXIT\n\t */\n\tif (frame == 0)\n\t\treturn 0;\n\tdepth -= round_up(max_t(u32, subprog[idx].stack_depth, 1), 32);\n\tframe--;\n\ti = ret_insn[frame];\n\tidx = ret_prog[frame];\n\tgoto continue_func;\n}", "project": "linux", "hash": 196123675101311522199619879933185297547, "size": 56, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232480 }, { "func": "static int check_max_stack_depth(struct bpf_verifier_env *env)\n{\n\tint depth = 0, frame = 0, idx = 0, i = 0, subprog_end;\n\tstruct bpf_subprog_info *subprog = env->subprog_info;\n\tstruct bpf_insn *insn = env->prog->insnsi;\n\tbool tail_call_reachable = false;\n\tint ret_insn[MAX_CALL_FRAMES];\n\tint ret_prog[MAX_CALL_FRAMES];\n\tint j;\n\nprocess_func:\n\t/* protect against potential stack overflow that might happen when\n\t * bpf2bpf calls get combined with tailcalls. Limit the caller's stack\n\t * depth for such case down to 256 so that the worst case scenario\n\t * would result in 8k stack size (32 which is tailcall limit * 256 =\n\t * 8k).\n\t *\n\t * To get the idea what might happen, see an example:\n\t * func1 -> sub rsp, 128\n\t * subfunc1 -> sub rsp, 256\n\t * tailcall1 -> add rsp, 256\n\t * func2 -> sub rsp, 192 (total stack size = 128 + 192 = 320)\n\t * subfunc2 -> sub rsp, 64\n\t * subfunc22 -> sub rsp, 128\n\t * tailcall2 -> add rsp, 128\n\t * func3 -> sub rsp, 32 (total stack size 128 + 192 + 64 + 32 = 416)\n\t *\n\t * tailcall will unwind the current stack frame but it will not get rid\n\t * of caller's stack as shown on the example above.\n\t */\n\tif (idx && subprog[idx].has_tail_call && depth >= 256) {\n\t\tverbose(env,\n\t\t\t\"tail_calls are not allowed when call stack of previous frames is %d bytes. 
Too large\\n\",\n\t\t\tdepth);\n\t\treturn -EACCES;\n\t}\n\t/* round up to 32-bytes, since this is granularity\n\t * of interpreter stack size\n\t */\n\tdepth += round_up(max_t(u32, subprog[idx].stack_depth, 1), 32);\n\tif (depth > MAX_BPF_STACK) {\n\t\tverbose(env, \"combined stack size of %d calls is %d. Too large\\n\",\n\t\t\tframe + 1, depth);\n\t\treturn -EACCES;\n\t}\ncontinue_func:\n\tsubprog_end = subprog[idx + 1].start;\n\tfor (; i < subprog_end; i++) {\n\t\tif (insn[i].code != (BPF_JMP | BPF_CALL))\n\t\t\tcontinue;\n\t\tif (insn[i].src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\t/* remember insn and function to return to */\n\t\tret_insn[frame] = i + 1;\n\t\tret_prog[frame] = idx;\n\n\t\t/* find the callee */\n\t\ti = i + insn[i].imm + 1;\n\t\tidx = find_subprog(env, i);\n\t\tif (idx < 0) {\n\t\t\tWARN_ONCE(1, \"verifier bug. No program starts at insn %d\\n\",\n\t\t\t\t i);\n\t\t\treturn -EFAULT;\n\t\t}\n\n\t\tif (subprog[idx].has_tail_call)\n\t\t\ttail_call_reachable = true;\n\n\t\tframe++;\n\t\tif (frame >= MAX_CALL_FRAMES) {\n\t\t\tverbose(env, \"the call stack of %d frames is too deep !\\n\",\n\t\t\t\tframe);\n\t\t\treturn -E2BIG;\n\t\t}\n\t\tgoto process_func;\n\t}\n\t/* if tail call got detected across bpf2bpf calls then mark each of the\n\t * currently present subprog frames as tail call reachable subprogs;\n\t * this info will be utilized by JIT so that we will be preserving the\n\t * tail call counter throughout bpf2bpf calls combined with tailcalls\n\t */\n\tif (tail_call_reachable)\n\t\tfor (j = 0; j < frame; j++)\n\t\t\tsubprog[ret_prog[j]].tail_call_reachable = true;\n\n\t/* end of for() loop means the last insn of the 'subprog'\n\t * was reached. 
Doesn't matter whether it was JA or EXIT\n\t */\n\tif (frame == 0)\n\t\treturn 0;\n\tdepth -= round_up(max_t(u32, subprog[idx].stack_depth, 1), 32);\n\tframe--;\n\ti = ret_insn[frame];\n\tidx = ret_prog[frame];\n\tgoto continue_func;\n}", "project": "linux", "hash": 321425832395113918886617397553451122583, "size": 96, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. 
The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. 
Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456524 }, { "func": "static int __check_mem_access(struct bpf_verifier_env *env, int regno,\n\t\t\t int off, int size, u32 mem_size,\n\t\t\t bool zero_size_allowed)\n{\n\tbool size_ok = size > 0 || (size == 0 && zero_size_allowed);\n\tstruct bpf_reg_state *reg;\n\n\tif (off >= 0 && size_ok && (u64)off + size <= mem_size)\n\t\treturn 0;\n\n\treg = &cur_regs(env)[regno];\n\tswitch (reg->type) {\n\tcase PTR_TO_MAP_VALUE:\n\t\tverbose(env, \"invalid access to map value, value_size=%d off=%d size=%d\\n\",\n\t\t\tmem_size, off, size);\n\t\tbreak;\n\tcase PTR_TO_PACKET:\n\tcase PTR_TO_PACKET_META:\n\tcase PTR_TO_PACKET_END:\n\t\tverbose(env, \"invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\\n\",\n\t\t\toff, size, regno, reg->id, off, mem_size);\n\t\tbreak;\n\tcase PTR_TO_MEM:\n\tdefault:\n\t\tverbose(env, \"invalid access to memory, mem_size=%u off=%d size=%d\\n\",\n\t\t\tmem_size, off, size);\n\t}\n\n\treturn -EACCES;\n}", "project": "linux", "hash": 279117621560520597444743295579723715005, "size": 30, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328535 }, { "func": "static void print_verification_stats(struct bpf_verifier_env *env)\n{\n\tint i;\n\n\tif (env->log.level & BPF_LOG_STATS) {\n\t\tverbose(env, \"verification time %lld usec\\n\",\n\t\t\tdiv_u64(env->verification_time, 1000));\n\t\tverbose(env, \"stack depth \");\n\t\tfor (i = 0; i < env->subprog_cnt; i++) {\n\t\t\tu32 depth = env->subprog_info[i].stack_depth;\n\n\t\t\tverbose(env, \"%d\", depth);\n\t\t\tif (i + 1 < env->subprog_cnt)\n\t\t\t\tverbose(env, \"+\");\n\t\t}\n\t\tverbose(env, \"\\n\");\n\t}\n\tverbose(env, \"processed %d insns (limit %d) max_states_per_insn %d \"\n\t\t\"total_states %d peak_states %d mark_read %d\\n\",\n\t\tenv->insn_processed, BPF_COMPLEXITY_LIMIT_INSNS,\n\t\tenv->max_states_per_insn, env->total_states,\n\t\tenv->peak_states, env->longest_mark_read_walk);\n}", "project": "linux", "hash": 210086820049969538615550819029200068703, "size": 23, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232479 }, { "func": "static int process_spin_lock(struct bpf_verifier_env *env, int regno,\n\t\t\t bool is_lock)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno];\n\tstruct bpf_verifier_state *cur = env->cur_state;\n\tbool is_const = tnum_is_const(reg->var_off);\n\tstruct bpf_map *map = reg->map_ptr;\n\tu64 val = reg->var_off.value;\n\n\tif (reg->type != PTR_TO_MAP_VALUE) {\n\t\tverbose(env, \"R%d is not a pointer to map_value\\n\", regno);\n\t\treturn -EINVAL;\n\t}\n\tif (!is_const) {\n\t\tverbose(env,\n\t\t\t\"R%d doesn't have constant offset. bpf_spin_lock has to be at the constant offset\\n\",\n\t\t\tregno);\n\t\treturn -EINVAL;\n\t}\n\tif (!map->btf) {\n\t\tverbose(env,\n\t\t\t\"map '%s' has to have BTF in order to use bpf_spin_lock\\n\",\n\t\t\tmap->name);\n\t\treturn -EINVAL;\n\t}\n\tif (!map_value_has_spin_lock(map)) {\n\t\tif (map->spin_lock_off == -E2BIG)\n\t\t\tverbose(env,\n\t\t\t\t\"map '%s' has more than one 'struct bpf_spin_lock'\\n\",\n\t\t\t\tmap->name);\n\t\telse if (map->spin_lock_off == -ENOENT)\n\t\t\tverbose(env,\n\t\t\t\t\"map '%s' doesn't have 'struct bpf_spin_lock'\\n\",\n\t\t\t\tmap->name);\n\t\telse\n\t\t\tverbose(env,\n\t\t\t\t\"map '%s' is not a struct type or bpf_spin_lock is mangled\\n\",\n\t\t\t\tmap->name);\n\t\treturn -EINVAL;\n\t}\n\tif (map->spin_lock_off != val + reg->off) {\n\t\tverbose(env, \"off %lld doesn't point to 'struct bpf_spin_lock'\\n\",\n\t\t\tval + reg->off);\n\t\treturn -EINVAL;\n\t}\n\tif (is_lock) {\n\t\tif (cur->active_spin_lock) {\n\t\t\tverbose(env,\n\t\t\t\t\"Locking two bpf_spin_locks are not allowed\\n\");\n\t\t\treturn 
-EINVAL;\n\t\t}\n\t\tcur->active_spin_lock = reg->id;\n\t} else {\n\t\tif (!cur->active_spin_lock) {\n\t\t\tverbose(env, \"bpf_spin_unlock without taking a lock\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tif (cur->active_spin_lock != reg->id) {\n\t\t\tverbose(env, \"bpf_spin_unlock of different lock\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tcur->active_spin_lock = 0;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 93872621143610931548746522005704117657, "size": 65, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232535 }, { "func": "static void free_states(struct bpf_verifier_env *env)\n{\n\tstruct bpf_verifier_state_list *sl, *sln;\n\tint i;\n\n\tsl = env->free_list;\n\twhile (sl) {\n\t\tsln = sl->next;\n\t\tfree_verifier_state(&sl->state, false);\n\t\tkfree(sl);\n\t\tsl = sln;\n\t}\n\tenv->free_list = NULL;\n\n\tif (!env->explored_states)\n\t\treturn;\n\n\tfor (i = 0; i < state_htab_size(env); i++) {\n\t\tsl = env->explored_states[i];\n\n\t\twhile (sl) {\n\t\t\tsln = sl->next;\n\t\t\tfree_verifier_state(&sl->state, false);\n\t\t\tkfree(sl);\n\t\t\tsl = sln;\n\t\t}\n\t\tenv->explored_states[i] = NULL;\n\t}\n}", "project": "linux", "hash": 159086932051649409538516545100979713438, "size": 29, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232556 }, { "func": "static int convert_ctx_accesses(struct bpf_verifier_env *env)\n{\n\tconst struct bpf_verifier_ops *ops = env->ops;\n\tint i, cnt, size, ctx_field_size, delta = 0;\n\tconst int insn_cnt = env->prog->len;\n\tstruct bpf_insn insn_buf[16], *insn;\n\tu32 target_size, size_default, off;\n\tstruct bpf_prog *new_prog;\n\tenum bpf_access_type type;\n\tbool is_narrower_load;\n\n\tif (ops->gen_prologue || env->seen_direct_write) {\n\t\tif (!ops->gen_prologue) {\n\t\t\tverbose(env, \"bpf verifier is misconfigured\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tcnt = ops->gen_prologue(insn_buf, env->seen_direct_write,\n\t\t\t\t\tenv->prog);\n\t\tif (cnt >= ARRAY_SIZE(insn_buf)) {\n\t\t\tverbose(env, \"bpf verifier is misconfigured\\n\");\n\t\t\treturn -EINVAL;\n\t\t} else if (cnt) {\n\t\t\tnew_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tenv->prog = new_prog;\n\t\t\tdelta += cnt - 1;\n\t\t}\n\t}\n\n\tif (bpf_prog_is_dev_bound(env->prog->aux))\n\t\treturn 0;\n\n\tinsn = env->prog->insnsi + delta;\n\n\tfor (i = 0; i < insn_cnt; i++, insn++) {\n\t\tbpf_convert_ctx_access_t convert_ctx_access;\n\n\t\tif (insn->code == (BPF_LDX | BPF_MEM | BPF_B) ||\n\t\t insn->code == (BPF_LDX | BPF_MEM | BPF_H) ||\n\t\t insn->code == (BPF_LDX | BPF_MEM | BPF_W) ||\n\t\t insn->code == (BPF_LDX | BPF_MEM | BPF_DW))\n\t\t\ttype = BPF_READ;\n\t\telse if (insn->code == (BPF_STX | BPF_MEM | BPF_B) ||\n\t\t\t insn->code == (BPF_STX | BPF_MEM | BPF_H) ||\n\t\t\t insn->code == (BPF_STX | BPF_MEM | BPF_W) ||\n\t\t\t insn->code == (BPF_STX | BPF_MEM | BPF_DW))\n\t\t\ttype 
= BPF_WRITE;\n\t\telse\n\t\t\tcontinue;\n\n\t\tif (type == BPF_WRITE &&\n\t\t env->insn_aux_data[i + delta].sanitize_stack_off) {\n\t\t\tstruct bpf_insn patch[] = {\n\t\t\t\t/* Sanitize suspicious stack slot with zero.\n\t\t\t\t * There are no memory dependencies for this store,\n\t\t\t\t * since it's only using frame pointer and immediate\n\t\t\t\t * constant of zero\n\t\t\t\t */\n\t\t\t\tBPF_ST_MEM(BPF_DW, BPF_REG_FP,\n\t\t\t\t\t env->insn_aux_data[i + delta].sanitize_stack_off,\n\t\t\t\t\t 0),\n\t\t\t\t/* the original STX instruction will immediately\n\t\t\t\t * overwrite the same stack slot with appropriate value\n\t\t\t\t */\n\t\t\t\t*insn,\n\t\t\t};\n\n\t\t\tcnt = ARRAY_SIZE(patch);\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, patch, cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\n\t\tswitch (env->insn_aux_data[i + delta].ptr_type) {\n\t\tcase PTR_TO_CTX:\n\t\t\tif (!ops->convert_ctx_access)\n\t\t\t\tcontinue;\n\t\t\tconvert_ctx_access = ops->convert_ctx_access;\n\t\t\tbreak;\n\t\tcase PTR_TO_SOCKET:\n\t\tcase PTR_TO_SOCK_COMMON:\n\t\t\tconvert_ctx_access = bpf_sock_convert_ctx_access;\n\t\t\tbreak;\n\t\tcase PTR_TO_TCP_SOCK:\n\t\t\tconvert_ctx_access = bpf_tcp_sock_convert_ctx_access;\n\t\t\tbreak;\n\t\tcase PTR_TO_XDP_SOCK:\n\t\t\tconvert_ctx_access = bpf_xdp_sock_convert_ctx_access;\n\t\t\tbreak;\n\t\tcase PTR_TO_BTF_ID:\n\t\t\tif (type == BPF_READ) {\n\t\t\t\tinsn->code = BPF_LDX | BPF_PROBE_MEM |\n\t\t\t\t\tBPF_SIZE((insn)->code);\n\t\t\t\tenv->prog->aux->num_exentries++;\n\t\t\t} else if (env->prog->type != BPF_PROG_TYPE_STRUCT_OPS) {\n\t\t\t\tverbose(env, \"Writes through BTF pointers are not allowed\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\tcontinue;\n\t\tdefault:\n\t\t\tcontinue;\n\t\t}\n\n\t\tctx_field_size = env->insn_aux_data[i + delta].ctx_field_size;\n\t\tsize = BPF_LDST_BYTES(insn);\n\n\t\t/* If the 
read access is a narrower load of the field,\n\t\t * convert to a 4/8-byte load, to minimum program type specific\n\t\t * convert_ctx_access changes. If conversion is successful,\n\t\t * we will apply proper mask to the result.\n\t\t */\n\t\tis_narrower_load = size < ctx_field_size;\n\t\tsize_default = bpf_ctx_off_adjust_machine(ctx_field_size);\n\t\toff = insn->off;\n\t\tif (is_narrower_load) {\n\t\t\tu8 size_code;\n\n\t\t\tif (type == BPF_WRITE) {\n\t\t\t\tverbose(env, \"bpf verifier narrow ctx access misconfigured\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tsize_code = BPF_H;\n\t\t\tif (ctx_field_size == 4)\n\t\t\t\tsize_code = BPF_W;\n\t\t\telse if (ctx_field_size == 8)\n\t\t\t\tsize_code = BPF_DW;\n\n\t\t\tinsn->off = off & ~(size_default - 1);\n\t\t\tinsn->code = BPF_LDX | BPF_MEM | size_code;\n\t\t}\n\n\t\ttarget_size = 0;\n\t\tcnt = convert_ctx_access(type, insn, insn_buf, env->prog,\n\t\t\t\t\t &target_size);\n\t\tif (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf) ||\n\t\t (ctx_field_size && !target_size)) {\n\t\t\tverbose(env, \"bpf verifier is misconfigured\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tif (is_narrower_load && size < target_size) {\n\t\t\tu8 shift = bpf_ctx_narrow_access_offset(\n\t\t\t\toff, size, size_default) * 8;\n\t\t\tif (ctx_field_size <= 4) {\n\t\t\t\tif (shift)\n\t\t\t\t\tinsn_buf[cnt++] = BPF_ALU32_IMM(BPF_RSH,\n\t\t\t\t\t\t\t\t\tinsn->dst_reg,\n\t\t\t\t\t\t\t\t\tshift);\n\t\t\t\tinsn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg,\n\t\t\t\t\t\t\t\t(1 << size * 8) - 1);\n\t\t\t} else {\n\t\t\t\tif (shift)\n\t\t\t\t\tinsn_buf[cnt++] = BPF_ALU64_IMM(BPF_RSH,\n\t\t\t\t\t\t\t\t\tinsn->dst_reg,\n\t\t\t\t\t\t\t\t\tshift);\n\t\t\t\tinsn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg,\n\t\t\t\t\t\t\t\t(1ULL << size * 8) - 1);\n\t\t\t}\n\t\t}\n\n\t\tnew_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);\n\t\tif (!new_prog)\n\t\t\treturn -ENOMEM;\n\n\t\tdelta += cnt - 1;\n\n\t\t/* keep walking new program and skip insns we just 
inserted */\n\t\tenv->prog = new_prog;\n\t\tinsn = new_prog->insnsi + i + delta;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 294807575499922902470141887071372547609, "size": 181, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232630 }, { "func": "static int propagate_precision(struct bpf_verifier_env *env,\n\t\t\t const struct bpf_verifier_state *old)\n{\n\tstruct bpf_reg_state *state_reg;\n\tstruct bpf_func_state *state;\n\tint i, err = 0;\n\n\tstate = old->frame[old->curframe];\n\tstate_reg = state->regs;\n\tfor (i = 0; i < BPF_REG_FP; i++, state_reg++) {\n\t\tif (state_reg->type != SCALAR_VALUE ||\n\t\t !state_reg->precise)\n\t\t\tcontinue;\n\t\tif (env->log.level & BPF_LOG_LEVEL2)\n\t\t\tverbose(env, \"propagating r%d\\n\", i);\n\t\terr = mark_chain_precision(env, i);\n\t\tif (err < 0)\n\t\t\treturn err;\n\t}\n\n\tfor (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {\n\t\tif (state->stack[i].slot_type[0] != STACK_SPILL)\n\t\t\tcontinue;\n\t\tstate_reg = &state->stack[i].spilled_ptr;\n\t\tif (state_reg->type != SCALAR_VALUE ||\n\t\t !state_reg->precise)\n\t\t\tcontinue;\n\t\tif (env->log.level & BPF_LOG_LEVEL2)\n\t\t\tverbose(env, \"propagating fp%d\\n\",\n\t\t\t\t(-i - 1) * BPF_REG_SIZE);\n\t\terr = mark_chain_precision_stack(env, i);\n\t\tif (err < 0)\n\t\t\treturn err;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 47327396569600309892667617992067069752, "size": 36, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232621 }, { "func": "static int pop_stack(struct bpf_verifier_env *env, int *prev_insn_idx,\n\t\t int *insn_idx)\n{\n\tstruct bpf_verifier_state *cur = env->cur_state;\n\tstruct bpf_verifier_stack_elem *elem, *head = env->head;\n\tint err;\n\n\tif (env->head == NULL)\n\t\treturn -ENOENT;\n\n\tif (cur) {\n\t\terr = copy_verifier_state(cur, &head->st);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\tif (insn_idx)\n\t\t*insn_idx = head->insn_idx;\n\tif (prev_insn_idx)\n\t\t*prev_insn_idx = head->prev_insn_idx;\n\telem = head->next;\n\tfree_verifier_state(&head->st, false);\n\tkfree(head);\n\tenv->head = elem;\n\tenv->stack_size--;\n\treturn 0;\n}", "project": "linux", "hash": 294821729837674742212939250127541527756, "size": 26, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call 
__update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232641 }, { "func": "static bool states_maybe_looping(struct bpf_verifier_state *old,\n\t\t\t\t struct bpf_verifier_state *cur)\n{\n\tstruct bpf_func_state *fold, *fcur;\n\tint i, fr = cur->curframe;\n\n\tif (old->curframe != fr)\n\t\treturn false;\n\n\tfold = old->frame[fr];\n\tfcur = cur->frame[fr];\n\tfor (i = 0; i < MAX_BPF_REG; i++)\n\t\tif (memcmp(&fold->regs[i], &fcur->regs[i],\n\t\t\t offsetof(struct bpf_reg_state, parent)))\n\t\t\treturn false;\n\treturn true;\n}", "project": "linux", "hash": 78883632802080652403241431632432119105, "size": 17, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232558 }, { "func": "static bool arg_type_may_be_refcounted(enum bpf_arg_type type)\n{\n\treturn type == ARG_PTR_TO_SOCK_COMMON;\n}", "project": "linux", "hash": 120690467901906595992062669822620811303, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232444 }, { "func": "static struct bpf_reg_state *reg_state(struct bpf_verifier_env *env, int regno)\n{\n\treturn cur_regs(env) + regno;\n}", "project": "linux", "hash": 9567876609951028861929897608275328081, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232503 }, { "func": "int bpf_check(struct bpf_prog **prog, union bpf_attr *attr,\n\t union bpf_attr __user *uattr)\n{\n\tu64 start_time = ktime_get_ns();\n\tstruct bpf_verifier_env *env;\n\tstruct bpf_verifier_log *log;\n\tint i, len, ret = -EINVAL;\n\tbool is_priv;\n\n\t/* no program is valid */\n\tif (ARRAY_SIZE(bpf_verifier_ops) == 0)\n\t\treturn -EINVAL;\n\n\t/* 'struct bpf_verifier_env' can be global, but since it's not small,\n\t * allocate/free it every time bpf_check() is called\n\t */\n\tenv = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL);\n\tif (!env)\n\t\treturn -ENOMEM;\n\tlog = &env->log;\n\n\tlen = (*prog)->len;\n\tenv->insn_aux_data =\n\t\tvzalloc(array_size(sizeof(struct bpf_insn_aux_data), len));\n\tret = -ENOMEM;\n\tif (!env->insn_aux_data)\n\t\tgoto err_free_env;\n\tfor (i = 0; i < len; i++)\n\t\tenv->insn_aux_data[i].orig_idx = i;\n\tenv->prog = *prog;\n\tenv->ops = bpf_verifier_ops[env->prog->type];\n\tis_priv = capable(CAP_SYS_ADMIN);\n\n\tif (!btf_vmlinux && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) {\n\t\tmutex_lock(&bpf_verifier_lock);\n\t\tif (!btf_vmlinux)\n\t\t\tbtf_vmlinux = btf_parse_vmlinux();\n\t\tmutex_unlock(&bpf_verifier_lock);\n\t}\n\n\t/* grab the mutex to protect few globals used by verifier */\n\tif (!is_priv)\n\t\tmutex_lock(&bpf_verifier_lock);\n\n\tif (attr->log_level || attr->log_buf || attr->log_size) {\n\t\t/* user requested verbose verifier output\n\t\t * and supplied buffer to store the verification trace\n\t\t */\n\t\tlog->level = attr->log_level;\n\t\tlog->ubuf = (char __user *) (unsigned long) attr->log_buf;\n\t\tlog->len_total = 
attr->log_size;\n\n\t\tret = -EINVAL;\n\t\t/* log attributes have to be sane */\n\t\tif (log->len_total < 128 || log->len_total > UINT_MAX >> 2 ||\n\t\t !log->level || !log->ubuf || log->level & ~BPF_LOG_MASK)\n\t\t\tgoto err_unlock;\n\t}\n\n\tif (IS_ERR(btf_vmlinux)) {\n\t\t/* Either gcc or pahole or kernel are broken. */\n\t\tverbose(env, \"in-kernel BTF is malformed\\n\");\n\t\tret = PTR_ERR(btf_vmlinux);\n\t\tgoto skip_full_check;\n\t}\n\n\tenv->strict_alignment = !!(attr->prog_flags & BPF_F_STRICT_ALIGNMENT);\n\tif (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))\n\t\tenv->strict_alignment = true;\n\tif (attr->prog_flags & BPF_F_ANY_ALIGNMENT)\n\t\tenv->strict_alignment = false;\n\n\tenv->allow_ptr_leaks = is_priv;\n\n\tif (is_priv)\n\t\tenv->test_state_freq = attr->prog_flags & BPF_F_TEST_STATE_FREQ;\n\n\tret = replace_map_fd_with_map_ptr(env);\n\tif (ret < 0)\n\t\tgoto skip_full_check;\n\n\tif (bpf_prog_is_dev_bound(env->prog->aux)) {\n\t\tret = bpf_prog_offload_verifier_prep(env->prog);\n\t\tif (ret)\n\t\t\tgoto skip_full_check;\n\t}\n\n\tenv->explored_states = kvcalloc(state_htab_size(env),\n\t\t\t\t sizeof(struct bpf_verifier_state_list *),\n\t\t\t\t GFP_USER);\n\tret = -ENOMEM;\n\tif (!env->explored_states)\n\t\tgoto skip_full_check;\n\n\tret = check_subprogs(env);\n\tif (ret < 0)\n\t\tgoto skip_full_check;\n\n\tret = check_btf_info(env, attr, uattr);\n\tif (ret < 0)\n\t\tgoto skip_full_check;\n\n\tret = check_attach_btf_id(env);\n\tif (ret)\n\t\tgoto skip_full_check;\n\n\tret = check_cfg(env);\n\tif (ret < 0)\n\t\tgoto skip_full_check;\n\n\tret = do_check_subprogs(env);\n\tret = ret ?: do_check_main(env);\n\n\tif (ret == 0 && bpf_prog_is_dev_bound(env->prog->aux))\n\t\tret = bpf_prog_offload_finalize(env);\n\nskip_full_check:\n\tkvfree(env->explored_states);\n\n\tif (ret == 0)\n\t\tret = check_max_stack_depth(env);\n\n\t/* instruction rewrites happen after this point */\n\tif (is_priv) {\n\t\tif (ret == 
0)\n\t\t\topt_hard_wire_dead_code_branches(env);\n\t\tif (ret == 0)\n\t\t\tret = opt_remove_dead_code(env);\n\t\tif (ret == 0)\n\t\t\tret = opt_remove_nops(env);\n\t} else {\n\t\tif (ret == 0)\n\t\t\tsanitize_dead_code(env);\n\t}\n\n\tif (ret == 0)\n\t\t/* program is valid, convert *(u32*)(ctx + off) accesses */\n\t\tret = convert_ctx_accesses(env);\n\n\tif (ret == 0)\n\t\tret = fixup_bpf_calls(env);\n\n\t/* do 32-bit optimization after insn patching has done so those patched\n\t * insns could be handled correctly.\n\t */\n\tif (ret == 0 && !bpf_prog_is_dev_bound(env->prog->aux)) {\n\t\tret = opt_subreg_zext_lo32_rnd_hi32(env, attr);\n\t\tenv->prog->aux->verifier_zext = bpf_jit_needs_zext() ? !ret\n\t\t\t\t\t\t\t\t : false;\n\t}\n\n\tif (ret == 0)\n\t\tret = fixup_call_args(env);\n\n\tenv->verification_time = ktime_get_ns() - start_time;\n\tprint_verification_stats(env);\n\n\tif (log->level && bpf_verifier_log_full(log))\n\t\tret = -ENOSPC;\n\tif (log->level && !log->ubuf) {\n\t\tret = -EFAULT;\n\t\tgoto err_release_maps;\n\t}\n\n\tif (ret == 0 && env->used_map_cnt) {\n\t\t/* if program passed verifier, update used_maps in bpf_prog_info */\n\t\tenv->prog->aux->used_maps = kmalloc_array(env->used_map_cnt,\n\t\t\t\t\t\t\t sizeof(env->used_maps[0]),\n\t\t\t\t\t\t\t GFP_KERNEL);\n\n\t\tif (!env->prog->aux->used_maps) {\n\t\t\tret = -ENOMEM;\n\t\t\tgoto err_release_maps;\n\t\t}\n\n\t\tmemcpy(env->prog->aux->used_maps, env->used_maps,\n\t\t sizeof(env->used_maps[0]) * env->used_map_cnt);\n\t\tenv->prog->aux->used_map_cnt = env->used_map_cnt;\n\n\t\t/* program is valid. Convert pseudo bpf_ld_imm64 into generic\n\t\t * bpf_ld_imm64 instructions\n\t\t */\n\t\tconvert_pseudo_ld_imm64(env);\n\t}\n\n\tif (ret == 0)\n\t\tadjust_btf_func(env);\n\nerr_release_maps:\n\tif (!env->prog->aux->used_maps)\n\t\t/* if we didn't copy map pointers into bpf_prog_info, release\n\t\t * them now. 
Otherwise free_used_maps() will release them.\n\t\t */\n\t\trelease_maps(env);\n\t*prog = env->prog;\nerr_unlock:\n\tif (!is_priv)\n\t\tmutex_unlock(&bpf_verifier_lock);\n\tvfree(env->insn_aux_data);\nerr_free_env:\n\tkfree(env);\n\treturn ret;\n}", "project": "linux", "hash": 13031343210210386921605005547572569368, "size": 203, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232446 }, { "func": "int bpf_check(struct bpf_prog **prog, union bpf_attr *attr,\n\t union bpf_attr __user *uattr)\n{\n\tu64 start_time = ktime_get_ns();\n\tstruct bpf_verifier_env *env;\n\tstruct bpf_verifier_log *log;\n\tint i, len, ret = -EINVAL;\n\tbool is_priv;\n\n\t/* no program is valid */\n\tif (ARRAY_SIZE(bpf_verifier_ops) == 0)\n\t\treturn -EINVAL;\n\n\t/* 'struct bpf_verifier_env' can be global, but since it's not small,\n\t * allocate/free it every time bpf_check() is called\n\t */\n\tenv = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL);\n\tif (!env)\n\t\treturn -ENOMEM;\n\tlog = &env->log;\n\n\tlen = (*prog)->len;\n\tenv->insn_aux_data =\n\t\tvzalloc(array_size(sizeof(struct bpf_insn_aux_data), len));\n\tret = -ENOMEM;\n\tif (!env->insn_aux_data)\n\t\tgoto err_free_env;\n\tfor (i = 0; i < len; i++)\n\t\tenv->insn_aux_data[i].orig_idx = i;\n\tenv->prog = *prog;\n\tenv->ops = bpf_verifier_ops[env->prog->type];\n\tis_priv = bpf_capable();\n\n\tif (!btf_vmlinux && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) {\n\t\tmutex_lock(&bpf_verifier_lock);\n\t\tif (!btf_vmlinux)\n\t\t\tbtf_vmlinux = btf_parse_vmlinux();\n\t\tmutex_unlock(&bpf_verifier_lock);\n\t}\n\n\t/* grab the mutex to protect few globals used by verifier */\n\tif (!is_priv)\n\t\tmutex_lock(&bpf_verifier_lock);\n\n\tif (attr->log_level || attr->log_buf || attr->log_size) {\n\t\t/* user requested verbose verifier output\n\t\t * and supplied buffer to store the verification trace\n\t\t */\n\t\tlog->level = attr->log_level;\n\t\tlog->ubuf = (char __user *) (unsigned long) attr->log_buf;\n\t\tlog->len_total = attr->log_size;\n\n\t\tret = 
-EINVAL;\n\t\t/* log attributes have to be sane */\n\t\tif (log->len_total < 128 || log->len_total > UINT_MAX >> 2 ||\n\t\t !log->level || !log->ubuf || log->level & ~BPF_LOG_MASK)\n\t\t\tgoto err_unlock;\n\t}\n\n\tif (IS_ERR(btf_vmlinux)) {\n\t\t/* Either gcc or pahole or kernel are broken. */\n\t\tverbose(env, \"in-kernel BTF is malformed\\n\");\n\t\tret = PTR_ERR(btf_vmlinux);\n\t\tgoto skip_full_check;\n\t}\n\n\tenv->strict_alignment = !!(attr->prog_flags & BPF_F_STRICT_ALIGNMENT);\n\tif (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))\n\t\tenv->strict_alignment = true;\n\tif (attr->prog_flags & BPF_F_ANY_ALIGNMENT)\n\t\tenv->strict_alignment = false;\n\n\tenv->allow_ptr_leaks = bpf_allow_ptr_leaks();\n\tenv->allow_ptr_to_map_access = bpf_allow_ptr_to_map_access();\n\tenv->bypass_spec_v1 = bpf_bypass_spec_v1();\n\tenv->bypass_spec_v4 = bpf_bypass_spec_v4();\n\tenv->bpf_capable = bpf_capable();\n\n\tif (is_priv)\n\t\tenv->test_state_freq = attr->prog_flags & BPF_F_TEST_STATE_FREQ;\n\n\tret = replace_map_fd_with_map_ptr(env);\n\tif (ret < 0)\n\t\tgoto skip_full_check;\n\n\tif (bpf_prog_is_dev_bound(env->prog->aux)) {\n\t\tret = bpf_prog_offload_verifier_prep(env->prog);\n\t\tif (ret)\n\t\t\tgoto skip_full_check;\n\t}\n\n\tenv->explored_states = kvcalloc(state_htab_size(env),\n\t\t\t\t sizeof(struct bpf_verifier_state_list *),\n\t\t\t\t GFP_USER);\n\tret = -ENOMEM;\n\tif (!env->explored_states)\n\t\tgoto skip_full_check;\n\n\tret = check_subprogs(env);\n\tif (ret < 0)\n\t\tgoto skip_full_check;\n\n\tret = check_btf_info(env, attr, uattr);\n\tif (ret < 0)\n\t\tgoto skip_full_check;\n\n\tret = check_attach_btf_id(env);\n\tif (ret)\n\t\tgoto skip_full_check;\n\n\tret = check_cfg(env);\n\tif (ret < 0)\n\t\tgoto skip_full_check;\n\n\tret = do_check_subprogs(env);\n\tret = ret ?: do_check_main(env);\n\n\tif (ret == 0 && bpf_prog_is_dev_bound(env->prog->aux))\n\t\tret = bpf_prog_offload_finalize(env);\n\nskip_full_check:\n\tkvfree(env->explored_states);\n\n\tif (ret 
== 0)\n\t\tret = check_max_stack_depth(env);\n\n\t/* instruction rewrites happen after this point */\n\tif (is_priv) {\n\t\tif (ret == 0)\n\t\t\topt_hard_wire_dead_code_branches(env);\n\t\tif (ret == 0)\n\t\t\tret = opt_remove_dead_code(env);\n\t\tif (ret == 0)\n\t\t\tret = opt_remove_nops(env);\n\t} else {\n\t\tif (ret == 0)\n\t\t\tsanitize_dead_code(env);\n\t}\n\n\tif (ret == 0)\n\t\t/* program is valid, convert *(u32*)(ctx + off) accesses */\n\t\tret = convert_ctx_accesses(env);\n\n\tif (ret == 0)\n\t\tret = fixup_bpf_calls(env);\n\n\t/* do 32-bit optimization after insn patching has done so those patched\n\t * insns could be handled correctly.\n\t */\n\tif (ret == 0 && !bpf_prog_is_dev_bound(env->prog->aux)) {\n\t\tret = opt_subreg_zext_lo32_rnd_hi32(env, attr);\n\t\tenv->prog->aux->verifier_zext = bpf_jit_needs_zext() ? !ret\n\t\t\t\t\t\t\t\t : false;\n\t}\n\n\tif (ret == 0)\n\t\tret = fixup_call_args(env);\n\n\tenv->verification_time = ktime_get_ns() - start_time;\n\tprint_verification_stats(env);\n\n\tif (log->level && bpf_verifier_log_full(log))\n\t\tret = -ENOSPC;\n\tif (log->level && !log->ubuf) {\n\t\tret = -EFAULT;\n\t\tgoto err_release_maps;\n\t}\n\n\tif (ret == 0 && env->used_map_cnt) {\n\t\t/* if program passed verifier, update used_maps in bpf_prog_info */\n\t\tenv->prog->aux->used_maps = kmalloc_array(env->used_map_cnt,\n\t\t\t\t\t\t\t sizeof(env->used_maps[0]),\n\t\t\t\t\t\t\t GFP_KERNEL);\n\n\t\tif (!env->prog->aux->used_maps) {\n\t\t\tret = -ENOMEM;\n\t\t\tgoto err_release_maps;\n\t\t}\n\n\t\tmemcpy(env->prog->aux->used_maps, env->used_maps,\n\t\t sizeof(env->used_maps[0]) * env->used_map_cnt);\n\t\tenv->prog->aux->used_map_cnt = env->used_map_cnt;\n\n\t\t/* program is valid. 
Convert pseudo bpf_ld_imm64 into generic\n\t\t * bpf_ld_imm64 instructions\n\t\t */\n\t\tconvert_pseudo_ld_imm64(env);\n\t}\n\n\tif (ret == 0)\n\t\tadjust_btf_func(env);\n\nerr_release_maps:\n\tif (!env->prog->aux->used_maps)\n\t\t/* if we didn't copy map pointers into bpf_prog_info, release\n\t\t * them now. Otherwise free_used_maps() will release them.\n\t\t */\n\t\trelease_maps(env);\n\n\t/* extension progs temporarily inherit the attach_type of their targets\n\t for verification purposes, so set it back to zero before returning\n\t */\n\tif (env->prog->type == BPF_PROG_TYPE_EXT)\n\t\tenv->prog->expected_attach_type = 0;\n\n\t*prog = env->prog;\nerr_unlock:\n\tif (!is_priv)\n\t\tmutex_unlock(&bpf_verifier_lock);\n\tvfree(env->insn_aux_data);\nerr_free_env:\n\tkfree(env);\n\treturn ret;\n}", "project": "linux", "hash": 274407755653618691180469430839676289037, "size": 214, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328527 }, { "func": "int bpf_check(struct bpf_prog **prog, union bpf_attr *attr,\n\t union bpf_attr __user *uattr)\n{\n\tu64 start_time = ktime_get_ns();\n\tstruct bpf_verifier_env *env;\n\tstruct bpf_verifier_log *log;\n\tint i, len, ret = -EINVAL;\n\tbool is_priv;\n\n\t/* no program is valid */\n\tif (ARRAY_SIZE(bpf_verifier_ops) == 0)\n\t\treturn -EINVAL;\n\n\t/* 'struct bpf_verifier_env' can be global, but since it's not small,\n\t * allocate/free it every time bpf_check() is called\n\t */\n\tenv = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL);\n\tif (!env)\n\t\treturn -ENOMEM;\n\tlog = &env->log;\n\n\tlen = (*prog)->len;\n\tenv->insn_aux_data =\n\t\tvzalloc(array_size(sizeof(struct bpf_insn_aux_data), len));\n\tret = -ENOMEM;\n\tif (!env->insn_aux_data)\n\t\tgoto err_free_env;\n\tfor (i = 0; i < len; i++)\n\t\tenv->insn_aux_data[i].orig_idx = i;\n\tenv->prog = *prog;\n\tenv->ops = bpf_verifier_ops[env->prog->type];\n\tis_priv = bpf_capable();\n\n\tbpf_get_btf_vmlinux();\n\n\t/* grab the mutex to protect few globals used by verifier */\n\tif (!is_priv)\n\t\tmutex_lock(&bpf_verifier_lock);\n\n\tif (attr->log_level || attr->log_buf || attr->log_size) {\n\t\t/* user requested verbose verifier output\n\t\t * and supplied buffer to store the verification trace\n\t\t */\n\t\tlog->level = attr->log_level;\n\t\tlog->ubuf = (char __user *) (unsigned long) attr->log_buf;\n\t\tlog->len_total = attr->log_size;\n\n\t\tret = -EINVAL;\n\t\t/* log attributes have to be sane */\n\t\tif (log->len_total < 128 || log->len_total > UINT_MAX >> 2 ||\n\t\t !log->level || !log->ubuf || log->level & ~BPF_LOG_MASK)\n\t\t\tgoto err_unlock;\n\t}\n\n\tif (IS_ERR(btf_vmlinux)) {\n\t\t/* Either gcc or pahole or kernel are broken. 
*/\n\t\tverbose(env, \"in-kernel BTF is malformed\\n\");\n\t\tret = PTR_ERR(btf_vmlinux);\n\t\tgoto skip_full_check;\n\t}\n\n\tenv->strict_alignment = !!(attr->prog_flags & BPF_F_STRICT_ALIGNMENT);\n\tif (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))\n\t\tenv->strict_alignment = true;\n\tif (attr->prog_flags & BPF_F_ANY_ALIGNMENT)\n\t\tenv->strict_alignment = false;\n\n\tenv->allow_ptr_leaks = bpf_allow_ptr_leaks();\n\tenv->allow_ptr_to_map_access = bpf_allow_ptr_to_map_access();\n\tenv->bypass_spec_v1 = bpf_bypass_spec_v1();\n\tenv->bypass_spec_v4 = bpf_bypass_spec_v4();\n\tenv->bpf_capable = bpf_capable();\n\n\tif (is_priv)\n\t\tenv->test_state_freq = attr->prog_flags & BPF_F_TEST_STATE_FREQ;\n\n\tif (bpf_prog_is_dev_bound(env->prog->aux)) {\n\t\tret = bpf_prog_offload_verifier_prep(env->prog);\n\t\tif (ret)\n\t\t\tgoto skip_full_check;\n\t}\n\n\tenv->explored_states = kvcalloc(state_htab_size(env),\n\t\t\t\t sizeof(struct bpf_verifier_state_list *),\n\t\t\t\t GFP_USER);\n\tret = -ENOMEM;\n\tif (!env->explored_states)\n\t\tgoto skip_full_check;\n\n\tret = check_subprogs(env);\n\tif (ret < 0)\n\t\tgoto skip_full_check;\n\n\tret = check_btf_info(env, attr, uattr);\n\tif (ret < 0)\n\t\tgoto skip_full_check;\n\n\tret = check_attach_btf_id(env);\n\tif (ret)\n\t\tgoto skip_full_check;\n\n\tret = resolve_pseudo_ldimm64(env);\n\tif (ret < 0)\n\t\tgoto skip_full_check;\n\n\tret = check_cfg(env);\n\tif (ret < 0)\n\t\tgoto skip_full_check;\n\n\tret = do_check_subprogs(env);\n\tret = ret ?: do_check_main(env);\n\n\tif (ret == 0 && bpf_prog_is_dev_bound(env->prog->aux))\n\t\tret = bpf_prog_offload_finalize(env);\n\nskip_full_check:\n\tkvfree(env->explored_states);\n\n\tif (ret == 0)\n\t\tret = check_max_stack_depth(env);\n\n\t/* instruction rewrites happen after this point */\n\tif (is_priv) {\n\t\tif (ret == 0)\n\t\t\topt_hard_wire_dead_code_branches(env);\n\t\tif (ret == 0)\n\t\t\tret = opt_remove_dead_code(env);\n\t\tif (ret == 0)\n\t\t\tret = 
opt_remove_nops(env);\n\t} else {\n\t\tif (ret == 0)\n\t\t\tsanitize_dead_code(env);\n\t}\n\n\tif (ret == 0)\n\t\t/* program is valid, convert *(u32*)(ctx + off) accesses */\n\t\tret = convert_ctx_accesses(env);\n\n\tif (ret == 0)\n\t\tret = fixup_bpf_calls(env);\n\n\t/* do 32-bit optimization after insn patching has done so those patched\n\t * insns could be handled correctly.\n\t */\n\tif (ret == 0 && !bpf_prog_is_dev_bound(env->prog->aux)) {\n\t\tret = opt_subreg_zext_lo32_rnd_hi32(env, attr);\n\t\tenv->prog->aux->verifier_zext = bpf_jit_needs_zext() ? !ret\n\t\t\t\t\t\t\t\t : false;\n\t}\n\n\tif (ret == 0)\n\t\tret = fixup_call_args(env);\n\n\tenv->verification_time = ktime_get_ns() - start_time;\n\tprint_verification_stats(env);\n\n\tif (log->level && bpf_verifier_log_full(log))\n\t\tret = -ENOSPC;\n\tif (log->level && !log->ubuf) {\n\t\tret = -EFAULT;\n\t\tgoto err_release_maps;\n\t}\n\n\tif (ret == 0 && env->used_map_cnt) {\n\t\t/* if program passed verifier, update used_maps in bpf_prog_info */\n\t\tenv->prog->aux->used_maps = kmalloc_array(env->used_map_cnt,\n\t\t\t\t\t\t\t sizeof(env->used_maps[0]),\n\t\t\t\t\t\t\t GFP_KERNEL);\n\n\t\tif (!env->prog->aux->used_maps) {\n\t\t\tret = -ENOMEM;\n\t\t\tgoto err_release_maps;\n\t\t}\n\n\t\tmemcpy(env->prog->aux->used_maps, env->used_maps,\n\t\t sizeof(env->used_maps[0]) * env->used_map_cnt);\n\t\tenv->prog->aux->used_map_cnt = env->used_map_cnt;\n\n\t\t/* program is valid. Convert pseudo bpf_ld_imm64 into generic\n\t\t * bpf_ld_imm64 instructions\n\t\t */\n\t\tconvert_pseudo_ld_imm64(env);\n\t}\n\n\tif (ret == 0)\n\t\tadjust_btf_func(env);\n\nerr_release_maps:\n\tif (!env->prog->aux->used_maps)\n\t\t/* if we didn't copy map pointers into bpf_prog_info, release\n\t\t * them now. 
Otherwise free_used_maps() will release them.\n\t\t */\n\t\trelease_maps(env);\n\n\t/* extension progs temporarily inherit the attach_type of their targets\n\t for verification purposes, so set it back to zero before returning\n\t */\n\tif (env->prog->type == BPF_PROG_TYPE_EXT)\n\t\tenv->prog->expected_attach_type = 0;\n\n\t*prog = env->prog;\nerr_unlock:\n\tif (!is_priv)\n\t\tmutex_unlock(&bpf_verifier_lock);\n\tvfree(env->insn_aux_data);\nerr_free_env:\n\tkfree(env);\n\treturn ret;\n}", "project": "linux", "hash": 265850050665289395148416013183796394625, "size": 209, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. 
The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456513 }, { "func": "static bool try_match_pkt_pointers(const struct bpf_insn *insn,\n\t\t\t\t struct bpf_reg_state *dst_reg,\n\t\t\t\t struct bpf_reg_state *src_reg,\n\t\t\t\t struct bpf_verifier_state *this_branch,\n\t\t\t\t struct bpf_verifier_state *other_branch)\n{\n\tif (BPF_SRC(insn->code) != BPF_X)\n\t\treturn false;\n\n\t/* Pointers are always 64-bit. 
*/\n\tif (BPF_CLASS(insn->code) == BPF_JMP32)\n\t\treturn false;\n\n\tswitch (BPF_OP(insn->code)) {\n\tcase BPF_JGT:\n\t\tif ((dst_reg->type == PTR_TO_PACKET &&\n\t\t src_reg->type == PTR_TO_PACKET_END) ||\n\t\t (dst_reg->type == PTR_TO_PACKET_META &&\n\t\t reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {\n\t\t\t/* pkt_data' > pkt_end, pkt_meta' > pkt_data */\n\t\t\tfind_good_pkt_pointers(this_branch, dst_reg,\n\t\t\t\t\t dst_reg->type, false);\n\t\t} else if ((dst_reg->type == PTR_TO_PACKET_END &&\n\t\t\t src_reg->type == PTR_TO_PACKET) ||\n\t\t\t (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&\n\t\t\t src_reg->type == PTR_TO_PACKET_META)) {\n\t\t\t/* pkt_end > pkt_data', pkt_data > pkt_meta' */\n\t\t\tfind_good_pkt_pointers(other_branch, src_reg,\n\t\t\t\t\t src_reg->type, true);\n\t\t} else {\n\t\t\treturn false;\n\t\t}\n\t\tbreak;\n\tcase BPF_JLT:\n\t\tif ((dst_reg->type == PTR_TO_PACKET &&\n\t\t src_reg->type == PTR_TO_PACKET_END) ||\n\t\t (dst_reg->type == PTR_TO_PACKET_META &&\n\t\t reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {\n\t\t\t/* pkt_data' < pkt_end, pkt_meta' < pkt_data */\n\t\t\tfind_good_pkt_pointers(other_branch, dst_reg,\n\t\t\t\t\t dst_reg->type, true);\n\t\t} else if ((dst_reg->type == PTR_TO_PACKET_END &&\n\t\t\t src_reg->type == PTR_TO_PACKET) ||\n\t\t\t (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&\n\t\t\t src_reg->type == PTR_TO_PACKET_META)) {\n\t\t\t/* pkt_end < pkt_data', pkt_data > pkt_meta' */\n\t\t\tfind_good_pkt_pointers(this_branch, src_reg,\n\t\t\t\t\t src_reg->type, false);\n\t\t} else {\n\t\t\treturn false;\n\t\t}\n\t\tbreak;\n\tcase BPF_JGE:\n\t\tif ((dst_reg->type == PTR_TO_PACKET &&\n\t\t src_reg->type == PTR_TO_PACKET_END) ||\n\t\t (dst_reg->type == PTR_TO_PACKET_META &&\n\t\t reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {\n\t\t\t/* pkt_data' >= pkt_end, pkt_meta' >= pkt_data */\n\t\t\tfind_good_pkt_pointers(this_branch, dst_reg,\n\t\t\t\t\t dst_reg->type, true);\n\t\t} else if ((dst_reg->type == 
PTR_TO_PACKET_END &&\n\t\t\t src_reg->type == PTR_TO_PACKET) ||\n\t\t\t (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&\n\t\t\t src_reg->type == PTR_TO_PACKET_META)) {\n\t\t\t/* pkt_end >= pkt_data', pkt_data >= pkt_meta' */\n\t\t\tfind_good_pkt_pointers(other_branch, src_reg,\n\t\t\t\t\t src_reg->type, false);\n\t\t} else {\n\t\t\treturn false;\n\t\t}\n\t\tbreak;\n\tcase BPF_JLE:\n\t\tif ((dst_reg->type == PTR_TO_PACKET &&\n\t\t src_reg->type == PTR_TO_PACKET_END) ||\n\t\t (dst_reg->type == PTR_TO_PACKET_META &&\n\t\t reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {\n\t\t\t/* pkt_data' <= pkt_end, pkt_meta' <= pkt_data */\n\t\t\tfind_good_pkt_pointers(other_branch, dst_reg,\n\t\t\t\t\t dst_reg->type, false);\n\t\t} else if ((dst_reg->type == PTR_TO_PACKET_END &&\n\t\t\t src_reg->type == PTR_TO_PACKET) ||\n\t\t\t (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&\n\t\t\t src_reg->type == PTR_TO_PACKET_META)) {\n\t\t\t/* pkt_end <= pkt_data', pkt_data <= pkt_meta' */\n\t\t\tfind_good_pkt_pointers(this_branch, src_reg,\n\t\t\t\t\t src_reg->type, true);\n\t\t} else {\n\t\t\treturn false;\n\t\t}\n\t\tbreak;\n\tdefault:\n\t\treturn false;\n\t}\n\n\treturn true;\n}", "project": "linux", "hash": 72094590004061594693038138724448182848, "size": 96, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. 
These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232568 }, { "func": "static bool reg_is_pkt_pointer(const struct bpf_reg_state *reg)\n{\n\treturn type_is_pkt_pointer(reg->type);\n}", "project": "linux", "hash": 339502203595762681746819355446817945052, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232551 }, { "func": "static int check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn,\n\t\t\t int *insn_idx)\n{\n\tstruct bpf_verifier_state *state = env->cur_state;\n\tstruct bpf_func_info_aux *func_info_aux;\n\tstruct bpf_func_state *caller, *callee;\n\tint i, err, subprog, target_insn;\n\tbool is_global = false;\n\n\tif (state->curframe + 1 >= MAX_CALL_FRAMES) {\n\t\tverbose(env, \"the call stack of %d frames is too deep\\n\",\n\t\t\tstate->curframe + 2);\n\t\treturn -E2BIG;\n\t}\n\n\ttarget_insn = *insn_idx + insn->imm;\n\tsubprog = find_subprog(env, target_insn + 1);\n\tif (subprog < 0) {\n\t\tverbose(env, \"verifier bug. No program starts at insn %d\\n\",\n\t\t\ttarget_insn + 1);\n\t\treturn -EFAULT;\n\t}\n\n\tcaller = state->frame[state->curframe];\n\tif (state->frame[state->curframe + 1]) {\n\t\tverbose(env, \"verifier bug. Frame %d already allocated\\n\",\n\t\t\tstate->curframe + 1);\n\t\treturn -EFAULT;\n\t}\n\n\tfunc_info_aux = env->prog->aux->func_info_aux;\n\tif (func_info_aux)\n\t\tis_global = func_info_aux[subprog].linkage == BTF_FUNC_GLOBAL;\n\terr = btf_check_func_arg_match(env, subprog, caller->regs);\n\tif (err == -EFAULT)\n\t\treturn err;\n\tif (is_global) {\n\t\tif (err) {\n\t\t\tverbose(env, \"Caller passes invalid args into func#%d\\n\",\n\t\t\t\tsubprog);\n\t\t\treturn err;\n\t\t} else {\n\t\t\tif (env->log.level & BPF_LOG_LEVEL)\n\t\t\t\tverbose(env,\n\t\t\t\t\t\"Func#%d is global and valid. 
Skipping.\\n\",\n\t\t\t\t\tsubprog);\n\t\t\tclear_caller_saved_regs(env, caller->regs);\n\n\t\t\t/* All global functions return SCALAR_VALUE */\n\t\t\tmark_reg_unknown(env, caller->regs, BPF_REG_0);\n\n\t\t\t/* continue with next insn after call */\n\t\t\treturn 0;\n\t\t}\n\t}\n\n\tcallee = kzalloc(sizeof(*callee), GFP_KERNEL);\n\tif (!callee)\n\t\treturn -ENOMEM;\n\tstate->frame[state->curframe + 1] = callee;\n\n\t/* callee cannot access r0, r6 - r9 for reading and has to write\n\t * into its own stack before reading from it.\n\t * callee can read/write into caller's stack\n\t */\n\tinit_func_state(env, callee,\n\t\t\t/* remember the callsite, it will be used by bpf_exit */\n\t\t\t*insn_idx /* callsite */,\n\t\t\tstate->curframe + 1 /* frameno within this callchain */,\n\t\t\tsubprog /* subprog number within this prog */);\n\n\t/* Transfer references to the callee */\n\terr = transfer_reference_state(callee, caller);\n\tif (err)\n\t\treturn err;\n\n\t/* copy r1 - r5 args that callee can access. The copy includes parent\n\t * pointers, which connects us up to the liveness chain\n\t */\n\tfor (i = BPF_REG_1; i <= BPF_REG_5; i++)\n\t\tcallee->regs[i] = caller->regs[i];\n\n\tclear_caller_saved_regs(env, caller->regs);\n\n\t/* only increment it after check_reg_arg() finished */\n\tstate->curframe++;\n\n\t/* and go analyze first insn of the callee */\n\t*insn_idx = target_insn;\n\n\tif (env->log.level & BPF_LOG_LEVEL) {\n\t\tverbose(env, \"caller:\\n\");\n\t\tprint_verifier_state(env, caller);\n\t\tverbose(env, \"callee:\\n\");\n\t\tprint_verifier_state(env, callee);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 44226911147133885404579115271695336660, "size": 98, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232511 }, { "func": "__printf(3, 4) static void verbose_linfo(struct bpf_verifier_env *env,\n\t\t\t\t\t u32 insn_off,\n\t\t\t\t\t const char *prefix_fmt, ...)\n{\n\tconst struct bpf_line_info *linfo;\n\n\tif (!bpf_verifier_log_needed(&env->log))\n\t\treturn;\n\n\tlinfo = find_linfo(env, insn_off);\n\tif (!linfo || linfo == env->prev_linfo)\n\t\treturn;\n\n\tif (prefix_fmt) {\n\t\tva_list args;\n\n\t\tva_start(args, prefix_fmt);\n\t\tbpf_verifier_vlog(&env->log, prefix_fmt, args);\n\t\tva_end(args);\n\t}\n\n\tverbose(env, \"%s\\n\",\n\t\tltrim(btf_name_by_offset(env->prog->aux->btf,\n\t\t\t\t\t linfo->line_off)));\n\n\tenv->prev_linfo = linfo;\n}", "project": "linux", "hash": 275262636111187587304212857115576169169, "size": 27, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only 
call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232499 }, { "func": "static void save_register_state(struct bpf_func_state *state,\n\t\t\t\tint spi, struct bpf_reg_state *reg)\n{\n\tint i;\n\n\tstate->stack[spi].spilled_ptr = *reg;\n\tstate->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;\n\n\tfor (i = 0; i < BPF_REG_SIZE; i++)\n\t\tstate->stack[spi].slot_type[i] = STACK_SPILL;\n}", "project": "linux", "hash": 301989152714198877798626218286494431360, "size": 11, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232640 }, { "func": "static int check_ptr_to_btf_access(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_reg_state *regs,\n\t\t\t\t int regno, int off, int size,\n\t\t\t\t enum bpf_access_type atype,\n\t\t\t\t int value_regno)\n{\n\tstruct bpf_reg_state *reg = regs + regno;\n\tconst struct btf_type *t = btf_type_by_id(btf_vmlinux, reg->btf_id);\n\tconst char *tname = btf_name_by_offset(btf_vmlinux, t->name_off);\n\tu32 btf_id;\n\tint ret;\n\n\tif (off < 0) {\n\t\tverbose(env,\n\t\t\t\"R%d is ptr_%s invalid negative access: off=%d\\n\",\n\t\t\tregno, tname, off);\n\t\treturn -EACCES;\n\t}\n\tif (!tnum_is_const(reg->var_off) || reg->var_off.value) {\n\t\tchar tn_buf[48];\n\n\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\tverbose(env,\n\t\t\t\"R%d is ptr_%s invalid variable offset: off=%d, var_off=%s\\n\",\n\t\t\tregno, tname, off, tn_buf);\n\t\treturn -EACCES;\n\t}\n\n\tif (env->ops->btf_struct_access) {\n\t\tret = env->ops->btf_struct_access(&env->log, t, off, 
size,\n\t\t\t\t\t\t atype, &btf_id);\n\t} else {\n\t\tif (atype != BPF_READ) {\n\t\t\tverbose(env, \"only read is supported\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\tret = btf_struct_access(&env->log, t, off, size, atype,\n\t\t\t\t\t&btf_id);\n\t}\n\n\tif (ret < 0)\n\t\treturn ret;\n\n\tif (atype == BPF_READ) {\n\t\tif (ret == SCALAR_VALUE) {\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t\t\treturn 0;\n\t\t}\n\t\tmark_reg_known_zero(env, regs, value_regno);\n\t\tregs[value_regno].type = PTR_TO_BTF_ID;\n\t\tregs[value_regno].btf_id = btf_id;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 49970226162528984561768939967841166, "size": 56, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232601 }, { "func": "static int check_ptr_to_btf_access(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_reg_state *regs,\n\t\t\t\t int regno, int off, int size,\n\t\t\t\t enum bpf_access_type atype,\n\t\t\t\t int value_regno)\n{\n\tstruct bpf_reg_state *reg = regs + regno;\n\tconst struct btf_type *t = btf_type_by_id(btf_vmlinux, reg->btf_id);\n\tconst char *tname = btf_name_by_offset(btf_vmlinux, t->name_off);\n\tu32 btf_id;\n\tint ret;\n\n\tif (off < 0) {\n\t\tverbose(env,\n\t\t\t\"R%d is ptr_%s invalid negative access: off=%d\\n\",\n\t\t\tregno, tname, off);\n\t\treturn -EACCES;\n\t}\n\tif (!tnum_is_const(reg->var_off) || reg->var_off.value) {\n\t\tchar tn_buf[48];\n\n\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\tverbose(env,\n\t\t\t\"R%d is ptr_%s invalid variable offset: off=%d, var_off=%s\\n\",\n\t\t\tregno, tname, off, tn_buf);\n\t\treturn -EACCES;\n\t}\n\n\tif (env->ops->btf_struct_access) {\n\t\tret = env->ops->btf_struct_access(&env->log, t, off, size,\n\t\t\t\t\t\t atype, &btf_id);\n\t} else {\n\t\tif (atype != BPF_READ) {\n\t\t\tverbose(env, \"only read is supported\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\tret = btf_struct_access(&env->log, t, off, size, atype,\n\t\t\t\t\t&btf_id);\n\t}\n\n\tif (ret < 0)\n\t\treturn ret;\n\n\tif (atype == BPF_READ && value_regno >= 0)\n\t\tmark_btf_ld_reg(env, regs, value_regno, ret, btf_id);\n\n\treturn 0;\n}", "project": "linux", "hash": 276655852367498969969811131530416982953, "size": 49, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the 
current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. 
This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 
R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328496 }, { "func": "static void scalar_min_max_or(struct bpf_reg_state *dst_reg,\n\t\t\t struct bpf_reg_state *src_reg)\n{\n\ts64 smin_val = src_reg->smin_value;\n\tu64 umin_val = src_reg->umin_value;\n\n\t/* We get our maximum from the var_off, and our minimum is the\n\t * maximum of the operands' minima\n\t */\n\tdst_reg->var_off = tnum_or(dst_reg->var_off, src_reg->var_off);\n\tdst_reg->umin_value = max(dst_reg->umin_value, umin_val);\n\tdst_reg->umax_value = dst_reg->var_off.value | dst_reg->var_off.mask;\n\tif (dst_reg->smin_value < 0 || smin_val < 0) {\n\t\t/* Lose signed bounds when ORing negative numbers,\n\t\t * ain't nobody got time for that.\n\t\t */\n\t\tdst_reg->smin_value = S64_MIN;\n\t\tdst_reg->smax_value = S64_MAX;\n\t} else {\n\t\t/* ORing two positives gives a positive, so safe to\n\t\t * cast result into s64.\n\t\t */\n\t\tdst_reg->smin_value = dst_reg->umin_value;\n\t\tdst_reg->smax_value = dst_reg->umax_value;\n\t}\n\t/* We may learn something more from the var_off */\n\t__update_reg_bounds(dst_reg);\n}", "project": "linux", "hash": 25972685050817258882690499264331230646, "size": 28, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232537 }, { "func": "static void scalar_min_max_or(struct bpf_reg_state *dst_reg,\n\t\t\t struct bpf_reg_state *src_reg)\n{\n\tbool src_known = tnum_is_const(src_reg->var_off);\n\tbool dst_known = tnum_is_const(dst_reg->var_off);\n\ts64 smin_val = src_reg->smin_value;\n\tu64 umin_val = src_reg->umin_value;\n\n\tif (src_known && dst_known) {\n\t\t__mark_reg_known(dst_reg, dst_reg->var_off.value |\n\t\t\t\t\t src_reg->var_off.value);\n\t\treturn;\n\t}\n\n\t/* We get our maximum from the var_off, and our minimum is the\n\t * maximum of the operands' minima\n\t */\n\tdst_reg->umin_value = max(dst_reg->umin_value, umin_val);\n\tdst_reg->umax_value = dst_reg->var_off.value | dst_reg->var_off.mask;\n\tif (dst_reg->smin_value < 0 || smin_val < 0) {\n\t\t/* Lose signed bounds when ORing negative numbers,\n\t\t * ain't nobody got time for that.\n\t\t */\n\t\tdst_reg->smin_value = S64_MIN;\n\t\tdst_reg->smax_value = S64_MAX;\n\t} else {\n\t\t/* ORing two positives gives a positive, so 
safe to\n\t\t * cast result into s64.\n\t\t */\n\t\tdst_reg->smin_value = dst_reg->umin_value;\n\t\tdst_reg->smax_value = dst_reg->umax_value;\n\t}\n\t/* We may learn something more from the var_off */\n\t__update_reg_bounds(dst_reg);\n}", "project": "linux", "hash": 16041466753298829583829099804318410019, "size": 35, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 
fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. 
After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328523 }, { "func": "static bool can_skip_alu_sanitation(const struct bpf_verifier_env *env,\n\t\t\t\t const struct bpf_insn *insn)\n{\n\treturn env->allow_ptr_leaks || BPF_SRC(insn->code) == BPF_K;\n}", "project": "linux", "hash": 
153168298952997686190623173284343311631, "size": 5, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232534 }, { "func": "static int find_subprog(struct bpf_verifier_env *env, int off)\n{\n\tstruct bpf_subprog_info *p;\n\n\tp = bsearch(&off, env->subprog_info, env->subprog_cnt,\n\t\t sizeof(env->subprog_info[0]), cmp_subprogs);\n\tif (!p)\n\t\treturn -ENOENT;\n\treturn p - env->subprog_info;\n\n}", "project": "linux", "hash": 81390504074379015186489347853097160821, "size": 11, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call 
__update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232570 }, { "func": "static void coerce_reg_to_size(struct bpf_reg_state *reg, int size)\n{\n\tu64 mask;\n\n\t/* clear high bits in bit representation */\n\treg->var_off = tnum_cast(reg->var_off, size);\n\n\t/* fix arithmetic bounds */\n\tmask = ((u64)1 << (size * 8)) - 1;\n\tif ((reg->umin_value & ~mask) == (reg->umax_value & ~mask)) {\n\t\treg->umin_value &= mask;\n\t\treg->umax_value &= mask;\n\t} else {\n\t\treg->umin_value = 0;\n\t\treg->umax_value = mask;\n\t}\n\treg->smin_value = reg->umin_value;\n\treg->smax_value = reg->umax_value;\n}", "project": "linux", "hash": 290248484756654389008251286879000927850, "size": 19, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232610 }, { "func": "static void bpf_map_ptr_store(struct bpf_insn_aux_data *aux,\n\t\t\t const struct bpf_map *map, bool unpriv)\n{\n\tBUILD_BUG_ON((unsigned long)BPF_MAP_PTR_POISON & BPF_MAP_PTR_UNPRIV);\n\tunpriv |= bpf_map_ptr_unpriv(aux);\n\taux->map_ptr_state = (unsigned long)map |\n\t\t\t (unpriv ? BPF_MAP_PTR_UNPRIV : 0UL);\n}", "project": "linux", "hash": 240638175528098584856597217893470548962, "size": 8, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232530 }, { "func": "__printf(2, 3) static void verbose(void *private_data, const char *fmt, ...)\n{\n\tstruct bpf_verifier_env *env = private_data;\n\tva_list args;\n\n\tif (!bpf_verifier_log_needed(&env->log))\n\t\treturn;\n\n\tva_start(args, fmt);\n\tbpf_verifier_vlog(&env->log, fmt, args);\n\tva_end(args);\n}", "project": "linux", "hash": 179720527913614453165182613314253626139, "size": 12, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232546 }, { "func": "unsigned int get_random_int(void)\n{\n\t/*\n\t * Use IP's RNG. It suits our purpose perfectly: it re-keys itself\n\t * every second, from the entropy pool (and thus creates a limited\n\t * drain on it), and uses halfMD4Transform within the second. 
We\n\t * also mix it with jiffies and the PID:\n\t */\n\treturn secure_ip_id((__force __be32)(current->pid + jiffies));\n}", "target": 1, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 291941620665843470215173682867258940568, "size": 10, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. 
I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 216119 }, { "func": "unsigned int get_random_int(void)\n{\n\tstruct keydata *keyptr;\n\t__u32 *hash = get_cpu_var(get_random_int_hash);\n\tint ret;\n\n\tkeyptr = get_keyptr();\n\thash[0] += current->pid + jiffies + get_cycles() + (int)(long)&ret;\n\n\tret = half_md4_transform(hash, keyptr->secret);\n\tput_cpu_var(get_random_int_hash);\n\n\treturn ret;\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "linux-2.6", "commit_id": "8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02", "hash": 134018116402125477535352207466632733436, "size": 14, "message": "random: make get_random_int() more random\n\nIt's a really simple patch that basically just open-codes the current\n\"secure_ip_id()\" call, but when open-coding it we now use a _static_\nhashing area, so that it gets updated every time.\n\nAnd to make sure somebody can't just start from the same original seed of\nall-zeroes, and then do the \"half_md4_transform()\" over and over until\nthey get the same sequence as the kernel has, each iteration also mixes in\nthe same old \"current->pid + jiffies\" we used - so we should now have a\nregular strong pseudo-number generator, but we also have one that doesn't\nhave a single seed.\n\nNote: the \"pid + jiffies\" is just meant to be a tiny tiny bit of noise. It\nhas no real meaning. It could be anything. 
I just picked the previous\nseed, it's just that now we keep the state in between calls and that will\nfeed into the next result, and that should make all the difference.\n\nI made that hash be a per-cpu data just to avoid cache-line ping-pong:\nhaving multiple CPU's write to the same data would be fine for randomness,\nand add yet another layer of chaos to it, but since get_random_int() is\nsupposed to be a fast interface I did it that way instead. I considered\nusing \"__raw_get_cpu_var()\" to avoid any preemption overhead while still\ngetting the hash be _mostly_ ping-pong free, but in the end good taste won\nout.\n\nSigned-off-by: Ingo Molnar \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 499883 }, { "func": "static void mark_ptr_or_null_reg(struct bpf_func_state *state,\n\t\t\t\t struct bpf_reg_state *reg, u32 id,\n\t\t\t\t bool is_null)\n{\n\tif (reg_type_may_be_null(reg->type) && reg->id == id) {\n\t\t/* Old offset (both fixed and variable parts) should\n\t\t * have been known-zero, because we don't allow pointer\n\t\t * arithmetic on pointers that might be NULL.\n\t\t */\n\t\tif (WARN_ON_ONCE(reg->smin_value || reg->smax_value ||\n\t\t\t\t !tnum_equals_const(reg->var_off, 0) ||\n\t\t\t\t reg->off)) {\n\t\t\t__mark_reg_known_zero(reg);\n\t\t\treg->off = 0;\n\t\t}\n\t\tif (is_null) {\n\t\t\treg->type = SCALAR_VALUE;\n\t\t} else if (reg->type == PTR_TO_MAP_VALUE_OR_NULL) {\n\t\t\tif (reg->map_ptr->inner_map_meta) {\n\t\t\t\treg->type = CONST_PTR_TO_MAP;\n\t\t\t\treg->map_ptr = reg->map_ptr->inner_map_meta;\n\t\t\t} else if (reg->map_ptr->map_type ==\n\t\t\t\t BPF_MAP_TYPE_XSKMAP) {\n\t\t\t\treg->type = PTR_TO_XDP_SOCK;\n\t\t\t} else {\n\t\t\t\treg->type = PTR_TO_MAP_VALUE;\n\t\t\t}\n\t\t} else if (reg->type == PTR_TO_SOCKET_OR_NULL) {\n\t\t\treg->type = PTR_TO_SOCKET;\n\t\t} else if (reg->type == PTR_TO_SOCK_COMMON_OR_NULL) {\n\t\t\treg->type = PTR_TO_SOCK_COMMON;\n\t\t} else if (reg->type == PTR_TO_TCP_SOCK_OR_NULL) {\n\t\t\treg->type = 
PTR_TO_TCP_SOCK;\n\t\t}\n\t\tif (is_null) {\n\t\t\t/* We don't need id and ref_obj_id from this point\n\t\t\t * onwards anymore, thus we should better reset it,\n\t\t\t * so that state pruning has chances to take effect.\n\t\t\t */\n\t\t\treg->id = 0;\n\t\t\treg->ref_obj_id = 0;\n\t\t} else if (!reg_may_point_to_spin_lock(reg)) {\n\t\t\t/* For not-NULL ptr, reg->ref_obj_id will be reset\n\t\t\t * in release_reg_references().\n\t\t\t *\n\t\t\t * reg->id is still used by spin_lock ptr. Other\n\t\t\t * than spin_lock ptr type, reg->id can be reset.\n\t\t\t */\n\t\t\treg->id = 0;\n\t\t}\n\t}\n}", "project": "linux", "hash": 148509431294910055588368622336840693, "size": 52, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232505 }, { "func": "static void mark_ptr_or_null_reg(struct bpf_func_state *state,\n\t\t\t\t struct bpf_reg_state *reg, u32 id,\n\t\t\t\t bool is_null)\n{\n\tif (reg_type_may_be_null(reg->type) && reg->id == id) {\n\t\t/* Old offset (both fixed and variable parts) should\n\t\t * have been known-zero, because we don't allow pointer\n\t\t * arithmetic on pointers that might be NULL.\n\t\t */\n\t\tif (WARN_ON_ONCE(reg->smin_value || reg->smax_value ||\n\t\t\t\t !tnum_equals_const(reg->var_off, 0) ||\n\t\t\t\t reg->off)) {\n\t\t\t__mark_reg_known_zero(reg);\n\t\t\treg->off = 0;\n\t\t}\n\t\tif (is_null) {\n\t\t\treg->type = SCALAR_VALUE;\n\t\t} else if (reg->type == PTR_TO_MAP_VALUE_OR_NULL) {\n\t\t\tconst struct bpf_map *map = reg->map_ptr;\n\n\t\t\tif (map->inner_map_meta) {\n\t\t\t\treg->type = CONST_PTR_TO_MAP;\n\t\t\t\treg->map_ptr = map->inner_map_meta;\n\t\t\t} else if (map->map_type == BPF_MAP_TYPE_XSKMAP) {\n\t\t\t\treg->type = PTR_TO_XDP_SOCK;\n\t\t\t} else if (map->map_type == BPF_MAP_TYPE_SOCKMAP ||\n\t\t\t\t map->map_type == BPF_MAP_TYPE_SOCKHASH) {\n\t\t\t\treg->type = PTR_TO_SOCKET;\n\t\t\t} else {\n\t\t\t\treg->type = PTR_TO_MAP_VALUE;\n\t\t\t}\n\t\t} else if (reg->type == PTR_TO_SOCKET_OR_NULL) {\n\t\t\treg->type = PTR_TO_SOCKET;\n\t\t} else if (reg->type == PTR_TO_SOCK_COMMON_OR_NULL) {\n\t\t\treg->type = PTR_TO_SOCK_COMMON;\n\t\t} else if (reg->type == PTR_TO_TCP_SOCK_OR_NULL) {\n\t\t\treg->type = PTR_TO_TCP_SOCK;\n\t\t} else if (reg->type == PTR_TO_BTF_ID_OR_NULL) {\n\t\t\treg->type = PTR_TO_BTF_ID;\n\t\t} else if (reg->type == PTR_TO_MEM_OR_NULL) {\n\t\t\treg->type = PTR_TO_MEM;\n\t\t} 
else if (reg->type == PTR_TO_RDONLY_BUF_OR_NULL) {\n\t\t\treg->type = PTR_TO_RDONLY_BUF;\n\t\t} else if (reg->type == PTR_TO_RDWR_BUF_OR_NULL) {\n\t\t\treg->type = PTR_TO_RDWR_BUF;\n\t\t}\n\t\tif (is_null) {\n\t\t\t/* We don't need id and ref_obj_id from this point\n\t\t\t * onwards anymore, thus we should better reset it,\n\t\t\t * so that state pruning has chances to take effect.\n\t\t\t */\n\t\t\treg->id = 0;\n\t\t\treg->ref_obj_id = 0;\n\t\t} else if (!reg_may_point_to_spin_lock(reg)) {\n\t\t\t/* For not-NULL ptr, reg->ref_obj_id will be reset\n\t\t\t * in release_reg_references().\n\t\t\t *\n\t\t\t * reg->id is still used by spin_lock ptr. Other\n\t\t\t * than spin_lock ptr type, reg->id can be reset.\n\t\t\t */\n\t\t\treg->id = 0;\n\t\t}\n\t}\n}", "project": "linux", "hash": 11163335447011791595042960446964267521, "size": 64, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328525 }, { "func": "static void mark_ptr_or_null_reg(struct bpf_func_state *state,\n\t\t\t\t struct bpf_reg_state *reg, u32 id,\n\t\t\t\t bool is_null)\n{\n\tif (reg_type_may_be_null(reg->type) && reg->id == id &&\n\t !WARN_ON_ONCE(!reg->id)) {\n\t\t/* Old offset (both fixed and variable parts) should\n\t\t * have been known-zero, because we don't allow pointer\n\t\t * arithmetic on pointers that might be NULL.\n\t\t */\n\t\tif (WARN_ON_ONCE(reg->smin_value || reg->smax_value ||\n\t\t\t\t !tnum_equals_const(reg->var_off, 0) ||\n\t\t\t\t reg->off)) {\n\t\t\t__mark_reg_known_zero(reg);\n\t\t\treg->off = 0;\n\t\t}\n\t\tif (is_null) {\n\t\t\treg->type = SCALAR_VALUE;\n\t\t} else if (reg->type == PTR_TO_MAP_VALUE_OR_NULL) {\n\t\t\tconst struct bpf_map *map = reg->map_ptr;\n\n\t\t\tif (map->inner_map_meta) {\n\t\t\t\treg->type = CONST_PTR_TO_MAP;\n\t\t\t\treg->map_ptr = map->inner_map_meta;\n\t\t\t} else if (map->map_type == BPF_MAP_TYPE_XSKMAP) {\n\t\t\t\treg->type = PTR_TO_XDP_SOCK;\n\t\t\t} else if (map->map_type == BPF_MAP_TYPE_SOCKMAP ||\n\t\t\t\t map->map_type == BPF_MAP_TYPE_SOCKHASH) {\n\t\t\t\treg->type = PTR_TO_SOCKET;\n\t\t\t} else {\n\t\t\t\treg->type = PTR_TO_MAP_VALUE;\n\t\t\t}\n\t\t} else if (reg->type == PTR_TO_SOCKET_OR_NULL) {\n\t\t\treg->type = PTR_TO_SOCKET;\n\t\t} else if (reg->type == PTR_TO_SOCK_COMMON_OR_NULL) {\n\t\t\treg->type = PTR_TO_SOCK_COMMON;\n\t\t} else if (reg->type == PTR_TO_TCP_SOCK_OR_NULL) {\n\t\t\treg->type = PTR_TO_TCP_SOCK;\n\t\t} else if (reg->type == PTR_TO_BTF_ID_OR_NULL) {\n\t\t\treg->type = PTR_TO_BTF_ID;\n\t\t} else if (reg->type == PTR_TO_MEM_OR_NULL) {\n\t\t\treg->type = PTR_TO_MEM;\n\t\t} else if (reg->type == PTR_TO_RDONLY_BUF_OR_NULL) {\n\t\t\treg->type = PTR_TO_RDONLY_BUF;\n\t\t} else if (reg->type == PTR_TO_RDWR_BUF_OR_NULL) {\n\t\t\treg->type = PTR_TO_RDWR_BUF;\n\t\t}\n\t\tif 
(is_null) {\n\t\t\t/* We don't need id and ref_obj_id from this point\n\t\t\t * onwards anymore, thus we should better reset it,\n\t\t\t * so that state pruning has chances to take effect.\n\t\t\t */\n\t\t\treg->id = 0;\n\t\t\treg->ref_obj_id = 0;\n\t\t} else if (!reg_may_point_to_spin_lock(reg)) {\n\t\t\t/* For not-NULL ptr, reg->ref_obj_id will be reset\n\t\t\t * in release_reg_references().\n\t\t\t *\n\t\t\t * reg->id is still used by spin_lock ptr. Other\n\t\t\t * than spin_lock ptr type, reg->id can be reset.\n\t\t\t */\n\t\t\treg->id = 0;\n\t\t}\n\t}\n}", "project": "linux", "hash": 328621586278739525573519970367202456786, "size": 65, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 
in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. 
Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456523 }, { "func": "int check_ctx_reg(struct bpf_verifier_env *env,\n\t\t const struct bpf_reg_state *reg, int regno)\n{\n\t/* Access to ctx or passing it to a helper is only allowed in\n\t * its original, unmodified form.\n\t */\n\n\tif (reg->off) {\n\t\tverbose(env, \"dereference of modified ctx ptr R%d off=%d disallowed\\n\",\n\t\t\tregno, reg->off);\n\t\treturn -EACCES;\n\t}\n\n\tif (!tnum_is_const(reg->var_off) || reg->var_off.value) {\n\t\tchar tn_buf[48];\n\n\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\tverbose(env, \"variable ctx access var_off=%s disallowed\\n\", tn_buf);\n\t\treturn -EACCES;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 326246588349925400260431982442538961326, "size": 23, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232599 }, { "func": "const char *kernel_type_name(u32 id)\n{\n\treturn btf_name_by_offset(btf_vmlinux,\n\t\t\t\t btf_type_by_id(btf_vmlinux, id)->name_off);\n}", "project": "linux", "hash": 135072368077950469268361918990173136171, "size": 5, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232555 }, { "func": "static bool is_flow_key_reg(struct bpf_verifier_env *env, int regno)\n{\n\tconst struct bpf_reg_state *reg = reg_state(env, regno);\n\n\t/* Separate to is_ctx_reg() since we still want to allow BPF_ST here. */\n\treturn reg->type == PTR_TO_FLOW_KEYS;\n}", "project": "linux", "hash": 132149908781866270137116134119642318022, "size": 7, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232414 }, { "func": "static void mark_reg_unknown(struct bpf_verifier_env *env,\n\t\t\t struct bpf_reg_state *regs, u32 regno)\n{\n\tif (WARN_ON(regno >= MAX_BPF_REG)) {\n\t\tverbose(env, \"mark_reg_unknown(regs, %u)\\n\", regno);\n\t\t/* Something bad happened, let's kill all regs except FP */\n\t\tfor (regno = 0; regno < BPF_REG_FP; regno++)\n\t\t\t__mark_reg_not_init(env, regs + regno);\n\t\treturn;\n\t}\n\t__mark_reg_unknown(env, regs + regno);\n}", "project": "linux", "hash": 276992586816445587020981196123929793572, "size": 12, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232580 }, { "func": "static bool arg_type_is_int_ptr(enum bpf_arg_type type)\n{\n\treturn type == ARG_PTR_TO_INT ||\n\t type == ARG_PTR_TO_LONG;\n}", "project": "linux", "hash": 205076681386251411867666896664732453230, "size": 5, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232611 }, { "func": "static int __mark_chain_precision(struct bpf_verifier_env *env, int regno,\n\t\t\t\t int spi)\n{\n\tstruct bpf_verifier_state *st = env->cur_state;\n\tint first_idx = st->first_insn_idx;\n\tint last_idx = env->insn_idx;\n\tstruct bpf_func_state *func;\n\tstruct bpf_reg_state *reg;\n\tu32 reg_mask = regno >= 0 ? 1u << regno : 0;\n\tu64 stack_mask = spi >= 0 ? 1ull << spi : 0;\n\tbool skip_first = true;\n\tbool new_marks = false;\n\tint i, err;\n\n\tif (!env->allow_ptr_leaks)\n\t\t/* backtracking is root only for now */\n\t\treturn 0;\n\n\tfunc = st->frame[st->curframe];\n\tif (regno >= 0) {\n\t\treg = &func->regs[regno];\n\t\tif (reg->type != SCALAR_VALUE) {\n\t\t\tWARN_ONCE(1, \"backtracing misuse\");\n\t\t\treturn -EFAULT;\n\t\t}\n\t\tif (!reg->precise)\n\t\t\tnew_marks = true;\n\t\telse\n\t\t\treg_mask = 0;\n\t\treg->precise = true;\n\t}\n\n\twhile (spi >= 0) {\n\t\tif (func->stack[spi].slot_type[0] != STACK_SPILL) {\n\t\t\tstack_mask = 0;\n\t\t\tbreak;\n\t\t}\n\t\treg = &func->stack[spi].spilled_ptr;\n\t\tif (reg->type != SCALAR_VALUE) {\n\t\t\tstack_mask = 0;\n\t\t\tbreak;\n\t\t}\n\t\tif (!reg->precise)\n\t\t\tnew_marks = true;\n\t\telse\n\t\t\tstack_mask = 0;\n\t\treg->precise = true;\n\t\tbreak;\n\t}\n\n\tif (!new_marks)\n\t\treturn 0;\n\tif (!reg_mask && !stack_mask)\n\t\treturn 0;\n\tfor (;;) {\n\t\tDECLARE_BITMAP(mask, 64);\n\t\tu32 history = st->jmp_history_cnt;\n\n\t\tif (env->log.level & BPF_LOG_LEVEL)\n\t\t\tverbose(env, \"last_idx %d first_idx %d\\n\", last_idx, first_idx);\n\t\tfor (i = last_idx;;) {\n\t\t\tif (skip_first) {\n\t\t\t\terr = 0;\n\t\t\t\tskip_first = 
false;\n\t\t\t} else {\n\t\t\t\terr = backtrack_insn(env, i, &reg_mask, &stack_mask);\n\t\t\t}\n\t\t\tif (err == -ENOTSUPP) {\n\t\t\t\tmark_all_scalars_precise(env, st);\n\t\t\t\treturn 0;\n\t\t\t} else if (err) {\n\t\t\t\treturn err;\n\t\t\t}\n\t\t\tif (!reg_mask && !stack_mask)\n\t\t\t\t/* Found assignment(s) into tracked register in this state.\n\t\t\t\t * Since this state is already marked, just return.\n\t\t\t\t * Nothing to be tracked further in the parent state.\n\t\t\t\t */\n\t\t\t\treturn 0;\n\t\t\tif (i == first_idx)\n\t\t\t\tbreak;\n\t\t\ti = get_prev_insn_idx(st, i, &history);\n\t\t\tif (i >= env->prog->len) {\n\t\t\t\t/* This can happen if backtracking reached insn 0\n\t\t\t\t * and there are still reg_mask or stack_mask\n\t\t\t\t * to backtrack.\n\t\t\t\t * It means the backtracking missed the spot where\n\t\t\t\t * particular register was initialized with a constant.\n\t\t\t\t */\n\t\t\t\tverbose(env, \"BUG backtracking idx %d\\n\", i);\n\t\t\t\tWARN_ONCE(1, \"verifier backtracking bug\");\n\t\t\t\treturn -EFAULT;\n\t\t\t}\n\t\t}\n\t\tst = st->parent;\n\t\tif (!st)\n\t\t\tbreak;\n\n\t\tnew_marks = false;\n\t\tfunc = st->frame[st->curframe];\n\t\tbitmap_from_u64(mask, reg_mask);\n\t\tfor_each_set_bit(i, mask, 32) {\n\t\t\treg = &func->regs[i];\n\t\t\tif (reg->type != SCALAR_VALUE) {\n\t\t\t\treg_mask &= ~(1u << i);\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (!reg->precise)\n\t\t\t\tnew_marks = true;\n\t\t\treg->precise = true;\n\t\t}\n\n\t\tbitmap_from_u64(mask, stack_mask);\n\t\tfor_each_set_bit(i, mask, 64) {\n\t\t\tif (i >= func->allocated_stack / BPF_REG_SIZE) {\n\t\t\t\t/* the sequence of instructions:\n\t\t\t\t * 2: (bf) r3 = r10\n\t\t\t\t * 3: (7b) *(u64 *)(r3 -8) = r0\n\t\t\t\t * 4: (79) r4 = *(u64 *)(r10 -8)\n\t\t\t\t * doesn't contain jmps. 
It's backtracked\n\t\t\t\t * as a single block.\n\t\t\t\t * During backtracking insn 3 is not recognized as\n\t\t\t\t * stack access, so at the end of backtracking\n\t\t\t\t * stack slot fp-8 is still marked in stack_mask.\n\t\t\t\t * However the parent state may not have accessed\n\t\t\t\t * fp-8 and it's \"unallocated\" stack space.\n\t\t\t\t * In such case fallback to conservative.\n\t\t\t\t */\n\t\t\t\tmark_all_scalars_precise(env, st);\n\t\t\t\treturn 0;\n\t\t\t}\n\n\t\t\tif (func->stack[i].slot_type[0] != STACK_SPILL) {\n\t\t\t\tstack_mask &= ~(1ull << i);\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\treg = &func->stack[i].spilled_ptr;\n\t\t\tif (reg->type != SCALAR_VALUE) {\n\t\t\t\tstack_mask &= ~(1ull << i);\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (!reg->precise)\n\t\t\t\tnew_marks = true;\n\t\t\treg->precise = true;\n\t\t}\n\t\tif (env->log.level & BPF_LOG_LEVEL) {\n\t\t\tprint_verifier_state(env, func);\n\t\t\tverbose(env, \"parent %s regs=%x stack=%llx marks\\n\",\n\t\t\t\tnew_marks ? \"didn't have\" : \"already had\",\n\t\t\t\treg_mask, stack_mask);\n\t\t}\n\n\t\tif (!reg_mask && !stack_mask)\n\t\t\tbreak;\n\t\tif (!new_marks)\n\t\t\tbreak;\n\n\t\tlast_idx = st->last_insn_idx;\n\t\tfirst_idx = st->first_insn_idx;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 3851777118315206188917742228730666466, "size": 162, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. 
These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232512 }, { "func": "static void scalar_min_max_mul(struct bpf_reg_state *dst_reg,\n\t\t\t struct bpf_reg_state *src_reg)\n{\n\ts64 smin_val = src_reg->smin_value;\n\tu64 umin_val = src_reg->umin_value;\n\tu64 umax_val = src_reg->umax_value;\n\n\tdst_reg->var_off = tnum_mul(dst_reg->var_off, src_reg->var_off);\n\tif (smin_val < 0 || dst_reg->smin_value < 0) {\n\t\t/* Ain't nobody got time to multiply that sign */\n\t\t__mark_reg_unbounded(dst_reg);\n\t\t__update_reg_bounds(dst_reg);\n\t\treturn;\n\t}\n\t/* Both values are positive, so we can work with unsigned and\n\t * copy the result to signed (unless it exceeds S64_MAX).\n\t */\n\tif (umax_val > U32_MAX || dst_reg->umax_value > U32_MAX) {\n\t\t/* Potential overflow, we know nothing */\n\t\t__mark_reg_unbounded(dst_reg);\n\t\t/* (except what we can learn from the var_off) */\n\t\t__update_reg_bounds(dst_reg);\n\t\treturn;\n\t}\n\tdst_reg->umin_value *= umin_val;\n\tdst_reg->umax_value *= umax_val;\n\tif (dst_reg->umax_value > S64_MAX) {\n\t\t/* Overflow possible, we know nothing */\n\t\tdst_reg->smin_value = S64_MIN;\n\t\tdst_reg->smax_value = S64_MAX;\n\t} else {\n\t\tdst_reg->smin_value = dst_reg->umin_value;\n\t\tdst_reg->smax_value = dst_reg->umax_value;\n\t}\n}", "project": "linux", "hash": 305266281143365688136121613971555100354, "size": 35, 
"commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232596 }, { "func": "static int fixup_bpf_calls(struct bpf_verifier_env *env)\n{\n\tstruct bpf_prog *prog = env->prog;\n\tbool expect_blinding = bpf_jit_blinding_enabled(prog);\n\tstruct bpf_insn *insn = prog->insnsi;\n\tconst struct bpf_func_proto *fn;\n\tconst int insn_cnt = prog->len;\n\tconst struct bpf_map_ops *ops;\n\tstruct bpf_insn_aux_data *aux;\n\tstruct bpf_insn insn_buf[16];\n\tstruct bpf_prog *new_prog;\n\tstruct bpf_map *map_ptr;\n\tint i, ret, cnt, delta = 0;\n\n\tfor (i = 0; i < insn_cnt; i++, insn++) {\n\t\tif (insn->code == (BPF_ALU64 | BPF_MOD | BPF_X) ||\n\t\t insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) ||\n\t\t insn->code == (BPF_ALU | BPF_MOD | BPF_X) ||\n\t\t 
insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {\n\t\t\tbool is64 = BPF_CLASS(insn->code) == BPF_ALU64;\n\t\t\tbool isdiv = BPF_OP(insn->code) == BPF_DIV;\n\t\t\tstruct bpf_insn *patchlet;\n\t\t\tstruct bpf_insn chk_and_div[] = {\n\t\t\t\t/* Rx div 0 -> 0 */\n\t\t\t\tBPF_RAW_INSN((is64 ? BPF_JMP : BPF_JMP32) |\n\t\t\t\t\t BPF_JNE | BPF_K, insn->src_reg,\n\t\t\t\t\t 0, 2, 0),\n\t\t\t\tBPF_ALU32_REG(BPF_XOR, insn->dst_reg, insn->dst_reg),\n\t\t\t\tBPF_JMP_IMM(BPF_JA, 0, 0, 1),\n\t\t\t\t*insn,\n\t\t\t};\n\t\t\tstruct bpf_insn chk_and_mod[] = {\n\t\t\t\t/* Rx mod 0 -> Rx */\n\t\t\t\tBPF_RAW_INSN((is64 ? BPF_JMP : BPF_JMP32) |\n\t\t\t\t\t BPF_JEQ | BPF_K, insn->src_reg,\n\t\t\t\t\t 0, 1, 0),\n\t\t\t\t*insn,\n\t\t\t};\n\n\t\t\tpatchlet = isdiv ? chk_and_div : chk_and_mod;\n\t\t\tcnt = isdiv ? ARRAY_SIZE(chk_and_div) :\n\t\t\t\t ARRAY_SIZE(chk_and_mod);\n\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, patchlet, cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (BPF_CLASS(insn->code) == BPF_LD &&\n\t\t (BPF_MODE(insn->code) == BPF_ABS ||\n\t\t BPF_MODE(insn->code) == BPF_IND)) {\n\t\t\tcnt = env->ops->gen_ld_abs(insn, insn_buf);\n\t\t\tif (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) {\n\t\t\t\tverbose(env, \"bpf verifier is misconfigured\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (insn->code == (BPF_ALU64 | BPF_ADD | BPF_X) ||\n\t\t insn->code == (BPF_ALU64 | BPF_SUB | BPF_X)) {\n\t\t\tconst u8 code_add = BPF_ALU64 | BPF_ADD | BPF_X;\n\t\t\tconst u8 code_sub = BPF_ALU64 | BPF_SUB | BPF_X;\n\t\t\tstruct bpf_insn insn_buf[16];\n\t\t\tstruct bpf_insn *patch = 
&insn_buf[0];\n\t\t\tbool issrc, isneg;\n\t\t\tu32 off_reg;\n\n\t\t\taux = &env->insn_aux_data[i + delta];\n\t\t\tif (!aux->alu_state ||\n\t\t\t aux->alu_state == BPF_ALU_NON_POINTER)\n\t\t\t\tcontinue;\n\n\t\t\tisneg = aux->alu_state & BPF_ALU_NEG_VALUE;\n\t\t\tissrc = (aux->alu_state & BPF_ALU_SANITIZE) ==\n\t\t\t\tBPF_ALU_SANITIZE_SRC;\n\n\t\t\toff_reg = issrc ? insn->src_reg : insn->dst_reg;\n\t\t\tif (isneg)\n\t\t\t\t*patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);\n\t\t\t*patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);\n\t\t\t*patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);\n\t\t\t*patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);\n\t\t\t*patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);\n\t\t\t*patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);\n\t\t\tif (issrc) {\n\t\t\t\t*patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,\n\t\t\t\t\t\t\t off_reg);\n\t\t\t\tinsn->src_reg = BPF_REG_AX;\n\t\t\t} else {\n\t\t\t\t*patch++ = BPF_ALU64_REG(BPF_AND, off_reg,\n\t\t\t\t\t\t\t BPF_REG_AX);\n\t\t\t}\n\t\t\tif (isneg)\n\t\t\t\tinsn->code = insn->code == code_add ?\n\t\t\t\t\t code_sub : code_add;\n\t\t\t*patch++ = *insn;\n\t\t\tif (issrc && isneg)\n\t\t\t\t*patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);\n\t\t\tcnt = patch - insn_buf;\n\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (insn->code != (BPF_JMP | BPF_CALL))\n\t\t\tcontinue;\n\t\tif (insn->src_reg == BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\n\t\tif (insn->imm == BPF_FUNC_get_route_realm)\n\t\t\tprog->dst_needed = 1;\n\t\tif (insn->imm == BPF_FUNC_get_prandom_u32)\n\t\t\tbpf_user_rnd_init_once();\n\t\tif (insn->imm == BPF_FUNC_override_return)\n\t\t\tprog->kprobe_override = 1;\n\t\tif (insn->imm == BPF_FUNC_tail_call) {\n\t\t\t/* If we tail call into other programs, we\n\t\t\t * cannot make any 
assumptions since they can\n\t\t\t * be replaced dynamically during runtime in\n\t\t\t * the program array.\n\t\t\t */\n\t\t\tprog->cb_access = 1;\n\t\t\tif (!allow_tail_call_in_subprogs(env))\n\t\t\t\tprog->aux->stack_depth = MAX_BPF_STACK;\n\t\t\tprog->aux->max_pkt_offset = MAX_PACKET_OFF;\n\n\t\t\t/* mark bpf_tail_call as different opcode to avoid\n\t\t\t * conditional branch in the interpeter for every normal\n\t\t\t * call and to prevent accidental JITing by JIT compiler\n\t\t\t * that doesn't support bpf_tail_call yet\n\t\t\t */\n\t\t\tinsn->imm = 0;\n\t\t\tinsn->code = BPF_JMP | BPF_TAIL_CALL;\n\n\t\t\taux = &env->insn_aux_data[i + delta];\n\t\t\tif (env->bpf_capable && !expect_blinding &&\n\t\t\t prog->jit_requested &&\n\t\t\t !bpf_map_key_poisoned(aux) &&\n\t\t\t !bpf_map_ptr_poisoned(aux) &&\n\t\t\t !bpf_map_ptr_unpriv(aux)) {\n\t\t\t\tstruct bpf_jit_poke_descriptor desc = {\n\t\t\t\t\t.reason = BPF_POKE_REASON_TAIL_CALL,\n\t\t\t\t\t.tail_call.map = BPF_MAP_PTR(aux->map_ptr_state),\n\t\t\t\t\t.tail_call.key = bpf_map_key_immediate(aux),\n\t\t\t\t\t.insn_idx = i + delta,\n\t\t\t\t};\n\n\t\t\t\tret = bpf_jit_add_poke_descriptor(prog, &desc);\n\t\t\t\tif (ret < 0) {\n\t\t\t\t\tverbose(env, \"adding tail call poke descriptor failed\\n\");\n\t\t\t\t\treturn ret;\n\t\t\t\t}\n\n\t\t\t\tinsn->imm = ret + 1;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tif (!bpf_map_ptr_unpriv(aux))\n\t\t\t\tcontinue;\n\n\t\t\t/* instead of changing every JIT dealing with tail_call\n\t\t\t * emit two extra insns:\n\t\t\t * if (index >= max_entries) goto out;\n\t\t\t * index &= array->index_mask;\n\t\t\t * to avoid out-of-bounds cpu speculation\n\t\t\t */\n\t\t\tif (bpf_map_ptr_poisoned(aux)) {\n\t\t\t\tverbose(env, \"tail_call abusing map_ptr\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tmap_ptr = BPF_MAP_PTR(aux->map_ptr_state);\n\t\t\tinsn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3,\n\t\t\t\t\t\t map_ptr->max_entries, 2);\n\t\t\tinsn_buf[1] = BPF_ALU32_IMM(BPF_AND, 
BPF_REG_3,\n\t\t\t\t\t\t container_of(map_ptr,\n\t\t\t\t\t\t\t\t struct bpf_array,\n\t\t\t\t\t\t\t\t map)->index_mask);\n\t\t\tinsn_buf[2] = *insn;\n\t\t\tcnt = 3;\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* BPF_EMIT_CALL() assumptions in some of the map_gen_lookup\n\t\t * and other inlining handlers are currently limited to 64 bit\n\t\t * only.\n\t\t */\n\t\tif (prog->jit_requested && BITS_PER_LONG == 64 &&\n\t\t (insn->imm == BPF_FUNC_map_lookup_elem ||\n\t\t insn->imm == BPF_FUNC_map_update_elem ||\n\t\t insn->imm == BPF_FUNC_map_delete_elem ||\n\t\t insn->imm == BPF_FUNC_map_push_elem ||\n\t\t insn->imm == BPF_FUNC_map_pop_elem ||\n\t\t insn->imm == BPF_FUNC_map_peek_elem)) {\n\t\t\taux = &env->insn_aux_data[i + delta];\n\t\t\tif (bpf_map_ptr_poisoned(aux))\n\t\t\t\tgoto patch_call_imm;\n\n\t\t\tmap_ptr = BPF_MAP_PTR(aux->map_ptr_state);\n\t\t\tops = map_ptr->ops;\n\t\t\tif (insn->imm == BPF_FUNC_map_lookup_elem &&\n\t\t\t ops->map_gen_lookup) {\n\t\t\t\tcnt = ops->map_gen_lookup(map_ptr, insn_buf);\n\t\t\t\tif (cnt == -EOPNOTSUPP)\n\t\t\t\t\tgoto patch_map_ops_generic;\n\t\t\t\tif (cnt <= 0 || cnt >= ARRAY_SIZE(insn_buf)) {\n\t\t\t\t\tverbose(env, \"bpf verifier is misconfigured\\n\");\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta,\n\t\t\t\t\t\t\t insn_buf, cnt);\n\t\t\t\tif (!new_prog)\n\t\t\t\t\treturn -ENOMEM;\n\n\t\t\t\tdelta += cnt - 1;\n\t\t\t\tenv->prog = prog = new_prog;\n\t\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_lookup_elem,\n\t\t\t\t (void *(*)(struct bpf_map *map, void *key))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_delete_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void 
*key))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_update_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void *key, void *value,\n\t\t\t\t\t u64 flags))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_push_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void *value,\n\t\t\t\t\t u64 flags))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_pop_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void *value))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_peek_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void *value))NULL));\npatch_map_ops_generic:\n\t\t\tswitch (insn->imm) {\n\t\t\tcase BPF_FUNC_map_lookup_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_lookup_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_update_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_update_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_delete_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_delete_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_push_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_push_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_pop_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_pop_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_peek_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_peek_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tgoto patch_call_imm;\n\t\t}\n\n\t\tif (prog->jit_requested && BITS_PER_LONG == 64 &&\n\t\t insn->imm == BPF_FUNC_jiffies64) {\n\t\t\tstruct bpf_insn ld_jiffies_addr[2] = {\n\t\t\t\tBPF_LD_IMM64(BPF_REG_0,\n\t\t\t\t\t (unsigned long)&jiffies),\n\t\t\t};\n\n\t\t\tinsn_buf[0] = ld_jiffies_addr[0];\n\t\t\tinsn_buf[1] = ld_jiffies_addr[1];\n\t\t\tinsn_buf[2] = BPF_LDX_MEM(BPF_DW, BPF_REG_0,\n\t\t\t\t\t\t BPF_REG_0, 0);\n\t\t\tcnt = 3;\n\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, insn_buf,\n\t\t\t\t\t\t cnt);\n\t\t\tif 
(!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\npatch_call_imm:\n\t\tfn = env->ops->get_func_proto(insn->imm, env->prog);\n\t\t/* all functions that have prototype and verifier allowed\n\t\t * programs to call them, must be real in-kernel functions\n\t\t */\n\t\tif (!fn->func) {\n\t\t\tverbose(env,\n\t\t\t\t\"kernel subsystem misconfigured func %s#%d\\n\",\n\t\t\t\tfunc_id_name(insn->imm), insn->imm);\n\t\t\treturn -EFAULT;\n\t\t}\n\t\tinsn->imm = fn->func - __bpf_call_base;\n\t}\n\n\t/* Since poke tab is now finalized, publish aux to tracker. */\n\tfor (i = 0; i < prog->aux->size_poke_tab; i++) {\n\t\tmap_ptr = prog->aux->poke_tab[i].tail_call.map;\n\t\tif (!map_ptr->ops->map_poke_track ||\n\t\t !map_ptr->ops->map_poke_untrack ||\n\t\t !map_ptr->ops->map_poke_run) {\n\t\t\tverbose(env, \"bpf verifier is misconfigured\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tret = map_ptr->ops->map_poke_track(map_ptr, prog->aux);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"tracking tail call prog failed\\n\");\n\t\t\treturn ret;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 152615674230289523630558563935223050128, "size": 350, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 
5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. 
Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 1, "dataset": "other", "idx": 212215 }, { "func": "static int fixup_bpf_calls(struct bpf_verifier_env *env)\n{\n\tstruct bpf_prog *prog = env->prog;\n\tbool expect_blinding = bpf_jit_blinding_enabled(prog);\n\tstruct bpf_insn *insn = prog->insnsi;\n\tconst struct bpf_func_proto *fn;\n\tconst int insn_cnt = prog->len;\n\tconst struct bpf_map_ops *ops;\n\tstruct bpf_insn_aux_data *aux;\n\tstruct bpf_insn insn_buf[16];\n\tstruct bpf_prog *new_prog;\n\tstruct bpf_map *map_ptr;\n\tint i, ret, cnt, delta = 0;\n\n\tfor (i = 0; i < insn_cnt; i++, insn++) {\n\t\tif (insn->code == (BPF_ALU64 | BPF_MOD | BPF_X) ||\n\t\t insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) ||\n\t\t insn->code == (BPF_ALU | BPF_MOD | BPF_X) ||\n\t\t insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {\n\t\t\tbool is64 = BPF_CLASS(insn->code) == BPF_ALU64;\n\t\t\tstruct bpf_insn mask_and_div[] = {\n\t\t\t\tBPF_MOV32_REG(insn->src_reg, insn->src_reg),\n\t\t\t\t/* Rx div 0 -> 0 */\n\t\t\t\tBPF_JMP_IMM(BPF_JNE, insn->src_reg, 0, 2),\n\t\t\t\tBPF_ALU32_REG(BPF_XOR, insn->dst_reg, insn->dst_reg),\n\t\t\t\tBPF_JMP_IMM(BPF_JA, 0, 0, 1),\n\t\t\t\t*insn,\n\t\t\t};\n\t\t\tstruct bpf_insn mask_and_mod[] = {\n\t\t\t\tBPF_MOV32_REG(insn->src_reg, insn->src_reg),\n\t\t\t\t/* Rx mod 0 -> Rx */\n\t\t\t\tBPF_JMP_IMM(BPF_JEQ, insn->src_reg, 0, 1),\n\t\t\t\t*insn,\n\t\t\t};\n\t\t\tstruct bpf_insn *patchlet;\n\n\t\t\tif (insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) ||\n\t\t\t insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {\n\t\t\t\tpatchlet = mask_and_div + (is64 ? 1 : 0);\n\t\t\t\tcnt = ARRAY_SIZE(mask_and_div) - (is64 ? 1 : 0);\n\t\t\t} else {\n\t\t\t\tpatchlet = mask_and_mod + (is64 ? 
1 : 0);\n\t\t\t\tcnt = ARRAY_SIZE(mask_and_mod) - (is64 ? 1 : 0);\n\t\t\t}\n\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, patchlet, cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (BPF_CLASS(insn->code) == BPF_LD &&\n\t\t (BPF_MODE(insn->code) == BPF_ABS ||\n\t\t BPF_MODE(insn->code) == BPF_IND)) {\n\t\t\tcnt = env->ops->gen_ld_abs(insn, insn_buf);\n\t\t\tif (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) {\n\t\t\t\tverbose(env, \"bpf verifier is misconfigured\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (insn->code == (BPF_ALU64 | BPF_ADD | BPF_X) ||\n\t\t insn->code == (BPF_ALU64 | BPF_SUB | BPF_X)) {\n\t\t\tconst u8 code_add = BPF_ALU64 | BPF_ADD | BPF_X;\n\t\t\tconst u8 code_sub = BPF_ALU64 | BPF_SUB | BPF_X;\n\t\t\tstruct bpf_insn insn_buf[16];\n\t\t\tstruct bpf_insn *patch = &insn_buf[0];\n\t\t\tbool issrc, isneg;\n\t\t\tu32 off_reg;\n\n\t\t\taux = &env->insn_aux_data[i + delta];\n\t\t\tif (!aux->alu_state ||\n\t\t\t aux->alu_state == BPF_ALU_NON_POINTER)\n\t\t\t\tcontinue;\n\n\t\t\tisneg = aux->alu_state & BPF_ALU_NEG_VALUE;\n\t\t\tissrc = (aux->alu_state & BPF_ALU_SANITIZE) ==\n\t\t\t\tBPF_ALU_SANITIZE_SRC;\n\n\t\t\toff_reg = issrc ? 
insn->src_reg : insn->dst_reg;\n\t\t\tif (isneg)\n\t\t\t\t*patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);\n\t\t\t*patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);\n\t\t\t*patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);\n\t\t\t*patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);\n\t\t\t*patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);\n\t\t\t*patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);\n\t\t\tif (issrc) {\n\t\t\t\t*patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,\n\t\t\t\t\t\t\t off_reg);\n\t\t\t\tinsn->src_reg = BPF_REG_AX;\n\t\t\t} else {\n\t\t\t\t*patch++ = BPF_ALU64_REG(BPF_AND, off_reg,\n\t\t\t\t\t\t\t BPF_REG_AX);\n\t\t\t}\n\t\t\tif (isneg)\n\t\t\t\tinsn->code = insn->code == code_add ?\n\t\t\t\t\t code_sub : code_add;\n\t\t\t*patch++ = *insn;\n\t\t\tif (issrc && isneg)\n\t\t\t\t*patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);\n\t\t\tcnt = patch - insn_buf;\n\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (insn->code != (BPF_JMP | BPF_CALL))\n\t\t\tcontinue;\n\t\tif (insn->src_reg == BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\n\t\tif (insn->imm == BPF_FUNC_get_route_realm)\n\t\t\tprog->dst_needed = 1;\n\t\tif (insn->imm == BPF_FUNC_get_prandom_u32)\n\t\t\tbpf_user_rnd_init_once();\n\t\tif (insn->imm == BPF_FUNC_override_return)\n\t\t\tprog->kprobe_override = 1;\n\t\tif (insn->imm == BPF_FUNC_tail_call) {\n\t\t\t/* If we tail call into other programs, we\n\t\t\t * cannot make any assumptions since they can\n\t\t\t * be replaced dynamically during runtime in\n\t\t\t * the program array.\n\t\t\t */\n\t\t\tprog->cb_access = 1;\n\t\t\tenv->prog->aux->stack_depth = MAX_BPF_STACK;\n\t\t\tenv->prog->aux->max_pkt_offset = MAX_PACKET_OFF;\n\n\t\t\t/* mark bpf_tail_call as different opcode to avoid\n\t\t\t * conditional branch in the interpeter for 
every normal\n\t\t\t * call and to prevent accidental JITing by JIT compiler\n\t\t\t * that doesn't support bpf_tail_call yet\n\t\t\t */\n\t\t\tinsn->imm = 0;\n\t\t\tinsn->code = BPF_JMP | BPF_TAIL_CALL;\n\n\t\t\taux = &env->insn_aux_data[i + delta];\n\t\t\tif (env->allow_ptr_leaks && !expect_blinding &&\n\t\t\t prog->jit_requested &&\n\t\t\t !bpf_map_key_poisoned(aux) &&\n\t\t\t !bpf_map_ptr_poisoned(aux) &&\n\t\t\t !bpf_map_ptr_unpriv(aux)) {\n\t\t\t\tstruct bpf_jit_poke_descriptor desc = {\n\t\t\t\t\t.reason = BPF_POKE_REASON_TAIL_CALL,\n\t\t\t\t\t.tail_call.map = BPF_MAP_PTR(aux->map_ptr_state),\n\t\t\t\t\t.tail_call.key = bpf_map_key_immediate(aux),\n\t\t\t\t};\n\n\t\t\t\tret = bpf_jit_add_poke_descriptor(prog, &desc);\n\t\t\t\tif (ret < 0) {\n\t\t\t\t\tverbose(env, \"adding tail call poke descriptor failed\\n\");\n\t\t\t\t\treturn ret;\n\t\t\t\t}\n\n\t\t\t\tinsn->imm = ret + 1;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tif (!bpf_map_ptr_unpriv(aux))\n\t\t\t\tcontinue;\n\n\t\t\t/* instead of changing every JIT dealing with tail_call\n\t\t\t * emit two extra insns:\n\t\t\t * if (index >= max_entries) goto out;\n\t\t\t * index &= array->index_mask;\n\t\t\t * to avoid out-of-bounds cpu speculation\n\t\t\t */\n\t\t\tif (bpf_map_ptr_poisoned(aux)) {\n\t\t\t\tverbose(env, \"tail_call abusing map_ptr\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tmap_ptr = BPF_MAP_PTR(aux->map_ptr_state);\n\t\t\tinsn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3,\n\t\t\t\t\t\t map_ptr->max_entries, 2);\n\t\t\tinsn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3,\n\t\t\t\t\t\t container_of(map_ptr,\n\t\t\t\t\t\t\t\t struct bpf_array,\n\t\t\t\t\t\t\t\t map)->index_mask);\n\t\t\tinsn_buf[2] = *insn;\n\t\t\tcnt = 3;\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* BPF_EMIT_CALL() assumptions in 
some of the map_gen_lookup\n\t\t * and other inlining handlers are currently limited to 64 bit\n\t\t * only.\n\t\t */\n\t\tif (prog->jit_requested && BITS_PER_LONG == 64 &&\n\t\t (insn->imm == BPF_FUNC_map_lookup_elem ||\n\t\t insn->imm == BPF_FUNC_map_update_elem ||\n\t\t insn->imm == BPF_FUNC_map_delete_elem ||\n\t\t insn->imm == BPF_FUNC_map_push_elem ||\n\t\t insn->imm == BPF_FUNC_map_pop_elem ||\n\t\t insn->imm == BPF_FUNC_map_peek_elem)) {\n\t\t\taux = &env->insn_aux_data[i + delta];\n\t\t\tif (bpf_map_ptr_poisoned(aux))\n\t\t\t\tgoto patch_call_imm;\n\n\t\t\tmap_ptr = BPF_MAP_PTR(aux->map_ptr_state);\n\t\t\tops = map_ptr->ops;\n\t\t\tif (insn->imm == BPF_FUNC_map_lookup_elem &&\n\t\t\t ops->map_gen_lookup) {\n\t\t\t\tcnt = ops->map_gen_lookup(map_ptr, insn_buf);\n\t\t\t\tif (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) {\n\t\t\t\t\tverbose(env, \"bpf verifier is misconfigured\\n\");\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta,\n\t\t\t\t\t\t\t insn_buf, cnt);\n\t\t\t\tif (!new_prog)\n\t\t\t\t\treturn -ENOMEM;\n\n\t\t\t\tdelta += cnt - 1;\n\t\t\t\tenv->prog = prog = new_prog;\n\t\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_lookup_elem,\n\t\t\t\t (void *(*)(struct bpf_map *map, void *key))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_delete_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void *key))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_update_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void *key, void *value,\n\t\t\t\t\t u64 flags))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_push_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void *value,\n\t\t\t\t\t u64 flags))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_pop_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void *value))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_peek_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void *value))NULL));\n\n\t\t\tswitch (insn->imm) 
{\n\t\t\tcase BPF_FUNC_map_lookup_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_lookup_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_update_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_update_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_delete_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_delete_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_push_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_push_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_pop_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_pop_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_peek_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_peek_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tgoto patch_call_imm;\n\t\t}\n\n\t\tif (prog->jit_requested && BITS_PER_LONG == 64 &&\n\t\t insn->imm == BPF_FUNC_jiffies64) {\n\t\t\tstruct bpf_insn ld_jiffies_addr[2] = {\n\t\t\t\tBPF_LD_IMM64(BPF_REG_0,\n\t\t\t\t\t (unsigned long)&jiffies),\n\t\t\t};\n\n\t\t\tinsn_buf[0] = ld_jiffies_addr[0];\n\t\t\tinsn_buf[1] = ld_jiffies_addr[1];\n\t\t\tinsn_buf[2] = BPF_LDX_MEM(BPF_DW, BPF_REG_0,\n\t\t\t\t\t\t BPF_REG_0, 0);\n\t\t\tcnt = 3;\n\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, insn_buf,\n\t\t\t\t\t\t cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\npatch_call_imm:\n\t\tfn = env->ops->get_func_proto(insn->imm, env->prog);\n\t\t/* all functions that have prototype and verifier allowed\n\t\t * programs to call them, must be real in-kernel functions\n\t\t */\n\t\tif (!fn->func) {\n\t\t\tverbose(env,\n\t\t\t\t\"kernel subsystem misconfigured func %s#%d\\n\",\n\t\t\t\tfunc_id_name(insn->imm), insn->imm);\n\t\t\treturn -EFAULT;\n\t\t}\n\t\tinsn->imm = fn->func - 
__bpf_call_base;\n\t}\n\n\t/* Since poke tab is now finalized, publish aux to tracker. */\n\tfor (i = 0; i < prog->aux->size_poke_tab; i++) {\n\t\tmap_ptr = prog->aux->poke_tab[i].tail_call.map;\n\t\tif (!map_ptr->ops->map_poke_track ||\n\t\t !map_ptr->ops->map_poke_untrack ||\n\t\t !map_ptr->ops->map_poke_run) {\n\t\t\tverbose(env, \"bpf verifier is misconfigured\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tret = map_ptr->ops->map_poke_track(map_ptr, prog->aux);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"tracking tail call prog failed\\n\");\n\t\t\treturn ret;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 19070982047136991752707985617376119721, "size": 348, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232419 }, { "func": "static int fixup_bpf_calls(struct bpf_verifier_env *env)\n{\n\tstruct bpf_prog *prog = env->prog;\n\tbool expect_blinding = bpf_jit_blinding_enabled(prog);\n\tstruct bpf_insn *insn = prog->insnsi;\n\tconst struct bpf_func_proto *fn;\n\tconst int insn_cnt = prog->len;\n\tconst struct bpf_map_ops *ops;\n\tstruct bpf_insn_aux_data *aux;\n\tstruct bpf_insn insn_buf[16];\n\tstruct bpf_prog *new_prog;\n\tstruct bpf_map *map_ptr;\n\tint i, ret, cnt, delta = 0;\n\n\tfor (i = 0; i < insn_cnt; i++, insn++) {\n\t\tif (insn->code == (BPF_ALU64 | BPF_MOD | BPF_X) ||\n\t\t insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) ||\n\t\t insn->code == (BPF_ALU | BPF_MOD | BPF_X) ||\n\t\t insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {\n\t\t\tbool is64 = BPF_CLASS(insn->code) == BPF_ALU64;\n\t\t\tstruct bpf_insn mask_and_div[] = {\n\t\t\t\tBPF_MOV32_REG(insn->src_reg, insn->src_reg),\n\t\t\t\t/* Rx div 0 -> 0 */\n\t\t\t\tBPF_JMP_IMM(BPF_JNE, insn->src_reg, 0, 2),\n\t\t\t\tBPF_ALU32_REG(BPF_XOR, insn->dst_reg, insn->dst_reg),\n\t\t\t\tBPF_JMP_IMM(BPF_JA, 0, 0, 1),\n\t\t\t\t*insn,\n\t\t\t};\n\t\t\tstruct bpf_insn mask_and_mod[] = {\n\t\t\t\tBPF_MOV32_REG(insn->src_reg, insn->src_reg),\n\t\t\t\t/* Rx mod 0 -> Rx */\n\t\t\t\tBPF_JMP_IMM(BPF_JEQ, insn->src_reg, 0, 1),\n\t\t\t\t*insn,\n\t\t\t};\n\t\t\tstruct bpf_insn *patchlet;\n\n\t\t\tif (insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) ||\n\t\t\t insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {\n\t\t\t\tpatchlet = mask_and_div + (is64 ? 1 : 0);\n\t\t\t\tcnt = ARRAY_SIZE(mask_and_div) - (is64 ? 1 : 0);\n\t\t\t} else {\n\t\t\t\tpatchlet = mask_and_mod + (is64 ? 
1 : 0);\n\t\t\t\tcnt = ARRAY_SIZE(mask_and_mod) - (is64 ? 1 : 0);\n\t\t\t}\n\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, patchlet, cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (BPF_CLASS(insn->code) == BPF_LD &&\n\t\t (BPF_MODE(insn->code) == BPF_ABS ||\n\t\t BPF_MODE(insn->code) == BPF_IND)) {\n\t\t\tcnt = env->ops->gen_ld_abs(insn, insn_buf);\n\t\t\tif (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) {\n\t\t\t\tverbose(env, \"bpf verifier is misconfigured\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (insn->code == (BPF_ALU64 | BPF_ADD | BPF_X) ||\n\t\t insn->code == (BPF_ALU64 | BPF_SUB | BPF_X)) {\n\t\t\tconst u8 code_add = BPF_ALU64 | BPF_ADD | BPF_X;\n\t\t\tconst u8 code_sub = BPF_ALU64 | BPF_SUB | BPF_X;\n\t\t\tstruct bpf_insn insn_buf[16];\n\t\t\tstruct bpf_insn *patch = &insn_buf[0];\n\t\t\tbool issrc, isneg;\n\t\t\tu32 off_reg;\n\n\t\t\taux = &env->insn_aux_data[i + delta];\n\t\t\tif (!aux->alu_state ||\n\t\t\t aux->alu_state == BPF_ALU_NON_POINTER)\n\t\t\t\tcontinue;\n\n\t\t\tisneg = aux->alu_state & BPF_ALU_NEG_VALUE;\n\t\t\tissrc = (aux->alu_state & BPF_ALU_SANITIZE) ==\n\t\t\t\tBPF_ALU_SANITIZE_SRC;\n\n\t\t\toff_reg = issrc ? 
insn->src_reg : insn->dst_reg;\n\t\t\tif (isneg)\n\t\t\t\t*patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);\n\t\t\t*patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);\n\t\t\t*patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);\n\t\t\t*patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);\n\t\t\t*patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);\n\t\t\t*patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);\n\t\t\tif (issrc) {\n\t\t\t\t*patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,\n\t\t\t\t\t\t\t off_reg);\n\t\t\t\tinsn->src_reg = BPF_REG_AX;\n\t\t\t} else {\n\t\t\t\t*patch++ = BPF_ALU64_REG(BPF_AND, off_reg,\n\t\t\t\t\t\t\t BPF_REG_AX);\n\t\t\t}\n\t\t\tif (isneg)\n\t\t\t\tinsn->code = insn->code == code_add ?\n\t\t\t\t\t code_sub : code_add;\n\t\t\t*patch++ = *insn;\n\t\t\tif (issrc && isneg)\n\t\t\t\t*patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);\n\t\t\tcnt = patch - insn_buf;\n\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (insn->code != (BPF_JMP | BPF_CALL))\n\t\t\tcontinue;\n\t\tif (insn->src_reg == BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\n\t\tif (insn->imm == BPF_FUNC_get_route_realm)\n\t\t\tprog->dst_needed = 1;\n\t\tif (insn->imm == BPF_FUNC_get_prandom_u32)\n\t\t\tbpf_user_rnd_init_once();\n\t\tif (insn->imm == BPF_FUNC_override_return)\n\t\t\tprog->kprobe_override = 1;\n\t\tif (insn->imm == BPF_FUNC_tail_call) {\n\t\t\t/* If we tail call into other programs, we\n\t\t\t * cannot make any assumptions since they can\n\t\t\t * be replaced dynamically during runtime in\n\t\t\t * the program array.\n\t\t\t */\n\t\t\tprog->cb_access = 1;\n\t\t\tenv->prog->aux->stack_depth = MAX_BPF_STACK;\n\t\t\tenv->prog->aux->max_pkt_offset = MAX_PACKET_OFF;\n\n\t\t\t/* mark bpf_tail_call as different opcode to avoid\n\t\t\t * conditional branch in the interpeter for 
every normal\n\t\t\t * call and to prevent accidental JITing by JIT compiler\n\t\t\t * that doesn't support bpf_tail_call yet\n\t\t\t */\n\t\t\tinsn->imm = 0;\n\t\t\tinsn->code = BPF_JMP | BPF_TAIL_CALL;\n\n\t\t\taux = &env->insn_aux_data[i + delta];\n\t\t\tif (env->bpf_capable && !expect_blinding &&\n\t\t\t prog->jit_requested &&\n\t\t\t !bpf_map_key_poisoned(aux) &&\n\t\t\t !bpf_map_ptr_poisoned(aux) &&\n\t\t\t !bpf_map_ptr_unpriv(aux)) {\n\t\t\t\tstruct bpf_jit_poke_descriptor desc = {\n\t\t\t\t\t.reason = BPF_POKE_REASON_TAIL_CALL,\n\t\t\t\t\t.tail_call.map = BPF_MAP_PTR(aux->map_ptr_state),\n\t\t\t\t\t.tail_call.key = bpf_map_key_immediate(aux),\n\t\t\t\t};\n\n\t\t\t\tret = bpf_jit_add_poke_descriptor(prog, &desc);\n\t\t\t\tif (ret < 0) {\n\t\t\t\t\tverbose(env, \"adding tail call poke descriptor failed\\n\");\n\t\t\t\t\treturn ret;\n\t\t\t\t}\n\n\t\t\t\tinsn->imm = ret + 1;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tif (!bpf_map_ptr_unpriv(aux))\n\t\t\t\tcontinue;\n\n\t\t\t/* instead of changing every JIT dealing with tail_call\n\t\t\t * emit two extra insns:\n\t\t\t * if (index >= max_entries) goto out;\n\t\t\t * index &= array->index_mask;\n\t\t\t * to avoid out-of-bounds cpu speculation\n\t\t\t */\n\t\t\tif (bpf_map_ptr_poisoned(aux)) {\n\t\t\t\tverbose(env, \"tail_call abusing map_ptr\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tmap_ptr = BPF_MAP_PTR(aux->map_ptr_state);\n\t\t\tinsn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3,\n\t\t\t\t\t\t map_ptr->max_entries, 2);\n\t\t\tinsn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3,\n\t\t\t\t\t\t container_of(map_ptr,\n\t\t\t\t\t\t\t\t struct bpf_array,\n\t\t\t\t\t\t\t\t map)->index_mask);\n\t\t\tinsn_buf[2] = *insn;\n\t\t\tcnt = 3;\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* BPF_EMIT_CALL() assumptions in some 
of the map_gen_lookup\n\t\t * and other inlining handlers are currently limited to 64 bit\n\t\t * only.\n\t\t */\n\t\tif (prog->jit_requested && BITS_PER_LONG == 64 &&\n\t\t (insn->imm == BPF_FUNC_map_lookup_elem ||\n\t\t insn->imm == BPF_FUNC_map_update_elem ||\n\t\t insn->imm == BPF_FUNC_map_delete_elem ||\n\t\t insn->imm == BPF_FUNC_map_push_elem ||\n\t\t insn->imm == BPF_FUNC_map_pop_elem ||\n\t\t insn->imm == BPF_FUNC_map_peek_elem)) {\n\t\t\taux = &env->insn_aux_data[i + delta];\n\t\t\tif (bpf_map_ptr_poisoned(aux))\n\t\t\t\tgoto patch_call_imm;\n\n\t\t\tmap_ptr = BPF_MAP_PTR(aux->map_ptr_state);\n\t\t\tops = map_ptr->ops;\n\t\t\tif (insn->imm == BPF_FUNC_map_lookup_elem &&\n\t\t\t ops->map_gen_lookup) {\n\t\t\t\tcnt = ops->map_gen_lookup(map_ptr, insn_buf);\n\t\t\t\tif (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) {\n\t\t\t\t\tverbose(env, \"bpf verifier is misconfigured\\n\");\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta,\n\t\t\t\t\t\t\t insn_buf, cnt);\n\t\t\t\tif (!new_prog)\n\t\t\t\t\treturn -ENOMEM;\n\n\t\t\t\tdelta += cnt - 1;\n\t\t\t\tenv->prog = prog = new_prog;\n\t\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_lookup_elem,\n\t\t\t\t (void *(*)(struct bpf_map *map, void *key))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_delete_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void *key))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_update_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void *key, void *value,\n\t\t\t\t\t u64 flags))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_push_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void *value,\n\t\t\t\t\t u64 flags))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_pop_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void *value))NULL));\n\t\t\tBUILD_BUG_ON(!__same_type(ops->map_peek_elem,\n\t\t\t\t (int (*)(struct bpf_map *map, void *value))NULL));\n\n\t\t\tswitch (insn->imm) 
{\n\t\t\tcase BPF_FUNC_map_lookup_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_lookup_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_update_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_update_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_delete_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_delete_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_push_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_push_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_pop_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_pop_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\tcase BPF_FUNC_map_peek_elem:\n\t\t\t\tinsn->imm = BPF_CAST_CALL(ops->map_peek_elem) -\n\t\t\t\t\t __bpf_call_base;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tgoto patch_call_imm;\n\t\t}\n\n\t\tif (prog->jit_requested && BITS_PER_LONG == 64 &&\n\t\t insn->imm == BPF_FUNC_jiffies64) {\n\t\t\tstruct bpf_insn ld_jiffies_addr[2] = {\n\t\t\t\tBPF_LD_IMM64(BPF_REG_0,\n\t\t\t\t\t (unsigned long)&jiffies),\n\t\t\t};\n\n\t\t\tinsn_buf[0] = ld_jiffies_addr[0];\n\t\t\tinsn_buf[1] = ld_jiffies_addr[1];\n\t\t\tinsn_buf[2] = BPF_LDX_MEM(BPF_DW, BPF_REG_0,\n\t\t\t\t\t\t BPF_REG_0, 0);\n\t\t\tcnt = 3;\n\n\t\t\tnew_prog = bpf_patch_insn_data(env, i + delta, insn_buf,\n\t\t\t\t\t\t cnt);\n\t\t\tif (!new_prog)\n\t\t\t\treturn -ENOMEM;\n\n\t\t\tdelta += cnt - 1;\n\t\t\tenv->prog = prog = new_prog;\n\t\t\tinsn = new_prog->insnsi + i + delta;\n\t\t\tcontinue;\n\t\t}\n\npatch_call_imm:\n\t\tfn = env->ops->get_func_proto(insn->imm, env->prog);\n\t\t/* all functions that have prototype and verifier allowed\n\t\t * programs to call them, must be real in-kernel functions\n\t\t */\n\t\tif (!fn->func) {\n\t\t\tverbose(env,\n\t\t\t\t\"kernel subsystem misconfigured func %s#%d\\n\",\n\t\t\t\tfunc_id_name(insn->imm), insn->imm);\n\t\t\treturn -EFAULT;\n\t\t}\n\t\tinsn->imm = fn->func - 
__bpf_call_base;\n\t}\n\n\t/* Since poke tab is now finalized, publish aux to tracker. */\n\tfor (i = 0; i < prog->aux->size_poke_tab; i++) {\n\t\tmap_ptr = prog->aux->poke_tab[i].tail_call.map;\n\t\tif (!map_ptr->ops->map_poke_track ||\n\t\t !map_ptr->ops->map_poke_untrack ||\n\t\t !map_ptr->ops->map_poke_run) {\n\t\t\tverbose(env, \"bpf verifier is misconfigured\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tret = map_ptr->ops->map_poke_track(map_ptr, prog->aux);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"tracking tail call prog failed\\n\");\n\t\t\treturn ret;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 97474563557485592697304919435807458761, "size": 348, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328490 }, { "func": "static void bpf_map_key_store(struct bpf_insn_aux_data *aux, u64 state)\n{\n\tbool poisoned = bpf_map_key_poisoned(aux);\n\n\taux->map_key_state = state | BPF_MAP_KEY_SEEN |\n\t\t\t (poisoned ? BPF_MAP_KEY_POISON : 0ULL);\n}", "project": "linux", "hash": 73082629641251793505323524293038579803, "size": 7, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232436 }, { "func": "static int mark_chain_precision_stack(struct bpf_verifier_env *env, int spi)\n{\n\treturn __mark_chain_precision(env, -1, spi);\n}", "project": "linux", "hash": 306958037336815239509297235318277043240, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232539 }, { "func": "static bool is_pkt_reg(struct bpf_verifier_env *env, int regno)\n{\n\tconst struct bpf_reg_state *reg = reg_state(env, regno);\n\n\treturn type_is_pkt_pointer(reg->type);\n}", "project": "linux", "hash": 270415346514080835489658335302221758536, "size": 6, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232410 }, { "func": "static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,\n\t\t\t u32 *ptr_limit, u8 opcode, bool off_is_neg)\n{\n\tbool mask_to_left = (opcode == BPF_ADD && off_is_neg) ||\n\t\t\t (opcode == BPF_SUB && !off_is_neg);\n\tu32 off;\n\n\tswitch (ptr_reg->type) {\n\tcase PTR_TO_STACK:\n\t\t/* Indirect variable offset stack access is prohibited in\n\t\t * unprivileged mode so it's not handled here.\n\t\t */\n\t\toff = ptr_reg->off + ptr_reg->var_off.value;\n\t\tif (mask_to_left)\n\t\t\t*ptr_limit = MAX_BPF_STACK + off;\n\t\telse\n\t\t\t*ptr_limit = -off;\n\t\treturn 0;\n\tcase PTR_TO_MAP_VALUE:\n\t\tif (mask_to_left) {\n\t\t\t*ptr_limit = ptr_reg->umax_value + ptr_reg->off;\n\t\t} else {\n\t\t\toff = ptr_reg->smin_value + ptr_reg->off;\n\t\t\t*ptr_limit = ptr_reg->map_ptr->value_size - off;\n\t\t}\n\t\treturn 0;\n\tdefault:\n\t\treturn -EINVAL;\n\t}\n}", "project": "linux", "hash": 222221598244980881094816831020874219418, "size": 30, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. 
These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232486 }, { "func": "static int mark_reg_read(struct bpf_verifier_env *env,\n\t\t\t const struct bpf_reg_state *state,\n\t\t\t struct bpf_reg_state *parent, u8 flag)\n{\n\tbool writes = parent == state->parent; /* Observe write marks */\n\tint cnt = 0;\n\n\twhile (parent) {\n\t\t/* if read wasn't screened by an earlier write ... */\n\t\tif (writes && state->live & REG_LIVE_WRITTEN)\n\t\t\tbreak;\n\t\tif (parent->live & REG_LIVE_DONE) {\n\t\t\tverbose(env, \"verifier BUG type %s var_off %lld off %d\\n\",\n\t\t\t\treg_type_str[parent->type],\n\t\t\t\tparent->var_off.value, parent->off);\n\t\t\treturn -EFAULT;\n\t\t}\n\t\t/* The first condition is more likely to be true than the\n\t\t * second, checked it first.\n\t\t */\n\t\tif ((parent->live & REG_LIVE_READ) == flag ||\n\t\t parent->live & REG_LIVE_READ64)\n\t\t\t/* The parentage chain never changes and\n\t\t\t * this parent was already marked as LIVE_READ.\n\t\t\t * There is no need to keep walking the chain again and\n\t\t\t * keep re-marking all parents as LIVE_READ.\n\t\t\t * This case happens when the same register is read\n\t\t\t * multiple times without writes into it in-between.\n\t\t\t * Also, if parent has the stronger REG_LIVE_READ64 set,\n\t\t\t * then no need to set the weak REG_LIVE_READ32.\n\t\t\t */\n\t\t\tbreak;\n\t\t/* ... 
then we depend on parent's value */\n\t\tparent->live |= flag;\n\t\t/* REG_LIVE_READ64 overrides REG_LIVE_READ32. */\n\t\tif (flag == REG_LIVE_READ64)\n\t\t\tparent->live &= ~REG_LIVE_READ32;\n\t\tstate = parent;\n\t\tparent = state->parent;\n\t\twrites = true;\n\t\tcnt++;\n\t}\n\n\tif (env->longest_mark_read_walk < cnt)\n\t\tenv->longest_mark_read_walk = cnt;\n\treturn 0;\n}", "project": "linux", "hash": 288879937820507447312684592911562030545, "size": 47, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232607 }, { "func": "static bool check_refcount_ok(const struct bpf_func_proto *fn, int func_id)\n{\n\tint count = 0;\n\n\tif (arg_type_may_be_refcounted(fn->arg1_type))\n\t\tcount++;\n\tif (arg_type_may_be_refcounted(fn->arg2_type))\n\t\tcount++;\n\tif (arg_type_may_be_refcounted(fn->arg3_type))\n\t\tcount++;\n\tif (arg_type_may_be_refcounted(fn->arg4_type))\n\t\tcount++;\n\tif (arg_type_may_be_refcounted(fn->arg5_type))\n\t\tcount++;\n\n\t/* A reference acquiring function cannot acquire\n\t * another refcounted ptr.\n\t */\n\tif (is_acquire_function(func_id) && count)\n\t\treturn false;\n\n\t/* We only support one arg being unreferenced at the moment,\n\t * which is sufficient for the helper functions we have right now.\n\t */\n\treturn count <= 1;\n}", "project": "linux", "hash": 49202910566903135939699690759418883717, "size": 26, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232636 }, { "func": "static int do_check_main(struct bpf_verifier_env *env)\n{\n\tint ret;\n\n\tenv->insn_idx = 0;\n\tret = do_check_common(env, 0);\n\tif (!ret)\n\t\tenv->prog->aux->stack_depth = env->subprog_info[0].stack_depth;\n\treturn ret;\n}", "project": "linux", "hash": 269232699898068141611532821819733023664, "size": 10, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232424 }, { "func": "static int get_callee_stack_depth(struct bpf_verifier_env *env,\n\t\t\t\t const struct bpf_insn *insn, int idx)\n{\n\tint start = idx + insn->imm + 1, subprog;\n\n\tsubprog = find_subprog(env, start);\n\tif (subprog < 0) {\n\t\tWARN_ONCE(1, \"verifier bug. No program starts at insn %d\\n\",\n\t\t\t start);\n\t\treturn -EFAULT;\n\t}\n\treturn env->subprog_info[subprog].stack_depth;\n}", "project": "linux", "hash": 22912557079741985234281141147073082441, "size": 13, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232485 }, { "func": "static u32 state_htab_size(struct bpf_verifier_env *env)\n{\n\treturn env->prog->len;\n}", "project": "linux", "hash": 40763844074078227705013314650697055318, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232554 }, { "func": "static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)\n{\n\tstruct bpf_verifier_state_list *new_sl;\n\tstruct bpf_verifier_state_list *sl, **pprev;\n\tstruct bpf_verifier_state *cur = env->cur_state, *new;\n\tint i, j, err, states_cnt = 0;\n\tbool add_new_state = env->test_state_freq ? true : false;\n\n\tcur->last_insn_idx = env->prev_insn_idx;\n\tif (!env->insn_aux_data[insn_idx].prune_point)\n\t\t/* this 'insn_idx' instruction wasn't marked, so we will not\n\t\t * be doing state search here\n\t\t */\n\t\treturn 0;\n\n\t/* bpf progs typically have pruning point every 4 instructions\n\t * http://vger.kernel.org/bpfconf2019.html#session-1\n\t * Do not add new state for future pruning if the verifier hasn't seen\n\t * at least 2 jumps and at least 8 instructions.\n\t * This heuristics helps decrease 'total_states' and 'peak_states' metric.\n\t * In tests that amounts to up to 50% reduction into total verifier\n\t * memory consumption and 20% verifier time speedup.\n\t */\n\tif (env->jmps_processed - env->prev_jmps_processed >= 2 &&\n\t env->insn_processed - env->prev_insn_processed >= 8)\n\t\tadd_new_state = true;\n\n\tpprev = explored_state(env, insn_idx);\n\tsl = *pprev;\n\n\tclean_live_states(env, insn_idx, cur);\n\n\twhile (sl) {\n\t\tstates_cnt++;\n\t\tif (sl->state.insn_idx != insn_idx)\n\t\t\tgoto next;\n\t\tif (sl->state.branches) {\n\t\t\tif (states_maybe_looping(&sl->state, cur) &&\n\t\t\t states_equal(env, &sl->state, cur)) {\n\t\t\t\tverbose_linfo(env, insn_idx, \"; \");\n\t\t\t\tverbose(env, \"infinite loop detected at insn %d\\n\", 
insn_idx);\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\t/* if the verifier is processing a loop, avoid adding new state\n\t\t\t * too often, since different loop iterations have distinct\n\t\t\t * states and may not help future pruning.\n\t\t\t * This threshold shouldn't be too low to make sure that\n\t\t\t * a loop with large bound will be rejected quickly.\n\t\t\t * The most abusive loop will be:\n\t\t\t * r1 += 1\n\t\t\t * if r1 < 1000000 goto pc-2\n\t\t\t * 1M insn_procssed limit / 100 == 10k peak states.\n\t\t\t * This threshold shouldn't be too high either, since states\n\t\t\t * at the end of the loop are likely to be useful in pruning.\n\t\t\t */\n\t\t\tif (env->jmps_processed - env->prev_jmps_processed < 20 &&\n\t\t\t env->insn_processed - env->prev_insn_processed < 100)\n\t\t\t\tadd_new_state = false;\n\t\t\tgoto miss;\n\t\t}\n\t\tif (states_equal(env, &sl->state, cur)) {\n\t\t\tsl->hit_cnt++;\n\t\t\t/* reached equivalent register/stack state,\n\t\t\t * prune the search.\n\t\t\t * Registers read by the continuation are read by us.\n\t\t\t * If we have any write marks in env->cur_state, they\n\t\t\t * will prevent corresponding reads in the continuation\n\t\t\t * from reaching our parent (an explored_state). Our\n\t\t\t * own state will get the read marks recorded, but\n\t\t\t * they'll be immediately forgotten as we're pruning\n\t\t\t * this state and will pop a new one.\n\t\t\t */\n\t\t\terr = propagate_liveness(env, &sl->state, cur);\n\n\t\t\t/* if previous state reached the exit with precision and\n\t\t\t * current state is equivalent to it (except precsion marks)\n\t\t\t * the precision needs to be propagated back in\n\t\t\t * the current state.\n\t\t\t */\n\t\t\terr = err ? : push_jmp_history(env, cur);\n\t\t\terr = err ? 
: propagate_precision(env, &sl->state);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t\treturn 1;\n\t\t}\nmiss:\n\t\t/* when new state is not going to be added do not increase miss count.\n\t\t * Otherwise several loop iterations will remove the state\n\t\t * recorded earlier. The goal of these heuristics is to have\n\t\t * states from some iterations of the loop (some in the beginning\n\t\t * and some at the end) to help pruning.\n\t\t */\n\t\tif (add_new_state)\n\t\t\tsl->miss_cnt++;\n\t\t/* heuristic to determine whether this state is beneficial\n\t\t * to keep checking from state equivalence point of view.\n\t\t * Higher numbers increase max_states_per_insn and verification time,\n\t\t * but do not meaningfully decrease insn_processed.\n\t\t */\n\t\tif (sl->miss_cnt > sl->hit_cnt * 3 + 3) {\n\t\t\t/* the state is unlikely to be useful. Remove it to\n\t\t\t * speed up verification\n\t\t\t */\n\t\t\t*pprev = sl->next;\n\t\t\tif (sl->state.frame[0]->regs[0].live & REG_LIVE_DONE) {\n\t\t\t\tu32 br = sl->state.branches;\n\n\t\t\t\tWARN_ONCE(br,\n\t\t\t\t\t \"BUG live_done but branches_to_explore %d\\n\",\n\t\t\t\t\t br);\n\t\t\t\tfree_verifier_state(&sl->state, false);\n\t\t\t\tkfree(sl);\n\t\t\t\tenv->peak_states--;\n\t\t\t} else {\n\t\t\t\t/* cannot free this state, since parentage chain may\n\t\t\t\t * walk it later. 
Add it for free_list instead to\n\t\t\t\t * be freed at the end of verification\n\t\t\t\t */\n\t\t\t\tsl->next = env->free_list;\n\t\t\t\tenv->free_list = sl;\n\t\t\t}\n\t\t\tsl = *pprev;\n\t\t\tcontinue;\n\t\t}\nnext:\n\t\tpprev = &sl->next;\n\t\tsl = *pprev;\n\t}\n\n\tif (env->max_states_per_insn < states_cnt)\n\t\tenv->max_states_per_insn = states_cnt;\n\n\tif (!env->allow_ptr_leaks && states_cnt > BPF_COMPLEXITY_LIMIT_STATES)\n\t\treturn push_jmp_history(env, cur);\n\n\tif (!add_new_state)\n\t\treturn push_jmp_history(env, cur);\n\n\t/* There were no equivalent states, remember the current one.\n\t * Technically the current state is not proven to be safe yet,\n\t * but it will either reach outer most bpf_exit (which means it's safe)\n\t * or it will be rejected. When there are no loops the verifier won't be\n\t * seeing this tuple (frame[0].callsite, frame[1].callsite, .. insn_idx)\n\t * again on the way to bpf_exit.\n\t * When looping the sl->state.branches will be > 0 and this state\n\t * will not be considered for equivalence until branches == 0.\n\t */\n\tnew_sl = kzalloc(sizeof(struct bpf_verifier_state_list), GFP_KERNEL);\n\tif (!new_sl)\n\t\treturn -ENOMEM;\n\tenv->total_states++;\n\tenv->peak_states++;\n\tenv->prev_jmps_processed = env->jmps_processed;\n\tenv->prev_insn_processed = env->insn_processed;\n\n\t/* add new state to the head of linked list */\n\tnew = &new_sl->state;\n\terr = copy_verifier_state(new, cur);\n\tif (err) {\n\t\tfree_verifier_state(new, false);\n\t\tkfree(new_sl);\n\t\treturn err;\n\t}\n\tnew->insn_idx = insn_idx;\n\tWARN_ONCE(new->branches != 1,\n\t\t \"BUG is_state_visited:branches_to_explore=%d insn %d\\n\", new->branches, insn_idx);\n\n\tcur->parent = new;\n\tcur->first_insn_idx = insn_idx;\n\tclear_jmp_history(cur);\n\tnew_sl->next = *explored_state(env, insn_idx);\n\t*explored_state(env, insn_idx) = new_sl;\n\t/* connect new state to parentage chain. Current frame needs all\n\t * registers connected. 
Only r6 - r9 of the callers are alive (pushed\n\t * to the stack implicitly by JITs) so in callers' frames connect just\n\t * r6 - r9 as an optimization. Callers will have r1 - r5 connected to\n\t * the state of the call instruction (with WRITTEN set), and r0 comes\n\t * from callee with its full parentage chain, anyway.\n\t */\n\t/* clear write marks in current state: the writes we did are not writes\n\t * our child did, so they don't screen off its reads from us.\n\t * (There are no read marks in current state, because reads always mark\n\t * their parent and current state never has children yet. Only\n\t * explored_states can get read marks.)\n\t */\n\tfor (j = 0; j <= cur->curframe; j++) {\n\t\tfor (i = j < cur->curframe ? BPF_REG_6 : 0; i < BPF_REG_FP; i++)\n\t\t\tcur->frame[j]->regs[i].parent = &new->frame[j]->regs[i];\n\t\tfor (i = 0; i < BPF_REG_FP; i++)\n\t\t\tcur->frame[j]->regs[i].live = REG_LIVE_NONE;\n\t}\n\n\t/* all stack frames are accessible from callee, clear them all */\n\tfor (j = 0; j <= cur->curframe; j++) {\n\t\tstruct bpf_func_state *frame = cur->frame[j];\n\t\tstruct bpf_func_state *newframe = new->frame[j];\n\n\t\tfor (i = 0; i < frame->allocated_stack / BPF_REG_SIZE; i++) {\n\t\t\tframe->stack[i].spilled_ptr.live = REG_LIVE_NONE;\n\t\t\tframe->stack[i].spilled_ptr.parent =\n\t\t\t\t\t\t&newframe->stack[i].spilled_ptr;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 284374542287780921365114991180141517192, "size": 205, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232498 }, { "func": "static int check_flow_keys_access(struct bpf_verifier_env *env, int off,\n\t\t\t\t int size)\n{\n\tif (size < 0 || off < 0 ||\n\t (u64)off + size > sizeof(struct bpf_flow_keys)) {\n\t\tverbose(env, \"invalid access to flow keys off=%d size=%d\\n\",\n\t\t\toff, size);\n\t\treturn -EACCES;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 48082182278344894377124329336366810250, "size": 11, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232598 }, { "func": "static bool is_ptr_cast_function(enum bpf_func_id func_id)\n{\n\treturn func_id == BPF_FUNC_tcp_sock ||\n\t\tfunc_id == BPF_FUNC_sk_fullsock;\n}", "project": "linux", "hash": 272051800712101557170735690875906190053, "size": 5, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232482 }, { "func": "static int check_pseudo_btf_id(struct bpf_verifier_env *env,\n\t\t\t struct bpf_insn *insn,\n\t\t\t struct bpf_insn_aux_data *aux)\n{\n\tconst struct btf_var_secinfo *vsi;\n\tconst struct btf_type *datasec;\n\tconst struct btf_type *t;\n\tconst char *sym_name;\n\tbool percpu = false;\n\tu32 type, id = insn->imm;\n\ts32 datasec_id;\n\tu64 addr;\n\tint i;\n\n\tif (!btf_vmlinux) {\n\t\tverbose(env, \"kernel is missing BTF, make sure CONFIG_DEBUG_INFO_BTF=y is specified in Kconfig.\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (insn[1].imm != 0) {\n\t\tverbose(env, \"reserved field (insn[1].imm) is used in pseudo_btf_id ldimm64 insn.\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tt = btf_type_by_id(btf_vmlinux, id);\n\tif (!t) {\n\t\tverbose(env, \"ldimm64 insn specifies invalid btf_id %d.\\n\", id);\n\t\treturn -ENOENT;\n\t}\n\n\tif (!btf_type_is_var(t)) {\n\t\tverbose(env, \"pseudo btf_id %d in ldimm64 isn't KIND_VAR.\\n\",\n\t\t\tid);\n\t\treturn -EINVAL;\n\t}\n\n\tsym_name = btf_name_by_offset(btf_vmlinux, t->name_off);\n\taddr = kallsyms_lookup_name(sym_name);\n\tif (!addr) {\n\t\tverbose(env, \"ldimm64 failed to find the address for kernel symbol '%s'.\\n\",\n\t\t\tsym_name);\n\t\treturn -ENOENT;\n\t}\n\n\tdatasec_id = btf_find_by_name_kind(btf_vmlinux, \".data..percpu\",\n\t\t\t\t\t BTF_KIND_DATASEC);\n\tif (datasec_id > 0) {\n\t\tdatasec = btf_type_by_id(btf_vmlinux, datasec_id);\n\t\tfor_each_vsi(i, 
datasec, vsi) {\n\t\t\tif (vsi->type == id) {\n\t\t\t\tpercpu = true;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\tinsn[0].imm = (u32)addr;\n\tinsn[1].imm = addr >> 32;\n\n\ttype = t->type;\n\tt = btf_type_skip_modifiers(btf_vmlinux, type, NULL);\n\tif (percpu) {\n\t\taux->btf_var.reg_type = PTR_TO_PERCPU_BTF_ID;\n\t\taux->btf_var.btf = btf_vmlinux;\n\t\taux->btf_var.btf_id = type;\n\t} else if (!btf_type_is_struct(t)) {\n\t\tconst struct btf_type *ret;\n\t\tconst char *tname;\n\t\tu32 tsize;\n\n\t\t/* resolve the type size of ksym. */\n\t\tret = btf_resolve_size(btf_vmlinux, t, &tsize);\n\t\tif (IS_ERR(ret)) {\n\t\t\ttname = btf_name_by_offset(btf_vmlinux, t->name_off);\n\t\t\tverbose(env, \"ldimm64 unable to resolve the size of type '%s': %ld\\n\",\n\t\t\t\ttname, PTR_ERR(ret));\n\t\t\treturn -EINVAL;\n\t\t}\n\t\taux->btf_var.reg_type = PTR_TO_MEM;\n\t\taux->btf_var.mem_size = tsize;\n\t} else {\n\t\taux->btf_var.reg_type = PTR_TO_BTF_ID;\n\t\taux->btf_var.btf = btf_vmlinux;\n\t\taux->btf_var.btf_id = type;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 332028721808464813682515233682904876616, "size": 87, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: 
R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. 
Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456518 }, { "func": "static bool bpf_map_key_poisoned(const struct bpf_insn_aux_data *aux)\n{\n\treturn aux->map_key_state & BPF_MAP_KEY_POISON;\n}", "project": "linux", "hash": 124433609790897606202232206935021730481, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232493 }, { "func": "static int sanitize_ptr_alu(struct bpf_verifier_env *env,\n\t\t\t struct bpf_insn *insn,\n\t\t\t const struct bpf_reg_state *ptr_reg,\n\t\t\t struct bpf_reg_state *dst_reg,\n\t\t\t bool off_is_neg)\n{\n\tstruct bpf_verifier_state *vstate = env->cur_state;\n\tstruct bpf_insn_aux_data *aux = cur_aux(env);\n\tbool ptr_is_dst_reg = ptr_reg == dst_reg;\n\tu8 opcode = BPF_OP(insn->code);\n\tu32 alu_state, alu_limit;\n\tstruct bpf_reg_state tmp;\n\tbool ret;\n\n\tif (can_skip_alu_sanitation(env, insn))\n\t\treturn 0;\n\n\t/* We already marked aux for masking from non-speculative\n\t * paths, thus we got here in the first place. We only care\n\t * to explore bad access from here.\n\t */\n\tif (vstate->speculative)\n\t\tgoto do_sim;\n\n\talu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0;\n\talu_state |= ptr_is_dst_reg ?\n\t\t BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST;\n\n\tif (retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg))\n\t\treturn 0;\n\tif (update_alu_sanitation_state(aux, alu_state, alu_limit))\n\t\treturn -EACCES;\ndo_sim:\n\t/* Simulate and find potential out-of-bounds access under\n\t * speculative execution from truncation as a result of\n\t * masking when off was not within expected range. If off\n\t * sits in dst, then we temporarily need to move ptr there\n\t * to simulate dst (== 0) +/-= ptr. 
Needed, for example,\n\t * for cases where we use K-based arithmetic in one direction\n\t * and truncated reg-based in the other in order to explore\n\t * bad access.\n\t */\n\tif (!ptr_is_dst_reg) {\n\t\ttmp = *dst_reg;\n\t\t*dst_reg = *ptr_reg;\n\t}\n\tret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);\n\tif (!ptr_is_dst_reg && ret)\n\t\t*dst_reg = tmp;\n\treturn !ret ? -EFAULT : 0;\n}", "project": "linux", "hash": 174670051206303125528118281824445899278, "size": 51, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232566 }, { "func": "static int propagate_liveness_reg(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_reg_state *reg,\n\t\t\t\t struct bpf_reg_state *parent_reg)\n{\n\tu8 parent_flag = parent_reg->live & REG_LIVE_READ;\n\tu8 flag = reg->live & REG_LIVE_READ;\n\tint err;\n\n\t/* When comes here, read flags of PARENT_REG or REG could be any of\n\t * REG_LIVE_READ64, REG_LIVE_READ32, REG_LIVE_NONE. There is no need\n\t * of propagation if PARENT_REG has strongest REG_LIVE_READ64.\n\t */\n\tif (parent_flag == REG_LIVE_READ64 ||\n\t /* Or if there is no read flag from REG. */\n\t !flag ||\n\t /* Or if the read flag from REG is the same as PARENT_REG. */\n\t parent_flag == flag)\n\t\treturn 0;\n\n\terr = mark_reg_read(env, reg, parent_reg, flag);\n\tif (err)\n\t\treturn err;\n\n\treturn flag;\n}", "project": "linux", "hash": 101808686830205814646921744277583352727, "size": 25, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232467 }, { "func": "static int check_map_access(struct bpf_verifier_env *env, u32 regno,\n\t\t\t int off, int size, bool zero_size_allowed)\n{\n\tstruct bpf_verifier_state *vstate = env->cur_state;\n\tstruct bpf_func_state *state = vstate->frame[vstate->curframe];\n\tstruct bpf_reg_state *reg = &state->regs[regno];\n\tint err;\n\n\t/* We may have adjusted the register to this map value, so we\n\t * need to try adding each of min_value and max_value to off\n\t * to make sure our theoretical access will be safe.\n\t */\n\tif (env->log.level & BPF_LOG_LEVEL)\n\t\tprint_verifier_state(env, state);\n\n\t/* The minimum value is only important with signed\n\t * comparisons where we can't assume the floor of a\n\t * value is 0. 
If we are using signed variables for our\n\t * index'es we need to make sure that whatever we use\n\t * will have a set floor within our range.\n\t */\n\tif (reg->smin_value < 0 &&\n\t (reg->smin_value == S64_MIN ||\n\t (off + reg->smin_value != (s64)(s32)(off + reg->smin_value)) ||\n\t reg->smin_value + off < 0)) {\n\t\tverbose(env, \"R%d min value is negative, either use unsigned index or do a if (index >=0) check.\\n\",\n\t\t\tregno);\n\t\treturn -EACCES;\n\t}\n\terr = __check_map_access(env, regno, reg->smin_value + off, size,\n\t\t\t\t zero_size_allowed);\n\tif (err) {\n\t\tverbose(env, \"R%d min value is outside of the array range\\n\",\n\t\t\tregno);\n\t\treturn err;\n\t}\n\n\t/* If we haven't set a max value then we need to bail since we can't be\n\t * sure we won't do bad things.\n\t * If reg->umax_value + off could overflow, treat that as unbounded too.\n\t */\n\tif (reg->umax_value >= BPF_MAX_VAR_OFF) {\n\t\tverbose(env, \"R%d unbounded memory access, make sure to bounds check any array access into a map\\n\",\n\t\t\tregno);\n\t\treturn -EACCES;\n\t}\n\terr = __check_map_access(env, regno, reg->umax_value + off, size,\n\t\t\t\t zero_size_allowed);\n\tif (err)\n\t\tverbose(env, \"R%d max value is outside of the array range\\n\",\n\t\t\tregno);\n\n\tif (map_value_has_spin_lock(reg->map_ptr)) {\n\t\tu32 lock = reg->map_ptr->spin_lock_off;\n\n\t\t/* if any part of struct bpf_spin_lock can be touched by\n\t\t * load/store reject this program.\n\t\t * To check that [x1, x2) overlaps with [y1, y2)\n\t\t * it is sufficient to check x1 < y2 && y1 < x2.\n\t\t */\n\t\tif (reg->smin_value + off < lock + sizeof(struct bpf_spin_lock) &&\n\t\t lock < reg->umax_value + off + size) {\n\t\t\tverbose(env, \"bpf_spin_lock cannot be accessed directly by load/store\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\t}\n\treturn err;\n}", "project": "linux", "hash": 45491668123561476306222818876652263897, "size": 68, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": 
"bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232518 }, { "func": "static bool is_spillable_regtype(enum bpf_reg_type type)\n{\n\tswitch (type) {\n\tcase PTR_TO_MAP_VALUE:\n\tcase PTR_TO_MAP_VALUE_OR_NULL:\n\tcase PTR_TO_STACK:\n\tcase PTR_TO_CTX:\n\tcase PTR_TO_PACKET:\n\tcase PTR_TO_PACKET_META:\n\tcase PTR_TO_PACKET_END:\n\tcase PTR_TO_FLOW_KEYS:\n\tcase CONST_PTR_TO_MAP:\n\tcase PTR_TO_SOCKET:\n\tcase PTR_TO_SOCKET_OR_NULL:\n\tcase PTR_TO_SOCK_COMMON:\n\tcase PTR_TO_SOCK_COMMON_OR_NULL:\n\tcase PTR_TO_TCP_SOCK:\n\tcase PTR_TO_TCP_SOCK_OR_NULL:\n\tcase PTR_TO_XDP_SOCK:\n\tcase PTR_TO_BTF_ID:\n\t\treturn true;\n\tdefault:\n\t\treturn false;\n\t}\n}", "project": "linux", "hash": 329482475642889808210211052723802712245, "size": 25, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": 
"bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232548 }, { "func": "static bool is_spillable_regtype(enum bpf_reg_type type)\n{\n\tswitch (type) {\n\tcase PTR_TO_MAP_VALUE:\n\tcase PTR_TO_MAP_VALUE_OR_NULL:\n\tcase PTR_TO_STACK:\n\tcase PTR_TO_CTX:\n\tcase PTR_TO_PACKET:\n\tcase PTR_TO_PACKET_META:\n\tcase PTR_TO_PACKET_END:\n\tcase PTR_TO_FLOW_KEYS:\n\tcase CONST_PTR_TO_MAP:\n\tcase PTR_TO_SOCKET:\n\tcase PTR_TO_SOCKET_OR_NULL:\n\tcase PTR_TO_SOCK_COMMON:\n\tcase PTR_TO_SOCK_COMMON_OR_NULL:\n\tcase PTR_TO_TCP_SOCK:\n\tcase PTR_TO_TCP_SOCK_OR_NULL:\n\tcase PTR_TO_XDP_SOCK:\n\tcase PTR_TO_BTF_ID:\n\tcase PTR_TO_BTF_ID_OR_NULL:\n\tcase PTR_TO_RDONLY_BUF:\n\tcase PTR_TO_RDONLY_BUF_OR_NULL:\n\tcase PTR_TO_RDWR_BUF:\n\tcase PTR_TO_RDWR_BUF_OR_NULL:\n\t\treturn true;\n\tdefault:\n\t\treturn 
false;\n\t}\n}", "project": "linux", "hash": 33811561297109670476973474880138802412, "size": 30, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound 
tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) 
exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328488 }, { "func": "static void update_branch_counts(struct bpf_verifier_env *env, struct bpf_verifier_state *st)\n{\n\twhile (st) {\n\t\tu32 br = --st->branches;\n\n\t\t/* WARN_ON(br > 1) technically makes sense here,\n\t\t * but see comment in push_stack(), hence:\n\t\t */\n\t\tWARN_ONCE((int)br < 0,\n\t\t\t \"BUG update_branch_counts:branches_to_explore=%d\\n\",\n\t\t\t br);\n\t\tif (br)\n\t\t\tbreak;\n\t\tst = st->parent;\n\t}\n}", "project": "linux", "hash": 80142178563413138863923685911620593476, "size": 16, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232619 }, { "func": "__printf(2, 3) void bpf_verifier_log_write(struct bpf_verifier_env *env,\n\t\t\t\t\t const char *fmt, ...)\n{\n\tva_list args;\n\n\tif (!bpf_verifier_log_needed(&env->log))\n\t\treturn;\n\n\tva_start(args, fmt);\n\tbpf_verifier_vlog(&env->log, fmt, args);\n\tva_end(args);\n}", "project": "linux", "hash": 206462794861633933186920870850559833455, "size": 12, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232456 }, { "func": "static int release_reference_state(struct bpf_func_state *state, int ptr_id)\n{\n\tint i, last_idx;\n\n\tlast_idx = state->acquired_refs - 1;\n\tfor (i = 0; i < state->acquired_refs; i++) {\n\t\tif (state->refs[i].id == ptr_id) {\n\t\t\tif (last_idx && i != last_idx)\n\t\t\t\tmemcpy(&state->refs[i], &state->refs[last_idx],\n\t\t\t\t sizeof(*state->refs));\n\t\t\tmemset(&state->refs[last_idx], 0, sizeof(*state->refs));\n\t\t\tstate->acquired_refs--;\n\t\t\treturn 0;\n\t\t}\n\t}\n\treturn -EINVAL;\n}", "project": "linux", "hash": 32077302742161639325323589060974288084, "size": 17, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232583 }, { "func": "static int backtrack_insn(struct bpf_verifier_env *env, int idx,\n\t\t\t u32 *reg_mask, u64 *stack_mask)\n{\n\tconst struct bpf_insn_cbs cbs = {\n\t\t.cb_print\t= verbose,\n\t\t.private_data\t= env,\n\t};\n\tstruct bpf_insn *insn = env->prog->insnsi + idx;\n\tu8 class = BPF_CLASS(insn->code);\n\tu8 opcode = BPF_OP(insn->code);\n\tu8 mode = BPF_MODE(insn->code);\n\tu32 dreg = 1u << insn->dst_reg;\n\tu32 sreg = 1u << insn->src_reg;\n\tu32 spi;\n\n\tif (insn->code == 0)\n\t\treturn 0;\n\tif (env->log.level & BPF_LOG_LEVEL) {\n\t\tverbose(env, \"regs=%x stack=%llx before \", *reg_mask, *stack_mask);\n\t\tverbose(env, \"%d: \", idx);\n\t\tprint_bpf_insn(&cbs, insn, env->allow_ptr_leaks);\n\t}\n\n\tif (class == BPF_ALU || class == BPF_ALU64) {\n\t\tif (!(*reg_mask & dreg))\n\t\t\treturn 0;\n\t\tif (opcode == BPF_MOV) {\n\t\t\tif (BPF_SRC(insn->code) == BPF_X) {\n\t\t\t\t/* dreg = sreg\n\t\t\t\t * dreg needs precision after this insn\n\t\t\t\t * sreg needs precision before this insn\n\t\t\t\t */\n\t\t\t\t*reg_mask &= ~dreg;\n\t\t\t\t*reg_mask |= sreg;\n\t\t\t} else {\n\t\t\t\t/* dreg = K\n\t\t\t\t * dreg needs precision after this insn.\n\t\t\t\t * Corresponding register is already marked\n\t\t\t\t * as precise=true in this verifier state.\n\t\t\t\t * No further markings in parent are necessary\n\t\t\t\t */\n\t\t\t\t*reg_mask &= ~dreg;\n\t\t\t}\n\t\t} else {\n\t\t\tif (BPF_SRC(insn->code) == BPF_X) {\n\t\t\t\t/* dreg += sreg\n\t\t\t\t * both dreg and sreg need precision\n\t\t\t\t * before this insn\n\t\t\t\t */\n\t\t\t\t*reg_mask |= sreg;\n\t\t\t} /* else dreg += K\n\t\t\t * dreg still 
needs precision before this insn\n\t\t\t */\n\t\t}\n\t} else if (class == BPF_LDX) {\n\t\tif (!(*reg_mask & dreg))\n\t\t\treturn 0;\n\t\t*reg_mask &= ~dreg;\n\n\t\t/* scalars can only be spilled into stack w/o losing precision.\n\t\t * Load from any other memory can be zero extended.\n\t\t * The desire to keep that precision is already indicated\n\t\t * by 'precise' mark in corresponding register of this state.\n\t\t * No further tracking necessary.\n\t\t */\n\t\tif (insn->src_reg != BPF_REG_FP)\n\t\t\treturn 0;\n\t\tif (BPF_SIZE(insn->code) != BPF_DW)\n\t\t\treturn 0;\n\n\t\t/* dreg = *(u64 *)[fp - off] was a fill from the stack.\n\t\t * that [fp - off] slot contains scalar that needs to be\n\t\t * tracked with precision\n\t\t */\n\t\tspi = (-insn->off - 1) / BPF_REG_SIZE;\n\t\tif (spi >= 64) {\n\t\t\tverbose(env, \"BUG spi %d\\n\", spi);\n\t\t\tWARN_ONCE(1, \"verifier backtracking bug\");\n\t\t\treturn -EFAULT;\n\t\t}\n\t\t*stack_mask |= 1ull << spi;\n\t} else if (class == BPF_STX || class == BPF_ST) {\n\t\tif (*reg_mask & dreg)\n\t\t\t/* stx & st shouldn't be using _scalar_ dst_reg\n\t\t\t * to access memory. 
It means backtracking\n\t\t\t * encountered a case of pointer subtraction.\n\t\t\t */\n\t\t\treturn -ENOTSUPP;\n\t\t/* scalars can only be spilled into stack */\n\t\tif (insn->dst_reg != BPF_REG_FP)\n\t\t\treturn 0;\n\t\tif (BPF_SIZE(insn->code) != BPF_DW)\n\t\t\treturn 0;\n\t\tspi = (-insn->off - 1) / BPF_REG_SIZE;\n\t\tif (spi >= 64) {\n\t\t\tverbose(env, \"BUG spi %d\\n\", spi);\n\t\t\tWARN_ONCE(1, \"verifier backtracking bug\");\n\t\t\treturn -EFAULT;\n\t\t}\n\t\tif (!(*stack_mask & (1ull << spi)))\n\t\t\treturn 0;\n\t\t*stack_mask &= ~(1ull << spi);\n\t\tif (class == BPF_STX)\n\t\t\t*reg_mask |= sreg;\n\t} else if (class == BPF_JMP || class == BPF_JMP32) {\n\t\tif (opcode == BPF_CALL) {\n\t\t\tif (insn->src_reg == BPF_PSEUDO_CALL)\n\t\t\t\treturn -ENOTSUPP;\n\t\t\t/* regular helper call sets R0 */\n\t\t\t*reg_mask &= ~1;\n\t\t\tif (*reg_mask & 0x3f) {\n\t\t\t\t/* if backtracing was looking for registers R1-R5\n\t\t\t\t * they should have been found already.\n\t\t\t\t */\n\t\t\t\tverbose(env, \"BUG regs %x\\n\", *reg_mask);\n\t\t\t\tWARN_ONCE(1, \"verifier backtracking bug\");\n\t\t\t\treturn -EFAULT;\n\t\t\t}\n\t\t} else if (opcode == BPF_EXIT) {\n\t\t\treturn -ENOTSUPP;\n\t\t}\n\t} else if (class == BPF_LD) {\n\t\tif (!(*reg_mask & dreg))\n\t\t\treturn 0;\n\t\t*reg_mask &= ~dreg;\n\t\t/* It's ld_imm64 or ld_abs or ld_ind.\n\t\t * For ld_imm64 no further tracking of precision\n\t\t * into parent is necessary\n\t\t */\n\t\tif (mode == BPF_IND || mode == BPF_ABS)\n\t\t\t/* to be analyzed */\n\t\t\treturn -ENOTSUPP;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 153279991123034666621043498413499900030, "size": 135, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232626 }, { "func": "static void scalar_min_max_and(struct bpf_reg_state *dst_reg,\n\t\t\t struct bpf_reg_state *src_reg)\n{\n\ts64 smin_val = src_reg->smin_value;\n\tu64 umax_val = src_reg->umax_value;\n\n\t/* We get our minimum from the var_off, since that's inherently\n\t * bitwise. 
Our maximum is the minimum of the operands' maxima.\n\t */\n\tdst_reg->var_off = tnum_and(dst_reg->var_off, src_reg->var_off);\n\tdst_reg->umin_value = dst_reg->var_off.value;\n\tdst_reg->umax_value = min(dst_reg->umax_value, umax_val);\n\tif (dst_reg->smin_value < 0 || smin_val < 0) {\n\t\t/* Lose signed bounds when ANDing negative numbers,\n\t\t * ain't nobody got time for that.\n\t\t */\n\t\tdst_reg->smin_value = S64_MIN;\n\t\tdst_reg->smax_value = S64_MAX;\n\t} else {\n\t\t/* ANDing two positives gives a positive, so safe to\n\t\t * cast result into s64.\n\t\t */\n\t\tdst_reg->smin_value = dst_reg->umin_value;\n\t\tdst_reg->smax_value = dst_reg->umax_value;\n\t}\n\t/* We may learn something more from the var_off */\n\t__update_reg_bounds(dst_reg);\n}", "project": "linux", "hash": 8308157533927276493272516818447358736, "size": 28, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232592 }, { "func": "static void scalar_min_max_and(struct bpf_reg_state *dst_reg,\n\t\t\t struct bpf_reg_state *src_reg)\n{\n\tbool src_known = tnum_is_const(src_reg->var_off);\n\tbool dst_known = tnum_is_const(dst_reg->var_off);\n\ts64 smin_val = src_reg->smin_value;\n\tu64 umax_val = src_reg->umax_value;\n\n\tif (src_known && dst_known) {\n\t\t__mark_reg_known(dst_reg, dst_reg->var_off.value &\n\t\t\t\t\t src_reg->var_off.value);\n\t\treturn;\n\t}\n\n\t/* We get our minimum from the var_off, since that's inherently\n\t * bitwise. Our maximum is the minimum of the operands' maxima.\n\t */\n\tdst_reg->umin_value = dst_reg->var_off.value;\n\tdst_reg->umax_value = min(dst_reg->umax_value, umax_val);\n\tif (dst_reg->smin_value < 0 || smin_val < 0) {\n\t\t/* Lose signed bounds when ANDing negative numbers,\n\t\t * ain't nobody got time for that.\n\t\t */\n\t\tdst_reg->smin_value = S64_MIN;\n\t\tdst_reg->smax_value = S64_MAX;\n\t} else {\n\t\t/* ANDing two positives gives a positive, so safe to\n\t\t * cast result into s64.\n\t\t */\n\t\tdst_reg->smin_value = dst_reg->umin_value;\n\t\tdst_reg->smax_value = dst_reg->umax_value;\n\t}\n\t/* We may learn something more from the var_off */\n\t__update_reg_bounds(dst_reg);\n}", "project": "linux", "hash": 326273474863461475771084534061356494944, "size": 35, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that 
it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. 
Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 
bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328497 }, { "func": "static int transfer_reference_state(struct bpf_func_state *dst,\n\t\t\t\t struct bpf_func_state *src)\n{\n\tint err = realloc_reference_state(dst, src->acquired_refs, false);\n\tif (err)\n\t\treturn err;\n\terr = copy_reference_state(dst, src);\n\tif (err)\n\t\treturn err;\n\treturn 0;\n}", "project": "linux", "hash": 310300716599700664112253484496439054422, "size": 11, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232581 }, { "func": "static void adjust_btf_func(struct bpf_verifier_env *env)\n{\n\tstruct bpf_prog_aux *aux = env->prog->aux;\n\tint i;\n\n\tif (!aux->func_info)\n\t\treturn;\n\n\tfor (i = 0; i < env->subprog_cnt; i++)\n\t\taux->func_info[i].insn_off = env->subprog_info[i].start;\n}", "project": "linux", "hash": 123901750654108899711566910957361623824, "size": 11, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232487 }, { "func": "static int check_stack_read(struct bpf_verifier_env *env,\n\t\t\t struct bpf_func_state *reg_state /* func where register points to */,\n\t\t\t int off, int size, int value_regno)\n{\n\tstruct bpf_verifier_state *vstate = env->cur_state;\n\tstruct bpf_func_state *state = vstate->frame[vstate->curframe];\n\tint i, slot = -off - 1, spi = slot / BPF_REG_SIZE;\n\tstruct bpf_reg_state *reg;\n\tu8 *stype;\n\n\tif (reg_state->allocated_stack <= slot) {\n\t\tverbose(env, \"invalid read from stack off %d+0 size %d\\n\",\n\t\t\toff, size);\n\t\treturn -EACCES;\n\t}\n\tstype = reg_state->stack[spi].slot_type;\n\treg = ®_state->stack[spi].spilled_ptr;\n\n\tif (stype[0] == STACK_SPILL) {\n\t\tif (size != BPF_REG_SIZE) {\n\t\t\tif (reg->type != SCALAR_VALUE) {\n\t\t\t\tverbose_linfo(env, env->insn_idx, \"; \");\n\t\t\t\tverbose(env, \"invalid size of register fill\\n\");\n\t\t\t\treturn -EACCES;\n\t\t\t}\n\t\t\tif (value_regno >= 0) {\n\t\t\t\tmark_reg_unknown(env, state->regs, value_regno);\n\t\t\t\tstate->regs[value_regno].live |= REG_LIVE_WRITTEN;\n\t\t\t}\n\t\t\tmark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);\n\t\t\treturn 0;\n\t\t}\n\t\tfor (i = 1; i < BPF_REG_SIZE; i++) {\n\t\t\tif (stype[(slot - i) % BPF_REG_SIZE] != STACK_SPILL) {\n\t\t\t\tverbose(env, \"corrupted spill memory\\n\");\n\t\t\t\treturn -EACCES;\n\t\t\t}\n\t\t}\n\n\t\tif (value_regno >= 0) {\n\t\t\t/* restore register state from stack */\n\t\t\tstate->regs[value_regno] = *reg;\n\t\t\t/* mark reg as written since spilled pointer state likely\n\t\t\t * has its liveness marks cleared by is_state_visited()\n\t\t\t * which 
resets stack/reg liveness for state transitions\n\t\t\t */\n\t\t\tstate->regs[value_regno].live |= REG_LIVE_WRITTEN;\n\t\t}\n\t\tmark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);\n\t} else {\n\t\tint zeros = 0;\n\n\t\tfor (i = 0; i < size; i++) {\n\t\t\tif (stype[(slot - i) % BPF_REG_SIZE] == STACK_MISC)\n\t\t\t\tcontinue;\n\t\t\tif (stype[(slot - i) % BPF_REG_SIZE] == STACK_ZERO) {\n\t\t\t\tzeros++;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tverbose(env, \"invalid read from stack off %d+%d size %d\\n\",\n\t\t\t\toff, i, size);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tmark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);\n\t\tif (value_regno >= 0) {\n\t\t\tif (zeros == size) {\n\t\t\t\t/* any size read into register is zero extended,\n\t\t\t\t * so the whole register == const_zero\n\t\t\t\t */\n\t\t\t\t__mark_reg_const_zero(&state->regs[value_regno]);\n\t\t\t\t/* backtracking doesn't support STACK_ZERO yet,\n\t\t\t\t * so mark it precise here, so that later\n\t\t\t\t * backtracking can stop here.\n\t\t\t\t * Backtracking may not need this if this register\n\t\t\t\t * doesn't participate in pointer adjustment.\n\t\t\t\t * Forward propagation of precise flag is not\n\t\t\t\t * necessary either. This mark is only to stop\n\t\t\t\t * backtracking. 
Any register that contributed\n\t\t\t\t * to const 0 was marked precise before spill.\n\t\t\t\t */\n\t\t\t\tstate->regs[value_regno].precise = true;\n\t\t\t} else {\n\t\t\t\t/* have read misc data from the stack */\n\t\t\t\tmark_reg_unknown(env, state->regs, value_regno);\n\t\t\t}\n\t\t\tstate->regs[value_regno].live |= REG_LIVE_WRITTEN;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 306527774686069070636110874334106312841, "size": 90, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232527 }, { "func": "static int check_stack_read(struct bpf_verifier_env *env,\n\t\t\t struct bpf_func_state *reg_state /* func where register points to */,\n\t\t\t int off, int size, int value_regno)\n{\n\tstruct bpf_verifier_state *vstate = env->cur_state;\n\tstruct bpf_func_state *state = vstate->frame[vstate->curframe];\n\tint i, slot = -off - 1, spi = slot / BPF_REG_SIZE;\n\tstruct bpf_reg_state *reg;\n\tu8 *stype;\n\n\tif (reg_state->allocated_stack <= slot) {\n\t\tverbose(env, \"invalid read from stack off %d+0 size %d\\n\",\n\t\t\toff, size);\n\t\treturn -EACCES;\n\t}\n\tstype = reg_state->stack[spi].slot_type;\n\treg = ®_state->stack[spi].spilled_ptr;\n\n\tif (stype[0] == STACK_SPILL) {\n\t\tif (size != BPF_REG_SIZE) {\n\t\t\tif (reg->type != SCALAR_VALUE) {\n\t\t\t\tverbose_linfo(env, env->insn_idx, \"; \");\n\t\t\t\tverbose(env, \"invalid size of register fill\\n\");\n\t\t\t\treturn -EACCES;\n\t\t\t}\n\t\t\tif (value_regno >= 0) {\n\t\t\t\tmark_reg_unknown(env, state->regs, value_regno);\n\t\t\t\tstate->regs[value_regno].live |= REG_LIVE_WRITTEN;\n\t\t\t}\n\t\t\tmark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);\n\t\t\treturn 0;\n\t\t}\n\t\tfor (i = 1; i < BPF_REG_SIZE; i++) {\n\t\t\tif (stype[(slot - i) % BPF_REG_SIZE] != STACK_SPILL) {\n\t\t\t\tverbose(env, \"corrupted spill memory\\n\");\n\t\t\t\treturn -EACCES;\n\t\t\t}\n\t\t}\n\n\t\tif (value_regno >= 0) {\n\t\t\t/* restore register state from stack */\n\t\t\tstate->regs[value_regno] = *reg;\n\t\t\t/* mark reg as written since spilled pointer state likely\n\t\t\t * has its liveness marks cleared by is_state_visited()\n\t\t\t * which 
resets stack/reg liveness for state transitions\n\t\t\t */\n\t\t\tstate->regs[value_regno].live |= REG_LIVE_WRITTEN;\n\t\t} else if (__is_pointer_value(env->allow_ptr_leaks, reg)) {\n\t\t\t/* If value_regno==-1, the caller is asking us whether\n\t\t\t * it is acceptable to use this value as a SCALAR_VALUE\n\t\t\t * (e.g. for XADD).\n\t\t\t * We must not allow unprivileged callers to do that\n\t\t\t * with spilled pointers.\n\t\t\t */\n\t\t\tverbose(env, \"leaking pointer from stack off %d\\n\",\n\t\t\t\toff);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tmark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);\n\t} else {\n\t\tint zeros = 0;\n\n\t\tfor (i = 0; i < size; i++) {\n\t\t\tif (stype[(slot - i) % BPF_REG_SIZE] == STACK_MISC)\n\t\t\t\tcontinue;\n\t\t\tif (stype[(slot - i) % BPF_REG_SIZE] == STACK_ZERO) {\n\t\t\t\tzeros++;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tverbose(env, \"invalid read from stack off %d+%d size %d\\n\",\n\t\t\t\toff, i, size);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tmark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);\n\t\tif (value_regno >= 0) {\n\t\t\tif (zeros == size) {\n\t\t\t\t/* any size read into register is zero extended,\n\t\t\t\t * so the whole register == const_zero\n\t\t\t\t */\n\t\t\t\t__mark_reg_const_zero(&state->regs[value_regno]);\n\t\t\t\t/* backtracking doesn't support STACK_ZERO yet,\n\t\t\t\t * so mark it precise here, so that later\n\t\t\t\t * backtracking can stop here.\n\t\t\t\t * Backtracking may not need this if this register\n\t\t\t\t * doesn't participate in pointer adjustment.\n\t\t\t\t * Forward propagation of precise flag is not\n\t\t\t\t * necessary either. This mark is only to stop\n\t\t\t\t * backtracking. 
Any register that contributed\n\t\t\t\t * to const 0 was marked precise before spill.\n\t\t\t\t */\n\t\t\t\tstate->regs[value_regno].precise = true;\n\t\t\t} else {\n\t\t\t\t/* have read misc data from the stack */\n\t\t\t\tmark_reg_unknown(env, state->regs, value_regno);\n\t\t\t}\n\t\t\tstate->regs[value_regno].live |= REG_LIVE_WRITTEN;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 301844829153467023400370020665432651873, "size": 100, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 
R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. 
After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328492 }, { "func": "static int check_ptr_alignment(struct bpf_verifier_env *env,\n\t\t\t const struct bpf_reg_state *reg, int off,\n\t\t\t int size, bool strict_alignment_once)\n{\n\tbool strict = env->strict_alignment || 
strict_alignment_once;\n\tconst char *pointer_desc = \"\";\n\n\tswitch (reg->type) {\n\tcase PTR_TO_PACKET:\n\tcase PTR_TO_PACKET_META:\n\t\t/* Special case, because of NET_IP_ALIGN. Given metadata sits\n\t\t * right in front, treat it the very same way.\n\t\t */\n\t\treturn check_pkt_ptr_alignment(env, reg, off, size, strict);\n\tcase PTR_TO_FLOW_KEYS:\n\t\tpointer_desc = \"flow keys \";\n\t\tbreak;\n\tcase PTR_TO_MAP_VALUE:\n\t\tpointer_desc = \"value \";\n\t\tbreak;\n\tcase PTR_TO_CTX:\n\t\tpointer_desc = \"context \";\n\t\tbreak;\n\tcase PTR_TO_STACK:\n\t\tpointer_desc = \"stack \";\n\t\t/* The stack spill tracking logic in check_stack_write()\n\t\t * and check_stack_read() relies on stack accesses being\n\t\t * aligned.\n\t\t */\n\t\tstrict = true;\n\t\tbreak;\n\tcase PTR_TO_SOCKET:\n\t\tpointer_desc = \"sock \";\n\t\tbreak;\n\tcase PTR_TO_SOCK_COMMON:\n\t\tpointer_desc = \"sock_common \";\n\t\tbreak;\n\tcase PTR_TO_TCP_SOCK:\n\t\tpointer_desc = \"tcp_sock \";\n\t\tbreak;\n\tcase PTR_TO_XDP_SOCK:\n\t\tpointer_desc = \"xdp_sock \";\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\treturn check_generic_ptr_alignment(env, reg, pointer_desc, off, size,\n\t\t\t\t\t strict);\n}", "project": "linux", "hash": 100339444522591123213904758632748870525, "size": 49, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. 
These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232453 }, { "func": "static int get_prev_insn_idx(struct bpf_verifier_state *st, int i,\n\t\t\t u32 *history)\n{\n\tu32 cnt = *history;\n\n\tif (cnt && st->jmp_history[cnt - 1].idx == i) {\n\t\ti = st->jmp_history[cnt - 1].prev_idx;\n\t\t(*history)--;\n\t} else {\n\t\ti--;\n\t}\n\treturn i;\n}", "project": "linux", "hash": 206119637896226702730783948105425843321, "size": 13, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232628 }, { "func": "static int sanitize_val_alu(struct bpf_verifier_env *env,\n\t\t\t struct bpf_insn *insn)\n{\n\tstruct bpf_insn_aux_data *aux = cur_aux(env);\n\n\tif (can_skip_alu_sanitation(env, insn))\n\t\treturn 0;\n\n\treturn update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0);\n}", "project": "linux", "hash": 87592046110053939538889700164381957043, "size": 10, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232522 }, { "func": "static void reg_set_min_max(struct bpf_reg_state *true_reg,\n\t\t\t struct bpf_reg_state *false_reg, u64 val,\n\t\t\t u8 opcode, bool is_jmp32)\n{\n\ts64 sval;\n\n\t/* If the dst_reg is a pointer, we can't learn anything about its\n\t * variable offset from the compare (unless src_reg were a pointer into\n\t * the same object, but we don't bother with that.\n\t * Since false_reg and true_reg have the same type by construction, we\n\t * only need to check one of them for pointerness.\n\t */\n\tif (__is_pointer_value(false, false_reg))\n\t\treturn;\n\n\tval = is_jmp32 ? (u32)val : val;\n\tsval = is_jmp32 ? (s64)(s32)val : (s64)val;\n\n\tswitch (opcode) {\n\tcase BPF_JEQ:\n\tcase BPF_JNE:\n\t{\n\t\tstruct bpf_reg_state *reg =\n\t\t\topcode == BPF_JEQ ? true_reg : false_reg;\n\n\t\t/* For BPF_JEQ, if this is false we know nothing Jon Snow, but\n\t\t * if it is true we know the value for sure. Likewise for\n\t\t * BPF_JNE.\n\t\t */\n\t\tif (is_jmp32) {\n\t\t\tu64 old_v = reg->var_off.value;\n\t\t\tu64 hi_mask = ~0xffffffffULL;\n\n\t\t\treg->var_off.value = (old_v & hi_mask) | val;\n\t\t\treg->var_off.mask &= hi_mask;\n\t\t} else {\n\t\t\t__mark_reg_known(reg, val);\n\t\t}\n\t\tbreak;\n\t}\n\tcase BPF_JSET:\n\t\tfalse_reg->var_off = tnum_and(false_reg->var_off,\n\t\t\t\t\t tnum_const(~val));\n\t\tif (is_power_of_2(val))\n\t\t\ttrue_reg->var_off = tnum_or(true_reg->var_off,\n\t\t\t\t\t\t tnum_const(val));\n\t\tbreak;\n\tcase BPF_JGE:\n\tcase BPF_JGT:\n\t{\n\t\tu64 false_umax = opcode == BPF_JGT ? val : val - 1;\n\t\tu64 true_umin = opcode == BPF_JGT ? 
val + 1 : val;\n\n\t\tif (is_jmp32) {\n\t\t\tfalse_umax += gen_hi_max(false_reg->var_off);\n\t\t\ttrue_umin += gen_hi_min(true_reg->var_off);\n\t\t}\n\t\tfalse_reg->umax_value = min(false_reg->umax_value, false_umax);\n\t\ttrue_reg->umin_value = max(true_reg->umin_value, true_umin);\n\t\tbreak;\n\t}\n\tcase BPF_JSGE:\n\tcase BPF_JSGT:\n\t{\n\t\ts64 false_smax = opcode == BPF_JSGT ? sval : sval - 1;\n\t\ts64 true_smin = opcode == BPF_JSGT ? sval + 1 : sval;\n\n\t\t/* If the full s64 was not sign-extended from s32 then don't\n\t\t * deduct further info.\n\t\t */\n\t\tif (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg))\n\t\t\tbreak;\n\t\tfalse_reg->smax_value = min(false_reg->smax_value, false_smax);\n\t\ttrue_reg->smin_value = max(true_reg->smin_value, true_smin);\n\t\tbreak;\n\t}\n\tcase BPF_JLE:\n\tcase BPF_JLT:\n\t{\n\t\tu64 false_umin = opcode == BPF_JLT ? val : val + 1;\n\t\tu64 true_umax = opcode == BPF_JLT ? val - 1 : val;\n\n\t\tif (is_jmp32) {\n\t\t\tfalse_umin += gen_hi_min(false_reg->var_off);\n\t\t\ttrue_umax += gen_hi_max(true_reg->var_off);\n\t\t}\n\t\tfalse_reg->umin_value = max(false_reg->umin_value, false_umin);\n\t\ttrue_reg->umax_value = min(true_reg->umax_value, true_umax);\n\t\tbreak;\n\t}\n\tcase BPF_JSLE:\n\tcase BPF_JSLT:\n\t{\n\t\ts64 false_smin = opcode == BPF_JSLT ? sval : sval + 1;\n\t\ts64 true_smax = opcode == BPF_JSLT ? sval - 1 : sval;\n\n\t\tif (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg))\n\t\t\tbreak;\n\t\tfalse_reg->smin_value = max(false_reg->smin_value, false_smin);\n\t\ttrue_reg->smax_value = min(true_reg->smax_value, true_smax);\n\t\tbreak;\n\t}\n\tdefault:\n\t\tbreak;\n\t}\n\n\t__reg_deduce_bounds(false_reg);\n\t__reg_deduce_bounds(true_reg);\n\t/* We might have learned some bits from the bounds. 
*/\n\t__reg_bound_offset(false_reg);\n\t__reg_bound_offset(true_reg);\n\tif (is_jmp32) {\n\t\t__reg_bound_offset32(false_reg);\n\t\t__reg_bound_offset32(true_reg);\n\t}\n\t/* Intersecting with the old var_off might have improved our bounds\n\t * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),\n\t * then new var_off is (0; 0x7f...fc) which improves our umax.\n\t */\n\t__update_reg_bounds(false_reg);\n\t__update_reg_bounds(true_reg);\n}", "project": "linux", "hash": 232962259582531762024846093888584570061, "size": 122, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232604 }, { "func": "static void reg_set_min_max(struct bpf_reg_state *true_reg,\n\t\t\t struct bpf_reg_state *false_reg,\n\t\t\t u64 val, u32 val32,\n\t\t\t u8 opcode, bool is_jmp32)\n{\n\tstruct tnum false_32off = tnum_subreg(false_reg->var_off);\n\tstruct tnum false_64off = false_reg->var_off;\n\tstruct tnum true_32off = tnum_subreg(true_reg->var_off);\n\tstruct tnum true_64off = true_reg->var_off;\n\ts64 sval = (s64)val;\n\ts32 sval32 = (s32)val32;\n\n\t/* If the dst_reg is a pointer, we can't learn anything about its\n\t * variable offset from the compare (unless src_reg were a pointer into\n\t * the same object, but we don't bother with that.\n\t * Since false_reg and true_reg have the same type by construction, we\n\t * only need to check one of them for pointerness.\n\t */\n\tif (__is_pointer_value(false, false_reg))\n\t\treturn;\n\n\tswitch (opcode) {\n\tcase BPF_JEQ:\n\tcase BPF_JNE:\n\t{\n\t\tstruct bpf_reg_state *reg =\n\t\t\topcode == BPF_JEQ ? true_reg : false_reg;\n\n\t\t/* For BPF_JEQ, if this is false we know nothing Jon Snow, but\n\t\t * if it is true we know the value for sure. 
Likewise for\n\t\t * BPF_JNE.\n\t\t */\n\t\tif (is_jmp32)\n\t\t\t__mark_reg32_known(reg, val32);\n\t\telse\n\t\t\t__mark_reg_known(reg, val);\n\t\tbreak;\n\t}\n\tcase BPF_JSET:\n\t\tif (is_jmp32) {\n\t\t\tfalse_32off = tnum_and(false_32off, tnum_const(~val32));\n\t\t\tif (is_power_of_2(val32))\n\t\t\t\ttrue_32off = tnum_or(true_32off,\n\t\t\t\t\t\t tnum_const(val32));\n\t\t} else {\n\t\t\tfalse_64off = tnum_and(false_64off, tnum_const(~val));\n\t\t\tif (is_power_of_2(val))\n\t\t\t\ttrue_64off = tnum_or(true_64off,\n\t\t\t\t\t\t tnum_const(val));\n\t\t}\n\t\tbreak;\n\tcase BPF_JGE:\n\tcase BPF_JGT:\n\t{\n\t\tif (is_jmp32) {\n\t\t\tu32 false_umax = opcode == BPF_JGT ? val32 : val32 - 1;\n\t\t\tu32 true_umin = opcode == BPF_JGT ? val32 + 1 : val32;\n\n\t\t\tfalse_reg->u32_max_value = min(false_reg->u32_max_value,\n\t\t\t\t\t\t false_umax);\n\t\t\ttrue_reg->u32_min_value = max(true_reg->u32_min_value,\n\t\t\t\t\t\t true_umin);\n\t\t} else {\n\t\t\tu64 false_umax = opcode == BPF_JGT ? val : val - 1;\n\t\t\tu64 true_umin = opcode == BPF_JGT ? val + 1 : val;\n\n\t\t\tfalse_reg->umax_value = min(false_reg->umax_value, false_umax);\n\t\t\ttrue_reg->umin_value = max(true_reg->umin_value, true_umin);\n\t\t}\n\t\tbreak;\n\t}\n\tcase BPF_JSGE:\n\tcase BPF_JSGT:\n\t{\n\t\tif (is_jmp32) {\n\t\t\ts32 false_smax = opcode == BPF_JSGT ? sval32 : sval32 - 1;\n\t\t\ts32 true_smin = opcode == BPF_JSGT ? sval32 + 1 : sval32;\n\n\t\t\tfalse_reg->s32_max_value = min(false_reg->s32_max_value, false_smax);\n\t\t\ttrue_reg->s32_min_value = max(true_reg->s32_min_value, true_smin);\n\t\t} else {\n\t\t\ts64 false_smax = opcode == BPF_JSGT ? sval : sval - 1;\n\t\t\ts64 true_smin = opcode == BPF_JSGT ? sval + 1 : sval;\n\n\t\t\tfalse_reg->smax_value = min(false_reg->smax_value, false_smax);\n\t\t\ttrue_reg->smin_value = max(true_reg->smin_value, true_smin);\n\t\t}\n\t\tbreak;\n\t}\n\tcase BPF_JLE:\n\tcase BPF_JLT:\n\t{\n\t\tif (is_jmp32) {\n\t\t\tu32 false_umin = opcode == BPF_JLT ? 
val32 : val32 + 1;\n\t\t\tu32 true_umax = opcode == BPF_JLT ? val32 - 1 : val32;\n\n\t\t\tfalse_reg->u32_min_value = max(false_reg->u32_min_value,\n\t\t\t\t\t\t false_umin);\n\t\t\ttrue_reg->u32_max_value = min(true_reg->u32_max_value,\n\t\t\t\t\t\t true_umax);\n\t\t} else {\n\t\t\tu64 false_umin = opcode == BPF_JLT ? val : val + 1;\n\t\t\tu64 true_umax = opcode == BPF_JLT ? val - 1 : val;\n\n\t\t\tfalse_reg->umin_value = max(false_reg->umin_value, false_umin);\n\t\t\ttrue_reg->umax_value = min(true_reg->umax_value, true_umax);\n\t\t}\n\t\tbreak;\n\t}\n\tcase BPF_JSLE:\n\tcase BPF_JSLT:\n\t{\n\t\tif (is_jmp32) {\n\t\t\ts32 false_smin = opcode == BPF_JSLT ? sval32 : sval32 + 1;\n\t\t\ts32 true_smax = opcode == BPF_JSLT ? sval32 - 1 : sval32;\n\n\t\t\tfalse_reg->s32_min_value = max(false_reg->s32_min_value, false_smin);\n\t\t\ttrue_reg->s32_max_value = min(true_reg->s32_max_value, true_smax);\n\t\t} else {\n\t\t\ts64 false_smin = opcode == BPF_JSLT ? sval : sval + 1;\n\t\t\ts64 true_smax = opcode == BPF_JSLT ? 
sval - 1 : sval;\n\n\t\t\tfalse_reg->smin_value = max(false_reg->smin_value, false_smin);\n\t\t\ttrue_reg->smax_value = min(true_reg->smax_value, true_smax);\n\t\t}\n\t\tbreak;\n\t}\n\tdefault:\n\t\treturn;\n\t}\n\n\tif (is_jmp32) {\n\t\tfalse_reg->var_off = tnum_or(tnum_clear_subreg(false_64off),\n\t\t\t\t\t tnum_subreg(false_32off));\n\t\ttrue_reg->var_off = tnum_or(tnum_clear_subreg(true_64off),\n\t\t\t\t\t tnum_subreg(true_32off));\n\t\t__reg_combine_32_into_64(false_reg);\n\t\t__reg_combine_32_into_64(true_reg);\n\t} else {\n\t\tfalse_reg->var_off = false_64off;\n\t\ttrue_reg->var_off = true_64off;\n\t\t__reg_combine_64_into_32(false_reg);\n\t\t__reg_combine_64_into_32(true_reg);\n\t}\n}", "project": "linux", "hash": 209960935032769021696395440707585711483, "size": 145, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328531 }, { "func": "static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn,\n\t\t u32 regno, struct bpf_reg_state *reg, enum reg_arg_type t)\n{\n\tu8 code, class, op;\n\n\tcode = insn->code;\n\tclass = BPF_CLASS(code);\n\top = BPF_OP(code);\n\tif (class == BPF_JMP) {\n\t\t/* BPF_EXIT for \"main\" will reach here. Return TRUE\n\t\t * conservatively.\n\t\t */\n\t\tif (op == BPF_EXIT)\n\t\t\treturn true;\n\t\tif (op == BPF_CALL) {\n\t\t\t/* BPF to BPF call will reach here because of marking\n\t\t\t * caller saved clobber with DST_OP_NO_MARK for which we\n\t\t\t * don't care the register def because they are anyway\n\t\t\t * marked as NOT_INIT already.\n\t\t\t */\n\t\t\tif (insn->src_reg == BPF_PSEUDO_CALL)\n\t\t\t\treturn false;\n\t\t\t/* Helper call will reach here because of arg type\n\t\t\t * check, conservatively return TRUE.\n\t\t\t */\n\t\t\tif (t == SRC_OP)\n\t\t\t\treturn true;\n\n\t\t\treturn false;\n\t\t}\n\t}\n\n\tif (class == BPF_ALU64 || class == BPF_JMP ||\n\t /* BPF_END always use BPF_ALU class. */\n\t (class == BPF_ALU && op == BPF_END && insn->imm == 64))\n\t\treturn true;\n\n\tif (class == BPF_ALU || class == BPF_JMP32)\n\t\treturn false;\n\n\tif (class == BPF_LDX) {\n\t\tif (t != SRC_OP)\n\t\t\treturn BPF_SIZE(code) == BPF_DW;\n\t\t/* LDX source must be ptr. */\n\t\treturn true;\n\t}\n\n\tif (class == BPF_STX) {\n\t\tif (reg->type != SCALAR_VALUE)\n\t\t\treturn true;\n\t\treturn BPF_SIZE(code) == BPF_DW;\n\t}\n\n\tif (class == BPF_LD) {\n\t\tu8 mode = BPF_MODE(code);\n\n\t\t/* LD_IMM64 */\n\t\tif (mode == BPF_IMM)\n\t\t\treturn true;\n\n\t\t/* Both LD_IND and LD_ABS return 32-bit data. */\n\t\tif (t != SRC_OP)\n\t\t\treturn false;\n\n\t\t/* Implicit ctx ptr. */\n\t\tif (regno == BPF_REG_6)\n\t\t\treturn true;\n\n\t\t/* Explicit source could be any width. 
*/\n\t\treturn true;\n\t}\n\n\tif (class == BPF_ST)\n\t\t/* The only source register for BPF_ST is a ptr. */\n\t\treturn true;\n\n\t/* Conservatively return true at default. */\n\treturn true;\n}", "project": "linux", "hash": 127753967965111549466251821202194204820, "size": 79, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232608 }, { "func": "static bool stacksafe(struct bpf_func_state *old,\n\t\t struct bpf_func_state *cur,\n\t\t struct idpair *idmap)\n{\n\tint i, spi;\n\n\t/* walk slots of the explored stack and ignore any additional\n\t * slots in the current stack, since explored(safe) state\n\t * didn't use them\n\t */\n\tfor (i = 0; i < old->allocated_stack; i++) {\n\t\tspi = i / BPF_REG_SIZE;\n\n\t\tif (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ)) {\n\t\t\ti += BPF_REG_SIZE - 1;\n\t\t\t/* explored state didn't use this */\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID)\n\t\t\tcontinue;\n\n\t\t/* explored stack has more populated slots than current stack\n\t\t * and these slots were used\n\t\t */\n\t\tif (i >= cur->allocated_stack)\n\t\t\treturn false;\n\n\t\t/* if old state was safe with misc data in the stack\n\t\t * it will be safe with zero-initialized stack.\n\t\t * The opposite is not true\n\t\t */\n\t\tif (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC &&\n\t\t cur->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_ZERO)\n\t\t\tcontinue;\n\t\tif (old->stack[spi].slot_type[i % BPF_REG_SIZE] !=\n\t\t cur->stack[spi].slot_type[i % BPF_REG_SIZE])\n\t\t\t/* Ex: old explored (safe) state has STACK_SPILL in\n\t\t\t * this stack slot, but current has has STACK_MISC ->\n\t\t\t * this verifier states are not equivalent,\n\t\t\t * return false to continue verification of this path\n\t\t\t */\n\t\t\treturn false;\n\t\tif (i % BPF_REG_SIZE)\n\t\t\tcontinue;\n\t\tif (old->stack[spi].slot_type[0] != STACK_SPILL)\n\t\t\tcontinue;\n\t\tif 
(!regsafe(&old->stack[spi].spilled_ptr,\n\t\t\t &cur->stack[spi].spilled_ptr,\n\t\t\t idmap))\n\t\t\t/* when explored and current stack slot are both storing\n\t\t\t * spilled registers, check that stored pointers types\n\t\t\t * are the same as well.\n\t\t\t * Ex: explored safe path could have stored\n\t\t\t * (bpf_reg_state) {.type = PTR_TO_STACK, .off = -8}\n\t\t\t * but current path has stored:\n\t\t\t * (bpf_reg_state) {.type = PTR_TO_STACK, .off = -16}\n\t\t\t * such verifier states are not equivalent.\n\t\t\t * return false to continue verification of this path\n\t\t\t */\n\t\t\treturn false;\n\t}\n\treturn true;\n}", "project": "linux", "hash": 310381048998414455712804019535191332288, "size": 64, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232458 }, { "func": "static bool reg_type_may_be_refcounted_or_null(enum bpf_reg_type type)\n{\n\treturn type == PTR_TO_SOCKET ||\n\t\ttype == PTR_TO_SOCKET_OR_NULL ||\n\t\ttype == PTR_TO_TCP_SOCK ||\n\t\ttype == PTR_TO_TCP_SOCK_OR_NULL;\n}", "project": "linux", "hash": 154658709801074977980065478789495054741, "size": 7, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232474 }, { "func": "static void __clear_all_pkt_pointers(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_func_state *state)\n{\n\tstruct bpf_reg_state *regs = state->regs, *reg;\n\tint i;\n\n\tfor (i = 0; i < MAX_BPF_REG; i++)\n\t\tif (reg_is_pkt_pointer_any(®s[i]))\n\t\t\tmark_reg_unknown(env, regs, i);\n\n\tbpf_for_each_spilled_reg(i, state, reg) {\n\t\tif (!reg)\n\t\t\tcontinue;\n\t\tif (reg_is_pkt_pointer_any(reg))\n\t\t\t__mark_reg_unknown(env, reg);\n\t}\n}", "project": "linux", "hash": 43378957849087326166260485652896011959, "size": 17, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232463 }, { "func": "static int bpf_adj_linfo_after_remove(struct bpf_verifier_env *env, u32 off,\n\t\t\t\t u32 cnt)\n{\n\tstruct bpf_prog *prog = env->prog;\n\tu32 i, l_off, l_cnt, nr_linfo;\n\tstruct bpf_line_info *linfo;\n\n\tnr_linfo = prog->aux->nr_linfo;\n\tif (!nr_linfo)\n\t\treturn 0;\n\n\tlinfo = prog->aux->linfo;\n\n\t/* find first line info to remove, count lines to be removed */\n\tfor (i = 0; i < nr_linfo; i++)\n\t\tif (linfo[i].insn_off >= off)\n\t\t\tbreak;\n\n\tl_off = i;\n\tl_cnt = 0;\n\tfor (; i < nr_linfo; i++)\n\t\tif (linfo[i].insn_off < off + cnt)\n\t\t\tl_cnt++;\n\t\telse\n\t\t\tbreak;\n\n\t/* First live insn doesn't match first live linfo, it needs to \"inherit\"\n\t * last removed linfo. prog is already modified, so prog->len == off\n\t * means no live instructions after (tail of the program was removed).\n\t */\n\tif (prog->len != off && l_cnt &&\n\t (i == nr_linfo || linfo[i].insn_off != off + cnt)) {\n\t\tl_cnt--;\n\t\tlinfo[--i].insn_off = off + cnt;\n\t}\n\n\t/* remove the line info which refer to the removed instructions */\n\tif (l_cnt) {\n\t\tmemmove(linfo + l_off, linfo + i,\n\t\t\tsizeof(*linfo) * (nr_linfo - i));\n\n\t\tprog->aux->nr_linfo -= l_cnt;\n\t\tnr_linfo = prog->aux->nr_linfo;\n\t}\n\n\t/* pull all linfo[i].insn_off >= off + cnt in by cnt */\n\tfor (i = l_off; i < nr_linfo; i++)\n\t\tlinfo[i].insn_off -= cnt;\n\n\t/* fix up all subprogs (incl. 
'exit') which start >= off */\n\tfor (i = 0; i <= env->subprog_cnt; i++)\n\t\tif (env->subprog_info[i].linfo_idx > l_off) {\n\t\t\t/* program may have started in the removed region but\n\t\t\t * may not be fully removed\n\t\t\t */\n\t\t\tif (env->subprog_info[i].linfo_idx >= l_off + l_cnt)\n\t\t\t\tenv->subprog_info[i].linfo_idx -= l_cnt;\n\t\t\telse\n\t\t\t\tenv->subprog_info[i].linfo_idx = l_off;\n\t\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 228299487345361262462768301549002922902, "size": 63, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232638 }, { "func": "static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)\n{\n\tstruct bpf_verifier_state *state = env->cur_state;\n\tstruct bpf_func_state *caller, *callee;\n\tstruct bpf_reg_state *r0;\n\tint err;\n\n\tcallee = state->frame[state->curframe];\n\tr0 = &callee->regs[BPF_REG_0];\n\tif (r0->type == PTR_TO_STACK) {\n\t\t/* technically it's ok to return caller's stack pointer\n\t\t * (or caller's caller's pointer) back to the caller,\n\t\t * since these pointers are valid. Only current stack\n\t\t * pointer will be invalid as soon as function exits,\n\t\t * but let's be conservative\n\t\t */\n\t\tverbose(env, \"cannot return stack pointer to the caller\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tstate->curframe--;\n\tcaller = state->frame[state->curframe];\n\t/* return to the caller whatever r0 had in the callee */\n\tcaller->regs[BPF_REG_0] = *r0;\n\n\t/* Transfer references to the caller */\n\terr = transfer_reference_state(caller, callee);\n\tif (err)\n\t\treturn err;\n\n\t*insn_idx = callee->callsite + 1;\n\tif (env->log.level & BPF_LOG_LEVEL) {\n\t\tverbose(env, \"returning from callee:\\n\");\n\t\tprint_verifier_state(env, callee);\n\t\tverbose(env, \"to caller at %d:\\n\", *insn_idx);\n\t\tprint_verifier_state(env, caller);\n\t}\n\t/* clear everything in the callee */\n\tfree_func_state(callee);\n\tstate->frame[state->curframe + 1] = NULL;\n\treturn 0;\n}", "project": "linux", "hash": 286444155304803729493618121178834607534, "size": 42, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call 
update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232561 }, { "func": "static void sanitize_insn_aux_data(struct bpf_verifier_env *env)\n{\n\tstruct bpf_insn *insn = env->prog->insnsi;\n\tstruct bpf_insn_aux_data *aux;\n\tint i, class;\n\n\tfor (i = 0; i < env->prog->len; i++) {\n\t\tclass = BPF_CLASS(insn[i].code);\n\t\tif (class != BPF_LDX && class != BPF_STX)\n\t\t\tcontinue;\n\t\taux = &env->insn_aux_data[i];\n\t\tif (aux->seen != env->pass_cnt)\n\t\t\tcontinue;\n\t\tmemset(aux, 0, offsetof(typeof(*aux), orig_idx));\n\t}\n}", "project": "linux", "hash": 73984400632168182022843874481460162083, "size": 16, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call 
__update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232427 }, { "func": "static void convert_pseudo_ld_imm64(struct bpf_verifier_env *env)\n{\n\tstruct bpf_insn *insn = env->prog->insnsi;\n\tint insn_cnt = env->prog->len;\n\tint i;\n\n\tfor (i = 0; i < insn_cnt; i++, insn++)\n\t\tif (insn->code == (BPF_LD | BPF_IMM | BPF_DW))\n\t\t\tinsn->src_reg = 0;\n}", "project": "linux", "hash": 134190417557111936026080874217781518304, "size": 10, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232445 }, { "func": "static void __mark_reg_known(struct bpf_reg_state *reg, u64 imm)\n{\n\t/* Clear id, off, and union(map_ptr, range) */\n\tmemset(((u8 *)reg) + sizeof(reg->type), 0,\n\t offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type));\n\treg->var_off = tnum_const(imm);\n\treg->smin_value = (s64)imm;\n\treg->smax_value = (s64)imm;\n\treg->umin_value = imm;\n\treg->umax_value = imm;\n}", "project": "linux", "hash": 177287471024918494183854985930663016178, "size": 11, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232615 }, { "func": "static void __mark_reg_known(struct bpf_reg_state *reg, u64 imm)\n{\n\t/* Clear id, off, and union(map_ptr, range) */\n\tmemset(((u8 *)reg) + sizeof(reg->type), 0,\n\t offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type));\n\treg->var_off = tnum_const(imm);\n\treg->smin_value = (s64)imm;\n\treg->smax_value = (s64)imm;\n\treg->umin_value = imm;\n\treg->umax_value = imm;\n\n\treg->s32_min_value = (s32)imm;\n\treg->s32_max_value = (s32)imm;\n\treg->u32_min_value = (u32)imm;\n\treg->u32_max_value = (u32)imm;\n}", "project": "linux", "hash": 326916965014496857059930807581563588657, "size": 16, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit 
ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. 
Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 
bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328521 }, { "func": "static void mark_all_scalars_precise(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_verifier_state *st)\n{\n\tstruct bpf_func_state *func;\n\tstruct bpf_reg_state *reg;\n\tint i, j;\n\n\t/* big hammer: mark all scalars precise in this path.\n\t * pop_stack may still get !precise scalars.\n\t */\n\tfor (; st; st = st->parent)\n\t\tfor (i = 0; i <= st->curframe; i++) {\n\t\t\tfunc = st->frame[i];\n\t\t\tfor (j = 0; j < BPF_REG_FP; j++) {\n\t\t\t\treg = &func->regs[j];\n\t\t\t\tif (reg->type != SCALAR_VALUE)\n\t\t\t\t\tcontinue;\n\t\t\t\treg->precise = true;\n\t\t\t}\n\t\t\tfor (j = 0; j < func->allocated_stack / BPF_REG_SIZE; j++) {\n\t\t\t\tif (func->stack[j].slot_type[0] != STACK_SPILL)\n\t\t\t\t\tcontinue;\n\t\t\t\treg = &func->stack[j].spilled_ptr;\n\t\t\t\tif (reg->type != SCALAR_VALUE)\n\t\t\t\t\tcontinue;\n\t\t\t\treg->precise = true;\n\t\t\t}\n\t\t}\n}", "project": "linux", "hash": 16604828479880525033717358296756907766, "size": 29, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232492 }, { "func": "static bool reg_is_pkt_pointer_any(const struct bpf_reg_state *reg)\n{\n\treturn reg_is_pkt_pointer(reg) ||\n\t reg->type == PTR_TO_PACKET_END;\n}", "project": "linux", "hash": 58392334513482726791636672581385956753, "size": 5, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232440 }, { "func": "static int do_check_subprogs(struct bpf_verifier_env *env)\n{\n\tstruct bpf_prog_aux *aux = env->prog->aux;\n\tint i, ret;\n\n\tif (!aux->func_info)\n\t\treturn 0;\n\n\tfor (i = 1; i < env->subprog_cnt; i++) {\n\t\tif (aux->func_info_aux[i].linkage != BTF_FUNC_GLOBAL)\n\t\t\tcontinue;\n\t\tenv->insn_idx = env->subprog_info[i].start;\n\t\tWARN_ON_ONCE(env->insn_idx == 0);\n\t\tret = do_check_common(env, i);\n\t\tif (ret) {\n\t\t\treturn ret;\n\t\t} else if (env->log.level & BPF_LOG_LEVEL) {\n\t\t\tverbose(env,\n\t\t\t\t\"Func#%d is safe for any args that match its prototype\\n\",\n\t\t\t\ti);\n\t\t}\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 207760700881037795773586571224839140029, "size": 24, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232470 }, { "func": "static int check_subprogs(struct bpf_verifier_env *env)\n{\n\tint i, ret, subprog_start, subprog_end, off, cur_subprog = 0;\n\tstruct bpf_subprog_info *subprog = env->subprog_info;\n\tstruct bpf_insn *insn = env->prog->insnsi;\n\tint insn_cnt = env->prog->len;\n\n\t/* Add entry function. */\n\tret = add_subprog(env, 0);\n\tif (ret < 0)\n\t\treturn ret;\n\n\t/* determine subprog starts. The end is one before the next starts */\n\tfor (i = 0; i < insn_cnt; i++) {\n\t\tif (insn[i].code != (BPF_JMP | BPF_CALL))\n\t\t\tcontinue;\n\t\tif (insn[i].src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\tif (!env->allow_ptr_leaks) {\n\t\t\tverbose(env, \"function calls to other bpf functions are allowed for root only\\n\");\n\t\t\treturn -EPERM;\n\t\t}\n\t\tret = add_subprog(env, i + insn[i].imm + 1);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t}\n\n\t/* Add a fake 'exit' subprog which could simplify subprog iteration\n\t * logic. 
'subprog_cnt' should not be increased.\n\t */\n\tsubprog[env->subprog_cnt].start = insn_cnt;\n\n\tif (env->log.level & BPF_LOG_LEVEL2)\n\t\tfor (i = 0; i < env->subprog_cnt; i++)\n\t\t\tverbose(env, \"func#%d @%d\\n\", i, subprog[i].start);\n\n\t/* now check that all jumps are within the same subprog */\n\tsubprog_start = subprog[cur_subprog].start;\n\tsubprog_end = subprog[cur_subprog + 1].start;\n\tfor (i = 0; i < insn_cnt; i++) {\n\t\tu8 code = insn[i].code;\n\n\t\tif (BPF_CLASS(code) != BPF_JMP && BPF_CLASS(code) != BPF_JMP32)\n\t\t\tgoto next;\n\t\tif (BPF_OP(code) == BPF_EXIT || BPF_OP(code) == BPF_CALL)\n\t\t\tgoto next;\n\t\toff = i + insn[i].off + 1;\n\t\tif (off < subprog_start || off >= subprog_end) {\n\t\t\tverbose(env, \"jump out of range from insn %d to %d\\n\", i, off);\n\t\t\treturn -EINVAL;\n\t\t}\nnext:\n\t\tif (i == subprog_end - 1) {\n\t\t\t/* to avoid fall-through from one subprog into another\n\t\t\t * the last insn of the subprog should be either exit\n\t\t\t * or unconditional jump back\n\t\t\t */\n\t\t\tif (code != (BPF_JMP | BPF_EXIT) &&\n\t\t\t code != (BPF_JMP | BPF_JA)) {\n\t\t\t\tverbose(env, \"last insn is not an exit or jmp\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\tsubprog_start = subprog_end;\n\t\t\tcur_subprog++;\n\t\t\tif (cur_subprog < env->subprog_cnt)\n\t\t\t\tsubprog_end = subprog[cur_subprog + 1].start;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 125778697780668319423808632719594146033, "size": 70, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232542 }, { "func": "static int check_subprogs(struct bpf_verifier_env *env)\n{\n\tint i, ret, subprog_start, subprog_end, off, cur_subprog = 0;\n\tstruct bpf_subprog_info *subprog = env->subprog_info;\n\tstruct bpf_insn *insn = env->prog->insnsi;\n\tint insn_cnt = env->prog->len;\n\n\t/* Add entry function. */\n\tret = add_subprog(env, 0);\n\tif (ret < 0)\n\t\treturn ret;\n\n\t/* determine subprog starts. The end is one before the next starts */\n\tfor (i = 0; i < insn_cnt; i++) {\n\t\tif (insn[i].code != (BPF_JMP | BPF_CALL))\n\t\t\tcontinue;\n\t\tif (insn[i].src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\tif (!env->bpf_capable) {\n\t\t\tverbose(env,\n\t\t\t\t\"function calls to other bpf functions are allowed for CAP_BPF and CAP_SYS_ADMIN\\n\");\n\t\t\treturn -EPERM;\n\t\t}\n\t\tret = add_subprog(env, i + insn[i].imm + 1);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t}\n\n\t/* Add a fake 'exit' subprog which could simplify subprog iteration\n\t * logic. 
'subprog_cnt' should not be increased.\n\t */\n\tsubprog[env->subprog_cnt].start = insn_cnt;\n\n\tif (env->log.level & BPF_LOG_LEVEL2)\n\t\tfor (i = 0; i < env->subprog_cnt; i++)\n\t\t\tverbose(env, \"func#%d @%d\\n\", i, subprog[i].start);\n\n\t/* now check that all jumps are within the same subprog */\n\tsubprog_start = subprog[cur_subprog].start;\n\tsubprog_end = subprog[cur_subprog + 1].start;\n\tfor (i = 0; i < insn_cnt; i++) {\n\t\tu8 code = insn[i].code;\n\n\t\tif (BPF_CLASS(code) != BPF_JMP && BPF_CLASS(code) != BPF_JMP32)\n\t\t\tgoto next;\n\t\tif (BPF_OP(code) == BPF_EXIT || BPF_OP(code) == BPF_CALL)\n\t\t\tgoto next;\n\t\toff = i + insn[i].off + 1;\n\t\tif (off < subprog_start || off >= subprog_end) {\n\t\t\tverbose(env, \"jump out of range from insn %d to %d\\n\", i, off);\n\t\t\treturn -EINVAL;\n\t\t}\nnext:\n\t\tif (i == subprog_end - 1) {\n\t\t\t/* to avoid fall-through from one subprog into another\n\t\t\t * the last insn of the subprog should be either exit\n\t\t\t * or unconditional jump back\n\t\t\t */\n\t\t\tif (code != (BPF_JMP | BPF_EXIT) &&\n\t\t\t code != (BPF_JMP | BPF_JA)) {\n\t\t\t\tverbose(env, \"last insn is not an exit or jmp\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\tsubprog_start = subprog_end;\n\t\t\tcur_subprog++;\n\t\t\tif (cur_subprog < env->subprog_cnt)\n\t\t\t\tsubprog_end = subprog[cur_subprog + 1].start;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 190613276036010301565450072227680532496, "size": 71, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328536 }, { "func": "static int check_subprogs(struct bpf_verifier_env *env)\n{\n\tint i, ret, subprog_start, subprog_end, off, cur_subprog = 0;\n\tstruct bpf_subprog_info *subprog = env->subprog_info;\n\tstruct bpf_insn *insn = env->prog->insnsi;\n\tint insn_cnt = env->prog->len;\n\n\t/* Add entry function. */\n\tret = add_subprog(env, 0);\n\tif (ret < 0)\n\t\treturn ret;\n\n\t/* determine subprog starts. The end is one before the next starts */\n\tfor (i = 0; i < insn_cnt; i++) {\n\t\tif (insn[i].code != (BPF_JMP | BPF_CALL))\n\t\t\tcontinue;\n\t\tif (insn[i].src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\tif (!env->bpf_capable) {\n\t\t\tverbose(env,\n\t\t\t\t\"function calls to other bpf functions are allowed for CAP_BPF and CAP_SYS_ADMIN\\n\");\n\t\t\treturn -EPERM;\n\t\t}\n\t\tret = add_subprog(env, i + insn[i].imm + 1);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t}\n\n\t/* Add a fake 'exit' subprog which could simplify subprog iteration\n\t * logic. 
'subprog_cnt' should not be increased.\n\t */\n\tsubprog[env->subprog_cnt].start = insn_cnt;\n\n\tif (env->log.level & BPF_LOG_LEVEL2)\n\t\tfor (i = 0; i < env->subprog_cnt; i++)\n\t\t\tverbose(env, \"func#%d @%d\\n\", i, subprog[i].start);\n\n\t/* now check that all jumps are within the same subprog */\n\tsubprog_start = subprog[cur_subprog].start;\n\tsubprog_end = subprog[cur_subprog + 1].start;\n\tfor (i = 0; i < insn_cnt; i++) {\n\t\tu8 code = insn[i].code;\n\n\t\tif (code == (BPF_JMP | BPF_CALL) &&\n\t\t insn[i].imm == BPF_FUNC_tail_call &&\n\t\t insn[i].src_reg != BPF_PSEUDO_CALL)\n\t\t\tsubprog[cur_subprog].has_tail_call = true;\n\t\tif (BPF_CLASS(code) == BPF_LD &&\n\t\t (BPF_MODE(code) == BPF_ABS || BPF_MODE(code) == BPF_IND))\n\t\t\tsubprog[cur_subprog].has_ld_abs = true;\n\t\tif (BPF_CLASS(code) != BPF_JMP && BPF_CLASS(code) != BPF_JMP32)\n\t\t\tgoto next;\n\t\tif (BPF_OP(code) == BPF_EXIT || BPF_OP(code) == BPF_CALL)\n\t\t\tgoto next;\n\t\toff = i + insn[i].off + 1;\n\t\tif (off < subprog_start || off >= subprog_end) {\n\t\t\tverbose(env, \"jump out of range from insn %d to %d\\n\", i, off);\n\t\t\treturn -EINVAL;\n\t\t}\nnext:\n\t\tif (i == subprog_end - 1) {\n\t\t\t/* to avoid fall-through from one subprog into another\n\t\t\t * the last insn of the subprog should be either exit\n\t\t\t * or unconditional jump back\n\t\t\t */\n\t\t\tif (code != (BPF_JMP | BPF_EXIT) &&\n\t\t\t code != (BPF_JMP | BPF_JA)) {\n\t\t\t\tverbose(env, \"last insn is not an exit or jmp\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\tsubprog_start = subprog_end;\n\t\t\tcur_subprog++;\n\t\t\tif (cur_subprog < env->subprog_cnt)\n\t\t\t\tsubprog_end = subprog[cur_subprog + 1].start;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 283184901579825208671161182084296942640, "size": 78, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is 
performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. 
After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456515 }, { "func": "static int check_tp_buffer_access(struct bpf_verifier_env *env,\n\t\t\t\t const struct bpf_reg_state *reg,\n\t\t\t\t int regno, int off, int size)\n{\n\tif (off < 0) {\n\t\tverbose(env,\n\t\t\t\"R%d invalid tracepoint buffer access: off=%d, size=%d\",\n\t\t\tregno, off, size);\n\t\treturn -EACCES;\n\t}\n\tif (!tnum_is_const(reg->var_off) || reg->var_off.value) {\n\t\tchar tn_buf[48];\n\n\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\tverbose(env,\n\t\t\t\"R%d invalid variable buffer offset: off=%d, var_off=%s\",\n\t\t\tregno, off, tn_buf);\n\t\treturn -EACCES;\n\t}\n\tif (off + size > env->prog->aux->max_tp_access)\n\t\tenv->prog->aux->max_tp_access = off + size;\n\n\treturn 0;\n}", "project": "linux", "hash": 19324162504736572154752417762536018364, "size": 24, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232430 }, { "func": "static int check_stack_boundary(struct bpf_verifier_env *env, int regno,\n\t\t\t\tint access_size, bool zero_size_allowed,\n\t\t\t\tstruct bpf_call_arg_meta *meta)\n{\n\tstruct bpf_reg_state *reg = reg_state(env, regno);\n\tstruct bpf_func_state *state = func(env, reg);\n\tint err, min_off, max_off, i, j, slot, spi;\n\n\tif (reg->type != PTR_TO_STACK) {\n\t\t/* Allow zero-byte read from NULL, regardless of pointer type */\n\t\tif (zero_size_allowed && access_size == 0 &&\n\t\t register_is_null(reg))\n\t\t\treturn 0;\n\n\t\tverbose(env, \"R%d type=%s expected=%s\\n\", regno,\n\t\t\treg_type_str[reg->type],\n\t\t\treg_type_str[PTR_TO_STACK]);\n\t\treturn -EACCES;\n\t}\n\n\tif (tnum_is_const(reg->var_off)) {\n\t\tmin_off = max_off = reg->var_off.value + reg->off;\n\t\terr = __check_stack_boundary(env, regno, min_off, access_size,\n\t\t\t\t\t zero_size_allowed);\n\t\tif (err)\n\t\t\treturn err;\n\t} else {\n\t\t/* Variable offset is prohibited for unprivileged 
mode for\n\t\t * simplicity since it requires corresponding support in\n\t\t * Spectre masking for stack ALU.\n\t\t * See also retrieve_ptr_limit().\n\t\t */\n\t\tif (!env->allow_ptr_leaks) {\n\t\t\tchar tn_buf[48];\n\n\t\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\t\tverbose(env, \"R%d indirect variable offset stack access prohibited for !root, var_off=%s\\n\",\n\t\t\t\tregno, tn_buf);\n\t\t\treturn -EACCES;\n\t\t}\n\t\t/* Only initialized buffer on stack is allowed to be accessed\n\t\t * with variable offset. With uninitialized buffer it's hard to\n\t\t * guarantee that whole memory is marked as initialized on\n\t\t * helper return since specific bounds are unknown what may\n\t\t * cause uninitialized stack leaking.\n\t\t */\n\t\tif (meta && meta->raw_mode)\n\t\t\tmeta = NULL;\n\n\t\tif (reg->smax_value >= BPF_MAX_VAR_OFF ||\n\t\t reg->smax_value <= -BPF_MAX_VAR_OFF) {\n\t\t\tverbose(env, \"R%d unbounded indirect variable offset stack access\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tmin_off = reg->smin_value + reg->off;\n\t\tmax_off = reg->smax_value + reg->off;\n\t\terr = __check_stack_boundary(env, regno, min_off, access_size,\n\t\t\t\t\t zero_size_allowed);\n\t\tif (err) {\n\t\t\tverbose(env, \"R%d min value is outside of stack bound\\n\",\n\t\t\t\tregno);\n\t\t\treturn err;\n\t\t}\n\t\terr = __check_stack_boundary(env, regno, max_off, access_size,\n\t\t\t\t\t zero_size_allowed);\n\t\tif (err) {\n\t\t\tverbose(env, \"R%d max value is outside of stack bound\\n\",\n\t\t\t\tregno);\n\t\t\treturn err;\n\t\t}\n\t}\n\n\tif (meta && meta->raw_mode) {\n\t\tmeta->access_size = access_size;\n\t\tmeta->regno = regno;\n\t\treturn 0;\n\t}\n\n\tfor (i = min_off; i < max_off + access_size; i++) {\n\t\tu8 *stype;\n\n\t\tslot = -i - 1;\n\t\tspi = slot / BPF_REG_SIZE;\n\t\tif (state->allocated_stack <= slot)\n\t\t\tgoto err;\n\t\tstype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];\n\t\tif (*stype == STACK_MISC)\n\t\t\tgoto mark;\n\t\tif 
(*stype == STACK_ZERO) {\n\t\t\t/* helper can write anything into the stack */\n\t\t\t*stype = STACK_MISC;\n\t\t\tgoto mark;\n\t\t}\n\t\tif (state->stack[spi].slot_type[0] == STACK_SPILL &&\n\t\t state->stack[spi].spilled_ptr.type == SCALAR_VALUE) {\n\t\t\t__mark_reg_unknown(env, &state->stack[spi].spilled_ptr);\n\t\t\tfor (j = 0; j < BPF_REG_SIZE; j++)\n\t\t\t\tstate->stack[spi].slot_type[j] = STACK_MISC;\n\t\t\tgoto mark;\n\t\t}\n\nerr:\n\t\tif (tnum_is_const(reg->var_off)) {\n\t\t\tverbose(env, \"invalid indirect read from stack off %d+%d size %d\\n\",\n\t\t\t\tmin_off, i - min_off, access_size);\n\t\t} else {\n\t\t\tchar tn_buf[48];\n\n\t\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\t\tverbose(env, \"invalid indirect read from stack var_off %s+%d size %d\\n\",\n\t\t\t\ttn_buf, i - min_off, access_size);\n\t\t}\n\t\treturn -EACCES;\nmark:\n\t\t/* reading any byte out of 8-byte 'spill_slot' will cause\n\t\t * the whole slot to be marked as 'read'\n\t\t */\n\t\tmark_reg_read(env, &state->stack[spi].spilled_ptr,\n\t\t\t state->stack[spi].spilled_ptr.parent,\n\t\t\t REG_LIVE_READ64);\n\t}\n\treturn update_stack_depth(env, state, min_off);\n}", "project": "linux", "hash": 263552207612001050178829963800143850659, "size": 124, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232521 }, { "func": "static int check_stack_boundary(struct bpf_verifier_env *env, int regno,\n\t\t\t\tint access_size, bool zero_size_allowed,\n\t\t\t\tstruct bpf_call_arg_meta *meta)\n{\n\tstruct bpf_reg_state *reg = reg_state(env, regno);\n\tstruct bpf_func_state *state = func(env, reg);\n\tint err, min_off, max_off, i, j, slot, spi;\n\n\tif (reg->type != PTR_TO_STACK) {\n\t\t/* Allow zero-byte read from NULL, regardless of pointer type */\n\t\tif (zero_size_allowed && access_size == 0 &&\n\t\t register_is_null(reg))\n\t\t\treturn 0;\n\n\t\tverbose(env, \"R%d type=%s expected=%s\\n\", regno,\n\t\t\treg_type_str[reg->type],\n\t\t\treg_type_str[PTR_TO_STACK]);\n\t\treturn -EACCES;\n\t}\n\n\tif (tnum_is_const(reg->var_off)) {\n\t\tmin_off = max_off = reg->var_off.value + reg->off;\n\t\terr = __check_stack_boundary(env, regno, min_off, access_size,\n\t\t\t\t\t zero_size_allowed);\n\t\tif (err)\n\t\t\treturn err;\n\t} else {\n\t\t/* Variable offset is prohibited for unprivileged mode for\n\t\t * simplicity since it requires corresponding support in\n\t\t * Spectre masking for stack ALU.\n\t\t * See also retrieve_ptr_limit().\n\t\t */\n\t\tif (!env->bypass_spec_v1) {\n\t\t\tchar tn_buf[48];\n\n\t\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\t\tverbose(env, \"R%d indirect variable offset stack access prohibited for !root, var_off=%s\\n\",\n\t\t\t\tregno, tn_buf);\n\t\t\treturn -EACCES;\n\t\t}\n\t\t/* Only 
initialized buffer on stack is allowed to be accessed\n\t\t * with variable offset. With uninitialized buffer it's hard to\n\t\t * guarantee that whole memory is marked as initialized on\n\t\t * helper return since specific bounds are unknown what may\n\t\t * cause uninitialized stack leaking.\n\t\t */\n\t\tif (meta && meta->raw_mode)\n\t\t\tmeta = NULL;\n\n\t\tif (reg->smax_value >= BPF_MAX_VAR_OFF ||\n\t\t reg->smax_value <= -BPF_MAX_VAR_OFF) {\n\t\t\tverbose(env, \"R%d unbounded indirect variable offset stack access\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tmin_off = reg->smin_value + reg->off;\n\t\tmax_off = reg->smax_value + reg->off;\n\t\terr = __check_stack_boundary(env, regno, min_off, access_size,\n\t\t\t\t\t zero_size_allowed);\n\t\tif (err) {\n\t\t\tverbose(env, \"R%d min value is outside of stack bound\\n\",\n\t\t\t\tregno);\n\t\t\treturn err;\n\t\t}\n\t\terr = __check_stack_boundary(env, regno, max_off, access_size,\n\t\t\t\t\t zero_size_allowed);\n\t\tif (err) {\n\t\t\tverbose(env, \"R%d max value is outside of stack bound\\n\",\n\t\t\t\tregno);\n\t\t\treturn err;\n\t\t}\n\t}\n\n\tif (meta && meta->raw_mode) {\n\t\tmeta->access_size = access_size;\n\t\tmeta->regno = regno;\n\t\treturn 0;\n\t}\n\n\tfor (i = min_off; i < max_off + access_size; i++) {\n\t\tu8 *stype;\n\n\t\tslot = -i - 1;\n\t\tspi = slot / BPF_REG_SIZE;\n\t\tif (state->allocated_stack <= slot)\n\t\t\tgoto err;\n\t\tstype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];\n\t\tif (*stype == STACK_MISC)\n\t\t\tgoto mark;\n\t\tif (*stype == STACK_ZERO) {\n\t\t\t/* helper can write anything into the stack */\n\t\t\t*stype = STACK_MISC;\n\t\t\tgoto mark;\n\t\t}\n\n\t\tif (state->stack[spi].slot_type[0] == STACK_SPILL &&\n\t\t state->stack[spi].spilled_ptr.type == PTR_TO_BTF_ID)\n\t\t\tgoto mark;\n\n\t\tif (state->stack[spi].slot_type[0] == STACK_SPILL &&\n\t\t state->stack[spi].spilled_ptr.type == SCALAR_VALUE) {\n\t\t\t__mark_reg_unknown(env, 
&state->stack[spi].spilled_ptr);\n\t\t\tfor (j = 0; j < BPF_REG_SIZE; j++)\n\t\t\t\tstate->stack[spi].slot_type[j] = STACK_MISC;\n\t\t\tgoto mark;\n\t\t}\n\nerr:\n\t\tif (tnum_is_const(reg->var_off)) {\n\t\t\tverbose(env, \"invalid indirect read from stack off %d+%d size %d\\n\",\n\t\t\t\tmin_off, i - min_off, access_size);\n\t\t} else {\n\t\t\tchar tn_buf[48];\n\n\t\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\t\tverbose(env, \"invalid indirect read from stack var_off %s+%d size %d\\n\",\n\t\t\t\ttn_buf, i - min_off, access_size);\n\t\t}\n\t\treturn -EACCES;\nmark:\n\t\t/* reading any byte out of 8-byte 'spill_slot' will cause\n\t\t * the whole slot to be marked as 'read'\n\t\t */\n\t\tmark_reg_read(env, &state->stack[spi].spilled_ptr,\n\t\t\t state->stack[spi].spilled_ptr.parent,\n\t\t\t REG_LIVE_READ64);\n\t}\n\treturn update_stack_depth(env, state, min_off);\n}", "project": "linux", "hash": 111413346708384089689898611519403079285, "size": 129, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328520 }, { "func": "static int check_stack_boundary(struct bpf_verifier_env *env, int regno,\n\t\t\t\tint access_size, bool zero_size_allowed,\n\t\t\t\tstruct bpf_call_arg_meta *meta)\n{\n\tstruct bpf_reg_state *reg = reg_state(env, regno);\n\tstruct bpf_func_state *state = func(env, reg);\n\tint err, min_off, max_off, i, j, slot, spi;\n\n\tif (tnum_is_const(reg->var_off)) {\n\t\tmin_off = max_off = reg->var_off.value + reg->off;\n\t\terr = __check_stack_boundary(env, regno, min_off, access_size,\n\t\t\t\t\t zero_size_allowed);\n\t\tif (err)\n\t\t\treturn err;\n\t} else {\n\t\t/* Variable offset is prohibited for unprivileged mode for\n\t\t * simplicity since it requires corresponding support in\n\t\t * Spectre masking for stack ALU.\n\t\t * See also retrieve_ptr_limit().\n\t\t */\n\t\tif (!env->bypass_spec_v1) {\n\t\t\tchar tn_buf[48];\n\n\t\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\t\tverbose(env, \"R%d indirect variable offset stack access prohibited for !root, var_off=%s\\n\",\n\t\t\t\tregno, tn_buf);\n\t\t\treturn -EACCES;\n\t\t}\n\t\t/* Only initialized buffer on stack is allowed to be accessed\n\t\t * with variable offset. 
With uninitialized buffer it's hard to\n\t\t * guarantee that whole memory is marked as initialized on\n\t\t * helper return since specific bounds are unknown what may\n\t\t * cause uninitialized stack leaking.\n\t\t */\n\t\tif (meta && meta->raw_mode)\n\t\t\tmeta = NULL;\n\n\t\tif (reg->smax_value >= BPF_MAX_VAR_OFF ||\n\t\t reg->smax_value <= -BPF_MAX_VAR_OFF) {\n\t\t\tverbose(env, \"R%d unbounded indirect variable offset stack access\\n\",\n\t\t\t\tregno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tmin_off = reg->smin_value + reg->off;\n\t\tmax_off = reg->smax_value + reg->off;\n\t\terr = __check_stack_boundary(env, regno, min_off, access_size,\n\t\t\t\t\t zero_size_allowed);\n\t\tif (err) {\n\t\t\tverbose(env, \"R%d min value is outside of stack bound\\n\",\n\t\t\t\tregno);\n\t\t\treturn err;\n\t\t}\n\t\terr = __check_stack_boundary(env, regno, max_off, access_size,\n\t\t\t\t\t zero_size_allowed);\n\t\tif (err) {\n\t\t\tverbose(env, \"R%d max value is outside of stack bound\\n\",\n\t\t\t\tregno);\n\t\t\treturn err;\n\t\t}\n\t}\n\n\tif (meta && meta->raw_mode) {\n\t\tmeta->access_size = access_size;\n\t\tmeta->regno = regno;\n\t\treturn 0;\n\t}\n\n\tfor (i = min_off; i < max_off + access_size; i++) {\n\t\tu8 *stype;\n\n\t\tslot = -i - 1;\n\t\tspi = slot / BPF_REG_SIZE;\n\t\tif (state->allocated_stack <= slot)\n\t\t\tgoto err;\n\t\tstype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];\n\t\tif (*stype == STACK_MISC)\n\t\t\tgoto mark;\n\t\tif (*stype == STACK_ZERO) {\n\t\t\t/* helper can write anything into the stack */\n\t\t\t*stype = STACK_MISC;\n\t\t\tgoto mark;\n\t\t}\n\n\t\tif (state->stack[spi].slot_type[0] == STACK_SPILL &&\n\t\t state->stack[spi].spilled_ptr.type == PTR_TO_BTF_ID)\n\t\t\tgoto mark;\n\n\t\tif (state->stack[spi].slot_type[0] == STACK_SPILL &&\n\t\t (state->stack[spi].spilled_ptr.type == SCALAR_VALUE ||\n\t\t env->allow_ptr_leaks)) {\n\t\t\t__mark_reg_unknown(env, &state->stack[spi].spilled_ptr);\n\t\t\tfor (j = 0; j < BPF_REG_SIZE; 
j++)\n\t\t\t\tstate->stack[spi].slot_type[j] = STACK_MISC;\n\t\t\tgoto mark;\n\t\t}\n\nerr:\n\t\tif (tnum_is_const(reg->var_off)) {\n\t\t\tverbose(env, \"invalid indirect read from stack off %d+%d size %d\\n\",\n\t\t\t\tmin_off, i - min_off, access_size);\n\t\t} else {\n\t\t\tchar tn_buf[48];\n\n\t\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\t\tverbose(env, \"invalid indirect read from stack var_off %s+%d size %d\\n\",\n\t\t\t\ttn_buf, i - min_off, access_size);\n\t\t}\n\t\treturn -EACCES;\nmark:\n\t\t/* reading any byte out of 8-byte 'spill_slot' will cause\n\t\t * the whole slot to be marked as 'read'\n\t\t */\n\t\tmark_reg_read(env, &state->stack[spi].spilled_ptr,\n\t\t\t state->stack[spi].spilled_ptr.parent,\n\t\t\t REG_LIVE_READ64);\n\t}\n\treturn update_stack_depth(env, state, min_off);\n}", "project": "linux", "hash": 3036666451687164831482314089537427694, "size": 118, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: 
(95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. 
Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456520 }, { "func": "static void __mark_reg_not_init(const struct bpf_verifier_env *env,\n\t\t\t\tstruct bpf_reg_state *reg)\n{\n\t__mark_reg_unknown(env, reg);\n\treg->type = NOT_INIT;\n}", "project": "linux", "hash": 237644899000606679600063086625020590761, "size": 6, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232475 }, { "func": "static bool register_is_const(struct bpf_reg_state *reg)\n{\n\treturn reg->type == SCALAR_VALUE && tnum_is_const(reg->var_off);\n}", "project": "linux", "hash": 274038182428222536506735692584216565273, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232420 }, { "func": "static int copy_verifier_state(struct bpf_verifier_state *dst_state,\n\t\t\t const struct bpf_verifier_state *src)\n{\n\tstruct bpf_func_state *dst;\n\tu32 jmp_sz = sizeof(struct bpf_idx_pair) * src->jmp_history_cnt;\n\tint i, err;\n\n\tif (dst_state->jmp_history_cnt < src->jmp_history_cnt) {\n\t\tkfree(dst_state->jmp_history);\n\t\tdst_state->jmp_history = kmalloc(jmp_sz, GFP_USER);\n\t\tif (!dst_state->jmp_history)\n\t\t\treturn -ENOMEM;\n\t}\n\tmemcpy(dst_state->jmp_history, src->jmp_history, jmp_sz);\n\tdst_state->jmp_history_cnt = src->jmp_history_cnt;\n\n\t/* if dst has more stack frames then src frame, free them */\n\tfor (i = src->curframe + 1; i <= dst_state->curframe; i++) {\n\t\tfree_func_state(dst_state->frame[i]);\n\t\tdst_state->frame[i] = NULL;\n\t}\n\tdst_state->speculative = src->speculative;\n\tdst_state->curframe = src->curframe;\n\tdst_state->active_spin_lock = src->active_spin_lock;\n\tdst_state->branches = src->branches;\n\tdst_state->parent = src->parent;\n\tdst_state->first_insn_idx = src->first_insn_idx;\n\tdst_state->last_insn_idx = src->last_insn_idx;\n\tfor (i = 0; i <= src->curframe; i++) {\n\t\tdst = dst_state->frame[i];\n\t\tif (!dst) {\n\t\t\tdst = kzalloc(sizeof(*dst), GFP_KERNEL);\n\t\t\tif (!dst)\n\t\t\t\treturn -ENOMEM;\n\t\t\tdst_state->frame[i] = dst;\n\t\t}\n\t\terr = copy_func_state(dst, src->frame[i]);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 141853976619622275086577777632680986146, "size": 42, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, 
adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232585 }, { "func": "static int add_subprog(struct bpf_verifier_env *env, int off)\n{\n\tint insn_cnt = env->prog->len;\n\tint ret;\n\n\tif (off >= insn_cnt || off < 0) {\n\t\tverbose(env, \"call to invalid destination\\n\");\n\t\treturn -EINVAL;\n\t}\n\tret = find_subprog(env, off);\n\tif (ret >= 0)\n\t\treturn 0;\n\tif (env->subprog_cnt >= BPF_MAX_SUBPROGS) {\n\t\tverbose(env, \"too many subprograms\\n\");\n\t\treturn -E2BIG;\n\t}\n\tenv->subprog_info[env->subprog_cnt++].start = off;\n\tsort(env->subprog_info, env->subprog_cnt,\n\t sizeof(env->subprog_info[0]), cmp_subprogs, NULL);\n\treturn 0;\n}", "project": "linux", "hash": 159559218986133774450669143683274487114, "size": 21, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, 
adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232524 }, { "func": "static void scalar_min_max_arsh(struct bpf_reg_state *dst_reg,\n\t\t\t struct bpf_reg_state *src_reg,\n\t\t\t\tu64 insn_bitness)\n{\n\tu64 umin_val = src_reg->umin_value;\n\n\t/* Upon reaching here, src_known is true and\n\t * umax_val is equal to umin_val.\n\t */\n\tif (insn_bitness == 32) {\n\t\tdst_reg->smin_value = (u32)(((s32)dst_reg->smin_value) >> umin_val);\n\t\tdst_reg->smax_value = (u32)(((s32)dst_reg->smax_value) >> umin_val);\n\t} else {\n\t\tdst_reg->smin_value >>= umin_val;\n\t\tdst_reg->smax_value >>= umin_val;\n\t}\n\n\tdst_reg->var_off = tnum_arshift(dst_reg->var_off, umin_val,\n\t\t\t\t\tinsn_bitness);\n\n\t/* blow away the dst_reg umin_value/umax_value and rely on\n\t * dst_reg var_off to refine the result.\n\t 
*/\n\tdst_reg->umin_value = 0;\n\tdst_reg->umax_value = U64_MAX;\n\t__update_reg_bounds(dst_reg);\n}", "project": "linux", "hash": 224897212264538382681020213066599346972, "size": 27, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232496 }, { "func": "static int __check_stack_boundary(struct bpf_verifier_env *env, u32 regno,\n\t\t\t\t int off, int access_size,\n\t\t\t\t bool zero_size_allowed)\n{\n\tstruct bpf_reg_state *reg = reg_state(env, regno);\n\n\tif (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||\n\t access_size < 0 || (access_size == 0 && !zero_size_allowed)) {\n\t\tif (tnum_is_const(reg->var_off)) {\n\t\t\tverbose(env, \"invalid stack type R%d off=%d access_size=%d\\n\",\n\t\t\t\tregno, off, access_size);\n\t\t} else {\n\t\t\tchar tn_buf[48];\n\n\t\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\t\tverbose(env, \"invalid stack type R%d var_off=%s access_size=%d\\n\",\n\t\t\t\tregno, tn_buf, access_size);\n\t\t}\n\t\treturn -EACCES;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 330785580702847604615919243220842034867, "size": 22, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232536 }, { "func": "static int is_branch_taken(struct bpf_reg_state *reg, u64 val, u8 opcode,\n\t\t\t bool is_jmp32)\n{\n\tstruct bpf_reg_state reg_lo;\n\ts64 sval;\n\n\tif (__is_pointer_value(false, reg))\n\t\treturn -1;\n\n\tif (is_jmp32) {\n\t\treg_lo = *reg;\n\t\treg = &reg_lo;\n\t\t/* For JMP32, only low 32 bits are compared, coerce_reg_to_size\n\t\t * could truncate high bits and update umin/umax according to\n\t\t * information of low bits.\n\t\t */\n\t\tcoerce_reg_to_size(reg, 4);\n\t\t/* smin/smax need special handling. For example, after coerce,\n\t\t * if smin_value is 0x00000000ffffffffLL, the value is -1 when\n\t\t * used as operand to JMP32. It is a negative number from s32's\n\t\t * point of view, while it is a positive number when seen as\n\t\t * s64. The smin/smax are kept as s64, therefore, when used with\n\t\t * JMP32, they need to be transformed into s32, then sign\n\t\t * extended back to s64.\n\t\t *\n\t\t * Also, smin/smax were copied from umin/umax. 
If umin/umax has\n\t\t * different sign bit, then min/max relationship doesn't\n\t\t * maintain after casting into s32, for this case, set smin/smax\n\t\t * to safest range.\n\t\t */\n\t\tif ((reg->umax_value ^ reg->umin_value) &\n\t\t (1ULL << 31)) {\n\t\t\treg->smin_value = S32_MIN;\n\t\t\treg->smax_value = S32_MAX;\n\t\t}\n\t\treg->smin_value = (s64)(s32)reg->smin_value;\n\t\treg->smax_value = (s64)(s32)reg->smax_value;\n\n\t\tval = (u32)val;\n\t\tsval = (s64)(s32)val;\n\t} else {\n\t\tsval = (s64)val;\n\t}\n\n\tswitch (opcode) {\n\tcase BPF_JEQ:\n\t\tif (tnum_is_const(reg->var_off))\n\t\t\treturn !!tnum_equals_const(reg->var_off, val);\n\t\tbreak;\n\tcase BPF_JNE:\n\t\tif (tnum_is_const(reg->var_off))\n\t\t\treturn !tnum_equals_const(reg->var_off, val);\n\t\tbreak;\n\tcase BPF_JSET:\n\t\tif ((~reg->var_off.mask & reg->var_off.value) & val)\n\t\t\treturn 1;\n\t\tif (!((reg->var_off.mask | reg->var_off.value) & val))\n\t\t\treturn 0;\n\t\tbreak;\n\tcase BPF_JGT:\n\t\tif (reg->umin_value > val)\n\t\t\treturn 1;\n\t\telse if (reg->umax_value <= val)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase BPF_JSGT:\n\t\tif (reg->smin_value > sval)\n\t\t\treturn 1;\n\t\telse if (reg->smax_value < sval)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase BPF_JLT:\n\t\tif (reg->umax_value < val)\n\t\t\treturn 1;\n\t\telse if (reg->umin_value >= val)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase BPF_JSLT:\n\t\tif (reg->smax_value < sval)\n\t\t\treturn 1;\n\t\telse if (reg->smin_value >= sval)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase BPF_JGE:\n\t\tif (reg->umin_value >= val)\n\t\t\treturn 1;\n\t\telse if (reg->umax_value < val)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase BPF_JSGE:\n\t\tif (reg->smin_value >= sval)\n\t\t\treturn 1;\n\t\telse if (reg->smax_value < sval)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase BPF_JLE:\n\t\tif (reg->umax_value <= val)\n\t\t\treturn 1;\n\t\telse if (reg->umin_value > val)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase BPF_JSLE:\n\t\tif (reg->smax_value <= sval)\n\t\t\treturn 1;\n\t\telse if (reg->smin_value 
> sval)\n\t\t\treturn 0;\n\t\tbreak;\n\t}\n\n\treturn -1;\n}", "project": "linux", "hash": 69284623599222449284503423157337812292, "size": 111, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232490 }, { "func": "static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tstatic const int ctx_reg = BPF_REG_6;\n\tu8 mode = BPF_MODE(insn->code);\n\tint i, err;\n\n\tif (!may_access_skb(env->prog->type)) {\n\t\tverbose(env, \"BPF_LD_[ABS|IND] instructions not allowed for this program type\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (!env->ops->gen_ld_abs) {\n\t\tverbose(env, \"bpf verifier is misconfigured\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (env->subprog_cnt > 1) {\n\t\t/* when program has LD_ABS insn JITs and interpreter assume\n\t\t * that r1 == ctx == skb which is not the case for callees\n\t\t * that can have arbitrary arguments. It's problematic\n\t\t * for main prog as well since JITs would need to analyze\n\t\t * all functions in order to make proper register save/restore\n\t\t * decisions in the main prog. 
Hence disallow LD_ABS with calls\n\t\t */\n\t\tverbose(env, \"BPF_LD_[ABS|IND] instructions cannot be mixed with bpf-to-bpf calls\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (insn->dst_reg != BPF_REG_0 || insn->off != 0 ||\n\t BPF_SIZE(insn->code) == BPF_DW ||\n\t (mode == BPF_ABS && insn->src_reg != BPF_REG_0)) {\n\t\tverbose(env, \"BPF_LD_[ABS|IND] uses reserved fields\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\t/* check whether implicit source operand (register R6) is readable */\n\terr = check_reg_arg(env, ctx_reg, SRC_OP);\n\tif (err)\n\t\treturn err;\n\n\t/* Disallow usage of BPF_LD_[ABS|IND] with reference tracking, as\n\t * gen_ld_abs() may terminate the program at runtime, leading to\n\t * reference leak.\n\t */\n\terr = check_reference_leak(env);\n\tif (err) {\n\t\tverbose(env, \"BPF_LD_[ABS|IND] cannot be mixed with socket references\\n\");\n\t\treturn err;\n\t}\n\n\tif (env->cur_state->active_spin_lock) {\n\t\tverbose(env, \"BPF_LD_[ABS|IND] cannot be used inside bpf_spin_lock-ed region\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (regs[ctx_reg].type != PTR_TO_CTX) {\n\t\tverbose(env,\n\t\t\t\"at the time of BPF_LD_ABS|IND R6 != pointer to skb\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (mode == BPF_IND) {\n\t\t/* check explicit source operand */\n\t\terr = check_reg_arg(env, insn->src_reg, SRC_OP);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\n\terr = check_ctx_reg(env, &regs[ctx_reg], ctx_reg);\n\tif (err < 0)\n\t\treturn err;\n\n\t/* reset caller saved regs to unreadable */\n\tfor (i = 0; i < CALLER_SAVED_REGS; i++) {\n\t\tmark_reg_not_init(env, regs, caller_saved[i]);\n\t\tcheck_reg_arg(env, caller_saved[i], DST_OP_NO_MARK);\n\t}\n\n\t/* mark destination R0 register as readable, since it contains\n\t * the value fetched from the packet.\n\t * Already marked as written above.\n\t */\n\tmark_reg_unknown(env, regs, BPF_REG_0);\n\t/* ld_abs load up to 32-bit skb data. 
*/\n\tregs[BPF_REG_0].subreg_def = env->insn_idx + 1;\n\treturn 0;\n}", "project": "linux", "hash": 247995692894303801243629975722316932079, "size": 88, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232465 }, { "func": "static int check_map_prog_compatibility(struct bpf_verifier_env *env,\n\t\t\t\t\tstruct bpf_map *map,\n\t\t\t\t\tstruct bpf_prog *prog)\n\n{\n\t/*\n\t * Validate that trace type programs use preallocated hash maps.\n\t *\n\t * For programs attached to PERF events this is mandatory as the\n\t * perf NMI can hit any arbitrary code sequence.\n\t *\n\t * All other trace types using preallocated hash maps are unsafe as\n\t * well because tracepoint or kprobes can be inside locked regions\n\t * of the memory allocator or at a place where a recursion into the\n\t * memory allocator would see inconsistent state.\n\t *\n\t * On RT enabled kernels run-time allocation of all trace type\n\t * programs is strictly prohibited due to lock type constraints. On\n\t * !RT kernels it is allowed for backwards compatibility reasons for\n\t * now, but warnings are emitted so developers are made aware of\n\t * the unsafety and can fix their programs before this is enforced.\n\t */\n\tif (is_tracing_prog_type(prog->type) && !is_preallocated_map(map)) {\n\t\tif (prog->type == BPF_PROG_TYPE_PERF_EVENT) {\n\t\t\tverbose(env, \"perf_event programs can only use preallocated hash map\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tif (IS_ENABLED(CONFIG_PREEMPT_RT)) {\n\t\t\tverbose(env, \"trace type programs can only use preallocated hash map\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tWARN_ONCE(1, \"trace type BPF program uses run-time allocation\\n\");\n\t\tverbose(env, \"trace type programs with run-time allocated hash maps are unsafe. 
Switch to preallocated hash maps.\\n\");\n\t}\n\n\tif ((is_tracing_prog_type(prog->type) ||\n\t prog->type == BPF_PROG_TYPE_SOCKET_FILTER) &&\n\t map_value_has_spin_lock(map)) {\n\t\tverbose(env, \"tracing progs cannot use bpf_spin_lock yet\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tif ((bpf_prog_is_dev_bound(prog->aux) || bpf_map_is_dev_bound(map)) &&\n\t !bpf_offload_prog_map_match(prog, map)) {\n\t\tverbose(env, \"offload device mismatch between prog and map\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (map->map_type == BPF_MAP_TYPE_STRUCT_OPS) {\n\t\tverbose(env, \"bpf_struct_ops map cannot be used in prog\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 69393893947578075832174926087364203118, "size": 55, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232454 }, { "func": "static int check_map_prog_compatibility(struct bpf_verifier_env *env,\n\t\t\t\t\tstruct bpf_map *map,\n\t\t\t\t\tstruct bpf_prog *prog)\n\n{\n\tenum bpf_prog_type prog_type = resolve_prog_type(prog);\n\t/*\n\t * Validate that trace type programs use preallocated hash maps.\n\t *\n\t * For programs attached to PERF events this is mandatory as the\n\t * perf NMI can hit any arbitrary code sequence.\n\t *\n\t * All other trace types using preallocated hash maps are unsafe as\n\t * well because tracepoint or kprobes can be inside locked regions\n\t * of the memory allocator or at a place where a recursion into the\n\t * memory allocator would see inconsistent state.\n\t *\n\t * On RT enabled kernels run-time allocation of all trace type\n\t * programs is strictly prohibited due to lock type constraints. On\n\t * !RT kernels it is allowed for backwards compatibility reasons for\n\t * now, but warnings are emitted so developers are made aware of\n\t * the unsafety and can fix their programs before this is enforced.\n\t */\n\tif (is_tracing_prog_type(prog_type) && !is_preallocated_map(map)) {\n\t\tif (prog_type == BPF_PROG_TYPE_PERF_EVENT) {\n\t\t\tverbose(env, \"perf_event programs can only use preallocated hash map\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tif (IS_ENABLED(CONFIG_PREEMPT_RT)) {\n\t\t\tverbose(env, \"trace type programs can only use preallocated hash map\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tWARN_ONCE(1, \"trace type BPF program uses run-time allocation\\n\");\n\t\tverbose(env, \"trace type programs with run-time allocated hash maps are unsafe. 
Switch to preallocated hash maps.\\n\");\n\t}\n\n\tif (map_value_has_spin_lock(map)) {\n\t\tif (prog_type == BPF_PROG_TYPE_SOCKET_FILTER) {\n\t\t\tverbose(env, \"socket filter progs cannot use bpf_spin_lock yet\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tif (is_tracing_prog_type(prog_type)) {\n\t\t\tverbose(env, \"tracing progs cannot use bpf_spin_lock yet\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tif (prog->aux->sleepable) {\n\t\t\tverbose(env, \"sleepable progs cannot use bpf_spin_lock yet\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t}\n\n\tif ((bpf_prog_is_dev_bound(prog->aux) || bpf_map_is_dev_bound(map)) &&\n\t !bpf_offload_prog_map_match(prog, map)) {\n\t\tverbose(env, \"offload device mismatch between prog and map\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (map->map_type == BPF_MAP_TYPE_STRUCT_OPS) {\n\t\tverbose(env, \"bpf_struct_ops map cannot be used in prog\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (prog->aux->sleepable)\n\t\tswitch (map->map_type) {\n\t\tcase BPF_MAP_TYPE_HASH:\n\t\tcase BPF_MAP_TYPE_LRU_HASH:\n\t\tcase BPF_MAP_TYPE_ARRAY:\n\t\t\tif (!is_preallocated_map(map)) {\n\t\t\t\tverbose(env,\n\t\t\t\t\t\"Sleepable programs can only use preallocated hash maps\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tverbose(env,\n\t\t\t\t\"Sleepable programs can only use array and hash maps\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 275623199366580584303083689485169144856, "size": 83, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 
R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. 
Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456509 }, { "func": "static void do_refine_retval_range(struct bpf_reg_state *regs, int ret_type,\n\t\t\t\t int func_id,\n\t\t\t\t struct bpf_call_arg_meta *meta)\n{\n\tstruct bpf_reg_state *ret_reg = &regs[BPF_REG_0];\n\n\tif (ret_type != RET_INTEGER ||\n\t (func_id != BPF_FUNC_get_stack &&\n\t func_id != BPF_FUNC_probe_read_str))\n\t\treturn;\n\n\tret_reg->smax_value = meta->msize_smax_value;\n\tret_reg->umax_value = meta->msize_umax_value;\n\t__reg_deduce_bounds(ret_reg);\n\t__reg_bound_offset(ret_reg);\n}", "project": "linux", "hash": 140778886040250598457692627443947951351, "size": 16, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232595 }, { "func": "static void do_refine_retval_range(struct bpf_reg_state *regs, int ret_type,\n\t\t\t\t int func_id,\n\t\t\t\t struct bpf_call_arg_meta *meta)\n{\n\tstruct bpf_reg_state *ret_reg = ®s[BPF_REG_0];\n\n\tif (ret_type != RET_INTEGER ||\n\t (func_id != BPF_FUNC_get_stack &&\n\t func_id != BPF_FUNC_probe_read_str &&\n\t func_id != BPF_FUNC_probe_read_kernel_str &&\n\t func_id != BPF_FUNC_probe_read_user_str))\n\t\treturn;\n\n\tret_reg->smax_value = meta->msize_max_value;\n\tret_reg->s32_max_value = meta->msize_max_value;\n\t__reg_deduce_bounds(ret_reg);\n\t__reg_bound_offset(ret_reg);\n\t__update_reg_bounds(ret_reg);\n}", "project": "linux", "hash": 49140016926052289490441437795996755464, "size": 19, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328534 }, { "func": "static int replace_map_fd_with_map_ptr(struct bpf_verifier_env *env)\n{\n\tstruct bpf_insn *insn = env->prog->insnsi;\n\tint insn_cnt = env->prog->len;\n\tint i, j, err;\n\n\terr = bpf_prog_calc_tag(env->prog);\n\tif (err)\n\t\treturn err;\n\n\tfor (i = 0; i < insn_cnt; i++, insn++) {\n\t\tif (BPF_CLASS(insn->code) == BPF_LDX &&\n\t\t (BPF_MODE(insn->code) != BPF_MEM || insn->imm != 0)) {\n\t\t\tverbose(env, \"BPF_LDX uses reserved fields\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tif (BPF_CLASS(insn->code) == BPF_STX &&\n\t\t ((BPF_MODE(insn->code) != BPF_MEM &&\n\t\t BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) {\n\t\t\tverbose(env, \"BPF_STX uses reserved fields\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tif (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {\n\t\t\tstruct bpf_insn_aux_data *aux;\n\t\t\tstruct bpf_map *map;\n\t\t\tstruct fd f;\n\t\t\tu64 addr;\n\n\t\t\tif (i == insn_cnt - 1 || insn[1].code != 0 ||\n\t\t\t insn[1].dst_reg != 0 || insn[1].src_reg != 0 ||\n\t\t\t insn[1].off != 0) {\n\t\t\t\tverbose(env, \"invalid bpf_ld_imm64 insn\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tif (insn[0].src_reg == 0)\n\t\t\t\t/* valid generic load 64-bit imm */\n\t\t\t\tgoto next_insn;\n\n\t\t\t/* In final convert_pseudo_ld_imm64() step, this is\n\t\t\t * converted into regular 64-bit imm load insn.\n\t\t\t */\n\t\t\tif ((insn[0].src_reg != BPF_PSEUDO_MAP_FD &&\n\t\t\t insn[0].src_reg != BPF_PSEUDO_MAP_VALUE) ||\n\t\t\t (insn[0].src_reg == BPF_PSEUDO_MAP_FD &&\n\t\t\t insn[1].imm != 0)) {\n\t\t\t\tverbose(env,\n\t\t\t\t\t\"unrecognized bpf_ld_imm64 insn\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tf = fdget(insn[0].imm);\n\t\t\tmap = __bpf_map_get(f);\n\t\t\tif (IS_ERR(map)) {\n\t\t\t\tverbose(env, \"fd %d is not pointing to valid bpf_map\\n\",\n\t\t\t\t\tinsn[0].imm);\n\t\t\t\treturn 
PTR_ERR(map);\n\t\t\t}\n\n\t\t\terr = check_map_prog_compatibility(env, map, env->prog);\n\t\t\tif (err) {\n\t\t\t\tfdput(f);\n\t\t\t\treturn err;\n\t\t\t}\n\n\t\t\taux = &env->insn_aux_data[i];\n\t\t\tif (insn->src_reg == BPF_PSEUDO_MAP_FD) {\n\t\t\t\taddr = (unsigned long)map;\n\t\t\t} else {\n\t\t\t\tu32 off = insn[1].imm;\n\n\t\t\t\tif (off >= BPF_MAX_VAR_OFF) {\n\t\t\t\t\tverbose(env, \"direct value offset of %u is not allowed\\n\", off);\n\t\t\t\t\tfdput(f);\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\tif (!map->ops->map_direct_value_addr) {\n\t\t\t\t\tverbose(env, \"no direct value access support for this map type\\n\");\n\t\t\t\t\tfdput(f);\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\terr = map->ops->map_direct_value_addr(map, &addr, off);\n\t\t\t\tif (err) {\n\t\t\t\t\tverbose(env, \"invalid access to map value pointer, value_size=%u off=%u\\n\",\n\t\t\t\t\t\tmap->value_size, off);\n\t\t\t\t\tfdput(f);\n\t\t\t\t\treturn err;\n\t\t\t\t}\n\n\t\t\t\taux->map_off = off;\n\t\t\t\taddr += off;\n\t\t\t}\n\n\t\t\tinsn[0].imm = (u32)addr;\n\t\t\tinsn[1].imm = addr >> 32;\n\n\t\t\t/* check whether we recorded this map already */\n\t\t\tfor (j = 0; j < env->used_map_cnt; j++) {\n\t\t\t\tif (env->used_maps[j] == map) {\n\t\t\t\t\taux->map_index = j;\n\t\t\t\t\tfdput(f);\n\t\t\t\t\tgoto next_insn;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (env->used_map_cnt >= MAX_USED_MAPS) {\n\t\t\t\tfdput(f);\n\t\t\t\treturn -E2BIG;\n\t\t\t}\n\n\t\t\t/* hold the map. 
If the program is rejected by verifier,\n\t\t\t * the map will be released by release_maps() or it\n\t\t\t * will be used by the valid program until it's unloaded\n\t\t\t * and all maps are released in free_used_maps()\n\t\t\t */\n\t\t\tbpf_map_inc(map);\n\n\t\t\taux->map_index = env->used_map_cnt;\n\t\t\tenv->used_maps[env->used_map_cnt++] = map;\n\n\t\t\tif (bpf_map_is_cgroup_storage(map) &&\n\t\t\t bpf_cgroup_storage_assign(env->prog->aux, map)) {\n\t\t\t\tverbose(env, \"only one cgroup storage of each type is allowed\\n\");\n\t\t\t\tfdput(f);\n\t\t\t\treturn -EBUSY;\n\t\t\t}\n\n\t\t\tfdput(f);\nnext_insn:\n\t\t\tinsn++;\n\t\t\ti++;\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* Basic sanity check before we invest more work here. */\n\t\tif (!bpf_opcode_in_insntable(insn->code)) {\n\t\t\tverbose(env, \"unknown opcode %02x\\n\", insn->code);\n\t\t\treturn -EINVAL;\n\t\t}\n\t}\n\n\t/* now all pseudo BPF_LD_IMM64 instructions load valid\n\t * 'struct bpf_map *' into a register instead of user map_fd.\n\t * These pointers will be used later by verifier to validate map access.\n\t */\n\treturn 0;\n}", "project": "linux", "hash": 132192620431662207698016886760544913182, "size": 151, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232469 }, { "func": "static int check_stack_write(struct bpf_verifier_env *env,\n\t\t\t struct bpf_func_state *state, /* func where register points to */\n\t\t\t int off, int size, int value_regno, int insn_idx)\n{\n\tstruct bpf_func_state *cur; /* state of the current function */\n\tint i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;\n\tu32 dst_reg = env->prog->insnsi[insn_idx].dst_reg;\n\tstruct bpf_reg_state *reg = NULL;\n\n\terr = realloc_func_state(state, round_up(slot + 1, BPF_REG_SIZE),\n\t\t\t\t state->acquired_refs, true);\n\tif (err)\n\t\treturn err;\n\t/* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,\n\t * so it's aligned access and [off, off + size) are within stack limits\n\t */\n\tif (!env->allow_ptr_leaks &&\n\t state->stack[spi].slot_type[0] == STACK_SPILL &&\n\t size != BPF_REG_SIZE) {\n\t\tverbose(env, \"attempt to corrupt spilled pointer on stack\\n\");\n\t\treturn -EACCES;\n\t}\n\n\tcur = env->cur_state->frame[env->cur_state->curframe];\n\tif (value_regno >= 0)\n\t\treg = &cur->regs[value_regno];\n\n\tif (reg && size == BPF_REG_SIZE && register_is_const(reg) &&\n\t !register_is_null(reg) && env->allow_ptr_leaks) {\n\t\tif (dst_reg != BPF_REG_FP) {\n\t\t\t/* The backtracking logic can only recognize explicit\n\t\t\t * stack slot address like [fp - 8]. 
Other spill of\n\t\t\t * scalar via different register has to be conervative.\n\t\t\t * Backtrack from here and mark all registers as precise\n\t\t\t * that contributed into 'reg' being a constant.\n\t\t\t */\n\t\t\terr = mark_chain_precision(env, value_regno);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t}\n\t\tsave_register_state(state, spi, reg);\n\t} else if (reg && is_spillable_regtype(reg->type)) {\n\t\t/* register containing pointer is being spilled into stack */\n\t\tif (size != BPF_REG_SIZE) {\n\t\t\tverbose_linfo(env, insn_idx, \"; \");\n\t\t\tverbose(env, \"invalid size of register spill\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\tif (state != cur && reg->type == PTR_TO_STACK) {\n\t\t\tverbose(env, \"cannot spill pointers to stack into stack frame of the caller\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tif (!env->allow_ptr_leaks) {\n\t\t\tbool sanitize = false;\n\n\t\t\tif (state->stack[spi].slot_type[0] == STACK_SPILL &&\n\t\t\t register_is_const(&state->stack[spi].spilled_ptr))\n\t\t\t\tsanitize = true;\n\t\t\tfor (i = 0; i < BPF_REG_SIZE; i++)\n\t\t\t\tif (state->stack[spi].slot_type[i] == STACK_MISC) {\n\t\t\t\t\tsanitize = true;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\tif (sanitize) {\n\t\t\t\tint *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off;\n\t\t\t\tint soff = (-spi - 1) * BPF_REG_SIZE;\n\n\t\t\t\t/* detected reuse of integer stack slot with a pointer\n\t\t\t\t * which means either llvm is reusing stack slot or\n\t\t\t\t * an attacker is trying to exploit CVE-2018-3639\n\t\t\t\t * (speculative store bypass)\n\t\t\t\t * Have to sanitize that slot with preemptive\n\t\t\t\t * store of zero.\n\t\t\t\t */\n\t\t\t\tif (*poff && *poff != soff) {\n\t\t\t\t\t/* disallow programs where single insn stores\n\t\t\t\t\t * into two different stack slots, since verifier\n\t\t\t\t\t * cannot sanitize them\n\t\t\t\t\t */\n\t\t\t\t\tverbose(env,\n\t\t\t\t\t\t\"insn %d cannot access two stack slots fp%d and fp%d\",\n\t\t\t\t\t\tinsn_idx, *poff, 
soff);\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\t\t\t\t*poff = soff;\n\t\t\t}\n\t\t}\n\t\tsave_register_state(state, spi, reg);\n\t} else {\n\t\tu8 type = STACK_MISC;\n\n\t\t/* regular write of data into stack destroys any spilled ptr */\n\t\tstate->stack[spi].spilled_ptr.type = NOT_INIT;\n\t\t/* Mark slots as STACK_MISC if they belonged to spilled ptr. */\n\t\tif (state->stack[spi].slot_type[0] == STACK_SPILL)\n\t\t\tfor (i = 0; i < BPF_REG_SIZE; i++)\n\t\t\t\tstate->stack[spi].slot_type[i] = STACK_MISC;\n\n\t\t/* only mark the slot as written if all 8 bytes were written\n\t\t * otherwise read propagation may incorrectly stop too soon\n\t\t * when stack slots are partially written.\n\t\t * This heuristic means that read propagation will be\n\t\t * conservative, since it will add reg_live_read marks\n\t\t * to stack slots all the way to first state when programs\n\t\t * writes+reads less than 8 bytes\n\t\t */\n\t\tif (size == BPF_REG_SIZE)\n\t\t\tstate->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;\n\n\t\t/* when we zero initialize stack slots mark them as such */\n\t\tif (reg && register_is_null(reg)) {\n\t\t\t/* backtracking doesn't work for STACK_ZERO yet. */\n\t\t\terr = mark_chain_precision(env, value_regno);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t\ttype = STACK_ZERO;\n\t\t}\n\n\t\t/* Mark slots affected by this stack write. */\n\t\tfor (i = 0; i < size; i++)\n\t\t\tstate->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] =\n\t\t\t\ttype;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 293695723474210437804712087676692630902, "size": 127, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232477 }, { "func": "static int check_stack_write(struct bpf_verifier_env *env,\n\t\t\t struct bpf_func_state *state, /* func where register points to */\n\t\t\t int off, int size, int value_regno, int insn_idx)\n{\n\tstruct bpf_func_state *cur; /* state of the current function */\n\tint i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;\n\tu32 dst_reg = env->prog->insnsi[insn_idx].dst_reg;\n\tstruct bpf_reg_state *reg = NULL;\n\n\terr = realloc_func_state(state, round_up(slot + 1, BPF_REG_SIZE),\n\t\t\t\t state->acquired_refs, true);\n\tif (err)\n\t\treturn err;\n\t/* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,\n\t * so it's aligned access and [off, off + size) are within stack limits\n\t */\n\tif (!env->allow_ptr_leaks &&\n\t state->stack[spi].slot_type[0] == STACK_SPILL &&\n\t size != BPF_REG_SIZE) {\n\t\tverbose(env, \"attempt to corrupt spilled pointer on stack\\n\");\n\t\treturn -EACCES;\n\t}\n\n\tcur = 
env->cur_state->frame[env->cur_state->curframe];\n\tif (value_regno >= 0)\n\t\treg = &cur->regs[value_regno];\n\n\tif (reg && size == BPF_REG_SIZE && register_is_const(reg) &&\n\t !register_is_null(reg) && env->bpf_capable) {\n\t\tif (dst_reg != BPF_REG_FP) {\n\t\t\t/* The backtracking logic can only recognize explicit\n\t\t\t * stack slot address like [fp - 8]. Other spill of\n\t\t\t * scalar via different register has to be conervative.\n\t\t\t * Backtrack from here and mark all registers as precise\n\t\t\t * that contributed into 'reg' being a constant.\n\t\t\t */\n\t\t\terr = mark_chain_precision(env, value_regno);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t}\n\t\tsave_register_state(state, spi, reg);\n\t} else if (reg && is_spillable_regtype(reg->type)) {\n\t\t/* register containing pointer is being spilled into stack */\n\t\tif (size != BPF_REG_SIZE) {\n\t\t\tverbose_linfo(env, insn_idx, \"; \");\n\t\t\tverbose(env, \"invalid size of register spill\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\tif (state != cur && reg->type == PTR_TO_STACK) {\n\t\t\tverbose(env, \"cannot spill pointers to stack into stack frame of the caller\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tif (!env->bypass_spec_v4) {\n\t\t\tbool sanitize = false;\n\n\t\t\tif (state->stack[spi].slot_type[0] == STACK_SPILL &&\n\t\t\t register_is_const(&state->stack[spi].spilled_ptr))\n\t\t\t\tsanitize = true;\n\t\t\tfor (i = 0; i < BPF_REG_SIZE; i++)\n\t\t\t\tif (state->stack[spi].slot_type[i] == STACK_MISC) {\n\t\t\t\t\tsanitize = true;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\tif (sanitize) {\n\t\t\t\tint *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off;\n\t\t\t\tint soff = (-spi - 1) * BPF_REG_SIZE;\n\n\t\t\t\t/* detected reuse of integer stack slot with a pointer\n\t\t\t\t * which means either llvm is reusing stack slot or\n\t\t\t\t * an attacker is trying to exploit CVE-2018-3639\n\t\t\t\t * (speculative store bypass)\n\t\t\t\t * Have to sanitize that slot with preemptive\n\t\t\t\t * store of 
zero.\n\t\t\t\t */\n\t\t\t\tif (*poff && *poff != soff) {\n\t\t\t\t\t/* disallow programs where single insn stores\n\t\t\t\t\t * into two different stack slots, since verifier\n\t\t\t\t\t * cannot sanitize them\n\t\t\t\t\t */\n\t\t\t\t\tverbose(env,\n\t\t\t\t\t\t\"insn %d cannot access two stack slots fp%d and fp%d\",\n\t\t\t\t\t\tinsn_idx, *poff, soff);\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\t\t\t\t*poff = soff;\n\t\t\t}\n\t\t}\n\t\tsave_register_state(state, spi, reg);\n\t} else {\n\t\tu8 type = STACK_MISC;\n\n\t\t/* regular write of data into stack destroys any spilled ptr */\n\t\tstate->stack[spi].spilled_ptr.type = NOT_INIT;\n\t\t/* Mark slots as STACK_MISC if they belonged to spilled ptr. */\n\t\tif (state->stack[spi].slot_type[0] == STACK_SPILL)\n\t\t\tfor (i = 0; i < BPF_REG_SIZE; i++)\n\t\t\t\tstate->stack[spi].slot_type[i] = STACK_MISC;\n\n\t\t/* only mark the slot as written if all 8 bytes were written\n\t\t * otherwise read propagation may incorrectly stop too soon\n\t\t * when stack slots are partially written.\n\t\t * This heuristic means that read propagation will be\n\t\t * conservative, since it will add reg_live_read marks\n\t\t * to stack slots all the way to first state when programs\n\t\t * writes+reads less than 8 bytes\n\t\t */\n\t\tif (size == BPF_REG_SIZE)\n\t\t\tstate->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;\n\n\t\t/* when we zero initialize stack slots mark them as such */\n\t\tif (reg && register_is_null(reg)) {\n\t\t\t/* backtracking doesn't work for STACK_ZERO yet. */\n\t\t\terr = mark_chain_precision(env, value_regno);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t\ttype = STACK_ZERO;\n\t\t}\n\n\t\t/* Mark slots affected by this stack write. 
*/\n\t\tfor (i = 0; i < size; i++)\n\t\t\tstate->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] =\n\t\t\t\ttype;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 136573424594644366062962198828235213965, "size": 127, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 
R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. 
After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328494 }, { "func": "static int check_stack_write(struct bpf_verifier_env *env,\n\t\t\t struct bpf_func_state *state, /* func where register points to */\n\t\t\t int off, int size, int value_regno, int insn_idx)\n{\n\tstruct bpf_func_state *cur; /* 
state of the current function */\n\tint i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;\n\tu32 dst_reg = env->prog->insnsi[insn_idx].dst_reg;\n\tstruct bpf_reg_state *reg = NULL;\n\n\terr = realloc_func_state(state, round_up(slot + 1, BPF_REG_SIZE),\n\t\t\t\t state->acquired_refs, true);\n\tif (err)\n\t\treturn err;\n\t/* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,\n\t * so it's aligned access and [off, off + size) are within stack limits\n\t */\n\tif (!env->allow_ptr_leaks &&\n\t state->stack[spi].slot_type[0] == STACK_SPILL &&\n\t size != BPF_REG_SIZE) {\n\t\tverbose(env, \"attempt to corrupt spilled pointer on stack\\n\");\n\t\treturn -EACCES;\n\t}\n\n\tcur = env->cur_state->frame[env->cur_state->curframe];\n\tif (value_regno >= 0)\n\t\treg = &cur->regs[value_regno];\n\n\tif (reg && size == BPF_REG_SIZE && register_is_bounded(reg) &&\n\t !register_is_null(reg) && env->bpf_capable) {\n\t\tif (dst_reg != BPF_REG_FP) {\n\t\t\t/* The backtracking logic can only recognize explicit\n\t\t\t * stack slot address like [fp - 8]. 
Other spill of\n\t\t\t * scalar via different register has to be conervative.\n\t\t\t * Backtrack from here and mark all registers as precise\n\t\t\t * that contributed into 'reg' being a constant.\n\t\t\t */\n\t\t\terr = mark_chain_precision(env, value_regno);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t}\n\t\tsave_register_state(state, spi, reg);\n\t} else if (reg && is_spillable_regtype(reg->type)) {\n\t\t/* register containing pointer is being spilled into stack */\n\t\tif (size != BPF_REG_SIZE) {\n\t\t\tverbose_linfo(env, insn_idx, \"; \");\n\t\t\tverbose(env, \"invalid size of register spill\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\tif (state != cur && reg->type == PTR_TO_STACK) {\n\t\t\tverbose(env, \"cannot spill pointers to stack into stack frame of the caller\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tif (!env->bypass_spec_v4) {\n\t\t\tbool sanitize = false;\n\n\t\t\tif (state->stack[spi].slot_type[0] == STACK_SPILL &&\n\t\t\t register_is_const(&state->stack[spi].spilled_ptr))\n\t\t\t\tsanitize = true;\n\t\t\tfor (i = 0; i < BPF_REG_SIZE; i++)\n\t\t\t\tif (state->stack[spi].slot_type[i] == STACK_MISC) {\n\t\t\t\t\tsanitize = true;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\tif (sanitize) {\n\t\t\t\tint *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off;\n\t\t\t\tint soff = (-spi - 1) * BPF_REG_SIZE;\n\n\t\t\t\t/* detected reuse of integer stack slot with a pointer\n\t\t\t\t * which means either llvm is reusing stack slot or\n\t\t\t\t * an attacker is trying to exploit CVE-2018-3639\n\t\t\t\t * (speculative store bypass)\n\t\t\t\t * Have to sanitize that slot with preemptive\n\t\t\t\t * store of zero.\n\t\t\t\t */\n\t\t\t\tif (*poff && *poff != soff) {\n\t\t\t\t\t/* disallow programs where single insn stores\n\t\t\t\t\t * into two different stack slots, since verifier\n\t\t\t\t\t * cannot sanitize them\n\t\t\t\t\t */\n\t\t\t\t\tverbose(env,\n\t\t\t\t\t\t\"insn %d cannot access two stack slots fp%d and fp%d\",\n\t\t\t\t\t\tinsn_idx, *poff, 
soff);\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\t\t\t\t*poff = soff;\n\t\t\t}\n\t\t}\n\t\tsave_register_state(state, spi, reg);\n\t} else {\n\t\tu8 type = STACK_MISC;\n\n\t\t/* regular write of data into stack destroys any spilled ptr */\n\t\tstate->stack[spi].spilled_ptr.type = NOT_INIT;\n\t\t/* Mark slots as STACK_MISC if they belonged to spilled ptr. */\n\t\tif (state->stack[spi].slot_type[0] == STACK_SPILL)\n\t\t\tfor (i = 0; i < BPF_REG_SIZE; i++)\n\t\t\t\tstate->stack[spi].slot_type[i] = STACK_MISC;\n\n\t\t/* only mark the slot as written if all 8 bytes were written\n\t\t * otherwise read propagation may incorrectly stop too soon\n\t\t * when stack slots are partially written.\n\t\t * This heuristic means that read propagation will be\n\t\t * conservative, since it will add reg_live_read marks\n\t\t * to stack slots all the way to first state when programs\n\t\t * writes+reads less than 8 bytes\n\t\t */\n\t\tif (size == BPF_REG_SIZE)\n\t\t\tstate->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;\n\n\t\t/* when we zero initialize stack slots mark them as such */\n\t\tif (reg && register_is_null(reg)) {\n\t\t\t/* backtracking doesn't work for STACK_ZERO yet. */\n\t\t\terr = mark_chain_precision(env, value_regno);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t\ttype = STACK_ZERO;\n\t\t}\n\n\t\t/* Mark slots affected by this stack write. 
*/\n\t\tfor (i = 0; i < size; i++)\n\t\t\tstate->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] =\n\t\t\t\ttype;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 260485043559703299534174991104526835758, "size": 127, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). 
However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456519 }, { "func": "static int check_map_func_compatibility(struct bpf_verifier_env *env,\n\t\t\t\t\tstruct bpf_map *map, int func_id)\n{\n\tif (!map)\n\t\treturn 0;\n\n\t/* We need a two way check, first is from map perspective ... 
*/\n\tswitch (map->map_type) {\n\tcase BPF_MAP_TYPE_PROG_ARRAY:\n\t\tif (func_id != BPF_FUNC_tail_call)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_PERF_EVENT_ARRAY:\n\t\tif (func_id != BPF_FUNC_perf_event_read &&\n\t\t func_id != BPF_FUNC_perf_event_output &&\n\t\t func_id != BPF_FUNC_skb_output &&\n\t\t func_id != BPF_FUNC_perf_event_read_value &&\n\t\t func_id != BPF_FUNC_xdp_output)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_STACK_TRACE:\n\t\tif (func_id != BPF_FUNC_get_stackid)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_CGROUP_ARRAY:\n\t\tif (func_id != BPF_FUNC_skb_under_cgroup &&\n\t\t func_id != BPF_FUNC_current_task_under_cgroup)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_CGROUP_STORAGE:\n\tcase BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE:\n\t\tif (func_id != BPF_FUNC_get_local_storage)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_DEVMAP:\n\tcase BPF_MAP_TYPE_DEVMAP_HASH:\n\t\tif (func_id != BPF_FUNC_redirect_map &&\n\t\t func_id != BPF_FUNC_map_lookup_elem)\n\t\t\tgoto error;\n\t\tbreak;\n\t/* Restrict bpf side of cpumap and xskmap, open when use-cases\n\t * appear.\n\t */\n\tcase BPF_MAP_TYPE_CPUMAP:\n\t\tif (func_id != BPF_FUNC_redirect_map)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_XSKMAP:\n\t\tif (func_id != BPF_FUNC_redirect_map &&\n\t\t func_id != BPF_FUNC_map_lookup_elem)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_ARRAY_OF_MAPS:\n\tcase BPF_MAP_TYPE_HASH_OF_MAPS:\n\t\tif (func_id != BPF_FUNC_map_lookup_elem)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_SOCKMAP:\n\t\tif (func_id != BPF_FUNC_sk_redirect_map &&\n\t\t func_id != BPF_FUNC_sock_map_update &&\n\t\t func_id != BPF_FUNC_map_delete_elem &&\n\t\t func_id != BPF_FUNC_msg_redirect_map &&\n\t\t func_id != BPF_FUNC_sk_select_reuseport)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_SOCKHASH:\n\t\tif (func_id != BPF_FUNC_sk_redirect_hash &&\n\t\t func_id != BPF_FUNC_sock_hash_update &&\n\t\t func_id != BPF_FUNC_map_delete_elem 
&&\n\t\t func_id != BPF_FUNC_msg_redirect_hash &&\n\t\t func_id != BPF_FUNC_sk_select_reuseport)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_REUSEPORT_SOCKARRAY:\n\t\tif (func_id != BPF_FUNC_sk_select_reuseport)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_QUEUE:\n\tcase BPF_MAP_TYPE_STACK:\n\t\tif (func_id != BPF_FUNC_map_peek_elem &&\n\t\t func_id != BPF_FUNC_map_pop_elem &&\n\t\t func_id != BPF_FUNC_map_push_elem)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_SK_STORAGE:\n\t\tif (func_id != BPF_FUNC_sk_storage_get &&\n\t\t func_id != BPF_FUNC_sk_storage_delete)\n\t\t\tgoto error;\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\n\t/* ... and second from the function itself. */\n\tswitch (func_id) {\n\tcase BPF_FUNC_tail_call:\n\t\tif (map->map_type != BPF_MAP_TYPE_PROG_ARRAY)\n\t\t\tgoto error;\n\t\tif (env->subprog_cnt > 1) {\n\t\t\tverbose(env, \"tail_calls are not allowed in programs with bpf-to-bpf calls\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tbreak;\n\tcase BPF_FUNC_perf_event_read:\n\tcase BPF_FUNC_perf_event_output:\n\tcase BPF_FUNC_perf_event_read_value:\n\tcase BPF_FUNC_skb_output:\n\tcase BPF_FUNC_xdp_output:\n\t\tif (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_get_stackid:\n\t\tif (map->map_type != BPF_MAP_TYPE_STACK_TRACE)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_current_task_under_cgroup:\n\tcase BPF_FUNC_skb_under_cgroup:\n\t\tif (map->map_type != BPF_MAP_TYPE_CGROUP_ARRAY)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_redirect_map:\n\t\tif (map->map_type != BPF_MAP_TYPE_DEVMAP &&\n\t\t map->map_type != BPF_MAP_TYPE_DEVMAP_HASH &&\n\t\t map->map_type != BPF_MAP_TYPE_CPUMAP &&\n\t\t map->map_type != BPF_MAP_TYPE_XSKMAP)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_sk_redirect_map:\n\tcase BPF_FUNC_msg_redirect_map:\n\tcase BPF_FUNC_sock_map_update:\n\t\tif (map->map_type != BPF_MAP_TYPE_SOCKMAP)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_sk_redirect_hash:\n\tcase 
BPF_FUNC_msg_redirect_hash:\n\tcase BPF_FUNC_sock_hash_update:\n\t\tif (map->map_type != BPF_MAP_TYPE_SOCKHASH)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_get_local_storage:\n\t\tif (map->map_type != BPF_MAP_TYPE_CGROUP_STORAGE &&\n\t\t map->map_type != BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_sk_select_reuseport:\n\t\tif (map->map_type != BPF_MAP_TYPE_REUSEPORT_SOCKARRAY &&\n\t\t map->map_type != BPF_MAP_TYPE_SOCKMAP &&\n\t\t map->map_type != BPF_MAP_TYPE_SOCKHASH)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_map_peek_elem:\n\tcase BPF_FUNC_map_pop_elem:\n\tcase BPF_FUNC_map_push_elem:\n\t\tif (map->map_type != BPF_MAP_TYPE_QUEUE &&\n\t\t map->map_type != BPF_MAP_TYPE_STACK)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_sk_storage_get:\n\tcase BPF_FUNC_sk_storage_delete:\n\t\tif (map->map_type != BPF_MAP_TYPE_SK_STORAGE)\n\t\t\tgoto error;\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\n\treturn 0;\nerror:\n\tverbose(env, \"cannot pass map_type %d into func %s#%d\\n\",\n\t\tmap->map_type, func_id_name(func_id), func_id);\n\treturn -EINVAL;\n}", "project": "linux", "hash": 81490636670337794863197848464839370624, "size": 172, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232533 }, { "func": "static int check_map_func_compatibility(struct bpf_verifier_env *env,\n\t\t\t\t\tstruct bpf_map *map, int func_id)\n{\n\tif (!map)\n\t\treturn 0;\n\n\t/* We need a two way check, first is from map perspective ... */\n\tswitch (map->map_type) {\n\tcase BPF_MAP_TYPE_PROG_ARRAY:\n\t\tif (func_id != BPF_FUNC_tail_call)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_PERF_EVENT_ARRAY:\n\t\tif (func_id != BPF_FUNC_perf_event_read &&\n\t\t func_id != BPF_FUNC_perf_event_output &&\n\t\t func_id != BPF_FUNC_skb_output &&\n\t\t func_id != BPF_FUNC_perf_event_read_value &&\n\t\t func_id != BPF_FUNC_xdp_output)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_RINGBUF:\n\t\tif (func_id != BPF_FUNC_ringbuf_output &&\n\t\t func_id != BPF_FUNC_ringbuf_reserve &&\n\t\t func_id != BPF_FUNC_ringbuf_submit &&\n\t\t func_id != BPF_FUNC_ringbuf_discard &&\n\t\t func_id != BPF_FUNC_ringbuf_query)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_STACK_TRACE:\n\t\tif (func_id != BPF_FUNC_get_stackid)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_CGROUP_ARRAY:\n\t\tif (func_id != BPF_FUNC_skb_under_cgroup &&\n\t\t func_id != BPF_FUNC_current_task_under_cgroup)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_CGROUP_STORAGE:\n\tcase BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE:\n\t\tif (func_id != BPF_FUNC_get_local_storage)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_DEVMAP:\n\tcase 
BPF_MAP_TYPE_DEVMAP_HASH:\n\t\tif (func_id != BPF_FUNC_redirect_map &&\n\t\t func_id != BPF_FUNC_map_lookup_elem)\n\t\t\tgoto error;\n\t\tbreak;\n\t/* Restrict bpf side of cpumap and xskmap, open when use-cases\n\t * appear.\n\t */\n\tcase BPF_MAP_TYPE_CPUMAP:\n\t\tif (func_id != BPF_FUNC_redirect_map)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_XSKMAP:\n\t\tif (func_id != BPF_FUNC_redirect_map &&\n\t\t func_id != BPF_FUNC_map_lookup_elem)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_ARRAY_OF_MAPS:\n\tcase BPF_MAP_TYPE_HASH_OF_MAPS:\n\t\tif (func_id != BPF_FUNC_map_lookup_elem)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_SOCKMAP:\n\t\tif (func_id != BPF_FUNC_sk_redirect_map &&\n\t\t func_id != BPF_FUNC_sock_map_update &&\n\t\t func_id != BPF_FUNC_map_delete_elem &&\n\t\t func_id != BPF_FUNC_msg_redirect_map &&\n\t\t func_id != BPF_FUNC_sk_select_reuseport &&\n\t\t func_id != BPF_FUNC_map_lookup_elem)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_SOCKHASH:\n\t\tif (func_id != BPF_FUNC_sk_redirect_hash &&\n\t\t func_id != BPF_FUNC_sock_hash_update &&\n\t\t func_id != BPF_FUNC_map_delete_elem &&\n\t\t func_id != BPF_FUNC_msg_redirect_hash &&\n\t\t func_id != BPF_FUNC_sk_select_reuseport &&\n\t\t func_id != BPF_FUNC_map_lookup_elem)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_REUSEPORT_SOCKARRAY:\n\t\tif (func_id != BPF_FUNC_sk_select_reuseport)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_QUEUE:\n\tcase BPF_MAP_TYPE_STACK:\n\t\tif (func_id != BPF_FUNC_map_peek_elem &&\n\t\t func_id != BPF_FUNC_map_pop_elem &&\n\t\t func_id != BPF_FUNC_map_push_elem)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_MAP_TYPE_SK_STORAGE:\n\t\tif (func_id != BPF_FUNC_sk_storage_get &&\n\t\t func_id != BPF_FUNC_sk_storage_delete)\n\t\t\tgoto error;\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\n\t/* ... and second from the function itself. 
*/\n\tswitch (func_id) {\n\tcase BPF_FUNC_tail_call:\n\t\tif (map->map_type != BPF_MAP_TYPE_PROG_ARRAY)\n\t\t\tgoto error;\n\t\tif (env->subprog_cnt > 1) {\n\t\t\tverbose(env, \"tail_calls are not allowed in programs with bpf-to-bpf calls\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tbreak;\n\tcase BPF_FUNC_perf_event_read:\n\tcase BPF_FUNC_perf_event_output:\n\tcase BPF_FUNC_perf_event_read_value:\n\tcase BPF_FUNC_skb_output:\n\tcase BPF_FUNC_xdp_output:\n\t\tif (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_get_stackid:\n\t\tif (map->map_type != BPF_MAP_TYPE_STACK_TRACE)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_current_task_under_cgroup:\n\tcase BPF_FUNC_skb_under_cgroup:\n\t\tif (map->map_type != BPF_MAP_TYPE_CGROUP_ARRAY)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_redirect_map:\n\t\tif (map->map_type != BPF_MAP_TYPE_DEVMAP &&\n\t\t map->map_type != BPF_MAP_TYPE_DEVMAP_HASH &&\n\t\t map->map_type != BPF_MAP_TYPE_CPUMAP &&\n\t\t map->map_type != BPF_MAP_TYPE_XSKMAP)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_sk_redirect_map:\n\tcase BPF_FUNC_msg_redirect_map:\n\tcase BPF_FUNC_sock_map_update:\n\t\tif (map->map_type != BPF_MAP_TYPE_SOCKMAP)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_sk_redirect_hash:\n\tcase BPF_FUNC_msg_redirect_hash:\n\tcase BPF_FUNC_sock_hash_update:\n\t\tif (map->map_type != BPF_MAP_TYPE_SOCKHASH)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_get_local_storage:\n\t\tif (map->map_type != BPF_MAP_TYPE_CGROUP_STORAGE &&\n\t\t map->map_type != BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_sk_select_reuseport:\n\t\tif (map->map_type != BPF_MAP_TYPE_REUSEPORT_SOCKARRAY &&\n\t\t map->map_type != BPF_MAP_TYPE_SOCKMAP &&\n\t\t map->map_type != BPF_MAP_TYPE_SOCKHASH)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_map_peek_elem:\n\tcase BPF_FUNC_map_pop_elem:\n\tcase BPF_FUNC_map_push_elem:\n\t\tif (map->map_type != BPF_MAP_TYPE_QUEUE &&\n\t\t 
map->map_type != BPF_MAP_TYPE_STACK)\n\t\t\tgoto error;\n\t\tbreak;\n\tcase BPF_FUNC_sk_storage_get:\n\tcase BPF_FUNC_sk_storage_delete:\n\t\tif (map->map_type != BPF_MAP_TYPE_SK_STORAGE)\n\t\t\tgoto error;\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\n\treturn 0;\nerror:\n\tverbose(env, \"cannot pass map_type %d into func %s#%d\\n\",\n\t\tmap->map_type, func_id_name(func_id), func_id);\n\treturn -EINVAL;\n}", "project": "linux", "hash": 214772960002948692114259065139327647603, "size": 182, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 
fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. 
After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328524 }, { "func": "static bool reg_type_mismatch_ok(enum bpf_reg_type type)\n{\n\tswitch (type) {\n\tcase PTR_TO_CTX:\n\tcase PTR_TO_SOCKET:\n\tcase PTR_TO_SOCKET_OR_NULL:\n\tcase PTR_TO_SOCK_COMMON:\n\tcase PTR_TO_SOCK_COMMON_OR_NULL:\n\tcase 
PTR_TO_TCP_SOCK:\n\tcase PTR_TO_TCP_SOCK_OR_NULL:\n\tcase PTR_TO_XDP_SOCK:\n\tcase PTR_TO_BTF_ID:\n\t\treturn false;\n\tdefault:\n\t\treturn true;\n\t}\n}", "project": "linux", "hash": 245434640910514712218334958830368308128, "size": 17, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232443 }, { "func": "static int check_btf_func(struct bpf_verifier_env *env,\n\t\t\t const union bpf_attr *attr,\n\t\t\t union bpf_attr __user *uattr)\n{\n\tu32 i, nfuncs, urec_size, min_size;\n\tu32 krec_size = sizeof(struct bpf_func_info);\n\tstruct bpf_func_info *krecord;\n\tstruct bpf_func_info_aux *info_aux = NULL;\n\tconst struct btf_type *type;\n\tstruct bpf_prog *prog;\n\tconst struct btf *btf;\n\tvoid __user *urecord;\n\tu32 prev_offset = 0;\n\tint ret = 0;\n\n\tnfuncs = attr->func_info_cnt;\n\tif (!nfuncs)\n\t\treturn 0;\n\n\tif (nfuncs != env->subprog_cnt) {\n\t\tverbose(env, \"number of funcs in func_info doesn't match number of subprogs\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\turec_size = attr->func_info_rec_size;\n\tif (urec_size < MIN_BPF_FUNCINFO_SIZE ||\n\t urec_size > MAX_FUNCINFO_REC_SIZE ||\n\t urec_size % sizeof(u32)) {\n\t\tverbose(env, \"invalid func info rec size %u\\n\", urec_size);\n\t\treturn -EINVAL;\n\t}\n\n\tprog = env->prog;\n\tbtf = prog->aux->btf;\n\n\turecord = u64_to_user_ptr(attr->func_info);\n\tmin_size = min_t(u32, krec_size, urec_size);\n\n\tkrecord = kvcalloc(nfuncs, krec_size, GFP_KERNEL | __GFP_NOWARN);\n\tif (!krecord)\n\t\treturn -ENOMEM;\n\tinfo_aux = kcalloc(nfuncs, sizeof(*info_aux), GFP_KERNEL | __GFP_NOWARN);\n\tif (!info_aux)\n\t\tgoto err_free;\n\n\tfor (i = 0; i < nfuncs; i++) {\n\t\tret = bpf_check_uarg_tail_zero(urecord, krec_size, urec_size);\n\t\tif (ret) {\n\t\t\tif (ret == -E2BIG) {\n\t\t\t\tverbose(env, \"nonzero tailing record in func info\");\n\t\t\t\t/* set the size kernel expects so loader can zero\n\t\t\t\t * out the rest of the 
record.\n\t\t\t\t */\n\t\t\t\tif (put_user(min_size, &uattr->func_info_rec_size))\n\t\t\t\t\tret = -EFAULT;\n\t\t\t}\n\t\t\tgoto err_free;\n\t\t}\n\n\t\tif (copy_from_user(&krecord[i], urecord, min_size)) {\n\t\t\tret = -EFAULT;\n\t\t\tgoto err_free;\n\t\t}\n\n\t\t/* check insn_off */\n\t\tif (i == 0) {\n\t\t\tif (krecord[i].insn_off) {\n\t\t\t\tverbose(env,\n\t\t\t\t\t\"nonzero insn_off %u for the first func info record\",\n\t\t\t\t\tkrecord[i].insn_off);\n\t\t\t\tret = -EINVAL;\n\t\t\t\tgoto err_free;\n\t\t\t}\n\t\t} else if (krecord[i].insn_off <= prev_offset) {\n\t\t\tverbose(env,\n\t\t\t\t\"same or smaller insn offset (%u) than previous func info record (%u)\",\n\t\t\t\tkrecord[i].insn_off, prev_offset);\n\t\t\tret = -EINVAL;\n\t\t\tgoto err_free;\n\t\t}\n\n\t\tif (env->subprog_info[i].start != krecord[i].insn_off) {\n\t\t\tverbose(env, \"func_info BTF section doesn't match subprog layout in BPF program\\n\");\n\t\t\tret = -EINVAL;\n\t\t\tgoto err_free;\n\t\t}\n\n\t\t/* check type_id */\n\t\ttype = btf_type_by_id(btf, krecord[i].type_id);\n\t\tif (!type || !btf_type_is_func(type)) {\n\t\t\tverbose(env, \"invalid type id %d in func info\",\n\t\t\t\tkrecord[i].type_id);\n\t\t\tret = -EINVAL;\n\t\t\tgoto err_free;\n\t\t}\n\t\tinfo_aux[i].linkage = BTF_INFO_VLEN(type->info);\n\t\tprev_offset = krecord[i].insn_off;\n\t\turecord += urec_size;\n\t}\n\n\tprog->aux->func_info = krecord;\n\tprog->aux->func_info_cnt = nfuncs;\n\tprog->aux->func_info_aux = info_aux;\n\treturn 0;\n\nerr_free:\n\tkvfree(krecord);\n\tkfree(info_aux);\n\treturn ret;\n}", "project": "linux", "hash": 160087532463688741531944381956065780007, "size": 110, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232421 }, { "func": "static int check_btf_func(struct bpf_verifier_env *env,\n\t\t\t const union bpf_attr *attr,\n\t\t\t union bpf_attr __user *uattr)\n{\n\tu32 i, nfuncs, urec_size, min_size;\n\tu32 krec_size = sizeof(struct bpf_func_info);\n\tstruct bpf_func_info *krecord;\n\tstruct bpf_func_info_aux *info_aux = NULL;\n\tconst struct btf_type *type;\n\tstruct bpf_prog *prog;\n\tconst struct btf *btf;\n\tvoid __user *urecord;\n\tu32 prev_offset = 0;\n\tint ret = -ENOMEM;\n\n\tnfuncs = attr->func_info_cnt;\n\tif (!nfuncs)\n\t\treturn 0;\n\n\tif (nfuncs != env->subprog_cnt) {\n\t\tverbose(env, \"number of funcs in func_info doesn't match number of subprogs\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\turec_size = attr->func_info_rec_size;\n\tif (urec_size < MIN_BPF_FUNCINFO_SIZE ||\n\t urec_size > MAX_FUNCINFO_REC_SIZE ||\n\t urec_size % sizeof(u32)) {\n\t\tverbose(env, \"invalid func info rec size %u\\n\", urec_size);\n\t\treturn -EINVAL;\n\t}\n\n\tprog = env->prog;\n\tbtf = 
prog->aux->btf;\n\n\turecord = u64_to_user_ptr(attr->func_info);\n\tmin_size = min_t(u32, krec_size, urec_size);\n\n\tkrecord = kvcalloc(nfuncs, krec_size, GFP_KERNEL | __GFP_NOWARN);\n\tif (!krecord)\n\t\treturn -ENOMEM;\n\tinfo_aux = kcalloc(nfuncs, sizeof(*info_aux), GFP_KERNEL | __GFP_NOWARN);\n\tif (!info_aux)\n\t\tgoto err_free;\n\n\tfor (i = 0; i < nfuncs; i++) {\n\t\tret = bpf_check_uarg_tail_zero(urecord, krec_size, urec_size);\n\t\tif (ret) {\n\t\t\tif (ret == -E2BIG) {\n\t\t\t\tverbose(env, \"nonzero tailing record in func info\");\n\t\t\t\t/* set the size kernel expects so loader can zero\n\t\t\t\t * out the rest of the record.\n\t\t\t\t */\n\t\t\t\tif (put_user(min_size, &uattr->func_info_rec_size))\n\t\t\t\t\tret = -EFAULT;\n\t\t\t}\n\t\t\tgoto err_free;\n\t\t}\n\n\t\tif (copy_from_user(&krecord[i], urecord, min_size)) {\n\t\t\tret = -EFAULT;\n\t\t\tgoto err_free;\n\t\t}\n\n\t\t/* check insn_off */\n\t\tif (i == 0) {\n\t\t\tif (krecord[i].insn_off) {\n\t\t\t\tverbose(env,\n\t\t\t\t\t\"nonzero insn_off %u for the first func info record\",\n\t\t\t\t\tkrecord[i].insn_off);\n\t\t\t\tret = -EINVAL;\n\t\t\t\tgoto err_free;\n\t\t\t}\n\t\t} else if (krecord[i].insn_off <= prev_offset) {\n\t\t\tverbose(env,\n\t\t\t\t\"same or smaller insn offset (%u) than previous func info record (%u)\",\n\t\t\t\tkrecord[i].insn_off, prev_offset);\n\t\t\tret = -EINVAL;\n\t\t\tgoto err_free;\n\t\t}\n\n\t\tif (env->subprog_info[i].start != krecord[i].insn_off) {\n\t\t\tverbose(env, \"func_info BTF section doesn't match subprog layout in BPF program\\n\");\n\t\t\tret = -EINVAL;\n\t\t\tgoto err_free;\n\t\t}\n\n\t\t/* check type_id */\n\t\ttype = btf_type_by_id(btf, krecord[i].type_id);\n\t\tif (!type || !btf_type_is_func(type)) {\n\t\t\tverbose(env, \"invalid type id %d in func info\",\n\t\t\t\tkrecord[i].type_id);\n\t\t\tret = -EINVAL;\n\t\t\tgoto err_free;\n\t\t}\n\t\tinfo_aux[i].linkage = BTF_INFO_VLEN(type->info);\n\t\tprev_offset = krecord[i].insn_off;\n\t\turecord += 
urec_size;\n\t}\n\n\tprog->aux->func_info = krecord;\n\tprog->aux->func_info_cnt = nfuncs;\n\tprog->aux->func_info_aux = info_aux;\n\treturn 0;\n\nerr_free:\n\tkvfree(krecord);\n\tkfree(info_aux);\n\treturn ret;\n}", "project": "linux", "hash": 121974925430019655526843253419878969508, "size": 110, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: 
(47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. 
After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328493 }, { "func": "static bool insn_no_def(struct bpf_insn *insn)\n{\n\tu8 class = BPF_CLASS(insn->code);\n\n\treturn (class == BPF_JMP || class == BPF_JMP32 ||\n\t\tclass == BPF_STX || class == BPF_ST);\n}", "project": "linux", "hash": 
304221810425413894036476142131014757930, "size": 7, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232501 }, { "func": "static int check_btf_line(struct bpf_verifier_env *env,\n\t\t\t const union bpf_attr *attr,\n\t\t\t union bpf_attr __user *uattr)\n{\n\tu32 i, s, nr_linfo, ncopy, expected_size, rec_size, prev_offset = 0;\n\tstruct bpf_subprog_info *sub;\n\tstruct bpf_line_info *linfo;\n\tstruct bpf_prog *prog;\n\tconst struct btf *btf;\n\tvoid __user *ulinfo;\n\tint err;\n\n\tnr_linfo = attr->line_info_cnt;\n\tif (!nr_linfo)\n\t\treturn 0;\n\n\trec_size = attr->line_info_rec_size;\n\tif (rec_size < MIN_BPF_LINEINFO_SIZE ||\n\t rec_size > MAX_LINEINFO_REC_SIZE ||\n\t rec_size & (sizeof(u32) - 1))\n\t\treturn -EINVAL;\n\n\t/* Need to 
zero it in case the userspace may\n\t * pass in a smaller bpf_line_info object.\n\t */\n\tlinfo = kvcalloc(nr_linfo, sizeof(struct bpf_line_info),\n\t\t\t GFP_KERNEL | __GFP_NOWARN);\n\tif (!linfo)\n\t\treturn -ENOMEM;\n\n\tprog = env->prog;\n\tbtf = prog->aux->btf;\n\n\ts = 0;\n\tsub = env->subprog_info;\n\tulinfo = u64_to_user_ptr(attr->line_info);\n\texpected_size = sizeof(struct bpf_line_info);\n\tncopy = min_t(u32, expected_size, rec_size);\n\tfor (i = 0; i < nr_linfo; i++) {\n\t\terr = bpf_check_uarg_tail_zero(ulinfo, expected_size, rec_size);\n\t\tif (err) {\n\t\t\tif (err == -E2BIG) {\n\t\t\t\tverbose(env, \"nonzero tailing record in line_info\");\n\t\t\t\tif (put_user(expected_size,\n\t\t\t\t\t &uattr->line_info_rec_size))\n\t\t\t\t\terr = -EFAULT;\n\t\t\t}\n\t\t\tgoto err_free;\n\t\t}\n\n\t\tif (copy_from_user(&linfo[i], ulinfo, ncopy)) {\n\t\t\terr = -EFAULT;\n\t\t\tgoto err_free;\n\t\t}\n\n\t\t/*\n\t\t * Check insn_off to ensure\n\t\t * 1) strictly increasing AND\n\t\t * 2) bounded by prog->len\n\t\t *\n\t\t * The linfo[0].insn_off == 0 check logically falls into\n\t\t * the later \"missing bpf_line_info for func...\" case\n\t\t * because the first linfo[0].insn_off must be the\n\t\t * first sub also and the first sub must have\n\t\t * subprog_info[0].start == 0.\n\t\t */\n\t\tif ((i && linfo[i].insn_off <= prev_offset) ||\n\t\t linfo[i].insn_off >= prog->len) {\n\t\t\tverbose(env, \"Invalid line_info[%u].insn_off:%u (prev_offset:%u prog->len:%u)\\n\",\n\t\t\t\ti, linfo[i].insn_off, prev_offset,\n\t\t\t\tprog->len);\n\t\t\terr = -EINVAL;\n\t\t\tgoto err_free;\n\t\t}\n\n\t\tif (!prog->insnsi[linfo[i].insn_off].code) {\n\t\t\tverbose(env,\n\t\t\t\t\"Invalid insn code at line_info[%u].insn_off\\n\",\n\t\t\t\ti);\n\t\t\terr = -EINVAL;\n\t\t\tgoto err_free;\n\t\t}\n\n\t\tif (!btf_name_by_offset(btf, linfo[i].line_off) ||\n\t\t !btf_name_by_offset(btf, linfo[i].file_name_off)) {\n\t\t\tverbose(env, \"Invalid line_info[%u].line_off or .file_name_off\\n\", 
i);\n\t\t\terr = -EINVAL;\n\t\t\tgoto err_free;\n\t\t}\n\n\t\tif (s != env->subprog_cnt) {\n\t\t\tif (linfo[i].insn_off == sub[s].start) {\n\t\t\t\tsub[s].linfo_idx = i;\n\t\t\t\ts++;\n\t\t\t} else if (sub[s].start < linfo[i].insn_off) {\n\t\t\t\tverbose(env, \"missing bpf_line_info for func#%u\\n\", s);\n\t\t\t\terr = -EINVAL;\n\t\t\t\tgoto err_free;\n\t\t\t}\n\t\t}\n\n\t\tprev_offset = linfo[i].insn_off;\n\t\tulinfo += rec_size;\n\t}\n\n\tif (s != env->subprog_cnt) {\n\t\tverbose(env, \"missing bpf_line_info for %u funcs starting from func#%u\\n\",\n\t\t\tenv->subprog_cnt - s, s);\n\t\terr = -EINVAL;\n\t\tgoto err_free;\n\t}\n\n\tprog->aux->linfo = linfo;\n\tprog->aux->nr_linfo = nr_linfo;\n\n\treturn 0;\n\nerr_free:\n\tkvfree(linfo);\n\treturn err;\n}", "project": "linux", "hash": 216083679988055846838452345786006067857, "size": 121, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232448 }, { "func": "static bool may_access_direct_pkt_data(struct bpf_verifier_env *env,\n\t\t\t\t const struct bpf_call_arg_meta *meta,\n\t\t\t\t enum bpf_access_type t)\n{\n\tswitch (env->prog->type) {\n\t/* Program types only with direct read access go here! */\n\tcase BPF_PROG_TYPE_LWT_IN:\n\tcase BPF_PROG_TYPE_LWT_OUT:\n\tcase BPF_PROG_TYPE_LWT_SEG6LOCAL:\n\tcase BPF_PROG_TYPE_SK_REUSEPORT:\n\tcase BPF_PROG_TYPE_FLOW_DISSECTOR:\n\tcase BPF_PROG_TYPE_CGROUP_SKB:\n\t\tif (t == BPF_WRITE)\n\t\t\treturn false;\n\t\t/* fallthrough */\n\n\t/* Program types with direct read + write access go here! */\n\tcase BPF_PROG_TYPE_SCHED_CLS:\n\tcase BPF_PROG_TYPE_SCHED_ACT:\n\tcase BPF_PROG_TYPE_XDP:\n\tcase BPF_PROG_TYPE_LWT_XMIT:\n\tcase BPF_PROG_TYPE_SK_SKB:\n\tcase BPF_PROG_TYPE_SK_MSG:\n\t\tif (meta)\n\t\t\treturn meta->pkt_access;\n\n\t\tenv->seen_direct_write = true;\n\t\treturn true;\n\n\tcase BPF_PROG_TYPE_CGROUP_SOCKOPT:\n\t\tif (t == BPF_WRITE)\n\t\t\tenv->seen_direct_write = true;\n\n\t\treturn true;\n\n\tdefault:\n\t\treturn false;\n\t}\n}", "project": "linux", "hash": 89520146200920507137374662147271221643, "size": 39, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232576 }, { "func": "static bool type_is_sk_pointer(enum bpf_reg_type type)\n{\n\treturn type == PTR_TO_SOCKET ||\n\t\ttype == PTR_TO_SOCK_COMMON ||\n\t\ttype == PTR_TO_TCP_SOCK ||\n\t\ttype == PTR_TO_XDP_SOCK;\n}", "project": "linux", "hash": 129893807979091735638075374701399196995, "size": 7, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. 
These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232515 }, { "func": "static void scalar_min_max_add(struct bpf_reg_state *dst_reg,\n\t\t\t struct bpf_reg_state *src_reg)\n{\n\ts64 smin_val = src_reg->smin_value;\n\ts64 smax_val = src_reg->smax_value;\n\tu64 umin_val = src_reg->umin_value;\n\tu64 umax_val = src_reg->umax_value;\n\n\tif (signed_add_overflows(dst_reg->smin_value, smin_val) ||\n\t signed_add_overflows(dst_reg->smax_value, smax_val)) {\n\t\tdst_reg->smin_value = S64_MIN;\n\t\tdst_reg->smax_value = S64_MAX;\n\t} else {\n\t\tdst_reg->smin_value += smin_val;\n\t\tdst_reg->smax_value += smax_val;\n\t}\n\tif (dst_reg->umin_value + umin_val < umin_val ||\n\t dst_reg->umax_value + umax_val < umax_val) {\n\t\tdst_reg->umin_value = 0;\n\t\tdst_reg->umax_value = U64_MAX;\n\t} else {\n\t\tdst_reg->umin_value += umin_val;\n\t\tdst_reg->umax_value += umax_val;\n\t}\n\tdst_reg->var_off = tnum_add(dst_reg->var_off, src_reg->var_off);\n}", "project": "linux", "hash": 81470803245153412816751970045226802916, "size": 26, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232523 }, { "func": "static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,\n\t\t\t enum reg_arg_type t)\n{\n\tstruct bpf_verifier_state *vstate = env->cur_state;\n\tstruct bpf_func_state *state = vstate->frame[vstate->curframe];\n\tstruct bpf_insn *insn = env->prog->insnsi + env->insn_idx;\n\tstruct bpf_reg_state *reg, *regs = state->regs;\n\tbool rw64;\n\n\tif (regno >= MAX_BPF_REG) {\n\t\tverbose(env, \"R%d is invalid\\n\", regno);\n\t\treturn -EINVAL;\n\t}\n\n\treg = ®s[regno];\n\trw64 = is_reg64(env, insn, regno, reg, t);\n\tif (t == SRC_OP) {\n\t\t/* check whether register used as source operand can be read */\n\t\tif (reg->type == NOT_INIT) {\n\t\t\tverbose(env, \"R%d !read_ok\\n\", regno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\t/* We don't need to worry about FP liveness because it's read-only */\n\t\tif (regno == BPF_REG_FP)\n\t\t\treturn 0;\n\n\t\tif (rw64)\n\t\t\tmark_insn_zext(env, reg);\n\n\t\treturn mark_reg_read(env, reg, reg->parent,\n\t\t\t\t rw64 ? 
REG_LIVE_READ64 : REG_LIVE_READ32);\n\t} else {\n\t\t/* check whether register used as dest operand can be written to */\n\t\tif (regno == BPF_REG_FP) {\n\t\t\tverbose(env, \"frame pointer is read only\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\t\treg->live |= REG_LIVE_WRITTEN;\n\t\treg->subreg_def = rw64 ? DEF_NOT_SUBREG : env->insn_idx + 1;\n\t\tif (t == DST_OP)\n\t\t\tmark_reg_unknown(env, regs, regno);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 334318797722573027769965178462911560368, "size": 44, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232510 }, { "func": "static void __mark_ptr_or_null_regs(struct bpf_func_state *state, u32 id,\n\t\t\t\t bool is_null)\n{\n\tstruct bpf_reg_state *reg;\n\tint i;\n\n\tfor (i = 0; i < MAX_BPF_REG; i++)\n\t\tmark_ptr_or_null_reg(state, &state->regs[i], id, is_null);\n\n\tbpf_for_each_spilled_reg(i, state, reg) {\n\t\tif (!reg)\n\t\t\tcontinue;\n\t\tmark_ptr_or_null_reg(state, reg, id, is_null);\n\t}\n}", "project": "linux", "hash": 291463142034405090357207828986761391324, "size": 15, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232620 }, { "func": "static bool is_ctx_reg(struct bpf_verifier_env *env, int regno)\n{\n\tconst struct bpf_reg_state *reg = reg_state(env, regno);\n\n\treturn reg->type == PTR_TO_CTX;\n}", "project": "linux", "hash": 67770661603408458013685577401239661571, "size": 6, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232428 }, { "func": "static void find_good_pkt_pointers(struct bpf_verifier_state *vstate,\n\t\t\t\t struct bpf_reg_state *dst_reg,\n\t\t\t\t enum bpf_reg_type type,\n\t\t\t\t bool range_right_open)\n{\n\tu16 new_range;\n\tint i;\n\n\tif (dst_reg->off < 0 ||\n\t (dst_reg->off == 0 && range_right_open))\n\t\t/* This doesn't give us any range */\n\t\treturn;\n\n\tif (dst_reg->umax_value > MAX_PACKET_OFF ||\n\t dst_reg->umax_value + dst_reg->off > MAX_PACKET_OFF)\n\t\t/* Risk of overflow. For instance, ptr + (1<<63) may be less\n\t\t * than pkt_end, but that's because it's also less than pkt.\n\t\t */\n\t\treturn;\n\n\tnew_range = dst_reg->off;\n\tif (range_right_open)\n\t\tnew_range--;\n\n\t/* Examples for register markings:\n\t *\n\t * pkt_data in dst register:\n\t *\n\t * r2 = r3;\n\t * r2 += 8;\n\t * if (r2 > pkt_end) goto \n\t * \n\t *\n\t * r2 = r3;\n\t * r2 += 8;\n\t * if (r2 < pkt_end) goto \n\t * \n\t *\n\t * Where:\n\t * r2 == dst_reg, pkt_end == src_reg\n\t * r2=pkt(id=n,off=8,r=0)\n\t * r3=pkt(id=n,off=0,r=0)\n\t *\n\t * pkt_data in src register:\n\t *\n\t * r2 = r3;\n\t * r2 += 8;\n\t * if (pkt_end >= r2) goto \n\t * \n\t *\n\t * r2 = r3;\n\t * r2 += 8;\n\t * if (pkt_end <= r2) goto \n\t * \n\t *\n\t * Where:\n\t * pkt_end == dst_reg, r2 == src_reg\n\t * r2=pkt(id=n,off=8,r=0)\n\t * r3=pkt(id=n,off=0,r=0)\n\t *\n\t * Find register r3 and mark its range as r3=pkt(id=n,off=0,r=8)\n\t * or r3=pkt(id=n,off=0,r=8-1), so that range of bytes [r3, r3 + 8)\n\t * and [r3, r3 + 8-1) respectively is safe to access depending on\n\t * the check.\n\t */\n\n\t/* If our ids match, then we must have the same 
max_value. And we\n\t * don't care about the other reg's fixed offset, since if it's too big\n\t * the range won't allow anything.\n\t * dst_reg->off is known < MAX_PACKET_OFF, therefore it fits in a u16.\n\t */\n\tfor (i = 0; i <= vstate->curframe; i++)\n\t\t__find_good_pkt_pointers(vstate->frame[i], dst_reg, type,\n\t\t\t\t\t new_range);\n}", "project": "linux", "hash": 122571834368020362408045672672137743378, "size": 75, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232563 }, { "func": "static void free_verifier_state(struct bpf_verifier_state *state,\n\t\t\t\tbool free_self)\n{\n\tint i;\n\n\tfor (i = 0; i <= state->curframe; i++) {\n\t\tfree_func_state(state->frame[i]);\n\t\tstate->frame[i] = NULL;\n\t}\n\tclear_jmp_history(state);\n\tif (free_self)\n\t\tkfree(state);\n}", "project": "linux", "hash": 108165491171730415109120461077849859664, "size": 13, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232590 }, { "func": "static bool check_ids(u32 old_id, u32 cur_id, struct idpair *idmap)\n{\n\tunsigned int i;\n\n\tfor (i = 0; i < ID_MAP_SIZE; i++) {\n\t\tif (!idmap[i].old) {\n\t\t\t/* Reached an empty slot; haven't seen this id before */\n\t\t\tidmap[i].old = old_id;\n\t\t\tidmap[i].cur = cur_id;\n\t\t\treturn true;\n\t\t}\n\t\tif (idmap[i].old == old_id)\n\t\t\treturn idmap[i].cur == cur_id;\n\t}\n\t/* We ran out of idmap slots, which should be impossible */\n\tWARN_ON_ONCE(1);\n\treturn false;\n}", "project": "linux", "hash": 225630384756703376006195736956687955918, "size": 18, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232412 }, { "func": "static int check_btf_info(struct bpf_verifier_env *env,\n\t\t\t const union bpf_attr *attr,\n\t\t\t union bpf_attr __user *uattr)\n{\n\tstruct btf *btf;\n\tint err;\n\n\tif (!attr->func_info_cnt && !attr->line_info_cnt)\n\t\treturn 0;\n\n\tbtf = btf_get_by_fd(attr->prog_btf_fd);\n\tif (IS_ERR(btf))\n\t\treturn PTR_ERR(btf);\n\tenv->prog->aux->btf = btf;\n\n\terr = check_btf_func(env, attr, uattr);\n\tif (err)\n\t\treturn err;\n\n\terr = check_btf_line(env, attr, uattr);\n\tif (err)\n\t\treturn err;\n\n\treturn 0;\n}", "project": "linux", "hash": 153106592448774935390349165772886168180, "size": 25, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232497 }, { "func": "static bool is_acquire_function(enum bpf_func_id func_id)\n{\n\treturn func_id == BPF_FUNC_sk_lookup_tcp ||\n\t\tfunc_id == BPF_FUNC_sk_lookup_udp ||\n\t\tfunc_id == BPF_FUNC_skc_lookup_tcp;\n}", "project": "linux", "hash": 70193659703336162200275387799945443694, "size": 6, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232631 }, { "func": "static int mark_chain_precision(struct bpf_verifier_env *env, int regno)\n{\n\treturn __mark_chain_precision(env, regno, -1);\n}", "project": "linux", "hash": 237605576940561685404394378091879020345, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232415 }, { "func": "static void clear_jmp_history(struct bpf_verifier_state *state)\n{\n\tkfree(state->jmp_history);\n\tstate->jmp_history = NULL;\n\tstate->jmp_history_cnt = 0;\n}", "project": "linux", "hash": 299963914856486170266185552548645228135, "size": 6, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232562 }, { "func": "static int bpf_map_direct_read(struct bpf_map *map, int off, int size, u64 *val)\n{\n\tvoid *ptr;\n\tu64 addr;\n\tint err;\n\n\terr = map->ops->map_direct_value_addr(map, &addr, off);\n\tif (err)\n\t\treturn err;\n\tptr = (void *)(long)addr + off;\n\n\tswitch (size) {\n\tcase sizeof(u8):\n\t\t*val = (u64)*(u8 *)ptr;\n\t\tbreak;\n\tcase sizeof(u16):\n\t\t*val = (u64)*(u16 *)ptr;\n\t\tbreak;\n\tcase sizeof(u32):\n\t\t*val = (u64)*(u32 *)ptr;\n\t\tbreak;\n\tcase sizeof(u64):\n\t\t*val = *(u64 *)ptr;\n\t\tbreak;\n\tdefault:\n\t\treturn -EINVAL;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 185522426896688463240098029142811481482, "size": 29, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232452 }, { "func": "static int __check_packet_access(struct bpf_verifier_env *env, u32 regno,\n\t\t\t\t int off, int size, bool zero_size_allowed)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tstruct bpf_reg_state *reg = ®s[regno];\n\n\tif (off < 0 || size < 0 || (size == 0 && !zero_size_allowed) ||\n\t (u64)off + size > reg->range) {\n\t\tverbose(env, \"invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\\n\",\n\t\t\toff, size, regno, reg->id, reg->off, reg->range);\n\t\treturn -EACCES;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 338041403216129560284000444699122632417, "size": 14, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232529 }, { "func": "static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env,\n\t\t\t\t\t const union bpf_attr *attr)\n{\n\tstruct bpf_insn *patch, zext_patch[2], rnd_hi32_patch[4];\n\tstruct bpf_insn_aux_data *aux = env->insn_aux_data;\n\tint i, patch_len, delta = 0, len = env->prog->len;\n\tstruct bpf_insn *insns = env->prog->insnsi;\n\tstruct bpf_prog *new_prog;\n\tbool rnd_hi32;\n\n\trnd_hi32 = attr->prog_flags & BPF_F_TEST_RND_HI32;\n\tzext_patch[1] = BPF_ZEXT_REG(0);\n\trnd_hi32_patch[1] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, 0);\n\trnd_hi32_patch[2] = BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32);\n\trnd_hi32_patch[3] = BPF_ALU64_REG(BPF_OR, 0, BPF_REG_AX);\n\tfor (i = 0; i < len; i++) {\n\t\tint adj_idx = i + delta;\n\t\tstruct bpf_insn insn;\n\n\t\tinsn = insns[adj_idx];\n\t\tif (!aux[adj_idx].zext_dst) {\n\t\t\tu8 code, class;\n\t\t\tu32 imm_rnd;\n\n\t\t\tif (!rnd_hi32)\n\t\t\t\tcontinue;\n\n\t\t\tcode = insn.code;\n\t\t\tclass = BPF_CLASS(code);\n\t\t\tif (insn_no_def(&insn))\n\t\t\t\tcontinue;\n\n\t\t\t/* NOTE: arg \"reg\" (the fourth one) is only used for\n\t\t\t * BPF_STX which has been ruled out in above\n\t\t\t * check, it is safe to pass NULL here.\n\t\t\t */\n\t\t\tif (is_reg64(env, &insn, insn.dst_reg, NULL, DST_OP)) {\n\t\t\t\tif (class == BPF_LD &&\n\t\t\t\t BPF_MODE(code) == BPF_IMM)\n\t\t\t\t\ti++;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\t/* ctx load could be transformed into wider load. 
*/\n\t\t\tif (class == BPF_LDX &&\n\t\t\t aux[adj_idx].ptr_type == PTR_TO_CTX)\n\t\t\t\tcontinue;\n\n\t\t\timm_rnd = get_random_int();\n\t\t\trnd_hi32_patch[0] = insn;\n\t\t\trnd_hi32_patch[1].imm = imm_rnd;\n\t\t\trnd_hi32_patch[3].dst_reg = insn.dst_reg;\n\t\t\tpatch = rnd_hi32_patch;\n\t\t\tpatch_len = 4;\n\t\t\tgoto apply_patch_buffer;\n\t\t}\n\n\t\tif (!bpf_jit_needs_zext())\n\t\t\tcontinue;\n\n\t\tzext_patch[0] = insn;\n\t\tzext_patch[1].dst_reg = insn.dst_reg;\n\t\tzext_patch[1].src_reg = insn.dst_reg;\n\t\tpatch = zext_patch;\n\t\tpatch_len = 2;\napply_patch_buffer:\n\t\tnew_prog = bpf_patch_insn_data(env, adj_idx, patch, patch_len);\n\t\tif (!new_prog)\n\t\t\treturn -ENOMEM;\n\t\tenv->prog = new_prog;\n\t\tinsns = new_prog->insnsi;\n\t\taux = env->insn_aux_data;\n\t\tdelta += patch_len - 1;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 187598197047693360847356593475425848743, "size": 77, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232644 }, { "func": "static bool range_within(struct bpf_reg_state *old,\n\t\t\t struct bpf_reg_state *cur)\n{\n\treturn old->umin_value <= cur->umin_value &&\n\t old->umax_value >= cur->umax_value &&\n\t old->smin_value <= cur->smin_value &&\n\t old->smax_value >= cur->smax_value;\n}", "project": "linux", "hash": 212873922435437675984930434539549793817, "size": 8, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232565 }, { "func": "static int realloc_func_state(struct bpf_func_state *state, int stack_size,\n\t\t\t int refs_size, bool copy_old)\n{\n\tint err = realloc_reference_state(state, refs_size, copy_old);\n\tif (err)\n\t\treturn err;\n\treturn realloc_stack_state(state, stack_size, copy_old);\n}", "project": "linux", "hash": 60266894054999203360123495066022292969, "size": 8, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232408 }, { "func": "static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,\n\t\t\t\tstruct bpf_reg_state *false_reg, u64 val,\n\t\t\t\tu8 opcode, bool is_jmp32)\n{\n\ts64 sval;\n\n\tif (__is_pointer_value(false, false_reg))\n\t\treturn;\n\n\tval = is_jmp32 ? (u32)val : val;\n\tsval = is_jmp32 ? (s64)(s32)val : (s64)val;\n\n\tswitch (opcode) {\n\tcase BPF_JEQ:\n\tcase BPF_JNE:\n\t{\n\t\tstruct bpf_reg_state *reg =\n\t\t\topcode == BPF_JEQ ? true_reg : false_reg;\n\n\t\tif (is_jmp32) {\n\t\t\tu64 old_v = reg->var_off.value;\n\t\t\tu64 hi_mask = ~0xffffffffULL;\n\n\t\t\treg->var_off.value = (old_v & hi_mask) | val;\n\t\t\treg->var_off.mask &= hi_mask;\n\t\t} else {\n\t\t\t__mark_reg_known(reg, val);\n\t\t}\n\t\tbreak;\n\t}\n\tcase BPF_JSET:\n\t\tfalse_reg->var_off = tnum_and(false_reg->var_off,\n\t\t\t\t\t tnum_const(~val));\n\t\tif (is_power_of_2(val))\n\t\t\ttrue_reg->var_off = tnum_or(true_reg->var_off,\n\t\t\t\t\t\t tnum_const(val));\n\t\tbreak;\n\tcase BPF_JGE:\n\tcase BPF_JGT:\n\t{\n\t\tu64 false_umin = opcode == BPF_JGT ? val : val + 1;\n\t\tu64 true_umax = opcode == BPF_JGT ? val - 1 : val;\n\n\t\tif (is_jmp32) {\n\t\t\tfalse_umin += gen_hi_min(false_reg->var_off);\n\t\t\ttrue_umax += gen_hi_max(true_reg->var_off);\n\t\t}\n\t\tfalse_reg->umin_value = max(false_reg->umin_value, false_umin);\n\t\ttrue_reg->umax_value = min(true_reg->umax_value, true_umax);\n\t\tbreak;\n\t}\n\tcase BPF_JSGE:\n\tcase BPF_JSGT:\n\t{\n\t\ts64 false_smin = opcode == BPF_JSGT ? sval : sval + 1;\n\t\ts64 true_smax = opcode == BPF_JSGT ? 
sval - 1 : sval;\n\n\t\tif (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg))\n\t\t\tbreak;\n\t\tfalse_reg->smin_value = max(false_reg->smin_value, false_smin);\n\t\ttrue_reg->smax_value = min(true_reg->smax_value, true_smax);\n\t\tbreak;\n\t}\n\tcase BPF_JLE:\n\tcase BPF_JLT:\n\t{\n\t\tu64 false_umax = opcode == BPF_JLT ? val : val - 1;\n\t\tu64 true_umin = opcode == BPF_JLT ? val + 1 : val;\n\n\t\tif (is_jmp32) {\n\t\t\tfalse_umax += gen_hi_max(false_reg->var_off);\n\t\t\ttrue_umin += gen_hi_min(true_reg->var_off);\n\t\t}\n\t\tfalse_reg->umax_value = min(false_reg->umax_value, false_umax);\n\t\ttrue_reg->umin_value = max(true_reg->umin_value, true_umin);\n\t\tbreak;\n\t}\n\tcase BPF_JSLE:\n\tcase BPF_JSLT:\n\t{\n\t\ts64 false_smax = opcode == BPF_JSLT ? sval : sval - 1;\n\t\ts64 true_smin = opcode == BPF_JSLT ? sval + 1 : sval;\n\n\t\tif (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg))\n\t\t\tbreak;\n\t\tfalse_reg->smax_value = min(false_reg->smax_value, false_smax);\n\t\ttrue_reg->smin_value = max(true_reg->smin_value, true_smin);\n\t\tbreak;\n\t}\n\tdefault:\n\t\tbreak;\n\t}\n\n\t__reg_deduce_bounds(false_reg);\n\t__reg_deduce_bounds(true_reg);\n\t/* We might have learned some bits from the bounds. */\n\t__reg_bound_offset(false_reg);\n\t__reg_bound_offset(true_reg);\n\tif (is_jmp32) {\n\t\t__reg_bound_offset32(false_reg);\n\t\t__reg_bound_offset32(true_reg);\n\t}\n\t/* Intersecting with the old var_off might have improved our bounds\n\t * slightly. e.g. 
if umax was 0x7f...f and var_off was (0; 0xf...fc),\n\t * then new var_off is (0; 0x7f...fc) which improves our umax.\n\t */\n\t__update_reg_bounds(false_reg);\n\t__update_reg_bounds(true_reg);\n}", "project": "linux", "hash": 237731191592254204773122667947232237546, "size": 109, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232571 }, { "func": "static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,\n\t\t\t\tstruct bpf_reg_state *false_reg,\n\t\t\t\tu64 val, u32 val32,\n\t\t\t\tu8 opcode, bool is_jmp32)\n{\n\t/* How can we transform \"a b\" into \"b a\"? 
*/\n\tstatic const u8 opcode_flip[16] = {\n\t\t/* these stay the same */\n\t\t[BPF_JEQ >> 4] = BPF_JEQ,\n\t\t[BPF_JNE >> 4] = BPF_JNE,\n\t\t[BPF_JSET >> 4] = BPF_JSET,\n\t\t/* these swap \"lesser\" and \"greater\" (L and G in the opcodes) */\n\t\t[BPF_JGE >> 4] = BPF_JLE,\n\t\t[BPF_JGT >> 4] = BPF_JLT,\n\t\t[BPF_JLE >> 4] = BPF_JGE,\n\t\t[BPF_JLT >> 4] = BPF_JGT,\n\t\t[BPF_JSGE >> 4] = BPF_JSLE,\n\t\t[BPF_JSGT >> 4] = BPF_JSLT,\n\t\t[BPF_JSLE >> 4] = BPF_JSGE,\n\t\t[BPF_JSLT >> 4] = BPF_JSGT\n\t};\n\topcode = opcode_flip[opcode >> 4];\n\t/* This uses zero as \"not present in table\"; luckily the zero opcode,\n\t * BPF_JA, can't get here.\n\t */\n\tif (opcode)\n\t\treg_set_min_max(true_reg, false_reg, val, val32, opcode, is_jmp32);\n}", "project": "linux", "hash": 323404239808954366774590721456842385413, "size": 28, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328514 }, { "func": "static bool func_states_equal(struct bpf_func_state *old,\n\t\t\t struct bpf_func_state *cur)\n{\n\tstruct idpair *idmap;\n\tbool ret = false;\n\tint i;\n\n\tidmap = kcalloc(ID_MAP_SIZE, sizeof(struct idpair), GFP_KERNEL);\n\t/* If we failed to allocate the idmap, just say it's not safe */\n\tif (!idmap)\n\t\treturn false;\n\n\tfor (i = 0; i < MAX_BPF_REG; i++) {\n\t\tif (!regsafe(&old->regs[i], &cur->regs[i], idmap))\n\t\t\tgoto out_free;\n\t}\n\n\tif (!stacksafe(old, cur, idmap))\n\t\tgoto out_free;\n\n\tif (!refsafe(old, cur))\n\t\tgoto out_free;\n\tret = true;\nout_free:\n\tkfree(idmap);\n\treturn ret;\n}", "project": "linux", "hash": 139985873093200394992567871398338739340, "size": 27, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232560 }, { "func": "static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_insn *insn,\n\t\t\t\t struct bpf_reg_state *dst_reg,\n\t\t\t\t struct bpf_reg_state src_reg)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tu8 opcode = BPF_OP(insn->code);\n\tbool src_known, dst_known;\n\ts64 smin_val, smax_val;\n\tu64 umin_val, umax_val;\n\tu64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;\n\tu32 dst = insn->dst_reg;\n\tint ret;\n\n\tif (insn_bitness == 32) {\n\t\t/* Relevant for 32-bit RSH: Information can propagate towards\n\t\t * LSB, so it isn't sufficient to only truncate the output to\n\t\t * 32 bits.\n\t\t */\n\t\tcoerce_reg_to_size(dst_reg, 4);\n\t\tcoerce_reg_to_size(&src_reg, 4);\n\t}\n\n\tsmin_val = src_reg.smin_value;\n\tsmax_val = src_reg.smax_value;\n\tumin_val = src_reg.umin_value;\n\tumax_val = src_reg.umax_value;\n\tsrc_known = tnum_is_const(src_reg.var_off);\n\tdst_known = tnum_is_const(dst_reg->var_off);\n\n\tif ((src_known && (smin_val != smax_val || umin_val != umax_val)) ||\n\t smin_val > smax_val || umin_val > umax_val) {\n\t\t/* Taint dst register if offset had invalid bounds derived from\n\t\t * e.g. 
dead branches.\n\t\t */\n\t\t__mark_reg_unknown(env, dst_reg);\n\t\treturn 0;\n\t}\n\n\tif (!src_known &&\n\t opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) {\n\t\t__mark_reg_unknown(env, dst_reg);\n\t\treturn 0;\n\t}\n\n\tswitch (opcode) {\n\tcase BPF_ADD:\n\t\tret = sanitize_val_alu(env, insn);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"R%d tried to add from different pointers or scalars\\n\", dst);\n\t\t\treturn ret;\n\t\t}\n\t\tscalar_min_max_add(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_SUB:\n\t\tret = sanitize_val_alu(env, insn);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"R%d tried to sub from different pointers or scalars\\n\", dst);\n\t\t\treturn ret;\n\t\t}\n\t\tscalar_min_max_sub(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_MUL:\n\t\tscalar_min_max_mul(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_AND:\n\t\tif (src_known && dst_known) {\n\t\t\t__mark_reg_known(dst_reg, dst_reg->var_off.value &\n\t\t\t\t\t\t src_reg.var_off.value);\n\t\t\tbreak;\n\t\t}\n\t\tscalar_min_max_and(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_OR:\n\t\tif (src_known && dst_known) {\n\t\t\t__mark_reg_known(dst_reg, dst_reg->var_off.value |\n\t\t\t\t\t\t src_reg.var_off.value);\n\t\t\tbreak;\n\t\t}\n\t\tscalar_min_max_or(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_LSH:\n\t\tif (umax_val >= insn_bitness) {\n\t\t\t/* Shifts greater than 31 or 63 are undefined.\n\t\t\t * This includes shifts by a negative number.\n\t\t\t */\n\t\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\t\tbreak;\n\t\t}\n\t\tscalar_min_max_lsh(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_RSH:\n\t\tif (umax_val >= insn_bitness) {\n\t\t\t/* Shifts greater than 31 or 63 are undefined.\n\t\t\t * This includes shifts by a negative number.\n\t\t\t */\n\t\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\t\tbreak;\n\t\t}\n\t\tscalar_min_max_rsh(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_ARSH:\n\t\tif (umax_val >= insn_bitness) {\n\t\t\t/* Shifts greater than 31 or 63 are undefined.\n\t\t\t * This includes 
shifts by a negative number.\n\t\t\t */\n\t\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\t\tbreak;\n\t\t}\n\t\tscalar_min_max_arsh(dst_reg, &src_reg, insn_bitness);\n\t\tbreak;\n\tdefault:\n\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\tbreak;\n\t}\n\n\tif (BPF_CLASS(insn->code) != BPF_ALU64) {\n\t\t/* 32-bit ALU ops are (32,32)->32 */\n\t\tcoerce_reg_to_size(dst_reg, 4);\n\t}\n\n\t__reg_deduce_bounds(dst_reg);\n\t__reg_bound_offset(dst_reg);\n\treturn 0;\n}", "project": "linux", "hash": 256853574586537399963383949255567066385, "size": 125, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 1, "dataset": "other", "idx": 195753 }, { "func": "static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_insn *insn,\n\t\t\t\t struct bpf_reg_state *dst_reg,\n\t\t\t\t struct bpf_reg_state src_reg)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tu8 opcode = BPF_OP(insn->code);\n\tbool src_known, dst_known;\n\ts64 smin_val, smax_val;\n\tu64 umin_val, umax_val;\n\tu64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;\n\tu32 dst = insn->dst_reg;\n\tint ret;\n\n\tif (insn_bitness == 32) {\n\t\t/* Relevant for 32-bit RSH: Information can propagate towards\n\t\t * LSB, so it isn't sufficient to only truncate the output to\n\t\t * 32 bits.\n\t\t */\n\t\tcoerce_reg_to_size(dst_reg, 4);\n\t\tcoerce_reg_to_size(&src_reg, 4);\n\t}\n\n\tsmin_val = src_reg.smin_value;\n\tsmax_val = src_reg.smax_value;\n\tumin_val = src_reg.umin_value;\n\tumax_val = src_reg.umax_value;\n\tsrc_known = tnum_is_const(src_reg.var_off);\n\tdst_known = tnum_is_const(dst_reg->var_off);\n\n\tif ((src_known && (smin_val != smax_val || umin_val != umax_val)) ||\n\t smin_val > smax_val || umin_val > umax_val) {\n\t\t/* Taint dst register if offset had invalid bounds derived from\n\t\t * e.g. 
dead branches.\n\t\t */\n\t\t__mark_reg_unknown(env, dst_reg);\n\t\treturn 0;\n\t}\n\n\tif (!src_known &&\n\t opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) {\n\t\t__mark_reg_unknown(env, dst_reg);\n\t\treturn 0;\n\t}\n\n\tswitch (opcode) {\n\tcase BPF_ADD:\n\t\tret = sanitize_val_alu(env, insn);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"R%d tried to add from different pointers or scalars\\n\", dst);\n\t\t\treturn ret;\n\t\t}\n\t\tscalar_min_max_add(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_SUB:\n\t\tret = sanitize_val_alu(env, insn);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"R%d tried to sub from different pointers or scalars\\n\", dst);\n\t\t\treturn ret;\n\t\t}\n\t\tscalar_min_max_sub(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_MUL:\n\t\tscalar_min_max_mul(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_AND:\n\t\tif (src_known && dst_known) {\n\t\t\t__mark_reg_known(dst_reg, dst_reg->var_off.value &\n\t\t\t\t\t\t src_reg.var_off.value);\n\t\t\tbreak;\n\t\t}\n\t\tscalar_min_max_and(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_OR:\n\t\tif (src_known && dst_known) {\n\t\t\t__mark_reg_known(dst_reg, dst_reg->var_off.value |\n\t\t\t\t\t\t src_reg.var_off.value);\n\t\t\tbreak;\n\t\t}\n\t\tscalar_min_max_or(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_LSH:\n\t\tif (umax_val >= insn_bitness) {\n\t\t\t/* Shifts greater than 31 or 63 are undefined.\n\t\t\t * This includes shifts by a negative number.\n\t\t\t */\n\t\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\t\tbreak;\n\t\t}\n\t\tscalar_min_max_lsh(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_RSH:\n\t\tif (umax_val >= insn_bitness) {\n\t\t\t/* Shifts greater than 31 or 63 are undefined.\n\t\t\t * This includes shifts by a negative number.\n\t\t\t */\n\t\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\t\tbreak;\n\t\t}\n\t\tscalar_min_max_rsh(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_ARSH:\n\t\tif (umax_val >= insn_bitness) {\n\t\t\t/* Shifts greater than 31 or 63 are undefined.\n\t\t\t * This includes 
shifts by a negative number.\n\t\t\t */\n\t\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\t\tbreak;\n\t\t}\n\t\tscalar_min_max_arsh(dst_reg, &src_reg, insn_bitness);\n\t\tbreak;\n\tdefault:\n\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\tbreak;\n\t}\n\n\tif (BPF_CLASS(insn->code) != BPF_ALU64) {\n\t\t/* 32-bit ALU ops are (32,32)->32 */\n\t\tcoerce_reg_to_size(dst_reg, 4);\n\t}\n\n\t__update_reg_bounds(dst_reg);\n\t__reg_deduce_bounds(dst_reg);\n\t__reg_bound_offset(dst_reg);\n\treturn 0;\n}", "project": "linux", "hash": 201029413509759936437749590618667202456, "size": 126, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232639 }, { "func": "static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_insn *insn,\n\t\t\t\t struct bpf_reg_state *dst_reg,\n\t\t\t\t struct bpf_reg_state src_reg)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tu8 opcode = BPF_OP(insn->code);\n\tbool src_known;\n\ts64 smin_val, smax_val;\n\tu64 umin_val, umax_val;\n\ts32 s32_min_val, s32_max_val;\n\tu32 u32_min_val, u32_max_val;\n\tu64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;\n\tu32 dst = insn->dst_reg;\n\tint ret;\n\tbool alu32 = (BPF_CLASS(insn->code) != BPF_ALU64);\n\n\tsmin_val = src_reg.smin_value;\n\tsmax_val = src_reg.smax_value;\n\tumin_val = src_reg.umin_value;\n\tumax_val = src_reg.umax_value;\n\n\ts32_min_val = src_reg.s32_min_value;\n\ts32_max_val = src_reg.s32_max_value;\n\tu32_min_val = src_reg.u32_min_value;\n\tu32_max_val = src_reg.u32_max_value;\n\n\tif (alu32) {\n\t\tsrc_known = tnum_subreg_is_const(src_reg.var_off);\n\t\tif ((src_known &&\n\t\t (s32_min_val != s32_max_val || u32_min_val != u32_max_val)) ||\n\t\t s32_min_val > s32_max_val || u32_min_val > u32_max_val) {\n\t\t\t/* Taint dst register if offset had invalid bounds\n\t\t\t * derived from e.g. dead branches.\n\t\t\t */\n\t\t\t__mark_reg_unknown(env, dst_reg);\n\t\t\treturn 0;\n\t\t}\n\t} else {\n\t\tsrc_known = tnum_is_const(src_reg.var_off);\n\t\tif ((src_known &&\n\t\t (smin_val != smax_val || umin_val != umax_val)) ||\n\t\t smin_val > smax_val || umin_val > umax_val) {\n\t\t\t/* Taint dst register if offset had invalid bounds\n\t\t\t * derived from e.g. 
dead branches.\n\t\t\t */\n\t\t\t__mark_reg_unknown(env, dst_reg);\n\t\t\treturn 0;\n\t\t}\n\t}\n\n\tif (!src_known &&\n\t opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) {\n\t\t__mark_reg_unknown(env, dst_reg);\n\t\treturn 0;\n\t}\n\n\t/* Calculate sign/unsigned bounds and tnum for alu32 and alu64 bit ops.\n\t * There are two classes of instructions: The first class we track both\n\t * alu32 and alu64 sign/unsigned bounds independently this provides the\n\t * greatest amount of precision when alu operations are mixed with jmp32\n\t * operations. These operations are BPF_ADD, BPF_SUB, BPF_MUL, BPF_ADD,\n\t * and BPF_OR. This is possible because these ops have fairly easy to\n\t * understand and calculate behavior in both 32-bit and 64-bit alu ops.\n\t * See alu32 verifier tests for examples. The second class of\n\t * operations, BPF_LSH, BPF_RSH, and BPF_ARSH, however are not so easy\n\t * with regards to tracking sign/unsigned bounds because the bits may\n\t * cross subreg boundaries in the alu64 case. 
When this happens we mark\n\t * the reg unbounded in the subreg bound space and use the resulting\n\t * tnum to calculate an approximation of the sign/unsigned bounds.\n\t */\n\tswitch (opcode) {\n\tcase BPF_ADD:\n\t\tret = sanitize_val_alu(env, insn);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"R%d tried to add from different pointers or scalars\\n\", dst);\n\t\t\treturn ret;\n\t\t}\n\t\tscalar32_min_max_add(dst_reg, &src_reg);\n\t\tscalar_min_max_add(dst_reg, &src_reg);\n\t\tdst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off);\n\t\tbreak;\n\tcase BPF_SUB:\n\t\tret = sanitize_val_alu(env, insn);\n\t\tif (ret < 0) {\n\t\t\tverbose(env, \"R%d tried to sub from different pointers or scalars\\n\", dst);\n\t\t\treturn ret;\n\t\t}\n\t\tscalar32_min_max_sub(dst_reg, &src_reg);\n\t\tscalar_min_max_sub(dst_reg, &src_reg);\n\t\tdst_reg->var_off = tnum_sub(dst_reg->var_off, src_reg.var_off);\n\t\tbreak;\n\tcase BPF_MUL:\n\t\tdst_reg->var_off = tnum_mul(dst_reg->var_off, src_reg.var_off);\n\t\tscalar32_min_max_mul(dst_reg, &src_reg);\n\t\tscalar_min_max_mul(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_AND:\n\t\tdst_reg->var_off = tnum_and(dst_reg->var_off, src_reg.var_off);\n\t\tscalar32_min_max_and(dst_reg, &src_reg);\n\t\tscalar_min_max_and(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_OR:\n\t\tdst_reg->var_off = tnum_or(dst_reg->var_off, src_reg.var_off);\n\t\tscalar32_min_max_or(dst_reg, &src_reg);\n\t\tscalar_min_max_or(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_LSH:\n\t\tif (umax_val >= insn_bitness) {\n\t\t\t/* Shifts greater than 31 or 63 are undefined.\n\t\t\t * This includes shifts by a negative number.\n\t\t\t */\n\t\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\t\tbreak;\n\t\t}\n\t\tif (alu32)\n\t\t\tscalar32_min_max_lsh(dst_reg, &src_reg);\n\t\telse\n\t\t\tscalar_min_max_lsh(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_RSH:\n\t\tif (umax_val >= insn_bitness) {\n\t\t\t/* Shifts greater than 31 or 63 are undefined.\n\t\t\t * This includes shifts by a 
negative number.\n\t\t\t */\n\t\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\t\tbreak;\n\t\t}\n\t\tif (alu32)\n\t\t\tscalar32_min_max_rsh(dst_reg, &src_reg);\n\t\telse\n\t\t\tscalar_min_max_rsh(dst_reg, &src_reg);\n\t\tbreak;\n\tcase BPF_ARSH:\n\t\tif (umax_val >= insn_bitness) {\n\t\t\t/* Shifts greater than 31 or 63 are undefined.\n\t\t\t * This includes shifts by a negative number.\n\t\t\t */\n\t\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\t\tbreak;\n\t\t}\n\t\tif (alu32)\n\t\t\tscalar32_min_max_arsh(dst_reg, &src_reg);\n\t\telse\n\t\t\tscalar_min_max_arsh(dst_reg, &src_reg);\n\t\tbreak;\n\tdefault:\n\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\tbreak;\n\t}\n\n\t/* ALU32 ops are zero extended into 64bit register */\n\tif (alu32)\n\t\tzext_32_to_64(dst_reg);\n\n\t__update_reg_bounds(dst_reg);\n\t__reg_deduce_bounds(dst_reg);\n\t__reg_bound_offset(dst_reg);\n\treturn 0;\n}", "project": "linux", "hash": 195155261191334575613697399603721045852, "size": 160, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328508 }, { "func": "static int int_ptr_type_to_size(enum bpf_arg_type type)\n{\n\tif (type == ARG_PTR_TO_INT)\n\t\treturn sizeof(u32);\n\telse if (type == ARG_PTR_TO_LONG)\n\t\treturn sizeof(u64);\n\n\treturn -EINVAL;\n}", "project": "linux", "hash": 121515627748963440207487761433935022024, "size": 9, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232567 }, { "func": "static void __mark_reg_unknown(const struct bpf_verifier_env *env,\n\t\t\t struct bpf_reg_state *reg)\n{\n\t/*\n\t * Clear type, id, off, and union(map_ptr, range) and\n\t * padding between 'type' and union\n\t */\n\tmemset(reg, 0, offsetof(struct bpf_reg_state, var_off));\n\treg->type = SCALAR_VALUE;\n\treg->var_off = tnum_unknown;\n\treg->frameno = 0;\n\treg->precise = env->subprog_cnt > 1 || !env->allow_ptr_leaks ?\n\t\t true : false;\n\t__mark_reg_unbounded(reg);\n}", "project": "linux", "hash": 29586684319489051262225617044325010364, "size": 15, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232429 }, { "func": "static bool is_sk_reg(struct bpf_verifier_env *env, int regno)\n{\n\tconst struct bpf_reg_state *reg = reg_state(env, regno);\n\n\treturn type_is_sk_pointer(reg->type);\n}", "project": "linux", "hash": 252217707798001193515743225954293116125, "size": 6, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232605 }, { "func": "static int check_return_code(struct bpf_verifier_env *env)\n{\n\tstruct tnum enforce_attach_type_range = tnum_unknown;\n\tconst struct bpf_prog *prog = env->prog;\n\tstruct bpf_reg_state *reg;\n\tstruct tnum range = tnum_range(0, 1);\n\tint err;\n\n\t/* The struct_ops func-ptr's return type could be \"void\" */\n\tif (env->prog->type == BPF_PROG_TYPE_STRUCT_OPS &&\n\t !prog->aux->attach_func_proto->type)\n\t\treturn 0;\n\n\t/* eBPF calling convetion is such that R0 is used\n\t * to return the value from eBPF program.\n\t * Make sure that it's readable at this time\n\t * of bpf_exit, which means that program wrote\n\t * something into it earlier\n\t */\n\terr = check_reg_arg(env, BPF_REG_0, SRC_OP);\n\tif (err)\n\t\treturn err;\n\n\tif (is_pointer_value(env, BPF_REG_0)) {\n\t\tverbose(env, \"R0 leaks addr as return value\\n\");\n\t\treturn -EACCES;\n\t}\n\n\tswitch (env->prog->type) {\n\tcase BPF_PROG_TYPE_CGROUP_SOCK_ADDR:\n\t\tif (env->prog->expected_attach_type == BPF_CGROUP_UDP4_RECVMSG ||\n\t\t env->prog->expected_attach_type == BPF_CGROUP_UDP6_RECVMSG)\n\t\t\trange = tnum_range(1, 1);\n\t\tbreak;\n\tcase BPF_PROG_TYPE_CGROUP_SKB:\n\t\tif (env->prog->expected_attach_type == BPF_CGROUP_INET_EGRESS) {\n\t\t\trange = tnum_range(0, 3);\n\t\t\tenforce_attach_type_range = tnum_range(2, 3);\n\t\t}\n\t\tbreak;\n\tcase BPF_PROG_TYPE_CGROUP_SOCK:\n\tcase BPF_PROG_TYPE_SOCK_OPS:\n\tcase BPF_PROG_TYPE_CGROUP_DEVICE:\n\tcase BPF_PROG_TYPE_CGROUP_SYSCTL:\n\tcase BPF_PROG_TYPE_CGROUP_SOCKOPT:\n\t\tbreak;\n\tcase BPF_PROG_TYPE_RAW_TRACEPOINT:\n\t\tif 
(!env->prog->aux->attach_btf_id)\n\t\t\treturn 0;\n\t\trange = tnum_const(0);\n\t\tbreak;\n\tdefault:\n\t\treturn 0;\n\t}\n\n\treg = cur_regs(env) + BPF_REG_0;\n\tif (reg->type != SCALAR_VALUE) {\n\t\tverbose(env, \"At program exit the register R0 is not a known value (%s)\\n\",\n\t\t\treg_type_str[reg->type]);\n\t\treturn -EINVAL;\n\t}\n\n\tif (!tnum_in(range, reg->var_off)) {\n\t\tchar tn_buf[48];\n\n\t\tverbose(env, \"At program exit the register R0 \");\n\t\tif (!tnum_is_unknown(reg->var_off)) {\n\t\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\t\tverbose(env, \"has value %s\", tn_buf);\n\t\t} else {\n\t\t\tverbose(env, \"has unknown scalar value\");\n\t\t}\n\t\ttnum_strn(tn_buf, sizeof(tn_buf), range);\n\t\tverbose(env, \" should have been in %s\\n\", tn_buf);\n\t\treturn -EINVAL;\n\t}\n\n\tif (!tnum_is_unknown(enforce_attach_type_range) &&\n\t tnum_in(enforce_attach_type_range, reg->var_off))\n\t\tenv->prog->enforce_expected_attach_type = 1;\n\treturn 0;\n}", "project": "linux", "hash": 201758946686976443634412292626746653332, "size": 82, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232432 }, { "func": "static int check_return_code(struct bpf_verifier_env *env)\n{\n\tstruct tnum enforce_attach_type_range = tnum_unknown;\n\tconst struct bpf_prog *prog = env->prog;\n\tstruct bpf_reg_state *reg;\n\tstruct tnum range = tnum_range(0, 1);\n\tint err;\n\n\t/* LSM and struct_ops func-ptr's return type could be \"void\" */\n\tif ((env->prog->type == BPF_PROG_TYPE_STRUCT_OPS ||\n\t env->prog->type == BPF_PROG_TYPE_LSM) &&\n\t !prog->aux->attach_func_proto->type)\n\t\treturn 0;\n\n\t/* eBPF calling convetion is such that R0 is used\n\t * to return the value from eBPF program.\n\t * Make sure that it's readable at this time\n\t * of bpf_exit, which means that program wrote\n\t * something into it earlier\n\t */\n\terr = check_reg_arg(env, BPF_REG_0, SRC_OP);\n\tif (err)\n\t\treturn err;\n\n\tif (is_pointer_value(env, BPF_REG_0)) {\n\t\tverbose(env, \"R0 leaks addr as return value\\n\");\n\t\treturn -EACCES;\n\t}\n\n\tswitch (env->prog->type) {\n\tcase BPF_PROG_TYPE_CGROUP_SOCK_ADDR:\n\t\tif (env->prog->expected_attach_type == BPF_CGROUP_UDP4_RECVMSG ||\n\t\t env->prog->expected_attach_type == BPF_CGROUP_UDP6_RECVMSG ||\n\t\t env->prog->expected_attach_type == BPF_CGROUP_INET4_GETPEERNAME ||\n\t\t env->prog->expected_attach_type == BPF_CGROUP_INET6_GETPEERNAME ||\n\t\t env->prog->expected_attach_type == BPF_CGROUP_INET4_GETSOCKNAME ||\n\t\t env->prog->expected_attach_type == 
BPF_CGROUP_INET6_GETSOCKNAME)\n\t\t\trange = tnum_range(1, 1);\n\t\tbreak;\n\tcase BPF_PROG_TYPE_CGROUP_SKB:\n\t\tif (env->prog->expected_attach_type == BPF_CGROUP_INET_EGRESS) {\n\t\t\trange = tnum_range(0, 3);\n\t\t\tenforce_attach_type_range = tnum_range(2, 3);\n\t\t}\n\t\tbreak;\n\tcase BPF_PROG_TYPE_CGROUP_SOCK:\n\tcase BPF_PROG_TYPE_SOCK_OPS:\n\tcase BPF_PROG_TYPE_CGROUP_DEVICE:\n\tcase BPF_PROG_TYPE_CGROUP_SYSCTL:\n\tcase BPF_PROG_TYPE_CGROUP_SOCKOPT:\n\t\tbreak;\n\tcase BPF_PROG_TYPE_RAW_TRACEPOINT:\n\t\tif (!env->prog->aux->attach_btf_id)\n\t\t\treturn 0;\n\t\trange = tnum_const(0);\n\t\tbreak;\n\tcase BPF_PROG_TYPE_TRACING:\n\t\tswitch (env->prog->expected_attach_type) {\n\t\tcase BPF_TRACE_FENTRY:\n\t\tcase BPF_TRACE_FEXIT:\n\t\t\trange = tnum_const(0);\n\t\t\tbreak;\n\t\tcase BPF_TRACE_RAW_TP:\n\t\tcase BPF_MODIFY_RETURN:\n\t\t\treturn 0;\n\t\tcase BPF_TRACE_ITER:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn -ENOTSUPP;\n\t\t}\n\t\tbreak;\n\tcase BPF_PROG_TYPE_SK_LOOKUP:\n\t\trange = tnum_range(SK_DROP, SK_PASS);\n\t\tbreak;\n\tcase BPF_PROG_TYPE_EXT:\n\t\t/* freplace program can return anything as its return value\n\t\t * depends on the to-be-replaced kernel func or bpf program.\n\t\t */\n\tdefault:\n\t\treturn 0;\n\t}\n\n\treg = cur_regs(env) + BPF_REG_0;\n\tif (reg->type != SCALAR_VALUE) {\n\t\tverbose(env, \"At program exit the register R0 is not a known value (%s)\\n\",\n\t\t\treg_type_str[reg->type]);\n\t\treturn -EINVAL;\n\t}\n\n\tif (!tnum_in(range, reg->var_off)) {\n\t\tchar tn_buf[48];\n\n\t\tverbose(env, \"At program exit the register R0 \");\n\t\tif (!tnum_is_unknown(reg->var_off)) {\n\t\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\t\tverbose(env, \"has value %s\", tn_buf);\n\t\t} else {\n\t\t\tverbose(env, \"has unknown scalar value\");\n\t\t}\n\t\ttnum_strn(tn_buf, sizeof(tn_buf), range);\n\t\tverbose(env, \" should have been in %s\\n\", tn_buf);\n\t\treturn -EINVAL;\n\t}\n\n\tif (!tnum_is_unknown(enforce_attach_type_range) &&\n\t 
tnum_in(enforce_attach_type_range, reg->var_off))\n\t\tenv->prog->enforce_expected_attach_type = 1;\n\treturn 0;\n}", "project": "linux", "hash": 125193643854748658080900900129729156289, "size": 109, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 
0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 
R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328522 }, { "func": "static int check_return_code(struct bpf_verifier_env *env)\n{\n\tstruct tnum enforce_attach_type_range = tnum_unknown;\n\tconst struct bpf_prog *prog = env->prog;\n\tstruct bpf_reg_state *reg;\n\tstruct tnum range = tnum_range(0, 1);\n\tenum bpf_prog_type prog_type = resolve_prog_type(env->prog);\n\tint err;\n\tconst bool is_subprog = env->cur_state->frame[0]->subprogno;\n\n\t/* LSM and struct_ops func-ptr's return type could be \"void\" */\n\tif (!is_subprog &&\n\t (prog_type == BPF_PROG_TYPE_STRUCT_OPS ||\n\t prog_type == BPF_PROG_TYPE_LSM) &&\n\t !prog->aux->attach_func_proto->type)\n\t\treturn 0;\n\n\t/* eBPF calling convetion is such that R0 is used\n\t * to return the value from eBPF program.\n\t * Make sure that it's readable at this time\n\t * of bpf_exit, which means that program wrote\n\t * something into it earlier\n\t */\n\terr = check_reg_arg(env, BPF_REG_0, SRC_OP);\n\tif (err)\n\t\treturn err;\n\n\tif (is_pointer_value(env, BPF_REG_0)) {\n\t\tverbose(env, \"R0 leaks addr as return value\\n\");\n\t\treturn -EACCES;\n\t}\n\n\treg = cur_regs(env) + BPF_REG_0;\n\tif (is_subprog) {\n\t\tif (reg->type != SCALAR_VALUE) {\n\t\t\tverbose(env, \"At subprogram exit the register R0 is not a scalar value 
(%s)\\n\",\n\t\t\t\treg_type_str[reg->type]);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\treturn 0;\n\t}\n\n\tswitch (prog_type) {\n\tcase BPF_PROG_TYPE_CGROUP_SOCK_ADDR:\n\t\tif (env->prog->expected_attach_type == BPF_CGROUP_UDP4_RECVMSG ||\n\t\t env->prog->expected_attach_type == BPF_CGROUP_UDP6_RECVMSG ||\n\t\t env->prog->expected_attach_type == BPF_CGROUP_INET4_GETPEERNAME ||\n\t\t env->prog->expected_attach_type == BPF_CGROUP_INET6_GETPEERNAME ||\n\t\t env->prog->expected_attach_type == BPF_CGROUP_INET4_GETSOCKNAME ||\n\t\t env->prog->expected_attach_type == BPF_CGROUP_INET6_GETSOCKNAME)\n\t\t\trange = tnum_range(1, 1);\n\t\tbreak;\n\tcase BPF_PROG_TYPE_CGROUP_SKB:\n\t\tif (env->prog->expected_attach_type == BPF_CGROUP_INET_EGRESS) {\n\t\t\trange = tnum_range(0, 3);\n\t\t\tenforce_attach_type_range = tnum_range(2, 3);\n\t\t}\n\t\tbreak;\n\tcase BPF_PROG_TYPE_CGROUP_SOCK:\n\tcase BPF_PROG_TYPE_SOCK_OPS:\n\tcase BPF_PROG_TYPE_CGROUP_DEVICE:\n\tcase BPF_PROG_TYPE_CGROUP_SYSCTL:\n\tcase BPF_PROG_TYPE_CGROUP_SOCKOPT:\n\t\tbreak;\n\tcase BPF_PROG_TYPE_RAW_TRACEPOINT:\n\t\tif (!env->prog->aux->attach_btf_id)\n\t\t\treturn 0;\n\t\trange = tnum_const(0);\n\t\tbreak;\n\tcase BPF_PROG_TYPE_TRACING:\n\t\tswitch (env->prog->expected_attach_type) {\n\t\tcase BPF_TRACE_FENTRY:\n\t\tcase BPF_TRACE_FEXIT:\n\t\t\trange = tnum_const(0);\n\t\t\tbreak;\n\t\tcase BPF_TRACE_RAW_TP:\n\t\tcase BPF_MODIFY_RETURN:\n\t\t\treturn 0;\n\t\tcase BPF_TRACE_ITER:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn -ENOTSUPP;\n\t\t}\n\t\tbreak;\n\tcase BPF_PROG_TYPE_SK_LOOKUP:\n\t\trange = tnum_range(SK_DROP, SK_PASS);\n\t\tbreak;\n\tcase BPF_PROG_TYPE_EXT:\n\t\t/* freplace program can return anything as its return value\n\t\t * depends on the to-be-replaced kernel func or bpf program.\n\t\t */\n\tdefault:\n\t\treturn 0;\n\t}\n\n\tif (reg->type != SCALAR_VALUE) {\n\t\tverbose(env, \"At program exit the register R0 is not a known value (%s)\\n\",\n\t\t\treg_type_str[reg->type]);\n\t\treturn -EINVAL;\n\t}\n\n\tif 
(!tnum_in(range, reg->var_off)) {\n\t\tchar tn_buf[48];\n\n\t\tverbose(env, \"At program exit the register R0 \");\n\t\tif (!tnum_is_unknown(reg->var_off)) {\n\t\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\t\tverbose(env, \"has value %s\", tn_buf);\n\t\t} else {\n\t\t\tverbose(env, \"has unknown scalar value\");\n\t\t}\n\t\ttnum_strn(tn_buf, sizeof(tn_buf), range);\n\t\tverbose(env, \" should have been in %s\\n\", tn_buf);\n\t\treturn -EINVAL;\n\t}\n\n\tif (!tnum_is_unknown(enforce_attach_type_range) &&\n\t tnum_in(enforce_attach_type_range, reg->var_off))\n\t\tenv->prog->enforce_expected_attach_type = 1;\n\treturn 0;\n}", "project": "linux", "hash": 66339678949331582521238303701174447231, "size": 121, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, 
we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. 
Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456514 }, { "func": "static void scalar_min_max_sub(struct bpf_reg_state *dst_reg,\n\t\t\t struct bpf_reg_state *src_reg)\n{\n\ts64 smin_val = src_reg->smin_value;\n\ts64 smax_val = src_reg->smax_value;\n\tu64 umin_val = src_reg->umin_value;\n\tu64 umax_val = src_reg->umax_value;\n\n\tif (signed_sub_overflows(dst_reg->smin_value, smax_val) ||\n\t signed_sub_overflows(dst_reg->smax_value, smin_val)) {\n\t\t/* Overflow possible, we know nothing */\n\t\tdst_reg->smin_value = S64_MIN;\n\t\tdst_reg->smax_value = S64_MAX;\n\t} else {\n\t\tdst_reg->smin_value -= smax_val;\n\t\tdst_reg->smax_value -= smin_val;\n\t}\n\tif (dst_reg->umin_value < umax_val) {\n\t\t/* Overflow possible, we know nothing */\n\t\tdst_reg->umin_value = 0;\n\t\tdst_reg->umax_value = U64_MAX;\n\t} else {\n\t\t/* Cannot overflow (as long as bounds are consistent) */\n\t\tdst_reg->umin_value -= umax_val;\n\t\tdst_reg->umax_value -= umin_val;\n\t}\n\tdst_reg->var_off = tnum_sub(dst_reg->var_off, src_reg->var_off);\n}", "project": "linux", "hash": 100744745507828493559731554432097851329, "size": 28, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232450 }, { "func": "static void __reg_deduce_bounds(struct bpf_reg_state *reg)\n{\n\t/* Learn sign from signed bounds.\n\t * If we cannot cross the sign boundary, then signed and unsigned bounds\n\t * are the same, so combine. This works even in the negative case, e.g.\n\t * -3 s<= x s<= -1 implies 0xf...fd u<= x u<= 0xf...ff.\n\t */\n\tif (reg->smin_value >= 0 || reg->smax_value < 0) {\n\t\treg->smin_value = reg->umin_value = max_t(u64, reg->smin_value,\n\t\t\t\t\t\t\t reg->umin_value);\n\t\treg->smax_value = reg->umax_value = min_t(u64, reg->smax_value,\n\t\t\t\t\t\t\t reg->umax_value);\n\t\treturn;\n\t}\n\t/* Learn sign from unsigned bounds. Signed bounds cross the sign\n\t * boundary, so we must be careful.\n\t */\n\tif ((s64)reg->umax_value >= 0) {\n\t\t/* Positive. 
We can't learn anything from the smin, but smax\n\t\t * is positive, hence safe.\n\t\t */\n\t\treg->smin_value = reg->umin_value;\n\t\treg->smax_value = reg->umax_value = min_t(u64, reg->smax_value,\n\t\t\t\t\t\t\t reg->umax_value);\n\t} else if ((s64)reg->umin_value < 0) {\n\t\t/* Negative. We can't learn anything from the smax, but smin\n\t\t * is negative, hence safe.\n\t\t */\n\t\treg->smin_value = reg->umin_value = max_t(u64, reg->smin_value,\n\t\t\t\t\t\t\t reg->umin_value);\n\t\treg->smax_value = reg->umax_value;\n\t}\n}", "project": "linux", "hash": 289481458451327048590725510576607643345, "size": 33, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232451 }, { "func": "static int check_sock_access(struct bpf_verifier_env *env, int insn_idx,\n\t\t\t u32 regno, int off, int size,\n\t\t\t enum bpf_access_type t)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tstruct bpf_reg_state *reg = ®s[regno];\n\tstruct bpf_insn_access_aux info = {};\n\tbool valid;\n\n\tif (reg->smin_value < 0) {\n\t\tverbose(env, \"R%d min value is negative, either use unsigned index or do a if (index >=0) check.\\n\",\n\t\t\tregno);\n\t\treturn -EACCES;\n\t}\n\n\tswitch (reg->type) {\n\tcase PTR_TO_SOCK_COMMON:\n\t\tvalid = bpf_sock_common_is_valid_access(off, size, t, &info);\n\t\tbreak;\n\tcase PTR_TO_SOCKET:\n\t\tvalid = bpf_sock_is_valid_access(off, size, t, &info);\n\t\tbreak;\n\tcase PTR_TO_TCP_SOCK:\n\t\tvalid = bpf_tcp_sock_is_valid_access(off, size, t, &info);\n\t\tbreak;\n\tcase PTR_TO_XDP_SOCK:\n\t\tvalid = bpf_xdp_sock_is_valid_access(off, size, t, &info);\n\t\tbreak;\n\tdefault:\n\t\tvalid = false;\n\t}\n\n\n\tif (valid) {\n\t\tenv->insn_aux_data[insn_idx].ctx_field_size =\n\t\t\tinfo.ctx_field_size;\n\t\treturn 0;\n\t}\n\n\tverbose(env, \"R%d invalid %s access off=%d size=%d\\n\",\n\t\tregno, reg_type_str[reg->type], off, size);\n\n\treturn -EACCES;\n}", "project": "linux", "hash": 171233556332346089873999464553622564941, "size": 44, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232455 }, { "func": "static bool states_equal(struct bpf_verifier_env *env,\n\t\t\t struct bpf_verifier_state *old,\n\t\t\t struct bpf_verifier_state *cur)\n{\n\tint i;\n\n\tif (old->curframe != cur->curframe)\n\t\treturn false;\n\n\t/* Verification state from speculative execution simulation\n\t * must never prune a non-speculative execution one.\n\t */\n\tif (old->speculative && !cur->speculative)\n\t\treturn false;\n\n\tif (old->active_spin_lock != cur->active_spin_lock)\n\t\treturn false;\n\n\t/* for states to be equal callsites have to be the same\n\t * and all frame states need to be equivalent\n\t */\n\tfor (i = 0; i <= old->curframe; i++) {\n\t\tif (old->frame[i]->callsite != cur->frame[i]->callsite)\n\t\t\treturn false;\n\t\tif (!func_states_equal(old->frame[i], cur->frame[i]))\n\t\t\treturn false;\n\t}\n\treturn true;\n}", "project": "linux", "hash": 200957743559178494002818856920131398333, "size": 29, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", 
"message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232468 }, { "func": "static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx)\n{\n\tstruct bpf_func_state *state = cur_func(env);\n\tint new_ofs = state->acquired_refs;\n\tint id, err;\n\n\terr = realloc_reference_state(state, state->acquired_refs + 1, true);\n\tif (err)\n\t\treturn err;\n\tid = ++env->id_gen;\n\tstate->refs[new_ofs].id = id;\n\tstate->refs[new_ofs].insn_idx = insn_idx;\n\n\treturn id;\n}", "project": "linux", "hash": 297868274482686662214377612344365492523, "size": 15, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() 
but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232483 }, { "func": "static void __update_reg_bounds(struct bpf_reg_state *reg)\n{\n\t/* min signed is max(sign bit) | min(other bits) */\n\treg->smin_value = max_t(s64, reg->smin_value,\n\t\t\t\treg->var_off.value | (reg->var_off.mask & S64_MIN));\n\t/* max signed is min(sign bit) | max(other bits) */\n\treg->smax_value = min_t(s64, reg->smax_value,\n\t\t\t\treg->var_off.value | (reg->var_off.mask & S64_MAX));\n\treg->umin_value = max(reg->umin_value, reg->var_off.value);\n\treg->umax_value = min(reg->umax_value,\n\t\t\t reg->var_off.value | reg->var_off.mask);\n}", "project": "linux", "hash": 289922408565181440166598436291739671923, "size": 12, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in 
bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232600 }, { "func": "static bool register_is_null(struct bpf_reg_state *reg)\n{\n\treturn reg->type == SCALAR_VALUE && tnum_equals_const(reg->var_off, 0);\n}", "project": "linux", "hash": 324869263669056130649433384106528694349, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. 
These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232519 }, { "func": "static void __reg_bound_offset(struct bpf_reg_state *reg)\n{\n\treg->var_off = tnum_intersect(reg->var_off,\n\t\t\t\t tnum_range(reg->umin_value,\n\t\t\t\t\t\t reg->umax_value));\n}", "project": "linux", "hash": 96547079029032372111478318477921244673, "size": 6, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232588 }, { "func": "static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_insn *insn)\n{\n\tstruct bpf_verifier_state *vstate = env->cur_state;\n\tstruct bpf_func_state *state = vstate->frame[vstate->curframe];\n\tstruct bpf_reg_state *regs = state->regs, *dst_reg, *src_reg;\n\tstruct bpf_reg_state *ptr_reg = NULL, off_reg = {0};\n\tu8 opcode = BPF_OP(insn->code);\n\tint err;\n\n\tdst_reg = ®s[insn->dst_reg];\n\tsrc_reg = NULL;\n\tif (dst_reg->type != SCALAR_VALUE)\n\t\tptr_reg = dst_reg;\n\tif (BPF_SRC(insn->code) == BPF_X) {\n\t\tsrc_reg = ®s[insn->src_reg];\n\t\tif (src_reg->type != SCALAR_VALUE) {\n\t\t\tif (dst_reg->type != SCALAR_VALUE) {\n\t\t\t\t/* Combining two pointers by any ALU op yields\n\t\t\t\t * an arbitrary scalar. 
Disallow all math except\n\t\t\t\t * pointer subtraction\n\t\t\t\t */\n\t\t\t\tif (opcode == BPF_SUB && env->allow_ptr_leaks) {\n\t\t\t\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\t\t\t\treturn 0;\n\t\t\t\t}\n\t\t\t\tverbose(env, \"R%d pointer %s pointer prohibited\\n\",\n\t\t\t\t\tinsn->dst_reg,\n\t\t\t\t\tbpf_alu_string[opcode >> 4]);\n\t\t\t\treturn -EACCES;\n\t\t\t} else {\n\t\t\t\t/* scalar += pointer\n\t\t\t\t * This is legal, but we have to reverse our\n\t\t\t\t * src/dest handling in computing the range\n\t\t\t\t */\n\t\t\t\terr = mark_chain_precision(env, insn->dst_reg);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\t\t\t\treturn adjust_ptr_min_max_vals(env, insn,\n\t\t\t\t\t\t\t src_reg, dst_reg);\n\t\t\t}\n\t\t} else if (ptr_reg) {\n\t\t\t/* pointer += scalar */\n\t\t\terr = mark_chain_precision(env, insn->src_reg);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t\treturn adjust_ptr_min_max_vals(env, insn,\n\t\t\t\t\t\t dst_reg, src_reg);\n\t\t}\n\t} else {\n\t\t/* Pretend the src is a reg with a known value, since we only\n\t\t * need to be able to read from this state.\n\t\t */\n\t\toff_reg.type = SCALAR_VALUE;\n\t\t__mark_reg_known(&off_reg, insn->imm);\n\t\tsrc_reg = &off_reg;\n\t\tif (ptr_reg) /* pointer += K */\n\t\t\treturn adjust_ptr_min_max_vals(env, insn,\n\t\t\t\t\t\t ptr_reg, src_reg);\n\t}\n\n\t/* Got here implies adding two SCALAR_VALUEs */\n\tif (WARN_ON_ONCE(ptr_reg)) {\n\t\tprint_verifier_state(env, state);\n\t\tverbose(env, \"verifier internal error: unexpected ptr_reg\\n\");\n\t\treturn -EINVAL;\n\t}\n\tif (WARN_ON(!src_reg)) {\n\t\tprint_verifier_state(env, state);\n\t\tverbose(env, \"verifier internal error: no src_reg\\n\");\n\t\treturn -EINVAL;\n\t}\n\treturn adjust_scalar_min_max_vals(env, insn, dst_reg, *src_reg);\n}", "project": "linux", "hash": 240975203065104317891003537507060320190, "size": 74, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call 
update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232462 }, { "func": "static void clear_all_pkt_pointers(struct bpf_verifier_env *env)\n{\n\tstruct bpf_verifier_state *vstate = env->cur_state;\n\tint i;\n\n\tfor (i = 0; i <= vstate->curframe; i++)\n\t\t__clear_all_pkt_pointers(env, vstate->frame[i]);\n}", "project": "linux", "hash": 124623423925108534080138878445241681851, "size": 8, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232579 }, { "func": "static int check_cfg(struct bpf_verifier_env *env)\n{\n\tstruct bpf_insn *insns = env->prog->insnsi;\n\tint insn_cnt = env->prog->len;\n\tint *insn_stack, *insn_state;\n\tint ret = 0;\n\tint i, t;\n\n\tinsn_state = env->cfg.insn_state = kvcalloc(insn_cnt, sizeof(int), GFP_KERNEL);\n\tif (!insn_state)\n\t\treturn -ENOMEM;\n\n\tinsn_stack = env->cfg.insn_stack = kvcalloc(insn_cnt, sizeof(int), GFP_KERNEL);\n\tif (!insn_stack) {\n\t\tkvfree(insn_state);\n\t\treturn -ENOMEM;\n\t}\n\n\tinsn_state[0] = DISCOVERED; /* mark 1st insn as discovered */\n\tinsn_stack[0] = 0; /* 0 is the first instruction */\n\tenv->cfg.cur_stack = 1;\n\npeek_stack:\n\tif (env->cfg.cur_stack == 0)\n\t\tgoto check_state;\n\tt = insn_stack[env->cfg.cur_stack - 1];\n\n\tif (BPF_CLASS(insns[t].code) == BPF_JMP ||\n\t BPF_CLASS(insns[t].code) == BPF_JMP32) {\n\t\tu8 opcode = BPF_OP(insns[t].code);\n\n\t\tif (opcode == BPF_EXIT) {\n\t\t\tgoto mark_explored;\n\t\t} else if (opcode == 
BPF_CALL) {\n\t\t\tret = push_insn(t, t + 1, FALLTHROUGH, env, false);\n\t\t\tif (ret == 1)\n\t\t\t\tgoto peek_stack;\n\t\t\telse if (ret < 0)\n\t\t\t\tgoto err_free;\n\t\t\tif (t + 1 < insn_cnt)\n\t\t\t\tinit_explored_state(env, t + 1);\n\t\t\tif (insns[t].src_reg == BPF_PSEUDO_CALL) {\n\t\t\t\tinit_explored_state(env, t);\n\t\t\t\tret = push_insn(t, t + insns[t].imm + 1, BRANCH,\n\t\t\t\t\t\tenv, false);\n\t\t\t\tif (ret == 1)\n\t\t\t\t\tgoto peek_stack;\n\t\t\t\telse if (ret < 0)\n\t\t\t\t\tgoto err_free;\n\t\t\t}\n\t\t} else if (opcode == BPF_JA) {\n\t\t\tif (BPF_SRC(insns[t].code) != BPF_K) {\n\t\t\t\tret = -EINVAL;\n\t\t\t\tgoto err_free;\n\t\t\t}\n\t\t\t/* unconditional jump with single edge */\n\t\t\tret = push_insn(t, t + insns[t].off + 1,\n\t\t\t\t\tFALLTHROUGH, env, true);\n\t\t\tif (ret == 1)\n\t\t\t\tgoto peek_stack;\n\t\t\telse if (ret < 0)\n\t\t\t\tgoto err_free;\n\t\t\t/* unconditional jmp is not a good pruning point,\n\t\t\t * but it's marked, since backtracking needs\n\t\t\t * to record jmp history in is_state_visited().\n\t\t\t */\n\t\t\tinit_explored_state(env, t + insns[t].off + 1);\n\t\t\t/* tell verifier to check for equivalent states\n\t\t\t * after every call and jump\n\t\t\t */\n\t\t\tif (t + 1 < insn_cnt)\n\t\t\t\tinit_explored_state(env, t + 1);\n\t\t} else {\n\t\t\t/* conditional jump with two edges */\n\t\t\tinit_explored_state(env, t);\n\t\t\tret = push_insn(t, t + 1, FALLTHROUGH, env, true);\n\t\t\tif (ret == 1)\n\t\t\t\tgoto peek_stack;\n\t\t\telse if (ret < 0)\n\t\t\t\tgoto err_free;\n\n\t\t\tret = push_insn(t, t + insns[t].off + 1, BRANCH, env, true);\n\t\t\tif (ret == 1)\n\t\t\t\tgoto peek_stack;\n\t\t\telse if (ret < 0)\n\t\t\t\tgoto err_free;\n\t\t}\n\t} else {\n\t\t/* all other non-branch instructions with single\n\t\t * fall-through edge\n\t\t */\n\t\tret = push_insn(t, t + 1, FALLTHROUGH, env, false);\n\t\tif (ret == 1)\n\t\t\tgoto peek_stack;\n\t\telse if (ret < 0)\n\t\t\tgoto 
err_free;\n\t}\n\nmark_explored:\n\tinsn_state[t] = EXPLORED;\n\tif (env->cfg.cur_stack-- <= 0) {\n\t\tverbose(env, \"pop stack internal bug\\n\");\n\t\tret = -EFAULT;\n\t\tgoto err_free;\n\t}\n\tgoto peek_stack;\n\ncheck_state:\n\tfor (i = 0; i < insn_cnt; i++) {\n\t\tif (insn_state[i] != EXPLORED) {\n\t\t\tverbose(env, \"unreachable insn %d\\n\", i);\n\t\t\tret = -EINVAL;\n\t\t\tgoto err_free;\n\t\t}\n\t}\n\tret = 0; /* cfg looks good */\n\nerr_free:\n\tkvfree(insn_state);\n\tkvfree(insn_stack);\n\tenv->cfg.insn_state = env->cfg.insn_stack = NULL;\n\treturn ret;\n}", "project": "linux", "hash": 314363835249998819839740453723444339103, "size": 123, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232417 }, { "func": "static void __mark_reg_unbounded(struct bpf_reg_state *reg)\n{\n\treg->smin_value = S64_MIN;\n\treg->smax_value = S64_MAX;\n\treg->umin_value = 0;\n\treg->umax_value = U64_MAX;\n}", "project": "linux", "hash": 64917896993404967184084314864972401653, "size": 7, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232625 }, { "func": "static void init_func_state(struct bpf_verifier_env *env,\n\t\t\t struct bpf_func_state *state,\n\t\t\t int callsite, int frameno, int subprogno)\n{\n\tstate->callsite = callsite;\n\tstate->frameno = frameno;\n\tstate->subprogno = subprogno;\n\tinit_reg_state(env, state);\n}", "project": "linux", "hash": 311195656271057664565579158157997947603, "size": 9, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232484 }, { "func": "static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off,\n\t\t\t int size, bool zero_size_allowed)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tstruct bpf_reg_state *reg = ®s[regno];\n\tint err;\n\n\t/* We may have added a variable offset to the packet pointer; but any\n\t * reg->range we have comes after that. We are only checking the fixed\n\t * offset.\n\t */\n\n\t/* We don't allow negative numbers, because we aren't tracking enough\n\t * detail to prove they're safe.\n\t */\n\tif (reg->smin_value < 0) {\n\t\tverbose(env, \"R%d min value is negative, either use unsigned index or do a if (index >=0) check.\\n\",\n\t\t\tregno);\n\t\treturn -EACCES;\n\t}\n\terr = __check_packet_access(env, regno, off, size, zero_size_allowed);\n\tif (err) {\n\t\tverbose(env, \"R%d offset is outside of the packet\\n\", regno);\n\t\treturn err;\n\t}\n\n\t/* __check_packet_access has made sure \"off + size - 1\" is within u16.\n\t * reg->umax_value can't be bigger than MAX_PACKET_OFF which is 0xffff,\n\t * otherwise find_good_pkt_pointers would have refused to set range info\n\t * that __check_packet_access would have rejected this pkt access.\n\t * Therefore, \"off + reg->umax_value + size - 1\" won't overflow u32.\n\t */\n\tenv->prog->aux->max_pkt_offset =\n\t\tmax_t(u32, env->prog->aux->max_pkt_offset,\n\t\t off + reg->umax_value + size - 1);\n\n\treturn err;\n}", "project": "linux", "hash": 97289006539524080542576397590234871282, "size": 38, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call 
update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232549 }, { "func": "static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off,\n\t\t\t int size, bool zero_size_allowed)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tstruct bpf_reg_state *reg = ®s[regno];\n\tint err;\n\n\t/* We may have added a variable offset to the packet pointer; but any\n\t * reg->range we have comes after that. 
We are only checking the fixed\n\t * offset.\n\t */\n\n\t/* We don't allow negative numbers, because we aren't tracking enough\n\t * detail to prove they're safe.\n\t */\n\tif (reg->smin_value < 0) {\n\t\tverbose(env, \"R%d min value is negative, either use unsigned index or do a if (index >=0) check.\\n\",\n\t\t\tregno);\n\t\treturn -EACCES;\n\t}\n\terr = __check_mem_access(env, regno, off, size, reg->range,\n\t\t\t\t zero_size_allowed);\n\tif (err) {\n\t\tverbose(env, \"R%d offset is outside of the packet\\n\", regno);\n\t\treturn err;\n\t}\n\n\t/* __check_mem_access has made sure \"off + size - 1\" is within u16.\n\t * reg->umax_value can't be bigger than MAX_PACKET_OFF which is 0xffff,\n\t * otherwise find_good_pkt_pointers would have refused to set range info\n\t * that __check_mem_access would have rejected this pkt access.\n\t * Therefore, \"off + reg->umax_value + size - 1\" won't overflow u32.\n\t */\n\tenv->prog->aux->max_pkt_offset =\n\t\tmax_t(u32, env->prog->aux->max_pkt_offset,\n\t\t off + reg->umax_value + size - 1);\n\n\treturn err;\n}", "project": "linux", "hash": 11511172010388079279388836385276842022, "size": 39, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328489 }, { "func": "static void __reg_combine_64_into_32(struct bpf_reg_state *reg)\n{\n\t__mark_reg32_unbounded(reg);\n\n\tif (__reg64_bound_s32(reg->smin_value))\n\t\treg->s32_min_value = (s32)reg->smin_value;\n\tif (__reg64_bound_s32(reg->smax_value))\n\t\treg->s32_max_value = (s32)reg->smax_value;\n\tif (__reg64_bound_u32(reg->umin_value))\n\t\treg->u32_min_value = (u32)reg->umin_value;\n\tif (__reg64_bound_u32(reg->umax_value))\n\t\treg->u32_max_value = (u32)reg->umax_value;\n\n\t/* Intersecting with the old var_off might have improved our bounds\n\t * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),\n\t * then new var_off is (0; 0x7f...fc) which improves our umax.\n\t */\n\t__reg_deduce_bounds(reg);\n\t__reg_bound_offset(reg);\n\t__update_reg_bounds(reg);\n}", "project": "linux", "hash": 132247545754232805662218603556923601940, "size": 21, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328515 }, { "func": "static bool refsafe(struct bpf_func_state *old, struct bpf_func_state *cur)\n{\n\tif (old->acquired_refs != cur->acquired_refs)\n\t\treturn false;\n\treturn !memcmp(old->refs, cur->refs,\n\t\t sizeof(*old->refs) * old->acquired_refs);\n}", "project": "linux", "hash": 193303817866775637908286545512084593472, "size": 7, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232543 }, { "func": "static bool bpf_map_ptr_poisoned(const struct bpf_insn_aux_data *aux)\n{\n\treturn BPF_MAP_PTR(aux->map_ptr_state) == BPF_MAP_PTR_POISON;\n}", "project": "linux", "hash": 12065715335939633085638444688043092313, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232433 }, { "func": "static int check_stack_access(struct bpf_verifier_env *env,\n\t\t\t const struct bpf_reg_state *reg,\n\t\t\t int off, int size)\n{\n\t/* Stack accesses must be at a fixed offset, so that we\n\t * can determine what type of data were returned. See\n\t * check_stack_read().\n\t */\n\tif (!tnum_is_const(reg->var_off)) {\n\t\tchar tn_buf[48];\n\n\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\tverbose(env, \"variable stack access var_off=%s off=%d size=%d\\n\",\n\t\t\ttn_buf, off, size);\n\t\treturn -EACCES;\n\t}\n\n\tif (off >= 0 || off < -MAX_BPF_STACK) {\n\t\tverbose(env, \"invalid stack off=%d size=%d\\n\", off, size);\n\t\treturn -EACCES;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 281614774099869070200153915280718349330, "size": 24, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232623 }, { "func": "static int adjust_subprog_starts_after_remove(struct bpf_verifier_env *env,\n\t\t\t\t\t u32 off, u32 cnt)\n{\n\tint i, j;\n\n\t/* find first prog starting at or after off (first to remove) */\n\tfor (i = 0; i < env->subprog_cnt; i++)\n\t\tif (env->subprog_info[i].start >= off)\n\t\t\tbreak;\n\t/* find first prog starting at or after off + cnt (first to stay) */\n\tfor (j = i; j < env->subprog_cnt; j++)\n\t\tif (env->subprog_info[j].start >= off + cnt)\n\t\t\tbreak;\n\t/* if j doesn't start exactly at off + cnt, we are just removing\n\t * the front of previous prog\n\t */\n\tif (env->subprog_info[j].start != off + cnt)\n\t\tj--;\n\n\tif (j > i) {\n\t\tstruct bpf_prog_aux *aux = env->prog->aux;\n\t\tint move;\n\n\t\t/* move fake 'exit' subprog as well */\n\t\tmove = env->subprog_cnt + 1 - j;\n\n\t\tmemmove(env->subprog_info + i,\n\t\t\tenv->subprog_info + j,\n\t\t\tsizeof(*env->subprog_info) * move);\n\t\tenv->subprog_cnt -= j - i;\n\n\t\t/* remove func_info */\n\t\tif (aux->func_info) {\n\t\t\tmove = aux->func_info_cnt - j;\n\n\t\t\tmemmove(aux->func_info + i,\n\t\t\t\taux->func_info + j,\n\t\t\t\tsizeof(*aux->func_info) * move);\n\t\t\taux->func_info_cnt -= j - i;\n\t\t\t/* func_info->insn_off is set after all code rewrites,\n\t\t\t * in adjust_btf_func() - no need to adjust\n\t\t\t */\n\t\t}\n\t} else {\n\t\t/* convert i from \"first prog to remove\" to \"first to adjust\" */\n\t\tif 
(env->subprog_info[i].start == off)\n\t\t\ti++;\n\t}\n\n\t/* update fake 'exit' subprog as well */\n\tfor (; i <= env->subprog_cnt; i++)\n\t\tenv->subprog_info[i].start -= cnt;\n\n\treturn 0;\n}", "project": "linux", "hash": 50024906774161930981474658234921751646, "size": 55, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232557 }, { "func": "static void mark_insn_zext(struct bpf_verifier_env *env,\n\t\t\t struct bpf_reg_state *reg)\n{\n\ts32 def_idx = reg->subreg_def;\n\n\tif (def_idx == DEF_NOT_SUBREG)\n\t\treturn;\n\n\tenv->insn_aux_data[def_idx - 1].zext_dst = true;\n\t/* The dst will be zero extended, so won't be sub-register anymore. 
*/\n\treg->subreg_def = DEF_NOT_SUBREG;\n}", "project": "linux", "hash": 252778981495778277522850688425742485037, "size": 12, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232472 }, { "func": "static int check_map_prealloc(struct bpf_map *map)\n{\n\treturn (map->map_type != BPF_MAP_TYPE_HASH &&\n\t\tmap->map_type != BPF_MAP_TYPE_PERCPU_HASH &&\n\t\tmap->map_type != BPF_MAP_TYPE_HASH_OF_MAPS) ||\n\t\t!(map->map_flags & BPF_F_NO_PREALLOC);\n}", "project": "linux", "hash": 198068576435819648897542146134278063895, "size": 7, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232528 }, { "func": "static int push_jmp_history(struct bpf_verifier_env *env,\n\t\t\t struct bpf_verifier_state *cur)\n{\n\tu32 cnt = cur->jmp_history_cnt;\n\tstruct bpf_idx_pair *p;\n\n\tcnt++;\n\tp = krealloc(cur->jmp_history, cnt * sizeof(*p), GFP_USER);\n\tif (!p)\n\t\treturn -ENOMEM;\n\tp[cnt - 1].idx = env->insn_idx;\n\tp[cnt - 1].prev_idx = env->prev_insn_idx;\n\tcur->jmp_history = p;\n\tcur->jmp_history_cnt = cnt;\n\treturn 0;\n}", "project": "linux", "hash": 289915037603553174143533880178485006984, "size": 16, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232520 }, { "func": "static int check_map_access_type(struct bpf_verifier_env *env, u32 regno,\n\t\t\t\t int off, int size, enum bpf_access_type type)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tstruct bpf_map *map = regs[regno].map_ptr;\n\tu32 cap = bpf_map_flags_to_cap(map);\n\n\tif (type == BPF_WRITE && !(cap & BPF_MAP_CAN_WRITE)) {\n\t\tverbose(env, \"write into map forbidden, value_size=%d off=%d size=%d\\n\",\n\t\t\tmap->value_size, off, size);\n\t\treturn -EACCES;\n\t}\n\n\tif (type == BPF_READ && !(cap & BPF_MAP_CAN_READ)) {\n\t\tverbose(env, \"read from map forbidden, value_size=%d off=%d size=%d\\n\",\n\t\t\tmap->value_size, off, size);\n\t\treturn -EACCES;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 65954778115152937491091346146016992245, "size": 21, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232478 }, { "func": "static int check_generic_ptr_alignment(struct bpf_verifier_env *env,\n\t\t\t\t const struct bpf_reg_state *reg,\n\t\t\t\t const char *pointer_desc,\n\t\t\t\t int off, int size, bool strict)\n{\n\tstruct tnum reg_off;\n\n\t/* Byte size accesses are always allowed. */\n\tif (!strict || size == 1)\n\t\treturn 0;\n\n\treg_off = tnum_add(reg->var_off, tnum_const(reg->off + off));\n\tif (!tnum_is_aligned(reg_off, size)) {\n\t\tchar tn_buf[48];\n\n\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\tverbose(env, \"misaligned %saccess off %s+%d+%d size %d\\n\",\n\t\t\tpointer_desc, tn_buf, reg->off, off, size);\n\t\treturn -EACCES;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 296866007566916210186499315578184103714, "size": 23, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. 
These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232586 }, { "func": "static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off,\n\t\t\t int size, bool zero_size_allowed)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tstruct bpf_map *map = regs[regno].map_ptr;\n\n\tif (off < 0 || size < 0 || (size == 0 && !zero_size_allowed) ||\n\t off + size > map->value_size) {\n\t\tverbose(env, \"invalid access to map value, value_size=%d off=%d size=%d\\n\",\n\t\t\tmap->value_size, off, size);\n\t\treturn -EACCES;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 270341157927706235861748328121637061134, "size": 14, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. 
These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232481 }, { "func": "static int do_check(struct bpf_verifier_env *env)\n{\n\tstruct bpf_verifier_state *state = env->cur_state;\n\tstruct bpf_insn *insns = env->prog->insnsi;\n\tstruct bpf_reg_state *regs;\n\tint insn_cnt = env->prog->len;\n\tbool do_print_state = false;\n\tint prev_insn_idx = -1;\n\n\tfor (;;) {\n\t\tstruct bpf_insn *insn;\n\t\tu8 class;\n\t\tint err;\n\n\t\tenv->prev_insn_idx = prev_insn_idx;\n\t\tif (env->insn_idx >= insn_cnt) {\n\t\t\tverbose(env, \"invalid insn idx %d insn_cnt %d\\n\",\n\t\t\t\tenv->insn_idx, insn_cnt);\n\t\t\treturn -EFAULT;\n\t\t}\n\n\t\tinsn = &insns[env->insn_idx];\n\t\tclass = BPF_CLASS(insn->code);\n\n\t\tif (++env->insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) {\n\t\t\tverbose(env,\n\t\t\t\t\"BPF program is too large. 
Processed %d insn\\n\",\n\t\t\t\tenv->insn_processed);\n\t\t\treturn -E2BIG;\n\t\t}\n\n\t\terr = is_state_visited(env, env->insn_idx);\n\t\tif (err < 0)\n\t\t\treturn err;\n\t\tif (err == 1) {\n\t\t\t/* found equivalent state, can prune the search */\n\t\t\tif (env->log.level & BPF_LOG_LEVEL) {\n\t\t\t\tif (do_print_state)\n\t\t\t\t\tverbose(env, \"\\nfrom %d to %d%s: safe\\n\",\n\t\t\t\t\t\tenv->prev_insn_idx, env->insn_idx,\n\t\t\t\t\t\tenv->cur_state->speculative ?\n\t\t\t\t\t\t\" (speculative execution)\" : \"\");\n\t\t\t\telse\n\t\t\t\t\tverbose(env, \"%d: safe\\n\", env->insn_idx);\n\t\t\t}\n\t\t\tgoto process_bpf_exit;\n\t\t}\n\n\t\tif (signal_pending(current))\n\t\t\treturn -EAGAIN;\n\n\t\tif (need_resched())\n\t\t\tcond_resched();\n\n\t\tif (env->log.level & BPF_LOG_LEVEL2 ||\n\t\t (env->log.level & BPF_LOG_LEVEL && do_print_state)) {\n\t\t\tif (env->log.level & BPF_LOG_LEVEL2)\n\t\t\t\tverbose(env, \"%d:\", env->insn_idx);\n\t\t\telse\n\t\t\t\tverbose(env, \"\\nfrom %d to %d%s:\",\n\t\t\t\t\tenv->prev_insn_idx, env->insn_idx,\n\t\t\t\t\tenv->cur_state->speculative ?\n\t\t\t\t\t\" (speculative execution)\" : \"\");\n\t\t\tprint_verifier_state(env, state->frame[state->curframe]);\n\t\t\tdo_print_state = false;\n\t\t}\n\n\t\tif (env->log.level & BPF_LOG_LEVEL) {\n\t\t\tconst struct bpf_insn_cbs cbs = {\n\t\t\t\t.cb_print\t= verbose,\n\t\t\t\t.private_data\t= env,\n\t\t\t};\n\n\t\t\tverbose_linfo(env, env->insn_idx, \"; \");\n\t\t\tverbose(env, \"%d: \", env->insn_idx);\n\t\t\tprint_bpf_insn(&cbs, insn, env->allow_ptr_leaks);\n\t\t}\n\n\t\tif (bpf_prog_is_dev_bound(env->prog->aux)) {\n\t\t\terr = bpf_prog_offload_verify_insn(env, env->insn_idx,\n\t\t\t\t\t\t\t env->prev_insn_idx);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t}\n\n\t\tregs = cur_regs(env);\n\t\tenv->insn_aux_data[env->insn_idx].seen = env->pass_cnt;\n\t\tprev_insn_idx = env->insn_idx;\n\n\t\tif (class == BPF_ALU || class == BPF_ALU64) {\n\t\t\terr = check_alu_op(env, insn);\n\t\t\tif 
(err)\n\t\t\t\treturn err;\n\n\t\t} else if (class == BPF_LDX) {\n\t\t\tenum bpf_reg_type *prev_src_type, src_reg_type;\n\n\t\t\t/* check for reserved fields is already done */\n\n\t\t\t/* check src operand */\n\t\t\terr = check_reg_arg(env, insn->src_reg, SRC_OP);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\n\t\t\terr = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\n\t\t\tsrc_reg_type = regs[insn->src_reg].type;\n\n\t\t\t/* check that memory (src_reg + off) is readable,\n\t\t\t * the state of dst_reg will be updated by this func\n\t\t\t */\n\t\t\terr = check_mem_access(env, env->insn_idx, insn->src_reg,\n\t\t\t\t\t insn->off, BPF_SIZE(insn->code),\n\t\t\t\t\t BPF_READ, insn->dst_reg, false);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\n\t\t\tprev_src_type = &env->insn_aux_data[env->insn_idx].ptr_type;\n\n\t\t\tif (*prev_src_type == NOT_INIT) {\n\t\t\t\t/* saw a valid insn\n\t\t\t\t * dst_reg = *(u32 *)(src_reg + off)\n\t\t\t\t * save type to validate intersecting paths\n\t\t\t\t */\n\t\t\t\t*prev_src_type = src_reg_type;\n\n\t\t\t} else if (reg_type_mismatch(src_reg_type, *prev_src_type)) {\n\t\t\t\t/* ABuser program is trying to use the same insn\n\t\t\t\t * dst_reg = *(u32*) (src_reg + off)\n\t\t\t\t * with different pointer types:\n\t\t\t\t * src_reg == ctx in one branch and\n\t\t\t\t * src_reg == stack|map in some other branch.\n\t\t\t\t * Reject it.\n\t\t\t\t */\n\t\t\t\tverbose(env, \"same insn cannot be used with different pointers\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t} else if (class == BPF_STX) {\n\t\t\tenum bpf_reg_type *prev_dst_type, dst_reg_type;\n\n\t\t\tif (BPF_MODE(insn->code) == BPF_XADD) {\n\t\t\t\terr = check_xadd(env, env->insn_idx, insn);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\t\t\t\tenv->insn_idx++;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\t/* check src1 operand */\n\t\t\terr = check_reg_arg(env, insn->src_reg, SRC_OP);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t\t/* check src2 operand */\n\t\t\terr 
= check_reg_arg(env, insn->dst_reg, SRC_OP);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\n\t\t\tdst_reg_type = regs[insn->dst_reg].type;\n\n\t\t\t/* check that memory (dst_reg + off) is writeable */\n\t\t\terr = check_mem_access(env, env->insn_idx, insn->dst_reg,\n\t\t\t\t\t insn->off, BPF_SIZE(insn->code),\n\t\t\t\t\t BPF_WRITE, insn->src_reg, false);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\n\t\t\tprev_dst_type = &env->insn_aux_data[env->insn_idx].ptr_type;\n\n\t\t\tif (*prev_dst_type == NOT_INIT) {\n\t\t\t\t*prev_dst_type = dst_reg_type;\n\t\t\t} else if (reg_type_mismatch(dst_reg_type, *prev_dst_type)) {\n\t\t\t\tverbose(env, \"same insn cannot be used with different pointers\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t} else if (class == BPF_ST) {\n\t\t\tif (BPF_MODE(insn->code) != BPF_MEM ||\n\t\t\t insn->src_reg != BPF_REG_0) {\n\t\t\t\tverbose(env, \"BPF_ST uses reserved fields\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\t/* check src operand */\n\t\t\terr = check_reg_arg(env, insn->dst_reg, SRC_OP);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\n\t\t\tif (is_ctx_reg(env, insn->dst_reg)) {\n\t\t\t\tverbose(env, \"BPF_ST stores into R%d %s is not allowed\\n\",\n\t\t\t\t\tinsn->dst_reg,\n\t\t\t\t\treg_type_str[reg_state(env, insn->dst_reg)->type]);\n\t\t\t\treturn -EACCES;\n\t\t\t}\n\n\t\t\t/* check that memory (dst_reg + off) is writeable */\n\t\t\terr = check_mem_access(env, env->insn_idx, insn->dst_reg,\n\t\t\t\t\t insn->off, BPF_SIZE(insn->code),\n\t\t\t\t\t BPF_WRITE, -1, false);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\n\t\t} else if (class == BPF_JMP || class == BPF_JMP32) {\n\t\t\tu8 opcode = BPF_OP(insn->code);\n\n\t\t\tenv->jmps_processed++;\n\t\t\tif (opcode == BPF_CALL) {\n\t\t\t\tif (BPF_SRC(insn->code) != BPF_K ||\n\t\t\t\t insn->off != 0 ||\n\t\t\t\t (insn->src_reg != BPF_REG_0 &&\n\t\t\t\t insn->src_reg != BPF_PSEUDO_CALL) ||\n\t\t\t\t insn->dst_reg != BPF_REG_0 ||\n\t\t\t\t class == BPF_JMP32) {\n\t\t\t\t\tverbose(env, \"BPF_CALL uses reserved 
fields\\n\");\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\tif (env->cur_state->active_spin_lock &&\n\t\t\t\t (insn->src_reg == BPF_PSEUDO_CALL ||\n\t\t\t\t insn->imm != BPF_FUNC_spin_unlock)) {\n\t\t\t\t\tverbose(env, \"function calls are not allowed while holding a lock\\n\");\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\t\t\t\tif (insn->src_reg == BPF_PSEUDO_CALL)\n\t\t\t\t\terr = check_func_call(env, insn, &env->insn_idx);\n\t\t\t\telse\n\t\t\t\t\terr = check_helper_call(env, insn->imm, env->insn_idx);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\n\t\t\t} else if (opcode == BPF_JA) {\n\t\t\t\tif (BPF_SRC(insn->code) != BPF_K ||\n\t\t\t\t insn->imm != 0 ||\n\t\t\t\t insn->src_reg != BPF_REG_0 ||\n\t\t\t\t insn->dst_reg != BPF_REG_0 ||\n\t\t\t\t class == BPF_JMP32) {\n\t\t\t\t\tverbose(env, \"BPF_JA uses reserved fields\\n\");\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\tenv->insn_idx += insn->off + 1;\n\t\t\t\tcontinue;\n\n\t\t\t} else if (opcode == BPF_EXIT) {\n\t\t\t\tif (BPF_SRC(insn->code) != BPF_K ||\n\t\t\t\t insn->imm != 0 ||\n\t\t\t\t insn->src_reg != BPF_REG_0 ||\n\t\t\t\t insn->dst_reg != BPF_REG_0 ||\n\t\t\t\t class == BPF_JMP32) {\n\t\t\t\t\tverbose(env, \"BPF_EXIT uses reserved fields\\n\");\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\tif (env->cur_state->active_spin_lock) {\n\t\t\t\t\tverbose(env, \"bpf_spin_unlock is missing\\n\");\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\tif (state->curframe) {\n\t\t\t\t\t/* exit from nested function */\n\t\t\t\t\terr = prepare_func_exit(env, &env->insn_idx);\n\t\t\t\t\tif (err)\n\t\t\t\t\t\treturn err;\n\t\t\t\t\tdo_print_state = true;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\n\t\t\t\terr = check_reference_leak(env);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\n\t\t\t\terr = check_return_code(env);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\nprocess_bpf_exit:\n\t\t\t\tupdate_branch_counts(env, env->cur_state);\n\t\t\t\terr = pop_stack(env, &prev_insn_idx,\n\t\t\t\t\t\t&env->insn_idx);\n\t\t\t\tif (err < 0) 
{\n\t\t\t\t\tif (err != -ENOENT)\n\t\t\t\t\t\treturn err;\n\t\t\t\t\tbreak;\n\t\t\t\t} else {\n\t\t\t\t\tdo_print_state = true;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\terr = check_cond_jmp_op(env, insn, &env->insn_idx);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\t\t\t}\n\t\t} else if (class == BPF_LD) {\n\t\t\tu8 mode = BPF_MODE(insn->code);\n\n\t\t\tif (mode == BPF_ABS || mode == BPF_IND) {\n\t\t\t\terr = check_ld_abs(env, insn);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\n\t\t\t} else if (mode == BPF_IMM) {\n\t\t\t\terr = check_ld_imm(env, insn);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\n\t\t\t\tenv->insn_idx++;\n\t\t\t\tenv->insn_aux_data[env->insn_idx].seen = env->pass_cnt;\n\t\t\t} else {\n\t\t\t\tverbose(env, \"invalid BPF_LD mode\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t} else {\n\t\t\tverbose(env, \"unknown insn class %d\\n\", class);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tenv->insn_idx++;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 46007685625770912827312825933186460207, "size": 321, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232540 }, { "func": "static int do_check(struct bpf_verifier_env *env)\n{\n\tbool pop_log = !(env->log.level & BPF_LOG_LEVEL2);\n\tstruct bpf_verifier_state *state = env->cur_state;\n\tstruct bpf_insn *insns = env->prog->insnsi;\n\tstruct bpf_reg_state *regs;\n\tint insn_cnt = env->prog->len;\n\tbool do_print_state = false;\n\tint prev_insn_idx = -1;\n\n\tfor (;;) {\n\t\tstruct bpf_insn *insn;\n\t\tu8 class;\n\t\tint err;\n\n\t\tenv->prev_insn_idx = prev_insn_idx;\n\t\tif (env->insn_idx >= insn_cnt) {\n\t\t\tverbose(env, \"invalid insn idx %d insn_cnt %d\\n\",\n\t\t\t\tenv->insn_idx, insn_cnt);\n\t\t\treturn -EFAULT;\n\t\t}\n\n\t\tinsn = &insns[env->insn_idx];\n\t\tclass = BPF_CLASS(insn->code);\n\n\t\tif (++env->insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) {\n\t\t\tverbose(env,\n\t\t\t\t\"BPF program is too large. 
Processed %d insn\\n\",\n\t\t\t\tenv->insn_processed);\n\t\t\treturn -E2BIG;\n\t\t}\n\n\t\terr = is_state_visited(env, env->insn_idx);\n\t\tif (err < 0)\n\t\t\treturn err;\n\t\tif (err == 1) {\n\t\t\t/* found equivalent state, can prune the search */\n\t\t\tif (env->log.level & BPF_LOG_LEVEL) {\n\t\t\t\tif (do_print_state)\n\t\t\t\t\tverbose(env, \"\\nfrom %d to %d%s: safe\\n\",\n\t\t\t\t\t\tenv->prev_insn_idx, env->insn_idx,\n\t\t\t\t\t\tenv->cur_state->speculative ?\n\t\t\t\t\t\t\" (speculative execution)\" : \"\");\n\t\t\t\telse\n\t\t\t\t\tverbose(env, \"%d: safe\\n\", env->insn_idx);\n\t\t\t}\n\t\t\tgoto process_bpf_exit;\n\t\t}\n\n\t\tif (signal_pending(current))\n\t\t\treturn -EAGAIN;\n\n\t\tif (need_resched())\n\t\t\tcond_resched();\n\n\t\tif (env->log.level & BPF_LOG_LEVEL2 ||\n\t\t (env->log.level & BPF_LOG_LEVEL && do_print_state)) {\n\t\t\tif (env->log.level & BPF_LOG_LEVEL2)\n\t\t\t\tverbose(env, \"%d:\", env->insn_idx);\n\t\t\telse\n\t\t\t\tverbose(env, \"\\nfrom %d to %d%s:\",\n\t\t\t\t\tenv->prev_insn_idx, env->insn_idx,\n\t\t\t\t\tenv->cur_state->speculative ?\n\t\t\t\t\t\" (speculative execution)\" : \"\");\n\t\t\tprint_verifier_state(env, state->frame[state->curframe]);\n\t\t\tdo_print_state = false;\n\t\t}\n\n\t\tif (env->log.level & BPF_LOG_LEVEL) {\n\t\t\tconst struct bpf_insn_cbs cbs = {\n\t\t\t\t.cb_print\t= verbose,\n\t\t\t\t.private_data\t= env,\n\t\t\t};\n\n\t\t\tverbose_linfo(env, env->insn_idx, \"; \");\n\t\t\tverbose(env, \"%d: \", env->insn_idx);\n\t\t\tprint_bpf_insn(&cbs, insn, env->allow_ptr_leaks);\n\t\t}\n\n\t\tif (bpf_prog_is_dev_bound(env->prog->aux)) {\n\t\t\terr = bpf_prog_offload_verify_insn(env, env->insn_idx,\n\t\t\t\t\t\t\t env->prev_insn_idx);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t}\n\n\t\tregs = cur_regs(env);\n\t\tenv->insn_aux_data[env->insn_idx].seen = env->pass_cnt;\n\t\tprev_insn_idx = env->insn_idx;\n\n\t\tif (class == BPF_ALU || class == BPF_ALU64) {\n\t\t\terr = check_alu_op(env, insn);\n\t\t\tif 
(err)\n\t\t\t\treturn err;\n\n\t\t} else if (class == BPF_LDX) {\n\t\t\tenum bpf_reg_type *prev_src_type, src_reg_type;\n\n\t\t\t/* check for reserved fields is already done */\n\n\t\t\t/* check src operand */\n\t\t\terr = check_reg_arg(env, insn->src_reg, SRC_OP);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\n\t\t\terr = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\n\t\t\tsrc_reg_type = regs[insn->src_reg].type;\n\n\t\t\t/* check that memory (src_reg + off) is readable,\n\t\t\t * the state of dst_reg will be updated by this func\n\t\t\t */\n\t\t\terr = check_mem_access(env, env->insn_idx, insn->src_reg,\n\t\t\t\t\t insn->off, BPF_SIZE(insn->code),\n\t\t\t\t\t BPF_READ, insn->dst_reg, false);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\n\t\t\tprev_src_type = &env->insn_aux_data[env->insn_idx].ptr_type;\n\n\t\t\tif (*prev_src_type == NOT_INIT) {\n\t\t\t\t/* saw a valid insn\n\t\t\t\t * dst_reg = *(u32 *)(src_reg + off)\n\t\t\t\t * save type to validate intersecting paths\n\t\t\t\t */\n\t\t\t\t*prev_src_type = src_reg_type;\n\n\t\t\t} else if (reg_type_mismatch(src_reg_type, *prev_src_type)) {\n\t\t\t\t/* ABuser program is trying to use the same insn\n\t\t\t\t * dst_reg = *(u32*) (src_reg + off)\n\t\t\t\t * with different pointer types:\n\t\t\t\t * src_reg == ctx in one branch and\n\t\t\t\t * src_reg == stack|map in some other branch.\n\t\t\t\t * Reject it.\n\t\t\t\t */\n\t\t\t\tverbose(env, \"same insn cannot be used with different pointers\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t} else if (class == BPF_STX) {\n\t\t\tenum bpf_reg_type *prev_dst_type, dst_reg_type;\n\n\t\t\tif (BPF_MODE(insn->code) == BPF_XADD) {\n\t\t\t\terr = check_xadd(env, env->insn_idx, insn);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\t\t\t\tenv->insn_idx++;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\t/* check src1 operand */\n\t\t\terr = check_reg_arg(env, insn->src_reg, SRC_OP);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t\t/* check src2 operand */\n\t\t\terr 
= check_reg_arg(env, insn->dst_reg, SRC_OP);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\n\t\t\tdst_reg_type = regs[insn->dst_reg].type;\n\n\t\t\t/* check that memory (dst_reg + off) is writeable */\n\t\t\terr = check_mem_access(env, env->insn_idx, insn->dst_reg,\n\t\t\t\t\t insn->off, BPF_SIZE(insn->code),\n\t\t\t\t\t BPF_WRITE, insn->src_reg, false);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\n\t\t\tprev_dst_type = &env->insn_aux_data[env->insn_idx].ptr_type;\n\n\t\t\tif (*prev_dst_type == NOT_INIT) {\n\t\t\t\t*prev_dst_type = dst_reg_type;\n\t\t\t} else if (reg_type_mismatch(dst_reg_type, *prev_dst_type)) {\n\t\t\t\tverbose(env, \"same insn cannot be used with different pointers\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t} else if (class == BPF_ST) {\n\t\t\tif (BPF_MODE(insn->code) != BPF_MEM ||\n\t\t\t insn->src_reg != BPF_REG_0) {\n\t\t\t\tverbose(env, \"BPF_ST uses reserved fields\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\t/* check src operand */\n\t\t\terr = check_reg_arg(env, insn->dst_reg, SRC_OP);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\n\t\t\tif (is_ctx_reg(env, insn->dst_reg)) {\n\t\t\t\tverbose(env, \"BPF_ST stores into R%d %s is not allowed\\n\",\n\t\t\t\t\tinsn->dst_reg,\n\t\t\t\t\treg_type_str[reg_state(env, insn->dst_reg)->type]);\n\t\t\t\treturn -EACCES;\n\t\t\t}\n\n\t\t\t/* check that memory (dst_reg + off) is writeable */\n\t\t\terr = check_mem_access(env, env->insn_idx, insn->dst_reg,\n\t\t\t\t\t insn->off, BPF_SIZE(insn->code),\n\t\t\t\t\t BPF_WRITE, -1, false);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\n\t\t} else if (class == BPF_JMP || class == BPF_JMP32) {\n\t\t\tu8 opcode = BPF_OP(insn->code);\n\n\t\t\tenv->jmps_processed++;\n\t\t\tif (opcode == BPF_CALL) {\n\t\t\t\tif (BPF_SRC(insn->code) != BPF_K ||\n\t\t\t\t insn->off != 0 ||\n\t\t\t\t (insn->src_reg != BPF_REG_0 &&\n\t\t\t\t insn->src_reg != BPF_PSEUDO_CALL) ||\n\t\t\t\t insn->dst_reg != BPF_REG_0 ||\n\t\t\t\t class == BPF_JMP32) {\n\t\t\t\t\tverbose(env, \"BPF_CALL uses reserved 
fields\\n\");\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\tif (env->cur_state->active_spin_lock &&\n\t\t\t\t (insn->src_reg == BPF_PSEUDO_CALL ||\n\t\t\t\t insn->imm != BPF_FUNC_spin_unlock)) {\n\t\t\t\t\tverbose(env, \"function calls are not allowed while holding a lock\\n\");\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\t\t\t\tif (insn->src_reg == BPF_PSEUDO_CALL)\n\t\t\t\t\terr = check_func_call(env, insn, &env->insn_idx);\n\t\t\t\telse\n\t\t\t\t\terr = check_helper_call(env, insn->imm, env->insn_idx);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\n\t\t\t} else if (opcode == BPF_JA) {\n\t\t\t\tif (BPF_SRC(insn->code) != BPF_K ||\n\t\t\t\t insn->imm != 0 ||\n\t\t\t\t insn->src_reg != BPF_REG_0 ||\n\t\t\t\t insn->dst_reg != BPF_REG_0 ||\n\t\t\t\t class == BPF_JMP32) {\n\t\t\t\t\tverbose(env, \"BPF_JA uses reserved fields\\n\");\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\tenv->insn_idx += insn->off + 1;\n\t\t\t\tcontinue;\n\n\t\t\t} else if (opcode == BPF_EXIT) {\n\t\t\t\tif (BPF_SRC(insn->code) != BPF_K ||\n\t\t\t\t insn->imm != 0 ||\n\t\t\t\t insn->src_reg != BPF_REG_0 ||\n\t\t\t\t insn->dst_reg != BPF_REG_0 ||\n\t\t\t\t class == BPF_JMP32) {\n\t\t\t\t\tverbose(env, \"BPF_EXIT uses reserved fields\\n\");\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\tif (env->cur_state->active_spin_lock) {\n\t\t\t\t\tverbose(env, \"bpf_spin_unlock is missing\\n\");\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\tif (state->curframe) {\n\t\t\t\t\t/* exit from nested function */\n\t\t\t\t\terr = prepare_func_exit(env, &env->insn_idx);\n\t\t\t\t\tif (err)\n\t\t\t\t\t\treturn err;\n\t\t\t\t\tdo_print_state = true;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\n\t\t\t\terr = check_reference_leak(env);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\n\t\t\t\terr = check_return_code(env);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\nprocess_bpf_exit:\n\t\t\t\tupdate_branch_counts(env, env->cur_state);\n\t\t\t\terr = pop_stack(env, &prev_insn_idx,\n\t\t\t\t\t\t&env->insn_idx, pop_log);\n\t\t\t\tif (err 
< 0) {\n\t\t\t\t\tif (err != -ENOENT)\n\t\t\t\t\t\treturn err;\n\t\t\t\t\tbreak;\n\t\t\t\t} else {\n\t\t\t\t\tdo_print_state = true;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\terr = check_cond_jmp_op(env, insn, &env->insn_idx);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\t\t\t}\n\t\t} else if (class == BPF_LD) {\n\t\t\tu8 mode = BPF_MODE(insn->code);\n\n\t\t\tif (mode == BPF_ABS || mode == BPF_IND) {\n\t\t\t\terr = check_ld_abs(env, insn);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\n\t\t\t} else if (mode == BPF_IMM) {\n\t\t\t\terr = check_ld_imm(env, insn);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\n\t\t\t\tenv->insn_idx++;\n\t\t\t\tenv->insn_aux_data[env->insn_idx].seen = env->pass_cnt;\n\t\t\t} else {\n\t\t\t\tverbose(env, \"invalid BPF_LD mode\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t} else {\n\t\t\tverbose(env, \"unknown insn class %d\\n\", class);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tenv->insn_idx++;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 185450139238423739113719076723068867690, "size": 322, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328505 }, { "func": "static void __mark_reg_const_zero(struct bpf_reg_state *reg)\n{\n\t__mark_reg_known(reg, 0);\n\treg->type = SCALAR_VALUE;\n}", "project": "linux", "hash": 256332150748866499517432287883559413815, "size": 5, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232461 }, { "func": "static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size,\n\t\t\t enum bpf_access_type t, enum bpf_reg_type *reg_type,\n\t\t\t u32 *btf_id)\n{\n\tstruct bpf_insn_access_aux info = {\n\t\t.reg_type = *reg_type,\n\t\t.log = &env->log,\n\t};\n\n\tif (env->ops->is_valid_access &&\n\t env->ops->is_valid_access(off, size, t, env->prog, &info)) {\n\t\t/* A non zero info.ctx_field_size indicates that this field is a\n\t\t * candidate for later verifier transformation to load the whole\n\t\t * field and then apply a mask when accessed with a narrower\n\t\t * access than actual ctx access size. 
A zero info.ctx_field_size\n\t\t * will only allow for whole field access and rejects any other\n\t\t * type of narrower access.\n\t\t */\n\t\t*reg_type = info.reg_type;\n\n\t\tif (*reg_type == PTR_TO_BTF_ID)\n\t\t\t*btf_id = info.btf_id;\n\t\telse\n\t\t\tenv->insn_aux_data[insn_idx].ctx_field_size = info.ctx_field_size;\n\t\t/* remember the offset of last byte accessed in ctx */\n\t\tif (env->prog->aux->max_ctx_offset < off + size)\n\t\t\tenv->prog->aux->max_ctx_offset = off + size;\n\t\treturn 0;\n\t}\n\n\tverbose(env, \"invalid bpf_context access off=%d size=%d\\n\", off, size);\n\treturn -EACCES;\n}", "project": "linux", "hash": 32003190078746178979370225420313590738, "size": 33, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232577 }, { "func": "static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size,\n\t\t\t enum bpf_access_type t, enum bpf_reg_type *reg_type,\n\t\t\t u32 *btf_id)\n{\n\tstruct bpf_insn_access_aux info = {\n\t\t.reg_type = *reg_type,\n\t\t.log = &env->log,\n\t};\n\n\tif (env->ops->is_valid_access &&\n\t env->ops->is_valid_access(off, size, t, env->prog, &info)) {\n\t\t/* A non zero info.ctx_field_size indicates that this field is a\n\t\t * candidate for later verifier transformation to load the whole\n\t\t * field and then apply a mask when accessed with a narrower\n\t\t * access than actual ctx access size. 
A zero info.ctx_field_size\n\t\t * will only allow for whole field access and rejects any other\n\t\t * type of narrower access.\n\t\t */\n\t\t*reg_type = info.reg_type;\n\n\t\tif (*reg_type == PTR_TO_BTF_ID || *reg_type == PTR_TO_BTF_ID_OR_NULL)\n\t\t\t*btf_id = info.btf_id;\n\t\telse\n\t\t\tenv->insn_aux_data[insn_idx].ctx_field_size = info.ctx_field_size;\n\t\t/* remember the offset of last byte accessed in ctx */\n\t\tif (env->prog->aux->max_ctx_offset < off + size)\n\t\t\tenv->prog->aux->max_ctx_offset = off + size;\n\t\treturn 0;\n\t}\n\n\tverbose(env, \"invalid bpf_context access off=%d size=%d\\n\", off, size);\n\treturn -EACCES;\n}", "project": "linux", "hash": 203557718749107061840780482015396950117, "size": 33, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328487 }, { "func": "__printf(2, 3) void bpf_log(struct bpf_verifier_log *log,\n\t\t\t const char *fmt, ...)\n{\n\tva_list args;\n\n\tif (!bpf_verifier_log_needed(log))\n\t\treturn;\n\n\tva_start(args, fmt);\n\tbpf_verifier_vlog(log, fmt, args);\n\tva_end(args);\n}", "project": "linux", "hash": 58125966391154392276578992176786829225, "size": 12, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232532 }, { "func": "static bool reg_may_point_to_spin_lock(const struct bpf_reg_state *reg)\n{\n\treturn reg->type == PTR_TO_MAP_VALUE &&\n\t\tmap_value_has_spin_lock(reg->map_ptr);\n}", "project": "linux", "hash": 274852682100048234354452355733613451188, "size": 5, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232500 }, { "func": "static int push_insn(int t, int w, int e, struct bpf_verifier_env *env,\n\t\t bool loop_ok)\n{\n\tint *insn_stack = env->cfg.insn_stack;\n\tint *insn_state = env->cfg.insn_state;\n\n\tif (e == FALLTHROUGH && insn_state[t] >= (DISCOVERED | FALLTHROUGH))\n\t\treturn 0;\n\n\tif (e == BRANCH && insn_state[t] >= (DISCOVERED | BRANCH))\n\t\treturn 0;\n\n\tif (w < 0 || w >= env->prog->len) {\n\t\tverbose_linfo(env, t, \"%d: \", t);\n\t\tverbose(env, \"jump out of range from insn %d to %d\\n\", t, w);\n\t\treturn -EINVAL;\n\t}\n\n\tif (e == BRANCH)\n\t\t/* mark branch target for state pruning */\n\t\tinit_explored_state(env, w);\n\n\tif (insn_state[w] == 0) {\n\t\t/* tree-edge */\n\t\tinsn_state[t] = DISCOVERED | e;\n\t\tinsn_state[w] = DISCOVERED;\n\t\tif (env->cfg.cur_stack >= env->prog->len)\n\t\t\treturn -E2BIG;\n\t\tinsn_stack[env->cfg.cur_stack++] = w;\n\t\treturn 1;\n\t} else if ((insn_state[w] & 0xF0) == DISCOVERED) {\n\t\tif (loop_ok && env->allow_ptr_leaks)\n\t\t\treturn 0;\n\t\tverbose_linfo(env, t, \"%d: \", t);\n\t\tverbose_linfo(env, w, \"%d: \", w);\n\t\tverbose(env, \"back-edge from insn %d to %d\\n\", t, w);\n\t\treturn -EINVAL;\n\t} else if (insn_state[w] == EXPLORED) {\n\t\t/* forward- or cross-edge */\n\t\tinsn_state[t] = DISCOVERED | e;\n\t} else {\n\t\tverbose(env, \"insn state internal bug\\n\");\n\t\treturn -EFAULT;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 252708016994494120497646768145413895149, "size": 46, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call 
update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232578 }, { "func": "static int push_insn(int t, int w, int e, struct bpf_verifier_env *env,\n\t\t bool loop_ok)\n{\n\tint *insn_stack = env->cfg.insn_stack;\n\tint *insn_state = env->cfg.insn_state;\n\n\tif (e == FALLTHROUGH && insn_state[t] >= (DISCOVERED | FALLTHROUGH))\n\t\treturn 0;\n\n\tif (e == BRANCH && insn_state[t] >= (DISCOVERED | BRANCH))\n\t\treturn 0;\n\n\tif (w < 0 || w >= env->prog->len) {\n\t\tverbose_linfo(env, t, \"%d: \", t);\n\t\tverbose(env, \"jump out of range from insn %d to %d\\n\", t, w);\n\t\treturn -EINVAL;\n\t}\n\n\tif (e == BRANCH)\n\t\t/* mark branch target for state pruning */\n\t\tinit_explored_state(env, w);\n\n\tif (insn_state[w] == 0) {\n\t\t/* tree-edge */\n\t\tinsn_state[t] = DISCOVERED | e;\n\t\tinsn_state[w] = DISCOVERED;\n\t\tif (env->cfg.cur_stack >= 
env->prog->len)\n\t\t\treturn -E2BIG;\n\t\tinsn_stack[env->cfg.cur_stack++] = w;\n\t\treturn 1;\n\t} else if ((insn_state[w] & 0xF0) == DISCOVERED) {\n\t\tif (loop_ok && env->bpf_capable)\n\t\t\treturn 0;\n\t\tverbose_linfo(env, t, \"%d: \", t);\n\t\tverbose_linfo(env, w, \"%d: \", w);\n\t\tverbose(env, \"back-edge from insn %d to %d\\n\", t, w);\n\t\treturn -EINVAL;\n\t} else if (insn_state[w] == EXPLORED) {\n\t\t/* forward- or cross-edge */\n\t\tinsn_state[t] = DISCOVERED | e;\n\t} else {\n\t\tverbose(env, \"insn state internal bug\\n\");\n\t\treturn -EFAULT;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 240131385035624791501226984415306302891, "size": 46, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328526 }, { "func": "static int resolve_pseudo_ldimm64(struct bpf_verifier_env *env)\n{\n\tstruct bpf_insn *insn = env->prog->insnsi;\n\tint insn_cnt = env->prog->len;\n\tint i, j, err;\n\n\terr = bpf_prog_calc_tag(env->prog);\n\tif (err)\n\t\treturn err;\n\n\tfor (i = 0; i < insn_cnt; i++, insn++) {\n\t\tif (BPF_CLASS(insn->code) == BPF_LDX &&\n\t\t (BPF_MODE(insn->code) != BPF_MEM || insn->imm != 0)) {\n\t\t\tverbose(env, \"BPF_LDX uses reserved fields\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tif (BPF_CLASS(insn->code) == BPF_STX &&\n\t\t ((BPF_MODE(insn->code) != BPF_MEM &&\n\t\t BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) {\n\t\t\tverbose(env, \"BPF_STX uses reserved fields\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tif (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {\n\t\t\tstruct bpf_insn_aux_data *aux;\n\t\t\tstruct bpf_map *map;\n\t\t\tstruct fd f;\n\t\t\tu64 addr;\n\n\t\t\tif (i == insn_cnt - 1 || insn[1].code != 0 ||\n\t\t\t insn[1].dst_reg != 0 || insn[1].src_reg != 0 ||\n\t\t\t insn[1].off != 0) {\n\t\t\t\tverbose(env, \"invalid bpf_ld_imm64 insn\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tif (insn[0].src_reg == 0)\n\t\t\t\t/* valid generic load 64-bit imm */\n\t\t\t\tgoto next_insn;\n\n\t\t\tif (insn[0].src_reg == BPF_PSEUDO_BTF_ID) {\n\t\t\t\taux = &env->insn_aux_data[i];\n\t\t\t\terr = check_pseudo_btf_id(env, insn, aux);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\t\t\t\tgoto next_insn;\n\t\t\t}\n\n\t\t\t/* In final convert_pseudo_ld_imm64() step, this is\n\t\t\t * converted into regular 64-bit imm load insn.\n\t\t\t */\n\t\t\tif ((insn[0].src_reg != BPF_PSEUDO_MAP_FD &&\n\t\t\t insn[0].src_reg != BPF_PSEUDO_MAP_VALUE) ||\n\t\t\t (insn[0].src_reg == BPF_PSEUDO_MAP_FD &&\n\t\t\t insn[1].imm != 0)) {\n\t\t\t\tverbose(env,\n\t\t\t\t\t\"unrecognized bpf_ld_imm64 insn\\n\");\n\t\t\t\treturn 
-EINVAL;\n\t\t\t}\n\n\t\t\tf = fdget(insn[0].imm);\n\t\t\tmap = __bpf_map_get(f);\n\t\t\tif (IS_ERR(map)) {\n\t\t\t\tverbose(env, \"fd %d is not pointing to valid bpf_map\\n\",\n\t\t\t\t\tinsn[0].imm);\n\t\t\t\treturn PTR_ERR(map);\n\t\t\t}\n\n\t\t\terr = check_map_prog_compatibility(env, map, env->prog);\n\t\t\tif (err) {\n\t\t\t\tfdput(f);\n\t\t\t\treturn err;\n\t\t\t}\n\n\t\t\taux = &env->insn_aux_data[i];\n\t\t\tif (insn->src_reg == BPF_PSEUDO_MAP_FD) {\n\t\t\t\taddr = (unsigned long)map;\n\t\t\t} else {\n\t\t\t\tu32 off = insn[1].imm;\n\n\t\t\t\tif (off >= BPF_MAX_VAR_OFF) {\n\t\t\t\t\tverbose(env, \"direct value offset of %u is not allowed\\n\", off);\n\t\t\t\t\tfdput(f);\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\tif (!map->ops->map_direct_value_addr) {\n\t\t\t\t\tverbose(env, \"no direct value access support for this map type\\n\");\n\t\t\t\t\tfdput(f);\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\t}\n\n\t\t\t\terr = map->ops->map_direct_value_addr(map, &addr, off);\n\t\t\t\tif (err) {\n\t\t\t\t\tverbose(env, \"invalid access to map value pointer, value_size=%u off=%u\\n\",\n\t\t\t\t\t\tmap->value_size, off);\n\t\t\t\t\tfdput(f);\n\t\t\t\t\treturn err;\n\t\t\t\t}\n\n\t\t\t\taux->map_off = off;\n\t\t\t\taddr += off;\n\t\t\t}\n\n\t\t\tinsn[0].imm = (u32)addr;\n\t\t\tinsn[1].imm = addr >> 32;\n\n\t\t\t/* check whether we recorded this map already */\n\t\t\tfor (j = 0; j < env->used_map_cnt; j++) {\n\t\t\t\tif (env->used_maps[j] == map) {\n\t\t\t\t\taux->map_index = j;\n\t\t\t\t\tfdput(f);\n\t\t\t\t\tgoto next_insn;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (env->used_map_cnt >= MAX_USED_MAPS) {\n\t\t\t\tfdput(f);\n\t\t\t\treturn -E2BIG;\n\t\t\t}\n\n\t\t\t/* hold the map. 
If the program is rejected by verifier,\n\t\t\t * the map will be released by release_maps() or it\n\t\t\t * will be used by the valid program until it's unloaded\n\t\t\t * and all maps are released in free_used_maps()\n\t\t\t */\n\t\t\tbpf_map_inc(map);\n\n\t\t\taux->map_index = env->used_map_cnt;\n\t\t\tenv->used_maps[env->used_map_cnt++] = map;\n\n\t\t\tif (bpf_map_is_cgroup_storage(map) &&\n\t\t\t bpf_cgroup_storage_assign(env->prog->aux, map)) {\n\t\t\t\tverbose(env, \"only one cgroup storage of each type is allowed\\n\");\n\t\t\t\tfdput(f);\n\t\t\t\treturn -EBUSY;\n\t\t\t}\n\n\t\t\tfdput(f);\nnext_insn:\n\t\t\tinsn++;\n\t\t\ti++;\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* Basic sanity check before we invest more work here. */\n\t\tif (!bpf_opcode_in_insntable(insn->code)) {\n\t\t\tverbose(env, \"unknown opcode %02x\\n\", insn->code);\n\t\t\treturn -EINVAL;\n\t\t}\n\t}\n\n\t/* now all pseudo BPF_LD_IMM64 instructions load valid\n\t * 'struct bpf_map *' into a register instead of user map_fd.\n\t * These pointers will be used later by verifier to validate map access.\n\t */\n\treturn 0;\n}", "project": "linux", "hash": 267680939615385666261817704729970590666, "size": 159, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 
R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. 
Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456512 }, { "func": "static void sanitize_dead_code(struct bpf_verifier_env *env)\n{\n\tstruct bpf_insn_aux_data *aux_data = env->insn_aux_data;\n\tstruct bpf_insn trap = BPF_JMP_IMM(BPF_JA, 0, 0, -1);\n\tstruct bpf_insn *insn = env->prog->insnsi;\n\tconst int insn_cnt = env->prog->len;\n\tint i;\n\n\tfor (i = 0; i < insn_cnt; i++) {\n\t\tif (aux_data[i].seen)\n\t\t\tcontinue;\n\t\tmemcpy(insn + i, &trap, sizeof(trap));\n\t}\n}", "project": "linux", "hash": 65040683058580094687947187748789528307, "size": 14, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232531 }, { "func": "static int check_ptr_to_map_access(struct bpf_verifier_env *env,\n\t\t\t\t struct bpf_reg_state *regs,\n\t\t\t\t int regno, int off, int size,\n\t\t\t\t enum bpf_access_type atype,\n\t\t\t\t int value_regno)\n{\n\tstruct bpf_reg_state *reg = regs + regno;\n\tstruct bpf_map *map = reg->map_ptr;\n\tconst struct btf_type *t;\n\tconst char *tname;\n\tu32 btf_id;\n\tint ret;\n\n\tif (!btf_vmlinux) {\n\t\tverbose(env, \"map_ptr access not supported without CONFIG_DEBUG_INFO_BTF\\n\");\n\t\treturn -ENOTSUPP;\n\t}\n\n\tif (!map->ops->map_btf_id || !*map->ops->map_btf_id) {\n\t\tverbose(env, \"map_ptr access not supported for map type %d\\n\",\n\t\t\tmap->map_type);\n\t\treturn -ENOTSUPP;\n\t}\n\n\tt = btf_type_by_id(btf_vmlinux, *map->ops->map_btf_id);\n\ttname = btf_name_by_offset(btf_vmlinux, t->name_off);\n\n\tif (!env->allow_ptr_to_map_access) {\n\t\tverbose(env,\n\t\t\t\"%s access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN\\n\",\n\t\t\ttname);\n\t\treturn -EPERM;\n\t}\n\n\tif (off < 0) {\n\t\tverbose(env, \"R%d is %s invalid negative access: off=%d\\n\",\n\t\t\tregno, tname, off);\n\t\treturn -EACCES;\n\t}\n\n\tif (atype != BPF_READ) {\n\t\tverbose(env, \"only read from %s is supported\\n\", tname);\n\t\treturn -EACCES;\n\t}\n\n\tret = btf_struct_access(&env->log, t, off, size, atype, &btf_id);\n\tif (ret < 0)\n\t\treturn ret;\n\n\tif (value_regno >= 0)\n\t\tmark_btf_ld_reg(env, regs, value_regno, ret, btf_id);\n\n\treturn 0;\n}", "project": "linux", "hash": 184274750828404443479000690698496378546, "size": 54, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": 
"bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. 
By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 
fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328504 }, { "func": "static bool is_preallocated_map(struct bpf_map *map)\n{\n\tif (!check_map_prealloc(map))\n\t\treturn false;\n\tif (map->inner_map_meta && !check_map_prealloc(map->inner_map_meta))\n\t\treturn false;\n\treturn true;\n}", "project": "linux", "hash": 321993804534211278309355620807333950210, "size": 8, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232637 }, { "func": "static bool bpf_map_is_cgroup_storage(struct bpf_map *map)\n{\n\treturn (map->map_type == BPF_MAP_TYPE_CGROUP_STORAGE ||\n\t\tmap->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE);\n}", "project": "linux", "hash": 133431099994725197457076958480707033264, "size": 5, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232457 }, { "func": "static bool check_arg_pair_ok(const struct bpf_func_proto *fn)\n{\n\t/* bpf_xxx(..., buf, len) call will access 'len'\n\t * bytes from memory 'buf'. Both arg types need\n\t * to be paired, so make sure there's no buggy\n\t * helper function specification.\n\t */\n\tif (arg_type_is_mem_size(fn->arg1_type) ||\n\t arg_type_is_mem_ptr(fn->arg5_type) ||\n\t check_args_pair_invalid(fn->arg1_type, fn->arg2_type) ||\n\t check_args_pair_invalid(fn->arg2_type, fn->arg3_type) ||\n\t check_args_pair_invalid(fn->arg3_type, fn->arg4_type) ||\n\t check_args_pair_invalid(fn->arg4_type, fn->arg5_type))\n\t\treturn false;\n\n\treturn true;\n}", "project": "linux", "hash": 143275614782735065910395152408441271278, "size": 17, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232544 }, { "func": "static void scalar_min_max_rsh(struct bpf_reg_state *dst_reg,\n\t\t\t struct bpf_reg_state *src_reg)\n{\n\tu64 umax_val = src_reg->umax_value;\n\tu64 umin_val = src_reg->umin_value;\n\n\t/* BPF_RSH is an unsigned shift. If the value in dst_reg might\n\t * be negative, then either:\n\t * 1) src_reg might be zero, so the sign bit of the result is\n\t * unknown, so we lose our signed bounds\n\t * 2) it's known negative, thus the unsigned bounds capture the\n\t * signed bounds\n\t * 3) the signed bounds cross zero, so they tell us nothing\n\t * about the result\n\t * If the value in dst_reg is known nonnegative, then again the\n\t * unsigned bounts capture the signed bounds.\n\t * Thus, in all cases it suffices to blow away our signed bounds\n\t * and rely on inferring new ones from the unsigned bounds and\n\t * var_off of the result.\n\t */\n\tdst_reg->smin_value = S64_MIN;\n\tdst_reg->smax_value = S64_MAX;\n\tdst_reg->var_off = tnum_rshift(dst_reg->var_off, umin_val);\n\tdst_reg->umin_value >>= umax_val;\n\tdst_reg->umax_value >>= umin_val;\n\t/* We may learn something more from the var_off */\n\t__update_reg_bounds(dst_reg);\n}", "project": "linux", "hash": 230906742121325781375466990039478980070, "size": 28, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we 
call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232459 }, { "func": "static void scalar_min_max_rsh(struct bpf_reg_state *dst_reg,\n\t\t\t struct bpf_reg_state *src_reg)\n{\n\tu64 umax_val = src_reg->umax_value;\n\tu64 umin_val = src_reg->umin_value;\n\n\t/* BPF_RSH is an unsigned shift. 
If the value in dst_reg might\n\t * be negative, then either:\n\t * 1) src_reg might be zero, so the sign bit of the result is\n\t * unknown, so we lose our signed bounds\n\t * 2) it's known negative, thus the unsigned bounds capture the\n\t * signed bounds\n\t * 3) the signed bounds cross zero, so they tell us nothing\n\t * about the result\n\t * If the value in dst_reg is known nonnegative, then again the\n\t * unsigned bounts capture the signed bounds.\n\t * Thus, in all cases it suffices to blow away our signed bounds\n\t * and rely on inferring new ones from the unsigned bounds and\n\t * var_off of the result.\n\t */\n\tdst_reg->smin_value = S64_MIN;\n\tdst_reg->smax_value = S64_MAX;\n\tdst_reg->var_off = tnum_rshift(dst_reg->var_off, umin_val);\n\tdst_reg->umin_value >>= umax_val;\n\tdst_reg->umax_value >>= umin_val;\n\n\t/* Its not easy to operate on alu32 bounds here because it depends\n\t * on bits being shifted in. Take easy way out and mark unbounded\n\t * so we can recalculate later from tnum.\n\t */\n\t__mark_reg32_unbounded(dst_reg);\n\t__update_reg_bounds(dst_reg);\n}", "project": "linux", "hash": 309296005363090249514031840028550672941, "size": 33, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328495 }, { "func": "static void free_func_state(struct bpf_func_state *state)\n{\n\tif (!state)\n\t\treturn;\n\tkfree(state->refs);\n\tkfree(state->stack);\n\tkfree(state);\n}", "project": "linux", "hash": 9796347001387691442355153699612325976, "size": 8, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232574 }, { "func": "static bool check_raw_mode_ok(const struct bpf_func_proto *fn)\n{\n\tint count = 0;\n\n\tif (fn->arg1_type == ARG_PTR_TO_UNINIT_MEM)\n\t\tcount++;\n\tif (fn->arg2_type == ARG_PTR_TO_UNINIT_MEM)\n\t\tcount++;\n\tif (fn->arg3_type == ARG_PTR_TO_UNINIT_MEM)\n\t\tcount++;\n\tif (fn->arg4_type == ARG_PTR_TO_UNINIT_MEM)\n\t\tcount++;\n\tif (fn->arg5_type == ARG_PTR_TO_UNINIT_MEM)\n\t\tcount++;\n\n\t/* We only support one arg being in raw mode at the moment,\n\t * which is sufficient for the helper functions we have\n\t * right now.\n\t */\n\treturn count <= 1;\n}", "project": "linux", "hash": 12660125182902153489100320668110271969, "size": 21, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232473 }, { "func": "static void __reg_combine_min_max(struct bpf_reg_state *src_reg,\n\t\t\t\t struct bpf_reg_state *dst_reg)\n{\n\tsrc_reg->umin_value = dst_reg->umin_value = max(src_reg->umin_value,\n\t\t\t\t\t\t\tdst_reg->umin_value);\n\tsrc_reg->umax_value = dst_reg->umax_value = min(src_reg->umax_value,\n\t\t\t\t\t\t\tdst_reg->umax_value);\n\tsrc_reg->smin_value = dst_reg->smin_value = max(src_reg->smin_value,\n\t\t\t\t\t\t\tdst_reg->smin_value);\n\tsrc_reg->smax_value = dst_reg->smax_value = min(src_reg->smax_value,\n\t\t\t\t\t\t\tdst_reg->smax_value);\n\tsrc_reg->var_off = dst_reg->var_off = tnum_intersect(src_reg->var_off,\n\t\t\t\t\t\t\t dst_reg->var_off);\n\t/* We might have learned new bounds from the var_off. */\n\t__update_reg_bounds(src_reg);\n\t__update_reg_bounds(dst_reg);\n\t/* We might have learned something about the sign bit. */\n\t__reg_deduce_bounds(src_reg);\n\t__reg_deduce_bounds(dst_reg);\n\t/* We might have learned some bits from the bounds. */\n\t__reg_bound_offset(src_reg);\n\t__reg_bound_offset(dst_reg);\n\t/* Intersecting with the old var_off might have improved our bounds\n\t * slightly. e.g. 
if umax was 0x7f...f and var_off was (0; 0xf...fc),\n\t * then new var_off is (0; 0x7f...fc) which improves our umax.\n\t */\n\t__update_reg_bounds(src_reg);\n\t__update_reg_bounds(dst_reg);\n}", "project": "linux", "hash": 230590859371231447301847885830134173422, "size": 29, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232442 }, { "func": "static int update_stack_depth(struct bpf_verifier_env *env,\n\t\t\t const struct bpf_func_state *func,\n\t\t\t int off)\n{\n\tu16 stack = env->subprog_info[func->subprogno].stack_depth;\n\n\tif (stack >= -off)\n\t\treturn 0;\n\n\t/* update known max for given subprogram */\n\tenv->subprog_info[func->subprogno].stack_depth = -off;\n\treturn 0;\n}", "project": "linux", "hash": 109375033738784375625836291032947306903, "size": 13, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232541 }, { "func": "static void init_explored_state(struct bpf_verifier_env *env, int idx)\n{\n\tenv->insn_aux_data[idx].prune_point = true;\n}", "project": "linux", "hash": 64003262637647472320200790837938711733, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232591 }, { "func": "static void clean_func_state(struct bpf_verifier_env *env,\n\t\t\t struct bpf_func_state *st)\n{\n\tenum bpf_reg_liveness live;\n\tint i, j;\n\n\tfor (i = 0; i < BPF_REG_FP; i++) {\n\t\tlive = st->regs[i].live;\n\t\t/* liveness must not touch this register anymore */\n\t\tst->regs[i].live |= REG_LIVE_DONE;\n\t\tif (!(live & REG_LIVE_READ))\n\t\t\t/* since the register is unused, clear its state\n\t\t\t * to make further comparison simpler\n\t\t\t */\n\t\t\t__mark_reg_not_init(env, &st->regs[i]);\n\t}\n\n\tfor (i = 0; i < st->allocated_stack / BPF_REG_SIZE; i++) {\n\t\tlive = st->stack[i].spilled_ptr.live;\n\t\t/* liveness must not touch this stack slot anymore */\n\t\tst->stack[i].spilled_ptr.live |= REG_LIVE_DONE;\n\t\tif (!(live & REG_LIVE_READ)) {\n\t\t\t__mark_reg_not_init(env, &st->stack[i].spilled_ptr);\n\t\t\tfor (j = 0; j < BPF_REG_SIZE; j++)\n\t\t\t\tst->stack[i].slot_type[j] = STACK_INVALID;\n\t\t}\n\t}\n}", "project": "linux", "hash": 157309955598950211878772905511361964929, "size": 28, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232502 }, { "func": "static void __find_good_pkt_pointers(struct bpf_func_state *state,\n\t\t\t\t struct bpf_reg_state *dst_reg,\n\t\t\t\t enum bpf_reg_type type, u16 new_range)\n{\n\tstruct bpf_reg_state *reg;\n\tint i;\n\n\tfor (i = 0; i < MAX_BPF_REG; i++) {\n\t\treg = &state->regs[i];\n\t\tif (reg->type == type && reg->id == dst_reg->id)\n\t\t\t/* keep the maximum range already checked */\n\t\t\treg->range = max(reg->range, new_range);\n\t}\n\n\tbpf_for_each_spilled_reg(i, state, reg) {\n\t\tif (!reg)\n\t\t\tcontinue;\n\t\tif (reg->type == type && reg->id == dst_reg->id)\n\t\t\treg->range = max(reg->range, new_range);\n\t}\n}", "project": "linux", "hash": 130232806227854420222216287901630241707, "size": 21, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call 
__update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232582 }, { "func": "static u64 bpf_map_key_immediate(const struct bpf_insn_aux_data *aux)\n{\n\treturn aux->map_key_state & ~(BPF_MAP_KEY_SEEN | BPF_MAP_KEY_POISON);\n}", "project": "linux", "hash": 7413690680249131526466905855565503823, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. 
These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232507 }, { "func": "static bool is_tracing_prog_type(enum bpf_prog_type type)\n{\n\tswitch (type) {\n\tcase BPF_PROG_TYPE_KPROBE:\n\tcase BPF_PROG_TYPE_TRACEPOINT:\n\tcase BPF_PROG_TYPE_PERF_EVENT:\n\tcase BPF_PROG_TYPE_RAW_TRACEPOINT:\n\t\treturn true;\n\tdefault:\n\t\treturn false;\n\t}\n}", "project": "linux", "hash": 5389061764591322483290627945304853838, "size": 12, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232632 }, { "func": "static void mark_ptr_or_null_regs(struct bpf_verifier_state *vstate, u32 regno,\n\t\t\t\t bool is_null)\n{\n\tstruct bpf_func_state *state = vstate->frame[vstate->curframe];\n\tstruct bpf_reg_state *regs = state->regs;\n\tu32 ref_obj_id = regs[regno].ref_obj_id;\n\tu32 id = regs[regno].id;\n\tint i;\n\n\tif (ref_obj_id && ref_obj_id == id && is_null)\n\t\t/* regs[regno] is in the \" == NULL\" branch.\n\t\t * No one could have freed the reference state before\n\t\t * doing the NULL check.\n\t\t */\n\t\tWARN_ON_ONCE(release_reference_state(state, id));\n\n\tfor (i = 0; i <= vstate->curframe; i++)\n\t\t__mark_ptr_or_null_regs(vstate->frame[i], id, is_null);\n}", "project": "linux", "hash": 208114140071838357238417504425938608579, "size": 19, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232606 }, { "func": "static int check_pkt_ptr_alignment(struct bpf_verifier_env *env,\n\t\t\t\t const struct bpf_reg_state *reg,\n\t\t\t\t int off, int size, bool strict)\n{\n\tstruct tnum reg_off;\n\tint ip_align;\n\n\t/* Byte size accesses are always allowed. */\n\tif (!strict || size == 1)\n\t\treturn 0;\n\n\t/* For platforms that do not have a Kconfig enabling\n\t * CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS the value of\n\t * NET_IP_ALIGN is universally set to '2'. And on platforms\n\t * that do set CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS, we get\n\t * to this code only in strict mode where we want to emulate\n\t * the NET_IP_ALIGN==2 checking. 
Therefore use an\n\t * unconditional IP align value of '2'.\n\t */\n\tip_align = 2;\n\n\treg_off = tnum_add(reg->var_off, tnum_const(ip_align + reg->off + off));\n\tif (!tnum_is_aligned(reg_off, size)) {\n\t\tchar tn_buf[48];\n\n\t\ttnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);\n\t\tverbose(env,\n\t\t\t\"misaligned packet access off %d+%s+%d+%d size %d\\n\",\n\t\t\tip_align, tn_buf, reg->off, off, size);\n\t\treturn -EACCES;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 273385135239331057736122208047178475011, "size": 34, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232435 }, { "func": "static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno,\n\t\t\t int off, int bpf_size, enum bpf_access_type t,\n\t\t\t int value_regno, bool strict_alignment_once)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tstruct bpf_reg_state *reg = regs + regno;\n\tstruct bpf_func_state *state;\n\tint size, err = 0;\n\n\tsize = bpf_size_to_bytes(bpf_size);\n\tif (size < 0)\n\t\treturn size;\n\n\t/* alignment checks will add in reg->off themselves */\n\terr = check_ptr_alignment(env, reg, off, size, strict_alignment_once);\n\tif (err)\n\t\treturn err;\n\n\t/* for access checks, reg->off is just part of off */\n\toff += reg->off;\n\n\tif (reg->type == PTR_TO_MAP_VALUE) {\n\t\tif (t == BPF_WRITE && value_regno >= 0 &&\n\t\t is_pointer_value(env, value_regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into map\\n\", value_regno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_map_access_type(env, regno, off, size, t);\n\t\tif (err)\n\t\t\treturn err;\n\t\terr = check_map_access(env, regno, off, size, false);\n\t\tif (!err && t == BPF_READ && value_regno >= 0) {\n\t\t\tstruct bpf_map *map = reg->map_ptr;\n\n\t\t\t/* if map is read-only, track its contents as scalars */\n\t\t\tif (tnum_is_const(reg->var_off) &&\n\t\t\t bpf_map_is_rdonly(map) &&\n\t\t\t map->ops->map_direct_value_addr) {\n\t\t\t\tint map_off = off + reg->var_off.value;\n\t\t\t\tu64 val = 0;\n\n\t\t\t\terr = bpf_map_direct_read(map, map_off, size,\n\t\t\t\t\t\t\t &val);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\n\t\t\t\tregs[value_regno].type = SCALAR_VALUE;\n\t\t\t\t__mark_reg_known(®s[value_regno], 
val);\n\t\t\t} else {\n\t\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t\t\t}\n\t\t}\n\t} else if (reg->type == PTR_TO_CTX) {\n\t\tenum bpf_reg_type reg_type = SCALAR_VALUE;\n\t\tu32 btf_id = 0;\n\n\t\tif (t == BPF_WRITE && value_regno >= 0 &&\n\t\t is_pointer_value(env, value_regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into ctx\\n\", value_regno);\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\terr = check_ctx_reg(env, reg, regno);\n\t\tif (err < 0)\n\t\t\treturn err;\n\n\t\terr = check_ctx_access(env, insn_idx, off, size, t, ®_type, &btf_id);\n\t\tif (err)\n\t\t\tverbose_linfo(env, insn_idx, \"; \");\n\t\tif (!err && t == BPF_READ && value_regno >= 0) {\n\t\t\t/* ctx access returns either a scalar, or a\n\t\t\t * PTR_TO_PACKET[_META,_END]. In the latter\n\t\t\t * case, we know the offset is zero.\n\t\t\t */\n\t\t\tif (reg_type == SCALAR_VALUE) {\n\t\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t\t\t} else {\n\t\t\t\tmark_reg_known_zero(env, regs,\n\t\t\t\t\t\t value_regno);\n\t\t\t\tif (reg_type_may_be_null(reg_type))\n\t\t\t\t\tregs[value_regno].id = ++env->id_gen;\n\t\t\t\t/* A load of ctx field could have different\n\t\t\t\t * actual load size with the one encoded in the\n\t\t\t\t * insn. 
When the dst is PTR, it is for sure not\n\t\t\t\t * a sub-register.\n\t\t\t\t */\n\t\t\t\tregs[value_regno].subreg_def = DEF_NOT_SUBREG;\n\t\t\t\tif (reg_type == PTR_TO_BTF_ID)\n\t\t\t\t\tregs[value_regno].btf_id = btf_id;\n\t\t\t}\n\t\t\tregs[value_regno].type = reg_type;\n\t\t}\n\n\t} else if (reg->type == PTR_TO_STACK) {\n\t\toff += reg->var_off.value;\n\t\terr = check_stack_access(env, reg, off, size);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tstate = func(env, reg);\n\t\terr = update_stack_depth(env, state, off);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tif (t == BPF_WRITE)\n\t\t\terr = check_stack_write(env, state, off, size,\n\t\t\t\t\t\tvalue_regno, insn_idx);\n\t\telse\n\t\t\terr = check_stack_read(env, state, off, size,\n\t\t\t\t\t value_regno);\n\t} else if (reg_is_pkt_pointer(reg)) {\n\t\tif (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) {\n\t\t\tverbose(env, \"cannot write into packet\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\t\tif (t == BPF_WRITE && value_regno >= 0 &&\n\t\t is_pointer_value(env, value_regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into packet\\n\",\n\t\t\t\tvalue_regno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_packet_access(env, regno, off, size, false);\n\t\tif (!err && t == BPF_READ && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (reg->type == PTR_TO_FLOW_KEYS) {\n\t\tif (t == BPF_WRITE && value_regno >= 0 &&\n\t\t is_pointer_value(env, value_regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into flow keys\\n\",\n\t\t\t\tvalue_regno);\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\terr = check_flow_keys_access(env, off, size);\n\t\tif (!err && t == BPF_READ && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (type_is_sk_pointer(reg->type)) {\n\t\tif (t == BPF_WRITE) {\n\t\t\tverbose(env, \"R%d cannot write into %s\\n\",\n\t\t\t\tregno, reg_type_str[reg->type]);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_sock_access(env, insn_idx, regno, off, size, t);\n\t\tif 
(!err && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (reg->type == PTR_TO_TP_BUFFER) {\n\t\terr = check_tp_buffer_access(env, reg, regno, off, size);\n\t\tif (!err && t == BPF_READ && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (reg->type == PTR_TO_BTF_ID) {\n\t\terr = check_ptr_to_btf_access(env, regs, regno, off, size, t,\n\t\t\t\t\t value_regno);\n\t} else {\n\t\tverbose(env, \"R%d invalid mem access '%s'\\n\", regno,\n\t\t\treg_type_str[reg->type]);\n\t\treturn -EACCES;\n\t}\n\n\tif (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ &&\n\t regs[value_regno].type == SCALAR_VALUE) {\n\t\t/* b/h/w load zero-extends, mark upper bits as known 0 */\n\t\tcoerce_reg_to_size(®s[value_regno], size);\n\t}\n\treturn err;\n}", "project": "linux", "hash": 150037160336691488027661386916760640406, "size": 164, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232616 }, { "func": "static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno,\n\t\t\t int off, int bpf_size, enum bpf_access_type t,\n\t\t\t int value_regno, bool strict_alignment_once)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tstruct bpf_reg_state *reg = regs + regno;\n\tstruct bpf_func_state *state;\n\tint size, err = 0;\n\n\tsize = bpf_size_to_bytes(bpf_size);\n\tif (size < 0)\n\t\treturn size;\n\n\t/* alignment checks will add in reg->off themselves */\n\terr = check_ptr_alignment(env, reg, off, size, strict_alignment_once);\n\tif (err)\n\t\treturn err;\n\n\t/* for access checks, reg->off is just part of off */\n\toff += reg->off;\n\n\tif (reg->type == PTR_TO_MAP_VALUE) {\n\t\tif (t == BPF_WRITE && value_regno >= 0 &&\n\t\t is_pointer_value(env, value_regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into map\\n\", value_regno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_map_access_type(env, regno, off, size, t);\n\t\tif (err)\n\t\t\treturn err;\n\t\terr = check_map_access(env, regno, off, size, false);\n\t\tif (!err && t == BPF_READ && value_regno >= 0) {\n\t\t\tstruct bpf_map *map = reg->map_ptr;\n\n\t\t\t/* if map is read-only, track its contents as scalars */\n\t\t\tif (tnum_is_const(reg->var_off) &&\n\t\t\t bpf_map_is_rdonly(map) &&\n\t\t\t map->ops->map_direct_value_addr) {\n\t\t\t\tint map_off = off + reg->var_off.value;\n\t\t\t\tu64 val = 0;\n\n\t\t\t\terr = bpf_map_direct_read(map, map_off, size,\n\t\t\t\t\t\t\t &val);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\n\t\t\t\tregs[value_regno].type = SCALAR_VALUE;\n\t\t\t\t__mark_reg_known(®s[value_regno], 
val);\n\t\t\t} else {\n\t\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t\t\t}\n\t\t}\n\t} else if (reg->type == PTR_TO_MEM) {\n\t\tif (t == BPF_WRITE && value_regno >= 0 &&\n\t\t is_pointer_value(env, value_regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into mem\\n\", value_regno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_mem_region_access(env, regno, off, size,\n\t\t\t\t\t reg->mem_size, false);\n\t\tif (!err && t == BPF_READ && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (reg->type == PTR_TO_CTX) {\n\t\tenum bpf_reg_type reg_type = SCALAR_VALUE;\n\t\tu32 btf_id = 0;\n\n\t\tif (t == BPF_WRITE && value_regno >= 0 &&\n\t\t is_pointer_value(env, value_regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into ctx\\n\", value_regno);\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\terr = check_ctx_reg(env, reg, regno);\n\t\tif (err < 0)\n\t\t\treturn err;\n\n\t\terr = check_ctx_access(env, insn_idx, off, size, t, ®_type, &btf_id);\n\t\tif (err)\n\t\t\tverbose_linfo(env, insn_idx, \"; \");\n\t\tif (!err && t == BPF_READ && value_regno >= 0) {\n\t\t\t/* ctx access returns either a scalar, or a\n\t\t\t * PTR_TO_PACKET[_META,_END]. In the latter\n\t\t\t * case, we know the offset is zero.\n\t\t\t */\n\t\t\tif (reg_type == SCALAR_VALUE) {\n\t\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t\t\t} else {\n\t\t\t\tmark_reg_known_zero(env, regs,\n\t\t\t\t\t\t value_regno);\n\t\t\t\tif (reg_type_may_be_null(reg_type))\n\t\t\t\t\tregs[value_regno].id = ++env->id_gen;\n\t\t\t\t/* A load of ctx field could have different\n\t\t\t\t * actual load size with the one encoded in the\n\t\t\t\t * insn. 
When the dst is PTR, it is for sure not\n\t\t\t\t * a sub-register.\n\t\t\t\t */\n\t\t\t\tregs[value_regno].subreg_def = DEF_NOT_SUBREG;\n\t\t\t\tif (reg_type == PTR_TO_BTF_ID ||\n\t\t\t\t reg_type == PTR_TO_BTF_ID_OR_NULL)\n\t\t\t\t\tregs[value_regno].btf_id = btf_id;\n\t\t\t}\n\t\t\tregs[value_regno].type = reg_type;\n\t\t}\n\n\t} else if (reg->type == PTR_TO_STACK) {\n\t\toff += reg->var_off.value;\n\t\terr = check_stack_access(env, reg, off, size);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tstate = func(env, reg);\n\t\terr = update_stack_depth(env, state, off);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tif (t == BPF_WRITE)\n\t\t\terr = check_stack_write(env, state, off, size,\n\t\t\t\t\t\tvalue_regno, insn_idx);\n\t\telse\n\t\t\terr = check_stack_read(env, state, off, size,\n\t\t\t\t\t value_regno);\n\t} else if (reg_is_pkt_pointer(reg)) {\n\t\tif (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) {\n\t\t\tverbose(env, \"cannot write into packet\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\t\tif (t == BPF_WRITE && value_regno >= 0 &&\n\t\t is_pointer_value(env, value_regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into packet\\n\",\n\t\t\t\tvalue_regno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_packet_access(env, regno, off, size, false);\n\t\tif (!err && t == BPF_READ && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (reg->type == PTR_TO_FLOW_KEYS) {\n\t\tif (t == BPF_WRITE && value_regno >= 0 &&\n\t\t is_pointer_value(env, value_regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into flow keys\\n\",\n\t\t\t\tvalue_regno);\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\terr = check_flow_keys_access(env, off, size);\n\t\tif (!err && t == BPF_READ && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (type_is_sk_pointer(reg->type)) {\n\t\tif (t == BPF_WRITE) {\n\t\t\tverbose(env, \"R%d cannot write into %s\\n\",\n\t\t\t\tregno, reg_type_str[reg->type]);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = 
check_sock_access(env, insn_idx, regno, off, size, t);\n\t\tif (!err && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (reg->type == PTR_TO_TP_BUFFER) {\n\t\terr = check_tp_buffer_access(env, reg, regno, off, size);\n\t\tif (!err && t == BPF_READ && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (reg->type == PTR_TO_BTF_ID) {\n\t\terr = check_ptr_to_btf_access(env, regs, regno, off, size, t,\n\t\t\t\t\t value_regno);\n\t} else if (reg->type == CONST_PTR_TO_MAP) {\n\t\terr = check_ptr_to_map_access(env, regs, regno, off, size, t,\n\t\t\t\t\t value_regno);\n\t} else if (reg->type == PTR_TO_RDONLY_BUF) {\n\t\tif (t == BPF_WRITE) {\n\t\t\tverbose(env, \"R%d cannot write into %s\\n\",\n\t\t\t\tregno, reg_type_str[reg->type]);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_buffer_access(env, reg, regno, off, size, false,\n\t\t\t\t\t \"rdonly\",\n\t\t\t\t\t &env->prog->aux->max_rdonly_access);\n\t\tif (!err && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (reg->type == PTR_TO_RDWR_BUF) {\n\t\terr = check_buffer_access(env, reg, regno, off, size, false,\n\t\t\t\t\t \"rdwr\",\n\t\t\t\t\t &env->prog->aux->max_rdwr_access);\n\t\tif (!err && t == BPF_READ && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else {\n\t\tverbose(env, \"R%d invalid mem access '%s'\\n\", regno,\n\t\t\treg_type_str[reg->type]);\n\t\treturn -EACCES;\n\t}\n\n\tif (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ &&\n\t regs[value_regno].type == SCALAR_VALUE) {\n\t\t/* b/h/w load zero-extends, mark upper bits as known 0 */\n\t\tcoerce_reg_to_size(®s[value_regno], size);\n\t}\n\treturn err;\n}", "project": "linux", "hash": 300774888677364410722824436408135616678, "size": 195, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() 
implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. 
This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 
R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328502 }, { "func": "static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno,\n\t\t\t int off, int bpf_size, enum bpf_access_type t,\n\t\t\t int value_regno, bool strict_alignment_once)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tstruct bpf_reg_state *reg = regs + regno;\n\tstruct bpf_func_state *state;\n\tint size, err = 0;\n\n\tsize = bpf_size_to_bytes(bpf_size);\n\tif (size < 0)\n\t\treturn size;\n\n\t/* alignment checks will add in reg->off themselves */\n\terr = check_ptr_alignment(env, reg, off, size, strict_alignment_once);\n\tif (err)\n\t\treturn err;\n\n\t/* for access checks, reg->off is just part of off */\n\toff += reg->off;\n\n\tif (reg->type == PTR_TO_MAP_VALUE) {\n\t\tif (t == BPF_WRITE && value_regno >= 0 &&\n\t\t is_pointer_value(env, value_regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into map\\n\", value_regno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_map_access_type(env, regno, off, size, t);\n\t\tif (err)\n\t\t\treturn err;\n\t\terr = check_map_access(env, regno, off, size, false);\n\t\tif (!err && t == BPF_READ && value_regno >= 0) {\n\t\t\tstruct bpf_map *map = reg->map_ptr;\n\n\t\t\t/* if map is read-only, track its contents as scalars */\n\t\t\tif (tnum_is_const(reg->var_off) &&\n\t\t\t bpf_map_is_rdonly(map) &&\n\t\t\t map->ops->map_direct_value_addr) {\n\t\t\t\tint map_off = off + reg->var_off.value;\n\t\t\t\tu64 val = 0;\n\n\t\t\t\terr = bpf_map_direct_read(map, map_off, size,\n\t\t\t\t\t\t\t &val);\n\t\t\t\tif (err)\n\t\t\t\t\treturn err;\n\n\t\t\t\tregs[value_regno].type = 
SCALAR_VALUE;\n\t\t\t\t__mark_reg_known(®s[value_regno], val);\n\t\t\t} else {\n\t\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t\t\t}\n\t\t}\n\t} else if (reg->type == PTR_TO_MEM) {\n\t\tif (t == BPF_WRITE && value_regno >= 0 &&\n\t\t is_pointer_value(env, value_regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into mem\\n\", value_regno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_mem_region_access(env, regno, off, size,\n\t\t\t\t\t reg->mem_size, false);\n\t\tif (!err && t == BPF_READ && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (reg->type == PTR_TO_CTX) {\n\t\tenum bpf_reg_type reg_type = SCALAR_VALUE;\n\t\tstruct btf *btf = NULL;\n\t\tu32 btf_id = 0;\n\n\t\tif (t == BPF_WRITE && value_regno >= 0 &&\n\t\t is_pointer_value(env, value_regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into ctx\\n\", value_regno);\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\terr = check_ctx_reg(env, reg, regno);\n\t\tif (err < 0)\n\t\t\treturn err;\n\n\t\terr = check_ctx_access(env, insn_idx, off, size, t, ®_type, &btf, &btf_id);\n\t\tif (err)\n\t\t\tverbose_linfo(env, insn_idx, \"; \");\n\t\tif (!err && t == BPF_READ && value_regno >= 0) {\n\t\t\t/* ctx access returns either a scalar, or a\n\t\t\t * PTR_TO_PACKET[_META,_END]. In the latter\n\t\t\t * case, we know the offset is zero.\n\t\t\t */\n\t\t\tif (reg_type == SCALAR_VALUE) {\n\t\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t\t\t} else {\n\t\t\t\tmark_reg_known_zero(env, regs,\n\t\t\t\t\t\t value_regno);\n\t\t\t\tif (reg_type_may_be_null(reg_type))\n\t\t\t\t\tregs[value_regno].id = ++env->id_gen;\n\t\t\t\t/* A load of ctx field could have different\n\t\t\t\t * actual load size with the one encoded in the\n\t\t\t\t * insn. 
When the dst is PTR, it is for sure not\n\t\t\t\t * a sub-register.\n\t\t\t\t */\n\t\t\t\tregs[value_regno].subreg_def = DEF_NOT_SUBREG;\n\t\t\t\tif (reg_type == PTR_TO_BTF_ID ||\n\t\t\t\t reg_type == PTR_TO_BTF_ID_OR_NULL) {\n\t\t\t\t\tregs[value_regno].btf = btf;\n\t\t\t\t\tregs[value_regno].btf_id = btf_id;\n\t\t\t\t}\n\t\t\t}\n\t\t\tregs[value_regno].type = reg_type;\n\t\t}\n\n\t} else if (reg->type == PTR_TO_STACK) {\n\t\toff += reg->var_off.value;\n\t\terr = check_stack_access(env, reg, off, size);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tstate = func(env, reg);\n\t\terr = update_stack_depth(env, state, off);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tif (t == BPF_WRITE)\n\t\t\terr = check_stack_write(env, state, off, size,\n\t\t\t\t\t\tvalue_regno, insn_idx);\n\t\telse\n\t\t\terr = check_stack_read(env, state, off, size,\n\t\t\t\t\t value_regno);\n\t} else if (reg_is_pkt_pointer(reg)) {\n\t\tif (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) {\n\t\t\tverbose(env, \"cannot write into packet\\n\");\n\t\t\treturn -EACCES;\n\t\t}\n\t\tif (t == BPF_WRITE && value_regno >= 0 &&\n\t\t is_pointer_value(env, value_regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into packet\\n\",\n\t\t\t\tvalue_regno);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_packet_access(env, regno, off, size, false);\n\t\tif (!err && t == BPF_READ && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (reg->type == PTR_TO_FLOW_KEYS) {\n\t\tif (t == BPF_WRITE && value_regno >= 0 &&\n\t\t is_pointer_value(env, value_regno)) {\n\t\t\tverbose(env, \"R%d leaks addr into flow keys\\n\",\n\t\t\t\tvalue_regno);\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\terr = check_flow_keys_access(env, off, size);\n\t\tif (!err && t == BPF_READ && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (type_is_sk_pointer(reg->type)) {\n\t\tif (t == BPF_WRITE) {\n\t\t\tverbose(env, \"R%d cannot write into %s\\n\",\n\t\t\t\tregno, 
reg_type_str[reg->type]);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_sock_access(env, insn_idx, regno, off, size, t);\n\t\tif (!err && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (reg->type == PTR_TO_TP_BUFFER) {\n\t\terr = check_tp_buffer_access(env, reg, regno, off, size);\n\t\tif (!err && t == BPF_READ && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (reg->type == PTR_TO_BTF_ID) {\n\t\terr = check_ptr_to_btf_access(env, regs, regno, off, size, t,\n\t\t\t\t\t value_regno);\n\t} else if (reg->type == CONST_PTR_TO_MAP) {\n\t\terr = check_ptr_to_map_access(env, regs, regno, off, size, t,\n\t\t\t\t\t value_regno);\n\t} else if (reg->type == PTR_TO_RDONLY_BUF) {\n\t\tif (t == BPF_WRITE) {\n\t\t\tverbose(env, \"R%d cannot write into %s\\n\",\n\t\t\t\tregno, reg_type_str[reg->type]);\n\t\t\treturn -EACCES;\n\t\t}\n\t\terr = check_buffer_access(env, reg, regno, off, size, false,\n\t\t\t\t\t \"rdonly\",\n\t\t\t\t\t &env->prog->aux->max_rdonly_access);\n\t\tif (!err && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else if (reg->type == PTR_TO_RDWR_BUF) {\n\t\terr = check_buffer_access(env, reg, regno, off, size, false,\n\t\t\t\t\t \"rdwr\",\n\t\t\t\t\t &env->prog->aux->max_rdwr_access);\n\t\tif (!err && t == BPF_READ && value_regno >= 0)\n\t\t\tmark_reg_unknown(env, regs, value_regno);\n\t} else {\n\t\tverbose(env, \"R%d invalid mem access '%s'\\n\", regno,\n\t\t\treg_type_str[reg->type]);\n\t\treturn -EACCES;\n\t}\n\n\tif (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ &&\n\t regs[value_regno].type == SCALAR_VALUE) {\n\t\t/* b/h/w load zero-extends, mark upper bits as known 0 */\n\t\tcoerce_reg_to_size(®s[value_regno], size);\n\t}\n\treturn err;\n}", "project": "linux", "hash": 106887228402181288129734331356302045225, "size": 198, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt 
zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. 
After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456516 }, { "func": "static void init_reg_state(struct bpf_verifier_env *env,\n\t\t\t struct bpf_func_state *state)\n{\n\tstruct bpf_reg_state *regs = state->regs;\n\tint i;\n\n\tfor (i = 0; i < MAX_BPF_REG; i++) {\n\t\tmark_reg_not_init(env, regs, i);\n\t\tregs[i].live = REG_LIVE_NONE;\n\t\tregs[i].parent = NULL;\n\t\tregs[i].subreg_def = DEF_NOT_SUBREG;\n\t}\n\n\t/* frame pointer */\n\tregs[BPF_REG_FP].type = PTR_TO_STACK;\n\tmark_reg_known_zero(env, regs, BPF_REG_FP);\n\tregs[BPF_REG_FP].frameno = state->frameno;\n}", "project": "linux", "hash": 289825490910676571181356605879482878185, "size": 18, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232627 }, { "func": "static bool check_reg_sane_offset(struct bpf_verifier_env *env,\n\t\t\t\t const struct bpf_reg_state *reg,\n\t\t\t\t enum bpf_reg_type type)\n{\n\tbool known = tnum_is_const(reg->var_off);\n\ts64 val = reg->var_off.value;\n\ts64 smin = reg->smin_value;\n\n\tif (known && (val >= BPF_MAX_VAR_OFF || val <= -BPF_MAX_VAR_OFF)) {\n\t\tverbose(env, \"math between %s pointer and %lld is not allowed\\n\",\n\t\t\treg_type_str[type], val);\n\t\treturn false;\n\t}\n\n\tif (reg->off >= BPF_MAX_VAR_OFF || reg->off <= -BPF_MAX_VAR_OFF) {\n\t\tverbose(env, \"%s pointer offset %d is not allowed\\n\",\n\t\t\treg_type_str[type], reg->off);\n\t\treturn false;\n\t}\n\n\tif (smin == S64_MIN) {\n\t\tverbose(env, \"math between %s pointer and register with unbounded min value is not allowed\\n\",\n\t\t\treg_type_str[type]);\n\t\treturn false;\n\t}\n\n\tif (smin >= BPF_MAX_VAR_OFF || smin <= -BPF_MAX_VAR_OFF) {\n\t\tverbose(env, \"value %lld makes %s pointer be out of 
bounds\\n\",\n\t\t\tsmin, reg_type_str[type]);\n\t\treturn false;\n\t}\n\n\treturn true;\n}", "project": "linux", "hash": 92067545927755098386353317102058184371, "size": 34, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232409 }, { "func": "static void reg_combine_min_max(struct bpf_reg_state *true_src,\n\t\t\t\tstruct bpf_reg_state *true_dst,\n\t\t\t\tstruct bpf_reg_state *false_src,\n\t\t\t\tstruct bpf_reg_state *false_dst,\n\t\t\t\tu8 opcode)\n{\n\tswitch (opcode) {\n\tcase BPF_JEQ:\n\t\t__reg_combine_min_max(true_src, true_dst);\n\t\tbreak;\n\tcase BPF_JNE:\n\t\t__reg_combine_min_max(false_src, false_dst);\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 68295714401162418785068131242070612836, "size": 15, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232506 }, { "func": "static void mark_reg_known_zero(struct bpf_verifier_env *env,\n\t\t\t\tstruct bpf_reg_state *regs, u32 regno)\n{\n\tif (WARN_ON(regno >= MAX_BPF_REG)) {\n\t\tverbose(env, \"mark_reg_known_zero(regs, %u)\\n\", regno);\n\t\t/* Something bad happened, let's kill all regs */\n\t\tfor (regno = 0; regno < MAX_BPF_REG; regno++)\n\t\t\t__mark_reg_not_init(env, regs + regno);\n\t\treturn;\n\t}\n\t__mark_reg_known_zero(regs + regno);\n}", "project": "linux", "hash": 116615299804389925519667041916077330612, "size": 12, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232645 }, { "func": "static void print_liveness(struct bpf_verifier_env *env,\n\t\t\t enum bpf_reg_liveness live)\n{\n\tif (live & (REG_LIVE_READ | REG_LIVE_WRITTEN | REG_LIVE_DONE))\n\t verbose(env, \"_\");\n\tif (live & REG_LIVE_READ)\n\t\tverbose(env, \"r\");\n\tif (live & REG_LIVE_WRITTEN)\n\t\tverbose(env, \"w\");\n\tif (live & REG_LIVE_DONE)\n\t\tverbose(env, \"D\");\n}", "project": "linux", "hash": 216981385040269907985168525280218217552, "size": 12, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232460 }, { "func": "static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn_idx)\n{\n\tconst struct bpf_func_proto *fn = NULL;\n\tstruct bpf_reg_state *regs;\n\tstruct bpf_call_arg_meta meta;\n\tbool changes_data;\n\tint i, err;\n\n\t/* find function prototype */\n\tif (func_id < 0 || func_id >= __BPF_FUNC_MAX_ID) {\n\t\tverbose(env, \"invalid func %s#%d\\n\", func_id_name(func_id),\n\t\t\tfunc_id);\n\t\treturn -EINVAL;\n\t}\n\n\tif (env->ops->get_func_proto)\n\t\tfn = env->ops->get_func_proto(func_id, env->prog);\n\tif (!fn) {\n\t\tverbose(env, \"unknown func %s#%d\\n\", func_id_name(func_id),\n\t\t\tfunc_id);\n\t\treturn -EINVAL;\n\t}\n\n\t/* eBPF programs must be GPL compatible to use GPL-ed functions */\n\tif (!env->prog->gpl_compatible && fn->gpl_only) {\n\t\tverbose(env, \"cannot call GPL-restricted function from non-GPL compatible program\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\t/* With LD_ABS/IND some JITs save/restore skb from r1. 
*/\n\tchanges_data = bpf_helper_changes_pkt_data(fn->func);\n\tif (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) {\n\t\tverbose(env, \"kernel subsystem misconfigured func %s#%d: r1 != ctx\\n\",\n\t\t\tfunc_id_name(func_id), func_id);\n\t\treturn -EINVAL;\n\t}\n\n\tmemset(&meta, 0, sizeof(meta));\n\tmeta.pkt_access = fn->pkt_access;\n\n\terr = check_func_proto(fn, func_id);\n\tif (err) {\n\t\tverbose(env, \"kernel subsystem misconfigured func %s#%d\\n\",\n\t\t\tfunc_id_name(func_id), func_id);\n\t\treturn err;\n\t}\n\n\tmeta.func_id = func_id;\n\t/* check args */\n\tfor (i = 0; i < 5; i++) {\n\t\terr = btf_resolve_helper_id(&env->log, fn, i);\n\t\tif (err > 0)\n\t\t\tmeta.btf_id = err;\n\t\terr = check_func_arg(env, BPF_REG_1 + i, fn->arg_type[i], &meta);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\n\terr = record_func_map(env, &meta, func_id, insn_idx);\n\tif (err)\n\t\treturn err;\n\n\terr = record_func_key(env, &meta, func_id, insn_idx);\n\tif (err)\n\t\treturn err;\n\n\t/* Mark slots with STACK_MISC in case of raw mode, stack offset\n\t * is inferred from register state.\n\t */\n\tfor (i = 0; i < meta.access_size; i++) {\n\t\terr = check_mem_access(env, insn_idx, meta.regno, i, BPF_B,\n\t\t\t\t BPF_WRITE, -1, false);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\n\tif (func_id == BPF_FUNC_tail_call) {\n\t\terr = check_reference_leak(env);\n\t\tif (err) {\n\t\t\tverbose(env, \"tail_call would lead to reference leak\\n\");\n\t\t\treturn err;\n\t\t}\n\t} else if (is_release_function(func_id)) {\n\t\terr = release_reference(env, meta.ref_obj_id);\n\t\tif (err) {\n\t\t\tverbose(env, \"func %s#%d reference has not been acquired before\\n\",\n\t\t\t\tfunc_id_name(func_id), func_id);\n\t\t\treturn err;\n\t\t}\n\t}\n\n\tregs = cur_regs(env);\n\n\t/* check that flags argument in get_local_storage(map, flags) is 0,\n\t * this is required because get_local_storage() can't return an error.\n\t */\n\tif (func_id == BPF_FUNC_get_local_storage &&\n\t !register_is_null(®s[BPF_REG_2])) 
{\n\t\tverbose(env, \"get_local_storage() doesn't support non-zero flags\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\t/* reset caller saved regs */\n\tfor (i = 0; i < CALLER_SAVED_REGS; i++) {\n\t\tmark_reg_not_init(env, regs, caller_saved[i]);\n\t\tcheck_reg_arg(env, caller_saved[i], DST_OP_NO_MARK);\n\t}\n\n\t/* helper call returns 64-bit value. */\n\tregs[BPF_REG_0].subreg_def = DEF_NOT_SUBREG;\n\n\t/* update return register (already marked as written above) */\n\tif (fn->ret_type == RET_INTEGER) {\n\t\t/* sets type to SCALAR_VALUE */\n\t\tmark_reg_unknown(env, regs, BPF_REG_0);\n\t} else if (fn->ret_type == RET_VOID) {\n\t\tregs[BPF_REG_0].type = NOT_INIT;\n\t} else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL ||\n\t\t fn->ret_type == RET_PTR_TO_MAP_VALUE) {\n\t\t/* There is no offset yet applied, variable or fixed */\n\t\tmark_reg_known_zero(env, regs, BPF_REG_0);\n\t\t/* remember map_ptr, so that check_map_access()\n\t\t * can check 'value_size' boundary of memory access\n\t\t * to map element returned from bpf_map_lookup_elem()\n\t\t */\n\t\tif (meta.map_ptr == NULL) {\n\t\t\tverbose(env,\n\t\t\t\t\"kernel subsystem misconfigured verifier\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tregs[BPF_REG_0].map_ptr = meta.map_ptr;\n\t\tif (fn->ret_type == RET_PTR_TO_MAP_VALUE) {\n\t\t\tregs[BPF_REG_0].type = PTR_TO_MAP_VALUE;\n\t\t\tif (map_value_has_spin_lock(meta.map_ptr))\n\t\t\t\tregs[BPF_REG_0].id = ++env->id_gen;\n\t\t} else {\n\t\t\tregs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL;\n\t\t\tregs[BPF_REG_0].id = ++env->id_gen;\n\t\t}\n\t} else if (fn->ret_type == RET_PTR_TO_SOCKET_OR_NULL) {\n\t\tmark_reg_known_zero(env, regs, BPF_REG_0);\n\t\tregs[BPF_REG_0].type = PTR_TO_SOCKET_OR_NULL;\n\t\tregs[BPF_REG_0].id = ++env->id_gen;\n\t} else if (fn->ret_type == RET_PTR_TO_SOCK_COMMON_OR_NULL) {\n\t\tmark_reg_known_zero(env, regs, BPF_REG_0);\n\t\tregs[BPF_REG_0].type = PTR_TO_SOCK_COMMON_OR_NULL;\n\t\tregs[BPF_REG_0].id = ++env->id_gen;\n\t} else if (fn->ret_type == 
RET_PTR_TO_TCP_SOCK_OR_NULL) {\n\t\tmark_reg_known_zero(env, regs, BPF_REG_0);\n\t\tregs[BPF_REG_0].type = PTR_TO_TCP_SOCK_OR_NULL;\n\t\tregs[BPF_REG_0].id = ++env->id_gen;\n\t} else {\n\t\tverbose(env, \"unknown return type %d of func %s#%d\\n\",\n\t\t\tfn->ret_type, func_id_name(func_id), func_id);\n\t\treturn -EINVAL;\n\t}\n\n\tif (is_ptr_cast_function(func_id)) {\n\t\t/* For release_reference() */\n\t\tregs[BPF_REG_0].ref_obj_id = meta.ref_obj_id;\n\t} else if (is_acquire_function(func_id)) {\n\t\tint id = acquire_reference_state(env, insn_idx);\n\n\t\tif (id < 0)\n\t\t\treturn id;\n\t\t/* For mark_ptr_or_null_reg() */\n\t\tregs[BPF_REG_0].id = id;\n\t\t/* For release_reference() */\n\t\tregs[BPF_REG_0].ref_obj_id = id;\n\t}\n\n\tdo_refine_retval_range(regs, fn->ret_type, func_id, &meta);\n\n\terr = check_map_func_compatibility(env, meta.map_ptr, func_id);\n\tif (err)\n\t\treturn err;\n\n\tif (func_id == BPF_FUNC_get_stack && !env->prog->has_callchain_buf) {\n\t\tconst char *err_str;\n\n#ifdef CONFIG_PERF_EVENTS\n\t\terr = get_callchain_buffers(sysctl_perf_event_max_stack);\n\t\terr_str = \"cannot get callchain buffer for func %s#%d\\n\";\n#else\n\t\terr = -ENOTSUPP;\n\t\terr_str = \"func %s#%d not supported without CONFIG_PERF_EVENTS\\n\";\n#endif\n\t\tif (err) {\n\t\t\tverbose(env, err_str, func_id_name(func_id), func_id);\n\t\t\treturn err;\n\t\t}\n\n\t\tenv->prog->has_callchain_buf = true;\n\t}\n\n\tif (changes_data)\n\t\tclear_all_pkt_pointers(env);\n\treturn 0;\n}", "project": "linux", "hash": 108644852023251447085278607542350399934, "size": 199, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232624 }, { "func": "static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn_idx)\n{\n\tconst struct bpf_func_proto *fn = NULL;\n\tstruct bpf_reg_state *regs;\n\tstruct bpf_call_arg_meta meta;\n\tbool changes_data;\n\tint i, err;\n\n\t/* find function prototype */\n\tif (func_id < 0 || func_id >= __BPF_FUNC_MAX_ID) {\n\t\tverbose(env, \"invalid func %s#%d\\n\", func_id_name(func_id),\n\t\t\tfunc_id);\n\t\treturn -EINVAL;\n\t}\n\n\tif (env->ops->get_func_proto)\n\t\tfn = env->ops->get_func_proto(func_id, env->prog);\n\tif (!fn) {\n\t\tverbose(env, \"unknown func %s#%d\\n\", func_id_name(func_id),\n\t\t\tfunc_id);\n\t\treturn -EINVAL;\n\t}\n\n\t/* eBPF programs must be GPL compatible to use GPL-ed functions */\n\tif (!env->prog->gpl_compatible && fn->gpl_only) {\n\t\tverbose(env, \"cannot call GPL-restricted function from non-GPL compatible program\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\t/* With LD_ABS/IND some JITs save/restore skb from r1. 
*/\n\tchanges_data = bpf_helper_changes_pkt_data(fn->func);\n\tif (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) {\n\t\tverbose(env, \"kernel subsystem misconfigured func %s#%d: r1 != ctx\\n\",\n\t\t\tfunc_id_name(func_id), func_id);\n\t\treturn -EINVAL;\n\t}\n\n\tmemset(&meta, 0, sizeof(meta));\n\tmeta.pkt_access = fn->pkt_access;\n\n\terr = check_func_proto(fn, func_id);\n\tif (err) {\n\t\tverbose(env, \"kernel subsystem misconfigured func %s#%d\\n\",\n\t\t\tfunc_id_name(func_id), func_id);\n\t\treturn err;\n\t}\n\n\tmeta.func_id = func_id;\n\t/* check args */\n\tfor (i = 0; i < 5; i++) {\n\t\tif (!fn->check_btf_id) {\n\t\t\terr = btf_resolve_helper_id(&env->log, fn, i);\n\t\t\tif (err > 0)\n\t\t\t\tmeta.btf_id = err;\n\t\t}\n\t\terr = check_func_arg(env, i, &meta, fn);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\n\terr = record_func_map(env, &meta, func_id, insn_idx);\n\tif (err)\n\t\treturn err;\n\n\terr = record_func_key(env, &meta, func_id, insn_idx);\n\tif (err)\n\t\treturn err;\n\n\t/* Mark slots with STACK_MISC in case of raw mode, stack offset\n\t * is inferred from register state.\n\t */\n\tfor (i = 0; i < meta.access_size; i++) {\n\t\terr = check_mem_access(env, insn_idx, meta.regno, i, BPF_B,\n\t\t\t\t BPF_WRITE, -1, false);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\n\tif (func_id == BPF_FUNC_tail_call) {\n\t\terr = check_reference_leak(env);\n\t\tif (err) {\n\t\t\tverbose(env, \"tail_call would lead to reference leak\\n\");\n\t\t\treturn err;\n\t\t}\n\t} else if (is_release_function(func_id)) {\n\t\terr = release_reference(env, meta.ref_obj_id);\n\t\tif (err) {\n\t\t\tverbose(env, \"func %s#%d reference has not been acquired before\\n\",\n\t\t\t\tfunc_id_name(func_id), func_id);\n\t\t\treturn err;\n\t\t}\n\t}\n\n\tregs = cur_regs(env);\n\n\t/* check that flags argument in get_local_storage(map, flags) is 0,\n\t * this is required because get_local_storage() can't return an error.\n\t */\n\tif (func_id == BPF_FUNC_get_local_storage &&\n\t 
!register_is_null(®s[BPF_REG_2])) {\n\t\tverbose(env, \"get_local_storage() doesn't support non-zero flags\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\t/* reset caller saved regs */\n\tfor (i = 0; i < CALLER_SAVED_REGS; i++) {\n\t\tmark_reg_not_init(env, regs, caller_saved[i]);\n\t\tcheck_reg_arg(env, caller_saved[i], DST_OP_NO_MARK);\n\t}\n\n\t/* helper call returns 64-bit value. */\n\tregs[BPF_REG_0].subreg_def = DEF_NOT_SUBREG;\n\n\t/* update return register (already marked as written above) */\n\tif (fn->ret_type == RET_INTEGER) {\n\t\t/* sets type to SCALAR_VALUE */\n\t\tmark_reg_unknown(env, regs, BPF_REG_0);\n\t} else if (fn->ret_type == RET_VOID) {\n\t\tregs[BPF_REG_0].type = NOT_INIT;\n\t} else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL ||\n\t\t fn->ret_type == RET_PTR_TO_MAP_VALUE) {\n\t\t/* There is no offset yet applied, variable or fixed */\n\t\tmark_reg_known_zero(env, regs, BPF_REG_0);\n\t\t/* remember map_ptr, so that check_map_access()\n\t\t * can check 'value_size' boundary of memory access\n\t\t * to map element returned from bpf_map_lookup_elem()\n\t\t */\n\t\tif (meta.map_ptr == NULL) {\n\t\t\tverbose(env,\n\t\t\t\t\"kernel subsystem misconfigured verifier\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tregs[BPF_REG_0].map_ptr = meta.map_ptr;\n\t\tif (fn->ret_type == RET_PTR_TO_MAP_VALUE) {\n\t\t\tregs[BPF_REG_0].type = PTR_TO_MAP_VALUE;\n\t\t\tif (map_value_has_spin_lock(meta.map_ptr))\n\t\t\t\tregs[BPF_REG_0].id = ++env->id_gen;\n\t\t} else {\n\t\t\tregs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL;\n\t\t\tregs[BPF_REG_0].id = ++env->id_gen;\n\t\t}\n\t} else if (fn->ret_type == RET_PTR_TO_SOCKET_OR_NULL) {\n\t\tmark_reg_known_zero(env, regs, BPF_REG_0);\n\t\tregs[BPF_REG_0].type = PTR_TO_SOCKET_OR_NULL;\n\t\tregs[BPF_REG_0].id = ++env->id_gen;\n\t} else if (fn->ret_type == RET_PTR_TO_SOCK_COMMON_OR_NULL) {\n\t\tmark_reg_known_zero(env, regs, BPF_REG_0);\n\t\tregs[BPF_REG_0].type = PTR_TO_SOCK_COMMON_OR_NULL;\n\t\tregs[BPF_REG_0].id = 
++env->id_gen;\n\t} else if (fn->ret_type == RET_PTR_TO_TCP_SOCK_OR_NULL) {\n\t\tmark_reg_known_zero(env, regs, BPF_REG_0);\n\t\tregs[BPF_REG_0].type = PTR_TO_TCP_SOCK_OR_NULL;\n\t\tregs[BPF_REG_0].id = ++env->id_gen;\n\t} else if (fn->ret_type == RET_PTR_TO_ALLOC_MEM_OR_NULL) {\n\t\tmark_reg_known_zero(env, regs, BPF_REG_0);\n\t\tregs[BPF_REG_0].type = PTR_TO_MEM_OR_NULL;\n\t\tregs[BPF_REG_0].id = ++env->id_gen;\n\t\tregs[BPF_REG_0].mem_size = meta.mem_size;\n\t} else if (fn->ret_type == RET_PTR_TO_BTF_ID_OR_NULL) {\n\t\tint ret_btf_id;\n\n\t\tmark_reg_known_zero(env, regs, BPF_REG_0);\n\t\tregs[BPF_REG_0].type = PTR_TO_BTF_ID_OR_NULL;\n\t\tret_btf_id = *fn->ret_btf_id;\n\t\tif (ret_btf_id == 0) {\n\t\t\tverbose(env, \"invalid return type %d of func %s#%d\\n\",\n\t\t\t\tfn->ret_type, func_id_name(func_id), func_id);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tregs[BPF_REG_0].btf_id = ret_btf_id;\n\t} else {\n\t\tverbose(env, \"unknown return type %d of func %s#%d\\n\",\n\t\t\tfn->ret_type, func_id_name(func_id), func_id);\n\t\treturn -EINVAL;\n\t}\n\n\tif (is_ptr_cast_function(func_id)) {\n\t\t/* For release_reference() */\n\t\tregs[BPF_REG_0].ref_obj_id = meta.ref_obj_id;\n\t} else if (is_acquire_function(func_id, meta.map_ptr)) {\n\t\tint id = acquire_reference_state(env, insn_idx);\n\n\t\tif (id < 0)\n\t\t\treturn id;\n\t\t/* For mark_ptr_or_null_reg() */\n\t\tregs[BPF_REG_0].id = id;\n\t\t/* For release_reference() */\n\t\tregs[BPF_REG_0].ref_obj_id = id;\n\t}\n\n\tdo_refine_retval_range(regs, fn->ret_type, func_id, &meta);\n\n\terr = check_map_func_compatibility(env, meta.map_ptr, func_id);\n\tif (err)\n\t\treturn err;\n\n\tif ((func_id == BPF_FUNC_get_stack ||\n\t func_id == BPF_FUNC_get_task_stack) &&\n\t !env->prog->has_callchain_buf) {\n\t\tconst char *err_str;\n\n#ifdef CONFIG_PERF_EVENTS\n\t\terr = get_callchain_buffers(sysctl_perf_event_max_stack);\n\t\terr_str = \"cannot get callchain buffer for func %s#%d\\n\";\n#else\n\t\terr = -ENOTSUPP;\n\t\terr_str = 
\"func %s#%d not supported without CONFIG_PERF_EVENTS\\n\";\n#endif\n\t\tif (err) {\n\t\t\tverbose(env, err_str, func_id_name(func_id), func_id);\n\t\t\treturn err;\n\t\t}\n\n\t\tenv->prog->has_callchain_buf = true;\n\t}\n\n\tif (func_id == BPF_FUNC_get_stackid || func_id == BPF_FUNC_get_stack)\n\t\tenv->prog->call_get_stack = true;\n\n\tif (changes_data)\n\t\tclear_all_pkt_pointers(env);\n\treturn 0;\n}", "project": "linux", "hash": 130257280437581006435866099655984993986, "size": 223, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 
fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. 
After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328512 }, { "func": "static int fixup_call_args(struct bpf_verifier_env *env)\n{\n#ifndef CONFIG_BPF_JIT_ALWAYS_ON\n\tstruct bpf_prog *prog = env->prog;\n\tstruct bpf_insn *insn = prog->insnsi;\n\tint i, depth;\n#endif\n\tint err = 0;\n\n\tif 
(env->prog->jit_requested &&\n\t !bpf_prog_is_dev_bound(env->prog->aux)) {\n\t\terr = jit_subprogs(env);\n\t\tif (err == 0)\n\t\t\treturn 0;\n\t\tif (err == -EFAULT)\n\t\t\treturn err;\n\t}\n#ifndef CONFIG_BPF_JIT_ALWAYS_ON\n\tfor (i = 0; i < prog->len; i++, insn++) {\n\t\tif (insn->code != (BPF_JMP | BPF_CALL) ||\n\t\t insn->src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\tdepth = get_callee_stack_depth(env, insn, i);\n\t\tif (depth < 0)\n\t\t\treturn depth;\n\t\tbpf_patch_call_args(insn, depth);\n\t}\n\terr = 0;\n#endif\n\treturn err;\n}", "project": "linux", "hash": 288994677772015208122386248652021891850, "size": 31, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232609 }, { "func": "static int fixup_call_args(struct bpf_verifier_env *env)\n{\n#ifndef CONFIG_BPF_JIT_ALWAYS_ON\n\tstruct bpf_prog *prog = env->prog;\n\tstruct bpf_insn *insn = prog->insnsi;\n\tint i, depth;\n#endif\n\tint err = 0;\n\n\tif (env->prog->jit_requested &&\n\t !bpf_prog_is_dev_bound(env->prog->aux)) {\n\t\terr = jit_subprogs(env);\n\t\tif (err == 0)\n\t\t\treturn 0;\n\t\tif (err == -EFAULT)\n\t\t\treturn err;\n\t}\n#ifndef CONFIG_BPF_JIT_ALWAYS_ON\n\tif (env->subprog_cnt > 1 && env->prog->aux->tail_call_reachable) {\n\t\t/* When JIT fails the progs with bpf2bpf calls and tail_calls\n\t\t * have to be rejected, since interpreter doesn't support them yet.\n\t\t */\n\t\tverbose(env, \"tail_calls are not allowed in non-JITed programs with bpf-to-bpf calls\\n\");\n\t\treturn -EINVAL;\n\t}\n\tfor (i = 0; i < prog->len; i++, insn++) {\n\t\tif (insn->code != (BPF_JMP | BPF_CALL) ||\n\t\t insn->src_reg != BPF_PSEUDO_CALL)\n\t\t\tcontinue;\n\t\tdepth = get_callee_stack_depth(env, insn, i);\n\t\tif (depth < 0)\n\t\t\treturn depth;\n\t\tbpf_patch_call_args(insn, depth);\n\t}\n\terr = 0;\n#endif\n\treturn err;\n}", "project": "linux", "hash": 268405499406863915881646231724285983238, "size": 38, "commit_id": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "message": "bpf: Fix truncation handling for mod32 dst reg wrt zero\n\nRecently noticed that when mod32 with a known src reg of 0 is performed,\nthen the dst register is 32-bit truncated in verifier:\n\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n 0: (b7) r0 = 0\n 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0\n 1: (b7) r1 = -1\n 2: R0_w=inv0 R1_w=inv-1 R10=fp0\n 
2: (b4) w2 = -1\n 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0\n 3: (9c) w1 %= w0\n 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 4: (b7) r0 = 1\n 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 5: (1d) if r1 == r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 6: (b7) r0 = 2\n 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0\n 7: (95) exit\n 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0\n 7: (95) exit\n\nHowever, as a runtime result, we get 2 instead of 1, meaning the dst\nregister does not contain (u32)-1 in this case. The reason is fairly\nstraight forward given the 0 test leaves the dst register as-is:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+1\n 4: (9c) w1 %= w0\n 5: (b7) r0 = 1\n 6: (1d) if r1 == r2 goto pc+1\n 7: (b7) r0 = 2\n 8: (95) exit\n\nThis was originally not an issue given the dst register was marked as\ncompletely unknown (aka 64 bit unknown). However, after 468f6eafa6c4\n(\"bpf: fix 32-bit ALU op verification\") the verifier casts the register\noutput to 32 bit, and hence it becomes 32 bit unknown. Note that for\nthe case where the src register is unknown, the dst register is marked\n64 bit unknown. 
After the fix, the register is truncated by the runtime\nand the test passes:\n\n # ./bpftool p d x i 23\n 0: (b7) r0 = 0\n 1: (b7) r1 = -1\n 2: (b4) w2 = -1\n 3: (16) if w0 == 0x0 goto pc+2\n 4: (9c) w1 %= w0\n 5: (05) goto pc+1\n 6: (bc) w1 = w1\n 7: (b7) r0 = 1\n 8: (1d) if r1 == r2 goto pc+1\n 9: (b7) r0 = 2\n 10: (95) exit\n\nSemantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div\nhas always been {R,W}x div{64,32} 0 -> 0. Rewrites are as follows:\n\n mod32: mod64:\n\n (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1\n (9c) w1 %= w0 (9f) r1 %= r0\n (05) goto pc+1\n (bc) w1 = w1\n\nFixes: 468f6eafa6c4 (\"bpf: fix 32-bit ALU op verification\")\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 456522 }, { "func": "static int check_struct_ops_btf_id(struct bpf_verifier_env *env)\n{\n\tconst struct btf_type *t, *func_proto;\n\tconst struct bpf_struct_ops *st_ops;\n\tconst struct btf_member *member;\n\tstruct bpf_prog *prog = env->prog;\n\tu32 btf_id, member_idx;\n\tconst char *mname;\n\n\tbtf_id = prog->aux->attach_btf_id;\n\tst_ops = bpf_struct_ops_find(btf_id);\n\tif (!st_ops) {\n\t\tverbose(env, \"attach_btf_id %u is not a supported struct\\n\",\n\t\t\tbtf_id);\n\t\treturn -ENOTSUPP;\n\t}\n\n\tt = st_ops->type;\n\tmember_idx = prog->expected_attach_type;\n\tif (member_idx >= btf_type_vlen(t)) {\n\t\tverbose(env, \"attach to invalid member idx %u of struct %s\\n\",\n\t\t\tmember_idx, st_ops->name);\n\t\treturn -EINVAL;\n\t}\n\n\tmember = &btf_type_member(t)[member_idx];\n\tmname = btf_name_by_offset(btf_vmlinux, member->name_off);\n\tfunc_proto = btf_type_resolve_func_ptr(btf_vmlinux, member->type,\n\t\t\t\t\t NULL);\n\tif (!func_proto) {\n\t\tverbose(env, \"attach to invalid member %s(@idx %u) of struct %s\\n\",\n\t\t\tmname, member_idx, st_ops->name);\n\t\treturn -EINVAL;\n\t}\n\n\tif (st_ops->check_member) {\n\t\tint err = st_ops->check_member(t, 
member);\n\n\t\tif (err) {\n\t\t\tverbose(env, \"attach to unsupported member %s of struct %s\\n\",\n\t\t\t\tmname, st_ops->name);\n\t\t\treturn err;\n\t\t}\n\t}\n\n\tprog->aux->attach_func_proto = func_proto;\n\tprog->aux->attach_func_name = mname;\n\tenv->ops = st_ops->verifier_ops;\n\n\treturn 0;\n}", "project": "linux", "hash": 325970842249741158006944995375246259115, "size": 51, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232488 }, { "func": "static int opt_remove_nops(struct bpf_verifier_env *env)\n{\n\tconst struct bpf_insn ja = BPF_JMP_IMM(BPF_JA, 0, 0, 0);\n\tstruct bpf_insn *insn = env->prog->insnsi;\n\tint insn_cnt = env->prog->len;\n\tint i, err;\n\n\tfor (i = 0; i < insn_cnt; i++) {\n\t\tif (memcmp(&insn[i], &ja, sizeof(ja)))\n\t\t\tcontinue;\n\n\t\terr = verifier_remove_insns(env, i, 1);\n\t\tif (err)\n\t\t\treturn err;\n\t\tinsn_cnt--;\n\t\ti--;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 69809283226876925203490453072549960618, "size": 20, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232514 }, { "func": "static void opt_hard_wire_dead_code_branches(struct bpf_verifier_env *env)\n{\n\tstruct bpf_insn_aux_data *aux_data = env->insn_aux_data;\n\tstruct bpf_insn ja = BPF_JMP_IMM(BPF_JA, 0, 0, 0);\n\tstruct bpf_insn *insn = env->prog->insnsi;\n\tconst int insn_cnt = env->prog->len;\n\tint i;\n\n\tfor (i = 0; i < insn_cnt; i++, insn++) {\n\t\tif (!insn_is_cond_jump(insn->code))\n\t\t\tcontinue;\n\n\t\tif (!aux_data[i + 1].seen)\n\t\t\tja.off = insn->off;\n\t\telse if (!aux_data[i + 1 + insn->off].seen)\n\t\t\tja.off = 0;\n\t\telse\n\t\t\tcontinue;\n\n\t\tif (bpf_prog_is_dev_bound(env->prog->aux))\n\t\t\tbpf_prog_offload_replace_insn(env, i, &ja);\n\n\t\tmemcpy(insn, &ja, sizeof(ja));\n\t}\n}", "project": "linux", "hash": 138824663641295607779211054669280987595, "size": 25, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232622 }, { "func": "static bool signed_add_overflows(s64 a, s64 b)\n{\n\t/* Do the add in u64, where overflow is well-defined */\n\ts64 res = (s64)((u64)a + (u64)b);\n\n\tif (b < 0)\n\t\treturn res > a;\n\treturn res < a;\n}", "project": "linux", "hash": 36551951930413540560602500892365504251, "size": 9, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232602 }, { "func": "static int adjust_insn_aux_data(struct bpf_verifier_env *env,\n\t\t\t\tstruct bpf_prog *new_prog, u32 off, u32 cnt)\n{\n\tstruct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;\n\tstruct bpf_insn *insn = new_prog->insnsi;\n\tu32 prog_len;\n\tint i;\n\n\t/* aux info at OFF always needs adjustment, no matter fast path\n\t * (cnt == 1) is taken or not. There is no guarantee INSN at OFF is the\n\t * original insn at old prog.\n\t */\n\told_data[off].zext_dst = insn_has_def32(env, insn + off + cnt - 1);\n\n\tif (cnt == 1)\n\t\treturn 0;\n\tprog_len = new_prog->len;\n\tnew_data = vzalloc(array_size(prog_len,\n\t\t\t\t sizeof(struct bpf_insn_aux_data)));\n\tif (!new_data)\n\t\treturn -ENOMEM;\n\tmemcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);\n\tmemcpy(new_data + off + cnt - 1, old_data + off,\n\t sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));\n\tfor (i = off; i < off + cnt - 1; i++) {\n\t\tnew_data[i].seen = env->pass_cnt;\n\t\tnew_data[i].zext_dst = insn_has_def32(env, insn + i);\n\t}\n\tenv->insn_aux_data = new_data;\n\tvfree(old_data);\n\treturn 0;\n}", "project": "linux", "hash": 235834669823158492055828569951128639368, "size": 32, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232597 }, { "func": "static int check_cond_jmp_op(struct bpf_verifier_env *env,\n\t\t\t struct bpf_insn *insn, int *insn_idx)\n{\n\tstruct bpf_verifier_state *this_branch = env->cur_state;\n\tstruct bpf_verifier_state *other_branch;\n\tstruct bpf_reg_state *regs = this_branch->frame[this_branch->curframe]->regs;\n\tstruct bpf_reg_state *dst_reg, *other_branch_regs, *src_reg = NULL;\n\tu8 opcode = BPF_OP(insn->code);\n\tbool is_jmp32;\n\tint pred = -1;\n\tint err;\n\n\t/* Only conditional jumps are expected to reach here. 
*/\n\tif (opcode == BPF_JA || opcode > BPF_JSLE) {\n\t\tverbose(env, \"invalid BPF_JMP/JMP32 opcode %x\\n\", opcode);\n\t\treturn -EINVAL;\n\t}\n\n\tif (BPF_SRC(insn->code) == BPF_X) {\n\t\tif (insn->imm != 0) {\n\t\t\tverbose(env, \"BPF_JMP/JMP32 uses reserved fields\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\t/* check src1 operand */\n\t\terr = check_reg_arg(env, insn->src_reg, SRC_OP);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tif (is_pointer_value(env, insn->src_reg)) {\n\t\t\tverbose(env, \"R%d pointer comparison prohibited\\n\",\n\t\t\t\tinsn->src_reg);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tsrc_reg = ®s[insn->src_reg];\n\t} else {\n\t\tif (insn->src_reg != BPF_REG_0) {\n\t\t\tverbose(env, \"BPF_JMP/JMP32 uses reserved fields\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t}\n\n\t/* check src2 operand */\n\terr = check_reg_arg(env, insn->dst_reg, SRC_OP);\n\tif (err)\n\t\treturn err;\n\n\tdst_reg = ®s[insn->dst_reg];\n\tis_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32;\n\n\tif (BPF_SRC(insn->code) == BPF_K)\n\t\tpred = is_branch_taken(dst_reg, insn->imm,\n\t\t\t\t opcode, is_jmp32);\n\telse if (src_reg->type == SCALAR_VALUE &&\n\t\t tnum_is_const(src_reg->var_off))\n\t\tpred = is_branch_taken(dst_reg, src_reg->var_off.value,\n\t\t\t\t opcode, is_jmp32);\n\tif (pred >= 0) {\n\t\terr = mark_chain_precision(env, insn->dst_reg);\n\t\tif (BPF_SRC(insn->code) == BPF_X && !err)\n\t\t\terr = mark_chain_precision(env, insn->src_reg);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\tif (pred == 1) {\n\t\t/* only follow the goto, ignore fall-through */\n\t\t*insn_idx += insn->off;\n\t\treturn 0;\n\t} else if (pred == 0) {\n\t\t/* only follow fall-through branch, since\n\t\t * that's where the program will go\n\t\t */\n\t\treturn 0;\n\t}\n\n\tother_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx,\n\t\t\t\t false);\n\tif (!other_branch)\n\t\treturn -EFAULT;\n\tother_branch_regs = other_branch->frame[other_branch->curframe]->regs;\n\n\t/* detect if we are comparing against a constant 
value so we can adjust\n\t * our min/max values for our dst register.\n\t * this is only legit if both are scalars (or pointers to the same\n\t * object, I suppose, but we don't support that right now), because\n\t * otherwise the different base pointers mean the offsets aren't\n\t * comparable.\n\t */\n\tif (BPF_SRC(insn->code) == BPF_X) {\n\t\tstruct bpf_reg_state *src_reg = ®s[insn->src_reg];\n\t\tstruct bpf_reg_state lo_reg0 = *dst_reg;\n\t\tstruct bpf_reg_state lo_reg1 = *src_reg;\n\t\tstruct bpf_reg_state *src_lo, *dst_lo;\n\n\t\tdst_lo = &lo_reg0;\n\t\tsrc_lo = &lo_reg1;\n\t\tcoerce_reg_to_size(dst_lo, 4);\n\t\tcoerce_reg_to_size(src_lo, 4);\n\n\t\tif (dst_reg->type == SCALAR_VALUE &&\n\t\t src_reg->type == SCALAR_VALUE) {\n\t\t\tif (tnum_is_const(src_reg->var_off) ||\n\t\t\t (is_jmp32 && tnum_is_const(src_lo->var_off)))\n\t\t\t\treg_set_min_max(&other_branch_regs[insn->dst_reg],\n\t\t\t\t\t\tdst_reg,\n\t\t\t\t\t\tis_jmp32\n\t\t\t\t\t\t? src_lo->var_off.value\n\t\t\t\t\t\t: src_reg->var_off.value,\n\t\t\t\t\t\topcode, is_jmp32);\n\t\t\telse if (tnum_is_const(dst_reg->var_off) ||\n\t\t\t\t (is_jmp32 && tnum_is_const(dst_lo->var_off)))\n\t\t\t\treg_set_min_max_inv(&other_branch_regs[insn->src_reg],\n\t\t\t\t\t\t src_reg,\n\t\t\t\t\t\t is_jmp32\n\t\t\t\t\t\t ? 
dst_lo->var_off.value\n\t\t\t\t\t\t : dst_reg->var_off.value,\n\t\t\t\t\t\t opcode, is_jmp32);\n\t\t\telse if (!is_jmp32 &&\n\t\t\t\t (opcode == BPF_JEQ || opcode == BPF_JNE))\n\t\t\t\t/* Comparing for equality, we can combine knowledge */\n\t\t\t\treg_combine_min_max(&other_branch_regs[insn->src_reg],\n\t\t\t\t\t\t &other_branch_regs[insn->dst_reg],\n\t\t\t\t\t\t src_reg, dst_reg, opcode);\n\t\t}\n\t} else if (dst_reg->type == SCALAR_VALUE) {\n\t\treg_set_min_max(&other_branch_regs[insn->dst_reg],\n\t\t\t\t\tdst_reg, insn->imm, opcode, is_jmp32);\n\t}\n\n\t/* detect if R == 0 where R is returned from bpf_map_lookup_elem().\n\t * NOTE: these optimizations below are related with pointer comparison\n\t * which will never be JMP32.\n\t */\n\tif (!is_jmp32 && BPF_SRC(insn->code) == BPF_K &&\n\t insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) &&\n\t reg_type_may_be_null(dst_reg->type)) {\n\t\t/* Mark all identical registers in each branch as either\n\t\t * safe or unknown depending R == 0 or R != 0 conditional.\n\t\t */\n\t\tmark_ptr_or_null_regs(this_branch, insn->dst_reg,\n\t\t\t\t opcode == BPF_JNE);\n\t\tmark_ptr_or_null_regs(other_branch, insn->dst_reg,\n\t\t\t\t opcode == BPF_JEQ);\n\t} else if (!try_match_pkt_pointers(insn, dst_reg, ®s[insn->src_reg],\n\t\t\t\t\t this_branch, other_branch) &&\n\t\t is_pointer_value(env, insn->dst_reg)) {\n\t\tverbose(env, \"R%d pointer comparison prohibited\\n\",\n\t\t\tinsn->dst_reg);\n\t\treturn -EACCES;\n\t}\n\tif (env->log.level & BPF_LOG_LEVEL)\n\t\tprint_verifier_state(env, this_branch->frame[this_branch->curframe]);\n\treturn 0;\n}", "project": "linux", "hash": 42036907400933033401163577023707955725, "size": 154, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232633 }, { "func": "static int check_cond_jmp_op(struct bpf_verifier_env *env,\n\t\t\t struct bpf_insn *insn, int *insn_idx)\n{\n\tstruct bpf_verifier_state *this_branch = env->cur_state;\n\tstruct bpf_verifier_state *other_branch;\n\tstruct bpf_reg_state *regs = this_branch->frame[this_branch->curframe]->regs;\n\tstruct bpf_reg_state *dst_reg, *other_branch_regs, *src_reg = NULL;\n\tu8 opcode = BPF_OP(insn->code);\n\tbool is_jmp32;\n\tint pred = -1;\n\tint err;\n\n\t/* Only conditional jumps are expected to reach here. 
*/\n\tif (opcode == BPF_JA || opcode > BPF_JSLE) {\n\t\tverbose(env, \"invalid BPF_JMP/JMP32 opcode %x\\n\", opcode);\n\t\treturn -EINVAL;\n\t}\n\n\tif (BPF_SRC(insn->code) == BPF_X) {\n\t\tif (insn->imm != 0) {\n\t\t\tverbose(env, \"BPF_JMP/JMP32 uses reserved fields\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\t/* check src1 operand */\n\t\terr = check_reg_arg(env, insn->src_reg, SRC_OP);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tif (is_pointer_value(env, insn->src_reg)) {\n\t\t\tverbose(env, \"R%d pointer comparison prohibited\\n\",\n\t\t\t\tinsn->src_reg);\n\t\t\treturn -EACCES;\n\t\t}\n\t\tsrc_reg = ®s[insn->src_reg];\n\t} else {\n\t\tif (insn->src_reg != BPF_REG_0) {\n\t\t\tverbose(env, \"BPF_JMP/JMP32 uses reserved fields\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\t}\n\n\t/* check src2 operand */\n\terr = check_reg_arg(env, insn->dst_reg, SRC_OP);\n\tif (err)\n\t\treturn err;\n\n\tdst_reg = ®s[insn->dst_reg];\n\tis_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32;\n\n\tif (BPF_SRC(insn->code) == BPF_K) {\n\t\tpred = is_branch_taken(dst_reg, insn->imm, opcode, is_jmp32);\n\t} else if (src_reg->type == SCALAR_VALUE &&\n\t\t is_jmp32 && tnum_is_const(tnum_subreg(src_reg->var_off))) {\n\t\tpred = is_branch_taken(dst_reg,\n\t\t\t\t tnum_subreg(src_reg->var_off).value,\n\t\t\t\t opcode,\n\t\t\t\t is_jmp32);\n\t} else if (src_reg->type == SCALAR_VALUE &&\n\t\t !is_jmp32 && tnum_is_const(src_reg->var_off)) {\n\t\tpred = is_branch_taken(dst_reg,\n\t\t\t\t src_reg->var_off.value,\n\t\t\t\t opcode,\n\t\t\t\t is_jmp32);\n\t}\n\n\tif (pred >= 0) {\n\t\t/* If we get here with a dst_reg pointer type it is because\n\t\t * above is_branch_taken() special cased the 0 comparison.\n\t\t */\n\t\tif (!__is_pointer_value(false, dst_reg))\n\t\t\terr = mark_chain_precision(env, insn->dst_reg);\n\t\tif (BPF_SRC(insn->code) == BPF_X && !err)\n\t\t\terr = mark_chain_precision(env, insn->src_reg);\n\t\tif (err)\n\t\t\treturn err;\n\t}\n\tif (pred == 1) {\n\t\t/* only follow the goto, ignore 
fall-through */\n\t\t*insn_idx += insn->off;\n\t\treturn 0;\n\t} else if (pred == 0) {\n\t\t/* only follow fall-through branch, since\n\t\t * that's where the program will go\n\t\t */\n\t\treturn 0;\n\t}\n\n\tother_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx,\n\t\t\t\t false);\n\tif (!other_branch)\n\t\treturn -EFAULT;\n\tother_branch_regs = other_branch->frame[other_branch->curframe]->regs;\n\n\t/* detect if we are comparing against a constant value so we can adjust\n\t * our min/max values for our dst register.\n\t * this is only legit if both are scalars (or pointers to the same\n\t * object, I suppose, but we don't support that right now), because\n\t * otherwise the different base pointers mean the offsets aren't\n\t * comparable.\n\t */\n\tif (BPF_SRC(insn->code) == BPF_X) {\n\t\tstruct bpf_reg_state *src_reg = ®s[insn->src_reg];\n\n\t\tif (dst_reg->type == SCALAR_VALUE &&\n\t\t src_reg->type == SCALAR_VALUE) {\n\t\t\tif (tnum_is_const(src_reg->var_off) ||\n\t\t\t (is_jmp32 &&\n\t\t\t tnum_is_const(tnum_subreg(src_reg->var_off))))\n\t\t\t\treg_set_min_max(&other_branch_regs[insn->dst_reg],\n\t\t\t\t\t\tdst_reg,\n\t\t\t\t\t\tsrc_reg->var_off.value,\n\t\t\t\t\t\ttnum_subreg(src_reg->var_off).value,\n\t\t\t\t\t\topcode, is_jmp32);\n\t\t\telse if (tnum_is_const(dst_reg->var_off) ||\n\t\t\t\t (is_jmp32 &&\n\t\t\t\t tnum_is_const(tnum_subreg(dst_reg->var_off))))\n\t\t\t\treg_set_min_max_inv(&other_branch_regs[insn->src_reg],\n\t\t\t\t\t\t src_reg,\n\t\t\t\t\t\t dst_reg->var_off.value,\n\t\t\t\t\t\t tnum_subreg(dst_reg->var_off).value,\n\t\t\t\t\t\t opcode, is_jmp32);\n\t\t\telse if (!is_jmp32 &&\n\t\t\t\t (opcode == BPF_JEQ || opcode == BPF_JNE))\n\t\t\t\t/* Comparing for equality, we can combine knowledge */\n\t\t\t\treg_combine_min_max(&other_branch_regs[insn->src_reg],\n\t\t\t\t\t\t &other_branch_regs[insn->dst_reg],\n\t\t\t\t\t\t src_reg, dst_reg, opcode);\n\t\t}\n\t} else if (dst_reg->type == SCALAR_VALUE) 
{\n\t\treg_set_min_max(&other_branch_regs[insn->dst_reg],\n\t\t\t\t\tdst_reg, insn->imm, (u32)insn->imm,\n\t\t\t\t\topcode, is_jmp32);\n\t}\n\n\t/* detect if R == 0 where R is returned from bpf_map_lookup_elem().\n\t * NOTE: these optimizations below are related with pointer comparison\n\t * which will never be JMP32.\n\t */\n\tif (!is_jmp32 && BPF_SRC(insn->code) == BPF_K &&\n\t insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) &&\n\t reg_type_may_be_null(dst_reg->type)) {\n\t\t/* Mark all identical registers in each branch as either\n\t\t * safe or unknown depending R == 0 or R != 0 conditional.\n\t\t */\n\t\tmark_ptr_or_null_regs(this_branch, insn->dst_reg,\n\t\t\t\t opcode == BPF_JNE);\n\t\tmark_ptr_or_null_regs(other_branch, insn->dst_reg,\n\t\t\t\t opcode == BPF_JEQ);\n\t} else if (!try_match_pkt_pointers(insn, dst_reg, ®s[insn->src_reg],\n\t\t\t\t\t this_branch, other_branch) &&\n\t\t is_pointer_value(env, insn->dst_reg)) {\n\t\tverbose(env, \"R%d pointer comparison prohibited\\n\",\n\t\t\tinsn->dst_reg);\n\t\treturn -EACCES;\n\t}\n\tif (env->log.level & BPF_LOG_LEVEL)\n\t\tprint_verifier_state(env, this_branch->frame[this_branch->curframe]);\n\treturn 0;\n}", "project": "linux", "hash": 683132148038671462679329697498471360, "size": 160, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328517 }, { "func": "static bool may_access_skb(enum bpf_prog_type type)\n{\n\tswitch (type) {\n\tcase BPF_PROG_TYPE_SOCKET_FILTER:\n\tcase BPF_PROG_TYPE_SCHED_CLS:\n\tcase BPF_PROG_TYPE_SCHED_ACT:\n\t\treturn true;\n\tdefault:\n\t\treturn false;\n\t}\n}", "project": "linux", "hash": 325636518221913331364893063691258100166, "size": 11, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232418 }, { "func": "static int release_reference(struct bpf_verifier_env *env,\n\t\t\t int ref_obj_id)\n{\n\tstruct bpf_verifier_state *vstate = env->cur_state;\n\tint err;\n\tint i;\n\n\terr = release_reference_state(cur_func(env), ref_obj_id);\n\tif (err)\n\t\treturn err;\n\n\tfor (i = 0; i <= vstate->curframe; i++)\n\t\trelease_reg_references(env, vstate->frame[i], ref_obj_id);\n\n\treturn 0;\n}", "project": "linux", "hash": 54161888618032617083918361700247777378, "size": 16, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232552 }, { "func": "static bool is_release_function(enum bpf_func_id func_id)\n{\n\treturn func_id == BPF_FUNC_sk_release;\n}", "project": "linux", "hash": 97597180665712729139763550433114404483, "size": 4, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232438 }, { "func": "static bool reg_type_mismatch(enum bpf_reg_type src, enum bpf_reg_type prev)\n{\n\treturn src != prev && (!reg_type_mismatch_ok(src) ||\n\t\t\t !reg_type_mismatch_ok(prev));\n}", "project": "linux", "hash": 74641943170109267318373422811564756075, "size": 5, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232466 }, { "func": "static bool signed_sub_overflows(s64 a, s64 b)\n{\n\t/* Do the sub in u64, where overflow is well-defined */\n\ts64 res = (s64)((u64)a - (u64)b);\n\n\tif (b < 0)\n\t\treturn res < a;\n\treturn res > a;\n}", "project": "linux", "hash": 313137845891718856100209286428662235151, "size": 9, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232416 }, { "func": "static bool signed_sub_overflows(s32 a, s32 b)\n{\n\t/* Do the sub in u64, where overflow is well-defined */\n\ts64 res = (s64)((u64)a - (u64)b);\n\n\tif (b < 0)\n\t\treturn res < a;\n\treturn res > a;\n}", "project": "linux", "hash": 203345576992522473671305776432479438468, "size": 9, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328533 }, { "func": "static bool reg_is_init_pkt_pointer(const struct bpf_reg_state *reg,\n\t\t\t\t enum bpf_reg_type which)\n{\n\t/* The register can already have a range from prior markings.\n\t * This is fine as long as it hasn't been advanced from its\n\t * origin.\n\t */\n\treturn reg->type == which &&\n\t reg->id == 0 &&\n\t reg->off == 0 &&\n\t tnum_equals_const(reg->var_off, 0);\n}", "project": "linux", "hash": 183660429926981294946684761992021011087, "size": 12, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232612 }, { "func": "static int verifier_remove_insns(struct bpf_verifier_env *env, u32 off, u32 cnt)\n{\n\tstruct bpf_insn_aux_data *aux_data = env->insn_aux_data;\n\tunsigned int orig_prog_len = env->prog->len;\n\tint err;\n\n\tif (bpf_prog_is_dev_bound(env->prog->aux))\n\t\tbpf_prog_offload_remove_insns(env, off, cnt);\n\n\terr = bpf_remove_insns(env->prog, off, cnt);\n\tif (err)\n\t\treturn err;\n\n\terr = adjust_subprog_starts_after_remove(env, off, cnt);\n\tif (err)\n\t\treturn err;\n\n\terr = bpf_adj_linfo_after_remove(env, off, cnt);\n\tif (err)\n\t\treturn err;\n\n\tmemmove(aux_data + off,\taux_data + off + cnt,\n\t\tsizeof(*aux_data) * (orig_prog_len - off - cnt));\n\n\treturn 0;\n}", "project": "linux", "hash": 60213705819336341188149119083399751439, "size": 26, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. 
However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232594 }, { "func": "static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tu8 opcode = BPF_OP(insn->code);\n\tint err;\n\n\tif (opcode == BPF_END || opcode == BPF_NEG) {\n\t\tif (opcode == BPF_NEG) {\n\t\t\tif (BPF_SRC(insn->code) != 0 ||\n\t\t\t insn->src_reg != BPF_REG_0 ||\n\t\t\t insn->off != 0 || insn->imm != 0) {\n\t\t\t\tverbose(env, \"BPF_NEG uses reserved fields\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t} else {\n\t\t\tif (insn->src_reg != BPF_REG_0 || insn->off != 0 ||\n\t\t\t (insn->imm != 16 && insn->imm != 32 && insn->imm != 64) ||\n\t\t\t BPF_CLASS(insn->code) == BPF_ALU64) {\n\t\t\t\tverbose(env, \"BPF_END uses reserved fields\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t}\n\n\t\t/* check src operand */\n\t\terr = check_reg_arg(env, insn->dst_reg, SRC_OP);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tif (is_pointer_value(env, insn->dst_reg)) {\n\t\t\tverbose(env, \"R%d pointer arithmetic prohibited\\n\",\n\t\t\t\tinsn->dst_reg);\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\t/* check dest operand */\n\t\terr = check_reg_arg(env, insn->dst_reg, DST_OP);\n\t\tif (err)\n\t\t\treturn err;\n\n\t} else if (opcode == BPF_MOV) {\n\n\t\tif (BPF_SRC(insn->code) == BPF_X) {\n\t\t\tif (insn->imm != 0 || insn->off != 0) {\n\t\t\t\tverbose(env, \"BPF_MOV uses reserved fields\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\t/* check src operand 
*/\n\t\t\terr = check_reg_arg(env, insn->src_reg, SRC_OP);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t} else {\n\t\t\tif (insn->src_reg != BPF_REG_0 || insn->off != 0) {\n\t\t\t\tverbose(env, \"BPF_MOV uses reserved fields\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t}\n\n\t\t/* check dest operand, mark as required later */\n\t\terr = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tif (BPF_SRC(insn->code) == BPF_X) {\n\t\t\tstruct bpf_reg_state *src_reg = regs + insn->src_reg;\n\t\t\tstruct bpf_reg_state *dst_reg = regs + insn->dst_reg;\n\n\t\t\tif (BPF_CLASS(insn->code) == BPF_ALU64) {\n\t\t\t\t/* case: R1 = R2\n\t\t\t\t * copy register state to dest reg\n\t\t\t\t */\n\t\t\t\t*dst_reg = *src_reg;\n\t\t\t\tdst_reg->live |= REG_LIVE_WRITTEN;\n\t\t\t\tdst_reg->subreg_def = DEF_NOT_SUBREG;\n\t\t\t} else {\n\t\t\t\t/* R1 = (u32) R2 */\n\t\t\t\tif (is_pointer_value(env, insn->src_reg)) {\n\t\t\t\t\tverbose(env,\n\t\t\t\t\t\t\"R%d partial copy of pointer\\n\",\n\t\t\t\t\t\tinsn->src_reg);\n\t\t\t\t\treturn -EACCES;\n\t\t\t\t} else if (src_reg->type == SCALAR_VALUE) {\n\t\t\t\t\t*dst_reg = *src_reg;\n\t\t\t\t\tdst_reg->live |= REG_LIVE_WRITTEN;\n\t\t\t\t\tdst_reg->subreg_def = env->insn_idx + 1;\n\t\t\t\t} else {\n\t\t\t\t\tmark_reg_unknown(env, regs,\n\t\t\t\t\t\t\t insn->dst_reg);\n\t\t\t\t}\n\t\t\t\tcoerce_reg_to_size(dst_reg, 4);\n\t\t\t}\n\t\t} else {\n\t\t\t/* case: R = imm\n\t\t\t * remember the value we stored into this reg\n\t\t\t */\n\t\t\t/* clear any state __mark_reg_known doesn't set */\n\t\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\t\tregs[insn->dst_reg].type = SCALAR_VALUE;\n\t\t\tif (BPF_CLASS(insn->code) == BPF_ALU64) {\n\t\t\t\t__mark_reg_known(regs + insn->dst_reg,\n\t\t\t\t\t\t insn->imm);\n\t\t\t} else {\n\t\t\t\t__mark_reg_known(regs + insn->dst_reg,\n\t\t\t\t\t\t (u32)insn->imm);\n\t\t\t}\n\t\t}\n\n\t} else if (opcode > BPF_END) {\n\t\tverbose(env, \"invalid BPF_ALU opcode %x\\n\", 
opcode);\n\t\treturn -EINVAL;\n\n\t} else {\t/* all other ALU ops: and, sub, xor, add, ... */\n\n\t\tif (BPF_SRC(insn->code) == BPF_X) {\n\t\t\tif (insn->imm != 0 || insn->off != 0) {\n\t\t\t\tverbose(env, \"BPF_ALU uses reserved fields\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\t/* check src1 operand */\n\t\t\terr = check_reg_arg(env, insn->src_reg, SRC_OP);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t} else {\n\t\t\tif (insn->src_reg != BPF_REG_0 || insn->off != 0) {\n\t\t\t\tverbose(env, \"BPF_ALU uses reserved fields\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t}\n\n\t\t/* check src2 operand */\n\t\terr = check_reg_arg(env, insn->dst_reg, SRC_OP);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tif ((opcode == BPF_MOD || opcode == BPF_DIV) &&\n\t\t BPF_SRC(insn->code) == BPF_K && insn->imm == 0) {\n\t\t\tverbose(env, \"div by zero\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tif ((opcode == BPF_LSH || opcode == BPF_RSH ||\n\t\t opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {\n\t\t\tint size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;\n\n\t\t\tif (insn->imm < 0 || insn->imm >= size) {\n\t\t\t\tverbose(env, \"invalid shift %d\\n\", insn->imm);\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t}\n\n\t\t/* check dest operand */\n\t\terr = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\treturn adjust_reg_min_max_vals(env, insn);\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 139644965515876898966362496328000437700, "size": 160, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. 
However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232564 }, { "func": "static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)\n{\n\tstruct bpf_reg_state *regs = cur_regs(env);\n\tu8 opcode = BPF_OP(insn->code);\n\tint err;\n\n\tif (opcode == BPF_END || opcode == BPF_NEG) {\n\t\tif (opcode == BPF_NEG) {\n\t\t\tif (BPF_SRC(insn->code) != 0 ||\n\t\t\t insn->src_reg != BPF_REG_0 ||\n\t\t\t insn->off != 0 || insn->imm != 0) {\n\t\t\t\tverbose(env, \"BPF_NEG uses reserved fields\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t} else {\n\t\t\tif (insn->src_reg != BPF_REG_0 || insn->off != 0 ||\n\t\t\t (insn->imm != 16 && insn->imm != 32 && insn->imm != 64) ||\n\t\t\t BPF_CLASS(insn->code) == BPF_ALU64) {\n\t\t\t\tverbose(env, \"BPF_END uses reserved fields\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t}\n\n\t\t/* check src operand */\n\t\terr = check_reg_arg(env, insn->dst_reg, SRC_OP);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tif (is_pointer_value(env, insn->dst_reg)) {\n\t\t\tverbose(env, \"R%d pointer arithmetic 
prohibited\\n\",\n\t\t\t\tinsn->dst_reg);\n\t\t\treturn -EACCES;\n\t\t}\n\n\t\t/* check dest operand */\n\t\terr = check_reg_arg(env, insn->dst_reg, DST_OP);\n\t\tif (err)\n\t\t\treturn err;\n\n\t} else if (opcode == BPF_MOV) {\n\n\t\tif (BPF_SRC(insn->code) == BPF_X) {\n\t\t\tif (insn->imm != 0 || insn->off != 0) {\n\t\t\t\tverbose(env, \"BPF_MOV uses reserved fields\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\t/* check src operand */\n\t\t\terr = check_reg_arg(env, insn->src_reg, SRC_OP);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t} else {\n\t\t\tif (insn->src_reg != BPF_REG_0 || insn->off != 0) {\n\t\t\t\tverbose(env, \"BPF_MOV uses reserved fields\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t}\n\n\t\t/* check dest operand, mark as required later */\n\t\terr = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tif (BPF_SRC(insn->code) == BPF_X) {\n\t\t\tstruct bpf_reg_state *src_reg = regs + insn->src_reg;\n\t\t\tstruct bpf_reg_state *dst_reg = regs + insn->dst_reg;\n\n\t\t\tif (BPF_CLASS(insn->code) == BPF_ALU64) {\n\t\t\t\t/* case: R1 = R2\n\t\t\t\t * copy register state to dest reg\n\t\t\t\t */\n\t\t\t\t*dst_reg = *src_reg;\n\t\t\t\tdst_reg->live |= REG_LIVE_WRITTEN;\n\t\t\t\tdst_reg->subreg_def = DEF_NOT_SUBREG;\n\t\t\t} else {\n\t\t\t\t/* R1 = (u32) R2 */\n\t\t\t\tif (is_pointer_value(env, insn->src_reg)) {\n\t\t\t\t\tverbose(env,\n\t\t\t\t\t\t\"R%d partial copy of pointer\\n\",\n\t\t\t\t\t\tinsn->src_reg);\n\t\t\t\t\treturn -EACCES;\n\t\t\t\t} else if (src_reg->type == SCALAR_VALUE) {\n\t\t\t\t\t*dst_reg = *src_reg;\n\t\t\t\t\tdst_reg->live |= REG_LIVE_WRITTEN;\n\t\t\t\t\tdst_reg->subreg_def = env->insn_idx + 1;\n\t\t\t\t} else {\n\t\t\t\t\tmark_reg_unknown(env, regs,\n\t\t\t\t\t\t\t insn->dst_reg);\n\t\t\t\t}\n\t\t\t\tzext_32_to_64(dst_reg);\n\t\t\t}\n\t\t} else {\n\t\t\t/* case: R = imm\n\t\t\t * remember the value we stored into this reg\n\t\t\t */\n\t\t\t/* clear any state __mark_reg_known doesn't set 
*/\n\t\t\tmark_reg_unknown(env, regs, insn->dst_reg);\n\t\t\tregs[insn->dst_reg].type = SCALAR_VALUE;\n\t\t\tif (BPF_CLASS(insn->code) == BPF_ALU64) {\n\t\t\t\t__mark_reg_known(regs + insn->dst_reg,\n\t\t\t\t\t\t insn->imm);\n\t\t\t} else {\n\t\t\t\t__mark_reg_known(regs + insn->dst_reg,\n\t\t\t\t\t\t (u32)insn->imm);\n\t\t\t}\n\t\t}\n\n\t} else if (opcode > BPF_END) {\n\t\tverbose(env, \"invalid BPF_ALU opcode %x\\n\", opcode);\n\t\treturn -EINVAL;\n\n\t} else {\t/* all other ALU ops: and, sub, xor, add, ... */\n\n\t\tif (BPF_SRC(insn->code) == BPF_X) {\n\t\t\tif (insn->imm != 0 || insn->off != 0) {\n\t\t\t\tverbose(env, \"BPF_ALU uses reserved fields\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t\t/* check src1 operand */\n\t\t\terr = check_reg_arg(env, insn->src_reg, SRC_OP);\n\t\t\tif (err)\n\t\t\t\treturn err;\n\t\t} else {\n\t\t\tif (insn->src_reg != BPF_REG_0 || insn->off != 0) {\n\t\t\t\tverbose(env, \"BPF_ALU uses reserved fields\\n\");\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t}\n\n\t\t/* check src2 operand */\n\t\terr = check_reg_arg(env, insn->dst_reg, SRC_OP);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\tif ((opcode == BPF_MOD || opcode == BPF_DIV) &&\n\t\t BPF_SRC(insn->code) == BPF_K && insn->imm == 0) {\n\t\t\tverbose(env, \"div by zero\\n\");\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tif ((opcode == BPF_LSH || opcode == BPF_RSH ||\n\t\t opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {\n\t\t\tint size = BPF_CLASS(insn->code) == BPF_ALU64 ? 
64 : 32;\n\n\t\t\tif (insn->imm < 0 || insn->imm >= size) {\n\t\t\t\tverbose(env, \"invalid shift %d\\n\", insn->imm);\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\t\t}\n\n\t\t/* check dest operand */\n\t\terr = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);\n\t\tif (err)\n\t\t\treturn err;\n\n\t\treturn adjust_reg_min_max_vals(env, insn);\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 34285873560078841767395486238971513197, "size": 160, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 
R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. 
After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell \nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328530 }, { "func": "static int check_attach_modify_return(struct bpf_verifier_env *env)\n{\n\tstruct bpf_prog *prog = env->prog;\n\tunsigned long addr = (unsigned long) prog->aux->trampoline->func.addr;\n\n\t/* This is expected to be cleaned up in 
the future with the KRSI effort\n\t * introducing the LSM_HOOK macro for cleaning up lsm_hooks.h.\n\t */\n\tif (within_error_injection_list(addr) ||\n\t !strncmp(SECURITY_PREFIX, prog->aux->attach_func_name,\n\t\t sizeof(SECURITY_PREFIX) - 1))\n\t\treturn 0;\n\n\tverbose(env, \"fmod_ret attach_btf_id %u (%s) is not modifiable\\n\",\n\t\tprog->aux->attach_btf_id, prog->aux->attach_func_name);\n\n\treturn -EINVAL;\n}", "project": "linux", "hash": 89924583523080238290810378500601294719, "size": 18, "commit_id": "294f2fc6da27620a506e6c050241655459ccd6bd", "message": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()\n\nCurrently, for all op verification we call __red_deduce_bounds() and\n__red_bound_offset() but we only call __update_reg_bounds() in bitwise\nops. However, we could benefit from calling __update_reg_bounds() in\nBPF_ADD, BPF_SUB, and BPF_MUL cases as well.\n\nFor example, a register with state 'R1_w=invP0' when we subtract from\nit,\n\n w1 -= 2\n\nBefore coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX\nand unsigned bounds umin_value=0, umax_value=U64_MAX. These will then\nbe clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op\nas done in above example. However tnum will be a constant because the\nALU op is done on a constant.\n\nWithout update_reg_bounds() we have a scenario where tnum is a const\nbut our unsigned bounds do not reflect this. 
By calling update_reg_bounds\nafter coerce to 32bit we further refine the umin_value to U64_MAX in the\nalu64 case or U32_MAX in the alu32 case above.\n\nSigned-off-by: John Fastabend \nSigned-off-by: Alexei Starovoitov \nLink: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower", "target": 0, "dataset": "other", "idx": 232614 }, { "func": "static int check_attach_modify_return(struct bpf_prog *prog, unsigned long addr)\n{\n\tif (within_error_injection_list(addr) ||\n\t !strncmp(SECURITY_PREFIX, prog->aux->attach_func_name,\n\t\t sizeof(SECURITY_PREFIX) - 1))\n\t\treturn 0;\n\n\treturn -EINVAL;\n}", "project": "linux", "hash": 145017199520326559050633401743718771042, "size": 9, "commit_id": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "message": "bpf: Fix scalar32_min_max_or bounds tracking\n\nSimon reported an issue with the current scalar32_min_max_or() implementation.\nThat is, compared to the other 32 bit subreg tracking functions, the code in\nscalar32_min_max_or() stands out that it's using the 64 bit registers instead\nof 32 bit ones. 
This leads to bounds tracking issues, for example:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nThe bound tests on the map value force the upper unsigned bound to be 25769803777\nin 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By\nusing OR they are truncated and thus result in the range [1,1] for the 32 bit reg\ntracker. This is incorrect given the only thing we know is that the value must be\npositive and thus 2147483647 (0b1111111111111111111111111111111) at max for the\nsubregs. Fix it by using the {u,s}32_{min,max}_value vars instead. 
This also makes\nsense, for example, for the case where we update dst_reg->s32_{min,max}_value in\nthe else branch we need to use the newly computed dst_reg->u32_{min,max}_value as\nwe know that these are positive. Previously, in the else branch the 64 bit values\nof umin_value=1 and umax_value=32212254719 were used and latter got truncated to\nbe 1 as upper bound there. After the fix the subreg range is now correct:\n\n [...]\n 8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 8: (79) r1 = *(u64 *)(r0 +0)\n R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm\n 9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 9: (b7) r0 = 1\n 10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm\n 10: (18) r2 = 0x600000002\n 12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 12: (ad) if r1 < r2 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 13: (95) exit\n 14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 14: (25) if r1 > 0x0 goto pc+1\n R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 15: (95) exit\n 16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n 16: (47) r1 |= 0\n 17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm\n [...]\n\nFixes: 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\")\nReported-by: Simon Scannell 
\nSigned-off-by: Daniel Borkmann \nReviewed-by: John Fastabend \nAcked-by: Alexei Starovoitov ", "target": 0, "dataset": "other", "idx": 328511 } ] }, { "call_depth": 14, "longest_call_chain": [ "multiSelect", "generateWithRecursiveQuery", "sqlite3Select", "sqlite3WindowCodeStep", "windowCodeOp", "windowReturnOneRow", "windowFullScan", "windowAggStep", "sqlite3VdbeAddOp4", "sqlite3VdbeChangeP4", "vdbeChangeP4Full", "freeP4", "freeP4FuncCtx", "freeEphemeralFunction" ], "group_size": 211, "functions": [ { "func": "void sqlite3SelectReset(Parse *pParse, Select *p){\n if( ALWAYS(p) ){\n clearSelect(pParse->db, p, 0);\n memset(&p->iLimit, 0, sizeof(Select) - offsetof(Select,iLimit));\n p->pEList = sqlite3ExprListAppend(pParse, 0,\n sqlite3ExprAlloc(pParse->db,TK_NULL,0,0));\n p->pSrc = sqlite3DbMallocZero(pParse->db, sizeof(SrcList));\n }\n}", "project": "sqlite", "hash": 10019109963915055135534111000623874830, "size": 9, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246173 }, { "func": "void sqlite3SelectReset(Parse *pParse, Select *p){\n if( ALWAYS(p) ){\n clearSelect(pParse->db, p, 0);\n memset(&p->iLimit, 0, sizeof(Select) - offsetof(Select,iLimit));\n p->pEList = sqlite3ExprListAppend(pParse, 0,\n sqlite3ExprAlloc(pParse->db,TK_NULL,0,0));\n }\n}", "project": "sqlite", "hash": 76319188462378224723498484642162389737, "size": 8, "commit_id": "a6c1a71cde082e09750465d5675699062922e387", "message": "Do not attempt to unwind the WITH stack in the Parse object following an error. 
This fixes a separate case to [de6e6d68].\n\nFossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92", "target": 0, "dataset": "other", "idx": 356313 }, { "func": "static void windowFullScan(WindowCodeArg *p){\n Window *pWin;\n Parse *pParse = p->pParse;\n Window *pMWin = p->pMWin;\n Vdbe *v = p->pVdbe;\n\n int regCRowid = 0; /* Current rowid value */\n int regCPeer = 0; /* Current peer values */\n int regRowid = 0; /* AggStep rowid value */\n int regPeer = 0; /* AggStep peer values */\n\n int nPeer;\n int lblNext;\n int lblBrk;\n int addrNext;\n int csr;\n\n VdbeModuleComment((v, \"windowFullScan begin\"));\n\n assert( pMWin!=0 );\n csr = pMWin->csrApp;\n nPeer = (pMWin->pOrderBy ? pMWin->pOrderBy->nExpr : 0);\n\n lblNext = sqlite3VdbeMakeLabel(pParse);\n lblBrk = sqlite3VdbeMakeLabel(pParse);\n\n regCRowid = sqlite3GetTempReg(pParse);\n regRowid = sqlite3GetTempReg(pParse);\n if( nPeer ){\n regCPeer = sqlite3GetTempRange(pParse, nPeer);\n regPeer = sqlite3GetTempRange(pParse, nPeer);\n }\n\n sqlite3VdbeAddOp2(v, OP_Rowid, pMWin->iEphCsr, regCRowid);\n windowReadPeerValues(p, pMWin->iEphCsr, regCPeer);\n\n for(pWin=pMWin; pWin; pWin=pWin->pNextWin){\n sqlite3VdbeAddOp2(v, OP_Null, 0, pWin->regAccum);\n }\n\n sqlite3VdbeAddOp3(v, OP_SeekGE, csr, lblBrk, pMWin->regStartRowid);\n VdbeCoverage(v);\n addrNext = sqlite3VdbeCurrentAddr(v);\n sqlite3VdbeAddOp2(v, OP_Rowid, csr, regRowid);\n sqlite3VdbeAddOp3(v, OP_Gt, pMWin->regEndRowid, lblBrk, regRowid);\n VdbeCoverageNeverNull(v);\n\n if( pMWin->eExclude==TK_CURRENT ){\n sqlite3VdbeAddOp3(v, OP_Eq, regCRowid, lblNext, regRowid);\n VdbeCoverageNeverNull(v);\n }else if( pMWin->eExclude!=TK_NO ){\n int addr;\n int addrEq = 0;\n KeyInfo *pKeyInfo = 0;\n\n if( pMWin->pOrderBy ){\n pKeyInfo = sqlite3KeyInfoFromExprList(pParse, pMWin->pOrderBy, 0, 0);\n }\n if( pMWin->eExclude==TK_TIES ){\n addrEq = sqlite3VdbeAddOp3(v, OP_Eq, regCRowid, 0, regRowid);\n VdbeCoverageNeverNull(v);\n }\n if( pKeyInfo 
){\n windowReadPeerValues(p, csr, regPeer);\n sqlite3VdbeAddOp3(v, OP_Compare, regPeer, regCPeer, nPeer);\n sqlite3VdbeAppendP4(v, (void*)pKeyInfo, P4_KEYINFO);\n addr = sqlite3VdbeCurrentAddr(v)+1;\n sqlite3VdbeAddOp3(v, OP_Jump, addr, lblNext, addr);\n VdbeCoverageEqNe(v);\n }else{\n sqlite3VdbeAddOp2(v, OP_Goto, 0, lblNext);\n }\n if( addrEq ) sqlite3VdbeJumpHere(v, addrEq);\n }\n\n windowAggStep(p, pMWin, csr, 0, p->regArg);\n\n sqlite3VdbeResolveLabel(v, lblNext);\n sqlite3VdbeAddOp2(v, OP_Next, csr, addrNext);\n VdbeCoverage(v);\n sqlite3VdbeJumpHere(v, addrNext-1);\n sqlite3VdbeJumpHere(v, addrNext+1);\n sqlite3ReleaseTempReg(pParse, regRowid);\n sqlite3ReleaseTempReg(pParse, regCRowid);\n if( nPeer ){\n sqlite3ReleaseTempRange(pParse, regPeer, nPeer);\n sqlite3ReleaseTempRange(pParse, regCPeer, nPeer);\n }\n\n windowAggFinal(p, 1);\n VdbeModuleComment((v, \"windowFullScan end\"));\n}", "project": "sqlite", "hash": 258544055401452542916258256256895484199, "size": 92, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378624 }, { "func": "int sqlite3VdbeChangeToNoop(Vdbe *p, int addr){\n VdbeOp *pOp;\n if( p->db->mallocFailed ) return 0;\n assert( addr>=0 && addrnOp );\n pOp = &p->aOp[addr];\n freeP4(p->db, pOp->p4type, pOp->p4.p);\n pOp->p4type = P4_NOTUSED;\n pOp->p4.z = 0;\n pOp->opcode = OP_Noop;\n return 1;\n}", "project": "sqlite", "hash": 195041583248534459820904482382299655012, "size": 11, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378612 }, { "func": "static void computeLimitRegisters(Parse *pParse, Select *p, int iBreak){\n Vdbe *v = 0;\n int iLimit = 0;\n int iOffset;\n int n;\n Expr *pLimit = p->pLimit;\n\n if( p->iLimit ) return;\n\n /* \n ** \"LIMIT -1\" always shows all rows. 
There is some\n ** controversy about what the correct behavior should be.\n ** The current implementation interprets \"LIMIT 0\" to mean\n ** no rows.\n */\n if( pLimit ){\n assert( pLimit->op==TK_LIMIT );\n assert( pLimit->pLeft!=0 );\n p->iLimit = iLimit = ++pParse->nMem;\n v = sqlite3GetVdbe(pParse);\n assert( v!=0 );\n if( sqlite3ExprIsInteger(pLimit->pLeft, &n) ){\n sqlite3VdbeAddOp2(v, OP_Integer, n, iLimit);\n VdbeComment((v, \"LIMIT counter\"));\n if( n==0 ){\n sqlite3VdbeGoto(v, iBreak);\n }else if( n>=0 && p->nSelectRow>sqlite3LogEst((u64)n) ){\n p->nSelectRow = sqlite3LogEst((u64)n);\n p->selFlags |= SF_FixedLimit;\n }\n }else{\n sqlite3ExprCode(pParse, pLimit->pLeft, iLimit);\n sqlite3VdbeAddOp1(v, OP_MustBeInt, iLimit); VdbeCoverage(v);\n VdbeComment((v, \"LIMIT counter\"));\n sqlite3VdbeAddOp2(v, OP_IfNot, iLimit, iBreak); VdbeCoverage(v);\n }\n if( pLimit->pRight ){\n p->iOffset = iOffset = ++pParse->nMem;\n pParse->nMem++; /* Allocate an extra register for limit+offset */\n sqlite3ExprCode(pParse, pLimit->pRight, iOffset);\n sqlite3VdbeAddOp1(v, OP_MustBeInt, iOffset); VdbeCoverage(v);\n VdbeComment((v, \"OFFSET counter\"));\n sqlite3VdbeAddOp3(v, OP_OffsetLimit, iLimit, iOffset+1, iOffset);\n VdbeComment((v, \"LIMIT+OFFSET\"));\n }\n }\n}", "project": "sqlite", "hash": 233863310411562953288025877211725898045, "size": 47, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246139 }, { "func": "void sqlite3SelectPrep(\n Parse *pParse, /* The parser context */\n Select *p, /* The SELECT statement being coded. 
*/\n NameContext *pOuterNC /* Name context for container */\n){\n assert( p!=0 || pParse->db->mallocFailed );\n if( pParse->db->mallocFailed ) return;\n if( p->selFlags & SF_HasTypeInfo ) return;\n sqlite3SelectExpand(pParse, p);\n if( pParse->nErr || pParse->db->mallocFailed ) return;\n sqlite3ResolveSelectNames(pParse, p, pOuterNC);\n if( pParse->nErr || pParse->db->mallocFailed ) return;\n sqlite3SelectAddTypeInfo(pParse, p);\n}", "project": "sqlite", "hash": 252766261672076848172031106240704905328, "size": 14, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246129 }, { "func": "int sqlite3VdbeList(\n Vdbe *p /* The VDBE */\n){\n int nRow; /* Stop when row count reaches this */\n int nSub = 0; /* Number of sub-vdbes seen so far */\n SubProgram **apSub = 0; /* Array of sub-vdbes */\n Mem *pSub = 0; /* Memory cell hold array of subprogs */\n sqlite3 *db = p->db; /* The database connection */\n int i; /* Loop counter */\n int rc = SQLITE_OK; /* Return code */\n Mem *pMem = &p->aMem[1]; /* First Mem of result set */\n int bListSubprogs = (p->explain==1 || (db->flags & SQLITE_TriggerEQP)!=0);\n Op *pOp = 0;\n\n assert( p->explain );\n assert( p->magic==VDBE_MAGIC_RUN );\n assert( p->rc==SQLITE_OK || p->rc==SQLITE_BUSY || p->rc==SQLITE_NOMEM );\n\n /* Even though this opcode does not use dynamic strings for\n ** the result, result columns may become dynamic if the user calls\n ** sqlite3_column_text16(), causing a translation to UTF-16 encoding.\n */\n releaseMemArray(pMem, 8);\n p->pResultSet = 0;\n\n if( p->rc==SQLITE_NOMEM ){\n /* This happens if a malloc() inside a call to sqlite3_column_text() or\n ** sqlite3_column_text16() failed. 
*/\n sqlite3OomFault(db);\n return SQLITE_ERROR;\n }\n\n /* When the number of output rows reaches nRow, that means the\n ** listing has finished and sqlite3_step() should return SQLITE_DONE.\n ** nRow is the sum of the number of rows in the main program, plus\n ** the sum of the number of rows in all trigger subprograms encountered\n ** so far. The nRow value will increase as new trigger subprograms are\n ** encountered, but p->pc will eventually catch up to nRow.\n */\n nRow = p->nOp;\n if( bListSubprogs ){\n /* The first 8 memory cells are used for the result set. So we will\n ** commandeer the 9th cell to use as storage for an array of pointers\n ** to trigger subprograms. The VDBE is guaranteed to have at least 9\n ** cells. */\n assert( p->nMem>9 );\n pSub = &p->aMem[9];\n if( pSub->flags&MEM_Blob ){\n /* On the first call to sqlite3_step(), pSub will hold a NULL. It is\n ** initialized to a BLOB by the P4_SUBPROGRAM processing logic below */\n nSub = pSub->n/sizeof(Vdbe*);\n apSub = (SubProgram **)pSub->z;\n }\n for(i=0; inOp;\n }\n }\n\n while(1){ /* Loop exits via break */\n i = p->pc++;\n if( i>=nRow ){\n p->rc = SQLITE_OK;\n rc = SQLITE_DONE;\n break;\n }\n if( inOp ){\n /* The output line number is small enough that we are still in the\n ** main program. */\n pOp = &p->aOp[i];\n }else{\n /* We are currently listing subprograms. Figure out which one and\n ** pick up the appropriate opcode. 
*/\n int j;\n i -= p->nOp;\n assert( apSub!=0 );\n assert( nSub>0 );\n for(j=0; i>=apSub[j]->nOp; j++){\n i -= apSub[j]->nOp;\n assert( inOp || j+1aOp[i];\n }\n\n /* When an OP_Program opcode is encounter (the only opcode that has\n ** a P4_SUBPROGRAM argument), expand the size of the array of subprograms\n ** kept in p->aMem[9].z to hold the new program - assuming this subprogram\n ** has not already been seen.\n */\n if( bListSubprogs && pOp->p4type==P4_SUBPROGRAM ){\n int nByte = (nSub+1)*sizeof(SubProgram*);\n int j;\n for(j=0; jp4.pProgram ) break;\n }\n if( j==nSub ){\n p->rc = sqlite3VdbeMemGrow(pSub, nByte, nSub!=0);\n if( p->rc!=SQLITE_OK ){\n rc = SQLITE_ERROR;\n break;\n }\n apSub = (SubProgram **)pSub->z;\n apSub[nSub++] = pOp->p4.pProgram;\n pSub->flags |= MEM_Blob;\n pSub->n = nSub*sizeof(SubProgram*);\n nRow += pOp->p4.pProgram->nOp;\n }\n }\n if( p->explain<2 ) break;\n if( pOp->opcode==OP_Explain ) break;\n if( pOp->opcode==OP_Init && p->pc>1 ) break;\n }\n\n if( rc==SQLITE_OK ){\n if( db->u1.isInterrupted ){\n p->rc = SQLITE_INTERRUPT;\n rc = SQLITE_ERROR;\n sqlite3VdbeError(p, sqlite3ErrStr(p->rc));\n }else{\n char *zP4;\n if( p->explain==1 ){\n pMem->flags = MEM_Int;\n pMem->u.i = i; /* Program counter */\n pMem++;\n \n pMem->flags = MEM_Static|MEM_Str|MEM_Term;\n pMem->z = (char*)sqlite3OpcodeName(pOp->opcode); /* Opcode */\n assert( pMem->z!=0 );\n pMem->n = sqlite3Strlen30(pMem->z);\n pMem->enc = SQLITE_UTF8;\n pMem++;\n }\n\n pMem->flags = MEM_Int;\n pMem->u.i = pOp->p1; /* P1 */\n pMem++;\n\n pMem->flags = MEM_Int;\n pMem->u.i = pOp->p2; /* P2 */\n pMem++;\n\n pMem->flags = MEM_Int;\n pMem->u.i = pOp->p3; /* P3 */\n pMem++;\n\n if( sqlite3VdbeMemClearAndResize(pMem, 100) ){ /* P4 */\n assert( p->db->mallocFailed );\n return SQLITE_ERROR;\n }\n pMem->flags = MEM_Str|MEM_Term;\n zP4 = displayP4(pOp, pMem->z, pMem->szMalloc);\n if( zP4!=pMem->z ){\n pMem->n = 0;\n sqlite3VdbeMemSetStr(pMem, zP4, -1, SQLITE_UTF8, 0);\n }else{\n assert( 
pMem->z!=0 );\n pMem->n = sqlite3Strlen30(pMem->z);\n pMem->enc = SQLITE_UTF8;\n }\n pMem++;\n\n if( p->explain==1 ){\n if( sqlite3VdbeMemClearAndResize(pMem, 4) ){\n assert( p->db->mallocFailed );\n return SQLITE_ERROR;\n }\n pMem->flags = MEM_Str|MEM_Term;\n pMem->n = 2;\n sqlite3_snprintf(3, pMem->z, \"%.2x\", pOp->p5); /* P5 */\n pMem->enc = SQLITE_UTF8;\n pMem++;\n \n#ifdef SQLITE_ENABLE_EXPLAIN_COMMENTS\n if( sqlite3VdbeMemClearAndResize(pMem, 500) ){\n assert( p->db->mallocFailed );\n return SQLITE_ERROR;\n }\n pMem->flags = MEM_Str|MEM_Term;\n pMem->n = displayComment(pOp, zP4, pMem->z, 500);\n pMem->enc = SQLITE_UTF8;\n#else\n pMem->flags = MEM_Null; /* Comment */\n#endif\n }\n\n p->nResColumn = 8 - 4*(p->explain-1);\n p->pResultSet = &p->aMem[1];\n p->rc = SQLITE_OK;\n rc = SQLITE_ROW;\n }\n }\n return rc;\n}", "project": "sqlite", "hash": 34070505609232192579394178769675383779, "size": 192, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378619 }, { "func": "int sqlite3IndexedByLookup(Parse *pParse, struct SrcList_item *pFrom){\n if( pFrom->pTab && pFrom->fg.isIndexedBy ){\n Table *pTab = pFrom->pTab;\n char *zIndexedBy = pFrom->u1.zIndexedBy;\n Index *pIdx;\n for(pIdx=pTab->pIndex; \n pIdx && sqlite3StrICmp(pIdx->zName, zIndexedBy); \n pIdx=pIdx->pNext\n );\n if( !pIdx ){\n sqlite3ErrorMsg(pParse, \"no such index: %s\", zIndexedBy, 0);\n pParse->checkSchema = 1;\n return SQLITE_ERROR;\n }\n pFrom->pIBIndex = pIdx;\n }\n return SQLITE_OK;\n}", "project": "sqlite", "hash": 35667792206325724766452476317632420313, "size": 18, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246178 }, { "func": "void sqlite3SelectDestInit(SelectDest *pDest, int eDest, int iParm){\n pDest->eDest = (u8)eDest;\n pDest->iSDParm = iParm;\n pDest->zAffSdst = 0;\n pDest->iSdst = 0;\n pDest->nSdst = 0;\n}", "project": "sqlite", "hash": 62588096928149400507759664601332493339, "size": 7, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246175 }, { "func": "void sqlite3VdbeEndCoroutine(Vdbe *v, int regYield){\n sqlite3VdbeAddOp1(v, OP_EndCoroutine, regYield);\n\n /* Clear the temporary register cache, thereby ensuring that each\n ** co-routine has its own independent set of registers, because co-routines\n ** might expect their registers to be preserved across an OP_Yield, and\n ** that could cause problems if two or more 
co-routines are using the same\n ** temporary register.\n */\n v->pParse->nTempReg = 0;\n v->pParse->nRangeReg = 0;\n}", "project": "sqlite", "hash": 75111390811014308639567120973632141787, "size": 12, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378657 }, { "func": "static SQLITE_NOINLINE void resizeResolveLabel(Parse *p, Vdbe *v, int j){\n int nNewSize = 10 - p->nLabel;\n p->aLabel = sqlite3DbReallocOrFree(p->db, p->aLabel,\n nNewSize*sizeof(p->aLabel[0]));\n if( p->aLabel==0 ){\n p->nLabelAlloc = 0;\n }else{\n#ifdef SQLITE_DEBUG\n int i;\n for(i=p->nLabelAlloc; iaLabel[i] = -1;\n#endif\n p->nLabelAlloc = nNewSize;\n p->aLabel[j] = v->nOp;\n }\n}", "project": "sqlite", "hash": 193800494530266255993762941080152839200, "size": 15, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378676 }, { "func": "static int selectExpander(Walker *pWalker, Select *p){\n Parse *pParse = pWalker->pParse;\n int i, j, k;\n SrcList *pTabList;\n ExprList *pEList;\n struct SrcList_item *pFrom;\n sqlite3 *db = pParse->db;\n Expr *pE, *pRight, *pExpr;\n u16 selFlags = p->selFlags;\n u32 elistFlags = 0;\n\n p->selFlags |= SF_Expanded;\n if( db->mallocFailed ){\n return WRC_Abort;\n }\n assert( p->pSrc!=0 );\n if( (selFlags & SF_Expanded)!=0 ){\n return WRC_Prune;\n }\n if( pWalker->eCode ){\n /* Renumber selId because it has been copied from a view */\n p->selId = ++pParse->nSelect;\n }\n pTabList = p->pSrc;\n pEList = p->pEList;\n sqlite3WithPush(pParse, p->pWith, 0);\n\n /* Make sure cursor numbers have been assigned to all entries in\n ** the FROM clause of the SELECT statement.\n */\n sqlite3SrcListAssignCursors(pParse, pTabList);\n\n /* Look up every table named in the FROM clause of the select. 
If\n ** an entry of the FROM clause is a subquery instead of a table or view,\n ** then create a transient table structure to describe the subquery.\n */\n for(i=0, pFrom=pTabList->a; inSrc; i++, pFrom++){\n Table *pTab;\n assert( pFrom->fg.isRecursive==0 || pFrom->pTab!=0 );\n if( pFrom->fg.isRecursive ) continue;\n assert( pFrom->pTab==0 );\n#ifndef SQLITE_OMIT_CTE\n if( withExpand(pWalker, pFrom) ) return WRC_Abort;\n if( pFrom->pTab ) {} else\n#endif\n if( pFrom->zName==0 ){\n#ifndef SQLITE_OMIT_SUBQUERY\n Select *pSel = pFrom->pSelect;\n /* A sub-query in the FROM clause of a SELECT */\n assert( pSel!=0 );\n assert( pFrom->pTab==0 );\n if( sqlite3WalkSelect(pWalker, pSel) ) return WRC_Abort;\n if( sqlite3ExpandSubquery(pParse, pFrom) ) return WRC_Abort;\n#endif\n }else{\n /* An ordinary table or view name in the FROM clause */\n assert( pFrom->pTab==0 );\n pFrom->pTab = pTab = sqlite3LocateTableItem(pParse, 0, pFrom);\n if( pTab==0 ) return WRC_Abort;\n if( pTab->nTabRef>=0xffff ){\n sqlite3ErrorMsg(pParse, \"too many references to \\\"%s\\\": max 65535\",\n pTab->zName);\n pFrom->pTab = 0;\n return WRC_Abort;\n }\n pTab->nTabRef++;\n if( !IsVirtual(pTab) && cannotBeFunction(pParse, pFrom) ){\n return WRC_Abort;\n }\n#if !defined(SQLITE_OMIT_VIEW) || !defined(SQLITE_OMIT_VIRTUALTABLE)\n if( IsVirtual(pTab) || pTab->pSelect ){\n i16 nCol;\n u8 eCodeOrig = pWalker->eCode;\n if( sqlite3ViewGetColumnNames(pParse, pTab) ) return WRC_Abort;\n assert( pFrom->pSelect==0 );\n if( pTab->pSelect && (db->flags & SQLITE_EnableView)==0 ){\n sqlite3ErrorMsg(pParse, \"access to view \\\"%s\\\" prohibited\",\n pTab->zName);\n }\n#ifndef SQLITE_OMIT_VIRTUALTABLE\n if( IsVirtual(pTab)\n && pFrom->fg.fromDDL\n && ALWAYS(pTab->pVTable!=0)\n && pTab->pVTable->eVtabRisk > ((db->flags & SQLITE_TrustedSchema)!=0)\n ){\n sqlite3ErrorMsg(pParse, \"unsafe use of virtual table \\\"%s\\\"\",\n pTab->zName);\n }\n#endif\n pFrom->pSelect = sqlite3SelectDup(db, pTab->pSelect, 0);\n nCol = 
pTab->nCol;\n pTab->nCol = -1;\n pWalker->eCode = 1; /* Turn on Select.selId renumbering */\n sqlite3WalkSelect(pWalker, pFrom->pSelect);\n pWalker->eCode = eCodeOrig;\n pTab->nCol = nCol;\n }\n#endif\n }\n\n /* Locate the index named by the INDEXED BY clause, if any. */\n if( sqlite3IndexedByLookup(pParse, pFrom) ){\n return WRC_Abort;\n }\n }\n\n /* Process NATURAL keywords, and ON and USING clauses of joins.\n */\n if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){\n return WRC_Abort;\n }\n\n /* For every \"*\" that occurs in the column list, insert the names of\n ** all columns in all tables. And for every TABLE.* insert the names\n ** of all columns in TABLE. The parser inserted a special expression\n ** with the TK_ASTERISK operator for each \"*\" that it found in the column\n ** list. The following code just has to locate the TK_ASTERISK\n ** expressions and expand each one to the list of all columns in\n ** all tables.\n **\n ** The first loop just checks to see if there are any \"*\" operators\n ** that need expanding.\n */\n for(k=0; knExpr; k++){\n pE = pEList->a[k].pExpr;\n if( pE->op==TK_ASTERISK ) break;\n assert( pE->op!=TK_DOT || pE->pRight!=0 );\n assert( pE->op!=TK_DOT || (pE->pLeft!=0 && pE->pLeft->op==TK_ID) );\n if( pE->op==TK_DOT && pE->pRight->op==TK_ASTERISK ) break;\n elistFlags |= pE->flags;\n }\n if( knExpr ){\n /*\n ** If we get here it means the result set contains one or more \"*\"\n ** operators that need to be expanded. 
Loop through each expression\n ** in the result set and expand them one by one.\n */\n struct ExprList_item *a = pEList->a;\n ExprList *pNew = 0;\n int flags = pParse->db->flags;\n int longNames = (flags & SQLITE_FullColNames)!=0\n && (flags & SQLITE_ShortColNames)==0;\n\n for(k=0; knExpr; k++){\n pE = a[k].pExpr;\n elistFlags |= pE->flags;\n pRight = pE->pRight;\n assert( pE->op!=TK_DOT || pRight!=0 );\n if( pE->op!=TK_ASTERISK\n && (pE->op!=TK_DOT || pRight->op!=TK_ASTERISK)\n ){\n /* This particular expression does not need to be expanded.\n */\n pNew = sqlite3ExprListAppend(pParse, pNew, a[k].pExpr);\n if( pNew ){\n pNew->a[pNew->nExpr-1].zEName = a[k].zEName;\n pNew->a[pNew->nExpr-1].eEName = a[k].eEName;\n a[k].zEName = 0;\n }\n a[k].pExpr = 0;\n }else{\n /* This expression is a \"*\" or a \"TABLE.*\" and needs to be\n ** expanded. */\n int tableSeen = 0; /* Set to 1 when TABLE matches */\n char *zTName = 0; /* text of name of TABLE */\n if( pE->op==TK_DOT ){\n assert( pE->pLeft!=0 );\n assert( !ExprHasProperty(pE->pLeft, EP_IntValue) );\n zTName = pE->pLeft->u.zToken;\n }\n for(i=0, pFrom=pTabList->a; inSrc; i++, pFrom++){\n Table *pTab = pFrom->pTab;\n Select *pSub = pFrom->pSelect;\n char *zTabName = pFrom->zAlias;\n const char *zSchemaName = 0;\n int iDb;\n if( zTabName==0 ){\n zTabName = pTab->zName;\n }\n if( db->mallocFailed ) break;\n if( pSub==0 || (pSub->selFlags & SF_NestedFrom)==0 ){\n pSub = 0;\n if( zTName && sqlite3StrICmp(zTName, zTabName)!=0 ){\n continue;\n }\n iDb = sqlite3SchemaToIndex(db, pTab->pSchema);\n zSchemaName = iDb>=0 ? 
db->aDb[iDb].zDbSName : \"*\";\n }\n for(j=0; jnCol; j++){\n char *zName = pTab->aCol[j].zName;\n char *zColname; /* The computed column name */\n char *zToFree; /* Malloced string that needs to be freed */\n Token sColname; /* Computed column name as a token */\n\n assert( zName );\n if( zTName && pSub\n && sqlite3MatchEName(&pSub->pEList->a[j], 0, zTName, 0)==0\n ){\n continue;\n }\n\n /* If a column is marked as 'hidden', omit it from the expanded\n ** result-set list unless the SELECT has the SF_IncludeHidden\n ** bit set.\n */\n if( (p->selFlags & SF_IncludeHidden)==0\n && IsHiddenColumn(&pTab->aCol[j]) \n ){\n continue;\n }\n tableSeen = 1;\n\n if( i>0 && zTName==0 ){\n if( (pFrom->fg.jointype & JT_NATURAL)!=0\n && tableAndColumnIndex(pTabList, i, zName, 0, 0, 1)\n ){\n /* In a NATURAL join, omit the join columns from the \n ** table to the right of the join */\n continue;\n }\n if( sqlite3IdListIndex(pFrom->pUsing, zName)>=0 ){\n /* In a join with a USING clause, omit columns in the\n ** using clause from the table on the right. 
*/\n continue;\n }\n }\n pRight = sqlite3Expr(db, TK_ID, zName);\n zColname = zName;\n zToFree = 0;\n if( longNames || pTabList->nSrc>1 ){\n Expr *pLeft;\n pLeft = sqlite3Expr(db, TK_ID, zTabName);\n pExpr = sqlite3PExpr(pParse, TK_DOT, pLeft, pRight);\n if( zSchemaName ){\n pLeft = sqlite3Expr(db, TK_ID, zSchemaName);\n pExpr = sqlite3PExpr(pParse, TK_DOT, pLeft, pExpr);\n }\n if( longNames ){\n zColname = sqlite3MPrintf(db, \"%s.%s\", zTabName, zName);\n zToFree = zColname;\n }\n }else{\n pExpr = pRight;\n }\n pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);\n sqlite3TokenInit(&sColname, zColname);\n sqlite3ExprListSetName(pParse, pNew, &sColname, 0);\n if( pNew && (p->selFlags & SF_NestedFrom)!=0 ){\n struct ExprList_item *pX = &pNew->a[pNew->nExpr-1];\n sqlite3DbFree(db, pX->zEName);\n if( pSub ){\n pX->zEName = sqlite3DbStrDup(db, pSub->pEList->a[j].zEName);\n testcase( pX->zEName==0 );\n }else{\n pX->zEName = sqlite3MPrintf(db, \"%s.%s.%s\",\n zSchemaName, zTabName, zColname);\n testcase( pX->zEName==0 );\n }\n pX->eEName = ENAME_TAB;\n }\n sqlite3DbFree(db, zToFree);\n }\n }\n if( !tableSeen ){\n if( zTName ){\n sqlite3ErrorMsg(pParse, \"no such table: %s\", zTName);\n }else{\n sqlite3ErrorMsg(pParse, \"no tables specified\");\n }\n }\n }\n }\n sqlite3ExprListDelete(db, pEList);\n p->pEList = pNew;\n }\n if( p->pEList ){\n if( p->pEList->nExpr>db->aLimit[SQLITE_LIMIT_COLUMN] ){\n sqlite3ErrorMsg(pParse, \"too many columns in result set\");\n return WRC_Abort;\n }\n if( (elistFlags & (EP_HasFunc|EP_Subquery))!=0 ){\n p->selFlags |= SF_ComplexResult;\n }\n }\n return WRC_Continue;\n}", "project": "sqlite", "hash": 173018535421974116346089355628231803850, "size": 286, "commit_id": "0990c415f65d2556a5e4122cbe5727d500411aeb", "message": "Fix a problem with ALTER TABLE for views that have a nested FROM clause.\nTicket [f50af3e8a565776b].\n\nFossilOrigin-Name: c431b3fd8fd0f6a6974bba3e9366b0430ec003d570e7ce70ceefbcff5fe4b6fa", "target": 1, "dataset": "other", 
"idx": 197522 }, { "func": "static int selectExpander(Walker *pWalker, Select *p){\n Parse *pParse = pWalker->pParse;\n int i, j, k;\n SrcList *pTabList;\n ExprList *pEList;\n struct SrcList_item *pFrom;\n sqlite3 *db = pParse->db;\n Expr *pE, *pRight, *pExpr;\n u16 selFlags = p->selFlags;\n u32 elistFlags = 0;\n\n p->selFlags |= SF_Expanded;\n if( db->mallocFailed ){\n return WRC_Abort;\n }\n assert( p->pSrc!=0 );\n if( (selFlags & SF_Expanded)!=0 ){\n return WRC_Prune;\n }\n if( pWalker->eCode ){\n /* Renumber selId because it has been copied from a view */\n p->selId = ++pParse->nSelect;\n }\n pTabList = p->pSrc;\n pEList = p->pEList;\n sqlite3WithPush(pParse, p->pWith, 0);\n\n /* Make sure cursor numbers have been assigned to all entries in\n ** the FROM clause of the SELECT statement.\n */\n sqlite3SrcListAssignCursors(pParse, pTabList);\n\n /* Look up every table named in the FROM clause of the select. If\n ** an entry of the FROM clause is a subquery instead of a table or view,\n ** then create a transient table structure to describe the subquery.\n */\n for(i=0, pFrom=pTabList->a; inSrc; i++, pFrom++){\n Table *pTab;\n assert( pFrom->fg.isRecursive==0 || pFrom->pTab!=0 );\n if( pFrom->fg.isRecursive ) continue;\n assert( pFrom->pTab==0 );\n#ifndef SQLITE_OMIT_CTE\n if( withExpand(pWalker, pFrom) ) return WRC_Abort;\n if( pFrom->pTab ) {} else\n#endif\n if( pFrom->zName==0 ){\n#ifndef SQLITE_OMIT_SUBQUERY\n Select *pSel = pFrom->pSelect;\n /* A sub-query in the FROM clause of a SELECT */\n assert( pSel!=0 );\n assert( pFrom->pTab==0 );\n if( sqlite3WalkSelect(pWalker, pSel) ) return WRC_Abort;\n if( sqlite3ExpandSubquery(pParse, pFrom) ) return WRC_Abort;\n#endif\n }else{\n /* An ordinary table or view name in the FROM clause */\n assert( pFrom->pTab==0 );\n pFrom->pTab = pTab = sqlite3LocateTableItem(pParse, 0, pFrom);\n if( pTab==0 ) return WRC_Abort;\n if( pTab->nTabRef>=0xffff ){\n sqlite3ErrorMsg(pParse, \"too many references to \\\"%s\\\": max 
65535\",\n pTab->zName);\n pFrom->pTab = 0;\n return WRC_Abort;\n }\n pTab->nTabRef++;\n if( !IsVirtual(pTab) && cannotBeFunction(pParse, pFrom) ){\n return WRC_Abort;\n }\n#if !defined(SQLITE_OMIT_VIEW) || !defined (SQLITE_OMIT_VIRTUALTABLE)\n if( IsVirtual(pTab) || pTab->pSelect ){\n i16 nCol;\n u8 eCodeOrig = pWalker->eCode;\n if( sqlite3ViewGetColumnNames(pParse, pTab) ) return WRC_Abort;\n assert( pFrom->pSelect==0 );\n if( pTab->pSelect && (db->flags & SQLITE_EnableView)==0 ){\n sqlite3ErrorMsg(pParse, \"access to view \\\"%s\\\" prohibited\",\n pTab->zName);\n }\n pFrom->pSelect = sqlite3SelectDup(db, pTab->pSelect, 0);\n nCol = pTab->nCol;\n pTab->nCol = -1;\n pWalker->eCode = 1; /* Turn on Select.selId renumbering */\n sqlite3WalkSelect(pWalker, pFrom->pSelect);\n pWalker->eCode = eCodeOrig;\n pTab->nCol = nCol;\n }\n#endif\n }\n\n /* Locate the index named by the INDEXED BY clause, if any. */\n if( sqlite3IndexedByLookup(pParse, pFrom) ){\n return WRC_Abort;\n }\n }\n\n /* Process NATURAL keywords, and ON and USING clauses of joins.\n */\n if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){\n return WRC_Abort;\n }\n\n /* For every \"*\" that occurs in the column list, insert the names of\n ** all columns in all tables. And for every TABLE.* insert the names\n ** of all columns in TABLE. The parser inserted a special expression\n ** with the TK_ASTERISK operator for each \"*\" that it found in the column\n ** list. 
The following code just has to locate the TK_ASTERISK\n ** expressions and expand each one to the list of all columns in\n ** all tables.\n **\n ** The first loop just checks to see if there are any \"*\" operators\n ** that need expanding.\n */\n for(k=0; knExpr; k++){\n pE = pEList->a[k].pExpr;\n if( pE->op==TK_ASTERISK ) break;\n assert( pE->op!=TK_DOT || pE->pRight!=0 );\n assert( pE->op!=TK_DOT || (pE->pLeft!=0 && pE->pLeft->op==TK_ID) );\n if( pE->op==TK_DOT && pE->pRight->op==TK_ASTERISK ) break;\n elistFlags |= pE->flags;\n }\n if( knExpr ){\n /*\n ** If we get here it means the result set contains one or more \"*\"\n ** operators that need to be expanded. Loop through each expression\n ** in the result set and expand them one by one.\n */\n struct ExprList_item *a = pEList->a;\n ExprList *pNew = 0;\n int flags = pParse->db->flags;\n int longNames = (flags & SQLITE_FullColNames)!=0\n && (flags & SQLITE_ShortColNames)==0;\n\n for(k=0; knExpr; k++){\n pE = a[k].pExpr;\n elistFlags |= pE->flags;\n pRight = pE->pRight;\n assert( pE->op!=TK_DOT || pRight!=0 );\n if( pE->op!=TK_ASTERISK\n && (pE->op!=TK_DOT || pRight->op!=TK_ASTERISK)\n ){\n /* This particular expression does not need to be expanded.\n */\n pNew = sqlite3ExprListAppend(pParse, pNew, a[k].pExpr);\n if( pNew ){\n pNew->a[pNew->nExpr-1].zName = a[k].zName;\n pNew->a[pNew->nExpr-1].zSpan = a[k].zSpan;\n a[k].zName = 0;\n a[k].zSpan = 0;\n }\n a[k].pExpr = 0;\n }else{\n /* This expression is a \"*\" or a \"TABLE.*\" and needs to be\n ** expanded. 
*/\n int tableSeen = 0; /* Set to 1 when TABLE matches */\n char *zTName = 0; /* text of name of TABLE */\n if( pE->op==TK_DOT ){\n assert( pE->pLeft!=0 );\n assert( !ExprHasProperty(pE->pLeft, EP_IntValue) );\n zTName = pE->pLeft->u.zToken;\n }\n for(i=0, pFrom=pTabList->a; inSrc; i++, pFrom++){\n Table *pTab = pFrom->pTab;\n Select *pSub = pFrom->pSelect;\n char *zTabName = pFrom->zAlias;\n const char *zSchemaName = 0;\n int iDb;\n if( zTabName==0 ){\n zTabName = pTab->zName;\n }\n if( db->mallocFailed ) break;\n if( pSub==0 || (pSub->selFlags & SF_NestedFrom)==0 ){\n pSub = 0;\n if( zTName && sqlite3StrICmp(zTName, zTabName)!=0 ){\n continue;\n }\n iDb = sqlite3SchemaToIndex(db, pTab->pSchema);\n zSchemaName = iDb>=0 ? db->aDb[iDb].zDbSName : \"*\";\n }\n for(j=0; jnCol; j++){\n char *zName = pTab->aCol[j].zName;\n char *zColname; /* The computed column name */\n char *zToFree; /* Malloced string that needs to be freed */\n Token sColname; /* Computed column name as a token */\n\n assert( zName );\n if( zTName && pSub\n && sqlite3MatchSpanName(pSub->pEList->a[j].zSpan, 0, zTName, 0)==0\n ){\n continue;\n }\n\n /* If a column is marked as 'hidden', omit it from the expanded\n ** result-set list unless the SELECT has the SF_IncludeHidden\n ** bit set.\n */\n if( (p->selFlags & SF_IncludeHidden)==0\n && IsHiddenColumn(&pTab->aCol[j]) \n ){\n continue;\n }\n tableSeen = 1;\n\n if( i>0 && zTName==0 ){\n if( (pFrom->fg.jointype & JT_NATURAL)!=0\n && tableAndColumnIndex(pTabList, i, zName, 0, 0)\n ){\n /* In a NATURAL join, omit the join columns from the \n ** table to the right of the join */\n continue;\n }\n if( sqlite3IdListIndex(pFrom->pUsing, zName)>=0 ){\n /* In a join with a USING clause, omit columns in the\n ** using clause from the table on the right. 
*/\n continue;\n }\n }\n pRight = sqlite3Expr(db, TK_ID, zName);\n zColname = zName;\n zToFree = 0;\n if( longNames || pTabList->nSrc>1 ){\n Expr *pLeft;\n pLeft = sqlite3Expr(db, TK_ID, zTabName);\n pExpr = sqlite3PExpr(pParse, TK_DOT, pLeft, pRight);\n if( zSchemaName ){\n pLeft = sqlite3Expr(db, TK_ID, zSchemaName);\n pExpr = sqlite3PExpr(pParse, TK_DOT, pLeft, pExpr);\n }\n if( longNames ){\n zColname = sqlite3MPrintf(db, \"%s.%s\", zTabName, zName);\n zToFree = zColname;\n }\n }else{\n pExpr = pRight;\n }\n pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);\n sqlite3TokenInit(&sColname, zColname);\n sqlite3ExprListSetName(pParse, pNew, &sColname, 0);\n if( pNew && (p->selFlags & SF_NestedFrom)!=0 ){\n struct ExprList_item *pX = &pNew->a[pNew->nExpr-1];\n if( pSub ){\n pX->zSpan = sqlite3DbStrDup(db, pSub->pEList->a[j].zSpan);\n testcase( pX->zSpan==0 );\n }else{\n pX->zSpan = sqlite3MPrintf(db, \"%s.%s.%s\",\n zSchemaName, zTabName, zColname);\n testcase( pX->zSpan==0 );\n }\n pX->bSpanIsTab = 1;\n }\n sqlite3DbFree(db, zToFree);\n }\n }\n if( !tableSeen ){\n if( zTName ){\n sqlite3ErrorMsg(pParse, \"no such table: %s\", zTName);\n }else{\n sqlite3ErrorMsg(pParse, \"no tables specified\");\n }\n }\n }\n }\n sqlite3ExprListDelete(db, pEList);\n p->pEList = pNew;\n }\n if( p->pEList ){\n if( p->pEList->nExpr>db->aLimit[SQLITE_LIMIT_COLUMN] ){\n sqlite3ErrorMsg(pParse, \"too many columns in result set\");\n return WRC_Abort;\n }\n if( (elistFlags & (EP_HasFunc|EP_Subquery))!=0 ){\n p->selFlags |= SF_ComplexResult;\n }\n }\n return WRC_Continue;\n}", "project": "sqlite", "hash": 306812494712022841209499043837047336891, "size": 276, "commit_id": "a6c1a71cde082e09750465d5675699062922e387", "message": "Do not attempt to unwind the WITH stack in the Parse object following an error. 
This fixes a separate case to [de6e6d68].\n\nFossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92", "target": 1, "dataset": "other", "idx": 204285 }, { "func": "static int selectExpander(Walker *pWalker, Select *p){\n Parse *pParse = pWalker->pParse;\n int i, j, k;\n SrcList *pTabList;\n ExprList *pEList;\n struct SrcList_item *pFrom;\n sqlite3 *db = pParse->db;\n Expr *pE, *pRight, *pExpr;\n u16 selFlags = p->selFlags;\n u32 elistFlags = 0;\n\n p->selFlags |= SF_Expanded;\n if( db->mallocFailed ){\n return WRC_Abort;\n }\n assert( p->pSrc!=0 );\n if( (selFlags & SF_Expanded)!=0 ){\n return WRC_Prune;\n }\n if( pWalker->eCode ){\n /* Renumber selId because it has been copied from a view */\n p->selId = ++pParse->nSelect;\n }\n pTabList = p->pSrc;\n pEList = p->pEList;\n sqlite3WithPush(pParse, p->pWith, 0);\n\n /* Make sure cursor numbers have been assigned to all entries in\n ** the FROM clause of the SELECT statement.\n */\n sqlite3SrcListAssignCursors(pParse, pTabList);\n\n /* Look up every table named in the FROM clause of the select. 
If\n ** an entry of the FROM clause is a subquery instead of a table or view,\n ** then create a transient table structure to describe the subquery.\n */\n for(i=0, pFrom=pTabList->a; inSrc; i++, pFrom++){\n Table *pTab;\n assert( pFrom->fg.isRecursive==0 || pFrom->pTab!=0 );\n if( pFrom->fg.isRecursive ) continue;\n assert( pFrom->pTab==0 );\n#ifndef SQLITE_OMIT_CTE\n if( withExpand(pWalker, pFrom) ) return WRC_Abort;\n if( pFrom->pTab ) {} else\n#endif\n if( pFrom->zName==0 ){\n#ifndef SQLITE_OMIT_SUBQUERY\n Select *pSel = pFrom->pSelect;\n /* A sub-query in the FROM clause of a SELECT */\n assert( pSel!=0 );\n assert( pFrom->pTab==0 );\n if( sqlite3WalkSelect(pWalker, pSel) ) return WRC_Abort;\n if( sqlite3ExpandSubquery(pParse, pFrom) ) return WRC_Abort;\n#endif\n }else{\n /* An ordinary table or view name in the FROM clause */\n assert( pFrom->pTab==0 );\n pFrom->pTab = pTab = sqlite3LocateTableItem(pParse, 0, pFrom);\n if( pTab==0 ) return WRC_Abort;\n if( pTab->nTabRef>=0xffff ){\n sqlite3ErrorMsg(pParse, \"too many references to \\\"%s\\\": max 65535\",\n pTab->zName);\n pFrom->pTab = 0;\n return WRC_Abort;\n }\n pTab->nTabRef++;\n if( !IsVirtual(pTab) && cannotBeFunction(pParse, pFrom) ){\n return WRC_Abort;\n }\n#if !defined(SQLITE_OMIT_VIEW) || !defined(SQLITE_OMIT_VIRTUALTABLE)\n if( IsVirtual(pTab) || pTab->pSelect ){\n i16 nCol;\n u8 eCodeOrig = pWalker->eCode;\n if( sqlite3ViewGetColumnNames(pParse, pTab) ) return WRC_Abort;\n assert( pFrom->pSelect==0 );\n if( pTab->pSelect && (db->flags & SQLITE_EnableView)==0 ){\n sqlite3ErrorMsg(pParse, \"access to view \\\"%s\\\" prohibited\",\n pTab->zName);\n }\n#ifndef SQLITE_OMIT_VIRTUALTABLE\n if( IsVirtual(pTab)\n && pFrom->fg.fromDDL\n && ALWAYS(pTab->pVTable!=0)\n && pTab->pVTable->eVtabRisk > ((db->flags & SQLITE_TrustedSchema)!=0)\n ){\n sqlite3ErrorMsg(pParse, \"unsafe use of virtual table \\\"%s\\\"\",\n pTab->zName);\n }\n#endif\n pFrom->pSelect = sqlite3SelectDup(db, pTab->pSelect, 0);\n nCol = 
pTab->nCol;\n pTab->nCol = -1;\n pWalker->eCode = 1; /* Turn on Select.selId renumbering */\n sqlite3WalkSelect(pWalker, pFrom->pSelect);\n pWalker->eCode = eCodeOrig;\n pTab->nCol = nCol;\n }\n#endif\n }\n\n /* Locate the index named by the INDEXED BY clause, if any. */\n if( sqlite3IndexedByLookup(pParse, pFrom) ){\n return WRC_Abort;\n }\n }\n\n /* Process NATURAL keywords, and ON and USING clauses of joins.\n */\n if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){\n return WRC_Abort;\n }\n\n /* For every \"*\" that occurs in the column list, insert the names of\n ** all columns in all tables. And for every TABLE.* insert the names\n ** of all columns in TABLE. The parser inserted a special expression\n ** with the TK_ASTERISK operator for each \"*\" that it found in the column\n ** list. The following code just has to locate the TK_ASTERISK\n ** expressions and expand each one to the list of all columns in\n ** all tables.\n **\n ** The first loop just checks to see if there are any \"*\" operators\n ** that need expanding.\n */\n for(k=0; knExpr; k++){\n pE = pEList->a[k].pExpr;\n if( pE->op==TK_ASTERISK ) break;\n assert( pE->op!=TK_DOT || pE->pRight!=0 );\n assert( pE->op!=TK_DOT || (pE->pLeft!=0 && pE->pLeft->op==TK_ID) );\n if( pE->op==TK_DOT && pE->pRight->op==TK_ASTERISK ) break;\n elistFlags |= pE->flags;\n }\n if( knExpr ){\n /*\n ** If we get here it means the result set contains one or more \"*\"\n ** operators that need to be expanded. 
Loop through each expression\n ** in the result set and expand them one by one.\n */\n struct ExprList_item *a = pEList->a;\n ExprList *pNew = 0;\n int flags = pParse->db->flags;\n int longNames = (flags & SQLITE_FullColNames)!=0\n && (flags & SQLITE_ShortColNames)==0;\n\n for(k=0; knExpr; k++){\n pE = a[k].pExpr;\n elistFlags |= pE->flags;\n pRight = pE->pRight;\n assert( pE->op!=TK_DOT || pRight!=0 );\n if( pE->op!=TK_ASTERISK\n && (pE->op!=TK_DOT || pRight->op!=TK_ASTERISK)\n ){\n /* This particular expression does not need to be expanded.\n */\n pNew = sqlite3ExprListAppend(pParse, pNew, a[k].pExpr);\n if( pNew ){\n pNew->a[pNew->nExpr-1].zEName = a[k].zEName;\n pNew->a[pNew->nExpr-1].eEName = a[k].eEName;\n a[k].zEName = 0;\n }\n a[k].pExpr = 0;\n }else{\n /* This expression is a \"*\" or a \"TABLE.*\" and needs to be\n ** expanded. */\n int tableSeen = 0; /* Set to 1 when TABLE matches */\n char *zTName = 0; /* text of name of TABLE */\n if( pE->op==TK_DOT ){\n assert( pE->pLeft!=0 );\n assert( !ExprHasProperty(pE->pLeft, EP_IntValue) );\n zTName = pE->pLeft->u.zToken;\n }\n for(i=0, pFrom=pTabList->a; inSrc; i++, pFrom++){\n Table *pTab = pFrom->pTab;\n Select *pSub = pFrom->pSelect;\n char *zTabName = pFrom->zAlias;\n const char *zSchemaName = 0;\n int iDb;\n if( zTabName==0 ){\n zTabName = pTab->zName;\n }\n if( db->mallocFailed ) break;\n if( pSub==0 || (pSub->selFlags & SF_NestedFrom)==0 ){\n pSub = 0;\n if( zTName && sqlite3StrICmp(zTName, zTabName)!=0 ){\n continue;\n }\n iDb = sqlite3SchemaToIndex(db, pTab->pSchema);\n zSchemaName = iDb>=0 ? 
db->aDb[iDb].zDbSName : \"*\";\n }\n for(j=0; jnCol; j++){\n char *zName = pTab->aCol[j].zName;\n char *zColname; /* The computed column name */\n char *zToFree; /* Malloced string that needs to be freed */\n Token sColname; /* Computed column name as a token */\n\n assert( zName );\n if( zTName && pSub\n && sqlite3MatchEName(&pSub->pEList->a[j], 0, zTName, 0)==0\n ){\n continue;\n }\n\n /* If a column is marked as 'hidden', omit it from the expanded\n ** result-set list unless the SELECT has the SF_IncludeHidden\n ** bit set.\n */\n if( (p->selFlags & SF_IncludeHidden)==0\n && IsHiddenColumn(&pTab->aCol[j]) \n ){\n continue;\n }\n tableSeen = 1;\n\n if( i>0 && zTName==0 ){\n if( (pFrom->fg.jointype & JT_NATURAL)!=0\n && tableAndColumnIndex(pTabList, i, zName, 0, 0, 1)\n ){\n /* In a NATURAL join, omit the join columns from the \n ** table to the right of the join */\n continue;\n }\n if( sqlite3IdListIndex(pFrom->pUsing, zName)>=0 ){\n /* In a join with a USING clause, omit columns in the\n ** using clause from the table on the right. 
*/\n continue;\n }\n }\n pRight = sqlite3Expr(db, TK_ID, zName);\n zColname = zName;\n zToFree = 0;\n if( longNames || pTabList->nSrc>1 ){\n Expr *pLeft;\n pLeft = sqlite3Expr(db, TK_ID, zTabName);\n pExpr = sqlite3PExpr(pParse, TK_DOT, pLeft, pRight);\n if( zSchemaName ){\n pLeft = sqlite3Expr(db, TK_ID, zSchemaName);\n pExpr = sqlite3PExpr(pParse, TK_DOT, pLeft, pExpr);\n }\n if( longNames ){\n zColname = sqlite3MPrintf(db, \"%s.%s\", zTabName, zName);\n zToFree = zColname;\n }\n }else{\n pExpr = pRight;\n }\n pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);\n sqlite3TokenInit(&sColname, zColname);\n sqlite3ExprListSetName(pParse, pNew, &sColname, 0);\n if( pNew && (p->selFlags & SF_NestedFrom)!=0 && !IN_RENAME_OBJECT ){\n struct ExprList_item *pX = &pNew->a[pNew->nExpr-1];\n sqlite3DbFree(db, pX->zEName);\n if( pSub ){\n pX->zEName = sqlite3DbStrDup(db, pSub->pEList->a[j].zEName);\n testcase( pX->zEName==0 );\n }else{\n pX->zEName = sqlite3MPrintf(db, \"%s.%s.%s\",\n zSchemaName, zTabName, zColname);\n testcase( pX->zEName==0 );\n }\n pX->eEName = ENAME_TAB;\n }\n sqlite3DbFree(db, zToFree);\n }\n }\n if( !tableSeen ){\n if( zTName ){\n sqlite3ErrorMsg(pParse, \"no such table: %s\", zTName);\n }else{\n sqlite3ErrorMsg(pParse, \"no tables specified\");\n }\n }\n }\n }\n sqlite3ExprListDelete(db, pEList);\n p->pEList = pNew;\n }\n if( p->pEList ){\n if( p->pEList->nExpr>db->aLimit[SQLITE_LIMIT_COLUMN] ){\n sqlite3ErrorMsg(pParse, \"too many columns in result set\");\n return WRC_Abort;\n }\n if( (elistFlags & (EP_HasFunc|EP_Subquery))!=0 ){\n p->selFlags |= SF_ComplexResult;\n }\n }\n return WRC_Continue;\n}", "project": "sqlite", "hash": 122260449153361052319909319985506822289, "size": 286, "commit_id": "0990c415f65d2556a5e4122cbe5727d500411aeb", "message": "Fix a problem with ALTER TABLE for views that have a nested FROM clause.\nTicket [f50af3e8a565776b].\n\nFossilOrigin-Name: c431b3fd8fd0f6a6974bba3e9366b0430ec003d570e7ce70ceefbcff5fe4b6fa", "target": 0, 
"dataset": "other", "idx": 259833 }, { "func": "static int selectExpander(Walker *pWalker, Select *p){\n Parse *pParse = pWalker->pParse;\n int i, j, k;\n SrcList *pTabList;\n ExprList *pEList;\n struct SrcList_item *pFrom;\n sqlite3 *db = pParse->db;\n Expr *pE, *pRight, *pExpr;\n u16 selFlags = p->selFlags;\n u32 elistFlags = 0;\n\n p->selFlags |= SF_Expanded;\n if( db->mallocFailed ){\n return WRC_Abort;\n }\n assert( p->pSrc!=0 );\n if( (selFlags & SF_Expanded)!=0 ){\n return WRC_Prune;\n }\n if( pWalker->eCode ){\n /* Renumber selId because it has been copied from a view */\n p->selId = ++pParse->nSelect;\n }\n pTabList = p->pSrc;\n pEList = p->pEList;\n sqlite3WithPush(pParse, p->pWith, 0);\n\n /* Make sure cursor numbers have been assigned to all entries in\n ** the FROM clause of the SELECT statement.\n */\n sqlite3SrcListAssignCursors(pParse, pTabList);\n\n /* Look up every table named in the FROM clause of the select. If\n ** an entry of the FROM clause is a subquery instead of a table or view,\n ** then create a transient table structure to describe the subquery.\n */\n for(i=0, pFrom=pTabList->a; inSrc; i++, pFrom++){\n Table *pTab;\n assert( pFrom->fg.isRecursive==0 || pFrom->pTab!=0 );\n if( pFrom->fg.isRecursive ) continue;\n assert( pFrom->pTab==0 );\n#ifndef SQLITE_OMIT_CTE\n if( withExpand(pWalker, pFrom) ) return WRC_Abort;\n if( pFrom->pTab ) {} else\n#endif\n if( pFrom->zName==0 ){\n#ifndef SQLITE_OMIT_SUBQUERY\n Select *pSel = pFrom->pSelect;\n /* A sub-query in the FROM clause of a SELECT */\n assert( pSel!=0 );\n assert( pFrom->pTab==0 );\n if( sqlite3WalkSelect(pWalker, pSel) ) return WRC_Abort;\n if( sqlite3ExpandSubquery(pParse, pFrom) ) return WRC_Abort;\n#endif\n }else{\n /* An ordinary table or view name in the FROM clause */\n assert( pFrom->pTab==0 );\n pFrom->pTab = pTab = sqlite3LocateTableItem(pParse, 0, pFrom);\n if( pTab==0 ) return WRC_Abort;\n if( pTab->nTabRef>=0xffff ){\n sqlite3ErrorMsg(pParse, \"too many references to 
\\\"%s\\\": max 65535\",\n pTab->zName);\n pFrom->pTab = 0;\n return WRC_Abort;\n }\n pTab->nTabRef++;\n if( !IsVirtual(pTab) && cannotBeFunction(pParse, pFrom) ){\n return WRC_Abort;\n }\n#if !defined(SQLITE_OMIT_VIEW) || !defined (SQLITE_OMIT_VIRTUALTABLE)\n if( IsVirtual(pTab) || pTab->pSelect ){\n i16 nCol;\n u8 eCodeOrig = pWalker->eCode;\n if( sqlite3ViewGetColumnNames(pParse, pTab) ) return WRC_Abort;\n assert( pFrom->pSelect==0 );\n if( pTab->pSelect && (db->flags & SQLITE_EnableView)==0 ){\n sqlite3ErrorMsg(pParse, \"access to view \\\"%s\\\" prohibited\",\n pTab->zName);\n }\n pFrom->pSelect = sqlite3SelectDup(db, pTab->pSelect, 0);\n nCol = pTab->nCol;\n pTab->nCol = -1;\n pWalker->eCode = 1; /* Turn on Select.selId renumbering */\n sqlite3WalkSelect(pWalker, pFrom->pSelect);\n pWalker->eCode = eCodeOrig;\n pTab->nCol = nCol;\n }\n#endif\n }\n\n /* Locate the index named by the INDEXED BY clause, if any. */\n if( sqlite3IndexedByLookup(pParse, pFrom) ){\n return WRC_Abort;\n }\n }\n\n /* Process NATURAL keywords, and ON and USING clauses of joins.\n */\n if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){\n return WRC_Abort;\n }\n\n /* For every \"*\" that occurs in the column list, insert the names of\n ** all columns in all tables. And for every TABLE.* insert the names\n ** of all columns in TABLE. The parser inserted a special expression\n ** with the TK_ASTERISK operator for each \"*\" that it found in the column\n ** list. 
The following code just has to locate the TK_ASTERISK\n ** expressions and expand each one to the list of all columns in\n ** all tables.\n **\n ** The first loop just checks to see if there are any \"*\" operators\n ** that need expanding.\n */\n for(k=0; knExpr; k++){\n pE = pEList->a[k].pExpr;\n if( pE->op==TK_ASTERISK ) break;\n assert( pE->op!=TK_DOT || pE->pRight!=0 );\n assert( pE->op!=TK_DOT || (pE->pLeft!=0 && pE->pLeft->op==TK_ID) );\n if( pE->op==TK_DOT && pE->pRight->op==TK_ASTERISK ) break;\n elistFlags |= pE->flags;\n }\n if( knExpr ){\n /*\n ** If we get here it means the result set contains one or more \"*\"\n ** operators that need to be expanded. Loop through each expression\n ** in the result set and expand them one by one.\n */\n struct ExprList_item *a = pEList->a;\n ExprList *pNew = 0;\n int flags = pParse->db->flags;\n int longNames = (flags & SQLITE_FullColNames)!=0\n && (flags & SQLITE_ShortColNames)==0;\n\n for(k=0; knExpr; k++){\n pE = a[k].pExpr;\n elistFlags |= pE->flags;\n pRight = pE->pRight;\n assert( pE->op!=TK_DOT || pRight!=0 );\n if( pE->op!=TK_ASTERISK\n && (pE->op!=TK_DOT || pRight->op!=TK_ASTERISK)\n ){\n /* This particular expression does not need to be expanded.\n */\n pNew = sqlite3ExprListAppend(pParse, pNew, a[k].pExpr);\n if( pNew ){\n pNew->a[pNew->nExpr-1].zName = a[k].zName;\n pNew->a[pNew->nExpr-1].zSpan = a[k].zSpan;\n a[k].zName = 0;\n a[k].zSpan = 0;\n }\n a[k].pExpr = 0;\n }else{\n /* This expression is a \"*\" or a \"TABLE.*\" and needs to be\n ** expanded. 
*/\n int tableSeen = 0; /* Set to 1 when TABLE matches */\n char *zTName = 0; /* text of name of TABLE */\n if( pE->op==TK_DOT ){\n assert( pE->pLeft!=0 );\n assert( !ExprHasProperty(pE->pLeft, EP_IntValue) );\n zTName = pE->pLeft->u.zToken;\n }\n for(i=0, pFrom=pTabList->a; inSrc; i++, pFrom++){\n Table *pTab = pFrom->pTab;\n Select *pSub = pFrom->pSelect;\n char *zTabName = pFrom->zAlias;\n const char *zSchemaName = 0;\n int iDb;\n if( zTabName==0 ){\n zTabName = pTab->zName;\n }\n if( db->mallocFailed ) break;\n if( pSub==0 || (pSub->selFlags & SF_NestedFrom)==0 ){\n pSub = 0;\n if( zTName && sqlite3StrICmp(zTName, zTabName)!=0 ){\n continue;\n }\n iDb = sqlite3SchemaToIndex(db, pTab->pSchema);\n zSchemaName = iDb>=0 ? db->aDb[iDb].zDbSName : \"*\";\n }\n for(j=0; jnCol; j++){\n char *zName = pTab->aCol[j].zName;\n char *zColname; /* The computed column name */\n char *zToFree; /* Malloced string that needs to be freed */\n Token sColname; /* Computed column name as a token */\n\n assert( zName );\n if( zTName && pSub\n && sqlite3MatchSpanName(pSub->pEList->a[j].zSpan, 0, zTName, 0)==0\n ){\n continue;\n }\n\n /* If a column is marked as 'hidden', omit it from the expanded\n ** result-set list unless the SELECT has the SF_IncludeHidden\n ** bit set.\n */\n if( (p->selFlags & SF_IncludeHidden)==0\n && IsHiddenColumn(&pTab->aCol[j]) \n ){\n continue;\n }\n tableSeen = 1;\n\n if( i>0 && zTName==0 ){\n if( (pFrom->fg.jointype & JT_NATURAL)!=0\n && tableAndColumnIndex(pTabList, i, zName, 0, 0)\n ){\n /* In a NATURAL join, omit the join columns from the \n ** table to the right of the join */\n continue;\n }\n if( sqlite3IdListIndex(pFrom->pUsing, zName)>=0 ){\n /* In a join with a USING clause, omit columns in the\n ** using clause from the table on the right. 
*/\n continue;\n }\n }\n pRight = sqlite3Expr(db, TK_ID, zName);\n zColname = zName;\n zToFree = 0;\n if( longNames || pTabList->nSrc>1 ){\n Expr *pLeft;\n pLeft = sqlite3Expr(db, TK_ID, zTabName);\n pExpr = sqlite3PExpr(pParse, TK_DOT, pLeft, pRight);\n if( zSchemaName ){\n pLeft = sqlite3Expr(db, TK_ID, zSchemaName);\n pExpr = sqlite3PExpr(pParse, TK_DOT, pLeft, pExpr);\n }\n if( longNames ){\n zColname = sqlite3MPrintf(db, \"%s.%s\", zTabName, zName);\n zToFree = zColname;\n }\n }else{\n pExpr = pRight;\n }\n pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);\n sqlite3TokenInit(&sColname, zColname);\n sqlite3ExprListSetName(pParse, pNew, &sColname, 0);\n if( pNew && (p->selFlags & SF_NestedFrom)!=0 ){\n struct ExprList_item *pX = &pNew->a[pNew->nExpr-1];\n if( pSub ){\n pX->zSpan = sqlite3DbStrDup(db, pSub->pEList->a[j].zSpan);\n testcase( pX->zSpan==0 );\n }else{\n pX->zSpan = sqlite3MPrintf(db, \"%s.%s.%s\",\n zSchemaName, zTabName, zColname);\n testcase( pX->zSpan==0 );\n }\n pX->bSpanIsTab = 1;\n }\n sqlite3DbFree(db, zToFree);\n }\n }\n if( !tableSeen ){\n if( zTName ){\n sqlite3ErrorMsg(pParse, \"no such table: %s\", zTName);\n }else{\n sqlite3ErrorMsg(pParse, \"no tables specified\");\n }\n }\n }\n }\n sqlite3ExprListDelete(db, pEList);\n p->pEList = pNew;\n }\n if( p->pEList ){\n if( p->pEList->nExpr>db->aLimit[SQLITE_LIMIT_COLUMN] ){\n sqlite3ErrorMsg(pParse, \"too many columns in result set\");\n return WRC_Abort;\n }\n if( (elistFlags & (EP_HasFunc|EP_Subquery))!=0 ){\n p->selFlags |= SF_ComplexResult;\n }\n }\n return WRC_Continue;\n}", "project": "sqlite", "hash": 27082898212798908738611756384964673964, "size": 276, "commit_id": "a6c1a71cde082e09750465d5675699062922e387", "message": "Do not attempt to unwind the WITH stack in the Parse object following an error. 
This fixes a separate case to [de6e6d68].\n\nFossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92", "target": 0, "dataset": "other", "idx": 356309 }, { "func": "static int selectExpander(Walker *pWalker, Select *p){\n Parse *pParse = pWalker->pParse;\n int i, j, k;\n SrcList *pTabList;\n ExprList *pEList;\n struct SrcList_item *pFrom;\n sqlite3 *db = pParse->db;\n Expr *pE, *pRight, *pExpr;\n u16 selFlags = p->selFlags;\n u32 elistFlags = 0;\n\n p->selFlags |= SF_Expanded;\n if( db->mallocFailed ){\n return WRC_Abort;\n }\n assert( p->pSrc!=0 );\n if( (selFlags & SF_Expanded)!=0 ){\n return WRC_Prune;\n }\n if( pWalker->eCode ){\n /* Renumber selId because it has been copied from a view */\n p->selId = ++pParse->nSelect;\n }\n pTabList = p->pSrc;\n pEList = p->pEList;\n sqlite3WithPush(pParse, p->pWith, 0);\n\n /* Make sure cursor numbers have been assigned to all entries in\n ** the FROM clause of the SELECT statement.\n */\n sqlite3SrcListAssignCursors(pParse, pTabList);\n\n /* Look up every table named in the FROM clause of the select. 
If\n ** an entry of the FROM clause is a subquery instead of a table or view,\n ** then create a transient table structure to describe the subquery.\n */\n for(i=0, pFrom=pTabList->a; inSrc; i++, pFrom++){\n Table *pTab;\n assert( pFrom->fg.isRecursive==0 || pFrom->pTab!=0 );\n if( pFrom->fg.isRecursive ) continue;\n assert( pFrom->pTab==0 );\n#ifndef SQLITE_OMIT_CTE\n if( withExpand(pWalker, pFrom) ) return WRC_Abort;\n if( pFrom->pTab ) {} else\n#endif\n if( pFrom->zName==0 ){\n#ifndef SQLITE_OMIT_SUBQUERY\n Select *pSel = pFrom->pSelect;\n /* A sub-query in the FROM clause of a SELECT */\n assert( pSel!=0 );\n assert( pFrom->pTab==0 );\n if( sqlite3WalkSelect(pWalker, pSel) ) return WRC_Abort;\n if( sqlite3ExpandSubquery(pParse, pFrom) ) return WRC_Abort;\n#endif\n }else{\n /* An ordinary table or view name in the FROM clause */\n assert( pFrom->pTab==0 );\n pFrom->pTab = pTab = sqlite3LocateTableItem(pParse, 0, pFrom);\n if( pTab==0 ) return WRC_Abort;\n if( pTab->nTabRef>=0xffff ){\n sqlite3ErrorMsg(pParse, \"too many references to \\\"%s\\\": max 65535\",\n pTab->zName);\n pFrom->pTab = 0;\n return WRC_Abort;\n }\n pTab->nTabRef++;\n if( !IsVirtual(pTab) && cannotBeFunction(pParse, pFrom) ){\n return WRC_Abort;\n }\n#if !defined(SQLITE_OMIT_VIEW) || !defined (SQLITE_OMIT_VIRTUALTABLE)\n if( IsVirtual(pTab) || pTab->pSelect ){\n i16 nCol;\n u8 eCodeOrig = pWalker->eCode;\n if( sqlite3ViewGetColumnNames(pParse, pTab) ) return WRC_Abort;\n assert( pFrom->pSelect==0 );\n if( pTab->pSelect && (db->flags & SQLITE_EnableView)==0 ){\n sqlite3ErrorMsg(pParse, \"access to view \\\"%s\\\" prohibited\",\n pTab->zName);\n }\n if( IsVirtual(pTab)\n && pFrom->fg.fromDDL\n && ALWAYS(pTab->pVTable!=0)\n && pTab->pVTable->eVtabRisk > ((db->flags & SQLITE_TrustedSchema)!=0)\n ){\n sqlite3ErrorMsg(pParse, \"unsafe use of virtual table \\\"%s\\\"\",\n pTab->zName);\n }\n pFrom->pSelect = sqlite3SelectDup(db, pTab->pSelect, 0);\n nCol = pTab->nCol;\n pTab->nCol = -1;\n 
pWalker->eCode = 1; /* Turn on Select.selId renumbering */\n sqlite3WalkSelect(pWalker, pFrom->pSelect);\n pWalker->eCode = eCodeOrig;\n pTab->nCol = nCol;\n }\n#endif\n }\n\n /* Locate the index named by the INDEXED BY clause, if any. */\n if( sqlite3IndexedByLookup(pParse, pFrom) ){\n return WRC_Abort;\n }\n }\n\n /* Process NATURAL keywords, and ON and USING clauses of joins.\n */\n if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){\n return WRC_Abort;\n }\n\n /* For every \"*\" that occurs in the column list, insert the names of\n ** all columns in all tables. And for every TABLE.* insert the names\n ** of all columns in TABLE. The parser inserted a special expression\n ** with the TK_ASTERISK operator for each \"*\" that it found in the column\n ** list. The following code just has to locate the TK_ASTERISK\n ** expressions and expand each one to the list of all columns in\n ** all tables.\n **\n ** The first loop just checks to see if there are any \"*\" operators\n ** that need expanding.\n */\n for(k=0; knExpr; k++){\n pE = pEList->a[k].pExpr;\n if( pE->op==TK_ASTERISK ) break;\n assert( pE->op!=TK_DOT || pE->pRight!=0 );\n assert( pE->op!=TK_DOT || (pE->pLeft!=0 && pE->pLeft->op==TK_ID) );\n if( pE->op==TK_DOT && pE->pRight->op==TK_ASTERISK ) break;\n elistFlags |= pE->flags;\n }\n if( knExpr ){\n /*\n ** If we get here it means the result set contains one or more \"*\"\n ** operators that need to be expanded. 
Loop through each expression\n ** in the result set and expand them one by one.\n */\n struct ExprList_item *a = pEList->a;\n ExprList *pNew = 0;\n int flags = pParse->db->flags;\n int longNames = (flags & SQLITE_FullColNames)!=0\n && (flags & SQLITE_ShortColNames)==0;\n\n for(k=0; knExpr; k++){\n pE = a[k].pExpr;\n elistFlags |= pE->flags;\n pRight = pE->pRight;\n assert( pE->op!=TK_DOT || pRight!=0 );\n if( pE->op!=TK_ASTERISK\n && (pE->op!=TK_DOT || pRight->op!=TK_ASTERISK)\n ){\n /* This particular expression does not need to be expanded.\n */\n pNew = sqlite3ExprListAppend(pParse, pNew, a[k].pExpr);\n if( pNew ){\n pNew->a[pNew->nExpr-1].zEName = a[k].zEName;\n pNew->a[pNew->nExpr-1].eEName = a[k].eEName;\n a[k].zEName = 0;\n }\n a[k].pExpr = 0;\n }else{\n /* This expression is a \"*\" or a \"TABLE.*\" and needs to be\n ** expanded. */\n int tableSeen = 0; /* Set to 1 when TABLE matches */\n char *zTName = 0; /* text of name of TABLE */\n if( pE->op==TK_DOT ){\n assert( pE->pLeft!=0 );\n assert( !ExprHasProperty(pE->pLeft, EP_IntValue) );\n zTName = pE->pLeft->u.zToken;\n }\n for(i=0, pFrom=pTabList->a; inSrc; i++, pFrom++){\n Table *pTab = pFrom->pTab;\n Select *pSub = pFrom->pSelect;\n char *zTabName = pFrom->zAlias;\n const char *zSchemaName = 0;\n int iDb;\n if( zTabName==0 ){\n zTabName = pTab->zName;\n }\n if( db->mallocFailed ) break;\n if( pSub==0 || (pSub->selFlags & SF_NestedFrom)==0 ){\n pSub = 0;\n if( zTName && sqlite3StrICmp(zTName, zTabName)!=0 ){\n continue;\n }\n iDb = sqlite3SchemaToIndex(db, pTab->pSchema);\n zSchemaName = iDb>=0 ? 
db->aDb[iDb].zDbSName : \"*\";\n }\n for(j=0; jnCol; j++){\n char *zName = pTab->aCol[j].zName;\n char *zColname; /* The computed column name */\n char *zToFree; /* Malloced string that needs to be freed */\n Token sColname; /* Computed column name as a token */\n\n assert( zName );\n if( zTName && pSub\n && sqlite3MatchEName(&pSub->pEList->a[j], 0, zTName, 0)==0\n ){\n continue;\n }\n\n /* If a column is marked as 'hidden', omit it from the expanded\n ** result-set list unless the SELECT has the SF_IncludeHidden\n ** bit set.\n */\n if( (p->selFlags & SF_IncludeHidden)==0\n && IsHiddenColumn(&pTab->aCol[j]) \n ){\n continue;\n }\n tableSeen = 1;\n\n if( i>0 && zTName==0 ){\n if( (pFrom->fg.jointype & JT_NATURAL)!=0\n && tableAndColumnIndex(pTabList, i, zName, 0, 0, 1)\n ){\n /* In a NATURAL join, omit the join columns from the \n ** table to the right of the join */\n continue;\n }\n if( sqlite3IdListIndex(pFrom->pUsing, zName)>=0 ){\n /* In a join with a USING clause, omit columns in the\n ** using clause from the table on the right. 
*/\n continue;\n }\n }\n pRight = sqlite3Expr(db, TK_ID, zName);\n zColname = zName;\n zToFree = 0;\n if( longNames || pTabList->nSrc>1 ){\n Expr *pLeft;\n pLeft = sqlite3Expr(db, TK_ID, zTabName);\n pExpr = sqlite3PExpr(pParse, TK_DOT, pLeft, pRight);\n if( zSchemaName ){\n pLeft = sqlite3Expr(db, TK_ID, zSchemaName);\n pExpr = sqlite3PExpr(pParse, TK_DOT, pLeft, pExpr);\n }\n if( longNames ){\n zColname = sqlite3MPrintf(db, \"%s.%s\", zTabName, zName);\n zToFree = zColname;\n }\n }else{\n pExpr = pRight;\n }\n pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);\n sqlite3TokenInit(&sColname, zColname);\n sqlite3ExprListSetName(pParse, pNew, &sColname, 0);\n if( pNew && (p->selFlags & SF_NestedFrom)!=0 ){\n struct ExprList_item *pX = &pNew->a[pNew->nExpr-1];\n sqlite3DbFree(db, pX->zEName);\n if( pSub ){\n pX->zEName = sqlite3DbStrDup(db, pSub->pEList->a[j].zEName);\n testcase( pX->zEName==0 );\n }else{\n pX->zEName = sqlite3MPrintf(db, \"%s.%s.%s\",\n zSchemaName, zTabName, zColname);\n testcase( pX->zEName==0 );\n }\n pX->eEName = ENAME_TAB;\n }\n sqlite3DbFree(db, zToFree);\n }\n }\n if( !tableSeen ){\n if( zTName ){\n sqlite3ErrorMsg(pParse, \"no such table: %s\", zTName);\n }else{\n sqlite3ErrorMsg(pParse, \"no tables specified\");\n }\n }\n }\n }\n sqlite3ExprListDelete(db, pEList);\n p->pEList = pNew;\n }\n if( p->pEList ){\n if( p->pEList->nExpr>db->aLimit[SQLITE_LIMIT_COLUMN] ){\n sqlite3ErrorMsg(pParse, \"too many columns in result set\");\n return WRC_Abort;\n }\n if( (elistFlags & (EP_HasFunc|EP_Subquery))!=0 ){\n p->selFlags |= SF_ComplexResult;\n }\n }\n return WRC_Continue;\n}", "project": "sqlite", "hash": 209354256929313054456132709378837870712, "size": 284, "commit_id": "39df24a3f02495e5ef6bb5ea8ce029a2c1e377e6", "message": "Do not allow the constant-propagation optimization to apple to ON/USING clause\nterms as it does not help and it might cause downstream problems.\n\nFossilOrigin-Name: 
1bc783da63d58b05c690468b569cb2787846357b63c1100d11777666c5787bf4", "target": 0, "dataset": "other", "idx": 393391 }, { "func": "void sqlite3VdbeSetChanges(sqlite3 *db, int nChange){\n assert( sqlite3_mutex_held(db->mutex) );\n db->nChange = nChange;\n db->nTotalChange += nChange;\n}", "project": "sqlite", "hash": 191417023442651038511178189580931300239, "size": 5, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378584 }, { "func": "static void sqlite3SelectExpand(Parse *pParse, Select *pSelect){\n Walker w;\n w.xExprCallback = sqlite3ExprWalkNoop;\n w.pParse = pParse;\n if( OK_IF_ALWAYS_TRUE(pParse->hasCompound) ){\n w.xSelectCallback = convertCompoundSelectToSubquery;\n w.xSelectCallback2 = 0;\n sqlite3WalkSelect(&w, pSelect);\n }\n w.xSelectCallback = selectExpander;\n w.xSelectCallback2 = selectPopWith;\n w.eCode = 0;\n sqlite3WalkSelect(&w, pSelect);\n}", "project": "sqlite", "hash": 197927280453823682611030597633050062940, "size": 14, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246155 }, { "func": "static void vdbeFreeOpArray(sqlite3 *db, Op *aOp, int nOp){\n if( aOp ){\n Op *pOp;\n for(pOp=&aOp[nOp-1]; pOp>=aOp; pOp--){\n if( pOp->p4type <= P4_FREE_IF_LE ) freeP4(db, pOp->p4type, pOp->p4.p);\n#ifdef SQLITE_ENABLE_EXPLAIN_COMMENTS\n sqlite3DbFree(db, 
pOp->zComment);\n#endif \n }\n sqlite3DbFreeNN(db, aOp);\n }\n}", "project": "sqlite", "hash": 18235771121117085387646601519289891045, "size": 12, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378513 }, { "func": "int sqlite3VdbeCheckFk(Vdbe *p, int deferred){\n sqlite3 *db = p->db;\n if( (deferred && (db->nDeferredCons+db->nDeferredImmCons)>0) \n || (!deferred && p->nFkConstraint>0) \n ){\n p->rc = SQLITE_CONSTRAINT_FOREIGNKEY;\n p->errorAction = OE_Abort;\n sqlite3VdbeError(p, \"FOREIGN KEY constraint failed\");\n return SQLITE_ERROR;\n }\n return SQLITE_OK;\n}", "project": "sqlite", "hash": 292397684976394987707555700576432907955, "size": 12, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378485 }, { "func": "int MatchingArraySize(const ArrayType1& array1, int index1,\n const ArrayType2& array2, int index2) {\n TFLITE_DCHECK_EQ(ArraySize(array1, index1), ArraySize(array2, index2));\n return ArraySize(array1, index1);\n}", "project": "tensorflow", "hash": 286627079983162969091158510515044626798, "size": 5, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269140 }, { "func": "int MatchingArraySize(const ArrayType1& array1, int index1,\n const ArrayType2& array2, int index2, Args... args) {\n TFLITE_DCHECK_EQ(ArraySize(array1, index1), ArraySize(array2, index2));\n return MatchingArraySize(array1, index1, args...);\n}", "project": "tensorflow", "hash": 101786776944209665306896910582651652610, "size": 5, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. 
Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269142 }, { "func": "static int displayComment(\n const Op *pOp, /* The opcode to be commented */\n const char *zP4, /* Previously obtained value for P4 */\n char *zTemp, /* Write result here */\n int nTemp /* Space available in zTemp[] */\n){\n const char *zOpName;\n const char *zSynopsis;\n int nOpName;\n int ii, jj;\n char zAlt[50];\n zOpName = sqlite3OpcodeName(pOp->opcode);\n nOpName = sqlite3Strlen30(zOpName);\n if( zOpName[nOpName+1] ){\n int seenCom = 0;\n char c;\n zSynopsis = zOpName += nOpName + 1;\n if( strncmp(zSynopsis,\"IF \",3)==0 ){\n if( pOp->p5 & SQLITE_STOREP2 ){\n sqlite3_snprintf(sizeof(zAlt), zAlt, \"r[P2] = (%s)\", zSynopsis+3);\n }else{\n sqlite3_snprintf(sizeof(zAlt), zAlt, \"if %s goto P2\", zSynopsis+3);\n }\n zSynopsis = zAlt;\n }\n for(ii=jj=0; jjzComment);\n seenCom = 1;\n }else{\n int v1 = translateP(c, pOp);\n int v2;\n sqlite3_snprintf(nTemp-jj, zTemp+jj, \"%d\", v1);\n if( strncmp(zSynopsis+ii+1, \"@P\", 2)==0 ){\n ii += 3;\n jj += sqlite3Strlen30(zTemp+jj);\n v2 = translateP(zSynopsis[ii], pOp);\n if( strncmp(zSynopsis+ii+1,\"+1\",2)==0 ){\n ii += 2;\n v2++;\n }\n if( v2>1 ){\n sqlite3_snprintf(nTemp-jj, zTemp+jj, \"..%d\", v1+v2-1);\n }\n }else if( strncmp(zSynopsis+ii+1, \"..P3\", 4)==0 && pOp->p3==0 ){\n ii += 4;\n }\n }\n jj += sqlite3Strlen30(zTemp+jj);\n }else{\n zTemp[jj++] = c;\n }\n }\n if( !seenCom && jjzComment ){\n sqlite3_snprintf(nTemp-jj, zTemp+jj, \"; %s\", pOp->zComment);\n jj += sqlite3Strlen30(zTemp+jj);\n }\n if( jjzComment ){\n sqlite3_snprintf(nTemp, zTemp, 
\"%s\", pOp->zComment);\n jj = sqlite3Strlen30(zTemp);\n }else{\n zTemp[0] = 0;\n jj = 0;\n }\n return jj;\n}", "project": "sqlite", "hash": 278694928631801598631033999312771326946, "size": 71, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378572 }, { "func": "void sqlite3VdbeFrameDelete(VdbeFrame *p){\n int i;\n Mem *aMem = VdbeFrameMem(p);\n VdbeCursor **apCsr = (VdbeCursor **)&aMem[p->nChildMem];\n assert( sqlite3VdbeFrameIsValid(p) );\n for(i=0; inChildCsr; i++){\n sqlite3VdbeFreeCursor(p->v, apCsr[i]);\n }\n releaseMemArray(aMem, p->nChildMem);\n sqlite3VdbeDeleteAuxData(p->v->db, &p->pAuxData, -1, 0);\n sqlite3DbFree(p->v->db, p);\n}", "project": "sqlite", "hash": 334225344861906862302678097674875321980, "size": 12, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378511 }, { "func": "void sqlite3SetJoinExpr(Expr *p, int iTable){\n while( p ){\n ExprSetProperty(p, EP_FromJoin);\n assert( !ExprHasProperty(p, EP_TokenOnly|EP_Reduced) );\n ExprSetVVAProperty(p, EP_NoReduce);\n p->iRightJoinTable = (i16)iTable;\n if( p->op==TK_FUNCTION && p->x.pList ){\n int i;\n for(i=0; ix.pList->nExpr; i++){\n sqlite3SetJoinExpr(p->x.pList->a[i].pExpr, iTable);\n }\n }\n sqlite3SetJoinExpr(p->pLeft, iTable);\n p = p->pRight;\n } \n}", "project": "sqlite", "hash": 238070764789848123318035933896751607365, "size": 16, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246133 }, { "func": "void sqlite3VdbeClearObject(sqlite3 *db, Vdbe *p){\n SubProgram *pSub, *pNext;\n assert( p->db==0 || p->db==db );\n releaseMemArray(p->aColName, p->nResColumn*COLNAME_N);\n for(pSub=p->pProgram; pSub; pSub=pNext){\n pNext = pSub->pNext;\n vdbeFreeOpArray(db, pSub->aOp, pSub->nOp);\n sqlite3DbFree(db, pSub);\n }\n if( p->magic!=VDBE_MAGIC_INIT ){\n releaseMemArray(p->aVar, p->nVar);\n sqlite3DbFree(db, p->pVList);\n sqlite3DbFree(db, p->pFree);\n }\n vdbeFreeOpArray(db, p->aOp, p->nOp);\n sqlite3DbFree(db, p->aColName);\n sqlite3DbFree(db, p->zSql);\n#ifdef SQLITE_ENABLE_NORMALIZE\n sqlite3DbFree(db, p->zNormSql);\n {\n DblquoteStr *pThis, *pNext;\n for(pThis=p->pDblStr; pThis; pThis=pNext){\n pNext = pThis->pNextStr;\n sqlite3DbFree(db, pThis);\n }\n }\n#endif\n#ifdef SQLITE_ENABLE_STMT_SCANSTATUS\n {\n int i;\n for(i=0; inScan; i++){\n sqlite3DbFree(db, p->aScan[i].zName);\n }\n sqlite3DbFree(db, p->aScan);\n }\n#endif\n}", "project": "sqlite", "hash": 
16385366759724452217718985085200398406, "size": 37, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378667 }, { "func": "void sqlite3VdbeExplain(Parse *pParse, u8 bPush, const char *zFmt, ...){\n#ifndef SQLITE_DEBUG\n /* Always include the OP_Explain opcodes if SQLITE_DEBUG is defined.\n ** But omit them (for performance) during production builds */\n if( pParse->explain==2 )\n#endif\n {\n char *zMsg;\n Vdbe *v;\n va_list ap;\n int iThis;\n va_start(ap, zFmt);\n zMsg = sqlite3VMPrintf(pParse->db, zFmt, ap);\n va_end(ap);\n v = pParse->pVdbe;\n iThis = v->nOp;\n sqlite3VdbeAddOp4(v, OP_Explain, iThis, pParse->addrExplain, 0,\n zMsg, P4_DYNAMIC);\n sqlite3ExplainBreakpoint(bPush?\"PUSH\":\"\", sqlite3VdbeGetOp(v,-1)->p4.z);\n if( bPush){\n pParse->addrExplain = iThis;\n }\n }\n}", "project": "sqlite", "hash": 7125965146111173768838264208937249966, "size": 24, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378597 }, { "func": "static void finalizeAggFunctions(Parse *pParse, AggInfo *pAggInfo){\n Vdbe *v = pParse->pVdbe;\n int i;\n struct AggInfo_func *pF;\n for(i=0, pF=pAggInfo->aFunc; inFunc; i++, pF++){\n ExprList *pList = pF->pExpr->x.pList;\n assert( !ExprHasProperty(pF->pExpr, EP_xIsSelect) );\n sqlite3VdbeAddOp2(v, OP_AggFinal, pF->iMem, pList ? pList->nExpr : 0);\n sqlite3VdbeAppendP4(v, pF->pFunc, P4_FUNCDEF);\n }\n}", "project": "sqlite", "hash": 208613991449895164148061922062784544937, "size": 11, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246168 }, { "func": "static int growOpArray(Vdbe *v, int nOp){\n VdbeOp *pNew;\n Parse *p = v->pParse;\n\n /* The SQLITE_TEST_REALLOC_STRESS compile-time option is designed to force\n ** more frequent reallocs and hence provide more opportunities for \n ** simulated OOM faults. SQLITE_TEST_REALLOC_STRESS is generally used\n ** during testing only. With SQLITE_TEST_REALLOC_STRESS grow the op array\n ** by the minimum* amount required until the size reaches 512. Normal\n ** operation (without SQLITE_TEST_REALLOC_STRESS) is to double the current\n ** size of the op array or add 1KB of space, whichever is smaller. */\n#ifdef SQLITE_TEST_REALLOC_STRESS\n sqlite3_int64 nNew = (v->nOpAlloc>=512 ? 2*(sqlite3_int64)v->nOpAlloc\n : (sqlite3_int64)v->nOpAlloc+nOp);\n#else\n sqlite3_int64 nNew = (v->nOpAlloc ? 
2*(sqlite3_int64)v->nOpAlloc\n : (sqlite3_int64)(1024/sizeof(Op)));\n UNUSED_PARAMETER(nOp);\n#endif\n\n /* Ensure that the size of a VDBE does not grow too large */\n if( nNew > p->db->aLimit[SQLITE_LIMIT_VDBE_OP] ){\n sqlite3OomFault(p->db);\n return SQLITE_NOMEM;\n }\n\n assert( nOp<=(1024/sizeof(Op)) );\n assert( nNew>=(v->nOpAlloc+nOp) );\n pNew = sqlite3DbRealloc(p->db, v->aOp, nNew*sizeof(Op));\n if( pNew ){\n p->szOpAlloc = sqlite3DbMallocSize(p->db, pNew);\n v->nOpAlloc = p->szOpAlloc/sizeof(Op);\n v->aOp = pNew;\n }\n return (pNew ? SQLITE_OK : SQLITE_NOMEM_BKPT);\n}", "project": "sqlite", "hash": 244382129786251718875160571657087186249, "size": 36, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378689 }, { "func": "void sqlite3VdbeChangeP4(Vdbe *p, int addr, const char *zP4, int n){\n Op *pOp;\n sqlite3 *db;\n assert( p!=0 );\n db = p->db;\n assert( p->magic==VDBE_MAGIC_INIT );\n assert( p->aOp!=0 || db->mallocFailed );\n if( db->mallocFailed ){\n if( n!=P4_VTAB ) freeP4(db, n, (void*)*(char**)&zP4);\n return;\n }\n assert( p->nOp>0 );\n assert( addrnOp );\n if( addr<0 ){\n addr = p->nOp - 1;\n }\n pOp = &p->aOp[addr];\n if( n>=0 || pOp->p4type ){\n vdbeChangeP4Full(p, pOp, zP4, n);\n return;\n }\n if( n==P4_INT32 ){\n /* Note: this cast is safe, because the origin data point was an int\n ** that was cast to a (const char *). 
*/\n pOp->p4.i = SQLITE_PTR_TO_INT(zP4);\n pOp->p4type = P4_INT32;\n }else if( zP4!=0 ){\n assert( n<0 );\n pOp->p4.p = (void*)zP4;\n pOp->p4type = (signed char)n;\n if( n==P4_VTAB ) sqlite3VtabLock((VTable*)zP4);\n }\n}", "project": "sqlite", "hash": 323198932201332101115330669582763806459, "size": 33, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378680 }, { "func": "static void havingToWhere(Parse *pParse, Select *p){\n Walker sWalker;\n memset(&sWalker, 0, sizeof(sWalker));\n sWalker.pParse = pParse;\n sWalker.xExprCallback = havingToWhereExprCb;\n sWalker.u.pSelect = p;\n sqlite3WalkExpr(&sWalker, p->pHaving);\n#if SELECTTRACE_ENABLED\n if( sWalker.eCode && (sqlite3SelectTrace & 0x100)!=0 ){\n SELECTTRACE(0x100,pParse,p,(\"Move HAVING terms into WHERE:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n}", "project": "sqlite", "hash": 112581367539307318527656727550529598803, "size": 14, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246195 }, { "func": "static void releaseMemArray(Mem *p, int N){\n if( p && N ){\n Mem *pEnd = &p[N];\n sqlite3 *db = p->db;\n if( db->pnBytesFreed ){\n do{\n if( p->szMalloc ) sqlite3DbFree(db, p->zMalloc);\n }while( (++p)flags & MEM_Agg );\n testcase( p->flags & MEM_Dyn );\n testcase( p->xDel==sqlite3VdbeFrameMemDel );\n if( 
p->flags&(MEM_Agg|MEM_Dyn) ){\n sqlite3VdbeMemRelease(p);\n }else if( p->szMalloc ){\n sqlite3DbFreeNN(db, p->zMalloc);\n p->szMalloc = 0;\n }\n\n p->flags = MEM_Undefined;\n }while( (++p)nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378563 }, { "func": "static SQLITE_NOINLINE int vdbeCloseStatement(Vdbe *p, int eOp){\n sqlite3 *const db = p->db;\n int rc = SQLITE_OK;\n int i;\n const int iSavepoint = p->iStatement-1;\n\n assert( eOp==SAVEPOINT_ROLLBACK || eOp==SAVEPOINT_RELEASE);\n assert( db->nStatement>0 );\n assert( p->iStatement==(db->nStatement+db->nSavepoint) );\n\n for(i=0; inDb; i++){ \n int rc2 = SQLITE_OK;\n Btree *pBt = db->aDb[i].pBt;\n if( pBt ){\n if( eOp==SAVEPOINT_ROLLBACK ){\n rc2 = sqlite3BtreeSavepoint(pBt, SAVEPOINT_ROLLBACK, iSavepoint);\n }\n if( rc2==SQLITE_OK ){\n rc2 = sqlite3BtreeSavepoint(pBt, SAVEPOINT_RELEASE, iSavepoint);\n }\n if( rc==SQLITE_OK ){\n rc = rc2;\n }\n }\n }\n db->nStatement--;\n p->iStatement = 0;\n\n if( rc==SQLITE_OK ){\n if( eOp==SAVEPOINT_ROLLBACK ){\n rc = sqlite3VtabSavepoint(db, SAVEPOINT_ROLLBACK, iSavepoint);\n }\n if( rc==SQLITE_OK ){\n rc = sqlite3VtabSavepoint(db, SAVEPOINT_RELEASE, iSavepoint);\n }\n }\n\n /* If the statement transaction is being rolled back, also restore the \n ** database handles deferred constraint counter to the value it had when \n ** the statement transaction was opened. 
*/\n if( eOp==SAVEPOINT_ROLLBACK ){\n db->nDeferredCons = p->nStmtDefCons;\n db->nDeferredImmCons = p->nStmtDefImmCons;\n }\n return rc;\n}", "project": "sqlite", "hash": 216851652160156670441481447155118358202, "size": 46, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378632 }, { "func": "inline int MatchingFlatSizeSkipDim(const RuntimeShape& shape, int skip_dim,\n const RuntimeShape& check_shape_0,\n const RuntimeShape& check_shape_1,\n const RuntimeShape& check_shape_2,\n const RuntimeShape& check_shape_3) {\n const int dims_count = shape.DimensionsCount();\n for (int i = 0; i < dims_count; ++i) {\n if (i != skip_dim) {\n TFLITE_DCHECK_EQ(shape.Dims(i), check_shape_0.Dims(i));\n }\n }\n return MatchingFlatSizeSkipDim(shape, skip_dim, check_shape_1, check_shape_2,\n check_shape_3);\n}", "project": "tensorflow", "hash": 238081127879567203396504841825629320828, "size": 14, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269125 }, { "func": "inline int MatchingFlatSizeSkipDim(const Dims& dims, int skip_dim,\n const Dims& check_dims_0,\n const Dims& check_dims_1) {\n for (int i = 0; i < N; ++i) {\n if (i != skip_dim) {\n TFLITE_DCHECK_EQ(ArraySize(dims, i), ArraySize(check_dims_0, i));\n }\n }\n return MatchingFlatSizeSkipDim(dims, skip_dim, check_dims_1);\n}", "project": "tensorflow", "hash": 235274550364501182990216877649327102385, "size": 10, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269131 }, { "func": "inline int MatchingFlatSizeSkipDim(const RuntimeShape& shape, int skip_dim,\n const RuntimeShape& check_shape_0) {\n const int dims_count = shape.DimensionsCount();\n for (int i = 0; i < dims_count; ++i) {\n if (i != skip_dim) {\n TFLITE_DCHECK_EQ(shape.Dims(i), check_shape_0.Dims(i));\n }\n }\n return FlatSizeSkipDim(shape, skip_dim);\n}", "project": "tensorflow", "hash": 30177462917628125972875235888494706496, "size": 10, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269132 }, { "func": "inline int MatchingFlatSizeSkipDim(const Dims& dims, int skip_dim,\n const Dims& check_dims_0) {\n for (int i = 0; i < N; ++i) {\n if (i != skip_dim) {\n TFLITE_DCHECK_EQ(ArraySize(dims, i), ArraySize(check_dims_0, i));\n }\n }\n return FlatSizeSkipDim(dims, skip_dim);\n}", "project": "tensorflow", "hash": 181266595956228795277816141440001765730, "size": 9, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269136 }, { "func": "inline int MatchingFlatSizeSkipDim(const RuntimeShape& shape, int skip_dim,\n const RuntimeShape& check_shape_0,\n const RuntimeShape& check_shape_1) {\n const int dims_count = shape.DimensionsCount();\n for (int i = 0; i < dims_count; ++i) {\n if (i != skip_dim) {\n TFLITE_DCHECK_EQ(shape.Dims(i), check_shape_0.Dims(i));\n }\n }\n return MatchingFlatSizeSkipDim(shape, skip_dim, check_shape_1);\n}", "project": "tensorflow", "hash": 339942686018883969352317842166558965723, "size": 11, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269147 }, { "func": "inline int MatchingFlatSizeSkipDim(const RuntimeShape& shape, int skip_dim,\n const RuntimeShape& check_shape_0,\n const RuntimeShape& check_shape_1,\n const RuntimeShape& check_shape_2) {\n const int dims_count = shape.DimensionsCount();\n for (int i = 0; i < dims_count; ++i) {\n if (i != skip_dim) {\n TFLITE_DCHECK_EQ(shape.Dims(i), check_shape_0.Dims(i));\n }\n }\n return MatchingFlatSizeSkipDim(shape, skip_dim, check_shape_1, check_shape_2);\n}", "project": "tensorflow", "hash": 41243465828196011093208877487609437437, "size": 12, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269156 }, { "func": "inline int MatchingFlatSizeSkipDim(const Dims& dims, int skip_dim,\n const Dims& check_dims_0,\n const Dims& check_dims_1,\n const Dims& check_dims_2) {\n for (int i = 0; i < N; ++i) {\n if (i != skip_dim) {\n TFLITE_DCHECK_EQ(ArraySize(dims, i), ArraySize(check_dims_0, i));\n }\n }\n return MatchingFlatSizeSkipDim(dims, skip_dim, check_dims_1, check_dims_2);\n}", "project": "tensorflow", "hash": 72272843940717923221244265959236476361, "size": 11, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269169 }, { "func": "inline int MatchingFlatSizeSkipDim(const Dims& dims, int skip_dim,\n const Dims& check_dims_0,\n const Dims& check_dims_1,\n const Dims& check_dims_2,\n const Dims& check_dims_3) {\n for (int i = 0; i < N; ++i) {\n if (i != skip_dim) {\n TFLITE_DCHECK_EQ(ArraySize(dims, i), ArraySize(check_dims_0, i));\n }\n }\n return MatchingFlatSizeSkipDim(dims, skip_dim, check_dims_1, check_dims_2,\n check_dims_3);\n}", "project": "tensorflow", "hash": 90810469505935061187259687547386733107, "size": 13, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269179 }, { "func": "static int columnIndex(Table *pTab, const char *zCol){\n int i;\n for(i=0; inCol; i++){\n if( sqlite3StrICmp(pTab->aCol[i].zName, zCol)==0 ) return i;\n }\n return -1;\n}", "project": "sqlite", "hash": 80793088044710185377132637720840673892, "size": 7, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246188 }, { "func": "void sqlite3WindowLink(Select *pSel, Window *pWin){\n if( pSel!=0\n && (0==pSel->pWin || 0==sqlite3WindowCompare(0, pSel->pWin, pWin, 0))\n ){\n pWin->pNextWin = pSel->pWin;\n if( pSel->pWin ){\n pSel->pWin->ppThis = &pWin->pNextWin;\n }\n pSel->pWin = pWin;\n pWin->ppThis = &pSel->pWin;\n }\n}", "project": "sqlite", "hash": 55435413175296737873905555875034448321, "size": 12, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378478 }, { "func": "int sqlite3VdbeMakeLabel(Parse *pParse){\n return --pParse->nLabel;\n}", "project": "sqlite", "hash": 331955103644211058314530730488852136247, "size": 3, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378521 }, { "func": "void sqlite3WindowUnlinkFromSelect(Window *p){\n if( p->ppThis ){\n *p->ppThis = p->pNextWin;\n if( p->pNextWin ) p->pNextWin->ppThis = p->ppThis;\n p->ppThis = 0;\n }\n}", "project": "sqlite", "hash": 315218117348135382098373973365818667259, "size": 7, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378540 }, { "func": "int sqlite3ExpandSubquery(Parse *pParse, struct SrcList_item *pFrom){\n Select *pSel = pFrom->pSelect;\n Table *pTab;\n\n assert( pSel );\n pFrom->pTab = pTab = sqlite3DbMallocZero(pParse->db, sizeof(Table));\n if( pTab==0 ) return SQLITE_NOMEM;\n pTab->nTabRef = 1;\n if( pFrom->zAlias ){\n pTab->zName = sqlite3DbStrDup(pParse->db, pFrom->zAlias);\n }else{\n pTab->zName = sqlite3MPrintf(pParse->db, \"subquery_%u\", pSel->selId);\n }\n while( pSel->pPrior ){ pSel = pSel->pPrior; }\n sqlite3ColumnsFromExprList(pParse, pSel->pEList,&pTab->nCol,&pTab->aCol);\n pTab->iPKey = -1;\n pTab->nRowLogEst = 200; assert( 200==sqlite3LogEst(1048576) );\n pTab->tabFlags |= TF_Ephemeral;\n\n return pParse->nErr ? SQLITE_ERROR : SQLITE_OK;\n}", "project": "sqlite", "hash": 233933209214162646342219992111893850428, "size": 21, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246180 }, { "func": "int sqlite3VdbeAddOp3(Vdbe *p, int op, int p1, int p2, int p3){\n int i;\n VdbeOp *pOp;\n\n i = p->nOp;\n assert( p->magic==VDBE_MAGIC_INIT );\n assert( op>=0 && op<0xff );\n if( p->nOpAlloc<=i ){\n return growOp3(p, op, p1, p2, p3);\n }\n p->nOp++;\n pOp = &p->aOp[i];\n pOp->opcode = (u8)op;\n pOp->p5 = 0;\n pOp->p1 = p1;\n pOp->p2 = p2;\n pOp->p3 = p3;\n pOp->p4.p = 0;\n pOp->p4type = P4_NOTUSED;\n#ifdef SQLITE_ENABLE_EXPLAIN_COMMENTS\n pOp->zComment = 0;\n#endif\n#ifdef SQLITE_DEBUG\n if( p->db->flags & SQLITE_VdbeAddopTrace ){\n sqlite3VdbePrintOp(0, i, &p->aOp[i]);\n test_addop_breakpoint();\n }\n#endif\n#ifdef VDBE_PROFILE\n pOp->cycles = 0;\n pOp->cnt = 
0;\n#endif\n#ifdef SQLITE_VDBE_COVERAGE\n pOp->iSrcLine = 0;\n#endif\n return i;\n}", "project": "sqlite", "hash": 92228713669309451174240228071488824484, "size": 37, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378688 }, { "func": "static int countOfViewOptimization(Parse *pParse, Select *p){\n Select *pSub, *pPrior;\n Expr *pExpr;\n Expr *pCount;\n sqlite3 *db;\n if( (p->selFlags & SF_Aggregate)==0 ) return 0; /* This is an aggregate */\n if( p->pEList->nExpr!=1 ) return 0; /* Single result column */\n if( p->pWhere ) return 0;\n if( p->pGroupBy ) return 0;\n pExpr = p->pEList->a[0].pExpr;\n if( pExpr->op!=TK_AGG_FUNCTION ) return 0; /* Result is an aggregate */\n if( sqlite3_stricmp(pExpr->u.zToken,\"count\") ) return 0; /* Is count() */\n if( pExpr->x.pList!=0 ) return 0; /* Must be count(*) */\n if( p->pSrc->nSrc!=1 ) return 0; /* One table in FROM */\n pSub = p->pSrc->a[0].pSelect;\n if( pSub==0 ) return 0; /* The FROM is a subquery */\n if( pSub->pPrior==0 ) return 0; /* Must be a compound ry */\n do{\n if( pSub->op!=TK_ALL && pSub->pPrior ) return 0; /* Must be UNION ALL */\n if( pSub->pWhere ) return 0; /* No WHERE clause */\n if( pSub->pLimit ) return 0; /* No LIMIT clause */\n if( pSub->selFlags & SF_Aggregate ) return 0; /* Not an aggregate */\n pSub = pSub->pPrior; /* Repeat over compound */\n }while( pSub );\n\n /* If we reach this point then it is OK to perform the transformation */\n\n db = pParse->db;\n pCount = pExpr;\n pExpr = 0;\n pSub = 
p->pSrc->a[0].pSelect;\n p->pSrc->a[0].pSelect = 0;\n sqlite3SrcListDelete(db, p->pSrc);\n p->pSrc = sqlite3DbMallocZero(pParse->db, sizeof(*p->pSrc));\n while( pSub ){\n Expr *pTerm;\n pPrior = pSub->pPrior;\n pSub->pPrior = 0;\n pSub->pNext = 0;\n pSub->selFlags |= SF_Aggregate;\n pSub->selFlags &= ~SF_Compound;\n pSub->nSelectRow = 0;\n sqlite3ExprListDelete(db, pSub->pEList);\n pTerm = pPrior ? sqlite3ExprDup(db, pCount, 0) : pCount;\n pSub->pEList = sqlite3ExprListAppend(pParse, 0, pTerm);\n pTerm = sqlite3PExpr(pParse, TK_SELECT, 0, 0);\n sqlite3PExprAddSelect(pParse, pTerm, pSub);\n if( pExpr==0 ){\n pExpr = pTerm;\n }else{\n pExpr = sqlite3PExpr(pParse, TK_PLUS, pTerm, pExpr);\n }\n pSub = pPrior;\n }\n p->pEList->a[0].pExpr = pExpr;\n p->selFlags &= ~SF_Aggregate;\n\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x400 ){\n SELECTTRACE(0x400,pParse,p,(\"After count-of-view optimization:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n return 1;\n}", "project": "sqlite", "hash": 92210140327606006002496137177116922264, "size": 65, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246162 }, { "func": "void sqlite3VdbeResolveLabel(Vdbe *v, int x){\n Parse *p = v->pParse;\n int j = ADDR(x);\n assert( v->magic==VDBE_MAGIC_INIT );\n assert( j<-p->nLabel );\n assert( j>=0 );\n#ifdef SQLITE_DEBUG\n if( p->db->flags & SQLITE_VdbeAddopTrace ){\n printf(\"RESOLVE LABEL %d to %d\\n\", x, v->nOp);\n }\n#endif\n if( p->nLabelAlloc + p->nLabel < 0 ){\n resizeResolveLabel(p,v,j);\n }else{\n assert( p->aLabel[j]==(-1) ); /* Labels may only be resolved once */\n p->aLabel[j] = v->nOp;\n }\n}", "project": "sqlite", "hash": 243609484412957364599724442968388490287, "size": 18, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error 
occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378610 }, { "func": "static void codeDistinct(\n Parse *pParse, /* Parsing and code generating context */\n int iTab, /* A sorting index used to test for distinctness */\n int addrRepeat, /* Jump to here if not distinct */\n int N, /* Number of elements */\n int iMem /* First element */\n){\n Vdbe *v;\n int r1;\n\n v = pParse->pVdbe;\n r1 = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp4Int(v, OP_Found, iTab, addrRepeat, iMem, N); VdbeCoverage(v);\n sqlite3VdbeAddOp3(v, OP_MakeRecord, iMem, N, r1);\n sqlite3VdbeAddOp4Int(v, OP_IdxInsert, iTab, r1, iMem, N);\n sqlite3VdbeChangeP5(v, OPFLAG_USESEEKRESULT);\n sqlite3ReleaseTempReg(pParse, r1);\n}", "project": "sqlite", "hash": 49229972138808819856804831773573691662, "size": 18, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246170 }, { "func": "void sqlite3ExprCodeGeneratedColumn(\n Parse *pParse,\n Column *pCol,\n int regOut\n){\n int iAddr;\n Vdbe *v = pParse->pVdbe;\n assert( v!=0 );\n assert( pParse->iSelfTab!=0 );\n if( pParse->iSelfTab>0 ){\n iAddr = sqlite3VdbeAddOp3(v, OP_IfNullRow, pParse->iSelfTab-1, 0, regOut);\n }else{\n iAddr = 0;\n }\n sqlite3ExprCode(pParse, pCol->pDflt, regOut);\n if( pCol->affinity>=SQLITE_AFF_TEXT ){\n sqlite3VdbeAddOp4(v, OP_Affinity, regOut, 1, 0, &pCol->affinity, 1);\n }\n if( iAddr ) sqlite3VdbeJumpHere(v, 
iAddr);\n}", "project": "sqlite", "hash": 325702096545630190540489348417755011394, "size": 20, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378501 }, { "func": "void sqlite3VdbeEnter(Vdbe *p){\n int i;\n sqlite3 *db;\n Db *aDb;\n int nDb;\n if( DbMaskAllZero(p->lockMask) ) return; /* The common case */\n db = p->db;\n aDb = db->aDb;\n nDb = db->nDb;\n for(i=0; ilockMask,i) && ALWAYS(aDb[i].pBt!=0) ){\n sqlite3BtreeEnter(aDb[i].pBt);\n }\n }\n}", "project": "sqlite", "hash": 3910018341482919803999521991061237292, "size": 15, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378552 }, { "func": "static void generateWithRecursiveQuery(\n Parse *pParse, /* Parsing context */\n Select *p, /* The recursive SELECT to be coded */\n SelectDest *pDest /* What to do with query results */\n){\n SrcList *pSrc = p->pSrc; /* The FROM clause of the recursive query */\n int nCol = p->pEList->nExpr; /* Number of columns in the recursive table */\n Vdbe *v = pParse->pVdbe; /* The prepared statement under construction */\n Select *pSetup = p->pPrior; /* The setup query */\n int addrTop; /* Top of the loop */\n int addrCont, addrBreak; /* CONTINUE and BREAK addresses */\n int iCurrent = 0; /* The Current table */\n int regCurrent; /* Register holding Current table */\n int iQueue; /* The Queue table */\n int iDistinct = 0; /* To ensure unique results if UNION */\n int eDest = SRT_Fifo; /* How to write to Queue */\n SelectDest destQueue; /* SelectDest targetting the Queue table */\n int i; /* Loop counter */\n int rc; /* Result code */\n ExprList *pOrderBy; /* The ORDER BY clause */\n Expr *pLimit; /* Saved LIMIT and OFFSET */\n int regLimit, regOffset; /* Registers used by LIMIT and OFFSET */\n\n#ifndef SQLITE_OMIT_WINDOWFUNC\n if( p->pWin ){\n sqlite3ErrorMsg(pParse, \"cannot use window functions in recursive queries\");\n return;\n }\n#endif\n\n /* Obtain authorization to do a recursive query */\n if( sqlite3AuthCheck(pParse, SQLITE_RECURSIVE, 0, 0, 0) ) return;\n\n /* Process the LIMIT and OFFSET clauses, if they exist */\n addrBreak = sqlite3VdbeMakeLabel(pParse);\n p->nSelectRow = 320; /* 4 billion rows */\n computeLimitRegisters(pParse, p, addrBreak);\n pLimit = p->pLimit;\n regLimit = p->iLimit;\n regOffset = p->iOffset;\n p->pLimit = 0;\n p->iLimit = p->iOffset = 0;\n pOrderBy = p->pOrderBy;\n\n /* Locate the cursor number of the Current table */\n 
for(i=0; ALWAYS(inSrc); i++){\n if( pSrc->a[i].fg.isRecursive ){\n iCurrent = pSrc->a[i].iCursor;\n break;\n }\n }\n\n /* Allocate cursors numbers for Queue and Distinct. The cursor number for\n ** the Distinct table must be exactly one greater than Queue in order\n ** for the SRT_DistFifo and SRT_DistQueue destinations to work. */\n iQueue = pParse->nTab++;\n if( p->op==TK_UNION ){\n eDest = pOrderBy ? SRT_DistQueue : SRT_DistFifo;\n iDistinct = pParse->nTab++;\n }else{\n eDest = pOrderBy ? SRT_Queue : SRT_Fifo;\n }\n sqlite3SelectDestInit(&destQueue, eDest, iQueue);\n\n /* Allocate cursors for Current, Queue, and Distinct. */\n regCurrent = ++pParse->nMem;\n sqlite3VdbeAddOp3(v, OP_OpenPseudo, iCurrent, regCurrent, nCol);\n if( pOrderBy ){\n KeyInfo *pKeyInfo = multiSelectOrderByKeyInfo(pParse, p, 1);\n sqlite3VdbeAddOp4(v, OP_OpenEphemeral, iQueue, pOrderBy->nExpr+2, 0,\n (char*)pKeyInfo, P4_KEYINFO);\n destQueue.pOrderBy = pOrderBy;\n }else{\n sqlite3VdbeAddOp2(v, OP_OpenEphemeral, iQueue, nCol);\n }\n VdbeComment((v, \"Queue table\"));\n if( iDistinct ){\n p->addrOpenEphm[0] = sqlite3VdbeAddOp2(v, OP_OpenEphemeral, iDistinct, 0);\n p->selFlags |= SF_UsesEphemeral;\n }\n\n /* Detach the ORDER BY clause from the compound SELECT */\n p->pOrderBy = 0;\n\n /* Store the results of the setup-query in Queue. 
*/\n pSetup->pNext = 0;\n ExplainQueryPlan((pParse, 1, \"SETUP\"));\n rc = sqlite3Select(pParse, pSetup, &destQueue);\n pSetup->pNext = p;\n if( rc ) goto end_of_recursive_query;\n\n /* Find the next row in the Queue and output that row */\n addrTop = sqlite3VdbeAddOp2(v, OP_Rewind, iQueue, addrBreak); VdbeCoverage(v);\n\n /* Transfer the next row in Queue over to Current */\n sqlite3VdbeAddOp1(v, OP_NullRow, iCurrent); /* To reset column cache */\n if( pOrderBy ){\n sqlite3VdbeAddOp3(v, OP_Column, iQueue, pOrderBy->nExpr+1, regCurrent);\n }else{\n sqlite3VdbeAddOp2(v, OP_RowData, iQueue, regCurrent);\n }\n sqlite3VdbeAddOp1(v, OP_Delete, iQueue);\n\n /* Output the single row in Current */\n addrCont = sqlite3VdbeMakeLabel(pParse);\n codeOffset(v, regOffset, addrCont);\n selectInnerLoop(pParse, p, iCurrent,\n 0, 0, pDest, addrCont, addrBreak);\n if( regLimit ){\n sqlite3VdbeAddOp2(v, OP_DecrJumpZero, regLimit, addrBreak);\n VdbeCoverage(v);\n }\n sqlite3VdbeResolveLabel(v, addrCont);\n\n /* Execute the recursive SELECT taking the single row in Current as\n ** the value for the recursive-table. 
Store the results in the Queue.\n */\n if( p->selFlags & SF_Aggregate ){\n sqlite3ErrorMsg(pParse, \"recursive aggregate queries not supported\");\n }else{\n p->pPrior = 0;\n ExplainQueryPlan((pParse, 1, \"RECURSIVE STEP\"));\n sqlite3Select(pParse, p, &destQueue);\n assert( p->pPrior==0 );\n p->pPrior = pSetup;\n }\n\n /* Keep running the loop until the Queue is empty */\n sqlite3VdbeGoto(v, addrTop);\n sqlite3VdbeResolveLabel(v, addrBreak);\n\nend_of_recursive_query:\n sqlite3ExprListDelete(pParse->db, p->pOrderBy);\n p->pOrderBy = pOrderBy;\n p->pLimit = pLimit;\n return;\n}", "project": "sqlite", "hash": 218890749155864288673860499110508464101, "size": 137, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246174 }, { "func": "void sqlite3VdbeSetNumCols(Vdbe *p, int nResColumn){\n int n;\n sqlite3 *db = p->db;\n\n if( p->nResColumn ){\n releaseMemArray(p->aColName, p->nResColumn*COLNAME_N);\n sqlite3DbFree(db, p->aColName);\n }\n n = nResColumn*COLNAME_N;\n p->nResColumn = (u16)nResColumn;\n p->aColName = (Mem*)sqlite3DbMallocRawNN(db, sizeof(Mem)*n );\n if( p->aColName==0 ) return;\n initMemArray(p->aColName, n, db, MEM_Null);\n}", "project": "sqlite", "hash": 125083954192506573799380340337089561703, "size": 14, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378628 }, { "func": "static SQLITE_NOINLINE int growOp3(Vdbe *p, int op, int p1, int p2, int p3){\n assert( p->nOpAlloc<=p->nOp );\n if( growOpArray(p, 1) ) return 1;\n assert( p->nOpAlloc>p->nOp );\n return sqlite3VdbeAddOp3(p, op, p1, p2, p3);\n}", "project": "sqlite", "hash": 189630272082387577980177206398546857506, "size": 6, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378516 }, { "func": "static int sqliteProcessJoin(Parse *pParse, Select *p){\n SrcList *pSrc; /* All tables in the FROM clause */\n int i, j; /* Loop counters */\n struct SrcList_item *pLeft; /* Left table being joined */\n struct SrcList_item *pRight; /* Right table being joined */\n\n pSrc = p->pSrc;\n pLeft = &pSrc->a[0];\n pRight = &pLeft[1];\n for(i=0; inSrc-1; i++, pRight++, pLeft++){\n Table *pRightTab = pRight->pTab;\n int isOuter;\n\n if( NEVER(pLeft->pTab==0 || pRightTab==0) ) continue;\n isOuter = (pRight->fg.jointype & JT_OUTER)!=0;\n\n /* When the NATURAL keyword is present, add WHERE clause terms for\n ** every column that the two tables have in common.\n */\n if( pRight->fg.jointype & JT_NATURAL ){\n if( pRight->pOn || pRight->pUsing ){\n sqlite3ErrorMsg(pParse, \"a NATURAL join may not have \"\n \"an ON or USING clause\", 0);\n return 1;\n }\n for(j=0; jnCol; j++){\n char *zName; /* Name of column 
in the right table */\n int iLeft; /* Matching left table */\n int iLeftCol; /* Matching column in the left table */\n\n if( IsHiddenColumn(&pRightTab->aCol[j]) ) continue;\n zName = pRightTab->aCol[j].zName;\n if( tableAndColumnIndex(pSrc, i+1, zName, &iLeft, &iLeftCol, 1) ){\n addWhereTerm(pParse, pSrc, iLeft, iLeftCol, i+1, j,\n isOuter, &p->pWhere);\n }\n }\n }\n\n /* Disallow both ON and USING clauses in the same join\n */\n if( pRight->pOn && pRight->pUsing ){\n sqlite3ErrorMsg(pParse, \"cannot have both ON and USING \"\n \"clauses in the same join\");\n return 1;\n }\n\n /* Add the ON clause to the end of the WHERE clause, connected by\n ** an AND operator.\n */\n if( pRight->pOn ){\n if( isOuter ) sqlite3SetJoinExpr(pRight->pOn, pRight->iCursor);\n p->pWhere = sqlite3ExprAnd(pParse, p->pWhere, pRight->pOn);\n pRight->pOn = 0;\n }\n\n /* Create extra terms on the WHERE clause for each column named\n ** in the USING clause. Example: If the two tables to be joined are \n ** A and B and the USING clause names X, Y, and Z, then add this\n ** to the WHERE clause: A.X=B.X AND A.Y=B.Y AND A.Z=B.Z\n ** Report an error if any column mentioned in the USING clause is\n ** not contained in both tables to be joined.\n */\n if( pRight->pUsing ){\n IdList *pList = pRight->pUsing;\n for(j=0; jnId; j++){\n char *zName; /* Name of the term in the USING clause */\n int iLeft; /* Table on the left with matching column name */\n int iLeftCol; /* Column number of matching column on the left */\n int iRightCol; /* Column number of matching column on the right */\n\n zName = pList->a[j].zName;\n iRightCol = columnIndex(pRightTab, zName);\n if( iRightCol<0\n || !tableAndColumnIndex(pSrc, i+1, zName, &iLeft, &iLeftCol, 0)\n ){\n sqlite3ErrorMsg(pParse, \"cannot join using column %s - column \"\n \"not present in both tables\", zName);\n return 1;\n }\n addWhereTerm(pParse, pSrc, iLeft, iLeftCol, i+1, iRightCol,\n isOuter, &p->pWhere);\n }\n }\n }\n return 0;\n}", "project": "sqlite", 
"hash": 115439296974585253548178108668927664921, "size": 87, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246134 }, { "func": "static int sqliteProcessJoin(Parse *pParse, Select *p){\n SrcList *pSrc; /* All tables in the FROM clause */\n int i, j; /* Loop counters */\n struct SrcList_item *pLeft; /* Left table being joined */\n struct SrcList_item *pRight; /* Right table being joined */\n\n pSrc = p->pSrc;\n pLeft = &pSrc->a[0];\n pRight = &pLeft[1];\n for(i=0; inSrc-1; i++, pRight++, pLeft++){\n Table *pRightTab = pRight->pTab;\n int isOuter;\n\n if( NEVER(pLeft->pTab==0 || pRightTab==0) ) continue;\n isOuter = (pRight->fg.jointype & JT_OUTER)!=0;\n\n /* When the NATURAL keyword is present, add WHERE clause terms for\n ** every column that the two tables have in common.\n */\n if( pRight->fg.jointype & JT_NATURAL ){\n if( pRight->pOn || pRight->pUsing ){\n sqlite3ErrorMsg(pParse, \"a NATURAL join may not have \"\n \"an ON or USING clause\", 0);\n return 1;\n }\n for(j=0; jnCol; j++){\n char *zName; /* Name of column in the right table */\n int iLeft; /* Matching left table */\n int iLeftCol; /* Matching column in the left table */\n\n zName = pRightTab->aCol[j].zName;\n if( tableAndColumnIndex(pSrc, i+1, zName, &iLeft, &iLeftCol) ){\n addWhereTerm(pParse, pSrc, iLeft, iLeftCol, i+1, j,\n isOuter, &p->pWhere);\n }\n }\n }\n\n /* Disallow both ON and USING clauses in the same join\n */\n if( pRight->pOn && pRight->pUsing ){\n sqlite3ErrorMsg(pParse, \"cannot have both ON and USING \"\n \"clauses in the same join\");\n return 1;\n }\n\n /* Add the ON clause to the end of the WHERE clause, connected by\n ** an AND operator.\n */\n if( pRight->pOn ){\n if( isOuter ) sqlite3SetJoinExpr(pRight->pOn, pRight->iCursor);\n p->pWhere = sqlite3ExprAnd(pParse, 
p->pWhere, pRight->pOn);\n pRight->pOn = 0;\n }\n\n /* Create extra terms on the WHERE clause for each column named\n ** in the USING clause. Example: If the two tables to be joined are \n ** A and B and the USING clause names X, Y, and Z, then add this\n ** to the WHERE clause: A.X=B.X AND A.Y=B.Y AND A.Z=B.Z\n ** Report an error if any column mentioned in the USING clause is\n ** not contained in both tables to be joined.\n */\n if( pRight->pUsing ){\n IdList *pList = pRight->pUsing;\n for(j=0; jnId; j++){\n char *zName; /* Name of the term in the USING clause */\n int iLeft; /* Table on the left with matching column name */\n int iLeftCol; /* Column number of matching column on the left */\n int iRightCol; /* Column number of matching column on the right */\n\n zName = pList->a[j].zName;\n iRightCol = columnIndex(pRightTab, zName);\n if( iRightCol<0\n || !tableAndColumnIndex(pSrc, i+1, zName, &iLeft, &iLeftCol)\n ){\n sqlite3ErrorMsg(pParse, \"cannot join using column %s - column \"\n \"not present in both tables\", zName);\n return 1;\n }\n addWhereTerm(pParse, pSrc, iLeft, iLeftCol, i+1, iRightCol,\n isOuter, &p->pWhere);\n }\n }\n }\n return 0;\n}", "project": "sqlite", "hash": 218570639161826107366497832993038264428, "size": 86, "commit_id": "a6c1a71cde082e09750465d5675699062922e387", "message": "Do not attempt to unwind the WITH stack in the Parse object following an error. 
This fixes a separate case to [de6e6d68].\n\nFossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92", "target": 0, "dataset": "other", "idx": 356314 }, { "func": "void sqlite3WindowChain(Parse *pParse, Window *pWin, Window *pList){\n if( pWin->zBase ){\n sqlite3 *db = pParse->db;\n Window *pExist = windowFind(pParse, pList, pWin->zBase);\n if( pExist ){\n const char *zErr = 0;\n /* Check for errors */\n if( pWin->pPartition ){\n zErr = \"PARTITION clause\";\n }else if( pExist->pOrderBy && pWin->pOrderBy ){\n zErr = \"ORDER BY clause\";\n }else if( pExist->bImplicitFrame==0 ){\n zErr = \"frame specification\";\n }\n if( zErr ){\n sqlite3ErrorMsg(pParse, \n \"cannot override %s of window: %s\", zErr, pWin->zBase\n );\n }else{\n pWin->pPartition = sqlite3ExprListDup(db, pExist->pPartition, 0);\n if( pExist->pOrderBy ){\n assert( pWin->pOrderBy==0 );\n pWin->pOrderBy = sqlite3ExprListDup(db, pExist->pOrderBy, 0);\n }\n sqlite3DbFree(db, pWin->zBase);\n pWin->zBase = 0;\n }\n }\n }\n}", "project": "sqlite", "hash": 301311778442121776853248602119116560949, "size": 30, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378506 }, { "func": "void sqlite3WithPush(Parse *pParse, With *pWith, u8 bFree){\n assert( bFree==0 || (pParse->pWith==0 && pParse->pWithToFree==0) );\n if( pWith ){\n assert( pParse->pWith!=pWith );\n pWith->pOuter = pParse->pWith;\n pParse->pWith = pWith;\n if( bFree ) pParse->pWithToFree = pWith;\n }\n}", "project": "sqlite", "hash": 4073924225362223321111023038751282182, "size": 9, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246182 }, { "func": "static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){\n Vdbe *v = pParse->pVdbe;\n int i;\n struct AggInfo_func *pFunc;\n int nReg = pAggInfo->nFunc + pAggInfo->nColumn;\n if( nReg==0 ) return;\n#ifdef SQLITE_DEBUG\n /* Verify that all AggInfo registers are within the range specified by\n ** AggInfo.mnReg..AggInfo.mxReg */\n assert( nReg==pAggInfo->mxReg-pAggInfo->mnReg+1 );\n for(i=0; inColumn; i++){\n assert( pAggInfo->aCol[i].iMem>=pAggInfo->mnReg\n && pAggInfo->aCol[i].iMem<=pAggInfo->mxReg );\n }\n for(i=0; inFunc; i++){\n assert( pAggInfo->aFunc[i].iMem>=pAggInfo->mnReg\n && pAggInfo->aFunc[i].iMem<=pAggInfo->mxReg );\n }\n#endif\n sqlite3VdbeAddOp3(v, OP_Null, 0, pAggInfo->mnReg, pAggInfo->mxReg);\n for(pFunc=pAggInfo->aFunc, i=0; inFunc; i++, pFunc++){\n if( pFunc->iDistinct>=0 ){\n Expr *pE = pFunc->pExpr;\n assert( !ExprHasProperty(pE, EP_xIsSelect) );\n if( pE->x.pList==0 || pE->x.pList->nExpr!=1 ){\n sqlite3ErrorMsg(pParse, \"DISTINCT aggregates must have exactly one \"\n \"argument\");\n pFunc->iDistinct = -1;\n }else{\n KeyInfo *pKeyInfo = sqlite3KeyInfoFromExprList(pParse, 
pE->x.pList,0,0);\n sqlite3VdbeAddOp4(v, OP_OpenEphemeral, pFunc->iDistinct, 0, 0,\n (char*)pKeyInfo, P4_KEYINFO);\n }\n }\n }\n}", "project": "sqlite", "hash": 98893565247303411440264251766461869800, "size": 36, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246164 }, { "func": "int sqlite3ColumnsFromExprList(\n Parse *pParse, /* Parsing context */\n ExprList *pEList, /* Expr list from which to derive column names */\n i16 *pnCol, /* Write the number of columns here */\n Column **paCol /* Write the new column list here */\n){\n sqlite3 *db = pParse->db; /* Database connection */\n int i, j; /* Loop counters */\n u32 cnt; /* Index added to make the name unique */\n Column *aCol, *pCol; /* For looping over result columns */\n int nCol; /* Number of columns in the result set */\n char *zName; /* Column name */\n int nName; /* Size of name in zName[] */\n Hash ht; /* Hash table of column names */\n\n sqlite3HashInit(&ht);\n if( pEList ){\n nCol = pEList->nExpr;\n aCol = sqlite3DbMallocZero(db, sizeof(aCol[0])*nCol);\n testcase( aCol==0 );\n if( nCol>32767 ) nCol = 32767;\n }else{\n nCol = 0;\n aCol = 0;\n }\n assert( nCol==(i16)nCol );\n *pnCol = nCol;\n *paCol = aCol;\n\n for(i=0, pCol=aCol; imallocFailed; i++, pCol++){\n /* Get an appropriate name for the column\n */\n if( (zName = pEList->a[i].zEName)!=0 && pEList->a[i].eEName==ENAME_NAME ){\n /* If the column contains an \"AS \" phrase, use as the name */\n }else{\n Expr *pColExpr = sqlite3ExprSkipCollateAndLikely(pEList->a[i].pExpr);\n while( pColExpr->op==TK_DOT ){\n pColExpr = pColExpr->pRight;\n assert( pColExpr!=0 );\n }\n if( pColExpr->op==TK_COLUMN ){\n /* For columns use the column name name */\n int iCol = pColExpr->iColumn;\n Table *pTab = pColExpr->y.pTab;\n assert( pTab!=0 );\n if( iCol<0 ) 
iCol = pTab->iPKey;\n zName = iCol>=0 ? pTab->aCol[iCol].zName : \"rowid\";\n }else if( pColExpr->op==TK_ID ){\n assert( !ExprHasProperty(pColExpr, EP_IntValue) );\n zName = pColExpr->u.zToken;\n }else{\n /* Use the original text of the column expression as its name */\n zName = pEList->a[i].zEName;\n }\n }\n if( zName && !sqlite3IsTrueOrFalse(zName) ){\n zName = sqlite3DbStrDup(db, zName);\n }else{\n zName = sqlite3MPrintf(db,\"column%d\",i+1);\n }\n\n /* Make sure the column name is unique. If the name is not unique,\n ** append an integer to the name so that it becomes unique.\n */\n cnt = 0;\n while( zName && sqlite3HashFind(&ht, zName)!=0 ){\n nName = sqlite3Strlen30(zName);\n if( nName>0 ){\n for(j=nName-1; j>0 && sqlite3Isdigit(zName[j]); j--){}\n if( zName[j]==':' ) nName = j;\n }\n zName = sqlite3MPrintf(db, \"%.*z:%u\", nName, zName, ++cnt);\n if( cnt>3 ) sqlite3_randomness(sizeof(cnt), &cnt);\n }\n pCol->zName = zName;\n sqlite3ColumnPropertiesFromName(0, pCol);\n if( zName && sqlite3HashInsert(&ht, zName, pCol)==pCol ){\n sqlite3OomFault(db);\n }\n }\n sqlite3HashClear(&ht);\n if( db->mallocFailed ){\n for(j=0; jdb; /* Database connection */\n int i, j; /* Loop counters */\n u32 cnt; /* Index added to make the name unique */\n Column *aCol, *pCol; /* For looping over result columns */\n int nCol; /* Number of columns in the result set */\n char *zName; /* Column name */\n int nName; /* Size of name in zName[] */\n Hash ht; /* Hash table of column names */\n\n sqlite3HashInit(&ht);\n if( pEList ){\n nCol = pEList->nExpr;\n aCol = sqlite3DbMallocZero(db, sizeof(aCol[0])*nCol);\n testcase( aCol==0 );\n if( nCol>32767 ) nCol = 32767;\n }else{\n nCol = 0;\n aCol = 0;\n }\n assert( nCol==(i16)nCol );\n *pnCol = nCol;\n *paCol = aCol;\n\n for(i=0, pCol=aCol; imallocFailed; i++, pCol++){\n /* Get an appropriate name for the column\n */\n if( (zName = pEList->a[i].zName)!=0 ){\n /* If the column contains an \"AS \" phrase, use as the name */\n }else{\n Expr 
*pColExpr = sqlite3ExprSkipCollateAndLikely(pEList->a[i].pExpr);\n while( pColExpr->op==TK_DOT ){\n pColExpr = pColExpr->pRight;\n assert( pColExpr!=0 );\n }\n if( pColExpr->op==TK_COLUMN ){\n /* For columns use the column name name */\n int iCol = pColExpr->iColumn;\n Table *pTab = pColExpr->y.pTab;\n assert( pTab!=0 );\n if( iCol<0 ) iCol = pTab->iPKey;\n zName = iCol>=0 ? pTab->aCol[iCol].zName : \"rowid\";\n }else if( pColExpr->op==TK_ID ){\n assert( !ExprHasProperty(pColExpr, EP_IntValue) );\n zName = pColExpr->u.zToken;\n }else{\n /* Use the original text of the column expression as its name */\n zName = pEList->a[i].zSpan;\n }\n }\n if( zName ){\n zName = sqlite3DbStrDup(db, zName);\n }else{\n zName = sqlite3MPrintf(db,\"column%d\",i+1);\n }\n\n /* Make sure the column name is unique. If the name is not unique,\n ** append an integer to the name so that it becomes unique.\n */\n cnt = 0;\n while( zName && sqlite3HashFind(&ht, zName)!=0 ){\n nName = sqlite3Strlen30(zName);\n if( nName>0 ){\n for(j=nName-1; j>0 && sqlite3Isdigit(zName[j]); j--){}\n if( zName[j]==':' ) nName = j;\n }\n zName = sqlite3MPrintf(db, \"%.*z:%u\", nName, zName, ++cnt);\n if( cnt>3 ) sqlite3_randomness(sizeof(cnt), &cnt);\n }\n pCol->zName = zName;\n sqlite3ColumnPropertiesFromName(0, pCol);\n if( zName && sqlite3HashInsert(&ht, zName, pCol)==pCol ){\n sqlite3OomFault(db);\n }\n }\n sqlite3HashClear(&ht);\n if( db->mallocFailed ){\n for(j=0; jnExpr;\n KeyInfo *pKeyInfo = sqlite3KeyInfoFromExprList(pParse, pOrderBy, 0, 0);\n sqlite3VdbeAddOp3(v, OP_Compare, regOld, regNew, nVal);\n sqlite3VdbeAppendP4(v, (void*)pKeyInfo, P4_KEYINFO);\n sqlite3VdbeAddOp3(v, OP_Jump, \n sqlite3VdbeCurrentAddr(v)+1, addr, sqlite3VdbeCurrentAddr(v)+1\n );\n VdbeCoverageEqNe(v);\n sqlite3VdbeAddOp3(v, OP_Copy, regNew, regOld, nVal-1);\n }else{\n sqlite3VdbeAddOp2(v, OP_Goto, 0, addr);\n }\n}", "project": "sqlite", "hash": 155633484751677917925781823177474995815, "size": 22, "commit_id": 
"8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378647 }, { "func": "int sqlite3VdbeExplainParent(Parse *pParse){\n VdbeOp *pOp;\n if( pParse->addrExplain==0 ) return 0;\n pOp = sqlite3VdbeGetOp(pParse->pVdbe, pParse->addrExplain);\n return pOp->p2;\n}", "project": "sqlite", "hash": 32204880793151537590707805434665166777, "size": 6, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378608 }, { "func": "static void windowAggFinal(WindowCodeArg *p, int bFin){\n Parse *pParse = p->pParse;\n Window *pMWin = p->pMWin;\n Vdbe *v = sqlite3GetVdbe(pParse);\n Window *pWin;\n\n for(pWin=pMWin; pWin; pWin=pWin->pNextWin){\n if( pMWin->regStartRowid==0\n && (pWin->pFunc->funcFlags & SQLITE_FUNC_MINMAX) \n && (pWin->eStart!=TK_UNBOUNDED)\n ){\n sqlite3VdbeAddOp2(v, OP_Null, 0, pWin->regResult);\n sqlite3VdbeAddOp1(v, OP_Last, pWin->csrApp);\n VdbeCoverage(v);\n sqlite3VdbeAddOp3(v, OP_Column, pWin->csrApp, 0, pWin->regResult);\n sqlite3VdbeJumpHere(v, sqlite3VdbeCurrentAddr(v)-2);\n }else if( pWin->regApp ){\n assert( pMWin->regStartRowid==0 );\n }else{\n int nArg = windowArgCount(pWin);\n if( bFin ){\n sqlite3VdbeAddOp2(v, OP_AggFinal, pWin->regAccum, nArg);\n sqlite3VdbeAppendP4(v, pWin->pFunc, P4_FUNCDEF);\n sqlite3VdbeAddOp2(v, OP_Copy, pWin->regAccum, pWin->regResult);\n sqlite3VdbeAddOp2(v, OP_Null, 0, pWin->regAccum);\n }else{\n sqlite3VdbeAddOp3(v, OP_AggValue,pWin->regAccum,nArg,pWin->regResult);\n sqlite3VdbeAppendP4(v, pWin->pFunc, P4_FUNCDEF);\n }\n }\n }\n}", "project": "sqlite", "hash": 257717084778310134634365796607819579361, "size": 32, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378652 }, { "func": "int sqlite3WindowRewrite(Parse *pParse, Select *p){\n int rc = SQLITE_OK;\n if( p->pWin && p->pPrior==0 && (p->selFlags & SF_WinRewrite)==0 ){\n Vdbe *v = sqlite3GetVdbe(pParse);\n sqlite3 *db = pParse->db;\n Select *pSub = 0; /* The subquery */\n SrcList *pSrc = p->pSrc;\n Expr *pWhere = p->pWhere;\n ExprList *pGroupBy = p->pGroupBy;\n Expr *pHaving = p->pHaving;\n ExprList *pSort = 0;\n\n ExprList *pSublist = 0; /* Expression list for sub-query */\n Window *pMWin = p->pWin; /* Master window object */\n Window *pWin; /* Window object iterator */\n Table *pTab;\n\n pTab = sqlite3DbMallocZero(db, sizeof(Table));\n if( pTab==0 ){\n return SQLITE_NOMEM;\n }\n\n p->pSrc = 0;\n p->pWhere = 0;\n p->pGroupBy = 0;\n p->pHaving = 0;\n p->selFlags &= ~SF_Aggregate;\n p->selFlags |= SF_WinRewrite;\n\n /* Create the ORDER BY clause for the sub-select. This is the concatenation\n ** of the window PARTITION and ORDER BY clauses. Then, if this makes it\n ** redundant, remove the ORDER BY from the parent SELECT. */\n pSort = sqlite3ExprListDup(db, pMWin->pPartition, 0);\n pSort = exprListAppendList(pParse, pSort, pMWin->pOrderBy, 1);\n if( pSort && p->pOrderBy && p->pOrderBy->nExpr<=pSort->nExpr ){\n int nSave = pSort->nExpr;\n pSort->nExpr = p->pOrderBy->nExpr;\n if( sqlite3ExprListCompare(pSort, p->pOrderBy, -1)==0 ){\n sqlite3ExprListDelete(db, p->pOrderBy);\n p->pOrderBy = 0;\n }\n pSort->nExpr = nSave;\n }\n\n /* Assign a cursor number for the ephemeral table used to buffer rows.\n ** The OpenEphemeral instruction is coded later, after it is known how\n ** many columns the table will have. 
*/\n pMWin->iEphCsr = pParse->nTab++;\n pParse->nTab += 3;\n\n selectWindowRewriteEList(pParse, pMWin, pSrc, p->pEList, pTab, &pSublist);\n selectWindowRewriteEList(pParse, pMWin, pSrc, p->pOrderBy, pTab, &pSublist);\n pMWin->nBufferCol = (pSublist ? pSublist->nExpr : 0);\n\n /* Append the PARTITION BY and ORDER BY expressions to the to the \n ** sub-select expression list. They are required to figure out where \n ** boundaries for partitions and sets of peer rows lie. */\n pSublist = exprListAppendList(pParse, pSublist, pMWin->pPartition, 0);\n pSublist = exprListAppendList(pParse, pSublist, pMWin->pOrderBy, 0);\n\n /* Append the arguments passed to each window function to the\n ** sub-select expression list. Also allocate two registers for each\n ** window function - one for the accumulator, another for interim\n ** results. */\n for(pWin=pMWin; pWin; pWin=pWin->pNextWin){\n ExprList *pArgs = pWin->pOwner->x.pList;\n if( pWin->pFunc->funcFlags & SQLITE_FUNC_SUBTYPE ){\n selectWindowRewriteEList(pParse, pMWin, pSrc, pArgs, pTab, &pSublist);\n pWin->iArgCol = (pSublist ? pSublist->nExpr : 0);\n pWin->bExprArgs = 1;\n }else{\n pWin->iArgCol = (pSublist ? pSublist->nExpr : 0);\n pSublist = exprListAppendList(pParse, pSublist, pArgs, 0);\n }\n if( pWin->pFilter ){\n Expr *pFilter = sqlite3ExprDup(db, pWin->pFilter, 0);\n pSublist = sqlite3ExprListAppend(pParse, pSublist, pFilter);\n }\n pWin->regAccum = ++pParse->nMem;\n pWin->regResult = ++pParse->nMem;\n sqlite3VdbeAddOp2(v, OP_Null, 0, pWin->regAccum);\n }\n\n /* If there is no ORDER BY or PARTITION BY clause, and the window\n ** function accepts zero arguments, and there are no other columns\n ** selected (e.g. \"SELECT row_number() OVER () FROM t1\"), it is possible\n ** that pSublist is still NULL here. Add a constant expression here to \n ** keep everything legal in this case. 
\n */\n if( pSublist==0 ){\n pSublist = sqlite3ExprListAppend(pParse, 0, \n sqlite3Expr(db, TK_INTEGER, \"0\")\n );\n }\n\n pSub = sqlite3SelectNew(\n pParse, pSublist, pSrc, pWhere, pGroupBy, pHaving, pSort, 0, 0\n );\n p->pSrc = sqlite3SrcListAppend(pParse, 0, 0, 0);\n if( p->pSrc ){\n Table *pTab2;\n p->pSrc->a[0].pSelect = pSub;\n sqlite3SrcListAssignCursors(pParse, p->pSrc);\n pSub->selFlags |= SF_Expanded;\n pTab2 = sqlite3ResultSetOfSelect(pParse, pSub, SQLITE_AFF_NONE);\n if( pTab2==0 ){\n rc = SQLITE_NOMEM;\n }else{\n memcpy(pTab, pTab2, sizeof(Table));\n pTab->tabFlags |= TF_Ephemeral;\n p->pSrc->a[0].pTab = pTab;\n pTab = pTab2;\n }\n sqlite3VdbeAddOp2(v, OP_OpenEphemeral, pMWin->iEphCsr, pSublist->nExpr);\n sqlite3VdbeAddOp2(v, OP_OpenDup, pMWin->iEphCsr+1, pMWin->iEphCsr);\n sqlite3VdbeAddOp2(v, OP_OpenDup, pMWin->iEphCsr+2, pMWin->iEphCsr);\n sqlite3VdbeAddOp2(v, OP_OpenDup, pMWin->iEphCsr+3, pMWin->iEphCsr);\n }else{\n sqlite3SelectDelete(db, pSub);\n }\n if( db->mallocFailed ) rc = SQLITE_NOMEM;\n sqlite3DbFree(db, pTab);\n }\n\n return rc;\n}", "project": "sqlite", "hash": 244312120903084545062595033064722321765, "size": 126, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 1, "dataset": "other", "idx": 206237 }, { "func": "int sqlite3WindowRewrite(Parse *pParse, Select *p){\n int rc = SQLITE_OK;\n if( p->pWin && p->pPrior==0 && (p->selFlags & SF_WinRewrite)==0 ){\n Vdbe *v = sqlite3GetVdbe(pParse);\n sqlite3 *db = pParse->db;\n Select *pSub = 0; /* The subquery */\n SrcList *pSrc = p->pSrc;\n Expr *pWhere = p->pWhere;\n ExprList *pGroupBy = p->pGroupBy;\n Expr *pHaving = p->pHaving;\n ExprList *pSort = 0;\n\n ExprList *pSublist = 0; /* Expression list for sub-query */\n Window *pMWin = p->pWin; /* Master window object */\n Window *pWin; /* Window object iterator */\n Table *pTab;\n\n pTab = sqlite3DbMallocZero(db, sizeof(Table));\n if( pTab==0 ){\n return sqlite3ErrorToParser(db, SQLITE_NOMEM);\n }\n\n p->pSrc = 0;\n p->pWhere = 0;\n p->pGroupBy = 0;\n p->pHaving = 0;\n p->selFlags &= ~SF_Aggregate;\n p->selFlags |= SF_WinRewrite;\n\n /* Create the ORDER BY clause for the sub-select. This is the concatenation\n ** of the window PARTITION and ORDER BY clauses. Then, if this makes it\n ** redundant, remove the ORDER BY from the parent SELECT. */\n pSort = sqlite3ExprListDup(db, pMWin->pPartition, 0);\n pSort = exprListAppendList(pParse, pSort, pMWin->pOrderBy, 1);\n if( pSort && p->pOrderBy && p->pOrderBy->nExpr<=pSort->nExpr ){\n int nSave = pSort->nExpr;\n pSort->nExpr = p->pOrderBy->nExpr;\n if( sqlite3ExprListCompare(pSort, p->pOrderBy, -1)==0 ){\n sqlite3ExprListDelete(db, p->pOrderBy);\n p->pOrderBy = 0;\n }\n pSort->nExpr = nSave;\n }\n\n /* Assign a cursor number for the ephemeral table used to buffer rows.\n ** The OpenEphemeral instruction is coded later, after it is known how\n ** many columns the table will have. 
*/\n pMWin->iEphCsr = pParse->nTab++;\n pParse->nTab += 3;\n\n selectWindowRewriteEList(pParse, pMWin, pSrc, p->pEList, pTab, &pSublist);\n selectWindowRewriteEList(pParse, pMWin, pSrc, p->pOrderBy, pTab, &pSublist);\n pMWin->nBufferCol = (pSublist ? pSublist->nExpr : 0);\n\n /* Append the PARTITION BY and ORDER BY expressions to the to the \n ** sub-select expression list. They are required to figure out where \n ** boundaries for partitions and sets of peer rows lie. */\n pSublist = exprListAppendList(pParse, pSublist, pMWin->pPartition, 0);\n pSublist = exprListAppendList(pParse, pSublist, pMWin->pOrderBy, 0);\n\n /* Append the arguments passed to each window function to the\n ** sub-select expression list. Also allocate two registers for each\n ** window function - one for the accumulator, another for interim\n ** results. */\n for(pWin=pMWin; pWin; pWin=pWin->pNextWin){\n ExprList *pArgs = pWin->pOwner->x.pList;\n if( pWin->pFunc->funcFlags & SQLITE_FUNC_SUBTYPE ){\n selectWindowRewriteEList(pParse, pMWin, pSrc, pArgs, pTab, &pSublist);\n pWin->iArgCol = (pSublist ? pSublist->nExpr : 0);\n pWin->bExprArgs = 1;\n }else{\n pWin->iArgCol = (pSublist ? pSublist->nExpr : 0);\n pSublist = exprListAppendList(pParse, pSublist, pArgs, 0);\n }\n if( pWin->pFilter ){\n Expr *pFilter = sqlite3ExprDup(db, pWin->pFilter, 0);\n pSublist = sqlite3ExprListAppend(pParse, pSublist, pFilter);\n }\n pWin->regAccum = ++pParse->nMem;\n pWin->regResult = ++pParse->nMem;\n sqlite3VdbeAddOp2(v, OP_Null, 0, pWin->regAccum);\n }\n\n /* If there is no ORDER BY or PARTITION BY clause, and the window\n ** function accepts zero arguments, and there are no other columns\n ** selected (e.g. \"SELECT row_number() OVER () FROM t1\"), it is possible\n ** that pSublist is still NULL here. Add a constant expression here to \n ** keep everything legal in this case. 
\n */\n if( pSublist==0 ){\n pSublist = sqlite3ExprListAppend(pParse, 0, \n sqlite3Expr(db, TK_INTEGER, \"0\")\n );\n }\n\n pSub = sqlite3SelectNew(\n pParse, pSublist, pSrc, pWhere, pGroupBy, pHaving, pSort, 0, 0\n );\n p->pSrc = sqlite3SrcListAppend(pParse, 0, 0, 0);\n if( p->pSrc ){\n Table *pTab2;\n p->pSrc->a[0].pSelect = pSub;\n sqlite3SrcListAssignCursors(pParse, p->pSrc);\n pSub->selFlags |= SF_Expanded;\n pTab2 = sqlite3ResultSetOfSelect(pParse, pSub, SQLITE_AFF_NONE);\n if( pTab2==0 ){\n rc = SQLITE_NOMEM;\n }else{\n memcpy(pTab, pTab2, sizeof(Table));\n pTab->tabFlags |= TF_Ephemeral;\n p->pSrc->a[0].pTab = pTab;\n pTab = pTab2;\n }\n sqlite3VdbeAddOp2(v, OP_OpenEphemeral, pMWin->iEphCsr, pSublist->nExpr);\n sqlite3VdbeAddOp2(v, OP_OpenDup, pMWin->iEphCsr+1, pMWin->iEphCsr);\n sqlite3VdbeAddOp2(v, OP_OpenDup, pMWin->iEphCsr+2, pMWin->iEphCsr);\n sqlite3VdbeAddOp2(v, OP_OpenDup, pMWin->iEphCsr+3, pMWin->iEphCsr);\n }else{\n sqlite3SelectDelete(db, pSub);\n }\n if( db->mallocFailed ) rc = SQLITE_NOMEM;\n sqlite3DbFree(db, pTab);\n }\n\n if( rc && pParse->nErr==0 ){\n assert( pParse->db->mallocFailed );\n return sqlite3ErrorToParser(pParse->db, SQLITE_NOMEM);\n }\n return rc;\n}", "project": "sqlite", "hash": 244558507838888566010387300747909731042, "size": 130, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378646 }, { "func": "void sqlite3VdbeDelete(Vdbe *p){\n sqlite3 *db;\n\n assert( p!=0 );\n db = p->db;\n assert( sqlite3_mutex_held(db->mutex) );\n sqlite3VdbeClearObject(db, p);\n if( p->pPrev ){\n p->pPrev->pNext = p->pNext;\n }else{\n assert( db->pVdbe==p );\n db->pVdbe = p->pNext;\n }\n if( p->pNext ){\n p->pNext->pPrev = p->pPrev;\n }\n p->magic = VDBE_MAGIC_DEAD;\n p->db = 0;\n sqlite3DbFreeNN(db, p);\n}", "project": "sqlite", "hash": 38174297928382740156871111049836440155, "size": 20, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378596 }, { "func": "static void unsetJoinExpr(Expr *p, int iTable){\n while( p ){\n if( ExprHasProperty(p, EP_FromJoin)\n && (iTable<0 || p->iRightJoinTable==iTable) ){\n ExprClearProperty(p, EP_FromJoin);\n }\n if( p->op==TK_FUNCTION && p->x.pList ){\n int i;\n for(i=0; ix.pList->nExpr; i++){\n unsetJoinExpr(p->x.pList->a[i].pExpr, iTable);\n }\n }\n unsetJoinExpr(p->pLeft, iTable);\n p = p->pRight;\n } \n}", "project": "sqlite", "hash": 136361480145557696031491854344359840371, "size": 16, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246183 }, { "func": "static void substExprList(\n SubstContext *pSubst, /* Description of the substitution */\n ExprList *pList /* List to scan and in which to make substitutes */\n){\n int i;\n if( pList==0 ) return;\n for(i=0; inExpr; i++){\n pList->a[i].pExpr = substExpr(pSubst, pList->a[i].pExpr);\n }\n}", "project": "sqlite", "hash": 336994003740389695036704266113103958439, "size": 10, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246150 }, { "func": "int sqlite3VdbeFrameRestore(VdbeFrame *pFrame){\n Vdbe *v = pFrame->v;\n closeCursorsInFrame(v);\n#ifdef SQLITE_ENABLE_STMT_SCANSTATUS\n v->anExec = pFrame->anExec;\n#endif\n v->aOp = pFrame->aOp;\n v->nOp = pFrame->nOp;\n v->aMem = pFrame->aMem;\n v->nMem = pFrame->nMem;\n v->apCsr = pFrame->apCsr;\n v->nCursor = pFrame->nCursor;\n v->db->lastRowid = 
pFrame->lastRowid;\n v->nChange = pFrame->nChange;\n v->db->nChange = pFrame->nDbChange;\n sqlite3VdbeDeleteAuxData(v->db, &v->pAuxData, -1, 0);\n v->pAuxData = pFrame->pAuxData;\n pFrame->pAuxData = 0;\n return pFrame->pc;\n}", "project": "sqlite", "hash": 322929587782755755219081934151739016159, "size": 20, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378640 }, { "func": "static int pushDownWhereTerms(\n Parse *pParse, /* Parse context (for malloc() and error reporting) */\n Select *pSubq, /* The subquery whose WHERE clause is to be augmented */\n Expr *pWhere, /* The WHERE clause of the outer query */\n int iCursor, /* Cursor number of the subquery */\n int isLeftJoin /* True if pSubq is the right term of a LEFT JOIN */\n){\n Expr *pNew;\n int nChng = 0;\n if( pWhere==0 ) return 0;\n if( pSubq->selFlags & SF_Recursive ) return 0; /* restriction (2) */\n\n#ifndef SQLITE_OMIT_WINDOWFUNC\n if( pSubq->pWin ) return 0; /* restriction (6) */\n#endif\n\n#ifdef SQLITE_DEBUG\n /* Only the first term of a compound can have a WITH clause. 
But make\n ** sure no other terms are marked SF_Recursive in case something changes\n ** in the future.\n */\n {\n Select *pX; \n for(pX=pSubq; pX; pX=pX->pPrior){\n assert( (pX->selFlags & (SF_Recursive))==0 );\n }\n }\n#endif\n\n if( pSubq->pLimit!=0 ){\n return 0; /* restriction (3) */\n }\n while( pWhere->op==TK_AND ){\n nChng += pushDownWhereTerms(pParse, pSubq, pWhere->pRight,\n iCursor, isLeftJoin);\n pWhere = pWhere->pLeft;\n }\n if( isLeftJoin\n && (ExprHasProperty(pWhere,EP_FromJoin)==0\n || pWhere->iRightJoinTable!=iCursor)\n ){\n return 0; /* restriction (4) */\n }\n if( ExprHasProperty(pWhere,EP_FromJoin) && pWhere->iRightJoinTable!=iCursor ){\n return 0; /* restriction (5) */\n }\n if( sqlite3ExprIsTableConstant(pWhere, iCursor) ){\n nChng++;\n while( pSubq ){\n SubstContext x;\n pNew = sqlite3ExprDup(pParse->db, pWhere, 0);\n unsetJoinExpr(pNew, -1);\n x.pParse = pParse;\n x.iTable = iCursor;\n x.iNewTable = iCursor;\n x.isLeftJoin = 0;\n x.pEList = pSubq->pEList;\n pNew = substExpr(&x, pNew);\n if( pSubq->selFlags & SF_Aggregate ){\n pSubq->pHaving = sqlite3ExprAnd(pParse, pSubq->pHaving, pNew);\n }else{\n pSubq->pWhere = sqlite3ExprAnd(pParse, pSubq->pWhere, pNew);\n }\n pSubq = pSubq->pPrior;\n }\n }\n return nChng;\n}", "project": "sqlite", "hash": 12304438323537221941574437203014183263, "size": 68, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246176 }, { "func": "void sqlite3VdbeNoopComment(Vdbe *p, const char *zFormat, ...){\n va_list ap;\n if( p ){\n sqlite3VdbeAddOp0(p, OP_Noop);\n va_start(ap, zFormat);\n vdbeVComment(p, zFormat, ap);\n va_end(ap);\n }\n}", "project": "sqlite", "hash": 103756549210082119491231596755493037112, "size": 9, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs 
while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378561 }, { "func": "static int vdbeCommit(sqlite3 *db, Vdbe *p){\n int i;\n int nTrans = 0; /* Number of databases with an active write-transaction\n ** that are candidates for a two-phase commit using a\n ** master-journal */\n int rc = SQLITE_OK;\n int needXcommit = 0;\n\n#ifdef SQLITE_OMIT_VIRTUALTABLE\n /* With this option, sqlite3VtabSync() is defined to be simply \n ** SQLITE_OK so p is not used. \n */\n UNUSED_PARAMETER(p);\n#endif\n\n /* Before doing anything else, call the xSync() callback for any\n ** virtual module tables written in this transaction. This has to\n ** be done before determining whether a master journal file is \n ** required, as an xSync() callback may add an attached database\n ** to the transaction.\n */\n rc = sqlite3VtabSync(db, p);\n\n /* This loop determines (a) if the commit hook should be invoked and\n ** (b) how many database files have open write transactions, not \n ** including the temp database. (b) is important because if more than \n ** one database file has an open write transaction, a master journal\n ** file is required for an atomic commit.\n */ \n for(i=0; rc==SQLITE_OK && inDb; i++){ \n Btree *pBt = db->aDb[i].pBt;\n if( sqlite3BtreeIsInTrans(pBt) ){\n /* Whether or not a database might need a master journal depends upon\n ** its journal mode (among other things). 
This matrix determines which\n ** journal modes use a master journal and which do not */\n static const u8 aMJNeeded[] = {\n /* DELETE */ 1,\n /* PERSIST */ 1,\n /* OFF */ 0,\n /* TRUNCATE */ 1,\n /* MEMORY */ 0,\n /* WAL */ 0\n };\n Pager *pPager; /* Pager associated with pBt */\n needXcommit = 1;\n sqlite3BtreeEnter(pBt);\n pPager = sqlite3BtreePager(pBt);\n if( db->aDb[i].safety_level!=PAGER_SYNCHRONOUS_OFF\n && aMJNeeded[sqlite3PagerGetJournalMode(pPager)]\n && sqlite3PagerIsMemdb(pPager)==0\n ){ \n assert( i!=1 );\n nTrans++;\n }\n rc = sqlite3PagerExclusiveLock(pPager);\n sqlite3BtreeLeave(pBt);\n }\n }\n if( rc!=SQLITE_OK ){\n return rc;\n }\n\n /* If there are any write-transactions at all, invoke the commit hook */\n if( needXcommit && db->xCommitCallback ){\n rc = db->xCommitCallback(db->pCommitArg);\n if( rc ){\n return SQLITE_CONSTRAINT_COMMITHOOK;\n }\n }\n\n /* The simple case - no more than one database file (not counting the\n ** TEMP database) has a transaction active. There is no need for the\n ** master-journal.\n **\n ** If the return value of sqlite3BtreeGetFilename() is a zero length\n ** string, it means the main database is :memory: or a temp file. In \n ** that case we do not support atomic multi-file commits, so use the \n ** simple case then too.\n */\n if( 0==sqlite3Strlen30(sqlite3BtreeGetFilename(db->aDb[0].pBt))\n || nTrans<=1\n ){\n for(i=0; rc==SQLITE_OK && inDb; i++){\n Btree *pBt = db->aDb[i].pBt;\n if( pBt ){\n rc = sqlite3BtreeCommitPhaseOne(pBt, 0);\n }\n }\n\n /* Do the commit only if all databases successfully complete phase 1. \n ** If one of the BtreeCommitPhaseOne() calls fails, this indicates an\n ** IO error while deleting or truncating a journal file. It is unlikely,\n ** but could happen. 
In this case abandon processing and return the error.\n */\n for(i=0; rc==SQLITE_OK && inDb; i++){\n Btree *pBt = db->aDb[i].pBt;\n if( pBt ){\n rc = sqlite3BtreeCommitPhaseTwo(pBt, 0);\n }\n }\n if( rc==SQLITE_OK ){\n sqlite3VtabCommit(db);\n }\n }\n\n /* The complex case - There is a multi-file write-transaction active.\n ** This requires a master journal file to ensure the transaction is\n ** committed atomically.\n */\n#ifndef SQLITE_OMIT_DISKIO\n else{\n sqlite3_vfs *pVfs = db->pVfs;\n char *zMaster = 0; /* File-name for the master journal */\n char const *zMainFile = sqlite3BtreeGetFilename(db->aDb[0].pBt);\n sqlite3_file *pMaster = 0;\n i64 offset = 0;\n int res;\n int retryCount = 0;\n int nMainFile;\n\n /* Select a master journal file name */\n nMainFile = sqlite3Strlen30(zMainFile);\n zMaster = sqlite3MPrintf(db, \"%s-mjXXXXXX9XXz%c%c\", zMainFile, 0, 0);\n if( zMaster==0 ) return SQLITE_NOMEM_BKPT;\n do {\n u32 iRandom;\n if( retryCount ){\n if( retryCount>100 ){\n sqlite3_log(SQLITE_FULL, \"MJ delete: %s\", zMaster);\n sqlite3OsDelete(pVfs, zMaster, 0);\n break;\n }else if( retryCount==1 ){\n sqlite3_log(SQLITE_FULL, \"MJ collide: %s\", zMaster);\n }\n }\n retryCount++;\n sqlite3_randomness(sizeof(iRandom), &iRandom);\n sqlite3_snprintf(13, &zMaster[nMainFile], \"-mj%06X9%02X\",\n (iRandom>>8)&0xffffff, iRandom&0xff);\n /* The antipenultimate character of the master journal name must\n ** be \"9\" to avoid name collisions when using 8+3 filenames. */\n assert( zMaster[sqlite3Strlen30(zMaster)-3]=='9' );\n sqlite3FileSuffix3(zMainFile, zMaster);\n rc = sqlite3OsAccess(pVfs, zMaster, SQLITE_ACCESS_EXISTS, &res);\n }while( rc==SQLITE_OK && res );\n if( rc==SQLITE_OK ){\n /* Open the master journal. 
*/\n rc = sqlite3OsOpenMalloc(pVfs, zMaster, &pMaster, \n SQLITE_OPEN_READWRITE|SQLITE_OPEN_CREATE|\n SQLITE_OPEN_EXCLUSIVE|SQLITE_OPEN_MASTER_JOURNAL, 0\n );\n }\n if( rc!=SQLITE_OK ){\n sqlite3DbFree(db, zMaster);\n return rc;\n }\n \n /* Write the name of each database file in the transaction into the new\n ** master journal file. If an error occurs at this point close\n ** and delete the master journal file. All the individual journal files\n ** still have 'null' as the master journal pointer, so they will roll\n ** back independently if a failure occurs.\n */\n for(i=0; inDb; i++){\n Btree *pBt = db->aDb[i].pBt;\n if( sqlite3BtreeIsInTrans(pBt) ){\n char const *zFile = sqlite3BtreeGetJournalname(pBt);\n if( zFile==0 ){\n continue; /* Ignore TEMP and :memory: databases */\n }\n assert( zFile[0]!=0 );\n rc = sqlite3OsWrite(pMaster, zFile, sqlite3Strlen30(zFile)+1, offset);\n offset += sqlite3Strlen30(zFile)+1;\n if( rc!=SQLITE_OK ){\n sqlite3OsCloseFree(pMaster);\n sqlite3OsDelete(pVfs, zMaster, 0);\n sqlite3DbFree(db, zMaster);\n return rc;\n }\n }\n }\n\n /* Sync the master journal file. If the IOCAP_SEQUENTIAL device\n ** flag is set this is not required.\n */\n if( 0==(sqlite3OsDeviceCharacteristics(pMaster)&SQLITE_IOCAP_SEQUENTIAL)\n && SQLITE_OK!=(rc = sqlite3OsSync(pMaster, SQLITE_SYNC_NORMAL))\n ){\n sqlite3OsCloseFree(pMaster);\n sqlite3OsDelete(pVfs, zMaster, 0);\n sqlite3DbFree(db, zMaster);\n return rc;\n }\n\n /* Sync all the db files involved in the transaction. The same call\n ** sets the master journal pointer in each individual journal. If\n ** an error occurs here, do not delete the master journal file.\n **\n ** If the error occurs during the first call to\n ** sqlite3BtreeCommitPhaseOne(), then there is a chance that the\n ** master journal file will be orphaned. 
But we cannot delete it,\n ** in case the master journal file name was written into the journal\n ** file before the failure occurred.\n */\n for(i=0; rc==SQLITE_OK && inDb; i++){ \n Btree *pBt = db->aDb[i].pBt;\n if( pBt ){\n rc = sqlite3BtreeCommitPhaseOne(pBt, zMaster);\n }\n }\n sqlite3OsCloseFree(pMaster);\n assert( rc!=SQLITE_BUSY );\n if( rc!=SQLITE_OK ){\n sqlite3DbFree(db, zMaster);\n return rc;\n }\n\n /* Delete the master journal file. This commits the transaction. After\n ** doing this the directory is synced again before any individual\n ** transaction files are deleted.\n */\n rc = sqlite3OsDelete(pVfs, zMaster, 1);\n sqlite3DbFree(db, zMaster);\n zMaster = 0;\n if( rc ){\n return rc;\n }\n\n /* All files and directories have already been synced, so the following\n ** calls to sqlite3BtreeCommitPhaseTwo() are only closing files and\n ** deleting or truncating journals. If something goes wrong while\n ** this is happening we don't really care. The integrity of the\n ** transaction is already guaranteed, but some stray 'cold' journals\n ** may be lying around. Returning an error code won't help matters.\n */\n disable_simulated_io_errors();\n sqlite3BeginBenignMalloc();\n for(i=0; inDb; i++){ \n Btree *pBt = db->aDb[i].pBt;\n if( pBt ){\n sqlite3BtreeCommitPhaseTwo(pBt, 1);\n }\n }\n sqlite3EndBenignMalloc();\n enable_simulated_io_errors();\n\n sqlite3VtabCommit(db);\n }\n#endif\n\n return rc;\n}", "project": "sqlite", "hash": 111247248118330479079866846834394936046, "size": 252, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378603 }, { "func": "int sqlite3VdbeAddOp4Int(\n Vdbe *p, /* Add the opcode to this VM */\n int op, /* The new opcode */\n int p1, /* The P1 operand */\n int p2, /* The P2 operand */\n int p3, /* The P3 operand */\n int p4 /* The P4 operand as an integer */\n){\n int addr = sqlite3VdbeAddOp3(p, op, p1, p2, p3);\n if( p->db->mallocFailed==0 ){\n VdbeOp *pOp = &p->aOp[addr];\n pOp->p4type = P4_INT32;\n pOp->p4.i = p4;\n }\n return addr;\n}", "project": "sqlite", "hash": 12736791895395749663516274072104928825, "size": 16, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378574 }, { "func": "void sqlite3VdbeComment(Vdbe *p, const char *zFormat, ...){\n va_list ap;\n if( p ){\n va_start(ap, zFormat);\n vdbeVComment(p, zFormat, ap);\n va_end(ap);\n }\n}", "project": "sqlite", "hash": 3973401077059429126080154935936948251, "size": 8, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378523 }, { "func": "int sqlite3VdbeCloseStatement(Vdbe *p, int eOp){\n if( p->db->nStatement && p->iStatement ){\n return vdbeCloseStatement(p, eOp);\n }\n return SQLITE_OK;\n}", "project": "sqlite", "hash": 146656458177326577649090049699035393603, "size": 6, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378564 }, { "func": "static void selectWindowRewriteEList(\n Parse *pParse, \n Window *pWin,\n SrcList *pSrc,\n ExprList *pEList, /* Rewrite expressions in this list */\n Table *pTab,\n ExprList **ppSub /* IN/OUT: Sub-select expression-list */\n){\n Walker sWalker;\n WindowRewrite sRewrite;\n\n assert( pWin!=0 );\n memset(&sWalker, 0, sizeof(Walker));\n memset(&sRewrite, 0, sizeof(WindowRewrite));\n\n sRewrite.pSub = *ppSub;\n sRewrite.pWin = pWin;\n sRewrite.pSrc = pSrc;\n sRewrite.pTab = pTab;\n\n sWalker.pParse = pParse;\n sWalker.xExprCallback = selectWindowRewriteExprCb;\n sWalker.xSelectCallback = selectWindowRewriteSelectCb;\n sWalker.u.pRewrite = &sRewrite;\n\n (void)sqlite3WalkExprList(&sWalker, pEList);\n\n *ppSub = sRewrite.pSub;\n}", "project": "sqlite", "hash": 39312072319328232754260448393671684426, "size": 29, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the 
sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378556 }, { "func": "void sqlite3VdbeFrameMemDel(void *pArg){\n VdbeFrame *pFrame = (VdbeFrame*)pArg;\n assert( sqlite3VdbeFrameIsValid(pFrame) );\n pFrame->pParent = pFrame->v->pDelFrame;\n pFrame->v->pDelFrame = pFrame;\n}", "project": "sqlite", "hash": 245530553041072408843437152680423850873, "size": 6, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378614 }, { "func": "void sqlite3WindowDelete(sqlite3 *db, Window *p){\n if( p ){\n sqlite3WindowUnlinkFromSelect(p);\n sqlite3ExprDelete(db, p->pFilter);\n sqlite3ExprListDelete(db, p->pPartition);\n sqlite3ExprListDelete(db, p->pOrderBy);\n sqlite3ExprDelete(db, p->pEnd);\n sqlite3ExprDelete(db, p->pStart);\n sqlite3DbFree(db, p->zName);\n sqlite3DbFree(db, p->zBase);\n sqlite3DbFree(db, p);\n }\n}", "project": "sqlite", "hash": 34015962190283540255626172708272385614, "size": 13, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378571 }, { "func": "void sqlite3VdbeError(Vdbe *p, const char *zFormat, ...){\n va_list ap;\n sqlite3DbFree(p->db, p->zErrMsg);\n va_start(ap, zFormat);\n p->zErrMsg = sqlite3VMPrintf(p->db, zFormat, ap);\n va_end(ap);\n}", "project": "sqlite", "hash": 5607792940191588490404834944900140366, "size": 7, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378653 }, { "func": "void sqlite3VdbeChangeP3(Vdbe *p, int addr, int val){\n sqlite3VdbeGetOp(p,addr)->p3 = val;\n}", "project": "sqlite", "hash": 115676196235842513429661380061890016632, "size": 3, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378592 }, { "func": "inline int MatchingFlatSize(const RuntimeShape& shape,\n const RuntimeShape& check_shape_0) {\n TFLITE_DCHECK_EQ(shape.DimensionsCount(), check_shape_0.DimensionsCount());\n const int dims_count = shape.DimensionsCount();\n for (int i = 0; i < dims_count; ++i) {\n TFLITE_DCHECK_EQ(shape.Dims(i), check_shape_0.Dims(i));\n }\n return shape.FlatSize();\n}", "project": "tensorflow", "hash": 255573565812224189815850791279064926163, "size": 9, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269122 }, { "func": "inline int MatchingFlatSize(const Dims& dims, const Dims& check_dims_0,\n const Dims& check_dims_1) {\n for (int i = 0; i < N; ++i) {\n TFLITE_DCHECK_EQ(ArraySize(dims, i), ArraySize(check_dims_0, i));\n }\n return MatchingFlatSize(dims, check_dims_1);\n}", "project": "tensorflow", "hash": 289490371555473010091854044333523777998, "size": 7, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269126 }, { "func": "inline int MatchingFlatSize(const Dims& dims, const Dims& check_dims_0,\n const Dims& check_dims_1,\n const Dims& check_dims_2) {\n for (int i = 0; i < N; ++i) {\n TFLITE_DCHECK_EQ(ArraySize(dims, i), ArraySize(check_dims_0, i));\n }\n return MatchingFlatSize(dims, check_dims_1, check_dims_2);\n}", "project": "tensorflow", "hash": 167138701167382994232794321657199912088, "size": 8, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269135 }, { "func": "inline int MatchingFlatSize(const RuntimeShape& shape,\n const RuntimeShape& check_shape_0,\n const RuntimeShape& check_shape_1,\n const RuntimeShape& check_shape_2) {\n TFLITE_DCHECK_EQ(shape.DimensionsCount(), check_shape_0.DimensionsCount());\n const int dims_count = shape.DimensionsCount();\n for (int i = 0; i < dims_count; ++i) {\n TFLITE_DCHECK_EQ(shape.Dims(i), check_shape_0.Dims(i));\n }\n return MatchingFlatSize(shape, check_shape_1, check_shape_2);\n}", "project": "tensorflow", "hash": 67543938487620771187791624705297766669, "size": 11, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269163 }, { "func": "inline int MatchingFlatSize(const Dims& dims, const Dims& check_dims_0) {\n for (int i = 0; i < N; ++i) {\n TFLITE_DCHECK_EQ(ArraySize(dims, i), ArraySize(check_dims_0, i));\n }\n return FlatSize(dims);\n}", "project": "tensorflow", "hash": 140869370673095305556206827153738415371, "size": 6, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269172 }, { "func": "inline int MatchingFlatSize(const RuntimeShape& shape,\n const RuntimeShape& check_shape_0,\n const RuntimeShape& check_shape_1) {\n TFLITE_DCHECK_EQ(shape.DimensionsCount(), check_shape_0.DimensionsCount());\n const int dims_count = shape.DimensionsCount();\n for (int i = 0; i < dims_count; ++i) {\n TFLITE_DCHECK_EQ(shape.Dims(i), check_shape_0.Dims(i));\n }\n return MatchingFlatSize(shape, check_shape_1);\n}", "project": "tensorflow", "hash": 223292559375314562514102180567467294846, "size": 10, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269178 }, { "func": "inline int MatchingFlatSize(const RuntimeShape& shape,\n const RuntimeShape& check_shape_0,\n const RuntimeShape& check_shape_1,\n const RuntimeShape& check_shape_2,\n const RuntimeShape& check_shape_3) {\n TFLITE_DCHECK_EQ(shape.DimensionsCount(), check_shape_0.DimensionsCount());\n const int dims_count = shape.DimensionsCount();\n for (int i = 0; i < dims_count; ++i) {\n TFLITE_DCHECK_EQ(shape.Dims(i), check_shape_0.Dims(i));\n }\n return MatchingFlatSize(shape, check_shape_1, check_shape_2, check_shape_3);\n}", "project": "tensorflow", "hash": 118855083410594256028359785055919899929, "size": 12, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269185 }, { "func": "inline int MatchingFlatSize(const Dims& dims, const Dims& check_dims_0,\n const Dims& check_dims_1,\n const Dims& check_dims_2,\n const Dims& check_dims_3) {\n for (int i = 0; i < N; ++i) {\n TFLITE_DCHECK_EQ(ArraySize(dims, i), ArraySize(check_dims_0, i));\n }\n return MatchingFlatSize(dims, check_dims_1, check_dims_2, check_dims_3);\n}", "project": "tensorflow", "hash": 50560072261454370540511571800907381546, "size": 9, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. 
To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269186 }, { "func": "void sqlite3WindowUpdate(\n Parse *pParse, \n Window *pList, /* List of named windows for this SELECT */\n Window *pWin, /* Window frame to update */\n FuncDef *pFunc /* Window function definition */\n){\n if( pWin->zName && pWin->eFrmType==0 ){\n Window *p = windowFind(pParse, pList, pWin->zName);\n if( p==0 ) return;\n pWin->pPartition = sqlite3ExprListDup(pParse->db, p->pPartition, 0);\n pWin->pOrderBy = sqlite3ExprListDup(pParse->db, p->pOrderBy, 0);\n pWin->pStart = sqlite3ExprDup(pParse->db, p->pStart, 0);\n pWin->pEnd = sqlite3ExprDup(pParse->db, p->pEnd, 0);\n pWin->eStart = p->eStart;\n pWin->eEnd = p->eEnd;\n pWin->eFrmType = p->eFrmType;\n pWin->eExclude = p->eExclude;\n }else{\n sqlite3WindowChain(pParse, pWin, pList);\n }\n if( (pWin->eFrmType==TK_RANGE)\n && (pWin->pStart || pWin->pEnd) \n && (pWin->pOrderBy==0 || pWin->pOrderBy->nExpr!=1)\n ){\n sqlite3ErrorMsg(pParse, \n \"RANGE with offset PRECEDING/FOLLOWING requires one ORDER BY expression\"\n );\n }else\n if( pFunc->funcFlags & SQLITE_FUNC_WINDOW ){\n sqlite3 *db = pParse->db;\n if( pWin->pFilter ){\n sqlite3ErrorMsg(pParse, \n \"FILTER clause may only be used with aggregate window functions\"\n );\n }else{\n struct WindowUpdate {\n const char *zFunc;\n int eFrmType;\n int eStart;\n int eEnd;\n } aUp[] = {\n { row_numberName, TK_ROWS, TK_UNBOUNDED, TK_CURRENT }, \n { dense_rankName, TK_RANGE, TK_UNBOUNDED, TK_CURRENT }, \n { rankName, TK_RANGE, TK_UNBOUNDED, TK_CURRENT }, \n { percent_rankName, TK_GROUPS, TK_CURRENT, TK_UNBOUNDED }, \n { cume_distName, TK_GROUPS, TK_FOLLOWING, TK_UNBOUNDED }, \n { ntileName, TK_ROWS, TK_CURRENT, TK_UNBOUNDED }, \n 
{ leadName, TK_ROWS, TK_UNBOUNDED, TK_UNBOUNDED }, \n { lagName, TK_ROWS, TK_UNBOUNDED, TK_CURRENT }, \n };\n int i;\n for(i=0; izName==aUp[i].zFunc ){\n sqlite3ExprDelete(db, pWin->pStart);\n sqlite3ExprDelete(db, pWin->pEnd);\n pWin->pEnd = pWin->pStart = 0;\n pWin->eFrmType = aUp[i].eFrmType;\n pWin->eStart = aUp[i].eStart;\n pWin->eEnd = aUp[i].eEnd;\n pWin->eExclude = 0;\n if( pWin->eStart==TK_FOLLOWING ){\n pWin->pStart = sqlite3Expr(db, TK_INTEGER, \"1\");\n }\n break;\n }\n }\n }\n }\n pWin->pFunc = pFunc;\n}", "project": "sqlite", "hash": 7294790952717922303998990467050114856, "size": 70, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378605 }, { "func": "static int withExpand(\n Walker *pWalker, \n struct SrcList_item *pFrom\n){\n Parse *pParse = pWalker->pParse;\n sqlite3 *db = pParse->db;\n struct Cte *pCte; /* Matched CTE (or NULL if no match) */\n With *pWith; /* WITH clause that pCte belongs to */\n\n assert( pFrom->pTab==0 );\n if( pParse->nErr ){\n return SQLITE_ERROR;\n }\n\n pCte = searchWith(pParse->pWith, pFrom, &pWith);\n if( pCte ){\n Table *pTab;\n ExprList *pEList;\n Select *pSel;\n Select *pLeft; /* Left-most SELECT statement */\n int bMayRecursive; /* True if compound joined by UNION [ALL] */\n With *pSavedWith; /* Initial value of pParse->pWith */\n\n /* If pCte->zCteErr is non-NULL at this point, then this is an illegal\n ** recursive reference to CTE pCte. Leave an error in pParse and return\n ** early. 
If pCte->zCteErr is NULL, then this is not a recursive reference.\n ** In this case, proceed. */\n if( pCte->zCteErr ){\n sqlite3ErrorMsg(pParse, pCte->zCteErr, pCte->zName);\n return SQLITE_ERROR;\n }\n if( cannotBeFunction(pParse, pFrom) ) return SQLITE_ERROR;\n\n assert( pFrom->pTab==0 );\n pFrom->pTab = pTab = sqlite3DbMallocZero(db, sizeof(Table));\n if( pTab==0 ) return WRC_Abort;\n pTab->nTabRef = 1;\n pTab->zName = sqlite3DbStrDup(db, pCte->zName);\n pTab->iPKey = -1;\n pTab->nRowLogEst = 200; assert( 200==sqlite3LogEst(1048576) );\n pTab->tabFlags |= TF_Ephemeral | TF_NoVisibleRowid;\n pFrom->pSelect = sqlite3SelectDup(db, pCte->pSelect, 0);\n if( db->mallocFailed ) return SQLITE_NOMEM_BKPT;\n assert( pFrom->pSelect );\n\n /* Check if this is a recursive CTE. */\n pSel = pFrom->pSelect;\n bMayRecursive = ( pSel->op==TK_ALL || pSel->op==TK_UNION );\n if( bMayRecursive ){\n int i;\n SrcList *pSrc = pFrom->pSelect->pSrc;\n for(i=0; inSrc; i++){\n struct SrcList_item *pItem = &pSrc->a[i];\n if( pItem->zDatabase==0 \n && pItem->zName!=0 \n && 0==sqlite3StrICmp(pItem->zName, pCte->zName)\n ){\n pItem->pTab = pTab;\n pItem->fg.isRecursive = 1;\n pTab->nTabRef++;\n pSel->selFlags |= SF_Recursive;\n }\n }\n }\n\n /* Only one recursive reference is permitted. 
*/ \n if( pTab->nTabRef>2 ){\n sqlite3ErrorMsg(\n pParse, \"multiple references to recursive table: %s\", pCte->zName\n );\n return SQLITE_ERROR;\n }\n assert( pTab->nTabRef==1 || \n ((pSel->selFlags&SF_Recursive) && pTab->nTabRef==2 ));\n\n pCte->zCteErr = \"circular reference: %s\";\n pSavedWith = pParse->pWith;\n pParse->pWith = pWith;\n if( bMayRecursive ){\n Select *pPrior = pSel->pPrior;\n assert( pPrior->pWith==0 );\n pPrior->pWith = pSel->pWith;\n sqlite3WalkSelect(pWalker, pPrior);\n pPrior->pWith = 0;\n }else{\n sqlite3WalkSelect(pWalker, pSel);\n }\n pParse->pWith = pWith;\n\n for(pLeft=pSel; pLeft->pPrior; pLeft=pLeft->pPrior);\n pEList = pLeft->pEList;\n if( pCte->pCols ){\n if( pEList && pEList->nExpr!=pCte->pCols->nExpr ){\n sqlite3ErrorMsg(pParse, \"table %s has %d values for %d columns\",\n pCte->zName, pEList->nExpr, pCte->pCols->nExpr\n );\n pParse->pWith = pSavedWith;\n return SQLITE_ERROR;\n }\n pEList = pCte->pCols;\n }\n\n sqlite3ColumnsFromExprList(pParse, pEList, &pTab->nCol, &pTab->aCol);\n if( bMayRecursive ){\n if( pSel->selFlags & SF_Recursive ){\n pCte->zCteErr = \"multiple recursive references: %s\";\n }else{\n pCte->zCteErr = \"recursive reference in a subquery: %s\";\n }\n sqlite3WalkSelect(pWalker, pSel);\n }\n pCte->zCteErr = 0;\n pParse->pWith = pSavedWith;\n }\n\n return SQLITE_OK;\n}", "project": "sqlite", "hash": 239629785281987745085168386980948383319, "size": 117, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246200 }, { "func": "static void addWhereTerm(\n Parse *pParse, /* Parsing context */\n SrcList *pSrc, /* List of tables in FROM clause */\n int iLeft, /* Index of first table to join in pSrc */\n int iColLeft, /* Index of column in first table */\n int iRight, /* Index of second table in pSrc */\n int 
iColRight, /* Index of column in second table */\n int isOuterJoin, /* True if this is an OUTER join */\n Expr **ppWhere /* IN/OUT: The WHERE clause to add to */\n){\n sqlite3 *db = pParse->db;\n Expr *pE1;\n Expr *pE2;\n Expr *pEq;\n\n assert( iLeftnSrc>iRight );\n assert( pSrc->a[iLeft].pTab );\n assert( pSrc->a[iRight].pTab );\n\n pE1 = sqlite3CreateColumnExpr(db, pSrc, iLeft, iColLeft);\n pE2 = sqlite3CreateColumnExpr(db, pSrc, iRight, iColRight);\n\n pEq = sqlite3PExpr(pParse, TK_EQ, pE1, pE2);\n if( pEq && isOuterJoin ){\n ExprSetProperty(pEq, EP_FromJoin);\n assert( !ExprHasProperty(pEq, EP_TokenOnly|EP_Reduced) );\n ExprSetVVAProperty(pEq, EP_NoReduce);\n pEq->iRightJoinTable = (i16)pE2->iTable;\n }\n *ppWhere = sqlite3ExprAnd(pParse, *ppWhere, pEq);\n}", "project": "sqlite", "hash": 157261189248854019497377394348918501845, "size": 32, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246138 }, { "func": "static void windowCodeRangeTest(\n WindowCodeArg *p, \n int op, /* OP_Ge, OP_Gt, or OP_Le */\n int csr1, /* Cursor number for cursor 1 */\n int regVal, /* Register containing non-negative number */\n int csr2, /* Cursor number for cursor 2 */\n int lbl /* Jump destination if condition is true */\n){\n Parse *pParse = p->pParse;\n Vdbe *v = sqlite3GetVdbe(pParse);\n ExprList *pOrderBy = p->pMWin->pOrderBy; /* ORDER BY clause for window */\n int reg1 = sqlite3GetTempReg(pParse); /* Reg. for csr1.peerVal+regVal */\n int reg2 = sqlite3GetTempReg(pParse); /* Reg. for csr2.peerVal */\n int regString = ++pParse->nMem; /* Reg. 
for constant value '' */\n int arith = OP_Add; /* OP_Add or OP_Subtract */\n int addrGe; /* Jump destination */\n\n assert( op==OP_Ge || op==OP_Gt || op==OP_Le );\n assert( pOrderBy && pOrderBy->nExpr==1 );\n if( pOrderBy->a[0].sortFlags & KEYINFO_ORDER_DESC ){\n switch( op ){\n case OP_Ge: op = OP_Le; break;\n case OP_Gt: op = OP_Lt; break;\n default: assert( op==OP_Le ); op = OP_Ge; break;\n }\n arith = OP_Subtract;\n }\n\n /* Read the peer-value from each cursor into a register */\n windowReadPeerValues(p, csr1, reg1);\n windowReadPeerValues(p, csr2, reg2);\n\n VdbeModuleComment((v, \"CodeRangeTest: if( R%d %s R%d %s R%d ) goto lbl\",\n reg1, (arith==OP_Add ? \"+\" : \"-\"), regVal,\n ((op==OP_Ge) ? \">=\" : (op==OP_Le) ? \"<=\" : (op==OP_Gt) ? \">\" : \"<\"), reg2\n ));\n\n /* Register reg1 currently contains csr1.peerVal (the peer-value from csr1).\n ** This block adds (or subtracts for DESC) the numeric value in regVal\n ** from it. Or, if reg1 is not numeric (it is a NULL, a text value or a blob),\n ** then leave reg1 as it is. In pseudo-code, this is implemented as:\n **\n ** if( reg1>='' ) goto addrGe;\n ** reg1 = reg1 +/- regVal\n ** addrGe:\n **\n ** Since all strings and blobs are greater-than-or-equal-to an empty string,\n ** the add/subtract is skipped for these, as required. If reg1 is a NULL,\n ** then the arithmetic is performed, but since adding or subtracting from\n ** NULL is always NULL anyway, this case is handled as required too. */\n sqlite3VdbeAddOp4(v, OP_String8, 0, regString, 0, \"\", P4_STATIC);\n addrGe = sqlite3VdbeAddOp3(v, OP_Ge, regString, 0, reg1);\n VdbeCoverage(v);\n sqlite3VdbeAddOp3(v, arith, regVal, reg1, reg1);\n sqlite3VdbeJumpHere(v, addrGe);\n\n /* If the BIGNULL flag is set for the ORDER BY, then it is required to \n ** consider NULL values to be larger than all other values, instead of \n ** the usual smaller. 
The VDBE opcodes OP_Ge and so on do not handle this\n ** (and adding that capability causes a performance regression), so\n ** instead if the BIGNULL flag is set then cases where either reg1 or\n ** reg2 are NULL are handled separately in the following block. The code\n ** generated is equivalent to:\n **\n ** if( reg1 IS NULL ){\n ** if( op==OP_Ge ) goto lbl;\n ** if( op==OP_Gt && reg2 IS NOT NULL ) goto lbl;\n ** if( op==OP_Le && reg2 IS NULL ) goto lbl;\n ** }else if( reg2 IS NULL ){\n ** if( op==OP_Le ) goto lbl;\n ** }\n **\n ** Additionally, if either reg1 or reg2 are NULL but the jump to lbl is \n ** not taken, control jumps over the comparison operator coded below this\n ** block. */\n if( pOrderBy->a[0].sortFlags & KEYINFO_ORDER_BIGNULL ){\n /* This block runs if reg1 contains a NULL. */\n int addr = sqlite3VdbeAddOp1(v, OP_NotNull, reg1); VdbeCoverage(v);\n switch( op ){\n case OP_Ge: \n sqlite3VdbeAddOp2(v, OP_Goto, 0, lbl); \n break;\n case OP_Gt: \n sqlite3VdbeAddOp2(v, OP_NotNull, reg2, lbl); \n VdbeCoverage(v); \n break;\n case OP_Le: \n sqlite3VdbeAddOp2(v, OP_IsNull, reg2, lbl); \n VdbeCoverage(v); \n break;\n default: assert( op==OP_Lt ); /* no-op */ break;\n }\n sqlite3VdbeAddOp2(v, OP_Goto, 0, sqlite3VdbeCurrentAddr(v)+3);\n\n /* This block runs if reg1 is not NULL, but reg2 is. */\n sqlite3VdbeJumpHere(v, addr);\n sqlite3VdbeAddOp2(v, OP_IsNull, reg2, lbl); VdbeCoverage(v);\n if( op==OP_Gt || op==OP_Ge ){\n sqlite3VdbeChangeP2(v, -1, sqlite3VdbeCurrentAddr(v)+1);\n }\n }\n\n /* Compare registers reg2 and reg1, taking the jump if required. Note that\n ** control skips over this test if the BIGNULL flag is set and either\n ** reg1 or reg2 contain a NULL value. 
*/\n sqlite3VdbeAddOp3(v, op, reg2, lbl, reg1); VdbeCoverage(v);\n sqlite3VdbeChangeP5(v, SQLITE_NULLEQ);\n\n assert( op==OP_Ge || op==OP_Gt || op==OP_Lt || op==OP_Le );\n testcase(op==OP_Ge); VdbeCoverageIf(v, op==OP_Ge);\n testcase(op==OP_Lt); VdbeCoverageIf(v, op==OP_Lt);\n testcase(op==OP_Le); VdbeCoverageIf(v, op==OP_Le);\n testcase(op==OP_Gt); VdbeCoverageIf(v, op==OP_Gt);\n sqlite3ReleaseTempReg(pParse, reg1);\n sqlite3ReleaseTempReg(pParse, reg2);\n\n VdbeModuleComment((v, \"CodeRangeTest: end\"));\n}", "project": "sqlite", "hash": 338567482449329304684359658434885079470, "size": 118, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378546 }, { "func": "void sqlite3VdbeExplainPop(Parse *pParse){\n sqlite3ExplainBreakpoint(\"POP\", 0);\n pParse->addrExplain = sqlite3VdbeExplainParent(pParse);\n}", "project": "sqlite", "hash": 160982373285256704456367559121942281601, "size": 4, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378620 }, { "func": "void sqlite3VdbeFreeCursor(Vdbe *p, VdbeCursor *pCx){\n if( pCx==0 ){\n return;\n }\n assert( pCx->pBtx==0 || pCx->eCurType==CURTYPE_BTREE );\n switch( pCx->eCurType ){\n case CURTYPE_SORTER: {\n sqlite3VdbeSorterClose(p->db, pCx);\n break;\n }\n case CURTYPE_BTREE: {\n if( pCx->isEphemeral ){\n if( pCx->pBtx ) sqlite3BtreeClose(pCx->pBtx);\n /* The pCx->pCursor will be close automatically, if it exists, by\n ** the call above. */\n }else{\n assert( pCx->uc.pCursor!=0 );\n sqlite3BtreeCloseCursor(pCx->uc.pCursor);\n }\n break;\n }\n#ifndef SQLITE_OMIT_VIRTUALTABLE\n case CURTYPE_VTAB: {\n sqlite3_vtab_cursor *pVCur = pCx->uc.pVCur;\n const sqlite3_module *pModule = pVCur->pVtab->pModule;\n assert( pVCur->pVtab->nRef>0 );\n pVCur->pVtab->nRef--;\n pModule->xClose(pVCur);\n break;\n }\n#endif\n }\n}", "project": "sqlite", "hash": 146084428378694893673636944333808766870, "size": 33, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378507 }, { "func": "static void substSelect(\n SubstContext *pSubst, /* Description of the substitution */\n Select *p, /* SELECT statement in which to make substitutions */\n int doPrior /* Do substitutes on p->pPrior too */\n){\n SrcList *pSrc;\n struct SrcList_item *pItem;\n int i;\n if( !p ) return;\n do{\n substExprList(pSubst, p->pEList);\n substExprList(pSubst, p->pGroupBy);\n substExprList(pSubst, p->pOrderBy);\n p->pHaving = substExpr(pSubst, p->pHaving);\n p->pWhere = substExpr(pSubst, p->pWhere);\n pSrc = p->pSrc;\n assert( pSrc!=0 );\n for(i=pSrc->nSrc, pItem=pSrc->a; i>0; i--, pItem++){\n substSelect(pSubst, pItem->pSelect, 1);\n if( pItem->fg.isTabFunc ){\n substExprList(pSubst, pItem->u1.pFuncArg);\n }\n }\n }while( doPrior && (p = p->pPrior)!=0 );\n}", "project": "sqlite", "hash": 13822432364068404985354970638529717493, "size": 25, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246144 }, { "func": "static void windowReadPeerValues(\n WindowCodeArg *p,\n int csr,\n int reg\n){\n Window *pMWin = p->pMWin;\n ExprList *pOrderBy = pMWin->pOrderBy;\n if( pOrderBy ){\n Vdbe *v = sqlite3GetVdbe(p->pParse);\n ExprList *pPart = pMWin->pPartition;\n int iColOff = pMWin->nBufferCol + (pPart ? 
pPart->nExpr : 0);\n int i;\n for(i=0; inExpr; i++){\n sqlite3VdbeAddOp3(v, OP_Column, csr, iColOff+i, reg+i);\n }\n }\n}", "project": "sqlite", "hash": 171437781677636027712985249477882604626, "size": 17, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378519 }, { "func": "static void updateAccumulator(Parse *pParse, int regAcc, AggInfo *pAggInfo){\n Vdbe *v = pParse->pVdbe;\n int i;\n int regHit = 0;\n int addrHitTest = 0;\n struct AggInfo_func *pF;\n struct AggInfo_col *pC;\n\n pAggInfo->directMode = 1;\n for(i=0, pF=pAggInfo->aFunc; inFunc; i++, pF++){\n int nArg;\n int addrNext = 0;\n int regAgg;\n ExprList *pList = pF->pExpr->x.pList;\n assert( !ExprHasProperty(pF->pExpr, EP_xIsSelect) );\n assert( !IsWindowFunc(pF->pExpr) );\n if( ExprHasProperty(pF->pExpr, EP_WinFunc) ){\n Expr *pFilter = pF->pExpr->y.pWin->pFilter;\n if( pAggInfo->nAccumulator \n && (pF->pFunc->funcFlags & SQLITE_FUNC_NEEDCOLL) \n ){\n if( regHit==0 ) regHit = ++pParse->nMem;\n /* If this is the first row of the group (regAcc==0), clear the\n ** \"magnet\" register regHit so that the accumulator registers\n ** are populated if the FILTER clause jumps over the the \n ** invocation of min() or max() altogether. Or, if this is not\n ** the first row (regAcc==1), set the magnet register so that the\n ** accumulators are not populated unless the min()/max() is invoked and\n ** indicates that they should be. 
*/\n sqlite3VdbeAddOp2(v, OP_Copy, regAcc, regHit);\n }\n addrNext = sqlite3VdbeMakeLabel(pParse);\n sqlite3ExprIfFalse(pParse, pFilter, addrNext, SQLITE_JUMPIFNULL);\n }\n if( pList ){\n nArg = pList->nExpr;\n regAgg = sqlite3GetTempRange(pParse, nArg);\n sqlite3ExprCodeExprList(pParse, pList, regAgg, 0, SQLITE_ECEL_DUP);\n }else{\n nArg = 0;\n regAgg = 0;\n }\n if( pF->iDistinct>=0 ){\n if( addrNext==0 ){ \n addrNext = sqlite3VdbeMakeLabel(pParse);\n }\n testcase( nArg==0 ); /* Error condition */\n testcase( nArg>1 ); /* Also an error */\n codeDistinct(pParse, pF->iDistinct, addrNext, 1, regAgg);\n }\n if( pF->pFunc->funcFlags & SQLITE_FUNC_NEEDCOLL ){\n CollSeq *pColl = 0;\n struct ExprList_item *pItem;\n int j;\n assert( pList!=0 ); /* pList!=0 if pF->pFunc has NEEDCOLL */\n for(j=0, pItem=pList->a; !pColl && jpExpr);\n }\n if( !pColl ){\n pColl = pParse->db->pDfltColl;\n }\n if( regHit==0 && pAggInfo->nAccumulator ) regHit = ++pParse->nMem;\n sqlite3VdbeAddOp4(v, OP_CollSeq, regHit, 0, 0, (char *)pColl, P4_COLLSEQ);\n }\n sqlite3VdbeAddOp3(v, OP_AggStep, 0, regAgg, pF->iMem);\n sqlite3VdbeAppendP4(v, pF->pFunc, P4_FUNCDEF);\n sqlite3VdbeChangeP5(v, (u8)nArg);\n sqlite3ReleaseTempRange(pParse, regAgg, nArg);\n if( addrNext ){\n sqlite3VdbeResolveLabel(v, addrNext);\n }\n }\n if( regHit==0 && pAggInfo->nAccumulator ){\n regHit = regAcc;\n }\n if( regHit ){\n addrHitTest = sqlite3VdbeAddOp1(v, OP_If, regHit); VdbeCoverage(v);\n }\n for(i=0, pC=pAggInfo->aCol; inAccumulator; i++, pC++){\n sqlite3ExprCode(pParse, pC->pExpr, pC->iMem);\n }\n\n pAggInfo->directMode = 0;\n if( addrHitTest ){\n sqlite3VdbeJumpHereOrPopInst(v, addrHitTest);\n }\n}", "project": "sqlite", "hash": 214827517970958566536625295766939199938, "size": 87, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, 
"dataset": "other", "idx": 246152 }, { "func": "static void updateAccumulator(Parse *pParse, int regAcc, AggInfo *pAggInfo){\n Vdbe *v = pParse->pVdbe;\n int i;\n int regHit = 0;\n int addrHitTest = 0;\n struct AggInfo_func *pF;\n struct AggInfo_col *pC;\n\n pAggInfo->directMode = 1;\n for(i=0, pF=pAggInfo->aFunc; inFunc; i++, pF++){\n int nArg;\n int addrNext = 0;\n int regAgg;\n ExprList *pList = pF->pExpr->x.pList;\n assert( !ExprHasProperty(pF->pExpr, EP_xIsSelect) );\n assert( !IsWindowFunc(pF->pExpr) );\n if( ExprHasProperty(pF->pExpr, EP_WinFunc) ){\n Expr *pFilter = pF->pExpr->y.pWin->pFilter;\n if( pAggInfo->nAccumulator \n && (pF->pFunc->funcFlags & SQLITE_FUNC_NEEDCOLL) \n ){\n if( regHit==0 ) regHit = ++pParse->nMem;\n /* If this is the first row of the group (regAcc==0), clear the\n ** \"magnet\" register regHit so that the accumulator registers\n ** are populated if the FILTER clause jumps over the the \n ** invocation of min() or max() altogether. Or, if this is not\n ** the first row (regAcc==1), set the magnet register so that the\n ** accumulators are not populated unless the min()/max() is invoked and\n ** indicates that they should be. 
*/\n sqlite3VdbeAddOp2(v, OP_Copy, regAcc, regHit);\n }\n addrNext = sqlite3VdbeMakeLabel(pParse);\n sqlite3ExprIfFalse(pParse, pFilter, addrNext, SQLITE_JUMPIFNULL);\n }\n if( pList ){\n nArg = pList->nExpr;\n regAgg = sqlite3GetTempRange(pParse, nArg);\n sqlite3ExprCodeExprList(pParse, pList, regAgg, 0, SQLITE_ECEL_DUP);\n }else{\n nArg = 0;\n regAgg = 0;\n }\n if( pF->iDistinct>=0 ){\n if( addrNext==0 ){ \n addrNext = sqlite3VdbeMakeLabel(pParse);\n }\n testcase( nArg==0 ); /* Error condition */\n testcase( nArg>1 ); /* Also an error */\n codeDistinct(pParse, pF->iDistinct, addrNext, 1, regAgg);\n }\n if( pF->pFunc->funcFlags & SQLITE_FUNC_NEEDCOLL ){\n CollSeq *pColl = 0;\n struct ExprList_item *pItem;\n int j;\n assert( pList!=0 ); /* pList!=0 if pF->pFunc has NEEDCOLL */\n for(j=0, pItem=pList->a; !pColl && jpExpr);\n }\n if( !pColl ){\n pColl = pParse->db->pDfltColl;\n }\n if( regHit==0 && pAggInfo->nAccumulator ) regHit = ++pParse->nMem;\n sqlite3VdbeAddOp4(v, OP_CollSeq, regHit, 0, 0, (char *)pColl, P4_COLLSEQ);\n }\n sqlite3VdbeAddOp3(v, OP_AggStep, 0, regAgg, pF->iMem);\n sqlite3VdbeAppendP4(v, pF->pFunc, P4_FUNCDEF);\n sqlite3VdbeChangeP5(v, (u8)nArg);\n sqlite3ReleaseTempRange(pParse, regAgg, nArg);\n if( addrNext ){\n sqlite3VdbeResolveLabel(v, addrNext);\n }\n }\n if( regHit==0 && pAggInfo->nAccumulator ){\n regHit = regAcc;\n }\n if( regHit ){\n addrHitTest = sqlite3VdbeAddOp1(v, OP_If, regHit); VdbeCoverage(v);\n }\n for(i=0, pC=pAggInfo->aCol; inAccumulator; i++, pC++){\n sqlite3ExprCode(pParse, pC->pExpr, pC->iMem);\n }\n\n pAggInfo->directMode = 0;\n if( addrHitTest ){\n sqlite3VdbeJumpHere(v, addrHitTest);\n }\n}", "project": "sqlite", "hash": 153596190066696035048262451513701083046, "size": 87, "commit_id": "a6c1a71cde082e09750465d5675699062922e387", "message": "Do not attempt to unwind the WITH stack in the Parse object following an error. 
This fixes a separate case to [de6e6d68].\n\nFossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92", "target": 0, "dataset": "other", "idx": 356316 }, { "func": "int sqlite3VdbeTransferError(Vdbe *p){\n sqlite3 *db = p->db;\n int rc = p->rc;\n if( p->zErrMsg ){\n db->bBenignMalloc++;\n sqlite3BeginBenignMalloc();\n if( db->pErr==0 ) db->pErr = sqlite3ValueNew(db);\n sqlite3ValueSetStr(db->pErr, -1, p->zErrMsg, SQLITE_UTF8, SQLITE_TRANSIENT);\n sqlite3EndBenignMalloc();\n db->bBenignMalloc--;\n }else if( db->pErr ){\n sqlite3ValueSetNull(db->pErr);\n }\n db->errCode = rc;\n return rc;\n}", "project": "sqlite", "hash": 235422964941524349008935010995081591974, "size": 16, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378643 }, { "func": "static void closeCursorsInFrame(Vdbe *p){\n if( p->apCsr ){\n int i;\n for(i=0; inCursor; i++){\n VdbeCursor *pC = p->apCsr[i];\n if( pC ){\n sqlite3VdbeFreeCursor(p, pC);\n p->apCsr[i] = 0;\n }\n }\n }\n}", "project": "sqlite", "hash": 239359870519176847526033285595632297286, "size": 12, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378686 }, { "func": "void sqlite3WindowListDelete(sqlite3 *db, Window *p){\n while( p ){\n Window *pNext = p->pNextWin;\n sqlite3WindowDelete(db, p);\n p = pNext;\n }\n}", "project": "sqlite", "hash": 279200865868790977971952411319496206819, "size": 7, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378489 }, { "func": "void sqlite3KeyInfoUnref(KeyInfo *p){\n if( p ){\n assert( p->nRef>0 );\n p->nRef--;\n if( p->nRef==0 ) sqlite3DbFreeNN(p->db, p);\n }\n}", "project": "sqlite", "hash": 156493194540490775838534924323681579025, "size": 7, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246186 }, { "func": "static void pushOntoSorter(\n Parse *pParse, /* Parser context */\n SortCtx *pSort, /* Information about the ORDER BY clause */\n Select *pSelect, /* The whole SELECT statement */\n int regData, /* First register holding data to be sorted */\n int regOrigData, /* First register holding data before packing */\n int nData, /* Number of elements in the regData data array */\n int nPrefixReg /* No. 
of reg prior to regData available for use */\n){\n Vdbe *v = pParse->pVdbe; /* Stmt under construction */\n int bSeq = ((pSort->sortFlags & SORTFLAG_UseSorter)==0);\n int nExpr = pSort->pOrderBy->nExpr; /* No. of ORDER BY terms */\n int nBase = nExpr + bSeq + nData; /* Fields in sorter record */\n int regBase; /* Regs for sorter record */\n int regRecord = 0; /* Assembled sorter record */\n int nOBSat = pSort->nOBSat; /* ORDER BY terms to skip */\n int op; /* Opcode to add sorter record to sorter */\n int iLimit; /* LIMIT counter */\n int iSkip = 0; /* End of the sorter insert loop */\n\n assert( bSeq==0 || bSeq==1 );\n\n /* Three cases:\n ** (1) The data to be sorted has already been packed into a Record\n ** by a prior OP_MakeRecord. In this case nData==1 and regData\n ** will be completely unrelated to regOrigData.\n ** (2) All output columns are included in the sort record. In that\n ** case regData==regOrigData.\n ** (3) Some output columns are omitted from the sort record due to\n ** the SQLITE_ENABLE_SORTER_REFERENCE optimization, or due to the\n ** SQLITE_ECEL_OMITREF optimization, or due to the \n ** SortCtx.pDeferredRowLoad optimiation. In any of these cases\n ** regOrigData is 0 to prevent this routine from trying to copy\n ** values that might not yet exist.\n */\n assert( nData==1 || regData==regOrigData || regOrigData==0 );\n\n if( nPrefixReg ){\n assert( nPrefixReg==nExpr+bSeq );\n regBase = regData - nPrefixReg;\n }else{\n regBase = pParse->nMem + 1;\n pParse->nMem += nBase;\n }\n assert( pSelect->iOffset==0 || pSelect->iLimit!=0 );\n iLimit = pSelect->iOffset ? pSelect->iOffset+1 : pSelect->iLimit;\n pSort->labelDone = sqlite3VdbeMakeLabel(pParse);\n sqlite3ExprCodeExprList(pParse, pSort->pOrderBy, regBase, regOrigData,\n SQLITE_ECEL_DUP | (regOrigData? 
SQLITE_ECEL_REF : 0));\n if( bSeq ){\n sqlite3VdbeAddOp2(v, OP_Sequence, pSort->iECursor, regBase+nExpr);\n }\n if( nPrefixReg==0 && nData>0 ){\n sqlite3ExprCodeMove(pParse, regData, regBase+nExpr+bSeq, nData);\n }\n if( nOBSat>0 ){\n int regPrevKey; /* The first nOBSat columns of the previous row */\n int addrFirst; /* Address of the OP_IfNot opcode */\n int addrJmp; /* Address of the OP_Jump opcode */\n VdbeOp *pOp; /* Opcode that opens the sorter */\n int nKey; /* Number of sorting key columns, including OP_Sequence */\n KeyInfo *pKI; /* Original KeyInfo on the sorter table */\n\n regRecord = makeSorterRecord(pParse, pSort, pSelect, regBase, nBase);\n regPrevKey = pParse->nMem+1;\n pParse->nMem += pSort->nOBSat;\n nKey = nExpr - pSort->nOBSat + bSeq;\n if( bSeq ){\n addrFirst = sqlite3VdbeAddOp1(v, OP_IfNot, regBase+nExpr); \n }else{\n addrFirst = sqlite3VdbeAddOp1(v, OP_SequenceTest, pSort->iECursor);\n }\n VdbeCoverage(v);\n sqlite3VdbeAddOp3(v, OP_Compare, regPrevKey, regBase, pSort->nOBSat);\n pOp = sqlite3VdbeGetOp(v, pSort->addrSortIndex);\n if( pParse->db->mallocFailed ) return;\n pOp->p2 = nKey + nData;\n pKI = pOp->p4.pKeyInfo;\n memset(pKI->aSortFlags, 0, pKI->nKeyField); /* Makes OP_Jump testable */\n sqlite3VdbeChangeP4(v, -1, (char*)pKI, P4_KEYINFO);\n testcase( pKI->nAllField > pKI->nKeyField+2 );\n pOp->p4.pKeyInfo = sqlite3KeyInfoFromExprList(pParse,pSort->pOrderBy,nOBSat,\n pKI->nAllField-pKI->nKeyField-1);\n pOp = 0; /* Ensure pOp not used after sqltie3VdbeAddOp3() */\n addrJmp = sqlite3VdbeCurrentAddr(v);\n sqlite3VdbeAddOp3(v, OP_Jump, addrJmp+1, 0, addrJmp+1); VdbeCoverage(v);\n pSort->labelBkOut = sqlite3VdbeMakeLabel(pParse);\n pSort->regReturn = ++pParse->nMem;\n sqlite3VdbeAddOp2(v, OP_Gosub, pSort->regReturn, pSort->labelBkOut);\n sqlite3VdbeAddOp1(v, OP_ResetSorter, pSort->iECursor);\n if( iLimit ){\n sqlite3VdbeAddOp2(v, OP_IfNot, iLimit, pSort->labelDone);\n VdbeCoverage(v);\n }\n sqlite3VdbeJumpHere(v, addrFirst);\n 
sqlite3ExprCodeMove(pParse, regBase, regPrevKey, pSort->nOBSat);\n sqlite3VdbeJumpHere(v, addrJmp);\n }\n if( iLimit ){\n /* At this point the values for the new sorter entry are stored\n ** in an array of registers. They need to be composed into a record\n ** and inserted into the sorter if either (a) there are currently\n ** less than LIMIT+OFFSET items or (b) the new record is smaller than \n ** the largest record currently in the sorter. If (b) is true and there\n ** are already LIMIT+OFFSET items in the sorter, delete the largest\n ** entry before inserting the new one. This way there are never more \n ** than LIMIT+OFFSET items in the sorter.\n **\n ** If the new record does not need to be inserted into the sorter,\n ** jump to the next iteration of the loop. If the pSort->labelOBLopt\n ** value is not zero, then it is a label of where to jump. Otherwise,\n ** just bypass the row insert logic. See the header comment on the\n ** sqlite3WhereOrderByLimitOptLabel() function for additional info.\n */\n int iCsr = pSort->iECursor;\n sqlite3VdbeAddOp2(v, OP_IfNotZero, iLimit, sqlite3VdbeCurrentAddr(v)+4);\n VdbeCoverage(v);\n sqlite3VdbeAddOp2(v, OP_Last, iCsr, 0);\n iSkip = sqlite3VdbeAddOp4Int(v, OP_IdxLE,\n iCsr, 0, regBase+nOBSat, nExpr-nOBSat);\n VdbeCoverage(v);\n sqlite3VdbeAddOp1(v, OP_Delete, iCsr);\n }\n if( regRecord==0 ){\n regRecord = makeSorterRecord(pParse, pSort, pSelect, regBase, nBase);\n }\n if( pSort->sortFlags & SORTFLAG_UseSorter ){\n op = OP_SorterInsert;\n }else{\n op = OP_IdxInsert;\n }\n sqlite3VdbeAddOp4Int(v, op, pSort->iECursor, regRecord,\n regBase+nOBSat, nBase-nOBSat);\n if( iSkip ){\n sqlite3VdbeChangeP2(v, iSkip,\n pSort->labelOBLopt ? 
pSort->labelOBLopt : sqlite3VdbeCurrentAddr(v));\n }\n}", "project": "sqlite", "hash": 109362186382892719090475218546312811439, "size": 138, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246157 }, { "func": "static void generateSortTail(\n Parse *pParse, /* Parsing context */\n Select *p, /* The SELECT statement */\n SortCtx *pSort, /* Information on the ORDER BY clause */\n int nColumn, /* Number of columns of data */\n SelectDest *pDest /* Write the sorted results here */\n){\n Vdbe *v = pParse->pVdbe; /* The prepared statement */\n int addrBreak = pSort->labelDone; /* Jump here to exit loop */\n int addrContinue = sqlite3VdbeMakeLabel(pParse);/* Jump here for next cycle */\n int addr; /* Top of output loop. Jump for Next. */\n int addrOnce = 0;\n int iTab;\n ExprList *pOrderBy = pSort->pOrderBy;\n int eDest = pDest->eDest;\n int iParm = pDest->iSDParm;\n int regRow;\n int regRowid;\n int iCol;\n int nKey; /* Number of key columns in sorter record */\n int iSortTab; /* Sorter cursor to read from */\n int i;\n int bSeq; /* True if sorter record includes seq. no. 
*/\n int nRefKey = 0;\n struct ExprList_item *aOutEx = p->pEList->a;\n\n assert( addrBreak<0 );\n if( pSort->labelBkOut ){\n sqlite3VdbeAddOp2(v, OP_Gosub, pSort->regReturn, pSort->labelBkOut);\n sqlite3VdbeGoto(v, addrBreak);\n sqlite3VdbeResolveLabel(v, pSort->labelBkOut);\n }\n\n#ifdef SQLITE_ENABLE_SORTER_REFERENCES\n /* Open any cursors needed for sorter-reference expressions */\n for(i=0; inDefer; i++){\n Table *pTab = pSort->aDefer[i].pTab;\n int iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);\n sqlite3OpenTable(pParse, pSort->aDefer[i].iCsr, iDb, pTab, OP_OpenRead);\n nRefKey = MAX(nRefKey, pSort->aDefer[i].nKey);\n }\n#endif\n\n iTab = pSort->iECursor;\n if( eDest==SRT_Output || eDest==SRT_Coroutine || eDest==SRT_Mem ){\n regRowid = 0;\n regRow = pDest->iSdst;\n }else{\n regRowid = sqlite3GetTempReg(pParse);\n if( eDest==SRT_EphemTab || eDest==SRT_Table ){\n regRow = sqlite3GetTempReg(pParse);\n nColumn = 0;\n }else{\n regRow = sqlite3GetTempRange(pParse, nColumn);\n }\n }\n nKey = pOrderBy->nExpr - pSort->nOBSat;\n if( pSort->sortFlags & SORTFLAG_UseSorter ){\n int regSortOut = ++pParse->nMem;\n iSortTab = pParse->nTab++;\n if( pSort->labelBkOut ){\n addrOnce = sqlite3VdbeAddOp0(v, OP_Once); VdbeCoverage(v);\n }\n sqlite3VdbeAddOp3(v, OP_OpenPseudo, iSortTab, regSortOut, \n nKey+1+nColumn+nRefKey);\n if( addrOnce ) sqlite3VdbeJumpHere(v, addrOnce);\n addr = 1 + sqlite3VdbeAddOp2(v, OP_SorterSort, iTab, addrBreak);\n VdbeCoverage(v);\n codeOffset(v, p->iOffset, addrContinue);\n sqlite3VdbeAddOp3(v, OP_SorterData, iTab, regSortOut, iSortTab);\n bSeq = 0;\n }else{\n addr = 1 + sqlite3VdbeAddOp2(v, OP_Sort, iTab, addrBreak); VdbeCoverage(v);\n codeOffset(v, p->iOffset, addrContinue);\n iSortTab = iTab;\n bSeq = 1;\n }\n for(i=0, iCol=nKey+bSeq-1; inDefer ){\n int iKey = iCol+1;\n int regKey = sqlite3GetTempRange(pParse, nRefKey);\n\n for(i=0; inDefer; i++){\n int iCsr = pSort->aDefer[i].iCsr;\n Table *pTab = pSort->aDefer[i].pTab;\n int nKey = 
pSort->aDefer[i].nKey;\n\n sqlite3VdbeAddOp1(v, OP_NullRow, iCsr);\n if( HasRowid(pTab) ){\n sqlite3VdbeAddOp3(v, OP_Column, iSortTab, iKey++, regKey);\n sqlite3VdbeAddOp3(v, OP_SeekRowid, iCsr, \n sqlite3VdbeCurrentAddr(v)+1, regKey);\n }else{\n int k;\n int iJmp;\n assert( sqlite3PrimaryKeyIndex(pTab)->nKeyCol==nKey );\n for(k=0; k=0; i--){\n#ifdef SQLITE_ENABLE_SORTER_REFERENCES\n if( aOutEx[i].bSorterRef ){\n sqlite3ExprCode(pParse, aOutEx[i].pExpr, regRow+i);\n }else\n#endif\n {\n int iRead;\n if( aOutEx[i].u.x.iOrderByCol ){\n iRead = aOutEx[i].u.x.iOrderByCol-1;\n }else{\n iRead = iCol--;\n }\n sqlite3VdbeAddOp3(v, OP_Column, iSortTab, iRead, regRow+i);\n VdbeComment((v, \"%s\", aOutEx[i].zEName));\n }\n }\n switch( eDest ){\n case SRT_Table:\n case SRT_EphemTab: {\n sqlite3VdbeAddOp3(v, OP_Column, iSortTab, nKey+bSeq, regRow);\n sqlite3VdbeAddOp2(v, OP_NewRowid, iParm, regRowid);\n sqlite3VdbeAddOp3(v, OP_Insert, iParm, regRow, regRowid);\n sqlite3VdbeChangeP5(v, OPFLAG_APPEND);\n break;\n }\n#ifndef SQLITE_OMIT_SUBQUERY\n case SRT_Set: {\n assert( nColumn==sqlite3Strlen30(pDest->zAffSdst) );\n sqlite3VdbeAddOp4(v, OP_MakeRecord, regRow, nColumn, regRowid,\n pDest->zAffSdst, nColumn);\n sqlite3VdbeAddOp4Int(v, OP_IdxInsert, iParm, regRowid, regRow, nColumn);\n break;\n }\n case SRT_Mem: {\n /* The LIMIT clause will terminate the loop for us */\n break;\n }\n#endif\n default: {\n assert( eDest==SRT_Output || eDest==SRT_Coroutine ); \n testcase( eDest==SRT_Output );\n testcase( eDest==SRT_Coroutine );\n if( eDest==SRT_Output ){\n sqlite3VdbeAddOp2(v, OP_ResultRow, pDest->iSdst, nColumn);\n }else{\n sqlite3VdbeAddOp1(v, OP_Yield, pDest->iSDParm);\n }\n break;\n }\n }\n if( regRowid ){\n if( eDest==SRT_Set ){\n sqlite3ReleaseTempRange(pParse, regRow, nColumn);\n }else{\n sqlite3ReleaseTempReg(pParse, regRow);\n }\n sqlite3ReleaseTempReg(pParse, regRowid);\n }\n /* The bottom of the loop\n */\n sqlite3VdbeResolveLabel(v, addrContinue);\n if( pSort->sortFlags & 
SORTFLAG_UseSorter ){\n sqlite3VdbeAddOp2(v, OP_SorterNext, iTab, addr); VdbeCoverage(v);\n }else{\n sqlite3VdbeAddOp2(v, OP_Next, iTab, addr); VdbeCoverage(v);\n }\n if( pSort->regReturn ) sqlite3VdbeAddOp1(v, OP_Return, pSort->regReturn);\n sqlite3VdbeResolveLabel(v, addrBreak);\n}", "project": "sqlite", "hash": 158345202324018221351328192065326619373, "size": 184, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246159 }, { "func": "static void generateSortTail(\n Parse *pParse, /* Parsing context */\n Select *p, /* The SELECT statement */\n SortCtx *pSort, /* Information on the ORDER BY clause */\n int nColumn, /* Number of columns of data */\n SelectDest *pDest /* Write the sorted results here */\n){\n Vdbe *v = pParse->pVdbe; /* The prepared statement */\n int addrBreak = pSort->labelDone; /* Jump here to exit loop */\n int addrContinue = sqlite3VdbeMakeLabel(pParse);/* Jump here for next cycle */\n int addr; /* Top of output loop. Jump for Next. */\n int addrOnce = 0;\n int iTab;\n ExprList *pOrderBy = pSort->pOrderBy;\n int eDest = pDest->eDest;\n int iParm = pDest->iSDParm;\n int regRow;\n int regRowid;\n int iCol;\n int nKey; /* Number of key columns in sorter record */\n int iSortTab; /* Sorter cursor to read from */\n int i;\n int bSeq; /* True if sorter record includes seq. no. 
*/\n int nRefKey = 0;\n struct ExprList_item *aOutEx = p->pEList->a;\n\n assert( addrBreak<0 );\n if( pSort->labelBkOut ){\n sqlite3VdbeAddOp2(v, OP_Gosub, pSort->regReturn, pSort->labelBkOut);\n sqlite3VdbeGoto(v, addrBreak);\n sqlite3VdbeResolveLabel(v, pSort->labelBkOut);\n }\n\n#ifdef SQLITE_ENABLE_SORTER_REFERENCES\n /* Open any cursors needed for sorter-reference expressions */\n for(i=0; inDefer; i++){\n Table *pTab = pSort->aDefer[i].pTab;\n int iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);\n sqlite3OpenTable(pParse, pSort->aDefer[i].iCsr, iDb, pTab, OP_OpenRead);\n nRefKey = MAX(nRefKey, pSort->aDefer[i].nKey);\n }\n#endif\n\n iTab = pSort->iECursor;\n if( eDest==SRT_Output || eDest==SRT_Coroutine || eDest==SRT_Mem ){\n regRowid = 0;\n regRow = pDest->iSdst;\n }else{\n regRowid = sqlite3GetTempReg(pParse);\n if( eDest==SRT_EphemTab || eDest==SRT_Table ){\n regRow = sqlite3GetTempReg(pParse);\n nColumn = 0;\n }else{\n regRow = sqlite3GetTempRange(pParse, nColumn);\n }\n }\n nKey = pOrderBy->nExpr - pSort->nOBSat;\n if( pSort->sortFlags & SORTFLAG_UseSorter ){\n int regSortOut = ++pParse->nMem;\n iSortTab = pParse->nTab++;\n if( pSort->labelBkOut ){\n addrOnce = sqlite3VdbeAddOp0(v, OP_Once); VdbeCoverage(v);\n }\n sqlite3VdbeAddOp3(v, OP_OpenPseudo, iSortTab, regSortOut, \n nKey+1+nColumn+nRefKey);\n if( addrOnce ) sqlite3VdbeJumpHere(v, addrOnce);\n addr = 1 + sqlite3VdbeAddOp2(v, OP_SorterSort, iTab, addrBreak);\n VdbeCoverage(v);\n codeOffset(v, p->iOffset, addrContinue);\n sqlite3VdbeAddOp3(v, OP_SorterData, iTab, regSortOut, iSortTab);\n bSeq = 0;\n }else{\n addr = 1 + sqlite3VdbeAddOp2(v, OP_Sort, iTab, addrBreak); VdbeCoverage(v);\n codeOffset(v, p->iOffset, addrContinue);\n iSortTab = iTab;\n bSeq = 1;\n }\n for(i=0, iCol=nKey+bSeq-1; inDefer ){\n int iKey = iCol+1;\n int regKey = sqlite3GetTempRange(pParse, nRefKey);\n\n for(i=0; inDefer; i++){\n int iCsr = pSort->aDefer[i].iCsr;\n Table *pTab = pSort->aDefer[i].pTab;\n int nKey = 
pSort->aDefer[i].nKey;\n\n sqlite3VdbeAddOp1(v, OP_NullRow, iCsr);\n if( HasRowid(pTab) ){\n sqlite3VdbeAddOp3(v, OP_Column, iSortTab, iKey++, regKey);\n sqlite3VdbeAddOp3(v, OP_SeekRowid, iCsr, \n sqlite3VdbeCurrentAddr(v)+1, regKey);\n }else{\n int k;\n int iJmp;\n assert( sqlite3PrimaryKeyIndex(pTab)->nKeyCol==nKey );\n for(k=0; k=0; i--){\n#ifdef SQLITE_ENABLE_SORTER_REFERENCES\n if( aOutEx[i].bSorterRef ){\n sqlite3ExprCode(pParse, aOutEx[i].pExpr, regRow+i);\n }else\n#endif\n {\n int iRead;\n if( aOutEx[i].u.x.iOrderByCol ){\n iRead = aOutEx[i].u.x.iOrderByCol-1;\n }else{\n iRead = iCol--;\n }\n sqlite3VdbeAddOp3(v, OP_Column, iSortTab, iRead, regRow+i);\n VdbeComment((v, \"%s\", aOutEx[i].zName?aOutEx[i].zName : aOutEx[i].zSpan));\n }\n }\n switch( eDest ){\n case SRT_Table:\n case SRT_EphemTab: {\n sqlite3VdbeAddOp3(v, OP_Column, iSortTab, nKey+bSeq, regRow);\n sqlite3VdbeAddOp2(v, OP_NewRowid, iParm, regRowid);\n sqlite3VdbeAddOp3(v, OP_Insert, iParm, regRow, regRowid);\n sqlite3VdbeChangeP5(v, OPFLAG_APPEND);\n break;\n }\n#ifndef SQLITE_OMIT_SUBQUERY\n case SRT_Set: {\n assert( nColumn==sqlite3Strlen30(pDest->zAffSdst) );\n sqlite3VdbeAddOp4(v, OP_MakeRecord, regRow, nColumn, regRowid,\n pDest->zAffSdst, nColumn);\n sqlite3VdbeAddOp4Int(v, OP_IdxInsert, iParm, regRowid, regRow, nColumn);\n break;\n }\n case SRT_Mem: {\n /* The LIMIT clause will terminate the loop for us */\n break;\n }\n#endif\n default: {\n assert( eDest==SRT_Output || eDest==SRT_Coroutine ); \n testcase( eDest==SRT_Output );\n testcase( eDest==SRT_Coroutine );\n if( eDest==SRT_Output ){\n sqlite3VdbeAddOp2(v, OP_ResultRow, pDest->iSdst, nColumn);\n }else{\n sqlite3VdbeAddOp1(v, OP_Yield, pDest->iSDParm);\n }\n break;\n }\n }\n if( regRowid ){\n if( eDest==SRT_Set ){\n sqlite3ReleaseTempRange(pParse, regRow, nColumn);\n }else{\n sqlite3ReleaseTempReg(pParse, regRow);\n }\n sqlite3ReleaseTempReg(pParse, regRowid);\n }\n /* The bottom of the loop\n */\n sqlite3VdbeResolveLabel(v, 
addrContinue);\n if( pSort->sortFlags & SORTFLAG_UseSorter ){\n sqlite3VdbeAddOp2(v, OP_SorterNext, iTab, addr); VdbeCoverage(v);\n }else{\n sqlite3VdbeAddOp2(v, OP_Next, iTab, addr); VdbeCoverage(v);\n }\n if( pSort->regReturn ) sqlite3VdbeAddOp1(v, OP_Return, pSort->regReturn);\n sqlite3VdbeResolveLabel(v, addrBreak);\n}", "project": "sqlite", "hash": 103987343273147154282599015527270036540, "size": 184, "commit_id": "a6c1a71cde082e09750465d5675699062922e387", "message": "Do not attempt to unwind the WITH stack in the Parse object following an error. This fixes a separate case to [de6e6d68].\n\nFossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92", "target": 0, "dataset": "other", "idx": 356308 }, { "func": "void sqlite3VdbeChangeOpcode(Vdbe *p, int addr, u8 iNewOpcode){\n sqlite3VdbeGetOp(p,addr)->opcode = iNewOpcode;\n}", "project": "sqlite", "hash": 267071599860387490931230103491162002033, "size": 3, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378483 }, { "func": "int sqlite3VdbeAddOp1(Vdbe *p, int op, int p1){\n return sqlite3VdbeAddOp3(p, op, p1, 0, 0);\n}", "project": "sqlite", "hash": 202745363475134730766989992680270627724, "size": 3, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378514 }, { "func": "void sqlite3VdbeChangeP2(Vdbe *p, int addr, int val){\n sqlite3VdbeGetOp(p,addr)->p2 = val;\n}", "project": "sqlite", "hash": 136380028319791357377150098842599929826, "size": 3, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378607 }, { "func": "static void selectInnerLoop(\n Parse *pParse, /* The parser context */\n Select *p, /* The complete select statement being coded */\n int srcTab, /* Pull data from this table if non-negative */\n SortCtx *pSort, /* If not NULL, info on how to process ORDER BY */\n DistinctCtx *pDistinct, /* If not NULL, info on how to process DISTINCT */\n SelectDest *pDest, /* How to dispose of the results */\n int iContinue, /* Jump here to continue with next row */\n int iBreak /* Jump here to break out of the inner loop */\n){\n Vdbe *v = pParse->pVdbe;\n int i;\n int hasDistinct; /* True if the DISTINCT keyword is present */\n int eDest = pDest->eDest; /* How to dispose of results */\n int iParm = pDest->iSDParm; /* First argument to disposal method */\n int nResultCol; /* Number of result columns */\n int nPrefixReg = 0; /* Number of extra registers before regResult */\n RowLoadInfo sRowLoadInfo; /* Info for deferred row loading */\n\n /* Usually, regResult is the first cell in an array of memory cells\n ** containing the current result row. In this case regOrig is set to the\n ** same value. However, if the results are being sent to the sorter, the\n ** values for any expressions that are also part of the sort-key are omitted\n ** from this array. In this case regOrig is set to zero. */\n int regResult; /* Start of memory holding current results */\n int regOrig; /* Start of memory holding full result (or 0) */\n\n assert( v );\n assert( p->pEList!=0 );\n hasDistinct = pDistinct ? 
pDistinct->eTnctType : WHERE_DISTINCT_NOOP;\n if( pSort && pSort->pOrderBy==0 ) pSort = 0;\n if( pSort==0 && !hasDistinct ){\n assert( iContinue!=0 );\n codeOffset(v, p->iOffset, iContinue);\n }\n\n /* Pull the requested columns.\n */\n nResultCol = p->pEList->nExpr;\n\n if( pDest->iSdst==0 ){\n if( pSort ){\n nPrefixReg = pSort->pOrderBy->nExpr;\n if( !(pSort->sortFlags & SORTFLAG_UseSorter) ) nPrefixReg++;\n pParse->nMem += nPrefixReg;\n }\n pDest->iSdst = pParse->nMem+1;\n pParse->nMem += nResultCol;\n }else if( pDest->iSdst+nResultCol > pParse->nMem ){\n /* This is an error condition that can result, for example, when a SELECT\n ** on the right-hand side of an INSERT contains more result columns than\n ** there are columns in the table on the left. The error will be caught\n ** and reported later. But we need to make sure enough memory is allocated\n ** to avoid other spurious errors in the meantime. */\n pParse->nMem += nResultCol;\n }\n pDest->nSdst = nResultCol;\n regOrig = regResult = pDest->iSdst;\n if( srcTab>=0 ){\n for(i=0; ipEList->a[i].zEName));\n }\n }else if( eDest!=SRT_Exists ){\n#ifdef SQLITE_ENABLE_SORTER_REFERENCES\n ExprList *pExtra = 0;\n#endif\n /* If the destination is an EXISTS(...) expression, the actual\n ** values returned by the SELECT are not required.\n */\n u8 ecelFlags; /* \"ecel\" is an abbreviation of \"ExprCodeExprList\" */\n ExprList *pEList;\n if( eDest==SRT_Mem || eDest==SRT_Output || eDest==SRT_Coroutine ){\n ecelFlags = SQLITE_ECEL_DUP;\n }else{\n ecelFlags = 0;\n }\n if( pSort && hasDistinct==0 && eDest!=SRT_EphemTab && eDest!=SRT_Table ){\n /* For each expression in p->pEList that is a copy of an expression in\n ** the ORDER BY clause (pSort->pOrderBy), set the associated \n ** iOrderByCol value to one more than the index of the ORDER BY \n ** expression within the sort-key that pushOntoSorter() will generate.\n ** This allows the p->pEList field to be omitted from the sorted record,\n ** saving space and CPU cycles. 
*/\n ecelFlags |= (SQLITE_ECEL_OMITREF|SQLITE_ECEL_REF);\n\n for(i=pSort->nOBSat; ipOrderBy->nExpr; i++){\n int j;\n if( (j = pSort->pOrderBy->a[i].u.x.iOrderByCol)>0 ){\n p->pEList->a[j-1].u.x.iOrderByCol = i+1-pSort->nOBSat;\n }\n }\n#ifdef SQLITE_ENABLE_SORTER_REFERENCES\n selectExprDefer(pParse, pSort, p->pEList, &pExtra);\n if( pExtra && pParse->db->mallocFailed==0 ){\n /* If there are any extra PK columns to add to the sorter records,\n ** allocate extra memory cells and adjust the OpenEphemeral \n ** instruction to account for the larger records. This is only\n ** required if there are one or more WITHOUT ROWID tables with\n ** composite primary keys in the SortCtx.aDefer[] array. */\n VdbeOp *pOp = sqlite3VdbeGetOp(v, pSort->addrSortIndex);\n pOp->p2 += (pExtra->nExpr - pSort->nDefer);\n pOp->p4.pKeyInfo->nAllField += (pExtra->nExpr - pSort->nDefer);\n pParse->nMem += pExtra->nExpr;\n }\n#endif\n\n /* Adjust nResultCol to account for columns that are omitted\n ** from the sorter by the optimizations in this branch */\n pEList = p->pEList;\n for(i=0; inExpr; i++){\n if( pEList->a[i].u.x.iOrderByCol>0\n#ifdef SQLITE_ENABLE_SORTER_REFERENCES\n || pEList->a[i].bSorterRef\n#endif\n ){\n nResultCol--;\n regOrig = 0;\n }\n }\n\n testcase( regOrig );\n testcase( eDest==SRT_Set );\n testcase( eDest==SRT_Mem );\n testcase( eDest==SRT_Coroutine );\n testcase( eDest==SRT_Output );\n assert( eDest==SRT_Set || eDest==SRT_Mem \n || eDest==SRT_Coroutine || eDest==SRT_Output );\n }\n sRowLoadInfo.regResult = regResult;\n sRowLoadInfo.ecelFlags = ecelFlags;\n#ifdef SQLITE_ENABLE_SORTER_REFERENCES\n sRowLoadInfo.pExtra = pExtra;\n sRowLoadInfo.regExtraResult = regResult + nResultCol;\n if( pExtra ) nResultCol += pExtra->nExpr;\n#endif\n if( p->iLimit\n && (ecelFlags & SQLITE_ECEL_OMITREF)!=0 \n && nPrefixReg>0\n ){\n assert( pSort!=0 );\n assert( hasDistinct==0 );\n pSort->pDeferredRowLoad = &sRowLoadInfo;\n regOrig = 0;\n }else{\n innerLoopLoadRow(pParse, p, 
&sRowLoadInfo);\n }\n }\n\n /* If the DISTINCT keyword was present on the SELECT statement\n ** and this row has been seen before, then do not make this row\n ** part of the result.\n */\n if( hasDistinct ){\n switch( pDistinct->eTnctType ){\n case WHERE_DISTINCT_ORDERED: {\n VdbeOp *pOp; /* No longer required OpenEphemeral instr. */\n int iJump; /* Jump destination */\n int regPrev; /* Previous row content */\n\n /* Allocate space for the previous row */\n regPrev = pParse->nMem+1;\n pParse->nMem += nResultCol;\n\n /* Change the OP_OpenEphemeral coded earlier to an OP_Null\n ** sets the MEM_Cleared bit on the first register of the\n ** previous value. This will cause the OP_Ne below to always\n ** fail on the first iteration of the loop even if the first\n ** row is all NULLs.\n */\n sqlite3VdbeChangeToNoop(v, pDistinct->addrTnct);\n pOp = sqlite3VdbeGetOp(v, pDistinct->addrTnct);\n pOp->opcode = OP_Null;\n pOp->p1 = 1;\n pOp->p2 = regPrev;\n pOp = 0; /* Ensure pOp is not used after sqlite3VdbeAddOp() */\n\n iJump = sqlite3VdbeCurrentAddr(v) + nResultCol;\n for(i=0; ipEList->a[i].pExpr);\n if( idb->mallocFailed );\n sqlite3VdbeAddOp3(v, OP_Copy, regResult, regPrev, nResultCol-1);\n break;\n }\n\n case WHERE_DISTINCT_UNIQUE: {\n sqlite3VdbeChangeToNoop(v, pDistinct->addrTnct);\n break;\n }\n\n default: {\n assert( pDistinct->eTnctType==WHERE_DISTINCT_UNORDERED );\n codeDistinct(pParse, pDistinct->tabTnct, iContinue, nResultCol,\n regResult);\n break;\n }\n }\n if( pSort==0 ){\n codeOffset(v, p->iOffset, iContinue);\n }\n }\n\n switch( eDest ){\n /* In this mode, write each query result to the key of the temporary\n ** table iParm.\n */\n#ifndef SQLITE_OMIT_COMPOUND_SELECT\n case SRT_Union: {\n int r1;\n r1 = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp3(v, OP_MakeRecord, regResult, nResultCol, r1);\n sqlite3VdbeAddOp4Int(v, OP_IdxInsert, iParm, r1, regResult, nResultCol);\n sqlite3ReleaseTempReg(pParse, r1);\n break;\n }\n\n /* Construct a record from the query 
result, but instead of\n ** saving that record, use it as a key to delete elements from\n ** the temporary table iParm.\n */\n case SRT_Except: {\n sqlite3VdbeAddOp3(v, OP_IdxDelete, iParm, regResult, nResultCol);\n break;\n }\n#endif /* SQLITE_OMIT_COMPOUND_SELECT */\n\n /* Store the result as data using a unique key.\n */\n case SRT_Fifo:\n case SRT_DistFifo:\n case SRT_Table:\n case SRT_EphemTab: {\n int r1 = sqlite3GetTempRange(pParse, nPrefixReg+1);\n testcase( eDest==SRT_Table );\n testcase( eDest==SRT_EphemTab );\n testcase( eDest==SRT_Fifo );\n testcase( eDest==SRT_DistFifo );\n sqlite3VdbeAddOp3(v, OP_MakeRecord, regResult, nResultCol, r1+nPrefixReg);\n#ifndef SQLITE_OMIT_CTE\n if( eDest==SRT_DistFifo ){\n /* If the destination is DistFifo, then cursor (iParm+1) is open\n ** on an ephemeral index. If the current row is already present\n ** in the index, do not write it to the output. If not, add the\n ** current row to the index and proceed with writing it to the\n ** output table as well. */\n int addr = sqlite3VdbeCurrentAddr(v) + 4;\n sqlite3VdbeAddOp4Int(v, OP_Found, iParm+1, addr, r1, 0);\n VdbeCoverage(v);\n sqlite3VdbeAddOp4Int(v, OP_IdxInsert, iParm+1, r1,regResult,nResultCol);\n assert( pSort==0 );\n }\n#endif\n if( pSort ){\n assert( regResult==regOrig );\n pushOntoSorter(pParse, pSort, p, r1+nPrefixReg, regOrig, 1, nPrefixReg);\n }else{\n int r2 = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp2(v, OP_NewRowid, iParm, r2);\n sqlite3VdbeAddOp3(v, OP_Insert, iParm, r1, r2);\n sqlite3VdbeChangeP5(v, OPFLAG_APPEND);\n sqlite3ReleaseTempReg(pParse, r2);\n }\n sqlite3ReleaseTempRange(pParse, r1, nPrefixReg+1);\n break;\n }\n\n#ifndef SQLITE_OMIT_SUBQUERY\n /* If we are creating a set for an \"expr IN (SELECT ...)\" construct,\n ** then there should be a single item on the stack. 
Write this\n ** item into the set table with bogus data.\n */\n case SRT_Set: {\n if( pSort ){\n /* At first glance you would think we could optimize out the\n ** ORDER BY in this case since the order of entries in the set\n ** does not matter. But there might be a LIMIT clause, in which\n ** case the order does matter */\n pushOntoSorter(\n pParse, pSort, p, regResult, regOrig, nResultCol, nPrefixReg);\n }else{\n int r1 = sqlite3GetTempReg(pParse);\n assert( sqlite3Strlen30(pDest->zAffSdst)==nResultCol );\n sqlite3VdbeAddOp4(v, OP_MakeRecord, regResult, nResultCol, \n r1, pDest->zAffSdst, nResultCol);\n sqlite3VdbeAddOp4Int(v, OP_IdxInsert, iParm, r1, regResult, nResultCol);\n sqlite3ReleaseTempReg(pParse, r1);\n }\n break;\n }\n\n /* If any row exist in the result set, record that fact and abort.\n */\n case SRT_Exists: {\n sqlite3VdbeAddOp2(v, OP_Integer, 1, iParm);\n /* The LIMIT clause will terminate the loop for us */\n break;\n }\n\n /* If this is a scalar select that is part of an expression, then\n ** store the results in the appropriate memory cell or array of \n ** memory cells and break out of the scan loop.\n */\n case SRT_Mem: {\n if( pSort ){\n assert( nResultCol<=pDest->nSdst );\n pushOntoSorter(\n pParse, pSort, p, regResult, regOrig, nResultCol, nPrefixReg);\n }else{\n assert( nResultCol==pDest->nSdst );\n assert( regResult==iParm );\n /* The LIMIT clause will jump out of the loop for us */\n }\n break;\n }\n#endif /* #ifndef SQLITE_OMIT_SUBQUERY */\n\n case SRT_Coroutine: /* Send data to a co-routine */\n case SRT_Output: { /* Return the results */\n testcase( eDest==SRT_Coroutine );\n testcase( eDest==SRT_Output );\n if( pSort ){\n pushOntoSorter(pParse, pSort, p, regResult, regOrig, nResultCol,\n nPrefixReg);\n }else if( eDest==SRT_Coroutine ){\n sqlite3VdbeAddOp1(v, OP_Yield, pDest->iSDParm);\n }else{\n sqlite3VdbeAddOp2(v, OP_ResultRow, regResult, nResultCol);\n }\n break;\n }\n\n#ifndef SQLITE_OMIT_CTE\n /* Write the results into a priority 
queue that is order according to\n ** pDest->pOrderBy (in pSO). pDest->iSDParm (in iParm) is the cursor for an\n ** index with pSO->nExpr+2 columns. Build a key using pSO for the first\n ** pSO->nExpr columns, then make sure all keys are unique by adding a\n ** final OP_Sequence column. The last column is the record as a blob.\n */\n case SRT_DistQueue:\n case SRT_Queue: {\n int nKey;\n int r1, r2, r3;\n int addrTest = 0;\n ExprList *pSO;\n pSO = pDest->pOrderBy;\n assert( pSO );\n nKey = pSO->nExpr;\n r1 = sqlite3GetTempReg(pParse);\n r2 = sqlite3GetTempRange(pParse, nKey+2);\n r3 = r2+nKey+1;\n if( eDest==SRT_DistQueue ){\n /* If the destination is DistQueue, then cursor (iParm+1) is open\n ** on a second ephemeral index that holds all values every previously\n ** added to the queue. */\n addrTest = sqlite3VdbeAddOp4Int(v, OP_Found, iParm+1, 0, \n regResult, nResultCol);\n VdbeCoverage(v);\n }\n sqlite3VdbeAddOp3(v, OP_MakeRecord, regResult, nResultCol, r3);\n if( eDest==SRT_DistQueue ){\n sqlite3VdbeAddOp2(v, OP_IdxInsert, iParm+1, r3);\n sqlite3VdbeChangeP5(v, OPFLAG_USESEEKRESULT);\n }\n for(i=0; ia[i].u.x.iOrderByCol - 1,\n r2+i);\n }\n sqlite3VdbeAddOp2(v, OP_Sequence, iParm, r2+nKey);\n sqlite3VdbeAddOp3(v, OP_MakeRecord, r2, nKey+2, r1);\n sqlite3VdbeAddOp4Int(v, OP_IdxInsert, iParm, r1, r2, nKey+2);\n if( addrTest ) sqlite3VdbeJumpHere(v, addrTest);\n sqlite3ReleaseTempReg(pParse, r1);\n sqlite3ReleaseTempRange(pParse, r2, nKey+2);\n break;\n }\n#endif /* SQLITE_OMIT_CTE */\n\n\n\n#if !defined(SQLITE_OMIT_TRIGGER)\n /* Discard the results. This is used for SELECT statements inside\n ** the body of a TRIGGER. The purpose of such selects is to call\n ** user-defined functions that have side effects. We do not care\n ** about the actual results of the select.\n */\n default: {\n assert( eDest==SRT_Discard );\n break;\n }\n#endif\n }\n\n /* Jump to the end of the loop if the LIMIT is reached. 
Except, if\n ** there is a sorter, in which case the sorter has already limited\n ** the output for us.\n */\n if( pSort==0 && p->iLimit ){\n sqlite3VdbeAddOp2(v, OP_DecrJumpZero, p->iLimit, iBreak); VdbeCoverage(v);\n }\n}", "project": "sqlite", "hash": 221917346064551002545394443368662722340, "size": 411, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246160 }, { "func": "static void selectInnerLoop(\n Parse *pParse, /* The parser context */\n Select *p, /* The complete select statement being coded */\n int srcTab, /* Pull data from this table if non-negative */\n SortCtx *pSort, /* If not NULL, info on how to process ORDER BY */\n DistinctCtx *pDistinct, /* If not NULL, info on how to process DISTINCT */\n SelectDest *pDest, /* How to dispose of the results */\n int iContinue, /* Jump here to continue with next row */\n int iBreak /* Jump here to break out of the inner loop */\n){\n Vdbe *v = pParse->pVdbe;\n int i;\n int hasDistinct; /* True if the DISTINCT keyword is present */\n int eDest = pDest->eDest; /* How to dispose of results */\n int iParm = pDest->iSDParm; /* First argument to disposal method */\n int nResultCol; /* Number of result columns */\n int nPrefixReg = 0; /* Number of extra registers before regResult */\n RowLoadInfo sRowLoadInfo; /* Info for deferred row loading */\n\n /* Usually, regResult is the first cell in an array of memory cells\n ** containing the current result row. In this case regOrig is set to the\n ** same value. However, if the results are being sent to the sorter, the\n ** values for any expressions that are also part of the sort-key are omitted\n ** from this array. In this case regOrig is set to zero. 
*/\n int regResult; /* Start of memory holding current results */\n int regOrig; /* Start of memory holding full result (or 0) */\n\n assert( v );\n assert( p->pEList!=0 );\n hasDistinct = pDistinct ? pDistinct->eTnctType : WHERE_DISTINCT_NOOP;\n if( pSort && pSort->pOrderBy==0 ) pSort = 0;\n if( pSort==0 && !hasDistinct ){\n assert( iContinue!=0 );\n codeOffset(v, p->iOffset, iContinue);\n }\n\n /* Pull the requested columns.\n */\n nResultCol = p->pEList->nExpr;\n\n if( pDest->iSdst==0 ){\n if( pSort ){\n nPrefixReg = pSort->pOrderBy->nExpr;\n if( !(pSort->sortFlags & SORTFLAG_UseSorter) ) nPrefixReg++;\n pParse->nMem += nPrefixReg;\n }\n pDest->iSdst = pParse->nMem+1;\n pParse->nMem += nResultCol;\n }else if( pDest->iSdst+nResultCol > pParse->nMem ){\n /* This is an error condition that can result, for example, when a SELECT\n ** on the right-hand side of an INSERT contains more result columns than\n ** there are columns in the table on the left. The error will be caught\n ** and reported later. But we need to make sure enough memory is allocated\n ** to avoid other spurious errors in the meantime. */\n pParse->nMem += nResultCol;\n }\n pDest->nSdst = nResultCol;\n regOrig = regResult = pDest->iSdst;\n if( srcTab>=0 ){\n for(i=0; ipEList->a[i].zName));\n }\n }else if( eDest!=SRT_Exists ){\n#ifdef SQLITE_ENABLE_SORTER_REFERENCES\n ExprList *pExtra = 0;\n#endif\n /* If the destination is an EXISTS(...) 
expression, the actual\n ** values returned by the SELECT are not required.\n */\n u8 ecelFlags; /* \"ecel\" is an abbreviation of \"ExprCodeExprList\" */\n ExprList *pEList;\n if( eDest==SRT_Mem || eDest==SRT_Output || eDest==SRT_Coroutine ){\n ecelFlags = SQLITE_ECEL_DUP;\n }else{\n ecelFlags = 0;\n }\n if( pSort && hasDistinct==0 && eDest!=SRT_EphemTab && eDest!=SRT_Table ){\n /* For each expression in p->pEList that is a copy of an expression in\n ** the ORDER BY clause (pSort->pOrderBy), set the associated \n ** iOrderByCol value to one more than the index of the ORDER BY \n ** expression within the sort-key that pushOntoSorter() will generate.\n ** This allows the p->pEList field to be omitted from the sorted record,\n ** saving space and CPU cycles. */\n ecelFlags |= (SQLITE_ECEL_OMITREF|SQLITE_ECEL_REF);\n\n for(i=pSort->nOBSat; ipOrderBy->nExpr; i++){\n int j;\n if( (j = pSort->pOrderBy->a[i].u.x.iOrderByCol)>0 ){\n p->pEList->a[j-1].u.x.iOrderByCol = i+1-pSort->nOBSat;\n }\n }\n#ifdef SQLITE_ENABLE_SORTER_REFERENCES\n selectExprDefer(pParse, pSort, p->pEList, &pExtra);\n if( pExtra && pParse->db->mallocFailed==0 ){\n /* If there are any extra PK columns to add to the sorter records,\n ** allocate extra memory cells and adjust the OpenEphemeral \n ** instruction to account for the larger records. This is only\n ** required if there are one or more WITHOUT ROWID tables with\n ** composite primary keys in the SortCtx.aDefer[] array. 
*/\n VdbeOp *pOp = sqlite3VdbeGetOp(v, pSort->addrSortIndex);\n pOp->p2 += (pExtra->nExpr - pSort->nDefer);\n pOp->p4.pKeyInfo->nAllField += (pExtra->nExpr - pSort->nDefer);\n pParse->nMem += pExtra->nExpr;\n }\n#endif\n\n /* Adjust nResultCol to account for columns that are omitted\n ** from the sorter by the optimizations in this branch */\n pEList = p->pEList;\n for(i=0; inExpr; i++){\n if( pEList->a[i].u.x.iOrderByCol>0\n#ifdef SQLITE_ENABLE_SORTER_REFERENCES\n || pEList->a[i].bSorterRef\n#endif\n ){\n nResultCol--;\n regOrig = 0;\n }\n }\n\n testcase( regOrig );\n testcase( eDest==SRT_Set );\n testcase( eDest==SRT_Mem );\n testcase( eDest==SRT_Coroutine );\n testcase( eDest==SRT_Output );\n assert( eDest==SRT_Set || eDest==SRT_Mem \n || eDest==SRT_Coroutine || eDest==SRT_Output );\n }\n sRowLoadInfo.regResult = regResult;\n sRowLoadInfo.ecelFlags = ecelFlags;\n#ifdef SQLITE_ENABLE_SORTER_REFERENCES\n sRowLoadInfo.pExtra = pExtra;\n sRowLoadInfo.regExtraResult = regResult + nResultCol;\n if( pExtra ) nResultCol += pExtra->nExpr;\n#endif\n if( p->iLimit\n && (ecelFlags & SQLITE_ECEL_OMITREF)!=0 \n && nPrefixReg>0\n ){\n assert( pSort!=0 );\n assert( hasDistinct==0 );\n pSort->pDeferredRowLoad = &sRowLoadInfo;\n regOrig = 0;\n }else{\n innerLoopLoadRow(pParse, p, &sRowLoadInfo);\n }\n }\n\n /* If the DISTINCT keyword was present on the SELECT statement\n ** and this row has been seen before, then do not make this row\n ** part of the result.\n */\n if( hasDistinct ){\n switch( pDistinct->eTnctType ){\n case WHERE_DISTINCT_ORDERED: {\n VdbeOp *pOp; /* No longer required OpenEphemeral instr. */\n int iJump; /* Jump destination */\n int regPrev; /* Previous row content */\n\n /* Allocate space for the previous row */\n regPrev = pParse->nMem+1;\n pParse->nMem += nResultCol;\n\n /* Change the OP_OpenEphemeral coded earlier to an OP_Null\n ** sets the MEM_Cleared bit on the first register of the\n ** previous value. 
This will cause the OP_Ne below to always\n ** fail on the first iteration of the loop even if the first\n ** row is all NULLs.\n */\n sqlite3VdbeChangeToNoop(v, pDistinct->addrTnct);\n pOp = sqlite3VdbeGetOp(v, pDistinct->addrTnct);\n pOp->opcode = OP_Null;\n pOp->p1 = 1;\n pOp->p2 = regPrev;\n pOp = 0; /* Ensure pOp is not used after sqlite3VdbeAddOp() */\n\n iJump = sqlite3VdbeCurrentAddr(v) + nResultCol;\n for(i=0; ipEList->a[i].pExpr);\n if( idb->mallocFailed );\n sqlite3VdbeAddOp3(v, OP_Copy, regResult, regPrev, nResultCol-1);\n break;\n }\n\n case WHERE_DISTINCT_UNIQUE: {\n sqlite3VdbeChangeToNoop(v, pDistinct->addrTnct);\n break;\n }\n\n default: {\n assert( pDistinct->eTnctType==WHERE_DISTINCT_UNORDERED );\n codeDistinct(pParse, pDistinct->tabTnct, iContinue, nResultCol,\n regResult);\n break;\n }\n }\n if( pSort==0 ){\n codeOffset(v, p->iOffset, iContinue);\n }\n }\n\n switch( eDest ){\n /* In this mode, write each query result to the key of the temporary\n ** table iParm.\n */\n#ifndef SQLITE_OMIT_COMPOUND_SELECT\n case SRT_Union: {\n int r1;\n r1 = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp3(v, OP_MakeRecord, regResult, nResultCol, r1);\n sqlite3VdbeAddOp4Int(v, OP_IdxInsert, iParm, r1, regResult, nResultCol);\n sqlite3ReleaseTempReg(pParse, r1);\n break;\n }\n\n /* Construct a record from the query result, but instead of\n ** saving that record, use it as a key to delete elements from\n ** the temporary table iParm.\n */\n case SRT_Except: {\n sqlite3VdbeAddOp3(v, OP_IdxDelete, iParm, regResult, nResultCol);\n break;\n }\n#endif /* SQLITE_OMIT_COMPOUND_SELECT */\n\n /* Store the result as data using a unique key.\n */\n case SRT_Fifo:\n case SRT_DistFifo:\n case SRT_Table:\n case SRT_EphemTab: {\n int r1 = sqlite3GetTempRange(pParse, nPrefixReg+1);\n testcase( eDest==SRT_Table );\n testcase( eDest==SRT_EphemTab );\n testcase( eDest==SRT_Fifo );\n testcase( eDest==SRT_DistFifo );\n sqlite3VdbeAddOp3(v, OP_MakeRecord, regResult, nResultCol, 
r1+nPrefixReg);\n#ifndef SQLITE_OMIT_CTE\n if( eDest==SRT_DistFifo ){\n /* If the destination is DistFifo, then cursor (iParm+1) is open\n ** on an ephemeral index. If the current row is already present\n ** in the index, do not write it to the output. If not, add the\n ** current row to the index and proceed with writing it to the\n ** output table as well. */\n int addr = sqlite3VdbeCurrentAddr(v) + 4;\n sqlite3VdbeAddOp4Int(v, OP_Found, iParm+1, addr, r1, 0);\n VdbeCoverage(v);\n sqlite3VdbeAddOp4Int(v, OP_IdxInsert, iParm+1, r1,regResult,nResultCol);\n assert( pSort==0 );\n }\n#endif\n if( pSort ){\n assert( regResult==regOrig );\n pushOntoSorter(pParse, pSort, p, r1+nPrefixReg, regOrig, 1, nPrefixReg);\n }else{\n int r2 = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp2(v, OP_NewRowid, iParm, r2);\n sqlite3VdbeAddOp3(v, OP_Insert, iParm, r1, r2);\n sqlite3VdbeChangeP5(v, OPFLAG_APPEND);\n sqlite3ReleaseTempReg(pParse, r2);\n }\n sqlite3ReleaseTempRange(pParse, r1, nPrefixReg+1);\n break;\n }\n\n#ifndef SQLITE_OMIT_SUBQUERY\n /* If we are creating a set for an \"expr IN (SELECT ...)\" construct,\n ** then there should be a single item on the stack. Write this\n ** item into the set table with bogus data.\n */\n case SRT_Set: {\n if( pSort ){\n /* At first glance you would think we could optimize out the\n ** ORDER BY in this case since the order of entries in the set\n ** does not matter. 
But there might be a LIMIT clause, in which\n ** case the order does matter */\n pushOntoSorter(\n pParse, pSort, p, regResult, regOrig, nResultCol, nPrefixReg);\n }else{\n int r1 = sqlite3GetTempReg(pParse);\n assert( sqlite3Strlen30(pDest->zAffSdst)==nResultCol );\n sqlite3VdbeAddOp4(v, OP_MakeRecord, regResult, nResultCol, \n r1, pDest->zAffSdst, nResultCol);\n sqlite3VdbeAddOp4Int(v, OP_IdxInsert, iParm, r1, regResult, nResultCol);\n sqlite3ReleaseTempReg(pParse, r1);\n }\n break;\n }\n\n /* If any row exist in the result set, record that fact and abort.\n */\n case SRT_Exists: {\n sqlite3VdbeAddOp2(v, OP_Integer, 1, iParm);\n /* The LIMIT clause will terminate the loop for us */\n break;\n }\n\n /* If this is a scalar select that is part of an expression, then\n ** store the results in the appropriate memory cell or array of \n ** memory cells and break out of the scan loop.\n */\n case SRT_Mem: {\n if( pSort ){\n assert( nResultCol<=pDest->nSdst );\n pushOntoSorter(\n pParse, pSort, p, regResult, regOrig, nResultCol, nPrefixReg);\n }else{\n assert( nResultCol==pDest->nSdst );\n assert( regResult==iParm );\n /* The LIMIT clause will jump out of the loop for us */\n }\n break;\n }\n#endif /* #ifndef SQLITE_OMIT_SUBQUERY */\n\n case SRT_Coroutine: /* Send data to a co-routine */\n case SRT_Output: { /* Return the results */\n testcase( eDest==SRT_Coroutine );\n testcase( eDest==SRT_Output );\n if( pSort ){\n pushOntoSorter(pParse, pSort, p, regResult, regOrig, nResultCol,\n nPrefixReg);\n }else if( eDest==SRT_Coroutine ){\n sqlite3VdbeAddOp1(v, OP_Yield, pDest->iSDParm);\n }else{\n sqlite3VdbeAddOp2(v, OP_ResultRow, regResult, nResultCol);\n }\n break;\n }\n\n#ifndef SQLITE_OMIT_CTE\n /* Write the results into a priority queue that is order according to\n ** pDest->pOrderBy (in pSO). pDest->iSDParm (in iParm) is the cursor for an\n ** index with pSO->nExpr+2 columns. 
Build a key using pSO for the first\n ** pSO->nExpr columns, then make sure all keys are unique by adding a\n ** final OP_Sequence column. The last column is the record as a blob.\n */\n case SRT_DistQueue:\n case SRT_Queue: {\n int nKey;\n int r1, r2, r3;\n int addrTest = 0;\n ExprList *pSO;\n pSO = pDest->pOrderBy;\n assert( pSO );\n nKey = pSO->nExpr;\n r1 = sqlite3GetTempReg(pParse);\n r2 = sqlite3GetTempRange(pParse, nKey+2);\n r3 = r2+nKey+1;\n if( eDest==SRT_DistQueue ){\n /* If the destination is DistQueue, then cursor (iParm+1) is open\n ** on a second ephemeral index that holds all values every previously\n ** added to the queue. */\n addrTest = sqlite3VdbeAddOp4Int(v, OP_Found, iParm+1, 0, \n regResult, nResultCol);\n VdbeCoverage(v);\n }\n sqlite3VdbeAddOp3(v, OP_MakeRecord, regResult, nResultCol, r3);\n if( eDest==SRT_DistQueue ){\n sqlite3VdbeAddOp2(v, OP_IdxInsert, iParm+1, r3);\n sqlite3VdbeChangeP5(v, OPFLAG_USESEEKRESULT);\n }\n for(i=0; ia[i].u.x.iOrderByCol - 1,\n r2+i);\n }\n sqlite3VdbeAddOp2(v, OP_Sequence, iParm, r2+nKey);\n sqlite3VdbeAddOp3(v, OP_MakeRecord, r2, nKey+2, r1);\n sqlite3VdbeAddOp4Int(v, OP_IdxInsert, iParm, r1, r2, nKey+2);\n if( addrTest ) sqlite3VdbeJumpHere(v, addrTest);\n sqlite3ReleaseTempReg(pParse, r1);\n sqlite3ReleaseTempRange(pParse, r2, nKey+2);\n break;\n }\n#endif /* SQLITE_OMIT_CTE */\n\n\n\n#if !defined(SQLITE_OMIT_TRIGGER)\n /* Discard the results. This is used for SELECT statements inside\n ** the body of a TRIGGER. The purpose of such selects is to call\n ** user-defined functions that have side effects. We do not care\n ** about the actual results of the select.\n */\n default: {\n assert( eDest==SRT_Discard );\n break;\n }\n#endif\n }\n\n /* Jump to the end of the loop if the LIMIT is reached. 
Except, if\n ** there is a sorter, in which case the sorter has already limited\n ** the output for us.\n */\n if( pSort==0 && p->iLimit ){\n sqlite3VdbeAddOp2(v, OP_DecrJumpZero, p->iLimit, iBreak); VdbeCoverage(v);\n }\n}", "project": "sqlite", "hash": 286753363423543415797988810598659173166, "size": 411, "commit_id": "a6c1a71cde082e09750465d5675699062922e387", "message": "Do not attempt to unwind the WITH stack in the Parse object following an error. This fixes a separate case to [de6e6d68].\n\nFossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92", "target": 0, "dataset": "other", "idx": 356315 }, { "func": "void sqlite3VdbeMultiLoad(Vdbe *p, int iDest, const char *zTypes, ...){\n va_list ap;\n int i;\n char c;\n va_start(ap, zTypes);\n for(i=0; (c = zTypes[i])!=0; i++){\n if( c=='s' ){\n const char *z = va_arg(ap, const char*);\n sqlite3VdbeAddOp4(p, z==0 ? OP_Null : OP_String8, 0, iDest+i, 0, z, 0);\n }else if( c=='i' ){\n sqlite3VdbeAddOp2(p, OP_Integer, va_arg(ap, int), iDest+i);\n }else{\n goto skip_op_resultrow;\n }\n }\n sqlite3VdbeAddOp2(p, OP_ResultRow, iDest, i);\nskip_op_resultrow:\n va_end(ap);\n}", "project": "sqlite", "hash": 73114231488164158065900318687491358477, "size": 19, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378487 }, { "func": "static void initMemArray(Mem *p, int N, sqlite3 *db, u16 flags){\n while( (N--)>0 ){\n p->db = db;\n p->flags = flags;\n p->szMalloc = 0;\n#ifdef SQLITE_DEBUG\n p->pScopyFrom = 0;\n#endif\n p++;\n }\n}", "project": "sqlite", "hash": 321610772949466230928567409458599263334, "size": 11, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378672 }, { "func": "static void explainSimpleCount(\n Parse *pParse, /* Parse context */\n Table *pTab, /* Table being queried */\n Index *pIdx /* Index used to optimize scan, or NULL */\n){\n if( pParse->explain==2 ){\n int bCover = (pIdx!=0 && (HasRowid(pTab) || !IsPrimaryKeyIndex(pIdx)));\n sqlite3VdbeExplain(pParse, 0, \"SCAN TABLE %s%s%s\",\n pTab->zName,\n bCover ? \" USING COVERING INDEX \" : \"\",\n bCover ? 
pIdx->zName : \"\"\n );\n }\n}", "project": "sqlite", "hash": 130496768177895493593020712202501915593, "size": 14, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246197 }, { "func": "void sqlite3WindowFunctions(void){\n static FuncDef aWindowFuncs[] = {\n WINDOWFUNCX(row_number, 0, 0),\n WINDOWFUNCX(dense_rank, 0, 0),\n WINDOWFUNCX(rank, 0, 0),\n WINDOWFUNCALL(percent_rank, 0, 0),\n WINDOWFUNCALL(cume_dist, 0, 0),\n WINDOWFUNCALL(ntile, 1, 0),\n WINDOWFUNCALL(last_value, 1, 0),\n WINDOWFUNCALL(nth_value, 2, 0),\n WINDOWFUNCALL(first_value, 1, 0),\n WINDOWFUNCNOOP(lead, 1, 0),\n WINDOWFUNCNOOP(lead, 2, 0),\n WINDOWFUNCNOOP(lead, 3, 0),\n WINDOWFUNCNOOP(lag, 1, 0),\n WINDOWFUNCNOOP(lag, 2, 0),\n WINDOWFUNCNOOP(lag, 3, 0),\n };\n sqlite3InsertBuiltinFuncs(aWindowFuncs, ArraySize(aWindowFuncs));\n}", "project": "sqlite", "hash": 298507056624946596362814575103787859674, "size": 20, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378670 }, { "func": "void sqlite3ExplainBreakpoint(const char *z1, const char *z2){\n (void)z1;\n (void)z2;\n}", "project": "sqlite", "hash": 135642952628259862310823582972107653739, "size": 4, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378555 }, { "func": "static int multiSelectValues(\n Parse *pParse, /* Parsing context */\n Select *p, /* The right-most of SELECTs to be coded */\n SelectDest *pDest /* What to do with query results */\n){\n int nRow = 1;\n int rc = 0;\n int bShowAll = p->pLimit==0;\n assert( p->selFlags & SF_MultiValue );\n do{\n assert( p->selFlags & SF_Values );\n assert( p->op==TK_ALL || (p->op==TK_SELECT && p->pPrior==0) );\n assert( p->pNext==0 || p->pEList->nExpr==p->pNext->pEList->nExpr );\n#ifndef SQLITE_OMIT_WINDOWFUNC\n if( p->pWin ) return -1;\n#endif\n if( p->pPrior==0 ) break;\n assert( p->pPrior->pNext==p );\n p = p->pPrior;\n nRow += bShowAll;\n }while(1);\n ExplainQueryPlan((pParse, 0, \"SCAN %d CONSTANT ROW%s\", nRow,\n nRow==1 ? 
\"\" : \"S\"));\n while( p ){\n selectInnerLoop(pParse, p, -1, 0, 0, pDest, 1, 1);\n if( !bShowAll ) break;\n p->nSelectRow = nRow;\n p = p->pNext;\n }\n return rc;\n}", "project": "sqlite", "hash": 44717397647203420412666505888290471195, "size": 31, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246167 }, { "func": "static int multiSelectValues(\n Parse *pParse, /* Parsing context */\n Select *p, /* The right-most of SELECTs to be coded */\n SelectDest *pDest /* What to do with query results */\n){\n int nRow = 1;\n int rc = 0;\n int bShowAll = p->pLimit==0;\n assert( p->selFlags & SF_MultiValue );\n do{\n assert( p->selFlags & SF_Values );\n assert( p->op==TK_ALL || (p->op==TK_SELECT && p->pPrior==0) );\n assert( p->pNext==0 || p->pEList->nExpr==p->pNext->pEList->nExpr );\n if( p->pWin ) return -1;\n if( p->pPrior==0 ) break;\n assert( p->pPrior->pNext==p );\n p = p->pPrior;\n nRow += bShowAll;\n }while(1);\n ExplainQueryPlan((pParse, 0, \"SCAN %d CONSTANT ROW%s\", nRow,\n nRow==1 ? \"\" : \"S\"));\n while( p ){\n selectInnerLoop(pParse, p, -1, 0, 0, pDest, 1, 1);\n if( !bShowAll ) break;\n p->nSelectRow = nRow;\n p = p->pNext;\n }\n return rc;\n}", "project": "sqlite", "hash": 206243115207583620629950953407880715861, "size": 29, "commit_id": "a6c1a71cde082e09750465d5675699062922e387", "message": "Do not attempt to unwind the WITH stack in the Parse object following an error. 
This fixes a separate case to [de6e6d68].\n\nFossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92", "target": 0, "dataset": "other", "idx": 356317 }, { "func": "int sqlite3VdbeFrameIsValid(VdbeFrame *pFrame){\n if( pFrame->iFrameMagic!=SQLITE_FRAME_MAGIC ) return 0;\n return 1;\n}", "project": "sqlite", "hash": 133454376433093485018797129393544048379, "size": 4, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378636 }, { "func": "int sqlite3ExprCodeTarget(Parse *pParse, Expr *pExpr, int target){\n Vdbe *v = pParse->pVdbe; /* The VM under construction */\n int op; /* The opcode being coded */\n int inReg = target; /* Results stored in register inReg */\n int regFree1 = 0; /* If non-zero free this temporary register */\n int regFree2 = 0; /* If non-zero free this temporary register */\n int r1, r2; /* Various register numbers */\n Expr tempX; /* Temporary expression node */\n int p5 = 0;\n\n assert( target>0 && target<=pParse->nMem );\n if( v==0 ){\n assert( pParse->db->mallocFailed );\n return 0;\n }\n\nexpr_code_doover:\n if( pExpr==0 ){\n op = TK_NULL;\n }else{\n op = pExpr->op;\n }\n switch( op ){\n case TK_AGG_COLUMN: {\n AggInfo *pAggInfo = pExpr->pAggInfo;\n struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];\n if( !pAggInfo->directMode ){\n assert( pCol->iMem>0 );\n return pCol->iMem;\n }else if( pAggInfo->useSortingIdx ){\n sqlite3VdbeAddOp3(v, OP_Column, pAggInfo->sortingIdxPTab,\n pCol->iSorterColumn, target);\n return target;\n }\n 
/* Otherwise, fall thru into the TK_COLUMN case */\n }\n case TK_COLUMN: {\n int iTab = pExpr->iTable;\n if( ExprHasProperty(pExpr, EP_FixedCol) ){\n /* This COLUMN expression is really a constant due to WHERE clause\n ** constraints, and that constant is coded by the pExpr->pLeft\n ** expresssion. However, make sure the constant has the correct\n ** datatype by applying the Affinity of the table column to the\n ** constant.\n */\n int iReg = sqlite3ExprCodeTarget(pParse, pExpr->pLeft,target);\n int aff;\n if( pExpr->y.pTab ){\n aff = sqlite3TableColumnAffinity(pExpr->y.pTab, pExpr->iColumn);\n }else{\n aff = pExpr->affExpr;\n }\n if( aff>SQLITE_AFF_BLOB ){\n static const char zAff[] = \"B\\000C\\000D\\000E\";\n assert( SQLITE_AFF_BLOB=='A' );\n assert( SQLITE_AFF_TEXT=='B' );\n if( iReg!=target ){\n sqlite3VdbeAddOp2(v, OP_SCopy, iReg, target);\n iReg = target;\n }\n sqlite3VdbeAddOp4(v, OP_Affinity, iReg, 1, 0,\n &zAff[(aff-'B')*2], P4_STATIC);\n }\n return iReg;\n }\n if( iTab<0 ){\n if( pParse->iSelfTab<0 ){\n /* Other columns in the same row for CHECK constraints or\n ** generated columns or for inserting into partial index.\n ** The row is unpacked into registers beginning at\n ** 0-(pParse->iSelfTab). 
The rowid (if any) is in a register\n ** immediately prior to the first column.\n */\n Column *pCol;\n Table *pTab = pExpr->y.pTab;\n int iSrc;\n int iCol = pExpr->iColumn;\n assert( pTab!=0 );\n assert( iCol>=XN_ROWID );\n assert( iColy.pTab->nCol );\n if( iCol<0 ){\n return -1-pParse->iSelfTab;\n }\n pCol = pTab->aCol + iCol;\n testcase( iCol!=sqlite3TableColumnToStorage(pTab,iCol) );\n iSrc = sqlite3TableColumnToStorage(pTab, iCol) - pParse->iSelfTab;\n#ifndef SQLITE_OMIT_GENERATED_COLUMNS\n if( pCol->colFlags & COLFLAG_GENERATED ){\n if( pCol->colFlags & COLFLAG_BUSY ){\n sqlite3ErrorMsg(pParse, \"generated column loop on \\\"%s\\\"\",\n pCol->zName);\n return 0;\n }\n pCol->colFlags |= COLFLAG_BUSY;\n if( pCol->colFlags & COLFLAG_NOTAVAIL ){\n sqlite3ExprCodeGeneratedColumn(pParse, pCol, iSrc);\n }\n pCol->colFlags &= ~(COLFLAG_BUSY|COLFLAG_NOTAVAIL);\n return iSrc;\n }else\n#endif /* SQLITE_OMIT_GENERATED_COLUMNS */\n if( pCol->affinity==SQLITE_AFF_REAL ){\n sqlite3VdbeAddOp2(v, OP_SCopy, iSrc, target);\n sqlite3VdbeAddOp1(v, OP_RealAffinity, target);\n return target;\n }else{\n return iSrc;\n }\n }else{\n /* Coding an expression that is part of an index where column names\n ** in the index refer to the table to which the index belongs */\n iTab = pParse->iSelfTab - 1;\n }\n }\n return sqlite3ExprCodeGetColumn(pParse, pExpr->y.pTab,\n pExpr->iColumn, iTab, target,\n pExpr->op2);\n }\n case TK_INTEGER: {\n codeInteger(pParse, pExpr, 0, target);\n return target;\n }\n case TK_TRUEFALSE: {\n sqlite3VdbeAddOp2(v, OP_Integer, sqlite3ExprTruthValue(pExpr), target);\n return target;\n }\n#ifndef SQLITE_OMIT_FLOATING_POINT\n case TK_FLOAT: {\n assert( !ExprHasProperty(pExpr, EP_IntValue) );\n codeReal(v, pExpr->u.zToken, 0, target);\n return target;\n }\n#endif\n case TK_STRING: {\n assert( !ExprHasProperty(pExpr, EP_IntValue) );\n sqlite3VdbeLoadString(v, target, pExpr->u.zToken);\n return target;\n }\n default: {\n /* Make NULL the default case so that if a bug 
causes an illegal\n ** Expr node to be passed into this function, it will be handled\n ** sanely and not crash. But keep an assert() to bring the problem\n ** to the attention of the developers. */\n assert( op==TK_NULL );\n sqlite3VdbeAddOp2(v, OP_Null, 0, target);\n return target;\n }\n#ifndef SQLITE_OMIT_BLOB_LITERAL\n case TK_BLOB: {\n int n;\n const char *z;\n char *zBlob;\n assert( !ExprHasProperty(pExpr, EP_IntValue) );\n assert( pExpr->u.zToken[0]=='x' || pExpr->u.zToken[0]=='X' );\n assert( pExpr->u.zToken[1]=='\\'' );\n z = &pExpr->u.zToken[2];\n n = sqlite3Strlen30(z) - 1;\n assert( z[n]=='\\'' );\n zBlob = sqlite3HexToBlob(sqlite3VdbeDb(v), z, n);\n sqlite3VdbeAddOp4(v, OP_Blob, n/2, target, 0, zBlob, P4_DYNAMIC);\n return target;\n }\n#endif\n case TK_VARIABLE: {\n assert( !ExprHasProperty(pExpr, EP_IntValue) );\n assert( pExpr->u.zToken!=0 );\n assert( pExpr->u.zToken[0]!=0 );\n sqlite3VdbeAddOp2(v, OP_Variable, pExpr->iColumn, target);\n if( pExpr->u.zToken[1]!=0 ){\n const char *z = sqlite3VListNumToName(pParse->pVList, pExpr->iColumn);\n assert( pExpr->u.zToken[0]=='?' || strcmp(pExpr->u.zToken, z)==0 );\n pParse->pVList[0] = 0; /* Indicate VList may no longer be enlarged */\n sqlite3VdbeAppendP4(v, (char*)z, P4_STATIC);\n }\n return target;\n }\n case TK_REGISTER: {\n return pExpr->iTable;\n }\n#ifndef SQLITE_OMIT_CAST\n case TK_CAST: {\n /* Expressions of the form: CAST(pLeft AS token) */\n inReg = sqlite3ExprCodeTarget(pParse, pExpr->pLeft, target);\n if( inReg!=target ){\n sqlite3VdbeAddOp2(v, OP_SCopy, inReg, target);\n inReg = target;\n }\n sqlite3VdbeAddOp2(v, OP_Cast, target,\n sqlite3AffinityType(pExpr->u.zToken, 0));\n return inReg;\n }\n#endif /* SQLITE_OMIT_CAST */\n case TK_IS:\n case TK_ISNOT:\n op = (op==TK_IS) ? 
TK_EQ : TK_NE;\n p5 = SQLITE_NULLEQ;\n /* fall-through */\n case TK_LT:\n case TK_LE:\n case TK_GT:\n case TK_GE:\n case TK_NE:\n case TK_EQ: {\n Expr *pLeft = pExpr->pLeft;\n if( sqlite3ExprIsVector(pLeft) ){\n codeVectorCompare(pParse, pExpr, target, op, p5);\n }else{\n r1 = sqlite3ExprCodeTemp(pParse, pLeft, ®Free1);\n r2 = sqlite3ExprCodeTemp(pParse, pExpr->pRight, ®Free2);\n codeCompare(pParse, pLeft, pExpr->pRight, op,\n r1, r2, inReg, SQLITE_STOREP2 | p5,\n ExprHasProperty(pExpr,EP_Commuted));\n assert(TK_LT==OP_Lt); testcase(op==OP_Lt); VdbeCoverageIf(v,op==OP_Lt);\n assert(TK_LE==OP_Le); testcase(op==OP_Le); VdbeCoverageIf(v,op==OP_Le);\n assert(TK_GT==OP_Gt); testcase(op==OP_Gt); VdbeCoverageIf(v,op==OP_Gt);\n assert(TK_GE==OP_Ge); testcase(op==OP_Ge); VdbeCoverageIf(v,op==OP_Ge);\n assert(TK_EQ==OP_Eq); testcase(op==OP_Eq); VdbeCoverageIf(v,op==OP_Eq);\n assert(TK_NE==OP_Ne); testcase(op==OP_Ne); VdbeCoverageIf(v,op==OP_Ne);\n testcase( regFree1==0 );\n testcase( regFree2==0 );\n }\n break;\n }\n case TK_AND:\n case TK_OR:\n case TK_PLUS:\n case TK_STAR:\n case TK_MINUS:\n case TK_REM:\n case TK_BITAND:\n case TK_BITOR:\n case TK_SLASH:\n case TK_LSHIFT:\n case TK_RSHIFT: \n case TK_CONCAT: {\n assert( TK_AND==OP_And ); testcase( op==TK_AND );\n assert( TK_OR==OP_Or ); testcase( op==TK_OR );\n assert( TK_PLUS==OP_Add ); testcase( op==TK_PLUS );\n assert( TK_MINUS==OP_Subtract ); testcase( op==TK_MINUS );\n assert( TK_REM==OP_Remainder ); testcase( op==TK_REM );\n assert( TK_BITAND==OP_BitAnd ); testcase( op==TK_BITAND );\n assert( TK_BITOR==OP_BitOr ); testcase( op==TK_BITOR );\n assert( TK_SLASH==OP_Divide ); testcase( op==TK_SLASH );\n assert( TK_LSHIFT==OP_ShiftLeft ); testcase( op==TK_LSHIFT );\n assert( TK_RSHIFT==OP_ShiftRight ); testcase( op==TK_RSHIFT );\n assert( TK_CONCAT==OP_Concat ); testcase( op==TK_CONCAT );\n r1 = sqlite3ExprCodeTemp(pParse, pExpr->pLeft, ®Free1);\n r2 = sqlite3ExprCodeTemp(pParse, pExpr->pRight, ®Free2);\n 
sqlite3VdbeAddOp3(v, op, r2, r1, target);\n testcase( regFree1==0 );\n testcase( regFree2==0 );\n break;\n }\n case TK_UMINUS: {\n Expr *pLeft = pExpr->pLeft;\n assert( pLeft );\n if( pLeft->op==TK_INTEGER ){\n codeInteger(pParse, pLeft, 1, target);\n return target;\n#ifndef SQLITE_OMIT_FLOATING_POINT\n }else if( pLeft->op==TK_FLOAT ){\n assert( !ExprHasProperty(pExpr, EP_IntValue) );\n codeReal(v, pLeft->u.zToken, 1, target);\n return target;\n#endif\n }else{\n tempX.op = TK_INTEGER;\n tempX.flags = EP_IntValue|EP_TokenOnly;\n tempX.u.iValue = 0;\n r1 = sqlite3ExprCodeTemp(pParse, &tempX, ®Free1);\n r2 = sqlite3ExprCodeTemp(pParse, pExpr->pLeft, ®Free2);\n sqlite3VdbeAddOp3(v, OP_Subtract, r2, r1, target);\n testcase( regFree2==0 );\n }\n break;\n }\n case TK_BITNOT:\n case TK_NOT: {\n assert( TK_BITNOT==OP_BitNot ); testcase( op==TK_BITNOT );\n assert( TK_NOT==OP_Not ); testcase( op==TK_NOT );\n r1 = sqlite3ExprCodeTemp(pParse, pExpr->pLeft, ®Free1);\n testcase( regFree1==0 );\n sqlite3VdbeAddOp2(v, op, r1, inReg);\n break;\n }\n case TK_TRUTH: {\n int isTrue; /* IS TRUE or IS NOT TRUE */\n int bNormal; /* IS TRUE or IS FALSE */\n r1 = sqlite3ExprCodeTemp(pParse, pExpr->pLeft, ®Free1);\n testcase( regFree1==0 );\n isTrue = sqlite3ExprTruthValue(pExpr->pRight);\n bNormal = pExpr->op2==TK_IS;\n testcase( isTrue && bNormal);\n testcase( !isTrue && bNormal);\n sqlite3VdbeAddOp4Int(v, OP_IsTrue, r1, inReg, !isTrue, isTrue ^ bNormal);\n break;\n }\n case TK_ISNULL:\n case TK_NOTNULL: {\n int addr;\n assert( TK_ISNULL==OP_IsNull ); testcase( op==TK_ISNULL );\n assert( TK_NOTNULL==OP_NotNull ); testcase( op==TK_NOTNULL );\n sqlite3VdbeAddOp2(v, OP_Integer, 1, target);\n r1 = sqlite3ExprCodeTemp(pParse, pExpr->pLeft, ®Free1);\n testcase( regFree1==0 );\n addr = sqlite3VdbeAddOp1(v, op, r1);\n VdbeCoverageIf(v, op==TK_ISNULL);\n VdbeCoverageIf(v, op==TK_NOTNULL);\n sqlite3VdbeAddOp2(v, OP_Integer, 0, target);\n sqlite3VdbeJumpHere(v, addr);\n break;\n }\n case 
TK_AGG_FUNCTION: {\n AggInfo *pInfo = pExpr->pAggInfo;\n if( pInfo==0 ){\n assert( !ExprHasProperty(pExpr, EP_IntValue) );\n sqlite3ErrorMsg(pParse, \"misuse of aggregate: %s()\", pExpr->u.zToken);\n }else{\n return pInfo->aFunc[pExpr->iAgg].iMem;\n }\n break;\n }\n case TK_FUNCTION: {\n ExprList *pFarg; /* List of function arguments */\n int nFarg; /* Number of function arguments */\n FuncDef *pDef; /* The function definition object */\n const char *zId; /* The function name */\n u32 constMask = 0; /* Mask of function arguments that are constant */\n int i; /* Loop counter */\n sqlite3 *db = pParse->db; /* The database connection */\n u8 enc = ENC(db); /* The text encoding used by this database */\n CollSeq *pColl = 0; /* A collating sequence */\n\n#ifndef SQLITE_OMIT_WINDOWFUNC\n if( ExprHasProperty(pExpr, EP_WinFunc) ){\n return pExpr->y.pWin->regResult;\n }\n#endif\n\n if( ConstFactorOk(pParse) && sqlite3ExprIsConstantNotJoin(pExpr) ){\n /* SQL functions can be expensive. So try to move constant functions\n ** out of the inner loop, even if that means an extra OP_Copy. */\n return sqlite3ExprCodeAtInit(pParse, pExpr, -1);\n }\n assert( !ExprHasProperty(pExpr, EP_xIsSelect) );\n if( ExprHasProperty(pExpr, EP_TokenOnly) ){\n pFarg = 0;\n }else{\n pFarg = pExpr->x.pList;\n }\n nFarg = pFarg ? pFarg->nExpr : 0;\n assert( !ExprHasProperty(pExpr, EP_IntValue) );\n zId = pExpr->u.zToken;\n pDef = sqlite3FindFunction(db, zId, nFarg, enc, 0);\n#ifdef SQLITE_ENABLE_UNKNOWN_SQL_FUNCTION\n if( pDef==0 && pParse->explain ){\n pDef = sqlite3FindFunction(db, \"unknown\", nFarg, enc, 0);\n }\n#endif\n if( pDef==0 || pDef->xFinalize!=0 ){\n sqlite3ErrorMsg(pParse, \"unknown function: %s()\", zId);\n break;\n }\n\n /* Attempt a direct implementation of the built-in COALESCE() and\n ** IFNULL() functions. 
This avoids unnecessary evaluation of\n ** arguments past the first non-NULL argument.\n */\n if( pDef->funcFlags & SQLITE_FUNC_COALESCE ){\n int endCoalesce = sqlite3VdbeMakeLabel(pParse);\n assert( nFarg>=2 );\n sqlite3ExprCode(pParse, pFarg->a[0].pExpr, target);\n for(i=1; ia[i].pExpr, target);\n }\n sqlite3VdbeResolveLabel(v, endCoalesce);\n break;\n }\n\n /* The UNLIKELY() function is a no-op. The result is the value\n ** of the first argument.\n */\n if( pDef->funcFlags & SQLITE_FUNC_UNLIKELY ){\n assert( nFarg>=1 );\n return sqlite3ExprCodeTarget(pParse, pFarg->a[0].pExpr, target);\n }\n\n#ifdef SQLITE_DEBUG\n /* The AFFINITY() function evaluates to a string that describes\n ** the type affinity of the argument. This is used for testing of\n ** the SQLite type logic.\n */\n if( pDef->funcFlags & SQLITE_FUNC_AFFINITY ){\n const char *azAff[] = { \"blob\", \"text\", \"numeric\", \"integer\", \"real\" };\n char aff;\n assert( nFarg==1 );\n aff = sqlite3ExprAffinity(pFarg->a[0].pExpr);\n sqlite3VdbeLoadString(v, target, \n (aff<=SQLITE_AFF_NONE) ? 
\"none\" : azAff[aff-SQLITE_AFF_BLOB]);\n return target;\n }\n#endif\n\n for(i=0; ia[i].pExpr) ){\n testcase( i==31 );\n constMask |= MASKBIT32(i);\n }\n if( (pDef->funcFlags & SQLITE_FUNC_NEEDCOLL)!=0 && !pColl ){\n pColl = sqlite3ExprCollSeq(pParse, pFarg->a[i].pExpr);\n }\n }\n if( pFarg ){\n if( constMask ){\n r1 = pParse->nMem+1;\n pParse->nMem += nFarg;\n }else{\n r1 = sqlite3GetTempRange(pParse, nFarg);\n }\n\n /* For length() and typeof() functions with a column argument,\n ** set the P5 parameter to the OP_Column opcode to OPFLAG_LENGTHARG\n ** or OPFLAG_TYPEOFARG respectively, to avoid unnecessary data\n ** loading.\n */\n if( (pDef->funcFlags & (SQLITE_FUNC_LENGTH|SQLITE_FUNC_TYPEOF))!=0 ){\n u8 exprOp;\n assert( nFarg==1 );\n assert( pFarg->a[0].pExpr!=0 );\n exprOp = pFarg->a[0].pExpr->op;\n if( exprOp==TK_COLUMN || exprOp==TK_AGG_COLUMN ){\n assert( SQLITE_FUNC_LENGTH==OPFLAG_LENGTHARG );\n assert( SQLITE_FUNC_TYPEOF==OPFLAG_TYPEOFARG );\n testcase( pDef->funcFlags & OPFLAG_LENGTHARG );\n pFarg->a[0].pExpr->op2 = \n pDef->funcFlags & (OPFLAG_LENGTHARG|OPFLAG_TYPEOFARG);\n }\n }\n\n sqlite3ExprCodeExprList(pParse, pFarg, r1, 0,\n SQLITE_ECEL_DUP|SQLITE_ECEL_FACTOR);\n }else{\n r1 = 0;\n }\n#ifndef SQLITE_OMIT_VIRTUALTABLE\n /* Possibly overload the function if the first argument is\n ** a virtual table column.\n **\n ** For infix functions (LIKE, GLOB, REGEXP, and MATCH) use the\n ** second argument, not the first, as the argument to test to\n ** see if it is a column in a virtual table. This is done because\n ** the left operand of infix functions (the operand we want to\n ** control overloading) ends up as the second argument to the\n ** function. The expression \"A glob B\" is equivalent to \n ** \"glob(B,A). We want to use the A in \"A glob B\" to test\n ** for function overloading. 
But we use the B term in \"glob(B,A)\".\n */\n if( nFarg>=2 && ExprHasProperty(pExpr, EP_InfixFunc) ){\n pDef = sqlite3VtabOverloadFunction(db, pDef, nFarg, pFarg->a[1].pExpr);\n }else if( nFarg>0 ){\n pDef = sqlite3VtabOverloadFunction(db, pDef, nFarg, pFarg->a[0].pExpr);\n }\n#endif\n if( pDef->funcFlags & SQLITE_FUNC_NEEDCOLL ){\n if( !pColl ) pColl = db->pDfltColl; \n sqlite3VdbeAddOp4(v, OP_CollSeq, 0, 0, 0, (char *)pColl, P4_COLLSEQ);\n }\n#ifdef SQLITE_ENABLE_OFFSET_SQL_FUNC\n if( pDef->funcFlags & SQLITE_FUNC_OFFSET ){\n Expr *pArg = pFarg->a[0].pExpr;\n if( pArg->op==TK_COLUMN ){\n sqlite3VdbeAddOp3(v, OP_Offset, pArg->iTable, pArg->iColumn, target);\n }else{\n sqlite3VdbeAddOp2(v, OP_Null, 0, target);\n }\n }else\n#endif\n {\n sqlite3VdbeAddFunctionCall(pParse, constMask, r1, target, nFarg,\n pDef, pExpr->op2);\n }\n if( nFarg && constMask==0 ){\n sqlite3ReleaseTempRange(pParse, r1, nFarg);\n }\n return target;\n }\n#ifndef SQLITE_OMIT_SUBQUERY\n case TK_EXISTS:\n case TK_SELECT: {\n int nCol;\n testcase( op==TK_EXISTS );\n testcase( op==TK_SELECT );\n if( op==TK_SELECT && (nCol = pExpr->x.pSelect->pEList->nExpr)!=1 ){\n sqlite3SubselectError(pParse, nCol, 1);\n }else{\n return sqlite3CodeSubselect(pParse, pExpr);\n }\n break;\n }\n case TK_SELECT_COLUMN: {\n int n;\n if( pExpr->pLeft->iTable==0 ){\n pExpr->pLeft->iTable = sqlite3CodeSubselect(pParse, pExpr->pLeft);\n }\n assert( pExpr->iTable==0 || pExpr->pLeft->op==TK_SELECT );\n if( pExpr->iTable!=0\n && pExpr->iTable!=(n = sqlite3ExprVectorSize(pExpr->pLeft))\n ){\n sqlite3ErrorMsg(pParse, \"%d columns assigned %d values\",\n pExpr->iTable, n);\n }\n return pExpr->pLeft->iTable + pExpr->iColumn;\n }\n case TK_IN: {\n int destIfFalse = sqlite3VdbeMakeLabel(pParse);\n int destIfNull = sqlite3VdbeMakeLabel(pParse);\n sqlite3VdbeAddOp2(v, OP_Null, 0, target);\n sqlite3ExprCodeIN(pParse, pExpr, destIfFalse, destIfNull);\n sqlite3VdbeAddOp2(v, OP_Integer, 1, target);\n sqlite3VdbeResolveLabel(v, 
destIfFalse);\n sqlite3VdbeAddOp2(v, OP_AddImm, target, 0);\n sqlite3VdbeResolveLabel(v, destIfNull);\n return target;\n }\n#endif /* SQLITE_OMIT_SUBQUERY */\n\n\n /*\n ** x BETWEEN y AND z\n **\n ** This is equivalent to\n **\n ** x>=y AND x<=z\n **\n ** X is stored in pExpr->pLeft.\n ** Y is stored in pExpr->pList->a[0].pExpr.\n ** Z is stored in pExpr->pList->a[1].pExpr.\n */\n case TK_BETWEEN: {\n exprCodeBetween(pParse, pExpr, target, 0, 0);\n return target;\n }\n case TK_SPAN:\n case TK_COLLATE: \n case TK_UPLUS: {\n pExpr = pExpr->pLeft;\n goto expr_code_doover; /* 2018-04-28: Prevent deep recursion. OSSFuzz. */\n }\n\n case TK_TRIGGER: {\n /* If the opcode is TK_TRIGGER, then the expression is a reference\n ** to a column in the new.* or old.* pseudo-tables available to\n ** trigger programs. In this case Expr.iTable is set to 1 for the\n ** new.* pseudo-table, or 0 for the old.* pseudo-table. Expr.iColumn\n ** is set to the column of the pseudo-table to read, or to -1 to\n ** read the rowid field.\n **\n ** The expression is implemented using an OP_Param opcode. The p1\n ** parameter is set to 0 for an old.rowid reference, or to (i+1)\n ** to reference another column of the old.* pseudo-table, where \n ** i is the index of the column. For a new.rowid reference, p1 is\n ** set to (n+1), where n is the number of columns in each pseudo-table.\n ** For a reference to any other column in the new.* pseudo-table, p1\n ** is set to (n+2+i), where n and i are as defined previously. 
For\n ** example, if the table on which triggers are being fired is\n ** declared as:\n **\n ** CREATE TABLE t1(a, b);\n **\n ** Then p1 is interpreted as follows:\n **\n ** p1==0 -> old.rowid p1==3 -> new.rowid\n ** p1==1 -> old.a p1==4 -> new.a\n ** p1==2 -> old.b p1==5 -> new.b \n */\n Table *pTab = pExpr->y.pTab;\n int iCol = pExpr->iColumn;\n int p1 = pExpr->iTable * (pTab->nCol+1) + 1 \n + sqlite3TableColumnToStorage(pTab, iCol);\n\n assert( pExpr->iTable==0 || pExpr->iTable==1 );\n assert( iCol>=-1 && iColnCol );\n assert( pTab->iPKey<0 || iCol!=pTab->iPKey );\n assert( p1>=0 && p1<(pTab->nCol*2+2) );\n\n sqlite3VdbeAddOp2(v, OP_Param, p1, target);\n VdbeComment((v, \"r[%d]=%s.%s\", target,\n (pExpr->iTable ? \"new\" : \"old\"),\n (pExpr->iColumn<0 ? \"rowid\" : pExpr->y.pTab->aCol[iCol].zName)\n ));\n\n#ifndef SQLITE_OMIT_FLOATING_POINT\n /* If the column has REAL affinity, it may currently be stored as an\n ** integer. Use OP_RealAffinity to make sure it is really real.\n **\n ** EVIDENCE-OF: R-60985-57662 SQLite will convert the value back to\n ** floating point when extracting it from the record. */\n if( iCol>=0 && pTab->aCol[iCol].affinity==SQLITE_AFF_REAL ){\n sqlite3VdbeAddOp1(v, OP_RealAffinity, target);\n }\n#endif\n break;\n }\n\n case TK_VECTOR: {\n sqlite3ErrorMsg(pParse, \"row value misused\");\n break;\n }\n\n /* TK_IF_NULL_ROW Expr nodes are inserted ahead of expressions\n ** that derive from the right-hand table of a LEFT JOIN. 
The\n ** Expr.iTable value is the table number for the right-hand table.\n ** The expression is only evaluated if that table is not currently\n ** on a LEFT JOIN NULL row.\n */\n case TK_IF_NULL_ROW: {\n int addrINR;\n u8 okConstFactor = pParse->okConstFactor;\n addrINR = sqlite3VdbeAddOp1(v, OP_IfNullRow, pExpr->iTable);\n /* Temporarily disable factoring of constant expressions, since\n ** even though expressions may appear to be constant, they are not\n ** really constant because they originate from the right-hand side\n ** of a LEFT JOIN. */\n pParse->okConstFactor = 0;\n inReg = sqlite3ExprCodeTarget(pParse, pExpr->pLeft, target);\n pParse->okConstFactor = okConstFactor;\n sqlite3VdbeJumpHere(v, addrINR);\n sqlite3VdbeChangeP3(v, addrINR, inReg);\n break;\n }\n\n /*\n ** Form A:\n ** CASE x WHEN e1 THEN r1 WHEN e2 THEN r2 ... WHEN eN THEN rN ELSE y END\n **\n ** Form B:\n ** CASE WHEN e1 THEN r1 WHEN e2 THEN r2 ... WHEN eN THEN rN ELSE y END\n **\n ** Form A is can be transformed into the equivalent form B as follows:\n ** CASE WHEN x=e1 THEN r1 WHEN x=e2 THEN r2 ...\n ** WHEN x=eN THEN rN ELSE y END\n **\n ** X (if it exists) is in pExpr->pLeft.\n ** Y is in the last element of pExpr->x.pList if pExpr->x.pList->nExpr is\n ** odd. The Y is also optional. 
If the number of elements in x.pList\n ** is even, then Y is omitted and the \"otherwise\" result is NULL.\n ** Ei is in pExpr->pList->a[i*2] and Ri is pExpr->pList->a[i*2+1].\n **\n ** The result of the expression is the Ri for the first matching Ei,\n ** or if there is no matching Ei, the ELSE term Y, or if there is\n ** no ELSE term, NULL.\n */\n case TK_CASE: {\n int endLabel; /* GOTO label for end of CASE stmt */\n int nextCase; /* GOTO label for next WHEN clause */\n int nExpr; /* 2x number of WHEN terms */\n int i; /* Loop counter */\n ExprList *pEList; /* List of WHEN terms */\n struct ExprList_item *aListelem; /* Array of WHEN terms */\n Expr opCompare; /* The X==Ei expression */\n Expr *pX; /* The X expression */\n Expr *pTest = 0; /* X==Ei (form A) or just Ei (form B) */\n Expr *pDel = 0;\n sqlite3 *db = pParse->db;\n\n assert( !ExprHasProperty(pExpr, EP_xIsSelect) && pExpr->x.pList );\n assert(pExpr->x.pList->nExpr > 0);\n pEList = pExpr->x.pList;\n aListelem = pEList->a;\n nExpr = pEList->nExpr;\n endLabel = sqlite3VdbeMakeLabel(pParse);\n if( (pX = pExpr->pLeft)!=0 ){\n pDel = sqlite3ExprDup(db, pX, 0);\n if( db->mallocFailed ){\n sqlite3ExprDelete(db, pDel);\n break;\n }\n testcase( pX->op==TK_COLUMN );\n exprToRegister(pDel, exprCodeVector(pParse, pDel, ®Free1));\n testcase( regFree1==0 );\n memset(&opCompare, 0, sizeof(opCompare));\n opCompare.op = TK_EQ;\n opCompare.pLeft = pDel;\n pTest = &opCompare;\n /* Ticket b351d95f9cd5ef17e9d9dbae18f5ca8611190001:\n ** The value in regFree1 might get SCopy-ed into the file result.\n ** So make sure that the regFree1 register is not reused for other\n ** purposes and possibly overwritten. 
*/\n regFree1 = 0;\n }\n for(i=0; iop==TK_COLUMN );\n sqlite3ExprIfFalse(pParse, pTest, nextCase, SQLITE_JUMPIFNULL);\n testcase( aListelem[i+1].pExpr->op==TK_COLUMN );\n sqlite3ExprCode(pParse, aListelem[i+1].pExpr, target);\n sqlite3VdbeGoto(v, endLabel);\n sqlite3VdbeResolveLabel(v, nextCase);\n }\n if( (nExpr&1)!=0 ){\n sqlite3ExprCode(pParse, pEList->a[nExpr-1].pExpr, target);\n }else{\n sqlite3VdbeAddOp2(v, OP_Null, 0, target);\n }\n sqlite3ExprDelete(db, pDel);\n sqlite3VdbeResolveLabel(v, endLabel);\n break;\n }\n#ifndef SQLITE_OMIT_TRIGGER\n case TK_RAISE: {\n assert( pExpr->affExpr==OE_Rollback \n || pExpr->affExpr==OE_Abort\n || pExpr->affExpr==OE_Fail\n || pExpr->affExpr==OE_Ignore\n );\n if( !pParse->pTriggerTab ){\n sqlite3ErrorMsg(pParse,\n \"RAISE() may only be used within a trigger-program\");\n return 0;\n }\n if( pExpr->affExpr==OE_Abort ){\n sqlite3MayAbort(pParse);\n }\n assert( !ExprHasProperty(pExpr, EP_IntValue) );\n if( pExpr->affExpr==OE_Ignore ){\n sqlite3VdbeAddOp4(\n v, OP_Halt, SQLITE_OK, OE_Ignore, 0, pExpr->u.zToken,0);\n VdbeCoverage(v);\n }else{\n sqlite3HaltConstraint(pParse, SQLITE_CONSTRAINT_TRIGGER,\n pExpr->affExpr, pExpr->u.zToken, 0, 0);\n }\n\n break;\n }\n#endif\n }\n sqlite3ReleaseTempReg(pParse, regFree1);\n sqlite3ReleaseTempReg(pParse, regFree2);\n return inReg;\n}", "project": "sqlite", "hash": 316738896429402012167205999188445993189, "size": 749, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378543 }, { "func": "void sqlite3VdbeUsesBtree(Vdbe *p, int i){\n assert( i>=0 && idb->nDb && i<(int)sizeof(yDbMask)*8 );\n assert( i<(int)sizeof(p->btreeMask)*8 );\n DbMaskSet(p->btreeMask, i);\n if( i!=1 && sqlite3BtreeSharable(p->db->aDb[i].pBt) ){\n DbMaskSet(p->lockMask, i);\n }\n}", "project": "sqlite", "hash": 24461281954769157252854311355854121653, "size": 8, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378479 }, { "func": "void sqlite3VdbeAppendP4(Vdbe *p, void *pP4, int n){\n VdbeOp *pOp;\n assert( n!=P4_INT32 && n!=P4_VTAB );\n assert( n<=0 );\n if( p->db->mallocFailed ){\n freeP4(p->db, n, pP4);\n }else{\n assert( pP4!=0 );\n assert( p->nOp>0 );\n pOp = &p->aOp[p->nOp-1];\n assert( pOp->p4type==P4_NOTUSED );\n pOp->p4type = n;\n pOp->p4.p = pP4;\n }\n}", "project": "sqlite", "hash": 228501569465161637945718320790398276782, "size": 15, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378508 }, { "func": "void sqlite3VdbeDeleteAuxData(sqlite3 *db, AuxData **pp, int iOp, int mask){\n while( *pp ){\n AuxData *pAux = *pp;\n if( (iOp<0)\n || (pAux->iAuxOp==iOp\n && pAux->iAuxArg>=0\n && (pAux->iAuxArg>31 || !(mask & MASKBIT32(pAux->iAuxArg))))\n ){\n testcase( pAux->iAuxArg==31 );\n if( pAux->xDeleteAux ){\n pAux->xDeleteAux(pAux->pAux);\n }\n *pp = pAux->pNextAux;\n sqlite3DbFree(db, pAux);\n }else{\n pp= &pAux->pNextAux;\n }\n }\n}", "project": "sqlite", "hash": 310645167785882294029101206178995336964, "size": 19, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378618 }, { "func": "static int windowExprGtZero(Parse *pParse, Expr *pExpr){\n int ret = 0;\n sqlite3 *db = pParse->db;\n sqlite3_value *pVal = 0;\n sqlite3ValueFromExpr(db, pExpr, db->enc, SQLITE_AFF_NUMERIC, &pVal);\n if( pVal && sqlite3_value_int(pVal)>0 ){\n ret = 1;\n }\n sqlite3ValueFree(pVal);\n return ret;\n}", "project": "sqlite", "hash": 264801010562518134672883699636492879751, "size": 11, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378544 }, { "func": "void sqlite3VdbeLeave(Vdbe *p){\n if( DbMaskAllZero(p->lockMask) ) return; /* The common case */\n vdbeLeave(p);\n}", "project": "sqlite", "hash": 226593278117904728848984352394548310015, "size": 4, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378579 }, { "func": "static int generateOutputSubroutine(\n Parse *pParse, /* Parsing context */\n Select *p, /* The SELECT statement */\n SelectDest *pIn, /* Coroutine supplying data */\n SelectDest *pDest, /* Where to send the data */\n int regReturn, /* The return address register */\n int regPrev, /* Previous result register. No uniqueness if 0 */\n KeyInfo *pKeyInfo, /* For comparing with previous entry */\n int iBreak /* Jump here if we hit the LIMIT */\n){\n Vdbe *v = pParse->pVdbe;\n int iContinue;\n int addr;\n\n addr = sqlite3VdbeCurrentAddr(v);\n iContinue = sqlite3VdbeMakeLabel(pParse);\n\n /* Suppress duplicates for UNION, EXCEPT, and INTERSECT \n */\n if( regPrev ){\n int addr1, addr2;\n addr1 = sqlite3VdbeAddOp1(v, OP_IfNot, regPrev); VdbeCoverage(v);\n addr2 = sqlite3VdbeAddOp4(v, OP_Compare, pIn->iSdst, regPrev+1, pIn->nSdst,\n (char*)sqlite3KeyInfoRef(pKeyInfo), P4_KEYINFO);\n sqlite3VdbeAddOp3(v, OP_Jump, addr2+2, iContinue, addr2+2); VdbeCoverage(v);\n sqlite3VdbeJumpHere(v, addr1);\n sqlite3VdbeAddOp3(v, OP_Copy, pIn->iSdst, regPrev+1, pIn->nSdst-1);\n sqlite3VdbeAddOp2(v, OP_Integer, 1, regPrev);\n }\n if( pParse->db->mallocFailed ) return 0;\n\n /* Suppress the first OFFSET entries if there is an OFFSET clause\n */\n codeOffset(v, p->iOffset, iContinue);\n\n assert( pDest->eDest!=SRT_Exists );\n assert( pDest->eDest!=SRT_Table );\n switch( pDest->eDest ){\n /* Store the result as data using a unique key.\n */\n case SRT_EphemTab: {\n int r1 = sqlite3GetTempReg(pParse);\n int r2 = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp3(v, OP_MakeRecord, pIn->iSdst, pIn->nSdst, r1);\n sqlite3VdbeAddOp2(v, OP_NewRowid, pDest->iSDParm, r2);\n sqlite3VdbeAddOp3(v, OP_Insert, pDest->iSDParm, r1, r2);\n sqlite3VdbeChangeP5(v, OPFLAG_APPEND);\n 
sqlite3ReleaseTempReg(pParse, r2);\n sqlite3ReleaseTempReg(pParse, r1);\n break;\n }\n\n#ifndef SQLITE_OMIT_SUBQUERY\n /* If we are creating a set for an \"expr IN (SELECT ...)\".\n */\n case SRT_Set: {\n int r1;\n testcase( pIn->nSdst>1 );\n r1 = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp4(v, OP_MakeRecord, pIn->iSdst, pIn->nSdst, \n r1, pDest->zAffSdst, pIn->nSdst);\n sqlite3VdbeAddOp4Int(v, OP_IdxInsert, pDest->iSDParm, r1,\n pIn->iSdst, pIn->nSdst);\n sqlite3ReleaseTempReg(pParse, r1);\n break;\n }\n\n /* If this is a scalar select that is part of an expression, then\n ** store the results in the appropriate memory cell and break out\n ** of the scan loop. Note that the select might return multiple columns\n ** if it is the RHS of a row-value IN operator.\n */\n case SRT_Mem: {\n if( pParse->nErr==0 ){\n testcase( pIn->nSdst>1 );\n sqlite3ExprCodeMove(pParse, pIn->iSdst, pDest->iSDParm, pIn->nSdst);\n }\n /* The LIMIT clause will jump out of the loop for us */\n break;\n }\n#endif /* #ifndef SQLITE_OMIT_SUBQUERY */\n\n /* The results are stored in a sequence of registers\n ** starting at pDest->iSdst. Then the co-routine yields.\n */\n case SRT_Coroutine: {\n if( pDest->iSdst==0 ){\n pDest->iSdst = sqlite3GetTempRange(pParse, pIn->nSdst);\n pDest->nSdst = pIn->nSdst;\n }\n sqlite3ExprCodeMove(pParse, pIn->iSdst, pDest->iSdst, pIn->nSdst);\n sqlite3VdbeAddOp1(v, OP_Yield, pDest->iSDParm);\n break;\n }\n\n /* If none of the above, then the result destination must be\n ** SRT_Output. This routine is never called with any other\n ** destination other than the ones handled above or SRT_Output.\n **\n ** For SRT_Output, results are stored in a sequence of registers. 
\n ** Then the OP_ResultRow opcode is used to cause sqlite3_step() to\n ** return the next row of result.\n */\n default: {\n assert( pDest->eDest==SRT_Output );\n sqlite3VdbeAddOp2(v, OP_ResultRow, pIn->iSdst, pIn->nSdst);\n break;\n }\n }\n\n /* Jump to the end of the loop if the LIMIT is reached.\n */\n if( p->iLimit ){\n sqlite3VdbeAddOp2(v, OP_DecrJumpZero, p->iLimit, iBreak); VdbeCoverage(v);\n }\n\n /* Generate the subroutine return\n */\n sqlite3VdbeResolveLabel(v, iContinue);\n sqlite3VdbeAddOp1(v, OP_Return, regReturn);\n\n return addr;\n}", "project": "sqlite", "hash": 74830700346430747596776436346867546886, "size": 123, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246177 }, { "func": "static int multiSelect(\n Parse *pParse, /* Parsing context */\n Select *p, /* The right-most of SELECTs to be coded */\n SelectDest *pDest /* What to do with query results */\n){\n int rc = SQLITE_OK; /* Success code from a subroutine */\n Select *pPrior; /* Another SELECT immediately to our left */\n Vdbe *v; /* Generate code to this VDBE */\n SelectDest dest; /* Alternative data destination */\n Select *pDelete = 0; /* Chain of simple selects to delete */\n sqlite3 *db; /* Database connection */\n\n /* Make sure there is no ORDER BY or LIMIT clause on prior SELECTs. Only\n ** the last (right-most) SELECT in the series may have an ORDER BY or LIMIT.\n */\n assert( p && p->pPrior ); /* Calling function guarantees this much */\n assert( (p->selFlags & SF_Recursive)==0 || p->op==TK_ALL || p->op==TK_UNION );\n assert( p->selFlags & SF_Compound );\n db = pParse->db;\n pPrior = p->pPrior;\n dest = *pDest;\n if( pPrior->pOrderBy || pPrior->pLimit ){\n sqlite3ErrorMsg(pParse,\"%s clause should come after %s not before\",\n pPrior->pOrderBy!=0 ? 
\"ORDER BY\" : \"LIMIT\", selectOpName(p->op));\n rc = 1;\n goto multi_select_end;\n }\n\n v = sqlite3GetVdbe(pParse);\n assert( v!=0 ); /* The VDBE already created by calling function */\n\n /* Create the destination temporary table if necessary\n */\n if( dest.eDest==SRT_EphemTab ){\n assert( p->pEList );\n sqlite3VdbeAddOp2(v, OP_OpenEphemeral, dest.iSDParm, p->pEList->nExpr);\n dest.eDest = SRT_Table;\n }\n\n /* Special handling for a compound-select that originates as a VALUES clause.\n */\n if( p->selFlags & SF_MultiValue ){\n rc = multiSelectValues(pParse, p, &dest);\n if( rc>=0 ) goto multi_select_end;\n rc = SQLITE_OK;\n }\n\n /* Make sure all SELECTs in the statement have the same number of elements\n ** in their result sets.\n */\n assert( p->pEList && pPrior->pEList );\n assert( p->pEList->nExpr==pPrior->pEList->nExpr );\n\n#ifndef SQLITE_OMIT_CTE\n if( p->selFlags & SF_Recursive ){\n generateWithRecursiveQuery(pParse, p, &dest);\n }else\n#endif\n\n /* Compound SELECTs that have an ORDER BY clause are handled separately.\n */\n if( p->pOrderBy ){\n return multiSelectOrderBy(pParse, p, pDest);\n }else{\n\n#ifndef SQLITE_OMIT_EXPLAIN\n if( pPrior->pPrior==0 ){\n ExplainQueryPlan((pParse, 1, \"COMPOUND QUERY\"));\n ExplainQueryPlan((pParse, 1, \"LEFT-MOST SUBQUERY\"));\n }\n#endif\n\n /* Generate code for the left and right SELECT statements.\n */\n switch( p->op ){\n case TK_ALL: {\n int addr = 0;\n int nLimit;\n assert( !pPrior->pLimit );\n pPrior->iLimit = p->iLimit;\n pPrior->iOffset = p->iOffset;\n pPrior->pLimit = p->pLimit;\n rc = sqlite3Select(pParse, pPrior, &dest);\n p->pLimit = 0;\n if( rc ){\n goto multi_select_end;\n }\n p->pPrior = 0;\n p->iLimit = pPrior->iLimit;\n p->iOffset = pPrior->iOffset;\n if( p->iLimit ){\n addr = sqlite3VdbeAddOp1(v, OP_IfNot, p->iLimit); VdbeCoverage(v);\n VdbeComment((v, \"Jump ahead if LIMIT reached\"));\n if( p->iOffset ){\n sqlite3VdbeAddOp3(v, OP_OffsetLimit,\n p->iLimit, p->iOffset+1, p->iOffset);\n }\n }\n 
ExplainQueryPlan((pParse, 1, \"UNION ALL\"));\n rc = sqlite3Select(pParse, p, &dest);\n testcase( rc!=SQLITE_OK );\n pDelete = p->pPrior;\n p->pPrior = pPrior;\n p->nSelectRow = sqlite3LogEstAdd(p->nSelectRow, pPrior->nSelectRow);\n if( pPrior->pLimit\n && sqlite3ExprIsInteger(pPrior->pLimit->pLeft, &nLimit)\n && nLimit>0 && p->nSelectRow > sqlite3LogEst((u64)nLimit) \n ){\n p->nSelectRow = sqlite3LogEst((u64)nLimit);\n }\n if( addr ){\n sqlite3VdbeJumpHere(v, addr);\n }\n break;\n }\n case TK_EXCEPT:\n case TK_UNION: {\n int unionTab; /* Cursor number of the temp table holding result */\n u8 op = 0; /* One of the SRT_ operations to apply to self */\n int priorOp; /* The SRT_ operation to apply to prior selects */\n Expr *pLimit; /* Saved values of p->nLimit */\n int addr;\n SelectDest uniondest;\n \n testcase( p->op==TK_EXCEPT );\n testcase( p->op==TK_UNION );\n priorOp = SRT_Union;\n if( dest.eDest==priorOp ){\n /* We can reuse a temporary table generated by a SELECT to our\n ** right.\n */\n assert( p->pLimit==0 ); /* Not allowed on leftward elements */\n unionTab = dest.iSDParm;\n }else{\n /* We will need to create our own temporary table to hold the\n ** intermediate results.\n */\n unionTab = pParse->nTab++;\n assert( p->pOrderBy==0 );\n addr = sqlite3VdbeAddOp2(v, OP_OpenEphemeral, unionTab, 0);\n assert( p->addrOpenEphm[0] == -1 );\n p->addrOpenEphm[0] = addr;\n findRightmost(p)->selFlags |= SF_UsesEphemeral;\n assert( p->pEList );\n }\n \n /* Code the SELECT statements to our left\n */\n assert( !pPrior->pOrderBy );\n sqlite3SelectDestInit(&uniondest, priorOp, unionTab);\n rc = sqlite3Select(pParse, pPrior, &uniondest);\n if( rc ){\n goto multi_select_end;\n }\n \n /* Code the current SELECT statement\n */\n if( p->op==TK_EXCEPT ){\n op = SRT_Except;\n }else{\n assert( p->op==TK_UNION );\n op = SRT_Union;\n }\n p->pPrior = 0;\n pLimit = p->pLimit;\n p->pLimit = 0;\n uniondest.eDest = op;\n ExplainQueryPlan((pParse, 1, \"%s USING TEMP B-TREE\",\n 
selectOpName(p->op)));\n rc = sqlite3Select(pParse, p, &uniondest);\n testcase( rc!=SQLITE_OK );\n /* Query flattening in sqlite3Select() might refill p->pOrderBy.\n ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */\n sqlite3ExprListDelete(db, p->pOrderBy);\n pDelete = p->pPrior;\n p->pPrior = pPrior;\n p->pOrderBy = 0;\n if( p->op==TK_UNION ){\n p->nSelectRow = sqlite3LogEstAdd(p->nSelectRow, pPrior->nSelectRow);\n }\n sqlite3ExprDelete(db, p->pLimit);\n p->pLimit = pLimit;\n p->iLimit = 0;\n p->iOffset = 0;\n \n /* Convert the data in the temporary table into whatever form\n ** it is that we currently need.\n */\n assert( unionTab==dest.iSDParm || dest.eDest!=priorOp );\n assert( p->pEList || db->mallocFailed );\n if( dest.eDest!=priorOp && db->mallocFailed==0 ){\n int iCont, iBreak, iStart;\n iBreak = sqlite3VdbeMakeLabel(pParse);\n iCont = sqlite3VdbeMakeLabel(pParse);\n computeLimitRegisters(pParse, p, iBreak);\n sqlite3VdbeAddOp2(v, OP_Rewind, unionTab, iBreak); VdbeCoverage(v);\n iStart = sqlite3VdbeCurrentAddr(v);\n selectInnerLoop(pParse, p, unionTab,\n 0, 0, &dest, iCont, iBreak);\n sqlite3VdbeResolveLabel(v, iCont);\n sqlite3VdbeAddOp2(v, OP_Next, unionTab, iStart); VdbeCoverage(v);\n sqlite3VdbeResolveLabel(v, iBreak);\n sqlite3VdbeAddOp2(v, OP_Close, unionTab, 0);\n }\n break;\n }\n default: assert( p->op==TK_INTERSECT ); {\n int tab1, tab2;\n int iCont, iBreak, iStart;\n Expr *pLimit;\n int addr;\n SelectDest intersectdest;\n int r1;\n \n /* INTERSECT is different from the others since it requires\n ** two temporary tables. Hence it has its own case. 
Begin\n ** by allocating the tables we will need.\n */\n tab1 = pParse->nTab++;\n tab2 = pParse->nTab++;\n assert( p->pOrderBy==0 );\n \n addr = sqlite3VdbeAddOp2(v, OP_OpenEphemeral, tab1, 0);\n assert( p->addrOpenEphm[0] == -1 );\n p->addrOpenEphm[0] = addr;\n findRightmost(p)->selFlags |= SF_UsesEphemeral;\n assert( p->pEList );\n \n /* Code the SELECTs to our left into temporary table \"tab1\".\n */\n sqlite3SelectDestInit(&intersectdest, SRT_Union, tab1);\n rc = sqlite3Select(pParse, pPrior, &intersectdest);\n if( rc ){\n goto multi_select_end;\n }\n \n /* Code the current SELECT into temporary table \"tab2\"\n */\n addr = sqlite3VdbeAddOp2(v, OP_OpenEphemeral, tab2, 0);\n assert( p->addrOpenEphm[1] == -1 );\n p->addrOpenEphm[1] = addr;\n p->pPrior = 0;\n pLimit = p->pLimit;\n p->pLimit = 0;\n intersectdest.iSDParm = tab2;\n ExplainQueryPlan((pParse, 1, \"%s USING TEMP B-TREE\",\n selectOpName(p->op)));\n rc = sqlite3Select(pParse, p, &intersectdest);\n testcase( rc!=SQLITE_OK );\n pDelete = p->pPrior;\n p->pPrior = pPrior;\n if( p->nSelectRow>pPrior->nSelectRow ){\n p->nSelectRow = pPrior->nSelectRow;\n }\n sqlite3ExprDelete(db, p->pLimit);\n p->pLimit = pLimit;\n \n /* Generate code to take the intersection of the two temporary\n ** tables.\n */\n assert( p->pEList );\n iBreak = sqlite3VdbeMakeLabel(pParse);\n iCont = sqlite3VdbeMakeLabel(pParse);\n computeLimitRegisters(pParse, p, iBreak);\n sqlite3VdbeAddOp2(v, OP_Rewind, tab1, iBreak); VdbeCoverage(v);\n r1 = sqlite3GetTempReg(pParse);\n iStart = sqlite3VdbeAddOp2(v, OP_RowData, tab1, r1);\n sqlite3VdbeAddOp4Int(v, OP_NotFound, tab2, iCont, r1, 0);\n VdbeCoverage(v);\n sqlite3ReleaseTempReg(pParse, r1);\n selectInnerLoop(pParse, p, tab1,\n 0, 0, &dest, iCont, iBreak);\n sqlite3VdbeResolveLabel(v, iCont);\n sqlite3VdbeAddOp2(v, OP_Next, tab1, iStart); VdbeCoverage(v);\n sqlite3VdbeResolveLabel(v, iBreak);\n sqlite3VdbeAddOp2(v, OP_Close, tab2, 0);\n sqlite3VdbeAddOp2(v, OP_Close, tab1, 0);\n break;\n }\n 
}\n \n #ifndef SQLITE_OMIT_EXPLAIN\n if( p->pNext==0 ){\n ExplainQueryPlanPop(pParse);\n }\n #endif\n }\n if( pParse->nErr ) goto multi_select_end;\n \n /* Compute collating sequences used by \n ** temporary tables needed to implement the compound select.\n ** Attach the KeyInfo structure to all temporary tables.\n **\n ** This section is run by the right-most SELECT statement only.\n ** SELECT statements to the left always skip this part. The right-most\n ** SELECT might also skip this part if it has no ORDER BY clause and\n ** no temp tables are required.\n */\n if( p->selFlags & SF_UsesEphemeral ){\n int i; /* Loop counter */\n KeyInfo *pKeyInfo; /* Collating sequence for the result set */\n Select *pLoop; /* For looping through SELECT statements */\n CollSeq **apColl; /* For looping through pKeyInfo->aColl[] */\n int nCol; /* Number of columns in result set */\n\n assert( p->pNext==0 );\n nCol = p->pEList->nExpr;\n pKeyInfo = sqlite3KeyInfoAlloc(db, nCol, 1);\n if( !pKeyInfo ){\n rc = SQLITE_NOMEM_BKPT;\n goto multi_select_end;\n }\n for(i=0, apColl=pKeyInfo->aColl; ipDfltColl;\n }\n }\n\n for(pLoop=p; pLoop; pLoop=pLoop->pPrior){\n for(i=0; i<2; i++){\n int addr = pLoop->addrOpenEphm[i];\n if( addr<0 ){\n /* If [0] is unused then [1] is also unused. 
So we can\n ** always safely abort as soon as the first unused slot is found */\n assert( pLoop->addrOpenEphm[1]<0 );\n break;\n }\n sqlite3VdbeChangeP2(v, addr, nCol);\n sqlite3VdbeChangeP4(v, addr, (char*)sqlite3KeyInfoRef(pKeyInfo),\n P4_KEYINFO);\n pLoop->addrOpenEphm[i] = -1;\n }\n }\n sqlite3KeyInfoUnref(pKeyInfo);\n }\n\nmulti_select_end:\n pDest->iSdst = dest.iSdst;\n pDest->nSdst = dest.nSdst;\n sqlite3SelectDelete(db, pDelete);\n return rc;\n}", "project": "sqlite", "hash": 200791527881523564389362957209573506757, "size": 343, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 1, "dataset": "other", "idx": 196833 }, { "func": "static int multiSelect(\n Parse *pParse, /* Parsing context */\n Select *p, /* The right-most of SELECTs to be coded */\n SelectDest *pDest /* What to do with query results */\n){\n int rc = SQLITE_OK; /* Success code from a subroutine */\n Select *pPrior; /* Another SELECT immediately to our left */\n Vdbe *v; /* Generate code to this VDBE */\n SelectDest dest; /* Alternative data destination */\n Select *pDelete = 0; /* Chain of simple selects to delete */\n sqlite3 *db; /* Database connection */\n\n /* Make sure there is no ORDER BY or LIMIT clause on prior SELECTs. Only\n ** the last (right-most) SELECT in the series may have an ORDER BY or LIMIT.\n */\n assert( p && p->pPrior ); /* Calling function guarantees this much */\n assert( (p->selFlags & SF_Recursive)==0 || p->op==TK_ALL || p->op==TK_UNION );\n assert( p->selFlags & SF_Compound );\n db = pParse->db;\n pPrior = p->pPrior;\n dest = *pDest;\n if( pPrior->pOrderBy || pPrior->pLimit ){\n sqlite3ErrorMsg(pParse,\"%s clause should come after %s not before\",\n pPrior->pOrderBy!=0 ? 
\"ORDER BY\" : \"LIMIT\", selectOpName(p->op));\n rc = 1;\n goto multi_select_end;\n }\n\n v = sqlite3GetVdbe(pParse);\n assert( v!=0 ); /* The VDBE already created by calling function */\n\n /* Create the destination temporary table if necessary\n */\n if( dest.eDest==SRT_EphemTab ){\n assert( p->pEList );\n sqlite3VdbeAddOp2(v, OP_OpenEphemeral, dest.iSDParm, p->pEList->nExpr);\n dest.eDest = SRT_Table;\n }\n\n /* Special handling for a compound-select that originates as a VALUES clause.\n */\n if( p->selFlags & SF_MultiValue ){\n rc = multiSelectValues(pParse, p, &dest);\n if( rc>=0 ) goto multi_select_end;\n rc = SQLITE_OK;\n }\n\n /* Make sure all SELECTs in the statement have the same number of elements\n ** in their result sets.\n */\n assert( p->pEList && pPrior->pEList );\n assert( p->pEList->nExpr==pPrior->pEList->nExpr );\n\n#ifndef SQLITE_OMIT_CTE\n if( p->selFlags & SF_Recursive ){\n generateWithRecursiveQuery(pParse, p, &dest);\n }else\n#endif\n\n /* Compound SELECTs that have an ORDER BY clause are handled separately.\n */\n if( p->pOrderBy ){\n return multiSelectOrderBy(pParse, p, pDest);\n }else{\n\n#ifndef SQLITE_OMIT_EXPLAIN\n if( pPrior->pPrior==0 ){\n ExplainQueryPlan((pParse, 1, \"COMPOUND QUERY\"));\n ExplainQueryPlan((pParse, 1, \"LEFT-MOST SUBQUERY\"));\n }\n#endif\n\n /* Generate code for the left and right SELECT statements.\n */\n switch( p->op ){\n case TK_ALL: {\n int addr = 0;\n int nLimit;\n assert( !pPrior->pLimit );\n pPrior->iLimit = p->iLimit;\n pPrior->iOffset = p->iOffset;\n pPrior->pLimit = p->pLimit;\n rc = sqlite3Select(pParse, pPrior, &dest);\n p->pLimit = 0;\n if( rc ){\n goto multi_select_end;\n }\n p->pPrior = 0;\n p->iLimit = pPrior->iLimit;\n p->iOffset = pPrior->iOffset;\n if( p->iLimit ){\n addr = sqlite3VdbeAddOp1(v, OP_IfNot, p->iLimit); VdbeCoverage(v);\n VdbeComment((v, \"Jump ahead if LIMIT reached\"));\n if( p->iOffset ){\n sqlite3VdbeAddOp3(v, OP_OffsetLimit,\n p->iLimit, p->iOffset+1, p->iOffset);\n }\n }\n 
ExplainQueryPlan((pParse, 1, \"UNION ALL\"));\n rc = sqlite3Select(pParse, p, &dest);\n testcase( rc!=SQLITE_OK );\n pDelete = p->pPrior;\n p->pPrior = pPrior;\n p->nSelectRow = sqlite3LogEstAdd(p->nSelectRow, pPrior->nSelectRow);\n if( pPrior->pLimit\n && sqlite3ExprIsInteger(pPrior->pLimit->pLeft, &nLimit)\n && nLimit>0 && p->nSelectRow > sqlite3LogEst((u64)nLimit) \n ){\n p->nSelectRow = sqlite3LogEst((u64)nLimit);\n }\n if( addr ){\n sqlite3VdbeJumpHere(v, addr);\n }\n break;\n }\n case TK_EXCEPT:\n case TK_UNION: {\n int unionTab; /* Cursor number of the temp table holding result */\n u8 op = 0; /* One of the SRT_ operations to apply to self */\n int priorOp; /* The SRT_ operation to apply to prior selects */\n Expr *pLimit; /* Saved values of p->nLimit */\n int addr;\n SelectDest uniondest;\n \n testcase( p->op==TK_EXCEPT );\n testcase( p->op==TK_UNION );\n priorOp = SRT_Union;\n if( dest.eDest==priorOp ){\n /* We can reuse a temporary table generated by a SELECT to our\n ** right.\n */\n assert( p->pLimit==0 ); /* Not allowed on leftward elements */\n unionTab = dest.iSDParm;\n }else{\n /* We will need to create our own temporary table to hold the\n ** intermediate results.\n */\n unionTab = pParse->nTab++;\n assert( p->pOrderBy==0 );\n addr = sqlite3VdbeAddOp2(v, OP_OpenEphemeral, unionTab, 0);\n assert( p->addrOpenEphm[0] == -1 );\n p->addrOpenEphm[0] = addr;\n findRightmost(p)->selFlags |= SF_UsesEphemeral;\n assert( p->pEList );\n }\n \n /* Code the SELECT statements to our left\n */\n assert( !pPrior->pOrderBy );\n sqlite3SelectDestInit(&uniondest, priorOp, unionTab);\n rc = sqlite3Select(pParse, pPrior, &uniondest);\n if( rc ){\n goto multi_select_end;\n }\n \n /* Code the current SELECT statement\n */\n if( p->op==TK_EXCEPT ){\n op = SRT_Except;\n }else{\n assert( p->op==TK_UNION );\n op = SRT_Union;\n }\n p->pPrior = 0;\n pLimit = p->pLimit;\n p->pLimit = 0;\n uniondest.eDest = op;\n ExplainQueryPlan((pParse, 1, \"%s USING TEMP B-TREE\",\n 
selectOpName(p->op)));\n rc = sqlite3Select(pParse, p, &uniondest);\n testcase( rc!=SQLITE_OK );\n /* Query flattening in sqlite3Select() might refill p->pOrderBy.\n ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */\n sqlite3ExprListDelete(db, p->pOrderBy);\n pDelete = p->pPrior;\n p->pPrior = pPrior;\n p->pOrderBy = 0;\n if( p->op==TK_UNION ){\n p->nSelectRow = sqlite3LogEstAdd(p->nSelectRow, pPrior->nSelectRow);\n }\n sqlite3ExprDelete(db, p->pLimit);\n p->pLimit = pLimit;\n p->iLimit = 0;\n p->iOffset = 0;\n \n /* Convert the data in the temporary table into whatever form\n ** it is that we currently need.\n */\n assert( unionTab==dest.iSDParm || dest.eDest!=priorOp );\n if( dest.eDest!=priorOp ){\n int iCont, iBreak, iStart;\n assert( p->pEList );\n iBreak = sqlite3VdbeMakeLabel(pParse);\n iCont = sqlite3VdbeMakeLabel(pParse);\n computeLimitRegisters(pParse, p, iBreak);\n sqlite3VdbeAddOp2(v, OP_Rewind, unionTab, iBreak); VdbeCoverage(v);\n iStart = sqlite3VdbeCurrentAddr(v);\n selectInnerLoop(pParse, p, unionTab,\n 0, 0, &dest, iCont, iBreak);\n sqlite3VdbeResolveLabel(v, iCont);\n sqlite3VdbeAddOp2(v, OP_Next, unionTab, iStart); VdbeCoverage(v);\n sqlite3VdbeResolveLabel(v, iBreak);\n sqlite3VdbeAddOp2(v, OP_Close, unionTab, 0);\n }\n break;\n }\n default: assert( p->op==TK_INTERSECT ); {\n int tab1, tab2;\n int iCont, iBreak, iStart;\n Expr *pLimit;\n int addr;\n SelectDest intersectdest;\n int r1;\n \n /* INTERSECT is different from the others since it requires\n ** two temporary tables. Hence it has its own case. 
Begin\n ** by allocating the tables we will need.\n */\n tab1 = pParse->nTab++;\n tab2 = pParse->nTab++;\n assert( p->pOrderBy==0 );\n \n addr = sqlite3VdbeAddOp2(v, OP_OpenEphemeral, tab1, 0);\n assert( p->addrOpenEphm[0] == -1 );\n p->addrOpenEphm[0] = addr;\n findRightmost(p)->selFlags |= SF_UsesEphemeral;\n assert( p->pEList );\n \n /* Code the SELECTs to our left into temporary table \"tab1\".\n */\n sqlite3SelectDestInit(&intersectdest, SRT_Union, tab1);\n rc = sqlite3Select(pParse, pPrior, &intersectdest);\n if( rc ){\n goto multi_select_end;\n }\n \n /* Code the current SELECT into temporary table \"tab2\"\n */\n addr = sqlite3VdbeAddOp2(v, OP_OpenEphemeral, tab2, 0);\n assert( p->addrOpenEphm[1] == -1 );\n p->addrOpenEphm[1] = addr;\n p->pPrior = 0;\n pLimit = p->pLimit;\n p->pLimit = 0;\n intersectdest.iSDParm = tab2;\n ExplainQueryPlan((pParse, 1, \"%s USING TEMP B-TREE\",\n selectOpName(p->op)));\n rc = sqlite3Select(pParse, p, &intersectdest);\n testcase( rc!=SQLITE_OK );\n pDelete = p->pPrior;\n p->pPrior = pPrior;\n if( p->nSelectRow>pPrior->nSelectRow ){\n p->nSelectRow = pPrior->nSelectRow;\n }\n sqlite3ExprDelete(db, p->pLimit);\n p->pLimit = pLimit;\n \n /* Generate code to take the intersection of the two temporary\n ** tables.\n */\n assert( p->pEList );\n iBreak = sqlite3VdbeMakeLabel(pParse);\n iCont = sqlite3VdbeMakeLabel(pParse);\n computeLimitRegisters(pParse, p, iBreak);\n sqlite3VdbeAddOp2(v, OP_Rewind, tab1, iBreak); VdbeCoverage(v);\n r1 = sqlite3GetTempReg(pParse);\n iStart = sqlite3VdbeAddOp2(v, OP_RowData, tab1, r1);\n sqlite3VdbeAddOp4Int(v, OP_NotFound, tab2, iCont, r1, 0);\n VdbeCoverage(v);\n sqlite3ReleaseTempReg(pParse, r1);\n selectInnerLoop(pParse, p, tab1,\n 0, 0, &dest, iCont, iBreak);\n sqlite3VdbeResolveLabel(v, iCont);\n sqlite3VdbeAddOp2(v, OP_Next, tab1, iStart); VdbeCoverage(v);\n sqlite3VdbeResolveLabel(v, iBreak);\n sqlite3VdbeAddOp2(v, OP_Close, tab2, 0);\n sqlite3VdbeAddOp2(v, OP_Close, tab1, 0);\n break;\n }\n 
}\n \n #ifndef SQLITE_OMIT_EXPLAIN\n if( p->pNext==0 ){\n ExplainQueryPlanPop(pParse);\n }\n #endif\n }\n \n /* Compute collating sequences used by \n ** temporary tables needed to implement the compound select.\n ** Attach the KeyInfo structure to all temporary tables.\n **\n ** This section is run by the right-most SELECT statement only.\n ** SELECT statements to the left always skip this part. The right-most\n ** SELECT might also skip this part if it has no ORDER BY clause and\n ** no temp tables are required.\n */\n if( p->selFlags & SF_UsesEphemeral ){\n int i; /* Loop counter */\n KeyInfo *pKeyInfo; /* Collating sequence for the result set */\n Select *pLoop; /* For looping through SELECT statements */\n CollSeq **apColl; /* For looping through pKeyInfo->aColl[] */\n int nCol; /* Number of columns in result set */\n\n assert( p->pNext==0 );\n nCol = p->pEList->nExpr;\n pKeyInfo = sqlite3KeyInfoAlloc(db, nCol, 1);\n if( !pKeyInfo ){\n rc = SQLITE_NOMEM_BKPT;\n goto multi_select_end;\n }\n for(i=0, apColl=pKeyInfo->aColl; ipDfltColl;\n }\n }\n\n for(pLoop=p; pLoop; pLoop=pLoop->pPrior){\n for(i=0; i<2; i++){\n int addr = pLoop->addrOpenEphm[i];\n if( addr<0 ){\n /* If [0] is unused then [1] is also unused. 
So we can\n ** always safely abort as soon as the first unused slot is found */\n assert( pLoop->addrOpenEphm[1]<0 );\n break;\n }\n sqlite3VdbeChangeP2(v, addr, nCol);\n sqlite3VdbeChangeP4(v, addr, (char*)sqlite3KeyInfoRef(pKeyInfo),\n P4_KEYINFO);\n pLoop->addrOpenEphm[i] = -1;\n }\n }\n sqlite3KeyInfoUnref(pKeyInfo);\n }\n\nmulti_select_end:\n pDest->iSdst = dest.iSdst;\n pDest->nSdst = dest.nSdst;\n sqlite3SelectDelete(db, pDelete);\n return rc;\n}", "project": "sqlite", "hash": 129135244890151070904216177945464072400, "size": 342, "commit_id": "8428b3b437569338a9d1e10c4cd8154acbe33089", "message": "Continuation of [e2bddcd4c55ba3cb]: Add another spot where it is necessary\nto abort early due to prior errors in sqlite3WindowRewrite().\n\nFossilOrigin-Name: cba2a2a44cdf138a629109bb0ad088ed4ef67fc66bed3e0373554681a39615d2", "target": 1, "dataset": "other", "idx": 210816 }, { "func": "static int multiSelect(\n Parse *pParse, /* Parsing context */\n Select *p, /* The right-most of SELECTs to be coded */\n SelectDest *pDest /* What to do with query results */\n){\n int rc = SQLITE_OK; /* Success code from a subroutine */\n Select *pPrior; /* Another SELECT immediately to our left */\n Vdbe *v; /* Generate code to this VDBE */\n SelectDest dest; /* Alternative data destination */\n Select *pDelete = 0; /* Chain of simple selects to delete */\n sqlite3 *db; /* Database connection */\n\n /* Make sure there is no ORDER BY or LIMIT clause on prior SELECTs. Only\n ** the last (right-most) SELECT in the series may have an ORDER BY or LIMIT.\n */\n assert( p && p->pPrior ); /* Calling function guarantees this much */\n assert( (p->selFlags & SF_Recursive)==0 || p->op==TK_ALL || p->op==TK_UNION );\n assert( p->selFlags & SF_Compound );\n db = pParse->db;\n pPrior = p->pPrior;\n dest = *pDest;\n if( pPrior->pOrderBy || pPrior->pLimit ){\n sqlite3ErrorMsg(pParse,\"%s clause should come after %s not before\",\n pPrior->pOrderBy!=0 ? 
\"ORDER BY\" : \"LIMIT\", selectOpName(p->op));\n rc = 1;\n goto multi_select_end;\n }\n\n v = sqlite3GetVdbe(pParse);\n assert( v!=0 ); /* The VDBE already created by calling function */\n\n /* Create the destination temporary table if necessary\n */\n if( dest.eDest==SRT_EphemTab ){\n assert( p->pEList );\n sqlite3VdbeAddOp2(v, OP_OpenEphemeral, dest.iSDParm, p->pEList->nExpr);\n dest.eDest = SRT_Table;\n }\n\n /* Special handling for a compound-select that originates as a VALUES clause.\n */\n if( p->selFlags & SF_MultiValue ){\n rc = multiSelectValues(pParse, p, &dest);\n if( rc>=0 ) goto multi_select_end;\n rc = SQLITE_OK;\n }\n\n /* Make sure all SELECTs in the statement have the same number of elements\n ** in their result sets.\n */\n assert( p->pEList && pPrior->pEList );\n assert( p->pEList->nExpr==pPrior->pEList->nExpr );\n\n#ifndef SQLITE_OMIT_CTE\n if( p->selFlags & SF_Recursive ){\n generateWithRecursiveQuery(pParse, p, &dest);\n }else\n#endif\n\n /* Compound SELECTs that have an ORDER BY clause are handled separately.\n */\n if( p->pOrderBy ){\n return multiSelectOrderBy(pParse, p, pDest);\n }else{\n\n#ifndef SQLITE_OMIT_EXPLAIN\n if( pPrior->pPrior==0 ){\n ExplainQueryPlan((pParse, 1, \"COMPOUND QUERY\"));\n ExplainQueryPlan((pParse, 1, \"LEFT-MOST SUBQUERY\"));\n }\n#endif\n\n /* Generate code for the left and right SELECT statements.\n */\n switch( p->op ){\n case TK_ALL: {\n int addr = 0;\n int nLimit;\n assert( !pPrior->pLimit );\n pPrior->iLimit = p->iLimit;\n pPrior->iOffset = p->iOffset;\n pPrior->pLimit = p->pLimit;\n rc = sqlite3Select(pParse, pPrior, &dest);\n p->pLimit = 0;\n if( rc ){\n goto multi_select_end;\n }\n p->pPrior = 0;\n p->iLimit = pPrior->iLimit;\n p->iOffset = pPrior->iOffset;\n if( p->iLimit ){\n addr = sqlite3VdbeAddOp1(v, OP_IfNot, p->iLimit); VdbeCoverage(v);\n VdbeComment((v, \"Jump ahead if LIMIT reached\"));\n if( p->iOffset ){\n sqlite3VdbeAddOp3(v, OP_OffsetLimit,\n p->iLimit, p->iOffset+1, p->iOffset);\n }\n }\n 
ExplainQueryPlan((pParse, 1, \"UNION ALL\"));\n rc = sqlite3Select(pParse, p, &dest);\n testcase( rc!=SQLITE_OK );\n pDelete = p->pPrior;\n p->pPrior = pPrior;\n p->nSelectRow = sqlite3LogEstAdd(p->nSelectRow, pPrior->nSelectRow);\n if( pPrior->pLimit\n && sqlite3ExprIsInteger(pPrior->pLimit->pLeft, &nLimit)\n && nLimit>0 && p->nSelectRow > sqlite3LogEst((u64)nLimit) \n ){\n p->nSelectRow = sqlite3LogEst((u64)nLimit);\n }\n if( addr ){\n sqlite3VdbeJumpHere(v, addr);\n }\n break;\n }\n case TK_EXCEPT:\n case TK_UNION: {\n int unionTab; /* Cursor number of the temp table holding result */\n u8 op = 0; /* One of the SRT_ operations to apply to self */\n int priorOp; /* The SRT_ operation to apply to prior selects */\n Expr *pLimit; /* Saved values of p->nLimit */\n int addr;\n SelectDest uniondest;\n \n testcase( p->op==TK_EXCEPT );\n testcase( p->op==TK_UNION );\n priorOp = SRT_Union;\n if( dest.eDest==priorOp ){\n /* We can reuse a temporary table generated by a SELECT to our\n ** right.\n */\n assert( p->pLimit==0 ); /* Not allowed on leftward elements */\n unionTab = dest.iSDParm;\n }else{\n /* We will need to create our own temporary table to hold the\n ** intermediate results.\n */\n unionTab = pParse->nTab++;\n assert( p->pOrderBy==0 );\n addr = sqlite3VdbeAddOp2(v, OP_OpenEphemeral, unionTab, 0);\n assert( p->addrOpenEphm[0] == -1 );\n p->addrOpenEphm[0] = addr;\n findRightmost(p)->selFlags |= SF_UsesEphemeral;\n assert( p->pEList );\n }\n \n /* Code the SELECT statements to our left\n */\n assert( !pPrior->pOrderBy );\n sqlite3SelectDestInit(&uniondest, priorOp, unionTab);\n rc = sqlite3Select(pParse, pPrior, &uniondest);\n if( rc ){\n goto multi_select_end;\n }\n \n /* Code the current SELECT statement\n */\n if( p->op==TK_EXCEPT ){\n op = SRT_Except;\n }else{\n assert( p->op==TK_UNION );\n op = SRT_Union;\n }\n p->pPrior = 0;\n pLimit = p->pLimit;\n p->pLimit = 0;\n uniondest.eDest = op;\n ExplainQueryPlan((pParse, 1, \"%s USING TEMP B-TREE\",\n 
selectOpName(p->op)));\n rc = sqlite3Select(pParse, p, &uniondest);\n testcase( rc!=SQLITE_OK );\n /* Query flattening in sqlite3Select() might refill p->pOrderBy.\n ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */\n sqlite3ExprListDelete(db, p->pOrderBy);\n pDelete = p->pPrior;\n p->pPrior = pPrior;\n p->pOrderBy = 0;\n if( p->op==TK_UNION ){\n p->nSelectRow = sqlite3LogEstAdd(p->nSelectRow, pPrior->nSelectRow);\n }\n sqlite3ExprDelete(db, p->pLimit);\n p->pLimit = pLimit;\n p->iLimit = 0;\n p->iOffset = 0;\n \n /* Convert the data in the temporary table into whatever form\n ** it is that we currently need.\n */\n assert( unionTab==dest.iSDParm || dest.eDest!=priorOp );\n assert( p->pEList || db->mallocFailed );\n if( dest.eDest!=priorOp && db->mallocFailed==0 ){\n int iCont, iBreak, iStart;\n iBreak = sqlite3VdbeMakeLabel(pParse);\n iCont = sqlite3VdbeMakeLabel(pParse);\n computeLimitRegisters(pParse, p, iBreak);\n sqlite3VdbeAddOp2(v, OP_Rewind, unionTab, iBreak); VdbeCoverage(v);\n iStart = sqlite3VdbeCurrentAddr(v);\n selectInnerLoop(pParse, p, unionTab,\n 0, 0, &dest, iCont, iBreak);\n sqlite3VdbeResolveLabel(v, iCont);\n sqlite3VdbeAddOp2(v, OP_Next, unionTab, iStart); VdbeCoverage(v);\n sqlite3VdbeResolveLabel(v, iBreak);\n sqlite3VdbeAddOp2(v, OP_Close, unionTab, 0);\n }\n break;\n }\n default: assert( p->op==TK_INTERSECT ); {\n int tab1, tab2;\n int iCont, iBreak, iStart;\n Expr *pLimit;\n int addr;\n SelectDest intersectdest;\n int r1;\n \n /* INTERSECT is different from the others since it requires\n ** two temporary tables. Hence it has its own case. 
Begin\n ** by allocating the tables we will need.\n */\n tab1 = pParse->nTab++;\n tab2 = pParse->nTab++;\n assert( p->pOrderBy==0 );\n \n addr = sqlite3VdbeAddOp2(v, OP_OpenEphemeral, tab1, 0);\n assert( p->addrOpenEphm[0] == -1 );\n p->addrOpenEphm[0] = addr;\n findRightmost(p)->selFlags |= SF_UsesEphemeral;\n assert( p->pEList );\n \n /* Code the SELECTs to our left into temporary table \"tab1\".\n */\n sqlite3SelectDestInit(&intersectdest, SRT_Union, tab1);\n rc = sqlite3Select(pParse, pPrior, &intersectdest);\n if( rc ){\n goto multi_select_end;\n }\n \n /* Code the current SELECT into temporary table \"tab2\"\n */\n addr = sqlite3VdbeAddOp2(v, OP_OpenEphemeral, tab2, 0);\n assert( p->addrOpenEphm[1] == -1 );\n p->addrOpenEphm[1] = addr;\n p->pPrior = 0;\n pLimit = p->pLimit;\n p->pLimit = 0;\n intersectdest.iSDParm = tab2;\n ExplainQueryPlan((pParse, 1, \"%s USING TEMP B-TREE\",\n selectOpName(p->op)));\n rc = sqlite3Select(pParse, p, &intersectdest);\n testcase( rc!=SQLITE_OK );\n pDelete = p->pPrior;\n p->pPrior = pPrior;\n if( p->nSelectRow>pPrior->nSelectRow ){\n p->nSelectRow = pPrior->nSelectRow;\n }\n sqlite3ExprDelete(db, p->pLimit);\n p->pLimit = pLimit;\n \n /* Generate code to take the intersection of the two temporary\n ** tables.\n */\n if( rc ) break;\n assert( p->pEList );\n iBreak = sqlite3VdbeMakeLabel(pParse);\n iCont = sqlite3VdbeMakeLabel(pParse);\n computeLimitRegisters(pParse, p, iBreak);\n sqlite3VdbeAddOp2(v, OP_Rewind, tab1, iBreak); VdbeCoverage(v);\n r1 = sqlite3GetTempReg(pParse);\n iStart = sqlite3VdbeAddOp2(v, OP_RowData, tab1, r1);\n sqlite3VdbeAddOp4Int(v, OP_NotFound, tab2, iCont, r1, 0);\n VdbeCoverage(v);\n sqlite3ReleaseTempReg(pParse, r1);\n selectInnerLoop(pParse, p, tab1,\n 0, 0, &dest, iCont, iBreak);\n sqlite3VdbeResolveLabel(v, iCont);\n sqlite3VdbeAddOp2(v, OP_Next, tab1, iStart); VdbeCoverage(v);\n sqlite3VdbeResolveLabel(v, iBreak);\n sqlite3VdbeAddOp2(v, OP_Close, tab2, 0);\n sqlite3VdbeAddOp2(v, OP_Close, tab1, 
0);\n break;\n }\n }\n \n #ifndef SQLITE_OMIT_EXPLAIN\n if( p->pNext==0 ){\n ExplainQueryPlanPop(pParse);\n }\n #endif\n }\n if( pParse->nErr ) goto multi_select_end;\n \n /* Compute collating sequences used by \n ** temporary tables needed to implement the compound select.\n ** Attach the KeyInfo structure to all temporary tables.\n **\n ** This section is run by the right-most SELECT statement only.\n ** SELECT statements to the left always skip this part. The right-most\n ** SELECT might also skip this part if it has no ORDER BY clause and\n ** no temp tables are required.\n */\n if( p->selFlags & SF_UsesEphemeral ){\n int i; /* Loop counter */\n KeyInfo *pKeyInfo; /* Collating sequence for the result set */\n Select *pLoop; /* For looping through SELECT statements */\n CollSeq **apColl; /* For looping through pKeyInfo->aColl[] */\n int nCol; /* Number of columns in result set */\n\n assert( p->pNext==0 );\n nCol = p->pEList->nExpr;\n pKeyInfo = sqlite3KeyInfoAlloc(db, nCol, 1);\n if( !pKeyInfo ){\n rc = SQLITE_NOMEM_BKPT;\n goto multi_select_end;\n }\n for(i=0, apColl=pKeyInfo->aColl; ipDfltColl;\n }\n }\n\n for(pLoop=p; pLoop; pLoop=pLoop->pPrior){\n for(i=0; i<2; i++){\n int addr = pLoop->addrOpenEphm[i];\n if( addr<0 ){\n /* If [0] is unused then [1] is also unused. 
So we can\n ** always safely abort as soon as the first unused slot is found */\n assert( pLoop->addrOpenEphm[1]<0 );\n break;\n }\n sqlite3VdbeChangeP2(v, addr, nCol);\n sqlite3VdbeChangeP4(v, addr, (char*)sqlite3KeyInfoRef(pKeyInfo),\n P4_KEYINFO);\n pLoop->addrOpenEphm[i] = -1;\n }\n }\n sqlite3KeyInfoUnref(pKeyInfo);\n }\n\nmulti_select_end:\n pDest->iSdst = dest.iSdst;\n pDest->nSdst = dest.nSdst;\n sqlite3SelectDelete(db, pDelete);\n return rc;\n}", "project": "sqlite", "hash": 222304138699688756475020408719005629756, "size": 344, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246169 }, { "func": "static int multiSelect(\n Parse *pParse, /* Parsing context */\n Select *p, /* The right-most of SELECTs to be coded */\n SelectDest *pDest /* What to do with query results */\n){\n int rc = SQLITE_OK; /* Success code from a subroutine */\n Select *pPrior; /* Another SELECT immediately to our left */\n Vdbe *v; /* Generate code to this VDBE */\n SelectDest dest; /* Alternative data destination */\n Select *pDelete = 0; /* Chain of simple selects to delete */\n sqlite3 *db; /* Database connection */\n\n /* Make sure there is no ORDER BY or LIMIT clause on prior SELECTs. Only\n ** the last (right-most) SELECT in the series may have an ORDER BY or LIMIT.\n */\n assert( p && p->pPrior ); /* Calling function guarantees this much */\n assert( (p->selFlags & SF_Recursive)==0 || p->op==TK_ALL || p->op==TK_UNION );\n assert( p->selFlags & SF_Compound );\n db = pParse->db;\n pPrior = p->pPrior;\n dest = *pDest;\n if( pPrior->pOrderBy || pPrior->pLimit ){\n sqlite3ErrorMsg(pParse,\"%s clause should come after %s not before\",\n pPrior->pOrderBy!=0 ? 
\"ORDER BY\" : \"LIMIT\", selectOpName(p->op));\n rc = 1;\n goto multi_select_end;\n }\n\n v = sqlite3GetVdbe(pParse);\n assert( v!=0 ); /* The VDBE already created by calling function */\n\n /* Create the destination temporary table if necessary\n */\n if( dest.eDest==SRT_EphemTab ){\n assert( p->pEList );\n sqlite3VdbeAddOp2(v, OP_OpenEphemeral, dest.iSDParm, p->pEList->nExpr);\n dest.eDest = SRT_Table;\n }\n\n /* Special handling for a compound-select that originates as a VALUES clause.\n */\n if( p->selFlags & SF_MultiValue ){\n rc = multiSelectValues(pParse, p, &dest);\n if( rc>=0 ) goto multi_select_end;\n rc = SQLITE_OK;\n }\n\n /* Make sure all SELECTs in the statement have the same number of elements\n ** in their result sets.\n */\n assert( p->pEList && pPrior->pEList );\n assert( p->pEList->nExpr==pPrior->pEList->nExpr );\n\n#ifndef SQLITE_OMIT_CTE\n if( p->selFlags & SF_Recursive ){\n generateWithRecursiveQuery(pParse, p, &dest);\n }else\n#endif\n\n /* Compound SELECTs that have an ORDER BY clause are handled separately.\n */\n if( p->pOrderBy ){\n return multiSelectOrderBy(pParse, p, pDest);\n }else{\n\n#ifndef SQLITE_OMIT_EXPLAIN\n if( pPrior->pPrior==0 ){\n ExplainQueryPlan((pParse, 1, \"COMPOUND QUERY\"));\n ExplainQueryPlan((pParse, 1, \"LEFT-MOST SUBQUERY\"));\n }\n#endif\n\n /* Generate code for the left and right SELECT statements.\n */\n switch( p->op ){\n case TK_ALL: {\n int addr = 0;\n int nLimit;\n assert( !pPrior->pLimit );\n pPrior->iLimit = p->iLimit;\n pPrior->iOffset = p->iOffset;\n pPrior->pLimit = p->pLimit;\n rc = sqlite3Select(pParse, pPrior, &dest);\n p->pLimit = 0;\n if( rc ){\n goto multi_select_end;\n }\n p->pPrior = 0;\n p->iLimit = pPrior->iLimit;\n p->iOffset = pPrior->iOffset;\n if( p->iLimit ){\n addr = sqlite3VdbeAddOp1(v, OP_IfNot, p->iLimit); VdbeCoverage(v);\n VdbeComment((v, \"Jump ahead if LIMIT reached\"));\n if( p->iOffset ){\n sqlite3VdbeAddOp3(v, OP_OffsetLimit,\n p->iLimit, p->iOffset+1, p->iOffset);\n }\n }\n 
ExplainQueryPlan((pParse, 1, \"UNION ALL\"));\n rc = sqlite3Select(pParse, p, &dest);\n testcase( rc!=SQLITE_OK );\n pDelete = p->pPrior;\n p->pPrior = pPrior;\n p->nSelectRow = sqlite3LogEstAdd(p->nSelectRow, pPrior->nSelectRow);\n if( pPrior->pLimit\n && sqlite3ExprIsInteger(pPrior->pLimit->pLeft, &nLimit)\n && nLimit>0 && p->nSelectRow > sqlite3LogEst((u64)nLimit) \n ){\n p->nSelectRow = sqlite3LogEst((u64)nLimit);\n }\n if( addr ){\n sqlite3VdbeJumpHere(v, addr);\n }\n break;\n }\n case TK_EXCEPT:\n case TK_UNION: {\n int unionTab; /* Cursor number of the temp table holding result */\n u8 op = 0; /* One of the SRT_ operations to apply to self */\n int priorOp; /* The SRT_ operation to apply to prior selects */\n Expr *pLimit; /* Saved values of p->nLimit */\n int addr;\n SelectDest uniondest;\n \n testcase( p->op==TK_EXCEPT );\n testcase( p->op==TK_UNION );\n priorOp = SRT_Union;\n if( dest.eDest==priorOp ){\n /* We can reuse a temporary table generated by a SELECT to our\n ** right.\n */\n assert( p->pLimit==0 ); /* Not allowed on leftward elements */\n unionTab = dest.iSDParm;\n }else{\n /* We will need to create our own temporary table to hold the\n ** intermediate results.\n */\n unionTab = pParse->nTab++;\n assert( p->pOrderBy==0 );\n addr = sqlite3VdbeAddOp2(v, OP_OpenEphemeral, unionTab, 0);\n assert( p->addrOpenEphm[0] == -1 );\n p->addrOpenEphm[0] = addr;\n findRightmost(p)->selFlags |= SF_UsesEphemeral;\n assert( p->pEList );\n }\n \n /* Code the SELECT statements to our left\n */\n assert( !pPrior->pOrderBy );\n sqlite3SelectDestInit(&uniondest, priorOp, unionTab);\n rc = sqlite3Select(pParse, pPrior, &uniondest);\n if( rc ){\n goto multi_select_end;\n }\n \n /* Code the current SELECT statement\n */\n if( p->op==TK_EXCEPT ){\n op = SRT_Except;\n }else{\n assert( p->op==TK_UNION );\n op = SRT_Union;\n }\n p->pPrior = 0;\n pLimit = p->pLimit;\n p->pLimit = 0;\n uniondest.eDest = op;\n ExplainQueryPlan((pParse, 1, \"%s USING TEMP B-TREE\",\n 
selectOpName(p->op)));\n rc = sqlite3Select(pParse, p, &uniondest);\n testcase( rc!=SQLITE_OK );\n /* Query flattening in sqlite3Select() might refill p->pOrderBy.\n ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */\n sqlite3ExprListDelete(db, p->pOrderBy);\n pDelete = p->pPrior;\n p->pPrior = pPrior;\n p->pOrderBy = 0;\n if( p->op==TK_UNION ){\n p->nSelectRow = sqlite3LogEstAdd(p->nSelectRow, pPrior->nSelectRow);\n }\n sqlite3ExprDelete(db, p->pLimit);\n p->pLimit = pLimit;\n p->iLimit = 0;\n p->iOffset = 0;\n \n /* Convert the data in the temporary table into whatever form\n ** it is that we currently need.\n */\n assert( unionTab==dest.iSDParm || dest.eDest!=priorOp );\n if( dest.eDest!=priorOp ){\n int iCont, iBreak, iStart;\n assert( p->pEList );\n iBreak = sqlite3VdbeMakeLabel(pParse);\n iCont = sqlite3VdbeMakeLabel(pParse);\n computeLimitRegisters(pParse, p, iBreak);\n sqlite3VdbeAddOp2(v, OP_Rewind, unionTab, iBreak); VdbeCoverage(v);\n iStart = sqlite3VdbeCurrentAddr(v);\n selectInnerLoop(pParse, p, unionTab,\n 0, 0, &dest, iCont, iBreak);\n sqlite3VdbeResolveLabel(v, iCont);\n sqlite3VdbeAddOp2(v, OP_Next, unionTab, iStart); VdbeCoverage(v);\n sqlite3VdbeResolveLabel(v, iBreak);\n sqlite3VdbeAddOp2(v, OP_Close, unionTab, 0);\n }\n break;\n }\n default: assert( p->op==TK_INTERSECT ); {\n int tab1, tab2;\n int iCont, iBreak, iStart;\n Expr *pLimit;\n int addr;\n SelectDest intersectdest;\n int r1;\n \n /* INTERSECT is different from the others since it requires\n ** two temporary tables. Hence it has its own case. 
Begin\n ** by allocating the tables we will need.\n */\n tab1 = pParse->nTab++;\n tab2 = pParse->nTab++;\n assert( p->pOrderBy==0 );\n \n addr = sqlite3VdbeAddOp2(v, OP_OpenEphemeral, tab1, 0);\n assert( p->addrOpenEphm[0] == -1 );\n p->addrOpenEphm[0] = addr;\n findRightmost(p)->selFlags |= SF_UsesEphemeral;\n assert( p->pEList );\n \n /* Code the SELECTs to our left into temporary table \"tab1\".\n */\n sqlite3SelectDestInit(&intersectdest, SRT_Union, tab1);\n rc = sqlite3Select(pParse, pPrior, &intersectdest);\n if( rc ){\n goto multi_select_end;\n }\n \n /* Code the current SELECT into temporary table \"tab2\"\n */\n addr = sqlite3VdbeAddOp2(v, OP_OpenEphemeral, tab2, 0);\n assert( p->addrOpenEphm[1] == -1 );\n p->addrOpenEphm[1] = addr;\n p->pPrior = 0;\n pLimit = p->pLimit;\n p->pLimit = 0;\n intersectdest.iSDParm = tab2;\n ExplainQueryPlan((pParse, 1, \"%s USING TEMP B-TREE\",\n selectOpName(p->op)));\n rc = sqlite3Select(pParse, p, &intersectdest);\n testcase( rc!=SQLITE_OK );\n pDelete = p->pPrior;\n p->pPrior = pPrior;\n if( p->nSelectRow>pPrior->nSelectRow ){\n p->nSelectRow = pPrior->nSelectRow;\n }\n sqlite3ExprDelete(db, p->pLimit);\n p->pLimit = pLimit;\n \n /* Generate code to take the intersection of the two temporary\n ** tables.\n */\n assert( p->pEList );\n iBreak = sqlite3VdbeMakeLabel(pParse);\n iCont = sqlite3VdbeMakeLabel(pParse);\n computeLimitRegisters(pParse, p, iBreak);\n sqlite3VdbeAddOp2(v, OP_Rewind, tab1, iBreak); VdbeCoverage(v);\n r1 = sqlite3GetTempReg(pParse);\n iStart = sqlite3VdbeAddOp2(v, OP_RowData, tab1, r1);\n sqlite3VdbeAddOp4Int(v, OP_NotFound, tab2, iCont, r1, 0);\n VdbeCoverage(v);\n sqlite3ReleaseTempReg(pParse, r1);\n selectInnerLoop(pParse, p, tab1,\n 0, 0, &dest, iCont, iBreak);\n sqlite3VdbeResolveLabel(v, iCont);\n sqlite3VdbeAddOp2(v, OP_Next, tab1, iStart); VdbeCoverage(v);\n sqlite3VdbeResolveLabel(v, iBreak);\n sqlite3VdbeAddOp2(v, OP_Close, tab2, 0);\n sqlite3VdbeAddOp2(v, OP_Close, tab1, 0);\n break;\n }\n 
}\n \n #ifndef SQLITE_OMIT_EXPLAIN\n if( p->pNext==0 ){\n ExplainQueryPlanPop(pParse);\n }\n #endif\n }\n if( pParse->nErr ) goto multi_select_end;\n \n /* Compute collating sequences used by \n ** temporary tables needed to implement the compound select.\n ** Attach the KeyInfo structure to all temporary tables.\n **\n ** This section is run by the right-most SELECT statement only.\n ** SELECT statements to the left always skip this part. The right-most\n ** SELECT might also skip this part if it has no ORDER BY clause and\n ** no temp tables are required.\n */\n if( p->selFlags & SF_UsesEphemeral ){\n int i; /* Loop counter */\n KeyInfo *pKeyInfo; /* Collating sequence for the result set */\n Select *pLoop; /* For looping through SELECT statements */\n CollSeq **apColl; /* For looping through pKeyInfo->aColl[] */\n int nCol; /* Number of columns in result set */\n\n assert( p->pNext==0 );\n nCol = p->pEList->nExpr;\n pKeyInfo = sqlite3KeyInfoAlloc(db, nCol, 1);\n if( !pKeyInfo ){\n rc = SQLITE_NOMEM_BKPT;\n goto multi_select_end;\n }\n for(i=0, apColl=pKeyInfo->aColl; ipDfltColl;\n }\n }\n\n for(pLoop=p; pLoop; pLoop=pLoop->pPrior){\n for(i=0; i<2; i++){\n int addr = pLoop->addrOpenEphm[i];\n if( addr<0 ){\n /* If [0] is unused then [1] is also unused. 
So we can\n ** always safely abort as soon as the first unused slot is found */\n assert( pLoop->addrOpenEphm[1]<0 );\n break;\n }\n sqlite3VdbeChangeP2(v, addr, nCol);\n sqlite3VdbeChangeP4(v, addr, (char*)sqlite3KeyInfoRef(pKeyInfo),\n P4_KEYINFO);\n pLoop->addrOpenEphm[i] = -1;\n }\n }\n sqlite3KeyInfoUnref(pKeyInfo);\n }\n\nmulti_select_end:\n pDest->iSdst = dest.iSdst;\n pDest->nSdst = dest.nSdst;\n sqlite3SelectDelete(db, pDelete);\n return rc;\n}", "project": "sqlite", "hash": 142655477716831857820189871529105126571, "size": 343, "commit_id": "8428b3b437569338a9d1e10c4cd8154acbe33089", "message": "Continuation of [e2bddcd4c55ba3cb]: Add another spot where it is necessary\nto abort early due to prior errors in sqlite3WindowRewrite().\n\nFossilOrigin-Name: cba2a2a44cdf138a629109bb0ad088ed4ef67fc66bed3e0373554681a39615d2", "target": 0, "dataset": "other", "idx": 440749 }, { "func": "static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){\n assert( p->nOp>0 || p->aOp==0 );\n assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed );\n if( p->nOp ){\n assert( p->aOp );\n sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);\n p->aOp[p->nOp-1].zComment = sqlite3VMPrintf(p->db, zFormat, ap);\n }\n}", "project": "sqlite", "hash": 297573905934146601478250262407134446540, "size": 9, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 1, "dataset": "other", "idx": 206236 }, { "func": "static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){\n assert( p->nOp>0 || p->aOp==0 );\n assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed\n || p->pParse->nErr>0 );\n if( p->nOp ){\n assert( p->aOp );\n sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);\n p->aOp[p->nOp-1].zComment = sqlite3VMPrintf(p->db, zFormat, ap);\n }\n}", "project": "sqlite", "hash": 94525444203276371802552918193620025307, "size": 10, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378537 }, { "func": "void sqlite3VdbeChangeP5(Vdbe *p, u16 p5){\n assert( p->nOp>0 || p->db->mallocFailed );\n if( p->nOp>0 ) p->aOp[p->nOp-1].p5 = p5;\n}", "project": "sqlite", "hash": 277270658738475373253501348440485285543, "size": 4, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378499 }, { "func": "void sqlite3VdbeRewind(Vdbe *p){\n#if defined(SQLITE_DEBUG) || defined(VDBE_PROFILE)\n int i;\n#endif\n assert( p!=0 );\n assert( p->magic==VDBE_MAGIC_INIT || p->magic==VDBE_MAGIC_RESET );\n\n /* There should be at least one opcode.\n */\n assert( p->nOp>0 );\n\n /* Set the magic to VDBE_MAGIC_RUN sooner rather than later. */\n p->magic = VDBE_MAGIC_RUN;\n\n#ifdef SQLITE_DEBUG\n for(i=0; inMem; i++){\n assert( p->aMem[i].db==p->db );\n }\n#endif\n p->pc = -1;\n p->rc = SQLITE_OK;\n p->errorAction = OE_Abort;\n p->nChange = 0;\n p->cacheCtr = 1;\n p->minWriteFileFormat = 255;\n p->iStatement = 0;\n p->nFkConstraint = 0;\n#ifdef VDBE_PROFILE\n for(i=0; inOp; i++){\n p->aOp[i].cnt = 0;\n p->aOp[i].cycles = 0;\n }\n#endif\n}", "project": "sqlite", "hash": 73366885095706457996364300121120247455, "size": 34, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378685 }, { "func": "static void generateColumnNames(\n Parse *pParse, /* Parser context */\n Select *pSelect /* Generate column names for this SELECT statement */\n){\n Vdbe *v = pParse->pVdbe;\n int i;\n Table *pTab;\n SrcList *pTabList;\n ExprList *pEList;\n sqlite3 *db = pParse->db;\n int fullName; /* TABLE.COLUMN if no AS clause and is a direct table ref */\n int srcName; /* COLUMN or TABLE.COLUMN if no AS clause and is direct */\n\n#ifndef SQLITE_OMIT_EXPLAIN\n /* If this is an EXPLAIN, skip this step */\n if( pParse->explain ){\n return;\n }\n#endif\n\n if( pParse->colNamesSet ) return;\n /* Column names are determined by the left-most term of a compound select */\n while( pSelect->pPrior ) pSelect = pSelect->pPrior;\n SELECTTRACE(1,pParse,pSelect,(\"generating column names\\n\"));\n pTabList = pSelect->pSrc;\n pEList = pSelect->pEList;\n assert( v!=0 );\n assert( pTabList!=0 );\n pParse->colNamesSet = 1;\n fullName = (db->flags & SQLITE_FullColNames)!=0;\n srcName = (db->flags & SQLITE_ShortColNames)!=0 || fullName;\n sqlite3VdbeSetNumCols(v, pEList->nExpr);\n for(i=0; inExpr; i++){\n Expr *p = pEList->a[i].pExpr;\n\n assert( p!=0 );\n assert( p->op!=TK_AGG_COLUMN ); /* Agg processing has not run yet */\n assert( p->op!=TK_COLUMN || p->y.pTab!=0 ); /* Covering idx not yet coded */\n if( pEList->a[i].zEName && pEList->a[i].eEName==ENAME_NAME ){\n /* An AS clause always takes first priority */\n char *zName = pEList->a[i].zEName;\n sqlite3VdbeSetColName(v, i, COLNAME_NAME, zName, SQLITE_TRANSIENT);\n }else if( srcName && p->op==TK_COLUMN ){\n char *zCol;\n int iCol = p->iColumn;\n pTab = p->y.pTab;\n assert( pTab!=0 );\n if( iCol<0 ) iCol = pTab->iPKey;\n assert( iCol==-1 || (iCol>=0 && iColnCol) );\n if( iCol<0 ){\n zCol = \"rowid\";\n }else{\n zCol = 
pTab->aCol[iCol].zName;\n }\n if( fullName ){\n char *zName = 0;\n zName = sqlite3MPrintf(db, \"%s.%s\", pTab->zName, zCol);\n sqlite3VdbeSetColName(v, i, COLNAME_NAME, zName, SQLITE_DYNAMIC);\n }else{\n sqlite3VdbeSetColName(v, i, COLNAME_NAME, zCol, SQLITE_TRANSIENT);\n }\n }else{\n const char *z = pEList->a[i].zEName;\n z = z==0 ? sqlite3MPrintf(db, \"column%d\", i+1) : sqlite3DbStrDup(db, z);\n sqlite3VdbeSetColName(v, i, COLNAME_NAME, z, SQLITE_DYNAMIC);\n }\n }\n generateColumnTypes(pParse, pTabList, pEList);\n}", "project": "sqlite", "hash": 222688526781822729068572321862879184817, "size": 69, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246189 }, { "func": "static void generateColumnNames(\n Parse *pParse, /* Parser context */\n Select *pSelect /* Generate column names for this SELECT statement */\n){\n Vdbe *v = pParse->pVdbe;\n int i;\n Table *pTab;\n SrcList *pTabList;\n ExprList *pEList;\n sqlite3 *db = pParse->db;\n int fullName; /* TABLE.COLUMN if no AS clause and is a direct table ref */\n int srcName; /* COLUMN or TABLE.COLUMN if no AS clause and is direct */\n\n#ifndef SQLITE_OMIT_EXPLAIN\n /* If this is an EXPLAIN, skip this step */\n if( pParse->explain ){\n return;\n }\n#endif\n\n if( pParse->colNamesSet ) return;\n /* Column names are determined by the left-most term of a compound select */\n while( pSelect->pPrior ) pSelect = pSelect->pPrior;\n SELECTTRACE(1,pParse,pSelect,(\"generating column names\\n\"));\n pTabList = pSelect->pSrc;\n pEList = pSelect->pEList;\n assert( v!=0 );\n assert( pTabList!=0 );\n pParse->colNamesSet = 1;\n fullName = (db->flags & SQLITE_FullColNames)!=0;\n srcName = (db->flags & SQLITE_ShortColNames)!=0 || fullName;\n sqlite3VdbeSetNumCols(v, pEList->nExpr);\n for(i=0; inExpr; i++){\n Expr *p = 
pEList->a[i].pExpr;\n\n assert( p!=0 );\n assert( p->op!=TK_AGG_COLUMN ); /* Agg processing has not run yet */\n assert( p->op!=TK_COLUMN || p->y.pTab!=0 ); /* Covering idx not yet coded */\n if( pEList->a[i].zName ){\n /* An AS clause always takes first priority */\n char *zName = pEList->a[i].zName;\n sqlite3VdbeSetColName(v, i, COLNAME_NAME, zName, SQLITE_TRANSIENT);\n }else if( srcName && p->op==TK_COLUMN ){\n char *zCol;\n int iCol = p->iColumn;\n pTab = p->y.pTab;\n assert( pTab!=0 );\n if( iCol<0 ) iCol = pTab->iPKey;\n assert( iCol==-1 || (iCol>=0 && iColnCol) );\n if( iCol<0 ){\n zCol = \"rowid\";\n }else{\n zCol = pTab->aCol[iCol].zName;\n }\n if( fullName ){\n char *zName = 0;\n zName = sqlite3MPrintf(db, \"%s.%s\", pTab->zName, zCol);\n sqlite3VdbeSetColName(v, i, COLNAME_NAME, zName, SQLITE_DYNAMIC);\n }else{\n sqlite3VdbeSetColName(v, i, COLNAME_NAME, zCol, SQLITE_TRANSIENT);\n }\n }else{\n const char *z = pEList->a[i].zSpan;\n z = z==0 ? sqlite3MPrintf(db, \"column%d\", i+1) : sqlite3DbStrDup(db, z);\n sqlite3VdbeSetColName(v, i, COLNAME_NAME, z, SQLITE_DYNAMIC);\n }\n }\n generateColumnTypes(pParse, pTabList, pEList);\n}", "project": "sqlite", "hash": 112379949909629365530860804143760654165, "size": 69, "commit_id": "a6c1a71cde082e09750465d5675699062922e387", "message": "Do not attempt to unwind the WITH stack in the Parse object following an error. 
This fixes a separate case to [de6e6d68].\n\nFossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92", "target": 0, "dataset": "other", "idx": 356305 }, { "func": "static void windowAggStep(\n WindowCodeArg *p,\n Window *pMWin, /* Linked list of window functions */\n int csr, /* Read arguments from this cursor */\n int bInverse, /* True to invoke xInverse instead of xStep */\n int reg /* Array of registers */\n){\n Parse *pParse = p->pParse;\n Vdbe *v = sqlite3GetVdbe(pParse);\n Window *pWin;\n for(pWin=pMWin; pWin; pWin=pWin->pNextWin){\n FuncDef *pFunc = pWin->pFunc;\n int regArg;\n int nArg = pWin->bExprArgs ? 0 : windowArgCount(pWin);\n int i;\n\n assert( bInverse==0 || pWin->eStart!=TK_UNBOUNDED );\n\n /* All OVER clauses in the same window function aggregate step must\n ** be the same. */\n assert( pWin==pMWin || sqlite3WindowCompare(pParse,pWin,pMWin,0)==0 );\n\n for(i=0; izName!=nth_valueName ){\n sqlite3VdbeAddOp3(v, OP_Column, csr, pWin->iArgCol+i, reg+i);\n }else{\n sqlite3VdbeAddOp3(v, OP_Column, pMWin->iEphCsr, pWin->iArgCol+i, reg+i);\n }\n }\n regArg = reg;\n\n if( pMWin->regStartRowid==0\n && (pFunc->funcFlags & SQLITE_FUNC_MINMAX) \n && (pWin->eStart!=TK_UNBOUNDED)\n ){\n int addrIsNull = sqlite3VdbeAddOp1(v, OP_IsNull, regArg);\n VdbeCoverage(v);\n if( bInverse==0 ){\n sqlite3VdbeAddOp2(v, OP_AddImm, pWin->regApp+1, 1);\n sqlite3VdbeAddOp2(v, OP_SCopy, regArg, pWin->regApp);\n sqlite3VdbeAddOp3(v, OP_MakeRecord, pWin->regApp, 2, pWin->regApp+2);\n sqlite3VdbeAddOp2(v, OP_IdxInsert, pWin->csrApp, pWin->regApp+2);\n }else{\n sqlite3VdbeAddOp4Int(v, OP_SeekGE, pWin->csrApp, 0, regArg, 1);\n VdbeCoverageNeverTaken(v);\n sqlite3VdbeAddOp1(v, OP_Delete, pWin->csrApp);\n sqlite3VdbeJumpHere(v, sqlite3VdbeCurrentAddr(v)-2);\n }\n sqlite3VdbeJumpHere(v, addrIsNull);\n }else if( pWin->regApp ){\n assert( pFunc->zName==nth_valueName\n || pFunc->zName==first_valueName\n );\n assert( bInverse==0 || bInverse==1 );\n 
sqlite3VdbeAddOp2(v, OP_AddImm, pWin->regApp+1-bInverse, 1);\n }else if( pFunc->xSFunc!=noopStepFunc ){\n int addrIf = 0;\n if( pWin->pFilter ){\n int regTmp;\n assert( pWin->bExprArgs || !nArg ||nArg==pWin->pOwner->x.pList->nExpr );\n assert( pWin->bExprArgs || nArg ||pWin->pOwner->x.pList==0 );\n regTmp = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp3(v, OP_Column, csr, pWin->iArgCol+nArg,regTmp);\n addrIf = sqlite3VdbeAddOp3(v, OP_IfNot, regTmp, 0, 1);\n VdbeCoverage(v);\n sqlite3ReleaseTempReg(pParse, regTmp);\n }\n \n if( pWin->bExprArgs ){\n int iStart = sqlite3VdbeCurrentAddr(v);\n VdbeOp *pOp, *pEnd;\n\n nArg = pWin->pOwner->x.pList->nExpr;\n regArg = sqlite3GetTempRange(pParse, nArg);\n sqlite3ExprCodeExprList(pParse, pWin->pOwner->x.pList, regArg, 0, 0);\n\n pEnd = sqlite3VdbeGetOp(v, -1);\n for(pOp=sqlite3VdbeGetOp(v, iStart); pOp<=pEnd; pOp++){\n if( pOp->opcode==OP_Column && pOp->p1==pWin->iEphCsr ){\n pOp->p1 = csr;\n }\n }\n }\n if( pFunc->funcFlags & SQLITE_FUNC_NEEDCOLL ){\n CollSeq *pColl;\n assert( nArg>0 );\n pColl = sqlite3ExprNNCollSeq(pParse, pWin->pOwner->x.pList->a[0].pExpr);\n sqlite3VdbeAddOp4(v, OP_CollSeq, 0,0,0, (const char*)pColl, P4_COLLSEQ);\n }\n sqlite3VdbeAddOp3(v, bInverse? OP_AggInverse : OP_AggStep, \n bInverse, regArg, pWin->regAccum);\n sqlite3VdbeAppendP4(v, pFunc, P4_FUNCDEF);\n sqlite3VdbeChangeP5(v, (u8)nArg);\n if( pWin->bExprArgs ){\n sqlite3ReleaseTempRange(pParse, regArg, nArg);\n }\n if( addrIf ) sqlite3VdbeJumpHere(v, addrIf);\n }\n }\n}", "project": "sqlite", "hash": 324688043484406341408869432439419382442, "size": 100, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378671 }, { "func": "static SQLITE_NOINLINE void freeP4FuncCtx(sqlite3 *db, sqlite3_context *p){\n freeEphemeralFunction(db, p->pFunc);\n sqlite3DbFreeNN(db, p);\n}", "project": "sqlite", "hash": 91512657649695925202268531647708631372, "size": 4, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378656 }, { "func": "void sqlite3VdbeAddParseSchemaOp(Vdbe *p, int iDb, char *zWhere){\n int j;\n sqlite3VdbeAddOp4(p, OP_ParseSchema, iDb, 0, 0, zWhere, P4_DYNAMIC);\n for(j=0; jdb->nDb; j++) sqlite3VdbeUsesBtree(p, j);\n}", "project": "sqlite", "hash": 196787228532319211208936893458796345668, "size": 5, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378609 }, { "func": "static int codeCompare(\n Parse *pParse, /* The parsing (and code generating) context */\n Expr *pLeft, /* The left operand */\n Expr *pRight, /* The right operand */\n int opcode, /* The comparison opcode */\n int in1, int in2, /* Register holding operands */\n int dest, /* Jump here if true. */\n int jumpIfNull, /* If true, jump if either operand is NULL */\n int isCommuted /* The comparison has been commuted */\n){\n int p5;\n int addr;\n CollSeq *p4;\n\n if( isCommuted ){\n p4 = sqlite3BinaryCompareCollSeq(pParse, pRight, pLeft);\n }else{\n p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);\n }\n p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);\n addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,\n (void*)p4, P4_COLLSEQ);\n sqlite3VdbeChangeP5(pParse->pVdbe, (u8)p5);\n return addr;\n}", "project": "sqlite", "hash": 208208245522129666857516610065395604656, "size": 25, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 1, "dataset": "other", "idx": 206235 }, { "func": "static int codeCompare(\n Parse *pParse, /* The parsing (and code generating) context */\n Expr *pLeft, /* The left operand */\n Expr *pRight, /* The right operand */\n int opcode, /* The comparison opcode */\n int in1, int in2, /* Register holding operands */\n int dest, /* Jump here if true. 
*/\n int jumpIfNull, /* If true, jump if either operand is NULL */\n int isCommuted /* The comparison has been commuted */\n){\n int p5;\n int addr;\n CollSeq *p4;\n\n if( pParse->nErr ) return 0;\n if( isCommuted ){\n p4 = sqlite3BinaryCompareCollSeq(pParse, pRight, pLeft);\n }else{\n p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);\n }\n p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);\n addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,\n (void*)p4, P4_COLLSEQ);\n sqlite3VdbeChangeP5(pParse->pVdbe, (u8)p5);\n return addr;\n}", "project": "sqlite", "hash": 122085921151462389183406220419053423593, "size": 26, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378666 }, { "func": "static void freeEphemeralFunction(sqlite3 *db, FuncDef *pDef){\n if( (pDef->funcFlags & SQLITE_FUNC_EPHEM)!=0 ){\n sqlite3DbFreeNN(db, pDef);\n }\n}", "project": "sqlite", "hash": 205981371089442647570859312893600292656, "size": 5, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378669 }, { "func": "static void resolveP2Values(Vdbe *p, int *pMaxFuncArgs){\n int nMaxArgs = *pMaxFuncArgs;\n Op *pOp;\n Parse *pParse = p->pParse;\n int *aLabel = pParse->aLabel;\n p->readOnly = 1;\n p->bIsReader = 0;\n pOp = &p->aOp[p->nOp-1];\n while(1){\n\n /* Only JUMP opcodes and the short list of special opcodes in the switch\n ** below need to be considered. The mkopcodeh.tcl generator script groups\n ** all these opcodes together near the front of the opcode list. Skip\n ** any opcode that does not need processing by virtual of the fact that\n ** it is larger than SQLITE_MX_JUMP_OPCODE, as a performance optimization.\n */\n if( pOp->opcode<=SQLITE_MX_JUMP_OPCODE ){\n /* NOTE: Be sure to update mkopcodeh.tcl when adding or removing\n ** cases from this switch! */\n switch( pOp->opcode ){\n case OP_Transaction: {\n if( pOp->p2!=0 ) p->readOnly = 0;\n /* fall thru */\n }\n case OP_AutoCommit:\n case OP_Savepoint: {\n p->bIsReader = 1;\n break;\n }\n#ifndef SQLITE_OMIT_WAL\n case OP_Checkpoint:\n#endif\n case OP_Vacuum:\n case OP_JournalMode: {\n p->readOnly = 0;\n p->bIsReader = 1;\n break;\n }\n case OP_Next:\n case OP_SorterNext: {\n pOp->p4.xAdvance = sqlite3BtreeNext;\n pOp->p4type = P4_ADVANCE;\n /* The code generator never codes any of these opcodes as a jump\n ** to a label. They are always coded as a jump backwards to a \n ** known address */\n assert( pOp->p2>=0 );\n break;\n }\n case OP_Prev: {\n pOp->p4.xAdvance = sqlite3BtreePrevious;\n pOp->p4type = P4_ADVANCE;\n /* The code generator never codes any of these opcodes as a jump\n ** to a label. 
They are always coded as a jump backwards to a \n ** known address */\n assert( pOp->p2>=0 );\n break;\n }\n#ifndef SQLITE_OMIT_VIRTUALTABLE\n case OP_VUpdate: {\n if( pOp->p2>nMaxArgs ) nMaxArgs = pOp->p2;\n break;\n }\n case OP_VFilter: {\n int n;\n assert( (pOp - p->aOp) >= 3 );\n assert( pOp[-1].opcode==OP_Integer );\n n = pOp[-1].p1;\n if( n>nMaxArgs ) nMaxArgs = n;\n /* Fall through into the default case */\n }\n#endif\n default: {\n if( pOp->p2<0 ){\n /* The mkopcodeh.tcl script has so arranged things that the only\n ** non-jump opcodes less than SQLITE_MX_JUMP_CODE are guaranteed to\n ** have non-negative values for P2. */\n assert( (sqlite3OpcodeProperty[pOp->opcode] & OPFLG_JUMP)!=0 );\n assert( ADDR(pOp->p2)<-pParse->nLabel );\n pOp->p2 = aLabel[ADDR(pOp->p2)];\n }\n break;\n }\n }\n /* The mkopcodeh.tcl script has so arranged things that the only\n ** non-jump opcodes less than SQLITE_MX_JUMP_CODE are guaranteed to\n ** have non-negative values for P2. */\n assert( (sqlite3OpcodeProperty[pOp->opcode]&OPFLG_JUMP)==0 || pOp->p2>=0);\n }\n if( pOp==p->aOp ) break;\n pOp--;\n }\n sqlite3DbFree(p->db, pParse->aLabel);\n pParse->aLabel = 0;\n pParse->nLabel = 0;\n *pMaxFuncArgs = nMaxArgs;\n assert( p->bIsReader!=0 || DbMaskAllZero(p->btreeMask) );\n}", "project": "sqlite", "hash": 311527377953818842833234356344433600602, "size": 97, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378582 }, { "func": "int sqlite3JoinType(Parse *pParse, Token *pA, Token *pB, Token *pC){\n int jointype = 0;\n Token *apAll[3];\n Token *p;\n /* 0123456789 123456789 123456789 123 */\n static const char zKeyText[] = \"naturaleftouterightfullinnercross\";\n static const struct {\n u8 i; /* Beginning of keyword text in zKeyText[] */\n u8 nChar; /* Length of the keyword in characters */\n u8 code; /* Join type mask */\n } aKeyword[] = {\n /* natural */ { 0, 7, JT_NATURAL },\n /* left */ { 6, 4, JT_LEFT|JT_OUTER },\n /* outer */ { 10, 5, JT_OUTER },\n /* right */ { 14, 5, JT_RIGHT|JT_OUTER },\n /* full */ { 19, 4, JT_LEFT|JT_RIGHT|JT_OUTER },\n /* inner */ { 23, 5, JT_INNER },\n /* cross */ { 28, 5, JT_INNER|JT_CROSS },\n };\n int i, j;\n apAll[0] = pA;\n apAll[1] = pB;\n apAll[2] = pC;\n for(i=0; i<3 && apAll[i]; i++){\n p = apAll[i];\n for(j=0; jn==aKeyword[j].nChar \n && sqlite3StrNICmp((char*)p->z, &zKeyText[aKeyword[j].i], p->n)==0 ){\n jointype |= aKeyword[j].code;\n break;\n }\n }\n testcase( j==0 || j==1 || j==2 || j==3 || j==4 || j==5 || j==6 );\n if( j>=ArraySize(aKeyword) ){\n jointype |= JT_ERROR;\n break;\n }\n }\n if(\n (jointype & (JT_INNER|JT_OUTER))==(JT_INNER|JT_OUTER) ||\n (jointype & JT_ERROR)!=0\n ){\n const char *zSp = \" \";\n assert( pB!=0 );\n if( pC==0 ){ zSp++; }\n sqlite3ErrorMsg(pParse, \"unknown or unsupported join type: \"\n \"%T %T%s%T\", pA, pB, zSp, pC);\n jointype = JT_INNER;\n }else if( (jointype & JT_OUTER)!=0 \n && (jointype & (JT_LEFT|JT_RIGHT))!=JT_LEFT ){\n sqlite3ErrorMsg(pParse, \n \"RIGHT and FULL OUTER JOINs are not currently supported\");\n jointype = JT_INNER;\n }\n return jointype;\n}", "project": "sqlite", "hash": 73963102399259539455438967763837091191, "size": 56, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", 
"message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246163 }, { "func": "void sqlite3ExprCodeMove(Parse *pParse, int iFrom, int iTo, int nReg){\n sqlite3VdbeAddOp3(pParse->pVdbe, OP_Move, iFrom, iTo, nReg);\n}", "project": "sqlite", "hash": 60082139255478772449545744596810528035, "size": 3, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378586 }, { "func": "int sqlite3VdbeReset(Vdbe *p){\n#if defined(SQLITE_DEBUG) || defined(VDBE_PROFILE)\n int i;\n#endif\n\n sqlite3 *db;\n db = p->db;\n\n /* If the VM did not run to completion or if it encountered an\n ** error, then it might not have been halted properly. So halt\n ** it now.\n */\n sqlite3VdbeHalt(p);\n\n /* If the VDBE has been run even partially, then transfer the error code\n ** and error message from the VDBE into the main database structure. But\n ** if the VDBE has just been set to run but has not actually executed any\n ** instructions yet, leave the main database error information unchanged.\n */\n if( p->pc>=0 ){\n vdbeInvokeSqllog(p);\n sqlite3VdbeTransferError(p);\n if( p->runOnlyOnce ) p->expired = 1;\n }else if( p->rc && p->expired ){\n /* The expired flag was set on the VDBE before the first call\n ** to sqlite3_step(). 
For consistency (since sqlite3_step() was\n ** called), set the database error in this case as well.\n */\n sqlite3ErrorWithMsg(db, p->rc, p->zErrMsg ? \"%s\" : 0, p->zErrMsg);\n }\n\n /* Reset register contents and reclaim error message memory.\n */\n#ifdef SQLITE_DEBUG\n /* Execute assert() statements to ensure that the Vdbe.apCsr[] and \n ** Vdbe.aMem[] arrays have already been cleaned up. */\n if( p->apCsr ) for(i=0; inCursor; i++) assert( p->apCsr[i]==0 );\n if( p->aMem ){\n for(i=0; inMem; i++) assert( p->aMem[i].flags==MEM_Undefined );\n }\n#endif\n sqlite3DbFree(db, p->zErrMsg);\n p->zErrMsg = 0;\n p->pResultSet = 0;\n#ifdef SQLITE_DEBUG\n p->nWrite = 0;\n#endif\n\n /* Save profiling information from this VDBE run.\n */\n#ifdef VDBE_PROFILE\n {\n FILE *out = fopen(\"vdbe_profile.out\", \"a\");\n if( out ){\n fprintf(out, \"---- \");\n for(i=0; inOp; i++){\n fprintf(out, \"%02x\", p->aOp[i].opcode);\n }\n fprintf(out, \"\\n\");\n if( p->zSql ){\n char c, pc = 0;\n fprintf(out, \"-- \");\n for(i=0; (c = p->zSql[i])!=0; i++){\n if( pc=='\\n' ) fprintf(out, \"-- \");\n putc(c, out);\n pc = c;\n }\n if( pc!='\\n' ) fprintf(out, \"\\n\");\n }\n for(i=0; inOp; i++){\n char zHdr[100];\n sqlite3_snprintf(sizeof(zHdr), zHdr, \"%6u %12llu %8llu \",\n p->aOp[i].cnt,\n p->aOp[i].cycles,\n p->aOp[i].cnt>0 ? p->aOp[i].cycles/p->aOp[i].cnt : 0\n );\n fprintf(out, \"%s\", zHdr);\n sqlite3VdbePrintOp(out, i, &p->aOp[i]);\n }\n fclose(out);\n }\n }\n#endif\n p->magic = VDBE_MAGIC_RESET;\n return p->rc & db->errMask;\n}", "project": "sqlite", "hash": 21795549376148766472473542460312036735, "size": 86, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378490 }, { "func": "static void windowCheckValue(Parse *pParse, int reg, int eCond){\n static const char *azErr[] = {\n \"frame starting offset must be a non-negative integer\",\n \"frame ending offset must be a non-negative integer\",\n \"second argument to nth_value must be a positive integer\",\n \"frame starting offset must be a non-negative number\",\n \"frame ending offset must be a non-negative number\",\n };\n static int aOp[] = { OP_Ge, OP_Ge, OP_Gt, OP_Ge, OP_Ge };\n Vdbe *v = sqlite3GetVdbe(pParse);\n int regZero = sqlite3GetTempReg(pParse);\n assert( eCond>=0 && eCond=WINDOW_STARTING_NUM ){\n int regString = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp4(v, OP_String8, 0, regString, 0, \"\", P4_STATIC);\n sqlite3VdbeAddOp3(v, OP_Ge, regString, sqlite3VdbeCurrentAddr(v)+2, reg);\n sqlite3VdbeChangeP5(v, SQLITE_AFF_NUMERIC|SQLITE_JUMPIFNULL);\n VdbeCoverage(v);\n assert( eCond==3 || eCond==4 );\n VdbeCoverageIf(v, eCond==3);\n VdbeCoverageIf(v, eCond==4);\n }else{\n sqlite3VdbeAddOp2(v, OP_MustBeInt, reg, sqlite3VdbeCurrentAddr(v)+2);\n VdbeCoverage(v);\n assert( eCond==0 || eCond==1 || eCond==2 );\n VdbeCoverageIf(v, eCond==0);\n VdbeCoverageIf(v, eCond==1);\n VdbeCoverageIf(v, eCond==2);\n }\n sqlite3VdbeAddOp3(v, aOp[eCond], regZero, sqlite3VdbeCurrentAddr(v)+2, reg);\n VdbeCoverageNeverNullIf(v, eCond==0); /* NULL case captured by */\n VdbeCoverageNeverNullIf(v, eCond==1); /* the OP_MustBeInt */\n VdbeCoverageNeverNullIf(v, eCond==2);\n VdbeCoverageNeverNullIf(v, eCond==3); /* NULL case caught by */\n VdbeCoverageNeverNullIf(v, eCond==4); /* the OP_Ge */\n sqlite3MayAbort(pParse);\n sqlite3VdbeAddOp2(v, OP_Halt, SQLITE_ERROR, OE_Abort);\n sqlite3VdbeAppendP4(v, (void*)azErr[eCond], P4_STATIC);\n sqlite3ReleaseTempReg(pParse, regZero);\n}", "project": "sqlite", 
"hash": 159768797761402211756493815192602950614, "size": 41, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378663 }, { "func": "static void freeP4(sqlite3 *db, int p4type, void *p4){\n assert( db );\n switch( p4type ){\n case P4_FUNCCTX: {\n freeP4FuncCtx(db, (sqlite3_context*)p4);\n break;\n }\n case P4_REAL:\n case P4_INT64:\n case P4_DYNAMIC:\n case P4_DYNBLOB:\n case P4_INTARRAY: {\n sqlite3DbFree(db, p4);\n break;\n }\n case P4_KEYINFO: {\n if( db->pnBytesFreed==0 ) sqlite3KeyInfoUnref((KeyInfo*)p4);\n break;\n }\n#ifdef SQLITE_ENABLE_CURSOR_HINTS\n case P4_EXPR: {\n sqlite3ExprDelete(db, (Expr*)p4);\n break;\n }\n#endif\n case P4_FUNCDEF: {\n freeEphemeralFunction(db, (FuncDef*)p4);\n break;\n }\n case P4_MEM: {\n if( db->pnBytesFreed==0 ){\n sqlite3ValueFree((sqlite3_value*)p4);\n }else{\n freeP4Mem(db, (Mem*)p4);\n }\n break;\n }\n case P4_VTAB : {\n if( db->pnBytesFreed==0 ) sqlite3VtabUnlock((VTable *)p4);\n break;\n }\n }\n}", "project": "sqlite", "hash": 67956437178859488798311495411835773781, "size": 43, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378588 }, { "func": "static SQLITE_NOINLINE void vdbeLeave(Vdbe *p){\n int i;\n sqlite3 *db;\n Db *aDb;\n int nDb;\n db = p->db;\n aDb = db->aDb;\n nDb = db->nDb;\n for(i=0; ilockMask,i) && ALWAYS(aDb[i].pBt!=0) ){\n sqlite3BtreeLeave(aDb[i].pBt);\n }\n }\n}", "project": "sqlite", "hash": 184492647137948491509329784354041646380, "size": 14, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378673 }, { "func": "static void explainTempTable(Parse *pParse, const char *zUsage){\n ExplainQueryPlan((pParse, 0, \"USE TEMP B-TREE FOR %s\", zUsage));\n}", "project": "sqlite", "hash": 258688633736462082785573378314076744620, "size": 3, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246201 }, { "func": "static int tableAndColumnIndex(\n SrcList *pSrc, /* Array of tables to search */\n int N, /* Number of tables in pSrc->a[] to search */\n const char *zCol, /* Name of the column we are looking for */\n int *piTab, /* Write index of pSrc->a[] here */\n int *piCol, /* Write index of pSrc->a[*piTab].pTab->aCol[] here */\n int bIgnoreHidden /* True to ignore hidden columns */\n){\n int i; /* 
For looping over tables in pSrc */\n int iCol; /* Index of column matching zCol */\n\n assert( (piTab==0)==(piCol==0) ); /* Both or neither are NULL */\n for(i=0; ia[i].pTab, zCol);\n if( iCol>=0 \n && (bIgnoreHidden==0 || IsHiddenColumn(&pSrc->a[i].pTab->aCol[iCol])==0)\n ){\n if( piTab ){\n *piTab = i;\n *piCol = iCol;\n }\n return 1;\n }\n }\n return 0;\n}", "project": "sqlite", "hash": 226207691798299141626952164944358471810, "size": 26, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246161 }, { "func": "static int propagateConstants(\n Parse *pParse, /* The parsing context */\n Select *p /* The query in which to propagate constants */\n){\n WhereConst x;\n Walker w;\n int nChng = 0;\n x.pParse = pParse;\n do{\n x.nConst = 0;\n x.nChng = 0;\n x.apExpr = 0;\n findConstInWhere(&x, p->pWhere);\n if( x.nConst ){\n memset(&w, 0, sizeof(w));\n w.pParse = pParse;\n w.xExprCallback = propagateConstantExprRewrite;\n w.xSelectCallback = sqlite3SelectWalkNoop;\n w.xSelectCallback2 = 0;\n w.walkerDepth = 0;\n w.u.pConst = &x;\n sqlite3WalkExpr(&w, p->pWhere);\n sqlite3DbFree(x.pParse->db, x.apExpr);\n nChng += x.nChng;\n }\n }while( x.nChng ); \n return nChng;\n}", "project": "sqlite", "hash": 201929972886979063588654790320360907106, "size": 28, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246128 }, { "func": "static void vdbeInvokeSqllog(Vdbe *v){\n if( sqlite3GlobalConfig.xSqllog && v->rc==SQLITE_OK && v->zSql && v->pc>=0 ){\n char *zExpanded = sqlite3VdbeExpandSql(v, v->zSql);\n assert( v->db->init.busy==0 );\n if( zExpanded ){\n 
sqlite3GlobalConfig.xSqllog(\n sqlite3GlobalConfig.pSqllogArg, v->db, zExpanded, 1\n );\n sqlite3DbFree(v->db, zExpanded);\n }\n }\n}", "project": "sqlite", "hash": 36413446740928434422920850832688486433, "size": 12, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378578 }, { "func": "static void closeAllCursors(Vdbe *p){\n if( p->pFrame ){\n VdbeFrame *pFrame;\n for(pFrame=p->pFrame; pFrame->pParent; pFrame=pFrame->pParent);\n sqlite3VdbeFrameRestore(pFrame);\n p->pFrame = 0;\n p->nFrame = 0;\n }\n assert( p->nFrame==0 );\n closeCursorsInFrame(p);\n if( p->aMem ){\n releaseMemArray(p->aMem, p->nMem);\n }\n while( p->pDelFrame ){\n VdbeFrame *pDel = p->pDelFrame;\n p->pDelFrame = pDel->pParent;\n sqlite3VdbeFrameDelete(pDel);\n }\n\n /* Delete any auxdata allocations made by the VM */\n if( p->pAuxData ) sqlite3VdbeDeleteAuxData(p->db, &p->pAuxData, -1, 0);\n assert( p->pAuxData==0 );\n}", "project": "sqlite", "hash": 12617066934658000557312566973790796665, "size": 23, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378622 }, { "func": "static void generateColumnTypes(\n Parse *pParse, /* Parser context */\n SrcList *pTabList, /* List of tables */\n ExprList *pEList /* Expressions defining the result set */\n){\n#ifndef SQLITE_OMIT_DECLTYPE\n Vdbe *v = pParse->pVdbe;\n int i;\n NameContext sNC;\n sNC.pSrcList = pTabList;\n sNC.pParse = pParse;\n sNC.pNext = 0;\n for(i=0; inExpr; i++){\n Expr *p = pEList->a[i].pExpr;\n const char *zType;\n#ifdef SQLITE_ENABLE_COLUMN_METADATA\n const char *zOrigDb = 0;\n const char *zOrigTab = 0;\n const char *zOrigCol = 0;\n zType = columnType(&sNC, p, &zOrigDb, &zOrigTab, &zOrigCol);\n\n /* The vdbe must make its own copy of the column-type and other \n ** column specific strings, in case the schema is reset before this\n ** virtual machine is deleted.\n */\n sqlite3VdbeSetColName(v, i, COLNAME_DATABASE, zOrigDb, SQLITE_TRANSIENT);\n sqlite3VdbeSetColName(v, i, COLNAME_TABLE, zOrigTab, SQLITE_TRANSIENT);\n sqlite3VdbeSetColName(v, i, COLNAME_COLUMN, zOrigCol, SQLITE_TRANSIENT);\n#else\n zType = columnType(&sNC, p, 0, 0, 0);\n#endif\n sqlite3VdbeSetColName(v, i, COLNAME_DECLTYPE, zType, SQLITE_TRANSIENT);\n }\n#endif /* !defined(SQLITE_OMIT_DECLTYPE) */\n}", "project": "sqlite", "hash": 126855746002451384494536231980555310253, "size": 35, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246171 }, { "func": "static void selectExprDefer(\n Parse *pParse, /* Leave any error here */\n SortCtx *pSort, /* Sorter context */\n ExprList *pEList, /* Expressions destined for sorter */\n ExprList **ppExtra /* Expressions to append to sorter record */\n){\n 
int i;\n int nDefer = 0;\n ExprList *pExtra = 0;\n for(i=0; inExpr; i++){\n struct ExprList_item *pItem = &pEList->a[i];\n if( pItem->u.x.iOrderByCol==0 ){\n Expr *pExpr = pItem->pExpr;\n Table *pTab = pExpr->y.pTab;\n if( pExpr->op==TK_COLUMN && pExpr->iColumn>=0 && pTab && !IsVirtual(pTab)\n && (pTab->aCol[pExpr->iColumn].colFlags & COLFLAG_SORTERREF)\n ){\n int j;\n for(j=0; jaDefer[j].iCsr==pExpr->iTable ) break;\n }\n if( j==nDefer ){\n if( nDefer==ArraySize(pSort->aDefer) ){\n continue;\n }else{\n int nKey = 1;\n int k;\n Index *pPk = 0;\n if( !HasRowid(pTab) ){\n pPk = sqlite3PrimaryKeyIndex(pTab);\n nKey = pPk->nKeyCol;\n }\n for(k=0; kiTable = pExpr->iTable;\n pNew->y.pTab = pExpr->y.pTab;\n pNew->iColumn = pPk ? pPk->aiColumn[k] : -1;\n pExtra = sqlite3ExprListAppend(pParse, pExtra, pNew);\n }\n }\n pSort->aDefer[nDefer].pTab = pExpr->y.pTab;\n pSort->aDefer[nDefer].iCsr = pExpr->iTable;\n pSort->aDefer[nDefer].nKey = nKey;\n nDefer++;\n }\n }\n pItem->bSorterRef = 1;\n }\n }\n }\n pSort->nDefer = (u8)nDefer;\n *ppExtra = pExtra;\n}", "project": "sqlite", "hash": 101798145243218946619393059416869511961, "size": 54, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246146 }, { "func": "void sqlite3VdbeJumpHere(Vdbe *p, int addr){\n sqlite3VdbeChangeP2(p, addr, p->nOp);\n}", "project": "sqlite", "hash": 336826960800841917652092166220209510187, "size": 3, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378633 }, { "func": "int sqlite3VdbeCurrentAddr(Vdbe *p){\n assert( p->magic==VDBE_MAGIC_INIT );\n return p->nOp;\n}", "project": "sqlite", "hash": 31950536446388317424303299122495763246, "size": 4, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378517 }, { "func": "int sqlite3KeyInfoIsWriteable(KeyInfo *p){ return p->nRef==1; }", "project": "sqlite", "hash": 51614606130873707315754956497822586331, "size": 1, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246193 }, { "func": "static void checkActiveVdbeCnt(sqlite3 *db){\n Vdbe *p;\n int cnt = 0;\n int nWrite = 0;\n int nRead = 0;\n p = db->pVdbe;\n while( p ){\n if( sqlite3_stmt_busy((sqlite3_stmt*)p) ){\n cnt++;\n if( p->readOnly==0 ) nWrite++;\n if( p->bIsReader ) nRead++;\n }\n p = p->pNext;\n }\n assert( cnt==db->nVdbeActive );\n assert( nWrite==db->nVdbeWrite );\n assert( nRead==db->nVdbeRead );\n}", "project": "sqlite", "hash": 123325776858035512847229247631944290050, "size": 18, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window 
functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378590 }, { "func": "int sqlite3VdbeDeletePriorOpcode(Vdbe *p, u8 op){\n if( p->nOp>0 && p->aOp[p->nOp-1].opcode==op ){\n return sqlite3VdbeChangeToNoop(p, p->nOp-1);\n }else{\n return 0;\n }\n}", "project": "sqlite", "hash": 335985366607558702688199177784514949151, "size": 7, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378615 }, { "func": "int sqlite3WindowCompare(Parse *pParse, Window *p1, Window *p2, int bFilter){\n if( NEVER(p1==0) || NEVER(p2==0) ) return 1;\n if( p1->eFrmType!=p2->eFrmType ) return 1;\n if( p1->eStart!=p2->eStart ) return 1;\n if( p1->eEnd!=p2->eEnd ) return 1;\n if( p1->eExclude!=p2->eExclude ) return 1;\n if( sqlite3ExprCompare(pParse, p1->pStart, p2->pStart, -1) ) return 1;\n if( sqlite3ExprCompare(pParse, p1->pEnd, p2->pEnd, -1) ) return 1;\n if( sqlite3ExprListCompare(p1->pPartition, p2->pPartition, -1) ) return 1;\n if( sqlite3ExprListCompare(p1->pOrderBy, p2->pOrderBy, -1) ) return 1;\n if( bFilter ){\n if( sqlite3ExprCompare(pParse, p1->pFilter, p2->pFilter, -1) ) return 1;\n }\n return 0;\n}", "project": "sqlite", "hash": 245013182368875148128994097138996218831, "size": 15, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378661 }, { "func": "static void SQLITE_NOINLINE vdbeChangeP4Full(\n Vdbe *p,\n Op *pOp,\n const char *zP4,\n int n\n){\n if( pOp->p4type ){\n freeP4(p->db, pOp->p4type, pOp->p4.p);\n pOp->p4type = 0;\n pOp->p4.p = 0;\n }\n if( n<0 ){\n sqlite3VdbeChangeP4(p, (int)(pOp - p->aOp), zP4, n);\n }else{\n if( n==0 ) n = sqlite3Strlen30(zP4);\n pOp->p4.z = sqlite3DbStrNDup(p->db, zP4, n);\n pOp->p4type = P4_DYNAMIC;\n }\n}", "project": "sqlite", "hash": 34401579850344821074916759484059217701, "size": 19, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378510 }, { "func": "int sqlite3VdbeHalt(Vdbe *p){\n int rc; /* Used to store transient return codes */\n sqlite3 *db = p->db;\n\n /* This function contains the logic that determines if a statement or\n ** transaction will be committed or rolled back as a result of the\n ** execution of this virtual machine. \n **\n ** If any of the following errors occur:\n **\n ** SQLITE_NOMEM\n ** SQLITE_IOERR\n ** SQLITE_FULL\n ** SQLITE_INTERRUPT\n **\n ** Then the internal cache might have been left in an inconsistent\n ** state. 
We need to rollback the statement transaction, if there is\n ** one, or the complete transaction if there is no statement transaction.\n */\n\n if( p->magic!=VDBE_MAGIC_RUN ){\n return SQLITE_OK;\n }\n if( db->mallocFailed ){\n p->rc = SQLITE_NOMEM_BKPT;\n }\n closeAllCursors(p);\n checkActiveVdbeCnt(db);\n\n /* No commit or rollback needed if the program never started or if the\n ** SQL statement does not read or write a database file. */\n if( p->pc>=0 && p->bIsReader ){\n int mrc; /* Primary error code from p->rc */\n int eStatementOp = 0;\n int isSpecialError; /* Set to true if a 'special' error */\n\n /* Lock all btrees used by the statement */\n sqlite3VdbeEnter(p);\n\n /* Check for one of the special errors */\n mrc = p->rc & 0xff;\n isSpecialError = mrc==SQLITE_NOMEM || mrc==SQLITE_IOERR\n || mrc==SQLITE_INTERRUPT || mrc==SQLITE_FULL;\n if( isSpecialError ){\n /* If the query was read-only and the error code is SQLITE_INTERRUPT, \n ** no rollback is necessary. Otherwise, at least a savepoint \n ** transaction must be rolled back to restore the database to a \n ** consistent state.\n **\n ** Even if the statement is read-only, it is important to perform\n ** a statement or transaction rollback operation. If the error \n ** occurred while writing to the journal, sub-journal or database\n ** file as part of an effort to free up cache space (see function\n ** pagerStress() in pager.c), the rollback is required to restore \n ** the pager to a consistent state.\n */\n if( !p->readOnly || mrc!=SQLITE_INTERRUPT ){\n if( (mrc==SQLITE_NOMEM || mrc==SQLITE_FULL) && p->usesStmtJournal ){\n eStatementOp = SAVEPOINT_ROLLBACK;\n }else{\n /* We are forced to roll back the active transaction. Before doing\n ** so, abort any other statements this handle currently has active.\n */\n sqlite3RollbackAll(db, SQLITE_ABORT_ROLLBACK);\n sqlite3CloseSavepoints(db);\n db->autoCommit = 1;\n p->nChange = 0;\n }\n }\n }\n\n /* Check for immediate foreign key violations. 
*/\n if( p->rc==SQLITE_OK || (p->errorAction==OE_Fail && !isSpecialError) ){\n sqlite3VdbeCheckFk(p, 0);\n }\n \n /* If the auto-commit flag is set and this is the only active writer \n ** VM, then we do either a commit or rollback of the current transaction. \n **\n ** Note: This block also runs if one of the special errors handled \n ** above has occurred. \n */\n if( !sqlite3VtabInSync(db) \n && db->autoCommit \n && db->nVdbeWrite==(p->readOnly==0) \n ){\n if( p->rc==SQLITE_OK || (p->errorAction==OE_Fail && !isSpecialError) ){\n rc = sqlite3VdbeCheckFk(p, 1);\n if( rc!=SQLITE_OK ){\n if( NEVER(p->readOnly) ){\n sqlite3VdbeLeave(p);\n return SQLITE_ERROR;\n }\n rc = SQLITE_CONSTRAINT_FOREIGNKEY;\n }else{ \n /* The auto-commit flag is true, the vdbe program was successful \n ** or hit an 'OR FAIL' constraint and there are no deferred foreign\n ** key constraints to hold up the transaction. This means a commit \n ** is required. */\n rc = vdbeCommit(db, p);\n }\n if( rc==SQLITE_BUSY && p->readOnly ){\n sqlite3VdbeLeave(p);\n return SQLITE_BUSY;\n }else if( rc!=SQLITE_OK ){\n p->rc = rc;\n sqlite3RollbackAll(db, SQLITE_OK);\n p->nChange = 0;\n }else{\n db->nDeferredCons = 0;\n db->nDeferredImmCons = 0;\n db->flags &= ~(u64)SQLITE_DeferFKs;\n sqlite3CommitInternalChanges(db);\n }\n }else{\n sqlite3RollbackAll(db, SQLITE_OK);\n p->nChange = 0;\n }\n db->nStatement = 0;\n }else if( eStatementOp==0 ){\n if( p->rc==SQLITE_OK || p->errorAction==OE_Fail ){\n eStatementOp = SAVEPOINT_RELEASE;\n }else if( p->errorAction==OE_Abort ){\n eStatementOp = SAVEPOINT_ROLLBACK;\n }else{\n sqlite3RollbackAll(db, SQLITE_ABORT_ROLLBACK);\n sqlite3CloseSavepoints(db);\n db->autoCommit = 1;\n p->nChange = 0;\n }\n }\n \n /* If eStatementOp is non-zero, then a statement transaction needs to\n ** be committed or rolled back. Call sqlite3VdbeCloseStatement() to\n ** do so. 
If this operation returns an error, and the current statement\n ** error code is SQLITE_OK or SQLITE_CONSTRAINT, then promote the\n ** current statement error code.\n */\n if( eStatementOp ){\n rc = sqlite3VdbeCloseStatement(p, eStatementOp);\n if( rc ){\n if( p->rc==SQLITE_OK || (p->rc&0xff)==SQLITE_CONSTRAINT ){\n p->rc = rc;\n sqlite3DbFree(db, p->zErrMsg);\n p->zErrMsg = 0;\n }\n sqlite3RollbackAll(db, SQLITE_ABORT_ROLLBACK);\n sqlite3CloseSavepoints(db);\n db->autoCommit = 1;\n p->nChange = 0;\n }\n }\n \n /* If this was an INSERT, UPDATE or DELETE and no statement transaction\n ** has been rolled back, update the database connection change-counter. \n */\n if( p->changeCntOn ){\n if( eStatementOp!=SAVEPOINT_ROLLBACK ){\n sqlite3VdbeSetChanges(db, p->nChange);\n }else{\n sqlite3VdbeSetChanges(db, 0);\n }\n p->nChange = 0;\n }\n\n /* Release the locks */\n sqlite3VdbeLeave(p);\n }\n\n /* We have successfully halted and closed the VM. Record this fact. */\n if( p->pc>=0 ){\n db->nVdbeActive--;\n if( !p->readOnly ) db->nVdbeWrite--;\n if( p->bIsReader ) db->nVdbeRead--;\n assert( db->nVdbeActive>=db->nVdbeRead );\n assert( db->nVdbeRead>=db->nVdbeWrite );\n assert( db->nVdbeWrite>=0 );\n }\n p->magic = VDBE_MAGIC_HALT;\n checkActiveVdbeCnt(db);\n if( db->mallocFailed ){\n p->rc = SQLITE_NOMEM_BKPT;\n }\n\n /* If the auto-commit flag is set to true, then any locks that were held\n ** by connection db have now been released. Call sqlite3ConnectionUnlocked() \n ** to invoke any required unlock-notify callbacks.\n */\n if( db->autoCommit ){\n sqlite3ConnectionUnlocked(db);\n }\n\n assert( db->nVdbeActive>0 || db->autoCommit==0 || db->nStatement==0 );\n return (p->rc==SQLITE_BUSY ? 
SQLITE_BUSY : SQLITE_OK);\n}", "project": "sqlite", "hash": 209917992319456888129254375907644224509, "size": 195, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378594 }, { "func": "static int makeSorterRecord(\n Parse *pParse,\n SortCtx *pSort,\n Select *pSelect,\n int regBase,\n int nBase\n){\n int nOBSat = pSort->nOBSat;\n Vdbe *v = pParse->pVdbe;\n int regOut = ++pParse->nMem;\n if( pSort->pDeferredRowLoad ){\n innerLoopLoadRow(pParse, pSelect, pSort->pDeferredRowLoad);\n }\n sqlite3VdbeAddOp3(v, OP_MakeRecord, regBase+nOBSat, nBase-nOBSat, regOut);\n return regOut;\n}", "project": "sqlite", "hash": 10208224769871263822661795391361440543, "size": 16, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246142 }, { "func": "int sqlite3VdbeAddOp4Dup8(\n Vdbe *p, /* Add the opcode to this VM */\n int op, /* The new opcode */\n int p1, /* The P1 operand */\n int p2, /* The P2 operand */\n int p3, /* The P3 operand */\n const u8 *zP4, /* The P4 operand */\n int p4type /* P4 operand type */\n){\n char *p4copy = sqlite3DbMallocRawNN(sqlite3VdbeDb(p), 8);\n if( p4copy ) memcpy(p4copy, zP4, 8);\n return sqlite3VdbeAddOp4(p, op, p1, p2, p3, p4copy, p4type);\n}", "project": "sqlite", "hash": 228507271927841016455668532383045719535, "size": 13, "commit_id": 
"8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378583 }, { "func": "int sqlite3VdbeAddOp0(Vdbe *p, int op){\n return sqlite3VdbeAddOp3(p, op, 0, 0, 0);\n}", "project": "sqlite", "hash": 2639822107341081985899195863556212559, "size": 3, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378545 }, { "func": "static SQLITE_NOINLINE void freeP4Mem(sqlite3 *db, Mem *p){\n if( p->szMalloc ) sqlite3DbFree(db, p->zMalloc);\n sqlite3DbFreeNN(db, p);\n}", "project": "sqlite", "hash": 251574117487282742152352249259675147533, "size": 4, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378602 }, { "func": "void sqlite3SelectDelete(sqlite3 *db, Select *p){\n if( OK_IF_ALWAYS_TRUE(p) ) clearSelect(db, p, 1);\n}", "project": "sqlite", "hash": 204423012976590035940130129712684912272, "size": 3, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246204 }, { "func": "static int flattenSubquery(\n Parse *pParse, /* Parsing context */\n Select *p, /* The parent or outer SELECT statement */\n int iFrom, /* Index in p->pSrc->a[] of the inner subquery */\n int isAgg /* True if outer SELECT uses aggregate functions */\n){\n const char *zSavedAuthContext = pParse->zAuthContext;\n Select *pParent; /* Current UNION ALL term of the other query */\n Select *pSub; /* The inner query or \"subquery\" */\n Select *pSub1; /* Pointer to the rightmost select in sub-query */\n SrcList *pSrc; /* The FROM clause of the outer query */\n SrcList *pSubSrc; /* The FROM clause of the subquery */\n int iParent; /* VDBE cursor number of the pSub result set temp table */\n int iNewParent = -1;/* Replacement table for iParent */\n int isLeftJoin = 0; /* True if pSub is the right side of a LEFT JOIN */ \n int i; /* Loop counter */\n Expr *pWhere; /* The WHERE clause */\n struct SrcList_item *pSubitem; /* The subquery */\n sqlite3 *db = pParse->db;\n\n /* Check to see if flattening is permitted. 
Return 0 if not.\n */\n assert( p!=0 );\n assert( p->pPrior==0 );\n if( OptimizationDisabled(db, SQLITE_QueryFlattener) ) return 0;\n pSrc = p->pSrc;\n assert( pSrc && iFrom>=0 && iFromnSrc );\n pSubitem = &pSrc->a[iFrom];\n iParent = pSubitem->iCursor;\n pSub = pSubitem->pSelect;\n assert( pSub!=0 );\n\n#ifndef SQLITE_OMIT_WINDOWFUNC\n if( p->pWin || pSub->pWin ) return 0; /* Restriction (25) */\n#endif\n\n pSubSrc = pSub->pSrc;\n assert( pSubSrc );\n /* Prior to version 3.1.2, when LIMIT and OFFSET had to be simple constants,\n ** not arbitrary expressions, we allowed some combining of LIMIT and OFFSET\n ** because they could be computed at compile-time. But when LIMIT and OFFSET\n ** became arbitrary expressions, we were forced to add restrictions (13)\n ** and (14). */\n if( pSub->pLimit && p->pLimit ) return 0; /* Restriction (13) */\n if( pSub->pLimit && pSub->pLimit->pRight ) return 0; /* Restriction (14) */\n if( (p->selFlags & SF_Compound)!=0 && pSub->pLimit ){\n return 0; /* Restriction (15) */\n }\n if( pSubSrc->nSrc==0 ) return 0; /* Restriction (7) */\n if( pSub->selFlags & SF_Distinct ) return 0; /* Restriction (4) */\n if( pSub->pLimit && (pSrc->nSrc>1 || isAgg) ){\n return 0; /* Restrictions (8)(9) */\n }\n if( p->pOrderBy && pSub->pOrderBy ){\n return 0; /* Restriction (11) */\n }\n if( isAgg && pSub->pOrderBy ) return 0; /* Restriction (16) */\n if( pSub->pLimit && p->pWhere ) return 0; /* Restriction (19) */\n if( pSub->pLimit && (p->selFlags & SF_Distinct)!=0 ){\n return 0; /* Restriction (21) */\n }\n if( pSub->selFlags & (SF_Recursive) ){\n return 0; /* Restrictions (22) */\n }\n\n /*\n ** If the subquery is the right operand of a LEFT JOIN, then the\n ** subquery may not be a join itself (3a). 
Example of why this is not\n ** allowed:\n **\n ** t1 LEFT OUTER JOIN (t2 JOIN t3)\n **\n ** If we flatten the above, we would get\n **\n ** (t1 LEFT OUTER JOIN t2) JOIN t3\n **\n ** which is not at all the same thing.\n **\n ** If the subquery is the right operand of a LEFT JOIN, then the outer\n ** query cannot be an aggregate. (3c) This is an artifact of the way\n ** aggregates are processed - there is no mechanism to determine if\n ** the LEFT JOIN table should be all-NULL.\n **\n ** See also tickets #306, #350, and #3300.\n */\n if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){\n isLeftJoin = 1;\n if( pSubSrc->nSrc>1 || isAgg || IsVirtual(pSubSrc->a[0].pTab) ){\n /* (3a) (3c) (3b) */\n return 0;\n }\n }\n#ifdef SQLITE_EXTRA_IFNULLROW\n else if( iFrom>0 && !isAgg ){\n /* Setting isLeftJoin to -1 causes OP_IfNullRow opcodes to be generated for\n ** every reference to any result column from subquery in a join, even\n ** though they are not necessary. This will stress-test the OP_IfNullRow \n ** opcode. */\n isLeftJoin = -1;\n }\n#endif\n\n /* Restriction (17): If the sub-query is a compound SELECT, then it must\n ** use only the UNION ALL operator. 
And none of the simple select queries\n ** that make up the compound SELECT are allowed to be aggregate or distinct\n ** queries.\n */\n if( pSub->pPrior ){\n if( pSub->pOrderBy ){\n return 0; /* Restriction (20) */\n }\n if( isAgg || (p->selFlags & SF_Distinct)!=0 || pSrc->nSrc!=1 ){\n return 0; /* (17d1), (17d2), or (17d3) */\n }\n for(pSub1=pSub; pSub1; pSub1=pSub1->pPrior){\n testcase( (pSub1->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct );\n testcase( (pSub1->selFlags & (SF_Distinct|SF_Aggregate))==SF_Aggregate );\n assert( pSub->pSrc!=0 );\n assert( pSub->pEList->nExpr==pSub1->pEList->nExpr );\n if( (pSub1->selFlags & (SF_Distinct|SF_Aggregate))!=0 /* (17b) */\n || (pSub1->pPrior && pSub1->op!=TK_ALL) /* (17a) */\n || pSub1->pSrc->nSrc<1 /* (17c) */\n ){\n return 0;\n }\n testcase( pSub1->pSrc->nSrc>1 );\n }\n\n /* Restriction (18). */\n if( p->pOrderBy ){\n int ii;\n for(ii=0; iipOrderBy->nExpr; ii++){\n if( p->pOrderBy->a[ii].u.x.iOrderByCol==0 ) return 0;\n }\n }\n }\n\n /* Ex-restriction (23):\n ** The only way that the recursive part of a CTE can contain a compound\n ** subquery is for the subquery to be one term of a join. But if the\n ** subquery is a join, then the flattening has already been stopped by\n ** restriction (17d3)\n */\n assert( (p->selFlags & SF_Recursive)==0 || pSub->pPrior==0 );\n\n /***** If we reach this point, flattening is permitted. *****/\n SELECTTRACE(1,pParse,p,(\"flatten %u.%p from term %d\\n\",\n pSub->selId, pSub, iFrom));\n\n /* Authorize the subquery */\n pParse->zAuthContext = pSubitem->zName;\n TESTONLY(i =) sqlite3AuthCheck(pParse, SQLITE_SELECT, 0, 0, 0);\n testcase( i==SQLITE_DENY );\n pParse->zAuthContext = zSavedAuthContext;\n\n /* If the sub-query is a compound SELECT statement, then (by restrictions\n ** 17 and 18 above) it must be a UNION ALL and the parent query must \n ** be of the form:\n **\n ** SELECT FROM () \n **\n ** followed by any ORDER BY, LIMIT and/or OFFSET clauses. 
This block\n ** creates N-1 copies of the parent query without any ORDER BY, LIMIT or \n ** OFFSET clauses and joins them to the left-hand-side of the original\n ** using UNION ALL operators. In this case N is the number of simple\n ** select statements in the compound sub-query.\n **\n ** Example:\n **\n ** SELECT a+1 FROM (\n ** SELECT x FROM tab\n ** UNION ALL\n ** SELECT y FROM tab\n ** UNION ALL\n ** SELECT abs(z*2) FROM tab2\n ** ) WHERE a!=5 ORDER BY 1\n **\n ** Transformed into:\n **\n ** SELECT x+1 FROM tab WHERE x+1!=5\n ** UNION ALL\n ** SELECT y+1 FROM tab WHERE y+1!=5\n ** UNION ALL\n ** SELECT abs(z*2)+1 FROM tab2 WHERE abs(z*2)+1!=5\n ** ORDER BY 1\n **\n ** We call this the \"compound-subquery flattening\".\n */\n for(pSub=pSub->pPrior; pSub; pSub=pSub->pPrior){\n Select *pNew;\n ExprList *pOrderBy = p->pOrderBy;\n Expr *pLimit = p->pLimit;\n Select *pPrior = p->pPrior;\n p->pOrderBy = 0;\n p->pSrc = 0;\n p->pPrior = 0;\n p->pLimit = 0;\n pNew = sqlite3SelectDup(db, p, 0);\n p->pLimit = pLimit;\n p->pOrderBy = pOrderBy;\n p->pSrc = pSrc;\n p->op = TK_ALL;\n if( pNew==0 ){\n p->pPrior = pPrior;\n }else{\n pNew->pPrior = pPrior;\n if( pPrior ) pPrior->pNext = pNew;\n pNew->pNext = p;\n p->pPrior = pNew;\n SELECTTRACE(2,pParse,p,(\"compound-subquery flattener\"\n \" creates %u as peer\\n\",pNew->selId));\n }\n if( db->mallocFailed ) return 1;\n }\n\n /* Begin flattening the iFrom-th entry of the FROM clause \n ** in the outer query.\n */\n pSub = pSub1 = pSubitem->pSelect;\n\n /* Delete the transient table structure associated with the\n ** subquery\n */\n sqlite3DbFree(db, pSubitem->zDatabase);\n sqlite3DbFree(db, pSubitem->zName);\n sqlite3DbFree(db, pSubitem->zAlias);\n pSubitem->zDatabase = 0;\n pSubitem->zName = 0;\n pSubitem->zAlias = 0;\n pSubitem->pSelect = 0;\n\n /* Defer deleting the Table object associated with the\n ** subquery until code generation is\n ** complete, since there may still exist Expr.pTab entries that\n ** refer to the 
subquery even after flattening. Ticket #3346.\n **\n ** pSubitem->pTab is always non-NULL by test restrictions and tests above.\n */\n if( ALWAYS(pSubitem->pTab!=0) ){\n Table *pTabToDel = pSubitem->pTab;\n if( pTabToDel->nTabRef==1 ){\n Parse *pToplevel = sqlite3ParseToplevel(pParse);\n pTabToDel->pNextZombie = pToplevel->pZombieTab;\n pToplevel->pZombieTab = pTabToDel;\n }else{\n pTabToDel->nTabRef--;\n }\n pSubitem->pTab = 0;\n }\n\n /* The following loop runs once for each term in a compound-subquery\n ** flattening (as described above). If we are doing a different kind\n ** of flattening - a flattening other than a compound-subquery flattening -\n ** then this loop only runs once.\n **\n ** This loop moves all of the FROM elements of the subquery into the\n ** the FROM clause of the outer query. Before doing this, remember\n ** the cursor number for the original outer query FROM element in\n ** iParent. The iParent cursor will never be used. Subsequent code\n ** will scan expressions looking for iParent references and replace\n ** those references with expressions that resolve to the subquery FROM\n ** elements we are now copying in.\n */\n for(pParent=p; pParent; pParent=pParent->pPrior, pSub=pSub->pPrior){\n int nSubSrc;\n u8 jointype = 0;\n assert( pSub!=0 );\n pSubSrc = pSub->pSrc; /* FROM clause of subquery */\n nSubSrc = pSubSrc->nSrc; /* Number of terms in subquery FROM clause */\n pSrc = pParent->pSrc; /* FROM clause of the outer query */\n\n if( pSrc ){\n assert( pParent==p ); /* First time through the loop */\n jointype = pSubitem->fg.jointype;\n }else{\n assert( pParent!=p ); /* 2nd and subsequent times through the loop */\n pSrc = sqlite3SrcListAppend(pParse, 0, 0, 0);\n if( pSrc==0 ) break;\n pParent->pSrc = pSrc;\n }\n\n /* The subquery uses a single slot of the FROM clause of the outer\n ** query. 
If the subquery has more than one element in its FROM clause,\n ** then expand the outer query to make space for it to hold all elements\n ** of the subquery.\n **\n ** Example:\n **\n ** SELECT * FROM tabA, (SELECT * FROM sub1, sub2), tabB;\n **\n ** The outer query has 3 slots in its FROM clause. One slot of the\n ** outer query (the middle slot) is used by the subquery. The next\n ** block of code will expand the outer query FROM clause to 4 slots.\n ** The middle slot is expanded to two slots in order to make space\n ** for the two elements in the FROM clause of the subquery.\n */\n if( nSubSrc>1 ){\n pSrc = sqlite3SrcListEnlarge(pParse, pSrc, nSubSrc-1,iFrom+1);\n if( pSrc==0 ) break;\n pParent->pSrc = pSrc;\n }\n\n /* Transfer the FROM clause terms from the subquery into the\n ** outer query.\n */\n for(i=0; ia[i+iFrom].pUsing);\n assert( pSrc->a[i+iFrom].fg.isTabFunc==0 );\n pSrc->a[i+iFrom] = pSubSrc->a[i];\n iNewParent = pSubSrc->a[i].iCursor;\n memset(&pSubSrc->a[i], 0, sizeof(pSubSrc->a[i]));\n }\n pSrc->a[iFrom].fg.jointype = jointype;\n \n /* Now begin substituting subquery result set expressions for \n ** references to the iParent in the outer query.\n ** \n ** Example:\n **\n ** SELECT a+5, b*10 FROM (SELECT x*3 AS a, y+10 AS b FROM t1) WHERE a>b;\n ** \\ \\_____________ subquery __________/ /\n ** \\_____________________ outer query ______________________________/\n **\n ** We look at every expression in the outer query and every place we see\n ** \"a\" we substitute \"x*3\" and every place we see \"b\" we substitute \"y+10\".\n */\n if( pSub->pOrderBy ){\n /* At this point, any non-zero iOrderByCol values indicate that the\n ** ORDER BY column expression is identical to the iOrderByCol'th\n ** expression returned by SELECT statement pSub. 
Since these values\n ** do not necessarily correspond to columns in SELECT statement pParent,\n ** zero them before transfering the ORDER BY clause.\n **\n ** Not doing this may cause an error if a subsequent call to this\n ** function attempts to flatten a compound sub-query into pParent\n ** (the only way this can happen is if the compound sub-query is\n ** currently part of pSub->pSrc). See ticket [d11a6e908f]. */\n ExprList *pOrderBy = pSub->pOrderBy;\n for(i=0; inExpr; i++){\n pOrderBy->a[i].u.x.iOrderByCol = 0;\n }\n assert( pParent->pOrderBy==0 );\n pParent->pOrderBy = pOrderBy;\n pSub->pOrderBy = 0;\n }\n pWhere = pSub->pWhere;\n pSub->pWhere = 0;\n if( isLeftJoin>0 ){\n sqlite3SetJoinExpr(pWhere, iNewParent);\n }\n pParent->pWhere = sqlite3ExprAnd(pParse, pWhere, pParent->pWhere);\n if( db->mallocFailed==0 ){\n SubstContext x;\n x.pParse = pParse;\n x.iTable = iParent;\n x.iNewTable = iNewParent;\n x.isLeftJoin = isLeftJoin;\n x.pEList = pSub->pEList;\n substSelect(&x, pParent, 0);\n }\n \n /* The flattened query is a compound if either the inner or the\n ** outer query is a compound. */\n pParent->selFlags |= pSub->selFlags & SF_Compound;\n assert( (pSub->selFlags & SF_Distinct)==0 ); /* restriction (17b) */\n \n /*\n ** SELECT ... FROM (SELECT ... LIMIT a OFFSET b) LIMIT x OFFSET y;\n **\n ** One is tempted to try to add a and b to combine the limits. 
But this\n ** does not work if either limit is negative.\n */\n if( pSub->pLimit ){\n pParent->pLimit = pSub->pLimit;\n pSub->pLimit = 0;\n }\n }\n\n /* Finially, delete what is left of the subquery and return\n ** success.\n */\n sqlite3SelectDelete(db, pSub1);\n\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x100 ){\n SELECTTRACE(0x100,pParse,p,(\"After flattening:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n\n return 1;\n}", "project": "sqlite", "hash": 182577294779276176182498132337544084346, "size": 392, "commit_id": "396afe6f6aa90a31303c183e11b2b2d4b7956b35", "message": "Continue to back away from the LEFT JOIN optimization of check-in [41c27bc0ff1d3135]\nby disallowing query flattening if the outer query is DISTINCT. Without this fix,\nif an index scan is run on the table within the view on the right-hand side of the\nLEFT JOIN, stale result registers might be accessed yielding incorrect results,\nand/or an OP_IfNullRow opcode might be invoked on the un-opened table, resulting\nin a NULL-pointer dereference. 
This problem was found by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e", "target": 1, "dataset": "other", "idx": 208276 }, { "func": "static int flattenSubquery(\n Parse *pParse, /* Parsing context */\n Select *p, /* The parent or outer SELECT statement */\n int iFrom, /* Index in p->pSrc->a[] of the inner subquery */\n int isAgg /* True if outer SELECT uses aggregate functions */\n){\n const char *zSavedAuthContext = pParse->zAuthContext;\n Select *pParent; /* Current UNION ALL term of the other query */\n Select *pSub; /* The inner query or \"subquery\" */\n Select *pSub1; /* Pointer to the rightmost select in sub-query */\n SrcList *pSrc; /* The FROM clause of the outer query */\n SrcList *pSubSrc; /* The FROM clause of the subquery */\n int iParent; /* VDBE cursor number of the pSub result set temp table */\n int iNewParent = -1;/* Replacement table for iParent */\n int isLeftJoin = 0; /* True if pSub is the right side of a LEFT JOIN */ \n int i; /* Loop counter */\n Expr *pWhere; /* The WHERE clause */\n struct SrcList_item *pSubitem; /* The subquery */\n sqlite3 *db = pParse->db;\n\n /* Check to see if flattening is permitted. Return 0 if not.\n */\n assert( p!=0 );\n assert( p->pPrior==0 );\n if( OptimizationDisabled(db, SQLITE_QueryFlattener) ) return 0;\n pSrc = p->pSrc;\n assert( pSrc && iFrom>=0 && iFromnSrc );\n pSubitem = &pSrc->a[iFrom];\n iParent = pSubitem->iCursor;\n pSub = pSubitem->pSelect;\n assert( pSub!=0 );\n\n#ifndef SQLITE_OMIT_WINDOWFUNC\n if( p->pWin || pSub->pWin ) return 0; /* Restriction (25) */\n#endif\n\n pSubSrc = pSub->pSrc;\n assert( pSubSrc );\n /* Prior to version 3.1.2, when LIMIT and OFFSET had to be simple constants,\n ** not arbitrary expressions, we allowed some combining of LIMIT and OFFSET\n ** because they could be computed at compile-time. 
But when LIMIT and OFFSET\n ** became arbitrary expressions, we were forced to add restrictions (13)\n ** and (14). */\n if( pSub->pLimit && p->pLimit ) return 0; /* Restriction (13) */\n if( pSub->pLimit && pSub->pLimit->pRight ) return 0; /* Restriction (14) */\n if( (p->selFlags & SF_Compound)!=0 && pSub->pLimit ){\n return 0; /* Restriction (15) */\n }\n if( pSubSrc->nSrc==0 ) return 0; /* Restriction (7) */\n if( pSub->selFlags & SF_Distinct ) return 0; /* Restriction (4) */\n if( pSub->pLimit && (pSrc->nSrc>1 || isAgg) ){\n return 0; /* Restrictions (8)(9) */\n }\n if( p->pOrderBy && pSub->pOrderBy ){\n return 0; /* Restriction (11) */\n }\n if( isAgg && pSub->pOrderBy ) return 0; /* Restriction (16) */\n if( pSub->pLimit && p->pWhere ) return 0; /* Restriction (19) */\n if( pSub->pLimit && (p->selFlags & SF_Distinct)!=0 ){\n return 0; /* Restriction (21) */\n }\n if( pSub->selFlags & (SF_Recursive) ){\n return 0; /* Restrictions (22) */\n }\n\n /*\n ** If the subquery is the right operand of a LEFT JOIN, then the\n ** subquery may not be a join itself (3a). Example of why this is not\n ** allowed:\n **\n ** t1 LEFT OUTER JOIN (t2 JOIN t3)\n **\n ** If we flatten the above, we would get\n **\n ** (t1 LEFT OUTER JOIN t2) JOIN t3\n **\n ** which is not at all the same thing.\n **\n ** If the subquery is the right operand of a LEFT JOIN, then the outer\n ** query cannot be an aggregate. 
(3c) This is an artifact of the way\n ** aggregates are processed - there is no mechanism to determine if\n ** the LEFT JOIN table should be all-NULL.\n **\n ** See also tickets #306, #350, and #3300.\n */\n if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){\n isLeftJoin = 1;\n if( pSubSrc->nSrc>1 /* (3a) */\n || isAgg /* (3b) */\n || IsVirtual(pSubSrc->a[0].pTab) /* (3c) */\n || (p->selFlags & SF_Distinct)!=0 /* (3d) */\n ){\n return 0;\n }\n }\n#ifdef SQLITE_EXTRA_IFNULLROW\n else if( iFrom>0 && !isAgg ){\n /* Setting isLeftJoin to -1 causes OP_IfNullRow opcodes to be generated for\n ** every reference to any result column from subquery in a join, even\n ** though they are not necessary. This will stress-test the OP_IfNullRow \n ** opcode. */\n isLeftJoin = -1;\n }\n#endif\n\n /* Restriction (17): If the sub-query is a compound SELECT, then it must\n ** use only the UNION ALL operator. And none of the simple select queries\n ** that make up the compound SELECT are allowed to be aggregate or distinct\n ** queries.\n */\n if( pSub->pPrior ){\n if( pSub->pOrderBy ){\n return 0; /* Restriction (20) */\n }\n if( isAgg || (p->selFlags & SF_Distinct)!=0 || pSrc->nSrc!=1 ){\n return 0; /* (17d1), (17d2), or (17d3) */\n }\n for(pSub1=pSub; pSub1; pSub1=pSub1->pPrior){\n testcase( (pSub1->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct );\n testcase( (pSub1->selFlags & (SF_Distinct|SF_Aggregate))==SF_Aggregate );\n assert( pSub->pSrc!=0 );\n assert( pSub->pEList->nExpr==pSub1->pEList->nExpr );\n if( (pSub1->selFlags & (SF_Distinct|SF_Aggregate))!=0 /* (17b) */\n || (pSub1->pPrior && pSub1->op!=TK_ALL) /* (17a) */\n || pSub1->pSrc->nSrc<1 /* (17c) */\n#ifndef SQLITE_OMIT_WINDOWFUNC\n || pSub1->pWin /* (17e) */\n#endif\n ){\n return 0;\n }\n testcase( pSub1->pSrc->nSrc>1 );\n }\n\n /* Restriction (18). 
*/\n if( p->pOrderBy ){\n int ii;\n for(ii=0; iipOrderBy->nExpr; ii++){\n if( p->pOrderBy->a[ii].u.x.iOrderByCol==0 ) return 0;\n }\n }\n }\n\n /* Ex-restriction (23):\n ** The only way that the recursive part of a CTE can contain a compound\n ** subquery is for the subquery to be one term of a join. But if the\n ** subquery is a join, then the flattening has already been stopped by\n ** restriction (17d3)\n */\n assert( (p->selFlags & SF_Recursive)==0 || pSub->pPrior==0 );\n\n /***** If we reach this point, flattening is permitted. *****/\n SELECTTRACE(1,pParse,p,(\"flatten %u.%p from term %d\\n\",\n pSub->selId, pSub, iFrom));\n\n /* Authorize the subquery */\n pParse->zAuthContext = pSubitem->zName;\n TESTONLY(i =) sqlite3AuthCheck(pParse, SQLITE_SELECT, 0, 0, 0);\n testcase( i==SQLITE_DENY );\n pParse->zAuthContext = zSavedAuthContext;\n\n /* If the sub-query is a compound SELECT statement, then (by restrictions\n ** 17 and 18 above) it must be a UNION ALL and the parent query must \n ** be of the form:\n **\n ** SELECT FROM () \n **\n ** followed by any ORDER BY, LIMIT and/or OFFSET clauses. This block\n ** creates N-1 copies of the parent query without any ORDER BY, LIMIT or \n ** OFFSET clauses and joins them to the left-hand-side of the original\n ** using UNION ALL operators. 
In this case N is the number of simple\n ** select statements in the compound sub-query.\n **\n ** Example:\n **\n ** SELECT a+1 FROM (\n ** SELECT x FROM tab\n ** UNION ALL\n ** SELECT y FROM tab\n ** UNION ALL\n ** SELECT abs(z*2) FROM tab2\n ** ) WHERE a!=5 ORDER BY 1\n **\n ** Transformed into:\n **\n ** SELECT x+1 FROM tab WHERE x+1!=5\n ** UNION ALL\n ** SELECT y+1 FROM tab WHERE y+1!=5\n ** UNION ALL\n ** SELECT abs(z*2)+1 FROM tab2 WHERE abs(z*2)+1!=5\n ** ORDER BY 1\n **\n ** We call this the \"compound-subquery flattening\".\n */\n for(pSub=pSub->pPrior; pSub; pSub=pSub->pPrior){\n Select *pNew;\n ExprList *pOrderBy = p->pOrderBy;\n Expr *pLimit = p->pLimit;\n Select *pPrior = p->pPrior;\n p->pOrderBy = 0;\n p->pSrc = 0;\n p->pPrior = 0;\n p->pLimit = 0;\n pNew = sqlite3SelectDup(db, p, 0);\n p->pLimit = pLimit;\n p->pOrderBy = pOrderBy;\n p->pSrc = pSrc;\n p->op = TK_ALL;\n if( pNew==0 ){\n p->pPrior = pPrior;\n }else{\n pNew->pPrior = pPrior;\n if( pPrior ) pPrior->pNext = pNew;\n pNew->pNext = p;\n p->pPrior = pNew;\n SELECTTRACE(2,pParse,p,(\"compound-subquery flattener\"\n \" creates %u as peer\\n\",pNew->selId));\n }\n if( db->mallocFailed ) return 1;\n }\n\n /* Begin flattening the iFrom-th entry of the FROM clause \n ** in the outer query.\n */\n pSub = pSub1 = pSubitem->pSelect;\n\n /* Delete the transient table structure associated with the\n ** subquery\n */\n sqlite3DbFree(db, pSubitem->zDatabase);\n sqlite3DbFree(db, pSubitem->zName);\n sqlite3DbFree(db, pSubitem->zAlias);\n pSubitem->zDatabase = 0;\n pSubitem->zName = 0;\n pSubitem->zAlias = 0;\n pSubitem->pSelect = 0;\n\n /* Defer deleting the Table object associated with the\n ** subquery until code generation is\n ** complete, since there may still exist Expr.pTab entries that\n ** refer to the subquery even after flattening. 
Ticket #3346.\n **\n ** pSubitem->pTab is always non-NULL by test restrictions and tests above.\n */\n if( ALWAYS(pSubitem->pTab!=0) ){\n Table *pTabToDel = pSubitem->pTab;\n if( pTabToDel->nTabRef==1 ){\n Parse *pToplevel = sqlite3ParseToplevel(pParse);\n pTabToDel->pNextZombie = pToplevel->pZombieTab;\n pToplevel->pZombieTab = pTabToDel;\n }else{\n pTabToDel->nTabRef--;\n }\n pSubitem->pTab = 0;\n }\n\n /* The following loop runs once for each term in a compound-subquery\n ** flattening (as described above). If we are doing a different kind\n ** of flattening - a flattening other than a compound-subquery flattening -\n ** then this loop only runs once.\n **\n ** This loop moves all of the FROM elements of the subquery into the\n ** the FROM clause of the outer query. Before doing this, remember\n ** the cursor number for the original outer query FROM element in\n ** iParent. The iParent cursor will never be used. Subsequent code\n ** will scan expressions looking for iParent references and replace\n ** those references with expressions that resolve to the subquery FROM\n ** elements we are now copying in.\n */\n for(pParent=p; pParent; pParent=pParent->pPrior, pSub=pSub->pPrior){\n int nSubSrc;\n u8 jointype = 0;\n assert( pSub!=0 );\n pSubSrc = pSub->pSrc; /* FROM clause of subquery */\n nSubSrc = pSubSrc->nSrc; /* Number of terms in subquery FROM clause */\n pSrc = pParent->pSrc; /* FROM clause of the outer query */\n\n if( pSrc ){\n assert( pParent==p ); /* First time through the loop */\n jointype = pSubitem->fg.jointype;\n }else{\n assert( pParent!=p ); /* 2nd and subsequent times through the loop */\n pSrc = sqlite3SrcListAppend(pParse, 0, 0, 0);\n if( pSrc==0 ) break;\n pParent->pSrc = pSrc;\n }\n\n /* The subquery uses a single slot of the FROM clause of the outer\n ** query. 
If the subquery has more than one element in its FROM clause,\n ** then expand the outer query to make space for it to hold all elements\n ** of the subquery.\n **\n ** Example:\n **\n ** SELECT * FROM tabA, (SELECT * FROM sub1, sub2), tabB;\n **\n ** The outer query has 3 slots in its FROM clause. One slot of the\n ** outer query (the middle slot) is used by the subquery. The next\n ** block of code will expand the outer query FROM clause to 4 slots.\n ** The middle slot is expanded to two slots in order to make space\n ** for the two elements in the FROM clause of the subquery.\n */\n if( nSubSrc>1 ){\n pSrc = sqlite3SrcListEnlarge(pParse, pSrc, nSubSrc-1,iFrom+1);\n if( pSrc==0 ) break;\n pParent->pSrc = pSrc;\n }\n\n /* Transfer the FROM clause terms from the subquery into the\n ** outer query.\n */\n for(i=0; ia[i+iFrom].pUsing);\n assert( pSrc->a[i+iFrom].fg.isTabFunc==0 );\n pSrc->a[i+iFrom] = pSubSrc->a[i];\n iNewParent = pSubSrc->a[i].iCursor;\n memset(&pSubSrc->a[i], 0, sizeof(pSubSrc->a[i]));\n }\n pSrc->a[iFrom].fg.jointype = jointype;\n \n /* Now begin substituting subquery result set expressions for \n ** references to the iParent in the outer query.\n ** \n ** Example:\n **\n ** SELECT a+5, b*10 FROM (SELECT x*3 AS a, y+10 AS b FROM t1) WHERE a>b;\n ** \\ \\_____________ subquery __________/ /\n ** \\_____________________ outer query ______________________________/\n **\n ** We look at every expression in the outer query and every place we see\n ** \"a\" we substitute \"x*3\" and every place we see \"b\" we substitute \"y+10\".\n */\n if( pSub->pOrderBy ){\n /* At this point, any non-zero iOrderByCol values indicate that the\n ** ORDER BY column expression is identical to the iOrderByCol'th\n ** expression returned by SELECT statement pSub. 
Since these values\n ** do not necessarily correspond to columns in SELECT statement pParent,\n ** zero them before transfering the ORDER BY clause.\n **\n ** Not doing this may cause an error if a subsequent call to this\n ** function attempts to flatten a compound sub-query into pParent\n ** (the only way this can happen is if the compound sub-query is\n ** currently part of pSub->pSrc). See ticket [d11a6e908f]. */\n ExprList *pOrderBy = pSub->pOrderBy;\n for(i=0; inExpr; i++){\n pOrderBy->a[i].u.x.iOrderByCol = 0;\n }\n assert( pParent->pOrderBy==0 );\n pParent->pOrderBy = pOrderBy;\n pSub->pOrderBy = 0;\n }\n pWhere = pSub->pWhere;\n pSub->pWhere = 0;\n if( isLeftJoin>0 ){\n sqlite3SetJoinExpr(pWhere, iNewParent);\n }\n pParent->pWhere = sqlite3ExprAnd(pParse, pWhere, pParent->pWhere);\n if( db->mallocFailed==0 ){\n SubstContext x;\n x.pParse = pParse;\n x.iTable = iParent;\n x.iNewTable = iNewParent;\n x.isLeftJoin = isLeftJoin;\n x.pEList = pSub->pEList;\n substSelect(&x, pParent, 0);\n }\n \n /* The flattened query is a compound if either the inner or the\n ** outer query is a compound. */\n pParent->selFlags |= pSub->selFlags & SF_Compound;\n assert( (pSub->selFlags & SF_Distinct)==0 ); /* restriction (17b) */\n \n /*\n ** SELECT ... FROM (SELECT ... LIMIT a OFFSET b) LIMIT x OFFSET y;\n **\n ** One is tempted to try to add a and b to combine the limits. 
But this\n ** does not work if either limit is negative.\n */\n if( pSub->pLimit ){\n pParent->pLimit = pSub->pLimit;\n pSub->pLimit = 0;\n }\n }\n\n /* Finially, delete what is left of the subquery and return\n ** success.\n */\n sqlite3SelectDelete(db, pSub1);\n\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x100 ){\n SELECTTRACE(0x100,pParse,p,(\"After flattening:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n\n return 1;\n}", "project": "sqlite", "hash": 65221345529901163432298353283881151085, "size": 398, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246194 }, { "func": "static int flattenSubquery(\n Parse *pParse, /* Parsing context */\n Select *p, /* The parent or outer SELECT statement */\n int iFrom, /* Index in p->pSrc->a[] of the inner subquery */\n int isAgg /* True if outer SELECT uses aggregate functions */\n){\n const char *zSavedAuthContext = pParse->zAuthContext;\n Select *pParent; /* Current UNION ALL term of the other query */\n Select *pSub; /* The inner query or \"subquery\" */\n Select *pSub1; /* Pointer to the rightmost select in sub-query */\n SrcList *pSrc; /* The FROM clause of the outer query */\n SrcList *pSubSrc; /* The FROM clause of the subquery */\n int iParent; /* VDBE cursor number of the pSub result set temp table */\n int iNewParent = -1;/* Replacement table for iParent */\n int isLeftJoin = 0; /* True if pSub is the right side of a LEFT JOIN */ \n int i; /* Loop counter */\n Expr *pWhere; /* The WHERE clause */\n struct SrcList_item *pSubitem; /* The subquery */\n sqlite3 *db = pParse->db;\n\n /* Check to see if flattening is permitted. 
Return 0 if not.\n */\n assert( p!=0 );\n assert( p->pPrior==0 );\n if( OptimizationDisabled(db, SQLITE_QueryFlattener) ) return 0;\n pSrc = p->pSrc;\n assert( pSrc && iFrom>=0 && iFromnSrc );\n pSubitem = &pSrc->a[iFrom];\n iParent = pSubitem->iCursor;\n pSub = pSubitem->pSelect;\n assert( pSub!=0 );\n\n#ifndef SQLITE_OMIT_WINDOWFUNC\n if( p->pWin || pSub->pWin ) return 0; /* Restriction (25) */\n#endif\n\n pSubSrc = pSub->pSrc;\n assert( pSubSrc );\n /* Prior to version 3.1.2, when LIMIT and OFFSET had to be simple constants,\n ** not arbitrary expressions, we allowed some combining of LIMIT and OFFSET\n ** because they could be computed at compile-time. But when LIMIT and OFFSET\n ** became arbitrary expressions, we were forced to add restrictions (13)\n ** and (14). */\n if( pSub->pLimit && p->pLimit ) return 0; /* Restriction (13) */\n if( pSub->pLimit && pSub->pLimit->pRight ) return 0; /* Restriction (14) */\n if( (p->selFlags & SF_Compound)!=0 && pSub->pLimit ){\n return 0; /* Restriction (15) */\n }\n if( pSubSrc->nSrc==0 ) return 0; /* Restriction (7) */\n if( pSub->selFlags & SF_Distinct ) return 0; /* Restriction (4) */\n if( pSub->pLimit && (pSrc->nSrc>1 || isAgg) ){\n return 0; /* Restrictions (8)(9) */\n }\n if( p->pOrderBy && pSub->pOrderBy ){\n return 0; /* Restriction (11) */\n }\n if( isAgg && pSub->pOrderBy ) return 0; /* Restriction (16) */\n if( pSub->pLimit && p->pWhere ) return 0; /* Restriction (19) */\n if( pSub->pLimit && (p->selFlags & SF_Distinct)!=0 ){\n return 0; /* Restriction (21) */\n }\n if( pSub->selFlags & (SF_Recursive) ){\n return 0; /* Restrictions (22) */\n }\n\n /*\n ** If the subquery is the right operand of a LEFT JOIN, then the\n ** subquery may not be a join itself (3a). 
Example of why this is not\n ** allowed:\n **\n ** t1 LEFT OUTER JOIN (t2 JOIN t3)\n **\n ** If we flatten the above, we would get\n **\n ** (t1 LEFT OUTER JOIN t2) JOIN t3\n **\n ** which is not at all the same thing.\n **\n ** If the subquery is the right operand of a LEFT JOIN, then the outer\n ** query cannot be an aggregate. (3c) This is an artifact of the way\n ** aggregates are processed - there is no mechanism to determine if\n ** the LEFT JOIN table should be all-NULL.\n **\n ** See also tickets #306, #350, and #3300.\n */\n if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){\n isLeftJoin = 1;\n if( pSubSrc->nSrc>1 /* (3a) */\n || isAgg /* (3b) */\n || IsVirtual(pSubSrc->a[0].pTab) /* (3c) */\n || (p->selFlags & SF_Distinct)!=0 /* (3d) */\n ){\n return 0;\n }\n }\n#ifdef SQLITE_EXTRA_IFNULLROW\n else if( iFrom>0 && !isAgg ){\n /* Setting isLeftJoin to -1 causes OP_IfNullRow opcodes to be generated for\n ** every reference to any result column from subquery in a join, even\n ** though they are not necessary. This will stress-test the OP_IfNullRow \n ** opcode. */\n isLeftJoin = -1;\n }\n#endif\n\n /* Restriction (17): If the sub-query is a compound SELECT, then it must\n ** use only the UNION ALL operator. 
And none of the simple select queries\n ** that make up the compound SELECT are allowed to be aggregate or distinct\n ** queries.\n */\n if( pSub->pPrior ){\n if( pSub->pOrderBy ){\n return 0; /* Restriction (20) */\n }\n if( isAgg || (p->selFlags & SF_Distinct)!=0 || pSrc->nSrc!=1 ){\n return 0; /* (17d1), (17d2), or (17d3) */\n }\n for(pSub1=pSub; pSub1; pSub1=pSub1->pPrior){\n testcase( (pSub1->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct );\n testcase( (pSub1->selFlags & (SF_Distinct|SF_Aggregate))==SF_Aggregate );\n assert( pSub->pSrc!=0 );\n assert( pSub->pEList->nExpr==pSub1->pEList->nExpr );\n if( (pSub1->selFlags & (SF_Distinct|SF_Aggregate))!=0 /* (17b) */\n || (pSub1->pPrior && pSub1->op!=TK_ALL) /* (17a) */\n || pSub1->pSrc->nSrc<1 /* (17c) */\n ){\n return 0;\n }\n testcase( pSub1->pSrc->nSrc>1 );\n }\n\n /* Restriction (18). */\n if( p->pOrderBy ){\n int ii;\n for(ii=0; iipOrderBy->nExpr; ii++){\n if( p->pOrderBy->a[ii].u.x.iOrderByCol==0 ) return 0;\n }\n }\n }\n\n /* Ex-restriction (23):\n ** The only way that the recursive part of a CTE can contain a compound\n ** subquery is for the subquery to be one term of a join. But if the\n ** subquery is a join, then the flattening has already been stopped by\n ** restriction (17d3)\n */\n assert( (p->selFlags & SF_Recursive)==0 || pSub->pPrior==0 );\n\n /***** If we reach this point, flattening is permitted. *****/\n SELECTTRACE(1,pParse,p,(\"flatten %u.%p from term %d\\n\",\n pSub->selId, pSub, iFrom));\n\n /* Authorize the subquery */\n pParse->zAuthContext = pSubitem->zName;\n TESTONLY(i =) sqlite3AuthCheck(pParse, SQLITE_SELECT, 0, 0, 0);\n testcase( i==SQLITE_DENY );\n pParse->zAuthContext = zSavedAuthContext;\n\n /* If the sub-query is a compound SELECT statement, then (by restrictions\n ** 17 and 18 above) it must be a UNION ALL and the parent query must \n ** be of the form:\n **\n ** SELECT FROM () \n **\n ** followed by any ORDER BY, LIMIT and/or OFFSET clauses. 
This block\n ** creates N-1 copies of the parent query without any ORDER BY, LIMIT or \n ** OFFSET clauses and joins them to the left-hand-side of the original\n ** using UNION ALL operators. In this case N is the number of simple\n ** select statements in the compound sub-query.\n **\n ** Example:\n **\n ** SELECT a+1 FROM (\n ** SELECT x FROM tab\n ** UNION ALL\n ** SELECT y FROM tab\n ** UNION ALL\n ** SELECT abs(z*2) FROM tab2\n ** ) WHERE a!=5 ORDER BY 1\n **\n ** Transformed into:\n **\n ** SELECT x+1 FROM tab WHERE x+1!=5\n ** UNION ALL\n ** SELECT y+1 FROM tab WHERE y+1!=5\n ** UNION ALL\n ** SELECT abs(z*2)+1 FROM tab2 WHERE abs(z*2)+1!=5\n ** ORDER BY 1\n **\n ** We call this the \"compound-subquery flattening\".\n */\n for(pSub=pSub->pPrior; pSub; pSub=pSub->pPrior){\n Select *pNew;\n ExprList *pOrderBy = p->pOrderBy;\n Expr *pLimit = p->pLimit;\n Select *pPrior = p->pPrior;\n p->pOrderBy = 0;\n p->pSrc = 0;\n p->pPrior = 0;\n p->pLimit = 0;\n pNew = sqlite3SelectDup(db, p, 0);\n p->pLimit = pLimit;\n p->pOrderBy = pOrderBy;\n p->pSrc = pSrc;\n p->op = TK_ALL;\n if( pNew==0 ){\n p->pPrior = pPrior;\n }else{\n pNew->pPrior = pPrior;\n if( pPrior ) pPrior->pNext = pNew;\n pNew->pNext = p;\n p->pPrior = pNew;\n SELECTTRACE(2,pParse,p,(\"compound-subquery flattener\"\n \" creates %u as peer\\n\",pNew->selId));\n }\n if( db->mallocFailed ) return 1;\n }\n\n /* Begin flattening the iFrom-th entry of the FROM clause \n ** in the outer query.\n */\n pSub = pSub1 = pSubitem->pSelect;\n\n /* Delete the transient table structure associated with the\n ** subquery\n */\n sqlite3DbFree(db, pSubitem->zDatabase);\n sqlite3DbFree(db, pSubitem->zName);\n sqlite3DbFree(db, pSubitem->zAlias);\n pSubitem->zDatabase = 0;\n pSubitem->zName = 0;\n pSubitem->zAlias = 0;\n pSubitem->pSelect = 0;\n\n /* Defer deleting the Table object associated with the\n ** subquery until code generation is\n ** complete, since there may still exist Expr.pTab entries that\n ** refer to the 
subquery even after flattening. Ticket #3346.\n **\n ** pSubitem->pTab is always non-NULL by test restrictions and tests above.\n */\n if( ALWAYS(pSubitem->pTab!=0) ){\n Table *pTabToDel = pSubitem->pTab;\n if( pTabToDel->nTabRef==1 ){\n Parse *pToplevel = sqlite3ParseToplevel(pParse);\n pTabToDel->pNextZombie = pToplevel->pZombieTab;\n pToplevel->pZombieTab = pTabToDel;\n }else{\n pTabToDel->nTabRef--;\n }\n pSubitem->pTab = 0;\n }\n\n /* The following loop runs once for each term in a compound-subquery\n ** flattening (as described above). If we are doing a different kind\n ** of flattening - a flattening other than a compound-subquery flattening -\n ** then this loop only runs once.\n **\n ** This loop moves all of the FROM elements of the subquery into the\n ** the FROM clause of the outer query. Before doing this, remember\n ** the cursor number for the original outer query FROM element in\n ** iParent. The iParent cursor will never be used. Subsequent code\n ** will scan expressions looking for iParent references and replace\n ** those references with expressions that resolve to the subquery FROM\n ** elements we are now copying in.\n */\n for(pParent=p; pParent; pParent=pParent->pPrior, pSub=pSub->pPrior){\n int nSubSrc;\n u8 jointype = 0;\n assert( pSub!=0 );\n pSubSrc = pSub->pSrc; /* FROM clause of subquery */\n nSubSrc = pSubSrc->nSrc; /* Number of terms in subquery FROM clause */\n pSrc = pParent->pSrc; /* FROM clause of the outer query */\n\n if( pSrc ){\n assert( pParent==p ); /* First time through the loop */\n jointype = pSubitem->fg.jointype;\n }else{\n assert( pParent!=p ); /* 2nd and subsequent times through the loop */\n pSrc = sqlite3SrcListAppend(pParse, 0, 0, 0);\n if( pSrc==0 ) break;\n pParent->pSrc = pSrc;\n }\n\n /* The subquery uses a single slot of the FROM clause of the outer\n ** query. 
If the subquery has more than one element in its FROM clause,\n ** then expand the outer query to make space for it to hold all elements\n ** of the subquery.\n **\n ** Example:\n **\n ** SELECT * FROM tabA, (SELECT * FROM sub1, sub2), tabB;\n **\n ** The outer query has 3 slots in its FROM clause. One slot of the\n ** outer query (the middle slot) is used by the subquery. The next\n ** block of code will expand the outer query FROM clause to 4 slots.\n ** The middle slot is expanded to two slots in order to make space\n ** for the two elements in the FROM clause of the subquery.\n */\n if( nSubSrc>1 ){\n pSrc = sqlite3SrcListEnlarge(pParse, pSrc, nSubSrc-1,iFrom+1);\n if( pSrc==0 ) break;\n pParent->pSrc = pSrc;\n }\n\n /* Transfer the FROM clause terms from the subquery into the\n ** outer query.\n */\n for(i=0; ia[i+iFrom].pUsing);\n assert( pSrc->a[i+iFrom].fg.isTabFunc==0 );\n pSrc->a[i+iFrom] = pSubSrc->a[i];\n iNewParent = pSubSrc->a[i].iCursor;\n memset(&pSubSrc->a[i], 0, sizeof(pSubSrc->a[i]));\n }\n pSrc->a[iFrom].fg.jointype = jointype;\n \n /* Now begin substituting subquery result set expressions for \n ** references to the iParent in the outer query.\n ** \n ** Example:\n **\n ** SELECT a+5, b*10 FROM (SELECT x*3 AS a, y+10 AS b FROM t1) WHERE a>b;\n ** \\ \\_____________ subquery __________/ /\n ** \\_____________________ outer query ______________________________/\n **\n ** We look at every expression in the outer query and every place we see\n ** \"a\" we substitute \"x*3\" and every place we see \"b\" we substitute \"y+10\".\n */\n if( pSub->pOrderBy ){\n /* At this point, any non-zero iOrderByCol values indicate that the\n ** ORDER BY column expression is identical to the iOrderByCol'th\n ** expression returned by SELECT statement pSub. 
Since these values\n ** do not necessarily correspond to columns in SELECT statement pParent,\n ** zero them before transfering the ORDER BY clause.\n **\n ** Not doing this may cause an error if a subsequent call to this\n ** function attempts to flatten a compound sub-query into pParent\n ** (the only way this can happen is if the compound sub-query is\n ** currently part of pSub->pSrc). See ticket [d11a6e908f]. */\n ExprList *pOrderBy = pSub->pOrderBy;\n for(i=0; inExpr; i++){\n pOrderBy->a[i].u.x.iOrderByCol = 0;\n }\n assert( pParent->pOrderBy==0 );\n pParent->pOrderBy = pOrderBy;\n pSub->pOrderBy = 0;\n }\n pWhere = pSub->pWhere;\n pSub->pWhere = 0;\n if( isLeftJoin>0 ){\n sqlite3SetJoinExpr(pWhere, iNewParent);\n }\n pParent->pWhere = sqlite3ExprAnd(pParse, pWhere, pParent->pWhere);\n if( db->mallocFailed==0 ){\n SubstContext x;\n x.pParse = pParse;\n x.iTable = iParent;\n x.iNewTable = iNewParent;\n x.isLeftJoin = isLeftJoin;\n x.pEList = pSub->pEList;\n substSelect(&x, pParent, 0);\n }\n \n /* The flattened query is a compound if either the inner or the\n ** outer query is a compound. */\n pParent->selFlags |= pSub->selFlags & SF_Compound;\n assert( (pSub->selFlags & SF_Distinct)==0 ); /* restriction (17b) */\n \n /*\n ** SELECT ... FROM (SELECT ... LIMIT a OFFSET b) LIMIT x OFFSET y;\n **\n ** One is tempted to try to add a and b to combine the limits. 
But this\n ** does not work if either limit is negative.\n */\n if( pSub->pLimit ){\n pParent->pLimit = pSub->pLimit;\n pSub->pLimit = 0;\n }\n }\n\n /* Finially, delete what is left of the subquery and return\n ** success.\n */\n sqlite3SelectDelete(db, pSub1);\n\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x100 ){\n SELECTTRACE(0x100,pParse,p,(\"After flattening:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n\n return 1;\n}", "project": "sqlite", "hash": 72132402538504386911626092992418851741, "size": 395, "commit_id": "a6c1a71cde082e09750465d5675699062922e387", "message": "Do not attempt to unwind the WITH stack in the Parse object following an error. This fixes a separate case to [de6e6d68].\n\nFossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92", "target": 0, "dataset": "other", "idx": 356312 }, { "func": "static int flattenSubquery(\n Parse *pParse, /* Parsing context */\n Select *p, /* The parent or outer SELECT statement */\n int iFrom, /* Index in p->pSrc->a[] of the inner subquery */\n int isAgg /* True if outer SELECT uses aggregate functions */\n){\n const char *zSavedAuthContext = pParse->zAuthContext;\n Select *pParent; /* Current UNION ALL term of the other query */\n Select *pSub; /* The inner query or \"subquery\" */\n Select *pSub1; /* Pointer to the rightmost select in sub-query */\n SrcList *pSrc; /* The FROM clause of the outer query */\n SrcList *pSubSrc; /* The FROM clause of the subquery */\n int iParent; /* VDBE cursor number of the pSub result set temp table */\n int iNewParent = -1;/* Replacement table for iParent */\n int isLeftJoin = 0; /* True if pSub is the right side of a LEFT JOIN */ \n int i; /* Loop counter */\n Expr *pWhere; /* The WHERE clause */\n struct SrcList_item *pSubitem; /* The subquery */\n sqlite3 *db = pParse->db;\n\n /* Check to see if flattening is permitted. 
Return 0 if not.\n */\n assert( p!=0 );\n assert( p->pPrior==0 );\n if( OptimizationDisabled(db, SQLITE_QueryFlattener) ) return 0;\n pSrc = p->pSrc;\n assert( pSrc && iFrom>=0 && iFromnSrc );\n pSubitem = &pSrc->a[iFrom];\n iParent = pSubitem->iCursor;\n pSub = pSubitem->pSelect;\n assert( pSub!=0 );\n\n#ifndef SQLITE_OMIT_WINDOWFUNC\n if( p->pWin || pSub->pWin ) return 0; /* Restriction (25) */\n#endif\n\n pSubSrc = pSub->pSrc;\n assert( pSubSrc );\n /* Prior to version 3.1.2, when LIMIT and OFFSET had to be simple constants,\n ** not arbitrary expressions, we allowed some combining of LIMIT and OFFSET\n ** because they could be computed at compile-time. But when LIMIT and OFFSET\n ** became arbitrary expressions, we were forced to add restrictions (13)\n ** and (14). */\n if( pSub->pLimit && p->pLimit ) return 0; /* Restriction (13) */\n if( pSub->pLimit && pSub->pLimit->pRight ) return 0; /* Restriction (14) */\n if( (p->selFlags & SF_Compound)!=0 && pSub->pLimit ){\n return 0; /* Restriction (15) */\n }\n if( pSubSrc->nSrc==0 ) return 0; /* Restriction (7) */\n if( pSub->selFlags & SF_Distinct ) return 0; /* Restriction (4) */\n if( pSub->pLimit && (pSrc->nSrc>1 || isAgg) ){\n return 0; /* Restrictions (8)(9) */\n }\n if( p->pOrderBy && pSub->pOrderBy ){\n return 0; /* Restriction (11) */\n }\n if( isAgg && pSub->pOrderBy ) return 0; /* Restriction (16) */\n if( pSub->pLimit && p->pWhere ) return 0; /* Restriction (19) */\n if( pSub->pLimit && (p->selFlags & SF_Distinct)!=0 ){\n return 0; /* Restriction (21) */\n }\n if( pSub->selFlags & (SF_Recursive) ){\n return 0; /* Restrictions (22) */\n }\n\n /*\n ** If the subquery is the right operand of a LEFT JOIN, then the\n ** subquery may not be a join itself (3a). 
Example of why this is not\n ** allowed:\n **\n ** t1 LEFT OUTER JOIN (t2 JOIN t3)\n **\n ** If we flatten the above, we would get\n **\n ** (t1 LEFT OUTER JOIN t2) JOIN t3\n **\n ** which is not at all the same thing.\n **\n ** If the subquery is the right operand of a LEFT JOIN, then the outer\n ** query cannot be an aggregate. (3c) This is an artifact of the way\n ** aggregates are processed - there is no mechanism to determine if\n ** the LEFT JOIN table should be all-NULL.\n **\n ** See also tickets #306, #350, and #3300.\n */\n if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){\n isLeftJoin = 1;\n if( pSubSrc->nSrc>1 /* (3a) */\n || isAgg /* (3b) */\n || IsVirtual(pSubSrc->a[0].pTab) /* (3c) */\n || (p->selFlags & SF_Distinct)!=0 /* (3d) */\n ){\n return 0;\n }\n }\n#ifdef SQLITE_EXTRA_IFNULLROW\n else if( iFrom>0 && !isAgg ){\n /* Setting isLeftJoin to -1 causes OP_IfNullRow opcodes to be generated for\n ** every reference to any result column from subquery in a join, even\n ** though they are not necessary. This will stress-test the OP_IfNullRow \n ** opcode. */\n isLeftJoin = -1;\n }\n#endif\n\n /* Restriction (17): If the sub-query is a compound SELECT, then it must\n ** use only the UNION ALL operator. 
And none of the simple select queries\n ** that make up the compound SELECT are allowed to be aggregate or distinct\n ** queries.\n */\n if( pSub->pPrior ){\n if( pSub->pOrderBy ){\n return 0; /* Restriction (20) */\n }\n if( isAgg || (p->selFlags & SF_Distinct)!=0 || pSrc->nSrc!=1 ){\n return 0; /* (17d1), (17d2), or (17d3) */\n }\n for(pSub1=pSub; pSub1; pSub1=pSub1->pPrior){\n testcase( (pSub1->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct );\n testcase( (pSub1->selFlags & (SF_Distinct|SF_Aggregate))==SF_Aggregate );\n assert( pSub->pSrc!=0 );\n assert( pSub->pEList->nExpr==pSub1->pEList->nExpr );\n if( (pSub1->selFlags & (SF_Distinct|SF_Aggregate))!=0 /* (17b) */\n || (pSub1->pPrior && pSub1->op!=TK_ALL) /* (17a) */\n || pSub1->pSrc->nSrc<1 /* (17c) */\n || pSub1->pWin /* (17e) */\n ){\n return 0;\n }\n testcase( pSub1->pSrc->nSrc>1 );\n }\n\n /* Restriction (18). */\n if( p->pOrderBy ){\n int ii;\n for(ii=0; iipOrderBy->nExpr; ii++){\n if( p->pOrderBy->a[ii].u.x.iOrderByCol==0 ) return 0;\n }\n }\n }\n\n /* Ex-restriction (23):\n ** The only way that the recursive part of a CTE can contain a compound\n ** subquery is for the subquery to be one term of a join. But if the\n ** subquery is a join, then the flattening has already been stopped by\n ** restriction (17d3)\n */\n assert( (p->selFlags & SF_Recursive)==0 || pSub->pPrior==0 );\n\n /***** If we reach this point, flattening is permitted. 
*****/\n SELECTTRACE(1,pParse,p,(\"flatten %u.%p from term %d\\n\",\n pSub->selId, pSub, iFrom));\n\n /* Authorize the subquery */\n pParse->zAuthContext = pSubitem->zName;\n TESTONLY(i =) sqlite3AuthCheck(pParse, SQLITE_SELECT, 0, 0, 0);\n testcase( i==SQLITE_DENY );\n pParse->zAuthContext = zSavedAuthContext;\n\n /* If the sub-query is a compound SELECT statement, then (by restrictions\n ** 17 and 18 above) it must be a UNION ALL and the parent query must \n ** be of the form:\n **\n ** SELECT FROM () \n **\n ** followed by any ORDER BY, LIMIT and/or OFFSET clauses. This block\n ** creates N-1 copies of the parent query without any ORDER BY, LIMIT or \n ** OFFSET clauses and joins them to the left-hand-side of the original\n ** using UNION ALL operators. In this case N is the number of simple\n ** select statements in the compound sub-query.\n **\n ** Example:\n **\n ** SELECT a+1 FROM (\n ** SELECT x FROM tab\n ** UNION ALL\n ** SELECT y FROM tab\n ** UNION ALL\n ** SELECT abs(z*2) FROM tab2\n ** ) WHERE a!=5 ORDER BY 1\n **\n ** Transformed into:\n **\n ** SELECT x+1 FROM tab WHERE x+1!=5\n ** UNION ALL\n ** SELECT y+1 FROM tab WHERE y+1!=5\n ** UNION ALL\n ** SELECT abs(z*2)+1 FROM tab2 WHERE abs(z*2)+1!=5\n ** ORDER BY 1\n **\n ** We call this the \"compound-subquery flattening\".\n */\n for(pSub=pSub->pPrior; pSub; pSub=pSub->pPrior){\n Select *pNew;\n ExprList *pOrderBy = p->pOrderBy;\n Expr *pLimit = p->pLimit;\n Select *pPrior = p->pPrior;\n p->pOrderBy = 0;\n p->pSrc = 0;\n p->pPrior = 0;\n p->pLimit = 0;\n pNew = sqlite3SelectDup(db, p, 0);\n p->pLimit = pLimit;\n p->pOrderBy = pOrderBy;\n p->pSrc = pSrc;\n p->op = TK_ALL;\n if( pNew==0 ){\n p->pPrior = pPrior;\n }else{\n pNew->pPrior = pPrior;\n if( pPrior ) pPrior->pNext = pNew;\n pNew->pNext = p;\n p->pPrior = pNew;\n SELECTTRACE(2,pParse,p,(\"compound-subquery flattener\"\n \" creates %u as peer\\n\",pNew->selId));\n }\n if( db->mallocFailed ) return 1;\n }\n\n /* Begin flattening the iFrom-th entry 
of the FROM clause \n ** in the outer query.\n */\n pSub = pSub1 = pSubitem->pSelect;\n\n /* Delete the transient table structure associated with the\n ** subquery\n */\n sqlite3DbFree(db, pSubitem->zDatabase);\n sqlite3DbFree(db, pSubitem->zName);\n sqlite3DbFree(db, pSubitem->zAlias);\n pSubitem->zDatabase = 0;\n pSubitem->zName = 0;\n pSubitem->zAlias = 0;\n pSubitem->pSelect = 0;\n\n /* Defer deleting the Table object associated with the\n ** subquery until code generation is\n ** complete, since there may still exist Expr.pTab entries that\n ** refer to the subquery even after flattening. Ticket #3346.\n **\n ** pSubitem->pTab is always non-NULL by test restrictions and tests above.\n */\n if( ALWAYS(pSubitem->pTab!=0) ){\n Table *pTabToDel = pSubitem->pTab;\n if( pTabToDel->nTabRef==1 ){\n Parse *pToplevel = sqlite3ParseToplevel(pParse);\n pTabToDel->pNextZombie = pToplevel->pZombieTab;\n pToplevel->pZombieTab = pTabToDel;\n }else{\n pTabToDel->nTabRef--;\n }\n pSubitem->pTab = 0;\n }\n\n /* The following loop runs once for each term in a compound-subquery\n ** flattening (as described above). If we are doing a different kind\n ** of flattening - a flattening other than a compound-subquery flattening -\n ** then this loop only runs once.\n **\n ** This loop moves all of the FROM elements of the subquery into the\n ** the FROM clause of the outer query. Before doing this, remember\n ** the cursor number for the original outer query FROM element in\n ** iParent. The iParent cursor will never be used. 
Subsequent code\n ** will scan expressions looking for iParent references and replace\n ** those references with expressions that resolve to the subquery FROM\n ** elements we are now copying in.\n */\n for(pParent=p; pParent; pParent=pParent->pPrior, pSub=pSub->pPrior){\n int nSubSrc;\n u8 jointype = 0;\n assert( pSub!=0 );\n pSubSrc = pSub->pSrc; /* FROM clause of subquery */\n nSubSrc = pSubSrc->nSrc; /* Number of terms in subquery FROM clause */\n pSrc = pParent->pSrc; /* FROM clause of the outer query */\n\n if( pSrc ){\n assert( pParent==p ); /* First time through the loop */\n jointype = pSubitem->fg.jointype;\n }else{\n assert( pParent!=p ); /* 2nd and subsequent times through the loop */\n pSrc = sqlite3SrcListAppend(pParse, 0, 0, 0);\n if( pSrc==0 ) break;\n pParent->pSrc = pSrc;\n }\n\n /* The subquery uses a single slot of the FROM clause of the outer\n ** query. If the subquery has more than one element in its FROM clause,\n ** then expand the outer query to make space for it to hold all elements\n ** of the subquery.\n **\n ** Example:\n **\n ** SELECT * FROM tabA, (SELECT * FROM sub1, sub2), tabB;\n **\n ** The outer query has 3 slots in its FROM clause. One slot of the\n ** outer query (the middle slot) is used by the subquery. 
The next\n ** block of code will expand the outer query FROM clause to 4 slots.\n ** The middle slot is expanded to two slots in order to make space\n ** for the two elements in the FROM clause of the subquery.\n */\n if( nSubSrc>1 ){\n pSrc = sqlite3SrcListEnlarge(pParse, pSrc, nSubSrc-1,iFrom+1);\n if( pSrc==0 ) break;\n pParent->pSrc = pSrc;\n }\n\n /* Transfer the FROM clause terms from the subquery into the\n ** outer query.\n */\n for(i=0; ia[i+iFrom].pUsing);\n assert( pSrc->a[i+iFrom].fg.isTabFunc==0 );\n pSrc->a[i+iFrom] = pSubSrc->a[i];\n iNewParent = pSubSrc->a[i].iCursor;\n memset(&pSubSrc->a[i], 0, sizeof(pSubSrc->a[i]));\n }\n pSrc->a[iFrom].fg.jointype = jointype;\n \n /* Now begin substituting subquery result set expressions for \n ** references to the iParent in the outer query.\n ** \n ** Example:\n **\n ** SELECT a+5, b*10 FROM (SELECT x*3 AS a, y+10 AS b FROM t1) WHERE a>b;\n ** \\ \\_____________ subquery __________/ /\n ** \\_____________________ outer query ______________________________/\n **\n ** We look at every expression in the outer query and every place we see\n ** \"a\" we substitute \"x*3\" and every place we see \"b\" we substitute \"y+10\".\n */\n if( pSub->pOrderBy ){\n /* At this point, any non-zero iOrderByCol values indicate that the\n ** ORDER BY column expression is identical to the iOrderByCol'th\n ** expression returned by SELECT statement pSub. Since these values\n ** do not necessarily correspond to columns in SELECT statement pParent,\n ** zero them before transfering the ORDER BY clause.\n **\n ** Not doing this may cause an error if a subsequent call to this\n ** function attempts to flatten a compound sub-query into pParent\n ** (the only way this can happen is if the compound sub-query is\n ** currently part of pSub->pSrc). See ticket [d11a6e908f]. 
*/\n ExprList *pOrderBy = pSub->pOrderBy;\n for(i=0; inExpr; i++){\n pOrderBy->a[i].u.x.iOrderByCol = 0;\n }\n assert( pParent->pOrderBy==0 );\n pParent->pOrderBy = pOrderBy;\n pSub->pOrderBy = 0;\n }\n pWhere = pSub->pWhere;\n pSub->pWhere = 0;\n if( isLeftJoin>0 ){\n sqlite3SetJoinExpr(pWhere, iNewParent);\n }\n pParent->pWhere = sqlite3ExprAnd(pParse, pWhere, pParent->pWhere);\n if( db->mallocFailed==0 ){\n SubstContext x;\n x.pParse = pParse;\n x.iTable = iParent;\n x.iNewTable = iNewParent;\n x.isLeftJoin = isLeftJoin;\n x.pEList = pSub->pEList;\n substSelect(&x, pParent, 0);\n }\n \n /* The flattened query is a compound if either the inner or the\n ** outer query is a compound. */\n pParent->selFlags |= pSub->selFlags & SF_Compound;\n assert( (pSub->selFlags & SF_Distinct)==0 ); /* restriction (17b) */\n \n /*\n ** SELECT ... FROM (SELECT ... LIMIT a OFFSET b) LIMIT x OFFSET y;\n **\n ** One is tempted to try to add a and b to combine the limits. But this\n ** does not work if either limit is negative.\n */\n if( pSub->pLimit ){\n pParent->pLimit = pSub->pLimit;\n pSub->pLimit = 0;\n }\n }\n\n /* Finially, delete what is left of the subquery and return\n ** success.\n */\n sqlite3SelectDelete(db, pSub1);\n\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x100 ){\n SELECTTRACE(0x100,pParse,p,(\"After flattening:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n\n return 1;\n}", "project": "sqlite", "hash": 303664689482227526231871926888636323227, "size": 396, "commit_id": "39df24a3f02495e5ef6bb5ea8ce029a2c1e377e6", "message": "Do not allow the constant-propagation optimization to apple to ON/USING clause\nterms as it does not help and it might cause downstream problems.\n\nFossilOrigin-Name: 1bc783da63d58b05c690468b569cb2787846357b63c1100d11777666c5787bf4", "target": 0, "dataset": "other", "idx": 393390 }, { "func": "void sqlite3VdbeMakeReady(\n Vdbe *p, /* The VDBE */\n Parse *pParse /* Parsing context */\n){\n sqlite3 *db; /* The database 
connection */\n int nVar; /* Number of parameters */\n int nMem; /* Number of VM memory registers */\n int nCursor; /* Number of cursors required */\n int nArg; /* Number of arguments in subprograms */\n int n; /* Loop counter */\n struct ReusableSpace x; /* Reusable bulk memory */\n\n assert( p!=0 );\n assert( p->nOp>0 );\n assert( pParse!=0 );\n assert( p->magic==VDBE_MAGIC_INIT );\n assert( pParse==p->pParse );\n db = p->db;\n assert( db->mallocFailed==0 );\n nVar = pParse->nVar;\n nMem = pParse->nMem;\n nCursor = pParse->nTab;\n nArg = pParse->nMaxArg;\n \n /* Each cursor uses a memory cell. The first cursor (cursor 0) can\n ** use aMem[0] which is not otherwise used by the VDBE program. Allocate\n ** space at the end of aMem[] for cursors 1 and greater.\n ** See also: allocateCursor().\n */\n nMem += nCursor;\n if( nCursor==0 && nMem>0 ) nMem++; /* Space for aMem[0] even if not used */\n\n /* Figure out how much reusable memory is available at the end of the\n ** opcode array. This extra memory will be reallocated for other elements\n ** of the prepared statement.\n */\n n = ROUND8(sizeof(Op)*p->nOp); /* Bytes of opcode memory used */\n x.pSpace = &((u8*)p->aOp)[n]; /* Unused opcode memory */\n assert( EIGHT_BYTE_ALIGNMENT(x.pSpace) );\n x.nFree = ROUNDDOWN8(pParse->szOpAlloc - n); /* Bytes of unused memory */\n assert( x.nFree>=0 );\n assert( EIGHT_BYTE_ALIGNMENT(&x.pSpace[x.nFree]) );\n\n resolveP2Values(p, &nArg);\n p->usesStmtJournal = (u8)(pParse->isMultiWrite && pParse->mayAbort);\n if( pParse->explain ){\n static const char * const azColName[] = {\n \"addr\", \"opcode\", \"p1\", \"p2\", \"p3\", \"p4\", \"p5\", \"comment\",\n \"id\", \"parent\", \"notused\", \"detail\"\n };\n int iFirst, mx, i;\n if( nMem<10 ) nMem = 10;\n if( pParse->explain==2 ){\n sqlite3VdbeSetNumCols(p, 4);\n iFirst = 8;\n mx = 12;\n }else{\n sqlite3VdbeSetNumCols(p, 8);\n iFirst = 0;\n mx = 8;\n }\n for(i=iFirst; iexpired = 0;\n\n /* Memory for registers, parameters, cursor, etc, 
is allocated in one or two\n ** passes. On the first pass, we try to reuse unused memory at the \n ** end of the opcode array. If we are unable to satisfy all memory\n ** requirements by reusing the opcode array tail, then the second\n ** pass will fill in the remainder using a fresh memory allocation. \n **\n ** This two-pass approach that reuses as much memory as possible from\n ** the leftover memory at the end of the opcode array. This can significantly\n ** reduce the amount of memory held by a prepared statement.\n */\n x.nNeeded = 0;\n p->aMem = allocSpace(&x, 0, nMem*sizeof(Mem));\n p->aVar = allocSpace(&x, 0, nVar*sizeof(Mem));\n p->apArg = allocSpace(&x, 0, nArg*sizeof(Mem*));\n p->apCsr = allocSpace(&x, 0, nCursor*sizeof(VdbeCursor*));\n#ifdef SQLITE_ENABLE_STMT_SCANSTATUS\n p->anExec = allocSpace(&x, 0, p->nOp*sizeof(i64));\n#endif\n if( x.nNeeded ){\n x.pSpace = p->pFree = sqlite3DbMallocRawNN(db, x.nNeeded);\n x.nFree = x.nNeeded;\n if( !db->mallocFailed ){\n p->aMem = allocSpace(&x, p->aMem, nMem*sizeof(Mem));\n p->aVar = allocSpace(&x, p->aVar, nVar*sizeof(Mem));\n p->apArg = allocSpace(&x, p->apArg, nArg*sizeof(Mem*));\n p->apCsr = allocSpace(&x, p->apCsr, nCursor*sizeof(VdbeCursor*));\n#ifdef SQLITE_ENABLE_STMT_SCANSTATUS\n p->anExec = allocSpace(&x, p->anExec, p->nOp*sizeof(i64));\n#endif\n }\n }\n\n p->pVList = pParse->pVList;\n pParse->pVList = 0;\n p->explain = pParse->explain;\n if( db->mallocFailed ){\n p->nVar = 0;\n p->nCursor = 0;\n p->nMem = 0;\n }else{\n p->nCursor = nCursor;\n p->nVar = (ynVar)nVar;\n initMemArray(p->aVar, nVar, db, MEM_Null);\n p->nMem = nMem;\n initMemArray(p->aMem, nMem, db, MEM_Undefined);\n memset(p->apCsr, 0, nCursor*sizeof(VdbeCursor*));\n#ifdef SQLITE_ENABLE_STMT_SCANSTATUS\n memset(p->anExec, 0, p->nOp*sizeof(i64));\n#endif\n }\n sqlite3VdbeRewind(p);\n}", "project": "sqlite", "hash": 199697502596007106997975725958509802100, "size": 120, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When 
an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378589 }, { "func": "int sqlite3ExprCodeGetColumn(\n Parse *pParse, /* Parsing and code generating context */\n Table *pTab, /* Description of the table we are reading from */\n int iColumn, /* Index of the table column */\n int iTable, /* The cursor pointing to the table */\n int iReg, /* Store results here */\n u8 p5 /* P5 value for OP_Column + FLAGS */\n){\n assert( pParse->pVdbe!=0 );\n sqlite3ExprCodeGetColumnOfTable(pParse->pVdbe, pTab, iTable, iColumn, iReg);\n if( p5 ){\n VdbeOp *pOp = sqlite3VdbeGetOp(pParse->pVdbe,-1);\n if( pOp->opcode==OP_Column ) pOp->p5 = p5;\n }\n return iReg;\n}", "project": "sqlite", "hash": 100034218971292435013085100911195392046, "size": 16, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378687 }, { "func": "static int windowInitAccum(Parse *pParse, Window *pMWin){\n Vdbe *v = sqlite3GetVdbe(pParse);\n int regArg;\n int nArg = 0;\n Window *pWin;\n for(pWin=pMWin; pWin; pWin=pWin->pNextWin){\n FuncDef *pFunc = pWin->pFunc;\n sqlite3VdbeAddOp2(v, OP_Null, 0, pWin->regAccum);\n nArg = MAX(nArg, windowArgCount(pWin));\n if( pMWin->regStartRowid==0 ){\n if( pFunc->zName==nth_valueName || pFunc->zName==first_valueName ){\n sqlite3VdbeAddOp2(v, OP_Integer, 0, pWin->regApp);\n sqlite3VdbeAddOp2(v, OP_Integer, 0, pWin->regApp+1);\n }\n\n if( (pFunc->funcFlags & SQLITE_FUNC_MINMAX) && pWin->csrApp ){\n assert( pWin->eStart!=TK_UNBOUNDED );\n sqlite3VdbeAddOp1(v, OP_ResetSorter, pWin->csrApp);\n sqlite3VdbeAddOp2(v, OP_Integer, 0, pWin->regApp+1);\n }\n }\n }\n regArg = pParse->nMem+1;\n pParse->nMem += nArg;\n return regArg;\n}", "project": "sqlite", "hash": 70964873190690506188877836872927647902, "size": 26, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378535 }, { "func": "static void test_addop_breakpoint(void){\n static int n = 0;\n n++;\n}", "project": "sqlite", "hash": 186223868406232338208376749517154377522, "size": 4, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378587 }, { "func": "static void innerLoopLoadRow(\n Parse *pParse, /* Statement under construction */\n Select *pSelect, /* The query being coded */\n RowLoadInfo *pInfo /* Info needed to complete the row load */\n){\n sqlite3ExprCodeExprList(pParse, pSelect->pEList, pInfo->regResult,\n 0, pInfo->ecelFlags);\n#ifdef SQLITE_ENABLE_SORTER_REFERENCES\n if( pInfo->pExtra ){\n sqlite3ExprCodeExprList(pParse, pInfo->pExtra, pInfo->regExtraResult, 0, 0);\n sqlite3ExprListDelete(pParse->db, pInfo->pExtra);\n }\n#endif\n}", "project": "sqlite", "hash": 146810098783755812479341774055186114980, "size": 14, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246140 }, { "func": "void sqlite3WindowCodeStep(\n Parse *pParse, /* Parse context */\n Select *p, /* Rewritten SELECT statement */\n WhereInfo *pWInfo, /* Context returned by sqlite3WhereBegin() */\n int regGosub, /* 
Register for OP_Gosub */\n int addrGosub /* OP_Gosub here to return each row */\n){\n Window *pMWin = p->pWin;\n ExprList *pOrderBy = pMWin->pOrderBy;\n Vdbe *v = sqlite3GetVdbe(pParse);\n int csrWrite; /* Cursor used to write to eph. table */\n int csrInput = p->pSrc->a[0].iCursor; /* Cursor of sub-select */\n int nInput = p->pSrc->a[0].pTab->nCol; /* Number of cols returned by sub */\n int iInput; /* To iterate through sub cols */\n int addrNe; /* Address of OP_Ne */\n int addrGosubFlush = 0; /* Address of OP_Gosub to flush: */\n int addrInteger = 0; /* Address of OP_Integer */\n int addrEmpty; /* Address of OP_Rewind in flush: */\n int regNew; /* Array of registers holding new input row */\n int regRecord; /* regNew array in record form */\n int regRowid; /* Rowid for regRecord in eph table */\n int regNewPeer = 0; /* Peer values for new row (part of regNew) */\n int regPeer = 0; /* Peer values for current row */\n int regFlushPart = 0; /* Register for \"Gosub flush_partition\" */\n WindowCodeArg s; /* Context object for sub-routines */\n int lblWhereEnd; /* Label just before sqlite3WhereEnd() code */\n int regStart = 0; /* Value of PRECEDING */\n int regEnd = 0; /* Value of FOLLOWING */\n\n assert( pMWin->eStart==TK_PRECEDING || pMWin->eStart==TK_CURRENT \n || pMWin->eStart==TK_FOLLOWING || pMWin->eStart==TK_UNBOUNDED \n );\n assert( pMWin->eEnd==TK_FOLLOWING || pMWin->eEnd==TK_CURRENT \n || pMWin->eEnd==TK_UNBOUNDED || pMWin->eEnd==TK_PRECEDING \n );\n assert( pMWin->eExclude==0 || pMWin->eExclude==TK_CURRENT\n || pMWin->eExclude==TK_GROUP || pMWin->eExclude==TK_TIES\n || pMWin->eExclude==TK_NO\n );\n\n lblWhereEnd = sqlite3VdbeMakeLabel(pParse);\n\n /* Fill in the context object */\n memset(&s, 0, sizeof(WindowCodeArg));\n s.pParse = pParse;\n s.pMWin = pMWin;\n s.pVdbe = v;\n s.regGosub = regGosub;\n s.addrGosub = addrGosub;\n s.current.csr = pMWin->iEphCsr;\n csrWrite = s.current.csr+1;\n s.start.csr = s.current.csr+2;\n s.end.csr = s.current.csr+3;\n\n /* 
Figure out when rows may be deleted from the ephemeral table. There\n ** are four options - they may never be deleted (eDelete==0), they may \n ** be deleted as soon as they are no longer part of the window frame\n ** (eDelete==WINDOW_AGGINVERSE), they may be deleted as after the row \n ** has been returned to the caller (WINDOW_RETURN_ROW), or they may\n ** be deleted after they enter the frame (WINDOW_AGGSTEP). */\n switch( pMWin->eStart ){\n case TK_FOLLOWING:\n if( pMWin->eFrmType!=TK_RANGE\n && windowExprGtZero(pParse, pMWin->pStart)\n ){\n s.eDelete = WINDOW_RETURN_ROW;\n }\n break;\n case TK_UNBOUNDED:\n if( windowCacheFrame(pMWin)==0 ){\n if( pMWin->eEnd==TK_PRECEDING ){\n if( pMWin->eFrmType!=TK_RANGE\n && windowExprGtZero(pParse, pMWin->pEnd)\n ){\n s.eDelete = WINDOW_AGGSTEP;\n }\n }else{\n s.eDelete = WINDOW_RETURN_ROW;\n }\n }\n break;\n default:\n s.eDelete = WINDOW_AGGINVERSE;\n break;\n }\n\n /* Allocate registers for the array of values from the sub-query, the\n ** samve values in record form, and the rowid used to insert said record\n ** into the ephemeral table. */\n regNew = pParse->nMem+1;\n pParse->nMem += nInput;\n regRecord = ++pParse->nMem;\n regRowid = ++pParse->nMem;\n\n /* If the window frame contains an \" PRECEDING\" or \" FOLLOWING\"\n ** clause, allocate registers to store the results of evaluating each\n ** . */\n if( pMWin->eStart==TK_PRECEDING || pMWin->eStart==TK_FOLLOWING ){\n regStart = ++pParse->nMem;\n }\n if( pMWin->eEnd==TK_PRECEDING || pMWin->eEnd==TK_FOLLOWING ){\n regEnd = ++pParse->nMem;\n }\n\n /* If this is not a \"ROWS BETWEEN ...\" frame, then allocate arrays of\n ** registers to store copies of the ORDER BY expressions (peer values) \n ** for the main loop, and for each cursor (start, current and end). */\n if( pMWin->eFrmType!=TK_ROWS ){\n int nPeer = (pOrderBy ? 
pOrderBy->nExpr : 0);\n regNewPeer = regNew + pMWin->nBufferCol;\n if( pMWin->pPartition ) regNewPeer += pMWin->pPartition->nExpr;\n regPeer = pParse->nMem+1; pParse->nMem += nPeer;\n s.start.reg = pParse->nMem+1; pParse->nMem += nPeer;\n s.current.reg = pParse->nMem+1; pParse->nMem += nPeer;\n s.end.reg = pParse->nMem+1; pParse->nMem += nPeer;\n }\n\n /* Load the column values for the row returned by the sub-select\n ** into an array of registers starting at regNew. Assemble them into\n ** a record in register regRecord. */\n for(iInput=0; iInputpPartition ){\n int addr;\n ExprList *pPart = pMWin->pPartition;\n int nPart = pPart->nExpr;\n int regNewPart = regNew + pMWin->nBufferCol;\n KeyInfo *pKeyInfo = sqlite3KeyInfoFromExprList(pParse, pPart, 0, 0);\n\n regFlushPart = ++pParse->nMem;\n addr = sqlite3VdbeAddOp3(v, OP_Compare, regNewPart, pMWin->regPart, nPart);\n sqlite3VdbeAppendP4(v, (void*)pKeyInfo, P4_KEYINFO);\n sqlite3VdbeAddOp3(v, OP_Jump, addr+2, addr+4, addr+2);\n VdbeCoverageEqNe(v);\n addrGosubFlush = sqlite3VdbeAddOp1(v, OP_Gosub, regFlushPart);\n VdbeComment((v, \"call flush_partition\"));\n sqlite3VdbeAddOp3(v, OP_Copy, regNewPart, pMWin->regPart, nPart-1);\n }\n\n /* Insert the new row into the ephemeral table */\n sqlite3VdbeAddOp2(v, OP_NewRowid, csrWrite, regRowid);\n sqlite3VdbeAddOp3(v, OP_Insert, csrWrite, regRecord, regRowid);\n addrNe = sqlite3VdbeAddOp3(v, OP_Ne, pMWin->regOne, 0, regRowid);\n VdbeCoverageNeverNull(v);\n\n /* This block is run for the first row of each partition */\n s.regArg = windowInitAccum(pParse, pMWin);\n\n if( regStart ){\n sqlite3ExprCode(pParse, pMWin->pStart, regStart);\n windowCheckValue(pParse, regStart, 0 + (pMWin->eFrmType==TK_RANGE?3:0));\n }\n if( regEnd ){\n sqlite3ExprCode(pParse, pMWin->pEnd, regEnd);\n windowCheckValue(pParse, regEnd, 1 + (pMWin->eFrmType==TK_RANGE?3:0));\n }\n\n if( pMWin->eFrmType!=TK_RANGE && pMWin->eStart==pMWin->eEnd && regStart ){\n int op = ((pMWin->eStart==TK_FOLLOWING) ? 
OP_Ge : OP_Le);\n int addrGe = sqlite3VdbeAddOp3(v, op, regStart, 0, regEnd);\n VdbeCoverageNeverNullIf(v, op==OP_Ge); /* NeverNull because bound */\n VdbeCoverageNeverNullIf(v, op==OP_Le); /* values previously checked */\n windowAggFinal(&s, 0);\n sqlite3VdbeAddOp2(v, OP_Rewind, s.current.csr, 1);\n VdbeCoverageNeverTaken(v);\n windowReturnOneRow(&s);\n sqlite3VdbeAddOp1(v, OP_ResetSorter, s.current.csr);\n sqlite3VdbeAddOp2(v, OP_Goto, 0, lblWhereEnd);\n sqlite3VdbeJumpHere(v, addrGe);\n }\n if( pMWin->eStart==TK_FOLLOWING && pMWin->eFrmType!=TK_RANGE && regEnd ){\n assert( pMWin->eEnd==TK_FOLLOWING );\n sqlite3VdbeAddOp3(v, OP_Subtract, regStart, regEnd, regStart);\n }\n\n if( pMWin->eStart!=TK_UNBOUNDED ){\n sqlite3VdbeAddOp2(v, OP_Rewind, s.start.csr, 1);\n VdbeCoverageNeverTaken(v);\n }\n sqlite3VdbeAddOp2(v, OP_Rewind, s.current.csr, 1);\n VdbeCoverageNeverTaken(v);\n sqlite3VdbeAddOp2(v, OP_Rewind, s.end.csr, 1);\n VdbeCoverageNeverTaken(v);\n if( regPeer && pOrderBy ){\n sqlite3VdbeAddOp3(v, OP_Copy, regNewPeer, regPeer, pOrderBy->nExpr-1);\n sqlite3VdbeAddOp3(v, OP_Copy, regPeer, s.start.reg, pOrderBy->nExpr-1);\n sqlite3VdbeAddOp3(v, OP_Copy, regPeer, s.current.reg, pOrderBy->nExpr-1);\n sqlite3VdbeAddOp3(v, OP_Copy, regPeer, s.end.reg, pOrderBy->nExpr-1);\n }\n\n sqlite3VdbeAddOp2(v, OP_Goto, 0, lblWhereEnd);\n\n sqlite3VdbeJumpHere(v, addrNe);\n\n /* Beginning of the block executed for the second and subsequent rows. 
*/\n if( regPeer ){\n windowIfNewPeer(pParse, pOrderBy, regNewPeer, regPeer, lblWhereEnd);\n }\n if( pMWin->eStart==TK_FOLLOWING ){\n windowCodeOp(&s, WINDOW_AGGSTEP, 0, 0);\n if( pMWin->eEnd!=TK_UNBOUNDED ){\n if( pMWin->eFrmType==TK_RANGE ){\n int lbl = sqlite3VdbeMakeLabel(pParse);\n int addrNext = sqlite3VdbeCurrentAddr(v);\n windowCodeRangeTest(&s, OP_Ge, s.current.csr, regEnd, s.end.csr, lbl);\n windowCodeOp(&s, WINDOW_AGGINVERSE, regStart, 0);\n windowCodeOp(&s, WINDOW_RETURN_ROW, 0, 0);\n sqlite3VdbeAddOp2(v, OP_Goto, 0, addrNext);\n sqlite3VdbeResolveLabel(v, lbl);\n }else{\n windowCodeOp(&s, WINDOW_RETURN_ROW, regEnd, 0);\n windowCodeOp(&s, WINDOW_AGGINVERSE, regStart, 0);\n }\n }\n }else\n if( pMWin->eEnd==TK_PRECEDING ){\n int bRPS = (pMWin->eStart==TK_PRECEDING && pMWin->eFrmType==TK_RANGE);\n windowCodeOp(&s, WINDOW_AGGSTEP, regEnd, 0);\n if( bRPS ) windowCodeOp(&s, WINDOW_AGGINVERSE, regStart, 0);\n windowCodeOp(&s, WINDOW_RETURN_ROW, 0, 0);\n if( !bRPS ) windowCodeOp(&s, WINDOW_AGGINVERSE, regStart, 0);\n }else{\n int addr = 0;\n windowCodeOp(&s, WINDOW_AGGSTEP, 0, 0);\n if( pMWin->eEnd!=TK_UNBOUNDED ){\n if( pMWin->eFrmType==TK_RANGE ){\n int lbl = 0;\n addr = sqlite3VdbeCurrentAddr(v);\n if( regEnd ){\n lbl = sqlite3VdbeMakeLabel(pParse);\n windowCodeRangeTest(&s, OP_Ge, s.current.csr, regEnd, s.end.csr, lbl);\n }\n windowCodeOp(&s, WINDOW_RETURN_ROW, 0, 0);\n windowCodeOp(&s, WINDOW_AGGINVERSE, regStart, 0);\n if( regEnd ){\n sqlite3VdbeAddOp2(v, OP_Goto, 0, addr);\n sqlite3VdbeResolveLabel(v, lbl);\n }\n }else{\n if( regEnd ){\n addr = sqlite3VdbeAddOp3(v, OP_IfPos, regEnd, 0, 1);\n VdbeCoverage(v);\n }\n windowCodeOp(&s, WINDOW_RETURN_ROW, 0, 0);\n windowCodeOp(&s, WINDOW_AGGINVERSE, regStart, 0);\n if( regEnd ) sqlite3VdbeJumpHere(v, addr);\n }\n }\n }\n\n /* End of the main input loop */\n sqlite3VdbeResolveLabel(v, lblWhereEnd);\n sqlite3WhereEnd(pWInfo);\n\n /* Fall through */\n if( pMWin->pPartition ){\n addrInteger = sqlite3VdbeAddOp2(v, 
OP_Integer, 0, regFlushPart);\n sqlite3VdbeJumpHere(v, addrGosubFlush);\n }\n\n addrEmpty = sqlite3VdbeAddOp1(v, OP_Rewind, csrWrite);\n VdbeCoverage(v);\n if( pMWin->eEnd==TK_PRECEDING ){\n int bRPS = (pMWin->eStart==TK_PRECEDING && pMWin->eFrmType==TK_RANGE);\n windowCodeOp(&s, WINDOW_AGGSTEP, regEnd, 0);\n if( bRPS ) windowCodeOp(&s, WINDOW_AGGINVERSE, regStart, 0);\n windowCodeOp(&s, WINDOW_RETURN_ROW, 0, 0);\n }else if( pMWin->eStart==TK_FOLLOWING ){\n int addrStart;\n int addrBreak1;\n int addrBreak2;\n int addrBreak3;\n windowCodeOp(&s, WINDOW_AGGSTEP, 0, 0);\n if( pMWin->eFrmType==TK_RANGE ){\n addrStart = sqlite3VdbeCurrentAddr(v);\n addrBreak2 = windowCodeOp(&s, WINDOW_AGGINVERSE, regStart, 1);\n addrBreak1 = windowCodeOp(&s, WINDOW_RETURN_ROW, 0, 1);\n }else\n if( pMWin->eEnd==TK_UNBOUNDED ){\n addrStart = sqlite3VdbeCurrentAddr(v);\n addrBreak1 = windowCodeOp(&s, WINDOW_RETURN_ROW, regStart, 1);\n addrBreak2 = windowCodeOp(&s, WINDOW_AGGINVERSE, 0, 1);\n }else{\n assert( pMWin->eEnd==TK_FOLLOWING );\n addrStart = sqlite3VdbeCurrentAddr(v);\n addrBreak1 = windowCodeOp(&s, WINDOW_RETURN_ROW, regEnd, 1);\n addrBreak2 = windowCodeOp(&s, WINDOW_AGGINVERSE, regStart, 1);\n }\n sqlite3VdbeAddOp2(v, OP_Goto, 0, addrStart);\n sqlite3VdbeJumpHere(v, addrBreak2);\n addrStart = sqlite3VdbeCurrentAddr(v);\n addrBreak3 = windowCodeOp(&s, WINDOW_RETURN_ROW, 0, 1);\n sqlite3VdbeAddOp2(v, OP_Goto, 0, addrStart);\n sqlite3VdbeJumpHere(v, addrBreak1);\n sqlite3VdbeJumpHere(v, addrBreak3);\n }else{\n int addrBreak;\n int addrStart;\n windowCodeOp(&s, WINDOW_AGGSTEP, 0, 0);\n addrStart = sqlite3VdbeCurrentAddr(v);\n addrBreak = windowCodeOp(&s, WINDOW_RETURN_ROW, 0, 1);\n windowCodeOp(&s, WINDOW_AGGINVERSE, regStart, 0);\n sqlite3VdbeAddOp2(v, OP_Goto, 0, addrStart);\n sqlite3VdbeJumpHere(v, addrBreak);\n }\n sqlite3VdbeJumpHere(v, addrEmpty);\n\n sqlite3VdbeAddOp1(v, OP_ResetSorter, s.current.csr);\n if( pMWin->pPartition ){\n if( pMWin->regStartRowid ){\n 
sqlite3VdbeAddOp2(v, OP_Integer, 1, pMWin->regStartRowid);\n sqlite3VdbeAddOp2(v, OP_Integer, 0, pMWin->regEndRowid);\n }\n sqlite3VdbeChangeP1(v, addrInteger, sqlite3VdbeCurrentAddr(v));\n sqlite3VdbeAddOp1(v, OP_Return, regFlushPart);\n }\n}", "project": "sqlite", "hash": 263977577040073778231969618234594854797, "size": 325, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378668 }, { "func": "int sqlite3VdbeAddOp4(\n Vdbe *p, /* Add the opcode to this VM */\n int op, /* The new opcode */\n int p1, /* The P1 operand */\n int p2, /* The P2 operand */\n int p3, /* The P3 operand */\n const char *zP4, /* The P4 operand */\n int p4type /* P4 operand type */\n){\n int addr = sqlite3VdbeAddOp3(p, op, p1, p2, p3);\n sqlite3VdbeChangeP4(p, addr, zP4, p4type);\n return addr;\n}", "project": "sqlite", "hash": 278058498556147969574953241885443471254, "size": 13, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378477 }, { "func": "void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){\n Vdbe *v = pParse->pVdbe;\n KeyInfo *pKeyInfo;\n assert( v!=0 );\n assert( pIdx!=0 );\n pKeyInfo = sqlite3KeyInfoOfIndex(pParse, pIdx);\n if( pKeyInfo ) sqlite3VdbeAppendP4(v, pKeyInfo, P4_KEYINFO);\n}", "project": "sqlite", "hash": 84274529794980046069464308400761745988, "size": 8, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378554 }, { "func": "int sqlite3VdbeGoto(Vdbe *p, int iDest){\n return sqlite3VdbeAddOp3(p, OP_Goto, 0, iDest, 0);\n}", "project": "sqlite", "hash": 311841192524341475648222339293351450135, "size": 3, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378565 }, { "func": "void sqlite3VdbePrintOp(FILE *pOut, int pc, VdbeOp *pOp){\n char *zP4;\n char zPtr[50];\n char zCom[100];\n static const char *zFormat1 = \"%4d %-13s %4d %4d %4d %-13s %.2X %s\\n\";\n if( pOut==0 ) pOut = stdout;\n zP4 = displayP4(pOp, zPtr, sizeof(zPtr));\n#ifdef SQLITE_ENABLE_EXPLAIN_COMMENTS\n displayComment(pOp, zP4, zCom, sizeof(zCom));\n#else\n zCom[0] = 0;\n#endif\n /* NB: The sqlite3OpcodeName() function is implemented by code created\n ** by the mkopcodeh.awk and mkopcodec.awk scripts which extract the\n ** information from the vdbe.c source text */\n fprintf(pOut, zFormat1, pc, \n sqlite3OpcodeName(pOp->opcode), pOp->p1, pOp->p2, pOp->p3, zP4, pOp->p5,\n zCom\n );\n fflush(pOut);\n}", "project": "sqlite", "hash": 302056405472022288393643343223206571420, "size": 21, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378497 }, { "func": "void sqlite3VdbeChangeP1(Vdbe *p, int addr, int val){\n sqlite3VdbeGetOp(p,addr)->p1 = val;\n}", "project": "sqlite", "hash": 62909079397990975342316385857677015024, "size": 3, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378617 }, { "func": "static void clearSelect(sqlite3 *db, Select *p, int bFree){\n while( p ){\n Select *pPrior = p->pPrior;\n sqlite3ExprListDelete(db, p->pEList);\n sqlite3SrcListDelete(db, p->pSrc);\n sqlite3ExprDelete(db, p->pWhere);\n sqlite3ExprListDelete(db, p->pGroupBy);\n sqlite3ExprDelete(db, p->pHaving);\n sqlite3ExprListDelete(db, p->pOrderBy);\n sqlite3ExprDelete(db, p->pLimit);\n#ifndef SQLITE_OMIT_WINDOWFUNC\n if( OK_IF_ALWAYS_TRUE(p->pWinDefn) ){\n sqlite3WindowListDelete(db, p->pWinDefn);\n }\n assert( p->pWin==0 );\n#endif\n if( OK_IF_ALWAYS_TRUE(p->pWith) ) sqlite3WithDelete(db, p->pWith);\n if( bFree ) sqlite3DbFreeNN(db, p);\n p = pPrior;\n bFree = 1;\n }\n}", "project": "sqlite", "hash": 19205543020337356767665391637370781269, "size": 22, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246145 }, { "func": "void 
sqlite3WindowAttach(Parse *pParse, Expr *p, Window *pWin){\n if( p ){\n assert( p->op==TK_FUNCTION );\n assert( pWin );\n p->y.pWin = pWin;\n ExprSetProperty(p, EP_WinFunc);\n pWin->pOwner = p;\n if( (p->flags & EP_Distinct) && pWin->eFrmType!=TK_FILTER ){\n sqlite3ErrorMsg(pParse,\n \"DISTINCT is not supported for window functions\"\n );\n }\n }else{\n sqlite3WindowDelete(pParse->db, pWin);\n }\n}", "project": "sqlite", "hash": 174149053831398850957321130191934190503, "size": 16, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378660 }, { "func": "static int windowArgCount(Window *pWin){\n ExprList *pList = pWin->pOwner->x.pList;\n return (pList ? pList->nExpr : 0);\n}", "project": "sqlite", "hash": 106595291810816934474542863714163217403, "size": 4, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378496 }, { "func": "static int cannotBeFunction(Parse *pParse, struct SrcList_item *pFrom){\n if( pFrom->fg.isTabFunc ){\n sqlite3ErrorMsg(pParse, \"'%s' is not a function\", pFrom->zName);\n return 1;\n }\n return 0;\n}", "project": "sqlite", "hash": 71196272504261907227830957525438774267, "size": 7, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246154 }, { "func": "static u8 minMaxQuery(sqlite3 *db, Expr *pFunc, ExprList **ppMinMax){\n int eRet = WHERE_ORDERBY_NORMAL; /* Return value */\n ExprList *pEList = pFunc->x.pList; /* Arguments to agg function */\n const char *zFunc; /* Name of aggregate function pFunc */\n ExprList *pOrderBy;\n u8 sortFlags;\n\n assert( *ppMinMax==0 );\n assert( pFunc->op==TK_AGG_FUNCTION );\n assert( !IsWindowFunc(pFunc) );\n if( pEList==0 || pEList->nExpr!=1 || ExprHasProperty(pFunc, EP_WinFunc) ){\n return eRet;\n }\n zFunc = pFunc->u.zToken;\n if( sqlite3StrICmp(zFunc, \"min\")==0 ){\n eRet = WHERE_ORDERBY_MIN;\n sortFlags = KEYINFO_ORDER_BIGNULL;\n }else if( sqlite3StrICmp(zFunc, \"max\")==0 ){\n eRet = WHERE_ORDERBY_MAX;\n sortFlags = KEYINFO_ORDER_DESC;\n }else{\n return eRet;\n }\n *ppMinMax = pOrderBy = sqlite3ExprListDup(db, pEList, 0);\n assert( pOrderBy!=0 || db->mallocFailed );\n if( pOrderBy ) pOrderBy->a[0].sortFlags = sortFlags;\n return eRet;\n}", "project": "sqlite", "hash": 111518932480061993751824989370464539507, "size": 28, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: 
a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246206 }, { "func": "static int windowCacheFrame(Window *pMWin){\n Window *pWin;\n if( pMWin->regStartRowid ) return 1;\n for(pWin=pMWin; pWin; pWin=pWin->pNextWin){\n FuncDef *pFunc = pWin->pFunc;\n if( (pFunc->zName==nth_valueName)\n || (pFunc->zName==first_valueName)\n || (pFunc->zName==leadName)\n || (pFunc->zName==lagName)\n ){\n return 1;\n }\n }\n return 0;\n}", "project": "sqlite", "hash": 57087239547146696105344222629169608242, "size": 15, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378638 }, { "func": "static void codeOffset(\n Vdbe *v, /* Generate code into this VM */\n int iOffset, /* Register holding the offset counter */\n int iContinue /* Jump here to skip the current record */\n){\n if( iOffset>0 ){\n sqlite3VdbeAddOp3(v, OP_IfPos, iOffset, iContinue, 1); VdbeCoverage(v);\n VdbeComment((v, \"OFFSET\"));\n }\n}", "project": "sqlite", "hash": 297422670057293857461954278599715649168, "size": 10, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246192 }, { "func": "static int multiSelectOrderBy(\n Parse *pParse, /* Parsing context */\n Select *p, /* The right-most of SELECTs to be coded */\n SelectDest *pDest /* What to do with query results 
*/\n){\n int i, j; /* Loop counters */\n Select *pPrior; /* Another SELECT immediately to our left */\n Vdbe *v; /* Generate code to this VDBE */\n SelectDest destA; /* Destination for coroutine A */\n SelectDest destB; /* Destination for coroutine B */\n int regAddrA; /* Address register for select-A coroutine */\n int regAddrB; /* Address register for select-B coroutine */\n int addrSelectA; /* Address of the select-A coroutine */\n int addrSelectB; /* Address of the select-B coroutine */\n int regOutA; /* Address register for the output-A subroutine */\n int regOutB; /* Address register for the output-B subroutine */\n int addrOutA; /* Address of the output-A subroutine */\n int addrOutB = 0; /* Address of the output-B subroutine */\n int addrEofA; /* Address of the select-A-exhausted subroutine */\n int addrEofA_noB; /* Alternate addrEofA if B is uninitialized */\n int addrEofB; /* Address of the select-B-exhausted subroutine */\n int addrAltB; /* Address of the AB subroutine */\n int regLimitA; /* Limit register for select-A */\n int regLimitB; /* Limit register for select-A */\n int regPrev; /* A range of registers to hold previous output */\n int savedLimit; /* Saved value of p->iLimit */\n int savedOffset; /* Saved value of p->iOffset */\n int labelCmpr; /* Label for the start of the merge algorithm */\n int labelEnd; /* Label for the end of the overall SELECT stmt */\n int addr1; /* Jump instructions that get retargetted */\n int op; /* One of TK_ALL, TK_UNION, TK_EXCEPT, TK_INTERSECT */\n KeyInfo *pKeyDup = 0; /* Comparison information for duplicate removal */\n KeyInfo *pKeyMerge; /* Comparison information for merging rows */\n sqlite3 *db; /* Database connection */\n ExprList *pOrderBy; /* The ORDER BY clause */\n int nOrderBy; /* Number of terms in the ORDER BY clause */\n int *aPermute; /* Mapping from ORDER BY terms to result set columns */\n\n assert( p->pOrderBy!=0 );\n assert( pKeyDup==0 ); /* \"Managed\" code needs this. Ticket #3382. 
*/\n db = pParse->db;\n v = pParse->pVdbe;\n assert( v!=0 ); /* Already thrown the error if VDBE alloc failed */\n labelEnd = sqlite3VdbeMakeLabel(pParse);\n labelCmpr = sqlite3VdbeMakeLabel(pParse);\n\n\n /* Patch up the ORDER BY clause\n */\n op = p->op; \n pPrior = p->pPrior;\n assert( pPrior->pOrderBy==0 );\n pOrderBy = p->pOrderBy;\n assert( pOrderBy );\n nOrderBy = pOrderBy->nExpr;\n\n /* For operators other than UNION ALL we have to make sure that\n ** the ORDER BY clause covers every term of the result set. Add\n ** terms to the ORDER BY clause as necessary.\n */\n if( op!=TK_ALL ){\n for(i=1; db->mallocFailed==0 && i<=p->pEList->nExpr; i++){\n struct ExprList_item *pItem;\n for(j=0, pItem=pOrderBy->a; ju.x.iOrderByCol>0 );\n if( pItem->u.x.iOrderByCol==i ) break;\n }\n if( j==nOrderBy ){\n Expr *pNew = sqlite3Expr(db, TK_INTEGER, 0);\n if( pNew==0 ) return SQLITE_NOMEM_BKPT;\n pNew->flags |= EP_IntValue;\n pNew->u.iValue = i;\n p->pOrderBy = pOrderBy = sqlite3ExprListAppend(pParse, pOrderBy, pNew);\n if( pOrderBy ) pOrderBy->a[nOrderBy++].u.x.iOrderByCol = (u16)i;\n }\n }\n }\n\n /* Compute the comparison permutation and keyinfo that is used with\n ** the permutation used to determine if the next\n ** row of results comes from selectA or selectB. 
Also add explicit\n ** collations to the ORDER BY clause terms so that when the subqueries\n ** to the right and the left are evaluated, they use the correct\n ** collation.\n */\n aPermute = sqlite3DbMallocRawNN(db, sizeof(int)*(nOrderBy + 1));\n if( aPermute ){\n struct ExprList_item *pItem;\n aPermute[0] = nOrderBy;\n for(i=1, pItem=pOrderBy->a; i<=nOrderBy; i++, pItem++){\n assert( pItem->u.x.iOrderByCol>0 );\n assert( pItem->u.x.iOrderByCol<=p->pEList->nExpr );\n aPermute[i] = pItem->u.x.iOrderByCol - 1;\n }\n pKeyMerge = multiSelectOrderByKeyInfo(pParse, p, 1);\n }else{\n pKeyMerge = 0;\n }\n\n /* Reattach the ORDER BY clause to the query.\n */\n p->pOrderBy = pOrderBy;\n pPrior->pOrderBy = sqlite3ExprListDup(pParse->db, pOrderBy, 0);\n\n /* Allocate a range of temporary registers and the KeyInfo needed\n ** for the logic that removes duplicate result rows when the\n ** operator is UNION, EXCEPT, or INTERSECT (but not UNION ALL).\n */\n if( op==TK_ALL ){\n regPrev = 0;\n }else{\n int nExpr = p->pEList->nExpr;\n assert( nOrderBy>=nExpr || db->mallocFailed );\n regPrev = pParse->nMem+1;\n pParse->nMem += nExpr+1;\n sqlite3VdbeAddOp2(v, OP_Integer, 0, regPrev);\n pKeyDup = sqlite3KeyInfoAlloc(db, nExpr, 1);\n if( pKeyDup ){\n assert( sqlite3KeyInfoIsWriteable(pKeyDup) );\n for(i=0; iaColl[i] = multiSelectCollSeq(pParse, p, i);\n pKeyDup->aSortFlags[i] = 0;\n }\n }\n }\n \n /* Separate the left and the right query from one another\n */\n p->pPrior = 0;\n pPrior->pNext = 0;\n sqlite3ResolveOrderGroupBy(pParse, p, p->pOrderBy, \"ORDER\");\n if( pPrior->pPrior==0 ){\n sqlite3ResolveOrderGroupBy(pParse, pPrior, pPrior->pOrderBy, \"ORDER\");\n }\n\n /* Compute the limit registers */\n computeLimitRegisters(pParse, p, labelEnd);\n if( p->iLimit && op==TK_ALL ){\n regLimitA = ++pParse->nMem;\n regLimitB = ++pParse->nMem;\n sqlite3VdbeAddOp2(v, OP_Copy, p->iOffset ? 
p->iOffset+1 : p->iLimit,\n regLimitA);\n sqlite3VdbeAddOp2(v, OP_Copy, regLimitA, regLimitB);\n }else{\n regLimitA = regLimitB = 0;\n }\n sqlite3ExprDelete(db, p->pLimit);\n p->pLimit = 0;\n\n regAddrA = ++pParse->nMem;\n regAddrB = ++pParse->nMem;\n regOutA = ++pParse->nMem;\n regOutB = ++pParse->nMem;\n sqlite3SelectDestInit(&destA, SRT_Coroutine, regAddrA);\n sqlite3SelectDestInit(&destB, SRT_Coroutine, regAddrB);\n\n ExplainQueryPlan((pParse, 1, \"MERGE (%s)\", selectOpName(p->op)));\n\n /* Generate a coroutine to evaluate the SELECT statement to the\n ** left of the compound operator - the \"A\" select.\n */\n addrSelectA = sqlite3VdbeCurrentAddr(v) + 1;\n addr1 = sqlite3VdbeAddOp3(v, OP_InitCoroutine, regAddrA, 0, addrSelectA);\n VdbeComment((v, \"left SELECT\"));\n pPrior->iLimit = regLimitA;\n ExplainQueryPlan((pParse, 1, \"LEFT\"));\n sqlite3Select(pParse, pPrior, &destA);\n sqlite3VdbeEndCoroutine(v, regAddrA);\n sqlite3VdbeJumpHere(v, addr1);\n\n /* Generate a coroutine to evaluate the SELECT statement on \n ** the right - the \"B\" select\n */\n addrSelectB = sqlite3VdbeCurrentAddr(v) + 1;\n addr1 = sqlite3VdbeAddOp3(v, OP_InitCoroutine, regAddrB, 0, addrSelectB);\n VdbeComment((v, \"right SELECT\"));\n savedLimit = p->iLimit;\n savedOffset = p->iOffset;\n p->iLimit = regLimitB;\n p->iOffset = 0; \n ExplainQueryPlan((pParse, 1, \"RIGHT\"));\n sqlite3Select(pParse, p, &destB);\n p->iLimit = savedLimit;\n p->iOffset = savedOffset;\n sqlite3VdbeEndCoroutine(v, regAddrB);\n\n /* Generate a subroutine that outputs the current row of the A\n ** select as the next output row of the compound select.\n */\n VdbeNoopComment((v, \"Output routine for A\"));\n addrOutA = generateOutputSubroutine(pParse,\n p, &destA, pDest, regOutA,\n regPrev, pKeyDup, labelEnd);\n \n /* Generate a subroutine that outputs the current row of the B\n ** select as the next output row of the compound select.\n */\n if( op==TK_ALL || op==TK_UNION ){\n VdbeNoopComment((v, \"Output routine 
for B\"));\n addrOutB = generateOutputSubroutine(pParse,\n p, &destB, pDest, regOutB,\n regPrev, pKeyDup, labelEnd);\n }\n sqlite3KeyInfoUnref(pKeyDup);\n\n /* Generate a subroutine to run when the results from select A\n ** are exhausted and only data in select B remains.\n */\n if( op==TK_EXCEPT || op==TK_INTERSECT ){\n addrEofA_noB = addrEofA = labelEnd;\n }else{ \n VdbeNoopComment((v, \"eof-A subroutine\"));\n addrEofA = sqlite3VdbeAddOp2(v, OP_Gosub, regOutB, addrOutB);\n addrEofA_noB = sqlite3VdbeAddOp2(v, OP_Yield, regAddrB, labelEnd);\n VdbeCoverage(v);\n sqlite3VdbeGoto(v, addrEofA);\n p->nSelectRow = sqlite3LogEstAdd(p->nSelectRow, pPrior->nSelectRow);\n }\n\n /* Generate a subroutine to run when the results from select B\n ** are exhausted and only data in select A remains.\n */\n if( op==TK_INTERSECT ){\n addrEofB = addrEofA;\n if( p->nSelectRow > pPrior->nSelectRow ) p->nSelectRow = pPrior->nSelectRow;\n }else{ \n VdbeNoopComment((v, \"eof-B subroutine\"));\n addrEofB = sqlite3VdbeAddOp2(v, OP_Gosub, regOutA, addrOutA);\n sqlite3VdbeAddOp2(v, OP_Yield, regAddrA, labelEnd); VdbeCoverage(v);\n sqlite3VdbeGoto(v, addrEofB);\n }\n\n /* Generate code to handle the case of AB\n */\n VdbeNoopComment((v, \"A-gt-B subroutine\"));\n addrAgtB = sqlite3VdbeCurrentAddr(v);\n if( op==TK_ALL || op==TK_UNION ){\n sqlite3VdbeAddOp2(v, OP_Gosub, regOutB, addrOutB);\n }\n sqlite3VdbeAddOp2(v, OP_Yield, regAddrB, addrEofB); VdbeCoverage(v);\n sqlite3VdbeGoto(v, labelCmpr);\n\n /* This code runs once to initialize everything.\n */\n sqlite3VdbeJumpHere(v, addr1);\n sqlite3VdbeAddOp2(v, OP_Yield, regAddrA, addrEofA_noB); VdbeCoverage(v);\n sqlite3VdbeAddOp2(v, OP_Yield, regAddrB, addrEofB); VdbeCoverage(v);\n\n /* Implement the main merge loop\n */\n sqlite3VdbeResolveLabel(v, labelCmpr);\n sqlite3VdbeAddOp4(v, OP_Permutation, 0, 0, 0, (char*)aPermute, P4_INTARRAY);\n sqlite3VdbeAddOp4(v, OP_Compare, destA.iSdst, destB.iSdst, nOrderBy,\n (char*)pKeyMerge, P4_KEYINFO);\n 
sqlite3VdbeChangeP5(v, OPFLAG_PERMUTE);\n sqlite3VdbeAddOp3(v, OP_Jump, addrAltB, addrAeqB, addrAgtB); VdbeCoverage(v);\n\n /* Jump to the this point in order to terminate the query.\n */\n sqlite3VdbeResolveLabel(v, labelEnd);\n\n /* Reassembly the compound query so that it will be freed correctly\n ** by the calling function */\n if( p->pPrior ){\n sqlite3SelectDelete(db, p->pPrior);\n }\n p->pPrior = pPrior;\n pPrior->pNext = p;\n\n /*** TBD: Insert subroutine calls to close cursors on incomplete\n **** subqueries ****/\n ExplainQueryPlanPop(pParse);\n return pParse->nErr!=0;\n}", "project": "sqlite", "hash": 101944833754141798591445996206809193971, "size": 297, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246135 }, { "func": "int sqlite3VdbeLoadString(Vdbe *p, int iDest, const char *zStr){\n return sqlite3VdbeAddOp4(p, OP_String8, 0, iDest, 0, zStr, 0);\n}", "project": "sqlite", "hash": 124161172371431830845237287871720096404, "size": 3, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378684 }, { "func": "int sqlite3Select(\n Parse *pParse, /* The parser context */\n Select *p, /* The SELECT statement being coded. 
*/\n SelectDest *pDest /* What to do with the query results */\n){\n int i, j; /* Loop counters */\n WhereInfo *pWInfo; /* Return from sqlite3WhereBegin() */\n Vdbe *v; /* The virtual machine under construction */\n int isAgg; /* True for select lists like \"count(*)\" */\n ExprList *pEList = 0; /* List of columns to extract. */\n SrcList *pTabList; /* List of tables to select from */\n Expr *pWhere; /* The WHERE clause. May be NULL */\n ExprList *pGroupBy; /* The GROUP BY clause. May be NULL */\n Expr *pHaving; /* The HAVING clause. May be NULL */\n int rc = 1; /* Value to return from this function */\n DistinctCtx sDistinct; /* Info on how to code the DISTINCT keyword */\n SortCtx sSort; /* Info on how to code the ORDER BY clause */\n AggInfo sAggInfo; /* Information used by aggregate queries */\n int iEnd; /* Address of the end of the query */\n sqlite3 *db; /* The database connection */\n ExprList *pMinMaxOrderBy = 0; /* Added ORDER BY for min/max queries */\n u8 minMaxFlag; /* Flag for min/max queries */\n\n db = pParse->db;\n v = sqlite3GetVdbe(pParse);\n if( p==0 || db->mallocFailed || pParse->nErr ){\n return 1;\n }\n if( sqlite3AuthCheck(pParse, SQLITE_SELECT, 0, 0, 0) ) return 1;\n memset(&sAggInfo, 0, sizeof(sAggInfo));\n#if SELECTTRACE_ENABLED\n SELECTTRACE(1,pParse,p, (\"begin processing:\\n\", pParse->addrExplain));\n if( sqlite3SelectTrace & 0x100 ){\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n\n assert( p->pOrderBy==0 || pDest->eDest!=SRT_DistFifo );\n assert( p->pOrderBy==0 || pDest->eDest!=SRT_Fifo );\n assert( p->pOrderBy==0 || pDest->eDest!=SRT_DistQueue );\n assert( p->pOrderBy==0 || pDest->eDest!=SRT_Queue );\n if( IgnorableOrderby(pDest) ){\n assert(pDest->eDest==SRT_Exists || pDest->eDest==SRT_Union || \n pDest->eDest==SRT_Except || pDest->eDest==SRT_Discard ||\n pDest->eDest==SRT_Queue || pDest->eDest==SRT_DistFifo ||\n pDest->eDest==SRT_DistQueue || pDest->eDest==SRT_Fifo);\n /* If ORDER BY makes no difference in the output then neither 
does\n ** DISTINCT so it can be removed too. */\n sqlite3ExprListDelete(db, p->pOrderBy);\n p->pOrderBy = 0;\n p->selFlags &= ~SF_Distinct;\n }\n sqlite3SelectPrep(pParse, p, 0);\n if( pParse->nErr || db->mallocFailed ){\n goto select_end;\n }\n assert( p->pEList!=0 );\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x104 ){\n SELECTTRACE(0x104,pParse,p, (\"after name resolution:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n\n if( pDest->eDest==SRT_Output ){\n generateColumnNames(pParse, p);\n }\n\n#ifndef SQLITE_OMIT_WINDOWFUNC\n rc = sqlite3WindowRewrite(pParse, p);\n if( rc ){\n assert( db->mallocFailed || pParse->nErr>0 );\n goto select_end;\n }\n#if SELECTTRACE_ENABLED\n if( p->pWin && (sqlite3SelectTrace & 0x108)!=0 ){\n SELECTTRACE(0x104,pParse,p, (\"after window rewrite:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n#endif /* SQLITE_OMIT_WINDOWFUNC */\n pTabList = p->pSrc;\n isAgg = (p->selFlags & SF_Aggregate)!=0;\n memset(&sSort, 0, sizeof(sSort));\n sSort.pOrderBy = p->pOrderBy;\n\n /* Try to various optimizations (flattening subqueries, and strength\n ** reduction of join operators) in the FROM clause up into the main query\n */\n#if !defined(SQLITE_OMIT_SUBQUERY) || !defined(SQLITE_OMIT_VIEW)\n for(i=0; !p->pPrior && inSrc; i++){\n struct SrcList_item *pItem = &pTabList->a[i];\n Select *pSub = pItem->pSelect;\n Table *pTab = pItem->pTab;\n\n /* Convert LEFT JOIN into JOIN if there are terms of the right table\n ** of the LEFT JOIN used in the WHERE clause.\n */\n if( (pItem->fg.jointype & JT_LEFT)!=0\n && sqlite3ExprImpliesNonNullRow(p->pWhere, pItem->iCursor)\n && OptimizationEnabled(db, SQLITE_SimplifyJoin)\n ){\n SELECTTRACE(0x100,pParse,p,\n (\"LEFT-JOIN simplifies to JOIN on term %d\\n\",i));\n pItem->fg.jointype &= ~(JT_LEFT|JT_OUTER);\n unsetJoinExpr(p->pWhere, pItem->iCursor);\n }\n\n /* No futher action if this term of the FROM clause is no a subquery */\n if( pSub==0 ) continue;\n\n /* Catch mismatch in the declared 
columns of a view and the number of\n ** columns in the SELECT on the RHS */\n if( pTab->nCol!=pSub->pEList->nExpr ){\n sqlite3ErrorMsg(pParse, \"expected %d columns for '%s' but got %d\",\n pTab->nCol, pTab->zName, pSub->pEList->nExpr);\n goto select_end;\n }\n\n /* Do not try to flatten an aggregate subquery.\n **\n ** Flattening an aggregate subquery is only possible if the outer query\n ** is not a join. But if the outer query is not a join, then the subquery\n ** will be implemented as a co-routine and there is no advantage to\n ** flattening in that case.\n */\n if( (pSub->selFlags & SF_Aggregate)!=0 ) continue;\n assert( pSub->pGroupBy==0 );\n\n /* If the outer query contains a \"complex\" result set (that is,\n ** if the result set of the outer query uses functions or subqueries)\n ** and if the subquery contains an ORDER BY clause and if\n ** it will be implemented as a co-routine, then do not flatten. This\n ** restriction allows SQL constructs like this:\n **\n ** SELECT expensive_function(x)\n ** FROM (SELECT x FROM tab ORDER BY y LIMIT 10);\n **\n ** The expensive_function() is only computed on the 10 rows that\n ** are output, rather than every row of the table.\n **\n ** The requirement that the outer query have a complex result set\n ** means that flattening does occur on simpler SQL constraints without\n ** the expensive_function() like:\n **\n ** SELECT x FROM (SELECT x FROM tab ORDER BY y LIMIT 10);\n */\n if( pSub->pOrderBy!=0\n && i==0\n && (p->selFlags & SF_ComplexResult)!=0\n && (pTabList->nSrc==1\n || (pTabList->a[1].fg.jointype&(JT_LEFT|JT_CROSS))!=0)\n ){\n continue;\n }\n\n if( flattenSubquery(pParse, p, i, isAgg) ){\n if( pParse->nErr ) goto select_end;\n /* This subquery can be absorbed into its parent. 
*/\n i = -1;\n }\n pTabList = p->pSrc;\n if( db->mallocFailed ) goto select_end;\n if( !IgnorableOrderby(pDest) ){\n sSort.pOrderBy = p->pOrderBy;\n }\n }\n#endif\n\n#ifndef SQLITE_OMIT_COMPOUND_SELECT\n /* Handle compound SELECT statements using the separate multiSelect()\n ** procedure.\n */\n if( p->pPrior ){\n rc = multiSelect(pParse, p, pDest);\n#if SELECTTRACE_ENABLED\n SELECTTRACE(0x1,pParse,p,(\"end compound-select processing\\n\"));\n if( (sqlite3SelectTrace & 0x2000)!=0 && ExplainQueryPlanParent(pParse)==0 ){\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n if( p->pNext==0 ) ExplainQueryPlanPop(pParse);\n return rc;\n }\n#endif\n\n /* Do the WHERE-clause constant propagation optimization if this is\n ** a join. No need to speed time on this operation for non-join queries\n ** as the equivalent optimization will be handled by query planner in\n ** sqlite3WhereBegin().\n */\n if( pTabList->nSrc>1\n && OptimizationEnabled(db, SQLITE_PropagateConst)\n && propagateConstants(pParse, p)\n ){\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x100 ){\n SELECTTRACE(0x100,pParse,p,(\"After constant propagation:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n }else{\n SELECTTRACE(0x100,pParse,p,(\"Constant propagation not helpful\\n\"));\n }\n\n#ifdef SQLITE_COUNTOFVIEW_OPTIMIZATION\n if( OptimizationEnabled(db, SQLITE_QueryFlattener|SQLITE_CountOfView)\n && countOfViewOptimization(pParse, p)\n ){\n if( db->mallocFailed ) goto select_end;\n pEList = p->pEList;\n pTabList = p->pSrc;\n }\n#endif\n\n /* For each term in the FROM clause, do two things:\n ** (1) Authorized unreferenced tables\n ** (2) Generate code for all sub-queries\n */\n for(i=0; inSrc; i++){\n struct SrcList_item *pItem = &pTabList->a[i];\n SelectDest dest;\n Select *pSub;\n#if !defined(SQLITE_OMIT_SUBQUERY) || !defined(SQLITE_OMIT_VIEW)\n const char *zSavedAuthContext;\n#endif\n\n /* Issue SQLITE_READ authorizations with a fake column name for any\n ** tables that are referenced but from 
which no values are extracted.\n ** Examples of where these kinds of null SQLITE_READ authorizations\n ** would occur:\n **\n ** SELECT count(*) FROM t1; -- SQLITE_READ t1.\"\"\n ** SELECT t1.* FROM t1, t2; -- SQLITE_READ t2.\"\"\n **\n ** The fake column name is an empty string. It is possible for a table to\n ** have a column named by the empty string, in which case there is no way to\n ** distinguish between an unreferenced table and an actual reference to the\n ** \"\" column. The original design was for the fake column name to be a NULL,\n ** which would be unambiguous. But legacy authorization callbacks might\n ** assume the column name is non-NULL and segfault. The use of an empty\n ** string for the fake column name seems safer.\n */\n if( pItem->colUsed==0 && pItem->zName!=0 ){\n sqlite3AuthCheck(pParse, SQLITE_READ, pItem->zName, \"\", pItem->zDatabase);\n }\n\n#if !defined(SQLITE_OMIT_SUBQUERY) || !defined(SQLITE_OMIT_VIEW)\n /* Generate code for all sub-queries in the FROM clause\n */\n pSub = pItem->pSelect;\n if( pSub==0 ) continue;\n\n /* The code for a subquery should only be generated once, though it is\n ** technically harmless for it to be generated multiple times. The\n ** following assert() will detect if something changes to cause\n ** the same subquery to be coded multiple times, as a signal to the\n ** developers to try to optimize the situation.\n **\n ** Update 2019-07-24:\n ** See ticket https://sqlite.org/src/tktview/c52b09c7f38903b1311cec40.\n ** The dbsqlfuzz fuzzer found a case where the same subquery gets\n ** coded twice. So this assert() now becomes a testcase(). It should\n ** be very rare, though.\n */\n testcase( pItem->addrFillSub!=0 );\n\n /* Increment Parse.nHeight by the height of the largest expression\n ** tree referred to by this, the parent select. The child select\n ** may contain expression trees of at most\n ** (SQLITE_MAX_EXPR_DEPTH-Parse.nHeight) height. 
This is a bit\n ** more conservative than necessary, but much easier than enforcing\n ** an exact limit.\n */\n pParse->nHeight += sqlite3SelectExprHeight(p);\n\n /* Make copies of constant WHERE-clause terms in the outer query down\n ** inside the subquery. This can help the subquery to run more efficiently.\n */\n if( OptimizationEnabled(db, SQLITE_PushDown)\n && pushDownWhereTerms(pParse, pSub, p->pWhere, pItem->iCursor,\n (pItem->fg.jointype & JT_OUTER)!=0)\n ){\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x100 ){\n SELECTTRACE(0x100,pParse,p,\n (\"After WHERE-clause push-down into subquery %d:\\n\", pSub->selId));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n }else{\n SELECTTRACE(0x100,pParse,p,(\"Push-down not possible\\n\"));\n }\n\n zSavedAuthContext = pParse->zAuthContext;\n pParse->zAuthContext = pItem->zName;\n\n /* Generate code to implement the subquery\n **\n ** The subquery is implemented as a co-routine if the subquery is\n ** guaranteed to be the outer loop (so that it does not need to be\n ** computed more than once)\n **\n ** TODO: Are there other reasons beside (1) to use a co-routine\n ** implementation?\n */\n if( i==0\n && (pTabList->nSrc==1\n || (pTabList->a[1].fg.jointype&(JT_LEFT|JT_CROSS))!=0) /* (1) */\n ){\n /* Implement a co-routine that will return a single row of the result\n ** set on each invocation.\n */\n int addrTop = sqlite3VdbeCurrentAddr(v)+1;\n \n pItem->regReturn = ++pParse->nMem;\n sqlite3VdbeAddOp3(v, OP_InitCoroutine, pItem->regReturn, 0, addrTop);\n VdbeComment((v, \"%s\", pItem->pTab->zName));\n pItem->addrFillSub = addrTop;\n sqlite3SelectDestInit(&dest, SRT_Coroutine, pItem->regReturn);\n ExplainQueryPlan((pParse, 1, \"CO-ROUTINE %u\", pSub->selId));\n sqlite3Select(pParse, pSub, &dest);\n pItem->pTab->nRowLogEst = pSub->nSelectRow;\n pItem->fg.viaCoroutine = 1;\n pItem->regResult = dest.iSdst;\n sqlite3VdbeEndCoroutine(v, pItem->regReturn);\n sqlite3VdbeJumpHere(v, addrTop-1);\n 
sqlite3ClearTempRegCache(pParse);\n }else{\n /* Generate a subroutine that will fill an ephemeral table with\n ** the content of this subquery. pItem->addrFillSub will point\n ** to the address of the generated subroutine. pItem->regReturn\n ** is a register allocated to hold the subroutine return address\n */\n int topAddr;\n int onceAddr = 0;\n int retAddr;\n struct SrcList_item *pPrior;\n\n testcase( pItem->addrFillSub==0 ); /* Ticket c52b09c7f38903b1311 */\n pItem->regReturn = ++pParse->nMem;\n topAddr = sqlite3VdbeAddOp2(v, OP_Integer, 0, pItem->regReturn);\n pItem->addrFillSub = topAddr+1;\n if( pItem->fg.isCorrelated==0 ){\n /* If the subquery is not correlated and if we are not inside of\n ** a trigger, then we only need to compute the value of the subquery\n ** once. */\n onceAddr = sqlite3VdbeAddOp0(v, OP_Once); VdbeCoverage(v);\n VdbeComment((v, \"materialize \\\"%s\\\"\", pItem->pTab->zName));\n }else{\n VdbeNoopComment((v, \"materialize \\\"%s\\\"\", pItem->pTab->zName));\n }\n pPrior = isSelfJoinView(pTabList, pItem);\n if( pPrior ){\n sqlite3VdbeAddOp2(v, OP_OpenDup, pItem->iCursor, pPrior->iCursor);\n assert( pPrior->pSelect!=0 );\n pSub->nSelectRow = pPrior->pSelect->nSelectRow;\n }else{\n sqlite3SelectDestInit(&dest, SRT_EphemTab, pItem->iCursor);\n ExplainQueryPlan((pParse, 1, \"MATERIALIZE %u\", pSub->selId));\n sqlite3Select(pParse, pSub, &dest);\n }\n pItem->pTab->nRowLogEst = pSub->nSelectRow;\n if( onceAddr ) sqlite3VdbeJumpHere(v, onceAddr);\n retAddr = sqlite3VdbeAddOp1(v, OP_Return, pItem->regReturn);\n VdbeComment((v, \"end %s\", pItem->pTab->zName));\n sqlite3VdbeChangeP1(v, topAddr, retAddr);\n sqlite3ClearTempRegCache(pParse);\n }\n if( db->mallocFailed ) goto select_end;\n pParse->nHeight -= sqlite3SelectExprHeight(p);\n pParse->zAuthContext = zSavedAuthContext;\n#endif\n }\n\n /* Various elements of the SELECT copied into local variables for\n ** convenience */\n pEList = p->pEList;\n pWhere = p->pWhere;\n pGroupBy = p->pGroupBy;\n 
pHaving = p->pHaving;\n sDistinct.isTnct = (p->selFlags & SF_Distinct)!=0;\n\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x400 ){\n SELECTTRACE(0x400,pParse,p,(\"After all FROM-clause analysis:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n\n /* If the query is DISTINCT with an ORDER BY but is not an aggregate, and \n ** if the select-list is the same as the ORDER BY list, then this query\n ** can be rewritten as a GROUP BY. In other words, this:\n **\n ** SELECT DISTINCT xyz FROM ... ORDER BY xyz\n **\n ** is transformed to:\n **\n ** SELECT xyz FROM ... GROUP BY xyz ORDER BY xyz\n **\n ** The second form is preferred as a single index (or temp-table) may be \n ** used for both the ORDER BY and DISTINCT processing. As originally \n ** written the query must use a temp-table for at least one of the ORDER \n ** BY and DISTINCT, and an index or separate temp-table for the other.\n */\n if( (p->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct \n && sqlite3ExprListCompare(sSort.pOrderBy, pEList, -1)==0\n#ifndef SQLITE_OMIT_WINDOWFUNC\n && p->pWin==0\n#endif\n ){\n p->selFlags &= ~SF_Distinct;\n pGroupBy = p->pGroupBy = sqlite3ExprListDup(db, pEList, 0);\n p->selFlags |= SF_Aggregate;\n /* Notice that even thought SF_Distinct has been cleared from p->selFlags,\n ** the sDistinct.isTnct is still set. Hence, isTnct represents the\n ** original setting of the SF_Distinct flag, not the current setting */\n assert( sDistinct.isTnct );\n\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x400 ){\n SELECTTRACE(0x400,pParse,p,(\"Transform DISTINCT into GROUP BY:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n }\n\n /* If there is an ORDER BY clause, then create an ephemeral index to\n ** do the sorting. 
But this sorting ephemeral index might end up\n ** being unused if the data can be extracted in pre-sorted order.\n ** If that is the case, then the OP_OpenEphemeral instruction will be\n ** changed to an OP_Noop once we figure out that the sorting index is\n ** not needed. The sSort.addrSortIndex variable is used to facilitate\n ** that change.\n */\n if( sSort.pOrderBy ){\n KeyInfo *pKeyInfo;\n pKeyInfo = sqlite3KeyInfoFromExprList(\n pParse, sSort.pOrderBy, 0, pEList->nExpr);\n sSort.iECursor = pParse->nTab++;\n sSort.addrSortIndex =\n sqlite3VdbeAddOp4(v, OP_OpenEphemeral,\n sSort.iECursor, sSort.pOrderBy->nExpr+1+pEList->nExpr, 0,\n (char*)pKeyInfo, P4_KEYINFO\n );\n }else{\n sSort.addrSortIndex = -1;\n }\n\n /* If the output is destined for a temporary table, open that table.\n */\n if( pDest->eDest==SRT_EphemTab ){\n sqlite3VdbeAddOp2(v, OP_OpenEphemeral, pDest->iSDParm, pEList->nExpr);\n }\n\n /* Set the limiter.\n */\n iEnd = sqlite3VdbeMakeLabel(pParse);\n if( (p->selFlags & SF_FixedLimit)==0 ){\n p->nSelectRow = 320; /* 4 billion rows */\n }\n computeLimitRegisters(pParse, p, iEnd);\n if( p->iLimit==0 && sSort.addrSortIndex>=0 ){\n sqlite3VdbeChangeOpcode(v, sSort.addrSortIndex, OP_SorterOpen);\n sSort.sortFlags |= SORTFLAG_UseSorter;\n }\n\n /* Open an ephemeral index to use for the distinct set.\n */\n if( p->selFlags & SF_Distinct ){\n sDistinct.tabTnct = pParse->nTab++;\n sDistinct.addrTnct = sqlite3VdbeAddOp4(v, OP_OpenEphemeral,\n sDistinct.tabTnct, 0, 0,\n (char*)sqlite3KeyInfoFromExprList(pParse, p->pEList,0,0),\n P4_KEYINFO);\n sqlite3VdbeChangeP5(v, BTREE_UNORDERED);\n sDistinct.eTnctType = WHERE_DISTINCT_UNORDERED;\n }else{\n sDistinct.eTnctType = WHERE_DISTINCT_NOOP;\n }\n\n if( !isAgg && pGroupBy==0 ){\n /* No aggregate functions and no GROUP BY clause */\n u16 wctrlFlags = (sDistinct.isTnct ? 
WHERE_WANT_DISTINCT : 0)\n | (p->selFlags & SF_FixedLimit);\n#ifndef SQLITE_OMIT_WINDOWFUNC\n Window *pWin = p->pWin; /* Master window object (or NULL) */\n if( pWin ){\n sqlite3WindowCodeInit(pParse, p);\n }\n#endif\n assert( WHERE_USE_LIMIT==SF_FixedLimit );\n\n\n /* Begin the database scan. */\n SELECTTRACE(1,pParse,p,(\"WhereBegin\\n\"));\n pWInfo = sqlite3WhereBegin(pParse, pTabList, pWhere, sSort.pOrderBy,\n p->pEList, wctrlFlags, p->nSelectRow);\n if( pWInfo==0 ) goto select_end;\n if( sqlite3WhereOutputRowCount(pWInfo) < p->nSelectRow ){\n p->nSelectRow = sqlite3WhereOutputRowCount(pWInfo);\n }\n if( sDistinct.isTnct && sqlite3WhereIsDistinct(pWInfo) ){\n sDistinct.eTnctType = sqlite3WhereIsDistinct(pWInfo);\n }\n if( sSort.pOrderBy ){\n sSort.nOBSat = sqlite3WhereIsOrdered(pWInfo);\n sSort.labelOBLopt = sqlite3WhereOrderByLimitOptLabel(pWInfo);\n if( sSort.nOBSat==sSort.pOrderBy->nExpr ){\n sSort.pOrderBy = 0;\n }\n }\n\n /* If sorting index that was created by a prior OP_OpenEphemeral \n ** instruction ended up not being needed, then change the OP_OpenEphemeral\n ** into an OP_Noop.\n */\n if( sSort.addrSortIndex>=0 && sSort.pOrderBy==0 ){\n sqlite3VdbeChangeToNoop(v, sSort.addrSortIndex);\n }\n\n assert( p->pEList==pEList );\n#ifndef SQLITE_OMIT_WINDOWFUNC\n if( pWin ){\n int addrGosub = sqlite3VdbeMakeLabel(pParse);\n int iCont = sqlite3VdbeMakeLabel(pParse);\n int iBreak = sqlite3VdbeMakeLabel(pParse);\n int regGosub = ++pParse->nMem;\n\n sqlite3WindowCodeStep(pParse, p, pWInfo, regGosub, addrGosub);\n\n sqlite3VdbeAddOp2(v, OP_Goto, 0, iBreak);\n sqlite3VdbeResolveLabel(v, addrGosub);\n VdbeNoopComment((v, \"inner-loop subroutine\"));\n sSort.labelOBLopt = 0;\n selectInnerLoop(pParse, p, -1, &sSort, &sDistinct, pDest, iCont, iBreak);\n sqlite3VdbeResolveLabel(v, iCont);\n sqlite3VdbeAddOp1(v, OP_Return, regGosub);\n VdbeComment((v, \"end inner-loop subroutine\"));\n sqlite3VdbeResolveLabel(v, iBreak);\n }else\n#endif /* SQLITE_OMIT_WINDOWFUNC */\n {\n 
/* Use the standard inner loop. */\n selectInnerLoop(pParse, p, -1, &sSort, &sDistinct, pDest,\n sqlite3WhereContinueLabel(pWInfo),\n sqlite3WhereBreakLabel(pWInfo));\n\n /* End the database scan loop.\n */\n sqlite3WhereEnd(pWInfo);\n }\n }else{\n /* This case when there exist aggregate functions or a GROUP BY clause\n ** or both */\n NameContext sNC; /* Name context for processing aggregate information */\n int iAMem; /* First Mem address for storing current GROUP BY */\n int iBMem; /* First Mem address for previous GROUP BY */\n int iUseFlag; /* Mem address holding flag indicating that at least\n ** one row of the input to the aggregator has been\n ** processed */\n int iAbortFlag; /* Mem address which causes query abort if positive */\n int groupBySort; /* Rows come from source in GROUP BY order */\n int addrEnd; /* End of processing for this SELECT */\n int sortPTab = 0; /* Pseudotable used to decode sorting results */\n int sortOut = 0; /* Output register from the sorter */\n int orderByGrp = 0; /* True if the GROUP BY and ORDER BY are the same */\n\n /* Remove any and all aliases between the result set and the\n ** GROUP BY clause.\n */\n if( pGroupBy ){\n int k; /* Loop counter */\n struct ExprList_item *pItem; /* For looping over expression in a list */\n\n for(k=p->pEList->nExpr, pItem=p->pEList->a; k>0; k--, pItem++){\n pItem->u.x.iAlias = 0;\n }\n for(k=pGroupBy->nExpr, pItem=pGroupBy->a; k>0; k--, pItem++){\n pItem->u.x.iAlias = 0;\n }\n assert( 66==sqlite3LogEst(100) );\n if( p->nSelectRow>66 ) p->nSelectRow = 66;\n\n /* If there is both a GROUP BY and an ORDER BY clause and they are\n ** identical, then it may be possible to disable the ORDER BY clause \n ** on the grounds that the GROUP BY will cause elements to come out \n ** in the correct order. It also may not - the GROUP BY might use a\n ** database index that causes rows to be grouped together as required\n ** but not actually sorted. 
Either way, record the fact that the\n ** ORDER BY and GROUP BY clauses are the same by setting the orderByGrp\n ** variable. */\n if( sSort.pOrderBy && pGroupBy->nExpr==sSort.pOrderBy->nExpr ){\n int ii;\n /* The GROUP BY processing doesn't care whether rows are delivered in\n ** ASC or DESC order - only that each group is returned contiguously.\n ** So set the ASC/DESC flags in the GROUP BY to match those in the \n ** ORDER BY to maximize the chances of rows being delivered in an \n ** order that makes the ORDER BY redundant. */\n for(ii=0; iinExpr; ii++){\n u8 sortFlags = sSort.pOrderBy->a[ii].sortFlags & KEYINFO_ORDER_DESC;\n pGroupBy->a[ii].sortFlags = sortFlags;\n }\n if( sqlite3ExprListCompare(pGroupBy, sSort.pOrderBy, -1)==0 ){\n orderByGrp = 1;\n }\n }\n }else{\n assert( 0==sqlite3LogEst(1) );\n p->nSelectRow = 0;\n }\n\n /* Create a label to jump to when we want to abort the query */\n addrEnd = sqlite3VdbeMakeLabel(pParse);\n\n /* Convert TK_COLUMN nodes into TK_AGG_COLUMN and make entries in\n ** sAggInfo for all TK_AGG_FUNCTION nodes in expressions of the\n ** SELECT statement.\n */\n memset(&sNC, 0, sizeof(sNC));\n sNC.pParse = pParse;\n sNC.pSrcList = pTabList;\n sNC.uNC.pAggInfo = &sAggInfo;\n VVA_ONLY( sNC.ncFlags = NC_UAggInfo; )\n sAggInfo.mnReg = pParse->nMem+1;\n sAggInfo.nSortingColumn = pGroupBy ? 
pGroupBy->nExpr : 0;\n sAggInfo.pGroupBy = pGroupBy;\n sqlite3ExprAnalyzeAggList(&sNC, pEList);\n sqlite3ExprAnalyzeAggList(&sNC, sSort.pOrderBy);\n if( pHaving ){\n if( pGroupBy ){\n assert( pWhere==p->pWhere );\n assert( pHaving==p->pHaving );\n assert( pGroupBy==p->pGroupBy );\n havingToWhere(pParse, p);\n pWhere = p->pWhere;\n }\n sqlite3ExprAnalyzeAggregates(&sNC, pHaving);\n }\n sAggInfo.nAccumulator = sAggInfo.nColumn;\n if( p->pGroupBy==0 && p->pHaving==0 && sAggInfo.nFunc==1 ){\n minMaxFlag = minMaxQuery(db, sAggInfo.aFunc[0].pExpr, &pMinMaxOrderBy);\n }else{\n minMaxFlag = WHERE_ORDERBY_NORMAL;\n }\n for(i=0; ix.pList);\n#ifndef SQLITE_OMIT_WINDOWFUNC\n assert( !IsWindowFunc(pExpr) );\n if( ExprHasProperty(pExpr, EP_WinFunc) ){\n sqlite3ExprAnalyzeAggregates(&sNC, pExpr->y.pWin->pFilter);\n }\n#endif\n sNC.ncFlags &= ~NC_InAggFunc;\n }\n sAggInfo.mxReg = pParse->nMem;\n if( db->mallocFailed ) goto select_end;\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x400 ){\n int ii;\n SELECTTRACE(0x400,pParse,p,(\"After aggregate analysis:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n for(ii=0; iinTab++;\n pKeyInfo = sqlite3KeyInfoFromExprList(pParse,pGroupBy,0,sAggInfo.nColumn);\n addrSortingIdx = sqlite3VdbeAddOp4(v, OP_SorterOpen, \n sAggInfo.sortingIdx, sAggInfo.nSortingColumn, \n 0, (char*)pKeyInfo, P4_KEYINFO);\n\n /* Initialize memory locations used by GROUP BY aggregate processing\n */\n iUseFlag = ++pParse->nMem;\n iAbortFlag = ++pParse->nMem;\n regOutputRow = ++pParse->nMem;\n addrOutputRow = sqlite3VdbeMakeLabel(pParse);\n regReset = ++pParse->nMem;\n addrReset = sqlite3VdbeMakeLabel(pParse);\n iAMem = pParse->nMem + 1;\n pParse->nMem += pGroupBy->nExpr;\n iBMem = pParse->nMem + 1;\n pParse->nMem += pGroupBy->nExpr;\n sqlite3VdbeAddOp2(v, OP_Integer, 0, iAbortFlag);\n VdbeComment((v, \"clear abort flag\"));\n sqlite3VdbeAddOp3(v, OP_Null, 0, iAMem, iAMem+pGroupBy->nExpr-1);\n\n /* Begin a loop that will extract all source rows in GROUP BY order.\n ** 
This might involve two separate loops with an OP_Sort in between, or\n ** it might be a single loop that uses an index to extract information\n ** in the right order to begin with.\n */\n sqlite3VdbeAddOp2(v, OP_Gosub, regReset, addrReset);\n SELECTTRACE(1,pParse,p,(\"WhereBegin\\n\"));\n pWInfo = sqlite3WhereBegin(pParse, pTabList, pWhere, pGroupBy, 0,\n WHERE_GROUPBY | (orderByGrp ? WHERE_SORTBYGROUP : 0), 0\n );\n if( pWInfo==0 ) goto select_end;\n if( sqlite3WhereIsOrdered(pWInfo)==pGroupBy->nExpr ){\n /* The optimizer is able to deliver rows in group by order so\n ** we do not have to sort. The OP_OpenEphemeral table will be\n ** cancelled later because we still need to use the pKeyInfo\n */\n groupBySort = 0;\n }else{\n /* Rows are coming out in undetermined order. We have to push\n ** each row into a sorting index, terminate the first loop,\n ** then loop over the sorting index in order to get the output\n ** in sorted order\n */\n int regBase;\n int regRecord;\n int nCol;\n int nGroupBy;\n\n explainTempTable(pParse, \n (sDistinct.isTnct && (p->selFlags&SF_Distinct)==0) ?\n \"DISTINCT\" : \"GROUP BY\");\n\n groupBySort = 1;\n nGroupBy = pGroupBy->nExpr;\n nCol = nGroupBy;\n j = nGroupBy;\n for(i=0; i=j ){\n nCol++;\n j++;\n }\n }\n regBase = sqlite3GetTempRange(pParse, nCol);\n sqlite3ExprCodeExprList(pParse, pGroupBy, regBase, 0, 0);\n j = nGroupBy;\n for(i=0; iiSorterColumn>=j ){\n int r1 = j + regBase;\n sqlite3ExprCodeGetColumnOfTable(v,\n pCol->pTab, pCol->iTable, pCol->iColumn, r1);\n j++;\n }\n }\n regRecord = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp3(v, OP_MakeRecord, regBase, nCol, regRecord);\n sqlite3VdbeAddOp2(v, OP_SorterInsert, sAggInfo.sortingIdx, regRecord);\n sqlite3ReleaseTempReg(pParse, regRecord);\n sqlite3ReleaseTempRange(pParse, regBase, nCol);\n sqlite3WhereEnd(pWInfo);\n sAggInfo.sortingIdxPTab = sortPTab = pParse->nTab++;\n sortOut = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp3(v, OP_OpenPseudo, sortPTab, sortOut, nCol);\n 
sqlite3VdbeAddOp2(v, OP_SorterSort, sAggInfo.sortingIdx, addrEnd);\n VdbeComment((v, \"GROUP BY sort\")); VdbeCoverage(v);\n sAggInfo.useSortingIdx = 1;\n }\n\n /* If the index or temporary table used by the GROUP BY sort\n ** will naturally deliver rows in the order required by the ORDER BY\n ** clause, cancel the ephemeral table open coded earlier.\n **\n ** This is an optimization - the correct answer should result regardless.\n ** Use the SQLITE_GroupByOrder flag with SQLITE_TESTCTRL_OPTIMIZER to \n ** disable this optimization for testing purposes. */\n if( orderByGrp && OptimizationEnabled(db, SQLITE_GroupByOrder) \n && (groupBySort || sqlite3WhereIsSorted(pWInfo))\n ){\n sSort.pOrderBy = 0;\n sqlite3VdbeChangeToNoop(v, sSort.addrSortIndex);\n }\n\n /* Evaluate the current GROUP BY terms and store in b0, b1, b2...\n ** (b0 is memory location iBMem+0, b1 is iBMem+1, and so forth)\n ** Then compare the current GROUP BY terms against the GROUP BY terms\n ** from the previous row currently stored in a0, a1, a2...\n */\n addrTopOfLoop = sqlite3VdbeCurrentAddr(v);\n if( groupBySort ){\n sqlite3VdbeAddOp3(v, OP_SorterData, sAggInfo.sortingIdx,\n sortOut, sortPTab);\n }\n for(j=0; jnExpr; j++){\n if( groupBySort ){\n sqlite3VdbeAddOp3(v, OP_Column, sortPTab, j, iBMem+j);\n }else{\n sAggInfo.directMode = 1;\n sqlite3ExprCode(pParse, pGroupBy->a[j].pExpr, iBMem+j);\n }\n }\n sqlite3VdbeAddOp4(v, OP_Compare, iAMem, iBMem, pGroupBy->nExpr,\n (char*)sqlite3KeyInfoRef(pKeyInfo), P4_KEYINFO);\n addr1 = sqlite3VdbeCurrentAddr(v);\n sqlite3VdbeAddOp3(v, OP_Jump, addr1+1, 0, addr1+1); VdbeCoverage(v);\n\n /* Generate code that runs whenever the GROUP BY changes.\n ** Changes in the GROUP BY are detected by the previous code\n ** block. If there were no changes, this block is skipped.\n **\n ** This code copies current group by terms in b0,b1,b2,...\n ** over to a0,a1,a2. 
It then calls the output subroutine\n ** and resets the aggregate accumulator registers in preparation\n ** for the next GROUP BY batch.\n */\n sqlite3ExprCodeMove(pParse, iBMem, iAMem, pGroupBy->nExpr);\n sqlite3VdbeAddOp2(v, OP_Gosub, regOutputRow, addrOutputRow);\n VdbeComment((v, \"output one row\"));\n sqlite3VdbeAddOp2(v, OP_IfPos, iAbortFlag, addrEnd); VdbeCoverage(v);\n VdbeComment((v, \"check abort flag\"));\n sqlite3VdbeAddOp2(v, OP_Gosub, regReset, addrReset);\n VdbeComment((v, \"reset accumulator\"));\n\n /* Update the aggregate accumulators based on the content of\n ** the current row\n */\n sqlite3VdbeJumpHere(v, addr1);\n updateAccumulator(pParse, iUseFlag, &sAggInfo);\n sqlite3VdbeAddOp2(v, OP_Integer, 1, iUseFlag);\n VdbeComment((v, \"indicate data in accumulator\"));\n\n /* End of the loop\n */\n if( groupBySort ){\n sqlite3VdbeAddOp2(v, OP_SorterNext, sAggInfo.sortingIdx, addrTopOfLoop);\n VdbeCoverage(v);\n }else{\n sqlite3WhereEnd(pWInfo);\n sqlite3VdbeChangeToNoop(v, addrSortingIdx);\n }\n\n /* Output the final row of result\n */\n sqlite3VdbeAddOp2(v, OP_Gosub, regOutputRow, addrOutputRow);\n VdbeComment((v, \"output final row\"));\n\n /* Jump over the subroutines\n */\n sqlite3VdbeGoto(v, addrEnd);\n\n /* Generate a subroutine that outputs a single row of the result\n ** set. This subroutine first looks at the iUseFlag. If iUseFlag\n ** is less than or equal to zero, the subroutine is a no-op. 
If\n ** the processing calls for the query to abort, this subroutine\n ** increments the iAbortFlag memory location before returning in\n ** order to signal the caller to abort.\n */\n addrSetAbort = sqlite3VdbeCurrentAddr(v);\n sqlite3VdbeAddOp2(v, OP_Integer, 1, iAbortFlag);\n VdbeComment((v, \"set abort flag\"));\n sqlite3VdbeAddOp1(v, OP_Return, regOutputRow);\n sqlite3VdbeResolveLabel(v, addrOutputRow);\n addrOutputRow = sqlite3VdbeCurrentAddr(v);\n sqlite3VdbeAddOp2(v, OP_IfPos, iUseFlag, addrOutputRow+2);\n VdbeCoverage(v);\n VdbeComment((v, \"Groupby result generator entry point\"));\n sqlite3VdbeAddOp1(v, OP_Return, regOutputRow);\n finalizeAggFunctions(pParse, &sAggInfo);\n sqlite3ExprIfFalse(pParse, pHaving, addrOutputRow+1, SQLITE_JUMPIFNULL);\n selectInnerLoop(pParse, p, -1, &sSort,\n &sDistinct, pDest,\n addrOutputRow+1, addrSetAbort);\n sqlite3VdbeAddOp1(v, OP_Return, regOutputRow);\n VdbeComment((v, \"end groupby result generator\"));\n\n /* Generate a subroutine that will reset the group-by accumulator\n */\n sqlite3VdbeResolveLabel(v, addrReset);\n resetAccumulator(pParse, &sAggInfo);\n sqlite3VdbeAddOp2(v, OP_Integer, 0, iUseFlag);\n VdbeComment((v, \"indicate accumulator empty\"));\n sqlite3VdbeAddOp1(v, OP_Return, regReset);\n \n } /* endif pGroupBy. Begin aggregate queries without GROUP BY: */\n else {\n#ifndef SQLITE_OMIT_BTREECOUNT\n Table *pTab;\n if( (pTab = isSimpleCount(p, &sAggInfo))!=0 ){\n /* If isSimpleCount() returns a pointer to a Table structure, then\n ** the SQL statement is of the form:\n **\n ** SELECT count(*) FROM \n **\n ** where the Table structure returned represents table .\n **\n ** This statement is so common that it is optimized specially. The\n ** OP_Count instruction is executed either on the intkey table that\n ** contains the data for table or on one of its indexes. 
It\n ** is better to execute the op on an index, as indexes are almost\n ** always spread across less pages than their corresponding tables.\n */\n const int iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);\n const int iCsr = pParse->nTab++; /* Cursor to scan b-tree */\n Index *pIdx; /* Iterator variable */\n KeyInfo *pKeyInfo = 0; /* Keyinfo for scanned index */\n Index *pBest = 0; /* Best index found so far */\n int iRoot = pTab->tnum; /* Root page of scanned b-tree */\n\n sqlite3CodeVerifySchema(pParse, iDb);\n sqlite3TableLock(pParse, iDb, pTab->tnum, 0, pTab->zName);\n\n /* Search for the index that has the lowest scan cost.\n **\n ** (2011-04-15) Do not do a full scan of an unordered index.\n **\n ** (2013-10-03) Do not count the entries in a partial index.\n **\n ** In practice the KeyInfo structure will not be used. It is only \n ** passed to keep OP_OpenRead happy.\n */\n if( !HasRowid(pTab) ) pBest = sqlite3PrimaryKeyIndex(pTab);\n for(pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext){\n if( pIdx->bUnordered==0\n && pIdx->szIdxRowszTabRow\n && pIdx->pPartIdxWhere==0\n && (!pBest || pIdx->szIdxRowszIdxRow)\n ){\n pBest = pIdx;\n }\n }\n if( pBest ){\n iRoot = pBest->tnum;\n pKeyInfo = sqlite3KeyInfoOfIndex(pParse, pBest);\n }\n\n /* Open a read-only cursor, execute the OP_Count, close the cursor. */\n sqlite3VdbeAddOp4Int(v, OP_OpenRead, iCsr, iRoot, iDb, 1);\n if( pKeyInfo ){\n sqlite3VdbeChangeP4(v, -1, (char *)pKeyInfo, P4_KEYINFO);\n }\n sqlite3VdbeAddOp2(v, OP_Count, iCsr, sAggInfo.aFunc[0].iMem);\n sqlite3VdbeAddOp1(v, OP_Close, iCsr);\n explainSimpleCount(pParse, pTab, pBest);\n }else\n#endif /* SQLITE_OMIT_BTREECOUNT */\n {\n int regAcc = 0; /* \"populate accumulators\" flag */\n\n /* If there are accumulator registers but no min() or max() functions\n ** without FILTER clauses, allocate register regAcc. 
Register regAcc\n ** will contain 0 the first time the inner loop runs, and 1 thereafter.\n ** The code generated by updateAccumulator() uses this to ensure\n ** that the accumulator registers are (a) updated only once if\n ** there are no min() or max functions or (b) always updated for the\n ** first row visited by the aggregate, so that they are updated at\n ** least once even if the FILTER clause means the min() or max() \n ** function visits zero rows. */\n if( sAggInfo.nAccumulator ){\n for(i=0; ifuncFlags&SQLITE_FUNC_NEEDCOLL ) break;\n }\n if( i==sAggInfo.nFunc ){\n regAcc = ++pParse->nMem;\n sqlite3VdbeAddOp2(v, OP_Integer, 0, regAcc);\n }\n }\n\n /* This case runs if the aggregate has no GROUP BY clause. The\n ** processing is much simpler since there is only a single row\n ** of output.\n */\n assert( p->pGroupBy==0 );\n resetAccumulator(pParse, &sAggInfo);\n\n /* If this query is a candidate for the min/max optimization, then\n ** minMaxFlag will have been previously set to either\n ** WHERE_ORDERBY_MIN or WHERE_ORDERBY_MAX and pMinMaxOrderBy will\n ** be an appropriate ORDER BY expression for the optimization.\n */\n assert( minMaxFlag==WHERE_ORDERBY_NORMAL || pMinMaxOrderBy!=0 );\n assert( pMinMaxOrderBy==0 || pMinMaxOrderBy->nExpr==1 );\n\n SELECTTRACE(1,pParse,p,(\"WhereBegin\\n\"));\n pWInfo = sqlite3WhereBegin(pParse, pTabList, pWhere, pMinMaxOrderBy,\n 0, minMaxFlag, 0);\n if( pWInfo==0 ){\n goto select_end;\n }\n updateAccumulator(pParse, regAcc, &sAggInfo);\n if( regAcc ) sqlite3VdbeAddOp2(v, OP_Integer, 1, regAcc);\n if( sqlite3WhereIsOrdered(pWInfo)>0 ){\n sqlite3VdbeGoto(v, sqlite3WhereBreakLabel(pWInfo));\n VdbeComment((v, \"%s() by index\",\n (minMaxFlag==WHERE_ORDERBY_MIN?\"min\":\"max\")));\n }\n sqlite3WhereEnd(pWInfo);\n finalizeAggFunctions(pParse, &sAggInfo);\n }\n\n sSort.pOrderBy = 0;\n sqlite3ExprIfFalse(pParse, pHaving, addrEnd, SQLITE_JUMPIFNULL);\n selectInnerLoop(pParse, p, -1, 0, 0, \n pDest, addrEnd, addrEnd);\n }\n 
sqlite3VdbeResolveLabel(v, addrEnd);\n \n } /* endif aggregate query */\n\n if( sDistinct.eTnctType==WHERE_DISTINCT_UNORDERED ){\n explainTempTable(pParse, \"DISTINCT\");\n }\n\n /* If there is an ORDER BY clause, then we need to sort the results\n ** and send them to the callback one by one.\n */\n if( sSort.pOrderBy ){\n explainTempTable(pParse,\n sSort.nOBSat>0 ? \"RIGHT PART OF ORDER BY\":\"ORDER BY\");\n assert( p->pEList==pEList );\n generateSortTail(pParse, p, &sSort, pEList->nExpr, pDest);\n }\n\n /* Jump here to skip this query\n */\n sqlite3VdbeResolveLabel(v, iEnd);\n\n /* The SELECT has been coded. If there is an error in the Parse structure,\n ** set the return code to 1. Otherwise 0. */\n rc = (pParse->nErr>0);\n\n /* Control jumps to here if an error is encountered above, or upon\n ** successful coding of the SELECT.\n */\nselect_end:\n sqlite3ExprListDelete(db, pMinMaxOrderBy);\n sqlite3DbFree(db, sAggInfo.aCol);\n sqlite3DbFree(db, sAggInfo.aFunc);\n#if SELECTTRACE_ENABLED\n SELECTTRACE(0x1,pParse,p,(\"end processing\\n\"));\n if( (sqlite3SelectTrace & 0x2000)!=0 && ExplainQueryPlanParent(pParse)==0 ){\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n ExplainQueryPlanPop(pParse);\n return rc;\n}", "project": "sqlite", "hash": 7187115285907858912676520137988181424, "size": 1066, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246151 }, { "func": "int sqlite3Select(\n Parse *pParse, /* The parser context */\n Select *p, /* The SELECT statement being coded. 
*/\n SelectDest *pDest /* What to do with the query results */\n){\n int i, j; /* Loop counters */\n WhereInfo *pWInfo; /* Return from sqlite3WhereBegin() */\n Vdbe *v; /* The virtual machine under construction */\n int isAgg; /* True for select lists like \"count(*)\" */\n ExprList *pEList = 0; /* List of columns to extract. */\n SrcList *pTabList; /* List of tables to select from */\n Expr *pWhere; /* The WHERE clause. May be NULL */\n ExprList *pGroupBy; /* The GROUP BY clause. May be NULL */\n Expr *pHaving; /* The HAVING clause. May be NULL */\n int rc = 1; /* Value to return from this function */\n DistinctCtx sDistinct; /* Info on how to code the DISTINCT keyword */\n SortCtx sSort; /* Info on how to code the ORDER BY clause */\n AggInfo sAggInfo; /* Information used by aggregate queries */\n int iEnd; /* Address of the end of the query */\n sqlite3 *db; /* The database connection */\n ExprList *pMinMaxOrderBy = 0; /* Added ORDER BY for min/max queries */\n u8 minMaxFlag; /* Flag for min/max queries */\n\n db = pParse->db;\n v = sqlite3GetVdbe(pParse);\n if( p==0 || db->mallocFailed || pParse->nErr ){\n return 1;\n }\n if( sqlite3AuthCheck(pParse, SQLITE_SELECT, 0, 0, 0) ) return 1;\n memset(&sAggInfo, 0, sizeof(sAggInfo));\n#if SELECTTRACE_ENABLED\n SELECTTRACE(1,pParse,p, (\"begin processing:\\n\", pParse->addrExplain));\n if( sqlite3SelectTrace & 0x100 ){\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n\n assert( p->pOrderBy==0 || pDest->eDest!=SRT_DistFifo );\n assert( p->pOrderBy==0 || pDest->eDest!=SRT_Fifo );\n assert( p->pOrderBy==0 || pDest->eDest!=SRT_DistQueue );\n assert( p->pOrderBy==0 || pDest->eDest!=SRT_Queue );\n if( IgnorableOrderby(pDest) ){\n assert(pDest->eDest==SRT_Exists || pDest->eDest==SRT_Union || \n pDest->eDest==SRT_Except || pDest->eDest==SRT_Discard ||\n pDest->eDest==SRT_Queue || pDest->eDest==SRT_DistFifo ||\n pDest->eDest==SRT_DistQueue || pDest->eDest==SRT_Fifo);\n /* If ORDER BY makes no difference in the output then neither 
does\n ** DISTINCT so it can be removed too. */\n sqlite3ExprListDelete(db, p->pOrderBy);\n p->pOrderBy = 0;\n p->selFlags &= ~SF_Distinct;\n }\n sqlite3SelectPrep(pParse, p, 0);\n if( pParse->nErr || db->mallocFailed ){\n goto select_end;\n }\n assert( p->pEList!=0 );\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x104 ){\n SELECTTRACE(0x104,pParse,p, (\"after name resolution:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n\n if( pDest->eDest==SRT_Output ){\n generateColumnNames(pParse, p);\n }\n\n#ifndef SQLITE_OMIT_WINDOWFUNC\n rc = sqlite3WindowRewrite(pParse, p);\n if( rc ){\n assert( db->mallocFailed || pParse->nErr>0 );\n goto select_end;\n }\n#if SELECTTRACE_ENABLED\n if( p->pWin && (sqlite3SelectTrace & 0x108)!=0 ){\n SELECTTRACE(0x104,pParse,p, (\"after window rewrite:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n#endif /* SQLITE_OMIT_WINDOWFUNC */\n pTabList = p->pSrc;\n isAgg = (p->selFlags & SF_Aggregate)!=0;\n memset(&sSort, 0, sizeof(sSort));\n sSort.pOrderBy = p->pOrderBy;\n\n /* Try to various optimizations (flattening subqueries, and strength\n ** reduction of join operators) in the FROM clause up into the main query\n */\n#if !defined(SQLITE_OMIT_SUBQUERY) || !defined(SQLITE_OMIT_VIEW)\n for(i=0; !p->pPrior && inSrc; i++){\n struct SrcList_item *pItem = &pTabList->a[i];\n Select *pSub = pItem->pSelect;\n Table *pTab = pItem->pTab;\n\n /* Convert LEFT JOIN into JOIN if there are terms of the right table\n ** of the LEFT JOIN used in the WHERE clause.\n */\n if( (pItem->fg.jointype & JT_LEFT)!=0\n && sqlite3ExprImpliesNonNullRow(p->pWhere, pItem->iCursor)\n && OptimizationEnabled(db, SQLITE_SimplifyJoin)\n ){\n SELECTTRACE(0x100,pParse,p,\n (\"LEFT-JOIN simplifies to JOIN on term %d\\n\",i));\n pItem->fg.jointype &= ~(JT_LEFT|JT_OUTER);\n unsetJoinExpr(p->pWhere, pItem->iCursor);\n }\n\n /* No futher action if this term of the FROM clause is no a subquery */\n if( pSub==0 ) continue;\n\n /* Catch mismatch in the declared 
columns of a view and the number of\n ** columns in the SELECT on the RHS */\n if( pTab->nCol!=pSub->pEList->nExpr ){\n sqlite3ErrorMsg(pParse, \"expected %d columns for '%s' but got %d\",\n pTab->nCol, pTab->zName, pSub->pEList->nExpr);\n goto select_end;\n }\n\n /* Do not try to flatten an aggregate subquery.\n **\n ** Flattening an aggregate subquery is only possible if the outer query\n ** is not a join. But if the outer query is not a join, then the subquery\n ** will be implemented as a co-routine and there is no advantage to\n ** flattening in that case.\n */\n if( (pSub->selFlags & SF_Aggregate)!=0 ) continue;\n assert( pSub->pGroupBy==0 );\n\n /* If the outer query contains a \"complex\" result set (that is,\n ** if the result set of the outer query uses functions or subqueries)\n ** and if the subquery contains an ORDER BY clause and if\n ** it will be implemented as a co-routine, then do not flatten. This\n ** restriction allows SQL constructs like this:\n **\n ** SELECT expensive_function(x)\n ** FROM (SELECT x FROM tab ORDER BY y LIMIT 10);\n **\n ** The expensive_function() is only computed on the 10 rows that\n ** are output, rather than every row of the table.\n **\n ** The requirement that the outer query have a complex result set\n ** means that flattening does occur on simpler SQL constraints without\n ** the expensive_function() like:\n **\n ** SELECT x FROM (SELECT x FROM tab ORDER BY y LIMIT 10);\n */\n if( pSub->pOrderBy!=0\n && i==0\n && (p->selFlags & SF_ComplexResult)!=0\n && (pTabList->nSrc==1\n || (pTabList->a[1].fg.jointype&(JT_LEFT|JT_CROSS))!=0)\n ){\n continue;\n }\n\n if( flattenSubquery(pParse, p, i, isAgg) ){\n if( pParse->nErr ) goto select_end;\n /* This subquery can be absorbed into its parent. 
*/\n i = -1;\n }\n pTabList = p->pSrc;\n if( db->mallocFailed ) goto select_end;\n if( !IgnorableOrderby(pDest) ){\n sSort.pOrderBy = p->pOrderBy;\n }\n }\n#endif\n\n#ifndef SQLITE_OMIT_COMPOUND_SELECT\n /* Handle compound SELECT statements using the separate multiSelect()\n ** procedure.\n */\n if( p->pPrior ){\n rc = multiSelect(pParse, p, pDest);\n#if SELECTTRACE_ENABLED\n SELECTTRACE(0x1,pParse,p,(\"end compound-select processing\\n\"));\n if( (sqlite3SelectTrace & 0x2000)!=0 && ExplainQueryPlanParent(pParse)==0 ){\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n if( p->pNext==0 ) ExplainQueryPlanPop(pParse);\n return rc;\n }\n#endif\n\n /* Do the WHERE-clause constant propagation optimization if this is\n ** a join. No need to speed time on this operation for non-join queries\n ** as the equivalent optimization will be handled by query planner in\n ** sqlite3WhereBegin().\n */\n if( pTabList->nSrc>1\n && OptimizationEnabled(db, SQLITE_PropagateConst)\n && propagateConstants(pParse, p)\n ){\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x100 ){\n SELECTTRACE(0x100,pParse,p,(\"After constant propagation:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n }else{\n SELECTTRACE(0x100,pParse,p,(\"Constant propagation not helpful\\n\"));\n }\n\n#ifdef SQLITE_COUNTOFVIEW_OPTIMIZATION\n if( OptimizationEnabled(db, SQLITE_QueryFlattener|SQLITE_CountOfView)\n && countOfViewOptimization(pParse, p)\n ){\n if( db->mallocFailed ) goto select_end;\n pEList = p->pEList;\n pTabList = p->pSrc;\n }\n#endif\n\n /* For each term in the FROM clause, do two things:\n ** (1) Authorized unreferenced tables\n ** (2) Generate code for all sub-queries\n */\n for(i=0; inSrc; i++){\n struct SrcList_item *pItem = &pTabList->a[i];\n SelectDest dest;\n Select *pSub;\n#if !defined(SQLITE_OMIT_SUBQUERY) || !defined(SQLITE_OMIT_VIEW)\n const char *zSavedAuthContext;\n#endif\n\n /* Issue SQLITE_READ authorizations with a fake column name for any\n ** tables that are referenced but from 
which no values are extracted.\n ** Examples of where these kinds of null SQLITE_READ authorizations\n ** would occur:\n **\n ** SELECT count(*) FROM t1; -- SQLITE_READ t1.\"\"\n ** SELECT t1.* FROM t1, t2; -- SQLITE_READ t2.\"\"\n **\n ** The fake column name is an empty string. It is possible for a table to\n ** have a column named by the empty string, in which case there is no way to\n ** distinguish between an unreferenced table and an actual reference to the\n ** \"\" column. The original design was for the fake column name to be a NULL,\n ** which would be unambiguous. But legacy authorization callbacks might\n ** assume the column name is non-NULL and segfault. The use of an empty\n ** string for the fake column name seems safer.\n */\n if( pItem->colUsed==0 && pItem->zName!=0 ){\n sqlite3AuthCheck(pParse, SQLITE_READ, pItem->zName, \"\", pItem->zDatabase);\n }\n\n#if !defined(SQLITE_OMIT_SUBQUERY) || !defined(SQLITE_OMIT_VIEW)\n /* Generate code for all sub-queries in the FROM clause\n */\n pSub = pItem->pSelect;\n if( pSub==0 ) continue;\n\n /* The code for a subquery should only be generated once, though it is\n ** technically harmless for it to be generated multiple times. The\n ** following assert() will detect if something changes to cause\n ** the same subquery to be coded multiple times, as a signal to the\n ** developers to try to optimize the situation.\n **\n ** Update 2019-07-24:\n ** See ticket https://sqlite.org/src/tktview/c52b09c7f38903b1311cec40.\n ** The dbsqlfuzz fuzzer found a case where the same subquery gets\n ** coded twice. So this assert() now becomes a testcase(). It should\n ** be very rare, though.\n */\n testcase( pItem->addrFillSub!=0 );\n\n /* Increment Parse.nHeight by the height of the largest expression\n ** tree referred to by this, the parent select. The child select\n ** may contain expression trees of at most\n ** (SQLITE_MAX_EXPR_DEPTH-Parse.nHeight) height. 
This is a bit\n ** more conservative than necessary, but much easier than enforcing\n ** an exact limit.\n */\n pParse->nHeight += sqlite3SelectExprHeight(p);\n\n /* Make copies of constant WHERE-clause terms in the outer query down\n ** inside the subquery. This can help the subquery to run more efficiently.\n */\n if( OptimizationEnabled(db, SQLITE_PushDown)\n && pushDownWhereTerms(pParse, pSub, p->pWhere, pItem->iCursor,\n (pItem->fg.jointype & JT_OUTER)!=0)\n ){\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x100 ){\n SELECTTRACE(0x100,pParse,p,\n (\"After WHERE-clause push-down into subquery %d:\\n\", pSub->selId));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n }else{\n SELECTTRACE(0x100,pParse,p,(\"Push-down not possible\\n\"));\n }\n\n zSavedAuthContext = pParse->zAuthContext;\n pParse->zAuthContext = pItem->zName;\n\n /* Generate code to implement the subquery\n **\n ** The subquery is implemented as a co-routine if the subquery is\n ** guaranteed to be the outer loop (so that it does not need to be\n ** computed more than once)\n **\n ** TODO: Are there other reasons beside (1) to use a co-routine\n ** implementation?\n */\n if( i==0\n && (pTabList->nSrc==1\n || (pTabList->a[1].fg.jointype&(JT_LEFT|JT_CROSS))!=0) /* (1) */\n ){\n /* Implement a co-routine that will return a single row of the result\n ** set on each invocation.\n */\n int addrTop = sqlite3VdbeCurrentAddr(v)+1;\n \n pItem->regReturn = ++pParse->nMem;\n sqlite3VdbeAddOp3(v, OP_InitCoroutine, pItem->regReturn, 0, addrTop);\n VdbeComment((v, \"%s\", pItem->pTab->zName));\n pItem->addrFillSub = addrTop;\n sqlite3SelectDestInit(&dest, SRT_Coroutine, pItem->regReturn);\n ExplainQueryPlan((pParse, 1, \"CO-ROUTINE %u\", pSub->selId));\n sqlite3Select(pParse, pSub, &dest);\n pItem->pTab->nRowLogEst = pSub->nSelectRow;\n pItem->fg.viaCoroutine = 1;\n pItem->regResult = dest.iSdst;\n sqlite3VdbeEndCoroutine(v, pItem->regReturn);\n sqlite3VdbeJumpHere(v, addrTop-1);\n 
sqlite3ClearTempRegCache(pParse);\n }else{\n /* Generate a subroutine that will fill an ephemeral table with\n ** the content of this subquery. pItem->addrFillSub will point\n ** to the address of the generated subroutine. pItem->regReturn\n ** is a register allocated to hold the subroutine return address\n */\n int topAddr;\n int onceAddr = 0;\n int retAddr;\n struct SrcList_item *pPrior;\n\n testcase( pItem->addrFillSub==0 ); /* Ticket c52b09c7f38903b1311 */\n pItem->regReturn = ++pParse->nMem;\n topAddr = sqlite3VdbeAddOp2(v, OP_Integer, 0, pItem->regReturn);\n pItem->addrFillSub = topAddr+1;\n if( pItem->fg.isCorrelated==0 ){\n /* If the subquery is not correlated and if we are not inside of\n ** a trigger, then we only need to compute the value of the subquery\n ** once. */\n onceAddr = sqlite3VdbeAddOp0(v, OP_Once); VdbeCoverage(v);\n VdbeComment((v, \"materialize \\\"%s\\\"\", pItem->pTab->zName));\n }else{\n VdbeNoopComment((v, \"materialize \\\"%s\\\"\", pItem->pTab->zName));\n }\n pPrior = isSelfJoinView(pTabList, pItem);\n if( pPrior ){\n sqlite3VdbeAddOp2(v, OP_OpenDup, pItem->iCursor, pPrior->iCursor);\n assert( pPrior->pSelect!=0 );\n pSub->nSelectRow = pPrior->pSelect->nSelectRow;\n }else{\n sqlite3SelectDestInit(&dest, SRT_EphemTab, pItem->iCursor);\n ExplainQueryPlan((pParse, 1, \"MATERIALIZE %u\", pSub->selId));\n sqlite3Select(pParse, pSub, &dest);\n }\n pItem->pTab->nRowLogEst = pSub->nSelectRow;\n if( onceAddr ) sqlite3VdbeJumpHere(v, onceAddr);\n retAddr = sqlite3VdbeAddOp1(v, OP_Return, pItem->regReturn);\n VdbeComment((v, \"end %s\", pItem->pTab->zName));\n sqlite3VdbeChangeP1(v, topAddr, retAddr);\n sqlite3ClearTempRegCache(pParse);\n }\n if( db->mallocFailed ) goto select_end;\n pParse->nHeight -= sqlite3SelectExprHeight(p);\n pParse->zAuthContext = zSavedAuthContext;\n#endif\n }\n\n /* Various elements of the SELECT copied into local variables for\n ** convenience */\n pEList = p->pEList;\n pWhere = p->pWhere;\n pGroupBy = p->pGroupBy;\n 
pHaving = p->pHaving;\n sDistinct.isTnct = (p->selFlags & SF_Distinct)!=0;\n\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x400 ){\n SELECTTRACE(0x400,pParse,p,(\"After all FROM-clause analysis:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n\n /* If the query is DISTINCT with an ORDER BY but is not an aggregate, and \n ** if the select-list is the same as the ORDER BY list, then this query\n ** can be rewritten as a GROUP BY. In other words, this:\n **\n ** SELECT DISTINCT xyz FROM ... ORDER BY xyz\n **\n ** is transformed to:\n **\n ** SELECT xyz FROM ... GROUP BY xyz ORDER BY xyz\n **\n ** The second form is preferred as a single index (or temp-table) may be \n ** used for both the ORDER BY and DISTINCT processing. As originally \n ** written the query must use a temp-table for at least one of the ORDER \n ** BY and DISTINCT, and an index or separate temp-table for the other.\n */\n if( (p->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct \n && sqlite3ExprListCompare(sSort.pOrderBy, pEList, -1)==0\n && p->pWin==0\n ){\n p->selFlags &= ~SF_Distinct;\n pGroupBy = p->pGroupBy = sqlite3ExprListDup(db, pEList, 0);\n /* Notice that even thought SF_Distinct has been cleared from p->selFlags,\n ** the sDistinct.isTnct is still set. Hence, isTnct represents the\n ** original setting of the SF_Distinct flag, not the current setting */\n assert( sDistinct.isTnct );\n\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x400 ){\n SELECTTRACE(0x400,pParse,p,(\"Transform DISTINCT into GROUP BY:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n }\n\n /* If there is an ORDER BY clause, then create an ephemeral index to\n ** do the sorting. But this sorting ephemeral index might end up\n ** being unused if the data can be extracted in pre-sorted order.\n ** If that is the case, then the OP_OpenEphemeral instruction will be\n ** changed to an OP_Noop once we figure out that the sorting index is\n ** not needed. 
The sSort.addrSortIndex variable is used to facilitate\n ** that change.\n */\n if( sSort.pOrderBy ){\n KeyInfo *pKeyInfo;\n pKeyInfo = sqlite3KeyInfoFromExprList(\n pParse, sSort.pOrderBy, 0, pEList->nExpr);\n sSort.iECursor = pParse->nTab++;\n sSort.addrSortIndex =\n sqlite3VdbeAddOp4(v, OP_OpenEphemeral,\n sSort.iECursor, sSort.pOrderBy->nExpr+1+pEList->nExpr, 0,\n (char*)pKeyInfo, P4_KEYINFO\n );\n }else{\n sSort.addrSortIndex = -1;\n }\n\n /* If the output is destined for a temporary table, open that table.\n */\n if( pDest->eDest==SRT_EphemTab ){\n sqlite3VdbeAddOp2(v, OP_OpenEphemeral, pDest->iSDParm, pEList->nExpr);\n }\n\n /* Set the limiter.\n */\n iEnd = sqlite3VdbeMakeLabel(pParse);\n if( (p->selFlags & SF_FixedLimit)==0 ){\n p->nSelectRow = 320; /* 4 billion rows */\n }\n computeLimitRegisters(pParse, p, iEnd);\n if( p->iLimit==0 && sSort.addrSortIndex>=0 ){\n sqlite3VdbeChangeOpcode(v, sSort.addrSortIndex, OP_SorterOpen);\n sSort.sortFlags |= SORTFLAG_UseSorter;\n }\n\n /* Open an ephemeral index to use for the distinct set.\n */\n if( p->selFlags & SF_Distinct ){\n sDistinct.tabTnct = pParse->nTab++;\n sDistinct.addrTnct = sqlite3VdbeAddOp4(v, OP_OpenEphemeral,\n sDistinct.tabTnct, 0, 0,\n (char*)sqlite3KeyInfoFromExprList(pParse, p->pEList,0,0),\n P4_KEYINFO);\n sqlite3VdbeChangeP5(v, BTREE_UNORDERED);\n sDistinct.eTnctType = WHERE_DISTINCT_UNORDERED;\n }else{\n sDistinct.eTnctType = WHERE_DISTINCT_NOOP;\n }\n\n if( !isAgg && pGroupBy==0 ){\n /* No aggregate functions and no GROUP BY clause */\n u16 wctrlFlags = (sDistinct.isTnct ? WHERE_WANT_DISTINCT : 0)\n | (p->selFlags & SF_FixedLimit);\n#ifndef SQLITE_OMIT_WINDOWFUNC\n Window *pWin = p->pWin; /* Master window object (or NULL) */\n if( pWin ){\n sqlite3WindowCodeInit(pParse, pWin);\n }\n#endif\n assert( WHERE_USE_LIMIT==SF_FixedLimit );\n\n\n /* Begin the database scan. 
*/\n SELECTTRACE(1,pParse,p,(\"WhereBegin\\n\"));\n pWInfo = sqlite3WhereBegin(pParse, pTabList, pWhere, sSort.pOrderBy,\n p->pEList, wctrlFlags, p->nSelectRow);\n if( pWInfo==0 ) goto select_end;\n if( sqlite3WhereOutputRowCount(pWInfo) < p->nSelectRow ){\n p->nSelectRow = sqlite3WhereOutputRowCount(pWInfo);\n }\n if( sDistinct.isTnct && sqlite3WhereIsDistinct(pWInfo) ){\n sDistinct.eTnctType = sqlite3WhereIsDistinct(pWInfo);\n }\n if( sSort.pOrderBy ){\n sSort.nOBSat = sqlite3WhereIsOrdered(pWInfo);\n sSort.labelOBLopt = sqlite3WhereOrderByLimitOptLabel(pWInfo);\n if( sSort.nOBSat==sSort.pOrderBy->nExpr ){\n sSort.pOrderBy = 0;\n }\n }\n\n /* If sorting index that was created by a prior OP_OpenEphemeral \n ** instruction ended up not being needed, then change the OP_OpenEphemeral\n ** into an OP_Noop.\n */\n if( sSort.addrSortIndex>=0 && sSort.pOrderBy==0 ){\n sqlite3VdbeChangeToNoop(v, sSort.addrSortIndex);\n }\n\n assert( p->pEList==pEList );\n#ifndef SQLITE_OMIT_WINDOWFUNC\n if( pWin ){\n int addrGosub = sqlite3VdbeMakeLabel(pParse);\n int iCont = sqlite3VdbeMakeLabel(pParse);\n int iBreak = sqlite3VdbeMakeLabel(pParse);\n int regGosub = ++pParse->nMem;\n\n sqlite3WindowCodeStep(pParse, p, pWInfo, regGosub, addrGosub);\n\n sqlite3VdbeAddOp2(v, OP_Goto, 0, iBreak);\n sqlite3VdbeResolveLabel(v, addrGosub);\n VdbeNoopComment((v, \"inner-loop subroutine\"));\n sSort.labelOBLopt = 0;\n selectInnerLoop(pParse, p, -1, &sSort, &sDistinct, pDest, iCont, iBreak);\n sqlite3VdbeResolveLabel(v, iCont);\n sqlite3VdbeAddOp1(v, OP_Return, regGosub);\n VdbeComment((v, \"end inner-loop subroutine\"));\n sqlite3VdbeResolveLabel(v, iBreak);\n }else\n#endif /* SQLITE_OMIT_WINDOWFUNC */\n {\n /* Use the standard inner loop. 
*/\n selectInnerLoop(pParse, p, -1, &sSort, &sDistinct, pDest,\n sqlite3WhereContinueLabel(pWInfo),\n sqlite3WhereBreakLabel(pWInfo));\n\n /* End the database scan loop.\n */\n sqlite3WhereEnd(pWInfo);\n }\n }else{\n /* This case when there exist aggregate functions or a GROUP BY clause\n ** or both */\n NameContext sNC; /* Name context for processing aggregate information */\n int iAMem; /* First Mem address for storing current GROUP BY */\n int iBMem; /* First Mem address for previous GROUP BY */\n int iUseFlag; /* Mem address holding flag indicating that at least\n ** one row of the input to the aggregator has been\n ** processed */\n int iAbortFlag; /* Mem address which causes query abort if positive */\n int groupBySort; /* Rows come from source in GROUP BY order */\n int addrEnd; /* End of processing for this SELECT */\n int sortPTab = 0; /* Pseudotable used to decode sorting results */\n int sortOut = 0; /* Output register from the sorter */\n int orderByGrp = 0; /* True if the GROUP BY and ORDER BY are the same */\n\n /* Remove any and all aliases between the result set and the\n ** GROUP BY clause.\n */\n if( pGroupBy ){\n int k; /* Loop counter */\n struct ExprList_item *pItem; /* For looping over expression in a list */\n\n for(k=p->pEList->nExpr, pItem=p->pEList->a; k>0; k--, pItem++){\n pItem->u.x.iAlias = 0;\n }\n for(k=pGroupBy->nExpr, pItem=pGroupBy->a; k>0; k--, pItem++){\n pItem->u.x.iAlias = 0;\n }\n assert( 66==sqlite3LogEst(100) );\n if( p->nSelectRow>66 ) p->nSelectRow = 66;\n\n /* If there is both a GROUP BY and an ORDER BY clause and they are\n ** identical, then it may be possible to disable the ORDER BY clause \n ** on the grounds that the GROUP BY will cause elements to come out \n ** in the correct order. It also may not - the GROUP BY might use a\n ** database index that causes rows to be grouped together as required\n ** but not actually sorted. 
Either way, record the fact that the\n ** ORDER BY and GROUP BY clauses are the same by setting the orderByGrp\n ** variable. */\n if( sSort.pOrderBy && pGroupBy->nExpr==sSort.pOrderBy->nExpr ){\n int ii;\n /* The GROUP BY processing doesn't care whether rows are delivered in\n ** ASC or DESC order - only that each group is returned contiguously.\n ** So set the ASC/DESC flags in the GROUP BY to match those in the \n ** ORDER BY to maximize the chances of rows being delivered in an \n ** order that makes the ORDER BY redundant. */\n for(ii=0; iinExpr; ii++){\n u8 sortFlags = sSort.pOrderBy->a[ii].sortFlags & KEYINFO_ORDER_DESC;\n pGroupBy->a[ii].sortFlags = sortFlags;\n }\n if( sqlite3ExprListCompare(pGroupBy, sSort.pOrderBy, -1)==0 ){\n orderByGrp = 1;\n }\n }\n }else{\n assert( 0==sqlite3LogEst(1) );\n p->nSelectRow = 0;\n }\n\n /* Create a label to jump to when we want to abort the query */\n addrEnd = sqlite3VdbeMakeLabel(pParse);\n\n /* Convert TK_COLUMN nodes into TK_AGG_COLUMN and make entries in\n ** sAggInfo for all TK_AGG_FUNCTION nodes in expressions of the\n ** SELECT statement.\n */\n memset(&sNC, 0, sizeof(sNC));\n sNC.pParse = pParse;\n sNC.pSrcList = pTabList;\n sNC.uNC.pAggInfo = &sAggInfo;\n VVA_ONLY( sNC.ncFlags = NC_UAggInfo; )\n sAggInfo.mnReg = pParse->nMem+1;\n sAggInfo.nSortingColumn = pGroupBy ? 
pGroupBy->nExpr : 0;\n sAggInfo.pGroupBy = pGroupBy;\n sqlite3ExprAnalyzeAggList(&sNC, pEList);\n sqlite3ExprAnalyzeAggList(&sNC, sSort.pOrderBy);\n if( pHaving ){\n if( pGroupBy ){\n assert( pWhere==p->pWhere );\n assert( pHaving==p->pHaving );\n assert( pGroupBy==p->pGroupBy );\n havingToWhere(pParse, p);\n pWhere = p->pWhere;\n }\n sqlite3ExprAnalyzeAggregates(&sNC, pHaving);\n }\n sAggInfo.nAccumulator = sAggInfo.nColumn;\n if( p->pGroupBy==0 && p->pHaving==0 && sAggInfo.nFunc==1 ){\n minMaxFlag = minMaxQuery(db, sAggInfo.aFunc[0].pExpr, &pMinMaxOrderBy);\n }else{\n minMaxFlag = WHERE_ORDERBY_NORMAL;\n }\n for(i=0; ix.pList);\n#ifndef SQLITE_OMIT_WINDOWFUNC\n assert( !IsWindowFunc(pExpr) );\n if( ExprHasProperty(pExpr, EP_WinFunc) ){\n sqlite3ExprAnalyzeAggregates(&sNC, pExpr->y.pWin->pFilter);\n }\n#endif\n sNC.ncFlags &= ~NC_InAggFunc;\n }\n sAggInfo.mxReg = pParse->nMem;\n if( db->mallocFailed ) goto select_end;\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x400 ){\n int ii;\n SELECTTRACE(0x400,pParse,p,(\"After aggregate analysis:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n for(ii=0; iinTab++;\n pKeyInfo = sqlite3KeyInfoFromExprList(pParse,pGroupBy,0,sAggInfo.nColumn);\n addrSortingIdx = sqlite3VdbeAddOp4(v, OP_SorterOpen, \n sAggInfo.sortingIdx, sAggInfo.nSortingColumn, \n 0, (char*)pKeyInfo, P4_KEYINFO);\n\n /* Initialize memory locations used by GROUP BY aggregate processing\n */\n iUseFlag = ++pParse->nMem;\n iAbortFlag = ++pParse->nMem;\n regOutputRow = ++pParse->nMem;\n addrOutputRow = sqlite3VdbeMakeLabel(pParse);\n regReset = ++pParse->nMem;\n addrReset = sqlite3VdbeMakeLabel(pParse);\n iAMem = pParse->nMem + 1;\n pParse->nMem += pGroupBy->nExpr;\n iBMem = pParse->nMem + 1;\n pParse->nMem += pGroupBy->nExpr;\n sqlite3VdbeAddOp2(v, OP_Integer, 0, iAbortFlag);\n VdbeComment((v, \"clear abort flag\"));\n sqlite3VdbeAddOp3(v, OP_Null, 0, iAMem, iAMem+pGroupBy->nExpr-1);\n\n /* Begin a loop that will extract all source rows in GROUP BY order.\n ** 
This might involve two separate loops with an OP_Sort in between, or\n ** it might be a single loop that uses an index to extract information\n ** in the right order to begin with.\n */\n sqlite3VdbeAddOp2(v, OP_Gosub, regReset, addrReset);\n SELECTTRACE(1,pParse,p,(\"WhereBegin\\n\"));\n pWInfo = sqlite3WhereBegin(pParse, pTabList, pWhere, pGroupBy, 0,\n WHERE_GROUPBY | (orderByGrp ? WHERE_SORTBYGROUP : 0), 0\n );\n if( pWInfo==0 ) goto select_end;\n if( sqlite3WhereIsOrdered(pWInfo)==pGroupBy->nExpr ){\n /* The optimizer is able to deliver rows in group by order so\n ** we do not have to sort. The OP_OpenEphemeral table will be\n ** cancelled later because we still need to use the pKeyInfo\n */\n groupBySort = 0;\n }else{\n /* Rows are coming out in undetermined order. We have to push\n ** each row into a sorting index, terminate the first loop,\n ** then loop over the sorting index in order to get the output\n ** in sorted order\n */\n int regBase;\n int regRecord;\n int nCol;\n int nGroupBy;\n\n explainTempTable(pParse, \n (sDistinct.isTnct && (p->selFlags&SF_Distinct)==0) ?\n \"DISTINCT\" : \"GROUP BY\");\n\n groupBySort = 1;\n nGroupBy = pGroupBy->nExpr;\n nCol = nGroupBy;\n j = nGroupBy;\n for(i=0; i=j ){\n nCol++;\n j++;\n }\n }\n regBase = sqlite3GetTempRange(pParse, nCol);\n sqlite3ExprCodeExprList(pParse, pGroupBy, regBase, 0, 0);\n j = nGroupBy;\n for(i=0; iiSorterColumn>=j ){\n int r1 = j + regBase;\n sqlite3ExprCodeGetColumnOfTable(v,\n pCol->pTab, pCol->iTable, pCol->iColumn, r1);\n j++;\n }\n }\n regRecord = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp3(v, OP_MakeRecord, regBase, nCol, regRecord);\n sqlite3VdbeAddOp2(v, OP_SorterInsert, sAggInfo.sortingIdx, regRecord);\n sqlite3ReleaseTempReg(pParse, regRecord);\n sqlite3ReleaseTempRange(pParse, regBase, nCol);\n sqlite3WhereEnd(pWInfo);\n sAggInfo.sortingIdxPTab = sortPTab = pParse->nTab++;\n sortOut = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp3(v, OP_OpenPseudo, sortPTab, sortOut, nCol);\n 
sqlite3VdbeAddOp2(v, OP_SorterSort, sAggInfo.sortingIdx, addrEnd);\n VdbeComment((v, \"GROUP BY sort\")); VdbeCoverage(v);\n sAggInfo.useSortingIdx = 1;\n }\n\n /* If the index or temporary table used by the GROUP BY sort\n ** will naturally deliver rows in the order required by the ORDER BY\n ** clause, cancel the ephemeral table open coded earlier.\n **\n ** This is an optimization - the correct answer should result regardless.\n ** Use the SQLITE_GroupByOrder flag with SQLITE_TESTCTRL_OPTIMIZER to \n ** disable this optimization for testing purposes. */\n if( orderByGrp && OptimizationEnabled(db, SQLITE_GroupByOrder) \n && (groupBySort || sqlite3WhereIsSorted(pWInfo))\n ){\n sSort.pOrderBy = 0;\n sqlite3VdbeChangeToNoop(v, sSort.addrSortIndex);\n }\n\n /* Evaluate the current GROUP BY terms and store in b0, b1, b2...\n ** (b0 is memory location iBMem+0, b1 is iBMem+1, and so forth)\n ** Then compare the current GROUP BY terms against the GROUP BY terms\n ** from the previous row currently stored in a0, a1, a2...\n */\n addrTopOfLoop = sqlite3VdbeCurrentAddr(v);\n if( groupBySort ){\n sqlite3VdbeAddOp3(v, OP_SorterData, sAggInfo.sortingIdx,\n sortOut, sortPTab);\n }\n for(j=0; jnExpr; j++){\n if( groupBySort ){\n sqlite3VdbeAddOp3(v, OP_Column, sortPTab, j, iBMem+j);\n }else{\n sAggInfo.directMode = 1;\n sqlite3ExprCode(pParse, pGroupBy->a[j].pExpr, iBMem+j);\n }\n }\n sqlite3VdbeAddOp4(v, OP_Compare, iAMem, iBMem, pGroupBy->nExpr,\n (char*)sqlite3KeyInfoRef(pKeyInfo), P4_KEYINFO);\n addr1 = sqlite3VdbeCurrentAddr(v);\n sqlite3VdbeAddOp3(v, OP_Jump, addr1+1, 0, addr1+1); VdbeCoverage(v);\n\n /* Generate code that runs whenever the GROUP BY changes.\n ** Changes in the GROUP BY are detected by the previous code\n ** block. If there were no changes, this block is skipped.\n **\n ** This code copies current group by terms in b0,b1,b2,...\n ** over to a0,a1,a2. 
It then calls the output subroutine\n ** and resets the aggregate accumulator registers in preparation\n ** for the next GROUP BY batch.\n */\n sqlite3ExprCodeMove(pParse, iBMem, iAMem, pGroupBy->nExpr);\n sqlite3VdbeAddOp2(v, OP_Gosub, regOutputRow, addrOutputRow);\n VdbeComment((v, \"output one row\"));\n sqlite3VdbeAddOp2(v, OP_IfPos, iAbortFlag, addrEnd); VdbeCoverage(v);\n VdbeComment((v, \"check abort flag\"));\n sqlite3VdbeAddOp2(v, OP_Gosub, regReset, addrReset);\n VdbeComment((v, \"reset accumulator\"));\n\n /* Update the aggregate accumulators based on the content of\n ** the current row\n */\n sqlite3VdbeJumpHere(v, addr1);\n updateAccumulator(pParse, iUseFlag, &sAggInfo);\n sqlite3VdbeAddOp2(v, OP_Integer, 1, iUseFlag);\n VdbeComment((v, \"indicate data in accumulator\"));\n\n /* End of the loop\n */\n if( groupBySort ){\n sqlite3VdbeAddOp2(v, OP_SorterNext, sAggInfo.sortingIdx, addrTopOfLoop);\n VdbeCoverage(v);\n }else{\n sqlite3WhereEnd(pWInfo);\n sqlite3VdbeChangeToNoop(v, addrSortingIdx);\n }\n\n /* Output the final row of result\n */\n sqlite3VdbeAddOp2(v, OP_Gosub, regOutputRow, addrOutputRow);\n VdbeComment((v, \"output final row\"));\n\n /* Jump over the subroutines\n */\n sqlite3VdbeGoto(v, addrEnd);\n\n /* Generate a subroutine that outputs a single row of the result\n ** set. This subroutine first looks at the iUseFlag. If iUseFlag\n ** is less than or equal to zero, the subroutine is a no-op. 
If\n ** the processing calls for the query to abort, this subroutine\n ** increments the iAbortFlag memory location before returning in\n ** order to signal the caller to abort.\n */\n addrSetAbort = sqlite3VdbeCurrentAddr(v);\n sqlite3VdbeAddOp2(v, OP_Integer, 1, iAbortFlag);\n VdbeComment((v, \"set abort flag\"));\n sqlite3VdbeAddOp1(v, OP_Return, regOutputRow);\n sqlite3VdbeResolveLabel(v, addrOutputRow);\n addrOutputRow = sqlite3VdbeCurrentAddr(v);\n sqlite3VdbeAddOp2(v, OP_IfPos, iUseFlag, addrOutputRow+2);\n VdbeCoverage(v);\n VdbeComment((v, \"Groupby result generator entry point\"));\n sqlite3VdbeAddOp1(v, OP_Return, regOutputRow);\n finalizeAggFunctions(pParse, &sAggInfo);\n sqlite3ExprIfFalse(pParse, pHaving, addrOutputRow+1, SQLITE_JUMPIFNULL);\n selectInnerLoop(pParse, p, -1, &sSort,\n &sDistinct, pDest,\n addrOutputRow+1, addrSetAbort);\n sqlite3VdbeAddOp1(v, OP_Return, regOutputRow);\n VdbeComment((v, \"end groupby result generator\"));\n\n /* Generate a subroutine that will reset the group-by accumulator\n */\n sqlite3VdbeResolveLabel(v, addrReset);\n resetAccumulator(pParse, &sAggInfo);\n sqlite3VdbeAddOp2(v, OP_Integer, 0, iUseFlag);\n VdbeComment((v, \"indicate accumulator empty\"));\n sqlite3VdbeAddOp1(v, OP_Return, regReset);\n \n } /* endif pGroupBy. Begin aggregate queries without GROUP BY: */\n else {\n#ifndef SQLITE_OMIT_BTREECOUNT\n Table *pTab;\n if( (pTab = isSimpleCount(p, &sAggInfo))!=0 ){\n /* If isSimpleCount() returns a pointer to a Table structure, then\n ** the SQL statement is of the form:\n **\n ** SELECT count(*) FROM \n **\n ** where the Table structure returned represents table .\n **\n ** This statement is so common that it is optimized specially. The\n ** OP_Count instruction is executed either on the intkey table that\n ** contains the data for table or on one of its indexes. 
It\n ** is better to execute the op on an index, as indexes are almost\n ** always spread across less pages than their corresponding tables.\n */\n const int iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);\n const int iCsr = pParse->nTab++; /* Cursor to scan b-tree */\n Index *pIdx; /* Iterator variable */\n KeyInfo *pKeyInfo = 0; /* Keyinfo for scanned index */\n Index *pBest = 0; /* Best index found so far */\n int iRoot = pTab->tnum; /* Root page of scanned b-tree */\n\n sqlite3CodeVerifySchema(pParse, iDb);\n sqlite3TableLock(pParse, iDb, pTab->tnum, 0, pTab->zName);\n\n /* Search for the index that has the lowest scan cost.\n **\n ** (2011-04-15) Do not do a full scan of an unordered index.\n **\n ** (2013-10-03) Do not count the entries in a partial index.\n **\n ** In practice the KeyInfo structure will not be used. It is only \n ** passed to keep OP_OpenRead happy.\n */\n if( !HasRowid(pTab) ) pBest = sqlite3PrimaryKeyIndex(pTab);\n for(pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext){\n if( pIdx->bUnordered==0\n && pIdx->szIdxRowszTabRow\n && pIdx->pPartIdxWhere==0\n && (!pBest || pIdx->szIdxRowszIdxRow)\n ){\n pBest = pIdx;\n }\n }\n if( pBest ){\n iRoot = pBest->tnum;\n pKeyInfo = sqlite3KeyInfoOfIndex(pParse, pBest);\n }\n\n /* Open a read-only cursor, execute the OP_Count, close the cursor. */\n sqlite3VdbeAddOp4Int(v, OP_OpenRead, iCsr, iRoot, iDb, 1);\n if( pKeyInfo ){\n sqlite3VdbeChangeP4(v, -1, (char *)pKeyInfo, P4_KEYINFO);\n }\n sqlite3VdbeAddOp2(v, OP_Count, iCsr, sAggInfo.aFunc[0].iMem);\n sqlite3VdbeAddOp1(v, OP_Close, iCsr);\n explainSimpleCount(pParse, pTab, pBest);\n }else\n#endif /* SQLITE_OMIT_BTREECOUNT */\n {\n int regAcc = 0; /* \"populate accumulators\" flag */\n\n /* If there are accumulator registers but no min() or max() functions\n ** without FILTER clauses, allocate register regAcc. 
Register regAcc\n ** will contain 0 the first time the inner loop runs, and 1 thereafter.\n ** The code generated by updateAccumulator() uses this to ensure\n ** that the accumulator registers are (a) updated only once if\n ** there are no min() or max functions or (b) always updated for the\n ** first row visited by the aggregate, so that they are updated at\n ** least once even if the FILTER clause means the min() or max() \n ** function visits zero rows. */\n if( sAggInfo.nAccumulator ){\n for(i=0; ifuncFlags&SQLITE_FUNC_NEEDCOLL ) break;\n }\n if( i==sAggInfo.nFunc ){\n regAcc = ++pParse->nMem;\n sqlite3VdbeAddOp2(v, OP_Integer, 0, regAcc);\n }\n }\n\n /* This case runs if the aggregate has no GROUP BY clause. The\n ** processing is much simpler since there is only a single row\n ** of output.\n */\n assert( p->pGroupBy==0 );\n resetAccumulator(pParse, &sAggInfo);\n\n /* If this query is a candidate for the min/max optimization, then\n ** minMaxFlag will have been previously set to either\n ** WHERE_ORDERBY_MIN or WHERE_ORDERBY_MAX and pMinMaxOrderBy will\n ** be an appropriate ORDER BY expression for the optimization.\n */\n assert( minMaxFlag==WHERE_ORDERBY_NORMAL || pMinMaxOrderBy!=0 );\n assert( pMinMaxOrderBy==0 || pMinMaxOrderBy->nExpr==1 );\n\n SELECTTRACE(1,pParse,p,(\"WhereBegin\\n\"));\n pWInfo = sqlite3WhereBegin(pParse, pTabList, pWhere, pMinMaxOrderBy,\n 0, minMaxFlag, 0);\n if( pWInfo==0 ){\n goto select_end;\n }\n updateAccumulator(pParse, regAcc, &sAggInfo);\n if( regAcc ) sqlite3VdbeAddOp2(v, OP_Integer, 1, regAcc);\n if( sqlite3WhereIsOrdered(pWInfo)>0 ){\n sqlite3VdbeGoto(v, sqlite3WhereBreakLabel(pWInfo));\n VdbeComment((v, \"%s() by index\",\n (minMaxFlag==WHERE_ORDERBY_MIN?\"min\":\"max\")));\n }\n sqlite3WhereEnd(pWInfo);\n finalizeAggFunctions(pParse, &sAggInfo);\n }\n\n sSort.pOrderBy = 0;\n sqlite3ExprIfFalse(pParse, pHaving, addrEnd, SQLITE_JUMPIFNULL);\n selectInnerLoop(pParse, p, -1, 0, 0, \n pDest, addrEnd, addrEnd);\n }\n 
sqlite3VdbeResolveLabel(v, addrEnd);\n \n } /* endif aggregate query */\n\n if( sDistinct.eTnctType==WHERE_DISTINCT_UNORDERED ){\n explainTempTable(pParse, \"DISTINCT\");\n }\n\n /* If there is an ORDER BY clause, then we need to sort the results\n ** and send them to the callback one by one.\n */\n if( sSort.pOrderBy ){\n explainTempTable(pParse,\n sSort.nOBSat>0 ? \"RIGHT PART OF ORDER BY\":\"ORDER BY\");\n assert( p->pEList==pEList );\n generateSortTail(pParse, p, &sSort, pEList->nExpr, pDest);\n }\n\n /* Jump here to skip this query\n */\n sqlite3VdbeResolveLabel(v, iEnd);\n\n /* The SELECT has been coded. If there is an error in the Parse structure,\n ** set the return code to 1. Otherwise 0. */\n rc = (pParse->nErr>0);\n\n /* Control jumps to here if an error is encountered above, or upon\n ** successful coding of the SELECT.\n */\nselect_end:\n sqlite3ExprListDelete(db, pMinMaxOrderBy);\n sqlite3DbFree(db, sAggInfo.aCol);\n sqlite3DbFree(db, sAggInfo.aFunc);\n#if SELECTTRACE_ENABLED\n SELECTTRACE(0x1,pParse,p,(\"end processing\\n\"));\n if( (sqlite3SelectTrace & 0x2000)!=0 && ExplainQueryPlanParent(pParse)==0 ){\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n ExplainQueryPlanPop(pParse);\n return rc;\n}", "project": "sqlite", "hash": 121671767460016761218570571235305857577, "size": 1063, "commit_id": "a6c1a71cde082e09750465d5675699062922e387", "message": "Do not attempt to unwind the WITH stack in the Parse object following an error. This fixes a separate case to [de6e6d68].\n\nFossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92", "target": 0, "dataset": "other", "idx": 356306 }, { "func": "int sqlite3Select(\n Parse *pParse, /* The parser context */\n Select *p, /* The SELECT statement being coded. 
*/\n SelectDest *pDest /* What to do with the query results */\n){\n int i, j; /* Loop counters */\n WhereInfo *pWInfo; /* Return from sqlite3WhereBegin() */\n Vdbe *v; /* The virtual machine under construction */\n int isAgg; /* True for select lists like \"count(*)\" */\n ExprList *pEList = 0; /* List of columns to extract. */\n SrcList *pTabList; /* List of tables to select from */\n Expr *pWhere; /* The WHERE clause. May be NULL */\n ExprList *pGroupBy; /* The GROUP BY clause. May be NULL */\n Expr *pHaving; /* The HAVING clause. May be NULL */\n int rc = 1; /* Value to return from this function */\n DistinctCtx sDistinct; /* Info on how to code the DISTINCT keyword */\n SortCtx sSort; /* Info on how to code the ORDER BY clause */\n AggInfo sAggInfo; /* Information used by aggregate queries */\n int iEnd; /* Address of the end of the query */\n sqlite3 *db; /* The database connection */\n ExprList *pMinMaxOrderBy = 0; /* Added ORDER BY for min/max queries */\n u8 minMaxFlag; /* Flag for min/max queries */\n\n db = pParse->db;\n v = sqlite3GetVdbe(pParse);\n if( p==0 || db->mallocFailed || pParse->nErr ){\n return 1;\n }\n if( sqlite3AuthCheck(pParse, SQLITE_SELECT, 0, 0, 0) ) return 1;\n memset(&sAggInfo, 0, sizeof(sAggInfo));\n#if SELECTTRACE_ENABLED\n SELECTTRACE(1,pParse,p, (\"begin processing:\\n\", pParse->addrExplain));\n if( sqlite3SelectTrace & 0x100 ){\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n\n assert( p->pOrderBy==0 || pDest->eDest!=SRT_DistFifo );\n assert( p->pOrderBy==0 || pDest->eDest!=SRT_Fifo );\n assert( p->pOrderBy==0 || pDest->eDest!=SRT_DistQueue );\n assert( p->pOrderBy==0 || pDest->eDest!=SRT_Queue );\n if( IgnorableOrderby(pDest) ){\n assert(pDest->eDest==SRT_Exists || pDest->eDest==SRT_Union || \n pDest->eDest==SRT_Except || pDest->eDest==SRT_Discard ||\n pDest->eDest==SRT_Queue || pDest->eDest==SRT_DistFifo ||\n pDest->eDest==SRT_DistQueue || pDest->eDest==SRT_Fifo);\n /* If ORDER BY makes no difference in the output then neither 
does\n ** DISTINCT so it can be removed too. */\n sqlite3ExprListDelete(db, p->pOrderBy);\n p->pOrderBy = 0;\n p->selFlags &= ~SF_Distinct;\n }\n sqlite3SelectPrep(pParse, p, 0);\n if( pParse->nErr || db->mallocFailed ){\n goto select_end;\n }\n assert( p->pEList!=0 );\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x104 ){\n SELECTTRACE(0x104,pParse,p, (\"after name resolution:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n\n if( pDest->eDest==SRT_Output ){\n generateColumnNames(pParse, p);\n }\n\n#ifndef SQLITE_OMIT_WINDOWFUNC\n rc = sqlite3WindowRewrite(pParse, p);\n if( rc ){\n assert( db->mallocFailed || pParse->nErr>0 );\n goto select_end;\n }\n#if SELECTTRACE_ENABLED\n if( p->pWin && (sqlite3SelectTrace & 0x108)!=0 ){\n SELECTTRACE(0x104,pParse,p, (\"after window rewrite:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n#endif /* SQLITE_OMIT_WINDOWFUNC */\n pTabList = p->pSrc;\n isAgg = (p->selFlags & SF_Aggregate)!=0;\n memset(&sSort, 0, sizeof(sSort));\n sSort.pOrderBy = p->pOrderBy;\n\n /* Try to various optimizations (flattening subqueries, and strength\n ** reduction of join operators) in the FROM clause up into the main query\n */\n#if !defined(SQLITE_OMIT_SUBQUERY) || !defined(SQLITE_OMIT_VIEW)\n for(i=0; !p->pPrior && inSrc; i++){\n struct SrcList_item *pItem = &pTabList->a[i];\n Select *pSub = pItem->pSelect;\n Table *pTab = pItem->pTab;\n\n /* Convert LEFT JOIN into JOIN if there are terms of the right table\n ** of the LEFT JOIN used in the WHERE clause.\n */\n if( (pItem->fg.jointype & JT_LEFT)!=0\n && sqlite3ExprImpliesNonNullRow(p->pWhere, pItem->iCursor)\n && OptimizationEnabled(db, SQLITE_SimplifyJoin)\n ){\n SELECTTRACE(0x100,pParse,p,\n (\"LEFT-JOIN simplifies to JOIN on term %d\\n\",i));\n pItem->fg.jointype &= ~(JT_LEFT|JT_OUTER);\n unsetJoinExpr(p->pWhere, pItem->iCursor);\n }\n\n /* No futher action if this term of the FROM clause is no a subquery */\n if( pSub==0 ) continue;\n\n /* Catch mismatch in the declared 
columns of a view and the number of\n ** columns in the SELECT on the RHS */\n if( pTab->nCol!=pSub->pEList->nExpr ){\n sqlite3ErrorMsg(pParse, \"expected %d columns for '%s' but got %d\",\n pTab->nCol, pTab->zName, pSub->pEList->nExpr);\n goto select_end;\n }\n\n /* Do not try to flatten an aggregate subquery.\n **\n ** Flattening an aggregate subquery is only possible if the outer query\n ** is not a join. But if the outer query is not a join, then the subquery\n ** will be implemented as a co-routine and there is no advantage to\n ** flattening in that case.\n */\n if( (pSub->selFlags & SF_Aggregate)!=0 ) continue;\n assert( pSub->pGroupBy==0 );\n\n /* If the outer query contains a \"complex\" result set (that is,\n ** if the result set of the outer query uses functions or subqueries)\n ** and if the subquery contains an ORDER BY clause and if\n ** it will be implemented as a co-routine, then do not flatten. This\n ** restriction allows SQL constructs like this:\n **\n ** SELECT expensive_function(x)\n ** FROM (SELECT x FROM tab ORDER BY y LIMIT 10);\n **\n ** The expensive_function() is only computed on the 10 rows that\n ** are output, rather than every row of the table.\n **\n ** The requirement that the outer query have a complex result set\n ** means that flattening does occur on simpler SQL constraints without\n ** the expensive_function() like:\n **\n ** SELECT x FROM (SELECT x FROM tab ORDER BY y LIMIT 10);\n */\n if( pSub->pOrderBy!=0\n && i==0\n && (p->selFlags & SF_ComplexResult)!=0\n && (pTabList->nSrc==1\n || (pTabList->a[1].fg.jointype&(JT_LEFT|JT_CROSS))!=0)\n ){\n continue;\n }\n\n if( flattenSubquery(pParse, p, i, isAgg) ){\n if( pParse->nErr ) goto select_end;\n /* This subquery can be absorbed into its parent. 
*/\n i = -1;\n }\n pTabList = p->pSrc;\n if( db->mallocFailed ) goto select_end;\n if( !IgnorableOrderby(pDest) ){\n sSort.pOrderBy = p->pOrderBy;\n }\n }\n#endif\n\n#ifndef SQLITE_OMIT_COMPOUND_SELECT\n /* Handle compound SELECT statements using the separate multiSelect()\n ** procedure.\n */\n if( p->pPrior ){\n rc = multiSelect(pParse, p, pDest);\n#if SELECTTRACE_ENABLED\n SELECTTRACE(0x1,pParse,p,(\"end compound-select processing\\n\"));\n if( (sqlite3SelectTrace & 0x2000)!=0 && ExplainQueryPlanParent(pParse)==0 ){\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n if( p->pNext==0 ) ExplainQueryPlanPop(pParse);\n return rc;\n }\n#endif\n\n /* Do the WHERE-clause constant propagation optimization if this is\n ** a join. No need to speed time on this operation for non-join queries\n ** as the equivalent optimization will be handled by query planner in\n ** sqlite3WhereBegin().\n */\n if( pTabList->nSrc>1\n && OptimizationEnabled(db, SQLITE_PropagateConst)\n && propagateConstants(pParse, p)\n ){\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x100 ){\n SELECTTRACE(0x100,pParse,p,(\"After constant propagation:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n }else{\n SELECTTRACE(0x100,pParse,p,(\"Constant propagation not helpful\\n\"));\n }\n\n#ifdef SQLITE_COUNTOFVIEW_OPTIMIZATION\n if( OptimizationEnabled(db, SQLITE_QueryFlattener|SQLITE_CountOfView)\n && countOfViewOptimization(pParse, p)\n ){\n if( db->mallocFailed ) goto select_end;\n pEList = p->pEList;\n pTabList = p->pSrc;\n }\n#endif\n\n /* For each term in the FROM clause, do two things:\n ** (1) Authorized unreferenced tables\n ** (2) Generate code for all sub-queries\n */\n for(i=0; inSrc; i++){\n struct SrcList_item *pItem = &pTabList->a[i];\n SelectDest dest;\n Select *pSub;\n#if !defined(SQLITE_OMIT_SUBQUERY) || !defined(SQLITE_OMIT_VIEW)\n const char *zSavedAuthContext;\n#endif\n\n /* Issue SQLITE_READ authorizations with a fake column name for any\n ** tables that are referenced but from 
which no values are extracted.\n ** Examples of where these kinds of null SQLITE_READ authorizations\n ** would occur:\n **\n ** SELECT count(*) FROM t1; -- SQLITE_READ t1.\"\"\n ** SELECT t1.* FROM t1, t2; -- SQLITE_READ t2.\"\"\n **\n ** The fake column name is an empty string. It is possible for a table to\n ** have a column named by the empty string, in which case there is no way to\n ** distinguish between an unreferenced table and an actual reference to the\n ** \"\" column. The original design was for the fake column name to be a NULL,\n ** which would be unambiguous. But legacy authorization callbacks might\n ** assume the column name is non-NULL and segfault. The use of an empty\n ** string for the fake column name seems safer.\n */\n if( pItem->colUsed==0 && pItem->zName!=0 ){\n sqlite3AuthCheck(pParse, SQLITE_READ, pItem->zName, \"\", pItem->zDatabase);\n }\n\n#if !defined(SQLITE_OMIT_SUBQUERY) || !defined(SQLITE_OMIT_VIEW)\n /* Generate code for all sub-queries in the FROM clause\n */\n pSub = pItem->pSelect;\n if( pSub==0 ) continue;\n\n /* The code for a subquery should only be generated once, though it is\n ** technically harmless for it to be generated multiple times. The\n ** following assert() will detect if something changes to cause\n ** the same subquery to be coded multiple times, as a signal to the\n ** developers to try to optimize the situation.\n **\n ** Update 2019-07-24:\n ** See ticket https://sqlite.org/src/tktview/c52b09c7f38903b1311cec40.\n ** The dbsqlfuzz fuzzer found a case where the same subquery gets\n ** coded twice. So this assert() now becomes a testcase(). It should\n ** be very rare, though.\n */\n testcase( pItem->addrFillSub!=0 );\n\n /* Increment Parse.nHeight by the height of the largest expression\n ** tree referred to by this, the parent select. The child select\n ** may contain expression trees of at most\n ** (SQLITE_MAX_EXPR_DEPTH-Parse.nHeight) height. 
This is a bit\n ** more conservative than necessary, but much easier than enforcing\n ** an exact limit.\n */\n pParse->nHeight += sqlite3SelectExprHeight(p);\n\n /* Make copies of constant WHERE-clause terms in the outer query down\n ** inside the subquery. This can help the subquery to run more efficiently.\n */\n if( OptimizationEnabled(db, SQLITE_PushDown)\n && pushDownWhereTerms(pParse, pSub, p->pWhere, pItem->iCursor,\n (pItem->fg.jointype & JT_OUTER)!=0)\n ){\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x100 ){\n SELECTTRACE(0x100,pParse,p,\n (\"After WHERE-clause push-down into subquery %d:\\n\", pSub->selId));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n }else{\n SELECTTRACE(0x100,pParse,p,(\"Push-down not possible\\n\"));\n }\n\n zSavedAuthContext = pParse->zAuthContext;\n pParse->zAuthContext = pItem->zName;\n\n /* Generate code to implement the subquery\n **\n ** The subquery is implemented as a co-routine if the subquery is\n ** guaranteed to be the outer loop (so that it does not need to be\n ** computed more than once)\n **\n ** TODO: Are there other reasons beside (1) to use a co-routine\n ** implementation?\n */\n if( i==0\n && (pTabList->nSrc==1\n || (pTabList->a[1].fg.jointype&(JT_LEFT|JT_CROSS))!=0) /* (1) */\n ){\n /* Implement a co-routine that will return a single row of the result\n ** set on each invocation.\n */\n int addrTop = sqlite3VdbeCurrentAddr(v)+1;\n \n pItem->regReturn = ++pParse->nMem;\n sqlite3VdbeAddOp3(v, OP_InitCoroutine, pItem->regReturn, 0, addrTop);\n VdbeComment((v, \"%s\", pItem->pTab->zName));\n pItem->addrFillSub = addrTop;\n sqlite3SelectDestInit(&dest, SRT_Coroutine, pItem->regReturn);\n ExplainQueryPlan((pParse, 1, \"CO-ROUTINE %u\", pSub->selId));\n sqlite3Select(pParse, pSub, &dest);\n pItem->pTab->nRowLogEst = pSub->nSelectRow;\n pItem->fg.viaCoroutine = 1;\n pItem->regResult = dest.iSdst;\n sqlite3VdbeEndCoroutine(v, pItem->regReturn);\n sqlite3VdbeJumpHere(v, addrTop-1);\n 
sqlite3ClearTempRegCache(pParse);\n }else{\n /* Generate a subroutine that will fill an ephemeral table with\n ** the content of this subquery. pItem->addrFillSub will point\n ** to the address of the generated subroutine. pItem->regReturn\n ** is a register allocated to hold the subroutine return address\n */\n int topAddr;\n int onceAddr = 0;\n int retAddr;\n struct SrcList_item *pPrior;\n\n testcase( pItem->addrFillSub==0 ); /* Ticket c52b09c7f38903b1311 */\n pItem->regReturn = ++pParse->nMem;\n topAddr = sqlite3VdbeAddOp2(v, OP_Integer, 0, pItem->regReturn);\n pItem->addrFillSub = topAddr+1;\n if( pItem->fg.isCorrelated==0 ){\n /* If the subquery is not correlated and if we are not inside of\n ** a trigger, then we only need to compute the value of the subquery\n ** once. */\n onceAddr = sqlite3VdbeAddOp0(v, OP_Once); VdbeCoverage(v);\n VdbeComment((v, \"materialize \\\"%s\\\"\", pItem->pTab->zName));\n }else{\n VdbeNoopComment((v, \"materialize \\\"%s\\\"\", pItem->pTab->zName));\n }\n pPrior = isSelfJoinView(pTabList, pItem);\n if( pPrior ){\n sqlite3VdbeAddOp2(v, OP_OpenDup, pItem->iCursor, pPrior->iCursor);\n assert( pPrior->pSelect!=0 );\n pSub->nSelectRow = pPrior->pSelect->nSelectRow;\n }else{\n sqlite3SelectDestInit(&dest, SRT_EphemTab, pItem->iCursor);\n ExplainQueryPlan((pParse, 1, \"MATERIALIZE %u\", pSub->selId));\n sqlite3Select(pParse, pSub, &dest);\n }\n pItem->pTab->nRowLogEst = pSub->nSelectRow;\n if( onceAddr ) sqlite3VdbeJumpHere(v, onceAddr);\n retAddr = sqlite3VdbeAddOp1(v, OP_Return, pItem->regReturn);\n VdbeComment((v, \"end %s\", pItem->pTab->zName));\n sqlite3VdbeChangeP1(v, topAddr, retAddr);\n sqlite3ClearTempRegCache(pParse);\n }\n if( db->mallocFailed ) goto select_end;\n pParse->nHeight -= sqlite3SelectExprHeight(p);\n pParse->zAuthContext = zSavedAuthContext;\n#endif\n }\n\n /* Various elements of the SELECT copied into local variables for\n ** convenience */\n pEList = p->pEList;\n pWhere = p->pWhere;\n pGroupBy = p->pGroupBy;\n 
pHaving = p->pHaving;\n sDistinct.isTnct = (p->selFlags & SF_Distinct)!=0;\n\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x400 ){\n SELECTTRACE(0x400,pParse,p,(\"After all FROM-clause analysis:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n\n /* If the query is DISTINCT with an ORDER BY but is not an aggregate, and \n ** if the select-list is the same as the ORDER BY list, then this query\n ** can be rewritten as a GROUP BY. In other words, this:\n **\n ** SELECT DISTINCT xyz FROM ... ORDER BY xyz\n **\n ** is transformed to:\n **\n ** SELECT xyz FROM ... GROUP BY xyz ORDER BY xyz\n **\n ** The second form is preferred as a single index (or temp-table) may be \n ** used for both the ORDER BY and DISTINCT processing. As originally \n ** written the query must use a temp-table for at least one of the ORDER \n ** BY and DISTINCT, and an index or separate temp-table for the other.\n */\n if( (p->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct \n && sqlite3ExprListCompare(sSort.pOrderBy, pEList, -1)==0\n && p->pWin==0\n ){\n p->selFlags &= ~SF_Distinct;\n pGroupBy = p->pGroupBy = sqlite3ExprListDup(db, pEList, 0);\n p->selFlags |= SF_Aggregate;\n /* Notice that even thought SF_Distinct has been cleared from p->selFlags,\n ** the sDistinct.isTnct is still set. Hence, isTnct represents the\n ** original setting of the SF_Distinct flag, not the current setting */\n assert( sDistinct.isTnct );\n\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x400 ){\n SELECTTRACE(0x400,pParse,p,(\"Transform DISTINCT into GROUP BY:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n }\n\n /* If there is an ORDER BY clause, then create an ephemeral index to\n ** do the sorting. But this sorting ephemeral index might end up\n ** being unused if the data can be extracted in pre-sorted order.\n ** If that is the case, then the OP_OpenEphemeral instruction will be\n ** changed to an OP_Noop once we figure out that the sorting index is\n ** not needed. 
The sSort.addrSortIndex variable is used to facilitate\n ** that change.\n */\n if( sSort.pOrderBy ){\n KeyInfo *pKeyInfo;\n pKeyInfo = sqlite3KeyInfoFromExprList(\n pParse, sSort.pOrderBy, 0, pEList->nExpr);\n sSort.iECursor = pParse->nTab++;\n sSort.addrSortIndex =\n sqlite3VdbeAddOp4(v, OP_OpenEphemeral,\n sSort.iECursor, sSort.pOrderBy->nExpr+1+pEList->nExpr, 0,\n (char*)pKeyInfo, P4_KEYINFO\n );\n }else{\n sSort.addrSortIndex = -1;\n }\n\n /* If the output is destined for a temporary table, open that table.\n */\n if( pDest->eDest==SRT_EphemTab ){\n sqlite3VdbeAddOp2(v, OP_OpenEphemeral, pDest->iSDParm, pEList->nExpr);\n }\n\n /* Set the limiter.\n */\n iEnd = sqlite3VdbeMakeLabel(pParse);\n if( (p->selFlags & SF_FixedLimit)==0 ){\n p->nSelectRow = 320; /* 4 billion rows */\n }\n computeLimitRegisters(pParse, p, iEnd);\n if( p->iLimit==0 && sSort.addrSortIndex>=0 ){\n sqlite3VdbeChangeOpcode(v, sSort.addrSortIndex, OP_SorterOpen);\n sSort.sortFlags |= SORTFLAG_UseSorter;\n }\n\n /* Open an ephemeral index to use for the distinct set.\n */\n if( p->selFlags & SF_Distinct ){\n sDistinct.tabTnct = pParse->nTab++;\n sDistinct.addrTnct = sqlite3VdbeAddOp4(v, OP_OpenEphemeral,\n sDistinct.tabTnct, 0, 0,\n (char*)sqlite3KeyInfoFromExprList(pParse, p->pEList,0,0),\n P4_KEYINFO);\n sqlite3VdbeChangeP5(v, BTREE_UNORDERED);\n sDistinct.eTnctType = WHERE_DISTINCT_UNORDERED;\n }else{\n sDistinct.eTnctType = WHERE_DISTINCT_NOOP;\n }\n\n if( !isAgg && pGroupBy==0 ){\n /* No aggregate functions and no GROUP BY clause */\n u16 wctrlFlags = (sDistinct.isTnct ? WHERE_WANT_DISTINCT : 0)\n | (p->selFlags & SF_FixedLimit);\n#ifndef SQLITE_OMIT_WINDOWFUNC\n Window *pWin = p->pWin; /* Master window object (or NULL) */\n if( pWin ){\n sqlite3WindowCodeInit(pParse, p);\n }\n#endif\n assert( WHERE_USE_LIMIT==SF_FixedLimit );\n\n\n /* Begin the database scan. 
*/\n SELECTTRACE(1,pParse,p,(\"WhereBegin\\n\"));\n pWInfo = sqlite3WhereBegin(pParse, pTabList, pWhere, sSort.pOrderBy,\n p->pEList, wctrlFlags, p->nSelectRow);\n if( pWInfo==0 ) goto select_end;\n if( sqlite3WhereOutputRowCount(pWInfo) < p->nSelectRow ){\n p->nSelectRow = sqlite3WhereOutputRowCount(pWInfo);\n }\n if( sDistinct.isTnct && sqlite3WhereIsDistinct(pWInfo) ){\n sDistinct.eTnctType = sqlite3WhereIsDistinct(pWInfo);\n }\n if( sSort.pOrderBy ){\n sSort.nOBSat = sqlite3WhereIsOrdered(pWInfo);\n sSort.labelOBLopt = sqlite3WhereOrderByLimitOptLabel(pWInfo);\n if( sSort.nOBSat==sSort.pOrderBy->nExpr ){\n sSort.pOrderBy = 0;\n }\n }\n\n /* If sorting index that was created by a prior OP_OpenEphemeral \n ** instruction ended up not being needed, then change the OP_OpenEphemeral\n ** into an OP_Noop.\n */\n if( sSort.addrSortIndex>=0 && sSort.pOrderBy==0 ){\n sqlite3VdbeChangeToNoop(v, sSort.addrSortIndex);\n }\n\n assert( p->pEList==pEList );\n#ifndef SQLITE_OMIT_WINDOWFUNC\n if( pWin ){\n int addrGosub = sqlite3VdbeMakeLabel(pParse);\n int iCont = sqlite3VdbeMakeLabel(pParse);\n int iBreak = sqlite3VdbeMakeLabel(pParse);\n int regGosub = ++pParse->nMem;\n\n sqlite3WindowCodeStep(pParse, p, pWInfo, regGosub, addrGosub);\n\n sqlite3VdbeAddOp2(v, OP_Goto, 0, iBreak);\n sqlite3VdbeResolveLabel(v, addrGosub);\n VdbeNoopComment((v, \"inner-loop subroutine\"));\n sSort.labelOBLopt = 0;\n selectInnerLoop(pParse, p, -1, &sSort, &sDistinct, pDest, iCont, iBreak);\n sqlite3VdbeResolveLabel(v, iCont);\n sqlite3VdbeAddOp1(v, OP_Return, regGosub);\n VdbeComment((v, \"end inner-loop subroutine\"));\n sqlite3VdbeResolveLabel(v, iBreak);\n }else\n#endif /* SQLITE_OMIT_WINDOWFUNC */\n {\n /* Use the standard inner loop. 
*/\n selectInnerLoop(pParse, p, -1, &sSort, &sDistinct, pDest,\n sqlite3WhereContinueLabel(pWInfo),\n sqlite3WhereBreakLabel(pWInfo));\n\n /* End the database scan loop.\n */\n sqlite3WhereEnd(pWInfo);\n }\n }else{\n /* This case when there exist aggregate functions or a GROUP BY clause\n ** or both */\n NameContext sNC; /* Name context for processing aggregate information */\n int iAMem; /* First Mem address for storing current GROUP BY */\n int iBMem; /* First Mem address for previous GROUP BY */\n int iUseFlag; /* Mem address holding flag indicating that at least\n ** one row of the input to the aggregator has been\n ** processed */\n int iAbortFlag; /* Mem address which causes query abort if positive */\n int groupBySort; /* Rows come from source in GROUP BY order */\n int addrEnd; /* End of processing for this SELECT */\n int sortPTab = 0; /* Pseudotable used to decode sorting results */\n int sortOut = 0; /* Output register from the sorter */\n int orderByGrp = 0; /* True if the GROUP BY and ORDER BY are the same */\n\n /* Remove any and all aliases between the result set and the\n ** GROUP BY clause.\n */\n if( pGroupBy ){\n int k; /* Loop counter */\n struct ExprList_item *pItem; /* For looping over expression in a list */\n\n for(k=p->pEList->nExpr, pItem=p->pEList->a; k>0; k--, pItem++){\n pItem->u.x.iAlias = 0;\n }\n for(k=pGroupBy->nExpr, pItem=pGroupBy->a; k>0; k--, pItem++){\n pItem->u.x.iAlias = 0;\n }\n assert( 66==sqlite3LogEst(100) );\n if( p->nSelectRow>66 ) p->nSelectRow = 66;\n\n /* If there is both a GROUP BY and an ORDER BY clause and they are\n ** identical, then it may be possible to disable the ORDER BY clause \n ** on the grounds that the GROUP BY will cause elements to come out \n ** in the correct order. It also may not - the GROUP BY might use a\n ** database index that causes rows to be grouped together as required\n ** but not actually sorted. 
Either way, record the fact that the\n ** ORDER BY and GROUP BY clauses are the same by setting the orderByGrp\n ** variable. */\n if( sSort.pOrderBy && pGroupBy->nExpr==sSort.pOrderBy->nExpr ){\n int ii;\n /* The GROUP BY processing doesn't care whether rows are delivered in\n ** ASC or DESC order - only that each group is returned contiguously.\n ** So set the ASC/DESC flags in the GROUP BY to match those in the \n ** ORDER BY to maximize the chances of rows being delivered in an \n ** order that makes the ORDER BY redundant. */\n for(ii=0; iinExpr; ii++){\n u8 sortFlags = sSort.pOrderBy->a[ii].sortFlags & KEYINFO_ORDER_DESC;\n pGroupBy->a[ii].sortFlags = sortFlags;\n }\n if( sqlite3ExprListCompare(pGroupBy, sSort.pOrderBy, -1)==0 ){\n orderByGrp = 1;\n }\n }\n }else{\n assert( 0==sqlite3LogEst(1) );\n p->nSelectRow = 0;\n }\n\n /* Create a label to jump to when we want to abort the query */\n addrEnd = sqlite3VdbeMakeLabel(pParse);\n\n /* Convert TK_COLUMN nodes into TK_AGG_COLUMN and make entries in\n ** sAggInfo for all TK_AGG_FUNCTION nodes in expressions of the\n ** SELECT statement.\n */\n memset(&sNC, 0, sizeof(sNC));\n sNC.pParse = pParse;\n sNC.pSrcList = pTabList;\n sNC.uNC.pAggInfo = &sAggInfo;\n VVA_ONLY( sNC.ncFlags = NC_UAggInfo; )\n sAggInfo.mnReg = pParse->nMem+1;\n sAggInfo.nSortingColumn = pGroupBy ? 
pGroupBy->nExpr : 0;\n sAggInfo.pGroupBy = pGroupBy;\n sqlite3ExprAnalyzeAggList(&sNC, pEList);\n sqlite3ExprAnalyzeAggList(&sNC, sSort.pOrderBy);\n if( pHaving ){\n if( pGroupBy ){\n assert( pWhere==p->pWhere );\n assert( pHaving==p->pHaving );\n assert( pGroupBy==p->pGroupBy );\n havingToWhere(pParse, p);\n pWhere = p->pWhere;\n }\n sqlite3ExprAnalyzeAggregates(&sNC, pHaving);\n }\n sAggInfo.nAccumulator = sAggInfo.nColumn;\n if( p->pGroupBy==0 && p->pHaving==0 && sAggInfo.nFunc==1 ){\n minMaxFlag = minMaxQuery(db, sAggInfo.aFunc[0].pExpr, &pMinMaxOrderBy);\n }else{\n minMaxFlag = WHERE_ORDERBY_NORMAL;\n }\n for(i=0; ix.pList);\n#ifndef SQLITE_OMIT_WINDOWFUNC\n assert( !IsWindowFunc(pExpr) );\n if( ExprHasProperty(pExpr, EP_WinFunc) ){\n sqlite3ExprAnalyzeAggregates(&sNC, pExpr->y.pWin->pFilter);\n }\n#endif\n sNC.ncFlags &= ~NC_InAggFunc;\n }\n sAggInfo.mxReg = pParse->nMem;\n if( db->mallocFailed ) goto select_end;\n#if SELECTTRACE_ENABLED\n if( sqlite3SelectTrace & 0x400 ){\n int ii;\n SELECTTRACE(0x400,pParse,p,(\"After aggregate analysis:\\n\"));\n sqlite3TreeViewSelect(0, p, 0);\n for(ii=0; iinTab++;\n pKeyInfo = sqlite3KeyInfoFromExprList(pParse,pGroupBy,0,sAggInfo.nColumn);\n addrSortingIdx = sqlite3VdbeAddOp4(v, OP_SorterOpen, \n sAggInfo.sortingIdx, sAggInfo.nSortingColumn, \n 0, (char*)pKeyInfo, P4_KEYINFO);\n\n /* Initialize memory locations used by GROUP BY aggregate processing\n */\n iUseFlag = ++pParse->nMem;\n iAbortFlag = ++pParse->nMem;\n regOutputRow = ++pParse->nMem;\n addrOutputRow = sqlite3VdbeMakeLabel(pParse);\n regReset = ++pParse->nMem;\n addrReset = sqlite3VdbeMakeLabel(pParse);\n iAMem = pParse->nMem + 1;\n pParse->nMem += pGroupBy->nExpr;\n iBMem = pParse->nMem + 1;\n pParse->nMem += pGroupBy->nExpr;\n sqlite3VdbeAddOp2(v, OP_Integer, 0, iAbortFlag);\n VdbeComment((v, \"clear abort flag\"));\n sqlite3VdbeAddOp3(v, OP_Null, 0, iAMem, iAMem+pGroupBy->nExpr-1);\n\n /* Begin a loop that will extract all source rows in GROUP BY order.\n ** 
This might involve two separate loops with an OP_Sort in between, or\n ** it might be a single loop that uses an index to extract information\n ** in the right order to begin with.\n */\n sqlite3VdbeAddOp2(v, OP_Gosub, regReset, addrReset);\n SELECTTRACE(1,pParse,p,(\"WhereBegin\\n\"));\n pWInfo = sqlite3WhereBegin(pParse, pTabList, pWhere, pGroupBy, 0,\n WHERE_GROUPBY | (orderByGrp ? WHERE_SORTBYGROUP : 0), 0\n );\n if( pWInfo==0 ) goto select_end;\n if( sqlite3WhereIsOrdered(pWInfo)==pGroupBy->nExpr ){\n /* The optimizer is able to deliver rows in group by order so\n ** we do not have to sort. The OP_OpenEphemeral table will be\n ** cancelled later because we still need to use the pKeyInfo\n */\n groupBySort = 0;\n }else{\n /* Rows are coming out in undetermined order. We have to push\n ** each row into a sorting index, terminate the first loop,\n ** then loop over the sorting index in order to get the output\n ** in sorted order\n */\n int regBase;\n int regRecord;\n int nCol;\n int nGroupBy;\n\n explainTempTable(pParse, \n (sDistinct.isTnct && (p->selFlags&SF_Distinct)==0) ?\n \"DISTINCT\" : \"GROUP BY\");\n\n groupBySort = 1;\n nGroupBy = pGroupBy->nExpr;\n nCol = nGroupBy;\n j = nGroupBy;\n for(i=0; i=j ){\n nCol++;\n j++;\n }\n }\n regBase = sqlite3GetTempRange(pParse, nCol);\n sqlite3ExprCodeExprList(pParse, pGroupBy, regBase, 0, 0);\n j = nGroupBy;\n for(i=0; iiSorterColumn>=j ){\n int r1 = j + regBase;\n sqlite3ExprCodeGetColumnOfTable(v,\n pCol->pTab, pCol->iTable, pCol->iColumn, r1);\n j++;\n }\n }\n regRecord = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp3(v, OP_MakeRecord, regBase, nCol, regRecord);\n sqlite3VdbeAddOp2(v, OP_SorterInsert, sAggInfo.sortingIdx, regRecord);\n sqlite3ReleaseTempReg(pParse, regRecord);\n sqlite3ReleaseTempRange(pParse, regBase, nCol);\n sqlite3WhereEnd(pWInfo);\n sAggInfo.sortingIdxPTab = sortPTab = pParse->nTab++;\n sortOut = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp3(v, OP_OpenPseudo, sortPTab, sortOut, nCol);\n 
sqlite3VdbeAddOp2(v, OP_SorterSort, sAggInfo.sortingIdx, addrEnd);\n VdbeComment((v, \"GROUP BY sort\")); VdbeCoverage(v);\n sAggInfo.useSortingIdx = 1;\n }\n\n /* If the index or temporary table used by the GROUP BY sort\n ** will naturally deliver rows in the order required by the ORDER BY\n ** clause, cancel the ephemeral table open coded earlier.\n **\n ** This is an optimization - the correct answer should result regardless.\n ** Use the SQLITE_GroupByOrder flag with SQLITE_TESTCTRL_OPTIMIZER to \n ** disable this optimization for testing purposes. */\n if( orderByGrp && OptimizationEnabled(db, SQLITE_GroupByOrder) \n && (groupBySort || sqlite3WhereIsSorted(pWInfo))\n ){\n sSort.pOrderBy = 0;\n sqlite3VdbeChangeToNoop(v, sSort.addrSortIndex);\n }\n\n /* Evaluate the current GROUP BY terms and store in b0, b1, b2...\n ** (b0 is memory location iBMem+0, b1 is iBMem+1, and so forth)\n ** Then compare the current GROUP BY terms against the GROUP BY terms\n ** from the previous row currently stored in a0, a1, a2...\n */\n addrTopOfLoop = sqlite3VdbeCurrentAddr(v);\n if( groupBySort ){\n sqlite3VdbeAddOp3(v, OP_SorterData, sAggInfo.sortingIdx,\n sortOut, sortPTab);\n }\n for(j=0; jnExpr; j++){\n if( groupBySort ){\n sqlite3VdbeAddOp3(v, OP_Column, sortPTab, j, iBMem+j);\n }else{\n sAggInfo.directMode = 1;\n sqlite3ExprCode(pParse, pGroupBy->a[j].pExpr, iBMem+j);\n }\n }\n sqlite3VdbeAddOp4(v, OP_Compare, iAMem, iBMem, pGroupBy->nExpr,\n (char*)sqlite3KeyInfoRef(pKeyInfo), P4_KEYINFO);\n addr1 = sqlite3VdbeCurrentAddr(v);\n sqlite3VdbeAddOp3(v, OP_Jump, addr1+1, 0, addr1+1); VdbeCoverage(v);\n\n /* Generate code that runs whenever the GROUP BY changes.\n ** Changes in the GROUP BY are detected by the previous code\n ** block. If there were no changes, this block is skipped.\n **\n ** This code copies current group by terms in b0,b1,b2,...\n ** over to a0,a1,a2. 
It then calls the output subroutine\n ** and resets the aggregate accumulator registers in preparation\n ** for the next GROUP BY batch.\n */\n sqlite3ExprCodeMove(pParse, iBMem, iAMem, pGroupBy->nExpr);\n sqlite3VdbeAddOp2(v, OP_Gosub, regOutputRow, addrOutputRow);\n VdbeComment((v, \"output one row\"));\n sqlite3VdbeAddOp2(v, OP_IfPos, iAbortFlag, addrEnd); VdbeCoverage(v);\n VdbeComment((v, \"check abort flag\"));\n sqlite3VdbeAddOp2(v, OP_Gosub, regReset, addrReset);\n VdbeComment((v, \"reset accumulator\"));\n\n /* Update the aggregate accumulators based on the content of\n ** the current row\n */\n sqlite3VdbeJumpHere(v, addr1);\n updateAccumulator(pParse, iUseFlag, &sAggInfo);\n sqlite3VdbeAddOp2(v, OP_Integer, 1, iUseFlag);\n VdbeComment((v, \"indicate data in accumulator\"));\n\n /* End of the loop\n */\n if( groupBySort ){\n sqlite3VdbeAddOp2(v, OP_SorterNext, sAggInfo.sortingIdx, addrTopOfLoop);\n VdbeCoverage(v);\n }else{\n sqlite3WhereEnd(pWInfo);\n sqlite3VdbeChangeToNoop(v, addrSortingIdx);\n }\n\n /* Output the final row of result\n */\n sqlite3VdbeAddOp2(v, OP_Gosub, regOutputRow, addrOutputRow);\n VdbeComment((v, \"output final row\"));\n\n /* Jump over the subroutines\n */\n sqlite3VdbeGoto(v, addrEnd);\n\n /* Generate a subroutine that outputs a single row of the result\n ** set. This subroutine first looks at the iUseFlag. If iUseFlag\n ** is less than or equal to zero, the subroutine is a no-op. 
If\n ** the processing calls for the query to abort, this subroutine\n ** increments the iAbortFlag memory location before returning in\n ** order to signal the caller to abort.\n */\n addrSetAbort = sqlite3VdbeCurrentAddr(v);\n sqlite3VdbeAddOp2(v, OP_Integer, 1, iAbortFlag);\n VdbeComment((v, \"set abort flag\"));\n sqlite3VdbeAddOp1(v, OP_Return, regOutputRow);\n sqlite3VdbeResolveLabel(v, addrOutputRow);\n addrOutputRow = sqlite3VdbeCurrentAddr(v);\n sqlite3VdbeAddOp2(v, OP_IfPos, iUseFlag, addrOutputRow+2);\n VdbeCoverage(v);\n VdbeComment((v, \"Groupby result generator entry point\"));\n sqlite3VdbeAddOp1(v, OP_Return, regOutputRow);\n finalizeAggFunctions(pParse, &sAggInfo);\n sqlite3ExprIfFalse(pParse, pHaving, addrOutputRow+1, SQLITE_JUMPIFNULL);\n selectInnerLoop(pParse, p, -1, &sSort,\n &sDistinct, pDest,\n addrOutputRow+1, addrSetAbort);\n sqlite3VdbeAddOp1(v, OP_Return, regOutputRow);\n VdbeComment((v, \"end groupby result generator\"));\n\n /* Generate a subroutine that will reset the group-by accumulator\n */\n sqlite3VdbeResolveLabel(v, addrReset);\n resetAccumulator(pParse, &sAggInfo);\n sqlite3VdbeAddOp2(v, OP_Integer, 0, iUseFlag);\n VdbeComment((v, \"indicate accumulator empty\"));\n sqlite3VdbeAddOp1(v, OP_Return, regReset);\n \n } /* endif pGroupBy. Begin aggregate queries without GROUP BY: */\n else {\n#ifndef SQLITE_OMIT_BTREECOUNT\n Table *pTab;\n if( (pTab = isSimpleCount(p, &sAggInfo))!=0 ){\n /* If isSimpleCount() returns a pointer to a Table structure, then\n ** the SQL statement is of the form:\n **\n ** SELECT count(*) FROM \n **\n ** where the Table structure returned represents table .\n **\n ** This statement is so common that it is optimized specially. The\n ** OP_Count instruction is executed either on the intkey table that\n ** contains the data for table or on one of its indexes. 
It\n ** is better to execute the op on an index, as indexes are almost\n ** always spread across less pages than their corresponding tables.\n */\n const int iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);\n const int iCsr = pParse->nTab++; /* Cursor to scan b-tree */\n Index *pIdx; /* Iterator variable */\n KeyInfo *pKeyInfo = 0; /* Keyinfo for scanned index */\n Index *pBest = 0; /* Best index found so far */\n int iRoot = pTab->tnum; /* Root page of scanned b-tree */\n\n sqlite3CodeVerifySchema(pParse, iDb);\n sqlite3TableLock(pParse, iDb, pTab->tnum, 0, pTab->zName);\n\n /* Search for the index that has the lowest scan cost.\n **\n ** (2011-04-15) Do not do a full scan of an unordered index.\n **\n ** (2013-10-03) Do not count the entries in a partial index.\n **\n ** In practice the KeyInfo structure will not be used. It is only \n ** passed to keep OP_OpenRead happy.\n */\n if( !HasRowid(pTab) ) pBest = sqlite3PrimaryKeyIndex(pTab);\n for(pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext){\n if( pIdx->bUnordered==0\n && pIdx->szIdxRowszTabRow\n && pIdx->pPartIdxWhere==0\n && (!pBest || pIdx->szIdxRowszIdxRow)\n ){\n pBest = pIdx;\n }\n }\n if( pBest ){\n iRoot = pBest->tnum;\n pKeyInfo = sqlite3KeyInfoOfIndex(pParse, pBest);\n }\n\n /* Open a read-only cursor, execute the OP_Count, close the cursor. */\n sqlite3VdbeAddOp4Int(v, OP_OpenRead, iCsr, iRoot, iDb, 1);\n if( pKeyInfo ){\n sqlite3VdbeChangeP4(v, -1, (char *)pKeyInfo, P4_KEYINFO);\n }\n sqlite3VdbeAddOp2(v, OP_Count, iCsr, sAggInfo.aFunc[0].iMem);\n sqlite3VdbeAddOp1(v, OP_Close, iCsr);\n explainSimpleCount(pParse, pTab, pBest);\n }else\n#endif /* SQLITE_OMIT_BTREECOUNT */\n {\n int regAcc = 0; /* \"populate accumulators\" flag */\n\n /* If there are accumulator registers but no min() or max() functions\n ** without FILTER clauses, allocate register regAcc. 
Register regAcc\n ** will contain 0 the first time the inner loop runs, and 1 thereafter.\n ** The code generated by updateAccumulator() uses this to ensure\n ** that the accumulator registers are (a) updated only once if\n ** there are no min() or max functions or (b) always updated for the\n ** first row visited by the aggregate, so that they are updated at\n ** least once even if the FILTER clause means the min() or max() \n ** function visits zero rows. */\n if( sAggInfo.nAccumulator ){\n for(i=0; ifuncFlags&SQLITE_FUNC_NEEDCOLL ) break;\n }\n if( i==sAggInfo.nFunc ){\n regAcc = ++pParse->nMem;\n sqlite3VdbeAddOp2(v, OP_Integer, 0, regAcc);\n }\n }\n\n /* This case runs if the aggregate has no GROUP BY clause. The\n ** processing is much simpler since there is only a single row\n ** of output.\n */\n assert( p->pGroupBy==0 );\n resetAccumulator(pParse, &sAggInfo);\n\n /* If this query is a candidate for the min/max optimization, then\n ** minMaxFlag will have been previously set to either\n ** WHERE_ORDERBY_MIN or WHERE_ORDERBY_MAX and pMinMaxOrderBy will\n ** be an appropriate ORDER BY expression for the optimization.\n */\n assert( minMaxFlag==WHERE_ORDERBY_NORMAL || pMinMaxOrderBy!=0 );\n assert( pMinMaxOrderBy==0 || pMinMaxOrderBy->nExpr==1 );\n\n SELECTTRACE(1,pParse,p,(\"WhereBegin\\n\"));\n pWInfo = sqlite3WhereBegin(pParse, pTabList, pWhere, pMinMaxOrderBy,\n 0, minMaxFlag, 0);\n if( pWInfo==0 ){\n goto select_end;\n }\n updateAccumulator(pParse, regAcc, &sAggInfo);\n if( regAcc ) sqlite3VdbeAddOp2(v, OP_Integer, 1, regAcc);\n if( sqlite3WhereIsOrdered(pWInfo)>0 ){\n sqlite3VdbeGoto(v, sqlite3WhereBreakLabel(pWInfo));\n VdbeComment((v, \"%s() by index\",\n (minMaxFlag==WHERE_ORDERBY_MIN?\"min\":\"max\")));\n }\n sqlite3WhereEnd(pWInfo);\n finalizeAggFunctions(pParse, &sAggInfo);\n }\n\n sSort.pOrderBy = 0;\n sqlite3ExprIfFalse(pParse, pHaving, addrEnd, SQLITE_JUMPIFNULL);\n selectInnerLoop(pParse, p, -1, 0, 0, \n pDest, addrEnd, addrEnd);\n }\n 
sqlite3VdbeResolveLabel(v, addrEnd);\n \n } /* endif aggregate query */\n\n if( sDistinct.eTnctType==WHERE_DISTINCT_UNORDERED ){\n explainTempTable(pParse, \"DISTINCT\");\n }\n\n /* If there is an ORDER BY clause, then we need to sort the results\n ** and send them to the callback one by one.\n */\n if( sSort.pOrderBy ){\n explainTempTable(pParse,\n sSort.nOBSat>0 ? \"RIGHT PART OF ORDER BY\":\"ORDER BY\");\n assert( p->pEList==pEList );\n generateSortTail(pParse, p, &sSort, pEList->nExpr, pDest);\n }\n\n /* Jump here to skip this query\n */\n sqlite3VdbeResolveLabel(v, iEnd);\n\n /* The SELECT has been coded. If there is an error in the Parse structure,\n ** set the return code to 1. Otherwise 0. */\n rc = (pParse->nErr>0);\n\n /* Control jumps to here if an error is encountered above, or upon\n ** successful coding of the SELECT.\n */\nselect_end:\n sqlite3ExprListDelete(db, pMinMaxOrderBy);\n sqlite3DbFree(db, sAggInfo.aCol);\n sqlite3DbFree(db, sAggInfo.aFunc);\n#if SELECTTRACE_ENABLED\n SELECTTRACE(0x1,pParse,p,(\"end processing\\n\"));\n if( (sqlite3SelectTrace & 0x2000)!=0 && ExplainQueryPlanParent(pParse)==0 ){\n sqlite3TreeViewSelect(0, p, 0);\n }\n#endif\n ExplainQueryPlanPop(pParse);\n return rc;\n}", "project": "sqlite", "hash": 49789135348208346391755731524477191422, "size": 1064, "commit_id": "39df24a3f02495e5ef6bb5ea8ce029a2c1e377e6", "message": "Do not allow the constant-propagation optimization to apple to ON/USING clause\nterms as it does not help and it might cause downstream problems.\n\nFossilOrigin-Name: 1bc783da63d58b05c690468b569cb2787846357b63c1100d11777666c5787bf4", "target": 0, "dataset": "other", "idx": 393393 }, { "func": "static void sqlite3SelectAddTypeInfo(Parse *pParse, Select *pSelect){\n#ifndef SQLITE_OMIT_SUBQUERY\n Walker w;\n w.xSelectCallback = sqlite3SelectWalkNoop;\n w.xSelectCallback2 = selectAddSubqueryTypeInfo;\n w.xExprCallback = sqlite3ExprWalkNoop;\n w.pParse = pParse;\n sqlite3WalkSelect(&w, pSelect);\n#endif\n}", 
"project": "sqlite", "hash": 40265831802304252649355716930317997790, "size": 10, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246181 }, { "func": "static void constInsert(\n WhereConst *pConst, /* The WhereConst into which we are inserting */\n Expr *pColumn, /* The COLUMN part of the constraint */\n Expr *pValue, /* The VALUE part of the constraint */\n Expr *pExpr /* Overall expression: COLUMN=VALUE or VALUE=COLUMN */\n){\n int i;\n assert( pColumn->op==TK_COLUMN );\n assert( sqlite3ExprIsConstant(pValue) );\n\n if( ExprHasProperty(pColumn, EP_FixedCol) ) return;\n if( sqlite3ExprAffinity(pValue)!=0 ) return;\n if( !sqlite3IsBinary(sqlite3ExprCompareCollSeq(pConst->pParse,pExpr)) ){\n return;\n }\n\n /* 2018-10-25 ticket [cf5ed20f]\n ** Make sure the same pColumn is not inserted more than once */\n for(i=0; inConst; i++){\n const Expr *pE2 = pConst->apExpr[i*2];\n assert( pE2->op==TK_COLUMN );\n if( pE2->iTable==pColumn->iTable\n && pE2->iColumn==pColumn->iColumn\n ){\n return; /* Already present. Return without doing anything. 
*/\n }\n }\n\n pConst->nConst++;\n pConst->apExpr = sqlite3DbReallocOrFree(pConst->pParse->db, pConst->apExpr,\n pConst->nConst*2*sizeof(Expr*));\n if( pConst->apExpr==0 ){\n pConst->nConst = 0;\n }else{\n pConst->apExpr[pConst->nConst*2-2] = pColumn;\n pConst->apExpr[pConst->nConst*2-1] = pValue;\n }\n}", "project": "sqlite", "hash": 8701658902591393504342947939544950945, "size": 38, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246136 }, { "func": "static void constInsert(\n WhereConst *pConst, /* The WhereConst into which we are inserting */\n Expr *pColumn, /* The COLUMN part of the constraint */\n Expr *pValue /* The VALUE part of the constraint */\n){\n int i;\n assert( pColumn->op==TK_COLUMN );\n\n /* 2018-10-25 ticket [cf5ed20f]\n ** Make sure the same pColumn is not inserted more than once */\n for(i=0; inConst; i++){\n const Expr *pExpr = pConst->apExpr[i*2];\n assert( pExpr->op==TK_COLUMN );\n if( pExpr->iTable==pColumn->iTable\n && pExpr->iColumn==pColumn->iColumn\n ){\n return; /* Already present. Return without doing anything. */\n }\n }\n\n pConst->nConst++;\n pConst->apExpr = sqlite3DbReallocOrFree(pConst->pParse->db, pConst->apExpr,\n pConst->nConst*2*sizeof(Expr*));\n if( pConst->apExpr==0 ){\n pConst->nConst = 0;\n }else{\n if( ExprHasProperty(pValue, EP_FixedCol) ) pValue = pValue->pLeft;\n pConst->apExpr[pConst->nConst*2-2] = pColumn;\n pConst->apExpr[pConst->nConst*2-1] = pValue;\n }\n}", "project": "sqlite", "hash": 85805507566142328838200252960465900320, "size": 31, "commit_id": "a6c1a71cde082e09750465d5675699062922e387", "message": "Do not attempt to unwind the WITH stack in the Parse object following an error. 
This fixes a separate case to [de6e6d68].\n\nFossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92", "target": 0, "dataset": "other", "idx": 356311 }, { "func": "static void constInsert(\n WhereConst *pConst, /* The WhereConst into which we are inserting */\n Expr *pColumn, /* The COLUMN part of the constraint */\n Expr *pValue, /* The VALUE part of the constraint */\n Expr *pExpr /* Overall expression: COLUMN=VALUE or VALUE=COLUMN */\n){\n int i;\n assert( pColumn->op==TK_COLUMN );\n assert( sqlite3ExprIsConstant(pValue) );\n\n if( !ExprHasProperty(pValue, EP_FixedCol) && sqlite3ExprAffinity(pValue)!=0 ){\n return;\n }\n if( !sqlite3IsBinary(sqlite3ExprCompareCollSeq(pConst->pParse,pExpr)) ){\n return;\n }\n\n /* 2018-10-25 ticket [cf5ed20f]\n ** Make sure the same pColumn is not inserted more than once */\n for(i=0; inConst; i++){\n const Expr *pE2 = pConst->apExpr[i*2];\n assert( pE2->op==TK_COLUMN );\n if( pE2->iTable==pColumn->iTable\n && pE2->iColumn==pColumn->iColumn\n ){\n return; /* Already present. Return without doing anything. 
*/\n }\n }\n\n pConst->nConst++;\n pConst->apExpr = sqlite3DbReallocOrFree(pConst->pParse->db, pConst->apExpr,\n pConst->nConst*2*sizeof(Expr*));\n if( pConst->apExpr==0 ){\n pConst->nConst = 0;\n }else{\n if( ExprHasProperty(pValue, EP_FixedCol) ){\n pValue = pValue->pLeft;\n }\n pConst->apExpr[pConst->nConst*2-2] = pColumn;\n pConst->apExpr[pConst->nConst*2-1] = pValue;\n }\n}", "project": "sqlite", "hash": 246627192045639071493473485183961346637, "size": 42, "commit_id": "39df24a3f02495e5ef6bb5ea8ce029a2c1e377e6", "message": "Do not allow the constant-propagation optimization to apple to ON/USING clause\nterms as it does not help and it might cause downstream problems.\n\nFossilOrigin-Name: 1bc783da63d58b05c690468b569cb2787846357b63c1100d11777666c5787bf4", "target": 0, "dataset": "other", "idx": 393389 }, { "func": "void sqlite3VdbeVerifyAbortable(Vdbe *p, int onError){\n if( onError==OE_Abort ) sqlite3VdbeAddOp0(p, OP_Abortable);\n}", "project": "sqlite", "hash": 47821009251272677849111602407458122245, "size": 3, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378493 }, { "func": "int ArraySize(const Dims& array, int index) {\n TFLITE_DCHECK(index >= 0 && index < N);\n return array.sizes[index];\n}", "project": "tensorflow", "hash": 34015514687197236380796821033149146932, "size": 4, "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d", "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4", "target": 0, "dataset": "other", "idx": 269157 }, { "func": "static void windowReturnOneRow(WindowCodeArg *p){\n Window *pMWin = p->pMWin;\n Vdbe *v = p->pVdbe;\n\n if( pMWin->regStartRowid ){\n windowFullScan(p);\n }else{\n Parse *pParse = p->pParse;\n Window *pWin;\n\n for(pWin=pMWin; pWin; pWin=pWin->pNextWin){\n FuncDef *pFunc = pWin->pFunc;\n if( pFunc->zName==nth_valueName\n || pFunc->zName==first_valueName\n ){\n int csr = pWin->csrApp;\n int lbl = sqlite3VdbeMakeLabel(pParse);\n int tmpReg = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp2(v, OP_Null, 0, pWin->regResult);\n \n if( pFunc->zName==nth_valueName ){\n sqlite3VdbeAddOp3(v, OP_Column,pMWin->iEphCsr,pWin->iArgCol+1,tmpReg);\n windowCheckValue(pParse, tmpReg, 2);\n }else{\n sqlite3VdbeAddOp2(v, OP_Integer, 1, tmpReg);\n }\n sqlite3VdbeAddOp3(v, OP_Add, tmpReg, pWin->regApp, tmpReg);\n sqlite3VdbeAddOp3(v, 
OP_Gt, pWin->regApp+1, lbl, tmpReg);\n VdbeCoverageNeverNull(v);\n sqlite3VdbeAddOp3(v, OP_SeekRowid, csr, 0, tmpReg);\n VdbeCoverageNeverTaken(v);\n sqlite3VdbeAddOp3(v, OP_Column, csr, pWin->iArgCol, pWin->regResult);\n sqlite3VdbeResolveLabel(v, lbl);\n sqlite3ReleaseTempReg(pParse, tmpReg);\n }\n else if( pFunc->zName==leadName || pFunc->zName==lagName ){\n int nArg = pWin->pOwner->x.pList->nExpr;\n int csr = pWin->csrApp;\n int lbl = sqlite3VdbeMakeLabel(pParse);\n int tmpReg = sqlite3GetTempReg(pParse);\n int iEph = pMWin->iEphCsr;\n \n if( nArg<3 ){\n sqlite3VdbeAddOp2(v, OP_Null, 0, pWin->regResult);\n }else{\n sqlite3VdbeAddOp3(v, OP_Column, iEph,pWin->iArgCol+2,pWin->regResult);\n }\n sqlite3VdbeAddOp2(v, OP_Rowid, iEph, tmpReg);\n if( nArg<2 ){\n int val = (pFunc->zName==leadName ? 1 : -1);\n sqlite3VdbeAddOp2(v, OP_AddImm, tmpReg, val);\n }else{\n int op = (pFunc->zName==leadName ? OP_Add : OP_Subtract);\n int tmpReg2 = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp3(v, OP_Column, iEph, pWin->iArgCol+1, tmpReg2);\n sqlite3VdbeAddOp3(v, op, tmpReg2, tmpReg, tmpReg);\n sqlite3ReleaseTempReg(pParse, tmpReg2);\n }\n \n sqlite3VdbeAddOp3(v, OP_SeekRowid, csr, lbl, tmpReg);\n VdbeCoverage(v);\n sqlite3VdbeAddOp3(v, OP_Column, csr, pWin->iArgCol, pWin->regResult);\n sqlite3VdbeResolveLabel(v, lbl);\n sqlite3ReleaseTempReg(pParse, tmpReg);\n }\n }\n }\n sqlite3VdbeAddOp2(v, OP_Gosub, p->regGosub, p->addrGosub);\n}", "project": "sqlite", "hash": 129345712068111361989004882340318275607, "size": 69, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378500 }, { "func": "static void findConstInWhere(WhereConst *pConst, Expr *pExpr){\n Expr *pRight, *pLeft;\n if( pExpr==0 ) return;\n if( ExprHasProperty(pExpr, EP_FromJoin) ) return;\n if( pExpr->op==TK_AND ){\n findConstInWhere(pConst, pExpr->pRight);\n findConstInWhere(pConst, pExpr->pLeft);\n return;\n }\n if( pExpr->op!=TK_EQ ) return;\n pRight = pExpr->pRight;\n pLeft = pExpr->pLeft;\n assert( pRight!=0 );\n assert( pLeft!=0 );\n if( pRight->op==TK_COLUMN && sqlite3ExprIsConstant(pLeft) ){\n constInsert(pConst,pRight,pLeft,pExpr);\n }\n if( pLeft->op==TK_COLUMN && sqlite3ExprIsConstant(pRight) ){\n constInsert(pConst,pLeft,pRight,pExpr);\n }\n}", "project": "sqlite", "hash": 12124088695982405015244464369704559141, "size": 21, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246190 }, { "func": "static void findConstInWhere(WhereConst *pConst, Expr *pExpr){\n Expr *pRight, *pLeft;\n if( pExpr==0 ) return;\n if( ExprHasProperty(pExpr, EP_FromJoin) ) return;\n if( pExpr->op==TK_AND ){\n findConstInWhere(pConst, pExpr->pRight);\n findConstInWhere(pConst, pExpr->pLeft);\n return;\n }\n if( pExpr->op!=TK_EQ ) return;\n pRight = pExpr->pRight;\n pLeft = pExpr->pLeft;\n assert( pRight!=0 );\n assert( pLeft!=0 );\n if( pRight->op==TK_COLUMN\n && !ExprHasProperty(pRight, EP_FixedCol)\n && sqlite3ExprIsConstant(pLeft)\n && sqlite3IsBinary(sqlite3ExprCompareCollSeq(pConst->pParse,pExpr))\n ){\n constInsert(pConst, pRight, pLeft);\n }else\n if( pLeft->op==TK_COLUMN\n && !ExprHasProperty(pLeft, EP_FixedCol)\n && sqlite3ExprIsConstant(pRight)\n && 
sqlite3IsBinary(sqlite3ExprCompareCollSeq(pConst->pParse,pExpr))\n ){\n constInsert(pConst, pLeft, pRight);\n }\n}", "project": "sqlite", "hash": 122427144324109880471680260935731524550, "size": 29, "commit_id": "a6c1a71cde082e09750465d5675699062922e387", "message": "Do not attempt to unwind the WITH stack in the Parse object following an error. This fixes a separate case to [de6e6d68].\n\nFossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92", "target": 0, "dataset": "other", "idx": 356310 }, { "func": "int sqlite3VdbeFinalize(Vdbe *p){\n int rc = SQLITE_OK;\n if( p->magic==VDBE_MAGIC_RUN || p->magic==VDBE_MAGIC_HALT ){\n rc = sqlite3VdbeReset(p);\n assert( (rc & p->db->errMask)==rc );\n }\n sqlite3VdbeDelete(p);\n return rc;\n}", "project": "sqlite", "hash": 214934379129159093627102977832395708607, "size": 9, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378648 }, { "func": "void sqlite3WindowCodeInit(Parse *pParse, Window *pMWin){\n Window *pWin;\n Vdbe *v = sqlite3GetVdbe(pParse);\n\n /* Allocate registers to use for PARTITION BY values, if any. Initialize\n ** said registers to NULL. 
*/\n if( pMWin->pPartition ){\n int nExpr = pMWin->pPartition->nExpr;\n pMWin->regPart = pParse->nMem+1;\n pParse->nMem += nExpr;\n sqlite3VdbeAddOp3(v, OP_Null, 0, pMWin->regPart, pMWin->regPart+nExpr-1);\n }\n\n pMWin->regOne = ++pParse->nMem;\n sqlite3VdbeAddOp2(v, OP_Integer, 1, pMWin->regOne);\n\n if( pMWin->eExclude ){\n pMWin->regStartRowid = ++pParse->nMem;\n pMWin->regEndRowid = ++pParse->nMem;\n pMWin->csrApp = pParse->nTab++;\n sqlite3VdbeAddOp2(v, OP_Integer, 1, pMWin->regStartRowid);\n sqlite3VdbeAddOp2(v, OP_Integer, 0, pMWin->regEndRowid);\n sqlite3VdbeAddOp2(v, OP_OpenDup, pMWin->csrApp, pMWin->iEphCsr);\n return;\n }\n\n for(pWin=pMWin; pWin; pWin=pWin->pNextWin){\n FuncDef *p = pWin->pFunc;\n if( (p->funcFlags & SQLITE_FUNC_MINMAX) && pWin->eStart!=TK_UNBOUNDED ){\n /* The inline versions of min() and max() require a single ephemeral\n ** table and 3 registers. The registers are used as follows:\n **\n ** regApp+0: slot to copy min()/max() argument to for MakeRecord\n ** regApp+1: integer value used to ensure keys are unique\n ** regApp+2: output of MakeRecord\n */\n ExprList *pList = pWin->pOwner->x.pList;\n KeyInfo *pKeyInfo = sqlite3KeyInfoFromExprList(pParse, pList, 0, 0);\n pWin->csrApp = pParse->nTab++;\n pWin->regApp = pParse->nMem+1;\n pParse->nMem += 3;\n if( pKeyInfo && pWin->pFunc->zName[1]=='i' ){\n assert( pKeyInfo->aSortFlags[0]==0 );\n pKeyInfo->aSortFlags[0] = KEYINFO_ORDER_DESC;\n }\n sqlite3VdbeAddOp2(v, OP_OpenEphemeral, pWin->csrApp, 2);\n sqlite3VdbeAppendP4(v, pKeyInfo, P4_KEYINFO);\n sqlite3VdbeAddOp2(v, OP_Integer, 0, pWin->regApp+1);\n }\n else if( p->zName==nth_valueName || p->zName==first_valueName ){\n /* Allocate two registers at pWin->regApp. These will be used to\n ** store the start and end index of the current frame. 
*/\n pWin->regApp = pParse->nMem+1;\n pWin->csrApp = pParse->nTab++;\n pParse->nMem += 2;\n sqlite3VdbeAddOp2(v, OP_OpenDup, pWin->csrApp, pMWin->iEphCsr);\n }\n else if( p->zName==leadName || p->zName==lagName ){\n pWin->csrApp = pParse->nTab++;\n sqlite3VdbeAddOp2(v, OP_OpenDup, pWin->csrApp, pMWin->iEphCsr);\n }\n }\n}", "project": "sqlite", "hash": 108809579602314091418532353958839865415, "size": 63, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378658 }, { "func": "int sqlite3VdbeAddFunctionCall(\n Parse *pParse, /* Parsing context */\n int p1, /* Constant argument mask */\n int p2, /* First argument register */\n int p3, /* Register into which results are written */\n int nArg, /* Number of argument */\n const FuncDef *pFunc, /* The function to be invoked */\n int eCallCtx /* Calling context */\n){\n Vdbe *v = pParse->pVdbe;\n int nByte;\n int addr;\n sqlite3_context *pCtx;\n assert( v );\n nByte = sizeof(*pCtx) + (nArg-1)*sizeof(sqlite3_value*);\n pCtx = sqlite3DbMallocRawNN(pParse->db, nByte);\n if( pCtx==0 ){\n assert( pParse->db->mallocFailed );\n freeEphemeralFunction(pParse->db, (FuncDef*)pFunc);\n return 0;\n }\n pCtx->pOut = 0;\n pCtx->pFunc = (FuncDef*)pFunc;\n pCtx->pVdbe = 0;\n pCtx->isError = 0;\n pCtx->argc = nArg;\n pCtx->iOp = sqlite3VdbeCurrentAddr(v);\n addr = sqlite3VdbeAddOp4(v, eCallCtx ? 
OP_PureFunc : OP_Function,\n p1, p2, p3, (char*)pCtx, P4_FUNCCTX);\n sqlite3VdbeChangeP5(v, eCallCtx & NC_SelfRef);\n return addr;\n}", "project": "sqlite", "hash": 119871076081114327594394653031738373275, "size": 32, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378481 }, { "func": "static int windowCodeOp(\n WindowCodeArg *p, /* Context object */\n int op, /* WINDOW_RETURN_ROW, AGGSTEP or AGGINVERSE */\n int regCountdown, /* Register for OP_IfPos countdown */\n int jumpOnEof /* Jump here if stepped cursor reaches EOF */\n){\n int csr, reg;\n Parse *pParse = p->pParse;\n Window *pMWin = p->pMWin;\n int ret = 0;\n Vdbe *v = p->pVdbe;\n int addrContinue = 0;\n int bPeer = (pMWin->eFrmType!=TK_ROWS);\n\n int lblDone = sqlite3VdbeMakeLabel(pParse);\n int addrNextRange = 0;\n\n /* Special case - WINDOW_AGGINVERSE is always a no-op if the frame\n ** starts with UNBOUNDED PRECEDING. 
*/\n if( op==WINDOW_AGGINVERSE && pMWin->eStart==TK_UNBOUNDED ){\n assert( regCountdown==0 && jumpOnEof==0 );\n return 0;\n }\n\n if( regCountdown>0 ){\n if( pMWin->eFrmType==TK_RANGE ){\n addrNextRange = sqlite3VdbeCurrentAddr(v);\n assert( op==WINDOW_AGGINVERSE || op==WINDOW_AGGSTEP );\n if( op==WINDOW_AGGINVERSE ){\n if( pMWin->eStart==TK_FOLLOWING ){\n windowCodeRangeTest(\n p, OP_Le, p->current.csr, regCountdown, p->start.csr, lblDone\n );\n }else{\n windowCodeRangeTest(\n p, OP_Ge, p->start.csr, regCountdown, p->current.csr, lblDone\n );\n }\n }else{\n windowCodeRangeTest(\n p, OP_Gt, p->end.csr, regCountdown, p->current.csr, lblDone\n );\n }\n }else{\n sqlite3VdbeAddOp3(v, OP_IfPos, regCountdown, lblDone, 1);\n VdbeCoverage(v);\n }\n }\n\n if( op==WINDOW_RETURN_ROW && pMWin->regStartRowid==0 ){\n windowAggFinal(p, 0);\n }\n addrContinue = sqlite3VdbeCurrentAddr(v);\n\n /* If this is a (RANGE BETWEEN a FOLLOWING AND b FOLLOWING) or\n ** (RANGE BETWEEN b PRECEDING AND a PRECEDING) frame, ensure the \n ** start cursor does not advance past the end cursor within the \n ** temporary table. It otherwise might, if (a>b). 
*/\n if( pMWin->eStart==pMWin->eEnd && regCountdown\n && pMWin->eFrmType==TK_RANGE && op==WINDOW_AGGINVERSE\n ){\n int regRowid1 = sqlite3GetTempReg(pParse);\n int regRowid2 = sqlite3GetTempReg(pParse);\n sqlite3VdbeAddOp2(v, OP_Rowid, p->start.csr, regRowid1);\n sqlite3VdbeAddOp2(v, OP_Rowid, p->end.csr, regRowid2);\n sqlite3VdbeAddOp3(v, OP_Ge, regRowid2, lblDone, regRowid1);\n VdbeCoverage(v);\n sqlite3ReleaseTempReg(pParse, regRowid1);\n sqlite3ReleaseTempReg(pParse, regRowid2);\n assert( pMWin->eStart==TK_PRECEDING || pMWin->eStart==TK_FOLLOWING );\n }\n\n switch( op ){\n case WINDOW_RETURN_ROW:\n csr = p->current.csr;\n reg = p->current.reg;\n windowReturnOneRow(p);\n break;\n\n case WINDOW_AGGINVERSE:\n csr = p->start.csr;\n reg = p->start.reg;\n if( pMWin->regStartRowid ){\n assert( pMWin->regEndRowid );\n sqlite3VdbeAddOp2(v, OP_AddImm, pMWin->regStartRowid, 1);\n }else{\n windowAggStep(p, pMWin, csr, 1, p->regArg);\n }\n break;\n\n default:\n assert( op==WINDOW_AGGSTEP );\n csr = p->end.csr;\n reg = p->end.reg;\n if( pMWin->regStartRowid ){\n assert( pMWin->regEndRowid );\n sqlite3VdbeAddOp2(v, OP_AddImm, pMWin->regEndRowid, 1);\n }else{\n windowAggStep(p, pMWin, csr, 0, p->regArg);\n }\n break;\n }\n\n if( op==p->eDelete ){\n sqlite3VdbeAddOp1(v, OP_Delete, csr);\n sqlite3VdbeChangeP5(v, OPFLAG_SAVEPOSITION);\n }\n\n if( jumpOnEof ){\n sqlite3VdbeAddOp2(v, OP_Next, csr, sqlite3VdbeCurrentAddr(v)+2);\n VdbeCoverage(v);\n ret = sqlite3VdbeAddOp0(v, OP_Goto);\n }else{\n sqlite3VdbeAddOp2(v, OP_Next, csr, sqlite3VdbeCurrentAddr(v)+1+bPeer);\n VdbeCoverage(v);\n if( bPeer ){\n sqlite3VdbeAddOp2(v, OP_Goto, 0, lblDone);\n }\n }\n\n if( bPeer ){\n int nReg = (pMWin->pOrderBy ? pMWin->pOrderBy->nExpr : 0);\n int regTmp = (nReg ? 
sqlite3GetTempRange(pParse, nReg) : 0);\n windowReadPeerValues(p, csr, regTmp);\n windowIfNewPeer(pParse, pMWin->pOrderBy, regTmp, reg, addrContinue);\n sqlite3ReleaseTempRange(pParse, regTmp, nReg);\n }\n\n if( addrNextRange ){\n sqlite3VdbeAddOp2(v, OP_Goto, 0, addrNextRange);\n }\n sqlite3VdbeResolveLabel(v, lblDone);\n return ret;\n}", "project": "sqlite", "hash": 163722292140714692907937049738404978100, "size": 134, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378635 }, { "func": "static int translateP(char c, const Op *pOp){\n if( c=='1' ) return pOp->p1;\n if( c=='2' ) return pOp->p2;\n if( c=='3' ) return pOp->p3;\n if( c=='4' ) return pOp->p4.i;\n return pOp->p5;\n}", "project": "sqlite", "hash": 118943472779847200433060838851832085580, "size": 7, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378486 } ] }, { "call_depth": 5, "longest_call_chain": [ "msusb_msconfig_read", "msusb_msinterface_read_list", "msusb_msinterface_read", "msusb_msinterface_free", "msusb_mspipes_free" ], "group_size": 14, "functions": [ { "func": "static MSUSB_PIPE_DESCRIPTOR** msusb_mspipes_read(wStream* s, UINT32 NumberOfPipes)\n{\n\tUINT32 pnum;\n\tMSUSB_PIPE_DESCRIPTOR** MsPipes;\n\n\tif (Stream_GetRemainingCapacity(s) < 12 * NumberOfPipes)\n\t\treturn NULL;\n\n\tMsPipes = (MSUSB_PIPE_DESCRIPTOR**)calloc(NumberOfPipes, sizeof(MSUSB_PIPE_DESCRIPTOR*));\n\n\tif (!MsPipes)\n\t\treturn NULL;\n\n\tfor (pnum = 0; pnum < NumberOfPipes; pnum++)\n\t{\n\t\tMSUSB_PIPE_DESCRIPTOR* MsPipe = msusb_mspipe_new();\n\n\t\tif (!MsPipe)\n\t\t\tgoto out_error;\n\n\t\tStream_Read_UINT16(s, MsPipe->MaximumPacketSize);\n\t\tStream_Seek(s, 2);\n\t\tStream_Read_UINT32(s, MsPipe->MaximumTransferSize);\n\t\tStream_Read_UINT32(s, MsPipe->PipeFlags);\n\t\t/* Already set to zero by memset\n\t\t MsPipe->PipeHandle\t = 0;\n\t\t MsPipe->bEndpointAddress = 0;\n\t\t MsPipe->bInterval\t\t= 0;\n\t\t MsPipe->PipeType\t\t = 0;\n\t\t MsPipe->InitCompleted\t= 0;\n\t\t*/\n\t\tMsPipes[pnum] = MsPipe;\n\t}\n\n\treturn MsPipes;\nout_error:\n\n\tfor (pnum = 0; pnum < NumberOfPipes; pnum++)\n\t\tfree(MsPipes[pnum]);\n\n\tfree(MsPipes);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 43522950749896036127664697861930743417, "size": 43, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 1, "dataset": "other", "idx": 205671 }, { "func": "static MSUSB_PIPE_DESCRIPTOR** msusb_mspipes_read(wStream* s, UINT32 NumberOfPipes)\n{\n\tUINT32 pnum;\n\tMSUSB_PIPE_DESCRIPTOR** MsPipes;\n\n\tif (Stream_GetRemainingCapacity(s) / 12 < NumberOfPipes)\n\t\treturn 
NULL;\n\n\tMsPipes = (MSUSB_PIPE_DESCRIPTOR**)calloc(NumberOfPipes, sizeof(MSUSB_PIPE_DESCRIPTOR*));\n\n\tif (!MsPipes)\n\t\treturn NULL;\n\n\tfor (pnum = 0; pnum < NumberOfPipes; pnum++)\n\t{\n\t\tMSUSB_PIPE_DESCRIPTOR* MsPipe = msusb_mspipe_new();\n\n\t\tif (!MsPipe)\n\t\t\tgoto out_error;\n\n\t\tStream_Read_UINT16(s, MsPipe->MaximumPacketSize);\n\t\tStream_Seek(s, 2);\n\t\tStream_Read_UINT32(s, MsPipe->MaximumTransferSize);\n\t\tStream_Read_UINT32(s, MsPipe->PipeFlags);\n\t\t/* Already set to zero by memset\n\t\t MsPipe->PipeHandle\t = 0;\n\t\t MsPipe->bEndpointAddress = 0;\n\t\t MsPipe->bInterval\t\t= 0;\n\t\t MsPipe->PipeType\t\t = 0;\n\t\t MsPipe->InitCompleted\t= 0;\n\t\t*/\n\t\tMsPipes[pnum] = MsPipe;\n\t}\n\n\treturn MsPipes;\nout_error:\n\n\tfor (pnum = 0; pnum < NumberOfPipes; pnum++)\n\t\tfree(MsPipes[pnum]);\n\n\tfree(MsPipes);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 327097256253608261746407166636662999864, "size": 43, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370198 }, { "func": "static void msusb_msinterface_free(MSUSB_INTERFACE_DESCRIPTOR* MsInterface)\n{\n\tif (MsInterface)\n\t{\n\t\tmsusb_mspipes_free(MsInterface->MsPipes, MsInterface->NumberOfPipes);\n\t\tMsInterface->MsPipes = NULL;\n\t\tfree(MsInterface);\n\t}\n}", "project": "FreeRDP", "hash": 111719313818634845962432534061650784720, "size": 9, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370195 }, { "func": "static MSUSB_INTERFACE_DESCRIPTOR* msusb_msinterface_new()\n{\n\treturn (MSUSB_INTERFACE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_INTERFACE_DESCRIPTOR));\n}", "project": "FreeRDP", "hash": 195102358277270166636371095078324614685, "size": 4, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in 
msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370190 }, { "func": "static MSUSB_PIPE_DESCRIPTOR* msusb_mspipe_new()\n{\n\treturn (MSUSB_PIPE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_PIPE_DESCRIPTOR));\n}", "project": "FreeRDP", "hash": 286269363881544208550715036997896416778, "size": 4, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370185 }, { "func": "static void msusb_mspipes_free(MSUSB_PIPE_DESCRIPTOR** MsPipes, UINT32 NumberOfPipes)\n{\n\tUINT32 pnum = 0;\n\n\tif (MsPipes)\n\t{\n\t\tfor (pnum = 0; pnum < NumberOfPipes && MsPipes[pnum]; pnum++)\n\t\t\tfree(MsPipes[pnum]);\n\n\t\tfree(MsPipes);\n\t}\n}", "project": "FreeRDP", "hash": 298850235727179719739936200735090397102, "size": 12, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370194 }, { "func": "MSUSB_CONFIG_DESCRIPTOR* msusb_msconfig_new(void)\n{\n\treturn (MSUSB_CONFIG_DESCRIPTOR*)calloc(1, sizeof(MSUSB_CONFIG_DESCRIPTOR));\n}", "project": "FreeRDP", "hash": 116475666787466662372093513378582272026, "size": 4, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370189 }, { "func": "BOOL msusb_msinterface_replace(MSUSB_CONFIG_DESCRIPTOR* MsConfig, BYTE InterfaceNumber,\n MSUSB_INTERFACE_DESCRIPTOR* NewMsInterface)\n{\n\tif (!MsConfig || !MsConfig->MsInterfaces)\n\t\treturn FALSE;\n\n\tmsusb_msinterface_free(MsConfig->MsInterfaces[InterfaceNumber]);\n\tMsConfig->MsInterfaces[InterfaceNumber] = NewMsInterface;\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 163043333955182832460253605601479340365, "size": 10, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in 
msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370192 }, { "func": "static MSUSB_INTERFACE_DESCRIPTOR** msusb_msinterface_read_list(wStream* s, UINT32 NumInterfaces)\n{\n\tUINT32 inum;\n\tMSUSB_INTERFACE_DESCRIPTOR** MsInterfaces;\n\tMsInterfaces =\n\t (MSUSB_INTERFACE_DESCRIPTOR**)calloc(NumInterfaces, sizeof(MSUSB_INTERFACE_DESCRIPTOR*));\n\n\tif (!MsInterfaces)\n\t\treturn NULL;\n\n\tfor (inum = 0; inum < NumInterfaces; inum++)\n\t{\n\t\tMsInterfaces[inum] = msusb_msinterface_read(s);\n\n\t\tif (!MsInterfaces[inum])\n\t\t\tgoto fail;\n\t}\n\n\treturn MsInterfaces;\nfail:\n\n\tfor (inum = 0; inum < NumInterfaces; inum++)\n\t\tmsusb_msinterface_free(MsInterfaces[inum]);\n\n\tfree(MsInterfaces);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 301570211779473080394701095071166755889, "size": 27, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370184 }, { "func": "static void msusb_msinterface_free_list(MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces,\n UINT32 NumInterfaces)\n{\n\tUINT32 inum = 0;\n\n\tif (MsInterfaces)\n\t{\n\t\tfor (inum = 0; inum < NumInterfaces; inum++)\n\t\t{\n\t\t\tmsusb_msinterface_free(MsInterfaces[inum]);\n\t\t}\n\n\t\tfree(MsInterfaces);\n\t}\n}", "project": "FreeRDP", "hash": 255545382072794521231443556625399604321, "size": 15, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370196 }, { "func": "void msusb_msconfig_free(MSUSB_CONFIG_DESCRIPTOR* MsConfig)\n{\n\tif (MsConfig)\n\t{\n\t\tmsusb_msinterface_free_list(MsConfig->MsInterfaces, MsConfig->NumInterfaces);\n\t\tMsConfig->MsInterfaces = NULL;\n\t\tfree(MsConfig);\n\t}\n}", "project": "FreeRDP", "hash": 247496999087104528986755682952452432422, "size": 9, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", 
"message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370186 }, { "func": "BOOL msusb_mspipes_replace(MSUSB_INTERFACE_DESCRIPTOR* MsInterface,\n MSUSB_PIPE_DESCRIPTOR** NewMsPipes, UINT32 NewNumberOfPipes)\n{\n\tif (!MsInterface || !NewMsPipes)\n\t\treturn FALSE;\n\n\t/* free orignal MsPipes */\n\tmsusb_mspipes_free(MsInterface->MsPipes, MsInterface->NumberOfPipes);\n\t/* And replace it */\n\tMsInterface->MsPipes = NewMsPipes;\n\tMsInterface->NumberOfPipes = NewNumberOfPipes;\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 272826545862192184139368934588135834022, "size": 13, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370188 }, { "func": "MSUSB_INTERFACE_DESCRIPTOR* msusb_msinterface_read(wStream* s)\n{\n\tMSUSB_INTERFACE_DESCRIPTOR* MsInterface;\n\n\tif (Stream_GetRemainingCapacity(s) < 12)\n\t\treturn NULL;\n\n\tMsInterface = msusb_msinterface_new();\n\n\tif (!MsInterface)\n\t\treturn NULL;\n\n\tStream_Read_UINT16(s, MsInterface->Length);\n\tStream_Read_UINT16(s, MsInterface->NumberOfPipesExpected);\n\tStream_Read_UINT8(s, MsInterface->InterfaceNumber);\n\tStream_Read_UINT8(s, MsInterface->AlternateSetting);\n\tStream_Seek(s, 2);\n\tStream_Read_UINT32(s, MsInterface->NumberOfPipes);\n\tMsInterface->InterfaceHandle = 0;\n\tMsInterface->bInterfaceClass = 0;\n\tMsInterface->bInterfaceSubClass = 0;\n\tMsInterface->bInterfaceProtocol = 0;\n\tMsInterface->InitCompleted = 0;\n\tMsInterface->MsPipes = NULL;\n\n\tif (MsInterface->NumberOfPipes > 0)\n\t{\n\t\tMsInterface->MsPipes = msusb_mspipes_read(s, MsInterface->NumberOfPipes);\n\n\t\tif (!MsInterface->MsPipes)\n\t\t\tgoto out_error;\n\t}\n\n\treturn MsInterface;\nout_error:\n\tmsusb_msinterface_free(MsInterface);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 315713004236029849064051996144827842346, "size": 38, "commit_id": 
"9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370197 }, { "func": "MSUSB_CONFIG_DESCRIPTOR* msusb_msconfig_read(wStream* s, UINT32 NumInterfaces)\n{\n\tMSUSB_CONFIG_DESCRIPTOR* MsConfig;\n\tBYTE lenConfiguration, typeConfiguration;\n\n\tif (Stream_GetRemainingCapacity(s) < 6ULL + NumInterfaces * 2ULL)\n\t\treturn NULL;\n\n\tMsConfig = msusb_msconfig_new();\n\n\tif (!MsConfig)\n\t\tgoto fail;\n\n\tMsConfig->MsInterfaces = msusb_msinterface_read_list(s, NumInterfaces);\n\n\tif (!MsConfig->MsInterfaces)\n\t\tgoto fail;\n\n\tStream_Read_UINT8(s, lenConfiguration);\n\tStream_Read_UINT8(s, typeConfiguration);\n\n\tif (lenConfiguration != 0x9 || typeConfiguration != 0x2)\n\t{\n\t\tWLog_ERR(TAG, \"len and type must be 0x9 and 0x2 , but it is 0x%\" PRIx8 \" and 0x%\" PRIx8 \"\",\n\t\t lenConfiguration, typeConfiguration);\n\t\tgoto fail;\n\t}\n\n\tStream_Read_UINT16(s, MsConfig->wTotalLength);\n\tStream_Seek(s, 1);\n\tStream_Read_UINT8(s, MsConfig->bConfigurationValue);\n\tMsConfig->NumInterfaces = NumInterfaces;\n\treturn MsConfig;\nfail:\n\tmsusb_msconfig_free(MsConfig);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 5241623909507677207100469971939005727, "size": 37, "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da", "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425", "target": 0, "dataset": "other", "idx": 370187 } ] }, { "call_depth": 2, "longest_call_chain": [ "ReplaceThumbnail", "FindSection" ], "group_size": 3, "functions": [ { "func": "int ReplaceThumbnail(const char * ThumbFileName)\r\n{\r\n FILE * ThumbnailFile;\r\n int ThumbLen, NewExifSize;\r\n Section_t * ExifSection;\r\n uchar * ThumbnailPointer;\r\n\r\n if (ImageInfo.ThumbnailOffset == 0 || ImageInfo.ThumbnailAtEnd == FALSE){\r\n if (ThumbFileName == NULL){\r\n // Delete of nonexistent thumbnail (not even pointers present)\r\n // No action, no error.\r\n return 
FALSE;\r\n }\r\n\r\n // Adding or removing of thumbnail is not possible - that would require rearranging\r\n // of the exif header, which is risky, and jhad doesn't know how to do.\r\n fprintf(stderr,\"Image contains no thumbnail to replace - add is not possible\\n\");\r\n return FALSE;\r\n }\r\n\r\n if (ThumbFileName){\r\n ThumbnailFile = fopen(ThumbFileName,\"rb\");\r\n\r\n if (ThumbnailFile == NULL){\r\n noread:\r\n ErrFatal(\"Could not read thumbnail file\");\r\n return FALSE;\r\n }\r\n\r\n // get length\r\n fseek(ThumbnailFile, 0, SEEK_END);\r\n\r\n ThumbLen = ftell(ThumbnailFile);\r\n fseek(ThumbnailFile, 0, SEEK_SET);\r\n\r\n if (ThumbLen + ImageInfo.ThumbnailOffset > 0x10000-20){\r\n ErrFatal(\"Thumbnail is too large to insert into exif header\");\r\n }\r\n }else{\r\n if (ImageInfo.ThumbnailSize == 0){\r\n return FALSE;\r\n }\r\n\r\n ThumbLen = 0;\r\r\r\n ThumbnailFile = NULL;\r\n }\r\n\r\n ExifSection = FindSection(M_EXIF);\r\n\r\n NewExifSize = ImageInfo.ThumbnailOffset+8+ThumbLen;\r\n ExifSection->Data = (uchar *)realloc(ExifSection->Data, NewExifSize);\r\n\r\n ThumbnailPointer = ExifSection->Data+ImageInfo.ThumbnailOffset+8;\r\n\r\n if (ThumbnailFile){\r\n if (fread(ThumbnailPointer, 1, ThumbLen, ThumbnailFile) != ThumbLen){\r\n goto noread;\r\n }\r\n fclose(ThumbnailFile);\r\n }\r\n\r\n ImageInfo.ThumbnailSize = ThumbLen;\r\n\r\n Put32u(ExifSection->Data+ImageInfo.ThumbnailSizeOffset+8, ThumbLen);\r\n\r\n ExifSection->Data[0] = (uchar)(NewExifSize >> 8);\r\n ExifSection->Data[1] = (uchar)NewExifSize;\r\n ExifSection->Size = NewExifSize;\r\n\r\n return TRUE;\r\n}\r", "project": "jhead", "hash": 27990850366750374086987638276485171272, "size": 71, "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea", "message": "Same error as previous checking in different function", "target": 0, "dataset": "other", "idx": 261978 }, { "func": "int SaveThumbnail(char * ThumbFileName)\r\n{\r\n FILE * ThumbnailFile;\r\n\r\n if (ImageInfo.ThumbnailOffset == 0 || 
ImageInfo.ThumbnailSize == 0){\r\n fprintf(stderr,\"Image contains no thumbnail\\n\");\r\n return FALSE;\r\n }\r\n\r\n if (strcmp(ThumbFileName, \"-\") == 0){\r\n // A filename of '-' indicates thumbnail goes to stdout.\r\n // This doesn't make much sense under Windows, so this feature is unix only.\r\n ThumbnailFile = stdout;\r\n }else{\r\n ThumbnailFile = fopen(ThumbFileName,\"wb\");\r\n }\r\n\r\n if (ThumbnailFile){\r\n uchar * ThumbnailPointer;\r\n Section_t * ExifSection;\r\n ExifSection = FindSection(M_EXIF);\r\n ThumbnailPointer = ExifSection->Data+ImageInfo.ThumbnailOffset+8;\r\n\r\n fwrite(ThumbnailPointer, ImageInfo.ThumbnailSize ,1, ThumbnailFile);\r\n fclose(ThumbnailFile);\r\n return TRUE;\r\n }else{\r\n ErrFatal(\"Could not write thumbnail file\");\r\n return FALSE;\r\n }\r\n}\r", "project": "jhead", "hash": 215335735612559319365770324499386063565, "size": 31, "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea", "message": "Same error as previous checking in different function", "target": 0, "dataset": "other", "idx": 261977 }, { "func": "Section_t * FindSection(int SectionType)\r\n{\r\n int a;\r\n\r\n for (a=0;aconns;\n\n\tif (-1 == con->ndx) return;\n\tuint32_t i = (uint32_t)con->ndx;\n\n\t/* not last element */\n\n\tif (i != --conns->used) {\n\t\tconnection * const temp = conns->ptr[i];\n\t\tconns->ptr[i] = conns->ptr[conns->used];\n\t\tconns->ptr[conns->used] = temp;\n\n\t\tconns->ptr[i]->ndx = i;\n\t\tconns->ptr[conns->used]->ndx = -1;\n\t}\n\n\tcon->ndx = -1;\n#if 0\n\tfprintf(stderr, \"%s.%d: del: (%d)\", __FILE__, __LINE__, conns->used);\n\tfor (i = 0; i < conns->used; i++) {\n\t\tfprintf(stderr, \"%d \", conns->ptr[i]->fd);\n\t}\n\tfprintf(stderr, \"\\n\");\n#endif\n}", "project": "lighttpd1.4", "hash": 293826043051460842477498553569986639498, "size": 26, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in 
Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251486 }, { "func": "static void connection_handle_response_end_state(request_st * const r, connection * const con) {\n\tif (r->http_version > HTTP_VERSION_1_1) {\n\t\th2_retire_con(r, con);\n\t\tr->keep_alive = 0;\n\t\t/* set a status so that mod_accesslog, mod_rrdtool hooks are called\n\t\t * in plugins_call_handle_request_done() (XXX: or set to 0 to omit) */\n\t\tr->http_status = 100; /* XXX: what if con->state == CON_STATE_ERROR? */\n\t}\n\n\t/* call request_done hook if http_status set (e.g. to log request) */\n\t/* (even if error, connection dropped, as long as http_status is set) */\n\tif (r->http_status) plugins_call_handle_request_done(r);\n\n\tif (r->state != CON_STATE_ERROR) ++con->srv->con_written;\n\n\tif (r->reqbody_length != r->reqbody_queue.bytes_in\n\t || r->state == CON_STATE_ERROR) {\n\t\t/* request body may not have been read completely */\n\t\tr->keep_alive = 0;\n\t\t/* clean up failed partial write of 1xx intermediate responses*/\n\t\tif (&r->write_queue != con->write_queue) { /*(for HTTP/1.1)*/\n\t\t\tchunkqueue_free(con->write_queue);\n\t\t\tcon->write_queue = &r->write_queue;\n\t\t}\n\t}\n\n if (r->keep_alive) {\n\t\trequest_reset(r);\n\t\tconfig_reset_config(r);\n\t\tcon->is_readable = 1; /* potentially trigger optimistic read */\n\t\t/*(accounting used by mod_accesslog for HTTP/1.0 and HTTP/1.1)*/\n\t\tr->bytes_read_ckpt = con->bytes_read;\n\t\tr->bytes_written_ckpt = con->bytes_written;\n#if 0\n\t\tr->start_hp.tv_sec = con->read_idle_ts = log_epoch_secs;\n#endif\n\t\tconnection_set_state(r, CON_STATE_REQUEST_START);\n\t} else {\n\t\tconnection_handle_shutdown(con);\n\t}\n}", "project": "lighttpd1.4", "hash": 185013160382800285177977165992108687517, "size": 41, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n 
\"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251505 }, { "func": "void connection_graceful_shutdown_maint (server *srv) {\n connections * const conns = &srv->conns;\n const int graceful_expire =\n (srv->graceful_expire_ts && srv->graceful_expire_ts < log_epoch_secs);\n for (uint32_t ndx = 0; ndx < conns->used; ++ndx) {\n connection * const con = conns->ptr[ndx];\n int changed = 0;\n\n request_st * const r = &con->request;\n if (r->state == CON_STATE_CLOSE) {\n /* reduce remaining linger timeout to be\n * (from zero) *up to* one more second, but no more */\n if (HTTP_LINGER_TIMEOUT > 1)\n con->close_timeout_ts -= (HTTP_LINGER_TIMEOUT - 1);\n if (log_epoch_secs - con->close_timeout_ts > HTTP_LINGER_TIMEOUT)\n changed = 1;\n }\n else if (con->h2 && r->state == CON_STATE_WRITE) {\n h2_send_goaway(con, H2_E_NO_ERROR);\n if (0 == con->h2->rused && chunkqueue_is_empty(con->write_queue)) {\n connection_set_state(r, CON_STATE_RESPONSE_END);\n changed = 1;\n }\n }\n else if (r->state == CON_STATE_READ && con->request_count > 1\n && chunkqueue_is_empty(con->read_queue)) {\n /* close connections in keep-alive waiting for next request */\n connection_set_state_error(r, CON_STATE_ERROR);\n changed = 1;\n }\n\n if (graceful_expire) {\n connection_set_state_error(r, CON_STATE_ERROR);\n changed = 1;\n }\n\n r->keep_alive = 0; /* disable keep-alive */\n\n r->conf.bytes_per_second = 0; /* disable rate limit */\n r->conf.global_bytes_per_second = 0; /* disable rate limit */\n if (con->traffic_limit_reached) {\n con->traffic_limit_reached = 0;\n changed = 1;\n }\n\n if (changed) {\n connection_state_machine(con);\n }\n }\n}", "project": "lighttpd1.4", "hash": 32920880273627245692498519321054245939, "size": 50, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck 
in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251460 }, { "func": "static chunk * connection_read_header_more(connection *con, chunkqueue *cq, chunk *c, const size_t olen) {\n /*(should not be reached by HTTP/2 streams)*/\n /*if (r->http_version == HTTP_VERSION_2) return NULL;*/\n /*(However, new connections over TLS may become HTTP/2 connections via ALPN\n * and return from this routine with r->http_version == HTTP_VERSION_2) */\n\n if ((NULL == c || NULL == c->next) && con->is_readable > 0) {\n con->read_idle_ts = log_epoch_secs;\n if (0 != con->network_read(con, cq, MAX_READ_LIMIT)) {\n request_st * const r = &con->request;\n connection_set_state_error(r, CON_STATE_ERROR);\n }\n /* check if switched to HTTP/2 (ALPN \"h2\" during TLS negotiation) */\n request_st * const r = &con->request;\n if (r->http_version == HTTP_VERSION_2) return NULL;\n }\n\n if (cq->first != cq->last && 0 != olen) {\n const size_t clen = chunkqueue_length(cq);\n size_t block = (olen + (16384-1)) & (16384-1);\n block += (block - olen > 1024 ? 0 : 16384);\n chunkqueue_compact_mem(cq, block > clen ? clen : block);\n }\n\n /* detect if data is added to chunk */\n c = cq->first;\n return (c && (size_t)c->offset + olen < buffer_string_length(c->mem))\n ? 
c\n : NULL;\n}", "project": "lighttpd1.4", "hash": 58630683850731888391551309485472068258, "size": 30, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 1, "dataset": "other", "idx": 197066 }, { "func": "static chunk * connection_read_header_more(connection *con, chunkqueue *cq, chunk *c, const size_t olen) {\n /*(should not be reached by HTTP/2 streams)*/\n /*if (r->http_version == HTTP_VERSION_2) return NULL;*/\n /*(However, new connections over TLS may become HTTP/2 connections via ALPN\n * and return from this routine with r->http_version == HTTP_VERSION_2) */\n\n if ((NULL == c || NULL == c->next) && con->is_readable > 0) {\n con->read_idle_ts = log_epoch_secs;\n if (0 != con->network_read(con, cq, MAX_READ_LIMIT)) {\n request_st * const r = &con->request;\n connection_set_state_error(r, CON_STATE_ERROR);\n }\n /* check if switched to HTTP/2 (ALPN \"h2\" during TLS negotiation) */\n request_st * const r = &con->request;\n if (r->http_version == HTTP_VERSION_2) return NULL;\n }\n\n if (cq->first != cq->last && 0 != olen) {\n const size_t clen = chunkqueue_length(cq);\n size_t block = (olen + (16384-1)) & ~(16384-1);\n block += (block - olen > 1024 ? 0 : 16384);\n chunkqueue_compact_mem(cq, block > clen ? clen : block);\n }\n\n /* detect if data is added to chunk */\n c = cq->first;\n return (c && (size_t)c->offset + olen < buffer_string_length(c->mem))\n ? 
c\n : NULL;\n}", "project": "lighttpd1.4", "hash": 161459326522428992863096627223237510818, "size": 30, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251461 }, { "func": "static int connection_read_cq(connection *con, chunkqueue *cq, off_t max_bytes) {\n ssize_t len;\n size_t mem_len = 0;\n\n do {\n /* obtain chunk memory into which to read\n * fill previous chunk if it has a reasonable amount of space available\n * (use mem_len=0 to obtain large buffer at least half of chunk_buf_sz)\n */\n chunk *ckpt = cq->last;\n char * const mem = chunkqueue_get_memory(cq, &mem_len);\n if (mem_len > (size_t)max_bytes) mem_len = (size_t)max_bytes;\n\n #if defined(__WIN32)\n len = recv(con->fd, mem, mem_len, 0);\n #else\n len = read(con->fd, mem, mem_len);\n #endif\n\n chunkqueue_use_memory(cq, ckpt, len > 0 ? len : 0);\n\n if (len != (ssize_t)mem_len) {\n /* we got less then expected, wait for the next fd-event */\n con->is_readable = 0;\n\n if (len > 0) {\n con->bytes_read += len;\n return 0;\n }\n else if (0 == len) /* other end close connection -> KEEP-ALIVE */\n return -2; /* (pipelining) */\n else\n return connection_read_cq_err(con);\n }\n\n con->bytes_read += len;\n max_bytes -= len;\n\n int frd;\n mem_len = (0 == fdevent_ioctl_fionread(con->fd, S_IFSOCK, &frd))\n ? (frd < max_bytes) ? 
(size_t)frd : (size_t)max_bytes\n : 0;\n } while (max_bytes);\n return 0;\n}", "project": "lighttpd1.4", "hash": 284270832223616541642730468761658953588, "size": 45, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251493 }, { "func": "void connections_free(server *srv) {\n\tconnections * const conns = &srv->conns;\n\tfor (uint32_t i = 0; i < conns->size; ++i) {\n\t\tconnection *con = conns->ptr[i];\n\t\trequest_st * const r = &con->request;\n\n\t\tconnection_reset(con);\n\t\tif (con->write_queue != &r->write_queue)\n\t\t\tchunkqueue_free(con->write_queue);\n\t\tif (con->read_queue != &r->read_queue)\n\t\t\tchunkqueue_free(con->read_queue);\n\t\trequest_free_data(r);\n\n\t\tfree(con->plugin_ctx);\n\t\tbuffer_free(con->dst_addr_buf);\n\n\t\tfree(con);\n\t}\n\n\tfree(conns->ptr);\n\tconns->ptr = NULL;\n}", "project": "lighttpd1.4", "hash": 244491624546804324633220657337605566821, "size": 22, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251466 }, { "func": "static void ssl_disconnect(struct tunnel *tunnel)\n{\n\tif (!tunnel->ssl_handle)\n\t\treturn;\n\n\tSSL_shutdown(tunnel->ssl_handle);\n\tSSL_free(tunnel->ssl_handle);\n\tSSL_CTX_free(tunnel->ssl_context);\n\tclose(tunnel->ssl_socket);\n\n\ttunnel->ssl_handle = NULL;\n\ttunnel->ssl_context = NULL;\n}", "project": "openfortivpn", "hash": 52797867477005753801249610736615879521, "size": 13, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte 
Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 0, "dataset": "other", "idx": 258444 }, { "func": "static int connection_handle_write_state(request_st * const r, connection * const con) {\n do {\n /* only try to write if we have something in the queue */\n if (!chunkqueue_is_empty(&r->write_queue)) {\n if (r->http_version <= HTTP_VERSION_1_1) {\n int rc = connection_handle_write(r, con);\n if (rc != CON_STATE_WRITE) return rc;\n }\n } else if (r->resp_body_finished) {\n connection_set_state(r, CON_STATE_RESPONSE_END);\n return CON_STATE_RESPONSE_END;\n }\n\n if (r->handler_module && !r->resp_body_finished) {\n const plugin * const p = r->handler_module;\n int rc = p->handle_subrequest(r, p->data);\n switch(rc) {\n case HANDLER_WAIT_FOR_EVENT:\n case HANDLER_FINISHED:\n case HANDLER_GO_ON:\n break;\n case HANDLER_WAIT_FOR_FD:\n /* (In addition to waiting for dispatch from fdwaitqueue,\n * HTTP/2 connections may retry more frequently after any\n * activity occurs on connection or on other streams) */\n connection_fdwaitqueue_append(con);\n break;\n case HANDLER_COMEBACK:\n default:\n log_error(r->conf.errh, __FILE__, __LINE__,\n \"unexpected subrequest handler ret-value: %d %d\",\n con->fd, rc);\n __attribute_fallthrough__\n case HANDLER_ERROR:\n connection_set_state_error(r, CON_STATE_ERROR);\n return CON_STATE_ERROR;\n }\n }\n } while (r->http_version <= HTTP_VERSION_1_1\n && (!chunkqueue_is_empty(&r->write_queue)\n ? 
con->is_writable > 0 && 0 == con->traffic_limit_reached\n : r->resp_body_finished));\n\n return CON_STATE_WRITE;\n}", "project": "lighttpd1.4", "hash": 273019647895384478600891642524071094367, "size": 45, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251459 }, { "func": "static void connection_handle_shutdown(connection *con) {\n\tplugins_call_handle_connection_shut_wr(con);\n\n\tconnection_reset(con);\n\t++con->srv->con_closed;\n\n\t/* close the connection */\n\tif (con->fd >= 0\n\t && (con->is_ssl_sock || 0 == shutdown(con->fd, SHUT_WR))) {\n\t\tcon->close_timeout_ts = log_epoch_secs;\n\n\t\trequest_st * const r = &con->request;\n\t\tconnection_set_state(r, CON_STATE_CLOSE);\n\t\tif (r->conf.log_state_handling) {\n\t\t\tlog_error(r->conf.errh, __FILE__, __LINE__,\n\t\t\t \"shutdown for fd %d\", con->fd);\n\t\t}\n\t} else {\n\t\tconnection_close(con);\n\t}\n}", "project": "lighttpd1.4", "hash": 122939348764667853489371174932924508166, "size": 21, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251488 }, { "func": "static int connection_handle_read_state(connection * const con) {\n /*(should not be reached by HTTP/2 streams)*/\n chunkqueue * const cq = con->read_queue;\n chunk *c = cq->first;\n uint32_t clen = 0;\n uint32_t header_len = 0;\n request_st * const r = &con->request;\n uint8_t keepalive_request_start = 0;\n uint8_t pipelined_request_start = 0;\n uint8_t discard_blank = 0;\n unsigned short hoff[8192]; /* max num header lines + 3; 16k on stack */\n\n 
if (con->request_count > 1) {\n discard_blank = 1;\n if (con->bytes_read == r->bytes_read_ckpt) {\n keepalive_request_start = 1;\n if (NULL != c) { /* !chunkqueue_is_empty(cq)) */\n pipelined_request_start = 1;\n /* partial header of next request has already been read,\n * so optimistically check for more data received on\n * socket while processing the previous request */\n con->is_readable = 1;\n /*(if partially read next request and unable to read any bytes,\n * then will unnecessarily scan again before subsequent read)*/\n }\n }\n }\n\n do {\n if (NULL == c) continue;\n clen = buffer_string_length(c->mem) - c->offset;\n if (0 == clen) continue;\n if (c->offset > USHRT_MAX) /*(highly unlikely)*/\n chunkqueue_compact_mem_offset(cq);\n\n hoff[0] = 1; /* number of lines */\n hoff[1] = (unsigned short)c->offset; /* base offset for all lines */\n /*hoff[2] = ...;*/ /* offset from base for 2nd line */\n\n header_len = http_header_parse_hoff(c->mem->ptr + c->offset,clen,hoff);\n\n /* casting to (unsigned short) might truncate, and the hoff[]\n * addition might overflow, but max_request_field_size is USHRT_MAX,\n * so failure will be detected below */\n const uint32_t max_request_field_size=r->conf.max_request_field_size;\n if ((header_len ? header_len : clen) > max_request_field_size\n || hoff[0] >= sizeof(hoff)/sizeof(hoff[0])-1) {\n log_error(r->conf.errh, __FILE__, __LINE__, \"%s\",\n \"oversized request-header -> sending Status 431\");\n r->http_status = 431; /* Request Header Fields Too Large */\n r->keep_alive = 0;\n connection_set_state(r, CON_STATE_REQUEST_END);\n return 1;\n }\n\n if (0 != header_len) {\n if (hoff[0] > 1) break; /* common case; request headers complete */\n\n if (discard_blank) { /* skip one blank line e.g. 
following POST */\n if (header_len == clen) continue;\n const int ch = c->mem->ptr[c->offset+header_len];\n if (ch != '\\r' && ch != '\\n') {\n /* discard prior blank line if next line is not blank */\n discard_blank = 0;\n clen = 0;/*(for connection_read_header_more() to return c)*/\n c = connection_discard_blank_line(cq, header_len);/*cold*/\n continue;\n } /*(else fall through to error out in next block)*/\n }\n }\n\n if (((unsigned char *)c->mem->ptr)[c->offset] < 32) {\n /* expecting ASCII method beginning with alpha char\n * or HTTP/2 pseudo-header beginning with ':' */\n /*(TLS handshake begins with SYN 0x16 (decimal 22))*/\n log_error(r->conf.errh, __FILE__, __LINE__, \"%s\",\n \"invalid request-line -> sending Status 400\");\n r->http_status = 400; /* Bad Request */\n r->keep_alive = 0;\n connection_set_state(r, CON_STATE_REQUEST_END);\n return 1;\n }\n } while ((c = connection_read_header_more(con, cq, c, clen)));\n\n if (keepalive_request_start) {\n if (con->bytes_read > r->bytes_read_ckpt) {\n /* update r->start_hp.tv_sec timestamp when first byte of\n * next request is received on a keep-alive connection */\n r->start_hp.tv_sec = log_epoch_secs;\n if (r->conf.high_precision_timestamps)\n log_clock_gettime_realtime(&r->start_hp);\n }\n if (pipelined_request_start && c) con->read_idle_ts = log_epoch_secs;\n }\n\n if (NULL == c) return 0; /* incomplete request headers */\n\n #ifdef __COVERITY__\n if (buffer_string_length(c->mem) < hoff[1]) {\n return 1;\n }\n #endif\n\n char * const hdrs = c->mem->ptr + hoff[1];\n\n if (con->request_count > 1) {\n /* clear buffers which may have been kept for reporting on keep-alive,\n * (e.g. 
mod_status) */\n request_reset_ex(r);\n }\n /* RFC7540 3.5 HTTP/2 Connection Preface\n * \"PRI * HTTP/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\"\n * (Connection Preface MUST be exact match)\n * If ALT-SVC used to advertise HTTP/2, then client might start\n * http connection (not TLS) sending HTTP/2 connection preface.\n * (note: intentionally checking only on initial request) */\n else if (!con->is_ssl_sock && r->conf.h2proto\n && hoff[0] == 2 && hoff[2] == 16\n && hdrs[0]=='P' && hdrs[1]=='R' && hdrs[2]=='I' && hdrs[3]==' ') {\n r->http_version = HTTP_VERSION_2;\n return 0;\n }\n\n r->rqst_header_len = header_len;\n if (r->conf.log_request_header)\n log_error(r->conf.errh, __FILE__, __LINE__,\n \"fd: %d request-len: %d\\n%.*s\", con->fd,\n (int)header_len, (int)header_len, hdrs);\n http_request_headers_process(r, hdrs, hoff, con->proto_default_port);\n chunkqueue_mark_written(cq, r->rqst_header_len);\n connection_set_state(r, CON_STATE_REQUEST_END);\n\n if (!con->is_ssl_sock && r->conf.h2proto && 0 == r->http_status\n && h2_check_con_upgrade_h2c(r)) {\n /*(Upgrade: h2c over cleartext does not have SNI; no COMP_HTTP_HOST)*/\n r->conditional_is_valid = (1 << COMP_SERVER_SOCKET)\n | (1 << COMP_HTTP_REMOTE_IP);\n /*connection_handle_write(r, con);*//* defer write to network */\n return 0;\n }\n\n return 1;\n}", "project": "lighttpd1.4", "hash": 337545900969995769623474873495353942303, "size": 143, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251478 }, { "func": "static int tcp_connect(struct tunnel *tunnel)\n{\n\tint ret, handle;\n\tstruct sockaddr_in server;\n\tchar *env_proxy;\n\n\thandle = socket(AF_INET, SOCK_STREAM, 0);\n\tif (handle == -1) {\n\t\tlog_error(\"socket: %s\\n\", strerror(errno));\n\t\tgoto 
err_socket;\n\t}\n\tenv_proxy = getenv(\"https_proxy\");\n\tif (env_proxy == NULL)\n\t\tenv_proxy = getenv(\"HTTPS_PROXY\");\n\tif (env_proxy == NULL)\n\t\tenv_proxy = getenv(\"all_proxy\");\n\tif (env_proxy == NULL)\n\t\tenv_proxy = getenv(\"ALL_PROXY\");\n\tif (env_proxy != NULL) {\n\t\tchar *proxy_host, *proxy_port;\n\t\t// protect the original environment from modifications\n\t\tenv_proxy = strdup(env_proxy);\n\t\tif (env_proxy == NULL) {\n\t\t\tlog_error(\"strdup: %s\\n\", strerror(errno));\n\t\t\tgoto err_strdup;\n\t\t}\n\t\t// get rid of a trailing slash\n\t\tif (*env_proxy && env_proxy[strlen(env_proxy) - 1] == '/')\n\t\t\tenv_proxy[strlen(env_proxy) - 1] = '\\0';\n\t\t// get rid of a http(s):// prefix in env_proxy\n\t\tproxy_host = strstr(env_proxy, \"://\");\n\t\tif (proxy_host == NULL)\n\t\t\tproxy_host = env_proxy;\n\t\telse\n\t\t\tproxy_host += 3;\n\t\t// split host and port\n\t\tproxy_port = index(proxy_host, ':');\n\t\tif (proxy_port != NULL) {\n\t\t\tproxy_port[0] = '\\0';\n\t\t\tproxy_port++;\n\t\t\tserver.sin_port = htons(strtoul(proxy_port, NULL, 10));\n\t\t} else {\n\t\t\tserver.sin_port = htons(tunnel->config->gateway_port);\n\t\t}\n\t\t// get rid of a trailing slash\n\t\tif (*proxy_host && proxy_host[strlen(proxy_host) - 1] == '/')\n\t\t\tproxy_host[strlen(proxy_host) - 1] = '\\0';\n\t\tlog_debug(\"proxy_host: %s\\n\", proxy_host);\n\t\tlog_debug(\"proxy_port: %s\\n\", proxy_port);\n\t\tserver.sin_addr.s_addr = inet_addr(proxy_host);\n\t\t// if host is given as a FQDN we have to do a DNS lookup\n\t\tif (server.sin_addr.s_addr == INADDR_NONE) {\n\t\t\tconst struct addrinfo hints = { .ai_family = AF_INET };\n\t\t\tstruct addrinfo *result = NULL;\n\n\t\t\tret = getaddrinfo(proxy_host, NULL, &hints, &result);\n\t\t\tif (ret) {\n\t\t\t\tif (ret == EAI_SYSTEM)\n\t\t\t\t\tlog_error(\"getaddrinfo: %s\\n\", strerror(errno));\n\t\t\t\telse\n\t\t\t\t\tlog_error(\"getaddrinfo: %s\\n\", gai_strerror(ret));\n\t\t\t\tgoto 
err_connect;\n\t\t\t}\n\n\t\t\tserver.sin_addr = ((struct sockaddr_in *)\n\t\t\t result->ai_addr)->sin_addr;\n\t\t\tfreeaddrinfo(result);\n\t\t}\n\t} else {\n\t\tserver.sin_port = htons(tunnel->config->gateway_port);\n\t\tserver.sin_addr = tunnel->config->gateway_ip;\n\t}\n\n\tlog_debug(\"server_addr: %s\\n\", inet_ntoa(server.sin_addr));\n\tlog_debug(\"server_port: %u\\n\", ntohs(server.sin_port));\n\tserver.sin_family = AF_INET;\n\tmemset(&(server.sin_zero), '\\0', 8);\n\tlog_debug(\"gateway_addr: %s\\n\", inet_ntoa(tunnel->config->gateway_ip));\n\tlog_debug(\"gateway_port: %u\\n\", tunnel->config->gateway_port);\n\n\tret = connect(handle, (struct sockaddr *) &server, sizeof(server));\n\tif (ret) {\n\t\tlog_error(\"connect: %s\\n\", strerror(errno));\n\t\tgoto err_connect;\n\t}\n\n\tif (env_proxy != NULL) {\n\t\tchar request[128];\n\n\t\t// https://tools.ietf.org/html/rfc7231#section-4.3.6\n\t\tsprintf(request, \"CONNECT %s:%u HTTP/1.1\\r\\nHost: %s:%u\\r\\n\\r\\n\",\n\t\t inet_ntoa(tunnel->config->gateway_ip),\n\t\t tunnel->config->gateway_port,\n\t\t inet_ntoa(tunnel->config->gateway_ip),\n\t\t tunnel->config->gateway_port);\n\t\tssize_t bytes_written = write(handle, request, strlen(request));\n\t\tif (bytes_written != strlen(request)) {\n\t\t\tlog_error(\"write error while talking to proxy: %s\\n\",\n\t\t\t strerror(errno));\n\t\t\tgoto err_connect;\n\t\t}\n\n\t\t// wait for a \"200 OK\" reply from the proxy,\n\t\t// be careful not to fetch too many bytes at once\n\t\tconst char *response = NULL;\n\n\t\tmemset(&(request), '\\0', sizeof(request));\n\t\tfor (int j = 0; response == NULL; j++) {\n\t\t\t/*\n\t\t\t * Coverity detected a defect:\n\t\t\t * CID 200508: String not null terminated (STRING_NULL)\n\t\t\t *\n\t\t\t * It is actually a false positive:\n\t\t\t * • Function memset() initializes 'request' with '\\0'\n\t\t\t * • Function read() gets a single char into: request[j]\n\t\t\t * • The final '\\0' cannot be overwritten because:\n\t\t\t * \tj < 
ARRAY_SIZE(request) - 1\n\t\t\t */\n\t\t\tssize_t bytes_read = read(handle, &(request[j]), 1);\n\t\t\tif (bytes_read < 1) {\n\t\t\t\tlog_error(\"Proxy response is unexpectedly large and cannot fit in the %lu-bytes buffer.\\n\",\n\t\t\t\t ARRAY_SIZE(request));\n\t\t\t\tgoto err_proxy_response;\n\t\t\t}\n\n\t\t\t// detect \"200\"\n\t\t\tstatic const char HTTP_STATUS_200[] = \"200\";\n\t\t\tresponse = strstr(request, HTTP_STATUS_200);\n\n\t\t\t// detect end-of-line after \"200\"\n\t\t\tif (response != NULL) {\n\t\t\t\t/*\n\t\t\t\t * RFC2616 states in section 2.2 Basic Rules:\n\t\t\t\t * \tCR = \n\t\t\t\t * \tLF = \n\t\t\t\t * \tHTTP/1.1 defines the sequence CR LF as the\n\t\t\t\t * \tend-of-line marker for all protocol elements\n\t\t\t\t * \texcept the entity-body (see appendix 19.3\n\t\t\t\t * \tfor tolerant applications).\n\t\t\t\t * \t\tCRLF = CR LF\n\t\t\t\t *\n\t\t\t\t * RFC2616 states in section 19.3 Tolerant Applications:\n\t\t\t\t * \tThe line terminator for message-header fields\n\t\t\t\t * \tis the sequence CRLF. 
However, we recommend\n\t\t\t\t * \tthat applications, when parsing such headers,\n\t\t\t\t * \trecognize a single LF as a line terminator\n\t\t\t\t * \tand ignore the leading CR.\n\t\t\t\t */\n\t\t\t\tstatic const char *const HTTP_EOL[] = {\n\t\t\t\t\t\"\\r\\n\\r\\n\",\n\t\t\t\t\t\"\\n\\n\"\n\t\t\t\t};\n\t\t\t\tconst char *eol = NULL;\n\t\t\t\tfor (int i = 0; (i < ARRAY_SIZE(HTTP_EOL)) &&\n\t\t\t\t (eol == NULL); i++)\n\t\t\t\t\teol = strstr(response, HTTP_EOL[i]);\n\t\t\t\tresponse = eol;\n\t\t\t}\n\n\t\t\tif (j > ARRAY_SIZE(request) - 2) {\n\t\t\t\tlog_error(\"Proxy response does not contain \\\"%s\\\" as expected.\\n\",\n\t\t\t\t HTTP_STATUS_200);\n\t\t\t\tgoto err_proxy_response;\n\t\t\t}\n\t\t}\n\n\t\tfree(env_proxy); // release memory allocated by strdup()\n\t}\n\n\treturn handle;\n\nerr_proxy_response:\nerr_connect:\n\tfree(env_proxy); // release memory allocated by strdup()\nerr_strdup:\n\tclose(handle);\nerr_socket:\n\treturn -1;\n}", "project": "openfortivpn", "hash": 92430937958836333054945632482632495064, "size": 179, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. 
In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 0, "dataset": "other", "idx": 258443 }, { "func": "static void connection_handle_close_state(connection *con) {\n\tconnection_read_for_eos(con);\n\n\tif (log_epoch_secs - con->close_timeout_ts > HTTP_LINGER_TIMEOUT) {\n\t\tconnection_close(con);\n\t}\n}", "project": "lighttpd1.4", "hash": 290425278741011965774367375409659734771, "size": 7, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251468 }, { "func": "int ppp_interface_is_up(struct tunnel *tunnel)\n{\n\tstruct ifaddrs *ifap, *ifa;\n\n\tlog_debug(\"Got Address: %s\\n\", inet_ntoa(tunnel->ipv4.ip_addr));\n\n\tif (getifaddrs(&ifap)) {\n\t\tlog_error(\"getifaddrs: %s\\n\", strerror(errno));\n\t\treturn 0;\n\t}\n\n\tfor (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {\n\t\tif ((\n#if HAVE_USR_SBIN_PPPD\n\t\t (tunnel->config->pppd_ifname\n\t\t && strstr(ifa->ifa_name, tunnel->config->pppd_ifname)\n\t\t != NULL)\n\t\t || strstr(ifa->ifa_name, \"ppp\") != NULL\n#endif\n#if HAVE_USR_SBIN_PPP\n\t\t strstr(ifa->ifa_name, \"tun\") != NULL\n#endif\n\t\t ) && ifa->ifa_flags & IFF_UP) {\n\t\t\tif (&(ifa->ifa_addr->sa_family) != NULL\n\t\t\t && ifa->ifa_addr->sa_family == AF_INET) {\n\t\t\t\tstruct in_addr if_ip_addr =\n\t\t\t\t cast_addr(ifa->ifa_addr)->sin_addr;\n\n\t\t\t\tlog_debug(\"Interface Name: %s\\n\", ifa->ifa_name);\n\t\t\t\tlog_debug(\"Interface Addr: %s\\n\", inet_ntoa(if_ip_addr));\n\n\t\t\t\tif (tunnel->ipv4.ip_addr.s_addr == if_ip_addr.s_addr) {\n\t\t\t\t\tstrncpy(tunnel->ppp_iface, ifa->ifa_name,\n\t\t\t\t\t ROUTE_IFACE_LEN - 1);\n\t\t\t\t\tfreeifaddrs(ifap);\n\t\t\t\t\treturn 
1;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\tfreeifaddrs(ifap);\n\n\treturn 0;\n}", "project": "openfortivpn", "hash": 289083185566316162908685336439308365695, "size": 44, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 0, "dataset": "other", "idx": 258440 }, { "func": "static void connection_read_for_eos_plain(connection * const con) {\n\t/* we have to do the linger_on_close stuff regardless\n\t * of r->keep_alive; even non-keepalive sockets\n\t * may still have unread data, and closing before reading\n\t * it will make the client not see all our output.\n\t */\n\tssize_t len;\n\tconst int type = sock_addr_get_family(&con->dst_addr);\n\tchar buf[16384];\n\tdo {\n\t\tlen = fdevent_socket_read_discard(con->fd, buf, sizeof(buf),\n\t\t\t\t\t\t type, SOCK_STREAM);\n\t} while (len > 0 || (len < 0 && errno == EINTR));\n\n\tif (len < 0 && errno == EAGAIN) return;\n #if defined(EWOULDBLOCK) && EWOULDBLOCK != EAGAIN\n\tif (len < 0 && errno == EWOULDBLOCK) return;\n #endif\n\n\t/* 0 == len || (len < 0 && (errno is a non-recoverable error)) */\n\t\tcon->close_timeout_ts = log_epoch_secs - (HTTP_LINGER_TIMEOUT+1);\n}", "project": "lighttpd1.4", "hash": 247133566326507244599637111441952671736, "size": 22, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", 
"target": 0, "dataset": "other", "idx": 251495 }, { "func": "static int get_gateway_host_ip(struct tunnel *tunnel)\n{\n\tconst struct addrinfo hints = { .ai_family = AF_INET };\n\tstruct addrinfo *result = NULL;\n\n\tint ret = getaddrinfo(tunnel->config->gateway_host, NULL, &hints, &result);\n\n\tif (ret) {\n\t\tif (ret == EAI_SYSTEM)\n\t\t\tlog_error(\"getaddrinfo: %s\\n\", strerror(errno));\n\t\telse\n\t\t\tlog_error(\"getaddrinfo: %s\\n\", gai_strerror(ret));\n\t\treturn 1;\n\t}\n\n\ttunnel->config->gateway_ip = ((struct sockaddr_in *)\n\t result->ai_addr)->sin_addr;\n\tfreeaddrinfo(result);\n\n\tsetenv(\"VPN_GATEWAY\", inet_ntoa(tunnel->config->gateway_ip), 0);\n\n\treturn 0;\n}", "project": "openfortivpn", "hash": 62920309310924663645437958387397725453, "size": 23, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. 
In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 0, "dataset": "other", "idx": 258442 }, { "func": "static void connection_read_for_eos_ssl(connection * const con) {\n\tif (con->network_read(con, con->read_queue, MAX_READ_LIMIT) < 0)\n\t\tcon->close_timeout_ts = log_epoch_secs - (HTTP_LINGER_TIMEOUT+1);\n\tchunkqueue_reset(con->read_queue);\n}", "project": "lighttpd1.4", "hash": 158547549501425005515679418286017301390, "size": 5, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251499 }, { "func": "static int pppd_terminate(struct tunnel *tunnel)\n{\n\tclose(tunnel->pppd_pty);\n\n\tlog_debug(\"Waiting for %s to exit...\\n\", PPP_DAEMON);\n\n\tint status;\n\tif (waitpid(tunnel->pppd_pid, &status, 0) == -1) {\n\t\tlog_error(\"waitpid: %s\\n\", strerror(errno));\n\t\treturn 1;\n\t}\n\tif (WIFEXITED(status)) {\n\t\tint exit_status = WEXITSTATUS(status);\n\t\tlog_debug(\"waitpid: %s exit status code %d\\n\",\n\t\t PPP_DAEMON, exit_status);\n#if HAVE_USR_SBIN_PPPD\n\t\tif (exit_status >= ARRAY_SIZE(pppd_message) || exit_status < 0) {\n\t\t\tlog_error(\"%s: Returned an unknown exit status: %d\\n\",\n\t\t\t PPP_DAEMON, exit_status);\n\t\t} else {\n\t\t\tswitch (exit_status) {\n\t\t\tcase 0: // success\n\t\t\t\tlog_debug(\"%s: %s\\n\",\n\t\t\t\t PPP_DAEMON, pppd_message[exit_status]);\n\t\t\t\tbreak;\n\t\t\tcase 16: // emitted when exiting normally\n\t\t\t\tlog_info(\"%s: %s\\n\",\n\t\t\t\t PPP_DAEMON, pppd_message[exit_status]);\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tlog_error(\"%s: %s\\n\",\n\t\t\t\t PPP_DAEMON, pppd_message[exit_status]);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n#else\n\t\t// ppp exit codes in the FreeBSD case\n\t\tswitch 
(exit_status) {\n\t\tcase 0: // success and EX_NORMAL as defined in ppp source directly\n\t\t\tlog_debug(\"%s: %s\\n\", PPP_DAEMON, pppd_message[exit_status]);\n\t\t\tbreak;\n\t\tcase 1:\n\t\tcase 127:\n\t\tcase 255: // abnormal exit with hard-coded error codes in ppp\n\t\t\tlog_error(\"%s: exited with return value of %d\\n\",\n\t\t\t PPP_DAEMON, exit_status);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tlog_error(\"%s: %s (%d)\\n\", PPP_DAEMON, strerror(exit_status),\n\t\t\t exit_status);\n\t\t\tbreak;\n\t\t}\n#endif\n\t} else if (WIFSIGNALED(status)) {\n\t\tint signal_number = WTERMSIG(status);\n\t\tlog_debug(\"waitpid: %s terminated by signal %d\\n\",\n\t\t PPP_DAEMON, signal_number);\n\t\tlog_error(\"%s: terminated by signal: %s\\n\",\n\t\t PPP_DAEMON, strsignal(signal_number));\n\t}\n\n\treturn 0;\n}", "project": "openfortivpn", "hash": 203595910544530653540580069860871061472, "size": 63, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. 
In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 0, "dataset": "other", "idx": 258441 }, { "func": "static int on_ppp_if_down(struct tunnel *tunnel)\n{\n\tlog_info(\"Setting ppp interface down.\\n\");\n\n\tif (tunnel->config->set_routes) {\n\t\tlog_info(\"Restoring routes...\\n\");\n\t\tipv4_restore_routes(tunnel);\n\t}\n\n\tif (tunnel->config->set_dns) {\n\t\tlog_info(\"Removing VPN nameservers...\\n\");\n\t\tipv4_del_nameservers_from_resolv_conf(tunnel);\n\t}\n\n\treturn 0;\n}", "project": "openfortivpn", "hash": 218877227883514937751724799406893069710, "size": 16, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. 
In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 0, "dataset": "other", "idx": 258448 }, { "func": "static int connection_read_cq_err(connection *con) {\n request_st * const r = &con->request;\n #if defined(__WIN32)\n int lastError = WSAGetLastError();\n switch (lastError) {\n case EAGAIN:\n return 0;\n case EINTR:\n /* we have been interrupted before we could read */\n con->is_readable = 1;\n return 0;\n case ECONNRESET:\n /* suppress logging for this error, expected for keep-alive */\n break;\n default:\n log_error(r->conf.errh, __FILE__, __LINE__,\n \"connection closed - recv failed: %d\", lastError);\n break;\n }\n #else /* __WIN32 */\n switch (errno) {\n case EAGAIN:\n return 0;\n case EINTR:\n /* we have been interrupted before we could read */\n con->is_readable = 1;\n return 0;\n case ECONNRESET:\n /* suppress logging for this error, expected for keep-alive */\n break;\n default:\n log_perror(r->conf.errh, __FILE__, __LINE__,\n \"connection closed - read failed\");\n break;\n }\n #endif /* __WIN32 */\n\n connection_set_state_error(r, CON_STATE_ERROR);\n return -1;\n}", "project": "lighttpd1.4", "hash": 47116704662993832407379739624627837469, "size": 40, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251506 }, { "func": "static int ssl_verify_cert(struct tunnel *tunnel)\n{\n\tint ret = -1;\n\tint cert_valid = 0;\n\tunsigned char digest[SHA256LEN];\n\tunsigned int len;\n\tstruct x509_digest *elem;\n\tchar digest_str[SHA256STRLEN], *subject, *issuer;\n\tchar *line;\n\tint i;\n\tX509_NAME *subj;\n\n\tSSL_set_verify(tunnel->ssl_handle, SSL_VERIFY_PEER, NULL);\n\n\tX509 *cert = SSL_get_peer_certificate(tunnel->ssl_handle);\n\tif 
(cert == NULL) {\n\t\tlog_error(\"Unable to get gateway certificate.\\n\");\n\t\treturn 1;\n\t}\n\n\tsubj = X509_get_subject_name(cert);\n\n#ifdef HAVE_X509_CHECK_HOST\n\t// Use OpenSSL native host validation if v >= 1.0.2.\n\t// compare against gateway_host and correctly check return value\n\t// to fix piror Incorrect use of X509_check_host\n\tif (X509_check_host(cert, tunnel->config->gateway_host,\n\t 0, 0, NULL) == 1)\n\t\tcert_valid = 1;\n#else\n\tchar common_name[FIELD_SIZE + 1];\n\t// Use explicit Common Name check if native validation not available.\n\t// Note: this will ignore Subject Alternative Name fields.\n\tif (subj\n\t && X509_NAME_get_text_by_NID(subj, NID_commonName, common_name,\n\t FIELD_SIZE) > 0\n\t && strncasecmp(common_name, tunnel->config->gateway_host,\n\t FIELD_SIZE) == 0)\n\t\tcert_valid = 1;\n#endif\n\n\t// Try to validate certificate using local PKI\n\tif (cert_valid\n\t && SSL_get_verify_result(tunnel->ssl_handle) == X509_V_OK) {\n\t\tlog_debug(\"Gateway certificate validation succeeded.\\n\");\n\t\tret = 0;\n\t\tgoto free_cert;\n\t}\n\tlog_debug(\"Gateway certificate validation failed.\\n\");\n\n\t// If validation failed, check if cert is in the white list\n\tif (X509_digest(cert, EVP_sha256(), digest, &len) <= 0\n\t || len != SHA256LEN) {\n\t\tlog_error(\"Could not compute certificate sha256 digest.\\n\");\n\t\tgoto free_cert;\n\t}\n\t// Encode digest in base16\n\tfor (i = 0; i < SHA256LEN; i++)\n\t\tsprintf(&digest_str[2 * i], \"%02x\", digest[i]);\n\tdigest_str[SHA256STRLEN - 1] = '\\0';\n\t// Is it in whitelist?\n\tfor (elem = tunnel->config->cert_whitelist; elem != NULL;\n\t elem = elem->next)\n\t\tif (memcmp(digest_str, elem->data, SHA256STRLEN - 1) == 0)\n\t\t\tbreak;\n\tif (elem != NULL) { // break before end of loop\n\t\tlog_debug(\"Gateway certificate digest found in white list.\\n\");\n\t\tret = 0;\n\t\tgoto free_cert;\n\t}\n\n\tsubject = X509_NAME_oneline(subj, NULL, 0);\n\tissuer = 
X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);\n\n\tlog_error(\"Gateway certificate validation failed, and the certificate digest in not in the local whitelist. If you trust it, rerun with:\\n\");\n\tlog_error(\" --trusted-cert %s\\n\", digest_str);\n\tlog_error(\"or add this line to your config file:\\n\");\n\tlog_error(\" trusted-cert = %s\\n\", digest_str);\n\tlog_error(\"Gateway certificate:\\n\");\n\tlog_error(\" subject:\\n\");\n\tfor (line = strtok(subject, \"/\"); line != NULL;\n\t line = strtok(NULL, \"/\"))\n\t\tlog_error(\" %s\\n\", line);\n\tlog_error(\" issuer:\\n\");\n\tfor (line = strtok(issuer, \"/\"); line != NULL;\n\t line = strtok(NULL, \"/\"))\n\t\tlog_error(\" %s\\n\", line);\n\tlog_error(\" sha256 digest:\\n\");\n\tlog_error(\" %s\\n\", digest_str);\n\nfree_cert:\n\tX509_free(cert);\n\treturn ret;\n}", "project": "openfortivpn", "hash": 231422686038679305050128276823575782422, "size": 94, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. 
In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 1, "dataset": "other", "idx": 197415 }, { "func": "static int ssl_verify_cert(struct tunnel *tunnel)\n{\n\tint ret = -1;\n\tint cert_valid = 0;\n\tunsigned char digest[SHA256LEN];\n\tunsigned int len;\n\tstruct x509_digest *elem;\n\tchar digest_str[SHA256STRLEN], *subject, *issuer;\n\tchar *line;\n\tint i;\n\tX509_NAME *subj;\n\n\tSSL_set_verify(tunnel->ssl_handle, SSL_VERIFY_PEER, NULL);\n\n\tX509 *cert = SSL_get_peer_certificate(tunnel->ssl_handle);\n\tif (cert == NULL) {\n\t\tlog_error(\"Unable to get gateway certificate.\\n\");\n\t\treturn 1;\n\t}\n\n\tsubj = X509_get_subject_name(cert);\n\n#ifdef HAVE_X509_CHECK_HOST\n\t// Use OpenSSL native host validation if v >= 1.0.2.\n\t// compare against gateway_host and correctly check return value\n\t// to fix piror Incorrect use of X509_check_host\n\tif (X509_check_host(cert, tunnel->config->gateway_host,\n\t 0, 0, NULL) == 1)\n\t\tcert_valid = 1;\n#else\n\t// Use validate_hostname form iSECPartners if native validation not available\n\t// in order to avoid TLS Certificate CommonName NULL Byte Vulnerability\n\tif (validate_hostname(tunnel->config->gateway_host, cert) == MatchFound)\n \t\tcert_valid = 1;\n#endif\n\n\t// Try to validate certificate using local PKI\n\tif (cert_valid\n\t && SSL_get_verify_result(tunnel->ssl_handle) == X509_V_OK) {\n\t\tlog_debug(\"Gateway certificate validation succeeded.\\n\");\n\t\tret = 0;\n\t\tgoto free_cert;\n\t}\n\tlog_debug(\"Gateway certificate validation failed.\\n\");\n\n\t// If validation failed, check if cert is in the white list\n\tif (X509_digest(cert, EVP_sha256(), digest, &len) <= 0\n\t || len != SHA256LEN) {\n\t\tlog_error(\"Could not compute certificate sha256 digest.\\n\");\n\t\tgoto free_cert;\n\t}\n\t// Encode digest in base16\n\tfor (i = 0; i < SHA256LEN; i++)\n\t\tsprintf(&digest_str[2 * i], \"%02x\", digest[i]);\n\tdigest_str[SHA256STRLEN 
- 1] = '\\0';\n\t// Is it in whitelist?\n\tfor (elem = tunnel->config->cert_whitelist; elem != NULL;\n\t elem = elem->next)\n\t\tif (memcmp(digest_str, elem->data, SHA256STRLEN - 1) == 0)\n\t\t\tbreak;\n\tif (elem != NULL) { // break before end of loop\n\t\tlog_debug(\"Gateway certificate digest found in white list.\\n\");\n\t\tret = 0;\n\t\tgoto free_cert;\n\t}\n\n\tsubject = X509_NAME_oneline(subj, NULL, 0);\n\tissuer = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);\n\n\tlog_error(\"Gateway certificate validation failed, and the certificate digest in not in the local whitelist. If you trust it, rerun with:\\n\");\n\tlog_error(\" --trusted-cert %s\\n\", digest_str);\n\tlog_error(\"or add this line to your config file:\\n\");\n\tlog_error(\" trusted-cert = %s\\n\", digest_str);\n\tlog_error(\"Gateway certificate:\\n\");\n\tlog_error(\" subject:\\n\");\n\tfor (line = strtok(subject, \"/\"); line != NULL;\n\t line = strtok(NULL, \"/\"))\n\t\tlog_error(\" %s\\n\", line);\n\tlog_error(\" issuer:\\n\");\n\tfor (line = strtok(issuer, \"/\"); line != NULL;\n\t line = strtok(NULL, \"/\"))\n\t\tlog_error(\" %s\\n\", line);\n\tlog_error(\" sha256 digest:\\n\");\n\tlog_error(\" %s\\n\", digest_str);\n\nfree_cert:\n\tX509_free(cert);\n\treturn ret;\n}", "project": "openfortivpn", "hash": 135184877244989477016611417442939527322, "size": 89, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. 
In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 0, "dataset": "other", "idx": 258435 }, { "func": "int ssl_connect(struct tunnel *tunnel)\n{\n\tssl_disconnect(tunnel);\n\n\ttunnel->ssl_socket = tcp_connect(tunnel);\n\tif (tunnel->ssl_socket == -1)\n\t\treturn 1;\n\n\t// registration is deprecated from OpenSSL 1.1.0 onward\n#if OPENSSL_API_COMPAT < 0x10100000L\n\t// Register the error strings for libcrypto & libssl\n\tSSL_load_error_strings();\n\t// Register the available ciphers and digests\n\tSSL_library_init();\n#endif\n\n\ttunnel->ssl_context = SSL_CTX_new(SSLv23_client_method());\n\tif (tunnel->ssl_context == NULL) {\n\t\tlog_error(\"SSL_CTX_new: %s\\n\",\n\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\treturn 1;\n\t}\n\n\t// Load the OS default CA files\n\tif (!SSL_CTX_set_default_verify_paths(tunnel->ssl_context))\n\t\tlog_error(\"Could not load OS OpenSSL files.\\n\");\n\n\tif (tunnel->config->ca_file) {\n\t\tif (!SSL_CTX_load_verify_locations(\n\t\t tunnel->ssl_context,\n\t\t tunnel->config->ca_file, NULL)) {\n\t\t\tlog_error(\"SSL_CTX_load_verify_locations: %s\\n\",\n\t\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\t\treturn 1;\n\t\t}\n\t}\n\n\t/* Use engine for PIV if user-cert config starts with pkcs11 URI: */\n\tif (tunnel->config->use_engine > 0) {\n\n\t\tENGINE *e;\n\t\tENGINE_load_builtin_engines();\n\t\te = ENGINE_by_id(\"pkcs11\");\n\t\tif (!e) {\n\t\t\tlog_error(\"Could not load pkcs11 Engine: %s\\n\",\n\t\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\t\treturn 1;\n\t\t}\n\t\tif (!ENGINE_init(e)) {\n\t\t\tlog_error(\"Could not init pkcs11 Engine: %s\\n\",\n\t\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\t\tENGINE_free(e);\n\t\t\treturn 1;\n\t\t}\n\t\tif (!ENGINE_set_default_RSA(e))\n\t\t\tabort();\n\n\t\tENGINE_finish(e);\n\t\tENGINE_free(e);\n\n\t\tstruct token parms;\n\t\tparms.uri = tunnel->config->user_cert;\n\t\tparms.cert 
= NULL;\n\n\t\tif (!ENGINE_ctrl_cmd(e, \"LOAD_CERT_CTRL\", 0, &parms, NULL, 1)) {\n\t\t\tlog_error(\"PKCS11 ENGINE_ctrl_cmd: %s\\n\",\n\t\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\t\treturn 1;\n\t\t}\n\n\t\tif (!SSL_CTX_use_certificate(tunnel->ssl_context, parms.cert)) {\n\t\t\tlog_error(\"PKCS11 SSL_CTX_use_certificate: %s\\n\",\n\t\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\t\treturn 1;\n\t\t}\n\n\t\tEVP_PKEY * privkey = ENGINE_load_private_key(\n\t\t e, parms.uri, UI_OpenSSL(), NULL);\n\t\tif (!privkey) {\n\t\t\tlog_error(\"PKCS11 ENGINE_load_private_key: %s\\n\",\n\t\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\t\treturn 1;\n\t\t}\n\n\t\tif (!SSL_CTX_use_PrivateKey(tunnel->ssl_context, privkey)) {\n\t\t\tlog_error(\"PKCS11 SSL_CTX_use_PrivateKey_file: %s\\n\",\n\t\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\t\treturn 1;\n\t\t}\n\n\t\tif (!SSL_CTX_check_private_key(tunnel->ssl_context)) {\n\t\t\tlog_error(\"PKCS11 SSL_CTX_check_private_key: %s\\n\",\n\t\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\t\treturn 1;\n\t\t}\n\n\t} else { /* end PKCS11-engine */\n\n\t\tif (tunnel->config->user_cert) {\n\t\t\tif (!SSL_CTX_use_certificate_file(\n\t\t\t tunnel->ssl_context, tunnel->config->user_cert,\n\t\t\t SSL_FILETYPE_PEM)) {\n\t\t\t\tlog_error(\"SSL_CTX_use_certificate_file: %s\\n\",\n\t\t\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\t\t\treturn 1;\n\t\t\t}\n\t\t}\n\n\t\tif (tunnel->config->user_key) {\n\t\t\tif (!SSL_CTX_use_PrivateKey_file(\n\t\t\t tunnel->ssl_context, tunnel->config->user_key,\n\t\t\t SSL_FILETYPE_PEM)) {\n\t\t\t\tlog_error(\"SSL_CTX_use_PrivateKey_file: %s\\n\",\n\t\t\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\t\t\treturn 1;\n\t\t\t}\n\t\t}\n\n\t\tif (tunnel->config->user_cert && tunnel->config->user_key) {\n\t\t\tif (!SSL_CTX_check_private_key(tunnel->ssl_context)) {\n\t\t\t\tlog_error(\"SSL_CTX_check_private_key: %s\\n\",\n\t\t\t\t 
ERR_error_string(ERR_peek_last_error(), NULL));\n\t\t\t\treturn 1;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (!tunnel->config->insecure_ssl) {\n\t\tlong sslctxopt = SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;\n\t\tlong checkopt;\n\n\t\tcheckopt = SSL_CTX_set_options(tunnel->ssl_context, sslctxopt);\n\t\tif ((checkopt & sslctxopt) != sslctxopt) {\n\t\t\tlog_error(\"SSL_CTX_set_options didn't set opt: %s\\n\",\n\t\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\t\treturn 1;\n\t\t}\n\t}\n\n\ttunnel->ssl_handle = SSL_new(tunnel->ssl_context);\n\tif (tunnel->ssl_handle == NULL) {\n\t\tlog_error(\"SSL_new: %s\\n\",\n\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\treturn 1;\n\t}\n\n\tif (!tunnel->config->insecure_ssl) {\n\t\tif (!tunnel->config->cipher_list) {\n\t\t\tconst char *cipher_list;\n\t\t\tif (tunnel->config->seclevel_1)\n\t\t\t\tcipher_list = \"HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4@SECLEVEL=1\";\n\t\t\telse\n\t\t\t\tcipher_list = \"HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4\";\n\t\t\ttunnel->config->cipher_list = strdup(cipher_list);\n\t\t}\n\t} else {\n#if OPENSSL_VERSION_NUMBER >= 0x10100000L\n\t\tif (tunnel->config->min_tls <= 0)\n\t\t\ttunnel->config->min_tls = TLS1_VERSION;\n#endif\n\t\tif (!tunnel->config->cipher_list && tunnel->config->seclevel_1) {\n\t\t\tconst char *cipher_list = \"DEFAULT@SECLEVEL=1\";\n\t\t\ttunnel->config->cipher_list = strdup(cipher_list);\n\t\t}\n\t}\n\n\tif (tunnel->config->cipher_list) {\n\t\tlog_debug(\"Setting cipher list to: %s\\n\", tunnel->config->cipher_list);\n\t\tif (!SSL_set_cipher_list(tunnel->ssl_handle,\n\t\t tunnel->config->cipher_list)) {\n\t\t\tlog_error(\"SSL_set_cipher_list failed: %s\\n\",\n\t\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\t\treturn 1;\n\t\t}\n\t}\n\n#if OPENSSL_VERSION_NUMBER >= 0x10100000L\n\tif (tunnel->config->min_tls > 0) {\n\t\tlog_debug(\"Setting min proto version to: 0x%x\\n\",\n\t\t tunnel->config->min_tls);\n\t\tif (!SSL_set_min_proto_version(tunnel->ssl_handle,\n\t\t 
tunnel->config->min_tls)) {\n\t\t\tlog_error(\"SSL_set_min_proto_version failed: %s\\n\",\n\t\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\t\treturn 1;\n\t\t}\n\t}\n#endif\n\n\tif (!SSL_set_fd(tunnel->ssl_handle, tunnel->ssl_socket)) {\n\t\tlog_error(\"SSL_set_fd: %s\\n\",\n\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\treturn 1;\n\t}\n\tSSL_set_mode(tunnel->ssl_handle, SSL_MODE_AUTO_RETRY);\n\n\t// Initiate SSL handshake\n\tif (SSL_connect(tunnel->ssl_handle) != 1) {\n\t\tlog_error(\"SSL_connect: %s\\n\"\n\t\t \"You might want to try --insecure-ssl or specify a different --cipher-list\\n\",\n\t\t ERR_error_string(ERR_peek_last_error(), NULL));\n\t\treturn 1;\n\t}\n\tSSL_set_mode(tunnel->ssl_handle, SSL_MODE_AUTO_RETRY);\n\n\tif (ssl_verify_cert(tunnel))\n\t\treturn 1;\n\n\t// Disable SIGPIPE (occurs when trying to write to an already-closed\n\t// socket).\n\tsignal(SIGPIPE, SIG_IGN);\n\n\treturn 0;\n}", "project": "openfortivpn", "hash": 324852872044591375424320563448343555464, "size": 214, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. 
In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 0, "dataset": "other", "idx": 258446 }, { "func": "int run_tunnel(struct vpn_config *config)\n{\n\tint ret;\n\tstruct tunnel tunnel = {\n\t\t.config = config,\n\t\t.state = STATE_DOWN,\n\t\t.ssl_context = NULL,\n\t\t.ssl_handle = NULL,\n\t\t.ipv4.ns1_addr.s_addr = 0,\n\t\t.ipv4.ns2_addr.s_addr = 0,\n\t\t.ipv4.dns_suffix = NULL,\n\t\t.on_ppp_if_up = on_ppp_if_up,\n\t\t.on_ppp_if_down = on_ppp_if_down\n\t};\n\n\t// Step 0: get gateway host IP\n\tlog_debug(\"Resolving gateway host ip\\n\");\n\tret = get_gateway_host_ip(&tunnel);\n\tif (ret)\n\t\tgoto err_tunnel;\n\n\t// Step 1: open a SSL connection to the gateway\n\tlog_debug(\"Establishing ssl connection\\n\");\n\tret = ssl_connect(&tunnel);\n\tif (ret)\n\t\tgoto err_tunnel;\n\tlog_info(\"Connected to gateway.\\n\");\n\n\t// Step 2: connect to the HTTP interface and authenticate to get a\n\t// cookie\n\tret = auth_log_in(&tunnel);\n\tif (ret != 1) {\n\t\tlog_error(\"Could not authenticate to gateway. 
Please check the password, client certificate, etc.\\n\");\n\t\tlog_debug(\"%s %d\\n\", err_http_str(ret), ret);\n\t\tret = 1;\n\t\tgoto err_tunnel;\n\t}\n\tlog_info(\"Authenticated.\\n\");\n\tlog_debug(\"Cookie: %s\\n\", tunnel.cookie);\n\n\tret = auth_request_vpn_allocation(&tunnel);\n\tif (ret != 1) {\n\t\tlog_error(\"VPN allocation request failed (%s).\\n\",\n\t\t err_http_str(ret));\n\t\tret = 1;\n\t\tgoto err_tunnel;\n\t}\n\tlog_info(\"Remote gateway has allocated a VPN.\\n\");\n\n\tret = ssl_connect(&tunnel);\n\tif (ret)\n\t\tgoto err_tunnel;\n\n\t// Step 3: get configuration\n\tlog_debug(\"Retrieving configuration\\n\");\n\tret = auth_get_config(&tunnel);\n\tif (ret != 1) {\n\t\tlog_error(\"Could not get VPN configuration (%s).\\n\",\n\t\t err_http_str(ret));\n\t\tret = 1;\n\t\tgoto err_tunnel;\n\t}\n\n\t// Step 4: run a pppd process\n\tlog_debug(\"Establishing the tunnel\\n\");\n\tret = pppd_run(&tunnel);\n\tif (ret)\n\t\tgoto err_tunnel;\n\n\t// Step 5: ask gateway to start tunneling\n\tlog_debug(\"Switch to tunneling mode\\n\");\n\tret = http_send(&tunnel,\n\t \"GET /remote/sslvpn-tunnel HTTP/1.1\\r\\n\"\n\t \"Host: sslvpn\\r\\n\"\n\t \"Cookie: %s\\r\\n\\r\\n\",\n\t tunnel.cookie);\n\tif (ret != 1) {\n\t\tlog_error(\"Could not start tunnel (%s).\\n\", err_http_str(ret));\n\t\tret = 1;\n\t\tgoto err_start_tunnel;\n\t}\n\n\ttunnel.state = STATE_CONNECTING;\n\tret = 0;\n\n\t// Step 6: perform io between pppd and the gateway, while tunnel is up\n\tlog_debug(\"Starting IO through the tunnel\\n\");\n\tio_loop(&tunnel);\n\n\tlog_debug(\"disconnecting\\n\");\n\tif (tunnel.state == STATE_UP)\n\t\tif (tunnel.on_ppp_if_down != NULL)\n\t\t\ttunnel.on_ppp_if_down(&tunnel);\n\n\ttunnel.state = STATE_DISCONNECTING;\n\nerr_start_tunnel:\n\tpppd_terminate(&tunnel);\n\tlog_info(\"Terminated %s.\\n\", PPP_DAEMON);\nerr_tunnel:\n\tlog_info(\"Closed connection to gateway.\\n\");\n\ttunnel.state = STATE_DOWN;\n\n\tif (ssl_connect(&tunnel)) {\n\t\tlog_info(\"Could not log 
out.\\n\");\n\t} else {\n\t\tauth_log_out(&tunnel);\n\t\tlog_info(\"Logged out.\\n\");\n\t}\n\n\t// explicitly free the buffer allocated for split routes of the ipv4 config\n\tif (tunnel.ipv4.split_rt != NULL) {\n\t\tfree(tunnel.ipv4.split_rt);\n\t\ttunnel.ipv4.split_rt = NULL;\n\t}\n\treturn ret;\n}", "project": "openfortivpn", "hash": 5883140083044183184695570733899457257, "size": 117, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 0, "dataset": "other", "idx": 258449 }, { "func": "static HostnameValidationResult matches_common_name(const char *hostname, const X509 *server_cert) {\n\tint common_name_loc = -1;\n\tX509_NAME_ENTRY *common_name_entry = NULL;\n\tASN1_STRING *common_name_asn1 = NULL;\n\tchar *common_name_str = NULL;\n\n\t// Find the position of the CN field in the Subject field of the certificate\n\tcommon_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) server_cert), NID_commonName, -1);\n\tif (common_name_loc < 0) {\n\t\treturn Error;\n\t}\n\n\t// Extract the CN field\n\tcommon_name_entry = X509_NAME_get_entry(X509_get_subject_name((X509 *) server_cert), common_name_loc);\n\tif (common_name_entry == NULL) {\n\t\treturn Error;\n\t}\n\n\t// Convert the CN field to a C string\n\tcommon_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);\n\tif (common_name_asn1 == NULL) {\n\t\treturn Error;\n\t}\t\t\t\n\tcommon_name_str = (char *) ASN1_STRING_data(common_name_asn1);\n\n\t// Make sure there isn't an embedded 
NUL character in the CN\n\tif (ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) {\n\t\treturn MalformedCertificate;\n\t}\n\n\t// Compare expected hostname with the CN\n\tif (strcasecmp(hostname, common_name_str) == 0) {\n\t\treturn MatchFound;\n\t}\n\telse {\n\t\treturn MatchNotFound;\n\t}\n}", "project": "openfortivpn", "hash": 33226936282821591397613512864812214111, "size": 38, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 0, "dataset": "other", "idx": 258439 }, { "func": "static void connection_fdwaitqueue_append(connection *con) {\n connection_list_append(&con->srv->fdwaitqueue, con);\n}", "project": "lighttpd1.4", "hash": 246881210774842215167474879371836068769, "size": 3, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251489 }, { "func": "static HostnameValidationResult matches_subject_alternative_name(const char *hostname, const X509 *server_cert) {\n\tHostnameValidationResult result = MatchNotFound;\n\tint i;\n\tint san_names_nb = -1;\n\tSTACK_OF(GENERAL_NAME) *san_names = NULL;\n\n\t// Try to extract the names within the SAN extension from the certificate\n\tsan_names = X509_get_ext_d2i((X509 *) server_cert, NID_subject_alt_name, NULL, NULL);\n\tif (san_names == 
NULL) {\n\t\treturn NoSANPresent;\n\t}\n\tsan_names_nb = sk_GENERAL_NAME_num(san_names);\n\n\t// Check each name within the extension\n\tfor (i=0; itype == GEN_DNS) {\n\t\t\t// Current name is a DNS name, let's check it\n\t\t\tchar *dns_name = (char *) ASN1_STRING_data(current_name->d.dNSName);\n\n\t\t\t// Make sure there isn't an embedded NUL character in the DNS name\n\t\t\tif (ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) {\n\t\t\t\tresult = MalformedCertificate;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\telse { // Compare expected hostname with the DNS name\n\t\t\t\tif (strcasecmp(hostname, dns_name) == 0) {\n\t\t\t\t\tresult = MatchFound;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\tsk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);\n\n\treturn result;\n}", "project": "openfortivpn", "hash": 232180728765391904444891929676696612755, "size": 38, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. 
In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 0, "dataset": "other", "idx": 258445 }, { "func": "static void connection_reset(connection *con) {\n\trequest_st * const r = &con->request;\n\trequest_reset(r);\n\tconfig_reset_config(r);\n\tr->bytes_read_ckpt = 0;\n\tr->bytes_written_ckpt = 0;\n\tcon->is_readable = 1;\n\n\tcon->bytes_written = 0;\n\tcon->bytes_written_cur_second = 0;\n\tcon->bytes_read = 0;\n}", "project": "lighttpd1.4", "hash": 39614769648465725964028882909974497207, "size": 12, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251464 }, { "func": "void connection_periodic_maint (server * const srv, const time_t cur_ts) {\n /* check all connections for timeouts */\n connections * const conns = &srv->conns;\n for (size_t ndx = 0; ndx < conns->used; ++ndx) {\n connection_check_timeout(conns->ptr[ndx], cur_ts);\n }\n}", "project": "lighttpd1.4", "hash": 250481434634153476756038205487402157434, "size": 7, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251475 }, { "func": "connection_discard_blank_line (chunkqueue * const cq, uint32_t header_len)\n{\n /*(separate func only to be able to mark with compiler hint as cold)*/\n chunkqueue_mark_written(cq, header_len);\n return cq->first; /* refresh c after chunkqueue_mark_written() */\n}", "project": "lighttpd1.4", "hash": 200702740067443306794313715705386662859, "size": 6, "commit_id": 
"b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251474 }, { "func": "static void connection_set_state_error(request_st * const r, const request_state_t state) {\n connection_set_state(r, state);\n}", "project": "lighttpd1.4", "hash": 144909509125092304739117342127087763504, "size": 3, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251500 }, { "func": "static void connection_check_timeout (connection * const con, const time_t cur_ts) {\n const int waitevents = fdevent_fdnode_interest(con->fdn);\n int changed = 0;\n int t_diff;\n\n request_st * const r = &con->request;\n if (r->state == CON_STATE_CLOSE) {\n if (cur_ts - con->close_timeout_ts > HTTP_LINGER_TIMEOUT) {\n changed = 1;\n }\n }\n else if (con->h2 && r->state == CON_STATE_WRITE) {\n h2con * const h2c = con->h2;\n if (h2c->rused) {\n for (uint32_t i = 0; i < h2c->rused; ++i) {\n request_st * const rr = h2c->r[i];\n if (rr->state == CON_STATE_ERROR) { /*(should not happen)*/\n changed = 1;\n continue;\n }\n if (rr->reqbody_length != rr->reqbody_queue.bytes_in) {\n /* XXX: should timeout apply if not trying to read on h2con?\n * (still applying timeout to catch stuck connections) */\n /* XXX: con->read_idle_ts is not per-request, so timeout\n * will not occur if other read activity occurs on h2con\n * (future: might keep separate timestamp per-request) */\n if (cur_ts - con->read_idle_ts > rr->conf.max_read_idle) {\n /* time - out */\n if (rr->conf.log_request_handling) {\n log_error(rr->conf.errh, __FILE__, __LINE__,\n 
\"request aborted - read timeout: %d\", con->fd);\n }\n connection_set_state_error(r, CON_STATE_ERROR);\n changed = 1;\n }\n }\n\n if (rr->state != CON_STATE_READ_POST\n && con->write_request_ts != 0) {\n /* XXX: con->write_request_ts is not per-request, so timeout\n * will not occur if other write activity occurs on h2con\n * (future: might keep separate timestamp per-request) */\n if (cur_ts - con->write_request_ts\n > r->conf.max_write_idle) {\n /*(see comment further down about max_write_idle)*/\n /* time - out */\n if (r->conf.log_timeouts) {\n log_error(r->conf.errh, __FILE__, __LINE__,\n \"NOTE: a request from %.*s for %.*s timed out \"\n \"after writing %lld bytes. We waited %d seconds. \"\n \"If this is a problem, increase \"\n \"server.max-write-idle\",\n BUFFER_INTLEN_PTR(con->dst_addr_buf),\n BUFFER_INTLEN_PTR(&r->target),\n (long long)r->write_queue.bytes_out,\n (int)r->conf.max_write_idle);\n }\n connection_set_state_error(r, CON_STATE_ERROR);\n changed = 1;\n }\n }\n }\n }\n else {\n if (cur_ts - con->read_idle_ts > con->keep_alive_idle) {\n /* time - out */\n if (r->conf.log_request_handling) {\n log_error(r->conf.errh, __FILE__, __LINE__,\n \"connection closed - keep-alive timeout: %d\",\n con->fd);\n }\n connection_set_state(r, CON_STATE_RESPONSE_END);\n changed = 1;\n }\n }\n }\n else if (waitevents & FDEVENT_IN) {\n if (con->request_count == 1 || r->state != CON_STATE_READ) {\n /* e.g. 
CON_STATE_READ_POST || CON_STATE_WRITE */\n if (cur_ts - con->read_idle_ts > r->conf.max_read_idle) {\n /* time - out */\n if (r->conf.log_request_handling) {\n log_error(r->conf.errh, __FILE__, __LINE__,\n \"connection closed - read timeout: %d\", con->fd);\n }\n\n connection_set_state_error(r, CON_STATE_ERROR);\n changed = 1;\n }\n } else {\n if (cur_ts - con->read_idle_ts > con->keep_alive_idle) {\n /* time - out */\n if (r->conf.log_request_handling) {\n log_error(r->conf.errh, __FILE__, __LINE__,\n \"connection closed - keep-alive timeout: %d\",\n con->fd);\n }\n\n connection_set_state_error(r, CON_STATE_ERROR);\n changed = 1;\n }\n }\n }\n\n /* max_write_idle timeout currently functions as backend timeout,\n * too, after response has been started.\n * future: have separate backend timeout, and then change this\n * to check for write interest before checking for timeout */\n /*if (waitevents & FDEVENT_OUT)*/\n if (r->http_version <= HTTP_VERSION_1_1\n && r->state == CON_STATE_WRITE && con->write_request_ts != 0) {\n #if 0\n if (cur_ts - con->write_request_ts > 60) {\n log_error(r->conf.errh, __FILE__, __LINE__,\n \"connection closed - pre-write-request-timeout: %d %d\",\n con->fd, cur_ts - con->write_request_ts);\n }\n #endif\n\n if (cur_ts - con->write_request_ts > r->conf.max_write_idle) {\n /* time - out */\n if (r->conf.log_timeouts) {\n log_error(r->conf.errh, __FILE__, __LINE__,\n \"NOTE: a request from %.*s for %.*s timed out after writing \"\n \"%lld bytes. We waited %d seconds. If this is a problem, \"\n \"increase server.max-write-idle\",\n BUFFER_INTLEN_PTR(con->dst_addr_buf),\n BUFFER_INTLEN_PTR(&r->target),\n (long long)con->bytes_written, (int)r->conf.max_write_idle);\n }\n connection_set_state_error(r, CON_STATE_ERROR);\n changed = 1;\n }\n }\n\n /* lighttpd HTTP/2 limitation: rate limit config r->conf.bytes_per_second\n * (currently) taken only from top-level config (socket), with host if SNI\n * used, but not any other config conditions, e.g. 
not per-file-type */\n\n if (0 == (t_diff = cur_ts - con->connection_start)) t_diff = 1;\n\n if (con->traffic_limit_reached &&\n (r->conf.bytes_per_second == 0 ||\n con->bytes_written < (off_t)r->conf.bytes_per_second * t_diff)) {\n /* enable connection again */\n con->traffic_limit_reached = 0;\n\n changed = 1;\n }\n\n con->bytes_written_cur_second = 0;\n\n if (changed) {\n connection_state_machine(con);\n }\n}", "project": "lighttpd1.4", "hash": 185772952407915541021838254781622042037, "size": 156, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251502 }, { "func": "static int ofv_append_varr(struct ofv_varr *p, const char *x)\n{\n\tif (p->off + 1 >= p->cap) {\n\t\tconst char **ndata;\n\t\tunsigned int ncap = (p->off + 1) * 2;\n\t\tif (p->off + 1 >= ncap) {\n\t\t\tlog_error(\"%s: ncap exceeded\\n\", __func__);\n\t\t\treturn 1;\n\t\t};\n\t\tndata = realloc(p->data, ncap * sizeof(const char *));\n\t\tif (ndata) {\n\t\t\tp->data = ndata;\n\t\t\tp->cap = ncap;\n\t\t} else {\n\t\t\tlog_error(\"realloc: %s\\n\", strerror(errno));\n\t\t\treturn 1;\n\t\t}\n\t}\n\tif (p->data == NULL) {\n\t\tlog_error(\"%s: NULL data\\n\", __func__);\n\t\treturn 1;\n\t}\n\tif (p->off + 1 >= p->cap) {\n\t\tlog_error(\"%s: cap exceeded in p\\n\", __func__);\n\t\treturn 1;\n\t}\n\tp->data[p->off] = x;\n\tp->data[++p->off] = NULL;\n\treturn 0;\n}", "project": "openfortivpn", "hash": 85454674027971386429996947400734450026, "size": 30, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately 
strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 0, "dataset": "other", "idx": 258438 }, { "func": "static int connection_handle_write(request_st * const r, connection * const con) {\n\t/*assert(!chunkqueue_is_empty(cq));*//* checked by callers */\n\n\tif (con->is_writable <= 0) return CON_STATE_WRITE;\n\tint rc = connection_write_chunkqueue(con, con->write_queue, MAX_WRITE_LIMIT);\n\tswitch (rc) {\n\tcase 0:\n\t\tif (r->resp_body_finished) {\n\t\t\tconnection_set_state(r, CON_STATE_RESPONSE_END);\n\t\t\treturn CON_STATE_RESPONSE_END;\n\t\t}\n\t\tbreak;\n\tcase -1: /* error on our side */\n\t\tlog_error(r->conf.errh, __FILE__, __LINE__,\n\t\t \"connection closed: write failed on fd %d\", con->fd);\n\t\tconnection_set_state_error(r, CON_STATE_ERROR);\n\t\treturn CON_STATE_ERROR;\n\tcase -2: /* remote close */\n\t\tconnection_set_state_error(r, CON_STATE_ERROR);\n\t\treturn CON_STATE_ERROR;\n\tcase 1:\n\t\t/* do not spin trying to send HTTP/2 server Connection Preface\n\t\t * while waiting for TLS negotiation to complete */\n\t\tif (con->write_queue->bytes_out)\n\t\t\tcon->is_writable = 0;\n\n\t\t/* not finished yet -> WRITE */\n\t\tbreak;\n\t}\n\n\treturn CON_STATE_WRITE; /*(state did not change)*/\n}", "project": "lighttpd1.4", "hash": 131145946002636593610672157614938419524, "size": 32, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251491 }, { "func": "HostnameValidationResult validate_hostname(const char *hostname, const X509 *server_cert) {\n\tHostnameValidationResult 
result;\n\n\tif((hostname == NULL) || (server_cert == NULL))\n\t\treturn Error;\n\n\t// First try the Subject Alternative Names extension\n\tresult = matches_subject_alternative_name(hostname, server_cert);\n\tif (result == NoSANPresent) {\n\t\t// Extension was not found: try the Common Name\n\t\tresult = matches_common_name(hostname, server_cert);\n\t}\n\n\treturn result;\n}", "project": "openfortivpn", "hash": 237845236604191759733726881516225911314, "size": 15, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 0, "dataset": "other", "idx": 258436 }, { "func": "static void connection_read_for_eos(connection * const con) {\n\t!con->is_ssl_sock\n\t ? 
connection_read_for_eos_plain(con)\n\t : connection_read_for_eos_ssl(con);\n}", "project": "lighttpd1.4", "hash": 117154304726964967748899401669309166042, "size": 5, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251462 }, { "func": "connection *connection_accepted(server *srv, server_socket *srv_socket, sock_addr *cnt_addr, int cnt) {\n\t\tconnection *con;\n\n\t\tsrv->cur_fds++;\n\n\t\t/* ok, we have the connection, register it */\n#if 0\n\t\tlog_error(srv->errh, __FILE__, __LINE__, \"accepted() %d\", cnt);\n#endif\n\t\tsrv->con_opened++;\n\n\t\tcon = connections_get_new_connection(srv);\n\n\t\tcon->fd = cnt;\n\t\tcon->fdn = fdevent_register(srv->ev, con->fd, connection_handle_fdevent, con);\n\t\tcon->network_read = connection_read_cq;\n\t\tcon->network_write = connection_write_cq;\n\t\tcon->reqbody_read = connection_handle_read_post_state;\n\n\t\trequest_st * const r = &con->request;\n\t\tconnection_set_state(r, CON_STATE_REQUEST_START);\n\n\t\tcon->connection_start = log_epoch_secs;\n\t\tcon->dst_addr = *cnt_addr;\n\t\tsock_addr_cache_inet_ntop_copy_buffer(con->dst_addr_buf,&con->dst_addr);\n\t\tcon->srv_socket = srv_socket;\n\t\tcon->is_ssl_sock = srv_socket->is_ssl;\n\t\tcon->proto_default_port = 80; /* \"http\" */\n\n\t\tconfig_cond_cache_reset(r);\n\t\tr->conditional_is_valid = (1 << COMP_SERVER_SOCKET)\n\t\t | (1 << COMP_HTTP_REMOTE_IP);\n\n\t\tif (HANDLER_GO_ON != plugins_call_handle_connection_accept(con)) {\n\t\t\tconnection_reset(con);\n\t\t\tconnection_close(con);\n\t\t\treturn NULL;\n\t\t}\n\t\tif (r->http_status < 0) connection_set_state(r, CON_STATE_WRITE);\n\t\treturn con;\n}", "project": "lighttpd1.4", "hash": 193184371286978848415697850853555567779, "size": 41, "commit_id": 
"b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251481 }, { "func": "static void connection_close(connection *con) {\n\tif (con->fd < 0) con->fd = -con->fd;\n\n\tplugins_call_handle_connection_close(con);\n\n\tserver * const srv = con->srv;\n\trequest_st * const r = &con->request;\n\trequest_reset_ex(r); /*(r->conf.* is still valid below)*/\n\tconnection_set_state(r, CON_STATE_CONNECT);\n\n\tchunkqueue_reset(con->read_queue);\n\tcon->request_count = 0;\n\tcon->is_ssl_sock = 0;\n\tcon->revents_err = 0;\n\n\tfdevent_fdnode_event_del(srv->ev, con->fdn);\n\tfdevent_unregister(srv->ev, con->fd);\n\tcon->fdn = NULL;\n#ifdef __WIN32\n\tif (0 == closesocket(con->fd))\n#else\n\tif (0 == close(con->fd))\n#endif\n\t\t--srv->cur_fds;\n\telse\n\t\tlog_perror(r->conf.errh, __FILE__, __LINE__,\n\t\t \"(warning) close: %d\", con->fd);\n\n\tif (r->conf.log_state_handling) {\n\t\tlog_error(r->conf.errh, __FILE__, __LINE__,\n\t\t \"connection closed for fd %d\", con->fd);\n\t}\n\tcon->fd = -1;\n\n\tconnection_del(srv, con);\n}", "project": "lighttpd1.4", "hash": 295260793061737623439190150194655457090, "size": 36, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251477 }, { "func": "static int pppd_run(struct tunnel *tunnel)\n{\n\tpid_t pid;\n\tint amaster;\n\tint slave_stderr;\n\n#ifdef HAVE_STRUCT_TERMIOS\n\tstruct termios termp = {\n\t\t.c_cflag = B9600,\n\t\t.c_cc[VTIME] = 0,\n\t\t.c_cc[VMIN] = 1\n\t};\n#endif\n\n\tstatic const char ppp_path[] = PPP_PATH;\n\tif (access(ppp_path, F_OK) != 0) 
{\n\t\tlog_error(\"%s: %s.\\n\", ppp_path, strerror(errno));\n\t\treturn 1;\n\t}\n\tlog_debug(\"ppp_path: %s\\n\", ppp_path);\n\n\tslave_stderr = dup(STDERR_FILENO);\n\n\tif (slave_stderr < 0) {\n\t\tlog_error(\"slave stderr %s\\n\", strerror(errno));\n\t\treturn 1;\n\t}\n\n#ifdef HAVE_STRUCT_TERMIOS\n\tpid = forkpty(&amaster, NULL, &termp, NULL);\n#else\n\tpid = forkpty(&amaster, NULL, NULL, NULL);\n#endif\n\n\tif (pid == 0) { // child process\n\n\t\tstruct ofv_varr pppd_args = { 0, 0, NULL };\n\n\t\tdup2(slave_stderr, STDERR_FILENO);\n\t\tclose(slave_stderr);\n\n#if HAVE_USR_SBIN_PPP\n\t\t/*\n\t\t * assume there is a default configuration to start.\n\t\t * Support for taking options from the command line\n\t\t * e.g. the name of the configuration or options\n\t\t * to send interactively to ppp will be added later\n\t\t */\n\t\tstatic const char *const v[] = {\n\t\t\tppp_path,\n\t\t\t\"-direct\"\n\t\t};\n\t\tfor (unsigned int i = 0; i < ARRAY_SIZE(v); i++)\n\t\t\tif (ofv_append_varr(&pppd_args, v[i]))\n\t\t\t\treturn 1;\n#endif\n#if HAVE_USR_SBIN_PPPD\n\t\tif (tunnel->config->pppd_call) {\n\t\t\tif (ofv_append_varr(&pppd_args, ppp_path))\n\t\t\t\treturn 1;\n\t\t\tif (ofv_append_varr(&pppd_args, \"call\"))\n\t\t\t\treturn 1;\n\t\t\tif (ofv_append_varr(&pppd_args, tunnel->config->pppd_call))\n\t\t\t\treturn 1;\n\t\t} else {\n\t\t\tstatic const char *const v[] = {\n\t\t\t\tppp_path,\n\t\t\t\t\"115200\", // speed\n\t\t\t\t\":192.0.2.1\", // :\n\t\t\t\t\"noipdefault\",\n\t\t\t\t\"noaccomp\",\n\t\t\t\t\"noauth\",\n\t\t\t\t\"default-asyncmap\",\n\t\t\t\t\"nopcomp\",\n\t\t\t\t\"receive-all\",\n\t\t\t\t\"nodefaultroute\",\n\t\t\t\t\"nodetach\",\n\t\t\t\t\"lcp-max-configure\", \"40\",\n\t\t\t\t\"mru\", \"1354\"\n\t\t\t};\n\t\t\tfor (unsigned int i = 0; i < ARRAY_SIZE(v); i++)\n\t\t\t\tif (ofv_append_varr(&pppd_args, v[i]))\n\t\t\t\t\treturn 1;\n\t\t}\n\t\tif (tunnel->config->pppd_use_peerdns)\n\t\t\tif (ofv_append_varr(&pppd_args, \"usepeerdns\"))\n\t\t\t\treturn 1;\n\t\tif 
(tunnel->config->pppd_log) {\n\t\t\tif (ofv_append_varr(&pppd_args, \"debug\"))\n\t\t\t\treturn 1;\n\t\t\tif (ofv_append_varr(&pppd_args, \"logfile\"))\n\t\t\t\treturn 1;\n\t\t\tif (ofv_append_varr(&pppd_args, tunnel->config->pppd_log))\n\t\t\t\treturn 1;\n\t\t} else {\n\t\t\t/*\n\t\t\t * pppd defaults to logging to fd=1, clobbering the\n\t\t\t * actual PPP data\n\t\t\t */\n\t\t\tif (ofv_append_varr(&pppd_args, \"logfd\"))\n\t\t\t\treturn 1;\n\t\t\tif (ofv_append_varr(&pppd_args, \"2\"))\n\t\t\t\treturn 1;\n\t\t}\n\t\tif (tunnel->config->pppd_plugin) {\n\t\t\tif (ofv_append_varr(&pppd_args, \"plugin\"))\n\t\t\t\treturn 1;\n\t\t\tif (ofv_append_varr(&pppd_args, tunnel->config->pppd_plugin))\n\t\t\t\treturn 1;\n\t\t}\n\t\tif (tunnel->config->pppd_ipparam) {\n\t\t\tif (ofv_append_varr(&pppd_args, \"ipparam\"))\n\t\t\t\treturn 1;\n\t\t\tif (ofv_append_varr(&pppd_args, tunnel->config->pppd_ipparam))\n\t\t\t\treturn 1;\n\t\t}\n\t\tif (tunnel->config->pppd_ifname) {\n\t\t\tif (ofv_append_varr(&pppd_args, \"ifname\"))\n\t\t\t\treturn 1;\n\t\t\tif (ofv_append_varr(&pppd_args, tunnel->config->pppd_ifname))\n\t\t\t\treturn 1;\n\t\t}\n#endif\n#if HAVE_USR_SBIN_PPP\n\t\tif (tunnel->config->ppp_system) {\n\t\t\tif (ofv_append_varr(&pppd_args, tunnel->config->ppp_system))\n\t\t\t\treturn 1;\n\t\t}\n#endif\n\n\t\tclose(tunnel->ssl_socket);\n\t\texecv(pppd_args.data[0], (char *const *)pppd_args.data);\n\t\tfree(pppd_args.data);\n\n\t\tfprintf(stderr, \"execvp: %s\\n\", strerror(errno));\n\t\t_exit(EXIT_FAILURE);\n\t} else {\n\t\tclose(slave_stderr);\n\t\tif (pid == -1) {\n\t\t\tlog_error(\"forkpty: %s\\n\", strerror(errno));\n\t\t\treturn 1;\n\t\t}\n\t}\n\n\t// Set non-blocking\n\tint flags = fcntl(amaster, F_GETFL, 0);\n\tif (flags == -1)\n\t\tflags = 0;\n\tif (fcntl(amaster, F_SETFL, flags | O_NONBLOCK) == -1) {\n\t\tlog_error(\"fcntl: %s\\n\", strerror(errno));\n\t\treturn 1;\n\t}\n\n\ttunnel->pppd_pid = pid;\n\ttunnel->pppd_pty = amaster;\n\n\treturn 0;\n}", "project": 
"openfortivpn", "hash": 9287660413456285241545260466089184700, "size": 158, "commit_id": "6328a070ddaab16faaf008cb9a8a62439c30f2a8", "message": "fix TLS Certificate CommonName NULL Byte Vulnerability\n\nCVE-2020-7043 TLS Certificate CommonName NULL Byte Vulnerability is fixed\nwith this commit\n\nwith #8 hostname validation for the certificate was introduced\nbut unfortunately strncasecmp() was used to compare the byte array\nagainst the expected hostname. This does not correctly treat a CN\nwhich contains a NULL byte. In order to fix this vulnerability\nthe reference implementation from iSECPartners has been included\ninto the code.", "target": 0, "dataset": "other", "idx": 258447 } ] }, { "call_depth": 2, "longest_call_chain": [ "parse_connect_url", "url_is_local_not_ssh" ], "group_size": 4, "functions": [ { "func": "static enum protocol parse_connect_url(const char *url_orig, char **ret_host,\n\t\t\t\t char **ret_path)\n{\n\tchar *url;\n\tchar *host, *path;\n\tchar *end;\n\tint separator = '/';\n\tenum protocol protocol = PROTO_LOCAL;\n\n\tif (is_url(url_orig))\n\t\turl = url_decode(url_orig);\n\telse\n\t\turl = xstrdup(url_orig);\n\n\thost = strstr(url, \"://\");\n\tif (host) {\n\t\t*host = '\\0';\n\t\tprotocol = get_protocol(url);\n\t\thost += 3;\n\t} else {\n\t\thost = url;\n\t\tif (!url_is_local_not_ssh(url)) {\n\t\t\tprotocol = PROTO_SSH;\n\t\t\tseparator = ':';\n\t\t}\n\t}\n\n\t/*\n\t * Don't do destructive transforms as protocol code does\n\t * '[]' unwrapping in get_host_and_port()\n\t */\n\tend = host_end(&host, 0);\n\n\tif (protocol == PROTO_LOCAL)\n\t\tpath = end;\n\telse if (protocol == PROTO_FILE && has_dos_drive_prefix(end))\n\t\tpath = end; /* \"file://$(pwd)\" may be \"file://C:/projects/repo\" */\n\telse\n\t\tpath = strchr(end, separator);\n\n\tif (!path || !*path)\n\t\tdie(\"No path specified. 
See 'man git-pull' for valid url syntax\");\n\n\t/*\n\t * null-terminate hostname and point path to ~ for URL's like this:\n\t * ssh://host.xz/~user/repo\n\t */\n\n\tend = path; /* Need to \\0 terminate host here */\n\tif (separator == ':')\n\t\tpath++; /* path starts after ':' */\n\tif (protocol == PROTO_GIT || protocol == PROTO_SSH) {\n\t\tif (path[1] == '~')\n\t\t\tpath++;\n\t}\n\n\tpath = xstrdup(path);\n\t*end = '\\0';\n\n\t*ret_host = xstrdup(host);\n\t*ret_path = path;\n\tfree(url);\n\treturn protocol;\n}", "project": "git", "hash": 61382454691409150028723344149975455335, "size": 64, "commit_id": "f82a97eb9197c1e3768e72648f37ce0ca3233734", "message": "mingw: handle `subst`-ed \"DOS drives\"\n\nOver a decade ago, in 25fe217b86c (Windows: Treat Windows style path\nnames., 2008-03-05), Git was taught to handle absolute Windows paths,\ni.e. paths that start with a drive letter and a colon.\n\nUnbeknownst to us, while drive letters of physical drives are limited to\nletters of the English alphabet, there is a way to assign virtual drive\nletters to arbitrary directories, via the `subst` command, which is\n_not_ limited to English letters.\n\nIt is therefore possible to have absolute Windows paths of the form\n`1:\\what\\the\\hex.txt`. Even \"better\": pretty much arbitrary Unicode\nletters can also be used, e.g. `ä:\\tschibät.sch`.\n\nWhile it can be sensibly argued that users who set up such funny drive\nletters really seek adverse consequences, the Windows Operating System\nis known to be a platform where many users are at the mercy of\nadministrators who have their very own idea of what constitutes a\nreasonable setup.\n\nTherefore, let's just make sure that such funny paths are still\nconsidered absolute paths by Git, on Windows.\n\nIn addition to Unicode characters, pretty much any character is a valid\ndrive letter, as far as `subst` is concerned, even `:` and `\"` or even a\nspace character. 
While it is probably the opposite of smart to use them,\nlet's safeguard `is_dos_drive_prefix()` against all of them.\n\nNote: `[::1]:repo` is a valid URL, but not a valid path on Windows.\nAs `[` is now considered a valid drive letter, we need to be very\ncareful to avoid misinterpreting such a string as valid local path in\n`url_is_local_not_ssh()`. To do that, we use the just-introduced\nfunction `is_valid_path()` (which will label the string as invalid file\nname because of the colon characters).\n\nThis fixes CVE-2019-1351.\n\nReported-by: Nicolas Joly \nSigned-off-by: Johannes Schindelin ", "target": 0, "dataset": "other", "idx": 376258 }, { "func": "int url_is_local_not_ssh(const char *url)\n{\n\tconst char *colon = strchr(url, ':');\n\tconst char *slash = strchr(url, '/');\n\treturn !colon || (slash && slash < colon) ||\n\t\thas_dos_drive_prefix(url);\n}", "project": "git", "hash": 93761688030965830881707145604603054740, "size": 7, "commit_id": "f82a97eb9197c1e3768e72648f37ce0ca3233734", "message": "mingw: handle `subst`-ed \"DOS drives\"\n\nOver a decade ago, in 25fe217b86c (Windows: Treat Windows style path\nnames., 2008-03-05), Git was taught to handle absolute Windows paths,\ni.e. paths that start with a drive letter and a colon.\n\nUnbeknownst to us, while drive letters of physical drives are limited to\nletters of the English alphabet, there is a way to assign virtual drive\nletters to arbitrary directories, via the `subst` command, which is\n_not_ limited to English letters.\n\nIt is therefore possible to have absolute Windows paths of the form\n`1:\\what\\the\\hex.txt`. Even \"better\": pretty much arbitrary Unicode\nletters can also be used, e.g. 
`ä:\\tschibät.sch`.\n\nWhile it can be sensibly argued that users who set up such funny drive\nletters really seek adverse consequences, the Windows Operating System\nis known to be a platform where many users are at the mercy of\nadministrators who have their very own idea of what constitutes a\nreasonable setup.\n\nTherefore, let's just make sure that such funny paths are still\nconsidered absolute paths by Git, on Windows.\n\nIn addition to Unicode characters, pretty much any character is a valid\ndrive letter, as far as `subst` is concerned, even `:` and `\"` or even a\nspace character. While it is probably the opposite of smart to use them,\nlet's safeguard `is_dos_drive_prefix()` against all of them.\n\nNote: `[::1]:repo` is a valid URL, but not a valid path on Windows.\nAs `[` is now considered a valid drive letter, we need to be very\ncareful to avoid misinterpreting such a string as valid local path in\n`url_is_local_not_ssh()`. To do that, we use the just-introduced\nfunction `is_valid_path()` (which will label the string as invalid file\nname because of the colon characters).\n\nThis fixes CVE-2019-1351.\n\nReported-by: Nicolas Joly \nSigned-off-by: Johannes Schindelin ", "target": 1, "dataset": "other", "idx": 206023 }, { "func": "int url_is_local_not_ssh(const char *url)\n{\n\tconst char *colon = strchr(url, ':');\n\tconst char *slash = strchr(url, '/');\n\treturn !colon || (slash && slash < colon) ||\n\t\t(has_dos_drive_prefix(url) && is_valid_path(url));\n}", "project": "git", "hash": 322711509457870301529370883808295524605, "size": 7, "commit_id": "f82a97eb9197c1e3768e72648f37ce0ca3233734", "message": "mingw: handle `subst`-ed \"DOS drives\"\n\nOver a decade ago, in 25fe217b86c (Windows: Treat Windows style path\nnames., 2008-03-05), Git was taught to handle absolute Windows paths,\ni.e. 
paths that start with a drive letter and a colon.\n\nUnbeknownst to us, while drive letters of physical drives are limited to\nletters of the English alphabet, there is a way to assign virtual drive\nletters to arbitrary directories, via the `subst` command, which is\n_not_ limited to English letters.\n\nIt is therefore possible to have absolute Windows paths of the form\n`1:\\what\\the\\hex.txt`. Even \"better\": pretty much arbitrary Unicode\nletters can also be used, e.g. `ä:\\tschibät.sch`.\n\nWhile it can be sensibly argued that users who set up such funny drive\nletters really seek adverse consequences, the Windows Operating System\nis known to be a platform where many users are at the mercy of\nadministrators who have their very own idea of what constitutes a\nreasonable setup.\n\nTherefore, let's just make sure that such funny paths are still\nconsidered absolute paths by Git, on Windows.\n\nIn addition to Unicode characters, pretty much any character is a valid\ndrive letter, as far as `subst` is concerned, even `:` and `\"` or even a\nspace character. While it is probably the opposite of smart to use them,\nlet's safeguard `is_dos_drive_prefix()` against all of them.\n\nNote: `[::1]:repo` is a valid URL, but not a valid path on Windows.\nAs `[` is now considered a valid drive letter, we need to be very\ncareful to avoid misinterpreting such a string as valid local path in\n`url_is_local_not_ssh()`. 
To do that, we use the just-introduced\nfunction `is_valid_path()` (which will label the string as invalid file\nname because of the colon characters).\n\nThis fixes CVE-2019-1351.\n\nReported-by: Nicolas Joly \nSigned-off-by: Johannes Schindelin ", "target": 0, "dataset": "other", "idx": 376250 }, { "func": "static enum protocol get_protocol(const char *name)\n{\n\tif (!strcmp(name, \"ssh\"))\n\t\treturn PROTO_SSH;\n\tif (!strcmp(name, \"git\"))\n\t\treturn PROTO_GIT;\n\tif (!strcmp(name, \"git+ssh\")) /* deprecated - do not use */\n\t\treturn PROTO_SSH;\n\tif (!strcmp(name, \"ssh+git\")) /* deprecated - do not use */\n\t\treturn PROTO_SSH;\n\tif (!strcmp(name, \"file\"))\n\t\treturn PROTO_FILE;\n\tdie(\"I don't handle protocol '%s'\", name);\n}", "project": "git", "hash": 55285994154757596922843263083946824571, "size": 14, "commit_id": "f82a97eb9197c1e3768e72648f37ce0ca3233734", "message": "mingw: handle `subst`-ed \"DOS drives\"\n\nOver a decade ago, in 25fe217b86c (Windows: Treat Windows style path\nnames., 2008-03-05), Git was taught to handle absolute Windows paths,\ni.e. paths that start with a drive letter and a colon.\n\nUnbeknownst to us, while drive letters of physical drives are limited to\nletters of the English alphabet, there is a way to assign virtual drive\nletters to arbitrary directories, via the `subst` command, which is\n_not_ limited to English letters.\n\nIt is therefore possible to have absolute Windows paths of the form\n`1:\\what\\the\\hex.txt`. Even \"better\": pretty much arbitrary Unicode\nletters can also be used, e.g. 
`ä:\\tschibät.sch`.\n\nWhile it can be sensibly argued that users who set up such funny drive\nletters really seek adverse consequences, the Windows Operating System\nis known to be a platform where many users are at the mercy of\nadministrators who have their very own idea of what constitutes a\nreasonable setup.\n\nTherefore, let's just make sure that such funny paths are still\nconsidered absolute paths by Git, on Windows.\n\nIn addition to Unicode characters, pretty much any character is a valid\ndrive letter, as far as `subst` is concerned, even `:` and `\"` or even a\nspace character. While it is probably the opposite of smart to use them,\nlet's safeguard `is_dos_drive_prefix()` against all of them.\n\nNote: `[::1]:repo` is a valid URL, but not a valid path on Windows.\nAs `[` is now considered a valid drive letter, we need to be very\ncareful to avoid misinterpreting such a string as valid local path in\n`url_is_local_not_ssh()`. To do that, we use the just-introduced\nfunction `is_valid_path()` (which will label the string as invalid file\nname because of the colon characters).\n\nThis fixes CVE-2019-1351.\n\nReported-by: Nicolas Joly \nSigned-off-by: Johannes Schindelin ", "target": 0, "dataset": "other", "idx": 376260 } ] }, { "call_depth": 5, "longest_call_chain": [ "rdp_send_demand_active", "rdp_write_demand_active", "rdp_print_capability_sets", "rdp_print_glyph_cache_capability_set", "rdp_read_cache_definition" ], "group_size": 112, "functions": [ { "func": "static BOOL rdp_write_remote_programs_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 railSupportLevel;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\trailSupportLevel = RAIL_LEVEL_SUPPORTED;\n\n\tif (settings->RemoteApplicationSupportLevel & RAIL_LEVEL_DOCKED_LANGBAR_SUPPORTED)\n\t{\n\t\tif (settings->RemoteAppLanguageBarSupported)\n\t\t\trailSupportLevel |= 
RAIL_LEVEL_DOCKED_LANGBAR_SUPPORTED;\n\t}\n\n\trailSupportLevel |= RAIL_LEVEL_SHELL_INTEGRATION_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_LANGUAGE_IME_SYNC_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_SERVER_TO_CLIENT_IME_SYNC_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_HIDE_MINIMIZED_APPS_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_WINDOW_CLOAKING_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_HANDSHAKE_EX_SUPPORTED;\n\t/* Mask out everything the server does not support. */\n\trailSupportLevel &= settings->RemoteApplicationSupportLevel;\n\tStream_Write_UINT32(s, railSupportLevel); /* railSupportLevel (4 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_RAIL);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 193709063470865603451783243875991335784, "size": 29, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409659 }, { "func": "static BOOL rdp_print_font_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 fontSupportFlags = 0;\n\tUINT16 pad2Octets = 0;\n\tWLog_INFO(TAG, \"FontCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length > 4)\n\t\tStream_Read_UINT16(s, fontSupportFlags); /* fontSupportFlags (2 bytes) */\n\n\tif (length > 6)\n\t\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\n\tWLog_INFO(TAG, \"\\tfontSupportFlags: 0x%04\" PRIX16 \"\", fontSupportFlags);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 287219390919017726670088650927058088376, "size": 16, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409619 }, { "func": "static BOOL rdp_read_glyph_cache_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tif (length < 52)\n\t\treturn FALSE;\n\n\t/* glyphCache (40 bytes) 
*/\n\trdp_read_cache_definition(s, &(settings->GlyphCache[0])); /* glyphCache0 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[1])); /* glyphCache1 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[2])); /* glyphCache2 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[3])); /* glyphCache3 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[4])); /* glyphCache4 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[5])); /* glyphCache5 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[6])); /* glyphCache6 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[7])); /* glyphCache7 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[8])); /* glyphCache8 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[9])); /* glyphCache9 (4 bytes) */\n\trdp_read_cache_definition(s, settings->FragCache); /* fragCache (4 bytes) */\n\tStream_Read_UINT16(s, settings->GlyphSupportLevel); /* glyphSupportLevel (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 290575542386525663549333405388088029038, "size": 21, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409625 }, { "func": "static BOOL rdp_read_capability_sets(wStream* s, rdpSettings* settings, UINT16 numberCapabilities,\n UINT16 totalLength)\n{\n\tBOOL treated;\n\tsize_t start, end, len;\n\tUINT16 count = numberCapabilities;\n\n\tstart = Stream_GetPosition(s);\n\twhile (numberCapabilities > 0 && Stream_GetRemainingLength(s) >= 4)\n\t{\n\t\tUINT16 type;\n\t\tUINT16 length;\n\t\tBYTE* em;\n\t\tBYTE* bm = Stream_Pointer(s);\n\t\trdp_read_capability_set_header(s, &length, &type);\n\n\t\tif (type < 32)\n\t\t{\n\t\t\tsettings->ReceivedCapabilities[type] = TRUE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tWLog_WARN(TAG, 
\"not handling capability type %\" PRIu16 \" yet\", type);\n\t\t}\n\n\t\tem = bm + length;\n\n\t\tif (Stream_GetRemainingLength(s) + 4 < ((size_t)length))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"error processing stream\");\n\t\t\treturn FALSE;\n\t\t}\n\n\t\ttreated = TRUE;\n\n\t\tswitch (type)\n\t\t{\n\t\t\tcase CAPSET_TYPE_GENERAL:\n\t\t\t\tif (!rdp_read_general_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP:\n\t\t\t\tif (!rdp_read_bitmap_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_ORDER:\n\t\t\t\tif (!rdp_read_order_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_POINTER:\n\t\t\t\tif (!rdp_read_pointer_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_INPUT:\n\t\t\t\tif (!rdp_read_input_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_VIRTUAL_CHANNEL:\n\t\t\t\tif (!rdp_read_virtual_channel_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SHARE:\n\t\t\t\tif (!rdp_read_share_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_COLOR_CACHE:\n\t\t\t\tif (!rdp_read_color_cache_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_FONT:\n\t\t\t\tif (!rdp_read_font_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_DRAW_GDI_PLUS:\n\t\t\t\tif (!rdp_read_draw_gdiplus_cache_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_RAIL:\n\t\t\t\tif (!rdp_read_remote_programs_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_WINDOW:\n\t\t\t\tif 
(!rdp_read_window_list_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_MULTI_FRAGMENT_UPDATE:\n\t\t\t\tif (!rdp_read_multifragment_update_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_LARGE_POINTER:\n\t\t\t\tif (!rdp_read_large_pointer_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_COMP_DESK:\n\t\t\t\tif (!rdp_read_desktop_composition_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SURFACE_COMMANDS:\n\t\t\t\tif (!rdp_read_surface_commands_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CODECS:\n\t\t\t\tif (!rdp_read_bitmap_codecs_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_FRAME_ACKNOWLEDGE:\n\t\t\t\tif (!rdp_read_frame_acknowledge_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID:\n\t\t\t\tif (!rdp_read_bitmap_cache_v3_codec_id_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tdefault:\n\t\t\t\ttreated = FALSE;\n\t\t\t\tbreak;\n\t\t}\n\n\t\tif (!treated)\n\t\t{\n\t\t\tif (settings->ServerMode)\n\t\t\t{\n\t\t\t\t/* treating capabilities that are supposed to be send only from the client */\n\t\t\t\tswitch (type)\n\t\t\t\t{\n\t\t\t\t\tcase CAPSET_TYPE_BITMAP_CACHE:\n\t\t\t\t\t\tif (!rdp_read_bitmap_cache_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_V2:\n\t\t\t\t\t\tif (!rdp_read_bitmap_cache_v2_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_BRUSH:\n\t\t\t\t\t\tif (!rdp_read_brush_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn 
FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_GLYPH_CACHE:\n\t\t\t\t\t\tif (!rdp_read_glyph_cache_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_OFFSCREEN_CACHE:\n\t\t\t\t\t\tif (!rdp_read_offscreen_bitmap_cache_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_SOUND:\n\t\t\t\t\t\tif (!rdp_read_sound_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_CONTROL:\n\t\t\t\t\t\tif (!rdp_read_control_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_ACTIVATION:\n\t\t\t\t\t\tif (!rdp_read_window_activation_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_DRAW_NINE_GRID_CACHE:\n\t\t\t\t\t\tif (!rdp_read_draw_nine_grid_cache_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tdefault:\n\t\t\t\t\t\tWLog_ERR(TAG, \"capability %s(%\" PRIu16 \") not expected from client\",\n\t\t\t\t\t\t get_capability_name(type), type);\n\t\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t/* treating capabilities that are supposed to be send only from the server */\n\t\t\t\tswitch (type)\n\t\t\t\t{\n\t\t\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_HOST_SUPPORT:\n\t\t\t\t\t\tif (!rdp_read_bitmap_cache_host_support_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tdefault:\n\t\t\t\t\t\tWLog_ERR(TAG, \"capability %s(%\" PRIu16 \") not expected from server\",\n\t\t\t\t\t\t get_capability_name(type), type);\n\t\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (Stream_Pointer(s) != em)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"incorrect offset, type:0x%04\" PRIX16 \" actual:%\" PRIuz \" expected:%\" PRIuz \"\",\n\t\t\t type, 
Stream_Pointer(s) - bm, em - bm);\n\t\t\tStream_SetPointer(s, em);\n\t\t}\n\n\t\tnumberCapabilities--;\n\t}\n\n\tend = Stream_GetPosition(s);\n\tlen = end - start;\n\n\tif (numberCapabilities)\n\t{\n\t\tWLog_ERR(TAG,\n\t\t \"strange we haven't read the number of announced capacity sets, read=%d \"\n\t\t \"expected=%\" PRIu16 \"\",\n\t\t count - numberCapabilities, count);\n\t}\n\n#ifdef WITH_DEBUG_CAPABILITIES\n\t{\n\t\tStream_SetPosition(s, start);\n\t\tnumberCapabilities = count;\n\t\trdp_print_capability_sets(s, numberCapabilities, TRUE);\n\t\tStream_SetPosition(s, end);\n\t}\n#endif\n\n\tif (len > totalLength)\n\t{\n\t\tWLog_ERR(TAG, \"Capability length expected %\" PRIu16 \", actual %\" PRIdz, totalLength, len);\n\t\treturn FALSE;\n\t}\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 67779701891338520668353647467913614405, "size": 280, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409685 }, { "func": "static BOOL rdp_read_color_cache_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* colorTableCacheSize (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 170743954534991278023661558618450335809, "size": 10, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409683 }, { "func": "static void rdp_write_bitmap_cache_cell_info(wStream* s, BITMAP_CACHE_V2_CELL_INFO* cellInfo)\n{\n\tUINT32 info;\n\t/**\n\t * numEntries is in the first 31 bits, while the last bit (k)\n\t * is used to indicate a persistent bitmap cache.\n\t */\n\tinfo = (cellInfo->numEntries | (cellInfo->persistent << 31));\n\tStream_Write_UINT32(s, info);\n}", "project": "FreeRDP", "hash": 
315141264147868383992564277570837036722, "size": 10, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409626 }, { "func": "static BOOL rdp_read_offscreen_bitmap_cache_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 offscreenSupportLevel;\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, offscreenSupportLevel); /* offscreenSupportLevel (4 bytes) */\n\tStream_Read_UINT16(s, settings->OffscreenCacheSize); /* offscreenCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, settings->OffscreenCacheEntries); /* offscreenCacheEntries (2 bytes) */\n\n\tif (offscreenSupportLevel & TRUE)\n\t\tsettings->OffscreenSupportLevel = TRUE;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 62983332440671309324742543335528050053, "size": 17, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409615 }, { "func": "static BOOL rdp_write_color_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 6); /* colorTableCacheSize (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_COLOR_CACHE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 278164959863837085932912697446259628534, "size": 16, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409652 }, { "func": "static BOOL rdp_print_window_activation_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 helpKeyFlag;\n\tUINT16 
helpKeyIndexFlag;\n\tUINT16 helpExtendedKeyFlag;\n\tUINT16 windowManagerKeyFlag;\n\tWLog_INFO(TAG, \"WindowActivationCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, helpKeyFlag); /* helpKeyFlag (2 bytes) */\n\tStream_Read_UINT16(s, helpKeyIndexFlag); /* helpKeyIndexFlag (2 bytes) */\n\tStream_Read_UINT16(s, helpExtendedKeyFlag); /* helpExtendedKeyFlag (2 bytes) */\n\tStream_Read_UINT16(s, windowManagerKeyFlag); /* windowManagerKeyFlag (2 bytes) */\n\tWLog_INFO(TAG, \"\\thelpKeyFlag: 0x%04\" PRIX16 \"\", helpKeyFlag);\n\tWLog_INFO(TAG, \"\\thelpKeyIndexFlag: 0x%04\" PRIX16 \"\", helpKeyIndexFlag);\n\tWLog_INFO(TAG, \"\\thelpExtendedKeyFlag: 0x%04\" PRIX16 \"\", helpExtendedKeyFlag);\n\tWLog_INFO(TAG, \"\\twindowManagerKeyFlag: 0x%04\" PRIX16 \"\", windowManagerKeyFlag);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 153479571757899139175602773326518312374, "size": 21, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409628 }, { "func": "static BOOL rdp_print_remote_programs_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 railSupportLevel;\n\tWLog_INFO(TAG, \"RemoteProgramsCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, railSupportLevel); /* railSupportLevel (4 bytes) */\n\tWLog_INFO(TAG, \"\\trailSupportLevel: 0x%08\" PRIX32 \"\", railSupportLevel);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 72639172899165116266830345752544775949, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409587 }, { "func": "BOOL rdp_send_demand_active(rdpRdp* rdp)\n{\n\twStream* s = rdp_send_stream_pdu_init(rdp);\n\tBOOL status;\n\n\tif (!s)\n\t\treturn FALSE;\n\n\trdp->settings->ShareId 
= 0x10000 + rdp->mcs->userId;\n\tstatus = rdp_write_demand_active(s, rdp->settings) &&\n\t rdp_send_pdu(rdp, s, PDU_TYPE_DEMAND_ACTIVE, rdp->mcs->userId);\n\tStream_Release(s);\n\treturn status;\n}", "project": "FreeRDP", "hash": 205696353185449835056499661961516775413, "size": 14, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409586 }, { "func": "static BOOL rdp_read_window_list_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tif (length < 11)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, settings->RemoteWndSupportLevel); /* wndSupportLevel (4 bytes) */\n\tStream_Read_UINT8(s, settings->RemoteAppNumIconCaches); /* numIconCaches (1 byte) */\n\tStream_Read_UINT16(s,\n\t settings->RemoteAppNumIconCacheEntries); /* numIconCacheEntries (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 67896909242570986520479535524505651635, "size": 11, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409665 }, { "func": "static BOOL rdp_write_rfx_client_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tUINT32 captureFlags;\n\tBYTE codecMode;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\tcaptureFlags = settings->RemoteFxOnly ? 
0 : CARDP_CAPS_CAPTURE_NON_CAC;\n\tcodecMode = settings->RemoteFxCodecMode;\n\tStream_Write_UINT16(s, 49); /* codecPropertiesLength */\n\t/* TS_RFX_CLNT_CAPS_CONTAINER */\n\tStream_Write_UINT32(s, 49); /* length */\n\tStream_Write_UINT32(s, captureFlags); /* captureFlags */\n\tStream_Write_UINT32(s, 37); /* capsLength */\n\t/* TS_RFX_CAPS */\n\tStream_Write_UINT16(s, CBY_CAPS); /* blockType */\n\tStream_Write_UINT32(s, 8); /* blockLen */\n\tStream_Write_UINT16(s, 1); /* numCapsets */\n\t/* TS_RFX_CAPSET */\n\tStream_Write_UINT16(s, CBY_CAPSET); /* blockType */\n\tStream_Write_UINT32(s, 29); /* blockLen */\n\tStream_Write_UINT8(s, 0x01); /* codecId (MUST be set to 0x01) */\n\tStream_Write_UINT16(s, CLY_CAPSET); /* capsetType */\n\tStream_Write_UINT16(s, 2); /* numIcaps */\n\tStream_Write_UINT16(s, 8); /* icapLen */\n\t/* TS_RFX_ICAP (RLGR1) */\n\tStream_Write_UINT16(s, CLW_VERSION_1_0); /* version */\n\tStream_Write_UINT16(s, CT_TILE_64x64); /* tileSize */\n\tStream_Write_UINT8(s, codecMode); /* flags */\n\tStream_Write_UINT8(s, CLW_COL_CONV_ICT); /* colConvBits */\n\tStream_Write_UINT8(s, CLW_XFORM_DWT_53_A); /* transformBits */\n\tStream_Write_UINT8(s, CLW_ENTROPY_RLGR1); /* entropyBits */\n\t/* TS_RFX_ICAP (RLGR3) */\n\tStream_Write_UINT16(s, CLW_VERSION_1_0); /* version */\n\tStream_Write_UINT16(s, CT_TILE_64x64); /* tileSize */\n\tStream_Write_UINT8(s, codecMode); /* flags */\n\tStream_Write_UINT8(s, CLW_COL_CONV_ICT); /* colConvBits */\n\tStream_Write_UINT8(s, CLW_XFORM_DWT_53_A); /* transformBits */\n\tStream_Write_UINT8(s, CLW_ENTROPY_RLGR3); /* entropyBits */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 200878113568940200705345537700818220319, "size": 42, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409602 }, { "func": "BOOL rdp_send_confirm_active(rdpRdp* rdp)\n{\n\twStream* s = rdp_send_stream_pdu_init(rdp);\n\tBOOL 
status;\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tstatus = rdp_write_confirm_active(s, rdp->settings) &&\n\t rdp_send_pdu(rdp, s, PDU_TYPE_CONFIRM_ACTIVE, rdp->mcs->userId);\n\tStream_Release(s);\n\treturn status;\n}", "project": "FreeRDP", "hash": 303361272103618703355733933078905733598, "size": 13, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409681 }, { "func": "static BOOL rdp_write_virtual_channel_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 flags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tflags = VCCAPS_NO_COMPR;\n\tStream_Write_UINT32(s, flags); /* flags (4 bytes) */\n\tStream_Write_UINT32(s, settings->VirtualChannelChunkSize); /* VCChunkSize (4 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_VIRTUAL_CHANNEL);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 307084930192072983573817185031030778059, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409688 }, { "func": "BOOL rdp_recv_confirm_active(rdpRdp* rdp, wStream* s, UINT16 pduLength)\n{\n\trdpSettings* settings;\n\tUINT16 lengthSourceDescriptor;\n\tUINT16 lengthCombinedCapabilities;\n\tUINT16 numberCapabilities;\n\tsettings = rdp->settings;\n\n\tif (Stream_GetRemainingLength(s) < 10)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT32(s); /* shareId (4 bytes) */\n\tStream_Seek_UINT16(s); /* originatorId (2 bytes) */\n\tStream_Read_UINT16(s, lengthSourceDescriptor); /* lengthSourceDescriptor (2 bytes) */\n\tStream_Read_UINT16(s, lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */\n\n\tif (Stream_GetRemainingLength(s) < lengthSourceDescriptor + 4U)\n\t\treturn FALSE;\n\n\tStream_Seek(s, lengthSourceDescriptor); /* 
sourceDescriptor */\n\tStream_Read_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) */\n\tStream_Seek(s, 2); /* pad2Octets (2 bytes) */\n\tif (!rdp_read_capability_sets(s, rdp->settings, numberCapabilities, lengthCombinedCapabilities))\n\t\treturn FALSE;\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_SURFACE_COMMANDS])\n\t{\n\t\t/* client does not support surface commands */\n\t\tsettings->SurfaceCommandsEnabled = FALSE;\n\t\tsettings->SurfaceFrameMarkerEnabled = FALSE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_FRAME_ACKNOWLEDGE])\n\t{\n\t\t/* client does not support frame acks */\n\t\tsettings->FrameAcknowledge = 0;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID])\n\t{\n\t\t/* client does not support bitmap cache v3 */\n\t\tsettings->BitmapCacheV3Enabled = FALSE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_BITMAP_CODECS])\n\t{\n\t\t/* client does not support bitmap codecs */\n\t\tsettings->RemoteFxCodec = FALSE;\n\t\tsettings->NSCodec = FALSE;\n\t\tsettings->JpegCodec = FALSE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_MULTI_FRAGMENT_UPDATE])\n\t{\n\t\t/* client does not support multi fragment updates - make sure packages are not fragmented */\n\t\tsettings->MultifragMaxRequestSize = FASTPATH_FRAGMENT_SAFE_SIZE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_LARGE_POINTER])\n\t{\n\t\t/* client does not support large pointers */\n\t\tsettings->LargePointerFlag = 0;\n\t}\n\n\treturn tpkt_ensure_stream_consumed(s, pduLength);\n}", "project": "FreeRDP", "hash": 91493289017108646570943692625390752372, "size": 66, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409640 }, { "func": "static BOOL rdp_write_large_pointer_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 largePointerSupportFlags;\n\n\tif 
(!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tlargePointerSupportFlags =\n\t settings->LargePointerFlag & (LARGE_POINTER_FLAG_96x96 | LARGE_POINTER_FLAG_384x384);\n\tStream_Write_UINT16(s, largePointerSupportFlags); /* largePointerSupportFlags (2 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_LARGE_POINTER);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 109685188564620579761907320676178023525, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409616 }, { "func": "static BOOL rdp_write_frame_acknowledge_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT32(s, settings->FrameAcknowledge); /* (4 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_FRAME_ACKNOWLEDGE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 191472304007744135114926456006727424452, "size": 14, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409591 }, { "func": "static BOOL rdp_print_sound_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 soundFlags;\n\tUINT16 pad2OctetsA;\n\tWLog_INFO(TAG, \"SoundCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, soundFlags); /* soundFlags (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsA); /* pad2OctetsA (2 bytes) */\n\tWLog_INFO(TAG, \"\\tsoundFlags: 0x%04\" PRIX16 \"\", soundFlags);\n\tWLog_INFO(TAG, \"\\tpad2OctetsA: 0x%04\" PRIX16 \"\", pad2OctetsA);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 270468318396106321627842466475171868710, 
"size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409690 }, { "func": "static BOOL rdp_print_offscreen_bitmap_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 offscreenSupportLevel;\n\tUINT16 offscreenCacheSize;\n\tUINT16 offscreenCacheEntries;\n\tWLog_INFO(TAG, \"OffscreenBitmapCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, offscreenSupportLevel); /* offscreenSupportLevel (4 bytes) */\n\tStream_Read_UINT16(s, offscreenCacheSize); /* offscreenCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, offscreenCacheEntries); /* offscreenCacheEntries (2 bytes) */\n\tWLog_INFO(TAG, \"\\toffscreenSupportLevel: 0x%08\" PRIX32 \"\", offscreenSupportLevel);\n\tWLog_INFO(TAG, \"\\toffscreenCacheSize: 0x%04\" PRIX16 \"\", offscreenCacheSize);\n\tWLog_INFO(TAG, \"\\toffscreenCacheEntries: 0x%04\" PRIX16 \"\", offscreenCacheEntries);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 52430610983265653194826083004421839498, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409663 }, { "func": "static void rdp_read_bitmap_codec_guid(wStream* s, GUID* guid)\n{\n\tBYTE g[16];\n\tStream_Read(s, g, 16);\n\tguid->Data1 = (g[3] << 24) | (g[2] << 16) | (g[1] << 8) | g[0];\n\tguid->Data2 = (g[5] << 8) | g[4];\n\tguid->Data3 = (g[7] << 8) | g[6];\n\tguid->Data4[0] = g[8];\n\tguid->Data4[1] = g[9];\n\tguid->Data4[2] = g[10];\n\tguid->Data4[3] = g[11];\n\tguid->Data4[4] = g[12];\n\tguid->Data4[5] = g[13];\n\tguid->Data4[6] = g[14];\n\tguid->Data4[7] = g[15];\n}", "project": "FreeRDP", "hash": 4886774312460546608647694875224936828, "size": 16, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in 
rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409620 }, { "func": "static BOOL rdp_print_frame_acknowledge_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 frameAcknowledge;\n\tWLog_INFO(TAG, \"FrameAcknowledgeCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, frameAcknowledge); /* frameAcknowledge (4 bytes) */\n\tWLog_INFO(TAG, \"\\tframeAcknowledge: 0x%08\" PRIX32 \"\", frameAcknowledge);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 160917538292160124231779813896302866645, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409678 }, { "func": "static void rdp_write_cache_definition(wStream* s, GLYPH_CACHE_DEFINITION* cache_definition)\n{\n\tStream_Write_UINT16(s, cache_definition->cacheEntries); /* cacheEntries (2 bytes) */\n\tStream_Write_UINT16(\n\t s, cache_definition->cacheMaximumCellSize); /* cacheMaximumCellSize (2 bytes) */\n}", "project": "FreeRDP", "hash": 242617420166332381831381736771931983231, "size": 6, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409593 }, { "func": "static BOOL rdp_write_confirm_active(wStream* s, rdpSettings* settings)\n{\n\tsize_t bm, em, lm;\n\tUINT16 numberCapabilities;\n\tUINT16 lengthSourceDescriptor;\n\tsize_t lengthCombinedCapabilities;\n\tBOOL ret;\n\tlengthSourceDescriptor = sizeof(SOURCE_DESCRIPTOR);\n\tStream_Write_UINT32(s, settings->ShareId); /* shareId (4 bytes) */\n\tStream_Write_UINT16(s, 0x03EA); /* originatorId (2 bytes) */\n\tStream_Write_UINT16(s, lengthSourceDescriptor); /* lengthSourceDescriptor (2 bytes) */\n\tlm = Stream_GetPosition(s);\n\tStream_Seek_UINT16(s); /* lengthCombinedCapabilities (2 bytes) */\n\tStream_Write(s, SOURCE_DESCRIPTOR, 
lengthSourceDescriptor); /* sourceDescriptor */\n\tbm = Stream_GetPosition(s);\n\tStream_Seek_UINT16(s); /* numberCapabilities (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\t/* Capability Sets */\n\tnumberCapabilities = 15;\n\n\tif (!rdp_write_general_capability_set(s, settings) ||\n\t !rdp_write_bitmap_capability_set(s, settings) ||\n\t !rdp_write_order_capability_set(s, settings))\n\t\treturn FALSE;\n\n\tif (settings->RdpVersion >= RDP_VERSION_5_PLUS)\n\t\tret = rdp_write_bitmap_cache_v2_capability_set(s, settings);\n\telse\n\t\tret = rdp_write_bitmap_cache_capability_set(s, settings);\n\n\tif (!ret)\n\t\treturn FALSE;\n\n\tif (!rdp_write_pointer_capability_set(s, settings) ||\n\t !rdp_write_input_capability_set(s, settings) ||\n\t !rdp_write_brush_capability_set(s, settings) ||\n\t !rdp_write_glyph_cache_capability_set(s, settings) ||\n\t !rdp_write_virtual_channel_capability_set(s, settings) ||\n\t !rdp_write_sound_capability_set(s, settings) ||\n\t !rdp_write_share_capability_set(s, settings) ||\n\t !rdp_write_font_capability_set(s, settings) ||\n\t !rdp_write_control_capability_set(s, settings) ||\n\t !rdp_write_color_cache_capability_set(s, settings) ||\n\t !rdp_write_window_activation_capability_set(s, settings))\n\t{\n\t\treturn FALSE;\n\t}\n\n\tif (settings->OffscreenSupportLevel)\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_offscreen_bitmap_cache_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->DrawNineGridEnabled)\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_draw_nine_grid_cache_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_LARGE_POINTER])\n\t{\n\t\tif (settings->LargePointerFlag)\n\t\t{\n\t\t\tnumberCapabilities++;\n\n\t\t\tif (!rdp_write_large_pointer_capability_set(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\tif (settings->RemoteApplicationMode)\n\t{\n\t\tnumberCapabilities += 2;\n\n\t\tif 
(!rdp_write_remote_programs_capability_set(s, settings) ||\n\t\t !rdp_write_window_list_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_MULTI_FRAGMENT_UPDATE])\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_multifragment_update_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_SURFACE_COMMANDS])\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_surface_commands_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_BITMAP_CODECS])\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_bitmap_codecs_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_FRAME_ACKNOWLEDGE])\n\t\tsettings->FrameAcknowledge = 0;\n\n\tif (settings->FrameAcknowledge)\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_frame_acknowledge_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID])\n\t{\n\t\tif (settings->BitmapCacheV3CodecId != 0)\n\t\t{\n\t\t\tnumberCapabilities++;\n\n\t\t\tif (!rdp_write_bitmap_cache_v3_codec_id_capability_set(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\tem = Stream_GetPosition(s);\n\tStream_SetPosition(s, lm); /* go back to lengthCombinedCapabilities */\n\tlengthCombinedCapabilities = (em - bm);\n\tif (lengthCombinedCapabilities > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(\n\t s, (UINT16)lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */\n\tStream_SetPosition(s, bm); /* go back to numberCapabilities */\n\tStream_Write_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) */\n#ifdef WITH_DEBUG_CAPABILITIES\n\tStream_Seek_UINT16(s);\n\trdp_print_capability_sets(s, numberCapabilities, FALSE);\n\tStream_SetPosition(s, bm);\n\tStream_Seek_UINT16(s);\n#endif\n\tStream_SetPosition(s, em);\n\n\treturn 
TRUE;\n}", "project": "FreeRDP", "hash": 327946317814750375154764007246473998380, "size": 149, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409592 }, { "func": "static BOOL rdp_write_surface_commands_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 cmdFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tcmdFlags = SURFCMDS_SET_SURFACE_BITS | SURFCMDS_STREAM_SURFACE_BITS;\n\n\tif (settings->SurfaceFrameMarkerEnabled)\n\t\tcmdFlags |= SURFCMDS_FRAME_MARKER;\n\n\tStream_Write_UINT32(s, cmdFlags); /* cmdFlags (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* reserved (4 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_SURFACE_COMMANDS);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 265887635769419825443180195929426885533, "size": 19, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409621 }, { "func": "static char* rdp_get_bitmap_codec_guid_name(const GUID* guid)\n{\n\tRPC_STATUS rpc_status;\n\n\tif (UuidEqual(guid, &CODEC_GUID_REMOTEFX, &rpc_status))\n\t\treturn \"CODEC_GUID_REMOTEFX\";\n\telse if (UuidEqual(guid, &CODEC_GUID_NSCODEC, &rpc_status))\n\t\treturn \"CODEC_GUID_NSCODEC\";\n\telse if (UuidEqual(guid, &CODEC_GUID_IGNORE, &rpc_status))\n\t\treturn \"CODEC_GUID_IGNORE\";\n\telse if (UuidEqual(guid, &CODEC_GUID_IMAGE_REMOTEFX, &rpc_status))\n\t\treturn \"CODEC_GUID_IMAGE_REMOTEFX\";\n\n#if defined(WITH_JPEG)\n\telse if (UuidEqual(guid, &CODEC_GUID_JPEG, &rpc_status))\n\t\treturn \"CODEC_GUID_JPEG\";\n\n#endif\n\treturn \"CODEC_GUID_UNKNOWN\";\n}", "project": "FreeRDP", "hash": 155254763281841975956016535383696375092, "size": 20, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed 
#6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409680 }, { "func": "static BOOL rdp_read_control_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* controlFlags (2 bytes) */\n\tStream_Seek_UINT16(s); /* remoteDetachFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* controlInterest (2 bytes) */\n\tStream_Seek_UINT16(s); /* detachInterest (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 246788064512336968283169931181073093043, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409614 }, { "func": "static BOOL rdp_print_draw_nine_grid_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 drawNineGridSupportLevel;\n\tUINT16 DrawNineGridCacheSize;\n\tUINT16 DrawNineGridCacheEntries;\n\tWLog_INFO(TAG, \"DrawNineGridCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, drawNineGridSupportLevel); /* drawNineGridSupportLevel (4 bytes) */\n\tStream_Read_UINT16(s, DrawNineGridCacheSize); /* drawNineGridCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, DrawNineGridCacheEntries); /* drawNineGridCacheEntries (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 99697391840067480834853895868286238230, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409579 }, { "func": "static BOOL rdp_read_font_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length > 4)\n\t\tStream_Seek_UINT16(s); /* fontSupportFlags (2 bytes) */\n\n\tif (length > 6)\n\t\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\n\treturn TRUE;\n}", 
"project": "FreeRDP", "hash": 63945765978373457675419959857261610616, "size": 11, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 1, "dataset": "other", "idx": 208417 }, { "func": "static BOOL rdp_read_font_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length > 5)\n\t\tStream_Seek_UINT16(s); /* fontSupportFlags (2 bytes) */\n\n\tif (length > 7)\n\t\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 92561895110037279576315503246460434637, "size": 11, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409646 }, { "func": "static BOOL rdp_print_large_pointer_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 largePointerSupportFlags;\n\tWLog_INFO(TAG, \"LargePointerCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 6)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, largePointerSupportFlags); /* largePointerSupportFlags (2 bytes) */\n\tWLog_INFO(TAG, \"\\tlargePointerSupportFlags: 0x%04\" PRIX16 \"\", largePointerSupportFlags);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 339958623772639294175049811240387745622, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409623 }, { "func": "static BOOL rdp_read_window_activation_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* helpKeyFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* helpKeyIndexFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* helpExtendedKeyFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* windowManagerKeyFlag (2 bytes) */\n\treturn 
TRUE;\n}", "project": "FreeRDP", "hash": 92929385624240835162166734974587379320, "size": 13, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409684 }, { "func": "static void rdp_print_bitmap_codec_guid(const GUID* guid)\n{\n\tWLog_INFO(TAG,\n\t \"%08\" PRIX32 \"%04\" PRIX16 \"%04\" PRIX16 \"%02\" PRIX8 \"%02\" PRIX8 \"%02\" PRIX8 \"%02\" PRIX8\n\t \"%02\" PRIX8 \"%02\" PRIX8 \"%02\" PRIX8 \"%02\" PRIX8 \"\",\n\t guid->Data1, guid->Data2, guid->Data3, guid->Data4[0], guid->Data4[1], guid->Data4[2],\n\t guid->Data4[3], guid->Data4[4], guid->Data4[5], guid->Data4[6], guid->Data4[7]);\n}", "project": "FreeRDP", "hash": 77099897294778299773712257711439024635, "size": 8, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409651 }, { "func": "static BOOL rdp_print_window_list_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 wndSupportLevel;\n\tBYTE numIconCaches;\n\tUINT16 numIconCacheEntries;\n\tWLog_INFO(TAG, \"WindowListCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 11)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, wndSupportLevel); /* wndSupportLevel (4 bytes) */\n\tStream_Read_UINT8(s, numIconCaches); /* numIconCaches (1 byte) */\n\tStream_Read_UINT16(s, numIconCacheEntries); /* numIconCacheEntries (2 bytes) */\n\tWLog_INFO(TAG, \"\\twndSupportLevel: 0x%08\" PRIX32 \"\", wndSupportLevel);\n\tWLog_INFO(TAG, \"\\tnumIconCaches: 0x%02\" PRIX8 \"\", numIconCaches);\n\tWLog_INFO(TAG, \"\\tnumIconCacheEntries: 0x%04\" PRIX16 \"\", numIconCacheEntries);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 56084745407537054957836216665066621553, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", 
"idx": 409638 }, { "func": "static BOOL rdp_write_share_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 nodeId;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tnodeId = (settings->ServerMode) ? 0x03EA : 0;\n\tStream_Write_UINT16(s, nodeId); /* nodeId (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_SHARE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 26910384615262271113922396983420701080, "size": 17, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409596 }, { "func": "static BOOL rdp_print_brush_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 brushSupportLevel;\n\tWLog_INFO(TAG, \"BrushCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, brushSupportLevel); /* brushSupportLevel (4 bytes) */\n\tWLog_INFO(TAG, \"\\tbrushSupportLevel: 0x%08\" PRIX32 \"\", brushSupportLevel);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 285436586425045297137013893498254341233, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409581 }, { "func": "static BOOL rdp_read_desktop_composition_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tif (length < 6)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* compDeskSupportLevel (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 257896305155583954962696210326662575434, "size": 9, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 
409612 }, { "func": "static BOOL rdp_write_offscreen_bitmap_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 offscreenSupportLevel = 0x00;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->OffscreenSupportLevel)\n\t{\n\t\toffscreenSupportLevel = 0x01;\n\t\tStream_Write_UINT32(s, offscreenSupportLevel); /* offscreenSupportLevel (4 bytes) */\n\t\tStream_Write_UINT16(s, settings->OffscreenCacheSize); /* offscreenCacheSize (2 bytes) */\n\t\tStream_Write_UINT16(s,\n\t\t settings->OffscreenCacheEntries); /* offscreenCacheEntries (2 bytes) */\n\t}\n\telse\n\t\tStream_Zero(s, 8);\n\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_OFFSCREEN_CACHE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 34976567181626346706020341189913124378, "size": 25, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409672 }, { "func": "static BOOL rdp_print_bitmap_cache_v2_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 cacheFlags;\n\tBYTE pad2;\n\tBYTE numCellCaches;\n\tBITMAP_CACHE_V2_CELL_INFO bitmapCacheV2CellInfo[5];\n\tWLog_INFO(TAG, \"BitmapCacheV2CapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, cacheFlags); /* cacheFlags (2 bytes) */\n\tStream_Read_UINT8(s, pad2); /* pad2 (1 byte) */\n\tStream_Read_UINT8(s, numCellCaches); /* numCellCaches (1 byte) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t &bitmapCacheV2CellInfo[0]); /* bitmapCache0CellInfo (4 bytes) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t &bitmapCacheV2CellInfo[1]); /* bitmapCache1CellInfo (4 bytes) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t &bitmapCacheV2CellInfo[2]); /* bitmapCache2CellInfo (4 bytes) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t 
&bitmapCacheV2CellInfo[3]); /* bitmapCache3CellInfo (4 bytes) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t &bitmapCacheV2CellInfo[4]); /* bitmapCache4CellInfo (4 bytes) */\n\tStream_Seek(s, 12); /* pad3 (12 bytes) */\n\tWLog_INFO(TAG, \"\\tcacheFlags: 0x%04\" PRIX16 \"\", cacheFlags);\n\tWLog_INFO(TAG, \"\\tpad2: 0x%02\" PRIX8 \"\", pad2);\n\tWLog_INFO(TAG, \"\\tnumCellCaches: 0x%02\" PRIX8 \"\", numCellCaches);\n\tWLog_INFO(TAG, \"\\tbitmapCache0CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[0].numEntries, bitmapCacheV2CellInfo[0].persistent);\n\tWLog_INFO(TAG, \"\\tbitmapCache1CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[1].numEntries, bitmapCacheV2CellInfo[1].persistent);\n\tWLog_INFO(TAG, \"\\tbitmapCache2CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[2].numEntries, bitmapCacheV2CellInfo[2].persistent);\n\tWLog_INFO(TAG, \"\\tbitmapCache3CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[3].numEntries, bitmapCacheV2CellInfo[3].persistent);\n\tWLog_INFO(TAG, \"\\tbitmapCache4CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[4].numEntries, bitmapCacheV2CellInfo[4].persistent);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 296655781578711417366859937464765040063, "size": 40, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409608 }, { "func": "static BOOL rdp_read_general_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 extraFlags;\n\tBYTE refreshRectSupport;\n\tBYTE suppressOutputSupport;\n\n\tif (length < 24)\n\t\treturn FALSE;\n\n\tif (settings->ServerMode)\n\t{\n\t\tStream_Read_UINT16(s, settings->OsMajorType); /* osMajorType (2 bytes) */\n\t\tStream_Read_UINT16(s, settings->OsMinorType); /* 
osMinorType (2 bytes) */\n\t}\n\telse\n\t{\n\t\tStream_Seek_UINT16(s); /* osMajorType (2 bytes) */\n\t\tStream_Seek_UINT16(s); /* osMinorType (2 bytes) */\n\t}\n\n\tStream_Seek_UINT16(s); /* protocolVersion (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsA (2 bytes) */\n\tStream_Seek_UINT16(s); /* generalCompressionTypes (2 bytes) */\n\tStream_Read_UINT16(s, extraFlags); /* extraFlags (2 bytes) */\n\tStream_Seek_UINT16(s); /* updateCapabilityFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* remoteUnshareFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* generalCompressionLevel (2 bytes) */\n\tStream_Read_UINT8(s, refreshRectSupport); /* refreshRectSupport (1 byte) */\n\tStream_Read_UINT8(s, suppressOutputSupport); /* suppressOutputSupport (1 byte) */\n\tsettings->NoBitmapCompressionHeader = (extraFlags & NO_BITMAP_COMPRESSION_HDR) ? TRUE : FALSE;\n\tsettings->LongCredentialsSupported = (extraFlags & LONG_CREDENTIALS_SUPPORTED) ? TRUE : FALSE;\n\n\tif (!(extraFlags & FASTPATH_OUTPUT_SUPPORTED))\n\t\tsettings->FastPathOutput = FALSE;\n\n\tif (!(extraFlags & ENC_SALTED_CHECKSUM))\n\t\tsettings->SaltedChecksum = FALSE;\n\n\tif (!settings->ServerMode)\n\t{\n\t\t/**\n\t\t * Note: refreshRectSupport and suppressOutputSupport are\n\t\t * server-only flags indicating to the client weather the\n\t\t * respective PDUs are supported. 
See MS-RDPBCGR 2.2.7.1.1\n\t\t */\n\t\tif (!refreshRectSupport)\n\t\t\tsettings->RefreshRect = FALSE;\n\n\t\tif (!suppressOutputSupport)\n\t\t\tsettings->SuppressOutput = FALSE;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 849871180783904750462910493265742730, "size": 54, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409649 }, { "func": "static BOOL rdp_write_rfx_server_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 4); /* codecPropertiesLength */\n\tStream_Write_UINT32(s, 0); /* reserved */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 30381998541812809023414048959611680622, "size": 10, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409647 }, { "func": "static BOOL rdp_print_color_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 colorTableCacheSize;\n\tUINT16 pad2Octets;\n\tWLog_INFO(TAG, \"ColorCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, colorTableCacheSize); /* colorTableCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcolorTableCacheSize: 0x%04\" PRIX16 \"\", colorTableCacheSize);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 147412173596886311190003265789714347848, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409682 }, { "func": "static BOOL rdp_read_virtual_channel_capability_set(wStream* s, UINT16 length,\n 
rdpSettings* settings)\n{\n\tUINT32 flags;\n\tUINT32 VCChunkSize;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, flags); /* flags (4 bytes) */\n\n\tif (length > 8)\n\t\tStream_Read_UINT32(s, VCChunkSize); /* VCChunkSize (4 bytes) */\n\telse\n\t\tVCChunkSize = 1600;\n\n\tif (settings->ServerMode != TRUE)\n\t\tsettings->VirtualChannelChunkSize = VCChunkSize;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 290598108437996799579687211407031343101, "size": 21, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409597 }, { "func": "static BOOL rdp_read_order_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tint i;\n\tUINT16 orderFlags;\n\tBYTE orderSupport[32];\n\tUINT16 orderSupportExFlags;\n\tBOOL BitmapCacheV3Enabled = FALSE;\n\tBOOL FrameMarkerCommandEnabled = FALSE;\n\n\tif (length < 88)\n\t\treturn FALSE;\n\n\tStream_Seek(s, 16); /* terminalDescriptor (16 bytes) */\n\tStream_Seek_UINT32(s); /* pad4OctetsA (4 bytes) */\n\tStream_Seek_UINT16(s); /* desktopSaveXGranularity (2 bytes) */\n\tStream_Seek_UINT16(s); /* desktopSaveYGranularity (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsA (2 bytes) */\n\tStream_Seek_UINT16(s); /* maximumOrderLevel (2 bytes) */\n\tStream_Seek_UINT16(s); /* numberFonts (2 bytes) */\n\tStream_Read_UINT16(s, orderFlags); /* orderFlags (2 bytes) */\n\tStream_Read(s, orderSupport, 32); /* orderSupport (32 bytes) */\n\tStream_Seek_UINT16(s); /* textFlags (2 bytes) */\n\tStream_Read_UINT16(s, orderSupportExFlags); /* orderSupportExFlags (2 bytes) */\n\tStream_Seek_UINT32(s); /* pad4OctetsB (4 bytes) */\n\tStream_Seek_UINT32(s); /* desktopSaveSize (4 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsC (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsD (2 bytes) */\n\tStream_Seek_UINT16(s); /* textANSICodePage (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsE (2 bytes) 
*/\n\n\tfor (i = 0; i < 32; i++)\n\t{\n\t\tif (orderSupport[i] == FALSE)\n\t\t\tsettings->OrderSupport[i] = FALSE;\n\t}\n\n\tif (orderFlags & ORDER_FLAGS_EXTRA_SUPPORT)\n\t{\n\t\tif (orderSupportExFlags & CACHE_BITMAP_V3_SUPPORT)\n\t\t\tBitmapCacheV3Enabled = TRUE;\n\n\t\tif (orderSupportExFlags & ALTSEC_FRAME_MARKER_SUPPORT)\n\t\t\tFrameMarkerCommandEnabled = TRUE;\n\t}\n\n\tif (settings->BitmapCacheV3Enabled && BitmapCacheV3Enabled)\n\t\tsettings->BitmapCacheVersion = 3;\n\telse\n\t\tsettings->BitmapCacheV3Enabled = FALSE;\n\n\tif (settings->FrameMarkerCommandEnabled && !FrameMarkerCommandEnabled)\n\t\tsettings->FrameMarkerCommandEnabled = FALSE;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 189672869918992028391314712470791613301, "size": 55, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409676 }, { "func": "static BOOL rdp_write_nsc_server_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 4); /* codecPropertiesLength */\n\tStream_Write_UINT32(s, 0); /* reserved */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 60725325689248985919258800414909485501, "size": 10, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409601 }, { "func": "static BOOL rdp_write_bitmap_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tUINT32 bpp;\n\tsize_t header;\n\tUINT32 size;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tbpp = (settings->ColorDepth + 7) / 8;\n\tif (bpp > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT32(s, 0); /* pad1 (4 bytes) 
*/\n\tStream_Write_UINT32(s, 0); /* pad2 (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad3 (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad4 (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad5 (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad6 (4 bytes) */\n\tsize = bpp * 256;\n\tif (size > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 200); /* Cache0Entries (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)size); /* Cache0MaximumCellSize (2 bytes) */\n\tsize = bpp * 1024;\n\tif (size > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 600); /* Cache1Entries (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)size); /* Cache1MaximumCellSize (2 bytes) */\n\tsize = bpp * 4096;\n\tif (size > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 1000); /* Cache2Entries (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)size); /* Cache2MaximumCellSize (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BITMAP_CACHE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 121157721180275409455921259823027389764, "size": 39, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409648 }, { "func": "static BOOL rdp_read_brush_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT32(s); /* brushSupportLevel (4 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 201932960273049902456905707665273606852, "size": 9, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409603 }, { "func": "static BOOL rdp_write_nsc_client_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tBYTE colorLossLevel;\n\tBYTE fAllowSubsampling;\n\tBYTE fAllowDynamicFidelity;\n\tfAllowDynamicFidelity = 
settings->NSCodecAllowDynamicColorFidelity;\n\tfAllowSubsampling = settings->NSCodecAllowSubsampling;\n\tcolorLossLevel = settings->NSCodecColorLossLevel;\n\n\tif (colorLossLevel < 1)\n\t\tcolorLossLevel = 1;\n\n\tif (colorLossLevel > 7)\n\t\tcolorLossLevel = 7;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 3); /* codecPropertiesLength */\n\t/* TS_NSCODEC_CAPABILITYSET */\n\tStream_Write_UINT8(s, fAllowDynamicFidelity); /* fAllowDynamicFidelity (1 byte) */\n\tStream_Write_UINT8(s, fAllowSubsampling); /* fAllowSubsampling (1 byte) */\n\tStream_Write_UINT8(s, colorLossLevel); /* colorLossLevel (1 byte) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 42897287390959164091468957982836296378, "size": 25, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409657 }, { "func": "static BOOL rdp_print_input_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 inputFlags;\n\tUINT16 pad2OctetsA;\n\tUINT32 keyboardLayout;\n\tUINT32 keyboardType;\n\tUINT32 keyboardSubType;\n\tUINT32 keyboardFunctionKey;\n\tWLog_INFO(TAG, \"InputCapabilitySet (length %\" PRIu16 \")\", length);\n\n\tif (length < 88)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, inputFlags); /* inputFlags (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsA); /* pad2OctetsA (2 bytes) */\n\tStream_Read_UINT32(s, keyboardLayout); /* keyboardLayout (4 bytes) */\n\tStream_Read_UINT32(s, keyboardType); /* keyboardType (4 bytes) */\n\tStream_Read_UINT32(s, keyboardSubType); /* keyboardSubType (4 bytes) */\n\tStream_Read_UINT32(s, keyboardFunctionKey); /* keyboardFunctionKeys (4 bytes) */\n\tStream_Seek(s, 64); /* imeFileName (64 bytes) */\n\tWLog_INFO(TAG, \"\\tinputFlags: 0x%04\" PRIX16 \"\", inputFlags);\n\tWLog_INFO(TAG, \"\\tpad2OctetsA: 0x%04\" PRIX16 \"\", pad2OctetsA);\n\tWLog_INFO(TAG, \"\\tkeyboardLayout: 0x%08\" PRIX32 \"\", 
keyboardLayout);\n\tWLog_INFO(TAG, \"\\tkeyboardType: 0x%08\" PRIX32 \"\", keyboardType);\n\tWLog_INFO(TAG, \"\\tkeyboardSubType: 0x%08\" PRIX32 \"\", keyboardSubType);\n\tWLog_INFO(TAG, \"\\tkeyboardFunctionKey: 0x%08\" PRIX32 \"\", keyboardFunctionKey);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 92834056900707877098460532450876414616, "size": 28, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409650 }, { "func": "static BOOL rdp_write_pointer_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 colorPointerFlag;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->PointerCacheSize > UINT16_MAX)\n\t\treturn FALSE;\n\n\tcolorPointerFlag = (settings->ColorPointerFlag) ? 1 : 0;\n\tStream_Write_UINT16(s, colorPointerFlag); /* colorPointerFlag (2 bytes) */\n\tStream_Write_UINT16(s,\n\t (UINT16)settings->PointerCacheSize); /* colorPointerCacheSize (2 bytes) */\n\n\tif (settings->LargePointerFlag)\n\t{\n\t\tStream_Write_UINT16(s, (UINT16)settings->PointerCacheSize); /* pointerCacheSize (2 bytes) */\n\t}\n\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_POINTER);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 149417436358850467055827054446942927975, "size": 27, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409610 }, { "func": "static BOOL rdp_write_desktop_composition_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 compDeskSupportLevel;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tcompDeskSupportLevel =\n\t (settings->AllowDesktopComposition) ? 
COMPDESK_SUPPORTED : COMPDESK_NOT_SUPPORTED;\n\tStream_Write_UINT16(s, compDeskSupportLevel); /* compDeskSupportLevel (2 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_COMP_DESK);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 273318921816338668560055755973757610116, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409643 }, { "func": "static BOOL rdp_write_bitmap_cache_host_support_capability_set(wStream* s,\n const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT8(s, BITMAP_CACHE_V2); /* cacheVersion (1 byte) */\n\tStream_Write_UINT8(s, 0); /* pad1 (1 byte) */\n\tStream_Write_UINT16(s, 0); /* pad2 (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BITMAP_CACHE_HOST_SUPPORT);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 135633036669097795306427700527407315652, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409673 }, { "func": "static BOOL rdp_write_bitmap_cache_v3_codec_id_capability_set(wStream* s,\n const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->BitmapCacheV3CodecId > UINT8_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT8(s, (UINT8)settings->BitmapCacheV3CodecId);\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 10452923046637731164141377400720189331, "size": 17, "commit_id": 
"3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409624 }, { "func": "static BOOL rdp_read_bitmap_codecs_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tBYTE codecId;\n\tGUID codecGuid;\n\tRPC_STATUS rpc_status;\n\tBYTE bitmapCodecCount;\n\tUINT16 codecPropertiesLength;\n\tUINT16 remainingLength;\n\tBOOL guidNSCodec = FALSE;\n\tBOOL guidRemoteFx = FALSE;\n\tBOOL guidRemoteFxImage = FALSE;\n\n\tif (length < 5)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, bitmapCodecCount); /* bitmapCodecCount (1 byte) */\n\tremainingLength = length - 5;\n\n\twhile (bitmapCodecCount > 0)\n\t{\n\t\tif (remainingLength < 19)\n\t\t\treturn FALSE;\n\n\t\trdp_read_bitmap_codec_guid(s, &codecGuid); /* codecGuid (16 bytes) */\n\t\tStream_Read_UINT8(s, codecId); /* codecId (1 byte) */\n\t\tStream_Read_UINT16(s, codecPropertiesLength); /* codecPropertiesLength (2 bytes) */\n\t\tremainingLength -= 19;\n\n\t\tif (remainingLength < codecPropertiesLength)\n\t\t\treturn FALSE;\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tUINT32 beg;\n\t\t\tUINT32 end;\n\t\t\tbeg = (UINT32)Stream_GetPosition(s);\n\t\t\tend = beg + codecPropertiesLength;\n\n\t\t\tif (UuidEqual(&codecGuid, &CODEC_GUID_REMOTEFX, &rpc_status))\n\t\t\t{\n\t\t\t\tUINT32 rfxCapsLength;\n\t\t\t\tUINT32 rfxPropsLength;\n\t\t\t\tUINT32 captureFlags;\n\t\t\t\tguidRemoteFx = TRUE;\n\t\t\t\tsettings->RemoteFxCodecId = codecId;\n\t\t\t\tStream_Read_UINT32(s, rfxPropsLength); /* length (4 bytes) */\n\t\t\t\tStream_Read_UINT32(s, captureFlags); /* captureFlags (4 bytes) */\n\t\t\t\tStream_Read_UINT32(s, rfxCapsLength); /* capsLength (4 bytes) */\n\t\t\t\tsettings->RemoteFxCaptureFlags = captureFlags;\n\t\t\t\tsettings->RemoteFxOnly = (captureFlags & CARDP_CAPS_CAPTURE_NON_CAC) ? 
TRUE : FALSE;\n\n\t\t\t\tif (rfxCapsLength)\n\t\t\t\t{\n\t\t\t\t\tUINT16 blockType;\n\t\t\t\t\tUINT32 blockLen;\n\t\t\t\t\tUINT16 numCapsets;\n\t\t\t\t\tBYTE rfxCodecId;\n\t\t\t\t\tUINT16 capsetType;\n\t\t\t\t\tUINT16 numIcaps;\n\t\t\t\t\tUINT16 icapLen;\n\t\t\t\t\t/* TS_RFX_CAPS */\n\t\t\t\t\tStream_Read_UINT16(s, blockType); /* blockType (2 bytes) */\n\t\t\t\t\tStream_Read_UINT32(s, blockLen); /* blockLen (4 bytes) */\n\t\t\t\t\tStream_Read_UINT16(s, numCapsets); /* numCapsets (2 bytes) */\n\n\t\t\t\t\tif (blockType != 0xCBC0)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tif (blockLen != 8)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tif (numCapsets != 1)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t/* TS_RFX_CAPSET */\n\t\t\t\t\tStream_Read_UINT16(s, blockType); /* blockType (2 bytes) */\n\t\t\t\t\tStream_Read_UINT32(s, blockLen); /* blockLen (4 bytes) */\n\t\t\t\t\tStream_Read_UINT8(s, rfxCodecId); /* codecId (1 byte) */\n\t\t\t\t\tStream_Read_UINT16(s, capsetType); /* capsetType (2 bytes) */\n\t\t\t\t\tStream_Read_UINT16(s, numIcaps); /* numIcaps (2 bytes) */\n\t\t\t\t\tStream_Read_UINT16(s, icapLen); /* icapLen (2 bytes) */\n\n\t\t\t\t\tif (blockType != 0xCBC1)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tif (rfxCodecId != 1)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tif (capsetType != 0xCFC0)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\twhile (numIcaps--)\n\t\t\t\t\t{\n\t\t\t\t\t\tUINT16 version;\n\t\t\t\t\t\tUINT16 tileSize;\n\t\t\t\t\t\tBYTE codecFlags;\n\t\t\t\t\t\tBYTE colConvBits;\n\t\t\t\t\t\tBYTE transformBits;\n\t\t\t\t\t\tBYTE entropyBits;\n\t\t\t\t\t\t/* TS_RFX_ICAP */\n\t\t\t\t\t\tStream_Read_UINT16(s, version); /* version (2 bytes) */\n\t\t\t\t\t\tStream_Read_UINT16(s, tileSize); /* tileSize (2 bytes) */\n\t\t\t\t\t\tStream_Read_UINT8(s, codecFlags); /* flags (1 byte) */\n\t\t\t\t\t\tStream_Read_UINT8(s, colConvBits); /* colConvBits (1 byte) */\n\t\t\t\t\t\tStream_Read_UINT8(s, transformBits); /* transformBits (1 byte) */\n\t\t\t\t\t\tStream_Read_UINT8(s, entropyBits); /* 
entropyBits (1 byte) */\n\n\t\t\t\t\t\tif (version == 0x0009)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t/* Version 0.9 */\n\t\t\t\t\t\t\tif (tileSize != 0x0080)\n\t\t\t\t\t\t\t\treturn FALSE;\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse if (version == 0x0100)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t/* Version 1.0 */\n\t\t\t\t\t\t\tif (tileSize != 0x0040)\n\t\t\t\t\t\t\t\treturn FALSE;\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tif (colConvBits != 1)\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tif (transformBits != 1)\n\t\t\t\t\t\t\treturn FALSE;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\telse if (UuidEqual(&codecGuid, &CODEC_GUID_IMAGE_REMOTEFX, &rpc_status))\n\t\t\t{\n\t\t\t\t/* Microsoft RDP servers ignore CODEC_GUID_IMAGE_REMOTEFX codec properties */\n\t\t\t\tguidRemoteFxImage = TRUE;\n\t\t\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\t\t}\n\t\t\telse if (UuidEqual(&codecGuid, &CODEC_GUID_NSCODEC, &rpc_status))\n\t\t\t{\n\t\t\t\tBYTE colorLossLevel;\n\t\t\t\tBYTE fAllowSubsampling;\n\t\t\t\tBYTE fAllowDynamicFidelity;\n\t\t\t\tguidNSCodec = TRUE;\n\t\t\t\tsettings->NSCodecId = codecId;\n\t\t\t\tStream_Read_UINT8(s, fAllowDynamicFidelity); /* fAllowDynamicFidelity (1 byte) */\n\t\t\t\tStream_Read_UINT8(s, fAllowSubsampling); /* fAllowSubsampling (1 byte) */\n\t\t\t\tStream_Read_UINT8(s, colorLossLevel); /* colorLossLevel (1 byte) */\n\n\t\t\t\tif (colorLossLevel < 1)\n\t\t\t\t\tcolorLossLevel = 1;\n\n\t\t\t\tif (colorLossLevel > 7)\n\t\t\t\t\tcolorLossLevel = 7;\n\n\t\t\t\tsettings->NSCodecAllowDynamicColorFidelity = fAllowDynamicFidelity;\n\t\t\t\tsettings->NSCodecAllowSubsampling = fAllowSubsampling;\n\t\t\t\tsettings->NSCodecColorLossLevel = colorLossLevel;\n\t\t\t}\n\t\t\telse if (UuidEqual(&codecGuid, &CODEC_GUID_IGNORE, &rpc_status))\n\t\t\t{\n\t\t\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\t\t}\n\n\t\t\tif 
(Stream_GetPosition(s) != end)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG,\n\t\t\t\t \"error while reading codec properties: actual offset: %\" PRIuz\n\t\t\t\t \" expected offset: %\" PRIu32 \"\",\n\t\t\t\t Stream_GetPosition(s), end);\n\t\t\t\tStream_SetPosition(s, end);\n\t\t\t}\n\n\t\t\tremainingLength -= codecPropertiesLength;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\t\tremainingLength -= codecPropertiesLength;\n\t\t}\n\n\t\tbitmapCodecCount--;\n\t}\n\n\tif (settings->ServerMode)\n\t{\n\t\t/* only enable a codec if we've announced/enabled it before */\n\t\tsettings->RemoteFxCodec = settings->RemoteFxCodec && guidRemoteFx;\n\t\tsettings->RemoteFxImageCodec = settings->RemoteFxImageCodec && guidRemoteFxImage;\n\t\tsettings->NSCodec = settings->NSCodec && guidNSCodec;\n\t\tsettings->JpegCodec = FALSE;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 211558337571308508511556254604496342865, "size": 197, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409580 }, { "func": "static BOOL rdp_write_input_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 inputFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 128))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tinputFlags = INPUT_FLAG_SCANCODES;\n\n\tif (settings->FastPathInput)\n\t{\n\t\tinputFlags |= INPUT_FLAG_FASTPATH_INPUT;\n\t\tinputFlags |= INPUT_FLAG_FASTPATH_INPUT2;\n\t}\n\n\tif (settings->HasHorizontalWheel)\n\t\tinputFlags |= TS_INPUT_FLAG_MOUSE_HWHEEL;\n\n\tif (settings->UnicodeInput)\n\t\tinputFlags |= INPUT_FLAG_UNICODE;\n\n\tif (settings->HasExtendedMouseEvent)\n\t\tinputFlags |= INPUT_FLAG_MOUSEX;\n\n\tStream_Write_UINT16(s, inputFlags); /* inputFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsA (2 bytes) 
*/\n\tStream_Write_UINT32(s, settings->KeyboardLayout); /* keyboardLayout (4 bytes) */\n\tStream_Write_UINT32(s, settings->KeyboardType); /* keyboardType (4 bytes) */\n\tStream_Write_UINT32(s, settings->KeyboardSubType); /* keyboardSubType (4 bytes) */\n\tStream_Write_UINT32(s, settings->KeyboardFunctionKey); /* keyboardFunctionKeys (4 bytes) */\n\tStream_Zero(s, 64); /* imeFileName (64 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_INPUT);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 338872550335327331413384147382884031144, "size": 38, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409679 }, { "func": "BOOL rdp_recv_get_active_header(rdpRdp* rdp, wStream* s, UINT16* pChannelId, UINT16* length)\n{\n\tUINT16 securityFlags = 0;\n\n\tif (!rdp_read_header(rdp, s, length, pChannelId))\n\t\treturn FALSE;\n\n\tif (freerdp_shall_disconnect(rdp->instance))\n\t\treturn TRUE;\n\n\tif (rdp->settings->UseRdpSecurityLayer)\n\t{\n\t\tif (!rdp_read_security_header(s, &securityFlags, length))\n\t\t\treturn FALSE;\n\n\t\tif (securityFlags & SEC_ENCRYPT)\n\t\t{\n\t\t\tif (!rdp_decrypt(rdp, s, length, securityFlags))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"rdp_decrypt failed\");\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (*pChannelId != MCS_GLOBAL_CHANNEL_ID)\n\t{\n\t\tUINT16 mcsMessageChannelId = rdp->mcs->messageChannelId;\n\n\t\tif ((mcsMessageChannelId == 0) || (*pChannelId != mcsMessageChannelId))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"unexpected MCS channel id %04\" PRIx16 \" received\", *pChannelId);\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 69761426746625133711469800190507649484, "size": 38, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409606 }, { "func": "static BOOL 
rdp_print_bitmap_cache_v3_codec_id_capability_set(wStream* s, UINT16 length)\n{\n\tBYTE bitmapCacheV3CodecId;\n\tWLog_INFO(TAG, \"BitmapCacheV3CodecIdCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 5)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, bitmapCacheV3CodecId); /* bitmapCacheV3CodecId (1 byte) */\n\tWLog_INFO(TAG, \"\\tbitmapCacheV3CodecId: 0x%02\" PRIX8 \"\", bitmapCacheV3CodecId);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 200222901722079828895109214050225335139, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409618 }, { "func": "static BOOL rdp_read_surface_commands_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 cmdFlags;\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, cmdFlags); /* cmdFlags (4 bytes) */\n\tStream_Seek_UINT32(s); /* reserved (4 bytes) */\n\tsettings->SurfaceCommandsEnabled = TRUE;\n\tsettings->SurfaceFrameMarkerEnabled = (cmdFlags & SURFCMDS_FRAME_MARKER) ? 
TRUE : FALSE;\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 63310942064729278467171666552306282666, "size": 14, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409656 }, { "func": "static BOOL rdp_write_window_list_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tStream_Write_UINT32(s, settings->RemoteWndSupportLevel); /* wndSupportLevel (4 bytes) */\n\tStream_Write_UINT8(s, settings->RemoteAppNumIconCaches); /* numIconCaches (1 byte) */\n\tStream_Write_UINT16(s,\n\t settings->RemoteAppNumIconCacheEntries); /* numIconCacheEntries (2 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_WINDOW);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 269751178337665990773470592456743275364, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409675 }, { "func": "static BOOL rdp_read_bitmap_cache_v2_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* cacheFlags (2 bytes) */\n\tStream_Seek_UINT8(s); /* pad2 (1 byte) */\n\tStream_Seek_UINT8(s); /* numCellCaches (1 byte) */\n\tStream_Seek(s, 4); /* bitmapCache0CellInfo (4 bytes) */\n\tStream_Seek(s, 4); /* bitmapCache1CellInfo (4 bytes) */\n\tStream_Seek(s, 4); /* bitmapCache2CellInfo (4 bytes) */\n\tStream_Seek(s, 4); /* bitmapCache3CellInfo (4 bytes) */\n\tStream_Seek(s, 4); /* bitmapCache4CellInfo (4 bytes) */\n\tStream_Seek(s, 12); /* pad3 (12 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 263490146809338800269291031396967779750, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", 
"message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409636 }, { "func": "static BOOL rdp_write_sound_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 soundFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tsoundFlags = (settings->SoundBeepsEnabled) ? SOUND_BEEPS_FLAG : 0;\n\tStream_Write_UINT16(s, soundFlags); /* soundFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsA (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_SOUND);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 158780408568565551652650021789085155322, "size": 17, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409677 }, { "func": "static BOOL rdp_write_bitmap_cache_v2_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 cacheFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tcacheFlags = ALLOW_CACHE_WAITING_LIST_FLAG;\n\n\tif (settings->BitmapCachePersistEnabled)\n\t\tcacheFlags |= PERSISTENT_KEYS_EXPECTED_FLAG;\n\n\tStream_Write_UINT16(s, cacheFlags); /* cacheFlags (2 bytes) */\n\tStream_Write_UINT8(s, 0); /* pad2 (1 byte) */\n\tStream_Write_UINT8(s, settings->BitmapCacheV2NumCells); /* numCellCaches (1 byte) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, &settings->BitmapCacheV2CellInfo[0]); /* bitmapCache0CellInfo (4 bytes) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, &settings->BitmapCacheV2CellInfo[1]); /* bitmapCache1CellInfo (4 bytes) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, &settings->BitmapCacheV2CellInfo[2]); /* bitmapCache2CellInfo (4 bytes) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, 
&settings->BitmapCacheV2CellInfo[3]); /* bitmapCache3CellInfo (4 bytes) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, &settings->BitmapCacheV2CellInfo[4]); /* bitmapCache4CellInfo (4 bytes) */\n\tStream_Zero(s, 12); /* pad3 (12 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_BITMAP_CACHE_V2);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 7403566936328765357261527626239563020, "size": 31, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409671 }, { "func": "static BOOL rdp_write_control_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 0); /* controlFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* remoteDetachFlag (2 bytes) */\n\tStream_Write_UINT16(s, 2); /* controlInterest (2 bytes) */\n\tStream_Write_UINT16(s, 2); /* detachInterest (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_CONTROL);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 135483827949982748357864462755091453961, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409645 }, { "func": "static BOOL rdp_read_frame_acknowledge_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tif (settings->ServerMode)\n\t{\n\t\tStream_Read_UINT32(s, settings->FrameAcknowledge); /* (4 bytes) */\n\t}\n\telse\n\t{\n\t\tStream_Seek_UINT32(s); /* (4 bytes) */\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 284070112210894721326557355488230804603, "size": 17, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": 
"Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409627 }, { "func": "static BOOL rdp_write_brush_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT32(s, settings->BrushSupportLevel); /* brushSupportLevel (4 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BRUSH);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 93963722394653772517521252922174557981, "size": 14, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409599 }, { "func": "static BOOL rdp_read_multifragment_update_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 multifragMaxRequestSize;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, multifragMaxRequestSize); /* MaxRequestSize (4 bytes) */\n\n\tif (settings->ServerMode)\n\t{\n\t\t/*\n\t\t * Special case: The client announces multifragment update support but sets the maximum\n\t\t * request size to something smaller than maximum size for *one* fast-path PDU. 
In this case\n\t\t * behave like no multifragment updates were supported and make sure no fragmentation\n\t\t * happens by setting FASTPATH_FRAGMENT_SAFE_SIZE.\n\t\t *\n\t\t * This behaviour was observed with some windows ce rdp clients.\n\t\t */\n\t\tif (multifragMaxRequestSize < FASTPATH_MAX_PACKET_SIZE)\n\t\t\tmultifragMaxRequestSize = FASTPATH_FRAGMENT_SAFE_SIZE;\n\n\t\tif (settings->RemoteFxCodec)\n\t\t{\n\t\t\t/**\n\t\t\t * If we are using RemoteFX the client MUST use a value greater\n\t\t\t * than or equal to the value we've previously sent in the server to\n\t\t\t * client multi-fragment update capability set (MS-RDPRFX 1.5)\n\t\t\t */\n\t\t\tif (multifragMaxRequestSize < settings->MultifragMaxRequestSize)\n\t\t\t{\n\t\t\t\t/**\n\t\t\t\t * If it happens to be smaller we honor the client's value but\n\t\t\t\t * have to disable RemoteFX\n\t\t\t\t */\n\t\t\t\tsettings->RemoteFxCodec = FALSE;\n\t\t\t\tsettings->MultifragMaxRequestSize = multifragMaxRequestSize;\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t/* no need to increase server's max request size setting here */\n\t\t\t}\n\t\t}\n\t\telse\n\t\t{\n\t\t\tsettings->MultifragMaxRequestSize = multifragMaxRequestSize;\n\t\t}\n\t}\n\telse\n\t{\n\t\t/**\n\t\t * In client mode we keep up with the server's capabilites.\n\t\t * In RemoteFX mode we MUST do this but it might also be useful to\n\t\t * receive larger related bitmap updates.\n\t\t */\n\t\tif (multifragMaxRequestSize > settings->MultifragMaxRequestSize)\n\t\t\tsettings->MultifragMaxRequestSize = multifragMaxRequestSize;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 37401917209807069896060133616819073503, "size": 62, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409584 }, { "func": "static const char* get_capability_name(UINT16 type)\n{\n\tif (type > CAPSET_TYPE_FRAME_ACKNOWLEDGE)\n\t\treturn \"\";\n\n\treturn 
CAPSET_TYPE_STRINGS[type];\n}", "project": "FreeRDP", "hash": 16777793439146057316455334333971045236, "size": 7, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409629 }, { "func": "static BOOL rdp_write_draw_nine_grid_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 drawNineGridSupportLevel;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tdrawNineGridSupportLevel =\n\t (settings->DrawNineGridEnabled) ? DRAW_NINEGRID_SUPPORTED_V2 : DRAW_NINEGRID_NO_SUPPORT;\n\tStream_Write_UINT32(s, drawNineGridSupportLevel); /* drawNineGridSupportLevel (4 bytes) */\n\tStream_Write_UINT16(s, settings->DrawNineGridCacheSize); /* drawNineGridCacheSize (2 bytes) */\n\tStream_Write_UINT16(\n\t s, settings->DrawNineGridCacheEntries); /* drawNineGridCacheEntries (2 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_DRAW_NINE_GRID_CACHE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 35511811275078158737832815679711271274, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409674 }, { "func": "static BOOL rdp_write_demand_active(wStream* s, rdpSettings* settings)\n{\n\tsize_t bm, em, lm;\n\tUINT16 numberCapabilities;\n\tsize_t lengthCombinedCapabilities;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\tStream_Write_UINT32(s, settings->ShareId); /* shareId (4 bytes) */\n\tStream_Write_UINT16(s, 4); /* lengthSourceDescriptor (2 bytes) */\n\tlm = Stream_GetPosition(s);\n\tStream_Seek_UINT16(s); /* lengthCombinedCapabilities (2 bytes) */\n\tStream_Write(s, \"RDP\", 4); /* sourceDescriptor */\n\tbm = Stream_GetPosition(s);\n\tStream_Seek_UINT16(s); /* numberCapabilities (2 bytes) 
*/\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\tnumberCapabilities = 14;\n\n\tif (!rdp_write_general_capability_set(s, settings) ||\n\t !rdp_write_bitmap_capability_set(s, settings) ||\n\t !rdp_write_order_capability_set(s, settings) ||\n\t !rdp_write_pointer_capability_set(s, settings) ||\n\t !rdp_write_input_capability_set(s, settings) ||\n\t !rdp_write_virtual_channel_capability_set(s, settings) ||\n\t !rdp_write_share_capability_set(s, settings) ||\n\t !rdp_write_font_capability_set(s, settings) ||\n\t !rdp_write_multifragment_update_capability_set(s, settings) ||\n\t !rdp_write_large_pointer_capability_set(s, settings) ||\n\t !rdp_write_desktop_composition_capability_set(s, settings) ||\n\t !rdp_write_surface_commands_capability_set(s, settings) ||\n\t !rdp_write_bitmap_codecs_capability_set(s, settings) ||\n\t !rdp_write_frame_acknowledge_capability_set(s, settings))\n\t{\n\t\treturn FALSE;\n\t}\n\n\tif (settings->BitmapCachePersistEnabled)\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_bitmap_cache_host_support_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->RemoteApplicationMode)\n\t{\n\t\tnumberCapabilities += 2;\n\n\t\tif (!rdp_write_remote_programs_capability_set(s, settings) ||\n\t\t !rdp_write_window_list_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tem = Stream_GetPosition(s);\n\tStream_SetPosition(s, lm); /* go back to lengthCombinedCapabilities */\n\tlengthCombinedCapabilities = (em - bm);\n\tif (lengthCombinedCapabilities > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(\n\t s, (UINT16)lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */\n\tStream_SetPosition(s, bm); /* go back to numberCapabilities */\n\tStream_Write_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) */\n#ifdef WITH_DEBUG_CAPABILITIES\n\tStream_Seek_UINT16(s);\n\trdp_print_capability_sets(s, numberCapabilities, FALSE);\n\tStream_SetPosition(s, 
bm);\n\tStream_Seek_UINT16(s);\n#endif\n\tStream_SetPosition(s, em);\n\tStream_Write_UINT32(s, 0); /* sessionId */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 200964485296716695117994736252941627244, "size": 73, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409689 }, { "func": "static BOOL rdp_read_bitmap_cache_host_support_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tBYTE cacheVersion;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, cacheVersion); /* cacheVersion (1 byte) */\n\tStream_Seek_UINT8(s); /* pad1 (1 byte) */\n\tStream_Seek_UINT16(s); /* pad2 (2 bytes) */\n\n\tif (cacheVersion & BITMAP_CACHE_V2)\n\t\tsettings->BitmapCachePersistEnabled = TRUE;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 194862320568674981995591289915994818222, "size": 17, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409654 }, { "func": "static BOOL rdp_read_input_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 inputFlags;\n\n\tif (length < 88)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, inputFlags); /* inputFlags (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsA (2 bytes) */\n\n\tif (settings->ServerMode)\n\t{\n\t\tStream_Read_UINT32(s, settings->KeyboardLayout); /* keyboardLayout (4 bytes) */\n\t\tStream_Read_UINT32(s, settings->KeyboardType); /* keyboardType (4 bytes) */\n\t\tStream_Read_UINT32(s, settings->KeyboardSubType); /* keyboardSubType (4 bytes) */\n\t\tStream_Read_UINT32(s, settings->KeyboardFunctionKey); /* keyboardFunctionKeys (4 bytes) */\n\t}\n\telse\n\t{\n\t\tStream_Seek_UINT32(s); /* keyboardLayout (4 bytes) */\n\t\tStream_Seek_UINT32(s); /* keyboardType (4 bytes) */\n\t\tStream_Seek_UINT32(s); /* keyboardSubType (4 bytes) 
*/\n\t\tStream_Seek_UINT32(s); /* keyboardFunctionKeys (4 bytes) */\n\t}\n\n\tStream_Seek(s, 64); /* imeFileName (64 bytes) */\n\n\tif (!settings->ServerMode)\n\t{\n\t\tif (inputFlags & INPUT_FLAG_FASTPATH_INPUT)\n\t\t{\n\t\t\t/* advertised by RDP 5.0 and 5.1 servers */\n\t\t}\n\t\telse if (inputFlags & INPUT_FLAG_FASTPATH_INPUT2)\n\t\t{\n\t\t\t/* advertised by RDP 5.2, 6.0, 6.1 and 7.0 servers */\n\t\t}\n\t\telse\n\t\t{\n\t\t\t/* server does not support fastpath input */\n\t\t\tsettings->FastPathInput = FALSE;\n\t\t}\n\n\t\tif (inputFlags & TS_INPUT_FLAG_MOUSE_HWHEEL)\n\t\t\tsettings->HasHorizontalWheel = TRUE;\n\n\t\tif (inputFlags & INPUT_FLAG_UNICODE)\n\t\t\tsettings->UnicodeInput = TRUE;\n\n\t\tif (inputFlags & INPUT_FLAG_MOUSEX)\n\t\t\tsettings->HasExtendedMouseEvent = TRUE;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 126033178202274719085086663919529272091, "size": 55, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409609 }, { "func": "static BOOL rdp_print_bitmap_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 preferredBitsPerPixel;\n\tUINT16 receive1BitPerPixel;\n\tUINT16 receive4BitsPerPixel;\n\tUINT16 receive8BitsPerPixel;\n\tUINT16 desktopWidth;\n\tUINT16 desktopHeight;\n\tUINT16 pad2Octets;\n\tUINT16 desktopResizeFlag;\n\tUINT16 bitmapCompressionFlag;\n\tBYTE highColorFlags;\n\tBYTE drawingFlags;\n\tUINT16 multipleRectangleSupport;\n\tUINT16 pad2OctetsB;\n\tWLog_INFO(TAG, \"BitmapCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 28)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, preferredBitsPerPixel); /* preferredBitsPerPixel (2 bytes) */\n\tStream_Read_UINT16(s, receive1BitPerPixel); /* receive1BitPerPixel (2 bytes) */\n\tStream_Read_UINT16(s, receive4BitsPerPixel); /* receive4BitsPerPixel (2 bytes) */\n\tStream_Read_UINT16(s, receive8BitsPerPixel); /* receive8BitsPerPixel (2 bytes) 
*/\n\tStream_Read_UINT16(s, desktopWidth); /* desktopWidth (2 bytes) */\n\tStream_Read_UINT16(s, desktopHeight); /* desktopHeight (2 bytes) */\n\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\tStream_Read_UINT16(s, desktopResizeFlag); /* desktopResizeFlag (2 bytes) */\n\tStream_Read_UINT16(s, bitmapCompressionFlag); /* bitmapCompressionFlag (2 bytes) */\n\tStream_Read_UINT8(s, highColorFlags); /* highColorFlags (1 byte) */\n\tStream_Read_UINT8(s, drawingFlags); /* drawingFlags (1 byte) */\n\tStream_Read_UINT16(s, multipleRectangleSupport); /* multipleRectangleSupport (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsB); /* pad2OctetsB (2 bytes) */\n\tWLog_INFO(TAG, \"\\tpreferredBitsPerPixel: 0x%04\" PRIX16 \"\", preferredBitsPerPixel);\n\tWLog_INFO(TAG, \"\\treceive1BitPerPixel: 0x%04\" PRIX16 \"\", receive1BitPerPixel);\n\tWLog_INFO(TAG, \"\\treceive4BitsPerPixel: 0x%04\" PRIX16 \"\", receive4BitsPerPixel);\n\tWLog_INFO(TAG, \"\\treceive8BitsPerPixel: 0x%04\" PRIX16 \"\", receive8BitsPerPixel);\n\tWLog_INFO(TAG, \"\\tdesktopWidth: 0x%04\" PRIX16 \"\", desktopWidth);\n\tWLog_INFO(TAG, \"\\tdesktopHeight: 0x%04\" PRIX16 \"\", desktopHeight);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\tWLog_INFO(TAG, \"\\tdesktopResizeFlag: 0x%04\" PRIX16 \"\", desktopResizeFlag);\n\tWLog_INFO(TAG, \"\\tbitmapCompressionFlag: 0x%04\" PRIX16 \"\", bitmapCompressionFlag);\n\tWLog_INFO(TAG, \"\\thighColorFlags: 0x%02\" PRIX8 \"\", highColorFlags);\n\tWLog_INFO(TAG, \"\\tdrawingFlags: 0x%02\" PRIX8 \"\", drawingFlags);\n\tWLog_INFO(TAG, \"\\tmultipleRectangleSupport: 0x%04\" PRIX16 \"\", multipleRectangleSupport);\n\tWLog_INFO(TAG, \"\\tpad2OctetsB: 0x%04\" PRIX16 \"\", pad2OctetsB);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 126081365899131686923850704232043707399, "size": 48, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": 
"other", "idx": 409585 }, { "func": "static BOOL rdp_print_capability_sets(wStream* s, UINT16 numberCapabilities, BOOL receiving)\n{\n\tUINT16 type;\n\tUINT16 length;\n\tBYTE *bm, *em;\n\n\twhile (numberCapabilities > 0)\n\t{\n\t\tStream_GetPointer(s, bm);\n\t\trdp_read_capability_set_header(s, &length, &type);\n\t\tWLog_INFO(TAG, \"%s \", receiving ? \"Receiving\" : \"Sending\");\n\t\tem = bm + length;\n\n\t\tif (Stream_GetRemainingLength(s) < (size_t)(length - 4))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"error processing stream\");\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tswitch (type)\n\t\t{\n\t\t\tcase CAPSET_TYPE_GENERAL:\n\t\t\t\tif (!rdp_print_general_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP:\n\t\t\t\tif (!rdp_print_bitmap_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_ORDER:\n\t\t\t\tif (!rdp_print_order_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE:\n\t\t\t\tif (!rdp_print_bitmap_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_CONTROL:\n\t\t\t\tif (!rdp_print_control_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_ACTIVATION:\n\t\t\t\tif (!rdp_print_window_activation_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_POINTER:\n\t\t\t\tif (!rdp_print_pointer_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SHARE:\n\t\t\t\tif (!rdp_print_share_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_COLOR_CACHE:\n\t\t\t\tif (!rdp_print_color_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SOUND:\n\t\t\t\tif (!rdp_print_sound_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase 
CAPSET_TYPE_INPUT:\n\t\t\t\tif (!rdp_print_input_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_FONT:\n\t\t\t\tif (!rdp_print_font_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BRUSH:\n\t\t\t\tif (!rdp_print_brush_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_GLYPH_CACHE:\n\t\t\t\tif (!rdp_print_glyph_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_OFFSCREEN_CACHE:\n\t\t\t\tif (!rdp_print_offscreen_bitmap_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_HOST_SUPPORT:\n\t\t\t\tif (!rdp_print_bitmap_cache_host_support_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_V2:\n\t\t\t\tif (!rdp_print_bitmap_cache_v2_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_VIRTUAL_CHANNEL:\n\t\t\t\tif (!rdp_print_virtual_channel_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_DRAW_NINE_GRID_CACHE:\n\t\t\t\tif (!rdp_print_draw_nine_grid_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_DRAW_GDI_PLUS:\n\t\t\t\tif (!rdp_print_draw_gdiplus_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_RAIL:\n\t\t\t\tif (!rdp_print_remote_programs_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_WINDOW:\n\t\t\t\tif (!rdp_print_window_list_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_COMP_DESK:\n\t\t\t\tif (!rdp_print_desktop_composition_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_MULTI_FRAGMENT_UPDATE:\n\t\t\t\tif 
(!rdp_print_multifragment_update_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_LARGE_POINTER:\n\t\t\t\tif (!rdp_print_large_pointer_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SURFACE_COMMANDS:\n\t\t\t\tif (!rdp_print_surface_commands_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CODECS:\n\t\t\t\tif (!rdp_print_bitmap_codecs_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_FRAME_ACKNOWLEDGE:\n\t\t\t\tif (!rdp_print_frame_acknowledge_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID:\n\t\t\t\tif (!rdp_print_bitmap_cache_v3_codec_id_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tdefault:\n\t\t\t\tWLog_ERR(TAG, \"unknown capability type %\" PRIu16 \"\", type);\n\t\t\t\tbreak;\n\t\t}\n\n\t\tif (Stream_Pointer(s) != em)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"incorrect offset, type:0x%04\" PRIX16 \" actual:%\" PRIuz \" expected:%\" PRIuz \"\",\n\t\t\t type, Stream_Pointer(s) - bm, em - bm);\n\t\t}\n\n\t\tStream_SetPointer(s, em);\n\t\tnumberCapabilities--;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 105372768838707288001971402184306047802, "size": 213, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409611 }, { "func": "static BOOL rdp_print_share_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 nodeId;\n\tUINT16 pad2Octets;\n\tWLog_INFO(TAG, \"ShareCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, nodeId); /* nodeId (2 bytes) */\n\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\tWLog_INFO(TAG, \"\\tnodeId: 0x%04\" PRIX16 \"\", 
nodeId);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 82707890459590975223038772323618896983, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409635 }, { "func": "static BOOL rdp_write_order_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 orderFlags;\n\tUINT16 orderSupportExFlags;\n\tUINT16 textANSICodePage = 0;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\t/* see [MSDN-CP]: http://msdn.microsoft.com/en-us/library/dd317756 */\n\tif (!settings->ServerMode)\n\t\ttextANSICodePage = CP_UTF8; /* Unicode (UTF-8) */\n\n\torderSupportExFlags = 0;\n\torderFlags = NEGOTIATE_ORDER_SUPPORT | ZERO_BOUNDS_DELTA_SUPPORT | COLOR_INDEX_SUPPORT;\n\n\tif (settings->BitmapCacheV3Enabled)\n\t{\n\t\torderSupportExFlags |= CACHE_BITMAP_V3_SUPPORT;\n\t\torderFlags |= ORDER_FLAGS_EXTRA_SUPPORT;\n\t}\n\n\tif (settings->FrameMarkerCommandEnabled)\n\t{\n\t\torderSupportExFlags |= ALTSEC_FRAME_MARKER_SUPPORT;\n\t\torderFlags |= ORDER_FLAGS_EXTRA_SUPPORT;\n\t}\n\n\tStream_Zero(s, 16); /* terminalDescriptor (16 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad4OctetsA (4 bytes) */\n\tStream_Write_UINT16(s, 1); /* desktopSaveXGranularity (2 bytes) */\n\tStream_Write_UINT16(s, 20); /* desktopSaveYGranularity (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsA (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* maximumOrderLevel (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* numberFonts (2 bytes) */\n\tStream_Write_UINT16(s, orderFlags); /* orderFlags (2 bytes) */\n\tStream_Write(s, settings->OrderSupport, 32); /* orderSupport (32 bytes) */\n\tStream_Write_UINT16(s, 0); /* textFlags (2 bytes) */\n\tStream_Write_UINT16(s, orderSupportExFlags); /* 
orderSupportExFlags (2 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad4OctetsB (4 bytes) */\n\tStream_Write_UINT32(s, 230400); /* desktopSaveSize (4 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsC (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsD (2 bytes) */\n\tStream_Write_UINT16(s, textANSICodePage); /* textANSICodePage (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsE (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_ORDER);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 62966291564570637375163967456258879772, "size": 52, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409577 }, { "func": "static BOOL rdp_write_general_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 extraFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\textraFlags = 0;\n\n\tif (settings->LongCredentialsSupported)\n\t\textraFlags |= LONG_CREDENTIALS_SUPPORTED;\n\n\tif (settings->NoBitmapCompressionHeader)\n\t\textraFlags |= NO_BITMAP_COMPRESSION_HDR;\n\n\tif (settings->AutoReconnectionEnabled)\n\t\textraFlags |= AUTORECONNECT_SUPPORTED;\n\n\tif (settings->FastPathOutput)\n\t\textraFlags |= FASTPATH_OUTPUT_SUPPORTED;\n\n\tif (settings->SaltedChecksum)\n\t\textraFlags |= ENC_SALTED_CHECKSUM;\n\n\tif ((settings->OsMajorType > UINT16_MAX) || (settings->OsMinorType > UINT16_MAX))\n\t{\n\t\tWLog_ERR(TAG,\n\t\t \"OsMajorType=%08\" PRIx32 \", OsMinorType=%08\" PRIx32\n\t\t \" they need to be smaller %04\" PRIx16,\n\t\t settings->OsMajorType, settings->OsMinorType, UINT16_MAX);\n\t\treturn FALSE;\n\t}\n\tStream_Write_UINT16(s, (UINT16)settings->OsMajorType); /* osMajorType (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->OsMinorType); /* osMinorType (2 bytes) 
*/\n\tStream_Write_UINT16(s, CAPS_PROTOCOL_VERSION); /* protocolVersion (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsA (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* generalCompressionTypes (2 bytes) */\n\tStream_Write_UINT16(s, extraFlags); /* extraFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* updateCapabilityFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* remoteUnshareFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* generalCompressionLevel (2 bytes) */\n\tStream_Write_UINT8(s, settings->RefreshRect ? 1 : 0); /* refreshRectSupport (1 byte) */\n\tStream_Write_UINT8(s, settings->SuppressOutput ? 1 : 0); /* suppressOutputSupport (1 byte) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_GENERAL);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 73312758503643501467084662633560847526, "size": 50, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409637 }, { "func": "static BOOL rdp_print_bitmap_cache_host_support_capability_set(wStream* s, UINT16 length)\n{\n\tBYTE cacheVersion;\n\tBYTE pad1;\n\tUINT16 pad2;\n\tWLog_INFO(TAG, \"BitmapCacheHostSupportCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, cacheVersion); /* cacheVersion (1 byte) */\n\tStream_Read_UINT8(s, pad1); /* pad1 (1 byte) */\n\tStream_Read_UINT16(s, pad2); /* pad2 (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcacheVersion: 0x%02\" PRIX8 \"\", cacheVersion);\n\tWLog_INFO(TAG, \"\\tpad1: 0x%02\" PRIX8 \"\", pad1);\n\tWLog_INFO(TAG, \"\\tpad2: 0x%04\" PRIX16 \"\", pad2);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 160808522847092520296495320523643539377, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409575 }, { "func": "static BOOL 
rdp_write_jpeg_server_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 1); /* codecPropertiesLength */\n\tStream_Write_UINT8(s, 75);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 333617504875696343154040639255234735592, "size": 10, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409600 }, { "func": "static BOOL rdp_read_sound_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 soundFlags;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, soundFlags); /* soundFlags (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsA (2 bytes) */\n\tsettings->SoundBeepsEnabled = (soundFlags & SOUND_BEEPS_FLAG) ? TRUE : FALSE;\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 168130594877741834723027781386436848480, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409613 }, { "func": "static BOOL rdp_write_window_activation_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 0); /* helpKeyFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* helpKeyIndexFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* helpExtendedKeyFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* windowManagerKeyFlag (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_ACTIVATION);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 39519253932521963435868974399763685508, "size": 18, "commit_id": 
"3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409639 }, { "func": "static BOOL rdp_print_general_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 osMajorType;\n\tUINT16 osMinorType;\n\tUINT16 protocolVersion;\n\tUINT16 pad2OctetsA;\n\tUINT16 generalCompressionTypes;\n\tUINT16 extraFlags;\n\tUINT16 updateCapabilityFlag;\n\tUINT16 remoteUnshareFlag;\n\tUINT16 generalCompressionLevel;\n\tBYTE refreshRectSupport;\n\tBYTE suppressOutputSupport;\n\n\tif (length < 24)\n\t\treturn FALSE;\n\n\tWLog_INFO(TAG, \"GeneralCapabilitySet (length %\" PRIu16 \"):\", length);\n\tStream_Read_UINT16(s, osMajorType); /* osMajorType (2 bytes) */\n\tStream_Read_UINT16(s, osMinorType); /* osMinorType (2 bytes) */\n\tStream_Read_UINT16(s, protocolVersion); /* protocolVersion (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsA); /* pad2OctetsA (2 bytes) */\n\tStream_Read_UINT16(s, generalCompressionTypes); /* generalCompressionTypes (2 bytes) */\n\tStream_Read_UINT16(s, extraFlags); /* extraFlags (2 bytes) */\n\tStream_Read_UINT16(s, updateCapabilityFlag); /* updateCapabilityFlag (2 bytes) */\n\tStream_Read_UINT16(s, remoteUnshareFlag); /* remoteUnshareFlag (2 bytes) */\n\tStream_Read_UINT16(s, generalCompressionLevel); /* generalCompressionLevel (2 bytes) */\n\tStream_Read_UINT8(s, refreshRectSupport); /* refreshRectSupport (1 byte) */\n\tStream_Read_UINT8(s, suppressOutputSupport); /* suppressOutputSupport (1 byte) */\n\tWLog_INFO(TAG, \"\\tosMajorType: 0x%04\" PRIX16 \"\", osMajorType);\n\tWLog_INFO(TAG, \"\\tosMinorType: 0x%04\" PRIX16 \"\", osMinorType);\n\tWLog_INFO(TAG, \"\\tprotocolVersion: 0x%04\" PRIX16 \"\", protocolVersion);\n\tWLog_INFO(TAG, \"\\tpad2OctetsA: 0x%04\" PRIX16 \"\", pad2OctetsA);\n\tWLog_INFO(TAG, \"\\tgeneralCompressionTypes: 0x%04\" PRIX16 \"\", generalCompressionTypes);\n\tWLog_INFO(TAG, \"\\textraFlags: 0x%04\" PRIX16 \"\", 
extraFlags);\n\tWLog_INFO(TAG, \"\\tupdateCapabilityFlag: 0x%04\" PRIX16 \"\", updateCapabilityFlag);\n\tWLog_INFO(TAG, \"\\tremoteUnshareFlag: 0x%04\" PRIX16 \"\", remoteUnshareFlag);\n\tWLog_INFO(TAG, \"\\tgeneralCompressionLevel: 0x%04\" PRIX16 \"\", generalCompressionLevel);\n\tWLog_INFO(TAG, \"\\trefreshRectSupport: 0x%02\" PRIX8 \"\", refreshRectSupport);\n\tWLog_INFO(TAG, \"\\tsuppressOutputSupport: 0x%02\" PRIX8 \"\", suppressOutputSupport);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 5500072580712139778494173931145880946, "size": 42, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409631 }, { "func": "static BOOL rdp_read_remote_programs_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 railSupportLevel;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, railSupportLevel); /* railSupportLevel (4 bytes) */\n\n\tif ((railSupportLevel & RAIL_LEVEL_SUPPORTED) == 0)\n\t{\n\t\tif (settings->RemoteApplicationMode == TRUE)\n\t\t{\n\t\t\t/* RemoteApp Failure! */\n\t\t\tsettings->RemoteApplicationMode = FALSE;\n\t\t}\n\t}\n\n\t/* 2.2.2.2.3 HandshakeEx PDU (TS_RAIL_ORDER_HANDSHAKE_EX)\n\t * the handshake ex pdu is supported when both, client and server announce\n\t * it OR if we are ready to begin enhanced remoteAPP mode. 
*/\n\tif (settings->RemoteApplicationMode)\n\t\trailSupportLevel |= RAIL_LEVEL_HANDSHAKE_EX_SUPPORTED;\n\n\tsettings->RemoteApplicationSupportLevel =\n\t railSupportLevel & settings->RemoteApplicationSupportMask;\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 133850945589594759190444119473191077444, "size": 29, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409595 }, { "func": "static BOOL rdp_print_multifragment_update_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 maxRequestSize;\n\tWLog_INFO(TAG, \"MultifragmentUpdateCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, maxRequestSize); /* maxRequestSize (4 bytes) */\n\tWLog_INFO(TAG, \"\\tmaxRequestSize: 0x%08\" PRIX32 \"\", maxRequestSize);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 249919513915138150249317489840873024684, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409691 }, { "func": "static BOOL rdp_print_bitmap_codecs_capability_set(wStream* s, UINT16 length)\n{\n\tGUID codecGuid;\n\tBYTE bitmapCodecCount;\n\tBYTE codecId;\n\tUINT16 codecPropertiesLength;\n\tUINT16 remainingLength;\n\tWLog_INFO(TAG, \"BitmapCodecsCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 5)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, bitmapCodecCount); /* bitmapCodecCount (1 byte) */\n\tremainingLength = length - 5;\n\tWLog_INFO(TAG, \"\\tbitmapCodecCount: %\" PRIu8 \"\", bitmapCodecCount);\n\n\twhile (bitmapCodecCount > 0)\n\t{\n\t\tif (remainingLength < 19)\n\t\t\treturn FALSE;\n\n\t\trdp_read_bitmap_codec_guid(s, &codecGuid); /* codecGuid (16 bytes) */\n\t\tStream_Read_UINT8(s, codecId); /* codecId (1 byte) */\n\t\tWLog_INFO(TAG, \"\\tcodecGuid: 
0x\");\n\t\trdp_print_bitmap_codec_guid(&codecGuid);\n\t\tWLog_INFO(TAG, \" (%s)\", rdp_get_bitmap_codec_guid_name(&codecGuid));\n\t\tWLog_INFO(TAG, \"\\tcodecId: %\" PRIu8 \"\", codecId);\n\t\tStream_Read_UINT16(s, codecPropertiesLength); /* codecPropertiesLength (2 bytes) */\n\t\tWLog_INFO(TAG, \"\\tcodecPropertiesLength: %\" PRIu16 \"\", codecPropertiesLength);\n\t\tremainingLength -= 19;\n\n\t\tif (remainingLength < codecPropertiesLength)\n\t\t\treturn FALSE;\n\n\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\tremainingLength -= codecPropertiesLength;\n\t\tbitmapCodecCount--;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 24114546032535399803500638112004720719, "size": 41, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409582 }, { "func": "static BOOL rdp_print_order_capability_set(wStream* s, UINT16 length)\n{\n\tBYTE terminalDescriptor[16];\n\tUINT32 pad4OctetsA;\n\tUINT16 desktopSaveXGranularity;\n\tUINT16 desktopSaveYGranularity;\n\tUINT16 pad2OctetsA;\n\tUINT16 maximumOrderLevel;\n\tUINT16 numberFonts;\n\tUINT16 orderFlags;\n\tBYTE orderSupport[32];\n\tUINT16 textFlags;\n\tUINT16 orderSupportExFlags;\n\tUINT32 pad4OctetsB;\n\tUINT32 desktopSaveSize;\n\tUINT16 pad2OctetsC;\n\tUINT16 pad2OctetsD;\n\tUINT16 textANSICodePage;\n\tUINT16 pad2OctetsE;\n\tWLog_INFO(TAG, \"OrderCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 88)\n\t\treturn FALSE;\n\n\tStream_Read(s, terminalDescriptor, 16); /* terminalDescriptor (16 bytes) */\n\tStream_Read_UINT32(s, pad4OctetsA); /* pad4OctetsA (4 bytes) */\n\tStream_Read_UINT16(s, desktopSaveXGranularity); /* desktopSaveXGranularity (2 bytes) */\n\tStream_Read_UINT16(s, desktopSaveYGranularity); /* desktopSaveYGranularity (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsA); /* pad2OctetsA (2 bytes) */\n\tStream_Read_UINT16(s, maximumOrderLevel); /* 
maximumOrderLevel (2 bytes) */\n\tStream_Read_UINT16(s, numberFonts); /* numberFonts (2 bytes) */\n\tStream_Read_UINT16(s, orderFlags); /* orderFlags (2 bytes) */\n\tStream_Read(s, orderSupport, 32); /* orderSupport (32 bytes) */\n\tStream_Read_UINT16(s, textFlags); /* textFlags (2 bytes) */\n\tStream_Read_UINT16(s, orderSupportExFlags); /* orderSupportExFlags (2 bytes) */\n\tStream_Read_UINT32(s, pad4OctetsB); /* pad4OctetsB (4 bytes) */\n\tStream_Read_UINT32(s, desktopSaveSize); /* desktopSaveSize (4 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsC); /* pad2OctetsC (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsD); /* pad2OctetsD (2 bytes) */\n\tStream_Read_UINT16(s, textANSICodePage); /* textANSICodePage (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsE); /* pad2OctetsE (2 bytes) */\n\tWLog_INFO(TAG, \"\\tpad4OctetsA: 0x%08\" PRIX32 \"\", pad4OctetsA);\n\tWLog_INFO(TAG, \"\\tdesktopSaveXGranularity: 0x%04\" PRIX16 \"\", desktopSaveXGranularity);\n\tWLog_INFO(TAG, \"\\tdesktopSaveYGranularity: 0x%04\" PRIX16 \"\", desktopSaveYGranularity);\n\tWLog_INFO(TAG, \"\\tpad2OctetsA: 0x%04\" PRIX16 \"\", pad2OctetsA);\n\tWLog_INFO(TAG, \"\\tmaximumOrderLevel: 0x%04\" PRIX16 \"\", maximumOrderLevel);\n\tWLog_INFO(TAG, \"\\tnumberFonts: 0x%04\" PRIX16 \"\", numberFonts);\n\tWLog_INFO(TAG, \"\\torderFlags: 0x%04\" PRIX16 \"\", orderFlags);\n\tWLog_INFO(TAG, \"\\torderSupport:\");\n\tWLog_INFO(TAG, \"\\t\\tDSTBLT: %\" PRIu8 \"\", orderSupport[NEG_DSTBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tPATBLT: %\" PRIu8 \"\", orderSupport[NEG_PATBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tSCRBLT: %\" PRIu8 \"\", orderSupport[NEG_SCRBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMEMBLT: %\" PRIu8 \"\", orderSupport[NEG_MEMBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMEM3BLT: %\" PRIu8 \"\", orderSupport[NEG_MEM3BLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tATEXTOUT: %\" PRIu8 \"\", orderSupport[NEG_ATEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tAEXTTEXTOUT: %\" PRIu8 \"\", 
orderSupport[NEG_AEXTTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tDRAWNINEGRID: %\" PRIu8 \"\", orderSupport[NEG_DRAWNINEGRID_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tLINETO: %\" PRIu8 \"\", orderSupport[NEG_LINETO_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTI_DRAWNINEGRID: %\" PRIu8 \"\",\n\t orderSupport[NEG_MULTI_DRAWNINEGRID_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tOPAQUE_RECT: %\" PRIu8 \"\", orderSupport[NEG_OPAQUE_RECT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tSAVEBITMAP: %\" PRIu8 \"\", orderSupport[NEG_SAVEBITMAP_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tWTEXTOUT: %\" PRIu8 \"\", orderSupport[NEG_WTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMEMBLT_V2: %\" PRIu8 \"\", orderSupport[NEG_MEMBLT_V2_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMEM3BLT_V2: %\" PRIu8 \"\", orderSupport[NEG_MEM3BLT_V2_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTIDSTBLT: %\" PRIu8 \"\", orderSupport[NEG_MULTIDSTBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTIPATBLT: %\" PRIu8 \"\", orderSupport[NEG_MULTIPATBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTISCRBLT: %\" PRIu8 \"\", orderSupport[NEG_MULTISCRBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTIOPAQUERECT: %\" PRIu8 \"\", orderSupport[NEG_MULTIOPAQUERECT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tFAST_INDEX: %\" PRIu8 \"\", orderSupport[NEG_FAST_INDEX_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tPOLYGON_SC: %\" PRIu8 \"\", orderSupport[NEG_POLYGON_SC_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tPOLYGON_CB: %\" PRIu8 \"\", orderSupport[NEG_POLYGON_CB_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tPOLYLINE: %\" PRIu8 \"\", orderSupport[NEG_POLYLINE_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tUNUSED23: %\" PRIu8 \"\", orderSupport[NEG_UNUSED23_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tFAST_GLYPH: %\" PRIu8 \"\", orderSupport[NEG_FAST_GLYPH_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tELLIPSE_SC: %\" PRIu8 \"\", orderSupport[NEG_ELLIPSE_SC_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tELLIPSE_CB: %\" PRIu8 \"\", orderSupport[NEG_ELLIPSE_CB_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tGLYPH_INDEX: %\" PRIu8 \"\", orderSupport[NEG_GLYPH_INDEX_INDEX]);\n\tWLog_INFO(TAG, 
\"\\t\\tGLYPH_WEXTTEXTOUT: %\" PRIu8 \"\", orderSupport[NEG_GLYPH_WEXTTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tGLYPH_WLONGTEXTOUT: %\" PRIu8 \"\",\n\t orderSupport[NEG_GLYPH_WLONGTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tGLYPH_WLONGEXTTEXTOUT: %\" PRIu8 \"\",\n\t orderSupport[NEG_GLYPH_WLONGEXTTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tUNUSED31: %\" PRIu8 \"\", orderSupport[NEG_UNUSED31_INDEX]);\n\tWLog_INFO(TAG, \"\\ttextFlags: 0x%04\" PRIX16 \"\", textFlags);\n\tWLog_INFO(TAG, \"\\torderSupportExFlags: 0x%04\" PRIX16 \"\", orderSupportExFlags);\n\tWLog_INFO(TAG, \"\\tpad4OctetsB: 0x%08\" PRIX32 \"\", pad4OctetsB);\n\tWLog_INFO(TAG, \"\\tdesktopSaveSize: 0x%08\" PRIX32 \"\", desktopSaveSize);\n\tWLog_INFO(TAG, \"\\tpad2OctetsC: 0x%04\" PRIX16 \"\", pad2OctetsC);\n\tWLog_INFO(TAG, \"\\tpad2OctetsD: 0x%04\" PRIX16 \"\", pad2OctetsD);\n\tWLog_INFO(TAG, \"\\ttextANSICodePage: 0x%04\" PRIX16 \"\", textANSICodePage);\n\tWLog_INFO(TAG, \"\\tpad2OctetsE: 0x%04\" PRIX16 \"\", pad2OctetsE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 314984488369612595242281546417973409324, "size": 94, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409634 }, { "func": "static BOOL rdp_write_bitmap_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tBYTE drawingFlags = 0;\n\tUINT16 preferredBitsPerPixel;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->DrawAllowSkipAlpha)\n\t\tdrawingFlags |= DRAW_ALLOW_SKIP_ALPHA;\n\n\tif (settings->DrawAllowDynamicColorFidelity)\n\t\tdrawingFlags |= DRAW_ALLOW_DYNAMIC_COLOR_FIDELITY;\n\n\tif (settings->DrawAllowColorSubsampling)\n\t\tdrawingFlags |= DRAW_ALLOW_COLOR_SUBSAMPLING; /* currently unimplemented */\n\n\t/* While bitmap_decode.c now implements YCoCg, in turning 
it\n\t * on we have found Microsoft is inconsistent on whether to invert R & B.\n\t * And it's not only from one server to another; on Win7/2008R2, it appears\n\t * to send the main content with a different inversion than the Windows\n\t * button! So... don't advertise that we support YCoCg and the server\n\t * will not send it. YCoCg is still needed for EGFX, but it at least\n\t * appears consistent in its use.\n\t */\n\n\tif ((settings->ColorDepth > UINT16_MAX) || (settings->DesktopWidth > UINT16_MAX) ||\n\t (settings->DesktopHeight > UINT16_MAX) || (settings->DesktopResize > UINT16_MAX))\n\t\treturn FALSE;\n\n\tif (settings->RdpVersion >= RDP_VERSION_5_PLUS)\n\t\tpreferredBitsPerPixel = (UINT16)settings->ColorDepth;\n\telse\n\t\tpreferredBitsPerPixel = 8;\n\n\tStream_Write_UINT16(s, preferredBitsPerPixel); /* preferredBitsPerPixel (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* receive1BitPerPixel (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* receive4BitsPerPixel (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* receive8BitsPerPixel (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->DesktopWidth); /* desktopWidth (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->DesktopHeight); /* desktopHeight (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->DesktopResize); /* desktopResizeFlag (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* bitmapCompressionFlag (2 bytes) */\n\tStream_Write_UINT8(s, 0); /* highColorFlags (1 byte) */\n\tStream_Write_UINT8(s, drawingFlags); /* drawingFlags (1 byte) */\n\tStream_Write_UINT16(s, 1); /* multipleRectangleSupport (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsB (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BITMAP);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 214825058683404299590112235974415655493, "size": 55, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in 
rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409633 }, { "func": "static void rdp_read_capability_set_header(wStream* s, UINT16* length, UINT16* type)\n{\n\tStream_Read_UINT16(s, *type); /* capabilitySetType */\n\tStream_Read_UINT16(s, *length); /* lengthCapability */\n}", "project": "FreeRDP", "hash": 80707266597010700872327549120082707400, "size": 5, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409594 }, { "func": "static BOOL rdp_write_bitmap_codecs_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tBYTE bitmapCodecCount;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tbitmapCodecCount = 0;\n\n\tif (settings->RemoteFxCodec)\n\t\tbitmapCodecCount++;\n\n\tif (settings->NSCodec)\n\t\tbitmapCodecCount++;\n\n#if defined(WITH_JPEG)\n\n\tif (settings->JpegCodec)\n\t\tbitmapCodecCount++;\n\n#endif\n\n\tif (settings->RemoteFxImageCodec)\n\t\tbitmapCodecCount++;\n\n\tStream_Write_UINT8(s, bitmapCodecCount);\n\n\tif (settings->RemoteFxCodec)\n\t{\n\t\trdp_write_bitmap_codec_guid(s, &CODEC_GUID_REMOTEFX); /* codecGUID */\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tStream_Write_UINT8(s, 0); /* codecID is defined by the client */\n\n\t\t\tif (!rdp_write_rfx_server_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Write_UINT8(s, RDP_CODEC_ID_REMOTEFX); /* codecID */\n\n\t\t\tif (!rdp_write_rfx_client_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\tif (settings->NSCodec)\n\t{\n\t\trdp_write_bitmap_codec_guid(s, &CODEC_GUID_NSCODEC); /* codecGUID */\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tStream_Write_UINT8(s, 0); /* codecID is defined by the client */\n\n\t\t\tif (!rdp_write_nsc_server_capability_container(s, settings))\n\t\t\t\treturn 
FALSE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Write_UINT8(s, RDP_CODEC_ID_NSCODEC); /* codecID */\n\n\t\t\tif (!rdp_write_nsc_client_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n#if defined(WITH_JPEG)\n\n\tif (settings->JpegCodec)\n\t{\n\t\trdp_write_bitmap_codec_guid(s, &CODEC_GUID_JPEG); /* codecGUID */\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tStream_Write_UINT8(s, 0); /* codecID is defined by the client */\n\n\t\t\tif (!rdp_write_jpeg_server_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Write_UINT8(s, RDP_CODEC_ID_JPEG); /* codecID */\n\n\t\t\tif (!rdp_write_jpeg_client_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n#endif\n\n\tif (settings->RemoteFxImageCodec)\n\t{\n\t\trdp_write_bitmap_codec_guid(s, &CODEC_GUID_IMAGE_REMOTEFX); /* codecGUID */\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tStream_Write_UINT8(s, 0); /* codecID is defined by the client */\n\n\t\t\tif (!rdp_write_rfx_server_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Write_UINT8(s, RDP_CODEC_ID_IMAGE_REMOTEFX); /* codecID */\n\n\t\t\tif (!rdp_write_rfx_client_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_BITMAP_CODECS);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 332928462654213428990596858954074010072, "size": 116, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409660 }, { "func": "static BOOL rdp_write_jpeg_client_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 1); /* codecPropertiesLength */\n\tStream_Write_UINT8(s, settings->JpegQuality);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 
230066296694265455843662918473236864709, "size": 9, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409664 }, { "func": "static void rdp_read_cache_definition(wStream* s, GLYPH_CACHE_DEFINITION* cache_definition)\n{\n\tStream_Read_UINT16(s, cache_definition->cacheEntries); /* cacheEntries (2 bytes) */\n\tStream_Read_UINT16(s,\n\t cache_definition->cacheMaximumCellSize); /* cacheMaximumCellSize (2 bytes) */\n}", "project": "FreeRDP", "hash": 45805913852648643995751491508146469984, "size": 6, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409666 }, { "func": "static BOOL rdp_read_draw_nine_grid_cache_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 drawNineGridSupportLevel;\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, drawNineGridSupportLevel); /* drawNineGridSupportLevel (4 bytes) */\n\tStream_Read_UINT16(s, settings->DrawNineGridCacheSize); /* drawNineGridCacheSize (2 bytes) */\n\tStream_Read_UINT16(s,\n\t settings->DrawNineGridCacheEntries); /* drawNineGridCacheEntries (2 bytes) */\n\n\tif ((drawNineGridSupportLevel & DRAW_NINEGRID_SUPPORTED) ||\n\t (drawNineGridSupportLevel & DRAW_NINEGRID_SUPPORTED_V2))\n\t\tsettings->DrawNineGridEnabled = TRUE;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 40633978534520824703644583410869744929, "size": 19, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409632 }, { "func": "static BOOL rdp_print_desktop_composition_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 compDeskSupportLevel;\n\tWLog_INFO(TAG, \"DesktopCompositionCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 6)\n\t\treturn 
FALSE;\n\n\tStream_Read_UINT16(s, compDeskSupportLevel); /* compDeskSupportLevel (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcompDeskSupportLevel: 0x%04\" PRIX16 \"\", compDeskSupportLevel);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 210379168711159173994520293055281545595, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409641 }, { "func": "static void rdp_write_bitmap_codec_guid(wStream* s, const GUID* guid)\n{\n\tBYTE g[16];\n\tg[0] = guid->Data1 & 0xFF;\n\tg[1] = (guid->Data1 >> 8) & 0xFF;\n\tg[2] = (guid->Data1 >> 16) & 0xFF;\n\tg[3] = (guid->Data1 >> 24) & 0xFF;\n\tg[4] = (guid->Data2) & 0xFF;\n\tg[5] = (guid->Data2 >> 8) & 0xFF;\n\tg[6] = (guid->Data3) & 0xFF;\n\tg[7] = (guid->Data3 >> 8) & 0xFF;\n\tg[8] = guid->Data4[0];\n\tg[9] = guid->Data4[1];\n\tg[10] = guid->Data4[2];\n\tg[11] = guid->Data4[3];\n\tg[12] = guid->Data4[4];\n\tg[13] = guid->Data4[5];\n\tg[14] = guid->Data4[6];\n\tg[15] = guid->Data4[7];\n\tStream_Write(s, g, 16);\n}", "project": "FreeRDP", "hash": 325767040754059587070181348175035488638, "size": 21, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409668 }, { "func": "static BOOL rdp_print_draw_gdiplus_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 drawGdiPlusSupportLevel;\n\tUINT32 GdipVersion;\n\tUINT32 drawGdiplusCacheLevel;\n\tWLog_INFO(TAG, \"DrawGdiPlusCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, drawGdiPlusSupportLevel); /* drawGdiPlusSupportLevel (4 bytes) */\n\tStream_Read_UINT32(s, GdipVersion); /* GdipVersion (4 bytes) */\n\tStream_Read_UINT32(s, drawGdiplusCacheLevel); /* drawGdiPlusCacheLevel (4 bytes) */\n\tStream_Seek(s, 10); /* GdipCacheEntries (10 bytes) */\n\tStream_Seek(s, 8); /* 
GdipCacheChunkSize (8 bytes) */\n\tStream_Seek(s, 6); /* GdipImageCacheProperties (6 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 2012687523423089845955647994143606739, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409644 }, { "func": "static BOOL rdp_write_glyph_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->GlyphSupportLevel > UINT16_MAX)\n\t\treturn FALSE;\n\t/* glyphCache (40 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[0])); /* glyphCache0 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[1])); /* glyphCache1 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[2])); /* glyphCache2 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[3])); /* glyphCache3 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[4])); /* glyphCache4 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[5])); /* glyphCache5 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[6])); /* glyphCache6 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[7])); /* glyphCache7 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[8])); /* glyphCache8 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[9])); /* glyphCache9 (4 bytes) */\n\trdp_write_cache_definition(s, settings->FragCache); /* fragCache (4 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->GlyphSupportLevel); /* glyphSupportLevel (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_GLYPH_CACHE);\n\treturn TRUE;\n}", "project": 
"FreeRDP", "hash": 147467838726629004619531519247747352656, "size": 29, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409653 }, { "func": "BOOL rdp_recv_demand_active(rdpRdp* rdp, wStream* s)\n{\n\tUINT16 channelId;\n\tUINT16 pduType;\n\tUINT16 pduLength;\n\tUINT16 pduSource;\n\tUINT16 length;\n\tUINT16 numberCapabilities;\n\tUINT16 lengthSourceDescriptor;\n\tUINT16 lengthCombinedCapabilities;\n\n\tif (!rdp_recv_get_active_header(rdp, s, &channelId, &length))\n\t\treturn FALSE;\n\n\tif (freerdp_shall_disconnect(rdp->instance))\n\t\treturn TRUE;\n\n\tif (!rdp_read_share_control_header(s, &pduLength, &pduType, &pduSource))\n\t{\n\t\tWLog_ERR(TAG, \"rdp_read_share_control_header failed\");\n\t\treturn FALSE;\n\t}\n\n\tif (pduType == PDU_TYPE_DATA)\n\t{\n\t\t/**\n\t\t * We can receive a Save Session Info Data PDU containing a LogonErrorInfo\n\t\t * structure at this point from the server to indicate a connection error.\n\t\t */\n\t\tif (rdp_recv_data_pdu(rdp, s) < 0)\n\t\t\treturn FALSE;\n\n\t\treturn FALSE;\n\t}\n\n\tif (pduType != PDU_TYPE_DEMAND_ACTIVE)\n\t{\n\t\tif (pduType != PDU_TYPE_SERVER_REDIRECTION)\n\t\t\tWLog_ERR(TAG, \"expected PDU_TYPE_DEMAND_ACTIVE %04x, got %04\" PRIx16 \"\",\n\t\t\t PDU_TYPE_DEMAND_ACTIVE, pduType);\n\n\t\treturn FALSE;\n\t}\n\n\trdp->settings->PduSource = pduSource;\n\n\tif (Stream_GetRemainingLength(s) < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, rdp->settings->ShareId); /* shareId (4 bytes) */\n\tStream_Read_UINT16(s, lengthSourceDescriptor); /* lengthSourceDescriptor (2 bytes) */\n\tStream_Read_UINT16(s, lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */\n\n\tif (!Stream_SafeSeek(s, lengthSourceDescriptor) ||\n\t Stream_GetRemainingLength(s) < 4) /* sourceDescriptor */\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) 
*/\n\tStream_Seek(s, 2); /* pad2Octets (2 bytes) */\n\n\t/* capabilitySets */\n\tif (!rdp_read_capability_sets(s, rdp->settings, numberCapabilities, lengthCombinedCapabilities))\n\t{\n\t\tWLog_ERR(TAG, \"rdp_read_capability_sets failed\");\n\t\treturn FALSE;\n\t}\n\n\tif (!Stream_SafeSeek(s, 4)) /* SessionId */\n\t\treturn FALSE;\n\n\trdp->update->secondary->glyph_v2 = (rdp->settings->GlyphSupportLevel > GLYPH_SUPPORT_FULL);\n\treturn tpkt_ensure_stream_consumed(s, length);\n}", "project": "FreeRDP", "hash": 44339431169826735119172547471406906347, "size": 73, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409604 }, { "func": "static BOOL rdp_read_bitmap_cache_v3_codec_id_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tBYTE bitmapCacheV3CodecId;\n\n\tWINPR_UNUSED(settings);\n\tif (length < 5)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, bitmapCacheV3CodecId); /* bitmapCacheV3CodecId (1 byte) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 86826559054972396148544906904831060639, "size": 12, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409658 }, { "func": "static BOOL rdp_print_glyph_cache_capability_set(wStream* s, UINT16 length)\n{\n\tGLYPH_CACHE_DEFINITION glyphCache[10];\n\tGLYPH_CACHE_DEFINITION fragCache;\n\tUINT16 glyphSupportLevel;\n\tUINT16 pad2Octets;\n\tWLog_INFO(TAG, \"GlyphCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 52)\n\t\treturn FALSE;\n\n\t/* glyphCache (40 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[0]); /* glyphCache0 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[1]); /* glyphCache1 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[2]); /* glyphCache2 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[3]); /* 
glyphCache3 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[4]); /* glyphCache4 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[5]); /* glyphCache5 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[6]); /* glyphCache6 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[7]); /* glyphCache7 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[8]); /* glyphCache8 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[9]); /* glyphCache9 (4 bytes) */\n\trdp_read_cache_definition(s, &fragCache); /* fragCache (4 bytes) */\n\tStream_Read_UINT16(s, glyphSupportLevel); /* glyphSupportLevel (2 bytes) */\n\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\tWLog_INFO(TAG, \"\\tglyphCache0: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[0].cacheEntries, glyphCache[0].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache1: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[1].cacheEntries, glyphCache[1].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache2: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[2].cacheEntries, glyphCache[2].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache3: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[3].cacheEntries, glyphCache[3].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache4: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[4].cacheEntries, glyphCache[4].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache5: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[5].cacheEntries, glyphCache[5].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache6: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[6].cacheEntries, glyphCache[6].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache7: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[7].cacheEntries, 
glyphCache[7].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache8: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[8].cacheEntries, glyphCache[8].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache9: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[9].cacheEntries, glyphCache[9].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tfragCache: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t fragCache.cacheEntries, fragCache.cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphSupportLevel: 0x%04\" PRIX16 \"\", glyphSupportLevel);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 327012898936376103726124817366633874691, "size": 51, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409630 }, { "func": "static BOOL rdp_print_pointer_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 colorPointerFlag;\n\tUINT16 colorPointerCacheSize;\n\tUINT16 pointerCacheSize;\n\n\tif (length < 10)\n\t\treturn FALSE;\n\n\tWLog_INFO(TAG, \"PointerCapabilitySet (length %\" PRIu16 \"):\", length);\n\tStream_Read_UINT16(s, colorPointerFlag); /* colorPointerFlag (2 bytes) */\n\tStream_Read_UINT16(s, colorPointerCacheSize); /* colorPointerCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, pointerCacheSize); /* pointerCacheSize (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcolorPointerFlag: 0x%04\" PRIX16 \"\", colorPointerFlag);\n\tWLog_INFO(TAG, \"\\tcolorPointerCacheSize: 0x%04\" PRIX16 \"\", colorPointerCacheSize);\n\tWLog_INFO(TAG, \"\\tpointerCacheSize: 0x%04\" PRIX16 \"\", pointerCacheSize);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 303759523317706528285641459907488762007, "size": 18, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": 
"other", "idx": 409662 }, { "func": "static BOOL rdp_write_font_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, FONTSUPPORT_FONTLIST); /* fontSupportFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_FONT);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 77739938369199003807908763104333147952, "size": 16, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409669 }, { "func": "static BOOL rdp_read_share_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* nodeId (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 110630546321384895699149838140537479494, "size": 10, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409686 }, { "func": "static void rdp_read_bitmap_cache_cell_info(wStream* s, BITMAP_CACHE_V2_CELL_INFO* cellInfo)\n{\n\tUINT32 info;\n\t/**\n\t * numEntries is in the first 31 bits, while the last bit (k)\n\t * is used to indicate a persistent bitmap cache.\n\t */\n\tStream_Read_UINT32(s, info);\n\tcellInfo->numEntries = (info & 0x7FFFFFFF);\n\tcellInfo->persistent = (info & 0x80000000) ? 
1 : 0;\n}", "project": "FreeRDP", "hash": 243003567530089132513265118318891886949, "size": 11, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409578 }, { "func": "static BOOL rdp_print_control_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 controlFlags;\n\tUINT16 remoteDetachFlag;\n\tUINT16 controlInterest;\n\tUINT16 detachInterest;\n\tWLog_INFO(TAG, \"ControlCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, controlFlags); /* controlFlags (2 bytes) */\n\tStream_Read_UINT16(s, remoteDetachFlag); /* remoteDetachFlag (2 bytes) */\n\tStream_Read_UINT16(s, controlInterest); /* controlInterest (2 bytes) */\n\tStream_Read_UINT16(s, detachInterest); /* detachInterest (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcontrolFlags: 0x%04\" PRIX16 \"\", controlFlags);\n\tWLog_INFO(TAG, \"\\tremoteDetachFlag: 0x%04\" PRIX16 \"\", remoteDetachFlag);\n\tWLog_INFO(TAG, \"\\tcontrolInterest: 0x%04\" PRIX16 \"\", controlInterest);\n\tWLog_INFO(TAG, \"\\tdetachInterest: 0x%04\" PRIX16 \"\", detachInterest);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 112568296590823747751147846820589701696, "size": 21, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409670 }, { "func": "static BOOL rdp_write_multifragment_update_capability_set(wStream* s, rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\tif (settings->ServerMode && settings->MultifragMaxRequestSize == 0)\n\t{\n\t\t/**\n\t\t * In server mode we prefer to use the highest useful request size that\n\t\t * will allow us to pack a complete screen update into a single fast\n\t\t * path PDU using any of the supported codecs.\n\t\t * However, the client is completely 
free to accept our proposed\n\t\t * max request size or send a different value in the client-to-server\n\t\t * multi-fragment update capability set and we have to accept that,\n\t\t * unless we are using RemoteFX where the client MUST announce a value\n\t\t * greater than or equal to the value we're sending here.\n\t\t * See [MS-RDPRFX 1.5 capability #2]\n\t\t */\n\t\tUINT32 tileNumX = (settings->DesktopWidth + 63) / 64;\n\t\tUINT32 tileNumY = (settings->DesktopHeight + 63) / 64;\n\t\tsettings->MultifragMaxRequestSize = tileNumX * tileNumY * 16384;\n\t\t/* and add room for headers, regions, frame markers, etc. */\n\t\tsettings->MultifragMaxRequestSize += 16384;\n\t}\n\n\theader = rdp_capability_set_start(s);\n\tStream_Write_UINT32(s, settings->MultifragMaxRequestSize); /* MaxRequestSize (4 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_MULTI_FRAGMENT_UPDATE);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 284673504598250299343184535298414746342, "size": 32, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409667 }, { "func": "static BOOL rdp_read_draw_gdiplus_cache_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 drawGDIPlusSupportLevel;\n\tUINT32 drawGdiplusCacheLevel;\n\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, drawGDIPlusSupportLevel); /* drawGDIPlusSupportLevel (4 bytes) */\n\tStream_Seek_UINT32(s); /* GdipVersion (4 bytes) */\n\tStream_Read_UINT32(s, drawGdiplusCacheLevel); /* drawGdiplusCacheLevel (4 bytes) */\n\tStream_Seek(s, 10); /* GdipCacheEntries (10 bytes) */\n\tStream_Seek(s, 8); /* GdipCacheChunkSize (8 bytes) */\n\tStream_Seek(s, 6); /* GdipImageCacheProperties (6 bytes) */\n\n\tif (drawGDIPlusSupportLevel & DRAW_GDIPLUS_SUPPORTED)\n\t\tsettings->DrawGdiPlusEnabled = TRUE;\n\n\tif (drawGdiplusCacheLevel & 
DRAW_GDIPLUS_CACHE_LEVEL_ONE)\n\t\tsettings->DrawGdiPlusCacheEnabled = TRUE;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 234991757575908276803722590129707796626, "size": 24, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409590 }, { "func": "static BOOL rdp_print_bitmap_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 pad1, pad2, pad3;\n\tUINT32 pad4, pad5, pad6;\n\tUINT16 Cache0Entries;\n\tUINT16 Cache0MaximumCellSize;\n\tUINT16 Cache1Entries;\n\tUINT16 Cache1MaximumCellSize;\n\tUINT16 Cache2Entries;\n\tUINT16 Cache2MaximumCellSize;\n\tWLog_INFO(TAG, \"BitmapCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, pad1); /* pad1 (4 bytes) */\n\tStream_Read_UINT32(s, pad2); /* pad2 (4 bytes) */\n\tStream_Read_UINT32(s, pad3); /* pad3 (4 bytes) */\n\tStream_Read_UINT32(s, pad4); /* pad4 (4 bytes) */\n\tStream_Read_UINT32(s, pad5); /* pad5 (4 bytes) */\n\tStream_Read_UINT32(s, pad6); /* pad6 (4 bytes) */\n\tStream_Read_UINT16(s, Cache0Entries); /* Cache0Entries (2 bytes) */\n\tStream_Read_UINT16(s, Cache0MaximumCellSize); /* Cache0MaximumCellSize (2 bytes) */\n\tStream_Read_UINT16(s, Cache1Entries); /* Cache1Entries (2 bytes) */\n\tStream_Read_UINT16(s, Cache1MaximumCellSize); /* Cache1MaximumCellSize (2 bytes) */\n\tStream_Read_UINT16(s, Cache2Entries); /* Cache2Entries (2 bytes) */\n\tStream_Read_UINT16(s, Cache2MaximumCellSize); /* Cache2MaximumCellSize (2 bytes) */\n\tWLog_INFO(TAG, \"\\tpad1: 0x%08\" PRIX32 \"\", pad1);\n\tWLog_INFO(TAG, \"\\tpad2: 0x%08\" PRIX32 \"\", pad2);\n\tWLog_INFO(TAG, \"\\tpad3: 0x%08\" PRIX32 \"\", pad3);\n\tWLog_INFO(TAG, \"\\tpad4: 0x%08\" PRIX32 \"\", pad4);\n\tWLog_INFO(TAG, \"\\tpad5: 0x%08\" PRIX32 \"\", pad5);\n\tWLog_INFO(TAG, \"\\tpad6: 0x%08\" PRIX32 \"\", pad6);\n\tWLog_INFO(TAG, \"\\tCache0Entries: 0x%04\" PRIX16 \"\", 
Cache0Entries);\n\tWLog_INFO(TAG, \"\\tCache0MaximumCellSize: 0x%04\" PRIX16 \"\", Cache0MaximumCellSize);\n\tWLog_INFO(TAG, \"\\tCache1Entries: 0x%04\" PRIX16 \"\", Cache1Entries);\n\tWLog_INFO(TAG, \"\\tCache1MaximumCellSize: 0x%04\" PRIX16 \"\", Cache1MaximumCellSize);\n\tWLog_INFO(TAG, \"\\tCache2Entries: 0x%04\" PRIX16 \"\", Cache2Entries);\n\tWLog_INFO(TAG, \"\\tCache2MaximumCellSize: 0x%04\" PRIX16 \"\", Cache2MaximumCellSize);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 263214705750533080366269336572526014100, "size": 41, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409574 }, { "func": "static BOOL rdp_read_bitmap_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tBYTE drawingFlags;\n\tUINT16 desktopWidth;\n\tUINT16 desktopHeight;\n\tUINT16 desktopResizeFlag;\n\tUINT16 preferredBitsPerPixel;\n\n\tif (length < 28)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, preferredBitsPerPixel); /* preferredBitsPerPixel (2 bytes) */\n\tStream_Seek_UINT16(s); /* receive1BitPerPixel (2 bytes) */\n\tStream_Seek_UINT16(s); /* receive4BitsPerPixel (2 bytes) */\n\tStream_Seek_UINT16(s); /* receive8BitsPerPixel (2 bytes) */\n\tStream_Read_UINT16(s, desktopWidth); /* desktopWidth (2 bytes) */\n\tStream_Read_UINT16(s, desktopHeight); /* desktopHeight (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\tStream_Read_UINT16(s, desktopResizeFlag); /* desktopResizeFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* bitmapCompressionFlag (2 bytes) */\n\tStream_Seek_UINT8(s); /* highColorFlags (1 byte) */\n\tStream_Read_UINT8(s, drawingFlags); /* drawingFlags (1 byte) */\n\tStream_Seek_UINT16(s); /* multipleRectangleSupport (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsB (2 bytes) */\n\n\tif (!settings->ServerMode && (preferredBitsPerPixel != settings->ColorDepth))\n\t{\n\t\t/* The client must respect the actual color 
depth used by the server */\n\t\tsettings->ColorDepth = preferredBitsPerPixel;\n\t}\n\n\tif (desktopResizeFlag == FALSE)\n\t\tsettings->DesktopResize = FALSE;\n\n\tif (!settings->ServerMode && settings->DesktopResize)\n\t{\n\t\t/* The server may request a different desktop size during Deactivation-Reactivation sequence\n\t\t */\n\t\tsettings->DesktopWidth = desktopWidth;\n\t\tsettings->DesktopHeight = desktopHeight;\n\t}\n\n\tif (settings->DrawAllowSkipAlpha)\n\t\tsettings->DrawAllowSkipAlpha = (drawingFlags & DRAW_ALLOW_SKIP_ALPHA) ? TRUE : FALSE;\n\n\tif (settings->DrawAllowDynamicColorFidelity)\n\t\tsettings->DrawAllowDynamicColorFidelity =\n\t\t (drawingFlags & DRAW_ALLOW_DYNAMIC_COLOR_FIDELITY) ? TRUE : FALSE;\n\n\tif (settings->DrawAllowColorSubsampling)\n\t\tsettings->DrawAllowColorSubsampling =\n\t\t (drawingFlags & DRAW_ALLOW_COLOR_SUBSAMPLING) ? TRUE : FALSE;\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 32241820168842739652588766287689298066, "size": 55, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409605 }, { "func": "static BOOL rdp_read_large_pointer_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 largePointerSupportFlags;\n\n\tif (length < 6)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, largePointerSupportFlags); /* largePointerSupportFlags (2 bytes) */\n\tsettings->LargePointerFlag =\n\t largePointerSupportFlags & (LARGE_POINTER_FLAG_96x96 | LARGE_POINTER_FLAG_384x384);\n\tif ((largePointerSupportFlags & ~(LARGE_POINTER_FLAG_96x96 | LARGE_POINTER_FLAG_384x384)) != 0)\n\t{\n\t\tWLog_WARN(\n\t\t TAG,\n\t\t \"TS_LARGE_POINTER_CAPABILITYSET with unsupported flags %04X (all flags %04X) received\",\n\t\t largePointerSupportFlags & ~(LARGE_POINTER_FLAG_96x96 | LARGE_POINTER_FLAG_384x384),\n\t\t largePointerSupportFlags);\n\t}\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 
31411261199554286081134639045069445801, "size": 20, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409617 }, { "func": "static BOOL rdp_print_virtual_channel_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 flags;\n\tUINT32 VCChunkSize;\n\tWLog_INFO(TAG, \"VirtualChannelCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, flags); /* flags (4 bytes) */\n\n\tif (length > 8)\n\t\tStream_Read_UINT32(s, VCChunkSize); /* VCChunkSize (4 bytes) */\n\telse\n\t\tVCChunkSize = 1600;\n\n\tWLog_INFO(TAG, \"\\tflags: 0x%08\" PRIX32 \"\", flags);\n\tWLog_INFO(TAG, \"\\tVCChunkSize: 0x%08\" PRIX32 \"\", VCChunkSize);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 284706245349848953715070998125660485821, "size": 20, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409583 }, { "func": "static BOOL rdp_print_surface_commands_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 cmdFlags;\n\tUINT32 reserved;\n\tWLog_INFO(TAG, \"SurfaceCommandsCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, cmdFlags); /* cmdFlags (4 bytes) */\n\tStream_Read_UINT32(s, reserved); /* reserved (4 bytes) */\n\tWLog_INFO(TAG, \"\\tcmdFlags: 0x%08\" PRIX32 \"\", cmdFlags);\n\tWLog_INFO(TAG, \"\\treserved: 0x%08\" PRIX32 \"\", reserved);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 201233689125804826922744190824697797071, "size": 15, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409607 }, { "func": "static BOOL rdp_read_pointer_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 
colorPointerFlag;\n\tUINT16 colorPointerCacheSize;\n\tUINT16 pointerCacheSize;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, colorPointerFlag); /* colorPointerFlag (2 bytes) */\n\tStream_Read_UINT16(s, colorPointerCacheSize); /* colorPointerCacheSize (2 bytes) */\n\n\t/* pointerCacheSize is optional */\n\tif (length >= 10)\n\t\tStream_Read_UINT16(s, pointerCacheSize); /* pointerCacheSize (2 bytes) */\n\telse\n\t\tpointerCacheSize = 0;\n\n\tif (colorPointerFlag == FALSE)\n\t\tsettings->ColorPointerFlag = FALSE;\n\n\tif (settings->ServerMode)\n\t{\n\t\tsettings->PointerCacheSize = pointerCacheSize;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 298168098402171989438387105409127129458, "size": 28, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": "other", "idx": 409622 }, { "func": "static BOOL rdp_read_bitmap_cache_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT32(s); /* pad1 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad2 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad3 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad4 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad5 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad6 (4 bytes) */\n\tStream_Seek_UINT16(s); /* Cache0Entries (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache0MaximumCellSize (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache1Entries (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache1MaximumCellSize (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache2Entries (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache2MaximumCellSize (2 bytes) */\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 126632303879958348471370508278569584777, "size": 20, "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf", "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set", "target": 0, "dataset": 
"other", "idx": 409687 } ] }, { "call_depth": 3, "longest_call_chain": [ "irda_connect", "irda_discover_daddr_and_lsap_sel", "irda_find_lsap_sel" ], "group_size": 3, "functions": [ { "func": "static int irda_connect(struct socket *sock, struct sockaddr *uaddr,\n\t\t\tint addr_len, int flags)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct sockaddr_irda *addr = (struct sockaddr_irda *) uaddr;\n\tstruct irda_sock *self = irda_sk(sk);\n\tint err;\n\n\tIRDA_DEBUG(2, \"%s(%p)\\n\", __func__, self);\n\n\t/* Don't allow connect for Ultra sockets */\n\tif ((sk->sk_type == SOCK_DGRAM) && (sk->sk_protocol == IRDAPROTO_ULTRA))\n\t\treturn -ESOCKTNOSUPPORT;\n\n\tif (sk->sk_state == TCP_ESTABLISHED && sock->state == SS_CONNECTING) {\n\t\tsock->state = SS_CONNECTED;\n\t\treturn 0; /* Connect completed during a ERESTARTSYS event */\n\t}\n\n\tif (sk->sk_state == TCP_CLOSE && sock->state == SS_CONNECTING) {\n\t\tsock->state = SS_UNCONNECTED;\n\t\treturn -ECONNREFUSED;\n\t}\n\n\tif (sk->sk_state == TCP_ESTABLISHED)\n\t\treturn -EISCONN; /* No reconnect on a seqpacket socket */\n\n\tsk->sk_state = TCP_CLOSE;\n\tsock->state = SS_UNCONNECTED;\n\n\tif (addr_len != sizeof(struct sockaddr_irda))\n\t\treturn -EINVAL;\n\n\t/* Check if user supplied any destination device address */\n\tif ((!addr->sir_addr) || (addr->sir_addr == DEV_ADDR_ANY)) {\n\t\t/* Try to find one suitable */\n\t\terr = irda_discover_daddr_and_lsap_sel(self, addr->sir_name);\n\t\tif (err) {\n\t\t\tIRDA_DEBUG(0, \"%s(), auto-connect failed!\\n\", __func__);\n\t\t\treturn err;\n\t\t}\n\t} else {\n\t\t/* Use the one provided by the user */\n\t\tself->daddr = addr->sir_addr;\n\t\tIRDA_DEBUG(1, \"%s(), daddr = %08x\\n\", __func__, self->daddr);\n\n\t\t/* If we don't have a valid service name, we assume the\n\t\t * user want to connect on a specific LSAP. Prevent\n\t\t * the use of invalid LSAPs (IrLMP 1.1 p10). 
Jean II */\n\t\tif((addr->sir_name[0] != '\\0') ||\n\t\t (addr->sir_lsap_sel >= 0x70)) {\n\t\t\t/* Query remote LM-IAS using service name */\n\t\t\terr = irda_find_lsap_sel(self, addr->sir_name);\n\t\t\tif (err) {\n\t\t\t\tIRDA_DEBUG(0, \"%s(), connect failed!\\n\", __func__);\n\t\t\t\treturn err;\n\t\t\t}\n\t\t} else {\n\t\t\t/* Directly connect to the remote LSAP\n\t\t\t * specified by the sir_lsap field.\n\t\t\t * Please use with caution, in IrDA LSAPs are\n\t\t\t * dynamic and there is no \"well-known\" LSAP. */\n\t\t\tself->dtsap_sel = addr->sir_lsap_sel;\n\t\t}\n\t}\n\n\t/* Check if we have opened a local TSAP */\n\tif (!self->tsap)\n\t\tirda_open_tsap(self, LSAP_ANY, addr->sir_name);\n\n\t/* Move to connecting socket, start sending Connect Requests */\n\tsock->state = SS_CONNECTING;\n\tsk->sk_state = TCP_SYN_SENT;\n\n\t/* Connect to remote device */\n\terr = irttp_connect_request(self->tsap, self->dtsap_sel,\n\t\t\t\t self->saddr, self->daddr, NULL,\n\t\t\t\t self->max_sdu_size_rx, NULL);\n\tif (err) {\n\t\tIRDA_DEBUG(0, \"%s(), connect failed!\\n\", __func__);\n\t\treturn err;\n\t}\n\n\t/* Now the loop */\n\tif (sk->sk_state != TCP_ESTABLISHED && (flags & O_NONBLOCK))\n\t\treturn -EINPROGRESS;\n\n\tif (wait_event_interruptible(*(sk->sk_sleep),\n\t\t\t\t (sk->sk_state != TCP_SYN_SENT)))\n\t\treturn -ERESTARTSYS;\n\n\tif (sk->sk_state != TCP_ESTABLISHED) {\n\t\tsock->state = SS_UNCONNECTED;\n\t\terr = sock_error(sk);\n\t\treturn err? err : -ECONNRESET;\n\t}\n\n\tsock->state = SS_CONNECTED;\n\n\t/* At this point, IrLMP has assigned our source address */\n\tself->saddr = irttp_get_saddr(self->tsap);\n\n\treturn 0;\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c", "hash": 178099908447917320051948600173125641407, "size": 104, "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "dataset": "other", "idx": 490851 }, { "func": "static int irda_discover_daddr_and_lsap_sel(struct irda_sock *self, char *name)\n{\n\tdiscinfo_t *discoveries;\t/* Copy of the discovery log */\n\tint\tnumber;\t\t\t/* Number of nodes in the log */\n\tint\ti;\n\tint\terr = -ENETUNREACH;\n\t__u32\tdaddr = DEV_ADDR_ANY;\t/* Address we found the service on */\n\t__u8\tdtsap_sel = 0x0;\t/* TSAP associated with it */\n\n\tIRDA_DEBUG(2, \"%s(), name=%s\\n\", __func__, name);\n\n\t/* Ask lmp for the current discovery log\n\t * Note : we have to use irlmp_get_discoveries(), as opposed\n\t * to play with the cachelog directly, because while we are\n\t * making our ias query, le log might change... */\n\tdiscoveries = irlmp_get_discoveries(&number, self->mask.word,\n\t\t\t\t\t self->nslots);\n\t/* Check if the we got some results */\n\tif (discoveries == NULL)\n\t\treturn -ENETUNREACH;\t/* No nodes discovered */\n\n\t/*\n\t * Now, check all discovered devices (if any), and connect\n\t * client only about the services that the client is\n\t * interested in...\n\t */\n\tfor(i = 0; i < number; i++) {\n\t\t/* Try the address in the log */\n\t\tself->daddr = discoveries[i].daddr;\n\t\tself->saddr = 0x0;\n\t\tIRDA_DEBUG(1, \"%s(), trying daddr = %08x\\n\",\n\t\t\t __func__, self->daddr);\n\n\t\t/* Query remote LM-IAS for this service */\n\t\terr = irda_find_lsap_sel(self, name);\n\t\tswitch (err) {\n\t\tcase 0:\n\t\t\t/* We found the requested service */\n\t\t\tif(daddr != DEV_ADDR_ANY) {\n\t\t\t\tIRDA_DEBUG(1, \"%s(), discovered service ''%s'' in two different devices !!!\\n\",\n\t\t\t\t\t __func__, name);\n\t\t\t\tself->daddr = DEV_ADDR_ANY;\n\t\t\t\tkfree(discoveries);\n\t\t\t\treturn(-ENOTUNIQ);\n\t\t\t}\n\t\t\t/* First time we found that one, save it ! 
*/\n\t\t\tdaddr = self->daddr;\n\t\t\tdtsap_sel = self->dtsap_sel;\n\t\t\tbreak;\n\t\tcase -EADDRNOTAVAIL:\n\t\t\t/* Requested service simply doesn't exist on this node */\n\t\t\tbreak;\n\t\tdefault:\n\t\t\t/* Something bad did happen :-( */\n\t\t\tIRDA_DEBUG(0, \"%s(), unexpected IAS query failure\\n\", __func__);\n\t\t\tself->daddr = DEV_ADDR_ANY;\n\t\t\tkfree(discoveries);\n\t\t\treturn(-EHOSTUNREACH);\n\t\t\tbreak;\n\t\t}\n\t}\n\t/* Cleanup our copy of the discovery log */\n\tkfree(discoveries);\n\n\t/* Check out what we found */\n\tif(daddr == DEV_ADDR_ANY) {\n\t\tIRDA_DEBUG(1, \"%s(), cannot discover service ''%s'' in any device !!!\\n\",\n\t\t\t __func__, name);\n\t\tself->daddr = DEV_ADDR_ANY;\n\t\treturn(-EADDRNOTAVAIL);\n\t}\n\n\t/* Revert back to discovered device & service */\n\tself->daddr = daddr;\n\tself->saddr = 0x0;\n\tself->dtsap_sel = dtsap_sel;\n\n\tIRDA_DEBUG(1, \"%s(), discovered requested service ''%s'' at address %08x\\n\",\n\t\t __func__, name, self->daddr);\n\n\treturn 0;\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c", "hash": 318581748965276480005084377565136724550, "size": 82, "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. 
Miller ", "dataset": "other", "idx": 490850 }, { "func": "static int irda_find_lsap_sel(struct irda_sock *self, char *name)\n{\n\tIRDA_DEBUG(2, \"%s(%p, %s)\\n\", __func__, self, name);\n\n\tif (self->iriap) {\n\t\tIRDA_WARNING(\"%s(): busy with a previous query\\n\",\n\t\t\t __func__);\n\t\treturn -EBUSY;\n\t}\n\n\tself->iriap = iriap_open(LSAP_ANY, IAS_CLIENT, self,\n\t\t\t\t irda_getvalue_confirm);\n\tif(self->iriap == NULL)\n\t\treturn -ENOMEM;\n\n\t/* Treat unexpected wakeup as disconnect */\n\tself->errno = -EHOSTUNREACH;\n\n\t/* Query remote LM-IAS */\n\tiriap_getvaluebyclass_request(self->iriap, self->saddr, self->daddr,\n\t\t\t\t name, \"IrDA:TinyTP:LsapSel\");\n\n\t/* Wait for answer, if not yet finished (or failed) */\n\tif (wait_event_interruptible(self->query_wait, (self->iriap==NULL)))\n\t\t/* Treat signals as disconnect */\n\t\treturn -EHOSTUNREACH;\n\n\t/* Check what happened */\n\tif (self->errno)\n\t{\n\t\t/* Requested object/attribute doesn't exist */\n\t\tif((self->errno == IAS_CLASS_UNKNOWN) ||\n\t\t (self->errno == IAS_ATTRIB_UNKNOWN))\n\t\t\treturn (-EADDRNOTAVAIL);\n\t\telse\n\t\t\treturn (-EHOSTUNREACH);\n\t}\n\n\t/* Get the remote TSAP selector */\n\tswitch (self->ias_result->type) {\n\tcase IAS_INTEGER:\n\t\tIRDA_DEBUG(4, \"%s() int=%d\\n\",\n\t\t\t __func__, self->ias_result->t.integer);\n\n\t\tif (self->ias_result->t.integer != -1)\n\t\t\tself->dtsap_sel = self->ias_result->t.integer;\n\t\telse\n\t\t\tself->dtsap_sel = 0;\n\t\tbreak;\n\tdefault:\n\t\tself->dtsap_sel = 0;\n\t\tIRDA_DEBUG(0, \"%s(), bad type!\\n\", __func__);\n\t\tbreak;\n\t}\n\tif (self->ias_result)\n\t\tirias_delete_value(self->ias_result);\n\n\tif (self->dtsap_sel)\n\t\treturn 0;\n\n\treturn -EADDRNOTAVAIL;\n}", "target": 0, "cwe": [ "CWE-200" ], "project": "linux-2.6", "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c", "hash": 165698805698786493552979841809667640579, "size": 62, "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory 
to user.\n\nSigned-off-by: Eric Dumazet \nSigned-off-by: David S. Miller ", "dataset": "other", "idx": 490844 } ] }, { "call_depth": 2, "longest_call_chain": [ "_php_image_type", "skipheader" ], "group_size": 3, "functions": [ { "func": "int skipheader (gdIOCtx *ctx) {\n int i;\n\n do {\n i = (ctx->getC)(ctx);\n if (i < 0) return (-1);\n }\n while (i & 0x80);\n\n return (0);\n}", "project": "hhvm", "hash": 187799634434809486741645095400908348570, "size": 11, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219373 }, { "func": "static int _php_image_type (char data[8]) {\n if (data == nullptr) {\n return -1;\n }\n\n if (!memcmp(data, php_sig_gd2, 3)) {\n return PHP_GDIMG_TYPE_GD2;\n } else if (!memcmp(data, php_sig_jpg, 3)) {\n return PHP_GDIMG_TYPE_JPG;\n } else if (!memcmp(data, php_sig_png, 3)) {\n if (!memcmp(data, php_sig_png, 8)) {\n return PHP_GDIMG_TYPE_PNG;\n }\n } else if (!memcmp(data, php_sig_gif, 3)) {\n return PHP_GDIMG_TYPE_GIF;\n }\n else {\n gdIOCtx *io_ctx;\n io_ctx = gdNewDynamicCtxEx(8, data, 0);\n if (io_ctx) {\n if (getmbi(io_ctx) == 0 &&\n skipheader(io_ctx) == 0 ) {\n io_ctx->gd_free(io_ctx);\n return PHP_GDIMG_TYPE_WBM;\n } else {\n io_ctx->gd_free(io_ctx);\n }\n }\n }\n return -1;\n}", "project": "hhvm", "hash": 157281697426707675187694641404679671507, "size": 31, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219494 }, { "func": "static int getmbi(gdIOCtx *ctx) {\n int i, mbi = 0;\n\n do {\n i = (ctx->getC)(ctx);\n if (i < 0)\n return (-1);\n mbi = (mbi << 7) | (i & 0x7f);\n } while (i & 0x80);\n\n return (mbi);\n}", "project": "hhvm", "hash": 119345514998941191308558049555640204155, "size": 12, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security 
fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219510 } ] }, { "call_depth": 3, "longest_call_chain": [ "php_openssl_csr_free", "X509_REQ_free", "CSRequest" ], "group_size": 3, "functions": [ { "func": "static void php_openssl_csr_free(zend_resource *rsrc)\n{\n\tX509_REQ * csr = (X509_REQ*)rsrc->ptr;\n\tX509_REQ_free(csr);\n}", "project": "php-src", "hash": 203588433657896308178929799818659920108, "size": 5, "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79", "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)", "target": 0, "dataset": "other", "idx": 291401 }, { "func": " explicit CSRequest(X509_REQ *csr) : m_csr(csr) {\n assertx(m_csr);\n }", "project": "hhvm", "hash": 185152408263537532527205151501544474583, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219423 }, { "func": " ~CSRequest() override {\n // X509_REQ_free(nullptr) is a no-op\n X509_REQ_free(m_csr);\n }", "project": "hhvm", "hash": 172788866518608369448304811034265826884, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219893 } ] }, { "call_depth": 4, "longest_call_chain": [ "crypto_cert_print_info", "crypto_cert_fingerprint", "crypto_cert_fingerprint_by_hash", "crypto_cert_hash" ], "group_size": 9, "functions": [ { "func": "char* crypto_cert_issuer(X509* xcert)\n{\n\treturn crypto_print_name(X509_get_issuer_name(xcert));\n}", "project": "FreeRDP", "hash": 205497471462573990909815156371579244197, "size": 4, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", 
"idx": 473452 }, { "func": "char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash)\n{\n\tUINT32 fp_len, i;\n\tBYTE* fp;\n\tchar* p;\n\tchar* fp_buffer;\n\n\tfp = crypto_cert_hash(xcert, hash, &fp_len);\n\tif (!fp)\n\t\treturn NULL;\n\n\tfp_buffer = calloc(fp_len * 3 + 1, sizeof(char));\n\tif (!fp_buffer)\n\t\tgoto fail;\n\n\tp = fp_buffer;\n\n\tfor (i = 0; i < (fp_len - 1); i++)\n\t{\n\t\tsprintf_s(p, (fp_len - i) * 3, \"%02\" PRIx8 \":\", fp[i]);\n\t\tp = &fp_buffer[(i + 1) * 3];\n\t}\n\n\tsprintf_s(p, (fp_len - i) * 3, \"%02\" PRIx8 \"\", fp[i]);\nfail:\n\tfree(fp);\n\n\treturn fp_buffer;\n}", "project": "FreeRDP", "hash": 137722397787957957021174819917513700282, "size": 29, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473456 }, { "func": "char* crypto_cert_fingerprint(X509* xcert)\n{\n\treturn crypto_cert_fingerprint_by_hash(xcert, \"sha256\");\n}", "project": "FreeRDP", "hash": 115650122252764947943603801708902861010, "size": 4, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473462 }, { "func": "static int verify_cb(int ok, X509_STORE_CTX* csc)\n{\n\tif (ok != 1)\n\t{\n\t\tint err = X509_STORE_CTX_get_error(csc);\n\t\tint derr = X509_STORE_CTX_get_error_depth(csc);\n\t\tX509* where = X509_STORE_CTX_get_current_cert(csc);\n\t\tconst char* what = X509_verify_cert_error_string(err);\n\t\tchar* name = crypto_cert_subject(where);\n\n\t\tWLog_WARN(TAG, \"Certificate verification failure '%s (%d)' at stack position %d\", what, err,\n\t\t derr);\n\t\tWLog_WARN(TAG, \"%s\", name);\n\n\t\tfree(name);\n\t}\n\treturn ok;\n}", "project": "FreeRDP", "hash": 75265801506247543146779012995879849204, "size": 18, "commit_id": 
"8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473427 }, { "func": "void crypto_cert_print_info(X509* xcert)\n{\n\tchar* fp;\n\tchar* issuer;\n\tchar* subject;\n\tsubject = crypto_cert_subject(xcert);\n\tissuer = crypto_cert_issuer(xcert);\n\tfp = crypto_cert_fingerprint(xcert);\n\n\tif (!fp)\n\t{\n\t\tWLog_ERR(TAG, \"error computing fingerprint\");\n\t\tgoto out_free_issuer;\n\t}\n\n\tWLog_INFO(TAG, \"Certificate details:\");\n\tWLog_INFO(TAG, \"\\tSubject: %s\", subject);\n\tWLog_INFO(TAG, \"\\tIssuer: %s\", issuer);\n\tWLog_INFO(TAG, \"\\tThumbprint: %s\", fp);\n\tWLog_INFO(TAG,\n\t \"The above X.509 certificate could not be verified, possibly because you do not have \"\n\t \"the CA certificate in your certificate store, or the certificate has expired. \"\n\t \"Please look at the OpenSSL documentation on how to add a private CA to the store.\");\n\tfree(fp);\nout_free_issuer:\n\tfree(issuer);\n\tfree(subject);\n}", "project": "FreeRDP", "hash": 64076208521481089131010558823372035251, "size": 28, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473432 }, { "func": "char* crypto_cert_subject(X509* xcert)\n{\n\treturn crypto_print_name(X509_get_subject_name(xcert));\n}", "project": "FreeRDP", "hash": 177180604460491566370377171358096486095, "size": 4, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473454 }, { "func": "rdpCertificateData* crypto_get_certificate_data(X509* xcert, const char* hostname, UINT16 port)\n{\n\tchar* issuer;\n\tchar* subject;\n\tchar* 
fp;\n\trdpCertificateData* certdata;\n\tfp = crypto_cert_fingerprint(xcert);\n\n\tif (!fp)\n\t\treturn NULL;\n\n\tissuer = crypto_cert_issuer(xcert);\n\tsubject = crypto_cert_subject(xcert);\n\tcertdata = certificate_data_new(hostname, port, issuer, subject, fp);\n\tfree(subject);\n\tfree(issuer);\n\tfree(fp);\n\treturn certdata;\n}", "project": "FreeRDP", "hash": 170554719668291881438898249097327745004, "size": 19, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473455 }, { "func": "BYTE* crypto_cert_hash(X509* xcert, const char* hash, UINT32* length)\n{\n\tUINT32 fp_len = EVP_MAX_MD_SIZE;\n\tBYTE* fp;\n\tconst EVP_MD* md = EVP_get_digestbyname(hash);\n\tif (!md)\n\t\treturn NULL;\n\tif (!length)\n\t\treturn NULL;\n\tif (!xcert)\n\t\treturn NULL;\n\n\tfp = calloc(fp_len, sizeof(BYTE));\n\tif (!fp)\n\t\treturn NULL;\n\n\tif (X509_digest(xcert, md, fp, &fp_len) != 1)\n\t{\n\t\tfree(fp);\n\t\treturn NULL;\n\t}\n\n\t*length = fp_len;\n\treturn fp;\n}", "project": "FreeRDP", "hash": 258407869867369743474326334091914072928, "size": 25, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473451 }, { "func": "static char* crypto_print_name(X509_NAME* name)\n{\n\tchar* buffer = NULL;\n\tBIO* outBIO = BIO_new(BIO_s_mem());\n\n\tif (X509_NAME_print_ex(outBIO, name, 0, XN_FLAG_ONELINE) > 0)\n\t{\n\t\tunsigned long size = BIO_number_written(outBIO);\n\t\tbuffer = calloc(1, size + 1);\n\n\t\tif (!buffer)\n\t\t\treturn NULL;\n\n\t\tBIO_read(outBIO, buffer, size);\n\t}\n\n\tBIO_free_all(outBIO);\n\treturn buffer;\n}", "project": "FreeRDP", "hash": 89260255256165807681288006501973762861, "size": 19, "commit_id": 
"8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473437 } ] }, { "call_depth": 2, "longest_call_chain": [ "dlpar_sysfs_init", "dlpar_workqueue_init" ], "group_size": 2, "functions": [ { "func": "static int __init dlpar_sysfs_init(void)\n{\n\tint rc;\n\n\trc = dlpar_workqueue_init();\n\tif (rc)\n\t\treturn rc;\n\n\treturn sysfs_create_file(kernel_kobj, &class_attr_dlpar.attr);\n}", "project": "linux", "hash": 209788643476034665718452243613347975618, "size": 10, "commit_id": "efa9ace68e487ddd29c2b4d6dd23242158f1f607", "message": "powerpc/pseries/dlpar: Fix a missing check in dlpar_parse_cc_property()\n\nIn dlpar_parse_cc_property(), 'prop->name' is allocated by kstrdup().\nkstrdup() may return NULL, so it should be checked and handle error.\nAnd prop should be freed if 'prop->name' is NULL.\n\nSigned-off-by: Gen Zhang \nSigned-off-by: Michael Ellerman ", "target": 0, "dataset": "other", "idx": 380139 }, { "func": "int __init dlpar_workqueue_init(void)\n{\n\tif (pseries_hp_wq)\n\t\treturn 0;\n\n\tpseries_hp_wq = alloc_workqueue(\"pseries hotplug workqueue\",\n\t\t\tWQ_UNBOUND, 1);\n\n\treturn pseries_hp_wq ? 
0 : -ENOMEM;\n}", "project": "linux", "hash": 49058453018835600520332409099580989527, "size": 10, "commit_id": "efa9ace68e487ddd29c2b4d6dd23242158f1f607", "message": "powerpc/pseries/dlpar: Fix a missing check in dlpar_parse_cc_property()\n\nIn dlpar_parse_cc_property(), 'prop->name' is allocated by kstrdup().\nkstrdup() may return NULL, so it should be checked and handle error.\nAnd prop should be freed if 'prop->name' is NULL.\n\nSigned-off-by: Gen Zhang \nSigned-off-by: Michael Ellerman ", "target": 0, "dataset": "other", "idx": 380146 } ] }, { "call_depth": 3, "longest_call_chain": [ "parallel_thread_func", "parallel_process_irp", "parallel_process_irp_close" ], "group_size": 8, "functions": [ { "func": "static UINT parallel_process_irp_device_control(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tStream_Write_UINT32(irp->output, 0); /* OutputBufferLength */\n\treturn irp->Complete(irp);\n}", "project": "FreeRDP", "hash": 50777945177459684828193623428436628095, "size": 5, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403463 }, { "func": "static UINT parallel_process_irp_close(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tif (close(parallel->file) < 0)\n\t{\n\t}\n\telse\n\t{\n\t}\n\n\tStream_Zero(irp->output, 5); /* Padding(5) */\n\treturn irp->Complete(irp);\n}", "project": "FreeRDP", "hash": 229960397322034469489633522376896104471, "size": 12, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403460 }, { "func": "static UINT parallel_process_irp_create(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tchar* path = NULL;\n\tint status;\n\tUINT32 PathLength;\n\tStream_Seek(irp->input, 28);\n\t/* DesiredAccess(4) AllocationSize(8), FileAttributes(4) */\n\t/* SharedAccess(4) CreateDisposition(4), CreateOptions(4) */\n\tStream_Read_UINT32(irp->input, 
PathLength);\n\tstatus = ConvertFromUnicode(CP_UTF8, 0, (WCHAR*)Stream_Pointer(irp->input), PathLength / 2,\n\t &path, 0, NULL, NULL);\n\n\tif (status < 1)\n\t\tif (!(path = (char*)calloc(1, 1)))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"calloc failed!\");\n\t\t\treturn CHANNEL_RC_NO_MEMORY;\n\t\t}\n\n\tparallel->id = irp->devman->id_sequence++;\n\tparallel->file = open(parallel->path, O_RDWR);\n\n\tif (parallel->file < 0)\n\t{\n\t\tirp->IoStatus = STATUS_ACCESS_DENIED;\n\t\tparallel->id = 0;\n\t}\n\telse\n\t{\n\t\t/* all read and write operations should be non-blocking */\n\t\tif (fcntl(parallel->file, F_SETFL, O_NONBLOCK) == -1)\n\t\t{\n\t\t}\n\t}\n\n\tStream_Write_UINT32(irp->output, parallel->id);\n\tStream_Write_UINT8(irp->output, 0);\n\tfree(path);\n\treturn irp->Complete(irp);\n}", "project": "FreeRDP", "hash": 91654068438972054959889615095747233707, "size": 40, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 1, "dataset": "other", "idx": 207960 }, { "func": "static UINT parallel_process_irp_create(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tchar* path = NULL;\n\tint status;\n\tWCHAR* ptr;\n\tUINT32 PathLength;\n\tif (!Stream_SafeSeek(irp->input, 28))\n\t\treturn ERROR_INVALID_DATA;\n\t/* DesiredAccess(4) AllocationSize(8), FileAttributes(4) */\n\t/* SharedAccess(4) CreateDisposition(4), CreateOptions(4) */\n\tif (Stream_GetRemainingLength(irp->input) < 4)\n\t\treturn ERROR_INVALID_DATA;\n\tStream_Read_UINT32(irp->input, PathLength);\n\tptr = (WCHAR*)Stream_Pointer(irp->input);\n\tif (!Stream_SafeSeek(irp->input, PathLength))\n\t\treturn ERROR_INVALID_DATA;\n\tstatus = ConvertFromUnicode(CP_UTF8, 0, ptr, PathLength / 2, &path, 0, NULL, NULL);\n\n\tif (status < 1)\n\t\tif (!(path = (char*)calloc(1, 1)))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"calloc failed!\");\n\t\t\treturn CHANNEL_RC_NO_MEMORY;\n\t\t}\n\n\tparallel->id = irp->devman->id_sequence++;\n\tparallel->file = open(parallel->path, 
O_RDWR);\n\n\tif (parallel->file < 0)\n\t{\n\t\tirp->IoStatus = STATUS_ACCESS_DENIED;\n\t\tparallel->id = 0;\n\t}\n\telse\n\t{\n\t\t/* all read and write operations should be non-blocking */\n\t\tif (fcntl(parallel->file, F_SETFL, O_NONBLOCK) == -1)\n\t\t{\n\t\t}\n\t}\n\n\tStream_Write_UINT32(irp->output, parallel->id);\n\tStream_Write_UINT8(irp->output, 0);\n\tfree(path);\n\treturn irp->Complete(irp);\n}", "project": "FreeRDP", "hash": 213401734041482676778583216895571372326, "size": 46, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403469 }, { "func": "static UINT parallel_process_irp_write(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tUINT32 len;\n\tUINT32 Length;\n\tUINT64 Offset;\n\tssize_t status;\n\tvoid* ptr;\n\tif (Stream_GetRemainingLength(irp->input) > 12)\n\t\treturn ERROR_INVALID_DATA;\n\n\tStream_Read_UINT32(irp->input, Length);\n\tStream_Read_UINT64(irp->input, Offset);\n\tif (!Stream_SafeSeek(irp->input, 20)) /* Padding */\n\t\treturn ERROR_INVALID_DATA;\n\tptr = Stream_Pointer(irp->input);\n\tif (!Stream_SafeSeek(irp->input, Length))\n\t\treturn ERROR_INVALID_DATA;\n\tlen = Length;\n\n\twhile (len > 0)\n\t{\n\t\tstatus = write(parallel->file, ptr, len);\n\n\t\tif (status < 0)\n\t\t{\n\t\t\tirp->IoStatus = STATUS_UNSUCCESSFUL;\n\t\t\tLength = 0;\n\t\t\tbreak;\n\t\t}\n\n\t\tStream_Seek(irp->input, status);\n\t\tlen -= status;\n\t}\n\n\tStream_Write_UINT32(irp->output, Length);\n\tStream_Write_UINT8(irp->output, 0); /* Padding */\n\treturn irp->Complete(irp);\n}", "project": "FreeRDP", "hash": 124029001936116716333431833342807537455, "size": 38, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403462 }, { "func": "static DWORD WINAPI parallel_thread_func(LPVOID arg)\n{\n\tIRP* irp;\n\twMessage message;\n\tPARALLEL_DEVICE* parallel = 
(PARALLEL_DEVICE*)arg;\n\tUINT error = CHANNEL_RC_OK;\n\n\twhile (1)\n\t{\n\t\tif (!MessageQueue_Wait(parallel->queue))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"MessageQueue_Wait failed!\");\n\t\t\terror = ERROR_INTERNAL_ERROR;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (!MessageQueue_Peek(parallel->queue, &message, TRUE))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"MessageQueue_Peek failed!\");\n\t\t\terror = ERROR_INTERNAL_ERROR;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (message.id == WMQ_QUIT)\n\t\t\tbreak;\n\n\t\tirp = (IRP*)message.wParam;\n\n\t\tif ((error = parallel_process_irp(parallel, irp)))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"parallel_process_irp failed with error %\" PRIu32 \"!\", error);\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (error && parallel->rdpcontext)\n\t\tsetChannelError(parallel->rdpcontext, error, \"parallel_thread_func reported an error\");\n\n\tExitThread(error);\n\treturn error;\n}", "project": "FreeRDP", "hash": 175202737362833470892243463098338728512, "size": 41, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403464 }, { "func": "static UINT parallel_process_irp(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tUINT error;\n\n\tswitch (irp->MajorFunction)\n\t{\n\t\tcase IRP_MJ_CREATE:\n\t\t\tif ((error = parallel_process_irp_create(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_create failed with error %\" PRIu32 \"!\", error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tcase IRP_MJ_CLOSE:\n\t\t\tif ((error = parallel_process_irp_close(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_close failed with error %\" PRIu32 \"!\", error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tcase IRP_MJ_READ:\n\t\t\tif ((error = parallel_process_irp_read(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_read failed with error %\" PRIu32 \"!\", error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tcase 
IRP_MJ_WRITE:\n\t\t\tif ((error = parallel_process_irp_write(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_write failed with error %\" PRIu32 \"!\", error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tcase IRP_MJ_DEVICE_CONTROL:\n\t\t\tif ((error = parallel_process_irp_device_control(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_device_control failed with error %\" PRIu32 \"!\",\n\t\t\t\t error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tirp->IoStatus = STATUS_NOT_SUPPORTED;\n\t\t\treturn irp->Complete(irp);\n\t\t\tbreak;\n\t}\n\n\treturn CHANNEL_RC_OK;\n}", "project": "FreeRDP", "hash": 152328085319883643300033889459899429830, "size": 60, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403465 }, { "func": "static UINT parallel_process_irp_read(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tUINT32 Length;\n\tUINT64 Offset;\n\tssize_t status;\n\tBYTE* buffer = NULL;\n\tif (Stream_GetRemainingLength(irp->input) < 12)\n\t\treturn ERROR_INVALID_DATA;\n\tStream_Read_UINT32(irp->input, Length);\n\tStream_Read_UINT64(irp->input, Offset);\n\tbuffer = (BYTE*)malloc(Length);\n\n\tif (!buffer)\n\t{\n\t\tWLog_ERR(TAG, \"malloc failed!\");\n\t\treturn CHANNEL_RC_NO_MEMORY;\n\t}\n\n\tstatus = read(parallel->file, buffer, Length);\n\n\tif (status < 0)\n\t{\n\t\tirp->IoStatus = STATUS_UNSUCCESSFUL;\n\t\tfree(buffer);\n\t\tbuffer = NULL;\n\t\tLength = 0;\n\t}\n\telse\n\t{\n\t}\n\n\tStream_Write_UINT32(irp->output, Length);\n\n\tif (Length > 0)\n\t{\n\t\tif (!Stream_EnsureRemainingCapacity(irp->output, Length))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"Stream_EnsureRemainingCapacity failed!\");\n\t\t\tfree(buffer);\n\t\t\treturn CHANNEL_RC_NO_MEMORY;\n\t\t}\n\n\t\tStream_Write(irp->output, buffer, Length);\n\t}\n\n\tfree(buffer);\n\treturn irp->Complete(irp);\n}", "project": "FreeRDP", "hash": 
325410391065857413900691400019655670752, "size": 48, "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7", "message": "Fixed oob read in parallel_process_irp_create", "target": 0, "dataset": "other", "idx": 403468 } ] }, { "call_depth": 3, "longest_call_chain": [ "rsi_indicate_pkt_to_os", "rsi_fill_rx_status", "rsi_is_cipher_wep" ], "group_size": 4, "functions": [ { "func": "static void rsi_perform_cqm(struct rsi_common *common,\n\t\t\t u8 *bssid,\n\t\t\t s8 rssi,\n\t\t\t struct ieee80211_vif *vif)\n{\n\ts8 last_event = common->cqm_info.last_cqm_event_rssi;\n\tint thold = common->cqm_info.rssi_thold;\n\tu32 hyst = common->cqm_info.rssi_hyst;\n\tenum nl80211_cqm_rssi_threshold_event event;\n\n\tif (rssi < thold && (last_event == 0 || rssi < (last_event - hyst)))\n\t\tevent = NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW;\n\telse if (rssi > thold &&\n\t\t (last_event == 0 || rssi > (last_event + hyst)))\n\t\tevent = NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH;\n\telse\n\t\treturn;\n\n\tcommon->cqm_info.last_cqm_event_rssi = rssi;\n\trsi_dbg(INFO_ZONE, \"CQM: Notifying event: %d\\n\", event);\n\tieee80211_cqm_rssi_notify(vif, event, rssi, GFP_KERNEL);\n\n\treturn;\n}", "project": "linux", "hash": 114860442925680819795552771010927514880, "size": 24, "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8", "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. 
So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri \nSigned-off-by: Sushant Kumar Mishra \nSigned-off-by: Kalle Valo ", "target": 0, "dataset": "other", "idx": 461645 }, { "func": "bool rsi_is_cipher_wep(struct rsi_common *common)\n{\n\tif (((common->secinfo.gtk_cipher == WLAN_CIPHER_SUITE_WEP104) ||\n\t (common->secinfo.gtk_cipher == WLAN_CIPHER_SUITE_WEP40)) &&\n\t (!common->secinfo.ptk_cipher))\n\t\treturn true;\n\telse\n\t\treturn false;\n}", "project": "linux", "hash": 338508583178677526423454936430516132884, "size": 9, "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8", "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri \nSigned-off-by: Sushant Kumar Mishra \nSigned-off-by: Kalle Valo ", "target": 0, "dataset": "other", "idx": 461648 }, { "func": "static void rsi_fill_rx_status(struct ieee80211_hw *hw,\n\t\t\t struct sk_buff *skb,\n\t\t\t struct rsi_common *common,\n\t\t\t struct ieee80211_rx_status *rxs)\n{\n\tstruct rsi_hw *adapter = common->priv;\n\tstruct ieee80211_vif *vif;\n\tstruct ieee80211_bss_conf *bss = NULL;\n\tstruct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);\n\tstruct skb_info *rx_params = (struct skb_info *)info->driver_data;\n\tstruct ieee80211_hdr *hdr;\n\tchar rssi = rx_params->rssi;\n\tu8 hdrlen = 0;\n\tu8 channel = rx_params->channel;\n\ts32 freq;\n\tint i;\n\n\thdr = ((struct ieee80211_hdr *)(skb->data));\n\thdrlen = ieee80211_hdrlen(hdr->frame_control);\n\n\tmemset(info, 0, sizeof(struct ieee80211_tx_info));\n\n\trxs->signal = -(rssi);\n\n\trxs->band = common->band;\n\n\tfreq = ieee80211_channel_to_frequency(channel, rxs->band);\n\n\tif (freq)\n\t\trxs->freq = freq;\n\n\tif 
(ieee80211_has_protected(hdr->frame_control)) {\n\t\tif (rsi_is_cipher_wep(common)) {\n\t\t\tmemmove(skb->data + 4, skb->data, hdrlen);\n\t\t\tskb_pull(skb, 4);\n\t\t} else {\n\t\t\tmemmove(skb->data + 8, skb->data, hdrlen);\n\t\t\tskb_pull(skb, 8);\n\t\t\trxs->flag |= RX_FLAG_MMIC_STRIPPED;\n\t\t}\n\t\trxs->flag |= RX_FLAG_DECRYPTED;\n\t\trxs->flag |= RX_FLAG_IV_STRIPPED;\n\t}\n\n\tfor (i = 0; i < RSI_MAX_VIFS; i++) {\n\t\tvif = adapter->vifs[i];\n\t\tif (!vif)\n\t\t\tcontinue;\n\t\tif (vif->type == NL80211_IFTYPE_STATION) {\n\t\t\tbss = &vif->bss_conf;\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (!bss)\n\t\treturn;\n\t/* CQM only for connected AP beacons, the RSSI is a weighted avg */\n\tif (bss->assoc && !(memcmp(bss->bssid, hdr->addr2, ETH_ALEN))) {\n\t\tif (ieee80211_is_beacon(hdr->frame_control))\n\t\t\trsi_perform_cqm(common, hdr->addr2, rxs->signal, vif);\n\t}\n\n\treturn;\n}", "project": "linux", "hash": 233364692912996660136397716324401509067, "size": 63, "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8", "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. 
So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri \nSigned-off-by: Sushant Kumar Mishra \nSigned-off-by: Kalle Valo ", "target": 0, "dataset": "other", "idx": 461634 }, { "func": "void rsi_indicate_pkt_to_os(struct rsi_common *common,\n\t\t\t struct sk_buff *skb)\n{\n\tstruct rsi_hw *adapter = common->priv;\n\tstruct ieee80211_hw *hw = adapter->hw;\n\tstruct ieee80211_rx_status *rx_status = IEEE80211_SKB_RXCB(skb);\n\n\tif ((common->iface_down) || (!adapter->sc_nvifs)) {\n\t\tdev_kfree_skb(skb);\n\t\treturn;\n\t}\n\n\t/* filling in the ieee80211_rx_status flags */\n\trsi_fill_rx_status(hw, skb, common, rx_status);\n\n\tieee80211_rx_irqsafe(hw, skb);\n}", "project": "linux", "hash": 258292985604746670436233766317101138975, "size": 17, "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8", "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. 
So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri \nSigned-off-by: Sushant Kumar Mishra \nSigned-off-by: Kalle Valo ", "target": 0, "dataset": "other", "idx": 461655 } ] }, { "call_depth": 5, "longest_call_chain": [ "usb_host_handle_packet", "do_token_setup", "usb_host_handle_control", "usb_host_set_interface", "ctrl_error" ], "group_size": 24, "functions": [ { "func": "static int usb_linux_update_endp_table(USBHostDevice *s)\n{\n uint8_t *descriptors;\n uint8_t devep, type, configuration, alt_interface;\n struct usb_ctrltransfer ct;\n int interface, ret, length, i;\n\n ct.bRequestType = USB_DIR_IN;\n ct.bRequest = USB_REQ_GET_CONFIGURATION;\n ct.wValue = 0;\n ct.wIndex = 0;\n ct.wLength = 1;\n ct.data = &configuration;\n ct.timeout = 50;\n\n ret = ioctl(s->fd, USBDEVFS_CONTROL, &ct);\n if (ret < 0) {\n perror(\"usb_linux_update_endp_table\");\n return 1;\n }\n\n /* in address state */\n if (configuration == 0)\n return 1;\n\n /* get the desired configuration, interface, and endpoint descriptors\n * from device description */\n descriptors = &s->descr[18];\n length = s->descr_len - 18;\n i = 0;\n\n if (descriptors[i + 1] != USB_DT_CONFIG ||\n descriptors[i + 5] != configuration) {\n dprintf(\"invalid descriptor data - configuration\\n\");\n return 1;\n }\n i += descriptors[i];\n\n while (i < length) {\n if (descriptors[i + 1] != USB_DT_INTERFACE ||\n (descriptors[i + 1] == USB_DT_INTERFACE &&\n descriptors[i + 4] == 0)) {\n i += descriptors[i];\n continue;\n }\n\n interface = descriptors[i + 2];\n\n ct.bRequestType = USB_DIR_IN | USB_RECIP_INTERFACE;\n ct.bRequest = USB_REQ_GET_INTERFACE;\n ct.wValue = 0;\n ct.wIndex = interface;\n ct.wLength = 1;\n ct.data = &alt_interface;\n ct.timeout = 50;\n\n ret = ioctl(s->fd, USBDEVFS_CONTROL, &ct);\n if (ret < 0) {\n alt_interface = interface;\n }\n\n /* the current interface descriptor is the active interface\n * and has endpoints */\n if (descriptors[i + 3] != alt_interface) 
{\n i += descriptors[i];\n continue;\n }\n\n /* advance to the endpoints */\n while (i < length && descriptors[i +1] != USB_DT_ENDPOINT)\n i += descriptors[i];\n\n if (i >= length)\n break;\n\n while (i < length) {\n if (descriptors[i + 1] != USB_DT_ENDPOINT)\n break;\n\n devep = descriptors[i + 2];\n switch (descriptors[i + 3] & 0x3) {\n case 0x00:\n type = USBDEVFS_URB_TYPE_CONTROL;\n break;\n case 0x01:\n type = USBDEVFS_URB_TYPE_ISO;\n break;\n case 0x02:\n type = USBDEVFS_URB_TYPE_BULK;\n break;\n case 0x03:\n type = USBDEVFS_URB_TYPE_INTERRUPT;\n break;\n default:\n dprintf(\"usb_host: malformed endpoint type\\n\");\n type = USBDEVFS_URB_TYPE_BULK;\n }\n s->endp_table[(devep & 0xf) - 1].type = type;\n s->endp_table[(devep & 0xf) - 1].halted = 0;\n\n i += descriptors[i];\n }\n }\n return 0;\n}", "project": "qemu", "hash": 294133560509132520784444631812479704822, "size": 105, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346310 }, { "func": "static int usb_host_claim_interfaces(USBHostDevice *dev, int configuration)\n{\n int dev_descr_len, config_descr_len;\n int interface, nb_interfaces, nb_configurations;\n int ret, i;\n\n if (configuration == 0) /* address state - ignore */\n return 1;\n\n dprintf(\"husb: claiming interfaces. config %d\\n\", configuration);\n\n i = 0;\n dev_descr_len = dev->descr[0];\n if (dev_descr_len > dev->descr_len)\n goto fail;\n nb_configurations = dev->descr[17];\n\n i += dev_descr_len;\n while (i < dev->descr_len) {\n dprintf(\"husb: i is %d, descr_len is %d, dl %d, dt %d\\n\", i, dev->descr_len,\n dev->descr[i], dev->descr[i+1]);\n\n if (dev->descr[i+1] != USB_DT_CONFIG) {\n i += dev->descr[i];\n continue;\n }\n config_descr_len = dev->descr[i];\n\n\tprintf(\"husb: config #%d need %d\\n\", dev->descr[i + 5], configuration); \n\n if (configuration < 0 || configuration == dev->descr[i + 5]) {\n configuration = dev->descr[i + 5];\n break;\n }\n\n i += config_descr_len;\n }\n\n if (i >= dev->descr_len) {\n fprintf(stderr, \"husb: update iface failed. 
no matching configuration\\n\");\n goto fail;\n }\n nb_interfaces = dev->descr[i + 4];\n\n#ifdef USBDEVFS_DISCONNECT\n /* earlier Linux 2.4 do not support that */\n {\n struct usbdevfs_ioctl ctrl;\n for (interface = 0; interface < nb_interfaces; interface++) {\n ctrl.ioctl_code = USBDEVFS_DISCONNECT;\n ctrl.ifno = interface;\n ret = ioctl(dev->fd, USBDEVFS_IOCTL, &ctrl);\n if (ret < 0 && errno != ENODATA) {\n perror(\"USBDEVFS_DISCONNECT\");\n goto fail;\n }\n }\n }\n#endif\n\n /* XXX: only grab if all interfaces are free */\n for (interface = 0; interface < nb_interfaces; interface++) {\n ret = ioctl(dev->fd, USBDEVFS_CLAIMINTERFACE, &interface);\n if (ret < 0) {\n if (errno == EBUSY) {\n printf(\"husb: update iface. device already grabbed\\n\");\n } else {\n perror(\"husb: failed to claim interface\");\n }\n fail:\n return 0;\n }\n }\n\n printf(\"husb: %d interfaces claimed for configuration %d\\n\",\n nb_interfaces, configuration);\n\n dev->ninterfaces = nb_interfaces;\n dev->configuration = configuration;\n return 1;\n}", "project": "qemu", "hash": 153735582378435081792665043612689386780, "size": 81, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346283 }, { "func": "static void set_halt(USBHostDevice *s, int ep)\n{\n s->endp_table[ep - 1].halted = 1;\n}", "project": "qemu", "hash": 247708798741636311330547718736677043664, "size": 4, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346295 }, { "func": "static int usb_host_handle_packet(USBDevice *s, USBPacket *p)\n{\n switch(p->pid) {\n case USB_MSG_ATTACH:\n s->state = USB_STATE_ATTACHED;\n return 0;\n\n case USB_MSG_DETACH:\n s->state = USB_STATE_NOTATTACHED;\n return 0;\n\n case USB_MSG_RESET:\n s->remote_wakeup = 0;\n s->addr = 0;\n s->state = USB_STATE_DEFAULT;\n s->handle_reset(s);\n return 0;\n }\n\n /* Rest of the PIDs must match our address */\n if (s->state < USB_STATE_DEFAULT || p->devaddr != s->addr)\n return USB_RET_NODEV;\n\n switch (p->pid) {\n case USB_TOKEN_SETUP:\n return do_token_setup(s, p);\n\n case USB_TOKEN_IN:\n return do_token_in(s, p);\n\n case USB_TOKEN_OUT:\n return do_token_out(s, p);\n \n default:\n return USB_RET_STALL;\n }\n}", "project": "qemu", "hash": 337945081411076701300585326701484725167, "size": 37, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346317 }, { "func": "static int do_token_setup(USBDevice *dev, USBPacket *p)\n{\n USBHostDevice *s = (USBHostDevice *) dev;\n int ret = 0;\n\n if (p->len != 8)\n return USB_RET_STALL;\n \n memcpy(&s->ctrl.req, p->data, 8);\n s->ctrl.len = le16_to_cpu(s->ctrl.req.wLength);\n s->ctrl.offset = 0;\n s->ctrl.state = CTRL_STATE_SETUP;\n\n if (s->ctrl.req.bRequestType & USB_DIR_IN) {\n ret = usb_host_handle_control(s, p);\n if (ret < 0)\n return ret;\n\n if (ret < s->ctrl.len)\n s->ctrl.len = ret;\n s->ctrl.state = CTRL_STATE_DATA;\n } else {\n if (s->ctrl.len == 0)\n s->ctrl.state = CTRL_STATE_ACK;\n else\n s->ctrl.state = CTRL_STATE_DATA;\n }\n\n return ret;\n}", "project": "qemu", "hash": 183077943275491077374975960370940318614, "size": 30, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346300 }, { "func": "static void async_complete(void *opaque)\n{\n USBHostDevice *s = opaque;\n AsyncURB *aurb;\n\n while (1) {\n \tUSBPacket *p;\n\n\tint r = ioctl(s->fd, USBDEVFS_REAPURBNDELAY, &aurb);\n if (r < 0) {\n if (errno == EAGAIN)\n return;\n\n if (errno == ENODEV && !s->closing) {\n printf(\"husb: device %d.%d disconnected\\n\", s->bus_num, s->addr);\n\t usb_device_del_addr(0, s->dev.addr);\n return;\n }\n\n dprintf(\"husb: async. reap urb failed errno %d\\n\", errno);\n return;\n }\n\n p = aurb->packet;\n\n\tdprintf(\"husb: async completed. aurb %p status %d alen %d\\n\", \n aurb, aurb->urb.status, aurb->urb.actual_length);\n\n\tif (p) {\n switch (aurb->urb.status) {\n case 0:\n p->len = aurb->urb.actual_length;\n if (aurb->urb.type == USBDEVFS_URB_TYPE_CONTROL)\n async_complete_ctrl(s, p);\n break;\n\n case -EPIPE:\n set_halt(s, p->devep);\n /* fall through */\n default:\n p->len = USB_RET_NAK;\n break;\n }\n\n usb_packet_complete(p);\n\t}\n\n async_free(aurb);\n }\n}", "project": "qemu", "hash": 307285342249293311693830213041718549309, "size": 50, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346323 }, { "func": "static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)\n{\n struct usbdevfs_urb *urb;\n AsyncURB *aurb;\n int ret, value, index;\n\n /* \n * Process certain standard device requests.\n * These are infrequent and are processed synchronously.\n */\n value = le16_to_cpu(s->ctrl.req.wValue);\n index = le16_to_cpu(s->ctrl.req.wIndex);\n\n dprintf(\"husb: ctrl type 0x%x req 0x%x val 0x%x index %u len %u\\n\",\n s->ctrl.req.bRequestType, s->ctrl.req.bRequest, value, index, \n s->ctrl.len);\n\n if (s->ctrl.req.bRequestType == 0) {\n switch (s->ctrl.req.bRequest) {\n case USB_REQ_SET_ADDRESS:\n return usb_host_set_address(s, value);\n\n case USB_REQ_SET_CONFIGURATION:\n return usb_host_set_config(s, value & 0xff);\n }\n }\n\n if (s->ctrl.req.bRequestType == 1 &&\n s->ctrl.req.bRequest == USB_REQ_SET_INTERFACE)\n return usb_host_set_interface(s, index, value);\n\n /* The rest are asynchronous */\n\n aurb = async_alloc();\n aurb->hdev = s;\n aurb->packet = p;\n\n /* \n * Setup ctrl transfer.\n *\n * s->ctrl is layed out such that data buffer immediately follows\n * 'req' struct which is exactly what usbdevfs expects.\n */ \n urb = &aurb->urb;\n\n urb->type = USBDEVFS_URB_TYPE_CONTROL;\n urb->endpoint = p->devep;\n\n urb->buffer = &s->ctrl.req;\n urb->buffer_length = 8 + s->ctrl.len;\n\n urb->usercontext = s;\n\n 
ret = ioctl(s->fd, USBDEVFS_SUBMITURB, urb);\n\n dprintf(\"husb: submit ctrl. len %u aurb %p\\n\", urb->buffer_length, aurb);\n\n if (ret < 0) {\n dprintf(\"husb: submit failed. errno %d\\n\", errno);\n async_free(aurb);\n\n switch(errno) {\n case ETIMEDOUT:\n return USB_RET_NAK;\n case EPIPE:\n default:\n return USB_RET_STALL;\n }\n }\n\n usb_defer_packet(p, async_cancel, aurb);\n return USB_RET_ASYNC;\n}", "project": "qemu", "hash": 312416163750000928776897162836846138475, "size": 73, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 1, "dataset": "other", "idx": 203887 }, { "func": "static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)\n{\n struct usbdevfs_urb *urb;\n AsyncURB *aurb;\n int ret, value, index;\n int buffer_len;\n\n /* \n * Process certain standard device requests.\n * These are infrequent and are processed synchronously.\n */\n value = le16_to_cpu(s->ctrl.req.wValue);\n index = le16_to_cpu(s->ctrl.req.wIndex);\n\n dprintf(\"husb: ctrl type 0x%x req 0x%x val 0x%x index %u len %u\\n\",\n s->ctrl.req.bRequestType, s->ctrl.req.bRequest, value, index, \n s->ctrl.len);\n\n if (s->ctrl.req.bRequestType == 0) {\n switch (s->ctrl.req.bRequest) {\n case USB_REQ_SET_ADDRESS:\n return 
usb_host_set_address(s, value);\n\n case USB_REQ_SET_CONFIGURATION:\n return usb_host_set_config(s, value & 0xff);\n }\n }\n\n if (s->ctrl.req.bRequestType == 1 &&\n s->ctrl.req.bRequest == USB_REQ_SET_INTERFACE)\n return usb_host_set_interface(s, index, value);\n\n /* The rest are asynchronous */\n\n buffer_len = 8 + s->ctrl.len;\n if (buffer_len > sizeof(s->ctrl.buffer)) {\n\t fprintf(stderr, \"husb: ctrl buffer too small (%u > %lu)\\n\",\n\t\t buffer_len, sizeof(s->ctrl.buffer));\n\t return USB_RET_STALL;\n }\n\n aurb = async_alloc();\n aurb->hdev = s;\n aurb->packet = p;\n\n /* \n * Setup ctrl transfer.\n *\n * s->ctrl is layed out such that data buffer immediately follows\n * 'req' struct which is exactly what usbdevfs expects.\n */ \n urb = &aurb->urb;\n\n urb->type = USBDEVFS_URB_TYPE_CONTROL;\n urb->endpoint = p->devep;\n\n urb->buffer = &s->ctrl.req;\n urb->buffer_length = buffer_len;\n\n urb->usercontext = s;\n\n ret = ioctl(s->fd, USBDEVFS_SUBMITURB, urb);\n\n dprintf(\"husb: submit ctrl. len %u aurb %p\\n\", urb->buffer_length, aurb);\n\n if (ret < 0) {\n dprintf(\"husb: submit failed. errno %d\\n\", errno);\n async_free(aurb);\n\n switch(errno) {\n case ETIMEDOUT:\n return USB_RET_NAK;\n case EPIPE:\n default:\n return USB_RET_STALL;\n }\n }\n\n usb_defer_packet(p, async_cancel, aurb);\n return USB_RET_ASYNC;\n}", "project": "qemu", "hash": 135771876040172573855391231658010318081, "size": 81, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346299 }, { "func": "static int usb_host_set_address(USBHostDevice *s, int addr)\n{\n dprintf(\"husb: ctrl set addr %u\\n\", addr);\n s->dev.addr = addr;\n return 0;\n}", "project": "qemu", "hash": 113370853030229899911807824336189717767, "size": 6, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346285 }, { "func": "static int is_isoc(USBHostDevice *s, int ep)\n{\n return s->endp_table[ep - 1].type == USBDEVFS_URB_TYPE_ISO;\n}", "project": "qemu", "hash": 245743564542705731360863902738396199787, "size": 4, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346309 }, { "func": "static void clear_halt(USBHostDevice *s, int ep)\n{\n s->endp_table[ep - 1].halted = 0;\n}", "project": "qemu", "hash": 155880021257183729490116277729697816473, "size": 4, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346297 }, { "func": "static int is_halted(USBHostDevice *s, int ep)\n{\n return s->endp_table[ep - 1].halted;\n}", "project": "qemu", "hash": 11767855805536563648164313742639211905, "size": 4, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346305 }, { "func": "static int ctrl_error(void)\n{\n if (errno == ETIMEDOUT)\n return USB_RET_NAK;\n else \n return USB_RET_STALL;\n}", "project": "qemu", "hash": 272773737625285826548635814501419541680, "size": 7, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346301 }, { "func": "static void async_free(AsyncURB *aurb)\n{\n qemu_free(aurb);\n}", "project": "qemu", "hash": 89699221103379724954608670537657524735, "size": 4, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346313 }, { "func": "static void usb_host_handle_reset(USBDevice *dev)\n{\n USBHostDevice *s = (USBHostDevice *) dev;\n\n dprintf(\"husb: reset device %u.%u\\n\", s->bus_num, s->addr);\n\n ioctl(s->fd, USBDEVFS_RESET);\n\n usb_host_claim_interfaces(s, s->configuration);\n}", "project": "qemu", "hash": 302977581251084120225864181457936049770, "size": 10, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346298 }, { "func": "static int usb_host_set_interface(USBHostDevice *s, int iface, int alt)\n{\n struct usbdevfs_setinterface si;\n int ret;\n\n si.interface = iface;\n si.altsetting = alt;\n ret = ioctl(s->fd, USBDEVFS_SETINTERFACE, &si);\n \n dprintf(\"husb: ctrl set iface %d altset %d ret %d errno %d\\n\", \n \tiface, alt, ret, errno);\n \n if (ret < 0)\n return ctrl_error();\n\n usb_linux_update_endp_table(s);\n return 0;\n}", "project": "qemu", "hash": 230817216566451332220731094414568773639, "size": 18, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346306 }, { "func": "static int do_token_in(USBDevice *dev, USBPacket *p)\n{\n USBHostDevice *s = (USBHostDevice *) dev;\n int ret = 0;\n\n if (p->devep != 0)\n return usb_host_handle_data(s, p);\n\n switch(s->ctrl.state) {\n case CTRL_STATE_ACK:\n if (!(s->ctrl.req.bRequestType & USB_DIR_IN)) {\n ret = usb_host_handle_control(s, p);\n if (ret == USB_RET_ASYNC)\n return USB_RET_ASYNC;\n\n s->ctrl.state = CTRL_STATE_IDLE;\n return ret > 0 ? 0 : ret;\n }\n\n return 0;\n\n case CTRL_STATE_DATA:\n if (s->ctrl.req.bRequestType & USB_DIR_IN) {\n int len = s->ctrl.len - s->ctrl.offset;\n if (len > p->len)\n len = p->len;\n memcpy(p->data, s->ctrl.buffer + s->ctrl.offset, len);\n s->ctrl.offset += len;\n if (s->ctrl.offset >= s->ctrl.len)\n s->ctrl.state = CTRL_STATE_ACK;\n return len;\n }\n\n s->ctrl.state = CTRL_STATE_IDLE;\n return USB_RET_STALL;\n\n default:\n return USB_RET_STALL;\n }\n}", "project": "qemu", "hash": 274624244059630894410186848673918387785, "size": 40, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346280 }, { "func": "static void async_complete_ctrl(USBHostDevice *s, USBPacket *p)\n{\n switch(s->ctrl.state) {\n case CTRL_STATE_SETUP:\n if (p->len < s->ctrl.len)\n s->ctrl.len = p->len;\n s->ctrl.state = CTRL_STATE_DATA;\n p->len = 8;\n break;\n\n case CTRL_STATE_ACK:\n s->ctrl.state = CTRL_STATE_IDLE;\n p->len = 0;\n break;\n\n default:\n break;\n }\n}", "project": "qemu", "hash": 87659848107630241316717948393842358765, "size": 19, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346321 }, { "func": "static int usb_host_release_interfaces(USBHostDevice *s)\n{\n int ret, i;\n\n dprintf(\"husb: releasing interfaces\\n\");\n\n for (i = 0; i < s->ninterfaces; i++) {\n ret = ioctl(s->fd, USBDEVFS_RELEASEINTERFACE, &i);\n if (ret < 0) {\n perror(\"husb: failed to release interface\");\n return 0;\n }\n }\n\n return 1;\n}", "project": "qemu", "hash": 265975219865408593507728601152949169306, "size": 16, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346312 }, { "func": "static void hostdev_unlink(USBHostDevice *dev)\n{\n USBHostDevice *pdev = hostdev_list;\n USBHostDevice **prev = &hostdev_list;\n\n while (pdev) {\n\tif (pdev == dev) {\n *prev = dev->next;\n return;\n }\n\n prev = &pdev->next;\n pdev = pdev->next;\n }\n}", "project": "qemu", "hash": 77907681220802418117040092144753015476, "size": 15, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346302 }, { "func": "static int usb_host_set_config(USBHostDevice *s, int config)\n{\n usb_host_release_interfaces(s);\n\n int ret = ioctl(s->fd, USBDEVFS_SETCONFIGURATION, &config);\n \n dprintf(\"husb: ctrl set config %d ret %d errno %d\\n\", config, ret, errno);\n \n if (ret < 0)\n return ctrl_error();\n \n usb_host_claim_interfaces(s, config);\n return 0;\n}", "project": "qemu", "hash": 77581754423656411130094475642397550764, "size": 14, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346294 }, { "func": "static int usb_host_handle_data(USBHostDevice *s, USBPacket *p)\n{\n struct usbdevfs_urb *urb;\n AsyncURB *aurb;\n int ret;\n\n aurb = async_alloc();\n aurb->hdev = s;\n aurb->packet = p;\n\n urb = &aurb->urb;\n\n if (p->pid == USB_TOKEN_IN)\n \turb->endpoint = p->devep | 0x80;\n else\n \turb->endpoint = p->devep;\n\n if (is_halted(s, p->devep)) {\n\tret = ioctl(s->fd, USBDEVFS_CLEAR_HALT, &urb->endpoint);\n if (ret < 0) {\n dprintf(\"husb: failed to clear halt. ep 0x%x errno %d\\n\", \n urb->endpoint, errno);\n return USB_RET_NAK;\n }\n clear_halt(s, p->devep);\n }\n\n urb->buffer = p->data;\n urb->buffer_length = p->len;\n\n if (is_isoc(s, p->devep)) {\n /* Setup ISOC transfer */\n urb->type = USBDEVFS_URB_TYPE_ISO;\n urb->flags = USBDEVFS_URB_ISO_ASAP;\n urb->number_of_packets = 1;\n urb->iso_frame_desc[0].length = p->len;\n } else {\n /* Setup bulk transfer */\n urb->type = USBDEVFS_URB_TYPE_BULK;\n }\n\n urb->usercontext = s;\n\n ret = ioctl(s->fd, USBDEVFS_SUBMITURB, urb);\n\n dprintf(\"husb: data submit. ep 0x%x len %u aurb %p\\n\", urb->endpoint, p->len, aurb);\n\n if (ret < 0) {\n dprintf(\"husb: submit failed. 
errno %d\\n\", errno);\n async_free(aurb);\n\n switch(errno) {\n case ETIMEDOUT:\n return USB_RET_NAK;\n case EPIPE:\n default:\n return USB_RET_STALL;\n }\n }\n\n usb_defer_packet(p, async_cancel, aurb);\n return USB_RET_ASYNC;\n}", "project": "qemu", "hash": 260559233680984221214785940519308902612, "size": 63, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346278 }, { "func": "static void usb_host_handle_destroy(USBDevice *dev)\n{\n USBHostDevice *s = (USBHostDevice *)dev;\n\n s->closing = 1;\n\n qemu_set_fd_handler(s->fd, NULL, NULL, NULL);\n\n hostdev_unlink(s);\n\n async_complete(s);\n\n if (s->fd >= 0)\n close(s->fd);\n\n qemu_free(s);\n}", "project": "qemu", "hash": 331783873263838536495355729159893109559, "size": 17, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346276 }, { "func": "static int do_token_out(USBDevice *dev, USBPacket *p)\n{\n USBHostDevice *s = (USBHostDevice *) dev;\n\n if (p->devep != 0)\n return usb_host_handle_data(s, p);\n\n switch(s->ctrl.state) {\n case CTRL_STATE_ACK:\n if (s->ctrl.req.bRequestType & USB_DIR_IN) {\n s->ctrl.state = CTRL_STATE_IDLE;\n /* transfer OK */\n } else {\n /* ignore additional output */\n }\n return 0;\n\n case CTRL_STATE_DATA:\n if (!(s->ctrl.req.bRequestType & USB_DIR_IN)) {\n int len = s->ctrl.len - s->ctrl.offset;\n if (len > p->len)\n len = p->len;\n memcpy(s->ctrl.buffer + s->ctrl.offset, p->data, len);\n s->ctrl.offset += len;\n if (s->ctrl.offset >= s->ctrl.len)\n s->ctrl.state = CTRL_STATE_ACK;\n return len;\n }\n\n s->ctrl.state = CTRL_STATE_IDLE;\n return USB_RET_STALL;\n\n default:\n return USB_RET_STALL;\n }\n}", "project": "qemu", "hash": 102876530187197055695706708439996412226, "size": 36, "commit_id": "babd03fde68093482528010a5435c14ce9128e3f", "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. 
However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris \nSigned-off-by: Anthony Liguori ", "target": 0, "dataset": "other", "idx": 346282 } ] }, { "call_depth": 7, "longest_call_chain": [ "yaffsfs_inode_walk", "yaffs_inode_lookup", "yaffs_make_unlinked", "yaffs_make_directory", "yaffs_is_version_allocated", "yaffscache_version_find_by_inode", "yaffscache_object_find" ], "group_size": 37, "functions": [ { "func": " yaffscache_object_add_version(YaffsCacheObject *obj, YaffsCacheChunk *chunk)\n{\n uint32_t ver_number;\n YaffsCacheChunk *header_chunk = NULL;\n YaffsCacheVersion *version;\n\n // Going to try ignoring unlinked/deleted headers (objID 3 and 4)\n if ((chunk->ycc_chunk_id == 0) && (chunk->ycc_parent_id != YAFFS_OBJECT_UNLINKED) \n &&(chunk->ycc_parent_id != YAFFS_OBJECT_DELETED)) {\n header_chunk = chunk;\n }\n\n /* If this is the second version (since last header_chunk is not NULL) and no\n * header was added, get rid of this incomplete old version -- can't be\n * reasonably recovered.\n *\n * TODO: These chunks are still in the structure and can be walked,\n * but I'm not sure how to represent this set of data chunks\n * with no metadata under TSK. This is rare and we don't have\n * a testcase for it now. Punting right now.\n *\n * Edit: Shouldn't get to this point anymore. 
Changes to \n * yaffscache_versions_insert_chunk make a version continue until it\n * has a header block.\n */\n if (obj->yco_latest != NULL) {\n if (obj->yco_latest->ycv_header_chunk == NULL) {\n YaffsCacheVersion *incomplete = obj->yco_latest;\n\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffscache_object_add_version: \"\n \"removed an incomplete first version (no header)\\n\");\n\n obj->yco_latest = obj->yco_latest->ycv_prior;\n free(incomplete);\n }\n }\n\n if (obj->yco_latest != NULL) {\n ver_number = obj->yco_latest->ycv_version + 1;\n\n /* Until a new header is given, use the last seen header. */\n if (header_chunk == NULL) {\n header_chunk = obj->yco_latest->ycv_header_chunk;\n\n // If we haven't seen a good header yet and we have a deleted/unlinked one, use it\n if((header_chunk == NULL) && (chunk->ycc_chunk_id == 0)){\n header_chunk = chunk;\n }\n }\n }\n else {\n ver_number = 1;\n }\n\n if ((version = (YaffsCacheVersion *) tsk_malloc(sizeof(YaffsCacheVersion))) == NULL) {\n return TSK_ERR;\n }\n\n version->ycv_prior = obj->yco_latest;\n version->ycv_version = ver_number;\n version->ycv_seq_number = chunk->ycc_seq_number;\n version->ycv_header_chunk = header_chunk;\n version->ycv_first_chunk = chunk;\n version->ycv_last_chunk = chunk;\n\n obj->yco_latest = version;\n\n return TSK_OK;\n}", "project": "sleuthkit", "hash": 20425647747851923940032979281485062881, "size": 70, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299160 }, { "func": " yaffs_dir_open_meta_cb(YaffsCacheObject * /*obj*/, YaffsCacheVersion *version, void *args) {\n dir_open_cb_args *cb_args = (dir_open_cb_args *) args;\n YaffsCacheChunk *chunk = version->ycv_header_chunk;\n TSK_INUM_T curr_inode = 0;\n uint32_t obj_id = chunk->ycc_obj_id;\n uint32_t chunk_id = 
chunk->ycc_chunk_id;\n uint32_t vnum = version->ycv_version;\n YaffsHeader *header = NULL;\n TSK_FS_NAME * fs_name;\n char *file_ext;\n char version_string[64]; // Allow a max of 64 bytes in the version string\n\n yaffscache_obj_id_and_version_to_inode(obj_id, vnum, &curr_inode);\n\n if (chunk_id != 0) {\n return TSK_ERR;\n }\n\n if (tsk_verbose)\n fprintf(stderr, \"dir_open_find_children_cb: %08\" PRIxINUM \" -> %08\" PRIx32 \":%d\\n\", cb_args->parent_addr, obj_id, vnum);\n\n\n if (yaffsfs_read_header(cb_args->yfs, &header, chunk->ycc_offset) != TSK_OK) {\n return TSK_ERR;\n }\n\n if ((fs_name = tsk_fs_name_alloc(YAFFSFS_MAXNAMLEN + 64, 0)) == NULL) {\n free(header);\n return TSK_ERR;\n }\n\n switch (obj_id) {\n case YAFFS_OBJECT_LOSTNFOUND:\n strncpy(fs_name->name, YAFFS_OBJECT_LOSTNFOUND_NAME,\n fs_name->name_size - 64);\n break;\n case YAFFS_OBJECT_UNLINKED:\n strncpy(fs_name->name, YAFFS_OBJECT_UNLINKED_NAME,\n fs_name->name_size - 64);\n break;\n case YAFFS_OBJECT_DELETED:\n strncpy(fs_name->name, YAFFS_OBJECT_DELETED_NAME,\n fs_name->name_size - 64);\n break;\n default:\n strncpy(fs_name->name, header->name, fs_name->name_size - 64);\n break;\n }\n fs_name->name[fs_name->name_size - 65] = 0;\n\n // Only put object/version string onto unallocated versions\n if(! yaffs_is_version_allocated(cb_args->yfs, curr_inode)){ \n // Also copy the extension so that it also shows up after the version string, which allows\n // easier searching by file extension. 
Max extension length is 5 characters after the dot,\n // and require at least one character before the dot\n file_ext = strrchr(fs_name->name, '.');\n if((file_ext != NULL) && (file_ext != fs_name->name) && (strlen(file_ext) < 7)){\n snprintf(version_string, 64, \"#%d,%d%s\", obj_id, vnum, file_ext);\n }\n else{\n snprintf(version_string, 64, \"#%d,%d\", obj_id, vnum);\n }\n strncat(fs_name->name, version_string, 64);\n fs_name->flags = TSK_FS_NAME_FLAG_UNALLOC;\n }\n else{\n fs_name->flags = TSK_FS_NAME_FLAG_ALLOC;\n }\n\n fs_name->meta_addr = curr_inode;\n\n switch (header->obj_type) {\n case YAFFS_TYPE_FILE:\n fs_name->type = TSK_FS_NAME_TYPE_REG;\n break;\n\n case YAFFS_TYPE_DIRECTORY:\n fs_name->type = TSK_FS_NAME_TYPE_DIR;\n break;\n\n case YAFFS_TYPE_SOFTLINK:\n case YAFFS_TYPE_HARDLINK:\n fs_name->type = TSK_FS_NAME_TYPE_LNK;\n break;\n\n case YAFFS_TYPE_SPECIAL:\n fs_name->type = TSK_FS_NAME_TYPE_UNDEF; // Could be a socket\n break;\n\n default:\n if (tsk_verbose)\n fprintf(stderr, \"yaffs_dir_open_meta_cb: unhandled object type\\n\");\n fs_name->type = TSK_FS_NAME_TYPE_UNDEF;\n break;\n }\n\n free(header);\n\n if (tsk_fs_dir_add(cb_args->dir, fs_name)) {\n tsk_fs_name_free(fs_name);\n return TSK_ERR;\n }\n\n /* A copy is made in tsk_fs_dir_add, so we can free this one */\n tsk_fs_name_free(fs_name);\n\n return TSK_OK;\n}", "project": "sleuthkit", "hash": 28148945869572850741677032501240108224, "size": 108, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299145 }, { "func": " yaffscache_versions_insert_chunk(YAFFSFS_INFO *yfs, YaffsCacheChunk *chunk)\n{\n YaffsCacheObject *obj;\n TSK_RETVAL_ENUM result;\n YaffsCacheVersion *version;\n\n // Building a list in yfs->cache_objects, sorted by obj_id\n result = 
yaffscache_object_find_or_add(yfs, chunk->ycc_obj_id, &obj);\n if (result != TSK_OK) {\n return TSK_ERR;\n }\n version = obj->yco_latest;\n\n /* First chunk in this object? */\n if (version == NULL) {\n yaffscache_object_add_version(obj, chunk);\n }\n else {\n /* Chunk in the same update? */\n if (chunk->ycc_seq_number == version->ycv_seq_number) {\n version->ycv_last_chunk = chunk;\n if ((chunk->ycc_chunk_id == 0) && (chunk->ycc_parent_id != YAFFS_OBJECT_UNLINKED) \n &&(chunk->ycc_parent_id != YAFFS_OBJECT_DELETED)) {\n version->ycv_header_chunk = chunk;\n }\n else if((chunk->ycc_chunk_id == 0) && (version->ycv_header_chunk == NULL)){\n version->ycv_header_chunk = chunk;\n }\n }\n // If there was no header for the last version, continue adding to it instead\n // of starting a new version. \n else if(version->ycv_header_chunk == NULL){\n version->ycv_seq_number = chunk->ycc_seq_number;\n version->ycv_last_chunk = chunk;\n if ((chunk->ycc_chunk_id == 0) && (chunk->ycc_parent_id != YAFFS_OBJECT_UNLINKED) \n &&(chunk->ycc_parent_id != YAFFS_OBJECT_DELETED)) {\n version->ycv_header_chunk = chunk;\n }\n else if((chunk->ycc_chunk_id == 0) && (version->ycv_header_chunk == NULL)){\n version->ycv_header_chunk = chunk;\n }\n }\n else if(chunk->ycc_chunk_id == 0){ // Directories only have a header block\n // If we're looking at a new version of a directory where the previous version had the same name, \n // leave everything in the same version. 
Multiple versions of the same directory aren't really giving us \n // any information.\n YaffsHeader * newHeader;\n yaffsfs_read_header(yfs, &newHeader, chunk->ycc_offset);\n if((newHeader != NULL) && (newHeader->obj_type == YAFFS_TYPE_DIRECTORY)){\n // Read in the old header\n YaffsHeader * oldHeader;\n yaffsfs_read_header(yfs, &oldHeader, version->ycv_header_chunk->ycc_offset);\n if((oldHeader != NULL) && (oldHeader->obj_type == YAFFS_TYPE_DIRECTORY) &&\n (0 == strncmp(oldHeader->name, newHeader->name, YAFFS_HEADER_NAME_LENGTH))){\n version->ycv_seq_number = chunk->ycc_seq_number;\n version->ycv_last_chunk = chunk;\n version->ycv_header_chunk = chunk;\n }\n else{\n // The older header either isn't a directory or it doesn't have the same name, so leave it\n // as its own version\n yaffscache_object_add_version(obj, chunk);\n }\n }\n else{\n // Not a directory\n yaffscache_object_add_version(obj, chunk);\n }\n }\n else{\n // Otherwise, add this chunk as the start of a new version\n yaffscache_object_add_version(obj, chunk);\n }\n }\n\n return TSK_OK;\n}", "project": "sleuthkit", "hash": 175166065106909605541266109814135299412, "size": 77, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299155 }, { "func": " yaffsfs_block_getflags(TSK_FS_INFO *fs, TSK_DADDR_T a_addr)\n{\n YAFFSFS_INFO *yfs = (YAFFSFS_INFO *)fs;\n TSK_FS_BLOCK_FLAG_ENUM flags = TSK_FS_BLOCK_FLAG_UNUSED;\n\n TSK_OFF_T offset = (a_addr * (fs->block_pre_size + fs->block_size + fs->block_post_size)) + yfs->page_size;\n YaffsSpare *spare = NULL;\n YaffsHeader *header = NULL;\n if (yaffsfs_read_spare(yfs, &spare, offset) != TSK_OK) {\n /* NOTE: Uh, how do we signal error? 
*/\n return flags;\n }\n\n if (yaffsfs_is_spare_valid(yfs, spare) == TSK_OK) {\n /* XXX: Do we count blocks of older versions unallocated?\n * If so, we need a smarter way to do this :/\n *\n * Walk the object from this block and see if this\n * block is used in the latest version. Could pre-\n * calculate this at cache time as well.\n */\n\n\n if (spare->chunk_id == 0) {\n flags = (TSK_FS_BLOCK_FLAG_ENUM)(flags | TSK_FS_BLOCK_FLAG_META);\n } else {\n flags = (TSK_FS_BLOCK_FLAG_ENUM)(flags | TSK_FS_BLOCK_FLAG_CONT);\n }\n\n // Have obj id and offset\n // 1. Is the current version of this object allocated?\n // 2. If this is a header, is it the header of the current version?\n // 3. Is the chunk id too big given the current header?\n // 4. Is there a more recent version of this chunk id?\n YaffsCacheObject * obj = NULL;\n yaffscache_object_find(yfs, spare->object_id, &obj);\n\n // The result really shouldn't be NULL since we loaded every chunk\n if(obj != NULL){\n if(! yaffs_is_version_allocated(yfs, spare->object_id)){\n // If the current version isn't allocated, then no chunks in it are\n flags = (TSK_FS_BLOCK_FLAG_ENUM)(flags | TSK_FS_BLOCK_FLAG_UNALLOC);\n }\n else if (obj->yco_latest == NULL || obj->yco_latest->ycv_header_chunk == NULL) { \n flags = (TSK_FS_BLOCK_FLAG_ENUM)(flags | TSK_FS_BLOCK_FLAG_UNALLOC); \n }\n else if(spare->chunk_id == 0){\n if(obj->yco_latest->ycv_header_chunk->ycc_offset == offset - yfs->page_size){\n // Have header chunk and it's the most recent header chunk\n flags = (TSK_FS_BLOCK_FLAG_ENUM)(flags | TSK_FS_BLOCK_FLAG_ALLOC);\n }\n else{\n // Have header chunk but isn't the most recent\n flags = (TSK_FS_BLOCK_FLAG_ENUM)(flags | TSK_FS_BLOCK_FLAG_UNALLOC);\n }\n }\n else{\n // Read in the full header\n yaffsfs_read_header(yfs, &header, obj->yco_latest->ycv_header_chunk->ycc_offset);\n\n // chunk_id is 1-based, so for example chunk id 2 would be too big for a file\n // 500 bytes long\n if(header->file_size <= ((spare->chunk_id - 1) * 
(fs->block_size))){\n flags = (TSK_FS_BLOCK_FLAG_ENUM)(flags | TSK_FS_BLOCK_FLAG_UNALLOC);\n }\n else{\n // Since at this point we know there should be a chunk with this chunk id in the file, if\n // this is the most recent version of the chunk assume it's part of the current version of the object.\n YaffsCacheChunk * curr = obj->yco_latest->ycv_last_chunk;\n while(curr != NULL){ // curr should really never make it to the beginning of the list\n\n // Did we find our chunk?\n if(curr->ycc_offset == offset - yfs->page_size){\n flags = (TSK_FS_BLOCK_FLAG_ENUM)(flags | TSK_FS_BLOCK_FLAG_ALLOC);\n break;\n }\n\n // Did we find a different chunk with our chunk id?\n if(curr->ycc_chunk_id == spare->chunk_id){\n flags = (TSK_FS_BLOCK_FLAG_ENUM)(flags | TSK_FS_BLOCK_FLAG_UNALLOC);\n break;\n }\n curr = curr->ycc_prev;\n }\n }\n }\n }\n\n } else {\n flags = (TSK_FS_BLOCK_FLAG_ENUM)(flags | TSK_FS_BLOCK_FLAG_UNUSED | TSK_FS_BLOCK_FLAG_UNALLOC);\n }\n\n free(spare);\n free(header);\n return flags;\n}", "project": "sleuthkit", "hash": 6777673745709563293963894895269429238, "size": 96, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299130 }, { "func": " yaffscache_chunk_compare(YaffsCacheChunk *curr, uint32_t addee_obj_id, TSK_OFF_T addee_offset, uint32_t addee_seq_number)\n{\n if (curr->ycc_obj_id == addee_obj_id) {\n if (curr->ycc_seq_number == addee_seq_number) {\n if (curr->ycc_offset == addee_offset) {\n return 0;\n }\n else if (curr->ycc_offset < addee_offset) {\n return -1;\n }\n else {\n return 1;\n }\n }\n else if (curr->ycc_seq_number < addee_seq_number) {\n return -1;\n }\n else {\n return 1;\n }\n }\n else if (curr->ycc_obj_id < addee_obj_id) {\n return -1;\n }\n else {\n return 1;\n }\n}", "project": "sleuthkit", "hash": 
92861314050999401093047975444086141549, "size": 28, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299162 }, { "func": " yaffs_make_regularfile( YAFFSFS_INFO * yaffsfs, TSK_FS_FILE * a_fs_file, \n TSK_INUM_T inode, const char * name )\n{\n TSK_FS_FILE *fs_file = a_fs_file;\n\n fs_file->meta->type = TSK_FS_META_TYPE_REG;\n fs_file->meta->mode = (TSK_FS_META_MODE_ENUM)0;\n fs_file->meta->nlink =1;\n\n if(yaffs_is_version_allocated(yaffsfs, inode)){\n fs_file->meta->flags =\n (TSK_FS_META_FLAG_ENUM)(TSK_FS_META_FLAG_USED | TSK_FS_META_FLAG_ALLOC);\n }\n else{\n fs_file->meta->flags =\n (TSK_FS_META_FLAG_ENUM)(TSK_FS_META_FLAG_USED | TSK_FS_META_FLAG_UNALLOC);\n }\n\n fs_file->meta->uid = fs_file->meta->gid = 0;\n fs_file->meta->mtime = fs_file->meta->atime = fs_file->meta->ctime =\n fs_file->meta->crtime = 0;\n fs_file->meta->mtime_nano = fs_file->meta->atime_nano =\n fs_file->meta->ctime_nano = fs_file->meta->crtime_nano = 0;\n\n if (fs_file->meta->name2 == NULL) {\n if ((fs_file->meta->name2 = (TSK_FS_META_NAME_LIST *)\n tsk_malloc(sizeof(TSK_FS_META_NAME_LIST))) == NULL)\n return 1;\n fs_file->meta->name2->next = NULL;\n }\n\n if (fs_file->meta->attr != NULL) {\n tsk_fs_attrlist_markunused(fs_file->meta->attr);\n }\n else {\n fs_file->meta->attr = tsk_fs_attrlist_alloc();\n }\n\n fs_file->meta->addr = inode;\n strncpy(fs_file->meta->name2->name, name,\n TSK_FS_META_NAME_LIST_NSIZE);\n\n fs_file->meta->size = 0;\n fs_file->meta->attr_state = TSK_FS_META_ATTR_EMPTY;\n\n return 0;\n}", "project": "sleuthkit", "hash": 217676971643583908072228240631370030450, "size": 47, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by 
increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299146 }, { "func": " yaffscache_chunk_add(YAFFSFS_INFO *yfs, TSK_OFF_T offset, uint32_t seq_number,\n uint32_t obj_id, uint32_t chunk_id, uint32_t parent_id)\n{\n TSK_RETVAL_ENUM result;\n YaffsCacheChunk *prev;\n YaffsCacheChunk *chunk;\n if ((chunk = (YaffsCacheChunk*)tsk_malloc(sizeof(YaffsCacheChunk))) == NULL) {\n return TSK_ERR;\n }\n\n chunk->ycc_offset = offset;\n chunk->ycc_seq_number = seq_number;\n chunk->ycc_obj_id = obj_id;\n chunk->ycc_chunk_id = chunk_id;\n chunk->ycc_parent_id = parent_id;\n\n // Bit of a hack here. In some images, the root directory (obj_id = 1) lists iself as its parent\n // directory, which can cause issues later when we get directory contents. To prevent this,\n // if a chunk comes in with obj_id = 1 and parent_id = 1, manually set the parent ID to zero.\n if((obj_id == 1) && (parent_id == 1)){\n chunk->ycc_parent_id = 0;\n }\n\n // Find the chunk that should go right before the new chunk\n result = yaffscache_chunk_find_insertion_point(yfs, obj_id, offset, seq_number, &prev);\n\n if (result == TSK_ERR) {\n return TSK_ERR;\n }\n\n if (prev == NULL) {\n // No previous chunk - new chunk is the lowest we've seen and the new start of the list\n chunk->ycc_prev = NULL;\n chunk->ycc_next = yfs->chunkMap->operator[](obj_id).cache_chunks_head;\n }\n else {\n chunk->ycc_prev = prev;\n chunk->ycc_next = prev->ycc_next;\n }\n\n if (chunk->ycc_next != NULL) {\n // If we're not at the end, set the prev pointer on the next chunk to point to our new one\n chunk->ycc_next->ycc_prev = chunk;\n }\n else {\n yfs->chunkMap->operator[](obj_id).cache_chunks_tail = chunk;\n }\n\n if (chunk->ycc_prev != NULL) {\n // If we're not at the beginning, set the next pointer on the previous chunk to point at our new one\n chunk->ycc_prev->ycc_next = chunk;\n }\n else {\n yfs->chunkMap->operator[](obj_id).cache_chunks_head = chunk;\n }\n\n return 
TSK_OK;\n}", "project": "sleuthkit", "hash": 241677138696918800147101768356282894722, "size": 58, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299148 }, { "func": " yaffsfs_block_walk(TSK_FS_INFO *a_fs, TSK_DADDR_T a_start_blk,\n TSK_DADDR_T a_end_blk, TSK_FS_BLOCK_WALK_FLAG_ENUM a_flags,\n TSK_FS_BLOCK_WALK_CB a_action, void *a_ptr)\n{\n TSK_FS_BLOCK *fs_block;\n TSK_DADDR_T addr;\n\n // clean up any error messages that are lying around\n tsk_error_reset();\n\n /*\n * Sanity checks.\n */\n if (a_start_blk < a_fs->first_block || a_start_blk > a_fs->last_block) {\n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);\n tsk_error_set_errstr(\"yaffsfs_block_walk: start block: %\" PRIuDADDR,\n a_start_blk);\n return 1;\n }\n if (a_end_blk < a_fs->first_block || a_end_blk > a_fs->last_block\n || a_end_blk < a_start_blk) {\n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);\n tsk_error_set_errstr(\"yaffsfs_block_walk: end block: %\" PRIuDADDR ,\n a_end_blk);\n return 1;\n }\n\n /* Sanity check on a_flags -- make sure at least one ALLOC is set */\n if (((a_flags & TSK_FS_BLOCK_WALK_FLAG_ALLOC) == 0) &&\n ((a_flags & TSK_FS_BLOCK_WALK_FLAG_UNALLOC) == 0)) {\n a_flags = (TSK_FS_BLOCK_WALK_FLAG_ENUM)\n (a_flags | TSK_FS_BLOCK_WALK_FLAG_ALLOC |\n TSK_FS_BLOCK_WALK_FLAG_UNALLOC);\n }\n if (((a_flags & TSK_FS_BLOCK_WALK_FLAG_META) == 0) &&\n ((a_flags & TSK_FS_BLOCK_WALK_FLAG_CONT) == 0)) {\n a_flags = (TSK_FS_BLOCK_WALK_FLAG_ENUM)\n (a_flags | TSK_FS_BLOCK_WALK_FLAG_CONT | TSK_FS_BLOCK_WALK_FLAG_META);\n }\n\n\n if ((fs_block = tsk_fs_block_alloc(a_fs)) == NULL) {\n return 1;\n }\n\n for (addr = a_start_blk; addr <= a_end_blk; addr++) {\n int retval;\n int myflags;\n\n myflags = yaffsfs_block_getflags(a_fs, addr);\n\n // 
test if we should call the callback with this one\n if ((myflags & TSK_FS_BLOCK_FLAG_META)\n && (!(a_flags & TSK_FS_BLOCK_WALK_FLAG_META)))\n continue;\n else if ((myflags & TSK_FS_BLOCK_FLAG_CONT)\n && (!(a_flags & TSK_FS_BLOCK_WALK_FLAG_CONT)))\n continue;\n else if ((myflags & TSK_FS_BLOCK_FLAG_ALLOC)\n && (!(a_flags & TSK_FS_BLOCK_WALK_FLAG_ALLOC)))\n continue;\n else if ((myflags & TSK_FS_BLOCK_FLAG_UNALLOC)\n && (!(a_flags & TSK_FS_BLOCK_WALK_FLAG_UNALLOC)))\n continue;\n\n if (tsk_fs_block_get(a_fs, fs_block, addr) == NULL) {\n tsk_error_set_errstr2(\"yaffsfs_block_walk: block %\" PRIuDADDR,\n addr);\n tsk_fs_block_free(fs_block);\n return 1;\n }\n\n retval = a_action(fs_block, a_ptr);\n if (retval == TSK_WALK_STOP) {\n break;\n }\n else if (retval == TSK_WALK_ERROR) {\n tsk_fs_block_free(fs_block);\n return 1;\n }\n }\n\n /*\n * Cleanup.\n */\n tsk_fs_block_free(fs_block);\n return 0;\n}", "project": "sleuthkit", "hash": 203317413381357990491991650061109144253, "size": 90, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299137 }, { "func": " yaffscache_chunks_free(YAFFSFS_INFO *yfs)\n{\n if((yfs != NULL) && (yfs->chunkMap != NULL)){\n // Free the YaffsCacheChunks in each ChunkGroup\n std::map::iterator iter;\n for( iter = yfs->chunkMap->begin(); iter != yfs->chunkMap->end(); ++iter ) {\n YaffsCacheChunk *chunk = yfs->chunkMap->operator[](iter->first).cache_chunks_head;\n while(chunk != NULL) {\n YaffsCacheChunk *to_free = chunk;\n chunk = chunk->ycc_next;\n free(to_free);\n }\n }\n\n // Free the map\n yfs->chunkMap->clear();\n delete yfs->chunkMap;\n }\n\n}", "project": "sleuthkit", "hash": 158453746263973912959682391379190247163, "size": 20, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer 
overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299132 }, { "func": " yaffs_make_orphan_dir( YAFFSFS_INFO * yaffsfs, TSK_FS_FILE * a_fs_file )\n{\n TSK_FS_FILE * fs_file = a_fs_file;\n TSK_FS_NAME *fs_name = tsk_fs_name_alloc(256, 0);\n if (fs_name == NULL)\n return TSK_ERR;\n\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffs_make_orphan_dir: Making orphan dir node\\n\");\n\n if (tsk_fs_dir_make_orphan_dir_name(&(yaffsfs->fs_info), fs_name)) {\n tsk_fs_name_free(fs_name);\n return TSK_ERR;\n }\n\n if (yaffs_make_directory(yaffsfs, fs_file, yaffsfs->fs_info.last_inum, (char *)fs_name)){\n tsk_fs_name_free(fs_name);\n return 1;\n }\n tsk_fs_name_free(fs_name);\n return 0;\n}", "project": "sleuthkit", "hash": 312775996476906995850090834137178090790, "size": 22, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299149 }, { "func": " yaffsfs_read_spare(YAFFSFS_INFO *yfs, YaffsSpare ** spare, TSK_OFF_T offset)\n{\n unsigned char *spr;\n ssize_t cnt;\n YaffsSpare *sp;\n TSK_FS_INFO *fs = &(yfs->fs_info);\n\n uint32_t seq_number;\n uint32_t object_id;\n uint32_t chunk_id;\n\n // Should have checked this by now, but just in case\n if((yfs->spare_seq_offset + 4 > yfs->spare_size) ||\n (yfs->spare_obj_id_offset + 4 > yfs->spare_size) ||\n (yfs->spare_chunk_id_offset + 4 > yfs->spare_size)){\n return 1;\n }\n\n if ((spr = (unsigned char*) tsk_malloc(yfs->spare_size)) == NULL) {\n return 1;\n }\n\n if (yfs->spare_size < 46) { // Why is this 46?\n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS_ARG);\n tsk_error_set_errstr(\"yaffsfs_read_spare: spare size is too small\");\n free(spr);\n return 1;\n }\n\n 
cnt = tsk_img_read(fs->img_info, offset, (char*) spr, yfs->spare_size);\n if ((cnt < 0) || ((unsigned int)cnt < yfs->spare_size)) {\n // couldn't read sufficient bytes...\n if (spare) {\n free(spr);\n *spare = NULL;\n }\n return 1;\n }\n\n if ((sp = (YaffsSpare*) tsk_malloc(sizeof(YaffsSpare))) == NULL) {\n return 1;\n }\n\n memset(sp, 0, sizeof(YaffsSpare));\n\n /*\n * Complete read of the YAFFS2 spare\n */\n\n\n // The format of the spare area should have been determined earlier\n memcpy(&seq_number, &spr[yfs->spare_seq_offset], 4);\n memcpy(&object_id, &spr[yfs->spare_obj_id_offset], 4);\n memcpy(&chunk_id, &spr[yfs->spare_chunk_id_offset], 4);\n\n if ((YAFFS_SPARE_FLAGS_IS_HEADER & chunk_id) != 0) {\n\n sp->seq_number = seq_number;\n sp->object_id = object_id & ~YAFFS_SPARE_OBJECT_TYPE_MASK;\n sp->chunk_id = 0;\n\n sp->has_extra_fields = 1;\n sp->extra_parent_id = chunk_id & YAFFS_SPARE_PARENT_ID_MASK;\n sp->extra_object_type =\n (object_id & YAFFS_SPARE_OBJECT_TYPE_MASK)\n >> YAFFS_SPARE_OBJECT_TYPE_SHIFT;\n }\n else {\n sp->seq_number = seq_number;\n sp->object_id = object_id;\n sp->chunk_id = chunk_id;\n\n sp->has_extra_fields = 0;\n }\n\n free(spr);\n *spare = sp;\n\n return 0;\n}", "project": "sleuthkit", "hash": 235988737145882664622385319119343241097, "size": 81, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299157 }, { "func": " yaffsfs_inode_walk(TSK_FS_INFO *fs, TSK_INUM_T start_inum,\n TSK_INUM_T end_inum, TSK_FS_META_FLAG_ENUM flags,\n TSK_FS_META_WALK_CB a_action, void *a_ptr)\n{\n YAFFSFS_INFO *yfs = (YAFFSFS_INFO *)fs;\n TSK_FS_FILE *fs_file;\n TSK_RETVAL_ENUM result;\n\n uint32_t start_obj_id;\n uint32_t start_ver_number;\n uint32_t end_obj_id;\n uint32_t end_ver_number;\n\n uint32_t obj_id;\n\n YaffsCacheObject 
*curr_obj;\n YaffsCacheVersion *curr_version;\n\n result = yaffscache_inode_to_obj_id_and_version(start_inum, &start_obj_id, &start_ver_number);\n\n result = yaffscache_inode_to_obj_id_and_version(end_inum, &end_obj_id, &end_ver_number);\n\n if (end_obj_id < start_obj_id) {\n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);\n tsk_error_set_errstr(\"yaffsfs_inode_walk: end object id must be >= start object id: \"\n \"%\" PRIx32 \" must be >= %\" PRIx32 \"\",\n end_obj_id, start_obj_id);\n return 1;\n }\n\n /* The ORPHAN flag is unsupported for YAFFS2 */\n if (flags & TSK_FS_META_FLAG_ORPHAN) {\n if (tsk_verbose){\n tsk_fprintf(stderr, \"yaffsfs_inode_walk: ORPHAN flag unsupported by YAFFS2\");\n }\n }\n\n if (((flags & TSK_FS_META_FLAG_ALLOC) == 0) &&\n ((flags & TSK_FS_META_FLAG_UNALLOC) == 0)) {\n flags = (TSK_FS_META_FLAG_ENUM)(flags | TSK_FS_META_FLAG_ALLOC | TSK_FS_META_FLAG_UNALLOC);\n }\n\n /* If neither of the USED or UNUSED flags are set, then set them\n * both\n */\n if (((flags & TSK_FS_META_FLAG_USED) == 0) &&\n ((flags & TSK_FS_META_FLAG_UNUSED) == 0)) {\n flags = (TSK_FS_META_FLAG_ENUM)(flags | TSK_FS_META_FLAG_USED | TSK_FS_META_FLAG_UNUSED);\n }\n\n if ((fs_file = tsk_fs_file_alloc(fs)) == NULL)\n return 1;\n if ((fs_file->meta =\n tsk_fs_meta_alloc(YAFFS_FILE_CONTENT_LEN)) == NULL)\n return 1;\n\n\n for (obj_id = start_obj_id; obj_id <= end_obj_id; obj_id++) {\n int retval;\n\n result = yaffscache_version_find_by_inode(yfs, obj_id, &curr_version, &curr_obj);\n if (result == TSK_OK) {\n\n TSK_INUM_T curr_inode;\n YaffsCacheVersion *version;\n\n // ALLOC, UNALLOC, or both are set at this point \n if (flags & TSK_FS_META_FLAG_ALLOC) {\n // Allocated only - just look at current version\n if (yaffscache_obj_id_and_version_to_inode(obj_id, curr_obj->yco_latest->ycv_version, &curr_inode) != TSK_OK) {\n tsk_fs_file_close(fs_file);\n return 1;\n }\n\n // It's possible for the current version to be unallocated if the last header was a deleted or 
unlinked header\n if(yaffs_is_version_allocated(yfs, curr_inode)){\n if (yaffs_inode_lookup(fs, fs_file, curr_inode) != TSK_OK) {\n tsk_fs_file_close(fs_file);\n return 1;\n }\n\n retval = a_action(fs_file, a_ptr);\n if (retval == TSK_WALK_STOP) {\n tsk_fs_file_close(fs_file);\n return 0;\n }\n else if (retval == TSK_WALK_ERROR) {\n tsk_fs_file_close(fs_file);\n return 1;\n }\n }\n }\n if (flags & TSK_FS_META_FLAG_UNALLOC){\n for (version = curr_obj->yco_latest; version != NULL; version = version->ycv_prior) {\n if (yaffscache_obj_id_and_version_to_inode(obj_id, version->ycv_version, &curr_inode) != TSK_OK) {\n tsk_fs_file_close(fs_file);\n return 1;\n }\n\n if(! yaffs_is_version_allocated(yfs, curr_inode)){\n if (yaffs_inode_lookup(fs, fs_file, curr_inode) != TSK_OK) {\n tsk_fs_file_close(fs_file);\n return 1;\n }\n\n retval = a_action(fs_file, a_ptr);\n if (retval == TSK_WALK_STOP) {\n tsk_fs_file_close(fs_file);\n return 0;\n }\n else if (retval == TSK_WALK_ERROR) {\n tsk_fs_file_close(fs_file);\n return 1;\n }\n }\n }\n }\n\n curr_obj = curr_obj->yco_next;\n }\n }\n\n /*\n * Cleanup.\n */\n tsk_fs_file_close(fs_file);\n return 0;\n}", "project": "sleuthkit", "hash": 24632597820718023420149089400225202399, "size": 129, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299126 }, { "func": " yaffsfs_parse_image_load_cache(YAFFSFS_INFO * yfs)\n{\n uint8_t status = TSK_OK;\n uint32_t nentries = 0;\n YaffsSpare *spare = NULL;\n\n uint8_t tempBuf[8];\n uint32_t parentID;\n\n if (yfs->cache_objects)\n return 0;\n\n for(TSK_OFF_T offset = 0;offset < yfs->fs_info.img_info->size;offset += yfs->page_size + yfs->spare_size){\n status = yaffsfs_read_spare( yfs, &spare, offset + yfs->page_size);\n if (status != TSK_OK) {\n break;\n }\n\n if 
(yaffsfs_is_spare_valid(yfs, spare) == TSK_OK) {\n\n\n if((spare->has_extra_fields) || (spare->chunk_id != 0)){\n yaffscache_chunk_add(yfs,\n offset, \n spare->seq_number, \n spare->object_id, \n spare->chunk_id, \n spare->extra_parent_id);\n }\n else{\n // If we have a header block and didn't extract it already from the spare, get the parent ID from\n // the non-spare data\n if(8 == tsk_img_read(yfs->fs_info.img_info, offset, (char*) tempBuf, 8)){\n memcpy(&parentID, &tempBuf[4], 4);\n\n yaffscache_chunk_add(yfs,\n offset, \n spare->seq_number, \n spare->object_id, \n spare->chunk_id, \n parentID);\n }\n else{\n // Really shouldn't happen\n fprintf(stderr, \"Error reading header to get parent id at offset %\" PRIxOFF \"\\n\", offset);\n yaffscache_chunk_add(yfs,\n offset, \n spare->seq_number, \n spare->object_id, \n spare->chunk_id, \n 0);\n }\n }\n }\n\n free(spare);\n spare = NULL;\n\n ++nentries;\n }\n\n if (tsk_verbose)\n fprintf(stderr, \"yaffsfs_parse_image_load_cache: read %d entries\\n\", nentries);\n\n if (tsk_verbose)\n fprintf(stderr, \"yaffsfs_parse_image_load_cache: started processing chunks for version cache...\\n\");\n fflush(stderr);\n\n // At this point, we have a list of chunks sorted by obj id, seq number, and offset\n // This makes the list of objects in cache_objects, which link to different versions\n yaffscache_versions_compute(yfs);\n\n if (tsk_verbose)\n fprintf(stderr, \"yaffsfs_parse_image_load_cache: done version cache!\\n\");\n fflush(stderr);\n\n\n // Having multiple inodes point to the same object seems to cause trouble in TSK, especially in orphan file detection,\n // so set the version number of the final one to zero.\n // While we're at it, find the highest obj_id and the highest version (before resetting to zero)\n YaffsCacheObject * currObj = yfs->cache_objects;\n YaffsCacheVersion * currVer;\n while(currObj != NULL){\n if(currObj->yco_obj_id > yfs->max_obj_id){\n yfs->max_obj_id = currObj->yco_obj_id;\n }\n\n currVer = 
currObj->yco_latest;\n if(currVer->ycv_version > yfs->max_version){\n yfs->max_version = currVer->ycv_version;\n }\n\n currVer->ycv_version = 0;\n currObj = currObj->yco_next;\n }\n\n // Use the max object id and version number to construct an upper bound on the inode\n TSK_INUM_T max_inum = 0;\n if (TSK_OK != yaffscache_obj_id_and_version_to_inode(yfs->max_obj_id, yfs->max_version, &max_inum)) {\n return TSK_ERR;\n }\n yfs->fs_info.last_inum = max_inum + 1; // One more for the orphan dir\n\n // Make sure the orphan dir is greater than the root dir\n if (yfs->fs_info.last_inum <= yfs->fs_info.root_inum) {\n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS);\n tsk_error_set_errstr(\n \"yaffsfs_parse_image_load_cache: Maximum inum %\" PRIuINUM \" is not greater than the root inum\", yfs->fs_info.last_inum);\n return TSK_ERR;\n }\n\n return TSK_OK;\n}", "project": "sleuthkit", "hash": 336838978219719396446793976081762333915, "size": 114, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299120 }, { "func": " yaffs_make_deleted( YAFFSFS_INFO * yaffsfs, TSK_FS_FILE * a_fs_file )\n{\n TSK_FS_FILE *fs_file = a_fs_file;\n\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffs_make_deleted: Making virtual deleted node\\n\");\n\n if (yaffs_make_directory(yaffsfs, fs_file, YAFFS_OBJECT_DELETED, YAFFS_OBJECT_DELETED_NAME))\n return 1;\n\n return 0;\n}", "project": "sleuthkit", "hash": 186550800674831880056715994402095362085, "size": 12, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299154 }, { "func": " 
yaffsfs_istat(TSK_FS_INFO *fs, TSK_FS_ISTAT_FLAG_ENUM flags, FILE * hFile, TSK_INUM_T inum,\n TSK_DADDR_T numblock, int32_t sec_skew)\n{\n TSK_FS_META *fs_meta;\n TSK_FS_FILE *fs_file;\n YAFFSFS_INFO *yfs = (YAFFSFS_INFO *)fs;\n char ls[12];\n YAFFSFS_PRINT_ADDR print;\n char timeBuf[32];\n YaffsCacheObject * obj = NULL;\n YaffsCacheVersion * version = NULL;\n YaffsHeader * header = NULL;\n\n yaffscache_version_find_by_inode(yfs, inum, &version, &obj);\n\n if ((fs_file = tsk_fs_file_open_meta(fs, NULL, inum)) == NULL) {\n return 1;\n }\n fs_meta = fs_file->meta;\n\n tsk_fprintf(hFile, \"inode: %\" PRIuINUM \"\\n\", inum);\n tsk_fprintf(hFile, \"%sAllocated\\n\",\n (fs_meta->flags & TSK_FS_META_FLAG_ALLOC) ? \"\" : \"Not \");\n\n if (fs_meta->link)\n tsk_fprintf(hFile, \"symbolic link to: %s\\n\", fs_meta->link);\n\n tsk_fprintf(hFile, \"uid / gid: %\" PRIuUID \" / %\" PRIuGID \"\\n\",\n fs_meta->uid, fs_meta->gid);\n\n tsk_fs_meta_make_ls(fs_meta, ls, sizeof(ls));\n tsk_fprintf(hFile, \"mode: %s\\n\", ls);\n\n tsk_fprintf(hFile, \"size: %\" PRIdOFF \"\\n\", fs_meta->size);\n tsk_fprintf(hFile, \"num of links: %d\\n\", fs_meta->nlink);\n\n if(version != NULL){\n yaffsfs_read_header(yfs, &header, version->ycv_header_chunk->ycc_offset);\n if(header != NULL){\n tsk_fprintf(hFile, \"Name: %s\\n\", header->name);\n }\n }\n\n if (sec_skew != 0) {\n tsk_fprintf(hFile, \"\\nAdjusted Inode Times:\\n\");\n fs_meta->mtime -= sec_skew;\n fs_meta->atime -= sec_skew;\n fs_meta->ctime -= sec_skew;\n\n tsk_fprintf(hFile, \"Accessed:\\t%s\\n\",\n tsk_fs_time_to_str(fs_meta->atime, timeBuf));\n tsk_fprintf(hFile, \"File Modified:\\t%s\\n\",\n tsk_fs_time_to_str(fs_meta->mtime, timeBuf));\n tsk_fprintf(hFile, \"Inode Modified:\\t%s\\n\",\n tsk_fs_time_to_str(fs_meta->ctime, timeBuf));\n\n fs_meta->mtime += sec_skew;\n fs_meta->atime += sec_skew;\n fs_meta->ctime += sec_skew;\n\n tsk_fprintf(hFile, \"\\nOriginal Inode Times:\\n\");\n }\n else {\n tsk_fprintf(hFile, \"\\nInode 
Times:\\n\");\n }\n\n tsk_fprintf(hFile, \"Accessed:\\t%s\\n\",\n tsk_fs_time_to_str(fs_meta->atime, timeBuf));\n tsk_fprintf(hFile, \"File Modified:\\t%s\\n\",\n tsk_fs_time_to_str(fs_meta->mtime, timeBuf));\n tsk_fprintf(hFile, \"Inode Modified:\\t%s\\n\",\n tsk_fs_time_to_str(fs_meta->ctime, timeBuf));\n\n if(version != NULL){\n tsk_fprintf(hFile, \"\\nHeader Chunk:\\n\");\n tsk_fprintf(hFile, \"%\" PRIuDADDR \"\\n\", (version->ycv_header_chunk->ycc_offset / (yfs->page_size + yfs->spare_size)));\n }\n\n if (numblock > 0) {\n TSK_OFF_T lower_size = numblock * fs->block_size;\n fs_meta->size = (lower_size < fs_meta->size)?(lower_size):(fs_meta->size);\n }\n tsk_fprintf(hFile, \"\\nData Chunks:\\n\");\n\n\n if (flags & TSK_FS_ISTAT_RUNLIST){\n const TSK_FS_ATTR *fs_attr_default =\n tsk_fs_file_attr_get_type(fs_file,\n TSK_FS_ATTR_TYPE_DEFAULT, 0, 0);\n if (fs_attr_default && (fs_attr_default->flags & TSK_FS_ATTR_NONRES)) {\n if (tsk_fs_attr_print(fs_attr_default, hFile)) {\n tsk_fprintf(hFile, \"\\nError creating run lists \");\n tsk_error_print(hFile);\n tsk_error_reset();\n }\n }\n }\n else {\n print.idx = 0;\n print.hFile = hFile;\n\n if (tsk_fs_file_walk(fs_file, TSK_FS_FILE_WALK_FLAG_AONLY,\n (TSK_FS_FILE_WALK_CB)print_addr_act, (void *)&print)) {\n tsk_fprintf(hFile, \"\\nError reading file: \");\n tsk_error_print(hFile);\n tsk_error_reset();\n }\n else if (print.idx != 0) {\n tsk_fprintf(hFile, \"\\n\");\n }\n }\n\n tsk_fs_file_close(fs_file);\n\n return 0;\n}", "project": "sleuthkit", "hash": 315622372000357176371289570991066181436, "size": 116, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 1, "dataset": "other", "idx": 200108 }, { "func": " yaffsfs_istat(TSK_FS_INFO *fs, TSK_FS_ISTAT_FLAG_ENUM flags, FILE * hFile, TSK_INUM_T inum,\n TSK_DADDR_T numblock, 
int32_t sec_skew)\n{\n TSK_FS_META *fs_meta;\n TSK_FS_FILE *fs_file;\n YAFFSFS_INFO *yfs = (YAFFSFS_INFO *)fs;\n char ls[12];\n YAFFSFS_PRINT_ADDR print;\n char timeBuf[128];\n YaffsCacheObject * obj = NULL;\n YaffsCacheVersion * version = NULL;\n YaffsHeader * header = NULL;\n\n yaffscache_version_find_by_inode(yfs, inum, &version, &obj);\n\n if ((fs_file = tsk_fs_file_open_meta(fs, NULL, inum)) == NULL) {\n return 1;\n }\n fs_meta = fs_file->meta;\n\n tsk_fprintf(hFile, \"inode: %\" PRIuINUM \"\\n\", inum);\n tsk_fprintf(hFile, \"%sAllocated\\n\",\n (fs_meta->flags & TSK_FS_META_FLAG_ALLOC) ? \"\" : \"Not \");\n\n if (fs_meta->link)\n tsk_fprintf(hFile, \"symbolic link to: %s\\n\", fs_meta->link);\n\n tsk_fprintf(hFile, \"uid / gid: %\" PRIuUID \" / %\" PRIuGID \"\\n\",\n fs_meta->uid, fs_meta->gid);\n\n tsk_fs_meta_make_ls(fs_meta, ls, sizeof(ls));\n tsk_fprintf(hFile, \"mode: %s\\n\", ls);\n\n tsk_fprintf(hFile, \"size: %\" PRIdOFF \"\\n\", fs_meta->size);\n tsk_fprintf(hFile, \"num of links: %d\\n\", fs_meta->nlink);\n\n if(version != NULL){\n yaffsfs_read_header(yfs, &header, version->ycv_header_chunk->ycc_offset);\n if(header != NULL){\n tsk_fprintf(hFile, \"Name: %s\\n\", header->name);\n }\n }\n\n if (sec_skew != 0) {\n tsk_fprintf(hFile, \"\\nAdjusted Inode Times:\\n\");\n fs_meta->mtime -= sec_skew;\n fs_meta->atime -= sec_skew;\n fs_meta->ctime -= sec_skew;\n\n tsk_fprintf(hFile, \"Accessed:\\t%s\\n\",\n tsk_fs_time_to_str(fs_meta->atime, timeBuf));\n tsk_fprintf(hFile, \"File Modified:\\t%s\\n\",\n tsk_fs_time_to_str(fs_meta->mtime, timeBuf));\n tsk_fprintf(hFile, \"Inode Modified:\\t%s\\n\",\n tsk_fs_time_to_str(fs_meta->ctime, timeBuf));\n\n fs_meta->mtime += sec_skew;\n fs_meta->atime += sec_skew;\n fs_meta->ctime += sec_skew;\n\n tsk_fprintf(hFile, \"\\nOriginal Inode Times:\\n\");\n }\n else {\n tsk_fprintf(hFile, \"\\nInode Times:\\n\");\n }\n\n tsk_fprintf(hFile, \"Accessed:\\t%s\\n\",\n tsk_fs_time_to_str(fs_meta->atime, timeBuf));\n 
tsk_fprintf(hFile, \"File Modified:\\t%s\\n\",\n tsk_fs_time_to_str(fs_meta->mtime, timeBuf));\n tsk_fprintf(hFile, \"Inode Modified:\\t%s\\n\",\n tsk_fs_time_to_str(fs_meta->ctime, timeBuf));\n\n if(version != NULL){\n tsk_fprintf(hFile, \"\\nHeader Chunk:\\n\");\n tsk_fprintf(hFile, \"%\" PRIuDADDR \"\\n\", (version->ycv_header_chunk->ycc_offset / (yfs->page_size + yfs->spare_size)));\n }\n\n if (numblock > 0) {\n TSK_OFF_T lower_size = numblock * fs->block_size;\n fs_meta->size = (lower_size < fs_meta->size)?(lower_size):(fs_meta->size);\n }\n tsk_fprintf(hFile, \"\\nData Chunks:\\n\");\n\n\n if (flags & TSK_FS_ISTAT_RUNLIST){\n const TSK_FS_ATTR *fs_attr_default =\n tsk_fs_file_attr_get_type(fs_file,\n TSK_FS_ATTR_TYPE_DEFAULT, 0, 0);\n if (fs_attr_default && (fs_attr_default->flags & TSK_FS_ATTR_NONRES)) {\n if (tsk_fs_attr_print(fs_attr_default, hFile)) {\n tsk_fprintf(hFile, \"\\nError creating run lists \");\n tsk_error_print(hFile);\n tsk_error_reset();\n }\n }\n }\n else {\n print.idx = 0;\n print.hFile = hFile;\n\n if (tsk_fs_file_walk(fs_file, TSK_FS_FILE_WALK_FLAG_AONLY,\n (TSK_FS_FILE_WALK_CB)print_addr_act, (void *)&print)) {\n tsk_fprintf(hFile, \"\\nError reading file: \");\n tsk_error_print(hFile);\n tsk_error_reset();\n }\n else if (print.idx != 0) {\n tsk_fprintf(hFile, \"\\n\");\n }\n }\n\n tsk_fs_file_close(fs_file);\n\n return 0;\n}", "project": "sleuthkit", "hash": 172760896741279150306338467662761860668, "size": 116, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299134 }, { "func": " yaffsfs_load_attrs(TSK_FS_FILE *file)\n{\n TSK_FS_ATTR *attr;\n TSK_FS_META *meta;\n TSK_FS_INFO *fs;\n YAFFSFS_INFO *yfs;\n TSK_FS_ATTR_RUN *data_run;\n TSK_DADDR_T file_block_count;\n YaffsCacheObject *obj;\n YaffsCacheVersion 
*version;\n TSK_RETVAL_ENUM result;\n TSK_LIST *chunks_seen = NULL;\n YaffsCacheChunk *curr;\n TSK_FS_ATTR_RUN *data_run_new;\n\n\n if (file == NULL || file->meta == NULL || file->fs_info == NULL)\n {\n tsk_error_set_errno(TSK_ERR_FS_ARG);\n tsk_error_set_errstr\n (\"yaffsfs_load_attrs: called with NULL pointers\");\n return 1;\n }\n\n meta = file->meta;\n yfs = (YAFFSFS_INFO *)file->fs_info;\n fs = &yfs->fs_info;\n\n // see if we have already loaded the runs\n if ((meta->attr != NULL)\n && (meta->attr_state == TSK_FS_META_ATTR_STUDIED)) {\n return 0;\n }\n else if (meta->attr_state == TSK_FS_META_ATTR_ERROR) {\n return 1;\n }\n // not sure why this would ever happen, but...\n else if (meta->attr != NULL) {\n tsk_fs_attrlist_markunused(meta->attr);\n }\n else if (meta->attr == NULL) {\n meta->attr = tsk_fs_attrlist_alloc();\n }\n\n attr = tsk_fs_attrlist_getnew(meta->attr, TSK_FS_ATTR_NONRES);\n if (attr == NULL) {\n meta->attr_state = TSK_FS_META_ATTR_ERROR;\n return 1;\n }\n\n if (meta->size == 0) {\n data_run = NULL;\n }\n else {\n /* BC: I'm not entirely sure this is needed. My guess is that\n * this was done instead of maintaining the head of the list of \n * runs. In theory, the tsk_fs_attr_add_run() method should handle\n * the fillers. 
*/\n data_run = tsk_fs_attr_run_alloc();\n if (data_run == NULL) {\n tsk_fs_attr_run_free(data_run);\n meta->attr_state = TSK_FS_META_ATTR_ERROR;\n return 1;\n }\n\n data_run->offset = 0;\n data_run->addr = 0;\n data_run->len = (meta->size + fs->block_size - 1) / fs->block_size;\n data_run->flags = TSK_FS_ATTR_RUN_FLAG_FILLER;\n }\n \n\n // initialize the data run\n if (tsk_fs_attr_set_run(file, attr, data_run, NULL,\n TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,\n meta->size, meta->size, roundup(meta->size, fs->block_size), (TSK_FS_ATTR_FLAG_ENUM)0, 0)) {\n meta->attr_state = TSK_FS_META_ATTR_ERROR;\n return 1;\n }\n\n // If the file has size zero, return now\n if(meta->size == 0){\n meta->attr_state = TSK_FS_META_ATTR_STUDIED;\n return 0;\n }\n\n\n /* Get the version for the given object. */\n result = yaffscache_version_find_by_inode(yfs, meta->addr, &version, &obj);\n if (result != TSK_OK || version == NULL) {\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffsfs_load_attrs: yaffscache_version_find_by_inode failed!\\n\");\n meta->attr_state = TSK_FS_META_ATTR_ERROR;\n return 1;\n }\n\n if (tsk_verbose)\n yaffscache_object_dump(stderr, obj);\n\n file_block_count = data_run->len;\n /* Cycle through the chunks for this version of this object */\n curr = version->ycv_last_chunk;\n while (curr != NULL && curr->ycc_obj_id == obj->yco_obj_id) {\n\n if (curr->ycc_chunk_id == 0) {\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffsfs_load_attrs: skipping header chunk\\n\");\n }\n else if (tsk_list_find(chunks_seen, curr->ycc_chunk_id)) {\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffsfs_load_attrs: skipping duplicate chunk\\n\");\n }\n else if (curr->ycc_chunk_id > file_block_count) {\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffsfs_load_attrs: skipping chunk past end\\n\");\n }\n /* We like this chunk */\n else {\n // add it to our internal list\n if (tsk_list_add(&chunks_seen, curr->ycc_chunk_id)) {\n meta->attr_state = TSK_FS_META_ATTR_ERROR;\n 
tsk_list_free(chunks_seen);\n chunks_seen = NULL;\n return 1;\n }\n\n data_run_new = tsk_fs_attr_run_alloc();\n if (data_run_new == NULL) {\n tsk_fs_attr_run_free(data_run_new);\n meta->attr_state = TSK_FS_META_ATTR_ERROR;\n return 1;\n }\n\n data_run_new->offset = (curr->ycc_chunk_id - 1);\n data_run_new->addr = curr->ycc_offset / (fs->block_pre_size + fs->block_size + fs->block_post_size);\n data_run_new->len = 1;\n data_run_new->flags = TSK_FS_ATTR_RUN_FLAG_NONE;\n\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffsfs_load_attrs: @@@ Chunk %d : %08x is at offset 0x%016llx\\n\",\n curr->ycc_chunk_id, curr->ycc_seq_number, curr->ycc_offset);\n\n tsk_fs_attr_add_run(fs, attr, data_run_new);\n }\n\n curr = curr->ycc_prev;\n }\n\n tsk_list_free(chunks_seen);\n meta->attr_state = TSK_FS_META_ATTR_STUDIED;\n return 0;\n}", "project": "sleuthkit", "hash": 81698446164859823700444855536389860375, "size": 152, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299140 }, { "func": " yaffscache_object_dump(FILE *fp, YaffsCacheObject *obj)\n{\n YaffsCacheVersion *next_version = obj->yco_latest;\n YaffsCacheChunk *chunk = next_version->ycv_last_chunk;\n\n fprintf(fp, \"Object %d\\n\", obj->yco_obj_id);\n while(chunk != NULL && chunk->ycc_obj_id == obj->yco_obj_id) {\n if (next_version != NULL && \n chunk == next_version->ycv_last_chunk) {\n fprintf(fp, \" @%d: %p %p %p\\n\", \n next_version->ycv_version, \n (void*) next_version->ycv_header_chunk,\n (void*) next_version->ycv_first_chunk,\n (void*)next_version->ycv_last_chunk);\n next_version = next_version->ycv_prior;\n }\n\n fprintf(fp, \" + %p %08x %08x %0\" PRIxOFF \"\\n\",\n (void*) chunk,\n chunk->ycc_chunk_id,\n chunk->ycc_seq_number,\n chunk->ycc_offset);\n\n chunk = chunk->ycc_prev;\n }\n}", 
"project": "sleuthkit", "hash": 219702799286886068649903474662880803675, "size": 26, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299125 }, { "func": " yaffscache_find_children(YAFFSFS_INFO *yfs, TSK_INUM_T parent_inode, yc_find_children_cb cb, void *args)\n{\n YaffsCacheObject *obj;\n\n uint32_t parent_id, version_num;\n if (yaffscache_inode_to_obj_id_and_version(parent_inode, &parent_id, &version_num) != TSK_OK) {\n return TSK_ERR;\n }\n\n /* Iterate over all objects and all versions of the objects to see if one is the child\n * of the given parent. */\n for (obj = yfs->cache_objects; obj != NULL; obj = obj->yco_next) {\n YaffsCacheVersion *version;\n for (version = obj->yco_latest; version != NULL; version = version->ycv_prior) {\n /* Is this an incomplete version? 
*/\n if (version->ycv_header_chunk == NULL) {\n continue;\n }\n\n if (version->ycv_header_chunk->ycc_parent_id == parent_id) {\n TSK_RETVAL_ENUM result = cb(obj, version, args);\n if (result != TSK_OK)\n return result;\n }\n }\n }\n\n return TSK_OK;\n}", "project": "sleuthkit", "hash": 203383111195374223394729548184455296546, "size": 29, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299156 }, { "func": " yaffsfs_read_header(YAFFSFS_INFO *yfs, YaffsHeader ** header, TSK_OFF_T offset)\n{\n unsigned char *hdr;\n ssize_t cnt;\n YaffsHeader *head;\n TSK_FS_INFO *fs = &(yfs->fs_info);\n\n if ((hdr = (unsigned char*) tsk_malloc(yfs->page_size)) == NULL) {\n return 1;\n }\n\n cnt = tsk_img_read(fs->img_info, offset, (char *) hdr,\n yfs->page_size);\n if ((cnt < 0) || ((unsigned int)cnt < yfs->page_size)) {\n free(hdr);\n return 1;\n }\n\n if ((head = (YaffsHeader*) tsk_malloc( sizeof(YaffsHeader))) == NULL) {\n free(hdr);\n return 1;\n }\n\n memcpy(&head->obj_type, hdr, 4);\n memcpy(&head->parent_id, &hdr[4], 4);\n memcpy(head->name, (char*) &hdr[0xA], YAFFS_HEADER_NAME_LENGTH);\n memcpy(&head->file_mode, &hdr[0x10C], 4);\n memcpy(&head->user_id, &hdr[0x110], 4);\n memcpy(&head->group_id, &hdr[0x114], 4);\n memcpy(&head->atime, &hdr[0x118], 4);\n memcpy(&head->mtime, &hdr[0x11C], 4);\n memcpy(&head->ctime, &hdr[0x120], 4);\n memcpy(&head->file_size, &hdr[0x124], 4);\n memcpy(&head->equivalent_id, &hdr[0x128], 4);\n memcpy(head->alias, (char*) &hdr[0x12C], YAFFS_HEADER_ALIAS_LENGTH);\n\n //memcpy(&head->rdev_mode, &hdr[0x1CC], 4);\n //memcpy(&head->win_ctime, &hdr[0x1D0], 8);\n //memcpy(&head->win_atime, &hdr[0x1D8], 8);\n //memcpy(&head->win_mtime, &hdr[0x1E0], 8);\n //memcpy(&head->inband_obj_id, &hdr[0x1E8], 4);\n 
//memcpy(&head->inband_is_shrink, &hdr[0x1EC], 4);\n\n // NOTE: This isn't in Android 3.3 kernel but is in YAFFS2 git\n //memcpy(&head->file_size_high, &hdr[0x1F0], 4);\n\n free(hdr);\n\n *header = head;\n return 0;\n}", "project": "sleuthkit", "hash": 248697001007478312924169983288427483717, "size": 51, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299138 }, { "func": " yaffsfs_dir_open_meta(TSK_FS_INFO *a_fs, TSK_FS_DIR ** a_fs_dir,\n TSK_INUM_T a_addr)\n{\n TSK_FS_DIR *fs_dir;\n TSK_FS_NAME *fs_name;\n YAFFSFS_INFO *yfs = (YAFFSFS_INFO *)a_fs;\n int should_walk_children = 0;\n uint32_t obj_id;\n uint32_t ver_number;\n\n if (a_addr < a_fs->first_inum || a_addr > a_fs->last_inum) { \n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);\n tsk_error_set_errstr(\"yaffs_dir_open_meta: Invalid inode value: %\"\n PRIuINUM, a_addr);\n return TSK_ERR;\n }\n else if (a_fs_dir == NULL) {\n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS_ARG);\n tsk_error_set_errstr(\"yaffs_dir_open_meta: NULL fs_dir argument given\");\n return TSK_ERR;\n }\n\n fs_dir = *a_fs_dir;\n\n if (fs_dir) {\n tsk_fs_dir_reset(fs_dir);\n fs_dir->addr = a_addr;\n }\n else if ((*a_fs_dir = fs_dir = tsk_fs_dir_alloc(a_fs, a_addr, 128)) == NULL) {\n return TSK_ERR;\n }\n\n if (tsk_verbose)\n fprintf(stderr,\"yaffs_dir_open_meta: called for directory %\" PRIu32 \"\\n\", (uint32_t) a_addr);\n\n // handle the orphan directory if its contents were requested\n if (a_addr == TSK_FS_ORPHANDIR_INUM(a_fs)) {\n return tsk_fs_dir_find_orphans(a_fs, fs_dir);\n }\n\n if ((fs_name = tsk_fs_name_alloc(YAFFSFS_MAXNAMLEN, 0)) == NULL) {\n return TSK_ERR;\n }\n\n\n if ((fs_dir->fs_file = \n tsk_fs_file_open_meta(a_fs, NULL, a_addr)) == NULL) {\n tsk_error_errstr2_concat(\" - 
yaffs_dir_open_meta\");\n tsk_fs_name_free(fs_name);\n return TSK_ERR;\n }\n\n // extract obj_id and ver_number from inum\n yaffscache_inode_to_obj_id_and_version(a_addr, &obj_id, &ver_number);\n\n // Decide if we should walk the directory structure\n if (obj_id == YAFFS_OBJECT_DELETED ||\n obj_id == YAFFS_OBJECT_UNLINKED) {\n should_walk_children = 1;\n }\n else {\n YaffsCacheObject *obj;\n YaffsCacheVersion *versionFound;\n TSK_RETVAL_ENUM result = yaffscache_version_find_by_inode(yfs, a_addr, &versionFound, &obj);\n if (result != TSK_OK) {\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffsfs_dir_open_meta: yaffscache_version_find_by_inode failed! (inode: %d\\n\", a_addr);\n tsk_fs_name_free(fs_name);\n return TSK_ERR;\n }\n\n /* Only attach files onto the latest version of the directory */\n should_walk_children = (obj->yco_latest == versionFound);\n }\n\n // Search the cache for the children of this object and add them to fs_dir\n if (should_walk_children) {\n dir_open_cb_args args;\n args.yfs = yfs;\n args.dir = fs_dir;\n args.parent_addr = a_addr;\n yaffscache_find_children(yfs, a_addr, yaffs_dir_open_meta_cb, &args);\n }\n\n // add special entries to root directory\n if (obj_id == YAFFS_OBJECT_ROOT) {\n strncpy(fs_name->name, YAFFS_OBJECT_UNLINKED_NAME, fs_name->name_size);\n fs_name->meta_addr = YAFFS_OBJECT_UNLINKED;\n fs_name->type = TSK_FS_NAME_TYPE_DIR;\n fs_name->flags = TSK_FS_NAME_FLAG_ALLOC;\n if (tsk_fs_dir_add(fs_dir, fs_name)) {\n tsk_fs_name_free(fs_name);\n return TSK_ERR;\n }\n\n strncpy(fs_name->name, YAFFS_OBJECT_DELETED_NAME, fs_name->name_size);\n fs_name->meta_addr = YAFFS_OBJECT_DELETED;\n fs_name->type = TSK_FS_NAME_TYPE_DIR;\n fs_name->flags = TSK_FS_NAME_FLAG_ALLOC;\n if (tsk_fs_dir_add(fs_dir, fs_name)) {\n tsk_fs_name_free(fs_name);\n return TSK_ERR;\n }\n\n // orphan directory\n if (tsk_fs_dir_make_orphan_dir_name(a_fs, fs_name)) {\n tsk_fs_name_free(fs_name);\n return TSK_ERR;\n }\n fs_name->meta_addr = yfs->fs_info.last_inum;\n 
fs_name->type = TSK_FS_NAME_TYPE_DIR;\n fs_name->flags = TSK_FS_NAME_FLAG_ALLOC;\n if (tsk_fs_dir_add(fs_dir, fs_name)) {\n tsk_fs_name_free(fs_name);\n return TSK_ERR;\n }\n }\n\n tsk_fs_name_free(fs_name);\n return TSK_OK;\n}", "project": "sleuthkit", "hash": 218448705481900852911485599877380971624, "size": 123, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299139 }, { "func": " yaffsfs_is_spare_valid(YAFFSFS_INFO * /*yfs*/, YaffsSpare *spare)\n{\n if (spare == NULL) {\n return 1;\n }\n\n if ((spare->object_id > YAFFS_MAX_OBJECT_ID) ||\n (spare->seq_number < YAFFS_LOWEST_SEQUENCE_NUMBER) ||\n (spare->seq_number > YAFFS_HIGHEST_SEQUENCE_NUMBER)) {\n return 1;\n }\n\n return 0;\n}", "project": "sleuthkit", "hash": 130675918105434967993891433658352057685, "size": 14, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299135 }, { "func": "static uint8_t yaffs_is_version_allocated(YAFFSFS_INFO * yfs, TSK_INUM_T inode){\n YaffsCacheObject * obj;\n YaffsCacheVersion * version;\n YaffsCacheChunk * curr;\n\n TSK_RETVAL_ENUM result = yaffscache_version_find_by_inode(yfs, inode, &version, &obj);\n if (result != TSK_OK) {\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffs_is_version_allocated: yaffscache_version_find_by_inode failed! (inode: %d)\\n\", inode);\n return 0;\n }\n\n if(obj->yco_latest == version){\n curr = obj->yco_latest->ycv_header_chunk;\n while(curr != NULL){\n // We're looking for a newer unlinked or deleted header. 
If one exists, then this object should be considered unallocated\n if((curr->ycc_parent_id == YAFFS_OBJECT_UNLINKED) || (curr->ycc_parent_id == YAFFS_OBJECT_DELETED)){\n return 0;\n }\n curr = curr ->ycc_next;\n }\n return 1;\n }\n else{\n return 0;\n }\n\n}", "project": "sleuthkit", "hash": 67440269326265525915145934425692102520, "size": 28, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299159 }, { "func": " yaffscache_object_find_or_add(YAFFSFS_INFO *yfs, uint32_t obj_id, YaffsCacheObject **obj)\n{\n YaffsCacheObject *prev;\n TSK_RETVAL_ENUM result;\n\n if (obj == NULL) {\n return TSK_ERR;\n }\n\n // Look for this obj_id in yfs->cache_objects\n // If not found, add it in the correct spot\n // yaffscache_object_find returns the last object with obj_id less than the one\n // we were searching for, so use that to insert the new one in the list\n result = yaffscache_object_find(yfs, obj_id, &prev);\n if (result == TSK_OK) {\n *obj = prev;\n return TSK_OK;\n }\n else if (result == TSK_STOP) {\n *obj = (YaffsCacheObject *) tsk_malloc(sizeof(YaffsCacheObject));\n (*obj)->yco_obj_id = obj_id;\n if (prev == NULL) {\n (*obj)->yco_next = yfs->cache_objects;\n yfs->cache_objects = *obj;\n }\n else {\n (*obj)->yco_next = prev->yco_next;\n prev->yco_next = (*obj);\n }\n return TSK_OK;\n }\n else {\n *obj = NULL;\n return TSK_ERR;\n }\n}", "project": "sleuthkit", "hash": 240908424395145686860377180929775093511, "size": 36, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299163 }, { "func": " 
yaffscache_versions_compute(YAFFSFS_INFO *yfs)\n{\n std::map::iterator iter;\n for( iter = yfs->chunkMap->begin(); iter != yfs->chunkMap->end(); ++iter ) {\n YaffsCacheChunk *chunk_curr = yfs->chunkMap->operator[](iter->first).cache_chunks_head;\n\n while(chunk_curr != NULL) {\n if (yaffscache_versions_insert_chunk(yfs, chunk_curr) != TSK_OK) {\n return TSK_ERR;\n }\n\n chunk_curr = chunk_curr->ycc_next;\n }\n }\n\n return TSK_OK;\n}", "project": "sleuthkit", "hash": 184051434212114951377998509149338267834, "size": 17, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299133 }, { "func": " yaffscache_chunk_find_insertion_point(YAFFSFS_INFO *yfs, uint32_t obj_id, TSK_OFF_T offset, uint32_t seq_number, YaffsCacheChunk **chunk)\n{\n YaffsCacheChunk *curr, *prev;\n\n // Have we seen this obj_id? If not, add an entry for it\n if(yfs->chunkMap->find(obj_id) == yfs->chunkMap->end()){\n fflush(stderr);\n YaffsCacheChunkGroup chunkGroup;\n chunkGroup.cache_chunks_head = NULL;\n chunkGroup.cache_chunks_tail = NULL;\n yfs->chunkMap->insert(std::make_pair(obj_id, chunkGroup));\n }\n\n curr = yfs->chunkMap->operator[](obj_id).cache_chunks_head;\n prev = NULL;\n\n if (chunk == NULL) {\n return TSK_ERR;\n }\n\n while(curr != NULL) {\n // Compares obj id, then seq num, then offset. 
-1 => current < new\n int cmp = yaffscache_chunk_compare(curr, obj_id, offset, seq_number);\n\n if (cmp == 0) {\n *chunk = curr;\n return TSK_OK;\n }\n else if (cmp == 1) {\n *chunk = prev;\n return TSK_STOP;\n }\n\n prev = curr;\n curr = curr->ycc_next;\n }\n\n *chunk = prev;\n return TSK_STOP;\n}", "project": "sleuthkit", "hash": 114523940032032213276368368113062651303, "size": 40, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299122 }, { "func": " yaffsfs_read_chunk(YAFFSFS_INFO *yfs,\n YaffsHeader **header, YaffsSpare **spare, TSK_OFF_T offset)\n{\n TSK_OFF_T header_offset = offset;\n TSK_OFF_T spare_offset = offset + yfs->page_size; \n\n if (header == NULL || spare == NULL) {\n return 1;\n }\n\n if (yaffsfs_read_header(yfs, header, header_offset) != 0) {\n return 1;\n }\n\n if (yaffsfs_read_spare(yfs, spare, spare_offset) != 0) {\n free(*header);\n *header = NULL;\n return 1;\n }\n\n return 0;\n}", "project": "sleuthkit", "hash": 240679951570827351095142411661815455312, "size": 22, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299158 }, { "func": " yaffscache_obj_id_and_version_to_inode(uint32_t obj_id, uint32_t version_num, TSK_INUM_T *inode) {\n if ((obj_id & ~YAFFS_OBJECT_ID_MASK) != 0) {\n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS);\n tsk_error_set_errstr(\n \"yaffsfs_parse_image_load_cache: Max object ID %\" PRIu32 \" is invalid\", obj_id);\n return TSK_ERR;\n }\n\n if ((version_num & ~YAFFS_VERSION_NUM_MASK) != 0) {\n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS);\n 
tsk_error_set_errstr(\n \"yaffsfs_parse_image_load_cache: Max version number %\" PRIu32 \" is invalid\", version_num);\n return TSK_ERR;\n }\n\n *inode = obj_id | (version_num << YAFFS_VERSION_NUM_SHIFT);\n return TSK_OK;\n}", "project": "sleuthkit", "hash": 188395027171404522855068073725974164672, "size": 20, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299136 }, { "func": " yaffs_inode_lookup(TSK_FS_INFO *a_fs, TSK_FS_FILE * a_fs_file,\n TSK_INUM_T inum)\n{\n YAFFSFS_INFO *yfs = (YAFFSFS_INFO *)a_fs;\n YaffsCacheObject *obj;\n YaffsCacheVersion *version;\n YaffsHeader *header = NULL;\n YaffsSpare *spare = NULL;\n TSK_RETVAL_ENUM result;\n uint8_t type;\n const char *real_name;\n\n if (a_fs_file == NULL) {\n tsk_error_set_errno(TSK_ERR_FS_ARG);\n tsk_error_set_errstr(\"yaffsfs_inode_lookup: fs_file is NULL\");\n return 1;\n }\n\n if (a_fs_file->meta == NULL) {\n if ((a_fs_file->meta =\n tsk_fs_meta_alloc(YAFFS_FILE_CONTENT_LEN)) == NULL)\n return 1;\n }\n else {\n tsk_fs_meta_reset(a_fs_file->meta);\n }\n\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffs_inode_lookup: looking up %\" PRIuINUM \"\\n\",inum);\n\n switch(inum) {\n case YAFFS_OBJECT_UNLINKED:\n yaffs_make_unlinked(yfs, a_fs_file);\n return 0;\n\n case YAFFS_OBJECT_DELETED:\n yaffs_make_deleted(yfs, a_fs_file);\n return 0;\n }\n\n if(inum == yfs->fs_info.last_inum){\n yaffs_make_orphan_dir(yfs, a_fs_file);\n return 0;\n }\n\n result = yaffscache_version_find_by_inode(yfs, inum, &version, &obj);\n if (result != TSK_OK) {\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffs_inode_lookup: yaffscache_version_find_by_inode failed! 
(inode = %d)\\n\", inum);\n return 1;\n }\n\n if(version->ycv_header_chunk == NULL){\n return 1;\n }\n\n if (yaffsfs_read_chunk(yfs, &header, &spare, version->ycv_header_chunk->ycc_offset) != TSK_OK) {\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffs_inode_lookup: yaffsfs_read_chunk failed!\\n\");\n return 1;\n }\n\n type = header->obj_type;\n\n switch(inum) {\n case YAFFS_OBJECT_LOSTNFOUND:\n real_name = YAFFS_OBJECT_LOSTNFOUND_NAME;\n break;\n case YAFFS_OBJECT_UNLINKED:\n real_name = YAFFS_OBJECT_UNLINKED_NAME;\n break;\n case YAFFS_OBJECT_DELETED:\n real_name = YAFFS_OBJECT_DELETED_NAME;\n break;\n default:\n real_name = header->name;\n break;\n }\n\n switch(type) {\n case YAFFS_TYPE_FILE:\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffs_inode_lookup: is a file\\n\");\n yaffs_make_regularfile(yfs, a_fs_file, inum, real_name);\n break;\n\n case YAFFS_TYPE_DIRECTORY:\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffs_inode_lookup: is a directory\\n\");\n yaffs_make_directory(yfs, a_fs_file, inum, real_name);\n break;\n\n case YAFFS_TYPE_SOFTLINK:\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffs_inode_lookup: is a symbolic link\\n\");\n yaffs_make_regularfile(yfs, a_fs_file, inum, real_name);\n a_fs_file->meta->type = TSK_FS_META_TYPE_LNK;\n break;\n\n case YAFFS_TYPE_HARDLINK:\n case YAFFS_TYPE_UNKNOWN:\n default:\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffs_inode_lookup: is *** UNHANDLED *** (type %d, header at 0x%x)\\n\", type, version->ycv_header_chunk->ycc_offset);\n // We can still set a few things\n a_fs_file->meta->type = TSK_FS_META_TYPE_UNDEF;\n a_fs_file->meta->addr = inum;\n if(yaffs_is_version_allocated(yfs, inum)){\n a_fs_file->meta->flags =\n (TSK_FS_META_FLAG_ENUM)(TSK_FS_META_FLAG_USED | TSK_FS_META_FLAG_ALLOC);\n }\n else{\n a_fs_file->meta->flags =\n (TSK_FS_META_FLAG_ENUM)(TSK_FS_META_FLAG_USED | TSK_FS_META_FLAG_UNALLOC);\n }\n if (a_fs_file->meta->name2 == NULL) {\n if ((a_fs_file->meta->name2 = (TSK_FS_META_NAME_LIST *)\n 
tsk_malloc(sizeof(TSK_FS_META_NAME_LIST))) == NULL){\n return 1;\n }\n a_fs_file->meta->name2->next = NULL;\n }\n strncpy(a_fs_file->meta->name2->name, real_name,\n TSK_FS_META_NAME_LIST_NSIZE);\n break;\n }\n\n /* Who owns this? I'm following the way FATFS does it by freeing + NULLing \n * this and mallocing if used. \n */\n free(a_fs_file->meta->link);\n a_fs_file->meta->link = NULL;\n\n if (type != YAFFS_TYPE_HARDLINK) {\n a_fs_file->meta->mode = (TSK_FS_META_MODE_ENUM)(header->file_mode & TWELVE_BITS_MASK); // chop at 12 bits;\n a_fs_file->meta->uid = header->user_id;\n a_fs_file->meta->gid = header->group_id;\n a_fs_file->meta->mtime = header->mtime;\n a_fs_file->meta->atime = header->atime;\n a_fs_file->meta->ctime = header->ctime;\n }\n\n if (type == YAFFS_TYPE_FILE) {\n a_fs_file->meta->size = header->file_size;\n // NOTE: This isn't in Android 3.3 kernel but is in YAFFS2 git\n //a_fs_file->meta->size |= ((TSK_OFF_T) header->file_size_high) << 32;\n }\n\n if (type == YAFFS_TYPE_HARDLINK) {\n // TODO: Store equivalent_id somewhere? 
*/\n }\n\n if (type == YAFFS_TYPE_SOFTLINK) {\n a_fs_file->meta->link = (char*)tsk_malloc(YAFFS_HEADER_ALIAS_LENGTH);\n if (a_fs_file->meta->link == NULL) {\n free(header);\n free(spare);\n return 1;\n }\n\n memcpy(a_fs_file->meta->link, header->alias, YAFFS_HEADER_ALIAS_LENGTH);\n }\n\n free(header);\n free(spare);\n return 0;\n}", "project": "sleuthkit", "hash": 98327656626368013319552742486431409419, "size": 167, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299141 }, { "func": " yaffscache_inode_to_obj_id_and_version(TSK_INUM_T inode, uint32_t *obj_id, uint32_t *version_num) {\n *obj_id = inode & YAFFS_OBJECT_ID_MASK;\n *version_num = (inode >> YAFFS_VERSION_NUM_SHIFT) & YAFFS_VERSION_NUM_MASK;\n\n return TSK_OK;\n}", "project": "sleuthkit", "hash": 327125701005853403776269894545932289287, "size": 6, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299153 }, { "func": " yaffs_make_unlinked( YAFFSFS_INFO * yaffsfs, TSK_FS_FILE * a_fs_file )\n{\n TSK_FS_FILE * fs_file = a_fs_file;\n\n if (tsk_verbose)\n tsk_fprintf(stderr, \"yaffs_make_unlinked: Making virtual unlinked node\\n\");\n\n if (yaffs_make_directory(yaffsfs, fs_file, YAFFS_OBJECT_UNLINKED, YAFFS_OBJECT_UNLINKED_NAME))\n return 1;\n\n return 0;\n}", "project": "sleuthkit", "hash": 128457212225824032557027537664900192991, "size": 12, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by 
tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299151 }, { "func": " yaffsfs_close(TSK_FS_INFO *fs)\n{\n if(fs != NULL){\n YAFFSFS_INFO *yfs = (YAFFSFS_INFO *)fs;\n\n fs->tag = 0;\n\n // Walk and free the cache structures\n yaffscache_objects_free(yfs);\n yaffscache_chunks_free(yfs);\n\n //tsk_deinit_lock(&yaffsfs->lock);\n tsk_fs_free(fs);\n\t}\n}", "project": "sleuthkit", "hash": 283529075464220675100208170756222784266, "size": 15, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299161 }, { "func": " yaffs_make_directory(YAFFSFS_INFO *yaffsfs, TSK_FS_FILE *a_fs_file, \n TSK_INUM_T inode, const char *name)\n{\n TSK_FS_FILE *fs_file = a_fs_file;\n\n\n fs_file->meta->type = TSK_FS_META_TYPE_DIR;\n fs_file->meta->mode = (TSK_FS_META_MODE_ENUM)0;\n fs_file->meta->nlink = 1;\n\n if((inode == YAFFS_OBJECT_UNLINKED) || (inode == YAFFS_OBJECT_DELETED) ||\n (inode == yaffsfs->fs_info.last_inum)){\n fs_file->meta->flags =\n (TSK_FS_META_FLAG_ENUM)(TSK_FS_META_FLAG_USED | TSK_FS_META_FLAG_ALLOC);\n }\n else{\n if(yaffs_is_version_allocated(yaffsfs, inode)){\n fs_file->meta->flags =\n (TSK_FS_META_FLAG_ENUM)(TSK_FS_META_FLAG_USED | TSK_FS_META_FLAG_ALLOC);\n }\n else{\n fs_file->meta->flags =\n (TSK_FS_META_FLAG_ENUM)(TSK_FS_META_FLAG_USED | TSK_FS_META_FLAG_UNALLOC);\n }\n }\n fs_file->meta->uid = fs_file->meta->gid = 0;\n fs_file->meta->mtime = fs_file->meta->atime = fs_file->meta->ctime =\n fs_file->meta->crtime = 0;\n fs_file->meta->mtime_nano = fs_file->meta->atime_nano =\n fs_file->meta->ctime_nano = fs_file->meta->crtime_nano = 0;\n\n if (fs_file->meta->name2 == NULL) {\n if ((fs_file->meta->name2 = (TSK_FS_META_NAME_LIST *)\n tsk_malloc(sizeof(TSK_FS_META_NAME_LIST))) == NULL) {\n return 1;\n }\n fs_file->meta->name2->next = 
NULL;\n }\n\n if (fs_file->meta->attr != NULL) {\n tsk_fs_attrlist_markunused(fs_file->meta->attr);\n }\n else {\n fs_file->meta->attr = tsk_fs_attrlist_alloc();\n }\n\n strncpy(fs_file->meta->name2->name, name,\n TSK_FS_META_NAME_LIST_NSIZE);\n\n fs_file->meta->size = 0;\n fs_file->meta->attr_state = TSK_FS_META_ATTR_EMPTY;\n fs_file->meta->addr = inode;\n return 0;\n}", "project": "sleuthkit", "hash": 115258719037552174192728763385027107445, "size": 54, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299123 }, { "func": " yaffscache_object_find(YAFFSFS_INFO *yfs, uint32_t obj_id, YaffsCacheObject **obj)\n{\n YaffsCacheObject *curr, *prev;\n curr = yfs->cache_objects;\n prev = NULL;\n\n if (obj == NULL) {\n return TSK_ERR;\n }\n\n while(curr != NULL) {\n if (curr->yco_obj_id == obj_id) {\n *obj = curr;\n return TSK_OK;\n }\n else if (curr->yco_obj_id > obj_id) {\n *obj = prev;\n return TSK_STOP;\n }\n\n prev = curr;\n curr = curr->yco_next;\n }\n\n *obj = prev;\n return TSK_STOP;\n}", "project": "sleuthkit", "hash": 90332401320396783095696494391400687766, "size": 27, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299121 }, { "func": " yaffscache_objects_free(YAFFSFS_INFO *yfs)\n{\n if((yfs != NULL) && (yfs->cache_objects != NULL)){\n YaffsCacheObject *obj = yfs->cache_objects;\n while(obj != NULL) {\n YaffsCacheObject *to_free = obj;\n\n YaffsCacheVersion *ver = obj->yco_latest;\n while(ver != NULL) {\n YaffsCacheVersion *v_to_free = ver;\n ver = ver->ycv_prior;\n free(v_to_free);\n }\n\n obj = 
obj->yco_next;\n free(to_free);\n }\n }\n}", "project": "sleuthkit", "hash": 88826494388924437027344343608682099675, "size": 19, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299119 }, { "func": " yaffs2_open(TSK_IMG_INFO * img_info, TSK_OFF_T offset,\n TSK_FS_TYPE_ENUM ftype, uint8_t test)\n{\n YAFFSFS_INFO *yaffsfs = NULL;\n TSK_FS_INFO *fs = NULL;\n const unsigned int psize = img_info->page_size;\n const unsigned int ssize = img_info->spare_size;\n YaffsHeader * first_header = NULL;\n TSK_FS_DIR *test_dir;\n std::map configParams;\n YAFFS_CONFIG_STATUS config_file_status;\n\n // clean up any error messages that are lying around\n tsk_error_reset();\n\n if (TSK_FS_TYPE_ISYAFFS2(ftype) == 0) {\n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS_ARG);\n tsk_error_set_errstr(\"Invalid FS Type in yaffsfs_open\");\n return NULL;\n }\n\n if (img_info->sector_size == 0) {\n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS_ARG);\n tsk_error_set_errstr(\"yaffs2_open: sector size is 0\");\n return NULL;\n }\n\n \n\n if ((yaffsfs = (YAFFSFS_INFO *) tsk_fs_malloc(sizeof(YAFFSFS_INFO))) == NULL)\n return NULL;\n yaffsfs->cache_objects = NULL;\n yaffsfs->chunkMap = NULL;\n\n fs = &(yaffsfs->fs_info);\n\n fs->tag = TSK_FS_INFO_TAG;\n fs->ftype = ftype;\n fs->flags = (TSK_FS_INFO_FLAG_ENUM)0;\n fs->img_info = img_info;\n fs->offset = offset;\n fs->endian = TSK_LIT_ENDIAN;\n\n // Read config file (if it exists)\n config_file_status = yaffs_load_config_file(img_info, configParams);\n // BL-6929(JTS): When using external readers, this call will fail.\n // Not having a config should not be a fatal error.\n /*if(config_file_status == YAFFS_CONFIG_ERROR){\n // tsk_error was set by yaffs_load_config\n goto on_error;\n }\n else*/ if(config_file_status 
== YAFFS_CONFIG_OK){\n // Validate the input\n // If it fails validation, return (tsk_error will be set up already)\n if(1 == yaffs_validate_config_file(configParams)){\n goto on_error;\n }\n }\n\n // If we read these fields from the config file, use those values. Otherwise use the defaults\n if(configParams.find(YAFFS_CONFIG_PAGE_SIZE_STR) != configParams.end()){\n yaffsfs->page_size = atoi(configParams[YAFFS_CONFIG_PAGE_SIZE_STR].c_str());\n }\n else{\n yaffsfs->page_size = psize == 0 ? YAFFS_DEFAULT_PAGE_SIZE : psize;\n }\n\n if(configParams.find(YAFFS_CONFIG_SPARE_SIZE_STR) != configParams.end()){\n yaffsfs->spare_size = atoi(configParams[YAFFS_CONFIG_SPARE_SIZE_STR].c_str());\n }\n else{\n yaffsfs->spare_size = ssize == 0 ? YAFFS_DEFAULT_SPARE_SIZE : ssize;\n }\n\n if(configParams.find(YAFFS_CONFIG_CHUNKS_PER_BLOCK_STR) != configParams.end()){\n yaffsfs->chunks_per_block = atoi(configParams[YAFFS_CONFIG_CHUNKS_PER_BLOCK_STR].c_str());\n }\n else{\n yaffsfs->chunks_per_block = 64;\n }\n\n // TODO: Why are 2 different memory allocation methods used in the same code?\n // This makes things unnecessary complex.\n yaffsfs->max_obj_id = 1;\n yaffsfs->max_version = 0;\n\n // Keep track of whether we're doing auto-detection of the file system\n if(test){\n yaffsfs->autoDetect = 1;\n }\n else{\n yaffsfs->autoDetect = 0;\n }\n\n // Determine the layout of the spare area\n // If it was specified in the config file, use those values. 
Otherwise do the auto-detection\n if(configParams.find(YAFFS_CONFIG_SEQ_NUM_STR) != configParams.end()){\n // In the validation step, we ensured that if one of the offsets was set, we have all of them\n yaffsfs->spare_seq_offset = atoi(configParams[YAFFS_CONFIG_SEQ_NUM_STR].c_str());\n yaffsfs->spare_obj_id_offset = atoi(configParams[YAFFS_CONFIG_OBJ_ID_STR].c_str());\n yaffsfs->spare_chunk_id_offset = atoi(configParams[YAFFS_CONFIG_CHUNK_ID_STR].c_str());\n\n // Check that the offsets are valid for the given spare area size (fields are 4 bytes long)\n if((yaffsfs->spare_seq_offset + 4 > yaffsfs->spare_size) ||\n (yaffsfs->spare_obj_id_offset + 4 > yaffsfs->spare_size) ||\n (yaffsfs->spare_chunk_id_offset + 4 > yaffsfs->spare_size)){\n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS);\n tsk_error_set_errstr(\"yaffs2_open: Offset(s) in config file too large for spare area (size %d). %s\", yaffsfs->spare_size, YAFFS_HELP_MESSAGE);\n goto on_error;\n }\n\n\n // nBytes isn't currently used, so just set to zero\n yaffsfs->spare_nbytes_offset = 0;\n }\n else{\n // Decide how many blocks to test. If we're not doing auto-detection, set to zero (no limit)\n unsigned int maxBlocksToTest;\n if(yaffsfs->autoDetect){\n maxBlocksToTest = YAFFS_DEFAULT_MAX_TEST_BLOCKS;\n }\n else{\n maxBlocksToTest = 0;\n }\n\n if(yaffs_initialize_spare_format(yaffsfs, maxBlocksToTest) != TSK_OK){\n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS_MAGIC);\n tsk_error_set_errstr(\"not a YAFFS file system (bad spare format). 
%s\", YAFFS_HELP_MESSAGE);\n if (tsk_verbose)\n fprintf(stderr, \"yaffsfs_open: could not find valid spare area format\\n%s\\n\", YAFFS_HELP_MESSAGE);\n goto on_error;\n }\n }\n\n /*\n * Read the first record, make sure it's a valid header...\n *\n * Used for verification and autodetection of\n * the FS type.\n */\n if (yaffsfs_read_header(yaffsfs, &first_header, 0)) {\n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS_MAGIC);\n tsk_error_set_errstr(\"not a YAFFS file system (first record). %s\", YAFFS_HELP_MESSAGE);\n if (tsk_verbose)\n fprintf(stderr, \"yaffsfs_open: invalid first record\\n%s\\n\", YAFFS_HELP_MESSAGE);\n goto on_error;\n }\n free(first_header);\n first_header = NULL;\n\n fs->duname = \"Chunk\";\n\n /*\n * Calculate the meta data info\n */\n //fs->last_inum = 0xffffffff; // Will update this as we go\n fs->last_inum = 0;\n fs->root_inum = YAFFS_OBJECT_ROOT;\n fs->first_inum = YAFFS_OBJECT_FIRST;\n //fs->inum_count = fs->last_inum; // For now this will be the last_inum - 1 (after we calculate it)\n\n /*\n * Calculate the block info\n */\n fs->dev_bsize = img_info->sector_size;\n fs->block_size = yaffsfs->page_size;\n fs->block_pre_size = 0;\n fs->block_post_size = yaffsfs->spare_size;\n fs->block_count = img_info->size / (fs->block_pre_size + fs->block_size + fs->block_post_size);\n fs->first_block = 0;\n fs->last_block_act = fs->last_block = fs->block_count ? 
fs->block_count - 1 : 0;\n\n /* Set the generic function pointers */\n fs->inode_walk = yaffsfs_inode_walk;\n fs->block_walk = yaffsfs_block_walk;\n fs->block_getflags = yaffsfs_block_getflags;\n\n fs->get_default_attr_type = yaffsfs_get_default_attr_type;\n fs->load_attrs = yaffsfs_load_attrs;\n\n fs->file_add_meta = yaffs_inode_lookup;\n fs->dir_open_meta = yaffsfs_dir_open_meta;\n fs->fsstat = yaffsfs_fsstat;\n fs->fscheck = yaffsfs_fscheck;\n fs->istat = yaffsfs_istat;\n fs->name_cmp = tsk_fs_unix_name_cmp;\n\n fs->close = yaffsfs_close;\n\n /* Journal */\n fs->jblk_walk = yaffsfs_jblk_walk;\n fs->jentry_walk = yaffsfs_jentry_walk;\n fs->jopen = yaffsfs_jopen;\n\n /* Initialize the caches */\n if (tsk_verbose)\n fprintf(stderr, \"yaffsfs_open: building cache...\\n\");\n\n /* Build cache */\n /* NOTE: The only modifications to the cache happen here, during at \n * the open. Should be fine with no lock, even if access to the\n * cache is shared among threads.\n */\n //tsk_init_lock(&yaffsfs->lock);\n yaffsfs->chunkMap = new std::map;\n if (TSK_OK != yaffsfs_parse_image_load_cache(yaffsfs)) {\n goto on_error;\n }\n\n if (tsk_verbose) {\n fprintf(stderr, \"yaffsfs_open: done building cache!\\n\");\n //yaffscache_objects_dump(yaffsfs, stderr);\n }\n\n // Update the number of inums now that we've read in the file system\n fs->inum_count = fs->last_inum - 1;\n\n test_dir = tsk_fs_dir_open_meta(fs, fs->root_inum);\n if (test_dir == NULL) {\n tsk_error_reset();\n tsk_error_set_errno(TSK_ERR_FS_MAGIC);\n tsk_error_set_errstr(\"not a YAFFS file system (no root directory). 
%s\", YAFFS_HELP_MESSAGE);\n if (tsk_verbose)\n fprintf(stderr, \"yaffsfs_open: invalid file system\\n%s\\n\", YAFFS_HELP_MESSAGE);\n goto on_error;\n }\n tsk_fs_dir_close(test_dir);\n\n return fs;\n\non_error:\n // yaffsfs_close frees all the cache objects\n yaffsfs_close(fs);\n\n return NULL;\n}", "project": "sleuthkit", "hash": 110573874781678843492537982461675407951, "size": 241, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299118 }, { "func": " yaffscache_version_find_by_inode(YAFFSFS_INFO *yfs, TSK_INUM_T inode, YaffsCacheVersion **version, YaffsCacheObject **obj_ret) {\n uint32_t obj_id, version_num;\n YaffsCacheObject *obj;\n YaffsCacheVersion *curr;\n\n if (version == NULL) {\n return TSK_ERR;\n }\n\n // convert inode to obj and version and find it in cache\n if (yaffscache_inode_to_obj_id_and_version(inode, &obj_id, &version_num) != TSK_OK) {\n *version = NULL;\n return TSK_ERR;\n }\n\n if (yaffscache_object_find(yfs, obj_id, &obj) != TSK_OK) {\n *version = NULL;\n return TSK_ERR;\n }\n\n if (version_num == 0) {\n if (obj_ret != NULL) {\n *obj_ret = obj;\n }\n *version = obj->yco_latest;\n return TSK_OK;\n }\n\n // Find the requested version in the list. 
\n for(curr = obj->yco_latest; curr != NULL; curr = curr->ycv_prior) {\n if (curr->ycv_version == version_num) {\n if (obj_ret != NULL) {\n *obj_ret = obj;\n }\n *version = curr;\n return TSK_OK;\n }\n }\n\n if (obj_ret != NULL) {\n *obj_ret = NULL;\n }\n *version = NULL;\n return TSK_ERR;\n}", "project": "sleuthkit", "hash": 72247942369164838949376419259068245027, "size": 45, "commit_id": "459ae818fc8dae717549810150de4d191ce158f1", "message": "Fix stack buffer overflow in yaffsfs_istat\n\nPrevent a stack buffer overflow in yaffsfs_istat by increasing the buffer size to the size required by tsk_fs_time_to_str.", "target": 0, "dataset": "other", "idx": 299128 } ] }, { "call_depth": 2, "longest_call_chain": [ "execlists_context_alloc", "__execlists_context_alloc" ], "group_size": 2, "functions": [ { "func": "static int __execlists_context_alloc(struct intel_context *ce,\n\t\t\t\t struct intel_engine_cs *engine)\n{\n\tstruct drm_i915_gem_object *ctx_obj;\n\tstruct intel_ring *ring;\n\tstruct i915_vma *vma;\n\tu32 context_size;\n\tint ret;\n\n\tGEM_BUG_ON(ce->state);\n\tcontext_size = round_up(engine->context_size, I915_GTT_PAGE_SIZE);\n\n\tif (IS_ENABLED(CONFIG_DRM_I915_DEBUG_GEM))\n\t\tcontext_size += I915_GTT_PAGE_SIZE; /* for redzone */\n\n\tctx_obj = i915_gem_object_create_shmem(engine->i915, context_size);\n\tif (IS_ERR(ctx_obj))\n\t\treturn PTR_ERR(ctx_obj);\n\n\tvma = i915_vma_instance(ctx_obj, &engine->gt->ggtt->vm, NULL);\n\tif (IS_ERR(vma)) {\n\t\tret = PTR_ERR(vma);\n\t\tgoto error_deref_obj;\n\t}\n\n\tif (!ce->timeline) {\n\t\tstruct intel_timeline *tl;\n\n\t\ttl = intel_timeline_create(engine->gt, NULL);\n\t\tif (IS_ERR(tl)) {\n\t\t\tret = PTR_ERR(tl);\n\t\t\tgoto error_deref_obj;\n\t\t}\n\n\t\tce->timeline = tl;\n\t}\n\n\tring = intel_engine_create_ring(engine, (unsigned long)ce->ring);\n\tif (IS_ERR(ring)) {\n\t\tret = PTR_ERR(ring);\n\t\tgoto error_deref_obj;\n\t}\n\n\tret = populate_lr_context(ce, ctx_obj, engine, ring);\n\tif (ret) 
{\n\t\tDRM_DEBUG_DRIVER(\"Failed to populate LRC: %d\\n\", ret);\n\t\tgoto error_ring_free;\n\t}\n\n\tce->ring = ring;\n\tce->state = vma;\n\n\treturn 0;\n\nerror_ring_free:\n\tintel_ring_put(ring);\nerror_deref_obj:\n\ti915_gem_object_put(ctx_obj);\n\treturn ret;\n}", "project": "linux", "hash": 37091832623196937639875277667994129000, "size": 60, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281558 }, { "func": "static int execlists_context_alloc(struct intel_context *ce)\n{\n\treturn __execlists_context_alloc(ce, ce->engine);\n}", "project": "linux", "hash": 156328306801118031997845219158151047620, "size": 4, "commit_id": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "message": "drm/i915/gen9: Clear residual context state on context switch\n\nIntel ID: PSIRT-TA-201910-001\nCVEID: CVE-2019-14615\n\nIntel GPU Hardware prior to Gen11 does not clear EU state\nduring a context switch. This can result in information\nleakage between contexts.\n\nFor Gen8 and Gen9, hardware provides a mechanism for\nfast cleardown of the EU state, by issuing a PIPE_CONTROL\nwith bit 27 set. 
We can use this in a context batch buffer\nto explicitly cleardown the state on every context switch.\n\nAs this workaround is already in place for gen8, we can borrow\nthe code verbatim for Gen9.\n\nSigned-off-by: Mika Kuoppala \nSigned-off-by: Akeem G Abodunrin \nCc: Kumar Valsan Prathap \nCc: Chris Wilson \nCc: Balestrieri Francesco \nCc: Bloomfield Jon \nCc: Dutt Sudeep ", "target": 0, "dataset": "other", "idx": 281437 } ] }, { "call_depth": 7, "longest_call_chain": [ "ptirq_remove_configured_intx_remappings", "ptirq_remove_intx_remapping", "remove_intx_remapping", "dmar_free_irte", "dmar_invalid_iec", "dmar_issue_qi_request", "iommu_write32" ], "group_size": 66, "functions": [ { "func": "static void dmar_disable_qi(struct dmar_drhd_rt *dmar_unit)\n{\n\tuint32_t status = 0;\n\n\tspinlock_obtain(&(dmar_unit->lock));\n\n\tif ((dmar_unit->gcmd & DMA_GCMD_QIE) == DMA_GCMD_QIE) {\n\t\tdmar_unit->gcmd &= ~DMA_GCMD_QIE;\n\t\tiommu_write32(dmar_unit, DMAR_GCMD_REG,\tdmar_unit->gcmd);\n\t\tdmar_wait_completion(dmar_unit, DMAR_GSTS_REG, DMA_GSTS_QIES, DMA_GSTS_QIES, &status);\n\t}\n\n\tspinlock_release(&(dmar_unit->lock));\n}", "project": "acrn-hypervisor", "hash": 31862018921293568856988535663691221986, "size": 14, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262850 }, { "func": "static void dmar_fault_event_unmask(struct dmar_drhd_rt *dmar_unit)\n{\n\tspinlock_obtain(&(dmar_unit->lock));\n\tiommu_write32(dmar_unit, DMAR_FECTL_REG, 0U);\n\tspinlock_release(&(dmar_unit->lock));\n}", "project": "acrn-hypervisor", "hash": 
53021411351059196789157270218026624796, "size": 6, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262880 }, { "func": "static bool is_irte_reserved(const struct dmar_drhd_rt *dmar_unit, uint16_t index)\n{\n\treturn ((dmar_unit->irte_reserved_bitmap[index >> 6U] & (1UL << (index & 0x3FU))) != 0UL);\n}", "project": "acrn-hypervisor", "hash": 311658453237875256332772557151122082040, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262835 }, { "func": "static void prepare_dmar(struct dmar_drhd_rt *dmar_unit)\n{\n\tdev_dbg(DBG_LEVEL_IOMMU, \"enable dmar uint [0x%x]\", dmar_unit->drhd->reg_base_addr);\n\tdmar_setup_interrupt(dmar_unit);\n\tdmar_set_root_table(dmar_unit);\n\tdmar_enable_qi(dmar_unit);\n\tdmar_set_intr_remap_table(dmar_unit);\n}", "project": "acrn-hypervisor", "hash": 120458011876852477354139267313036222567, "size": 8, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' 
and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262852 }, { "func": "static void iommu_write32(const struct dmar_drhd_rt *dmar_unit, uint32_t offset, uint32_t value)\n{\n\tmmio_write32(value, hpa2hva(dmar_unit->drhd->reg_base_addr + offset));\n}", "project": "acrn-hypervisor", "hash": 250952528887743686366131940374564456527, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262859 }, { "func": "static void dmar_unit_show_capability(struct dmar_drhd_rt *dmar_unit)\n{\n\tpr_info(\"dmar unit[0x%x]\", dmar_unit->drhd->reg_base_addr);\n\tpr_info(\"\\tNumDomain:%d\", iommu_cap_ndoms(dmar_unit->cap));\n\tpr_info(\"\\tAdvancedFaultLogging:%d\", iommu_cap_afl(dmar_unit->cap));\n\tpr_info(\"\\tRequiredWBFlush:%d\", iommu_cap_rwbf(dmar_unit->cap));\n\tpr_info(\"\\tProtectedLowMemRegion:%d\", iommu_cap_plmr(dmar_unit->cap));\n\tpr_info(\"\\tProtectedHighMemRegion:%d\", iommu_cap_phmr(dmar_unit->cap));\n\tpr_info(\"\\tCachingMode:%d\", iommu_cap_caching_mode(dmar_unit->cap));\n\tpr_info(\"\\tSAGAW:0x%x\", iommu_cap_sagaw(dmar_unit->cap));\n\tpr_info(\"\\tMGAW:%d\", iommu_cap_mgaw(dmar_unit->cap));\n\tpr_info(\"\\tZeroLenRead:%d\", iommu_cap_zlr(dmar_unit->cap));\n\tpr_info(\"\\tLargePageSupport:0x%x\", iommu_cap_super_page_val(dmar_unit->cap));\n\tpr_info(\"\\tPageSelectiveInvalidation:%d\", iommu_cap_pgsel_inv(dmar_unit->cap));\n\tpr_info(\"\\tPageSelectInvalidation:%d\", 
iommu_cap_pgsel_inv(dmar_unit->cap));\n\tpr_info(\"\\tNumOfFaultRecordingReg:%d\", iommu_cap_num_fault_regs(dmar_unit->cap));\n\tpr_info(\"\\tMAMV:0x%x\", iommu_cap_max_amask_val(dmar_unit->cap));\n\tpr_info(\"\\tWriteDraining:%d\", iommu_cap_write_drain(dmar_unit->cap));\n\tpr_info(\"\\tReadDraining:%d\", iommu_cap_read_drain(dmar_unit->cap));\n\tpr_info(\"\\tPostInterrupts:%d\\n\", iommu_cap_pi(dmar_unit->cap));\n\tpr_info(\"\\tPage-walk Coherency:%d\", iommu_ecap_c(dmar_unit->ecap));\n\tpr_info(\"\\tQueuedInvalidation:%d\", iommu_ecap_qi(dmar_unit->ecap));\n\tpr_info(\"\\tDeviceTLB:%d\", iommu_ecap_dt(dmar_unit->ecap));\n\tpr_info(\"\\tInterruptRemapping:%d\", iommu_ecap_ir(dmar_unit->ecap));\n\tpr_info(\"\\tExtendedInterruptMode:%d\", iommu_ecap_eim(dmar_unit->ecap));\n\tpr_info(\"\\tPassThrough:%d\", iommu_ecap_pt(dmar_unit->ecap));\n\tpr_info(\"\\tSnoopControl:%d\", iommu_ecap_sc(dmar_unit->ecap));\n\tpr_info(\"\\tIOTLB RegOffset:0x%x\", iommu_ecap_iro(dmar_unit->ecap));\n\tpr_info(\"\\tMHMV:0x%x\", iommu_ecap_mhmv(dmar_unit->ecap));\n\tpr_info(\"\\tECS:%d\", iommu_ecap_ecs(dmar_unit->ecap));\n\tpr_info(\"\\tMTS:%d\", iommu_ecap_mts(dmar_unit->ecap));\n\tpr_info(\"\\tNEST:%d\", iommu_ecap_nest(dmar_unit->ecap));\n\tpr_info(\"\\tDIS:%d\", iommu_ecap_dis(dmar_unit->ecap));\n\tpr_info(\"\\tPRS:%d\", iommu_ecap_prs(dmar_unit->ecap));\n\tpr_info(\"\\tERS:%d\", iommu_ecap_ers(dmar_unit->ecap));\n\tpr_info(\"\\tSRS:%d\", iommu_ecap_srs(dmar_unit->ecap));\n\tpr_info(\"\\tNWFS:%d\", iommu_ecap_nwfs(dmar_unit->ecap));\n\tpr_info(\"\\tEAFS:%d\", iommu_ecap_eafs(dmar_unit->ecap));\n\tpr_info(\"\\tPSS:0x%x\", iommu_ecap_pss(dmar_unit->ecap));\n\tpr_info(\"\\tPASID:%d\", iommu_ecap_pasid(dmar_unit->ecap));\n\tpr_info(\"\\tDIT:%d\", iommu_ecap_dit(dmar_unit->ecap));\n\tpr_info(\"\\tPDS:%d\\n\", iommu_ecap_pds(dmar_unit->ecap));\n}", "project": "acrn-hypervisor", "hash": 268157737251981890962373221981108081084, "size": 43, "commit_id": 
"25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262816 }, { "func": "void ptirq_remove_intx_remapping(const struct acrn_vm *vm, uint32_t virt_gsi, bool pic_pin)\n{\n\tenum intx_ctlr vgsi_ctlr = pic_pin ? INTX_CTLR_PIC : INTX_CTLR_IOAPIC;\n\n\tspinlock_obtain(&ptdev_lock);\n\tremove_intx_remapping(vm, virt_gsi, vgsi_ctlr);\n\tspinlock_release(&ptdev_lock);\n}", "project": "acrn-hypervisor", "hash": 333991623125850631040314943922625097913, "size": 8, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262861 }, { "func": "static void dmar_disable_translation(struct dmar_drhd_rt *dmar_unit)\n{\n\tuint32_t status;\n\n\tspinlock_obtain(&(dmar_unit->lock));\n\tif ((dmar_unit->gcmd & DMA_GCMD_TE) != 0U) {\n\t\tdmar_unit->gcmd &= ~DMA_GCMD_TE;\n\t\tiommu_write32(dmar_unit, DMAR_GCMD_REG, dmar_unit->gcmd);\n\t\t/* 32-bit register */\n\t\tdmar_wait_completion(dmar_unit, DMAR_GSTS_REG, DMA_GSTS_TES, DMA_GSTS_TES, &status);\n\t}\n\n\tspinlock_release(&(dmar_unit->lock));\n}", "project": "acrn-hypervisor", "hash": 46077375303393546973652331929719597661, "size": 14, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input 
for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262857 }, { "func": "static int32_t iommu_detach_device(const struct iommu_domain *domain, uint8_t bus, uint8_t devfun)\n{\n\tstruct dmar_drhd_rt *dmar_unit;\n\tstruct dmar_entry *root_table;\n\tuint64_t context_table_addr;\n\tstruct dmar_entry *context;\n\tstruct dmar_entry *root_entry;\n\tstruct dmar_entry *context_entry;\n\t/* source id */\n\tunion pci_bdf sid;\n\tint32_t ret = -EINVAL;\n\n\tdmar_unit = device_to_dmaru(bus, devfun);\n\n\tsid.fields.bus = bus;\n\tsid.fields.devfun = devfun;\n\n\tif (is_dmar_unit_valid(dmar_unit, sid)) {\n\t\troot_table = (struct dmar_entry *)hpa2hva(dmar_unit->root_table_addr);\n\t\troot_entry = root_table + bus;\n\t\tret = 0;\n\n\t\tcontext_table_addr = dmar_get_bitslice(root_entry->lo_64, ROOT_ENTRY_LOWER_CTP_MASK,\n\t\t\t\t\t\t\tROOT_ENTRY_LOWER_CTP_POS);\n\t\tcontext_table_addr = context_table_addr << PAGE_SHIFT;\n\t\tcontext = (struct dmar_entry *)hpa2hva(context_table_addr);\n\n\t\tcontext_entry = context + devfun;\n\n\t\tif ((context == NULL) || (context_entry == NULL)) {\n\t\t\tpr_err(\"dmar context entry is invalid\");\n\t\t\tret = -EINVAL;\n\t\t} else if ((uint16_t)dmar_get_bitslice(context_entry->hi_64, CTX_ENTRY_UPPER_DID_MASK,\n\t\t\t\t\t\tCTX_ENTRY_UPPER_DID_POS) != vmid_to_domainid(domain->vm_id)) {\n\t\t\tpr_err(\"%s: domain id mismatch\", __func__);\n\t\t\tret = -EPERM;\n\t\t} else {\n\t\t\t/* clear the present bit first */\n\t\t\tcontext_entry->lo_64 = 0UL;\n\t\t\tcontext_entry->hi_64 = 0UL;\n\t\t\tiommu_flush_cache(context_entry, sizeof(struct dmar_entry));\n\n\t\t\tdmar_invalid_context_cache(dmar_unit, 
vmid_to_domainid(domain->vm_id), sid.value, 0U,\n\t\t\t\t\t\t\tDMAR_CIRG_DEVICE);\n\t\t\tdmar_invalid_iotlb(dmar_unit, vmid_to_domainid(domain->vm_id), 0UL, 0U, false,\n\t\t\t\t\t\t\tDMAR_IIRG_DOMAIN);\n\t\t}\n\t} else if (is_dmar_unit_ignored(dmar_unit)) {\n\t ret = 0;\n\t}\n\n\treturn ret;\n}", "project": "acrn-hypervisor", "hash": 114852550606638336670389367729361649632, "size": 53, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262812 }, { "func": "static inline uint8_t width_to_level(uint32_t width)\n{\n\treturn (uint8_t)(((width - 12U) + (LEVEL_WIDTH)-1U) / (LEVEL_WIDTH));\n}", "project": "acrn-hypervisor", "hash": 156551372445883519251657535440819184725, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262851 }, { "func": "static inline bool is_dmar_unit_ignored(const struct dmar_drhd_rt *dmar_unit)\n{\n\tbool ignored = false;\n\n\tif ((dmar_unit != NULL) && (dmar_unit->drhd->ignore)) {\n\t\tignored = true;\n\t}\n\n\treturn ignored;\n}", "project": "acrn-hypervisor", "hash": 322061988381266474424488591187116275429, "size": 10, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: 
validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262845 }, { "func": "static void enable_dmar(struct dmar_drhd_rt *dmar_unit)\n{\n\tdev_dbg(DBG_LEVEL_IOMMU, \"enable dmar uint [0x%x]\", dmar_unit->drhd->reg_base_addr);\n\tdmar_invalid_context_cache_global(dmar_unit);\n\tdmar_invalid_iotlb_global(dmar_unit);\n\tdmar_invalid_iec_global(dmar_unit);\n\tdmar_enable_translation(dmar_unit);\n}", "project": "acrn-hypervisor", "hash": 325661042270863996118330581812459497230, "size": 8, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262865 }, { "func": "static void fault_status_analysis(uint32_t status)\n{\n\tif (dma_fsts_pfo(status)) {\n\t\tpr_info(\"Primary Fault Overflow\");\n\t}\n\n\tif (dma_fsts_ppf(status)) {\n\t\tpr_info(\"Primary Pending Fault\");\n\t}\n\n\tif (dma_fsts_afo(status)) {\n\t\tpr_info(\"Advanced Fault Overflow\");\n\t}\n\n\tif (dma_fsts_apf(status)) {\n\t\tpr_info(\"Advanced Pending Fault\");\n\t}\n\n\tif (dma_fsts_iqe(status)) {\n\t\tpr_info(\"Invalidation Queue Error\");\n\t}\n\n\tif (dma_fsts_ice(status)) {\n\t\tpr_info(\"Invalidation Completion Error\");\n\t}\n\n\tif (dma_fsts_ite(status)) {\n\t\tpr_info(\"Invalidation Time-out Error\");\n\t}\n\n\tif (dma_fsts_pro(status)) 
{\n\t\tpr_info(\"Page Request Overflow\");\n\t}\n}", "project": "acrn-hypervisor", "hash": 99349364213728670563830213479252881976, "size": 34, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262814 }, { "func": "static void dmar_fault_msi_write(struct dmar_drhd_rt *dmar_unit,\n\t\t\tuint32_t vector)\n{\n\tuint32_t data;\n\tuint32_t addr_low;\n\tuint32_t lapic_id = get_cur_lapic_id();\n\n\tdata = DMAR_MSI_DELIVERY_LOWPRI | vector;\n\t/* redirection hint: 0\n\t * destination mode: 0\n\t */\n\taddr_low = 0xFEE00000U | ((uint32_t)(lapic_id) << 12U);\n\n\tspinlock_obtain(&(dmar_unit->lock));\n\tiommu_write32(dmar_unit, DMAR_FEDATA_REG, data);\n\tiommu_write32(dmar_unit, DMAR_FEADDR_REG, addr_low);\n\tspinlock_release(&(dmar_unit->lock));\n}", "project": "acrn-hypervisor", "hash": 337429684966814480227544919769258704173, "size": 18, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262873 }, { "func": "int32_t init_iommu(void)\n{\n\tint32_t ret = 0;\n\n\tplatform_dmar_info = get_dmar_info();\n\n\tif ((platform_dmar_info == NULL) || (platform_dmar_info->drhd_count == 0U)) {\n\t\tpr_fatal(\"%s: can't find dmar info\\n\", 
__func__);\n\t\tret = -ENODEV;\n\t} else if (platform_dmar_info->drhd_count > CONFIG_MAX_IOMMU_NUM) {\n\t\tpr_fatal(\"%s: dmar count(%d) beyond the limitation(%d)\\n\",\n\t\t\t\t__func__, platform_dmar_info->drhd_count, CONFIG_MAX_IOMMU_NUM);\n\t\tret = -EINVAL;\n\t} else {\n\t\tret = register_hrhd_units();\n\t\tif (ret == 0) {\n\t\t\tdo_action_for_iommus(prepare_dmar);\n\t\t}\n\t}\n\treturn ret;\n}", "project": "acrn-hypervisor", "hash": 29861065572125041380241858021672615148, "size": 21, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262818 }, { "func": "static bool dmar_unit_support_aw(const struct dmar_drhd_rt *dmar_unit, uint32_t addr_width)\n{\n\tuint8_t aw;\n\n\taw = width_to_agaw(addr_width);\n\n\treturn (((1U << aw) & iommu_cap_sagaw(dmar_unit->cap)) != 0U);\n}", "project": "acrn-hypervisor", "hash": 174521943895784297551517641194399805214, "size": 8, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262853 }, { "func": "static void dmar_invalid_iotlb(struct dmar_drhd_rt *dmar_unit, uint16_t did, uint64_t address, uint8_t am,\n\t\t\t bool hint, enum dmar_iirg_type iirg)\n{\n\t/* set Drain Reads & Drain Writes,\n\t 
* if hardware doesn't support it, will be ignored by hardware\n\t */\n\tstruct dmar_entry invalidate_desc;\n\tuint64_t addr = 0UL;\n\n\tinvalidate_desc.hi_64 = 0UL;\n\n\tinvalidate_desc.lo_64 = DMA_IOTLB_DR | DMA_IOTLB_DW | DMAR_INV_IOTLB_DESC;\n\n\tswitch (iirg) {\n\tcase DMAR_IIRG_GLOBAL:\n\t\tinvalidate_desc.lo_64 |= DMA_IOTLB_GLOBAL_INVL;\n\t\tbreak;\n\tcase DMAR_IIRG_DOMAIN:\n\t\tinvalidate_desc.lo_64 |= DMA_IOTLB_DOMAIN_INVL | dma_iotlb_did(did);\n\t\tbreak;\n\tcase DMAR_IIRG_PAGE:\n\t\tinvalidate_desc.lo_64 |= DMA_IOTLB_PAGE_INVL | dma_iotlb_did(did);\n\t\taddr = address | dma_iotlb_invl_addr_am(am);\n\t\tif (hint) {\n\t\t\taddr |= DMA_IOTLB_INVL_ADDR_IH_UNMODIFIED;\n\t\t}\n\t\tinvalidate_desc.hi_64 |= addr;\n\t\tbreak;\n\tdefault:\n\t\tinvalidate_desc.lo_64 = 0UL;\n\t\tpr_err(\"unknown IIRG type\");\n\t}\n\n\tif (invalidate_desc.lo_64 != 0UL) {\n\t\tdmar_issue_qi_request(dmar_unit, invalidate_desc);\n\t}\n}", "project": "acrn-hypervisor", "hash": 178766537489085075020668641394305909595, "size": 37, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262819 }, { "func": "static void dmar_set_intr_remap_table(struct dmar_drhd_rt *dmar_unit)\n{\n\tuint64_t address;\n\tuint32_t status;\n\tuint8_t size;\n\n\tspinlock_obtain(&(dmar_unit->lock));\n\n\t/* Set number of bits needed to represent the entries minus 1 */\n\tsize = (uint8_t) fls32(CONFIG_MAX_IR_ENTRIES) - 1U;\n\taddress = dmar_unit->ir_table_addr | DMAR_IR_ENABLE_EIM | size;\n\n\tiommu_write64(dmar_unit, DMAR_IRTA_REG, address);\n\n\tiommu_write32(dmar_unit, DMAR_GCMD_REG, 
dmar_unit->gcmd | DMA_GCMD_SIRTP);\n\n\tdmar_wait_completion(dmar_unit, DMAR_GSTS_REG, DMA_GSTS_IRTPS, 0U, &status);\n\n\tspinlock_release(&(dmar_unit->lock));\n}", "project": "acrn-hypervisor", "hash": 231935548975345266189522066747932182020, "size": 20, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262834 }, { "func": "static void dmar_set_root_table(struct dmar_drhd_rt *dmar_unit)\n{\n\tuint32_t status;\n\n\tspinlock_obtain(&(dmar_unit->lock));\n\tiommu_write64(dmar_unit, DMAR_RTADDR_REG, dmar_unit->root_table_addr);\n\n\tiommu_write32(dmar_unit, DMAR_GCMD_REG, dmar_unit->gcmd | DMA_GCMD_SRTP);\n\n\t/* 32-bit register */\n\tdmar_wait_completion(dmar_unit, DMAR_GSTS_REG, DMA_GSTS_RTPS, 0U, &status);\n\tspinlock_release(&(dmar_unit->lock));\n}", "project": "acrn-hypervisor", "hash": 32067341953317491125650502552386283170, "size": 13, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262842 }, { "func": "static void dmar_enable_qi(struct dmar_drhd_rt *dmar_unit)\n{\n\tuint32_t status = 0;\n\n\tspinlock_obtain(&(dmar_unit->lock));\n\n\tdmar_unit->qi_queue = 
hva2hpa(get_qi_queue(dmar_unit->index));\n\tiommu_write64(dmar_unit, DMAR_IQA_REG, dmar_unit->qi_queue);\n\n\tiommu_write32(dmar_unit, DMAR_IQT_REG, 0U);\n\n\tif ((dmar_unit->gcmd & DMA_GCMD_QIE) == 0U) {\n\t\tdmar_unit->gcmd |= DMA_GCMD_QIE;\n\t\tiommu_write32(dmar_unit, DMAR_GCMD_REG,\tdmar_unit->gcmd);\n\t\tdmar_wait_completion(dmar_unit, DMAR_GSTS_REG, DMA_GSTS_QIES, 0U, &status);\n\t}\n\n\tspinlock_release(&(dmar_unit->lock));\n}", "project": "acrn-hypervisor", "hash": 72803069764193129915018326145347418923, "size": 19, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262863 }, { "func": "int32_t dmar_reserve_irte(const struct intr_source *intr_src, uint16_t num, uint16_t *start_id)\n{\n\tstruct dmar_drhd_rt *dmar_unit;\n\tunion pci_bdf sid;\n\tuint64_t mask = (1UL << num) - 1U;\n\tint32_t ret = -EINVAL;\n\n\tif (intr_src->is_msi) {\n\t\tdmar_unit = device_to_dmaru((uint8_t)intr_src->src.msi.bits.b, intr_src->src.msi.fields.devfun);\n\t\tsid.value = (uint16_t)(intr_src->src.msi.value);\n\t} else {\n\t\tdmar_unit = ioapic_to_dmaru(intr_src->src.ioapic_id, &sid);\n\t}\n\n\tif (is_dmar_unit_valid(dmar_unit, sid)) {\n\t\t*start_id = alloc_irtes(dmar_unit, num);\n\t\tif (*start_id < CONFIG_MAX_IR_ENTRIES) {\n\t\t\tdmar_unit->irte_reserved_bitmap[*start_id >> 6U] |= mask << (*start_id & 0x3FU);\n\t\t}\n\t\tret = 0;\n\t}\n\n\tpr_dbg(\"%s: for dev 0x%x:%x.%x, reserve %u entry for MSI(%d), start from %d\",\n\t\t__func__, sid.bits.b, sid.bits.d, sid.bits.f, num, intr_src->is_msi, *start_id);\n\treturn ret;\n}", "project": "acrn-hypervisor", "hash": 
230543647036484957934436575218396617347, "size": 26, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262886 }, { "func": "int32_t ptirq_prepare_msix_remap(struct acrn_vm *vm, uint16_t virt_bdf, uint16_t phys_bdf,\n\t\t\t\tuint16_t entry_nr, struct msi_info *info, uint16_t irte_idx)\n{\n\tstruct ptirq_remapping_info *entry;\n\tint32_t ret = -ENODEV;\n\tunion pci_bdf vbdf;\n\n\t/*\n\t * adds the mapping entries at runtime, if the\n\t * entry already be held by others, return error.\n\t */\n\tspinlock_obtain(&ptdev_lock);\n\tentry = add_msix_remapping(vm, virt_bdf, phys_bdf, entry_nr);\n\tspinlock_release(&ptdev_lock);\n\n\tif (entry != NULL) {\n\t\tret = 0;\n\t\tentry->vmsi = *info;\n\n\t\t/* build physical config MSI, update to info->pmsi_xxx */\n\t\tif (is_lapic_pt_configured(vm)) {\n\t\t\tenum vm_vlapic_mode vlapic_mode = check_vm_vlapic_mode(vm);\n\n\t\t\tif (vlapic_mode == VM_VLAPIC_X2APIC) {\n\t\t\t\t/*\n\t\t\t\t * All the vCPUs are in x2APIC mode and LAPIC is Pass-through\n\t\t\t\t * Use guest vector to program the interrupt source\n\t\t\t\t */\n\t\t\t\tptirq_build_physical_msi(vm, entry, (uint32_t)info->data.bits.vector, 0UL, irte_idx);\n\t\t\t} else if (vlapic_mode == VM_VLAPIC_XAPIC) {\n\t\t\t\t/*\n\t\t\t\t * All the vCPUs are in xAPIC mode and LAPIC is emulated\n\t\t\t\t * Use host vector to program the interrupt source\n\t\t\t\t */\n\t\t\t\tptirq_build_physical_msi(vm, entry, irq_to_vector(entry->allocated_pirq), 0UL, irte_idx);\n\t\t\t} else if (vlapic_mode == VM_VLAPIC_TRANSITION) {\n\t\t\t\t/*\n\t\t\t\t * vCPUs are in middle of 
transition, so do not program interrupt source\n\t\t\t\t * TODO: Devices programmed during transistion do not work after transition\n\t\t\t\t * as device is not programmed with interrupt info. Need to implement a\n\t\t\t\t * method to get interrupts working after transition.\n\t\t\t\t */\n\t\t\t\tret = -EFAULT;\n\t\t\t} else {\n\t\t\t\t/* Do nothing for VM_VLAPIC_DISABLED */\n\t\t\t\tret = -EFAULT;\n\t\t\t}\n\t\t} else {\n\t\t\tstruct acrn_vcpu *vcpu = is_single_destination(vm, info);\n\n\t\t\tif (is_pi_capable(vm) && (vcpu != NULL)) {\n\t\t\t\tptirq_build_physical_msi(vm, entry,\n\t\t\t\t\t(uint32_t)info->data.bits.vector, hva2hpa(get_pi_desc(vcpu)), irte_idx);\n\t\t\t} else {\n\t\t\t\t/* Go with remapped mode if we cannot handle it in posted mode */\n\t\t\t\tptirq_build_physical_msi(vm, entry, irq_to_vector(entry->allocated_pirq), 0UL, irte_idx);\n\t\t\t}\n\t\t}\n\n\t\tif (ret == 0) {\n\t\t\t*info = entry->pmsi;\n\t\t\tvbdf.value = virt_bdf;\n\t\t\tdev_dbg(DBG_LEVEL_IRQ, \"PCI %x:%x.%x MSI VR[%d] 0x%x->0x%x assigned to vm%d\",\n\t\t\t\tvbdf.bits.b, vbdf.bits.d, vbdf.bits.f, entry_nr, entry->vmsi.data.bits.vector,\n\t\t\t\tirq_to_vector(entry->allocated_pirq), entry->vm->vm_id);\n\t\t}\n\t}\n\n\treturn ret;\n}", "project": "acrn-hypervisor", "hash": 309584936284279016015747559546304200020, "size": 70, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262872 }, { "func": "static void remove_intx_remapping(const struct acrn_vm *vm, uint32_t virt_gsi, enum intx_ctlr vgsi_ctlr)\n{\n\tuint32_t phys_irq;\n\tstruct ptirq_remapping_info 
*entry;\n\tstruct intr_source intr_src;\n\tDEFINE_INTX_SID(virt_sid, virt_gsi, vgsi_ctlr);\n\n\tentry = find_ptirq_entry(PTDEV_INTR_INTX, &virt_sid, vm);\n\tif (entry != NULL) {\n\t\tif (is_entry_active(entry)) {\n\t\t\tphys_irq = entry->allocated_pirq;\n\t\t\t/* disable interrupt */\n\t\t\tioapic_gsi_mask_irq(phys_irq);\n\n\t\t\tptirq_deactivate_entry(entry);\n\t\t\tintr_src.is_msi = false;\n\t\t\tintr_src.src.ioapic_id = ioapic_irq_to_ioapic_id(phys_irq);\n\n\t\t\tdmar_free_irte(&intr_src, entry->irte_idx);\n\t\t\tdev_dbg(DBG_LEVEL_IRQ,\n\t\t\t\t\"deactive %s intx entry:pgsi=%d, pirq=%d \",\n\t\t\t\t(vgsi_ctlr == INTX_CTLR_PIC) ? \"vPIC\" : \"vIOAPIC\",\n\t\t\t\tentry->phys_sid.intx_id.gsi, phys_irq);\n\t\t\tdev_dbg(DBG_LEVEL_IRQ, \"from vm%d vgsi=%d\\n\",\n\t\t\t\tentry->vm->vm_id, virt_gsi);\n\t\t}\n\n\t\tptirq_release_entry(entry);\n\t}\n}", "project": "acrn-hypervisor", "hash": 293169252057181832526249031297802483183, "size": 30, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262849 }, { "func": "int32_t dmar_assign_irte(const struct intr_source *intr_src, union dmar_ir_entry *irte,\n\tuint16_t idx_in, uint16_t *idx_out)\n{\n\tstruct dmar_drhd_rt *dmar_unit;\n\tunion dmar_ir_entry *ir_table, *ir_entry;\n\tunion pci_bdf sid;\n\tuint64_t trigger_mode;\n\tint32_t ret = -EINVAL;\n\n\tif (intr_src->is_msi) {\n\t\tdmar_unit = device_to_dmaru((uint8_t)intr_src->src.msi.bits.b, intr_src->src.msi.fields.devfun);\n\t\tsid.value = (uint16_t)(intr_src->src.msi.value);\n\t\ttrigger_mode = 0x0UL;\n\t} else {\n\t\tdmar_unit = 
ioapic_to_dmaru(intr_src->src.ioapic_id, &sid);\n\t\ttrigger_mode = irte->bits.remap.trigger_mode;\n\t}\n\n\tif (is_dmar_unit_valid(dmar_unit, sid)) {\n\t\tdmar_enable_intr_remapping(dmar_unit);\n\n\t\tir_table = (union dmar_ir_entry *)hpa2hva(dmar_unit->ir_table_addr);\n\t\t*idx_out = idx_in;\n\t\tif (idx_in == INVALID_IRTE_ID) {\n\t\t\t*idx_out = alloc_irtes(dmar_unit, 1U);\n\t\t}\n\t\tif (*idx_out < CONFIG_MAX_IR_ENTRIES) {\n\t\t\tir_entry = ir_table + *idx_out;\n\n\t\t\tif (intr_src->pid_paddr != 0UL) {\n\t\t\t\tunion dmar_ir_entry irte_pi;\n\n\t\t\t\t/* irte is in remapped mode format, convert to posted mode format */\n\t\t\t\tirte_pi.value.lo_64 = 0UL;\n\t\t\t\tirte_pi.value.hi_64 = 0UL;\n\n\t\t\t\tirte_pi.bits.post.vector = irte->bits.remap.vector;\n\n\t\t\t\tirte_pi.bits.post.svt = 0x1UL;\n\t\t\t\tirte_pi.bits.post.sid = sid.value;\n\t\t\t\tirte_pi.bits.post.present = 0x1UL;\n\t\t\t\tirte_pi.bits.post.mode = 0x1UL;\n\n\t\t\t\tirte_pi.bits.post.pda_l = (intr_src->pid_paddr) >> 6U;\n\t\t\t\tirte_pi.bits.post.pda_h = (intr_src->pid_paddr) >> 32U;\n\n\t\t\t\t*ir_entry = irte_pi;\n\t\t\t} else {\n\t\t\t\t/* Fields that have not been initialized explicitly default to 0 */\n\t\t\t\tirte->bits.remap.svt = 0x1UL;\n\t\t\t\tirte->bits.remap.sid = sid.value;\n\t\t\t\tirte->bits.remap.present = 0x1UL;\n\t\t\t\tirte->bits.remap.trigger_mode = trigger_mode;\n\n\t\t\t\t*ir_entry = *irte;\n\t\t\t}\n\t\t\tiommu_flush_cache(ir_entry, sizeof(union dmar_ir_entry));\n\t\t\tdmar_invalid_iec(dmar_unit, *idx_out, 0U, false);\n\t\t}\n\t\tret = 0;\n\t}\n\n\treturn ret;\n}", "project": "acrn-hypervisor", "hash": 233461942279521003410634779631164703936, "size": 64, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 
'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262843 }, { "func": "static void activate_physical_ioapic(struct acrn_vm *vm,\n\t\tstruct ptirq_remapping_info *entry)\n{\n\tunion ioapic_rte rte;\n\tuint32_t phys_irq = entry->allocated_pirq;\n\tuint64_t intr_mask;\n\tbool is_lvl_trigger = false;\n\n\t/* disable interrupt */\n\tioapic_gsi_mask_irq(phys_irq);\n\n\t/* build physical IOAPIC RTE */\n\trte = ptirq_build_physical_rte(vm, entry);\n\tintr_mask = rte.bits.intr_mask;\n\n\t/* update irq trigger mode according to info in guest */\n\tif (rte.bits.trigger_mode == IOAPIC_RTE_TRGRMODE_LEVEL) {\n\t\tis_lvl_trigger = true;\n\t}\n\tset_irq_trigger_mode(phys_irq, is_lvl_trigger);\n\n\t/* set rte entry when masked */\n\trte.bits.intr_mask = IOAPIC_RTE_MASK_SET;\n\tioapic_set_rte(phys_irq, rte);\n\n\tif (intr_mask == IOAPIC_RTE_MASK_CLR) {\n\t\tioapic_gsi_unmask_irq(phys_irq);\n\t}\n}", "project": "acrn-hypervisor", "hash": 328395691271851614783793775487344080556, "size": 29, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262813 }, { "func": "static void dmar_setup_interrupt(struct dmar_drhd_rt *dmar_unit)\n{\n\tuint32_t vector;\n\tint32_t retval = 0;\n\n\tspinlock_obtain(&(dmar_unit->lock));\n\tif (dmar_unit->dmar_irq == IRQ_INVALID) {\n\t\tretval = request_irq(IRQ_INVALID, dmar_fault_handler, dmar_unit, IRQF_NONE);\n\t\tdmar_unit->dmar_irq = (uint32_t)retval;\n\t}\n\tspinlock_release(&(dmar_unit->lock));\n\t/* the panic will only happen before 
any VM starts running */\n\tif (retval < 0) {\n\t\tpanic(\"dmar[%d] fail to setup interrupt\", dmar_unit->index);\n\t}\n\n\tvector = irq_to_vector(dmar_unit->dmar_irq);\n\tdev_dbg(DBG_LEVEL_IOMMU, \"irq#%d vector#%d for dmar_unit\", dmar_unit->dmar_irq, vector);\n\n\tdmar_fault_msi_write(dmar_unit, vector);\n\tdmar_fault_event_unmask(dmar_unit);\n}", "project": "acrn-hypervisor", "hash": 125824865388773855756475209821973890081, "size": 22, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262820 }, { "func": "static void disable_dmar(struct dmar_drhd_rt *dmar_unit)\n{\n\tdmar_disable_qi(dmar_unit);\n\tdmar_disable_translation(dmar_unit);\n\tdmar_fault_event_mask(dmar_unit);\n\tdmar_disable_intr_remapping(dmar_unit);\n}", "project": "acrn-hypervisor", "hash": 1173508976041884956545400242487809732, "size": 7, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262877 }, { "func": "static void suspend_dmar(struct dmar_drhd_rt *dmar_unit)\n{\n\tuint32_t i;\n\n\tdmar_invalid_context_cache_global(dmar_unit);\n\tdmar_invalid_iotlb_global(dmar_unit);\n\tdmar_invalid_iec_global(dmar_unit);\n\n\tdisable_dmar(dmar_unit);\n\n\t/* save 
IOMMU fault register state */\n\tfor (i = 0U; i < IOMMU_FAULT_REGISTER_STATE_NUM; i++) {\n\t\tdmar_unit->fault_state[i] = iommu_read32(dmar_unit, DMAR_FECTL_REG + (i * IOMMU_FAULT_REGISTER_SIZE));\n\t}\n}", "project": "acrn-hypervisor", "hash": 297933284204136080707356521076243656752, "size": 15, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262891 }, { "func": "int32_t move_pt_device(const struct iommu_domain *from_domain, const struct iommu_domain *to_domain, uint8_t bus, uint8_t devfun)\n{\n\tint32_t status = 0;\n\tuint16_t bus_local = bus;\n\n\t/* TODO: check if the device assigned */\n\n\tif (bus_local < CONFIG_IOMMU_BUS_NUM) {\n\t\tif (from_domain != NULL) {\n\t\t\tstatus = iommu_detach_device(from_domain, bus, devfun);\n\t\t}\n\n\t\tif ((status == 0) && (to_domain != NULL)) {\n\t\t\tstatus = iommu_attach_device(to_domain, bus, devfun);\n\t\t}\n\t} else {\n\t\tstatus = -EINVAL;\n\t}\n\n\treturn status;\n}", "project": "acrn-hypervisor", "hash": 7241169551569104435020063122192986732, "size": 21, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262825 }, { "func": "static void dmar_invalid_context_cache(struct 
dmar_drhd_rt *dmar_unit,\n\tuint16_t did, uint16_t sid, uint8_t fm, enum dmar_cirg_type cirg)\n{\n\tstruct dmar_entry invalidate_desc;\n\n\tinvalidate_desc.hi_64 = 0UL;\n\tinvalidate_desc.lo_64 = DMAR_INV_CONTEXT_CACHE_DESC;\n\tswitch (cirg) {\n\tcase DMAR_CIRG_GLOBAL:\n\t\tinvalidate_desc.lo_64 |= DMA_CONTEXT_GLOBAL_INVL;\n\t\tbreak;\n\tcase DMAR_CIRG_DOMAIN:\n\t\tinvalidate_desc.lo_64 |= DMA_CONTEXT_DOMAIN_INVL | dma_ccmd_did(did);\n\t\tbreak;\n\tcase DMAR_CIRG_DEVICE:\n\t\tinvalidate_desc.lo_64 |= DMA_CONTEXT_DEVICE_INVL | dma_ccmd_did(did) | dma_ccmd_sid(sid) | dma_ccmd_fm(fm);\n\t\tbreak;\n\tdefault:\n\t\tinvalidate_desc.lo_64 = 0UL;\n\t\tpr_err(\"unknown CIRG type\");\n\t\tbreak;\n\t}\n\n\tif (invalidate_desc.lo_64 != 0UL) {\n\t\tdmar_issue_qi_request(dmar_unit, invalidate_desc);\n\t}\n}", "project": "acrn-hypervisor", "hash": 39337534930288086899520375536194958762, "size": 27, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262848 }, { "func": "static void dmar_invalid_iec_global(struct dmar_drhd_rt *dmar_unit)\n{\n\tdmar_invalid_iec(dmar_unit, 0U, 0U, true);\n}", "project": "acrn-hypervisor", "hash": 124568749352672220954877230938085457061, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this 
fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262854 }, { "func": "static inline uint8_t width_to_agaw(uint32_t width)\n{\n\treturn width_to_level(width) - 2U;\n}", "project": "acrn-hypervisor", "hash": 55913358665759391336356957377713613873, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262827 }, { "func": "static void dmar_enable_translation(struct dmar_drhd_rt *dmar_unit)\n{\n\tuint32_t status = 0;\n\n\tspinlock_obtain(&(dmar_unit->lock));\n\tif ((dmar_unit->gcmd & DMA_GCMD_TE) == 0U) {\n\t\tdmar_unit->gcmd |= DMA_GCMD_TE;\n\t\tiommu_write32(dmar_unit, DMAR_GCMD_REG, dmar_unit->gcmd);\n\t\t/* 32-bit register */\n\t\tdmar_wait_completion(dmar_unit, DMAR_GSTS_REG, DMA_GSTS_TES, 0U, &status);\n#if DBG_IOMMU\n\t\tstatus = iommu_read32(dmar_unit, DMAR_GSTS_REG);\n#endif\n\t}\n\n\tspinlock_release(&(dmar_unit->lock));\n\n\tdev_dbg(DBG_LEVEL_IOMMU, \"%s: gsr:0x%x\", __func__, status);\n}", "project": "acrn-hypervisor", "hash": 148281933701853208293084833918216918636, "size": 19, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262881 }, { "func": "void 
iommu_flush_cache(const void *p, uint32_t size)\n{\n\t/* if vtd support page-walk coherency, no need to flush cacheline */\n\tif (!iommu_page_walk_coherent) {\n\t\tflush_cache_range(p, size);\n\t}\n}", "project": "acrn-hypervisor", "hash": 308765045784002203011860769743918643856, "size": 7, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262878 }, { "func": "static inline uint64_t dmar_get_bitslice(uint64_t var, uint64_t mask, uint32_t pos)\n{\n\treturn ((var & mask) >> pos);\n}", "project": "acrn-hypervisor", "hash": 241595629466914413001743023753733521243, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262822 }, { "func": "static bool is_dmar_unit_valid(const struct dmar_drhd_rt *dmar_unit, union pci_bdf sid)\n{\n\tbool valid = false;\n\n\tif (dmar_unit == NULL) {\n\t\tpr_err(\"no dmar unit found for device: %x:%x.%x\", sid.bits.b, sid.bits.d, sid.bits.f);\n\t} else if (dmar_unit->drhd->ignore) {\n\t\tdev_dbg(DBG_LEVEL_IOMMU, \"device is ignored : %x:%x.%x\", sid.bits.b, sid.bits.d, sid.bits.f);\n\t} else {\n\t\tvalid = true;\n\t}\n\n\treturn valid;\n}", "project": "acrn-hypervisor", "hash": 
258817031410145504898658515995524029117, "size": 14, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262894 }, { "func": "static void iommu_write64(const struct dmar_drhd_rt *dmar_unit, uint32_t offset, uint64_t value)\n{\n\tmmio_write64(value, hpa2hva(dmar_unit->drhd->reg_base_addr + offset));\n}", "project": "acrn-hypervisor", "hash": 18701324026409409664790143391337629122, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262815 }, { "func": "static void dmar_enable_intr_remapping(struct dmar_drhd_rt *dmar_unit)\n{\n\tuint32_t status = 0;\n\n\tspinlock_obtain(&(dmar_unit->lock));\n\tif ((dmar_unit->gcmd & DMA_GCMD_IRE) == 0U) {\n\t\tdmar_unit->gcmd |= DMA_GCMD_IRE;\n\t\tiommu_write32(dmar_unit, DMAR_GCMD_REG, dmar_unit->gcmd);\n\t\t/* 32-bit register */\n\t\tdmar_wait_completion(dmar_unit, DMAR_GSTS_REG, DMA_GSTS_IRES, 0U, &status);\n#if DBG_IOMMU\n\t\tstatus = iommu_read32(dmar_unit, DMAR_GSTS_REG);\n#endif\n\t}\n\n\tspinlock_release(&(dmar_unit->lock));\n\tdev_dbg(DBG_LEVEL_IOMMU, \"%s: gsr:0x%x\", __func__, status);\n}", "project": "acrn-hypervisor", "hash": 308947311529098635196717559214739137252, "size": 
18, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262874 }, { "func": "static int32_t iommu_attach_device(const struct iommu_domain *domain, uint8_t bus, uint8_t devfun)\n{\n\tstruct dmar_drhd_rt *dmar_unit;\n\tstruct dmar_entry *root_table;\n\tuint64_t context_table_addr;\n\tstruct dmar_entry *context;\n\tstruct dmar_entry *root_entry;\n\tstruct dmar_entry *context_entry;\n\tuint64_t hi_64 = 0UL;\n\tuint64_t lo_64 = 0UL;\n\tint32_t ret = -EINVAL;\n\t/* source id */\n\tunion pci_bdf sid;\n\n\tsid.fields.bus = bus;\n\tsid.fields.devfun = devfun;\n\n\tdmar_unit = device_to_dmaru(bus, devfun);\n\tif (is_dmar_unit_valid(dmar_unit, sid) && dmar_unit_support_aw(dmar_unit, domain->addr_width)) {\n\t\troot_table = (struct dmar_entry *)hpa2hva(dmar_unit->root_table_addr);\n\t\troot_entry = root_table + bus;\n\n\t\tif (dmar_get_bitslice(root_entry->lo_64,\n\t\t\t\t\tROOT_ENTRY_LOWER_PRESENT_MASK,\n\t\t\t\t\tROOT_ENTRY_LOWER_PRESENT_POS) == 0UL) {\n\t\t\t/* create context table for the bus if not present */\n\t\t\tcontext_table_addr = hva2hpa(get_ctx_table(dmar_unit->index, bus));\n\n\t\t\tcontext_table_addr = context_table_addr >> PAGE_SHIFT;\n\n\t\t\tlo_64 = dmar_set_bitslice(lo_64,\n\t\t\t\t\tROOT_ENTRY_LOWER_CTP_MASK, ROOT_ENTRY_LOWER_CTP_POS, context_table_addr);\n\t\t\tlo_64 = dmar_set_bitslice(lo_64,\n\t\t\t\t\tROOT_ENTRY_LOWER_PRESENT_MASK, ROOT_ENTRY_LOWER_PRESENT_POS, 1UL);\n\n\t\t\troot_entry->hi_64 = 0UL;\n\t\t\troot_entry->lo_64 = lo_64;\n\t\t\tiommu_flush_cache(root_entry, sizeof(struct dmar_entry));\n\t\t} else 
{\n\t\t\tcontext_table_addr = dmar_get_bitslice(root_entry->lo_64,\n\t\t\t\t\tROOT_ENTRY_LOWER_CTP_MASK, ROOT_ENTRY_LOWER_CTP_POS);\n\t\t}\n\n\t\tcontext_table_addr = context_table_addr << PAGE_SHIFT;\n\n\t\tcontext = (struct dmar_entry *)hpa2hva(context_table_addr);\n\t\tcontext_entry = context + devfun;\n\n\t\tif (dmar_get_bitslice(context_entry->lo_64, CTX_ENTRY_LOWER_P_MASK, CTX_ENTRY_LOWER_P_POS) != 0UL) {\n\t\t\t/* the context entry should not be present */\n\t\t\tpr_err(\"%s: context entry@0x%lx (Lower:%x) \", __func__, context_entry, context_entry->lo_64);\n\t\t\tpr_err(\"already present for %x:%x.%x\", bus, sid.bits.d, sid.bits.f);\n\t\t\tret = -EBUSY;\n\t\t} else {\n\t\t\t/* setup context entry for the devfun */\n\t\t\t/* TODO: add Device TLB support */\n\t\t\thi_64 = dmar_set_bitslice(hi_64, CTX_ENTRY_UPPER_AW_MASK, CTX_ENTRY_UPPER_AW_POS,\n\t\t\t\t\t(uint64_t)width_to_agaw(domain->addr_width));\n\t\t\tlo_64 = dmar_set_bitslice(lo_64, CTX_ENTRY_LOWER_TT_MASK, CTX_ENTRY_LOWER_TT_POS,\n\t\t\t\t\tDMAR_CTX_TT_UNTRANSLATED);\n\t\t\thi_64 = dmar_set_bitslice(hi_64, CTX_ENTRY_UPPER_DID_MASK, CTX_ENTRY_UPPER_DID_POS,\n\t\t\t\t(uint64_t)vmid_to_domainid(domain->vm_id));\n\t\t\tlo_64 = dmar_set_bitslice(lo_64, CTX_ENTRY_LOWER_SLPTPTR_MASK, CTX_ENTRY_LOWER_SLPTPTR_POS,\n\t\t\t\tdomain->trans_table_ptr >> PAGE_SHIFT);\n\t\t\tlo_64 = dmar_set_bitslice(lo_64, CTX_ENTRY_LOWER_P_MASK, CTX_ENTRY_LOWER_P_POS, 1UL);\n\n\t\t\tcontext_entry->hi_64 = hi_64;\n\t\t\tcontext_entry->lo_64 = lo_64;\n\t\t\tiommu_flush_cache(context_entry, sizeof(struct dmar_entry));\n\t\t\tret = 0;\n\t\t}\n\t} else if (is_dmar_unit_ignored(dmar_unit)) {\n\t ret = 0;\n\t}\n\n\treturn ret;\n}", "project": "acrn-hypervisor", "hash": 271743868463431143027661072960236092090, "size": 77, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch 
validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262828 }, { "func": "void ptirq_remove_configured_intx_remappings(const struct acrn_vm *vm)\n{\n\tconst struct acrn_vm_config *vm_config = get_vm_config(vm->vm_id);\n\tuint32_t i;\n\n\tfor (i = 0; i < vm_config->pt_intx_num; i++) {\n\t\tptirq_remove_intx_remapping(vm, vm_config->pt_intx[i].virt_gsi, false);\n\t}\n}", "project": "acrn-hypervisor", "hash": 132245054502948575968294399407288381304, "size": 9, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262841 }, { "func": "static void fault_record_analysis(__unused uint64_t low, uint64_t high)\n{\n\tunion pci_bdf dmar_bdf;\n\n\tif (!dma_frcd_up_f(high)) {\n\t\tdmar_bdf.value = dma_frcd_up_sid(high);\n\t\t/* currently skip PASID related parsing */\n\t\tpr_info(\"%s, Reason: 0x%x, SID: %x.%x.%x @0x%lx\",\n\t\t\t(dma_frcd_up_t(high) != 0U) ? 
\"Read/Atomic\" : \"Write\", dma_frcd_up_fr(high),\n\t\t\tdmar_bdf.bits.b, dmar_bdf.bits.d, dmar_bdf.bits.f, low);\n#if DBG_IOMMU\n\t\tif (iommu_ecap_dt(dmar_unit->ecap) != 0U) {\n\t\t\tpr_info(\"Address Type: 0x%x\", dma_frcd_up_at(high));\n\t\t}\n#endif\n\t}\n}", "project": "acrn-hypervisor", "hash": 83091811966183411785160251800406602010, "size": 17, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262879 }, { "func": "static uint32_t iommu_read32(const struct dmar_drhd_rt *dmar_unit, uint32_t offset)\n{\n\treturn mmio_read32(hpa2hva(dmar_unit->drhd->reg_base_addr + offset));\n}", "project": "acrn-hypervisor", "hash": 122541747987228239873581781426103396909, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262811 }, { "func": "int32_t ptirq_intx_pin_remap(struct acrn_vm *vm, uint32_t virt_gsi, enum intx_ctlr vgsi_ctlr)\n{\n\tint32_t status = 0;\n\tstruct ptirq_remapping_info *entry = NULL;\n\tDEFINE_INTX_SID(virt_sid, virt_gsi, vgsi_ctlr);\n\tDEFINE_INTX_SID(alt_virt_sid, virt_gsi, vgsi_ctlr);\n\n\t/*\n\t * virt pin could come from primary vPIC, secondary vPIC or vIOAPIC\n\t * while phys pin is always means 
for physical IOAPIC.\n\t *\n\t * Device Model should pre-hold the mapping entries by calling\n\t * ptirq_add_intx_remapping for UOS.\n\t *\n\t * For SOS(sos_vm), it adds the mapping entries at runtime, if the\n\t * entry already be held by others, return error.\n\t */\n\n\t/* no remap for vuart intx */\n\tif (!is_vuart_intx(vm, virt_sid.intx_id.gsi)) {\n\t\t/* query if we have virt to phys mapping */\n\t\tspinlock_obtain(&ptdev_lock);\n\t\tentry = find_ptirq_entry(PTDEV_INTR_INTX, &virt_sid, vm);\n\t\tif (entry == NULL) {\n\t\t\tif (is_sos_vm(vm)) {\n\n\t\t\t\t/* for sos_vm, there is chance of vpin source switch\n\t\t\t\t * between vPIC & vIOAPIC for one legacy phys_pin.\n\t\t\t\t *\n\t\t\t\t * here checks if there is already mapping entry from\n\t\t\t\t * the other vpin source for legacy pin. If yes, then\n\t\t\t\t * switch vpin source is needed\n\t\t\t\t */\n\t\t\t\tif (virt_gsi < NR_LEGACY_PIN) {\n\n\t\t\t\t\tif (vgsi_ctlr == INTX_CTLR_PIC) {\n\t\t\t\t\t\talt_virt_sid.intx_id.ctlr = INTX_CTLR_IOAPIC;\n\t\t\t\t\t} else {\n\t\t\t\t\t\talt_virt_sid.intx_id.ctlr = INTX_CTLR_PIC;\n\t\t\t\t\t}\n\n\t\t\t\t\tentry = find_ptirq_entry(PTDEV_INTR_INTX, &alt_virt_sid, vm);\n\t\t\t\t\tif (entry != NULL) {\n\t\t\t\t\t\tuint32_t phys_gsi = virt_gsi;\n\n\t\t\t\t\t\tremove_intx_remapping(vm, alt_virt_sid.intx_id.gsi,\n\t\t\t\t\t\t\talt_virt_sid.intx_id.ctlr);\n\t\t\t\t\t\tentry = add_intx_remapping(vm, virt_gsi, phys_gsi, vgsi_ctlr);\n\t\t\t\t\t\tif (entry == NULL) {\n\t\t\t\t\t\t\tpr_err(\"%s, add intx remapping failed\", __func__);\n\t\t\t\t\t\t\tstatus = -ENODEV;\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tdev_dbg(DBG_LEVEL_IRQ,\n\t\t\t\t\t\t\t\t\"IOAPIC gsi=%hhu pirq=%u vgsi=%d from %s to %s for vm%d\",\n\t\t\t\t\t\t\t\tentry->phys_sid.intx_id.gsi,\n\t\t\t\t\t\t\t\tentry->allocated_pirq, entry->virt_sid.intx_id.gsi,\n\t\t\t\t\t\t\t\t(vgsi_ctlr == INTX_CTLR_IOAPIC) ? \"vPIC\" : \"vIOAPIC\",\n\t\t\t\t\t\t\t\t(vgsi_ctlr == INTX_CTLR_IOAPIC) ? 
\"vIOPIC\" : \"vPIC\",\n\t\t\t\t\t\t\t\tentry->vm->vm_id);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t/* entry could be updated by above switch check */\n\t\t\t\tif (entry == NULL) {\n\t\t\t\t\tuint32_t phys_gsi = virt_gsi;\n\n\t\t\t\t\tentry = add_intx_remapping(vm, virt_gsi, phys_gsi, vgsi_ctlr);\n\t\t\t\t\tif (entry == NULL) {\n\t\t\t\t\t\tpr_err(\"%s, add intx remapping failed\",\n\t\t\t\t\t\t\t\t__func__);\n\t\t\t\t\t\tstatus = -ENODEV;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t/* ptirq_intx_pin_remap is triggered by vPIC/vIOAPIC\n\t\t\t\t * everytime a pin get unmask, here filter out pins\n\t\t\t\t * not get mapped.\n\t\t\t\t */\n\t\t\t\tstatus = -ENODEV;\n\t\t\t}\n\t\t}\n\t\tspinlock_release(&ptdev_lock);\n\t} else {\n\t\tstatus = -EINVAL;\n\t}\n\n\tif (status == 0) {\n\t\tactivate_physical_ioapic(vm, entry);\n\t}\n\n\treturn status;\n}", "project": "acrn-hypervisor", "hash": 107811208812090823728006383503975735443, "size": 93, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262855 }, { "func": "static inline uint64_t dmar_set_bitslice(uint64_t var, uint64_t mask, uint32_t pos, uint64_t val)\n{\n\treturn ((var & ~mask) | ((val << pos) & mask));\n}", "project": "acrn-hypervisor", "hash": 138021970740466497500343611160422325122, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' 
and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262830 }, { "func": "static void ptirq_build_physical_msi(struct acrn_vm *vm,\n\tstruct ptirq_remapping_info *entry, uint32_t vector, uint64_t pid_paddr, uint16_t irte_idx)\n{\n\tuint64_t vdmask, pdmask;\n\tuint32_t dest, delmode, dest_mask;\n\tbool phys;\n\tunion dmar_ir_entry irte;\n\tunion irte_index ir_index;\n\tint32_t ret;\n\tstruct intr_source intr_src;\n\n\t/* get physical destination cpu mask */\n\tdest = entry->vmsi.addr.bits.dest_field;\n\tphys = (entry->vmsi.addr.bits.dest_mode == MSI_ADDR_DESTMODE_PHYS);\n\n\tvdmask = vlapic_calc_dest_noshort(vm, false, dest, phys, false);\n\tpdmask = vcpumask2pcpumask(vm, vdmask);\n\n\t/* get physical delivery mode */\n\tdelmode = entry->vmsi.data.bits.delivery_mode;\n\tif ((delmode != MSI_DATA_DELMODE_FIXED) && (delmode != MSI_DATA_DELMODE_LOPRI)) {\n\t\tdelmode = MSI_DATA_DELMODE_LOPRI;\n\t}\n\n\tdest_mask = calculate_logical_dest_mask(pdmask);\n\n\t/* Using phys_irq as index in the corresponding IOMMU */\n\tirte.value.lo_64 = 0UL;\n\tirte.value.hi_64 = 0UL;\n\tirte.bits.remap.vector = vector;\n\tirte.bits.remap.delivery_mode = delmode;\n\tirte.bits.remap.dest_mode = MSI_ADDR_DESTMODE_LOGICAL;\n\tirte.bits.remap.rh = MSI_ADDR_RH;\n\tirte.bits.remap.dest = dest_mask;\n\n\tintr_src.is_msi = true;\n\tintr_src.pid_paddr = pid_paddr;\n\tintr_src.src.msi.value = entry->phys_sid.msi_id.bdf;\n\tif (entry->irte_idx == INVALID_IRTE_ID) {\n\t\tentry->irte_idx = irte_idx;\n\t}\n\tret = dmar_assign_irte(&intr_src, &irte, entry->irte_idx, &ir_index.index);\n\n\tif (ret == 0) {\n\t\tentry->pmsi.data.full = 0U;\n\t\tentry->pmsi.addr.full = 0UL;\n\t\tentry->irte_idx = ir_index.index;\n\t\tif (ir_index.index != INVALID_IRTE_ID) {\n\t\t\t/*\n\t\t\t * Update the MSI interrupt source to point to the IRTE\n\t\t\t * SHV is set to 0 as ACRN disables MMC 
(Multi-Message Capable\n\t\t\t * for MSI devices.\n\t\t\t */\n\t\t\tentry->pmsi.addr.ir_bits.intr_index_high = ir_index.bits.index_high;\n\t\t\tentry->pmsi.addr.ir_bits.shv = 0U;\n\t\t\tentry->pmsi.addr.ir_bits.intr_format = 0x1U;\n\t\t\tentry->pmsi.addr.ir_bits.intr_index_low = ir_index.bits.index_low;\n\t\t\tentry->pmsi.addr.ir_bits.constant = 0xFEEU;\n\t\t}\n\t} else {\n\t\t/* In case there is no corresponding IOMMU, for example, if the\n\t\t * IOMMU is ignored, pass the MSI info in Compatibility Format\n\t\t */\n\t\tentry->pmsi.data = entry->vmsi.data;\n\t\tentry->pmsi.data.bits.delivery_mode = delmode;\n\t\tentry->pmsi.data.bits.vector = vector;\n\n\t\tentry->pmsi.addr = entry->vmsi.addr;\n\t\tentry->pmsi.addr.bits.dest_field = dest_mask;\n\t\tentry->pmsi.addr.bits.rh = MSI_ADDR_RH;\n\t\tentry->pmsi.addr.bits.dest_mode = MSI_ADDR_DESTMODE_LOGICAL;\n\t}\n\tdev_dbg(DBG_LEVEL_IRQ, \"MSI %s addr:data = 0x%lx:%x(V) -> 0x%lx:%x(P)\",\n\t\t(entry->pmsi.addr.ir_bits.intr_format != 0U) ? \" Remappable Format\" : \"Compatibility Format\",\n\t\tentry->vmsi.addr.full, entry->vmsi.data.full,\n\t\tentry->pmsi.addr.full, entry->pmsi.data.full);\n}", "project": "acrn-hypervisor", "hash": 33726172734294357992535218358538551669, "size": 77, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262893 }, { "func": "static void resume_dmar(struct dmar_drhd_rt *dmar_unit)\n{\n\tuint32_t i;\n\n\t/* restore IOMMU fault register state */\n\tfor (i = 0U; i < IOMMU_FAULT_REGISTER_STATE_NUM; i++) {\n\t\tiommu_write32(dmar_unit, DMAR_FECTL_REG + (i * 
IOMMU_FAULT_REGISTER_SIZE), dmar_unit->fault_state[i]);\n\t}\n\tprepare_dmar(dmar_unit);\n\tenable_dmar(dmar_unit);\n\tdmar_enable_intr_remapping(dmar_unit);\n}", "project": "acrn-hypervisor", "hash": 300672466865212401422958531957336273999, "size": 12, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262837 }, { "func": "static uint32_t calculate_logical_dest_mask(uint64_t pdmask)\n{\n\tuint32_t dest_mask = 0UL;\n\tuint64_t pcpu_mask = pdmask;\n\tuint16_t pcpu_id;\n\n\tpcpu_id = ffs64(pcpu_mask);\n\twhile (pcpu_id < MAX_PCPU_NUM) {\n\t\tbitmap_clear_nolock(pcpu_id, &pcpu_mask);\n\t\tdest_mask |= per_cpu(lapic_ldr, pcpu_id);\n\t\tpcpu_id = ffs64(pcpu_mask);\n\t}\n\treturn dest_mask;\n}", "project": "acrn-hypervisor", "hash": 114373734495820095368231132381021477382, "size": 14, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262847 }, { "func": "static void dmar_invalid_iec(struct dmar_drhd_rt *dmar_unit, uint16_t intr_index,\n\t\t\t\tuint8_t index_mask, bool is_global)\n{\n\tstruct dmar_entry invalidate_desc;\n\n\tinvalidate_desc.hi_64 = 0UL;\n\tinvalidate_desc.lo_64 = DMAR_INV_IEC_DESC;\n\n\tif (is_global) 
{\n\t\tinvalidate_desc.lo_64 |= DMAR_IEC_GLOBAL_INVL;\n\t} else {\n\t\tinvalidate_desc.lo_64 |= DMAR_IECI_INDEXED | dma_iec_index(intr_index, index_mask);\n\t}\n\n\tif (invalidate_desc.lo_64 != 0UL) {\n\t\tdmar_issue_qi_request(dmar_unit, invalidate_desc);\n\t}\n}", "project": "acrn-hypervisor", "hash": 330041240916212031575247144961332073958, "size": 18, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262876 }, { "func": "static void dmar_fault_event_mask(struct dmar_drhd_rt *dmar_unit)\n{\n\tspinlock_obtain(&(dmar_unit->lock));\n\tiommu_write32(dmar_unit, DMAR_FECTL_REG, DMA_FECTL_IM);\n\tspinlock_release(&(dmar_unit->lock));\n}", "project": "acrn-hypervisor", "hash": 159652419545719004997323243596144479063, "size": 6, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262809 }, { "func": "static uint64_t iommu_read64(const struct dmar_drhd_rt *dmar_unit, uint32_t offset)\n{\n\treturn mmio_read64(hpa2hva(dmar_unit->drhd->reg_base_addr + offset));\n}", "project": "acrn-hypervisor", "hash": 307791062171500976586735833681220559963, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate 
input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262889 }, { "func": "static inline uint16_t vmid_to_domainid(uint16_t vm_id)\n{\n\treturn vm_id + 1U;\n}", "project": "acrn-hypervisor", "hash": 259416095190879261342947608859226706914, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262869 }, { "func": "static uint8_t dmar_unit_get_msagw(const struct dmar_drhd_rt *dmar_unit)\n{\n\tuint8_t i;\n\tuint8_t sgaw = iommu_cap_sagaw(dmar_unit->cap);\n\n\tfor (i = 5U; i > 0U; ) {\n\t\ti--;\n\t\tif (((1U << i) & sgaw) != 0U) {\n\t\t\tbreak;\n\t\t}\n\t}\n\treturn i;\n}", "project": "acrn-hypervisor", "hash": 17599732425246227151177199762906206985, "size": 13, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262836 }, { "func": "static void dmar_issue_qi_request(struct dmar_drhd_rt 
*dmar_unit, struct dmar_entry invalidate_desc)\n{\n\tstruct dmar_entry *invalidate_desc_ptr;\n\tuint32_t qi_status = 0U;\n\tuint64_t start;\n\n\tspinlock_obtain(&(dmar_unit->lock));\n\n\tinvalidate_desc_ptr = (struct dmar_entry *)(dmar_unit->qi_queue + dmar_unit->qi_tail);\n\n\tinvalidate_desc_ptr->hi_64 = invalidate_desc.hi_64;\n\tinvalidate_desc_ptr->lo_64 = invalidate_desc.lo_64;\n\tdmar_unit->qi_tail = (dmar_unit->qi_tail + DMAR_QI_INV_ENTRY_SIZE) % DMAR_INVALIDATION_QUEUE_SIZE;\n\n\tinvalidate_desc_ptr++;\n\n\tinvalidate_desc_ptr->hi_64 = hva2hpa(&qi_status);\n\tinvalidate_desc_ptr->lo_64 = DMAR_INV_WAIT_DESC_LOWER;\n\tdmar_unit->qi_tail = (dmar_unit->qi_tail + DMAR_QI_INV_ENTRY_SIZE) % DMAR_INVALIDATION_QUEUE_SIZE;\n\n\tqi_status = DMAR_INV_STATUS_INCOMPLETE;\n\tiommu_write32(dmar_unit, DMAR_IQT_REG, dmar_unit->qi_tail);\n\n\tstart = cpu_ticks();\n\twhile (qi_status != DMAR_INV_STATUS_COMPLETED) {\n\t\tif ((cpu_ticks() - start) > TICKS_PER_MS) {\n\t\t\tpr_err(\"DMAR OP Timeout! @ %s\", __func__);\n\t\t\tbreak;\n\t\t}\n\t\tasm_pause();\n\t}\n\n\tspinlock_release(&(dmar_unit->lock));\n}", "project": "acrn-hypervisor", "hash": 234984670043639029914891305244884528732, "size": 34, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262844 }, { "func": "static void ptirq_free_irte(const struct ptirq_remapping_info *entry)\n{\n\tstruct intr_source intr_src;\n\n\tif (entry->intr_type == PTDEV_INTR_MSI) {\n\t\tintr_src.is_msi = true;\n\t\tintr_src.src.msi.value = entry->phys_sid.msi_id.bdf;\n\t} else {\n\t\tintr_src.is_msi = 
false;\n\t\tintr_src.src.ioapic_id = ioapic_irq_to_ioapic_id(entry->allocated_pirq);\n\t}\n\tdmar_free_irte(&intr_src, entry->irte_idx);\n}", "project": "acrn-hypervisor", "hash": 67067200374995389975897852263995410080, "size": 13, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262856 }, { "func": "static int32_t register_hrhd_units(void)\n{\n\tstruct dmar_drhd_rt *drhd_rt;\n\tuint32_t i;\n\tint32_t ret = 0;\n\n\tfor (i = 0U; i < platform_dmar_info->drhd_count; i++) {\n\t\tdrhd_rt = &dmar_drhd_units[i];\n\t\tdrhd_rt->index = i;\n\t\tdrhd_rt->drhd = &platform_dmar_info->drhd_units[i];\n\t\tdrhd_rt->dmar_irq = IRQ_INVALID;\n\n\t\tset_paging_supervisor(drhd_rt->drhd->reg_base_addr, PAGE_SIZE);\n\n\t\tret = dmar_register_hrhd(drhd_rt);\n\t\tif (ret != 0) {\n\t\t\tbreak;\n\t\t}\n\n\t\tif ((iommu_cap_pi(drhd_rt->cap) == 0U) || (!is_apicv_advanced_feature_supported())) {\n\t\t\tplatform_caps.pi = false;\n\t\t}\n\t}\n\n\treturn ret;\n}", "project": "acrn-hypervisor", "hash": 263353085767692689266109677163067636071, "size": 26, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262895 }, { "func": "static uint16_t alloc_irtes(struct 
dmar_drhd_rt *dmar_unit, const uint16_t num)\n{\n\tuint16_t irte_idx;\n\tuint64_t mask = (1UL << num) - 1U;\n\tuint64_t test_mask;\n\n\tASSERT((bitmap_weight(num) == 1U) && (num <= 32U));\n\n\tspinlock_obtain(&dmar_unit->lock);\n\tfor (irte_idx = 0U; irte_idx < CONFIG_MAX_IR_ENTRIES; irte_idx += num) {\n\t\ttest_mask = mask << (irte_idx & 0x3FU);\n\t\tif ((dmar_unit->irte_alloc_bitmap[irte_idx >> 6U] & test_mask) == 0UL) {\n\t\t\tdmar_unit->irte_alloc_bitmap[irte_idx >> 6U] |= test_mask;\n\t\t\tbreak;\n\t\t}\n\t}\n\tspinlock_release(&dmar_unit->lock);\n\n\treturn (irte_idx < CONFIG_MAX_IR_ENTRIES) ? irte_idx: INVALID_IRTE_ID;\n}", "project": "acrn-hypervisor", "hash": 257918513953198463543102336876624700283, "size": 20, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262833 }, { "func": "static inline uint8_t iommu_ecap_sc(uint64_t ecap)\n{\n\treturn ((uint8_t)(ecap >> 7U) & 1U);\n}", "project": "acrn-hypervisor", "hash": 55125489580783325810470323032616366434, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262882 }, { "func": "static void dmar_disable_intr_remapping(struct dmar_drhd_rt 
*dmar_unit)\n{\n\tuint32_t status;\n\n\tspinlock_obtain(&(dmar_unit->lock));\n\tif ((dmar_unit->gcmd & DMA_GCMD_IRE) != 0U) {\n\t\tdmar_unit->gcmd &= ~DMA_GCMD_IRE;\n\t\tiommu_write32(dmar_unit, DMAR_GCMD_REG, dmar_unit->gcmd);\n\t\t/* 32-bit register */\n\t\tdmar_wait_completion(dmar_unit, DMAR_GSTS_REG, DMA_GSTS_IRES, DMA_GSTS_IRES, &status);\n\t}\n\n\tspinlock_release(&(dmar_unit->lock));\n}", "project": "acrn-hypervisor", "hash": 103180329711441067172855923524978809106, "size": 14, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262867 }, { "func": "void dmar_free_irte(const struct intr_source *intr_src, uint16_t index)\n{\n\tstruct dmar_drhd_rt *dmar_unit;\n\tunion dmar_ir_entry *ir_table, *ir_entry;\n\tunion pci_bdf sid;\n\n\tif (intr_src->is_msi) {\n\t\tdmar_unit = device_to_dmaru((uint8_t)intr_src->src.msi.bits.b, intr_src->src.msi.fields.devfun);\n\t} else {\n\t\tdmar_unit = ioapic_to_dmaru(intr_src->src.ioapic_id, &sid);\n\t}\n\n\tif (is_dmar_unit_valid(dmar_unit, sid)) {\n\t\tir_table = (union dmar_ir_entry *)hpa2hva(dmar_unit->ir_table_addr);\n\t\tir_entry = ir_table + index;\n\t\tir_entry->bits.remap.present = 0x0UL;\n\n\t\tiommu_flush_cache(ir_entry, sizeof(union dmar_ir_entry));\n\t\tdmar_invalid_iec(dmar_unit, index, 0U, false);\n\n\t\tif (!is_irte_reserved(dmar_unit, index)) {\n\t\t\tspinlock_obtain(&dmar_unit->lock);\n\t\t\tbitmap_clear_nolock(index & 0x3FU, &dmar_unit->irte_alloc_bitmap[index >> 6U]);\n\t\t\tspinlock_release(&dmar_unit->lock);\n\t\t}\n\t}\n\n}", "project": "acrn-hypervisor", "hash": 
138533968807108358104095755982502807971, "size": 28, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 1, "dataset": "other", "idx": 197721 }, { "func": "void dmar_free_irte(const struct intr_source *intr_src, uint16_t index)\n{\n\tstruct dmar_drhd_rt *dmar_unit;\n\tunion dmar_ir_entry *ir_table, *ir_entry;\n\tunion pci_bdf sid;\n\n\tif (intr_src->is_msi) {\n\t\tdmar_unit = device_to_dmaru((uint8_t)intr_src->src.msi.bits.b, intr_src->src.msi.fields.devfun);\n\t} else {\n\t\tdmar_unit = ioapic_to_dmaru(intr_src->src.ioapic_id, &sid);\n\t}\n\n\tif (is_dmar_unit_valid(dmar_unit, sid) && (index < CONFIG_MAX_IR_ENTRIES)) {\n\t\tir_table = (union dmar_ir_entry *)hpa2hva(dmar_unit->ir_table_addr);\n\t\tir_entry = ir_table + index;\n\t\tir_entry->bits.remap.present = 0x0UL;\n\n\t\tiommu_flush_cache(ir_entry, sizeof(union dmar_ir_entry));\n\t\tdmar_invalid_iec(dmar_unit, index, 0U, false);\n\n\t\tif (!is_irte_reserved(dmar_unit, index)) {\n\t\t\tspinlock_obtain(&dmar_unit->lock);\n\t\t\tbitmap_clear_nolock(index & 0x3FU, &dmar_unit->irte_alloc_bitmap[index >> 6U]);\n\t\t\tspinlock_release(&dmar_unit->lock);\n\t\t}\n\t}\n\n}", "project": "acrn-hypervisor", "hash": 50934453175337732283896052884663765142, "size": 28, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with 
this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262864 }, { "func": "static inline uint8_t iommu_cap_rwbf(uint64_t cap)\n{\n\treturn ((uint8_t)(cap >> 4U) & 1U);\n}", "project": "acrn-hypervisor", "hash": 178357928351455646643734823497910260335, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262831 }, { "func": "static inline void dmar_wait_completion(const struct dmar_drhd_rt *dmar_unit, uint32_t offset,\n\tuint32_t mask, uint32_t pre_condition, uint32_t *status)\n{\n\t/* variable start isn't used when built as release version */\n\t__unused uint64_t start = cpu_ticks();\n\n\tdo {\n\t\t*status = iommu_read32(dmar_unit, offset);\n\t\tASSERT(((cpu_ticks() - start) < TICKS_PER_MS),\n\t\t\t\"DMAR OP Timeout!\");\n\t\tasm_pause();\n\t} while( (*status & mask) == pre_condition);\n}", "project": "acrn-hypervisor", "hash": 26352405084761864105289855545203166106, "size": 13, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262883 }, { "func": "static void dmar_invalid_context_cache_global(struct dmar_drhd_rt *dmar_unit)\n{\n\tdmar_invalid_context_cache(dmar_unit, 
0U, 0U, 0U, DMAR_CIRG_GLOBAL);\n}", "project": "acrn-hypervisor", "hash": 97669726240410996293457208564429610758, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262885 }, { "func": "static int32_t dmar_register_hrhd(struct dmar_drhd_rt *dmar_unit)\n{\n\tint32_t ret = 0;\n\n\tdev_dbg(DBG_LEVEL_IOMMU, \"Register dmar uint [%d] @0x%lx\", dmar_unit->index, dmar_unit->drhd->reg_base_addr);\n\n\tspinlock_init(&dmar_unit->lock);\n\n\tdmar_unit->cap = iommu_read64(dmar_unit, DMAR_CAP_REG);\n\tdmar_unit->ecap = iommu_read64(dmar_unit, DMAR_ECAP_REG);\n\n\t/*\n\t * The initialization of \"dmar_unit->gcmd\" shall be done via reading from Global Status Register rather than\n\t * Global Command Register.\n\t * According to Chapter 10.4.4 Global Command Register in VT-d spec, Global Command Register is a write-only\n\t * register to control remapping hardware. 
Global Status Register is the corresponding read-only register to\n\t * report remapping hardware status.\n\t */\n\tdmar_unit->gcmd = iommu_read32(dmar_unit, DMAR_GSTS_REG);\n\n\tdmar_unit->cap_msagaw = dmar_unit_get_msagw(dmar_unit);\n\n\tdmar_unit->cap_num_fault_regs = iommu_cap_num_fault_regs(dmar_unit->cap);\n\tdmar_unit->cap_fault_reg_offset = iommu_cap_fault_reg_offset(dmar_unit->cap);\n\tdmar_unit->ecap_iotlb_offset = iommu_ecap_iro(dmar_unit->ecap) * 16U;\n\tdmar_unit->root_table_addr = hva2hpa(get_root_table(dmar_unit->index));\n\tdmar_unit->ir_table_addr = hva2hpa(get_ir_table(dmar_unit->index));\n\n#if DBG_IOMMU\n\tpr_info(\"version:0x%x, cap:0x%lx, ecap:0x%lx\",\n\t\tiommu_read32(dmar_unit, DMAR_VER_REG), dmar_unit->cap, dmar_unit->ecap);\n\tpr_info(\"sagaw:0x%x, msagaw:0x%x, iotlb offset 0x%x\",\n\t\tiommu_cap_sagaw(dmar_unit->cap), dmar_unit->cap_msagaw, dmar_unit->ecap_iotlb_offset);\n\n\tdmar_unit_show_capability(dmar_unit);\n#endif\n\n\t/* check capability */\n\tif ((iommu_cap_super_page_val(dmar_unit->cap) & 0x1U) == 0U) {\n\t\tpr_fatal(\"%s: dmar uint doesn't support 2MB page!\\n\", __func__);\n\t\tret = -ENODEV;\n\t} else if ((iommu_cap_super_page_val(dmar_unit->cap) & 0x2U) == 0U) {\n\t\tpr_fatal(\"%s: dmar uint doesn't support 1GB page!\\n\", __func__);\n\t\tret = -ENODEV;\n\t} else if (iommu_ecap_qi(dmar_unit->ecap) == 0U) {\n\t\tpr_fatal(\"%s: dmar unit doesn't support Queued Invalidation!\", __func__);\n\t\tret = -ENODEV;\n\t} else if (iommu_ecap_ir(dmar_unit->ecap) == 0U) {\n\t\tpr_fatal(\"%s: dmar unit doesn't support Interrupt Remapping!\", __func__);\n\t\tret = -ENODEV;\n\t} else if (iommu_ecap_eim(dmar_unit->ecap) == 0U) {\n\t\tpr_fatal(\"%s: dmar unit doesn't support Extended Interrupt Mode!\", __func__);\n\t\tret = -ENODEV;\n\t} else {\n\t\tif ((iommu_ecap_c(dmar_unit->ecap) == 0U) && (!dmar_unit->drhd->ignore)) {\n\t\t\tiommu_page_walk_coherent = false;\n\t\t}\n\t\tdmar_disable_translation(dmar_unit);\n\t}\n\n\treturn ret;\n}", 
"project": "acrn-hypervisor", "hash": 47820234086572192003282431581194845005, "size": 62, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262884 }, { "func": "static void dmar_fault_handler(uint32_t irq, void *data)\n{\n\tstruct dmar_drhd_rt *dmar_unit = (struct dmar_drhd_rt *)data;\n\tuint32_t fsr;\n\tuint32_t index;\n\tuint32_t record_reg_offset;\n\tstruct dmar_entry fault_record;\n\tint32_t loop = 0;\n\n\tdev_dbg(DBG_LEVEL_IOMMU, \"%s: irq = %d\", __func__, irq);\n\n\tfsr = iommu_read32(dmar_unit, DMAR_FSTS_REG);\n\n#if DBG_IOMMU\n\tfault_status_analysis(fsr);\n#endif\n\n\twhile (dma_fsts_ppf(fsr)) {\n\t\tloop++;\n\t\tindex = dma_fsts_fri(fsr);\n\t\trecord_reg_offset = (uint32_t)dmar_unit->cap_fault_reg_offset + (index * 16U);\n\t\tif (index >= dmar_unit->cap_num_fault_regs) {\n\t\t\tdev_dbg(DBG_LEVEL_IOMMU, \"%s: invalid FR Index\", __func__);\n\t\t\tbreak;\n\t\t}\n\n\t\t/* read 128-bit fault recording register */\n\t\tfault_record.lo_64 = iommu_read64(dmar_unit, record_reg_offset);\n\t\tfault_record.hi_64 = iommu_read64(dmar_unit, record_reg_offset + 8U);\n\n\t\tdev_dbg(DBG_LEVEL_IOMMU, \"%s: record[%d] @0x%x: 0x%lx, 0x%lx\",\n\t\t\t__func__, index, record_reg_offset, fault_record.lo_64, fault_record.hi_64);\n\n\t\tfault_record_analysis(fault_record.lo_64, fault_record.hi_64);\n\n\t\t/* write to clear */\n\t\tiommu_write64(dmar_unit, record_reg_offset, fault_record.lo_64);\n\t\tiommu_write64(dmar_unit, record_reg_offset + 8U, fault_record.hi_64);\n\n#ifdef DMAR_FAULT_LOOP_MAX\n\t\tif (loop > DMAR_FAULT_LOOP_MAX) 
{\n\t\t\tdev_dbg(DBG_LEVEL_IOMMU, \"%s: loop more than %d times\", __func__, DMAR_FAULT_LOOP_MAX);\n\t\t\tbreak;\n\t\t}\n#endif\n\n\t\tfsr = iommu_read32(dmar_unit, DMAR_FSTS_REG);\n\t}\n}", "project": "acrn-hypervisor", "hash": 131326322428652271154762202171324994461, "size": 49, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262870 }, { "func": "static void dmar_invalid_iotlb_global(struct dmar_drhd_rt *dmar_unit)\n{\n\tdmar_invalid_iotlb(dmar_unit, 0U, 0UL, 0U, false, DMAR_IIRG_GLOBAL);\n}", "project": "acrn-hypervisor", "hash": 39982096750574730332446818101270455351, "size": 4, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262866 } ] }, { "call_depth": 2, "longest_call_chain": [ "debug2_f", "debug_f" ], "group_size": 7, "functions": [ { "func": "process_remove_all_identities(SocketEntry *e)\n{\n\tIdentity *id;\n\n\tdebug2_f(\"entering\");\n\t/* Loop over all identities and clear the keys. */\n\tfor (id = TAILQ_FIRST(&idtab->idlist); id;\n\t id = TAILQ_FIRST(&idtab->idlist)) {\n\t\tTAILQ_REMOVE(&idtab->idlist, id, next);\n\t\tfree_identity(id);\n\t}\n\n\t/* Mark that there are no identities. 
*/\n\tidtab->nentries = 0;\n\n\t/* Send success. */\n\tsend_status(e, 1);\n}", "project": "openssh-portable", "hash": 275837520665930495131465882145410561086, "size": 18, "commit_id": "e04fd6dde16de1cdc5a4d9946397ff60d96568db", "message": "upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own\n\nfunction and remove an unused variable; ok dtucker@\n\nOpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559", "target": 0, "dataset": "other", "idx": 400203 }, { "func": "process_remove_smartcard_key(SocketEntry *e)\n{\n\tchar *provider = NULL, *pin = NULL, canonical_provider[PATH_MAX];\n\tint r, success = 0;\n\tIdentity *id, *nxt;\n\n\tdebug2_f(\"entering\");\n\tif ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||\n\t (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {\n\t\terror_fr(r, \"parse\");\n\t\tgoto send;\n\t}\n\tfree(pin);\n\n\tif (realpath(provider, canonical_provider) == NULL) {\n\t\tverbose(\"failed PKCS#11 add of \\\"%.100s\\\": realpath: %s\",\n\t\t provider, strerror(errno));\n\t\tgoto send;\n\t}\n\n\tdebug_f(\"remove %.100s\", canonical_provider);\n\tfor (id = TAILQ_FIRST(&idtab->idlist); id; id = nxt) {\n\t\tnxt = TAILQ_NEXT(id, next);\n\t\t/* Skip file--based keys */\n\t\tif (id->provider == NULL)\n\t\t\tcontinue;\n\t\tif (!strcmp(canonical_provider, id->provider)) {\n\t\t\tTAILQ_REMOVE(&idtab->idlist, id, next);\n\t\t\tfree_identity(id);\n\t\t\tidtab->nentries--;\n\t\t}\n\t}\n\tif (pkcs11_del_provider(canonical_provider) == 0)\n\t\tsuccess = 1;\n\telse\n\t\terror_f(\"pkcs11_del_provider failed\");\nsend:\n\tfree(provider);\n\tsend_status(e, success);\n}", "project": "openssh-portable", "hash": 261217069644634353000324757692276618805, "size": 40, "commit_id": "e04fd6dde16de1cdc5a4d9946397ff60d96568db", "message": "upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own\n\nfunction and remove an unused variable; ok dtucker@\n\nOpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559", "target": 0, 
"dataset": "other", "idx": 400212 }, { "func": "process_remove_identity(SocketEntry *e)\n{\n\tint r, success = 0;\n\tstruct sshkey *key = NULL;\n\tIdentity *id;\n\n\tdebug2_f(\"entering\");\n\tif ((r = sshkey_froms(e->request, &key)) != 0) {\n\t\terror_fr(r, \"parse key\");\n\t\tgoto done;\n\t}\n\tif ((id = lookup_identity(key)) == NULL) {\n\t\tdebug_f(\"key not found\");\n\t\tgoto done;\n\t}\n\t/* We have this key, free it. */\n\tif (idtab->nentries < 1)\n\t\tfatal_f(\"internal error: nentries %d\", idtab->nentries);\n\tTAILQ_REMOVE(&idtab->idlist, id, next);\n\tfree_identity(id);\n\tidtab->nentries--;\n\tsuccess = 1;\n done:\n\tsshkey_free(key);\n\tsend_status(e, success);\n}", "project": "openssh-portable", "hash": 233418217744327733471628825300568326798, "size": 26, "commit_id": "e04fd6dde16de1cdc5a4d9946397ff60d96568db", "message": "upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own\n\nfunction and remove an unused variable; ok dtucker@\n\nOpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559", "target": 0, "dataset": "other", "idx": 400215 }, { "func": "void RGWDeleteMultiObj_ObjStore_S3::begin_response()\n{\n\n if (!status_dumped) {\n send_status();\n }\n\n dump_start(s);\n // Explicitly use chunked transfer encoding so that we can stream the result\n // to the user without having to wait for the full length of it.\n end_header(s, this, \"application/xml\", CHUNKED_TRANSFER_ENCODING);\n s->formatter->open_object_section_in_ns(\"DeleteResult\", XMLNS_AWS_S3);\n\n rgw_flush_formatter(s, s->formatter);\n}", "project": "ceph", "hash": 332660078588225218675937152850419892417, "size": 15, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281304 }, { "func": "check_websafe_message_contents(struct sshkey 
*key, struct sshbuf *data)\n{\n\tif (parse_userauth_request(data, key, NULL, NULL) == 0) {\n\t\tdebug_f(\"signed data matches public key userauth request\");\n\t\treturn 1;\n\t}\n\tif (parse_sshsig_request(data) == 0) {\n\t\tdebug_f(\"signed data matches SSHSIG signature request\");\n\t\treturn 1;\n\t}\n\n\t/* XXX check CA signature operation */\n\n\terror(\"web-origin key attempting to sign non-SSH message\");\n\treturn 0;\n}", "project": "openssh-portable", "hash": 94414650975989015401343188559328850583, "size": 16, "commit_id": "e04fd6dde16de1cdc5a4d9946397ff60d96568db", "message": "upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own\n\nfunction and remove an unused variable; ok dtucker@\n\nOpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559", "target": 0, "dataset": "other", "idx": 400205 }, { "func": "void RGWDeleteMultiObj_ObjStore_S3::send_status()\n{\n if (! status_dumped) {\n if (op_ret < 0)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n status_dumped = true;\n }\n}", "project": "ceph", "hash": 95896404765574947139478229686403816768, "size": 9, "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9", "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin \nReviewed-by: Casey Bodley \n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)", "target": 0, "dataset": "other", "idx": 281343 }, { "func": "cleanup_socket(void)\n{\n\tif (cleanup_pid != 0 && getpid() != cleanup_pid)\n\t\treturn;\n\tdebug_f(\"cleanup\");\n\tif (socket_name[0])\n\t\tunlink(socket_name);\n\tif (socket_dir[0])\n\t\trmdir(socket_dir);\n}", "project": "openssh-portable", "hash": 87121643524217193124657239811359304178, "size": 10, "commit_id": "e04fd6dde16de1cdc5a4d9946397ff60d96568db", "message": "upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own\n\nfunction and remove an unused variable; ok dtucker@\n\nOpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559", "target": 0, "dataset": 
"other", "idx": 400218 } ] }, { "call_depth": 2, "longest_call_chain": [ "ptirq_softirq", "ptirq_handle_intx" ], "group_size": 2, "functions": [ { "func": "void ptirq_softirq(uint16_t pcpu_id)\n{\n\twhile (1) {\n\t\tstruct ptirq_remapping_info *entry = ptirq_dequeue_softirq(pcpu_id);\n\t\tstruct msi_info *vmsi;\n\n\t\tif (entry == NULL) {\n\t\t\tbreak;\n\t\t}\n\n\t\tvmsi = &entry->vmsi;\n\n\t\t/* skip any inactive entry */\n\t\tif (!is_entry_active(entry)) {\n\t\t\t/* service next item */\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* handle real request */\n\t\tif (entry->intr_type == PTDEV_INTR_INTX) {\n\t\t\tptirq_handle_intx(entry->vm, entry);\n\t\t} else {\n\t\t\tif (vmsi != NULL) {\n\t\t\t\t/* TODO: vmsi destmode check required */\n\t\t\t\t(void)vlapic_inject_msi(entry->vm, vmsi->addr.full, vmsi->data.full);\n\t\t\t\tdev_dbg(DBG_LEVEL_PTIRQ, \"dev-assign: irq=0x%x MSI VR: 0x%x-0x%x\",\n\t\t\t\t\tentry->allocated_pirq, vmsi->data.bits.vector,\n\t\t\t\t\tirq_to_vector(entry->allocated_pirq));\n\t\t\t\tdev_dbg(DBG_LEVEL_PTIRQ, \" vmsi_addr: 0x%lx vmsi_data: 0x%x\",\n\t\t\t\t\tvmsi->addr.full, vmsi->data.full);\n\t\t\t}\n\t\t}\n\t}\n}", "project": "acrn-hypervisor", "hash": 167870194102671047047732573790010397887, "size": 34, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262868 }, { "func": "static void ptirq_handle_intx(struct acrn_vm *vm,\n\t\tconst struct ptirq_remapping_info *entry)\n{\n\tconst union source_id *virt_sid = &entry->virt_sid;\n\n\tswitch (virt_sid->intx_id.ctlr) {\n\tcase INTX_CTLR_IOAPIC:\n\t{\n\t\tunion ioapic_rte rte;\n\t\tbool 
trigger_lvl = false;\n\n\t\t/* INTX_CTLR_IOAPIC means we have vioapic enabled */\n\t\tvioapic_get_rte(vm, (uint32_t)virt_sid->intx_id.gsi, &rte);\n\t\tif (rte.bits.trigger_mode == IOAPIC_RTE_TRGRMODE_LEVEL) {\n\t\t\ttrigger_lvl = true;\n\t\t}\n\n\t\tif (trigger_lvl) {\n\t\t\tif (entry->polarity != 0U) {\n\t\t\t\tvioapic_set_irqline_lock(vm, virt_sid->intx_id.gsi, GSI_SET_LOW);\n\t\t\t} else {\n\t\t\t\tvioapic_set_irqline_lock(vm, virt_sid->intx_id.gsi, GSI_SET_HIGH);\n\t\t\t}\n\t\t} else {\n\t\t\tif (entry->polarity != 0U) {\n\t\t\t\tvioapic_set_irqline_lock(vm, virt_sid->intx_id.gsi, GSI_FALLING_PULSE);\n\t\t\t} else {\n\t\t\t\tvioapic_set_irqline_lock(vm, virt_sid->intx_id.gsi, GSI_RAISING_PULSE);\n\t\t\t}\n\t\t}\n\n\t\tdev_dbg(DBG_LEVEL_PTIRQ,\n\t\t\t\"dev-assign: irq=0x%x assert vr: 0x%x vRTE=0x%lx\",\n\t\t\tentry->allocated_pirq,\n\t\t\tirq_to_vector(entry->allocated_pirq),\n\t\t\trte.full);\n\t\tbreak;\n\t}\n\tcase INTX_CTLR_PIC:\n\t{\n\t\tenum vpic_trigger trigger;\n\n\t\t/* INTX_CTLR_PIC means we have vpic enabled */\n\t\tvpic_get_irqline_trigger_mode(vm_pic(vm), virt_sid->intx_id.gsi, &trigger);\n\t\tif (trigger == LEVEL_TRIGGER) {\n\t\t\tvpic_set_irqline(vm_pic(vm), virt_sid->intx_id.gsi, GSI_SET_HIGH);\n\t\t} else {\n\t\t\tvpic_set_irqline(vm_pic(vm), virt_sid->intx_id.gsi, GSI_RAISING_PULSE);\n\t\t}\n\t\tbreak;\n\t}\n\tdefault:\n\t\t/*\n\t\t * In this switch statement, virt_sid->intx_id.ctlr shall\n\t\t * either be INTX_CTLR_IOAPIC or INTX_CTLR_PIC.\n\t\t * Gracefully return if prior case clauses have not been met.\n\t\t */\n\t\tbreak;\n\t}\n}", "project": "acrn-hypervisor", "hash": 40687691057550918067436248302085994150, "size": 60, "commit_id": "25c0e3817eb332660dd63d1d4522e63dcc94e79a", "message": "hv: validate input for dmar_free_irte function\n\n Malicious input 'index' may trigger buffer\n overflow on array 'irte_alloc_bitmap[]'.\n\n This patch validate that 'index' shall be\n less than 'CONFIG_MAX_IR_ENTRIES' and also\n remove unnecessary check 
on 'index' in\n 'ptirq_free_irte()' function with this fix.\n\nTracked-On: #6132\nSigned-off-by: Yonghua Huang ", "target": 0, "dataset": "other", "idx": 262817 } ] }, { "call_depth": 3, "longest_call_chain": [ "log", "active", "isXenonActive" ], "group_size": 6, "functions": [ { "func": "void onStrobelightSignal(int signo) {\n if (!RuntimeOption::StrobelightEnabled) {\n // Handle the signal so we don't crash, but do nothing.\n return;\n }\n\n if (signo == strobelight::kSignumCurrent) {\n // sets on only current thread\n if (rds::isFullyInitialized()) {\n // Ignore threads that are not serving requests, otherwise this segfaults\n if (!Strobelight::isXenonActive()) {\n // Do not set the flag if Xenon is actively profiling this request\n setSurpriseFlag(XenonSignalFlag);\n }\n }\n }\n\n // surpriseAll currently has an issue where the isXenonActive() check will\n // try to access s_xenonData->getIsProfiledRequest() to check if the current\n // request is profiling. The problem is that you really want to check if the\n // request t is profiling. 
The current thread may not even be a request thread.\n // If we ever want to start using this signal for profiling,\n // we will need to figure out how to work around that problem.\n // if (signo == strobelight::kSignumAll) {\n // // sets on ALL threads\n // Strobelight::getInstance().surpriseAll();\n // }\n}", "project": "hhvm", "hash": 275356761552801735383089492999709697288, "size": 28, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219168 }, { "func": "void Strobelight::surpriseAll() {\n RequestInfo::ExecutePerRequest(\n [] (RequestInfo* t) {\n // TODO: get a dedicated surprise flag to avoid colliding with xenon\n // Set the strobelight flag to collect a sample\n // TODO: isXenonActive() needs to check the request thread and not the\n // current thread (which may not even be a request)\n if (!isXenonActive()) {\n // Xenon has first crack at profiling requests. If a request\n // is marked as being profiled, we do not allow strobelight to\n // interfere with Xenon's profiling. 
In practice, collisions\n // should be extremely rare.\n t->m_reqInjectionData.setFlag(XenonSignalFlag);\n }\n }\n );\n}", "project": "hhvm", "hash": 297838356118481566379107800693703058065, "size": 17, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219308 }, { "func": "bool Strobelight::isXenonActive() {\n if (RuntimeOption::XenonForceAlwaysOn) {\n return true;\n }\n\n bool xenonProfiled = Xenon::getInstance().getIsProfiledRequest();\n if (xenonProfiled) {\n return true;\n }\n\n return false;\n}", "project": "hhvm", "hash": 297123363444453326010313011470616629324, "size": 12, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219684 }, { "func": "void Strobelight::log(c_WaitableWaitHandle* wh) const {\n if (RuntimeOption::XenonForceAlwaysOn) {\n // Disable strobelight if Xenon forced on\n // TODO remove this when strobelight has its own surpriseFlag\n return;\n }\n\n if (getSurpriseFlag(XenonSignalFlag)) {\n // TODO remove this when strobelight has its own surpriseFlag\n clearSurpriseFlag(XenonSignalFlag);\n }\n\n TRACE(1, \"Strobelight::log\\n\");\n if (active()) {\n // TODO We should filter only to hhvm samples which directly\n // caused a PMU event to fire. 
This is doable by storing hhvm\n // request IDs in a bpf map and checking for an entry here.\n auto bt = createBacktrace(BacktraceArgs()\n .fromWaitHandle(wh)\n // TODO\n // .withMetadata()\n .ignoreArgs());\n logToUSDT(bt);\n }\n}", "project": "hhvm", "hash": 65802561629527027805702110319424733976, "size": 25, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219486 }, { "func": "bool Strobelight::active() {\n if (rds::isFullyInitialized() && isXenonActive()) {\n // if Xenon owns this request, back off\n return false;\n }\n\n // return true if a USDT probe function is listening\n return FOLLY_SDT_IS_ENABLED(hhvm, hhvm_stack);\n}", "project": "hhvm", "hash": 237208956696650508551097277908650710808, "size": 9, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219288 }, { "func": "bool logToUSDT(const Array& bt) {\n std::lock_guard lock(usdt_mutex);\n\n memset(&bt_slab, 0, sizeof(bt_slab));\n\n int i = 0;\n IterateVNoInc(\n bt.get(),\n [&](TypedValue tv) -> bool {\n\n if (i >= strobelight::kMaxStackframes) {\n return true;\n }\n\n assertx(isArrayLikeType(type(tv)));\n ArrayData* bt_frame = val(tv).parr;\n strobelight::backtrace_frame_t* frame = &bt_slab.frames[i];\n\n auto const line = bt_frame->get(s_line.get());\n if (line.is_init()) {\n assertx(isIntType(type(line)));\n frame->line = val(line).num;\n }\n\n auto const file_name = bt_frame->get(s_file.get());\n if (file_name.is_init()) {\n assertx(isStringType(type(file_name)));\n strncpy(frame->file_name,\n val(file_name).pstr->data(),\n std::min(\n val(file_name).pstr->size(),\n strobelight::kFileNameMax\n ));\n frame->file_name[strobelight::kFileNameMax - 1] = '\\0';\n }\n\n auto const class_name = bt_frame->get(s_class.get());\n if 
(class_name.is_init()) {\n assertx(isStringType(type(class_name)));\n strncpy(frame->class_name,\n val(class_name).pstr->data(),\n std::min(\n val(class_name).pstr->size(),\n strobelight::kClassNameMax\n ));\n frame->class_name[strobelight::kClassNameMax - 1] = '\\0';\n }\n\n auto const function_name = bt_frame->get(s_function.get());\n if (function_name.is_init()) {\n assertx(isStringType(type(function_name)));\n strncpy(frame->function,\n val(function_name).pstr->data(),\n std::min(\n val(function_name).pstr->size(),\n strobelight::kFunctionMax\n ));\n frame->function[strobelight::kFunctionMax - 1] = '\\0';\n }\n\n i++;\n return false;\n }\n );\n bt_slab.len = i;\n\n // Allow BPF to read the now-formatted stacktrace\n FOLLY_SDT_WITH_SEMAPHORE(hhvm, hhvm_stack, &bt_slab);\n\n return true;\n}", "project": "hhvm", "hash": 255038990099362447895056929601605394109, "size": 71, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219687 } ] }, { "call_depth": 2, "longest_call_chain": [ "ip6_finish_output", "ip6_finish_output2" ], "group_size": 2, "functions": [ { "func": "static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *skb)\n{\n\tint ret;\n\n\tret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb);\n\tif (ret) {\n\t\tkfree_skb(skb);\n\t\treturn ret;\n\t}\n\n\tif ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||\n\t dst_allfrag(skb_dst(skb)) ||\n\t (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size))\n\t\treturn ip6_fragment(net, sk, skb, ip6_finish_output2);\n\telse\n\t\treturn ip6_finish_output2(net, sk, skb);\n}", "project": "net", "hash": 173391233394261615101596866343974653547, "size": 17, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, 
consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 468972 }, { "func": "static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *skb)\n{\n\tstruct dst_entry *dst = skb_dst(skb);\n\tstruct net_device *dev = dst->dev;\n\tstruct neighbour *neigh;\n\tstruct in6_addr *nexthop;\n\tint ret;\n\n\tif (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr)) {\n\t\tstruct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));\n\n\t\tif (!(dev->flags & IFF_LOOPBACK) && sk_mc_loop(sk) &&\n\t\t ((mroute6_socket(net, skb) &&\n\t\t !(IP6CB(skb)->flags & IP6SKB_FORWARDED)) ||\n\t\t ipv6_chk_mcast_addr(dev, &ipv6_hdr(skb)->daddr,\n\t\t\t\t\t &ipv6_hdr(skb)->saddr))) {\n\t\t\tstruct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);\n\n\t\t\t/* Do not check for IFF_ALLMULTI; multicast routing\n\t\t\t is not supported in any case.\n\t\t\t */\n\t\t\tif (newskb)\n\t\t\t\tNF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING,\n\t\t\t\t\tnet, sk, newskb, NULL, newskb->dev,\n\t\t\t\t\tdev_loopback_xmit);\n\n\t\t\tif (ipv6_hdr(skb)->hop_limit == 0) {\n\t\t\t\tIP6_INC_STATS(net, idev,\n\t\t\t\t\t IPSTATS_MIB_OUTDISCARDS);\n\t\t\t\tkfree_skb(skb);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t}\n\n\t\tIP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, skb->len);\n\n\t\tif (IPV6_ADDR_MC_SCOPE(&ipv6_hdr(skb)->daddr) <=\n\t\t IPV6_ADDR_SCOPE_NODELOCAL &&\n\t\t !(dev->flags & IFF_LOOPBACK)) {\n\t\t\tkfree_skb(skb);\n\t\t\treturn 0;\n\t\t}\n\t}\n\n\tif 
(lwtunnel_xmit_redirect(dst->lwtstate)) {\n\t\tint res = lwtunnel_xmit(skb);\n\n\t\tif (res < 0 || res == LWTUNNEL_XMIT_DONE)\n\t\t\treturn res;\n\t}\n\n\trcu_read_lock_bh();\n\tnexthop = rt6_nexthop((struct rt6_info *)dst, &ipv6_hdr(skb)->daddr);\n\tneigh = __ipv6_neigh_lookup_noref(dst->dev, nexthop);\n\tif (unlikely(!neigh))\n\t\tneigh = __neigh_create(&nd_tbl, nexthop, dst->dev, false);\n\tif (!IS_ERR(neigh)) {\n\t\tsock_confirm_neigh(skb, neigh);\n\t\tret = neigh_output(neigh, skb);\n\t\trcu_read_unlock_bh();\n\t\treturn ret;\n\t}\n\trcu_read_unlock_bh();\n\n\tIP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);\n\tkfree_skb(skb);\n\treturn -EINVAL;\n}", "project": "net", "hash": 269156094465471502493401818799647528413, "size": 68, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 468995 } ] }, { "call_depth": 4, "longest_call_chain": [ "zend_throw_exception_object", "zend_throw_exception_internal", "zend_exception_error", "zend_error_va" ], "group_size": 7, "functions": [ { "func": "ZEND_API void zend_exception_error(zval *exception, int severity TSRMLS_DC) /* {{{ */\n{\n\tzend_class_entry *ce_exception = Z_OBJCE_P(exception);\n\tif (instanceof_function(ce_exception, default_exception_ce TSRMLS_CC)) {\n\t\tzval *str, *file, *line;\n\n\t\tEG(exception) = NULL;\n\n\t\tzend_call_method_with_0_params(&exception, ce_exception, NULL, \"__tostring\", &str);\n\t\tif (!EG(exception)) {\n\t\t\tif (Z_TYPE_P(str) != IS_STRING) {\n\t\t\t\tzend_error(E_WARNING, \"%s::__toString() must return a string\", ce_exception->name);\n\t\t\t} else {\n\t\t\t\tzend_update_property_string(default_exception_ce, exception, \"string\", sizeof(\"string\")-1, EG(exception) ? ce_exception->name : Z_STRVAL_P(str) TSRMLS_CC);\n\t\t\t}\n\t\t}\n\t\tzval_ptr_dtor(&str);\n\n\t\tif (EG(exception)) {\n\t\t\t/* do the best we can to inform about the inner exception */\n\t\t\tif (instanceof_function(ce_exception, default_exception_ce TSRMLS_CC)) {\n\t\t\t\tfile = zend_read_property(default_exception_ce, EG(exception), \"file\", sizeof(\"file\")-1, 1 TSRMLS_CC);\n\t\t\t\tline = zend_read_property(default_exception_ce, EG(exception), \"line\", sizeof(\"line\")-1, 1 TSRMLS_CC);\n\n\t\t\t\tconvert_to_string(file);\n\t\t\t\tfile = (Z_STRLEN_P(file) > 0) ? file : NULL;\n\t\t\t\tline = (Z_TYPE_P(line) == IS_LONG) ? line : NULL;\n\t\t\t} else {\n\t\t\t\tfile = NULL;\n\t\t\t\tline = NULL;\n\t\t\t}\n\t\t\tzend_error_va(E_WARNING, file ? Z_STRVAL_P(file) : NULL, line ? 
Z_LVAL_P(line) : 0, \"Uncaught %s in exception handling during call to %s::__tostring()\", Z_OBJCE_P(EG(exception))->name, ce_exception->name);\n\t\t}\n\n\t\tstr = zend_read_property(default_exception_ce, exception, \"string\", sizeof(\"string\")-1, 1 TSRMLS_CC);\n\t\tfile = zend_read_property(default_exception_ce, exception, \"file\", sizeof(\"file\")-1, 1 TSRMLS_CC);\n\t\tline = zend_read_property(default_exception_ce, exception, \"line\", sizeof(\"line\")-1, 1 TSRMLS_CC);\n\n\t\tconvert_to_string(str);\n\t\tconvert_to_string(file);\n\t\tconvert_to_long(line);\n\n\t\tzend_error_va(severity, (Z_STRLEN_P(file) > 0) ? Z_STRVAL_P(file) : NULL, Z_LVAL_P(line), \"Uncaught %s\\n thrown\", Z_STRVAL_P(str));\n\t} else {\n\t\tzend_error(severity, \"Uncaught exception '%s'\", ce_exception->name);\n\t}\n}", "project": "php-src", "hash": 233019637263204593162642334084906168743, "size": 47, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374469 }, { "func": "ZEND_API void zend_throw_exception_object(zval *exception TSRMLS_DC) /* {{{ */\n{\n\tzend_class_entry *exception_ce;\n\n\tif (exception == NULL || Z_TYPE_P(exception) != IS_OBJECT) {\n\t\tzend_error(E_ERROR, \"Need to supply an object when throwing an exception\");\n\t}\n\n\texception_ce = Z_OBJCE_P(exception);\n\n\tif (!exception_ce || !instanceof_function(exception_ce, default_exception_ce TSRMLS_CC)) {\n\t\tzend_error(E_ERROR, \"Exceptions must be valid objects derived from the Exception base class\");\n\t}\n\tzend_throw_exception_internal(exception TSRMLS_CC);\n}", "project": "php-src", "hash": 168358188494444651132316427800666457773, "size": 15, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374451 }, { "func": "static void zend_error_va(int type, const char *file, uint lineno, const char *format, ...) 
/* {{{ */\n{\n\tva_list args;\n\n\tva_start(args, format);\n\tzend_error_cb(type, file, lineno, format, args);\n\tva_end(args);\n}", "project": "php-src", "hash": 313633724532951233240989058937036034067, "size": 8, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374463 }, { "func": "void zend_exception_restore(TSRMLS_D) /* {{{ */\n{\n\tif (EG(prev_exception)) {\n\t\tif (EG(exception)) {\n\t\t\tzend_exception_set_previous(EG(exception), EG(prev_exception) TSRMLS_CC);\n\t\t} else {\n\t\t\tEG(exception) = EG(prev_exception);\n\t\t}\n\t\tEG(prev_exception) = NULL;\n\t}\n}", "project": "php-src", "hash": 65940455749340376476088943638997947991, "size": 11, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374462 }, { "func": "void zend_exception_set_previous(zval *exception, zval *add_previous TSRMLS_DC)\n{\n\tzval *previous;\n\n\tif (exception == add_previous || !add_previous || !exception) {\n\t\treturn;\n\t}\n\tif (Z_TYPE_P(add_previous) != IS_OBJECT && !instanceof_function(Z_OBJCE_P(add_previous), default_exception_ce TSRMLS_CC)) {\n\t\tzend_error(E_ERROR, \"Cannot set non exception as previous exception\");\n\t\treturn;\n\t}\n\twhile (exception && exception != add_previous && Z_OBJ_HANDLE_P(exception) != Z_OBJ_HANDLE_P(add_previous)) {\n\t\tprevious = zend_read_property(default_exception_ce, exception, \"previous\", sizeof(\"previous\")-1, 1 TSRMLS_CC);\n\t\tif (Z_TYPE_P(previous) == IS_NULL) {\n\t\t\tzend_update_property(default_exception_ce, exception, \"previous\", sizeof(\"previous\")-1, add_previous TSRMLS_CC);\n\t\t\tZ_DELREF_P(add_previous);\n\t\t\treturn;\n\t\t}\n\t\texception = previous;\n\t}\n}", "project": "php-src", "hash": 159666285129417513959591408876495337624, "size": 21, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 
0, "dataset": "other", "idx": 374466 }, { "func": "void zend_throw_exception_internal(zval *exception TSRMLS_DC) /* {{{ */\n{\n#ifdef HAVE_DTRACE\n\tif (DTRACE_EXCEPTION_THROWN_ENABLED()) {\n\t\tconst char *classname;\n\t\tzend_uint name_len;\n\n\t\tif (exception != NULL) {\n\t\t\tzend_get_object_classname(exception, &classname, &name_len TSRMLS_CC);\n\t\t\tDTRACE_EXCEPTION_THROWN((char *)classname);\n\t\t} else {\n\t\t\tDTRACE_EXCEPTION_THROWN(NULL);\n\t\t}\n\t}\n#endif /* HAVE_DTRACE */\n\n\tif (exception != NULL) {\n\t\tzval *previous = EG(exception);\n\t\tzend_exception_set_previous(exception, EG(exception) TSRMLS_CC);\n\t\tEG(exception) = exception;\n\t\tif (previous) {\n\t\t\treturn;\n\t\t}\n\t}\n\tif (!EG(current_execute_data)) {\n\t\tif(EG(exception)) {\n\t\t\tzend_exception_error(EG(exception), E_ERROR TSRMLS_CC);\n\t\t}\n\t\tzend_error(E_ERROR, \"Exception thrown without a stack frame\");\n\t}\n\n\tif (zend_throw_exception_hook) {\n\t\tzend_throw_exception_hook(exception TSRMLS_CC);\n\t}\n\n\tif (EG(current_execute_data)->opline == NULL ||\n\t (EG(current_execute_data)->opline+1)->opcode == ZEND_HANDLE_EXCEPTION) {\n\t\t/* no need to rethrow the exception */\n\t\treturn;\n\t}\n\tEG(opline_before_exception) = EG(current_execute_data)->opline;\n\tEG(current_execute_data)->opline = EG(exception_op);\n}", "project": "php-src", "hash": 247917911400170479938783393940056166910, "size": 43, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374455 }, { "func": "void zend_exception_save(TSRMLS_D) /* {{{ */\n{\n\tif (EG(prev_exception)) {\n\t\tzend_exception_set_previous(EG(exception), EG(prev_exception) TSRMLS_CC);\n\t}\n\tif (EG(exception)) {\n\t\tEG(prev_exception) = EG(exception);\n\t}\n\tEG(exception) = NULL;\n}", "project": "php-src", "hash": 116066607902918107578657479066223949823, "size": 10, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes 
for bug #69152", "target": 0, "dataset": "other", "idx": 374448 } ] }, { "call_depth": 2, "longest_call_chain": [ "gdi_CopyOverlap", "gdi_CRgnToRect" ], "group_size": 6, "functions": [ { "func": "INLINE void gdi_CRgnToRect(INT64 x, INT64 y, INT32 w, INT32 h, HGDI_RECT rect)\n{\n\tBOOL invalid = FALSE;\n\tconst INT64 r = x + w - 1;\n\tconst INT64 b = y + h - 1;\n\trect->left = (x > 0) ? x : 0;\n\trect->top = (y > 0) ? y : 0;\n\trect->right = rect->left;\n\trect->bottom = rect->top;\n\n\tif (r > 0)\n\t\trect->right = r;\n\telse\n\t\tinvalid = TRUE;\n\n\tif (b > 0)\n\t\trect->bottom = b;\n\telse\n\t\tinvalid = TRUE;\n\n\tif (invalid)\n\t{\n\t\tWLog_DBG(TAG, \"Invisible rectangle %\" PRId64 \"x%\" PRId64 \"-%\" PRId64 \"x%\" PRId64, x, y, r,\n\t\t b);\n\t}\n}", "project": "FreeRDP", "hash": 61189896804485669784081172505842312170, "size": 26, "commit_id": "ce21b9d7ecd967e0bc98ed31a6b3757848aa6c9e", "message": "Fix CVE-2020-11523: clamp invalid rectangles to size 0\n\nThanks to Sunglin and HuanGMz from Knownsec 404", "target": 0, "dataset": "other", "idx": 462470 }, { "func": "INLINE BOOL gdi_CopyOverlap(INT32 x, INT32 y, INT32 width, INT32 height, INT32 srcx, INT32 srcy)\n{\n\tGDI_RECT dst;\n\tGDI_RECT src;\n\tgdi_CRgnToRect(x, y, width, height, &dst);\n\tgdi_CRgnToRect(srcx, srcy, width, height, &src);\n\treturn (dst.right >= src.left && dst.left <= src.right && dst.bottom >= src.top &&\n\t dst.top <= src.bottom)\n\t ? 
TRUE\n\t : FALSE;\n}", "project": "FreeRDP", "hash": 76708270201662566501891084675298056378, "size": 11, "commit_id": "ce21b9d7ecd967e0bc98ed31a6b3757848aa6c9e", "message": "Fix CVE-2020-11523: clamp invalid rectangles to size 0\n\nThanks to Sunglin and HuanGMz from Knownsec 404", "target": 0, "dataset": "other", "idx": 462468 }, { "func": "INLINE BOOL gdi_SetRgn(HGDI_RGN hRgn, INT32 nXLeft, INT32 nYLeft, INT32 nWidth, INT32 nHeight)\n{\n\thRgn->x = nXLeft;\n\thRgn->y = nYLeft;\n\thRgn->w = nWidth;\n\thRgn->h = nHeight;\n\thRgn->null = FALSE;\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 168615724484910871577766693455073713352, "size": 9, "commit_id": "ce21b9d7ecd967e0bc98ed31a6b3757848aa6c9e", "message": "Fix CVE-2020-11523: clamp invalid rectangles to size 0\n\nThanks to Sunglin and HuanGMz from Knownsec 404", "target": 0, "dataset": "other", "idx": 462473 }, { "func": "INLINE BOOL gdi_InvalidateRegion(HGDI_DC hdc, INT32 x, INT32 y, INT32 w, INT32 h)\n{\n\tGDI_RECT inv;\n\tGDI_RECT rgn;\n\tHGDI_RGN invalid;\n\tHGDI_RGN cinvalid;\n\n\tif (!hdc->hwnd)\n\t\treturn TRUE;\n\n\tif (!hdc->hwnd->invalid)\n\t\treturn TRUE;\n\n\tif (w == 0 || h == 0)\n\t\treturn TRUE;\n\n\tcinvalid = hdc->hwnd->cinvalid;\n\n\tif ((hdc->hwnd->ninvalid + 1) > (INT64)hdc->hwnd->count)\n\t{\n\t\tint new_cnt;\n\t\tHGDI_RGN new_rgn;\n\t\tnew_cnt = hdc->hwnd->count * 2;\n\t\tnew_rgn = (HGDI_RGN)realloc(cinvalid, sizeof(GDI_RGN) * new_cnt);\n\n\t\tif (!new_rgn)\n\t\t\treturn FALSE;\n\n\t\thdc->hwnd->count = new_cnt;\n\t\tcinvalid = new_rgn;\n\t}\n\n\tgdi_SetRgn(&cinvalid[hdc->hwnd->ninvalid++], x, y, w, h);\n\thdc->hwnd->cinvalid = cinvalid;\n\tinvalid = hdc->hwnd->invalid;\n\n\tif (invalid->null)\n\t{\n\t\tinvalid->x = x;\n\t\tinvalid->y = y;\n\t\tinvalid->w = w;\n\t\tinvalid->h = h;\n\t\tinvalid->null = FALSE;\n\t\treturn TRUE;\n\t}\n\n\tgdi_CRgnToRect(x, y, w, h, &rgn);\n\tgdi_RgnToRect(invalid, &inv);\n\n\tif (rgn.left < inv.left)\n\t\tinv.left = rgn.left;\n\n\tif (rgn.top < 
inv.top)\n\t\tinv.top = rgn.top;\n\n\tif (rgn.right > inv.right)\n\t\tinv.right = rgn.right;\n\n\tif (rgn.bottom > inv.bottom)\n\t\tinv.bottom = rgn.bottom;\n\n\tgdi_RectToRgn(&inv, invalid);\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 39755302717667709010632090006354316055, "size": 64, "commit_id": "ce21b9d7ecd967e0bc98ed31a6b3757848aa6c9e", "message": "Fix CVE-2020-11523: clamp invalid rectangles to size 0\n\nThanks to Sunglin and HuanGMz from Knownsec 404", "target": 0, "dataset": "other", "idx": 462466 }, { "func": "INLINE void gdi_RectToRgn(HGDI_RECT rect, HGDI_RGN rgn)\n{\n\trgn->x = rect->left;\n\trgn->y = rect->top;\n\trgn->w = rect->right - rect->left + 1;\n\trgn->h = rect->bottom - rect->top + 1;\n}", "project": "FreeRDP", "hash": 282322436390722434711482192909845070013, "size": 7, "commit_id": "ce21b9d7ecd967e0bc98ed31a6b3757848aa6c9e", "message": "Fix CVE-2020-11523: clamp invalid rectangles to size 0\n\nThanks to Sunglin and HuanGMz from Knownsec 404", "target": 0, "dataset": "other", "idx": 462482 }, { "func": "INLINE void gdi_RgnToRect(HGDI_RGN rgn, HGDI_RECT rect)\n{\n\trect->left = rgn->x;\n\trect->top = rgn->y;\n\trect->right = rgn->x + rgn->w - 1;\n\trect->bottom = rgn->y + rgn->h - 1;\n}", "project": "FreeRDP", "hash": 70141755543186839224009583300813485204, "size": 7, "commit_id": "ce21b9d7ecd967e0bc98ed31a6b3757848aa6c9e", "message": "Fix CVE-2020-11523: clamp invalid rectangles to size 0\n\nThanks to Sunglin and HuanGMz from Knownsec 404", "target": 0, "dataset": "other", "idx": 462474 } ] }, { "call_depth": 2, "longest_call_chain": [ "nfs4_xdr_enc_commit", "encode_commit" ], "group_size": 2, "functions": [ { "func": "static void encode_commit(struct xdr_stream *xdr, const struct nfs_commitargs *args, struct compound_hdr *hdr)\n{\n\t__be32 *p;\n\n\tencode_op_hdr(xdr, OP_COMMIT, decode_commit_maxsz, hdr);\n\tp = reserve_space(xdr, 12);\n\tp = xdr_encode_hyper(p, args->offset);\n\t*p = cpu_to_be32(args->count);\n}", "project": "linux", 
"hash": 322080463953781989834096307231376568348, "size": 9, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431366 }, { "func": "static void nfs4_xdr_enc_commit(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\tconst void *data)\n{\n\tconst struct nfs_commitargs *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = nfs4_xdr_minorversion(&args->seq_args),\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_sequence(xdr, &args->seq_args, &hdr);\n\tencode_putfh(xdr, args->fh, &hdr);\n\tencode_commit(xdr, args, &hdr);\n\tencode_nops(&hdr);\n}", "project": "linux", "hash": 26759693686374871672781085999406177913, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431429 } ] }, { "call_depth": 2, "longest_call_chain": [ "svm_hardware_enable", "has_svm" ], "group_size": 3, "functions": [ { "func": "static int has_svm(void)\n{\n\tconst char *msg;\n\n\tif (!cpu_has_svm(&msg)) {\n\t\tprintk(KERN_INFO \"has_svm: %s\\n\", msg);\n\t\treturn 0;\n\t}\n\n\treturn 1;\n}", "project": "linux", "hash": 57184997451680453473848324173508339649, "size": 11, "commit_id": 
"d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432524 }, { "func": "static int svm_hardware_enable(void)\n{\n\n\tstruct svm_cpu_data *sd;\n\tuint64_t efer;\n\tstruct desc_struct *gdt;\n\tint me = raw_smp_processor_id();\n\n\trdmsrl(MSR_EFER, efer);\n\tif (efer & EFER_SVME)\n\t\treturn -EBUSY;\n\n\tif (!has_svm()) {\n\t\tpr_err(\"%s: err EOPNOTSUPP on %d\\n\", __func__, me);\n\t\treturn -EINVAL;\n\t}\n\tsd = per_cpu(svm_data, me);\n\tif (!sd) {\n\t\tpr_err(\"%s: svm_data is NULL on %d\\n\", __func__, me);\n\t\treturn -EINVAL;\n\t}\n\n\tsd->asid_generation = 1;\n\tsd->max_asid = cpuid_ebx(SVM_CPUID_FUNC) - 1;\n\tsd->next_asid = sd->max_asid + 1;\n\tsd->min_asid = max_sev_asid + 1;\n\n\tgdt = get_current_gdt_rw();\n\tsd->tss_desc = (struct kvm_ldttss_desc *)(gdt + GDT_ENTRY_TSS);\n\n\twrmsrl(MSR_EFER, efer | EFER_SVME);\n\n\twrmsrl(MSR_VM_HSAVE_PA, page_to_pfn(sd->save_area) << PAGE_SHIFT);\n\n\tif (static_cpu_has(X86_FEATURE_TSCRATEMSR)) {\n\t\twrmsrl(MSR_AMD64_TSC_RATIO, TSC_RATIO_DEFAULT);\n\t\t__this_cpu_write(current_tsc_ratio, TSC_RATIO_DEFAULT);\n\t}\n\n\n\t/*\n\t * Get OSVW bits.\n\t *\n\t * Note that it is possible to have a system with mixed processor\n\t * revisions and therefore different OSVW bits. If bits are not the same\n\t * on different processors then choose the worst case (i.e. 
if erratum\n\t * is present on one processor and not on another then assume that the\n\t * erratum is present everywhere).\n\t */\n\tif (cpu_has(&boot_cpu_data, X86_FEATURE_OSVW)) {\n\t\tuint64_t len, status = 0;\n\t\tint err;\n\n\t\tlen = native_read_msr_safe(MSR_AMD64_OSVW_ID_LENGTH, &err);\n\t\tif (!err)\n\t\t\tstatus = native_read_msr_safe(MSR_AMD64_OSVW_STATUS,\n\t\t\t\t\t\t &err);\n\n\t\tif (err)\n\t\t\tosvw_status = osvw_len = 0;\n\t\telse {\n\t\t\tif (len < osvw_len)\n\t\t\t\tosvw_len = len;\n\t\t\tosvw_status |= status;\n\t\t\tosvw_status &= (1ULL << osvw_len) - 1;\n\t\t}\n\t} else\n\t\tosvw_status = osvw_len = 0;\n\n\tsvm_init_erratum_383();\n\n\tamd_pmu_enable_virt();\n\n\treturn 0;\n}", "project": "linux", "hash": 11330339317198700229563086205181817655, "size": 75, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432460 }, { "func": "static int svm_hardware_enable(void)\n{\n\n\tstruct svm_cpu_data *sd;\n\tuint64_t efer;\n\tstruct desc_ptr gdt_descr;\n\tstruct desc_struct *gdt;\n\tint me = raw_smp_processor_id();\n\n\trdmsrl(MSR_EFER, efer);\n\tif (efer & EFER_SVME)\n\t\treturn -EBUSY;\n\n\tif (!has_svm()) {\n\t\tpr_err(\"%s: err EOPNOTSUPP on %d\\n\", __func__, me);\n\t\treturn -EINVAL;\n\t}\n\tsd = per_cpu(svm_data, me);\n\tif (!sd) {\n\t\tpr_err(\"%s: svm_data is NULL on %d\\n\", __func__, me);\n\t\treturn -EINVAL;\n\t}\n\n\tsd->asid_generation = 1;\n\tsd->max_asid = cpuid_ebx(SVM_CPUID_FUNC) - 1;\n\tsd->next_asid = sd->max_asid + 1;\n\n\tnative_store_gdt(&gdt_descr);\n\tgdt = (struct desc_struct *)gdt_descr.address;\n\tsd->tss_desc = (struct kvm_ldttss_desc *)(gdt + GDT_ENTRY_TSS);\n\n\twrmsrl(MSR_EFER, efer | EFER_SVME);\n\n\twrmsrl(MSR_VM_HSAVE_PA, page_to_pfn(sd->save_area) << PAGE_SHIFT);\n\n\tif (static_cpu_has(X86_FEATURE_TSCRATEMSR)) {\n\t\twrmsrl(MSR_AMD64_TSC_RATIO, TSC_RATIO_DEFAULT);\n\t\t__this_cpu_write(current_tsc_ratio, TSC_RATIO_DEFAULT);\n\t}\n\n\n\t/*\n\t * Get OSVW bits.\n\t *\n\t * Note that it is possible to have a system with mixed processor\n\t * revisions and therefore different OSVW bits. If bits are not the same\n\t * on different processors then choose the worst case (i.e. 
if erratum\n\t * is present on one processor and not on another then assume that the\n\t * erratum is present everywhere).\n\t */\n\tif (cpu_has(&boot_cpu_data, X86_FEATURE_OSVW)) {\n\t\tuint64_t len, status = 0;\n\t\tint err;\n\n\t\tlen = native_read_msr_safe(MSR_AMD64_OSVW_ID_LENGTH, &err);\n\t\tif (!err)\n\t\t\tstatus = native_read_msr_safe(MSR_AMD64_OSVW_STATUS,\n\t\t\t\t\t\t &err);\n\n\t\tif (err)\n\t\t\tosvw_status = osvw_len = 0;\n\t\telse {\n\t\t\tif (len < osvw_len)\n\t\t\t\tosvw_len = len;\n\t\t\tosvw_status |= status;\n\t\t\tosvw_status &= (1ULL << osvw_len) - 1;\n\t\t}\n\t} else\n\t\tosvw_status = osvw_len = 0;\n\n\tsvm_init_erratum_383();\n\n\tamd_pmu_enable_virt();\n\n\treturn 0;\n}", "project": "kvm", "hash": 88661948458235124336122280363266684156, "size": 76, "commit_id": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "message": "KVM: x86: Check non-canonical addresses upon WRMSR\n\nUpon WRMSR, the CPU should inject #GP if a non-canonical value (address) is\nwritten to certain MSRs. The behavior is \"almost\" identical for AMD and Intel\n(ignoring MSRs that are not implemented in either architecture since they would\nanyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if\nnon-canonical address is written on Intel but not on AMD (which ignores the top\n32-bits).\n\nAccordingly, this patch injects a #GP on the MSRs which behave identically on\nIntel and AMD. 
To eliminate the differences between the architecutres, the\nvalue which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to\ncanonical value before writing instead of injecting a #GP.\n\nSome references from Intel and AMD manuals:\n\nAccording to Intel SDM description of WRMSR instruction #GP is expected on\nWRMSR \"If the source register contains a non-canonical address and ECX\nspecifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,\nIA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP.\"\n\nAccording to AMD manual instruction manual:\nLSTAR/CSTAR (SYSCALL): \"The WRMSR instruction loads the target RIP into the\nLSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical\nform, a general-protection exception (#GP) occurs.\"\nIA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): \"The address written to the\nbase field must be in canonical form or a #GP fault will occur.\"\nIA32_KERNEL_GS_BASE (SWAPGS): \"The address stored in the KernelGSbase MSR must\nbe in canonical form.\"\n\nThis patch fixes CVE-2014-3610.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Nadav Amit \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 437660 } ] }, { "call_depth": 7, "longest_call_chain": [ "jsi_ObjNew", "jsi_ValueDebugUpdate", "Jsi_ObjNew", "jsi_AllObjOp", "Jsi_ObjDecrRefCount", "Jsi_ObjFree", "Jsi_IterObjFree" ], "group_size": 364, "functions": [ { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 1, "func": "int Jsi_ObjArraySizer(Jsi_Interp *interp, Jsi_Obj *obj, uint len)\n{\n int nsiz = len + 1, mod = ALLOC_MOD_SIZE;\n assert(obj->isarrlist);\n if (mod>1)\n nsiz = nsiz + ((mod-1) - (nsiz + mod - 1)%mod);\n if (nsiz > MAX_ARRAY_LIST) {\n Jsi_LogError(\"array size too large\");\n return 0;\n }\n if (len >= obj->arrMaxSize) {\n int oldsz = (nsiz-obj->arrMaxSize);\n obj->arr = (Jsi_Value**)Jsi_Realloc(obj->arr, nsiz*sizeof(Jsi_Value*));\n 
memset(obj->arr+obj->arrMaxSize, 0, oldsz*sizeof(Jsi_Value*));\n obj->arrMaxSize = nsiz;\n }\n if (len>obj->arrCnt)\n obj->arrCnt = len;\n return nsiz;\n}", "idx": 217321, "cwe": "CWE-190", "hash": 172155516843930203788657327116633597249, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "int Jsi_ObjArraySizer(Jsi_Interp *interp, Jsi_Obj *obj, uint len)\n{\n uint nsiz = len + 1, mod = ALLOC_MOD_SIZE;\n assert(obj->isarrlist);\n if (mod>1)\n nsiz = nsiz + ((mod-1) - (nsiz + mod - 1)%mod);\n if (len >= interp->maxArrayList || nsiz > interp->maxArrayList) {\n Jsi_LogError(\"array size too big: %u >= %u\", len, interp->maxArrayList);\n return 0;\n }\n if (len >= obj->arrMaxSize) {\n int oldsz = (nsiz-obj->arrMaxSize);\n obj->arr = (Jsi_Value**)Jsi_Realloc(obj->arr, nsiz*sizeof(Jsi_Value*));\n memset(obj->arr+obj->arrMaxSize, 0, oldsz*sizeof(Jsi_Value*));\n obj->arrMaxSize = nsiz;\n }\n if (len>obj->arrCnt)\n obj->arrCnt = len;\n return nsiz;\n}", "idx": 520950, "cwe": "CWE-190", "hash": 185362943759358555372661991746152891573, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC jsi_csSetupEnum(Jsi_Interp *interp, Jsi_EnumSpec *sl, Jsi_FieldSpec *sf, Jsi_OptionTypedef* st) {\n bool isNew;\n int cnt = 0;\n if (Jsi_HashEntryFind(interp->CTypeHash, sl->name))\n return Jsi_LogError(\"enum is c-type: %s\", sl->name);\n Jsi_HashEntry *entry = Jsi_HashEntryNew(interp->EnumHash, sl->name, &isNew);\n if (!isNew)\n return Jsi_LogError(\"duplicate enum: %s\", sl->name);\n Jsi_HashValueSet(entry, sl);\n //Jsi_Number val = 0;\n sl->extData = (uchar*)sf;\n Jsi_Wide maxVal = 0, aval;\n while (sf && sf->id != JSI_OPTION_END) {\n sf->idx = cnt;\n Jsi_HashSet(interp->EnumItemHash, sf->name, sf);\n sf->extData = (uchar*)sl;\n aval = sf->value;\n if (aval<0) aval = -aval;\n if (aval>maxVal) maxVal = aval;\n sf++, cnt++;\n }\n 
Jsi_HashSet(interp->EnumHash, sl->name, sl);\n sl->idx = cnt;\n if (!sl->size) \n sl->size = cnt;\n if (!st) {\n st = (typeof(st))Jsi_Calloc(1, sizeof(*st));\n SIGINIT(st, TYPEDEF);\n }\n st->cName = sl->name;\n st->idName = \"CUSTOM\";\n st->id = JSI_OPTION_CUSTOM;\n st->size = jsi_NumWideBytes(aval);\n st->flags = jsi_CTYP_DYN_MEMORY|jsi_CTYP_ENUM;\n st->extData = (uchar*)sl;\n Jsi_HashSet(interp->CTypeHash, st->cName, st);\n return JSI_OK;\n}", "idx": 520878, "cwe": "CWE-190", "hash": 180806671873107458178509185930352980482, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataStructFieldConfCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr)\n{\n \n char *arg1 = Jsi_ValueArrayIndexToStr(interp, args, 0, NULL);\n Jsi_StructSpec *sf, *sl = jsi_csStructGet(interp, arg1);\n if (!sl)\n return Jsi_LogError(\"unknown struct: %s\", arg1);\n char *arg2 = Jsi_ValueArrayIndexToStr(interp, args, 1, NULL);\n if (!arg2 || !(sf = jsi_csFieldGet(interp, arg2, sl)))\n return Jsi_LogError(\"unknown field: %s\", arg2);\n return CDataOptionsConf(interp, StructFieldOptions, args, sf, ret, 0, 2);\n}", "idx": 520889, "cwe": "CWE-190", "hash": 62170257915672016024237948812028903521, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "int Jsi_ObjDecrRefCount(Jsi_Interp *interp, Jsi_Obj *obj) {\n // if (interp->cleanup && !jsi_AllObjOp(interp, obj, 2))\n // return 0;\n SIGASSERT(obj,OBJ);\n if (obj->refcnt<=0) {\n#ifdef JSI_MEM_DEBUG\n fprintf(stderr, \"Obj decr with ref %d: VD.Idx=%d\\n\", obj->refcnt, obj->VD.Idx);\n#endif\n return -2;\n }\n jsi_DebugObj(obj,\"Decr\", jsi_DebugValueCallIdx(), interp);\n int nref;\n if ((nref = --obj->refcnt) <= 0) {\n obj->refcnt = -1;\n Jsi_ObjFree(interp, obj);\n }\n return nref;\n}", "idx": 520917, "cwe": "CWE-190", "hash": 
56406942957259844303552517730834381112, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "Jsi_RC Jsi_ObjArrayAdd(Jsi_Interp *interp, Jsi_Obj *o, Jsi_Value *v)\n{\n if (o->isarrlist == 0)\n return JSI_ERROR;\n if (!o->arr)\n Jsi_ObjListifyArray(interp, o);\n int len = o->arrCnt;\n if (Jsi_ObjArraySizer(interp, o, len+1) <= 0)\n return JSI_ERROR;\n o->arr[len] = v;\n if (v)\n Jsi_IncrRefCount(interp, v);\n assert(o->arrCnt<=o->arrMaxSize);\n return JSI_OK;\n}", "idx": 520872, "cwe": "CWE-190", "hash": 150983515012304175617029522207139416761, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static int jsi_NumWideBytes(Jsi_Wide val) {\n if (val < 0x10000)\n return (val < 0x100 ? 1 : 2);\n return(val < 0x100000000L ? 4 : 8);\n}", "idx": 520893, "cwe": "CWE-190", "hash": 310023814410196988576084139426973171277, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataGetCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr)\n{\n UdcGet(cd, _this, funcPtr);\n uchar *dptr = NULL;\n Jsi_Value *karg = Jsi_ValueArrayIndex(interp, args, 0);\n char kbuf[BUFSIZ];\n void *key = kbuf;\n bool isNull = (!karg || Jsi_ValueIsNull(interp, karg));\n if (isNull) {\n if (cd->mapPtr || cd->arrSize>1)\n return Jsi_LogError(\"null key used with c-array/map\");\n } else {\n if (!cd->mapPtr && cd->arrSize<=0)\n return Jsi_LogError(\"must be array/map\");\n if (JSI_OK != jsi_csGetKey(interp, cd, karg, &key, sizeof(kbuf), 1))\n return JSI_ERROR;\n }\n\n dptr = (uchar*)cd->data;\n if (isNull) {\n } else if (cd->mapPtr) {\n Jsi_MapEntry *mPtr = Jsi_MapEntryFind(*cd->mapPtr, key);\n if (mPtr)\n dptr = (uchar*)Jsi_MapValueGet(mPtr);\n else\n return Jsi_LogError(\"arg 1: key not found [%s]\", Jsi_ValueToString(interp, karg, 
NULL));\n } /*else if (!cd->arrSize)\n return Jsi_LogError(\"arg 2: expected a c-array or map\");*/\n else {\n uint kind = (intptr_t)key;\n if (kind>=cd->arrSize)\n return Jsi_LogError(\"array index out of bounds: %d not in 0,%d\", kind, cd->arrSize-1);\n\n dptr = ((uchar*)cd->data) + cd->sl->size*kind;\n if (cd->isPtrs)\n dptr = ((uchar*)cd->data) + sizeof(void*)*kind;\n else if (cd->isPtr2) {\n dptr = (uchar*)(*(void**)dptr);\n dptr += sizeof(void*)*kind;\n }\n }\n int argc = Jsi_ValueGetLength(interp, args);\n if (argc > 2)\n return Jsi_LogError(\"expected 0 - 2 args\");\n Jsi_Value *arg2 = Jsi_ValueArrayIndex(interp, args, 1);\n return Jsi_OptionsConf(interp, (Jsi_OptionSpec*)cd->sf, dptr, arg2, ret, 0);\n}", "idx": 520866, "cwe": "CWE-190", "hash": 170461893658812638724484008682164181208, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "Jsi_Value *jsi_ObjValueNew(Jsi_Interp *interp)\n{\n return Jsi_ValueMakeObject(interp, NULL, Jsi_ObjNew(interp));\n}", "idx": 520871, "cwe": "CWE-190", "hash": 17932785035045602928251981018286570179, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataInfoCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr)\n{\n UdcGet(cd, _this, funcPtr);\n Jsi_StructSpec *sl = cd->sl;\n Jsi_DString dStr= {};\n const char *sptr = Jsi_DSPrintf(&dStr, \"{struct:\\\"%s\\\", label:\\\"%s\\\"}\", sl->name, cd->help?cd->help:\"\");\n Jsi_RC rc = JSI_ERROR;\n if (!sptr)\n return Jsi_LogError(\"format failed\");\n else\n rc = Jsi_JSONParse(interp, sptr, ret, 0);\n Jsi_DSFree(&dStr);\n if (rc != JSI_OK)\n return rc;\n Jsi_Obj *sobj;\n Jsi_Value *svalue;\n if (cd->sf) {\n sobj = Jsi_ObjNewType(interp, JSI_OT_ARRAY);\n svalue = Jsi_ValueMakeObject(interp, NULL, sobj);\n jsi_DumpOptionSpecs(interp, sobj,(Jsi_OptionSpec*) cd->sf);\n sobj = 
(*ret)->d.obj;\n Jsi_ObjInsert(interp, sobj, \"spec\", svalue, 0);\n }\n if (cd->slKey) {\n sobj = Jsi_ObjNewType(interp, JSI_OT_ARRAY);\n svalue = Jsi_ValueMakeObject(interp, NULL, sobj);\n jsi_DumpOptionSpecs(interp, sobj, (Jsi_OptionSpec*)cd->slKey);\n sobj = (*ret)->d.obj;\n Jsi_ObjInsert(interp, sobj, \"keySpec\", svalue, 0);\n } return JSI_OK;\n}", "idx": 520868, "cwe": "CWE-190", "hash": 19296980570225920851321897114926711315, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "void jsi_csInitType(Jsi_Interp *interp)\n{\n if (interp->CTypeHash->numEntries) return;\n bool isNew;\n Jsi_HashEntry *entry;\n const Jsi_OptionTypedef *tl;\n if (!interp->typeInit) {\n int i;\n for (i = JSI_OPTION_BOOL; i!=JSI_OPTION_END; i++) {\n tl = Jsi_OptionTypeInfo((Jsi_OptionId)i);\n entry = Jsi_HashEntryNew(interp->TYPEHash, tl->idName, &isNew);\n if (!isNew)\n Jsi_LogBug(\"duplicate type: %s\", tl->idName);\n Jsi_HashValueSet(entry, (void*)tl);\n if (tl->cName && tl->cName[0])\n Jsi_HashSet(interp->CTypeHash, tl->cName, (void*)tl);\n }\n }\n interp->typeInit = 1;\n}", "idx": 520859, "cwe": "CWE-190", "hash": 173424688923287701204340437114734089184, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC jsi_csObjFree(Jsi_Interp *interp, void *data)\n{\n CDataObj *cd = (CDataObj *)data;\n cd->sl->value--;\n if (cd->slKey)\n cd->slKey->value--;\n if (cd->isAlloc) {\n if (cd->mapPtr && *cd->mapPtr) {\n Jsi_MapDelete(*cd->mapPtr);\n *cd->mapPtr = NULL;\n }\n else if (cd->data) Jsi_Free(cd->data);\n }\n Jsi_Free(cd);\n return JSI_OK;\n}", "idx": 520941, "cwe": "CWE-190", "hash": 287140422127475396661398691319069854120, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataOptionsConf(Jsi_Interp *interp, Jsi_OptionSpec *specs, Jsi_Value *args,\n 
void *rec, Jsi_Value **ret, int flags, int skipArgs)\n{\n int argc = Jsi_ValueGetLength(interp, args);\n Jsi_Value *val;\n flags |= JSI_OPTS_IS_UPDATE;\n\n if (argc == skipArgs)\n return Jsi_OptionsDump(interp, specs, rec, ret, flags);\n val = Jsi_ValueArrayIndex(interp, args, skipArgs);\n Jsi_vtype vtyp = Jsi_ValueTypeGet(val);\n if (vtyp == JSI_VT_STRING) {\n char *str = Jsi_ValueString(interp, val, NULL);\n return Jsi_OptionsGet(interp, specs, rec, str, ret, flags);\n }\n if (vtyp != JSI_VT_OBJECT && vtyp != JSI_VT_NULL)\n return Jsi_LogError(\"expected string, object, or null\");\n if (Jsi_OptionsProcess(interp, specs, rec, val, JSI_OPTS_IS_UPDATE) < 0)\n return JSI_ERROR;\n return JSI_OK;\n}", "idx": 520900, "cwe": "CWE-190", "hash": 3671315512361847229444198412912385471, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataUnsetCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr)\n{\n UdcGet(cd, _this, funcPtr);\n Jsi_Value *arg2 = Jsi_ValueArrayIndex(interp, args, 0); \n char kbuf[BUFSIZ];\n void *key = kbuf;\n if (!cd->mapPtr && cd->arrSize<=0)\n return Jsi_LogError(\"can not call unset on non map/array\");\n if (JSI_OK != jsi_csGetKey(interp, cd, arg2, &key, sizeof(kbuf), 2)) {\n return JSI_ERROR;\n }\n uchar *dptr = NULL;\n Jsi_MapEntry *mPtr = Jsi_MapEntryFind(*cd->mapPtr, key);\n if (mPtr)\n dptr = (uchar*)Jsi_MapValueGet(mPtr);\n if (!dptr) {\n if (cd->keyType != JSI_KEYS_ONEWORD)\n return Jsi_LogError(\"no data in map: %s\", (char*)key);\n else\n return Jsi_LogError(\"no data in map: %p\", key);\n return JSI_ERROR;\n }\n Jsi_Free(dptr);\n Jsi_MapEntryDelete(mPtr);\n return JSI_OK;\n\n}", "idx": 520858, "cwe": "CWE-190", "hash": 108127813520794476421401979721172205048, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC 
CDataStructConfCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr)\n{\n \n char *arg1 = Jsi_ValueArrayIndexToStr(interp, args, 0, NULL);\n Jsi_StructSpec *sl = jsi_csStructGet(interp, arg1);\n if (!sl)\n return Jsi_LogError(\"unknown struct: %s\", arg1);\n return CDataOptionsConf(interp, StructOptions, args, sl, ret, 0, 1);\n}", "idx": 520869, "cwe": "CWE-190", "hash": 6508845903621632353494648331252457138, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "void Jsi_ObjSetLength(Jsi_Interp *interp, Jsi_Obj *obj, uint len)\n{\n if (obj->isarrlist) {\n assert(len<=obj->arrMaxSize);\n obj->arrCnt = len;\n return;\n }\n Jsi_Value *r = Jsi_TreeObjGetValue(obj,\"length\", 0);\n if (!r) {\n Jsi_Value *n = Jsi_ValueMakeNumber(interp, NULL, len);\n Jsi_ObjInsert(interp, obj, \"length\", n, JSI_OM_DONTDEL | JSI_OM_DONTENUM | JSI_OM_READONLY);\n } else {\n Jsi_ValueReset(interp, &r);\n Jsi_ValueMakeNumber(interp, &r, len);\n }\n}", "idx": 520890, "cwe": "CWE-190", "hash": 12363648785525660425819733327546436558, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataIncrCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr) {\n return CDataSetCmd_(interp, args, _this, ret, funcPtr, 2);\n}", "idx": 520911, "cwe": "CWE-190", "hash": 20427456467665741031094803024591376474, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC jsi_csGetKey(Jsi_Interp *interp, CDataObj *cd, Jsi_Value *arg, void **kPtr, size_t ksize, int anum)\n{\n void *kBuf = *kPtr;\n *kPtr = NULL;\n if (!arg)\n return Jsi_LogError(\"missing key arg\");;\n Jsi_Number nval = 0;\n switch (cd->keyType) {\n case JSI_KEYS_STRING:\n case JSI_KEYS_STRINGKEY:\n *kPtr = (void*)Jsi_ValueString(interp, 
arg, NULL);\n if (!*kPtr)\n return Jsi_LogError(\"arg %d: expected string key\", anum);\n break;\n case JSI_KEYS_ONEWORD:\n if (Jsi_ValueGetNumber(interp, arg, &nval) != JSI_OK)\n return Jsi_LogError(\"arg %d: expected number key\", anum);\n *kPtr = (void*)(uintptr_t)nval;\n break;\n default: {\n if (!cd->slKey) {\nbadkey:\n return Jsi_LogError(\"arg %d: expected struct key\", anum);\n }\n if (arg->vt == JSI_VT_OBJECT && arg->d.obj->ot == JSI_OT_OBJECT) {\n if (cd->slKey->size>ksize || !kBuf)\n goto badkey;\n memset(kBuf, 0, cd->slKey->size);\n if (Jsi_OptionsConf(interp, (Jsi_OptionSpec*)cd->keysf, kBuf, arg, NULL, 0) != JSI_OK)\n return JSI_ERROR;\n *kPtr = kBuf;\n } else\n return Jsi_LogError(\"arg %d: expected object key\", anum);\n }\n }\n return JSI_OK;\n}", "idx": 520897, "cwe": "CWE-190", "hash": 93581596782482220918433310715004606274, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "void Jsi_IterObjFree(Jsi_IterObj *iobj)\n{\n if (!iobj->isArrayList) {\n uint i;\n for (i = 0; i < iobj->count; i++) {\n if (iobj->keys[i]) {\n /*Jsi_TreeDecrRef(iobj->keys[i]); TODO: ??? 
*/\n }\n }\n Jsi_Free(iobj->keys);\n }\n Jsi_Free(iobj);\n}", "idx": 520883, "cwe": "CWE-190", "hash": 222693794829016445677937609576208232935, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC jsi_csStructInit(Jsi_StructSpec * sl, uchar * data)\n{\n /* Jsi_OptionSpec *sf; */\n assert(sl);\n if (!data) {\n fprintf(stderr, \"missing data at %s:%d\", __FILE__, __LINE__);\n return JSI_ERROR;\n }\n if (sl->custom)\n memcpy(data, sl->custom, sl->size);\n else if (sl->type && sl->type->extra)\n memcpy(data, sl->type->extra, sl->size);\n else\n memset(data, 0, sl->size);\n\n if (sl->ssig)\n *(Jsi_Sig *) data = sl->ssig;\n return JSI_OK;\n}", "idx": 520964, "cwe": "CWE-190", "hash": 109273764698931143048578533427636438353, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "Jsi_RC Jsi_ObjArraySet(Jsi_Interp *interp, Jsi_Obj *obj, Jsi_Value *value, int arrayindex)\n{\n int m, n = arrayindex;\n if (Jsi_ObjArraySizer(interp, obj, n) <= 0)\n return JSI_ERROR;\n if (obj->arr[n] == value)\n return JSI_OK;\n if (obj->arr[n])\n Jsi_DecrRefCount(interp, obj->arr[n]);\n Assert(obj->arrCnt<=obj->arrMaxSize);\n obj->arr[n] = value;\n if (value)\n Jsi_IncrRefCount(interp, value);\n m = Jsi_ObjGetLength(interp, obj);\n if ((n+1) > m)\n Jsi_ObjSetLength(interp, obj, n+1);\n return JSI_OK;\n}", "idx": 520920, "cwe": "CWE-190", "hash": 21330315444491481978862067791886142220, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "Jsi_RC Jsi_ValueInsertArray(Jsi_Interp *interp, Jsi_Value *target, int key, Jsi_Value *val, int flags)\n{\n if (target->vt != JSI_VT_OBJECT) {\n if (interp->strict)\n Jsi_LogWarn(\"Target is not object\");\n return JSI_ERROR;\n }\n Jsi_Obj *obj = target->d.obj;\n \n if (obj->isarrlist) {\n if (key >= 0 && (uint)key < interp->maxArrayList) {\n 
Jsi_ObjArraySet(interp, obj, val, key);\n return JSI_OK;\n }\n return JSI_ERROR;\n }\n char unibuf[JSI_MAX_NUMBER_STRING];\n Jsi_NumberItoA10(key, unibuf, sizeof(unibuf));\n Jsi_ObjInsert(interp, obj, unibuf, val, flags);\n return JSI_OK;\n}", "idx": 520948, "cwe": "CWE-190", "hash": 237167485202736884642501494747305511287, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC jsi_csSetupStruct(Jsi_Interp *interp, Jsi_StructSpec *sl, Jsi_FieldSpec *sf, \n Jsi_StructSpec* recs, int flen, Jsi_OptionTypedef** stPtr, int arrCnt) {\n bool isNew;\n int i, cnt = 0, boffset = 0;\n Jsi_HashEntry *entry, *hPtr;\n if (!(hPtr=Jsi_HashEntryNew(interp->CTypeHash, sl->name, &isNew)) || !isNew)\n return Jsi_LogError(\"struct is c-type: %s\", sl->name);\n entry = Jsi_HashEntryNew(interp->StructHash, sl->name, &isNew);\n if (!isNew)\n return Jsi_LogError(\"duplicate struct: %s\", sl->name);\n Jsi_FieldSpec *asf = NULL, *osf = sf;\n while (sf && sf->id != JSI_OPTION_END) {\n if (!sf->type)\n sf->type = Jsi_OptionTypeInfo(sf->id);\n if (!sf->type && sf->tname)\n sf->type = Jsi_TypeLookup(interp, sf->tname);\n int isbitset = ((sf->flags&JSI_OPT_BITSET_ENUM)!=0);\n if (sf->type && sf->type->extData && (sf->type->flags&(jsi_CTYP_ENUM|jsi_CTYP_STRUCT))) {\n // A struct sub-field or a bit field mapped to an ENUM.\n Jsi_OptionSpec *es = (typeof(es))sf->type->extData;\n es->value++;\n if ((sf->type->flags&jsi_CTYP_ENUM)) {\n if (sf->bits)\n return Jsi_LogError(\"enum of bits unsupported: %s\", sl->name); //TODO: get working again...\n sf->custom = (isbitset ? 
Jsi_Opt_SwitchBitset : Jsi_Opt_SwitchEnum);\n sf->data = (void*)es->data;\n sf->id = JSI_OPTION_CUSTOM;\n }\n else if (sf->type->flags & jsi_CTYP_STRUCT) {\n sf->custom = Jsi_Opt_SwitchSuboption;\n sf->data = es->extData;\n sf->id = JSI_OPTION_CUSTOM;\n }\n }\n if (recs) {\n if (!sf->type)\n return Jsi_LogError(\"unknown id\");\n sf->tname = sf->type->cName;\n sf->size = (isbitset?(int)sizeof(int):sf->type->size);\n if (sf->arrSize)\n sf->size *= sf->arrSize;\n sf->idx = cnt;\n sf->boffset = boffset;\n if (sf->bits) {\n if (sf->bits>=64)\n return Jsi_LogError(\"bits too large\");\n boffset += sf->bits;\n sf->id = JSI_OPTION_CUSTOM;\n sf->custom=Jsi_Opt_SwitchBitfield;\n sf->init.OPT_BITS=&jsi_csBitGetSet;\n } else {\n sf->offset = (boffset+7)/8;\n boffset += sf->size*8;\n }\n } else {\n boffset += sf->size*8;\n }\n sf->extData = (uchar*)sl;\n sf++, cnt++;\n }\n sl->idx = cnt;\n if (!sl->size) \n sl->size = (boffset+7)/8;\n if (sl->ssig)\n Jsi_HashSet(interp->SigHash, (void*)(uintptr_t)sl->ssig, sl);\n int extra = 0;\n if (flen)\n extra = sl->size + ((flen+2+arrCnt*2)*sizeof(Jsi_StructSpec));\n Jsi_OptionTypedef *st = (typeof(st))Jsi_Calloc(1, sizeof(*st) + extra);\n SIGINIT(st, TYPEDEF);\n if (!recs) \n sf = osf;\n else {\n st->extra = (uchar*)(st+1); // Space for struct initializer.\n sf = (typeof(sf))(st->extra + sl->size);\n memcpy(sf, recs, sizeof(*sf)*(flen+1));\n sl = sf+flen+1;\n if (arrCnt)\n asf = sl+1;\n memcpy(sl, recs+flen+1, sizeof(*sl));\n for (i=0; iid;\n if (sf[i].arrSize) {\n asf[0] = sf[i];\n asf[1] = sf[flen];\n asf->arrSize = asf->offset = 0;\n //asf->size = asf->type->size;\n sf[i].id = JSI_OPTION_CUSTOM;\n sf[i].custom=Jsi_Opt_SwitchCArray;\n sf[i].init.OPT_CARRAY = asf;\n asf += 2;\n //sf[i].extData = \n // {.sig=JSI_SIG_OPTS_FIELD, .name=sf[i].name, \n // JSI_OPT_CARRAY_ITEM_(JSI_SIG_OPTS_FIELD,'+otype+', '+name+', sf[i].name, .help=sf[i].help, .flags='+fflags+rest+'),\\n'\n // JSI_OPT_END_(JSI_SIG_OPTS_FIELD,'+name+', .help=\"Options for 
array field '+name+'.'+fname+'\")\\n };\\n\\n';\n // JSI_OPT_CARRAY_(JSI_SIG_OPTS_FIELD,'+name+', '+fname+', \"'+fdescr+'\", '+fflags+', '+arnam+', '+f.asize+', \"'+type+'\", '+csinit+'),\\n';\n }\n }\n }\n st->extData = (uchar*)sl;\n sl->extData = (uchar*)sf;\n sl->type = st;\n st->cName = sl->name;\n st->idName = \"CUSTOM\";\n st->id = JSI_OPTION_CUSTOM;\n st->size = sl->size;\n st->flags = jsi_CTYP_DYN_MEMORY|jsi_CTYP_STRUCT;\n Jsi_HashValueSet(entry, sl);\n Jsi_HashValueSet(hPtr, st);\n st->hPtr = hPtr;\n if (stPtr)\n *stPtr = st;\n return JSI_OK;\n}", "idx": 520902, "cwe": "CWE-190", "hash": 6671780104289539364966885547442197421, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "Jsi_Obj * Jsi_ObjNew(Jsi_Interp *interp) {\n Jsi_Obj *obj = jsi_ObjNew_(interp);\n jsi_AllObjOp(interp, obj, 1);\n return obj;\n}", "idx": 520947, "cwe": "CWE-190", "hash": 320048887260729906280236716395416084537, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "int Jsi_ObjGetLength(Jsi_Interp *interp, Jsi_Obj *obj)\n{\n if (obj->tree && obj->tree->numEntries) {\n Jsi_Value *r = Jsi_TreeObjGetValue(obj, \"length\", 0);\n Jsi_Number nr;\n if (r && Jsi_GetNumberFromValue(interp,r, &nr) == JSI_OK) {\n if (Jsi_NumberIsInteger(nr))\n return nr;\n }\n }\n if (obj->arr)\n return obj->arrCnt;\n\n return 0;\n}", "idx": 520945, "cwe": "CWE-190", "hash": 292870823408908776521355798157895900105, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_FieldSpec* jsi_csStructFields(Jsi_Interp *interp, const char *name) {\n Jsi_StructSpec* sp = jsi_csStructGet(interp, name);\n if (!sp)\n return NULL;\n return jsi_csGetFieldSpec(sp->extData);\n}", "idx": 520938, "cwe": "CWE-190", "hash": 155765814590432916094183403986363841334, "dataset": "other" }, { "project": "jsish", 
"commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "Jsi_Obj *Jsi_ObjNew(Jsi_Interp *interp) {\n Jsi_Obj* obj = jsi_ObjNew_(interp);\n#ifdef JSI_MEM_DEBUG\n jsi_ValueDebugUpdate(interp, obj, objDebugTbl, NULL, 0, NULL);\n#endif\n jsi_AllObjOp(interp, obj, 1);\n return obj;\n}", "idx": 520921, "cwe": "CWE-190", "hash": 284019227864492442560611441970764661313, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataTypeNamesCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr)\n{\n \n jsi_csInitType(interp);\n int argc = Jsi_ValueGetLength(interp, args);\n return Jsi_HashKeysDump(interp, (argc?interp->CTypeHash:interp->TYPEHash), ret, 0);\n}", "idx": 520961, "cwe": "CWE-190", "hash": 147630722789096756541196668931086135872, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataConstructor(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr)\n{\n Jsi_Value *that = _this;\n Jsi_Obj *nobj;\n \n if (!Jsi_FunctionIsConstructor(funcPtr)) {\n Jsi_Obj *o = Jsi_ObjNew(interp);\n Jsi_PrototypeObjSet(interp, \"CData\", o);\n Jsi_ValueMakeObject(interp, ret, o);\n that = *ret;\n }\n\n CDataObj *cd = (typeof(cd))Jsi_Calloc(1,sizeof(*cd));\n cd->interp = interp;\n Jsi_Value *val = Jsi_ValueArrayIndex(interp, args, 0);\n Jsi_vtype vtyp = Jsi_ValueTypeGet(val);\n int vlen, isNew = 0;\n const char *vstr = Jsi_ValueString(interp, val, &vlen);\n Jsi_DString dStr = {};\n Jsi_Value *ival = Jsi_ValueArrayIndex(interp, args, 1);\n if (ival && Jsi_ValueIsUndef(interp, ival))\n ival = NULL;\n else if (ival && !Jsi_ValueIsObjType(interp, ival, JSI_OT_OBJECT))\n return Jsi_LogError(\"arg 2: expected object or undef\");\n if (vstr && vlen) {\n char ech = 0;\n const char *nstr = vstr, *cp = vstr;\n while (*cp && 
(isalnum(*cp) || *cp=='_')) cp++;\n if (*cp) {\n int slen = cp-vstr;\n Jsi_DString sStr = {};\n nstr = Jsi_DSAppendLen(&dStr, vstr, slen);\n if (*cp == '[')\n ech = ']';\n else if (*cp == '{')\n ech = '}';\n if (!ech || vstr[vlen-1] != ech) {\n Jsi_LogError(\"malformed var form is not: STRUCT, STRUCT{...}, STRUCT[...]\");\n goto errout;\n }\n //cp++;\n cd->varParam = Jsi_KeyAdd(interp, Jsi_DSAppendLen(&sStr, cp, vlen-slen));\n }\n cd->structName = Jsi_KeyAdd(interp, nstr);\n val = NULL;\n } else if (vtyp != JSI_VT_OBJECT) {\n Jsi_LogError(\"expected string, object\");\n goto errout;\n }\n if (val && Jsi_OptionsProcess(interp, CDataOptions, cd, val, 0) < 0)\n goto errout;\n\n if (ival && (cd->mapPtr || cd->arrSize)) {\n Jsi_LogError(\"init can not be used with c-array/map\");\n goto errout;\n }\n \n if (JSI_OK != jsi_csNewCData(interp, cd, JSI_OPT_NO_SIG))\n goto errout;\n\n if (ival) {\n interp->callerErr = 1;\n Jsi_RC rc = Jsi_OptionsConf(interp, (Jsi_OptionSpec*)cd->sf, cd->data, ival, ret, 0);\n interp->callerErr = 0;\n if (rc != JSI_OK) {\n isNew = 1;\n goto errout;\n }\n }\n \n nobj = (Jsi_Obj*)Jsi_ValueGetObj(interp, that);\n cd->objId = Jsi_UserObjNew(interp, &cdataobject, nobj, cd);\n if (cd->objId<0) {\n goto errout;\n }\n cd->fobj = nobj;\n return JSI_OK;\n \nerrout:\n Jsi_DSFree(&dStr);\n Jsi_OptionsFree(interp, CDataOptions, cd, 0);\n if (isNew)\n jsi_csObjFree(interp, cd);\n else\n Jsi_Free(cd);\n return JSI_ERROR;\n\n}", "idx": 520909, "cwe": "CWE-190", "hash": 61038997857020927733959685697981521304, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "void Jsi_ObjListifyArray(Jsi_Interp *interp, Jsi_Obj *obj)\n{\n if (!obj->isarrlist) {\n Jsi_LogBug(\"Can not listify a non-array\");\n return;\n }\n if (obj->arr) return;\n Jsi_TreeWalk(obj->tree, ObjListifyCallback, obj, 0);\n\n do {\n interp->delRBCnt = 0;\n Jsi_TreeWalk(obj->tree, ObjListifyArrayCallback, obj, 0);\n } while 
(interp->delRBCnt);\n}", "idx": 520901, "cwe": "CWE-190", "hash": 189327903429812222504615267749703820608, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "Jsi_Obj * jsi_ObjNew(Jsi_Interp *interp, const char *fname, int line, const char *func) {\n Jsi_Obj *obj = jsi_ObjNew_(interp);\n jsi_ValueDebugUpdate(interp, obj, objDebugTbl, fname, line, func);\n jsi_AllObjOp(interp, obj, 1);\n return obj;\n}", "idx": 520877, "cwe": "CWE-190", "hash": 22602536578097940628839596425135394989, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static void jsi_csInitStructTables(Jsi_Interp *interp)\n{\n Jsi_StructSpec *sf, *sl = interp->statics->structs;\n while (sl && sl->name) {\n sf = (typeof(sf))sl->data;\n jsi_csSetupStruct(interp, sl, sf, NULL, 0, NULL, 0);\n sl++;\n }\n}", "idx": 520931, "cwe": "CWE-190", "hash": 199232441963552792749224657585876009054, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataEnumConfCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr)\n{\n \n Jsi_EnumSpec *sl;\n char *arg1 = Jsi_ValueArrayIndexToStr(interp, args, 0, NULL);\n if (!(sl = jsi_csEnumGet(interp, arg1)))\n return Jsi_LogError(\"unknown enum: %s\", arg1);\n return CDataOptionsConf(interp, EnumOptions, args, sl, ret, 0, 1);\n}", "idx": 520957, "cwe": "CWE-190", "hash": 124223584336560639825569408472068251585, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataConfCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr)\n{\n UdcGet(cd, _this, funcPtr);\n return CDataOptionsConf(interp, CDataOptions, args, cd, ret, 0, 0);\n}", "idx": 520928, "cwe": "CWE-190", "hash": 
147216812375596661638032688934425347928, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "int jsi_AllObjOp(Jsi_Interp *interp, Jsi_Obj* obj, int op) {\n if (op==2) {\n Jsi_Obj* o = interp->allObjs;\n while (o) {\n if (o==obj) return 1;\n o = o->next;\n }\n return 0;\n }\n if (op==1) {\n //printf(\"ADD: %p : %p : %d\\n\", interp, obj, obj->VD.Idx);\n assert(interp->allObjs!=obj);\n obj->next = interp->allObjs;\n if (interp->allObjs)\n interp->allObjs->prev = obj;\n interp->allObjs = obj;\n return 0;\n }\n if (op==0) {\n //printf(\"DEL: %p : %p\\n\", interp, obj);\n if (!obj || !interp->allObjs) return 0;\n if (obj == interp->allObjs)\n interp->allObjs = obj->next;\n if (obj->next)\n obj->next->prev = obj->prev;\n if (obj->prev) \n obj->prev->next = obj->next; \n return 0;\n }\n if (op == -1) {\n // TODO: fix cleanup for recursive bug, eg: x=[]; x.push(x);\n // Perhaps use python approach??: http://www.arctrix.com/nas/python/gc/\n while (0 && interp->allObjs) {\n printf(\"NEED CLEANUP: %p\\n\", interp->allObjs);\n Jsi_ObjDecrRefCount(interp, interp->allObjs);\n }\n return 0;\n }\n#if JSI__MEMDEBUG\n assert(0);\n abort();\n#endif\n return 0;\n}", "idx": 520899, "cwe": "CWE-190", "hash": 22738373817916249246474188054072224425, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC jsi_ArrayFlatSub(Jsi_Interp *interp, Jsi_Obj* nobj, Jsi_Value *arr, int depth) {\n \n int i, n = 0, len = jsi_SizeOfArray(interp, arr->d.obj);\n if (len <= 0) return JSI_OK;\n Jsi_RC rc = JSI_OK;\n int clen = jsi_SizeOfArray(interp, nobj);\n for (i = 0; i < len && rc == JSI_OK; i++) {\n Jsi_Value *t = Jsi_ValueArrayIndex(interp, arr, i);\n if (t && depth>0 && Jsi_ValueIsArray(interp, t))\n rc = jsi_ArrayFlatSub(interp, nobj, t , depth-1);\n else if (!Jsi_ValueIsUndef(interp, t))\n Jsi_ObjArrayAdd(interp, nobj, t);\n if ((uint)(++n + 
clen)>interp->maxArrayList)\n return Jsi_LogError(\"array size exceeded\");\n }\n return rc;\n}", "idx": 520949, "cwe": "CWE-190", "hash": 41607345411191242660683694504578815418, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC ObjListifyCallback(Jsi_Tree *tree, Jsi_TreeEntry *hPtr, void *data)\n{\n Jsi_Interp *interp = tree->opts.interp;\n Jsi_Obj *obj = (Jsi_Obj*)data;\n int n;\n if (!hPtr->f.bits.dontenum) {\n char *ep = NULL, *cp = (char*)Jsi_TreeKeyGet(hPtr);\n if (!cp || !isdigit(*cp))\n return JSI_OK;\n n = (int)strtol(cp, &ep, 0);\n if (n<0 || (uint)n >= interp->maxArrayList)\n return JSI_OK;\n hPtr->f.bits.isarrlist = 1;\n if (Jsi_ObjArraySizer(interp, obj, n) <= 0) \n return Jsi_LogError(\"too long\");\n obj->arr[n] = (Jsi_Value*)Jsi_TreeValueGet(hPtr);\n // obj->arrCnt++;\n }\n return JSI_OK;\n}", "idx": 520943, "cwe": "CWE-190", "hash": 158044502359559896305619380574731661209, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataEnumFieldConfCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr)\n{\n \n Jsi_EnumSpec *ei, *sf;\n char *arg1 = Jsi_ValueArrayIndexToStr(interp, args, 0, NULL);\n if (!(sf = jsi_csEnumGet(interp, arg1)))\n return Jsi_LogError(\"unknown enum item: %s\", arg1);\n ei = 0;\n char *arg2 = Jsi_ValueArrayIndexToStr(interp, args, 1, NULL);\n if (!(ei = jsi_csEnumGetItem(interp, arg2, sf)))\n return JSI_OK;\n\n return CDataOptionsConf(interp, EnumFieldOptions, args, ei, ret, 0, 2);\n}", "idx": 520922, "cwe": "CWE-190", "hash": 139508763001212177773375169075584262359, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataStructSchemaCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr) {\n 
char *arg1 = Jsi_ValueArrayIndexToStr(interp, args, 0, NULL);\n Jsi_StructSpec *sf = jsi_csStructFields(interp, arg1);\n\n if (!sf)\n return Jsi_LogError(\"unkown struct: %s\", arg1);;\n\n Jsi_DString dStr = {};\n Jsi_OptionsData(interp, (Jsi_OptionSpec*)sf, &dStr, 1);\n Jsi_ValueFromDS(interp, &dStr, ret);\n Jsi_DSFree(&dStr);\n return JSI_OK;\n}", "idx": 520926, "cwe": "CWE-190", "hash": 84634184256951815307985206529457626780, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_Interp* jsi_InterpNew(Jsi_Interp *parent, Jsi_Value *opts, Jsi_InterpOpts *iopts)\n{\n Jsi_Interp* interp;\n if (parent && parent->noSubInterps) {\n interp = parent;\n Jsi_LogError(\"subinterps disallowed\");\n return NULL;\n }\n if (opts && parent && (Jsi_ValueIsObjType(parent, opts, JSI_OT_OBJECT)==0 ||\n Jsi_TreeSize(opts->d.obj->tree)<=0))\n opts = NULL;\n interp = (Jsi_Interp *)Jsi_Calloc(1,sizeof(*interp) + sizeof(jsi_Frame));\n interp->framePtr = (jsi_Frame*)(((uchar*)interp)+sizeof(*interp));\n if (!parent)\n interp->maxInterpDepth = JSI_MAX_SUBINTERP_DEPTH;\n else {\n interp->maxInterpDepth = parent->maxInterpDepth;\n interp->interpDepth = parent->interpDepth+1;\n if (interp->interpDepth > interp->maxInterpDepth) {\n Jsi_Free(interp);\n interp = parent;\n Jsi_LogError(\"exceeded max subinterp depth\");\n return NULL;\n }\n }\n interp->maxDepth = JSI_MAX_EVAL_DEPTH;\n interp->maxIncDepth = JSI_MAX_INCLUDE_DEPTH;\n interp->maxArrayList = MAX_ARRAY_LIST;\n interp->typeWarnMax = 50;\n interp->subOpts.dblPrec = __DBL_DECIMAL_DIG__-1;\n interp->subOpts.prompt = \"$ \";\n interp->subOpts.prompt2 = \"> \";\n\n int iocnt;\n if (iopts) {\n iopts->interp = interp;\n interp->opts = *iopts;\n }\n interp->logOpts.file = 1;\n interp->logOpts.func = 1;\n interp->logOpts.Info = 1;\n interp->logOpts.Warn = 1;\n interp->logOpts.Error = 1;\n int argc = interp->opts.argc;\n char **argv = interp->opts.argv;\n char *argv0 
= (argv?argv[0]:NULL);\n interp->parent = parent;\n interp->topInterp = (parent == NULL ? interp: parent->topInterp);\n if (jsiIntData.mainInterp == NULL)\n jsiIntData.mainInterp = interp->topInterp;\n interp->mainInterp = jsiIntData.mainInterp; // The first interps handles exit.\n interp->memDebug = interp->opts.mem_debug;\n if (parent) {\n interp->dbPtr = parent->dbPtr;\n } else {\n interp->dbPtr = &interp->dbStatic;\n }\n#ifdef JSI_MEM_DEBUG\n if (!interp->dbPtr->valueDebugTbl) {\n interp->dbPtr->valueDebugTbl = Jsi_HashNew(interp, JSI_KEYS_ONEWORD, NULL);\n interp->dbPtr->objDebugTbl = Jsi_HashNew(interp, JSI_KEYS_ONEWORD, NULL);\n }\n#endif\n if (parent) {\n if (parent->pkgDirs)\n interp->pkgDirs = Jsi_ValueDupJSON(interp, parent->pkgDirs);\n } else {\n#ifdef JSI_PKG_DIRS\n interp->pkgDirs = Jsi_StringSplit(interp, JSI_PKG_DIRS, \",\");\n Jsi_IncrRefCount(interp, interp->pkgDirs);\n#endif\n }\n#ifdef JSI_USE_COMPAT\n interp->compat = JSI_USE_COMPAT;\n#endif\n#ifndef JSI_CONF_ARGS\n#define JSI_CONF_ARGS \"\"\n#endif\n interp->confArgs = JSI_CONF_ARGS;\n for (iocnt = 1; (iocnt+1)memDebug=strtol(aio2+sizeof(\"memDebug\"), NULL, 0);\n else if (!Jsi_Strncmp(\"compat\", aio2, sizeof(\"compat\")))\n interp->subOpts.compat=strtol(aio2+sizeof(\"compat\"), NULL, 0);\n continue;\n }\n break;\n }\n SIGINIT(interp,INTERP);\n interp->NullValue = Jsi_ValueNewNull(interp);\n Jsi_IncrRefCount(interp, interp->NullValue);\n#ifdef __WIN32\n Jsi_DString cwdStr;\n Jsi_DSInit(&cwdStr);\n interp->curDir = Jsi_Strdup(Jsi_GetCwd(interp, &cwdStr));\n Jsi_DSFree(&cwdStr);\n#else\n char buf[JSI_BUFSIZ];\n interp->curDir = getcwd(buf, sizeof(buf));\n interp->curDir = Jsi_Strdup(interp->curDir?interp->curDir:\".\");\n#endif\n interp->onDeleteTbl = Jsi_HashNew(interp, JSI_KEYS_ONEWORD, freeOnDeleteTbl);\n interp->assocTbl = Jsi_HashNew(interp, JSI_KEYS_STRING, freeAssocTbl);\n interp->cmdSpecTbl = Jsi_MapNew(interp, JSI_MAP_TREE, JSI_KEYS_STRING, freeCmdSpecTbl);\n interp->eventTbl = 
Jsi_HashNew(interp, JSI_KEYS_ONEWORD, freeEventTbl);\n interp->fileTbl = Jsi_HashNew(interp, JSI_KEYS_STRING, jsi_HashFree);\n interp->funcObjTbl = Jsi_HashNew(interp, JSI_KEYS_ONEWORD, freeFuncObjTbl);\n interp->funcsTbl = Jsi_HashNew(interp, JSI_KEYS_ONEWORD, freeFuncsTbl);\n interp->bindTbl = Jsi_HashNew(interp, JSI_KEYS_ONEWORD, freeBindObjTbl);\n interp->protoTbl = Jsi_HashNew(interp, JSI_KEYS_STRING, NULL/*freeValueTbl*/);\n interp->regexpTbl = Jsi_HashNew(interp, JSI_KEYS_STRING, regExpFree);\n interp->preserveTbl = Jsi_HashNew(interp, JSI_KEYS_ONEWORD, jsi_HashFree);\n interp->loadTbl = (parent?parent->loadTbl:Jsi_HashNew(interp, JSI_KEYS_STRING, jsi_FreeOneLoadHandle));\n interp->packageHash = Jsi_HashNew(interp, JSI_KEYS_STRING, packageHashFree);\n interp->aliasHash = Jsi_HashNew(interp, JSI_KEYS_STRING, jsi_AliasFree);\n\n interp->lockTimeout = -1;\n#ifdef JSI_LOCK_TIMEOUT\n interp->lockTimeout JSI_LOCK_TIMEOUT;\n#endif\n#ifndef JSI_DO_UNLOCK\n#define JSI_DO_UNLOCK 1\n#endif\n interp->subOpts.mutexUnlock = JSI_DO_UNLOCK;\n Jsi_Map_Type mapType = JSI_MAP_HASH;\n#ifdef JSI_USE_MANY_STRKEY\n mapType = JSI_MAP_TREE;\n#endif\n\n if (interp == jsiIntData.mainInterp || interp->threadId != jsiIntData.mainInterp->threadId) {\n interp->strKeyTbl = Jsi_MapNew(interp, mapType, JSI_KEYS_STRING, NULL);\n interp->subOpts.privKeys = 1;\n }\n // Handle interp options: -T value and -Ixxx value\n for (iocnt = 1; (iocnt+1)parent; iocnt+=2)\n {\n const char *aio = argv[iocnt];\n if (Jsi_Strcmp(aio, \"--F\") == 0) {\n interp->traceCall |= (jsi_callTraceFuncs |jsi_callTraceArgs |jsi_callTraceReturn | jsi_callTraceBefore | jsi_callTraceFullPath);\n iocnt--;\n interp->iskips++;\n continue;\n }\n if (Jsi_Strcmp(aio, \"--U\") == 0) {\n interp->asserts = 1;\n interp->unitTest = 1;\n iocnt--;\n interp->iskips++;\n continue;\n }\n if (Jsi_Strcmp(aio, \"--V\") == 0) {\n interp->asserts = 1;\n interp->unitTest = 5;\n interp->tracePuts = 1;\n iocnt--;\n interp->iskips++;\n continue;\n 
}\n if (Jsi_Strcmp(aio, \"--C\") == 0) {\n if (interp->confFile)\n Jsi_LogWarn(\"overriding confFile: %s\", interp->confFile);\n interp->confFile = argv[iocnt+1];\n interp->iskips+=2;\n continue;\n }\n if (Jsi_Strcmp(aio, \"--L\") == 0) {\n struct stat sb;\n const char* path = argv[iocnt+1]; //TODO: convert to Jsi_Value first?\n if (!path || stat(path, &sb)\n || !((S_ISREG(sb.st_mode) && !access(path, W_OK)) || (S_ISDIR(sb.st_mode) && !access(path, X_OK)))) {\n Jsi_LogError(\"Lockdown path must exist and be a writable file or executable dir: %s\", path);\n Jsi_InterpDelete(interp);\n return NULL;\n }\n interp->isSafe = true;\n interp->safeMode = jsi_safe_Lockdown;\n if (interp->safeWriteDirs) {\n Jsi_LogWarn(\"Overriding safeWriteDirs\");\n Jsi_DecrRefCount(interp, interp->safeWriteDirs);\n }\n const char *vda[2] = {};\n char npath[PATH_MAX];\n vda[0] = Jsi_FileRealpathStr(interp, path, npath);\n interp->safeWriteDirs = Jsi_ValueNewArray(interp, vda, 1);\n Jsi_IncrRefCount(interp, interp->safeWriteDirs);\n if (!interp->safeReadDirs) {\n interp->safeReadDirs = interp->safeWriteDirs;\n Jsi_IncrRefCount(interp, interp->safeReadDirs);\n }\n interp->iskips+=2;\n continue;\n }\n if (Jsi_Strcmp(aio, \"--T\") == 0) {\n if (jsi_ParseTypeCheckStr(interp, argv[iocnt+1]) != JSI_OK) {\n Jsi_InterpDelete(interp);\n return NULL;\n }\n interp->iskips+=2;\n continue;\n }\n if (!Jsi_Strcmp(aio, \"--I\")) {\n bool bv = 1;\n char *aio2 = argv[iocnt+1], *aioc = Jsi_Strchr(aio2, ':'),\n argNamS[50], *argNam = aio2;\n const char *argVal;\n if (!Jsi_Strcmp(\"traceCall\", aio2))\n interp->traceCall |= (jsi_callTraceFuncs |jsi_callTraceArgs |jsi_callTraceReturn | jsi_callTraceBefore | jsi_callTraceFullPath);\n else {\n if (aioc) {\n argNam = argNamS;\n argVal = aioc+1;\n snprintf(argNamS, sizeof(argNamS), \"%.*s\", (int)(aioc-aio2), aio2);\n }\n \n DECL_VALINIT(argV);\n Jsi_Value *argValue = &argV;\n Jsi_Number dv;\n if (!aioc || Jsi_GetBool(interp, argVal, &bv) == JSI_OK) {\n 
Jsi_ValueMakeBool(interp, &argValue, bv);\n } else if (!Jsi_Strcmp(\"null\", argVal)) {\n Jsi_ValueMakeNull(interp, &argValue);\n } else if (Jsi_GetDouble(interp, argVal, &dv) == JSI_OK) {\n Jsi_ValueMakeNumber(interp, &argValue, dv);\n } else {\n Jsi_ValueMakeStringKey(interp, &argValue, argVal);\n }\n if (JSI_OK != Jsi_OptionsSet(interp, InterpOptions, interp, argNam, argValue, 0)) {\n Jsi_InterpDelete(interp);\n return NULL;\n }\n }\n interp->iskips+=2;\n continue;\n }\n break;\n }\n if (!interp->strKeyTbl)\n interp->strKeyTbl = jsiIntData.mainInterp->strKeyTbl;\n if (opts) {\n interp->inopts = opts = Jsi_ValueDupJSON(interp, opts);\n if (Jsi_OptionsProcess(interp, InterpOptions, interp, opts, 0) < 0) {\n Jsi_DecrRefCount(interp, opts);\n interp->inopts = NULL;\n Jsi_InterpDelete(interp);\n return NULL;\n }\n }\n if (interp == jsiIntData.mainInterp) {\n interp->subthread = 0;\n } else {\n if (opts) {\n if (interp->subOpts.privKeys && interp->strKeyTbl == jsiIntData.mainInterp->strKeyTbl) {\n //Jsi_HashDelete(interp->strKeyTbl);\n Jsi_OptionsFree(interp, InterpOptions, interp, 0); /* Reparse options to populate new key table. */\n interp->strKeyTbl = Jsi_MapNew(interp, mapType, JSI_KEYS_STRING, NULL);\n if (opts->vt != JSI_VT_NULL) Jsi_OptionsProcess(interp, InterpOptions, interp, opts, 0);\n } else if (interp->subOpts.privKeys == 0 && interp->strKeyTbl != jsiIntData.mainInterp->strKeyTbl) {\n Jsi_OptionsFree(interp, InterpOptions, interp, 0); /* Reparse options to populate new key table. 
*/\n Jsi_MapDelete(interp->strKeyTbl);\n interp->strKeyTbl = jsiIntData.mainInterp->strKeyTbl;\n if (opts->vt != JSI_VT_NULL) Jsi_OptionsProcess(interp, InterpOptions, interp, opts, 0);\n }\n }\n if (parent && parent->isSafe) {\n interp->isSafe = 1;\n interp->safeMode = parent->safeMode;\n }\n if (interp->subthread && interp->isSafe) {\n interp->subthread = 0;\n Jsi_LogError(\"threading disallowed in safe mode\");\n Jsi_InterpDelete(interp);\n return NULL;\n }\n if (interp->subthread)\n jsiIntData.mainInterp->threadCnt++;\n if (interp->subthread && interp->strKeyTbl == jsiIntData.mainInterp->strKeyTbl)\n jsiIntData.mainInterp->threadShrCnt++;\n if (jsiIntData.mainInterp->threadShrCnt)\n#ifdef JSI_USE_MANY_STRKEY\n jsiIntData.mainInterp->strKeyTbl->v.tree->opts.lockTreeProc = KeyLockerTree;\n#else\n jsiIntData.mainInterp->strKeyTbl->v.hash->opts.lockHashProc = KeyLocker;\n#endif\n }\n if (parent && parent->isSafe) {\n interp->isSafe = 1;\n interp->safeMode = parent->safeMode;\n interp->maxOpCnt = parent->maxOpCnt;\n if (interp->safeWriteDirs || interp->safeReadDirs || interp->safeExecPattern) {\n Jsi_LogWarn(\"ignoring safe* options in safe sub-sub-interp\");\n if (interp->safeWriteDirs) Jsi_DecrRefCount(interp, interp->safeWriteDirs);\n if (interp->safeReadDirs) Jsi_DecrRefCount(interp, interp->safeReadDirs);\n interp->safeWriteDirs = interp->safeReadDirs = NULL;\n interp->safeExecPattern = NULL;\n }\n }\n\n jsi_InterpConfFiles(interp);\n if (!interp->udata) {\n interp->udata = Jsi_ValueNewObj(interp, NULL);\n Jsi_IncrRefCount(interp, interp->udata);\n }\n if (interp->subthread && !interp->scriptStr && !interp->scriptFile) {\n Jsi_LogError(\"subthread interp must be specify either scriptFile or scriptStr\");\n Jsi_InterpDelete(interp);\n return NULL;\n }\n#ifndef JSI_MEM_DEBUG\n static int warnNoDebug = 0;\n if (interp->memDebug && warnNoDebug == 0) {\n Jsi_LogWarn(\"ignoring memDebug as jsi was compiled without memory debugging\");\n warnNoDebug = 1;\n }\n#endif\n 
interp->threadId = Jsi_CurrentThread();\n if (interp->parent && interp->subthread==0 && interp->threadId != interp->parent->threadId) {\n interp->threadId = interp->parent->threadId;\n#ifndef JSI_MEM_DEBUG\n Jsi_LogWarn(\"non-threaded sub-interp created by different thread than parent\");\n#endif\n }\n if (interp->safeMode != jsi_safe_None)\n interp->isSafe = interp->startSafe = 1;\n if (!interp->parent) {\n if (interp->isSafe)\n interp->startSafe = 1;\n if (interp->debugOpts.msgCallback)\n Jsi_LogWarn(\"ignoring msgCallback\");\n if (interp->debugOpts.putsCallback)\n Jsi_LogWarn(\"ignoring putsCallback\");\n if (interp->busyCallback)\n Jsi_LogWarn(\"ignoring busyCallback\");\n if (interp->debugOpts.traceCallback)\n Jsi_LogWarn(\"ignoring traceCallback\");\n } else if (interp->busyCallback && interp->threadId != interp->parent->threadId) {\n Jsi_LogWarn(\"disabling busyCallback due to threads\");\n interp->busyCallback = NULL;\n }\n if (interp == jsiIntData.mainInterp)\n interp->lexkeyTbl = Jsi_HashNew(interp, JSI_KEYS_STRING, NULL);\n else\n interp->lexkeyTbl = jsiIntData.mainInterp->lexkeyTbl;\n interp->thisTbl = Jsi_HashNew(interp, JSI_KEYS_ONEWORD, freeValueTbl);\n interp->userdataTbl = Jsi_HashNew(interp, JSI_KEYS_STRING, freeUserdataTbl);\n interp->varTbl = Jsi_HashNew(interp, JSI_KEYS_STRING, NULL);\n interp->codeTbl = Jsi_HashNew(interp, JSI_KEYS_STRING, freeCodeTbl);\n interp->genValueTbl = Jsi_HashNew(interp, JSI_KEYS_ONEWORD,freeValueTbl);\n interp->genObjTbl = Jsi_HashNew(interp, JSI_KEYS_ONEWORD, freeGenObjTbl);\n#ifdef JSI_MEM_DEBUG\n interp->codesTbl = (interp == jsiIntData.mainInterp ? 
Jsi_HashNew(interp, JSI_KEYS_ONEWORD, NULL) : jsiIntData.mainInterp->codesTbl);\n#endif\n if (interp->typeCheck.all|interp->typeCheck.parse|interp->typeCheck.funcsig)\n interp->staticFuncsTbl = Jsi_HashNew(interp, JSI_KEYS_STRING, NULL);\n if (!jsiIntData.isInit) {\n jsiIntData.isInit = 1;\n jsi_InitValue(interp, 0);\n jsiIntData.interpsTbl = Jsi_HashNew(interp, JSI_KEYS_ONEWORD, 0);\n }\n\n /* current scope, also global */\n interp->csc = Jsi_ValueNew1(interp);\n Jsi_ValueMakeObject(interp, &interp->csc, Jsi_ObjNew(interp));\n interp->framePtr->incsc = interp->csc;\n\n#define JSIDOINIT(nam) if (!jsi_ModBlacklisted(interp,#nam)) { if (jsi_Init##nam(interp, 0) != JSI_OK) { Jsi_LogBug(\"Init failure in %s\", #nam); } }\n#define JSIDOINIT2(nam) if (!jsi_ModBlacklisted(interp,#nam)) { if (Jsi_Init##nam(interp, 0) != JSI_OK) { Jsi_LogBug(\"Init failure in %s\", #nam); } }\n\n JSIDOINIT(Proto);\n\n if (interp->pkgDirs) // Fix-up because above, array was not yet initialized.\n interp->pkgDirs->d.obj->__proto__ = interp->Array_prototype;\n\n Jsi_Value *modObj = Jsi_ValueNewObj(interp, Jsi_ObjNewType(interp, JSI_OT_OBJECT));\n Jsi_ValueInsert(interp, interp->csc, \"Jsi_Auto\", modObj, JSI_OM_DONTDEL);\n\n /* initial scope chain, nothing */\n interp->framePtr->ingsc = interp->gsc = jsi_ScopeChainNew(interp, 0);\n\n interp->ps = jsi_PstateNew(interp); /* Default parser. 
*/\n if (interp->unitTest&2) {\n interp->logOpts.before = 1;\n interp->logOpts.full = 1;\n interp->tracePuts = 1;\n interp->noStderr = 1;\n }\n if (interp->args && argc) {\n Jsi_LogBug(\"args may not be specified both as options and parameter\");\n Jsi_InterpDelete(interp);\n return NULL;\n }\n if (interp->maxDepth>JSI_MAX_EVAL_DEPTH)\n interp->maxDepth = JSI_MAX_EVAL_DEPTH;\n\n // Create the args array.\n if (argc >= 0 && !interp->args) {\n Jsi_Value *iargs = Jsi_ValueNew1(interp);\n iargs->f.bits.dontdel = 1;\n iargs->f.bits.readonly = 1;\n Jsi_Obj *iobj = Jsi_ObjNew(interp);\n Jsi_ValueMakeArrayObject(interp, &iargs, iobj);\n int i = 1, ii = (iocnt>1 ? iocnt : 1);\n int msiz = (argc?argc-iocnt:0);\n Jsi_ObjArraySizer(interp, iobj, msiz);\n iobj->arrMaxSize = msiz;\n iocnt--;\n iobj->arrCnt = argc-iocnt;\n for (i = 1; ii < argc; ++ii, i++) {\n iobj->arr[i-1] = Jsi_ValueNewStringKey(interp, argv[ii]);\n Jsi_IncrRefCount(interp, iobj->arr[i-1]);\n jsi_ValueDebugLabel(iobj->arr[i-1], \"InterpCreate\", \"args\");\n }\n Jsi_ObjSetLength(interp, iobj, msiz);\n interp->args = iargs;\n } else if (interp->parent && interp->args) {\n // Avoid strings from sneeking in with options from parent...\n Jsi_Value *nar = Jsi_ValueDupJSON(interp, interp->args);\n Jsi_DecrRefCount(interp, interp->args);\n interp->args = nar;\n }\n JSIDOINIT(Options);\n JSIDOINIT(Cmds);\n JSIDOINIT(Interp);\n JSIDOINIT(JSON);\n\n interp->retValue = Jsi_ValueNew1(interp);\n interp->Mutex = Jsi_MutexNew(interp, -1, JSI_MUTEX_RECURSIVE);\n if (1 || interp->subthread) {\n interp->QMutex = Jsi_MutexNew(interp, -1, JSI_MUTEX_RECURSIVE);\n //Jsi_DSInit(&interp->interpEvalQ);\n }\n JSIDOINIT(Lexer);\n if (interp != jsiIntData.mainInterp && !parent)\n Jsi_HashSet(jsiIntData.interpsTbl, interp, NULL);\n\n if (!interp->isSafe) {\n JSIDOINIT(Load);\n#if JSI__SIGNAL==1\n JSIDOINIT(Signal);\n#endif\n }\n if (interp->isSafe == 0 || interp->startSafe || interp->safeWriteDirs!=NULL || interp->safeReadDirs!=NULL) 
{\n#if JSI__FILESYS==1\n JSIDOINIT(FileCmds);\n JSIDOINIT(Filesys);\n#endif\n }\n#if JSI__SQLITE==1\n JSIDOINIT2(Sqlite);\n#else\n Jsi_initSqlite(interp, 0);\n#endif\n#if JSI__MYSQL==1\n if (!interp->noNetwork) {\n JSIDOINIT2(MySql);\n }\n#endif\n#if JSI__SOCKET==1\n JSIDOINIT2(Socket);\n#endif\n#if JSI__WEBSOCKET==1\n JSIDOINIT2(WebSocket);\n#endif\n\n#if JSI__CDATA==1\n JSIDOINIT(CData);\n#endif\n\n#ifdef JSI_USER_EXTENSION\n extern int JSI_USER_EXTENSION(Jsi_Interp *interp, int release);\n if (JSI_USER_EXTENSION (interp, 0) != JSI_OK) {\n fprintf(stderr, \"extension load failed\");\n return jsi_DoExit(interp, 1);\n }\n#endif\n Jsi_PkgProvide(interp, \"Jsi\", JSI_VERSION, NULL);\n if (argc > 0) {\n char *ss = argv0;\n char epath[PATH_MAX] = \"\"; // Path of executable\n#ifdef __WIN32\n\n if (GetModuleFileName(NULL, epath, sizeof(epath))>0)\n ss = epath;\n#else\n#ifndef PROC_SELF_DIR\n#define PROC_SELF_DIR \"/proc/self/exe\"\n#endif\n if (ss && *ss != '/' && readlink(PROC_SELF_DIR, epath, sizeof(epath)) && epath[0])\n ss = epath;\n#endif\n Jsi_Value *src = Jsi_ValueNewStringDup(interp, ss);\n Jsi_IncrRefCount(interp, src);\n jsiIntData.execName = Jsi_Realpath(interp, src, NULL);\n Jsi_DecrRefCount(interp, src);\n if (!jsiIntData.execName) jsiIntData.execName = Jsi_Strdup(\"\");\n jsiIntData.execValue = Jsi_ValueNewString(interp, jsiIntData.execName, -1);\n Jsi_IncrRefCount(interp, jsiIntData.execValue);\n Jsi_HashSet(interp->genValueTbl, jsiIntData.execValue, jsiIntData.execValue);\n }\n\n //interp->nocacheOpCodes = 1;\n if (interp->debugOpts.debugCallback && !interp->debugOpts.hook) {\n interp->debugOpts.hook = jsi_InterpDebugHook;\n }\n interp->startTime = jsi_GetTimestamp();\n#ifdef JSI_INTERP_EXTENSION_CODE // For extending interp from jsi.c\n JSI_INTERP_EXTENSION_CODE\n#endif\n if (interp->opts.initProc && (*interp->opts.initProc)(interp, 0) != JSI_OK)\n Jsi_LogBug(\"Init failure in initProc\");\n\n return interp;\n}", "idx": 520864, "cwe": "CWE-190", "hash": 
264696466856536611834445671814671257515, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataEnumDefineCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr)\n{\n Jsi_RC rc = JSI_OK;\n char **argv = NULL, *cmt, *cp;\n Jsi_OptionTypedef *st = NULL;\n jsi_csInitType(interp);\n Jsi_Value *val = Jsi_ValueArrayIndex(interp, args, 0),\n *flds = Jsi_ValueArrayIndex(interp, args, 1);\n int vlen, flen, i, argc;\n Jsi_DString fStr = {};\n const char **el, *vstr = Jsi_ValueString(interp, val, &vlen),\n *fstr = Jsi_ValueString(interp, flds, &flen);\n if (vstr) {\n cmt = Jsi_Strstr(fstr, \"//\");\n Jsi_DString tStr = {fstr};\n fstr=jsi_TrimStr(Jsi_DSValue(&tStr));\n Jsi_SplitStr(fstr, &argc, &argv, (cmt?\"\\n\":\",\"), &fStr);\n Jsi_DSFree(&tStr);\n } else if (!Jsi_ValueIsArray(interp,flds) || (argc=Jsi_ValueGetLength(interp, flds))<1)\n return Jsi_LogError(\"arg 2 must be string or non-empty array\");\n\n Jsi_EnumSpec *sl, *sf, recs[argc+1];\n memset(recs, 0, sizeof(recs));\n sl = recs+argc;\n SIGINIT(sl, OPTS_ENUM);\n if (vstr) {\n sl->name = Jsi_KeyAdd(interp, vstr);\n } else if (Jsi_OptionsProcess(interp, EnumOptions, sl, val, 0) < 0) {\n rc = JSI_ERROR;\n goto bail;\n }\n if (!Jsi_StrIsAlnum(sl->name)) {\n rc = Jsi_LogError(\"invalid enum name: %s\", sl->name);\n goto bail;\n }\n if (jsi_csEnumGet(interp, sl->name)) {\n rc = Jsi_LogError(\"enum already exists: %s\", sl->name);\n goto bail;\n }\n for (i = 0; iidx = i;\n if (i)\n sf->value = recs[i-1].value+1;\n if (!argv)\n val = Jsi_ValueArrayIndex(interp, flds, i);\n else {\n if (cmt) {\n cp = Jsi_Strstr(argv[i], \"//\"); \n if (cp) {\n *cp = 0;\n cp += 2;\n cp = jsi_TrimStr(cp);\n sf->help = Jsi_KeyAdd(interp, cp);\n }\n }\n cp = Jsi_Strchr(argv[i], ','); \n if (cp) *cp = 0;\n cp = Jsi_Strchr(argv[i], '='); \n if (cp) {\n *cp++ = 0;\n cp = jsi_TrimStr(cp);\n if (Jsi_GetWide(interp, cp, 
&sf->value, 0) != JSI_OK) {\n rc = Jsi_LogError(\"Bad value\");\n goto bail;\n }\n }\n cp = jsi_TrimStr(argv[i]);\n sf->name = Jsi_KeyAdd(interp, cp);\n val = NULL;\n }\n if (val && Jsi_OptionsProcess(interp, EnumFieldOptions, sf, val, 0) < 0) {\n rc = JSI_ERROR;\n goto bail;\n }\n if (Jsi_HashGet(interp->EnumItemHash, sf->name, 0)) {\n rc = Jsi_LogError(\"duplicate enum item: %s\", sf->name);\n goto bail;\n }\n if (!Jsi_StrIsAlnum(sf->name)) {\n rc = Jsi_LogError(\"invalid enum item name: %s\", sf->name);\n goto bail;\n }\n }\n st = (typeof(st))Jsi_Calloc(1, sizeof(*st) + sizeof(char*)*(argc+1)+sizeof(recs));\n SIGINIT(st, TYPEDEF);\n sf = (typeof(sf))((uchar*)(st + 1));\n sl = sf+argc;\n el = (typeof(el))(sl + 1);\n memcpy(sf, recs, sizeof(recs));\n for (i = 0; iid = JSI_OPTION_END;\n sl->extData = (uchar*)sf;\n sl->data = el;\n rc = jsi_csSetupEnum(interp, sl, sf, st);\nbail:\n Jsi_DSFree(&fStr);\n if (rc != JSI_OK && st)\n Jsi_Free(st);\n return rc;\n}", "idx": 520884, "cwe": "CWE-190", "hash": 301431964815621137247697731226807555007, "dataset": "other" }, { "func": "_libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,\n size_t datalen, int macstate)\n{\n int rc = 0;\n char *message = NULL;\n char *language = NULL;\n size_t message_len = 0;\n size_t language_len = 0;\n LIBSSH2_CHANNEL *channelp = NULL;\n size_t data_head = 0;\n unsigned char msg = data[0];\n\n switch(session->packAdd_state) {\n case libssh2_NB_state_idle:\n _libssh2_debug(session, LIBSSH2_TRACE_TRANS,\n \"Packet type %d received, length=%d\",\n (int) msg, (int) datalen);\n\n if((macstate == LIBSSH2_MAC_INVALID) &&\n (!session->macerror ||\n LIBSSH2_MACERROR(session, (char *) data, datalen))) {\n /* Bad MAC input, but no callback set or non-zero return from the\n callback */\n\n LIBSSH2_FREE(session, data);\n return _libssh2_error(session, LIBSSH2_ERROR_INVALID_MAC,\n \"Invalid MAC received\");\n }\n session->packAdd_state = libssh2_NB_state_allocated;\n break;\n case 
libssh2_NB_state_jump1:\n goto libssh2_packet_add_jump_point1;\n case libssh2_NB_state_jump2:\n goto libssh2_packet_add_jump_point2;\n case libssh2_NB_state_jump3:\n goto libssh2_packet_add_jump_point3;\n case libssh2_NB_state_jump4:\n goto libssh2_packet_add_jump_point4;\n case libssh2_NB_state_jump5:\n goto libssh2_packet_add_jump_point5;\n default: /* nothing to do */\n break;\n }\n\n if(session->packAdd_state == libssh2_NB_state_allocated) {\n /* A couple exceptions to the packet adding rule: */\n switch(msg) {\n\n /*\n byte SSH_MSG_DISCONNECT\n uint32 reason code\n string description in ISO-10646 UTF-8 encoding [RFC3629]\n string language tag [RFC3066]\n */\n\n case SSH_MSG_DISCONNECT:\n if(datalen >= 5) {\n size_t reason = _libssh2_ntohu32(data + 1);\n\n if(datalen >= 9) {\n message_len = _libssh2_ntohu32(data + 5);\n\n if(message_len < datalen-13) {\n /* 9 = packet_type(1) + reason(4) + message_len(4) */\n message = (char *) data + 9;\n\n language_len =\n _libssh2_ntohu32(data + 9 + message_len);\n language = (char *) data + 9 + message_len + 4;\n\n if(language_len > (datalen-13-message_len)) {\n /* bad input, clear info */\n language = message = NULL;\n language_len = message_len = 0;\n }\n }\n else\n /* bad size, clear it */\n message_len = 0;\n }\n if(session->ssh_msg_disconnect) {\n LIBSSH2_DISCONNECT(session, reason, message,\n message_len, language, language_len);\n }\n _libssh2_debug(session, LIBSSH2_TRACE_TRANS,\n \"Disconnect(%d): %s(%s)\", reason,\n message, language);\n }\n\n LIBSSH2_FREE(session, data);\n session->socket_state = LIBSSH2_SOCKET_DISCONNECTED;\n session->packAdd_state = libssh2_NB_state_idle;\n return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT,\n \"socket disconnect\");\n /*\n byte SSH_MSG_IGNORE\n string data\n */\n\n case SSH_MSG_IGNORE:\n if(datalen >= 2) {\n if(session->ssh_msg_ignore) {\n LIBSSH2_IGNORE(session, (char *) data + 1, datalen - 1);\n }\n }\n else if(session->ssh_msg_ignore) {\n LIBSSH2_IGNORE(session, 
\"\", 0);\n }\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n\n /*\n byte SSH_MSG_DEBUG\n boolean always_display\n string message in ISO-10646 UTF-8 encoding [RFC3629]\n string language tag [RFC3066]\n */\n\n case SSH_MSG_DEBUG:\n if(datalen >= 2) {\n int always_display = data[1];\n\n if(datalen >= 6) {\n message_len = _libssh2_ntohu32(data + 2);\n\n if(message_len <= (datalen - 10)) {\n /* 6 = packet_type(1) + display(1) + message_len(4) */\n message = (char *) data + 6;\n language_len = _libssh2_ntohu32(data + 6 +\n message_len);\n\n if(language_len <= (datalen - 10 - message_len))\n language = (char *) data + 10 + message_len;\n }\n }\n\n if(session->ssh_msg_debug) {\n LIBSSH2_DEBUG(session, always_display, message,\n message_len, language, language_len);\n }\n }\n /*\n * _libssh2_debug will actually truncate this for us so\n * that it's not an inordinate about of data\n */\n _libssh2_debug(session, LIBSSH2_TRACE_TRANS,\n \"Debug Packet: %s\", message);\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n\n /*\n byte SSH_MSG_GLOBAL_REQUEST\n string request name in US-ASCII only\n boolean want reply\n .... 
request-specific data follows\n */\n\n case SSH_MSG_GLOBAL_REQUEST:\n if(datalen >= 5) {\n uint32_t len = 0;\n unsigned char want_reply = 0;\n len = _libssh2_ntohu32(data + 1);\n if(datalen >= (6 + len)) {\n want_reply = data[5 + len];\n _libssh2_debug(session,\n LIBSSH2_TRACE_CONN,\n \"Received global request type %.*s (wr %X)\",\n len, data + 5, want_reply);\n }\n\n\n if(want_reply) {\n static const unsigned char packet =\n SSH_MSG_REQUEST_FAILURE;\n libssh2_packet_add_jump_point5:\n session->packAdd_state = libssh2_NB_state_jump5;\n rc = _libssh2_transport_send(session, &packet, 1, NULL, 0);\n if(rc == LIBSSH2_ERROR_EAGAIN)\n return rc;\n }\n }\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n\n /*\n byte SSH_MSG_CHANNEL_EXTENDED_DATA\n uint32 recipient channel\n uint32 data_type_code\n string data\n */\n\n case SSH_MSG_CHANNEL_EXTENDED_DATA:\n /* streamid(4) */\n data_head += 4;\n\n /* fall-through */\n\n /*\n byte SSH_MSG_CHANNEL_DATA\n uint32 recipient channel\n string data\n */\n\n case SSH_MSG_CHANNEL_DATA:\n /* packet_type(1) + channelno(4) + datalen(4) */\n data_head += 9;\n\n if(datalen >= data_head)\n channelp =\n _libssh2_channel_locate(session,\n _libssh2_ntohu32(data + 1));\n\n if(!channelp) {\n _libssh2_error(session, LIBSSH2_ERROR_CHANNEL_UNKNOWN,\n \"Packet received for unknown channel\");\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n }\n#ifdef LIBSSH2DEBUG\n {\n uint32_t stream_id = 0;\n if(msg == SSH_MSG_CHANNEL_EXTENDED_DATA)\n stream_id = _libssh2_ntohu32(data + 5);\n\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"%d bytes packet_add() for %lu/%lu/%lu\",\n (int) (datalen - data_head),\n channelp->local.id,\n channelp->remote.id,\n stream_id);\n }\n#endif\n if((channelp->remote.extended_data_ignore_mode ==\n LIBSSH2_CHANNEL_EXTENDED_DATA_IGNORE) &&\n (msg == SSH_MSG_CHANNEL_EXTENDED_DATA)) {\n /* Pretend we didn't receive this */\n 
LIBSSH2_FREE(session, data);\n\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"Ignoring extended data and refunding %d bytes\",\n (int) (datalen - 13));\n if(channelp->read_avail + datalen - data_head >=\n channelp->remote.window_size)\n datalen = channelp->remote.window_size -\n channelp->read_avail + data_head;\n\n channelp->remote.window_size -= datalen - data_head;\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"shrinking window size by %lu bytes to %lu, \"\n \"read_avail %lu\",\n datalen - data_head,\n channelp->remote.window_size,\n channelp->read_avail);\n\n session->packAdd_channelp = channelp;\n\n /* Adjust the window based on the block we just freed */\n libssh2_packet_add_jump_point1:\n session->packAdd_state = libssh2_NB_state_jump1;\n rc = _libssh2_channel_receive_window_adjust(session->\n packAdd_channelp,\n datalen - 13,\n 1, NULL);\n if(rc == LIBSSH2_ERROR_EAGAIN)\n return rc;\n\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n }\n\n /*\n * REMEMBER! remote means remote as source of data,\n * NOT remote window!\n */\n if(channelp->remote.packet_size < (datalen - data_head)) {\n /*\n * Spec says we MAY ignore bytes sent beyond\n * packet_size\n */\n _libssh2_error(session,\n LIBSSH2_ERROR_CHANNEL_PACKET_EXCEEDED,\n \"Packet contains more data than we offered\"\n \" to receive, truncating\");\n datalen = channelp->remote.packet_size + data_head;\n }\n if(channelp->remote.window_size <= channelp->read_avail) {\n /*\n * Spec says we MAY ignore bytes sent beyond\n * window_size\n */\n _libssh2_error(session,\n LIBSSH2_ERROR_CHANNEL_WINDOW_EXCEEDED,\n \"The current receive window is full,\"\n \" data ignored\");\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n }\n /* Reset EOF status */\n channelp->remote.eof = 0;\n\n if(channelp->read_avail + datalen - data_head >\n channelp->remote.window_size) {\n _libssh2_error(session,\n LIBSSH2_ERROR_CHANNEL_WINDOW_EXCEEDED,\n \"Remote sent more data 
than current \"\n \"window allows, truncating\");\n datalen = channelp->remote.window_size -\n channelp->read_avail + data_head;\n }\n\n /* Update the read_avail counter. The window size will be\n * updated once the data is actually read from the queue\n * from an upper layer */\n channelp->read_avail += datalen - data_head;\n\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"increasing read_avail by %lu bytes to %lu/%lu\",\n (long)(datalen - data_head),\n (long)channelp->read_avail,\n (long)channelp->remote.window_size);\n\n break;\n\n /*\n byte SSH_MSG_CHANNEL_EOF\n uint32 recipient channel\n */\n\n case SSH_MSG_CHANNEL_EOF:\n if(datalen >= 5)\n channelp =\n _libssh2_channel_locate(session,\n _libssh2_ntohu32(data + 1));\n if(!channelp)\n /* We may have freed already, just quietly ignore this... */\n ;\n else {\n _libssh2_debug(session,\n LIBSSH2_TRACE_CONN,\n \"EOF received for channel %lu/%lu\",\n channelp->local.id,\n channelp->remote.id);\n channelp->remote.eof = 1;\n }\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n\n /*\n byte SSH_MSG_CHANNEL_REQUEST\n uint32 recipient channel\n string request type in US-ASCII characters only\n boolean want reply\n .... type-specific data follows\n */\n\n case SSH_MSG_CHANNEL_REQUEST:\n if(datalen >= 9) {\n uint32_t channel = _libssh2_ntohu32(data + 1);\n uint32_t len = _libssh2_ntohu32(data + 5);\n unsigned char want_reply = 1;\n\n if((len + 9) < datalen)\n want_reply = data[len + 9];\n\n _libssh2_debug(session,\n LIBSSH2_TRACE_CONN,\n \"Channel %d received request type %.*s (wr %X)\",\n channel, len, data + 9, want_reply);\n\n if(len == sizeof(\"exit-status\") - 1\n && (sizeof(\"exit-status\") - 1 + 9) <= datalen\n && !memcmp(\"exit-status\", data + 9,\n sizeof(\"exit-status\") - 1)) {\n\n /* we've got \"exit-status\" packet. 
Set the session value */\n if(datalen >= 20)\n channelp =\n _libssh2_channel_locate(session, channel);\n\n if(channelp && (sizeof(\"exit-status\") + 13) <= datalen) {\n channelp->exit_status =\n _libssh2_ntohu32(data + 9 + sizeof(\"exit-status\"));\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"Exit status %lu received for \"\n \"channel %lu/%lu\",\n channelp->exit_status,\n channelp->local.id,\n channelp->remote.id);\n }\n\n }\n else if(len == sizeof(\"exit-signal\") - 1\n && (sizeof(\"exit-signal\") - 1 + 9) <= datalen\n && !memcmp(\"exit-signal\", data + 9,\n sizeof(\"exit-signal\") - 1)) {\n /* command terminated due to signal */\n if(datalen >= 20)\n channelp = _libssh2_channel_locate(session, channel);\n\n if(channelp && (sizeof(\"exit-signal\") + 13) <= datalen) {\n /* set signal name (without SIG prefix) */\n uint32_t namelen =\n _libssh2_ntohu32(data + 9 + sizeof(\"exit-signal\"));\n\n if(namelen <= UINT_MAX - 1) {\n channelp->exit_signal =\n LIBSSH2_ALLOC(session, namelen + 1);\n }\n else {\n channelp->exit_signal = NULL;\n }\n\n if(!channelp->exit_signal)\n rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,\n \"memory for signal name\");\n else if((sizeof(\"exit-signal\") + 13 + namelen <=\n datalen)) {\n memcpy(channelp->exit_signal,\n data + 13 + sizeof(\"exit-signal\"), namelen);\n channelp->exit_signal[namelen] = '\\0';\n /* TODO: save error message and language tag */\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"Exit signal %s received for \"\n \"channel %lu/%lu\",\n channelp->exit_signal,\n channelp->local.id,\n channelp->remote.id);\n }\n }\n }\n\n\n if(want_reply) {\n unsigned char packet[5];\n libssh2_packet_add_jump_point4:\n session->packAdd_state = libssh2_NB_state_jump4;\n packet[0] = SSH_MSG_CHANNEL_FAILURE;\n memcpy(&packet[1], data + 1, 4);\n rc = _libssh2_transport_send(session, packet, 5, NULL, 0);\n if(rc == LIBSSH2_ERROR_EAGAIN)\n return rc;\n }\n }\n LIBSSH2_FREE(session, data);\n session->packAdd_state = 
libssh2_NB_state_idle;\n return rc;\n\n /*\n byte SSH_MSG_CHANNEL_CLOSE\n uint32 recipient channel\n */\n\n case SSH_MSG_CHANNEL_CLOSE:\n if(datalen >= 5)\n channelp =\n _libssh2_channel_locate(session,\n _libssh2_ntohu32(data + 1));\n if(!channelp) {\n /* We may have freed already, just quietly ignore this... */\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n }\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"Close received for channel %lu/%lu\",\n channelp->local.id,\n channelp->remote.id);\n\n channelp->remote.close = 1;\n channelp->remote.eof = 1;\n\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n\n /*\n byte SSH_MSG_CHANNEL_OPEN\n string \"session\"\n uint32 sender channel\n uint32 initial window size\n uint32 maximum packet size\n */\n\n case SSH_MSG_CHANNEL_OPEN:\n if(datalen < 17)\n ;\n else if((datalen >= (sizeof(\"forwarded-tcpip\") + 4)) &&\n ((sizeof(\"forwarded-tcpip\") - 1) ==\n _libssh2_ntohu32(data + 1))\n &&\n (memcmp(data + 5, \"forwarded-tcpip\",\n sizeof(\"forwarded-tcpip\") - 1) == 0)) {\n\n /* init the state struct */\n memset(&session->packAdd_Qlstn_state, 0,\n sizeof(session->packAdd_Qlstn_state));\n\n libssh2_packet_add_jump_point2:\n session->packAdd_state = libssh2_NB_state_jump2;\n rc = packet_queue_listener(session, data, datalen,\n &session->packAdd_Qlstn_state);\n }\n else if((datalen >= (sizeof(\"x11\") + 4)) &&\n ((sizeof(\"x11\") - 1) == _libssh2_ntohu32(data + 1)) &&\n (memcmp(data + 5, \"x11\", sizeof(\"x11\") - 1) == 0)) {\n\n /* init the state struct */\n memset(&session->packAdd_x11open_state, 0,\n sizeof(session->packAdd_x11open_state));\n\n libssh2_packet_add_jump_point3:\n session->packAdd_state = libssh2_NB_state_jump3;\n rc = packet_x11_open(session, data, datalen,\n &session->packAdd_x11open_state);\n }\n if(rc == LIBSSH2_ERROR_EAGAIN)\n return rc;\n\n LIBSSH2_FREE(session, data);\n session->packAdd_state = 
libssh2_NB_state_idle;\n return rc;\n\n /*\n byte SSH_MSG_CHANNEL_WINDOW_ADJUST\n uint32 recipient channel\n uint32 bytes to add\n */\n case SSH_MSG_CHANNEL_WINDOW_ADJUST:\n if(datalen < 9)\n ;\n else {\n uint32_t bytestoadd = _libssh2_ntohu32(data + 5);\n channelp =\n _libssh2_channel_locate(session,\n _libssh2_ntohu32(data + 1));\n if(channelp) {\n channelp->local.window_size += bytestoadd;\n\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"Window adjust for channel %lu/%lu, \"\n \"adding %lu bytes, new window_size=%lu\",\n channelp->local.id,\n channelp->remote.id,\n bytestoadd,\n channelp->local.window_size);\n }\n }\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n default:\n break;\n }\n\n session->packAdd_state = libssh2_NB_state_sent;\n }\n\n if(session->packAdd_state == libssh2_NB_state_sent) {\n LIBSSH2_PACKET *packetp =\n LIBSSH2_ALLOC(session, sizeof(LIBSSH2_PACKET));\n if(!packetp) {\n _libssh2_debug(session, LIBSSH2_ERROR_ALLOC,\n \"memory for packet\");\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return LIBSSH2_ERROR_ALLOC;\n }\n packetp->data = data;\n packetp->data_len = datalen;\n packetp->data_head = data_head;\n\n _libssh2_list_add(&session->packets, &packetp->node);\n\n session->packAdd_state = libssh2_NB_state_sent1;\n }\n\n if((msg == SSH_MSG_KEXINIT &&\n !(session->state & LIBSSH2_STATE_EXCHANGING_KEYS)) ||\n (session->packAdd_state == libssh2_NB_state_sent2)) {\n if(session->packAdd_state == libssh2_NB_state_sent1) {\n /*\n * Remote wants new keys\n * Well, it's already in the brigade,\n * let's just call back into ourselves\n */\n _libssh2_debug(session, LIBSSH2_TRACE_TRANS, \"Renegotiating Keys\");\n\n session->packAdd_state = libssh2_NB_state_sent2;\n }\n\n /*\n * The KEXINIT message has been added to the queue. 
The packAdd and\n * readPack states need to be reset because _libssh2_kex_exchange\n * (eventually) calls upon _libssh2_transport_read to read the rest of\n * the key exchange conversation.\n */\n session->readPack_state = libssh2_NB_state_idle;\n session->packet.total_num = 0;\n session->packAdd_state = libssh2_NB_state_idle;\n session->fullpacket_state = libssh2_NB_state_idle;\n\n memset(&session->startup_key_state, 0, sizeof(key_exchange_state_t));\n\n /*\n * If there was a key reexchange failure, let's just hope we didn't\n * send NEWKEYS yet, otherwise remote will drop us like a rock\n */\n rc = _libssh2_kex_exchange(session, 1, &session->startup_key_state);\n if(rc == LIBSSH2_ERROR_EAGAIN)\n return rc;\n }\n\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n}", "project": "libssh2", "hash": 1170263160591633863198263904436599036, "size": 621, "commit_id": "dedcbd106f8e52d5586b0205bc7677e4c9868f9c", "message": "packet.c: improve message parsing (#402)\n\n* packet.c: improve parsing of packets\r\n\r\nfile: packet.c\r\n\r\nnotes:\r\nUse _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. 
Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.", "target": 1, "dataset": "other", "idx": 195648 }, { "func": " void Compute(OpKernelContext *ctx) override {\n const Tensor *indices_t, *values_t, *shape_t, *dense_t;\n OP_REQUIRES_OK(ctx, ctx->input(\"sp_indices\", &indices_t));\n OP_REQUIRES_OK(ctx, ctx->input(\"sp_values\", &values_t));\n OP_REQUIRES_OK(ctx, ctx->input(\"sp_shape\", &shape_t));\n OP_REQUIRES_OK(ctx, ctx->input(\"dense\", &dense_t));\n\n // Validations.\n OP_REQUIRES(ctx, TensorShapeUtils::IsMatrix(indices_t->shape()),\n errors::InvalidArgument(\n \"Input sp_indices should be a matrix but received shape: \",\n indices_t->shape().DebugString()));\n OP_REQUIRES(ctx,\n TensorShapeUtils::IsVector(values_t->shape()) &&\n TensorShapeUtils::IsVector(shape_t->shape()),\n errors::InvalidArgument(\n \"Inputs sp_values and sp_shape should be vectors \"\n \"but received shapes: \",\n values_t->shape().DebugString(), \" and \",\n shape_t->shape().DebugString()));\n OP_REQUIRES(\n ctx, values_t->dim_size(0) == indices_t->dim_size(0),\n errors::InvalidArgument(\n \"The first dimension of values and indices should match. (\",\n values_t->dim_size(0), \" vs. 
\", indices_t->dim_size(0), \")\"));\n\n const auto indices_mat = indices_t->matrix();\n const auto shape_vec = shape_t->vec();\n const auto lhs_dims = BCast::FromShape(TensorShape(shape_vec));\n const auto rhs_dims = BCast::FromShape(dense_t->shape());\n BCast b(lhs_dims, rhs_dims, false); // false for keeping the same num dims.\n\n // True iff (size(lhs) >= size(rhs)) and all dims in lhs is greater or equal\n // to dims in rhs (from right to left).\n auto VecGreaterEq = [](ArraySlice lhs, ArraySlice rhs) {\n if (lhs.size() < rhs.size()) return false;\n for (size_t i = 0; i < rhs.size(); ++i) {\n if (lhs[lhs.size() - 1 - i] < rhs[rhs.size() - 1 - i]) return false;\n }\n return true;\n };\n OP_REQUIRES(ctx, VecGreaterEq(lhs_dims, rhs_dims) && b.IsValid(),\n errors::InvalidArgument(\n \"SparseDenseBinaryOpShared broadcasts dense to sparse \"\n \"only; got incompatible shapes: [\",\n absl::StrJoin(lhs_dims, \",\"), \"] vs. [\",\n absl::StrJoin(rhs_dims, \",\"), \"]\"));\n\n Tensor *output_values = nullptr;\n Tensor dense_gathered;\n const int64 nnz = indices_t->dim_size(0);\n OP_REQUIRES_OK(ctx,\n ctx->allocate_output(0, TensorShape({nnz}), &output_values));\n OP_REQUIRES_OK(\n ctx, ctx->allocate_temp(DataTypeToEnum::value, TensorShape({nnz}),\n &dense_gathered));\n\n // Pulls relevant entries from the dense side, with reshape and broadcasting\n // *of the dense side* taken into account. 
Use a TensorRef to avoid blowing\n // up memory.\n //\n // We can directly use the sparse indices to look up dense side, because\n // \"b.y_reshape()\" and \"b.y_bcast()\" are guaranteed to have rank \"ndims\".\n auto dense_gathered_flat = dense_gathered.flat();\n const int ndims = lhs_dims.size();\n switch (ndims) {\n#define CASE(NDIM) \\\n case NDIM: { \\\n TensorRef> rhs_ref = \\\n dense_t->shaped(b.y_reshape()) \\\n .broadcast(BCast::ToIndexArray(b.y_bcast())); \\\n Eigen::array idx; \\\n bool indices_valid = true; \\\n for (int i = 0; i < nnz; ++i) { \\\n for (int d = 0; d < NDIM; ++d) { \\\n idx[d] = internal::SubtleMustCopy(indices_mat(i, d)); \\\n if (!FastBoundsCheck(idx[d], rhs_ref.dimension(d))) { \\\n indices_valid = false; \\\n } \\\n } \\\n OP_REQUIRES( \\\n ctx, indices_valid, \\\n errors::InvalidArgument(\"Provided indices are out-of-bounds w.r.t. \" \\\n \"dense side with broadcasted shape\")); \\\n dense_gathered_flat(i) = rhs_ref.coeff(idx); \\\n } \\\n break; \\\n }\n\n CASE(1);\n CASE(2);\n CASE(3);\n CASE(4);\n CASE(5);\n default:\n OP_REQUIRES(\n ctx, false,\n errors::InvalidArgument(\"Only tensors with ranks between 1 and 5 \"\n \"are currently supported. 
Tensor rank: \",\n ndims));\n#undef CASE\n }\n\n output_values->flat().device(ctx->eigen_device()) =\n values_t->flat().binaryExpr(dense_gathered_flat,\n typename Functor::func());\n }", "project": "tensorflow", "hash": 157920771574414128903170642379842966624, "size": 107, "commit_id": "d9204be9f49520cdaaeb2541d1dc5187b23f31d9", "message": "Disallow division by zero FPE in tf.raw_ops.SparseDenseCwiseDiv\n\nPiperOrigin-RevId: 383959809\nChange-Id: Ibe88458bdf66a686c93e354b8255dec94285c560", "target": 1, "dataset": "other", "idx": 195972 }, { "func": "main(int argc, char **argv)\n{\n\tconst char *safepath = \"/bin:/sbin:/usr/bin:/usr/sbin:\"\n\t \"/usr/local/bin:/usr/local/sbin\";\n\tconst char *confpath = NULL;\n\tchar *shargv[] = { NULL, NULL };\n\tchar *sh;\n\tconst char *p;\n\tconst char *cmd;\n\tchar cmdline[LINE_MAX];\n\tstruct passwd mypwstore, targpwstore;\n\tstruct passwd *mypw, *targpw;\n\tconst struct rule *rule;\n\tuid_t uid;\n\tuid_t target = 0;\n\tgid_t groups[NGROUPS_MAX + 1];\n\tint ngroups;\n\tint i, ch, rv;\n\tint sflag = 0;\n\tint nflag = 0;\n\tchar cwdpath[PATH_MAX];\n\tconst char *cwd;\n\tchar **envp;\n\n\tsetprogname(\"doas\");\n\n\tclosefrom(STDERR_FILENO + 1);\n\n\tuid = getuid();\n\n\twhile ((ch = getopt(argc, argv, \"+C:Lnsu:\")) != -1) {\n\t\tswitch (ch) {\n\t\tcase 'C':\n\t\t\tconfpath = optarg;\n\t\t\tbreak;\n\t\tcase 'L':\n#if defined(USE_TIMESTAMP)\n\t\t\texit(timestamp_clear() == -1);\n#else\n\t\t\texit(0);\n#endif\n\t\tcase 'u':\n\t\t\tif (parseuid(optarg, &target) != 0)\n\t\t\t\terrx(1, \"unknown user\");\n\t\t\tbreak;\n\t\tcase 'n':\n\t\t\tnflag = 1;\n\t\t\tbreak;\n\t\tcase 's':\n\t\t\tsflag = 1;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tusage();\n\t\t\tbreak;\n\t\t}\n\t}\n\targv += optind;\n\targc -= optind;\n\n\tif (confpath) {\n\t\tif (sflag)\n\t\t\tusage();\n\t} else if ((!sflag && !argc) || (sflag && argc))\n\t\tusage();\n\n\trv = mygetpwuid_r(uid, &mypwstore, &mypw);\n\tif (rv != 0)\n\t\terr(1, \"getpwuid_r failed\");\n\tif (mypw == 
NULL)\n\t\terrx(1, \"no passwd entry for self\");\n\tngroups = getgroups(NGROUPS_MAX, groups);\n\tif (ngroups == -1)\n\t\terr(1, \"can't get groups\");\n\tgroups[ngroups++] = getgid();\n\n\tif (sflag) {\n\t\tsh = getenv(\"SHELL\");\n\t\tif (sh == NULL || *sh == '\\0') {\n\t\t\tshargv[0] = mypw->pw_shell;\n\t\t} else\n\t\t\tshargv[0] = sh;\n\t\targv = shargv;\n\t\targc = 1;\n\t}\n\n\tif (confpath) {\n\t\tcheckconfig(confpath, argc, argv, uid, groups, ngroups,\n\t\t target);\n\t\texit(1);\t/* fail safe */\n\t}\n\n\tif (geteuid())\n\t\terrx(1, \"not installed setuid\");\n\n\tparseconfig(DOAS_CONF, 1);\n\n\t/* cmdline is used only for logging, no need to abort on truncate */\n\t(void)strlcpy(cmdline, argv[0], sizeof(cmdline));\n\tfor (i = 1; i < argc; i++) {\n\t\tif (strlcat(cmdline, \" \", sizeof(cmdline)) >= sizeof(cmdline))\n\t\t\tbreak;\n\t\tif (strlcat(cmdline, argv[i], sizeof(cmdline)) >= sizeof(cmdline))\n\t\t\tbreak;\n\t}\n\n\tcmd = argv[0];\n\tif (!permit(uid, groups, ngroups, &rule, target, cmd,\n\t (const char **)argv + 1)) {\n\t\tsyslog(LOG_AUTHPRIV | LOG_NOTICE,\n\t\t \"command not permitted for %s: %s\", mypw->pw_name, cmdline);\n\t\terrc(1, EPERM, NULL);\n\t}\n\n#if defined(USE_SHADOW)\n\tif (!(rule->options & NOPASS)) {\n\t\tif (nflag)\n\t\t\terrx(1, \"Authorization required\");\n\n\t\tshadowauth(mypw->pw_name, rule->options & PERSIST);\n\t}\n#elif !defined(USE_PAM)\n\t/* no authentication provider, only allow NOPASS rules */\n\t(void) nflag;\n\tif (!(rule->options & NOPASS))\n\t\terrx(1, \"Authorization required\");\n#endif\n\n\tif ((p = getenv(\"PATH\")) != NULL)\n\t\tformerpath = strdup(p);\n\tif (formerpath == NULL)\n\t\tformerpath = \"\";\n\n\tif (rule->cmd) {\n\t\tif (setenv(\"PATH\", safepath, 1) == -1)\n\t\t\terr(1, \"failed to set PATH '%s'\", safepath);\n\t}\n\n\trv = mygetpwuid_r(target, &targpwstore, &targpw);\n\tif (rv != 0)\n\t\terr(1, \"getpwuid_r failed\");\n\tif (targpw == NULL)\n\t\terrx(1, \"no passwd entry for target\");\n\n#if 
defined(USE_PAM)\n\tpamauth(targpw->pw_name, mypw->pw_name, !nflag, rule->options & NOPASS,\n\t rule->options & PERSIST);\n#endif\n\n#ifdef HAVE_LOGIN_CAP_H\n\tif (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |\n\t LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |\n\t LOGIN_SETUSER) != 0)\n\t\terrx(1, \"failed to set user context for target\");\n#else\n\tif (setresgid(targpw->pw_gid, targpw->pw_gid, targpw->pw_gid) != 0)\n\t\terr(1, \"setresgid\");\n\tif (initgroups(targpw->pw_name, targpw->pw_gid) != 0)\n\t\terr(1, \"initgroups\");\n\tif (setresuid(target, target, target) != 0)\n\t\terr(1, \"setresuid\");\n#endif\n\n\tif (getcwd(cwdpath, sizeof(cwdpath)) == NULL)\n\t\tcwd = \"(failed)\";\n\telse\n\t\tcwd = cwdpath;\n\n\tif (!(rule->options & NOLOG)) {\n\t\tsyslog(LOG_AUTHPRIV | LOG_INFO,\n\t\t \"%s ran command %s as %s from %s\",\n\t\t mypw->pw_name, cmdline, targpw->pw_name, cwd);\n\t}\n\n\tenvp = prepenv(rule, mypw, targpw);\n\n\t/* setusercontext set path for the next process, so reset it for us */\n\tif (rule->cmd) {\n\t\tif (setenv(\"PATH\", safepath, 1) == -1)\n\t\t\terr(1, \"failed to set PATH '%s'\", safepath);\n\t} else {\n\t\tif (setenv(\"PATH\", formerpath, 1) == -1)\n\t\t\terr(1, \"failed to set PATH '%s'\", formerpath);\n\t}\n\texecvpe(cmd, argv, envp);\n\tif (errno == ENOENT)\n\t\terrx(1, \"%s: command not found\", cmd);\n\terr(1, \"%s\", cmd);\n}", "project": "OpenDoas", "hash": 321353994930714283258779977752854978365, "size": 188, "commit_id": "d5acd52e2a15c36a8e06f9103d35622933aa422d", "message": "correctly reset path for rules without specific command\n\nThis is a fixup for commit 01c658f8c45cb92a343be5f32aa6da70b2032168\nwhere the behaviour was changed to not inherit the PATH variable\nby default.", "target": 1, "dataset": "other", "idx": 196601 }, { "func": " void Compute(OpKernelContext *ctx) override {\n const Tensor *indices_t, *values_t, *shape_t, *dense_t;\n OP_REQUIRES_OK(ctx, ctx->input(\"sp_indices\", &indices_t));\n 
OP_REQUIRES_OK(ctx, ctx->input(\"sp_values\", &values_t));\n OP_REQUIRES_OK(ctx, ctx->input(\"sp_shape\", &shape_t));\n OP_REQUIRES_OK(ctx, ctx->input(\"dense\", &dense_t));\n\n // Validations.\n OP_REQUIRES(ctx, TensorShapeUtils::IsMatrix(indices_t->shape()),\n errors::InvalidArgument(\n \"Input sp_indices should be a matrix but received shape: \",\n indices_t->shape().DebugString()));\n OP_REQUIRES(ctx,\n TensorShapeUtils::IsVector(values_t->shape()) &&\n TensorShapeUtils::IsVector(shape_t->shape()),\n errors::InvalidArgument(\n \"Inputs sp_values and sp_shape should be vectors \"\n \"but received shapes: \",\n values_t->shape().DebugString(), \" and \",\n shape_t->shape().DebugString()));\n\n const auto indices_mat = indices_t->matrix();\n const auto shape_vec = shape_t->vec();\n const auto lhs_dims = BCast::FromShape(TensorShape(shape_vec));\n const auto rhs_dims = BCast::FromShape(dense_t->shape());\n BCast b(lhs_dims, rhs_dims, false); // false for keeping the same num dims.\n\n // True iff (size(lhs) >= size(rhs)) and all dims in lhs is greater or equal\n // to dims in rhs (from right to left).\n auto VecGreaterEq = [](ArraySlice lhs, ArraySlice rhs) {\n if (lhs.size() < rhs.size()) return false;\n for (size_t i = 0; i < rhs.size(); ++i) {\n if (lhs[lhs.size() - 1 - i] < rhs[rhs.size() - 1 - i]) return false;\n }\n return true;\n };\n OP_REQUIRES(ctx, VecGreaterEq(lhs_dims, rhs_dims) && b.IsValid(),\n errors::InvalidArgument(\n \"SparseDenseBinaryOpShared broadcasts dense to sparse \"\n \"only; got incompatible shapes: [\",\n absl::StrJoin(lhs_dims, \",\"), \"] vs. 
[\",\n absl::StrJoin(rhs_dims, \",\"), \"]\"));\n\n Tensor *output_values = nullptr;\n Tensor dense_gathered;\n const int64 nnz = indices_t->dim_size(0);\n OP_REQUIRES_OK(ctx,\n ctx->allocate_output(0, TensorShape({nnz}), &output_values));\n OP_REQUIRES_OK(\n ctx, ctx->allocate_temp(DataTypeToEnum::value, TensorShape({nnz}),\n &dense_gathered));\n\n // Pulls relevant entries from the dense side, with reshape and broadcasting\n // *of the dense side* taken into account. Use a TensorRef to avoid blowing\n // up memory.\n //\n // We can directly use the sparse indices to look up dense side, because\n // \"b.y_reshape()\" and \"b.y_bcast()\" are guaranteed to have rank \"ndims\".\n auto dense_gathered_flat = dense_gathered.flat();\n const int ndims = lhs_dims.size();\n switch (ndims) {\n#define CASE(NDIM) \\\n case NDIM: { \\\n TensorRef> rhs_ref = \\\n dense_t->shaped(b.y_reshape()) \\\n .broadcast(BCast::ToIndexArray(b.y_bcast())); \\\n Eigen::array idx; \\\n bool indices_valid = true; \\\n for (int i = 0; i < nnz; ++i) { \\\n for (int d = 0; d < NDIM; ++d) { \\\n idx[d] = internal::SubtleMustCopy(indices_mat(i, d)); \\\n if (!FastBoundsCheck(idx[d], rhs_ref.dimension(d))) { \\\n indices_valid = false; \\\n } \\\n } \\\n OP_REQUIRES( \\\n ctx, indices_valid, \\\n errors::InvalidArgument(\"Provided indices are out-of-bounds w.r.t. \" \\\n \"dense side with broadcasted shape\")); \\\n dense_gathered_flat(i) = rhs_ref.coeff(idx); \\\n } \\\n break; \\\n }\n\n CASE(1);\n CASE(2);\n CASE(3);\n CASE(4);\n CASE(5);\n default:\n OP_REQUIRES(\n ctx, false,\n errors::InvalidArgument(\"Only tensors with ranks between 1 and 5 \"\n \"are currently supported. 
Tensor rank: \",\n ndims));\n#undef CASE\n }\n\n output_values->flat().device(ctx->eigen_device()) =\n values_t->flat().binaryExpr(dense_gathered_flat,\n typename Functor::func());\n }", "project": "tensorflow", "hash": 76233224947528884002584063556146989556, "size": 102, "commit_id": "7ae2af34087fb4b5c8915279efd03da3b81028bc", "message": "Fix heap-buffer-overflow issue with `tf.raw_ops.SparseDenseCwiseMul`.\n\nPiperOrigin-RevId: 372054410\nChange-Id: Ifcce0491e2e3816838c87e73be30a1e61b65174d", "target": 1, "dataset": "other", "idx": 197756 }, { "func": "nosy_ioctl(struct file *file, unsigned int cmd, unsigned long arg)\n{\n\tstruct client *client = file->private_data;\n\tspinlock_t *client_list_lock = &client->lynx->client_list_lock;\n\tstruct nosy_stats stats;\n\n\tswitch (cmd) {\n\tcase NOSY_IOC_GET_STATS:\n\t\tspin_lock_irq(client_list_lock);\n\t\tstats.total_packet_count = client->buffer.total_packet_count;\n\t\tstats.lost_packet_count = client->buffer.lost_packet_count;\n\t\tspin_unlock_irq(client_list_lock);\n\n\t\tif (copy_to_user((void __user *) arg, &stats, sizeof stats))\n\t\t\treturn -EFAULT;\n\t\telse\n\t\t\treturn 0;\n\n\tcase NOSY_IOC_START:\n\t\tspin_lock_irq(client_list_lock);\n\t\tlist_add_tail(&client->link, &client->lynx->client_list);\n\t\tspin_unlock_irq(client_list_lock);\n\n\t\treturn 0;\n\n\tcase NOSY_IOC_STOP:\n\t\tspin_lock_irq(client_list_lock);\n\t\tlist_del_init(&client->link);\n\t\tspin_unlock_irq(client_list_lock);\n\n\t\treturn 0;\n\n\tcase NOSY_IOC_FILTER:\n\t\tspin_lock_irq(client_list_lock);\n\t\tclient->tcode_mask = arg;\n\t\tspin_unlock_irq(client_list_lock);\n\n\t\treturn 0;\n\n\tdefault:\n\t\treturn -EINVAL;\n\t\t/* Flush buffer, configure filter. 
*/\n\t}\n}", "project": "linux", "hash": 195769529492278534124032952899358865154, "size": 44, "commit_id": "829933ef05a951c8ff140e814656d73e74915faf", "message": "firewire: nosy: Fix a use-after-free bug in nosy_ioctl()\n\nFor each device, the nosy driver allocates a pcilynx structure.\nA use-after-free might happen in the following scenario:\n\n 1. Open nosy device for the first time and call ioctl with command\n NOSY_IOC_START, then a new client A will be malloced and added to\n doubly linked list.\n 2. Open nosy device for the second time and call ioctl with command\n NOSY_IOC_START, then a new client B will be malloced and added to\n doubly linked list.\n 3. Call ioctl with command NOSY_IOC_START for client A, then client A\n will be readded to the doubly linked list. Now the doubly linked\n list is messed up.\n 4. Close the first nosy device and nosy_release will be called. In\n nosy_release, client A will be unlinked and freed.\n 5. Close the second nosy device, and client A will be referenced,\n resulting in UAF.\n\nThe root cause of this bug is that the element in the doubly linked list\nis reentered into the list.\n\nFix this bug by adding a check before inserting a client. 
If a client\nis already in the linked list, don't insert it.\n\nThe following KASAN report reveals it:\n\n BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210\n Write of size 8 at addr ffff888102ad7360 by task poc\n CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n Call Trace:\n nosy_release+0x1ea/0x210\n __fput+0x1e2/0x840\n task_work_run+0xe8/0x180\n exit_to_user_mode_prepare+0x114/0x120\n syscall_exit_to_user_mode+0x1d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Allocated by task 337:\n nosy_open+0x154/0x4d0\n misc_open+0x2ec/0x410\n chrdev_open+0x20d/0x5a0\n do_dentry_open+0x40f/0xe80\n path_openat+0x1cf9/0x37b0\n do_filp_open+0x16d/0x390\n do_sys_openat2+0x11d/0x360\n __x64_sys_open+0xfd/0x1a0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Freed by task 337:\n kfree+0x8f/0x210\n nosy_release+0x158/0x210\n __fput+0x1e2/0x840\n task_work_run+0xe8/0x180\n exit_to_user_mode_prepare+0x114/0x120\n syscall_exit_to_user_mode+0x1d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128\n The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380)\n\n[ Modified to use 'list_empty()' inside proper lock - Linus ]\n\nLink: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/\nReported-and-tested-by: 马哲宇 (Zheyu Ma) \nSigned-off-by: Zheyu Ma \nCc: Greg Kroah-Hartman \nCc: Stefan Richter \nSigned-off-by: Linus Torvalds ", "target": 1, "dataset": "other", "idx": 198639 }, { "func": "exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)\n{\n\tunsigned int i, j, k;\n\tExifShort v_short, v_short2, v_short3, v_short4;\n\tExifByte v_byte;\n\tExifRational v_rat;\n\tExifSRational v_srat;\n\tchar b[64];\n\tconst char *c;\n\tExifByteOrder 
o;\n\tdouble d;\n\tExifEntry *entry;\n\tstatic const struct {\n\t\tchar label[5];\n\t\tchar major, minor;\n\t} versions[] = {\n\t\t{\"0110\", 1, 1},\n\t\t{\"0120\", 1, 2},\n\t\t{\"0200\", 2, 0},\n\t\t{\"0210\", 2, 1},\n\t\t{\"0220\", 2, 2},\n\t\t{\"0221\", 2, 21},\n\t\t{\"0230\", 2, 3},\n\t\t{\"\" , 0, 0}\n\t};\n\n\t(void) bindtextdomain (GETTEXT_PACKAGE, LOCALEDIR);\n\n\tif (!e || !e->parent || !e->parent->parent || !maxlen || !val)\n\t\treturn val;\n\n\t/* make sure the returned string is zero terminated */\n\t/* FIXME: this is inefficient in the case of long buffers and should\n\t * instead be taken care of on each write instead. */\n\tmemset (val, 0, maxlen);\n\n\t/* We need the byte order */\n\to = exif_data_get_byte_order (e->parent->parent);\n\n\t/* Sanity check */\n\tif (e->size != e->components * exif_format_get_size (e->format)) {\n\t\tsnprintf (val, maxlen, _(\"Invalid size of entry (%i, \"\n\t\t\t\"expected %li x %i).\"), e->size, e->components,\n\t\t\t\texif_format_get_size (e->format));\n\t\treturn val;\n\t}\n\n\tswitch (e->tag) {\n\tcase EXIF_TAG_USER_COMMENT:\n\n\t\t/*\n\t\t * The specification says UNDEFINED, but some\n\t\t * manufacturers don't care and use ASCII. 
If this is the\n\t\t * case here, only refuse to read it if there is no chance\n\t\t * of finding readable data.\n\t\t */\n\t\tif ((e->format != EXIF_FORMAT_ASCII) || \n\t\t (e->size <= 8) ||\n\t\t ( memcmp (e->data, \"ASCII\\0\\0\\0\" , 8) &&\n\t\t memcmp (e->data, \"UNICODE\\0\" , 8) &&\n\t\t memcmp (e->data, \"JIS\\0\\0\\0\\0\\0\", 8) &&\n\t\t memcmp (e->data, \"\\0\\0\\0\\0\\0\\0\\0\\0\", 8)))\n\t\t\tCF (e, EXIF_FORMAT_UNDEFINED, val, maxlen);\n\n\t\t/*\n\t\t * Note that, according to the specification (V2.1, p 40),\n\t\t * the user comment field does not have to be \n\t\t * NULL terminated.\n\t\t */\n\t\tif ((e->size >= 8) && !memcmp (e->data, \"ASCII\\0\\0\\0\", 8)) {\n\t\t\tstrncpy (val, (char *) e->data + 8, MIN (e->size - 8, maxlen-1));\n\t\t\tbreak;\n\t\t}\n\t\tif ((e->size >= 8) && !memcmp (e->data, \"UNICODE\\0\", 8)) {\n\t\t\tstrncpy (val, _(\"Unsupported UNICODE string\"), maxlen-1);\n\t\t/* FIXME: use iconv to convert into the locale encoding.\n\t\t * EXIF 2.2 implies (but does not say) that this encoding is\n\t\t * UCS-2.\n\t\t */\n\t\t\tbreak;\n\t\t}\n\t\tif ((e->size >= 8) && !memcmp (e->data, \"JIS\\0\\0\\0\\0\\0\", 8)) {\n\t\t\tstrncpy (val, _(\"Unsupported JIS string\"), maxlen-1);\n\t\t/* FIXME: use iconv to convert into the locale encoding */\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Check if there is really some information in the tag. 
*/\n\t\tfor (i = 0; (i < e->size) &&\n\t\t\t (!e->data[i] || (e->data[i] == ' ')); i++);\n\t\tif (i == e->size) break;\n\n\t\t/*\n\t\t * If we reach this point, the tag does not\n \t\t * comply with the standard but seems to contain data.\n\t\t * Print as much as possible.\n\t\t * Note: make sure we do not overwrite the final \\0 at maxlen-1\n\t\t */\n\t\texif_entry_log (e, EXIF_LOG_CODE_DEBUG,\n\t\t\t_(\"Tag UserComment contains data but is \"\n\t\t\t \"against specification.\"));\n \t\tfor (j = 0; (i < e->size) && (j < maxlen-1); i++, j++) {\n\t\t\texif_entry_log (e, EXIF_LOG_CODE_DEBUG,\n\t\t\t\t_(\"Byte at position %i: 0x%02x\"), i, e->data[i]);\n \t\t\tval[j] = isprint (e->data[i]) ? e->data[i] : '.';\n\t\t}\n\t\tbreak;\n\n\tcase EXIF_TAG_EXIF_VERSION:\n\t\tCF (e, EXIF_FORMAT_UNDEFINED, val, maxlen);\n\t\tCC (e, 4, val, maxlen);\n\t\tstrncpy (val, _(\"Unknown Exif Version\"), maxlen-1);\n\t\tfor (i = 0; *versions[i].label; i++) {\n\t\t\tif (!memcmp (e->data, versions[i].label, 4)) {\n \t\t\t\tsnprintf (val, maxlen,\n\t\t\t\t\t_(\"Exif Version %d.%d\"),\n\t\t\t\t\tversions[i].major,\n\t\t\t\t\tversions[i].minor);\n \t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\tcase EXIF_TAG_FLASH_PIX_VERSION:\n\t\tCF (e, EXIF_FORMAT_UNDEFINED, val, maxlen);\n\t\tCC (e, 4, val, maxlen);\n\t\tif (!memcmp (e->data, \"0100\", 4))\n\t\t\tstrncpy (val, _(\"FlashPix Version 1.0\"), maxlen-1);\n\t\telse if (!memcmp (e->data, \"0101\", 4))\n\t\t\tstrncpy (val, _(\"FlashPix Version 1.01\"), maxlen-1);\n\t\telse\n\t\t\tstrncpy (val, _(\"Unknown FlashPix Version\"), maxlen-1);\n\t\tbreak;\n\tcase EXIF_TAG_COPYRIGHT:\n\t\tCF (e, EXIF_FORMAT_ASCII, val, maxlen);\n\n\t\t/*\n\t\t * First part: Photographer.\n\t\t * Some cameras store a string like \" \" here. 
Ignore it.\n\t\t * Remember that a corrupted tag might not be NUL-terminated\n\t\t */\n\t\tif (e->size && e->data && match_repeated_char(e->data, ' ', e->size))\n\t\t\tstrncpy (val, (char *) e->data, MIN (maxlen-1, e->size));\n\t\telse\n\t\t\tstrncpy (val, _(\"[None]\"), maxlen-1);\n\t\tstrncat (val, \" \", maxlen-1 - strlen (val));\n\t\tstrncat (val, _(\"(Photographer)\"), maxlen-1 - strlen (val));\n\n\t\t/* Second part: Editor. */\n\t\tstrncat (val, \" - \", maxlen-1 - strlen (val));\n\t\tk = 0;\n\t\tif (e->size && e->data) {\n\t\t\tconst unsigned char *tagdata = memchr(e->data, 0, e->size);\n\t\t\tif (tagdata++) {\n\t\t\t\tunsigned int editor_ofs = tagdata - e->data;\n\t\t\t\tunsigned int remaining = e->size - editor_ofs;\n\t\t\t\tif (match_repeated_char(tagdata, ' ', remaining)) {\n\t\t\t\t\tstrncat (val, (const char*)tagdata, MIN (maxlen-1 - strlen (val), remaining));\n\t\t\t\t\t++k;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (!k)\n\t\t\tstrncat (val, _(\"[None]\"), maxlen-1 - strlen (val));\n\t\tstrncat (val, \" \", maxlen-1 - strlen (val));\n\t\tstrncat (val, _(\"(Editor)\"), maxlen-1 - strlen (val));\n\n\t\tbreak;\n\tcase EXIF_TAG_FNUMBER:\n\t\tCF (e, EXIF_FORMAT_RATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_rat = exif_get_rational (e->data, o);\n\t\tif (!v_rat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_rat.numerator / (double) v_rat.denominator;\n\t\tsnprintf (val, maxlen, \"f/%.01f\", d);\n\t\tbreak;\n\tcase EXIF_TAG_APERTURE_VALUE:\n\tcase EXIF_TAG_MAX_APERTURE_VALUE:\n\t\tCF (e, EXIF_FORMAT_RATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_rat = exif_get_rational (e->data, o);\n\t\tif (!v_rat.denominator || (0x80000000 == v_rat.numerator)) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_rat.numerator / (double) v_rat.denominator;\n\t\tsnprintf (val, maxlen, _(\"%.02f EV\"), d);\n\t\tsnprintf (b, sizeof (b), _(\" (f/%.01f)\"), pow (2, d 
/ 2.));\n\t\tstrncat (val, b, maxlen-1 - strlen (val));\n\t\tbreak;\n\tcase EXIF_TAG_FOCAL_LENGTH:\n\t\tCF (e, EXIF_FORMAT_RATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_rat = exif_get_rational (e->data, o);\n\t\tif (!v_rat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\n\t\t/*\n\t\t * For calculation of the 35mm equivalent,\n\t\t * Minolta cameras need a multiplier that depends on the\n\t\t * camera model.\n\t\t */\n\t\td = 0.;\n\t\tentry = exif_content_get_entry (\n\t\t\te->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);\n\t\tif (entry && entry->data && entry->size >= 7 &&\n\t\t !strncmp ((char *)entry->data, \"Minolta\", 7)) {\n\t\t\tentry = exif_content_get_entry (\n\t\t\t\t\te->parent->parent->ifd[EXIF_IFD_0],\n\t\t\t\t\tEXIF_TAG_MODEL);\n\t\t\tif (entry && entry->data && entry->size >= 8) {\n\t\t\t\tif (!strncmp ((char *)entry->data, \"DiMAGE 7\", 8))\n\t\t\t\t\td = 3.9;\n\t\t\t\telse if (!strncmp ((char *)entry->data, \"DiMAGE 5\", 8))\n\t\t\t\t\td = 4.9;\n\t\t\t}\n\t\t}\n\t\tif (d)\n\t\t\tsnprintf (b, sizeof (b), _(\" (35 equivalent: %.0f mm)\"),\n\t\t\t\t (d * (double) v_rat.numerator /\n\t\t\t\t (double) v_rat.denominator));\n\t\telse\n\t\t\tb[0] = 0;\n\n\t\td = (double) v_rat.numerator / (double) v_rat.denominator;\n\t\tsnprintf (val, maxlen, \"%.1f mm\", d);\n\t\tstrncat (val, b, maxlen-1 - strlen (val));\n\t\tbreak;\n\tcase EXIF_TAG_SUBJECT_DISTANCE:\n\t\tCF (e, EXIF_FORMAT_RATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_rat = exif_get_rational (e->data, o);\n\t\tif (!v_rat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_rat.numerator / (double) v_rat.denominator;\n\t\tsnprintf (val, maxlen, \"%.1f m\", d);\n\t\tbreak;\n\tcase EXIF_TAG_EXPOSURE_TIME:\n\t\tCF (e, EXIF_FORMAT_RATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_rat = exif_get_rational (e->data, o);\n\t\tif (!v_rat.denominator) {\n\t\t\texif_entry_format_value(e, 
val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_rat.numerator / (double) v_rat.denominator;\n\t\tif (d < 1 && d)\n\t\t\tsnprintf (val, maxlen, _(\"1/%.0f\"), 1. / d);\n\t\telse\n\t\t\tsnprintf (val, maxlen, \"%.0f\", d);\n\t\tstrncat (val, _(\" sec.\"), maxlen-1 - strlen (val));\n\t\tbreak;\n\tcase EXIF_TAG_SHUTTER_SPEED_VALUE:\n\t\tCF (e, EXIF_FORMAT_SRATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_srat = exif_get_srational (e->data, o);\n\t\tif (!v_srat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_srat.numerator / (double) v_srat.denominator;\n\t\tsnprintf (val, maxlen, _(\"%.02f EV\"), d);\n\t\tif (pow (2, d))\n\t\t\td = 1. / pow (2, d);\n\t\tif (d < 1 && d)\n\t\t snprintf (b, sizeof (b), _(\" (1/%.0f sec.)\"), 1. / d);\n\t\telse\n\t\t snprintf (b, sizeof (b), _(\" (%.0f sec.)\"), d);\n\t\tstrncat (val, b, maxlen-1 - strlen (val));\n\t\tbreak;\n\tcase EXIF_TAG_BRIGHTNESS_VALUE:\n\t\tCF (e, EXIF_FORMAT_SRATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_srat = exif_get_srational (e->data, o);\n\t\tif (!v_srat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_srat.numerator / (double) v_srat.denominator;\n\t\tsnprintf (val, maxlen, _(\"%.02f EV\"), d);\n\t\tsnprintf (b, sizeof (b), _(\" (%.02f cd/m^2)\"),\n\t\t\t1. 
/ (M_PI * 0.3048 * 0.3048) * pow (2, d));\n\t\tstrncat (val, b, maxlen-1 - strlen (val));\n\t\tbreak;\n\tcase EXIF_TAG_FILE_SOURCE:\n\t\tCF (e, EXIF_FORMAT_UNDEFINED, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_byte = e->data[0];\n\t\tif (v_byte == 3)\n\t\t\tstrncpy (val, _(\"DSC\"), maxlen-1);\n\t\telse\n\t\t\tsnprintf (val, maxlen, _(\"Internal error (unknown \"\n\t\t\t\t \"value %i)\"), v_byte);\n\t\tbreak;\n\tcase EXIF_TAG_COMPONENTS_CONFIGURATION:\n\t\tCF (e, EXIF_FORMAT_UNDEFINED, val, maxlen);\n\t\tCC (e, 4, val, maxlen);\n\t\tfor (i = 0; i < 4; i++) {\n\t\t\tswitch (e->data[i]) {\n\t\t\tcase 0: c = _(\"-\"); break;\n\t\t\tcase 1: c = _(\"Y\"); break;\n\t\t\tcase 2: c = _(\"Cb\"); break;\n\t\t\tcase 3: c = _(\"Cr\"); break;\n\t\t\tcase 4: c = _(\"R\"); break;\n\t\t\tcase 5: c = _(\"G\"); break;\n\t\t\tcase 6: c = _(\"B\"); break;\n\t\t\tdefault: c = _(\"Reserved\"); break;\n\t\t\t}\n\t\t\tstrncat (val, c, maxlen-1 - strlen (val));\n\t\t\tif (i < 3)\n\t\t\t\tstrncat (val, \" \", maxlen-1 - strlen (val));\n\t\t}\n\t\tbreak;\n\tcase EXIF_TAG_EXPOSURE_BIAS_VALUE:\n\t\tCF (e, EXIF_FORMAT_SRATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_srat = exif_get_srational (e->data, o);\n\t\tif (!v_srat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_srat.numerator / (double) v_srat.denominator;\n\t\tsnprintf (val, maxlen, _(\"%.02f EV\"), d);\n\t\tbreak;\n\tcase EXIF_TAG_SCENE_TYPE:\n\t\tCF (e, EXIF_FORMAT_UNDEFINED, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_byte = e->data[0];\n\t\tif (v_byte == 1)\n\t\t\tstrncpy (val, _(\"Directly photographed\"), maxlen-1);\n\t\telse\n\t\t\tsnprintf (val, maxlen, _(\"Internal error (unknown \"\n\t\t\t\t \"value %i)\"), v_byte);\n\t\tbreak;\n\tcase EXIF_TAG_YCBCR_SUB_SAMPLING:\n\t\tCF (e, EXIF_FORMAT_SHORT, val, maxlen);\n\t\tCC (e, 2, val, maxlen);\n\t\tv_short = exif_get_short (e->data, o);\n\t\tv_short2 = exif_get_short (\n\t\t\te->data + 
exif_format_get_size (e->format),\n\t\t\to);\n\t\tif ((v_short == 2) && (v_short2 == 1))\n\t\t\tstrncpy (val, _(\"YCbCr4:2:2\"), maxlen-1);\n\t\telse if ((v_short == 2) && (v_short2 == 2))\n\t\t\tstrncpy (val, _(\"YCbCr4:2:0\"), maxlen-1);\n\t\telse\n\t\t\tsnprintf (val, maxlen, \"%u, %u\", v_short, v_short2);\n\t\tbreak;\n\tcase EXIF_TAG_SUBJECT_AREA:\n\t\tCF (e, EXIF_FORMAT_SHORT, val, maxlen);\n\t\tswitch (e->components) {\n\t\tcase 2:\n\t\t\tv_short = exif_get_short (e->data, o);\n\t\t\tv_short2 = exif_get_short (e->data + 2, o);\n\t\t\tsnprintf (val, maxlen, \"(x,y) = (%i,%i)\",\n\t\t\t\t v_short, v_short2);\n\t\t\tbreak;\n\t\tcase 3:\n\t\t\tv_short = exif_get_short (e->data, o);\n\t\t\tv_short2 = exif_get_short (e->data + 2, o);\n\t\t\tv_short3 = exif_get_short (e->data + 4, o);\n\t\t\tsnprintf (val, maxlen, _(\"Within distance %i of \"\n\t\t\t\t\"(x,y) = (%i,%i)\"), v_short3, v_short,\n\t\t\t\tv_short2);\n\t\t\tbreak;\n\t\tcase 4:\n\t\t\tv_short = exif_get_short (e->data, o);\n\t\t\tv_short2 = exif_get_short (e->data + 2, o);\n\t\t\tv_short3 = exif_get_short (e->data + 4, o);\n\t\t\tv_short4 = exif_get_short (e->data + 6, o);\n\t\t\tsnprintf (val, maxlen, _(\"Within rectangle \"\n\t\t\t\t\"(width %i, height %i) around \"\n\t\t\t\t\"(x,y) = (%i,%i)\"), v_short3, v_short4,\n\t\t\t\tv_short, v_short2);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tsnprintf (val, maxlen, _(\"Unexpected number \"\n\t\t\t\t\"of components (%li, expected 2, 3, or 4).\"),\n\t\t\t\te->components);\t\n\t\t}\n\t\tbreak;\n\tcase EXIF_TAG_GPS_VERSION_ID:\n\t\t/* This is only valid in the GPS IFD */\n\t\tCF (e, EXIF_FORMAT_BYTE, val, maxlen);\n\t\tCC (e, 4, val, maxlen);\n\t\tv_byte = e->data[0];\n\t\tsnprintf (val, maxlen, \"%u\", v_byte);\n\t\tfor (i = 1; i < e->components; i++) {\n\t\t\tv_byte = e->data[i];\n\t\t\tsnprintf (b, sizeof (b), \".%u\", v_byte);\n\t\t\tstrncat (val, b, maxlen-1 - strlen (val));\n\t\t}\n\t\tbreak;\n\tcase EXIF_TAG_INTEROPERABILITY_VERSION:\n\t/* a.k.a. 
case EXIF_TAG_GPS_LATITUDE: */\n\t\t/* This tag occurs in EXIF_IFD_INTEROPERABILITY */\n\t\tif (e->format == EXIF_FORMAT_UNDEFINED) {\n\t\t\tstrncpy (val, (char *) e->data, MIN (maxlen-1, e->size));\n\t\t\tbreak;\n\t\t}\n\t\t/* EXIF_TAG_GPS_LATITUDE is the same numerically as\n\t\t * EXIF_TAG_INTEROPERABILITY_VERSION but in EXIF_IFD_GPS\n\t\t */\n\t\texif_entry_format_value(e, val, maxlen);\n\t\tbreak;\n\tcase EXIF_TAG_GPS_ALTITUDE_REF:\n\t\t/* This is only valid in the GPS IFD */\n\t\tCF (e, EXIF_FORMAT_BYTE, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_byte = e->data[0];\n\t\tif (v_byte == 0)\n\t\t\tstrncpy (val, _(\"Sea level\"), maxlen-1);\n\t\telse if (v_byte == 1)\n\t\t\tstrncpy (val, _(\"Sea level reference\"), maxlen-1);\n\t\telse\n\t\t\tsnprintf (val, maxlen, _(\"Internal error (unknown \"\n\t\t\t\t \"value %i)\"), v_byte);\n\t\tbreak;\n\tcase EXIF_TAG_GPS_TIME_STAMP:\n\t\t/* This is only valid in the GPS IFD */\n\t\tCF (e, EXIF_FORMAT_RATIONAL, val, maxlen);\n\t\tCC (e, 3, val, maxlen);\n\n\t\tv_rat = exif_get_rational (e->data, o);\n\t\tif (!v_rat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\ti = v_rat.numerator / v_rat.denominator;\n\n\t\tv_rat = exif_get_rational (e->data +\n\t\t\t\t\t exif_format_get_size (e->format),\n\t\t\t\t\t o);\n\t\tif (!v_rat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\tj = v_rat.numerator / v_rat.denominator;\n\n\t\tv_rat = exif_get_rational (e->data +\n\t\t\t\t\t 2*exif_format_get_size (e->format),\n\t\t\t\t\t o);\n\t\tif (!v_rat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_rat.numerator / (double) v_rat.denominator;\n\t\tsnprintf (val, maxlen, \"%02u:%02u:%05.2f\", i, j, d);\n\t\tbreak;\n\n\tcase EXIF_TAG_METERING_MODE:\n\tcase EXIF_TAG_COMPRESSION:\n\tcase EXIF_TAG_LIGHT_SOURCE:\n\tcase EXIF_TAG_FOCAL_PLANE_RESOLUTION_UNIT:\n\tcase EXIF_TAG_RESOLUTION_UNIT:\n\tcase 
EXIF_TAG_EXPOSURE_PROGRAM:\n\tcase EXIF_TAG_FLASH:\n\tcase EXIF_TAG_SUBJECT_DISTANCE_RANGE:\n\tcase EXIF_TAG_COLOR_SPACE:\n\t\tCF (e,EXIF_FORMAT_SHORT, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_short = exif_get_short (e->data, o);\n\n\t\t/* Search the tag */\n\t\tfor (i = 0; list2[i].tag && (list2[i].tag != e->tag); i++);\n\t\tif (!list2[i].tag) {\n\t\t\tsnprintf (val, maxlen, _(\"Internal error (unknown \"\n\t\t\t\t \"value %i)\"), v_short);\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Find the value */\n\t\tfor (j = 0; list2[i].elem[j].values[0] &&\n\t\t\t (list2[i].elem[j].index < v_short); j++);\n\t\tif (list2[i].elem[j].index != v_short) {\n\t\t\tsnprintf (val, maxlen, _(\"Internal error (unknown \"\n\t\t\t\t \"value %i)\"), v_short);\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Find a short enough value */\n\t\tmemset (val, 0, maxlen);\n\t\tfor (k = 0; list2[i].elem[j].values[k]; k++) {\n\t\t\tsize_t l = strlen (_(list2[i].elem[j].values[k]));\n\t\t\tif ((maxlen > l) && (strlen (val) < l))\n\t\t\t\tstrncpy (val, _(list2[i].elem[j].values[k]), maxlen-1);\n\t\t}\n\t\tif (!val[0]) snprintf (val, maxlen, \"%i\", v_short);\n\n\t\tbreak;\n\n\tcase EXIF_TAG_PLANAR_CONFIGURATION:\n\tcase EXIF_TAG_SENSING_METHOD:\n\tcase EXIF_TAG_ORIENTATION:\n\tcase EXIF_TAG_YCBCR_POSITIONING:\n\tcase EXIF_TAG_PHOTOMETRIC_INTERPRETATION:\n\tcase EXIF_TAG_CUSTOM_RENDERED:\n\tcase EXIF_TAG_EXPOSURE_MODE:\n\tcase EXIF_TAG_WHITE_BALANCE:\n\tcase EXIF_TAG_SCENE_CAPTURE_TYPE:\n\tcase EXIF_TAG_GAIN_CONTROL:\n\tcase EXIF_TAG_SATURATION:\n\tcase EXIF_TAG_CONTRAST:\n\tcase EXIF_TAG_SHARPNESS:\n\t\tCF (e, EXIF_FORMAT_SHORT, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_short = exif_get_short (e->data, o);\n\n\t\t/* Search the tag */\n\t\tfor (i = 0; list[i].tag && (list[i].tag != e->tag); i++);\n\t\tif (!list[i].tag) {\n\t\t\tsnprintf (val, maxlen, _(\"Internal error (unknown \"\n\t\t\t\t \"value %i)\"), v_short);\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Find the value */\n\t\tfor (j = 0; list[i].strings[j] && (j < 
v_short); j++);\n\t\tif (!list[i].strings[j])\n\t\t\tsnprintf (val, maxlen, \"%i\", v_short);\n\t\telse if (!*list[i].strings[j])\n\t\t\tsnprintf (val, maxlen, _(\"Unknown value %i\"), v_short);\n\t\telse\n\t\t\tstrncpy (val, _(list[i].strings[j]), maxlen-1);\n\t\tbreak;\n\n\tcase EXIF_TAG_XP_TITLE:\n\tcase EXIF_TAG_XP_COMMENT:\n\tcase EXIF_TAG_XP_AUTHOR:\n\tcase EXIF_TAG_XP_KEYWORDS:\n\tcase EXIF_TAG_XP_SUBJECT:\n\t{\n\t\tunsigned char *utf16;\n\n\t\t/* Sanity check the size to prevent overflow */\n\t\tif (e->size+sizeof(uint16_t)+1 < e->size) break;\n\n\t\t/* The tag may not be U+0000-terminated , so make a local\n\t\t U+0000-terminated copy before converting it */\n\t\tutf16 = exif_mem_alloc (e->priv->mem, e->size+sizeof(uint16_t)+1);\n\t\tif (!utf16) break;\n\t\tmemcpy(utf16, e->data, e->size);\n\n\t\t/* NUL terminate the string. If the size is odd (which isn't possible\n\t\t * for a valid UTF16 string), then this will overwrite the high byte of\n\t\t * the final half word, plus add a full zero NUL word at the end.\n\t\t */\n\t\tutf16[e->size] = 0;\n\t\tutf16[e->size+1] = 0;\n\t\tutf16[e->size+2] = 0;\n\n\t\t/* Warning! 
The texts are converted from UTF16 to UTF8 */\n\t\t/* FIXME: use iconv to convert into the locale encoding */\n\t\texif_convert_utf16_to_utf8(val, utf16, maxlen);\n\t\texif_mem_free(e->priv->mem, utf16);\n\t\tbreak;\n\t}\n\n\tdefault:\n\t\t/* Use a generic value formatting */\n\t\texif_entry_format_value(e, val, maxlen);\n\t}\n\n\treturn val;\n}", "project": "libexif", "hash": 41736839540103750314907754428693931445, "size": 571, "commit_id": "9266d14b5ca4e29b970fa03272318e5f99386e06", "message": "fixed a incorrect overflow check that could be optimized away.\n\ninspired by:\nhttps://android.googlesource.com/platform/external/libexif/+/8e7345f3bc0bad06ac369d6cbc1124c8ceaf7d4b\n\nhttps://source.android.com/security/bulletin/2020-11-01\n\nCVE-2020-0452", "target": 1, "dataset": "other", "idx": 206645 }, { "func": "ipmi_get_session_info(struct ipmi_intf * intf,\n\t\t\t\t\t Ipmi_Session_Request_Type session_request_type,\n\t\t\t\t\t uint32_t id_or_handle)\n{\n\tint i, retval = 0;\n\n\tstruct ipmi_rs * rsp;\n\tstruct ipmi_rq req;\n\tuint8_t rqdata[5]; // max length of the variable length request\n\tstruct get_session_info_rsp session_info;\n\n\tmemset(&req, 0, sizeof(req));\n\tmemset(&session_info, 0, sizeof(session_info));\n\treq.msg.netfn = IPMI_NETFN_APP; // 0x06\n\treq.msg.cmd = IPMI_GET_SESSION_INFO; // 0x3D\n\treq.msg.data = rqdata;\n\n\tswitch (session_request_type)\n\t{\n\t\t\n\tcase IPMI_SESSION_REQUEST_CURRENT:\n\tcase IPMI_SESSION_REQUEST_BY_ID:\t\n\tcase IPMI_SESSION_REQUEST_BY_HANDLE:\n\t\tswitch (session_request_type)\n\t\t{\n\t\tcase IPMI_SESSION_REQUEST_CURRENT:\n\t\t\trqdata[0] = 0x00;\n\t\t\treq.msg.data_len = 1;\n\t\t\tbreak;\n\t\tcase IPMI_SESSION_REQUEST_BY_ID:\t\n\t\t\trqdata[0] = 0xFF;\n\t\t\trqdata[1] = id_or_handle & 0x000000FF;\n\t\t\trqdata[2] = (id_or_handle >> 8) & 0x000000FF;\n\t\t\trqdata[3] = (id_or_handle >> 16) & 0x000000FF;\n\t\t\trqdata[4] = (id_or_handle >> 24) & 0x000000FF;\n\t\t\treq.msg.data_len = 5;\n\t\t\tbreak;\n\t\tcase 
IPMI_SESSION_REQUEST_BY_HANDLE:\n\t\t\trqdata[0] = 0xFE;\n\t\t\trqdata[1] = (uint8_t)id_or_handle;\n\t\t\treq.msg.data_len = 2;\n\t\t\tbreak;\n\t\tcase IPMI_SESSION_REQUEST_ALL:\n\t\t\tbreak;\n\t\t}\n\n\t\trsp = intf->sendrecv(intf, &req);\n\t\tif (!rsp)\n\t\t{\n\t\t\tlprintf(LOG_ERR, \"Get Session Info command failed\");\n\t\t\tretval = -1;\n\t\t}\n\t\telse if (rsp->ccode)\n\t\t{\n\t\t\tlprintf(LOG_ERR, \"Get Session Info command failed: %s\",\n\t\t\t\tval2str(rsp->ccode, completion_code_vals));\n\t\t\tretval = -1;\n\t\t}\n\n\t\tif (retval < 0)\n\t\t{\n\t\t\tif ((session_request_type == IPMI_SESSION_REQUEST_CURRENT) &&\n\t\t\t (strncmp(intf->name, \"lan\", 3) != 0))\n\t\t\t\tlprintf(LOG_ERR, \"It is likely that the channel in use \"\n\t\t\t\t\t\"does not support sessions\");\n\t\t}\n\t\telse\n\t\t{\n\t\t\tmemcpy(&session_info, rsp->data, rsp->data_len);\n\t\t\tprint_session_info(&session_info, rsp->data_len);\n\t\t}\n\t\tbreak;\n\t\t\n\tcase IPMI_SESSION_REQUEST_ALL:\n\t\treq.msg.data_len = 1;\n\t\ti = 1;\n\t\tdo\n\t\t{\n\t\t\trqdata[0] = i++;\n\t\t\trsp = intf->sendrecv(intf, &req);\n\t\t\t\n\t\t\tif (!rsp)\n\t\t\t{\n\t\t\t\tlprintf(LOG_ERR, \"Get Session Info command failed\");\n\t\t\t\tretval = -1;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\telse if (rsp->ccode && rsp->ccode != 0xCC && rsp->ccode != 0xCB)\n\t\t\t{\n\t\t\t\tlprintf(LOG_ERR, \"Get Session Info command failed: %s\",\n\t\t\t\t\tval2str(rsp->ccode, completion_code_vals));\n\t\t\t\tretval = -1;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\telse if (rsp->data_len < 3)\n\t\t\t{\n\t\t\t\tretval = -1;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tmemcpy(&session_info, rsp->data, rsp->data_len);\n\t\t\tprint_session_info(&session_info, rsp->data_len);\n\t\t\t\n\t\t} while (i <= session_info.session_slot_count);\n\t\tbreak;\n\t}\n\n\treturn retval;\n}", "project": "ipmitool", "hash": 224137137758231083307007282464002439869, "size": 109, "commit_id": "41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22", "message": "session: Fix buffer overflow in 
ipmi_get_session_info\n\nPartial fix for CVE-2020-5208, see\nhttps://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp\n\nThe `ipmi_get_session_info` function does not properly check the\nresponse `data_len`, which is used as a copy size, allowing stack buffer\noverflow.", "target": 1, "dataset": "other", "idx": 207463 }, { "func": "parse_key_constraints(struct sshbuf *m, struct sshkey *k, time_t *deathp,\n u_int *secondsp, int *confirmp, char **sk_providerp)\n{\n\tu_char ctype;\n\tint r;\n\tu_int seconds, maxsign = 0;\n\tchar *ext_name = NULL;\n\tstruct sshbuf *b = NULL;\n\n\twhile (sshbuf_len(m)) {\n\t\tif ((r = sshbuf_get_u8(m, &ctype)) != 0) {\n\t\t\terror_fr(r, \"parse constraint type\");\n\t\t\tgoto err;\n\t\t}\n\t\tswitch (ctype) {\n\t\tcase SSH_AGENT_CONSTRAIN_LIFETIME:\n\t\t\tif (*deathp != 0) {\n\t\t\t\terror_f(\"lifetime already set\");\n\t\t\t\tgoto err;\n\t\t\t}\n\t\t\tif ((r = sshbuf_get_u32(m, &seconds)) != 0) {\n\t\t\t\terror_fr(r, \"parse lifetime constraint\");\n\t\t\t\tgoto err;\n\t\t\t}\n\t\t\t*deathp = monotime() + seconds;\n\t\t\t*secondsp = seconds;\n\t\t\tbreak;\n\t\tcase SSH_AGENT_CONSTRAIN_CONFIRM:\n\t\t\tif (*confirmp != 0) {\n\t\t\t\terror_f(\"confirm already set\");\n\t\t\t\tgoto err;\n\t\t\t}\n\t\t\t*confirmp = 1;\n\t\t\tbreak;\n\t\tcase SSH_AGENT_CONSTRAIN_MAXSIGN:\n\t\t\tif (k == NULL) {\n\t\t\t\terror_f(\"maxsign not valid here\");\n\t\t\t\tgoto err;\n\t\t\t}\n\t\t\tif (maxsign != 0) {\n\t\t\t\terror_f(\"maxsign already set\");\n\t\t\t\tgoto err;\n\t\t\t}\n\t\t\tif ((r = sshbuf_get_u32(m, &maxsign)) != 0) {\n\t\t\t\terror_fr(r, \"parse maxsign constraint\");\n\t\t\t\tgoto err;\n\t\t\t}\n\t\t\tif ((r = sshkey_enable_maxsign(k, maxsign)) != 0) {\n\t\t\t\terror_fr(r, \"enable maxsign\");\n\t\t\t\tgoto err;\n\t\t\t}\n\t\t\tbreak;\n\t\tcase SSH_AGENT_CONSTRAIN_EXTENSION:\n\t\t\tif ((r = sshbuf_get_cstring(m, &ext_name, NULL)) != 0) {\n\t\t\t\terror_fr(r, \"parse constraint extension\");\n\t\t\t\tgoto 
err;\n\t\t\t}\n\t\t\tdebug_f(\"constraint ext %s\", ext_name);\n\t\t\tif (strcmp(ext_name, \"sk-provider@openssh.com\") == 0) {\n\t\t\t\tif (sk_providerp == NULL) {\n\t\t\t\t\terror_f(\"%s not valid here\", ext_name);\n\t\t\t\t\tgoto err;\n\t\t\t\t}\n\t\t\t\tif (*sk_providerp != NULL) {\n\t\t\t\t\terror_f(\"%s already set\", ext_name);\n\t\t\t\t\tgoto err;\n\t\t\t\t}\n\t\t\t\tif ((r = sshbuf_get_cstring(m,\n\t\t\t\t sk_providerp, NULL)) != 0) {\n\t\t\t\t\terror_fr(r, \"parse %s\", ext_name);\n\t\t\t\t\tgoto err;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\terror_f(\"unsupported constraint \\\"%s\\\"\",\n\t\t\t\t ext_name);\n\t\t\t\tgoto err;\n\t\t\t}\n\t\t\tfree(ext_name);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\terror_f(\"Unknown constraint %d\", ctype);\n err:\n\t\t\tfree(ext_name);\n\t\t\tsshbuf_free(b);\n\t\t\treturn -1;\n\t\t}\n\t}\n\t/* success */\n\treturn 0;\n}", "project": "openssh-portable", "hash": 68211468467426422101137350916636802558, "size": 90, "commit_id": "e04fd6dde16de1cdc5a4d9946397ff60d96568db", "message": "upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own\n\nfunction and remove an unused variable; ok dtucker@\n\nOpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559", "target": 1, "dataset": "other", "idx": 207709 }, { "func": "CryptRsaDecrypt(\n\t\tTPM2B *dOut, // OUT: the decrypted data\n\t\tTPM2B *cIn, // IN: the data to decrypt\n\t\tOBJECT *key, // IN: the key to use for decryption\n\t\tTPMT_RSA_DECRYPT *scheme, // IN: the padding scheme\n\t\tconst TPM2B *label // IN: in case it is needed for the scheme\n\t\t)\n{\n TPM_RC retVal;\n EVP_PKEY *pkey = NULL;\n EVP_PKEY_CTX *ctx = NULL;\n const EVP_MD *md = NULL;\n const char *digestname;\n size_t outlen;\n unsigned char *tmp = NULL;\n\n // Make sure that the necessary parameters are provided\n pAssert(cIn != NULL && dOut != NULL && key != NULL);\n // Size is checked to make sure that the encrypted value is the right size\n if(cIn->size != key->publicArea.unique.rsa.t.size)\n 
ERROR_RETURN(TPM_RC_SIZE);\n TEST(scheme->scheme);\n\n retVal = InitOpenSSLRSAPrivateKey(key, &pkey);\n if (retVal != TPM_RC_SUCCESS)\n return retVal;\n\n ctx = EVP_PKEY_CTX_new(pkey, NULL);\n if (ctx == NULL ||\n EVP_PKEY_decrypt_init(ctx) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n\n switch(scheme->scheme)\n\t{\n\t case ALG_NULL_VALUE: // 'raw' encryption\n if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_NO_PADDING) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n break;\n\t case ALG_RSAES_VALUE:\n if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n break;\n\t case ALG_OAEP_VALUE:\n digestname = GetDigestNameByHashAlg(scheme->details.oaep.hashAlg);\n if (digestname == NULL)\n ERROR_RETURN(TPM_RC_VALUE);\n\n md = EVP_get_digestbyname(digestname);\n if (md == NULL ||\n EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) <= 0 ||\n EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n\n if (label->size > 0) {\n tmp = malloc(label->size);\n if (tmp == NULL)\n ERROR_RETURN(TPM_RC_FAILURE);\n memcpy(tmp, label->buffer, label->size);\n }\n\n if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, tmp, label->size) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n tmp = NULL;\n break;\n\t default:\n ERROR_RETURN(TPM_RC_SCHEME);\n break;\n\t}\n\n outlen = cIn->size;\n if (EVP_PKEY_decrypt(ctx, dOut->buffer, &outlen,\n cIn->buffer, cIn->size) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n\n dOut->size = outlen;\n\n retVal = TPM_RC_SUCCESS;\n\n Exit:\n EVP_PKEY_free(pkey);\n EVP_PKEY_CTX_free(ctx);\n free(tmp);\n\n return retVal;\n}", "project": "libtpms", "hash": 336056029318474660269537136446607856601, "size": 85, "commit_id": "40cfe134c017d3aeaaed05ce71eaf9bfbe556b16", "message": "tpm2: Fix output buffer parameter and size for RSA decryption\n\nFor the RSA decryption we have to use an output buffer of the size of the\n(largest possible) RSA key for the decryption to always work.\n\nThis fixes a stack corruption bug that caused a SIGBUS and 
termination of\n'swtpm'.\n\nSigned-off-by: Stefan Berger ", "target": 1, "dataset": "other", "idx": 208069 }, { "func": "filter_session_io(struct io *io, int evt, void *arg)\n{\n\tstruct filter_session *fs = arg;\n\tchar *line = NULL;\n\tssize_t len;\n\n\tlog_trace(TRACE_IO, \"filter session: %p: %s %s\", fs, io_strevent(evt),\n\t io_strio(io));\n\n\tswitch (evt) {\n\tcase IO_DATAIN:\n\tnextline:\n\t\tline = io_getline(fs->io, &len);\n\t\t/* No complete line received */\n\t\tif (line == NULL)\n\t\t\treturn;\n\n\t\tfilter_data(fs->id, line);\n\n\t\tgoto nextline;\n\n\tcase IO_DISCONNECTED:\n\t\tio_free(fs->io);\n\t\tfs->io = NULL;\n\t\tbreak;\n\t}\n}", "project": "src", "hash": 83839070917012004449638635653379607384, "size": 27, "commit_id": "6c3220444ed06b5796dedfd53a0f4becd903c0d1", "message": "smtpd's filter state machine can prematurely release resources\nleading to a crash. From gilles@", "target": 1, "dataset": "other", "idx": 209807 }, { "func": "HandleRFBServerMessage(rfbClient* client)\n{\n rfbServerToClientMsg msg;\n\n if (client->serverPort==-1)\n client->vncRec->readTimestamp = TRUE;\n if (!ReadFromRFBServer(client, (char *)&msg, 1))\n return FALSE;\n\n switch (msg.type) {\n\n case rfbSetColourMapEntries:\n {\n /* TODO:\n int i;\n uint16_t rgb[3];\n XColor xc;\n\n if (!ReadFromRFBServer(client, ((char *)&msg) + 1,\n\t\t\t sz_rfbSetColourMapEntriesMsg - 1))\n return FALSE;\n\n msg.scme.firstColour = rfbClientSwap16IfLE(msg.scme.firstColour);\n msg.scme.nColours = rfbClientSwap16IfLE(msg.scme.nColours);\n\n for (i = 0; i < msg.scme.nColours; i++) {\n if (!ReadFromRFBServer(client, (char *)rgb, 6))\n\treturn FALSE;\n xc.pixel = msg.scme.firstColour + i;\n xc.red = rfbClientSwap16IfLE(rgb[0]);\n xc.green = rfbClientSwap16IfLE(rgb[1]);\n xc.blue = rfbClientSwap16IfLE(rgb[2]);\n xc.flags = DoRed|DoGreen|DoBlue;\n XStoreColor(dpy, cmap, &xc);\n }\n */\n\n break;\n }\n\n case rfbFramebufferUpdate:\n {\n rfbFramebufferUpdateRectHeader rect;\n int linesToRead;\n 
int bytesPerLine;\n int i;\n\n if (!ReadFromRFBServer(client, ((char *)&msg.fu) + 1,\n\t\t\t sz_rfbFramebufferUpdateMsg - 1))\n return FALSE;\n\n msg.fu.nRects = rfbClientSwap16IfLE(msg.fu.nRects);\n\n for (i = 0; i < msg.fu.nRects; i++) {\n if (!ReadFromRFBServer(client, (char *)&rect, sz_rfbFramebufferUpdateRectHeader))\n\treturn FALSE;\n\n rect.encoding = rfbClientSwap32IfLE(rect.encoding);\n if (rect.encoding == rfbEncodingLastRect)\n\tbreak;\n\n rect.r.x = rfbClientSwap16IfLE(rect.r.x);\n rect.r.y = rfbClientSwap16IfLE(rect.r.y);\n rect.r.w = rfbClientSwap16IfLE(rect.r.w);\n rect.r.h = rfbClientSwap16IfLE(rect.r.h);\n\n\n if (rect.encoding == rfbEncodingXCursor ||\n\t rect.encoding == rfbEncodingRichCursor) {\n\n\tif (!HandleCursorShape(client,\n\t\t\t rect.r.x, rect.r.y, rect.r.w, rect.r.h,\n\t\t\t rect.encoding)) {\n\t return FALSE;\n\t}\n\tcontinue;\n }\n\n if (rect.encoding == rfbEncodingPointerPos) {\n\tif (!client->HandleCursorPos(client,rect.r.x, rect.r.y)) {\n\t return FALSE;\n\t}\n\tcontinue;\n }\n \n if (rect.encoding == rfbEncodingKeyboardLedState) {\n /* OK! We have received a keyboard state message!!! 
*/\n client->KeyboardLedStateEnabled = 1;\n if (client->HandleKeyboardLedState!=NULL)\n client->HandleKeyboardLedState(client, rect.r.x, 0);\n /* stash it for the future */\n client->CurrentKeyboardLedState = rect.r.x;\n continue;\n }\n\n if (rect.encoding == rfbEncodingNewFBSize) {\n\tclient->width = rect.r.w;\n\tclient->height = rect.r.h;\n\tclient->updateRect.x = client->updateRect.y = 0;\n\tclient->updateRect.w = client->width;\n\tclient->updateRect.h = client->height;\n\tif (!client->MallocFrameBuffer(client))\n\t return FALSE;\n\tSendFramebufferUpdateRequest(client, 0, 0, rect.r.w, rect.r.h, FALSE);\n\trfbClientLog(\"Got new framebuffer size: %dx%d\\n\", rect.r.w, rect.r.h);\n\tcontinue;\n }\n\n /* rect.r.w=byte count */\n if (rect.encoding == rfbEncodingSupportedMessages) {\n int loop;\n if (!ReadFromRFBServer(client, (char *)&client->supportedMessages, sz_rfbSupportedMessages))\n return FALSE;\n\n /* msgs is two sets of bit flags of supported messages client2server[] and server2client[] */\n /* currently ignored by this library */\n\n rfbClientLog(\"client2server supported messages (bit flags)\\n\");\n for (loop=0;loop<32;loop+=8)\n rfbClientLog(\"%02X: %04x %04x %04x %04x - %04x %04x %04x %04x\\n\", loop,\n client->supportedMessages.client2server[loop], client->supportedMessages.client2server[loop+1],\n client->supportedMessages.client2server[loop+2], client->supportedMessages.client2server[loop+3],\n client->supportedMessages.client2server[loop+4], client->supportedMessages.client2server[loop+5],\n client->supportedMessages.client2server[loop+6], client->supportedMessages.client2server[loop+7]);\n\n rfbClientLog(\"server2client supported messages (bit flags)\\n\");\n for (loop=0;loop<32;loop+=8)\n rfbClientLog(\"%02X: %04x %04x %04x %04x - %04x %04x %04x %04x\\n\", loop,\n client->supportedMessages.server2client[loop], client->supportedMessages.server2client[loop+1],\n client->supportedMessages.server2client[loop+2], 
client->supportedMessages.server2client[loop+3],\n client->supportedMessages.server2client[loop+4], client->supportedMessages.server2client[loop+5],\n client->supportedMessages.server2client[loop+6], client->supportedMessages.server2client[loop+7]);\n continue;\n }\n\n /* rect.r.w=byte count, rect.r.h=# of encodings */\n if (rect.encoding == rfbEncodingSupportedEncodings) {\n char *buffer;\n buffer = malloc(rect.r.w);\n if (!ReadFromRFBServer(client, buffer, rect.r.w))\n {\n free(buffer);\n return FALSE;\n }\n\n /* buffer now contains rect.r.h # of uint32_t encodings that the server supports */\n /* currently ignored by this library */\n free(buffer);\n continue;\n }\n\n /* rect.r.w=byte count */\n if (rect.encoding == rfbEncodingServerIdentity) {\n char *buffer;\n buffer = malloc(rect.r.w+1);\n if (!ReadFromRFBServer(client, buffer, rect.r.w))\n {\n free(buffer);\n return FALSE;\n }\n buffer[rect.r.w]=0; /* null terminate, just in case */\n rfbClientLog(\"Connected to Server \\\"%s\\\"\\n\", buffer);\n free(buffer);\n continue;\n }\n\n /* rfbEncodingUltraZip is a collection of subrects. x = # of subrects, and h is always 0 */\n if (rect.encoding != rfbEncodingUltraZip)\n {\n if ((rect.r.x + rect.r.w > client->width) ||\n\t (rect.r.y + rect.r.h > client->height))\n\t {\n\t rfbClientLog(\"Rect too large: %dx%d at (%d, %d)\\n\",\n\t \t rect.r.w, rect.r.h, rect.r.x, rect.r.y);\n\t return FALSE;\n }\n\n /* UltraVNC with scaling, will send rectangles with a zero W or H\n *\n if ((rect.encoding != rfbEncodingTight) && \n (rect.r.h * rect.r.w == 0))\n {\n\t rfbClientLog(\"Zero size rect - ignoring (encoding=%d (0x%08x) %dx, %dy, %dw, %dh)\\n\", rect.encoding, rect.encoding, rect.r.x, rect.r.y, rect.r.w, rect.r.h);\n\t continue;\n }\n */\n \n /* If RichCursor encoding is used, we should prevent collisions\n\t between framebuffer updates and cursor drawing operations. 
*/\n client->SoftCursorLockArea(client, rect.r.x, rect.r.y, rect.r.w, rect.r.h);\n }\n\n switch (rect.encoding) {\n\n case rfbEncodingRaw: {\n\tint y=rect.r.y, h=rect.r.h;\n\n\tbytesPerLine = rect.r.w * client->format.bitsPerPixel / 8;\n\t/* RealVNC 4.x-5.x on OSX can induce bytesPerLine==0, \n\t usually during GPU accel. */\n\t/* Regardless of cause, do not divide by zero. */\n\tlinesToRead = bytesPerLine ? (RFB_BUFFER_SIZE / bytesPerLine) : 0;\n\n\twhile (linesToRead && h > 0) {\n\t if (linesToRead > h)\n\t linesToRead = h;\n\n\t if (!ReadFromRFBServer(client, client->buffer,bytesPerLine * linesToRead))\n\t return FALSE;\n\n\t client->GotBitmap(client, (uint8_t *)client->buffer,\n\t\t\t rect.r.x, y, rect.r.w,linesToRead);\n\n\t h -= linesToRead;\n\t y += linesToRead;\n\n\t}\n\tbreak;\n } \n\n case rfbEncodingCopyRect:\n {\n\trfbCopyRect cr;\n\n\tif (!ReadFromRFBServer(client, (char *)&cr, sz_rfbCopyRect))\n\t return FALSE;\n\n\tcr.srcX = rfbClientSwap16IfLE(cr.srcX);\n\tcr.srcY = rfbClientSwap16IfLE(cr.srcY);\n\n\t/* If RichCursor encoding is used, we should extend our\n\t \"cursor lock area\" (previously set to destination\n\t rectangle) to the source rectangle as well. 
*/\n\tclient->SoftCursorLockArea(client,\n\t\t\t\t cr.srcX, cr.srcY, rect.r.w, rect.r.h);\n\n client->GotCopyRect(client, cr.srcX, cr.srcY, rect.r.w, rect.r.h,\n rect.r.x, rect.r.y);\n\n\tbreak;\n }\n\n case rfbEncodingRRE:\n {\n\tswitch (client->format.bitsPerPixel) {\n\tcase 8:\n\t if (!HandleRRE8(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\tcase 16:\n\t if (!HandleRRE16(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\tcase 32:\n\t if (!HandleRRE32(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\t}\n\tbreak;\n }\n\n case rfbEncodingCoRRE:\n {\n\tswitch (client->format.bitsPerPixel) {\n\tcase 8:\n\t if (!HandleCoRRE8(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\tcase 16:\n\t if (!HandleCoRRE16(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\tcase 32:\n\t if (!HandleCoRRE32(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\t}\n\tbreak;\n }\n\n case rfbEncodingHextile:\n {\n\tswitch (client->format.bitsPerPixel) {\n\tcase 8:\n\t if (!HandleHextile8(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\tcase 16:\n\t if (!HandleHextile16(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\tcase 32:\n\t if (!HandleHextile32(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\t}\n\tbreak;\n }\n\n case rfbEncodingUltra:\n {\n switch (client->format.bitsPerPixel) {\n case 8:\n if (!HandleUltra8(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n return FALSE;\n break;\n case 16:\n if (!HandleUltra16(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n return FALSE;\n break;\n case 32:\n if (!HandleUltra32(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n return FALSE;\n break;\n }\n break;\n }\n case rfbEncodingUltraZip:\n {\n switch (client->format.bitsPerPixel) {\n case 8:\n if (!HandleUltraZip8(client, 
rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n return FALSE;\n break;\n case 16:\n if (!HandleUltraZip16(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n return FALSE;\n break;\n case 32:\n if (!HandleUltraZip32(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n return FALSE;\n break;\n }\n break;\n }\n\n case rfbEncodingTRLE:\n\t {\n switch (client->format.bitsPerPixel) {\n case 8:\n if (!HandleTRLE8(client, rect.r.x, rect.r.y, rect.r.w, rect.r.h))\n return FALSE;\n break;\n case 16:\n if (client->si.format.greenMax > 0x1F) {\n if (!HandleTRLE16(client, rect.r.x, rect.r.y, rect.r.w, rect.r.h))\n return FALSE;\n } else {\n if (!HandleTRLE15(client, rect.r.x, rect.r.y, rect.r.w, rect.r.h))\n return FALSE;\n }\n break;\n case 32: {\n uint32_t maxColor =\n (client->format.redMax << client->format.redShift) |\n (client->format.greenMax << client->format.greenShift) |\n (client->format.blueMax << client->format.blueShift);\n if ((client->format.bigEndian && (maxColor & 0xff) == 0) ||\n (!client->format.bigEndian && (maxColor & 0xff000000) == 0)) {\n if (!HandleTRLE24(client, rect.r.x, rect.r.y, rect.r.w, rect.r.h))\n return FALSE;\n } else if (!client->format.bigEndian && (maxColor & 0xff) == 0) {\n if (!HandleTRLE24Up(client, rect.r.x, rect.r.y, rect.r.w, rect.r.h))\n return FALSE;\n } else if (client->format.bigEndian && (maxColor & 0xff000000) == 0) {\n if (!HandleTRLE24Down(client, rect.r.x, rect.r.y, rect.r.w,\n rect.r.h))\n return FALSE;\n } else if (!HandleTRLE32(client, rect.r.x, rect.r.y, rect.r.w,\n rect.r.h))\n return FALSE;\n break;\n }\n }\n break;\n }\n\n#ifdef LIBVNCSERVER_HAVE_LIBZ\n case rfbEncodingZlib:\n {\n\tswitch (client->format.bitsPerPixel) {\n\tcase 8:\n\t if (!HandleZlib8(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\tcase 16:\n\t if (!HandleZlib16(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\tcase 32:\n\t if (!HandleZlib32(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t 
break;\n\t}\n\tbreak;\n }\n\n#ifdef LIBVNCSERVER_HAVE_LIBJPEG\n case rfbEncodingTight:\n {\n\tswitch (client->format.bitsPerPixel) {\n\tcase 8:\n\t if (!HandleTight8(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\tcase 16:\n\t if (!HandleTight16(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\tcase 32:\n\t if (!HandleTight32(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\t}\n\tbreak;\n }\n#endif\n case rfbEncodingZRLE:\n\t/* Fail safe for ZYWRLE unsupport VNC server. */\n\tclient->appData.qualityLevel = 9;\n\t/* fall through */\n case rfbEncodingZYWRLE:\n {\n\tswitch (client->format.bitsPerPixel) {\n\tcase 8:\n\t if (!HandleZRLE8(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\tcase 16:\n\t if (client->si.format.greenMax > 0x1F) {\n\t if (!HandleZRLE16(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t } else {\n\t if (!HandleZRLE15(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t }\n\t break;\n\tcase 32:\n\t{\n\t uint32_t maxColor=(client->format.redMax<format.redShift)|\n\t\t(client->format.greenMax<format.greenShift)|\n\t\t(client->format.blueMax<format.blueShift);\n\t if ((client->format.bigEndian && (maxColor&0xff)==0) ||\n\t (!client->format.bigEndian && (maxColor&0xff000000)==0)) {\n\t if (!HandleZRLE24(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t } else if (!client->format.bigEndian && (maxColor&0xff)==0) {\n\t if (!HandleZRLE24Up(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t } else if (client->format.bigEndian && (maxColor&0xff000000)==0) {\n\t if (!HandleZRLE24Down(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t } else if (!HandleZRLE32(client, rect.r.x,rect.r.y,rect.r.w,rect.r.h))\n\t return FALSE;\n\t break;\n\t}\n\t}\n\tbreak;\n }\n\n#endif\n\n default:\n\t {\n\t rfbBool handled = FALSE;\n\t rfbClientProtocolExtension* e;\n\n\t for(e = 
rfbClientExtensions; !handled && e; e = e->next)\n\t if(e->handleEncoding && e->handleEncoding(client, &rect))\n\t handled = TRUE;\n\n\t if(!handled) {\n\t rfbClientLog(\"Unknown rect encoding %d\\n\",\n\t\t (int)rect.encoding);\n\t return FALSE;\n\t }\n\t }\n }\n\n /* Now we may discard \"soft cursor locks\". */\n client->SoftCursorUnlockScreen(client);\n\n client->GotFrameBufferUpdate(client, rect.r.x, rect.r.y, rect.r.w, rect.r.h);\n }\n\n if (!SendIncrementalFramebufferUpdateRequest(client))\n return FALSE;\n\n if (client->FinishedFrameBufferUpdate)\n client->FinishedFrameBufferUpdate(client);\n\n break;\n }\n\n case rfbBell:\n {\n client->Bell(client);\n\n break;\n }\n\n case rfbServerCutText:\n {\n char *buffer;\n\n if (!ReadFromRFBServer(client, ((char *)&msg) + 1,\n\t\t\t sz_rfbServerCutTextMsg - 1))\n return FALSE;\n\n msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);\n\n if (msg.sct.length > 1<<20) {\n\t rfbClientErr(\"Ignoring too big cut text length sent by server: %u B > 1 MB\\n\", (unsigned int)msg.sct.length);\n\t return FALSE;\n } \n\n buffer = malloc(msg.sct.length+1);\n\n if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {\n free(buffer);\n return FALSE;\n }\n\n buffer[msg.sct.length] = 0;\n\n if (client->GotXCutText)\n client->GotXCutText(client, buffer, msg.sct.length);\n\n free(buffer);\n\n break;\n }\n\n case rfbTextChat:\n {\n char *buffer=NULL;\n if (!ReadFromRFBServer(client, ((char *)&msg) + 1,\n sz_rfbTextChatMsg- 1))\n return FALSE;\n msg.tc.length = rfbClientSwap32IfLE(msg.sct.length);\n switch(msg.tc.length) {\n case rfbTextChatOpen:\n rfbClientLog(\"Received TextChat Open\\n\");\n if (client->HandleTextChat!=NULL)\n client->HandleTextChat(client, (int)rfbTextChatOpen, NULL);\n break;\n case rfbTextChatClose:\n rfbClientLog(\"Received TextChat Close\\n\");\n if (client->HandleTextChat!=NULL)\n client->HandleTextChat(client, (int)rfbTextChatClose, NULL);\n break;\n case rfbTextChatFinished:\n rfbClientLog(\"Received TextChat 
Finished\\n\");\n if (client->HandleTextChat!=NULL)\n client->HandleTextChat(client, (int)rfbTextChatFinished, NULL);\n break;\n default:\n buffer=malloc(msg.tc.length+1);\n if (!ReadFromRFBServer(client, buffer, msg.tc.length))\n {\n free(buffer);\n return FALSE;\n }\n /* Null Terminate */\n buffer[msg.tc.length]=0;\n rfbClientLog(\"Received TextChat \\\"%s\\\"\\n\", buffer);\n if (client->HandleTextChat!=NULL)\n client->HandleTextChat(client, (int)msg.tc.length, buffer);\n free(buffer);\n break;\n }\n break;\n }\n\n case rfbXvp:\n {\n if (!ReadFromRFBServer(client, ((char *)&msg) + 1,\n sz_rfbXvpMsg -1))\n return FALSE;\n\n SetClient2Server(client, rfbXvp);\n /* technically, we only care what we can *send* to the server\n * but, we set Server2Client Just in case it ever becomes useful\n */\n SetServer2Client(client, rfbXvp);\n\n if(client->HandleXvpMsg)\n client->HandleXvpMsg(client, msg.xvp.version, msg.xvp.code);\n\n break;\n }\n\n case rfbResizeFrameBuffer:\n {\n if (!ReadFromRFBServer(client, ((char *)&msg) + 1,\n sz_rfbResizeFrameBufferMsg -1))\n return FALSE;\n client->width = rfbClientSwap16IfLE(msg.rsfb.framebufferWidth);\n client->height = rfbClientSwap16IfLE(msg.rsfb.framebufferHeigth);\n client->updateRect.x = client->updateRect.y = 0;\n client->updateRect.w = client->width;\n client->updateRect.h = client->height;\n if (!client->MallocFrameBuffer(client))\n return FALSE;\n\n SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);\n rfbClientLog(\"Got new framebuffer size: %dx%d\\n\", client->width, client->height);\n break;\n }\n\n case rfbPalmVNCReSizeFrameBuffer:\n {\n if (!ReadFromRFBServer(client, ((char *)&msg) + 1,\n sz_rfbPalmVNCReSizeFrameBufferMsg -1))\n return FALSE;\n client->width = rfbClientSwap16IfLE(msg.prsfb.buffer_w);\n client->height = rfbClientSwap16IfLE(msg.prsfb.buffer_h);\n client->updateRect.x = client->updateRect.y = 0;\n client->updateRect.w = client->width;\n client->updateRect.h = client->height;\n 
if (!client->MallocFrameBuffer(client))\n return FALSE;\n SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);\n rfbClientLog(\"Got new framebuffer size: %dx%d\\n\", client->width, client->height);\n break;\n }\n\n default:\n {\n rfbBool handled = FALSE;\n rfbClientProtocolExtension* e;\n\n for(e = rfbClientExtensions; !handled && e; e = e->next)\n\tif(e->handleMessage && e->handleMessage(client, &msg))\n\t handled = TRUE;\n\n if(!handled) {\n\tchar buffer[256];\n\trfbClientLog(\"Unknown message type %d from VNC server\\n\",msg.type);\n\tReadFromRFBServer(client, buffer, 256);\n\treturn FALSE;\n }\n }\n }\n\n return TRUE;\n}", "project": "libvncserver", "hash": 44266049748697724692186048641152756144, "size": 647, "commit_id": "8937203441ee241c4ace85da687b7d6633a12365", "message": "libvncclient/rfbproto: limit max textchat size\n\nAddresses GitHub Security Lab (GHSL) Vulnerability Report\n`GHSL-2020-063`.\n\nRe #275", "target": 1, "dataset": "other", "idx": 212390 }, { "func": "static const char *GetMagickPropertyLetter(const ImageInfo *image_info,\n Image *image,const char letter)\n{\n char\n value[MaxTextExtent];\n\n const char\n *string;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n *value='\\0';\n string=(char *) NULL;\n switch (letter)\n {\n case 'b':\n {\n /*\n Image size read in - in bytes.\n */\n (void) FormatMagickSize(image->extent,MagickFalse,value);\n if (image->extent == 0)\n (void) FormatMagickSize(GetBlobSize(image),MagickFalse,value);\n break;\n }\n case 'c':\n {\n /*\n Image comment property - empty string by default.\n */\n string=GetImageProperty(image,\"comment\");\n if (string == (const char *) NULL)\n string=\"\";\n break;\n }\n case 'd':\n {\n /*\n Directory component of filename.\n */\n GetPathComponent(image->magick_filename,HeadPath,value);\n if (*value == 
'\\0')\n string=\"\";\n break;\n }\n case 'e':\n {\n /*\n Filename extension (suffix) of image file.\n */\n GetPathComponent(image->magick_filename,ExtensionPath,value);\n if (*value == '\\0')\n string=\"\";\n break;\n }\n case 'f':\n {\n /*\n Filename without directory component.\n */\n GetPathComponent(image->magick_filename,TailPath,value);\n if (*value == '\\0')\n string=\"\";\n break;\n }\n case 'g':\n {\n /*\n Image geometry, canvas and offset %Wx%H+%X+%Y.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20gx%.20g%+.20g%+.20g\",\n (double) image->page.width,(double) image->page.height,\n (double) image->page.x,(double) image->page.y);\n break;\n }\n case 'h':\n {\n /*\n Image height (current).\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n (image->rows != 0 ? image->rows : image->magick_rows));\n break;\n }\n case 'i':\n {\n /*\n Filename last used for image (read or write).\n */\n string=image->filename;\n break;\n }\n case 'k':\n {\n /*\n Number of unique colors.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n GetNumberColors(image,(FILE *) NULL,&image->exception));\n break;\n }\n case 'l':\n {\n /*\n Image label property - empty string by default.\n */\n string=GetImageProperty(image,\"label\");\n if (string == (const char *) NULL)\n string=\"\";\n break;\n }\n case 'm':\n {\n /*\n Image format (file magick).\n */\n string=image->magick;\n break;\n }\n case 'n':\n {\n /*\n Number of images in the list.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n GetImageListLength(image));\n break;\n }\n case 'o':\n {\n /*\n Output Filename - for delegate use only\n */\n string=image_info->filename;\n break;\n }\n case 'p':\n {\n /*\n Image index in current image list -- As 'n' OBSOLETE.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n GetImageIndexInList(image));\n break;\n }\n case 'q':\n {\n /*\n Quantum depth of image in memory.\n */\n (void) 
FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n MAGICKCORE_QUANTUM_DEPTH);\n break;\n }\n case 'r':\n {\n ColorspaceType\n colorspace;\n\n /*\n Image storage class and colorspace.\n */\n colorspace=image->colorspace;\n if ((image->columns != 0) && (image->rows != 0) &&\n (SetImageGray(image,&image->exception) != MagickFalse))\n colorspace=GRAYColorspace;\n (void) FormatLocaleString(value,MaxTextExtent,\"%s %s %s\",\n CommandOptionToMnemonic(MagickClassOptions,(ssize_t)\n image->storage_class),CommandOptionToMnemonic(MagickColorspaceOptions,\n (ssize_t) colorspace),image->matte != MagickFalse ? \"Matte\" : \"\" );\n break;\n }\n case 's':\n {\n /*\n Image scene number.\n */\n if (image_info->number_scenes != 0)\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image_info->scene);\n else\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->scene);\n break;\n }\n case 't':\n {\n /*\n Base filename without directory or extension.\n */\n GetPathComponent(image->magick_filename,BasePath,value);\n break;\n }\n case 'u':\n {\n /*\n Unique filename.\n */\n string=image_info->unique;\n break;\n }\n case 'w':\n {\n /*\n Image width (current).\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n (image->columns != 0 ? image->columns : image->magick_columns));\n break;\n }\n case 'x':\n {\n /*\n Image horizontal resolution.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",\n fabs(image->x_resolution) > MagickEpsilon ? image->x_resolution : 72.0);\n break;\n }\n case 'y':\n {\n /*\n Image vertical resolution.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",\n fabs(image->y_resolution) > MagickEpsilon ? 
image->y_resolution : 72.0);\n break;\n }\n case 'z':\n {\n /*\n Image depth.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->depth);\n break;\n }\n case 'A':\n {\n /*\n Image alpha channel.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%s\",\n CommandOptionToMnemonic(MagickBooleanOptions,(ssize_t) image->matte));\n break;\n }\n case 'B':\n {\n /*\n Image size read in - in bytes.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->extent);\n if (image->extent == 0)\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n GetBlobSize(image));\n break;\n }\n case 'C':\n {\n /*\n Image compression method.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%s\",\n CommandOptionToMnemonic(MagickCompressOptions,(ssize_t)\n image->compression));\n break;\n }\n case 'D':\n {\n /*\n Image dispose method.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%s\",\n CommandOptionToMnemonic(MagickDisposeOptions,(ssize_t) image->dispose));\n break;\n }\n case 'F':\n {\n const char\n *q;\n\n register char\n *p;\n\n static char\n whitelist[] =\n \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 \"\n \"$-_.+!*'(),{}|\\\\^~[]`\\\"><#%;/?:@&=\";\n\n /*\n Magick filename (sanitized) - filename given incl. coder & read mods.\n */\n (void) CopyMagickString(value,image->magick_filename,MaxTextExtent);\n p=value;\n q=value+strlen(value);\n for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))\n *p='_';\n break;\n }\n case 'G':\n {\n /*\n Image size as geometry = \"%wx%h\".\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20gx%.20g\",(double)\n image->magick_columns,(double) image->magick_rows);\n break;\n }\n case 'H':\n {\n /*\n Layer canvas height.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->page.height);\n break;\n }\n case 'M':\n {\n /*\n Magick filename - filename given incl. 
coder & read mods.\n */\n string=image->magick_filename;\n break;\n }\n case 'O':\n {\n /*\n Layer canvas offset with sign = \"+%X+%Y\".\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%+ld%+ld\",(long)\n image->page.x,(long) image->page.y);\n break;\n }\n case 'P':\n {\n /*\n Layer canvas page size = \"%Wx%H\".\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20gx%.20g\",(double)\n image->page.width,(double) image->page.height);\n break;\n }\n case 'Q':\n {\n /*\n Image compression quality.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n (image->quality == 0 ? 92 : image->quality));\n break;\n }\n case 'S':\n {\n /*\n Image scenes.\n */\n if (image_info->number_scenes == 0)\n string=\"2147483647\";\n else\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image_info->scene+image_info->number_scenes);\n break;\n }\n case 'T':\n {\n /*\n Image time delay for animations.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->delay);\n break;\n }\n case 'U':\n {\n /*\n Image resolution units.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%s\",\n CommandOptionToMnemonic(MagickResolutionOptions,(ssize_t)\n image->units));\n break;\n }\n case 'W':\n {\n /*\n Layer canvas width.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->page.width);\n break;\n }\n case 'X':\n {\n /*\n Layer canvas X offset.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%+.20g\",(double)\n image->page.x);\n break;\n }\n case 'Y':\n {\n /*\n Layer canvas Y offset.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%+.20g\",(double)\n image->page.y);\n break;\n }\n case 'Z':\n {\n /*\n Zero filename.\n */\n string=image_info->zero;\n break;\n }\n case '@':\n {\n RectangleInfo\n page;\n\n /*\n Image bounding box.\n */\n page=GetImageBoundingBox(image,&image->exception);\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20gx%.20g%+.20g%+.20g\",\n (double) 
page.width,(double) page.height,(double) page.x,(double)\n page.y);\n break;\n }\n case '#':\n {\n /*\n Image signature.\n */\n if ((image->columns != 0) && (image->rows != 0))\n (void) SignatureImage(image);\n string=GetImageProperty(image,\"signature\");\n break;\n }\n case '%':\n {\n /*\n Percent escaped.\n */\n string=\"%\";\n break;\n }\n }\n if (*value != '\\0')\n string=value;\n if (string != (char *) NULL)\n {\n (void) SetImageArtifact(image,\"get-property\",string);\n return(GetImageArtifact(image,\"get-property\"));\n }\n return((char *) NULL);\n}", "project": "ImageMagick6", "hash": 81789685423307343026163762196655100181, "size": 463, "commit_id": "5bf7ff59c8ada957d6a681a0a2cc29f3813ad4bc", "message": "https://github.com/ImageMagick/ImageMagick/issues/1225", "target": 1, "dataset": "other", "idx": 212909 }, { "func": "formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)\n{\n Buffer save;\n char *p;\n int spos, epos, rows, c_rows, pos, col = 0;\n Line *l;\n\n copyBuffer(&save, buf);\n gotoLine(buf, a->start.line);\n switch (form->type) {\n case FORM_TEXTAREA:\n case FORM_INPUT_TEXT:\n case FORM_INPUT_FILE:\n case FORM_INPUT_PASSWORD:\n case FORM_INPUT_CHECKBOX:\n case FORM_INPUT_RADIO:\n#ifdef MENU_SELECT\n case FORM_SELECT:\n#endif\t\t\t\t/* MENU_SELECT */\n\tspos = a->start.pos;\n\tepos = a->end.pos;\n\tbreak;\n default:\n\tspos = a->start.pos + 1;\n\tepos = a->end.pos - 1;\n }\n switch (form->type) {\n case FORM_INPUT_CHECKBOX:\n case FORM_INPUT_RADIO:\n\tif (spos >= buf->currentLine->len || spos < 0)\n\t break;\n\tif (form->checked)\n\t buf->currentLine->lineBuf[spos] = '*';\n\telse\n\t buf->currentLine->lineBuf[spos] = ' ';\n\tbreak;\n case FORM_INPUT_TEXT:\n case FORM_INPUT_FILE:\n case FORM_INPUT_PASSWORD:\n case FORM_TEXTAREA:\n#ifdef MENU_SELECT\n case FORM_SELECT:\n\tif (form->type == FORM_SELECT) {\n\t p = form->label->ptr;\n\t updateSelectOption(form, form->select_option);\n\t}\n\telse\n#endif\t\t\t\t/* MENU_SELECT */\n\t{\n\t if 
(!form->value)\n\t\tbreak;\n\t p = form->value->ptr;\n\t}\n\tl = buf->currentLine;\n\tif (!l)\n\t break;\n\tif (form->type == FORM_TEXTAREA) {\n\t int n = a->y - buf->currentLine->linenumber;\n\t if (n > 0)\n\t\tfor (; l && n; l = l->prev, n--) ;\n\t else if (n < 0)\n\t\tfor (; l && n; l = l->prev, n++) ;\n\t if (!l)\n\t\tbreak;\n\t}\n\trows = form->rows ? form->rows : 1;\n\tcol = COLPOS(l, a->start.pos);\n\tfor (c_rows = 0; c_rows < rows; c_rows++, l = l->next) {\n\t if (rows > 1) {\n\t\tpos = columnPos(l, col);\n\t\ta = retrieveAnchor(buf->formitem, l->linenumber, pos);\n\t\tif (a == NULL)\n\t\t break;\n\t\tspos = a->start.pos;\n\t\tepos = a->end.pos;\n\t }\n\t if (a->start.line != a->end.line || spos > epos || epos >= l->len || spos < 0 || epos < 0)\n\t\tbreak;\n\t pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col,\n\t\t\t\t rows > 1,\n\t\t\t\t form->type == FORM_INPUT_PASSWORD);\n\t if (pos != epos) {\n\t\tshiftAnchorPosition(buf->href, buf->hmarklist,\n\t\t\t\t a->start.line, spos, pos - epos);\n\t\tshiftAnchorPosition(buf->name, buf->hmarklist,\n\t\t\t\t a->start.line, spos, pos - epos);\n\t\tshiftAnchorPosition(buf->img, buf->hmarklist,\n\t\t\t\t a->start.line, spos, pos - epos);\n\t\tshiftAnchorPosition(buf->formitem, buf->hmarklist,\n\t\t\t\t a->start.line, spos, pos - epos);\n\t }\n\t}\n\tbreak;\n }\n copyBuffer(buf, &save);\n arrangeLine(buf);\n}", "project": "w3m", "hash": 15956644405726083189492084201505214654, "size": 97, "commit_id": "e2c7ecec6f9b730ad3c9bf8c8df9212970f183d7", "message": "Prevent dereference near-null pointer in formUpdateBuffer\n\nBug-Debian: https://github.com/tats/w3m/issues/35", "target": 1, "dataset": "other", "idx": 212915 }, { "func": "main(int argc, char *argv[])\n{\n\tchar pidstr[16];\n\tssize_t ret;\n\tint c, log_method;\n\tchar *logfile, *pidfile;\n\tint facility, fd;\n\tchar *username = NULL;\n\tchar *chrootdir = NULL;\n\tint configtest = 0;\n\tint singleprocess = 0;\n#ifdef HAVE_GETOPT_LONG\n\tint 
opt_idx;\n#endif\n\n\tpname = ((pname=strrchr(argv[0],'/')) != NULL)?pname+1:argv[0];\n\n\tsrand((unsigned int)time(NULL));\n\n\tlog_method = L_STDERR_SYSLOG;\n\tlogfile = PATH_RADVD_LOG;\n\tconf_file = PATH_RADVD_CONF;\n\tfacility = LOG_FACILITY;\n\tpidfile = PATH_RADVD_PID;\n\n\t/* parse args */\n#define OPTIONS_STR \"d:C:l:m:p:t:u:vhcs\"\n#ifdef HAVE_GETOPT_LONG\n\twhile ((c = getopt_long(argc, argv, OPTIONS_STR, prog_opt, &opt_idx)) > 0)\n#else\n\twhile ((c = getopt(argc, argv, OPTIONS_STR)) > 0)\n#endif\n\t{\n\t\tswitch (c) {\n\t\tcase 'C':\n\t\t\tconf_file = optarg;\n\t\t\tbreak;\n\t\tcase 'd':\n\t\t\tset_debuglevel(atoi(optarg));\n\t\t\tbreak;\n\t\tcase 'f':\n\t\t\tfacility = atoi(optarg);\n\t\t\tbreak;\n\t\tcase 'l':\n\t\t\tlogfile = optarg;\n\t\t\tbreak;\n\t\tcase 'p':\n\t\t\tpidfile = optarg;\n\t\t\tbreak;\n\t\tcase 'm':\n\t\t\tif (!strcmp(optarg, \"syslog\"))\n\t\t\t{\n\t\t\t\tlog_method = L_SYSLOG;\n\t\t\t}\n\t\t\telse if (!strcmp(optarg, \"stderr_syslog\"))\n\t\t\t{\n\t\t\t\tlog_method = L_STDERR_SYSLOG;\n\t\t\t}\n\t\t\telse if (!strcmp(optarg, \"stderr\"))\n\t\t\t{\n\t\t\t\tlog_method = L_STDERR;\n\t\t\t}\n\t\t\telse if (!strcmp(optarg, \"logfile\"))\n\t\t\t{\n\t\t\t\tlog_method = L_LOGFILE;\n\t\t\t}\n\t\t\telse if (!strcmp(optarg, \"none\"))\n\t\t\t{\n\t\t\t\tlog_method = L_NONE;\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tfprintf(stderr, \"%s: unknown log method: %s\\n\", pname, optarg);\n\t\t\t\texit(1);\n\t\t\t}\n\t\t\tbreak;\n\t\tcase 't':\n\t\t\tchrootdir = strdup(optarg);\n\t\t\tbreak;\n\t\tcase 'u':\n\t\t\tusername = strdup(optarg);\n\t\t\tbreak;\n\t\tcase 'v':\n\t\t\tversion();\n\t\t\tbreak;\n\t\tcase 'c':\n\t\t\tconfigtest = 1;\n\t\t\tbreak;\n\t\tcase 's':\n\t\t\tsingleprocess = 1;\n\t\t\tbreak;\n\t\tcase 'h':\n\t\t\tusage();\n#ifdef HAVE_GETOPT_LONG\n\t\tcase ':':\n\t\t\tfprintf(stderr, \"%s: option %s: parameter expected\\n\", pname,\n\t\t\t\tprog_opt[opt_idx].name);\n\t\t\texit(1);\n#endif\n\t\tcase '?':\n\t\t\texit(1);\n\t\t}\n\t}\n\n\tif 
(chrootdir) {\n\t\tif (!username) {\n\t\t\tfprintf(stderr, \"Chroot as root is not safe, exiting\\n\");\n\t\t\texit(1);\n\t\t}\n\n\t\tif (chroot(chrootdir) == -1) {\n\t\t\tperror(\"chroot\");\n\t\t\texit (1);\n\t\t}\n\n\t\tif (chdir(\"/\") == -1) {\n\t\t\tperror(\"chdir\");\n\t\t\texit (1);\n\t\t}\n\t\t/* username will be switched later */\n\t}\n\n\tif (configtest) {\n\t\tlog_method = L_STDERR;\n\t}\n\n\tif (log_open(log_method, pname, logfile, facility) < 0) {\n\t\tperror(\"log_open\");\n\t\texit(1);\n\t}\n\n\tif (!configtest) {\n\t\tflog(LOG_INFO, \"version %s started\", VERSION);\n\t}\n\n\t/* get a raw socket for sending and receiving ICMPv6 messages */\n\tsock = open_icmpv6_socket();\n\tif (sock < 0) {\n\t\tperror(\"open_icmpv6_socket\");\n\t\texit(1);\n\t}\n\n\t/* check that 'other' cannot write the file\n * for non-root, also that self/own group can't either\n */\n\tif (check_conffile_perm(username, conf_file) < 0) {\n\t\tif (get_debuglevel() == 0) {\n\t\t\tflog(LOG_ERR, \"Exiting, permissions on conf_file invalid.\\n\");\n\t\t\texit(1);\n\t\t}\n\t\telse\n\t\t\tflog(LOG_WARNING, \"Insecure file permissions, but continuing anyway\");\n\t}\n\n\t/* if we know how to do it, check whether forwarding is enabled */\n\tif (check_ip6_forwarding()) {\n\t\tflog(LOG_WARNING, \"IPv6 forwarding seems to be disabled, but continuing anyway.\");\n\t}\n\n\t/* parse config file */\n\tif (readin_config(conf_file) < 0) {\n\t\tflog(LOG_ERR, \"Exiting, failed to read config file.\\n\");\n\t\texit(1);\n\t}\n\n\tif (configtest) {\n\t\tfprintf(stderr, \"Syntax OK\\n\");\n\t\texit(0);\n\t}\n\n\t/* drop root privileges if requested. 
*/\n\tif (username) {\n\t\tif (!singleprocess) {\n\t\t \tdlog(LOG_DEBUG, 3, \"Initializing privsep\");\n\t\t \tif (privsep_init() < 0)\n\t\t\t\tflog(LOG_WARNING, \"Failed to initialize privsep.\");\n\t\t}\n\n\t\tif (drop_root_privileges(username) < 0) {\n\t\t\tperror(\"drop_root_privileges\");\n\t\t\texit(1);\n\t\t}\n\t}\n\n\tif ((fd = open(pidfile, O_RDONLY, 0)) > 0)\n\t{\n\t\tret = read(fd, pidstr, sizeof(pidstr) - 1);\n\t\tif (ret < 0)\n\t\t{\n\t\t\tflog(LOG_ERR, \"cannot read radvd pid file, terminating: %s\", strerror(errno));\n\t\t\texit(1);\n\t\t}\n\t\tpidstr[ret] = '\\0';\n\t\tif (!kill((pid_t)atol(pidstr), 0))\n\t\t{\n\t\t\tflog(LOG_ERR, \"radvd already running, terminating.\");\n\t\t\texit(1);\n\t\t}\n\t\tclose(fd);\n\t\tfd = open(pidfile, O_CREAT|O_TRUNC|O_WRONLY, 0644);\n\t}\n\telse\t/* FIXME: not atomic if pidfile is on an NFS mounted volume */\n\t\tfd = open(pidfile, O_CREAT|O_EXCL|O_WRONLY, 0644);\n\n\tif (fd < 0)\n\t{\n\t\tflog(LOG_ERR, \"cannot create radvd pid file, terminating: %s\", strerror(errno));\n\t\texit(1);\n\t}\n\n\t/*\n\t * okay, config file is read in, socket and stuff is setup, so\n\t * lets fork now...\n\t */\n\n\tif (get_debuglevel() == 0) {\n\n\t\t/* Detach from controlling terminal */\n\t\tif (daemon(0, 0) < 0)\n\t\t\tperror(\"daemon\");\n\n\t\t/* close old logfiles, including stderr */\n\t\tlog_close();\n\n\t\t/* reopen logfiles, but don't log to stderr unless explicitly requested */\n\t\tif (log_method == L_STDERR_SYSLOG)\n\t\t\tlog_method = L_SYSLOG;\n\t\tif (log_open(log_method, pname, logfile, facility) < 0) {\n\t\t\tperror(\"log_open\");\n\t\t\texit(1);\n\t\t}\n\n\t}\n\n\t/*\n\t *\tconfig signal handlers\n\t */\n\tsignal(SIGHUP, sighup_handler);\n\tsignal(SIGTERM, sigterm_handler);\n\tsignal(SIGINT, sigint_handler);\n\tsignal(SIGUSR1, sigusr1_handler);\n\n\tsnprintf(pidstr, sizeof(pidstr), \"%ld\\n\", (long)getpid());\n\n\tret = write(fd, pidstr, strlen(pidstr));\n\tif (ret != strlen(pidstr))\n\t{\n\t\tflog(LOG_ERR, \"cannot 
write radvd pid file, terminating: %s\", strerror(errno));\n\t\texit(1);\n\t}\n\n\tclose(fd);\n\n\tconfig_interface();\n\tkickoff_adverts();\n\tmain_loop();\n\tstop_adverts();\n\tunlink(pidfile);\n\n\treturn 0;\n}", "project": "radvd", "hash": 326133475241548036011768434567846365611, "size": 261, "commit_id": "2c50375043186e133f15135f4c93ca964238ee60", "message": "main() must fail on privsep_init() errors, it must not run\nwithout privilege separation as privsep is expected.", "target": 1, "dataset": "other", "idx": 213483 }, { "func": "sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )\n{\n\tstruct net_local *nl = (struct net_local *) dev->priv; \n\tstruct sbni_flags flags;\n\tint error = 0;\n\n#ifdef CONFIG_SBNI_MULTILINE\n\tstruct net_device *slave_dev;\n\tchar slave_name[ 8 ];\n#endif\n \n\tswitch( cmd ) {\n\tcase SIOCDEVGETINSTATS :\n\t\tif (copy_to_user( ifr->ifr_data, &nl->in_stats,\n\t\t\t\t\tsizeof(struct sbni_in_stats) ))\n\t\t\terror = -EFAULT;\n\t\tbreak;\n\n\tcase SIOCDEVRESINSTATS :\n\t\tif( current->euid != 0 )\t/* root only */\n\t\t\treturn -EPERM;\n\t\tmemset( &nl->in_stats, 0, sizeof(struct sbni_in_stats) );\n\t\tbreak;\n\n\tcase SIOCDEVGHWSTATE :\n\t\tflags.mac_addr\t= *(u32 *)(dev->dev_addr + 3);\n\t\tflags.rate\t= nl->csr1.rate;\n\t\tflags.slow_mode\t= (nl->state & FL_SLOW_MODE) != 0;\n\t\tflags.rxl\t= nl->cur_rxl_index;\n\t\tflags.fixed_rxl\t= nl->delta_rxl == 0;\n\n\t\tif (copy_to_user( ifr->ifr_data, &flags, sizeof flags ))\n\t\t\terror = -EFAULT;\n\t\tbreak;\n\n\tcase SIOCDEVSHWSTATE :\n\t\tif( current->euid != 0 )\t/* root only */\n\t\t\treturn -EPERM;\n\n\t\tspin_lock( &nl->lock );\n\t\tflags = *(struct sbni_flags*) &ifr->ifr_ifru;\n\t\tif( flags.fixed_rxl )\n\t\t\tnl->delta_rxl = 0,\n\t\t\tnl->cur_rxl_index = flags.rxl;\n\t\telse\n\t\t\tnl->delta_rxl = DEF_RXL_DELTA,\n\t\t\tnl->cur_rxl_index = DEF_RXL;\n\n\t\tnl->csr1.rxl = rxl_tab[ nl->cur_rxl_index ];\n\t\tnl->csr1.rate = flags.rate;\n\t\toutb( *(u8 *)&nl->csr1 | PR_RES, 
dev->base_addr + CSR1 );\n\t\tspin_unlock( &nl->lock );\n\t\tbreak;\n\n#ifdef CONFIG_SBNI_MULTILINE\n\n\tcase SIOCDEVENSLAVE :\n\t\tif( current->euid != 0 )\t/* root only */\n\t\t\treturn -EPERM;\n\n\t\tif (copy_from_user( slave_name, ifr->ifr_data, sizeof slave_name ))\n\t\t\treturn -EFAULT;\n\t\tslave_dev = dev_get_by_name(&init_net, slave_name );\n\t\tif( !slave_dev || !(slave_dev->flags & IFF_UP) ) {\n\t\t\tprintk( KERN_ERR \"%s: trying to enslave non-active \"\n\t\t\t\t\"device %s\\n\", dev->name, slave_name );\n\t\t\treturn -EPERM;\n\t\t}\n\n\t\treturn enslave( dev, slave_dev );\n\n\tcase SIOCDEVEMANSIPATE :\n\t\tif( current->euid != 0 )\t/* root only */\n\t\t\treturn -EPERM;\n\n\t\treturn emancipate( dev );\n\n#endif\t/* CONFIG_SBNI_MULTILINE */\n\n\tdefault :\n\t\treturn -EOPNOTSUPP;\n\t}\n\n\treturn error;\n}", "target": 1, "cwe": [ "CWE-264" ], "project": "linux-2.6", "commit_id": "f2455eb176ac87081bbfc9a44b21c7cd2bc1967e", "hash": 334362285214514794810840380680596988050, "size": 85, "message": "wan: Missing capability checks in sbni_ioctl()\n\nThere are missing capability checks in the following code:\n\n1300 static int\n1301 sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd)\n1302 {\n[...]\n1319 case SIOCDEVRESINSTATS :\n1320 if( current->euid != 0 ) /* root only */\n1321 return -EPERM;\n[...]\n1336 case SIOCDEVSHWSTATE :\n1337 if( current->euid != 0 ) /* root only */\n1338 return -EPERM;\n[...]\n1357 case SIOCDEVENSLAVE :\n1358 if( current->euid != 0 ) /* root only */\n1359 return -EPERM;\n[...]\n1372 case SIOCDEVEMANSIPATE :\n1373 if( current->euid != 0 ) /* root only */\n1374 return -EPERM;\n\nHere's my proposed fix:\n\nMissing capability checks.\n\nSigned-off-by: Eugene Teo \nSigned-off-by: David S. 
Miller ", "dataset": "other", "idx": 215379 }, { "func": "Agraph_t *agroot(void* obj)\n{\n switch (AGTYPE(obj)) {\n case AGINEDGE:\n case AGOUTEDGE:\n\treturn ((Agedge_t *) obj)->node->root;\n case AGNODE:\n\treturn ((Agnode_t *) obj)->root;\n case AGRAPH:\n\treturn ((Agraph_t *) obj)->root;\n default:\t\t\t/* actually can't occur if only 2 bit tags */\n\tagerr(AGERR, \"agroot of a bad object\");\n\treturn NILgraph;\n }\n}", "target": 1, "cwe": [ "CWE-476" ], "project": "graphviz", "commit_id": "839085f8026afd6f6920a0c31ad2a9d880d97932", "hash": 285926376776107496641309642772781622865, "size": 15, "message": "attempted fix for null pointer deference on malformed input", "dataset": "other", "idx": 216728 }, { "func": "static char *php_image_type_to_mime_type(int image_type) {\n switch( image_type) {\n case IMAGE_FILETYPE_GIF:\n return \"image/gif\";\n case IMAGE_FILETYPE_JPEG:\n return \"image/jpeg\";\n case IMAGE_FILETYPE_PNG:\n return \"image/png\";\n case IMAGE_FILETYPE_SWF:\n case IMAGE_FILETYPE_SWC:\n return \"application/x-shockwave-flash\";\n case IMAGE_FILETYPE_PSD:\n return \"image/psd\";\n case IMAGE_FILETYPE_BMP:\n return \"image/x-ms-bmp\";\n case IMAGE_FILETYPE_TIFF_II:\n case IMAGE_FILETYPE_TIFF_MM:\n return \"image/tiff\";\n case IMAGE_FILETYPE_IFF:\n return \"image/iff\";\n case IMAGE_FILETYPE_WBMP:\n return \"image/vnd.wap.wbmp\";\n case IMAGE_FILETYPE_JPC:\n return \"application/octet-stream\";\n case IMAGE_FILETYPE_JP2:\n return \"image/jp2\";\n case IMAGE_FILETYPE_XBM:\n return \"image/xbm\";\n case IMAGE_FILETYPE_ICO:\n return \"image/vnd.microsoft.icon\";\n default:\n case IMAGE_FILETYPE_UNKNOWN:\n return \"application/octet-stream\"; /* suppose binary format */\n }\n}", "project": "hhvm", "hash": 26922450668977660443715922564159938458, "size": 35, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219546 }, { 
"func": " Accessor& operator=(EntryPtr&& ep) {\n switch (m_kind) {\n case Kind::AccessorKind:\n m_u.accessor.~ConstAccessor();\n case Kind::Empty:\n case Kind::Ptr:\n m_kind = Kind::SmartPtr;\n new (&m_u.smart_ptr) EntryPtr(std::move(ep));\n break;\n case Kind::SmartPtr:\n m_u.smart_ptr = std::move(ep);\n break;\n }\n return *this;\n }", "project": "hhvm", "hash": 315520937267973020307125618972058517547, "size": 15, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219596 }, { "func": " ~Accessor() {\n switch (m_kind) {\n case Kind::Empty:\n case Kind::Ptr:\n break;\n case Kind::SmartPtr:\n m_u.smart_ptr.~EntryPtr();\n break;\n case Kind::AccessorKind:\n m_u.accessor.~ConstAccessor();\n break;\n }\n }", "project": "hhvm", "hash": 209073242655932725762524088999931927034, "size": 13, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219634 }, { "func": "const char *json_get_last_error_msg() {\n switch (s_json_parser->error_code) {\n case JSON_ERROR_NONE:\n return \"No error\";\n case JSON_ERROR_DEPTH:\n return \"Maximum stack depth exceeded\";\n case JSON_ERROR_STATE_MISMATCH:\n return \"State mismatch (invalid or malformed JSON)\";\n case JSON_ERROR_CTRL_CHAR:\n return \"Control character error, possibly incorrectly encoded\";\n case JSON_ERROR_SYNTAX:\n return \"Syntax error\";\n case JSON_ERROR_UTF8:\n return \"Malformed UTF-8 characters, possibly incorrectly encoded\";\n case json_error_codes::JSON_ERROR_RECURSION:\n return \"Recursion detected\";\n case json_error_codes::JSON_ERROR_INF_OR_NAN:\n return \"Inf and NaN cannot be JSON encoded\";\n case json_error_codes::JSON_ERROR_UNSUPPORTED_TYPE:\n return \"Type is not supported\";\n default:\n return \"Unknown error\";\n }\n}", "project": "hhvm", 
"hash": 172979454997733452840330963514992637576, "size": 24, "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13", "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4", "target": 0, "dataset": "other", "idx": 227300 }, { "func": "_libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,\n size_t datalen, int macstate)\n{\n int rc = 0;\n unsigned char *message = NULL;\n unsigned char *language = NULL;\n size_t message_len = 0;\n size_t language_len = 0;\n LIBSSH2_CHANNEL *channelp = NULL;\n size_t data_head = 0;\n unsigned char msg = data[0];\n\n switch(session->packAdd_state) {\n case libssh2_NB_state_idle:\n _libssh2_debug(session, LIBSSH2_TRACE_TRANS,\n \"Packet type %d received, length=%d\",\n (int) msg, (int) datalen);\n\n if((macstate == LIBSSH2_MAC_INVALID) &&\n (!session->macerror ||\n LIBSSH2_MACERROR(session, (char *) data, datalen))) {\n /* Bad MAC input, but no callback set or non-zero return from the\n callback */\n\n LIBSSH2_FREE(session, data);\n return _libssh2_error(session, LIBSSH2_ERROR_INVALID_MAC,\n \"Invalid MAC received\");\n }\n session->packAdd_state = libssh2_NB_state_allocated;\n break;\n case libssh2_NB_state_jump1:\n goto libssh2_packet_add_jump_point1;\n case libssh2_NB_state_jump2:\n goto libssh2_packet_add_jump_point2;\n case libssh2_NB_state_jump3:\n goto libssh2_packet_add_jump_point3;\n case libssh2_NB_state_jump4:\n goto libssh2_packet_add_jump_point4;\n case libssh2_NB_state_jump5:\n goto libssh2_packet_add_jump_point5;\n default: /* nothing to do */\n break;\n }\n\n if(session->packAdd_state == libssh2_NB_state_allocated) {\n /* A couple exceptions to the packet adding rule: */\n switch(msg) {\n\n /*\n byte SSH_MSG_DISCONNECT\n uint32 
reason code\n string description in ISO-10646 UTF-8 encoding [RFC3629]\n string language tag [RFC3066]\n */\n\n case SSH_MSG_DISCONNECT:\n if(datalen >= 5) {\n uint32_t reason = 0;\n struct string_buf buf;\n buf.data = (unsigned char *)data;\n buf.dataptr = buf.data;\n buf.len = datalen;\n buf.dataptr++; /* advance past type */\n\n _libssh2_get_u32(&buf, &reason);\n _libssh2_get_string(&buf, &message, &message_len);\n _libssh2_get_string(&buf, &language, &language_len);\n\n if(session->ssh_msg_disconnect) {\n LIBSSH2_DISCONNECT(session, reason, (const char *)message,\n message_len, (const char *)language,\n language_len);\n }\n\n _libssh2_debug(session, LIBSSH2_TRACE_TRANS,\n \"Disconnect(%d): %s(%s)\", reason,\n message, language);\n }\n\n LIBSSH2_FREE(session, data);\n session->socket_state = LIBSSH2_SOCKET_DISCONNECTED;\n session->packAdd_state = libssh2_NB_state_idle;\n return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT,\n \"socket disconnect\");\n /*\n byte SSH_MSG_IGNORE\n string data\n */\n\n case SSH_MSG_IGNORE:\n if(datalen >= 2) {\n if(session->ssh_msg_ignore) {\n LIBSSH2_IGNORE(session, (char *) data + 1, datalen - 1);\n }\n }\n else if(session->ssh_msg_ignore) {\n LIBSSH2_IGNORE(session, \"\", 0);\n }\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n\n /*\n byte SSH_MSG_DEBUG\n boolean always_display\n string message in ISO-10646 UTF-8 encoding [RFC3629]\n string language tag [RFC3066]\n */\n\n case SSH_MSG_DEBUG:\n if(datalen >= 2) {\n int always_display = data[1];\n\n if(datalen >= 6) {\n struct string_buf buf;\n buf.data = (unsigned char *)data;\n buf.dataptr = buf.data;\n buf.len = datalen;\n buf.dataptr += 2; /* advance past type & always display */\n\n _libssh2_get_string(&buf, &message, &message_len);\n _libssh2_get_string(&buf, &language, &language_len);\n }\n\n if(session->ssh_msg_debug) {\n LIBSSH2_DEBUG(session, always_display,\n (const char *)message,\n message_len, (const char 
*)language,\n language_len);\n }\n }\n\n /*\n * _libssh2_debug will actually truncate this for us so\n * that it's not an inordinate about of data\n */\n _libssh2_debug(session, LIBSSH2_TRACE_TRANS,\n \"Debug Packet: %s\", message);\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n\n /*\n byte SSH_MSG_GLOBAL_REQUEST\n string request name in US-ASCII only\n boolean want reply\n .... request-specific data follows\n */\n\n case SSH_MSG_GLOBAL_REQUEST:\n if(datalen >= 5) {\n uint32_t len = 0;\n unsigned char want_reply = 0;\n len = _libssh2_ntohu32(data + 1);\n if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {\n want_reply = data[5 + len];\n _libssh2_debug(session,\n LIBSSH2_TRACE_CONN,\n \"Received global request type %.*s (wr %X)\",\n len, data + 5, want_reply);\n }\n\n\n if(want_reply) {\n static const unsigned char packet =\n SSH_MSG_REQUEST_FAILURE;\n libssh2_packet_add_jump_point5:\n session->packAdd_state = libssh2_NB_state_jump5;\n rc = _libssh2_transport_send(session, &packet, 1, NULL, 0);\n if(rc == LIBSSH2_ERROR_EAGAIN)\n return rc;\n }\n }\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n\n /*\n byte SSH_MSG_CHANNEL_EXTENDED_DATA\n uint32 recipient channel\n uint32 data_type_code\n string data\n */\n\n case SSH_MSG_CHANNEL_EXTENDED_DATA:\n /* streamid(4) */\n data_head += 4;\n\n /* fall-through */\n\n /*\n byte SSH_MSG_CHANNEL_DATA\n uint32 recipient channel\n string data\n */\n\n case SSH_MSG_CHANNEL_DATA:\n /* packet_type(1) + channelno(4) + datalen(4) */\n data_head += 9;\n\n if(datalen >= data_head)\n channelp =\n _libssh2_channel_locate(session,\n _libssh2_ntohu32(data + 1));\n\n if(!channelp) {\n _libssh2_error(session, LIBSSH2_ERROR_CHANNEL_UNKNOWN,\n \"Packet received for unknown channel\");\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n }\n#ifdef LIBSSH2DEBUG\n {\n uint32_t stream_id = 0;\n if(msg == 
SSH_MSG_CHANNEL_EXTENDED_DATA)\n stream_id = _libssh2_ntohu32(data + 5);\n\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"%d bytes packet_add() for %lu/%lu/%lu\",\n (int) (datalen - data_head),\n channelp->local.id,\n channelp->remote.id,\n stream_id);\n }\n#endif\n if((channelp->remote.extended_data_ignore_mode ==\n LIBSSH2_CHANNEL_EXTENDED_DATA_IGNORE) &&\n (msg == SSH_MSG_CHANNEL_EXTENDED_DATA)) {\n /* Pretend we didn't receive this */\n LIBSSH2_FREE(session, data);\n\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"Ignoring extended data and refunding %d bytes\",\n (int) (datalen - 13));\n if(channelp->read_avail + datalen - data_head >=\n channelp->remote.window_size)\n datalen = channelp->remote.window_size -\n channelp->read_avail + data_head;\n\n channelp->remote.window_size -= datalen - data_head;\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"shrinking window size by %lu bytes to %lu, \"\n \"read_avail %lu\",\n datalen - data_head,\n channelp->remote.window_size,\n channelp->read_avail);\n\n session->packAdd_channelp = channelp;\n\n /* Adjust the window based on the block we just freed */\n libssh2_packet_add_jump_point1:\n session->packAdd_state = libssh2_NB_state_jump1;\n rc = _libssh2_channel_receive_window_adjust(session->\n packAdd_channelp,\n datalen - 13,\n 1, NULL);\n if(rc == LIBSSH2_ERROR_EAGAIN)\n return rc;\n\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n }\n\n /*\n * REMEMBER! 
remote means remote as source of data,\n * NOT remote window!\n */\n if(channelp->remote.packet_size < (datalen - data_head)) {\n /*\n * Spec says we MAY ignore bytes sent beyond\n * packet_size\n */\n _libssh2_error(session,\n LIBSSH2_ERROR_CHANNEL_PACKET_EXCEEDED,\n \"Packet contains more data than we offered\"\n \" to receive, truncating\");\n datalen = channelp->remote.packet_size + data_head;\n }\n if(channelp->remote.window_size <= channelp->read_avail) {\n /*\n * Spec says we MAY ignore bytes sent beyond\n * window_size\n */\n _libssh2_error(session,\n LIBSSH2_ERROR_CHANNEL_WINDOW_EXCEEDED,\n \"The current receive window is full,\"\n \" data ignored\");\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n }\n /* Reset EOF status */\n channelp->remote.eof = 0;\n\n if(channelp->read_avail + datalen - data_head >\n channelp->remote.window_size) {\n _libssh2_error(session,\n LIBSSH2_ERROR_CHANNEL_WINDOW_EXCEEDED,\n \"Remote sent more data than current \"\n \"window allows, truncating\");\n datalen = channelp->remote.window_size -\n channelp->read_avail + data_head;\n }\n\n /* Update the read_avail counter. The window size will be\n * updated once the data is actually read from the queue\n * from an upper layer */\n channelp->read_avail += datalen - data_head;\n\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"increasing read_avail by %lu bytes to %lu/%lu\",\n (long)(datalen - data_head),\n (long)channelp->read_avail,\n (long)channelp->remote.window_size);\n\n break;\n\n /*\n byte SSH_MSG_CHANNEL_EOF\n uint32 recipient channel\n */\n\n case SSH_MSG_CHANNEL_EOF:\n if(datalen >= 5)\n channelp =\n _libssh2_channel_locate(session,\n _libssh2_ntohu32(data + 1));\n if(!channelp)\n /* We may have freed already, just quietly ignore this... 
*/\n ;\n else {\n _libssh2_debug(session,\n LIBSSH2_TRACE_CONN,\n \"EOF received for channel %lu/%lu\",\n channelp->local.id,\n channelp->remote.id);\n channelp->remote.eof = 1;\n }\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n\n /*\n byte SSH_MSG_CHANNEL_REQUEST\n uint32 recipient channel\n string request type in US-ASCII characters only\n boolean want reply\n .... type-specific data follows\n */\n\n case SSH_MSG_CHANNEL_REQUEST:\n if(datalen >= 9) {\n uint32_t channel = _libssh2_ntohu32(data + 1);\n uint32_t len = _libssh2_ntohu32(data + 5);\n unsigned char want_reply = 1;\n\n if((len + 9) < datalen)\n want_reply = data[len + 9];\n\n _libssh2_debug(session,\n LIBSSH2_TRACE_CONN,\n \"Channel %d received request type %.*s (wr %X)\",\n channel, len, data + 9, want_reply);\n\n if(len == sizeof(\"exit-status\") - 1\n && (sizeof(\"exit-status\") - 1 + 9) <= datalen\n && !memcmp(\"exit-status\", data + 9,\n sizeof(\"exit-status\") - 1)) {\n\n /* we've got \"exit-status\" packet. 
Set the session value */\n if(datalen >= 20)\n channelp =\n _libssh2_channel_locate(session, channel);\n\n if(channelp && (sizeof(\"exit-status\") + 13) <= datalen) {\n channelp->exit_status =\n _libssh2_ntohu32(data + 9 + sizeof(\"exit-status\"));\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"Exit status %lu received for \"\n \"channel %lu/%lu\",\n channelp->exit_status,\n channelp->local.id,\n channelp->remote.id);\n }\n\n }\n else if(len == sizeof(\"exit-signal\") - 1\n && (sizeof(\"exit-signal\") - 1 + 9) <= datalen\n && !memcmp(\"exit-signal\", data + 9,\n sizeof(\"exit-signal\") - 1)) {\n /* command terminated due to signal */\n if(datalen >= 20)\n channelp = _libssh2_channel_locate(session, channel);\n\n if(channelp && (sizeof(\"exit-signal\") + 13) <= datalen) {\n /* set signal name (without SIG prefix) */\n uint32_t namelen =\n _libssh2_ntohu32(data + 9 + sizeof(\"exit-signal\"));\n\n if(namelen <= UINT_MAX - 1) {\n channelp->exit_signal =\n LIBSSH2_ALLOC(session, namelen + 1);\n }\n else {\n channelp->exit_signal = NULL;\n }\n\n if(!channelp->exit_signal)\n rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,\n \"memory for signal name\");\n else if((sizeof(\"exit-signal\") + 13 + namelen <=\n datalen)) {\n memcpy(channelp->exit_signal,\n data + 13 + sizeof(\"exit-signal\"), namelen);\n channelp->exit_signal[namelen] = '\\0';\n /* TODO: save error message and language tag */\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"Exit signal %s received for \"\n \"channel %lu/%lu\",\n channelp->exit_signal,\n channelp->local.id,\n channelp->remote.id);\n }\n }\n }\n\n\n if(want_reply) {\n unsigned char packet[5];\n libssh2_packet_add_jump_point4:\n session->packAdd_state = libssh2_NB_state_jump4;\n packet[0] = SSH_MSG_CHANNEL_FAILURE;\n memcpy(&packet[1], data + 1, 4);\n rc = _libssh2_transport_send(session, packet, 5, NULL, 0);\n if(rc == LIBSSH2_ERROR_EAGAIN)\n return rc;\n }\n }\n LIBSSH2_FREE(session, data);\n session->packAdd_state = 
libssh2_NB_state_idle;\n return rc;\n\n /*\n byte SSH_MSG_CHANNEL_CLOSE\n uint32 recipient channel\n */\n\n case SSH_MSG_CHANNEL_CLOSE:\n if(datalen >= 5)\n channelp =\n _libssh2_channel_locate(session,\n _libssh2_ntohu32(data + 1));\n if(!channelp) {\n /* We may have freed already, just quietly ignore this... */\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n }\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"Close received for channel %lu/%lu\",\n channelp->local.id,\n channelp->remote.id);\n\n channelp->remote.close = 1;\n channelp->remote.eof = 1;\n\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n\n /*\n byte SSH_MSG_CHANNEL_OPEN\n string \"session\"\n uint32 sender channel\n uint32 initial window size\n uint32 maximum packet size\n */\n\n case SSH_MSG_CHANNEL_OPEN:\n if(datalen < 17)\n ;\n else if((datalen >= (sizeof(\"forwarded-tcpip\") + 4)) &&\n ((sizeof(\"forwarded-tcpip\") - 1) ==\n _libssh2_ntohu32(data + 1))\n &&\n (memcmp(data + 5, \"forwarded-tcpip\",\n sizeof(\"forwarded-tcpip\") - 1) == 0)) {\n\n /* init the state struct */\n memset(&session->packAdd_Qlstn_state, 0,\n sizeof(session->packAdd_Qlstn_state));\n\n libssh2_packet_add_jump_point2:\n session->packAdd_state = libssh2_NB_state_jump2;\n rc = packet_queue_listener(session, data, datalen,\n &session->packAdd_Qlstn_state);\n }\n else if((datalen >= (sizeof(\"x11\") + 4)) &&\n ((sizeof(\"x11\") - 1) == _libssh2_ntohu32(data + 1)) &&\n (memcmp(data + 5, \"x11\", sizeof(\"x11\") - 1) == 0)) {\n\n /* init the state struct */\n memset(&session->packAdd_x11open_state, 0,\n sizeof(session->packAdd_x11open_state));\n\n libssh2_packet_add_jump_point3:\n session->packAdd_state = libssh2_NB_state_jump3;\n rc = packet_x11_open(session, data, datalen,\n &session->packAdd_x11open_state);\n }\n if(rc == LIBSSH2_ERROR_EAGAIN)\n return rc;\n\n LIBSSH2_FREE(session, data);\n session->packAdd_state = 
libssh2_NB_state_idle;\n return rc;\n\n /*\n byte SSH_MSG_CHANNEL_WINDOW_ADJUST\n uint32 recipient channel\n uint32 bytes to add\n */\n case SSH_MSG_CHANNEL_WINDOW_ADJUST:\n if(datalen < 9)\n ;\n else {\n uint32_t bytestoadd = _libssh2_ntohu32(data + 5);\n channelp =\n _libssh2_channel_locate(session,\n _libssh2_ntohu32(data + 1));\n if(channelp) {\n channelp->local.window_size += bytestoadd;\n\n _libssh2_debug(session, LIBSSH2_TRACE_CONN,\n \"Window adjust for channel %lu/%lu, \"\n \"adding %lu bytes, new window_size=%lu\",\n channelp->local.id,\n channelp->remote.id,\n bytestoadd,\n channelp->local.window_size);\n }\n }\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n default:\n break;\n }\n\n session->packAdd_state = libssh2_NB_state_sent;\n }\n\n if(session->packAdd_state == libssh2_NB_state_sent) {\n LIBSSH2_PACKET *packetp =\n LIBSSH2_ALLOC(session, sizeof(LIBSSH2_PACKET));\n if(!packetp) {\n _libssh2_debug(session, LIBSSH2_ERROR_ALLOC,\n \"memory for packet\");\n LIBSSH2_FREE(session, data);\n session->packAdd_state = libssh2_NB_state_idle;\n return LIBSSH2_ERROR_ALLOC;\n }\n packetp->data = data;\n packetp->data_len = datalen;\n packetp->data_head = data_head;\n\n _libssh2_list_add(&session->packets, &packetp->node);\n\n session->packAdd_state = libssh2_NB_state_sent1;\n }\n\n if((msg == SSH_MSG_KEXINIT &&\n !(session->state & LIBSSH2_STATE_EXCHANGING_KEYS)) ||\n (session->packAdd_state == libssh2_NB_state_sent2)) {\n if(session->packAdd_state == libssh2_NB_state_sent1) {\n /*\n * Remote wants new keys\n * Well, it's already in the brigade,\n * let's just call back into ourselves\n */\n _libssh2_debug(session, LIBSSH2_TRACE_TRANS, \"Renegotiating Keys\");\n\n session->packAdd_state = libssh2_NB_state_sent2;\n }\n\n /*\n * The KEXINIT message has been added to the queue. 
The packAdd and\n * readPack states need to be reset because _libssh2_kex_exchange\n * (eventually) calls upon _libssh2_transport_read to read the rest of\n * the key exchange conversation.\n */\n session->readPack_state = libssh2_NB_state_idle;\n session->packet.total_num = 0;\n session->packAdd_state = libssh2_NB_state_idle;\n session->fullpacket_state = libssh2_NB_state_idle;\n\n memset(&session->startup_key_state, 0, sizeof(key_exchange_state_t));\n\n /*\n * If there was a key reexchange failure, let's just hope we didn't\n * send NEWKEYS yet, otherwise remote will drop us like a rock\n */\n rc = _libssh2_kex_exchange(session, 1, &session->startup_key_state);\n if(rc == LIBSSH2_ERROR_EAGAIN)\n return rc;\n }\n\n session->packAdd_state = libssh2_NB_state_idle;\n return 0;\n}", "project": "libssh2", "hash": 132242532710662252043866474126087535393, "size": 611, "commit_id": "dedcbd106f8e52d5586b0205bc7677e4c9868f9c", "message": "packet.c: improve message parsing (#402)\n\n* packet.c: improve parsing of packets\r\n\r\nfile: packet.c\r\n\r\nnotes:\r\nUse _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. 
Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.", "target": 0, "dataset": "other", "idx": 229853 }, { "func": "R_API RBuffer *r_core_syscall (RCore *core, const char *name, const char *args) {\n\tRBuffer *b = NULL;\n\tchar code[1024];\n\tint num;\n\n\t//arch check\n\tif (strcmp (core->anal->cur->arch, \"x86\")) {\n\t\teprintf (\"architecture not yet supported!\\n\");\n\t\treturn 0;\n\t}\n\n\tnum = r_syscall_get_num (core->anal->syscall, name);\n\n\t//bits check\n\tswitch (core->assembler->bits) {\n\tcase 32:\n\t\tif (strcmp (name, \"setup\") && !num ) {\n\t\t\teprintf (\"syscall not found!\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tbreak;\n\tcase 64:\n\t\tif (strcmp (name, \"read\") && !num ) {\n\t\t\teprintf (\"syscall not found!\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tbreak;\n\tdefault:\n\t\teprintf (\"syscall not found!\\n\");\n\t\treturn 0;\n\t}\n\n\tsnprintf (code, sizeof (code),\n\t\t\"sc@syscall(%d);\\n\"\n\t\t\"main@global(0) { sc(%s);\\n\"\n\t\t\":int3\\n\" /// XXX USE trap\n\t\t\"}\\n\", num, args);\n\tr_egg_reset (core->egg);\n\t// TODO: setup arch/bits/os?\n\tr_egg_load (core->egg, code, 0);\n\n\tif (!r_egg_compile (core->egg)) {\n\t\teprintf (\"Cannot compile.\\n\");\n\t}\n\tif (!r_egg_assemble (core->egg)) {\n\t\teprintf (\"r_egg_assemble: invalid assembly\\n\");\n\t}\n\tif ((b = r_egg_get_bin (core->egg))) {\n#if 0\n\t\tif (b->length > 0) {\n\t\t\tfor (i = 0; i < b->length; i++) {\n\t\t\t\tr_cons_printf (\"%02x\", b->buf[i]);\n\t\t\t}\n\t\t\tr_cons_printf (\"\\n\");\n\t\t}\n#endif\n\t}\n\treturn b;\n}", "project": "radare2", "hash": 251716502461466913743663817530491515785, "size": 59, "commit_id": "cb8b683758edddae2d2f62e8e63a738c39f92683", "message": "Fix #16303 - c->table_query double free (#16318)", "target": 0, "dataset": "other", "idx": 232188 }, { "func": "ff_layout_encode_netaddr(struct xdr_stream *xdr, struct nfs4_pnfs_ds_addr *da)\n{\n\tstruct sockaddr *sap = (struct sockaddr *)&da->da_addr;\n\tchar portbuf[RPCBIND_MAXUADDRPLEN];\n\tchar 
addrbuf[RPCBIND_MAXUADDRLEN];\n\tunsigned short port;\n\tint len, netid_len;\n\t__be32 *p;\n\n\tswitch (sap->sa_family) {\n\tcase AF_INET:\n\t\tif (ff_layout_ntop4(sap, addrbuf, sizeof(addrbuf)) == 0)\n\t\t\treturn;\n\t\tport = ntohs(((struct sockaddr_in *)sap)->sin_port);\n\t\tbreak;\n\tcase AF_INET6:\n\t\tif (ff_layout_ntop6_noscopeid(sap, addrbuf, sizeof(addrbuf)) == 0)\n\t\t\treturn;\n\t\tport = ntohs(((struct sockaddr_in6 *)sap)->sin6_port);\n\t\tbreak;\n\tdefault:\n\t\tWARN_ON_ONCE(1);\n\t\treturn;\n\t}\n\n\tsnprintf(portbuf, sizeof(portbuf), \".%u.%u\", port >> 8, port & 0xff);\n\tlen = strlcat(addrbuf, portbuf, sizeof(addrbuf));\n\n\tnetid_len = strlen(da->da_netid);\n\tp = xdr_reserve_space(xdr, 4 + netid_len);\n\txdr_encode_opaque(p, da->da_netid, netid_len);\n\n\tp = xdr_reserve_space(xdr, 4 + len);\n\txdr_encode_opaque(p, addrbuf, len);\n}", "project": "linux", "hash": 254461680868607746386020947441904990315, "size": 35, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234459 }, { "func": " void Compute(OpKernelContext *ctx) override {\n const Tensor *indices_t, *values_t, *shape_t, *dense_t;\n OP_REQUIRES_OK(ctx, ctx->input(\"sp_indices\", &indices_t));\n OP_REQUIRES_OK(ctx, ctx->input(\"sp_values\", &values_t));\n OP_REQUIRES_OK(ctx, ctx->input(\"sp_shape\", &shape_t));\n OP_REQUIRES_OK(ctx, ctx->input(\"dense\", &dense_t));\n\n // Validations.\n OP_REQUIRES(ctx, TensorShapeUtils::IsMatrix(indices_t->shape()),\n errors::InvalidArgument(\n \"Input sp_indices should be a matrix but received shape: \",\n indices_t->shape().DebugString()));\n OP_REQUIRES(ctx,\n TensorShapeUtils::IsVector(values_t->shape()) &&\n TensorShapeUtils::IsVector(shape_t->shape()),\n errors::InvalidArgument(\n \"Inputs sp_values and sp_shape should be vectors \"\n \"but received shapes: \",\n values_t->shape().DebugString(), \" and \",\n shape_t->shape().DebugString()));\n OP_REQUIRES(\n ctx, values_t->dim_size(0) == indices_t->dim_size(0),\n errors::InvalidArgument(\n \"The first dimension of values and indices should match. (\",\n values_t->dim_size(0), \" vs. 
\", indices_t->dim_size(0), \")\"));\n\n const auto indices_mat = indices_t->matrix();\n const auto shape_vec = shape_t->vec();\n const auto lhs_dims = BCast::FromShape(TensorShape(shape_vec));\n const auto rhs_dims = BCast::FromShape(dense_t->shape());\n BCast b(lhs_dims, rhs_dims, false); // false for keeping the same num dims.\n\n // True iff (size(lhs) >= size(rhs)) and all dims in lhs is greater or equal\n // to dims in rhs (from right to left).\n auto VecGreaterEq = [](ArraySlice lhs, ArraySlice rhs) {\n if (lhs.size() < rhs.size()) return false;\n for (size_t i = 0; i < rhs.size(); ++i) {\n if (lhs[lhs.size() - 1 - i] < rhs[rhs.size() - 1 - i]) return false;\n }\n return true;\n };\n OP_REQUIRES(ctx, VecGreaterEq(lhs_dims, rhs_dims) && b.IsValid(),\n errors::InvalidArgument(\n \"SparseDenseBinaryOpShared broadcasts dense to sparse \"\n \"only; got incompatible shapes: [\",\n absl::StrJoin(lhs_dims, \",\"), \"] vs. [\",\n absl::StrJoin(rhs_dims, \",\"), \"]\"));\n\n Tensor *output_values = nullptr;\n Tensor dense_gathered;\n const int64 nnz = indices_t->dim_size(0);\n OP_REQUIRES_OK(ctx,\n ctx->allocate_output(0, TensorShape({nnz}), &output_values));\n OP_REQUIRES_OK(\n ctx, ctx->allocate_temp(DataTypeToEnum::value, TensorShape({nnz}),\n &dense_gathered));\n bool op_is_div = false;\n if (absl::StrContains(ctx->op_kernel().type_string_view(), \"Div\")) {\n op_is_div = true;\n }\n // Pulls relevant entries from the dense side, with reshape and broadcasting\n // *of the dense side* taken into account. 
Use a TensorRef to avoid blowing\n // up memory.\n //\n // We can directly use the sparse indices to look up dense side, because\n // \"b.y_reshape()\" and \"b.y_bcast()\" are guaranteed to have rank \"ndims\".\n auto dense_gathered_flat = dense_gathered.flat();\n const int ndims = lhs_dims.size();\n switch (ndims) {\n#define CASE(NDIM) \\\n case NDIM: { \\\n TensorRef> rhs_ref = \\\n dense_t->shaped(b.y_reshape()) \\\n .broadcast(BCast::ToIndexArray(b.y_bcast())); \\\n Eigen::array idx; \\\n bool indices_valid = true; \\\n for (int i = 0; i < nnz; ++i) { \\\n for (int d = 0; d < NDIM; ++d) { \\\n idx[d] = internal::SubtleMustCopy(indices_mat(i, d)); \\\n if (!FastBoundsCheck(idx[d], rhs_ref.dimension(d))) { \\\n indices_valid = false; \\\n } \\\n } \\\n OP_REQUIRES( \\\n ctx, indices_valid, \\\n errors::InvalidArgument(\"Provided indices are out-of-bounds w.r.t. \" \\\n \"dense side with broadcasted shape\")); \\\n dense_gathered_flat(i) = rhs_ref.coeff(idx); \\\n if (op_is_div) { \\\n OP_REQUIRES(ctx, dense_gathered_flat(i) != 0, \\\n errors::InvalidArgument( \\\n \"SparseDenseCwiseDiv cannot divide by zero,\" \\\n \"but input dense tensor contains zero \")); \\\n } \\\n } \\\n break; \\\n }\n\n CASE(1);\n CASE(2);\n CASE(3);\n CASE(4);\n CASE(5);\n default:\n OP_REQUIRES(\n ctx, false,\n errors::InvalidArgument(\"Only tensors with ranks between 1 and 5 \"\n \"are currently supported. 
Tensor rank: \",\n ndims));\n#undef CASE\n }\n\n output_values->flat().device(ctx->eigen_device()) =\n values_t->flat().binaryExpr(dense_gathered_flat,\n typename Functor::func());\n }", "project": "tensorflow", "hash": 76360371434450887584761667916814072129, "size": 116, "commit_id": "d9204be9f49520cdaaeb2541d1dc5187b23f31d9", "message": "Disallow division by zero FPE in tf.raw_ops.SparseDenseCwiseDiv\n\nPiperOrigin-RevId: 383959809\nChange-Id: Ibe88458bdf66a686c93e354b8255dec94285c560", "target": 0, "dataset": "other", "idx": 235840 }, { "func": "ecma_op_container_free_entries (ecma_object_t *object_p) /**< collection object pointer */\n{\n JERRY_ASSERT (object_p != NULL);\n\n ecma_extended_object_t *map_object_p = (ecma_extended_object_t *) object_p;\n ecma_collection_t *container_p = ECMA_GET_INTERNAL_VALUE_POINTER (ecma_collection_t,\n map_object_p->u.class_prop.u.value);\n\n switch (map_object_p->u.class_prop.class_id)\n {\n#if ENABLED (JERRY_ES2015_BUILTIN_WEAKSET)\n case LIT_MAGIC_STRING_WEAKSET_UL:\n {\n ecma_op_container_free_weakset_entries (object_p, container_p);\n break;\n }\n#endif /* ENABLED (JERRY_ES2015_BUILTIN_WEAKSET) */\n#if ENABLED (JERRY_ES2015_BUILTIN_WEAKMAP)\n case LIT_MAGIC_STRING_WEAKMAP_UL:\n {\n ecma_op_container_free_weakmap_entries (object_p, container_p);\n break;\n }\n#endif /* ENABLED (JERRY_ES2015_BUILTIN_WEAKMAP) */\n#if ENABLED (JERRY_ES2015_BUILTIN_SET)\n case LIT_MAGIC_STRING_SET_UL:\n {\n ecma_op_container_free_set_entries (container_p);\n break;\n }\n#endif /* ENABLED (JERRY_ES2015_BUILTIN_SET) */\n#if ENABLED (JERRY_ES2015_BUILTIN_MAP)\n case LIT_MAGIC_STRING_MAP_UL:\n {\n ecma_op_container_free_map_entries (container_p);\n break;\n }\n#endif /* ENABLED (JERRY_ES2015_BUILTIN_MAP) */\n default:\n {\n break;\n }\n }\n\n ECMA_CONTAINER_SET_SIZE (container_p, 0);\n} /* ecma_op_container_free_entries */", "project": "jerryscript", "hash": 307928277935464486753857008806228642080, "size": 46, "commit_id": 
"c2b662170245a16f46ce02eae68815c325d99821", "message": "Fix adding entries to the internal buffer of a Map object (#3805)\n\nWhen appending the key/value pair separately, garbage collection could be\r\ntriggered before the value is added, which could cause problems during\r\nmarking. This patch changes insertion to add both values at the same\r\ntime, which prevents partial entries from being present in the internal\r\nbuffer.\r\n\r\nFixes #3804.\r\n\r\nJerryScript-DCO-1.0-Signed-off-by: Dániel Bátyai dbatyai@inf.u-szeged.hu", "target": 0, "dataset": "other", "idx": 238738 }, { "func": "main(int argc, char **argv)\n{\n\tconst char *safepath = \"/bin:/sbin:/usr/bin:/usr/sbin:\"\n\t \"/usr/local/bin:/usr/local/sbin\";\n\tconst char *confpath = NULL;\n\tchar *shargv[] = { NULL, NULL };\n\tchar *sh;\n\tconst char *p;\n\tconst char *cmd;\n\tchar cmdline[LINE_MAX];\n\tstruct passwd mypwstore, targpwstore;\n\tstruct passwd *mypw, *targpw;\n\tconst struct rule *rule;\n\tuid_t uid;\n\tuid_t target = 0;\n\tgid_t groups[NGROUPS_MAX + 1];\n\tint ngroups;\n\tint i, ch, rv;\n\tint sflag = 0;\n\tint nflag = 0;\n\tchar cwdpath[PATH_MAX];\n\tconst char *cwd;\n\tchar **envp;\n\n\tsetprogname(\"doas\");\n\n\tclosefrom(STDERR_FILENO + 1);\n\n\tuid = getuid();\n\n\twhile ((ch = getopt(argc, argv, \"+C:Lnsu:\")) != -1) {\n\t\tswitch (ch) {\n\t\tcase 'C':\n\t\t\tconfpath = optarg;\n\t\t\tbreak;\n\t\tcase 'L':\n#if defined(USE_TIMESTAMP)\n\t\t\texit(timestamp_clear() == -1);\n#else\n\t\t\texit(0);\n#endif\n\t\tcase 'u':\n\t\t\tif (parseuid(optarg, &target) != 0)\n\t\t\t\terrx(1, \"unknown user\");\n\t\t\tbreak;\n\t\tcase 'n':\n\t\t\tnflag = 1;\n\t\t\tbreak;\n\t\tcase 's':\n\t\t\tsflag = 1;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tusage();\n\t\t\tbreak;\n\t\t}\n\t}\n\targv += optind;\n\targc -= optind;\n\n\tif (confpath) {\n\t\tif (sflag)\n\t\t\tusage();\n\t} else if ((!sflag && !argc) || (sflag && argc))\n\t\tusage();\n\n\trv = mygetpwuid_r(uid, &mypwstore, &mypw);\n\tif (rv != 0)\n\t\terr(1, 
\"getpwuid_r failed\");\n\tif (mypw == NULL)\n\t\terrx(1, \"no passwd entry for self\");\n\tngroups = getgroups(NGROUPS_MAX, groups);\n\tif (ngroups == -1)\n\t\terr(1, \"can't get groups\");\n\tgroups[ngroups++] = getgid();\n\n\tif (sflag) {\n\t\tsh = getenv(\"SHELL\");\n\t\tif (sh == NULL || *sh == '\\0') {\n\t\t\tshargv[0] = mypw->pw_shell;\n\t\t} else\n\t\t\tshargv[0] = sh;\n\t\targv = shargv;\n\t\targc = 1;\n\t}\n\n\tif (confpath) {\n\t\tcheckconfig(confpath, argc, argv, uid, groups, ngroups,\n\t\t target);\n\t\texit(1);\t/* fail safe */\n\t}\n\n\tif (geteuid())\n\t\terrx(1, \"not installed setuid\");\n\n\tparseconfig(DOAS_CONF, 1);\n\n\t/* cmdline is used only for logging, no need to abort on truncate */\n\t(void)strlcpy(cmdline, argv[0], sizeof(cmdline));\n\tfor (i = 1; i < argc; i++) {\n\t\tif (strlcat(cmdline, \" \", sizeof(cmdline)) >= sizeof(cmdline))\n\t\t\tbreak;\n\t\tif (strlcat(cmdline, argv[i], sizeof(cmdline)) >= sizeof(cmdline))\n\t\t\tbreak;\n\t}\n\n\tcmd = argv[0];\n\tif (!permit(uid, groups, ngroups, &rule, target, cmd,\n\t (const char **)argv + 1)) {\n\t\tsyslog(LOG_AUTHPRIV | LOG_NOTICE,\n\t\t \"command not permitted for %s: %s\", mypw->pw_name, cmdline);\n\t\terrc(1, EPERM, NULL);\n\t}\n\n#if defined(USE_SHADOW)\n\tif (!(rule->options & NOPASS)) {\n\t\tif (nflag)\n\t\t\terrx(1, \"Authorization required\");\n\n\t\tshadowauth(mypw->pw_name, rule->options & PERSIST);\n\t}\n#elif !defined(USE_PAM)\n\t/* no authentication provider, only allow NOPASS rules */\n\t(void) nflag;\n\tif (!(rule->options & NOPASS))\n\t\terrx(1, \"Authorization required\");\n#endif\n\n\tif ((p = getenv(\"PATH\")) != NULL)\n\t\tformerpath = strdup(p);\n\tif (formerpath == NULL)\n\t\tformerpath = \"\";\n\n\tif (rule->cmd) {\n\t\tif (setenv(\"PATH\", safepath, 1) == -1)\n\t\t\terr(1, \"failed to set PATH '%s'\", safepath);\n\t}\n\n\trv = mygetpwuid_r(target, &targpwstore, &targpw);\n\tif (rv != 0)\n\t\terr(1, \"getpwuid_r failed\");\n\tif (targpw == NULL)\n\t\terrx(1, \"no 
passwd entry for target\");\n\n#if defined(USE_PAM)\n\tpamauth(targpw->pw_name, mypw->pw_name, !nflag, rule->options & NOPASS,\n\t rule->options & PERSIST);\n#endif\n\n#ifdef HAVE_LOGIN_CAP_H\n\tif (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |\n\t LOGIN_SETPATH |\n\t LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |\n\t LOGIN_SETUSER) != 0)\n\t\terrx(1, \"failed to set user context for target\");\n#else\n\tif (setresgid(targpw->pw_gid, targpw->pw_gid, targpw->pw_gid) != 0)\n\t\terr(1, \"setresgid\");\n\tif (initgroups(targpw->pw_name, targpw->pw_gid) != 0)\n\t\terr(1, \"initgroups\");\n\tif (setresuid(target, target, target) != 0)\n\t\terr(1, \"setresuid\");\n\tif (setenv(\"PATH\", safepath, 1) == -1)\n\t\terr(1, \"failed to set PATH '%s'\", safepath);\n#endif\n\n\tif (getcwd(cwdpath, sizeof(cwdpath)) == NULL)\n\t\tcwd = \"(failed)\";\n\telse\n\t\tcwd = cwdpath;\n\n\tif (!(rule->options & NOLOG)) {\n\t\tsyslog(LOG_AUTHPRIV | LOG_INFO,\n\t\t \"%s ran command %s as %s from %s\",\n\t\t mypw->pw_name, cmdline, targpw->pw_name, cwd);\n\t}\n\n\tenvp = prepenv(rule, mypw, targpw);\n\n\t/* setusercontext set path for the next process, so reset it for us */\n\tif (rule->cmd) {\n\t\tif (setenv(\"PATH\", safepath, 1) == -1)\n\t\t\terr(1, \"failed to set PATH '%s'\", safepath);\n\t} else {\n\t\tif (setenv(\"PATH\", formerpath, 1) == -1)\n\t\t\terr(1, \"failed to set PATH '%s'\", formerpath);\n\t}\n\texecvpe(cmd, argv, envp);\n\tif (errno == ENOENT)\n\t\terrx(1, \"%s: command not found\", cmd);\n\terr(1, \"%s\", cmd);\n}", "project": "OpenDoas", "hash": 292077285564712260600228001977188221108, "size": 191, "commit_id": "d5acd52e2a15c36a8e06f9103d35622933aa422d", "message": "correctly reset path for rules without specific command\n\nThis is a fixup for commit 01c658f8c45cb92a343be5f32aa6da70b2032168\nwhere the behaviour was changed to not inherit the PATH variable\nby default.", "target": 0, "dataset": "other", "idx": 240829 }, { "func": "static const char 
*columnTypeImpl(\n NameContext *pNC, \n#ifndef SQLITE_ENABLE_COLUMN_METADATA\n Expr *pExpr\n#else\n Expr *pExpr,\n const char **pzOrigDb,\n const char **pzOrigTab,\n const char **pzOrigCol\n#endif\n){\n char const *zType = 0;\n int j;\n#ifdef SQLITE_ENABLE_COLUMN_METADATA\n char const *zOrigDb = 0;\n char const *zOrigTab = 0;\n char const *zOrigCol = 0;\n#endif\n\n assert( pExpr!=0 );\n assert( pNC->pSrcList!=0 );\n switch( pExpr->op ){\n case TK_COLUMN: {\n /* The expression is a column. Locate the table the column is being\n ** extracted from in NameContext.pSrcList. This table may be real\n ** database table or a subquery.\n */\n Table *pTab = 0; /* Table structure column is extracted from */\n Select *pS = 0; /* Select the column is extracted from */\n int iCol = pExpr->iColumn; /* Index of column in pTab */\n while( pNC && !pTab ){\n SrcList *pTabList = pNC->pSrcList;\n for(j=0;jnSrc && pTabList->a[j].iCursor!=pExpr->iTable;j++);\n if( jnSrc ){\n pTab = pTabList->a[j].pTab;\n pS = pTabList->a[j].pSelect;\n }else{\n pNC = pNC->pNext;\n }\n }\n\n if( pTab==0 ){\n /* At one time, code such as \"SELECT new.x\" within a trigger would\n ** cause this condition to run. Since then, we have restructured how\n ** trigger code is generated and so this condition is no longer \n ** possible. However, it can still be true for statements like\n ** the following:\n **\n ** CREATE TABLE t1(col INTEGER);\n ** SELECT (SELECT t1.col) FROM FROM t1;\n **\n ** when columnType() is called on the expression \"t1.col\" in the \n ** sub-select. In this case, set the column type to NULL, even\n ** though it should really be \"INTEGER\".\n **\n ** This is not a problem, as the column type of \"t1.col\" is never\n ** used. When columnType() is called on the expression \n ** \"(SELECT t1.col)\", the correct type is returned (see the TK_SELECT\n ** branch below. 
*/\n break;\n }\n\n assert( pTab && pExpr->y.pTab==pTab );\n if( pS ){\n /* The \"table\" is actually a sub-select or a view in the FROM clause\n ** of the SELECT statement. Return the declaration type and origin\n ** data for the result-set column of the sub-select.\n */\n if( iCol>=0 && iColpEList->nExpr ){\n /* If iCol is less than zero, then the expression requests the\n ** rowid of the sub-select or view. This expression is legal (see \n ** test case misc2.2.2) - it always evaluates to NULL.\n */\n NameContext sNC;\n Expr *p = pS->pEList->a[iCol].pExpr;\n sNC.pSrcList = pS->pSrc;\n sNC.pNext = pNC;\n sNC.pParse = pNC->pParse;\n zType = columnType(&sNC, p,&zOrigDb,&zOrigTab,&zOrigCol); \n }\n }else{\n /* A real table or a CTE table */\n assert( !pS );\n#ifdef SQLITE_ENABLE_COLUMN_METADATA\n if( iCol<0 ) iCol = pTab->iPKey;\n assert( iCol==XN_ROWID || (iCol>=0 && iColnCol) );\n if( iCol<0 ){\n zType = \"INTEGER\";\n zOrigCol = \"rowid\";\n }else{\n zOrigCol = pTab->aCol[iCol].zName;\n zType = sqlite3ColumnType(&pTab->aCol[iCol],0);\n }\n zOrigTab = pTab->zName;\n if( pNC->pParse && pTab->pSchema ){\n int iDb = sqlite3SchemaToIndex(pNC->pParse->db, pTab->pSchema);\n zOrigDb = pNC->pParse->db->aDb[iDb].zDbSName;\n }\n#else\n assert( iCol==XN_ROWID || (iCol>=0 && iColnCol) );\n if( iCol<0 ){\n zType = \"INTEGER\";\n }else{\n zType = sqlite3ColumnType(&pTab->aCol[iCol],0);\n }\n#endif\n }\n break;\n }\n#ifndef SQLITE_OMIT_SUBQUERY\n case TK_SELECT: {\n /* The expression is a sub-select. 
Return the declaration type and\n ** origin info for the single column in the result set of the SELECT\n ** statement.\n */\n NameContext sNC;\n Select *pS = pExpr->x.pSelect;\n Expr *p = pS->pEList->a[0].pExpr;\n assert( ExprHasProperty(pExpr, EP_xIsSelect) );\n sNC.pSrcList = pS->pSrc;\n sNC.pNext = pNC;\n sNC.pParse = pNC->pParse;\n zType = columnType(&sNC, p, &zOrigDb, &zOrigTab, &zOrigCol); \n break;\n }\n#endif\n }\n\n#ifdef SQLITE_ENABLE_COLUMN_METADATA \n if( pzOrigDb ){\n assert( pzOrigTab && pzOrigCol );\n *pzOrigDb = zOrigDb;\n *pzOrigTab = zOrigTab;\n *pzOrigCol = zOrigCol;\n }\n#endif\n return zType;\n}", "project": "sqlite", "hash": 110967134761565832309122069186759818047, "size": 138, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246165 }, { "func": "static const char *selectOpName(int id){\n char *z;\n switch( id ){\n case TK_ALL: z = \"UNION ALL\"; break;\n case TK_INTERSECT: z = \"INTERSECT\"; break;\n case TK_EXCEPT: z = \"EXCEPT\"; break;\n default: z = \"UNION\"; break;\n }\n return z;\n}", "project": "sqlite", "hash": 35223973233851567032039396435707034300, "size": 10, "commit_id": "5f69512404cd2e5153ddf90ea277fbba6dd58ab7", "message": "Early-out on the INTERSECT query processing following an error.\n\nFossilOrigin-Name: a67cf5b7d37d5b1484be32092635faafd8f76e5881898cd9435517c4b287d663", "target": 0, "dataset": "other", "idx": 246172 }, { "func": "AP_DECLARE(apr_port_t) ap_get_server_port(const request_rec *r)\n{\n apr_port_t port;\n core_dir_config *d =\n (core_dir_config *)ap_get_core_module_config(r->per_dir_config);\n\n switch (d->use_canonical_name) {\n case USE_CANONICAL_NAME_OFF:\n case USE_CANONICAL_NAME_DNS:\n case USE_CANONICAL_NAME_UNSET:\n if (d->use_canonical_phys_port == USE_CANONICAL_PHYS_PORT_ON)\n port = 
r->parsed_uri.port_str ? r->parsed_uri.port :\n r->connection->local_addr->port ? r->connection->local_addr->port :\n r->server->port ? r->server->port :\n ap_default_port(r);\n else /* USE_CANONICAL_PHYS_PORT_OFF or USE_CANONICAL_PHYS_PORT_UNSET */\n port = r->parsed_uri.port_str ? r->parsed_uri.port :\n r->server->port ? r->server->port :\n ap_default_port(r);\n break;\n case USE_CANONICAL_NAME_ON:\n /* With UseCanonicalName on (and in all versions prior to 1.3)\n * Apache will use the hostname and port specified in the\n * ServerName directive to construct a canonical name for the\n * server. (If no port was specified in the ServerName\n * directive, Apache uses the port supplied by the client if\n * any is supplied, and finally the default port for the protocol\n * used.\n */\n if (d->use_canonical_phys_port == USE_CANONICAL_PHYS_PORT_ON)\n port = r->server->port ? r->server->port :\n r->connection->local_addr->port ? r->connection->local_addr->port :\n ap_default_port(r);\n else /* USE_CANONICAL_PHYS_PORT_OFF or USE_CANONICAL_PHYS_PORT_UNSET */\n port = r->server->port ? 
r->server->port :\n ap_default_port(r);\n break;\n default:\n ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00110)\n \"ap_get_server_port: Invalid UCN Option somehow\");\n port = ap_default_port(r);\n break;\n }\n\n return port;\n}", "project": "httpd", "hash": 67811033963417238378984130983113612540, "size": 46, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246271 }, { "func": "AP_DECLARE(int) ap_state_query(int query)\n{\n switch (query) {\n case AP_SQ_MAIN_STATE:\n return ap_main_state;\n case AP_SQ_RUN_MODE:\n return ap_run_mode;\n case AP_SQ_CONFIG_GEN:\n return ap_config_generation;\n default:\n return AP_SQ_NOT_SUPPORTED;\n }\n}", "project": "httpd", "hash": 332273874681954218101942411839968782433, "size": 13, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246283 }, { "func": "AP_DECLARE(const char *) ap_get_server_name(request_rec *r)\n{\n conn_rec *conn = r->connection;\n core_dir_config *d;\n const char *retval;\n\n d = (core_dir_config *)ap_get_core_module_config(r->per_dir_config);\n\n switch (d->use_canonical_name) {\n case USE_CANONICAL_NAME_ON:\n retval = r->server->server_hostname;\n break;\n case 
USE_CANONICAL_NAME_DNS:\n if (conn->local_host == NULL) {\n if (apr_getnameinfo(&conn->local_host,\n conn->local_addr, 0) != APR_SUCCESS)\n conn->local_host = apr_pstrdup(conn->pool,\n r->server->server_hostname);\n else {\n ap_str_tolower(conn->local_host);\n }\n }\n retval = conn->local_host;\n break;\n case USE_CANONICAL_NAME_OFF:\n case USE_CANONICAL_NAME_UNSET:\n retval = r->hostname ? r->hostname : r->server->server_hostname;\n break;\n default:\n ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00109)\n \"ap_get_server_name: Invalid UCN Option somehow\");\n retval = \"localhost\";\n break;\n }\n return retval;\n}", "project": "httpd", "hash": 68147864042691929112202686424230082180, "size": 36, "commit_id": "4cc27823899e070268b906ca677ee838d07cf67a", "message": "core: Disallow Methods' registration at run time (.htaccess), they may be\nused only if registered at init time (httpd.conf).\n\nCalling ap_method_register() in children processes is not the right scope\nsince it won't be shared for all requests.\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 246316 }, { "func": "GF_EXPORT\nGF_GenericSampleDescription *gf_isom_get_generic_sample_description(GF_ISOFile *movie, u32 trackNumber, u32 StreamDescriptionIndex)\n{\n\tGF_GenericVisualSampleEntryBox *entry;\n\tGF_GenericAudioSampleEntryBox *gena;\n\tGF_GenericSampleEntryBox *genm;\n\tGF_TrackBox *trak;\n\tGF_GenericSampleDescription *udesc;\n\ttrak = gf_isom_get_track_from_file(movie, trackNumber);\n\tif (!trak || !StreamDescriptionIndex || !trak->Media || !trak->Media->information || !trak->Media->information->sampleTable) return 0;\n\n\tentry = (GF_GenericVisualSampleEntryBox *)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, StreamDescriptionIndex-1);\n\t//no entry or MPEG entry:\n\tif (!entry || IsMP4Description(entry->type) ) return NULL;\n\t//if we handle the 
description return false\n\tswitch (entry->type) {\n\tcase GF_ISOM_SUBTYPE_3GP_AMR:\n\tcase GF_ISOM_SUBTYPE_3GP_AMR_WB:\n\tcase GF_ISOM_SUBTYPE_3GP_EVRC:\n\tcase GF_ISOM_SUBTYPE_3GP_QCELP:\n\tcase GF_ISOM_SUBTYPE_3GP_SMV:\n\tcase GF_ISOM_SUBTYPE_3GP_H263:\n\t\treturn NULL;\n\tcase GF_ISOM_BOX_TYPE_GNRV:\n\t\tGF_SAFEALLOC(udesc, GF_GenericSampleDescription);\n\t\tif (!udesc) return NULL;\n\t\tif (entry->EntryType == GF_ISOM_BOX_TYPE_UUID) {\n\t\t\tmemcpy(udesc->UUID, ((GF_UUIDBox*)entry)->uuid, sizeof(bin128));\n\t\t} else {\n\t\t\tudesc->codec_tag = entry->EntryType;\n\t\t}\n\t\tudesc->version = entry->version;\n\t\tudesc->revision = entry->revision;\n\t\tudesc->vendor_code = entry->vendor;\n\t\tudesc->temporal_quality = entry->temporal_quality;\n\t\tudesc->spatial_quality = entry->spatial_quality;\n\t\tudesc->width = entry->Width;\n\t\tudesc->height = entry->Height;\n\t\tudesc->h_res = entry->horiz_res;\n\t\tudesc->v_res = entry->vert_res;\n\t\tstrcpy(udesc->compressor_name, entry->compressor_name);\n\t\tudesc->depth = entry->bit_depth;\n\t\tudesc->color_table_index = entry->color_table_index;\n\t\tif (entry->data_size) {\n\t\t\tudesc->extension_buf_size = entry->data_size;\n\t\t\tudesc->extension_buf = (char*)gf_malloc(sizeof(char) * entry->data_size);\n\t\t\tif (!udesc->extension_buf) {\n\t\t\t\tgf_free(udesc);\n\t\t\t\treturn NULL;\n\t\t\t}\n\t\t\tmemcpy(udesc->extension_buf, entry->data, entry->data_size);\n\t\t}\n\t\treturn udesc;\n\tcase GF_ISOM_BOX_TYPE_GNRA:\n\t\tgena = (GF_GenericAudioSampleEntryBox *)entry;\n\t\tGF_SAFEALLOC(udesc, GF_GenericSampleDescription);\n\t\tif (!udesc) return NULL;\n\t\tif (gena->EntryType == GF_ISOM_BOX_TYPE_UUID) {\n\t\t\tmemcpy(udesc->UUID, ((GF_UUIDBox*)gena)->uuid, sizeof(bin128));\n\t\t} else {\n\t\t\tudesc->codec_tag = gena->EntryType;\n\t\t}\n\t\tudesc->version = gena->version;\n\t\tudesc->revision = gena->revision;\n\t\tudesc->vendor_code = gena->vendor;\n\t\tudesc->samplerate = 
gena->samplerate_hi;\n\t\tudesc->bits_per_sample = gena->bitspersample;\n\t\tudesc->nb_channels = gena->channel_count;\n\t\tif (gena->data_size) {\n\t\t\tudesc->extension_buf_size = gena->data_size;\n\t\t\tudesc->extension_buf = (char*)gf_malloc(sizeof(char) * gena->data_size);\n\t\t\tif (!udesc->extension_buf) {\n\t\t\t\tgf_free(udesc);\n\t\t\t\treturn NULL;\n\t\t\t}\n\t\t\tmemcpy(udesc->extension_buf, gena->data, gena->data_size);\n\t\t}\n\t\treturn udesc;\n\tcase GF_ISOM_BOX_TYPE_GNRM:\n\t\tgenm = (GF_GenericSampleEntryBox *)entry;\n\t\tGF_SAFEALLOC(udesc, GF_GenericSampleDescription);\n\t\tif (!udesc) return NULL;\n\t\tif (genm->EntryType == GF_ISOM_BOX_TYPE_UUID) {\n\t\t\tmemcpy(udesc->UUID, ((GF_UUIDBox*)genm)->uuid, sizeof(bin128));\n\t\t} else {\n\t\t\tudesc->codec_tag = genm->EntryType;\n\t\t}\n\t\tif (genm->data_size) {\n\t\t\tudesc->extension_buf_size = genm->data_size;\n\t\t\tudesc->extension_buf = (char*)gf_malloc(sizeof(char) * genm->data_size);\n\t\t\tif (!udesc->extension_buf) {\n\t\t\t\tgf_free(udesc);\n\t\t\t\treturn NULL;\n\t\t\t}\n\t\t\tmemcpy(udesc->extension_buf, genm->data, genm->data_size);\n\t\t}\n\t\treturn udesc;\n\t}\n\treturn NULL;", "project": "gpac", "hash": 194295898800021935461285267675065852201, "size": 99, "commit_id": "984787de3d414a5f7d43d0b4584d9469dff2a5a5", "message": "fixed #1784 (fuzz)", "target": 0, "dataset": "other", "idx": 246828 }, { "func": "connection_get_state (request_state_t state)\n{\n switch (state) {\n case CON_STATE_CONNECT: return \"connect\";\n case CON_STATE_READ: return \"read\";\n case CON_STATE_READ_POST: return \"readpost\";\n case CON_STATE_WRITE: return \"write\";\n case CON_STATE_CLOSE: return \"close\";\n case CON_STATE_ERROR: return \"error\";\n case CON_STATE_HANDLE_REQUEST: return \"handle-req\";\n case CON_STATE_REQUEST_START: return \"req-start\";\n case CON_STATE_REQUEST_END: return \"req-end\";\n case CON_STATE_RESPONSE_START: return \"resp-start\";\n case CON_STATE_RESPONSE_END: return 
\"resp-end\";\n default: return \"(unknown)\";\n }\n}", "project": "lighttpd1.4", "hash": 106259017360068847832381420207124453069, "size": 17, "commit_id": "b03b86f47b0d5a553137f081fadc482b4af1372d", "message": "[core] fix merging large headers across mult reads (fixes #3059)\n\n(thx mitd)\n\nx-ref:\n \"Connections stuck in Close_Wait causing 100% cpu usage\"\n https://redmine.lighttpd.net/issues/3059", "target": 0, "dataset": "other", "idx": 251482 }, { "func": " void Compute(OpKernelContext* context) override {\n const Tensor& input = context->input(0);\n const Tensor& seq_lengths = context->input(1);\n\n // Preliminary validation of sizes.\n OP_REQUIRES(context, TensorShapeUtils::IsVector(seq_lengths.shape()),\n errors::InvalidArgument(\"seq_lengths must be 1-dim, not \",\n seq_lengths.dims()));\n\n auto seq_lens_t = seq_lengths.vec();\n\n CheckErrors(context, batch_dim_, seq_dim_);\n if (!context->status().ok()) return;\n\n const int input_dims = input.dims();\n\n Tensor* output = nullptr;\n OP_REQUIRES_OK(context,\n context->allocate_output(0, input.shape(), &output));\n\n#define HANDLE_DIM(NDIM) \\\n case NDIM: \\\n functor::ReverseSequence::Compute( \\\n context->eigen_device(), input.tensor(), batch_dim_, \\\n seq_dim_, seq_lens_t, output->tensor()); \\\n break;\n\n switch (input_dims) {\n HANDLE_DIM(2);\n HANDLE_DIM(3);\n HANDLE_DIM(4);\n HANDLE_DIM(5);\n\n default:\n OP_REQUIRES(context, false,\n errors::InvalidArgument(\n \"ReverseSequenceOp : Unhandled input dimensions: \",\n input_dims));\n }\n }", "project": "tensorflow", "hash": 59180093989860695722256660376750900318, "size": 40, "commit_id": "ecf768cbe50cedc0a45ce1ee223146a3d3d26d23", "message": "Add missing validations to reverse_sequence_op\n\nPiperOrigin-RevId: 372178683\nChange-Id: Iac97ebab5b342f1262c77a7d9bcb4267b305ce5b", "target": 0, "dataset": "other", "idx": 258255 }, { "func": "iasecc_card_ctl(struct sc_card *card, unsigned long cmd, void *ptr)\n{\n\tstruct sc_context *ctx = 
card->ctx;\n\tstruct iasecc_sdo *sdo = (struct iasecc_sdo *) ptr;\n\n\tswitch (cmd) {\n\tcase SC_CARDCTL_GET_SERIALNR:\n\t\treturn iasecc_get_serialnr(card, (struct sc_serial_number *)ptr);\n\tcase SC_CARDCTL_IASECC_SDO_CREATE:\n\t\tsc_log(ctx, \"CMD SC_CARDCTL_IASECC_SDO_CREATE: sdo_class %X\", sdo->sdo_class);\n\t\treturn iasecc_sdo_create(card, (struct iasecc_sdo *) ptr);\n\tcase SC_CARDCTL_IASECC_SDO_DELETE:\n\t\tsc_log(ctx, \"CMD SC_CARDCTL_IASECC_SDO_DELETE: sdo_class %X\", sdo->sdo_class);\n\t\treturn iasecc_sdo_delete(card, (struct iasecc_sdo *) ptr);\n\tcase SC_CARDCTL_IASECC_SDO_PUT_DATA:\n\t\tsc_log(ctx, \"CMD SC_CARDCTL_IASECC_SDO_PUT_DATA: sdo_class %X\", sdo->sdo_class);\n\t\treturn iasecc_sdo_put_data(card, (struct iasecc_sdo_update *) ptr);\n\tcase SC_CARDCTL_IASECC_SDO_KEY_RSA_PUT_DATA:\n\t\tsc_log(ctx, \"CMD SC_CARDCTL_IASECC_SDO_KEY_RSA_PUT_DATA\");\n\t\treturn iasecc_sdo_key_rsa_put_data(card, (struct iasecc_sdo_rsa_update *) ptr);\n\tcase SC_CARDCTL_IASECC_SDO_GET_DATA:\n\t\tsc_log(ctx, \"CMD SC_CARDCTL_IASECC_SDO_GET_DATA: sdo_class %X\", sdo->sdo_class);\n\t\treturn iasecc_sdo_get_data(card, (struct iasecc_sdo *) ptr);\n\tcase SC_CARDCTL_IASECC_SDO_GENERATE:\n\t\tsc_log(ctx, \"CMD SC_CARDCTL_IASECC_SDO_GET_DATA: sdo_class %X\", sdo->sdo_class);\n\t\treturn iasecc_sdo_generate(card, (struct iasecc_sdo *) ptr);\n\tcase SC_CARDCTL_GET_SE_INFO:\n\t\tsc_log(ctx, \"CMD SC_CARDCTL_GET_SE_INFO: sdo_class %X\", sdo->sdo_class);\n\t\treturn iasecc_se_get_info(card, (struct iasecc_se_info *) ptr);\n\tcase SC_CARDCTL_GET_CHV_REFERENCE_IN_SE:\n\t\tsc_log(ctx, \"CMD SC_CARDCTL_GET_CHV_REFERENCE_IN_SE\");\n\t\treturn iasecc_get_chv_reference_from_se(card, (int *)ptr);\n\tcase SC_CARDCTL_IASECC_GET_FREE_KEY_REFERENCE:\n\t\tsc_log(ctx, \"CMD SC_CARDCTL_IASECC_GET_FREE_KEY_REFERENCE\");\n\t\treturn iasecc_get_free_reference(card, (struct iasecc_ctl_get_free_reference *)ptr);\n\t}\n\treturn SC_ERROR_NOT_SUPPORTED;\n}", "project": "OpenSC", "hash": 
72998734851917176293238755493584766764, "size": 38, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263061 }, { "func": "iasecc_sdo_tag_from_class(unsigned sdo_class)\n{\n\tswitch (sdo_class & ~IASECC_OBJECT_REF_LOCAL) {\n\tcase IASECC_SDO_CLASS_CHV:\n\t\treturn IASECC_SDO_CHV_TAG;\n\tcase IASECC_SDO_CLASS_RSA_PRIVATE:\n\t\treturn IASECC_SDO_PRVKEY_TAG;\n\tcase IASECC_SDO_CLASS_RSA_PUBLIC:\n\t\treturn IASECC_SDO_PUBKEY_TAG;\n\tcase IASECC_SDO_CLASS_SE:\n\t\treturn IASECC_SDO_CLASS_SE;\n\tcase IASECC_SDO_CLASS_KEYSET:\n\t\treturn IASECC_SDO_KEYSET_TAG;\n\t}\n\n\treturn -1;\n}", "project": "OpenSC", "hash": 332947271983121803194249464976275618109, "size": 17, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263088 }, { "func": "iasecc_pin_cmd(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx, \"iasecc_pin_cmd() cmd 0x%X, PIN type 0x%X, PIN reference %i, PIN-1 %p:%i, PIN-2 %p:%i\",\n\t\t\tdata->cmd, data->pin_type, data->pin_reference,\n\t\t\tdata->pin1.data, data->pin1.len, data->pin2.data, data->pin2.len);\n\n\tswitch (data->cmd) {\n\tcase SC_PIN_CMD_VERIFY:\n\t\trv = iasecc_pin_verify(card, data, tries_left);\n\t\tbreak;\n\tcase SC_PIN_CMD_CHANGE:\n\t\tif (data->pin_type == SC_AC_AUT)\n\t\t\trv = iasecc_keyset_change(card, data, tries_left);\n\t\telse\n\t\t\trv = iasecc_pin_change(card, data, tries_left);\n\t\tbreak;\n\tcase SC_PIN_CMD_UNBLOCK:\n\t\trv = iasecc_pin_reset(card, data, tries_left);\n\t\tbreak;\n\tcase SC_PIN_CMD_GET_INFO:\n\t\trv 
= iasecc_pin_get_info(card, data, tries_left);\n\t\tbreak;\n\tdefault:\n\t\tsc_log(ctx, \"Other pin commands not supported yet: 0x%X\", data->cmd);\n\t\trv = SC_ERROR_NOT_SUPPORTED;\n\t}\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 151679784781007544795276635858439944398, "size": 33, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263098 }, { "func": "\nstatic void *sgpd_parse_entry(u32 grouping_type, GF_BitStream *bs, u32 entry_size, u32 *total_bytes)\n{\n\tBool null_size_ok = GF_FALSE;\n\tGF_DefaultSampleGroupDescriptionEntry *def_ptr;\n\n\tswitch (grouping_type) {\n\tcase GF_ISOM_SAMPLE_GROUP_ROLL:\n\tcase GF_ISOM_SAMPLE_GROUP_PROL:\n\t{\n\t\tGF_RollRecoveryEntry *ptr;\n\t\tGF_SAFEALLOC(ptr, GF_RollRecoveryEntry);\n\t\tif (!ptr) return NULL;\n\t\tptr->roll_distance = gf_bs_read_int(bs, 16);\n\t\t*total_bytes = 2;\n\t\treturn ptr;\n\t}\n\tcase GF_ISOM_SAMPLE_GROUP_RAP:\n\t{\n\t\tGF_VisualRandomAccessEntry *ptr;\n\t\tGF_SAFEALLOC(ptr, GF_VisualRandomAccessEntry);\n\t\tif (!ptr) return NULL;\n\t\tptr->num_leading_samples_known = gf_bs_read_int(bs, 1);\n\t\tptr->num_leading_samples = gf_bs_read_int(bs, 7);\n\t\t*total_bytes = 1;\n\t\treturn ptr;\n\t}\n\tcase GF_ISOM_SAMPLE_GROUP_SAP:\n\t{\n\t\tGF_SAPEntry *ptr;\n\t\tGF_SAFEALLOC(ptr, GF_SAPEntry);\n\t\tif (!ptr) return NULL;\n\t\tptr->dependent_flag = gf_bs_read_int(bs, 1);\n\t\tgf_bs_read_int(bs, 3);\n\t\tptr->SAP_type = gf_bs_read_int(bs, 4);\n\t\t*total_bytes = 1;\n\t\treturn ptr;\n\t}\n\tcase GF_ISOM_SAMPLE_GROUP_SYNC:\n\t{\n\t\tGF_SYNCEntry *ptr;\n\t\tGF_SAFEALLOC(ptr, GF_SYNCEntry);\n\t\tif (!ptr) return NULL;\n\t\tgf_bs_read_int(bs, 2);\n\t\tptr->NALU_type = gf_bs_read_int(bs, 6);\n\t\t*total_bytes = 1;\n\t\treturn ptr;\n\t}\n\tcase 
GF_ISOM_SAMPLE_GROUP_TELE:\n\t{\n\t\tGF_TemporalLevelEntry *ptr;\n\t\tGF_SAFEALLOC(ptr, GF_TemporalLevelEntry);\n\t\tif (!ptr) return NULL;\n\t\tptr->level_independently_decodable = gf_bs_read_int(bs, 1);\n\t\tgf_bs_read_int(bs, 7);\n\t\t*total_bytes = 1;\n\t\treturn ptr;\n\t}\n\tcase GF_ISOM_SAMPLE_GROUP_SEIG:\n\t{\n\t\tGF_CENCSampleEncryptionGroupEntry *ptr;\n\t\tGF_SAFEALLOC(ptr, GF_CENCSampleEncryptionGroupEntry);\n\t\tif (!ptr) return NULL;\n\t\tgf_bs_read_u8(bs); //reserved\n\t\tptr->crypt_byte_block = gf_bs_read_int(bs, 4);\n\t\tptr->skip_byte_block = gf_bs_read_int(bs, 4);\n\t\tptr->IsProtected = gf_bs_read_u8(bs);\n\t\tptr->Per_Sample_IV_size = gf_bs_read_u8(bs);\n\t\tgf_bs_read_data(bs, (char *)ptr->KID, 16);\n\t\t*total_bytes = 20;\n\t\tif ((ptr->IsProtected == 1) && !ptr->Per_Sample_IV_size) {\n\t\t\tptr->constant_IV_size = gf_bs_read_u8(bs);\n\t\t\tif ((ptr->constant_IV_size != 8) && (ptr->constant_IV_size != 16)) {\n\t\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] seig sample group have invalid constant_IV size\\n\"));\n\t\t\t\tgf_free(ptr);\n\t\t\t\treturn NULL;\n\t\t\t}\n\t\t\tgf_bs_read_data(bs, (char *)ptr->constant_IV, ptr->constant_IV_size);\n\t\t\t*total_bytes += 1 + ptr->constant_IV_size;\n\t\t}\n\t\tif (!entry_size) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] seig sample group does not indicate entry size, deprecated in spec\\n\"));\n\t\t}\n\t\treturn ptr;\n\t}\n\tcase GF_ISOM_SAMPLE_GROUP_OINF:\n\t{\n\t\tGF_OperatingPointsInformation *ptr = gf_isom_oinf_new_entry();\n\t\tu32 s = (u32) gf_bs_get_position(bs);\n\t\tgf_isom_oinf_read_entry(ptr, bs);\n\t\t*total_bytes = (u32) gf_bs_get_position(bs) - s;\n\t\tif (!entry_size) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] oinf sample group does not indicate entry size, deprecated in spec\\n\"));\n\t\t}\n\t\treturn ptr;\n\t}\n\tcase GF_ISOM_SAMPLE_GROUP_LINF:\n\t{\n\t\tGF_LHVCLayerInformation *ptr = gf_isom_linf_new_entry();\n\t\tu32 s = (u32) 
gf_bs_get_position(bs);\n\t\tgf_isom_linf_read_entry(ptr, bs);\n\t\t*total_bytes = (u32) gf_bs_get_position(bs) - s;\n\t\tif (!entry_size) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] linf sample group does not indicate entry size, deprecated in spec\\n\"));\n\t\t}\n\t\treturn ptr;\n\t}\n\n\tcase GF_ISOM_SAMPLE_GROUP_TRIF:\n\t\tif (! entry_size) {\n\t\t\tu32 flags = gf_bs_peek_bits(bs, 24, 0);\n\t\t\tif (flags & 0x10000) entry_size=3;\n\t\t\telse {\n\t\t\t\tif (flags & 0x80000) entry_size=7;\n\t\t\t\telse entry_size=11;\n\t\t\t\t//have dependency list\n\t\t\t\tif (flags & 0x200000) {\n\t\t\t\t\tu32 nb_entries = gf_bs_peek_bits(bs, 16, entry_size);\n\t\t\t\t\tentry_size += 2 + 2*nb_entries;\n\t\t\t\t}\n\t\t\t}\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] trif sample group does not indicate entry size, deprecated in spec\\n\"));\n\t\t}\n\t\tbreak;\n\tcase GF_ISOM_SAMPLE_GROUP_NALM:\n\t\tif (! entry_size) {\n\t\t\tu64 start = gf_bs_get_position(bs);\n\t\t\tBool rle, large_size;\n\t\t\tu32 entry_count;\n\t\t\tgf_bs_read_int(bs, 6);\n\t\t\tlarge_size = gf_bs_read_int(bs, 1);\n\t\t\trle = gf_bs_read_int(bs, 1);\n\t\t\tentry_count = gf_bs_read_int(bs, large_size ? 16 : 8);\n\t\t\tgf_bs_seek(bs, start);\n\t\t\tentry_size = 1 + (large_size ? 2 : 1);\n\t\t\tentry_size += entry_count * 2;\n\t\t\tif (rle) entry_size += entry_count * (large_size ? 
2 : 1);\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] nalm sample group does not indicate entry size, deprecated in spec\\n\"));\n\t\t}\n\t\tbreak;\n\n\tcase GF_ISOM_SAMPLE_GROUP_TSAS:\n\tcase GF_ISOM_SAMPLE_GROUP_STSA:\n\t\tnull_size_ok = GF_TRUE;\n\t\tbreak;\n\t//TODO, add support for these ones ?\n\tcase GF_ISOM_SAMPLE_GROUP_TSCL:\n\t\tentry_size = 20;\n\t\tbreak;\n\tcase GF_ISOM_SAMPLE_GROUP_LBLI:\n\t\tentry_size = 2;\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\n\tif (!entry_size && !null_size_ok) {\n\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[iso file] %s sample group does not indicate entry size and is not implemented, cannot parse!\\n\", gf_4cc_to_str( grouping_type) ));\n\t\treturn NULL;\n\t}\n\tGF_SAFEALLOC(def_ptr, GF_DefaultSampleGroupDescriptionEntry);\n\tif (!def_ptr) return NULL;\n\tif (entry_size) {\n\t\tdef_ptr->length = entry_size;\n\t\tdef_ptr->data = (u8 *) gf_malloc(sizeof(u8)*def_ptr->length);\n\t\tif (!def_ptr->data) {\n\t\t\tgf_free(def_ptr);\n\t\t\treturn NULL;\n\t\t}\n\t\tgf_bs_read_data(bs, (char *) def_ptr->data, def_ptr->length);\n\t\t*total_bytes = entry_size;\n\t}\n\treturn def_ptr;", "project": "gpac", "hash": 31932051793300972311683797123417242105, "size": 173, "commit_id": "388ecce75d05e11fc8496aa4857b91245007d26e", "message": "fixed #1587", "target": 0, "dataset": "other", "idx": 264852 }, { "func": "static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,\n\t\t\t\t\t\tu8 *data, int len, int *dir)\n{\n\tstruct net *net = sock_net(sk);\n\tstruct xfrm_policy *xp;\n\tstruct sadb_x_policy *pol = (struct sadb_x_policy*)data;\n\tstruct sadb_x_sec_ctx *sec_ctx;\n\n\tswitch (sk->sk_family) {\n\tcase AF_INET:\n\t\tif (opt != IP_IPSEC_POLICY) {\n\t\t\t*dir = -EOPNOTSUPP;\n\t\t\treturn NULL;\n\t\t}\n\t\tbreak;\n#if IS_ENABLED(CONFIG_IPV6)\n\tcase AF_INET6:\n\t\tif (opt != IPV6_IPSEC_POLICY) {\n\t\t\t*dir = -EOPNOTSUPP;\n\t\t\treturn NULL;\n\t\t}\n\t\tbreak;\n#endif\n\tdefault:\n\t\t*dir = 
-EINVAL;\n\t\treturn NULL;\n\t}\n\n\t*dir = -EINVAL;\n\n\tif (len < sizeof(struct sadb_x_policy) ||\n\t pol->sadb_x_policy_len*8 > len ||\n\t pol->sadb_x_policy_type > IPSEC_POLICY_BYPASS ||\n\t (!pol->sadb_x_policy_dir || pol->sadb_x_policy_dir > IPSEC_DIR_OUTBOUND))\n\t\treturn NULL;\n\n\txp = xfrm_policy_alloc(net, GFP_ATOMIC);\n\tif (xp == NULL) {\n\t\t*dir = -ENOBUFS;\n\t\treturn NULL;\n\t}\n\n\txp->action = (pol->sadb_x_policy_type == IPSEC_POLICY_DISCARD ?\n\t\t XFRM_POLICY_BLOCK : XFRM_POLICY_ALLOW);\n\n\txp->lft.soft_byte_limit = XFRM_INF;\n\txp->lft.hard_byte_limit = XFRM_INF;\n\txp->lft.soft_packet_limit = XFRM_INF;\n\txp->lft.hard_packet_limit = XFRM_INF;\n\txp->family = sk->sk_family;\n\n\txp->xfrm_nr = 0;\n\tif (pol->sadb_x_policy_type == IPSEC_POLICY_IPSEC &&\n\t (*dir = parse_ipsecrequests(xp, pol)) < 0)\n\t\tgoto out;\n\n\t/* security context too */\n\tif (len >= (pol->sadb_x_policy_len*8 +\n\t sizeof(struct sadb_x_sec_ctx))) {\n\t\tchar *p = (char *)pol;\n\t\tstruct xfrm_user_sec_ctx *uctx;\n\n\t\tp += pol->sadb_x_policy_len*8;\n\t\tsec_ctx = (struct sadb_x_sec_ctx *)p;\n\t\tif (len < pol->sadb_x_policy_len*8 +\n\t\t sec_ctx->sadb_x_sec_len*8) {\n\t\t\t*dir = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\t\tif ((*dir = verify_sec_ctx_len(p)))\n\t\t\tgoto out;\n\t\tuctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx, GFP_ATOMIC);\n\t\t*dir = security_xfrm_policy_alloc(&xp->security, uctx, GFP_ATOMIC);\n\t\tkfree(uctx);\n\n\t\tif (*dir)\n\t\t\tgoto out;\n\t}\n\n\t*dir = pol->sadb_x_policy_dir-1;\n\treturn xp;\n\nout:\n\txp->walk.dead = 1;\n\txfrm_policy_destroy(xp);\n\treturn NULL;\n}", "project": "linux", "hash": 41850599007027904392631976270763348257, "size": 87, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) 
Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268032 }, { "func": "pfkey_satype2proto(uint8_t satype)\n{\n\tswitch (satype) {\n\tcase SADB_SATYPE_UNSPEC:\n\t\treturn IPSEC_PROTO_ANY;\n\tcase SADB_SATYPE_AH:\n\t\treturn IPPROTO_AH;\n\tcase SADB_SATYPE_ESP:\n\t\treturn IPPROTO_ESP;\n\tcase SADB_X_SATYPE_IPCOMP:\n\t\treturn IPPROTO_COMP;\n\tdefault:\n\t\treturn 0;\n\t}\n\t/* NOTREACHED */\n}", "project": "linux", "hash": 168503135020871623538963289939855804592, "size": 16, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268047 }, { "func": "pfkey_proto2satype(uint16_t proto)\n{\n\tswitch (proto) {\n\tcase IPPROTO_AH:\n\t\treturn SADB_SATYPE_AH;\n\tcase IPPROTO_ESP:\n\t\treturn SADB_SATYPE_ESP;\n\tcase IPPROTO_COMP:\n\t\treturn SADB_X_SATYPE_IPCOMP;\n\tdefault:\n\t\treturn 0;\n\t}\n\t/* NOTREACHED */\n}", "project": "linux", "hash": 36247537782274679487733404191484610791, "size": 14, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268061 }, { "func": "static struct xfrm_state *pfkey_xfrm_state_lookup(struct net *net, const struct sadb_msg *hdr, void * const *ext_hdrs)\n{\n\tconst struct sadb_sa *sa;\n\tconst struct sadb_address *addr;\n\tuint16_t proto;\n\tunsigned short family;\n\txfrm_address_t *xaddr;\n\n\tsa = ext_hdrs[SADB_EXT_SA - 1];\n\tif (sa == NULL)\n\t\treturn NULL;\n\n\tproto = pfkey_satype2proto(hdr->sadb_msg_satype);\n\tif (proto == 0)\n\t\treturn NULL;\n\n\t/* sadb_address_len should be checked by caller */\n\taddr = ext_hdrs[SADB_EXT_ADDRESS_DST - 1];\n\tif (addr == NULL)\n\t\treturn NULL;\n\n\tfamily = ((const struct sockaddr *)(addr + 1))->sa_family;\n\tswitch (family) {\n\tcase AF_INET:\n\t\txaddr = (xfrm_address_t *)&((const struct sockaddr_in *)(addr + 1))->sin_addr;\n\t\tbreak;\n#if IS_ENABLED(CONFIG_IPV6)\n\tcase AF_INET6:\n\t\txaddr = (xfrm_address_t *)&((const struct sockaddr_in6 *)(addr + 1))->sin6_addr;\n\t\tbreak;\n#endif\n\tdefault:\n\t\txaddr = NULL;\n\t}\n\n\tif (!xaddr)\n\t\treturn NULL;\n\n\treturn xfrm_state_lookup(net, DUMMY_MARK, xaddr, sa->sadb_sa_spi, proto, family);\n}", "project": "linux", "hash": 150430795809414232994992111797790463046, "size": 40, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 
3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268087 }, { "func": "R_API const char *r_str_sysbits(const int v) {\n\tswitch (v) {\n\tcase R_SYS_BITS_8: return \"8\";\n\tcase R_SYS_BITS_16: return \"16\";\n\tcase R_SYS_BITS_32: return \"32\";\n\tcase R_SYS_BITS_64: return \"64\";\n\tcase R_SYS_BITS_16 | R_SYS_BITS_32: return \"16,32\";\n\tcase R_SYS_BITS_16 | R_SYS_BITS_32 | R_SYS_BITS_64: return \"16,32,64\";\n\tcase R_SYS_BITS_32 | R_SYS_BITS_64: return \"32,64\";\n\t}\n\treturn \"?\";\n}", "project": "radare2", "hash": 293897541751532136411477101525522443405, "size": 12, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268862 }, { "func": "const char *Commissioner::StateToString(otCommissionerState aState)\n{\n const char *str = \"Unknown\";\n\n switch (aState)\n {\n case OT_COMMISSIONER_STATE_DISABLED:\n str = \"disabled\";\n break;\n case OT_COMMISSIONER_STATE_PETITION:\n str = \"petition\";\n break;\n case OT_COMMISSIONER_STATE_ACTIVE:\n str = \"active\";\n break;\n default:\n break;\n }\n\n return str;\n}", "project": "openthread", "hash": 1930010485146281491629469090231664333, "size": 21, "commit_id": "c3a3a0c424322009fec3ab735fb20ce8f6e19e70", "message": "[commissioner] use strnlen instead of strlen (#4404)", "target": 0, "dataset": "other", "idx": 269866 }, { "func": "cardos_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)\n{\n\tswitch (cmd) {\n\tcase SC_CARDCTL_CARDOS_PUT_DATA_FCI:\n\t\tbreak;\n\tcase SC_CARDCTL_CARDOS_PUT_DATA_OCI:\n\t\treturn cardos_put_data_oci(card,\n\t\t\t(struct sc_cardctl_cardos_obj_info *) ptr);\n\t\tbreak;\n\tcase SC_CARDCTL_CARDOS_PUT_DATA_SECI:\n\t\treturn cardos_put_data_seci(card,\n\t\t\t(struct sc_cardctl_cardos_obj_info *) ptr);\n\t\tbreak;\n\tcase SC_CARDCTL_CARDOS_GENERATE_KEY:\n\t\treturn cardos_generate_key(card,\n\t\t\t(struct sc_cardctl_cardos_genkey_info *) ptr);\n\tcase SC_CARDCTL_CARDOS_PASS_ALGO_FLAGS:\n\t\treturn cardos_pass_algo_flags(card,\n\t\t\t(struct sc_cardctl_cardos_pass_algo_flags *) ptr);\n\tcase SC_CARDCTL_LIFECYCLE_GET:\n\t\treturn 
cardos_lifecycle_get(card, (int *) ptr);\n\tcase SC_CARDCTL_LIFECYCLE_SET:\n\t\treturn cardos_lifecycle_set(card, (int *) ptr);\n\tcase SC_CARDCTL_GET_SERIALNR:\n\t\treturn cardos_get_serialnr(card, (sc_serial_number_t *)ptr);\n\t}\n\treturn SC_ERROR_NOT_SUPPORTED;\n}", "project": "OpenSC", "hash": 226954139493038915232935041063281782422, "size": 28, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270680 }, { "func": "GF_EdtsEntry *CreateEditEntry(u64 EditDuration, u64 MediaTime, u8 EditMode)\n{\n\tGF_EdtsEntry *ent;\n\n\tent = (GF_EdtsEntry*)gf_malloc(sizeof(GF_EdtsEntry));\n\tif (!ent) return NULL;\n\n\tswitch (EditMode) {\n\tcase GF_ISOM_EDIT_EMPTY:\n\t\tent->mediaRate = 0x10000;\n\t\tent->mediaTime = -1;\n\t\tbreak;\n\n\tcase GF_ISOM_EDIT_DWELL:\n\t\tent->mediaRate = 0;\n\t\tent->mediaTime = MediaTime;\n\t\tbreak;\n\tdefault:\n\t\tent->mediaRate = 0x10000;\n\t\tent->mediaTime = MediaTime;\n\t\tbreak;\n\t}\n\tent->segmentDuration = EditDuration;\n\treturn ent;\n}", "project": "gpac", "hash": 175731278679126821792531473489986429645, "size": 25, "commit_id": "fe5155cf047252d1c4cb91602048bfa682af0ea7", "message": "fixed #1783 (fuzz)", "target": 0, "dataset": "other", "idx": 271710 }, { "func": "gc_gray_counts(mrb_state *mrb, mrb_gc *gc, struct RBasic *obj)\n{\n size_t children = 0;\n\n switch (obj->tt) {\n case MRB_TT_ICLASS:\n children++;\n break;\n\n case MRB_TT_CLASS:\n case MRB_TT_SCLASS:\n case MRB_TT_MODULE:\n {\n struct RClass *c = (struct RClass*)obj;\n\n children += mrb_gc_mark_iv_size(mrb, (struct RObject*)obj);\n children += mrb_gc_mark_mt_size(mrb, c);\n children++;\n }\n break;\n\n case MRB_TT_OBJECT:\n case MRB_TT_DATA:\n case MRB_TT_EXCEPTION:\n children += mrb_gc_mark_iv_size(mrb, (struct RObject*)obj);\n break;\n\n case MRB_TT_ENV:\n 
children += MRB_ENV_LEN(obj);\n break;\n\n case MRB_TT_FIBER:\n {\n struct mrb_context *c = ((struct RFiber*)obj)->cxt;\n size_t i;\n mrb_callinfo *ci;\n\n if (!c || c->status == MRB_FIBER_TERMINATED) break;\n\n /* mark stack */\n i = c->stack - c->stbase;\n\n if (c->ci) {\n i += ci_nregs(c->ci);\n }\n if (c->stbase + i > c->stend) i = c->stend - c->stbase;\n children += i;\n\n /* mark ensure stack */\n children += c->eidx;\n\n /* mark closure */\n if (c->cibase) {\n for (i=0, ci = c->cibase; ci <= c->ci; i++, ci++)\n ;\n }\n children += i;\n }\n break;\n\n case MRB_TT_ARRAY:\n {\n struct RArray *a = (struct RArray*)obj;\n children += ARY_LEN(a);\n }\n break;\n\n case MRB_TT_HASH:\n children += mrb_gc_mark_iv_size(mrb, (struct RObject*)obj);\n children += mrb_gc_mark_hash_size(mrb, (struct RHash*)obj);\n break;\n\n case MRB_TT_PROC:\n case MRB_TT_RANGE:\n children+=2;\n break;\n\n default:\n break;\n }\n return children;\n}", "project": "mruby", "hash": 262156648040300095838110975787992052943, "size": 82, "commit_id": "97319697c8f9f6ff27b32589947e1918e3015503", "message": "Cancel 9cdf439\n\nShould not free the pointer in `realloc` since it can cause\nuse-after-free problem.", "target": 0, "dataset": "other", "idx": 273979 }, { "func": "incremental_gc(mrb_state *mrb, mrb_gc *gc, size_t limit)\n{\n switch (gc->state) {\n case MRB_GC_STATE_ROOT:\n root_scan_phase(mrb, gc);\n gc->state = MRB_GC_STATE_MARK;\n flip_white_part(gc);\n return 0;\n case MRB_GC_STATE_MARK:\n if (gc->gray_list) {\n return incremental_marking_phase(mrb, gc, limit);\n }\n else {\n final_marking_phase(mrb, gc);\n prepare_incremental_sweep(mrb, gc);\n return 0;\n }\n case MRB_GC_STATE_SWEEP: {\n size_t tried_sweep = 0;\n tried_sweep = incremental_sweep_phase(mrb, gc, limit);\n if (tried_sweep == 0)\n gc->state = MRB_GC_STATE_ROOT;\n return tried_sweep;\n }\n default:\n /* unknown state */\n mrb_assert(0);\n return 0;\n }\n}", "project": "mruby", "hash": 200932525351859130616573683259431691640, 
"size": 30, "commit_id": "97319697c8f9f6ff27b32589947e1918e3015503", "message": "Cancel 9cdf439\n\nShould not free the pointer in `realloc` since it can cause\nuse-after-free problem.", "target": 0, "dataset": "other", "idx": 273998 }, { "func": "obj_free(mrb_state *mrb, struct RBasic *obj, int end)\n{\n DEBUG(fprintf(stderr, \"obj_free(%p,tt=%d)\\n\",obj,obj->tt));\n switch (obj->tt) {\n /* immediate - no mark */\n case MRB_TT_TRUE:\n case MRB_TT_FIXNUM:\n case MRB_TT_SYMBOL:\n /* cannot happen */\n return;\n\n#ifndef MRB_WITHOUT_FLOAT\n case MRB_TT_FLOAT:\n#ifdef MRB_WORD_BOXING\n break;\n#else\n return;\n#endif\n#endif\n\n case MRB_TT_OBJECT:\n mrb_gc_free_iv(mrb, (struct RObject*)obj);\n break;\n\n case MRB_TT_EXCEPTION:\n mrb_gc_free_iv(mrb, (struct RObject*)obj);\n break;\n\n case MRB_TT_CLASS:\n case MRB_TT_MODULE:\n case MRB_TT_SCLASS:\n mrb_gc_free_mt(mrb, (struct RClass*)obj);\n mrb_gc_free_iv(mrb, (struct RObject*)obj);\n mrb_mc_clear_by_class(mrb, (struct RClass*)obj);\n break;\n case MRB_TT_ICLASS:\n if (MRB_FLAG_TEST(obj, MRB_FL_CLASS_IS_ORIGIN))\n mrb_gc_free_mt(mrb, (struct RClass*)obj);\n mrb_mc_clear_by_class(mrb, (struct RClass*)obj);\n break;\n case MRB_TT_ENV:\n {\n struct REnv *e = (struct REnv*)obj;\n\n if (MRB_ENV_ONSTACK_P(e)) {\n /* cannot be freed */\n e->stack = NULL;\n break;\n }\n mrb_free(mrb, e->stack);\n e->stack = NULL;\n }\n break;\n\n case MRB_TT_FIBER:\n {\n struct mrb_context *c = ((struct RFiber*)obj)->cxt;\n\n if (c && c != mrb->root_c) {\n if (!end && c->status != MRB_FIBER_TERMINATED) {\n mrb_callinfo *ci = c->ci;\n mrb_callinfo *ce = c->cibase;\n\n while (ce <= ci) {\n struct REnv *e = ci->env;\n if (e && !mrb_object_dead_p(mrb, (struct RBasic*)e) &&\n e->tt == MRB_TT_ENV && MRB_ENV_ONSTACK_P(e)) {\n mrb_env_unshare(mrb, e);\n }\n ci--;\n }\n }\n mrb_free_context(mrb, c);\n }\n }\n break;\n\n case MRB_TT_ARRAY:\n if (ARY_SHARED_P(obj))\n mrb_ary_decref(mrb, ((struct RArray*)obj)->as.heap.aux.shared);\n else if 
(!ARY_EMBED_P(obj))\n mrb_free(mrb, ((struct RArray*)obj)->as.heap.ptr);\n break;\n\n case MRB_TT_HASH:\n mrb_gc_free_iv(mrb, (struct RObject*)obj);\n mrb_gc_free_hash(mrb, (struct RHash*)obj);\n break;\n\n case MRB_TT_STRING:\n mrb_gc_free_str(mrb, (struct RString*)obj);\n break;\n\n case MRB_TT_PROC:\n {\n struct RProc *p = (struct RProc*)obj;\n\n if (!MRB_PROC_CFUNC_P(p) && p->body.irep) {\n mrb_irep *irep = p->body.irep;\n if (end) {\n mrb_irep_cutref(mrb, irep);\n }\n mrb_irep_decref(mrb, irep);\n }\n }\n break;\n\n case MRB_TT_RANGE:\n mrb_gc_free_range(mrb, ((struct RRange*)obj));\n break;\n\n case MRB_TT_DATA:\n {\n struct RData *d = (struct RData*)obj;\n if (d->type && d->type->dfree) {\n d->type->dfree(mrb, d->data);\n }\n mrb_gc_free_iv(mrb, (struct RObject*)obj);\n }\n break;\n\n default:\n break;\n }\n obj->tt = MRB_TT_FREE;\n}", "project": "mruby", "hash": 147701015182020172631856776949899808831, "size": 126, "commit_id": "97319697c8f9f6ff27b32589947e1918e3015503", "message": "Cancel 9cdf439\n\nShould not free the pointer in `realloc` since it can cause\nuse-after-free problem.", "target": 0, "dataset": "other", "idx": 274002 }, { "func": "gc_mark_children(mrb_state *mrb, mrb_gc *gc, struct RBasic *obj)\n{\n mrb_assert(is_gray(obj));\n paint_black(obj);\n gc->gray_list = obj->gcnext;\n mrb_gc_mark(mrb, (struct RBasic*)obj->c);\n switch (obj->tt) {\n case MRB_TT_ICLASS:\n {\n struct RClass *c = (struct RClass*)obj;\n if (MRB_FLAG_TEST(c, MRB_FL_CLASS_IS_ORIGIN))\n mrb_gc_mark_mt(mrb, c);\n mrb_gc_mark(mrb, (struct RBasic*)((struct RClass*)obj)->super);\n }\n break;\n\n case MRB_TT_CLASS:\n case MRB_TT_MODULE:\n case MRB_TT_SCLASS:\n {\n struct RClass *c = (struct RClass*)obj;\n\n mrb_gc_mark_mt(mrb, c);\n mrb_gc_mark(mrb, (struct RBasic*)c->super);\n }\n /* fall through */\n\n case MRB_TT_OBJECT:\n case MRB_TT_DATA:\n case MRB_TT_EXCEPTION:\n mrb_gc_mark_iv(mrb, (struct RObject*)obj);\n break;\n\n case MRB_TT_PROC:\n {\n struct RProc *p = (struct 
RProc*)obj;\n\n mrb_gc_mark(mrb, (struct RBasic*)p->upper);\n mrb_gc_mark(mrb, (struct RBasic*)p->e.env);\n }\n break;\n\n case MRB_TT_ENV:\n {\n struct REnv *e = (struct REnv*)obj;\n mrb_int i, len;\n\n if (MRB_ENV_ONSTACK_P(e) && e->cxt && e->cxt->fib) {\n mrb_gc_mark(mrb, (struct RBasic*)e->cxt->fib);\n }\n len = MRB_ENV_LEN(e);\n for (i=0; istack[i]);\n }\n }\n break;\n\n case MRB_TT_FIBER:\n {\n struct mrb_context *c = ((struct RFiber*)obj)->cxt;\n\n if (c) mark_context(mrb, c);\n }\n break;\n\n case MRB_TT_ARRAY:\n {\n struct RArray *a = (struct RArray*)obj;\n size_t i, e;\n\n for (i=0,e=ARY_LEN(a); ias.heap.aux.fshared);\n }\n break;\n\n case MRB_TT_RANGE:\n mrb_gc_mark_range(mrb, (struct RRange*)obj);\n break;\n\n default:\n break;\n }\n}", "project": "mruby", "hash": 197149973040587426796603837485024603341, "size": 96, "commit_id": "97319697c8f9f6ff27b32589947e1918e3015503", "message": "Cancel 9cdf439\n\nShould not free the pointer in `realloc` since it can cause\nuse-after-free problem.", "target": 0, "dataset": "other", "idx": 274036 }, { "func": "scanner_scan_post_primary_expression (parser_context_t *context_p, /**< context */\n scanner_context_t *scanner_context_p, /**< scanner context */\n lexer_token_type_t type, /**< current token type */\n scan_stack_modes_t stack_top) /**< current stack top */\n{\n switch (type)\n {\n case LEXER_DOT:\n {\n lexer_scan_identifier (context_p);\n\n if (context_p->token.type != LEXER_LITERAL\n || context_p->token.lit_location.type != LEXER_IDENT_LITERAL)\n {\n scanner_raise_error (context_p);\n }\n\n return true;\n }\n case LEXER_LEFT_PAREN:\n {\n parser_stack_push_uint8 (context_p, SCAN_STACK_PAREN_EXPRESSION);\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n return true;\n }\n#if ENABLED (JERRY_ES2015)\n case LEXER_TEMPLATE_LITERAL:\n {\n if (JERRY_UNLIKELY (context_p->source_p[-1] != LIT_CHAR_GRAVE_ACCENT))\n {\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n parser_stack_push_uint8 
(context_p, SCAN_STACK_TAGGED_TEMPLATE_LITERAL);\n }\n return true;\n }\n#endif /* ENABLED (JERRY_ES2015) */\n case LEXER_LEFT_SQUARE:\n {\n parser_stack_push_uint8 (context_p, SCAN_STACK_PROPERTY_ACCESSOR);\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n return true;\n }\n case LEXER_INCREASE:\n case LEXER_DECREASE:\n {\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION_END;\n\n if (context_p->token.flags & LEXER_WAS_NEWLINE)\n {\n return false;\n }\n\n lexer_next_token (context_p);\n type = (lexer_token_type_t) context_p->token.type;\n\n if (type != LEXER_QUESTION_MARK)\n {\n break;\n }\n /* FALLTHRU */\n }\n case LEXER_QUESTION_MARK:\n {\n parser_stack_push_uint8 (context_p, SCAN_STACK_COLON_EXPRESSION);\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n return true;\n }\n default:\n {\n break;\n }\n }\n\n if (LEXER_IS_BINARY_OP_TOKEN (type)\n && (type != LEXER_KEYW_IN || !SCANNER_IS_FOR_START (stack_top)))\n {\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n return true;\n }\n\n return false;\n} /* scanner_scan_post_primary_expression */", "project": "jerryscript", "hash": 123614422951049872525306362008933089785, "size": 82, "commit_id": "69f8e78c2f8d562bd6d8002b5488f1662ac30d24", "message": "Fix error handling in scanner when in case of OOM (#3793)\n\nThis patch fixes #3786 and fixes #3788.\r\n\r\nJerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu", "target": 0, "dataset": "other", "idx": 274774 }, { "func": "scanner_scan_statement (parser_context_t *context_p, /**< context */\n scanner_context_t *scanner_context_p, /**< scanner context */\n lexer_token_type_t type, /**< current token type */\n scan_stack_modes_t stack_top) /**< current stack top */\n{\n switch (type)\n {\n case LEXER_SEMICOLON:\n {\n scanner_context_p->mode = SCAN_MODE_STATEMENT_END;\n return SCAN_KEEP_TOKEN;\n }\n case LEXER_LEFT_BRACE:\n {\n#if ENABLED (JERRY_ES2015)\n scanner_literal_pool_t *literal_pool_p;\n literal_pool_p = 
scanner_push_literal_pool (context_p,\n scanner_context_p,\n SCANNER_LITERAL_POOL_BLOCK);\n literal_pool_p->source_p = context_p->source_p;\n#endif /* ENABLED (JERRY_ES2015) */\n\n scanner_context_p->mode = SCAN_MODE_STATEMENT_OR_TERMINATOR;\n parser_stack_push_uint8 (context_p, SCAN_STACK_BLOCK_STATEMENT);\n return SCAN_NEXT_TOKEN;\n }\n case LEXER_KEYW_DO:\n {\n scanner_context_p->mode = SCAN_MODE_STATEMENT;\n parser_stack_push_uint8 (context_p, SCAN_STACK_DO_STATEMENT);\n return SCAN_NEXT_TOKEN;\n }\n case LEXER_KEYW_TRY:\n {\n lexer_next_token (context_p);\n\n if (context_p->token.type != LEXER_LEFT_BRACE)\n {\n scanner_raise_error (context_p);\n }\n\n#if ENABLED (JERRY_ES2015)\n scanner_literal_pool_t *literal_pool_p;\n literal_pool_p = scanner_push_literal_pool (context_p,\n scanner_context_p,\n SCANNER_LITERAL_POOL_BLOCK);\n literal_pool_p->source_p = context_p->source_p;\n#endif /* ENABLED (JERRY_ES2015) */\n\n scanner_context_p->mode = SCAN_MODE_STATEMENT_OR_TERMINATOR;\n parser_stack_push_uint8 (context_p, SCAN_STACK_TRY_STATEMENT);\n return SCAN_NEXT_TOKEN;\n }\n case LEXER_KEYW_DEBUGGER:\n {\n scanner_context_p->mode = SCAN_MODE_STATEMENT_END;\n return SCAN_NEXT_TOKEN;\n }\n case LEXER_KEYW_IF:\n case LEXER_KEYW_WITH:\n case LEXER_KEYW_SWITCH:\n {\n lexer_next_token (context_p);\n if (context_p->token.type != LEXER_LEFT_PAREN)\n {\n scanner_raise_error (context_p);\n }\n\n uint8_t mode = SCAN_STACK_STATEMENT_WITH_EXPR;\n\n if (type == LEXER_KEYW_IF)\n {\n parser_stack_push_uint8 (context_p, SCAN_STACK_IF_STATEMENT);\n }\n else if (type == LEXER_KEYW_WITH)\n {\n mode = SCAN_STACK_WITH_EXPRESSION;\n }\n else if (type == LEXER_KEYW_SWITCH)\n {\n mode = SCAN_STACK_SWITCH_EXPRESSION;\n }\n\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n parser_stack_push_uint8 (context_p, mode);\n return SCAN_NEXT_TOKEN;\n }\n case LEXER_KEYW_WHILE:\n {\n lexer_next_token (context_p);\n\n if (context_p->token.type != LEXER_LEFT_PAREN)\n {\n scanner_raise_error 
(context_p);\n }\n\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n\n scanner_source_start_t source_start;\n source_start.source_p = context_p->source_p;\n\n parser_stack_push (context_p, &source_start, sizeof (scanner_source_start_t));\n parser_stack_push_uint8 (context_p, SCAN_STACK_WHILE_EXPRESSION);\n return SCAN_NEXT_TOKEN;\n }\n case LEXER_KEYW_FOR:\n {\n lexer_next_token (context_p);\n if (context_p->token.type != LEXER_LEFT_PAREN)\n {\n scanner_raise_error (context_p);\n }\n\n scanner_for_statement_t for_statement;\n for_statement.u.source_p = context_p->source_p;\n uint8_t stack_mode = SCAN_STACK_FOR_START;\n scan_return_types_t return_type = SCAN_KEEP_TOKEN;\n\n lexer_next_token (context_p);\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n\n#if ENABLED (JERRY_ES2015)\n const uint8_t *source_p = context_p->source_p;\n#endif /* ENABLED (JERRY_ES2015) */\n\n switch (context_p->token.type)\n {\n case LEXER_SEMICOLON:\n {\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION_END;\n break;\n }\n case LEXER_KEYW_VAR:\n {\n scanner_context_p->mode = SCAN_MODE_VAR_STATEMENT;\n stack_mode = SCAN_STACK_FOR_VAR_START;\n return_type = SCAN_NEXT_TOKEN;\n break;\n }\n#if ENABLED (JERRY_ES2015)\n case LEXER_LITERAL:\n {\n if (!lexer_token_is_let (context_p))\n {\n break;\n }\n\n parser_line_counter_t line = context_p->line;\n parser_line_counter_t column = context_p->column;\n\n if (lexer_check_arrow (context_p))\n {\n context_p->source_p = source_p;\n context_p->line = line;\n context_p->column = column;\n context_p->token.flags &= (uint8_t) ~LEXER_NO_SKIP_SPACES;\n break;\n }\n\n lexer_next_token (context_p);\n\n type = (lexer_token_type_t) context_p->token.type;\n\n if (type != LEXER_LEFT_SQUARE\n && type != LEXER_LEFT_BRACE\n && (type != LEXER_LITERAL || context_p->token.lit_location.type != LEXER_IDENT_LITERAL))\n {\n scanner_info_t *info_p = scanner_insert_info (context_p, source_p, sizeof (scanner_info_t));\n info_p->type = 
SCANNER_TYPE_LET_EXPRESSION;\n\n scanner_context_p->mode = SCAN_MODE_POST_PRIMARY_EXPRESSION;\n break;\n }\n\n scanner_context_p->mode = SCAN_MODE_VAR_STATEMENT;\n /* FALLTHRU */\n }\n case LEXER_KEYW_LET:\n case LEXER_KEYW_CONST:\n {\n scanner_literal_pool_t *literal_pool_p;\n literal_pool_p = scanner_push_literal_pool (context_p, scanner_context_p, SCANNER_LITERAL_POOL_BLOCK);\n literal_pool_p->source_p = source_p;\n\n if (scanner_context_p->mode == SCAN_MODE_PRIMARY_EXPRESSION)\n {\n scanner_context_p->mode = SCAN_MODE_VAR_STATEMENT;\n return_type = SCAN_NEXT_TOKEN;\n }\n\n stack_mode = ((context_p->token.type == LEXER_KEYW_CONST) ? SCAN_STACK_FOR_CONST_START\n : SCAN_STACK_FOR_LET_START);\n break;\n }\n#endif /* ENABLED (JERRY_ES2015) */\n }\n\n parser_stack_push (context_p, &for_statement, sizeof (scanner_for_statement_t));\n parser_stack_push_uint8 (context_p, stack_mode);\n return return_type;\n }\n case LEXER_KEYW_VAR:\n {\n scanner_context_p->mode = SCAN_MODE_VAR_STATEMENT;\n parser_stack_push_uint8 (context_p, SCAN_STACK_VAR);\n return SCAN_NEXT_TOKEN;\n }\n#if ENABLED (JERRY_ES2015)\n case LEXER_KEYW_LET:\n {\n scanner_context_p->mode = SCAN_MODE_VAR_STATEMENT;\n parser_stack_push_uint8 (context_p, SCAN_STACK_LET);\n return SCAN_NEXT_TOKEN;\n }\n case LEXER_KEYW_CONST:\n {\n scanner_context_p->mode = SCAN_MODE_VAR_STATEMENT;\n parser_stack_push_uint8 (context_p, SCAN_STACK_CONST);\n return SCAN_NEXT_TOKEN;\n }\n#endif /* ENABLED (JERRY_ES2015) */\n case LEXER_KEYW_THROW:\n {\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n return SCAN_NEXT_TOKEN;\n }\n case LEXER_KEYW_RETURN:\n {\n lexer_next_token (context_p);\n\n if (!(context_p->token.flags & LEXER_WAS_NEWLINE)\n && context_p->token.type != LEXER_SEMICOLON\n && context_p->token.type != LEXER_EOS\n && context_p->token.type != LEXER_RIGHT_BRACE)\n {\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n return SCAN_KEEP_TOKEN;\n }\n\n scanner_context_p->mode = SCAN_MODE_STATEMENT_END;\n 
return SCAN_KEEP_TOKEN;\n }\n case LEXER_KEYW_BREAK:\n case LEXER_KEYW_CONTINUE:\n {\n lexer_next_token (context_p);\n scanner_context_p->mode = SCAN_MODE_STATEMENT_END;\n\n if (!(context_p->token.flags & LEXER_WAS_NEWLINE)\n && context_p->token.type == LEXER_LITERAL\n && context_p->token.lit_location.type == LEXER_IDENT_LITERAL)\n {\n return SCAN_NEXT_TOKEN;\n }\n return SCAN_KEEP_TOKEN;\n }\n case LEXER_KEYW_CASE:\n case LEXER_KEYW_DEFAULT:\n {\n if (stack_top != SCAN_STACK_SWITCH_BLOCK)\n {\n scanner_raise_error (context_p);\n }\n\n scanner_case_info_t *case_info_p;\n case_info_p = (scanner_case_info_t *) scanner_malloc (context_p, sizeof (scanner_case_info_t));\n\n *(scanner_context_p->active_switch_statement.last_case_p) = case_info_p;\n scanner_context_p->active_switch_statement.last_case_p = &case_info_p->next_p;\n\n case_info_p->next_p = NULL;\n scanner_get_location (&case_info_p->location, context_p);\n\n if (type == LEXER_KEYW_DEFAULT)\n {\n lexer_next_token (context_p);\n\n if (context_p->token.type != LEXER_COLON)\n {\n scanner_raise_error (context_p);\n }\n\n scanner_context_p->mode = SCAN_MODE_STATEMENT_OR_TERMINATOR;\n return SCAN_NEXT_TOKEN;\n }\n\n scanner_source_start_t source_start;\n source_start.source_p = context_p->source_p;\n\n parser_stack_push (context_p, &source_start, sizeof (scanner_source_start_t));\n parser_stack_push_uint8 (context_p, SCAN_STACK_CASE_STATEMENT);\n\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n return SCAN_NEXT_TOKEN;\n }\n case LEXER_KEYW_FUNCTION:\n {\n#if ENABLED (JERRY_ES2015)\n uint16_t status_flags = SCANNER_LITERAL_POOL_FUNCTION | SCANNER_LITERAL_POOL_FUNCTION_STATEMENT;\n\n if (scanner_context_p->async_source_p != NULL)\n {\n scanner_context_p->status_flags |= SCANNER_CONTEXT_THROW_ERR_ASYNC_FUNCTION;\n status_flags |= SCANNER_LITERAL_POOL_ASYNC;\n }\n#endif /* ENABLED (JERRY_ES2015) */\n\n lexer_next_token (context_p);\n\n#if ENABLED (JERRY_ES2015)\n if (context_p->token.type == LEXER_MULTIPLY)\n 
{\n status_flags |= SCANNER_LITERAL_POOL_GENERATOR;\n lexer_next_token (context_p);\n }\n#endif /* ENABLED (JERRY_ES2015) */\n\n if (context_p->token.type != LEXER_LITERAL\n || context_p->token.lit_location.type != LEXER_IDENT_LITERAL)\n {\n scanner_raise_error (context_p);\n }\n\n lexer_lit_location_t *literal_p = scanner_add_literal (context_p, scanner_context_p);\n\n#if ENABLED (JERRY_ES2015)\n const uint8_t mask = (SCANNER_LITERAL_IS_ARG | SCANNER_LITERAL_IS_FUNC | SCANNER_LITERAL_IS_LOCAL);\n\n if ((literal_p->type & SCANNER_LITERAL_IS_LOCAL)\n && (literal_p->type & mask) != (SCANNER_LITERAL_IS_ARG | SCANNER_LITERAL_IS_DESTRUCTURED_ARG)\n && (literal_p->type & mask) != (SCANNER_LITERAL_IS_FUNC | SCANNER_LITERAL_IS_FUNC_DECLARATION))\n {\n scanner_raise_redeclaration_error (context_p);\n }\n\n literal_p->type |= SCANNER_LITERAL_IS_FUNC | SCANNER_LITERAL_IS_FUNC_DECLARATION;\n\n scanner_context_p->status_flags &= (uint16_t) ~SCANNER_CONTEXT_THROW_ERR_ASYNC_FUNCTION;\n#else\n literal_p->type |= SCANNER_LITERAL_IS_VAR | SCANNER_LITERAL_IS_FUNC;\n\n uint16_t status_flags = SCANNER_LITERAL_POOL_FUNCTION;\n#endif /* ENABLED (JERRY_ES2015) */\n\n scanner_push_literal_pool (context_p, scanner_context_p, status_flags);\n\n scanner_context_p->mode = SCAN_MODE_FUNCTION_ARGUMENTS;\n parser_stack_push_uint8 (context_p, SCAN_STACK_FUNCTION_STATEMENT);\n return SCAN_NEXT_TOKEN;\n }\n#if ENABLED (JERRY_ES2015)\n case LEXER_KEYW_CLASS:\n {\n scanner_push_class_declaration (context_p, scanner_context_p, SCAN_STACK_CLASS_STATEMENT);\n\n if (context_p->token.type != LEXER_LITERAL || context_p->token.lit_location.type != LEXER_IDENT_LITERAL)\n {\n scanner_raise_error (context_p);\n }\n\n lexer_lit_location_t *literal_p = scanner_add_literal (context_p, scanner_context_p);\n\n scanner_detect_invalid_let (context_p, literal_p);\n literal_p->type |= SCANNER_LITERAL_IS_LET;\n\n#if ENABLED (JERRY_ES2015_MODULE_SYSTEM)\n if (scanner_context_p->active_literal_pool_p->status_flags & 
SCANNER_LITERAL_POOL_IN_EXPORT)\n {\n literal_p->type |= SCANNER_LITERAL_NO_REG;\n scanner_context_p->active_literal_pool_p->status_flags &= (uint16_t) ~SCANNER_LITERAL_POOL_IN_EXPORT;\n }\n#endif /* ENABLED (JERRY_ES2015_MODULE_SYSTEM) */\n\n return SCAN_NEXT_TOKEN;\n }\n#endif /* ENABLED (JERRY_ES2015) */\n#if ENABLED (JERRY_ES2015_MODULE_SYSTEM)\n case LEXER_KEYW_IMPORT:\n {\n if (stack_top != SCAN_STACK_SCRIPT)\n {\n scanner_raise_error (context_p);\n }\n\n context_p->global_status_flags |= ECMA_PARSE_MODULE;\n\n scanner_context_p->mode = SCAN_MODE_STATEMENT_END;\n lexer_next_token (context_p);\n\n if (context_p->token.type == LEXER_LITERAL\n && context_p->token.lit_location.type == LEXER_STRING_LITERAL)\n {\n return SCAN_NEXT_TOKEN;\n }\n\n bool parse_imports = true;\n\n if (context_p->token.type == LEXER_LITERAL\n && context_p->token.lit_location.type == LEXER_IDENT_LITERAL)\n {\n lexer_lit_location_t *literal_p = scanner_add_literal (context_p, scanner_context_p);\n\n#if ENABLED (JERRY_ES2015)\n scanner_detect_invalid_let (context_p, literal_p);\n literal_p->type |= SCANNER_LITERAL_IS_LOCAL | SCANNER_LITERAL_NO_REG;\n#else /* !ENABLED (JERRY_ES2015) */\n literal_p->type |= SCANNER_LITERAL_IS_VAR | SCANNER_LITERAL_NO_REG;\n#endif /* ENABLED (JERRY_ES2015) */\n\n lexer_next_token (context_p);\n\n if (context_p->token.type == LEXER_COMMA)\n {\n lexer_next_token (context_p);\n }\n else\n {\n parse_imports = false;\n }\n }\n\n if (parse_imports)\n {\n if (context_p->token.type == LEXER_MULTIPLY)\n {\n lexer_next_token (context_p);\n if (!lexer_token_is_identifier (context_p, \"as\", 2))\n {\n scanner_raise_error (context_p);\n }\n\n lexer_next_token (context_p);\n\n if (context_p->token.type != LEXER_LITERAL\n && context_p->token.lit_location.type == LEXER_IDENT_LITERAL)\n {\n scanner_raise_error (context_p);\n }\n\n lexer_lit_location_t *literal_p = scanner_add_literal (context_p, scanner_context_p);\n\n#if ENABLED (JERRY_ES2015)\n scanner_detect_invalid_let 
(context_p, literal_p);\n literal_p->type |= SCANNER_LITERAL_IS_LOCAL | SCANNER_LITERAL_NO_REG;\n#else /* !ENABLED (JERRY_ES2015) */\n literal_p->type |= SCANNER_LITERAL_IS_VAR | SCANNER_LITERAL_NO_REG;\n#endif /* ENABLED (JERRY_ES2015) */\n\n lexer_next_token (context_p);\n }\n else if (context_p->token.type == LEXER_LEFT_BRACE)\n {\n lexer_next_token (context_p);\n\n while (context_p->token.type != LEXER_RIGHT_BRACE)\n {\n if (context_p->token.type != LEXER_LITERAL\n || context_p->token.lit_location.type != LEXER_IDENT_LITERAL)\n {\n scanner_raise_error (context_p);\n }\n\n#if ENABLED (JERRY_ES2015)\n const uint8_t *source_p = context_p->source_p;\n#endif /* ENABLED (JERRY_ES2015) */\n\n if (lexer_check_next_character (context_p, LIT_CHAR_LOWERCASE_A))\n {\n lexer_next_token (context_p);\n\n if (!lexer_token_is_identifier (context_p, \"as\", 2))\n {\n scanner_raise_error (context_p);\n }\n\n lexer_next_token (context_p);\n\n if (context_p->token.type != LEXER_LITERAL\n && context_p->token.lit_location.type == LEXER_IDENT_LITERAL)\n {\n scanner_raise_error (context_p);\n }\n\n#if ENABLED (JERRY_ES2015)\n source_p = context_p->source_p;\n#endif /* ENABLED (JERRY_ES2015) */\n }\n\n lexer_lit_location_t *literal_p = scanner_add_literal (context_p, scanner_context_p);\n\n#if ENABLED (JERRY_ES2015)\n if (literal_p->type & (SCANNER_LITERAL_IS_ARG\n | SCANNER_LITERAL_IS_VAR\n | SCANNER_LITERAL_IS_LOCAL))\n {\n context_p->source_p = source_p;\n scanner_raise_redeclaration_error (context_p);\n }\n\n if (literal_p->type & SCANNER_LITERAL_IS_FUNC)\n {\n literal_p->type &= (uint8_t) ~SCANNER_LITERAL_IS_FUNC;\n }\n\n literal_p->type |= SCANNER_LITERAL_IS_LOCAL | SCANNER_LITERAL_NO_REG;\n#else /* !ENABLED (JERRY_ES2015) */\n literal_p->type |= SCANNER_LITERAL_IS_VAR | SCANNER_LITERAL_NO_REG;\n#endif /* ENABLED (JERRY_ES2015) */\n\n lexer_next_token (context_p);\n\n if (context_p->token.type != LEXER_RIGHT_BRACE)\n {\n if (context_p->token.type != LEXER_COMMA)\n {\n 
scanner_raise_error (context_p);\n }\n\n lexer_next_token (context_p);\n }\n }\n\n lexer_next_token (context_p);\n }\n else\n {\n scanner_raise_error (context_p);\n }\n }\n\n if (!lexer_token_is_identifier (context_p, \"from\", 4))\n {\n scanner_raise_error (context_p);\n }\n\n lexer_next_token (context_p);\n\n if (context_p->token.type != LEXER_LITERAL\n && context_p->token.lit_location.type != LEXER_STRING_LITERAL)\n {\n scanner_raise_error (context_p);\n }\n\n return SCAN_NEXT_TOKEN;\n }\n case LEXER_KEYW_EXPORT:\n {\n if (stack_top != SCAN_STACK_SCRIPT)\n {\n scanner_raise_error (context_p);\n }\n\n context_p->global_status_flags |= ECMA_PARSE_MODULE;\n\n lexer_next_token (context_p);\n\n if (context_p->token.type == LEXER_KEYW_DEFAULT)\n {\n lexer_next_token (context_p);\n\n if (context_p->token.type == LEXER_KEYW_FUNCTION)\n {\n lexer_next_token (context_p);\n if (context_p->token.type == LEXER_LITERAL\n && context_p->token.lit_location.type == LEXER_IDENT_LITERAL)\n {\n lexer_lit_location_t *location_p = scanner_add_literal (context_p, scanner_context_p);\n\n#if ENABLED (JERRY_ES2015)\n if (location_p->type & SCANNER_LITERAL_IS_LOCAL\n && !(location_p->type & SCANNER_LITERAL_IS_FUNC))\n {\n scanner_raise_redeclaration_error (context_p);\n }\n location_p->type |= SCANNER_LITERAL_IS_FUNC | SCANNER_LITERAL_IS_LET;\n#else /* !ENABLED (JERRY_ES2015) */\n location_p->type |= SCANNER_LITERAL_IS_VAR | SCANNER_LITERAL_IS_FUNC;\n#endif /* ENABLED (JERRY_ES2015) */\n\n lexer_next_token (context_p);\n }\n else\n {\n lexer_lit_location_t *location_p;\n location_p = scanner_add_custom_literal (context_p,\n scanner_context_p->active_literal_pool_p,\n &lexer_default_literal);\n#if ENABLED (JERRY_ES2015)\n location_p->type |= SCANNER_LITERAL_IS_FUNC | SCANNER_LITERAL_IS_LET;\n#else /* !ENABLED (JERRY_ES2015) */\n location_p->type |= SCANNER_LITERAL_IS_VAR | SCANNER_LITERAL_IS_FUNC;\n#endif /* ENABLED (JERRY_ES2015) */\n }\n\n scanner_push_literal_pool (context_p, 
scanner_context_p, SCANNER_LITERAL_POOL_FUNCTION);\n\n parser_stack_push_uint8 (context_p, SCAN_STACK_FUNCTION_STATEMENT);\n scanner_context_p->mode = SCAN_MODE_FUNCTION_ARGUMENTS;\n return SCAN_KEEP_TOKEN;\n }\n#if ENABLED (JERRY_ES2015)\n if (context_p->token.type == LEXER_KEYW_CLASS)\n {\n scanner_push_class_declaration (context_p, scanner_context_p, SCAN_STACK_CLASS_STATEMENT);\n\n if (context_p->token.type == LEXER_LITERAL && context_p->token.lit_location.type == LEXER_IDENT_LITERAL)\n {\n lexer_lit_location_t *literal_p = scanner_add_literal (context_p, scanner_context_p);\n\n scanner_detect_invalid_let (context_p, literal_p);\n\n literal_p->type |= SCANNER_LITERAL_IS_LET | SCANNER_LITERAL_NO_REG;\n return SCAN_NEXT_TOKEN;\n }\n\n lexer_lit_location_t *literal_p;\n literal_p = scanner_add_custom_literal (context_p,\n scanner_context_p->active_literal_pool_p,\n &lexer_default_literal);\n literal_p->type |= SCANNER_LITERAL_IS_LET | SCANNER_LITERAL_NO_REG;\n return SCAN_KEEP_TOKEN;\n }\n#endif /* ENABLED (JERRY_ES2015) */\n\n /* Assignment expression. 
*/\n lexer_lit_location_t *location_p;\n location_p = scanner_add_custom_literal (context_p,\n scanner_context_p->active_literal_pool_p,\n &lexer_default_literal);\n location_p->type |= SCANNER_LITERAL_IS_VAR;\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n\n if (context_p->token.type != LEXER_LITERAL || context_p->token.lit_location.type != LEXER_IDENT_LITERAL)\n {\n return SCAN_KEEP_TOKEN;\n }\n\n location_p = scanner_add_literal (context_p, scanner_context_p);\n location_p->type |= SCANNER_LITERAL_IS_VAR;\n scanner_context_p->mode = SCAN_MODE_POST_PRIMARY_EXPRESSION;\n return SCAN_NEXT_TOKEN;\n }\n\n scanner_context_p->mode = SCAN_MODE_STATEMENT_END;\n\n if (context_p->token.type == LEXER_MULTIPLY)\n {\n lexer_next_token (context_p);\n if (!lexer_token_is_identifier (context_p, \"from\", 4))\n {\n scanner_raise_error (context_p);\n }\n\n lexer_next_token (context_p);\n\n if (context_p->token.type != LEXER_LITERAL\n && context_p->token.lit_location.type == LEXER_STRING_LITERAL)\n {\n scanner_raise_error (context_p);\n }\n\n return SCAN_NEXT_TOKEN;\n }\n\n if (context_p->token.type == LEXER_LEFT_BRACE)\n {\n lexer_next_token (context_p);\n\n while (context_p->token.type != LEXER_RIGHT_BRACE)\n {\n if (context_p->token.type != LEXER_LITERAL\n || context_p->token.lit_location.type != LEXER_IDENT_LITERAL)\n {\n scanner_raise_error (context_p);\n }\n\n lexer_next_token (context_p);\n\n if (lexer_token_is_identifier (context_p, \"as\", 2))\n {\n lexer_next_token (context_p);\n\n if (context_p->token.type != LEXER_LITERAL\n && context_p->token.lit_location.type == LEXER_IDENT_LITERAL)\n {\n scanner_raise_error (context_p);\n }\n\n lexer_next_token (context_p);\n }\n\n if (context_p->token.type != LEXER_RIGHT_BRACE)\n {\n if (context_p->token.type != LEXER_COMMA)\n {\n scanner_raise_error (context_p);\n }\n\n lexer_next_token (context_p);\n }\n }\n\n lexer_next_token (context_p);\n\n if (!lexer_token_is_identifier (context_p, \"from\", 4))\n {\n return 
SCAN_KEEP_TOKEN;\n }\n\n lexer_next_token (context_p);\n\n if (context_p->token.type != LEXER_LITERAL\n && context_p->token.lit_location.type == LEXER_STRING_LITERAL)\n {\n scanner_raise_error (context_p);\n }\n\n return SCAN_NEXT_TOKEN;\n }\n\n switch (context_p->token.type)\n {\n#if ENABLED (JERRY_ES2015)\n case LEXER_KEYW_CLASS:\n case LEXER_KEYW_LET:\n case LEXER_KEYW_CONST:\n#endif /* ENABLED (JERRY_ES2015) */\n case LEXER_KEYW_VAR:\n {\n scanner_context_p->active_literal_pool_p->status_flags |= SCANNER_LITERAL_POOL_IN_EXPORT;\n break;\n }\n }\n\n scanner_context_p->mode = SCAN_MODE_STATEMENT;\n return SCAN_KEEP_TOKEN;\n }\n#endif /* ENABLED (JERRY_ES2015_MODULE_SYSTEM) */\n default:\n {\n break;\n }\n }\n\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n\n if (type == LEXER_LITERAL\n && context_p->token.lit_location.type == LEXER_IDENT_LITERAL)\n {\n if (JERRY_UNLIKELY (lexer_check_next_character (context_p, LIT_CHAR_COLON)))\n {\n lexer_consume_next_character (context_p);\n scanner_context_p->mode = SCAN_MODE_STATEMENT;\n return SCAN_NEXT_TOKEN;\n }\n\n JERRY_ASSERT (context_p->token.flags & LEXER_NO_SKIP_SPACES);\n\n#if ENABLED (JERRY_ES2015)\n /* The colon needs to be checked first because the parser also checks\n * it first, and this check skips the spaces which affects source_p. 
*/\n if (JERRY_UNLIKELY (lexer_check_arrow (context_p)))\n {\n scanner_scan_simple_arrow (context_p, scanner_context_p, context_p->source_p);\n return SCAN_KEEP_TOKEN;\n }\n\n if (JERRY_UNLIKELY (lexer_token_is_let (context_p)))\n {\n lexer_lit_location_t let_literal = context_p->token.lit_location;\n const uint8_t *source_p = context_p->source_p;\n\n lexer_next_token (context_p);\n\n type = (lexer_token_type_t) context_p->token.type;\n\n if (type == LEXER_LEFT_SQUARE\n || type == LEXER_LEFT_BRACE\n || (type == LEXER_LITERAL && context_p->token.lit_location.type == LEXER_IDENT_LITERAL))\n {\n scanner_context_p->mode = SCAN_MODE_VAR_STATEMENT;\n parser_stack_push_uint8 (context_p, SCAN_STACK_LET);\n return SCAN_KEEP_TOKEN;\n }\n\n scanner_info_t *info_p = scanner_insert_info (context_p, source_p, sizeof (scanner_info_t));\n info_p->type = SCANNER_TYPE_LET_EXPRESSION;\n\n lexer_lit_location_t *lit_location_p = scanner_add_custom_literal (context_p,\n scanner_context_p->active_literal_pool_p,\n &let_literal);\n lit_location_p->type |= SCANNER_LITERAL_IS_USED;\n\n if (scanner_context_p->active_literal_pool_p->status_flags & SCANNER_LITERAL_POOL_IN_WITH)\n {\n lit_location_p->type |= SCANNER_LITERAL_NO_REG;\n }\n\n scanner_context_p->mode = SCAN_MODE_POST_PRIMARY_EXPRESSION;\n return SCAN_KEEP_TOKEN;\n }\n\n if (JERRY_UNLIKELY (lexer_token_is_async (context_p)))\n {\n scanner_context_p->async_source_p = context_p->source_p;\n\n if (scanner_check_async_function (context_p, scanner_context_p))\n {\n scanner_context_p->mode = SCAN_MODE_STATEMENT;\n }\n return SCAN_KEEP_TOKEN;\n }\n#endif /* ENABLED (JERRY_ES2015) */\n\n scanner_add_reference (context_p, scanner_context_p);\n\n scanner_context_p->mode = SCAN_MODE_POST_PRIMARY_EXPRESSION;\n return SCAN_NEXT_TOKEN;\n }\n\n return SCAN_KEEP_TOKEN;\n} /* scanner_scan_statement */", "project": "jerryscript", "hash": 58151765943309886832164600896549520509, "size": 822, "commit_id": "69f8e78c2f8d562bd6d8002b5488f1662ac30d24", 
"message": "Fix error handling in scanner when in case of OOM (#3793)\n\nThis patch fixes #3786 and fixes #3788.\r\n\r\nJerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu", "target": 0, "dataset": "other", "idx": 274778 }, { "func": "scanner_scan_primary_expression (parser_context_t *context_p, /**< context */\n scanner_context_t *scanner_context_p, /* scanner context */\n lexer_token_type_t type, /**< current token type */\n scan_stack_modes_t stack_top) /**< current stack top */\n{\n switch (type)\n {\n case LEXER_KEYW_NEW:\n {\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION_AFTER_NEW;\n\n#if ENABLED (JERRY_ES2015)\n if (scanner_try_scan_new_target (context_p))\n {\n scanner_context_p->mode = SCAN_MODE_POST_PRIMARY_EXPRESSION;\n }\n#endif /* ENABLED (JERRY_ES2015) */\n break;\n }\n case LEXER_DIVIDE:\n case LEXER_ASSIGN_DIVIDE:\n {\n lexer_construct_regexp_object (context_p, true);\n scanner_context_p->mode = SCAN_MODE_POST_PRIMARY_EXPRESSION;\n break;\n }\n case LEXER_KEYW_FUNCTION:\n {\n uint16_t status_flags = SCANNER_LITERAL_POOL_FUNCTION;\n\n#if ENABLED (JERRY_ES2015)\n if (scanner_context_p->async_source_p != NULL)\n {\n status_flags |= SCANNER_LITERAL_POOL_ASYNC;\n }\n\n if (lexer_consume_generator (context_p))\n {\n status_flags |= SCANNER_LITERAL_POOL_GENERATOR;\n }\n#endif /* ENABLED (JERRY_ES2015) */\n\n scanner_push_literal_pool (context_p, scanner_context_p, status_flags);\n\n lexer_next_token (context_p);\n\n if (context_p->token.type == LEXER_LITERAL\n && context_p->token.lit_location.type == LEXER_IDENT_LITERAL)\n {\n lexer_next_token (context_p);\n }\n\n parser_stack_push_uint8 (context_p, SCAN_STACK_FUNCTION_EXPRESSION);\n scanner_context_p->mode = SCAN_MODE_FUNCTION_ARGUMENTS;\n return SCAN_KEEP_TOKEN;\n }\n case LEXER_LEFT_PAREN:\n {\n scanner_scan_bracket (context_p, scanner_context_p);\n return SCAN_KEEP_TOKEN;\n }\n case LEXER_LEFT_SQUARE:\n {\n#if ENABLED (JERRY_ES2015)\n scanner_push_destructuring_pattern 
(context_p, scanner_context_p, SCANNER_BINDING_NONE, false);\n#endif /* ENABLED (JERRY_ES2015) */\n\n parser_stack_push_uint8 (context_p, SCAN_STACK_ARRAY_LITERAL);\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n break;\n }\n case LEXER_LEFT_BRACE:\n {\n#if ENABLED (JERRY_ES2015)\n scanner_push_destructuring_pattern (context_p, scanner_context_p, SCANNER_BINDING_NONE, false);\n#endif /* ENABLED (JERRY_ES2015) */\n\n parser_stack_push_uint8 (context_p, SCAN_STACK_OBJECT_LITERAL);\n scanner_context_p->mode = SCAN_MODE_PROPERTY_NAME;\n return SCAN_KEEP_TOKEN;\n }\n#if ENABLED (JERRY_ES2015)\n case LEXER_TEMPLATE_LITERAL:\n {\n if (context_p->source_p[-1] != LIT_CHAR_GRAVE_ACCENT)\n {\n parser_stack_push_uint8 (context_p, SCAN_STACK_TEMPLATE_STRING);\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n break;\n }\n\n /* The string is a normal string literal. */\n /* FALLTHRU */\n }\n#endif /* ENABLED (JERRY_ES2015) */\n case LEXER_LITERAL:\n {\n#if ENABLED (JERRY_ES2015)\n const uint8_t *source_p = context_p->source_p;\n\n if (context_p->token.lit_location.type == LEXER_IDENT_LITERAL\n && lexer_check_arrow (context_p))\n {\n scanner_scan_simple_arrow (context_p, scanner_context_p, source_p);\n return SCAN_KEEP_TOKEN;\n }\n else if (JERRY_UNLIKELY (lexer_token_is_async (context_p)))\n {\n scanner_context_p->async_source_p = source_p;\n scanner_check_async_function (context_p, scanner_context_p);\n return SCAN_KEEP_TOKEN;\n }\n#endif /* ENABLED (JERRY_ES2015) */\n\n if (context_p->token.lit_location.type == LEXER_IDENT_LITERAL)\n {\n scanner_add_reference (context_p, scanner_context_p);\n }\n /* FALLTHRU */\n }\n case LEXER_KEYW_THIS:\n case LEXER_KEYW_SUPER:\n case LEXER_LIT_TRUE:\n case LEXER_LIT_FALSE:\n case LEXER_LIT_NULL:\n {\n scanner_context_p->mode = SCAN_MODE_POST_PRIMARY_EXPRESSION;\n break;\n }\n#if ENABLED (JERRY_ES2015)\n case LEXER_KEYW_CLASS:\n {\n scanner_push_class_declaration (context_p, scanner_context_p, 
SCAN_STACK_CLASS_EXPRESSION);\n\n if (context_p->token.type != LEXER_LITERAL || context_p->token.lit_location.type != LEXER_IDENT_LITERAL)\n {\n return SCAN_KEEP_TOKEN;\n }\n break;\n }\n#endif /* ENABLED (JERRY_ES2015) */\n case LEXER_RIGHT_SQUARE:\n {\n if (stack_top != SCAN_STACK_ARRAY_LITERAL)\n {\n scanner_raise_error (context_p);\n }\n\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION_END;\n return SCAN_KEEP_TOKEN;\n }\n#if ENABLED (JERRY_ES2015)\n case LEXER_THREE_DOTS:\n {\n /* Elision or spread arguments */\n if (stack_top != SCAN_STACK_PAREN_EXPRESSION && stack_top != SCAN_STACK_ARRAY_LITERAL)\n {\n scanner_raise_error (context_p);\n }\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n break;\n }\n#endif /* ENABLED (JERRY_ES2015) */\n case LEXER_COMMA:\n {\n if (stack_top != SCAN_STACK_ARRAY_LITERAL)\n {\n scanner_raise_error (context_p);\n }\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION;\n\n#if ENABLED (JERRY_ES2015)\n if (scanner_context_p->binding_type != SCANNER_BINDING_NONE)\n {\n scanner_context_p->mode = SCAN_MODE_BINDING;\n }\n#endif /* ENABLED (JERRY_ES2015) */\n break;\n }\n#if ENABLED (JERRY_ES2015)\n case LEXER_KEYW_YIELD:\n {\n lexer_next_token (context_p);\n\n if (lexer_check_yield_no_arg (context_p))\n {\n scanner_context_p->mode = SCAN_MODE_PRIMARY_EXPRESSION_END;\n }\n\n if (context_p->token.type == LEXER_MULTIPLY)\n {\n return SCAN_NEXT_TOKEN;\n }\n return SCAN_KEEP_TOKEN;\n }\n#endif /* ENABLED (JERRY_ES2015) */\n case LEXER_RIGHT_PAREN:\n {\n if (stack_top == SCAN_STACK_PAREN_EXPRESSION)\n {\n scanner_context_p->mode = SCAN_MODE_POST_PRIMARY_EXPRESSION;\n parser_stack_pop_uint8 (context_p);\n break;\n }\n /* FALLTHRU */\n }\n default:\n {\n scanner_raise_error (context_p);\n }\n }\n return SCAN_NEXT_TOKEN;\n} /* scanner_scan_primary_expression */", "project": "jerryscript", "hash": 175098288631348423689707295420535660630, "size": 213, "commit_id": "69f8e78c2f8d562bd6d8002b5488f1662ac30d24", "message": "Fix 
error handling in scanner when in case of OOM (#3793)\n\nThis patch fixes #3786 and fixes #3788.\r\n\r\nJerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu", "target": 0, "dataset": "other", "idx": 274779 }, { "func": "parse_file_access_string(const ref *op, char file_access[4])\n{\n const byte *astr;\n\n check_read_type(*op, t_string);\n astr = op->value.const_bytes;\n switch (r_size(op)) {\n case 2:\n if (astr[1] != '+')\n return_error(gs_error_invalidfileaccess);\n file_access[1] = '+';\n file_access[2] = 0;\n break;\n case 1:\n file_access[1] = 0;\n break;\n default:\n return_error(gs_error_invalidfileaccess);\n }\n switch (astr[0]) {\n case 'r':\n case 'w':\n case 'a':\n break;\n default:\n return_error(gs_error_invalidfileaccess);\n }\n file_access[0] = astr[0];\n return 0;\n}", "project": "ghostpdl", "hash": 138104943793680174396538668770610440551, "size": 30, "commit_id": "ab109aaeb3ddba59518b036fb288402a65cf7ce8", "message": "Bug 694724: Have filenameforall and getenv honor SAFER", "target": 0, "dataset": "other", "idx": 277041 }, { "func": "calculateNumYLevels (const TileDescription& tileDesc,\n\t\t int minX, int maxX,\n\t\t int minY, int maxY)\n{\n int num = 0;\n\n switch (tileDesc.mode)\n {\n case ONE_LEVEL:\n\n\tnum = 1;\n\tbreak;\n\n case MIPMAP_LEVELS:\n\n\t{\n\t int w = maxX - minX + 1;\n\t int h = maxY - minY + 1;\n\t num = roundLog2 (std::max (w, h), tileDesc.roundingMode) + 1;\n\t}\n break;\n\n case RIPMAP_LEVELS:\n\n\t{\n\t int h = maxY - minY + 1;\n\t num = roundLog2 (h, tileDesc.roundingMode) + 1;\n\t}\n\tbreak;\n\n default:\n\n\tthrow IEX_NAMESPACE::ArgExc (\"Unknown LevelMode format.\");\n }\n\n return num;\n}", "project": "openexr", "hash": 310093628111702745623094856010099282965, "size": 37, "commit_id": "2a18ed424a854598c2a20b5dd7e782b436a1e753", "message": "Avoid overflow in calculateNumTiles when size=MAX_INT (#825)\n\n* Avoid overflow in calculateNumTiles when size=MAX_INT\r\n\r\nSigned-off-by: Cary Phillips 
\r\n\r\n* Compute level size with 64 bits to avoid overflow\r\n\r\nSigned-off-by: Cary Phillips ", "target": 0, "dataset": "other", "idx": 277653 }, { "func": "getTiledChunkOffsetTableSize(const Header& header)\n{\n //\n // Save the dataWindow information\n //\n\n const Box2i &dataWindow = header.dataWindow();\n \n //\n // Precompute level and tile information.\n //\n\n int* numXTiles=nullptr;\n int* numYTiles=nullptr;\n int numXLevels;\n int numYLevels;\n try\n {\n precalculateTileInfo (header.tileDescription(),\n dataWindow.min.x, dataWindow.max.x,\n dataWindow.min.y, dataWindow.max.y,\n numXTiles, numYTiles,\n numXLevels, numYLevels);\n\n //\n // Calculate lineOffsetSize.\n //\n Int64 lineOffsetSize = 0;\n const TileDescription &desc = header.tileDescription();\n switch (desc.mode)\n {\n case ONE_LEVEL:\n case MIPMAP_LEVELS:\n for (int i = 0; i < numXLevels; i++)\n {\n lineOffsetSize += static_cast(numXTiles[i]) * static_cast(numYTiles[i]);\n if ( lineOffsetSize > static_cast(std::numeric_limits::max()) )\n {\n throw IEX_NAMESPACE::LogicExc(\"Maximum number of tiles exceeded\");\n }\n }\n break;\n case RIPMAP_LEVELS:\n for (int i = 0; i < numXLevels; i++)\n {\n for (int j = 0; j < numYLevels; j++)\n {\n lineOffsetSize += static_cast(numXTiles[i]) * static_cast(numYTiles[j]);\n if ( lineOffsetSize > static_cast(std::numeric_limits::max()) )\n {\n throw IEX_NAMESPACE::LogicExc(\"Maximum number of tiles exceeded\");\n }\n }\n }\n break;\n case NUM_LEVELMODES :\n throw IEX_NAMESPACE::LogicExc(\"Bad level mode getting chunk offset table size\");\n }\n delete[] numXTiles;\n delete[] numYTiles;\n\n return static_cast(lineOffsetSize);\n\n }\n catch(...)\n {\n delete[] numXTiles;\n delete[] numYTiles;\n\n throw;\n }\n\n}", "project": "openexr", "hash": 247094005871962123231599386710206673434, "size": 73, "commit_id": "2a18ed424a854598c2a20b5dd7e782b436a1e753", "message": "Avoid overflow in calculateNumTiles when size=MAX_INT (#825)\n\n* Avoid overflow in 
calculateNumTiles when size=MAX_INT\r\n\r\nSigned-off-by: Cary Phillips \r\n\r\n* Compute level size with 64 bits to avoid overflow\r\n\r\nSigned-off-by: Cary Phillips ", "target": 0, "dataset": "other", "idx": 277656 }, { "func": "calculateNumXLevels (const TileDescription& tileDesc,\n\t\t int minX, int maxX,\n\t\t int minY, int maxY)\n{\n int num = 0;\n\n switch (tileDesc.mode)\n {\n case ONE_LEVEL:\n\n\tnum = 1;\n\tbreak;\n\n case MIPMAP_LEVELS:\n\n\t{\n\t int w = maxX - minX + 1;\n\t int h = maxY - minY + 1;\n\t num = roundLog2 (std::max (w, h), tileDesc.roundingMode) + 1;\n\t}\n break;\n\n case RIPMAP_LEVELS:\n\n\t{\n\t int w = maxX - minX + 1;\n\t num = roundLog2 (w, tileDesc.roundingMode) + 1;\n\t}\n\tbreak;\n\n default:\n\n\tthrow IEX_NAMESPACE::ArgExc (\"Unknown LevelMode format.\");\n }\n\n return num;\n}", "project": "openexr", "hash": 262605228049446100795171753485227597697, "size": 37, "commit_id": "2a18ed424a854598c2a20b5dd7e782b436a1e753", "message": "Avoid overflow in calculateNumTiles when size=MAX_INT (#825)\n\n* Avoid overflow in calculateNumTiles when size=MAX_INT\r\n\r\nSigned-off-by: Cary Phillips \r\n\r\n* Compute level size with 64 bits to avoid overflow\r\n\r\nSigned-off-by: Cary Phillips ", "target": 0, "dataset": "other", "idx": 277664 }, { "func": "get_complete_funcname(int type)\n{\n switch (type)\n {\n\tcase CTRL_X_FUNCTION:\n\t return curbuf->b_p_cfu;\n\tcase CTRL_X_OMNI:\n\t return curbuf->b_p_ofu;\n\tcase CTRL_X_THESAURUS:\n\t return *curbuf->b_p_tsrfu == NUL ? 
p_tsrfu : curbuf->b_p_tsrfu;\n\tdefault:\n\t return (char_u *)\"\";\n }\n}", "project": "vim", "hash": 138135699541359901413174179471899251548, "size": 14, "commit_id": "a6f9e300161f4cb54713da22f65b261595e8e614", "message": "patch 9.0.0102: reading past end of line with insert mode completion\n\nProblem: Reading past end of line with insert mode completion.\nSolution: Check text length.", "target": 0, "dataset": "other", "idx": 277908 }, { "func": "ins_compl_use_match(int c)\n{\n switch (c)\n {\n\tcase K_UP:\n\tcase K_DOWN:\n\tcase K_PAGEDOWN:\n\tcase K_KPAGEDOWN:\n\tcase K_S_DOWN:\n\tcase K_PAGEUP:\n\tcase K_KPAGEUP:\n\tcase K_S_UP:\n\t return FALSE;\n }\n return TRUE;\n}", "project": "vim", "hash": 200028237957869441823970158197789654040, "size": 16, "commit_id": "a6f9e300161f4cb54713da22f65b261595e8e614", "message": "patch 9.0.0102: reading past end of line with insert mode completion\n\nProblem: Reading past end of line with insert mode completion.\nSolution: Check text length.", "target": 0, "dataset": "other", "idx": 277935 }, { "func": "set_ctrl_x_mode(int c)\n{\n int retval = FALSE;\n\n switch (c)\n {\n\tcase Ctrl_E:\n\tcase Ctrl_Y:\n\t // scroll the window one line up or down\n\t ctrl_x_mode = CTRL_X_SCROLL;\n\t if (!(State & REPLACE_FLAG))\n\t\tedit_submode = (char_u *)_(\" (insert) Scroll (^E/^Y)\");\n\t else\n\t\tedit_submode = (char_u *)_(\" (replace) Scroll (^E/^Y)\");\n\t edit_submode_pre = NULL;\n\t showmode();\n\t break;\n\tcase Ctrl_L:\n\t // complete whole line\n\t ctrl_x_mode = CTRL_X_WHOLE_LINE;\n\t break;\n\tcase Ctrl_F:\n\t // complete filenames\n\t ctrl_x_mode = CTRL_X_FILES;\n\t break;\n\tcase Ctrl_K:\n\t // complete words from a dictinoary\n\t ctrl_x_mode = CTRL_X_DICTIONARY;\n\t break;\n\tcase Ctrl_R:\n\t // Register insertion without exiting CTRL-X mode\n\t // Simply allow ^R to happen without affecting ^X mode\n\t break;\n\tcase Ctrl_T:\n\t // complete words from a thesaurus\n\t ctrl_x_mode = CTRL_X_THESAURUS;\n\t break;\n#ifdef 
FEAT_COMPL_FUNC\n\tcase Ctrl_U:\n\t // user defined completion\n\t ctrl_x_mode = CTRL_X_FUNCTION;\n\t break;\n\tcase Ctrl_O:\n\t // omni completion\n\t ctrl_x_mode = CTRL_X_OMNI;\n\t break;\n#endif\n\tcase 's':\n\tcase Ctrl_S:\n\t // complete spelling suggestions\n\t ctrl_x_mode = CTRL_X_SPELL;\n#ifdef FEAT_SPELL\n\t ++emsg_off;\t// Avoid getting the E756 error twice.\n\t spell_back_to_badword();\n\t --emsg_off;\n#endif\n\t break;\n\tcase Ctrl_RSB:\n\t // complete tag names\n\t ctrl_x_mode = CTRL_X_TAGS;\n\t break;\n#ifdef FEAT_FIND_ID\n\tcase Ctrl_I:\n\tcase K_S_TAB:\n\t // complete keywords from included files\n\t ctrl_x_mode = CTRL_X_PATH_PATTERNS;\n\t break;\n\tcase Ctrl_D:\n\t // complete definitions from included files\n\t ctrl_x_mode = CTRL_X_PATH_DEFINES;\n\t break;\n#endif\n\tcase Ctrl_V:\n\tcase Ctrl_Q:\n\t // complete vim commands\n\t ctrl_x_mode = CTRL_X_CMDLINE;\n\t break;\n\tcase Ctrl_Z:\n\t // stop completion\n\t ctrl_x_mode = CTRL_X_NORMAL;\n\t edit_submode = NULL;\n\t showmode();\n\t retval = TRUE;\n\t break;\n\tcase Ctrl_P:\n\tcase Ctrl_N:\n\t // ^X^P means LOCAL expansion if nothing interrupted (eg we\n\t // just started ^X mode, or there were enough ^X's to cancel\n\t // the previous mode, say ^X^F^X^X^P or ^P^X^X^X^P, see below)\n\t // do normal expansion when interrupting a different mode (say\n\t // ^X^F^X^P or ^P^X^X^P, see below)\n\t // nothing changes if interrupting mode 0, (eg, the flag\n\t // doesn't change when going to ADDING mode -- Acevedo\n\t if (!(compl_cont_status & CONT_INTRPT))\n\t\tcompl_cont_status |= CONT_LOCAL;\n\t else if (compl_cont_mode != 0)\n\t\tcompl_cont_status &= ~CONT_LOCAL;\n\t // FALLTHROUGH\n\tdefault:\n\t // If we have typed at least 2 ^X's... 
for modes != 0, we set\n\t // compl_cont_status = 0 (eg, as if we had just started ^X\n\t // mode).\n\t // For mode 0, we set \"compl_cont_mode\" to an impossible\n\t // value, in both cases ^X^X can be used to restart the same\n\t // mode (avoiding ADDING mode).\n\t // Undocumented feature: In a mode != 0 ^X^P and ^X^X^P start\n\t // 'complete' and local ^P expansions respectively.\n\t // In mode 0 an extra ^X is needed since ^X^P goes to ADDING\n\t // mode -- Acevedo\n\t if (c == Ctrl_X)\n\t {\n\t\tif (compl_cont_mode != 0)\n\t\t compl_cont_status = 0;\n\t\telse\n\t\t compl_cont_mode = CTRL_X_NOT_DEFINED_YET;\n\t }\n\t ctrl_x_mode = CTRL_X_NORMAL;\n\t edit_submode = NULL;\n\t showmode();\n\t break;\n }\n\n return retval;\n}", "project": "vim", "hash": 173462575852305376610154040073652686305, "size": 124, "commit_id": "a6f9e300161f4cb54713da22f65b261595e8e614", "message": "patch 9.0.0102: reading past end of line with insert mode completion\n\nProblem: Reading past end of line with insert mode completion.\nSolution: Check text length.", "target": 0, "dataset": "other", "idx": 277982 }, { "func": "vim_is_ctrl_x_key(int c)\n{\n // Always allow ^R - let its results then be checked\n if (c == Ctrl_R)\n\treturn TRUE;\n\n // Accept and if the popup menu is visible.\n if (ins_compl_pum_key(c))\n\treturn TRUE;\n\n switch (ctrl_x_mode)\n {\n\tcase 0:\t\t // Not in any CTRL-X mode\n\t return (c == Ctrl_N || c == Ctrl_P || c == Ctrl_X);\n\tcase CTRL_X_NOT_DEFINED_YET:\n\tcase CTRL_X_CMDLINE_CTRL_X:\n\t return ( c == Ctrl_X || c == Ctrl_Y || c == Ctrl_E\n\t\t || c == Ctrl_L || c == Ctrl_F || c == Ctrl_RSB\n\t\t || c == Ctrl_I || c == Ctrl_D || c == Ctrl_P\n\t\t || c == Ctrl_N || c == Ctrl_T || c == Ctrl_V\n\t\t || c == Ctrl_Q || c == Ctrl_U || c == Ctrl_O\n\t\t || c == Ctrl_S || c == Ctrl_K || c == 's'\n\t\t || c == Ctrl_Z);\n\tcase CTRL_X_SCROLL:\n\t return (c == Ctrl_Y || c == Ctrl_E);\n\tcase CTRL_X_WHOLE_LINE:\n\t return (c == Ctrl_L || c == Ctrl_P || c == 
Ctrl_N);\n\tcase CTRL_X_FILES:\n\t return (c == Ctrl_F || c == Ctrl_P || c == Ctrl_N);\n\tcase CTRL_X_DICTIONARY:\n\t return (c == Ctrl_K || c == Ctrl_P || c == Ctrl_N);\n\tcase CTRL_X_THESAURUS:\n\t return (c == Ctrl_T || c == Ctrl_P || c == Ctrl_N);\n\tcase CTRL_X_TAGS:\n\t return (c == Ctrl_RSB || c == Ctrl_P || c == Ctrl_N);\n#ifdef FEAT_FIND_ID\n\tcase CTRL_X_PATH_PATTERNS:\n\t return (c == Ctrl_P || c == Ctrl_N);\n\tcase CTRL_X_PATH_DEFINES:\n\t return (c == Ctrl_D || c == Ctrl_P || c == Ctrl_N);\n#endif\n\tcase CTRL_X_CMDLINE:\n\t return (c == Ctrl_V || c == Ctrl_Q || c == Ctrl_P || c == Ctrl_N\n\t\t || c == Ctrl_X);\n#ifdef FEAT_COMPL_FUNC\n\tcase CTRL_X_FUNCTION:\n\t return (c == Ctrl_U || c == Ctrl_P || c == Ctrl_N);\n\tcase CTRL_X_OMNI:\n\t return (c == Ctrl_O || c == Ctrl_P || c == Ctrl_N);\n#endif\n\tcase CTRL_X_SPELL:\n\t return (c == Ctrl_S || c == Ctrl_P || c == Ctrl_N);\n\tcase CTRL_X_EVAL:\n\t return (c == Ctrl_P || c == Ctrl_N);\n }\n internal_error(\"vim_is_ctrl_x_key()\");\n return FALSE;\n}", "project": "vim", "hash": 311729850977622480624302196854646391991, "size": 58, "commit_id": "a6f9e300161f4cb54713da22f65b261595e8e614", "message": "patch 9.0.0102: reading past end of line with insert mode completion\n\nProblem: Reading past end of line with insert mode completion.\nSolution: Check text length.", "target": 0, "dataset": "other", "idx": 278008 }, { "func": "get_next_completion_match(int type, ins_compl_next_state_T *st, pos_T *ini)\n{\n int\tfound_new_match = FALSE;\n\n switch (type)\n {\n\tcase -1:\n\t break;\n#ifdef FEAT_FIND_ID\n\tcase CTRL_X_PATH_PATTERNS:\n\tcase CTRL_X_PATH_DEFINES:\n\t get_next_include_file_completion(type);\n\t break;\n#endif\n\n\tcase CTRL_X_DICTIONARY:\n\tcase CTRL_X_THESAURUS:\n\t get_next_dict_tsr_completion(type, st->dict, st->dict_f);\n\t st->dict = NULL;\n\t break;\n\n\tcase CTRL_X_TAGS:\n\t get_next_tag_completion();\n\t break;\n\n\tcase CTRL_X_FILES:\n\t get_next_filename_completion();\n\t break;\n\n\tcase 
CTRL_X_CMDLINE:\n\tcase CTRL_X_CMDLINE_CTRL_X:\n\t get_next_cmdline_completion();\n\t break;\n\n#ifdef FEAT_COMPL_FUNC\n\tcase CTRL_X_FUNCTION:\n\tcase CTRL_X_OMNI:\n\t expand_by_function(type, compl_pattern);\n\t break;\n#endif\n\n\tcase CTRL_X_SPELL:\n\t get_next_spell_completion(st->first_match_pos.lnum);\n\t break;\n\n\tdefault:\t// normal ^P/^N and ^X^L\n\t found_new_match = get_next_default_completion(st, ini);\n\t if (found_new_match == FAIL && st->ins_buf == curbuf)\n\t\tst->found_all = TRUE;\n }\n\n // check if compl_curr_match has changed, (e.g. other type of\n // expansion added something)\n if (type != 0 && compl_curr_match != compl_old_match)\n\tfound_new_match = OK;\n\n return found_new_match;\n}", "project": "vim", "hash": 186811320118153716924976836232673809330, "size": 58, "commit_id": "a6f9e300161f4cb54713da22f65b261595e8e614", "message": "patch 9.0.0102: reading past end of line with insert mode completion\n\nProblem: Reading past end of line with insert mode completion.\nSolution: Check text length.", "target": 0, "dataset": "other", "idx": 278023 }, { "func": "ins_compl_accept_char(int c)\n{\n if (ctrl_x_mode & CTRL_X_WANT_IDENT)\n\t// When expanding an identifier only accept identifier chars.\n\treturn vim_isIDc(c);\n\n switch (ctrl_x_mode)\n {\n\tcase CTRL_X_FILES:\n\t // When expanding file name only accept file name chars. 
But not\n\t // path separators, so that \"proto/\" expands files in\n\t // \"proto\", not \"proto/\" as a whole\n\t return vim_isfilec(c) && !vim_ispathsep(c);\n\n\tcase CTRL_X_CMDLINE:\n\tcase CTRL_X_CMDLINE_CTRL_X:\n\tcase CTRL_X_OMNI:\n\t // Command line and Omni completion can work with just about any\n\t // printable character, but do stop at white space.\n\t return vim_isprintc(c) && !VIM_ISWHITE(c);\n\n\tcase CTRL_X_WHOLE_LINE:\n\t // For while line completion a space can be part of the line.\n\t return vim_isprintc(c);\n }\n return vim_iswordc(c);\n}", "project": "vim", "hash": 69405104769354316588986738957393901120, "size": 27, "commit_id": "a6f9e300161f4cb54713da22f65b261595e8e614", "message": "patch 9.0.0102: reading past end of line with insert mode completion\n\nProblem: Reading past end of line with insert mode completion.\nSolution: Check text length.", "target": 0, "dataset": "other", "idx": 278028 }, { "func": "nosy_ioctl(struct file *file, unsigned int cmd, unsigned long arg)\n{\n\tstruct client *client = file->private_data;\n\tspinlock_t *client_list_lock = &client->lynx->client_list_lock;\n\tstruct nosy_stats stats;\n\tint ret;\n\n\tswitch (cmd) {\n\tcase NOSY_IOC_GET_STATS:\n\t\tspin_lock_irq(client_list_lock);\n\t\tstats.total_packet_count = client->buffer.total_packet_count;\n\t\tstats.lost_packet_count = client->buffer.lost_packet_count;\n\t\tspin_unlock_irq(client_list_lock);\n\n\t\tif (copy_to_user((void __user *) arg, &stats, sizeof stats))\n\t\t\treturn -EFAULT;\n\t\telse\n\t\t\treturn 0;\n\n\tcase NOSY_IOC_START:\n\t\tret = -EBUSY;\n\t\tspin_lock_irq(client_list_lock);\n\t\tif (list_empty(&client->link)) {\n\t\t\tlist_add_tail(&client->link, &client->lynx->client_list);\n\t\t\tret = 0;\n\t\t}\n\t\tspin_unlock_irq(client_list_lock);\n\n\t\treturn ret;\n\n\tcase NOSY_IOC_STOP:\n\t\tspin_lock_irq(client_list_lock);\n\t\tlist_del_init(&client->link);\n\t\tspin_unlock_irq(client_list_lock);\n\n\t\treturn 0;\n\n\tcase 
NOSY_IOC_FILTER:\n\t\tspin_lock_irq(client_list_lock);\n\t\tclient->tcode_mask = arg;\n\t\tspin_unlock_irq(client_list_lock);\n\n\t\treturn 0;\n\n\tdefault:\n\t\treturn -EINVAL;\n\t\t/* Flush buffer, configure filter. */\n\t}\n}", "project": "linux", "hash": 228155701602816497915464580422124821519, "size": 49, "commit_id": "829933ef05a951c8ff140e814656d73e74915faf", "message": "firewire: nosy: Fix a use-after-free bug in nosy_ioctl()\n\nFor each device, the nosy driver allocates a pcilynx structure.\nA use-after-free might happen in the following scenario:\n\n 1. Open nosy device for the first time and call ioctl with command\n NOSY_IOC_START, then a new client A will be malloced and added to\n doubly linked list.\n 2. Open nosy device for the second time and call ioctl with command\n NOSY_IOC_START, then a new client B will be malloced and added to\n doubly linked list.\n 3. Call ioctl with command NOSY_IOC_START for client A, then client A\n will be readded to the doubly linked list. Now the doubly linked\n list is messed up.\n 4. Close the first nosy device and nosy_release will be called. In\n nosy_release, client A will be unlinked and freed.\n 5. Close the second nosy device, and client A will be referenced,\n resulting in UAF.\n\nThe root cause of this bug is that the element in the doubly linked list\nis reentered into the list.\n\nFix this bug by adding a check before inserting a client. 
If a client\nis already in the linked list, don't insert it.\n\nThe following KASAN report reveals it:\n\n BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210\n Write of size 8 at addr ffff888102ad7360 by task poc\n CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n Call Trace:\n nosy_release+0x1ea/0x210\n __fput+0x1e2/0x840\n task_work_run+0xe8/0x180\n exit_to_user_mode_prepare+0x114/0x120\n syscall_exit_to_user_mode+0x1d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Allocated by task 337:\n nosy_open+0x154/0x4d0\n misc_open+0x2ec/0x410\n chrdev_open+0x20d/0x5a0\n do_dentry_open+0x40f/0xe80\n path_openat+0x1cf9/0x37b0\n do_filp_open+0x16d/0x390\n do_sys_openat2+0x11d/0x360\n __x64_sys_open+0xfd/0x1a0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Freed by task 337:\n kfree+0x8f/0x210\n nosy_release+0x158/0x210\n __fput+0x1e2/0x840\n task_work_run+0xe8/0x180\n exit_to_user_mode_prepare+0x114/0x120\n syscall_exit_to_user_mode+0x1d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128\n The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380)\n\n[ Modified to use 'list_empty()' inside proper lock - Linus ]\n\nLink: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/\nReported-and-tested-by: 马哲宇 (Zheyu Ma) \nSigned-off-by: Zheyu Ma \nCc: Greg Kroah-Hartman \nCc: Stefan Richter \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 279632 }, { "func": "MagickExport Image *StatisticImageChannel(const Image *image,\n const ChannelType channel,const StatisticType type,const size_t width,\n const size_t height,ExceptionInfo *exception)\n{\n#define StatisticImageTag \"Statistic/Image\"\n\n CacheView\n *image_view,\n 
*statistic_view;\n\n Image\n *statistic_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n PixelList\n **magick_restrict pixel_list;\n\n size_t\n neighbor_height,\n neighbor_width;\n\n ssize_t\n y;\n\n /*\n Initialize statistics image attributes.\n */\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n statistic_image=CloneImage(image,0,0,MagickTrue,exception);\n if (statistic_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(statistic_image,DirectClass) == MagickFalse)\n {\n InheritException(exception,&statistic_image->exception);\n statistic_image=DestroyImage(statistic_image);\n return((Image *) NULL);\n }\n neighbor_width=width == 0 ? GetOptimalKernelWidth2D((double) width,0.5) :\n width;\n neighbor_height=height == 0 ? GetOptimalKernelWidth2D((double) height,0.5) :\n height;\n pixel_list=AcquirePixelListThreadSet(neighbor_width,neighbor_height);\n if (pixel_list == (PixelList **) NULL)\n {\n statistic_image=DestroyImage(statistic_image);\n ThrowImageException(ResourceLimitError,\"MemoryAllocationFailed\");\n }\n /*\n Make each pixel the min / max / median / mode / etc. 
of the neighborhood.\n */\n status=MagickTrue;\n progress=0;\n image_view=AcquireVirtualCacheView(image,exception);\n statistic_view=AcquireAuthenticCacheView(statistic_image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,statistic_image,statistic_image->rows,1)\n#endif\n for (y=0; y < (ssize_t) statistic_image->rows; y++)\n {\n const int\n id = GetOpenMPThreadId();\n\n const IndexPacket\n *magick_restrict indexes;\n\n const PixelPacket\n *magick_restrict p;\n\n IndexPacket\n *magick_restrict statistic_indexes;\n\n PixelPacket\n *magick_restrict q;\n\n ssize_t\n x;\n\n if (status == MagickFalse)\n continue;\n p=GetCacheViewVirtualPixels(image_view,-((ssize_t) neighbor_width/2L),y-\n (ssize_t) (neighbor_height/2L),image->columns+neighbor_width,\n neighbor_height,exception);\n q=QueueCacheViewAuthenticPixels(statistic_view,0,y,statistic_image->columns, 1,exception);\n if ((p == (const PixelPacket *) NULL) || (q == (PixelPacket *) NULL))\n {\n status=MagickFalse;\n continue;\n }\n indexes=GetCacheViewVirtualIndexQueue(image_view);\n statistic_indexes=GetCacheViewAuthenticIndexQueue(statistic_view);\n for (x=0; x < (ssize_t) statistic_image->columns; x++)\n {\n MagickPixelPacket\n pixel;\n\n const IndexPacket\n *magick_restrict s;\n\n const PixelPacket\n *magick_restrict r;\n\n ssize_t\n u,\n v;\n\n r=p;\n s=indexes+x;\n ResetPixelList(pixel_list[id]);\n for (v=0; v < (ssize_t) neighbor_height; v++)\n {\n for (u=0; u < (ssize_t) neighbor_width; u++)\n InsertPixelList(image,r+u,s+u,pixel_list[id]);\n r+=image->columns+neighbor_width;\n s+=image->columns+neighbor_width;\n }\n GetMagickPixelPacket(image,&pixel);\n SetMagickPixelPacket(image,p+neighbor_width*neighbor_height/2,indexes+x+\n neighbor_width*neighbor_height/2,&pixel);\n switch (type)\n {\n case GradientStatistic:\n {\n MagickPixelPacket\n maximum,\n minimum;\n\n GetMinimumPixelList(pixel_list[id],&pixel);\n 
minimum=pixel;\n GetMaximumPixelList(pixel_list[id],&pixel);\n maximum=pixel;\n pixel.red=MagickAbsoluteValue(maximum.red-minimum.red);\n pixel.green=MagickAbsoluteValue(maximum.green-minimum.green);\n pixel.blue=MagickAbsoluteValue(maximum.blue-minimum.blue);\n pixel.opacity=MagickAbsoluteValue(maximum.opacity-minimum.opacity);\n if (image->colorspace == CMYKColorspace)\n pixel.index=MagickAbsoluteValue(maximum.index-minimum.index);\n break;\n }\n case MaximumStatistic:\n {\n GetMaximumPixelList(pixel_list[id],&pixel);\n break;\n }\n case MeanStatistic:\n {\n GetMeanPixelList(pixel_list[id],&pixel);\n break;\n }\n case MedianStatistic:\n default:\n {\n GetMedianPixelList(pixel_list[id],&pixel);\n break;\n }\n case MinimumStatistic:\n {\n GetMinimumPixelList(pixel_list[id],&pixel);\n break;\n }\n case ModeStatistic:\n {\n GetModePixelList(pixel_list[id],&pixel);\n break;\n }\n case NonpeakStatistic:\n {\n GetNonpeakPixelList(pixel_list[id],&pixel);\n break;\n }\n case RootMeanSquareStatistic:\n {\n GetRootMeanSquarePixelList(pixel_list[id],&pixel);\n break;\n }\n case StandardDeviationStatistic:\n {\n GetStandardDeviationPixelList(pixel_list[id],&pixel);\n break;\n }\n }\n if ((channel & RedChannel) != 0)\n SetPixelRed(q,ClampToQuantum(pixel.red));\n if ((channel & GreenChannel) != 0)\n SetPixelGreen(q,ClampToQuantum(pixel.green));\n if ((channel & BlueChannel) != 0)\n SetPixelBlue(q,ClampToQuantum(pixel.blue));\n if ((channel & OpacityChannel) != 0)\n SetPixelOpacity(q,ClampToQuantum(pixel.opacity));\n if (((channel & IndexChannel) != 0) &&\n (image->colorspace == CMYKColorspace))\n SetPixelIndex(statistic_indexes+x,ClampToQuantum(pixel.index));\n p++;\n q++;\n }\n if (SyncCacheViewAuthenticPixels(statistic_view,exception) == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n proceed=SetImageProgress(image,StatisticImageTag,progress++,\n image->rows);\n if (proceed == 
MagickFalse)\n status=MagickFalse;\n }\n }\n statistic_view=DestroyCacheView(statistic_view);\n image_view=DestroyCacheView(image_view);\n pixel_list=DestroyPixelListThreadSet(pixel_list);\n if (status == MagickFalse)\n statistic_image=DestroyImage(statistic_image);\n return(statistic_image);\n}", "project": "ImageMagick6", "hash": 61727360178280006374443353017333524289, "size": 225, "commit_id": "072d7b10dbe74d1cf4ec0d008990c1a28c076f9e", "message": "https://github.com/ImageMagick/ImageMagick/issues/3332", "target": 0, "dataset": "other", "idx": 279681 }, { "func": "ofpact_parse(enum ofpact_type type, char *value,\n const struct ofpact_parse_params *pp)\n{\n switch (type) {\n#define OFPACT(ENUM, STRUCT, MEMBER, NAME) \\\n case OFPACT_##ENUM: \\\n return parse_##ENUM(value, pp);\n OFPACTS\n#undef OFPACT\n default:\n OVS_NOT_REACHED();\n }\n}", "project": "ovs", "hash": 20964743774376710722815228135144369347, "size": 13, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. 
However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280515 }, { "func": "ofpact_check_output_port(ofp_port_t port, ofp_port_t max_ports)\n{\n switch (port) {\n case OFPP_IN_PORT:\n case OFPP_TABLE:\n case OFPP_NORMAL:\n case OFPP_FLOOD:\n case OFPP_ALL:\n case OFPP_CONTROLLER:\n case OFPP_LOCAL:\n return 0;\n\n case 
OFPP_NONE:\n return OFPERR_OFPBAC_BAD_OUT_PORT;\n\n default:\n if (ofp_to_u16(port) < ofp_to_u16(max_ports)) {\n return 0;\n }\n return OFPERR_OFPBAC_BAD_OUT_PORT;\n }\n}", "project": "ovs", "hash": 58020863304590970816441051068222634111, "size": 22, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: 
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280555 }, { "func": "encode_ofpact(const struct ofpact *a, enum ofp_version ofp_version,\n struct ofpbuf *out)\n{\n switch (a->type) {\n#define OFPACT(ENUM, STRUCT, MEMBER, NAME) \\\n case OFPACT_##ENUM: \\\n encode_##ENUM(ofpact_get_##ENUM(a), ofp_version, out); \\\n return;\n OFPACTS\n#undef OFPACT\n default:\n OVS_NOT_REACHED();\n }\n}", "project": "ovs", "hash": 347542977678789506720000451091515459, "size": 14, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 
0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280556 }, { "func": "ofpact_put_raw(struct ofpbuf *buf, enum ofp_version ofp_version,\n enum ofp_raw_action_type raw, uint64_t arg)\n{\n const struct ofpact_raw_instance *inst;\n struct ofp_action_header *oah;\n const struct ofpact_hdrs *hdrs;\n\n inst = ofpact_raw_lookup(ofp_version, raw);\n hdrs = &inst->hdrs;\n\n oah = ofpbuf_put_zeros(buf, inst->min_length);\n oah->type = htons(hdrs->vendor ? OFPAT_VENDOR : hdrs->type);\n oah->len = htons(inst->min_length);\n oah->vendor = htonl(hdrs->vendor);\n\n switch (hdrs->vendor) {\n case 0:\n break;\n\n case NX_VENDOR_ID:\n case ONF_VENDOR_ID: {\n struct ext_action_header *nah = (struct ext_action_header *) oah;\n nah->subtype = htons(hdrs->type);\n break;\n }\n\n default:\n OVS_NOT_REACHED();\n }\n\n if (inst->arg_len) {\n uint8_t *p = (uint8_t *) oah + inst->arg_ofs + inst->arg_len;\n int i;\n\n for (i = 0; i < inst->arg_len; i++) {\n *--p = arg;\n arg >>= 8;\n }\n } else {\n ovs_assert(!arg);\n }\n\n return oah;\n}", "project": "ovs", "hash": 164197341852481271803838566807068529600, "size": 44, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. 
However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280579 }, { "func": "decode_openflow11_instruction(const struct ofp11_instruction *inst,\n enum ovs_instruction_type *type)\n{\n uint16_t len = ntohs(inst->len);\n\n switch (inst->type) {\n case CONSTANT_HTONS(OFPIT11_EXPERIMENTER):\n return 
OFPERR_OFPBIC_BAD_EXPERIMENTER;\n\n#define DEFINE_INST(ENUM, STRUCT, EXTENSIBLE, NAME) \\\n case CONSTANT_HTONS(ENUM): \\\n if (EXTENSIBLE \\\n ? len >= sizeof(struct STRUCT) \\\n : len == sizeof(struct STRUCT)) { \\\n *type = OVSINST_##ENUM; \\\n return 0; \\\n } else { \\\n return OFPERR_OFPBIC_BAD_LEN; \\\n }\nOVS_INSTRUCTIONS\n#undef DEFINE_INST\n\n default:\n return OFPERR_OFPBIC_UNKNOWN_INST;\n }\n}", "project": "ovs", "hash": 300031507637878310178036615187828196107, "size": 26, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main 
(/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280604 }, { "func": "ofpact_name(enum ofpact_type type)\n{\n switch (type) {\n#define OFPACT(ENUM, STRUCT, MEMBER, NAME) case OFPACT_##ENUM: return NAME;\n OFPACTS\n#undef OFPACT\n }\n return \"\";\n}", "project": "ovs", "hash": 276807343014469984125756864097786944497, "size": 9, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. 
However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280624 }, { "func": "ofpact_check__(struct ofpact *a, struct ofpact_check_params *cp)\n{\n switch (a->type) {\n#define OFPACT(ENUM, STRUCT, MEMBER, NAME) \\\n case OFPACT_##ENUM: \\\n return check_##ENUM(ofpact_get_##ENUM(a), cp);\n OFPACTS\n#undef OFPACT\n 
default:\n OVS_NOT_REACHED();\n }\n}", "project": "ovs", "hash": 326709791163789238126019692192670993687, "size": 12, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and 
decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280649 }, { "func": "format_alg(int port, struct ds *s)\n{\n switch(port) {\n case IPPORT_FTP:\n ds_put_format(s, \"%salg=%sftp,\", colors.param, colors.end);\n break;\n case IPPORT_TFTP:\n ds_put_format(s, \"%salg=%stftp,\", colors.param, colors.end);\n break;\n case 0:\n /* Don't print. */\n break;\n default:\n ds_put_format(s, \"%salg=%s%d,\", colors.param, colors.end, port);\n break;\n }\n}", "project": "ovs", "hash": 95504098344620801917909757125567832534, "size": 17, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in 
main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280660 }, { "func": "ovs_instruction_type_from_ofpact_type(enum ofpact_type type)\n{\n switch (type) {\n case OFPACT_METER:\n return OVSINST_OFPIT13_METER;\n case OFPACT_CLEAR_ACTIONS:\n return OVSINST_OFPIT11_CLEAR_ACTIONS;\n case OFPACT_WRITE_ACTIONS:\n return OVSINST_OFPIT11_WRITE_ACTIONS;\n case OFPACT_WRITE_METADATA:\n return OVSINST_OFPIT11_WRITE_METADATA;\n case OFPACT_GOTO_TABLE:\n return OVSINST_OFPIT11_GOTO_TABLE;\n case OFPACT_OUTPUT:\n case OFPACT_GROUP:\n case OFPACT_CLONE:\n case OFPACT_CONTROLLER:\n case OFPACT_ENQUEUE:\n case OFPACT_OUTPUT_REG:\n case OFPACT_OUTPUT_TRUNC:\n case OFPACT_BUNDLE:\n case OFPACT_SET_VLAN_VID:\n case OFPACT_SET_VLAN_PCP:\n case OFPACT_STRIP_VLAN:\n case OFPACT_PUSH_VLAN:\n case OFPACT_SET_ETH_SRC:\n case OFPACT_SET_ETH_DST:\n case OFPACT_SET_IPV4_SRC:\n case OFPACT_SET_IPV4_DST:\n case OFPACT_SET_IP_DSCP:\n case OFPACT_SET_IP_ECN:\n case OFPACT_SET_IP_TTL:\n case OFPACT_SET_L4_SRC_PORT:\n case OFPACT_SET_L4_DST_PORT:\n case OFPACT_REG_MOVE:\n case OFPACT_SET_FIELD:\n case OFPACT_STACK_PUSH:\n case OFPACT_STACK_POP:\n case OFPACT_DEC_TTL:\n case OFPACT_SET_MPLS_LABEL:\n case OFPACT_SET_MPLS_TC:\n case OFPACT_SET_MPLS_TTL:\n case OFPACT_DEC_MPLS_TTL:\n case OFPACT_PUSH_MPLS:\n case OFPACT_POP_MPLS:\n case OFPACT_SET_TUNNEL:\n case OFPACT_SET_QUEUE:\n case OFPACT_POP_QUEUE:\n case OFPACT_FIN_TIMEOUT:\n case OFPACT_RESUBMIT:\n case OFPACT_LEARN:\n case OFPACT_CONJUNCTION:\n case 
OFPACT_MULTIPATH:\n case OFPACT_NOTE:\n case OFPACT_EXIT:\n case OFPACT_UNROLL_XLATE:\n case OFPACT_SAMPLE:\n case OFPACT_DEBUG_RECIRC:\n case OFPACT_DEBUG_SLOW:\n case OFPACT_CT:\n case OFPACT_CT_CLEAR:\n case OFPACT_NAT:\n case OFPACT_ENCAP:\n case OFPACT_DECAP:\n case OFPACT_DEC_NSH_TTL:\n default:\n return OVSINST_OFPIT11_APPLY_ACTIONS;\n }\n}", "project": "ovs", "hash": 14687905183443930542204706102114985424, "size": 69, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start 
(utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280669 }, { "func": "ovs_instruction_type_from_inst_type(enum ovs_instruction_type *instruction_type,\n const uint16_t inst_type)\n{\n switch (inst_type) {\n\n#define DEFINE_INST(ENUM, STRUCT, EXTENSIBLE, NAME) \\\n case ENUM: \\\n *instruction_type = OVSINST_##ENUM; \\\n return 0;\nOVS_INSTRUCTIONS\n#undef DEFINE_INST\n\n default:\n return OFPERR_OFPBIC_UNKNOWN_INST;\n }\n}", "project": "ovs", "hash": 43853632712499669798264954613560118000, "size": 16, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. 
However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280718 }, { "func": "ofpact_format(const struct ofpact *a,\n const struct ofpact_format_params *fp)\n{\n switch (a->type) {\n#define OFPACT(ENUM, STRUCT, MEMBER, NAME) \\\n case OFPACT_##ENUM: \\\n format_##ENUM(ALIGNED_CAST(const struct STRUCT *, a), fp); \\\n 
break;\n OFPACTS\n#undef OFPACT\n default:\n OVS_NOT_REACHED();\n }\n}", "project": "ovs", "hash": 91325412476098848428612823392374463030, "size": 14, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation 
of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280732 }, { "func": "format_encap_pkt_type(const ovs_be32 pkt_type)\n{\n switch (ntohl(pkt_type)) {\n case PT_ETH:\n return \"ethernet\";\n case PT_NSH:\n return \"nsh\";\n default:\n return \"UNKNOWN\";\n }\n}", "project": "ovs", "hash": 211864302325936227397683586360565987210, "size": 11, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix 
that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280754 }, { "func": "ofpact_next_flattened(const struct ofpact *ofpact)\n{\n switch (ofpact->type) {\n case OFPACT_OUTPUT:\n case OFPACT_GROUP:\n case OFPACT_CONTROLLER:\n case OFPACT_ENQUEUE:\n case OFPACT_OUTPUT_REG:\n case OFPACT_OUTPUT_TRUNC:\n case OFPACT_BUNDLE:\n case OFPACT_SET_FIELD:\n case OFPACT_SET_VLAN_VID:\n case OFPACT_SET_VLAN_PCP:\n case OFPACT_STRIP_VLAN:\n case OFPACT_PUSH_VLAN:\n case OFPACT_SET_ETH_SRC:\n case OFPACT_SET_ETH_DST:\n case OFPACT_SET_IPV4_SRC:\n case OFPACT_SET_IPV4_DST:\n case OFPACT_SET_IP_DSCP:\n case OFPACT_SET_IP_ECN:\n case OFPACT_SET_IP_TTL:\n case OFPACT_SET_L4_SRC_PORT:\n case OFPACT_SET_L4_DST_PORT:\n case OFPACT_REG_MOVE:\n case OFPACT_STACK_PUSH:\n case OFPACT_STACK_POP:\n case OFPACT_DEC_TTL:\n case OFPACT_SET_MPLS_LABEL:\n case OFPACT_SET_MPLS_TC:\n case OFPACT_SET_MPLS_TTL:\n case OFPACT_DEC_MPLS_TTL:\n case OFPACT_PUSH_MPLS:\n case OFPACT_POP_MPLS:\n case OFPACT_SET_TUNNEL:\n case OFPACT_SET_QUEUE:\n case OFPACT_POP_QUEUE:\n case OFPACT_FIN_TIMEOUT:\n case OFPACT_RESUBMIT:\n case OFPACT_LEARN:\n case OFPACT_CONJUNCTION:\n case OFPACT_MULTIPATH:\n case OFPACT_NOTE:\n case OFPACT_EXIT:\n case OFPACT_SAMPLE:\n case OFPACT_UNROLL_XLATE:\n case OFPACT_CT_CLEAR:\n case OFPACT_DEBUG_RECIRC:\n case OFPACT_DEBUG_SLOW:\n case OFPACT_METER:\n case OFPACT_CLEAR_ACTIONS:\n case OFPACT_WRITE_METADATA:\n case OFPACT_GOTO_TABLE:\n case OFPACT_NAT:\n case OFPACT_ENCAP:\n case OFPACT_DECAP:\n case OFPACT_DEC_NSH_TTL:\n return ofpact_next(ofpact);\n\n case OFPACT_CLONE:\n return ofpact_get_CLONE(ofpact)->actions;\n\n case OFPACT_CT:\n return 
ofpact_get_CT(ofpact)->actions;\n\n case OFPACT_WRITE_ACTIONS:\n return ofpact_get_WRITE_ACTIONS(ofpact)->actions;\n }\n\n OVS_NOT_REACHED();\n}", "project": "ovs", "hash": 270584464443760299695717818420543439567, "size": 71, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: 
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280782 }, { "func": "get_ofpact_map(enum ofp_version version)\n{\n /* OpenFlow 1.0 actions. */\n static const struct ofpact_map of10[] = {\n { OFPACT_OUTPUT, 0 },\n { OFPACT_SET_VLAN_VID, 1 },\n { OFPACT_SET_VLAN_PCP, 2 },\n { OFPACT_STRIP_VLAN, 3 },\n { OFPACT_SET_ETH_SRC, 4 },\n { OFPACT_SET_ETH_DST, 5 },\n { OFPACT_SET_IPV4_SRC, 6 },\n { OFPACT_SET_IPV4_DST, 7 },\n { OFPACT_SET_IP_DSCP, 8 },\n { OFPACT_SET_L4_SRC_PORT, 9 },\n { OFPACT_SET_L4_DST_PORT, 10 },\n { OFPACT_ENQUEUE, 11 },\n { 0, -1 },\n };\n\n /* OpenFlow 1.1 actions. */\n static const struct ofpact_map of11[] = {\n { OFPACT_OUTPUT, 0 },\n { OFPACT_SET_VLAN_VID, 1 },\n { OFPACT_SET_VLAN_PCP, 2 },\n { OFPACT_SET_ETH_SRC, 3 },\n { OFPACT_SET_ETH_DST, 4 },\n { OFPACT_SET_IPV4_SRC, 5 },\n { OFPACT_SET_IPV4_DST, 6 },\n { OFPACT_SET_IP_DSCP, 7 },\n { OFPACT_SET_IP_ECN, 8 },\n { OFPACT_SET_L4_SRC_PORT, 9 },\n { OFPACT_SET_L4_DST_PORT, 10 },\n /* OFPAT_COPY_TTL_OUT (11) not supported. */\n /* OFPAT_COPY_TTL_IN (12) not supported. */\n { OFPACT_SET_MPLS_LABEL, 13 },\n { OFPACT_SET_MPLS_TC, 14 },\n { OFPACT_SET_MPLS_TTL, 15 },\n { OFPACT_DEC_MPLS_TTL, 16 },\n { OFPACT_PUSH_VLAN, 17 },\n { OFPACT_STRIP_VLAN, 18 },\n { OFPACT_PUSH_MPLS, 19 },\n { OFPACT_POP_MPLS, 20 },\n { OFPACT_SET_QUEUE, 21 },\n { OFPACT_GROUP, 22 },\n { OFPACT_SET_IP_TTL, 23 },\n { OFPACT_DEC_TTL, 24 },\n { 0, -1 },\n };\n\n /* OpenFlow 1.2, 1.3, and 1.4 actions. */\n static const struct ofpact_map of12[] = {\n { OFPACT_OUTPUT, 0 },\n /* OFPAT_COPY_TTL_OUT (11) not supported. */\n /* OFPAT_COPY_TTL_IN (12) not supported. 
*/\n { OFPACT_SET_MPLS_TTL, 15 },\n { OFPACT_DEC_MPLS_TTL, 16 },\n { OFPACT_PUSH_VLAN, 17 },\n { OFPACT_STRIP_VLAN, 18 },\n { OFPACT_PUSH_MPLS, 19 },\n { OFPACT_POP_MPLS, 20 },\n { OFPACT_SET_QUEUE, 21 },\n { OFPACT_GROUP, 22 },\n { OFPACT_SET_IP_TTL, 23 },\n { OFPACT_DEC_TTL, 24 },\n { OFPACT_SET_FIELD, 25 },\n /* OF1.3+ OFPAT_PUSH_PBB (26) not supported. */\n /* OF1.3+ OFPAT_POP_PBB (27) not supported. */\n { 0, -1 },\n };\n\n switch (version) {\n case OFP10_VERSION:\n return of10;\n\n case OFP11_VERSION:\n return of11;\n\n case OFP12_VERSION:\n case OFP13_VERSION:\n case OFP14_VERSION:\n case OFP15_VERSION:\n case OFP16_VERSION:\n default:\n return of12;\n }\n}", "project": "ovs", "hash": 148792958015404001161339398486928976211, "size": 86, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse 
utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280820 }, { "func": "ofpact_outputs_to_port(const struct ofpact *ofpact, ofp_port_t port)\n{\n switch (ofpact->type) {\n case OFPACT_OUTPUT:\n return ofpact_get_OUTPUT(ofpact)->port == port;\n case OFPACT_ENQUEUE:\n return ofpact_get_ENQUEUE(ofpact)->port == port;\n case OFPACT_CONTROLLER:\n return port == OFPP_CONTROLLER;\n\n case OFPACT_OUTPUT_REG:\n case OFPACT_OUTPUT_TRUNC:\n case OFPACT_BUNDLE:\n case OFPACT_SET_VLAN_VID:\n case OFPACT_SET_VLAN_PCP:\n case OFPACT_STRIP_VLAN:\n case OFPACT_PUSH_VLAN:\n case OFPACT_SET_ETH_SRC:\n case OFPACT_SET_ETH_DST:\n case OFPACT_SET_IPV4_SRC:\n case OFPACT_SET_IPV4_DST:\n case OFPACT_SET_IP_DSCP:\n case OFPACT_SET_IP_ECN:\n case OFPACT_SET_IP_TTL:\n case OFPACT_SET_L4_SRC_PORT:\n case OFPACT_SET_L4_DST_PORT:\n case OFPACT_REG_MOVE:\n case OFPACT_SET_FIELD:\n case OFPACT_STACK_PUSH:\n case OFPACT_STACK_POP:\n case OFPACT_DEC_TTL:\n case OFPACT_SET_MPLS_LABEL:\n case OFPACT_SET_MPLS_TC:\n case OFPACT_SET_MPLS_TTL:\n case OFPACT_DEC_MPLS_TTL:\n case OFPACT_SET_TUNNEL:\n case OFPACT_WRITE_METADATA:\n case OFPACT_SET_QUEUE:\n case OFPACT_POP_QUEUE:\n case OFPACT_FIN_TIMEOUT:\n case OFPACT_RESUBMIT:\n case OFPACT_LEARN:\n case OFPACT_CONJUNCTION:\n case OFPACT_MULTIPATH:\n case OFPACT_NOTE:\n case 
OFPACT_EXIT:\n case OFPACT_UNROLL_XLATE:\n case OFPACT_PUSH_MPLS:\n case OFPACT_POP_MPLS:\n case OFPACT_SAMPLE:\n case OFPACT_CLEAR_ACTIONS:\n case OFPACT_CLONE:\n case OFPACT_WRITE_ACTIONS:\n case OFPACT_GOTO_TABLE:\n case OFPACT_METER:\n case OFPACT_GROUP:\n case OFPACT_DEBUG_RECIRC:\n case OFPACT_DEBUG_SLOW:\n case OFPACT_CT:\n case OFPACT_CT_CLEAR:\n case OFPACT_NAT:\n case OFPACT_ENCAP:\n case OFPACT_DECAP:\n case OFPACT_DEC_NSH_TTL:\n default:\n return false;\n }\n}", "project": "ovs", "hash": 11328785797183743266453075865538042914, "size": 68, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main 
utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280839 }, { "func": "action_set_classify(const struct ofpact *a)\n{\n switch (a->type) {\n#define SLOT(OFPACT) case OFPACT: return ACTION_SLOT_##OFPACT;\n ACTION_SET_ORDER\n#undef SLOT\n\n#define FINAL(OFPACT) case OFPACT: return ACTION_SLOT_##OFPACT;\n ACTION_SET_FINAL_PRIORITY\n#undef FINAL\n\n case OFPACT_SET_FIELD:\n case OFPACT_REG_MOVE:\n case OFPACT_SET_ETH_DST:\n case OFPACT_SET_ETH_SRC:\n case OFPACT_SET_IP_DSCP:\n case OFPACT_SET_IP_ECN:\n case OFPACT_SET_IP_TTL:\n case OFPACT_SET_IPV4_DST:\n case OFPACT_SET_IPV4_SRC:\n case OFPACT_SET_L4_DST_PORT:\n case OFPACT_SET_L4_SRC_PORT:\n case OFPACT_SET_MPLS_LABEL:\n case OFPACT_SET_MPLS_TC:\n case OFPACT_SET_MPLS_TTL:\n case OFPACT_SET_QUEUE:\n case OFPACT_SET_TUNNEL:\n case OFPACT_SET_VLAN_PCP:\n case OFPACT_SET_VLAN_VID:\n return ACTION_SLOT_SET_OR_MOVE;\n\n case OFPACT_BUNDLE:\n case OFPACT_CLEAR_ACTIONS:\n case OFPACT_CLONE:\n case OFPACT_NAT:\n case OFPACT_CONTROLLER:\n case OFPACT_ENQUEUE:\n case OFPACT_EXIT:\n case OFPACT_UNROLL_XLATE:\n case OFPACT_FIN_TIMEOUT:\n case OFPACT_GOTO_TABLE:\n case OFPACT_LEARN:\n case OFPACT_CONJUNCTION:\n case OFPACT_METER:\n case OFPACT_MULTIPATH:\n case OFPACT_NOTE:\n case OFPACT_OUTPUT_REG:\n case OFPACT_OUTPUT_TRUNC:\n case OFPACT_POP_QUEUE:\n case OFPACT_SAMPLE:\n case OFPACT_STACK_POP:\n case OFPACT_STACK_PUSH:\n case OFPACT_WRITE_ACTIONS:\n case OFPACT_WRITE_METADATA:\n case OFPACT_DEBUG_RECIRC:\n case OFPACT_DEBUG_SLOW:\n 
return ACTION_SLOT_INVALID;\n\n default:\n OVS_NOT_REACHED();\n }\n}", "project": "ovs", "hash": 279949624032618215871901731428501473123, "size": 62, "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3", "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of 
generic encap and decap\")\nAcked-by: William Tu \nSigned-off-by: Ilya Maximets ", "target": 0, "dataset": "other", "idx": 280852 }, { "func": "static const char *h2_ss_str(h2_stream_state_t state)\n{\n switch (state) {\n case H2_SS_IDLE:\n return \"IDLE\";\n case H2_SS_RSVD_L:\n return \"RESERVED_LOCAL\";\n case H2_SS_RSVD_R:\n return \"RESERVED_REMOTE\";\n case H2_SS_OPEN:\n return \"OPEN\";\n case H2_SS_CLOSED_L:\n return \"HALF_CLOSED_LOCAL\";\n case H2_SS_CLOSED_R:\n return \"HALF_CLOSED_REMOTE\";\n case H2_SS_CLOSED:\n return \"CLOSED\";\n case H2_SS_CLEANUP:\n return \"CLEANUP\";\n default:\n return \"UNKNOWN\";\n }\n}", "project": "httpd", "hash": 313021249549311209159738120959390726992, "size": 23, "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244", "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68", "target": 0, "dataset": "other", "idx": 284254 }, { "func": "calc_next (void *extra, bin_tree_t *node)\n{\n switch (node->token.type)\n {\n case OP_DUP_ASTERISK:\n node->left->next = node;\n break;\n case CONCAT:\n node->left->next = node->right->first;\n node->right->next = node->next;\n break;\n default:\n if (node->left)\n\tnode->left->next = node->next;\n if (node->right)\n\tnode->right->next = node->next;\n break;\n }\n return REG_NOERROR;\n}", "project": "gnulib", "hash": 62955518754046858564731953289784306824, "size": 20, "commit_id": "5513b40999149090987a0341c018d05d3eea1272", "message": "Diagnose ERE '()|\\1'\n\nProblem reported by Hanno Böck in: http://bugs.gnu.org/21513\n* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep\ntrack of the set of previously-completed subexpressions available\nbefore the first alternative, and restore this set just before\nparsing each subsequent alternative. 
This lets us diagnose the\ninvalid back-reference in the ERE '()|\\1'.", "target": 0, "dataset": "other", "idx": 285533 }, { "func": "optimize_utf8 (re_dfa_t *dfa)\n{\n Idx node;\n int i;\n bool mb_chars = false;\n bool has_period = false;\n\n for (node = 0; node < dfa->nodes_len; ++node)\n switch (dfa->nodes[node].type)\n {\n case CHARACTER:\n\tif (dfa->nodes[node].opr.c >= ASCII_CHARS)\n\t mb_chars = true;\n\tbreak;\n case ANCHOR:\n\tswitch (dfa->nodes[node].opr.ctx_type)\n\t {\n\t case LINE_FIRST:\n\t case LINE_LAST:\n\t case BUF_FIRST:\n\t case BUF_LAST:\n\t break;\n\t default:\n\t /* Word anchors etc. cannot be handled. It's okay to test\n\t opr.ctx_type since constraints (for all DFA nodes) are\n\t created by ORing one or more opr.ctx_type values. */\n\t return;\n\t }\n\tbreak;\n case OP_PERIOD:\n\thas_period = true;\n\tbreak;\n case OP_BACK_REF:\n case OP_ALT:\n case END_OF_RE:\n case OP_DUP_ASTERISK:\n case OP_OPEN_SUBEXP:\n case OP_CLOSE_SUBEXP:\n\tbreak;\n case COMPLEX_BRACKET:\n\treturn;\n case SIMPLE_BRACKET:\n\t/* Just double check. */\n\t{\n\t int rshift = (ASCII_CHARS % BITSET_WORD_BITS == 0\n\t\t\t? 0\n\t\t\t: BITSET_WORD_BITS - ASCII_CHARS % BITSET_WORD_BITS);\n\t for (i = ASCII_CHARS / BITSET_WORD_BITS; i < BITSET_WORDS; ++i)\n\t {\n\t if (dfa->nodes[node].opr.sbcset[i] >> rshift != 0)\n\t\treturn;\n\t rshift = 0;\n\t }\n\t}\n\tbreak;\n default:\n\tabort ();\n }\n\n if (mb_chars || has_period)\n for (node = 0; node < dfa->nodes_len; ++node)\n {\n\tif (dfa->nodes[node].type == CHARACTER\n\t && dfa->nodes[node].opr.c >= ASCII_CHARS)\n\t dfa->nodes[node].mb_partial = 0;\n\telse if (dfa->nodes[node].type == OP_PERIOD)\n\t dfa->nodes[node].type = OP_UTF8_PERIOD;\n }\n\n /* The search can be in single byte locale. 
*/\n dfa->mb_cur_max = 1;\n dfa->is_utf8 = 0;\n dfa->has_mb_node = dfa->nbackref > 0 || has_period;\n}", "project": "gnulib", "hash": 292279800397329491018869297184523476137, "size": 74, "commit_id": "5513b40999149090987a0341c018d05d3eea1272", "message": "Diagnose ERE '()|\\1'\n\nProblem reported by Hanno Böck in: http://bugs.gnu.org/21513\n* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep\ntrack of the set of previously-completed subexpressions available\nbefore the first alternative, and restore this set just before\nparsing each subsequent alternative. This lets us diagnose the\ninvalid back-reference in the ERE '()|\\1'.", "target": 0, "dataset": "other", "idx": 285542 }, { "func": "link_nfa_nodes (void *extra, bin_tree_t *node)\n{\n re_dfa_t *dfa = (re_dfa_t *) extra;\n Idx idx = node->node_idx;\n reg_errcode_t err = REG_NOERROR;\n\n switch (node->token.type)\n {\n case CONCAT:\n break;\n\n case END_OF_RE:\n assert (node->next == NULL);\n break;\n\n case OP_DUP_ASTERISK:\n case OP_ALT:\n {\n\tIdx left, right;\n\tdfa->has_plural_match = 1;\n\tif (node->left != NULL)\n\t left = node->left->first->node_idx;\n\telse\n\t left = node->next->node_idx;\n\tif (node->right != NULL)\n\t right = node->right->first->node_idx;\n\telse\n\t right = node->next->node_idx;\n\tassert (REG_VALID_INDEX (left));\n\tassert (REG_VALID_INDEX (right));\n\terr = re_node_set_init_2 (dfa->edests + idx, left, right);\n }\n break;\n\n case ANCHOR:\n case OP_OPEN_SUBEXP:\n case OP_CLOSE_SUBEXP:\n err = re_node_set_init_1 (dfa->edests + idx, node->next->node_idx);\n break;\n\n case OP_BACK_REF:\n dfa->nexts[idx] = node->next->node_idx;\n if (node->token.type == OP_BACK_REF)\n\terr = re_node_set_init_1 (dfa->edests + idx, dfa->nexts[idx]);\n break;\n\n default:\n assert (!IS_EPSILON_NODE (node->token.type));\n dfa->nexts[idx] = node->next->node_idx;\n break;\n }\n\n return err;\n}", "project": "gnulib", "hash": 242083062443900500666911230342059751429, "size": 54, "commit_id": 
"5513b40999149090987a0341c018d05d3eea1272", "message": "Diagnose ERE '()|\\1'\n\nProblem reported by Hanno Böck in: http://bugs.gnu.org/21513\n* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep\ntrack of the set of previously-completed subexpressions available\nbefore the first alternative, and restore this set just before\nparsing each subsequent alternative. This lets us diagnose the\ninvalid back-reference in the ERE '()|\\1'.", "target": 0, "dataset": "other", "idx": 285560 }, { "func": "parse_expression (re_string_t *regexp, regex_t *preg, re_token_t *token,\n\t\t reg_syntax_t syntax, Idx nest, reg_errcode_t *err)\n{\n re_dfa_t *dfa = preg->buffer;\n bin_tree_t *tree;\n switch (token->type)\n {\n case CHARACTER:\n tree = create_token_tree (dfa, NULL, NULL, token);\n if (BE (tree == NULL, 0))\n\t{\n\t *err = REG_ESPACE;\n\t return NULL;\n\t}\n#ifdef RE_ENABLE_I18N\n if (dfa->mb_cur_max > 1)\n\t{\n\t while (!re_string_eoi (regexp)\n\t\t && !re_string_first_byte (regexp, re_string_cur_idx (regexp)))\n\t {\n\t bin_tree_t *mbc_remain;\n\t fetch_token (token, regexp, syntax);\n\t mbc_remain = create_token_tree (dfa, NULL, NULL, token);\n\t tree = create_tree (dfa, tree, mbc_remain, CONCAT);\n\t if (BE (mbc_remain == NULL || tree == NULL, 0))\n\t\t{\n\t\t *err = REG_ESPACE;\n\t\t return NULL;\n\t\t}\n\t }\n\t}\n#endif\n break;\n case OP_OPEN_SUBEXP:\n tree = parse_sub_exp (regexp, preg, token, syntax, nest + 1, err);\n if (BE (*err != REG_NOERROR && tree == NULL, 0))\n\treturn NULL;\n break;\n case OP_OPEN_BRACKET:\n tree = parse_bracket_exp (regexp, dfa, token, syntax, err);\n if (BE (*err != REG_NOERROR && tree == NULL, 0))\n\treturn NULL;\n break;\n case OP_BACK_REF:\n if (!BE (dfa->completed_bkref_map & (1 << token->opr.idx), 1))\n\t{\n\t *err = REG_ESUBREG;\n\t return NULL;\n\t}\n dfa->used_bkref_map |= 1 << token->opr.idx;\n tree = create_token_tree (dfa, NULL, NULL, token);\n if (BE (tree == NULL, 0))\n\t{\n\t *err = REG_ESPACE;\n\t return 
NULL;\n\t}\n ++dfa->nbackref;\n dfa->has_mb_node = 1;\n break;\n case OP_OPEN_DUP_NUM:\n if (syntax & RE_CONTEXT_INVALID_DUP)\n\t{\n\t *err = REG_BADRPT;\n\t return NULL;\n\t}\n /* FALLTHROUGH */\n case OP_DUP_ASTERISK:\n case OP_DUP_PLUS:\n case OP_DUP_QUESTION:\n if (syntax & RE_CONTEXT_INVALID_OPS)\n\t{\n\t *err = REG_BADRPT;\n\t return NULL;\n\t}\n else if (syntax & RE_CONTEXT_INDEP_OPS)\n\t{\n\t fetch_token (token, regexp, syntax);\n\t return parse_expression (regexp, preg, token, syntax, nest, err);\n\t}\n /* else fall through */\n case OP_CLOSE_SUBEXP:\n if ((token->type == OP_CLOSE_SUBEXP) &&\n\t !(syntax & RE_UNMATCHED_RIGHT_PAREN_ORD))\n\t{\n\t *err = REG_ERPAREN;\n\t return NULL;\n\t}\n /* else fall through */\n case OP_CLOSE_DUP_NUM:\n /* We treat it as a normal character. */\n\n /* Then we can these characters as normal characters. */\n token->type = CHARACTER;\n /* mb_partial and word_char bits should be initialized already\n\t by peek_token. */\n tree = create_token_tree (dfa, NULL, NULL, token);\n if (BE (tree == NULL, 0))\n\t{\n\t *err = REG_ESPACE;\n\t return NULL;\n\t}\n break;\n case ANCHOR:\n if ((token->opr.ctx_type\n\t & (WORD_DELIM | NOT_WORD_DELIM | WORD_FIRST | WORD_LAST))\n\t && dfa->word_ops_used == 0)\n\tinit_word_char (dfa);\n if (token->opr.ctx_type == WORD_DELIM\n\t || token->opr.ctx_type == NOT_WORD_DELIM)\n\t{\n\t bin_tree_t *tree_first, *tree_last;\n\t if (token->opr.ctx_type == WORD_DELIM)\n\t {\n\t token->opr.ctx_type = WORD_FIRST;\n\t tree_first = create_token_tree (dfa, NULL, NULL, token);\n\t token->opr.ctx_type = WORD_LAST;\n\t }\n\t else\n\t {\n\t token->opr.ctx_type = INSIDE_WORD;\n\t tree_first = create_token_tree (dfa, NULL, NULL, token);\n\t token->opr.ctx_type = INSIDE_NOTWORD;\n\t }\n\t tree_last = create_token_tree (dfa, NULL, NULL, token);\n\t tree = create_tree (dfa, tree_first, tree_last, OP_ALT);\n\t if (BE (tree_first == NULL || tree_last == NULL || tree == NULL, 0))\n\t {\n\t *err = REG_ESPACE;\n\t return 
NULL;\n\t }\n\t}\n else\n\t{\n\t tree = create_token_tree (dfa, NULL, NULL, token);\n\t if (BE (tree == NULL, 0))\n\t {\n\t *err = REG_ESPACE;\n\t return NULL;\n\t }\n\t}\n /* We must return here, since ANCHORs can't be followed\n\t by repetition operators.\n\t eg. RE\"^*\" is invalid or \"\",\n\t it must not be \"\". */\n fetch_token (token, regexp, syntax);\n return tree;\n case OP_PERIOD:\n tree = create_token_tree (dfa, NULL, NULL, token);\n if (BE (tree == NULL, 0))\n\t{\n\t *err = REG_ESPACE;\n\t return NULL;\n\t}\n if (dfa->mb_cur_max > 1)\n\tdfa->has_mb_node = 1;\n break;\n case OP_WORD:\n case OP_NOTWORD:\n tree = build_charclass_op (dfa, regexp->trans,\n\t\t\t\t \"alnum\",\n\t\t\t\t \"_\",\n\t\t\t\t token->type == OP_NOTWORD, err);\n if (BE (*err != REG_NOERROR && tree == NULL, 0))\n\treturn NULL;\n break;\n case OP_SPACE:\n case OP_NOTSPACE:\n tree = build_charclass_op (dfa, regexp->trans,\n\t\t\t\t \"space\",\n\t\t\t\t \"\",\n\t\t\t\t token->type == OP_NOTSPACE, err);\n if (BE (*err != REG_NOERROR && tree == NULL, 0))\n\treturn NULL;\n break;\n case OP_ALT:\n case END_OF_RE:\n return NULL;\n case BACK_SLASH:\n *err = REG_EESCAPE;\n return NULL;\n default:\n /* Must not happen? */\n#ifdef DEBUG\n assert (0);\n#endif\n return NULL;\n }\n fetch_token (token, regexp, syntax);\n\n while (token->type == OP_DUP_ASTERISK || token->type == OP_DUP_PLUS\n\t || token->type == OP_DUP_QUESTION || token->type == OP_OPEN_DUP_NUM)\n {\n bin_tree_t *dup_tree = parse_dup_op (tree, regexp, dfa, token,\n\t\t\t\t\t syntax, err);\n if (BE (*err != REG_NOERROR && dup_tree == NULL, 0))\n\t{\n\t if (tree != NULL)\n\t postorder (tree, free_tree, NULL);\n\t return NULL;\n\t}\n tree = dup_tree;\n /* In BRE consecutive duplications are not allowed. 
*/\n if ((syntax & RE_CONTEXT_INVALID_DUP)\n\t && (token->type == OP_DUP_ASTERISK\n\t || token->type == OP_OPEN_DUP_NUM))\n\t{\n\t if (tree != NULL)\n\t postorder (tree, free_tree, NULL);\n\t *err = REG_BADRPT;\n\t return NULL;\n\t}\n }\n\n return tree;\n}", "project": "gnulib", "hash": 115160071702512889418198944173631187070, "size": 215, "commit_id": "5513b40999149090987a0341c018d05d3eea1272", "message": "Diagnose ERE '()|\\1'\n\nProblem reported by Hanno Böck in: http://bugs.gnu.org/21513\n* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep\ntrack of the set of previously-completed subexpressions available\nbefore the first alternative, and restore this set just before\nparsing each subsequent alternative. This lets us diagnose the\ninvalid back-reference in the ERE '()|\\1'.", "target": 0, "dataset": "other", "idx": 285579 }, { "func": "check_hostname_unix (guestfs_h *g, struct inspect_fs *fs)\n{\n switch (fs->type) {\n case OS_TYPE_LINUX:\n case OS_TYPE_HURD:\n /* Red Hat-derived would be in /etc/sysconfig/network or\n * /etc/hostname (RHEL 7+, F18+). Debian-derived in the file\n * /etc/hostname. 
Very old Debian and SUSE use /etc/HOSTNAME.\n * It's best to just look for each of these files in turn, rather\n * than try anything clever based on distro.\n */\n if (guestfs_is_file (g, \"/etc/HOSTNAME\")) {\n fs->hostname = guestfs___first_line_of_file (g, \"/etc/HOSTNAME\");\n if (fs->hostname == NULL)\n return -1;\n if (STREQ (fs->hostname, \"\")) {\n free (fs->hostname);\n fs->hostname = NULL;\n }\n }\n\n if (!fs->hostname && guestfs_is_file (g, \"/etc/hostname\")) {\n fs->hostname = guestfs___first_line_of_file (g, \"/etc/hostname\");\n if (fs->hostname == NULL)\n return -1;\n if (STREQ (fs->hostname, \"\")) {\n free (fs->hostname);\n fs->hostname = NULL;\n }\n }\n\n if (!fs->hostname && guestfs_is_file (g, \"/etc/sysconfig/network\")) {\n const char *configfiles[] = { \"/etc/sysconfig/network\", NULL };\n if (inspect_with_augeas (g, fs, configfiles,\n check_hostname_redhat) == -1)\n return -1;\n }\n break;\n\n case OS_TYPE_FREEBSD:\n case OS_TYPE_NETBSD:\n /* /etc/rc.conf contains the hostname, but there is no Augeas lens\n * for this file.\n */\n if (guestfs_is_file (g, \"/etc/rc.conf\")) {\n if (check_hostname_freebsd (g, fs) == -1)\n return -1;\n }\n break;\n\n case OS_TYPE_WINDOWS: /* not here, see check_windows_system_registry */\n case OS_TYPE_DOS:\n case OS_TYPE_OPENBSD:\n case OS_TYPE_UNKNOWN:\n /* nothing */;\n }\n\n return 0;\n}", "project": "libguestfs", "hash": 101244692105134796811595758476571336674, "size": 59, "commit_id": "ae8bb84ecd46d7b6ef557a87725923ac8d09dce0", "message": "inspection: Don't segfault if /etc/SuSE-release is an empty file.\n\nRelated to CVE-2013-2124.\n\nThanks: Olaf Hering.", "target": 0, "dataset": "other", "idx": 293588 }, { "func": "rfbProcessClientMessage(rfbClientPtr cl)\n{\n switch (cl->state) {\n case RFB_PROTOCOL_VERSION:\n rfbProcessClientProtocolVersion(cl);\n return;\n case RFB_SECURITY_TYPE:\n rfbProcessClientSecurityType(cl);\n return;\n case RFB_AUTHENTICATION:\n rfbAuthProcessClientMessage(cl);\n return;\n 
case RFB_INITIALISATION:\n case RFB_INITIALISATION_SHARED:\n rfbProcessClientInitMessage(cl);\n return;\n default:\n rfbProcessClientNormalMessage(cl);\n return;\n }\n}", "project": "libvncserver", "hash": 138357018458400853661411763452388684012, "size": 21, "commit_id": "673c07a75ed844d74676f3ccdcfdc706a7052dba", "message": "libvncserver/rfbserver: fix possible divide-by-zero\n\nCloses #409", "target": 0, "dataset": "other", "idx": 295850 }, { "func": "rfbProcessClientNormalMessage(rfbClientPtr cl)\n{\n int n=0;\n rfbClientToServerMsg msg;\n char *str;\n int i;\n uint32_t enc=0;\n uint32_t lastPreferredEncoding = -1;\n char encBuf[64];\n char encBuf2[64];\n rfbExtDesktopScreen *extDesktopScreens;\n rfbClientIteratorPtr iterator;\n rfbClientPtr clp;\n\n if ((n = rfbReadExact(cl, (char *)&msg, 1)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n rfbCloseClient(cl);\n return;\n }\n\n switch (msg.type) {\n\n case rfbSetPixelFormat:\n\n if ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n sz_rfbSetPixelFormatMsg - 1)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n rfbCloseClient(cl);\n return;\n }\n\n cl->format.bitsPerPixel = msg.spf.format.bitsPerPixel;\n cl->format.depth = msg.spf.format.depth;\n cl->format.bigEndian = (msg.spf.format.bigEndian ? TRUE : FALSE);\n cl->format.trueColour = (msg.spf.format.trueColour ? 
TRUE : FALSE);\n cl->format.redMax = Swap16IfLE(msg.spf.format.redMax);\n cl->format.greenMax = Swap16IfLE(msg.spf.format.greenMax);\n cl->format.blueMax = Swap16IfLE(msg.spf.format.blueMax);\n cl->format.redShift = msg.spf.format.redShift;\n cl->format.greenShift = msg.spf.format.greenShift;\n cl->format.blueShift = msg.spf.format.blueShift;\n\n\tcl->readyForSetColourMapEntries = TRUE;\n cl->screen->setTranslateFunction(cl);\n\n rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetPixelFormatMsg, sz_rfbSetPixelFormatMsg);\n\n return;\n\n\n case rfbFixColourMapEntries:\n if ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n sz_rfbFixColourMapEntriesMsg - 1)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n rfbCloseClient(cl);\n return;\n }\n rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetPixelFormatMsg, sz_rfbSetPixelFormatMsg);\n rfbLog(\"rfbProcessClientNormalMessage: %s\",\n \"FixColourMapEntries unsupported\\n\");\n rfbCloseClient(cl);\n return;\n\n\n /* NOTE: Some clients send us a set of encodings (ie: PointerPos) designed to enable/disable features...\n * We may want to look into this...\n * Example:\n * case rfbEncodingXCursor:\n * cl->enableCursorShapeUpdates = TRUE;\n *\n * Currently: cl->enableCursorShapeUpdates can *never* be turned off...\n */\n case rfbSetEncodings:\n {\n\n if ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n sz_rfbSetEncodingsMsg - 1)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n rfbCloseClient(cl);\n return;\n }\n\n msg.se.nEncodings = Swap16IfLE(msg.se.nEncodings);\n\n rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetEncodingsMsg+(msg.se.nEncodings*4),sz_rfbSetEncodingsMsg+(msg.se.nEncodings*4));\n\n /*\n * UltraVNC Client has the ability to adapt to changing network environments\n * So, let's give it a change to tell us what it wants now!\n */\n if (cl->preferredEncoding!=-1)\n lastPreferredEncoding = cl->preferredEncoding;\n\n /* Reset all flags to defaults (allows us to switch 
between PointerPos and Server Drawn Cursors) */\n cl->preferredEncoding=-1;\n cl->useCopyRect = FALSE;\n cl->useNewFBSize = FALSE;\n cl->useExtDesktopSize = FALSE;\n cl->cursorWasChanged = FALSE;\n cl->useRichCursorEncoding = FALSE;\n cl->enableCursorPosUpdates = FALSE;\n cl->enableCursorShapeUpdates = FALSE;\n cl->enableCursorShapeUpdates = FALSE;\n cl->enableLastRectEncoding = FALSE;\n cl->enableKeyboardLedState = FALSE;\n cl->enableSupportedMessages = FALSE;\n cl->enableSupportedEncodings = FALSE;\n cl->enableServerIdentity = FALSE;\n#if defined(LIBVNCSERVER_HAVE_LIBZ) || defined(LIBVNCSERVER_HAVE_LIBPNG)\n cl->tightQualityLevel = -1;\n#ifdef LIBVNCSERVER_HAVE_LIBJPEG\n cl->tightCompressLevel = TIGHT_DEFAULT_COMPRESSION;\n cl->turboSubsampLevel = TURBO_DEFAULT_SUBSAMP;\n cl->turboQualityLevel = -1;\n#endif\n#endif\n\n\n for (i = 0; i < msg.se.nEncodings; i++) {\n if ((n = rfbReadExact(cl, (char *)&enc, 4)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n rfbCloseClient(cl);\n return;\n }\n enc = Swap32IfLE(enc);\n\n switch (enc) {\n\n case rfbEncodingCopyRect:\n\t\tcl->useCopyRect = TRUE;\n break;\n case rfbEncodingRaw:\n case rfbEncodingRRE:\n case rfbEncodingCoRRE:\n case rfbEncodingHextile:\n case rfbEncodingUltra:\n#ifdef LIBVNCSERVER_HAVE_LIBZ\n\t case rfbEncodingZlib:\n case rfbEncodingZRLE:\n case rfbEncodingZYWRLE:\n#ifdef LIBVNCSERVER_HAVE_LIBJPEG\n\t case rfbEncodingTight:\n#endif\n#endif\n#ifdef LIBVNCSERVER_HAVE_LIBPNG\n\t case rfbEncodingTightPng:\n#endif\n /* The first supported encoding is the 'preferred' encoding */\n if (cl->preferredEncoding == -1)\n cl->preferredEncoding = enc;\n\n\n break;\n\t case rfbEncodingXCursor:\n\t\tif(!cl->screen->dontConvertRichCursorToXCursor) {\n\t\t rfbLog(\"Enabling X-style cursor updates for client %s\\n\",\n\t\t\t cl->host);\n\t\t /* if cursor was drawn, hide the cursor */\n\t\t if(!cl->enableCursorShapeUpdates)\n\t\t rfbRedrawAfterHideCursor(cl,NULL);\n\n\t\t 
cl->enableCursorShapeUpdates = TRUE;\n\t\t cl->cursorWasChanged = TRUE;\n\t\t}\n\t\tbreak;\n\t case rfbEncodingRichCursor:\n\t rfbLog(\"Enabling full-color cursor updates for client %s\\n\",\n\t\t cl->host);\n\t\t/* if cursor was drawn, hide the cursor */\n\t\tif(!cl->enableCursorShapeUpdates)\n\t\t rfbRedrawAfterHideCursor(cl,NULL);\n\n\t cl->enableCursorShapeUpdates = TRUE;\n\t cl->useRichCursorEncoding = TRUE;\n\t cl->cursorWasChanged = TRUE;\n\t break;\n\t case rfbEncodingPointerPos:\n\t\tif (!cl->enableCursorPosUpdates) {\n\t\t rfbLog(\"Enabling cursor position updates for client %s\\n\",\n\t\t\t cl->host);\n\t\t cl->enableCursorPosUpdates = TRUE;\n\t\t cl->cursorWasMoved = TRUE;\n\t\t}\n\t break;\n\t case rfbEncodingLastRect:\n\t\tif (!cl->enableLastRectEncoding) {\n\t\t rfbLog(\"Enabling LastRect protocol extension for client \"\n\t\t\t \"%s\\n\", cl->host);\n\t\t cl->enableLastRectEncoding = TRUE;\n\t\t}\n\t\tbreak;\n\t case rfbEncodingNewFBSize:\n\t\tif (!cl->useNewFBSize) {\n\t\t rfbLog(\"Enabling NewFBSize protocol extension for client \"\n\t\t\t \"%s\\n\", cl->host);\n\t\t cl->useNewFBSize = TRUE;\n\t\t}\n\t\tbreak;\n case rfbEncodingExtDesktopSize:\n if (!cl->useExtDesktopSize) {\n rfbLog(\"Enabling ExtDesktopSize protocol extension for client \"\n \"%s\\n\", cl->host);\n cl->useExtDesktopSize = TRUE;\n cl->useNewFBSize = TRUE;\n }\n break;\n case rfbEncodingKeyboardLedState:\n if (!cl->enableKeyboardLedState) {\n rfbLog(\"Enabling KeyboardLedState protocol extension for client \"\n \"%s\\n\", cl->host);\n cl->enableKeyboardLedState = TRUE;\n }\n break; \n case rfbEncodingSupportedMessages:\n if (!cl->enableSupportedMessages) {\n rfbLog(\"Enabling SupportedMessages protocol extension for client \"\n \"%s\\n\", cl->host);\n cl->enableSupportedMessages = TRUE;\n }\n break; \n case rfbEncodingSupportedEncodings:\n if (!cl->enableSupportedEncodings) {\n rfbLog(\"Enabling SupportedEncodings protocol extension for client \"\n \"%s\\n\", cl->host);\n 
cl->enableSupportedEncodings = TRUE;\n }\n break; \n case rfbEncodingServerIdentity:\n if (!cl->enableServerIdentity) {\n rfbLog(\"Enabling ServerIdentity protocol extension for client \"\n \"%s\\n\", cl->host);\n cl->enableServerIdentity = TRUE;\n }\n break;\n case rfbEncodingXvp:\n if (cl->screen->xvpHook) {\n rfbLog(\"Enabling Xvp protocol extension for client \"\n \"%s\\n\", cl->host);\n if (!rfbSendXvp(cl, 1, rfbXvp_Init)) {\n rfbCloseClient(cl);\n return;\n }\n }\n break;\n default:\n#if defined(LIBVNCSERVER_HAVE_LIBZ) || defined(LIBVNCSERVER_HAVE_LIBPNG)\n\t\tif ( enc >= (uint32_t)rfbEncodingCompressLevel0 &&\n\t\t enc <= (uint32_t)rfbEncodingCompressLevel9 ) {\n\t\t cl->zlibCompressLevel = enc & 0x0F;\n#ifdef LIBVNCSERVER_HAVE_LIBJPEG\n\t\t cl->tightCompressLevel = enc & 0x0F;\n\t\t rfbLog(\"Using compression level %d for client %s\\n\",\n\t\t\t cl->tightCompressLevel, cl->host);\n#endif\n\t\t} else if ( enc >= (uint32_t)rfbEncodingQualityLevel0 &&\n\t\t\t enc <= (uint32_t)rfbEncodingQualityLevel9 ) {\n\t\t cl->tightQualityLevel = enc & 0x0F;\n\t\t rfbLog(\"Using image quality level %d for client %s\\n\",\n\t\t\t cl->tightQualityLevel, cl->host);\n#ifdef LIBVNCSERVER_HAVE_LIBJPEG\n\t\t cl->turboQualityLevel = tight2turbo_qual[enc & 0x0F];\n\t\t cl->turboSubsampLevel = tight2turbo_subsamp[enc & 0x0F];\n\t\t rfbLog(\"Using JPEG subsampling %d, Q%d for client %s\\n\",\n\t\t\t cl->turboSubsampLevel, cl->turboQualityLevel, cl->host);\n\t\t} else if ( enc >= (uint32_t)rfbEncodingFineQualityLevel0 + 1 &&\n\t\t\t enc <= (uint32_t)rfbEncodingFineQualityLevel100 ) {\n\t\t cl->turboQualityLevel = enc & 0xFF;\n\t\t rfbLog(\"Using fine quality level %d for client %s\\n\",\n\t\t\t cl->turboQualityLevel, cl->host);\n\t\t} else if ( enc >= (uint32_t)rfbEncodingSubsamp1X &&\n\t\t\t enc <= (uint32_t)rfbEncodingSubsampGray ) {\n\t\t cl->turboSubsampLevel = enc & 0xFF;\n\t\t rfbLog(\"Using subsampling level %d for client %s\\n\",\n\t\t\t cl->turboSubsampLevel, 
cl->host);\n#endif\n\t\t} else\n#endif\n\t\t{\n\t\t\trfbExtensionData* e;\n\t\t\tfor(e = cl->extensions; e;) {\n\t\t\t\trfbExtensionData* next = e->next;\n\t\t\t\tif(e->extension->enablePseudoEncoding &&\n\t\t\t\t\te->extension->enablePseudoEncoding(cl,\n\t\t\t\t\t\t&e->data, (int)enc))\n\t\t\t\t\t/* ext handles this encoding */\n\t\t\t\t\tbreak;\n\t\t\t\te = next;\n\t\t\t}\n\t\t\tif(e == NULL) {\n\t\t\t\trfbBool handled = FALSE;\n\t\t\t\t/* if the pseudo encoding is not handled by the\n\t\t\t\t enabled extensions, search through all\n\t\t\t\t extensions. */\n\t\t\t\trfbProtocolExtension* e;\n\n\t\t\t\tfor(e = rfbGetExtensionIterator(); e;) {\n\t\t\t\t\tint* encs = e->pseudoEncodings;\n\t\t\t\t\twhile(encs && *encs!=0) {\n\t\t\t\t\t\tif(*encs==(int)enc) {\n\t\t\t\t\t\t\tvoid* data = NULL;\n\t\t\t\t\t\t\tif(!e->enablePseudoEncoding(cl, &data, (int)enc)) {\n\t\t\t\t\t\t\t\trfbLog(\"Installed extension pretends to handle pseudo encoding 0x%x, but does not!\\n\",(int)enc);\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\trfbEnableExtension(cl, e, data);\n\t\t\t\t\t\t\t\thandled = TRUE;\n\t\t\t\t\t\t\t\te = NULL;\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tencs++;\n\t\t\t\t\t}\n\n\t\t\t\t\tif(e)\n\t\t\t\t\t\te = e->next;\n\t\t\t\t}\n\t\t\t\trfbReleaseExtensionIterator();\n\n\t\t\t\tif(!handled)\n\t\t\t\t\trfbLog(\"rfbProcessClientNormalMessage: \"\n\t\t\t\t\t \"ignoring unsupported encoding type %s\\n\",\n\t\t\t\t\t encodingName(enc,encBuf,sizeof(encBuf)));\n\t\t\t}\n\t\t}\n }\n }\n\n\n\n if (cl->preferredEncoding == -1) {\n if (lastPreferredEncoding==-1) {\n cl->preferredEncoding = rfbEncodingRaw;\n rfbLog(\"Defaulting to %s encoding for client %s\\n\", encodingName(cl->preferredEncoding,encBuf,sizeof(encBuf)),cl->host);\n }\n else {\n cl->preferredEncoding = lastPreferredEncoding;\n rfbLog(\"Sticking with %s encoding for client %s\\n\", encodingName(cl->preferredEncoding,encBuf,sizeof(encBuf)),cl->host);\n }\n }\n else\n {\n if 
(lastPreferredEncoding==-1) {\n rfbLog(\"Using %s encoding for client %s\\n\", encodingName(cl->preferredEncoding,encBuf,sizeof(encBuf)),cl->host);\n } else {\n rfbLog(\"Switching from %s to %s Encoding for client %s\\n\", \n encodingName(lastPreferredEncoding,encBuf2,sizeof(encBuf2)),\n encodingName(cl->preferredEncoding,encBuf,sizeof(encBuf)), cl->host);\n }\n }\n \n\tif (cl->enableCursorPosUpdates && !cl->enableCursorShapeUpdates) {\n\t rfbLog(\"Disabling cursor position updates for client %s\\n\",\n\t\t cl->host);\n\t cl->enableCursorPosUpdates = FALSE;\n\t}\n\n return;\n }\n\n\n case rfbFramebufferUpdateRequest:\n {\n sraRegionPtr tmpRegion;\n\n if ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n sz_rfbFramebufferUpdateRequestMsg-1)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n rfbCloseClient(cl);\n return;\n }\n\n rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbFramebufferUpdateRequestMsg,sz_rfbFramebufferUpdateRequestMsg);\n\n /* The values come in based on the scaled screen, we need to convert them to\n * values based on the main screen's coordinate system\n */\n\tif(!rectSwapIfLEAndClip(&msg.fur.x,&msg.fur.y,&msg.fur.w,&msg.fur.h,cl))\n\t{\n\t rfbLog(\"Warning, ignoring rfbFramebufferUpdateRequest: %dXx%dY-%dWx%dH\\n\",msg.fur.x, msg.fur.y, msg.fur.w, msg.fur.h);\n\t\treturn;\n }\n\n if (cl->clientFramebufferUpdateRequestHook)\n cl->clientFramebufferUpdateRequestHook(cl, &msg.fur);\n\n\ttmpRegion =\n\t sraRgnCreateRect(msg.fur.x,\n\t\t\t msg.fur.y,\n\t\t\t msg.fur.x+msg.fur.w,\n\t\t\t msg.fur.y+msg.fur.h);\n\n LOCK(cl->updateMutex);\n\tsraRgnOr(cl->requestedRegion,tmpRegion);\n\n\tif (!cl->readyForSetColourMapEntries) {\n\t /* client hasn't sent a SetPixelFormat so is using server's */\n\t cl->readyForSetColourMapEntries = TRUE;\n\t if (!cl->format.trueColour) {\n\t\tif (!rfbSetClientColourMap(cl, 0, 0)) {\n\t\t sraRgnDestroy(tmpRegion);\n\t\t TSIGNAL(cl->updateCond);\n\t\t UNLOCK(cl->updateMutex);\n\t\t return;\n\t\t}\n\t 
}\n\t}\n\n if (!msg.fur.incremental) {\n\t sraRgnOr(cl->modifiedRegion,tmpRegion);\n\t sraRgnSubtract(cl->copyRegion,tmpRegion);\n if (cl->useExtDesktopSize)\n cl->newFBSizePending = TRUE;\n }\n TSIGNAL(cl->updateCond);\n UNLOCK(cl->updateMutex);\n\n sraRgnDestroy(tmpRegion);\n\n return;\n }\n\n case rfbKeyEvent:\n\n\tif ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n\t\t\t sz_rfbKeyEventMsg - 1)) <= 0) {\n\t if (n != 0)\n\t\trfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n\t rfbCloseClient(cl);\n\t return;\n\t}\n\n\trfbStatRecordMessageRcvd(cl, msg.type, sz_rfbKeyEventMsg, sz_rfbKeyEventMsg);\n\n\tif(!cl->viewOnly) {\n\t cl->screen->kbdAddEvent(msg.ke.down, (rfbKeySym)Swap32IfLE(msg.ke.key), cl);\n\t}\n\n return;\n\n\n case rfbPointerEvent:\n\n\tif ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n\t\t\t sz_rfbPointerEventMsg - 1)) <= 0) {\n\t if (n != 0)\n\t\trfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n\t rfbCloseClient(cl);\n\t return;\n\t}\n\n\trfbStatRecordMessageRcvd(cl, msg.type, sz_rfbPointerEventMsg, sz_rfbPointerEventMsg);\n\t\n\tif (cl->screen->pointerClient && cl->screen->pointerClient != cl)\n\t return;\n\n\tif (msg.pe.buttonMask == 0)\n\t cl->screen->pointerClient = NULL;\n\telse\n\t cl->screen->pointerClient = cl;\n\n\tif(!cl->viewOnly) {\n\t if (msg.pe.buttonMask != cl->lastPtrButtons ||\n\t\t cl->screen->deferPtrUpdateTime == 0) {\n\t\tcl->screen->ptrAddEvent(msg.pe.buttonMask,\n\t\t\tScaleX(cl->scaledScreen, cl->screen, Swap16IfLE(msg.pe.x)), \n\t\t\tScaleY(cl->scaledScreen, cl->screen, Swap16IfLE(msg.pe.y)),\n\t\t\tcl);\n\t\tcl->lastPtrButtons = msg.pe.buttonMask;\n\t } else {\n\t\tcl->lastPtrX = ScaleX(cl->scaledScreen, cl->screen, Swap16IfLE(msg.pe.x));\n\t\tcl->lastPtrY = ScaleY(cl->scaledScreen, cl->screen, Swap16IfLE(msg.pe.y));\n\t\tcl->lastPtrButtons = msg.pe.buttonMask;\n\t }\n } \n return;\n\n\n case rfbFileTransfer:\n if ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n sz_rfbFileTransferMsg - 1)) <= 0) {\n if (n != 0)\n 
rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n rfbCloseClient(cl);\n return;\n }\n msg.ft.size = Swap32IfLE(msg.ft.size);\n msg.ft.length = Swap32IfLE(msg.ft.length);\n /* record statistics in rfbProcessFileTransfer as length is filled with garbage when it is not valid */\n rfbProcessFileTransfer(cl, msg.ft.contentType, msg.ft.contentParam, msg.ft.size, msg.ft.length);\n return;\n\n case rfbSetSW:\n if ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n sz_rfbSetSWMsg - 1)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n rfbCloseClient(cl);\n return;\n }\n msg.sw.x = Swap16IfLE(msg.sw.x);\n msg.sw.y = Swap16IfLE(msg.sw.y);\n rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetSWMsg, sz_rfbSetSWMsg);\n /* msg.sw.status is not initialized in the ultraVNC viewer and contains random numbers (why???) */\n\n rfbLog(\"Received a rfbSetSingleWindow(%d x, %d y)\\n\", msg.sw.x, msg.sw.y);\n if (cl->screen->setSingleWindow!=NULL)\n cl->screen->setSingleWindow(cl, msg.sw.x, msg.sw.y);\n return;\n\n case rfbSetServerInput:\n if ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n sz_rfbSetServerInputMsg - 1)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n rfbCloseClient(cl);\n return;\n }\n rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetServerInputMsg, sz_rfbSetServerInputMsg);\n\n /* msg.sim.pad is not initialized in the ultraVNC viewer and contains random numbers (why???) 
*/\n /* msg.sim.pad = Swap16IfLE(msg.sim.pad); */\n\n rfbLog(\"Received a rfbSetServerInput(%d status)\\n\", msg.sim.status);\n if (cl->screen->setServerInput!=NULL)\n cl->screen->setServerInput(cl, msg.sim.status);\n return;\n \n case rfbTextChat:\n if ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n sz_rfbTextChatMsg - 1)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n rfbCloseClient(cl);\n return;\n }\n \n msg.tc.pad2 = Swap16IfLE(msg.tc.pad2);\n msg.tc.length = Swap32IfLE(msg.tc.length);\n\n switch (msg.tc.length) {\n case rfbTextChatOpen:\n case rfbTextChatClose:\n case rfbTextChatFinished:\n /* commands do not have text following */\n /* Why couldn't they have used the pad byte??? */\n str=NULL;\n rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbTextChatMsg, sz_rfbTextChatMsg);\n break;\n default:\n if ((msg.tc.length>0) && (msg.tc.length%d\\n\", msg.tc.length, rfbTextMaxSize);\n rfbCloseClient(cl);\n return;\n }\n }\n\n /* Note: length can be commands: rfbTextChatOpen, rfbTextChatClose, and rfbTextChatFinished\n * at which point, the str is NULL (as it is not sent)\n */\n if (cl->screen->setTextChat!=NULL)\n cl->screen->setTextChat(cl, msg.tc.length, str);\n\n free(str);\n return;\n\n\n case rfbClientCutText:\n\n\tif ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n\t\t\t sz_rfbClientCutTextMsg - 1)) <= 0) {\n\t if (n != 0)\n\t\trfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n\t rfbCloseClient(cl);\n\t return;\n\t}\n\n\tmsg.cct.length = Swap32IfLE(msg.cct.length);\n\n\t/* uint32_t input is passed to malloc()'s size_t argument,\n\t * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int\n\t * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int\n\t * argument. 
Here we impose a limit of 1 MB so that the value fits\n\t * into all of the types to prevent from misinterpretation and thus\n\t * from accessing uninitialized memory (CVE-2018-7225) and also to\n\t * prevent from a denial-of-service by allocating too much memory in\n\t * the server. */\n\tif (msg.cct.length > 1<<20) {\n\t rfbLog(\"rfbClientCutText: too big cut text length requested: %u B > 1 MB\\n\", (unsigned int)msg.cct.length);\n\t rfbCloseClient(cl);\n\t return;\n\t}\n\n\t/* Allow zero-length client cut text. */\n\tstr = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);\n\tif (str == NULL) {\n\t\trfbLogPerror(\"rfbProcessClientNormalMessage: not enough memory\");\n\t\trfbCloseClient(cl);\n\t\treturn;\n\t}\n\n\tif ((n = rfbReadExact(cl, str, msg.cct.length)) <= 0) {\n\t if (n != 0)\n\t rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n\t free(str);\n\t rfbCloseClient(cl);\n\t return;\n\t}\n\trfbStatRecordMessageRcvd(cl, msg.type, sz_rfbClientCutTextMsg+msg.cct.length, sz_rfbClientCutTextMsg+msg.cct.length);\n\tif(!cl->viewOnly) {\n\t cl->screen->setXCutText(str, msg.cct.length, cl);\n\t}\n\tfree(str);\n\n return;\n\n case rfbPalmVNCSetScaleFactor:\n cl->PalmVNC = TRUE;\n if ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n sz_rfbSetScaleMsg - 1)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n rfbCloseClient(cl);\n return;\n }\n\n if (msg.ssc.scale == 0) {\n rfbLogPerror(\"rfbProcessClientNormalMessage: will not accept a scale factor of zero\");\n rfbCloseClient(cl);\n return;\n }\n\n rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg);\n rfbLog(\"rfbSetScale(%d)\\n\", msg.ssc.scale);\n rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale);\n\n rfbSendNewScaleSize(cl);\n return;\n \n case rfbSetScale:\n\n if ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n sz_rfbSetScaleMsg - 1)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n 
rfbCloseClient(cl);\n return;\n }\n\n if (msg.ssc.scale == 0) {\n rfbLogPerror(\"rfbProcessClientNormalMessage: will not accept a scale factor of zero\");\n rfbCloseClient(cl);\n return;\n }\n\n rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg);\n rfbLog(\"rfbSetScale(%d)\\n\", msg.ssc.scale);\n rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale);\n\n rfbSendNewScaleSize(cl);\n return;\n\n case rfbXvp:\n\n if ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n sz_rfbXvpMsg - 1)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n rfbCloseClient(cl);\n return;\n }\n rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbXvpMsg, sz_rfbXvpMsg);\n\n /* only version when is defined, so echo back a fail */\n if(msg.xvp.version != 1) {\n\trfbSendXvp(cl, msg.xvp.version, rfbXvp_Fail);\n }\n else {\n\t/* if the hook exists and fails, send a fail msg */\n\tif(cl->screen->xvpHook && !cl->screen->xvpHook(cl, msg.xvp.version, msg.xvp.code))\n\t rfbSendXvp(cl, 1, rfbXvp_Fail);\n }\n return;\n\n case rfbSetDesktopSize:\n\n if ((n = rfbReadExact(cl, ((char *)&msg) + 1,\n sz_rfbSetDesktopSizeMsg - 1)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n rfbCloseClient(cl);\n return;\n }\n\n if (msg.sdm.numberOfScreens == 0) {\n rfbLog(\"Ignoring setDesktopSize message from client that defines zero screens\\n\");\n return;\n }\n\n extDesktopScreens = (rfbExtDesktopScreen *) malloc(msg.sdm.numberOfScreens * sz_rfbExtDesktopScreen);\n if (extDesktopScreens == NULL) {\n rfbLogPerror(\"rfbProcessClientNormalMessage: not enough memory\");\n rfbCloseClient(cl);\n return;\n }\n\n if ((n = rfbReadExact(cl, ((char *)extDesktopScreens), msg.sdm.numberOfScreens * sz_rfbExtDesktopScreen)) <= 0) {\n if (n != 0)\n rfbLogPerror(\"rfbProcessClientNormalMessage: read\");\n free(extDesktopScreens);\n rfbCloseClient(cl);\n return;\n }\n rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetDesktopSizeMsg + 
msg.sdm.numberOfScreens * sz_rfbExtDesktopScreen,\n sz_rfbSetDesktopSizeMsg + msg.sdm.numberOfScreens * sz_rfbExtDesktopScreen);\n\n for (i=0; i < msg.sdm.numberOfScreens; i++) {\n extDesktopScreens[i].id = Swap32IfLE(extDesktopScreens[i].id);\n extDesktopScreens[i].x = Swap16IfLE(extDesktopScreens[i].x);\n extDesktopScreens[i].y = Swap16IfLE(extDesktopScreens[i].y);\n extDesktopScreens[i].width = Swap16IfLE(extDesktopScreens[i].width);\n extDesktopScreens[i].height = Swap16IfLE(extDesktopScreens[i].height);\n extDesktopScreens[i].flags = Swap32IfLE(extDesktopScreens[i].flags);\n }\n msg.sdm.width = Swap16IfLE(msg.sdm.width);\n msg.sdm.height = Swap16IfLE(msg.sdm.height);\n\n rfbLog(\"Client requested resolution change to (%dx%d)\\n\", msg.sdm.width, msg.sdm.height);\n cl->requestedDesktopSizeChange = rfbExtDesktopSize_ClientRequestedChange;\n cl->lastDesktopSizeChangeError = cl->screen->setDesktopSizeHook(msg.sdm.width, msg.sdm.height, msg.sdm.numberOfScreens,\n extDesktopScreens, cl);\n\n if (cl->lastDesktopSizeChangeError == 0) {\n /* Let other clients know it was this client that requested the change */\n iterator = rfbGetClientIterator(cl->screen);\n while ((clp = rfbClientIteratorNext(iterator)) != NULL) {\n LOCK(clp->updateMutex);\n if (clp != cl)\n clp->requestedDesktopSizeChange = rfbExtDesktopSize_OtherClientRequestedChange;\n UNLOCK(clp->updateMutex);\n }\n }\n else\n {\n /* Force ExtendedDesktopSize message to be sent with result code in case of error.\n (In case of success, it is delayed until the new framebuffer is created) */\n cl->newFBSizePending = TRUE;\n }\n\n free(extDesktopScreens);\n return;\n\n default:\n\t{\n\t rfbExtensionData *e,*next;\n\n\t for(e=cl->extensions; e;) {\n\t\tnext = e->next;\n\t\tif(e->extension->handleMessage &&\n\t\t\te->extension->handleMessage(cl, e->data, &msg))\n {\n rfbStatRecordMessageRcvd(cl, msg.type, 0, 0); /* Extension should handle this */\n\t\t return;\n }\n\t\te = next;\n\t }\n\n\t 
rfbLog(\"rfbProcessClientNormalMessage: unknown message type %d\\n\",\n\t\t msg.type);\n\t rfbLog(\" ... closing connection\\n\");\n\t rfbCloseClient(cl);\n\t return;\n\t}\n }\n}", "project": "libvncserver", "hash": 224838032124696139555922012358029319437, "size": 799, "commit_id": "673c07a75ed844d74676f3ccdcfdc706a7052dba", "message": "libvncserver/rfbserver: fix possible divide-by-zero\n\nCloses #409", "target": 0, "dataset": "other", "idx": 295852 }, { "func": "makeRGBToIndexTables(l_int32 cqlevels,\n l_uint32 **prtab,\n l_uint32 **pgtab,\n l_uint32 **pbtab)\n{\nl_int32 i;\nl_uint32 *rtab, *gtab, *btab;\n\n PROCNAME(\"makeRGBToIndexTables\");\n\n if (cqlevels < 1 || cqlevels > 6)\n return ERROR_INT(\"cqlevels must be in {1,...6}\", procName, 1);\n if (!prtab || !pgtab || !pbtab)\n return ERROR_INT(\"not all &tabs defined\", procName, 1);\n\n rtab = (l_uint32 *)LEPT_CALLOC(256, sizeof(l_uint32));\n gtab = (l_uint32 *)LEPT_CALLOC(256, sizeof(l_uint32));\n btab = (l_uint32 *)LEPT_CALLOC(256, sizeof(l_uint32));\n if (!rtab || !gtab || !btab)\n return ERROR_INT(\"calloc fail for tab\", procName, 1);\n *prtab = rtab;\n *pgtab = gtab;\n *pbtab = btab;\n\n switch (cqlevels)\n {\n case 1:\n for (i = 0; i < 256; i++) {\n rtab[i] = (i >> 5) & 0x0004;\n gtab[i] = (i >> 6) & 0x0002;\n btab[i] = (i >> 7);\n }\n break;\n case 2:\n for (i = 0; i < 256; i++) {\n rtab[i] = ((i >> 2) & 0x0020) | ((i >> 4) & 0x0004);\n gtab[i] = ((i >> 3) & 0x0010) | ((i >> 5) & 0x0002);\n btab[i] = ((i >> 4) & 0x0008) | ((i >> 6) & 0x0001);\n }\n break;\n case 3:\n for (i = 0; i < 256; i++) {\n rtab[i] = ((i << 1) & 0x0100) | ((i >> 1) & 0x0020) |\n ((i >> 3) & 0x0004);\n gtab[i] = (i & 0x0080) | ((i >> 2) & 0x0010) |\n ((i >> 4) & 0x0002);\n btab[i] = ((i >> 1) & 0x0040) | ((i >> 3) & 0x0008) |\n ((i >> 5) & 0x0001);\n }\n break;\n case 4:\n for (i = 0; i < 256; i++) {\n rtab[i] = ((i << 4) & 0x0800) | ((i << 2) & 0x0100) |\n (i & 0x0020) | ((i >> 2) & 0x0004);\n gtab[i] = ((i << 3) & 0x0400) | 
((i << 1) & 0x0080) |\n ((i >> 1) & 0x0010) | ((i >> 3) & 0x0002);\n btab[i] = ((i << 2) & 0x0200) | (i & 0x0040) |\n ((i >> 2) & 0x0008) | ((i >> 4) & 0x0001);\n }\n break;\n case 5:\n for (i = 0; i < 256; i++) {\n rtab[i] = ((i << 7) & 0x4000) | ((i << 5) & 0x0800) |\n ((i << 3) & 0x0100) | ((i << 1) & 0x0020) |\n ((i >> 1) & 0x0004);\n gtab[i] = ((i << 6) & 0x2000) | ((i << 4) & 0x0400) |\n ((i << 2) & 0x0080) | (i & 0x0010) |\n ((i >> 2) & 0x0002);\n btab[i] = ((i << 5) & 0x1000) | ((i << 3) & 0x0200) |\n ((i << 1) & 0x0040) | ((i >> 1) & 0x0008) |\n ((i >> 3) & 0x0001);\n }\n break;\n case 6:\n for (i = 0; i < 256; i++) {\n rtab[i] = ((i << 10) & 0x20000) | ((i << 8) & 0x4000) |\n ((i << 6) & 0x0800) | ((i << 4) & 0x0100) |\n ((i << 2) & 0x0020) | (i & 0x0004);\n gtab[i] = ((i << 9) & 0x10000) | ((i << 7) & 0x2000) |\n ((i << 5) & 0x0400) | ((i << 3) & 0x0080) |\n ((i << 1) & 0x0010) | ((i >> 1) & 0x0002);\n btab[i] = ((i << 8) & 0x8000) | ((i << 6) & 0x1000) |\n ((i << 4) & 0x0200) | ((i << 2) & 0x0040) |\n (i & 0x0008) | ((i >> 2) & 0x0001);\n }\n break;\n default:\n ERROR_INT(\"cqlevels not in [1...6]\", procName, 1);\n break;\n }\n\n return 0;\n}", "project": "leptonica", "hash": 339342197708385869308093782612647527658, "size": 93, "commit_id": "5ee24b398bb67666f6d173763eaaedd9c36fb1e5", "message": "Fixed issue 22140 in oss-fuzz: Heap-buffer-overflow\n* color quantized pix must be 8 bpp before extra colors are added.", "target": 0, "dataset": "other", "idx": 296010 }, { "func": "xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {\n int ret = 0;\n int avail, tlen;\n xmlChar cur, next;\n const xmlChar *lastlt, *lastgt;\n\n if (ctxt->input == NULL)\n return(0);\n\n#ifdef DEBUG_PUSH\n switch (ctxt->instate) {\n\tcase XML_PARSER_EOF:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try EOF\\n\"); break;\n\tcase XML_PARSER_START:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try START\\n\"); break;\n\tcase XML_PARSER_MISC:\n\t 
xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try MISC\\n\");break;\n\tcase XML_PARSER_COMMENT:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try COMMENT\\n\");break;\n\tcase XML_PARSER_PROLOG:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try PROLOG\\n\");break;\n\tcase XML_PARSER_START_TAG:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try START_TAG\\n\");break;\n\tcase XML_PARSER_CONTENT:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try CONTENT\\n\");break;\n\tcase XML_PARSER_CDATA_SECTION:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try CDATA_SECTION\\n\");break;\n\tcase XML_PARSER_END_TAG:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try END_TAG\\n\");break;\n\tcase XML_PARSER_ENTITY_DECL:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try ENTITY_DECL\\n\");break;\n\tcase XML_PARSER_ENTITY_VALUE:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try ENTITY_VALUE\\n\");break;\n\tcase XML_PARSER_ATTRIBUTE_VALUE:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try ATTRIBUTE_VALUE\\n\");break;\n\tcase XML_PARSER_DTD:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try DTD\\n\");break;\n\tcase XML_PARSER_EPILOG:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try EPILOG\\n\");break;\n\tcase XML_PARSER_PI:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try PI\\n\");break;\n case XML_PARSER_IGNORE:\n xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try IGNORE\\n\");break;\n }\n#endif\n\n if ((ctxt->input != NULL) &&\n (ctxt->input->cur - ctxt->input->base > 4096)) {\n\txmlSHRINK(ctxt);\n\tctxt->checkIndex = 0;\n }\n xmlParseGetLasts(ctxt, &lastlt, &lastgt);\n\n while (ctxt->instate != XML_PARSER_EOF) {\n\tif ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1))\n\t return(0);\n\n\tif (ctxt->input == NULL) break;\n\tif (ctxt->input->buf == NULL)\n\t avail = ctxt->input->length -\n\t (ctxt->input->cur - ctxt->input->base);\n\telse {\n\t /*\n\t * 
If we are operating on converted input, try to flush\n\t * remainng chars to avoid them stalling in the non-converted\n\t * buffer. But do not do this in document start where\n\t * encoding=\"...\" may not have been read and we work on a\n\t * guessed encoding.\n\t */\n\t if ((ctxt->instate != XML_PARSER_START) &&\n\t (ctxt->input->buf->raw != NULL) &&\n\t\t(xmlBufIsEmpty(ctxt->input->buf->raw) == 0)) {\n size_t base = xmlBufGetInputBase(ctxt->input->buf->buffer,\n ctxt->input);\n\t\tsize_t current = ctxt->input->cur - ctxt->input->base;\n\n\t\txmlParserInputBufferPush(ctxt->input->buf, 0, \"\");\n xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input,\n base, current);\n\t }\n\t avail = xmlBufUse(ctxt->input->buf->buffer) -\n\t\t (ctxt->input->cur - ctxt->input->base);\n\t}\n if (avail < 1)\n\t goto done;\n switch (ctxt->instate) {\n case XML_PARSER_EOF:\n\t /*\n\t\t * Document parsing is done !\n\t\t */\n\t goto done;\n case XML_PARSER_START:\n\t\tif (ctxt->charset == XML_CHAR_ENCODING_NONE) {\n\t\t xmlChar start[4];\n\t\t xmlCharEncoding enc;\n\n\t\t /*\n\t\t * Very first chars read from the document flow.\n\t\t */\n\t\t if (avail < 4)\n\t\t\tgoto done;\n\n\t\t /*\n\t\t * Get the 4 first bytes and decode the charset\n\t\t * if enc != XML_CHAR_ENCODING_NONE\n\t\t * plug some encoding conversion routines,\n\t\t * else xmlSwitchEncoding will set to (default)\n\t\t * UTF8.\n\t\t */\n\t\t start[0] = RAW;\n\t\t start[1] = NXT(1);\n\t\t start[2] = NXT(2);\n\t\t start[3] = NXT(3);\n\t\t enc = xmlDetectCharEncoding(start, 4);\n\t\t xmlSwitchEncoding(ctxt, enc);\n\t\t break;\n\t\t}\n\n\t\tif (avail < 2)\n\t\t goto done;\n\t\tcur = ctxt->input->cur[0];\n\t\tnext = ctxt->input->cur[1];\n\t\tif (cur == 0) {\n\t\t if ((ctxt->sax) && (ctxt->sax->setDocumentLocator))\n\t\t\tctxt->sax->setDocumentLocator(ctxt->userData,\n\t\t\t\t\t\t &xmlDefaultSAXLocator);\n\t\t xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);\n\t\t xmlHaltParser(ctxt);\n#ifdef DEBUG_PUSH\n\t\t 
xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: entering EOF\\n\");\n#endif\n\t\t if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))\n\t\t\tctxt->sax->endDocument(ctxt->userData);\n\t\t goto done;\n\t\t}\n\t if ((cur == '<') && (next == '?')) {\n\t\t /* PI or XML decl */\n\t\t if (avail < 5) return(ret);\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '?', '>', 0) < 0))\n\t\t\treturn(ret);\n\t\t if ((ctxt->sax) && (ctxt->sax->setDocumentLocator))\n\t\t\tctxt->sax->setDocumentLocator(ctxt->userData,\n\t\t\t\t\t\t &xmlDefaultSAXLocator);\n\t\t if ((ctxt->input->cur[2] == 'x') &&\n\t\t\t(ctxt->input->cur[3] == 'm') &&\n\t\t\t(ctxt->input->cur[4] == 'l') &&\n\t\t\t(IS_BLANK_CH(ctxt->input->cur[5]))) {\n\t\t\tret += 5;\n#ifdef DEBUG_PUSH\n\t\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\t\"PP: Parsing XML Decl\\n\");\n#endif\n\t\t\txmlParseXMLDecl(ctxt);\n\t\t\tif (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {\n\t\t\t /*\n\t\t\t * The XML REC instructs us to stop parsing right\n\t\t\t * here\n\t\t\t */\n\t\t\t xmlHaltParser(ctxt);\n\t\t\t return(0);\n\t\t\t}\n\t\t\tctxt->standalone = ctxt->input->standalone;\n\t\t\tif ((ctxt->encoding == NULL) &&\n\t\t\t (ctxt->input->encoding != NULL))\n\t\t\t ctxt->encoding = xmlStrdup(ctxt->input->encoding);\n\t\t\tif ((ctxt->sax) && (ctxt->sax->startDocument) &&\n\t\t\t (!ctxt->disableSAX))\n\t\t\t ctxt->sax->startDocument(ctxt->userData);\n\t\t\tctxt->instate = XML_PARSER_MISC;\n#ifdef DEBUG_PUSH\n\t\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\t\"PP: entering MISC\\n\");\n#endif\n\t\t } else {\n\t\t\tctxt->version = xmlCharStrdup(XML_DEFAULT_VERSION);\n\t\t\tif ((ctxt->sax) && (ctxt->sax->startDocument) &&\n\t\t\t (!ctxt->disableSAX))\n\t\t\t ctxt->sax->startDocument(ctxt->userData);\n\t\t\tctxt->instate = XML_PARSER_MISC;\n#ifdef DEBUG_PUSH\n\t\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\t\"PP: entering MISC\\n\");\n#endif\n\t\t }\n\t\t} else {\n\t\t if ((ctxt->sax) && 
(ctxt->sax->setDocumentLocator))\n\t\t\tctxt->sax->setDocumentLocator(ctxt->userData,\n\t\t\t\t\t\t &xmlDefaultSAXLocator);\n\t\t ctxt->version = xmlCharStrdup(XML_DEFAULT_VERSION);\n\t\t if (ctxt->version == NULL) {\n\t\t xmlErrMemory(ctxt, NULL);\n\t\t\tbreak;\n\t\t }\n\t\t if ((ctxt->sax) && (ctxt->sax->startDocument) &&\n\t\t (!ctxt->disableSAX))\n\t\t\tctxt->sax->startDocument(ctxt->userData);\n\t\t ctxt->instate = XML_PARSER_MISC;\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: entering MISC\\n\");\n#endif\n\t\t}\n\t\tbreak;\n case XML_PARSER_START_TAG: {\n\t const xmlChar *name;\n\t\tconst xmlChar *prefix = NULL;\n\t\tconst xmlChar *URI = NULL;\n\t\tint nsNr = ctxt->nsNr;\n\n\t\tif ((avail < 2) && (ctxt->inputNr == 1))\n\t\t goto done;\n\t\tcur = ctxt->input->cur[0];\n\t if (cur != '<') {\n\t\t xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);\n\t\t xmlHaltParser(ctxt);\n\t\t if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))\n\t\t\tctxt->sax->endDocument(ctxt->userData);\n\t\t goto done;\n\t\t}\n\t\tif (!terminate) {\n\t\t if (ctxt->progressive) {\n\t\t /* > can be found unescaped in attribute values */\n\t\t if ((lastgt == NULL) || (ctxt->input->cur >= lastgt))\n\t\t\t goto done;\n\t\t } else if (xmlParseLookupSequence(ctxt, '>', 0, 0) < 0) {\n\t\t\tgoto done;\n\t\t }\n\t\t}\n\t\tif (ctxt->spaceNr == 0)\n\t\t spacePush(ctxt, -1);\n\t\telse if (*ctxt->space == -2)\n\t\t spacePush(ctxt, -1);\n\t\telse\n\t\t spacePush(ctxt, *ctxt->space);\n#ifdef LIBXML_SAX1_ENABLED\n\t\tif (ctxt->sax2)\n#endif /* LIBXML_SAX1_ENABLED */\n\t\t name = xmlParseStartTag2(ctxt, &prefix, &URI, &tlen);\n#ifdef LIBXML_SAX1_ENABLED\n\t\telse\n\t\t name = xmlParseStartTag(ctxt);\n#endif /* LIBXML_SAX1_ENABLED */\n\t\tif (ctxt->instate == XML_PARSER_EOF)\n\t\t goto done;\n\t\tif (name == NULL) {\n\t\t spacePop(ctxt);\n\t\t xmlHaltParser(ctxt);\n\t\t if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))\n\t\t\tctxt->sax->endDocument(ctxt->userData);\n\t\t 
goto done;\n\t\t}\n#ifdef LIBXML_VALID_ENABLED\n\t\t/*\n\t\t * [ VC: Root Element Type ]\n\t\t * The Name in the document type declaration must match\n\t\t * the element type of the root element.\n\t\t */\n\t\tif (ctxt->validate && ctxt->wellFormed && ctxt->myDoc &&\n\t\t ctxt->node && (ctxt->node == ctxt->myDoc->children))\n\t\t ctxt->valid &= xmlValidateRoot(&ctxt->vctxt, ctxt->myDoc);\n#endif /* LIBXML_VALID_ENABLED */\n\n\t\t/*\n\t\t * Check for an Empty Element.\n\t\t */\n\t\tif ((RAW == '/') && (NXT(1) == '>')) {\n\t\t SKIP(2);\n\n\t\t if (ctxt->sax2) {\n\t\t\tif ((ctxt->sax != NULL) &&\n\t\t\t (ctxt->sax->endElementNs != NULL) &&\n\t\t\t (!ctxt->disableSAX))\n\t\t\t ctxt->sax->endElementNs(ctxt->userData, name,\n\t\t\t prefix, URI);\n\t\t\tif (ctxt->nsNr - nsNr > 0)\n\t\t\t nsPop(ctxt, ctxt->nsNr - nsNr);\n#ifdef LIBXML_SAX1_ENABLED\n\t\t } else {\n\t\t\tif ((ctxt->sax != NULL) &&\n\t\t\t (ctxt->sax->endElement != NULL) &&\n\t\t\t (!ctxt->disableSAX))\n\t\t\t ctxt->sax->endElement(ctxt->userData, name);\n#endif /* LIBXML_SAX1_ENABLED */\n\t\t }\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t spacePop(ctxt);\n\t\t if (ctxt->nameNr == 0) {\n\t\t\tctxt->instate = XML_PARSER_EPILOG;\n\t\t } else {\n\t\t\tctxt->instate = XML_PARSER_CONTENT;\n\t\t }\n ctxt->progressive = 1;\n\t\t break;\n\t\t}\n\t\tif (RAW == '>') {\n\t\t NEXT;\n\t\t} else {\n\t\t xmlFatalErrMsgStr(ctxt, XML_ERR_GT_REQUIRED,\n\t\t\t\t\t \"Couldn't find end of Start Tag %s\\n\",\n\t\t\t\t\t name);\n\t\t nodePop(ctxt);\n\t\t spacePop(ctxt);\n\t\t}\n\t\tif (ctxt->sax2)\n\t\t nameNsPush(ctxt, name, prefix, URI, ctxt->nsNr - nsNr);\n#ifdef LIBXML_SAX1_ENABLED\n\t\telse\n\t\t namePush(ctxt, name);\n#endif /* LIBXML_SAX1_ENABLED */\n\n\t\tctxt->instate = XML_PARSER_CONTENT;\n ctxt->progressive = 1;\n break;\n\t }\n case XML_PARSER_CONTENT: {\n\t\tconst xmlChar *test;\n\t\tunsigned int cons;\n\t\tif ((avail < 2) && (ctxt->inputNr == 1))\n\t\t goto done;\n\t\tcur = 
ctxt->input->cur[0];\n\t\tnext = ctxt->input->cur[1];\n\n\t\ttest = CUR_PTR;\n\t cons = ctxt->input->consumed;\n\t\tif ((cur == '<') && (next == '/')) {\n\t\t ctxt->instate = XML_PARSER_END_TAG;\n\t\t break;\n\t } else if ((cur == '<') && (next == '?')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '?', '>', 0) < 0)) {\n ctxt->progressive = XML_PARSER_PI;\n\t\t\tgoto done;\n }\n\t\t xmlParsePI(ctxt);\n\t\t ctxt->instate = XML_PARSER_CONTENT;\n ctxt->progressive = 1;\n\t\t} else if ((cur == '<') && (next != '!')) {\n\t\t ctxt->instate = XML_PARSER_START_TAG;\n\t\t break;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (ctxt->input->cur[2] == '-') &&\n\t\t\t (ctxt->input->cur[3] == '-')) {\n\t\t int term;\n\n\t if (avail < 4)\n\t\t goto done;\n\t\t ctxt->input->cur += 4;\n\t\t term = xmlParseLookupSequence(ctxt, '-', '-', '>');\n\t\t ctxt->input->cur -= 4;\n\t\t if ((!terminate) && (term < 0)) {\n ctxt->progressive = XML_PARSER_COMMENT;\n\t\t\tgoto done;\n }\n\t\t xmlParseComment(ctxt);\n\t\t ctxt->instate = XML_PARSER_CONTENT;\n ctxt->progressive = 1;\n\t\t} else if ((cur == '<') && (ctxt->input->cur[1] == '!') &&\n\t\t (ctxt->input->cur[2] == '[') &&\n\t\t (ctxt->input->cur[3] == 'C') &&\n\t\t (ctxt->input->cur[4] == 'D') &&\n\t\t (ctxt->input->cur[5] == 'A') &&\n\t\t (ctxt->input->cur[6] == 'T') &&\n\t\t (ctxt->input->cur[7] == 'A') &&\n\t\t (ctxt->input->cur[8] == '[')) {\n\t\t SKIP(9);\n\t\t ctxt->instate = XML_PARSER_CDATA_SECTION;\n\t\t break;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (avail < 9)) {\n\t\t goto done;\n\t\t} else if (cur == '&') {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, ';', 0, 0) < 0))\n\t\t\tgoto done;\n\t\t xmlParseReference(ctxt);\n\t\t} else {\n\t\t /* TODO Avoid the extra copy, handle directly !!! 
*/\n\t\t /*\n\t\t * Goal of the following test is:\n\t\t * - minimize calls to the SAX 'character' callback\n\t\t * when they are mergeable\n\t\t * - handle an problem for isBlank when we only parse\n\t\t * a sequence of blank chars and the next one is\n\t\t * not available to check against '<' presence.\n\t\t * - tries to homogenize the differences in SAX\n\t\t * callbacks between the push and pull versions\n\t\t * of the parser.\n\t\t */\n\t\t if ((ctxt->inputNr == 1) &&\n\t\t (avail < XML_PARSER_BIG_BUFFER_SIZE)) {\n\t\t\tif (!terminate) {\n\t\t\t if (ctxt->progressive) {\n\t\t\t\tif ((lastlt == NULL) ||\n\t\t\t\t (ctxt->input->cur > lastlt))\n\t\t\t\t goto done;\n\t\t\t } else if (xmlParseLookupSequence(ctxt,\n\t\t\t '<', 0, 0) < 0) {\n\t\t\t\tgoto done;\n\t\t\t }\n\t\t\t}\n }\n\t\t ctxt->checkIndex = 0;\n\t\t xmlParseCharData(ctxt, 0);\n\t\t}\n\t\tif ((cons == ctxt->input->consumed) && (test == CUR_PTR)) {\n\t\t xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,\n\t\t \"detected an error in element content\\n\");\n\t\t xmlHaltParser(ctxt);\n\t\t break;\n\t\t}\n\t\tbreak;\n\t }\n case XML_PARSER_END_TAG:\n\t\tif (avail < 2)\n\t\t goto done;\n\t\tif (!terminate) {\n\t\t if (ctxt->progressive) {\n\t\t /* > can be found unescaped in attribute values */\n\t\t if ((lastgt == NULL) || (ctxt->input->cur >= lastgt))\n\t\t\t goto done;\n\t\t } else if (xmlParseLookupSequence(ctxt, '>', 0, 0) < 0) {\n\t\t\tgoto done;\n\t\t }\n\t\t}\n\t\tif (ctxt->sax2) {\n\t\t xmlParseEndTag2(ctxt,\n\t\t (void *) ctxt->pushTab[ctxt->nameNr * 3 - 3],\n\t\t (void *) ctxt->pushTab[ctxt->nameNr * 3 - 2], 0,\n\t\t (int) (ptrdiff_t)\n ctxt->pushTab[ctxt->nameNr * 3 - 1], 0);\n\t\t nameNsPop(ctxt);\n\t\t}\n#ifdef LIBXML_SAX1_ENABLED\n\t\t else\n\t\t xmlParseEndTag1(ctxt, 0);\n#endif /* LIBXML_SAX1_ENABLED */\n\t\tif (ctxt->instate == XML_PARSER_EOF) {\n\t\t /* Nothing */\n\t\t} else if (ctxt->nameNr == 0) {\n\t\t ctxt->instate = XML_PARSER_EPILOG;\n\t\t} else {\n\t\t ctxt->instate = 
XML_PARSER_CONTENT;\n\t\t}\n\t\tbreak;\n case XML_PARSER_CDATA_SECTION: {\n\t /*\n\t\t * The Push mode need to have the SAX callback for\n\t\t * cdataBlock merge back contiguous callbacks.\n\t\t */\n\t\tint base;\n\n\t\tbase = xmlParseLookupSequence(ctxt, ']', ']', '>');\n\t\tif (base < 0) {\n\t\t if (avail >= XML_PARSER_BIG_BUFFER_SIZE + 2) {\n\t\t int tmp;\n\n\t\t\ttmp = xmlCheckCdataPush(ctxt->input->cur,\n\t\t\t XML_PARSER_BIG_BUFFER_SIZE, 0);\n\t\t\tif (tmp < 0) {\n\t\t\t tmp = -tmp;\n\t\t\t ctxt->input->cur += tmp;\n\t\t\t goto encoding_error;\n\t\t\t}\n\t\t\tif ((ctxt->sax != NULL) && (!ctxt->disableSAX)) {\n\t\t\t if (ctxt->sax->cdataBlock != NULL)\n\t\t\t\tctxt->sax->cdataBlock(ctxt->userData,\n\t\t\t\t ctxt->input->cur, tmp);\n\t\t\t else if (ctxt->sax->characters != NULL)\n\t\t\t\tctxt->sax->characters(ctxt->userData,\n\t\t\t\t ctxt->input->cur, tmp);\n\t\t\t}\n\t\t\tif (ctxt->instate == XML_PARSER_EOF)\n\t\t\t goto done;\n\t\t\tSKIPL(tmp);\n\t\t\tctxt->checkIndex = 0;\n\t\t }\n\t\t goto done;\n\t\t} else {\n\t\t int tmp;\n\n\t\t tmp = xmlCheckCdataPush(ctxt->input->cur, base, 1);\n\t\t if ((tmp < 0) || (tmp != base)) {\n\t\t\ttmp = -tmp;\n\t\t\tctxt->input->cur += tmp;\n\t\t\tgoto encoding_error;\n\t\t }\n\t\t if ((ctxt->sax != NULL) && (base == 0) &&\n\t\t (ctxt->sax->cdataBlock != NULL) &&\n\t\t (!ctxt->disableSAX)) {\n\t\t\t/*\n\t\t\t * Special case to provide identical behaviour\n\t\t\t * between pull and push parsers on enpty CDATA\n\t\t\t * sections\n\t\t\t */\n\t\t\t if ((ctxt->input->cur - ctxt->input->base >= 9) &&\n\t\t\t (!strncmp((const char *)&ctxt->input->cur[-9],\n\t\t\t \"sax->cdataBlock(ctxt->userData,\n\t\t\t BAD_CAST \"\", 0);\n\t\t } else if ((ctxt->sax != NULL) && (base > 0) &&\n\t\t\t(!ctxt->disableSAX)) {\n\t\t\tif (ctxt->sax->cdataBlock != NULL)\n\t\t\t ctxt->sax->cdataBlock(ctxt->userData,\n\t\t\t\t\t\t ctxt->input->cur, base);\n\t\t\telse if (ctxt->sax->characters != NULL)\n\t\t\t 
ctxt->sax->characters(ctxt->userData,\n\t\t\t\t\t\t ctxt->input->cur, base);\n\t\t }\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t SKIPL(base + 3);\n\t\t ctxt->checkIndex = 0;\n\t\t ctxt->instate = XML_PARSER_CONTENT;\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: entering CONTENT\\n\");\n#endif\n\t\t}\n\t\tbreak;\n\t }\n case XML_PARSER_MISC:\n\t\tSKIP_BLANKS;\n\t\tif (ctxt->input->buf == NULL)\n\t\t avail = ctxt->input->length -\n\t\t (ctxt->input->cur - ctxt->input->base);\n\t\telse\n\t\t avail = xmlBufUse(ctxt->input->buf->buffer) -\n\t\t (ctxt->input->cur - ctxt->input->base);\n\t\tif (avail < 2)\n\t\t goto done;\n\t\tcur = ctxt->input->cur[0];\n\t\tnext = ctxt->input->cur[1];\n\t if ((cur == '<') && (next == '?')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '?', '>', 0) < 0)) {\n ctxt->progressive = XML_PARSER_PI;\n\t\t\tgoto done;\n }\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: Parsing PI\\n\");\n#endif\n\t\t xmlParsePI(ctxt);\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t ctxt->instate = XML_PARSER_MISC;\n ctxt->progressive = 1;\n\t\t ctxt->checkIndex = 0;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (ctxt->input->cur[2] == '-') &&\n\t\t (ctxt->input->cur[3] == '-')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '-', '-', '>') < 0)) {\n ctxt->progressive = XML_PARSER_COMMENT;\n\t\t\tgoto done;\n }\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: Parsing Comment\\n\");\n#endif\n\t\t xmlParseComment(ctxt);\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t ctxt->instate = XML_PARSER_MISC;\n ctxt->progressive = 1;\n\t\t ctxt->checkIndex = 0;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (ctxt->input->cur[2] == 'D') &&\n\t\t (ctxt->input->cur[3] == 'O') &&\n\t\t (ctxt->input->cur[4] == 'C') &&\n\t\t (ctxt->input->cur[5] == 'T') &&\n\t\t 
(ctxt->input->cur[6] == 'Y') &&\n\t\t (ctxt->input->cur[7] == 'P') &&\n\t\t (ctxt->input->cur[8] == 'E')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '>', 0, 0) < 0)) {\n ctxt->progressive = XML_PARSER_DTD;\n\t\t\tgoto done;\n }\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: Parsing internal subset\\n\");\n#endif\n\t\t ctxt->inSubset = 1;\n ctxt->progressive = 0;\n\t\t ctxt->checkIndex = 0;\n\t\t xmlParseDocTypeDecl(ctxt);\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t if (RAW == '[') {\n\t\t\tctxt->instate = XML_PARSER_DTD;\n#ifdef DEBUG_PUSH\n\t\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\t\"PP: entering DTD\\n\");\n#endif\n\t\t } else {\n\t\t\t/*\n\t\t\t * Create and update the external subset.\n\t\t\t */\n\t\t\tctxt->inSubset = 2;\n\t\t\tif ((ctxt->sax != NULL) && (!ctxt->disableSAX) &&\n\t\t\t (ctxt->sax->externalSubset != NULL))\n\t\t\t ctxt->sax->externalSubset(ctxt->userData,\n\t\t\t\t ctxt->intSubName, ctxt->extSubSystem,\n\t\t\t\t ctxt->extSubURI);\n\t\t\tctxt->inSubset = 0;\n\t\t\txmlCleanSpecialAttr(ctxt);\n\t\t\tctxt->instate = XML_PARSER_PROLOG;\n#ifdef DEBUG_PUSH\n\t\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\t\"PP: entering PROLOG\\n\");\n#endif\n\t\t }\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (avail < 9)) {\n\t\t goto done;\n\t\t} else {\n\t\t ctxt->instate = XML_PARSER_START_TAG;\n\t\t ctxt->progressive = XML_PARSER_START_TAG;\n\t\t xmlParseGetLasts(ctxt, &lastlt, &lastgt);\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: entering START_TAG\\n\");\n#endif\n\t\t}\n\t\tbreak;\n case XML_PARSER_PROLOG:\n\t\tSKIP_BLANKS;\n\t\tif (ctxt->input->buf == NULL)\n\t\t avail = ctxt->input->length - (ctxt->input->cur - ctxt->input->base);\n\t\telse\n\t\t avail = xmlBufUse(ctxt->input->buf->buffer) -\n (ctxt->input->cur - ctxt->input->base);\n\t\tif (avail < 2)\n\t\t goto done;\n\t\tcur = ctxt->input->cur[0];\n\t\tnext = 
ctxt->input->cur[1];\n\t if ((cur == '<') && (next == '?')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '?', '>', 0) < 0)) {\n ctxt->progressive = XML_PARSER_PI;\n\t\t\tgoto done;\n }\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: Parsing PI\\n\");\n#endif\n\t\t xmlParsePI(ctxt);\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t ctxt->instate = XML_PARSER_PROLOG;\n ctxt->progressive = 1;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (ctxt->input->cur[2] == '-') && (ctxt->input->cur[3] == '-')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '-', '-', '>') < 0)) {\n ctxt->progressive = XML_PARSER_COMMENT;\n\t\t\tgoto done;\n }\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: Parsing Comment\\n\");\n#endif\n\t\t xmlParseComment(ctxt);\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t ctxt->instate = XML_PARSER_PROLOG;\n ctxt->progressive = 1;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (avail < 4)) {\n\t\t goto done;\n\t\t} else {\n\t\t ctxt->instate = XML_PARSER_START_TAG;\n\t\t if (ctxt->progressive == 0)\n\t\t\tctxt->progressive = XML_PARSER_START_TAG;\n\t\t xmlParseGetLasts(ctxt, &lastlt, &lastgt);\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: entering START_TAG\\n\");\n#endif\n\t\t}\n\t\tbreak;\n case XML_PARSER_EPILOG:\n\t\tSKIP_BLANKS;\n\t\tif (ctxt->input->buf == NULL)\n\t\t avail = ctxt->input->length - (ctxt->input->cur - ctxt->input->base);\n\t\telse\n\t\t avail = xmlBufUse(ctxt->input->buf->buffer) -\n (ctxt->input->cur - ctxt->input->base);\n\t\tif (avail < 2)\n\t\t goto done;\n\t\tcur = ctxt->input->cur[0];\n\t\tnext = ctxt->input->cur[1];\n\t if ((cur == '<') && (next == '?')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '?', '>', 0) < 0)) {\n ctxt->progressive = XML_PARSER_PI;\n\t\t\tgoto done;\n }\n#ifdef DEBUG_PUSH\n\t\t 
xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: Parsing PI\\n\");\n#endif\n\t\t xmlParsePI(ctxt);\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t ctxt->instate = XML_PARSER_EPILOG;\n ctxt->progressive = 1;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (ctxt->input->cur[2] == '-') && (ctxt->input->cur[3] == '-')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '-', '-', '>') < 0)) {\n ctxt->progressive = XML_PARSER_COMMENT;\n\t\t\tgoto done;\n }\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: Parsing Comment\\n\");\n#endif\n\t\t xmlParseComment(ctxt);\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t ctxt->instate = XML_PARSER_EPILOG;\n ctxt->progressive = 1;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (avail < 4)) {\n\t\t goto done;\n\t\t} else {\n\t\t xmlFatalErr(ctxt, XML_ERR_DOCUMENT_END, NULL);\n\t\t xmlHaltParser(ctxt);\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: entering EOF\\n\");\n#endif\n\t\t if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))\n\t\t\tctxt->sax->endDocument(ctxt->userData);\n\t\t goto done;\n\t\t}\n\t\tbreak;\n case XML_PARSER_DTD: {\n\t /*\n\t\t * Sorry but progressive parsing of the internal subset\n\t\t * is not expected to be supported. We first check that\n\t\t * the full content of the internal subset is available and\n\t\t * the parsing is launched only at that point.\n\t\t * Internal subset ends up with \"']' S? 
'>'\" in an unescaped\n\t\t * section and not in a ']]>' sequence which are conditional\n\t\t * sections (whoever argued to keep that crap in XML deserve\n\t\t * a place in hell !).\n\t\t */\n\t\tint base, i;\n\t\txmlChar *buf;\n\t xmlChar quote = 0;\n size_t use;\n\n\t\tbase = ctxt->input->cur - ctxt->input->base;\n\t\tif (base < 0) return(0);\n\t\tif (ctxt->checkIndex > base)\n\t\t base = ctxt->checkIndex;\n\t\tbuf = xmlBufContent(ctxt->input->buf->buffer);\n use = xmlBufUse(ctxt->input->buf->buffer);\n\t\tfor (;(unsigned int) base < use; base++) {\n\t\t if (quote != 0) {\n\t\t if (buf[base] == quote)\n\t\t\t quote = 0;\n\t\t\tcontinue;\n\t\t }\n\t\t if ((quote == 0) && (buf[base] == '<')) {\n\t\t int found = 0;\n\t\t\t/* special handling of comments */\n\t\t if (((unsigned int) base + 4 < use) &&\n\t\t\t (buf[base + 1] == '!') &&\n\t\t\t (buf[base + 2] == '-') &&\n\t\t\t (buf[base + 3] == '-')) {\n\t\t\t for (;(unsigned int) base + 3 < use; base++) {\n\t\t\t\tif ((buf[base] == '-') &&\n\t\t\t\t (buf[base + 1] == '-') &&\n\t\t\t\t (buf[base + 2] == '>')) {\n\t\t\t\t found = 1;\n\t\t\t\t base += 2;\n\t\t\t\t break;\n\t\t\t\t}\n\t\t }\n\t\t\t if (!found) {\n#if 0\n\t\t\t fprintf(stderr, \"unfinished comment\\n\");\n#endif\n\t\t\t break; /* for */\n\t\t }\n\t\t continue;\n\t\t\t}\n\t\t }\n\t\t if (buf[base] == '\"') {\n\t\t quote = '\"';\n\t\t\tcontinue;\n\t\t }\n\t\t if (buf[base] == '\\'') {\n\t\t quote = '\\'';\n\t\t\tcontinue;\n\t\t }\n\t\t if (buf[base] == ']') {\n#if 0\n\t\t fprintf(stderr, \"%c%c%c%c: \", buf[base],\n\t\t\t buf[base + 1], buf[base + 2], buf[base + 3]);\n#endif\n\t\t if ((unsigned int) base +1 >= use)\n\t\t\t break;\n\t\t\tif (buf[base + 1] == ']') {\n\t\t\t /* conditional crap, skip both ']' ! 
*/\n\t\t\t base++;\n\t\t\t continue;\n\t\t\t}\n\t\t for (i = 1; (unsigned int) base + i < use; i++) {\n\t\t\t if (buf[base + i] == '>') {\n#if 0\n\t\t\t fprintf(stderr, \"found\\n\");\n#endif\n\t\t\t goto found_end_int_subset;\n\t\t\t }\n\t\t\t if (!IS_BLANK_CH(buf[base + i])) {\n#if 0\n\t\t\t fprintf(stderr, \"not found\\n\");\n#endif\n\t\t\t goto not_end_of_int_subset;\n\t\t\t }\n\t\t\t}\n#if 0\n\t\t\tfprintf(stderr, \"end of stream\\n\");\n#endif\n\t\t break;\n\n\t\t }\nnot_end_of_int_subset:\n continue; /* for */\n\t\t}\n\t\t/*\n\t\t * We didn't found the end of the Internal subset\n\t\t */\n if (quote == 0)\n ctxt->checkIndex = base;\n else\n ctxt->checkIndex = 0;\n#ifdef DEBUG_PUSH\n\t\tif (next == 0)\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: lookup of int subset end filed\\n\");\n#endif\n\t goto done;\n\nfound_end_int_subset:\n ctxt->checkIndex = 0;\n\t\txmlParseInternalSubset(ctxt);\n\t\tif (ctxt->instate == XML_PARSER_EOF)\n\t\t goto done;\n\t\tctxt->inSubset = 2;\n\t\tif ((ctxt->sax != NULL) && (!ctxt->disableSAX) &&\n\t\t (ctxt->sax->externalSubset != NULL))\n\t\t ctxt->sax->externalSubset(ctxt->userData, ctxt->intSubName,\n\t\t\t ctxt->extSubSystem, ctxt->extSubURI);\n\t\tctxt->inSubset = 0;\n\t\txmlCleanSpecialAttr(ctxt);\n\t\tif (ctxt->instate == XML_PARSER_EOF)\n\t\t goto done;\n\t\tctxt->instate = XML_PARSER_PROLOG;\n\t\tctxt->checkIndex = 0;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering PROLOG\\n\");\n#endif\n break;\n\t }\n case XML_PARSER_COMMENT:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == COMMENT\\n\");\n\t\tctxt->instate = XML_PARSER_CONTENT;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering CONTENT\\n\");\n#endif\n\t\tbreak;\n case XML_PARSER_IGNORE:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == IGNORE\");\n\t ctxt->instate = XML_PARSER_DTD;\n#ifdef 
DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering DTD\\n\");\n#endif\n\t break;\n case XML_PARSER_PI:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == PI\\n\");\n\t\tctxt->instate = XML_PARSER_CONTENT;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering CONTENT\\n\");\n#endif\n\t\tbreak;\n case XML_PARSER_ENTITY_DECL:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == ENTITY_DECL\\n\");\n\t\tctxt->instate = XML_PARSER_DTD;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering DTD\\n\");\n#endif\n\t\tbreak;\n case XML_PARSER_ENTITY_VALUE:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == ENTITY_VALUE\\n\");\n\t\tctxt->instate = XML_PARSER_CONTENT;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering DTD\\n\");\n#endif\n\t\tbreak;\n case XML_PARSER_ATTRIBUTE_VALUE:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == ATTRIBUTE_VALUE\\n\");\n\t\tctxt->instate = XML_PARSER_START_TAG;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering START_TAG\\n\");\n#endif\n\t\tbreak;\n case XML_PARSER_SYSTEM_LITERAL:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == SYSTEM_LITERAL\\n\");\n\t\tctxt->instate = XML_PARSER_START_TAG;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering START_TAG\\n\");\n#endif\n\t\tbreak;\n case XML_PARSER_PUBLIC_LITERAL:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == PUBLIC_LITERAL\\n\");\n\t\tctxt->instate = XML_PARSER_START_TAG;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering START_TAG\\n\");\n#endif\n\t\tbreak;\n\t}\n }\ndone:\n#ifdef DEBUG_PUSH\n xmlGenericError(xmlGenericErrorContext, \"PP: done %d\\n\", ret);\n#endif\n 
return(ret);\nencoding_error:\n {\n char buffer[150];\n\n\tsnprintf(buffer, 149, \"Bytes: 0x%02X 0x%02X 0x%02X 0x%02X\\n\",\n\t\t\tctxt->input->cur[0], ctxt->input->cur[1],\n\t\t\tctxt->input->cur[2], ctxt->input->cur[3]);\n\t__xmlErrEncoding(ctxt, XML_ERR_INVALID_CHAR,\n\t\t \"Input is not proper UTF-8, indicate encoding !\\n%s\",\n\t\t BAD_CAST buffer, NULL);\n }\n return(0);\n}", "project": "libxml2", "hash": 218330395375774225323465042365495968493, "size": 982, "commit_id": "5a02583c7e683896d84878bd90641d8d9b0d0549", "message": "Fix memory leak in xmlParseBalancedChunkMemoryRecover\n\nWhen doc is NULL, namespace created in xmlTreeEnsureXMLDecl\nis bind to newDoc->oldNs, in this case, set newDoc->oldNs to\nNULL and free newDoc will cause a memory leak.\n\nFound with libFuzzer.\n\nCloses #82.", "target": 0, "dataset": "other", "idx": 299168 }, { "func": "xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)\n{\n const char *errmsg;\n\n if ((ctxt != NULL) && (ctxt->disableSAX != 0) &&\n (ctxt->instate == XML_PARSER_EOF))\n\treturn;\n switch (error) {\n case XML_ERR_INVALID_HEX_CHARREF:\n errmsg = \"CharRef: invalid hexadecimal value\";\n break;\n case XML_ERR_INVALID_DEC_CHARREF:\n errmsg = \"CharRef: invalid decimal value\";\n break;\n case XML_ERR_INVALID_CHARREF:\n errmsg = \"CharRef: invalid value\";\n break;\n case XML_ERR_INTERNAL_ERROR:\n errmsg = \"internal error\";\n break;\n case XML_ERR_PEREF_AT_EOF:\n errmsg = \"PEReference at end of document\";\n break;\n case XML_ERR_PEREF_IN_PROLOG:\n errmsg = \"PEReference in prolog\";\n break;\n case XML_ERR_PEREF_IN_EPILOG:\n errmsg = \"PEReference in epilog\";\n break;\n case XML_ERR_PEREF_NO_NAME:\n errmsg = \"PEReference: no name\";\n break;\n case XML_ERR_PEREF_SEMICOL_MISSING:\n errmsg = \"PEReference: expecting ';'\";\n break;\n case XML_ERR_ENTITY_LOOP:\n errmsg = \"Detected an entity reference loop\";\n break;\n case XML_ERR_ENTITY_NOT_STARTED:\n errmsg = \"EntityValue: \\\" or ' 
expected\";\n break;\n case XML_ERR_ENTITY_PE_INTERNAL:\n errmsg = \"PEReferences forbidden in internal subset\";\n break;\n case XML_ERR_ENTITY_NOT_FINISHED:\n errmsg = \"EntityValue: \\\" or ' expected\";\n break;\n case XML_ERR_ATTRIBUTE_NOT_STARTED:\n errmsg = \"AttValue: \\\" or ' expected\";\n break;\n case XML_ERR_LT_IN_ATTRIBUTE:\n errmsg = \"Unescaped '<' not allowed in attributes values\";\n break;\n case XML_ERR_LITERAL_NOT_STARTED:\n errmsg = \"SystemLiteral \\\" or ' expected\";\n break;\n case XML_ERR_LITERAL_NOT_FINISHED:\n errmsg = \"Unfinished System or Public ID \\\" or ' expected\";\n break;\n case XML_ERR_MISPLACED_CDATA_END:\n errmsg = \"Sequence ']]>' not allowed in content\";\n break;\n case XML_ERR_URI_REQUIRED:\n errmsg = \"SYSTEM or PUBLIC, the URI is missing\";\n break;\n case XML_ERR_PUBID_REQUIRED:\n errmsg = \"PUBLIC, the Public Identifier is missing\";\n break;\n case XML_ERR_HYPHEN_IN_COMMENT:\n errmsg = \"Comment must not contain '--' (double-hyphen)\";\n break;\n case XML_ERR_PI_NOT_STARTED:\n errmsg = \"xmlParsePI : no target name\";\n break;\n case XML_ERR_RESERVED_XML_NAME:\n errmsg = \"Invalid PI name\";\n break;\n case XML_ERR_NOTATION_NOT_STARTED:\n errmsg = \"NOTATION: Name expected here\";\n break;\n case XML_ERR_NOTATION_NOT_FINISHED:\n errmsg = \"'>' required to close NOTATION declaration\";\n break;\n case XML_ERR_VALUE_REQUIRED:\n errmsg = \"Entity value required\";\n break;\n case XML_ERR_URI_FRAGMENT:\n errmsg = \"Fragment not allowed\";\n break;\n case XML_ERR_ATTLIST_NOT_STARTED:\n errmsg = \"'(' required to start ATTLIST enumeration\";\n break;\n case XML_ERR_NMTOKEN_REQUIRED:\n errmsg = \"NmToken expected in ATTLIST enumeration\";\n break;\n case XML_ERR_ATTLIST_NOT_FINISHED:\n errmsg = \"')' required to finish ATTLIST enumeration\";\n break;\n case XML_ERR_MIXED_NOT_STARTED:\n errmsg = \"MixedContentDecl : '|' or ')*' expected\";\n break;\n case XML_ERR_PCDATA_REQUIRED:\n errmsg = \"MixedContentDecl : '#PCDATA' 
expected\";\n break;\n case XML_ERR_ELEMCONTENT_NOT_STARTED:\n errmsg = \"ContentDecl : Name or '(' expected\";\n break;\n case XML_ERR_ELEMCONTENT_NOT_FINISHED:\n errmsg = \"ContentDecl : ',' '|' or ')' expected\";\n break;\n case XML_ERR_PEREF_IN_INT_SUBSET:\n errmsg =\n \"PEReference: forbidden within markup decl in internal subset\";\n break;\n case XML_ERR_GT_REQUIRED:\n errmsg = \"expected '>'\";\n break;\n case XML_ERR_CONDSEC_INVALID:\n errmsg = \"XML conditional section '[' expected\";\n break;\n case XML_ERR_EXT_SUBSET_NOT_FINISHED:\n errmsg = \"Content error in the external subset\";\n break;\n case XML_ERR_CONDSEC_INVALID_KEYWORD:\n errmsg =\n \"conditional section INCLUDE or IGNORE keyword expected\";\n break;\n case XML_ERR_CONDSEC_NOT_FINISHED:\n errmsg = \"XML conditional section not closed\";\n break;\n case XML_ERR_XMLDECL_NOT_STARTED:\n errmsg = \"Text declaration '' expected\";\n break;\n case XML_ERR_EXT_ENTITY_STANDALONE:\n errmsg = \"external parsed entities cannot be standalone\";\n break;\n case XML_ERR_ENTITYREF_SEMICOL_MISSING:\n errmsg = \"EntityRef: expecting ';'\";\n break;\n case XML_ERR_DOCTYPE_NOT_FINISHED:\n errmsg = \"DOCTYPE improperly terminated\";\n break;\n case XML_ERR_LTSLASH_REQUIRED:\n errmsg = \"EndTag: 'errNo = error;\n if (info == NULL) {\n __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error,\n XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, \"%s\\n\",\n errmsg);\n } else {\n __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error,\n XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, \"%s: %s\\n\",\n errmsg, info);\n }\n if (ctxt != NULL) {\n\tctxt->wellFormed = 0;\n\tif (ctxt->recovery == 0)\n\t ctxt->disableSAX = 1;\n }\n}", "project": "libxml2", "hash": 212070842774581946674608889307349639734, "size": 206, "commit_id": "5a02583c7e683896d84878bd90641d8d9b0d0549", "message": "Fix memory leak in xmlParseBalancedChunkMemoryRecover\n\nWhen doc is NULL, namespace created in 
xmlTreeEnsureXMLDecl\nis bind to newDoc->oldNs, in this case, set newDoc->oldNs to\nNULL and free newDoc will cause a memory leak.\n\nFound with libFuzzer.\n\nCloses #82.", "target": 0, "dataset": "other", "idx": 299177 }, { "func": "xmlParseInNodeContext(xmlNodePtr node, const char *data, int datalen,\n int options, xmlNodePtr *lst) {\n#ifdef SAX2\n xmlParserCtxtPtr ctxt;\n xmlDocPtr doc = NULL;\n xmlNodePtr fake, cur;\n int nsnr = 0;\n\n xmlParserErrors ret = XML_ERR_OK;\n\n /*\n * check all input parameters, grab the document\n */\n if ((lst == NULL) || (node == NULL) || (data == NULL) || (datalen < 0))\n return(XML_ERR_INTERNAL_ERROR);\n switch (node->type) {\n case XML_ELEMENT_NODE:\n case XML_ATTRIBUTE_NODE:\n case XML_TEXT_NODE:\n case XML_CDATA_SECTION_NODE:\n case XML_ENTITY_REF_NODE:\n case XML_PI_NODE:\n case XML_COMMENT_NODE:\n case XML_DOCUMENT_NODE:\n case XML_HTML_DOCUMENT_NODE:\n\t break;\n\tdefault:\n\t return(XML_ERR_INTERNAL_ERROR);\n\n }\n while ((node != NULL) && (node->type != XML_ELEMENT_NODE) &&\n (node->type != XML_DOCUMENT_NODE) &&\n\t (node->type != XML_HTML_DOCUMENT_NODE))\n\tnode = node->parent;\n if (node == NULL)\n\treturn(XML_ERR_INTERNAL_ERROR);\n if (node->type == XML_ELEMENT_NODE)\n\tdoc = node->doc;\n else\n doc = (xmlDocPtr) node;\n if (doc == NULL)\n\treturn(XML_ERR_INTERNAL_ERROR);\n\n /*\n * allocate a context and set-up everything not related to the\n * node position in the tree\n */\n if (doc->type == XML_DOCUMENT_NODE)\n\tctxt = xmlCreateMemoryParserCtxt((char *) data, datalen);\n#ifdef LIBXML_HTML_ENABLED\n else if (doc->type == XML_HTML_DOCUMENT_NODE) {\n\tctxt = htmlCreateMemoryParserCtxt((char *) data, datalen);\n /*\n * When parsing in context, it makes no sense to add implied\n * elements like html/body/etc...\n */\n options |= HTML_PARSE_NOIMPLIED;\n }\n#endif\n else\n return(XML_ERR_INTERNAL_ERROR);\n\n if (ctxt == NULL)\n return(XML_ERR_NO_MEMORY);\n\n /*\n * Use input doc's dict if present, else assure 
XML_PARSE_NODICT is set.\n * We need a dictionary for xmlDetectSAX2, so if there's no doc dict\n * we must wait until the last moment to free the original one.\n */\n if (doc->dict != NULL) {\n if (ctxt->dict != NULL)\n\t xmlDictFree(ctxt->dict);\n\tctxt->dict = doc->dict;\n } else\n options |= XML_PARSE_NODICT;\n\n if (doc->encoding != NULL) {\n xmlCharEncodingHandlerPtr hdlr;\n\n if (ctxt->encoding != NULL)\n\t xmlFree((xmlChar *) ctxt->encoding);\n ctxt->encoding = xmlStrdup((const xmlChar *) doc->encoding);\n\n hdlr = xmlFindCharEncodingHandler((const char *) doc->encoding);\n if (hdlr != NULL) {\n xmlSwitchToEncoding(ctxt, hdlr);\n\t} else {\n return(XML_ERR_UNSUPPORTED_ENCODING);\n }\n }\n\n xmlCtxtUseOptionsInternal(ctxt, options, NULL);\n xmlDetectSAX2(ctxt);\n ctxt->myDoc = doc;\n /* parsing in context, i.e. as within existing content */\n ctxt->input_id = 2;\n ctxt->instate = XML_PARSER_CONTENT;\n\n fake = xmlNewComment(NULL);\n if (fake == NULL) {\n xmlFreeParserCtxt(ctxt);\n\treturn(XML_ERR_NO_MEMORY);\n }\n xmlAddChild(node, fake);\n\n if (node->type == XML_ELEMENT_NODE) {\n\tnodePush(ctxt, node);\n\t/*\n\t * initialize the SAX2 namespaces stack\n\t */\n\tcur = node;\n\twhile ((cur != NULL) && (cur->type == XML_ELEMENT_NODE)) {\n\t xmlNsPtr ns = cur->nsDef;\n\t const xmlChar *iprefix, *ihref;\n\n\t while (ns != NULL) {\n\t\tif (ctxt->dict) {\n\t\t iprefix = xmlDictLookup(ctxt->dict, ns->prefix, -1);\n\t\t ihref = xmlDictLookup(ctxt->dict, ns->href, -1);\n\t\t} else {\n\t\t iprefix = ns->prefix;\n\t\t ihref = ns->href;\n\t\t}\n\n\t if (xmlGetNamespace(ctxt, iprefix) == NULL) {\n\t\t nsPush(ctxt, iprefix, ihref);\n\t\t nsnr++;\n\t\t}\n\t\tns = ns->next;\n\t }\n\t cur = cur->parent;\n\t}\n }\n\n if ((ctxt->validate) || (ctxt->replaceEntities != 0)) {\n\t/*\n\t * ID/IDREF registration will be done in xmlValidateElement below\n\t */\n\tctxt->loadsubset |= XML_SKIP_IDS;\n }\n\n#ifdef LIBXML_HTML_ENABLED\n if (doc->type == XML_HTML_DOCUMENT_NODE)\n 
__htmlParseContent(ctxt);\n else\n#endif\n\txmlParseContent(ctxt);\n\n nsPop(ctxt, nsnr);\n if ((RAW == '<') && (NXT(1) == '/')) {\n\txmlFatalErr(ctxt, XML_ERR_NOT_WELL_BALANCED, NULL);\n } else if (RAW != 0) {\n\txmlFatalErr(ctxt, XML_ERR_EXTRA_CONTENT, NULL);\n }\n if ((ctxt->node != NULL) && (ctxt->node != node)) {\n\txmlFatalErr(ctxt, XML_ERR_NOT_WELL_BALANCED, NULL);\n\tctxt->wellFormed = 0;\n }\n\n if (!ctxt->wellFormed) {\n if (ctxt->errNo == 0)\n\t ret = XML_ERR_INTERNAL_ERROR;\n\telse\n\t ret = (xmlParserErrors)ctxt->errNo;\n } else {\n ret = XML_ERR_OK;\n }\n\n /*\n * Return the newly created nodeset after unlinking it from\n * the pseudo sibling.\n */\n\n cur = fake->next;\n fake->next = NULL;\n node->last = fake;\n\n if (cur != NULL) {\n\tcur->prev = NULL;\n }\n\n *lst = cur;\n\n while (cur != NULL) {\n\tcur->parent = NULL;\n\tcur = cur->next;\n }\n\n xmlUnlinkNode(fake);\n xmlFreeNode(fake);\n\n\n if (ret != XML_ERR_OK) {\n xmlFreeNodeList(*lst);\n\t*lst = NULL;\n }\n\n if (doc->dict != NULL)\n ctxt->dict = NULL;\n xmlFreeParserCtxt(ctxt);\n\n return(ret);\n#else /* !SAX2 */\n return(XML_ERR_INTERNAL_ERROR);\n#endif\n}", "project": "libxml2", "hash": 29453031340580933081426113788998303658, "size": 207, "commit_id": "5a02583c7e683896d84878bd90641d8d9b0d0549", "message": "Fix memory leak in xmlParseBalancedChunkMemoryRecover\n\nWhen doc is NULL, namespace created in xmlTreeEnsureXMLDecl\nis bind to newDoc->oldNs, in this case, set newDoc->oldNs to\nNULL and free newDoc will cause a memory leak.\n\nFound with libFuzzer.\n\nCloses #82.", "target": 0, "dataset": "other", "idx": 299178 }, { "func": "xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {\n switch(ctxt->instate) {\n\tcase XML_PARSER_CDATA_SECTION:\n\t return;\n case XML_PARSER_COMMENT:\n\t return;\n\tcase XML_PARSER_START_TAG:\n\t return;\n\tcase XML_PARSER_END_TAG:\n\t return;\n case XML_PARSER_EOF:\n\t xmlFatalErr(ctxt, XML_ERR_PEREF_AT_EOF, NULL);\n\t return;\n case XML_PARSER_PROLOG:\n\tcase 
XML_PARSER_START:\n\tcase XML_PARSER_MISC:\n\t xmlFatalErr(ctxt, XML_ERR_PEREF_IN_PROLOG, NULL);\n\t return;\n\tcase XML_PARSER_ENTITY_DECL:\n case XML_PARSER_CONTENT:\n case XML_PARSER_ATTRIBUTE_VALUE:\n case XML_PARSER_PI:\n\tcase XML_PARSER_SYSTEM_LITERAL:\n\tcase XML_PARSER_PUBLIC_LITERAL:\n\t /* we just ignore it there */\n\t return;\n case XML_PARSER_EPILOG:\n\t xmlFatalErr(ctxt, XML_ERR_PEREF_IN_EPILOG, NULL);\n\t return;\n\tcase XML_PARSER_ENTITY_VALUE:\n\t /*\n\t * NOTE: in the case of entity values, we don't do the\n\t * substitution here since we need the literal\n\t * entity value to be able to save the internal\n\t * subset of the document.\n\t * This will be handled by xmlStringDecodeEntities\n\t */\n\t return;\n case XML_PARSER_DTD:\n\t /*\n\t * [WFC: Well-Formedness Constraint: PEs in Internal Subset]\n\t * In the internal DTD subset, parameter-entity references\n\t * can occur only where markup declarations can occur, not\n\t * within markup declarations.\n\t * In that case this is handled in xmlParseMarkupDecl\n\t */\n\t if ((ctxt->external == 0) && (ctxt->inputNr == 1))\n\t\treturn;\n\t if (IS_BLANK_CH(NXT(1)) || NXT(1) == 0)\n\t\treturn;\n break;\n case XML_PARSER_IGNORE:\n return;\n }\n\n xmlParsePEReference(ctxt);\n}", "project": "libxml2", "hash": 114050598154388267386526355899263886847, "size": 57, "commit_id": "5a02583c7e683896d84878bd90641d8d9b0d0549", "message": "Fix memory leak in xmlParseBalancedChunkMemoryRecover\n\nWhen doc is NULL, namespace created in xmlTreeEnsureXMLDecl\nis bind to newDoc->oldNs, in this case, set newDoc->oldNs to\nNULL and free newDoc will cause a memory leak.\n\nFound with libFuzzer.\n\nCloses #82.", "target": 0, "dataset": "other", "idx": 299184 }, { "func": "xmlGetPredefinedEntity(const xmlChar *name) {\n if (name == NULL) return(NULL);\n switch (name[0]) {\n case 'l':\n\t if (xmlStrEqual(name, BAD_CAST \"lt\"))\n\t return(&xmlEntityLt);\n\t break;\n case 'g':\n\t if (xmlStrEqual(name, BAD_CAST \"gt\"))\n\t 
return(&xmlEntityGt);\n\t break;\n case 'a':\n\t if (xmlStrEqual(name, BAD_CAST \"amp\"))\n\t return(&xmlEntityAmp);\n\t if (xmlStrEqual(name, BAD_CAST \"apos\"))\n\t return(&xmlEntityApos);\n\t break;\n case 'q':\n\t if (xmlStrEqual(name, BAD_CAST \"quot\"))\n\t return(&xmlEntityQuot);\n\t break;\n\tdefault:\n\t break;\n }\n return(NULL);\n}", "project": "libxml2", "hash": 264286027445710878977958753707940429559, "size": 26, "commit_id": "bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2", "message": "Validate UTF8 in xmlEncodeEntities\n\nCode is currently assuming UTF-8 without validating. Truncated UTF-8\ninput can cause out-of-bounds array access.\n\nAdds further checks to partial fix in 50f06b3e.\n\nFixes #178", "target": 0, "dataset": "other", "idx": 302151 }, { "func": "xmlDumpEntityDecl(xmlBufferPtr buf, xmlEntityPtr ent) {\n if ((buf == NULL) || (ent == NULL)) return;\n switch (ent->etype) {\n\tcase XML_INTERNAL_GENERAL_ENTITY:\n\t xmlBufferWriteChar(buf, \"name);\n\t xmlBufferWriteChar(buf, \" \");\n\t if (ent->orig != NULL)\n\t\txmlBufferWriteQuotedString(buf, ent->orig);\n\t else\n\t\txmlDumpEntityContent(buf, ent->content);\n\t xmlBufferWriteChar(buf, \">\\n\");\n\t break;\n\tcase XML_EXTERNAL_GENERAL_PARSED_ENTITY:\n\t xmlBufferWriteChar(buf, \"name);\n\t if (ent->ExternalID != NULL) {\n\t\t xmlBufferWriteChar(buf, \" PUBLIC \");\n\t\t xmlBufferWriteQuotedString(buf, ent->ExternalID);\n\t\t xmlBufferWriteChar(buf, \" \");\n\t\t xmlBufferWriteQuotedString(buf, ent->SystemID);\n\t } else {\n\t\t xmlBufferWriteChar(buf, \" SYSTEM \");\n\t\t xmlBufferWriteQuotedString(buf, ent->SystemID);\n\t }\n\t xmlBufferWriteChar(buf, \">\\n\");\n\t break;\n\tcase XML_EXTERNAL_GENERAL_UNPARSED_ENTITY:\n\t xmlBufferWriteChar(buf, \"name);\n\t if (ent->ExternalID != NULL) {\n\t\t xmlBufferWriteChar(buf, \" PUBLIC \");\n\t\t xmlBufferWriteQuotedString(buf, ent->ExternalID);\n\t\t xmlBufferWriteChar(buf, \" \");\n\t\t xmlBufferWriteQuotedString(buf, ent->SystemID);\n\t } else 
{\n\t\t xmlBufferWriteChar(buf, \" SYSTEM \");\n\t\t xmlBufferWriteQuotedString(buf, ent->SystemID);\n\t }\n\t if (ent->content != NULL) { /* Should be true ! */\n\t\txmlBufferWriteChar(buf, \" NDATA \");\n\t\tif (ent->orig != NULL)\n\t\t xmlBufferWriteCHAR(buf, ent->orig);\n\t\telse\n\t\t xmlBufferWriteCHAR(buf, ent->content);\n\t }\n\t xmlBufferWriteChar(buf, \">\\n\");\n\t break;\n\tcase XML_INTERNAL_PARAMETER_ENTITY:\n\t xmlBufferWriteChar(buf, \"name);\n\t xmlBufferWriteChar(buf, \" \");\n\t if (ent->orig == NULL)\n\t\txmlDumpEntityContent(buf, ent->content);\n\t else\n\t\txmlBufferWriteQuotedString(buf, ent->orig);\n\t xmlBufferWriteChar(buf, \">\\n\");\n\t break;\n\tcase XML_EXTERNAL_PARAMETER_ENTITY:\n\t xmlBufferWriteChar(buf, \"name);\n\t if (ent->ExternalID != NULL) {\n\t\t xmlBufferWriteChar(buf, \" PUBLIC \");\n\t\t xmlBufferWriteQuotedString(buf, ent->ExternalID);\n\t\t xmlBufferWriteChar(buf, \" \");\n\t\t xmlBufferWriteQuotedString(buf, ent->SystemID);\n\t } else {\n\t\t xmlBufferWriteChar(buf, \" SYSTEM \");\n\t\t xmlBufferWriteQuotedString(buf, ent->SystemID);\n\t }\n\t xmlBufferWriteChar(buf, \">\\n\");\n\t break;\n\tdefault:\n\t xmlEntitiesErr(XML_DTD_UNKNOWN_ENTITY,\n\t\t\"xmlDumpEntitiesDecl: internal: unknown type entity type\");\n }\n}", "project": "libxml2", "hash": 60703147487214742593861323015835448995, "size": 77, "commit_id": "bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2", "message": "Validate UTF8 in xmlEncodeEntities\n\nCode is currently assuming UTF-8 without validating. 
Truncated UTF-8\ninput can cause out-of-bounds array access.\n\nAdds further checks to partial fix in 50f06b3e.\n\nFixes #178", "target": 0, "dataset": "other", "idx": 302152 }, { "func": "xmlAddEntity(xmlDtdPtr dtd, const xmlChar *name, int type,\n\t const xmlChar *ExternalID, const xmlChar *SystemID,\n\t const xmlChar *content) {\n xmlDictPtr dict = NULL;\n xmlEntitiesTablePtr table = NULL;\n xmlEntityPtr ret, predef;\n\n if (name == NULL)\n\treturn(NULL);\n if (dtd == NULL)\n\treturn(NULL);\n if (dtd->doc != NULL)\n dict = dtd->doc->dict;\n\n switch (type) {\n case XML_INTERNAL_GENERAL_ENTITY:\n case XML_EXTERNAL_GENERAL_PARSED_ENTITY:\n case XML_EXTERNAL_GENERAL_UNPARSED_ENTITY:\n predef = xmlGetPredefinedEntity(name);\n if (predef != NULL) {\n int valid = 0;\n\n /* 4.6 Predefined Entities */\n if ((type == XML_INTERNAL_GENERAL_ENTITY) &&\n (content != NULL)) {\n int c = predef->content[0];\n\n if (((content[0] == c) && (content[1] == 0)) &&\n ((c == '>') || (c == '\\'') || (c == '\"'))) {\n valid = 1;\n } else if ((content[0] == '&') && (content[1] == '#')) {\n if (content[2] == 'x') {\n xmlChar *hex = BAD_CAST \"0123456789ABCDEF\";\n xmlChar ref[] = \"00;\";\n\n ref[0] = hex[c / 16 % 16];\n ref[1] = hex[c % 16];\n if (xmlStrcasecmp(&content[3], ref) == 0)\n valid = 1;\n } else {\n xmlChar ref[] = \"00;\";\n\n ref[0] = '0' + c / 10 % 10;\n ref[1] = '0' + c % 10;\n if (xmlStrEqual(&content[2], ref))\n valid = 1;\n }\n }\n }\n if (!valid) {\n xmlEntitiesErr(XML_ERR_ENTITY_PROCESSING,\n \"xmlAddEntity: invalid redeclaration of predefined\"\n \" entity\");\n return(NULL);\n }\n }\n\t if (dtd->entities == NULL)\n\t\tdtd->entities = xmlHashCreateDict(0, dict);\n\t table = dtd->entities;\n\t break;\n case XML_INTERNAL_PARAMETER_ENTITY:\n case XML_EXTERNAL_PARAMETER_ENTITY:\n\t if (dtd->pentities == NULL)\n\t\tdtd->pentities = xmlHashCreateDict(0, dict);\n\t table = dtd->pentities;\n\t break;\n case XML_INTERNAL_PREDEFINED_ENTITY:\n\t return(NULL);\n }\n if (table == 
NULL)\n\treturn(NULL);\n ret = xmlCreateEntity(dict, name, type, ExternalID, SystemID, content);\n if (ret == NULL)\n return(NULL);\n ret->doc = dtd->doc;\n\n if (xmlHashAddEntry(table, name, ret)) {\n\t/*\n\t * entity was already defined at another level.\n\t */\n xmlFreeEntity(ret);\n\treturn(NULL);\n }\n return(ret);\n}", "project": "libxml2", "hash": 324121824023216555104001569785580486559, "size": 85, "commit_id": "bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2", "message": "Validate UTF8 in xmlEncodeEntities\n\nCode is currently assuming UTF-8 without validating. Truncated UTF-8\ninput can cause out-of-bounds array access.\n\nAdds further checks to partial fix in 50f06b3e.\n\nFixes #178", "target": 0, "dataset": "other", "idx": 302157 }, { "func": "create_syncinfo_value(int type, const char *cookie, const char **uuids)\n{\n BerElement *ber;\n struct berval *bvp = NULL;\n\n if ((ber = der_alloc()) == NULL) {\n return (NULL);\n }\n\n switch (type) {\n case LDAP_TAG_SYNC_NEW_COOKIE:\n ber_printf(ber, \"to\", type, cookie);\n break;\n case LDAP_TAG_SYNC_REFRESH_DELETE:\n case LDAP_TAG_SYNC_REFRESH_PRESENT:\n ber_printf(ber, \"t{\", type);\n if (cookie)\n ber_printf(ber, \"s\", cookie);\n /* ber_printf(ber, \"b\",1); */\n ber_printf(ber, \"}\");\n break;\n case LDAP_TAG_SYNC_ID_SET:\n ber_printf(ber, \"t{\", type);\n if (cookie)\n ber_printf(ber, \"s\", cookie);\n if (uuids)\n ber_printf(ber, \"b[v]\", 1, uuids);\n ber_printf(ber, \"}\");\n break;\n default:\n break;\n }\n ber_flatten(ber, &bvp);\n ber_free(ber, 1);\n\n return (bvp);\n}", "project": "389-ds-base", "hash": 97933143727854955529897456864030891391, "size": 37, "commit_id": "2e5b526012612d1d6ccace46398bee679a730271", "message": "Issue 4711 - SIGSEV with sync_repl (#4738)\n\nBug description:\n\tsync_repl sends back entries identified with a unique\n\tidentifier that is 'nsuniqueid'. 
If 'nsuniqueid' is\n\tmissing, then it may crash\n\nFix description:\n\tCheck a nsuniqueid is available else returns OP_ERR\n\nrelates: https://github.com/389ds/389-ds-base/issues/4711\n\nReviewed by: Pierre Rogier, James Chapman, William Brown (Thanks!)\n\nPlatforms tested: F33", "target": 0, "dataset": "other", "idx": 302818 }, { "func": "xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {\n int ret = 0;\n int avail, tlen;\n xmlChar cur, next;\n const xmlChar *lastlt, *lastgt;\n\n if (ctxt->input == NULL)\n return(0);\n\n#ifdef DEBUG_PUSH\n switch (ctxt->instate) {\n\tcase XML_PARSER_EOF:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try EOF\\n\"); break;\n\tcase XML_PARSER_START:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try START\\n\"); break;\n\tcase XML_PARSER_MISC:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try MISC\\n\");break;\n\tcase XML_PARSER_COMMENT:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try COMMENT\\n\");break;\n\tcase XML_PARSER_PROLOG:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try PROLOG\\n\");break;\n\tcase XML_PARSER_START_TAG:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try START_TAG\\n\");break;\n\tcase XML_PARSER_CONTENT:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try CONTENT\\n\");break;\n\tcase XML_PARSER_CDATA_SECTION:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try CDATA_SECTION\\n\");break;\n\tcase XML_PARSER_END_TAG:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try END_TAG\\n\");break;\n\tcase XML_PARSER_ENTITY_DECL:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try ENTITY_DECL\\n\");break;\n\tcase XML_PARSER_ENTITY_VALUE:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try ENTITY_VALUE\\n\");break;\n\tcase XML_PARSER_ATTRIBUTE_VALUE:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try ATTRIBUTE_VALUE\\n\");break;\n\tcase XML_PARSER_DTD:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t 
\"PP: try DTD\\n\");break;\n\tcase XML_PARSER_EPILOG:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try EPILOG\\n\");break;\n\tcase XML_PARSER_PI:\n\t xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try PI\\n\");break;\n case XML_PARSER_IGNORE:\n xmlGenericError(xmlGenericErrorContext,\n\t\t \"PP: try IGNORE\\n\");break;\n }\n#endif\n\n if ((ctxt->input != NULL) &&\n (ctxt->input->cur - ctxt->input->base > 4096)) {\n\txmlSHRINK(ctxt);\n\tctxt->checkIndex = 0;\n }\n xmlParseGetLasts(ctxt, &lastlt, &lastgt);\n\n while (ctxt->instate != XML_PARSER_EOF) {\n\tif ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1))\n\t return(0);\n\n\n\t/*\n\t * Pop-up of finished entities.\n\t */\n\twhile ((RAW == 0) && (ctxt->inputNr > 1))\n\t xmlPopInput(ctxt);\n\n\tif (ctxt->input == NULL) break;\n\tif (ctxt->input->buf == NULL)\n\t avail = ctxt->input->length -\n\t (ctxt->input->cur - ctxt->input->base);\n\telse {\n\t /*\n\t * If we are operating on converted input, try to flush\n\t * remainng chars to avoid them stalling in the non-converted\n\t * buffer. 
But do not do this in document start where\n\t * encoding=\"...\" may not have been read and we work on a\n\t * guessed encoding.\n\t */\n\t if ((ctxt->instate != XML_PARSER_START) &&\n\t (ctxt->input->buf->raw != NULL) &&\n\t\t(xmlBufIsEmpty(ctxt->input->buf->raw) == 0)) {\n size_t base = xmlBufGetInputBase(ctxt->input->buf->buffer,\n ctxt->input);\n\t\tsize_t current = ctxt->input->cur - ctxt->input->base;\n\n\t\txmlParserInputBufferPush(ctxt->input->buf, 0, \"\");\n xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input,\n base, current);\n\t }\n\t avail = xmlBufUse(ctxt->input->buf->buffer) -\n\t\t (ctxt->input->cur - ctxt->input->base);\n\t}\n if (avail < 1)\n\t goto done;\n switch (ctxt->instate) {\n case XML_PARSER_EOF:\n\t /*\n\t\t * Document parsing is done !\n\t\t */\n\t goto done;\n case XML_PARSER_START:\n\t\tif (ctxt->charset == XML_CHAR_ENCODING_NONE) {\n\t\t xmlChar start[4];\n\t\t xmlCharEncoding enc;\n\n\t\t /*\n\t\t * Very first chars read from the document flow.\n\t\t */\n\t\t if (avail < 4)\n\t\t\tgoto done;\n\n\t\t /*\n\t\t * Get the 4 first bytes and decode the charset\n\t\t * if enc != XML_CHAR_ENCODING_NONE\n\t\t * plug some encoding conversion routines,\n\t\t * else xmlSwitchEncoding will set to (default)\n\t\t * UTF8.\n\t\t */\n\t\t start[0] = RAW;\n\t\t start[1] = NXT(1);\n\t\t start[2] = NXT(2);\n\t\t start[3] = NXT(3);\n\t\t enc = xmlDetectCharEncoding(start, 4);\n\t\t xmlSwitchEncoding(ctxt, enc);\n\t\t break;\n\t\t}\n\n\t\tif (avail < 2)\n\t\t goto done;\n\t\tcur = ctxt->input->cur[0];\n\t\tnext = ctxt->input->cur[1];\n\t\tif (cur == 0) {\n\t\t if ((ctxt->sax) && (ctxt->sax->setDocumentLocator))\n\t\t\tctxt->sax->setDocumentLocator(ctxt->userData,\n\t\t\t\t\t\t &xmlDefaultSAXLocator);\n\t\t xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);\n\t\t xmlHaltParser(ctxt);\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: entering EOF\\n\");\n#endif\n\t\t if ((ctxt->sax) && (ctxt->sax->endDocument != 
NULL))\n\t\t\tctxt->sax->endDocument(ctxt->userData);\n\t\t goto done;\n\t\t}\n\t if ((cur == '<') && (next == '?')) {\n\t\t /* PI or XML decl */\n\t\t if (avail < 5) return(ret);\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '?', '>', 0) < 0))\n\t\t\treturn(ret);\n\t\t if ((ctxt->sax) && (ctxt->sax->setDocumentLocator))\n\t\t\tctxt->sax->setDocumentLocator(ctxt->userData,\n\t\t\t\t\t\t &xmlDefaultSAXLocator);\n\t\t if ((ctxt->input->cur[2] == 'x') &&\n\t\t\t(ctxt->input->cur[3] == 'm') &&\n\t\t\t(ctxt->input->cur[4] == 'l') &&\n\t\t\t(IS_BLANK_CH(ctxt->input->cur[5]))) {\n\t\t\tret += 5;\n#ifdef DEBUG_PUSH\n\t\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\t\"PP: Parsing XML Decl\\n\");\n#endif\n\t\t\txmlParseXMLDecl(ctxt);\n\t\t\tif (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {\n\t\t\t /*\n\t\t\t * The XML REC instructs us to stop parsing right\n\t\t\t * here\n\t\t\t */\n\t\t\t xmlHaltParser(ctxt);\n\t\t\t return(0);\n\t\t\t}\n\t\t\tctxt->standalone = ctxt->input->standalone;\n\t\t\tif ((ctxt->encoding == NULL) &&\n\t\t\t (ctxt->input->encoding != NULL))\n\t\t\t ctxt->encoding = xmlStrdup(ctxt->input->encoding);\n\t\t\tif ((ctxt->sax) && (ctxt->sax->startDocument) &&\n\t\t\t (!ctxt->disableSAX))\n\t\t\t ctxt->sax->startDocument(ctxt->userData);\n\t\t\tctxt->instate = XML_PARSER_MISC;\n#ifdef DEBUG_PUSH\n\t\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\t\"PP: entering MISC\\n\");\n#endif\n\t\t } else {\n\t\t\tctxt->version = xmlCharStrdup(XML_DEFAULT_VERSION);\n\t\t\tif ((ctxt->sax) && (ctxt->sax->startDocument) &&\n\t\t\t (!ctxt->disableSAX))\n\t\t\t ctxt->sax->startDocument(ctxt->userData);\n\t\t\tctxt->instate = XML_PARSER_MISC;\n#ifdef DEBUG_PUSH\n\t\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\t\"PP: entering MISC\\n\");\n#endif\n\t\t }\n\t\t} else {\n\t\t if ((ctxt->sax) && (ctxt->sax->setDocumentLocator))\n\t\t\tctxt->sax->setDocumentLocator(ctxt->userData,\n\t\t\t\t\t\t &xmlDefaultSAXLocator);\n\t\t ctxt->version = 
xmlCharStrdup(XML_DEFAULT_VERSION);\n\t\t if (ctxt->version == NULL) {\n\t\t xmlErrMemory(ctxt, NULL);\n\t\t\tbreak;\n\t\t }\n\t\t if ((ctxt->sax) && (ctxt->sax->startDocument) &&\n\t\t (!ctxt->disableSAX))\n\t\t\tctxt->sax->startDocument(ctxt->userData);\n\t\t ctxt->instate = XML_PARSER_MISC;\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: entering MISC\\n\");\n#endif\n\t\t}\n\t\tbreak;\n case XML_PARSER_START_TAG: {\n\t const xmlChar *name;\n\t\tconst xmlChar *prefix = NULL;\n\t\tconst xmlChar *URI = NULL;\n\t\tint nsNr = ctxt->nsNr;\n\n\t\tif ((avail < 2) && (ctxt->inputNr == 1))\n\t\t goto done;\n\t\tcur = ctxt->input->cur[0];\n\t if (cur != '<') {\n\t\t xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);\n\t\t xmlHaltParser(ctxt);\n\t\t if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))\n\t\t\tctxt->sax->endDocument(ctxt->userData);\n\t\t goto done;\n\t\t}\n\t\tif (!terminate) {\n\t\t if (ctxt->progressive) {\n\t\t /* > can be found unescaped in attribute values */\n\t\t if ((lastgt == NULL) || (ctxt->input->cur >= lastgt))\n\t\t\t goto done;\n\t\t } else if (xmlParseLookupSequence(ctxt, '>', 0, 0) < 0) {\n\t\t\tgoto done;\n\t\t }\n\t\t}\n\t\tif (ctxt->spaceNr == 0)\n\t\t spacePush(ctxt, -1);\n\t\telse if (*ctxt->space == -2)\n\t\t spacePush(ctxt, -1);\n\t\telse\n\t\t spacePush(ctxt, *ctxt->space);\n#ifdef LIBXML_SAX1_ENABLED\n\t\tif (ctxt->sax2)\n#endif /* LIBXML_SAX1_ENABLED */\n\t\t name = xmlParseStartTag2(ctxt, &prefix, &URI, &tlen);\n#ifdef LIBXML_SAX1_ENABLED\n\t\telse\n\t\t name = xmlParseStartTag(ctxt);\n#endif /* LIBXML_SAX1_ENABLED */\n\t\tif (ctxt->instate == XML_PARSER_EOF)\n\t\t goto done;\n\t\tif (name == NULL) {\n\t\t spacePop(ctxt);\n\t\t xmlHaltParser(ctxt);\n\t\t if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))\n\t\t\tctxt->sax->endDocument(ctxt->userData);\n\t\t goto done;\n\t\t}\n#ifdef LIBXML_VALID_ENABLED\n\t\t/*\n\t\t * [ VC: Root Element Type ]\n\t\t * The Name in the document type declaration must 
match\n\t\t * the element type of the root element.\n\t\t */\n\t\tif (ctxt->validate && ctxt->wellFormed && ctxt->myDoc &&\n\t\t ctxt->node && (ctxt->node == ctxt->myDoc->children))\n\t\t ctxt->valid &= xmlValidateRoot(&ctxt->vctxt, ctxt->myDoc);\n#endif /* LIBXML_VALID_ENABLED */\n\n\t\t/*\n\t\t * Check for an Empty Element.\n\t\t */\n\t\tif ((RAW == '/') && (NXT(1) == '>')) {\n\t\t SKIP(2);\n\n\t\t if (ctxt->sax2) {\n\t\t\tif ((ctxt->sax != NULL) &&\n\t\t\t (ctxt->sax->endElementNs != NULL) &&\n\t\t\t (!ctxt->disableSAX))\n\t\t\t ctxt->sax->endElementNs(ctxt->userData, name,\n\t\t\t prefix, URI);\n\t\t\tif (ctxt->nsNr - nsNr > 0)\n\t\t\t nsPop(ctxt, ctxt->nsNr - nsNr);\n#ifdef LIBXML_SAX1_ENABLED\n\t\t } else {\n\t\t\tif ((ctxt->sax != NULL) &&\n\t\t\t (ctxt->sax->endElement != NULL) &&\n\t\t\t (!ctxt->disableSAX))\n\t\t\t ctxt->sax->endElement(ctxt->userData, name);\n#endif /* LIBXML_SAX1_ENABLED */\n\t\t }\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t spacePop(ctxt);\n\t\t if (ctxt->nameNr == 0) {\n\t\t\tctxt->instate = XML_PARSER_EPILOG;\n\t\t } else {\n\t\t\tctxt->instate = XML_PARSER_CONTENT;\n\t\t }\n ctxt->progressive = 1;\n\t\t break;\n\t\t}\n\t\tif (RAW == '>') {\n\t\t NEXT;\n\t\t} else {\n\t\t xmlFatalErrMsgStr(ctxt, XML_ERR_GT_REQUIRED,\n\t\t\t\t\t \"Couldn't find end of Start Tag %s\\n\",\n\t\t\t\t\t name);\n\t\t nodePop(ctxt);\n\t\t spacePop(ctxt);\n\t\t}\n\t\tif (ctxt->sax2)\n\t\t nameNsPush(ctxt, name, prefix, URI, ctxt->nsNr - nsNr);\n#ifdef LIBXML_SAX1_ENABLED\n\t\telse\n\t\t namePush(ctxt, name);\n#endif /* LIBXML_SAX1_ENABLED */\n\n\t\tctxt->instate = XML_PARSER_CONTENT;\n ctxt->progressive = 1;\n break;\n\t }\n case XML_PARSER_CONTENT: {\n\t\tconst xmlChar *test;\n\t\tunsigned int cons;\n\t\tif ((avail < 2) && (ctxt->inputNr == 1))\n\t\t goto done;\n\t\tcur = ctxt->input->cur[0];\n\t\tnext = ctxt->input->cur[1];\n\n\t\ttest = CUR_PTR;\n\t cons = ctxt->input->consumed;\n\t\tif ((cur == '<') && (next == '/')) {\n\t\t 
ctxt->instate = XML_PARSER_END_TAG;\n\t\t break;\n\t } else if ((cur == '<') && (next == '?')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '?', '>', 0) < 0)) {\n ctxt->progressive = XML_PARSER_PI;\n\t\t\tgoto done;\n }\n\t\t xmlParsePI(ctxt);\n\t\t ctxt->instate = XML_PARSER_CONTENT;\n ctxt->progressive = 1;\n\t\t} else if ((cur == '<') && (next != '!')) {\n\t\t ctxt->instate = XML_PARSER_START_TAG;\n\t\t break;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (ctxt->input->cur[2] == '-') &&\n\t\t\t (ctxt->input->cur[3] == '-')) {\n\t\t int term;\n\n\t if (avail < 4)\n\t\t goto done;\n\t\t ctxt->input->cur += 4;\n\t\t term = xmlParseLookupSequence(ctxt, '-', '-', '>');\n\t\t ctxt->input->cur -= 4;\n\t\t if ((!terminate) && (term < 0)) {\n ctxt->progressive = XML_PARSER_COMMENT;\n\t\t\tgoto done;\n }\n\t\t xmlParseComment(ctxt);\n\t\t ctxt->instate = XML_PARSER_CONTENT;\n ctxt->progressive = 1;\n\t\t} else if ((cur == '<') && (ctxt->input->cur[1] == '!') &&\n\t\t (ctxt->input->cur[2] == '[') &&\n\t\t (ctxt->input->cur[3] == 'C') &&\n\t\t (ctxt->input->cur[4] == 'D') &&\n\t\t (ctxt->input->cur[5] == 'A') &&\n\t\t (ctxt->input->cur[6] == 'T') &&\n\t\t (ctxt->input->cur[7] == 'A') &&\n\t\t (ctxt->input->cur[8] == '[')) {\n\t\t SKIP(9);\n\t\t ctxt->instate = XML_PARSER_CDATA_SECTION;\n\t\t break;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (avail < 9)) {\n\t\t goto done;\n\t\t} else if (cur == '&') {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, ';', 0, 0) < 0))\n\t\t\tgoto done;\n\t\t xmlParseReference(ctxt);\n\t\t} else {\n\t\t /* TODO Avoid the extra copy, handle directly !!! 
*/\n\t\t /*\n\t\t * Goal of the following test is:\n\t\t * - minimize calls to the SAX 'character' callback\n\t\t * when they are mergeable\n\t\t * - handle an problem for isBlank when we only parse\n\t\t * a sequence of blank chars and the next one is\n\t\t * not available to check against '<' presence.\n\t\t * - tries to homogenize the differences in SAX\n\t\t * callbacks between the push and pull versions\n\t\t * of the parser.\n\t\t */\n\t\t if ((ctxt->inputNr == 1) &&\n\t\t (avail < XML_PARSER_BIG_BUFFER_SIZE)) {\n\t\t\tif (!terminate) {\n\t\t\t if (ctxt->progressive) {\n\t\t\t\tif ((lastlt == NULL) ||\n\t\t\t\t (ctxt->input->cur > lastlt))\n\t\t\t\t goto done;\n\t\t\t } else if (xmlParseLookupSequence(ctxt,\n\t\t\t '<', 0, 0) < 0) {\n\t\t\t\tgoto done;\n\t\t\t }\n\t\t\t}\n }\n\t\t ctxt->checkIndex = 0;\n\t\t xmlParseCharData(ctxt, 0);\n\t\t}\n\t\t/*\n\t\t * Pop-up of finished entities.\n\t\t */\n\t\twhile ((RAW == 0) && (ctxt->inputNr > 1))\n\t\t xmlPopInput(ctxt);\n\t\tif ((cons == ctxt->input->consumed) && (test == CUR_PTR)) {\n\t\t xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,\n\t\t \"detected an error in element content\\n\");\n\t\t xmlHaltParser(ctxt);\n\t\t break;\n\t\t}\n\t\tbreak;\n\t }\n case XML_PARSER_END_TAG:\n\t\tif (avail < 2)\n\t\t goto done;\n\t\tif (!terminate) {\n\t\t if (ctxt->progressive) {\n\t\t /* > can be found unescaped in attribute values */\n\t\t if ((lastgt == NULL) || (ctxt->input->cur >= lastgt))\n\t\t\t goto done;\n\t\t } else if (xmlParseLookupSequence(ctxt, '>', 0, 0) < 0) {\n\t\t\tgoto done;\n\t\t }\n\t\t}\n\t\tif (ctxt->sax2) {\n\t\t xmlParseEndTag2(ctxt,\n\t\t (void *) ctxt->pushTab[ctxt->nameNr * 3 - 3],\n\t\t (void *) ctxt->pushTab[ctxt->nameNr * 3 - 2], 0,\n\t\t (int) (long) ctxt->pushTab[ctxt->nameNr * 3 - 1], 0);\n\t\t nameNsPop(ctxt);\n\t\t}\n#ifdef LIBXML_SAX1_ENABLED\n\t\t else\n\t\t xmlParseEndTag1(ctxt, 0);\n#endif /* LIBXML_SAX1_ENABLED */\n\t\tif (ctxt->instate == XML_PARSER_EOF) {\n\t\t /* Nothing */\n\t\t} else if 
(ctxt->nameNr == 0) {\n\t\t ctxt->instate = XML_PARSER_EPILOG;\n\t\t} else {\n\t\t ctxt->instate = XML_PARSER_CONTENT;\n\t\t}\n\t\tbreak;\n case XML_PARSER_CDATA_SECTION: {\n\t /*\n\t\t * The Push mode need to have the SAX callback for\n\t\t * cdataBlock merge back contiguous callbacks.\n\t\t */\n\t\tint base;\n\n\t\tbase = xmlParseLookupSequence(ctxt, ']', ']', '>');\n\t\tif (base < 0) {\n\t\t if (avail >= XML_PARSER_BIG_BUFFER_SIZE + 2) {\n\t\t int tmp;\n\n\t\t\ttmp = xmlCheckCdataPush(ctxt->input->cur,\n\t\t\t XML_PARSER_BIG_BUFFER_SIZE, 0);\n\t\t\tif (tmp < 0) {\n\t\t\t tmp = -tmp;\n\t\t\t ctxt->input->cur += tmp;\n\t\t\t goto encoding_error;\n\t\t\t}\n\t\t\tif ((ctxt->sax != NULL) && (!ctxt->disableSAX)) {\n\t\t\t if (ctxt->sax->cdataBlock != NULL)\n\t\t\t\tctxt->sax->cdataBlock(ctxt->userData,\n\t\t\t\t ctxt->input->cur, tmp);\n\t\t\t else if (ctxt->sax->characters != NULL)\n\t\t\t\tctxt->sax->characters(ctxt->userData,\n\t\t\t\t ctxt->input->cur, tmp);\n\t\t\t}\n\t\t\tif (ctxt->instate == XML_PARSER_EOF)\n\t\t\t goto done;\n\t\t\tSKIPL(tmp);\n\t\t\tctxt->checkIndex = 0;\n\t\t }\n\t\t goto done;\n\t\t} else {\n\t\t int tmp;\n\n\t\t tmp = xmlCheckCdataPush(ctxt->input->cur, base, 1);\n\t\t if ((tmp < 0) || (tmp != base)) {\n\t\t\ttmp = -tmp;\n\t\t\tctxt->input->cur += tmp;\n\t\t\tgoto encoding_error;\n\t\t }\n\t\t if ((ctxt->sax != NULL) && (base == 0) &&\n\t\t (ctxt->sax->cdataBlock != NULL) &&\n\t\t (!ctxt->disableSAX)) {\n\t\t\t/*\n\t\t\t * Special case to provide identical behaviour\n\t\t\t * between pull and push parsers on enpty CDATA\n\t\t\t * sections\n\t\t\t */\n\t\t\t if ((ctxt->input->cur - ctxt->input->base >= 9) &&\n\t\t\t (!strncmp((const char *)&ctxt->input->cur[-9],\n\t\t\t \"sax->cdataBlock(ctxt->userData,\n\t\t\t BAD_CAST \"\", 0);\n\t\t } else if ((ctxt->sax != NULL) && (base > 0) &&\n\t\t\t(!ctxt->disableSAX)) {\n\t\t\tif (ctxt->sax->cdataBlock != NULL)\n\t\t\t ctxt->sax->cdataBlock(ctxt->userData,\n\t\t\t\t\t\t ctxt->input->cur, 
base);\n\t\t\telse if (ctxt->sax->characters != NULL)\n\t\t\t ctxt->sax->characters(ctxt->userData,\n\t\t\t\t\t\t ctxt->input->cur, base);\n\t\t }\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t SKIPL(base + 3);\n\t\t ctxt->checkIndex = 0;\n\t\t ctxt->instate = XML_PARSER_CONTENT;\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: entering CONTENT\\n\");\n#endif\n\t\t}\n\t\tbreak;\n\t }\n case XML_PARSER_MISC:\n\t\tSKIP_BLANKS;\n\t\tif (ctxt->input->buf == NULL)\n\t\t avail = ctxt->input->length -\n\t\t (ctxt->input->cur - ctxt->input->base);\n\t\telse\n\t\t avail = xmlBufUse(ctxt->input->buf->buffer) -\n\t\t (ctxt->input->cur - ctxt->input->base);\n\t\tif (avail < 2)\n\t\t goto done;\n\t\tcur = ctxt->input->cur[0];\n\t\tnext = ctxt->input->cur[1];\n\t if ((cur == '<') && (next == '?')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '?', '>', 0) < 0)) {\n ctxt->progressive = XML_PARSER_PI;\n\t\t\tgoto done;\n }\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: Parsing PI\\n\");\n#endif\n\t\t xmlParsePI(ctxt);\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t ctxt->instate = XML_PARSER_MISC;\n ctxt->progressive = 1;\n\t\t ctxt->checkIndex = 0;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (ctxt->input->cur[2] == '-') &&\n\t\t (ctxt->input->cur[3] == '-')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '-', '-', '>') < 0)) {\n ctxt->progressive = XML_PARSER_COMMENT;\n\t\t\tgoto done;\n }\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: Parsing Comment\\n\");\n#endif\n\t\t xmlParseComment(ctxt);\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t ctxt->instate = XML_PARSER_MISC;\n ctxt->progressive = 1;\n\t\t ctxt->checkIndex = 0;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (ctxt->input->cur[2] == 'D') &&\n\t\t (ctxt->input->cur[3] == 'O') &&\n\t\t (ctxt->input->cur[4] == 'C') 
&&\n\t\t (ctxt->input->cur[5] == 'T') &&\n\t\t (ctxt->input->cur[6] == 'Y') &&\n\t\t (ctxt->input->cur[7] == 'P') &&\n\t\t (ctxt->input->cur[8] == 'E')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '>', 0, 0) < 0)) {\n ctxt->progressive = XML_PARSER_DTD;\n\t\t\tgoto done;\n }\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: Parsing internal subset\\n\");\n#endif\n\t\t ctxt->inSubset = 1;\n ctxt->progressive = 0;\n\t\t ctxt->checkIndex = 0;\n\t\t xmlParseDocTypeDecl(ctxt);\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t if (RAW == '[') {\n\t\t\tctxt->instate = XML_PARSER_DTD;\n#ifdef DEBUG_PUSH\n\t\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\t\"PP: entering DTD\\n\");\n#endif\n\t\t } else {\n\t\t\t/*\n\t\t\t * Create and update the external subset.\n\t\t\t */\n\t\t\tctxt->inSubset = 2;\n\t\t\tif ((ctxt->sax != NULL) && (!ctxt->disableSAX) &&\n\t\t\t (ctxt->sax->externalSubset != NULL))\n\t\t\t ctxt->sax->externalSubset(ctxt->userData,\n\t\t\t\t ctxt->intSubName, ctxt->extSubSystem,\n\t\t\t\t ctxt->extSubURI);\n\t\t\tctxt->inSubset = 0;\n\t\t\txmlCleanSpecialAttr(ctxt);\n\t\t\tctxt->instate = XML_PARSER_PROLOG;\n#ifdef DEBUG_PUSH\n\t\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\t\"PP: entering PROLOG\\n\");\n#endif\n\t\t }\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (avail < 9)) {\n\t\t goto done;\n\t\t} else {\n\t\t ctxt->instate = XML_PARSER_START_TAG;\n\t\t ctxt->progressive = XML_PARSER_START_TAG;\n\t\t xmlParseGetLasts(ctxt, &lastlt, &lastgt);\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: entering START_TAG\\n\");\n#endif\n\t\t}\n\t\tbreak;\n case XML_PARSER_PROLOG:\n\t\tSKIP_BLANKS;\n\t\tif (ctxt->input->buf == NULL)\n\t\t avail = ctxt->input->length - (ctxt->input->cur - ctxt->input->base);\n\t\telse\n\t\t avail = xmlBufUse(ctxt->input->buf->buffer) -\n (ctxt->input->cur - ctxt->input->base);\n\t\tif (avail < 2)\n\t\t goto done;\n\t\tcur 
= ctxt->input->cur[0];\n\t\tnext = ctxt->input->cur[1];\n\t if ((cur == '<') && (next == '?')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '?', '>', 0) < 0)) {\n ctxt->progressive = XML_PARSER_PI;\n\t\t\tgoto done;\n }\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: Parsing PI\\n\");\n#endif\n\t\t xmlParsePI(ctxt);\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t ctxt->instate = XML_PARSER_PROLOG;\n ctxt->progressive = 1;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (ctxt->input->cur[2] == '-') && (ctxt->input->cur[3] == '-')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '-', '-', '>') < 0)) {\n ctxt->progressive = XML_PARSER_COMMENT;\n\t\t\tgoto done;\n }\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: Parsing Comment\\n\");\n#endif\n\t\t xmlParseComment(ctxt);\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t ctxt->instate = XML_PARSER_PROLOG;\n ctxt->progressive = 1;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (avail < 4)) {\n\t\t goto done;\n\t\t} else {\n\t\t ctxt->instate = XML_PARSER_START_TAG;\n\t\t if (ctxt->progressive == 0)\n\t\t\tctxt->progressive = XML_PARSER_START_TAG;\n\t\t xmlParseGetLasts(ctxt, &lastlt, &lastgt);\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: entering START_TAG\\n\");\n#endif\n\t\t}\n\t\tbreak;\n case XML_PARSER_EPILOG:\n\t\tSKIP_BLANKS;\n\t\tif (ctxt->input->buf == NULL)\n\t\t avail = ctxt->input->length - (ctxt->input->cur - ctxt->input->base);\n\t\telse\n\t\t avail = xmlBufUse(ctxt->input->buf->buffer) -\n (ctxt->input->cur - ctxt->input->base);\n\t\tif (avail < 2)\n\t\t goto done;\n\t\tcur = ctxt->input->cur[0];\n\t\tnext = ctxt->input->cur[1];\n\t if ((cur == '<') && (next == '?')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '?', '>', 0) < 0)) {\n ctxt->progressive = XML_PARSER_PI;\n\t\t\tgoto done;\n }\n#ifdef 
DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: Parsing PI\\n\");\n#endif\n\t\t xmlParsePI(ctxt);\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t ctxt->instate = XML_PARSER_EPILOG;\n ctxt->progressive = 1;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (ctxt->input->cur[2] == '-') && (ctxt->input->cur[3] == '-')) {\n\t\t if ((!terminate) &&\n\t\t (xmlParseLookupSequence(ctxt, '-', '-', '>') < 0)) {\n ctxt->progressive = XML_PARSER_COMMENT;\n\t\t\tgoto done;\n }\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: Parsing Comment\\n\");\n#endif\n\t\t xmlParseComment(ctxt);\n\t\t if (ctxt->instate == XML_PARSER_EOF)\n\t\t\tgoto done;\n\t\t ctxt->instate = XML_PARSER_EPILOG;\n ctxt->progressive = 1;\n\t\t} else if ((cur == '<') && (next == '!') &&\n\t\t (avail < 4)) {\n\t\t goto done;\n\t\t} else {\n\t\t xmlFatalErr(ctxt, XML_ERR_DOCUMENT_END, NULL);\n\t\t xmlHaltParser(ctxt);\n#ifdef DEBUG_PUSH\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: entering EOF\\n\");\n#endif\n\t\t if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))\n\t\t\tctxt->sax->endDocument(ctxt->userData);\n\t\t goto done;\n\t\t}\n\t\tbreak;\n case XML_PARSER_DTD: {\n\t /*\n\t\t * Sorry but progressive parsing of the internal subset\n\t\t * is not expected to be supported. We first check that\n\t\t * the full content of the internal subset is available and\n\t\t * the parsing is launched only at that point.\n\t\t * Internal subset ends up with \"']' S? 
'>'\" in an unescaped\n\t\t * section and not in a ']]>' sequence which are conditional\n\t\t * sections (whoever argued to keep that crap in XML deserve\n\t\t * a place in hell !).\n\t\t */\n\t\tint base, i;\n\t\txmlChar *buf;\n\t xmlChar quote = 0;\n size_t use;\n\n\t\tbase = ctxt->input->cur - ctxt->input->base;\n\t\tif (base < 0) return(0);\n\t\tif (ctxt->checkIndex > base)\n\t\t base = ctxt->checkIndex;\n\t\tbuf = xmlBufContent(ctxt->input->buf->buffer);\n use = xmlBufUse(ctxt->input->buf->buffer);\n\t\tfor (;(unsigned int) base < use; base++) {\n\t\t if (quote != 0) {\n\t\t if (buf[base] == quote)\n\t\t\t quote = 0;\n\t\t\tcontinue;\n\t\t }\n\t\t if ((quote == 0) && (buf[base] == '<')) {\n\t\t int found = 0;\n\t\t\t/* special handling of comments */\n\t\t if (((unsigned int) base + 4 < use) &&\n\t\t\t (buf[base + 1] == '!') &&\n\t\t\t (buf[base + 2] == '-') &&\n\t\t\t (buf[base + 3] == '-')) {\n\t\t\t for (;(unsigned int) base + 3 < use; base++) {\n\t\t\t\tif ((buf[base] == '-') &&\n\t\t\t\t (buf[base + 1] == '-') &&\n\t\t\t\t (buf[base + 2] == '>')) {\n\t\t\t\t found = 1;\n\t\t\t\t base += 2;\n\t\t\t\t break;\n\t\t\t\t}\n\t\t }\n\t\t\t if (!found) {\n#if 0\n\t\t\t fprintf(stderr, \"unfinished comment\\n\");\n#endif\n\t\t\t break; /* for */\n\t\t }\n\t\t continue;\n\t\t\t}\n\t\t }\n\t\t if (buf[base] == '\"') {\n\t\t quote = '\"';\n\t\t\tcontinue;\n\t\t }\n\t\t if (buf[base] == '\\'') {\n\t\t quote = '\\'';\n\t\t\tcontinue;\n\t\t }\n\t\t if (buf[base] == ']') {\n#if 0\n\t\t fprintf(stderr, \"%c%c%c%c: \", buf[base],\n\t\t\t buf[base + 1], buf[base + 2], buf[base + 3]);\n#endif\n\t\t if ((unsigned int) base +1 >= use)\n\t\t\t break;\n\t\t\tif (buf[base + 1] == ']') {\n\t\t\t /* conditional crap, skip both ']' ! 
*/\n\t\t\t base++;\n\t\t\t continue;\n\t\t\t}\n\t\t for (i = 1; (unsigned int) base + i < use; i++) {\n\t\t\t if (buf[base + i] == '>') {\n#if 0\n\t\t\t fprintf(stderr, \"found\\n\");\n#endif\n\t\t\t goto found_end_int_subset;\n\t\t\t }\n\t\t\t if (!IS_BLANK_CH(buf[base + i])) {\n#if 0\n\t\t\t fprintf(stderr, \"not found\\n\");\n#endif\n\t\t\t goto not_end_of_int_subset;\n\t\t\t }\n\t\t\t}\n#if 0\n\t\t\tfprintf(stderr, \"end of stream\\n\");\n#endif\n\t\t break;\n\n\t\t }\nnot_end_of_int_subset:\n continue; /* for */\n\t\t}\n\t\t/*\n\t\t * We didn't found the end of the Internal subset\n\t\t */\n if (quote == 0)\n ctxt->checkIndex = base;\n else\n ctxt->checkIndex = 0;\n#ifdef DEBUG_PUSH\n\t\tif (next == 0)\n\t\t xmlGenericError(xmlGenericErrorContext,\n\t\t\t \"PP: lookup of int subset end filed\\n\");\n#endif\n\t goto done;\n\nfound_end_int_subset:\n ctxt->checkIndex = 0;\n\t\txmlParseInternalSubset(ctxt);\n\t\tif (ctxt->instate == XML_PARSER_EOF)\n\t\t goto done;\n\t\tctxt->inSubset = 2;\n\t\tif ((ctxt->sax != NULL) && (!ctxt->disableSAX) &&\n\t\t (ctxt->sax->externalSubset != NULL))\n\t\t ctxt->sax->externalSubset(ctxt->userData, ctxt->intSubName,\n\t\t\t ctxt->extSubSystem, ctxt->extSubURI);\n\t\tctxt->inSubset = 0;\n\t\txmlCleanSpecialAttr(ctxt);\n\t\tif (ctxt->instate == XML_PARSER_EOF)\n\t\t goto done;\n\t\tctxt->instate = XML_PARSER_PROLOG;\n\t\tctxt->checkIndex = 0;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering PROLOG\\n\");\n#endif\n break;\n\t }\n case XML_PARSER_COMMENT:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == COMMENT\\n\");\n\t\tctxt->instate = XML_PARSER_CONTENT;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering CONTENT\\n\");\n#endif\n\t\tbreak;\n case XML_PARSER_IGNORE:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == IGNORE\");\n\t ctxt->instate = XML_PARSER_DTD;\n#ifdef 
DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering DTD\\n\");\n#endif\n\t break;\n case XML_PARSER_PI:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == PI\\n\");\n\t\tctxt->instate = XML_PARSER_CONTENT;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering CONTENT\\n\");\n#endif\n\t\tbreak;\n case XML_PARSER_ENTITY_DECL:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == ENTITY_DECL\\n\");\n\t\tctxt->instate = XML_PARSER_DTD;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering DTD\\n\");\n#endif\n\t\tbreak;\n case XML_PARSER_ENTITY_VALUE:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == ENTITY_VALUE\\n\");\n\t\tctxt->instate = XML_PARSER_CONTENT;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering DTD\\n\");\n#endif\n\t\tbreak;\n case XML_PARSER_ATTRIBUTE_VALUE:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == ATTRIBUTE_VALUE\\n\");\n\t\tctxt->instate = XML_PARSER_START_TAG;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering START_TAG\\n\");\n#endif\n\t\tbreak;\n case XML_PARSER_SYSTEM_LITERAL:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == SYSTEM_LITERAL\\n\");\n\t\tctxt->instate = XML_PARSER_START_TAG;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering START_TAG\\n\");\n#endif\n\t\tbreak;\n case XML_PARSER_PUBLIC_LITERAL:\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: internal error, state == PUBLIC_LITERAL\\n\");\n\t\tctxt->instate = XML_PARSER_START_TAG;\n#ifdef DEBUG_PUSH\n\t\txmlGenericError(xmlGenericErrorContext,\n\t\t\t\"PP: entering START_TAG\\n\");\n#endif\n\t\tbreak;\n\t}\n }\ndone:\n#ifdef DEBUG_PUSH\n xmlGenericError(xmlGenericErrorContext, \"PP: done %d\\n\", ret);\n#endif\n 
return(ret);\nencoding_error:\n {\n char buffer[150];\n\n\tsnprintf(buffer, 149, \"Bytes: 0x%02X 0x%02X 0x%02X 0x%02X\\n\",\n\t\t\tctxt->input->cur[0], ctxt->input->cur[1],\n\t\t\tctxt->input->cur[2], ctxt->input->cur[3]);\n\t__xmlErrEncoding(ctxt, XML_ERR_INVALID_CHAR,\n\t\t \"Input is not proper UTF-8, indicate encoding !\\n%s\",\n\t\t BAD_CAST buffer, NULL);\n }\n return(0);\n}", "project": "libxml2", "hash": 295858187991972635883184178483438046363, "size": 993, "commit_id": "90ccb58242866b0ba3edbef8fe44214a101c2b3e", "message": "Prevent unwanted external entity reference\n\nFor https://bugzilla.gnome.org/show_bug.cgi?id=780691\n\n* parser.c: add a specific check to avoid PE reference", "target": 0, "dataset": "other", "idx": 302855 }, { "func": "pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,\n\t\t int argc, const char **argv)\n{\n const char *username;\n const char *database = NULL;\n const char *cryptmode = NULL;\n int retval = PAM_AUTH_ERR, ctrl;\n\n /* parse arguments */\n ctrl = _pam_parse(pamh, argc, argv, &database, &cryptmode);\n\n /* Get the username */\n retval = pam_get_user(pamh, &username, NULL);\n if ((retval != PAM_SUCCESS) || (!username)) {\n pam_syslog(pamh, LOG_ERR,\"can not get the username\");\n return PAM_SERVICE_ERR;\n }\n\n /* Now use the username to look up password in the database file */\n retval = user_lookup(pamh, database, cryptmode, username, \"\", ctrl);\n switch (retval) {\n case -2:\n\t /* some sort of system error. The log was already printed */\n\t return PAM_SERVICE_ERR;\n\tcase -1:\n\t /* incorrect password, but we don't care */\n\t /* FALL THROUGH */\n\tcase 0:\n\t /* authentication succeeded. dumbest password ever. 
*/\n\t return PAM_SUCCESS;\n\tcase 1:\n\t /* the user does not exist in the database */\n\t return PAM_USER_UNKNOWN;\n default:\n\t /* we don't know anything about this return value */\n\t pam_syslog(pamh, LOG_ERR,\n\t\t \"internal module error (retval = %d, user = `%s'\",\n\t\t retval, username);\n return PAM_SERVICE_ERR;\n }\n\n return PAM_SUCCESS;\n}", "project": "linux-pam", "hash": 87056403522661685787472883939158706571, "size": 43, "commit_id": "57a1e2b274d0a6376d92ada9926e5c5741e7da20", "message": "pam_userdb: fix password hash comparison\n\nStarting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed\npasswords support in pam_userdb, hashes are compared case-insensitively.\nThis bug leads to accepting hashes for completely different passwords in\naddition to those that should be accepted.\n\nAdditionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for\nmodern password hashes with different lengths and settings, did not\nupdate the hash comparison accordingly, which leads to accepting\ncomputed hashes longer than stored hashes when the latter is a prefix\nof the former.\n\n* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed\nhash whose length differs from the stored hash length.\nCompare computed and stored hashes case-sensitively.\nFixes CVE-2013-7041.\n\nBug-Debian: http://bugs.debian.org/731368", "target": 0, "dataset": "other", "idx": 307217 }, { "func": "XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)\n{\n if ((parser == NULL) || (len < 0) || ((s == NULL) && (len != 0))) {\n errorCode = XML_ERROR_INVALID_ARGUMENT;\n return XML_STATUS_ERROR;\n }\n switch (ps_parsing) {\n case XML_SUSPENDED:\n errorCode = XML_ERROR_SUSPENDED;\n return XML_STATUS_ERROR;\n case XML_FINISHED:\n errorCode = XML_ERROR_FINISHED;\n return XML_STATUS_ERROR;\n case XML_INITIALIZED:\n if (parentParser == NULL && !startParsing(parser)) {\n errorCode = XML_ERROR_NO_MEMORY;\n return XML_STATUS_ERROR;\n }\n default:\n ps_parsing = 
XML_PARSING;\n }\n\n if (len == 0) {\n ps_finalBuffer = (XML_Bool)isFinal;\n if (!isFinal)\n return XML_STATUS_OK;\n positionPtr = bufferPtr;\n parseEndPtr = bufferEnd;\n\n /* If data are left over from last buffer, and we now know that these\n data are the final chunk of input, then we have to check them again\n to detect errors based on that fact.\n */\n errorCode = processor(parser, bufferPtr, parseEndPtr, &bufferPtr);\n\n if (errorCode == XML_ERROR_NONE) {\n switch (ps_parsing) {\n case XML_SUSPENDED:\n XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);\n positionPtr = bufferPtr;\n return XML_STATUS_SUSPENDED;\n case XML_INITIALIZED:\n case XML_PARSING:\n ps_parsing = XML_FINISHED;\n /* fall through */\n default:\n return XML_STATUS_OK;\n }\n }\n eventEndPtr = eventPtr;\n processor = errorProcessor;\n return XML_STATUS_ERROR;\n }\n#ifndef XML_CONTEXT_BYTES\n else if (bufferPtr == bufferEnd) {\n const char *end;\n int nLeftOver;\n enum XML_Status result;\n /* Detect overflow (a+b > MAX <==> b > MAX-a) */\n if (len > ((XML_Size)-1) / 2 - parseEndByteIndex) {\n errorCode = XML_ERROR_NO_MEMORY;\n eventPtr = eventEndPtr = NULL;\n processor = errorProcessor;\n return XML_STATUS_ERROR;\n }\n parseEndByteIndex += len;\n positionPtr = s;\n ps_finalBuffer = (XML_Bool)isFinal;\n\n errorCode = processor(parser, s, parseEndPtr = s + len, &end);\n\n if (errorCode != XML_ERROR_NONE) {\n eventEndPtr = eventPtr;\n processor = errorProcessor;\n return XML_STATUS_ERROR;\n }\n else {\n switch (ps_parsing) {\n case XML_SUSPENDED:\n result = XML_STATUS_SUSPENDED;\n break;\n case XML_INITIALIZED:\n case XML_PARSING:\n if (isFinal) {\n ps_parsing = XML_FINISHED;\n return XML_STATUS_OK;\n }\n /* fall through */\n default:\n result = XML_STATUS_OK;\n }\n }\n\n XmlUpdatePosition(encoding, positionPtr, end, &position);\n nLeftOver = s + len - end;\n if (nLeftOver) {\n if (buffer == NULL || nLeftOver > bufferLim - buffer) {\n /* avoid _signed_ integer overflow */\n char *temp 
= NULL;\n const int bytesToAllocate = (int)((unsigned)len * 2U);\n if (bytesToAllocate > 0) {\n temp = (buffer == NULL\n ? (char *)MALLOC(bytesToAllocate)\n : (char *)REALLOC(buffer, bytesToAllocate));\n }\n if (temp == NULL) {\n errorCode = XML_ERROR_NO_MEMORY;\n eventPtr = eventEndPtr = NULL;\n processor = errorProcessor;\n return XML_STATUS_ERROR;\n }\n buffer = temp;\n bufferLim = buffer + bytesToAllocate;\n }\n memcpy(buffer, end, nLeftOver);\n }\n bufferPtr = buffer;\n bufferEnd = buffer + nLeftOver;\n positionPtr = bufferPtr;\n parseEndPtr = bufferEnd;\n eventPtr = bufferPtr;\n eventEndPtr = bufferPtr;\n return result;\n }\n#endif /* not defined XML_CONTEXT_BYTES */\n else {\n void *buff = XML_GetBuffer(parser, len);\n if (buff == NULL)\n return XML_STATUS_ERROR;\n else {\n memcpy(buff, s, len);\n return XML_ParseBuffer(parser, len, isFinal);\n }\n }\n}", "project": "libexpat", "hash": 47764366571076017146311601753689143156, "size": 135, "commit_id": "c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f", "message": "xmlparse.c: Fix external entity infinite loop bug (CVE-2017-9233)", "target": 0, "dataset": "other", "idx": 308314 }, { "func": "XML_StopParser(XML_Parser parser, XML_Bool resumable)\n{\n if (parser == NULL)\n return XML_STATUS_ERROR;\n switch (ps_parsing) {\n case XML_SUSPENDED:\n if (resumable) {\n errorCode = XML_ERROR_SUSPENDED;\n return XML_STATUS_ERROR;\n }\n ps_parsing = XML_FINISHED;\n break;\n case XML_FINISHED:\n errorCode = XML_ERROR_FINISHED;\n return XML_STATUS_ERROR;\n default:\n if (resumable) {\n#ifdef XML_DTD\n if (isParamEntity) {\n errorCode = XML_ERROR_SUSPEND_PE;\n return XML_STATUS_ERROR;\n }\n#endif\n ps_parsing = XML_SUSPENDED;\n }\n else\n ps_parsing = XML_FINISHED;\n }\n return XML_STATUS_OK;\n}", "project": "libexpat", "hash": 7326064273720756846969647604782083266, "size": 30, "commit_id": "c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f", "message": "xmlparse.c: Fix external entity infinite loop bug (CVE-2017-9233)", "target": 0, 
"dataset": "other", "idx": 308315 }, { "func": "XML_ParseBuffer(XML_Parser parser, int len, int isFinal)\n{\n const char *start;\n enum XML_Status result = XML_STATUS_OK;\n\n if (parser == NULL)\n return XML_STATUS_ERROR;\n switch (ps_parsing) {\n case XML_SUSPENDED:\n errorCode = XML_ERROR_SUSPENDED;\n return XML_STATUS_ERROR;\n case XML_FINISHED:\n errorCode = XML_ERROR_FINISHED;\n return XML_STATUS_ERROR;\n case XML_INITIALIZED:\n if (parentParser == NULL && !startParsing(parser)) {\n errorCode = XML_ERROR_NO_MEMORY;\n return XML_STATUS_ERROR;\n }\n default:\n ps_parsing = XML_PARSING;\n }\n\n start = bufferPtr;\n positionPtr = start;\n bufferEnd += len;\n parseEndPtr = bufferEnd;\n parseEndByteIndex += len;\n ps_finalBuffer = (XML_Bool)isFinal;\n\n errorCode = processor(parser, start, parseEndPtr, &bufferPtr);\n\n if (errorCode != XML_ERROR_NONE) {\n eventEndPtr = eventPtr;\n processor = errorProcessor;\n return XML_STATUS_ERROR;\n }\n else {\n switch (ps_parsing) {\n case XML_SUSPENDED:\n result = XML_STATUS_SUSPENDED;\n break;\n case XML_INITIALIZED:\n case XML_PARSING:\n if (isFinal) {\n ps_parsing = XML_FINISHED;\n return result;\n }\n default: ; /* should not happen */\n }\n }\n\n XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);\n positionPtr = bufferPtr;\n return result;\n}", "project": "libexpat", "hash": 264369662740461059623453992041597452976, "size": 56, "commit_id": "c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f", "message": "xmlparse.c: Fix external entity infinite loop bug (CVE-2017-9233)", "target": 0, "dataset": "other", "idx": 308332 }, { "func": "static PathInfo *ConvertPrimitiveToPath(\n const DrawInfo *magick_unused(draw_info),const PrimitiveInfo *primitive_info,\n ExceptionInfo *exception)\n{\n MagickBooleanType\n closed_subpath;\n\n PathInfo\n *path_info;\n\n PathInfoCode\n code;\n\n PointInfo\n p,\n q;\n\n ssize_t\n i,\n n;\n\n ssize_t\n coordinates,\n start;\n\n magick_unreferenced(draw_info);\n\n /*\n Converts a PrimitiveInfo 
structure into a vector path structure.\n */\n switch (primitive_info->primitive)\n {\n case PointPrimitive:\n case ColorPrimitive:\n case MattePrimitive:\n case TextPrimitive:\n case ImagePrimitive:\n return((PathInfo *) NULL);\n default:\n break;\n }\n for (i=0; primitive_info[i].primitive != UndefinedPrimitive; i++) ;\n path_info=(PathInfo *) AcquireQuantumMemory((size_t) (3UL*i+1UL),\n sizeof(*path_info));\n if (path_info == (PathInfo *) NULL)\n {\n (void) ThrowMagickException(exception,GetMagickModule(),\n ResourceLimitError,\"MemoryAllocationFailed\",\"`%s'\",\"\");\n return((PathInfo *) NULL);\n }\n coordinates=0;\n closed_subpath=MagickFalse;\n n=0;\n p.x=(-1.0);\n p.y=(-1.0);\n q.x=(-1.0);\n q.y=(-1.0);\n start=0;\n for (i=0; primitive_info[i].primitive != UndefinedPrimitive; i++)\n {\n code=LineToCode;\n if (coordinates <= 0)\n {\n /*\n New subpath.\n */\n coordinates=(ssize_t) primitive_info[i].coordinates;\n p=primitive_info[i].point;\n start=n;\n code=MoveToCode;\n closed_subpath=primitive_info[i].closed_subpath;\n }\n coordinates--;\n if ((code == MoveToCode) || (coordinates <= 0) ||\n (fabs(q.x-primitive_info[i].point.x) >= MagickEpsilon) ||\n (fabs(q.y-primitive_info[i].point.y) >= MagickEpsilon))\n {\n /*\n Eliminate duplicate points.\n */\n path_info[n].code=code;\n path_info[n].point=primitive_info[i].point;\n q=primitive_info[i].point;\n n++;\n }\n if (coordinates > 0)\n continue; /* next point in current subpath */\n if (closed_subpath != MagickFalse)\n {\n closed_subpath=MagickFalse;\n continue;\n }\n /*\n Mark the p point as open if the subpath is not closed.\n */\n path_info[start].code=OpenCode;\n path_info[n].code=GhostlineCode;\n path_info[n].point=primitive_info[i].point;\n n++;\n path_info[n].code=LineToCode;\n path_info[n].point=p;\n n++;\n }\n path_info[n].code=EndCode;\n path_info[n].point.x=0.0;\n path_info[n].point.y=0.0;\n if (IsEventLogging() != MagickFalse)\n LogPathInfo(path_info);\n path_info=(PathInfo *) 
ResizeQuantumMemory(path_info,(size_t) (n+1),\n sizeof(*path_info));\n return(path_info);\n}", "project": "ImageMagick6", "hash": 281567156548199783118078565974681215404, "size": 112, "commit_id": "9a94877f7823b0b8a41d50638dd105229d91fa89", "message": "https://github.com/ImageMagick/ImageMagick/issues/3339", "target": 0, "dataset": "other", "idx": 316691 }, { "func": "madvise_behavior_valid(int behavior)\n{\n\tswitch (behavior) {\n\tcase MADV_DOFORK:\n\tcase MADV_DONTFORK:\n\tcase MADV_NORMAL:\n\tcase MADV_SEQUENTIAL:\n\tcase MADV_RANDOM:\n\tcase MADV_REMOVE:\n\tcase MADV_WILLNEED:\n\tcase MADV_DONTNEED:\n\tcase MADV_FREE:\n\tcase MADV_COLD:\n\tcase MADV_PAGEOUT:\n#ifdef CONFIG_KSM\n\tcase MADV_MERGEABLE:\n\tcase MADV_UNMERGEABLE:\n#endif\n#ifdef CONFIG_TRANSPARENT_HUGEPAGE\n\tcase MADV_HUGEPAGE:\n\tcase MADV_NOHUGEPAGE:\n#endif\n\tcase MADV_DONTDUMP:\n\tcase MADV_DODUMP:\n\tcase MADV_WIPEONFORK:\n\tcase MADV_KEEPONFORK:\n#ifdef CONFIG_MEMORY_FAILURE\n\tcase MADV_SOFT_OFFLINE:\n\tcase MADV_HWPOISON:\n#endif\n\t\treturn true;\n\n\tdefault:\n\t\treturn false;\n\t}\n}", "project": "linux", "hash": 183595931484820385165810600377399110430, "size": 36, "commit_id": "bc0c4d1e176eeb614dc8734fc3ace34292771f11", "message": "mm: check that mm is still valid in madvise()\n\nIORING_OP_MADVISE can end up basically doing mprotect() on the VM of\nanother process, which means that it can race with our crazy core dump\nhandling which accesses the VM state without holding the mmap_sem\n(because it incorrectly thinks that it is the final user).\n\nThis is clearly a core dumping problem, but we've never fixed it the\nright way, and instead have the notion of \"check that the mm is still\nok\" using mmget_still_valid() after getting the mmap_sem for writing in\nany situation where we're not the original VM thread.\n\nSee commit 04f5866e41fb (\"coredump: fix race condition between\nmmget_not_zero()/get_task_mm() and core dumping\") for more background on\nthis whole mmget_still_valid() 
thing. You might want to have a barf bag\nhandy when you do.\n\nWe're discussing just fixing this properly in the only remaining core\ndumping routines. But even if we do that, let's make do_madvise() do\nthe right thing, and then when we fix core dumping, we can remove all\nthese mmget_still_valid() checks.\n\nReported-and-tested-by: Jann Horn \nFixes: c1ca757bd6f4 (\"io_uring: add IORING_OP_MADVISE\")\nAcked-by: Jens Axboe \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 323569 }, { "func": "madvise_vma(struct vm_area_struct *vma, struct vm_area_struct **prev,\n\t\tunsigned long start, unsigned long end, int behavior)\n{\n\tswitch (behavior) {\n\tcase MADV_REMOVE:\n\t\treturn madvise_remove(vma, prev, start, end);\n\tcase MADV_WILLNEED:\n\t\treturn madvise_willneed(vma, prev, start, end);\n\tcase MADV_COLD:\n\t\treturn madvise_cold(vma, prev, start, end);\n\tcase MADV_PAGEOUT:\n\t\treturn madvise_pageout(vma, prev, start, end);\n\tcase MADV_FREE:\n\tcase MADV_DONTNEED:\n\t\treturn madvise_dontneed_free(vma, prev, start, end, behavior);\n\tdefault:\n\t\treturn madvise_behavior(vma, prev, start, end, behavior);\n\t}\n}", "project": "linux", "hash": 325117918366824671595870181469631201471, "size": 19, "commit_id": "bc0c4d1e176eeb614dc8734fc3ace34292771f11", "message": "mm: check that mm is still valid in madvise()\n\nIORING_OP_MADVISE can end up basically doing mprotect() on the VM of\nanother process, which means that it can race with our crazy core dump\nhandling which accesses the VM state without holding the mmap_sem\n(because it incorrectly thinks that it is the final user).\n\nThis is clearly a core dumping problem, but we've never fixed it the\nright way, and instead have the notion of \"check that the mm is still\nok\" using mmget_still_valid() after getting the mmap_sem for writing in\nany situation where we're not the original VM thread.\n\nSee commit 04f5866e41fb (\"coredump: fix race condition 
between\nmmget_not_zero()/get_task_mm() and core dumping\") for more background on\nthis whole mmget_still_valid() thing. You might want to have a barf bag\nhandy when you do.\n\nWe're discussing just fixing this properly in the only remaining core\ndumping routines. But even if we do that, let's make do_madvise() do\nthe right thing, and then when we fix core dumping, we can remove all\nthese mmget_still_valid() checks.\n\nReported-and-tested-by: Jann Horn \nFixes: c1ca757bd6f4 (\"io_uring: add IORING_OP_MADVISE\")\nAcked-by: Jens Axboe \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 323576 }, { "func": "archive_string_conversion_set_opt(struct archive_string_conv *sc, int opt)\n{\n\tswitch (opt) {\n\t/*\n\t * A filename in UTF-8 was made with libarchive 2.x in a wrong\n\t * assumption that wchar_t was Unicode.\n\t * This option enables simulating the assumption in order to read\n\t * that filename correctly.\n\t */\n\tcase SCONV_SET_OPT_UTF8_LIBARCHIVE2X:\n#if (defined(_WIN32) && !defined(__CYGWIN__)) \\\n\t || defined(__STDC_ISO_10646__) || defined(__APPLE__)\n\t\t/*\n\t\t * Nothing to do for it since wchar_t on these platforms\n\t\t * is really Unicode.\n\t\t */\n\t\t(void)sc; /* UNUSED */\n#else\n\t\tif ((sc->flag & SCONV_UTF8_LIBARCHIVE_2) == 0) {\n\t\t\tsc->flag |= SCONV_UTF8_LIBARCHIVE_2;\n\t\t\t/* Set up string converters. */\n\t\t\tsetup_converter(sc);\n\t\t}\n#endif\n\t\tbreak;\n\tcase SCONV_SET_OPT_NORMALIZATION_C:\n\t\tif ((sc->flag & SCONV_NORMALIZATION_C) == 0) {\n\t\t\tsc->flag |= SCONV_NORMALIZATION_C;\n\t\t\tsc->flag &= ~SCONV_NORMALIZATION_D;\n\t\t\t/* Set up string converters. 
*/\n\t\t\tsetup_converter(sc);\n\t\t}\n\t\tbreak;\n\tcase SCONV_SET_OPT_NORMALIZATION_D:\n#if defined(HAVE_ICONV)\n\t\t/*\n\t\t * If iconv will take the string, do not change the\n\t\t * setting of the normalization.\n\t\t */\n\t\tif (!(sc->flag & SCONV_WIN_CP) &&\n\t\t (sc->flag & (SCONV_FROM_UTF16 | SCONV_FROM_UTF8)) &&\n\t\t !(sc->flag & (SCONV_TO_UTF16 | SCONV_TO_UTF8)))\n\t\t\tbreak;\n#endif\n\t\tif ((sc->flag & SCONV_NORMALIZATION_D) == 0) {\n\t\t\tsc->flag |= SCONV_NORMALIZATION_D;\n\t\t\tsc->flag &= ~SCONV_NORMALIZATION_C;\n\t\t\t/* Set up string converters. */\n\t\t\tsetup_converter(sc);\n\t\t}\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n}", "project": "libarchive", "hash": 120106567138309345770035438035237547613, "size": 55, "commit_id": "4f085eea879e2be745f4d9bf57e8513ae48157f4", "message": "Fix a possible heap-buffer-overflow in archive_string_append_from_wcs()\n\nWhen we grow the archive_string buffer, we have to make sure it fits\nat least one maximum-sized multibyte character in the current locale\nand the null character.\n\nFixes #1298", "target": 0, "dataset": "other", "idx": 325863 }, { "func": "static struct tty_driver *tty_lookup_driver(dev_t device, struct file *filp,\n\t\tint *index)\n{\n\tstruct tty_driver *driver = NULL;\n\n\tswitch (device) {\n#ifdef CONFIG_VT\n\tcase MKDEV(TTY_MAJOR, 0): {\n\t\textern struct tty_driver *console_driver;\n\t\tdriver = tty_driver_kref_get(console_driver);\n\t\t*index = fg_console;\n\t\tbreak;\n\t}\n#endif\n\tcase MKDEV(TTYAUX_MAJOR, 1): {\n\t\tstruct tty_driver *console_driver = console_device(index);\n\t\tif (console_driver) {\n\t\t\tdriver = tty_driver_kref_get(console_driver);\n\t\t\tif (driver && filp) {\n\t\t\t\t/* Don't let /dev/console block */\n\t\t\t\tfilp->f_flags |= O_NONBLOCK;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (driver)\n\t\t\ttty_driver_kref_put(driver);\n\t\treturn ERR_PTR(-ENODEV);\n\t}\n\tdefault:\n\t\tdriver = get_tty_driver(device, index);\n\t\tif (!driver)\n\t\t\treturn 
ERR_PTR(-ENODEV);\n\t\tbreak;\n\t}\n\treturn driver;\n}", "project": "linux", "hash": 184139703082662583169585276515818449195, "size": 36, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325995 }, { "func": "ex_findpat(exarg_T *eap)\n{\n int\t\twhole = TRUE;\n long\tn;\n char_u\t*p;\n int\t\taction;\n\n switch (cmdnames[eap->cmdidx].cmd_name[2])\n {\n\tcase 'e':\t// \":psearch\", \":isearch\" and \":dsearch\"\n\t\tif 
(cmdnames[eap->cmdidx].cmd_name[0] == 'p')\n\t\t action = ACTION_GOTO;\n\t\telse\n\t\t action = ACTION_SHOW;\n\t\tbreak;\n\tcase 'i':\t// \":ilist\" and \":dlist\"\n\t\taction = ACTION_SHOW_ALL;\n\t\tbreak;\n\tcase 'u':\t// \":ijump\" and \":djump\"\n\t\taction = ACTION_GOTO;\n\t\tbreak;\n\tdefault:\t// \":isplit\" and \":dsplit\"\n\t\taction = ACTION_SPLIT;\n\t\tbreak;\n }\n\n n = 1;\n if (vim_isdigit(*eap->arg))\t// get count\n {\n\tn = getdigits(&eap->arg);\n\teap->arg = skipwhite(eap->arg);\n }\n if (*eap->arg == '/') // Match regexp, not just whole words\n {\n\twhole = FALSE;\n\t++eap->arg;\n\tp = skip_regexp(eap->arg, '/', magic_isset());\n\tif (*p)\n\t{\n\t *p++ = NUL;\n\t p = skipwhite(p);\n\n\t // Check for trailing illegal characters\n\t if (!ends_excmd2(eap->arg, p))\n\t\teap->errmsg = ex_errmsg(e_trailing_arg, p);\n\t else\n\t\tset_nextcmd(eap, p);\n\t}\n }\n if (!eap->skip)\n\tfind_pattern_in_path(eap->arg, 0, (int)STRLEN(eap->arg),\n\t\t\t whole, !eap->forceit,\n\t\t\t *eap->cmd == 'd' ?\tFIND_DEFINE : FIND_ANY,\n\t\t\t n, action, eap->line1, eap->line2);\n}", "project": "vim", "hash": 200425605723980351809506018398343234654, "size": 55, "commit_id": "0b5b06cb4777d1401fdf83e7d48d287662236e7e", "message": "patch 8.2.3581: reading character past end of line\n\nProblem: Reading character past end of line.\nSolution: Correct the cursor column.", "target": 0, "dataset": "other", "idx": 330221 }, { "func": "ex_later(exarg_T *eap)\n{\n long\tcount = 0;\n int\t\tsec = FALSE;\n int\t\tfile = FALSE;\n char_u\t*p = eap->arg;\n\n if (*p == NUL)\n\tcount = 1;\n else if (isdigit(*p))\n {\n\tcount = getdigits(&p);\n\tswitch (*p)\n\t{\n\t case 's': ++p; sec = TRUE; break;\n\t case 'm': ++p; sec = TRUE; count *= 60; break;\n\t case 'h': ++p; sec = TRUE; count *= 60 * 60; break;\n\t case 'd': ++p; sec = TRUE; count *= 24 * 60 * 60; break;\n\t case 'f': ++p; file = TRUE; break;\n\t}\n }\n\n if (*p != NUL)\n\tsemsg(_(e_invarg2), eap->arg);\n else\n\tundo_time(eap->cmdidx 
== CMD_earlier ? -count : count,\n\t\t\t\t\t\t\t sec, file, FALSE);\n}", "project": "vim", "hash": 290244159663678570716239480673337888363, "size": 28, "commit_id": "0b5b06cb4777d1401fdf83e7d48d287662236e7e", "message": "patch 8.2.3581: reading character past end of line\n\nProblem: Reading character past end of line.\nSolution: Correct the cursor column.", "target": 0, "dataset": "other", "idx": 330224 }, { "func": "get_address(\n exarg_T\t*eap UNUSED,\n char_u\t**ptr,\n cmd_addr_T\taddr_type,\n int\t\tskip,\t\t// only skip the address, don't use it\n int\t\tsilent,\t\t// no errors or side effects\n int\t\tto_other_file, // flag: may jump to other file\n int\t\taddress_count UNUSED) // 1 for first address, >1 after comma\n{\n int\t\tc;\n int\t\ti;\n long\tn;\n char_u\t*cmd;\n pos_T\tpos;\n pos_T\t*fp;\n linenr_T\tlnum;\n buf_T\t*buf;\n\n cmd = skipwhite(*ptr);\n lnum = MAXLNUM;\n do\n {\n\tswitch (*cmd)\n\t{\n\t case '.':\t\t\t // '.' - Cursor position\n\t\t++cmd;\n\t\tswitch (addr_type)\n\t\t{\n\t\t case ADDR_LINES:\n\t\t case ADDR_OTHER:\n\t\t\tlnum = curwin->w_cursor.lnum;\n\t\t\tbreak;\n\t\t case ADDR_WINDOWS:\n\t\t\tlnum = CURRENT_WIN_NR;\n\t\t\tbreak;\n\t\t case ADDR_ARGUMENTS:\n\t\t\tlnum = curwin->w_arg_idx + 1;\n\t\t\tbreak;\n\t\t case ADDR_LOADED_BUFFERS:\n\t\t case ADDR_BUFFERS:\n\t\t\tlnum = curbuf->b_fnum;\n\t\t\tbreak;\n\t\t case ADDR_TABS:\n\t\t\tlnum = CURRENT_TAB_NR;\n\t\t\tbreak;\n\t\t case ADDR_NONE:\n\t\t case ADDR_TABS_RELATIVE:\n\t\t case ADDR_UNSIGNED:\n\t\t\taddr_error(addr_type);\n\t\t\tcmd = NULL;\n\t\t\tgoto error;\n\t\t\tbreak;\n\t\t case ADDR_QUICKFIX:\n#ifdef FEAT_QUICKFIX\n\t\t\tlnum = qf_get_cur_idx(eap);\n#endif\n\t\t\tbreak;\n\t\t case ADDR_QUICKFIX_VALID:\n#ifdef FEAT_QUICKFIX\n\t\t\tlnum = qf_get_cur_valid_idx(eap);\n#endif\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\n\t case '$':\t\t\t // '$' - last line\n\t\t++cmd;\n\t\tswitch (addr_type)\n\t\t{\n\t\t case ADDR_LINES:\n\t\t case ADDR_OTHER:\n\t\t\tlnum = 
curbuf->b_ml.ml_line_count;\n\t\t\tbreak;\n\t\t case ADDR_WINDOWS:\n\t\t\tlnum = LAST_WIN_NR;\n\t\t\tbreak;\n\t\t case ADDR_ARGUMENTS:\n\t\t\tlnum = ARGCOUNT;\n\t\t\tbreak;\n\t\t case ADDR_LOADED_BUFFERS:\n\t\t\tbuf = lastbuf;\n\t\t\twhile (buf->b_ml.ml_mfp == NULL)\n\t\t\t{\n\t\t\t if (buf->b_prev == NULL)\n\t\t\t\tbreak;\n\t\t\t buf = buf->b_prev;\n\t\t\t}\n\t\t\tlnum = buf->b_fnum;\n\t\t\tbreak;\n\t\t case ADDR_BUFFERS:\n\t\t\tlnum = lastbuf->b_fnum;\n\t\t\tbreak;\n\t\t case ADDR_TABS:\n\t\t\tlnum = LAST_TAB_NR;\n\t\t\tbreak;\n\t\t case ADDR_NONE:\n\t\t case ADDR_TABS_RELATIVE:\n\t\t case ADDR_UNSIGNED:\n\t\t\taddr_error(addr_type);\n\t\t\tcmd = NULL;\n\t\t\tgoto error;\n\t\t\tbreak;\n\t\t case ADDR_QUICKFIX:\n#ifdef FEAT_QUICKFIX\n\t\t\tlnum = qf_get_size(eap);\n\t\t\tif (lnum == 0)\n\t\t\t lnum = 1;\n#endif\n\t\t\tbreak;\n\t\t case ADDR_QUICKFIX_VALID:\n#ifdef FEAT_QUICKFIX\n\t\t\tlnum = qf_get_valid_size(eap);\n\t\t\tif (lnum == 0)\n\t\t\t lnum = 1;\n#endif\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\n\t case '\\'':\t\t\t // ''' - mark\n\t\tif (*++cmd == NUL)\n\t\t{\n\t\t cmd = NULL;\n\t\t goto error;\n\t\t}\n\t\tif (addr_type != ADDR_LINES)\n\t\t{\n\t\t addr_error(addr_type);\n\t\t cmd = NULL;\n\t\t goto error;\n\t\t}\n\t\tif (skip)\n\t\t ++cmd;\n\t\telse\n\t\t{\n\t\t // Only accept a mark in another file when it is\n\t\t // used by itself: \":'M\".\n\t\t fp = getmark(*cmd, to_other_file && cmd[1] == NUL);\n\t\t ++cmd;\n\t\t if (fp == (pos_T *)-1)\n\t\t\t// Jumped to another file.\n\t\t\tlnum = curwin->w_cursor.lnum;\n\t\t else\n\t\t {\n\t\t\tif (check_mark(fp) == FAIL)\n\t\t\t{\n\t\t\t cmd = NULL;\n\t\t\t goto error;\n\t\t\t}\n\t\t\tlnum = fp->lnum;\n\t\t }\n\t\t}\n\t\tbreak;\n\n\t case '/':\n\t case '?':\t\t\t// '/' or '?' 
- search\n\t\tc = *cmd++;\n\t\tif (addr_type != ADDR_LINES)\n\t\t{\n\t\t addr_error(addr_type);\n\t\t cmd = NULL;\n\t\t goto error;\n\t\t}\n\t\tif (skip)\t// skip \"/pat/\"\n\t\t{\n\t\t cmd = skip_regexp(cmd, c, magic_isset());\n\t\t if (*cmd == c)\n\t\t\t++cmd;\n\t\t}\n\t\telse\n\t\t{\n\t\t int flags;\n\n\t\t pos = curwin->w_cursor; // save curwin->w_cursor\n\n\t\t // When '/' or '?' follows another address, start from\n\t\t // there.\n\t\t if (lnum > 0 && lnum != MAXLNUM)\n\t\t\tcurwin->w_cursor.lnum =\n\t\t\t\tlnum > curbuf->b_ml.ml_line_count\n\t\t\t\t\t ? curbuf->b_ml.ml_line_count : lnum;\n\n\t\t // Start a forward search at the end of the line (unless\n\t\t // before the first line).\n\t\t // Start a backward search at the start of the line.\n\t\t // This makes sure we never match in the current\n\t\t // line, and can match anywhere in the\n\t\t // next/previous line.\n\t\t if (c == '/' && curwin->w_cursor.lnum > 0)\n\t\t\tcurwin->w_cursor.col = MAXCOL;\n\t\t else\n\t\t\tcurwin->w_cursor.col = 0;\n\t\t searchcmdlen = 0;\n\t\t flags = silent ? 0 : SEARCH_HIS | SEARCH_MSG;\n\t\t if (!do_search(NULL, c, c, cmd, 1L, flags, NULL))\n\t\t {\n\t\t\tcurwin->w_cursor = pos;\n\t\t\tcmd = NULL;\n\t\t\tgoto error;\n\t\t }\n\t\t lnum = curwin->w_cursor.lnum;\n\t\t curwin->w_cursor = pos;\n\t\t // adjust command string pointer\n\t\t cmd += searchcmdlen;\n\t\t}\n\t\tbreak;\n\n\t case '\\\\':\t\t // \"\\?\", \"\\/\" or \"\\&\", repeat search\n\t\t++cmd;\n\t\tif (addr_type != ADDR_LINES)\n\t\t{\n\t\t addr_error(addr_type);\n\t\t cmd = NULL;\n\t\t goto error;\n\t\t}\n\t\tif (*cmd == '&')\n\t\t i = RE_SUBST;\n\t\telse if (*cmd == '?' 
|| *cmd == '/')\n\t\t i = RE_SEARCH;\n\t\telse\n\t\t{\n\t\t emsg(_(e_backslash_should_be_followed_by));\n\t\t cmd = NULL;\n\t\t goto error;\n\t\t}\n\n\t\tif (!skip)\n\t\t{\n\t\t /*\n\t\t * When search follows another address, start from\n\t\t * there.\n\t\t */\n\t\t if (lnum != MAXLNUM)\n\t\t\tpos.lnum = lnum;\n\t\t else\n\t\t\tpos.lnum = curwin->w_cursor.lnum;\n\n\t\t /*\n\t\t * Start the search just like for the above\n\t\t * do_search().\n\t\t */\n\t\t if (*cmd != '?')\n\t\t\tpos.col = MAXCOL;\n\t\t else\n\t\t\tpos.col = 0;\n\t\t pos.coladd = 0;\n\t\t if (searchit(curwin, curbuf, &pos, NULL,\n\t\t\t\t*cmd == '?' ? BACKWARD : FORWARD,\n\t\t\t\t(char_u *)\"\", 1L, SEARCH_MSG, i, NULL) != FAIL)\n\t\t\tlnum = pos.lnum;\n\t\t else\n\t\t {\n\t\t\tcmd = NULL;\n\t\t\tgoto error;\n\t\t }\n\t\t}\n\t\t++cmd;\n\t\tbreak;\n\n\t default:\n\t\tif (VIM_ISDIGIT(*cmd))\t// absolute line number\n\t\t lnum = getdigits(&cmd);\n\t}\n\n\tfor (;;)\n\t{\n\t cmd = skipwhite(cmd);\n\t if (*cmd != '-' && *cmd != '+' && !VIM_ISDIGIT(*cmd))\n\t\tbreak;\n\n\t if (lnum == MAXLNUM)\n\t {\n\t\tswitch (addr_type)\n\t\t{\n\t\t case ADDR_LINES:\n\t\t case ADDR_OTHER:\n\t\t\t// \"+1\" is same as \".+1\"\n\t\t\tlnum = curwin->w_cursor.lnum;\n\t\t\tbreak;\n\t\t case ADDR_WINDOWS:\n\t\t\tlnum = CURRENT_WIN_NR;\n\t\t\tbreak;\n\t\t case ADDR_ARGUMENTS:\n\t\t\tlnum = curwin->w_arg_idx + 1;\n\t\t\tbreak;\n\t\t case ADDR_LOADED_BUFFERS:\n\t\t case ADDR_BUFFERS:\n\t\t\tlnum = curbuf->b_fnum;\n\t\t\tbreak;\n\t\t case ADDR_TABS:\n\t\t\tlnum = CURRENT_TAB_NR;\n\t\t\tbreak;\n\t\t case ADDR_TABS_RELATIVE:\n\t\t\tlnum = 1;\n\t\t\tbreak;\n\t\t case ADDR_QUICKFIX:\n#ifdef FEAT_QUICKFIX\n\t\t\tlnum = qf_get_cur_idx(eap);\n#endif\n\t\t\tbreak;\n\t\t case ADDR_QUICKFIX_VALID:\n#ifdef FEAT_QUICKFIX\n\t\t\tlnum = qf_get_cur_valid_idx(eap);\n#endif\n\t\t\tbreak;\n\t\t case ADDR_NONE:\n\t\t case ADDR_UNSIGNED:\n\t\t\tlnum = 0;\n\t\t\tbreak;\n\t\t}\n\t }\n\n\t if (VIM_ISDIGIT(*cmd))\n\t\ti = '+';\t\t// \"number\" is same as 
\"+number\"\n\t else\n\t\ti = *cmd++;\n\t if (!VIM_ISDIGIT(*cmd))\t// '+' is '+1', but '+0' is not '+1'\n\t\tn = 1;\n\t else\n\t\tn = getdigits(&cmd);\n\n\t if (addr_type == ADDR_TABS_RELATIVE)\n\t {\n\t\temsg(_(e_invalid_range));\n\t\tcmd = NULL;\n\t\tgoto error;\n\t }\n\t else if (addr_type == ADDR_LOADED_BUFFERS\n\t\t || addr_type == ADDR_BUFFERS)\n\t\tlnum = compute_buffer_local_count(\n\t\t\t\t addr_type, lnum, (i == '-') ? -1 * n : n);\n\t else\n\t {\n#ifdef FEAT_FOLDING\n\t\t// Relative line addressing, need to adjust for folded lines\n\t\t// now, but only do it after the first address.\n\t\tif (addr_type == ADDR_LINES && (i == '-' || i == '+')\n\t\t\t&& address_count >= 2)\n\t\t (void)hasFolding(lnum, NULL, &lnum);\n#endif\n\t\tif (i == '-')\n\t\t lnum -= n;\n\t\telse\n\t\t lnum += n;\n\t }\n\t}\n } while (*cmd == '/' || *cmd == '?');\n\nerror:\n *ptr = cmd;\n return lnum;\n}", "project": "vim", "hash": 150636938504434408675638994295434802584, "size": 352, "commit_id": "0b5b06cb4777d1401fdf83e7d48d287662236e7e", "message": "patch 8.2.3581: reading character past end of line\n\nProblem: Reading character past end of line.\nSolution: Correct the cursor column.", "target": 0, "dataset": "other", "idx": 330225 }, { "func": "ex_sleep(exarg_T *eap)\n{\n int\t\tn;\n long\tlen;\n\n if (cursor_valid())\n {\n\tn = W_WINROW(curwin) + curwin->w_wrow - msg_scrolled;\n\tif (n >= 0)\n\t windgoto((int)n, curwin->w_wincol + curwin->w_wcol);\n }\n\n len = eap->line2;\n switch (*eap->arg)\n {\n\tcase 'm': break;\n\tcase NUL: len *= 1000L; break;\n\tdefault: semsg(_(e_invarg2), eap->arg); return;\n }\n\n // Hide the cursor if invoked with !\n do_sleep(len, eap->forceit);\n}", "project": "vim", "hash": 239387884951875353184353276710033879486, "size": 23, "commit_id": "0b5b06cb4777d1401fdf83e7d48d287662236e7e", "message": "patch 8.2.3581: reading character past end of line\n\nProblem: Reading character past end of line.\nSolution: Correct the cursor column.", "target": 0, 
"dataset": "other", "idx": 330226 }, { "func": "handle_did_throw()\n{\n char\t*p = NULL;\n msglist_T\t*messages = NULL;\n ESTACK_CHECK_DECLARATION\n\n /*\n * If the uncaught exception is a user exception, report it as an\n * error. If it is an error exception, display the saved error\n * message now. For an interrupt exception, do nothing; the\n * interrupt message is given elsewhere.\n */\n switch (current_exception->type)\n {\n\tcase ET_USER:\n\t vim_snprintf((char *)IObuff, IOSIZE,\n\t\t _(\"E605: Exception not caught: %s\"),\n\t\t current_exception->value);\n\t p = (char *)vim_strsave(IObuff);\n\t break;\n\tcase ET_ERROR:\n\t messages = current_exception->messages;\n\t current_exception->messages = NULL;\n\t break;\n\tcase ET_INTERRUPT:\n\t break;\n }\n\n estack_push(ETYPE_EXCEPT, current_exception->throw_name,\n\t\t\t\t\tcurrent_exception->throw_lnum);\n ESTACK_CHECK_SETUP\n current_exception->throw_name = NULL;\n\n discard_current_exception();\t// uses IObuff if 'verbose'\n suppress_errthrow = TRUE;\n force_abort = TRUE;\n\n if (messages != NULL)\n {\n\tdo\n\t{\n\t msglist_T\t*next = messages->next;\n\t int\t\tsave_compiling = estack_compiling;\n\n\t estack_compiling = messages->msg_compiling;\n\t emsg(messages->msg);\n\t vim_free(messages->msg);\n\t vim_free(messages->sfile);\n\t vim_free(messages);\n\t messages = next;\n\t estack_compiling = save_compiling;\n\t}\n\twhile (messages != NULL);\n }\n else if (p != NULL)\n {\n\temsg(p);\n\tvim_free(p);\n }\n vim_free(SOURCING_NAME);\n ESTACK_CHECK_NOW\n estack_pop();\n}", "project": "vim", "hash": 234959764557963082290111516016227235428, "size": 63, "commit_id": "0b5b06cb4777d1401fdf83e7d48d287662236e7e", "message": "patch 8.2.3581: reading character past end of line\n\nProblem: Reading character past end of line.\nSolution: Correct the cursor column.", "target": 0, "dataset": "other", "idx": 330254 }, { "func": "ex_tabnext(exarg_T *eap)\n{\n int tab_number;\n\n if (ERROR_IF_POPUP_WINDOW)\n\treturn;\n switch 
(eap->cmdidx)\n {\n\tcase CMD_tabfirst:\n\tcase CMD_tabrewind:\n\t goto_tabpage(1);\n\t break;\n\tcase CMD_tablast:\n\t goto_tabpage(9999);\n\t break;\n\tcase CMD_tabprevious:\n\tcase CMD_tabNext:\n\t if (eap->arg && *eap->arg != NUL)\n\t {\n\t\tchar_u *p = eap->arg;\n\t\tchar_u *p_save = p;\n\n\t\ttab_number = getdigits(&p);\n\t\tif (p == p_save || *p_save == '-' || *p != NUL\n\t\t\t || tab_number == 0)\n\t\t{\n\t\t // No numbers as argument.\n\t\t eap->errmsg = ex_errmsg(e_invarg2, eap->arg);\n\t\t return;\n\t\t}\n\t }\n\t else\n\t {\n\t\tif (eap->addr_count == 0)\n\t\t tab_number = 1;\n\t\telse\n\t\t{\n\t\t tab_number = eap->line2;\n\t\t if (tab_number < 1)\n\t\t {\n\t\t\teap->errmsg = _(e_invalid_range);\n\t\t\treturn;\n\t\t }\n\t\t}\n\t }\n\t goto_tabpage(-tab_number);\n\t break;\n\tdefault: // CMD_tabnext\n\t tab_number = get_tabpage_arg(eap);\n\t if (eap->errmsg == NULL)\n\t\tgoto_tabpage(tab_number);\n\t break;\n }\n}", "project": "vim", "hash": 53704724345710676083767754326254044823, "size": 54, "commit_id": "0b5b06cb4777d1401fdf83e7d48d287662236e7e", "message": "patch 8.2.3581: reading character past end of line\n\nProblem: Reading character past end of line.\nSolution: Correct the cursor column.", "target": 0, "dataset": "other", "idx": 330255 }, { "func": "MagickExport Image *SteganoImage(const Image *image,const Image *watermark,\n ExceptionInfo *exception)\n{\n#define GetBit(alpha,i) ((((size_t) (alpha) >> (size_t) (i)) & 0x01) != 0)\n#define SetBit(alpha,i,set) (Quantum) ((set) != 0 ? 
(size_t) (alpha) \\\n | (one << (size_t) (i)) : (size_t) (alpha) & ~(one << (size_t) (i)))\n#define SteganoImageTag \"Stegano/Image\"\n\n CacheView\n *stegano_view,\n *watermark_view;\n\n Image\n *stegano_image;\n\n int\n c;\n\n MagickBooleanType\n status;\n\n PixelInfo\n pixel;\n\n Quantum\n *q;\n\n ssize_t\n x;\n\n size_t\n depth,\n one;\n\n ssize_t\n i,\n j,\n k,\n y;\n\n /*\n Initialize steganographic image attributes.\n */\n assert(image != (const Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(watermark != (const Image *) NULL);\n assert(watermark->signature == MagickCoreSignature);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n one=1UL;\n stegano_image=CloneImage(image,0,0,MagickTrue,exception);\n if (stegano_image == (Image *) NULL)\n return((Image *) NULL);\n stegano_image->depth=MAGICKCORE_QUANTUM_DEPTH;\n if (SetImageStorageClass(stegano_image,DirectClass,exception) == MagickFalse)\n {\n stegano_image=DestroyImage(stegano_image);\n return((Image *) NULL);\n }\n /*\n Hide watermark in low-order bits of image.\n */\n c=0;\n i=0;\n j=0;\n depth=stegano_image->depth;\n k=stegano_image->offset;\n status=MagickTrue;\n watermark_view=AcquireVirtualCacheView(watermark,exception);\n stegano_view=AcquireAuthenticCacheView(stegano_image,exception);\n for (i=(ssize_t) depth-1; (i >= 0) && (j < (ssize_t) depth); i--)\n {\n for (y=0; (y < (ssize_t) watermark->rows) && (j < (ssize_t) depth); y++)\n {\n for (x=0; (x < (ssize_t) watermark->columns) && (j < (ssize_t) depth); x++)\n {\n ssize_t\n offset;\n\n (void) GetOneCacheViewVirtualPixelInfo(watermark_view,x,y,&pixel,\n exception);\n offset=k/(ssize_t) stegano_image->columns;\n if (offset >= (ssize_t) stegano_image->rows)\n break;\n q=GetCacheViewAuthenticPixels(stegano_view,k % (ssize_t)\n 
stegano_image->columns,k/(ssize_t) stegano_image->columns,1,1,\n exception);\n if (q == (Quantum *) NULL)\n break;\n switch (c)\n {\n case 0:\n {\n SetPixelRed(stegano_image,SetBit(GetPixelRed(stegano_image,q),j,\n GetBit(GetPixelInfoIntensity(stegano_image,&pixel),i)),q);\n break;\n }\n case 1:\n {\n SetPixelGreen(stegano_image,SetBit(GetPixelGreen(stegano_image,q),j,\n GetBit(GetPixelInfoIntensity(stegano_image,&pixel),i)),q);\n break;\n }\n case 2:\n {\n SetPixelBlue(stegano_image,SetBit(GetPixelBlue(stegano_image,q),j,\n GetBit(GetPixelInfoIntensity(stegano_image,&pixel),i)),q);\n break;\n }\n }\n if (SyncCacheViewAuthenticPixels(stegano_view,exception) == MagickFalse)\n break;\n c++;\n if (c == 3)\n c=0;\n k++;\n if (k == (ssize_t) (stegano_image->columns*stegano_image->columns))\n k=0;\n if (k == stegano_image->offset)\n j++;\n }\n }\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n proceed=SetImageProgress(image,SteganoImageTag,(MagickOffsetType)\n (depth-i),depth);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n stegano_view=DestroyCacheView(stegano_view);\n watermark_view=DestroyCacheView(watermark_view);\n if (status == MagickFalse)\n stegano_image=DestroyImage(stegano_image);\n return(stegano_image);\n}", "project": "ImageMagick", "hash": 71860574229034994101645055513642971601, "size": 141, "commit_id": "94174beff065cb5683d09d79e992c3ebbdead311", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 330267 }, { "func": "packet_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval,\n\t\t unsigned int optlen)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct packet_sock *po = pkt_sk(sk);\n\tint ret;\n\n\tif (level != SOL_PACKET)\n\t\treturn -ENOPROTOOPT;\n\n\tswitch (optname) {\n\tcase PACKET_ADD_MEMBERSHIP:\n\tcase PACKET_DROP_MEMBERSHIP:\n\t{\n\t\tstruct packet_mreq_max mreq;\n\t\tint len = optlen;\n\t\tmemset(&mreq, 0, 
sizeof(mreq));\n\t\tif (len < sizeof(struct packet_mreq))\n\t\t\treturn -EINVAL;\n\t\tif (len > sizeof(mreq))\n\t\t\tlen = sizeof(mreq);\n\t\tif (copy_from_sockptr(&mreq, optval, len))\n\t\t\treturn -EFAULT;\n\t\tif (len < (mreq.mr_alen + offsetof(struct packet_mreq, mr_address)))\n\t\t\treturn -EINVAL;\n\t\tif (optname == PACKET_ADD_MEMBERSHIP)\n\t\t\tret = packet_mc_add(sk, &mreq);\n\t\telse\n\t\t\tret = packet_mc_drop(sk, &mreq);\n\t\treturn ret;\n\t}\n\n\tcase PACKET_RX_RING:\n\tcase PACKET_TX_RING:\n\t{\n\t\tunion tpacket_req_u req_u;\n\t\tint len;\n\n\t\tlock_sock(sk);\n\t\tswitch (po->tp_version) {\n\t\tcase TPACKET_V1:\n\t\tcase TPACKET_V2:\n\t\t\tlen = sizeof(req_u.req);\n\t\t\tbreak;\n\t\tcase TPACKET_V3:\n\t\tdefault:\n\t\t\tlen = sizeof(req_u.req3);\n\t\t\tbreak;\n\t\t}\n\t\tif (optlen < len) {\n\t\t\tret = -EINVAL;\n\t\t} else {\n\t\t\tif (copy_from_sockptr(&req_u.req, optval, len))\n\t\t\t\tret = -EFAULT;\n\t\t\telse\n\t\t\t\tret = packet_set_ring(sk, &req_u, 0,\n\t\t\t\t\t\t optname == PACKET_TX_RING);\n\t\t}\n\t\trelease_sock(sk);\n\t\treturn ret;\n\t}\n\tcase PACKET_COPY_THRESH:\n\t{\n\t\tint val;\n\n\t\tif (optlen != sizeof(val))\n\t\t\treturn -EINVAL;\n\t\tif (copy_from_sockptr(&val, optval, sizeof(val)))\n\t\t\treturn -EFAULT;\n\n\t\tpkt_sk(sk)->copy_thresh = val;\n\t\treturn 0;\n\t}\n\tcase PACKET_VERSION:\n\t{\n\t\tint val;\n\n\t\tif (optlen != sizeof(val))\n\t\t\treturn -EINVAL;\n\t\tif (copy_from_sockptr(&val, optval, sizeof(val)))\n\t\t\treturn -EFAULT;\n\t\tswitch (val) {\n\t\tcase TPACKET_V1:\n\t\tcase TPACKET_V2:\n\t\tcase TPACKET_V3:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tlock_sock(sk);\n\t\tif (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {\n\t\t\tret = -EBUSY;\n\t\t} else {\n\t\t\tpo->tp_version = val;\n\t\t\tret = 0;\n\t\t}\n\t\trelease_sock(sk);\n\t\treturn ret;\n\t}\n\tcase PACKET_RESERVE:\n\t{\n\t\tunsigned int val;\n\n\t\tif (optlen != sizeof(val))\n\t\t\treturn -EINVAL;\n\t\tif (copy_from_sockptr(&val, 
optval, sizeof(val)))\n\t\t\treturn -EFAULT;\n\t\tif (val > INT_MAX)\n\t\t\treturn -EINVAL;\n\t\tlock_sock(sk);\n\t\tif (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {\n\t\t\tret = -EBUSY;\n\t\t} else {\n\t\t\tpo->tp_reserve = val;\n\t\t\tret = 0;\n\t\t}\n\t\trelease_sock(sk);\n\t\treturn ret;\n\t}\n\tcase PACKET_LOSS:\n\t{\n\t\tunsigned int val;\n\n\t\tif (optlen != sizeof(val))\n\t\t\treturn -EINVAL;\n\t\tif (copy_from_sockptr(&val, optval, sizeof(val)))\n\t\t\treturn -EFAULT;\n\n\t\tlock_sock(sk);\n\t\tif (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {\n\t\t\tret = -EBUSY;\n\t\t} else {\n\t\t\tpo->tp_loss = !!val;\n\t\t\tret = 0;\n\t\t}\n\t\trelease_sock(sk);\n\t\treturn ret;\n\t}\n\tcase PACKET_AUXDATA:\n\t{\n\t\tint val;\n\n\t\tif (optlen < sizeof(val))\n\t\t\treturn -EINVAL;\n\t\tif (copy_from_sockptr(&val, optval, sizeof(val)))\n\t\t\treturn -EFAULT;\n\n\t\tlock_sock(sk);\n\t\tpo->auxdata = !!val;\n\t\trelease_sock(sk);\n\t\treturn 0;\n\t}\n\tcase PACKET_ORIGDEV:\n\t{\n\t\tint val;\n\n\t\tif (optlen < sizeof(val))\n\t\t\treturn -EINVAL;\n\t\tif (copy_from_sockptr(&val, optval, sizeof(val)))\n\t\t\treturn -EFAULT;\n\n\t\tlock_sock(sk);\n\t\tpo->origdev = !!val;\n\t\trelease_sock(sk);\n\t\treturn 0;\n\t}\n\tcase PACKET_VNET_HDR:\n\t{\n\t\tint val;\n\n\t\tif (sock->type != SOCK_RAW)\n\t\t\treturn -EINVAL;\n\t\tif (optlen < sizeof(val))\n\t\t\treturn -EINVAL;\n\t\tif (copy_from_sockptr(&val, optval, sizeof(val)))\n\t\t\treturn -EFAULT;\n\n\t\tlock_sock(sk);\n\t\tif (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {\n\t\t\tret = -EBUSY;\n\t\t} else {\n\t\t\tpo->has_vnet_hdr = !!val;\n\t\t\tret = 0;\n\t\t}\n\t\trelease_sock(sk);\n\t\treturn ret;\n\t}\n\tcase PACKET_TIMESTAMP:\n\t{\n\t\tint val;\n\n\t\tif (optlen != sizeof(val))\n\t\t\treturn -EINVAL;\n\t\tif (copy_from_sockptr(&val, optval, sizeof(val)))\n\t\t\treturn -EFAULT;\n\n\t\tpo->tp_tstamp = val;\n\t\treturn 0;\n\t}\n\tcase PACKET_FANOUT:\n\t{\n\t\tint val;\n\n\t\tif (optlen != sizeof(val))\n\t\t\treturn 
-EINVAL;\n\t\tif (copy_from_sockptr(&val, optval, sizeof(val)))\n\t\t\treturn -EFAULT;\n\n\t\treturn fanout_add(sk, val & 0xffff, val >> 16);\n\t}\n\tcase PACKET_FANOUT_DATA:\n\t{\n\t\tif (!po->fanout)\n\t\t\treturn -EINVAL;\n\n\t\treturn fanout_set_data(po, optval, optlen);\n\t}\n\tcase PACKET_IGNORE_OUTGOING:\n\t{\n\t\tint val;\n\n\t\tif (optlen != sizeof(val))\n\t\t\treturn -EINVAL;\n\t\tif (copy_from_sockptr(&val, optval, sizeof(val)))\n\t\t\treturn -EFAULT;\n\t\tif (val < 0 || val > 1)\n\t\t\treturn -EINVAL;\n\n\t\tpo->prot_hook.ignore_outgoing = !!val;\n\t\treturn 0;\n\t}\n\tcase PACKET_TX_HAS_OFF:\n\t{\n\t\tunsigned int val;\n\n\t\tif (optlen != sizeof(val))\n\t\t\treturn -EINVAL;\n\t\tif (copy_from_sockptr(&val, optval, sizeof(val)))\n\t\t\treturn -EFAULT;\n\n\t\tlock_sock(sk);\n\t\tif (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {\n\t\t\tret = -EBUSY;\n\t\t} else {\n\t\t\tpo->tp_tx_has_off = !!val;\n\t\t\tret = 0;\n\t\t}\n\t\trelease_sock(sk);\n\t\treturn 0;\n\t}\n\tcase PACKET_QDISC_BYPASS:\n\t{\n\t\tint val;\n\n\t\tif (optlen != sizeof(val))\n\t\t\treturn -EINVAL;\n\t\tif (copy_from_sockptr(&val, optval, sizeof(val)))\n\t\t\treturn -EFAULT;\n\n\t\tpo->xmit = val ? 
packet_direct_xmit : dev_queue_xmit;\n\t\treturn 0;\n\t}\n\tdefault:\n\t\treturn -ENOPROTOOPT;\n\t}\n}", "project": "linux", "hash": 310102491789672136843158299369166808230, "size": 266, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330381 }, { "func": "static void *packet_current_rx_frame(struct packet_sock *po,\n\t\t\t\t\t struct sk_buff *skb,\n\t\t\t\t\t int status, unsigned int len)\n{\n\tchar *curr = NULL;\n\tswitch (po->tp_version) {\n\tcase TPACKET_V1:\n\tcase TPACKET_V2:\n\t\tcurr = packet_lookup_frame(po, &po->rx_ring,\n\t\t\t\t\tpo->rx_ring.head, status);\n\t\treturn curr;\n\tcase TPACKET_V3:\n\t\treturn __packet_lookup_frame_in_block(po, skb, len);\n\tdefault:\n\t\tWARN(1, \"TPACKET version not supported\\n\");\n\t\tBUG();\n\t\treturn NULL;\n\t}\n}", "project": "linux", "hash": 215124896136142906682292112523403493735, "size": 19, "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06", "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting 
netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \nSigned-off-by: Eric Dumazet \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 330413 }, { "func": "static const char *vnc_auth_name(VncDisplay *vd) {\n switch (vd->auth) {\n case VNC_AUTH_INVALID:\n return \"invalid\";\n case VNC_AUTH_NONE:\n return \"none\";\n case VNC_AUTH_VNC:\n return \"vnc\";\n case VNC_AUTH_RA2:\n return \"ra2\";\n case VNC_AUTH_RA2NE:\n return \"ra2ne\";\n case VNC_AUTH_TIGHT:\n return \"tight\";\n case VNC_AUTH_ULTRA:\n return \"ultra\";\n case VNC_AUTH_TLS:\n return \"tls\";\n case VNC_AUTH_VENCRYPT:\n switch (vd->subauth) {\n case VNC_AUTH_VENCRYPT_PLAIN:\n return \"vencrypt+plain\";\n case VNC_AUTH_VENCRYPT_TLSNONE:\n return \"vencrypt+tls+none\";\n case VNC_AUTH_VENCRYPT_TLSVNC:\n return \"vencrypt+tls+vnc\";\n case VNC_AUTH_VENCRYPT_TLSPLAIN:\n return \"vencrypt+tls+plain\";\n case VNC_AUTH_VENCRYPT_X509NONE:\n return \"vencrypt+x509+none\";\n case VNC_AUTH_VENCRYPT_X509VNC:\n return \"vencrypt+x509+vnc\";\n case VNC_AUTH_VENCRYPT_X509PLAIN:\n return \"vencrypt+x509+plain\";\n case VNC_AUTH_VENCRYPT_TLSSASL:\n return \"vencrypt+tls+sasl\";\n case VNC_AUTH_VENCRYPT_X509SASL:\n return \"vencrypt+x509+sasl\";\n default:\n return \"vencrypt\";\n }\n case VNC_AUTH_SASL:\n return \"sasl\";\n }\n return \"unknown\";\n}", "project": "qemu", "hash": 139114253278531834397606390397307642831, "size": 46, "commit_id": "4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3", "message": "ui: vnc: avoid floating point exception\n\nWhile sending 'SetPixelFormat' messages to a VNC server,\nthe client could set the 'red-max', 'green-max' and 'blue-max'\nvalues to be zero. 
This leads to a floating point exception in\nwrite_png_palette while doing frame buffer updates.\n\nReported-by: Lian Yihan \nSigned-off-by: Prasad J Pandit \nReviewed-by: Gerd Hoffmann \nSigned-off-by: Peter Maydell ", "target": 0, "dataset": "other", "idx": 330523 }, { "func": "repodata_lookup_num(Repodata *data, Id solvid, Id keyname, unsigned long long notfound)\n{\n unsigned char *dp;\n Repokey *key;\n unsigned int high, low;\n\n dp = find_key_data(data, solvid, keyname, &key);\n if (!dp)\n return notfound;\n switch (key->type)\n {\n case REPOKEY_TYPE_NUM:\n data_read_num64(dp, &low, &high);\n return (unsigned long long)high << 32 | low;\n case REPOKEY_TYPE_CONSTANT:\n return key->size;\n default:\n return notfound;\n }\n}", "project": "libsolv", "hash": 182201117033730852154489429339173187927, "size": 20, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333102 }, { "func": "repodata_lookup_idarray(Repodata *data, Id solvid, Id keyname, Queue *q)\n{\n unsigned char *dp;\n Repokey *key;\n Id id;\n int eof = 0;\n\n queue_empty(q);\n dp = find_key_data(data, solvid, keyname, &key);\n if (!dp)\n return 0;\n switch (key->type)\n {\n case REPOKEY_TYPE_CONSTANTID:\n queue_push(q, key->size);\n break;\n case REPOKEY_TYPE_ID:\n dp = data_read_id(dp, &id);\n queue_push(q, id);\n break;\n case REPOKEY_TYPE_IDARRAY:\n for (;;)\n\t{\n\t dp = data_read_ideof(dp, &id, &eof);\n\t queue_push(q, id);\n\t if (eof)\n\t break;\n\t}\n break;\n default:\n return 0;\n }\n return 1;\n}", "project": "libsolv", "hash": 261736702862690081749741984278449219658, "size": 34, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of 
last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333116 }, { "func": "repodata_set_kv(Repodata *data, Id solvid, Id keyname, Id keytype, KeyValue *kv)\n{\n switch (keytype)\n {\n case REPOKEY_TYPE_ID:\n repodata_set_id(data, solvid, keyname, kv->id);\n break;\n case REPOKEY_TYPE_CONSTANTID:\n repodata_set_constantid(data, solvid, keyname, kv->id);\n break;\n case REPOKEY_TYPE_IDARRAY:\n repodata_add_idarray(data, solvid, keyname, kv->id);\n break;\n case REPOKEY_TYPE_STR:\n repodata_set_str(data, solvid, keyname, kv->str);\n break;\n case REPOKEY_TYPE_VOID:\n repodata_set_void(data, solvid, keyname);\n break;\n case REPOKEY_TYPE_NUM:\n repodata_set_num(data, solvid, keyname, SOLV_KV_NUM64(kv));\n break;\n case REPOKEY_TYPE_CONSTANT:\n repodata_set_constant(data, solvid, keyname, kv->num);\n break;\n case REPOKEY_TYPE_DIRNUMNUMARRAY:\n if (kv->id)\n repodata_add_dirnumnum(data, solvid, keyname, kv->id, kv->num, kv->num2);\n break;\n case REPOKEY_TYPE_DIRSTRARRAY:\n repodata_add_dirstr(data, solvid, keyname, kv->id, kv->str);\n break;\n case_CHKSUM_TYPES:\n repodata_set_bin_checksum(data, solvid, keyname, keytype, (const unsigned char *)kv->str);\n break;\n default:\n break;\n }\n}", "project": "libsolv", "hash": 245980890417734938015295302789398398438, "size": 39, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333163 }, { "func": "solvabledata_fetch(Solvable *s, KeyValue *kv, Id keyname)\n{\n kv->id = keyname;\n switch (keyname)\n {\n case SOLVABLE_NAME:\n kv->eof = 1;\n return &s->name;\n case SOLVABLE_ARCH:\n kv->eof = 1;\n return &s->arch;\n case 
SOLVABLE_EVR:\n kv->eof = 1;\n return &s->evr;\n case SOLVABLE_VENDOR:\n kv->eof = 1;\n return &s->vendor;\n case SOLVABLE_PROVIDES:\n kv->eof = 0;\n return s->provides ? s->repo->idarraydata + s->provides : 0;\n case SOLVABLE_OBSOLETES:\n kv->eof = 0;\n return s->obsoletes ? s->repo->idarraydata + s->obsoletes : 0;\n case SOLVABLE_CONFLICTS:\n kv->eof = 0;\n return s->conflicts ? s->repo->idarraydata + s->conflicts : 0;\n case SOLVABLE_REQUIRES:\n kv->eof = 0;\n return s->requires ? s->repo->idarraydata + s->requires : 0;\n case SOLVABLE_RECOMMENDS:\n kv->eof = 0;\n return s->recommends ? s->repo->idarraydata + s->recommends : 0;\n case SOLVABLE_SUPPLEMENTS:\n kv->eof = 0;\n return s->supplements ? s->repo->idarraydata + s->supplements : 0;\n case SOLVABLE_SUGGESTS:\n kv->eof = 0;\n return s->suggests ? s->repo->idarraydata + s->suggests : 0;\n case SOLVABLE_ENHANCES:\n kv->eof = 0;\n return s->enhances ? s->repo->idarraydata + s->enhances : 0;\n case RPM_RPMDBID:\n kv->eof = 1;\n return s->repo->rpmdbid ? 
s->repo->rpmdbid + (s - s->repo->pool->solvables - s->repo->start) : 0;\n default:\n return 0;\n }\n}", "project": "libsolv", "hash": 167861335753939543422932498985537785859, "size": 48, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333166 }, { "func": "repodata_lookup_bin_checksum(Repodata *data, Id solvid, Id keyname, Id *typep)\n{\n unsigned char *dp;\n Repokey *key;\n\n dp = find_key_data(data, solvid, keyname, &key);\n if (!dp)\n return 0;\n switch (key->type)\n {\n case_CHKSUM_TYPES:\n break;\n default:\n return 0;\n }\n *typep = key->type;\n return dp;\n}", "project": "libsolv", "hash": 254465477956717086438345825833029974036, "size": 18, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333173 }, { "func": "repodata_stringify(Pool *pool, Repodata *data, Repokey *key, KeyValue *kv, int flags)\n{\n switch (key->type)\n {\n case REPOKEY_TYPE_ID:\n case REPOKEY_TYPE_CONSTANTID:\n case REPOKEY_TYPE_IDARRAY:\n if (data && data->localpool)\n\tkv->str = stringpool_id2str(&data->spool, kv->id);\n else\n\tkv->str = pool_id2str(pool, kv->id);\n if ((flags & SEARCH_SKIP_KIND) != 0 && key->storage == KEY_STORAGE_SOLVABLE && (key->name == SOLVABLE_NAME || key->type == REPOKEY_TYPE_IDARRAY))\n\t{\n\t const char *s;\n\t for (s = kv->str; *s >= 'a' && *s <= 'z'; s++)\n\t ;\n\t if (*s == ':' && s > kv->str)\n\t kv->str = s + 1;\n\t}\n return kv->str;\n case REPOKEY_TYPE_STR:\n return kv->str;\n case REPOKEY_TYPE_DIRSTRARRAY:\n 
if (!(flags & SEARCH_FILES))\n\treturn kv->str;\t/* match just the basename */\n if (kv->num)\n\treturn kv->str;\t/* already stringified */\n /* Put the full filename into kv->str. */\n kv->str = repodata_dir2str(data, kv->id, kv->str);\n kv->num = 1;\t/* mark stringification */\n return kv->str;\n case_CHKSUM_TYPES:\n if (!(flags & SEARCH_CHECKSUMS))\n\treturn 0;\t/* skip em */\n if (kv->num)\n\treturn kv->str;\t/* already stringified */\n kv->str = repodata_chk2str(data, key->type, (const unsigned char *)kv->str);\n kv->num = 1;\t/* mark stringification */\n return kv->str;\n default:\n return 0;\n }\n}", "project": "libsolv", "hash": 29315709222529736625460981732681956586, "size": 43, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333175 }, { "func": "datamatcher_checkbasename(Datamatcher *ma, const char *basename)\n{\n int l;\n const char *match = ma->matchdata;\n if (!match)\n return 1;\n switch (ma->flags & SEARCH_STRINGMASK)\n {\n case SEARCH_STRING:\n break;\n case SEARCH_STRINGEND:\n if (match != ma->match)\n\tbreak;\t\t/* had slash, do exact match on basename */\n /* FALLTHROUGH */\n case SEARCH_GLOB:\n /* check if the basename ends with match */\n l = strlen(basename) - strlen(match);\n if (l < 0)\n\treturn 0;\n basename += l;\n break;\n default:\n return 1;\t/* maybe matches */\n }\n if ((ma->flags & SEARCH_NOCASE) != 0)\n return !strcasecmp(match, basename);\n else\n return !strcmp(match, basename);\n}", "project": "libsolv", "hash": 39893542155738102130443905075555816753, "size": 29, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than 
length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333176 }, { "func": "datamatcher_match(Datamatcher *ma, const char *str)\n{\n int l;\n switch ((ma->flags & SEARCH_STRINGMASK))\n {\n case SEARCH_SUBSTRING:\n if (ma->flags & SEARCH_NOCASE)\n\treturn strcasestr(str, ma->match) != 0;\n else\n\treturn strstr(str, ma->match) != 0;\n case SEARCH_STRING:\n if (ma->flags & SEARCH_NOCASE)\n\treturn !strcasecmp(ma->match, str);\n else\n\treturn !strcmp(ma->match, str);\n case SEARCH_STRINGSTART:\n if (ma->flags & SEARCH_NOCASE)\n return !strncasecmp(ma->match, str, strlen(ma->match));\n else\n return !strncmp(ma->match, str, strlen(ma->match));\n case SEARCH_STRINGEND:\n l = strlen(str) - strlen(ma->match);\n if (l < 0)\n\treturn 0;\n if (ma->flags & SEARCH_NOCASE)\n\treturn !strcasecmp(ma->match, str + l);\n else\n\treturn !strcmp(ma->match, str + l);\n case SEARCH_GLOB:\n return !fnmatch(ma->match, str, (ma->flags & SEARCH_NOCASE) ? 
FNM_CASEFOLD : 0);\n case SEARCH_REGEX:\n return !regexec((const regex_t *)ma->matchdata, str, 0, NULL, 0);\n default:\n return 0;\n }\n}", "project": "libsolv", "hash": 139729358804907678124725284395747124784, "size": 36, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333187 }, { "func": "data_skip_key(Repodata *data, unsigned char *dp, Repokey *key)\n{\n int nentries, schema;\n switch(key->type)\n {\n case REPOKEY_TYPE_FIXARRAY:\n dp = data_read_id(dp, &nentries);\n if (!nentries)\n\treturn dp;\n dp = data_read_id(dp, &schema);\n while (nentries--)\n\tdp = data_skip_schema(data, dp, schema);\n return dp;\n case REPOKEY_TYPE_FLEXARRAY:\n dp = data_read_id(dp, &nentries);\n while (nentries--)\n\t{\n\t dp = data_read_id(dp, &schema);\n\t dp = data_skip_schema(data, dp, schema);\n\t}\n return dp;\n default:\n if (key->storage == KEY_STORAGE_INCORE)\n dp = data_skip(dp, key->type);\n else if (key->storage == KEY_STORAGE_VERTICAL_OFFSET)\n\t{\n\t dp = data_skip(dp, REPOKEY_TYPE_ID);\n\t dp = data_skip(dp, REPOKEY_TYPE_ID);\n\t}\n return dp;\n }\n}", "project": "libsolv", "hash": 303607463514069357378814568453813484760, "size": 32, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333190 }, { "func": "data_fetch_uninternalized(Repodata *data, Repokey *key, Id value, KeyValue *kv)\n{\n Id *array;\n kv->eof = 1;\n switch (key->type)\n {\n case REPOKEY_TYPE_STR:\n kv->str = (const char *)data->attrdata + value;\n return;\n 
case REPOKEY_TYPE_CONSTANT:\n kv->num2 = 0;\n kv->num = key->size;\n return;\n case REPOKEY_TYPE_CONSTANTID:\n kv->id = key->size;\n return;\n case REPOKEY_TYPE_NUM:\n kv->num2 = 0;\n kv->num = value;\n if (value & 0x80000000)\n\t{\n\t kv->num = (unsigned int)data->attrnum64data[value ^ 0x80000000];\n\t kv->num2 = (unsigned int)(data->attrnum64data[value ^ 0x80000000] >> 32);\n\t}\n return;\n case_CHKSUM_TYPES:\n kv->num = 0;\t/* not stringified */\n kv->str = (const char *)data->attrdata + value;\n return;\n case REPOKEY_TYPE_BINARY:\n kv->str = (const char *)data_read_id(data->attrdata + value, (Id *)&kv->num);\n return;\n case REPOKEY_TYPE_IDARRAY:\n array = data->attriddata + (value + kv->entry);\n kv->id = array[0];\n kv->eof = array[1] ? 0 : 1;\n return;\n case REPOKEY_TYPE_DIRSTRARRAY:\n kv->num = 0;\t/* not stringified */\n array = data->attriddata + (value + kv->entry * 2);\n kv->id = array[0];\n kv->str = (const char *)data->attrdata + array[1];\n kv->eof = array[2] ? 0 : 1;\n return;\n case REPOKEY_TYPE_DIRNUMNUMARRAY:\n array = data->attriddata + (value + kv->entry * 3);\n kv->id = array[0];\n kv->num = array[1];\n kv->num2 = array[2];\n kv->eof = array[3] ? 0 : 1;\n return;\n case REPOKEY_TYPE_FIXARRAY:\n case REPOKEY_TYPE_FLEXARRAY:\n array = data->attriddata + (value + kv->entry);\n kv->id = array[0];\t\t/* the handle */\n kv->eof = array[1] ? 
0 : 1;\n return;\n default:\n kv->id = value;\n return;\n }\n}", "project": "libsolv", "hash": 277645994829767427474730867460304731952, "size": 62, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333202 }, { "func": "dataiterator_seek(Dataiterator *di, int whence)\n{\n if ((whence & DI_SEEK_STAY) != 0)\n di->rootlevel = di->nparents;\n switch (whence & ~DI_SEEK_STAY)\n {\n case DI_SEEK_CHILD:\n if (di->state != di_nextarrayelement)\n\tbreak;\n if ((whence & DI_SEEK_STAY) != 0)\n\tdi->rootlevel = di->nparents + 1;\t/* XXX: dangerous! */\n di->state = di_entersub;\n break;\n case DI_SEEK_PARENT:\n if (!di->nparents)\n\t{\n\t di->state = di_bye;\n\t break;\n\t}\n di->nparents--;\n if (di->rootlevel > di->nparents)\n\tdi->rootlevel = di->nparents;\n di->dp = di->parents[di->nparents].dp;\n di->kv = di->parents[di->nparents].kv;\n di->keyp = di->parents[di->nparents].keyp;\n di->key = di->data->keys + *di->keyp;\n di->ddp = (unsigned char *)di->kv.str;\n di->keyname = di->keynames[di->nparents - di->rootlevel];\n di->state = di_nextarrayelement;\n break;\n case DI_SEEK_REWIND:\n if (!di->nparents)\n\t{\n\t di->state = di_bye;\n\t break;\n\t}\n di->dp = (unsigned char *)di->kv.parent->str;\n di->keyp = di->data->schemadata + di->data->schemata[di->kv.parent->id];\n di->state = di_enterschema;\n break;\n default:\n break;\n }\n}", "project": "libsolv", "hash": 10200487585873494387369571373073746078, "size": 44, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", 
"target": 0, "dataset": "other", "idx": 333213 }, { "func": "dataiterator_strdup(Dataiterator *di)\n{\n int l = -1;\n\n if (!di->kv.str || di->kv.str == di->dupstr)\n return;\n switch (di->key->type)\n {\n case_CHKSUM_TYPES:\n case REPOKEY_TYPE_DIRSTRARRAY:\n if (di->kv.num)\t/* was it stringified into tmp space? */\n l = strlen(di->kv.str) + 1;\n break;\n default:\n break;\n }\n if (l < 0 && di->key->storage == KEY_STORAGE_VERTICAL_OFFSET)\n {\n switch (di->key->type)\n\t{\n\tcase REPOKEY_TYPE_STR:\n\tcase REPOKEY_TYPE_DIRSTRARRAY:\n\t l = strlen(di->kv.str) + 1;\n\t break;\n\tcase_CHKSUM_TYPES:\n\t l = solv_chksum_len(di->key->type);\n\t break;\n\tcase REPOKEY_TYPE_BINARY:\n\t l = di->kv.num;\n\t break;\n\t}\n }\n if (l >= 0)\n {\n if (!di->dupstrn || di->dupstrn < l)\n\t{\n\t di->dupstrn = l + 16;\n\t di->dupstr = solv_realloc(di->dupstr, di->dupstrn);\n\t}\n if (l)\n memcpy(di->dupstr, di->kv.str, l);\n di->kv.str = di->dupstr;\n }\n}", "project": "libsolv", "hash": 48977525156320506199342716281297350930, "size": 44, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333223 }, { "func": "_tiffSeekProc(thandle_t hdata, toff_t off, int whence) {\n TIFFSTATE *state = (TIFFSTATE *)hdata;\n\n TRACE((\"_tiffSeekProc: off: %u whence: %d \\n\", (uint)off, whence));\n dump_state(state);\n switch (whence) {\n case 0:\n state->loc = off;\n break;\n case 1:\n state->loc += off;\n break;\n case 2:\n state->loc = state->eof + off;\n break;\n }\n dump_state(state);\n return state->loc;\n}", "project": "Pillow", "hash": 77754525170865080885596504070781682345, "size": 19, "commit_id": "3fee28eb9479bf7d59e0fa08068f9cc4a6e2f04c", "message": "Incorrect error code checking in TiffDecode.c\n\n* since Pillow 
8.1.0\n* CVE-2021-25289", "target": 0, "dataset": "other", "idx": 333831 }, { "func": "method_from_memberref (MonoImage *image, guint32 idx, MonoGenericContext *typespec_context,\n\t\t gboolean *used_context)\n{\n\tMonoClass *klass = NULL;\n\tMonoMethod *method = NULL;\n\tMonoTableInfo *tables = image->tables;\n\tguint32 cols[6];\n\tguint32 nindex, class, sig_idx;\n\tconst char *mname;\n\tMonoMethodSignature *sig;\n\tconst char *ptr;\n\n\tmono_metadata_decode_row (&tables [MONO_TABLE_MEMBERREF], idx-1, cols, 3);\n\tnindex = cols [MONO_MEMBERREF_CLASS] >> MONO_MEMBERREF_PARENT_BITS;\n\tclass = cols [MONO_MEMBERREF_CLASS] & MONO_MEMBERREF_PARENT_MASK;\n\t/*g_print (\"methodref: 0x%x 0x%x %s\\n\", class, nindex,\n\t\tmono_metadata_string_heap (m, cols [MONO_MEMBERREF_NAME]));*/\n\n\tmname = mono_metadata_string_heap (image, cols [MONO_MEMBERREF_NAME]);\n\n\t/*\n\t * Whether we actually used the `typespec_context' or not.\n\t * This is used to tell our caller whether or not it's safe to insert the returned\n\t * method into a cache.\n\t */\n\tif (used_context)\n\t\t*used_context = class == MONO_MEMBERREF_PARENT_TYPESPEC;\n\n\tswitch (class) {\n\tcase MONO_MEMBERREF_PARENT_TYPEREF:\n\t\tklass = mono_class_from_typeref (image, MONO_TOKEN_TYPE_REF | nindex);\n\t\tif (!klass) {\n\t\t\tchar *name = mono_class_name_from_token (image, MONO_TOKEN_TYPE_REF | nindex);\n\t\t\tg_warning (\"Missing method %s in assembly %s, type %s\", mname, image->name, name);\n\t\t\tmono_loader_set_error_type_load (name, image->assembly_name);\n\t\t\tg_free (name);\n\t\t\treturn NULL;\n\t\t}\n\t\tbreak;\n\tcase MONO_MEMBERREF_PARENT_TYPESPEC:\n\t\t/*\n\t\t * Parse the TYPESPEC in the parent's context.\n\t\t */\n\t\tklass = mono_class_get_full (image, MONO_TOKEN_TYPE_SPEC | nindex, typespec_context);\n\t\tif (!klass) {\n\t\t\tchar *name = mono_class_name_from_token (image, MONO_TOKEN_TYPE_SPEC | nindex);\n\t\t\tg_warning (\"Missing method %s in assembly %s, type %s\", mname, image->name, 
name);\n\t\t\tmono_loader_set_error_type_load (name, image->assembly_name);\n\t\t\tg_free (name);\n\t\t\treturn NULL;\n\t\t}\n\t\tbreak;\n\tcase MONO_MEMBERREF_PARENT_TYPEDEF:\n\t\tklass = mono_class_get (image, MONO_TOKEN_TYPE_DEF | nindex);\n\t\tif (!klass) {\n\t\t\tchar *name = mono_class_name_from_token (image, MONO_TOKEN_TYPE_DEF | nindex);\n\t\t\tg_warning (\"Missing method %s in assembly %s, type %s\", mname, image->name, name);\n\t\t\tmono_loader_set_error_type_load (name, image->assembly_name);\n\t\t\tg_free (name);\n\t\t\treturn NULL;\n\t\t}\n\t\tbreak;\n\tcase MONO_MEMBERREF_PARENT_METHODDEF:\n\t\treturn mono_get_method (image, MONO_TOKEN_METHOD_DEF | nindex, NULL);\n\t\t\n\tdefault:\n\t\t{\n\t\t\t/* This message leaks */\n\t\t\tchar *message = g_strdup_printf (\"Memberref parent unknown: class: %d, index %d\", class, nindex);\n\t\t\tmono_loader_set_error_method_load (\"\", message);\n\t\t\treturn NULL;\n\t\t}\n\n\t}\n\tg_assert (klass);\n\tmono_class_init (klass);\n\n\tsig_idx = cols [MONO_MEMBERREF_SIGNATURE];\n\n\tif (!mono_verifier_verify_memberref_signature (image, sig_idx, NULL)) {\n\t\tmono_loader_set_error_method_load (klass->name, mname);\n\t\treturn NULL;\n\t}\n\n\tptr = mono_metadata_blob_heap (image, sig_idx);\n\tmono_metadata_decode_blob_size (ptr, &ptr);\n\n\tsig = find_cached_memberref_sig (image, sig_idx);\n\tif (!sig) {\n\t\tsig = mono_metadata_parse_method_signature (image, 0, ptr, NULL);\n\t\tif (sig == NULL)\n\t\t\treturn NULL;\n\n\t\tsig = cache_memberref_sig (image, sig_idx, sig);\n\t}\n\n\tswitch (class) {\n\tcase MONO_MEMBERREF_PARENT_TYPEREF:\n\tcase MONO_MEMBERREF_PARENT_TYPEDEF:\n\t\tmethod = find_method (klass, NULL, mname, sig, klass);\n\t\tbreak;\n\n\tcase MONO_MEMBERREF_PARENT_TYPESPEC: {\n\t\tMonoType *type;\n\n\t\ttype = &klass->byval_arg;\n\n\t\tif (type->type != MONO_TYPE_ARRAY && type->type != MONO_TYPE_SZARRAY) {\n\t\t\tMonoClass *in_class = klass->generic_class ? 
klass->generic_class->container_class : klass;\n\t\t\tmethod = find_method (in_class, NULL, mname, sig, klass);\n\t\t\tbreak;\n\t\t}\n\n\t\t/* we're an array and we created these methods already in klass in mono_class_init () */\n\t\tmethod = mono_method_search_in_array_class (klass, mname, sig);\n\t\tbreak;\n\t}\n\tdefault:\n\t\tg_error (\"Memberref parent unknown: class: %d, index %d\", class, nindex);\n\t\tg_assert_not_reached ();\n\t}\n\n\tif (!method) {\n\t\tchar *msig = mono_signature_get_desc (sig, FALSE);\n\t\tchar * class_name = mono_type_get_name (&klass->byval_arg);\n\t\tGString *s = g_string_new (mname);\n\t\tif (sig->generic_param_count)\n\t\t\tg_string_append_printf (s, \"<[%d]>\", sig->generic_param_count);\n\t\tg_string_append_printf (s, \"(%s)\", msig);\n\t\tg_free (msig);\n\t\tmsig = g_string_free (s, FALSE);\n\n\t\tg_warning (\n\t\t\t\"Missing method %s::%s in assembly %s, referenced in assembly %s\",\n\t\t\tclass_name, msig, klass->image->name, image->name);\n\t\tmono_loader_set_error_method_load (class_name, mname);\n\t\tg_free (msig);\n\t\tg_free (class_name);\n\t}\n\n\treturn method;\n}", "project": "mono", "hash": 41988716889051350062038418219136280505, "size": 142, "commit_id": "8e890a3bf80a4620e417814dc14886b1bbd17625", "message": "Search for dllimported shared libs in the base directory, not cwd.\n\n* loader.c: we don't search the current directory anymore for shared\nlibraries referenced in DllImport attributes, as it has a slight\nsecurity risk. We search in the same directory where the referencing\nimage was loaded from, instead. 
Fixes bug# 641915.", "target": 0, "dataset": "other", "idx": 334496 }, { "func": "field_from_memberref (MonoImage *image, guint32 token, MonoClass **retklass,\n\t\t MonoGenericContext *context)\n{\n\tMonoClass *klass;\n\tMonoClassField *field;\n\tMonoTableInfo *tables = image->tables;\n\tMonoType *sig_type;\n\tguint32 cols[6];\n\tguint32 nindex, class, class_table;\n\tconst char *fname;\n\tconst char *ptr;\n\tguint32 idx = mono_metadata_token_index (token);\n\n\tmono_metadata_decode_row (&tables [MONO_TABLE_MEMBERREF], idx-1, cols, MONO_MEMBERREF_SIZE);\n\tnindex = cols [MONO_MEMBERREF_CLASS] >> MONO_MEMBERREF_PARENT_BITS;\n\tclass = cols [MONO_MEMBERREF_CLASS] & MONO_MEMBERREF_PARENT_MASK;\n\n\tfname = mono_metadata_string_heap (image, cols [MONO_MEMBERREF_NAME]);\n\n\tif (!mono_verifier_verify_memberref_signature (image, cols [MONO_MEMBERREF_SIGNATURE], NULL)) {\n\t\tmono_loader_set_error_bad_image (g_strdup_printf (\"Bad field signature class token 0x%08x field name %s token 0x%08x on image %s\", class, fname, token, image->name));\n\t\treturn NULL;\n\t}\n\n\tswitch (class) {\n\tcase MONO_MEMBERREF_PARENT_TYPEDEF:\n\t\tclass_table = MONO_TOKEN_TYPE_DEF;\n\t\tklass = mono_class_get (image, MONO_TOKEN_TYPE_DEF | nindex);\n\t\tbreak;\n\tcase MONO_MEMBERREF_PARENT_TYPEREF:\n\t\tclass_table = MONO_TOKEN_TYPE_REF;\n\t\tklass = mono_class_from_typeref (image, MONO_TOKEN_TYPE_REF | nindex);\n\t\tbreak;\n\tcase MONO_MEMBERREF_PARENT_TYPESPEC:\n\t\tclass_table = MONO_TOKEN_TYPE_SPEC;\n\t\tklass = mono_class_get_full (image, MONO_TOKEN_TYPE_SPEC | nindex, context);\n\t\tbreak;\n\tdefault:\n\t\t/*FIXME this must set a loader error!*/\n\t\tg_warning (\"field load from %x\", class);\n\t\treturn NULL;\n\t}\n\n\tif (!klass) {\n\t\tchar *name = mono_class_name_from_token (image, class_table | nindex);\n\t\tg_warning (\"Missing field %s in class %s (type token %d)\", fname, name, class_table | nindex);\n\t\tmono_loader_set_error_type_load (name, image->assembly_name);\n\t\tg_free 
(name);\n\t\treturn NULL;\n\t}\n\n\tptr = mono_metadata_blob_heap (image, cols [MONO_MEMBERREF_SIGNATURE]);\n\tmono_metadata_decode_blob_size (ptr, &ptr);\n\t/* we may want to check the signature here... */\n\n\tif (*ptr++ != 0x6) {\n\t\tg_warning (\"Bad field signature class token %08x field name %s token %08x\", class, fname, token);\n\t\tmono_loader_set_error_field_load (klass, fname);\n\t\treturn NULL;\n\t}\n\t/* FIXME: This needs a cache, especially for generic instances, since\n\t * mono_metadata_parse_type () allocates everything from a mempool.\n\t */\n\tsig_type = find_cached_memberref_sig (image, cols [MONO_MEMBERREF_SIGNATURE]);\n\tif (!sig_type) {\n\t\tsig_type = mono_metadata_parse_type (image, MONO_PARSE_TYPE, 0, ptr, &ptr);\n\t\tif (sig_type == NULL) {\n\t\t\tmono_loader_set_error_field_load (klass, fname);\n\t\t\treturn NULL;\n\t\t}\n\t\tsig_type = cache_memberref_sig (image, cols [MONO_MEMBERREF_SIGNATURE], sig_type);\n\t}\n\n\tmono_class_init (klass); /*FIXME is this really necessary?*/\n\tif (retklass)\n\t\t*retklass = klass;\n\tfield = mono_class_get_field_from_name_full (klass, fname, sig_type);\n\n\tif (!field)\n\t\tmono_loader_set_error_field_load (klass, fname);\n\n\treturn field;\n}", "project": "mono", "hash": 212497351050666973257805926893917743445, "size": 83, "commit_id": "8e890a3bf80a4620e417814dc14886b1bbd17625", "message": "Search for dllimported shared libs in the base directory, not cwd.\n\n* loader.c: we don't search the current directory anymore for shared\nlibraries referenced in DllImport attributes, as it has a slight\nsecurity risk. We search in the same directory where the referencing\nimage was loaded from, instead. 
Fixes bug# 641915.", "target": 0, "dataset": "other", "idx": 334513 }, { "func": "mono_loader_error_prepare_exception (MonoLoaderError *error)\n{\n\tMonoException *ex = NULL;\n\n\tswitch (error->exception_type) {\n\tcase MONO_EXCEPTION_TYPE_LOAD: {\n\t\tchar *cname = g_strdup (error->class_name);\n\t\tchar *aname = g_strdup (error->assembly_name);\n\t\tMonoString *class_name;\n\t\t\n\t\tmono_loader_clear_error ();\n\t\t\n\t\tclass_name = mono_string_new (mono_domain_get (), cname);\n\n\t\tex = mono_get_exception_type_load (class_name, aname);\n\t\tg_free (cname);\n\t\tg_free (aname);\n\t\tbreak;\n }\n\tcase MONO_EXCEPTION_MISSING_METHOD: {\n\t\tchar *cname = g_strdup (error->class_name);\n\t\tchar *aname = g_strdup (error->member_name);\n\t\t\n\t\tmono_loader_clear_error ();\n\t\tex = mono_get_exception_missing_method (cname, aname);\n\t\tg_free (cname);\n\t\tg_free (aname);\n\t\tbreak;\n\t}\n\t\t\n\tcase MONO_EXCEPTION_MISSING_FIELD: {\n\t\tchar *cnspace = g_strdup ((error->klass && *error->klass->name_space) ? error->klass->name_space : \"\");\n\t\tchar *cname = g_strdup (error->klass ? error->klass->name : \"\");\n\t\tchar *cmembername = g_strdup (error->member_name);\n char *class_name;\n\n\t\tmono_loader_clear_error ();\n\t\tclass_name = g_strdup_printf (\"%s%s%s\", cnspace, cnspace ? \".\" : \"\", cname);\n\t\t\n\t\tex = mono_get_exception_missing_field (class_name, cmembername);\n\t\tg_free (class_name);\n\t\tg_free (cname);\n\t\tg_free (cmembername);\n\t\tg_free (cnspace);\n\t\tbreak;\n }\n\t\n\tcase MONO_EXCEPTION_FILE_NOT_FOUND: {\n\t\tchar *msg;\n\t\tchar *filename;\n\n\t\tif (error->ref_only)\n\t\t\tmsg = g_strdup_printf (\"Cannot resolve dependency to assembly '%s' because it has not been preloaded. 
When using the ReflectionOnly APIs, dependent assemblies must be pre-loaded or loaded on demand through the ReflectionOnlyAssemblyResolve event.\", error->assembly_name);\n\t\telse\n\t\t\tmsg = g_strdup_printf (\"Could not load file or assembly '%s' or one of its dependencies.\", error->assembly_name);\n\t\tfilename = g_strdup (error->assembly_name);\n\t\t/* Has to call this before calling anything which might call mono_class_init () */\n\t\tmono_loader_clear_error ();\n\t\tex = mono_get_exception_file_not_found2 (msg, mono_string_new (mono_domain_get (), filename));\n\t\tg_free (msg);\n\t\tg_free (filename);\n\t\tbreak;\n\t}\n\n\tcase MONO_EXCEPTION_BAD_IMAGE: {\n\t\tchar *msg = g_strdup (error->msg);\n\t\tmono_loader_clear_error ();\n\t\tex = mono_get_exception_bad_image_format (msg);\n\t\tg_free (msg);\n\t\tbreak;\n\t}\n\n\tdefault:\n\t\tg_assert_not_reached ();\n\t}\n\n\treturn ex;\n}", "project": "mono", "hash": 80152244309077199366702488968990859114, "size": 78, "commit_id": "8e890a3bf80a4620e417814dc14886b1bbd17625", "message": "Search for dllimported shared libs in the base directory, not cwd.\n\n* loader.c: we don't search the current directory anymore for shared\nlibraries referenced in DllImport attributes, as it has a slight\nsecurity risk. We search in the same directory where the referencing\nimage was loaded from, instead. 
Fixes bug# 641915.", "target": 0, "dataset": "other", "idx": 334518 }, { "func": "dnp3_al_obj_procprefix(tvbuff_t *tvb, int offset, guint8 al_objq_prefix, guint32 *al_ptaddr, proto_tree *item_tree)\n{\n int prefixbytes = 0;\n proto_item *prefix_item;\n\n switch (al_objq_prefix)\n {\n case AL_OBJQL_PREFIX_NI: /* No Prefix */\n prefixbytes = 0;\n prefix_item = proto_tree_add_uint(item_tree, hf_dnp3_al_point_index, tvb, offset, 0, *al_ptaddr);\n proto_item_set_generated(prefix_item);\n break;\n case AL_OBJQL_PREFIX_1O:\n *al_ptaddr = tvb_get_guint8(tvb, offset);\n proto_tree_add_item(item_tree, hf_dnp3_al_index8, tvb, offset, 1, ENC_LITTLE_ENDIAN);\n prefixbytes = 1;\n break;\n case AL_OBJQL_PREFIX_2O:\n *al_ptaddr = tvb_get_letohs(tvb, offset);\n proto_tree_add_item(item_tree, hf_dnp3_al_index16, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n prefixbytes = 2;\n break;\n case AL_OBJQL_PREFIX_4O:\n *al_ptaddr = tvb_get_letohl(tvb, offset);\n proto_tree_add_item(item_tree, hf_dnp3_al_index32, tvb, offset, 4, ENC_LITTLE_ENDIAN);\n prefixbytes = 4;\n break;\n case AL_OBJQL_PREFIX_1OS:\n *al_ptaddr = tvb_get_guint8(tvb, offset);\n proto_tree_add_item(item_tree, hf_dnp3_al_size8, tvb, offset, 1, ENC_LITTLE_ENDIAN);\n prefixbytes = 1;\n break;\n case AL_OBJQL_PREFIX_2OS:\n *al_ptaddr = tvb_get_letohs(tvb, offset);\n proto_tree_add_item(item_tree, hf_dnp3_al_size16, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n prefixbytes = 2;\n break;\n case AL_OBJQL_PREFIX_4OS:\n *al_ptaddr = tvb_get_letohl(tvb, offset);\n proto_tree_add_item(item_tree, hf_dnp3_al_size32, tvb, offset, 4, ENC_LITTLE_ENDIAN);\n prefixbytes = 4;\n break;\n }\n return prefixbytes;\n}", "project": "wireshark", "hash": 309050247187502083199025176522757557785, "size": 45, "commit_id": "618661b22e34a59b21117db723d8ff91e064d4ba", "message": "dnp: plug a memory leak.\n\nIf we're throwing away the data, *throw away the data* - free it, as\nwe're not using it as the backing data for a tvbuff.", "target": 0, "dataset": "other", "idx": 
335501 }, { "func": "dnp3_al_process_object(tvbuff_t *tvb, packet_info *pinfo, int offset,\n proto_tree *robj_tree, gboolean header_only,\n guint16 *al_objtype, nstime_t *al_cto)\n{\n\n guint8 al_objq, al_objq_prefix, al_objq_range, al_oct_len = 0, bitindex;\n guint16 al_obj, temp;\n guint32 al_ptaddr = 0;\n int num_items = 0;\n int orig_offset, rangebytes = 0;\n proto_item *object_item, *range_item;\n proto_tree *object_tree, *qualifier_tree, *range_tree;\n\n orig_offset = offset;\n\n /* Application Layer Objects in this Message */\n *al_objtype =\n al_obj = tvb_get_ntohs(tvb, offset);\n\n /* Special handling for Octet string objects as the variation is the length of the string */\n temp = al_obj & 0xFF00;\n if ((temp == AL_OBJ_OCT) || (temp == AL_OBJ_OCT_EVT )) {\n al_oct_len = al_obj & 0xFF;\n al_obj = temp;\n }\n\n /* Create Data Objects Detail Tree */\n if (AL_OBJ_GROUP(al_obj) == 0x0) {\n object_item = proto_tree_add_uint_format(robj_tree, hf_dnp3_al_obj, tvb, offset, 2, al_obj,\n \"Object(s): %s (0x%04x)\",\n val_to_str_ext_const(al_obj, &dnp3_al_obj_vals_ext, \"Unknown group 0 Variation\"),\n al_obj);\n if (try_val_to_str_ext(al_obj, &dnp3_al_obj_vals_ext) == NULL) {\n expert_add_info(pinfo, object_item, &ei_dnp3_unknown_group0_variation);\n }\n }\n else {\n object_item = proto_tree_add_uint_format(robj_tree, hf_dnp3_al_obj, tvb, offset, 2, al_obj,\n \"Object(s): %s (0x%04x)\",\n val_to_str_ext_const(al_obj, &dnp3_al_obj_vals_ext, \"Unknown Object\\\\Variation\"),\n al_obj);\n if (try_val_to_str_ext(al_obj, &dnp3_al_obj_vals_ext) == NULL) {\n expert_add_info(pinfo, object_item, &ei_dnp3_unknown_object);\n }\n }\n object_tree = proto_item_add_subtree(object_item, ett_dnp3_al_obj);\n\n offset += 2;\n\n /* Object Qualifier */\n al_objq = tvb_get_guint8(tvb, offset);\n al_objq_prefix = al_objq & AL_OBJQ_PREFIX;\n al_objq_prefix = al_objq_prefix >> 4;\n al_objq_range = al_objq & AL_OBJQ_RANGE;\n\n qualifier_tree = proto_tree_add_subtree_format(object_tree, tvb, 
offset, 1, ett_dnp3_al_obj_qualifier, NULL,\n \"Qualifier Field, Prefix: %s, Range: %s\",\n val_to_str_ext_const(al_objq_prefix, &dnp3_al_objq_prefix_vals_ext, \"Unknown Prefix Type\"),\n val_to_str_ext_const(al_objq_range, &dnp3_al_objq_range_vals_ext, \"Unknown Range Type\"));\n proto_tree_add_item(qualifier_tree, hf_dnp3_al_objq_prefix, tvb, offset, 1, ENC_BIG_ENDIAN);\n proto_tree_add_item(qualifier_tree, hf_dnp3_al_objq_range, tvb, offset, 1, ENC_BIG_ENDIAN);\n\n offset += 1;\n\n /* Create (possibly synthesized) number of items and range field tree */\n range_tree = proto_tree_add_subtree(object_tree, tvb, offset, 0, ett_dnp3_al_obj_range, &range_item, \"Number of Items: \");\n\n switch (al_objq_range)\n {\n case AL_OBJQL_RANGE_SSI8: /* 8-bit Start and Stop Indices in Range Field */\n num_items = ( tvb_get_guint8(tvb, offset+1) - tvb_get_guint8(tvb, offset) + 1);\n proto_item_set_generated(range_item);\n al_ptaddr = tvb_get_guint8(tvb, offset);\n proto_tree_add_item(range_tree, hf_dnp3_al_range_start8, tvb, offset, 1, ENC_LITTLE_ENDIAN);\n proto_tree_add_item(range_tree, hf_dnp3_al_range_stop8, tvb, offset + 1, 1, ENC_LITTLE_ENDIAN);\n rangebytes = 2;\n break;\n case AL_OBJQL_RANGE_SSI16: /* 16-bit Start and Stop Indices in Range Field */\n num_items = ( tvb_get_letohs(tvb, offset+2) - tvb_get_letohs(tvb, (offset)) + 1);\n proto_item_set_generated(range_item);\n al_ptaddr = tvb_get_letohs(tvb, offset);\n proto_tree_add_item(range_tree, hf_dnp3_al_range_start16, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n proto_tree_add_item(range_tree, hf_dnp3_al_range_stop16, tvb, offset + 2, 2, ENC_LITTLE_ENDIAN);\n rangebytes = 4;\n break;\n case AL_OBJQL_RANGE_SSI32: /* 32-bit Start and Stop Indices in Range Field */\n num_items = ( tvb_get_letohl(tvb, offset+4) - tvb_get_letohl(tvb, offset) + 1);\n proto_item_set_generated(range_item);\n al_ptaddr = tvb_get_letohl(tvb, offset);\n proto_tree_add_item(range_tree, hf_dnp3_al_range_start32, tvb, offset, 4, ENC_LITTLE_ENDIAN);\n 
proto_tree_add_item(range_tree, hf_dnp3_al_range_stop32, tvb, offset + 4, 4, ENC_LITTLE_ENDIAN);\n rangebytes = 8;\n break;\n case AL_OBJQL_RANGE_AA8: /* 8-bit Absolute Address in Range Field */\n num_items = 1;\n proto_item_set_generated(range_item);\n al_ptaddr = tvb_get_guint8(tvb, offset);\n proto_tree_add_item(range_tree, hf_dnp3_al_range_abs8, tvb, offset, 1, ENC_LITTLE_ENDIAN);\n rangebytes = 1;\n break;\n case AL_OBJQL_RANGE_AA16: /* 16-bit Absolute Address in Range Field */\n num_items = 1;\n proto_item_set_generated(range_item);\n al_ptaddr = tvb_get_letohs(tvb, offset);\n proto_tree_add_item(range_tree, hf_dnp3_al_range_abs16, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n rangebytes = 2;\n break;\n case AL_OBJQL_RANGE_AA32: /* 32-bit Absolute Address in Range Field */\n num_items = 1;\n proto_item_set_generated(range_item);\n al_ptaddr = tvb_get_letohl(tvb, offset);\n proto_tree_add_item(range_tree, hf_dnp3_al_range_abs32, tvb, offset, 4, ENC_LITTLE_ENDIAN);\n rangebytes = 4;\n break;\n case AL_OBJQL_RANGE_SF8: /* 8-bit Single Field Quantity in Range Field */\n num_items = tvb_get_guint8(tvb, offset);\n proto_tree_add_item(range_tree, hf_dnp3_al_range_quant8, tvb, offset, 1, ENC_LITTLE_ENDIAN);\n rangebytes = 1;\n proto_item_set_len(range_item, rangebytes);\n break;\n case AL_OBJQL_RANGE_SF16: /* 16-bit Single Field Quantity in Range Field */\n num_items = tvb_get_letohs(tvb, offset);\n proto_tree_add_item(range_tree, hf_dnp3_al_range_quant16, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n rangebytes = 2;\n proto_item_set_len(range_item, rangebytes);\n break;\n case AL_OBJQL_RANGE_SF32: /* 32-bit Single Field Quantity in Range Field */\n num_items = tvb_get_letohl(tvb, offset);\n proto_tree_add_item(range_tree, hf_dnp3_al_range_quant32, tvb, offset, 4, ENC_LITTLE_ENDIAN);\n rangebytes = 4;\n proto_item_set_len(range_item, rangebytes);\n break;\n case AL_OBJQL_RANGE_FF: /* 8 bit object count in Range Field */\n num_items = tvb_get_guint8(tvb, offset);\n 
proto_tree_add_item(range_tree, hf_dnp3_al_range_quant8, tvb, offset, 1, ENC_LITTLE_ENDIAN);\n rangebytes = 1;\n proto_item_set_len(range_item, rangebytes);\n }\n if (num_items > 0) {\n proto_item_append_text(object_item, \", %d point%s\", num_items, plurality(num_items, \"\", \"s\"));\n }\n proto_item_append_text(range_item, \"%d\", num_items);\n\n /* A negative number of items is an error */\n if (num_items < 0) {\n proto_item_append_text(range_item, \" (bogus)\");\n expert_add_info(pinfo, range_item, &ei_dnp_num_items_neg);\n return tvb_captured_length(tvb);\n }\n\n /* Move offset past any range field */\n offset += rangebytes;\n\n bitindex = 0; /* Temp variable for cycling through points when object values are encoded into\n bits; primarily objects 0x0101, 0x0301 & 0x1001 */\n\n /* Only process the point information for replies or items with point index lists */\n if (!header_only || al_objq_prefix > 0) {\n int item_num;\n int start_offset;\n\n start_offset = offset;\n for (item_num = 0; item_num < num_items; item_num++)\n {\n proto_item *point_item;\n proto_tree *point_tree;\n guint data_pos;\n int prefixbytes;\n\n /* Create Point item and process prefix */\n if (al_objq_prefix <= AL_OBJQL_PREFIX_4O) {\n point_tree = proto_tree_add_subtree(object_tree, tvb, offset, -1, ett_dnp3_al_obj_point, &point_item, \"Point Number\");\n }\n else {\n point_tree = proto_tree_add_subtree(object_tree, tvb, offset, -1, ett_dnp3_al_obj_point, &point_item, \"Object: Size\");\n }\n\n data_pos = offset;\n prefixbytes = dnp3_al_obj_procprefix(tvb, offset, al_objq_prefix, &al_ptaddr, point_tree);\n\n /* If this is an 'empty' object type and the num_items field is not equal to zero,\n then the packet is potentially malicious */\n if ((num_items != 0) && (dnp3_al_empty_obj(al_obj))) {\n proto_item_append_text(range_item, \" (bogus)\");\n expert_add_info(pinfo, range_item, &ei_dnp3_num_items_invalid);\n num_items = 0;\n }\n\n proto_item_append_text(point_item, \" %u\", al_ptaddr);\n 
proto_item_set_len(point_item, prefixbytes);\n data_pos += prefixbytes;\n\n if (!header_only || (AL_OBJQL_PREFIX_1OS <= al_objq_prefix && al_objq_prefix <= AL_OBJQL_PREFIX_4OS)) {\n /* Process the object values */\n guint8 al_2bit, al_ptflags, al_bi_val, al_tcc_code;\n gint16 al_val_int16;\n guint16 al_val_uint16, al_ctlobj_stat;\n guint16 al_relms, al_filename_len, al_file_ctrl_mode;\n gint32 al_val_int32;\n guint32 al_val_uint32, file_data_size;\n nstime_t al_reltime, al_abstime;\n gboolean al_bit;\n gfloat al_valflt;\n gdouble al_valdbl;\n const gchar *ctl_status_str;\n\n /* Device Attributes (g0) all have a type code, use that rather than the individual variation */\n if (AL_OBJ_GROUP(al_obj) == 0x0) {\n guint32 data_type;\n guint8 da_len;\n\n /* Add and retrieve the data type */\n proto_tree_add_item_ret_uint(point_tree, hf_dnp3_al_datatype, tvb, data_pos, 1, ENC_LITTLE_ENDIAN, &data_type);\n data_pos++;\n\n /* If a valid data type process it */\n if (try_val_to_str(data_type, dnp3_al_data_type_vals) != NULL) {\n switch(data_type) {\n case AL_DATA_TYPE_NONE:\n break;\n case AL_DATA_TYPE_VSTR:\n da_len = tvb_get_guint8(tvb, data_pos);\n proto_tree_add_item(point_tree, hf_dnp3_al_da_length, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n data_pos++;\n const guint8* da_value;\n proto_tree_add_item_ret_string(point_tree, hf_dnp3_al_da_value, tvb, data_pos, da_len, ENC_ASCII|ENC_NA, wmem_packet_scope(), &da_value);\n proto_item_append_text(object_item, \", Value: %s\", da_value);\n data_pos += da_len;\n break;\n case AL_DATA_TYPE_UINT:\n da_len = tvb_get_guint8(tvb, data_pos);\n proto_tree_add_item(point_tree, hf_dnp3_al_da_length, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n data_pos++;\n if (da_len == 1) {\n proto_tree_add_item(point_tree, hf_dnp3_al_da_uint8, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n proto_item_append_text(object_item, \", Value: %u\", tvb_get_guint8(tvb, data_pos));\n data_pos++;\n }\n else if (da_len == 2) {\n proto_tree_add_item(point_tree, 
hf_dnp3_al_da_uint16, tvb, data_pos, 2, ENC_LITTLE_ENDIAN);\n proto_item_append_text(object_item, \", Value: %u\", tvb_get_letohs(tvb, data_pos));\n data_pos += 2;\n }\n else if (da_len == 4) {\n proto_tree_add_item(point_tree, hf_dnp3_al_da_uint32, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n proto_item_append_text(object_item, \", Value: %u\", tvb_get_letohl(tvb, data_pos));\n data_pos += 4;\n }\n break;\n case AL_DATA_TYPE_INT:\n da_len = tvb_get_guint8(tvb, data_pos);\n proto_tree_add_item(point_tree, hf_dnp3_al_da_length, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n data_pos++;\n if (da_len == 1) {\n proto_tree_add_item(point_tree, hf_dnp3_al_da_int8, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n proto_item_append_text(object_item, \", Value: %d\", tvb_get_guint8(tvb, data_pos));\n data_pos++;\n }\n else if (da_len == 2) {\n proto_tree_add_item(point_tree, hf_dnp3_al_da_int16, tvb, data_pos, 2, ENC_LITTLE_ENDIAN);\n proto_item_append_text(object_item, \", Value: %d\", tvb_get_letohs(tvb, data_pos));\n data_pos += 2;\n }\n else if (da_len == 4) {\n proto_tree_add_item(point_tree, hf_dnp3_al_da_int32, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n proto_item_append_text(object_item, \", Value: %d\", tvb_get_letohl(tvb, data_pos));\n data_pos += 4;\n }\n break;\n case AL_DATA_TYPE_FLT:\n da_len = tvb_get_guint8(tvb, data_pos);\n proto_tree_add_item(point_tree, hf_dnp3_al_da_length, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n data_pos++;\n if (da_len == 4) {\n proto_tree_add_item(point_tree, hf_dnp3_al_da_flt, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n proto_item_append_text(object_item, \", Value: %g\", tvb_get_letohieee_float(tvb, data_pos));\n data_pos += 4;\n }\n else if (da_len == 8) {\n proto_tree_add_item(point_tree, hf_dnp3_al_da_dbl, tvb, data_pos, 8, ENC_LITTLE_ENDIAN);\n proto_item_append_text(object_item, \", Value: %g\", tvb_get_letohieee_double(tvb, data_pos));\n data_pos += 8;\n }\n break;\n case AL_DATA_TYPE_OSTR:\n break;\n case AL_DATA_TYPE_BSTR:\n break;\n case 
AL_DATA_TYPE_TIME:\n break;\n case AL_DATA_TYPE_UNCD:\n break;\n case AL_DATA_TYPE_U8BS8LIST:\n break;\n case AL_DATA_TYPE_U8BS8EXLIST:\n break;\n }\n }\n offset = data_pos;\n }\n else {\n\n /* All other objects are handled here, by their variations */\n switch (al_obj)\n {\n\n /* There is nothing to handle for the default variations */\n case AL_OBJ_BI_ALL: /* Binary Input Default Variation (Obj:01, Var:Default) */\n case AL_OBJ_BIC_ALL: /* Binary Input Change Default Variation (Obj:02, Var:Default) */\n case AL_OBJ_BOC_ALL: /* Binary Output Event Default Variation (Obj:11, Var:Default) */\n case AL_OBJ_2BI_ALL: /* Double-bit Input Default Variation (Obj:03, Var:Default) */\n case AL_OBJ_2BIC_ALL: /* Double-bit Input Change Default Variation (Obj:04, Var:Default) */\n case AL_OBJ_CTR_ALL: /* Binary Counter Default Variation (Obj:20, Var:Default) */\n case AL_OBJ_CTRC_ALL: /* Binary Counter Change Default Variation (Obj:22 Var:Default) */\n case AL_OBJ_AI_ALL: /* Analog Input Default Variation (Obj:30, Var:Default) */\n case AL_OBJ_AIC_ALL: /* Analog Input Change Default Variation (Obj:32 Var:Default) */\n case AL_OBJ_AIDB_ALL: /* Analog Input Deadband Default Variation (Obj:34, Var:Default) */\n case AL_OBJ_AOC_ALL: /* Analog Output Event Default Variation (Obj:42 Var:Default) */\n\n offset = data_pos;\n break;\n\n /* Bit-based Data objects here */\n case AL_OBJ_BI_1BIT: /* Single-Bit Binary Input (Obj:01, Var:01) */\n case AL_OBJ_BO: /* Binary Output (Obj:10, Var:01) */\n case AL_OBJ_CTL_PMASK: /* Pattern Mask (Obj:12, Var:03) */\n case AL_OBJ_IIN: /* Internal Indications - IIN (Obj: 80, Var:01) */\n\n /* Extract the bit from the packed byte */\n al_bi_val = tvb_get_guint8(tvb, data_pos);\n al_bit = (al_bi_val & 1) > 0;\n if (al_obj == AL_OBJ_IIN) {\n /* For an IIN bit, work out the IIN constant value for the bit position to get the name of the bit */\n guint16 iin_bit = 0;\n if (al_ptaddr < 8) {\n iin_bit = 0x100 << al_ptaddr;\n }\n else {\n iin_bit = 1 << 
(al_ptaddr - 8);\n }\n proto_item_append_text(point_item, \" (%s), Value: %u\",\n val_to_str_const(iin_bit, dnp3_al_iin_vals, \"Invalid IIN bit\"), al_bit);\n }\n else\n {\n if (al_objq_prefix != AL_OBJQL_PREFIX_NI) {\n /* Each item has an index prefix, in this case bump\n the bitindex to force the correct offset adjustment */\n bitindex = 7;\n }\n else {\n /* Regular packed bits, get the value at the appropriate bit index */\n al_bit = (al_bi_val & (1 << bitindex)) > 0;\n }\n proto_item_append_text(point_item, \", Value: %u\", al_bit);\n }\n proto_tree_add_boolean(point_tree, hf_dnp3_al_bit, tvb, data_pos, 1, al_bit);\n proto_item_set_len(point_item, prefixbytes + 1);\n\n /* Increment the bit index for next cycle */\n bitindex++;\n\n /* If we have counted 8 bits or read the last item,\n reset bit index and move onto the next byte */\n if ((bitindex > 7) || (item_num == (num_items-1)))\n {\n bitindex = 0;\n offset += (prefixbytes + 1);\n }\n break;\n\n case AL_OBJ_2BI_NF: /* Double-bit Input No Flags (Obj:03, Var:01) */\n\n if (bitindex > 3)\n {\n bitindex = 0;\n offset += (prefixbytes + 1);\n }\n\n /* Extract the Double-bit from the packed byte */\n al_bi_val = tvb_get_guint8(tvb, offset);\n al_2bit = ((al_bi_val >> (bitindex << 1)) & 3);\n\n proto_item_append_text(point_item, \", Value: %u\", al_2bit);\n proto_tree_add_uint(point_tree, hf_dnp3_al_2bit, tvb, offset, 1, al_2bit);\n proto_item_set_len(point_item, prefixbytes + 1);\n\n /* If we've read the last item, then move the offset past this byte */\n if (item_num == (num_items-1))\n {\n offset += (prefixbytes + 1);\n }\n\n /* Increment the bit index for next cycle */\n bitindex++;\n break;\n\n case AL_OBJ_BI_STAT: /* Binary Input With Status (Obj:01, Var:02) */\n case AL_OBJ_BIC_NOTIME: /* Binary Input Change Without Time (Obj:02, Var:01) */\n case AL_OBJ_BO_STAT: /* Binary Output Status (Obj:10, Var:02) */\n case AL_OBJ_BOC_NOTIME: /* Binary Output Change Without Time (Obj:11, Var:01) */\n\n /* Get Point 
Flags */\n al_ptflags = tvb_get_guint8(tvb, data_pos);\n\n switch (al_obj) {\n case AL_OBJ_BI_STAT:\n case AL_OBJ_BIC_NOTIME:\n dnp3_al_obj_quality(tvb, data_pos, al_ptflags, point_tree, point_item, BIN_IN);\n break;\n case AL_OBJ_BO_STAT:\n case AL_OBJ_BOC_NOTIME:\n dnp3_al_obj_quality(tvb, data_pos, al_ptflags, point_tree, point_item, BIN_OUT);\n break;\n }\n data_pos += 1;\n\n al_bit = (al_ptflags & AL_OBJ_BI_FLAG7) > 0;\n proto_item_append_text(point_item, \", Value: %u\", al_bit);\n\n proto_item_set_len(point_item, data_pos - offset);\n\n offset = data_pos;\n break;\n\n case AL_OBJ_2BI_STAT: /* Double-bit Input With Status (Obj:03, Var:02) */\n case AL_OBJ_2BIC_NOTIME: /* Double-bit Input Change Without Time (Obj:04, Var:01) */\n\n /* Get Point Flags */\n al_ptflags = tvb_get_guint8(tvb, data_pos);\n dnp3_al_obj_quality(tvb, data_pos, al_ptflags, point_tree, point_item, BIN_IN);\n data_pos += 1;\n\n al_2bit = (al_ptflags >> 6) & 3;\n proto_item_append_text(point_item, \", Value: %u\", al_2bit);\n proto_item_set_len(point_item, data_pos - offset);\n\n offset = data_pos;\n break;\n\n case AL_OBJ_BIC_TIME: /* Binary Input Change w/ Time (Obj:02, Var:02) */\n case AL_OBJ_BOC_TIME: /* Binary Output Change w/ Time (Obj:11, Var:02) */\n\n /* Get Point Flags */\n al_ptflags = tvb_get_guint8(tvb, data_pos);\n switch (al_obj) {\n case AL_OBJ_BIC_TIME:\n dnp3_al_obj_quality(tvb, data_pos, al_ptflags, point_tree, point_item, BIN_IN);\n break;\n case AL_OBJ_BOC_TIME:\n dnp3_al_obj_quality(tvb, data_pos, al_ptflags, point_tree, point_item, BIN_OUT);\n break;\n }\n data_pos += 1;\n\n /* Get timestamp */\n dnp3_al_get_timestamp(&al_abstime, tvb, data_pos);\n proto_tree_add_time(point_tree, hf_dnp3_al_timestamp, tvb, data_pos, 6, &al_abstime);\n data_pos += 6;\n\n al_bit = (al_ptflags & AL_OBJ_BI_FLAG7) >> 7; /* bit shift 1xxxxxxx -> xxxxxxx1 */\n proto_item_append_text(point_item, \", Value: %u, Timestamp: %s\",\n al_bit, abs_time_to_str(wmem_packet_scope(), &al_abstime, 
ABSOLUTE_TIME_UTC, FALSE));\n proto_item_set_len(point_item, data_pos - offset);\n\n offset = data_pos;\n break;\n\n case AL_OBJ_2BIC_TIME: /* Double-bit Input Change w/ Time (Obj:04, Var:02) */\n\n /* Get Point Flags */\n al_ptflags = tvb_get_guint8(tvb, data_pos);\n dnp3_al_obj_quality(tvb, (offset+prefixbytes), al_ptflags, point_tree, point_item, BIN_IN);\n data_pos += 1;\n\n\n /* Get timestamp */\n dnp3_al_get_timestamp(&al_abstime, tvb, data_pos);\n proto_tree_add_time(point_tree, hf_dnp3_al_timestamp, tvb, data_pos, 6, &al_abstime);\n data_pos += 6;\n\n al_2bit = (al_ptflags >> 6) & 3; /* bit shift 11xxxxxx -> 00000011 */\n proto_item_append_text(point_item, \", Value: %u, Timestamp: %s\",\n al_2bit, abs_time_to_str(wmem_packet_scope(), &al_abstime, ABSOLUTE_TIME_UTC, FALSE));\n proto_item_set_len(point_item, data_pos - offset);\n\n offset = data_pos;\n break;\n\n case AL_OBJ_BIC_RTIME: /* Binary Input Change w/ Relative Time (Obj:02, Var:03) */\n\n /* Get Point Flags */\n al_ptflags = tvb_get_guint8(tvb, data_pos);\n dnp3_al_obj_quality(tvb, data_pos, al_ptflags, point_tree, point_item, BIN_IN);\n data_pos += 1;\n\n /* Get relative time in ms, and convert to ns_time */\n al_relms = tvb_get_letohs(tvb, data_pos);\n al_reltime.secs = al_relms / 1000;\n al_reltime.nsecs = (al_relms % 1000) * 1000000;\n /* Now add to CTO time */\n nstime_sum(&al_abstime, al_cto, &al_reltime);\n proto_tree_add_time(point_tree, hf_dnp3_al_rel_timestamp, tvb, data_pos, 2, &al_reltime);\n data_pos += 2;\n\n al_bit = (al_ptflags & AL_OBJ_BI_FLAG7) >> 7; /* bit shift 1xxxxxxx -> xxxxxxx1 */\n proto_item_append_text(point_item, \", Value: %u, Timestamp: %s\",\n al_bit, abs_time_to_str(wmem_packet_scope(), &al_abstime, ABSOLUTE_TIME_UTC, FALSE));\n proto_item_set_len(point_item, data_pos - offset);\n\n offset = data_pos;\n break;\n\n case AL_OBJ_CTLOP_BLK: /* Control Relay Output Block (Obj:12, Var:01) */\n case AL_OBJ_CTL_PCB: /* Pattern Control Block (Obj:12, Var:02) */\n {\n 
proto_tree *tcc_tree;\n\n /* Add a expand/collapse for TCC */\n al_tcc_code = tvb_get_guint8(tvb, data_pos);\n tcc_tree = proto_tree_add_subtree_format(point_tree, tvb, data_pos, 1,\n ett_dnp3_al_obj_point_tcc, NULL, \"Control Code [0x%02x]\",al_tcc_code);\n\n /* Add the Control Code to the Point number list for quick visual reference as to the operation */\n proto_item_append_text(point_item, \" [%s]\", val_to_str_const((al_tcc_code & AL_OBJCTLC_CODE),\n dnp3_al_ctlc_code_vals,\n \"Invalid Operation\"));\n\n /* Add Trip/Close qualifier (if applicable) to previously appended quick visual reference */\n proto_item_append_text(point_item, \" [%s]\", val_to_str_const((al_tcc_code & AL_OBJCTLC_TC) >> 6,\n dnp3_al_ctlc_tc_vals,\n \"Invalid Qualifier\"));\n\n\n\n /* Control Code 'Operation Type' */\n proto_tree_add_item(tcc_tree, hf_dnp3_ctlobj_code_c, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n\n /* Control Code Misc Values */\n proto_tree_add_item(tcc_tree, hf_dnp3_ctlobj_code_m, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n\n /* Control Code 'Trip Close Code' */\n proto_tree_add_item(tcc_tree, hf_dnp3_ctlobj_code_tc, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n data_pos += 1;\n\n /* Get \"Count\" Field */\n proto_tree_add_item(point_tree, hf_dnp3_al_count, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n data_pos += 1;\n\n /* Get \"On Time\" Field */\n proto_tree_add_item(point_tree, hf_dnp3_al_on_time, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n\n /* Get \"Off Time\" Field */\n proto_tree_add_item(point_tree, hf_dnp3_al_off_time, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n\n /* Get \"Control Status\" Field */\n proto_tree_add_item(point_tree, hf_dnp3_al_ctrlstatus, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n data_pos += 1;\n\n proto_item_set_len(point_item, data_pos - offset);\n\n offset = data_pos;\n break;\n }\n\n case AL_OBJ_BOE_NOTIME: /* Binary Command Event (Obj:13, Var:01) */\n case AL_OBJ_BOE_TIME: /* Binary Command Event with time (Obj:13, Var:02) */\n case 
AL_OBJ_AOC_32EVNT: /* 32-bit Analog Command Event (Obj:43, Var:01) */\n case AL_OBJ_AOC_16EVNT: /* 16-bit Analog Command Event (Obj:43, Var:02) */\n case AL_OBJ_AOC_32EVTT: /* 32-bit Analog Command Event with time (Obj:43, Var:03) */\n case AL_OBJ_AOC_16EVTT: /* 16-bit Analog Command Event with time (Obj:43, Var:04) */\n case AL_OBJ_AOC_FLTEVNT: /* 32-bit Floating Point Analog Command Event (Obj:43, Var:05) */\n case AL_OBJ_AOC_DBLEVNT: /* 64-bit Floating Point Analog Command Event (Obj:43, Var:06) */\n case AL_OBJ_AOC_FLTEVTT: /* 32-bit Floating Point Analog Command Event with time (Obj:43, Var:07) */\n case AL_OBJ_AOC_DBLEVTT: /* 64-bit Floating Point Analog Command Event with time (Obj:43, Var:08) */\n {\n /* Get the status code */\n al_ctlobj_stat = tvb_get_guint8(tvb, data_pos) & AL_OBJCTL_STATUS_MASK;\n ctl_status_str = val_to_str_ext(al_ctlobj_stat, &dnp3_al_ctl_status_vals_ext, \"Invalid Status (0x%02x)\");\n proto_item_append_text(point_item, \" [Status: %s (0x%02x)]\", ctl_status_str, al_ctlobj_stat);\n proto_tree_add_item(point_tree, hf_dnp3_al_ctrlstatus, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n\n /* Get the command value */\n switch(al_obj)\n {\n case AL_OBJ_BOE_NOTIME:\n case AL_OBJ_BOE_TIME:\n proto_tree_add_item(point_tree, hf_dnp3_bocs_bit, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n data_pos += 1;\n break;\n case AL_OBJ_AOC_32EVNT:\n case AL_OBJ_AOC_32EVTT:\n data_pos += 1; /* Step past status */\n al_val_int32 = tvb_get_letohl(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %d\", al_val_int32);\n proto_tree_add_item(point_tree, hf_dnp3_al_anaout32, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n break;\n case AL_OBJ_AOC_16EVNT:\n case AL_OBJ_AOC_16EVTT:\n data_pos += 1; /* Step past status */\n al_val_int16 = tvb_get_letohs(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %d\", al_val_int16);\n proto_tree_add_item(point_tree, hf_dnp3_al_anaout16, tvb, data_pos, 2, ENC_LITTLE_ENDIAN);\n data_pos += 2;\n break;\n case 
AL_OBJ_AOC_FLTEVNT:\n case AL_OBJ_AOC_FLTEVTT:\n data_pos += 1; /* Step past status */\n al_valflt = tvb_get_letohieee_float(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %g\", al_valflt);\n proto_tree_add_item(point_tree, hf_dnp3_al_anaoutflt, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n break;\n case AL_OBJ_AOC_DBLEVNT:\n case AL_OBJ_AOC_DBLEVTT:\n data_pos += 1; /* Step past status */\n al_valdbl = tvb_get_letohieee_double(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %g\", al_valdbl);\n proto_tree_add_item(point_tree, hf_dnp3_al_anaoutdbl, tvb, data_pos, 8, ENC_LITTLE_ENDIAN);\n data_pos += 8;\n break;\n }\n\n /* Get the timestamp */\n switch(al_obj)\n {\n case AL_OBJ_BOE_TIME: /* Binary Command Event with time (Obj:13, Var:02) */\n case AL_OBJ_AOC_32EVTT: /* 32-bit Analog Command Event with time (Obj:43, Var:03) */\n case AL_OBJ_AOC_16EVTT: /* 16-bit Analog Command Event with time (Obj:43, Var:04) */\n case AL_OBJ_AOC_FLTEVTT: /* 32-bit Floating Point Analog Command Event with time (Obj:43, Var:07) */\n case AL_OBJ_AOC_DBLEVTT: /* 64-bit Floating Point Analog Command Event with time (Obj:43, Var:08) */\n dnp3_al_get_timestamp(&al_abstime, tvb, data_pos);\n proto_item_append_text(point_item, \", Timestamp: %s\", abs_time_to_str(wmem_packet_scope(), &al_abstime, ABSOLUTE_TIME_UTC, FALSE));\n proto_tree_add_time(point_tree, hf_dnp3_al_timestamp, tvb, data_pos, 6, &al_abstime);\n data_pos += 6;\n break;\n }\n\n proto_item_set_len(point_item, data_pos - offset);\n offset = data_pos;\n break;\n }\n\n case AL_OBJ_AO_32OPB: /* 32-Bit Analog Output Block (Obj:41, Var:01) */\n case AL_OBJ_AO_16OPB: /* 16-Bit Analog Output Block (Obj:41, Var:02) */\n case AL_OBJ_AO_FLTOPB: /* 32-Bit Floating Point Output Block (Obj:41, Var:03) */\n case AL_OBJ_AO_DBLOPB: /* 64-Bit Floating Point Output Block (Obj:41, Var:04) */\n\n switch (al_obj)\n {\n case AL_OBJ_AO_32OPB:\n al_val_int32 = tvb_get_letohl(tvb, data_pos);\n 
proto_item_append_text(point_item, \", Value: %d\", al_val_int32);\n proto_tree_add_item(point_tree, hf_dnp3_al_anaout32, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n break;\n case AL_OBJ_AO_16OPB:\n al_val_int16 = tvb_get_letohs(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %d\", al_val_int16);\n proto_tree_add_item(point_tree, hf_dnp3_al_anaout16, tvb, data_pos, 2, ENC_LITTLE_ENDIAN);\n data_pos += 2;\n break;\n case AL_OBJ_AO_FLTOPB:\n al_valflt = tvb_get_letohieee_float(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %g\", al_valflt);\n proto_tree_add_item(point_tree, hf_dnp3_al_anaoutflt, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n break;\n case AL_OBJ_AO_DBLOPB:\n al_valdbl = tvb_get_letohieee_double(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %g\", al_valdbl);\n proto_tree_add_item(point_tree, hf_dnp3_al_anaoutdbl, tvb, data_pos, 8, ENC_LITTLE_ENDIAN);\n data_pos += 8;\n break;\n }\n\n /* Get control status */\n al_ctlobj_stat = tvb_get_guint8(tvb, data_pos) & AL_OBJCTL_STATUS_MASK;\n ctl_status_str = val_to_str_ext(al_ctlobj_stat, &dnp3_al_ctl_status_vals_ext, \"Invalid Status (0x%02x)\");\n proto_item_append_text(point_item, \" [Status: %s (0x%02x)]\", ctl_status_str, al_ctlobj_stat);\n proto_tree_add_item(point_tree, hf_dnp3_al_ctrlstatus, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n data_pos += 1;\n\n proto_item_set_len(point_item, data_pos - offset);\n\n offset = data_pos;\n break;\n\n case AL_OBJ_CTR_32: /* 32-Bit Binary Counter (Obj:20, Var:01) */\n case AL_OBJ_CTR_16: /* 16-Bit Binary Counter (Obj:20, Var:02) */\n case AL_OBJ_DCTR_32: /* 32-Bit Binary Delta Counter (Obj:20, Var:03) */\n case AL_OBJ_DCTR_16: /* 16-Bit Binary Delta Counter (Obj:20, Var:04) */\n case AL_OBJ_CTR_32NF: /* 32-Bit Binary Counter Without Flag (Obj:20, Var:05) */\n case AL_OBJ_CTR_16NF: /* 16-Bit Binary Counter Without Flag (Obj:20, Var:06) */\n case AL_OBJ_DCTR_32NF: /* 32-Bit Binary Delta Counter 
Without Flag (Obj:20, Var:07) */\n case AL_OBJ_DCTR_16NF: /* 16-Bit Binary Delta Counter Without Flag (Obj:20, Var:08) */\n case AL_OBJ_FCTR_32: /* 32-Bit Frozen Counter (Obj:21, Var:01) */\n case AL_OBJ_FCTR_16: /* 16-Bit Frozen Counter (Obj:21, Var:02) */\n case AL_OBJ_FDCTR_32: /* 21 03 32-Bit Frozen Delta Counter */\n case AL_OBJ_FDCTR_16: /* 21 04 16-Bit Frozen Delta Counter */\n case AL_OBJ_FCTR_32T: /* 32-Bit Frozen Counter w/ Time of Freeze (Obj:21 Var:05 ) */\n case AL_OBJ_FCTR_16T: /* 16-Bit Frozen Counter w/ Time of Freeze (Obj:21 Var:06) */\n case AL_OBJ_FDCTR_32T: /* 32-Bit Frozen Delta Counter w/ Time of Freeze (Obj:21 Var:07) */\n case AL_OBJ_FDCTR_16T: /* 16-Bit Frozen Delta Counter w/ Time of Freeze (Obj:21 Var:08) */\n case AL_OBJ_FCTR_32NF: /* 32-Bit Frozen Counter Without Flag (Obj:21 Var:09) */\n case AL_OBJ_FCTR_16NF: /* 16-Bit Frozen Counter Without Flag (Obj:21 Var:10) */\n case AL_OBJ_FDCTR_32NF: /* 32-Bit Frozen Delta Counter Without Flag (Obj:21 Var:11) */\n case AL_OBJ_FDCTR_16NF: /* 16-Bit Frozen Delta Counter Without Flag (Obj:21 Var:12) */\n case AL_OBJ_CTRC_32: /* 32-Bit Counter Change Event w/o Time (Obj:22, Var:01) */\n case AL_OBJ_CTRC_16: /* 16-Bit Counter Change Event w/o Time (Obj:22, Var:02) */\n case AL_OBJ_DCTRC_32: /* 32-Bit Delta Counter Change Event w/o Time (Obj:22, Var:03) */\n case AL_OBJ_DCTRC_16: /* 16-Bit Delta Counter Change Event w/o Time (Obj:22, Var:04) */\n case AL_OBJ_CTRC_32T: /* 32-Bit Counter Change Event with Time (Obj:22, Var:05) */\n case AL_OBJ_CTRC_16T: /* 16-Bit Counter Change Event with Time (Obj:22, Var:06) */\n case AL_OBJ_DCTRC_32T: /* 32-Bit Delta Counter Change Event with Time (Obj:22, Var:07) */\n case AL_OBJ_DCTRC_16T: /* 16-Bit Delta Counter Change Event with Time (Obj:22, Var:08) */\n case AL_OBJ_FCTRC_32: /* 32-Bit Frozen Counter Change Event (Obj:23 Var:01) */\n case AL_OBJ_FCTRC_16: /* 16-Bit Frozen Counter Change Event (Obj:23 Var:02) */\n case AL_OBJ_FDCTRC_32: /* 32-Bit Frozen Delta 
Counter Change Event (Obj:23 Var:03) */\n case AL_OBJ_FDCTRC_16: /* 16-Bit Frozen Delta Counter Change Event (Obj:23 Var:04) */\n case AL_OBJ_FCTRC_32T: /* 32-Bit Frozen Counter Change Event w/ Time of Freeze (Obj:23 Var:05) */\n case AL_OBJ_FCTRC_16T: /* 16-Bit Frozen Counter Change Event w/ Time of Freeze (Obj:23 Var:06) */\n case AL_OBJ_FDCTRC_32T: /* 32-Bit Frozen Delta Counter Change Event w/ Time of Freeze (Obj:23 Var:07) */\n case AL_OBJ_FDCTRC_16T: /* 16-Bit Frozen Delta Counter Change Event w/ Time of Freeze (Obj:23 Var:08) */\n\n /* Get Point Flags for those types that have them, it's easier to block out those that don't have flags */\n switch (al_obj)\n {\n case AL_OBJ_CTR_32NF:\n case AL_OBJ_CTR_16NF:\n case AL_OBJ_DCTR_32NF:\n case AL_OBJ_DCTR_16NF:\n case AL_OBJ_FCTR_32NF:\n case AL_OBJ_FCTR_16NF:\n case AL_OBJ_FDCTR_32NF:\n case AL_OBJ_FDCTR_16NF:\n break;\n\n default:\n al_ptflags = tvb_get_guint8(tvb, data_pos);\n dnp3_al_obj_quality(tvb, data_pos, al_ptflags, point_tree, point_item, COUNTER);\n data_pos += 1;\n break;\n }\n\n /* Get Counter values */\n switch (al_obj)\n {\n case AL_OBJ_CTR_32:\n case AL_OBJ_DCTR_32:\n case AL_OBJ_CTR_32NF:\n case AL_OBJ_DCTR_32NF:\n case AL_OBJ_FCTR_32:\n case AL_OBJ_FDCTR_32:\n case AL_OBJ_FCTR_32T:\n case AL_OBJ_FDCTR_32T:\n case AL_OBJ_FCTR_32NF:\n case AL_OBJ_FDCTR_32NF:\n case AL_OBJ_CTRC_32:\n case AL_OBJ_DCTRC_32:\n case AL_OBJ_CTRC_32T:\n case AL_OBJ_DCTRC_32T:\n case AL_OBJ_FCTRC_32:\n case AL_OBJ_FDCTRC_32:\n case AL_OBJ_FCTRC_32T:\n case AL_OBJ_FDCTRC_32T:\n\n al_val_uint32 = tvb_get_letohl(tvb, data_pos);\n proto_item_append_text(point_item, \", Count: %u\", al_val_uint32);\n proto_tree_add_item(point_tree, hf_dnp3_al_cnt32, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n break;\n\n case AL_OBJ_CTR_16:\n case AL_OBJ_DCTR_16:\n case AL_OBJ_CTR_16NF:\n case AL_OBJ_DCTR_16NF:\n case AL_OBJ_FCTR_16:\n case AL_OBJ_FDCTR_16:\n case AL_OBJ_FCTR_16T:\n case AL_OBJ_FDCTR_16T:\n case AL_OBJ_FCTR_16NF:\n 
case AL_OBJ_FDCTR_16NF:\n case AL_OBJ_CTRC_16:\n case AL_OBJ_DCTRC_16:\n case AL_OBJ_CTRC_16T:\n case AL_OBJ_DCTRC_16T:\n case AL_OBJ_FCTRC_16:\n case AL_OBJ_FDCTRC_16:\n case AL_OBJ_FCTRC_16T:\n case AL_OBJ_FDCTRC_16T:\n\n al_val_uint16 = tvb_get_letohs(tvb, data_pos);\n proto_item_append_text(point_item, \", Count: %u\", al_val_uint16);\n proto_tree_add_item(point_tree, hf_dnp3_al_cnt16, tvb, data_pos, 2, ENC_LITTLE_ENDIAN);\n data_pos += 2;\n break;\n }\n\n /* Get the time for those points that have it */\n switch (al_obj)\n {\n case AL_OBJ_FCTR_32T:\n case AL_OBJ_FCTR_16T:\n case AL_OBJ_FDCTR_32T:\n case AL_OBJ_FDCTR_16T:\n case AL_OBJ_CTRC_32T:\n case AL_OBJ_CTRC_16T:\n case AL_OBJ_DCTRC_32T:\n case AL_OBJ_DCTRC_16T:\n case AL_OBJ_FCTRC_32T:\n case AL_OBJ_FCTRC_16T:\n case AL_OBJ_FDCTRC_32T:\n case AL_OBJ_FDCTRC_16T:\n dnp3_al_get_timestamp(&al_abstime, tvb, data_pos);\n proto_item_append_text(point_item, \", Timestamp: %s\", abs_time_to_str(wmem_packet_scope(), &al_abstime, ABSOLUTE_TIME_UTC, FALSE));\n proto_tree_add_time(point_tree, hf_dnp3_al_timestamp, tvb, data_pos, 6, &al_abstime);\n data_pos += 6;\n break;\n }\n\n proto_item_set_len(point_item, data_pos - offset);\n offset = data_pos;\n break;\n\n case AL_OBJ_AI_32: /* 32-Bit Analog Input (Obj:30, Var:01) */\n case AL_OBJ_AI_16: /* 16-Bit Analog Input (Obj:30, Var:02) */\n case AL_OBJ_AI_32NF: /* 32-Bit Analog Input Without Flag (Obj:30, Var:03) */\n case AL_OBJ_AI_16NF: /* 16-Bit Analog Input Without Flag (Obj:30, Var:04) */\n case AL_OBJ_AI_FLT: /* 32-Bit Floating Point Input (Obj:30, Var:05) */\n case AL_OBJ_AI_DBL: /* 64-Bit Floating Point Input (Obj:30, Var:06) */\n case AL_OBJ_AIF_FLT: /* 32-Bit Frozen Floating Point Input (Obj:31, Var:07) */\n case AL_OBJ_AIF_DBL: /* 64-Bit Frozen Floating Point Input (Obj:31, Var:08) */\n case AL_OBJ_AIC_32NT: /* 32-Bit Analog Change Event w/o Time (Obj:32, Var:01) */\n case AL_OBJ_AIC_16NT: /* 16-Bit Analog Change Event w/o Time (Obj:32, Var:02) */\n case 
AL_OBJ_AIC_32T: /* 32-Bit Analog Change Event with Time (Obj:32, Var:03) */\n case AL_OBJ_AIC_16T: /* 16-Bit Analog Change Event with Time (Obj:32, Var:04) */\n case AL_OBJ_AIC_FLTNT: /* 32-Bit Floating Point Change Event w/o Time (Obj:32, Var:05) */\n case AL_OBJ_AIC_DBLNT: /* 64-Bit Floating Point Change Event w/o Time (Obj:32, Var:06) */\n case AL_OBJ_AIC_FLTT: /* 32-Bit Floating Point Change Event w/ Time (Obj:32, Var:07) */\n case AL_OBJ_AIC_DBLT: /* 64-Bit Floating Point Change Event w/ Time (Obj:32, Var:08) */\n case AL_OBJ_AIFC_FLTNT: /* 32-Bit Floating Point Frozen Change Event w/o Time (Obj:33, Var:05) */\n case AL_OBJ_AIFC_DBLNT: /* 64-Bit Floating Point Frozen Change Event w/o Time (Obj:33, Var:06) */\n case AL_OBJ_AIFC_FLTT: /* 32-Bit Floating Point Frozen Change Event w/ Time (Obj:33, Var:07) */\n case AL_OBJ_AIFC_DBLT: /* 64-Bit Floating Point Frozen Change Event w/ Time (Obj:33, Var:08) */\n case AL_OBJ_AIDB_16: /* 16-Bit Analog Input Deadband (Obj:34, Var:01) */\n case AL_OBJ_AIDB_32: /* 32-Bit Analog Input Deadband (Obj:34, Var:02) */\n case AL_OBJ_AIDB_FLT: /* 32-Bit Floating Point Analog Input Deadband (Obj:34, Var:03) */\n\n /* Get Point Flags for those types that have them */\n switch (al_obj)\n {\n case AL_OBJ_AI_32NF:\n case AL_OBJ_AI_16NF:\n case AL_OBJ_AIDB_16:\n case AL_OBJ_AIDB_32:\n case AL_OBJ_AIDB_FLT:\n break;\n\n default:\n al_ptflags = tvb_get_guint8(tvb, data_pos);\n dnp3_al_obj_quality(tvb, data_pos, al_ptflags, point_tree, point_item, ANA_IN);\n data_pos += 1;\n break;\n }\n\n switch (al_obj)\n {\n case AL_OBJ_AI_32:\n case AL_OBJ_AI_32NF:\n case AL_OBJ_AIC_32NT:\n case AL_OBJ_AIC_32T:\n case AL_OBJ_AIDB_32:\n\n al_val_int32 = tvb_get_letohl(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %d\", al_val_int32);\n proto_tree_add_item(point_tree, hf_dnp3_al_ana32, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n break;\n\n case AL_OBJ_AI_16:\n case AL_OBJ_AI_16NF:\n case AL_OBJ_AIC_16NT:\n case 
AL_OBJ_AIC_16T:\n case AL_OBJ_AIDB_16:\n\n al_val_int16 = tvb_get_letohs(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %d\", al_val_int16);\n proto_tree_add_item(point_tree, hf_dnp3_al_ana16, tvb, data_pos, 2, ENC_LITTLE_ENDIAN);\n data_pos += 2;\n break;\n\n case AL_OBJ_AI_FLT:\n case AL_OBJ_AIF_FLT:\n case AL_OBJ_AIC_FLTNT:\n case AL_OBJ_AIC_FLTT:\n case AL_OBJ_AIFC_FLTNT:\n case AL_OBJ_AIFC_FLTT:\n case AL_OBJ_AIDB_FLT:\n\n al_valflt = tvb_get_letohieee_float(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %g\", al_valflt);\n proto_tree_add_item(point_tree, hf_dnp3_al_anaflt, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n break;\n\n case AL_OBJ_AI_DBL:\n case AL_OBJ_AIF_DBL:\n case AL_OBJ_AIC_DBLNT:\n case AL_OBJ_AIC_DBLT:\n case AL_OBJ_AIFC_DBLNT:\n case AL_OBJ_AIFC_DBLT:\n\n al_valdbl = tvb_get_letohieee_double(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %g\", al_valdbl);\n proto_tree_add_item(point_tree, hf_dnp3_al_anadbl, tvb, data_pos, 8, ENC_LITTLE_ENDIAN);\n data_pos += 8;\n break;\n }\n\n /* Get timestamp */\n switch (al_obj)\n {\n case AL_OBJ_AIC_32T:\n case AL_OBJ_AIC_16T:\n case AL_OBJ_AIC_FLTT:\n case AL_OBJ_AIC_DBLT:\n case AL_OBJ_AIFC_FLTT:\n case AL_OBJ_AIFC_DBLT:\n dnp3_al_get_timestamp(&al_abstime, tvb, data_pos);\n proto_item_append_text(point_item, \", Timestamp: %s\", abs_time_to_str(wmem_packet_scope(), &al_abstime, ABSOLUTE_TIME_UTC, FALSE));\n proto_tree_add_time(point_tree, hf_dnp3_al_timestamp, tvb, data_pos, 6, &al_abstime);\n data_pos += 6;\n break;\n }\n\n proto_item_set_len(point_item, data_pos - offset);\n\n offset = data_pos;\n break;\n\n case AL_OBJ_AO_32: /* 32-Bit Analog Output Status (Obj:40, Var:01) */\n case AL_OBJ_AO_16: /* 16-Bit Analog Output Status (Obj:40, Var:02) */\n case AL_OBJ_AO_FLT: /* 32-Bit Floating Point Output Status (Obj:40, Var:03) */\n case AL_OBJ_AO_DBL: /* 64-Bit Floating Point Output Status (Obj:40, Var:04) */\n case AL_OBJ_AOC_32NT: /* 
32-Bit Analog Output Event w/o Time (Obj:42, Var:01) */\n case AL_OBJ_AOC_16NT: /* 16-Bit Analog Output Event w/o Time (Obj:42, Var:02) */\n case AL_OBJ_AOC_32T: /* 32-Bit Analog Output Event with Time (Obj:42, Var:03) */\n case AL_OBJ_AOC_16T: /* 16-Bit Analog Output Event with Time (Obj:42, Var:04) */\n case AL_OBJ_AOC_FLTNT: /* 32-Bit Floating Point Output Event w/o Time (Obj:42, Var:05) */\n case AL_OBJ_AOC_DBLNT: /* 64-Bit Floating Point Output Event w/o Time (Obj:42, Var:06) */\n case AL_OBJ_AOC_FLTT: /* 32-Bit Floating Point Output Event w/ Time (Obj:42, Var:07) */\n case AL_OBJ_AOC_DBLT: /* 64-Bit Floating Point Output Event w/ Time (Obj:42, Var:08) */\n\n /* Get Point Flags */\n al_ptflags = tvb_get_guint8(tvb, data_pos);\n dnp3_al_obj_quality(tvb, data_pos, al_ptflags, point_tree, point_item, ANA_OUT);\n data_pos += 1;\n\n switch (al_obj)\n {\n case AL_OBJ_AO_32: /* 32-Bit Analog Output Status (Obj:40, Var:01) */\n case AL_OBJ_AOC_32NT: /* 32-Bit Analog Output Event w/o Time (Obj:42, Var:01) */\n case AL_OBJ_AOC_32T: /* 32-Bit Analog Output Event with Time (Obj:42, Var:03) */\n\n al_val_int32 = tvb_get_letohl(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %d\", al_val_int32);\n proto_tree_add_item(point_tree, hf_dnp3_al_anaout32, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n break;\n\n case AL_OBJ_AO_16: /* 16-Bit Analog Output Status (Obj:40, Var:02) */\n case AL_OBJ_AOC_16NT: /* 16-Bit Analog Output Event w/o Time (Obj:42, Var:02) */\n case AL_OBJ_AOC_16T: /* 16-Bit Analog Output Event with Time (Obj:42, Var:04) */\n\n al_val_int16 = tvb_get_letohs(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %d\", al_val_int16);\n proto_tree_add_item(point_tree, hf_dnp3_al_anaout16, tvb, data_pos, 2, ENC_LITTLE_ENDIAN);\n data_pos += 2;\n break;\n\n case AL_OBJ_AO_FLT: /* 32-Bit Floating Point Output Status (Obj:40, Var:03) */\n case AL_OBJ_AOC_FLTNT: /* 32-Bit Floating Point Output Event w/o Time (Obj:42, Var:05) */\n 
case AL_OBJ_AOC_FLTT: /* 32-Bit Floating Point Output Event w/ Time (Obj:42, Var:07) */\n\n al_valflt = tvb_get_letohieee_float(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %g\", al_valflt);\n proto_tree_add_item(point_tree, hf_dnp3_al_anaoutflt, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n break;\n\n case AL_OBJ_AO_DBL: /* 64-Bit Floating Point Output Status (Obj:40, Var:04) */\n case AL_OBJ_AOC_DBLNT: /* 64-Bit Floating Point Output Event w/o Time (Obj:42, Var:06) */\n case AL_OBJ_AOC_DBLT: /* 64-Bit Floating Point Output Event w/ Time (Obj:42, Var:08) */\n\n al_valdbl = tvb_get_letohieee_double(tvb, data_pos);\n proto_item_append_text(point_item, \", Value: %g\", al_valdbl);\n proto_tree_add_item(point_tree, hf_dnp3_al_anaoutdbl, tvb, data_pos, 8, ENC_LITTLE_ENDIAN);\n data_pos += 8;\n break;\n }\n\n /* Get timestamp */\n switch (al_obj)\n {\n case AL_OBJ_AOC_32T:\n case AL_OBJ_AOC_16T:\n case AL_OBJ_AOC_FLTT:\n case AL_OBJ_AOC_DBLT:\n dnp3_al_get_timestamp(&al_abstime, tvb, data_pos);\n proto_item_append_text(point_item, \", Timestamp: %s\", abs_time_to_str(wmem_packet_scope(), &al_abstime, ABSOLUTE_TIME_UTC, FALSE));\n proto_tree_add_time(point_tree, hf_dnp3_al_timestamp, tvb, data_pos, 6, &al_abstime);\n data_pos += 6;\n break;\n }\n\n proto_item_set_len(point_item, data_pos - offset);\n offset = data_pos;\n break;\n\n case AL_OBJ_TD: /* Time and Date (Obj:50, Var:01) */\n case AL_OBJ_TDR: /* Time and Date at Last Recorded Time (Obj:50, Var:03) */\n case AL_OBJ_TDCTO: /* Time and Date CTO (Obj:51, Var:01) */\n\n dnp3_al_get_timestamp(&al_abstime, tvb, data_pos);\n proto_tree_add_time(object_tree, hf_dnp3_al_timestamp, tvb, data_pos, 6, &al_abstime);\n data_pos += 6;\n proto_item_set_len(point_item, data_pos - offset);\n\n if (al_obj == AL_OBJ_TDCTO) {\n /* Copy the time object to the CTO for any other relative time objects in this response */\n nstime_copy(al_cto, &al_abstime);\n }\n\n offset = data_pos;\n break;\n\n case 
AL_OBJ_TDELAYF: /* Time Delay - Fine (Obj:52, Var:02) */\n\n proto_tree_add_item(object_tree, hf_dnp3_al_time_delay, tvb, data_pos, 2, ENC_LITTLE_ENDIAN);\n data_pos += 2;\n proto_item_set_len(point_item, data_pos - offset);\n\n offset = data_pos;\n break;\n\n case AL_OBJ_CLASS0: /* Class Data Objects */\n case AL_OBJ_CLASS1:\n case AL_OBJ_CLASS2:\n case AL_OBJ_CLASS3:\n\n /* No data here */\n offset = data_pos;\n break;\n\n case AL_OBJ_FILE_CMD: /* File Control - File Command (Obj:70, Var:03) */\n /* File name offset and length */\n proto_tree_add_item(point_tree, hf_dnp3_al_file_string_offset, tvb, data_pos, 2, ENC_LITTLE_ENDIAN);\n data_pos += 2;\n al_filename_len = tvb_get_letohs(tvb, data_pos);\n proto_tree_add_item(point_tree, hf_dnp3_al_file_string_length, tvb, data_pos, 2, ENC_LITTLE_ENDIAN);\n data_pos += 2;\n\n /* Grab the mode as it determines if some of the following fields are relevant */\n al_file_ctrl_mode = tvb_get_letohs(tvb, data_pos + 16);\n\n /* Creation Time */\n if (al_file_ctrl_mode == AL_OBJ_FILE_MODE_WRITE) {\n dnp3_al_get_timestamp(&al_abstime, tvb, data_pos);\n proto_tree_add_time(point_tree, hf_dnp3_al_timestamp, tvb, data_pos, 6, &al_abstime);\n }\n data_pos += 6;\n\n /* Perms */\n if (al_file_ctrl_mode == AL_OBJ_FILE_MODE_WRITE) {\n proto_item *perms_item;\n proto_tree *perms_tree;\n\n perms_item = proto_tree_add_item(point_tree, hf_dnp3_al_file_perms, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n\n perms_tree = proto_item_add_subtree(perms_item, ett_dnp3_al_obj_point_perms);\n proto_tree_add_item(perms_tree, hf_dnp3_al_file_perms_read_owner, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n proto_tree_add_item(perms_tree, hf_dnp3_al_file_perms_write_owner, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n proto_tree_add_item(perms_tree, hf_dnp3_al_file_perms_exec_owner, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n proto_tree_add_item(perms_tree, hf_dnp3_al_file_perms_read_group, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n proto_tree_add_item(perms_tree, 
hf_dnp3_al_file_perms_write_group, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n proto_tree_add_item(perms_tree, hf_dnp3_al_file_perms_exec_group, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n proto_tree_add_item(perms_tree, hf_dnp3_al_file_perms_read_world, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n proto_tree_add_item(perms_tree, hf_dnp3_al_file_perms_write_world, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n proto_tree_add_item(perms_tree, hf_dnp3_al_file_perms_exec_world, tvb, offset, 2, ENC_LITTLE_ENDIAN);\n }\n data_pos += 2;\n\n /* Auth Key */\n proto_tree_add_item(point_tree, hf_dnp3_al_file_auth, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n\n /* File Size */\n if (al_file_ctrl_mode == AL_OBJ_FILE_MODE_WRITE || al_file_ctrl_mode == AL_OBJ_FILE_MODE_APPEND) {\n proto_tree_add_item(point_tree, hf_dnp3_al_file_size, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n }\n data_pos += 4;\n\n /* Mode */\n proto_tree_add_item(point_tree, hf_dnp3_al_file_mode, tvb, data_pos, 2, ENC_LITTLE_ENDIAN);\n data_pos += 2;\n\n /* Max Block Size */\n proto_tree_add_item(point_tree, hf_dnp3_al_file_maxblk, tvb, data_pos, 2, ENC_LITTLE_ENDIAN);\n data_pos += 2;\n\n /* Request ID */\n proto_tree_add_item(point_tree, hf_dnp3_al_file_reqID, tvb, data_pos, 2, ENC_LITTLE_ENDIAN);\n data_pos += 2;\n\n /* Filename */\n if (al_filename_len > 0) {\n proto_tree_add_item(point_tree, hf_dnp3_al_file_name, tvb, data_pos, al_filename_len, ENC_ASCII|ENC_NA);\n }\n data_pos += al_filename_len;\n proto_item_set_len(point_item, data_pos - offset);\n\n offset = data_pos;\n break;\n\n case AL_OBJ_FILE_STAT: /* File Control - File Status (Obj:70, Var:04) */\n\n /* File Handle */\n proto_tree_add_item(point_tree, hf_dnp3_al_file_handle, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n\n /* File Size */\n proto_tree_add_item(point_tree, hf_dnp3_al_file_size, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n\n /* Max Block Size */\n proto_tree_add_item(point_tree, hf_dnp3_al_file_maxblk, tvb, data_pos, 2, 
ENC_LITTLE_ENDIAN);\n data_pos += 2;\n\n /* Request ID */\n proto_tree_add_item(point_tree, hf_dnp3_al_file_reqID, tvb, data_pos, 2, ENC_LITTLE_ENDIAN);\n data_pos += 2;\n\n /* Status code */\n proto_tree_add_item(point_tree, hf_dnp3_al_file_status, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n data_pos += 1;\n\n /* Optional text */\n file_data_size = al_ptaddr - (data_pos - offset - prefixbytes);\n if ((file_data_size) > 0) {\n proto_tree_add_item(point_tree, hf_dnp3_al_file_data, tvb, data_pos, file_data_size, ENC_NA);\n data_pos += file_data_size;\n }\n\n proto_item_set_len(point_item, data_pos - offset);\n\n offset = data_pos;\n break;\n\n case AL_OBJ_FILE_TRANS: /* File Control - File Transport (Obj:70, Var:05) */\n\n /* File Handle */\n proto_tree_add_item(point_tree, hf_dnp3_al_file_handle, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n\n /* File block (bits 0 - 30) and last block flag (bit 31) */\n proto_tree_add_item(point_tree, hf_dnp3_al_file_blocknum, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n proto_tree_add_item(point_tree, hf_dnp3_al_file_lastblock, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n\n /* File data */\n file_data_size = al_ptaddr - (data_pos - offset - prefixbytes);\n if ((file_data_size) > 0) {\n proto_tree_add_item(point_tree, hf_dnp3_al_file_data, tvb, data_pos, file_data_size, ENC_NA);\n data_pos += file_data_size;\n }\n\n proto_item_set_len(point_item, data_pos - offset);\n\n offset = data_pos;\n break;\n\n case AL_OBJ_FILE_TRAN_ST: /* File Control Tansport Status (Obj:70, Var:06) */\n\n /* File Handle */\n proto_tree_add_item(point_tree, hf_dnp3_al_file_handle, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n\n /* File block (bits 0 - 30) and last block flag (bit 31) */\n proto_tree_add_item(point_tree, hf_dnp3_al_file_blocknum, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n proto_tree_add_item(point_tree, hf_dnp3_al_file_lastblock, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);\n data_pos += 4;\n\n /* Status code */\n 
proto_tree_add_item(point_tree, hf_dnp3_al_file_status, tvb, data_pos, 1, ENC_LITTLE_ENDIAN);\n data_pos += 1;\n\n /* Optional text */\n file_data_size = al_ptaddr - (data_pos - offset - prefixbytes);\n if ((file_data_size) > 0) {\n proto_tree_add_item(point_tree, hf_dnp3_al_file_data, tvb, data_pos, file_data_size, ENC_NA);\n data_pos += file_data_size;\n }\n\n proto_item_set_len(point_item, data_pos - offset);\n\n offset = data_pos;\n break;\n\n case AL_OBJ_OCT: /* Octet string */\n case AL_OBJ_OCT_EVT: /* Octet string event */\n\n /* read the number of bytes defined by the variation */\n if (al_oct_len > 0) {\n proto_tree_add_item(object_tree, hf_dnp3_al_octet_string, tvb, data_pos, al_oct_len, ENC_NA);\n data_pos += al_oct_len;\n proto_item_set_len(point_item, data_pos - offset);\n }\n\n offset = data_pos;\n break;\n\n default: /* In case of unknown object */\n\n proto_tree_add_item(object_tree, hf_dnp3_unknown_data_chunk, tvb, offset, -1, ENC_NA);\n offset = tvb_captured_length(tvb); /* Finish decoding if unknown object is encountered... */\n break;\n }\n }\n\n /* And increment the point address, may be overwritten by an index value */\n al_ptaddr++;\n }\n else {\n /* No objects, just prefixes, move past prefix values */\n offset = data_pos;\n }\n if (start_offset > offset) {\n expert_add_info(pinfo, point_item, &ei_dnp_invalid_length);\n offset = tvb_captured_length(tvb); /* Finish decoding if unknown object is encountered... 
*/\n }\n }\n }\n proto_item_set_len(object_item, offset - orig_offset);\n\n return offset;\n}", "project": "wireshark", "hash": 166107750976274369422482227949409021676, "size": 1249, "commit_id": "618661b22e34a59b21117db723d8ff91e064d4ba", "message": "dnp: plug a memory leak.\n\nIf we're throwing away the data, *throw away the data* - free it, as\nwe're not using it as the backing data for a tvbuff.", "target": 0, "dataset": "other", "idx": 335504 }, { "func": "dnp3_al_empty_obj(guint16 al_obj)\n{\n\n /* return a TRUE if we expect an empty object (default var, class object, etc) */\n switch (al_obj)\n {\n case AL_OBJ_BI_ALL: /* Binary Input Default Variation (Obj:01, Var:Default) */\n case AL_OBJ_BIC_ALL: /* Binary Input Change Default Variation (Obj:02, Var:Default) */\n case AL_OBJ_BOC_ALL: /* Binary Output Event Default Variation (Obj:11, Var:Default) */\n case AL_OBJ_2BI_ALL: /* Double-bit Input Default Variation (Obj:03, Var:Default) */\n case AL_OBJ_2BIC_ALL: /* Double-bit Input Change Default Variation (Obj:04, Var:Default) */\n case AL_OBJ_CTR_ALL: /* Binary Counter Default Variation (Obj:20, Var:Default) */\n case AL_OBJ_CTRC_ALL: /* Binary Counter Change Default Variation (Obj:22 Var:Default) */\n case AL_OBJ_AI_ALL: /* Analog Input Default Variation (Obj:30, Var:Default) */\n case AL_OBJ_AIC_ALL: /* Analog Input Change Default Variation (Obj:32 Var:Default) */\n case AL_OBJ_AIDB_ALL: /* Analog Input Deadband Default Variation (Obj:34, Var:Default) */\n case AL_OBJ_AOC_ALL: /* Analog Output Event Default Variation (Obj:42 Var:Default) */\n case AL_OBJ_CLASS0: /* Class Data Objects */\n case AL_OBJ_CLASS1:\n case AL_OBJ_CLASS2:\n case AL_OBJ_CLASS3:\n return TRUE;\n break;\n default:\n return FALSE;\n break;\n }\n}", "project": "wireshark", "hash": 53036625978070021974058007298153576070, "size": 28, "commit_id": "618661b22e34a59b21117db723d8ff91e064d4ba", "message": "dnp: plug a memory leak.\n\nIf we're throwing away the data, *throw away the data* - free 
it, as\nwe're not using it as the backing data for a tvbuff.", "target": 0, "dataset": "other", "idx": 335507 }, { "func": "dissect_dnp3_al(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)\n{\n guint8 al_ctl, al_seq, al_func, al_class = 0, i;\n guint16 bytes, obj_type = 0;\n guint data_len = 0, offset = 0;\n proto_item *ti, *tc;\n proto_tree *al_tree, *robj_tree;\n const gchar *func_code_str, *obj_type_str;\n nstime_t al_cto;\n static int * const control_flags[] = {\n &hf_dnp3_al_fir,\n &hf_dnp3_al_fin,\n &hf_dnp3_al_con,\n &hf_dnp3_al_uns,\n &hf_dnp3_al_seq,\n NULL\n };\n\n nstime_set_zero (&al_cto);\n\n data_len = tvb_captured_length(tvb);\n\n /* Handle the control byte and function code */\n al_ctl = tvb_get_guint8(tvb, offset);\n al_seq = al_ctl & DNP3_AL_SEQ;\n al_func = tvb_get_guint8(tvb, (offset+1));\n func_code_str = val_to_str_ext(al_func, &dnp3_al_func_vals_ext, \"Unknown function (0x%02x)\");\n\n /* Clear out lower layer info */\n col_clear(pinfo->cinfo, COL_INFO);\n col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, func_code_str);\n col_set_fence(pinfo->cinfo, COL_INFO);\n\n /* format up the text representation */\n al_tree = proto_tree_add_subtree(tree, tvb, offset, data_len, ett_dnp3_al, &ti, \"Application Layer: (\");\n if (al_ctl & DNP3_AL_FIR) proto_item_append_text(ti, \"FIR, \");\n if (al_ctl & DNP3_AL_FIN) proto_item_append_text(ti, \"FIN, \");\n if (al_ctl & DNP3_AL_CON) proto_item_append_text(ti, \"CON, \");\n if (al_ctl & DNP3_AL_UNS) proto_item_append_text(ti, \"UNS, \");\n proto_item_append_text(ti, \"Sequence %u, %s)\", al_seq, func_code_str);\n\n /* Application Layer control byte subtree */\n tc = proto_tree_add_bitmask(al_tree, tvb, offset, hf_dnp3_al_ctl, ett_dnp3_al_ctl, control_flags, ENC_BIG_ENDIAN);\n proto_item_append_text(tc, \"(\");\n if (al_ctl & DNP3_AL_FIR) proto_item_append_text(tc, \"FIR, \");\n if (al_ctl & DNP3_AL_FIN) proto_item_append_text(tc, \"FIN, \");\n if (al_ctl & DNP3_AL_CON) proto_item_append_text(tc, \"CON, 
\");\n if (al_ctl & DNP3_AL_UNS) proto_item_append_text(tc, \"UNS, \");\n proto_item_append_text(tc, \"Sequence %u)\", al_seq);\n offset += 1;\n\n#if 0\n /* If this packet is NOT the final Application Layer Message, exit and continue\n processing the remaining data in the fragment. */\n if (!(al_ctl & DNP3_AL_FIN)) {\n t_robj = proto_tree_add_expert(al_tree, pinfo, &ei_dnp3_buffering_user_data_until_final_frame_is_received, tvb, offset, -1);\n return 1;\n }\n#endif\n\n /* Application Layer Function Code Byte */\n proto_tree_add_uint_format(al_tree, hf_dnp3_al_func, tvb, offset, 1, al_func,\n \"Function Code: %s (0x%02x)\", func_code_str, al_func);\n offset += 1;\n\n switch (al_func)\n {\n case AL_FUNC_READ: /* Read Function Code 0x01 */\n\n /* Create Read Request Data Objects Tree */\n robj_tree = proto_tree_add_subtree(al_tree, tvb, offset, -1, ett_dnp3_al_objdet, NULL, \"READ Request Data Objects\");\n\n /* Process Data Object Details */\n while (offset <= (data_len-2)) { /* 2 octet object code + CRC32 */\n offset = dnp3_al_process_object(tvb, pinfo, offset, robj_tree, TRUE, &obj_type, &al_cto);\n\n /* Update class type for each object that was a class read */\n switch(obj_type) {\n case AL_OBJ_CLASS0:\n case AL_OBJ_CLASS1:\n case AL_OBJ_CLASS2:\n case AL_OBJ_CLASS3:\n al_class |= (1 << ((obj_type & 0x0f) - 1));\n break;\n default:\n /* For reads for specific object types, bit-mask out the first byte and add the generic obj description to the column info */\n obj_type_str = val_to_str_ext((obj_type & 0xFF00), &dnp3_al_read_obj_vals_ext, \"Unknown Object Type\");\n col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, obj_type_str);\n break;\n }\n\n }\n\n /* Update the col info if there were class reads */\n if (al_class != 0) {\n col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, \"Class \");\n for (i = 0; i < 4; i++) {\n if (al_class & (1 << i)) {\n col_append_fstr(pinfo->cinfo, COL_INFO, \"%u\", i);\n }\n }\n }\n\n break;\n\n case AL_FUNC_WRITE: /* Write Function Code 
0x02 */\n\n /* Create Write Request Data Objects Tree */\n robj_tree = proto_tree_add_subtree(al_tree, tvb, offset, -1, ett_dnp3_al_objdet, NULL, \"WRITE Request Data Objects\");\n\n /* Process Data Object Details */\n while (offset <= (data_len-2)) { /* 2 octet object code + CRC32 */\n offset = dnp3_al_process_object(tvb, pinfo, offset, robj_tree, FALSE, &obj_type, &al_cto);\n\n /* For writes for specific object types, bit-mask out the first byte and add the generic obj description to the column info */\n obj_type_str = val_to_str_ext((obj_type & 0xFF00), &dnp3_al_write_obj_vals_ext, \"Unknown Object Type\");\n col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, obj_type_str);\n\n }\n\n break;\n\n case AL_FUNC_SELECT: /* Select Function Code 0x03 */\n\n /* Create Select Request Data Objects Tree */\n robj_tree = proto_tree_add_subtree(al_tree, tvb, offset, -1, ett_dnp3_al_objdet, NULL, \"SELECT Request Data Objects\");\n\n /* Process Data Object Details */\n while (offset <= (data_len-2)) { /* 2 octet object code + CRC32 */\n offset = dnp3_al_process_object(tvb, pinfo, offset, robj_tree, FALSE, &obj_type, &al_cto);\n }\n\n break;\n\n case AL_FUNC_OPERATE: /* Operate Function Code 0x04 */\n /* Functionally identical to 'SELECT' Function Code */\n\n /* Create Operate Request Data Objects Tree */\n robj_tree = proto_tree_add_subtree(al_tree, tvb, offset, -1, ett_dnp3_al_objdet, NULL, \"OPERATE Request Data Objects\");\n\n /* Process Data Object Details */\n while (offset <= (data_len-2)) { /* 2 octet object code + CRC32 */\n offset = dnp3_al_process_object(tvb, pinfo, offset, robj_tree, FALSE, &obj_type, &al_cto);\n }\n\n break;\n\n case AL_FUNC_DIROP: /* Direct Operate Function Code 0x05 */\n case AL_FUNC_DIROPNACK: /* Direct Operate No ACK Function Code 0x06 */\n /* Functionally identical to 'SELECT' Function Code */\n\n /* Create Direct Operate Request Data Objects Tree */\n robj_tree = proto_tree_add_subtree(al_tree, tvb, offset, -1, ett_dnp3_al_objdet, NULL, 
\"DIRECT OPERATE Request Data Objects\");\n\n /* Process Data Object Details */\n while (offset <= (data_len-2)) { /* 2 octet object code + CRC32 */\n offset = dnp3_al_process_object(tvb, pinfo, offset, robj_tree, FALSE, &obj_type, &al_cto);\n }\n\n break;\n\n case AL_FUNC_FRZ: /* Immediate Freeze Function Code 0x07 */\n case AL_FUNC_FRZNACK: /* Immediate Freeze No ACK Function Code 0x08 */\n case AL_FUNC_FRZCLR: /* Freeze and Clear Function Code 0x09 */\n case AL_FUNC_FRZCLRNACK: /* Freeze and Clear No ACK Function Code 0x0A */\n\n /* Create Freeze Request Data Objects Tree */\n robj_tree = proto_tree_add_subtree(al_tree, tvb, offset, -1, ett_dnp3_al_objdet, NULL, \"Freeze Request Data Objects\");\n\n /* Process Data Object Details */\n while (offset <= (data_len-2)) { /* 2 octet object code + CRC32 */\n offset = dnp3_al_process_object(tvb, pinfo, offset, robj_tree, TRUE, &obj_type, &al_cto);\n }\n\n break;\n\n case AL_FUNC_ENSPMSG: /* Enable Spontaneous Messages Function Code 0x14 */\n\n /* Create Enable Spontaneous Messages Data Objects Tree */\n robj_tree = proto_tree_add_subtree(al_tree, tvb, offset, -1, ett_dnp3_al_objdet, NULL, \"Enable Spontaneous Msg's Data Objects\");\n\n /* Process Data Object Details */\n while (offset <= (data_len-2)) { /* 2 octet object code + CRC32 */\n offset = dnp3_al_process_object(tvb, pinfo, offset, robj_tree, FALSE, &obj_type, &al_cto);\n }\n\n break;\n\n case AL_FUNC_DISSPMSG: /* Disable Spontaneous Messages Function Code 0x15 */\n\n /* Create Disable Spontaneous Messages Data Objects Tree */\n robj_tree = proto_tree_add_subtree(al_tree, tvb, offset, -1, ett_dnp3_al_objdet, NULL, \"Disable Spontaneous Msg's Data Objects\");\n\n /* Process Data Object Details */\n while (offset <= (data_len-2)) { /* 2 octet object code + CRC32 */\n offset = dnp3_al_process_object(tvb, pinfo, offset, robj_tree, FALSE, &obj_type, &al_cto);\n }\n\n break;\n\n case AL_FUNC_DELAYMST: /* Delay Measurement Function Code 0x17 */\n\n break;\n\n case 
AL_FUNC_OPENFILE: /* Open File Function Code 0x19 */\n case AL_FUNC_CLOSEFILE: /* Close File Function Code 0x1A */\n case AL_FUNC_DELETEFILE: /* Delete File Function Code 0x1B */\n\n /* Create File Data Objects Tree */\n robj_tree = proto_tree_add_subtree(al_tree, tvb, offset, -1, ett_dnp3_al_objdet, NULL, \"File Data Objects\");\n\n /* Process Data Object Details */\n while (offset <= (data_len-2)) { /* 2 octet object code + CRC32 */\n offset = dnp3_al_process_object(tvb, pinfo, offset, robj_tree, FALSE, &obj_type, &al_cto);\n }\n\n break;\n\n case AL_FUNC_RESPON: /* Response Function Code 0x81 */\n case AL_FUNC_UNSOLI: /* Unsolicited Response Function Code 0x82 */\n\n /* Application Layer IIN bits req'd if message is a response */\n dnp3_al_process_iin(tvb, pinfo, offset, al_tree);\n offset += 2;\n\n /* Ensure there is actual data remaining in the message.\n A response will not contain data following the IIN bits,\n if there is none available */\n bytes = tvb_reported_length_remaining(tvb, offset);\n if (bytes > 0)\n {\n /* Create Response Data Objects Tree */\n robj_tree = proto_tree_add_subtree(al_tree, tvb, offset, -1, ett_dnp3_al_objdet, NULL, \"RESPONSE Data Objects\");\n\n /* Process Data Object Details */\n while (offset <= (data_len-2)) { /* 2 octet object code + CRC32 */\n offset = dnp3_al_process_object(tvb, pinfo, offset, robj_tree, FALSE, &obj_type, &al_cto);\n }\n\n break;\n }\n\n default: /* Unknown Function */\n\n break;\n }\n\n return 0;\n}", "project": "wireshark", "hash": 258808981316363780963723327340571066833, "size": 249, "commit_id": "618661b22e34a59b21117db723d8ff91e064d4ba", "message": "dnp: plug a memory leak.\n\nIf we're throwing away the data, *throw away the data* - free it, as\nwe're not using it as the backing data for a tvbuff.", "target": 0, "dataset": "other", "idx": 335512 }, { "func": "rb_to_id(VALUE name)\n{\n VALUE tmp;\n ID id;\n\n switch (TYPE(name)) {\n default:\n\ttmp = rb_check_string_type(name);\n\tif (NIL_P(tmp)) {\n\t 
tmp = rb_inspect(name);\n\t rb_raise(rb_eTypeError, \"%s is not a symbol\",\n\t\t RSTRING_PTR(tmp));\n\t}\n\tname = tmp;\n\t/* fall through */\n case T_STRING:\n\tname = rb_str_intern(name);\n\t/* fall through */\n case T_SYMBOL:\n\treturn SYM2ID(name);\n }\n return id;\n}", "project": "ruby", "hash": 222076678266924877872386466248589973179, "size": 23, "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5", "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis , KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e", "target": 0, "dataset": "other", "idx": 336827 }, { "func": "rb_str_match(VALUE x, VALUE y)\n{\n switch (TYPE(y)) {\n case T_STRING:\n\trb_raise(rb_eTypeError, \"type mismatch: String given\");\n\n case T_REGEXP:\n\treturn rb_reg_match(y, x);\n\n default:\n\treturn rb_funcall(y, rb_intern(\"=~\"), 1, x);\n }\n}", "project": "ruby", "hash": 86002463496297031099008633479469163325, "size": 13, "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5", "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis , KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e", "target": 0, "dataset": "other", "idx": 336889 }, { "func": "rb_str_conv_enc_opts(VALUE str, rb_encoding *from, rb_encoding *to, int ecflags, VALUE ecopts)\n{\n rb_econv_t *ec;\n rb_econv_result_t ret;\n long len;\n VALUE newstr;\n const unsigned char *sp;\n unsigned char *dp;\n\n if (!to) return str;\n if (from == to) return str;\n if ((rb_enc_asciicompat(to) && ENC_CODERANGE(str) == ENC_CODERANGE_7BIT) ||\n\tto == rb_ascii8bit_encoding()) {\n\tif (STR_ENC_GET(str) != to) {\n\t str = rb_str_dup(str);\n\t rb_enc_associate(str, to);\n\t}\n\treturn str;\n }\n\n len = RSTRING_LEN(str);\n newstr = rb_str_new(0, len);\n\n retry:\n ec = 
rb_econv_open_opts(from->name, to->name, ecflags, ecopts);\n if (!ec) return str;\n\n sp = (unsigned char*)RSTRING_PTR(str);\n dp = (unsigned char*)RSTRING_PTR(newstr);\n ret = rb_econv_convert(ec, &sp, (unsigned char*)RSTRING_END(str),\n\t\t\t &dp, (unsigned char*)RSTRING_END(newstr), 0);\n rb_econv_close(ec);\n switch (ret) {\n case econv_destination_buffer_full:\n\t/* destination buffer short */\n\tlen *= 2;\n\trb_str_resize(newstr, len);\n\tgoto retry;\n\n case econv_finished:\n\tlen = dp - (unsigned char*)RSTRING_PTR(newstr);\n\trb_str_set_len(newstr, len);\n\trb_enc_associate(newstr, to);\n\treturn newstr;\n\n default:\n\t/* some error, return original */\n\treturn str;\n }\n}", "project": "ruby", "hash": 319249284786125177585283426665448187431, "size": 50, "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5", "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis , KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e", "target": 0, "dataset": "other", "idx": 336928 }, { "func": "str_gsub(int argc, VALUE *argv, VALUE str, int bang)\n{\n VALUE pat, val, repl, match, dest, hash = Qnil;\n struct re_registers *regs;\n long beg, n;\n long beg0, end0;\n long offset, blen, slen, len, last;\n int iter = 0;\n char *sp, *cp;\n int tainted = 0;\n rb_encoding *str_enc;\n\n switch (argc) {\n case 1:\n\tRETURN_ENUMERATOR(str, argc, argv);\n\titer = 1;\n\tbreak;\n case 2:\n\trepl = argv[1];\n\thash = rb_check_convert_type(argv[1], T_HASH, \"Hash\", \"to_hash\");\n\tif (NIL_P(hash)) {\n\t StringValue(repl);\n\t}\n\tif (OBJ_TAINTED(repl)) tainted = 1;\n\tbreak;\n default:\n\trb_raise(rb_eArgError, \"wrong number of arguments (%d for 2)\", argc);\n }\n\n pat = get_pat(argv[0], 1);\n beg = rb_reg_search(pat, str, 0, 0);\n if (beg < 0) {\n\tif (bang) return Qnil;\t/* no match, no substitution */\n\treturn rb_str_dup(str);\n }\n\n offset = 0;\n n = 0;\n 
blen = RSTRING_LEN(str) + 30; /* len + margin */\n dest = rb_str_buf_new(blen);\n sp = RSTRING_PTR(str);\n slen = RSTRING_LEN(str);\n cp = sp;\n str_enc = STR_ENC_GET(str);\n\n do {\n\tn++;\n\tmatch = rb_backref_get();\n\tregs = RMATCH_REGS(match);\n\tbeg0 = BEG(0);\n\tend0 = END(0);\n\tif (iter || !NIL_P(hash)) {\n if (iter) {\n val = rb_obj_as_string(rb_yield(rb_reg_nth_match(0, match)));\n }\n else {\n val = rb_hash_aref(hash, rb_str_subseq(str, BEG(0), END(0) - BEG(0)));\n val = rb_obj_as_string(val);\n }\n\t str_mod_check(str, sp, slen);\n\t if (val == dest) { \t/* paranoid check [ruby-dev:24827] */\n\t\trb_raise(rb_eRuntimeError, \"block should not cheat\");\n\t }\n\t}\n\telse {\n\t val = rb_reg_regsub(repl, str, regs, pat);\n\t}\n\n\tif (OBJ_TAINTED(val)) tainted = 1;\n\n\tlen = beg - offset;\t/* copy pre-match substr */\n if (len) {\n rb_enc_str_buf_cat(dest, cp, len, str_enc);\n }\n\n rb_str_buf_append(dest, val);\n\n\tlast = offset;\n\toffset = end0;\n\tif (beg0 == end0) {\n\t /*\n\t * Always consume at least one character of the input string\n\t * in order to prevent infinite loops.\n\t */\n\t if (RSTRING_LEN(str) <= end0) break;\n\t len = rb_enc_fast_mbclen(RSTRING_PTR(str)+end0, RSTRING_END(str), str_enc);\n rb_enc_str_buf_cat(dest, RSTRING_PTR(str)+end0, len, str_enc);\n\t offset = end0 + len;\n\t}\n\tcp = RSTRING_PTR(str) + offset;\n\tif (offset > RSTRING_LEN(str)) break;\n\tbeg = rb_reg_search(pat, str, offset, 0);\n } while (beg >= 0);\n if (RSTRING_LEN(str) > offset) {\n rb_enc_str_buf_cat(dest, cp, RSTRING_LEN(str) - offset, str_enc);\n }\n rb_reg_search(pat, str, last, 0);\n if (bang) {\n rb_str_shared_replace(str, dest);\n }\n else {\n\tRBASIC(dest)->klass = rb_obj_class(str);\n\tOBJ_INFECT(dest, str);\n\tstr = dest;\n }\n\n if (tainted) OBJ_TAINT(str);\n return str;\n}", "project": "ruby", "hash": 162306387430390580050477356094136079865, "size": 109, "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5", "message": "* string.c 
(rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis , KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e", "target": 0, "dataset": "other", "idx": 336996 }, { "func": "rb_str_aref(VALUE str, VALUE indx)\n{\n long idx;\n\n switch (TYPE(indx)) {\n case T_FIXNUM:\n\tidx = FIX2LONG(indx);\n\n num_index:\n\tstr = rb_str_substr(str, idx, 1);\n\tif (!NIL_P(str) && RSTRING_LEN(str) == 0) return Qnil;\n\treturn str;\n\n case T_REGEXP:\n\treturn rb_str_subpat(str, indx, INT2FIX(0));\n\n case T_STRING:\n\tif (rb_str_index(str, indx, 0) != -1)\n\t return rb_str_dup(indx);\n\treturn Qnil;\n\n default:\n\t/* check if indx is Range */\n\t{\n\t long beg, len;\n\t VALUE tmp;\n\n\t len = str_strlen(str, STR_ENC_GET(str));\n\t switch (rb_range_beg_len(indx, &beg, &len, len, 0)) {\n\t case Qfalse:\n\t\tbreak;\n\t case Qnil:\n\t\treturn Qnil;\n\t default:\n\t\ttmp = rb_str_substr(str, beg, len);\n\t\treturn tmp;\n\t }\n\t}\n\tidx = NUM2LONG(indx);\n\tgoto num_index;\n }\n return Qnil;\t\t/* not reached */\n}", "project": "ruby", "hash": 87822511194525891320245745366563826224, "size": 43, "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5", "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis , KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e", "target": 0, "dataset": "other", "idx": 337013 }, { "func": "MagickExport Image *MergeImageLayers(Image *image,const LayerMethod method,\n ExceptionInfo *exception)\n{\n#define MergeLayersTag \"Merge/Layers\"\n\n Image\n *canvas;\n\n MagickBooleanType\n proceed;\n\n RectangleInfo\n page;\n\n register const Image\n *next;\n\n size_t\n number_images,\n height,\n width;\n\n ssize_t\n scene;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n 
(void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n /*\n Determine canvas image size, and its virtual canvas size and offset\n */\n page=image->page;\n width=image->columns;\n height=image->rows;\n switch (method)\n {\n case TrimBoundsLayer:\n case MergeLayer:\n default:\n {\n next=GetNextImageInList(image);\n for ( ; next != (Image *) NULL; next=GetNextImageInList(next))\n {\n if (page.x > next->page.x)\n {\n width+=page.x-next->page.x;\n page.x=next->page.x;\n }\n if (page.y > next->page.y)\n {\n height+=page.y-next->page.y;\n page.y=next->page.y;\n }\n if ((ssize_t) width < (next->page.x+(ssize_t) next->columns-page.x))\n width=(size_t) next->page.x+(ssize_t) next->columns-page.x;\n if ((ssize_t) height < (next->page.y+(ssize_t) next->rows-page.y))\n height=(size_t) next->page.y+(ssize_t) next->rows-page.y;\n }\n break;\n }\n case FlattenLayer:\n {\n if (page.width > 0)\n width=page.width;\n if (page.height > 0)\n height=page.height;\n page.x=0;\n page.y=0;\n break;\n }\n case MosaicLayer:\n {\n if (page.width > 0)\n width=page.width;\n if (page.height > 0)\n height=page.height;\n for (next=image; next != (Image *) NULL; next=GetNextImageInList(next))\n {\n if (method == MosaicLayer)\n {\n page.x=next->page.x;\n page.y=next->page.y;\n if ((ssize_t) width < (next->page.x+(ssize_t) next->columns))\n width=(size_t) next->page.x+next->columns;\n if ((ssize_t) height < (next->page.y+(ssize_t) next->rows))\n height=(size_t) next->page.y+next->rows;\n }\n }\n page.width=width;\n page.height=height;\n page.x=0;\n page.y=0;\n }\n break;\n }\n /*\n Set virtual canvas size if not defined.\n */\n if (page.width == 0)\n page.width=page.x < 0 ? width : width+page.x;\n if (page.height == 0)\n page.height=page.y < 0 ? 
height : height+page.y;\n /*\n Handle \"TrimBoundsLayer\" method separately to normal 'layer merge'.\n */\n if (method == TrimBoundsLayer)\n {\n number_images=GetImageListLength(image);\n for (scene=0; scene < (ssize_t) number_images; scene++)\n {\n image->page.x-=page.x;\n image->page.y-=page.y;\n image->page.width=width;\n image->page.height=height;\n proceed=SetImageProgress(image,MergeLayersTag,(MagickOffsetType) scene,\n number_images);\n if (proceed == MagickFalse)\n break;\n image=GetNextImageInList(image);\n if (image == (Image *) NULL)\n break;\n }\n return((Image *) NULL);\n }\n /*\n Create canvas size of width and height, and background color.\n */\n canvas=CloneImage(image,width,height,MagickTrue,exception);\n if (canvas == (Image *) NULL)\n return((Image *) NULL);\n canvas->background_color.alpha_trait=BlendPixelTrait;\n (void) SetImageBackgroundColor(canvas,exception);\n canvas->page=page;\n canvas->dispose=UndefinedDispose;\n /*\n Compose images onto canvas, with progress monitor\n */\n number_images=GetImageListLength(image);\n for (scene=0; scene < (ssize_t) number_images; scene++)\n {\n (void) CompositeImage(canvas,image,image->compose,MagickTrue,image->page.x-\n canvas->page.x,image->page.y-canvas->page.y,exception);\n proceed=SetImageProgress(image,MergeLayersTag,(MagickOffsetType) scene,\n number_images);\n if (proceed == MagickFalse)\n break;\n image=GetNextImageInList(image);\n if (image == (Image *) NULL)\n break;\n }\n return(canvas);\n}", "project": "ImageMagick", "hash": 101058300584399947795797173609102503090, "size": 155, "commit_id": "ef59bd764f88d893f1219fee8ba696a5d3f8c1c4", "message": "There is a Division by Zero in function OptimizeLayerFrames (#2743)\n\nin file MagickCore/layer.c. cur->ticks_per_seconds can be zero\r\nwith a crafted input argument *image. 
This is similar to\r\nCVE-2019-13454.", "target": 0, "dataset": "other", "idx": 338499 }, { "func": "static char *stibp_state(void)\n{\n\tif (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)\n\t\treturn \"\";\n\n\tswitch (spectre_v2_user_stibp) {\n\tcase SPECTRE_V2_USER_NONE:\n\t\treturn \", STIBP: disabled\";\n\tcase SPECTRE_V2_USER_STRICT:\n\t\treturn \", STIBP: forced\";\n\tcase SPECTRE_V2_USER_STRICT_PREFERRED:\n\t\treturn \", STIBP: always-on\";\n\tcase SPECTRE_V2_USER_PRCTL:\n\tcase SPECTRE_V2_USER_SECCOMP:\n\t\tif (static_key_enabled(&switch_to_cond_stibp))\n\t\t\treturn \", STIBP: conditional\";\n\t}\n\treturn \"\";\n}", "project": "linux", "hash": 295589332026090499973924411052675720131, "size": 19, "commit_id": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf", "message": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.\n\nCurrently, it is possible to enable indirect branch speculation even after\nit was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the\nPR_GET_SPECULATION_CTRL command gives afterwards an incorrect result\n(force-disabled when it is in fact enabled). This also is inconsistent\nvs. STIBP and the documention which cleary states that\nPR_SPEC_FORCE_DISABLE cannot be undone.\n\nFix this by actually enforcing force-disabled indirect branch\nspeculation. 
PR_SPEC_ENABLE called after PR_SPEC_FORCE_DISABLE now fails\nwith -EPERM as described in the documentation.\n\nFixes: 9137bb27e60e (\"x86/speculation: Add prctl() control for indirect branch speculation\")\nSigned-off-by: Anthony Steinhauser \nSigned-off-by: Thomas Gleixner \nCc: stable@vger.kernel.org", "target": 0, "dataset": "other", "idx": 338787 }, { "func": "spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)\n{\n\tenum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE;\n\tbool smt_possible = IS_ENABLED(CONFIG_SMP);\n\tenum spectre_v2_user_cmd cmd;\n\n\tif (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP))\n\t\treturn;\n\n\tif (cpu_smt_control == CPU_SMT_FORCE_DISABLED ||\n\t cpu_smt_control == CPU_SMT_NOT_SUPPORTED)\n\t\tsmt_possible = false;\n\n\tcmd = spectre_v2_parse_user_cmdline(v2_cmd);\n\tswitch (cmd) {\n\tcase SPECTRE_V2_USER_CMD_NONE:\n\t\tgoto set_mode;\n\tcase SPECTRE_V2_USER_CMD_FORCE:\n\t\tmode = SPECTRE_V2_USER_STRICT;\n\t\tbreak;\n\tcase SPECTRE_V2_USER_CMD_PRCTL:\n\tcase SPECTRE_V2_USER_CMD_PRCTL_IBPB:\n\t\tmode = SPECTRE_V2_USER_PRCTL;\n\t\tbreak;\n\tcase SPECTRE_V2_USER_CMD_AUTO:\n\tcase SPECTRE_V2_USER_CMD_SECCOMP:\n\tcase SPECTRE_V2_USER_CMD_SECCOMP_IBPB:\n\t\tif (IS_ENABLED(CONFIG_SECCOMP))\n\t\t\tmode = SPECTRE_V2_USER_SECCOMP;\n\t\telse\n\t\t\tmode = SPECTRE_V2_USER_PRCTL;\n\t\tbreak;\n\t}\n\n\t/* Initialize Indirect Branch Prediction Barrier */\n\tif (boot_cpu_has(X86_FEATURE_IBPB)) {\n\t\tsetup_force_cpu_cap(X86_FEATURE_USE_IBPB);\n\n\t\tswitch (cmd) {\n\t\tcase SPECTRE_V2_USER_CMD_FORCE:\n\t\tcase SPECTRE_V2_USER_CMD_PRCTL_IBPB:\n\t\tcase SPECTRE_V2_USER_CMD_SECCOMP_IBPB:\n\t\t\tstatic_branch_enable(&switch_mm_always_ibpb);\n\t\t\tbreak;\n\t\tcase SPECTRE_V2_USER_CMD_PRCTL:\n\t\tcase SPECTRE_V2_USER_CMD_AUTO:\n\t\tcase SPECTRE_V2_USER_CMD_SECCOMP:\n\t\t\tstatic_branch_enable(&switch_mm_cond_ibpb);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\n\t\tpr_info(\"mitigation: Enabling %s 
Indirect Branch Prediction Barrier\\n\",\n\t\t\tstatic_key_enabled(&switch_mm_always_ibpb) ?\n\t\t\t\"always-on\" : \"conditional\");\n\n\t\tspectre_v2_user_ibpb = mode;\n\t}\n\n\t/*\n\t * If enhanced IBRS is enabled or SMT impossible, STIBP is not\n\t * required.\n\t */\n\tif (!smt_possible || spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)\n\t\treturn;\n\n\t/*\n\t * At this point, an STIBP mode other than \"off\" has been set.\n\t * If STIBP support is not being forced, check if STIBP always-on\n\t * is preferred.\n\t */\n\tif (mode != SPECTRE_V2_USER_STRICT &&\n\t boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON))\n\t\tmode = SPECTRE_V2_USER_STRICT_PREFERRED;\n\n\t/*\n\t * If STIBP is not available, clear the STIBP mode.\n\t */\n\tif (!boot_cpu_has(X86_FEATURE_STIBP))\n\t\tmode = SPECTRE_V2_USER_NONE;\n\n\tspectre_v2_user_stibp = mode;\n\nset_mode:\n\tpr_info(\"%s\\n\", spectre_v2_user_strings[mode]);\n}", "project": "linux", "hash": 92201893915362032370981745639941853605, "size": 87, "commit_id": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf", "message": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.\n\nCurrently, it is possible to enable indirect branch speculation even after\nit was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the\nPR_GET_SPECULATION_CTRL command gives afterwards an incorrect result\n(force-disabled when it is in fact enabled). This also is inconsistent\nvs. STIBP and the documention which cleary states that\nPR_SPEC_FORCE_DISABLE cannot be undone.\n\nFix this by actually enforcing force-disabled indirect branch\nspeculation. 
PR_SPEC_ENABLE called after PR_SPEC_FORCE_DISABLE now fails\nwith -EPERM as described in the documentation.\n\nFixes: 9137bb27e60e (\"x86/speculation: Add prctl() control for indirect branch speculation\")\nSigned-off-by: Anthony Steinhauser \nSigned-off-by: Thomas Gleixner \nCc: stable@vger.kernel.org", "target": 0, "dataset": "other", "idx": 338790 }, { "func": "evbuffer_ptr_set(struct evbuffer *buf, struct evbuffer_ptr *pos,\n size_t position, enum evbuffer_ptr_how how)\n{\n\tsize_t left = position;\n\tstruct evbuffer_chain *chain = NULL;\n\n\tEVBUFFER_LOCK(buf);\n\n\tswitch (how) {\n\tcase EVBUFFER_PTR_SET:\n\t\tchain = buf->first;\n\t\tpos->pos = position;\n\t\tposition = 0;\n\t\tbreak;\n\tcase EVBUFFER_PTR_ADD:\n\t\t/* this avoids iterating over all previous chains if\n\t\t we just want to advance the position */\n\t\tif (pos->pos < 0 || EV_SIZE_MAX - position < (size_t)pos->pos) {\n\t\t\tEVBUFFER_UNLOCK(buf);\n\t\t\treturn -1;\n\t\t}\n\t\tchain = pos->_internal.chain;\n\t\tpos->pos += position;\n\t\tposition = pos->_internal.pos_in_chain;\n\t\tbreak;\n\t}\n\n\tEVUTIL_ASSERT(EV_SIZE_MAX - left >= position);\n\twhile (chain && position + left >= chain->off) {\n\t\tleft -= chain->off - position;\n\t\tchain = chain->next;\n\t\tposition = 0;\n\t}\n\tif (chain) {\n\t\tpos->_internal.chain = chain;\n\t\tpos->_internal.pos_in_chain = position + left;\n\t} else {\n\t\tpos->_internal.chain = NULL;\n\t\tpos->pos = -1;\n\t}\n\n\tEVBUFFER_UNLOCK(buf);\n\n\treturn chain != NULL ? 
0 : -1;\n}", "project": "libevent", "hash": 178139330642064672286545576135847770595, "size": 45, "commit_id": "20d6d4458bee5d88bda1511c225c25b2d3198d6c", "message": "Fix CVE-2014-6272 in Libevent 2.0\n\nFor this fix, we need to make sure that passing too-large inputs to\nthe evbuffer functions can't make us do bad things with the heap.\n\nAlso, lower the maximum chunk size to the lower of off_t, size_t maximum.\n\nThis is necessary since otherwise we could get into an infinite loop\nif we make a chunk that 'misalign' cannot index into.", "target": 0, "dataset": "other", "idx": 346351 }, { "func": "map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type)\n{\n\tswitch (type) {\n\tcase CKA_TOKEN:\n\tcase CKA_PRIVATE:\n\tcase CKA_TRUSTED:\n\tcase CKA_SENSITIVE:\n\tcase CKA_ENCRYPT:\n\tcase CKA_DECRYPT:\n\tcase CKA_WRAP:\n\tcase CKA_UNWRAP:\n\tcase CKA_SIGN:\n\tcase CKA_SIGN_RECOVER:\n\tcase CKA_VERIFY:\n\tcase CKA_VERIFY_RECOVER:\n\tcase CKA_DERIVE:\n\tcase CKA_EXTRACTABLE:\n\tcase CKA_LOCAL:\n\tcase CKA_NEVER_EXTRACTABLE:\n\tcase CKA_ALWAYS_SENSITIVE:\n\tcase CKA_MODIFIABLE:\n\tcase CKA_COPYABLE:\n\tcase CKA_SECONDARY_AUTH: /* Deprecated */\n\tcase CKA_ALWAYS_AUTHENTICATE:\n\tcase CKA_WRAP_WITH_TRUSTED:\n\tcase CKA_RESET_ON_INIT:\n\tcase CKA_HAS_RESET:\n\tcase CKA_COLOR:\n\t\treturn P11_RPC_VALUE_BYTE;\n\tcase CKA_CLASS:\n\tcase CKA_CERTIFICATE_TYPE:\n\tcase CKA_CERTIFICATE_CATEGORY:\n\tcase CKA_JAVA_MIDP_SECURITY_DOMAIN:\n\tcase CKA_KEY_TYPE:\n\tcase CKA_MODULUS_BITS:\n\tcase CKA_PRIME_BITS:\n\tcase CKA_SUB_PRIME_BITS:\n\tcase CKA_VALUE_BITS:\n\tcase CKA_VALUE_LEN:\n\tcase CKA_KEY_GEN_MECHANISM:\n\tcase CKA_AUTH_PIN_FLAGS: /* Deprecated */\n\tcase CKA_HW_FEATURE_TYPE:\n\tcase CKA_PIXEL_X:\n\tcase CKA_PIXEL_Y:\n\tcase CKA_RESOLUTION:\n\tcase CKA_CHAR_ROWS:\n\tcase CKA_CHAR_COLUMNS:\n\tcase CKA_BITS_PER_PIXEL:\n\tcase CKA_MECHANISM_TYPE:\n\t\treturn P11_RPC_VALUE_ULONG;\n\tcase CKA_WRAP_TEMPLATE:\n\tcase CKA_UNWRAP_TEMPLATE:\n\t\treturn 
P11_RPC_VALUE_ATTRIBUTE_ARRAY;\n\tcase CKA_ALLOWED_MECHANISMS:\n\t\treturn P11_RPC_VALUE_MECHANISM_TYPE_ARRAY;\n\tcase CKA_START_DATE:\n\tcase CKA_END_DATE:\n\t\treturn P11_RPC_VALUE_DATE;\n\tdefault:\n\t\tp11_debug (\"cannot determine the type of attribute value for %lu; assuming byte array\",\n\t\t\t type);\n\t\t/* fallthrough */\n\tcase CKA_LABEL:\n\tcase CKA_APPLICATION:\n\tcase CKA_VALUE:\n\tcase CKA_OBJECT_ID:\n\tcase CKA_ISSUER:\n\tcase CKA_SERIAL_NUMBER:\n\tcase CKA_AC_ISSUER:\n\tcase CKA_OWNER:\n\tcase CKA_ATTR_TYPES:\n\tcase CKA_URL:\n\tcase CKA_HASH_OF_SUBJECT_PUBLIC_KEY:\n\tcase CKA_HASH_OF_ISSUER_PUBLIC_KEY:\n\tcase CKA_CHECK_VALUE:\n\tcase CKA_SUBJECT:\n\tcase CKA_ID:\n\tcase CKA_MODULUS:\n\tcase CKA_PUBLIC_EXPONENT:\n\tcase CKA_PRIVATE_EXPONENT:\n\tcase CKA_PRIME_1:\n\tcase CKA_PRIME_2:\n\tcase CKA_EXPONENT_1:\n\tcase CKA_EXPONENT_2:\n\tcase CKA_COEFFICIENT:\n\tcase CKA_PRIME:\n\tcase CKA_SUBPRIME:\n\tcase CKA_BASE:\n\tcase CKA_EC_PARAMS:\n\t\t/* same as CKA_ECDSA_PARAMS */\n\tcase CKA_EC_POINT:\n\tcase CKA_CHAR_SETS:\n\tcase CKA_ENCODING_METHODS:\n\tcase CKA_MIME_TYPES:\n\tcase CKA_REQUIRED_CMS_ATTRIBUTES:\n\tcase CKA_DEFAULT_CMS_ATTRIBUTES:\n\tcase CKA_SUPPORTED_CMS_ATTRIBUTES:\n\t\treturn P11_RPC_VALUE_BYTE_ARRAY;\n\t}\n}", "project": "p11-kit", "hash": 210418704553110269244226153689966663949, "size": 100, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, not\n*offset.", "target": 0, "dataset": "other", "idx": 349487 }, { "func": "mechanism_has_no_parameters (CK_MECHANISM_TYPE mech)\n{\n\t/* This list is incomplete */\n\n\tswitch (mech) {\n\tcase CKM_RSA_PKCS_KEY_PAIR_GEN:\n\tcase CKM_RSA_X9_31_KEY_PAIR_GEN:\n\tcase CKM_RSA_PKCS:\n\tcase CKM_RSA_9796:\n\tcase 
CKM_RSA_X_509:\n\tcase CKM_RSA_X9_31:\n\tcase CKM_MD2_RSA_PKCS:\n\tcase CKM_MD5_RSA_PKCS:\n\tcase CKM_SHA1_RSA_PKCS:\n\tcase CKM_SHA256_RSA_PKCS:\n\tcase CKM_SHA384_RSA_PKCS:\n\tcase CKM_SHA512_RSA_PKCS:\n\tcase CKM_RIPEMD128_RSA_PKCS:\n\tcase CKM_RIPEMD160_RSA_PKCS:\n\tcase CKM_SHA1_RSA_X9_31:\n\tcase CKM_DSA_KEY_PAIR_GEN:\n\tcase CKM_DSA_PARAMETER_GEN:\n\tcase CKM_DSA:\n\tcase CKM_DSA_SHA1:\n\tcase CKM_FORTEZZA_TIMESTAMP:\n\tcase CKM_EC_KEY_PAIR_GEN:\n\tcase CKM_ECDSA:\n\tcase CKM_ECDSA_SHA1:\n\tcase CKM_DH_PKCS_KEY_PAIR_GEN:\n\tcase CKM_DH_PKCS_PARAMETER_GEN:\n\tcase CKM_X9_42_DH_KEY_PAIR_GEN:\n\tcase CKM_X9_42_DH_PARAMETER_GEN:\n\tcase CKM_KEA_KEY_PAIR_GEN:\n\tcase CKM_GENERIC_SECRET_KEY_GEN:\n\tcase CKM_RC2_KEY_GEN:\n\tcase CKM_RC4_KEY_GEN:\n\tcase CKM_RC4:\n\tcase CKM_RC5_KEY_GEN:\n\tcase CKM_AES_KEY_GEN:\n\tcase CKM_AES_ECB:\n\tcase CKM_AES_MAC:\n\tcase CKM_DES_KEY_GEN:\n\tcase CKM_DES2_KEY_GEN:\n\tcase CKM_DES3_KEY_GEN:\n\tcase CKM_CDMF_KEY_GEN:\n\tcase CKM_CAST_KEY_GEN:\n\tcase CKM_CAST3_KEY_GEN:\n\tcase CKM_CAST128_KEY_GEN:\n\tcase CKM_IDEA_KEY_GEN:\n\tcase CKM_SSL3_PRE_MASTER_KEY_GEN:\n\tcase CKM_TLS_PRE_MASTER_KEY_GEN:\n\tcase CKM_SKIPJACK_KEY_GEN:\n\tcase CKM_BATON_KEY_GEN:\n\tcase CKM_JUNIPER_KEY_GEN:\n\tcase CKM_RC2_ECB:\n\tcase CKM_DES_ECB:\n\tcase CKM_DES3_ECB:\n\tcase CKM_CDMF_ECB:\n\tcase CKM_CAST_ECB:\n\tcase CKM_CAST3_ECB:\n\tcase CKM_CAST128_ECB:\n\tcase CKM_RC5_ECB:\n\tcase CKM_IDEA_ECB:\n\tcase CKM_RC2_MAC:\n\tcase CKM_DES_MAC:\n\tcase CKM_DES3_MAC:\n\tcase CKM_CDMF_MAC:\n\tcase CKM_CAST_MAC:\n\tcase CKM_CAST3_MAC:\n\tcase CKM_RC5_MAC:\n\tcase CKM_IDEA_MAC:\n\tcase CKM_SSL3_MD5_MAC:\n\tcase CKM_SSL3_SHA1_MAC:\n\tcase CKM_SKIPJACK_WRAP:\n\tcase CKM_BATON_WRAP:\n\tcase CKM_JUNIPER_WRAP:\n\tcase CKM_MD2:\n\tcase CKM_MD2_HMAC:\n\tcase CKM_MD5:\n\tcase CKM_MD5_HMAC:\n\tcase CKM_SHA_1:\n\tcase CKM_SHA_1_HMAC:\n\tcase CKM_SHA256:\n\tcase CKM_SHA256_HMAC:\n\tcase CKM_SHA384:\n\tcase CKM_SHA384_HMAC:\n\tcase CKM_SHA512:\n\tcase 
CKM_SHA512_HMAC:\n\tcase CKM_FASTHASH:\n\tcase CKM_RIPEMD128:\n\tcase CKM_RIPEMD128_HMAC:\n\tcase CKM_RIPEMD160:\n\tcase CKM_RIPEMD160_HMAC:\n\tcase CKM_KEY_WRAP_LYNKS:\n\t\treturn true;\n\tdefault:\n\t\treturn false;\n\t};\n}", "project": "p11-kit", "hash": 59707849252456741875822905526105327299, "size": 99, "commit_id": "69d751ca9df9ac101adfb1e5aa7e83e3358106ba", "message": "Fix bounds check in p11_rpc_buffer_get_byte_array\n\nThis bounds check should be using off, not *offset, because it has been\nadvanced four bytes from reading a uint32 earlier in the function.\nAdditionally, the pointer that is returned is computed using off, not\n*offset.", "target": 0, "dataset": "other", "idx": 349499 }, { "func": "lept_seek_proc(thandle_t cookie,\n toff_t offs,\n int whence)\n{\n FILE* fp = (FILE *)cookie;\n#if defined(_MSC_VER)\n __int64 pos = 0;\n if (!cookie || !fp)\n return (tsize_t)-1;\n switch (whence) {\n case SEEK_SET:\n pos = 0;\n break;\n case SEEK_CUR:\n pos = ftell(fp);\n break;\n case SEEK_END:\n _fseeki64(fp, 0, SEEK_END);\n pos = _ftelli64(fp);\n break;\n }\n pos = (__int64)(pos + offs);\n _fseeki64(fp, pos, SEEK_SET);\n if (pos == _ftelli64(fp))\n return (tsize_t)pos;\n#elif defined(_LARGEFILE64_SOURCE)\n off64_t pos = 0;\n if (!cookie || !fp)\n return (tsize_t)-1;\n switch (whence) {\n case SEEK_SET:\n pos = 0;\n break;\n case SEEK_CUR:\n pos = ftello(fp);\n break;\n case SEEK_END:\n fseeko(fp, 0, SEEK_END);\n pos = ftello(fp);\n break;\n }\n pos = (off64_t)(pos + offs);\n fseeko(fp, pos, SEEK_SET);\n if (pos == ftello(fp))\n return (tsize_t)pos;\n#else\n off_t pos = 0;\n if (!cookie || !fp)\n return (tsize_t)-1;\n switch (whence) {\n case SEEK_SET:\n pos = 0;\n break;\n case SEEK_CUR:\n pos = ftell(fp);\n break;\n case SEEK_END:\n fseek(fp, 0, SEEK_END);\n pos = ftell(fp);\n break;\n }\n pos = (off_t)(pos + offs);\n fseek(fp, pos, SEEK_SET);\n if (pos == ftell(fp))\n return (tsize_t)pos;\n#endif\n return (tsize_t)-1;\n}", "project": "leptonica", "hash": 
35282636740504733954148214870141128260, "size": 68, "commit_id": "5ba34b1fe741d69d43a6c8cf767756997eadd87c", "message": "Issue 23654 in oss-fuzz: Heap-buffer-overflow in pixReadFromTiffStream\n * Increase scanline buffer for reading gray+alpha and converting to RGBA", "target": 0, "dataset": "other", "idx": 350343 }, { "func": "getTiffCompressedFormat(l_uint16 tiffcomp)\n{\nl_int32 comptype;\n\n switch (tiffcomp)\n {\n case COMPRESSION_CCITTFAX4:\n comptype = IFF_TIFF_G4;\n break;\n case COMPRESSION_CCITTFAX3:\n comptype = IFF_TIFF_G3;\n break;\n case COMPRESSION_CCITTRLE:\n comptype = IFF_TIFF_RLE;\n break;\n case COMPRESSION_PACKBITS:\n comptype = IFF_TIFF_PACKBITS;\n break;\n case COMPRESSION_LZW:\n comptype = IFF_TIFF_LZW;\n break;\n case COMPRESSION_ADOBE_DEFLATE:\n comptype = IFF_TIFF_ZIP;\n break;\n case COMPRESSION_JPEG:\n comptype = IFF_TIFF_JPEG;\n break;\n default:\n comptype = IFF_TIFF;\n break;\n }\n return comptype;\n}", "project": "leptonica", "hash": 200408300784253387889202497059120107619, "size": 33, "commit_id": "5ba34b1fe741d69d43a6c8cf767756997eadd87c", "message": "Issue 23654 in oss-fuzz: Heap-buffer-overflow in pixReadFromTiffStream\n * Increase scanline buffer for reading gray+alpha and converting to RGBA", "target": 0, "dataset": "other", "idx": 350344 }, { "func": "tiffSeekCallback(thandle_t handle,\n toff_t offset,\n l_int32 whence)\n{\nL_MEMSTREAM *mstream;\n\n PROCNAME(\"tiffSeekCallback\");\n mstream = (L_MEMSTREAM *)handle;\n switch (whence) {\n case SEEK_SET:\n/* lept_stderr(\"seek_set: offset = %d\\n\", offset); */\n if((size_t)offset != offset) { /* size_t overflow on uint32 */\n return (toff_t)ERROR_INT(\"too large offset value\", procName, 1);\n }\n mstream->offset = offset;\n break;\n case SEEK_CUR:\n/* lept_stderr(\"seek_cur: offset = %d\\n\", offset); */\n mstream->offset += offset;\n break;\n case SEEK_END:\n/* lept_stderr(\"seek end: hw = %d, offset = %d\\n\",\n mstream->hw, offset); */\n mstream->offset = mstream->hw - 
offset; /* offset >= 0 */\n break;\n default:\n return (toff_t)ERROR_INT(\"bad whence value\", procName,\n mstream->offset);\n }\n\n return mstream->offset;\n}", "project": "leptonica", "hash": 2210498943431417765137745862202173354, "size": 32, "commit_id": "5ba34b1fe741d69d43a6c8cf767756997eadd87c", "message": "Issue 23654 in oss-fuzz: Heap-buffer-overflow in pixReadFromTiffStream\n * Increase scanline buffer for reading gray+alpha and converting to RGBA", "target": 0, "dataset": "other", "idx": 350380 }, { "func": "srs_strerror(int code)\n{\n\tswitch (code) {\n\t\t/* Simple errors */\n\t\tcase SRS_SUCCESS:\n\t\t\treturn \"Success\";\n\t\tcase SRS_ENOTSRSADDRESS:\n\t\t\treturn \"Not an SRS address.\";\n\n\t\t/* Config errors */\n\t\tcase SRS_ENOSECRETS:\n\t\t\treturn \"No secrets in SRS configuration.\";\n\t\tcase SRS_ESEPARATORINVALID:\n\t\t\treturn \"Invalid separator suggested.\";\n\n\t\t/* Input errors */\n\t\tcase SRS_ENOSENDERATSIGN:\n\t\t\treturn \"No at sign in sender address\";\n\t\tcase SRS_EBUFTOOSMALL:\n\t\t\treturn \"Buffer too small.\";\n\n\t\t/* Syntax errors */\n\t\tcase SRS_ENOSRS0HOST:\n\t\t\treturn \"No host in SRS0 address.\";\n\t\tcase SRS_ENOSRS0USER:\n\t\t\treturn \"No user in SRS0 address.\";\n\t\tcase SRS_ENOSRS0HASH:\n\t\t\treturn \"No hash in SRS0 address.\";\n\t\tcase SRS_ENOSRS0STAMP:\n\t\t\treturn \"No timestamp in SRS0 address.\";\n\t\tcase SRS_ENOSRS1HOST:\n\t\t\treturn \"No host in SRS1 address.\";\n\t\tcase SRS_ENOSRS1USER:\n\t\t\treturn \"No user in SRS1 address.\";\n\t\tcase SRS_ENOSRS1HASH:\n\t\t\treturn \"No hash in SRS1 address.\";\n\t\tcase SRS_EBADTIMESTAMPCHAR:\n\t\t\treturn \"Bad base32 character in timestamp.\";\n\t\tcase SRS_EHASHTOOSHORT:\n\t\t\treturn \"Hash too short in SRS address.\";\n\n\t\t/* SRS errors */\n\t\tcase SRS_ETIMESTAMPOUTOFDATE:\n\t\t\treturn \"Time stamp out of date.\";\n\t\tcase SRS_EHASHINVALID:\n\t\t\treturn \"Hash invalid in SRS address.\";\n\n\t\tdefault:\n\t\t\treturn \"Unknown error in SRS 
library.\";\n\t}\n}", "project": "postsrsd", "hash": 246156044938100194738724087461496717220, "size": 51, "commit_id": "4733fb11f6bec6524bb8518c5e1a699288c26bac", "message": "SECURITY: Fix potential denial of service attack against PostSRSd\n\nI discovered that PostSRSd could be tricked into consuming a lot of CPU\ntime with an SRS address that has an excessively long time stamp tag,\ne.g.\n\nSRS0=HHHH=TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT=0@example.com", "target": 0, "dataset": "other", "idx": 372386 }, { "func": "rsRetVal qqueueConstruct(qqueue_t **ppThis, queueType_t qType, int iWorkerThreads,\n\t\t int iMaxQueueSize, rsRetVal (*pConsumer)(void*, batch_t*,int*))\n{\n\tDEFiRet;\n\tqqueue_t *pThis;\n\n\tASSERT(ppThis != NULL);\n\tASSERT(pConsumer != NULL);\n\tASSERT(iWorkerThreads >= 0);\n\n\tCHKmalloc(pThis = (qqueue_t *)calloc(1, sizeof(qqueue_t)));\n\n\t/* we have an object, so let's fill the properties */\n\tobjConstructSetObjInfo(pThis);\n\tif((pThis->pszSpoolDir = (uchar*) strdup((char*)glbl.GetWorkDir())) == NULL)\n\t\tABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);\n\n\t/* set some water marks so that we have useful defaults if none are set specifically */\n\tpThis->iFullDlyMrk = iMaxQueueSize - (iMaxQueueSize / 100) * 3; /* default 97% */\n\tpThis->iLightDlyMrk = iMaxQueueSize - (iMaxQueueSize / 100) * 30; /* default 70% */\n\n\tpThis->lenSpoolDir = ustrlen(pThis->pszSpoolDir);\n\tpThis->iMaxFileSize = 1024 * 1024; /* default is 1 MiB */\n\tpThis->iQueueSize = 0;\n\tpThis->nLogDeq = 0;\n\tpThis->iMaxQueueSize = iMaxQueueSize;\n\tpThis->pConsumer = pConsumer;\n\tpThis->iNumWorkerThreads = iWorkerThreads;\n\tpThis->iDeqtWinToHr = 25; /* disable time-windowed dequeuing by default */\n\tpThis->iDeqBatchSize = 8; /* conservative default, should still provide good performance */\n\n\tpThis->pszFilePrefix = NULL;\n\tpThis->qType = qType;\n\n\t/* set type-specific handlers and other very type-specific things (we can not totally hide it...) 
*/\n\tswitch(qType) {\n\t\tcase QUEUETYPE_FIXED_ARRAY:\n\t\t\tpThis->qConstruct = qConstructFixedArray;\n\t\t\tpThis->qDestruct = qDestructFixedArray;\n\t\t\tpThis->qAdd = qAddFixedArray;\n\t\t\tpThis->qDeq = qDeqFixedArray;\n\t\t\tpThis->qDel = qDelFixedArray;\n\t\t\tpThis->MultiEnq = qqueueMultiEnqObjNonDirect;\n\t\t\tbreak;\n\t\tcase QUEUETYPE_LINKEDLIST:\n\t\t\tpThis->qConstruct = qConstructLinkedList;\n\t\t\tpThis->qDestruct = qDestructLinkedList;\n\t\t\tpThis->qAdd = qAddLinkedList;\n\t\t\tpThis->qDeq = (rsRetVal (*)(qqueue_t*,void**)) qDeqLinkedList;\n\t\t\tpThis->qDel = (rsRetVal (*)(qqueue_t*)) qDelLinkedList;\n\t\t\tpThis->MultiEnq = qqueueMultiEnqObjNonDirect;\n\t\t\tbreak;\n\t\tcase QUEUETYPE_DISK:\n\t\t\tpThis->qConstruct = qConstructDisk;\n\t\t\tpThis->qDestruct = qDestructDisk;\n\t\t\tpThis->qAdd = qAddDisk;\n\t\t\tpThis->qDeq = qDeqDisk;\n\t\t\tpThis->qDel = qDelDisk;\n\t\t\tpThis->MultiEnq = qqueueMultiEnqObjNonDirect;\n\t\t\t/* special handling */\n\t\t\tpThis->iNumWorkerThreads = 1; /* we need exactly one worker */\n\t\t\tbreak;\n\t\tcase QUEUETYPE_DIRECT:\n\t\t\tpThis->qConstruct = qConstructDirect;\n\t\t\tpThis->qDestruct = qDestructDirect;\n\t\t\tpThis->qAdd = qAddDirect;\n\t\t\tpThis->qDel = qDelDirect;\n\t\t\tpThis->MultiEnq = qqueueMultiEnqObjDirect;\n\t\t\tbreak;\n\t}\n\n\tINIT_ATOMIC_HELPER_MUT(pThis->mutQueueSize);\n\tINIT_ATOMIC_HELPER_MUT(pThis->mutLogDeq);\n\nfinalize_it:\n\tOBJCONSTRUCT_CHECK_SUCCESS_AND_CLEANUP\n\tRETiRet;\n}", "project": "rsyslog", "hash": 4568383636846122196499397663148308845, "size": 78, "commit_id": "dfa88369d4ca4290db56b843f9eabdae1bfe0fd5", "message": "bugfix: memory leak when $RepeatedMsgReduction on was used\n\nbug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=225", "target": 0, "dataset": "other", "idx": 373770 }, { "func": "static const char *prot_name(enum protocol protocol)\n{\n\tswitch (protocol) {\n\t\tcase PROTO_LOCAL:\n\t\tcase PROTO_FILE:\n\t\t\treturn \"file\";\n\t\tcase 
PROTO_SSH:\n\t\t\treturn \"ssh\";\n\t\tcase PROTO_GIT:\n\t\t\treturn \"git\";\n\t\tdefault:\n\t\t\treturn \"unknown protocol\";\n\t}\n}", "project": "git", "hash": 275181690077940434266218125063613301084, "size": 14, "commit_id": "f82a97eb9197c1e3768e72648f37ce0ca3233734", "message": "mingw: handle `subst`-ed \"DOS drives\"\n\nOver a decade ago, in 25fe217b86c (Windows: Treat Windows style path\nnames., 2008-03-05), Git was taught to handle absolute Windows paths,\ni.e. paths that start with a drive letter and a colon.\n\nUnbeknownst to us, while drive letters of physical drives are limited to\nletters of the English alphabet, there is a way to assign virtual drive\nletters to arbitrary directories, via the `subst` command, which is\n_not_ limited to English letters.\n\nIt is therefore possible to have absolute Windows paths of the form\n`1:\\what\\the\\hex.txt`. Even \"better\": pretty much arbitrary Unicode\nletters can also be used, e.g. `ä:\\tschibät.sch`.\n\nWhile it can be sensibly argued that users who set up such funny drive\nletters really seek adverse consequences, the Windows Operating System\nis known to be a platform where many users are at the mercy of\nadministrators who have their very own idea of what constitutes a\nreasonable setup.\n\nTherefore, let's just make sure that such funny paths are still\nconsidered absolute paths by Git, on Windows.\n\nIn addition to Unicode characters, pretty much any character is a valid\ndrive letter, as far as `subst` is concerned, even `:` and `\"` or even a\nspace character. While it is probably the opposite of smart to use them,\nlet's safeguard `is_dos_drive_prefix()` against all of them.\n\nNote: `[::1]:repo` is a valid URL, but not a valid path on Windows.\nAs `[` is now considered a valid drive letter, we need to be very\ncareful to avoid misinterpreting such a string as valid local path in\n`url_is_local_not_ssh()`. 
To do that, we use the just-introduced\nfunction `is_valid_path()` (which will label the string as invalid file\nname because of the colon characters).\n\nThis fixes CVE-2019-1351.\n\nReported-by: Nicolas Joly \nSigned-off-by: Johannes Schindelin ", "target": 0, "dataset": "other", "idx": 376255 }, { "func": "static char *displayP4(Op *pOp, char *zTemp, int nTemp){\n char *zP4 = zTemp;\n StrAccum x;\n assert( nTemp>=20 );\n sqlite3StrAccumInit(&x, 0, zTemp, nTemp, 0);\n switch( pOp->p4type ){\n case P4_KEYINFO: {\n int j;\n KeyInfo *pKeyInfo = pOp->p4.pKeyInfo;\n assert( pKeyInfo->aSortFlags!=0 );\n sqlite3_str_appendf(&x, \"k(%d\", pKeyInfo->nKeyField);\n for(j=0; jnKeyField; j++){\n CollSeq *pColl = pKeyInfo->aColl[j];\n const char *zColl = pColl ? pColl->zName : \"\";\n if( strcmp(zColl, \"BINARY\")==0 ) zColl = \"B\";\n sqlite3_str_appendf(&x, \",%s%s%s\", \n (pKeyInfo->aSortFlags[j] & KEYINFO_ORDER_DESC) ? \"-\" : \"\", \n (pKeyInfo->aSortFlags[j] & KEYINFO_ORDER_BIGNULL)? \"N.\" : \"\", \n zColl);\n }\n sqlite3_str_append(&x, \")\", 1);\n break;\n }\n#ifdef SQLITE_ENABLE_CURSOR_HINTS\n case P4_EXPR: {\n displayP4Expr(&x, pOp->p4.pExpr);\n break;\n }\n#endif\n case P4_COLLSEQ: {\n CollSeq *pColl = pOp->p4.pColl;\n sqlite3_str_appendf(&x, \"(%.20s)\", pColl->zName);\n break;\n }\n case P4_FUNCDEF: {\n FuncDef *pDef = pOp->p4.pFunc;\n sqlite3_str_appendf(&x, \"%s(%d)\", pDef->zName, pDef->nArg);\n break;\n }\n case P4_FUNCCTX: {\n FuncDef *pDef = pOp->p4.pCtx->pFunc;\n sqlite3_str_appendf(&x, \"%s(%d)\", pDef->zName, pDef->nArg);\n break;\n }\n case P4_INT64: {\n sqlite3_str_appendf(&x, \"%lld\", *pOp->p4.pI64);\n break;\n }\n case P4_INT32: {\n sqlite3_str_appendf(&x, \"%d\", pOp->p4.i);\n break;\n }\n case P4_REAL: {\n sqlite3_str_appendf(&x, \"%.16g\", *pOp->p4.pReal);\n break;\n }\n case P4_MEM: {\n Mem *pMem = pOp->p4.pMem;\n if( pMem->flags & MEM_Str ){\n zP4 = pMem->z;\n }else if( pMem->flags & (MEM_Int|MEM_IntReal) ){\n sqlite3_str_appendf(&x, \"%lld\", 
pMem->u.i);\n }else if( pMem->flags & MEM_Real ){\n sqlite3_str_appendf(&x, \"%.16g\", pMem->u.r);\n }else if( pMem->flags & MEM_Null ){\n zP4 = \"NULL\";\n }else{\n assert( pMem->flags & MEM_Blob );\n zP4 = \"(blob)\";\n }\n break;\n }\n#ifndef SQLITE_OMIT_VIRTUALTABLE\n case P4_VTAB: {\n sqlite3_vtab *pVtab = pOp->p4.pVtab->pVtab;\n sqlite3_str_appendf(&x, \"vtab:%p\", pVtab);\n break;\n }\n#endif\n case P4_INTARRAY: {\n int i;\n int *ai = pOp->p4.ai;\n int n = ai[0]; /* The first element of an INTARRAY is always the\n ** count of the number of elements to follow */\n for(i=1; i<=n; i++){\n sqlite3_str_appendf(&x, \",%d\", ai[i]);\n }\n zTemp[0] = '[';\n sqlite3_str_append(&x, \"]\", 1);\n break;\n }\n case P4_SUBPROGRAM: {\n sqlite3_str_appendf(&x, \"program\");\n break;\n }\n case P4_DYNBLOB:\n case P4_ADVANCE: {\n zTemp[0] = 0;\n break;\n }\n case P4_TABLE: {\n sqlite3_str_appendf(&x, \"%s\", pOp->p4.pTab->zName);\n break;\n }\n default: {\n zP4 = pOp->p4.z;\n if( zP4==0 ){\n zP4 = zTemp;\n zTemp[0] = 0;\n }\n }\n }\n sqlite3StrAccumFinish(&x);\n assert( zP4!=0 );\n return zP4;\n}", "project": "sqlite", "hash": 156504397330528554545351270502608420337, "size": 116, "commit_id": "8654186b0236d556aa85528c2573ee0b6ab71be3", "message": "When an error occurs while rewriting the parser tree for window functions\nin the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set,\nand make sure that this shuts down any subsequent code generation that might\ndepend on the transformations that were implemented. 
This fixes a problem\ndiscovered by the Yongheng and Rui fuzzer.\n\nFossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f", "target": 0, "dataset": "other", "idx": 378625 }, { "func": "shell_control_structure (type)\n enum command_type type;\n{\n switch (type)\n {\n#if defined (ARITH_FOR_COMMAND)\n case cm_arith_for:\n#endif\n#if defined (SELECT_COMMAND)\n case cm_select:\n#endif\n#if defined (DPAREN_ARITHMETIC)\n case cm_arith:\n#endif\n#if defined (COND_COMMAND)\n case cm_cond:\n#endif\n case cm_case:\n case cm_while:\n case cm_until:\n case cm_if:\n case cm_for:\n case cm_group:\n case cm_function_def:\n return (1);\n\n default:\n return (0);\n }\n}", "project": "bash", "hash": 183789761589000057913564770975533342488, "size": 30, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379378 }, { "func": "builtin_status (result)\n int result;\n{\n int r;\n\n switch (result)\n {\n case EX_USAGE:\n r = EX_BADUSAGE;\n break;\n case EX_REDIRFAIL:\n case EX_BADSYNTAX:\n case EX_BADASSIGN:\n case EX_EXPFAIL:\n r = EXECUTION_FAILURE;\n break;\n default:\n r = EXECUTION_SUCCESS;\n break;\n }\n return (r);\n}", "project": "bash", "hash": 186734517170259011485627737349835259688, "size": 22, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379388 }, { "func": "execute_connection (command, asynchronous, pipe_in, pipe_out, fds_to_close)\n COMMAND *command;\n int asynchronous, pipe_in, pipe_out;\n struct fd_bitmap *fds_to_close;\n{\n COMMAND *tc, *second;\n int ignore_return, exec_result, was_error_trap, invert;\n volatile int save_line_number;\n\n ignore_return = (command->flags & CMD_IGNORE_RETURN) != 0;\n\n switch (command->value.Connection->connector)\n {\n /* Do the first command asynchronously. 
*/\n case '&':\n tc = command->value.Connection->first;\n if (tc == 0)\n\treturn (EXECUTION_SUCCESS);\n\n if (ignore_return)\n\ttc->flags |= CMD_IGNORE_RETURN;\n tc->flags |= CMD_AMPERSAND;\n\n /* If this shell was compiled without job control support,\n\t if we are currently in a subshell via `( xxx )', or if job\n\t control is not active then the standard input for an\n\t asynchronous command is forced to /dev/null. */\n#if defined (JOB_CONTROL)\n if ((subshell_environment || !job_control) && !stdin_redir)\n#else\n if (!stdin_redir)\n#endif /* JOB_CONTROL */\n\ttc->flags |= CMD_STDIN_REDIR;\n\n exec_result = execute_command_internal (tc, 1, pipe_in, pipe_out, fds_to_close);\n QUIT;\n\n if (tc->flags & CMD_STDIN_REDIR)\n\ttc->flags &= ~CMD_STDIN_REDIR;\n\n second = command->value.Connection->second;\n if (second)\n\t{\n\t if (ignore_return)\n\t second->flags |= CMD_IGNORE_RETURN;\n\n\t exec_result = execute_command_internal (second, asynchronous, pipe_in, pipe_out, fds_to_close);\n\t}\n\n break;\n\n /* Just call execute command on both sides. 
*/\n case ';':\n if (ignore_return)\n\t{\n\t if (command->value.Connection->first)\n\t command->value.Connection->first->flags |= CMD_IGNORE_RETURN;\n\t if (command->value.Connection->second)\n\t command->value.Connection->second->flags |= CMD_IGNORE_RETURN;\n\t}\n executing_list++;\n QUIT;\n execute_command (command->value.Connection->first);\n QUIT;\n exec_result = execute_command_internal (command->value.Connection->second,\n\t\t\t\t asynchronous, pipe_in, pipe_out,\n\t\t\t\t fds_to_close);\n executing_list--;\n break;\n\n case '|':\n was_error_trap = signal_is_trapped (ERROR_TRAP) && signal_is_ignored (ERROR_TRAP) == 0;\n invert = (command->flags & CMD_INVERT_RETURN) != 0;\n ignore_return = (command->flags & CMD_IGNORE_RETURN) != 0;\n\n line_number_for_err_trap = line_number;\n exec_result = execute_pipeline (command, asynchronous, pipe_in, pipe_out, fds_to_close);\n\n if (was_error_trap && ignore_return == 0 && invert == 0 && exec_result != EXECUTION_SUCCESS)\n\t{\n\t last_command_exit_value = exec_result;\n\t save_line_number = line_number;\n\t line_number = line_number_for_err_trap;\n\t run_error_trap ();\n\t line_number = save_line_number;\n\t}\n\n if (ignore_return == 0 && invert == 0 && exit_immediately_on_error && exec_result != EXECUTION_SUCCESS)\n\t{\n\t last_command_exit_value = exec_result;\n\t run_pending_traps ();\n\t jump_to_top_level (ERREXIT);\n\t}\n\n break;\n\n case AND_AND:\n case OR_OR:\n if (asynchronous)\n\t{\n\t /* If we have something like `a && b &' or `a || b &', run the\n\t && or || stuff in a subshell. Force a subshell and just call\n\t execute_command_internal again. Leave asynchronous on\n\t so that we get a report from the parent shell about the\n\t background job. */\n\t command->flags |= CMD_FORCE_SUBSHELL;\n\t exec_result = execute_command_internal (command, 1, pipe_in, pipe_out, fds_to_close);\n\t break;\n\t}\n\n /* Execute the first command. 
If the result of that is successful\n\t and the connector is AND_AND, or the result is not successful\n\t and the connector is OR_OR, then execute the second command,\n\t otherwise return. */\n\n executing_list++;\n if (command->value.Connection->first)\n\tcommand->value.Connection->first->flags |= CMD_IGNORE_RETURN;\n\n exec_result = execute_command (command->value.Connection->first);\n QUIT;\n if (((command->value.Connection->connector == AND_AND) &&\n\t (exec_result == EXECUTION_SUCCESS)) ||\n\t ((command->value.Connection->connector == OR_OR) &&\n\t (exec_result != EXECUTION_SUCCESS)))\n\t{\n\t if (ignore_return && command->value.Connection->second)\n\t command->value.Connection->second->flags |= CMD_IGNORE_RETURN;\n\n\t exec_result = execute_command (command->value.Connection->second);\n\t}\n executing_list--;\n break;\n\n default:\n command_error (\"execute_connection\", CMDERR_BADCONN, command->value.Connection->connector, 0);\n jump_to_top_level (DISCARD);\n exec_result = EXECUTION_FAILURE;\n }\n\n return exec_result;\n}", "project": "bash", "hash": 117334965504995267575122809776396740618, "size": 142, "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5", "message": "commit bash-20120224 snapshot", "target": 0, "dataset": "other", "idx": 379518 }, { "func": "struct device_node *dlpar_configure_connector(__be32 drc_index,\n\t\t\t\t\t struct device_node *parent)\n{\n\tstruct device_node *dn;\n\tstruct device_node *first_dn = NULL;\n\tstruct device_node *last_dn = NULL;\n\tstruct property *property;\n\tstruct property *last_property = NULL;\n\tstruct cc_workarea *ccwa;\n\tchar *data_buf;\n\tint cc_token;\n\tint rc = -1;\n\n\tcc_token = rtas_token(\"ibm,configure-connector\");\n\tif (cc_token == RTAS_UNKNOWN_SERVICE)\n\t\treturn NULL;\n\n\tdata_buf = kzalloc(RTAS_DATA_BUF_SIZE, GFP_KERNEL);\n\tif (!data_buf)\n\t\treturn NULL;\n\n\tccwa = (struct cc_workarea *)&data_buf[0];\n\tccwa->drc_index = drc_index;\n\tccwa->zero = 0;\n\n\tdo {\n\t\t/* Since we release 
the rtas_data_buf lock between configure\n\t\t * connector calls we want to re-populate the rtas_data_buffer\n\t\t * with the contents of the previous call.\n\t\t */\n\t\tspin_lock(&rtas_data_buf_lock);\n\n\t\tmemcpy(rtas_data_buf, data_buf, RTAS_DATA_BUF_SIZE);\n\t\trc = rtas_call(cc_token, 2, 1, NULL, rtas_data_buf, NULL);\n\t\tmemcpy(data_buf, rtas_data_buf, RTAS_DATA_BUF_SIZE);\n\n\t\tspin_unlock(&rtas_data_buf_lock);\n\n\t\tswitch (rc) {\n\t\tcase COMPLETE:\n\t\t\tbreak;\n\n\t\tcase NEXT_SIBLING:\n\t\t\tdn = dlpar_parse_cc_node(ccwa);\n\t\t\tif (!dn)\n\t\t\t\tgoto cc_error;\n\n\t\t\tdn->parent = last_dn->parent;\n\t\t\tlast_dn->sibling = dn;\n\t\t\tlast_dn = dn;\n\t\t\tbreak;\n\n\t\tcase NEXT_CHILD:\n\t\t\tdn = dlpar_parse_cc_node(ccwa);\n\t\t\tif (!dn)\n\t\t\t\tgoto cc_error;\n\n\t\t\tif (!first_dn) {\n\t\t\t\tdn->parent = parent;\n\t\t\t\tfirst_dn = dn;\n\t\t\t} else {\n\t\t\t\tdn->parent = last_dn;\n\t\t\t\tif (last_dn)\n\t\t\t\t\tlast_dn->child = dn;\n\t\t\t}\n\n\t\t\tlast_dn = dn;\n\t\t\tbreak;\n\n\t\tcase NEXT_PROPERTY:\n\t\t\tproperty = dlpar_parse_cc_property(ccwa);\n\t\t\tif (!property)\n\t\t\t\tgoto cc_error;\n\n\t\t\tif (!last_dn->properties)\n\t\t\t\tlast_dn->properties = property;\n\t\t\telse\n\t\t\t\tlast_property->next = property;\n\n\t\t\tlast_property = property;\n\t\t\tbreak;\n\n\t\tcase PREV_PARENT:\n\t\t\tlast_dn = last_dn->parent;\n\t\t\tbreak;\n\n\t\tcase CALL_AGAIN:\n\t\t\tbreak;\n\n\t\tcase MORE_MEMORY:\n\t\tcase ERR_CFG_USE:\n\t\tdefault:\n\t\t\tprintk(KERN_ERR \"Unexpected Error (%d) \"\n\t\t\t \"returned from configure-connector\\n\", rc);\n\t\t\tgoto cc_error;\n\t\t}\n\t} while (rc);\n\ncc_error:\n\tkfree(data_buf);\n\n\tif (rc) {\n\t\tif (first_dn)\n\t\t\tdlpar_free_cc_nodes(first_dn);\n\n\t\treturn NULL;\n\t}\n\n\treturn first_dn;\n}", "project": "linux", "hash": 294711919323697127375111054501624372202, "size": 110, "commit_id": "efa9ace68e487ddd29c2b4d6dd23242158f1f607", "message": "powerpc/pseries/dlpar: Fix a missing check in 
dlpar_parse_cc_property()\n\nIn dlpar_parse_cc_property(), 'prop->name' is allocated by kstrdup().\nkstrdup() may return NULL, so it should be checked and handle error.\nAnd prop should be freed if 'prop->name' is NULL.\n\nSigned-off-by: Gen Zhang \nSigned-off-by: Michael Ellerman ", "target": 0, "dataset": "other", "idx": 380140 }, { "func": "MagickExport Image *SparseColorImage(const Image *image,\n const SparseColorMethod method,const size_t number_arguments,\n const double *arguments,ExceptionInfo *exception)\n{\n#define SparseColorTag \"Distort/SparseColor\"\n\n SparseColorMethod\n sparse_method;\n\n double\n *coeff;\n\n Image\n *sparse_image;\n\n size_t\n number_colors;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n\n /* Determine number of color values needed per control point */\n number_colors=0;\n if ((GetPixelRedTraits(image) & UpdatePixelTrait) != 0)\n number_colors++;\n if ((GetPixelGreenTraits(image) & UpdatePixelTrait) != 0)\n number_colors++;\n if ((GetPixelBlueTraits(image) & UpdatePixelTrait) != 0)\n number_colors++;\n if (((GetPixelBlackTraits(image) & UpdatePixelTrait) != 0) &&\n (image->colorspace == CMYKColorspace))\n number_colors++;\n if (((GetPixelAlphaTraits(image) & UpdatePixelTrait) != 0) &&\n (image->alpha_trait != UndefinedPixelTrait))\n number_colors++;\n\n /*\n Convert input arguments into mapping coefficients, this this case\n we are mapping (distorting) colors, rather than coordinates.\n */\n { DistortMethod\n distort_method;\n\n distort_method=(DistortMethod) method;\n if ( distort_method >= SentinelDistortion )\n distort_method = ShepardsDistortion; /* Pretend to be Shepards */\n coeff = GenerateCoefficients(image, &distort_method, number_arguments,\n arguments, number_colors, 
exception);\n if ( coeff == (double *) NULL )\n return((Image *) NULL);\n /*\n Note some Distort Methods may fall back to other simpler methods,\n Currently the only fallback of concern is Bilinear to Affine\n (Barycentric), which is alaso sparse_colr method. This also ensures\n correct two and one color Barycentric handling.\n */\n sparse_method = (SparseColorMethod) distort_method;\n if ( distort_method == ShepardsDistortion )\n sparse_method = method; /* return non-distort methods to normal */\n if ( sparse_method == InverseColorInterpolate )\n coeff[0]=0.5; /* sqrt() the squared distance for inverse */\n }\n\n /* Verbose output */\n if (IsStringTrue(GetImageArtifact(image,\"verbose\")) != MagickFalse) {\n\n switch (sparse_method) {\n case BarycentricColorInterpolate:\n {\n ssize_t x=0;\n (void) FormatLocaleFile(stderr, \"Barycentric Sparse Color:\\n\");\n if ((GetPixelRedTraits(image) & UpdatePixelTrait) != 0)\n (void) FormatLocaleFile(stderr, \" -channel R -fx '%+lf*i %+lf*j %+lf' \\\\\\n\",\n coeff[x], coeff[x+1], coeff[x+2]),x+=3;\n if ((GetPixelGreenTraits(image) & UpdatePixelTrait) != 0)\n (void) FormatLocaleFile(stderr, \" -channel G -fx '%+lf*i %+lf*j %+lf' \\\\\\n\",\n coeff[x], coeff[x+1], coeff[x+2]),x+=3;\n if ((GetPixelBlueTraits(image) & UpdatePixelTrait) != 0)\n (void) FormatLocaleFile(stderr, \" -channel B -fx '%+lf*i %+lf*j %+lf' \\\\\\n\",\n coeff[x], coeff[x+1], coeff[x+2]),x+=3;\n if (((GetPixelBlackTraits(image) & UpdatePixelTrait) != 0) &&\n (image->colorspace == CMYKColorspace))\n (void) FormatLocaleFile(stderr, \" -channel K -fx '%+lf*i %+lf*j %+lf' \\\\\\n\",\n coeff[x], coeff[x+1], coeff[x+2]),x+=3;\n if (((GetPixelAlphaTraits(image) & UpdatePixelTrait) != 0) &&\n (image->alpha_trait != UndefinedPixelTrait))\n (void) FormatLocaleFile(stderr, \" -channel A -fx '%+lf*i %+lf*j %+lf' \\\\\\n\",\n coeff[x], coeff[x+1], coeff[x+2]),x+=3;\n break;\n }\n case BilinearColorInterpolate:\n {\n ssize_t x=0;\n (void) FormatLocaleFile(stderr, 
\"Bilinear Sparse Color\\n\");\n if ((GetPixelRedTraits(image) & UpdatePixelTrait) != 0)\n (void) FormatLocaleFile(stderr, \" -channel R -fx '%+lf*i %+lf*j %+lf*i*j %+lf;\\n\",\n coeff[ x ], coeff[x+1],\n coeff[x+2], coeff[x+3]),x+=4;\n if ((GetPixelGreenTraits(image) & UpdatePixelTrait) != 0)\n (void) FormatLocaleFile(stderr, \" -channel G -fx '%+lf*i %+lf*j %+lf*i*j %+lf;\\n\",\n coeff[ x ], coeff[x+1],\n coeff[x+2], coeff[x+3]),x+=4;\n if ((GetPixelBlueTraits(image) & UpdatePixelTrait) != 0)\n (void) FormatLocaleFile(stderr, \" -channel B -fx '%+lf*i %+lf*j %+lf*i*j %+lf;\\n\",\n coeff[ x ], coeff[x+1],\n coeff[x+2], coeff[x+3]),x+=4;\n if (((GetPixelBlackTraits(image) & UpdatePixelTrait) != 0) &&\n (image->colorspace == CMYKColorspace))\n (void) FormatLocaleFile(stderr, \" -channel K -fx '%+lf*i %+lf*j %+lf*i*j %+lf;\\n\",\n coeff[ x ], coeff[x+1],\n coeff[x+2], coeff[x+3]),x+=4;\n if (((GetPixelAlphaTraits(image) & UpdatePixelTrait) != 0) &&\n (image->alpha_trait != UndefinedPixelTrait))\n (void) FormatLocaleFile(stderr, \" -channel A -fx '%+lf*i %+lf*j %+lf*i*j %+lf;\\n\",\n coeff[ x ], coeff[x+1],\n coeff[x+2], coeff[x+3]),x+=4;\n break;\n }\n default:\n /* sparse color method is too complex for FX emulation */\n break;\n }\n }\n\n /* Generate new image for generated interpolated gradient.\n * ASIDE: Actually we could have just replaced the colors of the original\n * image, but IM Core policy, is if storage class could change then clone\n * the image.\n */\n\n sparse_image=CloneImage(image,0,0,MagickTrue,exception);\n if (sparse_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(sparse_image,DirectClass,exception) == MagickFalse)\n { /* if image is ColorMapped - change it to DirectClass */\n sparse_image=DestroyImage(sparse_image);\n return((Image *) NULL);\n }\n { /* ----- MAIN CODE ----- */\n CacheView\n *sparse_view;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n progress;\n\n ssize_t\n j;\n\n status=MagickTrue;\n 
progress=0;\n sparse_view=AcquireAuthenticCacheView(sparse_image,exception);\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static) shared(progress,status) \\\n magick_number_threads(image,sparse_image,sparse_image->rows,1)\n#endif\n for (j=0; j < (ssize_t) sparse_image->rows; j++)\n {\n MagickBooleanType\n sync;\n\n PixelInfo\n pixel; /* pixel to assign to distorted image */\n\n ssize_t\n i;\n\n Quantum\n *magick_restrict q;\n\n q=GetCacheViewAuthenticPixels(sparse_view,0,j,sparse_image->columns,\n 1,exception);\n if (q == (Quantum *) NULL)\n {\n status=MagickFalse;\n continue;\n }\n GetPixelInfo(sparse_image,&pixel);\n for (i=0; i < (ssize_t) image->columns; i++)\n {\n GetPixelInfoPixel(image,q,&pixel);\n switch (sparse_method)\n {\n case BarycentricColorInterpolate:\n {\n ssize_t x=0;\n if ((GetPixelRedTraits(image) & UpdatePixelTrait) != 0)\n pixel.red = coeff[x]*i +coeff[x+1]*j\n +coeff[x+2], x+=3;\n if ((GetPixelGreenTraits(image) & UpdatePixelTrait) != 0)\n pixel.green = coeff[x]*i +coeff[x+1]*j\n +coeff[x+2], x+=3;\n if ((GetPixelBlueTraits(image) & UpdatePixelTrait) != 0)\n pixel.blue = coeff[x]*i +coeff[x+1]*j\n +coeff[x+2], x+=3;\n if (((GetPixelBlackTraits(image) & UpdatePixelTrait) != 0) &&\n (image->colorspace == CMYKColorspace))\n pixel.black = coeff[x]*i +coeff[x+1]*j\n +coeff[x+2], x+=3;\n if (((GetPixelAlphaTraits(image) & UpdatePixelTrait) != 0) &&\n (image->alpha_trait != UndefinedPixelTrait))\n pixel.alpha = coeff[x]*i +coeff[x+1]*j\n +coeff[x+2], x+=3;\n break;\n }\n case BilinearColorInterpolate:\n {\n ssize_t x=0;\n if ((GetPixelRedTraits(image) & UpdatePixelTrait) != 0)\n pixel.red = coeff[x]*i + coeff[x+1]*j +\n coeff[x+2]*i*j + coeff[x+3], x+=4;\n if ((GetPixelGreenTraits(image) & UpdatePixelTrait) != 0)\n pixel.green = coeff[x]*i + coeff[x+1]*j +\n coeff[x+2]*i*j + coeff[x+3], x+=4;\n if ((GetPixelBlueTraits(image) & UpdatePixelTrait) != 0)\n pixel.blue = coeff[x]*i + coeff[x+1]*j +\n coeff[x+2]*i*j + 
coeff[x+3], x+=4;\n if (((GetPixelBlackTraits(image) & UpdatePixelTrait) != 0) &&\n (image->colorspace == CMYKColorspace))\n pixel.black = coeff[x]*i + coeff[x+1]*j +\n coeff[x+2]*i*j + coeff[x+3], x+=4;\n if (((GetPixelAlphaTraits(image) & UpdatePixelTrait) != 0) &&\n (image->alpha_trait != UndefinedPixelTrait))\n pixel.alpha = coeff[x]*i + coeff[x+1]*j +\n coeff[x+2]*i*j + coeff[x+3], x+=4;\n break;\n }\n case InverseColorInterpolate:\n case ShepardsColorInterpolate:\n { /* Inverse (Squared) Distance weights average (IDW) */\n size_t\n k;\n double\n denominator;\n\n if ((GetPixelRedTraits(image) & UpdatePixelTrait) != 0)\n pixel.red=0.0;\n if ((GetPixelGreenTraits(image) & UpdatePixelTrait) != 0)\n pixel.green=0.0;\n if ((GetPixelBlueTraits(image) & UpdatePixelTrait) != 0)\n pixel.blue=0.0;\n if (((GetPixelBlackTraits(image) & UpdatePixelTrait) != 0) &&\n (image->colorspace == CMYKColorspace))\n pixel.black=0.0;\n if (((GetPixelAlphaTraits(image) & UpdatePixelTrait) != 0) &&\n (image->alpha_trait != UndefinedPixelTrait))\n pixel.alpha=0.0;\n denominator = 0.0;\n for(k=0; kcolorspace == CMYKColorspace))\n pixel.black += arguments[x++]*weight;\n if (((GetPixelAlphaTraits(image) & UpdatePixelTrait) != 0) &&\n (image->alpha_trait != UndefinedPixelTrait))\n pixel.alpha += arguments[x++]*weight;\n denominator += weight;\n }\n if ((GetPixelRedTraits(image) & UpdatePixelTrait) != 0)\n pixel.red/=denominator;\n if ((GetPixelGreenTraits(image) & UpdatePixelTrait) != 0)\n pixel.green/=denominator;\n if ((GetPixelBlueTraits(image) & UpdatePixelTrait) != 0)\n pixel.blue/=denominator;\n if (((GetPixelBlackTraits(image) & UpdatePixelTrait) != 0) &&\n (image->colorspace == CMYKColorspace))\n pixel.black/=denominator;\n if (((GetPixelAlphaTraits(image) & UpdatePixelTrait) != 0) &&\n (image->alpha_trait != UndefinedPixelTrait))\n pixel.alpha/=denominator;\n break;\n }\n case ManhattanColorInterpolate:\n {\n size_t\n k;\n\n double\n minimum = MagickMaximumValue;\n\n /*\n Just use 
the closest control point you can find!\n */\n for(k=0; kcolorspace == CMYKColorspace))\n pixel.black=arguments[x++];\n if (((GetPixelAlphaTraits(image) & UpdatePixelTrait) != 0) &&\n (image->alpha_trait != UndefinedPixelTrait))\n pixel.alpha=arguments[x++];\n minimum = distance;\n }\n }\n break;\n }\n case VoronoiColorInterpolate:\n default:\n {\n size_t\n k;\n\n double\n minimum = MagickMaximumValue;\n\n /*\n Just use the closest control point you can find!\n */\n for (k=0; kcolorspace == CMYKColorspace))\n pixel.black=arguments[x++];\n if (((GetPixelAlphaTraits(image) & UpdatePixelTrait) != 0) &&\n (image->alpha_trait != UndefinedPixelTrait))\n pixel.alpha=arguments[x++];\n minimum = distance;\n }\n }\n break;\n }\n }\n /* set the color directly back into the source image */\n if ((GetPixelRedTraits(image) & UpdatePixelTrait) != 0)\n pixel.red=(MagickRealType) ClampPixel(QuantumRange*pixel.red);\n if ((GetPixelGreenTraits(image) & UpdatePixelTrait) != 0)\n pixel.green=(MagickRealType) ClampPixel(QuantumRange*pixel.green);\n if ((GetPixelBlueTraits(image) & UpdatePixelTrait) != 0)\n pixel.blue=(MagickRealType) ClampPixel(QuantumRange*pixel.blue);\n if (((GetPixelBlackTraits(image) & UpdatePixelTrait) != 0) &&\n (image->colorspace == CMYKColorspace))\n pixel.black=(MagickRealType) ClampPixel(QuantumRange*pixel.black);\n if (((GetPixelAlphaTraits(image) & UpdatePixelTrait) != 0) &&\n (image->alpha_trait != UndefinedPixelTrait))\n pixel.alpha=(MagickRealType) ClampPixel(QuantumRange*pixel.alpha);\n SetPixelViaPixelInfo(sparse_image,&pixel,q);\n q+=GetPixelChannels(sparse_image);\n }\n sync=SyncCacheViewAuthenticPixels(sparse_view,exception);\n if (sync == MagickFalse)\n status=MagickFalse;\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp atomic\n#endif\n progress++;\n proceed=SetImageProgress(image,SparseColorTag,progress,image->rows);\n if (proceed == 
MagickFalse)\n status=MagickFalse;\n }\n }\n sparse_view=DestroyCacheView(sparse_view);\n if (status == MagickFalse)\n sparse_image=DestroyImage(sparse_image);\n }\n coeff = (double *) RelinquishMagickMemory(coeff);\n return(sparse_image);\n}", "project": "ImageMagick", "hash": 284155849153647272159161252106011653159, "size": 399, "commit_id": "f8e8535bc821f24a30beee0030ff21ee3a2deedc", "message": "https://github.com/ImageMagick/ImageMagick/issues/3331", "target": 0, "dataset": "other", "idx": 383180 }, { "func": "static const char *poly_basis_str(ssize_t n)\n{\n /* return the result for this polynomial term */\n switch(n) {\n case 0: return(\"\"); /* constant */\n case 1: return(\"*ii\");\n case 2: return(\"*jj\"); /* affine order = 1 terms = 3 */\n case 3: return(\"*ii*jj\"); /* bilinear order = 1.5 terms = 4 */\n case 4: return(\"*ii*ii\");\n case 5: return(\"*jj*jj\"); /* quadratic order = 2 terms = 6 */\n case 6: return(\"*ii*ii*ii\");\n case 7: return(\"*ii*ii*jj\");\n case 8: return(\"*ii*jj*jj\");\n case 9: return(\"*jj*jj*jj\"); /* cubic order = 3 terms = 10 */\n case 10: return(\"*ii*ii*ii*ii\");\n case 11: return(\"*ii*ii*ii*jj\");\n case 12: return(\"*ii*ii*jj*jj\");\n case 13: return(\"*ii*jj*jj*jj\");\n case 14: return(\"*jj*jj*jj*jj\"); /* quartic order = 4 terms = 15 */\n case 15: return(\"*ii*ii*ii*ii*ii\");\n case 16: return(\"*ii*ii*ii*ii*jj\");\n case 17: return(\"*ii*ii*ii*jj*jj\");\n case 18: return(\"*ii*ii*jj*jj*jj\");\n case 19: return(\"*ii*jj*jj*jj*jj\");\n case 20: return(\"*jj*jj*jj*jj*jj\"); /* quintic order = 5 terms = 21 */\n }\n return( \"UNKNOWN\" ); /* should never happen */\n}", "project": "ImageMagick", "hash": 177403967842915300246880344810230899436, "size": 28, "commit_id": "f8e8535bc821f24a30beee0030ff21ee3a2deedc", "message": "https://github.com/ImageMagick/ImageMagick/issues/3331", "target": 0, "dataset": "other", "idx": 383187 }, { "func": "spnego_gss_display_status(\n\t\tOM_uint32 *minor_status,\n\t\tOM_uint32 
status_value,\n\t\tint status_type,\n\t\tgss_OID mech_type,\n\t\tOM_uint32 *message_context,\n\t\tgss_buffer_t status_string)\n{\n\tOM_uint32 maj = GSS_S_COMPLETE;\n\tint ret;\n\n\tdsyslog(\"Entering display_status\\n\");\n\n\t*message_context = 0;\n\tswitch (status_value) {\n\t case ERR_SPNEGO_NO_MECHS_AVAILABLE:\n\t\t/* CSTYLED */\n\t\t*status_string = make_err_msg(_(\"SPNEGO cannot find \"\n\t\t\t\t\t\t\"mechanisms to negotiate\"));\n\t\tbreak;\n\t case ERR_SPNEGO_NO_CREDS_ACQUIRED:\n\t\t/* CSTYLED */\n\t\t*status_string = make_err_msg(_(\"SPNEGO failed to acquire \"\n\t\t\t\t\t\t\"creds\"));\n\t\tbreak;\n\t case ERR_SPNEGO_NO_MECH_FROM_ACCEPTOR:\n\t\t/* CSTYLED */\n\t\t*status_string = make_err_msg(_(\"SPNEGO acceptor did not \"\n\t\t\t\t\t\t\"select a mechanism\"));\n\t\tbreak;\n\t case ERR_SPNEGO_NEGOTIATION_FAILED:\n\t\t/* CSTYLED */\n\t\t*status_string = make_err_msg(_(\"SPNEGO failed to negotiate a \"\n\t\t\t\t\t\t\"mechanism\"));\n\t\tbreak;\n\t case ERR_SPNEGO_NO_TOKEN_FROM_ACCEPTOR:\n\t\t/* CSTYLED */\n\t\t*status_string = make_err_msg(_(\"SPNEGO acceptor did not \"\n\t\t\t\t\t\t\"return a valid token\"));\n\t\tbreak;\n\t default:\n\t\t/* Not one of our minor codes; might be from a mech. Call back\n\t\t * to gss_display_status, but first check for recursion. */\n\t\tif (k5_getspecific(K5_KEY_GSS_SPNEGO_STATUS) != NULL) {\n\t\t\t/* Perhaps we returned a com_err code like ENOMEM. */\n\t\t\tconst char *err = error_message(status_value);\n\t\t\t*status_string = make_err_msg(err);\n\t\t\tbreak;\n\t\t}\n\t\t/* Set a non-null pointer value; doesn't matter which one. */\n\t\tret = k5_setspecific(K5_KEY_GSS_SPNEGO_STATUS, &ret);\n\t\tif (ret != 0) {\n\t\t\t*minor_status = ret;\n\t\t\tmaj = GSS_S_FAILURE;\n\t\t\tbreak;\n\t\t}\n\t\tmaj = gss_display_status(minor_status, status_value,\n\t\t\t\t\t status_type, mech_type,\n\t\t\t\t\t message_context, status_string);\n\t\t/* This is unlikely to fail; not much we can do if it does. 
*/\n\t\t(void)k5_setspecific(K5_KEY_GSS_SPNEGO_STATUS, NULL);\n\t\tbreak;\n\t}\n\n\tdsyslog(\"Leaving display_status\\n\");\n\treturn maj;\n}", "project": "krb5", "hash": 152728559874541881030653866582705884537, "size": 67, "commit_id": "524688ce87a15fc75f87efc8c039ba4c7d5c197b", "message": "Fix null deref in SPNEGO acceptor [CVE-2014-4344]\n\nWhen processing a continuation token, acc_ctx_cont was dereferencing\nthe initial byte of the token without checking the length. This could\nresult in a null dereference.\n\nCVE-2014-4344:\n\nIn MIT krb5 1.5 and newer, an unauthenticated or partially\nauthenticated remote attacker can cause a NULL dereference and\napplication crash during a SPNEGO negotiation by sending an empty\ntoken as the second or later context token from initiator to acceptor.\nThe attacker must provide at least one valid context token in the\nsecurity context negotiation before sending the empty token. This can\nbe done by an unauthenticated attacker by forcing SPNEGO to\nrenegotiate the underlying mechanism, or by using IAKERB to wrap an\nunauthenticated AS-REQ as the first token.\n\n CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C\n\n[kaduk@mit.edu: CVE summary, CVSSv2 vector]\n\nticket: 7970 (new)\nsubject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]\ntarget_version: 1.12.2\ntags: pullup", "target": 0, "dataset": "other", "idx": 383734 }, { "func": "exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)\n{\n\tunsigned int i, j, k;\n\tExifShort v_short, v_short2, v_short3, v_short4;\n\tExifByte v_byte;\n\tExifRational v_rat;\n\tExifSRational v_srat;\n\tchar b[64];\n\tconst char *c;\n\tExifByteOrder o;\n\tdouble d;\n\tExifEntry *entry;\n\tstatic const struct {\n\t\tchar label[5];\n\t\tchar major, minor;\n\t} versions[] = {\n\t\t{\"0110\", 1, 1},\n\t\t{\"0120\", 1, 2},\n\t\t{\"0200\", 2, 0},\n\t\t{\"0210\", 2, 1},\n\t\t{\"0220\", 2, 2},\n\t\t{\"0221\", 2, 21},\n\t\t{\"0230\", 2, 3},\n\t\t{\"\" , 
0, 0}\n\t};\n\n\t(void) bindtextdomain (GETTEXT_PACKAGE, LOCALEDIR);\n\n\tif (!e || !e->parent || !e->parent->parent || !maxlen || !val)\n\t\treturn val;\n\n\t/* make sure the returned string is zero terminated */\n\t/* FIXME: this is inefficient in the case of long buffers and should\n\t * instead be taken care of on each write instead. */\n\tmemset (val, 0, maxlen);\n\n\t/* We need the byte order */\n\to = exif_data_get_byte_order (e->parent->parent);\n\n\t/* Sanity check */\n\tif (e->size != e->components * exif_format_get_size (e->format)) {\n\t\tsnprintf (val, maxlen, _(\"Invalid size of entry (%i, \"\n\t\t\t\"expected %li x %i).\"), e->size, e->components,\n\t\t\t\texif_format_get_size (e->format));\n\t\treturn val;\n\t}\n\n\tswitch (e->tag) {\n\tcase EXIF_TAG_USER_COMMENT:\n\n\t\t/*\n\t\t * The specification says UNDEFINED, but some\n\t\t * manufacturers don't care and use ASCII. If this is the\n\t\t * case here, only refuse to read it if there is no chance\n\t\t * of finding readable data.\n\t\t */\n\t\tif ((e->format != EXIF_FORMAT_ASCII) || \n\t\t (e->size <= 8) ||\n\t\t ( memcmp (e->data, \"ASCII\\0\\0\\0\" , 8) &&\n\t\t memcmp (e->data, \"UNICODE\\0\" , 8) &&\n\t\t memcmp (e->data, \"JIS\\0\\0\\0\\0\\0\", 8) &&\n\t\t memcmp (e->data, \"\\0\\0\\0\\0\\0\\0\\0\\0\", 8)))\n\t\t\tCF (e, EXIF_FORMAT_UNDEFINED, val, maxlen);\n\n\t\t/*\n\t\t * Note that, according to the specification (V2.1, p 40),\n\t\t * the user comment field does not have to be \n\t\t * NULL terminated.\n\t\t */\n\t\tif ((e->size >= 8) && !memcmp (e->data, \"ASCII\\0\\0\\0\", 8)) {\n\t\t\tstrncpy (val, (char *) e->data + 8, MIN (e->size - 8, maxlen-1));\n\t\t\tbreak;\n\t\t}\n\t\tif ((e->size >= 8) && !memcmp (e->data, \"UNICODE\\0\", 8)) {\n\t\t\tstrncpy (val, _(\"Unsupported UNICODE string\"), maxlen-1);\n\t\t/* FIXME: use iconv to convert into the locale encoding.\n\t\t * EXIF 2.2 implies (but does not say) that this encoding is\n\t\t * UCS-2.\n\t\t */\n\t\t\tbreak;\n\t\t}\n\t\tif 
((e->size >= 8) && !memcmp (e->data, \"JIS\\0\\0\\0\\0\\0\", 8)) {\n\t\t\tstrncpy (val, _(\"Unsupported JIS string\"), maxlen-1);\n\t\t/* FIXME: use iconv to convert into the locale encoding */\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Check if there is really some information in the tag. */\n\t\tfor (i = 0; (i < e->size) &&\n\t\t\t (!e->data[i] || (e->data[i] == ' ')); i++);\n\t\tif (i == e->size) break;\n\n\t\t/*\n\t\t * If we reach this point, the tag does not\n \t\t * comply with the standard but seems to contain data.\n\t\t * Print as much as possible.\n\t\t * Note: make sure we do not overwrite the final \\0 at maxlen-1\n\t\t */\n\t\texif_entry_log (e, EXIF_LOG_CODE_DEBUG,\n\t\t\t_(\"Tag UserComment contains data but is \"\n\t\t\t \"against specification.\"));\n \t\tfor (j = 0; (i < e->size) && (j < maxlen-1); i++, j++) {\n\t\t\texif_entry_log (e, EXIF_LOG_CODE_DEBUG,\n\t\t\t\t_(\"Byte at position %i: 0x%02x\"), i, e->data[i]);\n \t\t\tval[j] = isprint (e->data[i]) ? e->data[i] : '.';\n\t\t}\n\t\tbreak;\n\n\tcase EXIF_TAG_EXIF_VERSION:\n\t\tCF (e, EXIF_FORMAT_UNDEFINED, val, maxlen);\n\t\tCC (e, 4, val, maxlen);\n\t\tstrncpy (val, _(\"Unknown Exif Version\"), maxlen-1);\n\t\tfor (i = 0; *versions[i].label; i++) {\n\t\t\tif (!memcmp (e->data, versions[i].label, 4)) {\n \t\t\t\tsnprintf (val, maxlen,\n\t\t\t\t\t_(\"Exif Version %d.%d\"),\n\t\t\t\t\tversions[i].major,\n\t\t\t\t\tversions[i].minor);\n \t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\tcase EXIF_TAG_FLASH_PIX_VERSION:\n\t\tCF (e, EXIF_FORMAT_UNDEFINED, val, maxlen);\n\t\tCC (e, 4, val, maxlen);\n\t\tif (!memcmp (e->data, \"0100\", 4))\n\t\t\tstrncpy (val, _(\"FlashPix Version 1.0\"), maxlen-1);\n\t\telse if (!memcmp (e->data, \"0101\", 4))\n\t\t\tstrncpy (val, _(\"FlashPix Version 1.01\"), maxlen-1);\n\t\telse\n\t\t\tstrncpy (val, _(\"Unknown FlashPix Version\"), maxlen-1);\n\t\tbreak;\n\tcase EXIF_TAG_COPYRIGHT:\n\t\tCF (e, EXIF_FORMAT_ASCII, val, maxlen);\n\n\t\t/*\n\t\t * First part: Photographer.\n\t\t * Some 
cameras store a string like \" \" here. Ignore it.\n\t\t * Remember that a corrupted tag might not be NUL-terminated\n\t\t */\n\t\tif (e->size && e->data && match_repeated_char(e->data, ' ', e->size))\n\t\t\tstrncpy (val, (char *) e->data, MIN (maxlen-1, e->size));\n\t\telse\n\t\t\tstrncpy (val, _(\"[None]\"), maxlen-1);\n\t\tstrncat (val, \" \", maxlen-1 - strlen (val));\n\t\tstrncat (val, _(\"(Photographer)\"), maxlen-1 - strlen (val));\n\n\t\t/* Second part: Editor. */\n\t\tstrncat (val, \" - \", maxlen-1 - strlen (val));\n\t\tk = 0;\n\t\tif (e->size && e->data) {\n\t\t\tconst unsigned char *tagdata = memchr(e->data, 0, e->size);\n\t\t\tif (tagdata++) {\n\t\t\t\tunsigned int editor_ofs = tagdata - e->data;\n\t\t\t\tunsigned int remaining = e->size - editor_ofs;\n\t\t\t\tif (match_repeated_char(tagdata, ' ', remaining)) {\n\t\t\t\t\tstrncat (val, (const char*)tagdata, MIN (maxlen-1 - strlen (val), remaining));\n\t\t\t\t\t++k;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (!k)\n\t\t\tstrncat (val, _(\"[None]\"), maxlen-1 - strlen (val));\n\t\tstrncat (val, \" \", maxlen-1 - strlen (val));\n\t\tstrncat (val, _(\"(Editor)\"), maxlen-1 - strlen (val));\n\n\t\tbreak;\n\tcase EXIF_TAG_FNUMBER:\n\t\tCF (e, EXIF_FORMAT_RATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_rat = exif_get_rational (e->data, o);\n\t\tif (!v_rat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_rat.numerator / (double) v_rat.denominator;\n\t\tsnprintf (val, maxlen, \"f/%.01f\", d);\n\t\tbreak;\n\tcase EXIF_TAG_APERTURE_VALUE:\n\tcase EXIF_TAG_MAX_APERTURE_VALUE:\n\t\tCF (e, EXIF_FORMAT_RATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_rat = exif_get_rational (e->data, o);\n\t\tif (!v_rat.denominator || (0x80000000 == v_rat.numerator)) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_rat.numerator / (double) v_rat.denominator;\n\t\tsnprintf (val, maxlen, _(\"%.02f EV\"), d);\n\t\tsnprintf (b, 
sizeof (b), _(\" (f/%.01f)\"), pow (2, d / 2.));\n\t\tstrncat (val, b, maxlen-1 - strlen (val));\n\t\tbreak;\n\tcase EXIF_TAG_FOCAL_LENGTH:\n\t\tCF (e, EXIF_FORMAT_RATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_rat = exif_get_rational (e->data, o);\n\t\tif (!v_rat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\n\t\t/*\n\t\t * For calculation of the 35mm equivalent,\n\t\t * Minolta cameras need a multiplier that depends on the\n\t\t * camera model.\n\t\t */\n\t\td = 0.;\n\t\tentry = exif_content_get_entry (\n\t\t\te->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);\n\t\tif (entry && entry->data && entry->size >= 7 &&\n\t\t !strncmp ((char *)entry->data, \"Minolta\", 7)) {\n\t\t\tentry = exif_content_get_entry (\n\t\t\t\t\te->parent->parent->ifd[EXIF_IFD_0],\n\t\t\t\t\tEXIF_TAG_MODEL);\n\t\t\tif (entry && entry->data && entry->size >= 8) {\n\t\t\t\tif (!strncmp ((char *)entry->data, \"DiMAGE 7\", 8))\n\t\t\t\t\td = 3.9;\n\t\t\t\telse if (!strncmp ((char *)entry->data, \"DiMAGE 5\", 8))\n\t\t\t\t\td = 4.9;\n\t\t\t}\n\t\t}\n\t\tif (d)\n\t\t\tsnprintf (b, sizeof (b), _(\" (35 equivalent: %.0f mm)\"),\n\t\t\t\t (d * (double) v_rat.numerator /\n\t\t\t\t (double) v_rat.denominator));\n\t\telse\n\t\t\tb[0] = 0;\n\n\t\td = (double) v_rat.numerator / (double) v_rat.denominator;\n\t\tsnprintf (val, maxlen, \"%.1f mm\", d);\n\t\tstrncat (val, b, maxlen-1 - strlen (val));\n\t\tbreak;\n\tcase EXIF_TAG_SUBJECT_DISTANCE:\n\t\tCF (e, EXIF_FORMAT_RATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_rat = exif_get_rational (e->data, o);\n\t\tif (!v_rat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_rat.numerator / (double) v_rat.denominator;\n\t\tsnprintf (val, maxlen, \"%.1f m\", d);\n\t\tbreak;\n\tcase EXIF_TAG_EXPOSURE_TIME:\n\t\tCF (e, EXIF_FORMAT_RATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_rat = exif_get_rational (e->data, o);\n\t\tif 
(!v_rat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_rat.numerator / (double) v_rat.denominator;\n\t\tif (d < 1 && d)\n\t\t\tsnprintf (val, maxlen, _(\"1/%.0f\"), 1. / d);\n\t\telse\n\t\t\tsnprintf (val, maxlen, \"%.0f\", d);\n\t\tstrncat (val, _(\" sec.\"), maxlen-1 - strlen (val));\n\t\tbreak;\n\tcase EXIF_TAG_SHUTTER_SPEED_VALUE:\n\t\tCF (e, EXIF_FORMAT_SRATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_srat = exif_get_srational (e->data, o);\n\t\tif (!v_srat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_srat.numerator / (double) v_srat.denominator;\n\t\tsnprintf (val, maxlen, _(\"%.02f EV\"), d);\n\t\tif (pow (2, d))\n\t\t\td = 1. / pow (2, d);\n\t\tif (d < 1 && d)\n\t\t snprintf (b, sizeof (b), _(\" (1/%.0f sec.)\"), 1. / d);\n\t\telse\n\t\t snprintf (b, sizeof (b), _(\" (%.0f sec.)\"), d);\n\t\tstrncat (val, b, maxlen-1 - strlen (val));\n\t\tbreak;\n\tcase EXIF_TAG_BRIGHTNESS_VALUE:\n\t\tCF (e, EXIF_FORMAT_SRATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_srat = exif_get_srational (e->data, o);\n\t\tif (!v_srat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_srat.numerator / (double) v_srat.denominator;\n\t\tsnprintf (val, maxlen, _(\"%.02f EV\"), d);\n\t\tsnprintf (b, sizeof (b), _(\" (%.02f cd/m^2)\"),\n\t\t\t1. 
/ (M_PI * 0.3048 * 0.3048) * pow (2, d));\n\t\tstrncat (val, b, maxlen-1 - strlen (val));\n\t\tbreak;\n\tcase EXIF_TAG_FILE_SOURCE:\n\t\tCF (e, EXIF_FORMAT_UNDEFINED, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_byte = e->data[0];\n\t\tif (v_byte == 3)\n\t\t\tstrncpy (val, _(\"DSC\"), maxlen-1);\n\t\telse\n\t\t\tsnprintf (val, maxlen, _(\"Internal error (unknown \"\n\t\t\t\t \"value %i)\"), v_byte);\n\t\tbreak;\n\tcase EXIF_TAG_COMPONENTS_CONFIGURATION:\n\t\tCF (e, EXIF_FORMAT_UNDEFINED, val, maxlen);\n\t\tCC (e, 4, val, maxlen);\n\t\tfor (i = 0; i < 4; i++) {\n\t\t\tswitch (e->data[i]) {\n\t\t\tcase 0: c = _(\"-\"); break;\n\t\t\tcase 1: c = _(\"Y\"); break;\n\t\t\tcase 2: c = _(\"Cb\"); break;\n\t\t\tcase 3: c = _(\"Cr\"); break;\n\t\t\tcase 4: c = _(\"R\"); break;\n\t\t\tcase 5: c = _(\"G\"); break;\n\t\t\tcase 6: c = _(\"B\"); break;\n\t\t\tdefault: c = _(\"Reserved\"); break;\n\t\t\t}\n\t\t\tstrncat (val, c, maxlen-1 - strlen (val));\n\t\t\tif (i < 3)\n\t\t\t\tstrncat (val, \" \", maxlen-1 - strlen (val));\n\t\t}\n\t\tbreak;\n\tcase EXIF_TAG_EXPOSURE_BIAS_VALUE:\n\t\tCF (e, EXIF_FORMAT_SRATIONAL, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_srat = exif_get_srational (e->data, o);\n\t\tif (!v_srat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_srat.numerator / (double) v_srat.denominator;\n\t\tsnprintf (val, maxlen, _(\"%.02f EV\"), d);\n\t\tbreak;\n\tcase EXIF_TAG_SCENE_TYPE:\n\t\tCF (e, EXIF_FORMAT_UNDEFINED, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_byte = e->data[0];\n\t\tif (v_byte == 1)\n\t\t\tstrncpy (val, _(\"Directly photographed\"), maxlen-1);\n\t\telse\n\t\t\tsnprintf (val, maxlen, _(\"Internal error (unknown \"\n\t\t\t\t \"value %i)\"), v_byte);\n\t\tbreak;\n\tcase EXIF_TAG_YCBCR_SUB_SAMPLING:\n\t\tCF (e, EXIF_FORMAT_SHORT, val, maxlen);\n\t\tCC (e, 2, val, maxlen);\n\t\tv_short = exif_get_short (e->data, o);\n\t\tv_short2 = exif_get_short (\n\t\t\te->data + 
exif_format_get_size (e->format),\n\t\t\to);\n\t\tif ((v_short == 2) && (v_short2 == 1))\n\t\t\tstrncpy (val, _(\"YCbCr4:2:2\"), maxlen-1);\n\t\telse if ((v_short == 2) && (v_short2 == 2))\n\t\t\tstrncpy (val, _(\"YCbCr4:2:0\"), maxlen-1);\n\t\telse\n\t\t\tsnprintf (val, maxlen, \"%u, %u\", v_short, v_short2);\n\t\tbreak;\n\tcase EXIF_TAG_SUBJECT_AREA:\n\t\tCF (e, EXIF_FORMAT_SHORT, val, maxlen);\n\t\tswitch (e->components) {\n\t\tcase 2:\n\t\t\tv_short = exif_get_short (e->data, o);\n\t\t\tv_short2 = exif_get_short (e->data + 2, o);\n\t\t\tsnprintf (val, maxlen, \"(x,y) = (%i,%i)\",\n\t\t\t\t v_short, v_short2);\n\t\t\tbreak;\n\t\tcase 3:\n\t\t\tv_short = exif_get_short (e->data, o);\n\t\t\tv_short2 = exif_get_short (e->data + 2, o);\n\t\t\tv_short3 = exif_get_short (e->data + 4, o);\n\t\t\tsnprintf (val, maxlen, _(\"Within distance %i of \"\n\t\t\t\t\"(x,y) = (%i,%i)\"), v_short3, v_short,\n\t\t\t\tv_short2);\n\t\t\tbreak;\n\t\tcase 4:\n\t\t\tv_short = exif_get_short (e->data, o);\n\t\t\tv_short2 = exif_get_short (e->data + 2, o);\n\t\t\tv_short3 = exif_get_short (e->data + 4, o);\n\t\t\tv_short4 = exif_get_short (e->data + 6, o);\n\t\t\tsnprintf (val, maxlen, _(\"Within rectangle \"\n\t\t\t\t\"(width %i, height %i) around \"\n\t\t\t\t\"(x,y) = (%i,%i)\"), v_short3, v_short4,\n\t\t\t\tv_short, v_short2);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tsnprintf (val, maxlen, _(\"Unexpected number \"\n\t\t\t\t\"of components (%li, expected 2, 3, or 4).\"),\n\t\t\t\te->components);\t\n\t\t}\n\t\tbreak;\n\tcase EXIF_TAG_GPS_VERSION_ID:\n\t\t/* This is only valid in the GPS IFD */\n\t\tCF (e, EXIF_FORMAT_BYTE, val, maxlen);\n\t\tCC (e, 4, val, maxlen);\n\t\tv_byte = e->data[0];\n\t\tsnprintf (val, maxlen, \"%u\", v_byte);\n\t\tfor (i = 1; i < e->components; i++) {\n\t\t\tv_byte = e->data[i];\n\t\t\tsnprintf (b, sizeof (b), \".%u\", v_byte);\n\t\t\tstrncat (val, b, maxlen-1 - strlen (val));\n\t\t}\n\t\tbreak;\n\tcase EXIF_TAG_INTEROPERABILITY_VERSION:\n\t/* a.k.a. 
case EXIF_TAG_GPS_LATITUDE: */\n\t\t/* This tag occurs in EXIF_IFD_INTEROPERABILITY */\n\t\tif (e->format == EXIF_FORMAT_UNDEFINED) {\n\t\t\tstrncpy (val, (char *) e->data, MIN (maxlen-1, e->size));\n\t\t\tbreak;\n\t\t}\n\t\t/* EXIF_TAG_GPS_LATITUDE is the same numerically as\n\t\t * EXIF_TAG_INTEROPERABILITY_VERSION but in EXIF_IFD_GPS\n\t\t */\n\t\texif_entry_format_value(e, val, maxlen);\n\t\tbreak;\n\tcase EXIF_TAG_GPS_ALTITUDE_REF:\n\t\t/* This is only valid in the GPS IFD */\n\t\tCF (e, EXIF_FORMAT_BYTE, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_byte = e->data[0];\n\t\tif (v_byte == 0)\n\t\t\tstrncpy (val, _(\"Sea level\"), maxlen-1);\n\t\telse if (v_byte == 1)\n\t\t\tstrncpy (val, _(\"Sea level reference\"), maxlen-1);\n\t\telse\n\t\t\tsnprintf (val, maxlen, _(\"Internal error (unknown \"\n\t\t\t\t \"value %i)\"), v_byte);\n\t\tbreak;\n\tcase EXIF_TAG_GPS_TIME_STAMP:\n\t\t/* This is only valid in the GPS IFD */\n\t\tCF (e, EXIF_FORMAT_RATIONAL, val, maxlen);\n\t\tCC (e, 3, val, maxlen);\n\n\t\tv_rat = exif_get_rational (e->data, o);\n\t\tif (!v_rat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\ti = v_rat.numerator / v_rat.denominator;\n\n\t\tv_rat = exif_get_rational (e->data +\n\t\t\t\t\t exif_format_get_size (e->format),\n\t\t\t\t\t o);\n\t\tif (!v_rat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\tj = v_rat.numerator / v_rat.denominator;\n\n\t\tv_rat = exif_get_rational (e->data +\n\t\t\t\t\t 2*exif_format_get_size (e->format),\n\t\t\t\t\t o);\n\t\tif (!v_rat.denominator) {\n\t\t\texif_entry_format_value(e, val, maxlen);\n\t\t\tbreak;\n\t\t}\n\t\td = (double) v_rat.numerator / (double) v_rat.denominator;\n\t\tsnprintf (val, maxlen, \"%02u:%02u:%05.2f\", i, j, d);\n\t\tbreak;\n\n\tcase EXIF_TAG_METERING_MODE:\n\tcase EXIF_TAG_COMPRESSION:\n\tcase EXIF_TAG_LIGHT_SOURCE:\n\tcase EXIF_TAG_FOCAL_PLANE_RESOLUTION_UNIT:\n\tcase EXIF_TAG_RESOLUTION_UNIT:\n\tcase 
EXIF_TAG_EXPOSURE_PROGRAM:\n\tcase EXIF_TAG_FLASH:\n\tcase EXIF_TAG_SUBJECT_DISTANCE_RANGE:\n\tcase EXIF_TAG_COLOR_SPACE:\n\t\tCF (e,EXIF_FORMAT_SHORT, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_short = exif_get_short (e->data, o);\n\n\t\t/* Search the tag */\n\t\tfor (i = 0; list2[i].tag && (list2[i].tag != e->tag); i++);\n\t\tif (!list2[i].tag) {\n\t\t\tsnprintf (val, maxlen, _(\"Internal error (unknown \"\n\t\t\t\t \"value %i)\"), v_short);\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Find the value */\n\t\tfor (j = 0; list2[i].elem[j].values[0] &&\n\t\t\t (list2[i].elem[j].index < v_short); j++);\n\t\tif (list2[i].elem[j].index != v_short) {\n\t\t\tsnprintf (val, maxlen, _(\"Internal error (unknown \"\n\t\t\t\t \"value %i)\"), v_short);\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Find a short enough value */\n\t\tmemset (val, 0, maxlen);\n\t\tfor (k = 0; list2[i].elem[j].values[k]; k++) {\n\t\t\tsize_t l = strlen (_(list2[i].elem[j].values[k]));\n\t\t\tif ((maxlen > l) && (strlen (val) < l))\n\t\t\t\tstrncpy (val, _(list2[i].elem[j].values[k]), maxlen-1);\n\t\t}\n\t\tif (!val[0]) snprintf (val, maxlen, \"%i\", v_short);\n\n\t\tbreak;\n\n\tcase EXIF_TAG_PLANAR_CONFIGURATION:\n\tcase EXIF_TAG_SENSING_METHOD:\n\tcase EXIF_TAG_ORIENTATION:\n\tcase EXIF_TAG_YCBCR_POSITIONING:\n\tcase EXIF_TAG_PHOTOMETRIC_INTERPRETATION:\n\tcase EXIF_TAG_CUSTOM_RENDERED:\n\tcase EXIF_TAG_EXPOSURE_MODE:\n\tcase EXIF_TAG_WHITE_BALANCE:\n\tcase EXIF_TAG_SCENE_CAPTURE_TYPE:\n\tcase EXIF_TAG_GAIN_CONTROL:\n\tcase EXIF_TAG_SATURATION:\n\tcase EXIF_TAG_CONTRAST:\n\tcase EXIF_TAG_SHARPNESS:\n\t\tCF (e, EXIF_FORMAT_SHORT, val, maxlen);\n\t\tCC (e, 1, val, maxlen);\n\t\tv_short = exif_get_short (e->data, o);\n\n\t\t/* Search the tag */\n\t\tfor (i = 0; list[i].tag && (list[i].tag != e->tag); i++);\n\t\tif (!list[i].tag) {\n\t\t\tsnprintf (val, maxlen, _(\"Internal error (unknown \"\n\t\t\t\t \"value %i)\"), v_short);\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Find the value */\n\t\tfor (j = 0; list[i].strings[j] && (j < 
v_short); j++);\n\t\tif (!list[i].strings[j])\n\t\t\tsnprintf (val, maxlen, \"%i\", v_short);\n\t\telse if (!*list[i].strings[j])\n\t\t\tsnprintf (val, maxlen, _(\"Unknown value %i\"), v_short);\n\t\telse\n\t\t\tstrncpy (val, _(list[i].strings[j]), maxlen-1);\n\t\tbreak;\n\n\tcase EXIF_TAG_XP_TITLE:\n\tcase EXIF_TAG_XP_COMMENT:\n\tcase EXIF_TAG_XP_AUTHOR:\n\tcase EXIF_TAG_XP_KEYWORDS:\n\tcase EXIF_TAG_XP_SUBJECT:\n\t{\n\t\tunsigned char *utf16;\n\n\t\t/* Sanity check the size to prevent overflow. Note EXIF files are 64kb at most. */\n\t\tif (e->size >= 65536 - sizeof(uint16_t)*2) break;\n\n\t\t/* The tag may not be U+0000-terminated , so make a local\n\t\t U+0000-terminated copy before converting it */\n\t\tutf16 = exif_mem_alloc (e->priv->mem, e->size+sizeof(uint16_t)+1);\n\t\tif (!utf16) break;\n\t\tmemcpy(utf16, e->data, e->size);\n\n\t\t/* NUL terminate the string. If the size is odd (which isn't possible\n\t\t * for a valid UTF16 string), then this will overwrite the high byte of\n\t\t * the final half word, plus add a full zero NUL word at the end.\n\t\t */\n\t\tutf16[e->size] = 0;\n\t\tutf16[e->size+1] = 0;\n\t\tutf16[e->size+2] = 0;\n\n\t\t/* Warning! 
The texts are converted from UTF16 to UTF8 */\n\t\t/* FIXME: use iconv to convert into the locale encoding */\n\t\texif_convert_utf16_to_utf8(val, utf16, maxlen);\n\t\texif_mem_free(e->priv->mem, utf16);\n\t\tbreak;\n\t}\n\n\tdefault:\n\t\t/* Use a generic value formatting */\n\t\texif_entry_format_value(e, val, maxlen);\n\t}\n\n\treturn val;\n}", "project": "libexif", "hash": 96196385413825038531426685586673546332, "size": 571, "commit_id": "9266d14b5ca4e29b970fa03272318e5f99386e06", "message": "fixed a incorrect overflow check that could be optimized away.\n\ninspired by:\nhttps://android.googlesource.com/platform/external/libexif/+/8e7345f3bc0bad06ac369d6cbc1124c8ceaf7d4b\n\nhttps://source.android.com/security/bulletin/2020-11-01\n\nCVE-2020-0452", "target": 0, "dataset": "other", "idx": 384338 }, { "func": "*iwl_dump_ini_mon_dram_fill_header(struct iwl_fw_runtime *fwrt,\n\t\t\t\t struct iwl_fw_ini_region_cfg *reg,\n\t\t\t\t void *data)\n{\n\tstruct iwl_fw_ini_monitor_dump *mon_dump = (void *)data;\n\tu32 write_ptr_addr, write_ptr_msk, cycle_cnt_addr, cycle_cnt_msk;\n\n\tswitch (fwrt->trans->trans_cfg->device_family) {\n\tcase IWL_DEVICE_FAMILY_9000:\n\tcase IWL_DEVICE_FAMILY_22000:\n\t\twrite_ptr_addr = MON_BUFF_WRPTR_VER2;\n\t\twrite_ptr_msk = -1;\n\t\tcycle_cnt_addr = MON_BUFF_CYCLE_CNT_VER2;\n\t\tcycle_cnt_msk = -1;\n\t\tbreak;\n\tdefault:\n\t\tIWL_ERR(fwrt, \"Unsupported device family %d\\n\",\n\t\t\tfwrt->trans->trans_cfg->device_family);\n\t\treturn NULL;\n\t}\n\n\treturn iwl_dump_ini_mon_fill_header(fwrt, reg, mon_dump, write_ptr_addr,\n\t\t\t\t\t write_ptr_msk, cycle_cnt_addr,\n\t\t\t\t\t cycle_cnt_msk);\n}", "project": "linux", "hash": 235718456202065170164923679301298655877, "size": 25, "commit_id": "b4b814fec1a5a849383f7b3886b654a13abbda7d", "message": "iwlwifi: dbg_ini: fix memory leak in alloc_sgtable\n\nIn alloc_sgtable if alloc_page fails, the alocated table should be\nreleased.\n\nSigned-off-by: Navid Emamdoost \nSigned-off-by: Luca Coelho ", 
"target": 0, "dataset": "other", "idx": 384458 }, { "func": " AsioFrontend(const RGWProcessEnv& env, RGWFrontendConfig* conf,\n\t dmc::SchedulerCtx& sched_ctx)\n : env(env), conf(conf), pause_mutex(context.get_executor())\n {\n auto sched_t = dmc::get_scheduler_t(ctx());\n switch(sched_t){\n case dmc::scheduler_t::dmclock:\n scheduler.reset(new dmc::AsyncScheduler(ctx(),\n context,\n std::ref(sched_ctx.get_dmc_client_counters()),\n sched_ctx.get_dmc_client_config(),\n *sched_ctx.get_dmc_client_config(),\n dmc::AtLimit::Reject));\n break;\n case dmc::scheduler_t::none:\n lderr(ctx()) << \"Got invalid scheduler type for beast, defaulting to throttler\" << dendl;\n [[fallthrough]];\n case dmc::scheduler_t::throttler:\n scheduler.reset(new dmc::SimpleThrottler(ctx()));\n\n }\n }", "project": "ceph", "hash": 186306232591223933483747054247022359109, "size": 22, "commit_id": "ff72c50a2c43c57aead933eb4903ad1ca6d1748a", "message": "rgw: improve beast\n\nAvoid leaking connections that had partially-consumed\nclient data on unexpected disconnect.\n\nResolves CVE-2020-1700 (moderate impact flaw).\n\nFixes: https://tracker.ceph.com/issues/42531\n\nSigned-off-by: Or Friedmann \nSigned-off-by: Matt Benjamin ", "target": 0, "dataset": "other", "idx": 384564 }, { "func": "dissect_tcpopt_exp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_item *item;\n proto_tree *exp_tree;\n guint16 magic;\n int offset = 0, optlen = tvb_reported_length(tvb);\n\n item = proto_tree_add_item(tree, proto_tcp_option_exp, tvb, offset, -1, ENC_NA);\n exp_tree = proto_item_add_subtree(item, ett_tcp_option_exp);\n\n proto_tree_add_item(exp_tree, hf_tcp_option_kind, tvb, offset, 1, ENC_BIG_ENDIAN);\n proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);\n if (tcp_exp_options_with_magic && ((optlen - 2) > 0)) {\n magic = tvb_get_ntohs(tvb, offset + 2);\n proto_tree_add_item(exp_tree, hf_tcp_option_exp_magic_number, tvb,\n offset + 2, 2, 
ENC_BIG_ENDIAN);\n switch (magic) {\n case 0xf989: /* RFC7413, TCP Fast Open */\n dissect_tcpopt_tfo_payload(tvb, offset+2, optlen-2, pinfo, exp_tree, data);\n break;\n default:\n /* Unknown magic number */\n break;\n }\n } else {\n proto_tree_add_item(exp_tree, hf_tcp_option_exp_data, tvb,\n offset + 2, optlen - 2, ENC_NA);\n tcp_info_append_uint(pinfo, \"Expxx\", TRUE);\n }\n return tvb_captured_length(tvb);\n}", "project": "wireshark", "hash": 182212560169616323688068730423550415354, "size": 31, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385239 }, { "func": "xmlXPathCmpNodesExt(xmlNodePtr node1, xmlNodePtr node2) {\n int depth1, depth2;\n int misc = 0, precedence1 = 0, precedence2 = 0;\n xmlNodePtr miscNode1 = NULL, miscNode2 = NULL;\n xmlNodePtr cur, root;\n long l1, l2;\n\n if ((node1 == NULL) || (node2 == NULL))\n\treturn(-2);\n\n if (node1 == node2)\n\treturn(0);\n\n /*\n * a couple of optimizations which will avoid computations in most cases\n */\n switch (node1->type) {\n\tcase XML_ELEMENT_NODE:\n\t if (node2->type == XML_ELEMENT_NODE) {\n\t\tif ((0 > (long) node1->content) && /* TODO: Would a != 0 suffice here? 
*/\n\t\t (0 > (long) node2->content) &&\n\t\t (node1->doc == node2->doc))\n\t\t{\n\t\t l1 = -((long) node1->content);\n\t\t l2 = -((long) node2->content);\n\t\t if (l1 < l2)\n\t\t\treturn(1);\n\t\t if (l1 > l2)\n\t\t\treturn(-1);\n\t\t} else\n\t\t goto turtle_comparison;\n\t }\n\t break;\n\tcase XML_ATTRIBUTE_NODE:\n\t precedence1 = 1; /* element is owner */\n\t miscNode1 = node1;\n\t node1 = node1->parent;\n\t misc = 1;\n\t break;\n\tcase XML_TEXT_NODE:\n\tcase XML_CDATA_SECTION_NODE:\n\tcase XML_COMMENT_NODE:\n\tcase XML_PI_NODE: {\n\t miscNode1 = node1;\n\t /*\n\t * Find nearest element node.\n\t */\n\t if (node1->prev != NULL) {\n\t\tdo {\n\t\t node1 = node1->prev;\n\t\t if (node1->type == XML_ELEMENT_NODE) {\n\t\t\tprecedence1 = 3; /* element in prev-sibl axis */\n\t\t\tbreak;\n\t\t }\n\t\t if (node1->prev == NULL) {\n\t\t\tprecedence1 = 2; /* element is parent */\n\t\t\t/*\n\t\t\t* URGENT TODO: Are there any cases, where the\n\t\t\t* parent of such a node is not an element node?\n\t\t\t*/\n\t\t\tnode1 = node1->parent;\n\t\t\tbreak;\n\t\t }\n\t\t} while (1);\n\t } else {\n\t\tprecedence1 = 2; /* element is parent */\n\t\tnode1 = node1->parent;\n\t }\n\t if ((node1 == NULL) || (node1->type != XML_ELEMENT_NODE) ||\n\t\t(0 <= (long) node1->content)) {\n\t\t/*\n\t\t* Fallback for whatever case.\n\t\t*/\n\t\tnode1 = miscNode1;\n\t\tprecedence1 = 0;\n\t } else\n\t\tmisc = 1;\n\t}\n\t break;\n\tcase XML_NAMESPACE_DECL:\n\t /*\n\t * TODO: why do we return 1 for namespace nodes?\n\t */\n\t return(1);\n\tdefault:\n\t break;\n }\n switch (node2->type) {\n\tcase XML_ELEMENT_NODE:\n\t break;\n\tcase XML_ATTRIBUTE_NODE:\n\t precedence2 = 1; /* element is owner */\n\t miscNode2 = node2;\n\t node2 = node2->parent;\n\t misc = 1;\n\t break;\n\tcase XML_TEXT_NODE:\n\tcase XML_CDATA_SECTION_NODE:\n\tcase XML_COMMENT_NODE:\n\tcase XML_PI_NODE: {\n\t miscNode2 = node2;\n\t if (node2->prev != NULL) {\n\t\tdo {\n\t\t node2 = node2->prev;\n\t\t if (node2->type == XML_ELEMENT_NODE) 
{\n\t\t\tprecedence2 = 3; /* element in prev-sibl axis */\n\t\t\tbreak;\n\t\t }\n\t\t if (node2->prev == NULL) {\n\t\t\tprecedence2 = 2; /* element is parent */\n\t\t\tnode2 = node2->parent;\n\t\t\tbreak;\n\t\t }\n\t\t} while (1);\n\t } else {\n\t\tprecedence2 = 2; /* element is parent */\n\t\tnode2 = node2->parent;\n\t }\n\t if ((node2 == NULL) || (node2->type != XML_ELEMENT_NODE) ||\n\t\t(0 <= (long) node2->content))\n\t {\n\t\tnode2 = miscNode2;\n\t\tprecedence2 = 0;\n\t } else\n\t\tmisc = 1;\n\t}\n\t break;\n\tcase XML_NAMESPACE_DECL:\n\t return(1);\n\tdefault:\n\t break;\n }\n if (misc) {\n\tif (node1 == node2) {\n\t if (precedence1 == precedence2) {\n\t\t/*\n\t\t* The ugly case; but normally there aren't many\n\t\t* adjacent non-element nodes around.\n\t\t*/\n\t\tcur = miscNode2->prev;\n\t\twhile (cur != NULL) {\n\t\t if (cur == miscNode1)\n\t\t\treturn(1);\n\t\t if (cur->type == XML_ELEMENT_NODE)\n\t\t\treturn(-1);\n\t\t cur = cur->prev;\n\t\t}\n\t\treturn (-1);\n\t } else {\n\t\t/*\n\t\t* Evaluate based on higher precedence wrt to the element.\n\t\t* TODO: This assumes attributes are sorted before content.\n\t\t* Is this 100% correct?\n\t\t*/\n\t\tif (precedence1 < precedence2)\n\t\t return(1);\n\t\telse\n\t\t return(-1);\n\t }\n\t}\n\t/*\n\t* Special case: One of the helper-elements is contained by the other.\n\t* \n\t* \n\t* Text-1(precedence1 == 2)\n\t* \n\t* Text-6(precedence2 == 3)\n\t* \n\t*/\n\tif ((precedence2 == 3) && (precedence1 > 1)) {\n\t cur = node1->parent;\n\t while (cur) {\n\t\tif (cur == node2)\n\t\t return(1);\n\t\tcur = cur->parent;\n\t }\n\t}\n\tif ((precedence1 == 3) && (precedence2 > 1)) {\n\t cur = node2->parent;\n\t while (cur) {\n\t\tif (cur == node1)\n\t\t return(-1);\n\t\tcur = cur->parent;\n\t }\n\t}\n }\n\n /*\n * Speedup using document order if availble.\n */\n if ((node1->type == XML_ELEMENT_NODE) &&\n\t(node2->type == XML_ELEMENT_NODE) &&\n\t(0 > (long) node1->content) &&\n\t(0 > (long) node2->content) &&\n\t(node1->doc == 
node2->doc)) {\n\n\tl1 = -((long) node1->content);\n\tl2 = -((long) node2->content);\n\tif (l1 < l2)\n\t return(1);\n\tif (l1 > l2)\n\t return(-1);\n }\n\nturtle_comparison:\n\n if (node1 == node2->prev)\n\treturn(1);\n if (node1 == node2->next)\n\treturn(-1);\n /*\n * compute depth to root\n */\n for (depth2 = 0, cur = node2; cur->parent != NULL; cur = cur->parent) {\n\tif (cur->parent == node1)\n\t return(1);\n\tdepth2++;\n }\n root = cur;\n for (depth1 = 0, cur = node1; cur->parent != NULL; cur = cur->parent) {\n\tif (cur->parent == node2)\n\t return(-1);\n\tdepth1++;\n }\n /*\n * Distinct document (or distinct entities :-( ) case.\n */\n if (root != cur) {\n\treturn(-2);\n }\n /*\n * get the nearest common ancestor.\n */\n while (depth1 > depth2) {\n\tdepth1--;\n\tnode1 = node1->parent;\n }\n while (depth2 > depth1) {\n\tdepth2--;\n\tnode2 = node2->parent;\n }\n while (node1->parent != node2->parent) {\n\tnode1 = node1->parent;\n\tnode2 = node2->parent;\n\t/* should not happen but just in case ... 
*/\n\tif ((node1 == NULL) || (node2 == NULL))\n\t return(-2);\n }\n /*\n * Find who's first.\n */\n if (node1 == node2->prev)\n\treturn(1);\n if (node1 == node2->next)\n\treturn(-1);\n /*\n * Speedup using document order if availble.\n */\n if ((node1->type == XML_ELEMENT_NODE) &&\n\t(node2->type == XML_ELEMENT_NODE) &&\n\t(0 > (long) node1->content) &&\n\t(0 > (long) node2->content) &&\n\t(node1->doc == node2->doc)) {\n\n\tl1 = -((long) node1->content);\n\tl2 = -((long) node2->content);\n\tif (l1 < l2)\n\t return(1);\n\tif (l1 > l2)\n\t return(-1);\n }\n\n for (cur = node1->next;cur != NULL;cur = cur->next)\n\tif (cur == node2)\n\t return(1);\n return(-1); /* assume there is no sibling list corruption */\n}", "project": "libxml2", "hash": 212615234961347253752232624592355326342, "size": 277, "commit_id": "0f3b843b3534784ef57a4f9b874238aa1fda5a73", "message": "Fix XPath stack frame logic\n\nMove the calls to xmlXPathSetFrame and xmlXPathPopFrame around in\nxmlXPathCompOpEvalPositionalPredicate to make sure that the context\nobject on the stack is actually protected. 
Otherwise, memory corruption\ncan occur when calling sloppily coded XPath extension functions.\n\nFixes bug 783160.", "target": 0, "dataset": "other", "idx": 385317 }, { "func": "MagickExport Image *WaveletDenoiseImage(const Image *image,\n const double threshold,const double softness,ExceptionInfo *exception)\n{\n CacheView\n *image_view,\n *noise_view;\n\n float\n *kernel,\n *pixels;\n\n Image\n *noise_image;\n\n MagickBooleanType\n status;\n\n MagickSizeType\n number_pixels;\n\n MemoryInfo\n *pixels_info;\n\n size_t\n max_channels;\n\n ssize_t\n channel;\n\n static const double\n noise_levels[]= {\n 0.8002, 0.2735, 0.1202, 0.0585, 0.0291, 0.0152, 0.0080, 0.0044 };\n\n /*\n Initialize noise image attributes.\n */\n assert(image != (const Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n noise_image=(Image *) NULL;\n#if defined(MAGICKCORE_OPENCL_SUPPORT)\n noise_image=AccelerateWaveletDenoiseImage(image,threshold,exception);\n if (noise_image != (Image *) NULL)\n return(noise_image);\n#endif\n noise_image=CloneImage(image,0,0,MagickTrue,exception);\n if (noise_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(noise_image,DirectClass) == MagickFalse)\n {\n noise_image=DestroyImage(noise_image);\n return((Image *) NULL);\n }\n if (AcquireMagickResource(WidthResource,3*image->columns) == MagickFalse)\n ThrowImageException(ResourceLimitError,\"MemoryAllocationFailed\");\n pixels_info=AcquireVirtualMemory(3*image->columns,image->rows*\n sizeof(*pixels));\n kernel=(float *) AcquireQuantumMemory(MagickMax(image->rows,image->columns)+1,\n GetOpenMPMaximumThreads()*sizeof(*kernel));\n if ((pixels_info == (MemoryInfo *) NULL) || (kernel == (float *) NULL))\n {\n if (kernel != (float *) NULL)\n kernel=(float *) 
RelinquishMagickMemory(kernel);\n if (pixels_info != (MemoryInfo *) NULL)\n pixels_info=RelinquishVirtualMemory(pixels_info);\n ThrowImageException(ResourceLimitError,\"MemoryAllocationFailed\");\n }\n pixels=(float *) GetVirtualMemoryBlob(pixels_info);\n status=MagickTrue;\n number_pixels=image->columns*image->rows;\n max_channels=(size_t) (image->colorspace == CMYKColorspace ? 4 : 3);\n image_view=AcquireAuthenticCacheView(image,exception);\n noise_view=AcquireAuthenticCacheView(noise_image,exception);\n for (channel=0; channel < (ssize_t) max_channels; channel++)\n {\n ssize_t\n i;\n\n size_t\n high_pass,\n low_pass;\n\n ssize_t\n level,\n y;\n\n if (status == MagickFalse)\n continue;\n /*\n Copy channel from image to wavelet pixel array.\n */\n i=0;\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n const IndexPacket\n *magick_restrict indexes;\n\n const PixelPacket\n *magick_restrict p;\n\n ssize_t\n x;\n\n p=GetCacheViewAuthenticPixels(image_view,0,y,image->columns,1,exception);\n if (p == (const PixelPacket *) NULL)\n {\n status=MagickFalse;\n break;\n }\n indexes=GetCacheViewVirtualIndexQueue(image_view);\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n switch (channel)\n {\n case 0: pixels[i]=(float) GetPixelRed(p); break;\n case 1: pixels[i]=(float) GetPixelGreen(p); break;\n case 2: pixels[i]=(float) GetPixelBlue(p); break;\n case 3: pixels[i]=(float) indexes[x]; break;\n default: break;\n }\n i++;\n p++;\n }\n }\n /*\n Low pass filter outputs are called approximation kernel & high pass\n filters are referred to as detail kernel. 
The detail kernel\n have high values in the noisy parts of the signal.\n */\n high_pass=0;\n for (level=0; level < 5; level++)\n {\n double\n magnitude;\n\n ssize_t\n x,\n y;\n\n low_pass=(size_t) (number_pixels*((level & 0x01)+1));\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static,1) \\\n magick_number_threads(image,image,image->rows,1)\n#endif\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n const int\n id = GetOpenMPThreadId();\n\n float\n *magick_restrict p,\n *magick_restrict q;\n\n ssize_t\n x;\n\n p=kernel+id*image->columns;\n q=pixels+y*image->columns;\n HatTransform(q+high_pass,1,image->columns,(size_t) (1UL << level),p);\n q+=low_pass;\n for (x=0; x < (ssize_t) image->columns; x++)\n *q++=(*p++);\n }\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp parallel for schedule(static,1) \\\n magick_number_threads(image,image,image->columns,1)\n#endif\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n const int\n id = GetOpenMPThreadId();\n\n float\n *magick_restrict p,\n *magick_restrict q;\n\n ssize_t\n y;\n\n p=kernel+id*image->rows;\n q=pixels+x+low_pass;\n HatTransform(q,image->columns,image->rows,(size_t) (1UL << level),p);\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n *q=(*p++);\n q+=image->columns;\n }\n }\n /*\n To threshold, each coefficient is compared to a threshold value and\n attenuated / shrunk by some factor.\n */\n magnitude=threshold*noise_levels[level];\n for (i=0; i < (ssize_t) number_pixels; ++i)\n {\n pixels[high_pass+i]-=pixels[low_pass+i];\n if (pixels[high_pass+i] < -magnitude)\n pixels[high_pass+i]+=magnitude-softness*magnitude;\n else\n if (pixels[high_pass+i] > magnitude)\n pixels[high_pass+i]-=magnitude-softness*magnitude;\n else\n pixels[high_pass+i]*=softness;\n if (high_pass != 0)\n pixels[i]+=pixels[high_pass+i];\n }\n high_pass=low_pass;\n }\n /*\n Reconstruct image from the thresholded wavelet kernel.\n */\n i=0;\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n MagickBooleanType\n 
sync;\n\n IndexPacket\n *magick_restrict noise_indexes;\n\n PixelPacket\n *magick_restrict q;\n\n ssize_t\n x;\n\n q=GetCacheViewAuthenticPixels(noise_view,0,y,noise_image->columns,1,\n exception);\n if (q == (PixelPacket *) NULL)\n {\n status=MagickFalse;\n break;\n }\n noise_indexes=GetCacheViewAuthenticIndexQueue(noise_view);\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n float\n pixel;\n\n pixel=pixels[i]+pixels[low_pass+i];\n switch (channel)\n {\n case 0: SetPixelRed(q,ClampToQuantum(pixel)); break;\n case 1: SetPixelGreen(q,ClampToQuantum(pixel)); break;\n case 2: SetPixelBlue(q,ClampToQuantum(pixel)); break;\n case 3: SetPixelIndex(noise_indexes+x,ClampToQuantum(pixel)); break;\n default: break;\n }\n i++;\n q++;\n }\n sync=SyncCacheViewAuthenticPixels(noise_view,exception);\n if (sync == MagickFalse)\n status=MagickFalse;\n }\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n proceed=SetImageProgress(image,AddNoiseImageTag,(MagickOffsetType)\n channel,max_channels);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n noise_view=DestroyCacheView(noise_view);\n image_view=DestroyCacheView(image_view);\n kernel=(float *) RelinquishMagickMemory(kernel);\n pixels_info=RelinquishVirtualMemory(pixels_info);\n return(noise_image);\n}", "project": "ImageMagick6", "hash": 22659183776707721834270721183592591686, "size": 275, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385769 }, { "func": "MagickExport Image *SteganoImage(const Image *image,const Image *watermark,\n ExceptionInfo *exception)\n{\n#define GetBit(alpha,i) ((((size_t) (alpha) >> (size_t) (i)) & 0x01) != 0)\n#define SetBit(alpha,i,set) (alpha)=(Quantum) ((set) != 0 ? 
(size_t) (alpha) \\\n | (one << (size_t) (i)) : (size_t) (alpha) & ~(one << (size_t) (i)))\n#define SteganoImageTag \"Stegano/Image\"\n\n CacheView\n *stegano_view,\n *watermark_view;\n\n Image\n *stegano_image;\n\n int\n c;\n\n MagickBooleanType\n status;\n\n PixelPacket\n pixel;\n\n PixelPacket\n *q;\n\n ssize_t\n x;\n\n size_t\n depth,\n one;\n\n ssize_t\n i,\n j,\n k,\n y;\n\n /*\n Initialize steganographic image attributes.\n */\n assert(image != (const Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(watermark != (const Image *) NULL);\n assert(watermark->signature == MagickCoreSignature);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n one=1UL;\n stegano_image=CloneImage(image,0,0,MagickTrue,exception);\n if (stegano_image == (Image *) NULL)\n return((Image *) NULL);\n if (SetImageStorageClass(stegano_image,DirectClass) == MagickFalse)\n {\n InheritException(exception,&stegano_image->exception);\n stegano_image=DestroyImage(stegano_image);\n return((Image *) NULL);\n }\n stegano_image->depth=MAGICKCORE_QUANTUM_DEPTH;\n /*\n Hide watermark in low-order bits of image.\n */\n c=0;\n i=0;\n j=0;\n depth=stegano_image->depth;\n k=image->offset;\n status=MagickTrue;\n watermark_view=AcquireVirtualCacheView(watermark,exception);\n stegano_view=AcquireAuthenticCacheView(stegano_image,exception);\n for (i=(ssize_t) depth-1; (i >= 0) && (j < (ssize_t) depth); i--)\n {\n for (y=0; (y < (ssize_t) watermark->rows) && (j < (ssize_t) depth); y++)\n {\n for (x=0; (x < (ssize_t) watermark->columns) && (j < (ssize_t) depth); x++)\n {\n (void) GetOneCacheViewVirtualPixel(watermark_view,x,y,&pixel,exception);\n if ((k/(ssize_t) stegano_image->columns) >= (ssize_t) stegano_image->rows)\n break;\n q=GetCacheViewAuthenticPixels(stegano_view,k % (ssize_t)\n 
stegano_image->columns,k/(ssize_t) stegano_image->columns,1,1,\n exception);\n if (q == (PixelPacket *) NULL)\n break;\n switch (c)\n {\n case 0:\n {\n SetBit(GetPixelRed(q),j,GetBit(ClampToQuantum(GetPixelIntensity(\n image,&pixel)),i));\n break;\n }\n case 1:\n {\n SetBit(GetPixelGreen(q),j,GetBit(ClampToQuantum(GetPixelIntensity(\n image,&pixel)),i));\n break;\n }\n case 2:\n {\n SetBit(GetPixelBlue(q),j,GetBit(ClampToQuantum(GetPixelIntensity(\n image,&pixel)),i));\n break;\n }\n }\n if (SyncCacheViewAuthenticPixels(stegano_view,exception) == MagickFalse)\n break;\n c++;\n if (c == 3)\n c=0;\n k++;\n if (k == (ssize_t) (stegano_image->columns*stegano_image->columns))\n k=0;\n if (k == image->offset)\n j++;\n }\n }\n if (image->progress_monitor != (MagickProgressMonitor) NULL)\n {\n MagickBooleanType\n proceed;\n\n proceed=SetImageProgress(image,SteganoImageTag,(MagickOffsetType)\n (depth-i),depth);\n if (proceed == MagickFalse)\n status=MagickFalse;\n }\n }\n stegano_view=DestroyCacheView(stegano_view);\n watermark_view=DestroyCacheView(watermark_view);\n if (stegano_image->storage_class == PseudoClass)\n (void) SyncImage(stegano_image);\n if (status == MagickFalse)\n stegano_image=DestroyImage(stegano_image);\n return(stegano_image);\n}", "project": "ImageMagick6", "hash": 279373058925797105165124730883670444826, "size": 139, "commit_id": "f1e68d22d1b35459421710587a0dcbab6900b51f", "message": "https://github.com/ImageMagick/ImageMagick/issues/3296", "target": 0, "dataset": "other", "idx": 385777 }, { "func": "string_modifier_check(struct magic_set *ms, struct magic *m)\n{\n\tif ((ms->flags & MAGIC_CHECK) == 0)\n\t\treturn 0;\n\n\tif (m->type != FILE_PSTRING && (m->str_flags & PSTRING_LEN) != 0) {\n\t\tfile_magwarn(ms,\n\t\t \"'/BHhLl' modifiers are only allowed for pascal strings\\n\");\n\t\treturn -1;\n\t}\n\tswitch (m->type) {\n\tcase FILE_BESTRING16:\n\tcase FILE_LESTRING16:\n\t\tif (m->str_flags != 0) {\n\t\t\tfile_magwarn(ms,\n\t\t\t \"no modifiers 
allowed for 16-bit strings\\n\");\n\t\t\treturn -1;\n\t\t}\n\t\tbreak;\n\tcase FILE_STRING:\n\tcase FILE_PSTRING:\n\t\tif ((m->str_flags & REGEX_OFFSET_START) != 0) {\n\t\t\tfile_magwarn(ms,\n\t\t\t \"'/%c' only allowed on regex and search\\n\",\n\t\t\t CHAR_REGEX_OFFSET_START);\n\t\t\treturn -1;\n\t\t}\n\t\tbreak;\n\tcase FILE_SEARCH:\n\t\tif (m->str_range == 0) {\n\t\t\tfile_magwarn(ms,\n\t\t\t \"missing range; defaulting to %d\\n\",\n STRING_DEFAULT_RANGE);\n\t\t\tm->str_range = STRING_DEFAULT_RANGE;\n\t\t\treturn -1;\n\t\t}\n\t\tbreak;\n\tcase FILE_REGEX:\n\t\tif ((m->str_flags & STRING_COMPACT_WHITESPACE) != 0) {\n\t\t\tfile_magwarn(ms, \"'/%c' not allowed on regex\\n\",\n\t\t\t CHAR_COMPACT_WHITESPACE);\n\t\t\treturn -1;\n\t\t}\n\t\tif ((m->str_flags & STRING_COMPACT_OPTIONAL_WHITESPACE) != 0) {\n\t\t\tfile_magwarn(ms, \"'/%c' not allowed on regex\\n\",\n\t\t\t CHAR_COMPACT_OPTIONAL_WHITESPACE);\n\t\t\treturn -1;\n\t\t}\n\t\tbreak;\n\tdefault:\n\t\tfile_magwarn(ms, \"coding error: m->type=%d\\n\",\n\t\t m->type);\n\t\treturn -1;\n\t}\n\treturn 0;\n}", "project": "php-src", "hash": 235816288902642274459786756193487571207, "size": 56, "commit_id": "91aa340180eccfc15d4a143b54d47b8120f898be", "message": "Fixed bug #68827 Double free with disabled ZMM", "target": 0, "dataset": "other", "idx": 385980 }, { "func": "getvalue(struct magic_set *ms, struct magic *m, const char **p, int action)\n{\n\tswitch (m->type) {\n\tcase FILE_BESTRING16:\n\tcase FILE_LESTRING16:\n\tcase FILE_STRING:\n\tcase FILE_PSTRING:\n\tcase FILE_REGEX:\n\tcase FILE_SEARCH:\n\tcase FILE_NAME:\n\tcase FILE_USE:\n\t\t*p = getstr(ms, m, *p, action == FILE_COMPILE);\n\t\tif (*p == NULL) {\n\t\t\tif (ms->flags & MAGIC_CHECK)\n\t\t\t\tfile_magwarn(ms, \"cannot get string from `%s'\",\n\t\t\t\t m->value.s);\n\t\t\treturn -1;\n\t\t}\n\t\treturn 0;\n\tcase FILE_FLOAT:\n\tcase FILE_BEFLOAT:\n\tcase FILE_LEFLOAT:\n\t\tif (m->reln != 'x') {\n\t\t\tchar *ep;\n#ifdef HAVE_STRTOF\n\t\t\tm->value.f = 
strtof(*p, &ep);\n#else\n\t\t\tm->value.f = (float)strtod(*p, &ep);\n#endif\n\t\t\t*p = ep;\n\t\t}\n\t\treturn 0;\n\tcase FILE_DOUBLE:\n\tcase FILE_BEDOUBLE:\n\tcase FILE_LEDOUBLE:\n\t\tif (m->reln != 'x') {\n\t\t\tchar *ep;\n\t\t\tm->value.d = strtod(*p, &ep);\n\t\t\t*p = ep;\n\t\t}\n\t\treturn 0;\n\tdefault:\n\t\tif (m->reln != 'x') {\n\t\t\tchar *ep;\n\t\t\tm->value.q = file_signextend(ms, m,\n\t\t\t (uint64_t)strtoull(*p, &ep, 0));\n\t\t\t*p = ep;\n\t\t\teatsize(p);\n\t\t}\n\t\treturn 0;\n\t}\n}", "project": "php-src", "hash": 243587011913446177746611066585437446569, "size": 52, "commit_id": "91aa340180eccfc15d4a143b54d47b8120f898be", "message": "Fixed bug #68827 Double free with disabled ZMM", "target": 0, "dataset": "other", "idx": 385982 }, { "func": "apprentice_magic_strength(const struct magic *m)\n{\n#define MULT 10\n\tsize_t val = 2 * MULT;\t/* baseline strength */\n\n\tswitch (m->type) {\n\tcase FILE_DEFAULT:\t/* make sure this sorts last */\n\t\tif (m->factor_op != FILE_FACTOR_OP_NONE)\n\t\t\tabort();\n\t\treturn 0;\n\n\tcase FILE_BYTE:\n\t\tval += 1 * MULT;\n\t\tbreak;\n\n\tcase FILE_SHORT:\n\tcase FILE_LESHORT:\n\tcase FILE_BESHORT:\n\t\tval += 2 * MULT;\n\t\tbreak;\n\n\tcase FILE_LONG:\n\tcase FILE_LELONG:\n\tcase FILE_BELONG:\n\tcase FILE_MELONG:\n\t\tval += 4 * MULT;\n\t\tbreak;\n\n\tcase FILE_PSTRING:\n\tcase FILE_STRING:\n\t\tval += m->vallen * MULT;\n\t\tbreak;\n\n\tcase FILE_BESTRING16:\n\tcase FILE_LESTRING16:\n\t\tval += m->vallen * MULT / 2;\n\t\tbreak;\n\n\tcase FILE_SEARCH:\n\tcase FILE_REGEX:\n\t\tval += m->vallen * MAX(MULT / m->vallen, 1);\n\t\tbreak;\n\n\tcase FILE_DATE:\n\tcase FILE_LEDATE:\n\tcase FILE_BEDATE:\n\tcase FILE_MEDATE:\n\tcase FILE_LDATE:\n\tcase FILE_LELDATE:\n\tcase FILE_BELDATE:\n\tcase FILE_MELDATE:\n\tcase FILE_FLOAT:\n\tcase FILE_BEFLOAT:\n\tcase FILE_LEFLOAT:\n\t\tval += 4 * MULT;\n\t\tbreak;\n\n\tcase FILE_QUAD:\n\tcase FILE_BEQUAD:\n\tcase FILE_LEQUAD:\n\tcase FILE_QDATE:\n\tcase FILE_LEQDATE:\n\tcase 
FILE_BEQDATE:\n\tcase FILE_QLDATE:\n\tcase FILE_LEQLDATE:\n\tcase FILE_BEQLDATE:\n\tcase FILE_QWDATE:\n\tcase FILE_LEQWDATE:\n\tcase FILE_BEQWDATE:\n\tcase FILE_DOUBLE:\n\tcase FILE_BEDOUBLE:\n\tcase FILE_LEDOUBLE:\n\t\tval += 8 * MULT;\n\t\tbreak;\n\n\tcase FILE_INDIRECT:\n\tcase FILE_NAME:\n\tcase FILE_USE:\n\t\tbreak;\n\n\tdefault:\n\t\tval = 0;\n\t\t(void)fprintf(stderr, \"Bad type %d\\n\", m->type);\n\t\tabort();\n\t}\n\n\tswitch (m->reln) {\n\tcase 'x':\t/* matches anything penalize */\n\tcase '!': /* matches almost anything penalize */\n\t\tval = 0;\n\t\tbreak;\n\n\tcase '=':\t/* Exact match, prefer */\n\t\tval += MULT;\n\t\tbreak;\n\n\tcase '>':\n\tcase '<':\t/* comparison match reduce strength */\n\t\tval -= 2 * MULT;\n\t\tbreak;\n\n\tcase '^':\n\tcase '&':\t/* masking bits, we could count them too */\n\t\tval -= MULT;\n\t\tbreak;\n\n\tdefault:\n\t\t(void)fprintf(stderr, \"Bad relation %c\\n\", m->reln);\n\t\tabort();\n\t}\n\n\tif (val == 0)\t/* ensure we only return 0 for FILE_DEFAULT */\n\t\tval = 1;\n\n\tswitch (m->factor_op) {\n\tcase FILE_FACTOR_OP_NONE:\n\t\tbreak;\n\tcase FILE_FACTOR_OP_PLUS:\n\t\tval += m->factor;\n\t\tbreak;\n\tcase FILE_FACTOR_OP_MINUS:\n\t\tval -= m->factor;\n\t\tbreak;\n\tcase FILE_FACTOR_OP_TIMES:\n\t\tval *= m->factor;\n\t\tbreak;\n\tcase FILE_FACTOR_OP_DIV:\n\t\tval /= m->factor;\n\t\tbreak;\n\tdefault:\n\t\tabort();\n\t}\n\n\t/*\n\t * Magic entries with no description get a bonus because they depend\n\t * on subsequent magic entries to print something.\n\t */\n\tif (m->desc[0] == '\\0')\n\t\tval++;\n\treturn val;\n}", "project": "php-src", "hash": 47705692250392114264514146810730924759, "size": 141, "commit_id": "91aa340180eccfc15d4a143b54d47b8120f898be", "message": "Fixed bug #68827 Double free with disabled ZMM", "target": 0, "dataset": "other", "idx": 385983 }, { "func": "file_signextend(struct magic_set *ms, struct magic *m, uint64_t v)\n{\n\tif (!(m->flag & UNSIGNED)) {\n\t\tswitch(m->type) {\n\t\t/*\n\t\t * Do not 
remove the casts below. They are\n\t\t * vital. When later compared with the data,\n\t\t * the sign extension must have happened.\n\t\t */\n\t\tcase FILE_BYTE:\n\t\t\tv = (signed char) v;\n\t\t\tbreak;\n\t\tcase FILE_SHORT:\n\t\tcase FILE_BESHORT:\n\t\tcase FILE_LESHORT:\n\t\t\tv = (short) v;\n\t\t\tbreak;\n\t\tcase FILE_DATE:\n\t\tcase FILE_BEDATE:\n\t\tcase FILE_LEDATE:\n\t\tcase FILE_MEDATE:\n\t\tcase FILE_LDATE:\n\t\tcase FILE_BELDATE:\n\t\tcase FILE_LELDATE:\n\t\tcase FILE_MELDATE:\n\t\tcase FILE_LONG:\n\t\tcase FILE_BELONG:\n\t\tcase FILE_LELONG:\n\t\tcase FILE_MELONG:\n\t\tcase FILE_FLOAT:\n\t\tcase FILE_BEFLOAT:\n\t\tcase FILE_LEFLOAT:\n\t\t\tv = (int32_t) v;\n\t\t\tbreak;\n\t\tcase FILE_QUAD:\n\t\tcase FILE_BEQUAD:\n\t\tcase FILE_LEQUAD:\n\t\tcase FILE_QDATE:\n\t\tcase FILE_QLDATE:\n\t\tcase FILE_QWDATE:\n\t\tcase FILE_BEQDATE:\n\t\tcase FILE_BEQLDATE:\n\t\tcase FILE_BEQWDATE:\n\t\tcase FILE_LEQDATE:\n\t\tcase FILE_LEQLDATE:\n\t\tcase FILE_LEQWDATE:\n\t\tcase FILE_DOUBLE:\n\t\tcase FILE_BEDOUBLE:\n\t\tcase FILE_LEDOUBLE:\n\t\t\tv = (int64_t) v;\n\t\t\tbreak;\n\t\tcase FILE_STRING:\n\t\tcase FILE_PSTRING:\n\t\tcase FILE_BESTRING16:\n\t\tcase FILE_LESTRING16:\n\t\tcase FILE_REGEX:\n\t\tcase FILE_SEARCH:\n\t\tcase FILE_DEFAULT:\n\t\tcase FILE_INDIRECT:\n\t\tcase FILE_NAME:\n\t\tcase FILE_USE:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tif (ms->flags & MAGIC_CHECK)\n\t\t\t file_magwarn(ms, \"cannot happen: m->type=%d\\n\",\n\t\t\t\t m->type);\n\t\t\treturn ~0U;\n\t\t}\n\t}\n\treturn v;\n}", "project": "php-src", "hash": 238258836866404964818634132518988731058, "size": 71, "commit_id": "91aa340180eccfc15d4a143b54d47b8120f898be", "message": "Fixed bug #68827 Double free with disabled ZMM", "target": 0, "dataset": "other", "idx": 385984 }, { "func": "static inline struct usb_endpoint_descriptor *ep_desc(struct usb_gadget *gadget,\n\t\t\t\t\tstruct usb_endpoint_descriptor *fs,\n\t\t\t\t\tstruct usb_endpoint_descriptor *hs,\n\t\t\t\t\tstruct usb_endpoint_descriptor 
*ss)\n{\n\tswitch (gadget->speed) {\n\tcase USB_SPEED_SUPER:\n\t\treturn ss;\n\tcase USB_SPEED_HIGH:\n\t\treturn hs;\n\tdefault:\n\t\treturn fs;\n\t}\n}", "project": "linux", "hash": 174877051442233490867763770444970763390, "size": 14, "commit_id": "e8d5f92b8d30bb4ade76494490c3c065e12411b1", "message": "usb: gadget: function: printer: fix use-after-free in __lock_acquire\n\nFix this by increase object reference count.\n\nBUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180\nkernel/locking/lockdep.c:3831\nRead of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377\n\nCPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xce/0x128 lib/dump_stack.c:118\n print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374\n __kasan_report+0x131/0x1b0 mm/kasan/report.c:506\n kasan_report+0x12/0x20 mm/kasan/common.c:641\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135\n __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831\n lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0xfb/0x130 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x4531a9\nCode: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: 
ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9\nRDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003\nRBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61\nR13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff\n\nAllocated by task 2393:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515\n kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529\n kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813\n kmalloc include/linux/slab.h:555 [inline]\n kzalloc include/linux/slab.h:669 [inline]\n gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416\n usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61\n config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444\n configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202\n vfs_symlink+0x33d/0x5b0 fs/namei.c:4201\n do_symlinkat+0x11b/0x1d0 fs/namei.c:4228\n __do_sys_symlinkat fs/namei.c:4242 [inline]\n __se_sys_symlinkat fs/namei.c:4239 [inline]\n __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nFreed by task 3368:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n kasan_set_free_info mm/kasan/common.c:337 [inline]\n __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476\n kasan_slab_free+0xe/0x10 mm/kasan/common.c:485\n slab_free_hook mm/slub.c:1444 [inline]\n slab_free_freelist_hook mm/slub.c:1477 [inline]\n slab_free mm/slub.c:3034 [inline]\n kfree+0xf7/0x410 mm/slub.c:3995\n gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353\n usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87\n config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485\n configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250\n vfs_unlink+0x287/0x570 
fs/namei.c:4073\n do_unlinkat+0x4f9/0x620 fs/namei.c:4137\n __do_sys_unlink fs/namei.c:4184 [inline]\n __se_sys_unlink fs/namei.c:4182 [inline]\n __x64_sys_unlink+0x42/0x50 fs/namei.c:4182\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nThe buggy address belongs to the object at ffff8880683b0000\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 24 bytes inside of\n 1024-byte region [ffff8880683b0000, ffff8880683b0400)\nThe buggy address belongs to the page:\npage:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300\nindex:0xffff8880683b1800 compound_mapcount: 0\nflags: 0x100000000010200(slab|head)\nraw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300\nraw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nSigned-off-by: Felipe Balbi ", "target": 0, "dataset": "other", "idx": 389345 }, { "func": "tiff_set_rgb_fields(gx_device_tiff *tfdev)\n{\n /* Put in a switch statement in case we want to have others */\n switch (tfdev->icc_struct->device_profile[0]->data_cs) {\n case gsRGB:\n TIFFSetField(tfdev->tif, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_RGB);\n break;\n case gsCIELAB:\n TIFFSetField(tfdev->tif, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_ICCLAB);\n break;\n default:\n TIFFSetField(tfdev->tif, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_RGB);\n break;\n }\n TIFFSetField(tfdev->tif, TIFFTAG_FILLORDER, FILLORDER_MSB2LSB);\n TIFFSetField(tfdev->tif, TIFFTAG_SAMPLESPERPIXEL, 3);\n\n tiff_set_compression((gx_device_printer *)tfdev, tfdev->tif,\n tfdev->Compression, tfdev->MaxStripSize);\n}", "project": "ghostpdl", "hash": 248843912808093179473627250898010104637, "size": 20, "commit_id": "714e8995cd582d418276915cbbec3c70711fb19e", "message": "Bug 701807: avoid buffer overflow in tiff12_print_page().\n\nFixes:\n ./sanbin/gs -r650 -sOutputFile=tmp 
-sDEVICE=tiff12nc ../bug-701807.pdf", "target": 0, "dataset": "other", "idx": 389795 }, { "func": "static TValue *trace_state(lua_State *L, lua_CFunction dummy, void *ud)\n{\n jit_State *J = (jit_State *)ud;\n UNUSED(dummy);\n do {\n retry:\n switch (J->state) {\n case LJ_TRACE_START:\n J->state = LJ_TRACE_RECORD; /* trace_start() may change state. */\n trace_start(J);\n lj_dispatch_update(J2G(J));\n break;\n\n case LJ_TRACE_RECORD:\n trace_pendpatch(J, 0);\n setvmstate(J2G(J), RECORD);\n lj_vmevent_send_(L, RECORD,\n\t/* Save/restore tmptv state for trace recorder. */\n\tTValue savetv = J2G(J)->tmptv;\n\tTValue savetv2 = J2G(J)->tmptv2;\n\tsetintV(L->top++, J->cur.traceno);\n\tsetfuncV(L, L->top++, J->fn);\n\tsetintV(L->top++, J->pt ? (int32_t)proto_bcpos(J->pt, J->pc) : -1);\n\tsetintV(L->top++, J->framedepth);\n ,\n\tJ2G(J)->tmptv = savetv;\n\tJ2G(J)->tmptv2 = savetv2;\n );\n lj_record_ins(J);\n break;\n\n case LJ_TRACE_END:\n trace_pendpatch(J, 1);\n J->loopref = 0;\n if ((J->flags & JIT_F_OPT_LOOP) &&\n\t J->cur.link == J->cur.traceno && J->framedepth + J->retdepth == 0) {\n\tsetvmstate(J2G(J), OPT);\n\tlj_opt_dce(J);\n\tif (lj_opt_loop(J)) { /* Loop optimization failed? */\n\t J->cur.link = 0;\n\t J->cur.linktype = LJ_TRLINK_NONE;\n\t J->loopref = J->cur.nins;\n\t J->state = LJ_TRACE_RECORD; /* Try to continue recording. */\n\t break;\n\t}\n\tJ->loopref = J->chain[IR_LOOP]; /* Needed by assembler. */\n }\n lj_opt_split(J);\n lj_opt_sink(J);\n if (!J->loopref) J->cur.snap[J->cur.nsnap-1].count = SNAPCOUNT_DONE;\n J->state = LJ_TRACE_ASM;\n break;\n\n case LJ_TRACE_ASM:\n setvmstate(J2G(J), ASM);\n lj_asm_trace(J, &J->cur);\n trace_stop(J);\n setvmstate(J2G(J), INTERP);\n J->state = LJ_TRACE_IDLE;\n lj_dispatch_update(J2G(J));\n return NULL;\n\n default: /* Trace aborted asynchronously. 
*/\n setintV(L->top++, (int32_t)LJ_TRERR_RECERR);\n /* fallthrough */\n case LJ_TRACE_ERR:\n trace_pendpatch(J, 1);\n if (trace_abort(J))\n\tgoto retry;\n setvmstate(J2G(J), INTERP);\n J->state = LJ_TRACE_IDLE;\n lj_dispatch_update(J2G(J));\n return NULL;\n }\n } while (J->state > LJ_TRACE_RECORD);\n return NULL;\n}", "project": "LuaJIT", "hash": 227663103558859011074877147786605614202, "size": 77, "commit_id": "e296f56b825c688c3530a981dc6b495d972f3d01", "message": "Call error function on rethrow after trace exit.", "target": 0, "dataset": "other", "idx": 394655 }, { "func": "ppp_print(netdissect_options *ndo,\n register const u_char *p, u_int length)\n{\n\tu_int proto,ppp_header;\n u_int olen = length; /* _o_riginal length */\n\tu_int hdr_len = 0;\n\n\t/*\n\t * Here, we assume that p points to the Address and Control\n\t * field (if they present).\n\t */\n\tif (length < 2)\n\t\tgoto trunc;\n\tND_TCHECK2(*p, 2);\n ppp_header = EXTRACT_16BITS(p);\n\n switch(ppp_header) {\n case (PPP_WITHDIRECTION_IN << 8 | PPP_CONTROL):\n if (ndo->ndo_eflag) ND_PRINT((ndo, \"In \"));\n p += 2;\n length -= 2;\n hdr_len += 2;\n break;\n case (PPP_WITHDIRECTION_OUT << 8 | PPP_CONTROL):\n if (ndo->ndo_eflag) ND_PRINT((ndo, \"Out \"));\n p += 2;\n length -= 2;\n hdr_len += 2;\n break;\n case (PPP_ADDRESS << 8 | PPP_CONTROL):\n p += 2;\t\t\t/* ACFC not used */\n length -= 2;\n hdr_len += 2;\n break;\n\n default:\n break;\n }\n\n\tif (length < 2)\n\t\tgoto trunc;\n\tND_TCHECK(*p);\n\tif (*p % 2) {\n\t\tproto = *p;\t\t/* PFC is used */\n\t\tp++;\n\t\tlength--;\n\t\thdr_len++;\n\t} else {\n\t\tND_TCHECK2(*p, 2);\n\t\tproto = EXTRACT_16BITS(p);\n\t\tp += 2;\n\t\tlength -= 2;\n\t\thdr_len += 2;\n\t}\n\n\tif (ndo->ndo_eflag)\n\t\tND_PRINT((ndo, \"%s (0x%04x), length %u: \",\n\t\t tok2str(ppptype2str, \"unknown\", proto),\n\t\t proto,\n\t\t olen));\n\n\thandle_ppp(ndo, proto, p, length);\n\treturn (hdr_len);\ntrunc:\n\tND_PRINT((ndo, \"[|ppp]\"));\n\treturn (0);\n}", "project": "tcpdump", 
"hash": 330624539722487594346352559468299480364, "size": 67, "commit_id": "32027e199368dad9508965aae8cd8de5b6ab5231", "message": "PPP: When un-escaping, don't allocate a too-large buffer.\n\nThe buffer should be big enough to hold the captured data, but it\ndoesn't need to be big enough to hold the entire on-the-network packet,\nif we haven't captured all of it.\n\n(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)", "target": 0, "dataset": "other", "idx": 397627 }, { "func": "handle_ctrl_proto(netdissect_options *ndo,\n u_int proto, const u_char *pptr, int length)\n{\n\tconst char *typestr;\n\tu_int code, len;\n\tint (*pfunc)(netdissect_options *, const u_char *, int);\n\tint x, j;\n const u_char *tptr;\n\n tptr=pptr;\n\n typestr = tok2str(ppptype2str, \"unknown ctrl-proto (0x%04x)\", proto);\n\tND_PRINT((ndo, \"%s, \", typestr));\n\n\tif (length < 4) /* FIXME weak boundary checking */\n\t\tgoto trunc;\n\tND_TCHECK2(*tptr, 2);\n\n\tcode = *tptr++;\n\n\tND_PRINT((ndo, \"%s (0x%02x), id %u, length %u\",\n\t tok2str(cpcodes, \"Unknown Opcode\",code),\n\t code,\n\t *tptr++, /* ID */\n\t length + 2));\n\n\tif (!ndo->ndo_vflag)\n\t\treturn;\n\n\tif (length <= 4)\n\t\treturn; /* there may be a NULL confreq etc. */\n\n\tND_TCHECK2(*tptr, 2);\n\tlen = EXTRACT_16BITS(tptr);\n\ttptr += 2;\n\n\tND_PRINT((ndo, \"\\n\\tencoded length %u (=Option(s) length %u)\", len, len - 4));\n\n\tif (ndo->ndo_vflag > 1)\n\t\tprint_unknown_data(ndo, pptr - 2, \"\\n\\t\", 6);\n\n\n\tswitch (code) {\n\tcase CPCODES_VEXT:\n\t\tif (length < 11)\n\t\t\tbreak;\n\t\tND_TCHECK2(*tptr, 4);\n\t\tND_PRINT((ndo, \"\\n\\t Magic-Num 0x%08x\", EXTRACT_32BITS(tptr)));\n\t\ttptr += 4;\n\t\tND_TCHECK2(*tptr, 3);\n\t\tND_PRINT((ndo, \" Vendor: %s (%u)\",\n tok2str(oui_values,\"Unknown\",EXTRACT_24BITS(tptr)),\n EXTRACT_24BITS(tptr)));\n\t\t/* XXX: need to decode Kind and Value(s)? 
*/\n\t\tbreak;\n\tcase CPCODES_CONF_REQ:\n\tcase CPCODES_CONF_ACK:\n\tcase CPCODES_CONF_NAK:\n\tcase CPCODES_CONF_REJ:\n\t\tx = len - 4;\t/* Code(1), Identifier(1) and Length(2) */\n\t\tdo {\n\t\t\tswitch (proto) {\n\t\t\tcase PPP_LCP:\n\t\t\t\tpfunc = print_lcp_config_options;\n\t\t\t\tbreak;\n\t\t\tcase PPP_IPCP:\n\t\t\t\tpfunc = print_ipcp_config_options;\n\t\t\t\tbreak;\n\t\t\tcase PPP_IPV6CP:\n\t\t\t\tpfunc = print_ip6cp_config_options;\n\t\t\t\tbreak;\n\t\t\tcase PPP_CCP:\n\t\t\t\tpfunc = print_ccp_config_options;\n\t\t\t\tbreak;\n\t\t\tcase PPP_BACP:\n\t\t\t\tpfunc = print_bacp_config_options;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\t/*\n\t\t\t\t * No print routine for the options for\n\t\t\t\t * this protocol.\n\t\t\t\t */\n\t\t\t\tpfunc = NULL;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tif (pfunc == NULL) /* catch the above null pointer if unknown CP */\n\t\t\t\tbreak;\n\n\t\t\tif ((j = (*pfunc)(ndo, tptr, len)) == 0)\n\t\t\t\tbreak;\n\t\t\tx -= j;\n\t\t\ttptr += j;\n\t\t} while (x > 0);\n\t\tbreak;\n\n\tcase CPCODES_TERM_REQ:\n\tcase CPCODES_TERM_ACK:\n\t\t/* XXX: need to decode Data? */\n\t\tbreak;\n\tcase CPCODES_CODE_REJ:\n\t\t/* XXX: need to decode Rejected-Packet? */\n\t\tbreak;\n\tcase CPCODES_PROT_REJ:\n\t\tif (length < 6)\n\t\t\tbreak;\n\t\tND_TCHECK2(*tptr, 2);\n\t\tND_PRINT((ndo, \"\\n\\t Rejected %s Protocol (0x%04x)\",\n\t\t tok2str(ppptype2str,\"unknown\", EXTRACT_16BITS(tptr)),\n\t\t EXTRACT_16BITS(tptr)));\n\t\t/* XXX: need to decode Rejected-Information? - hexdump for now */\n\t\tif (len > 6) {\n\t\t\tND_PRINT((ndo, \"\\n\\t Rejected Packet\"));\n\t\t\tprint_unknown_data(ndo, tptr + 2, \"\\n\\t \", len - 2);\n\t\t}\n\t\tbreak;\n\tcase CPCODES_ECHO_REQ:\n\tcase CPCODES_ECHO_RPL:\n\tcase CPCODES_DISC_REQ:\n\t\tif (length < 8)\n\t\t\tbreak;\n\t\tND_TCHECK2(*tptr, 4);\n\t\tND_PRINT((ndo, \"\\n\\t Magic-Num 0x%08x\", EXTRACT_32BITS(tptr)));\n\t\t/* XXX: need to decode Data? 
- hexdump for now */\n\t\tif (len > 8) {\n\t\t\tND_PRINT((ndo, \"\\n\\t -----trailing data-----\"));\n\t\t\tND_TCHECK2(tptr[4], len - 8);\n\t\t\tprint_unknown_data(ndo, tptr + 4, \"\\n\\t \", len - 8);\n\t\t}\n\t\tbreak;\n\tcase CPCODES_ID:\n\t\tif (length < 8)\n\t\t\tbreak;\n\t\tND_TCHECK2(*tptr, 4);\n\t\tND_PRINT((ndo, \"\\n\\t Magic-Num 0x%08x\", EXTRACT_32BITS(tptr)));\n\t\t/* RFC 1661 says this is intended to be human readable */\n\t\tif (len > 8) {\n\t\t\tND_PRINT((ndo, \"\\n\\t Message\\n\\t \"));\n\t\t\tif (fn_printn(ndo, tptr + 4, len - 4, ndo->ndo_snapend))\n\t\t\t\tgoto trunc;\n\t\t}\n\t\tbreak;\n\tcase CPCODES_TIME_REM:\n\t\tif (length < 12)\n\t\t\tbreak;\n\t\tND_TCHECK2(*tptr, 4);\n\t\tND_PRINT((ndo, \"\\n\\t Magic-Num 0x%08x\", EXTRACT_32BITS(tptr)));\n\t\tND_TCHECK2(*(tptr + 4), 4);\n\t\tND_PRINT((ndo, \", Seconds-Remaining %us\", EXTRACT_32BITS(tptr + 4)));\n\t\t/* XXX: need to decode Message? */\n\t\tbreak;\n\tdefault:\n\t\t/* XXX this is dirty but we do not get the\n\t\t * original pointer passed to the begin\n\t\t * the PPP packet */\n\t\tif (ndo->ndo_vflag <= 1)\n\t\t\tprint_unknown_data(ndo, pptr - 2, \"\\n\\t \", length + 2);\n\t\tbreak;\n\t}\n\treturn;\n\ntrunc:\n\tND_PRINT((ndo, \"[|%s]\", typestr));\n}", "project": "tcpdump", "hash": 85166252343424287207975166935741920960, "size": 164, "commit_id": "32027e199368dad9508965aae8cd8de5b6ab5231", "message": "PPP: When un-escaping, don't allocate a too-large buffer.\n\nThe buffer should be big enough to hold the captured data, but it\ndoesn't need to be big enough to hold the entire on-the-network packet,\nif we haven't captured all of it.\n\n(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)", "target": 0, "dataset": "other", "idx": 397628 }, { "func": "handle_ppp(netdissect_options *ndo,\n u_int proto, const u_char *p, int length)\n{\n\tif ((proto & 0xff00) == 0x7e00) { /* is this an escape code ? 
*/\n\t\tppp_hdlc(ndo, p - 1, length);\n\t\treturn;\n\t}\n\n\tswitch (proto) {\n\tcase PPP_LCP: /* fall through */\n\tcase PPP_IPCP:\n\tcase PPP_OSICP:\n\tcase PPP_MPLSCP:\n\tcase PPP_IPV6CP:\n\tcase PPP_CCP:\n\tcase PPP_BACP:\n\t\thandle_ctrl_proto(ndo, proto, p, length);\n\t\tbreak;\n\tcase PPP_ML:\n\t\thandle_mlppp(ndo, p, length);\n\t\tbreak;\n\tcase PPP_CHAP:\n\t\thandle_chap(ndo, p, length);\n\t\tbreak;\n\tcase PPP_PAP:\n\t\thandle_pap(ndo, p, length);\n\t\tbreak;\n\tcase PPP_BAP:\t\t/* XXX: not yet completed */\n\t\thandle_bap(ndo, p, length);\n\t\tbreak;\n\tcase ETHERTYPE_IP:\t/*XXX*/\n case PPP_VJNC:\n\tcase PPP_IP:\n\t\tip_print(ndo, p, length);\n\t\tbreak;\n\tcase ETHERTYPE_IPV6:\t/*XXX*/\n\tcase PPP_IPV6:\n\t\tip6_print(ndo, p, length);\n\t\tbreak;\n\tcase ETHERTYPE_IPX:\t/*XXX*/\n\tcase PPP_IPX:\n\t\tipx_print(ndo, p, length);\n\t\tbreak;\n\tcase PPP_OSI:\n\t\tisoclns_print(ndo, p, length);\n\t\tbreak;\n\tcase PPP_MPLS_UCAST:\n\tcase PPP_MPLS_MCAST:\n\t\tmpls_print(ndo, p, length);\n\t\tbreak;\n\tcase PPP_COMP:\n\t\tND_PRINT((ndo, \"compressed PPP data\"));\n\t\tbreak;\n\tdefault:\n\t\tND_PRINT((ndo, \"%s \", tok2str(ppptype2str, \"unknown PPP protocol (0x%04x)\", proto)));\n\t\tprint_unknown_data(ndo, p, \"\\n\\t\", length);\n\t\tbreak;\n\t}\n}", "project": "tcpdump", "hash": 20173003994320868443943589684525890842, "size": 59, "commit_id": "32027e199368dad9508965aae8cd8de5b6ab5231", "message": "PPP: When un-escaping, don't allocate a too-large buffer.\n\nThe buffer should be big enough to hold the captured data, but it\ndoesn't need to be big enough to hold the entire on-the-network packet,\nif we haven't captured all of it.\n\n(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)", "target": 0, "dataset": "other", "idx": 397639 }, { "func": "ipmi_get_session_info(struct ipmi_intf * intf,\n\t\t\t\t\t Ipmi_Session_Request_Type session_request_type,\n\t\t\t\t\t uint32_t id_or_handle)\n{\n\tint i, retval = 0;\n\n\tstruct ipmi_rs * 
rsp;\n\tstruct ipmi_rq req;\n\tuint8_t rqdata[5]; // max length of the variable length request\n\tstruct get_session_info_rsp session_info;\n\n\tmemset(&req, 0, sizeof(req));\n\tmemset(&session_info, 0, sizeof(session_info));\n\treq.msg.netfn = IPMI_NETFN_APP; // 0x06\n\treq.msg.cmd = IPMI_GET_SESSION_INFO; // 0x3D\n\treq.msg.data = rqdata;\n\n\tswitch (session_request_type)\n\t{\n\t\t\n\tcase IPMI_SESSION_REQUEST_CURRENT:\n\tcase IPMI_SESSION_REQUEST_BY_ID:\t\n\tcase IPMI_SESSION_REQUEST_BY_HANDLE:\n\t\tswitch (session_request_type)\n\t\t{\n\t\tcase IPMI_SESSION_REQUEST_CURRENT:\n\t\t\trqdata[0] = 0x00;\n\t\t\treq.msg.data_len = 1;\n\t\t\tbreak;\n\t\tcase IPMI_SESSION_REQUEST_BY_ID:\t\n\t\t\trqdata[0] = 0xFF;\n\t\t\trqdata[1] = id_or_handle & 0x000000FF;\n\t\t\trqdata[2] = (id_or_handle >> 8) & 0x000000FF;\n\t\t\trqdata[3] = (id_or_handle >> 16) & 0x000000FF;\n\t\t\trqdata[4] = (id_or_handle >> 24) & 0x000000FF;\n\t\t\treq.msg.data_len = 5;\n\t\t\tbreak;\n\t\tcase IPMI_SESSION_REQUEST_BY_HANDLE:\n\t\t\trqdata[0] = 0xFE;\n\t\t\trqdata[1] = (uint8_t)id_or_handle;\n\t\t\treq.msg.data_len = 2;\n\t\t\tbreak;\n\t\tcase IPMI_SESSION_REQUEST_ALL:\n\t\t\tbreak;\n\t\t}\n\n\t\trsp = intf->sendrecv(intf, &req);\n\t\tif (!rsp)\n\t\t{\n\t\t\tlprintf(LOG_ERR, \"Get Session Info command failed\");\n\t\t\tretval = -1;\n\t\t}\n\t\telse if (rsp->ccode)\n\t\t{\n\t\t\tlprintf(LOG_ERR, \"Get Session Info command failed: %s\",\n\t\t\t\tval2str(rsp->ccode, completion_code_vals));\n\t\t\tretval = -1;\n\t\t}\n\n\t\tif (retval < 0)\n\t\t{\n\t\t\tif ((session_request_type == IPMI_SESSION_REQUEST_CURRENT) &&\n\t\t\t (strncmp(intf->name, \"lan\", 3) != 0))\n\t\t\t\tlprintf(LOG_ERR, \"It is likely that the channel in use \"\n\t\t\t\t\t\"does not support sessions\");\n\t\t}\n\t\telse\n\t\t{\n\t\t\tmemcpy(&session_info, rsp->data,\n\t\t\t __min(rsp->data_len, sizeof(session_info)));\n\t\t\tprint_session_info(&session_info,\n\t\t\t __min(rsp->data_len, 
sizeof(session_info)));\n\t\t}\n\t\tbreak;\n\t\t\n\tcase IPMI_SESSION_REQUEST_ALL:\n\t\treq.msg.data_len = 1;\n\t\ti = 1;\n\t\tdo\n\t\t{\n\t\t\trqdata[0] = i++;\n\t\t\trsp = intf->sendrecv(intf, &req);\n\t\t\t\n\t\t\tif (!rsp)\n\t\t\t{\n\t\t\t\tlprintf(LOG_ERR, \"Get Session Info command failed\");\n\t\t\t\tretval = -1;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\telse if (rsp->ccode && rsp->ccode != 0xCC && rsp->ccode != 0xCB)\n\t\t\t{\n\t\t\t\tlprintf(LOG_ERR, \"Get Session Info command failed: %s\",\n\t\t\t\t\tval2str(rsp->ccode, completion_code_vals));\n\t\t\t\tretval = -1;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\telse if (rsp->data_len < 3)\n\t\t\t{\n\t\t\t\tretval = -1;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tmemcpy(&session_info, rsp->data,\n\t\t\t __min(rsp->data_len, sizeof(session_info)));\n\t\t\tprint_session_info(&session_info,\n\t\t\t __min(rsp->data_len, sizeof(session_info)));\n\t\t\t\n\t\t} while (i <= session_info.session_slot_count);\n\t\tbreak;\n\t}\n\n\treturn retval;\n}", "project": "ipmitool", "hash": 242323179109677020584476187087776996309, "size": 113, "commit_id": "41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22", "message": "session: Fix buffer overflow in ipmi_get_session_info\n\nPartial fix for CVE-2020-5208, see\nhttps://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp\n\nThe `ipmi_get_session_info` function does not properly check the\nresponse `data_len`, which is used as a copy size, allowing stack buffer\noverflow.", "target": 0, "dataset": "other", "idx": 398021 }, { "func": "static const char *imap_get_field(enum ConnAccountField field, void *gf_data)\n{\n switch (field)\n {\n case MUTT_CA_LOGIN:\n return cs_subset_string(NeoMutt->sub, \"imap_login\");\n case MUTT_CA_USER:\n return cs_subset_string(NeoMutt->sub, \"imap_user\");\n case MUTT_CA_PASS:\n return cs_subset_string(NeoMutt->sub, \"imap_pass\");\n case MUTT_CA_OAUTH_CMD:\n return cs_subset_string(NeoMutt->sub, \"imap_oauth_refresh_command\");\n case MUTT_CA_HOST:\n default:\n return 
NULL;\n }\n}", "project": "neomutt", "hash": 181059205237023286200554906090561831757, "size": 17, "commit_id": "fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc", "message": "Fix seqset iterator when it ends in a comma\n\nIf the seqset ended with a comma, the substr_end marker would be just\nbefore the trailing nul. In the next call, the loop to skip the\nmarker would iterate right past the end of string too.\n\nThe fix is simple: place the substr_end marker and skip past it\nimmediately.", "target": 0, "dataset": "other", "idx": 399295 }, { "func": "main(int ac, char **av)\n{\n\tint c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0;\n\tint sock, ch, result, saved_errno;\n\tchar *shell, *format, *pidstr, *agentsocket = NULL;\n#ifdef HAVE_SETRLIMIT\n\tstruct rlimit rlim;\n#endif\n\textern int optind;\n\textern char *optarg;\n\tpid_t pid;\n\tchar pidstrbuf[1 + 3 * sizeof pid];\n\tsize_t len;\n\tmode_t prev_mask;\n\tint timeout = -1; /* INFTIM */\n\tstruct pollfd *pfd = NULL;\n\tsize_t npfd = 0;\n\tu_int maxfds;\n\n\t/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */\n\tsanitise_stdfd();\n\n\t/* drop */\n\tsetegid(getgid());\n\tsetgid(getgid());\n\n\tplatform_disable_tracing(0);\t/* strict=no */\n\n#ifdef RLIMIT_NOFILE\n\tif (getrlimit(RLIMIT_NOFILE, &rlim) == -1)\n\t\tfatal(\"%s: getrlimit: %s\", __progname, strerror(errno));\n#endif\n\n\t__progname = ssh_get_progname(av[0]);\n\tseed_rng();\n\n\twhile ((ch = getopt(ac, av, \"cDdksE:a:O:P:t:\")) != -1) {\n\t\tswitch (ch) {\n\t\tcase 'E':\n\t\t\tfingerprint_hash = ssh_digest_alg_by_name(optarg);\n\t\t\tif (fingerprint_hash == -1)\n\t\t\t\tfatal(\"Invalid hash algorithm \\\"%s\\\"\", optarg);\n\t\t\tbreak;\n\t\tcase 'c':\n\t\t\tif (s_flag)\n\t\t\t\tusage();\n\t\t\tc_flag++;\n\t\t\tbreak;\n\t\tcase 'k':\n\t\t\tk_flag++;\n\t\t\tbreak;\n\t\tcase 'O':\n\t\t\tif (strcmp(optarg, \"no-restrict-websafe\") == 0)\n\t\t\t\trestrict_websafe = 0;\n\t\t\telse\n\t\t\t\tfatal(\"Unknown -O 
option\");\n\t\t\tbreak;\n\t\tcase 'P':\n\t\t\tif (allowed_providers != NULL)\n\t\t\t\tfatal(\"-P option already specified\");\n\t\t\tallowed_providers = xstrdup(optarg);\n\t\t\tbreak;\n\t\tcase 's':\n\t\t\tif (c_flag)\n\t\t\t\tusage();\n\t\t\ts_flag++;\n\t\t\tbreak;\n\t\tcase 'd':\n\t\t\tif (d_flag || D_flag)\n\t\t\t\tusage();\n\t\t\td_flag++;\n\t\t\tbreak;\n\t\tcase 'D':\n\t\t\tif (d_flag || D_flag)\n\t\t\t\tusage();\n\t\t\tD_flag++;\n\t\t\tbreak;\n\t\tcase 'a':\n\t\t\tagentsocket = optarg;\n\t\t\tbreak;\n\t\tcase 't':\n\t\t\tif ((lifetime = convtime(optarg)) == -1) {\n\t\t\t\tfprintf(stderr, \"Invalid lifetime\\n\");\n\t\t\t\tusage();\n\t\t\t}\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tusage();\n\t\t}\n\t}\n\tac -= optind;\n\tav += optind;\n\n\tif (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))\n\t\tusage();\n\n\tif (allowed_providers == NULL)\n\t\tallowed_providers = xstrdup(DEFAULT_ALLOWED_PROVIDERS);\n\n\tif (ac == 0 && !c_flag && !s_flag) {\n\t\tshell = getenv(\"SHELL\");\n\t\tif (shell != NULL && (len = strlen(shell)) > 2 &&\n\t\t strncmp(shell + len - 3, \"csh\", 3) == 0)\n\t\t\tc_flag = 1;\n\t}\n\tif (k_flag) {\n\t\tconst char *errstr = NULL;\n\n\t\tpidstr = getenv(SSH_AGENTPID_ENV_NAME);\n\t\tif (pidstr == NULL) {\n\t\t\tfprintf(stderr, \"%s not set, cannot kill agent\\n\",\n\t\t\t SSH_AGENTPID_ENV_NAME);\n\t\t\texit(1);\n\t\t}\n\t\tpid = (int)strtonum(pidstr, 2, INT_MAX, &errstr);\n\t\tif (errstr) {\n\t\t\tfprintf(stderr,\n\t\t\t \"%s=\\\"%s\\\", which is not a good PID: %s\\n\",\n\t\t\t SSH_AGENTPID_ENV_NAME, pidstr, errstr);\n\t\t\texit(1);\n\t\t}\n\t\tif (kill(pid, SIGTERM) == -1) {\n\t\t\tperror(\"kill\");\n\t\t\texit(1);\n\t\t}\n\t\tformat = c_flag ? 
\"unsetenv %s;\\n\" : \"unset %s;\\n\";\n\t\tprintf(format, SSH_AUTHSOCKET_ENV_NAME);\n\t\tprintf(format, SSH_AGENTPID_ENV_NAME);\n\t\tprintf(\"echo Agent pid %ld killed;\\n\", (long)pid);\n\t\texit(0);\n\t}\n\n\t/*\n\t * Minimum file descriptors:\n\t * stdio (3) + listener (1) + syslog (1 maybe) + connection (1) +\n\t * a few spare for libc / stack protectors / sanitisers, etc.\n\t */\n#define SSH_AGENT_MIN_FDS (3+1+1+1+4)\n\tif (rlim.rlim_cur < SSH_AGENT_MIN_FDS)\n\t\tfatal(\"%s: file descriptor rlimit %lld too low (minimum %u)\",\n\t\t __progname, (long long)rlim.rlim_cur, SSH_AGENT_MIN_FDS);\n\tmaxfds = rlim.rlim_cur - SSH_AGENT_MIN_FDS;\n\n\tparent_pid = getpid();\n\n\tif (agentsocket == NULL) {\n\t\t/* Create private directory for agent socket */\n\t\tmktemp_proto(socket_dir, sizeof(socket_dir));\n\t\tif (mkdtemp(socket_dir) == NULL) {\n\t\t\tperror(\"mkdtemp: private socket dir\");\n\t\t\texit(1);\n\t\t}\n\t\tsnprintf(socket_name, sizeof socket_name, \"%s/agent.%ld\", socket_dir,\n\t\t (long)parent_pid);\n\t} else {\n\t\t/* Try to use specified agent socket */\n\t\tsocket_dir[0] = '\\0';\n\t\tstrlcpy(socket_name, agentsocket, sizeof socket_name);\n\t}\n\n\t/*\n\t * Create socket early so it will exist before command gets run from\n\t * the parent.\n\t */\n\tprev_mask = umask(0177);\n\tsock = unix_listener(socket_name, SSH_LISTEN_BACKLOG, 0);\n\tif (sock < 0) {\n\t\t/* XXX - unix_listener() calls error() not perror() */\n\t\t*socket_name = '\\0'; /* Don't unlink any existing file */\n\t\tcleanup_exit(1);\n\t}\n\tumask(prev_mask);\n\n\t/*\n\t * Fork, and have the parent execute the command, if any, or present\n\t * the socket data. The child continues as the authentication agent.\n\t */\n\tif (D_flag || d_flag) {\n\t\tlog_init(__progname,\n\t\t d_flag ? SYSLOG_LEVEL_DEBUG3 : SYSLOG_LEVEL_INFO,\n\t\t SYSLOG_FACILITY_AUTH, 1);\n\t\tformat = c_flag ? 
\"setenv %s %s;\\n\" : \"%s=%s; export %s;\\n\";\n\t\tprintf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,\n\t\t SSH_AUTHSOCKET_ENV_NAME);\n\t\tprintf(\"echo Agent pid %ld;\\n\", (long)parent_pid);\n\t\tfflush(stdout);\n\t\tgoto skip;\n\t}\n\tpid = fork();\n\tif (pid == -1) {\n\t\tperror(\"fork\");\n\t\tcleanup_exit(1);\n\t}\n\tif (pid != 0) {\t\t/* Parent - execute the given command. */\n\t\tclose(sock);\n\t\tsnprintf(pidstrbuf, sizeof pidstrbuf, \"%ld\", (long)pid);\n\t\tif (ac == 0) {\n\t\t\tformat = c_flag ? \"setenv %s %s;\\n\" : \"%s=%s; export %s;\\n\";\n\t\t\tprintf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,\n\t\t\t SSH_AUTHSOCKET_ENV_NAME);\n\t\t\tprintf(format, SSH_AGENTPID_ENV_NAME, pidstrbuf,\n\t\t\t SSH_AGENTPID_ENV_NAME);\n\t\t\tprintf(\"echo Agent pid %ld;\\n\", (long)pid);\n\t\t\texit(0);\n\t\t}\n\t\tif (setenv(SSH_AUTHSOCKET_ENV_NAME, socket_name, 1) == -1 ||\n\t\t setenv(SSH_AGENTPID_ENV_NAME, pidstrbuf, 1) == -1) {\n\t\t\tperror(\"setenv\");\n\t\t\texit(1);\n\t\t}\n\t\texecvp(av[0], av);\n\t\tperror(av[0]);\n\t\texit(1);\n\t}\n\t/* child */\n\tlog_init(__progname, SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_AUTH, 0);\n\n\tif (setsid() == -1) {\n\t\terror(\"setsid: %s\", strerror(errno));\n\t\tcleanup_exit(1);\n\t}\n\n\t(void)chdir(\"/\");\n\tif (stdfd_devnull(1, 1, 1) == -1)\n\t\terror_f(\"stdfd_devnull failed\");\n\n#ifdef HAVE_SETRLIMIT\n\t/* deny core dumps, since memory contains unencrypted private keys */\n\trlim.rlim_cur = rlim.rlim_max = 0;\n\tif (setrlimit(RLIMIT_CORE, &rlim) == -1) {\n\t\terror(\"setrlimit RLIMIT_CORE: %s\", strerror(errno));\n\t\tcleanup_exit(1);\n\t}\n#endif\n\nskip:\n\n\tcleanup_pid = getpid();\n\n#ifdef ENABLE_PKCS11\n\tpkcs11_init(0);\n#endif\n\tnew_socket(AUTH_SOCKET, sock);\n\tif (ac > 0)\n\t\tparent_alive_interval = 10;\n\tidtab_init();\n\tssh_signal(SIGPIPE, SIG_IGN);\n\tssh_signal(SIGINT, (d_flag | D_flag) ? 
cleanup_handler : SIG_IGN);\n\tssh_signal(SIGHUP, cleanup_handler);\n\tssh_signal(SIGTERM, cleanup_handler);\n\n\tif (pledge(\"stdio rpath cpath unix id proc exec\", NULL) == -1)\n\t\tfatal(\"%s: pledge: %s\", __progname, strerror(errno));\n\tplatform_pledge_agent();\n\n\twhile (1) {\n\t\tprepare_poll(&pfd, &npfd, &timeout, maxfds);\n\t\tresult = poll(pfd, npfd, timeout);\n\t\tsaved_errno = errno;\n\t\tif (parent_alive_interval != 0)\n\t\t\tcheck_parent_exists();\n\t\t(void) reaper();\t/* remove expired keys */\n\t\tif (result == -1) {\n\t\t\tif (saved_errno == EINTR)\n\t\t\t\tcontinue;\n\t\t\tfatal(\"poll: %s\", strerror(saved_errno));\n\t\t} else if (result > 0)\n\t\t\tafter_poll(pfd, npfd, maxfds);\n\t}\n\t/* NOTREACHED */\n}", "project": "openssh-portable", "hash": 236041941261918951253961077096740691282, "size": 271, "commit_id": "e04fd6dde16de1cdc5a4d9946397ff60d96568db", "message": "upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own\n\nfunction and remove an unused variable; ok dtucker@\n\nOpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559", "target": 0, "dataset": "other", "idx": 400204 }, { "func": "parse_key_constraints(struct sshbuf *m, struct sshkey *k, time_t *deathp,\n u_int *secondsp, int *confirmp, char **sk_providerp)\n{\n\tu_char ctype;\n\tint r;\n\tu_int seconds, maxsign = 0;\n\n\twhile (sshbuf_len(m)) {\n\t\tif ((r = sshbuf_get_u8(m, &ctype)) != 0) {\n\t\t\terror_fr(r, \"parse constraint type\");\n\t\t\tgoto out;\n\t\t}\n\t\tswitch (ctype) {\n\t\tcase SSH_AGENT_CONSTRAIN_LIFETIME:\n\t\t\tif (*deathp != 0) {\n\t\t\t\terror_f(\"lifetime already set\");\n\t\t\t\tr = SSH_ERR_INVALID_FORMAT;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tif ((r = sshbuf_get_u32(m, &seconds)) != 0) {\n\t\t\t\terror_fr(r, \"parse lifetime constraint\");\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\t*deathp = monotime() + seconds;\n\t\t\t*secondsp = seconds;\n\t\t\tbreak;\n\t\tcase SSH_AGENT_CONSTRAIN_CONFIRM:\n\t\t\tif (*confirmp != 0) {\n\t\t\t\terror_f(\"confirm 
already set\");\n\t\t\t\tr = SSH_ERR_INVALID_FORMAT;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\t*confirmp = 1;\n\t\t\tbreak;\n\t\tcase SSH_AGENT_CONSTRAIN_MAXSIGN:\n\t\t\tif (k == NULL) {\n\t\t\t\terror_f(\"maxsign not valid here\");\n\t\t\t\tr = SSH_ERR_INVALID_FORMAT;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tif (maxsign != 0) {\n\t\t\t\terror_f(\"maxsign already set\");\n\t\t\t\tr = SSH_ERR_INVALID_FORMAT;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tif ((r = sshbuf_get_u32(m, &maxsign)) != 0) {\n\t\t\t\terror_fr(r, \"parse maxsign constraint\");\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tif ((r = sshkey_enable_maxsign(k, maxsign)) != 0) {\n\t\t\t\terror_fr(r, \"enable maxsign\");\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tbreak;\n\t\tcase SSH_AGENT_CONSTRAIN_EXTENSION:\n\t\t\tif ((r = parse_key_constraint_extension(m,\n\t\t\t sk_providerp)) != 0)\n\t\t\t\tgoto out; /* error already logged */\n\t\t\tbreak;\n\t\tdefault:\n\t\t\terror_f(\"Unknown constraint %d\", ctype);\n\t\t\tr = SSH_ERR_FEATURE_UNSUPPORTED;\n\t\t\tgoto out;\n\t\t}\n\t}\n\t/* success */\n\tr = 0;\n out:\n\treturn r;\n}", "project": "openssh-portable", "hash": 302547089865800792591833484855608026826, "size": 70, "commit_id": "e04fd6dde16de1cdc5a4d9946397ff60d96568db", "message": "upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own\n\nfunction and remove an unused variable; ok dtucker@\n\nOpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559", "target": 0, "dataset": "other", "idx": 400219 }, { "func": "httpMaybeRemovePublic(StoreEntry * e, Http::StatusCode status)\n{\n int remove = 0;\n int forbidden = 0;\n\n // If the incoming response already goes into a public entry, then there is\n // nothing to remove. 
This protects ready-for-collapsing entries as well.\n if (!EBIT_TEST(e->flags, KEY_PRIVATE))\n return;\n\n // If the new/incoming response cannot be stored, then it does not\n // compete with the old stored response for the public key, and the\n // old stored response should be left as is.\n if (e->mem_obj->request && !e->mem_obj->request->flags.cachable)\n return;\n\n switch (status) {\n\n case Http::scOkay:\n\n case Http::scNonAuthoritativeInformation:\n\n case Http::scMultipleChoices:\n\n case Http::scMovedPermanently:\n\n case Http::scFound:\n\n case Http::scSeeOther:\n\n case Http::scGone:\n\n case Http::scNotFound:\n remove = 1;\n\n break;\n\n case Http::scForbidden:\n\n case Http::scMethodNotAllowed:\n forbidden = 1;\n\n break;\n\n#if WORK_IN_PROGRESS\n\n case Http::scUnauthorized:\n forbidden = 1;\n\n break;\n\n#endif\n\n default:\n#if QUESTIONABLE\n /*\n * Any 2xx response should eject previously cached entities...\n */\n\n if (status >= 200 && status < 300)\n remove = 1;\n\n#endif\n\n break;\n }\n\n if (!remove && !forbidden)\n return;\n\n StoreEntry *pe = findPreviouslyCachedEntry(e);\n\n if (pe != NULL) {\n assert(e != pe);\n#if USE_HTCP\n neighborsHtcpClear(e, e->mem_obj->request, e->mem_obj->method, HTCP_CLR_INVALIDATION);\n#endif\n pe->release(true);\n }\n\n /** \\par\n * Also remove any cached HEAD response in case the object has\n * changed.\n */\n if (e->mem_obj->request)\n pe = storeGetPublicByRequestMethod(e->mem_obj->request, Http::METHOD_HEAD);\n else\n pe = storeGetPublic(e->mem_obj->storeId(), Http::METHOD_HEAD);\n\n if (pe != NULL) {\n assert(e != pe);\n#if USE_HTCP\n neighborsHtcpClear(e, e->mem_obj->request, HttpRequestMethod(Http::METHOD_HEAD), HTCP_CLR_INVALIDATION);\n#endif\n pe->release(true);\n }\n}", "project": "squid", "hash": 80586079574726957852984870026774951522, "size": 97, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing 
Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402301 }, { "func": "copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e, const String strConnection, const HttpRequest * request, HttpHeader * hdr_out, const int we_do_ranges, const Http::StateFlags &flags)\n{\n debugs(11, 5, \"httpBuildRequestHeader: \" << e->name << \": \" << e->value );\n\n switch (e->id) {\n\n /** \\par RFC 2616 sect 13.5.1 - Hop-by-Hop headers which Squid should not pass on. */\n\n case Http::HdrType::PROXY_AUTHORIZATION:\n /** \\par Proxy-Authorization:\n * Only pass on proxy authentication to peers for which\n * authentication forwarding is explicitly enabled\n */\n if (!flags.originpeer && flags.proxying && request->peer_login &&\n (strcmp(request->peer_login, \"PASS\") == 0 ||\n strcmp(request->peer_login, \"PROXYPASS\") == 0 ||\n strcmp(request->peer_login, \"PASSTHRU\") == 0)) {\n hdr_out->addEntry(e->clone());\n }\n break;\n\n /** \\par RFC 2616 sect 13.5.1 - Hop-by-Hop headers which Squid does not pass on. */\n\n case Http::HdrType::CONNECTION: /** \\par Connection: */\n case Http::HdrType::TE: /** \\par TE: */\n case Http::HdrType::KEEP_ALIVE: /** \\par Keep-Alive: */\n case Http::HdrType::PROXY_AUTHENTICATE: /** \\par Proxy-Authenticate: */\n case Http::HdrType::TRAILER: /** \\par Trailer: */\n case Http::HdrType::UPGRADE: /** \\par Upgrade: */\n case Http::HdrType::TRANSFER_ENCODING: /** \\par Transfer-Encoding: */\n break;\n\n /** \\par OTHER headers I haven't bothered to track down yet. 
*/\n\n case Http::HdrType::AUTHORIZATION:\n /** \\par WWW-Authorization:\n * Pass on WWW authentication */\n\n if (!flags.originpeer) {\n hdr_out->addEntry(e->clone());\n } else {\n /** \\note In accelerators, only forward authentication if enabled\n * (see also httpFixupAuthentication for special cases)\n */\n if (request->peer_login &&\n (strcmp(request->peer_login, \"PASS\") == 0 ||\n strcmp(request->peer_login, \"PASSTHRU\") == 0 ||\n strcmp(request->peer_login, \"PROXYPASS\") == 0)) {\n hdr_out->addEntry(e->clone());\n }\n }\n\n break;\n\n case Http::HdrType::HOST:\n /** \\par Host:\n * Normally Squid rewrites the Host: header.\n * However, there is one case when we don't: If the URL\n * went through our redirector and the admin configured\n * 'redir_rewrites_host' to be off.\n */\n if (request->peer_domain)\n hdr_out->putStr(Http::HdrType::HOST, request->peer_domain);\n else if (request->flags.redirected && !Config.onoff.redir_rewrites_host)\n hdr_out->addEntry(e->clone());\n else {\n SBuf authority = request->url.authority();\n hdr_out->putStr(Http::HdrType::HOST, authority.c_str());\n }\n\n break;\n\n case Http::HdrType::IF_MODIFIED_SINCE:\n /** \\par If-Modified-Since:\n * append unless we added our own,\n * but only if cache_miss_revalidate is enabled, or\n * the request is not cacheable, or\n * the request contains authentication credentials.\n * \\note at most one client's If-Modified-Since header can pass through\n */\n // XXX: need to check and cleanup the auth case so cacheable auth requests get cached.\n if (hdr_out->has(Http::HdrType::IF_MODIFIED_SINCE))\n break;\n else if (Config.onoff.cache_miss_revalidate || !request->flags.cachable || request->flags.auth)\n hdr_out->addEntry(e->clone());\n break;\n\n case Http::HdrType::IF_NONE_MATCH:\n /** \\par If-None-Match:\n * append if the wildcard '*' special case value is present, or\n * cache_miss_revalidate is disabled, or\n * the request is not cacheable in this proxy, or\n * the request contains 
authentication credentials.\n * \\note this header lists a set of responses for the server to elide sending. Squid added values are extending that set.\n */\n // XXX: need to check and cleanup the auth case so cacheable auth requests get cached.\n if (hdr_out->hasListMember(Http::HdrType::IF_MATCH, \"*\", ',') || Config.onoff.cache_miss_revalidate || !request->flags.cachable || request->flags.auth)\n hdr_out->addEntry(e->clone());\n break;\n\n case Http::HdrType::MAX_FORWARDS:\n /** \\par Max-Forwards:\n * pass only on TRACE or OPTIONS requests */\n if (request->method == Http::METHOD_TRACE || request->method == Http::METHOD_OPTIONS) {\n const int64_t hops = e->getInt64();\n\n if (hops > 0)\n hdr_out->putInt64(Http::HdrType::MAX_FORWARDS, hops - 1);\n }\n\n break;\n\n case Http::HdrType::VIA:\n /** \\par Via:\n * If Via is disabled then forward any received header as-is.\n * Otherwise leave for explicit updated addition later. */\n\n if (!Config.onoff.via)\n hdr_out->addEntry(e->clone());\n\n break;\n\n case Http::HdrType::RANGE:\n\n case Http::HdrType::IF_RANGE:\n\n case Http::HdrType::REQUEST_RANGE:\n /** \\par Range:, If-Range:, Request-Range:\n * Only pass if we accept ranges */\n if (!we_do_ranges)\n hdr_out->addEntry(e->clone());\n\n break;\n\n case Http::HdrType::PROXY_CONNECTION: // SHOULD ignore. 
But doing so breaks things.\n break;\n\n case Http::HdrType::CONTENT_LENGTH:\n // pass through unless we chunk; also, keeping this away from default\n // prevents request smuggling via Connection: Content-Length tricks\n if (!flags.chunked_request)\n hdr_out->addEntry(e->clone());\n break;\n\n case Http::HdrType::X_FORWARDED_FOR:\n\n case Http::HdrType::CACHE_CONTROL:\n /** \\par X-Forwarded-For:, Cache-Control:\n * handled specially by Squid, so leave off for now.\n * append these after the loop if needed */\n break;\n\n case Http::HdrType::FRONT_END_HTTPS:\n /** \\par Front-End-Https:\n * Pass thru only if peer is configured with front-end-https */\n if (!flags.front_end_https)\n hdr_out->addEntry(e->clone());\n\n break;\n\n default:\n /** \\par default.\n * pass on all other header fields\n * which are NOT listed by the special Connection: header. */\n\n if (strConnection.size()>0 && strListIsMember(&strConnection, e->name.termedBuf(), ',')) {\n debugs(11, 2, \"'\" << e->name << \"' header cropped by Connection: definition\");\n return;\n }\n\n hdr_out->addEntry(e->clone());\n }\n}", "project": "squid", "hash": 47816274928638449666370344858081702478, "size": 173, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402354 }, { "func": "tlsAttemptHandshake(ConnStateData *conn, PF *callback)\n{\n // TODO: maybe throw instead of returning -1\n // see https://github.com/squid-cache/squid/pull/81#discussion_r153053278\n int fd = conn->clientConnection->fd;\n auto session = fd_table[fd].ssl.get();\n\n errno = 0;\n\n#if USE_OPENSSL\n const auto ret = SSL_accept(session);\n if (ret > 0)\n return 1;\n\n const int xerrno = errno;\n const auto ssl_error = SSL_get_error(session, ret);\n\n switch (ssl_error) {\n\n case SSL_ERROR_WANT_READ:\n Comm::SetSelect(fd, COMM_SELECT_READ, callback, (callback ? conn : nullptr), 0);\n return 0;\n\n case SSL_ERROR_WANT_WRITE:\n Comm::SetSelect(fd, COMM_SELECT_WRITE, callback, (callback ? conn : nullptr), 0);\n return 0;\n\n case SSL_ERROR_SYSCALL:\n if (ret == 0) {\n debugs(83, 2, \"Error negotiating SSL connection on FD \" << fd << \": Aborted by client: \" << ssl_error);\n } else {\n debugs(83, (xerrno == ECONNRESET) ? 1 : 2, \"Error negotiating SSL connection on FD \" << fd << \": \" <<\n (xerrno == 0 ? 
Security::ErrorString(ssl_error) : xstrerr(xerrno)));\n }\n break;\n\n case SSL_ERROR_ZERO_RETURN:\n debugs(83, DBG_IMPORTANT, \"Error negotiating SSL connection on FD \" << fd << \": Closed by client\");\n break;\n\n default:\n debugs(83, DBG_IMPORTANT, \"Error negotiating SSL connection on FD \" <<\n fd << \": \" << Security::ErrorString(ssl_error) <<\n \" (\" << ssl_error << \"/\" << ret << \")\");\n }\n\n#elif USE_GNUTLS\n\n const auto x = gnutls_handshake(session);\n if (x == GNUTLS_E_SUCCESS)\n return 1;\n\n if (gnutls_error_is_fatal(x)) {\n debugs(83, 2, \"Error negotiating TLS on \" << conn->clientConnection << \": Aborted by client: \" << Security::ErrorString(x));\n\n } else if (x == GNUTLS_E_INTERRUPTED || x == GNUTLS_E_AGAIN) {\n const auto ioAction = (gnutls_record_get_direction(session)==0 ? COMM_SELECT_READ : COMM_SELECT_WRITE);\n Comm::SetSelect(fd, ioAction, callback, (callback ? conn : nullptr), 0);\n return 0;\n }\n\n#else\n // Performing TLS handshake should never be reachable without a TLS/SSL library.\n (void)session; // avoid compiler and static analysis complaints\n fatal(\"FATAL: HTTPS not supported by this Squid.\");\n#endif\n\n return -1;\n}", "project": "squid", "hash": 236014138705907601565578262944564688292, "size": 69, "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7", "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. 
Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.", "target": 0, "dataset": "other", "idx": 402378 }, { "func": "struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen,\n\t\t\t\t const void *param, u8 event, u32 timeout)\n{\n\tstruct hci_request req;\n\tstruct sk_buff *skb;\n\tint err = 0;\n\n\tbt_dev_dbg(hdev, \"\");\n\n\thci_req_init(&req, hdev);\n\n\thci_req_add_ev(&req, opcode, plen, param, event);\n\n\thdev->req_status = HCI_REQ_PEND;\n\n\terr = hci_req_run_skb(&req, hci_req_sync_complete);\n\tif (err < 0)\n\t\treturn ERR_PTR(err);\n\n\terr = wait_event_interruptible_timeout(hdev->req_wait_q,\n\t\t\thdev->req_status != HCI_REQ_PEND, timeout);\n\n\tif (err == -ERESTARTSYS)\n\t\treturn ERR_PTR(-EINTR);\n\n\tswitch (hdev->req_status) {\n\tcase HCI_REQ_DONE:\n\t\terr = -bt_to_errno(hdev->req_result);\n\t\tbreak;\n\n\tcase HCI_REQ_CANCELED:\n\t\terr = -hdev->req_result;\n\t\tbreak;\n\n\tdefault:\n\t\terr = -ETIMEDOUT;\n\t\tbreak;\n\t}\n\n\thdev->req_status = hdev->req_result = 0;\n\tskb = hdev->req_skb;\n\thdev->req_skb = NULL;\n\n\tbt_dev_dbg(hdev, \"end: err %d\", err);\n\n\tif (err < 0) {\n\t\tkfree_skb(skb);\n\t\treturn ERR_PTR(err);\n\t}\n\n\tif (!skb)\n\t\treturn ERR_PTR(-ENODATA);\n\n\treturn skb;\n}", "project": "linux", "hash": 334878474288642091574945220965333570843, "size": 55, "commit_id": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "message": "bluetooth: eliminate the potential race condition when removing the HCI controller\n\nThere is a possible race condition vulnerability between issuing a HCI\ncommand and removing the cont. 
Specifically, functions hci_req_sync()\nand hci_dev_do_close() can race each other like below:\n\nthread-A in hci_req_sync() | thread-B in hci_dev_do_close()\n | hci_req_sync_lock(hdev);\ntest_bit(HCI_UP, &hdev->flags); |\n... | test_and_clear_bit(HCI_UP, &hdev->flags)\nhci_req_sync_lock(hdev); |\n |\nIn this commit we alter the sequence in function hci_req_sync(). Hence,\nthe thread-A cannot issue th.\n\nSigned-off-by: Lin Ma \nCc: Marcel Holtmann \nFixes: 7c6a329e4447 (\"[Bluetooth] Fix regression from using default link policy\")\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 402491 }, { "func": "CryptRsaSign(\n\t TPMT_SIGNATURE *sigOut,\n\t OBJECT *key, // IN: key to use\n\t TPM2B_DIGEST *hIn, // IN: the digest to sign\n\t RAND_STATE *rand // IN: the random number generator\n\t // to use (mostly for testing)\n\t )\n{\n TPM_RC retVal = TPM_RC_SUCCESS;\n UINT16 modSize;\n size_t outlen;\n int padding;\n EVP_PKEY *pkey = NULL;\n EVP_PKEY_CTX *ctx = NULL;\n const EVP_MD *md;\n const char *digestname;\n TPMI_ALG_HASH hashAlg;\n\n // parameter checks\n pAssert(sigOut != NULL && key != NULL && hIn != NULL);\n modSize = key->publicArea.unique.rsa.t.size;\n // for all non-null signatures, the size is the size of the key modulus\n sigOut->signature.rsapss.sig.t.size = modSize;\n TEST(sigOut->sigAlg);\n\n switch(sigOut->sigAlg)\n {\n case ALG_NULL_VALUE:\n sigOut->signature.rsapss.sig.t.size = 0;\n return TPM_RC_SUCCESS;\n case ALG_RSAPSS_VALUE:\n padding = RSA_PKCS1_PSS_PADDING;\n hashAlg = sigOut->signature.rsapss.hash;\n break;\n case ALG_RSASSA_VALUE:\n padding = RSA_PKCS1_PADDING;\n hashAlg = sigOut->signature.rsassa.hash;\n break;\n default:\n ERROR_RETURN(TPM_RC_SCHEME);\n }\n\n digestname = GetDigestNameByHashAlg(hashAlg);\n if (digestname == NULL)\n ERROR_RETURN(TPM_RC_VALUE);\n\n md = EVP_get_digestbyname(digestname);\n if (md == NULL)\n ERROR_RETURN(TPM_RC_FAILURE);\n\n retVal = InitOpenSSLRSAPrivateKey(key, &pkey);\n if (retVal 
!= TPM_RC_SUCCESS)\n return retVal;\n\n ctx = EVP_PKEY_CTX_new(pkey, NULL);\n if (ctx == NULL ||\n EVP_PKEY_sign_init(ctx) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n\n if (EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 ||\n EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n\n outlen = sigOut->signature.rsapss.sig.t.size;\n if (EVP_PKEY_sign(ctx,\n sigOut->signature.rsapss.sig.t.buffer, &outlen,\n hIn->b.buffer, hIn->b.size) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n\n sigOut->signature.rsapss.sig.t.size = outlen;\n\n Exit:\n EVP_PKEY_free(pkey);\n EVP_PKEY_CTX_free(ctx);\n\n return retVal;\n}", "project": "libtpms", "hash": 329505039385839112886101915776837441529, "size": 77, "commit_id": "40cfe134c017d3aeaaed05ce71eaf9bfbe556b16", "message": "tpm2: Fix output buffer parameter and size for RSA decryption\n\nFor the RSA decryption we have to use an output buffer of the size of the\n(largest possible) RSA key for the decryption to always work.\n\nThis fixes a stack corruption bug that caused a SIGBUS and termination of\n'swtpm'.\n\nSigned-off-by: Stefan Berger ", "target": 0, "dataset": "other", "idx": 404488 }, { "func": "CryptRsaDecrypt(\n\t\tTPM2B *dOut, // OUT: the decrypted data\n\t\tTPM2B *cIn, // IN: the data to decrypt\n\t\tOBJECT *key, // IN: the key to use for decryption\n\t\tTPMT_RSA_DECRYPT *scheme, // IN: the padding scheme\n\t\tconst TPM2B *label // IN: in case it is needed for the scheme\n\t\t)\n{\n TPM_RC retVal;\n EVP_PKEY *pkey = NULL;\n EVP_PKEY_CTX *ctx = NULL;\n const EVP_MD *md = NULL;\n const char *digestname;\n size_t outlen;\n unsigned char *tmp = NULL;\n unsigned char buffer[MAX_RSA_KEY_BYTES];\n\n // Make sure that the necessary parameters are provided\n pAssert(cIn != NULL && dOut != NULL && key != NULL);\n // Size is checked to make sure that the encrypted value is the right size\n if(cIn->size != key->publicArea.unique.rsa.t.size)\n ERROR_RETURN(TPM_RC_SIZE);\n TEST(scheme->scheme);\n\n retVal = 
InitOpenSSLRSAPrivateKey(key, &pkey);\n if (retVal != TPM_RC_SUCCESS)\n return retVal;\n\n ctx = EVP_PKEY_CTX_new(pkey, NULL);\n if (ctx == NULL ||\n EVP_PKEY_decrypt_init(ctx) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n\n switch(scheme->scheme)\n\t{\n\t case ALG_NULL_VALUE: // 'raw' encryption\n if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_NO_PADDING) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n break;\n\t case ALG_RSAES_VALUE:\n if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n break;\n\t case ALG_OAEP_VALUE:\n digestname = GetDigestNameByHashAlg(scheme->details.oaep.hashAlg);\n if (digestname == NULL)\n ERROR_RETURN(TPM_RC_VALUE);\n\n md = EVP_get_digestbyname(digestname);\n if (md == NULL ||\n EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) <= 0 ||\n EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n\n if (label->size > 0) {\n tmp = malloc(label->size);\n if (tmp == NULL)\n ERROR_RETURN(TPM_RC_FAILURE);\n memcpy(tmp, label->buffer, label->size);\n }\n\n if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, tmp, label->size) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n tmp = NULL;\n break;\n\t default:\n ERROR_RETURN(TPM_RC_SCHEME);\n break;\n\t}\n\n /* cannot use cOut->buffer */\n outlen = sizeof(buffer);\n if (EVP_PKEY_decrypt(ctx, buffer, &outlen,\n cIn->buffer, cIn->size) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n\n if (outlen > dOut->size)\n ERROR_RETURN(TPM_RC_FAILURE);\n\n memcpy(dOut->buffer, buffer, outlen);\n dOut->size = outlen;\n\n retVal = TPM_RC_SUCCESS;\n\n Exit:\n EVP_PKEY_free(pkey);\n EVP_PKEY_CTX_free(ctx);\n free(tmp);\n\n return retVal;\n}", "project": "libtpms", "hash": 84935986072655399087103363215779446823, "size": 91, "commit_id": "40cfe134c017d3aeaaed05ce71eaf9bfbe556b16", "message": "tpm2: Fix output buffer parameter and size for RSA decryption\n\nFor the RSA decryption we have to use an output buffer of the size of the\n(largest possible) RSA key for the decryption to always 
work.\n\nThis fixes a stack corruption bug that caused a SIGBUS and termination of\n'swtpm'.\n\nSigned-off-by: Stefan Berger ", "target": 0, "dataset": "other", "idx": 404492 }, { "func": "CryptRsaValidateSignature(\n\t\t\t TPMT_SIGNATURE *sig, // IN: signature\n\t\t\t OBJECT *key, // IN: public modulus\n\t\t\t TPM2B_DIGEST *digest // IN: The digest being validated\n\t\t\t )\n{\n TPM_RC retVal;\n //\n // Fatal programming errors\n pAssert(key != NULL && sig != NULL && digest != NULL);\n switch(sig->sigAlg)\n\t{\n\t case ALG_RSAPSS_VALUE:\n\t case ALG_RSASSA_VALUE:\n\t break;\n\t default:\n\t return TPM_RC_SCHEME;\n\t}\n // Errors that might be caused by calling parameters\n if(sig->signature.rsassa.sig.t.size != key->publicArea.unique.rsa.t.size)\n\tERROR_RETURN(TPM_RC_SIGNATURE);\n TEST(sig->sigAlg);\n // Decrypt the block\n retVal = RSAEP(&sig->signature.rsassa.sig.b, key);\n if(retVal == TPM_RC_SUCCESS)\n\t{\n\t switch(sig->sigAlg)\n\t\t{\n\t\t case ALG_RSAPSS_VALUE:\n\t\t retVal = PssDecode(sig->signature.any.hashAlg, &digest->b,\n\t\t\t\t &sig->signature.rsassa.sig.b);\n\t\t break;\n\t\t case ALG_RSASSA_VALUE:\n\t\t retVal = RSASSA_Decode(sig->signature.any.hashAlg, &digest->b,\n\t\t\t\t\t &sig->signature.rsassa.sig.b);\n\t\t break;\n\t\t default:\n\t\t return TPM_RC_SCHEME;\n\t\t}\n\t}\n Exit:\n return (retVal != TPM_RC_SUCCESS) ? 
TPM_RC_SIGNATURE : TPM_RC_SUCCESS;\n}", "project": "libtpms", "hash": 323615386645690955900987316305760228741, "size": 43, "commit_id": "40cfe134c017d3aeaaed05ce71eaf9bfbe556b16", "message": "tpm2: Fix output buffer parameter and size for RSA decryption\n\nFor the RSA decryption we have to use an output buffer of the size of the\n(largest possible) RSA key for the decryption to always work.\n\nThis fixes a stack corruption bug that caused a SIGBUS and termination of\n'swtpm'.\n\nSigned-off-by: Stefan Berger ", "target": 0, "dataset": "other", "idx": 404498 }, { "func": "CryptRsaValidateSignature(\n\t\t\t TPMT_SIGNATURE *sig, // IN: signature\n\t\t\t OBJECT *key, // IN: public modulus\n\t\t\t TPM2B_DIGEST *digest // IN: The digest being validated\n\t\t\t )\n{\n TPM_RC retVal;\n int padding;\n EVP_PKEY *pkey = NULL;\n EVP_PKEY_CTX *ctx = NULL;\n const EVP_MD *md;\n const char *digestname;\n\n //\n // Fatal programming errors\n pAssert(key != NULL && sig != NULL && digest != NULL);\n switch(sig->sigAlg)\n\t{\n\t case ALG_RSAPSS_VALUE:\n\t padding = RSA_PKCS1_PSS_PADDING;\n\t break;\n\t case ALG_RSASSA_VALUE:\n\t padding = RSA_PKCS1_PADDING;\n\t break;\n\t default:\n\t return TPM_RC_SCHEME;\n\t}\n // Errors that might be caused by calling parameters\n if(sig->signature.rsassa.sig.t.size != key->publicArea.unique.rsa.t.size)\n\tERROR_RETURN(TPM_RC_SIGNATURE);\n TEST(sig->sigAlg);\n\n retVal = InitOpenSSLRSAPublicKey(key, &pkey);\n if (retVal != TPM_RC_SUCCESS)\n return retVal;\n\n digestname = GetDigestNameByHashAlg(sig->signature.any.hashAlg);\n if (digestname == NULL)\n ERROR_RETURN(TPM_RC_VALUE);\n\n md = EVP_get_digestbyname(digestname);\n ctx = EVP_PKEY_CTX_new(pkey, NULL);\n if (md == NULL || ctx == NULL ||\n EVP_PKEY_verify_init(ctx) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n\n if (EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 ||\n EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0)\n ERROR_RETURN(TPM_RC_FAILURE);\n\n if (EVP_PKEY_verify(ctx,\n 
sig->signature.rsassa.sig.t.buffer, sig->signature.rsassa.sig.t.size,\n digest->t.buffer, digest->t.size) <= 0)\n ERROR_RETURN(TPM_RC_SIGNATURE);\n\n retVal = TPM_RC_SUCCESS;\n\n Exit:\n EVP_PKEY_free(pkey);\n EVP_PKEY_CTX_free(ctx);\n\n return (retVal != TPM_RC_SUCCESS) ? TPM_RC_SIGNATURE : TPM_RC_SUCCESS;\n}", "project": "libtpms", "hash": 243238253409032269871735114238117674056, "size": 63, "commit_id": "40cfe134c017d3aeaaed05ce71eaf9bfbe556b16", "message": "tpm2: Fix output buffer parameter and size for RSA decryption\n\nFor the RSA decryption we have to use an output buffer of the size of the\n(largest possible) RSA key for the decryption to always work.\n\nThis fixes a stack corruption bug that caused a SIGBUS and termination of\n'swtpm'.\n\nSigned-off-by: Stefan Berger ", "target": 0, "dataset": "other", "idx": 404500 }, { "func": "CryptRsaSign(\n\t TPMT_SIGNATURE *sigOut,\n\t OBJECT *key, // IN: key to use\n\t TPM2B_DIGEST *hIn, // IN: the digest to sign\n\t RAND_STATE *rand // IN: the random number generator\n\t // to use (mostly for testing)\n\t )\n{\n TPM_RC retVal = TPM_RC_SUCCESS;\n UINT16 modSize;\n // parameter checks\n pAssert(sigOut != NULL && key != NULL && hIn != NULL);\n modSize = key->publicArea.unique.rsa.t.size;\n // for all non-null signatures, the size is the size of the key modulus\n sigOut->signature.rsapss.sig.t.size = modSize;\n TEST(sigOut->sigAlg);\n switch(sigOut->sigAlg)\n\t{\n\t case ALG_NULL_VALUE:\n\t sigOut->signature.rsapss.sig.t.size = 0;\n\t return TPM_RC_SUCCESS;\n\t case ALG_RSAPSS_VALUE:\n\t retVal = PssEncode(&sigOut->signature.rsapss.sig.b,\n\t\t\t sigOut->signature.rsapss.hash, &hIn->b, rand);\n\t break;\n\t case ALG_RSASSA_VALUE:\n\t retVal = RSASSA_Encode(&sigOut->signature.rsassa.sig.b,\n\t\t\t\t sigOut->signature.rsassa.hash, &hIn->b);\n\t break;\n\t default:\n\t retVal = TPM_RC_SCHEME;\n\t}\n if(retVal == TPM_RC_SUCCESS)\n\t{\n\t // Do the encryption using the private key\n\t retVal = 
RSADP(&sigOut->signature.rsapss.sig.b, key);\n\t}\n return retVal;\n}", "project": "libtpms", "hash": 51916080698963362426359677995635194996, "size": 39, "commit_id": "40cfe134c017d3aeaaed05ce71eaf9bfbe556b16", "message": "tpm2: Fix output buffer parameter and size for RSA decryption\n\nFor the RSA decryption we have to use an output buffer of the size of the\n(largest possible) RSA key for the decryption to always work.\n\nThis fixes a stack corruption bug that caused a SIGBUS and termination of\n'swtpm'.\n\nSigned-off-by: Stefan Berger ", "target": 0, "dataset": "other", "idx": 404507 }, { "func": "handle_delete_command(GraphicsManager *self, const GraphicsCommand *g, Cursor *c, bool *is_dirty, CellPixelSize cell) {\n static GraphicsCommand d;\n switch (g->delete_action) {\n#define I(u, data, func) filter_refs(self, data, g->delete_action == u, func, cell); *is_dirty = true; break\n#define D(l, u, data, func) case l: case u: I(u, data, func)\n#define G(l, u, func) D(l, u, g, func)\n case 0:\n D('a', 'A', NULL, clear_filter_func);\n D('i', 'I', &g->id, id_filter_func);\n G('p', 'P', point_filter_func);\n G('q', 'Q', point3d_filter_func);\n G('x', 'X', x_filter_func);\n G('y', 'Y', y_filter_func);\n G('z', 'Z', z_filter_func);\n case 'c':\n case 'C':\n d.x_offset = c->x + 1; d.y_offset = c->y + 1;\n I('C', &d, point_filter_func);\n default:\n REPORT_ERROR(\"Unknown graphics command delete action: %c\", g->delete_action);\n break;\n#undef G\n#undef D\n#undef I\n }\n if (!self->image_count && self->count) self->count = 0;\n}", "project": "kitty", "hash": 146096056004919235370289197828304944150, "size": 27, "commit_id": "82c137878c2b99100a3cdc1c0f0efea069313901", "message": "Graphics protocol: Dont return filename in the error message when opening file fails, since filenames can contain control characters\n\nFixes #3128", "target": 0, "dataset": "other", "idx": 412009 }, { "func": "grman_handle_command(GraphicsManager *self, const GraphicsCommand *g, const uint8_t 
*payload, Cursor *c, bool *is_dirty, CellPixelSize cell) {\n const char *ret = NULL;\n\n switch(g->action) {\n case 0:\n case 't':\n case 'T':\n case 'q': {\n uint32_t iid = g->id, q_iid = iid;\n if (g->action == 'q') { iid = 0; if (!q_iid) { REPORT_ERROR(\"Query graphics command without image id\"); break; } }\n Image *image = handle_add_command(self, g, payload, is_dirty, iid);\n ret = create_add_response(self, image != NULL, g->action == 'q' ? q_iid: self->last_init_graphics_command.id);\n if (self->last_init_graphics_command.action == 'T' && image && image->data_loaded) handle_put_command(self, &self->last_init_graphics_command, c, is_dirty, image, cell);\n id_type added_image_id = image ? image->internal_id : 0;\n if (g->action == 'q') remove_images(self, add_trim_predicate, 0);\n if (self->used_storage > STORAGE_LIMIT) apply_storage_quota(self, STORAGE_LIMIT, added_image_id);\n break;\n }\n case 'p':\n if (!g->id) {\n REPORT_ERROR(\"Put graphics command without image id\");\n break;\n }\n handle_put_command(self, g, c, is_dirty, NULL, cell);\n ret = create_add_response(self, true, g->id);\n break;\n case 'd':\n handle_delete_command(self, g, c, is_dirty, cell);\n break;\n default:\n REPORT_ERROR(\"Unknown graphics command action: %c\", g->action);\n break;\n }\n return ret;\n}", "project": "kitty", "hash": 11997148625610745627643699139636683633, "size": 35, "commit_id": "82c137878c2b99100a3cdc1c0f0efea069313901", "message": "Graphics protocol: Dont return filename in the error message when opening file fails, since filenames can contain control characters\n\nFixes #3128", "target": 0, "dataset": "other", "idx": 412012 }, { "func": "zlib_strerror(int ret) {\n#define Z(x) case x: return #x;\n static char buf[128];\n switch(ret) {\n case Z_ERRNO:\n return strerror(errno);\n default:\n snprintf(buf, sizeof(buf)/sizeof(buf[0]), \"Unknown error: %d\", ret);\n return buf;\n Z(Z_STREAM_ERROR);\n Z(Z_DATA_ERROR);\n Z(Z_MEM_ERROR);\n Z(Z_BUF_ERROR);\n 
Z(Z_VERSION_ERROR);\n }\n#undef Z\n}", "project": "kitty", "hash": 217953607852283844117581011568057036735, "size": 17, "commit_id": "82c137878c2b99100a3cdc1c0f0efea069313901", "message": "Graphics protocol: Dont return filename in the error message when opening file fails, since filenames can contain control characters\n\nFixes #3128", "target": 0, "dataset": "other", "idx": 412027 }, { "func": "usbtest_do_ioctl(struct usb_interface *intf, struct usbtest_param_32 *param)\n{\n\tstruct usbtest_dev\t*dev = usb_get_intfdata(intf);\n\tstruct usb_device\t*udev = testdev_to_usbdev(dev);\n\tstruct urb\t\t*urb;\n\tstruct scatterlist\t*sg;\n\tstruct usb_sg_request\treq;\n\tunsigned\t\ti;\n\tint\tretval = -EOPNOTSUPP;\n\n\tif (param->iterations <= 0)\n\t\treturn -EINVAL;\n\tif (param->sglen > MAX_SGLEN)\n\t\treturn -EINVAL;\n\t/*\n\t * Just a bunch of test cases that every HCD is expected to handle.\n\t *\n\t * Some may need specific firmware, though it'd be good to have\n\t * one firmware image to handle all the test cases.\n\t *\n\t * FIXME add more tests! 
cancel requests, verify the data, control\n\t * queueing, concurrent read+write threads, and so on.\n\t */\n\tswitch (param->test_num) {\n\n\tcase 0:\n\t\tdev_info(&intf->dev, \"TEST 0: NOP\\n\");\n\t\tretval = 0;\n\t\tbreak;\n\n\t/* Simple non-queued bulk I/O tests */\n\tcase 1:\n\t\tif (dev->out_pipe == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\t\"TEST 1: write %d bytes %u times\\n\",\n\t\t\t\tparam->length, param->iterations);\n\t\turb = simple_alloc_urb(udev, dev->out_pipe, param->length, 0);\n\t\tif (!urb) {\n\t\t\tretval = -ENOMEM;\n\t\t\tbreak;\n\t\t}\n\t\t/* FIRMWARE: bulk sink (maybe accepts short writes) */\n\t\tretval = simple_io(dev, urb, param->iterations, 0, 0, \"test1\");\n\t\tsimple_free_urb(urb);\n\t\tbreak;\n\tcase 2:\n\t\tif (dev->in_pipe == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\t\"TEST 2: read %d bytes %u times\\n\",\n\t\t\t\tparam->length, param->iterations);\n\t\turb = simple_alloc_urb(udev, dev->in_pipe, param->length, 0);\n\t\tif (!urb) {\n\t\t\tretval = -ENOMEM;\n\t\t\tbreak;\n\t\t}\n\t\t/* FIRMWARE: bulk source (maybe generates short writes) */\n\t\tretval = simple_io(dev, urb, param->iterations, 0, 0, \"test2\");\n\t\tsimple_free_urb(urb);\n\t\tbreak;\n\tcase 3:\n\t\tif (dev->out_pipe == 0 || param->vary == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\t\"TEST 3: write/%d 0..%d bytes %u times\\n\",\n\t\t\t\tparam->vary, param->length, param->iterations);\n\t\turb = simple_alloc_urb(udev, dev->out_pipe, param->length, 0);\n\t\tif (!urb) {\n\t\t\tretval = -ENOMEM;\n\t\t\tbreak;\n\t\t}\n\t\t/* FIRMWARE: bulk sink (maybe accepts short writes) */\n\t\tretval = simple_io(dev, urb, param->iterations, param->vary,\n\t\t\t\t\t0, \"test3\");\n\t\tsimple_free_urb(urb);\n\t\tbreak;\n\tcase 4:\n\t\tif (dev->in_pipe == 0 || param->vary == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\t\"TEST 4: read/%d 0..%d bytes %u times\\n\",\n\t\t\t\tparam->vary, param->length, param->iterations);\n\t\turb = simple_alloc_urb(udev, 
dev->in_pipe, param->length, 0);\n\t\tif (!urb) {\n\t\t\tretval = -ENOMEM;\n\t\t\tbreak;\n\t\t}\n\t\t/* FIRMWARE: bulk source (maybe generates short writes) */\n\t\tretval = simple_io(dev, urb, param->iterations, param->vary,\n\t\t\t\t\t0, \"test4\");\n\t\tsimple_free_urb(urb);\n\t\tbreak;\n\n\t/* Queued bulk I/O tests */\n\tcase 5:\n\t\tif (dev->out_pipe == 0 || param->sglen == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 5: write %d sglists %d entries of %d bytes\\n\",\n\t\t\t\tparam->iterations,\n\t\t\t\tparam->sglen, param->length);\n\t\tsg = alloc_sglist(param->sglen, param->length,\n\t\t\t\t0, dev, dev->out_pipe);\n\t\tif (!sg) {\n\t\t\tretval = -ENOMEM;\n\t\t\tbreak;\n\t\t}\n\t\t/* FIRMWARE: bulk sink (maybe accepts short writes) */\n\t\tretval = perform_sglist(dev, param->iterations, dev->out_pipe,\n\t\t\t\t&req, sg, param->sglen);\n\t\tfree_sglist(sg, param->sglen);\n\t\tbreak;\n\n\tcase 6:\n\t\tif (dev->in_pipe == 0 || param->sglen == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 6: read %d sglists %d entries of %d bytes\\n\",\n\t\t\t\tparam->iterations,\n\t\t\t\tparam->sglen, param->length);\n\t\tsg = alloc_sglist(param->sglen, param->length,\n\t\t\t\t0, dev, dev->in_pipe);\n\t\tif (!sg) {\n\t\t\tretval = -ENOMEM;\n\t\t\tbreak;\n\t\t}\n\t\t/* FIRMWARE: bulk source (maybe generates short writes) */\n\t\tretval = perform_sglist(dev, param->iterations, dev->in_pipe,\n\t\t\t\t&req, sg, param->sglen);\n\t\tfree_sglist(sg, param->sglen);\n\t\tbreak;\n\tcase 7:\n\t\tif (dev->out_pipe == 0 || param->sglen == 0 || param->vary == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 7: write/%d %d sglists %d entries 0..%d bytes\\n\",\n\t\t\t\tparam->vary, param->iterations,\n\t\t\t\tparam->sglen, param->length);\n\t\tsg = alloc_sglist(param->sglen, param->length,\n\t\t\t\tparam->vary, dev, dev->out_pipe);\n\t\tif (!sg) {\n\t\t\tretval = -ENOMEM;\n\t\t\tbreak;\n\t\t}\n\t\t/* FIRMWARE: bulk sink (maybe accepts short writes) */\n\t\tretval = 
perform_sglist(dev, param->iterations, dev->out_pipe,\n\t\t\t\t&req, sg, param->sglen);\n\t\tfree_sglist(sg, param->sglen);\n\t\tbreak;\n\tcase 8:\n\t\tif (dev->in_pipe == 0 || param->sglen == 0 || param->vary == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 8: read/%d %d sglists %d entries 0..%d bytes\\n\",\n\t\t\t\tparam->vary, param->iterations,\n\t\t\t\tparam->sglen, param->length);\n\t\tsg = alloc_sglist(param->sglen, param->length,\n\t\t\t\tparam->vary, dev, dev->in_pipe);\n\t\tif (!sg) {\n\t\t\tretval = -ENOMEM;\n\t\t\tbreak;\n\t\t}\n\t\t/* FIRMWARE: bulk source (maybe generates short writes) */\n\t\tretval = perform_sglist(dev, param->iterations, dev->in_pipe,\n\t\t\t\t&req, sg, param->sglen);\n\t\tfree_sglist(sg, param->sglen);\n\t\tbreak;\n\n\t/* non-queued sanity tests for control (chapter 9 subset) */\n\tcase 9:\n\t\tretval = 0;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 9: ch9 (subset) control tests, %d times\\n\",\n\t\t\t\tparam->iterations);\n\t\tfor (i = param->iterations; retval == 0 && i--; /* NOP */)\n\t\t\tretval = ch9_postconfig(dev);\n\t\tif (retval)\n\t\t\tdev_err(&intf->dev, \"ch9 subset failed, \"\n\t\t\t\t\t\"iterations left %d\\n\", i);\n\t\tbreak;\n\n\t/* queued control messaging */\n\tcase 10:\n\t\tretval = 0;\n\t\tdev_info(&intf->dev,\n\t\t\t\t\"TEST 10: queue %d control calls, %d times\\n\",\n\t\t\t\tparam->sglen,\n\t\t\t\tparam->iterations);\n\t\tretval = test_ctrl_queue(dev, param);\n\t\tbreak;\n\n\t/* simple non-queued unlinks (ring with one urb) */\n\tcase 11:\n\t\tif (dev->in_pipe == 0 || !param->length)\n\t\t\tbreak;\n\t\tretval = 0;\n\t\tdev_info(&intf->dev, \"TEST 11: unlink %d reads of %d\\n\",\n\t\t\t\tparam->iterations, param->length);\n\t\tfor (i = param->iterations; retval == 0 && i--; /* NOP */)\n\t\t\tretval = unlink_simple(dev, dev->in_pipe,\n\t\t\t\t\t\tparam->length);\n\t\tif (retval)\n\t\t\tdev_err(&intf->dev, \"unlink reads failed %d, \"\n\t\t\t\t\"iterations left %d\\n\", retval, i);\n\t\tbreak;\n\tcase 
12:\n\t\tif (dev->out_pipe == 0 || !param->length)\n\t\t\tbreak;\n\t\tretval = 0;\n\t\tdev_info(&intf->dev, \"TEST 12: unlink %d writes of %d\\n\",\n\t\t\t\tparam->iterations, param->length);\n\t\tfor (i = param->iterations; retval == 0 && i--; /* NOP */)\n\t\t\tretval = unlink_simple(dev, dev->out_pipe,\n\t\t\t\t\t\tparam->length);\n\t\tif (retval)\n\t\t\tdev_err(&intf->dev, \"unlink writes failed %d, \"\n\t\t\t\t\"iterations left %d\\n\", retval, i);\n\t\tbreak;\n\n\t/* ep halt tests */\n\tcase 13:\n\t\tif (dev->out_pipe == 0 && dev->in_pipe == 0)\n\t\t\tbreak;\n\t\tretval = 0;\n\t\tdev_info(&intf->dev, \"TEST 13: set/clear %d halts\\n\",\n\t\t\t\tparam->iterations);\n\t\tfor (i = param->iterations; retval == 0 && i--; /* NOP */)\n\t\t\tretval = halt_simple(dev);\n\n\t\tif (retval)\n\t\t\tERROR(dev, \"halts failed, iterations left %d\\n\", i);\n\t\tbreak;\n\n\t/* control write tests */\n\tcase 14:\n\t\tif (!dev->info->ctrl_out)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev, \"TEST 14: %d ep0out, %d..%d vary %d\\n\",\n\t\t\t\tparam->iterations,\n\t\t\t\trealworld ? 
1 : 0, param->length,\n\t\t\t\tparam->vary);\n\t\tretval = ctrl_out(dev, param->iterations,\n\t\t\t\tparam->length, param->vary, 0);\n\t\tbreak;\n\n\t/* iso write tests */\n\tcase 15:\n\t\tif (dev->out_iso_pipe == 0 || param->sglen == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 15: write %d iso, %d entries of %d bytes\\n\",\n\t\t\t\tparam->iterations,\n\t\t\t\tparam->sglen, param->length);\n\t\t/* FIRMWARE: iso sink */\n\t\tretval = test_queue(dev, param,\n\t\t\t\tdev->out_iso_pipe, dev->iso_out, 0);\n\t\tbreak;\n\n\t/* iso read tests */\n\tcase 16:\n\t\tif (dev->in_iso_pipe == 0 || param->sglen == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 16: read %d iso, %d entries of %d bytes\\n\",\n\t\t\t\tparam->iterations,\n\t\t\t\tparam->sglen, param->length);\n\t\t/* FIRMWARE: iso source */\n\t\tretval = test_queue(dev, param,\n\t\t\t\tdev->in_iso_pipe, dev->iso_in, 0);\n\t\tbreak;\n\n\t/* FIXME scatterlist cancel (needs helper thread) */\n\n\t/* Tests for bulk I/O using DMA mapping by core and odd address */\n\tcase 17:\n\t\tif (dev->out_pipe == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 17: write odd addr %d bytes %u times core map\\n\",\n\t\t\tparam->length, param->iterations);\n\n\t\tretval = test_unaligned_bulk(\n\t\t\t\tdev, dev->out_pipe,\n\t\t\t\tparam->length, param->iterations,\n\t\t\t\t0, \"test17\");\n\t\tbreak;\n\n\tcase 18:\n\t\tif (dev->in_pipe == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 18: read odd addr %d bytes %u times core map\\n\",\n\t\t\tparam->length, param->iterations);\n\n\t\tretval = test_unaligned_bulk(\n\t\t\t\tdev, dev->in_pipe,\n\t\t\t\tparam->length, param->iterations,\n\t\t\t\t0, \"test18\");\n\t\tbreak;\n\n\t/* Tests for bulk I/O using premapped coherent buffer and odd address */\n\tcase 19:\n\t\tif (dev->out_pipe == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 19: write odd addr %d bytes %u times premapped\\n\",\n\t\t\tparam->length, param->iterations);\n\n\t\tretval = 
test_unaligned_bulk(\n\t\t\t\tdev, dev->out_pipe,\n\t\t\t\tparam->length, param->iterations,\n\t\t\t\tURB_NO_TRANSFER_DMA_MAP, \"test19\");\n\t\tbreak;\n\n\tcase 20:\n\t\tif (dev->in_pipe == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 20: read odd addr %d bytes %u times premapped\\n\",\n\t\t\tparam->length, param->iterations);\n\n\t\tretval = test_unaligned_bulk(\n\t\t\t\tdev, dev->in_pipe,\n\t\t\t\tparam->length, param->iterations,\n\t\t\t\tURB_NO_TRANSFER_DMA_MAP, \"test20\");\n\t\tbreak;\n\n\t/* control write tests with unaligned buffer */\n\tcase 21:\n\t\tif (!dev->info->ctrl_out)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\t\"TEST 21: %d ep0out odd addr, %d..%d vary %d\\n\",\n\t\t\t\tparam->iterations,\n\t\t\t\trealworld ? 1 : 0, param->length,\n\t\t\t\tparam->vary);\n\t\tretval = ctrl_out(dev, param->iterations,\n\t\t\t\tparam->length, param->vary, 1);\n\t\tbreak;\n\n\t/* unaligned iso tests */\n\tcase 22:\n\t\tif (dev->out_iso_pipe == 0 || param->sglen == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 22: write %d iso odd, %d entries of %d bytes\\n\",\n\t\t\t\tparam->iterations,\n\t\t\t\tparam->sglen, param->length);\n\t\tretval = test_queue(dev, param,\n\t\t\t\tdev->out_iso_pipe, dev->iso_out, 1);\n\t\tbreak;\n\n\tcase 23:\n\t\tif (dev->in_iso_pipe == 0 || param->sglen == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 23: read %d iso odd, %d entries of %d bytes\\n\",\n\t\t\t\tparam->iterations,\n\t\t\t\tparam->sglen, param->length);\n\t\tretval = test_queue(dev, param,\n\t\t\t\tdev->in_iso_pipe, dev->iso_in, 1);\n\t\tbreak;\n\n\t/* unlink URBs from a bulk-OUT queue */\n\tcase 24:\n\t\tif (dev->out_pipe == 0 || !param->length || param->sglen < 4)\n\t\t\tbreak;\n\t\tretval = 0;\n\t\tdev_info(&intf->dev, \"TEST 24: unlink from %d queues of \"\n\t\t\t\t\"%d %d-byte writes\\n\",\n\t\t\t\tparam->iterations, param->sglen, param->length);\n\t\tfor (i = param->iterations; retval == 0 && i > 0; --i) {\n\t\t\tretval = 
unlink_queued(dev, dev->out_pipe,\n\t\t\t\t\t\tparam->sglen, param->length);\n\t\t\tif (retval) {\n\t\t\t\tdev_err(&intf->dev,\n\t\t\t\t\t\"unlink queued writes failed %d, \"\n\t\t\t\t\t\"iterations left %d\\n\", retval, i);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\t/* Simple non-queued interrupt I/O tests */\n\tcase 25:\n\t\tif (dev->out_int_pipe == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\t\"TEST 25: write %d bytes %u times\\n\",\n\t\t\t\tparam->length, param->iterations);\n\t\turb = simple_alloc_urb(udev, dev->out_int_pipe, param->length,\n\t\t\t\tdev->int_out->bInterval);\n\t\tif (!urb) {\n\t\t\tretval = -ENOMEM;\n\t\t\tbreak;\n\t\t}\n\t\t/* FIRMWARE: interrupt sink (maybe accepts short writes) */\n\t\tretval = simple_io(dev, urb, param->iterations, 0, 0, \"test25\");\n\t\tsimple_free_urb(urb);\n\t\tbreak;\n\tcase 26:\n\t\tif (dev->in_int_pipe == 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\t\"TEST 26: read %d bytes %u times\\n\",\n\t\t\t\tparam->length, param->iterations);\n\t\turb = simple_alloc_urb(udev, dev->in_int_pipe, param->length,\n\t\t\t\tdev->int_in->bInterval);\n\t\tif (!urb) {\n\t\t\tretval = -ENOMEM;\n\t\t\tbreak;\n\t\t}\n\t\t/* FIRMWARE: interrupt source (maybe generates short writes) */\n\t\tretval = simple_io(dev, urb, param->iterations, 0, 0, \"test26\");\n\t\tsimple_free_urb(urb);\n\t\tbreak;\n\tcase 27:\n\t\t/* We do performance test, so ignore data compare */\n\t\tif (dev->out_pipe == 0 || param->sglen == 0 || pattern != 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 27: bulk write %dMbytes\\n\", (param->iterations *\n\t\t\tparam->sglen * param->length) / (1024 * 1024));\n\t\tretval = test_queue(dev, param,\n\t\t\t\tdev->out_pipe, NULL, 0);\n\t\tbreak;\n\tcase 28:\n\t\tif (dev->in_pipe == 0 || param->sglen == 0 || pattern != 0)\n\t\t\tbreak;\n\t\tdev_info(&intf->dev,\n\t\t\t\"TEST 28: bulk read %dMbytes\\n\", (param->iterations *\n\t\t\tparam->sglen * param->length) / (1024 * 1024));\n\t\tretval = 
test_queue(dev, param,\n\t\t\t\tdev->in_pipe, NULL, 0);\n\t\tbreak;\n\t/* Test data Toggle/seq_nr clear between bulk out transfers */\n\tcase 29:\n\t\tif (dev->out_pipe == 0)\n\t\t\tbreak;\n\t\tretval = 0;\n\t\tdev_info(&intf->dev, \"TEST 29: Clear toggle between bulk writes %d times\\n\",\n\t\t\t\tparam->iterations);\n\t\tfor (i = param->iterations; retval == 0 && i > 0; --i)\n\t\t\tretval = toggle_sync_simple(dev);\n\n\t\tif (retval)\n\t\t\tERROR(dev, \"toggle sync failed, iterations left %d\\n\",\n\t\t\t i);\n\t\tbreak;\n\t}\n\treturn retval;\n}", "project": "linux", "hash": 29274930207251128844707186543618325515, "size": 453, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] 
__device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412274 }, { "func": "lys_snode2stmt(LYS_NODE nodetype)\n{\n switch(nodetype) {\n case LYS_CONTAINER:\n return LY_STMT_CONTAINER;\n case LYS_CHOICE:\n return LY_STMT_CHOICE;\n case LYS_LEAF:\n return LY_STMT_LEAF;\n case LYS_LEAFLIST:\n return LY_STMT_LEAFLIST;\n case LYS_LIST:\n return LY_STMT_LIST;\n case LYS_ANYXML:\n case LYS_ANYDATA:\n return LY_STMT_ANYDATA;\n case LYS_CASE:\n return LY_STMT_CASE;\n case LYS_NOTIF:\n return LY_STMT_NOTIFICATION;\n case LYS_RPC:\n return LY_STMT_RPC;\n case LYS_INPUT:\n return LY_STMT_INPUT;\n case LYS_OUTPUT:\n return LY_STMT_OUTPUT;\n case LYS_GROUPING:\n return LY_STMT_GROUPING;\n case LYS_USES:\n return LY_STMT_USES;\n case LYS_AUGMENT:\n return LY_STMT_AUGMENT;\n case LYS_ACTION:\n return LY_STMT_ACTION;\n default:\n return LY_STMT_NODE;\n }\n}", "project": "libyang", "hash": 248266779756947001615802187231139506858, "size": 38, "commit_id": "59a0bff1a5a2f0a0eac07e4bf94d4aea9dd3708d", "message": "plugins BUGFIX handle empty revision correctly\n\nFixes #1451", "target": 0, "dataset": "other", "idx": 413421 }, { "func": "static zval 
*phar_convert_to_other(phar_archive_data *source, int convert, char *ext, php_uint32 flags TSRMLS_DC) /* {{{ */\n{\n\tphar_archive_data *phar;\n\tphar_entry_info *entry, newentry;\n\tzval *ret;\n\n\t/* invalidate phar cache */\n\tPHAR_G(last_phar) = NULL;\n\tPHAR_G(last_phar_name) = PHAR_G(last_alias) = NULL;\n\n\tphar = (phar_archive_data *) ecalloc(1, sizeof(phar_archive_data));\n\t/* set whole-archive compression and type from parameter */\n\tphar->flags = flags;\n\tphar->is_data = source->is_data;\n\n\tswitch (convert) {\n\t\tcase PHAR_FORMAT_TAR:\n\t\t\tphar->is_tar = 1;\n\t\t\tbreak;\n\t\tcase PHAR_FORMAT_ZIP:\n\t\t\tphar->is_zip = 1;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tphar->is_data = 0;\n\t\t\tbreak;\n\t}\n\n\tzend_hash_init(&(phar->manifest), sizeof(phar_entry_info),\n\t\tzend_get_hash_value, destroy_phar_manifest_entry, 0);\n\tzend_hash_init(&phar->mounted_dirs, sizeof(char *),\n\t\tzend_get_hash_value, NULL, 0);\n\tzend_hash_init(&phar->virtual_dirs, sizeof(char *),\n\t\tzend_get_hash_value, NULL, 0);\n\n\tphar->fp = php_stream_fopen_tmpfile();\n\tif (phar->fp == NULL) {\n\t\tzend_throw_exception_ex(phar_ce_PharException, 0 TSRMLS_CC, \"unable to create temporary file\");\n\t\treturn NULL;\n\t}\n\tphar->fname = source->fname;\n\tphar->fname_len = source->fname_len;\n\tphar->is_temporary_alias = source->is_temporary_alias;\n\tphar->alias = source->alias;\n\n\tif (source->metadata) {\n\t\tzval *t;\n\n\t\tt = source->metadata;\n\t\tALLOC_ZVAL(phar->metadata);\n\t\t*phar->metadata = *t;\n\t\tzval_copy_ctor(phar->metadata);\n\t\tZ_SET_REFCOUNT_P(phar->metadata, 1);\n\n\t\tphar->metadata_len = 0;\n\t}\n\n\t/* first copy each file's uncompressed contents to a temporary file and set per-file flags */\n\tfor (zend_hash_internal_pointer_reset(&source->manifest); SUCCESS == zend_hash_has_more_elements(&source->manifest); zend_hash_move_forward(&source->manifest)) {\n\n\t\tif (FAILURE == zend_hash_get_current_data(&source->manifest, (void **) &entry)) 
{\n\t\t\tzend_hash_destroy(&(phar->manifest));\n\t\t\tphp_stream_close(phar->fp);\n\t\t\tefree(phar);\n\t\t\tzend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC,\n\t\t\t\t\"Cannot convert phar archive \\\"%s\\\"\", source->fname);\n\t\t\treturn NULL;\n\t\t}\n\n\t\tnewentry = *entry;\n\n\t\tif (newentry.link) {\n\t\t\tnewentry.link = estrdup(newentry.link);\n\t\t\tgoto no_copy;\n\t\t}\n\n\t\tif (newentry.tmp) {\n\t\t\tnewentry.tmp = estrdup(newentry.tmp);\n\t\t\tgoto no_copy;\n\t\t}\n\n\t\tnewentry.metadata_str.c = 0;\n\n\t\tif (FAILURE == phar_copy_file_contents(&newentry, phar->fp TSRMLS_CC)) {\n\t\t\tzend_hash_destroy(&(phar->manifest));\n\t\t\tphp_stream_close(phar->fp);\n\t\t\tefree(phar);\n\t\t\t/* exception already thrown */\n\t\t\treturn NULL;\n\t\t}\nno_copy:\n\t\tnewentry.filename = estrndup(newentry.filename, newentry.filename_len);\n\n\t\tif (newentry.metadata) {\n\t\t\tzval *t;\n\n\t\t\tt = newentry.metadata;\n\t\t\tALLOC_ZVAL(newentry.metadata);\n\t\t\t*newentry.metadata = *t;\n\t\t\tzval_copy_ctor(newentry.metadata);\n\t\t\tZ_SET_REFCOUNT_P(newentry.metadata, 1);\n\n\t\t\tnewentry.metadata_str.c = NULL;\n\t\t\tnewentry.metadata_str.len = 0;\n\t\t}\n\n\t\tnewentry.is_zip = phar->is_zip;\n\t\tnewentry.is_tar = phar->is_tar;\n\n\t\tif (newentry.is_tar) {\n\t\t\tnewentry.tar_type = (entry->is_dir ? 
TAR_DIR : TAR_FILE);\n\t\t}\n\n\t\tnewentry.is_modified = 1;\n\t\tnewentry.phar = phar;\n\t\tnewentry.old_flags = newentry.flags & ~PHAR_ENT_COMPRESSION_MASK; /* remove compression from old_flags */\n\t\tphar_set_inode(&newentry TSRMLS_CC);\n\t\tzend_hash_add(&(phar->manifest), newentry.filename, newentry.filename_len, (void*)&newentry, sizeof(phar_entry_info), NULL);\n\t\tphar_add_virtual_dirs(phar, newentry.filename, newentry.filename_len TSRMLS_CC);\n\t}\n\n\tif ((ret = phar_rename_archive(phar, ext, 0 TSRMLS_CC))) {\n\t\treturn ret;\n\t} else {\n\t\tzend_hash_destroy(&(phar->manifest));\n\t\tzend_hash_destroy(&(phar->mounted_dirs));\n\t\tzend_hash_destroy(&(phar->virtual_dirs));\n\t\tphp_stream_close(phar->fp);\n\t\tefree(phar->fname);\n\t\tefree(phar);\n\t\treturn NULL;\n\t}\n}", "project": "php-src", "hash": 120001864044394333890794030593351075079, "size": 132, "commit_id": "b2cf3f064b8f5efef89bb084521b61318c71781b", "message": "Fixed bug #68901 (use after free)", "target": 0, "dataset": "other", "idx": 413486 }, { "func": "get_bounding_box (GeglOperation *operation)\n{\n GeglChantO *o = GEGL_CHANT_PROPERTIES (operation);\n GeglRectangle result = {0,0,0,0};\n pnm_struct img;\n FILE *fp;\n\n fp = (!strcmp (o->path, \"-\") ? 
stdin : fopen (o->path,\"rb\") );\n\n if (!fp)\n return result;\n\n if (!ppm_load_read_header (fp, &img))\n goto out;\n\n switch (img.bpc)\n {\n case 1:\n gegl_operation_set_format (operation, \"output\",\n babl_format (\"R'G'B' u8\"));\n break;\n\n case 2:\n gegl_operation_set_format (operation, \"output\",\n babl_format (\"R'G'B' u16\"));\n break;\n\n default:\n g_warning (\"%s: Programmer stupidity error\", G_STRLOC);\n }\n\n result.width = img.width;\n result.height = img.height;\n\n out:\n if (stdin != fp)\n fclose (fp);\n\n return result;\n}", "project": "gegl", "hash": 48422139737621865272285169290005349079, "size": 40, "commit_id": "4757cdf73d3675478d645a3ec8250ba02168a230", "message": "ppm-load: CVE-2012-4433: add plausibility checks for header fields\n\nRefuse values that are non-decimal, negative or overflow the target\ntype.", "target": 0, "dataset": "other", "idx": 414964 }, { "func": "int __cil_reset_node(struct cil_tree_node *node, __attribute__((unused)) uint32_t *finished, __attribute__((unused)) void *extra_args)\n{\n\tswitch (node->flavor) {\n\tcase CIL_CLASS:\n\t\tcil_reset_class(node->data);\n\t\tbreak;\n\tcase CIL_PERM:\n\tcase CIL_MAP_PERM:\n\t\tcil_reset_perm(node->data);\n\t\tbreak;\n\tcase CIL_CLASSPERMISSION:\n\t\tcil_reset_classpermission(node->data);\n\t\tbreak;\n\tcase CIL_CLASSPERMISSIONSET:\n\t\tcil_reset_classpermissionset(node->data);\n\t\tbreak;\n\tcase CIL_CLASSMAPPING:\n\t\tcil_reset_classmapping(node->data);\n\t\tbreak;\n\tcase CIL_TYPEALIAS:\n\tcase CIL_SENSALIAS:\n\tcase CIL_CATALIAS:\n\t\tcil_reset_alias(node->data);\n\t\tbreak;\n\tcase CIL_USERRANGE:\n\t\tcil_reset_userrange(node->data);\n\t\tbreak;\n\tcase CIL_USERLEVEL:\n\t\tcil_reset_userlevel(node->data);\n\t\tbreak;\n\tcase CIL_USER:\n\t\tcil_reset_user(node->data);\n\t\tbreak;\n\tcase CIL_USERATTRIBUTE:\n\t\tcil_reset_userattr(node->data);\n\t\tbreak;\n\tcase CIL_USERATTRIBUTESET:\n\t\tcil_reset_userattributeset(node->data);\n\t\tbreak;\n\tcase 
CIL_SELINUXUSERDEFAULT:\n\tcase CIL_SELINUXUSER:\n\t\tcil_reset_selinuxuser(node->data);\n\t\tbreak;\n\tcase CIL_ROLE:\n\t\tcil_reset_role(node->data);\n\t\tbreak;\n\tcase CIL_ROLEATTRIBUTE:\n\t\tcil_reset_roleattr(node->data);\n\t\tbreak;\n\tcase CIL_ROLEATTRIBUTESET:\n\t\tcil_reset_roleattributeset(node->data);\n\t\tbreak;\n\tcase CIL_TYPE:\n\t\tcil_reset_type(node->data);\n\t\tbreak;\n\tcase CIL_TYPEATTRIBUTE:\n\t\tcil_reset_typeattr(node->data);\n\t\tbreak;\n\tcase CIL_TYPEATTRIBUTESET:\n\t\tcil_reset_typeattributeset(node->data);\n\t\tbreak;\n\tcase CIL_RANGETRANSITION:\n\t\tcil_reset_rangetransition(node->data);\n\t\tbreak;\n\tcase CIL_AVRULE:\n\t\tcil_reset_avrule(node->data);\n\t\tbreak;\n\tcase CIL_SENS:\n\t\tcil_reset_sens(node->data);\n\t\tbreak;\n\tcase CIL_CAT:\n\t\tcil_reset_cat(node->data);\n\t\tbreak;\n\tcase CIL_SENSCAT:\n\t\tcil_reset_senscat(node->data);\n\t\tbreak;\n\tcase CIL_CATSET:\n\t\tcil_reset_catset(node->data);\n\t\tbreak;\n\tcase CIL_LEVEL:\n\t\tcil_reset_level(node->data);\n\t\tbreak;\n\tcase CIL_LEVELRANGE:\n\t\tcil_reset_levelrange(node->data);\n\t\tbreak;\n\tcase CIL_CONTEXT:\n\t\tcil_reset_context(node->data);\n\t\tbreak;\n\tcase CIL_SIDCONTEXT:\n\t\tcil_reset_sidcontext(node->data);\n\t\tbreak;\n\tcase CIL_FILECON:\n\t\tcil_reset_filecon(node->data);\n\t\tbreak;\n\tcase CIL_IBPKEYCON:\n\t\tcil_reset_ibpkeycon(node->data);\n\t\tbreak;\n\tcase CIL_IBENDPORTCON:\n\t\tcil_reset_ibendportcon(node->data);\n\t\tbreak;\n\tcase CIL_PORTCON:\n\t\tcil_reset_portcon(node->data);\n\t\tbreak;\n\tcase CIL_NODECON:\n\t\tcil_reset_nodecon(node->data);\n\t\tbreak;\n\tcase CIL_GENFSCON:\n\t\tcil_reset_genfscon(node->data);\n\t\tbreak;\n\tcase CIL_NETIFCON:\n\t\tcil_reset_netifcon(node->data);\n\t\tbreak;\n\tcase CIL_PIRQCON:\n\t\tcil_reset_pirqcon(node->data);\n\t\tbreak;\n\tcase CIL_IOMEMCON:\n\t\tcil_reset_iomemcon(node->data);\n\t\tbreak;\n\tcase CIL_IOPORTCON:\n\t\tcil_reset_ioportcon(node->data);\n\t\tbreak;\n\tcase 
CIL_PCIDEVICECON:\n\t\tcil_reset_pcidevicecon(node->data);\n\t\tbreak;\n\tcase CIL_DEVICETREECON:\n\t\tcil_reset_devicetreecon(node->data);\n\t\tbreak;\n\tcase CIL_FSUSE:\n\t\tcil_reset_fsuse(node->data);\n\t\tbreak;\n\tcase CIL_SID:\n\t\tcil_reset_sid(node->data);\n\t\tbreak;\n\tcase CIL_CONSTRAIN:\n\tcase CIL_MLSCONSTRAIN:\n\t\tcil_reset_constrain(node->data);\n\t\tbreak;\n\tcase CIL_VALIDATETRANS:\n\tcase CIL_MLSVALIDATETRANS:\n\t\tcil_reset_validatetrans(node->data);\n\t\tbreak;\n\tcase CIL_DEFAULTUSER:\n\tcase CIL_DEFAULTROLE:\n\tcase CIL_DEFAULTTYPE:\n\t\tcil_reset_default(node->data);\n\t\tbreak;\n\tcase CIL_DEFAULTRANGE:\n\t\tcil_reset_defaultrange(node->data);\n\t\tbreak;\n\tcase CIL_BOOLEANIF:\n\t\tcil_reset_booleanif(node->data);\n\t\tbreak;\n\tcase CIL_TUNABLEIF:\n\tcase CIL_CALL:\n\t\tbreak; /* Not effected by optional block disabling */\n\tcase CIL_MACRO:\n\tcase CIL_SIDORDER:\n\tcase CIL_CLASSORDER:\n\tcase CIL_CATORDER:\n\tcase CIL_SENSITIVITYORDER:\n\tcase CIL_EXPANDTYPEATTRIBUTE:\n\t\tbreak; /* Nothing to reset */\n\tdefault:\n\t\tbreak;\n\t}\n\n\treturn SEPOL_OK;\n}", "project": "selinux", "hash": 175550583773114272660714962301080856142, "size": 168, "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8", "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter ", "target": 0, "dataset": "other", "idx": 416771 }, { "func": "calc_enc_length (gnutls_session_t session, int data_size,\n\t\t int hash_size, uint8_t * pad, int random_pad,\n\t\t cipher_type_t block_algo, uint16_t blocksize)\n{\n uint8_t rnd;\n int length, ret;\n\n *pad = 0;\n\n switch (block_algo)\n {\n case 
CIPHER_STREAM:\n length = data_size + hash_size;\n\n break;\n case CIPHER_BLOCK:\n ret =_gnutls_rnd (RND_NONCE, &rnd, 1);\n if ( ret < 0)\n\t{\n\t gnutls_assert ();\n\t return ret;\n\t}\n\n /* make rnd a multiple of blocksize */\n if (session->security_parameters.version == GNUTLS_SSL3 ||\n\t random_pad == 0)\n\t{\n\t rnd = 0;\n\t}\n else\n\t{\n\t rnd = (rnd / blocksize) * blocksize;\n\t /* added to avoid the case of pad calculated 0\n\t * seen below for pad calculation.\n\t */\n\t if (rnd > blocksize)\n\t rnd -= blocksize;\n\t}\n\n length = data_size + hash_size;\n\n *pad = (uint8_t) (blocksize - (length % blocksize)) + rnd;\n\n length += *pad;\n if (session->security_parameters.version >= GNUTLS_TLS1_1)\n\tlength += blocksize;\t/* for the IV */\n\n break;\n default:\n gnutls_assert ();\n return GNUTLS_E_INTERNAL_ERROR;\n }\n\n return length;\n}", "project": "gnutls", "hash": 281239646107286603981096497088860698079, "size": 55, "commit_id": "d223040e498bd50a4b9e0aa493e78587ae1ed653", "message": "Fix broken debug check for GNUTLS-SA-2008-1.", "target": 0, "dataset": "other", "idx": 417231 }, { "func": "processor_errfd(struct io *io, int evt, void *arg)\n{\n\tconst char\t*name = arg;\n\tchar\t\t*line = NULL;\n\tssize_t\t\t len;\n\n\tswitch (evt) {\n\tcase IO_DATAIN:\n\t\twhile ((line = io_getline(io, &len)) != NULL)\n\t\t\tlog_warnx(\"%s: %s\", name, line);\n\t}\n}", "project": "src", "hash": 283011954283735891863306794359814309269, "size": 12, "commit_id": "6c3220444ed06b5796dedfd53a0f4becd903c0d1", "message": "smtpd's filter state machine can prematurely release resources\nleading to a crash. 
From gilles@", "target": 0, "dataset": "other", "idx": 421503 }, { "func": "filter_protocol(uint64_t reqid, enum filter_phase phase, const char *param)\n{\n\tstruct filter_session *fs;\n\tuint64_t\t\ttoken = 0;\n\tchar\t\t *nparam = NULL;\n\t\n\tfs = tree_xget(&sessions, reqid);\n\n\tswitch (phase) {\n\tcase FILTER_HELO:\n\tcase FILTER_EHLO:\n\t\tfree(fs->helo);\n\t\tfs->helo = xstrdup(param);\n\t\tbreak;\n\tcase FILTER_MAIL_FROM:\n\t\tfree(fs->mail_from);\n\t\tfs->mail_from = xstrdup(param + 1);\n\t\t*strchr(fs->mail_from, '>') = '\\0';\n\t\tparam = fs->mail_from;\n\n\t\tbreak;\n\tcase FILTER_RCPT_TO:\n\t\tnparam = xstrdup(param + 1);\n\t\t*strchr(nparam, '>') = '\\0';\n\t\tparam = nparam;\n\t\tbreak;\n\tcase FILTER_STARTTLS:\n\t\t/* TBD */\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\n\tfree(fs->lastparam);\n\tfs->lastparam = xstrdup(param);\n\n\tfilter_protocol_internal(fs, &token, reqid, phase, param);\n\tif (nparam)\n\t\tfree(nparam);\n}", "project": "src", "hash": 316156916491086867995672293156439816809, "size": 40, "commit_id": "6c3220444ed06b5796dedfd53a0f4becd903c0d1", "message": "smtpd's filter state machine can prematurely release resources\nleading to a crash. 
From gilles@", "target": 0, "dataset": "other", "idx": 421506 }, { "func": "processor_io(struct io *io, int evt, void *arg)\n{\n\tstruct processor_instance *processor;\n\tconst char\t\t*name = arg;\n\tchar\t\t\t*line = NULL;\n\tssize_t\t\t\t len;\n\n\tswitch (evt) {\n\tcase IO_DATAIN:\n\t\twhile ((line = io_getline(io, &len)) != NULL) {\n\t\t\tif (strncmp(\"register|\", line, 9) == 0) {\n\t\t\t\tprocessor_register(name, line);\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\t\n\t\t\tprocessor = dict_xget(&processors, name);\n\t\t\tif (!processor->ready)\n\t\t\t\tfatalx(\"Non-register message before register|\"\n\t\t\t\t \"ready: %s\", line);\n\t\t\telse if (strncmp(line, \"filter-result|\", 14) == 0 ||\n\t\t\t strncmp(line, \"filter-dataline|\", 16) == 0)\n\t\t\t\tlka_filter_process_response(name, line);\n\t\t\telse if (strncmp(line, \"report|\", 7) == 0)\n\t\t\t\tlka_report_proc(name, line);\n\t\t\telse\n\t\t\t\tfatalx(\"Invalid filter message type: %s\", line);\n\t\t}\n\t}\n}", "project": "src", "hash": 63429798833757534369280984967860666896, "size": 29, "commit_id": "6c3220444ed06b5796dedfd53a0f4becd903c0d1", "message": "smtpd's filter state machine can prematurely release resources\nleading to a crash. From gilles@", "target": 0, "dataset": "other", "idx": 421508 }, { "func": "filter_session_io(struct io *io, int evt, void *arg)\n{\n\tstruct filter_session *fs = arg;\n\tchar *line = NULL;\n\tssize_t len;\n\n\tlog_trace(TRACE_IO, \"filter session: %p: %s %s\", fs, io_strevent(evt),\n\t io_strio(io));\n\n\tswitch (evt) {\n\tcase IO_DATAIN:\n\tnextline:\n\t\tline = io_getline(fs->io, &len);\n\t\t/* No complete line received */\n\t\tif (line == NULL)\n\t\t\treturn;\n\n\t\tfilter_data(fs->id, line);\n\n\t\tgoto nextline;\n\t}\n}", "project": "src", "hash": 4978771540234783063665004784258488512, "size": 22, "commit_id": "6c3220444ed06b5796dedfd53a0f4becd903c0d1", "message": "smtpd's filter state machine can prematurely release resources\nleading to a crash. 
From gilles@", "target": 0, "dataset": "other", "idx": 421514 }, { "func": "lka_report_smtp_link_connect(const char *direction, struct timeval *tv, uint64_t reqid, const char *rdns,\n int fcrdns,\n const struct sockaddr_storage *ss_src,\n const struct sockaddr_storage *ss_dest)\n{\n\tstruct filter_session *fs;\n\tchar\tsrc[NI_MAXHOST + 5];\n\tchar\tdest[NI_MAXHOST + 5];\n\tuint16_t\tsrc_port = 0;\n\tuint16_t\tdest_port = 0;\n\tconst char *fcrdns_str;\n\n\tif (ss_src->ss_family == AF_INET)\n\t\tsrc_port = ntohs(((const struct sockaddr_in *)ss_src)->sin_port);\n\telse if (ss_src->ss_family == AF_INET6)\n\t\tsrc_port = ntohs(((const struct sockaddr_in6 *)ss_src)->sin6_port);\n\n\tif (ss_dest->ss_family == AF_INET)\n\t\tdest_port = ntohs(((const struct sockaddr_in *)ss_dest)->sin_port);\n\telse if (ss_dest->ss_family == AF_INET6)\n\t\tdest_port = ntohs(((const struct sockaddr_in6 *)ss_dest)->sin6_port);\n\n\tif (strcmp(ss_to_text(ss_src), \"local\") == 0) {\n\t\t(void)snprintf(src, sizeof src, \"unix:%s\", SMTPD_SOCKET);\n\t\t(void)snprintf(dest, sizeof dest, \"unix:%s\", SMTPD_SOCKET);\n\t} else {\n\t\t(void)snprintf(src, sizeof src, \"%s:%d\", ss_to_text(ss_src), src_port);\n\t\t(void)snprintf(dest, sizeof dest, \"%s:%d\", ss_to_text(ss_dest), dest_port);\n\t}\n\n\tswitch (fcrdns) {\n\tcase 1:\n\t\tfcrdns_str = \"pass\";\n\t\tbreak;\n\tcase 0:\n\t\tfcrdns_str = \"fail\";\n\t\tbreak;\n\tdefault:\n\t\tfcrdns_str = \"error\";\n\t\tbreak;\n\t}\n\n\tfs = tree_xget(&sessions, reqid);\n\tfs->rdns = xstrdup(rdns);\n\tfs->fcrdns = fcrdns;\n\tfs->ss_src = *ss_src;\n\tfs->ss_dest = *ss_dest;\n\n\treport_smtp_broadcast(reqid, direction, tv, \"link-connect\",\n\t \"%s|%s|%s|%s\\n\", rdns, fcrdns_str, src, dest);\n}", "project": "src", "hash": 46526113424003190666577287786703753308, "size": 51, "commit_id": "6c3220444ed06b5796dedfd53a0f4becd903c0d1", "message": "smtpd's filter state machine can prematurely release resources\nleading to a crash. 
From gilles@", "target": 0, "dataset": "other", "idx": 421526 }, { "func": "lka_report_smtp_tx_rcpt(const char *direction, struct timeval *tv, uint64_t reqid, uint32_t msgid, const char *address, int ok)\n{\n\tconst char *result;\n\n\tswitch (ok) {\n\tcase 1:\n\t\tresult = \"ok\";\n\t\tbreak;\n\tcase 0:\n\t\tresult = \"permfail\";\n\t\tbreak;\n\tdefault:\n\t\tresult = \"tempfail\";\n\t\tbreak;\n\t}\n\treport_smtp_broadcast(reqid, direction, tv, \"tx-rcpt\", \"%08x|%s|%s\\n\",\n\t msgid, result, address);\n}", "project": "src", "hash": 288835403151624367446614023744054169705, "size": 18, "commit_id": "6c3220444ed06b5796dedfd53a0f4becd903c0d1", "message": "smtpd's filter state machine can prematurely release resources\nleading to a crash. From gilles@", "target": 0, "dataset": "other", "idx": 421536 }, { "func": "lka_report_smtp_tx_mail(const char *direction, struct timeval *tv, uint64_t reqid, uint32_t msgid, const char *address, int ok)\n{\n\tconst char *result;\n\n\tswitch (ok) {\n\tcase 1:\n\t\tresult = \"ok\";\n\t\tbreak;\n\tcase 0:\n\t\tresult = \"permfail\";\n\t\tbreak;\n\tdefault:\n\t\tresult = \"tempfail\";\n\t\tbreak;\n\t}\n\treport_smtp_broadcast(reqid, direction, tv, \"tx-mail\", \"%08x|%s|%s\\n\",\n\t msgid, result, address);\n}", "project": "src", "hash": 98695356897986932493032355329053602895, "size": 18, "commit_id": "6c3220444ed06b5796dedfd53a0f4becd903c0d1", "message": "smtpd's filter state machine can prematurely release resources\nleading to a crash. 
From gilles@", "target": 0, "dataset": "other", "idx": 421539 }, { "func": "lka_report_smtp_tx_data(const char *direction, struct timeval *tv, uint64_t reqid, uint32_t msgid, int ok)\n{\n\tconst char *result;\n\n\tswitch (ok) {\n\tcase 1:\n\t\tresult = \"ok\";\n\t\tbreak;\n\tcase 0:\n\t\tresult = \"permfail\";\n\t\tbreak;\n\tdefault:\n\t\tresult = \"tempfail\";\n\t\tbreak;\n\t}\n\treport_smtp_broadcast(reqid, direction, tv, \"tx-data\", \"%08x|%s\\n\",\n\t msgid, result);\n}", "project": "src", "hash": 251916666645334128176443363604590406110, "size": 18, "commit_id": "6c3220444ed06b5796dedfd53a0f4becd903c0d1", "message": "smtpd's filter state machine can prematurely release resources\nleading to a crash. From gilles@", "target": 0, "dataset": "other", "idx": 421563 }, { "func": "lka_filter_init(void)\n{\n\tvoid\t\t*iter;\n\tconst char\t*name;\n\tstruct filter \t*filter;\n\tstruct filter_config\t*filter_config;\n\tsize_t\t\ti;\n\tchar\t\t buffer[LINE_MAX];\t/* for traces */\n\n\tdict_init(&filters);\n\tdict_init(&filter_chains);\n\n\t/* first pass, allocate and init individual filters */\n\titer = NULL;\n\twhile (dict_iter(env->sc_filters_dict, &iter, &name, (void **)&filter_config)) {\n\t\tswitch (filter_config->filter_type) {\n\t\tcase FILTER_TYPE_BUILTIN:\n\t\t\tfilter = xcalloc(1, sizeof(*filter));\n\t\t\tfilter->name = name;\n\t\t\tfilter->phases |= (1<phase);\n\t\t\tfilter->config = filter_config;\n\t\t\tdict_set(&filters, name, filter);\n\t\t\tlog_trace(TRACE_FILTERS, \"filters init type=builtin, name=%s, hooks=%08x\",\n\t\t\t name, filter->phases);\n\t\t\tbreak;\n\n\t\tcase FILTER_TYPE_PROC:\n\t\t\tfilter = xcalloc(1, sizeof(*filter));\n\t\t\tfilter->name = name;\n\t\t\tfilter->proc = filter_config->proc;\n\t\t\tfilter->config = filter_config;\n\t\t\tdict_set(&filters, name, filter);\n\t\t\tlog_trace(TRACE_FILTERS, \"filters init type=proc, name=%s, proc=%s\",\n\t\t\t name, filter_config->proc);\n\t\t\tbreak;\n\n\t\tcase 
FILTER_TYPE_CHAIN:\n\t\t\tbreak;\n\t\t}\n\t}\n\n\t/* second pass, allocate and init filter chains but don't build yet */\n\titer = NULL;\n\twhile (dict_iter(env->sc_filters_dict, &iter, &name, (void **)&filter_config)) {\n\t\tswitch (filter_config->filter_type) {\n\t\tcase FILTER_TYPE_CHAIN:\n\t\t\tfilter = xcalloc(1, sizeof(*filter));\n\t\t\tfilter->name = name;\n\t\t\tfilter->chain = xcalloc(filter_config->chain_size, sizeof(void **));\n\t\t\tfilter->chain_size = filter_config->chain_size;\n\t\t\tfilter->config = filter_config;\n\n\t\t\tbuffer[0] = '\\0';\n\t\t\tfor (i = 0; i < filter->chain_size; ++i) {\n\t\t\t\tfilter->chain[i] = dict_xget(&filters, filter_config->chain[i]);\n\t\t\t\tif (i)\n\t\t\t\t\t(void)strlcat(buffer, \", \", sizeof buffer);\n\t\t\t\t(void)strlcat(buffer, filter->chain[i]->name, sizeof buffer);\n\t\t\t}\n\t\t\tlog_trace(TRACE_FILTERS, \"filters init type=chain, name=%s { %s }\", name, buffer);\n\n\t\t\tdict_set(&filters, name, filter);\n\t\t\tbreak;\n\n\t\tcase FILTER_TYPE_BUILTIN:\n\t\tcase FILTER_TYPE_PROC:\n\t\t\tbreak;\n\t\t}\n\t}\n}", "project": "src", "hash": 314070537432002752664116229582378217608, "size": 70, "commit_id": "6c3220444ed06b5796dedfd53a0f4becd903c0d1", "message": "smtpd's filter state machine can prematurely release resources\nleading to a crash. 
From gilles@", "target": 0, "dataset": "other", "idx": 421573 }, { "func": "lka_report_smtp_filter_response(const char *direction, struct timeval *tv, uint64_t reqid,\n int phase, int response, const char *param)\n{\n\tconst char *phase_name;\n\tconst char *response_name;\n\n\tswitch (phase) {\n\tcase FILTER_CONNECT:\n\t\tphase_name = \"connected\";\n\t\tbreak;\n\tcase FILTER_HELO:\n\t\tphase_name = \"helo\";\n\t\tbreak;\n\tcase FILTER_EHLO:\n\t\tphase_name = \"ehlo\";\n\t\tbreak;\n\tcase FILTER_STARTTLS:\n\t\tphase_name = \"tls\";\n\t\tbreak;\n\tcase FILTER_AUTH:\n\t\tphase_name = \"auth\";\n\t\tbreak;\n\tcase FILTER_MAIL_FROM:\n\t\tphase_name = \"mail-from\";\n\t\tbreak;\n\tcase FILTER_RCPT_TO:\n\t\tphase_name = \"rcpt-to\";\n\t\tbreak;\n\tcase FILTER_DATA:\n\t\tphase_name = \"data\";\n\t\tbreak;\n\tcase FILTER_DATA_LINE:\n\t\tphase_name = \"data-line\";\n\t\tbreak;\n\tcase FILTER_RSET:\n\t\tphase_name = \"rset\";\n\t\tbreak;\n\tcase FILTER_QUIT:\n\t\tphase_name = \"quit\";\n\t\tbreak;\n\tcase FILTER_NOOP:\n\t\tphase_name = \"noop\";\n\t\tbreak;\n\tcase FILTER_HELP:\n\t\tphase_name = \"help\";\n\t\tbreak;\n\tcase FILTER_WIZ:\n\t\tphase_name = \"wiz\";\n\t\tbreak;\n\tcase FILTER_COMMIT:\n\t\tphase_name = \"commit\";\n\t\tbreak;\n\tdefault:\n\t\tphase_name = \"\";\n\t}\n\n\tswitch (response) {\n\tcase FILTER_PROCEED:\n\t\tresponse_name = \"proceed\";\n\t\tbreak;\n\tcase FILTER_JUNK:\n\t\tresponse_name = \"junk\";\n\t\tbreak;\n\tcase FILTER_REWRITE:\n\t\tresponse_name = \"rewrite\";\n\t\tbreak;\n\tcase FILTER_REJECT:\n\t\tresponse_name = \"reject\";\n\t\tbreak;\n\tcase FILTER_DISCONNECT:\n\t\tresponse_name = \"disconnect\";\n\t\tbreak;\n\tdefault:\n\t\tresponse_name = \"\";\n\t}\n\n\treport_smtp_broadcast(reqid, direction, tv, \"filter-response\",\n\t \"%s|%s%s%s\\n\", phase_name, response_name, param ? \"|\" : \"\",\n\t param ? 
param : \"\");\n}", "project": "src", "hash": 108522649274740568365573916146247128963, "size": 80, "commit_id": "6c3220444ed06b5796dedfd53a0f4becd903c0d1", "message": "smtpd's filter state machine can prematurely release resources\nleading to a crash. From gilles@", "target": 0, "dataset": "other", "idx": 421578 }, { "func": "AlterObjectNamespace_oid(Oid classId, Oid objid, Oid nspOid,\n\t\t\t\t\t\t ObjectAddresses *objsMoved)\n{\n\tOid\t\t\toldNspOid = InvalidOid;\n\tObjectAddress dep;\n\n\tdep.classId = classId;\n\tdep.objectId = objid;\n\tdep.objectSubId = 0;\n\n\tswitch (getObjectClass(&dep))\n\t{\n\t\tcase OCLASS_CLASS:\n\t\t\t{\n\t\t\t\tRelation\trel;\n\n\t\t\t\trel = relation_open(objid, AccessExclusiveLock);\n\t\t\t\toldNspOid = RelationGetNamespace(rel);\n\n\t\t\t\tAlterTableNamespaceInternal(rel, oldNspOid, nspOid, objsMoved);\n\n\t\t\t\trelation_close(rel, NoLock);\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\tcase OCLASS_TYPE:\n\t\t\toldNspOid = AlterTypeNamespace_oid(objid, nspOid, objsMoved);\n\t\t\tbreak;\n\n\t\tcase OCLASS_PROC:\n\t\tcase OCLASS_COLLATION:\n\t\tcase OCLASS_CONVERSION:\n\t\tcase OCLASS_OPERATOR:\n\t\tcase OCLASS_OPCLASS:\n\t\tcase OCLASS_OPFAMILY:\n\t\tcase OCLASS_STATISTIC_EXT:\n\t\tcase OCLASS_TSPARSER:\n\t\tcase OCLASS_TSDICT:\n\t\tcase OCLASS_TSTEMPLATE:\n\t\tcase OCLASS_TSCONFIG:\n\t\t\t{\n\t\t\t\tRelation\tcatalog;\n\n\t\t\t\tcatalog = table_open(classId, RowExclusiveLock);\n\n\t\t\t\toldNspOid = AlterObjectNamespace_internal(catalog, objid,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t nspOid);\n\n\t\t\t\ttable_close(catalog, RowExclusiveLock);\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase OCLASS_CAST:\n\t\tcase OCLASS_CONSTRAINT:\n\t\tcase OCLASS_DEFAULT:\n\t\tcase OCLASS_LANGUAGE:\n\t\tcase OCLASS_LARGEOBJECT:\n\t\tcase OCLASS_AM:\n\t\tcase OCLASS_AMOP:\n\t\tcase OCLASS_AMPROC:\n\t\tcase OCLASS_REWRITE:\n\t\tcase OCLASS_TRIGGER:\n\t\tcase OCLASS_SCHEMA:\n\t\tcase OCLASS_ROLE:\n\t\tcase OCLASS_DATABASE:\n\t\tcase OCLASS_TBLSPACE:\n\t\tcase OCLASS_FDW:\n\t\tcase 
OCLASS_FOREIGN_SERVER:\n\t\tcase OCLASS_USER_MAPPING:\n\t\tcase OCLASS_DEFACL:\n\t\tcase OCLASS_EXTENSION:\n\t\tcase OCLASS_EVENT_TRIGGER:\n\t\tcase OCLASS_POLICY:\n\t\tcase OCLASS_PUBLICATION:\n\t\tcase OCLASS_PUBLICATION_REL:\n\t\tcase OCLASS_SUBSCRIPTION:\n\t\tcase OCLASS_TRANSFORM:\n\t\t\t/* ignore object types that don't have schema-qualified names */\n\t\t\tbreak;\n\n\t\t\t/*\n\t\t\t * There's intentionally no default: case here; we want the\n\t\t\t * compiler to warn if a new OCLASS hasn't been handled above.\n\t\t\t */\n\t}\n\n\treturn oldNspOid;\n}", "project": "postgres", "hash": 273593337679603001025702369742874977131, "size": 88, "commit_id": "b048f558dd7c26a0c630a2cff29d3d8981eaf6b9", "message": "Fix priv checks for ALTER DEPENDS ON EXTENSION\n\nMarking an object as dependant on an extension did not have any\nprivilege check whatsoever; this allowed any user to mark objects as\ndroppable by anyone able to DROP EXTENSION, which could be used to cause\nsystem-wide havoc. Disallow by checking that the calling user owns the\nmentioned object.\n\n(No constraints are placed on the extension.)\n\nSecurity: CVE-2020-1720\nReported-by: Tom Lane\nDiscussion: 31605.1566429043@sss.pgh.pa.us", "target": 0, "dataset": "other", "idx": 423622 }, { "func": "report_name_conflict(Oid classId, const char *name)\n{\n\tchar\t *msgfmt;\n\n\tswitch (classId)\n\t{\n\t\tcase EventTriggerRelationId:\n\t\t\tmsgfmt = gettext_noop(\"event trigger \\\"%s\\\" already exists\");\n\t\t\tbreak;\n\t\tcase ForeignDataWrapperRelationId:\n\t\t\tmsgfmt = gettext_noop(\"foreign-data wrapper \\\"%s\\\" already exists\");\n\t\t\tbreak;\n\t\tcase ForeignServerRelationId:\n\t\t\tmsgfmt = gettext_noop(\"server \\\"%s\\\" already exists\");\n\t\t\tbreak;\n\t\tcase LanguageRelationId:\n\t\t\tmsgfmt = gettext_noop(\"language \\\"%s\\\" already exists\");\n\t\t\tbreak;\n\t\tcase PublicationRelationId:\n\t\t\tmsgfmt = gettext_noop(\"publication \\\"%s\\\" already exists\");\n\t\t\tbreak;\n\t\tcase 
SubscriptionRelationId:\n\t\t\tmsgfmt = gettext_noop(\"subscription \\\"%s\\\" already exists\");\n\t\t\tbreak;\n\t\tdefault:\n\t\t\telog(ERROR, \"unsupported object class %u\", classId);\n\t\t\tbreak;\n\t}\n\n\tereport(ERROR,\n\t\t\t(errcode(ERRCODE_DUPLICATE_OBJECT),\n\t\t\t errmsg(msgfmt, name)));\n}", "project": "postgres", "hash": 27413747125287013578494714008631453479, "size": 33, "commit_id": "b048f558dd7c26a0c630a2cff29d3d8981eaf6b9", "message": "Fix priv checks for ALTER DEPENDS ON EXTENSION\n\nMarking an object as dependant on an extension did not have any\nprivilege check whatsoever; this allowed any user to mark objects as\ndroppable by anyone able to DROP EXTENSION, which could be used to cause\nsystem-wide havoc. Disallow by checking that the calling user owns the\nmentioned object.\n\n(No constraints are placed on the extension.)\n\nSecurity: CVE-2020-1720\nReported-by: Tom Lane\nDiscussion: 31605.1566429043@sss.pgh.pa.us", "target": 0, "dataset": "other", "idx": 423623 }, { "func": "report_namespace_conflict(Oid classId, const char *name, Oid nspOid)\n{\n\tchar\t *msgfmt;\n\n\tAssert(OidIsValid(nspOid));\n\n\tswitch (classId)\n\t{\n\t\tcase ConversionRelationId:\n\t\t\tAssert(OidIsValid(nspOid));\n\t\t\tmsgfmt = gettext_noop(\"conversion \\\"%s\\\" already exists in schema \\\"%s\\\"\");\n\t\t\tbreak;\n\t\tcase StatisticExtRelationId:\n\t\t\tAssert(OidIsValid(nspOid));\n\t\t\tmsgfmt = gettext_noop(\"statistics object \\\"%s\\\" already exists in schema \\\"%s\\\"\");\n\t\t\tbreak;\n\t\tcase TSParserRelationId:\n\t\t\tAssert(OidIsValid(nspOid));\n\t\t\tmsgfmt = gettext_noop(\"text search parser \\\"%s\\\" already exists in schema \\\"%s\\\"\");\n\t\t\tbreak;\n\t\tcase TSDictionaryRelationId:\n\t\t\tAssert(OidIsValid(nspOid));\n\t\t\tmsgfmt = gettext_noop(\"text search dictionary \\\"%s\\\" already exists in schema \\\"%s\\\"\");\n\t\t\tbreak;\n\t\tcase TSTemplateRelationId:\n\t\t\tAssert(OidIsValid(nspOid));\n\t\t\tmsgfmt = gettext_noop(\"text search 
template \\\"%s\\\" already exists in schema \\\"%s\\\"\");\n\t\t\tbreak;\n\t\tcase TSConfigRelationId:\n\t\t\tAssert(OidIsValid(nspOid));\n\t\t\tmsgfmt = gettext_noop(\"text search configuration \\\"%s\\\" already exists in schema \\\"%s\\\"\");\n\t\t\tbreak;\n\t\tdefault:\n\t\t\telog(ERROR, \"unsupported object class %u\", classId);\n\t\t\tbreak;\n\t}\n\n\tereport(ERROR,\n\t\t\t(errcode(ERRCODE_DUPLICATE_OBJECT),\n\t\t\t errmsg(msgfmt, name, get_namespace_name(nspOid))));\n}", "project": "postgres", "hash": 117504460568327258672605251176256656559, "size": 41, "commit_id": "b048f558dd7c26a0c630a2cff29d3d8981eaf6b9", "message": "Fix priv checks for ALTER DEPENDS ON EXTENSION\n\nMarking an object as dependant on an extension did not have any\nprivilege check whatsoever; this allowed any user to mark objects as\ndroppable by anyone able to DROP EXTENSION, which could be used to cause\nsystem-wide havoc. Disallow by checking that the calling user owns the\nmentioned object.\n\n(No constraints are placed on the extension.)\n\nSecurity: CVE-2020-1720\nReported-by: Tom Lane\nDiscussion: 31605.1566429043@sss.pgh.pa.us", "target": 0, "dataset": "other", "idx": 423625 }, { "func": "ExecRenameStmt(RenameStmt *stmt)\n{\n\tswitch (stmt->renameType)\n\t{\n\t\tcase OBJECT_TABCONSTRAINT:\n\t\tcase OBJECT_DOMCONSTRAINT:\n\t\t\treturn RenameConstraint(stmt);\n\n\t\tcase OBJECT_DATABASE:\n\t\t\treturn RenameDatabase(stmt->subname, stmt->newname);\n\n\t\tcase OBJECT_ROLE:\n\t\t\treturn RenameRole(stmt->subname, stmt->newname);\n\n\t\tcase OBJECT_SCHEMA:\n\t\t\treturn RenameSchema(stmt->subname, stmt->newname);\n\n\t\tcase OBJECT_TABLESPACE:\n\t\t\treturn RenameTableSpace(stmt->subname, stmt->newname);\n\n\t\tcase OBJECT_TABLE:\n\t\tcase OBJECT_SEQUENCE:\n\t\tcase OBJECT_VIEW:\n\t\tcase OBJECT_MATVIEW:\n\t\tcase OBJECT_INDEX:\n\t\tcase OBJECT_FOREIGN_TABLE:\n\t\t\treturn RenameRelation(stmt);\n\n\t\tcase OBJECT_COLUMN:\n\t\tcase OBJECT_ATTRIBUTE:\n\t\t\treturn 
renameatt(stmt);\n\n\t\tcase OBJECT_RULE:\n\t\t\treturn RenameRewriteRule(stmt->relation, stmt->subname,\n\t\t\t\t\t\t\t\t\t stmt->newname);\n\n\t\tcase OBJECT_TRIGGER:\n\t\t\treturn renametrig(stmt);\n\n\t\tcase OBJECT_POLICY:\n\t\t\treturn rename_policy(stmt);\n\n\t\tcase OBJECT_DOMAIN:\n\t\tcase OBJECT_TYPE:\n\t\t\treturn RenameType(stmt);\n\n\t\tcase OBJECT_AGGREGATE:\n\t\tcase OBJECT_COLLATION:\n\t\tcase OBJECT_CONVERSION:\n\t\tcase OBJECT_EVENT_TRIGGER:\n\t\tcase OBJECT_FDW:\n\t\tcase OBJECT_FOREIGN_SERVER:\n\t\tcase OBJECT_FUNCTION:\n\t\tcase OBJECT_OPCLASS:\n\t\tcase OBJECT_OPFAMILY:\n\t\tcase OBJECT_LANGUAGE:\n\t\tcase OBJECT_PROCEDURE:\n\t\tcase OBJECT_ROUTINE:\n\t\tcase OBJECT_STATISTIC_EXT:\n\t\tcase OBJECT_TSCONFIGURATION:\n\t\tcase OBJECT_TSDICTIONARY:\n\t\tcase OBJECT_TSPARSER:\n\t\tcase OBJECT_TSTEMPLATE:\n\t\tcase OBJECT_PUBLICATION:\n\t\tcase OBJECT_SUBSCRIPTION:\n\t\t\t{\n\t\t\t\tObjectAddress address;\n\t\t\t\tRelation\tcatalog;\n\t\t\t\tRelation\trelation;\n\n\t\t\t\taddress = get_object_address(stmt->renameType,\n\t\t\t\t\t\t\t\t\t\t\t stmt->object,\n\t\t\t\t\t\t\t\t\t\t\t &relation,\n\t\t\t\t\t\t\t\t\t\t\t AccessExclusiveLock, false);\n\t\t\t\tAssert(relation == NULL);\n\n\t\t\t\tcatalog = table_open(address.classId, RowExclusiveLock);\n\t\t\t\tAlterObjectRename_internal(catalog,\n\t\t\t\t\t\t\t\t\t\t address.objectId,\n\t\t\t\t\t\t\t\t\t\t stmt->newname);\n\t\t\t\ttable_close(catalog, RowExclusiveLock);\n\n\t\t\t\treturn address;\n\t\t\t}\n\n\t\tdefault:\n\t\t\telog(ERROR, \"unrecognized rename stmt type: %d\",\n\t\t\t\t (int) stmt->renameType);\n\t\t\treturn InvalidObjectAddress;\t/* keep compiler happy */\n\t}\n}", "project": "postgres", "hash": 107523326345101617080706515530975119875, "size": 91, "commit_id": "b048f558dd7c26a0c630a2cff29d3d8981eaf6b9", "message": "Fix priv checks for ALTER DEPENDS ON EXTENSION\n\nMarking an object as dependant on an extension did not have any\nprivilege check whatsoever; this allowed any user to mark 
objects as\ndroppable by anyone able to DROP EXTENSION, which could be used to cause\nsystem-wide havoc. Disallow by checking that the calling user owns the\nmentioned object.\n\n(No constraints are placed on the extension.)\n\nSecurity: CVE-2020-1720\nReported-by: Tom Lane\nDiscussion: 31605.1566429043@sss.pgh.pa.us", "target": 0, "dataset": "other", "idx": 423626 }, { "func": "ExecAlterObjectSchemaStmt(AlterObjectSchemaStmt *stmt,\n\t\t\t\t\t\t ObjectAddress *oldSchemaAddr)\n{\n\tObjectAddress address;\n\tOid\t\t\toldNspOid;\n\n\tswitch (stmt->objectType)\n\t{\n\t\tcase OBJECT_EXTENSION:\n\t\t\taddress = AlterExtensionNamespace(strVal((Value *) stmt->object), stmt->newschema,\n\t\t\t\t\t\t\t\t\t\t\t oldSchemaAddr ? &oldNspOid : NULL);\n\t\t\tbreak;\n\n\t\tcase OBJECT_FOREIGN_TABLE:\n\t\tcase OBJECT_SEQUENCE:\n\t\tcase OBJECT_TABLE:\n\t\tcase OBJECT_VIEW:\n\t\tcase OBJECT_MATVIEW:\n\t\t\taddress = AlterTableNamespace(stmt,\n\t\t\t\t\t\t\t\t\t\t oldSchemaAddr ? &oldNspOid : NULL);\n\t\t\tbreak;\n\n\t\tcase OBJECT_DOMAIN:\n\t\tcase OBJECT_TYPE:\n\t\t\taddress = AlterTypeNamespace(castNode(List, stmt->object), stmt->newschema,\n\t\t\t\t\t\t\t\t\t\t stmt->objectType,\n\t\t\t\t\t\t\t\t\t\t oldSchemaAddr ? 
&oldNspOid : NULL);\n\t\t\tbreak;\n\n\t\t\t/* generic code path */\n\t\tcase OBJECT_AGGREGATE:\n\t\tcase OBJECT_COLLATION:\n\t\tcase OBJECT_CONVERSION:\n\t\tcase OBJECT_FUNCTION:\n\t\tcase OBJECT_OPERATOR:\n\t\tcase OBJECT_OPCLASS:\n\t\tcase OBJECT_OPFAMILY:\n\t\tcase OBJECT_PROCEDURE:\n\t\tcase OBJECT_ROUTINE:\n\t\tcase OBJECT_STATISTIC_EXT:\n\t\tcase OBJECT_TSCONFIGURATION:\n\t\tcase OBJECT_TSDICTIONARY:\n\t\tcase OBJECT_TSPARSER:\n\t\tcase OBJECT_TSTEMPLATE:\n\t\t\t{\n\t\t\t\tRelation\tcatalog;\n\t\t\t\tRelation\trelation;\n\t\t\t\tOid\t\t\tclassId;\n\t\t\t\tOid\t\t\tnspOid;\n\n\t\t\t\taddress = get_object_address(stmt->objectType,\n\t\t\t\t\t\t\t\t\t\t\t stmt->object,\n\t\t\t\t\t\t\t\t\t\t\t &relation,\n\t\t\t\t\t\t\t\t\t\t\t AccessExclusiveLock,\n\t\t\t\t\t\t\t\t\t\t\t false);\n\t\t\t\tAssert(relation == NULL);\n\t\t\t\tclassId = address.classId;\n\t\t\t\tcatalog = table_open(classId, RowExclusiveLock);\n\t\t\t\tnspOid = LookupCreationNamespace(stmt->newschema);\n\n\t\t\t\toldNspOid = AlterObjectNamespace_internal(catalog, address.objectId,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t nspOid);\n\t\t\t\ttable_close(catalog, RowExclusiveLock);\n\t\t\t}\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\telog(ERROR, \"unrecognized AlterObjectSchemaStmt type: %d\",\n\t\t\t\t (int) stmt->objectType);\n\t\t\treturn InvalidObjectAddress;\t/* keep compiler happy */\n\t}\n\n\tif (oldSchemaAddr)\n\t\tObjectAddressSet(*oldSchemaAddr, NamespaceRelationId, oldNspOid);\n\n\treturn address;\n}", "project": "postgres", "hash": 114570561615124201207977259250046388361, "size": 77, "commit_id": "b048f558dd7c26a0c630a2cff29d3d8981eaf6b9", "message": "Fix priv checks for ALTER DEPENDS ON EXTENSION\n\nMarking an object as dependant on an extension did not have any\nprivilege check whatsoever; this allowed any user to mark objects as\ndroppable by anyone able to DROP EXTENSION, which could be used to cause\nsystem-wide havoc. 
Disallow by checking that the calling user owns the\nmentioned object.\n\n(No constraints are placed on the extension.)\n\nSecurity: CVE-2020-1720\nReported-by: Tom Lane\nDiscussion: 31605.1566429043@sss.pgh.pa.us", "target": 0, "dataset": "other", "idx": 423629 }, { "func": "ExecAlterOwnerStmt(AlterOwnerStmt *stmt)\n{\n\tOid\t\t\tnewowner = get_rolespec_oid(stmt->newowner, false);\n\n\tswitch (stmt->objectType)\n\t{\n\t\tcase OBJECT_DATABASE:\n\t\t\treturn AlterDatabaseOwner(strVal((Value *) stmt->object), newowner);\n\n\t\tcase OBJECT_SCHEMA:\n\t\t\treturn AlterSchemaOwner(strVal((Value *) stmt->object), newowner);\n\n\t\tcase OBJECT_TYPE:\n\t\tcase OBJECT_DOMAIN:\t\t/* same as TYPE */\n\t\t\treturn AlterTypeOwner(castNode(List, stmt->object), newowner, stmt->objectType);\n\t\t\tbreak;\n\n\t\tcase OBJECT_FDW:\n\t\t\treturn AlterForeignDataWrapperOwner(strVal((Value *) stmt->object),\n\t\t\t\t\t\t\t\t\t\t\t\tnewowner);\n\n\t\tcase OBJECT_FOREIGN_SERVER:\n\t\t\treturn AlterForeignServerOwner(strVal((Value *) stmt->object),\n\t\t\t\t\t\t\t\t\t\t newowner);\n\n\t\tcase OBJECT_EVENT_TRIGGER:\n\t\t\treturn AlterEventTriggerOwner(strVal((Value *) stmt->object),\n\t\t\t\t\t\t\t\t\t\t newowner);\n\n\t\tcase OBJECT_PUBLICATION:\n\t\t\treturn AlterPublicationOwner(strVal((Value *) stmt->object),\n\t\t\t\t\t\t\t\t\t\t newowner);\n\n\t\tcase OBJECT_SUBSCRIPTION:\n\t\t\treturn AlterSubscriptionOwner(strVal((Value *) stmt->object),\n\t\t\t\t\t\t\t\t\t\t newowner);\n\n\t\t\t/* Generic cases */\n\t\tcase OBJECT_AGGREGATE:\n\t\tcase OBJECT_COLLATION:\n\t\tcase OBJECT_CONVERSION:\n\t\tcase OBJECT_FUNCTION:\n\t\tcase OBJECT_LANGUAGE:\n\t\tcase OBJECT_LARGEOBJECT:\n\t\tcase OBJECT_OPERATOR:\n\t\tcase OBJECT_OPCLASS:\n\t\tcase OBJECT_OPFAMILY:\n\t\tcase OBJECT_PROCEDURE:\n\t\tcase OBJECT_ROUTINE:\n\t\tcase OBJECT_STATISTIC_EXT:\n\t\tcase OBJECT_TABLESPACE:\n\t\tcase OBJECT_TSDICTIONARY:\n\t\tcase 
OBJECT_TSCONFIGURATION:\n\t\t\t{\n\t\t\t\tRelation\tcatalog;\n\t\t\t\tRelation\trelation;\n\t\t\t\tOid\t\t\tclassId;\n\t\t\t\tObjectAddress address;\n\n\t\t\t\taddress = get_object_address(stmt->objectType,\n\t\t\t\t\t\t\t\t\t\t\t stmt->object,\n\t\t\t\t\t\t\t\t\t\t\t &relation,\n\t\t\t\t\t\t\t\t\t\t\t AccessExclusiveLock,\n\t\t\t\t\t\t\t\t\t\t\t false);\n\t\t\t\tAssert(relation == NULL);\n\t\t\t\tclassId = address.classId;\n\n\t\t\t\t/*\n\t\t\t\t * XXX - get_object_address returns Oid of pg_largeobject\n\t\t\t\t * catalog for OBJECT_LARGEOBJECT because of historical\n\t\t\t\t * reasons. Fix up it here.\n\t\t\t\t */\n\t\t\t\tif (classId == LargeObjectRelationId)\n\t\t\t\t\tclassId = LargeObjectMetadataRelationId;\n\n\t\t\t\tcatalog = table_open(classId, RowExclusiveLock);\n\n\t\t\t\tAlterObjectOwner_internal(catalog, address.objectId, newowner);\n\t\t\t\ttable_close(catalog, RowExclusiveLock);\n\n\t\t\t\treturn address;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\telog(ERROR, \"unrecognized AlterOwnerStmt type: %d\",\n\t\t\t\t (int) stmt->objectType);\n\t\t\treturn InvalidObjectAddress;\t/* keep compiler happy */\n\t}\n}", "project": "postgres", "hash": 93486448459772187543661492417243913523, "size": 90, "commit_id": "b048f558dd7c26a0c630a2cff29d3d8981eaf6b9", "message": "Fix priv checks for ALTER DEPENDS ON EXTENSION\n\nMarking an object as dependant on an extension did not have any\nprivilege check whatsoever; this allowed any user to mark objects as\ndroppable by anyone able to DROP EXTENSION, which could be used to cause\nsystem-wide havoc. 
Disallow by checking that the calling user owns the\nmentioned object.\n\n(No constraints are placed on the extension.)\n\nSecurity: CVE-2020-1720\nReported-by: Tom Lane\nDiscussion: 31605.1566429043@sss.pgh.pa.us", "target": 0, "dataset": "other", "idx": 423630 }, { "func": "PHP_FUNCTION(enchant_broker_get_dict_path)\n{\n\tzval *broker;\n\tenchant_broker *pbroker;\n\tlong dict_type;\n\tchar *value;\n\n\tif (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, \"rl\", &broker, &dict_type) == FAILURE) {\n\t\tRETURN_FALSE;\n\t}\n\t\n\tPHP_ENCHANT_GET_BROKER;\n\n\tswitch (dict_type) {\n\t\tcase PHP_ENCHANT_MYSPELL:\n\t\t\tPHP_ENCHANT_GET_BROKER;\n\t\t\tvalue = enchant_broker_get_param(pbroker->pbroker, \"enchant.myspell.dictionary.path\");\n\t\t\tbreak;\n\n\t\tcase PHP_ENCHANT_ISPELL:\n\t\t\tPHP_ENCHANT_GET_BROKER;\n\t\t\tvalue = enchant_broker_get_param(pbroker->pbroker, \"enchant.ispell.dictionary.path\");\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tRETURN_FALSE;\n\t}\n\n\tRETURN_STRING(value, 1);\n}", "project": "php-src", "hash": 178100738032591353931231762958151769099, "size": 30, "commit_id": "bdfe457a2c1b47209e32783b3a6447e81baf179a", "message": "Port for for bug #68552", "target": 0, "dataset": "other", "idx": 429190 }, { "func": "main(int argc, char **argv)\n{\n\tint i, retval = 0, dflag = 0, kflag = 0;\n\tconst char *target_user = NULL, *user = NULL, *tty = NULL;\n\tstruct passwd *pwd;\n\tstruct timeval tv;\n\tfd_set write_fds;\n\tchar path[BUFLEN];\n\tstruct stat st;\n\n\t/* Check that there's nothing funny going on with stdio. */\n\tif ((fstat(STDIN_FILENO, &st) == -1) ||\n\t (fstat(STDOUT_FILENO, &st) == -1) ||\n\t (fstat(STDERR_FILENO, &st) == -1)) {\n\t\t/* Appropriate the \"no controlling tty\" error code. */\n\t\treturn 3;\n\t}\n\n\t/* Parse arguments. 
*/\n\twhile ((i = getopt(argc, argv, \"dk\")) != -1) {\n\t\tswitch (i) {\n\t\t\tcase 'd':\n\t\t\t\tdflag++;\n\t\t\t\tbreak;\n\t\t\tcase 'k':\n\t\t\t\tkflag++;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tfprintf(stderr, USAGE, argv[0]);\n\t\t\t\treturn 1;\n\t\t\t\tbreak;\n\t\t}\n\t}\n\n\t/* Bail if both -k and -d are given together. */\n\tif ((kflag + dflag) > 1) {\n\t\tfprintf(stderr, USAGE, argv[0]);\n\t\treturn 1;\n\t}\n\n\t/* Check that we're setuid. */\n\tif (geteuid() != 0) {\n\t\tfprintf(stderr, \"%s must be setuid root\\n\",\n\t\t\targv[0]);\n\t\tretval = 2;\n\t}\n\n\t/* Check that we have a controlling tty. */\n\ttty = ttyname(STDIN_FILENO);\n\tif ((tty == NULL) || (strlen(tty) == 0)) {\n\t\ttty = ttyname(STDOUT_FILENO);\n\t}\n\tif ((tty == NULL) || (strlen(tty) == 0)) {\n\t\ttty = ttyname(STDERR_FILENO);\n\t}\n\tif ((tty == NULL) || (strlen(tty) == 0)) {\n\t\ttty = \"unknown\";\n\t}\n\n\t/* Get the name of the invoking (requesting) user. */\n\tpwd = getpwuid(getuid());\n\tif (pwd == NULL) {\n\t\tretval = 4;\n\t}\n\n\t/* Get the name of the target user. */\n\tuser = strdup(pwd->pw_name);\n\tif (user == NULL) {\n\t\tretval = 4;\n\t} else {\n\t\ttarget_user = (optind < argc) ? argv[optind] : user;\n\t\tif ((strchr(target_user, '.') != NULL) ||\n\t\t (strchr(target_user, '/') != NULL) ||\n\t\t (strchr(target_user, '%') != NULL)) {\n\t\t\tfprintf(stderr, \"unknown user: %s\\n\",\n\t\t\t\ttarget_user);\n\t\t\tretval = 4;\n\t\t}\n\t}\n\n\t/* Sanity check the tty to make sure we should be checking\n\t * for timestamps which pertain to it. */\n\tif (retval == 0) {\n\t\ttty = check_tty(tty);\n\t\tif (tty == NULL) {\n\t\t\tfprintf(stderr, \"invalid tty\\n\");\n\t\t\tretval = 6;\n\t\t}\n\t}\n\n\tdo {\n\t\t/* Sanity check the timestamp directory itself. */\n\t\tif (retval == 0) {\n\t\t\tif (check_dir_perms(NULL, TIMESTAMPDIR) != PAM_SUCCESS) {\n\t\t\t\tretval = 5;\n\t\t\t}\n\t\t}\n\n\t\tif (retval == 0) {\n\t\t\t/* Generate the name of the timestamp file. 
*/\n\t\t\tformat_timestamp_name(path, sizeof(path), TIMESTAMPDIR,\n\t\t\t\t\t tty, user, target_user);\n\t\t}\n\n\t\tif (retval == 0) {\n\t\t\tif (kflag) {\n\t\t\t\t/* Remove the timestamp. */\n\t\t\t\tif (lstat(path, &st) != -1) {\n\t\t\t\t\tretval = unlink(path);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t/* Check the timestamp. */\n\t\t\t\tif (lstat(path, &st) != -1) {\n\t\t\t\t\t/* Check oldest login against timestamp */\n\t\t\t\t\tif (check_login_time(user, st.st_mtime) != PAM_SUCCESS) {\n\t\t\t\t\t\tretval = 7;\n\t\t\t\t\t} else if (!timestamp_good(st.st_mtime, time(NULL),\n\t\t\t\t\t\t\t DEFAULT_TIMESTAMP_TIMEOUT) == PAM_SUCCESS) {\n\t\t\t\t\t\tretval = 7;\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tretval = 7;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (dflag > 0) {\n\t\t\tstruct timeval now;\n\t\t\t/* Send the would-be-returned value to our parent. */\n\t\t\tsignal(SIGPIPE, SIG_DFL);\n\t\t\tfprintf(stdout, \"%d\\n\", retval);\n\t\t\tfflush(stdout);\n\t\t\t/* Wait. */\n\t\t\tgettimeofday(&now, NULL);\n\t\t\ttv.tv_sec = CHECK_INTERVAL;\n\t\t\t/* round the sleep time to get woken up on a whole second */\n\t\t\ttv.tv_usec = 1000000 - now.tv_usec;\n\t\t\tif (now.tv_usec < 500000)\n\t\t\t\ttv.tv_sec--;\n\t\t\tFD_ZERO(&write_fds);\n\t\t\tFD_SET(STDOUT_FILENO, &write_fds);\n\t\t\tselect(STDOUT_FILENO + 1,\n\t\t\t NULL, NULL, &write_fds,\n\t\t\t &tv);\n\t\t\tretval = 0;\n\t\t}\n\t} while (dflag > 0);\n\n\treturn retval;\n}", "project": "linux-pam", "hash": 338766117525068652721769982934226291754, "size": 150, "commit_id": "9dcead87e6d7f66d34e7a56d11a30daca367dffb", "message": "pam_timestamp: fix potential directory traversal issue (ticket #27)\n\npam_timestamp uses values of PAM_RUSER and PAM_TTY as components of\nthe timestamp pathname it creates, so extra care should be taken to\navoid potential directory traversal issues.\n\n* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat\n\".\" and \"..\" tty values as invalid.\n(get_ruser): Treat \".\" and \"..\" ruser values, as 
well as any ruser\nvalue containing '/', as invalid.\n\nFixes CVE-2014-2583.\n\nReported-by: Sebastian Krahmer ", "target": 0, "dataset": "other", "idx": 429354 }, { "func": "mysql_get_optionv(MYSQL *mysql, enum mysql_option option, void *arg, ...)\n{\n va_list ap;\n\n va_start(ap, arg);\n\n switch(option) {\n case MYSQL_OPT_CONNECT_TIMEOUT:\n *((uint *)arg)= mysql->options.connect_timeout;\n break;\n case MYSQL_OPT_COMPRESS:\n *((my_bool *)arg)= mysql->options.compress;\n break;\n case MYSQL_OPT_NAMED_PIPE:\n *((my_bool *)arg)= mysql->options.named_pipe;\n break;\n case MYSQL_OPT_LOCAL_INFILE:\t\t\t/* Allow LOAD DATA LOCAL ?*/\n *((uint *)arg)= test(mysql->options.client_flag & CLIENT_LOCAL_FILES);\n break;\n case MYSQL_INIT_COMMAND:\n /* mysql_get_optionsv(mysql, MYSQL_INIT_COMMAND, commands, elements) */\n {\n unsigned int *elements;\n if (arg)\n *((char **)arg)= mysql->options.init_command ? mysql->options.init_command->buffer : NULL;\n if ((elements= va_arg(ap, unsigned int *)))\n *elements= mysql->options.init_command ? mysql->options.init_command->elements : 0;\n }\n break;\n case MYSQL_READ_DEFAULT_FILE:\n *((char **)arg)= mysql->options.my_cnf_file;\n break;\n case MYSQL_READ_DEFAULT_GROUP:\n *((char **)arg)= mysql->options.my_cnf_group;\n break;\n case MYSQL_SET_CHARSET_DIR:\n /* not supported in this version. 
Since all character sets\n are internally available, we don't throw an error */\n *((char **)arg)= NULL;\n break;\n case MYSQL_SET_CHARSET_NAME:\n if (mysql->charset)\n *((const char **)arg)= mysql->charset->csname;\n else\n *((char **)arg)= mysql->options.charset_name;\n break;\n case MYSQL_OPT_RECONNECT:\n *((my_bool *)arg)= mysql->options.reconnect;\n break;\n case MYSQL_OPT_PROTOCOL:\n *((uint *)arg)= mysql->options.protocol;\n break;\n case MYSQL_OPT_READ_TIMEOUT:\n *((uint *)arg)= mysql->options.read_timeout;\n break;\n case MYSQL_OPT_WRITE_TIMEOUT:\n *((uint *)arg)= mysql->options.write_timeout;\n break;\n case MYSQL_REPORT_DATA_TRUNCATION:\n *((my_bool *)arg)= mysql->options.report_data_truncation;\n break;\n case MYSQL_PROGRESS_CALLBACK:\n *((void (**)(const MYSQL *, uint, uint, double, const char *, uint))arg)=\n mysql->options.extension ? mysql->options.extension->report_progress : NULL;\n break;\n case MYSQL_SERVER_PUBLIC_KEY:\n *((char **)arg)= mysql->options.extension ?\n mysql->options.extension->server_public_key : NULL;\n break;\n case MYSQL_PLUGIN_DIR:\n *((char **)arg)= mysql->options.extension ? mysql->options.extension->plugin_dir : NULL;\n break;\n case MYSQL_DEFAULT_AUTH:\n *((char **)arg)= mysql->options.extension ? 
mysql->options.extension->default_auth : NULL;\n break;\n case MYSQL_OPT_NONBLOCK:\n *((my_bool *)arg)= test(mysql->options.extension && mysql->options.extension->async_context);\n break;\n case MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS:\n *((my_bool *)arg)= test(mysql->options.client_flag & CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS);\n break;\n case MYSQL_OPT_SSL_ENFORCE:\n *((my_bool *)arg)= mysql->options.use_ssl;\n break;\n case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:\n *((my_bool *)arg)= test(mysql->options.client_flag & CLIENT_SSL_VERIFY_SERVER_CERT);\n break;\n case MYSQL_OPT_SSL_KEY:\n *((char **)arg)= mysql->options.ssl_key;\n break;\n case MYSQL_OPT_SSL_CERT:\n *((char **)arg)= mysql->options.ssl_cert;\n break;\n case MYSQL_OPT_SSL_CA:\n *((char **)arg)= mysql->options.ssl_ca;\n break;\n case MYSQL_OPT_SSL_CAPATH:\n *((char **)arg)= mysql->options.ssl_capath;\n break;\n case MYSQL_OPT_SSL_CIPHER:\n *((char **)arg)= mysql->options.ssl_cipher;\n break;\n case MYSQL_OPT_SSL_CRL:\n *((char **)arg)= mysql->options.extension ? mysql->options.ssl_cipher : NULL;\n break;\n case MYSQL_OPT_SSL_CRLPATH:\n *((char **)arg)= mysql->options.extension ? 
mysql->options.extension->ssl_crlpath : NULL;\n break;\n case MYSQL_OPT_CONNECT_ATTRS:\n /* mysql_get_optionsv(mysql, MYSQL_OPT_CONNECT_ATTRS, keys, vals, elements) */\n {\n unsigned int i, *elements;\n char **key= NULL;\n void *arg1;\n char **val= NULL;\n\n if (arg)\n key= *(char ***)arg;\n\n arg1= va_arg(ap, char **);\n if (arg1)\n val= *(char ***)arg1;\n\n if (!(elements= va_arg(ap, unsigned int *)))\n goto error;\n\n *elements= 0;\n\n if (!mysql->options.extension ||\n !hash_inited(&mysql->options.extension->connect_attrs))\n break;\n\n *elements= mysql->options.extension->connect_attrs.records;\n\n if (val || key)\n {\n for (i=0; i < *elements; i++)\n {\n uchar *p= hash_element(&mysql->options.extension->connect_attrs, i);\n if (key)\n key[i]= (char *)p;\n p+= strlen((char *)p) + 1;\n if (val)\n val[i]= (char *)p;\n }\n }\n }\n break;\n case MYSQL_OPT_MAX_ALLOWED_PACKET:\n *((unsigned long *)arg)= (mysql) ? mysql->options.max_allowed_packet :\n max_allowed_packet;\n break;\n case MYSQL_OPT_NET_BUFFER_LENGTH:\n *((unsigned long *)arg)= net_buffer_length;\n break;\n case MYSQL_SECURE_AUTH:\n *((my_bool *)arg)= mysql->options.secure_auth;\n break;\n case MYSQL_OPT_BIND:\n *((char **)arg)= mysql->options.bind_address;\n break;\n case MARIADB_OPT_TLS_CIPHER_STRENGTH:\n *((unsigned int *)arg) = mysql->options.extension ? mysql->options.extension->tls_cipher_strength : 0;\n break;\n case MARIADB_OPT_SSL_FP:\n case MARIADB_OPT_TLS_PEER_FP:\n *((char **)arg)= mysql->options.extension ? mysql->options.extension->tls_fp : NULL;\n break;\n case MARIADB_OPT_SSL_FP_LIST:\n case MARIADB_OPT_TLS_PEER_FP_LIST:\n *((char **)arg)= mysql->options.extension ? mysql->options.extension->tls_fp_list : NULL;\n break;\n case MARIADB_OPT_TLS_PASSPHRASE:\n *((char **)arg)= mysql->options.extension ? mysql->options.extension->tls_pw : NULL;\n break;\n case MARIADB_OPT_CONNECTION_READ_ONLY:\n *((my_bool *)arg)= mysql->options.extension ? 
mysql->options.extension->read_only : 0;\n break;\n case MARIADB_OPT_USERDATA:\n /* nysql_get_optionv(mysql, MARIADB_OPT_USERDATA, key, value) */\n {\n uchar *p;\n void *data= va_arg(ap, void *);\n char *key= (char *)arg;\n if (key && data && mysql->options.extension && hash_inited(&mysql->options.extension->userdata) &&\n (p= (uchar *)hash_search(&mysql->options.extension->userdata, (uchar *)key,\n (uint)strlen((char *)key))))\n {\n p+= strlen(key) + 1;\n *((void **)data)= *((void **)p);\n break;\n }\n if (data)\n *((void **)data)= NULL;\n }\n break;\n case MARIADB_OPT_CONNECTION_HANDLER:\n *((char **)arg)= mysql->options.extension ? mysql->options.extension->connection_handler : NULL;\n break;\n case MARIADB_OPT_IO_WAIT:\n *((int(**)(my_socket, my_bool, int))arg) = mysql->options.extension ? mysql->options.extension->io_wait : NULL;\n break;\n default:\n va_end(ap);\n SET_CLIENT_ERROR(mysql, CR_NOT_IMPLEMENTED, SQLSTATE_UNKNOWN, 0);\n return(1);\n }\n va_end(ap);\n return(0);\nerror:\n va_end(ap);\n return(1);\n}", "project": "mariadb-connector-c", "hash": 194710675967656627923422250366895056077, "size": 213, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429663 }, { "func": "mysql_optionsv(MYSQL *mysql,enum mysql_option option, ...)\n{\n va_list ap;\n void *arg1;\n size_t stacksize;\n struct mysql_async_context *ctxt;\n\n va_start(ap, option);\n\n arg1= va_arg(ap, void *);\n\n switch (option) {\n case MYSQL_OPT_CONNECT_TIMEOUT:\n mysql->options.connect_timeout= *(uint*) arg1;\n break;\n case MYSQL_OPT_COMPRESS:\n mysql->options.compress= 1;\t\t\t/* Remember for connect */\n mysql->options.client_flag|= CLIENT_COMPRESS;\n break;\n case MYSQL_OPT_NAMED_PIPE:\n mysql->options.named_pipe=1;\t\t/* Force named pipe */\n break;\n case MYSQL_OPT_LOCAL_INFILE:\t\t\t/* Allow LOAD DATA LOCAL ?*/\n if 
(!arg1 || test(*(unsigned int*) arg1))\n mysql->options.client_flag|= CLIENT_LOCAL_FILES;\n else\n mysql->options.client_flag&= ~CLIENT_LOCAL_FILES;\n if (arg1) {\n CHECK_OPT_EXTENSION_SET(&mysql->options);\n mysql->extension->auto_local_infile= *(uint*)arg1 == LOCAL_INFILE_MODE_AUTO\n ? WAIT_FOR_QUERY : ALWAYS_ACCEPT;\n }\n break;\n case MYSQL_INIT_COMMAND:\n options_add_initcommand(&mysql->options, (char *)arg1);\n break;\n case MYSQL_READ_DEFAULT_FILE:\n OPT_SET_VALUE_STR(&mysql->options, my_cnf_file, (char *)arg1);\n break;\n case MYSQL_READ_DEFAULT_GROUP:\n OPT_SET_VALUE_STR(&mysql->options, my_cnf_group, arg1 ? (char *)arg1 : \"\");\n break;\n case MYSQL_SET_CHARSET_DIR:\n OPT_SET_VALUE_STR(&mysql->options, charset_dir, arg1);\n break;\n case MYSQL_SET_CHARSET_NAME:\n OPT_SET_VALUE_STR(&mysql->options, charset_name, arg1);\n break;\n case MYSQL_OPT_RECONNECT:\n mysql->options.reconnect= *(my_bool *)arg1;\n break;\n case MYSQL_OPT_PROTOCOL:\n mysql->options.protocol= *((uint *)arg1);\n break;\n#ifdef _WIN32\n case MYSQL_SHARED_MEMORY_BASE_NAME:\n OPT_SET_VALUE_STR(&mysql->options, shared_memory_base_name, arg1);\n break;\n#endif\n case MYSQL_OPT_READ_TIMEOUT:\n mysql->options.read_timeout= *(uint *)arg1;\n break;\n case MYSQL_OPT_WRITE_TIMEOUT:\n mysql->options.write_timeout= *(uint *)arg1;\n break;\n case MYSQL_REPORT_DATA_TRUNCATION:\n mysql->options.report_data_truncation= *(my_bool *)arg1;\n break;\n case MYSQL_PROGRESS_CALLBACK:\n CHECK_OPT_EXTENSION_SET(&mysql->options);\n if (mysql->options.extension)\n mysql->options.extension->report_progress=\n (void (*)(const MYSQL *, uint, uint, double, const char *, uint)) arg1;\n break;\n case MYSQL_SERVER_PUBLIC_KEY:\n OPT_SET_EXTENDED_VALUE_STR(&mysql->options, server_public_key, (char *)arg1);\n break;\n case MYSQL_PLUGIN_DIR:\n OPT_SET_EXTENDED_VALUE_STR(&mysql->options, plugin_dir, (char *)arg1);\n break;\n case MYSQL_DEFAULT_AUTH:\n OPT_SET_EXTENDED_VALUE_STR(&mysql->options, default_auth, (char *)arg1);\n 
break;\n case MYSQL_OPT_NONBLOCK:\n if (mysql->options.extension &&\n (ctxt = mysql->options.extension->async_context) != 0)\n {\n /*\n We must not allow changing the stack size while a non-blocking call is\n suspended (as the stack is then in use).\n */\n if (ctxt->suspended)\n goto end;\n my_context_destroy(&ctxt->async_context);\n free(ctxt);\n }\n if (!(ctxt= (struct mysql_async_context *)\n calloc(1, sizeof(*ctxt))))\n {\n SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);\n goto end;\n }\n stacksize= 0;\n if (arg1)\n stacksize= *(const size_t *)arg1;\n if (!stacksize)\n stacksize= ASYNC_CONTEXT_DEFAULT_STACK_SIZE;\n if (my_context_init(&ctxt->async_context, stacksize))\n {\n free(ctxt);\n goto end;\n }\n if (!mysql->options.extension)\n if(!(mysql->options.extension= (struct st_mysql_options_extension *)\n calloc(1, sizeof(struct st_mysql_options_extension))))\n {\n free(ctxt);\n SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);\n goto end;\n }\n mysql->options.extension->async_context= ctxt;\n break;\n case MYSQL_OPT_MAX_ALLOWED_PACKET:\n if (mysql)\n mysql->options.max_allowed_packet= (unsigned long)(*(size_t *)arg1);\n else\n max_allowed_packet= (unsigned long)(*(size_t *)arg1);\n break;\n case MYSQL_OPT_NET_BUFFER_LENGTH:\n net_buffer_length= (unsigned long)(*(size_t *)arg1);\n break;\n case MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS:\n if (*(my_bool *)arg1)\n mysql->options.client_flag |= CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS;\n else\n mysql->options.client_flag &= ~CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS;\n break;\n case MYSQL_OPT_SSL_ENFORCE:\n mysql->options.use_ssl= (*(my_bool *)arg1);\n break;\n case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:\n if (*(my_bool *)arg1)\n mysql->options.client_flag |= CLIENT_SSL_VERIFY_SERVER_CERT;\n else\n mysql->options.client_flag &= ~CLIENT_SSL_VERIFY_SERVER_CERT;\n break;\n case MYSQL_OPT_SSL_KEY:\n OPT_SET_VALUE_STR(&mysql->options, ssl_key, (char *)arg1);\n break;\n case MYSQL_OPT_SSL_CERT:\n 
OPT_SET_VALUE_STR(&mysql->options, ssl_cert, (char *)arg1);\n break;\n case MYSQL_OPT_SSL_CA:\n OPT_SET_VALUE_STR(&mysql->options, ssl_ca, (char *)arg1);\n break;\n case MYSQL_OPT_SSL_CAPATH:\n OPT_SET_VALUE_STR(&mysql->options, ssl_capath, (char *)arg1);\n break;\n case MYSQL_OPT_SSL_CIPHER:\n OPT_SET_VALUE_STR(&mysql->options, ssl_cipher, (char *)arg1);\n break;\n case MYSQL_OPT_SSL_CRL:\n OPT_SET_EXTENDED_VALUE_STR(&mysql->options, ssl_crl, (char *)arg1);\n break;\n case MYSQL_OPT_SSL_CRLPATH:\n OPT_SET_EXTENDED_VALUE_STR(&mysql->options, ssl_crlpath, (char *)arg1);\n break;\n case MYSQL_OPT_CONNECT_ATTR_DELETE:\n {\n uchar *h;\n CHECK_OPT_EXTENSION_SET(&mysql->options);\n if (hash_inited(&mysql->options.extension->connect_attrs) &&\n (h= (uchar *)hash_search(&mysql->options.extension->connect_attrs, (uchar *)arg1,\n arg1 ? (uint)strlen((char *)arg1) : 0)))\n {\n uchar *p= h;\n size_t key_len= strlen((char *)p);\n mysql->options.extension->connect_attrs_len-= key_len + get_store_length(key_len);\n p+= key_len + 1;\n key_len= strlen((char *)p);\n mysql->options.extension->connect_attrs_len-= key_len + get_store_length(key_len);\n hash_delete(&mysql->options.extension->connect_attrs, h);\n }\n\n }\n break;\n case MYSQL_OPT_CONNECT_ATTR_RESET:\n CHECK_OPT_EXTENSION_SET(&mysql->options);\n if (hash_inited(&mysql->options.extension->connect_attrs))\n {\n hash_free(&mysql->options.extension->connect_attrs);\n mysql->options.extension->connect_attrs_len= 0;\n }\n break;\n case MARIADB_OPT_CONNECTION_HANDLER:\n OPT_SET_EXTENDED_VALUE_STR(&mysql->options, connection_handler, (char *)arg1);\n break;\n case MARIADB_OPT_PORT:\n OPT_SET_VALUE_INT(&mysql->options, port, *((uint *)arg1));\n break;\n case MARIADB_OPT_UNIXSOCKET:\n OPT_SET_VALUE_STR(&mysql->options, unix_socket, arg1);\n break;\n case MARIADB_OPT_USER:\n OPT_SET_VALUE_STR(&mysql->options, user, arg1);\n break;\n case MARIADB_OPT_HOST:\n OPT_SET_VALUE_STR(&mysql->options, host, arg1);\n break;\n case 
MARIADB_OPT_SCHEMA:\n OPT_SET_VALUE_STR(&mysql->options, db, arg1);\n break;\n case MARIADB_OPT_DEBUG:\n break;\n case MARIADB_OPT_FOUND_ROWS:\n mysql->options.client_flag|= CLIENT_FOUND_ROWS;\n break;\n case MARIADB_OPT_INTERACTIVE:\n mysql->options.client_flag|= CLIENT_INTERACTIVE;\n break;\n case MARIADB_OPT_MULTI_RESULTS:\n mysql->options.client_flag|= CLIENT_MULTI_RESULTS;\n break;\n case MARIADB_OPT_MULTI_STATEMENTS:\n mysql->options.client_flag|= CLIENT_MULTI_STATEMENTS | CLIENT_MULTI_RESULTS;\n break;\n case MARIADB_OPT_PASSWORD:\n OPT_SET_VALUE_STR(&mysql->options, password, arg1);\n break;\n case MARIADB_OPT_USERDATA:\n {\n void *data= va_arg(ap, void *);\n uchar *buffer, *p;\n char *key= (char *)arg1;\n\n if (!key || !data)\n {\n SET_CLIENT_ERROR(mysql, CR_INVALID_PARAMETER_NO, SQLSTATE_UNKNOWN, 0);\n goto end;\n }\n\n CHECK_OPT_EXTENSION_SET(&mysql->options);\n if (!hash_inited(&mysql->options.extension->userdata))\n {\n if (_hash_init(&mysql->options.extension->userdata,\n 0, 0, 0, ma_get_hash_keyval, ma_int_hash_free, 0))\n {\n SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);\n goto end;\n }\n }\n /* check if key is already in buffer */\n p= (uchar *)hash_search(&mysql->options.extension->userdata, \n (uchar *)key,\n (uint)strlen(key));\n if (p)\n {\n p+= strlen(key) + 1;\n memcpy(p, &data, sizeof(void *));\n break;\n }\n\n if (!(buffer= (uchar *)malloc(strlen(key) + 1 + sizeof(void *))))\n {\n SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);\n goto end;\n }\n\n p= buffer;\n strcpy((char *)p, key);\n p+= strlen(key) + 1;\n memcpy(p, &data, sizeof(void *));\n\n if (hash_insert(&mysql->options.extension->userdata, buffer))\n {\n free(buffer);\n SET_CLIENT_ERROR(mysql, CR_INVALID_PARAMETER_NO, SQLSTATE_UNKNOWN, 0);\n goto end;\n }\n }\n break;\n case MYSQL_OPT_CONNECT_ATTR_ADD:\n {\n uchar *buffer;\n void *arg2= va_arg(ap, void *);\n size_t storage_len, key_len= arg1 ? strlen((char *)arg1) : 0,\n value_len= arg2 ? 
strlen((char *)arg2) : 0;\n if (!key_len || !value_len)\n {\n SET_CLIENT_ERROR(mysql, CR_INVALID_PARAMETER_NO, SQLSTATE_UNKNOWN, 0);\n goto end;\n }\n storage_len= key_len + value_len +\n get_store_length(key_len) +\n get_store_length(value_len);\n\n /* since we store terminating zero character in hash, we need\n * to increase lengths */\n key_len++;\n value_len++;\n\n CHECK_OPT_EXTENSION_SET(&mysql->options);\n if (!key_len ||\n storage_len + mysql->options.extension->connect_attrs_len > 0xFFFF)\n {\n SET_CLIENT_ERROR(mysql, CR_INVALID_PARAMETER_NO, SQLSTATE_UNKNOWN, 0);\n goto end;\n }\n\n if (!hash_inited(&mysql->options.extension->connect_attrs))\n {\n if (_hash_init(&mysql->options.extension->connect_attrs,\n 0, 0, 0, ma_get_hash_keyval, ma_int_hash_free, 0))\n {\n SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);\n goto end;\n }\n }\n if ((buffer= (uchar *)malloc(key_len + value_len)))\n {\n uchar *p= buffer;\n strcpy((char *)p, arg1);\n p+= (strlen(arg1) + 1);\n if (arg2)\n strcpy((char *)p, arg2);\n\n if (hash_insert(&mysql->options.extension->connect_attrs, buffer))\n {\n free(buffer);\n SET_CLIENT_ERROR(mysql, CR_INVALID_PARAMETER_NO, SQLSTATE_UNKNOWN, 0);\n goto end;\n }\n mysql->options.extension->connect_attrs_len+= storage_len;\n }\n else\n {\n SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);\n goto end;\n }\n }\n break;\n case MYSQL_ENABLE_CLEARTEXT_PLUGIN:\n break;\n case MYSQL_SECURE_AUTH:\n mysql->options.secure_auth= *(my_bool *)arg1;\n break;\n case MYSQL_OPT_BIND:\n OPT_SET_VALUE_STR(&mysql->options, bind_address, arg1);\n break;\n case MARIADB_OPT_TLS_CIPHER_STRENGTH:\n OPT_SET_EXTENDED_VALUE_INT(&mysql->options, tls_cipher_strength, *((unsigned int *)arg1));\n break;\n case MARIADB_OPT_SSL_FP:\n case MARIADB_OPT_TLS_PEER_FP:\n OPT_SET_EXTENDED_VALUE_STR(&mysql->options, tls_fp, (char *)arg1);\n mysql->options.use_ssl= 1;\n break;\n case MARIADB_OPT_SSL_FP_LIST:\n case MARIADB_OPT_TLS_PEER_FP_LIST:\n 
OPT_SET_EXTENDED_VALUE_STR(&mysql->options, tls_fp_list, (char *)arg1);\n mysql->options.use_ssl= 1;\n break;\n case MARIADB_OPT_TLS_PASSPHRASE:\n OPT_SET_EXTENDED_VALUE_STR(&mysql->options, tls_pw, (char *)arg1);\n break;\n case MARIADB_OPT_CONNECTION_READ_ONLY:\n OPT_SET_EXTENDED_VALUE_INT(&mysql->options, read_only, *(my_bool *)arg1);\n break;\n case MARIADB_OPT_PROXY_HEADER:\n {\n size_t arg2 = va_arg(ap, size_t);\n OPT_SET_EXTENDED_VALUE(&mysql->options, proxy_header, (char *)arg1);\n OPT_SET_EXTENDED_VALUE(&mysql->options, proxy_header_len, arg2);\n }\n break;\n case MARIADB_OPT_TLS_VERSION:\n case MYSQL_OPT_TLS_VERSION:\n OPT_SET_EXTENDED_VALUE_STR(&mysql->options, tls_version, (char *)arg1);\n break;\n case MARIADB_OPT_IO_WAIT:\n CHECK_OPT_EXTENSION_SET(&mysql->options);\n mysql->options.extension->io_wait = (int(*)(my_socket, my_bool, int))arg1;\n break;\n default:\n va_end(ap);\n SET_CLIENT_ERROR(mysql, CR_NOT_IMPLEMENTED, SQLSTATE_UNKNOWN, 0);\n return(1);\n }\n va_end(ap);\n return(0);\nend:\n va_end(ap);\n return(1);\n}", "project": "mariadb-connector-c", "hash": 1535397833526224090369838694127475084, "size": 394, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429711 }, { "func": "virSecuritySELinuxSetHostdevLabel(virSecurityManager *mgr,\n virDomainDef *def,\n virDomainHostdevDef *dev,\n const char *vroot)\n\n{\n virSecurityLabelDef *secdef;\n\n secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);\n if (!secdef || !secdef->relabel)\n return 0;\n\n switch (dev->mode) {\n case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:\n return virSecuritySELinuxSetHostdevSubsysLabel(mgr, def, dev, vroot);\n\n case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:\n return virSecuritySELinuxSetHostdevCapsLabel(mgr, def, dev, vroot);\n\n default:\n return 0;\n }\n}", "project": "libvirt", "hash": 
233509576780172787836982113836322225549, "size": 23, "commit_id": "15073504dbb624d3f6c911e85557019d3620fdb2", "message": "security: fix SELinux label generation logic\n\nA process can access a file if the set of MCS categories\nfor the file is equal-to *or* a subset-of, the set of\nMCS categories for the process.\n\nIf there are two VMs:\n\n a) svirt_t:s0:c117\n b) svirt_t:s0:c117,c720\n\nThen VM (b) is able to access files labelled for VM (a).\n\nIOW, we must discard case where the categories are equal\nbecause that is a subset of many other valid category pairs.\n\nFixes: https://gitlab.com/libvirt/libvirt/-/issues/153\nCVE-2021-3631\nReviewed-by: Peter Krempa \nSigned-off-by: Daniel P. Berrangé ", "target": 0, "dataset": "other", "idx": 430247 }, { "func": "virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDef *def,\n virDomainSmartcardDef *dev,\n void *opaque)\n{\n virSecurityManager *mgr = opaque;\n const char *database;\n\n switch (dev->type) {\n case VIR_DOMAIN_SMARTCARD_TYPE_HOST:\n break;\n\n case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:\n database = dev->data.cert.database;\n if (!database)\n database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;\n return virSecuritySELinuxRestoreFileLabel(mgr, database, true);\n\n case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:\n return virSecuritySELinuxRestoreChardevLabel(mgr, def,\n dev->data.passthru, false);\n\n default:\n virReportError(VIR_ERR_INTERNAL_ERROR,\n _(\"unknown smartcard type %d\"),\n dev->type);\n return -1;\n }\n\n return 0;\n}", "project": "libvirt", "hash": 145949792710665178130385970517724725904, "size": 30, "commit_id": "15073504dbb624d3f6c911e85557019d3620fdb2", "message": "security: fix SELinux label generation logic\n\nA process can access a file if the set of MCS categories\nfor the file is equal-to *or* a subset-of, the set of\nMCS categories for the process.\n\nIf there are two VMs:\n\n a) svirt_t:s0:c117\n b) svirt_t:s0:c117,c720\n\nThen VM (b) is able to access files labelled for VM 
(a).\n\nIOW, we must discard case where the categories are equal\nbecause that is a subset of many other valid category pairs.\n\nFixes: https://gitlab.com/libvirt/libvirt/-/issues/153\nCVE-2021-3631\nReviewed-by: Peter Krempa \nSigned-off-by: Daniel P. Berrangé ", "target": 0, "dataset": "other", "idx": 430248 }, { "func": "virSecuritySELinuxSetMemoryLabel(virSecurityManager *mgr,\n virDomainDef *def,\n virDomainMemoryDef *mem)\n{\n virSecurityLabelDef *seclabel;\n\n switch (mem->model) {\n case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:\n case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:\n seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);\n if (!seclabel || !seclabel->relabel)\n return 0;\n\n if (virSecuritySELinuxSetFilecon(mgr, mem->nvdimmPath,\n seclabel->imagelabel, true) < 0)\n return -1;\n break;\n\n case VIR_DOMAIN_MEMORY_MODEL_NONE:\n case VIR_DOMAIN_MEMORY_MODEL_DIMM:\n case VIR_DOMAIN_MEMORY_MODEL_LAST:\n break;\n }\n\n return 0;\n}", "project": "libvirt", "hash": 238686783427356160619895401530451709962, "size": 26, "commit_id": "15073504dbb624d3f6c911e85557019d3620fdb2", "message": "security: fix SELinux label generation logic\n\nA process can access a file if the set of MCS categories\nfor the file is equal-to *or* a subset-of, the set of\nMCS categories for the process.\n\nIf there are two VMs:\n\n a) svirt_t:s0:c117\n b) svirt_t:s0:c117,c720\n\nThen VM (b) is able to access files labelled for VM (a).\n\nIOW, we must discard case where the categories are equal\nbecause that is a subset of many other valid category pairs.\n\nFixes: https://gitlab.com/libvirt/libvirt/-/issues/153\nCVE-2021-3631\nReviewed-by: Peter Krempa \nSigned-off-by: Daniel P. 
Berrangé ", "target": 0, "dataset": "other", "idx": 430258 }, { "func": "virSecuritySELinuxRestoreChardevLabel(virSecurityManager *mgr,\n virDomainDef *def,\n virDomainChrSourceDef *dev_source,\n bool chardevStdioLogd)\n\n{\n virSecurityLabelDef *seclabel;\n virSecurityDeviceLabelDef *chr_seclabel = NULL;\n char *in = NULL, *out = NULL;\n int ret = -1;\n\n seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);\n if (!seclabel || !seclabel->relabel)\n return 0;\n\n chr_seclabel = virDomainChrSourceDefGetSecurityLabelDef(dev_source,\n SECURITY_SELINUX_NAME);\n if (chr_seclabel && !chr_seclabel->relabel)\n return 0;\n\n if (!chr_seclabel &&\n dev_source->type == VIR_DOMAIN_CHR_TYPE_FILE &&\n chardevStdioLogd)\n return 0;\n\n switch (dev_source->type) {\n case VIR_DOMAIN_CHR_TYPE_DEV:\n case VIR_DOMAIN_CHR_TYPE_FILE:\n if (virSecuritySELinuxRestoreFileLabel(mgr,\n dev_source->data.file.path,\n true) < 0)\n goto done;\n ret = 0;\n break;\n\n case VIR_DOMAIN_CHR_TYPE_UNIX:\n if (!dev_source->data.nix.listen) {\n if (virSecuritySELinuxRestoreFileLabel(mgr,\n dev_source->data.file.path,\n true) < 0)\n goto done;\n }\n ret = 0;\n break;\n\n case VIR_DOMAIN_CHR_TYPE_PIPE:\n out = g_strdup_printf(\"%s.out\", dev_source->data.file.path);\n in = g_strdup_printf(\"%s.in\", dev_source->data.file.path);\n if (virFileExists(in) && virFileExists(out)) {\n if ((virSecuritySELinuxRestoreFileLabel(mgr, out, true) < 0) ||\n (virSecuritySELinuxRestoreFileLabel(mgr, in, true) < 0)) {\n goto done;\n }\n } else if (virSecuritySELinuxRestoreFileLabel(mgr,\n dev_source->data.file.path,\n true) < 0) {\n goto done;\n }\n ret = 0;\n break;\n\n default:\n ret = 0;\n break;\n }\n\n done:\n VIR_FREE(in);\n VIR_FREE(out);\n return ret;\n}", "project": "libvirt", "hash": 325625664029635515390031833875625829817, "size": 71, "commit_id": "15073504dbb624d3f6c911e85557019d3620fdb2", "message": "security: fix SELinux label generation logic\n\nA process can access a file if the set of MCS 
categories\nfor the file is equal-to *or* a subset-of, the set of\nMCS categories for the process.\n\nIf there are two VMs:\n\n a) svirt_t:s0:c117\n b) svirt_t:s0:c117,c720\n\nThen VM (b) is able to access files labelled for VM (a).\n\nIOW, we must discard case where the categories are equal\nbecause that is a subset of many other valid category pairs.\n\nFixes: https://gitlab.com/libvirt/libvirt/-/issues/153\nCVE-2021-3631\nReviewed-by: Peter Krempa \nSigned-off-by: Daniel P. Berrangé ", "target": 0, "dataset": "other", "idx": 430271 }, { "func": "virSecuritySELinuxSetHostdevCapsLabel(virSecurityManager *mgr,\n virDomainDef *def,\n virDomainHostdevDef *dev,\n const char *vroot)\n{\n int ret = -1;\n virSecurityLabelDef *secdef;\n char *path;\n\n secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);\n if (secdef == NULL)\n return 0;\n\n switch (dev->source.caps.type) {\n case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {\n if (vroot) {\n path = g_strdup_printf(\"%s/%s\", vroot,\n dev->source.caps.u.storage.block);\n } else {\n path = g_strdup(dev->source.caps.u.storage.block);\n }\n ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel, true);\n VIR_FREE(path);\n break;\n }\n\n case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {\n if (vroot) {\n path = g_strdup_printf(\"%s/%s\", vroot,\n dev->source.caps.u.misc.chardev);\n } else {\n path = g_strdup(dev->source.caps.u.misc.chardev);\n }\n ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel, true);\n VIR_FREE(path);\n break;\n }\n\n default:\n ret = 0;\n break;\n }\n\n return ret;\n}", "project": "libvirt", "hash": 263124801348462021790945536041131053547, "size": 45, "commit_id": "15073504dbb624d3f6c911e85557019d3620fdb2", "message": "security: fix SELinux label generation logic\n\nA process can access a file if the set of MCS categories\nfor the file is equal-to *or* a subset-of, the set of\nMCS categories for the process.\n\nIf there are two VMs:\n\n a) svirt_t:s0:c117\n b) 
svirt_t:s0:c117,c720\n\nThen VM (b) is able to access files labelled for VM (a).\n\nIOW, we must discard case where the categories are equal\nbecause that is a subset of many other valid category pairs.\n\nFixes: https://gitlab.com/libvirt/libvirt/-/issues/153\nCVE-2021-3631\nReviewed-by: Peter Krempa \nSigned-off-by: Daniel P. Berrangé ", "target": 0, "dataset": "other", "idx": 430280 }, { "func": "virSecuritySELinuxSetChardevLabel(virSecurityManager *mgr,\n virDomainDef *def,\n virDomainChrSourceDef *dev_source,\n bool chardevStdioLogd)\n\n{\n virSecurityLabelDef *seclabel;\n virSecurityDeviceLabelDef *chr_seclabel = NULL;\n char *imagelabel = NULL;\n char *in = NULL, *out = NULL;\n int ret = -1;\n\n seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);\n if (!seclabel || !seclabel->relabel)\n return 0;\n\n chr_seclabel = virDomainChrSourceDefGetSecurityLabelDef(dev_source,\n SECURITY_SELINUX_NAME);\n\n if (chr_seclabel && !chr_seclabel->relabel)\n return 0;\n\n if (!chr_seclabel &&\n dev_source->type == VIR_DOMAIN_CHR_TYPE_FILE &&\n chardevStdioLogd)\n return 0;\n\n if (chr_seclabel)\n imagelabel = chr_seclabel->label;\n if (!imagelabel)\n imagelabel = seclabel->imagelabel;\n\n switch (dev_source->type) {\n case VIR_DOMAIN_CHR_TYPE_DEV:\n case VIR_DOMAIN_CHR_TYPE_FILE:\n ret = virSecuritySELinuxSetFilecon(mgr,\n dev_source->data.file.path,\n imagelabel,\n true);\n break;\n\n case VIR_DOMAIN_CHR_TYPE_UNIX:\n if (!dev_source->data.nix.listen) {\n if (virSecuritySELinuxSetFilecon(mgr,\n dev_source->data.nix.path,\n imagelabel,\n true) < 0)\n goto done;\n }\n ret = 0;\n break;\n\n case VIR_DOMAIN_CHR_TYPE_PIPE:\n in = g_strdup_printf(\"%s.in\", dev_source->data.file.path);\n out = g_strdup_printf(\"%s.out\", dev_source->data.file.path);\n if (virFileExists(in) && virFileExists(out)) {\n if ((virSecuritySELinuxSetFilecon(mgr, in, imagelabel, true) < 0) ||\n (virSecuritySELinuxSetFilecon(mgr, out, imagelabel, true) < 0)) {\n goto done;\n }\n } else 
if (virSecuritySELinuxSetFilecon(mgr,\n dev_source->data.file.path,\n imagelabel,\n true) < 0) {\n goto done;\n }\n ret = 0;\n break;\n\n default:\n ret = 0;\n break;\n }\n\n done:\n VIR_FREE(in);\n VIR_FREE(out);\n return ret;\n}", "project": "libvirt", "hash": 126563003496962784221567589789268752078, "size": 79, "commit_id": "15073504dbb624d3f6c911e85557019d3620fdb2", "message": "security: fix SELinux label generation logic\n\nA process can access a file if the set of MCS categories\nfor the file is equal-to *or* a subset-of, the set of\nMCS categories for the process.\n\nIf there are two VMs:\n\n a) svirt_t:s0:c117\n b) svirt_t:s0:c117,c720\n\nThen VM (b) is able to access files labelled for VM (a).\n\nIOW, we must discard case where the categories are equal\nbecause that is a subset of many other valid category pairs.\n\nFixes: https://gitlab.com/libvirt/libvirt/-/issues/153\nCVE-2021-3631\nReviewed-by: Peter Krempa \nSigned-off-by: Daniel P. Berrangé ", "target": 0, "dataset": "other", "idx": 430290 }, { "func": "virSecuritySELinuxRestoreHostdevCapsLabel(virSecurityManager *mgr,\n virDomainHostdevDef *dev,\n const char *vroot)\n{\n int ret = -1;\n char *path;\n\n switch (dev->source.caps.type) {\n case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {\n if (vroot) {\n path = g_strdup_printf(\"%s/%s\", vroot,\n dev->source.caps.u.storage.block);\n } else {\n path = g_strdup(dev->source.caps.u.storage.block);\n }\n ret = virSecuritySELinuxRestoreFileLabel(mgr, path, true);\n VIR_FREE(path);\n break;\n }\n\n case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {\n if (vroot) {\n path = g_strdup_printf(\"%s/%s\", vroot,\n dev->source.caps.u.misc.chardev);\n } else {\n path = g_strdup(dev->source.caps.u.misc.chardev);\n }\n ret = virSecuritySELinuxRestoreFileLabel(mgr, path, true);\n VIR_FREE(path);\n break;\n }\n\n default:\n ret = 0;\n break;\n }\n\n return ret;\n}", "project": "libvirt", "hash": 143991972812937246850018600949633344232, "size": 39, "commit_id": 
"15073504dbb624d3f6c911e85557019d3620fdb2", "message": "security: fix SELinux label generation logic\n\nA process can access a file if the set of MCS categories\nfor the file is equal-to *or* a subset-of, the set of\nMCS categories for the process.\n\nIf there are two VMs:\n\n a) svirt_t:s0:c117\n b) svirt_t:s0:c117,c720\n\nThen VM (b) is able to access files labelled for VM (a).\n\nIOW, we must discard case where the categories are equal\nbecause that is a subset of many other valid category pairs.\n\nFixes: https://gitlab.com/libvirt/libvirt/-/issues/153\nCVE-2021-3631\nReviewed-by: Peter Krempa \nSigned-off-by: Daniel P. Berrangé ", "target": 0, "dataset": "other", "idx": 430293 }, { "func": "virSecuritySELinuxSetTPMFileLabel(virSecurityManager *mgr,\n virDomainDef *def,\n virDomainTPMDef *tpm)\n{\n int rc;\n virSecurityLabelDef *seclabel;\n char *cancel_path;\n const char *tpmdev;\n\n seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);\n if (seclabel == NULL)\n return 0;\n\n switch (tpm->type) {\n case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:\n tpmdev = tpm->data.passthrough.source.data.file.path;\n rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel, false);\n if (rc < 0)\n return -1;\n\n if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) {\n rc = virSecuritySELinuxSetFilecon(mgr,\n cancel_path,\n seclabel->imagelabel, false);\n VIR_FREE(cancel_path);\n if (rc < 0) {\n virSecuritySELinuxRestoreTPMFileLabelInt(mgr, def, tpm);\n return -1;\n }\n } else {\n return -1;\n }\n break;\n case VIR_DOMAIN_TPM_TYPE_EMULATOR:\n tpmdev = tpm->data.emulator.source.data.nix.path;\n rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel, false);\n if (rc < 0)\n return -1;\n break;\n case VIR_DOMAIN_TPM_TYPE_LAST:\n break;\n }\n\n return 0;\n}", "project": "libvirt", "hash": 17452078163541697528173873256063171784, "size": 45, "commit_id": "15073504dbb624d3f6c911e85557019d3620fdb2", "message": "security: fix SELinux label 
generation logic\n\nA process can access a file if the set of MCS categories\nfor the file is equal-to *or* a subset-of, the set of\nMCS categories for the process.\n\nIf there are two VMs:\n\n a) svirt_t:s0:c117\n b) svirt_t:s0:c117,c720\n\nThen VM (b) is able to access files labelled for VM (a).\n\nIOW, we must discard case where the categories are equal\nbecause that is a subset of many other valid category pairs.\n\nFixes: https://gitlab.com/libvirt/libvirt/-/issues/153\nCVE-2021-3631\nReviewed-by: Peter Krempa \nSigned-off-by: Daniel P. Berrangé ", "target": 0, "dataset": "other", "idx": 430301 }, { "func": "virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDef *def,\n virDomainSmartcardDef *dev,\n void *opaque)\n{\n const char *database;\n virSecurityManager *mgr = opaque;\n virSecuritySELinuxData *data = virSecurityManagerGetPrivateData(mgr);\n\n switch (dev->type) {\n case VIR_DOMAIN_SMARTCARD_TYPE_HOST:\n break;\n\n case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:\n database = dev->data.cert.database;\n if (!database)\n database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;\n return virSecuritySELinuxSetFilecon(mgr, database, data->content_context, true);\n\n case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:\n return virSecuritySELinuxSetChardevLabel(mgr, def,\n dev->data.passthru, false);\n\n default:\n virReportError(VIR_ERR_INTERNAL_ERROR,\n _(\"unknown smartcard type %d\"),\n dev->type);\n return -1;\n }\n\n return 0;\n}", "project": "libvirt", "hash": 313741382841781615491557400874875895628, "size": 31, "commit_id": "15073504dbb624d3f6c911e85557019d3620fdb2", "message": "security: fix SELinux label generation logic\n\nA process can access a file if the set of MCS categories\nfor the file is equal-to *or* a subset-of, the set of\nMCS categories for the process.\n\nIf there are two VMs:\n\n a) svirt_t:s0:c117\n b) svirt_t:s0:c117,c720\n\nThen VM (b) is able to access files labelled for VM (a).\n\nIOW, we must discard case where the categories are 
equal\nbecause that is a subset of many other valid category pairs.\n\nFixes: https://gitlab.com/libvirt/libvirt/-/issues/153\nCVE-2021-3631\nReviewed-by: Peter Krempa \nSigned-off-by: Daniel P. Berrangé ", "target": 0, "dataset": "other", "idx": 430313 }, { "func": "virSecuritySELinuxRestoreHostdevLabel(virSecurityManager *mgr,\n virDomainDef *def,\n virDomainHostdevDef *dev,\n const char *vroot)\n\n{\n virSecurityLabelDef *secdef;\n\n secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);\n if (!secdef || !secdef->relabel)\n return 0;\n\n switch (dev->mode) {\n case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:\n return virSecuritySELinuxRestoreHostdevSubsysLabel(mgr, dev, vroot);\n\n case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:\n return virSecuritySELinuxRestoreHostdevCapsLabel(mgr, dev, vroot);\n\n default:\n return 0;\n }\n}", "project": "libvirt", "hash": 288454981250748869882410166262384029914, "size": 23, "commit_id": "15073504dbb624d3f6c911e85557019d3620fdb2", "message": "security: fix SELinux label generation logic\n\nA process can access a file if the set of MCS categories\nfor the file is equal-to *or* a subset-of, the set of\nMCS categories for the process.\n\nIf there are two VMs:\n\n a) svirt_t:s0:c117\n b) svirt_t:s0:c117,c720\n\nThen VM (b) is able to access files labelled for VM (a).\n\nIOW, we must discard case where the categories are equal\nbecause that is a subset of many other valid category pairs.\n\nFixes: https://gitlab.com/libvirt/libvirt/-/issues/153\nCVE-2021-3631\nReviewed-by: Peter Krempa \nSigned-off-by: Daniel P. 
Berrangé ", "target": 0, "dataset": "other", "idx": 430314 }, { "func": "virSecuritySELinuxRestoreMemoryLabel(virSecurityManager *mgr,\n virDomainDef *def,\n virDomainMemoryDef *mem)\n{\n int ret = -1;\n virSecurityLabelDef *seclabel;\n\n switch (mem->model) {\n case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:\n case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:\n seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);\n if (!seclabel || !seclabel->relabel)\n return 0;\n\n ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, true);\n break;\n\n case VIR_DOMAIN_MEMORY_MODEL_DIMM:\n case VIR_DOMAIN_MEMORY_MODEL_NONE:\n case VIR_DOMAIN_MEMORY_MODEL_LAST:\n ret = 0;\n break;\n }\n\n return ret;\n}", "project": "libvirt", "hash": 334461574086184101784162386783892571308, "size": 26, "commit_id": "15073504dbb624d3f6c911e85557019d3620fdb2", "message": "security: fix SELinux label generation logic\n\nA process can access a file if the set of MCS categories\nfor the file is equal-to *or* a subset-of, the set of\nMCS categories for the process.\n\nIf there are two VMs:\n\n a) svirt_t:s0:c117\n b) svirt_t:s0:c117,c720\n\nThen VM (b) is able to access files labelled for VM (a).\n\nIOW, we must discard case where the categories are equal\nbecause that is a subset of many other valid category pairs.\n\nFixes: https://gitlab.com/libvirt/libvirt/-/issues/153\nCVE-2021-3631\nReviewed-by: Peter Krempa \nSigned-off-by: Daniel P. 
Berrangé ", "target": 0, "dataset": "other", "idx": 430319 }, { "func": "virSecuritySELinuxRestoreTPMFileLabelInt(virSecurityManager *mgr,\n virDomainDef *def,\n virDomainTPMDef *tpm)\n{\n int rc = 0;\n virSecurityLabelDef *seclabel;\n char *cancel_path;\n const char *tpmdev;\n\n seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);\n if (seclabel == NULL)\n return 0;\n\n switch (tpm->type) {\n case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:\n tpmdev = tpm->data.passthrough.source.data.file.path;\n rc = virSecuritySELinuxRestoreFileLabel(mgr, tpmdev, false);\n\n if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) {\n if (virSecuritySELinuxRestoreFileLabel(mgr, cancel_path, false) < 0)\n rc = -1;\n VIR_FREE(cancel_path);\n }\n break;\n case VIR_DOMAIN_TPM_TYPE_EMULATOR:\n /* swtpm will have removed the Unix socket upon termination */\n case VIR_DOMAIN_TPM_TYPE_LAST:\n break;\n }\n\n return rc;\n}", "project": "libvirt", "hash": 282433106052166837827589830549611873766, "size": 32, "commit_id": "15073504dbb624d3f6c911e85557019d3620fdb2", "message": "security: fix SELinux label generation logic\n\nA process can access a file if the set of MCS categories\nfor the file is equal-to *or* a subset-of, the set of\nMCS categories for the process.\n\nIf there are two VMs:\n\n a) svirt_t:s0:c117\n b) svirt_t:s0:c117,c720\n\nThen VM (b) is able to access files labelled for VM (a).\n\nIOW, we must discard case where the categories are equal\nbecause that is a subset of many other valid category pairs.\n\nFixes: https://gitlab.com/libvirt/libvirt/-/issues/153\nCVE-2021-3631\nReviewed-by: Peter Krempa \nSigned-off-by: Daniel P. 
Berrangé ", "target": 0, "dataset": "other", "idx": 430321 }, { "func": "nfs4_bind_one_conn_to_session_done(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs41_bind_conn_to_session_args *args = task->tk_msg.rpc_argp;\n\tstruct nfs41_bind_conn_to_session_res *res = task->tk_msg.rpc_resp;\n\tstruct nfs_client *clp = args->client;\n\n\tswitch (task->tk_status) {\n\tcase -NFS4ERR_BADSESSION:\n\tcase -NFS4ERR_DEADSESSION:\n\t\tnfs4_schedule_session_recovery(clp->cl_session,\n\t\t\t\ttask->tk_status);\n\t}\n\tif (args->dir == NFS4_CDFC4_FORE_OR_BOTH &&\n\t\t\tres->dir != NFS4_CDFS4_BOTH) {\n\t\trpc_task_close_connection(task);\n\t\tif (args->retries++ < MAX_BIND_CONN_TO_SESSION_RETRIES)\n\t\t\trpc_restart_call(task);\n\t}\n}", "project": "linux", "hash": 317446974948790940535709202404832652570, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430949 }, { "func": "nfs4_map_atomic_open_claim(struct nfs_server *server,\n\t\tenum open_claim_type4 claim)\n{\n\tif (server->caps & NFS_CAP_ATOMIC_OPEN_V1)\n\t\treturn claim;\n\tswitch (claim) {\n\tdefault:\n\t\treturn claim;\n\tcase NFS4_OPEN_CLAIM_FH:\n\t\treturn NFS4_OPEN_CLAIM_NULL;\n\tcase NFS4_OPEN_CLAIM_DELEG_CUR_FH:\n\t\treturn NFS4_OPEN_CLAIM_DELEGATE_CUR;\n\tcase NFS4_OPEN_CLAIM_DELEG_PREV_FH:\n\t\treturn NFS4_OPEN_CLAIM_DELEGATE_PREV;\n\t}\n}", "project": "linux", "hash": 325511659244424413608401428235346265463, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to 
decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431090 }, { "func": "nfs4_layoutcommit_done(struct rpc_task *task, void *calldata)\n{\n\tstruct nfs4_layoutcommit_data *data = calldata;\n\tstruct nfs_server *server = NFS_SERVER(data->args.inode);\n\n\tif (!nfs41_sequence_done(task, &data->res.seq_res))\n\t\treturn;\n\n\tswitch (task->tk_status) { /* Just ignore these failures */\n\tcase -NFS4ERR_DELEG_REVOKED: /* layout was recalled */\n\tcase -NFS4ERR_BADIOMODE: /* no IOMODE_RW layout for range */\n\tcase -NFS4ERR_BADLAYOUT: /* no layout */\n\tcase -NFS4ERR_GRACE:\t /* loca_recalim always false */\n\t\ttask->tk_status = 0;\n\tcase 0:\n\t\tbreak;\n\tdefault:\n\t\tif (nfs4_async_handle_error(task, server, NULL, NULL) == -EAGAIN) {\n\t\t\trpc_restart_call_prepare(task);\n\t\t\treturn;\n\t\t}\n\t}\n}", "project": "linux", "hash": 143376572112993623280619496556908466864, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431106 }, { "func": "nfs4_map_atomic_open_share(struct nfs_server *server,\n\t\tfmode_t fmode, int openflags)\n{\n\tu32 res = 0;\n\n\tswitch (fmode & (FMODE_READ | FMODE_WRITE)) {\n\tcase FMODE_READ:\n\t\tres = NFS4_SHARE_ACCESS_READ;\n\t\tbreak;\n\tcase FMODE_WRITE:\n\t\tres = NFS4_SHARE_ACCESS_WRITE;\n\t\tbreak;\n\tcase 
FMODE_READ|FMODE_WRITE:\n\t\tres = NFS4_SHARE_ACCESS_BOTH;\n\t}\n\tif (!(server->caps & NFS_CAP_ATOMIC_OPEN_V1))\n\t\tgoto out;\n\t/* Want no delegation if we're using O_DIRECT */\n\tif (openflags & O_DIRECT)\n\t\tres |= NFS4_SHARE_WANT_NO_DELEG;\nout:\n\treturn res;\n}", "project": "linux", "hash": 252693469243386292863017349523686394224, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431305 }, { "func": "nfs4_layoutget_handle_exception(struct rpc_task *task,\n\t\tstruct nfs4_layoutget *lgp, struct nfs4_exception *exception)\n{\n\tstruct inode *inode = lgp->args.inode;\n\tstruct nfs_server *server = NFS_SERVER(inode);\n\tstruct pnfs_layout_hdr *lo;\n\tint nfs4err = task->tk_status;\n\tint err, status = 0;\n\tLIST_HEAD(head);\n\n\tdprintk(\"--> %s tk_status => %d\\n\", __func__, -task->tk_status);\n\n\tnfs4_sequence_free_slot(&lgp->res.seq_res);\n\n\tswitch (nfs4err) {\n\tcase 0:\n\t\tgoto out;\n\n\t/*\n\t * NFS4ERR_LAYOUTUNAVAILABLE means we are not supposed to use pnfs\n\t * on the file. 
set tk_status to -ENODATA to tell upper layer to\n\t * retry go inband.\n\t */\n\tcase -NFS4ERR_LAYOUTUNAVAILABLE:\n\t\tstatus = -ENODATA;\n\t\tgoto out;\n\t/*\n\t * NFS4ERR_BADLAYOUT means the MDS cannot return a layout of\n\t * length lgp->args.minlength != 0 (see RFC5661 section 18.43.3).\n\t */\n\tcase -NFS4ERR_BADLAYOUT:\n\t\tstatus = -EOVERFLOW;\n\t\tgoto out;\n\t/*\n\t * NFS4ERR_LAYOUTTRYLATER is a conflict with another client\n\t * (or clients) writing to the same RAID stripe except when\n\t * the minlength argument is 0 (see RFC5661 section 18.43.3).\n\t *\n\t * Treat it like we would RECALLCONFLICT -- we retry for a little\n\t * while, and then eventually give up.\n\t */\n\tcase -NFS4ERR_LAYOUTTRYLATER:\n\t\tif (lgp->args.minlength == 0) {\n\t\t\tstatus = -EOVERFLOW;\n\t\t\tgoto out;\n\t\t}\n\t\tstatus = -EBUSY;\n\t\tbreak;\n\tcase -NFS4ERR_RECALLCONFLICT:\n\t\tstatus = -ERECALLCONFLICT;\n\t\tbreak;\n\tcase -NFS4ERR_DELEG_REVOKED:\n\tcase -NFS4ERR_ADMIN_REVOKED:\n\tcase -NFS4ERR_EXPIRED:\n\tcase -NFS4ERR_BAD_STATEID:\n\t\texception->timeout = 0;\n\t\tspin_lock(&inode->i_lock);\n\t\tlo = NFS_I(inode)->layout;\n\t\t/* If the open stateid was bad, then recover it. 
*/\n\t\tif (!lo || test_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags) ||\n\t\t !nfs4_stateid_match_other(&lgp->args.stateid, &lo->plh_stateid)) {\n\t\t\tspin_unlock(&inode->i_lock);\n\t\t\texception->state = lgp->args.ctx->state;\n\t\t\texception->stateid = &lgp->args.stateid;\n\t\t\tbreak;\n\t\t}\n\n\t\t/*\n\t\t * Mark the bad layout state as invalid, then retry\n\t\t */\n\t\tpnfs_mark_layout_stateid_invalid(lo, &head);\n\t\tspin_unlock(&inode->i_lock);\n\t\tnfs_commit_inode(inode, 0);\n\t\tpnfs_free_lseg_list(&head);\n\t\tstatus = -EAGAIN;\n\t\tgoto out;\n\t}\n\n\terr = nfs4_handle_exception(server, nfs4err, exception);\n\tif (!status) {\n\t\tif (exception->retry)\n\t\t\tstatus = -EAGAIN;\n\t\telse\n\t\t\tstatus = err;\n\t}\nout:\n\tdprintk(\"<-- %s\\n\", __func__);\n\treturn status;\n}", "project": "linux", "hash": 196061715184100118463763666382210448511, "size": 89, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431315 }, { "func": "nfs4_opendata_check_deleg(struct nfs4_opendata *data, struct nfs4_state *state)\n{\n\tstruct nfs_client *clp = NFS_SERVER(state->inode)->nfs_client;\n\tstruct nfs_delegation *delegation;\n\tint delegation_flags = 0;\n\n\trcu_read_lock();\n\tdelegation = rcu_dereference(NFS_I(state->inode)->delegation);\n\tif (delegation)\n\t\tdelegation_flags = delegation->flags;\n\trcu_read_unlock();\n\tswitch (data->o_arg.claim) {\n\tdefault:\n\t\tbreak;\n\tcase NFS4_OPEN_CLAIM_DELEGATE_CUR:\n\tcase NFS4_OPEN_CLAIM_DELEG_CUR_FH:\n\t\tpr_err_ratelimited(\"NFS: Broken NFSv4 server %s is \"\n\t\t\t\t \"returning a delegation 
for \"\n\t\t\t\t \"OPEN(CLAIM_DELEGATE_CUR)\\n\",\n\t\t\t\t clp->cl_hostname);\n\t\treturn;\n\t}\n\tif ((delegation_flags & 1UL<inode,\n\t\t\t\tdata->owner->so_cred,\n\t\t\t\tdata->o_res.delegation_type,\n\t\t\t\t&data->o_res.delegation,\n\t\t\t\tdata->o_res.pagemod_limit);\n\telse\n\t\tnfs_inode_reclaim_delegation(state->inode,\n\t\t\t\tdata->owner->so_cred,\n\t\t\t\tdata->o_res.delegation_type,\n\t\t\t\t&data->o_res.delegation,\n\t\t\t\tdata->o_res.pagemod_limit);\n\n\tif (data->o_res.do_recall)\n\t\tnfs_async_inode_return_delegation(state->inode,\n\t\t\t\t\t\t &data->o_res.delegation);\n}", "project": "linux", "hash": 93972605142788078735450186772583020611, "size": 39, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431364 }, { "func": "nfs4_recoverable_stateid(const nfs4_stateid *stateid)\n{\n\tif (!stateid)\n\t\treturn NULL;\n\tswitch (stateid->type) {\n\tcase NFS4_OPEN_STATEID_TYPE:\n\tcase NFS4_LOCK_STATEID_TYPE:\n\tcase NFS4_DELEGATION_STATEID_TYPE:\n\t\treturn stateid;\n\tdefault:\n\t\tbreak;\n\t}\n\treturn NULL;\n}", "project": "linux", "hash": 207847271330312309875332019031810107199, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", 
"target": 0, "dataset": "other", "idx": 431459 }, { "func": "nfs4_opendata_get_inode(struct nfs4_opendata *data)\n{\n\tstruct inode *inode;\n\n\tswitch (data->o_arg.claim) {\n\tcase NFS4_OPEN_CLAIM_NULL:\n\tcase NFS4_OPEN_CLAIM_DELEGATE_CUR:\n\tcase NFS4_OPEN_CLAIM_DELEGATE_PREV:\n\t\tif (!(data->f_attr.valid & NFS_ATTR_FATTR))\n\t\t\treturn ERR_PTR(-EAGAIN);\n\t\tinode = nfs_fhget(data->dir->d_sb, &data->o_res.fh,\n\t\t\t\t&data->f_attr, data->f_label);\n\t\tbreak;\n\tdefault:\n\t\tinode = d_inode(data->dentry);\n\t\tihold(inode);\n\t\tnfs_refresh_inode(inode, &data->f_attr);\n\t}\n\treturn inode;\n}", "project": "linux", "hash": 180585769354374291078207685282599249696, "size": 20, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431524 }, { "func": "nfs4_run_exchange_id(struct nfs_client *clp, const struct cred *cred,\n\t\t\tu32 sp4_how, struct rpc_xprt *xprt)\n{\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_EXCHANGE_ID],\n\t\t.rpc_cred = cred,\n\t};\n\tstruct rpc_task_setup task_setup_data = {\n\t\t.rpc_client = clp->cl_rpcclient,\n\t\t.callback_ops = &nfs4_exchange_id_call_ops,\n\t\t.rpc_message = &msg,\n\t\t.flags = RPC_TASK_TIMEOUT | RPC_TASK_NO_ROUND_ROBIN,\n\t};\n\tstruct nfs41_exchange_id_data *calldata;\n\tint status;\n\n\tif (!refcount_inc_not_zero(&clp->cl_count))\n\t\treturn ERR_PTR(-EIO);\n\n\tstatus = -ENOMEM;\n\tcalldata = kzalloc(sizeof(*calldata), GFP_NOFS);\n\tif (!calldata)\n\t\tgoto out;\n\n\tnfs4_init_boot_verifier(clp, &calldata->args.verifier);\n\n\tstatus = 
nfs4_init_uniform_client_string(clp);\n\tif (status)\n\t\tgoto out_calldata;\n\n\tcalldata->res.server_owner = kzalloc(sizeof(struct nfs41_server_owner),\n\t\t\t\t\t\tGFP_NOFS);\n\tstatus = -ENOMEM;\n\tif (unlikely(calldata->res.server_owner == NULL))\n\t\tgoto out_calldata;\n\n\tcalldata->res.server_scope = kzalloc(sizeof(struct nfs41_server_scope),\n\t\t\t\t\tGFP_NOFS);\n\tif (unlikely(calldata->res.server_scope == NULL))\n\t\tgoto out_server_owner;\n\n\tcalldata->res.impl_id = kzalloc(sizeof(struct nfs41_impl_id), GFP_NOFS);\n\tif (unlikely(calldata->res.impl_id == NULL))\n\t\tgoto out_server_scope;\n\n\tswitch (sp4_how) {\n\tcase SP4_NONE:\n\t\tcalldata->args.state_protect.how = SP4_NONE;\n\t\tbreak;\n\n\tcase SP4_MACH_CRED:\n\t\tcalldata->args.state_protect = nfs4_sp4_mach_cred_request;\n\t\tbreak;\n\n\tdefault:\n\t\t/* unsupported! */\n\t\tWARN_ON_ONCE(1);\n\t\tstatus = -EINVAL;\n\t\tgoto out_impl_id;\n\t}\n\tif (xprt) {\n\t\ttask_setup_data.rpc_xprt = xprt;\n\t\ttask_setup_data.flags |= RPC_TASK_SOFTCONN;\n\t\tmemcpy(calldata->args.verifier.data, clp->cl_confirm.data,\n\t\t\t\tsizeof(calldata->args.verifier.data));\n\t}\n\tcalldata->args.client = clp;\n\tcalldata->args.flags = EXCHGID4_FLAG_SUPP_MOVED_REFER |\n\tEXCHGID4_FLAG_BIND_PRINC_STATEID;\n#ifdef CONFIG_NFS_V4_1_MIGRATION\n\tcalldata->args.flags |= EXCHGID4_FLAG_SUPP_MOVED_MIGR;\n#endif\n\tmsg.rpc_argp = &calldata->args;\n\tmsg.rpc_resp = &calldata->res;\n\ttask_setup_data.callback_data = calldata;\n\n\treturn rpc_run_task(&task_setup_data);\n\nout_impl_id:\n\tkfree(calldata->res.impl_id);\nout_server_scope:\n\tkfree(calldata->res.server_scope);\nout_server_owner:\n\tkfree(calldata->res.server_owner);\nout_calldata:\n\tkfree(calldata);\nout:\n\tnfs_put_client(clp);\n\treturn ERR_PTR(status);\n}", "project": "linux", "hash": 114643880881686006071511559747247142556, "size": 90, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove 
the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431557 }, { "func": "nfs41_proc_secinfo_no_name(struct nfs_server *server, struct nfs_fh *fhandle,\n\t\t\t struct nfs_fsinfo *info, struct nfs4_secinfo_flavors *flavors)\n{\n\tstruct nfs4_exception exception = {\n\t\t.interruptible = true,\n\t};\n\tint err;\n\tdo {\n\t\t/* first try using integrity protection */\n\t\terr = -NFS4ERR_WRONGSEC;\n\n\t\t/* try to use integrity protection with machine cred */\n\t\tif (_nfs4_is_integrity_protected(server->nfs_client))\n\t\t\terr = _nfs41_proc_secinfo_no_name(server, fhandle, info,\n\t\t\t\t\t\t\t flavors, true);\n\n\t\t/*\n\t\t * if unable to use integrity protection, or SECINFO with\n\t\t * integrity protection returns NFS4ERR_WRONGSEC (which is\n\t\t * disallowed by spec, but exists in deployed servers) use\n\t\t * the current filesystem's rpc_client and the user cred.\n\t\t */\n\t\tif (err == -NFS4ERR_WRONGSEC)\n\t\t\terr = _nfs41_proc_secinfo_no_name(server, fhandle, info,\n\t\t\t\t\t\t\t flavors, false);\n\n\t\tswitch (err) {\n\t\tcase 0:\n\t\tcase -NFS4ERR_WRONGSEC:\n\t\tcase -ENOTSUPP:\n\t\t\tgoto out;\n\t\tdefault:\n\t\t\terr = nfs4_handle_exception(server, err, &exception);\n\t\t}\n\t} while (exception.retry);\nout:\n\treturn err;\n}", "project": "linux", "hash": 157246286695117646286356162232721518795, "size": 38, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell 
\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431615 }, { "func": "static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,\n\t\t\t\t\t\t __u16 handle)\n{\n\tstruct hci_chan *chan;\n\n\tswitch (hdev->dev_type) {\n\tcase HCI_PRIMARY:\n\t\treturn hci_conn_hash_lookup_handle(hdev, handle);\n\tcase HCI_AMP:\n\t\tchan = hci_chan_lookup_handle(hdev, handle);\n\t\tif (chan)\n\t\t\treturn chan->conn;\n\t\tbreak;\n\tdefault:\n\t\tbt_dev_err(hdev, \"unknown dev_type %d\", hdev->dev_type);\n\t\tbreak;\n\t}\n\n\treturn NULL;\n}", "project": "linux", "hash": 79212700789228554864370802694243845898, "size": 20, "commit_id": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "message": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()\n\nCheck upon `num_rsp` is insufficient. A malformed event packet with a\nlarge `num_rsp` number makes hci_extended_inquiry_result_evt() go out\nof bounds. 
Fix it.\n\nThis patch fixes the following syzbot bug:\n\n https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2\n\nReported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com\nCc: stable@vger.kernel.org\nSigned-off-by: Peilin Ye \nAcked-by: Greg Kroah-Hartman \nSigned-off-by: Marcel Holtmann ", "target": 0, "dataset": "other", "idx": 431911 }, { "func": "static struct vmcb_seg *svm_seg(struct kvm_vcpu *vcpu, int seg)\n{\n\tstruct vmcb_save_area *save = &to_svm(vcpu)->vmcb->save;\n\n\tswitch (seg) {\n\tcase VCPU_SREG_CS: return &save->cs;\n\tcase VCPU_SREG_DS: return &save->ds;\n\tcase VCPU_SREG_ES: return &save->es;\n\tcase VCPU_SREG_FS: return &save->fs;\n\tcase VCPU_SREG_GS: return &save->gs;\n\tcase VCPU_SREG_SS: return &save->ss;\n\tcase VCPU_SREG_TR: return &save->tr;\n\tcase VCPU_SREG_LDTR: return &save->ldtr;\n\t}\n\tBUG();\n\treturn NULL;\n}", "project": "linux", "hash": 306918154708741586059845353539148394457, "size": 17, "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. 
Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon \nReviewed-by: Vitaly Kuznetsov \nSigned-off-by: Miaohe Lin \nSigned-off-by: Paolo Bonzini ", "target": 0, "dataset": "other", "idx": 432452 }, { "func": "set_max_block_time(self, time)\n VALUE self;\n VALUE time;\n{\n struct Tcl_Time tcl_time;\n VALUE divmod;\n\n switch(TYPE(time)) {\n case T_FIXNUM:\n case T_BIGNUM:\n /* time is micro-second value */\n divmod = rb_funcall(time, rb_intern(\"divmod\"), 1, LONG2NUM(1000000));\n tcl_time.sec = NUM2LONG(RARRAY_PTR(divmod)[0]);\n tcl_time.usec = NUM2LONG(RARRAY_PTR(divmod)[1]);\n break;\n\n case T_FLOAT:\n /* time is second value */\n divmod = rb_funcall(time, rb_intern(\"divmod\"), 1, INT2FIX(1));\n tcl_time.sec = NUM2LONG(RARRAY_PTR(divmod)[0]);\n tcl_time.usec = (long)(NUM2DBL(RARRAY_PTR(divmod)[1]) * 1000000);\n\n default:\n {\n\t VALUE tmp = rb_funcallv(time, ID_inspect, 0, 0);\n\t rb_raise(rb_eArgError, \"invalid value for time: '%s'\",\n\t\t StringValuePtr(tmp));\n\t}\n }\n\n Tcl_SetMaxBlockTime(&tcl_time);\n\n return Qnil;\n}", "project": "tk", "hash": 322811910419656772841123508095332082898, "size": 34, "commit_id": "ebd0fc80d62eeb7b8556522256f8d035e013eb65", "message": "tcltklib.c: check argument\n\n* ext/tk/tcltklib.c (ip_cancel_eval_core): check argument type and\n length.\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51468 b2dd03c8-39d4-4d8f-98ff-823fe69b080e", "target": 0, "dataset": "other", "idx": 432840 }, { "func": "do_fontx_ioctl(int cmd, struct consolefontdesc __user *user_cfd, int perm, struct console_font_op *op)\n{\n\tstruct consolefontdesc cfdarg;\n\tint i;\n\n\tif (copy_from_user(&cfdarg, user_cfd, sizeof(struct consolefontdesc))) \n\t\treturn -EFAULT;\n \t\n\tswitch (cmd) {\n\tcase PIO_FONTX:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\top->op = KD_FONT_OP_SET;\n\t\top->flags = KD_FONT_FLAG_OLD;\n\t\top->width = 8;\n\t\top->height = cfdarg.charheight;\n\t\top->charcount = 
cfdarg.charcount;\n\t\top->data = cfdarg.chardata;\n\t\treturn con_font_op(vc_cons[fg_console].d, op);\n\tcase GIO_FONTX: {\n\t\top->op = KD_FONT_OP_GET;\n\t\top->flags = KD_FONT_FLAG_OLD;\n\t\top->width = 8;\n\t\top->height = cfdarg.charheight;\n\t\top->charcount = cfdarg.charcount;\n\t\top->data = cfdarg.chardata;\n\t\ti = con_font_op(vc_cons[fg_console].d, op);\n\t\tif (i)\n\t\t\treturn i;\n\t\tcfdarg.charheight = op->height;\n\t\tcfdarg.charcount = op->charcount;\n\t\tif (copy_to_user(user_cfd, &cfdarg, sizeof(struct consolefontdesc)))\n\t\t\treturn -EFAULT;\n\t\treturn 0;\n\t\t}\n\t}\n\treturn -EINVAL;\n}", "project": "linux", "hash": 29158297128510727007057079682585935243, "size": 38, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437072 }, { "func": "do_unimap_ioctl(int cmd, struct unimapdesc __user *user_ud, int perm, struct vc_data *vc)\n{\n\tstruct unimapdesc tmp;\n\n\tif (copy_from_user(&tmp, user_ud, sizeof tmp))\n\t\treturn -EFAULT;\n\tswitch (cmd) {\n\tcase PIO_UNIMAP:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\treturn con_set_unimap(vc, tmp.entry_ct, tmp.entries);\n\tcase GIO_UNIMAP:\n\t\tif (!perm && fg_console != vc->vc_num)\n\t\t\treturn -EPERM;\n\t\treturn con_get_unimap(vc, tmp.entry_ct, &(user_ud->entry_ct), tmp.entries);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 207677644648533758149703542423647100247, "size": 18, "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. 
Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include \n\t#include \n\t#include \n\t#include \n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby \nSigned-off-by: Eric Biggers \nLink: 
https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 437093 }, { "func": "bfad_im_get_host_port_state(struct Scsi_Host *shost)\n{\n\tstruct bfad_im_port_s *im_port =\n\t\t\t(struct bfad_im_port_s *) shost->hostdata[0];\n\tstruct bfad_s *bfad = im_port->bfad;\n\tstruct bfa_port_attr_s attr;\n\n\tbfa_fcport_get_attr(&bfad->bfa, &attr);\n\n\tswitch (attr.port_state) {\n\tcase BFA_PORT_ST_LINKDOWN:\n\t\tfc_host_port_state(shost) = FC_PORTSTATE_LINKDOWN;\n\t\tbreak;\n\tcase BFA_PORT_ST_LINKUP:\n\t\tfc_host_port_state(shost) = FC_PORTSTATE_ONLINE;\n\t\tbreak;\n\tcase BFA_PORT_ST_DISABLED:\n\tcase BFA_PORT_ST_STOPPED:\n\tcase BFA_PORT_ST_IOCDOWN:\n\tcase BFA_PORT_ST_IOCDIS:\n\t\tfc_host_port_state(shost) = FC_PORTSTATE_OFFLINE;\n\t\tbreak;\n\tcase BFA_PORT_ST_UNINIT:\n\tcase BFA_PORT_ST_ENABLING_QWAIT:\n\tcase BFA_PORT_ST_ENABLING:\n\tcase BFA_PORT_ST_DISABLING_QWAIT:\n\tcase BFA_PORT_ST_DISABLING:\n\tdefault:\n\t\tfc_host_port_state(shost) = FC_PORTSTATE_UNKNOWN;\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 323476008251613511127214012581485582325, "size": 32, "commit_id": "0e62395da2bd5166d7c9e14cbc7503b256a34cb0", "message": "scsi: bfa: release allocated memory in case of error\n\nIn bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to\nbe released.\n\nLink: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com\nSigned-off-by: Navid Emamdoost \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 439518 }, { "func": "bfad_im_get_host_speed(struct Scsi_Host *shost)\n{\n\tstruct bfad_im_port_s *im_port =\n\t\t\t(struct bfad_im_port_s *) shost->hostdata[0];\n\tstruct bfad_s *bfad = im_port->bfad;\n\tstruct bfa_port_attr_s attr;\n\n\tbfa_fcport_get_attr(&bfad->bfa, &attr);\n\tswitch (attr.speed) {\n\tcase BFA_PORT_SPEED_10GBPS:\n\t\tfc_host_speed(shost) = FC_PORTSPEED_10GBIT;\n\t\tbreak;\n\tcase BFA_PORT_SPEED_16GBPS:\n\t\tfc_host_speed(shost) = FC_PORTSPEED_16GBIT;\n\t\tbreak;\n\tcase BFA_PORT_SPEED_8GBPS:\n\t\tfc_host_speed(shost) = FC_PORTSPEED_8GBIT;\n\t\tbreak;\n\tcase BFA_PORT_SPEED_4GBPS:\n\t\tfc_host_speed(shost) = FC_PORTSPEED_4GBIT;\n\t\tbreak;\n\tcase BFA_PORT_SPEED_2GBPS:\n\t\tfc_host_speed(shost) = FC_PORTSPEED_2GBIT;\n\t\tbreak;\n\tcase BFA_PORT_SPEED_1GBPS:\n\t\tfc_host_speed(shost) = FC_PORTSPEED_1GBIT;\n\t\tbreak;\n\tdefault:\n\t\tfc_host_speed(shost) = FC_PORTSPEED_UNKNOWN;\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 78956898298006009373704506145927367773, "size": 32, "commit_id": "0e62395da2bd5166d7c9e14cbc7503b256a34cb0", "message": "scsi: bfa: release allocated memory in case of error\n\nIn bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to\nbe released.\n\nLink: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com\nSigned-off-by: Navid Emamdoost \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 439529 }, { "func": "bfad_im_get_host_port_type(struct Scsi_Host *shost)\n{\n\tstruct bfad_im_port_s *im_port =\n\t\t\t(struct bfad_im_port_s *) shost->hostdata[0];\n\tstruct bfad_s *bfad = im_port->bfad;\n\tstruct bfa_lport_attr_s port_attr;\n\n\tbfa_fcs_lport_get_attr(&bfad->bfa_fcs.fabric.bport, &port_attr);\n\n\tswitch (port_attr.port_type) {\n\tcase BFA_PORT_TYPE_NPORT:\n\t\tfc_host_port_type(shost) = FC_PORTTYPE_NPORT;\n\t\tbreak;\n\tcase BFA_PORT_TYPE_NLPORT:\n\t\tfc_host_port_type(shost) = FC_PORTTYPE_NLPORT;\n\t\tbreak;\n\tcase BFA_PORT_TYPE_P2P:\n\t\tfc_host_port_type(shost) = FC_PORTTYPE_PTP;\n\t\tbreak;\n\tcase BFA_PORT_TYPE_LPORT:\n\t\tfc_host_port_type(shost) = FC_PORTTYPE_LPORT;\n\t\tbreak;\n\tdefault:\n\t\tfc_host_port_type(shost) = FC_PORTTYPE_UNKNOWN;\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 315107495364540261618018720056811563134, "size": 27, "commit_id": "0e62395da2bd5166d7c9e14cbc7503b256a34cb0", "message": "scsi: bfa: release allocated memory in case of error\n\nIn bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to\nbe released.\n\nLink: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com\nSigned-off-by: Navid Emamdoost \nSigned-off-by: Martin K. 
Petersen ", "target": 0, "dataset": "other", "idx": 439531 }, { "func": "mwifiex_band_to_radio_type(u8 band)\n{\n\tswitch (band) {\n\tcase BAND_A:\n\tcase BAND_AN:\n\tcase BAND_A | BAND_AN:\n\tcase BAND_A | BAND_AN | BAND_AAC:\n\t\treturn HostCmd_SCAN_RADIO_TYPE_A;\n\tcase BAND_B:\n\tcase BAND_G:\n\tcase BAND_B | BAND_G:\n\tdefault:\n\t\treturn HostCmd_SCAN_RADIO_TYPE_BG;\n\t}\n}", "project": "linux", "hash": 259343542037303693445826086809160003071, "size": 15, "commit_id": "5c455c5ab332773464d02ba17015acdca198f03d", "message": "mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start\n\nmwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking\nthe destination size may trigger a buffer overflower,\nwhich a local user could use to cause denial of service\nor the execution of arbitrary code.\nFix it by putting the length check before calling memcpy().\n\nSigned-off-by: Zhang Xiaohui \nSigned-off-by: Kalle Valo \nLink: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com", "target": 0, "dataset": "other", "idx": 444806 }, { "func": "static const char *assoc_failure_reason_to_str(u16 cap_info)\n{\n\tswitch (cap_info) {\n\tcase CONNECT_ERR_AUTH_ERR_STA_FAILURE:\n\t\treturn \"CONNECT_ERR_AUTH_ERR_STA_FAILURE\";\n\tcase CONNECT_ERR_AUTH_MSG_UNHANDLED:\n\t\treturn \"CONNECT_ERR_AUTH_MSG_UNHANDLED\";\n\tcase CONNECT_ERR_ASSOC_ERR_TIMEOUT:\n\t\treturn \"CONNECT_ERR_ASSOC_ERR_TIMEOUT\";\n\tcase CONNECT_ERR_ASSOC_ERR_AUTH_REFUSED:\n\t\treturn \"CONNECT_ERR_ASSOC_ERR_AUTH_REFUSED\";\n\tcase CONNECT_ERR_STA_FAILURE:\n\t\treturn \"CONNECT_ERR_STA_FAILURE\";\n\t}\n\n\treturn \"Unknown connect failure\";\n}", "project": "linux", "hash": 36789622360329558713381076398087116182, "size": 17, "commit_id": "5c455c5ab332773464d02ba17015acdca198f03d", "message": "mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start\n\nmwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking\nthe destination size may trigger a 
buffer overflower,\nwhich a local user could use to cause denial of service\nor the execution of arbitrary code.\nFix it by putting the length check before calling memcpy().\n\nSigned-off-by: Zhang Xiaohui \nSigned-off-by: Kalle Valo \nLink: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com", "target": 0, "dataset": "other", "idx": 444809 }, { "func": "int service_init(int argc __attribute__((unused)),\n\t\t char **argv __attribute__((unused)),\n\t\t char **envp __attribute__((unused)))\n{\n int opt;\n const char *prefix;\n\n initialize_nntp_error_table();\n\n if (geteuid() == 0) fatal(\"must run as the Cyrus user\", EC_USAGE);\n setproctitle_init(argc, argv, envp);\n\n /* set signal handlers */\n signals_set_shutdown(&shut_down);\n signal(SIGPIPE, SIG_IGN);\n\n /* load the SASL plugins */\n global_sasl_init(1, 1, mysasl_cb);\n\n if ((prefix = config_getstring(IMAPOPT_NEWSPREFIX)))\n\tsnprintf(newsprefix, sizeof(newsprefix), \"%s.\", prefix);\n\n newsgroups = split_wildmats((char *) config_getstring(IMAPOPT_NEWSGROUPS));\n\n /* initialize duplicate delivery database */\n if (duplicate_init(NULL, 0) != 0) {\n\tsyslog(LOG_ERR, \n\t \"unable to init duplicate delivery database\\n\");\n\tfatal(\"unable to init duplicate delivery database\", EC_SOFTWARE);\n }\n\n /* open the mboxlist, we'll need it for real work */\n mboxlist_init(0);\n mboxlist_open(NULL);\n\n /* open the quota db, we'll need it for expunge */\n quotadb_init(0);\n quotadb_open(NULL);\n\n /* open the user deny db */\n denydb_init(0);\n denydb_open(NULL);\n\n /* setup for sending IMAP IDLE notifications */\n idle_enabled();\n\n while ((opt = getopt(argc, argv, \"srfp:\")) != EOF) {\n\tswitch(opt) {\n\tcase 's': /* nntps (do starttls right away) */\n\t nntps = 1;\n\t if (!tls_enabled()) {\n\t\tsyslog(LOG_ERR, \"nntps: required OpenSSL options not present\");\n\t\tfatal(\"nntps: required OpenSSL options not present\",\n\t\t EC_CONFIG);\n\t }\n\t break;\n\n\tcase 'r': /* enter 
reader-only mode */\n\t nntp_capa = MODE_READ;\n\t break;\n\n\tcase 'f': /* enter feeder-only mode */\n\t nntp_capa = MODE_FEED;\n\t break;\n\n\tcase 'p': /* external protection */\n\t extprops_ssf = atoi(optarg);\n\t break;\n\n\tdefault:\n\t usage();\n\t}\n }\n\n /* Initialize the annotatemore extention */\n annotatemore_init(NULL, NULL);\n annotatemore_open();\n\n newsmaster = (char *) config_getstring(IMAPOPT_NEWSMASTER);\n newsmaster_authstate = auth_newstate(newsmaster);\n\n singleinstance = config_getswitch(IMAPOPT_SINGLEINSTANCESTORE);\n\n /* Create a protgroup for input from the client and selected backend */\n protin = protgroup_new(2);\n\n return 0;\n}", "project": "cyrus-imapd", "hash": 210181073289714912479110203330142494150, "size": 88, "commit_id": "0f8f026699829b65733c3081657b24e2174f4f4d", "message": "CVE-2011-3208 - fix buffer overflow in nntpd", "target": 0, "dataset": "other", "idx": 451913 }, { "func": " */\nstatic struct request *bfq_choose_req(struct bfq_data *bfqd,\n\t\t\t\t struct request *rq1,\n\t\t\t\t struct request *rq2,\n\t\t\t\t sector_t last)\n{\n\tsector_t s1, s2, d1 = 0, d2 = 0;\n\tunsigned long back_max;\n#define BFQ_RQ1_WRAP\t0x01 /* request 1 wraps */\n#define BFQ_RQ2_WRAP\t0x02 /* request 2 wraps */\n\tunsigned int wrap = 0; /* bit mask: requests behind the disk head? 
*/\n\n\tif (!rq1 || rq1 == rq2)\n\t\treturn rq2;\n\tif (!rq2)\n\t\treturn rq1;\n\n\tif (rq_is_sync(rq1) && !rq_is_sync(rq2))\n\t\treturn rq1;\n\telse if (rq_is_sync(rq2) && !rq_is_sync(rq1))\n\t\treturn rq2;\n\tif ((rq1->cmd_flags & REQ_META) && !(rq2->cmd_flags & REQ_META))\n\t\treturn rq1;\n\telse if ((rq2->cmd_flags & REQ_META) && !(rq1->cmd_flags & REQ_META))\n\t\treturn rq2;\n\n\ts1 = blk_rq_pos(rq1);\n\ts2 = blk_rq_pos(rq2);\n\n\t/*\n\t * By definition, 1KiB is 2 sectors.\n\t */\n\tback_max = bfqd->bfq_back_max * 2;\n\n\t/*\n\t * Strict one way elevator _except_ in the case where we allow\n\t * short backward seeks which are biased as twice the cost of a\n\t * similar forward seek.\n\t */\n\tif (s1 >= last)\n\t\td1 = s1 - last;\n\telse if (s1 + back_max >= last)\n\t\td1 = (last - s1) * bfqd->bfq_back_penalty;\n\telse\n\t\twrap |= BFQ_RQ1_WRAP;\n\n\tif (s2 >= last)\n\t\td2 = s2 - last;\n\telse if (s2 + back_max >= last)\n\t\td2 = (last - s2) * bfqd->bfq_back_penalty;\n\telse\n\t\twrap |= BFQ_RQ2_WRAP;\n\n\t/* Found required data */\n\n\t/*\n\t * By doing switch() on the bit mask \"wrap\" we avoid having to\n\t * check two variables for all permutations: --> faster!\n\t */\n\tswitch (wrap) {\n\tcase 0: /* common case for CFQ: rq1 and rq2 not wrapped */\n\t\tif (d1 < d2)\n\t\t\treturn rq1;\n\t\telse if (d2 < d1)\n\t\t\treturn rq2;\n\n\t\tif (s1 >= s2)\n\t\t\treturn rq1;\n\t\telse\n\t\t\treturn rq2;\n\n\tcase BFQ_RQ2_WRAP:\n\t\treturn rq1;\n\tcase BFQ_RQ1_WRAP:\n\t\treturn rq2;\n\tcase BFQ_RQ1_WRAP|BFQ_RQ2_WRAP: /* both rqs wrapped */\n\tdefault:\n\t\t/*\n\t\t * Since both rqs are wrapped,\n\t\t * start with the one that's further behind head\n\t\t * (--> only *one* back seek required),\n\t\t * since back seek takes more time than forward.\n\t\t */\n\t\tif (s1 <= s2)\n\t\t\treturn rq1;\n\t\telse\n\t\t\treturn rq2;\n\t}", "project": "linux", "hash": 195234290134076571378527469414881397174, "size": 88, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", 
"message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] 
do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the 
object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453311 }, { "func": "\nstatic struct bfq_queue **bfq_async_queue_prio(struct bfq_data *bfqd,\n\t\t\t\t\t struct bfq_group *bfqg,\n\t\t\t\t\t int ioprio_class, int ioprio)\n{\n\tswitch (ioprio_class) 
{\n\tcase IOPRIO_CLASS_RT:\n\t\treturn &bfqg->async_bfqq[0][ioprio];\n\tcase IOPRIO_CLASS_NONE:\n\t\tioprio = IOPRIO_NORM;\n\t\t/* fall through */\n\tcase IOPRIO_CLASS_BE:\n\t\treturn &bfqg->async_bfqq[1][ioprio];\n\tcase IOPRIO_CLASS_IDLE:\n\t\treturn &bfqg->async_idle_bfqq;\n\tdefault:\n\t\treturn NULL;\n\t}", "project": "linux", "hash": 208648959290189617142636116571768508583, "size": 18, "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. 
So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] 
__do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access 
detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente \nReported-by: Wang Wang \nSigned-off-by: Zhiqiang Liu \nSigned-off-by: Feilong Lin \nSigned-off-by: Jens Axboe ", "target": 0, "dataset": "other", "idx": 453397 }, { "func": "FindArrayData (\r\n IN VOID *Array,\r\n IN UINT8 Type,\r\n IN UINT64 Value,\r\n OUT UINTN *Index OPTIONAL\r\n )\r\n{\r\n UINTN Count;\r\n UINT64 TmpValue;\r\n UINT64 ValueComp;\r\n\r\n ASSERT (Array != NULL);\r\n\r\n Count = 0;\r\n TmpValue = 0;\r\n\r\n switch (Type) {\r\n case EFI_IFR_TYPE_NUM_SIZE_8:\r\n ValueComp = (UINT8) Value;\r\n break;\r\n\r\n case EFI_IFR_TYPE_NUM_SIZE_16:\r\n ValueComp = (UINT16) Value;\r\n break;\r\n\r\n case EFI_IFR_TYPE_NUM_SIZE_32:\r\n ValueComp = (UINT32) Value;\r\n break;\r\n\r\n case EFI_IFR_TYPE_NUM_SIZE_64:\r\n ValueComp = (UINT64) Value;\r\n break;\r\n\r\n default:\r\n ValueComp = 0;\r\n break;\r\n }\r\n\r\n while ((TmpValue = GetArrayData (Array, Type, Count)) != 0) {\r\n if (ValueComp == TmpValue) {\r\n if (Index != NULL) {\r\n *Index = Count;\r\n }\r\n return TRUE;\r\n }\r\n\r\n Count ++;\r\n }\r\n\r\n 
return FALSE;\r\n}\r", "project": "edk2", "hash": 305430671658083379923767975146563531212, "size": 51, "commit_id": "f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d", "message": "MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558)\n\nREF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611\n\nCc: Liming Gao \nCc: Eric Dong \nCc: Jian J Wang \nSigned-off-by: Dandan Bi \nReviewed-by: Eric Dong \nReviewed-by: Jian J Wang ", "target": 0, "dataset": "other", "idx": 455257 }, { "func": "HiiValueToUINT64 (\r\n IN EFI_HII_VALUE *Value\r\n )\r\n{\r\n UINT64 RetVal;\r\n\r\n RetVal = 0;\r\n\r\n switch (Value->Type) {\r\n case EFI_IFR_TYPE_NUM_SIZE_8:\r\n RetVal = Value->Value.u8;\r\n break;\r\n\r\n case EFI_IFR_TYPE_NUM_SIZE_16:\r\n RetVal = Value->Value.u16;\r\n break;\r\n\r\n case EFI_IFR_TYPE_NUM_SIZE_32:\r\n RetVal = Value->Value.u32;\r\n break;\r\n\r\n case EFI_IFR_TYPE_BOOLEAN:\r\n RetVal = Value->Value.b;\r\n break;\r\n\r\n case EFI_IFR_TYPE_DATE:\r\n RetVal = *(UINT64*) &Value->Value.date;\r\n break;\r\n\r\n case EFI_IFR_TYPE_TIME:\r\n RetVal = (*(UINT64*) &Value->Value.time) & 0xffffff;\r\n break;\r\n\r\n default:\r\n RetVal = Value->Value.u64;\r\n break;\r\n }\r\n\r\n return RetVal;\r\n}\r", "project": "edk2", "hash": 273653425015054426788068459822429047505, "size": 40, "commit_id": "f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d", "message": "MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558)\n\nREF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611\n\nCc: Liming Gao \nCc: Eric Dong \nCc: Jian J Wang \nSigned-off-by: Dandan Bi \nReviewed-by: Eric Dong \nReviewed-by: Jian J Wang ", "target": 0, "dataset": "other", "idx": 455258 }, { "func": "IsTypeInBuffer (\r\n IN EFI_HII_VALUE *Value\r\n )\r\n{\r\n switch (Value->Type) {\r\n case EFI_IFR_TYPE_BUFFER:\r\n case EFI_IFR_TYPE_DATE:\r\n case EFI_IFR_TYPE_TIME:\r\n case EFI_IFR_TYPE_REF:\r\n return TRUE;\r\n\r\n default:\r\n return FALSE;\r\n }\r\n}\r", "project": "edk2", "hash": 
75625381769090481717041038163565178263, "size": 15, "commit_id": "f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d", "message": "MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558)\n\nREF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611\n\nCc: Liming Gao \nCc: Eric Dong \nCc: Jian J Wang \nSigned-off-by: Dandan Bi \nReviewed-by: Eric Dong \nReviewed-by: Jian J Wang ", "target": 0, "dataset": "other", "idx": 455260 }, { "func": "GetBufAndLenForValue (\r\n IN EFI_HII_VALUE *Value,\r\n OUT UINT8 **Buf,\r\n OUT UINT16 *BufLen\r\n )\r\n{\r\n switch (Value->Type) {\r\n case EFI_IFR_TYPE_BUFFER:\r\n *Buf = Value->Buffer;\r\n *BufLen = Value->BufferLen;\r\n break;\r\n\r\n case EFI_IFR_TYPE_DATE:\r\n *Buf = (UINT8 *) (&Value->Value.date);\r\n *BufLen = (UINT16) sizeof (EFI_HII_DATE);\r\n break;\r\n\r\n case EFI_IFR_TYPE_TIME:\r\n *Buf = (UINT8 *) (&Value->Value.time);\r\n *BufLen = (UINT16) sizeof (EFI_HII_TIME);\r\n break;\r\n\r\n case EFI_IFR_TYPE_REF:\r\n *Buf = (UINT8 *) (&Value->Value.ref);\r\n *BufLen = (UINT16) sizeof (EFI_HII_REF);\r\n break;\r\n\r\n default:\r\n *Buf = NULL;\r\n *BufLen = 0;\r\n }\r\n}\r", "project": "edk2", "hash": 67935012226339981386144982886192486927, "size": 32, "commit_id": "f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d", "message": "MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558)\n\nREF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611\n\nCc: Liming Gao \nCc: Eric Dong \nCc: Jian J Wang \nSigned-off-by: Dandan Bi \nReviewed-by: Eric Dong \nReviewed-by: Jian J Wang ", "target": 0, "dataset": "other", "idx": 455261 }, { "func": "SetArrayData (\r\n IN VOID *Array,\r\n IN UINT8 Type,\r\n IN UINTN Index,\r\n IN UINT64 Value\r\n )\r\n{\r\n\r\n ASSERT (Array != NULL);\r\n\r\n switch (Type) {\r\n case EFI_IFR_TYPE_NUM_SIZE_8:\r\n *(((UINT8 *) Array) + Index) = (UINT8) Value;\r\n break;\r\n\r\n case EFI_IFR_TYPE_NUM_SIZE_16:\r\n *(((UINT16 *) Array) + Index) = (UINT16) Value;\r\n break;\r\n\r\n case 
EFI_IFR_TYPE_NUM_SIZE_32:\r\n *(((UINT32 *) Array) + Index) = (UINT32) Value;\r\n break;\r\n\r\n case EFI_IFR_TYPE_NUM_SIZE_64:\r\n *(((UINT64 *) Array) + Index) = (UINT64) Value;\r\n break;\r\n\r\n default:\r\n break;\r\n }\r\n}\r", "project": "edk2", "hash": 271975919956490251214622392528994005041, "size": 31, "commit_id": "f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d", "message": "MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558)\n\nREF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611\n\nCc: Liming Gao \nCc: Eric Dong \nCc: Jian J Wang \nSigned-off-by: Dandan Bi \nReviewed-by: Eric Dong \nReviewed-by: Jian J Wang ", "target": 0, "dataset": "other", "idx": 455265 }, { "func": "IsTypeInUINT64 (\r\n IN EFI_HII_VALUE *Value\r\n )\r\n{\r\n switch (Value->Type) {\r\n case EFI_IFR_TYPE_NUM_SIZE_8:\r\n case EFI_IFR_TYPE_NUM_SIZE_16:\r\n case EFI_IFR_TYPE_NUM_SIZE_32:\r\n case EFI_IFR_TYPE_NUM_SIZE_64:\r\n case EFI_IFR_TYPE_BOOLEAN:\r\n return TRUE;\r\n\r\n default:\r\n return FALSE;\r\n }\r\n}\r", "project": "edk2", "hash": 94721068395447429133243814785731323363, "size": 16, "commit_id": "f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d", "message": "MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558)\n\nREF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611\n\nCc: Liming Gao \nCc: Eric Dong \nCc: Jian J Wang \nSigned-off-by: Dandan Bi \nReviewed-by: Eric Dong \nReviewed-by: Jian J Wang ", "target": 0, "dataset": "other", "idx": 455269 }, { "func": "ProcessOptions (\r\n IN UI_MENU_OPTION *MenuOption,\r\n IN BOOLEAN Selected,\r\n OUT CHAR16 **OptionString,\r\n IN BOOLEAN SkipErrorValue\r\n )\r\n{\r\n EFI_STATUS Status;\r\n CHAR16 *StringPtr;\r\n UINTN Index;\r\n FORM_DISPLAY_ENGINE_STATEMENT *Question;\r\n CHAR16 FormattedNumber[21];\r\n UINT16 Number;\r\n CHAR16 Character[2];\r\n EFI_INPUT_KEY Key;\r\n UINTN BufferSize;\r\n DISPLAY_QUESTION_OPTION *OneOfOption;\r\n LIST_ENTRY *Link;\r\n EFI_HII_VALUE HiiValue;\r\n EFI_HII_VALUE 
*QuestionValue;\r\n DISPLAY_QUESTION_OPTION *Option;\r\n UINTN Index2;\r\n UINT8 *ValueArray;\r\n UINT8 ValueType;\r\n EFI_IFR_ORDERED_LIST *OrderList;\r\n BOOLEAN ValueInvalid;\r\n UINTN MaxLen;\r\n\r\n Status = EFI_SUCCESS;\r\n\r\n StringPtr = NULL;\r\n Character[1] = L'\\0';\r\n *OptionString = NULL;\r\n ValueInvalid = FALSE;\r\n\r\n ZeroMem (FormattedNumber, 21 * sizeof (CHAR16));\r\n BufferSize = (gOptionBlockWidth + 1) * 2 * gStatementDimensions.BottomRow;\r\n\r\n Question = MenuOption->ThisTag;\r\n QuestionValue = &Question->CurrentValue;\r\n\r\n switch (Question->OpCode->OpCode) {\r\n case EFI_IFR_ORDERED_LIST_OP:\r\n\r\n //\r\n // Check whether there are Options of this OrderedList\r\n //\r\n if (IsListEmpty (&Question->OptionListHead)) {\r\n break;\r\n }\r\n\r\n OrderList = (EFI_IFR_ORDERED_LIST *) Question->OpCode;\r\n\r\n Link = GetFirstNode (&Question->OptionListHead);\r\n OneOfOption = DISPLAY_QUESTION_OPTION_FROM_LINK (Link);\r\n\r\n ValueType = OneOfOption->OptionOpCode->Type;\r\n ValueArray = Question->CurrentValue.Buffer;\r\n\r\n if (Selected) {\r\n //\r\n // Go ask for input\r\n //\r\n Status = GetSelectionInputPopUp (MenuOption);\r\n } else {\r\n //\r\n // We now know how many strings we will have, so we can allocate the\r\n // space required for the array or strings.\r\n //\r\n MaxLen = OrderList->MaxContainers * BufferSize / sizeof (CHAR16);\r\n *OptionString = AllocateZeroPool (MaxLen * sizeof (CHAR16));\r\n ASSERT (*OptionString);\r\n\r\n HiiValue.Type = ValueType;\r\n HiiValue.Value.u64 = 0;\r\n for (Index = 0; Index < OrderList->MaxContainers; Index++) {\r\n HiiValue.Value.u64 = GetArrayData (ValueArray, ValueType, Index);\r\n if (HiiValue.Value.u64 == 0) {\r\n //\r\n // Values for the options in ordered lists should never be a 0\r\n //\r\n break;\r\n }\r\n\r\n OneOfOption = ValueToOption (Question, &HiiValue);\r\n if (OneOfOption == NULL) {\r\n if (SkipErrorValue) {\r\n //\r\n // Just try to get the option string, skip the value which not 
has option.\r\n //\r\n continue;\r\n }\r\n\r\n //\r\n // Show error message\r\n //\r\n do {\r\n CreateDialog (&Key, gEmptyString, gOptionMismatch, gPressEnter, gEmptyString, NULL);\r\n } while (Key.UnicodeChar != CHAR_CARRIAGE_RETURN);\r\n\r\n //\r\n // The initial value of the orderedlist is invalid, force to be valid value\r\n // Exit current DisplayForm with new value.\r\n //\r\n gUserInput->SelectedStatement = Question;\r\n gMisMatch = TRUE;\r\n ValueArray = AllocateZeroPool (Question->CurrentValue.BufferLen);\r\n ASSERT (ValueArray != NULL);\r\n gUserInput->InputValue.Buffer = ValueArray;\r\n gUserInput->InputValue.BufferLen = Question->CurrentValue.BufferLen;\r\n gUserInput->InputValue.Type = Question->CurrentValue.Type;\r\n\r\n Link = GetFirstNode (&Question->OptionListHead);\r\n Index2 = 0;\r\n while (!IsNull (&Question->OptionListHead, Link) && Index2 < OrderList->MaxContainers) {\r\n Option = DISPLAY_QUESTION_OPTION_FROM_LINK (Link);\r\n Link = GetNextNode (&Question->OptionListHead, Link);\r\n SetArrayData (ValueArray, ValueType, Index2, Option->OptionOpCode->Value.u64);\r\n Index2++;\r\n }\r\n SetArrayData (ValueArray, ValueType, Index2, 0);\r\n\r\n FreePool (*OptionString);\r\n *OptionString = NULL;\r\n return EFI_NOT_FOUND;\r\n }\r\n\r\n Character[0] = LEFT_ONEOF_DELIMITER;\r\n NewStrCat (OptionString[0], MaxLen, Character);\r\n StringPtr = GetToken (OneOfOption->OptionOpCode->Option, gFormData->HiiHandle);\r\n ASSERT (StringPtr != NULL);\r\n NewStrCat (OptionString[0], MaxLen, StringPtr);\r\n Character[0] = RIGHT_ONEOF_DELIMITER;\r\n NewStrCat (OptionString[0], MaxLen, Character);\r\n Character[0] = CHAR_CARRIAGE_RETURN;\r\n NewStrCat (OptionString[0], MaxLen, Character);\r\n FreePool (StringPtr);\r\n }\r\n\r\n //\r\n // If valid option more than the max container, skip these options.\r\n //\r\n if (Index >= OrderList->MaxContainers) {\r\n break;\r\n }\r\n\r\n //\r\n // Search the other options, try to find the one not in the container.\r\n //\r\n 
Link = GetFirstNode (&Question->OptionListHead);\r\n while (!IsNull (&Question->OptionListHead, Link)) {\r\n OneOfOption = DISPLAY_QUESTION_OPTION_FROM_LINK (Link);\r\n Link = GetNextNode (&Question->OptionListHead, Link);\r\n\r\n if (FindArrayData (ValueArray, ValueType, OneOfOption->OptionOpCode->Value.u64, NULL)) {\r\n continue;\r\n }\r\n\r\n if (SkipErrorValue) {\r\n //\r\n // Not report error, just get the correct option string info.\r\n //\r\n Character[0] = LEFT_ONEOF_DELIMITER;\r\n NewStrCat (OptionString[0], MaxLen, Character);\r\n StringPtr = GetToken (OneOfOption->OptionOpCode->Option, gFormData->HiiHandle);\r\n ASSERT (StringPtr != NULL);\r\n NewStrCat (OptionString[0], MaxLen, StringPtr);\r\n Character[0] = RIGHT_ONEOF_DELIMITER;\r\n NewStrCat (OptionString[0], MaxLen, Character);\r\n Character[0] = CHAR_CARRIAGE_RETURN;\r\n NewStrCat (OptionString[0], MaxLen, Character);\r\n FreePool (StringPtr);\r\n\r\n continue;\r\n }\r\n\r\n if (!ValueInvalid) {\r\n ValueInvalid = TRUE;\r\n //\r\n // Show error message\r\n //\r\n do {\r\n CreateDialog (&Key, gEmptyString, gOptionMismatch, gPressEnter, gEmptyString, NULL);\r\n } while (Key.UnicodeChar != CHAR_CARRIAGE_RETURN);\r\n\r\n //\r\n // The initial value of the orderedlist is invalid, force to be valid value\r\n // Exit current DisplayForm with new value.\r\n //\r\n gUserInput->SelectedStatement = Question;\r\n gMisMatch = TRUE;\r\n ValueArray = AllocateCopyPool (Question->CurrentValue.BufferLen, Question->CurrentValue.Buffer);\r\n ASSERT (ValueArray != NULL);\r\n gUserInput->InputValue.Buffer = ValueArray;\r\n gUserInput->InputValue.BufferLen = Question->CurrentValue.BufferLen;\r\n gUserInput->InputValue.Type = Question->CurrentValue.Type;\r\n }\r\n\r\n SetArrayData (ValueArray, ValueType, Index++, OneOfOption->OptionOpCode->Value.u64);\r\n }\r\n\r\n if (ValueInvalid) {\r\n FreePool (*OptionString);\r\n *OptionString = NULL;\r\n return EFI_NOT_FOUND;\r\n }\r\n }\r\n break;\r\n\r\n case 
EFI_IFR_ONE_OF_OP:\r\n //\r\n // Check whether there are Options of this OneOf\r\n //\r\n if (IsListEmpty (&Question->OptionListHead)) {\r\n break;\r\n }\r\n if (Selected) {\r\n //\r\n // Go ask for input\r\n //\r\n Status = GetSelectionInputPopUp (MenuOption);\r\n } else {\r\n MaxLen = BufferSize / sizeof(CHAR16);\r\n *OptionString = AllocateZeroPool (BufferSize);\r\n ASSERT (*OptionString);\r\n\r\n OneOfOption = ValueToOption (Question, QuestionValue);\r\n if (OneOfOption == NULL) {\r\n if (SkipErrorValue) {\r\n //\r\n // Not report error, just get the correct option string info.\r\n //\r\n Link = GetFirstNode (&Question->OptionListHead);\r\n OneOfOption = DISPLAY_QUESTION_OPTION_FROM_LINK (Link);\r\n } else {\r\n //\r\n // Show error message\r\n //\r\n do {\r\n CreateDialog (&Key, gEmptyString, gOptionMismatch, gPressEnter, gEmptyString, NULL);\r\n } while (Key.UnicodeChar != CHAR_CARRIAGE_RETURN);\r\n\r\n //\r\n // Force the Question value to be valid\r\n // Exit current DisplayForm with new value.\r\n //\r\n Link = GetFirstNode (&Question->OptionListHead);\r\n Option = DISPLAY_QUESTION_OPTION_FROM_LINK (Link);\r\n\r\n gUserInput->InputValue.Type = Option->OptionOpCode->Type;\r\n switch (gUserInput->InputValue.Type) {\r\n case EFI_IFR_TYPE_NUM_SIZE_8:\r\n gUserInput->InputValue.Value.u8 = Option->OptionOpCode->Value.u8;\r\n break;\r\n case EFI_IFR_TYPE_NUM_SIZE_16:\r\n CopyMem (&gUserInput->InputValue.Value.u16, &Option->OptionOpCode->Value.u16, sizeof (UINT16));\r\n break;\r\n case EFI_IFR_TYPE_NUM_SIZE_32:\r\n CopyMem (&gUserInput->InputValue.Value.u32, &Option->OptionOpCode->Value.u32, sizeof (UINT32));\r\n break;\r\n case EFI_IFR_TYPE_NUM_SIZE_64:\r\n CopyMem (&gUserInput->InputValue.Value.u64, &Option->OptionOpCode->Value.u64, sizeof (UINT64));\r\n break;\r\n default:\r\n ASSERT (FALSE);\r\n break;\r\n }\r\n gUserInput->SelectedStatement = Question;\r\n gMisMatch = TRUE;\r\n FreePool (*OptionString);\r\n *OptionString = NULL;\r\n return EFI_NOT_FOUND;\r\n 
}\r\n }\r\n\r\n Character[0] = LEFT_ONEOF_DELIMITER;\r\n NewStrCat (OptionString[0], MaxLen, Character);\r\n StringPtr = GetToken (OneOfOption->OptionOpCode->Option, gFormData->HiiHandle);\r\n ASSERT (StringPtr != NULL);\r\n NewStrCat (OptionString[0], MaxLen, StringPtr);\r\n Character[0] = RIGHT_ONEOF_DELIMITER;\r\n NewStrCat (OptionString[0], MaxLen, Character);\r\n\r\n FreePool (StringPtr);\r\n }\r\n break;\r\n\r\n case EFI_IFR_CHECKBOX_OP:\r\n if (Selected) {\r\n //\r\n // Since this is a BOOLEAN operation, flip it upon selection\r\n //\r\n gUserInput->InputValue.Type = QuestionValue->Type;\r\n gUserInput->InputValue.Value.b = (BOOLEAN) (QuestionValue->Value.b ? FALSE : TRUE);\r\n\r\n //\r\n // Perform inconsistent check\r\n //\r\n return EFI_SUCCESS;\r\n } else {\r\n *OptionString = AllocateZeroPool (BufferSize);\r\n ASSERT (*OptionString);\r\n\r\n *OptionString[0] = LEFT_CHECKBOX_DELIMITER;\r\n\r\n if (QuestionValue->Value.b) {\r\n *(OptionString[0] + 1) = CHECK_ON;\r\n } else {\r\n *(OptionString[0] + 1) = CHECK_OFF;\r\n }\r\n *(OptionString[0] + 2) = RIGHT_CHECKBOX_DELIMITER;\r\n }\r\n break;\r\n\r\n case EFI_IFR_NUMERIC_OP:\r\n if (Selected) {\r\n //\r\n // Go ask for input\r\n //\r\n Status = GetNumericInput (MenuOption);\r\n } else {\r\n *OptionString = AllocateZeroPool (BufferSize);\r\n ASSERT (*OptionString);\r\n\r\n *OptionString[0] = LEFT_NUMERIC_DELIMITER;\r\n\r\n //\r\n // Formatted print\r\n //\r\n PrintFormattedNumber (Question, FormattedNumber, 21 * sizeof (CHAR16));\r\n Number = (UINT16) GetStringWidth (FormattedNumber);\r\n CopyMem (OptionString[0] + 1, FormattedNumber, Number);\r\n\r\n *(OptionString[0] + Number / 2) = RIGHT_NUMERIC_DELIMITER;\r\n }\r\n break;\r\n\r\n case EFI_IFR_DATE_OP:\r\n if (Selected) {\r\n //\r\n // This is similar to numerics\r\n //\r\n Status = GetNumericInput (MenuOption);\r\n } else {\r\n *OptionString = AllocateZeroPool (BufferSize);\r\n ASSERT (*OptionString);\r\n\r\n switch (MenuOption->Sequence) {\r\n case 
0:\r\n *OptionString[0] = LEFT_NUMERIC_DELIMITER;\r\n if (QuestionValue->Value.date.Month == 0xff){\r\n UnicodeSPrint (OptionString[0] + 1, 21 * sizeof (CHAR16), L\"??\");\r\n } else {\r\n UnicodeSPrint (OptionString[0] + 1, 21 * sizeof (CHAR16), L\"%02d\", QuestionValue->Value.date.Month);\r\n }\r\n *(OptionString[0] + 3) = DATE_SEPARATOR;\r\n break;\r\n\r\n case 1:\r\n SetUnicodeMem (OptionString[0], 4, L' ');\r\n if (QuestionValue->Value.date.Day == 0xff){\r\n UnicodeSPrint (OptionString[0] + 4, 21 * sizeof (CHAR16), L\"??\");\r\n } else {\r\n UnicodeSPrint (OptionString[0] + 4, 21 * sizeof (CHAR16), L\"%02d\", QuestionValue->Value.date.Day);\r\n }\r\n *(OptionString[0] + 6) = DATE_SEPARATOR;\r\n break;\r\n\r\n case 2:\r\n SetUnicodeMem (OptionString[0], 7, L' ');\r\n if (QuestionValue->Value.date.Year == 0xff){\r\n UnicodeSPrint (OptionString[0] + 7, 21 * sizeof (CHAR16), L\"????\");\r\n } else {\r\n UnicodeSPrint (OptionString[0] + 7, 21 * sizeof (CHAR16), L\"%04d\", QuestionValue->Value.date.Year);\r\n }\r\n *(OptionString[0] + 11) = RIGHT_NUMERIC_DELIMITER;\r\n break;\r\n }\r\n }\r\n break;\r\n\r\n case EFI_IFR_TIME_OP:\r\n if (Selected) {\r\n //\r\n // This is similar to numerics\r\n //\r\n Status = GetNumericInput (MenuOption);\r\n } else {\r\n *OptionString = AllocateZeroPool (BufferSize);\r\n ASSERT (*OptionString);\r\n\r\n switch (MenuOption->Sequence) {\r\n case 0:\r\n *OptionString[0] = LEFT_NUMERIC_DELIMITER;\r\n if (QuestionValue->Value.time.Hour == 0xff){\r\n UnicodeSPrint (OptionString[0] + 1, 21 * sizeof (CHAR16), L\"??\");\r\n } else {\r\n UnicodeSPrint (OptionString[0] + 1, 21 * sizeof (CHAR16), L\"%02d\", QuestionValue->Value.time.Hour);\r\n }\r\n *(OptionString[0] + 3) = TIME_SEPARATOR;\r\n break;\r\n\r\n case 1:\r\n SetUnicodeMem (OptionString[0], 4, L' ');\r\n if (QuestionValue->Value.time.Minute == 0xff){\r\n UnicodeSPrint (OptionString[0] + 4, 21 * sizeof (CHAR16), L\"??\");\r\n } else {\r\n UnicodeSPrint (OptionString[0] + 4, 21 * sizeof 
(CHAR16), L\"%02d\", QuestionValue->Value.time.Minute);\r\n }\r\n *(OptionString[0] + 6) = TIME_SEPARATOR;\r\n break;\r\n\r\n case 2:\r\n SetUnicodeMem (OptionString[0], 7, L' ');\r\n if (QuestionValue->Value.time.Second == 0xff){\r\n UnicodeSPrint (OptionString[0] + 7, 21 * sizeof (CHAR16), L\"??\");\r\n } else {\r\n UnicodeSPrint (OptionString[0] + 7, 21 * sizeof (CHAR16), L\"%02d\", QuestionValue->Value.time.Second);\r\n }\r\n *(OptionString[0] + 9) = RIGHT_NUMERIC_DELIMITER;\r\n break;\r\n }\r\n }\r\n break;\r\n\r\n case EFI_IFR_STRING_OP:\r\n if (Selected) {\r\n StringPtr = AllocateZeroPool (Question->CurrentValue.BufferLen + sizeof (CHAR16));\r\n ASSERT (StringPtr);\r\n CopyMem(StringPtr, Question->CurrentValue.Buffer, Question->CurrentValue.BufferLen);\r\n\r\n Status = ReadString (MenuOption, gPromptForData, StringPtr);\r\n if (EFI_ERROR (Status)) {\r\n FreePool (StringPtr);\r\n return Status;\r\n }\r\n\r\n gUserInput->InputValue.Buffer = AllocateCopyPool (Question->CurrentValue.BufferLen, StringPtr);\r\n gUserInput->InputValue.BufferLen = Question->CurrentValue.BufferLen;\r\n gUserInput->InputValue.Type = Question->CurrentValue.Type;\r\n gUserInput->InputValue.Value.string = HiiSetString(gFormData->HiiHandle, gUserInput->InputValue.Value.string, StringPtr, NULL);\r\n FreePool (StringPtr);\r\n return EFI_SUCCESS;\r\n } else {\r\n *OptionString = AllocateZeroPool (BufferSize);\r\n ASSERT (*OptionString);\r\n\r\n if (((CHAR16 *) Question->CurrentValue.Buffer)[0] == 0x0000) {\r\n *(OptionString[0]) = '_';\r\n } else {\r\n if (Question->CurrentValue.BufferLen < BufferSize) {\r\n BufferSize = Question->CurrentValue.BufferLen;\r\n }\r\n CopyMem (OptionString[0], (CHAR16 *) Question->CurrentValue.Buffer, BufferSize);\r\n }\r\n }\r\n break;\r\n\r\n case EFI_IFR_PASSWORD_OP:\r\n if (Selected) {\r\n Status = PasswordProcess (MenuOption);\r\n }\r\n break;\r\n\r\n default:\r\n break;\r\n }\r\n\r\n return Status;\r\n}\r", "project": "edk2", "hash": 
11980144124481565147555382190206927988, "size": 470, "commit_id": "f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d", "message": "MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558)\n\nREF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611\n\nCc: Liming Gao \nCc: Eric Dong \nCc: Jian J Wang \nSigned-off-by: Dandan Bi \nReviewed-by: Eric Dong \nReviewed-by: Jian J Wang ", "target": 0, "dataset": "other", "idx": 455270 }, { "func": "PrintFormattedNumber (\r\n IN FORM_DISPLAY_ENGINE_STATEMENT *Question,\r\n IN OUT CHAR16 *FormattedNumber,\r\n IN UINTN BufferSize\r\n )\r\n{\r\n INT64 Value;\r\n CHAR16 *Format;\r\n EFI_HII_VALUE *QuestionValue;\r\n EFI_IFR_NUMERIC *NumericOp;\r\n\r\n if (BufferSize < (21 * sizeof (CHAR16))) {\r\n return EFI_BUFFER_TOO_SMALL;\r\n }\r\n\r\n QuestionValue = &Question->CurrentValue;\r\n NumericOp = (EFI_IFR_NUMERIC *) Question->OpCode;\r\n\r\n Value = (INT64) QuestionValue->Value.u64;\r\n switch (NumericOp->Flags & EFI_IFR_DISPLAY) {\r\n case EFI_IFR_DISPLAY_INT_DEC:\r\n switch (QuestionValue->Type) {\r\n case EFI_IFR_NUMERIC_SIZE_1:\r\n Value = (INT64) ((INT8) QuestionValue->Value.u8);\r\n break;\r\n\r\n case EFI_IFR_NUMERIC_SIZE_2:\r\n Value = (INT64) ((INT16) QuestionValue->Value.u16);\r\n break;\r\n\r\n case EFI_IFR_NUMERIC_SIZE_4:\r\n Value = (INT64) ((INT32) QuestionValue->Value.u32);\r\n break;\r\n\r\n case EFI_IFR_NUMERIC_SIZE_8:\r\n default:\r\n break;\r\n }\r\n\r\n if (Value < 0) {\r\n Value = -Value;\r\n Format = L\"-%ld\";\r\n } else {\r\n Format = L\"%ld\";\r\n }\r\n break;\r\n\r\n case EFI_IFR_DISPLAY_UINT_DEC:\r\n Format = L\"%ld\";\r\n break;\r\n\r\n case EFI_IFR_DISPLAY_UINT_HEX:\r\n Format = L\"%lx\";\r\n break;\r\n\r\n default:\r\n return EFI_UNSUPPORTED;\r\n }\r\n\r\n UnicodeSPrint (FormattedNumber, BufferSize, Format, Value);\r\n\r\n return EFI_SUCCESS;\r\n}\r", "project": "edk2", "hash": 272118904603416682254878043740081743568, "size": 63, "commit_id": "f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d", "message": 
"MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558)\n\nREF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611\n\nCc: Liming Gao \nCc: Eric Dong \nCc: Jian J Wang \nSigned-off-by: Dandan Bi \nReviewed-by: Eric Dong \nReviewed-by: Jian J Wang ", "target": 0, "dataset": "other", "idx": 455273 }, { "func": "GetArrayData (\r\n IN VOID *Array,\r\n IN UINT8 Type,\r\n IN UINTN Index\r\n )\r\n{\r\n UINT64 Data;\r\n\r\n ASSERT (Array != NULL);\r\n\r\n Data = 0;\r\n switch (Type) {\r\n case EFI_IFR_TYPE_NUM_SIZE_8:\r\n Data = (UINT64) *(((UINT8 *) Array) + Index);\r\n break;\r\n\r\n case EFI_IFR_TYPE_NUM_SIZE_16:\r\n Data = (UINT64) *(((UINT16 *) Array) + Index);\r\n break;\r\n\r\n case EFI_IFR_TYPE_NUM_SIZE_32:\r\n Data = (UINT64) *(((UINT32 *) Array) + Index);\r\n break;\r\n\r\n case EFI_IFR_TYPE_NUM_SIZE_64:\r\n Data = (UINT64) *(((UINT64 *) Array) + Index);\r\n break;\r\n\r\n default:\r\n break;\r\n }\r\n\r\n return Data;\r\n}\r", "project": "edk2", "hash": 43712451578424515606561213990308086384, "size": 34, "commit_id": "f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d", "message": "MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558)\n\nREF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611\n\nCc: Liming Gao \nCc: Eric Dong \nCc: Jian J Wang \nSigned-off-by: Dandan Bi \nReviewed-by: Eric Dong \nReviewed-by: Jian J Wang ", "target": 0, "dataset": "other", "idx": 455275 }, { "func": "static struct hid_input *hidinput_allocate(struct hid_device *hid,\n\t\t\t\t\t unsigned int application)\n{\n\tstruct hid_input *hidinput = kzalloc(sizeof(*hidinput), GFP_KERNEL);\n\tstruct input_dev *input_dev = input_allocate_device();\n\tconst char *suffix = NULL;\n\tsize_t suffix_len, name_len;\n\n\tif (!hidinput || !input_dev)\n\t\tgoto fail;\n\n\tif ((hid->quirks & HID_QUIRK_INPUT_PER_APP) &&\n\t hid->maxapplication > 1) {\n\t\tswitch (application) {\n\t\tcase HID_GD_KEYBOARD:\n\t\t\tsuffix = \"Keyboard\";\n\t\t\tbreak;\n\t\tcase 
HID_GD_KEYPAD:\n\t\t\tsuffix = \"Keypad\";\n\t\t\tbreak;\n\t\tcase HID_GD_MOUSE:\n\t\t\tsuffix = \"Mouse\";\n\t\t\tbreak;\n\t\tcase HID_DG_STYLUS:\n\t\t\tsuffix = \"Pen\";\n\t\t\tbreak;\n\t\tcase HID_DG_TOUCHSCREEN:\n\t\t\tsuffix = \"Touchscreen\";\n\t\t\tbreak;\n\t\tcase HID_DG_TOUCHPAD:\n\t\t\tsuffix = \"Touchpad\";\n\t\t\tbreak;\n\t\tcase HID_GD_SYSTEM_CONTROL:\n\t\t\tsuffix = \"System Control\";\n\t\t\tbreak;\n\t\tcase HID_CP_CONSUMER_CONTROL:\n\t\t\tsuffix = \"Consumer Control\";\n\t\t\tbreak;\n\t\tcase HID_GD_WIRELESS_RADIO_CTLS:\n\t\t\tsuffix = \"Wireless Radio Control\";\n\t\t\tbreak;\n\t\tcase HID_GD_SYSTEM_MULTIAXIS:\n\t\t\tsuffix = \"System Multi Axis\";\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (suffix) {\n\t\tname_len = strlen(hid->name);\n\t\tsuffix_len = strlen(suffix);\n\t\tif ((name_len < suffix_len) ||\n\t\t strcmp(hid->name + name_len - suffix_len, suffix)) {\n\t\t\thidinput->name = kasprintf(GFP_KERNEL, \"%s %s\",\n\t\t\t\t\t\t hid->name, suffix);\n\t\t\tif (!hidinput->name)\n\t\t\t\tgoto fail;\n\t\t}\n\t}\n\n\tinput_set_drvdata(input_dev, hid);\n\tinput_dev->event = hidinput_input_event;\n\tinput_dev->open = hidinput_open;\n\tinput_dev->close = hidinput_close;\n\tinput_dev->setkeycode = hidinput_setkeycode;\n\tinput_dev->getkeycode = hidinput_getkeycode;\n\n\tinput_dev->name = hidinput->name ? 
hidinput->name : hid->name;\n\tinput_dev->phys = hid->phys;\n\tinput_dev->uniq = hid->uniq;\n\tinput_dev->id.bustype = hid->bus;\n\tinput_dev->id.vendor = hid->vendor;\n\tinput_dev->id.product = hid->product;\n\tinput_dev->id.version = hid->version;\n\tinput_dev->dev.parent = &hid->dev;\n\n\thidinput->input = input_dev;\n\thidinput->application = application;\n\tlist_add_tail(&hidinput->list, &hid->inputs);\n\n\tINIT_LIST_HEAD(&hidinput->reports);\n\n\treturn hidinput;\n\nfail:\n\tkfree(hidinput);\n\tinput_free_device(input_dev);\n\thid_err(hid, \"Out of memory during hid input probe\\n\");\n\treturn NULL;\n}", "project": "linux", "hash": 109027466243231103255090217808396090484, "size": 91, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458417 }, { "func": "_gcry_mpi_ec_curve_point (gcry_mpi_point_t point, mpi_ec_t ctx)\n{\n int res = 0;\n gcry_mpi_t x, y, w;\n\n x = mpi_new (0);\n y = mpi_new (0);\n w = mpi_new (0);\n\n switch (ctx->model)\n {\n case MPI_EC_WEIERSTRASS:\n {\n gcry_mpi_t xxx;\n\n if (_gcry_mpi_ec_get_affine (x, y, point, ctx))\n goto leave;\n\n xxx = mpi_new (0);\n\n /* y^2 == x^3 + a·x + b */\n 
ec_pow2 (y, y, ctx);\n\n ec_pow3 (xxx, x, ctx);\n ec_mulm (w, ctx->a, x, ctx);\n ec_addm (w, w, ctx->b, ctx);\n ec_addm (w, w, xxx, ctx);\n\n if (!mpi_cmp (y, w))\n res = 1;\n\n _gcry_mpi_release (xxx);\n }\n break;\n case MPI_EC_MONTGOMERY:\n {\n#define xx y\n /* With Montgomery curve, only X-coordinate is valid. */\n if (_gcry_mpi_ec_get_affine (x, NULL, point, ctx))\n goto leave;\n\n /* The equation is: b * y^2 == x^3 + a · x^2 + x */\n /* We check if right hand is quadratic residue or not by\n Euler's criterion. */\n /* CTX->A has (a-2)/4 and CTX->B has b^-1 */\n ec_mulm (w, ctx->a, mpi_const (MPI_C_FOUR), ctx);\n ec_addm (w, w, mpi_const (MPI_C_TWO), ctx);\n ec_mulm (w, w, x, ctx);\n ec_pow2 (xx, x, ctx);\n ec_addm (w, w, xx, ctx);\n ec_addm (w, w, mpi_const (MPI_C_ONE), ctx);\n ec_mulm (w, w, x, ctx);\n ec_mulm (w, w, ctx->b, ctx);\n#undef xx\n /* Compute Euler's criterion: w^(p-1)/2 */\n#define p_minus1 y\n ec_subm (p_minus1, ctx->p, mpi_const (MPI_C_ONE), ctx);\n mpi_rshift (p_minus1, p_minus1, 1);\n ec_powm (w, w, p_minus1, ctx);\n\n res = !mpi_cmp_ui (w, 1);\n#undef p_minus1\n }\n break;\n case MPI_EC_EDWARDS:\n {\n if (_gcry_mpi_ec_get_affine (x, y, point, ctx))\n goto leave;\n\n /* a · x^2 + y^2 - 1 - b · x^2 · y^2 == 0 */\n ec_pow2 (x, x, ctx);\n ec_pow2 (y, y, ctx);\n if (ctx->dialect == ECC_DIALECT_ED25519)\n mpi_sub (w, ctx->p, x);\n else\n ec_mulm (w, ctx->a, x, ctx);\n ec_addm (w, w, y, ctx);\n ec_subm (w, w, mpi_const (MPI_C_ONE), ctx);\n ec_mulm (x, x, y, ctx);\n ec_mulm (x, x, ctx->b, ctx);\n ec_subm (w, w, x, ctx);\n if (!mpi_cmp_ui (w, 0))\n res = 1;\n }\n break;\n }\n\n leave:\n _gcry_mpi_release (w);\n _gcry_mpi_release (x);\n _gcry_mpi_release (y);\n\n return res;\n}", "project": "libgcrypt", "hash": 20552192842602205307907408640162609425, "size": 94, "commit_id": "bf76acbf0da6b0f245e491bec12c0f0a1b5be7c9", "message": "ecc: Add input validation for X25519.\n\n* cipher/ecc.c (ecc_decrypt_raw): Add input validation.\n* mpi/ec.c (ec_p_init): 
Use scratch buffer for bad points.\n(_gcry_mpi_ec_bad_point): New.\n\n--\n\nFollowing is the paper describing the attack:\n\n May the Fourth Be With You: A Microarchitectural Side Channel Attack\n on Real-World Applications of Curve25519\n by Daniel Genkin, Luke Valenta, and Yuval Yarom\n\nIn the current implementation, we do output checking and it results an\nerror for those bad points. However, when attacked, the computation\nwill done with leak of private key, even it will results errors. To\nmitigate leak, we added input validation.\n\nNote that we only list bad points with MSB=0. By X25519, MSB is\nalways cleared.\n\nIn future, we should implement constant-time field computation. Then,\nthis input validation could be removed, if performance is important\nand we are sure for no leak.\n\nCVE-id: CVE-2017-0379\nSigned-off-by: NIIBE Yutaka ", "target": 0, "dataset": "other", "idx": 458701 }, { "func": "main(int argc, char* argv[])\n{\n\tint c;\n\tconst char* cfgfile = CONFIGFILE;\n\tconst char* winopt = NULL;\n\tconst char* log_ident_default;\n\tint cmdline_verbose = 0;\n\tint debug_mode = 0;\n\tint need_pidfile = 1;\n\n#ifdef UB_ON_WINDOWS\n\tint cmdline_cfg = 0;\n#endif\n\n\tlog_init(NULL, 0, NULL);\n\tlog_ident_default = strrchr(argv[0],'/')?strrchr(argv[0],'/')+1:argv[0];\n\tlog_ident_set_default(log_ident_default);\n\tlog_ident_set(log_ident_default);\n\t/* parse the options */\n\twhile( (c=getopt(argc, argv, \"c:dhpvw:V\")) != -1) {\n\t\tswitch(c) {\n\t\tcase 'c':\n\t\t\tcfgfile = optarg;\n#ifdef UB_ON_WINDOWS\n\t\t\tcmdline_cfg = 1;\n#endif\n\t\t\tbreak;\n\t\tcase 'v':\n\t\t\tcmdline_verbose++;\n\t\t\tverbosity++;\n\t\t\tbreak;\n\t\tcase 'p':\n\t\t\tneed_pidfile = 0;\n\t\t\tbreak;\n\t\tcase 'd':\n\t\t\tdebug_mode++;\n\t\t\tbreak;\n\t\tcase 'w':\n\t\t\twinopt = optarg;\n\t\t\tbreak;\n\t\tcase 'V':\n\t\t\tprint_build_options();\n\t\t\treturn 0;\n\t\tcase '?':\n\t\tcase 'h':\n\t\tdefault:\n\t\t\tusage();\n\t\t\treturn 1;\n\t\t}\n\t}\n\targc -= optind;\n\t/* 
argv += optind; not using further arguments */\n\n\tif(winopt) {\n#ifdef UB_ON_WINDOWS\n\t\twsvc_command_option(winopt, cfgfile, cmdline_verbose, \n\t\t\tcmdline_cfg);\n#else\n\t\tfatal_exit(\"option not supported\");\n#endif\n\t}\n\n\tif(argc != 0) {\n\t\tusage();\n\t\treturn 1;\n\t}\n\n\trun_daemon(cfgfile, cmdline_verbose, debug_mode, need_pidfile);\n\tlog_init(NULL, 0, NULL); /* close logfile */\n#ifndef unbound_testbound\n\tif(log_get_lock()) {\n\t\tlock_basic_destroy((lock_basic_type*)log_get_lock());\n\t}\n#endif\n\treturn 0;\n}", "project": "unbound", "hash": 47526447137519018859373714069061365207, "size": 76, "commit_id": "ad387832979b6ce4c93f64fe706301cd7d034e87", "message": "- Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere\n with chown of pidfile.", "target": 0, "dataset": "other", "idx": 462297 }, { "func": "MagickExport const char *GetImageProperty(const Image *image,\n const char *property)\n{\n double\n alpha;\n\n ExceptionInfo\n *exception;\n\n FxInfo\n *fx_info;\n\n MagickStatusType\n status;\n\n register const char\n *p;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n p=(const char *) NULL;\n if (image->properties != (void *) NULL)\n {\n if (property == (const char *) NULL)\n {\n ResetSplayTreeIterator((SplayTreeInfo *) image->properties);\n p=(const char *) GetNextValueInSplayTree((SplayTreeInfo *)\n image->properties);\n return(p);\n }\n if (LocaleNCompare(\"fx:\",property,3) != 0) /* NOT fx: !!!! 
*/\n {\n p=(const char *) GetValueFromSplayTree((SplayTreeInfo *)\n image->properties,property);\n if (p != (const char *) NULL)\n return(p);\n }\n }\n if ((property == (const char *) NULL) ||\n (strchr(property,':') == (char *) NULL))\n return(p);\n exception=(&((Image *) image)->exception);\n switch (*property)\n {\n case '8':\n {\n if (LocaleNCompare(\"8bim:\",property,5) == 0)\n {\n (void) Get8BIMProperty(image,property);\n break;\n }\n break;\n }\n case 'E':\n case 'e':\n {\n if (LocaleNCompare(\"exif:\",property,5) == 0)\n {\n (void) GetEXIFProperty(image,property);\n break;\n }\n break;\n }\n case 'F':\n case 'f':\n {\n if (LocaleNCompare(\"fx:\",property,3) == 0)\n {\n if ((image->columns == 0) || (image->rows == 0))\n break;\n fx_info=AcquireFxInfo(image,property+3);\n status=FxEvaluateChannelExpression(fx_info,DefaultChannels,0,0,&alpha,\n exception);\n fx_info=DestroyFxInfo(fx_info);\n if (status != MagickFalse)\n {\n char\n value[MaxTextExtent];\n\n (void) FormatLocaleString(value,MaxTextExtent,\"%.*g\",\n GetMagickPrecision(),(double) alpha);\n (void) SetImageProperty((Image *) image,property,value);\n }\n break;\n }\n break;\n }\n case 'H':\n case 'h':\n {\n if (LocaleNCompare(\"hex:\",property,4) == 0)\n {\n MagickPixelPacket\n pixel;\n\n if ((image->columns == 0) || (image->rows == 0))\n break;\n GetMagickPixelPacket(image,&pixel);\n fx_info=AcquireFxInfo(image,property+4);\n status=FxEvaluateChannelExpression(fx_info,RedChannel,0,0,&alpha,\n exception);\n pixel.red=(MagickRealType) QuantumRange*alpha;\n status&=FxEvaluateChannelExpression(fx_info,GreenChannel,0,0,&alpha,\n exception);\n pixel.green=(MagickRealType) QuantumRange*alpha;\n status&=FxEvaluateChannelExpression(fx_info,BlueChannel,0,0,&alpha,\n exception);\n pixel.blue=(MagickRealType) QuantumRange*alpha;\n status&=FxEvaluateChannelExpression(fx_info,OpacityChannel,0,0,&alpha,\n exception);\n pixel.opacity=(MagickRealType) QuantumRange*(1.0-alpha);\n if (image->colorspace == 
CMYKColorspace)\n {\n status&=FxEvaluateChannelExpression(fx_info,BlackChannel,0,0,\n &alpha,exception);\n pixel.index=(MagickRealType) QuantumRange*alpha;\n }\n fx_info=DestroyFxInfo(fx_info);\n if (status != MagickFalse)\n {\n char\n hex[MaxTextExtent],\n name[MaxTextExtent];\n\n (void) QueryMagickColorname(image,&pixel,SVGCompliance,name,\n exception);\n GetColorTuple(&pixel,MagickTrue,hex);\n (void) SetImageProperty((Image *) image,property,hex+1);\n }\n break;\n }\n break;\n }\n case 'I':\n case 'i':\n {\n if ((LocaleNCompare(\"icc:\",property,4) == 0) ||\n (LocaleNCompare(\"icm:\",property,4) == 0))\n {\n (void) GetICCProperty(image,property);\n break;\n }\n if (LocaleNCompare(\"iptc:\",property,5) == 0)\n {\n (void) GetIPTCProperty(image,property);\n break;\n }\n break;\n }\n case 'P':\n case 'p':\n {\n if (LocaleNCompare(\"pixel:\",property,6) == 0)\n {\n MagickPixelPacket\n pixel;\n\n GetMagickPixelPacket(image,&pixel);\n fx_info=AcquireFxInfo(image,property+6);\n status=FxEvaluateChannelExpression(fx_info,RedChannel,0,0,&alpha,\n exception);\n pixel.red=(MagickRealType) QuantumRange*alpha;\n status&=FxEvaluateChannelExpression(fx_info,GreenChannel,0,0,&alpha,\n exception);\n pixel.green=(MagickRealType) QuantumRange*alpha;\n status&=FxEvaluateChannelExpression(fx_info,BlueChannel,0,0,&alpha,\n exception);\n pixel.blue=(MagickRealType) QuantumRange*alpha;\n status&=FxEvaluateChannelExpression(fx_info,OpacityChannel,0,0,&alpha,\n exception);\n pixel.opacity=(MagickRealType) QuantumRange*(1.0-alpha);\n if (image->colorspace == CMYKColorspace)\n {\n status&=FxEvaluateChannelExpression(fx_info,BlackChannel,0,0,\n &alpha,exception);\n pixel.index=(MagickRealType) QuantumRange*alpha;\n }\n fx_info=DestroyFxInfo(fx_info);\n if (status != MagickFalse)\n {\n char\n name[MaxTextExtent];\n\n (void) QueryMagickColorname(image,&pixel,SVGCompliance,name,\n exception);\n (void) SetImageProperty((Image *) image,property,name);\n }\n break;\n }\n break;\n }\n case 'X':\n 
case 'x':\n {\n if (LocaleNCompare(\"xmp:\",property,4) == 0)\n {\n (void) GetXMPProperty(image,property);\n break;\n }\n break;\n }\n default:\n break;\n }\n if (image->properties != (void *) NULL)\n {\n p=(const char *) GetValueFromSplayTree((SplayTreeInfo *)\n image->properties,property);\n return(p);\n }\n return((const char *) NULL);\n}", "project": "ImageMagick6", "hash": 171514066941256331469122671300022262539, "size": 214, "commit_id": "5bf7ff59c8ada957d6a681a0a2cc29f3813ad4bc", "message": "https://github.com/ImageMagick/ImageMagick/issues/1225", "target": 0, "dataset": "other", "idx": 462956 }, { "func": "MagickExport const char *GetMagickProperty(const ImageInfo *image_info,\n Image *image,const char *property)\n{\n char\n value[MaxTextExtent];\n\n const char\n *string;\n\n assert(property[0] != '\\0');\n if (property[1] == '\\0') /* single letter property request */\n return(GetMagickPropertyLetter(image_info,image,*property));\n *value='\\0'; /* formatted string */\n string=(char *) NULL; /* constant string reference */\n switch (*property)\n {\n case 'b':\n {\n if ((LocaleCompare(\"base\",property) == 0) ||\n (LocaleCompare(\"basename\",property) == 0) )\n {\n GetPathComponent(image->magick_filename,BasePath,value);\n break;\n }\n if (LocaleCompare(\"bit-depth\",property) == 0)\n {\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n GetImageDepth(image,&image->exception));\n break;\n }\n if (LocaleCompare(\"bounding-box\",property) == 0)\n {\n RectangleInfo\n geometry;\n\n geometry=GetImageBoundingBox(image,&image->exception);\n (void) FormatLocaleString(value,MagickPathExtent,\"%g,%g %g,%g\\n\",\n (double) geometry.x,(double) geometry.y,\n (double) geometry.x+geometry.width,\n (double) geometry.y+geometry.height);\n break;\n }\n break;\n }\n case 'c':\n {\n if (LocaleCompare(\"channels\",property) == 0)\n {\n /*\n Image channels.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%s\",\n 
CommandOptionToMnemonic(MagickColorspaceOptions,(ssize_t)\n image->colorspace));\n LocaleLower(value);\n if (image->matte != MagickFalse)\n (void) ConcatenateMagickString(value,\"a\",MaxTextExtent);\n break;\n }\n if (LocaleCompare(\"colors\",property) == 0)\n {\n image->colors=GetNumberColors(image,(FILE *) NULL,&image->exception);\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->colors);\n break;\n }\n if (LocaleCompare(\"colorspace\",property) == 0)\n {\n string=CommandOptionToMnemonic(MagickColorspaceOptions,(ssize_t)\n image->colorspace);\n break;\n }\n if (LocaleCompare(\"compose\",property) == 0)\n {\n string=CommandOptionToMnemonic(MagickComposeOptions,(ssize_t)\n image->compose);\n break;\n }\n if (LocaleCompare(\"compression\",property) == 0)\n {\n string=CommandOptionToMnemonic(MagickCompressOptions,(ssize_t)\n image->compression);\n break;\n }\n if (LocaleCompare(\"copyright\",property) == 0)\n {\n (void) CopyMagickString(value,GetMagickCopyright(),MaxTextExtent);\n break;\n }\n break;\n }\n case 'd':\n {\n if (LocaleCompare(\"depth\",property) == 0)\n {\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->depth);\n break;\n }\n if (LocaleCompare(\"directory\",property) == 0)\n {\n GetPathComponent(image->magick_filename,HeadPath,value);\n break;\n }\n break;\n }\n case 'e':\n {\n if (LocaleCompare(\"entropy\",property) == 0)\n {\n double\n entropy;\n\n (void) GetImageChannelEntropy(image,image_info->channel,&entropy,\n &image->exception);\n (void) FormatLocaleString(value,MaxTextExtent,\"%.*g\",\n GetMagickPrecision(),entropy);\n break;\n }\n if (LocaleCompare(\"extension\",property) == 0)\n {\n GetPathComponent(image->magick_filename,ExtensionPath,value);\n break;\n }\n break;\n }\n case 'g':\n {\n if (LocaleCompare(\"gamma\",property) == 0)\n {\n (void) FormatLocaleString(value,MaxTextExtent,\"%.*g\",\n GetMagickPrecision(),image->gamma);\n break;\n }\n if ((image_info != (ImageInfo *) NULL) &&\n 
(LocaleCompare(\"group\",property) == 0))\n {\n (void) FormatLocaleString(value,MaxTextExtent,\"0x%lx\",(unsigned long)\n image_info->group);\n break;\n }\n break;\n }\n case 'h':\n {\n if (LocaleCompare(\"height\",property) == 0)\n {\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",\n image->magick_rows != 0 ? (double) image->magick_rows : 256.0);\n break;\n }\n break;\n }\n case 'i':\n {\n if (LocaleCompare(\"input\",property) == 0)\n {\n string=image->filename;\n break;\n }\n if (LocaleCompare(\"interlace\",property) == 0)\n {\n string=CommandOptionToMnemonic(MagickInterlaceOptions,(ssize_t)\n image->interlace);\n break;\n }\n break;\n }\n case 'k':\n {\n if (LocaleCompare(\"kurtosis\",property) == 0)\n {\n double\n kurtosis,\n skewness;\n\n (void) GetImageChannelKurtosis(image,image_info->channel,&kurtosis,\n &skewness,&image->exception);\n (void) FormatLocaleString(value,MaxTextExtent,\"%.*g\",\n GetMagickPrecision(),kurtosis);\n break;\n }\n break;\n }\n case 'm':\n {\n if (LocaleCompare(\"magick\",property) == 0)\n {\n string=image->magick;\n break;\n }\n if ((LocaleCompare(\"max\",property) == 0) ||\n (LocaleCompare(\"maxima\",property) == 0))\n {\n double\n maximum,\n minimum;\n\n (void) GetImageChannelRange(image,image_info->channel,&minimum,\n &maximum,&image->exception);\n (void) FormatLocaleString(value,MaxTextExtent,\"%.*g\",\n GetMagickPrecision(),maximum);\n break;\n }\n if (LocaleCompare(\"mean\",property) == 0)\n {\n double\n mean,\n standard_deviation;\n\n (void) GetImageChannelMean(image,image_info->channel,&mean,\n &standard_deviation,&image->exception);\n (void) FormatLocaleString(value,MaxTextExtent,\"%.*g\",\n GetMagickPrecision(),mean);\n break;\n }\n if ((LocaleCompare(\"min\",property) == 0) ||\n (LocaleCompare(\"minima\",property) == 0))\n {\n double\n maximum,\n minimum;\n\n (void) GetImageChannelRange(image,image_info->channel,&minimum,\n &maximum,&image->exception);\n (void) FormatLocaleString(value,MaxTextExtent,\"%.*g\",\n 
GetMagickPrecision(),minimum);\n break;\n }\n break;\n }\n case 'o':\n {\n if (LocaleCompare(\"opaque\",property) == 0)\n {\n MagickBooleanType\n opaque;\n\n opaque=IsOpaqueImage(image,&image->exception);\n (void) CopyMagickString(value,opaque != MagickFalse ? \"true\" :\n \"false\",MaxTextExtent);\n break;\n }\n if (LocaleCompare(\"orientation\",property) == 0)\n {\n string=CommandOptionToMnemonic(MagickOrientationOptions,(ssize_t)\n image->orientation);\n break;\n }\n if ((image_info != (ImageInfo *) NULL) &&\n (LocaleCompare(\"output\",property) == 0))\n {\n (void) CopyMagickString(value,image_info->filename,MaxTextExtent);\n break;\n }\n break;\n }\n case 'p':\n {\n if (LocaleCompare(\"page\",property) == 0)\n {\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20gx%.20g\",(double)\n image->page.width,(double) image->page.height);\n break;\n }\n#if defined(MAGICKCORE_LCMS_DELEGATE)\n if (LocaleCompare(\"profile:icc\",property) == 0 ||\n LocaleCompare(\"profile:icm\",property) == 0)\n {\n#if !defined(LCMS_VERSION) || (LCMS_VERSION < 2000)\n#define cmsUInt32Number DWORD\n#endif\n\n const StringInfo\n *profile;\n\n cmsHPROFILE\n icc_profile;\n\n profile=GetImageProfile(image,property+8);\n if (profile == (StringInfo *) NULL)\n break;\n\n icc_profile=cmsOpenProfileFromMem(GetStringInfoDatum(profile),\n (cmsUInt32Number) GetStringInfoLength(profile));\n if (icc_profile != (cmsHPROFILE *) NULL)\n {\n#if defined(LCMS_VERSION) && (LCMS_VERSION < 2000)\n string=cmsTakeProductName(icc_profile);\n#else\n (void) cmsGetProfileInfoASCII(icc_profile,cmsInfoDescription,\n \"en\",\"US\",value,MaxTextExtent);\n#endif\n (void) cmsCloseProfile(icc_profile);\n }\n }\n#endif\n if (LocaleCompare(\"printsize.x\",property) == 0)\n {\n (void) FormatLocaleString(value,MagickPathExtent,\"%.*g\",\n GetMagickPrecision(),PerceptibleReciprocal(image->x_resolution)*\n image->columns);\n break;\n }\n if (LocaleCompare(\"printsize.y\",property) == 0)\n {\n (void) 
FormatLocaleString(value,MagickPathExtent,\"%.*g\",\n GetMagickPrecision(),PerceptibleReciprocal(image->y_resolution)*\n image->rows);\n break;\n }\n if (LocaleCompare(\"profiles\",property) == 0)\n {\n const char\n *name;\n\n ResetImageProfileIterator(image);\n name=GetNextImageProfile(image);\n if (name != (char *) NULL)\n {\n (void) CopyMagickString(value,name,MaxTextExtent);\n name=GetNextImageProfile(image);\n while (name != (char *) NULL)\n {\n ConcatenateMagickString(value,\",\",MaxTextExtent);\n ConcatenateMagickString(value,name,MaxTextExtent);\n name=GetNextImageProfile(image);\n }\n }\n break;\n }\n break;\n }\n case 'q':\n {\n if (LocaleCompare(\"quality\",property) == 0)\n {\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->quality);\n break;\n }\n break;\n }\n case 'r':\n {\n if (LocaleCompare(\"rendering-intent\",property) == 0)\n {\n string=CommandOptionToMnemonic(MagickIntentOptions,(ssize_t)\n image->rendering_intent);\n break;\n }\n if (LocaleCompare(\"resolution.x\",property) == 0)\n {\n (void) FormatLocaleString(value,MaxTextExtent,\"%g\",\n image->x_resolution);\n break;\n }\n if (LocaleCompare(\"resolution.y\",property) == 0)\n {\n (void) FormatLocaleString(value,MaxTextExtent,\"%g\",\n image->y_resolution);\n break;\n }\n break;\n }\n case 's':\n {\n if (LocaleCompare(\"scene\",property) == 0)\n {\n if ((image_info != (ImageInfo *) NULL) &&\n (image_info->number_scenes != 0))\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image_info->scene);\n else\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->scene);\n break;\n }\n if (LocaleCompare(\"scenes\",property) == 0)\n {\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n GetImageListLength(image));\n break;\n }\n if (LocaleCompare(\"size\",property) == 0)\n {\n (void) FormatMagickSize(GetBlobSize(image),MagickFalse,value);\n break;\n }\n if (LocaleCompare(\"skewness\",property) == 0)\n {\n double\n 
kurtosis,\n skewness;\n\n (void) GetImageChannelKurtosis(image,image_info->channel,&kurtosis,\n &skewness,&image->exception);\n (void) FormatLocaleString(value,MaxTextExtent,\"%.*g\",\n GetMagickPrecision(),skewness);\n break;\n }\n if ((LocaleCompare(\"standard-deviation\",property) == 0) ||\n (LocaleCompare(\"standard_deviation\",property) == 0))\n {\n double\n mean,\n standard_deviation;\n\n (void) GetImageChannelMean(image,image_info->channel,&mean,\n &standard_deviation,&image->exception);\n (void) FormatLocaleString(value,MaxTextExtent,\"%.*g\",\n GetMagickPrecision(),standard_deviation);\n break;\n }\n break;\n }\n case 't':\n {\n if (LocaleCompare(\"type\",property) == 0)\n {\n string=CommandOptionToMnemonic(MagickTypeOptions,(ssize_t)\n IdentifyImageType(image,&image->exception));\n break;\n }\n break;\n }\n case 'u':\n {\n if ((image_info != (ImageInfo *) NULL) &&\n (LocaleCompare(\"unique\",property) == 0))\n {\n string=image_info->unique;\n break;\n }\n if (LocaleCompare(\"units\",property) == 0)\n {\n /*\n Image resolution units.\n */\n string=CommandOptionToMnemonic(MagickResolutionOptions,(ssize_t)\n image->units);\n break;\n }\n break;\n }\n case 'v':\n {\n if (LocaleCompare(\"version\",property) == 0)\n {\n string=GetMagickVersion((size_t *) NULL);\n break;\n }\n break;\n }\n case 'w':\n {\n if (LocaleCompare(\"width\",property) == 0)\n {\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n (image->magick_columns != 0 ? 
image->magick_columns : 256));\n break;\n }\n break;\n }\n case 'x': /* FUTURE: Obsolete X resolution */\n {\n if ((LocaleCompare(\"xresolution\",property) == 0) ||\n (LocaleCompare(\"x-resolution\",property) == 0) )\n {\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",\n image->x_resolution);\n break;\n }\n break;\n }\n case 'y': /* FUTURE: Obsolete Y resolution */\n {\n if ((LocaleCompare(\"yresolution\",property) == 0) ||\n (LocaleCompare(\"y-resolution\",property) == 0) )\n {\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",\n image->y_resolution);\n break;\n }\n break;\n }\n case 'z':\n {\n if ((image_info != (ImageInfo *) NULL) &&\n (LocaleCompare(\"zero\",property) == 0))\n {\n string=image_info->zero;\n break;\n }\n break;\n }\n }\n if (*value != '\\0')\n string=value;\n if (string != (char *) NULL)\n {\n (void) SetImageArtifact(image,\"get-property\", string);\n return(GetImageArtifact(image,\"get-property\"));\n }\n return((char *) NULL);\n}", "project": "ImageMagick6", "hash": 251175941008833198756247117507008348885, "size": 506, "commit_id": "5bf7ff59c8ada957d6a681a0a2cc29f3813ad4bc", "message": "https://github.com/ImageMagick/ImageMagick/issues/1225", "target": 0, "dataset": "other", "idx": 462958 }, { "func": "static const char *GetMagickPropertyLetter(const ImageInfo *image_info,\n Image *image,const char letter)\n{\n#define WarnNoImageInfoReturn(format,arg) \\\n if (image_info == (ImageInfo *) NULL ) { \\\n (void) ThrowMagickException(&image->exception,GetMagickModule(), \\\n OptionWarning,\"NoImageInfoForProperty\",format,arg); \\\n return((const char *) NULL); \\\n }\n\n char\n value[MaxTextExtent];\n\n const char\n *string;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n *value='\\0';\n string=(char *) NULL;\n switch (letter)\n {\n case 'b':\n {\n /*\n Image size read in - in 
bytes.\n */\n (void) FormatMagickSize(image->extent,MagickFalse,value);\n if (image->extent == 0)\n (void) FormatMagickSize(GetBlobSize(image),MagickFalse,value);\n break;\n }\n case 'c':\n {\n /*\n Image comment property - empty string by default.\n */\n string=GetImageProperty(image,\"comment\");\n if (string == (const char *) NULL)\n string=\"\";\n break;\n }\n case 'd':\n {\n /*\n Directory component of filename.\n */\n GetPathComponent(image->magick_filename,HeadPath,value);\n if (*value == '\\0')\n string=\"\";\n break;\n }\n case 'e':\n {\n /*\n Filename extension (suffix) of image file.\n */\n GetPathComponent(image->magick_filename,ExtensionPath,value);\n if (*value == '\\0')\n string=\"\";\n break;\n }\n case 'f':\n {\n /*\n Filename without directory component.\n */\n GetPathComponent(image->magick_filename,TailPath,value);\n if (*value == '\\0')\n string=\"\";\n break;\n }\n case 'g':\n {\n /*\n Image geometry, canvas and offset %Wx%H+%X+%Y.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20gx%.20g%+.20g%+.20g\",\n (double) image->page.width,(double) image->page.height,\n (double) image->page.x,(double) image->page.y);\n break;\n }\n case 'h':\n {\n /*\n Image height (current).\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n (image->rows != 0 ? 
image->rows : image->magick_rows));\n break;\n }\n case 'i':\n {\n /*\n Filename last used for image (read or write).\n */\n string=image->filename;\n break;\n }\n case 'k':\n {\n /*\n Number of unique colors.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n GetNumberColors(image,(FILE *) NULL,&image->exception));\n break;\n }\n case 'l':\n {\n /*\n Image label property - empty string by default.\n */\n string=GetImageProperty(image,\"label\");\n if (string == (const char *) NULL)\n string=\"\";\n break;\n }\n case 'm':\n {\n /*\n Image format (file magick).\n */\n string=image->magick;\n break;\n }\n case 'n':\n {\n /*\n Number of images in the list.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n GetImageListLength(image));\n break;\n }\n case 'o':\n {\n /*\n Output Filename - for delegate use only\n */\n WarnNoImageInfoReturn(\"\\\"%%%c\\\"\",letter);\n string=image_info->filename;\n break;\n }\n case 'p':\n {\n /*\n Image index in current image list -- As 'n' OBSOLETE.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n GetImageIndexInList(image));\n break;\n }\n case 'q':\n {\n /*\n Quantum depth of image in memory.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n MAGICKCORE_QUANTUM_DEPTH);\n break;\n }\n case 'r':\n {\n ColorspaceType\n colorspace;\n\n /*\n Image storage class and colorspace.\n */\n colorspace=image->colorspace;\n if ((image->columns != 0) && (image->rows != 0) &&\n (SetImageGray(image,&image->exception) != MagickFalse))\n colorspace=GRAYColorspace;\n (void) FormatLocaleString(value,MaxTextExtent,\"%s %s %s\",\n CommandOptionToMnemonic(MagickClassOptions,(ssize_t)\n image->storage_class),CommandOptionToMnemonic(MagickColorspaceOptions,\n (ssize_t) colorspace),image->matte != MagickFalse ? 
\"Matte\" : \"\" );\n break;\n }\n case 's':\n {\n /*\n Image scene number.\n */\n WarnNoImageInfoReturn(\"\\\"%%%c\\\"\",letter);\n if (image_info->number_scenes != 0)\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image_info->scene);\n else\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->scene);\n break;\n }\n case 't':\n {\n /*\n Base filename without directory or extension.\n */\n GetPathComponent(image->magick_filename,BasePath,value);\n break;\n }\n case 'u':\n {\n /*\n Unique filename.\n */\n WarnNoImageInfoReturn(\"\\\"%%%c\\\"\",letter);\n string=image_info->unique;\n break;\n }\n case 'w':\n {\n /*\n Image width (current).\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n (image->columns != 0 ? image->columns : image->magick_columns));\n break;\n }\n case 'x':\n {\n /*\n Image horizontal resolution.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",\n fabs(image->x_resolution) > MagickEpsilon ? image->x_resolution : 72.0);\n break;\n }\n case 'y':\n {\n /*\n Image vertical resolution.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",\n fabs(image->y_resolution) > MagickEpsilon ? 
image->y_resolution : 72.0);\n break;\n }\n case 'z':\n {\n /*\n Image depth.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->depth);\n break;\n }\n case 'A':\n {\n /*\n Image alpha channel.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%s\",\n CommandOptionToMnemonic(MagickBooleanOptions,(ssize_t) image->matte));\n break;\n }\n case 'B':\n {\n /*\n Image size read in - in bytes.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->extent);\n if (image->extent == 0)\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n GetBlobSize(image));\n break;\n }\n case 'C':\n {\n /*\n Image compression method.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%s\",\n CommandOptionToMnemonic(MagickCompressOptions,(ssize_t)\n image->compression));\n break;\n }\n case 'D':\n {\n /*\n Image dispose method.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%s\",\n CommandOptionToMnemonic(MagickDisposeOptions,(ssize_t) image->dispose));\n break;\n }\n case 'F':\n {\n const char\n *q;\n\n register char\n *p;\n\n static char\n whitelist[] =\n \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 \"\n \"$-_.+!*'(),{}|\\\\^~[]`\\\"><#%;/?:@&=\";\n\n /*\n Magick filename (sanitized) - filename given incl. coder & read mods.\n */\n (void) CopyMagickString(value,image->magick_filename,MaxTextExtent);\n p=value;\n q=value+strlen(value);\n for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))\n *p='_';\n break;\n }\n case 'G':\n {\n /*\n Image size as geometry = \"%wx%h\".\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20gx%.20g\",(double)\n image->magick_columns,(double) image->magick_rows);\n break;\n }\n case 'H':\n {\n /*\n Layer canvas height.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->page.height);\n break;\n }\n case 'M':\n {\n /*\n Magick filename - filename given incl. 
coder & read mods.\n */\n string=image->magick_filename;\n break;\n }\n case 'O':\n {\n /*\n Layer canvas offset with sign = \"+%X+%Y\".\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%+ld%+ld\",(long)\n image->page.x,(long) image->page.y);\n break;\n }\n case 'P':\n {\n /*\n Layer canvas page size = \"%Wx%H\".\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20gx%.20g\",(double)\n image->page.width,(double) image->page.height);\n break;\n }\n case 'Q':\n {\n /*\n Image compression quality.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n (image->quality == 0 ? 92 : image->quality));\n break;\n }\n case 'S':\n {\n /*\n Image scenes.\n */\n WarnNoImageInfoReturn(\"\\\"%%%c\\\"\",letter);\n if (image_info->number_scenes == 0)\n string=\"2147483647\";\n else\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image_info->scene+image_info->number_scenes);\n break;\n }\n case 'T':\n {\n /*\n Image time delay for animations.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->delay);\n break;\n }\n case 'U':\n {\n /*\n Image resolution units.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%s\",\n CommandOptionToMnemonic(MagickResolutionOptions,(ssize_t)\n image->units));\n break;\n }\n case 'W':\n {\n /*\n Layer canvas width.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20g\",(double)\n image->page.width);\n break;\n }\n case 'X':\n {\n /*\n Layer canvas X offset.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%+.20g\",(double)\n image->page.x);\n break;\n }\n case 'Y':\n {\n /*\n Layer canvas Y offset.\n */\n (void) FormatLocaleString(value,MaxTextExtent,\"%+.20g\",(double)\n image->page.y);\n break;\n }\n case 'Z':\n {\n /*\n Zero filename.\n */\n WarnNoImageInfoReturn(\"\\\"%%%c\\\"\",letter);\n string=image_info->zero;\n break;\n }\n case '@':\n {\n RectangleInfo\n page;\n\n /*\n Image bounding box.\n */\n 
page=GetImageBoundingBox(image,&image->exception);\n (void) FormatLocaleString(value,MaxTextExtent,\"%.20gx%.20g%+.20g%+.20g\",\n (double) page.width,(double) page.height,(double) page.x,(double)\n page.y);\n break;\n }\n case '#':\n {\n /*\n Image signature.\n */\n if ((image->columns != 0) && (image->rows != 0))\n (void) SignatureImage(image);\n string=GetImageProperty(image,\"signature\");\n break;\n }\n case '%':\n {\n /*\n Percent escaped.\n */\n string=\"%\";\n break;\n }\n }\n if (*value != '\\0')\n string=value;\n if (string != (char *) NULL)\n {\n (void) SetImageArtifact(image,\"get-property\",string);\n return(GetImageArtifact(image,\"get-property\"));\n }\n return((char *) NULL);\n}", "project": "ImageMagick6", "hash": 207668242379766768614404100976312119040, "size": 475, "commit_id": "5bf7ff59c8ada957d6a681a0a2cc29f3813ad4bc", "message": "https://github.com/ImageMagick/ImageMagick/issues/1225", "target": 0, "dataset": "other", "idx": 462960 }, { "func": "MagickExport char *InterpretImageProperties(const ImageInfo *image_info,\n Image *image,const char *embed_text)\n{\n#define ExtendInterpretText(string_length) \\\nDisableMSCWarning(4127) \\\n{ \\\n size_t length=(string_length); \\\n if ((size_t) (q-interpret_text+length+1) >= extent) \\\n { \\\n extent+=length; \\\n interpret_text=(char *) ResizeQuantumMemory(interpret_text,extent+ \\\n MaxTextExtent,sizeof(*interpret_text)); \\\n if (interpret_text == (char *) NULL) \\\n { \\\n if (property_info != image_info) \\\n property_info=DestroyImageInfo(property_info); \\\n return((char *) NULL); \\\n } \\\n q=interpret_text+strlen(interpret_text); \\\n } \\\n} \\\nRestoreMSCWarning\n\n#define AppendKeyValue2Text(key,value)\\\nDisableMSCWarning(4127) \\\n{ \\\n size_t length=strlen(key)+strlen(value)+2; \\\n if ((size_t) (q-interpret_text+length+1) >= extent) \\\n { \\\n extent+=length; \\\n interpret_text=(char *) ResizeQuantumMemory(interpret_text,extent+ \\\n MaxTextExtent,sizeof(*interpret_text)); \\\n if 
(interpret_text == (char *) NULL) \\\n { \\\n if (property_info != image_info) \\\n property_info=DestroyImageInfo(property_info); \\\n return((char *) NULL); \\\n } \\\n q=interpret_text+strlen(interpret_text); \\\n } \\\n q+=FormatLocaleString(q,extent,\"%s=%s\\n\",(key),(value)); \\\n} \\\nRestoreMSCWarning\n\n#define AppendString2Text(string) \\\nDisableMSCWarning(4127) \\\n{ \\\n size_t length=strlen((string)); \\\n if ((size_t) (q-interpret_text+length+1) >= extent) \\\n { \\\n extent+=length; \\\n interpret_text=(char *) ResizeQuantumMemory(interpret_text,extent+ \\\n MaxTextExtent,sizeof(*interpret_text)); \\\n if (interpret_text == (char *) NULL) \\\n { \\\n if (property_info != image_info) \\\n property_info=DestroyImageInfo(property_info); \\\n return((char *) NULL); \\\n } \\\n q=interpret_text+strlen(interpret_text); \\\n } \\\n (void) CopyMagickString(q,(string),extent); \\\n q+=length; \\\n} \\\nRestoreMSCWarning\n\n char\n *interpret_text;\n\n ImageInfo\n *property_info;\n\n register char\n *q; /* current position in interpret_text */\n\n register const char\n *p; /* position in embed_text string being expanded */\n\n size_t\n extent; /* allocated length of interpret_text */\n\n MagickBooleanType\n number;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n if (embed_text == (const char *) NULL)\n return(ConstantString(\"\"));\n p=embed_text;\n while ((isspace((int) ((unsigned char) *p)) != 0) && (*p != '\\0'))\n p++;\n if (*p == '\\0')\n return(ConstantString(\"\"));\n if ((*p == '@') && (IsPathAccessible(p+1) != MagickFalse))\n {\n /*\n Replace string from file.\n */\n if (IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,p) == MagickFalse)\n {\n errno=EPERM;\n (void) ThrowMagickException(&image->exception,GetMagickModule(),\n PolicyError,\"NotAuthorized\",\"`%s'\",p);\n 
return(ConstantString(\"\"));\n }\n interpret_text=FileToString(p+1,~0UL,&image->exception);\n if (interpret_text != (char *) NULL)\n return(interpret_text);\n }\n /*\n Translate any embedded format characters.\n */\n if (image_info != (ImageInfo *) NULL)\n property_info=(ImageInfo *) image_info;\n else\n property_info=CloneImageInfo(image_info);\n interpret_text=AcquireString(embed_text); /* new string with extra space */\n extent=MaxTextExtent; /* how many extra space */\n number=MagickFalse; /* is last char a number? */\n for (q=interpret_text; *p!='\\0';\n number=(isdigit((int) ((unsigned char) *p))) ? MagickTrue : MagickFalse,p++)\n {\n /*\n Look for the various escapes, (and handle other specials).\n */\n *q='\\0';\n ExtendInterpretText(MaxTextExtent);\n switch (*p)\n {\n case '\\\\':\n {\n switch (*(p+1))\n {\n case '\\0':\n continue;\n case 'r': /* convert to RETURN */\n {\n *q++='\\r';\n p++;\n continue;\n }\n case 'n': /* convert to NEWLINE */\n {\n *q++='\\n';\n p++;\n continue;\n }\n case '\\n': /* EOL removal UNIX,MacOSX */\n {\n p++;\n continue;\n }\n case '\\r': /* EOL removal DOS,Windows */\n {\n p++;\n if (*p == '\\n') /* return-newline EOL */\n p++;\n continue;\n }\n default:\n {\n p++;\n *q++=(*p);\n }\n }\n continue;\n }\n case '&':\n {\n if (LocaleNCompare(\"<\",p,4) == 0)\n {\n *q++='<';\n p+=3;\n }\n else\n if (LocaleNCompare(\">\",p,4) == 0)\n {\n *q++='>';\n p+=3;\n }\n else\n if (LocaleNCompare(\"&\",p,5) == 0)\n {\n *q++='&';\n p+=4;\n }\n else\n *q++=(*p);\n continue;\n }\n case '%':\n break; /* continue to next set of handlers */\n default:\n {\n *q++=(*p); /* any thing else is 'as normal' */\n continue;\n }\n }\n p++; /* advance beyond the percent */\n /*\n Doubled percent - or percent at end of string.\n */\n if ((*p == '\\0') || (*p == '\\'') || (*p == '\"'))\n p--;\n if (*p == '%')\n {\n *q++='%';\n continue;\n }\n /*\n Single letter escapes %c.\n */\n if (*p != '[')\n {\n const char\n *value;\n\n /* But only if not preceeded by a 
number! */\n if (number != MagickFalse)\n {\n *q++='%'; /* do NOT substitute the percent */\n p--; /* back up one */\n continue;\n }\n value=GetMagickPropertyLetter(property_info,image,*p);\n if (value != (char *) NULL)\n {\n AppendString2Text(value);\n continue;\n }\n (void) ThrowMagickException(&image->exception,GetMagickModule(),\n OptionWarning,\"UnknownImageProperty\",\"\\\"%%%c\\\"\",*p);\n continue;\n }\n {\n char\n pattern[2*MaxTextExtent];\n\n const char\n *key,\n *value;\n\n register ssize_t\n len;\n\n ssize_t\n depth;\n\n /*\n Braced Percent Escape %[...]\n */\n p++; /* advance p to just inside the opening brace */\n depth=1;\n if ( *p == ']' )\n {\n (void) ThrowMagickException(&image->exception,GetMagickModule(),\n OptionWarning,\"UnknownImageProperty\",\"\\\"%%[]\\\"\");\n break;\n }\n for (len=0; len<(MaxTextExtent-1L) && (*p != '\\0');)\n {\n if ((*p == '\\\\') && (*(p+1) != '\\0'))\n {\n /*\n Skip escaped braces within braced pattern.\n */\n pattern[len++]=(*p++);\n pattern[len++]=(*p++);\n continue;\n }\n if (*p == '[')\n depth++;\n if (*p == ']')\n depth--;\n if (depth <= 0)\n break;\n pattern[len++]=(*p++);\n }\n pattern[len]='\\0';\n if (depth != 0)\n {\n /*\n Check for unmatched final ']' for \"%[...]\".\n */\n if (len >= 64)\n {\n pattern[61] = '.'; /* truncate string for error message */\n pattern[62] = '.';\n pattern[63] = '.';\n pattern[64] = '\\0';\n }\n (void) ThrowMagickException(&image->exception,GetMagickModule(),\n OptionError,\"UnbalancedBraces\",\"\\\"%%[%s\\\"\",pattern);\n interpret_text=DestroyString(interpret_text);\n if (property_info != image_info)\n property_info=DestroyImageInfo(property_info);\n return((char *) NULL);\n }\n /*\n Special Lookup Prefixes %[prefix:...]\n */\n if (LocaleNCompare(\"fx:\",pattern,3) == 0)\n {\n double\n value;\n\n FxInfo\n *fx_info;\n\n MagickBooleanType\n status;\n\n /*\n FX - value calculator.\n */\n fx_info=AcquireFxInfo(image,pattern+3);\n 
status=FxEvaluateChannelExpression(fx_info,DefaultChannels,0,0,&value,\n &image->exception);\n fx_info=DestroyFxInfo(fx_info);\n if (status != MagickFalse)\n {\n char\n result[MagickPathExtent];\n\n (void) FormatLocaleString(result,MagickPathExtent,\"%.*g\",\n GetMagickPrecision(),(double) value);\n AppendString2Text(result);\n }\n continue;\n }\n if (LocaleNCompare(\"option:\",pattern,7) == 0)\n {\n /*\n Option - direct global option lookup (with globbing).\n */\n if (IsGlob(pattern+7) != MagickFalse)\n {\n ResetImageOptionIterator(property_info);\n while ((key=GetNextImageOption(property_info)) != (const char *) NULL)\n if (GlobExpression(key,pattern+7,MagickTrue) != MagickFalse)\n {\n value=GetImageOption(property_info,key);\n if (value != (const char *) NULL)\n AppendKeyValue2Text(key,value);\n /* else - assertion failure? key but no value! */\n }\n continue;\n }\n value=GetImageOption(property_info,pattern+7);\n if (value != (char *) NULL)\n AppendString2Text(value);\n /* else - no global option of this specifc name */\n continue;\n }\n if (LocaleNCompare(\"artifact:\",pattern,9) == 0)\n {\n /*\n Artifact - direct image artifact lookup (with glob).\n */\n if (IsGlob(pattern+9) != MagickFalse)\n {\n ResetImageArtifactIterator(image);\n while ((key=GetNextImageArtifact(image)) != (const char *) NULL)\n if (GlobExpression(key,pattern+9,MagickTrue) != MagickFalse)\n {\n value=GetImageArtifact(image,key);\n if (value != (const char *) NULL)\n AppendKeyValue2Text(key,value);\n /* else - assertion failure? key but no value! */\n }\n continue;\n }\n value=GetImageArtifact(image,pattern+9);\n if (value != (char *) NULL)\n AppendString2Text(value);\n /* else - no artifact of this specifc name */\n continue;\n }\n /*\n Handle special image properties, for example:\n %[exif:...] %[fx:...] %[pixel:...].\n\n FUTURE: handle %[property:...] 
prefix - abort other lookups.\n */\n value=GetImageProperty(image,pattern);\n if (value != (const char *) NULL)\n {\n AppendString2Text(value);\n continue;\n }\n /*\n Handle property 'glob' patterns such as:\n %[*] %[user:array_??] %[filename:e*]\n */\n if (IsGlob(pattern) != MagickFalse)\n {\n ResetImagePropertyIterator(image);\n while ((key=GetNextImageProperty(image)) != (const char *) NULL)\n if (GlobExpression(key,pattern,MagickTrue) != MagickFalse)\n {\n value=GetImageProperty(image,key);\n if (value != (const char *) NULL)\n AppendKeyValue2Text(key,value);\n /* else - assertion failure? */\n }\n continue;\n }\n /*\n Look for a known property or image attribute such as\n %[basename] %[denisty] %[delay]. Also handles a braced single\n letter: %[b] %[G] %[g].\n */\n value=GetMagickProperty(property_info,image,pattern);\n if (value != (const char *) NULL)\n {\n AppendString2Text(value);\n continue;\n }\n /*\n Look for a per-image Artifact (user option, post-interpreted)\n */\n value=GetImageArtifact(image,pattern);\n if (value != (char *) NULL)\n {\n AppendString2Text(value);\n continue;\n }\n /*\n Look for user option of this name (should never match in CLI usage).\n */\n value=GetImageOption(property_info,pattern);\n if (value != (char *) NULL)\n {\n AppendString2Text(value);\n continue;\n }\n /*\n Failed to find any match anywhere!\n */\n if (len >= 64)\n {\n pattern[61] = '.'; /* truncate string for error message */\n pattern[62] = '.';\n pattern[63] = '.';\n pattern[64] = '\\0';\n }\n (void) ThrowMagickException(&image->exception,GetMagickModule(),\n OptionWarning,\"UnknownImageProperty\",\"\\\"%%[%s]\\\"\",pattern);\n /* continue */\n } /* Braced Percent Escape */\n } /* for each char in 'embed_text' */\n *q='\\0';\n if (property_info != image_info)\n property_info=DestroyImageInfo(property_info);\n return(interpret_text);\n}", "project": "ImageMagick6", "hash": 248188385074506403094429626965686595035, "size": 458, "commit_id": 
"5bf7ff59c8ada957d6a681a0a2cc29f3813ad4bc", "message": "https://github.com/ImageMagick/ImageMagick/issues/1225", "target": 0, "dataset": "other", "idx": 462965 }, { "func": "formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)\n{\n Buffer save;\n char *p;\n int spos, epos, rows, c_rows, pos, col = 0;\n Line *l;\n\n copyBuffer(&save, buf);\n gotoLine(buf, a->start.line);\n switch (form->type) {\n case FORM_TEXTAREA:\n case FORM_INPUT_TEXT:\n case FORM_INPUT_FILE:\n case FORM_INPUT_PASSWORD:\n case FORM_INPUT_CHECKBOX:\n case FORM_INPUT_RADIO:\n#ifdef MENU_SELECT\n case FORM_SELECT:\n#endif\t\t\t\t/* MENU_SELECT */\n\tspos = a->start.pos;\n\tepos = a->end.pos;\n\tbreak;\n default:\n\tspos = a->start.pos + 1;\n\tepos = a->end.pos - 1;\n }\n switch (form->type) {\n case FORM_INPUT_CHECKBOX:\n case FORM_INPUT_RADIO:\n\tif (buf->currentLine == NULL ||\n\t spos >= buf->currentLine->len || spos < 0)\n\t break;\n\tif (form->checked)\n\t buf->currentLine->lineBuf[spos] = '*';\n\telse\n\t buf->currentLine->lineBuf[spos] = ' ';\n\tbreak;\n case FORM_INPUT_TEXT:\n case FORM_INPUT_FILE:\n case FORM_INPUT_PASSWORD:\n case FORM_TEXTAREA:\n#ifdef MENU_SELECT\n case FORM_SELECT:\n\tif (form->type == FORM_SELECT) {\n\t p = form->label->ptr;\n\t updateSelectOption(form, form->select_option);\n\t}\n\telse\n#endif\t\t\t\t/* MENU_SELECT */\n\t{\n\t if (!form->value)\n\t\tbreak;\n\t p = form->value->ptr;\n\t}\n\tl = buf->currentLine;\n\tif (!l)\n\t break;\n\tif (form->type == FORM_TEXTAREA) {\n\t int n = a->y - buf->currentLine->linenumber;\n\t if (n > 0)\n\t\tfor (; l && n; l = l->prev, n--) ;\n\t else if (n < 0)\n\t\tfor (; l && n; l = l->prev, n++) ;\n\t if (!l)\n\t\tbreak;\n\t}\n\trows = form->rows ? 
form->rows : 1;\n\tcol = COLPOS(l, a->start.pos);\n\tfor (c_rows = 0; c_rows < rows; c_rows++, l = l->next) {\n\t if (rows > 1) {\n\t\tpos = columnPos(l, col);\n\t\ta = retrieveAnchor(buf->formitem, l->linenumber, pos);\n\t\tif (a == NULL)\n\t\t break;\n\t\tspos = a->start.pos;\n\t\tepos = a->end.pos;\n\t }\n\t if (a->start.line != a->end.line || spos > epos || epos >= l->len || spos < 0 || epos < 0)\n\t\tbreak;\n\t pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col,\n\t\t\t\t rows > 1,\n\t\t\t\t form->type == FORM_INPUT_PASSWORD);\n\t if (pos != epos) {\n\t\tshiftAnchorPosition(buf->href, buf->hmarklist,\n\t\t\t\t a->start.line, spos, pos - epos);\n\t\tshiftAnchorPosition(buf->name, buf->hmarklist,\n\t\t\t\t a->start.line, spos, pos - epos);\n\t\tshiftAnchorPosition(buf->img, buf->hmarklist,\n\t\t\t\t a->start.line, spos, pos - epos);\n\t\tshiftAnchorPosition(buf->formitem, buf->hmarklist,\n\t\t\t\t a->start.line, spos, pos - epos);\n\t }\n\t}\n\tbreak;\n }\n copyBuffer(buf, &save);\n arrangeLine(buf);\n}", "project": "w3m", "hash": 45577909683508718942973794972642241617, "size": 98, "commit_id": "e2c7ecec6f9b730ad3c9bf8c8df9212970f183d7", "message": "Prevent dereference near-null pointer in formUpdateBuffer\n\nBug-Debian: https://github.com/tats/w3m/issues/35", "target": 0, "dataset": "other", "idx": 463013 }, { "func": "table_parse_lookup(enum table_service service, const char *key,\n const char *line, union lookup *lk)\n{\n\tchar\tbuffer[LINE_MAX], *p;\n\tsize_t\tlen;\n\n\tlen = strlen(line);\n\n\tswitch (service) {\n\tcase K_ALIAS:\n\t\tlk->expand = calloc(1, sizeof(*lk->expand));\n\t\tif (lk->expand == NULL)\n\t\t\treturn (-1);\n\t\tif (!expand_line(lk->expand, line, 1)) {\n\t\t\texpand_free(lk->expand);\n\t\t\treturn (-1);\n\t\t}\n\t\treturn (1);\n\n\tcase K_DOMAIN:\n\t\tif (strlcpy(lk->domain.name, line, sizeof(lk->domain.name))\n\t\t >= sizeof(lk->domain.name))\n\t\t\treturn (-1);\n\t\treturn (1);\n\n\tcase K_CREDENTIALS:\n\n\t\t/* credentials 
are stored as user:password */\n\t\tif (len < 3)\n\t\t\treturn (-1);\n\n\t\t/* too big to fit in a smtp session line */\n\t\tif (len >= LINE_MAX)\n\t\t\treturn (-1);\n\n\t\tp = strchr(line, ':');\n\t\tif (p == NULL) {\n\t\t\tif (strlcpy(lk->creds.username, key, sizeof (lk->creds.username))\n\t\t\t >= sizeof (lk->creds.username))\n\t\t\t\treturn (-1);\n\t\t\tif (strlcpy(lk->creds.password, line, sizeof(lk->creds.password))\n\t\t\t >= sizeof(lk->creds.password))\n\t\t\t\treturn (-1);\n\t\t\treturn (1);\n\t\t}\n\n\t\tif (p == line || p == line + len - 1)\n\t\t\treturn (-1);\n\n\t\tmemmove(lk->creds.username, line, p - line);\n\t\tlk->creds.username[p - line] = '\\0';\n\n\t\tif (strlcpy(lk->creds.password, p+1, sizeof(lk->creds.password))\n\t\t >= sizeof(lk->creds.password))\n\t\t\treturn (-1);\n\n\t\treturn (1);\n\n\tcase K_NETADDR:\n\t\tif (!text_to_netaddr(&lk->netaddr, line))\n\t\t\treturn (-1);\n\t\treturn (1);\n\n\tcase K_USERINFO:\n\t\tif (!bsnprintf(buffer, sizeof(buffer), \"%s:%s\", key, line))\n\t\t\treturn (-1);\n\t\tif (!text_to_userinfo(&lk->userinfo, buffer))\n\t\t\treturn (-1);\n \t\treturn (1);\n\n\tcase K_SOURCE:\n\t\tif (parse_sockaddr((struct sockaddr *)&lk->source.addr,\n\t\t PF_UNSPEC, line) == -1)\n\t\t\treturn (-1);\n\t\treturn (1);\n\n\tcase K_MAILADDR:\n\t\tif (!text_to_mailaddr(&lk->mailaddr, line))\n\t\t\treturn (-1);\n\t\treturn (1);\n\n\tcase K_MAILADDRMAP:\n\t\tlk->maddrmap = calloc(1, sizeof(*lk->maddrmap));\n\t\tif (lk->maddrmap == NULL)\n\t\t\treturn (-1);\n\t\tmaddrmap_init(lk->maddrmap);\n\t\tif (!mailaddr_line(lk->maddrmap, line)) {\n\t\t\tmaddrmap_free(lk->maddrmap);\n\t\t\treturn (-1);\n\t\t}\n\t\treturn (1);\n\n\tcase K_ADDRNAME:\n\t\tif (parse_sockaddr((struct sockaddr *)&lk->addrname.addr,\n\t\t PF_UNSPEC, key) == -1)\n\t\t\treturn (-1);\n\t\tif (strlcpy(lk->addrname.name, line, sizeof(lk->addrname.name))\n\t\t >= sizeof(lk->addrname.name))\n\t\t\treturn (-1);\n\t\treturn (1);\n\n\tcase K_RELAYHOST:\n\t\tif 
(strlcpy(lk->relayhost, line, sizeof(lk->relayhost))\n\t\t >= sizeof(lk->relayhost))\n\t\t\treturn (-1);\n\t\treturn (1);\n\n\tdefault:\n\t\treturn (-1);\n\t}\n}", "project": "src", "hash": 49282835837482719100169350639655532770, "size": 111, "commit_id": "79a034b4aed29e965f45a13409268290c9910043", "message": "Use regfree after we're done with preg.\n\nFrom gilles@", "target": 0, "dataset": "other", "idx": 468894 }, { "func": "table_dump(struct table *t)\n{\n\tconst char *type;\n\tchar buf[LINE_MAX];\n\n\tswitch(t->t_type) {\n\tcase T_NONE:\n\t\ttype = \"NONE\";\n\t\tbreak;\n\tcase T_DYNAMIC:\n\t\ttype = \"DYNAMIC\";\n\t\tbreak;\n\tcase T_LIST:\n\t\ttype = \"LIST\";\n\t\tbreak;\n\tcase T_HASH:\n\t\ttype = \"HASH\";\n\t\tbreak;\n\tdefault:\n\t\ttype = \"???\";\n\t\tbreak;\n\t}\n\n\tif (t->t_config[0])\n\t\tsnprintf(buf, sizeof(buf), \" config=\\\"%s\\\"\", t->t_config);\n\telse\n\t\tbuf[0] = '\\0';\n\n\tlog_debug(\"TABLE \\\"%s\\\" backend=%s type=%s%s\", t->t_name,\n\t t->t_backend->name, type, buf);\n\n\tif (t->t_backend->dump)\n\t\tt->t_backend->dump(t);\n}", "project": "src", "hash": 166558614969388875596496694470507206464, "size": 34, "commit_id": "79a034b4aed29e965f45a13409268290c9910043", "message": "Use regfree after we're done with preg.\n\nFrom gilles@", "target": 0, "dataset": "other", "idx": 468898 }, { "func": "parse_sockaddr(struct sockaddr *sa, int family, const char *str)\n{\n\tstruct in_addr\t\t ina;\n\tstruct in6_addr\t\t in6a;\n\tstruct sockaddr_in\t*sin;\n\tstruct sockaddr_in6\t*sin6;\n\tchar\t\t\t*cp, *str2;\n\tconst char\t\t*errstr;\n\n\tswitch (family) {\n\tcase PF_UNSPEC:\n\t\tif (parse_sockaddr(sa, PF_INET, str) == 0)\n\t\t\treturn (0);\n\t\treturn parse_sockaddr(sa, PF_INET6, str);\n\n\tcase PF_INET:\n\t\tif (inet_pton(PF_INET, str, &ina) != 1)\n\t\t\treturn (-1);\n\n\t\tsin = (struct sockaddr_in *)sa;\n\t\tmemset(sin, 0, sizeof *sin);\n\t\tsin->sin_len = sizeof(struct sockaddr_in);\n\t\tsin->sin_family = PF_INET;\n\t\tsin->sin_addr.s_addr 
= ina.s_addr;\n\t\treturn (0);\n\n\tcase PF_INET6:\n\t\tif (strncasecmp(\"ipv6:\", str, 5) == 0)\n\t\t\tstr += 5;\n\t\tcp = strchr(str, SCOPE_DELIMITER);\n\t\tif (cp) {\n\t\t\tstr2 = strdup(str);\n\t\t\tif (str2 == NULL)\n\t\t\t\treturn (-1);\n\t\t\tstr2[cp - str] = '\\0';\n\t\t\tif (inet_pton(PF_INET6, str2, &in6a) != 1) {\n\t\t\t\tfree(str2);\n\t\t\t\treturn (-1);\n\t\t\t}\n\t\t\tcp++;\n\t\t\tfree(str2);\n\t\t} else if (inet_pton(PF_INET6, str, &in6a) != 1)\n\t\t\treturn (-1);\n\n\t\tsin6 = (struct sockaddr_in6 *)sa;\n\t\tmemset(sin6, 0, sizeof *sin6);\n\t\tsin6->sin6_len = sizeof(struct sockaddr_in6);\n\t\tsin6->sin6_family = PF_INET6;\n\t\tsin6->sin6_addr = in6a;\n\n\t\tif (cp == NULL)\n\t\t\treturn (0);\n\n\t\tif (IN6_IS_ADDR_LINKLOCAL(&in6a) ||\n\t\t IN6_IS_ADDR_MC_LINKLOCAL(&in6a) ||\n\t\t IN6_IS_ADDR_MC_INTFACELOCAL(&in6a))\n\t\t\tif ((sin6->sin6_scope_id = if_nametoindex(cp)))\n\t\t\t\treturn (0);\n\n\t\tsin6->sin6_scope_id = strtonum(cp, 0, UINT32_MAX, &errstr);\n\t\tif (errstr)\n\t\t\treturn (-1);\n\t\treturn (0);\n\n\tdefault:\n\t\tbreak;\n\t}\n\n\treturn (-1);\n}", "project": "src", "hash": 196785708567508275139801888138028702305, "size": 70, "commit_id": "79a034b4aed29e965f45a13409268290c9910043", "message": "Use regfree after we're done with preg.\n\nFrom gilles@", "target": 0, "dataset": "other", "idx": 468908 }, { "func": "table_service_name(enum table_service s)\n{\n\tswitch (s) {\n\tcase K_NONE:\t\treturn \"NONE\";\n\tcase K_ALIAS:\t\treturn \"ALIAS\";\n\tcase K_DOMAIN:\t\treturn \"DOMAIN\";\n\tcase K_CREDENTIALS:\treturn \"CREDENTIALS\";\n\tcase K_NETADDR:\t\treturn \"NETADDR\";\n\tcase K_USERINFO:\treturn \"USERINFO\";\n\tcase K_SOURCE:\t\treturn \"SOURCE\";\n\tcase K_MAILADDR:\treturn \"MAILADDR\";\n\tcase K_ADDRNAME:\treturn \"ADDRNAME\";\n\tcase K_MAILADDRMAP:\treturn \"MAILADDRMAP\";\n\tcase K_RELAYHOST:\treturn \"RELAYHOST\";\n\tcase K_STRING:\t\treturn \"STRING\";\n\tcase K_REGEX:\t\treturn \"REGEX\";\n\t}\n\treturn \"???\";\n}", 
"project": "src", "hash": 332905979210102938023151233670785985268, "size": 19, "commit_id": "79a034b4aed29e965f45a13409268290c9910043", "message": "Use regfree after we're done with preg.\n\nFrom gilles@", "target": 0, "dataset": "other", "idx": 468911 }, { "func": "iasecc_pin_cmd(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx, \"iasecc_pin_cmd() cmd 0x%X, PIN type 0x%X, PIN reference %i, PIN-1 %p:%i, PIN-2 %p:%i\",\n\t\t\tdata->cmd, data->pin_type, data->pin_reference,\n\t\t\tdata->pin1.data, data->pin1.len, data->pin2.data, data->pin2.len);\n\n\tswitch (data->cmd) {\n\tcase SC_PIN_CMD_VERIFY:\n\t\trv = iasecc_pin_verify(card, data->pin_type, data->pin_reference, data->pin1.data, data->pin1.len, tries_left);\n\t\tbreak;\n\tcase SC_PIN_CMD_CHANGE:\n\t\tif (data->pin_type == SC_AC_AUT)\n\t\t\trv = iasecc_keyset_change(card, data, tries_left);\n\t\telse\n\t\t\trv = iasecc_pin_change(card, data, tries_left);\n\t\tbreak;\n\tcase SC_PIN_CMD_UNBLOCK:\n\t\trv = iasecc_pin_reset(card, data, tries_left);\n\t\tbreak;\n\tcase SC_PIN_CMD_GET_INFO:\n\t\trv = iasecc_pin_get_policy(card, data);\n\t\tbreak;\n\tdefault:\n\t\tsc_log(ctx, \"Other pin commands not supported yet: 0x%X\", data->cmd);\n\t\trv = SC_ERROR_NOT_SUPPORTED;\n\t}\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 246215688756594669154534051618834388954, "size": 33, "commit_id": "03628449b75a93787eb2359412a3980365dda49b", "message": "iasecc: fixed unbound recursion", "target": 0, "dataset": "other", "idx": 477410 }, { "func": "flag_in_afflist(int flagtype, char_u *afflist, unsigned flag)\n{\n char_u\t*p;\n unsigned\tn;\n\n switch (flagtype)\n {\n\tcase AFT_CHAR:\n\t return vim_strchr(afflist, flag) != NULL;\n\n\tcase AFT_CAPLONG:\n\tcase AFT_LONG:\n\t for (p = afflist; *p != NUL; )\n\t {\n#ifdef FEAT_MBYTE\n\t\tn = mb_ptr2char_adv(&p);\n#else\n\t\tn = *p++;\n#endif\n\t\tif ((flagtype 
== AFT_LONG || (n >= 'A' && n <= 'Z'))\n\t\t\t\t\t\t\t\t && *p != NUL)\n#ifdef FEAT_MBYTE\n\t\t n = mb_ptr2char_adv(&p) + (n << 16);\n#else\n\t\t n = *p++ + (n << 16);\n#endif\n\t\tif (n == flag)\n\t\t return TRUE;\n\t }\n\t break;\n\n\tcase AFT_NUM:\n\t for (p = afflist; *p != NUL; )\n\t {\n\t\tn = getdigits(&p);\n\t\tif (n == flag)\n\t\t return TRUE;\n\t\tif (*p != NUL)\t/* skip over comma */\n\t\t ++p;\n\t }\n\t break;\n }\n return FALSE;\n}", "project": "vim", "hash": 120005223660897787450636932915525369809, "size": 44, "commit_id": "399c297aa93afe2c0a39e2a1b3f972aebba44c9d", "message": "patch 8.0.0322: possible overflow with corrupted spell file\n\nProblem: Possible overflow with spell file where the tree length is\n corrupted.\nSolution: Check for an invalid length (suggested by shqking)", "target": 0, "dataset": "other", "idx": 477995 }, { "func": "static struct SYMBOL *process_pscomment(struct SYMBOL *s)\n{\n\tchar w[32], *p, *q;\n\tint voice;\n\tfloat h1;\n\tint lock = 0;\n\n\tp = s->text + 2;\t\t/* skip '%%' */\n\tq = p + strlen(p) - 5;\n\tif (q > p\n\t && strncmp(q, \" lock\", 5) == 0) {\n\t\tlock = 1;\n\t\t*q = '\\0';\n\t}\n\tp = get_str(w, p, sizeof w);\n\tif (s->state == ABC_S_HEAD\n\t && !check_header(s)) {\n\t\terror(1, s, \"Cannot have %%%%%s in tune header\", w);\n\t\treturn s;\n\t}\n\tswitch (w[0]) {\n\tcase 'b':\n\t\tif (strcmp(w, \"beginps\") == 0\n\t\t || strcmp(w, \"beginsvg\") == 0) {\n\t\t\tchar use;\n\n\t\t\tif (w[5] == 'p') {\n\t\t\t\tif (strncmp(p, \"svg\", 3) == 0)\n\t\t\t\t\tuse = 's';\n\t\t\t\telse if (strncmp(p, \"nosvg\", 5) == 0)\n\t\t\t\t\tuse = 'p';\n\t\t\t\telse\n\t\t\t\t\tuse = 'b';\n\t\t\t} else {\n\t\t\t\tuse = 'g';\n\t\t\t}\n\t\t\tp = s->text + 2 + 7;\n\t\t\twhile (*p != '\\0' && *p != '\\n')\n\t\t\t\tp++;\n\t\t\tif (*p == '\\0')\n\t\t\t\treturn s;\t\t/* empty */\n\t\t\tps_def(s, p + 1, use);\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"begintext\") == 0) {\n\t\t\tint job;\n\n\t\t\tif (s->state == ABC_S_TUNE) {\n\t\t\t\tif 
(!multicol_start)\n\t\t\t\t\tgen_ly(1);\n\t\t\t} else if (s->state == ABC_S_GLOBAL) {\n\t\t\t\tif (epsf || !in_fname)\n\t\t\t\t\treturn s;\n\t\t\t}\n\t\t\tp = s->text + 2 + 9;\n\t\t\twhile (*p == ' ' || *p == '\\t')\n\t\t\t\tp++;\n\t\t\tif (*p != '\\n') {\n\t\t\t\tjob = get_textopt(p);\n\t\t\t\twhile (*p != '\\0' && *p != '\\n')\n\t\t\t\t\tp++;\n\t\t\t\tif (*p == '\\0')\n\t\t\t\t\treturn s;\t/* empty */\n\t\t\t} else {\n\t\t\t\tjob = cfmt.textoption;\n\t\t\t}\n\t\t\tif (job != T_SKIP) {\n\t\t\t\tp++;\n\t\t\t\twrite_text(w, p, job);\n\t\t\t}\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"break\") == 0) {\n\t\t\tstruct brk_s *brk;\n\n\t\t\tif (s->state != ABC_S_HEAD) {\n\t\t\t\terror(1, s, \"%%%%%s ignored\", w);\n\t\t\t\treturn s;\n\t\t\t}\n\t\t\tif (*p == '\\0')\n\t\t\t\treturn s;\n\t\t\tfor (;;) {\n\t\t\t\tbrk = malloc(sizeof *brk);\n\t\t\t\tp = get_symsel(&brk->symsel, p);\n\t\t\t\tif (!p) {\n\t\t\t\t\terror(1, s, \"Bad selection in %%%%%s\", w);\n\t\t\t\t\treturn s;\n\t\t\t\t}\n\t\t\t\tbrk->next = brks;\n\t\t\t\tbrks = brk;\n\t\t\t\tif (*p != ',' && *p != ' ')\n\t\t\t\t\tbreak;\n\t\t\t\tp++;\n\t\t\t}\n\t\t\treturn s;\n\t\t}\n\t\tbreak;\n\tcase 'c':\n\t\tif (strcmp(w, \"center\") == 0)\n\t\t\tgoto center;\n\t\tif (strcmp(w, \"clef\") == 0) {\n\t\t\tif (s->state != ABC_S_GLOBAL)\n\t\t\t\tclef_def(s);\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"clip\") == 0) {\n\t\t\tif (!cur_tune_opts) {\n\t\t\t\terror(1, s, \"%%%%%s not in %%%%tune sequence\", w);\n\t\t\t\treturn s;\n\t\t\t}\n\n\t\t\t/* %%clip \"-\" */\n\t\t\tif (*p != '-') {\n\t\t\t\tp = get_symsel(&clip_start, p);\n\t\t\t\tif (!p) {\n\t\t\t\t\terror(1, s, \"Bad start in %%%%%s\", w);\n\t\t\t\t\treturn s;\n\t\t\t\t}\n\t\t\t\tif (*p != '-') {\n\t\t\t\t\terror(1, s, \"Lack of '-' in %%%%%s\", w);\n\t\t\t\t\treturn s;\n\t\t\t\t}\n\t\t\t}\n\t\t\tp++;\n\t\t\tp = get_symsel(&clip_end, p);\n\t\t\tif (!p) {\n\t\t\t\terror(1, s, \"Bad end in %%%%%s\", w);\n\t\t\t\treturn s;\n\t\t\t}\n\t\t\tif (clip_start.bar < 
0)\n\t\t\t\tclip_start.bar = 0;\n\t\t\tif (clip_end.bar < clip_start.bar\n\t\t\t || (clip_end.bar == clip_start.bar\n\t\t\t && clip_end.time <= clip_start.time)) {\n\t\t\t\tclip_end.bar = (short unsigned) ~0 >> 1;\n\t\t\t}\n\t\t\treturn s;\n\t\t}\n\t\tbreak;\n\tcase 'd':\n\t\tif (strcmp(w, \"deco\") == 0) {\n\t\t\tdeco_add(p);\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"dynamic\") == 0) {\n\t\t\tset_voice_param(curvoice, s->state, w, p);\n\t\t\treturn s;\n\t\t}\n\t\tbreak;\n\tcase 'E':\n\t\tif (strcmp(w, \"EPS\") == 0) {\n\t\t\tfloat x1, y1, x2, y2;\n\t\t\tFILE *fp;\n\t\t\tchar fn[STRL1], line[STRL1];\n\n\t\t\tgen_ly(1);\n\t\t\tif (secure\n\t\t\t || cfmt.textoption == T_SKIP)\n\t\t\t\treturn s;\n\t\t\tget_str(line, p, sizeof line);\n\t\t\tif ((fp = open_file(line, \"eps\", fn)) == NULL) {\n\t\t\t\terror(1, s, \"No such file: %s\", line);\n\t\t\t\treturn s;\n\t\t\t}\n\n\t\t\t/* get the bounding box */\n\t\t\tx1 = x2 = 0;\n\t\t\twhile (fgets(line, sizeof line, fp)) {\n\t\t\t\tif (strncmp(line, \"%%BoundingBox:\", 14) == 0) {\n\t\t\t\t\tif (sscanf(&line[14], \"%f %f %f %f\",\n\t\t\t\t\t\t &x1, &y1, &x2, &y2) == 4)\n\t\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\tfclose(fp);\n\t\t\tif (x1 == x2) {\n\t\t\t\terror(1, s, \"No bounding box in '%s'\", fn);\n\t\t\t\treturn s;\n\t\t\t}\n\t\t\tif (cfmt.textoption == T_CENTER\n\t\t\t || cfmt.textoption == T_RIGHT) {\n\t\t\t\tfloat lw;\n\n\t\t\t\tlw = ((cfmt.landscape ? 
cfmt.pageheight : cfmt.pagewidth)\n\t\t\t\t\t- cfmt.leftmargin - cfmt.rightmargin) / cfmt.scale;\n\t\t\t\tif (cfmt.textoption == T_CENTER)\n\t\t\t\t\tx1 += (lw - (x2 - x1)) * 0.5;\n\t\t\t\telse\n\t\t\t\t\tx1 += lw - (x2 - x1);\n\t\t\t}\n\t\t\ta2b(\"\\001\");\t/* include file (must be the first after eob) */\n\t\t\tbskip(y2 - y1);\n\t\t\ta2b(\"%.2f %.2f%%%s\\n\", x1, -y1, fn);\n\t\t\tbuffer_eob(0);\n\t\t\treturn s;\n\t\t}\n\t\tbreak;\n\tcase 'g':\n\t\tif (strcmp(w, \"gchord\") == 0\n\t\t || strcmp(w, \"gstemdir\") == 0) {\n\t\t\tset_voice_param(curvoice, s->state, w, p);\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"glyph\") == 0) {\n\t\t\tif (!svg && epsf <= 1)\n\t\t\t\tglyph_add(p);\n\t\t\treturn s;\n\t\t}\n\t\tbreak;\n\tcase 'm':\n\t\tif (strcmp(w, \"map\") == 0) {\n\t\t\tget_map(p);\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"maxsysstaffsep\") == 0) {\n\t\t\tif (s->state != ABC_S_TUNE)\n\t\t\t\tbreak;\n\t\t\tparsys->voice[curvoice - voice_tb].maxsep = scan_u(p, 0);\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"multicol\") == 0) {\n\t\t\tfloat bposy;\n\n\t\t\tgenerate();\n\t\t\tif (strncmp(p, \"start\", 5) == 0) {\n\t\t\t\tif (!in_page)\n\t\t\t\t\ta2b(\"%%\\n\");\t/* initialize the output */\n\t\t\t\tbuffer_eob(0);\n\t\t\t\tbposy = get_bposy();\n\t\t\t\tmulticol_max = multicol_start = bposy;\n\t\t\t\tlmarg = cfmt.leftmargin;\n\t\t\t\trmarg = cfmt.rightmargin;\n\t\t\t} else if (strncmp(p, \"new\", 3) == 0) {\n\t\t\t\tif (multicol_start == 0) {\n\t\t\t\t\terror(1, s,\n\t\t\t\t\t \"%%%%%s new without start\", w);\n\t\t\t\t} else {\n\t\t\t\t\tbuffer_eob(0);\n\t\t\t\t\tbposy = get_bposy();\n\t\t\t\t\tif (bposy < multicol_start)\n\t\t\t\t\t\tbskip((bposy - multicol_start)\n\t\t\t\t\t\t\t\t/ cfmt.scale);\n\t\t\t\t\tif (bposy < multicol_max)\n\t\t\t\t\t\tmulticol_max = bposy;\n\t\t\t\t\tcfmt.leftmargin = lmarg;\n\t\t\t\t\tcfmt.rightmargin = rmarg;\n\t\t\t\t}\n\t\t\t} else if (strncmp(p, \"end\", 3) == 0) {\n\t\t\t\tif (multicol_start == 0) {\n\t\t\t\t\terror(1, 
s,\n\t\t\t\t\t \"%%%%%s end without start\", w);\n\t\t\t\t} else {\n\t\t\t\t\tbuffer_eob(0);\n\t\t\t\t\tbposy = get_bposy();\n\t\t\t\t\tif (bposy > multicol_max)\n\t\t\t\t\t\tbskip((bposy - multicol_max)\n\t\t\t\t\t\t\t\t/ cfmt.scale);\n\t\t\t\t\telse\n\t\t\t\t\t\ta2b(\"%%\\n\");\t/* force write_buffer */\n\t\t\t\t\tcfmt.leftmargin = lmarg;\n\t\t\t\t\tcfmt.rightmargin = rmarg;\n\t\t\t\t\tmulticol_start = 0;\n\t\t\t\t\tbuffer_eob(0);\n\t\t\t\t\tif (!info['X' - 'A']\n\t\t\t\t\t && !epsf)\n\t\t\t\t\t\twrite_buffer();\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\terror(1, s,\n\t\t\t\t \"Unknown keyword '%s' in %%%%%s\", p, w);\n\t\t\t}\n\t\t\treturn s;\n\t\t}\n\t\tbreak;\n\tcase 'M':\n\t\tif (strcmp(w, \"MIDI\") == 0\n\t\t && strncmp(p, \"temperamentequal\", 16) == 0) {\n\t\t\tint n;\n\n\t\t\tif (cfmt.nedo) {\n\t\t\t\terror(1, s, \"%%%%MIDI temperamentequal redefined\");\n\t\t\t\treturn s;\n\t\t\t}\n\t\t\tp += 16;\n\t\t\twhile (isspace((unsigned char) *p))\n\t\t\t\tp++;\n\t\t\tn = atoi(p);\n\t\t\tif (n < 7 || n > 53) {\n\t\t\t\terror(1, s, \"Bad value in %%%%MIDI temperamentequal\");\n\t\t\t\treturn s;\n\t\t\t}\n\t\t\tcfmt.nedo = n;\n\t\t}\n\t\tbreak;\n\tcase 'n':\n\t\tif (strcmp(w, \"newpage\") == 0) {\n\t\t\tif (epsf || !in_fname)\n\t\t\t\treturn s;\n\t\t\tif (s->state == ABC_S_TUNE)\n\t\t\t\tgenerate();\n\t\t\tbuffer_eob(0);\n\t\t\twrite_buffer();\n//\t\t\tuse_buffer = 0;\n\t\t\tif (isdigit((unsigned char) *p))\n\t\t\t\tpagenum = atoi(p);\n\t\t\tclose_page();\n\t\t\tif (s->state == ABC_S_TUNE)\n\t\t\t\tbskip(cfmt.topspace);\n\t\t\treturn s;\n\t\t}\n\t\tbreak;\n\tcase 'p':\n\t\tif (strcmp(w, \"pos\") == 0) {\t// %%pos \n\t\t\tp = get_str(w, p, sizeof w);\n\t\t\tset_voice_param(curvoice, s->state, w, p);\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"ps\") == 0\n\t\t || strcmp(w, \"postscript\") == 0) {\n\t\t\tps_def(s, p, 'b');\n\t\t\treturn s;\n\t\t}\n\t\tbreak;\n\tcase 'o':\n\t\tif (strcmp(w, \"ornament\") == 0) {\n\t\t\tset_voice_param(curvoice, s->state, w, p);\n\t\t\treturn 
s;\n\t\t}\n\t\tbreak;\n\tcase 'r':\n\t\tif (strcmp(w, \"repbra\") == 0) {\n\t\t\tif (s->state != ABC_S_TUNE)\n\t\t\t\treturn s;\n\t\t\tcurvoice->norepbra = strchr(\"0FfNn\", *p)\n\t\t\t\t\t\t|| *p == '\\0';\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"repeat\") == 0) {\n\t\t\tint n, k;\n\n\t\t\tif (s->state != ABC_S_TUNE)\n\t\t\t\treturn s;\n\t\t\tif (!curvoice->last_sym) {\n\t\t\t\terror(1, s,\n\t\t\t\t \"%%%s cannot start a tune\", w);\n\t\t\t\treturn s;\n\t\t\t}\n\t\t\tif (*p == '\\0') {\n\t\t\t\tn = 1;\n\t\t\t\tk = 1;\n\t\t\t} else {\n\t\t\t\tn = atoi(p);\n\t\t\t\tif (n < 1\n\t\t\t\t || (curvoice->last_sym->type == BAR\n\t\t\t\t\t&& n > 2)) {\n\t\t\t\t\terror(1, s,\n\t\t\t\t\t \"Incorrect 1st value in %%%%%s\", w);\n\t\t\t\t\treturn s;\n\t\t\t\t}\n\t\t\t\twhile (*p != '\\0' && !isspace((unsigned char) *p))\n\t\t\t\t\tp++;\n\t\t\t\twhile (isspace((unsigned char) *p))\n\t\t\t\t\tp++;\n\t\t\t\tif (*p == '\\0') {\n\t\t\t\t\tk = 1;\n\t\t\t\t} else {\n\t\t\t\t\tk = atoi(p);\n\t\t\t\t\tif (k < 1) {\n//\t\t\t\t\t || (curvoice->last_sym->type == BAR\n//\t\t\t\t\t && n == 2\n//\t\t\t\t\t && k > 1)) {\n\t\t\t\t\t\terror(1, s,\n\t\t\t\t\t\t \"Incorrect 2nd value in %%%%%s\", w);\n\t\t\t\t\t\treturn s;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\ts->aux = REPEAT;\n\t\t\tif (curvoice->last_sym->type == BAR)\n\t\t\t\ts->doty = n;\n\t\t\telse\n\t\t\t\ts->doty = -n;\n\t\t\tsym_link(s, FMTCHG);\n\t\t\ts->nohdi1 = k;\n\t\t\ts->text = NULL;\n\t\t\treturn s;\n\t\t}\n\t\tbreak;\n\tcase 's':\n\t\tif (strcmp(w, \"setbarnb\") == 0) {\n\t\t\tif (s->state == ABC_S_TUNE) {\n\t\t\t\tstruct SYMBOL *s2;\n\t\t\t\tint n;\n\n\t\t\t\tn = atoi(p);\n\t\t\t\tfor (s2 = s->abc_next; s2; s2 = s2->abc_next) {\n\t\t\t\t\tif (s2->abc_type == ABC_T_BAR) {\n\t\t\t\t\t\ts2->aux = n;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\treturn s;\n\t\t\t}\n\t\t\tstrcpy(w, \"measurefirst\");\n\t\t\tbreak;\n\t\t}\n\t\tif (strcmp(w, \"sep\") == 0) {\n\t\t\tfloat h2, len, lwidth;\n\n\t\t\tif (s->state == ABC_S_TUNE) 
{\n\t\t\t\tgen_ly(0);\n\t\t\t} else if (s->state == ABC_S_GLOBAL) {\n\t\t\t\tif (epsf || !in_fname)\n\t\t\t\t\treturn s;\n\t\t\t}\n\t\t\tlwidth = (cfmt.landscape ? cfmt.pageheight : cfmt.pagewidth)\n\t\t\t\t- cfmt.leftmargin - cfmt.rightmargin;\n\t\t\th1 = h2 = len = 0;\n\t\t\tif (*p != '\\0') {\n\t\t\t\th1 = scan_u(p, 0);\n\t\t\t\twhile (*p != '\\0' && !isspace((unsigned char) *p))\n\t\t\t\t\tp++;\n\t\t\t\twhile (isspace((unsigned char) *p))\n\t\t\t\t\tp++;\n\t\t\t}\n\t\t\tif (*p != '\\0') {\n\t\t\t\th2 = scan_u(p, 0);\n\t\t\t\twhile (*p != '\\0' && !isspace((unsigned char) *p))\n\t\t\t\t\tp++;\n\t\t\t\twhile (isspace((unsigned char) *p))\n\t\t\t\t\tp++;\n\t\t\t}\n\t\t\tif (*p != '\\0')\n\t\t\t\tlen = scan_u(p, 0);\n\t\t\tif (h1 < 1)\n\t\t\t\th1 = 0.5 CM;\n\t\t\tif (h2 < 1)\n\t\t\t\th2 = h1;\n\t\t\tif (len < 1)\n\t\t\t\tlen = 3.0 CM;\n\t\t\tbskip(h1);\n\t\t\ta2b(\"%.1f %.1f sep0\\n\",\n\t\t\t len / cfmt.scale,\n\t\t\t (lwidth - len) * 0.5 / cfmt.scale);\n\t\t\tbskip(h2);\n\t\t\tbuffer_eob(0);\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"staff\") == 0) {\n\t\t\tint staff;\n\n\t\t\tif (s->state != ABC_S_TUNE)\n\t\t\t\treturn s;\n\t\t\tif (*p == '+')\n\t\t\t\tstaff = curvoice->cstaff + atoi(p + 1);\n\t\t\telse if (*p == '-')\n\t\t\t\tstaff = curvoice->cstaff - atoi(p + 1);\n\t\t\telse\n\t\t\t\tstaff = atoi(p) - 1;\n\t\t\tif ((unsigned) staff > (unsigned) nstaff) {\n\t\t\t\terror(1, s, \"Bad staff in %%%%%s\", w);\n\t\t\t\treturn s;\n\t\t\t}\n\t\t\tcurvoice->floating = 0;\n\t\t\tcurvoice->cstaff = staff;\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"staffbreak\") == 0) {\n\t\t\tif (s->state != ABC_S_TUNE)\n\t\t\t\treturn s;\n\t\t\tif (isdigit(*p)) {\n\t\t\t\ts->xmx = scan_u(p, 0);\n\t\t\t\tif (s->xmx < 0) {\n\t\t\t\t\terror(1, s, \"Bad value in %%%%%s\", w);\n\t\t\t\t\treturn s;\n\t\t\t\t}\n\t\t\t\tif (p[strlen(p) - 1] == 'f')\n\t\t\t\t\ts->doty = 1;\n\t\t\t} else {\n\t\t\t\ts->xmx = 0.5 CM;\n\t\t\t\tif (*p == 'f')\n\t\t\t\t\ts->doty = 1;\n\t\t\t}\n\t\t\tsym_link(s, 
STBRK);\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"stafflines\") == 0) {\n\t\t\tif (isdigit((unsigned char) *p)) {\n\t\t\t\tswitch (atoi(p)) {\n\t\t\t\tcase 0: p = \"...\"; break;\n\t\t\t\tcase 1: p = \"..|\"; break;\n\t\t\t\tcase 2: p = \".||\"; break;\n\t\t\t\tcase 3: p = \".|||\"; break;\n\t\t\t\tcase 4: p = \"||||\"; break;\n\t\t\t\tcase 5: p = \"|||||\"; break;\n\t\t\t\tcase 6: p = \"||||||\"; break;\n\t\t\t\tcase 7: p = \"|||||||\"; break;\n\t\t\t\tcase 8: p = \"||||||||\"; break;\n\t\t\t\tdefault:\n\t\t\t\t\terror(1, s, \"Bad number of lines\");\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tint l;\n\n\t\t\t\tl = strlen(p);\n\t\t\t\tq = p;\n\t\t\t\tp = getarena(l + 1);\n\t\t\t\tstrcpy(p, q);\n\t\t\t}\n\t\t\tif (s->state != ABC_S_TUNE) {\n\t\t\t\tfor (voice = 0; voice < MAXVOICE; voice++)\n\t\t\t\t\tvoice_tb[voice].stafflines = p;\n\t\t\t} else {\n\t\t\t\tcurvoice->stafflines = p;\n\t\t\t}\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"staffscale\") == 0) {\n\t\t\tchar *q;\n\t\t\tfloat scale;\n\n\t\t\tscale = strtod(p, &q);\n\t\t\tif (scale < 0.3 || scale > 2\n\t\t\t || (*q != '\\0' && *q != ' ')) {\n\t\t\t\terror(1, s, \"Bad value in %%%%%s\", w);\n\t\t\t\treturn s;\n\t\t\t}\n\t\t\tif (s->state != ABC_S_TUNE) {\n\t\t\t\tfor (voice = 0; voice < MAXVOICE; voice++)\n\t\t\t\t\tvoice_tb[voice].staffscale = scale;\n\t\t\t} else {\n\t\t\t\tcurvoice->staffscale = scale;\n\t\t\t}\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"staves\") == 0\n\t\t || strcmp(w, \"score\") == 0) {\n\t\t\tif (s->state == ABC_S_GLOBAL)\n\t\t\t\treturn s;\n\t\t\tget_staves(s);\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"stemdir\") == 0) {\n\t\t\tset_voice_param(curvoice, s->state, w, p);\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"sysstaffsep\") == 0) {\n\t\t\tif (s->state != ABC_S_TUNE)\n\t\t\t\tbreak;\n\t\t\tparsys->voice[curvoice - voice_tb].sep = scan_u(p, 0);\n\t\t\treturn s;\n\t\t}\n\t\tbreak;\n\tcase 't':\n\t\tif (strcmp(w, \"text\") == 0) {\n\t\t\tint 
job;\n\ncenter:\n\t\t\tif (s->state == ABC_S_TUNE) {\n\t\t\t\tgen_ly(1);\n\t\t\t} else if (s->state == ABC_S_GLOBAL) {\n\t\t\t\tif (epsf || !in_fname)\n\t\t\t\t\treturn s;\n\t\t\t}\n\t\t\tif (w[0] == 'c') {\n\t\t\t\tjob = T_CENTER;\n\t\t\t} else {\n\t\t\t\tjob = cfmt.textoption;\n\t\t\t\tswitch(job) {\n\t\t\t\tcase T_SKIP:\n\t\t\t\t\treturn s;\n\t\t\t\tcase T_LEFT:\n\t\t\t\tcase T_RIGHT:\n\t\t\t\tcase T_CENTER:\n\t\t\t\t\tbreak;\n\t\t\t\tdefault:\n\t\t\t\t\tjob = T_LEFT;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\twrite_text(w, p, job);\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"tablature\") == 0) {\n\t\t\tstruct tblt_s *tblt;\n\t\t\tint i, j;\n\n\t\t\ttblt = tblt_parse(p);\n\t\t\tif (tblt == 0)\n\t\t\t\treturn s;\n\n\t\t\tswitch (s->state) {\n\t\t\tcase ABC_S_TUNE:\n\t\t\tcase ABC_S_HEAD:\n\t\t\t\tfor (i = 0; i < ncmdtblt; i++) {\n\t\t\t\t\tif (cmdtblts[i].active)\n\t\t\t\t\t\tcontinue;\n\t\t\t\t\tj = cmdtblts[i].index;\n\t\t\t\t\tif (j < 0 || tblts[j] == tblt)\n\t\t\t\t\t\treturn s;\n\t\t\t\t}\n\t\t\t\t/* !! 2 tblts per voice !! 
*/\n\t\t\t\tif (curvoice->tblts[0] == tblt\n\t\t\t\t || curvoice->tblts[1] == tblt)\n\t\t\t\t\tbreak;\n\t\t\t\tif (curvoice->tblts[1]) {\n\t\t\t\t\terror(1, s,\n\t\t\t\t\t\t\"Too many tablatures for voice %s\",\n\t\t\t\t\t\tcurvoice->id);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tif (!curvoice->tblts[0])\n\t\t\t\t\tcurvoice->tblts[0] = tblt;\n\t\t\t\telse\n\t\t\t\t\tcurvoice->tblts[1] = tblt;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"transpose\") == 0) {\n\t\t\tstruct VOICE_S *p_voice;\n\t\t\tstruct SYMBOL *s2;\n\t\t\tint i, val;\n\n\t\t\tval = get_transpose(p);\n\t\t\tswitch (s->state) {\n\t\t\tcase ABC_S_GLOBAL:\n\t\t\t\tcfmt.transpose = val;\n\t\t\t\treturn s;\n\t\t\tcase ABC_S_HEAD: {\n\t\t\t\tcfmt.transpose += val;\n\t\t\t\tfor (i = MAXVOICE, p_voice = voice_tb;\n\t\t\t\t --i >= 0;\n\t\t\t\t p_voice++) {\n\t\t\t\t\tp_voice->transpose = cfmt.transpose;\n\t\t\t\t\tmemcpy(&p_voice->key, &p_voice->okey,\n\t\t\t\t\t\tsizeof p_voice->key);\n\t\t\t\t\tkey_transpose(&p_voice->key);\n\t\t\t\t\tmemcpy(&p_voice->ckey, &p_voice->key,\n\t\t\t\t\t\tsizeof p_voice->ckey);\n\t\t\t\t\tif (p_voice->key.empty)\n\t\t\t\t\t\tp_voice->key.sf = 0;\n\t\t\t\t}\n\t\t\t\treturn s;\n\t\t\t }\n\t\t\t}\n\t\t\tcurvoice->transpose = cfmt.transpose + val;\n\t\t\ts2 = curvoice->sym;\n\t\t\tif (!s2) {\n\t\t\t\tmemcpy(&curvoice->key, &curvoice->okey,\n\t\t\t\t\tsizeof curvoice->key);\n\t\t\t\tkey_transpose(&curvoice->key);\n\t\t\t\tmemcpy(&curvoice->ckey, &curvoice->key,\n\t\t\t\t\tsizeof curvoice->ckey);\n\t\t\t\tif (curvoice->key.empty)\n\t\t\t\t\tcurvoice->key.sf = 0;\n\t\t\t\treturn s;\n\t\t\t}\n\t\t\tfor (;;) {\n\t\t\t\tif (s2->type == KEYSIG)\n\t\t\t\t\tbreak;\n\t\t\t\tif (s2->time == curvoice->time) {\n\t\t\t\t\ts2 = s2->prev;\n\t\t\t\t\tif (s2)\n\t\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t\ts2 = s;\n\t\t\t\ts2->abc_type = ABC_T_INFO;\n\t\t\t\ts2->text = (char *) getarena(2);\n\t\t\t\ts2->text[0] = 'K';\n\t\t\t\ts2->text[1] = '\\0';\n\t\t\t\tsym_link(s2, 
KEYSIG);\n//\t\t\t\tif (!curvoice->ckey.empty)\n//\t\t\t\t\ts2->aux = curvoice->ckey.sf;\n\t\t\t\ts2->aux = curvoice->key.sf;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tmemcpy(&s2->u.key, &curvoice->okey,\n\t\t\t\t\t\tsizeof s2->u.key);\n\t\t\tkey_transpose(&s2->u.key);\n\t\t\tmemcpy(&curvoice->ckey, &s2->u.key,\n\t\t\t\t\t\tsizeof curvoice->ckey);\n\t\t\tif (curvoice->key.empty)\n\t\t\t\ts2->u.key.sf = 0;\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"tune\") == 0) {\n\t\t\tstruct SYMBOL *s2, *s3;\n\t\t\tstruct tune_opt_s *opt, *opt2;\n\n\t\t\tif (s->state != ABC_S_GLOBAL) {\n\t\t\t\terror(1, s, \"%%%%%s ignored\", w);\n\t\t\t\treturn s;\n\t\t\t}\n\n\t\t\t/* if void %%tune, remove all tune options */\n\t\t\tif (*p == '\\0') {\n\t\t\t\topt = tune_opts;\n\t\t\t\twhile (opt) {\n\t\t\t\t\tfree_voice_opt(opt->voice_opts);\n\t\t\t\t\topt2 = opt->next;\n\t\t\t\t\tfree(opt);\n\t\t\t\t\topt = opt2;\n\t\t\t\t}\n\t\t\t\ttune_opts = NULL;\n\t\t\t\treturn s;\n\t\t\t}\n\n\t\t\tif (strcmp(p, \"end\") == 0)\n\t\t\t\treturn s;\t/* end of previous %%tune */\n\n\t\t\t/* search the end of the tune options */\n\t\t\ts2 = s;\n\t\t\tfor (;;) {\n\t\t\t\ts3 = s2->abc_next;\n\t\t\t\tif (!s3)\n\t\t\t\t\tbreak;\n\t\t\t\tif (s3->abc_type != ABC_T_NULL\n\t\t\t\t && (s3->abc_type != ABC_T_PSCOM\n\t\t\t\t || strncmp(&s3->text[2], \"tune \", 5) == 0))\n\t\t\t\t\tbreak;\n\t\t\t\ts2 = s3;\n\t\t\t}\n\n\t\t\t/* search if already a same %%tune */\n\t\t\topt2 = NULL;\n\t\t\tfor (opt = tune_opts; opt; opt = opt->next) {\n\t\t\t\tif (strcmp(opt->s->text, s->text) == 0)\n\t\t\t\t\tbreak;\n\t\t\t\topt2 = opt;\n\t\t\t}\n\n\t\t\tif (opt) {\n\t\t\t\tfree_voice_opt(opt->voice_opts);\n\t\t\t\tif (s2 == s) {\t\t\t/* no option */\n\t\t\t\t\tif (!opt2)\n\t\t\t\t\t\ttune_opts = opt->next;\n\t\t\t\t\telse\n\t\t\t\t\t\topt2->next = opt->next;\n\t\t\t\t\tfree(opt);\n\t\t\t\t\treturn s;\n\t\t\t\t}\n\t\t\t\topt->voice_opts = NULL;\n\t\t\t} else {\n\t\t\t\tif (s2 == s)\t\t\t/* no option */\n\t\t\t\t\treturn s;\n\t\t\t\topt = 
malloc(sizeof *opt);\n\t\t\t\tmemset(opt, 0, sizeof *opt);\n\t\t\t\topt->next = tune_opts;\n\t\t\t\ttune_opts = opt;\n\t\t\t}\n\n\t\t\t/* link the options */\n\t\t\topt->s = s3 = s;\n\t\t\tcur_tune_opts = opt;\n\t\t\ts = s->abc_next;\n\t\t\tfor (;;) {\n\t\t\t\tif (s->abc_type != ABC_T_PSCOM)\n\t\t\t\t\tcontinue;\n\t\t\t\tif (strncmp(&s->text[2], \"voice \", 6) == 0) {\n\t\t\t\t\ts = process_pscomment(s);\n\t\t\t\t} else {\n\t\t\t\t\ts->state = ABC_S_HEAD;\n\n\t\t\t\t\t/* !! no reverse link !! */\n\t\t\t\t\ts3->next = s;\n\t\t\t\t\ts3 = s;\n\t\t\t\t}\n\t\t\t\tif (s == s2)\n\t\t\t\t\tbreak;\n\t\t\t\ts = s->abc_next;\n\t\t\t}\n\t\t\tcur_tune_opts = NULL;\n\t\t\treturn s;\n\t\t}\n\t\tbreak;\n\tcase 'u':\n\t\tif (strcmp(w, \"user\") == 0) {\n\t\t\tdeco[s->u.user.symbol] = parse.deco_tb[s->u.user.value - 128];\n\t\t\treturn s;\n\t\t}\n\t\tbreak;\n\tcase 'v':\n\t\tif (strcmp(w, \"vocal\") == 0) {\n\t\t\tset_voice_param(curvoice, s->state, w, p);\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"voice\") == 0) {\n\t\t\tstruct SYMBOL *s2, *s3;\n\t\t\tstruct voice_opt_s *opt, *opt2;\n\n\t\t\tif (s->state != ABC_S_GLOBAL) {\n\t\t\t\terror(1, s, \"%%%%voice ignored\");\n\t\t\t\treturn s;\n\t\t\t}\n\n\t\t\t/* if void %%voice, free all voice options */\n\t\t\tif (*p == '\\0') {\n\t\t\t\tif (cur_tune_opts) {\n\t\t\t\t\tfree_voice_opt(cur_tune_opts->voice_opts);\n\t\t\t\t\tcur_tune_opts->voice_opts = NULL;\n\t\t\t\t} else {\n\t\t\t\t\tfree_voice_opt(voice_opts);\n\t\t\t\t\tvoice_opts = NULL;\n\t\t\t\t}\n\t\t\t\treturn s;\n\t\t\t}\n\n\t\t\tif (strcmp(p, \"end\") == 0)\n\t\t\t\treturn s;\t/* end of previous %%voice */\n\n\t\t\tif (cur_tune_opts)\n\t\t\t\topt = cur_tune_opts->voice_opts;\n\t\t\telse\n\t\t\t\topt = voice_opts;\n\n\t\t\t/* search the end of the voice options */\n\t\t\ts2 = s;\n\t\t\tfor (;;) {\n\t\t\t\ts3 = s2->abc_next;\n\t\t\t\tif (!s3)\n\t\t\t\t\tbreak;\n\t\t\t\tif (s3->abc_type != ABC_T_NULL\n\t\t\t\t && (s3->abc_type != ABC_T_PSCOM\n\t\t\t\t || strncmp(&s3->text[2], 
\"score \", 6) == 0\n\t\t\t\t || strncmp(&s3->text[2], \"staves \", 7) == 0\n\t\t\t\t || strncmp(&s3->text[2], \"tune \", 5) == 0\n\t\t\t\t || strncmp(&s3->text[2], \"voice \", 6) == 0))\n\t\t\t\t\tbreak;\n\t\t\t\ts2 = s3;\n\t\t\t}\n\n\t\t\t/* if already the same %%voice\n\t\t\t * remove the options */\n\t\t\topt2 = NULL;\n\t\t\tfor ( ; opt; opt = opt->next) {\n\t\t\t\tif (strcmp(opt->s->text, s->text) == 0) {\n\t\t\t\t\tif (!opt2) {\n\t\t\t\t\t\tif (cur_tune_opts)\n\t\t\t\t\t\t\tcur_tune_opts->voice_opts = NULL;\n\t\t\t\t\t\telse\n\t\t\t\t\t\t\tvoice_opts = NULL;\n\t\t\t\t\t} else {\n\t\t\t\t\t\topt2->next = opt->next;\n\t\t\t\t\t}\n\t\t\t\t\tfree(opt);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\topt2 = opt;\n\t\t\t}\n\t\t\tif (s2 == s)\t\t/* no option */\n\t\t\t\treturn s;\n\t\t\topt = malloc(sizeof *opt + strlen(p));\n\t\t\tmemset(opt, 0, sizeof *opt);\n\t\t\tif (cur_tune_opts) {\n\t\t\t\topt->next = cur_tune_opts->voice_opts;\n\t\t\t\tcur_tune_opts->voice_opts = opt;\n\t\t\t} else {\n\t\t\t\topt->next = voice_opts;\n\t\t\t\tvoice_opts = opt;\n\t\t\t}\n\n\t\t\t/* link the options */\n\t\t\topt->s = s3 = s;\n\t\t\tfor ( ; s != s2; s = s->abc_next) {\n\t\t\t\tif (s->abc_next->abc_type != ABC_T_PSCOM)\n\t\t\t\t\tcontinue;\n\t\t\t\ts->abc_next->state = ABC_S_TUNE;\n\t\t\t\ts3->next = s->abc_next;\n\t\t\t\ts3 = s3->next;\n\t\t\t}\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"voicecolor\") == 0) {\n\t\t\tint color;\n\n\t\t\tif (!curvoice)\n\t\t\t\treturn s;\n\n\t\t\tcolor = get_color(p);\n\t\t\tif (color < 0)\n\t\t\t\terror(1, s, \"Bad color in %%%%voicecolor\");\n\t\t\telse\n\t\t\t\tcurvoice->color = color;\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"voicecombine\") == 0) {\n\t\t\tint combine;\n\n\t\t\tif (sscanf(p, \"%d\", &combine) != 1) {\n\t\t\t\terror(1, s, \"Bad value in %%%%voicecombine\");\n\t\t\t\treturn s;\n\t\t\t}\n\t\t\tswitch (s->state) {\n\t\t\tcase ABC_S_GLOBAL:\n\t\t\t\tcfmt.combinevoices = combine;\n\t\t\t\tbreak;\n\t\t\tcase ABC_S_HEAD:\n\t\t\t\tfor 
(voice = 0; voice < MAXVOICE; voice++)\n\t\t\t\t\tvoice_tb[voice].combine = combine;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tcurvoice->combine = combine;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"voicemap\") == 0) {\n\t\t\tif (s->state != ABC_S_TUNE) {\n\t\t\t\tfor (voice = 0; voice < MAXVOICE; voice++)\n\t\t\t\t\tvoice_tb[voice].map_name = p;\n\t\t\t} else {\n\t\t\t\tcurvoice->map_name = p;\n\t\t\t}\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"voicescale\") == 0) {\n\t\t\tchar *q;\n\t\t\tfloat scale;\n\n\t\t\tscale = strtod(p, &q);\n\t\t\tif (scale < 0.6 || scale > 1.5\n\t\t\t || (*q != '\\0' && *q != ' ')) {\n\t\t\t\terror(1, s, \"Bad %%%%voicescale value\");\n\t\t\t\treturn s;\n\t\t\t}\n\t\t\tif (s->state != ABC_S_TUNE) {\n\t\t\t\tfor (voice = 0; voice < MAXVOICE; voice++)\n\t\t\t\t\tvoice_tb[voice].scale = scale;\n\t\t\t} else {\n\t\t\t\tcurvoice->scale = scale;\n\t\t\t}\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"volume\") == 0) {\n\t\t\tset_voice_param(curvoice, s->state, w, p);\n\t\t\treturn s;\n\t\t}\n\t\tif (strcmp(w, \"vskip\") == 0) {\n\t\t\tif (s->state == ABC_S_TUNE) {\n\t\t\t\tgen_ly(0);\n\t\t\t} else if (s->state == ABC_S_GLOBAL) {\n\t\t\t\tif (epsf || !in_fname)\n\t\t\t\t\treturn s;\n\t\t\t}\n\t\t\tbskip(scan_u(p, 0));\n\t\t\tbuffer_eob(0);\n\t\t\treturn s;\n\t\t}\n\t\tbreak;\n\t}\n\tif (s->state == ABC_S_TUNE) {\n\t\tif (strcmp(w, \"leftmargin\") == 0\n\t\t || strcmp(w, \"rightmargin\") == 0\n\t\t || strcmp(w, \"scale\") == 0) {\n\t\t\tgenerate();\n\t\t\tblock_put();\n\t\t}\n\t}\n\tinterpret_fmt_line(w, p, lock);\n\tif (cfmt.alignbars && strcmp(w, \"alignbars\") == 0) {\n\t\tint i;\n\n\t\tgenerate();\n\t\tif ((unsigned) cfmt.alignbars > MAXSTAFF) {\n\t\t\terror(1, s, \"Too big value in %%%%alignbars\");\n\t\t\tcfmt.alignbars = MAXSTAFF;\n\t\t}\n\t\tif (staves_found >= 0)\t\t/* (compatibility) */\n\t\t\tcfmt.alignbars = nstaff + 1;\n\t\tfirst_voice = curvoice = voice_tb;\n\t\tfor (i = 0; i < cfmt.alignbars; i++) 
{\n\t\t\tvoice_tb[i].staff = voice_tb[i].cstaff = i;\n\t\t\tvoice_tb[i].next = &voice_tb[i + 1];\n\t\t\tparsys->staff[i].flags |= STOP_BAR;\n\t\t\tparsys->voice[i].staff = i;\n\t\t\tparsys->voice[i].range = i;\n\t\t}\n\t\ti--;\n\t\tvoice_tb[i].next = NULL;\n\t\tparsys->nstaff = nstaff = i;\n\t}\n\treturn s;\n}", "project": "abcm2ps", "hash": 10912611028421088100681772729815999449, "size": 985, "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3", "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,", "target": 0, "dataset": "other", "idx": 484349 }, { "func": "isdn_net_ciscohdlck_slarp_in(isdn_net_local *lp, struct sk_buff *skb)\n{\n\tunsigned char *p;\n\tint period;\n\tu32 code;\n\tu32 my_seq, addr;\n\tu32 your_seq, mask;\n\tu32 local;\n\tu16 unused;\n\n\tif (skb->len < 14)\n\t\treturn;\n\n\tp = skb->data;\n\tp += get_u32(p, &code);\n\t\n\tswitch (code) {\n\tcase CISCO_SLARP_REQUEST:\n\t\tlp->cisco_yourseq = 0;\n\t\tisdn_net_ciscohdlck_slarp_send_reply(lp);\n\t\tbreak;\n\tcase CISCO_SLARP_REPLY:\n\t\taddr = ntohl(*(u32 *)p);\n\t\tmask = ntohl(*(u32 *)(p+4));\n\t\tif (mask != 0xfffffffc)\n\t\t\tgoto slarp_reply_out;\n\t\tif ((addr & 3) == 0 || (addr & 3) == 3)\n\t\t\tgoto slarp_reply_out;\n\t\tlocal = addr ^ 3;\n\t\tprintk(KERN_INFO \"%s: got slarp reply: \"\n\t\t\t\"remote ip: %d.%d.%d.%d, \"\n\t\t\t\"local ip: %d.%d.%d.%d \"\n\t\t\t\"mask: %d.%d.%d.%d\\n\",\n\t\t lp->netdev->dev->name,\n\t\t HIPQUAD(addr),\n\t\t HIPQUAD(local),\n\t\t HIPQUAD(mask));\n\t\tbreak;\n slarp_reply_out:\n\t\t printk(KERN_INFO \"%s: got invalid slarp \"\n\t\t\t\t \"reply (%d.%d.%d.%d/%d.%d.%d.%d) \"\n\t\t\t\t \"- ignored\\n\", lp->netdev->dev->name,\n\t\t\t\t HIPQUAD(addr), HIPQUAD(mask));\n\t\tbreak;\n\tcase CISCO_SLARP_KEEPALIVE:\n\t\tperiod = (int)((jiffies - lp->cisco_last_slarp_in\n\t\t\t\t+ HZ/2 - 1) / HZ);\n\t\tif (lp->cisco_debserint &&\n\t\t\t\t(period != lp->cisco_keepalive_period) &&\n\t\t\t\tlp->cisco_last_slarp_in) {\n\t\t\tprintk(KERN_DEBUG 
\"%s: Keepalive period mismatch - \"\n\t\t\t\t\"is %d but should be %d.\\n\",\n\t\t\t\tlp->netdev->dev->name, period,\n\t\t\t\tlp->cisco_keepalive_period);\n\t\t}\n\t\tlp->cisco_last_slarp_in = jiffies;\n\t\tp += get_u32(p, &my_seq);\n\t\tp += get_u32(p, &your_seq);\n\t\tp += get_u16(p, &unused);\n\t\tlp->cisco_yourseq = my_seq;\n\t\tlp->cisco_mineseen = your_seq;\n\t\tbreak;\n\t}\n}", "target": 0, "cwe": [ "CWE-119" ], "project": "linux-2.6", "commit_id": "0f13864e5b24d9cbe18d125d41bfa4b726a82e40", "hash": 205623067823879189029699741679791489125, "size": 64, "message": "isdn: avoid copying overly-long strings\n\nAddresses http://bugzilla.kernel.org/show_bug.cgi?id=9416\n\nSigned-off-by: Karsten Keil \nSigned-off-by: Andrew Morton \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 487405 }, { "func": "isdn_ciscohdlck_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)\n{\n\tisdn_net_local *lp = (isdn_net_local *) dev->priv;\n\tunsigned long len = 0;\n\tunsigned long expires = 0;\n\tint tmp = 0;\n\tint period = lp->cisco_keepalive_period;\n\ts8 debserint = lp->cisco_debserint;\n\tint rc = 0;\n\n\tif (lp->p_encap != ISDN_NET_ENCAP_CISCOHDLCK)\n\t\treturn -EINVAL;\n\n\tswitch (cmd) {\n\t\t/* get/set keepalive period */\n\t\tcase SIOCGKEEPPERIOD:\n\t\t\tlen = (unsigned long)sizeof(lp->cisco_keepalive_period);\n\t\t\tif (copy_to_user(ifr->ifr_data,\n\t\t\t\t&lp->cisco_keepalive_period, len))\n\t\t\t\trc = -EFAULT;\n\t\t\tbreak;\n\t\tcase SIOCSKEEPPERIOD:\n\t\t\ttmp = lp->cisco_keepalive_period;\n\t\t\tlen = (unsigned long)sizeof(lp->cisco_keepalive_period);\n\t\t\tif (copy_from_user(&period, ifr->ifr_data, len))\n\t\t\t\trc = -EFAULT;\n\t\t\tif ((period > 0) && (period <= 32767))\n\t\t\t\tlp->cisco_keepalive_period = period;\n\t\t\telse\n\t\t\t\trc = -EINVAL;\n\t\t\tif (!rc && (tmp != lp->cisco_keepalive_period)) {\n\t\t\t\texpires = (unsigned long)(jiffies +\n\t\t\t\t\tlp->cisco_keepalive_period * HZ);\n\t\t\t\tmod_timer(&lp->cisco_timer, 
expires);\n\t\t\t\tprintk(KERN_INFO \"%s: Keepalive period set \"\n\t\t\t\t\t\"to %d seconds.\\n\",\n\t\t\t\t\tdev->name, lp->cisco_keepalive_period);\n\t\t\t}\n\t\t\tbreak;\n\n\t\t/* get/set debugging */\n\t\tcase SIOCGDEBSERINT:\n\t\t\tlen = (unsigned long)sizeof(lp->cisco_debserint);\n\t\t\tif (copy_to_user(ifr->ifr_data,\n\t\t\t\t&lp->cisco_debserint, len))\n\t\t\t\trc = -EFAULT;\n\t\t\tbreak;\n\t\tcase SIOCSDEBSERINT:\n\t\t\tlen = (unsigned long)sizeof(lp->cisco_debserint);\n\t\t\tif (copy_from_user(&debserint,\n\t\t\t\tifr->ifr_data, len))\n\t\t\t\trc = -EFAULT;\n\t\t\tif ((debserint >= 0) && (debserint <= 64))\n\t\t\t\tlp->cisco_debserint = debserint;\n\t\t\telse\n\t\t\t\trc = -EINVAL;\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\trc = -EINVAL;\n\t\t\tbreak;\n\t}\n\treturn (rc);\n}", "target": 0, "cwe": [ "CWE-119" ], "project": "linux-2.6", "commit_id": "0f13864e5b24d9cbe18d125d41bfa4b726a82e40", "hash": 330743078382042076676597224612168697712, "size": 64, "message": "isdn: avoid copying overly-long strings\n\nAddresses http://bugzilla.kernel.org/show_bug.cgi?id=9416\n\nSigned-off-by: Karsten Keil \nSigned-off-by: Andrew Morton \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 487408 }, { "func": "sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )\n{\n\tstruct net_local *nl = (struct net_local *) dev->priv; \n\tstruct sbni_flags flags;\n\tint error = 0;\n\n#ifdef CONFIG_SBNI_MULTILINE\n\tstruct net_device *slave_dev;\n\tchar slave_name[ 8 ];\n#endif\n \n\tswitch( cmd ) {\n\tcase SIOCDEVGETINSTATS :\n\t\tif (copy_to_user( ifr->ifr_data, &nl->in_stats,\n\t\t\t\t\tsizeof(struct sbni_in_stats) ))\n\t\t\terror = -EFAULT;\n\t\tbreak;\n\n\tcase SIOCDEVRESINSTATS :\n\t\tif (!capable(CAP_NET_ADMIN))\n\t\t\treturn -EPERM;\n\t\tmemset( &nl->in_stats, 0, sizeof(struct sbni_in_stats) );\n\t\tbreak;\n\n\tcase SIOCDEVGHWSTATE :\n\t\tflags.mac_addr\t= *(u32 *)(dev->dev_addr + 3);\n\t\tflags.rate\t= nl->csr1.rate;\n\t\tflags.slow_mode\t= (nl->state & 
FL_SLOW_MODE) != 0;\n\t\tflags.rxl\t= nl->cur_rxl_index;\n\t\tflags.fixed_rxl\t= nl->delta_rxl == 0;\n\n\t\tif (copy_to_user( ifr->ifr_data, &flags, sizeof flags ))\n\t\t\terror = -EFAULT;\n\t\tbreak;\n\n\tcase SIOCDEVSHWSTATE :\n\t\tif (!capable(CAP_NET_ADMIN))\n\t\t\treturn -EPERM;\n\n\t\tspin_lock( &nl->lock );\n\t\tflags = *(struct sbni_flags*) &ifr->ifr_ifru;\n\t\tif( flags.fixed_rxl )\n\t\t\tnl->delta_rxl = 0,\n\t\t\tnl->cur_rxl_index = flags.rxl;\n\t\telse\n\t\t\tnl->delta_rxl = DEF_RXL_DELTA,\n\t\t\tnl->cur_rxl_index = DEF_RXL;\n\n\t\tnl->csr1.rxl = rxl_tab[ nl->cur_rxl_index ];\n\t\tnl->csr1.rate = flags.rate;\n\t\toutb( *(u8 *)&nl->csr1 | PR_RES, dev->base_addr + CSR1 );\n\t\tspin_unlock( &nl->lock );\n\t\tbreak;\n\n#ifdef CONFIG_SBNI_MULTILINE\n\n\tcase SIOCDEVENSLAVE :\n\t\tif (!capable(CAP_NET_ADMIN))\n\t\t\treturn -EPERM;\n\n\t\tif (copy_from_user( slave_name, ifr->ifr_data, sizeof slave_name ))\n\t\t\treturn -EFAULT;\n\t\tslave_dev = dev_get_by_name(&init_net, slave_name );\n\t\tif( !slave_dev || !(slave_dev->flags & IFF_UP) ) {\n\t\t\tprintk( KERN_ERR \"%s: trying to enslave non-active \"\n\t\t\t\t\"device %s\\n\", dev->name, slave_name );\n\t\t\treturn -EPERM;\n\t\t}\n\n\t\treturn enslave( dev, slave_dev );\n\n\tcase SIOCDEVEMANSIPATE :\n\t\tif (!capable(CAP_NET_ADMIN))\n\t\t\treturn -EPERM;\n\n\t\treturn emancipate( dev );\n\n#endif\t/* CONFIG_SBNI_MULTILINE */\n\n\tdefault :\n\t\treturn -EOPNOTSUPP;\n\t}\n\n\treturn error;\n}", "target": 0, "cwe": [ "CWE-264" ], "project": "linux-2.6", "commit_id": "f2455eb176ac87081bbfc9a44b21c7cd2bc1967e", "hash": 232324628272873095618685062531940041066, "size": 85, "message": "wan: Missing capability checks in sbni_ioctl()\n\nThere are missing capability checks in the following code:\n\n1300 static int\n1301 sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd)\n1302 {\n[...]\n1319 case SIOCDEVRESINSTATS :\n1320 if( current->euid != 0 ) /* root only */\n1321 return -EPERM;\n[...]\n1336 case 
SIOCDEVSHWSTATE :\n1337 if( current->euid != 0 ) /* root only */\n1338 return -EPERM;\n[...]\n1357 case SIOCDEVENSLAVE :\n1358 if( current->euid != 0 ) /* root only */\n1359 return -EPERM;\n[...]\n1372 case SIOCDEVEMANSIPATE :\n1373 if( current->euid != 0 ) /* root only */\n1374 return -EPERM;\n\nHere's my proposed fix:\n\nMissing capability checks.\n\nSigned-off-by: Eugene Teo \nSigned-off-by: David S. Miller ", "dataset": "other", "idx": 488945 }, { "func": "SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,\n\t\tunsigned long, arg4, unsigned long, arg5)\n{\n\tswitch (option) {\n\tcase KEYCTL_GET_KEYRING_ID:\n\t\treturn keyctl_get_keyring_ID((key_serial_t) arg2,\n\t\t\t\t\t (int) arg3);\n\n\tcase KEYCTL_JOIN_SESSION_KEYRING:\n\t\treturn keyctl_join_session_keyring((const char __user *) arg2);\n\n\tcase KEYCTL_UPDATE:\n\t\treturn keyctl_update_key((key_serial_t) arg2,\n\t\t\t\t\t (const void __user *) arg3,\n\t\t\t\t\t (size_t) arg4);\n\n\tcase KEYCTL_REVOKE:\n\t\treturn keyctl_revoke_key((key_serial_t) arg2);\n\n\tcase KEYCTL_DESCRIBE:\n\t\treturn keyctl_describe_key((key_serial_t) arg2,\n\t\t\t\t\t (char __user *) arg3,\n\t\t\t\t\t (unsigned) arg4);\n\n\tcase KEYCTL_CLEAR:\n\t\treturn keyctl_keyring_clear((key_serial_t) arg2);\n\n\tcase KEYCTL_LINK:\n\t\treturn keyctl_keyring_link((key_serial_t) arg2,\n\t\t\t\t\t (key_serial_t) arg3);\n\n\tcase KEYCTL_UNLINK:\n\t\treturn keyctl_keyring_unlink((key_serial_t) arg2,\n\t\t\t\t\t (key_serial_t) arg3);\n\n\tcase KEYCTL_SEARCH:\n\t\treturn keyctl_keyring_search((key_serial_t) arg2,\n\t\t\t\t\t (const char __user *) arg3,\n\t\t\t\t\t (const char __user *) arg4,\n\t\t\t\t\t (key_serial_t) arg5);\n\n\tcase KEYCTL_READ:\n\t\treturn keyctl_read_key((key_serial_t) arg2,\n\t\t\t\t (char __user *) arg3,\n\t\t\t\t (size_t) arg4);\n\n\tcase KEYCTL_CHOWN:\n\t\treturn keyctl_chown_key((key_serial_t) arg2,\n\t\t\t\t\t(uid_t) arg3,\n\t\t\t\t\t(gid_t) arg4);\n\n\tcase KEYCTL_SETPERM:\n\t\treturn 
keyctl_setperm_key((key_serial_t) arg2,\n\t\t\t\t\t (key_perm_t) arg3);\n\n\tcase KEYCTL_INSTANTIATE:\n\t\treturn keyctl_instantiate_key((key_serial_t) arg2,\n\t\t\t\t\t (const void __user *) arg3,\n\t\t\t\t\t (size_t) arg4,\n\t\t\t\t\t (key_serial_t) arg5);\n\n\tcase KEYCTL_NEGATE:\n\t\treturn keyctl_negate_key((key_serial_t) arg2,\n\t\t\t\t\t (unsigned) arg3,\n\t\t\t\t\t (key_serial_t) arg4);\n\n\tcase KEYCTL_SET_REQKEY_KEYRING:\n\t\treturn keyctl_set_reqkey_keyring(arg2);\n\n\tcase KEYCTL_SET_TIMEOUT:\n\t\treturn keyctl_set_timeout((key_serial_t) arg2,\n\t\t\t\t\t (unsigned) arg3);\n\n\tcase KEYCTL_ASSUME_AUTHORITY:\n\t\treturn keyctl_assume_authority((key_serial_t) arg2);\n\n\tcase KEYCTL_GET_SECURITY:\n\t\treturn keyctl_get_security((key_serial_t) arg2,\n\t\t\t\t\t (char __user *) arg3,\n\t\t\t\t\t (size_t) arg4);\n\n\tcase KEYCTL_SESSION_TO_PARENT:\n\t\treturn keyctl_session_to_parent();\n\n\tdefault:\n\t\treturn -EOPNOTSUPP;\n\t}\n\n} /* end sys_keyctl() */", "target": 0, "cwe": [ "CWE-476" ], "project": "linux-2.6", "commit_id": "9d1ac65a9698513d00e5608d93fca0c53f536c14", "hash": 277667312556509208264971921406638233364, "size": 89, "message": "KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()\n\nThere's an protected access to the parent process's credentials in the middle\nof keyctl_session_to_parent(). This results in the following RCU warning:\n\n ===================================================\n [ INFO: suspicious rcu_dereference_check() usage. 
]\n ---------------------------------------------------\n security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!\n\n other info that might help us debug this:\n\n rcu_scheduler_active = 1, debug_locks = 0\n 1 lock held by keyctl-session-/2137:\n #0: (tasklist_lock){.+.+..}, at: [] keyctl_session_to_parent+0x60/0x236\n\n stack backtrace:\n Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1\n Call Trace:\n [] lockdep_rcu_dereference+0xaa/0xb3\n [] keyctl_session_to_parent+0xed/0x236\n [] sys_keyctl+0xb4/0xb6\n [] system_call_fastpath+0x16/0x1b\n\nThe code should take the RCU read lock to make sure the parents credentials\ndon't go away, even though it's holding a spinlock and has IRQ disabled.\n\nSigned-off-by: David Howells \nSigned-off-by: Linus Torvalds ", "dataset": "other", "idx": 492798 }, { "func": "context_length_arg (char const *str, intmax_t *out)\n{\n switch (xstrtoimax (str, 0, 10, out, \"\"))\n {\n case LONGINT_OK:\n case LONGINT_OVERFLOW:\n if (0 <= *out)\n break;\n /* Fall through. 
*/\n default:\n error (EXIT_TROUBLE, 0, \"%s: %s\", str,\n _(\"invalid context length argument\"));\n }\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "grep", "commit_id": "8fcf61523644df42e1905c81bed26838e0b04f91", "hash": 207577513737770924560756869139121793235, "size": 14, "message": "grep: fix integer-overflow issues in main program\n\n* NEWS: Document this.\n* bootstrap.conf (gnulib_modules): Add inttypes, xstrtoimax.\nRemove xstrtoumax.\n* src/main.c: Include , for INTMAX_MAX, PRIdMAX.\n(context_length_arg, prtext, grepbuf, grep, grepfile)\n(get_nondigit_option, main):\nUse intmax_t, not int, for line counts.\n(context_length_arg, main): Silently ceiling line counts\nto maximum value, since there's no practical difference between\ndoing that and using infinite-precision arithmetic.\n(out_before, out_after, pending): Now intmax_t, not int.\n(max_count, outleft): Now intmax_t, not off_t.\n(prepend_args, prepend_default_options, main):\nUse size_t, not int, for sizes.\n(prepend_default_options): Check for int and size_t overflow.", "dataset": "other", "idx": 496468 }, { "func": "main (int argc, char **argv)\n{\n char *keys;\n size_t keycc, oldcc, keyalloc;\n int with_filenames;\n size_t cc;\n int opt, status, prepended;\n int prev_optind, last_recursive;\n intmax_t default_context;\n FILE *fp;\n exit_failure = EXIT_TROUBLE;\n initialize_main (&argc, &argv);\n set_program_name (argv[0]);\n program_name = argv[0];\n\n keys = NULL;\n keycc = 0;\n with_filenames = 0;\n eolbyte = '\\n';\n filename_mask = ~0;\n\n max_count = INTMAX_MAX;\n\n /* The value -1 means to use DEFAULT_CONTEXT. */\n out_after = out_before = -1;\n /* Default before/after context: chaged by -C/-NUM options */\n default_context = 0;\n /* Changed by -o option */\n only_matching = 0;\n\n /* Internationalization. 
*/\n#if defined HAVE_SETLOCALE\n setlocale (LC_ALL, \"\");\n#endif\n#if defined ENABLE_NLS\n bindtextdomain (PACKAGE, LOCALEDIR);\n textdomain (PACKAGE);\n#endif\n\n exit_failure = EXIT_TROUBLE;\n atexit (clean_up_stdout);\n\n last_recursive = 0;\n prepended = prepend_default_options (getenv (\"GREP_OPTIONS\"), &argc, &argv);\n setmatcher (NULL);\n\n while (prev_optind = optind,\n (opt = get_nondigit_option (argc, argv, &default_context)) != -1)\n switch (opt)\n {\n case 'A':\n context_length_arg (optarg, &out_after);\n break;\n\n case 'B':\n context_length_arg (optarg, &out_before);\n break;\n\n case 'C':\n /* Set output match context, but let any explicit leading or\n trailing amount specified with -A or -B stand. */\n context_length_arg (optarg, &default_context);\n break;\n\n case 'D':\n if (STREQ (optarg, \"read\"))\n devices = READ_DEVICES;\n else if (STREQ (optarg, \"skip\"))\n devices = SKIP_DEVICES;\n else\n error (EXIT_TROUBLE, 0, _(\"unknown devices method\"));\n break;\n\n case 'E':\n setmatcher (\"egrep\");\n break;\n\n case 'F':\n setmatcher (\"fgrep\");\n break;\n\n case 'P':\n setmatcher (\"perl\");\n break;\n\n case 'G':\n setmatcher (\"grep\");\n break;\n\n case 'X': /* undocumented on purpose */\n setmatcher (optarg);\n break;\n\n case 'H':\n with_filenames = 1;\n no_filenames = 0;\n break;\n\n case 'I':\n binary_files = WITHOUT_MATCH_BINARY_FILES;\n break;\n\n case 'T':\n align_tabs = 1;\n break;\n\n case 'U':\n#if defined HAVE_DOS_FILE_CONTENTS\n dos_use_file_type = DOS_BINARY;\n#endif\n break;\n\n case 'u':\n#if defined HAVE_DOS_FILE_CONTENTS\n dos_report_unix_offset = 1;\n#endif\n break;\n\n case 'V':\n show_version = 1;\n break;\n\n case 'a':\n binary_files = TEXT_BINARY_FILES;\n break;\n\n case 'b':\n out_byte = 1;\n break;\n\n case 'c':\n count_matches = 1;\n break;\n\n case 'd':\n directories = XARGMATCH (\"--directories\", optarg,\n directories_args, directories_types);\n if (directories == RECURSE_DIRECTORIES)\n last_recursive = 
prev_optind;\n break;\n\n case 'e':\n cc = strlen (optarg);\n keys = xrealloc (keys, keycc + cc + 1);\n strcpy (&keys[keycc], optarg);\n keycc += cc;\n keys[keycc++] = '\\n';\n break;\n\n case 'f':\n fp = STREQ (optarg, \"-\") ? stdin : fopen (optarg, \"r\");\n if (!fp)\n error (EXIT_TROUBLE, errno, \"%s\", optarg);\n for (keyalloc = 1; keyalloc <= keycc + 1; keyalloc *= 2)\n ;\n keys = xrealloc (keys, keyalloc);\n oldcc = keycc;\n while (!feof (fp)\n && (cc = fread (keys + keycc, 1, keyalloc - 1 - keycc, fp)) > 0)\n {\n keycc += cc;\n if (keycc == keyalloc - 1)\n keys = x2nrealloc (keys, &keyalloc, sizeof *keys);\n }\n if (fp != stdin)\n fclose (fp);\n /* Append final newline if file ended in non-newline. */\n if (oldcc != keycc && keys[keycc - 1] != '\\n')\n keys[keycc++] = '\\n';\n break;\n\n case 'h':\n with_filenames = 0;\n no_filenames = 1;\n break;\n\n case 'i':\n case 'y':\t\t\t/* For old-timers . . . */\n match_icase = 1;\n break;\n\n case 'L':\n /* Like -l, except list files that don't contain matches.\n Inspired by the same option in Hume's gre. 
*/\n list_files = -1;\n break;\n\n case 'l':\n list_files = 1;\n break;\n\n case 'm':\n switch (xstrtoimax (optarg, 0, 10, &max_count, \"\"))\n {\n case LONGINT_OK:\n case LONGINT_OVERFLOW:\n break;\n\n default:\n error (EXIT_TROUBLE, 0, _(\"invalid max count\"));\n }\n break;\n\n case 'n':\n out_line = 1;\n break;\n\n case 'o':\n only_matching = 1;\n break;\n\n case 'q':\n exit_on_match = 1;\n exit_failure = 0;\n break;\n\n case 'R':\n case 'r':\n directories = RECURSE_DIRECTORIES;\n last_recursive = prev_optind;\n break;\n\n case 's':\n suppress_errors = 1;\n break;\n\n case 'v':\n out_invert = 1;\n break;\n\n case 'w':\n match_words = 1;\n break;\n\n case 'x':\n match_lines = 1;\n break;\n\n case 'Z':\n filename_mask = 0;\n break;\n\n case 'z':\n eolbyte = '\\0';\n break;\n\n case BINARY_FILES_OPTION:\n if (STREQ (optarg, \"binary\"))\n binary_files = BINARY_BINARY_FILES;\n else if (STREQ (optarg, \"text\"))\n binary_files = TEXT_BINARY_FILES;\n else if (STREQ (optarg, \"without-match\"))\n binary_files = WITHOUT_MATCH_BINARY_FILES;\n else\n error (EXIT_TROUBLE, 0, _(\"unknown binary-files type\"));\n break;\n\n case COLOR_OPTION:\n if (optarg)\n {\n if (!strcasecmp (optarg, \"always\") || !strcasecmp (optarg, \"yes\")\n || !strcasecmp (optarg, \"force\"))\n color_option = 1;\n else if (!strcasecmp (optarg, \"never\") || !strcasecmp (optarg, \"no\")\n || !strcasecmp (optarg, \"none\"))\n color_option = 0;\n else if (!strcasecmp (optarg, \"auto\") || !strcasecmp (optarg, \"tty\")\n || !strcasecmp (optarg, \"if-tty\"))\n color_option = 2;\n else\n show_help = 1;\n }\n else\n color_option = 2;\n break;\n\n case EXCLUDE_OPTION:\n if (!excluded_patterns)\n excluded_patterns = new_exclude ();\n add_exclude (excluded_patterns, optarg, EXCLUDE_WILDCARDS);\n break;\n case EXCLUDE_FROM_OPTION:\n if (!excluded_patterns)\n excluded_patterns = new_exclude ();\n if (add_exclude_file (add_exclude, excluded_patterns, optarg,\n EXCLUDE_WILDCARDS, '\\n') != 0)\n {\n error 
(EXIT_TROUBLE, errno, \"%s\", optarg);\n }\n break;\n\n case EXCLUDE_DIRECTORY_OPTION:\n if (!excluded_directory_patterns)\n excluded_directory_patterns = new_exclude ();\n add_exclude (excluded_directory_patterns, optarg, EXCLUDE_WILDCARDS);\n break;\n\n case INCLUDE_OPTION:\n if (!included_patterns)\n included_patterns = new_exclude ();\n add_exclude (included_patterns, optarg,\n EXCLUDE_WILDCARDS | EXCLUDE_INCLUDE);\n break;\n\n case GROUP_SEPARATOR_OPTION:\n group_separator = optarg;\n break;\n\n case LINE_BUFFERED_OPTION:\n line_buffered = 1;\n break;\n\n case LABEL_OPTION:\n label = optarg;\n break;\n\n case MMAP_OPTION:\n error (0, 0, _(\"the --mmap option has been a no-op since 2010\"));\n break;\n\n case 0:\n /* long options */\n break;\n\n default:\n usage (EXIT_TROUBLE);\n break;\n\n }\n\n if (color_option == 2)\n color_option = isatty (STDOUT_FILENO) && should_colorize ();\n init_colorize ();\n\n /* POSIX.2 says that -q overrides -l, which in turn overrides the\n other output options. */\n if (exit_on_match)\n list_files = 0;\n if (exit_on_match | list_files)\n {\n count_matches = 0;\n done_on_match = 1;\n }\n out_quiet = count_matches | done_on_match;\n\n if (out_after < 0)\n out_after = default_context;\n if (out_before < 0)\n out_before = default_context;\n\n if (color_option)\n {\n /* Legacy. */\n char *userval = getenv (\"GREP_COLOR\");\n if (userval != NULL && *userval != '\\0')\n selected_match_color = context_match_color = userval;\n\n /* New GREP_COLORS has priority. */\n parse_grep_colors ();\n }\n\n if (show_version)\n {\n version_etc (stdout, program_name, PACKAGE_NAME, VERSION, AUTHORS,\n (char *) NULL);\n exit (EXIT_SUCCESS);\n }\n\n if (show_help)\n usage (EXIT_SUCCESS);\n\n struct stat tmp_stat;\n if (fstat (STDOUT_FILENO, &tmp_stat) == 0 && S_ISREG (tmp_stat.st_mode))\n out_stat = tmp_stat;\n\n if (keys)\n {\n if (keycc == 0)\n {\n /* No keys were specified (e.g. -f /dev/null). Match nothing. 
*/\n out_invert ^= 1;\n match_lines = match_words = 0;\n }\n else\n /* Strip trailing newline. */\n --keycc;\n }\n else if (optind < argc)\n {\n /* A copy must be made in case of an xrealloc() or free() later. */\n keycc = strlen (argv[optind]);\n keys = xmalloc (keycc + 1);\n strcpy (keys, argv[optind++]);\n }\n else\n usage (EXIT_TROUBLE);\n\n compile (keys, keycc);\n free (keys);\n\n if ((argc - optind > 1 && !no_filenames) || with_filenames)\n out_file = 1;\n\n#ifdef SET_BINARY\n /* Output is set to binary mode because we shouldn't convert\n NL to CR-LF pairs, especially when grepping binary files. */\n if (!isatty (1))\n SET_BINARY (1);\n#endif\n\n if (max_count == 0)\n exit (EXIT_FAILURE);\n\n if (optind < argc)\n {\n status = 1;\n do\n {\n char *file = argv[optind];\n if (!STREQ (file, \"-\")\n && (included_patterns || excluded_patterns\n || excluded_directory_patterns))\n {\n if (isdir (file))\n {\n if (excluded_directory_patterns\n && excluded_file_name (excluded_directory_patterns,\n file))\n continue;\n }\n else\n {\n if (included_patterns\n && excluded_file_name (included_patterns, file))\n continue;\n if (excluded_patterns\n && excluded_file_name (excluded_patterns, file))\n continue;\n }\n }\n status &= grepfile (STREQ (file, \"-\") ? (char *) NULL : file,\n &stats_base);\n }\n while (++optind < argc);\n }\n else if (directories == RECURSE_DIRECTORIES && prepended < last_recursive)\n {\n status = 1;\n if (stat (\".\", &stats_base.stat) == 0)\n status = grepdir (NULL, &stats_base);\n else\n suppressible_error (\".\", errno);\n }\n else\n status = grepfile ((char *) NULL, &stats_base);\n\n /* We register via atexit() to test stdout. */\n exit (errseen ? 
EXIT_TROUBLE : status);\n}", "target": 0, "cwe": [ "CWE-189" ], "project": "grep", "commit_id": "8fcf61523644df42e1905c81bed26838e0b04f91", "hash": 123783434567238592980016788607610822812, "size": 459, "message": "grep: fix integer-overflow issues in main program\n\n* NEWS: Document this.\n* bootstrap.conf (gnulib_modules): Add inttypes, xstrtoimax.\nRemove xstrtoumax.\n* src/main.c: Include , for INTMAX_MAX, PRIdMAX.\n(context_length_arg, prtext, grepbuf, grep, grepfile)\n(get_nondigit_option, main):\nUse intmax_t, not int, for line counts.\n(context_length_arg, main): Silently ceiling line counts\nto maximum value, since there's no practical difference between\ndoing that and using infinite-precision arithmetic.\n(out_before, out_after, pending): Now intmax_t, not int.\n(max_count, outleft): Now intmax_t, not off_t.\n(prepend_args, prepend_default_options, main):\nUse size_t, not int, for sizes.\n(prepend_default_options): Check for int and size_t overflow.", "dataset": "other", "idx": 496477 }, { "func": "get_event_stage (ClutterEventTranslator *translator,\n XIEvent *xi_event)\n{\n Window xwindow = None;\n\n switch (xi_event->evtype)\n {\n case XI_KeyPress:\n case XI_KeyRelease:\n case XI_ButtonPress:\n case XI_ButtonRelease:\n case XI_Motion:\n#ifdef HAVE_XINPUT_2_2\n case XI_TouchBegin:\n case XI_TouchUpdate:\n case XI_TouchEnd:\n#endif /* HAVE_XINPUT_2_2 */\n {\n XIDeviceEvent *xev = (XIDeviceEvent *) xi_event;\n\n xwindow = xev->event;\n }\n break;\n\n case XI_Enter:\n case XI_Leave:\n case XI_FocusIn:\n case XI_FocusOut:\n {\n XIEnterEvent *xev = (XIEnterEvent *) xi_event;\n\n xwindow = xev->event;\n }\n break;\n\n default:\n break;\n }\n\n if (xwindow == None)\n return NULL;\n\n return clutter_x11_get_stage_from_window (xwindow);\n}", "target": 0, "cwe": [ "CWE-264" ], "project": "clutter", "commit_id": "e310c68d7b38d521e341f4e8a36f54303079d74e", "hash": 196225477572593737658907036525241729066, "size": 44, "message": "x11: trap errors when calling 
XIQueryDevice\n\nDevices can disappear at any time, causing XIQueryDevice\nto throw an error. At the same time, plug a memory leak.\n\nhttps://bugzilla.gnome.org/show_bug.cgi?id=701974", "dataset": "other", "idx": 497475 }, { "func": "clutter_device_manager_xi2_get_core_device (ClutterDeviceManager *manager,\n ClutterInputDeviceType device_type)\n{\n ClutterDeviceManagerXI2 *manager_xi2 = CLUTTER_DEVICE_MANAGER_XI2 (manager);\n ClutterBackendX11 *backend_x11;\n ClutterInputDevice *device;\n int device_id;\n\n backend_x11 =\n CLUTTER_BACKEND_X11 (_clutter_device_manager_get_backend (manager));\n\n XIGetClientPointer (backend_x11->xdpy, None, &device_id);\n\n device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (device_id));\n\n switch (device_type)\n {\n case CLUTTER_POINTER_DEVICE:\n return device;\n\n case CLUTTER_KEYBOARD_DEVICE:\n return clutter_input_device_get_associated_device (device);\n\n default:\n break;\n }\n\n return NULL;\n}", "target": 0, "cwe": [ "CWE-264" ], "project": "clutter", "commit_id": "e310c68d7b38d521e341f4e8a36f54303079d74e", "hash": 17988060839565654710887493528673888598, "size": 30, "message": "x11: trap errors when calling XIQueryDevice\n\nDevices can disappear at any time, causing XIQueryDevice\nto throw an error. 
At the same time, plug a memory leak.\n\nhttps://bugzilla.gnome.org/show_bug.cgi?id=701974", "dataset": "other", "idx": 497481 }, { "func": "create_device (ClutterDeviceManagerXI2 *manager_xi2,\n ClutterBackendX11 *backend_x11,\n XIDeviceInfo *info)\n{\n ClutterInputDeviceType source, touch_source;\n ClutterInputDevice *retval;\n ClutterInputMode mode;\n gboolean is_enabled;\n guint num_touches = 0;\n\n if (info->use == XIMasterKeyboard || info->use == XISlaveKeyboard)\n source = CLUTTER_KEYBOARD_DEVICE;\n else if (info->use == XISlavePointer &&\n is_touch_device (info->classes, info->num_classes,\n &touch_source,\n &num_touches))\n {\n source = touch_source;\n }\n else\n {\n gchar *name;\n\n name = g_ascii_strdown (info->name, -1);\n\n if (strstr (name, \"eraser\") != NULL)\n source = CLUTTER_ERASER_DEVICE;\n else if (strstr (name, \"cursor\") != NULL)\n source = CLUTTER_CURSOR_DEVICE;\n else if (strstr (name, \"wacom\") != NULL || strstr (name, \"pen\") != NULL)\n source = CLUTTER_PEN_DEVICE;\n else\n source = CLUTTER_POINTER_DEVICE;\n\n g_free (name);\n }\n\n switch (info->use)\n {\n case XIMasterKeyboard:\n case XIMasterPointer:\n mode = CLUTTER_INPUT_MODE_MASTER;\n is_enabled = TRUE;\n break;\n\n case XISlaveKeyboard:\n case XISlavePointer:\n mode = CLUTTER_INPUT_MODE_SLAVE;\n is_enabled = FALSE;\n break;\n\n case XIFloatingSlave:\n default:\n mode = CLUTTER_INPUT_MODE_FLOATING;\n is_enabled = FALSE;\n break;\n }\n\n retval = g_object_new (CLUTTER_TYPE_INPUT_DEVICE_XI2,\n \"name\", info->name,\n \"id\", info->deviceid,\n \"has-cursor\", (info->use == XIMasterPointer),\n \"device-manager\", manager_xi2,\n \"device-type\", source,\n \"device-mode\", mode,\n \"backend\", backend_x11,\n \"enabled\", is_enabled,\n NULL);\n\n translate_device_classes (backend_x11->xdpy, retval,\n info->classes,\n info->num_classes);\n\n CLUTTER_NOTE (BACKEND, \"Created device '%s' (id: %d, has-cursor: %s)\",\n info->name,\n info->deviceid,\n info->use == XIMasterPointer ? 
\"yes\" : \"no\");\n\n return retval;\n}", "target": 0, "cwe": [ "CWE-264" ], "project": "clutter", "commit_id": "e310c68d7b38d521e341f4e8a36f54303079d74e", "hash": 106965987655231464409661636185297401618, "size": 80, "message": "x11: trap errors when calling XIQueryDevice\n\nDevices can disappear at any time, causing XIQueryDevice\nto throw an error. At the same time, plug a memory leak.\n\nhttps://bugzilla.gnome.org/show_bug.cgi?id=701974", "dataset": "other", "idx": 497489 }, { "func": "clutter_device_manager_xi2_set_property (GObject *gobject,\n guint prop_id,\n const GValue *value,\n GParamSpec *pspec)\n{\n ClutterDeviceManagerXI2 *manager_xi2 = CLUTTER_DEVICE_MANAGER_XI2 (gobject);\n\n switch (prop_id)\n {\n case PROP_OPCODE:\n manager_xi2->opcode = g_value_get_int (value);\n break;\n\n default:\n G_OBJECT_WARN_INVALID_PROPERTY_ID (gobject, prop_id, pspec);\n break;\n }\n}", "target": 0, "cwe": [ "CWE-264" ], "project": "clutter", "commit_id": "e310c68d7b38d521e341f4e8a36f54303079d74e", "hash": 60345327082249084314023125815731337925, "size": 18, "message": "x11: trap errors when calling XIQueryDevice\n\nDevices can disappear at any time, causing XIQueryDevice\nto throw an error. 
At the same time, plug a memory leak.\n\nhttps://bugzilla.gnome.org/show_bug.cgi?id=701974", "dataset": "other", "idx": 497490 }, { "func": "clutter_device_manager_xi2_translate_event (ClutterEventTranslator *translator,\n gpointer native,\n ClutterEvent *event)\n{\n ClutterDeviceManagerXI2 *manager_xi2 = CLUTTER_DEVICE_MANAGER_XI2 (translator);\n ClutterTranslateReturn retval = CLUTTER_TRANSLATE_CONTINUE;\n ClutterBackendX11 *backend_x11;\n ClutterStageX11 *stage_x11 = NULL;\n ClutterStage *stage = NULL;\n ClutterInputDevice *device, *source_device;\n XGenericEventCookie *cookie;\n XIEvent *xi_event;\n XEvent *xevent;\n\n backend_x11 = CLUTTER_BACKEND_X11 (clutter_get_default_backend ());\n\n xevent = native;\n\n cookie = &xevent->xcookie;\n\n if (cookie->type != GenericEvent ||\n cookie->extension != manager_xi2->opcode)\n return CLUTTER_TRANSLATE_CONTINUE;\n\n xi_event = (XIEvent *) cookie->data;\n\n if (!xi_event)\n return CLUTTER_TRANSLATE_REMOVE;\n\n if (!(xi_event->evtype == XI_HierarchyChanged ||\n xi_event->evtype == XI_DeviceChanged))\n {\n stage = get_event_stage (translator, xi_event);\n if (stage == NULL || CLUTTER_ACTOR_IN_DESTRUCTION (stage))\n return CLUTTER_TRANSLATE_CONTINUE;\n else\n stage_x11 = CLUTTER_STAGE_X11 (_clutter_stage_get_window (stage));\n }\n\n event->any.stage = stage;\n\n switch (xi_event->evtype)\n {\n case XI_HierarchyChanged:\n {\n XIHierarchyEvent *xev = (XIHierarchyEvent *) xi_event;\n\n translate_hierarchy_event (backend_x11, manager_xi2, xev);\n }\n retval = CLUTTER_TRANSLATE_REMOVE;\n break;\n\n case XI_DeviceChanged:\n {\n XIDeviceChangedEvent *xev = (XIDeviceChangedEvent *) xi_event;\n\n device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (xev->deviceid));\n source_device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (xev->sourceid));\n if (device)\n {\n _clutter_input_device_reset_axes (device);\n translate_device_classes (backend_x11->xdpy,\n device,\n xev->classes,\n 
xev->num_classes);\n }\n\n if (source_device)\n _clutter_input_device_reset_scroll_info (source_device);\n }\n retval = CLUTTER_TRANSLATE_REMOVE;\n break;\n\n case XI_KeyPress:\n case XI_KeyRelease:\n {\n XIDeviceEvent *xev = (XIDeviceEvent *) xi_event;\n ClutterEventX11 *event_x11;\n char buffer[7] = { 0, };\n gunichar n;\n\n event->key.type = event->type = (xev->evtype == XI_KeyPress)\n ? CLUTTER_KEY_PRESS\n : CLUTTER_KEY_RELEASE;\n\n event->key.time = xev->time;\n event->key.stage = stage;\n event->key.modifier_state =\n _clutter_input_device_xi2_translate_state (&xev->mods, &xev->buttons, &xev->group);\n event->key.hardware_keycode = xev->detail;\n\n /* keyval is the key ignoring all modifiers ('1' vs. '!') */\n event->key.keyval =\n _clutter_keymap_x11_translate_key_state (backend_x11->keymap,\n event->key.hardware_keycode,\n &event->key.modifier_state,\n NULL);\n\n /* KeyEvents have platform specific data associated to them */\n event_x11 = _clutter_event_x11_new ();\n _clutter_event_set_platform_data (event, event_x11);\n\n event_x11->key_group =\n _clutter_keymap_x11_get_key_group (backend_x11->keymap,\n event->key.modifier_state);\n event_x11->key_is_modifier =\n _clutter_keymap_x11_get_is_modifier (backend_x11->keymap,\n event->key.hardware_keycode);\n event_x11->num_lock_set =\n _clutter_keymap_x11_get_num_lock_state (backend_x11->keymap);\n event_x11->caps_lock_set =\n _clutter_keymap_x11_get_caps_lock_state (backend_x11->keymap);\n\n source_device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (xev->sourceid));\n clutter_event_set_source_device (event, source_device);\n\n device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (xev->deviceid));\n clutter_event_set_device (event, device);\n\n /* XXX keep this in sync with the evdev device manager */\n n = print_keysym (event->key.keyval, buffer, sizeof (buffer));\n if (n == 0)\n {\n /* not printable */\n event->key.unicode_value = (gunichar) '\\0';\n }\n else\n 
{\n event->key.unicode_value = g_utf8_get_char_validated (buffer, n);\n if (event->key.unicode_value == -1 ||\n event->key.unicode_value == -2)\n event->key.unicode_value = (gunichar) '\\0';\n }\n\n CLUTTER_NOTE (EVENT,\n \"%s: win:0x%x device:%d source:%d, key: %12s (%d)\",\n event->any.type == CLUTTER_KEY_PRESS\n ? \"key press \"\n : \"key release\",\n (unsigned int) stage_x11->xwin,\n xev->deviceid,\n xev->sourceid,\n event->key.keyval ? buffer : \"(none)\",\n event->key.keyval);\n\n if (xi_event->evtype == XI_KeyPress)\n _clutter_stage_x11_set_user_time (stage_x11, event->key.time);\n\n retval = CLUTTER_TRANSLATE_QUEUE;\n }\n break;\n\n case XI_ButtonPress:\n case XI_ButtonRelease:\n {\n XIDeviceEvent *xev = (XIDeviceEvent *) xi_event;\n\n source_device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (xev->sourceid));\n device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (xev->deviceid));\n\n /* Set the stage for core events coming out of nowhere (see bug #684509) */\n if (clutter_input_device_get_device_mode (device) == CLUTTER_INPUT_MODE_MASTER &&\n clutter_input_device_get_pointer_stage (device) == NULL &&\n stage != NULL)\n _clutter_input_device_set_stage (device, stage);\n\n switch (xev->detail)\n {\n case 4:\n case 5:\n case 6:\n case 7:\n /* we only generate Scroll events on ButtonPress */\n if (xi_event->evtype == XI_ButtonRelease)\n return CLUTTER_TRANSLATE_REMOVE;\n\n event->scroll.type = event->type = CLUTTER_SCROLL;\n\n if (xev->detail == 4)\n event->scroll.direction = CLUTTER_SCROLL_UP;\n else if (xev->detail == 5)\n event->scroll.direction = CLUTTER_SCROLL_DOWN;\n else if (xev->detail == 6)\n event->scroll.direction = CLUTTER_SCROLL_LEFT;\n else\n event->scroll.direction = CLUTTER_SCROLL_RIGHT;\n\n event->scroll.stage = stage;\n\n event->scroll.time = xev->time;\n event->scroll.x = xev->event_x;\n event->scroll.y = xev->event_y;\n event->scroll.modifier_state =\n 
_clutter_input_device_xi2_translate_state (&xev->mods,\n &xev->buttons,\n &xev->group);\n\n clutter_event_set_source_device (event, source_device);\n clutter_event_set_device (event, device);\n\n event->scroll.axes = translate_axes (event->scroll.device,\n event->scroll.x,\n event->scroll.y,\n stage_x11,\n &xev->valuators);\n\n CLUTTER_NOTE (EVENT,\n \"scroll: win:0x%x, device:%d '%s', time:%d \"\n \"(direction:%s, \"\n \"x:%.2f, y:%.2f, \"\n \"emulated:%s)\",\n (unsigned int) stage_x11->xwin,\n device->id,\n device->device_name,\n event->any.time,\n event->scroll.direction == CLUTTER_SCROLL_UP ? \"up\" :\n event->scroll.direction == CLUTTER_SCROLL_DOWN ? \"down\" :\n event->scroll.direction == CLUTTER_SCROLL_LEFT ? \"left\" :\n event->scroll.direction == CLUTTER_SCROLL_RIGHT ? \"right\" :\n \"invalid\",\n event->scroll.x,\n event->scroll.y,\n#ifdef HAVE_XINPUT_2_2\n (xev->flags & XIPointerEmulated) ? \"yes\" : \"no\"\n#else\n \"no\"\n#endif\n );\n break;\n\n default:\n event->button.type = event->type =\n (xi_event->evtype == XI_ButtonPress) ? CLUTTER_BUTTON_PRESS\n : CLUTTER_BUTTON_RELEASE;\n\n event->button.stage = stage;\n\n event->button.time = xev->time;\n event->button.x = xev->event_x;\n event->button.y = xev->event_y;\n event->button.button = xev->detail;\n event->button.modifier_state =\n _clutter_input_device_xi2_translate_state (&xev->mods,\n &xev->buttons,\n &xev->group);\n\n clutter_event_set_source_device (event, source_device);\n clutter_event_set_device (event, device);\n\n event->button.axes = translate_axes (event->button.device,\n event->button.x,\n event->button.y,\n stage_x11,\n &xev->valuators);\n\n CLUTTER_NOTE (EVENT,\n \"%s: win:0x%x, device:%d '%s', time:%d \"\n \"(button:%d, \"\n \"x:%.2f, y:%.2f, \"\n \"axes:%s, \"\n \"emulated:%s)\",\n event->any.type == CLUTTER_BUTTON_PRESS\n ? 
\"button press \"\n : \"button release\",\n (unsigned int) stage_x11->xwin,\n device->id,\n device->device_name,\n event->any.time,\n event->button.button,\n event->button.x,\n event->button.y,\n event->button.axes != NULL ? \"yes\" : \"no\",\n#ifdef HAVE_XINPUT_2_2\n (xev->flags & XIPointerEmulated) ? \"yes\" : \"no\"\n#else\n \"no\"\n#endif\n );\n break;\n }\n\n if (source_device != NULL && device->stage != NULL)\n _clutter_input_device_set_stage (source_device, device->stage);\n\n#ifdef HAVE_XINPUT_2_2\n if (xev->flags & XIPointerEmulated)\n _clutter_event_set_pointer_emulated (event, TRUE);\n#endif /* HAVE_XINPUT_2_2 */\n\n if (xi_event->evtype == XI_ButtonPress)\n _clutter_stage_x11_set_user_time (stage_x11, event->button.time);\n\n retval = CLUTTER_TRANSLATE_QUEUE;\n }\n break;\n\n case XI_Motion:\n {\n XIDeviceEvent *xev = (XIDeviceEvent *) xi_event;\n gdouble delta_x, delta_y;\n\n source_device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (xev->sourceid));\n device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (xev->deviceid));\n\n /* Set the stage for core events coming out of nowhere (see bug #684509) */\n if (clutter_input_device_get_device_mode (device) == CLUTTER_INPUT_MODE_MASTER &&\n clutter_input_device_get_pointer_stage (device) == NULL &&\n stage != NULL)\n _clutter_input_device_set_stage (device, stage);\n\n if (scroll_valuators_changed (source_device,\n &xev->valuators,\n &delta_x, &delta_y))\n {\n event->scroll.type = event->type = CLUTTER_SCROLL;\n event->scroll.direction = CLUTTER_SCROLL_SMOOTH;\n\n event->scroll.stage = stage;\n event->scroll.time = xev->time;\n event->scroll.x = xev->event_x;\n event->scroll.y = xev->event_y;\n event->scroll.modifier_state =\n _clutter_input_device_xi2_translate_state (&xev->mods,\n &xev->buttons,\n &xev->group);\n\n clutter_event_set_scroll_delta (event, delta_x, delta_y);\n clutter_event_set_source_device (event, source_device);\n clutter_event_set_device 
(event, device);\n\n CLUTTER_NOTE (EVENT,\n \"smooth scroll: win:0x%x device:%d '%s' (x:%.2f, y:%.2f, delta:%f, %f)\",\n (unsigned int) stage_x11->xwin,\n event->scroll.device->id,\n event->scroll.device->device_name,\n event->scroll.x,\n event->scroll.y,\n delta_x, delta_y);\n\n retval = CLUTTER_TRANSLATE_QUEUE;\n break;\n }\n\n event->motion.type = event->type = CLUTTER_MOTION;\n\n event->motion.stage = stage;\n\n event->motion.time = xev->time;\n event->motion.x = xev->event_x;\n event->motion.y = xev->event_y;\n event->motion.modifier_state =\n _clutter_input_device_xi2_translate_state (&xev->mods,\n &xev->buttons,\n &xev->group);\n\n clutter_event_set_source_device (event, source_device);\n clutter_event_set_device (event, device);\n\n event->motion.axes = translate_axes (event->motion.device,\n event->motion.x,\n event->motion.y,\n stage_x11,\n &xev->valuators);\n\n if (source_device != NULL && device->stage != NULL)\n _clutter_input_device_set_stage (source_device, device->stage);\n\n#ifdef HAVE_XINPUT_2_2\n if (xev->flags & XIPointerEmulated)\n _clutter_event_set_pointer_emulated (event, TRUE);\n#endif /* HAVE_XINPUT_2_2 */\n\n CLUTTER_NOTE (EVENT, \"motion: win:0x%x device:%d '%s' (x:%.2f, y:%.2f, axes:%s)\",\n (unsigned int) stage_x11->xwin,\n event->motion.device->id,\n event->motion.device->device_name,\n event->motion.x,\n event->motion.y,\n event->motion.axes != NULL ? 
\"yes\" : \"no\");\n\n retval = CLUTTER_TRANSLATE_QUEUE;\n }\n break;\n\n#ifdef HAVE_XINPUT_2_2\n case XI_TouchBegin:\n case XI_TouchEnd:\n {\n XIDeviceEvent *xev = (XIDeviceEvent *) xi_event;\n\n source_device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (xev->sourceid));\n\n if (xi_event->evtype == XI_TouchBegin)\n event->touch.type = event->type = CLUTTER_TOUCH_BEGIN;\n else\n event->touch.type = event->type = CLUTTER_TOUCH_END;\n\n event->touch.stage = stage;\n event->touch.time = xev->time;\n event->touch.x = xev->event_x;\n event->touch.y = xev->event_y;\n event->touch.modifier_state =\n _clutter_input_device_xi2_translate_state (&xev->mods,\n &xev->buttons,\n &xev->group);\n\n clutter_event_set_source_device (event, source_device);\n\n device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (xev->deviceid));\n clutter_event_set_device (event, device);\n\n event->touch.axes = translate_axes (event->touch.device,\n event->motion.x,\n event->motion.y,\n stage_x11,\n &xev->valuators);\n\n if (xi_event->evtype == XI_TouchBegin)\n {\n event->touch.modifier_state |= CLUTTER_BUTTON1_MASK;\n\n _clutter_stage_x11_set_user_time (stage_x11, event->touch.time);\n }\n\n event->touch.sequence = GUINT_TO_POINTER (xev->detail);\n\n if (xev->flags & XITouchEmulatingPointer)\n _clutter_event_set_pointer_emulated (event, TRUE);\n\n CLUTTER_NOTE (EVENT, \"touch %s: win:0x%x device:%d '%s' (seq:%d, x:%.2f, y:%.2f, axes:%s)\",\n event->type == CLUTTER_TOUCH_BEGIN ? \"begin\" : \"end\",\n (unsigned int) stage_x11->xwin,\n event->touch.device->id,\n event->touch.device->device_name,\n GPOINTER_TO_UINT (event->touch.sequence),\n event->touch.x,\n event->touch.y,\n event->touch.axes != NULL ? 
\"yes\" : \"no\");\n\n retval = CLUTTER_TRANSLATE_QUEUE;\n }\n break;\n\n case XI_TouchUpdate:\n {\n XIDeviceEvent *xev = (XIDeviceEvent *) xi_event;\n\n source_device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (xev->sourceid));\n\n event->touch.type = event->type = CLUTTER_TOUCH_UPDATE;\n event->touch.stage = stage;\n event->touch.time = xev->time;\n event->touch.sequence = GUINT_TO_POINTER (xev->detail);\n event->touch.x = xev->event_x;\n event->touch.y = xev->event_y;\n\n clutter_event_set_source_device (event, source_device);\n\n device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (xev->deviceid));\n clutter_event_set_device (event, device);\n\n event->touch.axes = translate_axes (event->touch.device,\n event->motion.x,\n event->motion.y,\n stage_x11,\n &xev->valuators);\n\n event->touch.modifier_state =\n _clutter_input_device_xi2_translate_state (&xev->mods,\n &xev->buttons,\n &xev->group);\n event->touch.modifier_state |= CLUTTER_BUTTON1_MASK;\n\n if (xev->flags & XITouchEmulatingPointer)\n _clutter_event_set_pointer_emulated (event, TRUE);\n\n CLUTTER_NOTE (EVENT, \"touch update: win:0x%x device:%d '%s' (seq:%d, x:%.2f, y:%.2f, axes:%s)\",\n (unsigned int) stage_x11->xwin,\n event->touch.device->id,\n event->touch.device->device_name,\n GPOINTER_TO_UINT (event->touch.sequence),\n event->touch.x,\n event->touch.y,\n event->touch.axes != NULL ? 
\"yes\" : \"no\");\n\n retval = CLUTTER_TRANSLATE_QUEUE;\n }\n break;\n#endif /* HAVE_XINPUT_2_2 */\n\n case XI_Enter:\n case XI_Leave:\n {\n XIEnterEvent *xev = (XIEnterEvent *) xi_event;\n\n device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (xev->deviceid));\n\n source_device = g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (xev->sourceid));\n\n if (xi_event->evtype == XI_Enter)\n {\n event->crossing.type = event->type = CLUTTER_ENTER;\n\n event->crossing.stage = stage;\n event->crossing.source = CLUTTER_ACTOR (stage);\n event->crossing.related = NULL;\n\n event->crossing.time = xev->time;\n event->crossing.x = xev->event_x;\n event->crossing.y = xev->event_y;\n\n _clutter_input_device_set_stage (device, stage);\n }\n else\n {\n if (device->stage == NULL)\n {\n CLUTTER_NOTE (EVENT,\n \"Discarding Leave for ButtonRelease \"\n \"event off-stage\");\n\n retval = CLUTTER_TRANSLATE_REMOVE;\n break;\n }\n\n event->crossing.type = event->type = CLUTTER_LEAVE;\n\n event->crossing.stage = stage;\n event->crossing.source = CLUTTER_ACTOR (stage);\n event->crossing.related = NULL;\n\n event->crossing.time = xev->time;\n event->crossing.x = xev->event_x;\n event->crossing.y = xev->event_y;\n\n _clutter_input_device_set_stage (device, NULL);\n }\n\n _clutter_input_device_reset_scroll_info (source_device);\n\n clutter_event_set_device (event, device);\n clutter_event_set_source_device (event, source_device);\n\n retval = CLUTTER_TRANSLATE_QUEUE;\n }\n break;\n\n case XI_FocusIn:\n case XI_FocusOut:\n retval = CLUTTER_TRANSLATE_CONTINUE;\n break;\n }\n\n return retval;\n}", "target": 0, "cwe": [ "CWE-264" ], "project": "clutter", "commit_id": "e310c68d7b38d521e341f4e8a36f54303079d74e", "hash": 256484034806480666678476757977498162198, "size": 569, "message": "x11: trap errors when calling XIQueryDevice\n\nDevices can disappear at any time, causing XIQueryDevice\nto throw an error. 
At the same time, plug a memory leak.\n\nhttps://bugzilla.gnome.org/show_bug.cgi?id=701974", "dataset": "other", "idx": 497496 }, { "func": "ms_escher_line_type_to_xl (GOLineDashType ld)\n{\n\tswitch (ld) {\n\tdefault:\n\tcase GO_LINE_NONE:\t\treturn -1;\n\tcase GO_LINE_SOLID:\t\treturn 0;\n\tcase GO_LINE_S_DOT:\t\treturn 2;\n\tcase GO_LINE_S_DASH_DOT:\treturn 3;\n\tcase GO_LINE_S_DASH_DOT_DOT:\treturn 4;\n\tcase GO_LINE_DASH_DOT_DOT_DOT:\treturn 4;\n\tcase GO_LINE_DOT:\t\treturn 5;\n\tcase GO_LINE_S_DASH:\t\treturn 6;\n\tcase GO_LINE_DASH:\t\treturn 7;\n\tcase GO_LINE_LONG_DASH:\t\treturn 8;\n\tcase GO_LINE_DASH_DOT:\t\treturn 9;\n\tcase GO_LINE_DASH_DOT_DOT:\treturn 10;\n\t}\n}", "target": 0, "cwe": [ "CWE-119" ], "project": "gnumeric", "commit_id": "b5480b69345b3c6d56ee0ed9c9e9880bb2a08cdc", "hash": 198422521346481884140808674121110835590, "size": 18, "message": "xls: fuzzed file crash.", "dataset": "other", "idx": 497528 }, { "func": "ms_escher_read_BSE (MSEscherState *state, MSEscherHeader *h)\n{\n\t/* read the header */\n\tgboolean needs_free;\n\tguint8 const * data = ms_escher_get_data (state,\n\t\th->offset + COMMON_HEADER_LEN, 36, &needs_free);\n\tguint8 const win_type\t= GSF_LE_GET_GUINT8 (data + 0);\n\tguint8 const mac_type\t= GSF_LE_GET_GUINT8 (data + 1);\n\t/*guint16 const tag\t= GSF_LE_GET_GUINT16 (data + 18);*/\n\tguint32 const size\t= GSF_LE_GET_GUINT32 (data + 20);\n\tguint32 const ref_count\t= GSF_LE_GET_GUINT32 (data + 24);\n\tgint32 const del_offset\t= GSF_LE_GET_GUINT32 (data + 28);\n\tguint8 const is_texture\t= GSF_LE_GET_GUINT8 (data + 32);\n\tguint8 const name_len\t= GSF_LE_GET_GUINT8 (data + 33);\n\tguint8 checksum[16]; /* RSA Data Security, Inc. 
MD4 Message-Digest Algorithm */\n\tchar const *name = \"unknown\";\n\tint i;\n\tfor (i = 16; i-- > 0;)\n\t\tchecksum[i] = GSF_LE_GET_GUINT8 (data + 2 + i);\n\n\td (0 , {\n\t\tg_printerr (\"Win type = %s;\\n\", bliptype_name (win_type));\n\t\tg_printerr (\"Mac type = %s;\\n\", bliptype_name (mac_type));\n\t\tg_printerr (\"Size = 0x%x(=%d) RefCount = 0x%x DelayOffset = 0x%x '%s';\\n\",\n\t\t\tsize, size, ref_count, del_offset, name);\n\n\t\tswitch (is_texture) {\n\t\tcase 0: g_printerr (\"Default usage;\\n\"); break;\n\t\tcase 1: g_printerr (\"Is texture;\\n\"); break;\n\t\tdefault:g_printerr (\"UNKNOWN USAGE : %d;\\n\", is_texture);\n\t\t}\n\n\t\tg_printerr (\"Checksum = 0x\");\n\t\tfor (i = 0; i < 16; ++i)\n\t\t\tg_printerr (\"%02x\", checksum[i]);\n\t\tg_printerr (\";\\n\");\n\t});\n\n\t/* Very red herring I think */\n\tif (name_len != 0) {\n\t\tg_printerr (\"WARNING : Maybe a name?\\n\");\n\t\t/* name = biff_get_text (data+36, name_len, &txt_byte_len); */\n\t}\n\n\t/* Ignore empties */\n\tif (h->len > 36 + COMMON_HEADER_LEN)\n\t\treturn ms_escher_read_container (state, h, 36, FALSE);\n\n\t/* Store a blank */\n\tms_container_add_blip (state->container, NULL);\n\treturn FALSE;\n}", "target": 0, "cwe": [ "CWE-119" ], "project": "gnumeric", "commit_id": "b5480b69345b3c6d56ee0ed9c9e9880bb2a08cdc", "hash": 215740926741447076019291053696652032342, "size": 52, "message": "xls: fuzzed file crash.", "dataset": "other", "idx": 497535 }, { "func": "bliptype_name (int const type)\n{\n\tswitch (type) {\n\tcase 2:\t return \"emf.gz\";\n\tcase 3:\t return \"wmf.gz\";\n\tcase 4:\t return \"pict.gz\";\n\tcase 5:\t return \"jpg\";\n\tcase 6:\t return \"png\";\n\tcase 7:\t return \"dib\";\n\tdefault: return \"Unknown\";\n\t}\n}", "target": 0, "cwe": [ "CWE-119" ], "project": "gnumeric", "commit_id": "b5480b69345b3c6d56ee0ed9c9e9880bb2a08cdc", "hash": 338901918662036376265653944295679454909, "size": 12, "message": "xls: fuzzed file crash.", "dataset": "other", "idx": 497544 }, { 
"func": "static const EVP_MD *nid_to_evpmd(int nid)\n{\n switch (nid) {\n case NID_X9_62_prime256v1:\n return EVP_sha256();\n case NID_secp384r1:\n return EVP_sha384();\n case NID_secp521r1:\n return EVP_sha512();\n default:\n return NULL;\n }\n\n return NULL;\n}", "target": 0, "cwe": [ "CWE-310" ], "project": "libssh", "commit_id": "e99246246b4061f7e71463f8806b9dcad65affa0", "hash": 5794060601551204010536903667388045253, "size": 15, "message": "security: fix for vulnerability CVE-2014-0017\n\nWhen accepting a new connection, a forking server based on libssh forks\nand the child process handles the request. The RAND_bytes() function of\nopenssl doesn't reset its state after the fork, but simply adds the\ncurrent process id (getpid) to the PRNG state, which is not guaranteed\nto be unique.\nThis can cause several children to end up with same PRNG state which is\na security issue.", "dataset": "other", "idx": 497561 }, { "func": "ReadImage (FILE *fp,\n tga_info *info,\n const gchar *filename)\n{\n static gint32 image_ID;\n gint32 layer_ID;\n\n GimpPixelRgn pixel_rgn;\n GimpDrawable *drawable;\n guchar *data, *buffer, *row;\n GimpImageType dtype = 0;\n GimpImageBaseType itype = 0;\n gint i, y;\n\n gint max_tileheight, tileheight;\n\n guint cmap_bytes = 0;\n guchar *tga_cmap = NULL;\n guchar *gimp_cmap = NULL;\n guchar *convert_cmap = NULL;\n\n switch (info->imageType)\n {\n case TGA_TYPE_MAPPED:\n cmap_bytes = (info->colorMapSize + 7 ) / 8;\n tga_cmap = g_new (guchar, info->colorMapLength * cmap_bytes);\n\n if (info->colorMapSize > 24)\n {\n /* indexed + full alpha => promoted to RGBA */\n itype = GIMP_RGB;\n dtype = GIMP_RGBA_IMAGE;\n convert_cmap = g_new (guchar, info->colorMapLength * 4);\n }\n else if (info->colorMapIndex + info->colorMapLength > 256)\n {\n /* more than 256 colormap entries => promoted to RGB */\n itype = GIMP_RGB;\n dtype = GIMP_RGB_IMAGE;\n convert_cmap = g_new (guchar, info->colorMapLength * 3);\n }\n else if (info->alphaBits > 0)\n {\n /* if 
alpha exists here, promote to RGB */\n itype = GIMP_RGB;\n dtype = GIMP_RGBA_IMAGE;\n convert_cmap = g_new (guchar, info->colorMapLength * 4);\n }\n else\n {\n itype = GIMP_INDEXED;\n dtype = GIMP_INDEXED_IMAGE;\n gimp_cmap = g_new (guchar, info->colorMapLength * 3);\n }\n break;\n\n case TGA_TYPE_GRAY:\n itype = GIMP_GRAY;\n\n if (info->alphaBits)\n dtype = GIMP_GRAYA_IMAGE;\n else\n dtype = GIMP_GRAY_IMAGE;\n break;\n\n case TGA_TYPE_COLOR:\n itype = GIMP_RGB;\n\n if (info->alphaBits)\n dtype = GIMP_RGBA_IMAGE;\n else\n dtype = GIMP_RGB_IMAGE;\n break;\n }\n\n /* Handle colormap */\n\n if (info->imageType == TGA_TYPE_MAPPED)\n {\n if (cmap_bytes <= 4 &&\n fread (tga_cmap, info->colorMapLength * cmap_bytes, 1, fp) == 1)\n {\n if (convert_cmap)\n {\n if (info->colorMapSize == 32)\n bgr2rgb (convert_cmap, tga_cmap,\n info->colorMapLength, cmap_bytes, 1);\n else if (info->colorMapSize == 24)\n bgr2rgb (convert_cmap, tga_cmap,\n info->colorMapLength, cmap_bytes, 0);\n else if (info->colorMapSize == 16 || info->colorMapSize == 15)\n upsample (convert_cmap, tga_cmap,\n info->colorMapLength, cmap_bytes, info->alphaBits);\n else\n {\n g_message (\"Unsupported colormap depth: %u\",\n info->colorMapSize);\n return -1;\n }\n }\n else\n {\n if (info->colorMapSize == 24)\n bgr2rgb (gimp_cmap, tga_cmap,\n info->colorMapLength, cmap_bytes, 0);\n else if (info->colorMapSize == 16 || info->colorMapSize == 15)\n upsample (gimp_cmap, tga_cmap,\n info->colorMapLength, cmap_bytes, info->alphaBits);\n else\n {\n g_message (\"Unsupported colormap depth: %u\",\n info->colorMapSize);\n return -1;\n }\n }\n }\n else\n {\n g_message (\"File '%s' is truncated or corrupted\",\n gimp_filename_to_utf8 (filename));\n return -1;\n }\n }\n\n image_ID = gimp_image_new (info->width, info->height, itype);\n gimp_image_set_filename (image_ID, filename);\n\n if (gimp_cmap)\n gimp_image_set_colormap (image_ID, gimp_cmap, info->colorMapLength);\n\n layer_ID = gimp_layer_new (image_ID,\n 
_(\"Background\"),\n info->width, info->height,\n dtype, 100,\n GIMP_NORMAL_MODE);\n\n gimp_image_insert_layer (image_ID, layer_ID, -1, 0);\n\n drawable = gimp_drawable_get (layer_ID);\n\n /* Prepare the pixel region. */\n gimp_pixel_rgn_init (&pixel_rgn, drawable, 0, 0,\n info->width, info->height, TRUE, FALSE);\n\n /* Allocate the data. */\n max_tileheight = gimp_tile_height ();\n data = g_new (guchar, info->width * max_tileheight * drawable->bpp);\n buffer = g_new (guchar, info->width * info->bytes);\n\n if (info->flipVert)\n {\n for (i = 0; i < info->height; i += tileheight)\n {\n tileheight = i ? max_tileheight : (info->height % max_tileheight);\n if (tileheight == 0)\n tileheight = max_tileheight;\n\n for (y = 1; y <= tileheight; ++y)\n {\n row = data + (info->width * drawable->bpp * (tileheight - y));\n read_line (fp, row, buffer, info, drawable, convert_cmap);\n }\n\n gimp_progress_update ((gdouble) (i + tileheight) /\n (gdouble) info->height);\n gimp_pixel_rgn_set_rect (&pixel_rgn, data, 0,\n info->height - i - tileheight,\n info->width, tileheight);\n }\n }\n else\n {\n for (i = 0; i < info->height; i += max_tileheight)\n {\n tileheight = MIN (max_tileheight, info->height - i);\n\n for (y = 0; y < tileheight; ++y)\n {\n row= data + (info->width * drawable->bpp * y);\n read_line (fp, row, buffer, info, drawable, convert_cmap);\n }\n\n gimp_progress_update ((gdouble) (i + tileheight) /\n (gdouble) info->height);\n gimp_pixel_rgn_set_rect (&pixel_rgn, data, 0, i,\n info->width, tileheight);\n }\n }\n gimp_progress_update (1.0);\n\n g_free (data);\n g_free (buffer);\n\n g_free (convert_cmap);\n g_free (gimp_cmap);\n g_free (tga_cmap);\n\n gimp_drawable_flush (drawable);\n gimp_drawable_detach (drawable);\n\n return image_ID;\n} /*read_image*/", "target": 0, "cwe": [ "CWE-125" ], "project": "GIMP", "commit_id": "22e2571c25425f225abdb11a566cc281fca6f366", "hash": 324149756710289117892678617508089521833, "size": 202, "message": "plug-ins: TGA 16-bit RGB (without 
alpha bit) is also valid.\n\nAccording to some spec on the web, 16-bit RGB is also valid. In this\ncase, the last bit is simply ignored (at least that's how it is\nimplemented right now).\n\n(cherry picked from commit 8ea316667c8a3296bce2832b3986b58d0fdfc077)", "dataset": "other", "idx": 498632 }, { "func": "copyin_file (struct cpio_file_stat *file_hdr, int in_file_des)\n{\n bool existing_dir = false;\n\n if (!to_stdout_option\n && try_existing_file (file_hdr, in_file_des, &existing_dir) < 0)\n return;\n\n /* Do the real copy or link. */\n switch (file_hdr->c_mode & CP_IFMT)\n {\n case CP_IFREG:\n copyin_regular_file (file_hdr, in_file_des);\n break;\n\n case CP_IFDIR:\n cpio_create_dir (file_hdr, existing_dir);\n break;\n\n case CP_IFCHR:\n case CP_IFBLK:\n#ifdef CP_IFSOCK\n case CP_IFSOCK:\n#endif\n#ifdef CP_IFIFO\n case CP_IFIFO:\n#endif\n copyin_device (file_hdr);\n break;\n\n#ifdef CP_IFLNK\n case CP_IFLNK:\n copyin_link (file_hdr, in_file_des);\n break;\n#endif\n\n default:\n error (0, 0, _(\"%s: unknown file type\"), file_hdr->c_name);\n tape_toss_input (in_file_des, file_hdr->c_filesize);\n tape_skip_padding (in_file_des, file_hdr->c_filesize);\n }\n}", "target": 0, "cwe": [ "CWE-190" ], "project": "cpio", "commit_id": "dd96882877721703e19272fe25034560b794061b", "hash": 50149426099157403893020217744213548434, "size": 42, "message": "Rewrite dynamic string support.\n\n* src/dstring.c (ds_init): Take a single argument.\n(ds_free): New function.\n(ds_resize): Take a single argument. Use x2nrealloc to expand\nthe storage.\n(ds_reset,ds_append,ds_concat,ds_endswith): New function.\n(ds_fgetstr): Rewrite. 
In particular, this fixes integer overflow.\n* src/dstring.h (dynamic_string): Keep both the allocated length\n(ds_size) and index of the next free byte in the string (ds_idx).\n(ds_init,ds_resize): Change signature.\n(ds_len): New macro.\n(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.\n* src/copyin.c: Use new ds_ functions.\n* src/copyout.c: Likewise.\n* src/copypass.c: Likewise.\n* src/util.c: Likewise.", "dataset": "other", "idx": 499643 }, { "func": "arf_stores_inode_p (enum archive_format arf)\n{\n switch (arf)\n {\n case arf_tar:\n case arf_ustar:\n return 0;\n\n default:\n break;\n }\n return 1;\n}", "target": 0, "cwe": [ "CWE-190" ], "project": "cpio", "commit_id": "dd96882877721703e19272fe25034560b794061b", "hash": 41045857523298159027775050187922366069, "size": 13, "message": "Rewrite dynamic string support.\n\n* src/dstring.c (ds_init): Take a single argument.\n(ds_free): New function.\n(ds_resize): Take a single argument. Use x2nrealloc to expand\nthe storage.\n(ds_reset,ds_append,ds_concat,ds_endswith): New function.\n(ds_fgetstr): Rewrite. 
In particular, this fixes integer overflow.\n* src/dstring.h (dynamic_string): Keep both the allocated length\n(ds_size) and index of the next free byte in the string (ds_idx).\n(ds_init,ds_resize): Change signature.\n(ds_len): New macro.\n(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.\n* src/copyin.c: Use new ds_ functions.\n* src/copyout.c: Likewise.\n* src/copypass.c: Likewise.\n* src/util.c: Likewise.", "dataset": "other", "idx": 499656 }, { "func": "write_out_header (struct cpio_file_stat *file_hdr, int out_des)\n{\n dev_t dev;\n dev_t rdev;\n \n switch (archive_format)\n {\n case arf_newascii:\n return write_out_new_ascii_header (\"070701\", file_hdr, out_des);\n \n case arf_crcascii:\n return write_out_new_ascii_header (\"070702\", file_hdr, out_des);\n \n case arf_oldascii:\n return write_out_old_ascii_header (makedev (file_hdr->c_dev_maj,\n\t\t\t\t\t\t file_hdr->c_dev_min),\n\t\t\t\t\t makedev (file_hdr->c_rdev_maj,\n\t\t\t\t\t\t file_hdr->c_rdev_min),\n\t\t\t\t\t file_hdr, out_des);\n \n case arf_hpoldascii:\n hp_compute_dev (file_hdr, &dev, &rdev);\n return write_out_old_ascii_header (dev, rdev, file_hdr, out_des);\n \n case arf_tar:\n case arf_ustar:\n if (is_tar_filename_too_long (file_hdr->c_name))\n\t{\n\t error (0, 0, _(\"%s: file name too long\"), file_hdr->c_name);\n\t return 1;\n\t}\n return write_out_tar_header (file_hdr, out_des);\n\n case arf_binary:\n return write_out_binary_header (makedev (file_hdr->c_rdev_maj,\n\t\t\t\t\t file_hdr->c_rdev_min),\n\t\t\t\t file_hdr, out_des);\n\n case arf_hpbinary:\n hp_compute_dev (file_hdr, &dev, &rdev);\n /* FIXME: dev ignored. Should it be? 
*/\n return write_out_binary_header (rdev, file_hdr, out_des);\n\n default:\n abort ();\n }\n}", "target": 0, "cwe": [ "CWE-190" ], "project": "cpio", "commit_id": "dd96882877721703e19272fe25034560b794061b", "hash": 150114752285239015252633376272281612006, "size": 47, "message": "Rewrite dynamic string support.\n\n* src/dstring.c (ds_init): Take a single argument.\n(ds_free): New function.\n(ds_resize): Take a single argument. Use x2nrealloc to expand\nthe storage.\n(ds_reset,ds_append,ds_concat,ds_endswith): New function.\n(ds_fgetstr): Rewrite. In particular, this fixes integer overflow.\n* src/dstring.h (dynamic_string): Keep both the allocated length\n(ds_size) and index of the next free byte in the string (ds_idx).\n(ds_init,ds_resize): Change signature.\n(ds_len): New macro.\n(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.\n* src/copyin.c: Use new ds_ functions.\n* src/copyout.c: Likewise.\n* src/copypass.c: Likewise.\n* src/util.c: Likewise.", "dataset": "other", "idx": 499660 }, { "func": "hp_compute_dev (struct cpio_file_stat *file_hdr, dev_t *pdev, dev_t *prdev)\n{\n /* HP/UX cpio creates archives that look just like ordinary archives,\n but for devices it sets major = 0, minor = 1, and puts the\n actual major/minor number in the filesize field. 
*/\n switch (file_hdr->c_mode & CP_IFMT)\n {\n case CP_IFCHR:\n case CP_IFBLK:\n#ifdef CP_IFSOCK\n case CP_IFSOCK:\n#endif\n#ifdef CP_IFIFO\n case CP_IFIFO:\n#endif\n file_hdr->c_filesize = makedev (file_hdr->c_rdev_maj,\n\t\t\t\t file_hdr->c_rdev_min);\n *pdev = *prdev = makedev (0, 1);\n break;\n\n default:\n *pdev = makedev (file_hdr->c_dev_maj, file_hdr->c_dev_min);\n *prdev = makedev (file_hdr->c_rdev_maj, file_hdr->c_rdev_min);\n break;\n }\n}", "target": 0, "cwe": [ "CWE-190" ], "project": "cpio", "commit_id": "dd96882877721703e19272fe25034560b794061b", "hash": 296169277754140154225333129856124108781, "size": 26, "message": "Rewrite dynamic string support.\n\n* src/dstring.c (ds_init): Take a single argument.\n(ds_free): New function.\n(ds_resize): Take a single argument. Use x2nrealloc to expand\nthe storage.\n(ds_reset,ds_append,ds_concat,ds_endswith): New function.\n(ds_fgetstr): Rewrite. In particular, this fixes integer overflow.\n* src/dstring.h (dynamic_string): Keep both the allocated length\n(ds_size) and index of the next free byte in the string (ds_idx).\n(ds_init,ds_resize): Change signature.\n(ds_len): New macro.\n(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.\n* src/copyin.c: Use new ds_ functions.\n* src/copyout.c: Likewise.\n* src/copypass.c: Likewise.\n* src/util.c: Likewise.", "dataset": "other", "idx": 499703 }, { "func": "read_in_old_ascii (struct cpio_file_stat *file_hdr, int in_des)\n{\n struct old_ascii_header ascii_header;\n unsigned long dev;\n\n tape_buffered_read (ascii_header.c_dev, in_des,\n\t\t sizeof ascii_header - sizeof ascii_header.c_magic);\n dev = FROM_OCTAL (ascii_header.c_dev);\n file_hdr->c_dev_maj = major (dev);\n file_hdr->c_dev_min = minor (dev);\n\n file_hdr->c_ino = FROM_OCTAL (ascii_header.c_ino);\n file_hdr->c_mode = FROM_OCTAL (ascii_header.c_mode);\n file_hdr->c_uid = FROM_OCTAL (ascii_header.c_uid);\n file_hdr->c_gid = FROM_OCTAL (ascii_header.c_gid);\n file_hdr->c_nlink = FROM_OCTAL 
(ascii_header.c_nlink);\n dev = FROM_OCTAL (ascii_header.c_rdev);\n file_hdr->c_rdev_maj = major (dev);\n file_hdr->c_rdev_min = minor (dev);\n\n file_hdr->c_mtime = FROM_OCTAL (ascii_header.c_mtime);\n file_hdr->c_filesize = FROM_OCTAL (ascii_header.c_filesize);\n read_name_from_file (file_hdr, in_des, FROM_OCTAL (ascii_header.c_namesize));\n\n /* HP/UX cpio creates archives that look just like ordinary archives,\n but for devices it sets major = 0, minor = 1, and puts the\n actual major/minor number in the filesize field. See if this\n is an HP/UX cpio archive, and if so fix it. We have to do this\n here because process_copy_in() assumes filesize is always 0\n for devices. */\n switch (file_hdr->c_mode & CP_IFMT)\n {\n case CP_IFCHR:\n case CP_IFBLK:\n#ifdef CP_IFSOCK\n case CP_IFSOCK:\n#endif\n#ifdef CP_IFIFO\n case CP_IFIFO:\n#endif\n\tif (file_hdr->c_filesize != 0\n\t && file_hdr->c_rdev_maj == 0\n\t && file_hdr->c_rdev_min == 1)\n\t {\n\t file_hdr->c_rdev_maj = major (file_hdr->c_filesize);\n\t file_hdr->c_rdev_min = minor (file_hdr->c_filesize);\n\t file_hdr->c_filesize = 0;\n\t }\n\tbreak;\n default:\n\tbreak;\n }\n}", "target": 0, "cwe": [ "CWE-190" ], "project": "cpio", "commit_id": "dd96882877721703e19272fe25034560b794061b", "hash": 58444715879706996046318133967686034934, "size": 53, "message": "Rewrite dynamic string support.\n\n* src/dstring.c (ds_init): Take a single argument.\n(ds_free): New function.\n(ds_resize): Take a single argument. Use x2nrealloc to expand\nthe storage.\n(ds_reset,ds_append,ds_concat,ds_endswith): New function.\n(ds_fgetstr): Rewrite. 
In particular, this fixes integer overflow.\n* src/dstring.h (dynamic_string): Keep both the allocated length\n(ds_size) and index of the next free byte in the string (ds_idx).\n(ds_init,ds_resize): Change signature.\n(ds_len): New macro.\n(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.\n* src/copyin.c: Use new ds_ functions.\n* src/copyout.c: Likewise.\n* src/copypass.c: Likewise.\n* src/util.c: Likewise.", "dataset": "other", "idx": 499719 }, { "func": "const char *SSL_rstate_string(const SSL *s)\n{\n switch (s->rlayer.rstate) {\n case SSL_ST_READ_HEADER:\n return \"RH\";\n case SSL_ST_READ_BODY:\n return \"RB\";\n case SSL_ST_READ_DONE:\n return \"RD\";\n default:\n return \"unknown\";\n }\n}", "target": 0, "cwe": [ "CWE-20" ], "project": "openssl", "commit_id": "63658103d4441924f8dbfc517b99bb54758a98b9", "hash": 290561002437833243559854157238607148859, "size": 13, "message": "Fix a hang with SSL_peek()\n\nIf while calling SSL_peek() we read an empty record then we go into an\ninfinite loop, continually trying to read data from the empty record and\nnever making any progress. This could be exploited by a malicious peer in\na Denial Of Service attack.\n\nCVE-2016-6305\n\nGitHub Issue #1563\n\nReviewed-by: Rich Salz ", "dataset": "other", "idx": 503776 }, { "func": "const char *SSL_rstate_string_long(const SSL *s)\n{\n switch (s->rlayer.rstate) {\n case SSL_ST_READ_HEADER:\n return \"read header\";\n case SSL_ST_READ_BODY:\n return \"read body\";\n case SSL_ST_READ_DONE:\n return \"read done\";\n default:\n return \"unknown\";\n }\n}", "target": 0, "cwe": [ "CWE-20" ], "project": "openssl", "commit_id": "63658103d4441924f8dbfc517b99bb54758a98b9", "hash": 205574468302938001865003258846762989690, "size": 13, "message": "Fix a hang with SSL_peek()\n\nIf while calling SSL_peek() we read an empty record then we go into an\ninfinite loop, continually trying to read data from the empty record and\nnever making any progress. 
This could be exploited by a malicious peer in\na Denial Of Service attack.\n\nCVE-2016-6305\n\nGitHub Issue #1563\n\nReviewed-by: Rich Salz ", "dataset": "other", "idx": 503777 }, { "func": "Agraph_t *agraphof(void *obj)\n{\n switch (AGTYPE(obj)) {\n case AGINEDGE:\n case AGOUTEDGE:\n\treturn ((Agedge_t *) obj)->node->root;\n case AGNODE:\n\treturn ((Agnode_t *) obj)->root;\n case AGRAPH:\n\treturn (Agraph_t *) obj;\n default:\t\t\t/* actually can't occur if only 2 bit tags */\n\tagerr(AGERR, \"agraphof a bad object\");\n\treturn NILgraph;\n }\n}", "target": 0, "cwe": [ "CWE-476" ], "project": "graphviz", "commit_id": "839085f8026afd6f6920a0c31ad2a9d880d97932", "hash": 248563598394800902846024511939663049757, "size": 15, "message": "attempted fix for null pointer deference on malformed input", "dataset": "other", "idx": 505492 }, { "func": "test_command()\n{\n int what;\n int save_token = c_token++;\n\n if (!term) /* unknown terminal */\n\tint_error(c_token, \"use 'set term' to set terminal type first\");\n\n what = lookup_table(&test_tbl[0], c_token);\n switch (what) {\n\tdefault:\n\t if (!END_OF_COMMAND)\n\t\tint_error(c_token, \"unrecognized test option\");\n\t /* otherwise fall through to test_term */\n\tcase TEST_TERMINAL: test_term(); break;\n\tcase TEST_PALETTE: test_palette_subcommand(); break;\n }\n\n /* prevent annoying error messages if there was no previous plot */\n /* and the \"test\" window is resized. 
*/\n if (!replot_line || !(*replot_line)) {\n\tm_capture( &replot_line, save_token, c_token );\n }\n}", "target": 0, "cwe": [ "CWE-415" ], "project": "gnuplot", "commit_id": "052cbd17c3cbbc602ee080b2617d32a8417d7563", "hash": 85754035012068824739355968773477687910, "size": 24, "message": "successive failures of \"set print \" could cause double-free\nBug #2312", "dataset": "other", "idx": 506487 }, { "func": "save_command()\n{\n FILE *fp;\n char *save_file = NULL;\n TBOOLEAN append = FALSE;\n int what;\n\n c_token++;\n what = lookup_table(&save_tbl[0], c_token);\n\n switch (what) {\n\tcase SAVE_FUNCS:\n\tcase SAVE_SET:\n\tcase SAVE_TERMINAL:\n\tcase SAVE_VARS:\n\tcase SAVE_FIT:\n\tcase SAVE_DATABLOCKS:\n\t c_token++;\n\t break;\n\tdefault:\n\t break;\n }\n\n save_file = try_to_get_string();\n if (!save_file)\n\tint_error(c_token, \"expecting filename\");\n if (equals(c_token, \"append\")) {\n\tappend = TRUE;\n\tc_token++;\n }\n#ifdef PIPES\n if (save_file[0]=='|') {\n\trestrict_popen();\n\tfp = popen(save_file+1,\"w\");\n } else\n#endif\n {\n gp_expand_tilde(&save_file);\n#ifdef _WIN32\n fp = !strcmp(save_file,\"-\") ? stdout\n\t: loadpath_fopen(save_file, append?\"a\":\"w\");\n#else\n fp = !strcmp(save_file,\"-\") ? 
stdout\n\t: fopen(save_file, append?\"a\":\"w\");\n#endif\n }\n\n if (!fp)\n\tos_error(c_token, \"Cannot open save file\");\n\n switch (what) {\n case SAVE_FUNCS:\n\t save_functions(fp);\n\tbreak;\n case SAVE_SET:\n\t save_set(fp);\n\tbreak;\n case SAVE_TERMINAL:\n\t save_term(fp);\n\tbreak;\n case SAVE_VARS:\n\t save_variables(fp);\n\tbreak;\n case SAVE_FIT:\n\t save_fit(fp);\n\tbreak;\n case SAVE_DATABLOCKS:\n\t save_datablocks(fp);\n\tbreak;\n default:\n\t save_all(fp);\n }\n\n if (stdout != fp) {\n#ifdef PIPES\n\tif (save_file[0] == '|')\n\t (void) pclose(fp);\n\telse\n#endif\n\t (void) fclose(fp);\n }\n\n free(save_file);\n}", "target": 0, "cwe": [ "CWE-415" ], "project": "gnuplot", "commit_id": "052cbd17c3cbbc602ee080b2617d32a8417d7563", "hash": 188824118221818722622733572912516895351, "size": 84, "message": "successive failures of \"set print \" could cause double-free\nBug #2312", "dataset": "other", "idx": 506546 }, { "func": "style_from_fill(struct fill_style_type *fs)\n{\n int fillpar, style;\n\n switch( fs->fillstyle ) {\n case FS_SOLID:\n case FS_TRANSPARENT_SOLID:\n\tfillpar = fs->filldensity;\n\tstyle = ((fillpar & 0xfff) << 4) + fs->fillstyle;\n\tbreak;\n case FS_PATTERN:\n case FS_TRANSPARENT_PATTERN:\n\tfillpar = fs->fillpattern;\n\tstyle = ((fillpar & 0xfff) << 4) + fs->fillstyle;\n\tbreak;\n case FS_EMPTY:\n default:\n\t/* solid fill with background color */\n\tstyle = FS_EMPTY;\n\tbreak;\n }\n\n return style;\n}", "target": 0, "cwe": [ "CWE-787" ], "project": "gnuplot", "commit_id": "963c7df3e0c5266efff260d0dff757dfe03d3632", "hash": 300309668460626552839519627634493712058, "size": 24, "message": "Better error handling for faulty font syntax\n\nA missing close-quote in an enhanced text font specification could\ncause a segfault.\nBug #2303", "dataset": "other", "idx": 506584 }, { "func": "parse_term_size( float *xsize, float *ysize, size_units default_units )\n{\n size_units units = default_units;\n\n if (END_OF_COMMAND)\n\tint_error(c_token, 
\"size requires two numbers: xsize, ysize\");\n *xsize = real_expression();\n if (almost_equals(c_token,\"in$ches\")) {\n\tc_token++;\n\tunits = INCHES;\n } else if (equals(c_token,\"cm\")) {\n\tc_token++;\n\tunits = CM;\n }\n switch (units) {\n case INCHES:\t*xsize *= gp_resolution; break;\n case CM:\t\t*xsize *= (float)gp_resolution / 2.54; break;\n case PIXELS:\n default:\t\t break;\n }\n\n if (!equals(c_token++,\",\"))\n\tint_error(c_token, \"size requires two numbers: xsize, ysize\");\n *ysize = real_expression();\n if (almost_equals(c_token,\"in$ches\")) {\n\tc_token++;\n\tunits = INCHES;\n } else if (equals(c_token,\"cm\")) {\n\tc_token++;\n\tunits = CM;\n }\n switch (units) {\n case INCHES:\t*ysize *= gp_resolution; break;\n case CM:\t\t*ysize *= (float)gp_resolution / 2.54; break;\n case PIXELS:\n default:\t\t break;\n }\n\n if (*xsize < 1 || *ysize < 1)\n\tint_error(c_token, \"size: out of range\");\n\n return units;\n}", "target": 0, "cwe": [ "CWE-787" ], "project": "gnuplot", "commit_id": "963c7df3e0c5266efff260d0dff757dfe03d3632", "hash": 280874159317171214735244919746551090798, "size": 43, "message": "Better error handling for faulty font syntax\n\nA missing close-quote in an enhanced text font specification could\ncause a segfault.\nBug #2303", "dataset": "other", "idx": 506598 }, { "func": "Field *Item_sum::create_tmp_field(bool group, TABLE *table)\n{\n Field *UNINIT_VAR(new_field);\n MEM_ROOT *mem_root= table->in_use->mem_root;\n\n switch (cmp_type()) {\n case REAL_RESULT:\n {\n new_field= new (mem_root)\n Field_double(max_char_length(), maybe_null, &name, decimals, TRUE);\n break;\n }\n case INT_RESULT:\n case TIME_RESULT:\n case DECIMAL_RESULT:\n case STRING_RESULT:\n new_field= tmp_table_field_from_field_type(table);\n break;\n case ROW_RESULT:\n // This case should never be choosen\n DBUG_ASSERT(0);\n new_field= 0;\n break;\n }\n if (new_field)\n new_field->init(table);\n return new_field;\n}", "target": 0, "cwe": [], "project": "server", 
"commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 111612933618597107069933857608428524963, "size": 28, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508478 }, { "func": "Field *create_tmp_field(THD *thd, TABLE *table,Item *item, Item::Type type,\n Item ***copy_func, Field **from_field,\n Field **default_field,\n bool group, bool modify_item,\n bool table_cant_handle_bit_fields,\n bool make_copy_field)\n{\n Field *result;\n Item::Type orig_type= type;\n Item *orig_item= 0;\n\n DBUG_ASSERT(thd == table->in_use);\n\n if (type != Item::FIELD_ITEM &&\n item->real_item()->type() == Item::FIELD_ITEM)\n {\n orig_item= item;\n item= item->real_item();\n type= Item::FIELD_ITEM;\n }\n\n switch (type) {\n case Item::TYPE_HOLDER:\n case Item::SUM_FUNC_ITEM:\n {\n result= item->create_tmp_field(group, table);\n if (!result)\n my_error(ER_OUT_OF_RESOURCES, MYF(ME_FATALERROR));\n return result;\n }\n case Item::DEFAULT_VALUE_ITEM:\n {\n Field *field= ((Item_default_value*) item)->field;\n if (field->default_value && (field->flags & BLOB_FLAG))\n {\n /*\n We have to use a copy 
function when using a blob with default value\n as the we have to calcuate the default value before we can use it.\n */\n return create_tmp_field_from_item(thd, item, table,\n (make_copy_field ? 0 : copy_func),\n modify_item);\n }\n }\n /* Fall through */\n case Item::FIELD_ITEM:\n case Item::CONTEXTUALLY_TYPED_VALUE_ITEM:\n case Item::INSERT_VALUE_ITEM:\n case Item::TRIGGER_FIELD_ITEM:\n {\n Item_field *field= (Item_field*) item;\n bool orig_modify= modify_item;\n if (orig_type == Item::REF_ITEM)\n modify_item= 0;\n /*\n If item have to be able to store NULLs but underlaid field can't do it,\n create_tmp_field_from_field() can't be used for tmp field creation.\n */\n if (((field->maybe_null && field->in_rollup) || \n\t(thd->create_tmp_table_for_derived && /* for mat. view/dt */\n\t orig_item && orig_item->maybe_null)) && \n !field->field->maybe_null())\n {\n bool save_maybe_null= FALSE;\n /*\n The item the ref points to may have maybe_null flag set while\n the ref doesn't have it. This may happen for outer fields\n when the outer query decided at some point after name resolution phase\n that this field might be null. 
Take this into account here.\n */\n if (orig_item)\n {\n save_maybe_null= item->maybe_null;\n item->maybe_null= orig_item->maybe_null;\n }\n result= create_tmp_field_from_item(thd, item, table, NULL,\n modify_item);\n *from_field= field->field;\n if (result && modify_item)\n field->result_field= result;\n if (orig_item)\n {\n item->maybe_null= save_maybe_null;\n result->field_name= orig_item->name;\n }\n }\n else if (table_cant_handle_bit_fields && field->field->type() ==\n MYSQL_TYPE_BIT)\n {\n const Type_handler *handler= item->type_handler_long_or_longlong();\n *from_field= field->field;\n if ((result=\n handler->make_and_init_table_field(&item->name,\n Record_addr(item->maybe_null),\n *item, table)))\n create_tmp_field_from_item_finalize(thd, result, item,\n copy_func, modify_item);\n if (result && modify_item)\n field->result_field= result;\n }\n else\n {\n LEX_CSTRING *tmp= orig_item ? &orig_item->name : &item->name;\n result= create_tmp_field_from_field(thd, (*from_field= field->field),\n tmp, table,\n modify_item ? field :\n NULL);\n }\n\n if (orig_type == Item::REF_ITEM && orig_modify)\n ((Item_ref*)orig_item)->set_result_field(result);\n /*\n Fields that are used as arguments to the DEFAULT() function already have\n their data pointers set to the default value during name resolution. 
See\n Item_default_value::fix_fields.\n */\n if (orig_type != Item::DEFAULT_VALUE_ITEM && field->field->eq_def(result))\n *default_field= field->field;\n return result;\n }\n /* Fall through */\n case Item::FUNC_ITEM:\n if (((Item_func *) item)->functype() == Item_func::FUNC_SP)\n {\n Item_func_sp *item_func_sp= (Item_func_sp *) item;\n Field *sp_result_field= item_func_sp->get_sp_result_field();\n\n if (make_copy_field)\n {\n DBUG_ASSERT(item_func_sp->result_field);\n *from_field= item_func_sp->result_field;\n }\n else\n {\n *((*copy_func)++)= item;\n }\n Field *result_field=\n create_tmp_field_from_field(thd,\n sp_result_field,\n &item_func_sp->name,\n table,\n NULL);\n\n if (modify_item)\n item->set_result_field(result_field);\n\n return result_field;\n }\n\n /* Fall through */\n case Item::COND_ITEM:\n case Item::SUBSELECT_ITEM:\n case Item::REF_ITEM:\n case Item::EXPR_CACHE_ITEM:\n if (make_copy_field)\n {\n DBUG_ASSERT(((Item_result_field*)item)->result_field);\n *from_field= ((Item_result_field*)item)->result_field;\n }\n /* Fall through */\n case Item::FIELD_AVG_ITEM:\n case Item::FIELD_STD_ITEM:\n case Item::PROC_ITEM:\n case Item::INT_ITEM:\n case Item::REAL_ITEM:\n case Item::DECIMAL_ITEM:\n case Item::STRING_ITEM:\n case Item::DATE_ITEM:\n case Item::NULL_ITEM:\n case Item::VARBIN_ITEM:\n case Item::CACHE_ITEM:\n case Item::WINDOW_FUNC_ITEM: // psergey-winfunc:\n case Item::PARAM_ITEM:\n return create_tmp_field_from_item(thd, item, table,\n (make_copy_field ? 0 : copy_func),\n modify_item);\n default:\t\t\t\t\t// Dosen't have to be stored\n return 0;\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 182735055217858395528211955024952141108, "size": 180, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508573 }, { "func": "pick_table_access_method(JOIN_TAB *tab)\n{\n switch (tab->type) \n {\n case JT_REF:\n tab->read_first_record= join_read_always_key;\n tab->read_record.read_record_func= join_read_next_same;\n break;\n\n case JT_REF_OR_NULL:\n tab->read_first_record= join_read_always_key_or_null;\n tab->read_record.read_record_func= join_read_next_same_or_null;\n break;\n\n case JT_CONST:\n tab->read_first_record= join_read_const;\n tab->read_record.read_record_func= join_no_more_records;\n break;\n\n case JT_EQ_REF:\n tab->read_first_record= join_read_key;\n tab->read_record.read_record_func= join_no_more_records;\n break;\n\n case JT_FT:\n tab->read_first_record= join_ft_read_first;\n tab->read_record.read_record_func= join_ft_read_next;\n break;\n\n case JT_SYSTEM:\n tab->read_first_record= join_read_system;\n tab->read_record.read_record_func= join_no_more_records;\n break;\n\n /* keep gcc happy */ \n default:\n break; \n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 4536766429927427268550920142196057013, "size": 39, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized 
ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508736 }, { "func": " bool vcol_assignment_allowed_value() const\n {\n switch (state) {\n case NULL_VALUE:\n case DEFAULT_VALUE:\n case IGNORE_VALUE:\n return true;\n case NO_VALUE:\n case INT_VALUE:\n case REAL_VALUE:\n case STRING_VALUE:\n case TIME_VALUE:\n case LONG_DATA_VALUE:\n case DECIMAL_VALUE:\n break;\n }\n return false;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 64853562255230332806744922059620610047, "size": 18, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. 
Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509449 }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "Jsi_Obj *Jsi_ObjNewType(Jsi_Interp *interp, Jsi_otype otype)\n{\n Jsi_Obj *obj = Jsi_ObjNew(interp);\n obj->ot = (otype==JSI_OT_ARRAY?JSI_OT_OBJECT:otype);\n switch (otype) {\n case JSI_OT_BOOL: obj->__proto__ = interp->Boolean_prototype; break;\n case JSI_OT_NUMBER: obj->__proto__ = interp->Number_prototype; break;\n case JSI_OT_STRING: obj->__proto__ = interp->String_prototype; break;\n case JSI_OT_FUNCTION:obj->__proto__ = interp->Function_prototype; break;\n case JSI_OT_REGEXP: obj->__proto__ = interp->RegExp_prototype; break;\n case JSI_OT_OBJECT: obj->__proto__ = interp->Object_prototype; break;\n case JSI_OT_ARRAY: obj->__proto__ = interp->Array_prototype;\n obj->isarrlist = 1;\n break;\n default: assert(0); break;\n }\n if (interp->protoInit)\n assert(obj->__proto__);\n return obj;\n}", "idx": 520861, "cwe": "CWE-190", "hash": 74587892828681831376009147077418301144, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataSetCmd_(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr, int op)\n{\n UdcGet(cd, _this, funcPtr);\n uchar *dptr = NULL;\n Jsi_Value *arg = Jsi_ValueArrayIndex(interp, args, 0);\n char kbuf[BUFSIZ];\n void *key = kbuf;\n bool isNull = Jsi_ValueIsNull(interp, arg);\n if (isNull) {\n if (cd->mapPtr || cd->arrSize)\n return Jsi_LogError(\"null key used with 
c-array/map\");\n } else {\n if (!cd->mapPtr && cd->arrSize<=0)\n return Jsi_LogError(\"must be array/map\");\n if (JSI_OK != jsi_csGetKey(interp, cd, arg, &key, sizeof(kbuf), 1))\n return JSI_ERROR;\n }\n\n dptr = (uchar*)cd->data;\n if (isNull) {\n } else if (cd->mapPtr) {\n Jsi_MapEntry *mPtr = Jsi_MapEntryFind(*cd->mapPtr, key);\n if (mPtr)\n dptr = (uchar*)Jsi_MapValueGet(mPtr);\n else {\n bool isNew;\n if (cd->maxSize && Jsi_MapSize(*cd->mapPtr)>=cd->maxSize)\n return Jsi_LogError(\"map would exceeded maxSize: %d\", cd->maxSize);\n if (!cd->noAuto)\n mPtr = Jsi_MapEntryNew(*cd->mapPtr, key, &isNew);\n if (!mPtr)\n return Jsi_LogError(\"arg 1: key not found [%s]\", Jsi_ValueToString(interp, arg, NULL));\n Jsi_StructSpec *sl = cd->sl;\n dptr = (uchar*)Jsi_Calloc(1, sl->size);\n Jsi_MapValueSet(mPtr, dptr);\n jsi_csStructInit(sl, dptr);\n }\n } else if (!cd->arrSize)\n return Jsi_LogError(\"expected a c-array or map\");\n else {\n uint kind = (uintptr_t)key;\n if (kind>=cd->arrSize)\n return Jsi_LogError(\"array index out of bounds: %d not in 0,%d\", kind, cd->arrSize-1);\n dptr = ((uchar*)cd->data) + cd->sl->size*kind;\n if (cd->isPtrs)\n dptr = ((uchar*)cd->data) + sizeof(void*)*kind;\n else if (cd->isPtr2)\n dptr = (uchar*)(*(void**)dptr) + sizeof(void*)*kind;\n }\n int argc = Jsi_ValueGetLength(interp, args);\n Jsi_Value *arg2 = Jsi_ValueArrayIndex(interp, args, 1);\n if (op == 2 && argc == 2) {\n } else if (argc == 2) {\n if (!Jsi_ValueIsObjType(interp, arg2, JSI_OT_OBJECT))\n return Jsi_LogError(\"arg 3: last must be an object with 3 args\");\n return Jsi_OptionsConf(interp, (Jsi_OptionSpec*)cd->sf, dptr, arg2, ret, 0);\n } else if (argc != 3)\n return Jsi_LogError(\"expected 2 or 3 args\");\n const char *cp;\n if (!(cp = Jsi_ValueString(interp, arg2, NULL)))\n return Jsi_LogError(\"with 3 args, string expected for arg 2\");\n Jsi_Value *arg3 = Jsi_ValueArrayIndex(interp, args, 2);\n if (op == 2) {\n if (arg3) {\n if (!Jsi_ValueIsNumber(interp, arg3))\n 
return Jsi_LogError(\"expected number\");\n } else {\n arg3 = Jsi_ValueNewNumber(interp, 1);\n Jsi_IncrRefCount(interp, arg3);\n }\n }\n Jsi_RC rc = Jsi_OptionsSet(interp, (Jsi_OptionSpec*)cd->sf, dptr, cp, arg3, (op==2?JSI_OPTS_INCR:0));\n if (op==2 && argc==2)\n Jsi_DecrRefCount(interp, arg3);\n if (op == 2 && rc == JSI_OK) {\n if (interp->strict && Jsi_NumberIsNaN(interp->cdataIncrVal))\n return Jsi_LogError(\"result is NaN\");\n Jsi_ValueMakeNumber(interp, ret, interp->cdataIncrVal);\n }\n return rc;\n}", "idx": 520919, "cwe": "CWE-190", "hash": 70632281853975844423239924793375639005, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataStructDefineCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr)\n{\n \n Jsi_RC rc = JSI_OK;\n Jsi_OptionTypedef *st = NULL;\n jsi_csInitType(interp);\n Jsi_Value *eval = NULL, *val = Jsi_ValueArrayIndex(interp, args, 0),\n *flds = Jsi_ValueArrayIndex(interp, args, 1);\n int vlen, flen, i, argc, clen = 0, arrCnt=0;\n Jsi_DString fStr = {};\n char **argv = NULL, *cmt, *eq, *cp, *ce, *cpval, ocp;\n const char *vstr = Jsi_ValueString(interp, val, &vlen),\n *fstr = Jsi_ValueString(interp, flds, &flen);\n if (vstr) {\n cmt = Jsi_Strstr(fstr, \"//\");\n eq = Jsi_Strchr(fstr, '=');\n Jsi_DString tStr = {fstr};\n fstr=jsi_TrimStr(Jsi_DSValue(&tStr));\n Jsi_SplitStr(fstr, &argc, &argv, (cmt?\"\\n\":\";\"), &fStr);\n Jsi_DSFree(&tStr);\n if (!cmt && argc>0 && !argv[argc-1][0])\n argc--;\n if (eq) {\n eval = Jsi_ValueNewArray(interp, NULL, 0);\n Jsi_IncrRefCount(interp, eval);\n }\n } else if (!Jsi_ValueIsArray(interp,flds) || (argc=Jsi_ValueGetLength(interp, flds))<1)\n return Jsi_LogError(\"arg 2 must be string or non-empty array\");\n if (argc>200)\n return Jsi_LogError(\"too many fields: %d>200\", argc);\n Jsi_StructSpec *sl, *sf, recs[argc+2];\n memset(recs, 0, sizeof(recs));\n sl = recs+argc+1;\n sf = 
recs;\n SIGINIT(sl, OPTS_STRUCT);\n if (vstr) {\n sl->name = Jsi_KeyAdd(interp, vstr);\n } else if (Jsi_OptionsProcess(interp, StructOptions, sl, val, 0) < 0) {\n rc = JSI_ERROR;\n goto bail;\n }\n if (!Jsi_StrIsAlnum(sl->name)) {\n rc = Jsi_LogError(\"invalid struct name: %s\", sl->name);\n goto bail;\n }\n if (jsi_csStructGet(interp, sl->name)) {\n rc = Jsi_LogError(\"struct already exists: %s\", sl->name);\n goto bail;\n }\n for (i = 0; iname) || !sf->type) {\n rc = Jsi_LogError(\"invalid struct field name: %s\", sf->name);\n goto bail;\n }\n if (!Jsi_ValueObjLookup(interp, val, \"init\", 0) && (sf->type->flags&jsi_CTYP_STRUCT))\n inival = Jsi_ValueNewBoolean(interp, true);\n } else {\n if (cmt) {\n cp = Jsi_Strstr(argv[i], \"//\"); \n if (cp) {\n *cp = 0;\n cp += 2;\n cp = jsi_TrimStr(cp);\n sf->help = Jsi_KeyAdd(interp, cp);\n }\n cp = Jsi_Strchr(argv[i], ';'); \n if (cp) *cp = 0;\n }\n cp = Jsi_Strchr(argv[i], '='); \n if (cp) {\n if (!eval)\n goto bail;\n *cp++ = 0;\n cp = jsi_TrimStr(cp);\n int cplen = Jsi_Strlen(cp);\n if (cplen>1 && (cp[0] == '\\'' || cp[0] == '\"') && cp[0] == cp[cplen-1]) {\n cpval = cp+1;\n cp[cplen-1] = 0;\n inival = Jsi_ValueNewStringDup(interp, cpval);\n }\n else if (Jsi_GetDouble(interp, cp, &numVal) == JSI_OK)\n inival = Jsi_ValueNewNumber(interp, numVal);\n else if (Jsi_GetBool(interp, cp, &bVal) == JSI_OK)\n inival = Jsi_ValueNewBoolean(interp, bVal);\n else\n inival = Jsi_ValueNewStringDup(interp, cp);\n }\n cp = argv[i];\n while (*cp && isspace(*cp)) cp++;\n ce = cp;\n while (*ce && !isspace(*ce)) ce++;\n ocp = *ce;\n if (!ocp) {\n rc = Jsi_LogError(\"bad field: %s\", cp);\n goto bail;\n }\n *ce = 0;\n sf->type = Jsi_TypeLookup(interp, cp);\n *ce = ocp;\n if (!sf->type) {\n rc = Jsi_LogError(\"unknown type: %s\", argv[i]);\n goto bail;\n }\n if (!inival && (sf->type->flags&jsi_CTYP_STRUCT))\n inival = Jsi_ValueNewBoolean(interp, true);\n\n cp = ce+1;\n while (*cp && isspace(*cp)) cp++;\n ce = cp;\n while (*ce && (isalnum(*ce) 
|| *ce == '_')) ce++;\n ocp = *ce;\n *ce = 0;\n if (!*cp) {\n rc = Jsi_LogError(\"missing or bad struct field name\");\n goto bail;\n }\n sf->name = Jsi_KeyAdd(interp, cp);\n if (ocp) {\n ce++;\n clen = Jsi_Strlen(ce);\n }\n if (ocp == '@') {\n isbitset = 1;\n } else\n if (ocp == ':') {\n int bsiz = -1;\n if (Jsi_GetInt(interp, ce, &bsiz,10) != JSI_OK || bsiz<=0 || bsiz>64) {\n rc = Jsi_LogError(\"bad bit size: %s\", ce);\n goto bail;\n }\n sf->bits = bsiz;\n } else if (ocp == '[' && clen>1 && ce[clen-1]==']') {\n int asiz = -1;\n ce[clen-1] = 0;\n if (Jsi_GetInt(interp, ce, &asiz, 10) != JSI_OK || asiz<=0) {\n rc = Jsi_LogError(\"bad size: %s\", cp);\n goto bail;\n }\n sf->arrSize = asiz;\n } else if (ocp) {\n rc = Jsi_LogError(\"bad field: %s\", cp);\n goto bail;\n }\n val = NULL; \n }\n if (inival) {\n Jsi_Value *sval = Jsi_ValueNewObj(interp, NULL);\n Jsi_ValueInsert(interp, sval, \"init\", inival, 0);\n Jsi_ValueArraySet(interp, eval, sval, i);\n }\n bool isEnum = (sf->type && (sf->type->flags&jsi_CTYP_ENUM));\n if (isbitset) {\n if (!isEnum) {\n rc = Jsi_LogError(\"bitset type is not an enum\");\n goto bail;\n }\n sf->flags |= JSI_OPT_BITSET_ENUM;\n }\n if (sf->arrSize) {\n if (sf->arrSize>interp->maxArrayList) {\n rc = Jsi_LogError(\"array size too big: %d >= %d\", sf->arrSize, interp->maxArrayList);\n goto bail;\n }\n if (sf->bits || isEnum) {\n rc = Jsi_LogError(\"array of %s unsupported\", (sf->bits?\"bits\":\"enums\"));\n goto bail;\n }\n arrCnt++;\n }\n }\n recs[argc].id = JSI_OPTION_END;\n rc = jsi_csSetupStruct(interp, sl, recs, recs, argc, &st, arrCnt);\n if (rc != JSI_OK || !st) {\n rc = JSI_ERROR;\n goto bail;\n }\n sl = jsi_csGetStructSpec(st->extData);\n sf = jsi_csGetFieldSpec(sl->extData);\n if (vstr)\n flds = eval;\n for (i = 0; ihPtr);\n return rc;\n}", "idx": 520894, "cwe": "CWE-190", "hash": 299584608578676936382777765131833479729, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 
0, "func": "Jsi_Obj *jsi_ObjNew_(Jsi_Interp *interp)\n{\n Jsi_Obj *obj = (Jsi_Obj*)Jsi_Calloc(1,sizeof(*obj));\n SIGINIT(obj,OBJ);\n jsi_DebugObj(obj,\"New\", jsi_DebugValueCallIdx(), interp);\n obj->ot = JSI_OT_OBJECT;\n obj->tree = Jsi_TreeNew(interp, JSI_KEYS_STRINGKEY, NULL);\n obj->tree->opts.freeTreeProc = DeleteTreeValue;\n obj->tree->flags.valuesonly = 1;\n obj->__proto__ = interp->Object_prototype;\n interp->dbPtr->objCnt++;\n interp->dbPtr->objAllocCnt++;\n return obj;\n}", "idx": 520904, "cwe": "CWE-190", "hash": 279993471280802924305188118877391455507, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "Jsi_RC Jsi_CDataStructInit(Jsi_Interp *interp, uchar* data, const char *sname) { return JSI_ERROR; }", "idx": 520888, "cwe": "CWE-190", "hash": 194232572574700585364933409110458325716, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "Jsi_RC Jsi_CDataStructInit(Jsi_Interp *interp, uchar* data, const char *sname)\n{\n Jsi_StructSpec * sl = jsi_csStructGet(interp, sname);\n if (!sl)\n return Jsi_LogError(\"unknown struct: %s\", sname);\n return jsi_csStructInit(sl, data);\n}", "idx": 520925, "cwe": "CWE-190", "hash": 329392728513643299001362166559936144129, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC jsi_csNewCData(Jsi_Interp *interp, CDataObj *cd, int flags) {\n\n Jsi_StructSpec *slKey = NULL, *keySpec = NULL, *sf = cd->sf, *sl = cd->sl;\n \n if (!sf)\n cd->sf = sf = jsi_csStructFields(interp, cd->structName);\n if (!sl)\n sl = cd->sl = Jsi_CDataStruct(interp, cd->structName);\n if (!sf)\n return Jsi_LogError(\"missing struct/fields: %s\", cd->structName);\n \n if (cd->keyName) {\n slKey = keySpec = Jsi_CDataStruct(interp, cd->keyName);\n if (slKey == NULL)\n return Jsi_LogError(\"unknown key struct: %s\", cd->keyName);\n 
}\n\n const char *vparm = cd->varParam;\n if (vparm && vparm[0]) {\n char parm[200] = {}, *parms=parm, *ep;\n int plen = Jsi_Strlen(vparm);\n if (plen>=2 && vparm[0] == '[' && vparm[plen-1]==']') {\n snprintf(parm, sizeof(parm), \"%.*s\", plen-2, vparm+1);\n int sz = 0;\n if (parm[0] && isdigit(parm[0])) {\n sz=strtoul(parm, &ep, 0);\n if (*ep || sz<=0)\n return Jsi_LogError(\"bad array size: %s\", vparm);\n cd->arrSize = sz;\n } else {\n Jsi_EnumSpec *ei = (typeof(ei))Jsi_HashGet(interp->EnumItemHash, parm, 0);\n if (!ei || (sz=ei->value)<=0)\n return Jsi_LogError(\"bad array enum: %s\", vparm);\n }\n \n } else if (plen>=2 && vparm[0] == '{' && vparm[plen-1]=='}') {\n snprintf(parm, sizeof(parm), \"%.*s\", plen-2, vparm+1);\n cd->mapType = JSI_MAP_TREE;\n if (parms[0]) {\n const char *ktn = NULL;\n if (*parms == '#') {\n cd->mapType = JSI_MAP_HASH;\n parms++;\n }\n if (*parms == '0') {\n cd->keyType = JSI_KEYS_ONEWORD;\n if (parms[1])\n return Jsi_LogError(\"Trailing junk: %s\", vparm);\n } else if (parms[0] == '@') {\n slKey = Jsi_CDataStruct(interp, ktn=(parms+1));\n if (!slKey)\n return Jsi_LogError(\"unknown key struct: %s\", ktn);\n cd->keyName = slKey->name;\n } else if (parms[0])\n return Jsi_LogError(\"Trailing junk: %s\", vparm);\n }\n\n } else\n return Jsi_LogError(\"expected either {} or []: %s\", vparm);\n \n }\n cd->sl->value++;\n \n if (cd->keyName) {\n cd->slKey = Jsi_CDataStruct(interp, cd->keyName);\n if (!cd->slKey)\n return Jsi_LogError(\"unknown key struct: %s\", cd->keyName);\n cd->keysf = jsi_csStructFields(interp, cd->keyName);\n cd->keyType = (Jsi_Key_Type)slKey->size;\n cd->slKey->value++;\n }\n \n if (cd->arrSize<=0 && cd->mapType != JSI_MAP_NONE) {\n if (interp->cdataNewVal && interp->cdataNewVal->data)\n cd->mapPtr = (Jsi_Map**)(interp->cdataNewVal->data);\n else\n cd->mapPtr = (Jsi_Map**)&cd->data;\n cd->isAlloc = 1;\n *cd->mapPtr = Jsi_MapNew(interp, cd->mapType, cd->keyType, jsi_csMapFree);\n if (cd->slKey) {\n Jsi_MapOpts mo;\n 
Jsi_MapConf(*cd->mapPtr, &mo, 0);\n mo.fmtKeyProc = jsi_csFmtKeyCmd;\n mo.user = (void*)cd;\n Jsi_MapConf(*cd->mapPtr, &mo, 1);\n }\n } else {\n uint i, sz = (cd->arrSize<=0 ? 1 : cd->arrSize);\n cd->keyType = JSI_KEYS_ONEWORD;\n if (interp->cdataNewVal && interp->cdataNewVal->data)\n cd->data = interp->cdataNewVal->data;\n else {\n cd->isAlloc = 1;\n cd->data = (typeof(cd->data))Jsi_Calloc(sz, cd->sl->size);\n }\n for (i=0; idata) + i*cd->sl->size));\n }\n\n return JSI_OK;\n}", "idx": 520885, "cwe": "CWE-190", "hash": 26095207121118949641557131265913311494, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataTypeConfCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr)\n{\n \n char *arg1 = Jsi_ValueArrayIndexToStr(interp, args, 0, NULL);\n Jsi_OptionTypedef *nd = NULL;\n jsi_csInitType(interp);\n if (arg1)\n nd = (typeof(nd))Jsi_TypeLookup(interp, arg1);\n if (!nd)\n return Jsi_LogError(\"Unknown type: %s\", arg1);\n return CDataOptionsConf(interp, TypeOptions, args, nd, ret, 0, 1);\n}", "idx": 520930, "cwe": "CWE-190", "hash": 2881075471044156992022809190138324749, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "void Jsi_ObjFree(Jsi_Interp *interp, Jsi_Obj *obj)\n{\n interp->dbPtr->objCnt--;\n //assert(obj->refcnt == 0);\n jsi_AllObjOp(interp, obj, 0);\n#ifdef JSI_MEM_DEBUG\n if (interp != obj->VD.interp)\n printf(\"interp mismatch of objFree: %p!=%p : %p\\n\", interp, obj->VD.interp, obj);\n jsi_DebugObj(obj,\"Free\", jsi_DebugValueCallIdx(), interp);\n if (obj->VD.hPtr && !interp->cleanup) {\n Jsi_HashEntryDelete(obj->VD.hPtr);\n obj->VD.hPtr = NULL;\n }\n#endif\n /* printf(\"Free obj: %x\\n\", (int)obj); */\n switch (obj->ot) {\n case JSI_OT_STRING:\n if (!obj->isstrkey)\n Jsi_Free(obj->d.s.str);\n obj->d.s.str = 0;\n obj->isstrkey = 0;\n break;\n case 
JSI_OT_FUNCTION:\n jsi_FuncObjFree(obj->d.fobj);\n break;\n case JSI_OT_ITER:\n Jsi_IterObjFree(obj->d.iobj);\n break;\n case JSI_OT_USEROBJ:\n jsi_UserObjFree(interp, obj->d.uobj);\n case JSI_OT_ARRAY:\n case JSI_OT_OBJECT:\n break;\n case JSI_OT_REGEXP:\n if ((obj->d.robj->eflags&JSI_REG_STATIC)==0) {\n regfree(&obj->d.robj->reg);\n Jsi_Free(obj->d.robj);\n }\n break;\n default:\n break;\n }\n if (obj->tree)\n Jsi_TreeDelete(obj->tree);\n if (obj->arr) {\n int i = -1;\n while (++i < (int)obj->arrCnt)\n if (obj->arr[i])\n Jsi_DecrRefCount(interp, obj->arr[i]);\n Jsi_Free(obj->arr);\n obj->arr = NULL;\n }\n obj->tree = NULL;\n if (obj->clearProto)\n Jsi_DecrRefCount(interp, obj->__proto__);\n#ifdef JSI_MEM_DEBUG\n memset(obj, 0, (sizeof(*obj)-sizeof(obj->VD)));\n#endif\n Jsi_Free(obj);\n}", "idx": 520965, "cwe": "CWE-190", "hash": 267027911609440232197084852267293477612, "dataset": "other" }, { "project": "jsish", "commit_id": "858da537bde4de9d8c92466d5a866505310bc328", "target": 0, "func": "static Jsi_RC CDataSetCmd(Jsi_Interp *interp, Jsi_Value *args, Jsi_Value *_this,\n Jsi_Value **ret, Jsi_Func *funcPtr) {\n return CDataSetCmd_(interp, args, _this, ret, funcPtr, 1);\n}", "idx": 520860, "cwe": "CWE-190", "hash": 223608017948542150778598050509676444801, "dataset": "other" } ] }, { "call_depth": 6, "longest_call_chain": [ "objects_fn", "cgit_clone_objects", "send_file", "html_status", "htmlf", "html" ], "group_size": 17, "functions": [ { "func": "void cgit_clone_head(struct cgit_context *ctx)\n{\n\tsend_file(ctx, git_path(\"%s\", \"HEAD\"));\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 314249282590770671223546270827555248747, "size": 4, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. 
Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505407 }, { "func": "static void print_pack_info(struct cgit_context *ctx)\n{\n\tstruct packed_git *pack;\n\tint ofs;\n\n\tctx->page.mimetype = \"text/plain\";\n\tctx->page.filename = \"objects/info/packs\";\n\tcgit_print_http_headers(ctx);\n\tofs = strlen(ctx->repo->path) + strlen(\"/objects/pack/\");\n\tprepare_packed_git();\n\tfor (pack = packed_git; pack; pack = pack->next)\n\t\tif (pack->pack_local)\n\t\t\thtmlf(\"P %s\\n\", pack->pack_name + ofs);\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 191021917082730353696311990666473076425, "size": 14, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505397 }, { "func": "static void send_file(struct cgit_context *ctx, char *path)\n{\n\tstruct stat st;\n\tint err;\n\n\tif (stat(path, &st)) {\n\t\tswitch (errno) {\n\t\tcase ENOENT:\n\t\t\terr = 404;\n\t\t\tbreak;\n\t\tcase EACCES:\n\t\t\terr = 403;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\terr = 400;\n\t\t}\n\t\thtml_status(err, 0);\n\t\treturn;\n\t}\n\tctx->page.mimetype = \"application/octet-stream\";\n\tctx->page.filename = path;\n\tif (prefixcmp(ctx->repo->path, path))\n\t\tctx->page.filename += strlen(ctx->repo->path) + 1;\n\tcgit_print_http_headers(ctx);\n\thtml_include(path);\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 34446898179193463548332823693496340505, "size": 26, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. 
Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505409 }, { "func": "void html(const char *txt)\n{\n\twrite(htmlfd, txt, strlen(txt));\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 213627352939805154354230397310282842267, "size": 4, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505390 }, { "func": "void cgit_clone_objects(struct cgit_context *ctx)\n{\n\tif (!ctx->qry.path) {\n\t\thtml_status(400, 0);\n\t\treturn;\n\t}\n\n\tif (!strcmp(ctx->qry.path, \"info/packs\")) {\n\t\tprint_pack_info(ctx);\n\t\treturn;\n\t}\n\n\tsend_file(ctx, git_path(\"objects/%s\", ctx->qry.path));\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 209540227055473645784310057151849585489, "size": 14, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505396 }, { "func": "void html_option(char *value, char *text, char *selected_value)\n{\n\thtml(\"\\n\");\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 42511312361887253990551710666443797348, "size": 11, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. 
Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505392 }, { "func": "void html_link_open(char *url, char *title, char *class)\n{\n\thtml(\"\");\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 321143728927757988978728900557652888878, "size": 14, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505398 }, { "func": "static void objects_fn(struct cgit_context *ctx)\n{\n\tcgit_clone_objects(ctx);\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 205399448775119045109221559964847810896, "size": 4, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505382 }, { "func": "void html_status(int code, int more_headers)\n{\n\thtmlf(\"Status: %d\\n\", code);\n\tif (!more_headers)\n\t\thtml(\"\\n\");\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 163791303368434471591438478673581037180, "size": 6, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. 
Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505383 }, { "func": "void htmlf(const char *format, ...)\n{\n\tstatic char buf[65536];\n\tva_list args;\n\n\tva_start(args, format);\n\tvsnprintf(buf, sizeof(buf), format, args);\n\tva_end(args);\n\thtml(buf);\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 132595146260847090664800797207711458607, "size": 10, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505405 }, { "func": "static int print_ref_info(const char *refname, const unsigned char *sha1,\n int flags, void *cb_data)\n{\n\tstruct object *obj;\n\n\tif (!(obj = parse_object(sha1)))\n\t\treturn 0;\n\n\tif (!strcmp(refname, \"HEAD\") || !prefixcmp(refname, \"refs/heads/\"))\n\t\thtmlf(\"%s\\t%s\\n\", sha1_to_hex(sha1), refname);\n\telse if (!prefixcmp(refname, \"refs/tags\") && obj->type == OBJ_TAG) {\n\t\tif (!(obj = deref_tag(obj, refname, 0)))\n\t\t\treturn 0;\n\t\thtmlf(\"%s\\t%s\\n\", sha1_to_hex(sha1), refname);\n\t\thtmlf(\"%s\\t%s^{}\\n\", sha1_to_hex(obj->sha1), refname);\n\t}\n\treturn 0;\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 5937442165527735981495018550760907026, "size": 18, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. 
Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505386 }, { "func": "int html_include(const char *filename)\n{\n\tFILE *f;\n\tchar buf[4096];\n\tsize_t len;\n\n\tif (!(f = fopen(filename, \"r\"))) {\n\t\tfprintf(stderr, \"[cgit] Failed to include file %s: %s (%d).\\n\",\n\t\t\tfilename, strerror(errno), errno);\n\t\treturn -1;\n\t}\n\twhile((len = fread(buf, 1, 4096, f)) > 0)\n\t\twrite(htmlfd, buf, len);\n\tfclose(f);\n\treturn 0;\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 207852502402932260586764209553845751240, "size": 16, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505380 }, { "func": "static void HEAD_fn(struct cgit_context *ctx)\n{\n\tcgit_clone_head(ctx);\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 84241754861886426574323077652051359144, "size": 4, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505414 }, { "func": "void html_hidden(char *name, char *value)\n{\n\thtml(\"\");\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 339660141407589488692883169499035967387, "size": 8, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. 
Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505408 }, { "func": "void html_txt(char *txt)\n{\n\tchar *t = txt;\n\twhile(t && *t){\n\t\tint c = *t;\n\t\tif (c=='<' || c=='>' || c=='&') {\n\t\t\twrite(htmlfd, txt, t - txt);\n\t\t\tif (c=='>')\n\t\t\t\thtml(\">\");\n\t\t\telse if (c=='<')\n\t\t\t\thtml(\"<\");\n\t\t\telse if (c=='&')\n\t\t\t\thtml(\"&\");\n\t\t\ttxt = t+1;\n\t\t}\n\t\tt++;\n\t}\n\tif (t!=txt)\n\t\thtml(txt);\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 223476773350010800054129336387817182618, "size": 20, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505401 }, { "func": "void html_ntxt(int len, char *txt)\n{\n\tchar *t = txt;\n\twhile(t && *t && len--){\n\t\tint c = *t;\n\t\tif (c=='<' || c=='>' || c=='&') {\n\t\t\twrite(htmlfd, txt, t - txt);\n\t\t\tif (c=='>')\n\t\t\t\thtml(\">\");\n\t\t\telse if (c=='<')\n\t\t\t\thtml(\"<\");\n\t\t\telse if (c=='&')\n\t\t\t\thtml(\"&\");\n\t\t\ttxt = t+1;\n\t\t}\n\t\tt++;\n\t}\n\tif (t!=txt)\n\t\twrite(htmlfd, txt, t - txt);\n\tif (len<0)\n\t\thtml(\"...\");\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 255546233949194527812938200572990685763, "size": 22, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. 
Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505379 }, { "func": "void html_attr(char *txt)\n{\n\tchar *t = txt;\n\twhile(t && *t){\n\t\tint c = *t;\n\t\tif (c=='<' || c=='>' || c=='\\'') {\n\t\t\twrite(htmlfd, txt, t - txt);\n\t\t\tif (c=='>')\n\t\t\t\thtml(\">\");\n\t\t\telse if (c=='<')\n\t\t\t\thtml(\"<\");\n\t\t\telse if (c=='\\'')\n\t\t\t\thtml(\""e;\");\n\t\t\ttxt = t+1;\n\t\t}\n\t\tt++;\n\t}\n\tif (t!=txt)\n\t\thtml(txt);\n}", "target": 0, "cwe": [], "project": "cgit", "commit_id": "02a545e63454530c1639014d3239c14ced2022c6", "hash": 227480900301261836927385779448867171099, "size": 20, "message": "Add support for cloning over http\n\nThis patch implements basic support for cloning over http, based on the\nwork on git-http-backend by Shawn O. Pearce.\n\nSigned-off-by: Lars Hjemli ", "dataset": "other", "idx": 505384 } ] }, { "call_depth": 2, "longest_call_chain": [ "fuse_init_inode", "fuse_init_dir" ], "group_size": 5, "functions": [ { "func": "void fuse_init_symlink(struct inode *inode)\n{\n\tinode->i_op = &fuse_symlink_inode_operations;\n\tinode->i_data.a_ops = &fuse_symlink_aops;\n\tinode_nohighmem(inode);\n}", "project": "linux", "hash": 134125597654794916961496442715325225100, "size": 6, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342078 }, { "func": "void fuse_init_dir(struct inode *inode)\n{\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\n\tinode->i_op = &fuse_dir_inode_operations;\n\tinode->i_fop = &fuse_dir_operations;\n\n\tspin_lock_init(&fi->rdc.lock);\n\tfi->rdc.cached = false;\n\tfi->rdc.size = 0;\n\tfi->rdc.pos = 0;\n\tfi->rdc.version = 0;\n}", "project": "linux", "hash": 230566172457668392384425762479781380328, "size": 13, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341928 }, { "func": "static void fuse_init_inode(struct inode *inode, struct fuse_attr *attr)\n{\n\tinode->i_mode = attr->mode & S_IFMT;\n\tinode->i_size = attr->size;\n\tinode->i_mtime.tv_sec = attr->mtime;\n\tinode->i_mtime.tv_nsec = attr->mtimensec;\n\tinode->i_ctime.tv_sec = attr->ctime;\n\tinode->i_ctime.tv_nsec = attr->ctimensec;\n\tif (S_ISREG(inode->i_mode)) {\n\t\tfuse_init_common(inode);\n\t\tfuse_init_file_inode(inode);\n\t} else if (S_ISDIR(inode->i_mode))\n\t\tfuse_init_dir(inode);\n\telse if (S_ISLNK(inode->i_mode))\n\t\tfuse_init_symlink(inode);\n\telse if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) ||\n\t\t S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {\n\t\tfuse_init_common(inode);\n\t\tinit_special_inode(inode, inode->i_mode,\n\t\t\t\t new_decode_dev(attr->rdev));\n\t} else\n\t\tBUG();\n}", "project": "linux", "hash": 156304172245835147430111556298268202243, "size": 23, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342091 }, { "func": "void fuse_init_file_inode(struct inode *inode)\n{\n\tstruct fuse_inode *fi = get_fuse_inode(inode);\n\n\tinode->i_fop = &fuse_file_operations;\n\tinode->i_data.a_ops = &fuse_file_aops;\n\n\tINIT_LIST_HEAD(&fi->write_files);\n\tINIT_LIST_HEAD(&fi->queued_writes);\n\tfi->writectr = 0;\n\tinit_waitqueue_head(&fi->page_waitq);\n\tfi->writepages = RB_ROOT;\n\n\tif (IS_ENABLED(CONFIG_FUSE_DAX))\n\t\tfuse_dax_inode_init(inode);\n}", "project": "linux", "hash": 178322434593035571712059798050359282724, "size": 16, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 341941 }, { "func": "void fuse_init_common(struct inode *inode)\n{\n\tinode->i_op = &fuse_common_inode_operations;\n}", "project": "linux", "hash": 248772838405627279827367902211068504461, "size": 4, "commit_id": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "message": "fuse: fix bad inode\n\nJan Kara's analysis of the syzbot report (edited):\n\n The reproducer opens a directory on FUSE filesystem, it then attaches\n dnotify mark to the open directory. After that a fuse_do_getattr() call\n finds that attributes returned by the server are inconsistent, and calls\n make_bad_inode() which, among other things does:\n\n inode->i_mode = S_IFREG;\n\n This then confuses dnotify which doesn't tear down its structures\n properly and eventually crashes.\n\nAvoid calling make_bad_inode() on a live inode: switch to a private flag on\nthe fuse inode. 
Also add the test to ops which the bad_inode_ops would\nhave caught.\n\nThis bug goes back to the initial merge of fuse in 2.6.14...\n\nReported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com\nSigned-off-by: Miklos Szeredi \nTested-by: Jan Kara \nCc: ", "target": 0, "dataset": "other", "idx": 342087 } ] }, { "call_depth": 6, "longest_call_chain": [ "uvc_probe", "uvc_parse_control", "uvc_parse_standard_control", "uvc_parse_streaming", "uvc_parse_format", "uvc_colorspace" ], "group_size": 45, "functions": [ { "func": "static ssize_t tty_line_name(struct tty_driver *driver, int index, char *p)\n{\n\tif (driver->flags & TTY_DRIVER_UNNUMBERED_NODE)\n\t\treturn sprintf(p, \"%s\", driver->name);\n\telse\n\t\treturn sprintf(p, \"%s%d\", driver->name,\n\t\t\t index + driver->name_base);\n}", "project": "linux", "hash": 301790338222910075192029204516894260499, "size": 8, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. 
This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326065 }, { "func": "static int uvc_scan_chain_entity(struct uvc_video_chain *chain,\n\tstruct uvc_entity *entity)\n{\n\tswitch (UVC_ENTITY_TYPE(entity)) {\n\tcase UVC_VC_EXTENSION_UNIT:\n\t\tif (uvc_trace_param & UVC_TRACE_PROBE)\n\t\t\tprintk(KERN_CONT \" <- XU %d\", entity->id);\n\n\t\tif (entity->bNrInPins != 1) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"Extension unit %d has more \"\n\t\t\t\t\"than 1 input pin.\\n\", entity->id);\n\t\t\treturn -1;\n\t\t}\n\n\t\tbreak;\n\n\tcase UVC_VC_PROCESSING_UNIT:\n\t\tif (uvc_trace_param & UVC_TRACE_PROBE)\n\t\t\tprintk(KERN_CONT \" <- PU %d\", entity->id);\n\n\t\tif (chain->processing != NULL) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"Found multiple \"\n\t\t\t\t\"Processing Units in chain.\\n\");\n\t\t\treturn -1;\n\t\t}\n\n\t\tchain->processing = entity;\n\t\tbreak;\n\n\tcase UVC_VC_SELECTOR_UNIT:\n\t\tif (uvc_trace_param & UVC_TRACE_PROBE)\n\t\t\tprintk(KERN_CONT \" <- SU %d\", entity->id);\n\n\t\t/* Single-input selector units are ignored. 
*/\n\t\tif (entity->bNrInPins == 1)\n\t\t\tbreak;\n\n\t\tif (chain->selector != NULL) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"Found multiple Selector \"\n\t\t\t\t\"Units in chain.\\n\");\n\t\t\treturn -1;\n\t\t}\n\n\t\tchain->selector = entity;\n\t\tbreak;\n\n\tcase UVC_ITT_VENDOR_SPECIFIC:\n\tcase UVC_ITT_CAMERA:\n\tcase UVC_ITT_MEDIA_TRANSPORT_INPUT:\n\t\tif (uvc_trace_param & UVC_TRACE_PROBE)\n\t\t\tprintk(KERN_CONT \" <- IT %d\\n\", entity->id);\n\n\t\tbreak;\n\n\tcase UVC_OTT_VENDOR_SPECIFIC:\n\tcase UVC_OTT_DISPLAY:\n\tcase UVC_OTT_MEDIA_TRANSPORT_OUTPUT:\n\t\tif (uvc_trace_param & UVC_TRACE_PROBE)\n\t\t\tprintk(KERN_CONT \" OT %d\", entity->id);\n\n\t\tbreak;\n\n\tcase UVC_TT_STREAMING:\n\t\tif (UVC_ENTITY_IS_ITERM(entity)) {\n\t\t\tif (uvc_trace_param & UVC_TRACE_PROBE)\n\t\t\t\tprintk(KERN_CONT \" <- IT %d\\n\", entity->id);\n\t\t} else {\n\t\t\tif (uvc_trace_param & UVC_TRACE_PROBE)\n\t\t\t\tprintk(KERN_CONT \" OT %d\", entity->id);\n\t\t}\n\n\t\tbreak;\n\n\tdefault:\n\t\tuvc_trace(UVC_TRACE_DESCR, \"Unsupported entity type \"\n\t\t\t\"0x%04x found in chain.\\n\", UVC_ENTITY_TYPE(entity));\n\t\treturn -1;\n\t}\n\n\tlist_add_tail(&entity->chain, &chain->entities);\n\treturn 0;\n}", "project": "linux", "hash": 158672920257125284463065425067554869108, "size": 82, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: 
usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409201 }, { "func": "static int uvc_register_terms(struct uvc_device *dev,\n\tstruct uvc_video_chain *chain)\n{\n\tstruct uvc_streaming *stream;\n\tstruct uvc_entity *term;\n\tint ret;\n\n\tlist_for_each_entry(term, &chain->entities, chain) {\n\t\tif (UVC_ENTITY_TYPE(term) != UVC_TT_STREAMING)\n\t\t\tcontinue;\n\n\t\tstream = uvc_stream_by_id(dev, term->id);\n\t\tif (stream == NULL) {\n\t\t\tuvc_printk(KERN_INFO, \"No streaming interface found \"\n\t\t\t\t \"for terminal %u.\", term->id);\n\t\t\tcontinue;\n\t\t}\n\n\t\tstream->chain = chain;\n\t\tret = uvc_register_video(dev, stream);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\n\t\t/* Register a metadata node, but ignore a possible failure,\n\t\t * complete registration of video nodes anyway.\n\t\t */\n\t\tuvc_meta_register(stream);\n\n\t\tterm->vdev = &stream->vdev;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 172000632023694218523623626042497313250, "size": 33, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC 
chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n 
buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409186 }, { "func": "static ssize_t show_cons_active(struct device *dev,\n\t\t\t\tstruct device_attribute *attr, char *buf)\n{\n\tstruct console *cs[16];\n\tint i = 0;\n\tstruct console *c;\n\tssize_t count = 0;\n\n\tconsole_lock();\n\tfor_each_console(c) {\n\t\tif (!c->device)\n\t\t\tcontinue;\n\t\tif (!c->write)\n\t\t\tcontinue;\n\t\tif ((c->flags & CON_ENABLED) == 0)\n\t\t\tcontinue;\n\t\tcs[i++] = c;\n\t\tif (i >= ARRAY_SIZE(cs))\n\t\t\tbreak;\n\t}\n\twhile (i--) {\n\t\tint index = cs[i]->index;\n\t\tstruct tty_driver *drv = cs[i]->device(cs[i], &index);\n\n\t\t/* don't resolve tty0 as some programs depend on it */\n\t\tif (drv && (cs[i]->index > 0 || drv->major != TTY_MAJOR))\n\t\t\tcount += tty_line_name(drv, index, buf + count);\n\t\telse\n\t\t\tcount += sprintf(buf + count, \"%s%d\",\n\t\t\t\t\t cs[i]->name, cs[i]->index);\n\n\t\tcount += sprintf(buf + 
count, \"%c\", i ? ' ':'\\n');\n\t}\n\tconsole_unlock();\n\n\treturn count;\n}", "project": "linux", "hash": 49365584489150956154989483452687197100, "size": 37, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 326009 }, { "func": "static void mcba_usb_xmit_change_bitrate(struct mcba_priv *priv, u16 bitrate)\n{\n\tstruct mcba_usb_msg_change_bitrate usb_msg = {\n\t\t.cmd_id = 
MBCA_CMD_CHANGE_BIT_RATE\n\t};\n\n\tput_unaligned_be16(bitrate, &usb_msg.bitrate);\n\n\tmcba_usb_xmit_cmd(priv, (struct mcba_usb_msg *)&usb_msg);\n}", "project": "linux", "hash": 188683096646241800878542207363038339402, "size": 10, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398305 }, { "func": "static inline void mcba_usb_free_ctx(struct mcba_usb_ctx *ctx)\n{\n\t/* Increase number of free ctxs before freeing ctx */\n\tatomic_inc(&ctx->priv->free_ctx_cnt);\n\n\tctx->ndx = MCBA_CTX_FREE;\n\n\t/* Wake up the queue once ctx is marked free */\n\tnetif_wake_queue(ctx->priv->netdev);\n}", "project": "linux", "hash": 246424264661185394003140197825898501745, "size": 10, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398310 }, { "func": "static int mcba_set_termination(struct net_device *netdev, u16 term)\n{\n\tstruct mcba_priv *priv = netdev_priv(netdev);\n\tstruct mcba_usb_msg_termination usb_msg = {\n\t\t.cmd_id = MBCA_CMD_SETUP_TERMINATION_RESISTANCE\n\t};\n\n\tif (term == MCBA_TERMINATION_ENABLED)\n\t\tusb_msg.termination = 1;\n\telse\n\t\tusb_msg.termination = 0;\n\n\tmcba_usb_xmit_cmd(priv, 
(struct mcba_usb_msg *)&usb_msg);\n\n\treturn 0;\n}", "project": "linux", "hash": 91455352954186980372178199682080613248, "size": 16, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398303 }, { "func": "int uvc_register_video_device(struct uvc_device *dev,\n\t\t\t struct uvc_streaming *stream,\n\t\t\t struct video_device *vdev,\n\t\t\t struct uvc_video_queue *queue,\n\t\t\t enum v4l2_buf_type type,\n\t\t\t const struct v4l2_file_operations *fops,\n\t\t\t const struct v4l2_ioctl_ops *ioctl_ops)\n{\n\tint ret;\n\n\t/* Initialize the video buffers queue. */\n\tret = uvc_queue_init(queue, type, !uvc_no_drop_param);\n\tif (ret)\n\t\treturn ret;\n\n\t/* Register the device with V4L. */\n\n\t/*\n\t * We already hold a reference to dev->udev. 
The video device will be\n\t * unregistered before the reference is released, so we don't need to\n\t * get another one.\n\t */\n\tvdev->v4l2_dev = &dev->vdev;\n\tvdev->fops = fops;\n\tvdev->ioctl_ops = ioctl_ops;\n\tvdev->release = uvc_release;\n\tvdev->prio = &stream->chain->prio;\n\tif (type == V4L2_BUF_TYPE_VIDEO_OUTPUT)\n\t\tvdev->vfl_dir = VFL_DIR_TX;\n\telse\n\t\tvdev->vfl_dir = VFL_DIR_RX;\n\n\tswitch (type) {\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE:\n\tdefault:\n\t\tvdev->device_caps = V4L2_CAP_VIDEO_CAPTURE | V4L2_CAP_STREAMING;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT:\n\t\tvdev->device_caps = V4L2_CAP_VIDEO_OUTPUT | V4L2_CAP_STREAMING;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_META_CAPTURE:\n\t\tvdev->device_caps = V4L2_CAP_META_CAPTURE | V4L2_CAP_STREAMING;\n\t\tbreak;\n\t}\n\n\tstrscpy(vdev->name, dev->name, sizeof(vdev->name));\n\n\t/*\n\t * Set the driver data before calling video_register_device, otherwise\n\t * the file open() handler might race us.\n\t */\n\tvideo_set_drvdata(vdev, stream);\n\n\tret = video_register_device(vdev, VFL_TYPE_GRABBER, -1);\n\tif (ret < 0) {\n\t\tuvc_printk(KERN_ERR, \"Failed to register %s device (%d).\\n\",\n\t\t\t v4l2_type_names[type], ret);\n\t\treturn ret;\n\t}\n\n\tkref_get(&dev->ref);\n\treturn 0;\n}", "project": "linux", "hash": 181079295328812323234607917498799606242, "size": 63, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard 
PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409225 }, { "func": "static int mcba_usb_probe(struct usb_interface *intf,\n\t\t\t const struct usb_device_id *id)\n{\n\tstruct net_device *netdev;\n\tstruct mcba_priv *priv;\n\tint err = -ENOMEM;\n\tstruct usb_device *usbdev = interface_to_usbdev(intf);\n\n\tnetdev = alloc_candev(sizeof(struct mcba_priv), MCBA_MAX_TX_URBS);\n\tif (!netdev) {\n\t\tdev_err(&intf->dev, \"Couldn't alloc candev\\n\");\n\t\treturn -ENOMEM;\n\t}\n\n\tpriv = netdev_priv(netdev);\n\n\tpriv->udev = usbdev;\n\tpriv->netdev = netdev;\n\tpriv->usb_ka_first_pass = true;\n\tpriv->can_ka_first_pass = true;\n\tpriv->can_speed_check = false;\n\n\tinit_usb_anchor(&priv->rx_submitted);\n\tinit_usb_anchor(&priv->tx_submitted);\n\n\tusb_set_intfdata(intf, priv);\n\n\t/* Init CAN device */\n\tpriv->can.state = CAN_STATE_STOPPED;\n\tpriv->can.termination_const = mcba_termination;\n\tpriv->can.termination_const_cnt = ARRAY_SIZE(mcba_termination);\n\tpriv->can.bitrate_const = mcba_bitrate;\n\tpriv->can.bitrate_const_cnt = ARRAY_SIZE(mcba_bitrate);\n\n\tpriv->can.do_set_termination = mcba_set_termination;\n\tpriv->can.do_set_mode = mcba_net_set_mode;\n\tpriv->can.do_get_berr_counter = 
mcba_net_get_berr_counter;\n\tpriv->can.do_set_bittiming = mcba_net_set_bittiming;\n\n\tnetdev->netdev_ops = &mcba_netdev_ops;\n\n\tnetdev->flags |= IFF_ECHO; /* we support local echo */\n\n\tSET_NETDEV_DEV(netdev, &intf->dev);\n\n\terr = register_candev(netdev);\n\tif (err) {\n\t\tnetdev_err(netdev, \"couldn't register CAN device: %d\\n\", err);\n\n\t\tgoto cleanup_free_candev;\n\t}\n\n\tdevm_can_led_init(netdev);\n\n\t/* Start USB dev only if we have successfully registered CAN device */\n\terr = mcba_usb_start(priv);\n\tif (err) {\n\t\tif (err == -ENODEV)\n\t\t\tnetif_device_detach(priv->netdev);\n\n\t\tnetdev_warn(netdev, \"couldn't start device: %d\\n\", err);\n\n\t\tgoto cleanup_unregister_candev;\n\t}\n\n\tdev_info(&intf->dev, \"Microchip CAN BUS Analyzer connected\\n\");\n\n\treturn 0;\n\ncleanup_unregister_candev:\n\tunregister_candev(priv->netdev);\n\ncleanup_free_candev:\n\tfree_candev(netdev);\n\n\treturn err;\n}", "project": "linux", "hash": 62042834356172783330993597262242753312, "size": 77, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398307 }, { "func": "static void mcba_usb_xmit_cmd(struct mcba_priv *priv,\n\t\t\t struct mcba_usb_msg *usb_msg)\n{\n\tstruct mcba_usb_ctx *ctx = NULL;\n\tint err;\n\n\tctx = mcba_usb_get_free_ctx(priv, NULL);\n\tif (!ctx) {\n\t\tnetdev_err(priv->netdev,\n\t\t\t \"Lack of free ctx. 
Sending (%d) cmd aborted\",\n\t\t\t usb_msg->cmd_id);\n\n\t\treturn;\n\t}\n\n\terr = mcba_usb_xmit(priv, usb_msg, ctx);\n\tif (err)\n\t\tnetdev_err(priv->netdev, \"Failed to send cmd (%d)\",\n\t\t\t usb_msg->cmd_id);\n}", "project": "linux", "hash": 251758569847857211498583327480563794770, "size": 20, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398314 }, { "func": "static int uvc_scan_chain_forward(struct uvc_video_chain *chain,\n\tstruct uvc_entity *entity, struct uvc_entity *prev)\n{\n\tstruct uvc_entity *forward;\n\tint found;\n\n\t/* Forward scan */\n\tforward = NULL;\n\tfound = 0;\n\n\twhile (1) {\n\t\tforward = uvc_entity_by_reference(chain->dev, entity->id,\n\t\t\tforward);\n\t\tif (forward == NULL)\n\t\t\tbreak;\n\t\tif (forward == prev)\n\t\t\tcontinue;\n\n\t\tswitch (UVC_ENTITY_TYPE(forward)) {\n\t\tcase UVC_VC_EXTENSION_UNIT:\n\t\t\tif (forward->bNrInPins != 1) {\n\t\t\t\tuvc_trace(UVC_TRACE_DESCR, \"Extension unit %d \"\n\t\t\t\t\t \"has more than 1 input pin.\\n\",\n\t\t\t\t\t entity->id);\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tlist_add_tail(&forward->chain, &chain->entities);\n\t\t\tif (uvc_trace_param & UVC_TRACE_PROBE) {\n\t\t\t\tif (!found)\n\t\t\t\t\tprintk(KERN_CONT \" (->\");\n\n\t\t\t\tprintk(KERN_CONT \" XU %d\", forward->id);\n\t\t\t\tfound = 1;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase UVC_OTT_VENDOR_SPECIFIC:\n\t\tcase UVC_OTT_DISPLAY:\n\t\tcase UVC_OTT_MEDIA_TRANSPORT_OUTPUT:\n\t\tcase UVC_TT_STREAMING:\n\t\t\tif (UVC_ENTITY_IS_ITERM(forward)) {\n\t\t\t\tuvc_trace(UVC_TRACE_DESCR, \"Unsupported input 
\"\n\t\t\t\t\t\"terminal %u.\\n\", forward->id);\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tlist_add_tail(&forward->chain, &chain->entities);\n\t\t\tif (uvc_trace_param & UVC_TRACE_PROBE) {\n\t\t\t\tif (!found)\n\t\t\t\t\tprintk(KERN_CONT \" (->\");\n\n\t\t\t\tprintk(KERN_CONT \" OT %d\", forward->id);\n\t\t\t\tfound = 1;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (found)\n\t\tprintk(KERN_CONT \")\");\n\n\treturn 0;\n}", "project": "linux", "hash": 40134444787400205515449543582828290804, "size": 63, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add 
./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 1, "dataset": "other", "idx": 208387 }, { "func": "static int uvc_scan_chain_forward(struct uvc_video_chain *chain,\n\tstruct uvc_entity *entity, struct uvc_entity *prev)\n{\n\tstruct uvc_entity *forward;\n\tint found;\n\n\t/* Forward scan */\n\tforward = NULL;\n\tfound = 0;\n\n\twhile (1) {\n\t\tforward = uvc_entity_by_reference(chain->dev, entity->id,\n\t\t\tforward);\n\t\tif (forward == NULL)\n\t\t\tbreak;\n\t\tif (forward == prev)\n\t\t\tcontinue;\n\t\tif (forward->chain.next || forward->chain.prev) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"Found reference to \"\n\t\t\t\t\"entity %d already in chain.\\n\", forward->id);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tswitch (UVC_ENTITY_TYPE(forward)) {\n\t\tcase UVC_VC_EXTENSION_UNIT:\n\t\t\tif (forward->bNrInPins != 1) {\n\t\t\t\tuvc_trace(UVC_TRACE_DESCR, \"Extension unit %d \"\n\t\t\t\t\t \"has more than 1 input pin.\\n\",\n\t\t\t\t\t entity->id);\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tlist_add_tail(&forward->chain, &chain->entities);\n\t\t\tif (uvc_trace_param & UVC_TRACE_PROBE) {\n\t\t\t\tif (!found)\n\t\t\t\t\tprintk(KERN_CONT \" (->\");\n\n\t\t\t\tprintk(KERN_CONT \" XU %d\", forward->id);\n\t\t\t\tfound = 1;\n\t\t\t}\n\t\t\tbreak;\n\n\t\tcase 
UVC_OTT_VENDOR_SPECIFIC:\n\t\tcase UVC_OTT_DISPLAY:\n\t\tcase UVC_OTT_MEDIA_TRANSPORT_OUTPUT:\n\t\tcase UVC_TT_STREAMING:\n\t\t\tif (UVC_ENTITY_IS_ITERM(forward)) {\n\t\t\t\tuvc_trace(UVC_TRACE_DESCR, \"Unsupported input \"\n\t\t\t\t\t\"terminal %u.\\n\", forward->id);\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tlist_add_tail(&forward->chain, &chain->entities);\n\t\t\tif (uvc_trace_param & UVC_TRACE_PROBE) {\n\t\t\t\tif (!found)\n\t\t\t\t\tprintk(KERN_CONT \" (->\");\n\n\t\t\t\tprintk(KERN_CONT \" OT %d\", forward->id);\n\t\t\t\tfound = 1;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (found)\n\t\tprintk(KERN_CONT \")\");\n\n\treturn 0;\n}", "project": "linux", "hash": 295353061660172152390372845804699304944, "size": 68, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 
0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409209 }, { "func": "static int uvc_parse_streaming(struct uvc_device *dev,\n\tstruct usb_interface *intf)\n{\n\tstruct uvc_streaming *streaming = NULL;\n\tstruct uvc_format *format;\n\tstruct uvc_frame *frame;\n\tstruct usb_host_interface *alts = &intf->altsetting[0];\n\tunsigned char *_buffer, *buffer = alts->extra;\n\tint _buflen, buflen = alts->extralen;\n\tunsigned int nformats = 0, nframes = 0, nintervals = 0;\n\tunsigned int size, i, n, p;\n\tu32 *interval;\n\tu16 psize;\n\tint ret = -EINVAL;\n\n\tif (intf->cur_altsetting->desc.bInterfaceSubClass\n\t\t!= UVC_SC_VIDEOSTREAMING) {\n\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d interface %d isn't a \"\n\t\t\t\"video streaming interface\\n\", dev->udev->devnum,\n\t\t\tintf->altsetting[0].desc.bInterfaceNumber);\n\t\treturn -EINVAL;\n\t}\n\n\tif (usb_driver_claim_interface(&uvc_driver.driver, intf, dev)) {\n\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d interface %d is already \"\n\t\t\t\"claimed\\n\", dev->udev->devnum,\n\t\t\tintf->altsetting[0].desc.bInterfaceNumber);\n\t\treturn -EINVAL;\n\t}\n\n\tstreaming = uvc_stream_new(dev, intf);\n\tif (streaming == NULL) {\n\t\tusb_driver_release_interface(&uvc_driver.driver, 
intf);\n\t\treturn -ENOMEM;\n\t}\n\n\t/* The Pico iMage webcam has its class-specific interface descriptors\n\t * after the endpoint descriptors.\n\t */\n\tif (buflen == 0) {\n\t\tfor (i = 0; i < alts->desc.bNumEndpoints; ++i) {\n\t\t\tstruct usb_host_endpoint *ep = &alts->endpoint[i];\n\n\t\t\tif (ep->extralen == 0)\n\t\t\t\tcontinue;\n\n\t\t\tif (ep->extralen > 2 &&\n\t\t\t ep->extra[1] == USB_DT_CS_INTERFACE) {\n\t\t\t\tuvc_trace(UVC_TRACE_DESCR, \"trying extra data \"\n\t\t\t\t\t\"from endpoint %u.\\n\", i);\n\t\t\t\tbuffer = alts->endpoint[i].extra;\n\t\t\t\tbuflen = alts->endpoint[i].extralen;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\t/* Skip the standard interface descriptors. */\n\twhile (buflen > 2 && buffer[1] != USB_DT_CS_INTERFACE) {\n\t\tbuflen -= buffer[0];\n\t\tbuffer += buffer[0];\n\t}\n\n\tif (buflen <= 2) {\n\t\tuvc_trace(UVC_TRACE_DESCR, \"no class-specific streaming \"\n\t\t\t\"interface descriptors found.\\n\");\n\t\tgoto error;\n\t}\n\n\t/* Parse the header descriptor. */\n\tswitch (buffer[2]) {\n\tcase UVC_VS_OUTPUT_HEADER:\n\t\tstreaming->type = V4L2_BUF_TYPE_VIDEO_OUTPUT;\n\t\tsize = 9;\n\t\tbreak;\n\n\tcase UVC_VS_INPUT_HEADER:\n\t\tstreaming->type = V4L2_BUF_TYPE_VIDEO_CAPTURE;\n\t\tsize = 13;\n\t\tbreak;\n\n\tdefault:\n\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videostreaming interface \"\n\t\t\t\"%d HEADER descriptor not found.\\n\", dev->udev->devnum,\n\t\t\talts->desc.bInterfaceNumber);\n\t\tgoto error;\n\t}\n\n\tp = buflen >= 4 ? buffer[3] : 0;\n\tn = buflen >= size ? 
buffer[size-1] : 0;\n\n\tif (buflen < size + p*n) {\n\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videostreaming \"\n\t\t\t\"interface %d HEADER descriptor is invalid.\\n\",\n\t\t\tdev->udev->devnum, alts->desc.bInterfaceNumber);\n\t\tgoto error;\n\t}\n\n\tstreaming->header.bNumFormats = p;\n\tstreaming->header.bEndpointAddress = buffer[6];\n\tif (buffer[2] == UVC_VS_INPUT_HEADER) {\n\t\tstreaming->header.bmInfo = buffer[7];\n\t\tstreaming->header.bTerminalLink = buffer[8];\n\t\tstreaming->header.bStillCaptureMethod = buffer[9];\n\t\tstreaming->header.bTriggerSupport = buffer[10];\n\t\tstreaming->header.bTriggerUsage = buffer[11];\n\t} else {\n\t\tstreaming->header.bTerminalLink = buffer[7];\n\t}\n\tstreaming->header.bControlSize = n;\n\n\tstreaming->header.bmaControls = kmemdup(&buffer[size], p * n,\n\t\t\t\t\t\tGFP_KERNEL);\n\tif (streaming->header.bmaControls == NULL) {\n\t\tret = -ENOMEM;\n\t\tgoto error;\n\t}\n\n\tbuflen -= buffer[0];\n\tbuffer += buffer[0];\n\n\t_buffer = buffer;\n\t_buflen = buflen;\n\n\t/* Count the format and frame descriptors. */\n\twhile (_buflen > 2 && _buffer[1] == USB_DT_CS_INTERFACE) {\n\t\tswitch (_buffer[2]) {\n\t\tcase UVC_VS_FORMAT_UNCOMPRESSED:\n\t\tcase UVC_VS_FORMAT_MJPEG:\n\t\tcase UVC_VS_FORMAT_FRAME_BASED:\n\t\t\tnformats++;\n\t\t\tbreak;\n\n\t\tcase UVC_VS_FORMAT_DV:\n\t\t\t/* DV format has no frame descriptor. We will create a\n\t\t\t * dummy frame descriptor with a dummy frame interval.\n\t\t\t */\n\t\t\tnformats++;\n\t\t\tnframes++;\n\t\t\tnintervals++;\n\t\t\tbreak;\n\n\t\tcase UVC_VS_FORMAT_MPEG2TS:\n\t\tcase UVC_VS_FORMAT_STREAM_BASED:\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videostreaming \"\n\t\t\t\t\"interface %d FORMAT %u is not supported.\\n\",\n\t\t\t\tdev->udev->devnum,\n\t\t\t\talts->desc.bInterfaceNumber, _buffer[2]);\n\t\t\tbreak;\n\n\t\tcase UVC_VS_FRAME_UNCOMPRESSED:\n\t\tcase UVC_VS_FRAME_MJPEG:\n\t\t\tnframes++;\n\t\t\tif (_buflen > 25)\n\t\t\t\tnintervals += _buffer[25] ? 
_buffer[25] : 3;\n\t\t\tbreak;\n\n\t\tcase UVC_VS_FRAME_FRAME_BASED:\n\t\t\tnframes++;\n\t\t\tif (_buflen > 21)\n\t\t\t\tnintervals += _buffer[21] ? _buffer[21] : 3;\n\t\t\tbreak;\n\t\t}\n\n\t\t_buflen -= _buffer[0];\n\t\t_buffer += _buffer[0];\n\t}\n\n\tif (nformats == 0) {\n\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videostreaming interface \"\n\t\t\t\"%d has no supported formats defined.\\n\",\n\t\t\tdev->udev->devnum, alts->desc.bInterfaceNumber);\n\t\tgoto error;\n\t}\n\n\tsize = nformats * sizeof(*format) + nframes * sizeof(*frame)\n\t + nintervals * sizeof(*interval);\n\tformat = kzalloc(size, GFP_KERNEL);\n\tif (format == NULL) {\n\t\tret = -ENOMEM;\n\t\tgoto error;\n\t}\n\n\tframe = (struct uvc_frame *)&format[nformats];\n\tinterval = (u32 *)&frame[nframes];\n\n\tstreaming->format = format;\n\tstreaming->nformats = nformats;\n\n\t/* Parse the format descriptors. */\n\twhile (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE) {\n\t\tswitch (buffer[2]) {\n\t\tcase UVC_VS_FORMAT_UNCOMPRESSED:\n\t\tcase UVC_VS_FORMAT_MJPEG:\n\t\tcase UVC_VS_FORMAT_DV:\n\t\tcase UVC_VS_FORMAT_FRAME_BASED:\n\t\t\tformat->frame = frame;\n\t\t\tret = uvc_parse_format(dev, streaming, format,\n\t\t\t\t&interval, buffer, buflen);\n\t\t\tif (ret < 0)\n\t\t\t\tgoto error;\n\n\t\t\tframe += format->nframes;\n\t\t\tformat++;\n\n\t\t\tbuflen -= ret;\n\t\t\tbuffer += ret;\n\t\t\tcontinue;\n\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\n\t\tbuflen -= buffer[0];\n\t\tbuffer += buffer[0];\n\t}\n\n\tif (buflen)\n\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videostreaming interface \"\n\t\t\t\"%d has %u bytes of trailing descriptor garbage.\\n\",\n\t\t\tdev->udev->devnum, alts->desc.bInterfaceNumber, buflen);\n\n\t/* Parse the alternate settings to find the maximum bandwidth. 
*/\n\tfor (i = 0; i < intf->num_altsetting; ++i) {\n\t\tstruct usb_host_endpoint *ep;\n\t\talts = &intf->altsetting[i];\n\t\tep = uvc_find_endpoint(alts,\n\t\t\t\tstreaming->header.bEndpointAddress);\n\t\tif (ep == NULL)\n\t\t\tcontinue;\n\n\t\tpsize = le16_to_cpu(ep->desc.wMaxPacketSize);\n\t\tpsize = (psize & 0x07ff) * (1 + ((psize >> 11) & 3));\n\t\tif (psize > streaming->maxpsize)\n\t\t\tstreaming->maxpsize = psize;\n\t}\n\n\tlist_add_tail(&streaming->list, &dev->streams);\n\treturn 0;\n\nerror:\n\tusb_driver_release_interface(&uvc_driver.driver, intf);\n\tuvc_stream_delete(streaming);\n\treturn ret;\n}", "project": "linux", "hash": 27869652276220980568374001483416601178, "size": 245, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) 
GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409208 }, { "func": "static struct usb_device *testdev_to_usbdev(struct usbtest_dev *test)\n{\n\treturn interface_to_usbdev(test->intf);\n}", "project": "linux", "hash": 301571800582739700198547554476762014194, "size": 4, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] 
usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412243 }, { "func": "static int is_good_ext(struct usbtest_dev *tdev, u8 *buf)\n{\n\tstruct usb_ext_cap_descriptor *ext;\n\tu32 attr;\n\n\text = (struct usb_ext_cap_descriptor *) buf;\n\n\tif (ext->bLength != USB_DT_USB_EXT_CAP_SIZE) {\n\t\tERROR(tdev, \"bogus usb 2.0 extension descriptor length\\n\");\n\t\treturn 0;\n\t}\n\n\tattr = le32_to_cpu(ext->bmAttributes);\n\t/* bits[1:15] is used and others are reserved */\n\tif (attr & ~0xfffe) {\t/* reserved == 0 */\n\t\tERROR(tdev, \"reserved bits set\\n\");\n\t\treturn 0;\n\t}\n\n\treturn 1;\n}", "project": "linux", "hash": 218936243254521412647011876095238938683, "size": 21, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: 
usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae 
Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412279 }, { "func": "static int uvc_parse_format(struct uvc_device *dev,\n\tstruct uvc_streaming *streaming, struct uvc_format *format,\n\tu32 **intervals, unsigned char *buffer, int buflen)\n{\n\tstruct usb_interface *intf = streaming->intf;\n\tstruct usb_host_interface *alts = intf->cur_altsetting;\n\tstruct uvc_format_desc *fmtdesc;\n\tstruct uvc_frame *frame;\n\tconst unsigned char *start = buffer;\n\tunsigned int width_multiplier = 1;\n\tunsigned int interval;\n\tunsigned int i, n;\n\tu8 ftype;\n\n\tformat->type = buffer[2];\n\tformat->index = buffer[3];\n\n\tswitch (buffer[2]) {\n\tcase UVC_VS_FORMAT_UNCOMPRESSED:\n\tcase UVC_VS_FORMAT_FRAME_BASED:\n\t\tn = buffer[2] == UVC_VS_FORMAT_UNCOMPRESSED ? 27 : 28;\n\t\tif (buflen < n) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videostreaming \"\n\t\t\t \"interface %d FORMAT error\\n\",\n\t\t\t dev->udev->devnum,\n\t\t\t alts->desc.bInterfaceNumber);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\t/* Find the format descriptor from its GUID. 
*/\n\t\tfmtdesc = uvc_format_by_guid(&buffer[5]);\n\n\t\tif (fmtdesc != NULL) {\n\t\t\tstrscpy(format->name, fmtdesc->name,\n\t\t\t\tsizeof(format->name));\n\t\t\tformat->fcc = fmtdesc->fcc;\n\t\t} else {\n\t\t\tuvc_printk(KERN_INFO, \"Unknown video format %pUl\\n\",\n\t\t\t\t&buffer[5]);\n\t\t\tsnprintf(format->name, sizeof(format->name), \"%pUl\\n\",\n\t\t\t\t&buffer[5]);\n\t\t\tformat->fcc = 0;\n\t\t}\n\n\t\tformat->bpp = buffer[21];\n\n\t\t/* Some devices report a format that doesn't match what they\n\t\t * really send.\n\t\t */\n\t\tif (dev->quirks & UVC_QUIRK_FORCE_Y8) {\n\t\t\tif (format->fcc == V4L2_PIX_FMT_YUYV) {\n\t\t\t\tstrscpy(format->name, \"Greyscale 8-bit (Y8 )\",\n\t\t\t\t\tsizeof(format->name));\n\t\t\t\tformat->fcc = V4L2_PIX_FMT_GREY;\n\t\t\t\tformat->bpp = 8;\n\t\t\t\twidth_multiplier = 2;\n\t\t\t}\n\t\t}\n\n\t\tif (buffer[2] == UVC_VS_FORMAT_UNCOMPRESSED) {\n\t\t\tftype = UVC_VS_FRAME_UNCOMPRESSED;\n\t\t} else {\n\t\t\tftype = UVC_VS_FRAME_FRAME_BASED;\n\t\t\tif (buffer[27])\n\t\t\t\tformat->flags = UVC_FMT_FLAG_COMPRESSED;\n\t\t}\n\t\tbreak;\n\n\tcase UVC_VS_FORMAT_MJPEG:\n\t\tif (buflen < 11) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videostreaming \"\n\t\t\t \"interface %d FORMAT error\\n\",\n\t\t\t dev->udev->devnum,\n\t\t\t alts->desc.bInterfaceNumber);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tstrscpy(format->name, \"MJPEG\", sizeof(format->name));\n\t\tformat->fcc = V4L2_PIX_FMT_MJPEG;\n\t\tformat->flags = UVC_FMT_FLAG_COMPRESSED;\n\t\tformat->bpp = 0;\n\t\tftype = UVC_VS_FRAME_MJPEG;\n\t\tbreak;\n\n\tcase UVC_VS_FORMAT_DV:\n\t\tif (buflen < 9) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videostreaming \"\n\t\t\t \"interface %d FORMAT error\\n\",\n\t\t\t dev->udev->devnum,\n\t\t\t alts->desc.bInterfaceNumber);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tswitch (buffer[8] & 0x7f) {\n\t\tcase 0:\n\t\t\tstrscpy(format->name, \"SD-DV\", sizeof(format->name));\n\t\t\tbreak;\n\t\tcase 1:\n\t\t\tstrscpy(format->name, \"SDL-DV\", 
sizeof(format->name));\n\t\t\tbreak;\n\t\tcase 2:\n\t\t\tstrscpy(format->name, \"HD-DV\", sizeof(format->name));\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videostreaming \"\n\t\t\t \"interface %d: unknown DV format %u\\n\",\n\t\t\t dev->udev->devnum,\n\t\t\t alts->desc.bInterfaceNumber, buffer[8]);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tstrlcat(format->name, buffer[8] & (1 << 7) ? \" 60Hz\" : \" 50Hz\",\n\t\t\tsizeof(format->name));\n\n\t\tformat->fcc = V4L2_PIX_FMT_DV;\n\t\tformat->flags = UVC_FMT_FLAG_COMPRESSED | UVC_FMT_FLAG_STREAM;\n\t\tformat->bpp = 0;\n\t\tftype = 0;\n\n\t\t/* Create a dummy frame descriptor. */\n\t\tframe = &format->frame[0];\n\t\tmemset(&format->frame[0], 0, sizeof(format->frame[0]));\n\t\tframe->bFrameIntervalType = 1;\n\t\tframe->dwDefaultFrameInterval = 1;\n\t\tframe->dwFrameInterval = *intervals;\n\t\t*(*intervals)++ = 1;\n\t\tformat->nframes = 1;\n\t\tbreak;\n\n\tcase UVC_VS_FORMAT_MPEG2TS:\n\tcase UVC_VS_FORMAT_STREAM_BASED:\n\t\t/* Not supported yet. */\n\tdefault:\n\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videostreaming \"\n\t\t \"interface %d unsupported format %u\\n\",\n\t\t dev->udev->devnum, alts->desc.bInterfaceNumber,\n\t\t buffer[2]);\n\t\treturn -EINVAL;\n\t}\n\n\tuvc_trace(UVC_TRACE_DESCR, \"Found format %s.\\n\", format->name);\n\n\tbuflen -= buffer[0];\n\tbuffer += buffer[0];\n\n\t/* Parse the frame descriptors. Only uncompressed, MJPEG and frame\n\t * based formats have frame descriptors.\n\t */\n\twhile (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&\n\t buffer[2] == ftype) {\n\t\tframe = &format->frame[format->nframes];\n\t\tif (ftype != UVC_VS_FRAME_FRAME_BASED)\n\t\t\tn = buflen > 25 ? buffer[25] : 0;\n\t\telse\n\t\t\tn = buflen > 21 ? buffer[21] : 0;\n\n\t\tn = n ? 
n : 3;\n\n\t\tif (buflen < 26 + 4*n) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videostreaming \"\n\t\t\t \"interface %d FRAME error\\n\", dev->udev->devnum,\n\t\t\t alts->desc.bInterfaceNumber);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tframe->bFrameIndex = buffer[3];\n\t\tframe->bmCapabilities = buffer[4];\n\t\tframe->wWidth = get_unaligned_le16(&buffer[5])\n\t\t\t * width_multiplier;\n\t\tframe->wHeight = get_unaligned_le16(&buffer[7]);\n\t\tframe->dwMinBitRate = get_unaligned_le32(&buffer[9]);\n\t\tframe->dwMaxBitRate = get_unaligned_le32(&buffer[13]);\n\t\tif (ftype != UVC_VS_FRAME_FRAME_BASED) {\n\t\t\tframe->dwMaxVideoFrameBufferSize =\n\t\t\t\tget_unaligned_le32(&buffer[17]);\n\t\t\tframe->dwDefaultFrameInterval =\n\t\t\t\tget_unaligned_le32(&buffer[21]);\n\t\t\tframe->bFrameIntervalType = buffer[25];\n\t\t} else {\n\t\t\tframe->dwMaxVideoFrameBufferSize = 0;\n\t\t\tframe->dwDefaultFrameInterval =\n\t\t\t\tget_unaligned_le32(&buffer[17]);\n\t\t\tframe->bFrameIntervalType = buffer[21];\n\t\t}\n\t\tframe->dwFrameInterval = *intervals;\n\n\t\t/* Several UVC chipsets screw up dwMaxVideoFrameBufferSize\n\t\t * completely. Observed behaviours range from setting the\n\t\t * value to 1.1x the actual frame size to hardwiring the\n\t\t * 16 low bits to 0. This results in a higher than necessary\n\t\t * memory usage as well as a wrong image size information. For\n\t\t * uncompressed formats this can be fixed by computing the\n\t\t * value from the frame size.\n\t\t */\n\t\tif (!(format->flags & UVC_FMT_FLAG_COMPRESSED))\n\t\t\tframe->dwMaxVideoFrameBufferSize = format->bpp\n\t\t\t\t* frame->wWidth * frame->wHeight / 8;\n\n\t\t/* Some bogus devices report dwMinFrameInterval equal to\n\t\t * dwMaxFrameInterval and have dwFrameIntervalStep set to\n\t\t * zero. 
Setting all null intervals to 1 fixes the problem and\n\t\t * some other divisions by zero that could happen.\n\t\t */\n\t\tfor (i = 0; i < n; ++i) {\n\t\t\tinterval = get_unaligned_le32(&buffer[26+4*i]);\n\t\t\t*(*intervals)++ = interval ? interval : 1;\n\t\t}\n\n\t\t/* Make sure that the default frame interval stays between\n\t\t * the boundaries.\n\t\t */\n\t\tn -= frame->bFrameIntervalType ? 1 : 2;\n\t\tframe->dwDefaultFrameInterval =\n\t\t\tmin(frame->dwFrameInterval[n],\n\t\t\t max(frame->dwFrameInterval[0],\n\t\t\t\tframe->dwDefaultFrameInterval));\n\n\t\tif (dev->quirks & UVC_QUIRK_RESTRICT_FRAME_RATE) {\n\t\t\tframe->bFrameIntervalType = 1;\n\t\t\tframe->dwFrameInterval[0] =\n\t\t\t\tframe->dwDefaultFrameInterval;\n\t\t}\n\n\t\tuvc_trace(UVC_TRACE_DESCR, \"- %ux%u (%u.%u fps)\\n\",\n\t\t\tframe->wWidth, frame->wHeight,\n\t\t\t10000000/frame->dwDefaultFrameInterval,\n\t\t\t(100000000/frame->dwDefaultFrameInterval)%10);\n\n\t\tformat->nframes++;\n\t\tbuflen -= buffer[0];\n\t\tbuffer += buffer[0];\n\t}\n\n\tif (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&\n\t buffer[2] == UVC_VS_STILL_IMAGE_FRAME) {\n\t\tbuflen -= buffer[0];\n\t\tbuffer += buffer[0];\n\t}\n\n\tif (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&\n\t buffer[2] == UVC_VS_COLORFORMAT) {\n\t\tif (buflen < 6) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videostreaming \"\n\t\t\t \"interface %d COLORFORMAT error\\n\",\n\t\t\t dev->udev->devnum,\n\t\t\t alts->desc.bInterfaceNumber);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tformat->colorspace = uvc_colorspace(buffer[3]);\n\n\t\tbuflen -= buffer[0];\n\t\tbuffer += buffer[0];\n\t}\n\n\treturn buffer - start;\n}", "project": "linux", "hash": 32784759999840524246832250390292682619, "size": 257, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC 
chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n 
buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409202 }, { "func": "static void mcba_usb_xmit_read_fw_ver(struct mcba_priv *priv, u8 pic)\n{\n\tstruct mcba_usb_msg_fw_ver usb_msg = {\n\t\t.cmd_id = MBCA_CMD_READ_FW_VERSION,\n\t\t.pic = pic\n\t};\n\n\tmcba_usb_xmit_cmd(priv, (struct mcba_usb_msg *)&usb_msg);\n}", "project": "linux", "hash": 210035305527356733271858080741368634908, "size": 9, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398298 }, { "func": "static void 
mcba_usb_write_bulk_callback(struct urb *urb)\n{\n\tstruct mcba_usb_ctx *ctx = urb->context;\n\tstruct net_device *netdev;\n\n\tWARN_ON(!ctx);\n\n\tnetdev = ctx->priv->netdev;\n\n\t/* free up our allocated buffer */\n\tusb_free_coherent(urb->dev, urb->transfer_buffer_length,\n\t\t\t urb->transfer_buffer, urb->transfer_dma);\n\n\tif (ctx->can) {\n\t\tif (!netif_device_present(netdev))\n\t\t\treturn;\n\n\t\tnetdev->stats.tx_packets++;\n\t\tnetdev->stats.tx_bytes += ctx->dlc;\n\n\t\tcan_led_event(netdev, CAN_LED_EVENT_TX);\n\t\tcan_get_echo_skb(netdev, ctx->ndx);\n\t}\n\n\tif (urb->status)\n\t\tnetdev_info(netdev, \"Tx URB aborted (%d)\\n\", urb->status);\n\n\t/* Release the context */\n\tmcba_usb_free_ctx(ctx);\n}", "project": "linux", "hash": 45538321204085505452222659569558628924, "size": 30, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398313 }, { "func": "static int is_good_con_id(struct usbtest_dev *tdev, u8 *buf)\n{\n\tstruct usb_ss_container_id_descriptor *con_id;\n\n\tcon_id = (struct usb_ss_container_id_descriptor *) buf;\n\n\tif (con_id->bLength != USB_DT_USB_SS_CONTN_ID_SIZE) {\n\t\tERROR(tdev, \"bogus container id descriptor length\\n\");\n\t\treturn 0;\n\t}\n\n\tif (con_id->bReserved) {\t/* reserved == 0 */\n\t\tERROR(tdev, \"reserved bits set\\n\");\n\t\treturn 0;\n\t}\n\n\treturn 1;\n}", "project": "linux", "hash": 32617160002271902847533175308372532676, "size": 18, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory 
leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: 
https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412246 }, { "func": "static void uvc_unregister_video(struct uvc_device *dev)\n{\n\tstruct uvc_streaming *stream;\n\n\tlist_for_each_entry(stream, &dev->streams, list) {\n\t\tif (!video_is_registered(&stream->vdev))\n\t\t\tcontinue;\n\n\t\tvideo_unregister_device(&stream->vdev);\n\t\tvideo_unregister_device(&stream->meta.vdev);\n\n\t\tuvc_debugfs_cleanup_stream(stream);\n\t}\n\n\tuvc_status_unregister(dev);\n\n\tif (dev->vdev.dev)\n\t\tv4l2_device_unregister(&dev->vdev);\n#ifdef CONFIG_MEDIA_CONTROLLER\n\tif (media_devnode_is_registered(dev->mdev.devnode))\n\t\tmedia_device_unregister(&dev->mdev);\n#endif\n}", "project": "linux", "hash": 197964739696470058616185361162188454468, "size": 23, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 
0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409204 }, { "func": "static int uvc_register_chains(struct uvc_device *dev)\n{\n\tstruct uvc_video_chain *chain;\n\tint ret;\n\n\tlist_for_each_entry(chain, &dev->chains, list) {\n\t\tret = uvc_register_terms(dev, chain);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\n#ifdef CONFIG_MEDIA_CONTROLLER\n\t\tret = uvc_mc_register_entities(chain);\n\t\tif (ret < 0)\n\t\t\tuvc_printk(KERN_INFO,\n\t\t\t\t \"Failed to register entities (%d).\\n\", ret);\n#endif\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 309142913211865347974026936524472669010, "size": 20, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU 
Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409211 }, { "func": "static int uvc_scan_device(struct uvc_device *dev)\n{\n\tstruct uvc_video_chain *chain;\n\tstruct uvc_entity *term;\n\n\tlist_for_each_entry(term, &dev->entities, list) {\n\t\tif (!UVC_ENTITY_IS_OTERM(term))\n\t\t\tcontinue;\n\n\t\t/* If the terminal is already included in a chain, skip it.\n\t\t * This can happen for chains that have multiple output\n\t\t * terminals, where all output terminals beside the first one\n\t\t * will be inserted in the chain in forward scans.\n\t\t */\n\t\tif (term->chain.next || term->chain.prev)\n\t\t\tcontinue;\n\n\t\tchain = uvc_alloc_chain(dev);\n\t\tif (chain == NULL)\n\t\t\treturn -ENOMEM;\n\n\t\tterm->flags |= UVC_ENTITY_FLAG_DEFAULT;\n\n\t\tif (uvc_scan_chain(chain, term) < 0) {\n\t\t\tkfree(chain);\n\t\t\tcontinue;\n\t\t}\n\n\t\tuvc_trace(UVC_TRACE_PROBE, \"Found a valid video chain (%s).\\n\",\n\t\t\t uvc_print_chain(chain));\n\n\t\tlist_add_tail(&chain->list, &dev->chains);\n\t}\n\n\tif (list_empty(&dev->chains))\n\t\tuvc_scan_fallback(dev);\n\n\tif (list_empty(&dev->chains)) {\n\t\tuvc_printk(KERN_INFO, \"No valid video chain found.\\n\");\n\t\treturn -1;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 
261531566756926077100754724285749532948, "size": 44, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n 
ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409212 }, { "func": "static void uvc_stream_delete(struct uvc_streaming *stream)\n{\n\tif (stream->async_wq)\n\t\tdestroy_workqueue(stream->async_wq);\n\n\tmutex_destroy(&stream->mutex);\n\n\tusb_put_intf(stream->intf);\n\n\tkfree(stream->format);\n\tkfree(stream->header.bmaControls);\n\tkfree(stream);\n}", "project": "linux", "hash": 28666930626399463046824614664885842156, "size": 13, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, 
fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor 
describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409197 }, { "func": "static netdev_tx_t mcba_usb_xmit(struct mcba_priv *priv,\n\t\t\t\t struct mcba_usb_msg *usb_msg,\n\t\t\t\t struct mcba_usb_ctx *ctx)\n{\n\tstruct urb *urb;\n\tu8 *buf;\n\tint err;\n\n\t/* create a URB, and a buffer for it, and copy the data to the URB */\n\turb = usb_alloc_urb(0, GFP_ATOMIC);\n\tif (!urb)\n\t\treturn -ENOMEM;\n\n\tbuf = usb_alloc_coherent(priv->udev, MCBA_USB_TX_BUFF_SIZE, GFP_ATOMIC,\n\t\t\t\t &urb->transfer_dma);\n\tif (!buf) {\n\t\terr = -ENOMEM;\n\t\tgoto nomembuf;\n\t}\n\n\tmemcpy(buf, usb_msg, MCBA_USB_TX_BUFF_SIZE);\n\n\tusb_fill_bulk_urb(urb, priv->udev,\n\t\t\t usb_sndbulkpipe(priv->udev, MCBA_USB_EP_OUT), buf,\n\t\t\t MCBA_USB_TX_BUFF_SIZE, mcba_usb_write_bulk_callback,\n\t\t\t ctx);\n\n\turb->transfer_flags |= 
URB_NO_TRANSFER_DMA_MAP;\n\tusb_anchor_urb(urb, &priv->tx_submitted);\n\n\terr = usb_submit_urb(urb, GFP_ATOMIC);\n\tif (unlikely(err))\n\t\tgoto failed;\n\n\t/* Release our reference to this URB, the USB core will eventually free\n\t * it entirely.\n\t */\n\tusb_free_urb(urb);\n\n\treturn 0;\n\nfailed:\n\tusb_unanchor_urb(urb);\n\tusb_free_coherent(priv->udev, MCBA_USB_TX_BUFF_SIZE, buf,\n\t\t\t urb->transfer_dma);\n\n\tif (err == -ENODEV)\n\t\tnetif_device_detach(priv->netdev);\n\telse\n\t\tnetdev_warn(priv->netdev, \"failed tx_urb %d\\n\", err);\n\nnomembuf:\n\tusb_free_urb(urb);\n\n\treturn err;\n}", "project": "linux", "hash": 183725081123063603967366006984033386601, "size": 56, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398300 }, { "func": "static inline void mcba_init_ctx(struct mcba_priv *priv)\n{\n\tint i = 0;\n\n\tfor (i = 0; i < MCBA_MAX_TX_URBS; i++) {\n\t\tpriv->tx_context[i].ndx = MCBA_CTX_FREE;\n\t\tpriv->tx_context[i].priv = priv;\n\t}\n\n\tatomic_set(&priv->free_ctx_cnt, ARRAY_SIZE(priv->tx_context));\n}", "project": "linux", "hash": 91421999980957916521793713906278235751, "size": 11, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc 
Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398304 }, { "func": "static int mcba_net_set_bittiming(struct net_device *netdev)\n{\n\tstruct mcba_priv *priv = netdev_priv(netdev);\n\tconst u16 bitrate_kbps = priv->can.bittiming.bitrate / 1000;\n\n\tmcba_usb_xmit_change_bitrate(priv, bitrate_kbps);\n\n\treturn 0;\n}", "project": "linux", "hash": 119493037126678850958961489266494581845, "size": 9, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398322 }, { "func": "static u32 uvc_colorspace(const u8 primaries)\n{\n\tstatic const u8 colorprimaries[] = {\n\t\t0,\n\t\tV4L2_COLORSPACE_SRGB,\n\t\tV4L2_COLORSPACE_470_SYSTEM_M,\n\t\tV4L2_COLORSPACE_470_SYSTEM_BG,\n\t\tV4L2_COLORSPACE_SMPTE170M,\n\t\tV4L2_COLORSPACE_SMPTE240M,\n\t};\n\n\tif (primaries < ARRAY_SIZE(colorprimaries))\n\t\treturn colorprimaries[primaries];\n\n\treturn 0;\n}", "project": "linux", "hash": 315549388529798411249317114254224813410, "size": 16, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | 
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409198 }, { "func": "static void uvc_delete(struct kref *kref)\n{\n\tstruct uvc_device *dev = container_of(kref, struct uvc_device, ref);\n\tstruct list_head *p, *n;\n\n\tuvc_status_cleanup(dev);\n\tuvc_ctrl_cleanup_device(dev);\n\n\tusb_put_intf(dev->intf);\n\tusb_put_dev(dev->udev);\n\n#ifdef CONFIG_MEDIA_CONTROLLER\n\tmedia_device_cleanup(&dev->mdev);\n#endif\n\n\tlist_for_each_safe(p, n, &dev->chains) {\n\t\tstruct uvc_video_chain *chain;\n\t\tchain = list_entry(p, struct uvc_video_chain, list);\n\t\tkfree(chain);\n\t}\n\n\tlist_for_each_safe(p, n, &dev->entities) {\n\t\tstruct uvc_entity *entity;\n\t\tentity = list_entry(p, struct uvc_entity, list);\n#ifdef CONFIG_MEDIA_CONTROLLER\n\t\tuvc_mc_cleanup_entity(entity);\n#endif\n\t\tkfree(entity);\n\t}\n\n\tlist_for_each_safe(p, n, &dev->streams) {\n\t\tstruct uvc_streaming *streaming;\n\t\tstreaming = list_entry(p, struct uvc_streaming, list);\n\t\tusb_driver_release_interface(&uvc_driver.driver,\n\t\t\tstreaming->intf);\n\t\tuvc_stream_delete(streaming);\n\t}\n\n\tkfree(dev);\n}", "project": "linux", "hash": 95480158427995764568376172552868666068, "size": 40, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", 
"message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 
010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409213 }, { "func": "static int get_altsetting(struct usbtest_dev *dev)\n{\n\tstruct usb_interface\t*iface = dev->intf;\n\tstruct usb_device\t*udev = interface_to_usbdev(iface);\n\tint\t\t\tretval;\n\n\tretval = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),\n\t\t\tUSB_REQ_GET_INTERFACE, USB_DIR_IN|USB_RECIP_INTERFACE,\n\t\t\t0, iface->altsetting[0].desc.bInterfaceNumber,\n\t\t\tdev->buf, 1, USB_CTRL_GET_TIMEOUT);\n\tswitch (retval) {\n\tcase 1:\n\t\treturn dev->buf[0];\n\tcase 0:\n\t\tretval = -ERANGE;\n\t\t/* FALLTHROUGH */\n\tdefault:\n\t\treturn retval;\n\t}\n}", "project": "linux", "hash": 315443015883508908626260586947802891537, "size": 20, "commit_id": 
"28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 
drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412268 }, { "func": "static int uvc_probe(struct usb_interface *intf,\n\t\t const struct usb_device_id *id)\n{\n\tstruct usb_device *udev = interface_to_usbdev(intf);\n\tstruct uvc_device *dev;\n\tconst struct uvc_device_info *info =\n\t\t(const struct uvc_device_info *)id->driver_info;\n\tint function;\n\tint ret;\n\n\tif (id->idVendor && id->idProduct)\n\t\tuvc_trace(UVC_TRACE_PROBE, \"Probing known UVC device %s \"\n\t\t\t\t\"(%04x:%04x)\\n\", udev->devpath, id->idVendor,\n\t\t\t\tid->idProduct);\n\telse\n\t\tuvc_trace(UVC_TRACE_PROBE, \"Probing generic UVC device %s\\n\",\n\t\t\t\tudev->devpath);\n\n\t/* Allocate memory for the device and initialize it. */\n\tdev = kzalloc(sizeof(*dev), GFP_KERNEL);\n\tif (dev == NULL)\n\t\treturn -ENOMEM;\n\n\tINIT_LIST_HEAD(&dev->entities);\n\tINIT_LIST_HEAD(&dev->chains);\n\tINIT_LIST_HEAD(&dev->streams);\n\tkref_init(&dev->ref);\n\tatomic_set(&dev->nmappings, 0);\n\tmutex_init(&dev->lock);\n\n\tdev->udev = usb_get_dev(udev);\n\tdev->intf = usb_get_intf(intf);\n\tdev->intfnum = intf->cur_altsetting->desc.bInterfaceNumber;\n\tdev->info = info ? info : &uvc_quirk_none;\n\tdev->quirks = uvc_quirks_param == -1\n\t\t ? dev->info->quirks : uvc_quirks_param;\n\n\tif (udev->product != NULL)\n\t\tstrscpy(dev->name, udev->product, sizeof(dev->name));\n\telse\n\t\tsnprintf(dev->name, sizeof(dev->name),\n\t\t\t \"UVC Camera (%04x:%04x)\",\n\t\t\t le16_to_cpu(udev->descriptor.idVendor),\n\t\t\t le16_to_cpu(udev->descriptor.idProduct));\n\n\t/*\n\t * Add iFunction or iInterface to names when available as additional\n\t * distinguishers between interfaces. 
iFunction is prioritized over\n\t * iInterface which matches Windows behavior at the point of writing.\n\t */\n\tif (intf->intf_assoc && intf->intf_assoc->iFunction != 0)\n\t\tfunction = intf->intf_assoc->iFunction;\n\telse\n\t\tfunction = intf->cur_altsetting->desc.iInterface;\n\tif (function != 0) {\n\t\tsize_t len;\n\n\t\tstrlcat(dev->name, \": \", sizeof(dev->name));\n\t\tlen = strlen(dev->name);\n\t\tusb_string(udev, function, dev->name + len,\n\t\t\t sizeof(dev->name) - len);\n\t}\n\n\t/* Initialize the media device. */\n#ifdef CONFIG_MEDIA_CONTROLLER\n\tdev->mdev.dev = &intf->dev;\n\tstrscpy(dev->mdev.model, dev->name, sizeof(dev->mdev.model));\n\tif (udev->serial)\n\t\tstrscpy(dev->mdev.serial, udev->serial,\n\t\t\tsizeof(dev->mdev.serial));\n\tusb_make_path(udev, dev->mdev.bus_info, sizeof(dev->mdev.bus_info));\n\tdev->mdev.hw_revision = le16_to_cpu(udev->descriptor.bcdDevice);\n\tmedia_device_init(&dev->mdev);\n\n\tdev->vdev.mdev = &dev->mdev;\n#endif\n\n\t/* Parse the Video Class control descriptor. */\n\tif (uvc_parse_control(dev) < 0) {\n\t\tuvc_trace(UVC_TRACE_PROBE, \"Unable to parse UVC \"\n\t\t\t\"descriptors.\\n\");\n\t\tgoto error;\n\t}\n\n\tuvc_printk(KERN_INFO, \"Found UVC %u.%02x device %s (%04x:%04x)\\n\",\n\t\tdev->uvc_version >> 8, dev->uvc_version & 0xff,\n\t\tudev->product ? udev->product : \"\",\n\t\tle16_to_cpu(udev->descriptor.idVendor),\n\t\tle16_to_cpu(udev->descriptor.idProduct));\n\n\tif (dev->quirks != dev->info->quirks) {\n\t\tuvc_printk(KERN_INFO, \"Forcing device quirks to 0x%x by module \"\n\t\t\t\"parameter for testing purpose.\\n\", dev->quirks);\n\t\tuvc_printk(KERN_INFO, \"Please report required quirks to the \"\n\t\t\t\"linux-uvc-devel mailing list.\\n\");\n\t}\n\n\t/* Register the V4L2 device. */\n\tif (v4l2_device_register(&intf->dev, &dev->vdev) < 0)\n\t\tgoto error;\n\n\t/* Initialize controls. */\n\tif (uvc_ctrl_init_device(dev) < 0)\n\t\tgoto error;\n\n\t/* Scan the device for video chains. 
*/\n\tif (uvc_scan_device(dev) < 0)\n\t\tgoto error;\n\n\t/* Register video device nodes. */\n\tif (uvc_register_chains(dev) < 0)\n\t\tgoto error;\n\n#ifdef CONFIG_MEDIA_CONTROLLER\n\t/* Register the media device node */\n\tif (media_device_register(&dev->mdev) < 0)\n\t\tgoto error;\n#endif\n\t/* Save our data pointer in the interface data. */\n\tusb_set_intfdata(intf, dev);\n\n\t/* Initialize the interrupt URB. */\n\tif ((ret = uvc_status_init(dev)) < 0) {\n\t\tuvc_printk(KERN_INFO, \"Unable to initialize the status \"\n\t\t\t\"endpoint (%d), status interrupt will not be \"\n\t\t\t\"supported.\\n\", ret);\n\t}\n\n\tuvc_trace(UVC_TRACE_PROBE, \"UVC device initialized.\\n\");\n\tusb_enable_autosuspend(udev);\n\treturn 0;\n\nerror:\n\tuvc_unregister_video(dev);\n\tkref_put(&dev->ref, uvc_delete);\n\treturn -ENODEV;\n}", "project": "linux", "hash": 131172942807688393244455826610994222131, "size": 137, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 
R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409193 }, { "func": "static int uvc_scan_chain_backward(struct uvc_video_chain *chain,\n\tstruct uvc_entity **_entity)\n{\n\tstruct uvc_entity *entity = *_entity;\n\tstruct uvc_entity *term;\n\tint id = -EINVAL, i;\n\n\tswitch (UVC_ENTITY_TYPE(entity)) {\n\tcase UVC_VC_EXTENSION_UNIT:\n\tcase UVC_VC_PROCESSING_UNIT:\n\t\tid = entity->baSourceID[0];\n\t\tbreak;\n\n\tcase UVC_VC_SELECTOR_UNIT:\n\t\t/* Single-input selector units are ignored. 
*/\n\t\tif (entity->bNrInPins == 1) {\n\t\t\tid = entity->baSourceID[0];\n\t\t\tbreak;\n\t\t}\n\n\t\tif (uvc_trace_param & UVC_TRACE_PROBE)\n\t\t\tprintk(KERN_CONT \" <- IT\");\n\n\t\tchain->selector = entity;\n\t\tfor (i = 0; i < entity->bNrInPins; ++i) {\n\t\t\tid = entity->baSourceID[i];\n\t\t\tterm = uvc_entity_by_id(chain->dev, id);\n\t\t\tif (term == NULL || !UVC_ENTITY_IS_ITERM(term)) {\n\t\t\t\tuvc_trace(UVC_TRACE_DESCR, \"Selector unit %d \"\n\t\t\t\t\t\"input %d isn't connected to an \"\n\t\t\t\t\t\"input terminal\\n\", entity->id, i);\n\t\t\t\treturn -1;\n\t\t\t}\n\n\t\t\tif (term->chain.next || term->chain.prev) {\n\t\t\t\tuvc_trace(UVC_TRACE_DESCR, \"Found reference to \"\n\t\t\t\t\t\"entity %d already in chain.\\n\",\n\t\t\t\t\tterm->id);\n\t\t\t\treturn -EINVAL;\n\t\t\t}\n\n\t\t\tif (uvc_trace_param & UVC_TRACE_PROBE)\n\t\t\t\tprintk(KERN_CONT \" %d\", term->id);\n\n\t\t\tlist_add_tail(&term->chain, &chain->entities);\n\t\t\tuvc_scan_chain_forward(chain, term, entity);\n\t\t}\n\n\t\tif (uvc_trace_param & UVC_TRACE_PROBE)\n\t\t\tprintk(KERN_CONT \"\\n\");\n\n\t\tid = 0;\n\t\tbreak;\n\n\tcase UVC_ITT_VENDOR_SPECIFIC:\n\tcase UVC_ITT_CAMERA:\n\tcase UVC_ITT_MEDIA_TRANSPORT_INPUT:\n\tcase UVC_OTT_VENDOR_SPECIFIC:\n\tcase UVC_OTT_DISPLAY:\n\tcase UVC_OTT_MEDIA_TRANSPORT_OUTPUT:\n\tcase UVC_TT_STREAMING:\n\t\tid = UVC_ENTITY_IS_OTERM(entity) ? 
entity->baSourceID[0] : 0;\n\t\tbreak;\n\t}\n\n\tif (id <= 0) {\n\t\t*_entity = NULL;\n\t\treturn id;\n\t}\n\n\tentity = uvc_entity_by_id(chain->dev, id);\n\tif (entity == NULL) {\n\t\tuvc_trace(UVC_TRACE_DESCR, \"Found reference to \"\n\t\t\t\"unknown entity %d.\\n\", id);\n\t\treturn -EINVAL;\n\t}\n\n\t*_entity = entity;\n\treturn 0;\n}", "project": "linux", "hash": 299417654192371140739058978216446808364, "size": 80, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | 
uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409219 }, { "func": "static void uvc_disconnect(struct usb_interface *intf)\n{\n\tstruct uvc_device *dev = usb_get_intfdata(intf);\n\n\t/* Set the USB interface data to NULL. 
This can be done outside the\n\t * lock, as there's no other reader.\n\t */\n\tusb_set_intfdata(intf, NULL);\n\n\tif (intf->cur_altsetting->desc.bInterfaceSubClass ==\n\t UVC_SC_VIDEOSTREAMING)\n\t\treturn;\n\n\tuvc_unregister_video(dev);\n\tkref_put(&dev->ref, uvc_delete);\n}", "project": "linux", "hash": 265663367862227739120417033071795931420, "size": 16, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | 
drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409207 }, { "func": "static int uvc_parse_vendor_control(struct uvc_device *dev,\n\tconst unsigned char *buffer, int buflen)\n{\n\tstruct usb_device *udev = dev->udev;\n\tstruct usb_host_interface *alts = 
dev->intf->cur_altsetting;\n\tstruct uvc_entity *unit;\n\tunsigned int n, p;\n\tint handled = 0;\n\n\tswitch (le16_to_cpu(dev->udev->descriptor.idVendor)) {\n\tcase 0x046d:\t\t/* Logitech */\n\t\tif (buffer[1] != 0x41 || buffer[2] != 0x01)\n\t\t\tbreak;\n\n\t\t/* Logitech implements several vendor specific functions\n\t\t * through vendor specific extension units (LXU).\n\t\t *\n\t\t * The LXU descriptors are similar to XU descriptors\n\t\t * (see \"USB Device Video Class for Video Devices\", section\n\t\t * 3.7.2.6 \"Extension Unit Descriptor\") with the following\n\t\t * differences:\n\t\t *\n\t\t * ----------------------------------------------------------\n\t\t * 0\t\tbLength\t\t1\t Number\n\t\t *\tSize of this descriptor, in bytes: 24+p+n*2\n\t\t * ----------------------------------------------------------\n\t\t * 23+p+n\tbmControlsType\tN\tBitmap\n\t\t *\tIndividual bits in the set are defined:\n\t\t *\t0: Absolute\n\t\t *\t1: Relative\n\t\t *\n\t\t *\tThis bitset is mapped exactly the same as bmControls.\n\t\t * ----------------------------------------------------------\n\t\t * 23+p+n*2\tbReserved\t1\tBoolean\n\t\t * ----------------------------------------------------------\n\t\t * 24+p+n*2\tiExtension\t1\tIndex\n\t\t *\tIndex of a string descriptor that describes this\n\t\t *\textension unit.\n\t\t * ----------------------------------------------------------\n\t\t */\n\t\tp = buflen >= 22 ? buffer[21] : 0;\n\t\tn = buflen >= 25 + p ? 
buffer[22+p] : 0;\n\n\t\tif (buflen < 25 + p + 2*n) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videocontrol \"\n\t\t\t\t\"interface %d EXTENSION_UNIT error\\n\",\n\t\t\t\tudev->devnum, alts->desc.bInterfaceNumber);\n\t\t\tbreak;\n\t\t}\n\n\t\tunit = uvc_alloc_entity(UVC_VC_EXTENSION_UNIT, buffer[3],\n\t\t\t\t\tp + 1, 2*n);\n\t\tif (unit == NULL)\n\t\t\treturn -ENOMEM;\n\n\t\tmemcpy(unit->extension.guidExtensionCode, &buffer[4], 16);\n\t\tunit->extension.bNumControls = buffer[20];\n\t\tmemcpy(unit->baSourceID, &buffer[22], p);\n\t\tunit->extension.bControlSize = buffer[22+p];\n\t\tunit->extension.bmControls = (u8 *)unit + sizeof(*unit);\n\t\tunit->extension.bmControlsType = (u8 *)unit + sizeof(*unit)\n\t\t\t\t\t + n;\n\t\tmemcpy(unit->extension.bmControls, &buffer[23+p], 2*n);\n\n\t\tif (buffer[24+p+2*n] != 0)\n\t\t\tusb_string(udev, buffer[24+p+2*n], unit->name,\n\t\t\t\t sizeof(unit->name));\n\t\telse\n\t\t\tsprintf(unit->name, \"Extension %u\", buffer[3]);\n\n\t\tlist_add_tail(&unit->list, &dev->entities);\n\t\thandled = 1;\n\t\tbreak;\n\t}\n\n\treturn handled;\n}", "project": "linux", "hash": 313198853193888696224988432849818313278, "size": 77, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 
lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409188 }, { "func": "static netdev_tx_t mcba_usb_start_xmit(struct sk_buff *skb,\n\t\t\t\t struct net_device *netdev)\n{\n\tstruct mcba_priv *priv = netdev_priv(netdev);\n\tstruct can_frame *cf = (struct can_frame *)skb->data;\n\tstruct mcba_usb_ctx *ctx = NULL;\n\tstruct net_device_stats *stats = &priv->netdev->stats;\n\tu16 sid;\n\tint err;\n\tstruct mcba_usb_msg_can usb_msg = {\n\t\t.cmd_id = MBCA_CMD_TRANSMIT_MESSAGE_EV\n\t};\n\n\tif (can_dropped_invalid_skb(netdev, skb))\n\t\treturn NETDEV_TX_OK;\n\n\tctx = mcba_usb_get_free_ctx(priv, cf);\n\tif (!ctx)\n\t\treturn NETDEV_TX_BUSY;\n\n\tcan_put_echo_skb(skb, priv->netdev, ctx->ndx);\n\n\tif (cf->can_id & CAN_EFF_FLAG) {\n\t\t/* SIDH | SIDL | EIDH | EIDL\n\t\t * 28 - 21 | 20 19 18 x x x 17 16 | 15 - 8 | 7 - 0\n\t\t */\n\t\tsid = MCBA_SIDL_EXID_MASK;\n\t\t/* store 28-18 bits */\n\t\tsid |= (cf->can_id & 0x1ffc0000) >> 13;\n\t\t/* store 17-16 bits */\n\t\tsid |= (cf->can_id & 0x30000) >> 16;\n\t\tput_unaligned_be16(sid, &usb_msg.sid);\n\n\t\t/* store 15-0 bits */\n\t\tput_unaligned_be16(cf->can_id & 0xffff, &usb_msg.eid);\n\t} else {\n\t\t/* SIDH | SIDL\n\t\t * 10 - 3 | 2 1 0 x x x x x\n\t\t 
*/\n\t\tput_unaligned_be16((cf->can_id & CAN_SFF_MASK) << 5,\n\t\t\t\t &usb_msg.sid);\n\t\tusb_msg.eid = 0;\n\t}\n\n\tusb_msg.dlc = cf->can_dlc;\n\n\tmemcpy(usb_msg.data, cf->data, usb_msg.dlc);\n\n\tif (cf->can_id & CAN_RTR_FLAG)\n\t\tusb_msg.dlc |= MCBA_DLC_RTR_MASK;\n\n\terr = mcba_usb_xmit(priv, (struct mcba_usb_msg *)&usb_msg, ctx);\n\tif (err)\n\t\tgoto xmit_failed;\n\n\treturn NETDEV_TX_OK;\n\nxmit_failed:\n\tcan_free_echo_skb(priv->netdev, ctx->ndx);\n\tmcba_usb_free_ctx(ctx);\n\tdev_kfree_skb(skb);\n\tstats->tx_dropped++;\n\n\treturn NETDEV_TX_OK;\n}", "project": "linux", "hash": 80729319187417828579227789468555643788, "size": 65, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398302 }, { "func": "static int mcba_usb_start(struct mcba_priv *priv)\n{\n\tstruct net_device *netdev = priv->netdev;\n\tint err, i;\n\n\tmcba_init_ctx(priv);\n\n\tfor (i = 0; i < MCBA_MAX_RX_URBS; i++) {\n\t\tstruct urb *urb = NULL;\n\t\tu8 *buf;\n\n\t\t/* create a URB, and a buffer for it */\n\t\turb = usb_alloc_urb(0, GFP_KERNEL);\n\t\tif (!urb) {\n\t\t\terr = -ENOMEM;\n\t\t\tbreak;\n\t\t}\n\n\t\tbuf = usb_alloc_coherent(priv->udev, MCBA_USB_RX_BUFF_SIZE,\n\t\t\t\t\t GFP_KERNEL, &urb->transfer_dma);\n\t\tif (!buf) {\n\t\t\tnetdev_err(netdev, \"No memory left for USB buffer\\n\");\n\t\t\tusb_free_urb(urb);\n\t\t\terr = -ENOMEM;\n\t\t\tbreak;\n\t\t}\n\n\t\tusb_fill_bulk_urb(urb, priv->udev,\n\t\t\t\t usb_rcvbulkpipe(priv->udev, MCBA_USB_EP_IN),\n\t\t\t\t buf, MCBA_USB_RX_BUFF_SIZE,\n\t\t\t\t mcba_usb_read_bulk_callback, 
priv);\n\t\turb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;\n\t\tusb_anchor_urb(urb, &priv->rx_submitted);\n\n\t\terr = usb_submit_urb(urb, GFP_KERNEL);\n\t\tif (err) {\n\t\t\tusb_unanchor_urb(urb);\n\t\t\tusb_free_coherent(priv->udev, MCBA_USB_RX_BUFF_SIZE,\n\t\t\t\t\t buf, urb->transfer_dma);\n\t\t\tusb_free_urb(urb);\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Drop reference, USB core will take care of freeing it */\n\t\tusb_free_urb(urb);\n\t}\n\n\t/* Did we submit any URBs */\n\tif (i == 0) {\n\t\tnetdev_warn(netdev, \"couldn't setup read URBs\\n\");\n\t\treturn err;\n\t}\n\n\t/* Warn if we've couldn't transmit all the URBs */\n\tif (i < MCBA_MAX_RX_URBS)\n\t\tnetdev_warn(netdev, \"rx performance may be slow\\n\");\n\n\tmcba_usb_xmit_read_fw_ver(priv, MCBA_VER_REQ_USB);\n\tmcba_usb_xmit_read_fw_ver(priv, MCBA_VER_REQ_CAN);\n\n\treturn err;\n}", "project": "linux", "hash": 224094000178651132311876619063912973804, "size": 62, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398311 }, { "func": "static int uvc_scan_chain(struct uvc_video_chain *chain,\n\t\t\t struct uvc_entity *term)\n{\n\tstruct uvc_entity *entity, *prev;\n\n\tuvc_trace(UVC_TRACE_PROBE, \"Scanning UVC chain:\");\n\n\tentity = term;\n\tprev = NULL;\n\n\twhile (entity != NULL) {\n\t\t/* Entity must not be part of an existing chain */\n\t\tif (entity->chain.next || entity->chain.prev) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"Found reference to \"\n\t\t\t\t\"entity %d already in chain.\\n\", entity->id);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\t/* Process entity */\n\t\tif 
(uvc_scan_chain_entity(chain, entity) < 0)\n\t\t\treturn -EINVAL;\n\n\t\t/* Forward scan */\n\t\tif (uvc_scan_chain_forward(chain, entity, prev) < 0)\n\t\t\treturn -EINVAL;\n\n\t\t/* Backward scan */\n\t\tprev = entity;\n\t\tif (uvc_scan_chain_backward(chain, &entity) < 0)\n\t\t\treturn -EINVAL;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 104946206479007272198511811048877612413, "size": 34, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | 
uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409216 }, { "func": "static int uvc_parse_control(struct uvc_device *dev)\n{\n\tstruct usb_host_interface *alts = dev->intf->cur_altsetting;\n\tunsigned char *buffer = alts->extra;\n\tint buflen = alts->extralen;\n\tint ret;\n\n\t/* Parse the default alternate setting only, as the UVC specification\n\t * defines a single alternate setting, the default alternate setting\n\t * zero.\n\t */\n\n\twhile (buflen > 2) {\n\t\tif (uvc_parse_vendor_control(dev, buffer, buflen) ||\n\t\t buffer[1] != USB_DT_CS_INTERFACE)\n\t\t\tgoto next_descriptor;\n\n\t\tif ((ret = uvc_parse_standard_control(dev, buffer, buflen)) < 0)\n\t\t\treturn ret;\n\nnext_descriptor:\n\t\tbuflen -= buffer[0];\n\t\tbuffer += buffer[0];\n\t}\n\n\t/* Check if the optional status endpoint is present. Built-in iSight\n\t * webcams have an interrupt endpoint but spit proprietary data that\n\t * don't conform to the UVC status endpoint messages. 
Don't try to\n\t * handle the interrupt endpoint for those cameras.\n\t */\n\tif (alts->desc.bNumEndpoints == 1 &&\n\t !(dev->quirks & UVC_QUIRK_BUILTIN_ISIGHT)) {\n\t\tstruct usb_host_endpoint *ep = &alts->endpoint[0];\n\t\tstruct usb_endpoint_descriptor *desc = &ep->desc;\n\n\t\tif (usb_endpoint_is_int_in(desc) &&\n\t\t le16_to_cpu(desc->wMaxPacketSize) >= 8 &&\n\t\t desc->bInterval != 0) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"Found a Status endpoint \"\n\t\t\t\t\"(addr %02x).\\n\", desc->bEndpointAddress);\n\t\t\tdev->int_ep = ep;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 195978962155540623941423557781147083104, "size": 46, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 
ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409184 }, { "func": "static int uvc_scan_fallback(struct uvc_device *dev)\n{\n\tstruct uvc_video_chain *chain;\n\tstruct uvc_entity *iterm = NULL;\n\tstruct uvc_entity *oterm = NULL;\n\tstruct uvc_entity *entity;\n\tstruct uvc_entity *prev;\n\n\t/*\n\t * Start by locating the input and output terminals. We only support\n\t * devices with exactly one of each for now.\n\t */\n\tlist_for_each_entry(entity, &dev->entities, list) {\n\t\tif (UVC_ENTITY_IS_ITERM(entity)) {\n\t\t\tif (iterm)\n\t\t\t\treturn -EINVAL;\n\t\t\titerm = entity;\n\t\t}\n\n\t\tif (UVC_ENTITY_IS_OTERM(entity)) {\n\t\t\tif (oterm)\n\t\t\t\treturn -EINVAL;\n\t\t\toterm = entity;\n\t\t}\n\t}\n\n\tif (iterm == NULL || oterm == NULL)\n\t\treturn -EINVAL;\n\n\t/* Allocate the chain and fill it. */\n\tchain = uvc_alloc_chain(dev);\n\tif (chain == NULL)\n\t\treturn -ENOMEM;\n\n\tif (uvc_scan_chain_entity(chain, oterm) < 0)\n\t\tgoto error;\n\n\tprev = oterm;\n\n\t/*\n\t * Add all Processing and Extension Units with two pads. The order\n\t * doesn't matter much, use reverse list traversal to connect units in\n\t * UVC descriptor order as we build the chain from output to input. 
This\n\t * leads to units appearing in the order meant by the manufacturer for\n\t * the cameras known to require this heuristic.\n\t */\n\tlist_for_each_entry_reverse(entity, &dev->entities, list) {\n\t\tif (entity->type != UVC_VC_PROCESSING_UNIT &&\n\t\t entity->type != UVC_VC_EXTENSION_UNIT)\n\t\t\tcontinue;\n\n\t\tif (entity->num_pads != 2)\n\t\t\tcontinue;\n\n\t\tif (uvc_scan_chain_entity(chain, entity) < 0)\n\t\t\tgoto error;\n\n\t\tprev->baSourceID[0] = entity->id;\n\t\tprev = entity;\n\t}\n\n\tif (uvc_scan_chain_entity(chain, iterm) < 0)\n\t\tgoto error;\n\n\tprev->baSourceID[0] = iterm->id;\n\n\tlist_add_tail(&chain->list, &dev->chains);\n\n\tuvc_trace(UVC_TRACE_PROBE,\n\t\t \"Found a video chain by fallback heuristic (%s).\\n\",\n\t\t uvc_print_chain(chain));\n\n\treturn 0;\n\nerror:\n\tkfree(chain);\n\treturn -EINVAL;\n}", "project": "linux", "hash": 330618355649946974333665988257607224463, "size": 78, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 
1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409220 }, { "func": "static int uvc_parse_standard_control(struct uvc_device *dev,\n\tconst unsigned char *buffer, int buflen)\n{\n\tstruct usb_device *udev = dev->udev;\n\tstruct uvc_entity *unit, *term;\n\tstruct usb_interface *intf;\n\tstruct usb_host_interface *alts = dev->intf->cur_altsetting;\n\tunsigned int i, n, p, len;\n\tu16 type;\n\n\tswitch (buffer[2]) {\n\tcase UVC_VC_HEADER:\n\t\tn = buflen >= 12 ? buffer[11] : 0;\n\n\t\tif (buflen < 12 + n) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videocontrol \"\n\t\t\t\t\"interface %d HEADER error\\n\", udev->devnum,\n\t\t\t\talts->desc.bInterfaceNumber);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tdev->uvc_version = get_unaligned_le16(&buffer[3]);\n\t\tdev->clock_frequency = get_unaligned_le32(&buffer[7]);\n\n\t\t/* Parse all USB Video Streaming interfaces. 
*/\n\t\tfor (i = 0; i < n; ++i) {\n\t\t\tintf = usb_ifnum_to_if(udev, buffer[12+i]);\n\t\t\tif (intf == NULL) {\n\t\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d \"\n\t\t\t\t\t\"interface %d doesn't exists\\n\",\n\t\t\t\t\tudev->devnum, i);\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tuvc_parse_streaming(dev, intf);\n\t\t}\n\t\tbreak;\n\n\tcase UVC_VC_INPUT_TERMINAL:\n\t\tif (buflen < 8) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videocontrol \"\n\t\t\t\t\"interface %d INPUT_TERMINAL error\\n\",\n\t\t\t\tudev->devnum, alts->desc.bInterfaceNumber);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\t/*\n\t\t * Reject invalid terminal types that would cause issues:\n\t\t *\n\t\t * - The high byte must be non-zero, otherwise it would be\n\t\t * confused with a unit.\n\t\t *\n\t\t * - Bit 15 must be 0, as we use it internally as a terminal\n\t\t * direction flag.\n\t\t *\n\t\t * Other unknown types are accepted.\n\t\t */\n\t\ttype = get_unaligned_le16(&buffer[4]);\n\t\tif ((type & 0x7f00) == 0 || (type & 0x8000) != 0) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videocontrol \"\n\t\t\t\t\"interface %d INPUT_TERMINAL %d has invalid \"\n\t\t\t\t\"type 0x%04x, skipping\\n\", udev->devnum,\n\t\t\t\talts->desc.bInterfaceNumber,\n\t\t\t\tbuffer[3], type);\n\t\t\treturn 0;\n\t\t}\n\n\t\tn = 0;\n\t\tp = 0;\n\t\tlen = 8;\n\n\t\tif (type == UVC_ITT_CAMERA) {\n\t\t\tn = buflen >= 15 ? buffer[14] : 0;\n\t\t\tlen = 15;\n\n\t\t} else if (type == UVC_ITT_MEDIA_TRANSPORT_INPUT) {\n\t\t\tn = buflen >= 9 ? buffer[8] : 0;\n\t\t\tp = buflen >= 10 + n ? 
buffer[9+n] : 0;\n\t\t\tlen = 10;\n\t\t}\n\n\t\tif (buflen < len + n + p) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videocontrol \"\n\t\t\t\t\"interface %d INPUT_TERMINAL error\\n\",\n\t\t\t\tudev->devnum, alts->desc.bInterfaceNumber);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tterm = uvc_alloc_entity(type | UVC_TERM_INPUT, buffer[3],\n\t\t\t\t\t1, n + p);\n\t\tif (term == NULL)\n\t\t\treturn -ENOMEM;\n\n\t\tif (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA) {\n\t\t\tterm->camera.bControlSize = n;\n\t\t\tterm->camera.bmControls = (u8 *)term + sizeof(*term);\n\t\t\tterm->camera.wObjectiveFocalLengthMin =\n\t\t\t\tget_unaligned_le16(&buffer[8]);\n\t\t\tterm->camera.wObjectiveFocalLengthMax =\n\t\t\t\tget_unaligned_le16(&buffer[10]);\n\t\t\tterm->camera.wOcularFocalLength =\n\t\t\t\tget_unaligned_le16(&buffer[12]);\n\t\t\tmemcpy(term->camera.bmControls, &buffer[15], n);\n\t\t} else if (UVC_ENTITY_TYPE(term) ==\n\t\t\t UVC_ITT_MEDIA_TRANSPORT_INPUT) {\n\t\t\tterm->media.bControlSize = n;\n\t\t\tterm->media.bmControls = (u8 *)term + sizeof(*term);\n\t\t\tterm->media.bTransportModeSize = p;\n\t\t\tterm->media.bmTransportModes = (u8 *)term\n\t\t\t\t\t\t + sizeof(*term) + n;\n\t\t\tmemcpy(term->media.bmControls, &buffer[9], n);\n\t\t\tmemcpy(term->media.bmTransportModes, &buffer[10+n], p);\n\t\t}\n\n\t\tif (buffer[7] != 0)\n\t\t\tusb_string(udev, buffer[7], term->name,\n\t\t\t\t sizeof(term->name));\n\t\telse if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA)\n\t\t\tsprintf(term->name, \"Camera %u\", buffer[3]);\n\t\telse if (UVC_ENTITY_TYPE(term) == UVC_ITT_MEDIA_TRANSPORT_INPUT)\n\t\t\tsprintf(term->name, \"Media %u\", buffer[3]);\n\t\telse\n\t\t\tsprintf(term->name, \"Input %u\", buffer[3]);\n\n\t\tlist_add_tail(&term->list, &dev->entities);\n\t\tbreak;\n\n\tcase UVC_VC_OUTPUT_TERMINAL:\n\t\tif (buflen < 9) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videocontrol \"\n\t\t\t\t\"interface %d OUTPUT_TERMINAL error\\n\",\n\t\t\t\tudev->devnum, 
alts->desc.bInterfaceNumber);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\t/* Make sure the terminal type MSB is not null, otherwise it\n\t\t * could be confused with a unit.\n\t\t */\n\t\ttype = get_unaligned_le16(&buffer[4]);\n\t\tif ((type & 0xff00) == 0) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videocontrol \"\n\t\t\t\t\"interface %d OUTPUT_TERMINAL %d has invalid \"\n\t\t\t\t\"type 0x%04x, skipping\\n\", udev->devnum,\n\t\t\t\talts->desc.bInterfaceNumber, buffer[3], type);\n\t\t\treturn 0;\n\t\t}\n\n\t\tterm = uvc_alloc_entity(type | UVC_TERM_OUTPUT, buffer[3],\n\t\t\t\t\t1, 0);\n\t\tif (term == NULL)\n\t\t\treturn -ENOMEM;\n\n\t\tmemcpy(term->baSourceID, &buffer[7], 1);\n\n\t\tif (buffer[8] != 0)\n\t\t\tusb_string(udev, buffer[8], term->name,\n\t\t\t\t sizeof(term->name));\n\t\telse\n\t\t\tsprintf(term->name, \"Output %u\", buffer[3]);\n\n\t\tlist_add_tail(&term->list, &dev->entities);\n\t\tbreak;\n\n\tcase UVC_VC_SELECTOR_UNIT:\n\t\tp = buflen >= 5 ? buffer[4] : 0;\n\n\t\tif (buflen < 5 || buflen < 6 + p) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videocontrol \"\n\t\t\t\t\"interface %d SELECTOR_UNIT error\\n\",\n\t\t\t\tudev->devnum, alts->desc.bInterfaceNumber);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tunit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, 0);\n\t\tif (unit == NULL)\n\t\t\treturn -ENOMEM;\n\n\t\tmemcpy(unit->baSourceID, &buffer[5], p);\n\n\t\tif (buffer[5+p] != 0)\n\t\t\tusb_string(udev, buffer[5+p], unit->name,\n\t\t\t\t sizeof(unit->name));\n\t\telse\n\t\t\tsprintf(unit->name, \"Selector %u\", buffer[3]);\n\n\t\tlist_add_tail(&unit->list, &dev->entities);\n\t\tbreak;\n\n\tcase UVC_VC_PROCESSING_UNIT:\n\t\tn = buflen >= 8 ? buffer[7] : 0;\n\t\tp = dev->uvc_version >= 0x0110 ? 
10 : 9;\n\n\t\tif (buflen < p + n) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videocontrol \"\n\t\t\t\t\"interface %d PROCESSING_UNIT error\\n\",\n\t\t\t\tudev->devnum, alts->desc.bInterfaceNumber);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tunit = uvc_alloc_entity(buffer[2], buffer[3], 2, n);\n\t\tif (unit == NULL)\n\t\t\treturn -ENOMEM;\n\n\t\tmemcpy(unit->baSourceID, &buffer[4], 1);\n\t\tunit->processing.wMaxMultiplier =\n\t\t\tget_unaligned_le16(&buffer[5]);\n\t\tunit->processing.bControlSize = buffer[7];\n\t\tunit->processing.bmControls = (u8 *)unit + sizeof(*unit);\n\t\tmemcpy(unit->processing.bmControls, &buffer[8], n);\n\t\tif (dev->uvc_version >= 0x0110)\n\t\t\tunit->processing.bmVideoStandards = buffer[9+n];\n\n\t\tif (buffer[8+n] != 0)\n\t\t\tusb_string(udev, buffer[8+n], unit->name,\n\t\t\t\t sizeof(unit->name));\n\t\telse\n\t\t\tsprintf(unit->name, \"Processing %u\", buffer[3]);\n\n\t\tlist_add_tail(&unit->list, &dev->entities);\n\t\tbreak;\n\n\tcase UVC_VC_EXTENSION_UNIT:\n\t\tp = buflen >= 22 ? buffer[21] : 0;\n\t\tn = buflen >= 24 + p ? 
buffer[22+p] : 0;\n\n\t\tif (buflen < 24 + p + n) {\n\t\t\tuvc_trace(UVC_TRACE_DESCR, \"device %d videocontrol \"\n\t\t\t\t\"interface %d EXTENSION_UNIT error\\n\",\n\t\t\t\tudev->devnum, alts->desc.bInterfaceNumber);\n\t\t\treturn -EINVAL;\n\t\t}\n\n\t\tunit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, n);\n\t\tif (unit == NULL)\n\t\t\treturn -ENOMEM;\n\n\t\tmemcpy(unit->extension.guidExtensionCode, &buffer[4], 16);\n\t\tunit->extension.bNumControls = buffer[20];\n\t\tmemcpy(unit->baSourceID, &buffer[22], p);\n\t\tunit->extension.bControlSize = buffer[22+p];\n\t\tunit->extension.bmControls = (u8 *)unit + sizeof(*unit);\n\t\tmemcpy(unit->extension.bmControls, &buffer[23+p], n);\n\n\t\tif (buffer[23+p+n] != 0)\n\t\t\tusb_string(udev, buffer[23+p+n], unit->name,\n\t\t\t\t sizeof(unit->name));\n\t\telse\n\t\t\tsprintf(unit->name, \"Extension %u\", buffer[3]);\n\n\t\tlist_add_tail(&unit->list, &dev->entities);\n\t\tbreak;\n\n\tdefault:\n\t\tuvc_trace(UVC_TRACE_DESCR, \"Found an unknown CS_INTERFACE \"\n\t\t\t\"descriptor (%u)\\n\", buffer[2]);\n\t\tbreak;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 27309152449619057481420737100549532962, "size": 260, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 
0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409210 }, { "func": "static int set_altsetting(struct usbtest_dev *dev, int alternate)\n{\n\tstruct usb_interface\t\t*iface = dev->intf;\n\tstruct usb_device\t\t*udev;\n\n\tif (alternate < 0 || alternate >= 256)\n\t\treturn -EINVAL;\n\n\tudev = interface_to_usbdev(iface);\n\treturn usb_set_interface(udev,\n\t\t\tiface->altsetting[0].desc.bInterfaceNumber,\n\t\t\talternate);\n}", "project": "linux", "hash": 230443237056237448332487840140544561977, "size": 13, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n 
[<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412257 }, { "func": "static int uvc_register_video(struct uvc_device *dev,\n\t\tstruct uvc_streaming *stream)\n{\n\tint ret;\n\n\t/* Initialize the streaming interface with default parameters. 
*/\n\tret = uvc_video_init(stream);\n\tif (ret < 0) {\n\t\tuvc_printk(KERN_ERR, \"Failed to initialize the device (%d).\\n\",\n\t\t\t ret);\n\t\treturn ret;\n\t}\n\n\tif (stream->type == V4L2_BUF_TYPE_VIDEO_CAPTURE)\n\t\tstream->chain->caps |= V4L2_CAP_VIDEO_CAPTURE\n\t\t\t| V4L2_CAP_META_CAPTURE;\n\telse\n\t\tstream->chain->caps |= V4L2_CAP_VIDEO_OUTPUT;\n\n\tuvc_debugfs_init_stream(stream);\n\n\t/* Register the device with V4L. */\n\treturn uvc_register_video_device(dev, stream, &stream->vdev,\n\t\t\t\t\t &stream->queue, stream->type,\n\t\t\t\t\t &uvc_fops, &uvc_ioctl_ops);\n}", "project": "linux", "hash": 304462608977514286931372183774250999261, "size": 26, "commit_id": "68035c80e129c4cfec659aac4180354530b26527", "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n | list_add double add: new=ffff880069084010, prev=ffff880069084010,\n | next=ffff880067d22298.\n | ------------[ cut here ]------------\n | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n | Modules linked in:\n | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n | 4.14.0-rc2-42613-g1488251d1a98 #238\n | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n | Workqueue: usb_hub_wq hub_event\n | task: ffff88006b01ca40 task.stack: ffff880064358000\n | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n | 
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n | Call Trace:\n | __list_add ./include/linux/list.h:59\n | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n | uvc_scan_chain_forward.isra.8+0x373/0x416\n | drivers/media/usb/uvc/uvc_driver.c:1471\n | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080\n 00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we're left\nwith an output terminal descriptor describing a generic display:\n\n /* Output terminal descriptor */\n buf[0]\t09\n buf[1]\t24\n buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n buf[3]\t00\t/* ID */\n buf[4]\t01\t/* type == 0x0301 (UVC_OTT_DISPLAY) */\n buf[5]\t03\n buf[6]\t7c\n buf[7]\t00\t/* source ID refers to self! */\n buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! 
This causes the 'struct uvc_entity'\nrepresenting the display to be added to its chain list twice during\n'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is\nprocessed directly from the 'dev->entities' list and then again\nimmediately afterwards when trying to follow the source ID in\n'uvc_scan_chain_forward()'\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nCc: \nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \nSigned-off-by: Will Deacon \nSigned-off-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 409205 }, { "func": "static int ch9_postconfig(struct usbtest_dev *dev)\n{\n\tstruct usb_interface\t*iface = dev->intf;\n\tstruct usb_device\t*udev = interface_to_usbdev(iface);\n\tint\t\t\ti, alt, retval;\n\n\t/* [9.2.3] if there's more than one altsetting, we need to be able to\n\t * set and get each one. 
mostly trusts the descriptors from usbcore.\n\t */\n\tfor (i = 0; i < iface->num_altsetting; i++) {\n\n\t\t/* 9.2.3 constrains the range here */\n\t\talt = iface->altsetting[i].desc.bAlternateSetting;\n\t\tif (alt < 0 || alt >= iface->num_altsetting) {\n\t\t\tdev_err(&iface->dev,\n\t\t\t\t\t\"invalid alt [%d].bAltSetting = %d\\n\",\n\t\t\t\t\ti, alt);\n\t\t}\n\n\t\t/* [real world] get/set unimplemented if there's only one */\n\t\tif (realworld && iface->num_altsetting == 1)\n\t\t\tcontinue;\n\n\t\t/* [9.4.10] set_interface */\n\t\tretval = set_altsetting(dev, alt);\n\t\tif (retval) {\n\t\t\tdev_err(&iface->dev, \"can't set_interface = %d, %d\\n\",\n\t\t\t\t\talt, retval);\n\t\t\treturn retval;\n\t\t}\n\n\t\t/* [9.4.4] get_interface always works */\n\t\tretval = get_altsetting(dev);\n\t\tif (retval != alt) {\n\t\t\tdev_err(&iface->dev, \"get alt should be %d, was %d\\n\",\n\t\t\t\t\talt, retval);\n\t\t\treturn (retval < 0) ? retval : -EDOM;\n\t\t}\n\n\t}\n\n\t/* [real world] get_config unimplemented if there's only one */\n\tif (!realworld || udev->descriptor.bNumConfigurations != 1) {\n\t\tint\texpected = udev->actconfig->desc.bConfigurationValue;\n\n\t\t/* [9.4.2] get_configuration always works\n\t\t * ... although some cheap devices (like one TI Hub I've got)\n\t\t * won't return config descriptors except before set_config.\n\t\t */\n\t\tretval = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),\n\t\t\t\tUSB_REQ_GET_CONFIGURATION,\n\t\t\t\tUSB_DIR_IN | USB_RECIP_DEVICE,\n\t\t\t\t0, 0, dev->buf, 1, USB_CTRL_GET_TIMEOUT);\n\t\tif (retval != 1 || dev->buf[0] != expected) {\n\t\t\tdev_err(&iface->dev, \"get config --> %d %d (1 %d)\\n\",\n\t\t\t\tretval, dev->buf[0], expected);\n\t\t\treturn (retval < 0) ? 
retval : -EDOM;\n\t\t}\n\t}\n\n\t/* there's always [9.4.3] a device descriptor [9.6.1] */\n\tretval = usb_get_descriptor(udev, USB_DT_DEVICE, 0,\n\t\t\tdev->buf, sizeof(udev->descriptor));\n\tif (retval != sizeof(udev->descriptor)) {\n\t\tdev_err(&iface->dev, \"dev descriptor --> %d\\n\", retval);\n\t\treturn (retval < 0) ? retval : -EDOM;\n\t}\n\n\t/*\n\t * there's always [9.4.3] a bos device descriptor [9.6.2] in USB\n\t * 3.0 spec\n\t */\n\tif (le16_to_cpu(udev->descriptor.bcdUSB) >= 0x0210) {\n\t\tstruct usb_bos_descriptor *bos = NULL;\n\t\tstruct usb_dev_cap_header *header = NULL;\n\t\tunsigned total, num, length;\n\t\tu8 *buf;\n\n\t\tretval = usb_get_descriptor(udev, USB_DT_BOS, 0, dev->buf,\n\t\t\t\tsizeof(*udev->bos->desc));\n\t\tif (retval != sizeof(*udev->bos->desc)) {\n\t\t\tdev_err(&iface->dev, \"bos descriptor --> %d\\n\", retval);\n\t\t\treturn (retval < 0) ? retval : -EDOM;\n\t\t}\n\n\t\tbos = (struct usb_bos_descriptor *)dev->buf;\n\t\ttotal = le16_to_cpu(bos->wTotalLength);\n\t\tnum = bos->bNumDeviceCaps;\n\n\t\tif (total > TBUF_SIZE)\n\t\t\ttotal = TBUF_SIZE;\n\n\t\t/*\n\t\t * get generic device-level capability descriptors [9.6.2]\n\t\t * in USB 3.0 spec\n\t\t */\n\t\tretval = usb_get_descriptor(udev, USB_DT_BOS, 0, dev->buf,\n\t\t\t\ttotal);\n\t\tif (retval != total) {\n\t\t\tdev_err(&iface->dev, \"bos descriptor set --> %d\\n\",\n\t\t\t\t\tretval);\n\t\t\treturn (retval < 0) ? 
retval : -EDOM;\n\t\t}\n\n\t\tlength = sizeof(*udev->bos->desc);\n\t\tbuf = dev->buf;\n\t\tfor (i = 0; i < num; i++) {\n\t\t\tbuf += length;\n\t\t\tif (buf + sizeof(struct usb_dev_cap_header) >\n\t\t\t\t\tdev->buf + total)\n\t\t\t\tbreak;\n\n\t\t\theader = (struct usb_dev_cap_header *)buf;\n\t\t\tlength = header->bLength;\n\n\t\t\tif (header->bDescriptorType !=\n\t\t\t\t\tUSB_DT_DEVICE_CAPABILITY) {\n\t\t\t\tdev_warn(&udev->dev, \"not device capability descriptor, skip\\n\");\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tswitch (header->bDevCapabilityType) {\n\t\t\tcase USB_CAP_TYPE_EXT:\n\t\t\t\tif (buf + USB_DT_USB_EXT_CAP_SIZE >\n\t\t\t\t\t\tdev->buf + total ||\n\t\t\t\t\t\t!is_good_ext(dev, buf)) {\n\t\t\t\t\tdev_err(&iface->dev, \"bogus usb 2.0 extension descriptor\\n\");\n\t\t\t\t\treturn -EDOM;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase USB_SS_CAP_TYPE:\n\t\t\t\tif (buf + USB_DT_USB_SS_CAP_SIZE >\n\t\t\t\t\t\tdev->buf + total ||\n\t\t\t\t\t\t!is_good_ss_cap(dev, buf)) {\n\t\t\t\t\tdev_err(&iface->dev, \"bogus superspeed device capability descriptor\\n\");\n\t\t\t\t\treturn -EDOM;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase CONTAINER_ID_TYPE:\n\t\t\t\tif (buf + USB_DT_USB_SS_CONTN_ID_SIZE >\n\t\t\t\t\t\tdev->buf + total ||\n\t\t\t\t\t\t!is_good_con_id(dev, buf)) {\n\t\t\t\t\tdev_err(&iface->dev, \"bogus container id descriptor\\n\");\n\t\t\t\t\treturn -EDOM;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\t/* there's always [9.4.3] at least one config descriptor [9.6.3] */\n\tfor (i = 0; i < udev->descriptor.bNumConfigurations; i++) {\n\t\tretval = usb_get_descriptor(udev, USB_DT_CONFIG, i,\n\t\t\t\tdev->buf, TBUF_SIZE);\n\t\tif (!is_good_config(dev, retval)) {\n\t\t\tdev_err(&iface->dev,\n\t\t\t\t\t\"config [%d] descriptor --> %d\\n\",\n\t\t\t\t\ti, retval);\n\t\t\treturn (retval < 0) ? 
retval : -EDOM;\n\t\t}\n\n\t\t/* FIXME cross-checking udev->config[i] to make sure usbcore\n\t\t * parsed it right (etc) would be good testing paranoia\n\t\t */\n\t}\n\n\t/* and sometimes [9.2.6.6] speed dependent descriptors */\n\tif (le16_to_cpu(udev->descriptor.bcdUSB) == 0x0200) {\n\t\tstruct usb_qualifier_descriptor *d = NULL;\n\n\t\t/* device qualifier [9.6.2] */\n\t\tretval = usb_get_descriptor(udev,\n\t\t\t\tUSB_DT_DEVICE_QUALIFIER, 0, dev->buf,\n\t\t\t\tsizeof(struct usb_qualifier_descriptor));\n\t\tif (retval == -EPIPE) {\n\t\t\tif (udev->speed == USB_SPEED_HIGH) {\n\t\t\t\tdev_err(&iface->dev,\n\t\t\t\t\t\t\"hs dev qualifier --> %d\\n\",\n\t\t\t\t\t\tretval);\n\t\t\t\treturn retval;\n\t\t\t}\n\t\t\t/* usb2.0 but not high-speed capable; fine */\n\t\t} else if (retval != sizeof(struct usb_qualifier_descriptor)) {\n\t\t\tdev_err(&iface->dev, \"dev qualifier --> %d\\n\", retval);\n\t\t\treturn (retval < 0) ? retval : -EDOM;\n\t\t} else\n\t\t\td = (struct usb_qualifier_descriptor *) dev->buf;\n\n\t\t/* might not have [9.6.2] any other-speed configs [9.6.4] */\n\t\tif (d) {\n\t\t\tunsigned max = d->bNumConfigurations;\n\t\t\tfor (i = 0; i < max; i++) {\n\t\t\t\tretval = usb_get_descriptor(udev,\n\t\t\t\t\tUSB_DT_OTHER_SPEED_CONFIG, i,\n\t\t\t\t\tdev->buf, TBUF_SIZE);\n\t\t\t\tif (!is_good_config(dev, retval)) {\n\t\t\t\t\tdev_err(&iface->dev,\n\t\t\t\t\t\t\"other speed config --> %d\\n\",\n\t\t\t\t\t\tretval);\n\t\t\t\t\treturn (retval < 0) ? retval : -EDOM;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\t/* FIXME fetch strings from at least the device descriptor */\n\n\t/* [9.4.5] get_status always works */\n\tretval = usb_get_std_status(udev, USB_RECIP_DEVICE, 0, dev->buf);\n\tif (retval) {\n\t\tdev_err(&iface->dev, \"get dev status --> %d\\n\", retval);\n\t\treturn retval;\n\t}\n\n\t/* FIXME configuration.bmAttributes says if we could try to set/clear\n\t * the device's remote wakeup feature ... 
if we can, test that here\n\t */\n\n\tretval = usb_get_std_status(udev, USB_RECIP_INTERFACE,\n\t\t\tiface->altsetting[0].desc.bInterfaceNumber, dev->buf);\n\tif (retval) {\n\t\tdev_err(&iface->dev, \"get interface status --> %d\\n\", retval);\n\t\treturn retval;\n\t}\n\t/* FIXME get status for each endpoint in the interface */\n\n\treturn 0;\n}", "project": "linux", "hash": 17269362960988621502711306359607192946, "size": 229, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n 
[<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412254 }, { "func": "struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)\n{\n\tstruct tty_struct *tty;\n\n\ttty = kzalloc(sizeof(*tty), GFP_KERNEL);\n\tif (!tty)\n\t\treturn NULL;\n\n\tkref_init(&tty->kref);\n\ttty->magic = TTY_MAGIC;\n\tif (tty_ldisc_init(tty)) {\n\t\tkfree(tty);\n\t\treturn NULL;\n\t}\n\ttty->session = NULL;\n\ttty->pgrp = NULL;\n\tmutex_init(&tty->legacy_mutex);\n\tmutex_init(&tty->throttle_mutex);\n\tinit_rwsem(&tty->termios_rwsem);\n\tmutex_init(&tty->winsize_mutex);\n\tinit_ldsem(&tty->ldisc_sem);\n\tinit_waitqueue_head(&tty->write_wait);\n\tinit_waitqueue_head(&tty->read_wait);\n\tINIT_WORK(&tty->hangup_work, do_tty_hangup);\n\tmutex_init(&tty->atomic_write_lock);\n\tspin_lock_init(&tty->ctrl_lock);\n\tspin_lock_init(&tty->flow_lock);\n\tspin_lock_init(&tty->files_lock);\n\tINIT_LIST_HEAD(&tty->tty_files);\n\tINIT_WORK(&tty->SAK_work, do_SAK_work);\n\n\ttty->driver = driver;\n\ttty->ops = driver->ops;\n\ttty->index = idx;\n\ttty_line_name(driver, idx, tty->name);\n\ttty->dev = tty_get_device(tty);\n\n\treturn tty;\n}", "project": "linux", "hash": 263364311731158957481802989755942670680, "size": 39, "commit_id": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "message": "tty: Fix ->session locking\n\nCurrently, locking of ->session is 
very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don't.\nTwo of the writers hold the ctrl_lock (because they already need it for\n->pgrp), but __proc_set_tty() doesn't do that yet.\n\nOn a PREEMPT=y system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I'm\nnot sure about that.)\n\nChange the locking on ->session such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n hold it. This should be fine because the same lock can already be\n taken through the call to tty_vhangup_session().\n The tricky part is that we need to shorten the area covered by\n siglock to be able to take tty_lock() without ugly retry logic; as\n far as I can tell, this should be fine, since nothing in the\n signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n hold the lock a little longer.\n - All readers that aren't holding tty_lock() hold ctrl_lock: By\n adding locking to tiocgsid() and __do_SAK(), and expanding the area\n covered by ctrl_lock in tiocspgrp().\n\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \nReviewed-by: Jiri Slaby \nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 325957 }, { "func": "static int is_good_config(struct usbtest_dev *tdev, int len)\n{\n\tstruct usb_config_descriptor\t*config;\n\n\tif (len < sizeof(*config))\n\t\treturn 0;\n\tconfig = (struct usb_config_descriptor *) tdev->buf;\n\n\tswitch (config->bDescriptorType) {\n\tcase USB_DT_CONFIG:\n\tcase USB_DT_OTHER_SPEED_CONFIG:\n\t\tif (config->bLength != 9) {\n\t\t\tERROR(tdev, \"bogus config descriptor length\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\t/* this bit 'must be 1' but often isn't */\n\t\tif 
(!realworld && !(config->bmAttributes & 0x80)) {\n\t\t\tERROR(tdev, \"high bit of config attributes not set\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tif (config->bmAttributes & 0x1f) {\t/* reserved == 0 */\n\t\t\tERROR(tdev, \"reserved config bits set\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tbreak;\n\tdefault:\n\t\treturn 0;\n\t}\n\n\tif (le16_to_cpu(config->wTotalLength) == len)\t/* read it all */\n\t\treturn 1;\n\tif (le16_to_cpu(config->wTotalLength) >= TBUF_SIZE)\t/* max partial read */\n\t\treturn 1;\n\tERROR(tdev, \"bogus config descriptor read size\\n\");\n\treturn 0;\n}", "project": "linux", "hash": 175724392686928098838663409143955659611, "size": 36, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 (size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n 
[<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412285 }, { "func": "static int is_good_ss_cap(struct usbtest_dev *tdev, u8 *buf)\n{\n\tstruct usb_ss_cap_descriptor *ss;\n\n\tss = (struct usb_ss_cap_descriptor *) buf;\n\n\tif (ss->bLength != USB_DT_USB_SS_CAP_SIZE) {\n\t\tERROR(tdev, \"bogus superspeed device capability descriptor length\\n\");\n\t\treturn 0;\n\t}\n\n\t/*\n\t * only bit[1] of bmAttributes is used for LTM and others are\n\t * reserved\n\t */\n\tif (ss->bmAttributes & ~0x02) {\t/* reserved == 0 */\n\t\tERROR(tdev, \"reserved bits set in bmAttributes\\n\");\n\t\treturn 0;\n\t}\n\n\t/* bits[0:3] of wSpeedSupported is used and others are reserved */\n\tif (le16_to_cpu(ss->wSpeedSupported) & ~0x0f) {\t/* reserved == 0 */\n\t\tERROR(tdev, \"reserved bits set in wSpeedSupported\\n\");\n\t\treturn 0;\n\t}\n\n\treturn 1;\n}", "project": "linux", "hash": 137903617825913928942554641092409562864, "size": 28, "commit_id": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "message": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect\n\nBUG: memory leak\nunreferenced object 0xffff888055046e00 
(size 256):\n comm \"kworker/2:9\", pid 2570, jiffies 4294942129 (age 1095.500s)\n hex dump (first 32 bytes):\n 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....\n f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......\n backtrace:\n [<00000000d121dccf>] kmemleak_alloc_recursive\ninclude/linux/kmemleak.h:43 [inline]\n [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]\n [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]\n [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]\n [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811\n [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]\n [<000000005c3c3381>] usbtest_probe+0x286/0x19d0\ndrivers/usb/misc/usbtest.c:2790\n [<000000001cec6910>] usb_probe_interface+0x2bd/0x870\ndrivers/usb/core/driver.c:361\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n [<000000003ef66004>] __device_attach_driver+0x1b6/0x240\ndrivers/base/dd.c:831\n [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431\n [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897\n [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944\n [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491\n [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504\n [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0\ndrivers/usb/core/message.c:2030\n [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210\n [<0000000098ade0f1>] usb_probe_device+0x90/0xd0\ndrivers/usb/core/driver.c:266\n [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551\n [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724\n\nAcked-by: Alan Stern \nReported-by: Kyungtae Kim \nSigned-off-by: Zqiang \nLink: 
https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com\nSigned-off-by: Greg Kroah-Hartman ", "target": 0, "dataset": "other", "idx": 412266 } ] }, { "call_depth": 4, "longest_call_chain": [ "Open_table_context", "m_flags", "Profiler", "BindToCPU" ], "group_size": 13, "functions": [ { "func": "static long get_us_interval(struct timeval *start, struct timeval *end) {\n return (((end->tv_sec - start->tv_sec) * 1000000)\n + (end->tv_usec - start->tv_usec));\n}", "project": "hhvm", "hash": 226869654135616472232911777556010156798, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219250 }, { "func": " MachineInfo() {\n m_cpu_num = sysconf(_SC_NPROCESSORS_CONF);\n m_cpu_frequencies = get_cpu_frequency_from_file(\"/proc/cpuinfo\", m_cpu_num);\n\n if (m_cpu_frequencies)\n return;\n\n m_cpu_frequencies = new int64_t[m_cpu_num];\n for (int i = 0; i < m_cpu_num; i++) {\n cpu_set_t prev_mask;\n GET_AFFINITY(0, sizeof(cpu_set_t), &prev_mask);\n BindToCPU(i);\n // Make sure the current process gets scheduled to the target cpu. 
This\n // might not be necessary though.\n usleep(0);\n m_cpu_frequencies[i] = get_cpu_frequency();\n SET_AFFINITY(0, sizeof(cpu_set_t), &prev_mask);\n }\n }", "project": "hhvm", "hash": 180263000948610311410935395853679103945, "size": 19, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219057 }, { "func": "static int64_t* get_cpu_frequency_from_file(const char *file, int ncpus)\n{\n std::ifstream cpuinfo(file);\n if (cpuinfo.fail()) {\n return nullptr;\n }\n char line[MAX_LINELENGTH];\n int64_t* freqs = new int64_t[ncpus];\n for (int i = 0; i < ncpus; ++i) {\n freqs[i] = 0;\n }\n int processor = -1;\n\n while (cpuinfo.getline(line, sizeof(line))) {\n if (sscanf(line, \"processor : %d\", &processor) == 1) {\n continue;\n }\n float freq;\n if ((sscanf(line, \"cpu MHz : %f\", &freq) == 1) ||\n (sscanf(line, \"clock : %f\", &freq) == 1)) {\n if (processor != -1 && processor < ncpus) {\n freqs[processor] = nearbyint(freq);\n processor = -1;\n }\n }\n }\n for (int i = 0; i < ncpus; ++i) {\n if (freqs[i] == 0) {\n delete[] freqs;\n return nullptr;\n }\n }\n return freqs;\n}", "project": "hhvm", "hash": 248085455882707873436144105338088029488, "size": 34, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219292 }, { "func": " static void BindToCPU(uint32_t cpu_id) {\n cpu_set_t new_mask;\n CPU_ZERO(&new_mask);\n CPU_SET(cpu_id, &new_mask);\n SET_AFFINITY(0, sizeof(cpu_set_t), &new_mask);\n }", "project": "hhvm", "hash": 252561999300798108266609964241078876025, "size": 6, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219879 }, { "func": " explicit TraceProfiler(int flags)\n : 
Profiler(true)\n , m_traceBuffer(nullptr)\n , m_traceBufferSize(0)\n , m_nextTraceEntry(0)\n , m_traceBufferFilled(false)\n , m_maxTraceBuffer(0)\n , m_overflowCalls(0)\n , m_flags(flags)\n {\n if (!(m_flags & IHaveInfiniteMemory) && pthread_mutex_trylock(&s_inUse)) {\n // This profiler uses a very large amount of memory. Only allow\n // one in the process at any time.\n m_successful = false;\n } else {\n m_maxTraceBuffer = RuntimeOption::ProfilerMaxTraceBuffer;\n Extension* ext = ExtensionRegistry::get(s_hotprofiler);\n assertx(ext);\n IniSetting::Bind(ext, IniSetting::PHP_INI_ALL,\n \"profiler.max_trace_buffer\",\n &m_maxTraceBuffer);\n }\n }", "project": "hhvm", "hash": 97949173461319208565106839514492844861, "size": 23, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219466 }, { "func": " explicit HierarchicalProfiler(int flags) : Profiler(true), m_flags(flags) {\n }", "project": "hhvm", "hash": 56700908204766941970227207576771894312, "size": 2, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219660 }, { "func": "void Profiler::endAllFrames() {\n while (m_stack) {\n endFrame(nullptr, nullptr, true);\n }\n}", "project": "hhvm", "hash": 245415849160079604862531924084058340861, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219314 }, { "func": " void endAllFrames() override {\n // Nothing to do for this profiler since all work is done as we go.\n }", "project": "hhvm", "hash": 150441449384399467871760114204802685380, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security 
fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219864 }, { "func": "Profiler::~Profiler() {\n if (m_has_affinity) {\n SET_AFFINITY(0, sizeof(cpu_set_t), &m_prev_mask);\n }\n\n endAllFrames();\n for (Frame *p = m_frame_free_list; p;) {\n Frame *cur = p;\n p = p->m_parent;\n delete cur;\n }\n}", "project": "hhvm", "hash": 218080934643076592466588935207842016775, "size": 12, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219479 }, { "func": " explicit MemoProfiler(int /*flags*/) : Profiler(true) {}", "project": "hhvm", "hash": 76196938429753322405609073721382273498, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219768 }, { "func": "static int64_t get_cpu_frequency() {\n struct timeval start;\n struct timeval end;\n\n if (gettimeofday(&start, 0)) {\n perror(\"gettimeofday\");\n return 0.0;\n }\n uint64_t tsc_start = cpuCycles();\n uint64_t tsc_end;\n volatile int i;\n // Busy loop for 5 miliseconds. 
Don't use usleep() here since it causes the\n // CPU to halt which will generate meaningless results.\n do {\n for (i = 0; i < 1000000; i++);\n if (gettimeofday(&end, 0)) {\n perror(\"gettimeofday\");\n return 0.0;\n }\n tsc_end = cpuCycles();\n } while (get_us_interval(&start, &end) < 5000);\n\n return nearbyint((tsc_end - tsc_start) * 1.0\n / (get_us_interval(&start, &end)));\n}", "project": "hhvm", "hash": 82995547803504983128639277702102155539, "size": 25, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219071 }, { "func": "Profiler::Profiler(bool needCPUAffinity) : m_successful(true),\n m_stack(nullptr),\n m_frame_free_list(nullptr),\n m_has_affinity(needCPUAffinity) {\n if (!s_rand_initialized) {\n s_rand_initialized = true;\n srand(math_generate_seed());\n }\n\n if (m_has_affinity) {\n //\n // Bind to a random cpu so that we can use rdtsc instruction.\n //\n int cur_cpu_id = rand() % s_machine.m_cpu_num;\n GET_AFFINITY(0, sizeof(cpu_set_t), &m_prev_mask);\n MachineInfo::BindToCPU(cur_cpu_id);\n m_MHz = s_machine.m_cpu_frequencies[cur_cpu_id];\n } else {\n //\n // Take cpu0's speed as a proxy for all cpus.\n //\n m_MHz = s_machine.m_cpu_frequencies[0];\n }\n\n memset(m_func_hash_counters, 0, sizeof(m_func_hash_counters));\n}", "project": "hhvm", "hash": 228890197525810853672696827937472522779, "size": 26, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219669 }, { "func": "Open_table_context::Open_table_context(THD *thd, uint flags)\n :m_thd(thd),\n m_failed_table(NULL),\n m_start_of_statement_svp(thd->mdl_context.mdl_savepoint()),\n m_timeout(flags & MYSQL_LOCK_IGNORE_TIMEOUT ?\n LONG_TIMEOUT : thd->variables.lock_wait_timeout),\n m_flags(flags),\n m_action(OT_NO_ACTION),\n 
m_has_locks(thd->mdl_context.has_locks()),\n m_has_protection_against_grl(0)\n{}", "target": 0, "cwe": [ "CWE-416" ], "project": "server", "commit_id": "0beed9b5e933f0ff79b3bb346524f7a451d14e38", "hash": 231716104947654513237673151084075997257, "size": 11, "message": "MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING\n\nwhen resolving WHERE and ON clauses, do not look in\nSELECT list/aliases.", "dataset": "other", "idx": 514562 } ] }, { "call_depth": 2, "longest_call_chain": [ "repodata_insert_keyid", "repodata_key2id" ], "group_size": 8, "functions": [ { "func": "repodata_set(Repodata *data, Id solvid, Repokey *key, Id val)\n{\n Id keyid;\n\n keyid = repodata_key2id(data, key, 1);\n repodata_insert_keyid(data, solvid, keyid, val, 1);\n}", "project": "libsolv", "hash": 265395641112341355673876176285320051140, "size": 7, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333099 }, { "func": "repodata_add_stubkey(Repodata *data, Id keyname, Id keytype)\n{\n Repokey xkey;\n\n xkey.name = keyname;\n xkey.type = keytype;\n xkey.storage = KEY_STORAGE_INCORE;\n xkey.size = 0;\n repodata_key2id(data, &xkey, 1);\n}", "project": "libsolv", "hash": 195553579540744494227336917437909307074, "size": 10, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333128 }, { "func": "repodata_set_id(Repodata *data, Id solvid, Id keyname, Id id)\n{\n Repokey key;\n key.name = keyname;\n key.type = 
REPOKEY_TYPE_ID;\n key.size = 0;\n key.storage = KEY_STORAGE_INCORE;\n repodata_set(data, solvid, &key, id);\n}", "project": "libsolv", "hash": 322873194711386825155043017029628630614, "size": 9, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333130 }, { "func": "repodata_set_constantid(Repodata *data, Id solvid, Id keyname, Id id)\n{\n Repokey key;\n key.name = keyname;\n key.type = REPOKEY_TYPE_CONSTANTID;\n key.size = id;\n key.storage = KEY_STORAGE_INCORE;\n repodata_set(data, solvid, &key, 0);\n}", "project": "libsolv", "hash": 302710374307563152767082566035589346827, "size": 9, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333148 }, { "func": "repodata_set_constant(Repodata *data, Id solvid, Id keyname, unsigned int constant)\n{\n Repokey key;\n key.name = keyname;\n key.type = REPOKEY_TYPE_CONSTANT;\n key.size = constant;\n key.storage = KEY_STORAGE_INCORE;\n repodata_set(data, solvid, &key, 0);\n}", "project": "libsolv", "hash": 96782421605285094343022402102155426946, "size": 9, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333162 }, { "func": "repodata_set_void(Repodata *data, Id solvid, Id keyname)\n{\n Repokey key;\n key.name = 
keyname;\n key.type = REPOKEY_TYPE_VOID;\n key.size = 0;\n key.storage = KEY_STORAGE_INCORE;\n repodata_set(data, solvid, &key, 0);\n}", "project": "libsolv", "hash": 165985950941020655660961136560028516968, "size": 9, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333186 }, { "func": "repodata_set_idarray(Repodata *data, Id solvid, Id keyname, Queue *q)\n{\n Repokey key;\n int i;\n\n key.name = keyname;\n key.type = REPOKEY_TYPE_IDARRAY;\n key.size = 0;\n key.storage = KEY_STORAGE_INCORE;\n repodata_set(data, solvid, &key, data->attriddatalen);\n data->attriddata = solv_extend(data->attriddata, data->attriddatalen, q->count + 1, sizeof(Id), REPODATA_ATTRIDDATA_BLOCK);\n for (i = 0; i < q->count; i++)\n data->attriddata[data->attriddatalen++] = q->elements[i];\n data->attriddata[data->attriddatalen++] = 0;\n}", "project": "libsolv", "hash": 164155584293236050598438108865125249783, "size": 15, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333201 }, { "func": "repodata_unset(Repodata *data, Id solvid, Id keyname)\n{\n Repokey key;\n key.name = keyname;\n key.type = REPOKEY_TYPE_DELETED;\n key.size = 0;\n key.storage = KEY_STORAGE_INCORE;\n repodata_set(data, solvid, &key, 0);\n}", "project": "libsolv", "hash": 146338794506937882088756913553221904223, "size": 9, "commit_id": "fdb9c9c03508990e4583046b590c30d958f272da", "message": "repodata_schema2id: fix heap-buffer-overflow in memcmp\n\nWhen the length of last schema 
in data->schemadata is\nless than length of input schema, we got a read overflow\nin asan test.\n\nSigned-off-by: Zhipeng Xie ", "target": 0, "dataset": "other", "idx": 333212 } ] }, { "call_depth": 14, "longest_call_chain": [ "nfs4_xdr_dec_symlink", "nfs4_xdr_dec_create", "decode_getfattr_label", "decode_getfattr_generic", "decode_getfattr_attrs", "decode_attr_mdsthreshold", "decode_first_threshold_item4", "decode_attr_length", "xdr_inline_decode", "xdr_set_next_buffer", "xdr_set_next_page", "xdr_set_page_base", "xdr_stream_page_set_pos", "xdr_stream_set_pos" ], "group_size": 214, "functions": [ { "func": "static int nfs4_xdr_dec_read(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs_pgio_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tres->op_status = hdr.status;\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_read(xdr, rqstp, res);\n\tif (!status)\n\t\tstatus = res->count;\nout:\n\treturn status;\n}", "project": "linux", "hash": 304647254572790537906679293768581913409, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431076 }, { "func": "static int nfs4_xdr_dec_rename(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs_renameres *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto 
out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_savefh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_rename(xdr, &res->old_cinfo, &res->new_cinfo);\nout:\n\treturn status;\n}", "project": "linux", "hash": 122290421687140800692805330183599732739, "size": 26, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431142 }, { "func": "static int decode_attr_layout_blksize(struct xdr_stream *xdr, uint32_t *bitmap,\n\t\t\t\t uint32_t *res)\n{\n\t__be32 *p;\n\n\tdprintk(\"%s: bitmap is %x\\n\", __func__, bitmap[2]);\n\t*res = 0;\n\tif (bitmap[2] & FATTR4_WORD2_LAYOUT_BLKSIZE) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\t*res = be32_to_cpup(p);\n\t\tbitmap[2] &= ~FATTR4_WORD2_LAYOUT_BLKSIZE;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 23274630596876811081255042928630710281, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430951 }, { "func": "static int decode_fsinfo(struct 
xdr_stream *xdr, struct nfs_fsinfo *fsinfo)\n{\n\tunsigned int savep;\n\tuint32_t attrlen, bitmap[3];\n\tint status;\n\n\tif ((status = decode_op_hdr(xdr, OP_GETATTR)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_bitmap(xdr, bitmap)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_length(xdr, &attrlen, &savep)) != 0)\n\t\tgoto xdr_error;\n\n\tfsinfo->rtmult = fsinfo->wtmult = 512;\t/* ??? */\n\n\tif ((status = decode_attr_lease_time(xdr, bitmap, &fsinfo->lease_time)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_maxfilesize(xdr, bitmap, &fsinfo->maxfilesize)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_maxread(xdr, bitmap, &fsinfo->rtmax)) != 0)\n\t\tgoto xdr_error;\n\tfsinfo->rtpref = fsinfo->dtpref = fsinfo->rtmax;\n\tif ((status = decode_attr_maxwrite(xdr, bitmap, &fsinfo->wtmax)) != 0)\n\t\tgoto xdr_error;\n\tfsinfo->wtpref = fsinfo->wtmax;\n\n\tstatus = -EIO;\n\tif (unlikely(bitmap[0]))\n\t\tgoto xdr_error;\n\n\tstatus = decode_attr_time_delta(xdr, bitmap, &fsinfo->time_delta);\n\tif (status != 0)\n\t\tgoto xdr_error;\n\tstatus = decode_attr_pnfstype(xdr, bitmap, fsinfo);\n\tif (status != 0)\n\t\tgoto xdr_error;\n\n\tstatus = -EIO;\n\tif (unlikely(bitmap[1]))\n\t\tgoto xdr_error;\n\n\tstatus = decode_attr_layout_blksize(xdr, bitmap, &fsinfo->blksize);\n\tif (status)\n\t\tgoto xdr_error;\n\tstatus = decode_attr_clone_blksize(xdr, bitmap, &fsinfo->clone_blksize);\n\tif (status)\n\t\tgoto xdr_error;\n\n\tstatus = decode_attr_xattrsupport(xdr, bitmap,\n\t\t\t\t\t &fsinfo->xattr_support);\n\tif (status)\n\t\tgoto xdr_error;\n\n\tstatus = verify_attr_len(xdr, savep, attrlen);\nxdr_error:\n\tdprintk(\"%s: xdr returned %d!\\n\", __func__, -status);\n\treturn status;\n}", "project": "linux", "hash": 70670062986414296645943863166447083288, "size": 58, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() 
before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431070 }, { "func": "static int decode_create_session(struct xdr_stream *xdr,\n\t\t\t\t struct nfs41_create_session_res *res)\n{\n\t__be32 *p;\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_CREATE_SESSION);\n\tif (!status)\n\t\tstatus = decode_sessionid(xdr, &res->sessionid);\n\tif (unlikely(status))\n\t\treturn status;\n\n\t/* seqid, flags */\n\tp = xdr_inline_decode(xdr, 8);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tres->seqid = be32_to_cpup(p++);\n\tres->flags = be32_to_cpup(p);\n\n\t/* Channel attributes */\n\tstatus = decode_chan_attrs(xdr, &res->fc_attrs);\n\tif (!status)\n\t\tstatus = decode_chan_attrs(xdr, &res->bc_attrs);\n\treturn status;\n}", "project": "linux", "hash": 37416207974603803052684472381626969494, "size": 25, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431246 }, { "func": "static int decode_attr_time_access(struct xdr_stream *xdr, uint32_t *bitmap, struct timespec64 *time)\n{\n\tint status = 0;\n\n\ttime->tv_sec = 0;\n\ttime->tv_nsec = 0;\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_TIME_ACCESS - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[1] & FATTR4_WORD1_TIME_ACCESS)) {\n\t\tstatus = decode_attr_time(xdr, time);\n\t\tif (status == 0)\n\t\t\tstatus = NFS_ATTR_FATTR_ATIME;\n\t\tbitmap[1] &= 
~FATTR4_WORD1_TIME_ACCESS;\n\t}\n\tdprintk(\"%s: atime=%lld\\n\", __func__, time->tv_sec);\n\treturn status;\n}", "project": "linux", "hash": 186924855362015612989395460268427014886, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431512 }, { "func": "static void xdr_buf_pages_copy_left(const struct xdr_buf *buf,\n\t\t\t\t unsigned int base, unsigned int len,\n\t\t\t\t unsigned int shift)\n{\n\tunsigned int pgto;\n\n\tif (base >= buf->page_len)\n\t\treturn;\n\tif (len > buf->page_len - base)\n\t\tlen = buf->page_len - base;\n\t/* Shift data into head */\n\tif (shift > base) {\n\t\tconst struct kvec *head = buf->head;\n\t\tunsigned int hdto = head->iov_len + base - shift;\n\t\tunsigned int hdlen = len;\n\n\t\tif (WARN_ONCE(shift > head->iov_len + base,\n\t\t\t \"SUNRPC: Misaligned data.\\n\"))\n\t\t\treturn;\n\t\tif (hdto + hdlen > head->iov_len)\n\t\t\thdlen = head->iov_len - hdto;\n\t\t_copy_from_pages(head->iov_base + hdto, buf->pages,\n\t\t\t\t buf->page_base + base, hdlen);\n\t\tbase += hdlen;\n\t\tlen -= hdlen;\n\t\tif (!len)\n\t\t\treturn;\n\t}\n\tpgto = base - shift;\n\t_shift_data_left_pages(buf->pages, buf->page_base + pgto,\n\t\t\t buf->page_base + base, len);\n}", "project": "linux", "hash": 30435696005593937606347044937959356164, "size": 32, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with 
a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481082 }, { "func": "static int decode_attr_space_free(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res)\n{\n\t__be32 *p;\n\tint status = 0;\n\n\t*res = 0;\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_SPACE_FREE - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[1] & FATTR4_WORD1_SPACE_FREE)) {\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, res);\n\t\tbitmap[1] &= ~FATTR4_WORD1_SPACE_FREE;\n\t}\n\tdprintk(\"%s: space free=%Lu\\n\", __func__, (unsigned long long)*res);\n\treturn status;\n}", "project": "linux", "hash": 280892502980614907111117557666931671464, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431599 }, { "func": "static int decode_attr_files_avail(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res)\n{\n\t__be32 *p;\n\tint status = 0;\n\n\t*res = 0;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_FILES_AVAIL - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_FILES_AVAIL)) {\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, res);\n\t\tbitmap[0] &= 
~FATTR4_WORD0_FILES_AVAIL;\n\t}\n\tdprintk(\"%s: files avail=%Lu\\n\", __func__, (unsigned long long)*res);\n\treturn status;\n}", "project": "linux", "hash": 191852633305378864689174252877983145786, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431412 }, { "func": "static int decode_attr_symlink_support(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)\n{\n\t__be32 *p;\n\n\t*res = 0;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_SYMLINK_SUPPORT - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_SYMLINK_SUPPORT)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\t*res = be32_to_cpup(p);\n\t\tbitmap[0] &= ~FATTR4_WORD0_SYMLINK_SUPPORT;\n\t}\n\tdprintk(\"%s: symlink support=%s\\n\", __func__, *res == 0 ? 
\"false\" : \"true\");\n\treturn 0;\n}", "project": "linux", "hash": 61154238508853649795512015206527381020, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431377 }, { "func": "static int nfs4_xdr_dec_create(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs4_create_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_create(xdr, &res->dir_cinfo);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_getfh(xdr, res->fh);\n\tif (status)\n\t\tgoto out;\n\tdecode_getfattr_label(xdr, res->fattr, res->label, res->server);\nout:\n\treturn status;\n}", "project": "linux", "hash": 69536205817104750526144818926739698665, "size": 26, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431456 }, { "func": "static int decode_attr_clone_blksize(struct xdr_stream *xdr, uint32_t *bitmap,\n\t\t\t\t uint32_t *res)\n{\n\t__be32 *p;\n\n\tdprintk(\"%s: 
bitmap is %x\\n\", __func__, bitmap[2]);\n\t*res = 0;\n\tif (bitmap[2] & FATTR4_WORD2_CLONE_BLKSIZE) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\t*res = be32_to_cpup(p);\n\t\tbitmap[2] &= ~FATTR4_WORD2_CLONE_BLKSIZE;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 33218891601616164207323199288242531523, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431546 }, { "func": "static int decode_attr_time(struct xdr_stream *xdr, struct timespec64 *time)\n{\n\t__be32 *p;\n\n\tp = xdr_inline_decode(xdr, nfstime4_maxsz << 2);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\txdr_decode_nfstime4(p, time);\n\treturn 0;\n}", "project": "linux", "hash": 127181165118921814994839655257394490784, "size": 10, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431420 }, { "func": "static int decode_attr_time_modify(struct xdr_stream *xdr, uint32_t *bitmap, struct timespec64 *time)\n{\n\tint status = 0;\n\n\ttime->tv_sec = 0;\n\ttime->tv_nsec = 0;\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_TIME_MODIFY - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[1] & FATTR4_WORD1_TIME_MODIFY)) {\n\t\tstatus 
= decode_attr_time(xdr, time);\n\t\tif (status == 0)\n\t\t\tstatus = NFS_ATTR_FATTR_MTIME;\n\t\tbitmap[1] &= ~FATTR4_WORD1_TIME_MODIFY;\n\t}\n\tdprintk(\"%s: mtime=%lld\\n\", __func__, time->tv_sec);\n\treturn status;\n}", "project": "linux", "hash": 203396715571752805240799724829635588445, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431298 }, { "func": "static int decode_lookupp(struct xdr_stream *xdr)\n{\n\treturn decode_op_hdr(xdr, OP_LOOKUPP);\n}", "project": "linux", "hash": 118950902837007331335878861056459880136, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431193 }, { "func": "static void xdr_set_page(struct xdr_stream *xdr, unsigned int base,\n\t\t\t unsigned int len)\n{\n\tif (xdr_set_page_base(xdr, base, len) == 0) {\n\t\tbase -= xdr->buf->page_len;\n\t\txdr_set_tail_base(xdr, base, len);\n\t}\n}", "project": "linux", "hash": 5234410328572197194460317346665001983, "size": 8, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on 
NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481098 }, { "func": "static int decode_secinfo_no_name(struct xdr_stream *xdr, struct nfs4_secinfo_res *res)\n{\n\tint status = decode_op_hdr(xdr, OP_SECINFO_NO_NAME);\n\tif (status)\n\t\treturn status;\n\treturn decode_secinfo_common(xdr, res);\n}", "project": "linux", "hash": 222875606284163252991388642234852122243, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430992 }, { "func": "static int nfs4_xdr_dec_lock(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs_lock_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_lock(xdr, res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 289080995651227631313706432714563423811, "size": 20, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory 
overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431108 }, { "func": "static int decode_attr_mdsthreshold(struct xdr_stream *xdr,\n\t\t\t\t uint32_t *bitmap,\n\t\t\t\t struct nfs4_threshold *res)\n{\n\t__be32 *p;\n\tint status = 0;\n\tuint32_t num;\n\n\tif (unlikely(bitmap[2] & (FATTR4_WORD2_MDSTHRESHOLD - 1U)))\n\t\treturn -EIO;\n\tif (bitmap[2] & FATTR4_WORD2_MDSTHRESHOLD) {\n\t\t/* Did the server return an unrequested attribute? */\n\t\tif (unlikely(res == NULL))\n\t\t\treturn -EREMOTEIO;\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tnum = be32_to_cpup(p);\n\t\tif (num == 0)\n\t\t\treturn 0;\n\t\tif (num > 1)\n\t\t\tprintk(KERN_INFO \"%s: Warning: Multiple pNFS layout \"\n\t\t\t\t\"drivers per filesystem not supported\\n\",\n\t\t\t\t__func__);\n\n\t\tstatus = decode_first_threshold_item4(xdr, res);\n\t\tbitmap[2] &= ~FATTR4_WORD2_MDSTHRESHOLD;\n\t}\n\treturn status;\n}", "project": "linux", "hash": 107140620308532443620123028961188843900, "size": 30, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431191 }, { "func": "int xdr_decode_word(const struct xdr_buf *buf, unsigned int base, u32 *obj)\n{\n\t__be32\traw;\n\tint\tstatus;\n\n\tstatus = read_bytes_from_xdr_buf(buf, base, &raw, 
sizeof(*obj));\n\tif (status)\n\t\treturn status;\n\t*obj = be32_to_cpu(raw);\n\treturn 0;\n}", "project": "linux", "hash": 66938532445198439598607968803987542078, "size": 11, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481038 }, { "func": "static unsigned int xdr_set_page_base(struct xdr_stream *xdr,\n\t\t\t\t unsigned int base, unsigned int len)\n{\n\tunsigned int pgnr;\n\tunsigned int maxlen;\n\tunsigned int pgoff;\n\tunsigned int pgend;\n\tvoid *kaddr;\n\n\tmaxlen = xdr->buf->page_len;\n\tif (base >= maxlen) {\n\t\tbase = maxlen;\n\t\tmaxlen = 0;\n\t} else\n\t\tmaxlen -= base;\n\tif (len > maxlen)\n\t\tlen = maxlen;\n\n\txdr_stream_page_set_pos(xdr, base);\n\tbase += xdr->buf->page_base;\n\n\tpgnr = base >> PAGE_SHIFT;\n\txdr->page_ptr = &xdr->buf->pages[pgnr];\n\tkaddr = page_address(*xdr->page_ptr);\n\n\tpgoff = base & ~PAGE_MASK;\n\txdr->p = (__be32*)(kaddr + pgoff);\n\n\tpgend = pgoff + len;\n\tif (pgend > PAGE_SIZE)\n\t\tpgend = PAGE_SIZE;\n\txdr->end = (__be32*)(kaddr + pgend);\n\txdr->iov = NULL;\n\treturn len;\n}", "project": "linux", "hash": 274422321753562622361315728373118052641, "size": 35, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI 
found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 1, "dataset": "other", "idx": 214890 }, { "func": "static unsigned int xdr_set_page_base(struct xdr_stream *xdr,\n\t\t\t\t unsigned int base, unsigned int len)\n{\n\tunsigned int pgnr;\n\tunsigned int maxlen;\n\tunsigned int pgoff;\n\tunsigned int pgend;\n\tvoid *kaddr;\n\n\tmaxlen = xdr->buf->page_len;\n\tif (base >= maxlen)\n\t\treturn 0;\n\telse\n\t\tmaxlen -= base;\n\tif (len > maxlen)\n\t\tlen = maxlen;\n\n\txdr_stream_page_set_pos(xdr, base);\n\tbase += xdr->buf->page_base;\n\n\tpgnr = base >> PAGE_SHIFT;\n\txdr->page_ptr = &xdr->buf->pages[pgnr];\n\tkaddr = page_address(*xdr->page_ptr);\n\n\tpgoff = base & ~PAGE_MASK;\n\txdr->p = (__be32*)(kaddr + pgoff);\n\n\tpgend = pgoff + len;\n\tif (pgend > PAGE_SIZE)\n\t\tpgend = PAGE_SIZE;\n\txdr->end = (__be32*)(kaddr + pgend);\n\txdr->iov = NULL;\n\treturn len;\n}", "project": "linux", "hash": 272280587655938095471660267479071957383, "size": 34, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481051 }, { "func": "static int decode_invalid_stateid(struct xdr_stream *xdr, nfs4_stateid *stateid)\n{\n\tnfs4_stateid dummy;\n\n\tnfs4_stateid_copy(stateid, &invalid_stateid);\n\treturn decode_stateid(xdr, &dummy);\n}", "project": "linux", "hash": 107826080757104805217903642720469646385, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431079 }, { "func": "static void xdr_stream_page_set_pos(struct xdr_stream *xdr, unsigned int pos)\n{\n\txdr_stream_set_pos(xdr, pos + xdr->buf->head[0].iov_len);\n}", "project": "linux", "hash": 260167376105389261239054978384322091254, "size": 4, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481045 }, { "func": "static int nfs4_xdr_dec_fsid_present(struct rpc_rqst *rqstp,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs4_fsid_present_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_getfh(xdr, res->fh);\n\tif (status)\n\t\tgoto out;\n\tif (res->renew)\n\t\tstatus = decode_renew(xdr);\nout:\n\treturn status;\n}", "project": "linux", "hash": 178183787088381370779070975925794585013, "size": 25, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431440 }, { "func": "static int decode_delegation_stateid(struct xdr_stream *xdr, nfs4_stateid *stateid)\n{\n\tstateid->type = NFS4_DELEGATION_STATEID_TYPE;\n\treturn decode_stateid(xdr, stateid);\n}", "project": "linux", "hash": 21110094195644708266409382640277641391, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before 
memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431493 }, { "func": "static int decode_attr_space_avail(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res)\n{\n\t__be32 *p;\n\tint status = 0;\n\n\t*res = 0;\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_SPACE_AVAIL - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[1] & FATTR4_WORD1_SPACE_AVAIL)) {\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, res);\n\t\tbitmap[1] &= ~FATTR4_WORD1_SPACE_AVAIL;\n\t}\n\tdprintk(\"%s: space avail=%Lu\\n\", __func__, (unsigned long long)*res);\n\treturn status;\n}", "project": "linux", "hash": 143468167827913396617841758139316845857, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431050 }, { "func": "static int decode_sessionid(struct xdr_stream *xdr, struct nfs4_sessionid *sid)\n{\n\treturn decode_opaque_fixed(xdr, sid->data, NFS4_MAX_SESSIONID_LEN);\n}", "project": "linux", "hash": 236600875702791495309051535503139742646, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of 
Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431372 }, { "func": "static int nfs4_xdr_dec_open_downgrade(struct rpc_rqst *rqstp,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs_closeres *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tif (res->lr_res) {\n\t\tstatus = decode_layoutreturn(xdr, res->lr_res);\n\t\tres->lr_ret = status;\n\t\tif (status)\n\t\t\tgoto out;\n\t}\n\tstatus = decode_open_downgrade(xdr, res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 13398790080404043938577768403543000737, "size": 27, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431220 }, { "func": "static int decode_exchange_id(struct xdr_stream *xdr,\n\t\t\t struct nfs41_exchange_id_res *res)\n{\n\t__be32 *p;\n\tuint32_t dummy;\n\tchar *dummy_str;\n\tint status;\n\tuint32_t impl_id_count;\n\n\tstatus = decode_op_hdr(xdr, OP_EXCHANGE_ID);\n\tif (status)\n\t\treturn status;\n\n\tp = xdr_inline_decode(xdr, 8);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\txdr_decode_hyper(p, &res->clientid);\n\tp = xdr_inline_decode(xdr, 12);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tres->seqid = be32_to_cpup(p++);\n\tres->flags = be32_to_cpup(p++);\n\n\tres->state_protect.how = 
be32_to_cpup(p);\n\tswitch (res->state_protect.how) {\n\tcase SP4_NONE:\n\t\tbreak;\n\tcase SP4_MACH_CRED:\n\t\tstatus = decode_op_map(xdr, &res->state_protect.enforce);\n\t\tif (status)\n\t\t\treturn status;\n\t\tstatus = decode_op_map(xdr, &res->state_protect.allow);\n\t\tif (status)\n\t\t\treturn status;\n\t\tbreak;\n\tdefault:\n\t\tWARN_ON_ONCE(1);\n\t\treturn -EIO;\n\t}\n\n\t/* server_owner4.so_minor_id */\n\tp = xdr_inline_decode(xdr, 8);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tp = xdr_decode_hyper(p, &res->server_owner->minor_id);\n\n\t/* server_owner4.so_major_id */\n\tstatus = decode_opaque_inline(xdr, &dummy, &dummy_str);\n\tif (unlikely(status))\n\t\treturn status;\n\tmemcpy(res->server_owner->major_id, dummy_str, dummy);\n\tres->server_owner->major_id_sz = dummy;\n\n\t/* server_scope4 */\n\tstatus = decode_opaque_inline(xdr, &dummy, &dummy_str);\n\tif (unlikely(status))\n\t\treturn status;\n\tmemcpy(res->server_scope->server_scope, dummy_str, dummy);\n\tres->server_scope->server_scope_sz = dummy;\n\n\t/* Implementation Id */\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\timpl_id_count = be32_to_cpup(p++);\n\n\tif (impl_id_count) {\n\t\t/* nii_domain */\n\t\tstatus = decode_opaque_inline(xdr, &dummy, &dummy_str);\n\t\tif (unlikely(status))\n\t\t\treturn status;\n\t\tmemcpy(res->impl_id->domain, dummy_str, dummy);\n\n\t\t/* nii_name */\n\t\tstatus = decode_opaque_inline(xdr, &dummy, &dummy_str);\n\t\tif (unlikely(status))\n\t\t\treturn status;\n\t\tmemcpy(res->impl_id->name, dummy_str, dummy);\n\n\t\t/* nii_date */\n\t\tp = xdr_inline_decode(xdr, 12);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tp = xdr_decode_hyper(p, &res->impl_id->date.seconds);\n\t\tres->impl_id->date.nseconds = be32_to_cpup(p);\n\n\t\t/* if there's more than one entry, ignore the rest */\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 313057039652794208277028441142997112676, "size": 90, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", 
"message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431184 }, { "func": "int read_bytes_from_xdr_buf(const struct xdr_buf *buf, unsigned int base,\n\t\t\t void *obj, unsigned int len)\n{\n\tstruct xdr_buf subbuf;\n\tint status;\n\n\tstatus = xdr_buf_subsegment(buf, &subbuf, base, len);\n\tif (status != 0)\n\t\treturn status;\n\t__read_bytes_from_xdr_buf(&subbuf, obj, len);\n\treturn 0;\n}", "project": "linux", "hash": 295344793464533420519863523838073719653, "size": 12, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481094 }, { "func": "static int decode_attr_length(struct xdr_stream *xdr, uint32_t *attrlen, unsigned int *savep)\n{\n\t__be32 *p;\n\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\t*attrlen = be32_to_cpup(p);\n\t*savep = xdr_stream_pos(xdr);\n\treturn 0;\n}", "project": "linux", "hash": 50939250192623854025100665167789192301, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431233 }, { "func": "static bool xdr_set_next_buffer(struct xdr_stream *xdr)\n{\n\tif (xdr->page_ptr != NULL)\n\t\txdr_set_next_page(xdr);\n\telse if (xdr->iov == xdr->buf->head)\n\t\txdr_set_page(xdr, 0, xdr_stream_remaining(xdr));\n\treturn xdr->p != xdr->end;\n}", "project": "linux", "hash": 4553039352544517299396837252237277587, "size": 8, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481073 }, { "func": "static int nfs4_xdr_dec_lockt(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs_lockt_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_lockt(xdr, res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 64455922632587487386513658788212361615, "size": 20, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431256 }, { "func": "int xdr_decode_array2(const struct xdr_buf *buf, unsigned int base,\n\t\t struct xdr_array2_desc *desc)\n{\n\tif (base >= buf->len)\n\t\treturn -EINVAL;\n\n\treturn xdr_xcode_array2(buf, base, desc, 0);\n}", "project": "linux", "hash": 193102350282648192163247279370915949241, "size": 8, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] 
with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481049 }, { "func": "static int xdr_xcode_array2(const struct xdr_buf *buf, unsigned int base,\n\t\t\t struct xdr_array2_desc *desc, int encode)\n{\n\tchar *elem = NULL, *c;\n\tunsigned int copied = 0, todo, avail_here;\n\tstruct page **ppages = NULL;\n\tint err;\n\n\tif (encode) {\n\t\tif (xdr_encode_word(buf, base, desc->array_len) != 0)\n\t\t\treturn -EINVAL;\n\t} else {\n\t\tif (xdr_decode_word(buf, base, &desc->array_len) != 0 ||\n\t\t desc->array_len > desc->array_maxlen ||\n\t\t (unsigned long) base + 4 + desc->array_len *\n\t\t\t\t desc->elem_size > buf->len)\n\t\t\treturn -EINVAL;\n\t}\n\tbase += 4;\n\n\tif (!desc->xcode)\n\t\treturn 0;\n\n\ttodo = desc->array_len * desc->elem_size;\n\n\t/* process head */\n\tif (todo && base < buf->head->iov_len) {\n\t\tc = buf->head->iov_base + base;\n\t\tavail_here = min_t(unsigned int, todo,\n\t\t\t\t buf->head->iov_len - base);\n\t\ttodo -= avail_here;\n\n\t\twhile (avail_here >= desc->elem_size) {\n\t\t\terr = desc->xcode(desc, c);\n\t\t\tif (err)\n\t\t\t\tgoto out;\n\t\t\tc += desc->elem_size;\n\t\t\tavail_here -= desc->elem_size;\n\t\t}\n\t\tif (avail_here) {\n\t\t\tif (!elem) {\n\t\t\t\telem = kmalloc(desc->elem_size, GFP_KERNEL);\n\t\t\t\terr = -ENOMEM;\n\t\t\t\tif (!elem)\n\t\t\t\t\tgoto out;\n\t\t\t}\n\t\t\tif (encode) {\n\t\t\t\terr = desc->xcode(desc, elem);\n\t\t\t\tif (err)\n\t\t\t\t\tgoto out;\n\t\t\t\tmemcpy(c, elem, avail_here);\n\t\t\t} else\n\t\t\t\tmemcpy(elem, c, avail_here);\n\t\t\tcopied = avail_here;\n\t\t}\n\t\tbase = buf->head->iov_len; /* align to start of pages */\n\t}\n\n\t/* 
process pages array */\n\tbase -= buf->head->iov_len;\n\tif (todo && base < buf->page_len) {\n\t\tunsigned int avail_page;\n\n\t\tavail_here = min(todo, buf->page_len - base);\n\t\ttodo -= avail_here;\n\n\t\tbase += buf->page_base;\n\t\tppages = buf->pages + (base >> PAGE_SHIFT);\n\t\tbase &= ~PAGE_MASK;\n\t\tavail_page = min_t(unsigned int, PAGE_SIZE - base,\n\t\t\t\t\tavail_here);\n\t\tc = kmap(*ppages) + base;\n\n\t\twhile (avail_here) {\n\t\t\tavail_here -= avail_page;\n\t\t\tif (copied || avail_page < desc->elem_size) {\n\t\t\t\tunsigned int l = min(avail_page,\n\t\t\t\t\tdesc->elem_size - copied);\n\t\t\t\tif (!elem) {\n\t\t\t\t\telem = kmalloc(desc->elem_size,\n\t\t\t\t\t\t GFP_KERNEL);\n\t\t\t\t\terr = -ENOMEM;\n\t\t\t\t\tif (!elem)\n\t\t\t\t\t\tgoto out;\n\t\t\t\t}\n\t\t\t\tif (encode) {\n\t\t\t\t\tif (!copied) {\n\t\t\t\t\t\terr = desc->xcode(desc, elem);\n\t\t\t\t\t\tif (err)\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t}\n\t\t\t\t\tmemcpy(c, elem + copied, l);\n\t\t\t\t\tcopied += l;\n\t\t\t\t\tif (copied == desc->elem_size)\n\t\t\t\t\t\tcopied = 0;\n\t\t\t\t} else {\n\t\t\t\t\tmemcpy(elem + copied, c, l);\n\t\t\t\t\tcopied += l;\n\t\t\t\t\tif (copied == desc->elem_size) {\n\t\t\t\t\t\terr = desc->xcode(desc, elem);\n\t\t\t\t\t\tif (err)\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\tcopied = 0;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tavail_page -= l;\n\t\t\t\tc += l;\n\t\t\t}\n\t\t\twhile (avail_page >= desc->elem_size) {\n\t\t\t\terr = desc->xcode(desc, c);\n\t\t\t\tif (err)\n\t\t\t\t\tgoto out;\n\t\t\t\tc += desc->elem_size;\n\t\t\t\tavail_page -= desc->elem_size;\n\t\t\t}\n\t\t\tif (avail_page) {\n\t\t\t\tunsigned int l = min(avail_page,\n\t\t\t\t\t desc->elem_size - copied);\n\t\t\t\tif (!elem) {\n\t\t\t\t\telem = kmalloc(desc->elem_size,\n\t\t\t\t\t\t GFP_KERNEL);\n\t\t\t\t\terr = -ENOMEM;\n\t\t\t\t\tif (!elem)\n\t\t\t\t\t\tgoto out;\n\t\t\t\t}\n\t\t\t\tif (encode) {\n\t\t\t\t\tif (!copied) {\n\t\t\t\t\t\terr = desc->xcode(desc, elem);\n\t\t\t\t\t\tif 
(err)\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t}\n\t\t\t\t\tmemcpy(c, elem + copied, l);\n\t\t\t\t\tcopied += l;\n\t\t\t\t\tif (copied == desc->elem_size)\n\t\t\t\t\t\tcopied = 0;\n\t\t\t\t} else {\n\t\t\t\t\tmemcpy(elem + copied, c, l);\n\t\t\t\t\tcopied += l;\n\t\t\t\t\tif (copied == desc->elem_size) {\n\t\t\t\t\t\terr = desc->xcode(desc, elem);\n\t\t\t\t\t\tif (err)\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\tcopied = 0;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (avail_here) {\n\t\t\t\tkunmap(*ppages);\n\t\t\t\tppages++;\n\t\t\t\tc = kmap(*ppages);\n\t\t\t}\n\n\t\t\tavail_page = min(avail_here,\n\t\t\t\t (unsigned int) PAGE_SIZE);\n\t\t}\n\t\tbase = buf->page_len; /* align to start of tail */\n\t}\n\n\t/* process tail */\n\tbase -= buf->page_len;\n\tif (todo) {\n\t\tc = buf->tail->iov_base + base;\n\t\tif (copied) {\n\t\t\tunsigned int l = desc->elem_size - copied;\n\n\t\t\tif (encode)\n\t\t\t\tmemcpy(c, elem + copied, l);\n\t\t\telse {\n\t\t\t\tmemcpy(elem + copied, c, l);\n\t\t\t\terr = desc->xcode(desc, elem);\n\t\t\t\tif (err)\n\t\t\t\t\tgoto out;\n\t\t\t}\n\t\t\ttodo -= l;\n\t\t\tc += l;\n\t\t}\n\t\twhile (todo) {\n\t\t\terr = desc->xcode(desc, c);\n\t\t\tif (err)\n\t\t\t\tgoto out;\n\t\t\tc += desc->elem_size;\n\t\t\ttodo -= desc->elem_size;\n\t\t}\n\t}\n\terr = 0;\n\nout:\n\tkfree(elem);\n\tif (ppages)\n\t\tkunmap(*ppages);\n\treturn err;\n}", "project": "linux", "hash": 256833529519034384371113633552510214936, "size": 192, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481103 }, { "func": "static int nfs4_xdr_dec_fsinfo(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs4_fsinfo_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (!status)\n\t\tstatus = decode_sequence(xdr, &res->seq_res, req);\n\tif (!status)\n\t\tstatus = decode_putfh(xdr);\n\tif (!status)\n\t\tstatus = decode_fsinfo(xdr, res->fsinfo);\n\treturn status;\n}", "project": "linux", "hash": 145036155950838326818828573460259455208, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431425 }, { "func": "static int decode_secinfo_common(struct xdr_stream *xdr, struct nfs4_secinfo_res *res)\n{\n\tstruct nfs4_secinfo4 *sec_flavor;\n\tunsigned int i, num_flavors;\n\tint status;\n\t__be32 *p;\n\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\n\tres->flavors->num_flavors = 0;\n\tnum_flavors = be32_to_cpup(p);\n\n\tfor (i = 0; i < num_flavors; i++) {\n\t\tsec_flavor = &res->flavors->flavors[i];\n\t\tif ((char *)&sec_flavor[1] - (char *)res->flavors > PAGE_SIZE)\n\t\t\tbreak;\n\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn 
-EIO;\n\t\tsec_flavor->flavor = be32_to_cpup(p);\n\n\t\tif (sec_flavor->flavor == RPC_AUTH_GSS) {\n\t\t\tstatus = decode_secinfo_gss(xdr, sec_flavor);\n\t\t\tif (status)\n\t\t\t\tgoto out;\n\t\t}\n\t\tres->flavors->num_flavors++;\n\t}\n\n\tstatus = 0;\nout:\n\treturn status;\n}", "project": "linux", "hash": 270335364668099282479704687205812029277, "size": 36, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431464 }, { "func": "static int decode_getfattr_label(struct xdr_stream *xdr, struct nfs_fattr *fattr,\n\t\tstruct nfs4_label *label, const struct nfs_server *server)\n{\n\treturn decode_getfattr_generic(xdr, fattr, NULL, NULL, label, server);\n}", "project": "linux", "hash": 86570273944280305824377187642979651697, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431181 }, { "func": "void xdr_init_decode_pages(struct xdr_stream *xdr, struct xdr_buf *buf,\n\t\t\t struct page **pages, unsigned int len)\n{\n\tmemset(buf, 0, sizeof(*buf));\n\tbuf->pages = pages;\n\tbuf->page_len = len;\n\tbuf->buflen = len;\n\tbuf->len = len;\n\txdr_init_decode(xdr, buf, NULL, NULL);\n}", "project": "linux", "hash": 
258826111872225921079079181648424071654, "size": 10, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481109 }, { "func": "static int nfs4_xdr_dec_locku(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs_locku_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_locku(xdr, res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 158947614947534116635770739678050709983, "size": 20, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431587 }, { "func": "static int decode_attr_supported(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *bitmask)\n{\n\tif (likely(bitmap[0] & FATTR4_WORD0_SUPPORTED_ATTRS)) {\n\t\tint 
ret;\n\t\tret = decode_attr_bitmap(xdr, bitmask);\n\t\tif (unlikely(ret < 0))\n\t\t\treturn ret;\n\t\tbitmap[0] &= ~FATTR4_WORD0_SUPPORTED_ATTRS;\n\t} else\n\t\tbitmask[0] = bitmask[1] = bitmask[2] = 0;\n\tdprintk(\"%s: bitmask=%08x:%08x:%08x\\n\", __func__,\n\t\tbitmask[0], bitmask[1], bitmask[2]);\n\treturn 0;\n}", "project": "linux", "hash": 158950137998583402383437806970836154958, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431504 }, { "func": "static int decode_lockt(struct xdr_stream *xdr, struct nfs_lockt_res *res)\n{\n\tint status;\n\tstatus = decode_op_hdr(xdr, OP_LOCKT);\n\tif (status == -NFS4ERR_DENIED)\n\t\treturn decode_lock_denied(xdr, res->denied);\n\treturn status;\n}", "project": "linux", "hash": 31455589533795522850023719646605761728, "size": 8, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431462 }, { "func": "static int decode_getfattr_generic(struct xdr_stream *xdr, struct nfs_fattr *fattr,\n\t\tstruct nfs_fh *fh, struct nfs4_fs_locations *fs_loc,\n\t\tstruct nfs4_label *label, const struct nfs_server *server)\n{\n\tunsigned int savep;\n\tuint32_t attrlen,\n\t\t bitmap[3] = 
{0};\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_GETATTR);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\n\tstatus = decode_attr_bitmap(xdr, bitmap);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\n\tstatus = decode_attr_length(xdr, &attrlen, &savep);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\n\tstatus = decode_getfattr_attrs(xdr, bitmap, fattr, fh, fs_loc,\n\t\t\t\t\tlabel, server);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\n\tstatus = verify_attr_len(xdr, savep, attrlen);\nxdr_error:\n\tdprintk(\"%s: xdr returned %d\\n\", __func__, -status);\n\treturn status;\n}", "project": "linux", "hash": 32342408155415316833989362979572692136, "size": 31, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431267 }, { "func": "static int decode_link(struct xdr_stream *xdr, struct nfs4_change_info *cinfo)\n{\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_LINK);\n\tif (status)\n\t\treturn status;\n\treturn decode_change_info(xdr, cinfo);\n}", "project": "linux", "hash": 64957577388417810888125403894225921642, "size": 9, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431036 }, { "func": "static int decode_secinfo(struct xdr_stream 
*xdr, struct nfs4_secinfo_res *res)\n{\n\tint status = decode_op_hdr(xdr, OP_SECINFO);\n\tif (status)\n\t\treturn status;\n\treturn decode_secinfo_common(xdr, res);\n}", "project": "linux", "hash": 76618917194732953279120571299113695620, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431370 }, { "func": "static int decode_attr_mounted_on_fileid(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *fileid)\n{\n\t__be32 *p;\n\tint ret = 0;\n\n\t*fileid = 0;\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_MOUNTED_ON_FILEID - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[1] & FATTR4_WORD1_MOUNTED_ON_FILEID)) {\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, fileid);\n\t\tbitmap[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID;\n\t\tret = NFS_ATTR_FATTR_MOUNTED_ON_FILEID;\n\t}\n\tdprintk(\"%s: fileid=%Lu\\n\", __func__, (unsigned long long)*fileid);\n\treturn ret;\n}", "project": "linux", "hash": 156116741770183436420887800458817627560, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431292 }, { "func": "static int decode_attr_type(struct xdr_stream *xdr, 
uint32_t *bitmap, uint32_t *type)\n{\n\t__be32 *p;\n\tint ret = 0;\n\n\t*type = 0;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_TYPE - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_TYPE)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\t*type = be32_to_cpup(p);\n\t\tif (*type < NF4REG || *type > NF4NAMEDATTR) {\n\t\t\tdprintk(\"%s: bad type %d\\n\", __func__, *type);\n\t\t\treturn -EIO;\n\t\t}\n\t\tbitmap[0] &= ~FATTR4_WORD0_TYPE;\n\t\tret = NFS_ATTR_FATTR_TYPE;\n\t}\n\tdprintk(\"%s: type=0%o\\n\", __func__, nfs_type2fmt[*type]);\n\treturn ret;\n}", "project": "linux", "hash": 156535365885210867436330142044165185812, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431167 }, { "func": "static int decode_attr_fh_expire_type(struct xdr_stream *xdr,\n\t\t\t\t uint32_t *bitmap, uint32_t *type)\n{\n\t__be32 *p;\n\n\t*type = 0;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_FH_EXPIRE_TYPE - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_FH_EXPIRE_TYPE)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\t*type = be32_to_cpup(p);\n\t\tbitmap[0] &= ~FATTR4_WORD0_FH_EXPIRE_TYPE;\n\t}\n\tdprintk(\"%s: expire type=0x%x\\n\", __func__, *type);\n\treturn 0;\n}", "project": "linux", "hash": 236972886519963451119391990232459783146, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call 
memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431311 }, { "func": "static int nfs4_xdr_dec_fs_locations(struct rpc_rqst *req,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs4_fs_locations_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, req);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tif (res->migration) {\n\t\txdr_enter_page(xdr, PAGE_SIZE);\n\t\tstatus = decode_getfattr_generic(xdr,\n\t\t\t\t\t&res->fs_locations->fattr,\n\t\t\t\t\t NULL, res->fs_locations,\n\t\t\t\t\t NULL, res->fs_locations->server);\n\t\tif (status)\n\t\t\tgoto out;\n\t\tif (res->renew)\n\t\t\tstatus = decode_renew(xdr);\n\t} else {\n\t\tstatus = decode_lookup(xdr);\n\t\tif (status)\n\t\t\tgoto out;\n\t\txdr_enter_page(xdr, PAGE_SIZE);\n\t\tstatus = decode_getfattr_generic(xdr,\n\t\t\t\t\t&res->fs_locations->fattr,\n\t\t\t\t\t NULL, res->fs_locations,\n\t\t\t\t\t NULL, res->fs_locations->server);\n\t}\nout:\n\treturn status;\n}", "project": "linux", "hash": 199815338408552688627524812546718909635, "size": 40, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430955 }, { "func": "void xdr_terminate_string(const struct xdr_buf *buf, const u32 
len)\n{\n\tchar *kaddr;\n\n\tkaddr = kmap_atomic(buf->pages[0]);\n\tkaddr[buf->page_base + len] = '\\0';\n\tkunmap_atomic(kaddr);\n}", "project": "linux", "hash": 124894026376403289203327237581526558085, "size": 8, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481048 }, { "func": "static int decode_readdir(struct xdr_stream *xdr, struct rpc_rqst *req, struct nfs4_readdir_res *readdir)\n{\n\tint\t\tstatus;\n\t__be32\t\tverf[2];\n\n\tstatus = decode_op_hdr(xdr, OP_READDIR);\n\tif (!status)\n\t\tstatus = decode_verifier(xdr, readdir->verifier.data);\n\tif (unlikely(status))\n\t\treturn status;\n\tmemcpy(verf, readdir->verifier.data, sizeof(verf));\n\tdprintk(\"%s: verifier = %08x:%08x\\n\",\n\t\t\t__func__, verf[0], verf[1]);\n\treturn xdr_read_pages(xdr, xdr->buf->page_len);\n}", "project": "linux", "hash": 190544632997372732603428913088555022153, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", 
"idx": 431335 }, { "func": "static int decode_chan_attrs(struct xdr_stream *xdr,\n\t\t\t struct nfs4_channel_attrs *attrs)\n{\n\t__be32 *p;\n\tu32 nr_attrs, val;\n\n\tp = xdr_inline_decode(xdr, 28);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tval = be32_to_cpup(p++);\t/* headerpadsz */\n\tif (val)\n\t\treturn -EINVAL;\t\t/* no support for header padding yet */\n\tattrs->max_rqst_sz = be32_to_cpup(p++);\n\tattrs->max_resp_sz = be32_to_cpup(p++);\n\tattrs->max_resp_sz_cached = be32_to_cpup(p++);\n\tattrs->max_ops = be32_to_cpup(p++);\n\tattrs->max_reqs = be32_to_cpup(p++);\n\tnr_attrs = be32_to_cpup(p);\n\tif (unlikely(nr_attrs > 1)) {\n\t\tprintk(KERN_WARNING \"NFS: %s: Invalid rdma channel attrs \"\n\t\t\t\"count %u\\n\", __func__, nr_attrs);\n\t\treturn -EINVAL;\n\t}\n\tif (nr_attrs == 1) {\n\t\tp = xdr_inline_decode(xdr, 4); /* skip rdma_attrs */\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 161470280813788593071154207641766843976, "size": 30, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431169 }, { "func": "static int decode_attr_space_used(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *used)\n{\n\t__be32 *p;\n\tint ret = 0;\n\n\t*used = 0;\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_SPACE_USED - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[1] & FATTR4_WORD1_SPACE_USED)) {\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, used);\n\t\tbitmap[1] &= ~FATTR4_WORD1_SPACE_USED;\n\t\tret = NFS_ATTR_FATTR_SPACE_USED;\n\t}\n\tdprintk(\"%s: 
space used=%Lu\\n\", __func__,\n\t\t\t(unsigned long long)*used);\n\treturn ret;\n}", "project": "linux", "hash": 140579568479290912095885284436505202963, "size": 20, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431628 }, { "func": "static int decode_op_map(struct xdr_stream *xdr, struct nfs4_op_map *op_map)\n{\n\t__be32 *p;\n\tuint32_t bitmap_words;\n\tunsigned int i;\n\n\tp = xdr_inline_decode(xdr, 4);\n\tif (!p)\n\t\treturn -EIO;\n\tbitmap_words = be32_to_cpup(p++);\n\tif (bitmap_words > NFS4_OP_MAP_NUM_WORDS)\n\t\treturn -EIO;\n\tp = xdr_inline_decode(xdr, 4 * bitmap_words);\n\tfor (i = 0; i < bitmap_words; i++)\n\t\top_map->u.words[i] = be32_to_cpup(p++);\n\n\treturn 0;\n}", "project": "linux", "hash": 127108229794814672432844861910069893579, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431074 }, { "func": "static int decode_attr_space_total(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res)\n{\n\t__be32 *p;\n\tint status = 0;\n\n\t*res = 0;\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_SPACE_TOTAL - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[1] & FATTR4_WORD1_SPACE_TOTAL)) {\n\t\tp = 
xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, res);\n\t\tbitmap[1] &= ~FATTR4_WORD1_SPACE_TOTAL;\n\t}\n\tdprintk(\"%s: space total=%Lu\\n\", __func__, (unsigned long long)*res);\n\treturn status;\n}", "project": "linux", "hash": 122842168300386055795273360873414109636, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431053 }, { "func": "static int decode_attr_pnfstype(struct xdr_stream *xdr, uint32_t *bitmap,\n\t\t\t\tstruct nfs_fsinfo *fsinfo)\n{\n\tint status = 0;\n\n\tdprintk(\"%s: bitmap is %x\\n\", __func__, bitmap[1]);\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_FS_LAYOUT_TYPES - 1U)))\n\t\treturn -EIO;\n\tif (bitmap[1] & FATTR4_WORD1_FS_LAYOUT_TYPES) {\n\t\tstatus = decode_pnfs_layout_types(xdr, fsinfo);\n\t\tbitmap[1] &= ~FATTR4_WORD1_FS_LAYOUT_TYPES;\n\t}\n\treturn status;\n}", "project": "linux", "hash": 52631735654516349793138557735664700110, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431308 }, { "func": "static int decode_attr_fsid(struct xdr_stream *xdr, uint32_t *bitmap, struct nfs_fsid *fsid)\n{\n\t__be32 *p;\n\tint ret = 
0;\n\n\tfsid->major = 0;\n\tfsid->minor = 0;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_FSID - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_FSID)) {\n\t\tp = xdr_inline_decode(xdr, 16);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tp = xdr_decode_hyper(p, &fsid->major);\n\t\txdr_decode_hyper(p, &fsid->minor);\n\t\tbitmap[0] &= ~FATTR4_WORD0_FSID;\n\t\tret = NFS_ATTR_FATTR_FSID;\n\t}\n\tdprintk(\"%s: fsid=(0x%Lx/0x%Lx)\\n\", __func__,\n\t\t\t(unsigned long long)fsid->major,\n\t\t\t(unsigned long long)fsid->minor);\n\treturn ret;\n}", "project": "linux", "hash": 334791425900451981518600566525589845338, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431260 }, { "func": "bool xdr_stream_subsegment(struct xdr_stream *xdr, struct xdr_buf *subbuf,\n\t\t\t unsigned int nbytes)\n{\n\tunsigned int remaining, offset, len;\n\n\tif (xdr_buf_subsegment(xdr->buf, subbuf, xdr_stream_pos(xdr), nbytes))\n\t\treturn false;\n\n\tif (subbuf->head[0].iov_len)\n\t\tif (!__xdr_inline_decode(xdr, subbuf->head[0].iov_len))\n\t\t\treturn false;\n\n\tremaining = subbuf->page_len;\n\toffset = subbuf->page_base;\n\twhile (remaining) {\n\t\tlen = min_t(unsigned int, remaining, PAGE_SIZE) - offset;\n\n\t\tif (xdr->p == xdr->end && !xdr_set_next_buffer(xdr))\n\t\t\treturn false;\n\t\tif (!__xdr_inline_decode(xdr, len))\n\t\t\treturn false;\n\n\t\tremaining -= len;\n\t\toffset = 0;\n\t}\n\n\treturn true;\n}", "project": "linux", "hash": 92230322961656519927778066668330807282, "size": 28, "commit_id": 
"6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481079 }, { "func": "static int decode_attr_group(struct xdr_stream *xdr, uint32_t *bitmap,\n\t\tconst struct nfs_server *server, kgid_t *gid,\n\t\tstruct nfs4_string *group_name)\n{\n\tssize_t len;\n\tchar *p;\n\n\t*gid = make_kgid(&init_user_ns, -2);\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_OWNER_GROUP - 1U)))\n\t\treturn -EIO;\n\tif (!(bitmap[1] & FATTR4_WORD1_OWNER_GROUP))\n\t\treturn 0;\n\tbitmap[1] &= ~FATTR4_WORD1_OWNER_GROUP;\n\n\tif (group_name != NULL) {\n\t\tlen = decode_nfs4_string(xdr, group_name, GFP_NOIO);\n\t\tif (len <= 0)\n\t\t\tgoto out;\n\t\tdprintk(\"%s: name=%s\\n\", __func__, group_name->data);\n\t\treturn NFS_ATTR_FATTR_GROUP_NAME;\n\t} else {\n\t\tlen = xdr_stream_decode_opaque_inline(xdr, (void **)&p,\n\t\t\t\tXDR_MAX_NETOBJ);\n\t\tif (len <= 0 || nfs_map_group_to_gid(server, p, len, gid) != 0)\n\t\t\tgoto out;\n\t\tdprintk(\"%s: gid=%d\\n\", __func__, (int)from_kgid(&init_user_ns, *gid));\n\t\treturn NFS_ATTR_FATTR_GROUP;\n\t}\nout:\n\tif (len == -EBADMSG)\n\t\treturn -EIO;\n\treturn 0;\n}", "project": "linux", "hash": 240577636355445608594083185731899227668, "size": 33, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before 
memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431385 }, { "func": "static void __read_bytes_from_xdr_buf(const struct xdr_buf *subbuf,\n\t\t\t\t void *obj, unsigned int len)\n{\n\tunsigned int this_len;\n\n\tthis_len = min_t(unsigned int, len, subbuf->head[0].iov_len);\n\tmemcpy(obj, subbuf->head[0].iov_base, this_len);\n\tlen -= this_len;\n\tobj += this_len;\n\tthis_len = min_t(unsigned int, len, subbuf->page_len);\n\t_copy_from_pages(obj, subbuf->pages, subbuf->page_base, this_len);\n\tlen -= this_len;\n\tobj += this_len;\n\tthis_len = min_t(unsigned int, len, subbuf->tail[0].iov_len);\n\tmemcpy(obj, subbuf->tail[0].iov_base, this_len);\n}", "project": "linux", "hash": 273869851632407932890292764789975360978, "size": 16, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481113 }, { "func": "static int decode_verifier(struct xdr_stream *xdr, void *verifier)\n{\n\treturn decode_opaque_fixed(xdr, verifier, NFS4_VERIFIER_SIZE);\n}", "project": "linux", "hash": 156955548149272974600664133088176926519, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431630 }, { "func": "static int nfs4_xdr_dec_open_noattr(struct rpc_rqst *rqstp,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs_openres *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_open(xdr, res);\n\tif (status)\n\t\tgoto out;\n\tif (res->access_request)\n\t\tdecode_access(xdr, &res->access_supported, &res->access_result);\n\tdecode_getfattr(xdr, res->f_attr, res->server);\n\tif (res->lg_res)\n\t\tdecode_layoutget(xdr, rqstp, res->lg_res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 227635184940857893666730461367324860824, "size": 28, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix 
getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430954 }, { "func": "static int decode_attr_files_free(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res)\n{\n\t__be32 *p;\n\tint status = 0;\n\n\t*res = 0;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_FILES_FREE - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_FILES_FREE)) {\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, res);\n\t\tbitmap[0] &= ~FATTR4_WORD0_FILES_FREE;\n\t}\n\tdprintk(\"%s: files free=%Lu\\n\", __func__, (unsigned long long)*res);\n\treturn status;\n}", "project": "linux", "hash": 151095507535590159450956029362210982882, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431441 }, { "func": "static int decode_open_stateid(struct xdr_stream *xdr, nfs4_stateid *stateid)\n{\n\tstateid->type = NFS4_OPEN_STATEID_TYPE;\n\treturn decode_stateid(xdr, stateid);\n}", "project": "linux", "hash": 320413315706024610261807846032540079174, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call 
memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431516 }, { "func": "static bool __decode_op_hdr(struct xdr_stream *xdr, enum nfs_opnum4 expected,\n\t\tint *nfs_retval)\n{\n\t__be32 *p;\n\tuint32_t opnum;\n\tint32_t nfserr;\n\n\tp = xdr_inline_decode(xdr, 8);\n\tif (unlikely(!p))\n\t\tgoto out_overflow;\n\topnum = be32_to_cpup(p++);\n\tif (unlikely(opnum != expected))\n\t\tgoto out_bad_operation;\n\tif (unlikely(*p != cpu_to_be32(NFS_OK)))\n\t\tgoto out_status;\n\t*nfs_retval = 0;\n\treturn true;\nout_status:\n\tnfserr = be32_to_cpup(p);\n\ttrace_nfs4_xdr_status(xdr, opnum, nfserr);\n\t*nfs_retval = nfs4_stat_to_errno(nfserr);\n\treturn true;\nout_bad_operation:\n\tdprintk(\"nfs: Server returned operation\"\n\t\t\" %d but we issued a request for %d\\n\",\n\t\t\topnum, expected);\n\t*nfs_retval = -EREMOTEIO;\n\treturn false;\nout_overflow:\n\t*nfs_retval = -EIO;\n\treturn false;\n}", "project": "linux", "hash": 36246652736100225940386678164346124975, "size": 32, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431528 }, { "func": "static int nfs4_xdr_dec_layoutreturn(struct rpc_rqst *rqstp,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs4_layoutreturn_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = 
decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_layoutreturn(xdr, res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 177599820520913619121383298415529570142, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431413 }, { "func": "int xdr_encode_word(const struct xdr_buf *buf, unsigned int base, u32 obj)\n{\n\t__be32\traw = cpu_to_be32(obj);\n\n\treturn write_bytes_to_xdr_buf(buf, base, &raw, sizeof(obj));\n}", "project": "linux", "hash": 164821059413075850098571610113030288944, "size": 6, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481061 }, { "func": "static int decode_attr_files_total(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res)\n{\n\t__be32 *p;\n\tint status = 0;\n\n\t*res = 0;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_FILES_TOTAL - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_FILES_TOTAL)) {\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, res);\n\t\tbitmap[0] &= ~FATTR4_WORD0_FILES_TOTAL;\n\t}\n\tdprintk(\"%s: files total=%Lu\\n\", __func__, (unsigned long long)*res);\n\treturn status;\n}", "project": "linux", "hash": 264328746737742026103648107517012668832, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430998 }, { "func": "static void xdr_buf_pages_zero(const struct xdr_buf *buf, unsigned int pgbase,\n\t\t\t unsigned int len)\n{\n\tstruct page **pages = buf->pages;\n\tstruct page **page;\n\tchar *vpage;\n\tunsigned int zero;\n\n\tif (!len)\n\t\treturn;\n\tif (pgbase >= buf->page_len) {\n\t\txdr_buf_iov_zero(buf->tail, pgbase - buf->page_len, len);\n\t\treturn;\n\t}\n\tif (pgbase + len > buf->page_len) {\n\t\txdr_buf_iov_zero(buf->tail, 0, pgbase + len - buf->page_len);\n\t\tlen = buf->page_len - 
pgbase;\n\t}\n\n\tpgbase += buf->page_base;\n\n\tpage = pages + (pgbase >> PAGE_SHIFT);\n\tpgbase &= ~PAGE_MASK;\n\n\tdo {\n\t\tzero = PAGE_SIZE - pgbase;\n\t\tif (zero > len)\n\t\t\tzero = len;\n\n\t\tvpage = kmap_atomic(*page);\n\t\tmemset(vpage + pgbase, 0, zero);\n\t\tkunmap_atomic(vpage);\n\n\t\tflush_dcache_page(*page);\n\t\tpgbase = 0;\n\t\tpage++;\n\n\t} while ((len -= zero) != 0);\n}", "project": "linux", "hash": 156131899079592198140787672729348189991, "size": 39, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481108 }, { "func": "static unsigned int xdr_shrink_bufhead(struct xdr_buf *buf, unsigned int len)\n{\n\tstruct kvec *head = buf->head;\n\tunsigned int shift, buflen = max(buf->len, len);\n\n\tWARN_ON_ONCE(len > head->iov_len);\n\tif (head->iov_len > buflen) {\n\t\tbuf->buflen -= head->iov_len - buflen;\n\t\thead->iov_len = buflen;\n\t}\n\tif (len >= head->iov_len)\n\t\treturn 0;\n\tshift = head->iov_len - len;\n\txdr_buf_try_expand(buf, shift);\n\txdr_buf_head_shift_right(buf, len, buflen - len, shift);\n\thead->iov_len = len;\n\tbuf->buflen -= shift;\n\tbuf->len -= shift;\n\treturn shift;\n}", "project": "linux", "hash": 169619485223707544303891114440769237125, "size": 20, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in 
xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481062 }, { "func": "static int decode_remove(struct xdr_stream *xdr, struct nfs4_change_info *cinfo)\n{\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_REMOVE);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_change_info(xdr, cinfo);\nout:\n\treturn status;\n}", "project": "linux", "hash": 19916559467201984485854546610709513431, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431032 }, { "func": "static int nfs4_xdr_dec_create_session(struct rpc_rqst *rqstp,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *res)\n{\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (!status)\n\t\tstatus = decode_create_session(xdr, res);\n\treturn status;\n}", "project": "linux", "hash": 328458812502671235907373146863268899142, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before 
memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431445 }, { "func": "static int decode_stateid(struct xdr_stream *xdr, nfs4_stateid *stateid)\n{\n\treturn decode_opaque_fixed(xdr, stateid, NFS4_STATEID_SIZE);\n}", "project": "linux", "hash": 238077108234011573110682432250737562265, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431530 }, { "func": "static int decode_layoutreturn(struct xdr_stream *xdr,\n\t\t\t struct nfs4_layoutreturn_res *res)\n{\n\t__be32 *p;\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_LAYOUTRETURN);\n\tif (status)\n\t\treturn status;\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tres->lrs_present = be32_to_cpup(p);\n\tif (res->lrs_present)\n\t\tstatus = decode_layout_stateid(xdr, &res->stateid);\n\telse\n\t\tnfs4_stateid_copy(&res->stateid, &invalid_stateid);\n\treturn status;\n}", "project": "linux", "hash": 103642007862060434758009660802346638407, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate 
test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431263 }, { "func": "int decode_layoutreturn(struct xdr_stream *xdr,\n\t\t\t struct nfs4_layoutreturn_res *res)\n{\n\treturn 0;\n}", "project": "linux", "hash": 168481888347912113218497472802071375500, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431300 }, { "func": "static int decode_renew(struct xdr_stream *xdr)\n{\n\treturn decode_op_hdr(xdr, OP_RENEW);\n}", "project": "linux", "hash": 249017144251561791692922425103340501020, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431171 }, { "func": "static int decode_getfattr(struct xdr_stream *xdr, struct nfs_fattr *fattr,\n\t\tconst struct nfs_server *server)\n{\n\treturn decode_getfattr_generic(xdr, fattr, NULL, NULL, NULL, server);\n}", "project": "linux", "hash": 27390055506149198576380449319086680127, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer 
is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431579 }, { "func": "static int nfs4_xdr_dec_get_lease_time(struct rpc_rqst *rqstp,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs4_get_lease_time_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (!status)\n\t\tstatus = decode_sequence(xdr, &res->lr_seq_res, rqstp);\n\tif (!status)\n\t\tstatus = decode_putrootfh(xdr);\n\tif (!status)\n\t\tstatus = decode_fsinfo(xdr, res->lr_fsinfo);\n\treturn status;\n}", "project": "linux", "hash": 47812285952988783674074413365080609509, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431252 }, { "func": "static void xdr_buf_tail_copy_left(const struct xdr_buf *buf, unsigned int base,\n\t\t\t\t unsigned int len, unsigned int shift)\n{\n\tconst struct kvec *tail = buf->tail;\n\n\tif (base >= tail->iov_len)\n\t\treturn;\n\tif (len > tail->iov_len - base)\n\t\tlen = tail->iov_len - base;\n\t/* Shift data into head */\n\tif (shift > buf->page_len + base) {\n\t\tconst struct kvec *head = buf->head;\n\t\tunsigned int hdto =\n\t\t\thead->iov_len + buf->page_len + base - shift;\n\t\tunsigned int hdlen = len;\n\n\t\tif (WARN_ONCE(shift > head->iov_len + buf->page_len + base,\n\t\t\t \"SUNRPC: Misaligned data.\\n\"))\n\t\t\treturn;\n\t\tif (hdto + hdlen > 
head->iov_len)\n\t\t\thdlen = head->iov_len - hdto;\n\t\tmemcpy(head->iov_base + hdto, tail->iov_base + base, hdlen);\n\t\tbase += hdlen;\n\t\tlen -= hdlen;\n\t\tif (!len)\n\t\t\treturn;\n\t}\n\t/* Shift data into pages */\n\tif (shift > base) {\n\t\tunsigned int pgto = buf->page_len + base - shift;\n\t\tunsigned int pglen = len;\n\n\t\tif (pgto + pglen > buf->page_len)\n\t\t\tpglen = buf->page_len - pgto;\n\t\t_copy_to_pages(buf->pages, buf->page_base + pgto,\n\t\t\t tail->iov_base + base, pglen);\n\t\tbase += pglen;\n\t\tlen -= pglen;\n\t\tif (!len)\n\t\t\treturn;\n\t}\n\tmemmove(tail->iov_base + base - shift, tail->iov_base + base, len);\n}", "project": "linux", "hash": 165365942419942163673254103252569518172, "size": 43, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481107 }, { "func": "static int decode_lock_denied (struct xdr_stream *xdr, struct file_lock *fl)\n{\n\tuint64_t offset, length, clientid;\n\t__be32 *p;\n\tuint32_t namelen, type;\n\n\tp = xdr_inline_decode(xdr, 32); /* read 32 bytes */\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tp = xdr_decode_hyper(p, &offset); /* read 2 8-byte long words */\n\tp = xdr_decode_hyper(p, &length);\n\ttype = be32_to_cpup(p++); /* 4 byte read */\n\tif (fl != NULL) { /* manipulate file lock */\n\t\tfl->fl_start = (loff_t)offset;\n\t\tfl->fl_end = fl->fl_start + (loff_t)length - 1;\n\t\tif (length == ~(uint64_t)0)\n\t\t\tfl->fl_end = OFFSET_MAX;\n\t\tfl->fl_type = F_WRLCK;\n\t\tif (type & 1)\n\t\t\tfl->fl_type = F_RDLCK;\n\t\tfl->fl_pid = 0;\n\t}\n\tp = xdr_decode_hyper(p, &clientid); /* read 8 bytes */\n\tnamelen = be32_to_cpup(p); /* read 4 bytes */ /* have read all 32 bytes now */\n\tp = xdr_inline_decode(xdr, namelen); /* variable size field */\n\tif (likely(!p))\n\t\treturn -EIO;\n\treturn -NFS4ERR_DENIED;\n}", "project": "linux", "hash": 287080228558280277283501960428503091676, "size": 29, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430945 }, { "func": "static ssize_t decode_nfs4_string(struct 
xdr_stream *xdr,\n\t\tstruct nfs4_string *name, gfp_t gfp_flags)\n{\n\tssize_t ret;\n\n\tret = xdr_stream_decode_string_dup(xdr, &name->data,\n\t\t\tXDR_MAX_NETOBJ, gfp_flags);\n\tname->len = 0;\n\tif (ret > 0)\n\t\tname->len = ret;\n\treturn ret;\n}", "project": "linux", "hash": 137804535558923583349335717312811411785, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431243 }, { "func": "static int nfs4_xdr_dec_pathconf(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs4_pathconf_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (!status)\n\t\tstatus = decode_sequence(xdr, &res->seq_res, req);\n\tif (!status)\n\t\tstatus = decode_putfh(xdr);\n\tif (!status)\n\t\tstatus = decode_pathconf(xdr, res->pathconf);\n\treturn status;\n}", "project": "linux", "hash": 42757951098968624950875229492732718921, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431432 }, { "func": "static int decode_lock_stateid(struct xdr_stream *xdr, nfs4_stateid *stateid)\n{\n\tstateid->type = NFS4_LOCK_STATEID_TYPE;\n\treturn 
decode_stateid(xdr, stateid);\n}", "project": "linux", "hash": 237084235347639685098559377785595841594, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431084 }, { "func": "static void xdr_realign_pages(struct xdr_stream *xdr)\n{\n\tstruct xdr_buf *buf = xdr->buf;\n\tstruct kvec *iov = buf->head;\n\tunsigned int cur = xdr_stream_pos(xdr);\n\tunsigned int copied;\n\n\t/* Realign pages to current pointer position */\n\tif (iov->iov_len > cur) {\n\t\tcopied = xdr_shrink_bufhead(buf, cur);\n\t\ttrace_rpc_xdr_alignment(xdr, cur, copied);\n\t\txdr_set_page(xdr, 0, buf->page_len);\n\t}\n}", "project": "linux", "hash": 263987331194285131395619113028919276248, "size": 14, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481081 }, { "func": "static int decode_readlink(struct xdr_stream *xdr, struct rpc_rqst *req)\n{\n\tstruct xdr_buf *rcvbuf = &req->rq_rcv_buf;\n\tu32 len, recvd;\n\t__be32 *p;\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_READLINK);\n\tif (status)\n\t\treturn status;\n\n\t/* Convert length of symlink */\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tlen = be32_to_cpup(p);\n\tif (len >= rcvbuf->page_len || len <= 0) {\n\t\tdprintk(\"nfs: server returned giant symlink!\\n\");\n\t\treturn -ENAMETOOLONG;\n\t}\n\trecvd = xdr_read_pages(xdr, len);\n\tif (recvd < len) {\n\t\tdprintk(\"NFS: server cheating in readlink reply: \"\n\t\t\t\t\"count %u > recvd %u\\n\", len, recvd);\n\t\treturn -EIO;\n\t}\n\t/*\n\t * The XDR encode routine has set things up so that\n\t * the link text will be copied directly into the\n\t * buffer. 
We just have to do overflow-checking,\n\t * and and null-terminate the text (the VFS expects\n\t * null-termination).\n\t */\n\txdr_terminate_string(rcvbuf, len);\n\treturn 0;\n}", "project": "linux", "hash": 27870910665415586997030324136263521162, "size": 36, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431334 }, { "func": "static int nfs4_xdr_dec_secinfo(struct rpc_rqst *rqstp,\n\t\t\t\tstruct xdr_stream *xdr,\n\t\t\t\tvoid *data)\n{\n\tstruct nfs4_secinfo_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_secinfo(xdr, res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 193022720952358386919704384433455747850, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431291 }, { "func": "static int decode_statfs(struct xdr_stream *xdr, struct nfs_fsstat *fsstat)\n{\n\tunsigned int savep;\n\tuint32_t attrlen, bitmap[3] = {0};\n\tint status;\n\n\tif 
((status = decode_op_hdr(xdr, OP_GETATTR)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_bitmap(xdr, bitmap)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_length(xdr, &attrlen, &savep)) != 0)\n\t\tgoto xdr_error;\n\n\tif ((status = decode_attr_files_avail(xdr, bitmap, &fsstat->afiles)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_files_free(xdr, bitmap, &fsstat->ffiles)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_files_total(xdr, bitmap, &fsstat->tfiles)) != 0)\n\t\tgoto xdr_error;\n\n\tstatus = -EIO;\n\tif (unlikely(bitmap[0]))\n\t\tgoto xdr_error;\n\n\tif ((status = decode_attr_space_avail(xdr, bitmap, &fsstat->abytes)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_space_free(xdr, bitmap, &fsstat->fbytes)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_space_total(xdr, bitmap, &fsstat->tbytes)) != 0)\n\t\tgoto xdr_error;\n\n\tstatus = verify_attr_len(xdr, savep, attrlen);\nxdr_error:\n\tdprintk(\"%s: xdr returned %d!\\n\", __func__, -status);\n\treturn status;\n}", "project": "linux", "hash": 306377305321553864736352412516806914826, "size": 36, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431133 }, { "func": "static int decode_getfattr_attrs(struct xdr_stream *xdr, uint32_t *bitmap,\n\t\tstruct nfs_fattr *fattr, struct nfs_fh *fh,\n\t\tstruct nfs4_fs_locations *fs_loc, struct nfs4_label *label,\n\t\tconst struct nfs_server *server)\n{\n\tint status;\n\tumode_t fmode = 0;\n\tuint32_t type;\n\tint32_t err;\n\n\tstatus = decode_attr_type(xdr, bitmap, &type);\n\tif (status < 
0)\n\t\tgoto xdr_error;\n\tfattr->mode = 0;\n\tif (status != 0) {\n\t\tfattr->mode |= nfs_type2fmt[type];\n\t\tfattr->valid |= status;\n\t}\n\n\tstatus = decode_attr_change(xdr, bitmap, &fattr->change_attr);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tfattr->valid |= status;\n\n\tstatus = decode_attr_size(xdr, bitmap, &fattr->size);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tfattr->valid |= status;\n\n\tstatus = decode_attr_fsid(xdr, bitmap, &fattr->fsid);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tfattr->valid |= status;\n\n\terr = 0;\n\tstatus = decode_attr_error(xdr, bitmap, &err);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\n\tstatus = decode_attr_filehandle(xdr, bitmap, fh);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\n\tstatus = decode_attr_fileid(xdr, bitmap, &fattr->fileid);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tfattr->valid |= status;\n\n\tstatus = decode_attr_fs_locations(xdr, bitmap, fs_loc);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tfattr->valid |= status;\n\n\tstatus = -EIO;\n\tif (unlikely(bitmap[0]))\n\t\tgoto xdr_error;\n\n\tstatus = decode_attr_mode(xdr, bitmap, &fmode);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tif (status != 0) {\n\t\tfattr->mode |= fmode;\n\t\tfattr->valid |= status;\n\t}\n\n\tstatus = decode_attr_nlink(xdr, bitmap, &fattr->nlink);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tfattr->valid |= status;\n\n\tstatus = decode_attr_owner(xdr, bitmap, server, &fattr->uid, fattr->owner_name);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tfattr->valid |= status;\n\n\tstatus = decode_attr_group(xdr, bitmap, server, &fattr->gid, fattr->group_name);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tfattr->valid |= status;\n\n\tstatus = decode_attr_rdev(xdr, bitmap, &fattr->rdev);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tfattr->valid |= status;\n\n\tstatus = decode_attr_space_used(xdr, bitmap, &fattr->du.nfs3.used);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tfattr->valid |= status;\n\n\tstatus = decode_attr_time_access(xdr, bitmap, 
&fattr->atime);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tfattr->valid |= status;\n\n\tstatus = decode_attr_time_metadata(xdr, bitmap, &fattr->ctime);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tfattr->valid |= status;\n\n\tstatus = decode_attr_time_modify(xdr, bitmap, &fattr->mtime);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tfattr->valid |= status;\n\n\tstatus = decode_attr_mounted_on_fileid(xdr, bitmap, &fattr->mounted_on_fileid);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tfattr->valid |= status;\n\n\tstatus = -EIO;\n\tif (unlikely(bitmap[1]))\n\t\tgoto xdr_error;\n\n\tstatus = decode_attr_mdsthreshold(xdr, bitmap, fattr->mdsthreshold);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\n\tif (label) {\n\t\tstatus = decode_attr_security_label(xdr, bitmap, label);\n\t\tif (status < 0)\n\t\t\tgoto xdr_error;\n\t\tfattr->valid |= status;\n\t}\n\nxdr_error:\n\tdprintk(\"%s: xdr returned %d\\n\", __func__, -status);\n\treturn status;\n}", "project": "linux", "hash": 158519416269592691764866232511252763941, "size": 129, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430941 }, { "func": "static int decode_attr_aclsupport(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)\n{\n\t__be32 *p;\n\n\t*res = 0;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_ACLSUPPORT - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_ACLSUPPORT)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\t*res = be32_to_cpup(p);\n\t\tbitmap[0] &= ~FATTR4_WORD0_ACLSUPPORT;\n\t}\n\tdprintk(\"%s: ACLs supported=%u\\n\", __func__, (unsigned 
int)*res);\n\treturn 0;\n}", "project": "linux", "hash": 56276008072819153440662622102358184657, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431427 }, { "func": "static int decode_opaque_fixed(struct xdr_stream *xdr, void *buf, size_t len)\n{\n\tssize_t ret = xdr_stream_decode_opaque_fixed(xdr, buf, len);\n\tif (unlikely(ret < 0))\n\t\treturn -EIO;\n\treturn 0;\n}", "project": "linux", "hash": 19807079248785338578623818524328164024, "size": 7, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431492 }, { "func": "static int decode_attr_maxwrite(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)\n{\n\t__be32 *p;\n\tint status = 0;\n\n\t*res = 1024;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_MAXWRITE - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_MAXWRITE)) {\n\t\tuint64_t maxwrite;\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, &maxwrite);\n\t\tif (maxwrite > 0x7FFFFFFF)\n\t\t\tmaxwrite = 0x7FFFFFFF;\n\t\t*res = (uint32_t)maxwrite;\n\t\tbitmap[0] &= ~FATTR4_WORD0_MAXWRITE;\n\t}\n\tdprintk(\"%s: maxwrite=%lu\\n\", __func__, 
(unsigned long)*res);\n\treturn status;\n}", "project": "linux", "hash": 185713344792466967810863070824082303050, "size": 22, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431179 }, { "func": "static int decode_space_limit(struct xdr_stream *xdr,\n\t\tunsigned long *pagemod_limit)\n{\n\t__be32 *p;\n\tuint32_t limit_type, nblocks, blocksize;\n\tu64 maxsize = 0;\n\n\tp = xdr_inline_decode(xdr, 12);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tlimit_type = be32_to_cpup(p++);\n\tswitch (limit_type) {\n\tcase NFS4_LIMIT_SIZE:\n\t\txdr_decode_hyper(p, &maxsize);\n\t\tbreak;\n\tcase NFS4_LIMIT_BLOCKS:\n\t\tnblocks = be32_to_cpup(p++);\n\t\tblocksize = be32_to_cpup(p);\n\t\tmaxsize = (uint64_t)nblocks * (uint64_t)blocksize;\n\t}\n\tmaxsize >>= PAGE_SHIFT;\n\t*pagemod_limit = min_t(u64, maxsize, ULONG_MAX);\n\treturn 0;\n}", "project": "linux", "hash": 227108526490361893420872409564584486820, "size": 24, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431075 }, { "func": "static int decode_sequence(struct xdr_stream *xdr,\n\t\t\t struct nfs4_sequence_res *res,\n\t\t\t struct rpc_rqst *rqstp)\n{\n#if 
defined(CONFIG_NFS_V4_1)\n\tstruct nfs4_session *session;\n\tstruct nfs4_sessionid id;\n\tu32 dummy;\n\tint status;\n\t__be32 *p;\n\n\tif (res->sr_slot == NULL)\n\t\treturn 0;\n\tif (!res->sr_slot->table->session)\n\t\treturn 0;\n\n\tstatus = decode_op_hdr(xdr, OP_SEQUENCE);\n\tif (!status)\n\t\tstatus = decode_sessionid(xdr, &id);\n\tif (unlikely(status))\n\t\tgoto out_err;\n\n\t/*\n\t * If the server returns different values for sessionID, slotID or\n\t * sequence number, the server is looney tunes.\n\t */\n\tstatus = -EREMOTEIO;\n\tsession = res->sr_slot->table->session;\n\n\tif (memcmp(id.data, session->sess_id.data,\n\t\t NFS4_MAX_SESSIONID_LEN)) {\n\t\tdprintk(\"%s Invalid session id\\n\", __func__);\n\t\tgoto out_err;\n\t}\n\n\tp = xdr_inline_decode(xdr, 20);\n\tif (unlikely(!p))\n\t\tgoto out_overflow;\n\n\t/* seqid */\n\tdummy = be32_to_cpup(p++);\n\tif (dummy != res->sr_slot->seq_nr) {\n\t\tdprintk(\"%s Invalid sequence number\\n\", __func__);\n\t\tgoto out_err;\n\t}\n\t/* slot id */\n\tdummy = be32_to_cpup(p++);\n\tif (dummy != res->sr_slot->slot_nr) {\n\t\tdprintk(\"%s Invalid slot id\\n\", __func__);\n\t\tgoto out_err;\n\t}\n\t/* highest slot id */\n\tres->sr_highest_slotid = be32_to_cpup(p++);\n\t/* target highest slot id */\n\tres->sr_target_highest_slotid = be32_to_cpup(p++);\n\t/* result flags */\n\tres->sr_status_flags = be32_to_cpup(p);\n\tstatus = 0;\nout_err:\n\tres->sr_status = status;\n\treturn status;\nout_overflow:\n\tstatus = -EIO;\n\tgoto out_err;\n#else /* CONFIG_NFS_V4_1 */\n\treturn 0;\n#endif /* CONFIG_NFS_V4_1 */\n}", "project": "linux", "hash": 134217625796907035090550897724006932551, "size": 68, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey 
Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431406 }, { "func": "static unsigned int xdr_set_iov(struct xdr_stream *xdr, struct kvec *iov,\n\t\t\t\tunsigned int base, unsigned int len)\n{\n\tif (len > iov->iov_len)\n\t\tlen = iov->iov_len;\n\tif (unlikely(base > len))\n\t\tbase = len;\n\txdr->p = (__be32*)(iov->iov_base + base);\n\txdr->end = (__be32*)(iov->iov_base + len);\n\txdr->iov = iov;\n\txdr->page_ptr = NULL;\n\treturn len - base;\n}", "project": "linux", "hash": 49060835101314216555452463410166203158, "size": 13, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481074 }, { "func": "static int decode_access(struct xdr_stream *xdr, u32 *supported, u32 *access)\n{\n\t__be32 *p;\n\tuint32_t supp, acc;\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_ACCESS);\n\tif (status)\n\t\treturn status;\n\tp = xdr_inline_decode(xdr, 8);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tsupp = be32_to_cpup(p++);\n\tacc = be32_to_cpup(p);\n\t*supported = supp;\n\t*access = acc;\n\treturn 0;\n}", "project": "linux", "hash": 84540082800919063819742690073725482814, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to 
decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431331 }, { "func": "static int nfs4_xdr_dec_delegreturn(struct rpc_rqst *rqstp,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs4_delegreturnres *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status != 0)\n\t\tgoto out;\n\tif (res->lr_res) {\n\t\tstatus = decode_layoutreturn(xdr, res->lr_res);\n\t\tres->lr_ret = status;\n\t\tif (status)\n\t\t\tgoto out;\n\t}\n\tif (res->fattr) {\n\t\tstatus = decode_getfattr(xdr, res->fattr, res->server);\n\t\tif (status != 0)\n\t\t\tgoto out;\n\t}\n\tstatus = decode_delegreturn(xdr);\nout:\n\treturn status;\n}", "project": "linux", "hash": 245479066344039326171553790921602876705, "size": 32, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431439 }, { "func": "static int decode_pnfs_layout_types(struct xdr_stream *xdr,\n\t\t\t\t struct nfs_fsinfo *fsinfo)\n{\n\t__be32 *p;\n\tuint32_t i;\n\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tfsinfo->nlayouttypes = be32_to_cpup(p);\n\n\t/* pNFS is not supported by the underlying file 
system */\n\tif (fsinfo->nlayouttypes == 0)\n\t\treturn 0;\n\n\t/* Decode and set first layout type, move xdr->p past unused types */\n\tp = xdr_inline_decode(xdr, fsinfo->nlayouttypes * 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\n\t/* If we get too many, then just cap it at the max */\n\tif (fsinfo->nlayouttypes > NFS_MAX_LAYOUT_TYPES) {\n\t\tprintk(KERN_INFO \"NFS: %s: Warning: Too many (%u) pNFS layout types\\n\",\n\t\t\t__func__, fsinfo->nlayouttypes);\n\t\tfsinfo->nlayouttypes = NFS_MAX_LAYOUT_TYPES;\n\t}\n\n\tfor(i = 0; i < fsinfo->nlayouttypes; ++i)\n\t\tfsinfo->layouttype[i] = be32_to_cpup(p++);\n\treturn 0;\n}", "project": "linux", "hash": 169593449172144384640103319177742270280, "size": 31, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431107 }, { "func": "static int decode_lock(struct xdr_stream *xdr, struct nfs_lock_res *res)\n{\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_LOCK);\n\tif (status == -EIO)\n\t\tgoto out;\n\tif (status == 0) {\n\t\tstatus = decode_lock_stateid(xdr, &res->stateid);\n\t\tif (unlikely(status))\n\t\t\tgoto out;\n\t} else if (status == -NFS4ERR_DENIED)\n\t\tstatus = decode_lock_denied(xdr, NULL);\n\tif (res->open_seqid != NULL)\n\t\tnfs_increment_open_seqid(status, res->open_seqid);\n\tnfs_increment_lock_seqid(status, res->lock_seqid);\nout:\n\treturn status;\n}", "project": "linux", "hash": 280583003464234476405107328603197283120, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to 
decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431161 }, { "func": "static int nfs4_xdr_dec_getattr(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t\tvoid *data)\n{\n\tstruct nfs4_getattr_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_getfattr_label(xdr, res->fattr, res->label, res->server);\nout:\n\treturn status;\n}", "project": "linux", "hash": 197243852890252043016579167175581052953, "size": 20, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431028 }, { "func": "static int decode_attr_bitmap(struct xdr_stream *xdr, uint32_t *bitmap)\n{\n\tssize_t ret;\n\tret = decode_bitmap4(xdr, bitmap, 3);\n\treturn ret < 0 ? 
ret : 0;\n}", "project": "linux", "hash": 55280088289140816354582490420905210748, "size": 6, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431418 }, { "func": "static int decode_attr_rdev(struct xdr_stream *xdr, uint32_t *bitmap, dev_t *rdev)\n{\n\tuint32_t major = 0, minor = 0;\n\t__be32 *p;\n\tint ret = 0;\n\n\t*rdev = MKDEV(0,0);\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_RAWDEV - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[1] & FATTR4_WORD1_RAWDEV)) {\n\t\tdev_t tmp;\n\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tmajor = be32_to_cpup(p++);\n\t\tminor = be32_to_cpup(p);\n\t\ttmp = MKDEV(major, minor);\n\t\tif (MAJOR(tmp) == major && MINOR(tmp) == minor)\n\t\t\t*rdev = tmp;\n\t\tbitmap[1] &= ~ FATTR4_WORD1_RAWDEV;\n\t\tret = NFS_ATTR_FATTR_RDEV;\n\t}\n\tdprintk(\"%s: rdev=(0x%x:0x%x)\\n\", __func__, major, minor);\n\treturn ret;\n}", "project": "linux", "hash": 249761883562751592236614582303069261634, "size": 26, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431613 }, { "func": "static int decode_setattr(struct xdr_stream *xdr)\n{\n\tint status;\n\n\tstatus = 
decode_op_hdr(xdr, OP_SETATTR);\n\tif (status)\n\t\treturn status;\n\tif (decode_bitmap4(xdr, NULL, 0) >= 0)\n\t\treturn 0;\n\treturn -EIO;\n}", "project": "linux", "hash": 43183833224331967528573718116127806771, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431450 }, { "func": "static int decode_no_delegation(struct xdr_stream *xdr, struct nfs_openres *res)\n{\n\t__be32 *p;\n\tuint32_t why_no_delegation;\n\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\twhy_no_delegation = be32_to_cpup(p);\n\tswitch (why_no_delegation) {\n\t\tcase WND4_CONTENTION:\n\t\tcase WND4_RESOURCE:\n\t\t\txdr_inline_decode(xdr, 4);\n\t\t\t/* Ignore for now */\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 285502549716663562720560722124792395857, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431551 }, { "func": "static int nfs4_xdr_dec_open_confirm(struct rpc_rqst *rqstp,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs_open_confirmres *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto 
out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_open_confirm(xdr, res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 304893123587485211238810708745563220774, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431202 }, { "func": "unsigned int xdr_expand_hole(struct xdr_stream *xdr, unsigned int offset,\n\t\t\t unsigned int length)\n{\n\tstruct xdr_buf *buf = xdr->buf;\n\tunsigned int from, to, shift;\n\n\txdr_realign_pages(xdr);\n\tfrom = xdr_page_pos(xdr);\n\tto = xdr_align_size(offset + length);\n\n\t/* Could the hole be behind us? */\n\tif (to > from) {\n\t\tunsigned int buflen = buf->len - buf->head->iov_len;\n\t\tshift = to - from;\n\t\txdr_buf_try_expand(buf, shift);\n\t\txdr_buf_pages_shift_right(buf, from, buflen, shift);\n\t\txdr_set_page(xdr, to, xdr_stream_remaining(xdr));\n\t} else if (to != from)\n\t\txdr_align_data(xdr, to, 0);\n\txdr_buf_pages_zero(buf, offset, length);\n\n\treturn length;\n}", "project": "linux", "hash": 272497114320754453414121103167962202315, "size": 23, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481101 }, { "func": "static int decode_attr_lease_time(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)\n{\n\t__be32 *p;\n\n\t*res = 60;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_LEASE_TIME - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_LEASE_TIME)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\t*res = be32_to_cpup(p);\n\t\tbitmap[0] &= ~FATTR4_WORD0_LEASE_TIME;\n\t}\n\tdprintk(\"%s: lease time=%u\\n\", __func__, (unsigned int)*res);\n\treturn 0;\n}", "project": "linux", "hash": 48308452835082136962016433902761466121, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431577 }, { "func": "static unsigned int xdr_align_pages(struct xdr_stream *xdr, unsigned int len)\n{\n\tstruct xdr_buf *buf = xdr->buf;\n\tunsigned int nwords = XDR_QUADLEN(len);\n\tunsigned int copied;\n\n\tif (xdr->nwords == 0)\n\t\treturn 0;\n\n\txdr_realign_pages(xdr);\n\tif (nwords > xdr->nwords) {\n\t\tnwords = xdr->nwords;\n\t\tlen = nwords << 2;\n\t}\n\tif (buf->page_len <= len)\n\t\tlen = buf->page_len;\n\telse if (nwords < xdr->nwords) {\n\t\t/* Truncate page data and move it into the tail */\n\t\tcopied = xdr_shrink_pagelen(buf, 
len);\n\t\ttrace_rpc_xdr_alignment(xdr, len, copied);\n\t}\n\treturn len;\n}", "project": "linux", "hash": 294959836612056906624893050447526562776, "size": 23, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481068 }, { "func": "static int decode_close(struct xdr_stream *xdr, struct nfs_closeres *res)\n{\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_CLOSE);\n\tif (status != -EIO)\n\t\tnfs_increment_open_seqid(status, res->seqid);\n\tif (!status)\n\t\tstatus = decode_invalid_stateid(xdr, &res->stateid);\n\treturn status;\n}", "project": "linux", "hash": 125656200390976653961536473108021060844, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431455 }, { "func": "static int nfs4_xdr_dec_readdir(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t\tvoid *data)\n{\n\tstruct nfs4_readdir_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, 
&hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_readdir(xdr, rqstp, res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 196557610770743657667197166552447470071, "size": 20, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431373 }, { "func": "static int decode_create(struct xdr_stream *xdr, struct nfs4_change_info *cinfo)\n{\n\t__be32 *p;\n\tuint32_t bmlen;\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_CREATE);\n\tif (status)\n\t\treturn status;\n\tif ((status = decode_change_info(xdr, cinfo)))\n\t\treturn status;\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tbmlen = be32_to_cpup(p);\n\tp = xdr_inline_decode(xdr, bmlen << 2);\n\tif (likely(p))\n\t\treturn 0;\n\treturn -EIO;\n}", "project": "linux", "hash": 114019355520251815264236805597327808221, "size": 20, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431207 }, { "func": "static int decode_attr_maxlink(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t 
*maxlink)\n{\n\t__be32 *p;\n\tint status = 0;\n\n\t*maxlink = 1;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_MAXLINK - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_MAXLINK)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\t*maxlink = be32_to_cpup(p);\n\t\tbitmap[0] &= ~FATTR4_WORD0_MAXLINK;\n\t}\n\tdprintk(\"%s: maxlink=%u\\n\", __func__, *maxlink);\n\treturn status;\n}", "project": "linux", "hash": 86012522364823879184566461513960302041, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431535 }, { "func": "static int decode_putrootfh(struct xdr_stream *xdr)\n{\n\treturn decode_op_hdr(xdr, OP_PUTROOTFH);\n}", "project": "linux", "hash": 105151072985968946784337302417161729918, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431205 }, { "func": "ssize_t xdr_stream_decode_string_dup(struct xdr_stream *xdr, char **str,\n\t\tsize_t maxlen, gfp_t gfp_flags)\n{\n\tvoid *p;\n\tssize_t ret;\n\n\tret = xdr_stream_decode_opaque_inline(xdr, &p, maxlen);\n\tif (ret > 0) {\n\t\tchar *s = kmemdup_nul(p, ret, gfp_flags);\n\t\tif (s != NULL) {\n\t\t\t*str = 
s;\n\t\t\treturn strlen(s);\n\t\t}\n\t\tret = -ENOMEM;\n\t}\n\t*str = NULL;\n\treturn ret;\n}", "project": "linux", "hash": 104597577300290097019952439651919668011, "size": 18, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481111 }, { "func": "static int decode_lookup(struct xdr_stream *xdr)\n{\n\treturn decode_op_hdr(xdr, OP_LOOKUP);\n}", "project": "linux", "hash": 310537453744611101188352634444677792828, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431525 }, { "func": "int nfs4_decode_dirent(struct xdr_stream *xdr, struct nfs_entry *entry,\n\t\t bool plus)\n{\n\tunsigned int savep;\n\tuint32_t bitmap[3] = {0};\n\tuint32_t len;\n\tuint64_t new_cookie;\n\t__be32 *p = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EAGAIN;\n\tif (*p == xdr_zero) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EAGAIN;\n\t\tif (*p == xdr_zero)\n\t\t\treturn 
-EAGAIN;\n\t\tentry->eof = 1;\n\t\treturn -EBADCOOKIE;\n\t}\n\n\tp = xdr_inline_decode(xdr, 12);\n\tif (unlikely(!p))\n\t\treturn -EAGAIN;\n\tp = xdr_decode_hyper(p, &new_cookie);\n\tentry->len = be32_to_cpup(p);\n\n\tp = xdr_inline_decode(xdr, entry->len);\n\tif (unlikely(!p))\n\t\treturn -EAGAIN;\n\tentry->name = (const char *) p;\n\n\t/*\n\t * In case the server doesn't return an inode number,\n\t * we fake one here. (We don't use inode number 0,\n\t * since glibc seems to choke on it...)\n\t */\n\tentry->ino = 1;\n\tentry->fattr->valid = 0;\n\n\tif (decode_attr_bitmap(xdr, bitmap) < 0)\n\t\treturn -EAGAIN;\n\n\tif (decode_attr_length(xdr, &len, &savep) < 0)\n\t\treturn -EAGAIN;\n\n\tif (decode_getfattr_attrs(xdr, bitmap, entry->fattr, entry->fh,\n\t\t\tNULL, entry->label, entry->server) < 0)\n\t\treturn -EAGAIN;\n\tif (entry->fattr->valid & NFS_ATTR_FATTR_MOUNTED_ON_FILEID)\n\t\tentry->ino = entry->fattr->mounted_on_fileid;\n\telse if (entry->fattr->valid & NFS_ATTR_FATTR_FILEID)\n\t\tentry->ino = entry->fattr->fileid;\n\n\tentry->d_type = DT_UNKNOWN;\n\tif (entry->fattr->valid & NFS_ATTR_FATTR_TYPE)\n\t\tentry->d_type = nfs_umode_to_dtype(entry->fattr->mode);\n\n\tentry->prev_cookie = entry->cookie;\n\tentry->cookie = new_cookie;\n\n\treturn 0;\n}", "project": "linux", "hash": 94827035008983712309332280432230795533, "size": 62, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431210 }, { "func": "static int decode_attr_mode(struct xdr_stream *xdr, uint32_t *bitmap, umode_t *mode)\n{\n\tuint32_t tmp;\n\t__be32 *p;\n\tint ret = 
0;\n\n\t*mode = 0;\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_MODE - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[1] & FATTR4_WORD1_MODE)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\ttmp = be32_to_cpup(p);\n\t\t*mode = tmp & ~S_IFMT;\n\t\tbitmap[1] &= ~FATTR4_WORD1_MODE;\n\t\tret = NFS_ATTR_FATTR_MODE;\n\t}\n\tdprintk(\"%s: file mode=0%o\\n\", __func__, (unsigned int)*mode);\n\treturn ret;\n}", "project": "linux", "hash": 219907876245733703299792762752380849362, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431374 }, { "func": "static int decode_getfh(struct xdr_stream *xdr, struct nfs_fh *fh)\n{\n\t__be32 *p;\n\tuint32_t len;\n\tint status;\n\n\t/* Zero handle first to allow comparisons */\n\tmemset(fh, 0, sizeof(*fh));\n\n\tstatus = decode_op_hdr(xdr, OP_GETFH);\n\tif (status)\n\t\treturn status;\n\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tlen = be32_to_cpup(p);\n\tif (len > NFS4_FHSIZE)\n\t\treturn -EIO;\n\tfh->size = len;\n\tp = xdr_inline_decode(xdr, len);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tmemcpy(fh->data, p, len);\n\treturn 0;\n}", "project": "linux", "hash": 286315607705918053588620819978114733363, "size": 26, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: 
Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431264 }, { "func": "static int decode_layoutget(struct xdr_stream *xdr, struct rpc_rqst *req,\n\t\t\t struct nfs4_layoutget_res *res)\n{\n\t__be32 *p;\n\tint status;\n\tu32 layout_count;\n\tu32 recvd;\n\n\tstatus = decode_op_hdr(xdr, OP_LAYOUTGET);\n\tif (status)\n\t\tgoto out;\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\tgoto out_overflow;\n\tres->return_on_close = be32_to_cpup(p);\n\tdecode_layout_stateid(xdr, &res->stateid);\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\tgoto out_overflow;\n\tlayout_count = be32_to_cpup(p);\n\tif (!layout_count) {\n\t\tdprintk(\"%s: server responded with empty layout array\\n\",\n\t\t\t__func__);\n\t\tstatus = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tp = xdr_inline_decode(xdr, 28);\n\tif (unlikely(!p))\n\t\tgoto out_overflow;\n\tp = xdr_decode_hyper(p, &res->range.offset);\n\tp = xdr_decode_hyper(p, &res->range.length);\n\tres->range.iomode = be32_to_cpup(p++);\n\tres->type = be32_to_cpup(p++);\n\tres->layoutp->len = be32_to_cpup(p);\n\n\tdprintk(\"%s roff:%lu rlen:%lu riomode:%d, lo_type:0x%x, lo.len:%d\\n\",\n\t\t__func__,\n\t\t(unsigned long)res->range.offset,\n\t\t(unsigned long)res->range.length,\n\t\tres->range.iomode,\n\t\tres->type,\n\t\tres->layoutp->len);\n\n\trecvd = xdr_read_pages(xdr, res->layoutp->len);\n\tif (res->layoutp->len > recvd) {\n\t\tdprintk(\"NFS: server cheating in layoutget reply: \"\n\t\t\t\t\"layout len %u > recvd %u\\n\",\n\t\t\t\tres->layoutp->len, recvd);\n\t\tstatus = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tif (layout_count > 1) {\n\t\t/* We only handle a length one array at the moment. Any\n\t\t * further entries are just ignored. 
Note that this means\n\t\t * the client may see a response that is less than the\n\t\t * minimum it requested.\n\t\t */\n\t\tdprintk(\"%s: server responded with %d layouts, dropping tail\\n\",\n\t\t\t__func__, layout_count);\n\t}\n\nout:\n\tres->status = status;\n\treturn status;\nout_overflow:\n\tstatus = -EIO;\n\tgoto out;\n}", "project": "linux", "hash": 68899635834668588254136255183337091531, "size": 70, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431257 }, { "func": "static int decode_layoutget(struct xdr_stream *xdr, struct rpc_rqst *req,\n\t\t\t struct nfs4_layoutget_res *res)\n{\n\treturn 0;\n}", "project": "linux", "hash": 71682402525668555032167848550435715054, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431620 }, { "func": "static int nfs4_xdr_dec_getdeviceinfo(struct rpc_rqst *rqstp,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs4_getdeviceinfo_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status != 0)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status != 
0)\n\t\tgoto out;\n\tstatus = decode_getdeviceinfo(xdr, res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 223394051193888352497952621392600638883, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431560 }, { "func": "unsigned int xdr_stream_pos(const struct xdr_stream *xdr)\n{\n\treturn (unsigned int)(XDR_QUADLEN(xdr->buf->len) - xdr->nwords) << 2;\n}", "project": "linux", "hash": 211887249565252643380818268534152838759, "size": 4, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481093 }, { "func": "int write_bytes_to_xdr_buf(const struct xdr_buf *buf, unsigned int base,\n\t\t\t void *obj, unsigned int len)\n{\n\tstruct xdr_buf subbuf;\n\tint status;\n\n\tstatus = xdr_buf_subsegment(buf, &subbuf, base, len);\n\tif (status != 0)\n\t\treturn status;\n\t__write_bytes_to_xdr_buf(&subbuf, obj, len);\n\treturn 0;\n}", "project": "linux", "hash": 163098687223736670328844832335937035961, "size": 12, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481084 }, { "func": "static int decode_first_threshold_item4(struct xdr_stream *xdr,\n\t\t\t\t\tstruct nfs4_threshold *res)\n{\n\t__be32 *p;\n\tunsigned int savep;\n\tuint32_t bitmap[3] = {0,}, attrlen;\n\tint status;\n\n\t/* layout type */\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tres->l_type = be32_to_cpup(p);\n\n\t/* thi_hintset bitmap */\n\tstatus = decode_attr_bitmap(xdr, bitmap);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\n\t/* thi_hintlist length */\n\tstatus = decode_attr_length(xdr, &attrlen, &savep);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\t/* thi_hintlist */\n\tstatus = decode_threshold_hint(xdr, bitmap, &res->rd_sz, THRESHOLD_RD);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tstatus = decode_threshold_hint(xdr, bitmap, &res->wr_sz, THRESHOLD_WR);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tstatus = decode_threshold_hint(xdr, bitmap, &res->rd_io_sz,\n\t\t\t\t THRESHOLD_RD_IO);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\tstatus = decode_threshold_hint(xdr, bitmap, &res->wr_io_sz,\n\t\t\t\t THRESHOLD_WR_IO);\n\tif (status < 0)\n\t\tgoto xdr_error;\n\n\tstatus = verify_attr_len(xdr, savep, attrlen);\n\tres->bm = bitmap[0];\n\n\tdprintk(\"%s bm=0x%x rd_sz=%llu wr_sz=%llu rd_io=%llu wr_io=%llu\\n\",\n\t\t __func__, res->bm, res->rd_sz, res->wr_sz, res->rd_io_sz,\n\t\tres->wr_io_sz);\nxdr_error:\n\tdprintk(\"%s ret=%d!\\n\", __func__, status);\n\treturn status;\n}", "project": "linux", "hash": 4526746448874476818706534843428411206, "size": 49, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the 
buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431559 }, { "func": "void xdr_enter_page(struct xdr_stream *xdr, unsigned int len)\n{\n\tlen = xdr_align_pages(xdr, len);\n\t/*\n\t * Position current pointer at beginning of tail, and\n\t * set remaining message length.\n\t */\n\tif (len != 0)\n\t\txdr_set_page_base(xdr, 0, len);\n}", "project": "linux", "hash": 52130912404787094891860819892137623860, "size": 10, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481104 }, { "func": "static void xdr_buf_pages_shift_left(const struct xdr_buf *buf,\n\t\t\t\t unsigned int base, unsigned int len,\n\t\t\t\t unsigned int shift)\n{\n\tif (!shift || !len)\n\t\treturn;\n\tif (base >= buf->page_len) {\n\t\txdr_buf_tail_shift_left(buf, base - buf->page_len, len, shift);\n\t\treturn;\n\t}\n\txdr_buf_pages_copy_left(buf, base, len, shift);\n\tlen += base;\n\tif (len <= buf->page_len)\n\t\treturn;\n\txdr_buf_tail_copy_left(buf, 0, len - buf->page_len, shift);\n}", "project": "linux", "hash": 250082728009353231213440303094151877779, "size": 16, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481085 }, { "func": "__be32 * xdr_inline_decode(struct xdr_stream *xdr, size_t nbytes)\n{\n\t__be32 *p;\n\n\tif (unlikely(nbytes == 0))\n\t\treturn xdr->p;\n\tif (xdr->p == xdr->end && !xdr_set_next_buffer(xdr))\n\t\tgoto out_overflow;\n\tp = __xdr_inline_decode(xdr, nbytes);\n\tif (p != NULL)\n\t\treturn p;\n\treturn xdr_copy_to_scratch(xdr, nbytes);\nout_overflow:\n\ttrace_rpc_xdr_overflow(xdr, nbytes);\n\treturn NULL;\n}", "project": "linux", "hash": 205036226170957693379388940173161061017, "size": 16, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481088 }, { "func": "static void xdr_buf_head_copy_right(const struct xdr_buf *buf,\n\t\t\t\t unsigned int base, unsigned int len,\n\t\t\t\t unsigned int shift)\n{\n\tconst struct kvec *head = buf->head;\n\tconst struct kvec *tail = buf->tail;\n\tunsigned int to = base + shift;\n\tunsigned int pglen = 0, pgto = 0;\n\tunsigned int talen = 0, tato = 0;\n\n\tif (base >= head->iov_len)\n\t\treturn;\n\tif (len > head->iov_len - base)\n\t\tlen = head->iov_len - base;\n\tif (to >= buf->page_len + head->iov_len) {\n\t\ttato = to - buf->page_len - head->iov_len;\n\t\ttalen = len;\n\t} else if (to >= head->iov_len) {\n\t\tpgto = to - head->iov_len;\n\t\tpglen = len;\n\t\tif (pgto + pglen > buf->page_len) {\n\t\t\ttalen = pgto + pglen - buf->page_len;\n\t\t\tpglen -= talen;\n\t\t}\n\t} else {\n\t\tpglen = len - to;\n\t\tif (pglen > buf->page_len) {\n\t\t\ttalen = pglen - buf->page_len;\n\t\t\tpglen = buf->page_len;\n\t\t}\n\t}\n\n\tlen -= talen;\n\tbase += len;\n\tif (talen + tato > tail->iov_len)\n\t\ttalen = tail->iov_len > tato ? 
tail->iov_len - tato : 0;\n\tmemcpy(tail->iov_base + tato, head->iov_base + base, talen);\n\n\tlen -= pglen;\n\tbase -= pglen;\n\t_copy_to_pages(buf->pages, buf->page_base + pgto, head->iov_base + base,\n\t\t pglen);\n\n\tbase -= len;\n\tmemmove(head->iov_base + to, head->iov_base + base, len);\n}", "project": "linux", "hash": 208417489189811030320698695227199863902, "size": 46, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481044 }, { "func": "unsigned int xdr_align_data(struct xdr_stream *xdr, unsigned int offset,\n\t\t\t unsigned int length)\n{\n\tstruct xdr_buf *buf = xdr->buf;\n\tunsigned int from, bytes, len;\n\tunsigned int shift;\n\n\txdr_realign_pages(xdr);\n\tfrom = xdr_page_pos(xdr);\n\n\tif (from >= buf->page_len + buf->tail->iov_len)\n\t\treturn 0;\n\tif (from + buf->head->iov_len >= buf->len)\n\t\treturn 0;\n\n\tlen = buf->len - buf->head->iov_len;\n\n\t/* We only shift data left! */\n\tif (WARN_ONCE(from < offset, \"SUNRPC: misaligned data src=%u dst=%u\\n\",\n\t\t from, offset))\n\t\treturn 0;\n\tif (WARN_ONCE(offset > buf->page_len,\n\t\t \"SUNRPC: buffer overflow. 
offset=%u, page_len=%u\\n\",\n\t\t offset, buf->page_len))\n\t\treturn 0;\n\n\t/* Move page data to the left */\n\tshift = from - offset;\n\txdr_buf_pages_shift_left(buf, from, len, shift);\n\n\tbytes = xdr_stream_remaining(xdr);\n\tif (length > bytes)\n\t\tlength = bytes;\n\tbytes -= length;\n\n\txdr->buf->len -= shift;\n\txdr_set_page(xdr, offset + length, bytes);\n\treturn length;\n}", "project": "linux", "hash": 324214890936878009675270450600925360684, "size": 39, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481095 }, { "func": "static int decode_attr_time_delta(struct xdr_stream *xdr, uint32_t *bitmap,\n\t\t\t\t struct timespec64 *time)\n{\n\tint status = 0;\n\n\ttime->tv_sec = 0;\n\ttime->tv_nsec = 0;\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_TIME_DELTA - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[1] & FATTR4_WORD1_TIME_DELTA)) {\n\t\tstatus = decode_attr_time(xdr, time);\n\t\tbitmap[1] &= ~FATTR4_WORD1_TIME_DELTA;\n\t}\n\tdprintk(\"%s: time_delta=%lld %ld\\n\", __func__, time->tv_sec,\n\t\ttime->tv_nsec);\n\treturn status;\n}", "project": "linux", "hash": 290857699316597575084073792058436526126, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call 
memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430984 }, { "func": "static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,\n\t\t\t\t\tstruct nfs4_label *label)\n{\n\tuint32_t pi = 0;\n\tuint32_t lfs = 0;\n\t__u32 len;\n\t__be32 *p;\n\tint status = 0;\n\n\tif (unlikely(bitmap[2] & (FATTR4_WORD2_SECURITY_LABEL - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[2] & FATTR4_WORD2_SECURITY_LABEL)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tlfs = be32_to_cpup(p++);\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tpi = be32_to_cpup(p++);\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tlen = be32_to_cpup(p++);\n\t\tp = xdr_inline_decode(xdr, len);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tif (len < NFS4_MAXLABELLEN) {\n\t\t\tif (label) {\n\t\t\t\tmemcpy(label->label, p, len);\n\t\t\t\tlabel->len = len;\n\t\t\t\tlabel->pi = pi;\n\t\t\t\tlabel->lfs = lfs;\n\t\t\t\tstatus = NFS_ATTR_FATTR_V4_SECURITY_LABEL;\n\t\t\t}\n\t\t\tbitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL;\n\t\t} else\n\t\t\tprintk(KERN_WARNING \"%s: label too long (%u)!\\n\",\n\t\t\t\t\t__func__, len);\n\t}\n\tif (label && label->label)\n\t\tdprintk(\"%s: label=%s, len=%d, PI=%d, LFS=%d\\n\", __func__,\n\t\t\t(char *)label->label, label->len, label->pi, label->lfs);\n\treturn status;\n}", "project": "linux", "hash": 293774740721234251683748491997728460674, "size": 45, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client 
implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 1, "dataset": "other", "idx": 210250 }, { "func": "static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,\n\t\t\t\t\tstruct nfs4_label *label)\n{\n\tuint32_t pi = 0;\n\tuint32_t lfs = 0;\n\t__u32 len;\n\t__be32 *p;\n\tint status = 0;\n\n\tif (unlikely(bitmap[2] & (FATTR4_WORD2_SECURITY_LABEL - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[2] & FATTR4_WORD2_SECURITY_LABEL)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tlfs = be32_to_cpup(p++);\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tpi = be32_to_cpup(p++);\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tlen = be32_to_cpup(p++);\n\t\tp = xdr_inline_decode(xdr, len);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tif (len < NFS4_MAXLABELLEN) {\n\t\t\tif (label) {\n\t\t\t\tif (label->len) {\n\t\t\t\t\tif (label->len < len)\n\t\t\t\t\t\treturn -ERANGE;\n\t\t\t\t\tmemcpy(label->label, p, len);\n\t\t\t\t}\n\t\t\t\tlabel->len = len;\n\t\t\t\tlabel->pi = pi;\n\t\t\t\tlabel->lfs = lfs;\n\t\t\t\tstatus = NFS_ATTR_FATTR_V4_SECURITY_LABEL;\n\t\t\t}\n\t\t\tbitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL;\n\t\t} else\n\t\t\tprintk(KERN_WARNING \"%s: label too long (%u)!\\n\",\n\t\t\t\t\t__func__, len);\n\t}\n\tif (label && label->label)\n\t\tdprintk(\"%s: label=%s, len=%d, PI=%d, LFS=%d\\n\", __func__,\n\t\t\t(char *)label->label, label->len, label->pi, label->lfs);\n\treturn status;\n}", "project": "linux", "hash": 57059966302914892646918225923262002221, "size": 49, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c 
(\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431495 }, { "func": "static int nfs4_xdr_dec_secinfo_no_name(struct rpc_rqst *rqstp,\n\t\t\t\t\tstruct xdr_stream *xdr,\n\t\t\t\t\tvoid *data)\n{\n\tstruct nfs4_secinfo_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putrootfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_secinfo_no_name(xdr, res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 39771483932218671244590748352871996943, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431281 }, { "func": "static int nfs4_xdr_dec_layoutget(struct rpc_rqst *rqstp,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs4_layoutget_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_layoutget(xdr, rqstp, res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 80945037056508744480047500867810689609, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel 
panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431328 }, { "func": "static int decode_attr_maxfilesize(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res)\n{\n\t__be32 *p;\n\tint status = 0;\n\n\t*res = 0;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_MAXFILESIZE - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_MAXFILESIZE)) {\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, res);\n\t\tbitmap[0] &= ~FATTR4_WORD0_MAXFILESIZE;\n\t}\n\tdprintk(\"%s: maxfilesize=%Lu\\n\", __func__, (unsigned long long)*res);\n\treturn status;\n}", "project": "linux", "hash": 319890832782055304500066245999321649753, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431592 }, { "func": "unsigned int xdr_page_pos(const struct xdr_stream *xdr)\n{\n\tunsigned int pos = xdr_stream_pos(xdr);\n\n\tWARN_ON(pos < xdr->buf->head[0].iov_len);\n\treturn pos - xdr->buf->head[0].iov_len;\n}", "project": "linux", "hash": 204505592465137450968953609154695041120, "size": 7, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS 
testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481106 }, { "func": "static int decode_opaque_inline(struct xdr_stream *xdr, unsigned int *len, char **string)\n{\n\tssize_t ret = xdr_stream_decode_opaque_inline(xdr, (void **)string,\n\t\t\tNFS4_OPAQUE_LIMIT);\n\tif (unlikely(ret < 0))\n\t\treturn -EIO;\n\t*len = ret;\n\treturn 0;\n}", "project": "linux", "hash": 150109345362936003993588850465564947562, "size": 9, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431409 }, { "func": "static int decode_attr_owner(struct xdr_stream *xdr, uint32_t *bitmap,\n\t\tconst struct nfs_server *server, kuid_t *uid,\n\t\tstruct nfs4_string *owner_name)\n{\n\tssize_t len;\n\tchar *p;\n\n\t*uid = make_kuid(&init_user_ns, -2);\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_OWNER - 1U)))\n\t\treturn -EIO;\n\tif (!(bitmap[1] & FATTR4_WORD1_OWNER))\n\t\treturn 0;\n\tbitmap[1] &= ~FATTR4_WORD1_OWNER;\n\n\tif (owner_name != NULL) {\n\t\tlen = decode_nfs4_string(xdr, owner_name, GFP_NOIO);\n\t\tif (len <= 0)\n\t\t\tgoto out;\n\t\tdprintk(\"%s: name=%s\\n\", __func__, owner_name->data);\n\t\treturn 
NFS_ATTR_FATTR_OWNER_NAME;\n\t} else {\n\t\tlen = xdr_stream_decode_opaque_inline(xdr, (void **)&p,\n\t\t\t\tXDR_MAX_NETOBJ);\n\t\tif (len <= 0 || nfs_map_name_to_uid(server, p, len, uid) != 0)\n\t\t\tgoto out;\n\t\tdprintk(\"%s: uid=%d\\n\", __func__, (int)from_kuid(&init_user_ns, *uid));\n\t\treturn NFS_ATTR_FATTR_OWNER;\n\t}\nout:\n\tif (len == -EBADMSG)\n\t\treturn -EIO;\n\treturn 0;\n}", "project": "linux", "hash": 208965251759880377881149831461712824192, "size": 33, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431410 }, { "func": "static int decode_change_info(struct xdr_stream *xdr, struct nfs4_change_info *cinfo)\n{\n\t__be32 *p;\n\n\tp = xdr_inline_decode(xdr, 20);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tcinfo->atomic = be32_to_cpup(p++);\n\tp = xdr_decode_hyper(p, &cinfo->before);\n\txdr_decode_hyper(p, &cinfo->after);\n\treturn 0;\n}", "project": "linux", "hash": 338011731179727304150214961356043270096, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431063 }, { "func": "static int decode_layoutcommit(struct xdr_stream *xdr,\n\t\t\t struct rpc_rqst *req,\n\t\t\t struct 
nfs4_layoutcommit_res *res)\n{\n\t__be32 *p;\n\t__u32 sizechanged;\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_LAYOUTCOMMIT);\n\tres->status = status;\n\tif (status)\n\t\treturn status;\n\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tsizechanged = be32_to_cpup(p);\n\n\tif (sizechanged) {\n\t\t/* throw away new size */\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 88463090715712541708563010082553025709, "size": 26, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431096 }, { "func": "static int nfs4_xdr_dec_exchange_id(struct rpc_rqst *rqstp,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *res)\n{\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (!status)\n\t\tstatus = decode_exchange_id(xdr, res);\n\treturn status;\n}", "project": "linux", "hash": 180336499453108075796598945686649129245, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431085 }, { "func": "static unsigned int xdr_shrink_pagelen(struct xdr_buf *buf, unsigned int 
len)\n{\n\tunsigned int shift, buflen = buf->len - buf->head->iov_len;\n\n\tWARN_ON_ONCE(len > buf->page_len);\n\tif (buf->head->iov_len >= buf->len || len > buflen)\n\t\tbuflen = len;\n\tif (buf->page_len > buflen) {\n\t\tbuf->buflen -= buf->page_len - buflen;\n\t\tbuf->page_len = buflen;\n\t}\n\tif (len >= buf->page_len)\n\t\treturn 0;\n\tshift = buf->page_len - len;\n\txdr_buf_try_expand(buf, shift);\n\txdr_buf_pages_shift_right(buf, len, buflen - len, shift);\n\tbuf->page_len = len;\n\tbuf->len -= shift;\n\tbuf->buflen -= shift;\n\treturn shift;\n}", "project": "linux", "hash": 337203705432253243113672884706283861838, "size": 21, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481060 }, { "func": "static void xdr_set_next_page(struct xdr_stream *xdr)\n{\n\tunsigned int newbase;\n\n\tnewbase = (1 + xdr->page_ptr - xdr->buf->pages) << PAGE_SHIFT;\n\tnewbase -= xdr->buf->page_base;\n\tif (newbase < xdr->buf->page_len)\n\t\txdr_set_page_base(xdr, newbase, xdr_stream_remaining(xdr));\n\telse\n\t\txdr_set_tail_base(xdr, 0, xdr_stream_remaining(xdr));\n}", "project": "linux", "hash": 143934761100754012721328653481157803239, "size": 11, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS 
testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481092 }, { "func": "static int nfs4_xdr_dec_renew(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *__unused)\n{\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (!status)\n\t\tstatus = decode_renew(xdr);\n\treturn status;\n}", "project": "linux", "hash": 121456511166392708590323587882958310863, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431297 }, { "func": "static int nfs4_xdr_dec_layoutcommit(struct rpc_rqst *rqstp,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs4_layoutcommit_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_layoutcommit(xdr, rqstp, res);\n\tif (status)\n\t\tgoto out;\n\tdecode_getfattr(xdr, res->fattr, res->server);\nout:\n\treturn status;\n}", "project": "linux", "hash": 
158965686412226342975794558612144596561, "size": 24, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431414 }, { "func": "static int nfs4_xdr_dec_symlink(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t\tvoid *res)\n{\n\treturn nfs4_xdr_dec_create(rqstp, xdr, res);\n}", "project": "linux", "hash": 135942183004088784739124398672488986737, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431118 }, { "func": "static void __write_bytes_to_xdr_buf(const struct xdr_buf *subbuf,\n\t\t\t\t void *obj, unsigned int len)\n{\n\tunsigned int this_len;\n\n\tthis_len = min_t(unsigned int, len, subbuf->head[0].iov_len);\n\tmemcpy(subbuf->head[0].iov_base, obj, this_len);\n\tlen -= this_len;\n\tobj += this_len;\n\tthis_len = min_t(unsigned int, len, subbuf->page_len);\n\t_copy_to_pages(subbuf->pages, subbuf->page_base, obj, this_len);\n\tlen -= this_len;\n\tobj += this_len;\n\tthis_len = min_t(unsigned int, len, subbuf->tail[0].iov_len);\n\tmemcpy(subbuf->tail[0].iov_base, obj, this_len);\n}", "project": "linux", "hash": 42811641084824293534098096642797639507, "size": 16, "commit_id": 
"6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481087 }, { "func": "static int nfs4_xdr_dec_remove(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs_removeres *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_remove(xdr, &res->cinfo);\nout:\n\treturn status;\n}", "project": "linux", "hash": 22405213893989893072714709477060413834, "size": 20, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431468 }, { "func": "static void xdr_buf_pages_copy_right(const struct xdr_buf *buf,\n\t\t\t\t unsigned int base, unsigned int len,\n\t\t\t\t unsigned int shift)\n{\n\tconst struct kvec *tail = buf->tail;\n\tunsigned int to = base + shift;\n\tunsigned 
int pglen = 0;\n\tunsigned int talen = 0, tato = 0;\n\n\tif (base >= buf->page_len)\n\t\treturn;\n\tif (len > buf->page_len - base)\n\t\tlen = buf->page_len - base;\n\tif (to >= buf->page_len) {\n\t\ttato = to - buf->page_len;\n\t\tif (tail->iov_len >= len + tato)\n\t\t\ttalen = len;\n\t\telse if (tail->iov_len > tato)\n\t\t\ttalen = tail->iov_len - tato;\n\t} else if (len + to >= buf->page_len) {\n\t\tpglen = buf->page_len - to;\n\t\ttalen = len - pglen;\n\t\tif (talen > tail->iov_len)\n\t\t\ttalen = tail->iov_len;\n\t} else\n\t\tpglen = len;\n\n\t_copy_from_pages(tail->iov_base + tato, buf->pages,\n\t\t\t buf->page_base + base + pglen, talen);\n\t_shift_data_right_pages(buf->pages, buf->page_base + to,\n\t\t\t\tbuf->page_base + base, pglen);\n}", "project": "linux", "hash": 99047755131870024248738887875692824689, "size": 32, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481099 }, { "func": "static int decode_attr_time_metadata(struct xdr_stream *xdr, uint32_t *bitmap, struct timespec64 *time)\n{\n\tint status = 0;\n\n\ttime->tv_sec = 0;\n\ttime->tv_nsec = 0;\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_TIME_METADATA - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[1] & FATTR4_WORD1_TIME_METADATA)) {\n\t\tstatus = decode_attr_time(xdr, time);\n\t\tif (status == 0)\n\t\t\tstatus = NFS_ATTR_FATTR_CTIME;\n\t\tbitmap[1] &= ~FATTR4_WORD1_TIME_METADATA;\n\t}\n\tdprintk(\"%s: ctime=%lld\\n\", __func__, time->tv_sec);\n\treturn status;\n}", "project": "linux", "hash": 20334921903811710419656863815885452267, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431259 }, { "func": "static int decode_read(struct xdr_stream *xdr, struct rpc_rqst *req,\n\t\t struct nfs_pgio_res *res)\n{\n\t__be32 *p;\n\tuint32_t count, eof, recvd;\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_READ);\n\tif (status)\n\t\treturn status;\n\tp = xdr_inline_decode(xdr, 8);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\teof = be32_to_cpup(p++);\n\tcount = be32_to_cpup(p);\n\trecvd = xdr_read_pages(xdr, count);\n\tif (count > recvd) {\n\t\tdprintk(\"NFS: server cheating in read reply: 
\"\n\t\t\t\t\"count %u > recvd %u\\n\", count, recvd);\n\t\tcount = recvd;\n\t\teof = 0;\n\t}\n\tres->eof = eof;\n\tres->count = count;\n\treturn 0;\n}", "project": "linux", "hash": 306692945289934579828421151045341097849, "size": 26, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431467 }, { "func": "static void xdr_buf_tail_copy_right(const struct xdr_buf *buf,\n\t\t\t\t unsigned int base, unsigned int len,\n\t\t\t\t unsigned int shift)\n{\n\tconst struct kvec *tail = buf->tail;\n\tunsigned int to = base + shift;\n\n\tif (to >= tail->iov_len)\n\t\treturn;\n\tif (len + to > tail->iov_len)\n\t\tlen = tail->iov_len - to;\n\tmemmove(tail->iov_base + to, tail->iov_base + base, len);\n}", "project": "linux", "hash": 338167305075703019078977763333950862557, "size": 13, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481071 }, { "func": "static int decode_commit(struct xdr_stream *xdr, struct nfs_commitres *res)\n{\n\tstruct nfs_writeverf *verf = res->verf;\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_COMMIT);\n\tif (!status)\n\t\tstatus = decode_write_verifier(xdr, &verf->verifier);\n\tif (!status)\n\t\tverf->committed = NFS_FILE_SYNC;\n\treturn status;\n}", "project": "linux", "hash": 286243749575854720977272127613697468655, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431416 }, { "func": "static int nfs4_xdr_dec_close(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs_closeres *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tif (res->lr_res) {\n\t\tstatus = decode_layoutreturn(xdr, res->lr_res);\n\t\tres->lr_ret = status;\n\t\tif (status)\n\t\t\tgoto out;\n\t}\n\tif (res->fattr != NULL) {\n\t\tstatus = decode_getfattr(xdr, res->fattr, res->server);\n\t\tif (status != 0)\n\t\t\tgoto out;\n\t}\n\tstatus = 
decode_close(xdr, res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 189722454261122333415599873949928666478, "size": 31, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431531 }, { "func": "static int decode_attr_exclcreat_supported(struct xdr_stream *xdr,\n\t\t\t\t uint32_t *bitmap, uint32_t *bitmask)\n{\n\tif (likely(bitmap[2] & FATTR4_WORD2_SUPPATTR_EXCLCREAT)) {\n\t\tint ret;\n\t\tret = decode_attr_bitmap(xdr, bitmask);\n\t\tif (unlikely(ret < 0))\n\t\t\treturn ret;\n\t\tbitmap[2] &= ~FATTR4_WORD2_SUPPATTR_EXCLCREAT;\n\t} else\n\t\tbitmask[0] = bitmask[1] = bitmask[2] = 0;\n\tdprintk(\"%s: bitmask=%08x:%08x:%08x\\n\", __func__,\n\t\tbitmask[0], bitmask[1], bitmask[2]);\n\treturn 0;\n}", "project": "linux", "hash": 208798610506278832051588444879587788626, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431198 }, { "func": "static int nfs4_xdr_dec_readlink(struct rpc_rqst *rqstp,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs4_readlink_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto 
out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_readlink(xdr, rqstp);\nout:\n\treturn status;\n}", "project": "linux", "hash": 27634885362063077424069727207483183081, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431612 }, { "func": "static int decode_attr_maxname(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *maxname)\n{\n\t__be32 *p;\n\tint status = 0;\n\n\t*maxname = 1024;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_MAXNAME - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_MAXNAME)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\t*maxname = be32_to_cpup(p);\n\t\tbitmap[0] &= ~FATTR4_WORD0_MAXNAME;\n\t}\n\tdprintk(\"%s: maxname=%u\\n\", __func__, *maxname);\n\treturn status;\n}", "project": "linux", "hash": 173020951256138634569261285612272613974, "size": 18, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431135 }, { "func": "static int decode_locku(struct xdr_stream *xdr, struct nfs_locku_res *res)\n{\n\tint 
status;\n\n\tstatus = decode_op_hdr(xdr, OP_LOCKU);\n\tif (status != -EIO)\n\t\tnfs_increment_lock_seqid(status, res->seqid);\n\tif (status == 0)\n\t\tstatus = decode_lock_stateid(xdr, &res->stateid);\n\treturn status;\n}", "project": "linux", "hash": 96645024103163596218209318438212888370, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431251 }, { "func": "static int nfs4_xdr_dec_commit(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs_commitres *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tres->op_status = hdr.status;\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_commit(xdr, res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 111050609745201556838991999880695558642, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431573 }, { "func": "static int decode_delegreturn(struct xdr_stream *xdr)\n{\n\treturn decode_op_hdr(xdr, OP_DELEGRETURN);\n}", 
"project": "linux", "hash": 279634606282270163821260541254183746547, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431526 }, { "func": "static int decode_attr_fileid(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *fileid)\n{\n\t__be32 *p;\n\tint ret = 0;\n\n\t*fileid = 0;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_FILEID - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_FILEID)) {\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, fileid);\n\t\tbitmap[0] &= ~FATTR4_WORD0_FILEID;\n\t\tret = NFS_ATTR_FATTR_FILEID;\n\t}\n\tdprintk(\"%s: fileid=%Lu\\n\", __func__, (unsigned long long)*fileid);\n\treturn ret;\n}", "project": "linux", "hash": 314213392002580117812738495949950479476, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431369 }, { "func": "static int nfs4_xdr_dec_lookupp(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\tvoid *data)\n{\n\tstruct nfs4_lookupp_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = 
decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_lookupp(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_getfh(xdr, res->fh);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_getfattr_label(xdr, res->fattr, res->label, res->server);\nout:\n\treturn status;\n}", "project": "linux", "hash": 316521528310487394968386580119788964003, "size": 26, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431384 }, { "func": "static int decode_attr_change(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *change)\n{\n\t__be32 *p;\n\tint ret = 0;\n\n\t*change = 0;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_CHANGE - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_CHANGE)) {\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, change);\n\t\tbitmap[0] &= ~FATTR4_WORD0_CHANGE;\n\t\tret = NFS_ATTR_FATTR_CHANGE;\n\t}\n\tdprintk(\"%s: change attribute=%Lu\\n\", __func__,\n\t\t\t(unsigned long long)*change);\n\treturn ret;\n}", "project": "linux", "hash": 249607048181147483320811642406369693421, "size": 20, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of 
label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431444 }, { "func": "static int nfs4_xdr_dec_lookup_root(struct rpc_rqst *rqstp,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs4_lookup_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putrootfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_getfh(xdr, res->fh);\n\tif (status == 0)\n\t\tstatus = decode_getfattr_label(xdr, res->fattr,\n\t\t\t\t\t\tres->label, res->server);\nout:\n\treturn status;\n}", "project": "linux", "hash": 116681646457406141549175858579157021452, "size": 24, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431610 }, { "func": "static unsigned int xdr_buf_pages_fill_sparse(const struct xdr_buf *buf,\n\t\t\t\t\t unsigned int buflen, gfp_t gfp)\n{\n\tunsigned int i, npages, pagelen;\n\n\tif (!(buf->flags & XDRBUF_SPARSE_PAGES))\n\t\treturn buflen;\n\tif (buflen <= buf->head->iov_len)\n\t\treturn buflen;\n\tpagelen = buflen - buf->head->iov_len;\n\tif (pagelen > buf->page_len)\n\t\tpagelen = buf->page_len;\n\tnpages = (pagelen + buf->page_base + PAGE_SIZE - 1) >> PAGE_SHIFT;\n\tfor (i = 0; i < npages; i++) {\n\t\tif (!buf->pages[i])\n\t\t\tcontinue;\n\t\tbuf->pages[i] = alloc_page(gfp);\n\t\tif (likely(buf->pages[i]))\n\t\t\tcontinue;\n\t\tbuflen -= pagelen;\n\t\tpagelen = i << PAGE_SHIFT;\n\t\tif (pagelen > 
buf->page_base)\n\t\t\tbuflen += pagelen - buf->page_base;\n\t\tbreak;\n\t}\n\treturn buflen;\n}", "project": "linux", "hash": 196977118063378885416370760087140897911, "size": 27, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481112 }, { "func": "static int decode_attr_nlink(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *nlink)\n{\n\t__be32 *p;\n\tint ret = 0;\n\n\t*nlink = 1;\n\tif (unlikely(bitmap[1] & (FATTR4_WORD1_NUMLINKS - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[1] & FATTR4_WORD1_NUMLINKS)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\t*nlink = be32_to_cpup(p);\n\t\tbitmap[1] &= ~FATTR4_WORD1_NUMLINKS;\n\t\tret = NFS_ATTR_FATTR_NLINK;\n\t}\n\tdprintk(\"%s: nlink=%u\\n\", __func__, (unsigned int)*nlink);\n\treturn ret;\n}", "project": "linux", "hash": 7473014409285046553571290599539110090, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", 
"idx": 431541 }, { "func": "static int decode_attr_filehandle(struct xdr_stream *xdr, uint32_t *bitmap, struct nfs_fh *fh)\n{\n\t__be32 *p;\n\tu32 len;\n\n\tif (fh != NULL)\n\t\tmemset(fh, 0, sizeof(*fh));\n\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_FILEHANDLE - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_FILEHANDLE)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tlen = be32_to_cpup(p);\n\t\tif (len > NFS4_FHSIZE)\n\t\t\treturn -EIO;\n\t\tp = xdr_inline_decode(xdr, len);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tif (fh != NULL) {\n\t\t\tmemcpy(fh->data, p, len);\n\t\t\tfh->size = len;\n\t\t}\n\t\tbitmap[0] &= ~FATTR4_WORD0_FILEHANDLE;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 164240408313763976677776859888936569705, "size": 28, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430965 }, { "func": "static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,\n\t\t\t struct nfs_getaclres *res)\n{\n\tunsigned int savep;\n\tuint32_t attrlen,\n\t\t bitmap[3] = {0};\n\tint status;\n\tunsigned int pg_offset;\n\n\tres->acl_len = 0;\n\tif ((status = decode_op_hdr(xdr, OP_GETATTR)) != 0)\n\t\tgoto out;\n\n\txdr_enter_page(xdr, xdr->buf->page_len);\n\n\t/* Calculate the offset of the page data */\n\tpg_offset = xdr->buf->head[0].iov_len;\n\n\tif ((status = decode_attr_bitmap(xdr, bitmap)) != 0)\n\t\tgoto out;\n\tif ((status = decode_attr_length(xdr, &attrlen, &savep)) != 0)\n\t\tgoto out;\n\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_ACL - 1U)))\n\t\treturn -EIO;\n\tif 
(likely(bitmap[0] & FATTR4_WORD0_ACL)) {\n\n\t\t/* The bitmap (xdr len + bitmaps) and the attr xdr len words\n\t\t * are stored with the acl data to handle the problem of\n\t\t * variable length bitmaps.*/\n\t\tres->acl_data_offset = xdr_stream_pos(xdr) - pg_offset;\n\t\tres->acl_len = attrlen;\n\n\t\t/* Check for receive buffer overflow */\n\t\tif (res->acl_len > (xdr->nwords << 2) ||\n\t\t res->acl_len + res->acl_data_offset > xdr->buf->page_len) {\n\t\t\tres->acl_flags |= NFS4_ACL_TRUNC;\n\t\t\tdprintk(\"NFS: acl reply: attrlen %u > page_len %u\\n\",\n\t\t\t\t\tattrlen, xdr->nwords << 2);\n\t\t}\n\t} else\n\t\tstatus = -EOPNOTSUPP;\n\nout:\n\treturn status;\n}", "project": "linux", "hash": 252547646942296287959476935763981141156, "size": 46, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431383 }, { "func": "static int decode_write_verifier(struct xdr_stream *xdr, struct nfs_write_verifier *verifier)\n{\n\treturn decode_opaque_fixed(xdr, verifier->data, NFS4_VERIFIER_SIZE);\n}", "project": "linux", "hash": 36312021648887230977124602312011727969, "size": 4, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431158 
}, { "func": "static int decode_open_confirm(struct xdr_stream *xdr, struct nfs_open_confirmres *res)\n{\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_OPEN_CONFIRM);\n\tif (status != -EIO)\n\t\tnfs_increment_open_seqid(status, res->seqid);\n\tif (!status)\n\t\tstatus = decode_open_stateid(xdr, &res->stateid);\n\treturn status;\n}", "project": "linux", "hash": 302171317509767665541411234793550509387, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430946 }, { "func": "static int decode_write(struct xdr_stream *xdr, struct nfs_pgio_res *res)\n{\n\t__be32 *p;\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_WRITE);\n\tif (status)\n\t\treturn status;\n\n\tp = xdr_inline_decode(xdr, 8);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tres->count = be32_to_cpup(p++);\n\tres->verf->committed = be32_to_cpup(p++);\n\treturn decode_write_verifier(xdr, &res->verf->verifier);\n}", "project": "linux", "hash": 281437159234366567710238365611380797604, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431279 }, { "func": "static int decode_attr_fs_locations(struct xdr_stream *xdr, uint32_t *bitmap, struct 
nfs4_fs_locations *res)\n{\n\tint n;\n\t__be32 *p;\n\tint status = -EIO;\n\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_FS_LOCATIONS -1U)))\n\t\tgoto out;\n\tstatus = 0;\n\tif (unlikely(!(bitmap[0] & FATTR4_WORD0_FS_LOCATIONS)))\n\t\tgoto out;\n\tbitmap[0] &= ~FATTR4_WORD0_FS_LOCATIONS;\n\tstatus = -EIO;\n\t/* Ignore borken servers that return unrequested attrs */\n\tif (unlikely(res == NULL))\n\t\tgoto out;\n\tdprintk(\"%s: fsroot:\\n\", __func__);\n\tstatus = decode_pathname(xdr, &res->fs_path);\n\tif (unlikely(status != 0))\n\t\tgoto out;\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\tgoto out_eio;\n\tn = be32_to_cpup(p);\n\tif (n <= 0)\n\t\tgoto out_eio;\n\tfor (res->nlocations = 0; res->nlocations < n; res->nlocations++) {\n\t\tu32 m;\n\t\tstruct nfs4_fs_location *loc;\n\n\t\tif (res->nlocations == NFS4_FS_LOCATIONS_MAXENTRIES)\n\t\t\tbreak;\n\t\tloc = &res->locations[res->nlocations];\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\tgoto out_eio;\n\t\tm = be32_to_cpup(p);\n\n\t\tdprintk(\"%s: servers:\\n\", __func__);\n\t\tfor (loc->nservers = 0; loc->nservers < m; loc->nservers++) {\n\t\t\tstruct nfs4_string *server;\n\n\t\t\tif (loc->nservers == NFS4_FS_LOCATION_MAXSERVERS) {\n\t\t\t\tunsigned int i;\n\t\t\t\tdprintk(\"%s: using first %u of %u servers \"\n\t\t\t\t\t\"returned for location %u\\n\",\n\t\t\t\t\t\t__func__,\n\t\t\t\t\t\tNFS4_FS_LOCATION_MAXSERVERS,\n\t\t\t\t\t\tm, res->nlocations);\n\t\t\t\tfor (i = loc->nservers; i < m; i++) {\n\t\t\t\t\tunsigned int len;\n\t\t\t\t\tchar *data;\n\t\t\t\t\tstatus = decode_opaque_inline(xdr, &len, &data);\n\t\t\t\t\tif (unlikely(status != 0))\n\t\t\t\t\t\tgoto out_eio;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tserver = &loc->servers[loc->nservers];\n\t\t\tstatus = decode_opaque_inline(xdr, &server->len, &server->data);\n\t\t\tif (unlikely(status != 0))\n\t\t\t\tgoto out_eio;\n\t\t\tdprintk(\"%s \", server->data);\n\t\t}\n\t\tstatus = decode_pathname(xdr, &loc->rootpath);\n\t\tif 
(unlikely(status != 0))\n\t\t\tgoto out_eio;\n\t}\n\tif (res->nlocations != 0)\n\t\tstatus = NFS_ATTR_FATTR_V4_LOCATIONS;\nout:\n\tdprintk(\"%s: fs_locations done, error = %d\\n\", __func__, status);\n\treturn status;\nout_eio:\n\tstatus = -EIO;\n\tgoto out;\n}", "project": "linux", "hash": 10557401925893532615409983516525453672, "size": 77, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431522 }, { "func": "static int nfs4_xdr_dec_lookup(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs4_lookup_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_lookup(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_getfh(xdr, res->fh);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_getfattr_label(xdr, res->fattr, res->label, res->server);\nout:\n\treturn status;\n}", "project": "linux", "hash": 174180026105582726028362251978680316011, "size": 26, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond 
Myklebust ", "target": 0, "dataset": "other", "idx": 431534 }, { "func": "static int decode_pathname(struct xdr_stream *xdr, struct nfs4_pathname *path)\n{\n\tu32 n;\n\t__be32 *p;\n\tint status = 0;\n\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tn = be32_to_cpup(p);\n\tif (n == 0)\n\t\tgoto root_path;\n\tdprintk(\"pathname4: \");\n\tif (n > NFS4_PATHNAME_MAXCOMPONENTS) {\n\t\tdprintk(\"cannot parse %d components in path\\n\", n);\n\t\tgoto out_eio;\n\t}\n\tfor (path->ncomponents = 0; path->ncomponents < n; path->ncomponents++) {\n\t\tstruct nfs4_string *component = &path->components[path->ncomponents];\n\t\tstatus = decode_opaque_inline(xdr, &component->len, &component->data);\n\t\tif (unlikely(status != 0))\n\t\t\tgoto out_eio;\n\t\tifdebug (XDR)\n\t\t\tpr_cont(\"%s%.*s \",\n\t\t\t\t(path->ncomponents != n ? \"/ \" : \"\"),\n\t\t\t\tcomponent->len, component->data);\n\t}\nout:\n\treturn status;\nroot_path:\n/* a root pathname is sent as a zero component4 */\n\tpath->ncomponents = 1;\n\tpath->components[0].len=0;\n\tpath->components[0].data=NULL;\n\tdprintk(\"pathname4: /\\n\");\n\tgoto out;\nout_eio:\n\tdprintk(\" status %d\", status);\n\tstatus = -EIO;\n\tgoto out;\n}", "project": "linux", "hash": 148965901625376324145146643592940747386, "size": 41, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431505 }, { "func": "static int nfs4_xdr_dec_access(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs4_accessres *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus 
= decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status != 0)\n\t\tgoto out;\n\tstatus = decode_access(xdr, &res->supported, &res->access);\n\tif (status != 0)\n\t\tgoto out;\n\tif (res->fattr)\n\t\tdecode_getfattr(xdr, res->fattr, res->server);\nout:\n\treturn status;\n}", "project": "linux", "hash": 57922618835498233496023567633555099138, "size": 24, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431473 }, { "func": "static int decode_threshold_hint(struct xdr_stream *xdr,\n\t\t\t\t uint32_t *bitmap,\n\t\t\t\t uint64_t *res,\n\t\t\t\t uint32_t hint_bit)\n{\n\t__be32 *p;\n\n\t*res = 0;\n\tif (likely(bitmap[0] & hint_bit)) {\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, res);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 212759149966822345172387053357336425637, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431448 }, { "func": "static int decode_attr_link_support(struct xdr_stream *xdr, uint32_t *bitmap, 
uint32_t *res)\n{\n\t__be32 *p;\n\n\t*res = 0;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_LINK_SUPPORT - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_LINK_SUPPORT)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\t*res = be32_to_cpup(p);\n\t\tbitmap[0] &= ~FATTR4_WORD0_LINK_SUPPORT;\n\t}\n\tdprintk(\"%s: link support=%s\\n\", __func__, *res == 0 ? \"false\" : \"true\");\n\treturn 0;\n}", "project": "linux", "hash": 52502844772454391686270490749553274684, "size": 17, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431367 }, { "func": "void xdr_init_decode(struct xdr_stream *xdr, struct xdr_buf *buf, __be32 *p,\n\t\t struct rpc_rqst *rqst)\n{\n\txdr->buf = buf;\n\txdr_reset_scratch_buffer(xdr);\n\txdr->nwords = XDR_QUADLEN(buf->len);\n\tif (xdr_set_iov(xdr, buf->head, 0, buf->len) == 0 &&\n\t xdr_set_page_base(xdr, 0, buf->len) == 0)\n\t\txdr_set_iov(xdr, buf->tail, 0, buf->len);\n\tif (p != NULL && p > xdr->p && xdr->end >= p) {\n\t\txdr->nwords -= p - xdr->p;\n\t\txdr->p = p;\n\t}\n\txdr->rqst = rqst;\n}", "project": "linux", "hash": 274435134367671426055596927793002505129, "size": 15, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481043 }, { "func": "static int decode_pathconf(struct xdr_stream *xdr, struct nfs_pathconf *pathconf)\n{\n\tunsigned int savep;\n\tuint32_t attrlen, bitmap[3] = {0};\n\tint status;\n\n\tif ((status = decode_op_hdr(xdr, OP_GETATTR)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_bitmap(xdr, bitmap)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_length(xdr, &attrlen, &savep)) != 0)\n\t\tgoto xdr_error;\n\n\tif ((status = decode_attr_maxlink(xdr, bitmap, &pathconf->max_link)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_maxname(xdr, bitmap, &pathconf->max_namelen)) != 0)\n\t\tgoto xdr_error;\n\n\tstatus = verify_attr_len(xdr, savep, attrlen);\nxdr_error:\n\tdprintk(\"%s: xdr returned %d!\\n\", __func__, -status);\n\treturn status;\n}", "project": "linux", "hash": 90324169564359152470545297772185954908, "size": 23, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431089 }, { "func": "static int decode_server_caps(struct xdr_stream *xdr, struct nfs4_server_caps_res *res)\n{\n\tunsigned int savep;\n\tuint32_t attrlen, bitmap[3] = {0};\n\tint status;\n\n\tif ((status = decode_op_hdr(xdr, OP_GETATTR)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = 
decode_attr_bitmap(xdr, bitmap)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_length(xdr, &attrlen, &savep)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_supported(xdr, bitmap, res->attr_bitmask)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_fh_expire_type(xdr, bitmap,\n\t\t\t\t\t\t &res->fh_expire_type)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_link_support(xdr, bitmap, &res->has_links)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_symlink_support(xdr, bitmap, &res->has_symlinks)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_aclsupport(xdr, bitmap, &res->acl_bitmask)) != 0)\n\t\tgoto xdr_error;\n\tif ((status = decode_attr_exclcreat_supported(xdr, bitmap,\n\t\t\t\tres->exclcreat_bitmask)) != 0)\n\t\tgoto xdr_error;\n\tstatus = verify_attr_len(xdr, savep, attrlen);\nxdr_error:\n\tdprintk(\"%s: xdr returned %d!\\n\", __func__, -status);\n\treturn status;\n}", "project": "linux", "hash": 112343841465059223627010990330702113488, "size": 31, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431327 }, { "func": "int xdr_encode_array2(const struct xdr_buf *buf, unsigned int base,\n\t\t struct xdr_array2_desc *desc)\n{\n\tif ((unsigned long) base + 4 + desc->array_len * desc->elem_size >\n\t buf->head->iov_len + buf->page_len + buf->tail->iov_len)\n\t\treturn -EINVAL;\n\n\treturn xdr_xcode_array2(buf, base, desc, 1);\n}", "project": "linux", "hash": 88640571638696695122956942682056057988, "size": 9, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid 
a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481089 }, { "func": "static int nfs4_xdr_dec_write(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs_pgio_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tres->op_status = hdr.status;\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_write(xdr, res);\n\tif (status)\n\t\tgoto out;\n\tif (res->fattr)\n\t\tdecode_getfattr(xdr, res->fattr, res->server);\n\tif (!status)\n\t\tstatus = res->count;\nout:\n\treturn status;\n}", "project": "linux", "hash": 330745244548837857047472100067122457111, "size": 27, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431419 }, { "func": "static void xdr_buf_tail_shift_right(const struct xdr_buf *buf,\n\t\t\t\t unsigned int base, unsigned int len,\n\t\t\t\t unsigned int 
shift)\n{\n\tconst struct kvec *tail = buf->tail;\n\n\tif (base >= tail->iov_len || !shift || !len)\n\t\treturn;\n\txdr_buf_tail_copy_right(buf, base, len, shift);\n}", "project": "linux", "hash": 162782180096650039453545153022394505920, "size": 10, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481102 }, { "func": "static void xdr_buf_try_expand(struct xdr_buf *buf, unsigned int len)\n{\n\tstruct kvec *head = buf->head;\n\tstruct kvec *tail = buf->tail;\n\tunsigned int sum = head->iov_len + buf->page_len + tail->iov_len;\n\tunsigned int free_space, newlen;\n\n\tif (sum > buf->len) {\n\t\tfree_space = min_t(unsigned int, sum - buf->len, len);\n\t\tnewlen = xdr_buf_pages_fill_sparse(buf, buf->len + free_space,\n\t\t\t\t\t\t GFP_KERNEL);\n\t\tfree_space = newlen - buf->len;\n\t\tbuf->len = newlen;\n\t\tlen -= free_space;\n\t\tif (!len)\n\t\t\treturn;\n\t}\n\n\tif (buf->buflen > sum) {\n\t\t/* Expand the tail buffer */\n\t\tfree_space = min_t(unsigned int, buf->buflen - sum, len);\n\t\ttail->iov_len += free_space;\n\t\tbuf->len += free_space;\n\t}\n}", "project": "linux", "hash": 24509649115672067651775955241435879740, "size": 25, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing 
on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481063 }, { "func": "static int nfs4_xdr_dec_open(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs_openres *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_open(xdr, res);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_getfh(xdr, &res->fh);\n\tif (status)\n\t\tgoto out;\n\tif (res->access_request)\n\t\tdecode_access(xdr, &res->access_supported, &res->access_result);\n\tdecode_getfattr_label(xdr, res->f_attr, res->f_label, res->server);\n\tif (res->lg_res)\n\t\tdecode_layoutget(xdr, rqstp, res->lg_res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 328010917070760791319268236262335511412, "size": 30, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430964 }, { "func": "static int decode_rename(struct xdr_stream *xdr, struct nfs4_change_info *old_cinfo,\n\t 
struct nfs4_change_info *new_cinfo)\n{\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_RENAME);\n\tif (status)\n\t\tgoto out;\n\tif ((status = decode_change_info(xdr, old_cinfo)))\n\t\tgoto out;\n\tstatus = decode_change_info(xdr, new_cinfo);\nout:\n\treturn status;\n}", "project": "linux", "hash": 139348787697425605392499416662392747165, "size": 14, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431396 }, { "func": "unsigned int xdr_read_pages(struct xdr_stream *xdr, unsigned int len)\n{\n\tunsigned int nwords = XDR_QUADLEN(len);\n\tunsigned int base, end, pglen;\n\n\tpglen = xdr_align_pages(xdr, nwords << 2);\n\tif (pglen == 0)\n\t\treturn 0;\n\n\tbase = (nwords << 2) - pglen;\n\tend = xdr_stream_remaining(xdr) - pglen;\n\n\txdr_set_tail_base(xdr, base, end);\n\treturn len <= pglen ? len : pglen;\n}", "project": "linux", "hash": 39534359731415588109601533955517122422, "size": 15, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481090 }, { "func": "static int decode_attr_xattrsupport(struct xdr_stream *xdr, uint32_t *bitmap,\n\t\t\t\t uint32_t *res)\n{\n\t__be32 *p;\n\n\t*res = 0;\n\tif (unlikely(bitmap[2] & (FATTR4_WORD2_XATTR_SUPPORT - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[2] & FATTR4_WORD2_XATTR_SUPPORT)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\t*res = be32_to_cpup(p);\n\t\tbitmap[2] &= ~FATTR4_WORD2_XATTR_SUPPORT;\n\t}\n\tdprintk(\"%s: XATTR support=%s\\n\", __func__,\n\t\t*res == 0 ? \"false\" : \"true\");\n\treturn 0;\n}", "project": "linux", "hash": 315906859438264589601439487238315811926, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431091 }, { "func": "static __be32 * __xdr_inline_decode(struct xdr_stream *xdr, size_t nbytes)\n{\n\tunsigned int nwords = XDR_QUADLEN(nbytes);\n\t__be32 *p = xdr->p;\n\t__be32 *q = p + nwords;\n\n\tif (unlikely(nwords > xdr->nwords || q > xdr->end || q < p))\n\t\treturn NULL;\n\txdr->p = q;\n\txdr->nwords -= nwords;\n\treturn p;\n}", "project": "linux", "hash": 164315782528871219606143329433060948846, "size": 12, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN 
slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481110 }, { "func": "static int nfs4_xdr_dec_bind_conn_to_session(struct rpc_rqst *rqstp,\n\t\t\t\t\tstruct xdr_stream *xdr,\n\t\t\t\t\tvoid *res)\n{\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (!status)\n\t\tstatus = decode_bind_conn_to_session(xdr, res);\n\treturn status;\n}", "project": "linux", "hash": 137421022361637900858994818097818158249, "size": 12, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431044 }, { "func": "static void xdr_buf_tail_shift_left(const struct xdr_buf *buf,\n\t\t\t\t unsigned int base, unsigned int len,\n\t\t\t\t unsigned int shift)\n{\n\tif (!shift || !len)\n\t\treturn;\n\txdr_buf_tail_copy_left(buf, base, len, shift);\n}", "project": "linux", "hash": 21172027649948387709080362167756336398, "size": 8, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen 
fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481059 }, { "func": "static int decode_bind_conn_to_session(struct xdr_stream *xdr,\n\t\t\t\tstruct nfs41_bind_conn_to_session_res *res)\n{\n\t__be32 *p;\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_BIND_CONN_TO_SESSION);\n\tif (!status)\n\t\tstatus = decode_sessionid(xdr, &res->sessionid);\n\tif (unlikely(status))\n\t\treturn status;\n\n\t/* dir flags, rdma mode bool */\n\tp = xdr_inline_decode(xdr, 8);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\n\tres->dir = be32_to_cpup(p++);\n\tif (res->dir == 0 || res->dir > NFS4_CDFS4_BOTH)\n\t\treturn -EIO;\n\tif (be32_to_cpup(p) == 0)\n\t\tres->use_conn_in_rdma_mode = false;\n\telse\n\t\tres->use_conn_in_rdma_mode = true;\n\n\treturn 0;\n}", "project": "linux", "hash": 269804944671319529923407260374575546021, "size": 27, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431600 }, { "func": "static int nfs4_xdr_dec_link(struct rpc_rqst *rqstp, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs4_link_res *res = data;\n\tstruct compound_hdr hdr;\n\tint 
status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_savefh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_link(xdr, &res->cinfo);\n\tif (status)\n\t\tgoto out;\n\t/*\n\t * Note order: OP_LINK leaves the directory as the current\n\t * filehandle.\n\t */\n\tstatus = decode_restorefh(xdr);\n\tif (status)\n\t\tgoto out;\n\tdecode_getfattr_label(xdr, res->fattr, res->label, res->server);\nout:\n\treturn status;\n}", "project": "linux", "hash": 320736187312062374901207934048745990543, "size": 36, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431332 }, { "func": "static int decode_getdeviceinfo(struct xdr_stream *xdr,\n\t\t\t\tstruct nfs4_getdeviceinfo_res *res)\n{\n\tstruct pnfs_device *pdev = res->pdev;\n\t__be32 *p;\n\tuint32_t len, type;\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_GETDEVICEINFO);\n\tif (status) {\n\t\tif (status == -ETOOSMALL) {\n\t\t\tp = xdr_inline_decode(xdr, 4);\n\t\t\tif (unlikely(!p))\n\t\t\t\treturn -EIO;\n\t\t\tpdev->mincount = be32_to_cpup(p);\n\t\t\tdprintk(\"%s: Min count too small. 
mincnt = %u\\n\",\n\t\t\t\t__func__, pdev->mincount);\n\t\t}\n\t\treturn status;\n\t}\n\n\tp = xdr_inline_decode(xdr, 8);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\ttype = be32_to_cpup(p++);\n\tif (type != pdev->layout_type) {\n\t\tdprintk(\"%s: layout mismatch req: %u pdev: %u\\n\",\n\t\t\t__func__, pdev->layout_type, type);\n\t\treturn -EINVAL;\n\t}\n\t/*\n\t * Get the length of the opaque device_addr4. xdr_read_pages places\n\t * the opaque device_addr4 in the xdr_buf->pages (pnfs_device->pages)\n\t * and places the remaining xdr data in xdr_buf->tail\n\t */\n\tpdev->mincount = be32_to_cpup(p);\n\tif (xdr_read_pages(xdr, pdev->mincount) != pdev->mincount)\n\t\treturn -EIO;\n\n\t/* Parse notification bitmap, verifying that it is zero. */\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tlen = be32_to_cpup(p);\n\tif (len) {\n\t\tuint32_t i;\n\n\t\tp = xdr_inline_decode(xdr, 4 * len);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\n\t\tres->notification = be32_to_cpup(p++);\n\t\tfor (i = 1; i < len; i++) {\n\t\t\tif (be32_to_cpup(p++)) {\n\t\t\t\tdprintk(\"%s: unsupported notification\\n\",\n\t\t\t\t\t__func__);\n\t\t\t\treturn -EIO;\n\t\t\t}\n\t\t}\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 138955842478482010330788831772495324198, "size": 62, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431025 }, { "func": "static int decode_attr_error(struct xdr_stream *xdr, uint32_t *bitmap, int32_t *res)\n{\n\t__be32 *p;\n\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_RDATTR_ERROR - 1U)))\n\t\treturn -EIO;\n\tif 
(likely(bitmap[0] & FATTR4_WORD0_RDATTR_ERROR)) {\n\t\tp = xdr_inline_decode(xdr, 4);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\tbitmap[0] &= ~FATTR4_WORD0_RDATTR_ERROR;\n\t\t*res = -be32_to_cpup(p);\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 27814938081443021230873908470778262939, "size": 15, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431152 }, { "func": "static int decode_rw_delegation(struct xdr_stream *xdr,\n\t\tuint32_t delegation_type,\n\t\tstruct nfs_openres *res)\n{\n\t__be32 *p;\n\tint status;\n\n\tstatus = decode_delegation_stateid(xdr, &res->delegation);\n\tif (unlikely(status))\n\t\treturn status;\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tres->do_recall = be32_to_cpup(p);\n\n\tswitch (delegation_type) {\n\tcase NFS4_OPEN_DELEGATE_READ:\n\t\tres->delegation_type = FMODE_READ;\n\t\tbreak;\n\tcase NFS4_OPEN_DELEGATE_WRITE:\n\t\tres->delegation_type = FMODE_WRITE|FMODE_READ;\n\t\tif (decode_space_limit(xdr, &res->pagemod_limit) < 0)\n\t\t\t\treturn -EIO;\n\t}\n\treturn decode_ace(xdr, NULL);\n}", "project": "linux", "hash": 296832361505457265509204300972225529807, "size": 26, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 
0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431094 }, { "func": "static int decode_delegation(struct xdr_stream *xdr, struct nfs_openres *res)\n{\n\t__be32 *p;\n\tuint32_t delegation_type;\n\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tdelegation_type = be32_to_cpup(p);\n\tres->delegation_type = 0;\n\tswitch (delegation_type) {\n\tcase NFS4_OPEN_DELEGATE_NONE:\n\t\treturn 0;\n\tcase NFS4_OPEN_DELEGATE_READ:\n\tcase NFS4_OPEN_DELEGATE_WRITE:\n\t\treturn decode_rw_delegation(xdr, delegation_type, res);\n\tcase NFS4_OPEN_DELEGATE_NONE_EXT:\n\t\treturn decode_no_delegation(xdr, res);\n\t}\n\treturn -EIO;\n}", "project": "linux", "hash": 114041615787701709285538636557973520065, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431375 }, { "func": "static void xdr_stream_set_pos(struct xdr_stream *xdr, unsigned int pos)\n{\n\tunsigned int blen = xdr->buf->len;\n\n\txdr->nwords = blen > pos ? XDR_QUADLEN(blen) - XDR_QUADLEN(pos) : 0;\n}", "project": "linux", "hash": 2495507525326293656807669593583823355, "size": 6, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481067 }, { "func": "static int decode_layout_stateid(struct xdr_stream *xdr, nfs4_stateid *stateid)\n{\n\tstateid->type = NFS4_LAYOUT_STATEID_TYPE;\n\treturn decode_stateid(xdr, stateid);\n}", "project": "linux", "hash": 42182891012734130134724424236315537321, "size": 5, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431117 }, { "func": "static int decode_ace(struct xdr_stream *xdr, void *ace)\n{\n\t__be32 *p;\n\tunsigned int strlen;\n\tchar *str;\n\n\tp = xdr_inline_decode(xdr, 12);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\treturn decode_opaque_inline(xdr, &strlen, &str);\n}", "project": "linux", "hash": 34573632385113046245981429049867543382, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431057 }, { "func": "static int 
decode_secinfo_gss(struct xdr_stream *xdr,\n\t\t\t struct nfs4_secinfo4 *flavor)\n{\n\tu32 oid_len;\n\t__be32 *p;\n\n\tp = xdr_inline_decode(xdr, 4);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\toid_len = be32_to_cpup(p);\n\tif (oid_len > GSS_OID_MAX_LEN)\n\t\treturn -EINVAL;\n\n\tp = xdr_inline_decode(xdr, oid_len);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tmemcpy(flavor->flavor_info.oid.data, p, oid_len);\n\tflavor->flavor_info.oid.len = oid_len;\n\n\tp = xdr_inline_decode(xdr, 8);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tflavor->flavor_info.qop = be32_to_cpup(p++);\n\tflavor->flavor_info.service = be32_to_cpup(p);\n\n\treturn 0;\n}", "project": "linux", "hash": 84284112533055164525785089103492561049, "size": 27, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431397 }, { "func": "static int nfs4_xdr_dec_setattr(struct rpc_rqst *rqstp,\n\t\t\t\tstruct xdr_stream *xdr,\n\t\t\t\tvoid *data)\n{\n\tstruct nfs_setattrres *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, rqstp);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_setattr(xdr);\n\tif (status)\n\t\tgoto out;\n\tdecode_getfattr_label(xdr, res->fattr, res->label, res->server);\nout:\n\treturn status;\n}", "project": "linux", "hash": 254272091247457974285264560553852402023, "size": 24, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory 
overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431099 }, { "func": "static int nfs4_xdr_dec_statfs(struct rpc_rqst *req, struct xdr_stream *xdr,\n\t\t\t void *data)\n{\n\tstruct nfs4_statfs_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (!status)\n\t\tstatus = decode_sequence(xdr, &res->seq_res, req);\n\tif (!status)\n\t\tstatus = decode_putfh(xdr);\n\tif (!status)\n\t\tstatus = decode_statfs(xdr, res->fsstat);\n\treturn status;\n}", "project": "linux", "hash": 293234689712423749487948082236404285847, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431483 }, { "func": "static int decode_open(struct xdr_stream *xdr, struct nfs_openres *res)\n{\n\t__be32 *p;\n\tuint32_t savewords, bmlen, i;\n\tint status;\n\n\tif (!__decode_op_hdr(xdr, OP_OPEN, &status))\n\t\treturn status;\n\tnfs_increment_open_seqid(status, res->seqid);\n\tif (status)\n\t\treturn status;\n\tstatus = decode_open_stateid(xdr, &res->stateid);\n\tif (unlikely(status))\n\t\treturn status;\n\n\tdecode_change_info(xdr, &res->cinfo);\n\n\tp = xdr_inline_decode(xdr, 8);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tres->rflags = be32_to_cpup(p++);\n\tbmlen = be32_to_cpup(p);\n\tif (bmlen > 
10)\n\t\tgoto xdr_error;\n\n\tp = xdr_inline_decode(xdr, bmlen << 2);\n\tif (unlikely(!p))\n\t\treturn -EIO;\n\tsavewords = min_t(uint32_t, bmlen, NFS4_BITMAP_SIZE);\n\tfor (i = 0; i < savewords; ++i)\n\t\tres->attrset[i] = be32_to_cpup(p++);\n\tfor (; i < NFS4_BITMAP_SIZE; i++)\n\t\tres->attrset[i] = 0;\n\n\treturn decode_delegation(xdr, res);\nxdr_error:\n\tdprintk(\"%s: Bitmap too large! Length = %u\\n\", __func__, bmlen);\n\treturn -EIO;\n}", "project": "linux", "hash": 188572705649854545760669103198272270019, "size": 39, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431176 }, { "func": "static void xdr_buf_head_shift_right(const struct xdr_buf *buf,\n\t\t\t\t unsigned int base, unsigned int len,\n\t\t\t\t unsigned int shift)\n{\n\tconst struct kvec *head = buf->head;\n\n\tif (!shift)\n\t\treturn;\n\tif (base >= head->iov_len) {\n\t\txdr_buf_pages_shift_right(buf, head->iov_len - base, len,\n\t\t\t\t\t shift);\n\t\treturn;\n\t}\n\tif (base + len > head->iov_len)\n\t\txdr_buf_pages_shift_right(buf, 0, base + len - head->iov_len,\n\t\t\t\t\t shift);\n\txdr_buf_head_copy_right(buf, base, len, shift);\n}", "project": "linux", "hash": 10204471783855253912730738861397013460, "size": 18, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481039 }, { "func": "static int decode_open_downgrade(struct xdr_stream *xdr, struct nfs_closeres *res)\n{\n\tint status;\n\n\tstatus = decode_op_hdr(xdr, OP_OPEN_DOWNGRADE);\n\tif (status != -EIO)\n\t\tnfs_increment_open_seqid(status, res->seqid);\n\tif (!status)\n\t\tstatus = decode_open_stateid(xdr, &res->stateid);\n\treturn status;\n}", "project": "linux", "hash": 230907741292039799722618558457502215872, "size": 11, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430995 }, { "func": "static void xdr_buf_pages_shift_right(const struct xdr_buf *buf,\n\t\t\t\t unsigned int base, unsigned int len,\n\t\t\t\t unsigned int shift)\n{\n\tif (!shift || !len)\n\t\treturn;\n\tif (base >= buf->page_len) {\n\t\txdr_buf_tail_shift_right(buf, base - buf->page_len, len, shift);\n\t\treturn;\n\t}\n\tif (base + len > buf->page_len)\n\t\txdr_buf_tail_shift_right(buf, 0, base + len - buf->page_len,\n\t\t\t\t\t shift);\n\txdr_buf_pages_copy_right(buf, base, len, shift);\n}", "project": "linux", "hash": 296289120077690451303060410120099681780, "size": 15, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis 
seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481065 }, { "func": "static void xdr_buf_iov_zero(const struct kvec *iov, unsigned int base,\n\t\t\t unsigned int len)\n{\n\tif (base >= iov->iov_len)\n\t\treturn;\n\tif (len > iov->iov_len - base)\n\t\tlen = iov->iov_len - base;\n\tmemset(iov->iov_base + base, 0, len);\n}", "project": "linux", "hash": 163903050059254585818077346794837320741, "size": 9, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481058 }, { "func": "static int nfs4_xdr_dec_server_caps(struct rpc_rqst *req,\n\t\t\t\t struct xdr_stream *xdr,\n\t\t\t\t void *data)\n{\n\tstruct nfs4_server_caps_res *res = data;\n\tstruct compound_hdr hdr;\n\tint status;\n\n\tstatus = decode_compound_hdr(xdr, &hdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_sequence(xdr, &res->seq_res, req);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_putfh(xdr);\n\tif (status)\n\t\tgoto out;\n\tstatus = decode_server_caps(xdr, res);\nout:\n\treturn status;\n}", "project": "linux", "hash": 75176089816142268090919039679012996114, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431574 }, { "func": "static int verify_attr_len(struct xdr_stream *xdr, unsigned int savep, uint32_t attrlen)\n{\n\tunsigned int attrwords = XDR_QUADLEN(attrlen);\n\tunsigned int nwords = (xdr_stream_pos(xdr) - savep) >> 2;\n\n\tif (unlikely(attrwords != nwords)) {\n\t\tdprintk(\"%s: server returned incorrect attribute length: \"\n\t\t\t\"%u %c %u\\n\",\n\t\t\t\t__func__,\n\t\t\t\tattrwords << 2,\n\t\t\t\t(attrwords < nwords) ? 
'<' : '>',\n\t\t\t\tnwords << 2);\n\t\treturn -EIO;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 62508461568097026017631474674385758454, "size": 16, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431317 }, { "func": "static unsigned int xdr_set_tail_base(struct xdr_stream *xdr,\n\t\t\t\t unsigned int base, unsigned int len)\n{\n\tstruct xdr_buf *buf = xdr->buf;\n\n\txdr_stream_set_pos(xdr, base + buf->page_len + buf->head->iov_len);\n\treturn xdr_set_iov(xdr, buf->tail, base, len);\n}", "project": "linux", "hash": 247725362593095268135489282101542465051, "size": 8, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. 
So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481040 }, { "func": "int xdr_buf_subsegment(const struct xdr_buf *buf, struct xdr_buf *subbuf,\n\t\t unsigned int base, unsigned int len)\n{\n\tsubbuf->buflen = subbuf->len = len;\n\tif (base < buf->head[0].iov_len) {\n\t\tsubbuf->head[0].iov_base = buf->head[0].iov_base + base;\n\t\tsubbuf->head[0].iov_len = min_t(unsigned int, len,\n\t\t\t\t\t\tbuf->head[0].iov_len - base);\n\t\tlen -= subbuf->head[0].iov_len;\n\t\tbase = 0;\n\t} else {\n\t\tbase -= buf->head[0].iov_len;\n\t\tsubbuf->head[0].iov_base = buf->head[0].iov_base;\n\t\tsubbuf->head[0].iov_len = 0;\n\t}\n\n\tif (base < buf->page_len) {\n\t\tsubbuf->page_len = min(buf->page_len - base, len);\n\t\tbase += buf->page_base;\n\t\tsubbuf->page_base = base & ~PAGE_MASK;\n\t\tsubbuf->pages = &buf->pages[base >> PAGE_SHIFT];\n\t\tlen -= subbuf->page_len;\n\t\tbase = 0;\n\t} else {\n\t\tbase -= buf->page_len;\n\t\tsubbuf->pages = buf->pages;\n\t\tsubbuf->page_base = 0;\n\t\tsubbuf->page_len = 0;\n\t}\n\n\tif (base < buf->tail[0].iov_len) {\n\t\tsubbuf->tail[0].iov_base = buf->tail[0].iov_base + base;\n\t\tsubbuf->tail[0].iov_len = min_t(unsigned int, len,\n\t\t\t\t\t\tbuf->tail[0].iov_len - base);\n\t\tlen -= subbuf->tail[0].iov_len;\n\t\tbase = 0;\n\t} else {\n\t\tbase -= buf->tail[0].iov_len;\n\t\tsubbuf->tail[0].iov_base = buf->tail[0].iov_base;\n\t\tsubbuf->tail[0].iov_len = 0;\n\t}\n\n\tif (base || len)\n\t\treturn -1;\n\treturn 0;\n}", "project": "linux", "hash": 260006136650729870556210729763594879872, "size": 46, "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in 
xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker \nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 481066 }, { "func": "static int decode_attr_maxread(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)\n{\n\t__be32 *p;\n\tint status = 0;\n\n\t*res = 1024;\n\tif (unlikely(bitmap[0] & (FATTR4_WORD0_MAXREAD - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_MAXREAD)) {\n\t\tuint64_t maxread;\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, &maxread);\n\t\tif (maxread > 0x7FFFFFFF)\n\t\t\tmaxread = 0x7FFFFFFF;\n\t\t*res = (uint32_t)maxread;\n\t\tbitmap[0] &= ~FATTR4_WORD0_MAXREAD;\n\t}\n\tdprintk(\"%s: maxread=%lu\\n\", __func__, (unsigned long)*res);\n\treturn status;\n}", "project": "linux", "hash": 156645682585945248421637440394061222907, "size": 22, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431470 }, { "func": "static int decode_attr_size(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *size)\n{\n\t__be32 *p;\n\tint ret = 0;\n\n\t*size = 0;\n\tif (unlikely(bitmap[0] & 
(FATTR4_WORD0_SIZE - 1U)))\n\t\treturn -EIO;\n\tif (likely(bitmap[0] & FATTR4_WORD0_SIZE)) {\n\t\tp = xdr_inline_decode(xdr, 8);\n\t\tif (unlikely(!p))\n\t\t\treturn -EIO;\n\t\txdr_decode_hyper(p, size);\n\t\tbitmap[0] &= ~FATTR4_WORD0_SIZE;\n\t\tret = NFS_ATTR_FATTR_SIZE;\n\t}\n\tdprintk(\"%s: file size=%Lu\\n\", __func__, (unsigned long long)*size);\n\treturn ret;\n}", "project": "linux", "hash": 172016904006324187892787286436768239250, "size": 19, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431581 } ] }, { "call_depth": 4, "longest_call_chain": [ "latm_dmx_process", "latm_dmx_check_pid", "latm_dmx_check_dur", "latm_dmx_sync_frame_bs" ], "group_size": 6, "functions": [ { "func": "static void latm_dmx_check_pid(GF_Filter *filter, GF_LATMDmxCtx *ctx)\n{\n\tu8 *dsi_b;\n\tu32 dsi_s, sr, timescale=0;\n\tu32 codecid;\n\tif (!ctx->opid) {\n\t\tctx->opid = gf_filter_pid_new(filter);\n\t\tgf_filter_pid_copy_properties(ctx->opid, ctx->ipid);\n\t\tlatm_dmx_check_dur(filter, ctx);\n\t}\n\tif (!GF_M4ASampleRates[ctx->acfg.base_sr_index]) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, (\"[LATMDmx] Wrong sample rate in audio config, broken stream\\n\"));\n\t\tctx->in_error = GF_NON_COMPLIANT_BITSTREAM;\n\t\treturn;\n\t}\n\n\tif ((ctx->sr_idx == ctx->acfg.base_sr_index) && (ctx->nb_ch == ctx->acfg.nb_chan )\n\t\t&& (ctx->base_object_type == ctx->acfg.base_object_type) ) return;\n\n\tif (ctx->acfg.base_object_type==GF_M4A_USAC)\n\t\tcodecid = GF_CODECID_USAC;\n\telse\n\t\tcodecid = GF_CODECID_AAC_MPEG4;\n\t//copy properties at init or 
reconfig\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_STREAM_TYPE, & PROP_UINT( GF_STREAM_AUDIO));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CODECID, & PROP_UINT( codecid));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_SAMPLES_PER_FRAME, & PROP_UINT(ctx->frame_size) );\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_UNFRAMED, & PROP_BOOL(GF_FALSE) );\n\tif (ctx->is_file && ctx->index) {\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_PLAYBACK_MODE, & PROP_UINT(GF_PLAYBACK_MODE_FASTFORWARD) );\n\t}\n\tif (ctx->duration.num)\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration));\n\n\n\tctx->nb_ch = ctx->acfg.nb_chan;\n\tctx->base_object_type = ctx->acfg.base_object_type;\n\n\tsr = GF_M4ASampleRates[ctx->acfg.base_sr_index];\n\tif (!ctx->timescale) {\n\t\t//we change sample rate, change cts\n\t\tif (ctx->cts && (ctx->sr_idx != ctx->acfg.base_sr_index)) {\n\t\t\tctx->cts *= sr;\n\t\t\tctx->cts /= GF_M4ASampleRates[ctx->sr_idx];\n\t\t}\n\t}\n\tctx->sr_idx = ctx->acfg.base_sr_index;\n\n\tctx->dts_inc = ctx->frame_size;\n\tgf_m4a_write_config(&ctx->acfg, &dsi_b, &dsi_s);\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DECODER_CONFIG, & PROP_DATA_NO_COPY(dsi_b, dsi_s) );\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_PROFILE_LEVEL, & PROP_UINT (ctx->acfg.audioPL) );\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_SAMPLE_RATE, & PROP_UINT(sr));\n\n\ttimescale = sr;\n\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_TIMESCALE, & PROP_UINT(ctx->timescale ? 
ctx->timescale : timescale));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_NUM_CHANNELS, & PROP_UINT(ctx->nb_ch) );\n\n\tif (ctx->bitrate) {\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_BITRATE, & PROP_UINT(ctx->bitrate));\n\t}\n}", "project": "gpac", "hash": 165495346712678193500478445775721262302, "size": 63, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271472 }, { "func": "static GFINLINE void latm_dmx_update_cts(GF_LATMDmxCtx *ctx)\n{\n\tassert(ctx->dts_inc);\n\n\tif (ctx->timescale) {\n\t\tu64 inc = ctx->dts_inc;\n\t\tinc *= ctx->timescale;\n\t\tinc /= GF_M4ASampleRates[ctx->sr_idx];\n\t\tctx->cts += inc;\n\t} else {\n\t\tctx->cts += ctx->dts_inc;\n\t}\n}", "project": "gpac", "hash": 326400713483767484341063456654570434654, "size": 13, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271475 }, { "func": "static void latm_dmx_check_dur(GF_Filter *filter, GF_LATMDmxCtx *ctx)\n{\n\tFILE *stream;\n\tGF_BitStream *bs;\n\tGF_M4ADecSpecInfo acfg;\n\tu64 duration, cur_dur, cur_pos, rate;\n\ts32 sr_idx = -1;\n\tconst GF_PropertyValue *p;\n\tif (!ctx->opid || ctx->timescale || ctx->file_loaded) return;\n\n\tif (ctx->index<=0) {\n\t\tctx->file_loaded = GF_TRUE;\n\t\treturn;\n\t}\n\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILEPATH);\n\tif (!p || !p->value.string || !strncmp(p->value.string, \"gmem://\", 7)) {\n\t\tctx->is_file = GF_FALSE;\n\t\tctx->file_loaded = GF_TRUE;\n\t\treturn;\n\t}\n\tctx->is_file = GF_TRUE;\n\n\tstream = gf_fopen(p->value.string, \"rb\");\n\tif (!stream) return;\n\n\tctx->index_size = 0;\n\n\tmemset(&acfg, 0, sizeof(GF_M4ADecSpecInfo));\n\n\n\tbs = gf_bs_from_file(stream, GF_BITSTREAM_READ);\n\tduration = 0;\n\tcur_dur = 0;\n\tcur_pos = gf_bs_get_position(bs);\n\twhile (latm_dmx_sync_frame_bs(bs, &acfg, 0, NULL, NULL)) {\n\t\tif ((sr_idx>=0) && (sr_idx != 
acfg.base_sr_index)) {\n\t\t\tduration *= GF_M4ASampleRates[acfg.base_sr_index];\n\t\t\tduration /= GF_M4ASampleRates[sr_idx];\n\n\t\t\tcur_dur *= GF_M4ASampleRates[acfg.base_sr_index];\n\t\t\tcur_dur /= GF_M4ASampleRates[sr_idx];\n\t\t}\n\t\tsr_idx = acfg.base_sr_index;\n\t\tduration += ctx->frame_size;\n\t\tcur_dur += ctx->frame_size;\n\t\tif (cur_dur > ctx->index * GF_M4ASampleRates[sr_idx]) {\n\t\t\tif (!ctx->index_alloc_size) ctx->index_alloc_size = 10;\n\t\t\telse if (ctx->index_alloc_size == ctx->index_size) ctx->index_alloc_size *= 2;\n\t\t\tctx->indexes = gf_realloc(ctx->indexes, sizeof(LATMIdx)*ctx->index_alloc_size);\n\t\t\tctx->indexes[ctx->index_size].pos = cur_pos;\n\t\t\tctx->indexes[ctx->index_size].duration = (Double) duration;\n\t\t\tctx->indexes[ctx->index_size].duration /= GF_M4ASampleRates[sr_idx];\n\t\t\tctx->index_size ++;\n\t\t\tcur_dur = 0;\n\t\t}\n\n\t\tcur_pos = gf_bs_get_position(bs);\n\t}\n\trate = gf_bs_get_position(bs);\n\tgf_bs_del(bs);\n\tgf_fclose(stream);\n\n\tif (sr_idx>=0) {\n\t\tif (!ctx->duration.num || (ctx->duration.num * GF_M4ASampleRates[sr_idx] != duration * ctx->duration.den)) {\n\t\t\tctx->duration.num = (s32) duration;\n\t\t\tctx->duration.den = GF_M4ASampleRates[sr_idx];\n\n\t\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration));\n\n\t\t\tif (duration && !gf_sys_is_test_mode() ) {\n\t\t\t\trate *= 8 * ctx->duration.den;\n\t\t\t\trate /= ctx->duration.num;\n\t\t\t\tctx->bitrate = (u32) rate;\n\t\t\t}\n\t\t}\n\t}\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILE_CACHED);\n\tif (p && p->value.boolean) ctx->file_loaded = GF_TRUE;\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CAN_DATAREF, & PROP_BOOL(GF_TRUE ) );\n}", "project": "gpac", "hash": 268079972344018463318373147938902590521, "size": 81, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271469 }, { "func": "GF_Err 
latm_dmx_process(GF_Filter *filter)\n{\n\tGF_LATMDmxCtx *ctx = gf_filter_get_udta(filter);\n\tGF_FilterPacket *pck, *dst_pck;\n\tu32 pos;\n\tu8 *data, *output;\n\tu32 pck_size, prev_pck_size;\n\tu64 cts = GF_FILTER_NO_TS;\n\n\tif (ctx->in_error)\n\t\treturn ctx->in_error;\n\n\t//always reparse duration\n\tif (!ctx->duration.num)\n\t\tlatm_dmx_check_dur(filter, ctx);\n\n\tif (ctx->opid && !ctx->is_playing)\n\t\treturn GF_OK;\n\n\tpck = gf_filter_pid_get_packet(ctx->ipid);\n\tif (!pck) {\n\t\tif (gf_filter_pid_is_eos(ctx->ipid)) {\n\t\t\tif (!ctx->latm_buffer_size) {\n\t\t\t\tif (ctx->opid)\n\t\t\t\t\tgf_filter_pid_set_eos(ctx->opid);\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = NULL;\n\t\t\t\treturn GF_EOS;\n\t\t\t}\n\t\t} else {\n\t\t\treturn GF_OK;\n\t\t}\n\t}\n\n\tdata = (char *) gf_filter_pck_get_data(pck, &pck_size);\n\n\t//input pid sets some timescale - we flushed pending data , update cts\n\tif (ctx->timescale && pck) {\n\t\tcts = gf_filter_pck_get_cts(pck);\n\t}\n\n\tprev_pck_size = ctx->latm_buffer_size;\n\n\tif (pck && !ctx->resume_from) {\n\t\tif (ctx->latm_buffer_size + pck_size > ctx->latm_buffer_alloc) {\n\t\t\tctx->latm_buffer_alloc = ctx->latm_buffer_size + pck_size;\n\t\t\tctx->latm_buffer = gf_realloc(ctx->latm_buffer, ctx->latm_buffer_alloc);\n\t\t}\n\t\tmemcpy(ctx->latm_buffer + ctx->latm_buffer_size, data, pck_size);\n\t\tctx->latm_buffer_size += pck_size;\n\t}\n\n\tif (!ctx->bs) ctx->bs = gf_bs_new(ctx->latm_buffer, ctx->latm_buffer_size, GF_BITSTREAM_READ);\n\telse gf_bs_reassign_buffer(ctx->bs, ctx->latm_buffer, ctx->latm_buffer_size);\n\n\tif (ctx->resume_from) {\n\t\tgf_bs_seek(ctx->bs, ctx->resume_from-1);\n\t\tctx->resume_from = 0;\n\t}\n\n\tif (cts == GF_FILTER_NO_TS)\n\t\tprev_pck_size = 0;\n\n\n\twhile (1) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tu8 latm_buffer[4096];\n\t\tu32 latm_frame_size = 4096;\n\t\tif (!latm_dmx_sync_frame_bs(ctx->bs,&ctx->acfg, &latm_frame_size, latm_buffer, 
NULL)) break;\n\n\t\tif (ctx->in_seek) {\n\t\t\tu64 nb_samples_at_seek = (u64) (ctx->start_range * GF_M4ASampleRates[ctx->sr_idx]);\n\t\t\tif (ctx->cts + ctx->dts_inc >= nb_samples_at_seek) {\n\t\t\t\t//u32 samples_to_discard = (ctx->cts + ctx->dts_inc) - nb_samples_at_seek;\n\t\t\t\tctx->in_seek = GF_FALSE;\n\t\t\t}\n\t\t}\n\n\t\tlatm_dmx_check_pid(filter, ctx);\n\n\t\tif (!ctx->is_playing) {\n\t\t\tctx->resume_from = pos+1;\n\t\t\treturn GF_OK;\n\t\t}\n\n\t\tif (!ctx->in_seek) {\n\t\t\tGF_FilterSAPType sap = GF_FILTER_SAP_1;\n\n\t\t\tdst_pck = gf_filter_pck_new_alloc(ctx->opid, latm_frame_size, &output);\n\t\t\tif (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, dst_pck);\n\n\t\t\tmemcpy(output, latm_buffer, latm_frame_size);\n\n\t\t\tgf_filter_pck_set_cts(dst_pck, ctx->cts);\n\t\t\tgf_filter_pck_set_duration(dst_pck, ctx->dts_inc);\n\t\t\tgf_filter_pck_set_framing(dst_pck, GF_TRUE, GF_TRUE);\n\n\t\t\t/*xHE-AAC, check RAP*/\n\t\t\tif (ctx->acfg.base_object_type==GF_CODECID_USAC) {\n\t\t\t\tif (latm_frame_size && (output[0] & 0x80) && !ctx->prev_sap) {\n\t\t\t\t\tsap = GF_FILTER_SAP_1;\n\t\t\t\t\tctx->prev_sap = GF_TRUE;\n\t\t\t\t} else {\n\t\t\t\t\tsap = GF_FILTER_SAP_NONE;\n\t\t\t\t\tctx->prev_sap = GF_FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t\tgf_filter_pck_set_sap(dst_pck, sap);\n\n\t\t\tgf_filter_pck_send(dst_pck);\n\t\t}\n\t\tlatm_dmx_update_cts(ctx);\n\n\t\tif (prev_pck_size) {\n\t\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\t\tif (prev_pck_size<=pos) {\n\t\t\t\tprev_pck_size=0;\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = pck;\n\t\t\t\tif (pck)\n\t\t\t\t\tgf_filter_pck_ref_props(&ctx->src_pck);\n\t\t\t}\n\t\t}\n\t}\n\n\tif (pck) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tassert(ctx->latm_buffer_size >= pos);\n\t\tmemmove(ctx->latm_buffer, ctx->latm_buffer+pos, ctx->latm_buffer_size - pos);\n\t\tctx->latm_buffer_size -= 
pos;\n\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t\tassert(!ctx->resume_from);\n\t} else {\n\t\tctx->latm_buffer_size = 0;\n\t\treturn latm_dmx_process(filter);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 129393460693122238437209841613363417813, "size": 138, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 1, "dataset": "other", "idx": 198278 }, { "func": "GF_Err latm_dmx_process(GF_Filter *filter)\n{\n\tGF_LATMDmxCtx *ctx = gf_filter_get_udta(filter);\n\tGF_FilterPacket *pck, *dst_pck;\n\tu32 pos;\n\tu8 *data=NULL, *output;\n\tu32 pck_size=0, prev_pck_size;\n\tu64 cts = GF_FILTER_NO_TS;\n\n\tif (ctx->in_error)\n\t\treturn ctx->in_error;\n\n\t//always reparse duration\n\tif (!ctx->duration.num)\n\t\tlatm_dmx_check_dur(filter, ctx);\n\n\tif (ctx->opid && !ctx->is_playing)\n\t\treturn GF_OK;\n\n\tpck = gf_filter_pid_get_packet(ctx->ipid);\n\tif (!pck) {\n\t\tif (gf_filter_pid_is_eos(ctx->ipid)) {\n\t\t\tif (!ctx->latm_buffer_size) {\n\t\t\t\tif (ctx->opid)\n\t\t\t\t\tgf_filter_pid_set_eos(ctx->opid);\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = NULL;\n\t\t\t\treturn GF_EOS;\n\t\t\t}\n\t\t} else {\n\t\t\treturn GF_OK;\n\t\t}\n\t} else {\n\t\tdata = (char *) gf_filter_pck_get_data(pck, &pck_size);\n\t}\n\n\t//input pid sets some timescale - we flushed pending data , update cts\n\tif (ctx->timescale && pck) {\n\t\tcts = gf_filter_pck_get_cts(pck);\n\t}\n\n\tprev_pck_size = ctx->latm_buffer_size;\n\n\tif (pck && !ctx->resume_from) {\n\t\tif (ctx->latm_buffer_size + pck_size > ctx->latm_buffer_alloc) {\n\t\t\tctx->latm_buffer_alloc = ctx->latm_buffer_size + pck_size;\n\t\t\tctx->latm_buffer = gf_realloc(ctx->latm_buffer, ctx->latm_buffer_alloc);\n\t\t}\n\t\tmemcpy(ctx->latm_buffer + ctx->latm_buffer_size, data, pck_size);\n\t\tctx->latm_buffer_size += pck_size;\n\t}\n\n\tif (!ctx->bs) ctx->bs = gf_bs_new(ctx->latm_buffer, ctx->latm_buffer_size, GF_BITSTREAM_READ);\n\telse 
gf_bs_reassign_buffer(ctx->bs, ctx->latm_buffer, ctx->latm_buffer_size);\n\n\tif (ctx->resume_from) {\n\t\tgf_bs_seek(ctx->bs, ctx->resume_from-1);\n\t\tctx->resume_from = 0;\n\t}\n\n\tif (cts == GF_FILTER_NO_TS)\n\t\tprev_pck_size = 0;\n\n\n\twhile (1) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tu8 latm_buffer[4096];\n\t\tu32 latm_frame_size = 4096;\n\t\tif (!latm_dmx_sync_frame_bs(ctx->bs,&ctx->acfg, &latm_frame_size, latm_buffer, NULL)) break;\n\n\t\tif (ctx->in_seek) {\n\t\t\tu64 nb_samples_at_seek = (u64) (ctx->start_range * GF_M4ASampleRates[ctx->sr_idx]);\n\t\t\tif (ctx->cts + ctx->dts_inc >= nb_samples_at_seek) {\n\t\t\t\t//u32 samples_to_discard = (ctx->cts + ctx->dts_inc) - nb_samples_at_seek;\n\t\t\t\tctx->in_seek = GF_FALSE;\n\t\t\t}\n\t\t}\n\n\t\tlatm_dmx_check_pid(filter, ctx);\n\n\t\tif (!ctx->is_playing) {\n\t\t\tctx->resume_from = pos+1;\n\t\t\treturn GF_OK;\n\t\t}\n\n\t\tif (!ctx->in_seek) {\n\t\t\tGF_FilterSAPType sap = GF_FILTER_SAP_1;\n\n\t\t\tdst_pck = gf_filter_pck_new_alloc(ctx->opid, latm_frame_size, &output);\n\t\t\tif (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, dst_pck);\n\n\t\t\tmemcpy(output, latm_buffer, latm_frame_size);\n\n\t\t\tgf_filter_pck_set_cts(dst_pck, ctx->cts);\n\t\t\tgf_filter_pck_set_duration(dst_pck, ctx->dts_inc);\n\t\t\tgf_filter_pck_set_framing(dst_pck, GF_TRUE, GF_TRUE);\n\n\t\t\t/*xHE-AAC, check RAP*/\n\t\t\tif (ctx->acfg.base_object_type==GF_CODECID_USAC) {\n\t\t\t\tif (latm_frame_size && (output[0] & 0x80) && !ctx->prev_sap) {\n\t\t\t\t\tsap = GF_FILTER_SAP_1;\n\t\t\t\t\tctx->prev_sap = GF_TRUE;\n\t\t\t\t} else {\n\t\t\t\t\tsap = GF_FILTER_SAP_NONE;\n\t\t\t\t\tctx->prev_sap = GF_FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t\tgf_filter_pck_set_sap(dst_pck, sap);\n\n\t\t\tgf_filter_pck_send(dst_pck);\n\t\t}\n\t\tlatm_dmx_update_cts(ctx);\n\n\t\tif (prev_pck_size) {\n\t\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\t\tif (prev_pck_size<=pos) {\n\t\t\t\tprev_pck_size=0;\n\t\t\t\tif (ctx->src_pck) 
gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = pck;\n\t\t\t\tif (pck)\n\t\t\t\t\tgf_filter_pck_ref_props(&ctx->src_pck);\n\t\t\t}\n\t\t}\n\t}\n\n\tif (pck) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tassert(ctx->latm_buffer_size >= pos);\n\t\tmemmove(ctx->latm_buffer, ctx->latm_buffer+pos, ctx->latm_buffer_size - pos);\n\t\tctx->latm_buffer_size -= pos;\n\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t\tassert(!ctx->resume_from);\n\t} else {\n\t\tctx->latm_buffer_size = 0;\n\t\treturn latm_dmx_process(filter);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 10482263121380563115286320698149929915, "size": 138, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271474 }, { "func": "static Bool latm_dmx_sync_frame_bs(GF_BitStream *bs, GF_M4ADecSpecInfo *acfg, u32 *nb_bytes, u8 *buffer, u32 *nb_skipped)\n{\n\tu32 val, size;\n\tu64 pos, mux_size;\n\tif (nb_skipped) *nb_skipped = 0;\n\tif (!acfg) return 0;\n\n\twhile (gf_bs_available(bs)>3) {\n\t\tval = gf_bs_read_u8(bs);\n\t\tif (val!=0x56) {\n\t\t\tif (nb_skipped) (*nb_skipped) ++;\n\t\t\tcontinue;\n\t\t}\n\t\tval = gf_bs_read_int(bs, 3);\n\t\tif (val != 0x07) {\n\t\t\tgf_bs_read_int(bs, 5);\n\t\t\tif (nb_skipped) (*nb_skipped) ++;\n\t\t\tcontinue;\n\t\t}\n\t\tmux_size = gf_bs_read_int(bs, 13);\n\t\tpos = gf_bs_get_position(bs);\n\t\tif (mux_size>gf_bs_available(bs) ) {\n\t\t\tgf_bs_seek(bs, pos-3);\n\t\t\treturn GF_FALSE;\n\t\t}\n\n\t\t/*use same stream mux*/\n\t\tif (!gf_bs_read_int(bs, 1)) {\n\t\t\tBool amux_version, amux_versionA;\n\n\t\t\tamux_version = (Bool)gf_bs_read_int(bs, 1);\n\t\t\tamux_versionA = GF_FALSE;\n\t\t\tif (amux_version) amux_versionA = (Bool)gf_bs_read_int(bs, 1);\n\t\t\tif (!amux_versionA) {\n\t\t\t\tu32 i, allStreamsSameTimeFraming, numProgram;\n\t\t\t\tif (amux_version) gf_latm_get_value(bs);\n\n\t\t\t\tallStreamsSameTimeFraming = gf_bs_read_int(bs, 1);\n\t\t\t\t/*numSubFrames = 
*/gf_bs_read_int(bs, 6);\n\t\t\t\tnumProgram = gf_bs_read_int(bs, 4);\n\t\t\t\tfor (i=0; i<=numProgram; i++) {\n\t\t\t\t\tu32 j, num_lay;\n\t\t\t\t\tnum_lay = gf_bs_read_int(bs, 3);\n\t\t\t\t\tfor (j=0; j<=num_lay; j++) {\n\t\t\t\t\t\tu32 frameLengthType;\n\t\t\t\t\t\tBool same_cfg = GF_FALSE;\n\t\t\t\t\t\tif (i || j) same_cfg = (Bool)gf_bs_read_int(bs, 1);\n\n\t\t\t\t\t\tif (!same_cfg) {\n\t\t\t\t\t\t\tif (amux_version==1) gf_latm_get_value(bs);\n\t\t\t\t\t\t\tgf_m4a_parse_config(bs, acfg, GF_FALSE);\n\t\t\t\t\t\t}\n\t\t\t\t\t\tframeLengthType = gf_bs_read_int(bs, 3);\n\t\t\t\t\t\tif (!frameLengthType) {\n\t\t\t\t\t\t\t/*latmBufferFullness = */gf_bs_read_int(bs, 8);\n\t\t\t\t\t\t\tif (!allStreamsSameTimeFraming) {\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t/*not supported*/\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t}\n\t\t\t\t/*other data present*/\n\t\t\t\tif (gf_bs_read_int(bs, 1)) {\n//\t\t\t\t\tu32 k = 0;\n\t\t\t\t}\n\t\t\t\t/*CRCcheck present*/\n\t\t\t\tif (gf_bs_read_int(bs, 1)) {\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tsize = 0;\n\t\twhile (1) {\n\t\t\tu32 tmp = gf_bs_read_int(bs, 8);\n\t\t\tsize += tmp;\n\t\t\tif (tmp!=255) break;\n\t\t}\n\t\tif (gf_bs_available(bs) < size) {\n\t\t\tgf_bs_seek(bs, pos-3);\n\t\t\treturn GF_FALSE;\n\t\t}\n\n\t\tif (nb_bytes) {\n\t\t\t*nb_bytes = (u32) size;\n\t\t}\n\n\t\tif (buffer) {\n\t\t\tgf_bs_read_data(bs, (char *) buffer, size);\n\t\t} else {\n\t\t\twhile (size) {\n\t\t\t\tgf_bs_read_int(bs, 8);\n\t\t\t\tsize--;\n\t\t\t}\n\t\t}\n\n\t\t/*parse amux*/\n\t\tgf_bs_seek(bs, pos + mux_size);\n\n\t\tif ((gf_bs_available(bs)>2) && gf_bs_peek_bits(bs, 11, 0) != 0x2B7) {\n\t\t\tgf_bs_seek(bs, pos + 1);\n\t\t\tif (nb_skipped) (*nb_skipped) ++;\n\t\t\tcontinue;\n\t\t}\n\n\t\treturn GF_TRUE;\n\t}\n\treturn GF_FALSE;\n}", "project": "gpac", "hash": 156960673027032244624743319408540723268, "size": 110, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271470 } 
] }, { "call_depth": 3, "longest_call_chain": [ "mariadb_get_info", "mariadb_get_infov", "mariadb_get_socket" ], "group_size": 9, "functions": [ { "func": "my_bool STDCALL mariadb_get_info(MYSQL *mysql, enum mariadb_value value, void *arg)\n{\n return mariadb_get_infov(mysql, value, arg);\n}", "project": "mariadb-connector-c", "hash": 260222517558586894785283733852562791600, "size": 4, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429729 }, { "func": "mysql_get_socket(MYSQL *mysql)\n{\n return mariadb_get_socket(mysql);\n}", "project": "mariadb-connector-c", "hash": 72239553276577952597504120876756915746, "size": 4, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429694 }, { "func": "static my_socket mariadb_get_socket(MYSQL *mysql)\n{\n my_socket sock= INVALID_SOCKET;\n if (mysql->net.pvio)\n {\n ma_pvio_get_handle(mysql->net.pvio, &sock);\n\n }\n /* if an asynchronous connect is in progress, we need to obtain\n pvio handle from async_context until the connection was\n successfully established.\n */\n else if (mysql->options.extension && mysql->options.extension->async_context &&\n mysql->options.extension->async_context->pvio)\n {\n ma_pvio_get_handle(mysql->options.extension->async_context->pvio, &sock);\n }\n return sock;\n}", "project": "mariadb-connector-c", "hash": 315036384148822492369287916293424404609, "size": 19, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429745 }, { "func": "my_bool STDCALL mariadb_connection(MYSQL *mysql)\n{\n return 
(strstr(mysql->server_version, \"MariaDB\") ||\n strstr(mysql->server_version, \"-maria-\"));\n}", "project": "mariadb-connector-c", "hash": 115443252438559440682462900203206671459, "size": 5, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429713 }, { "func": "my_bool mariadb_get_infov(MYSQL *mysql, enum mariadb_value value, void *arg, ...)\n{\n va_list ap;\n\n va_start(ap, arg);\n\n switch(value) {\n case MARIADB_MAX_ALLOWED_PACKET:\n *((size_t *)arg)= (size_t)max_allowed_packet;\n break;\n case MARIADB_NET_BUFFER_LENGTH:\n *((size_t *)arg)= (size_t)net_buffer_length;\n break;\n case MARIADB_CONNECTION_ERROR_ID:\n if (!mysql)\n goto error;\n *((unsigned int *)arg)= mysql->net.last_errno;\n break;\n case MARIADB_CONNECTION_ERROR:\n if (!mysql)\n goto error;\n *((char **)arg)= mysql->net.last_error;\n break;\n case MARIADB_CONNECTION_SQLSTATE:\n if (!mysql)\n goto error;\n *((char **)arg)= mysql->net.sqlstate;\n break;\n case MARIADB_CONNECTION_TLS_VERSION:\n #ifdef HAVE_TLS\n if (mysql && mysql->net.pvio && mysql->net.pvio->ctls)\n *((char **)arg)= (char *)ma_pvio_tls_get_protocol_version(mysql->net.pvio->ctls);\n else\n #endif\n goto error;\n break;\n case MARIADB_CONNECTION_TLS_VERSION_ID:\n #ifdef HAVE_TLS\n if (mysql && mysql->net.pvio && mysql->net.pvio->ctls)\n *((unsigned int *)arg)= ma_pvio_tls_get_protocol_version_id(mysql->net.pvio->ctls);\n else\n #endif\n goto error;\n break;\n case MARIADB_TLS_LIBRARY:\n#ifdef HAVE_TLS\n *((const char **)arg)= tls_library_version;\n#else\n *((const char **)arg)= \"Off\";\n#endif\n break;\n case MARIADB_CLIENT_VERSION:\n *((const char **)arg)= MARIADB_CLIENT_VERSION_STR;\n break;\n case MARIADB_CLIENT_VERSION_ID:\n *((size_t *)arg)= MARIADB_VERSION_ID;\n break;\n case MARIADB_CONNECTION_SERVER_VERSION:\n if (mysql)\n *((char **)arg)= 
mysql->server_version;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SERVER_TYPE:\n if (mysql)\n *((const char **)arg)= mariadb_connection(mysql) ? \"MariaDB\" : \"MySQL\";\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SERVER_VERSION_ID:\n if (mysql)\n *((size_t *)arg)= mariadb_server_version_id(mysql);\n else\n goto error;\n break;\n case MARIADB_CONNECTION_PROTOCOL_VERSION_ID:\n if (mysql)\n *((unsigned int *)arg)= mysql->protocol_version;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_MARIADB_CHARSET_INFO:\n if (mysql)\n mariadb_get_charset_info(mysql, (MY_CHARSET_INFO *)arg);\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SOCKET:\n if (mysql)\n *((my_socket *)arg)= mariadb_get_socket(mysql);\n else\n goto error;\n break;\n case MARIADB_CONNECTION_TYPE:\n if (mysql && mysql->net.pvio)\n *((int *)arg)= (int)mysql->net.pvio->type;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_ASYNC_TIMEOUT_MS:\n if (mysql && mysql->options.extension && mysql->options.extension->async_context)\n *((unsigned int *)arg)= mysql->options.extension->async_context->timeout_value;\n break;\n case MARIADB_CONNECTION_ASYNC_TIMEOUT:\n if (mysql && mysql->options.extension && mysql->options.extension->async_context)\n {\n unsigned int timeout= mysql->options.extension->async_context->timeout_value;\n if (timeout > UINT_MAX - 999)\n *((unsigned int *)arg)= (timeout - 1)/1000 + 1;\n else\n *((unsigned int *)arg)= (timeout+999)/1000;\n }\n break;\n case MARIADB_CHARSET_NAME:\n {\n char *name;\n name= va_arg(ap, char *);\n if (name)\n *((MARIADB_CHARSET_INFO **)arg)= (MARIADB_CHARSET_INFO *)mysql_find_charset_name(name);\n else\n goto error;\n }\n break;\n case MARIADB_CHARSET_ID:\n {\n unsigned int nr;\n nr= va_arg(ap, unsigned int);\n *((MARIADB_CHARSET_INFO **)arg)= (MARIADB_CHARSET_INFO *)mysql_find_charset_nr(nr);\n }\n break;\n case MARIADB_CONNECTION_SSL_CIPHER:\n #ifdef HAVE_TLS\n if (mysql && mysql->net.pvio && mysql->net.pvio->ctls)\n 
*((char **)arg)= (char *)ma_pvio_tls_cipher(mysql->net.pvio->ctls);\n else\n #endif\n goto error;\n break;\n case MARIADB_CLIENT_ERRORS:\n *((char ***)arg)= (char **)client_errors;\n break;\n case MARIADB_CONNECTION_INFO:\n if (mysql)\n *((char **)arg)= (char *)mysql->info;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_PVIO_TYPE:\n if (mysql && mysql->net.pvio)\n *((unsigned int *)arg)= (unsigned int)mysql->net.pvio->type;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SCHEMA:\n if (mysql)\n *((char **)arg)= mysql->db;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_USER:\n if (mysql)\n *((char **)arg)= mysql->user;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_PORT:\n if (mysql)\n *((unsigned int *)arg)= mysql->port;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_UNIX_SOCKET:\n if (mysql)\n *((char **)arg)= mysql->unix_socket;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_HOST:\n if (mysql)\n *((char **)arg)= mysql->host;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SERVER_STATUS:\n if (mysql)\n *((unsigned int *)arg)= mysql->server_status;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SERVER_CAPABILITIES:\n if (mysql)\n *((unsigned long *)arg)= mysql->server_capabilities;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_EXTENDED_SERVER_CAPABILITIES:\n if (mysql)\n *((unsigned long *)arg)= mysql->extension->mariadb_server_capabilities;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_CLIENT_CAPABILITIES:\n if (mysql)\n *((unsigned long *)arg)= mysql->client_flag;\n else\n goto error;\n break;\n default:\n va_end(ap);\n return(-1);\n }\n va_end(ap);\n return(0);\nerror:\n va_end(ap);\n return(-1);\n}", "project": "mariadb-connector-c", "hash": 169671727087038349126198218159280624326, "size": 217, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", 
"target": 0, "dataset": "other", "idx": 429678 }, { "func": "void STDCALL mysql_get_character_set_info(MYSQL *mysql, MY_CHARSET_INFO *cs)\n{\n mariadb_get_charset_info(mysql, cs);\n}", "project": "mariadb-connector-c", "hash": 217164025069153547830281264000695896647, "size": 4, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429705 }, { "func": "unsigned long STDCALL mysql_get_server_version(MYSQL *mysql)\n{\n return (unsigned long)mariadb_server_version_id(mysql);\n}", "project": "mariadb-connector-c", "hash": 122711105199939788046945873828848009668, "size": 4, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429708 }, { "func": "static void mariadb_get_charset_info(MYSQL *mysql, MY_CHARSET_INFO *cs)\n{\n if (!cs)\n return;\n\n cs->number= mysql->charset->nr;\n cs->csname= mysql->charset->csname;\n cs->name= mysql->charset->name;\n cs->state= 0;\n cs->comment= NULL;\n cs->dir= NULL;\n cs->mbminlen= mysql->charset->char_minlen;\n cs->mbmaxlen= mysql->charset->char_maxlen;\n\n return;\n}", "project": "mariadb-connector-c", "hash": 234853578981854839530463108815494608239, "size": 16, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429695 }, { "func": "static size_t mariadb_server_version_id(MYSQL *mysql)\n{\n size_t major, minor, patch;\n char *p;\n\n if (!(p = mysql->server_version)) {\n return 0;\n }\n\n major = strtol(p, &p, 10);\n p += 1; /* consume the dot */\n minor = strtol(p, &p, 10);\n p += 1; /* consume the dot */\n patch = strtol(p, &p, 10);\n\n 
return (major * 10000L + (unsigned long)(minor * 100L + patch));\n}", "project": "mariadb-connector-c", "hash": 313301315730600233929478529358826963028, "size": 17, "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945", "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security", "target": 0, "dataset": "other", "idx": 429739 } ] }, { "call_depth": 2, "longest_call_chain": [ "do_migrate_pages", "migrate_to_node" ], "group_size": 3, "functions": [ { "func": "static int migrate_to_node(struct mm_struct *mm, int source, int dest,\n\t\t\t int flags)\n{\n\tnodemask_t nmask;\n\tLIST_HEAD(pagelist);\n\tint err = 0;\n\n\tnodes_clear(nmask);\n\tnode_set(source, nmask);\n\n\t/*\n\t * This does not \"check\" the range but isolates all pages that\n\t * need migration. Between passing in the full user address\n\t * space range and MPOL_MF_DISCONTIG_OK, this call can not fail.\n\t */\n\tVM_BUG_ON(!(flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)));\n\tqueue_pages_range(mm, mm->mmap->vm_start, mm->task_size, &nmask,\n\t\t\tflags | MPOL_MF_DISCONTIG_OK, &pagelist);\n\n\tif (!list_empty(&pagelist)) {\n\t\terr = migrate_pages(&pagelist, alloc_new_node_page, NULL, dest,\n\t\t\t\t\tMIGRATE_SYNC, MR_SYSCALL);\n\t\tif (err)\n\t\t\tputback_movable_pages(&pagelist);\n\t}\n\n\treturn err;\n}", "project": "linux", "hash": 57431817655390405182321098741681023041, "size": 28, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366784 }, { "func": "int do_migrate_pages(struct mm_struct *mm, const nodemask_t *from,\n\t\t const nodemask_t *to, int flags)\n{\n\treturn -ENOSYS;\n}", "project": "linux", "hash": 144231077392164082153551800114564616857, "size": 5, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366736 }, { "func": "int do_migrate_pages(struct mm_struct *mm, const nodemask_t *from,\n\t\t const nodemask_t *to, int flags)\n{\n\tint busy = 0;\n\tint err;\n\tnodemask_t tmp;\n\n\terr = migrate_prep();\n\tif (err)\n\t\treturn err;\n\n\tdown_read(&mm->mmap_sem);\n\n\t/*\n\t * Find a 'source' bit set in 'tmp' whose corresponding 'dest'\n\t * bit in 'to' is not also set in 'tmp'. Clear the found 'source'\n\t * bit in 'tmp', and return that pair for migration.\n\t * The pair of nodemasks 'to' and 'from' define the map.\n\t *\n\t * If no pair of bits is found that way, fallback to picking some\n\t * pair of 'source' and 'dest' bits that are not the same. 
If the\n\t * 'source' and 'dest' bits are the same, this represents a node\n\t * that will be migrating to itself, so no pages need move.\n\t *\n\t * If no bits are left in 'tmp', or if all remaining bits left\n\t * in 'tmp' correspond to the same bit in 'to', return false\n\t * (nothing left to migrate).\n\t *\n\t * This lets us pick a pair of nodes to migrate between, such that\n\t * if possible the dest node is not already occupied by some other\n\t * source node, minimizing the risk of overloading the memory on a\n\t * node that would happen if we migrated incoming memory to a node\n\t * before migrating outgoing memory source that same node.\n\t *\n\t * A single scan of tmp is sufficient. As we go, we remember the\n\t * most recent pair that moved (s != d). If we find a pair\n\t * that not only moved, but what's better, moved to an empty slot\n\t * (d is not set in tmp), then we break out then, with that pair.\n\t * Otherwise when we finish scanning from_tmp, we at least have the\n\t * most recent pair that moved. If we get all the way through\n\t * the scan of tmp without finding any node that moved, much less\n\t * moved to an empty node, then there is nothing left worth migrating.\n\t */\n\n\ttmp = *from;\n\twhile (!nodes_empty(tmp)) {\n\t\tint s,d;\n\t\tint source = NUMA_NO_NODE;\n\t\tint dest = 0;\n\n\t\tfor_each_node_mask(s, tmp) {\n\n\t\t\t/*\n\t\t\t * do_migrate_pages() tries to maintain the relative\n\t\t\t * node relationship of the pages established between\n\t\t\t * threads and memory areas.\n *\n\t\t\t * However if the number of source nodes is not equal to\n\t\t\t * the number of destination nodes we can not preserve\n\t\t\t * this node relative relationship. 
In that case, skip\n\t\t\t * copying memory from a node that is in the destination\n\t\t\t * mask.\n\t\t\t *\n\t\t\t * Example: [2,3,4] -> [3,4,5] moves everything.\n\t\t\t * [0-7] - > [3,4,5] moves only 0,1,2,6,7.\n\t\t\t */\n\n\t\t\tif ((nodes_weight(*from) != nodes_weight(*to)) &&\n\t\t\t\t\t\t(node_isset(s, *to)))\n\t\t\t\tcontinue;\n\n\t\t\td = node_remap(s, *from, *to);\n\t\t\tif (s == d)\n\t\t\t\tcontinue;\n\n\t\t\tsource = s;\t/* Node moved. Memorize */\n\t\t\tdest = d;\n\n\t\t\t/* dest not in remaining from nodes? */\n\t\t\tif (!node_isset(dest, tmp))\n\t\t\t\tbreak;\n\t\t}\n\t\tif (source == NUMA_NO_NODE)\n\t\t\tbreak;\n\n\t\tnode_clear(source, tmp);\n\t\terr = migrate_to_node(mm, source, dest, flags);\n\t\tif (err > 0)\n\t\t\tbusy += err;\n\t\tif (err < 0)\n\t\t\tbreak;\n\t}\n\tup_read(&mm->mmap_sem);\n\tif (err < 0)\n\t\treturn err;\n\treturn busy;\n\n}", "project": "linux", "hash": 34555350525968629378338002509289543925, "size": 98, "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". 
However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap \nSigned-off-by: Andrew Morton \nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn \nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 366755 } ] }, { "call_depth": 2, "longest_call_chain": [ "rawsock_release", "nfc_sock_unlink" ], "group_size": 2, "functions": [ { "func": "static int rawsock_release(struct socket *sock)\n{\n\tstruct sock *sk = sock->sk;\n\n\tpr_debug(\"sock=%p sk=%p\\n\", sock, sk);\n\n\tif (!sk)\n\t\treturn 0;\n\n\tif (sock->type == SOCK_RAW)\n\t\tnfc_sock_unlink(&raw_sk_list, sk);\n\n\tsock_orphan(sk);\n\tsock_put(sk);\n\n\treturn 0;\n}", "project": "linux", "hash": 229886445869372015577038901647377189013, "size": 17, "commit_id": "26896f01467a28651f7a536143fe5ac8449d4041", "message": "net/nfc/rawsock.c: add CAP_NET_RAW check.\n\nWhen creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.\n\nSigned-off-by: Qingyu Li \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 319218 }, { "func": "static void nfc_sock_unlink(struct nfc_sock_list *l, struct sock *sk)\n{\n\twrite_lock(&l->lock);\n\tsk_del_node_init(sk);\n\twrite_unlock(&l->lock);\n}", "project": "linux", "hash": 30489459246821751512855792025173971400, "size": 6, "commit_id": "26896f01467a28651f7a536143fe5ac8449d4041", "message": "net/nfc/rawsock.c: add CAP_NET_RAW check.\n\nWhen creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.\n\nSigned-off-by: Qingyu Li \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 319214 } ] }, { "call_depth": 2, "longest_call_chain": [ "mt_event", "mt_touch_event" ], "group_size": 2, "functions": [ { "func": "static int mt_touch_event(struct hid_device *hid, struct hid_field *field,\n\t\t\t\tstruct hid_usage *usage, __s32 value)\n{\n\t/* we will handle the hidinput part later, now remains hiddev */\n\tif (hid->claimed & HID_CLAIMED_HIDDEV && hid->hiddev_hid_event)\n\t\thid->hiddev_hid_event(hid, field, usage, value);\n\n\treturn 1;\n}", "project": "linux", "hash": 227116154465513790452947489814597359482, "size": 9, "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458341 }, { "func": "static int mt_event(struct hid_device *hid, struct hid_field *field,\n\t\t\t\tstruct hid_usage *usage, __s32 value)\n{\n\tstruct mt_device *td = hid_get_drvdata(hid);\n\tstruct mt_report_data *rdata;\n\n\trdata = mt_find_report_data(td, field->report);\n\tif (rdata && rdata->is_mt_collection)\n\t\treturn mt_touch_event(hid, field, usage, value);\n\n\treturn 0;\n}", "project": "linux", "hash": 287382281141959264594709041897656794231, "size": 12, "commit_id": 
"35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier \nSigned-off-by: Benjamin Tissoires ", "target": 0, "dataset": "other", "idx": 458360 } ] }, { "call_depth": 4, "longest_call_chain": [ "process_update", "validate_esl_list", "get_esl_cert", "get_esl_signature_list" ], "group_size": 15, "functions": [ { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "int check_timestamp(const char *key, const struct efi_time *timestamp,\n\t\t char *last_timestamp)\n{\n\tstruct efi_time *prev;\n\tuint64_t new;\n\tuint64_t last;\n\n\tprev = get_last_timestamp(key, last_timestamp);\n\tif (prev == NULL)\n\t\treturn OPAL_INTERNAL_ERROR;\n\n\tprlog(PR_DEBUG, \"timestamp year is %d month %d day %d\\n\",\n\t\t\tle16_to_cpu(timestamp->year), timestamp->month,\n\t\t\ttimestamp->day);\n\tprlog(PR_DEBUG, \"prev year is %d month %d day %d\\n\",\n\t\t\tle16_to_cpu(prev->year), prev->month, prev->day);\n\n\tnew = unpack_timestamp(timestamp);\n\tlast = unpack_timestamp(prev);\n\n\tif (new > last)\n\t\treturn OPAL_SUCCESS;\n\n\treturn OPAL_PERMISSION;\n}", "idx": 521655, "cwe": "CWE-681", "hash": 71734921946669776012689805880040557221, "dataset": "other" }, { "project": "skiboot", 
"commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static int verify_signature(const struct efi_variable_authentication_2 *auth,\n\t\t\t const char *newcert, const size_t new_data_size,\n\t\t\t const struct secvar *avar)\n{\n\tmbedtls_pkcs7 *pkcs7 = NULL;\n\tmbedtls_x509_crt x509;\n\tchar *signing_cert = NULL;\n\tchar *x509_buf = NULL;\n\tint signing_cert_size;\n\tint rc = 0;\n\tchar *errbuf;\n\tint eslvarsize;\n\tint eslsize;\n\tint offset = 0;\n\n\tif (!auth)\n\t\treturn OPAL_PARAMETER;\n\n\t/* Extract the pkcs7 from the auth structure */\n\tpkcs7 = get_pkcs7(auth);\n\t/* Failure to parse pkcs7 implies bad input. */\n\tif (!pkcs7)\n\t\treturn OPAL_PARAMETER;\n\n\tprlog(PR_INFO, \"Load the signing certificate from the keystore\");\n\n\teslvarsize = avar->data_size;\n\n\t/* Variable is not empty */\n\twhile (eslvarsize > 0) {\n\t\tprlog(PR_DEBUG, \"esl var size size is %d offset is %d\\n\", eslvarsize, offset);\n\t\tif (eslvarsize < sizeof(EFI_SIGNATURE_LIST))\n\t\t\tbreak;\n\n\t\t/* Calculate the size of the ESL */\n\t\teslsize = get_esl_signature_list_size(avar->data + offset,\n\t\t\t\t\t\t eslvarsize);\n\t\t/* If could not extract the size */\n\t\tif (eslsize <= 0) {\n\t\t\trc = OPAL_PARAMETER;\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Extract the certificate from the ESL */\n\t\tsigning_cert_size = get_esl_cert(avar->data + offset,\n\t\t\t\t\t\t eslvarsize, &signing_cert);\n\t\tif (signing_cert_size < 0) {\n\t\t\trc = signing_cert_size;\n\t\t\tbreak;\n\t\t}\n\n\t\tmbedtls_x509_crt_init(&x509);\n\t\trc = mbedtls_x509_crt_parse(&x509,\n\t\t\t\t\t signing_cert,\n\t\t\t\t\t signing_cert_size);\n\n\t\t/* This should not happen, unless something corrupted in PNOR */\n\t\tif(rc) {\n\t\t\tprlog(PR_ERR, \"X509 certificate parsing failed %04x\\n\", rc);\n\t\t\trc = OPAL_INTERNAL_ERROR;\n\t\t\tbreak;\n\t\t}\n\n\t\tx509_buf = zalloc(CERT_BUFFER_SIZE);\n\t\trc = mbedtls_x509_crt_info(x509_buf,\n\t\t\t\t\t CERT_BUFFER_SIZE,\n\t\t\t\t\t \"CRT:\",\n\t\t\t\t\t 
&x509);\n\n\t\t/* This should not happen, unless something corrupted in PNOR */\n\t\tif (rc < 0) {\n\t\t\tfree(x509_buf);\n\t\t\trc = OPAL_INTERNAL_ERROR;\n\t\t\tbreak;\n\t\t}\n\n\t\tprlog(PR_INFO, \"%s \\n\", x509_buf);\n\t\tfree(x509_buf);\n\t\tx509_buf = NULL;\n\n\t\trc = mbedtls_pkcs7_signed_hash_verify(pkcs7, &x509, newcert, new_data_size);\n\n\t\t/* If you find a signing certificate, you are done */\n\t\tif (rc == 0) {\n\t\t\tprlog(PR_INFO, \"Signature Verification passed\\n\");\n\t\t\tmbedtls_x509_crt_free(&x509);\n\t\t\tbreak;\n\t\t} else {\n\t\t\terrbuf = zalloc(MBEDTLS_ERR_BUFFER_SIZE);\n\t\t\tmbedtls_strerror(rc, errbuf, MBEDTLS_ERR_BUFFER_SIZE);\n\t\t\tprlog(PR_ERR, \"Signature Verification failed %02x %s\\n\",\n\t\t\t\t\trc, errbuf);\n\t\t\tfree(errbuf);\n\t\t\trc = OPAL_PERMISSION;\n\t\t}\n\n\n\t\t/* Look for the next ESL */\n\t\toffset = offset + eslsize;\n\t\teslvarsize = eslvarsize - eslsize;\n\t\tmbedtls_x509_crt_free(&x509);\n\t\tfree(signing_cert);\n\t\t/* Since we are going to allocate again in the next iteration */\n\t\tsigning_cert = NULL;\n\n\t}\n\n\tfree(signing_cert);\n\tmbedtls_pkcs7_free(pkcs7);\n\tfree(pkcs7);\n\n\treturn rc;\n}", "idx": 521654, "cwe": "CWE-681", "hash": 169175420840573290317758226120475277153, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "int process_update(const struct secvar *update, char **newesl,\n\t\t int *new_data_size, struct efi_time *timestamp,\n\t\t struct list_head *bank, char *last_timestamp)\n{\n\tstruct efi_variable_authentication_2 *auth = NULL;\n\tvoid *auth_buffer = NULL;\n\tint auth_buffer_size = 0;\n\tconst char *key_authority[3];\n\tchar *tbhbuffer = NULL;\n\tsize_t tbhbuffersize = 0;\n\tstruct secvar *avar = NULL;\n\tint rc = 0;\n\tint i;\n\n\t/* We need to split data into authentication descriptor and new ESL */\n\tauth_buffer_size = 
get_auth_descriptor2(update->data,\n\t\t\t\t\t\tupdate->data_size,\n\t\t\t\t\t\t&auth_buffer);\n\tif ((auth_buffer_size < 0)\n\t || (update->data_size < auth_buffer_size)) {\n\t\tprlog(PR_ERR, \"Invalid auth buffer size\\n\");\n\t\trc = auth_buffer_size;\n\t\tgoto out;\n\t}\n\n\tauth = auth_buffer;\n\n\tif (!timestamp) {\n\t\trc = OPAL_INTERNAL_ERROR;\n\t\tgoto out;\n\t}\n\n\tmemcpy(timestamp, auth_buffer, sizeof(struct efi_time));\n\n\trc = check_timestamp(update->key, timestamp, last_timestamp);\n\t/* Failure implies probably an older command being resubmitted */\n\tif (rc != OPAL_SUCCESS) {\n\t\tprlog(PR_ERR, \"Timestamp verification failed for key %s\\n\", update->key);\n\t\tgoto out;\n\t}\n\n\t/* Calculate the size of new ESL data */\n\t*new_data_size = update->data_size - auth_buffer_size;\n\tif (*new_data_size < 0) {\n\t\tprlog(PR_ERR, \"Invalid new ESL (new data content) size\\n\");\n\t\trc = OPAL_PARAMETER;\n\t\tgoto out;\n\t}\n\t*newesl = zalloc(*new_data_size);\n\tif (!(*newesl)) {\n\t\trc = OPAL_NO_MEM;\n\t\tgoto out;\n\t}\n\tmemcpy(*newesl, update->data + auth_buffer_size, *new_data_size);\n\n\t/* Validate the new ESL is in right format */\n\trc = validate_esl_list(update->key, *newesl, *new_data_size);\n\tif (rc < 0) {\n\t\tprlog(PR_ERR, \"ESL validation failed for key %s with error %04x\\n\",\n\t\t update->key, rc);\n\t\tgoto out;\n\t}\n\n\tif (setup_mode) {\n\t\trc = OPAL_SUCCESS;\n\t\tgoto out;\n\t}\n\n\t/* Prepare the data to be verified */\n\ttbhbuffer = get_hash_to_verify(update->key, *newesl, *new_data_size,\n\t\t\t\ttimestamp);\n\tif (!tbhbuffer) {\n\t\trc = OPAL_INTERNAL_ERROR;\n\t\tgoto out;\n\t}\n\n\t/* Get the authority to verify the signature */\n\tget_key_authority(key_authority, update->key);\n\n\t/*\n\t * Try for all the authorities that are allowed to sign.\n\t * For eg. 
db/dbx can be signed by both PK or KEK\n\t */\n\tfor (i = 0; key_authority[i] != NULL; i++) {\n\t\tprlog(PR_DEBUG, \"key is %s\\n\", update->key);\n\t\tprlog(PR_DEBUG, \"key authority is %s\\n\", key_authority[i]);\n\t\tavar = find_secvar(key_authority[i],\n\t\t\t\t strlen(key_authority[i]) + 1,\n\t\t\t\t bank);\n\t\tif (!avar || !avar->data_size)\n\t\t\tcontinue;\n\n\t\t/* Verify the signature */\n\t\trc = verify_signature(auth, tbhbuffer, tbhbuffersize,\n\t\t\t\t avar);\n\n\t\t/* Break if signature verification is successful */\n\t\tif (rc == OPAL_SUCCESS) {\n\t\t\tprlog(PR_INFO, \"Key %s successfully verified by authority %s\\n\", update->key, key_authority[i]);\n\t\t\tbreak;\n\t\t}\n\t}\n\nout:\n\tfree(auth_buffer);\n\tfree(tbhbuffer);\n\n\treturn rc;\n}", "idx": 521660, "cwe": "CWE-681", "hash": 178401092850407839532373766829369702237, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 1, "func": "static uint64_t unpack_timestamp(const struct efi_time *timestamp)\n{\n\tuint64_t val = 0;\n\tuint16_t year = le32_to_cpu(timestamp->year);\n\n\t/* pad1, nanosecond, timezone, daylight and pad2 are meant to be zero */\n\tval |= ((uint64_t) timestamp->pad1 & 0xFF) << 0;\n\tval |= ((uint64_t) timestamp->second & 0xFF) << (1*8);\n\tval |= ((uint64_t) timestamp->minute & 0xFF) << (2*8);\n\tval |= ((uint64_t) timestamp->hour & 0xFF) << (3*8);\n\tval |= ((uint64_t) timestamp->day & 0xFF) << (4*8);\n\tval |= ((uint64_t) timestamp->month & 0xFF) << (5*8);\n\tval |= ((uint64_t) year) << (6*8);\n\n\treturn val;\n}", "idx": 217514, "cwe": "CWE-681", "hash": 261903108962534180969470598132431142070, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static uint64_t unpack_timestamp(const struct efi_time *timestamp)\n{\n\tuint64_t val = 0;\n\tuint16_t year = le16_to_cpu(timestamp->year);\n\n\t/* pad1, nanosecond, timezone, daylight and pad2 are 
meant to be zero */\n\tval |= ((uint64_t) timestamp->pad1 & 0xFF) << 0;\n\tval |= ((uint64_t) timestamp->second & 0xFF) << (1*8);\n\tval |= ((uint64_t) timestamp->minute & 0xFF) << (2*8);\n\tval |= ((uint64_t) timestamp->hour & 0xFF) << (3*8);\n\tval |= ((uint64_t) timestamp->day & 0xFF) << (4*8);\n\tval |= ((uint64_t) timestamp->month & 0xFF) << (5*8);\n\tval |= ((uint64_t) year) << (6*8);\n\n\treturn val;\n}", "idx": 521649, "cwe": "CWE-681", "hash": 337463125729458282018478225518421551092, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static size_t get_pkcs7_len(const struct efi_variable_authentication_2 *auth)\n{\n\tuint32_t dw_length;\n\tsize_t size;\n\n\tassert(auth != NULL);\n\n\tdw_length = le32_to_cpu(auth->auth_info.hdr.dw_length);\n\tsize = dw_length - (sizeof(auth->auth_info.hdr.dw_length)\n\t\t\t+ sizeof(auth->auth_info.hdr.w_revision)\n\t\t\t+ sizeof(auth->auth_info.hdr.w_certificate_type)\n\t\t\t+ sizeof(auth->auth_info.cert_type));\n\n\treturn size;\n}", "idx": 521659, "cwe": "CWE-681", "hash": 250773754624625586965202166265104085065, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "int get_auth_descriptor2(const void *buf, const size_t buflen, void **auth_buffer)\n{\n\tconst struct efi_variable_authentication_2 *auth = buf;\n\tint auth_buffer_size;\n\tsize_t len;\n\n\tassert(auth_buffer != NULL);\n\tif (buflen < sizeof(struct efi_variable_authentication_2)\n\t || !buf)\n\t\t\treturn OPAL_PARAMETER;\n\n\tlen = get_pkcs7_len(auth);\n\t/* pkcs7 content length cannot be greater than buflen */ \n\tif (len > buflen)\n\t\treturn OPAL_PARAMETER;\n\n\tauth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr)\n\t\t\t + sizeof(auth->auth_info.cert_type) + len;\n\n\t*auth_buffer = zalloc(auth_buffer_size);\n\tif (!(*auth_buffer))\n\t\treturn OPAL_NO_MEM;\n\n\t/*\n\t * Data = auth descriptor + 
new ESL data.\n\t * Extracts only the auth descriptor from data.\n\t */\n\tmemcpy(*auth_buffer, buf, auth_buffer_size);\n\n\treturn auth_buffer_size;\n}", "idx": 521656, "cwe": "CWE-681", "hash": 305644016089787436408464435206138914640, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static bool validate_hash(uuid_t type, int size)\n{\n if (uuid_equals(&type, &EFI_CERT_SHA1_GUID) && (size == 20))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA224_GUID) && (size == 28))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA256_GUID) && (size == 32))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA384_GUID) && (size == 48))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA512_GUID) && (size == 64))\n return true;\n\n return false;\n}", "idx": 521657, "cwe": "CWE-681", "hash": 178128338452607838604171323429136382734, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static mbedtls_pkcs7* get_pkcs7(const struct efi_variable_authentication_2 *auth)\n{\n\tchar *checkpkcs7cert = NULL;\n\tsize_t len;\n\tmbedtls_pkcs7 *pkcs7 = NULL;\n\tint rc;\n\n\tlen = get_pkcs7_len(auth);\n\n\tpkcs7 = malloc(sizeof(struct mbedtls_pkcs7));\n\tif (!pkcs7)\n\t\treturn NULL;\n\n\tmbedtls_pkcs7_init(pkcs7);\n\trc = mbedtls_pkcs7_parse_der( auth->auth_info.cert_data, len, pkcs7);\n\tif (rc <= 0) {\n\t\tprlog(PR_ERR, \"Parsing pkcs7 failed %04x\\n\", rc);\n\t\tgoto out;\n\t}\n\n\tcheckpkcs7cert = zalloc(CERT_BUFFER_SIZE);\n\tif (!checkpkcs7cert)\n\t\tgoto out;\n\n\trc = mbedtls_x509_crt_info(checkpkcs7cert, CERT_BUFFER_SIZE, \"CRT:\",\n\t\t\t\t &(pkcs7->signed_data.certs));\n\tif (rc < 0) {\n\t\tprlog(PR_ERR, \"Failed to parse the certificate in PKCS7 structure\\n\");\n\t\tfree(checkpkcs7cert);\n\t\tgoto out;\n\t}\n\n\tprlog(PR_DEBUG, \"%s \\n\", checkpkcs7cert);\n\tfree(checkpkcs7cert);\n\treturn 
pkcs7;\n\nout:\n\tmbedtls_pkcs7_free(pkcs7);\n\tpkcs7 = NULL;\n\treturn pkcs7;\n}", "idx": 521644, "cwe": "CWE-681", "hash": 285422590631529911090789466166025019210, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static void get_key_authority(const char *ret[3], const char *key)\n{\n\tint i = 0;\n\n\tif (key_equals(key, \"PK\")) {\n\t\tret[i++] = \"PK\";\n\t} else if (key_equals(key, \"KEK\")) {\n\t\tret[i++] = \"PK\";\n\t} else if (key_equals(key, \"db\") || key_equals(key, \"dbx\")) {\n\t\tret[i++] = \"KEK\";\n\t\tret[i++] = \"PK\";\n\t}\n\n\tret[i] = NULL;\n}", "idx": 521642, "cwe": "CWE-681", "hash": 297738273191075284106162991641740642673, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static int32_t get_esl_signature_list_size(const char *buf, const size_t buflen)\n{\n\tEFI_SIGNATURE_LIST *list = get_esl_signature_list(buf, buflen);\n\n\tif (!list)\n\t\treturn OPAL_PARAMETER;\n\n\treturn le32_to_cpu(list->SignatureListSize);\n}", "idx": 521643, "cwe": "CWE-681", "hash": 78060638800999667578112940727001384482, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static EFI_SIGNATURE_LIST* get_esl_signature_list(const char *buf, size_t buflen)\n{\n\tEFI_SIGNATURE_LIST *list = NULL;\n\n\tif (buflen < sizeof(EFI_SIGNATURE_LIST) || !buf)\n\t\treturn NULL;\n\n\tlist = (EFI_SIGNATURE_LIST *)buf;\n\n\treturn list;\n}", "idx": 521652, "cwe": "CWE-681", "hash": 120387305635648549803864652788577802214, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static int get_esl_cert(const char *buf, const size_t buflen, char **cert)\n{\n\tsize_t sig_data_offset;\n\tsize_t size;\n\tEFI_SIGNATURE_LIST *list = get_esl_signature_list(buf, buflen);\n\n\tif (!list)\n\t\treturn 
OPAL_PARAMETER;\n\n\tassert(cert != NULL);\n\n\tsize = le32_to_cpu(list->SignatureSize) - sizeof(uuid_t);\n\n\tprlog(PR_DEBUG,\"size of signature list size is %u\\n\",\n\t\t\tle32_to_cpu(list->SignatureListSize));\n\tprlog(PR_DEBUG, \"size of signature header size is %u\\n\",\n\t\t\tle32_to_cpu(list->SignatureHeaderSize));\n\tprlog(PR_DEBUG, \"size of signature size is %u\\n\",\n\t\t\tle32_to_cpu(list->SignatureSize));\n\n\tsig_data_offset = sizeof(EFI_SIGNATURE_LIST)\n\t\t\t + le32_to_cpu(list->SignatureHeaderSize)\n\t\t\t + 16 * sizeof(uint8_t);\n\tif (sig_data_offset > buflen)\n\t\treturn OPAL_PARAMETER;\n\n\t*cert = zalloc(size);\n\tif (!(*cert))\n\t\treturn OPAL_NO_MEM;\n\n\t/* Since buf can have more than one ESL, copy only the size calculated\n\t * to return single ESL */\n\tmemcpy(*cert, buf + sig_data_offset, size);\n\n\treturn size;\n}", "idx": 521650, "cwe": "CWE-681", "hash": 76056064316561882808219871420473489575, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static bool validate_cert(char *signing_cert, int signing_cert_size)\n{\n\tmbedtls_x509_crt x509;\n\tchar *x509_buf = NULL;\n\tint rc;\n\n\tmbedtls_x509_crt_init(&x509);\n\trc = mbedtls_x509_crt_parse(&x509, signing_cert, signing_cert_size);\n\n\t/* If failure in parsing the certificate, exit */\n\tif(rc) {\n\t\tprlog(PR_ERR, \"X509 certificate parsing failed %04x\\n\", rc);\n\t\treturn false;\n\t}\n\n\tx509_buf = zalloc(CERT_BUFFER_SIZE);\n\trc = mbedtls_x509_crt_info(x509_buf, CERT_BUFFER_SIZE, \"CRT:\", &x509);\n\n\tmbedtls_x509_crt_free(&x509);\n\tfree(x509_buf);\n\tx509_buf = NULL;\n\n\t/* If failure in reading the certificate, exit */\n\tif (rc < 0)\n\t\treturn false;\n\n\treturn true;\n}", "idx": 521646, "cwe": "CWE-681", "hash": 89322362298830297891556293893589653635, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "int 
validate_esl_list(const char *key, const char *esl, const size_t size)\n{\n\tint count = 0;\n\tint dsize;\n\tchar *data = NULL;\n\tint eslvarsize = size;\n\tint eslsize;\n\tint rc = OPAL_SUCCESS;\n\tint offset = 0;\n\tEFI_SIGNATURE_LIST *list = NULL;\n\n\twhile (eslvarsize > 0) {\n\t\tprlog(PR_DEBUG, \"esl var size size is %d offset is %d\\n\", eslvarsize, offset);\n\t\tif (eslvarsize < sizeof(EFI_SIGNATURE_LIST))\n\t\t\tbreak;\n\n\t\t/* Check Supported ESL Type */\n\t\tlist = get_esl_signature_list(esl, eslvarsize);\n\n\t\tif (!list)\n\t\t\treturn OPAL_PARAMETER;\n\n\t\t/* Calculate the size of the ESL */\n\t\teslsize = le32_to_cpu(list->SignatureListSize);\n\n\t\t/* If could not extract the size */\n\t\tif (eslsize <= 0) {\n\t\t\tprlog(PR_ERR, \"Invalid size of the ESL: %u\\n\",\n\t\t\t\t\tle32_to_cpu(list->SignatureListSize));\n\t\t\trc = OPAL_PARAMETER;\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Extract the certificate from the ESL */\n\t\tdsize = get_esl_cert(esl, eslvarsize, &data);\n\t\tif (dsize < 0) {\n\t\t\trc = dsize;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (key_equals(key, \"dbx\")) {\n\t\t\tif (!validate_hash(list->SignatureType, dsize)) {\n\t\t\t\tprlog(PR_ERR, \"No valid hash is found\\n\");\n\t\t\t\trc = OPAL_PARAMETER;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t} else {\n\t\t if (!uuid_equals(&list->SignatureType, &EFI_CERT_X509_GUID)\n\t\t\t || !validate_cert(data, dsize)) {\n\t\t\t\tprlog(PR_ERR, \"No valid cert is found\\n\");\n\t\t\t\trc = OPAL_PARAMETER;\n\t\t\t\tbreak;\n\t\t }\n\t\t}\n\n\t\tcount++;\n\n\t\t/* Look for the next ESL */\n\t\toffset = offset + eslsize;\n\t\teslvarsize = eslvarsize - eslsize;\n\t\tfree(data);\n\t\t/* Since we are going to allocate again in the next iteration */\n\t\tdata = NULL;\n\t}\n\n\tif (rc == OPAL_SUCCESS) {\n\t\tif (key_equals(key, \"PK\") && (count > 1)) {\n\t\t\tprlog(PR_ERR, \"PK can only be one\\n\");\n\t\t\trc = OPAL_PARAMETER;\n\t\t} else {\n\t\t\trc = count;\n\t\t}\n\t}\n\n\tfree(data);\n\n\tprlog(PR_INFO, \"Total ESLs are %d\\n\", 
rc);\n\treturn rc;\n}", "idx": 521648, "cwe": "CWE-681", "hash": 135687032396769714616764529094035254125, "dataset": "other" } ] }, { "call_depth": 2, "longest_call_chain": [ "cliprdr_read_format_list", "cliprdr_free_format_list" ], "group_size": 3, "functions": [ { "func": "UINT cliprdr_read_format_list(wStream* s, CLIPRDR_FORMAT_LIST* formatList, BOOL useLongFormatNames)\n{\n\tUINT32 index;\n\tsize_t position;\n\tBOOL asciiNames;\n\tint formatNameLength;\n\tchar* szFormatName;\n\tWCHAR* wszFormatName;\n\tUINT32 dataLen = formatList->dataLen;\n\tCLIPRDR_FORMAT* formats = NULL;\n\tUINT error = CHANNEL_RC_OK;\n\n\tasciiNames = (formatList->msgFlags & CB_ASCII_NAMES) ? TRUE : FALSE;\n\n\tindex = 0;\n\tformatList->numFormats = 0;\n\tposition = Stream_GetPosition(s);\n\n\tif (!formatList->dataLen)\n\t{\n\t\t/* empty format list */\n\t\tformatList->formats = NULL;\n\t\tformatList->numFormats = 0;\n\t}\n\telse if (!useLongFormatNames)\n\t{\n\t\tformatList->numFormats = (dataLen / 36);\n\n\t\tif ((formatList->numFormats * 36) != dataLen)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"Invalid short format list length: %\" PRIu32 \"\", dataLen);\n\t\t\treturn ERROR_INTERNAL_ERROR;\n\t\t}\n\n\t\tif (formatList->numFormats)\n\t\t\tformats = (CLIPRDR_FORMAT*)calloc(formatList->numFormats, sizeof(CLIPRDR_FORMAT));\n\n\t\tif (!formats)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"calloc failed!\");\n\t\t\treturn CHANNEL_RC_NO_MEMORY;\n\t\t}\n\n\t\tformatList->formats = formats;\n\n\t\twhile (dataLen)\n\t\t{\n\t\t\tStream_Read_UINT32(s, formats[index].formatId); /* formatId (4 bytes) */\n\t\t\tdataLen -= 4;\n\n\t\t\tformats[index].formatName = NULL;\n\n\t\t\t/* According to MS-RDPECLIP 2.2.3.1.1.1 formatName is \"a 32-byte block containing\n\t\t\t * the *null-terminated* name assigned to the Clipboard Format: (32 ASCII 8 characters\n\t\t\t * or 16 Unicode characters)\"\n\t\t\t * However, both Windows RDSH and mstsc violate this specs as seen in the following\n\t\t\t * example of a transferred short format name 
string: [R.i.c.h. .T.e.x.t. .F.o.r.m.a.t.]\n\t\t\t * These are 16 unicode charaters - *without* terminating null !\n\t\t\t */\n\n\t\t\tif (asciiNames)\n\t\t\t{\n\t\t\t\tszFormatName = (char*)Stream_Pointer(s);\n\n\t\t\t\tif (szFormatName[0])\n\t\t\t\t{\n\t\t\t\t\t/* ensure null termination */\n\t\t\t\t\tformats[index].formatName = (char*)malloc(32 + 1);\n\t\t\t\t\tif (!formats[index].formatName)\n\t\t\t\t\t{\n\t\t\t\t\t\tWLog_ERR(TAG, \"malloc failed!\");\n\t\t\t\t\t\terror = CHANNEL_RC_NO_MEMORY;\n\t\t\t\t\t\tgoto error_out;\n\t\t\t\t\t}\n\t\t\t\t\tCopyMemory(formats[index].formatName, szFormatName, 32);\n\t\t\t\t\tformats[index].formatName[32] = '\\0';\n\t\t\t\t}\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\twszFormatName = (WCHAR*)Stream_Pointer(s);\n\n\t\t\t\tif (wszFormatName[0])\n\t\t\t\t{\n\t\t\t\t\t/* ConvertFromUnicode always returns a null-terminated\n\t\t\t\t\t * string on success, even if the source string isn't.\n\t\t\t\t\t */\n\t\t\t\t\tif (ConvertFromUnicode(CP_UTF8, 0, wszFormatName, 16,\n\t\t\t\t\t &(formats[index].formatName), 0, NULL, NULL) < 1)\n\t\t\t\t\t{\n\t\t\t\t\t\tWLog_ERR(TAG, \"failed to convert short clipboard format name\");\n\t\t\t\t\t\terror = ERROR_INTERNAL_ERROR;\n\t\t\t\t\t\tgoto error_out;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tStream_Seek(s, 32);\n\t\t\tdataLen -= 32;\n\t\t\tindex++;\n\t\t}\n\t}\n\telse\n\t{\n\t\twhile (dataLen)\n\t\t{\n\t\t\tStream_Seek(s, 4); /* formatId (4 bytes) */\n\t\t\tdataLen -= 4;\n\n\t\t\twszFormatName = (WCHAR*)Stream_Pointer(s);\n\n\t\t\tif (!wszFormatName[0])\n\t\t\t\tformatNameLength = 0;\n\t\t\telse\n\t\t\t\tformatNameLength = _wcslen(wszFormatName);\n\n\t\t\tStream_Seek(s, (formatNameLength + 1) * 2);\n\t\t\tdataLen -= ((formatNameLength + 1) * 2);\n\n\t\t\tformatList->numFormats++;\n\t\t}\n\n\t\tdataLen = formatList->dataLen;\n\t\tStream_SetPosition(s, position);\n\n\t\tif (formatList->numFormats)\n\t\t\tformats = (CLIPRDR_FORMAT*)calloc(formatList->numFormats, sizeof(CLIPRDR_FORMAT));\n\n\t\tif 
(!formats)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"calloc failed!\");\n\t\t\treturn CHANNEL_RC_NO_MEMORY;\n\t\t}\n\n\t\tformatList->formats = formats;\n\n\t\twhile (dataLen)\n\t\t{\n\t\t\tStream_Read_UINT32(s, formats[index].formatId); /* formatId (4 bytes) */\n\t\t\tdataLen -= 4;\n\n\t\t\tformats[index].formatName = NULL;\n\n\t\t\twszFormatName = (WCHAR*)Stream_Pointer(s);\n\n\t\t\tif (!wszFormatName[0])\n\t\t\t\tformatNameLength = 0;\n\t\t\telse\n\t\t\t\tformatNameLength = _wcslen(wszFormatName);\n\n\t\t\tif (formatNameLength)\n\t\t\t{\n\t\t\t\tif (ConvertFromUnicode(CP_UTF8, 0, wszFormatName, -1, &(formats[index].formatName),\n\t\t\t\t 0, NULL, NULL) < 1)\n\t\t\t\t{\n\t\t\t\t\tWLog_ERR(TAG, \"failed to convert long clipboard format name\");\n\t\t\t\t\terror = ERROR_INTERNAL_ERROR;\n\t\t\t\t\tgoto error_out;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tStream_Seek(s, (formatNameLength + 1) * 2);\n\t\t\tdataLen -= ((formatNameLength + 1) * 2);\n\n\t\t\tindex++;\n\t\t}\n\t}\n\n\treturn error;\n\nerror_out:\n\tcliprdr_free_format_list(formatList);\n\treturn error;\n}", "project": "FreeRDP", "hash": 291591512452233208574467037688769410743, "size": 174, "commit_id": "b73143cf7ee5fe4cdabcbf56908aa15d8a883821", "message": "Fixed oob read in cliprdr_read_format_list", "target": 1, "dataset": "other", "idx": 206874 }, { "func": "UINT cliprdr_read_format_list(wStream* s, CLIPRDR_FORMAT_LIST* formatList, BOOL useLongFormatNames)\n{\n\tUINT32 index;\n\tsize_t position;\n\tBOOL asciiNames;\n\tint formatNameLength;\n\tchar* szFormatName;\n\tWCHAR* wszFormatName;\n\twStream sub1, sub2;\n\tCLIPRDR_FORMAT* formats = NULL;\n\tUINT error = CHANNEL_RC_OK;\n\n\tasciiNames = (formatList->msgFlags & CB_ASCII_NAMES) ? 
TRUE : FALSE;\n\n\tindex = 0;\n\t/* empty format list */\n\tformatList->formats = NULL;\n\tformatList->numFormats = 0;\n\n\tStream_StaticInit(&sub1, Stream_Pointer(s), formatList->dataLen);\n\tif (!Stream_SafeSeek(s, formatList->dataLen))\n\t\treturn ERROR_INVALID_DATA;\n\n\tif (!formatList->dataLen)\n\t{\n\t}\n\telse if (!useLongFormatNames)\n\t{\n\t\tconst size_t cap = Stream_Capacity(&sub1);\n\t\tformatList->numFormats = (cap / 36);\n\n\t\tif ((formatList->numFormats * 36) != cap)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"Invalid short format list length: %\" PRIuz \"\", cap);\n\t\t\treturn ERROR_INTERNAL_ERROR;\n\t\t}\n\n\t\tif (formatList->numFormats)\n\t\t\tformats = (CLIPRDR_FORMAT*)calloc(formatList->numFormats, sizeof(CLIPRDR_FORMAT));\n\n\t\tif (!formats)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"calloc failed!\");\n\t\t\treturn CHANNEL_RC_NO_MEMORY;\n\t\t}\n\n\t\tformatList->formats = formats;\n\n\t\twhile (Stream_GetRemainingLength(&sub1) >= 4)\n\t\t{\n\t\t\tStream_Read_UINT32(&sub1, formats[index].formatId); /* formatId (4 bytes) */\n\n\t\t\tformats[index].formatName = NULL;\n\n\t\t\t/* According to MS-RDPECLIP 2.2.3.1.1.1 formatName is \"a 32-byte block containing\n\t\t\t * the *null-terminated* name assigned to the Clipboard Format: (32 ASCII 8 characters\n\t\t\t * or 16 Unicode characters)\"\n\t\t\t * However, both Windows RDSH and mstsc violate this specs as seen in the following\n\t\t\t * example of a transferred short format name string: [R.i.c.h. .T.e.x.t. 
.F.o.r.m.a.t.]\n\t\t\t * These are 16 unicode charaters - *without* terminating null !\n\t\t\t */\n\n\t\t\tszFormatName = (char*)Stream_Pointer(&sub1);\n\t\t\twszFormatName = (WCHAR*)Stream_Pointer(&sub1);\n\t\t\tif (!Stream_SafeSeek(&sub1, 32))\n\t\t\t\tgoto error_out;\n\t\t\tif (asciiNames)\n\t\t\t{\n\t\t\t\tif (szFormatName[0])\n\t\t\t\t{\n\t\t\t\t\t/* ensure null termination */\n\t\t\t\t\tformats[index].formatName = (char*)malloc(32 + 1);\n\t\t\t\t\tif (!formats[index].formatName)\n\t\t\t\t\t{\n\t\t\t\t\t\tWLog_ERR(TAG, \"malloc failed!\");\n\t\t\t\t\t\terror = CHANNEL_RC_NO_MEMORY;\n\t\t\t\t\t\tgoto error_out;\n\t\t\t\t\t}\n\t\t\t\t\tCopyMemory(formats[index].formatName, szFormatName, 32);\n\t\t\t\t\tformats[index].formatName[32] = '\\0';\n\t\t\t\t}\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tif (wszFormatName[0])\n\t\t\t\t{\n\t\t\t\t\t/* ConvertFromUnicode always returns a null-terminated\n\t\t\t\t\t * string on success, even if the source string isn't.\n\t\t\t\t\t */\n\t\t\t\t\tif (ConvertFromUnicode(CP_UTF8, 0, wszFormatName, 16,\n\t\t\t\t\t &(formats[index].formatName), 0, NULL, NULL) < 1)\n\t\t\t\t\t{\n\t\t\t\t\t\tWLog_ERR(TAG, \"failed to convert short clipboard format name\");\n\t\t\t\t\t\terror = ERROR_INTERNAL_ERROR;\n\t\t\t\t\t\tgoto error_out;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tindex++;\n\t\t}\n\t}\n\telse\n\t{\n\t\tsub2 = sub1;\n\t\twhile (Stream_GetRemainingLength(&sub1) > 0)\n\t\t{\n\t\t\tsize_t rest;\n\t\t\tif (!Stream_SafeSeek(&sub1, 4)) /* formatId (4 bytes) */\n\t\t\t\tgoto error_out;\n\n\t\t\twszFormatName = (WCHAR*)Stream_Pointer(&sub1);\n\t\t\trest = Stream_GetRemainingLength(&sub1);\n\t\t\tformatNameLength = _wcsnlen(wszFormatName, rest / sizeof(WCHAR));\n\n\t\t\tif (!Stream_SafeSeek(&sub1, (formatNameLength + 1) * sizeof(WCHAR)))\n\t\t\t\tgoto error_out;\n\t\t\tformatList->numFormats++;\n\t\t}\n\n\t\tif (formatList->numFormats)\n\t\t\tformats = (CLIPRDR_FORMAT*)calloc(formatList->numFormats, sizeof(CLIPRDR_FORMAT));\n\n\t\tif 
(!formats)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"calloc failed!\");\n\t\t\treturn CHANNEL_RC_NO_MEMORY;\n\t\t}\n\n\t\tformatList->formats = formats;\n\n\t\twhile (Stream_GetRemainingLength(&sub2) >= 4)\n\t\t{\n\t\t\tsize_t rest;\n\t\t\tStream_Read_UINT32(&sub2, formats[index].formatId); /* formatId (4 bytes) */\n\n\t\t\tformats[index].formatName = NULL;\n\n\t\t\twszFormatName = (WCHAR*)Stream_Pointer(&sub2);\n\t\t\trest = Stream_GetRemainingLength(&sub2);\n\t\t\tformatNameLength = _wcsnlen(wszFormatName, rest / sizeof(WCHAR));\n\t\t\tif (!Stream_SafeSeek(&sub2, (formatNameLength + 1) * sizeof(WCHAR)))\n\t\t\t\tgoto error_out;\n\n\t\t\tif (formatNameLength)\n\t\t\t{\n\t\t\t\tif (ConvertFromUnicode(CP_UTF8, 0, wszFormatName, formatNameLength,\n\t\t\t\t &(formats[index].formatName), 0, NULL, NULL) < 1)\n\t\t\t\t{\n\t\t\t\t\tWLog_ERR(TAG, \"failed to convert long clipboard format name\");\n\t\t\t\t\terror = ERROR_INTERNAL_ERROR;\n\t\t\t\t\tgoto error_out;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tindex++;\n\t\t}\n\t}\n\n\treturn error;\n\nerror_out:\n\tcliprdr_free_format_list(formatList);\n\treturn error;\n}", "project": "FreeRDP", "hash": 237858437120074239124496021317037679825, "size": 165, "commit_id": "b73143cf7ee5fe4cdabcbf56908aa15d8a883821", "message": "Fixed oob read in cliprdr_read_format_list", "target": 0, "dataset": "other", "idx": 388319 }, { "func": "void cliprdr_free_format_list(CLIPRDR_FORMAT_LIST* formatList)\n{\n\tUINT index = 0;\n\n\tif (formatList == NULL)\n\t\treturn;\n\n\tif (formatList->formats)\n\t{\n\t\tfor (index = 0; index < formatList->numFormats; index++)\n\t\t{\n\t\t\tfree(formatList->formats[index].formatName);\n\t\t}\n\n\t\tfree(formatList->formats);\n\t\tformatList->formats = NULL;\n\t\tformatList->numFormats = 0;\n\t}\n}", "project": "FreeRDP", "hash": 49693099553199385547731737762972154156, "size": 19, "commit_id": "b73143cf7ee5fe4cdabcbf56908aa15d8a883821", "message": "Fixed oob read in cliprdr_read_format_list", "target": 0, "dataset": "other", "idx": 
388317 } ] }, { "call_depth": 3, "longest_call_chain": [ "trace_buffer_unlock_commit_regs", "ftrace_trace_stack", "__ftrace_trace_stack" ], "group_size": 15, "functions": [ { "func": "int __trace_bputs(unsigned long ip, const char *str)\n{\n\tstruct ring_buffer_event *event;\n\tstruct ring_buffer *buffer;\n\tstruct bputs_entry *entry;\n\tunsigned long irq_flags;\n\tint size = sizeof(struct bputs_entry);\n\tint pc;\n\n\tif (!(global_trace.trace_flags & TRACE_ITER_PRINTK))\n\t\treturn 0;\n\n\tpc = preempt_count();\n\n\tif (unlikely(tracing_selftest_running || tracing_disabled))\n\t\treturn 0;\n\n\tlocal_save_flags(irq_flags);\n\tbuffer = global_trace.trace_buffer.buffer;\n\tevent = __trace_buffer_lock_reserve(buffer, TRACE_BPUTS, size,\n\t\t\t\t\t irq_flags, pc);\n\tif (!event)\n\t\treturn 0;\n\n\tentry = ring_buffer_event_data(event);\n\tentry->ip\t\t\t= ip;\n\tentry->str\t\t\t= str;\n\n\t__buffer_unlock_commit(buffer, event);\n\tftrace_trace_stack(&global_trace, buffer, irq_flags, 4, pc, NULL);\n\n\treturn 1;\n}", "project": "linux", "hash": 97935509873229655098639551909617223595, "size": 33, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445651 }, { "func": "void __trace_stack(struct trace_array *tr, unsigned long flags, int skip,\n\t\t int pc)\n{\n\tstruct ring_buffer *buffer = tr->trace_buffer.buffer;\n\n\tif (rcu_is_watching()) {\n\t\t__ftrace_trace_stack(buffer, flags, skip, pc, NULL);\n\t\treturn;\n\t}\n\n\t/*\n\t * When an NMI triggers, RCU is enabled via rcu_nmi_enter(),\n\t * but if the above rcu_is_watching() failed, then the NMI\n\t * triggered someplace critical, and rcu_irq_enter() should\n\t * not be called from NMI.\n\t */\n\tif (unlikely(in_nmi()))\n\t\treturn;\n\n\t/*\n\t * It is possible that a function is being traced in a\n\t * location that RCU is not watching. A call to\n\t * rcu_irq_enter() will make sure that it is, but there's\n\t * a few internal rcu functions that could be traced\n\t * where that wont work either. In those cases, we just\n\t * do nothing.\n\t */\n\tif (unlikely(rcu_irq_enter_disabled()))\n\t\treturn;\n\n\trcu_irq_enter_irqson();\n\t__ftrace_trace_stack(buffer, flags, skip, pc, NULL);\n\trcu_irq_exit_irqson();\n}", "project": "linux", "hash": 148688729114021066957743413682696870780, "size": 34, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445686 }, { "func": "trace_buffer_lock_reserve(struct ring_buffer *buffer,\n\t\t\t int type,\n\t\t\t unsigned long len,\n\t\t\t unsigned long flags, int pc)\n{\n\treturn __trace_buffer_lock_reserve(buffer, type, len, flags, pc);\n}", "project": "linux", "hash": 290494509004862626438777072381730768500, "size": 7, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445711 }, { "func": "void trace_dump_stack(int skip)\n{\n\tunsigned long flags;\n\n\tif (tracing_disabled || tracing_selftest_running)\n\t\treturn;\n\n\tlocal_save_flags(flags);\n\n\t/*\n\t * Skip 3 more, seems to get us at the caller of\n\t * this function.\n\t */\n\tskip += 3;\n\t__ftrace_trace_stack(global_trace.trace_buffer.buffer,\n\t\t\t flags, skip, preempt_count(), NULL);\n}", "project": "linux", "hash": 209716427486737830029222622578390806861, "size": 17, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445554 }, { "func": "static void __ftrace_trace_stack(struct ring_buffer *buffer,\n\t\t\t\t unsigned long flags,\n\t\t\t\t int skip, int pc, struct pt_regs *regs)\n{\n\tstruct trace_event_call *call = &event_kernel_stack;\n\tstruct ring_buffer_event *event;\n\tstruct stack_entry *entry;\n\tstruct stack_trace trace;\n\tint use_stack;\n\tint size = FTRACE_STACK_ENTRIES;\n\n\ttrace.nr_entries\t= 0;\n\ttrace.skip\t\t= skip;\n\n\t/*\n\t * Add two, for this function and the call to save_stack_trace()\n\t * If regs is set, then these functions will not be in the way.\n\t */\n\tif (!regs)\n\t\ttrace.skip += 2;\n\n\t/*\n\t * Since events can happen in NMIs there's no safe way to\n\t * use the per cpu ftrace_stacks. 
We reserve it and if an interrupt\n\t * or NMI comes in, it will just have to use the default\n\t * FTRACE_STACK_SIZE.\n\t */\n\tpreempt_disable_notrace();\n\n\tuse_stack = __this_cpu_inc_return(ftrace_stack_reserve);\n\t/*\n\t * We don't need any atomic variables, just a barrier.\n\t * If an interrupt comes in, we don't care, because it would\n\t * have exited and put the counter back to what we want.\n\t * We just need a barrier to keep gcc from moving things\n\t * around.\n\t */\n\tbarrier();\n\tif (use_stack == 1) {\n\t\ttrace.entries\t\t= this_cpu_ptr(ftrace_stack.calls);\n\t\ttrace.max_entries\t= FTRACE_STACK_MAX_ENTRIES;\n\n\t\tif (regs)\n\t\t\tsave_stack_trace_regs(regs, &trace);\n\t\telse\n\t\t\tsave_stack_trace(&trace);\n\n\t\tif (trace.nr_entries > size)\n\t\t\tsize = trace.nr_entries;\n\t} else\n\t\t/* From now on, use_stack is a boolean */\n\t\tuse_stack = 0;\n\n\tsize *= sizeof(unsigned long);\n\n\tevent = __trace_buffer_lock_reserve(buffer, TRACE_STACK,\n\t\t\t\t\t sizeof(*entry) + size, flags, pc);\n\tif (!event)\n\t\tgoto out;\n\tentry = ring_buffer_event_data(event);\n\n\tmemset(&entry->caller, 0, size);\n\n\tif (use_stack)\n\t\tmemcpy(&entry->caller, trace.entries,\n\t\t trace.nr_entries * sizeof(unsigned long));\n\telse {\n\t\ttrace.max_entries\t= FTRACE_STACK_ENTRIES;\n\t\ttrace.entries\t\t= entry->caller;\n\t\tif (regs)\n\t\t\tsave_stack_trace_regs(regs, &trace);\n\t\telse\n\t\t\tsave_stack_trace(&trace);\n\t}\n\n\tentry->size = trace.nr_entries;\n\n\tif (!call_filter_check_discard(call, entry, buffer, event))\n\t\t__buffer_unlock_commit(buffer, event);\n\n out:\n\t/* Again, don't let gcc optimize things here */\n\tbarrier();\n\t__this_cpu_dec(ftrace_stack_reserve);\n\tpreempt_enable_notrace();\n\n}", "project": "linux", "hash": 228181925911186695377319876003635852001, "size": 87, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan 
Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445528 }, { "func": "static inline void __ftrace_trace_stack(struct ring_buffer *buffer,\n\t\t\t\t\tunsigned long flags,\n\t\t\t\t\tint skip, int pc, struct pt_regs *regs)\n{\n}", "project": "linux", "hash": 326356546210729082046651620939364926726, "size": 5, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445804 }, { "func": "static void put_trace_buf(void)\n{\n\t/* Don't let the decrement of nesting leak before this */\n\tbarrier();\n\tthis_cpu_dec(trace_percpu_buffer->nesting);\n}", "project": "linux", "hash": 151274970754355397862267931791174596447, "size": 6, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445718 }, { "func": "trace_event_setup(struct ring_buffer_event *event,\n\t\t int type, unsigned long flags, int pc)\n{\n\tstruct trace_entry *ent = ring_buffer_event_data(event);\n\n\ttracing_generic_entry_update(ent, flags, pc);\n\tent->type = type;\n}", "project": "linux", "hash": 33661644687624186718785817022496531739, "size": 8, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445676 }, { "func": "void trace_buffer_unlock_commit_regs(struct trace_array *tr,\n\t\t\t\t struct ring_buffer *buffer,\n\t\t\t\t struct ring_buffer_event *event,\n\t\t\t\t unsigned long flags, int pc,\n\t\t\t\t struct pt_regs *regs)\n{\n\t__buffer_unlock_commit(buffer, event);\n\n\t/*\n\t * If regs is not set, then skip the following callers:\n\t * trace_buffer_unlock_commit_regs\n\t * event_trigger_unlock_commit\n\t * trace_event_buffer_commit\n\t * trace_event_raw_event_sched_switch\n\t * Note, we can still get here via blktrace, wakeup tracer\n\t * and mmiotrace, but that's ok if they lose a function or\n\t * two. They are that meaningful.\n\t */\n\tftrace_trace_stack(tr, buffer, flags, regs ? 0 : 4, pc, regs);\n\tftrace_trace_userstack(buffer, flags, pc);\n}", "project": "linux", "hash": 286052656294965236812004646636467502665, "size": 21, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445619 }, { "func": "static inline void ftrace_trace_stack(struct trace_array *tr,\n\t\t\t\t struct ring_buffer *buffer,\n\t\t\t\t unsigned long flags,\n\t\t\t\t int skip, int pc, struct pt_regs *regs)\n{\n}", "project": "linux", "hash": 12958771922969768168390039976616805710, "size": 6, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445697 }, { "func": "static inline void ftrace_trace_stack(struct trace_array *tr,\n\t\t\t\t struct ring_buffer *buffer,\n\t\t\t\t unsigned long flags,\n\t\t\t\t int skip, int pc, struct pt_regs *regs)\n{\n\tif (!(tr->trace_flags & TRACE_ITER_STACKTRACE))\n\t\treturn;\n\n\t__ftrace_trace_stack(buffer, flags, skip, pc, regs);\n}", "project": "linux", "hash": 122015228433718164966279605143093293709, "size": 10, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445815 }, { "func": "int __trace_puts(unsigned long ip, const char *str, int size)\n{\n\tstruct ring_buffer_event *event;\n\tstruct ring_buffer *buffer;\n\tstruct print_entry *entry;\n\tunsigned long irq_flags;\n\tint alloc;\n\tint pc;\n\n\tif (!(global_trace.trace_flags & TRACE_ITER_PRINTK))\n\t\treturn 0;\n\n\tpc = preempt_count();\n\n\tif (unlikely(tracing_selftest_running || tracing_disabled))\n\t\treturn 0;\n\n\talloc = sizeof(*entry) + size + 2; /* possible \\n added */\n\n\tlocal_save_flags(irq_flags);\n\tbuffer = global_trace.trace_buffer.buffer;\n\tevent = __trace_buffer_lock_reserve(buffer, TRACE_PRINT, alloc, \n\t\t\t\t\t irq_flags, pc);\n\tif (!event)\n\t\treturn 0;\n\n\tentry = ring_buffer_event_data(event);\n\tentry->ip = ip;\n\n\tmemcpy(&entry->buf, str, size);\n\n\t/* Add a newline if necessary */\n\tif (entry->buf[size - 1] != '\\n') {\n\t\tentry->buf[size] = '\\n';\n\t\tentry->buf[size + 1] = '\\0';\n\t} else\n\t\tentry->buf[size] = '\\0';\n\n\t__buffer_unlock_commit(buffer, event);\n\tftrace_trace_stack(&global_trace, buffer, irq_flags, 4, pc, NULL);\n\n\treturn size;\n}", "project": "linux", "hash": 333230938796332990582828767642145709691, "size": 43, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445537 }, { "func": "__trace_buffer_lock_reserve(struct ring_buffer *buffer,\n\t\t\t int type,\n\t\t\t unsigned long len,\n\t\t\t unsigned long flags, int pc)\n{\n\tstruct ring_buffer_event *event;\n\n\tevent = ring_buffer_lock_reserve(buffer, len);\n\tif (event != NULL)\n\t\ttrace_event_setup(event, type, flags, pc);\n\n\treturn event;\n}", "project": "linux", "hash": 277862938369440085694307103004898588643, "size": 13, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445828 }, { "func": "int trace_vbprintk(unsigned long ip, const char *fmt, va_list args)\n{\n\tstruct trace_event_call *call = &event_bprint;\n\tstruct ring_buffer_event *event;\n\tstruct ring_buffer *buffer;\n\tstruct trace_array *tr = &global_trace;\n\tstruct bprint_entry *entry;\n\tunsigned long flags;\n\tchar *tbuffer;\n\tint len = 0, size, pc;\n\n\tif (unlikely(tracing_selftest_running || tracing_disabled))\n\t\treturn 0;\n\n\t/* Don't pollute graph traces with trace_vprintk internals */\n\tpause_graph_tracing();\n\n\tpc = preempt_count();\n\tpreempt_disable_notrace();\n\n\ttbuffer = get_trace_buf();\n\tif (!tbuffer) {\n\t\tlen = 0;\n\t\tgoto out_nobuffer;\n\t}\n\n\tlen = vbin_printf((u32 *)tbuffer, TRACE_BUF_SIZE/sizeof(int), fmt, args);\n\n\tif (len > TRACE_BUF_SIZE/sizeof(int) || len < 0)\n\t\tgoto out;\n\n\tlocal_save_flags(flags);\n\tsize = sizeof(*entry) + sizeof(u32) * len;\n\tbuffer = tr->trace_buffer.buffer;\n\tevent = __trace_buffer_lock_reserve(buffer, TRACE_BPRINT, size,\n\t\t\t\t\t flags, pc);\n\tif (!event)\n\t\tgoto out;\n\tentry = ring_buffer_event_data(event);\n\tentry->ip\t\t\t= ip;\n\tentry->fmt\t\t\t= fmt;\n\n\tmemcpy(entry->buf, tbuffer, sizeof(u32) * len);\n\tif (!call_filter_check_discard(call, entry, buffer, event)) {\n\t\t__buffer_unlock_commit(buffer, event);\n\t\tftrace_trace_stack(tr, buffer, flags, 6, pc, NULL);\n\t}\n\nout:\n\tput_trace_buf();\n\nout_nobuffer:\n\tpreempt_enable_notrace();\n\tunpause_graph_tracing();\n\n\treturn len;\n}", "project": "linux", "hash": 253947971610352669400134070783242158477, "size": 57, "commit_id": 
"4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445733 }, { "func": "int call_filter_check_discard(struct trace_event_call *call, void *rec,\n\t\t\t struct ring_buffer *buffer,\n\t\t\t struct ring_buffer_event *event)\n{\n\tif (unlikely(call->flags & TRACE_EVENT_FL_FILTERED) &&\n\t !filter_match_preds(call->filter, rec)) {\n\t\t__trace_event_discard_commit(buffer, event);\n\t\treturn 1;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 295670194917690430799317477652109148509, "size": 12, "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. 
Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia \nReported-by: Chunyan Zhang \nSigned-off-by: Steven Rostedt (VMware) ", "target": 0, "dataset": "other", "idx": 445792 } ] }, { "call_depth": 2, "longest_call_chain": [ "pfkey_release", "pfkey_remove" ], "group_size": 2, "functions": [ { "func": "static void pfkey_remove(struct sock *sk)\n{\n\tmutex_lock(&pfkey_mutex);\n\tsk_del_node_init_rcu(sk);\n\tmutex_unlock(&pfkey_mutex);\n}", "project": "linux", "hash": 230308791328813975097851220292826017886, "size": 6, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268074 }, { "func": "static int pfkey_release(struct socket *sock)\n{\n\tstruct sock *sk = sock->sk;\n\n\tif (!sk)\n\t\treturn 0;\n\n\tpfkey_remove(sk);\n\n\tsock_orphan(sk);\n\tsock->sk = NULL;\n\tskb_queue_purge(&sk->sk_write_queue);\n\n\tsynchronize_rcu();\n\tsock_put(sk);\n\n\treturn 0;\n}", "project": "linux", "hash": 223159857245137510117397759974667139981, "size": 18, "commit_id": "9a564bccb78a76740ea9d75a259942df8143d02c", "message": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\n\nAdd __GFP_ZERO flag for compose_sadb_supported in function pfkey_register\nto initialize the buffer of supp_skb to fix a kernel-info-leak issue.\n1) Function pfkey_register calls compose_sadb_supported to request\na sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate\na sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then\ncompose_sadb_supported treats the memory as a struct sadb_supported and\nbegins to initialize. 
But it just initializes the field sadb_supported_len\nand field sadb_supported_exttype without field sadb_supported_reserved.\n\nReported-by: TCS Robot \nSigned-off-by: Haimin Zhang \nSigned-off-by: Steffen Klassert ", "target": 0, "dataset": "other", "idx": 268027 } ] }, { "call_depth": 3, "longest_call_chain": [ "HrReadHeaders", "HrParseHeaders", "HrGetHeaderValue" ], "group_size": 14, "functions": [ { "func": "HRESULT Http::HrFinalize()\n{\n\tHRESULT hr = hrSuccess;\n\n\tHrResponseHeader(\"Content-Length\", stringify(m_strRespBody.length()));\n\n\t// force chunked http for long size response, should check version >= 1.1 to disable chunking\n\tif (m_strRespBody.size() < HTTP_CHUNK_SIZE || m_strHttpVer != \"1.1\") {\n\t\thr = HrFlushHeaders();\n\t\tif (hr != hrSuccess && hr != MAPI_E_END_OF_SESSION) {\n\t\t\tec_log_debug(\"Http::HrFinalize flush fail %d\", hr);\n\t\t\tm_ulRetCode = 0;\n\t\t\treturn hr;\n\t\t}\n\t\tif (!m_strRespBody.empty()) {\n\t\t\tm_lpChannel->HrWriteString(m_strRespBody);\n\t\t\tec_log_debug(\"Response body:\\n%s\", m_strRespBody.c_str());\n\t\t}\n\t}\n\telse\n\t{\n\t\tconst char *lpstrBody = m_strRespBody.data();\n\t\tchar lpstrLen[10];\n\t\tauto szBodyLen = m_strRespBody.size(); // length of data to be sent to the client\n\t\tsize_t szBodyWritten = 0; // length of data sent to client\n\t\tunsigned int szPart = HTTP_CHUNK_SIZE;\t\t\t\t\t\t// default length of chunk data to be written\n\n\t\tHrResponseHeader(\"Transfer-Encoding\", \"chunked\");\n\t\thr = HrFlushHeaders();\n\t\tif (hr != hrSuccess && hr != MAPI_E_END_OF_SESSION) {\n\t\t\tec_log_debug(\"Http::HrFinalize flush fail(2) %d\", hr);\n\t\t\tm_ulRetCode = 0;\n\t\t\treturn hr;\n\t\t}\n\n\t\twhile (szBodyWritten < szBodyLen)\n\t\t{\n\t\t\tif ((szBodyWritten + HTTP_CHUNK_SIZE) > szBodyLen)\n\t\t\t\tszPart = szBodyLen - szBodyWritten;\t\t\t\t// change length of data for last chunk\n\t\t\t// send hex length of data and data part\n\t\t\tsnprintf(lpstrLen, sizeof(lpstrLen), \"%X\", 
szPart);\n\t\t\tm_lpChannel->HrWriteLine(lpstrLen);\n\t\t\tm_lpChannel->HrWriteLine(string_view(lpstrBody, szPart));\n\t\t\tszBodyWritten += szPart;\n\t\t\tlpstrBody += szPart;\n\t\t}\n\n\t\t// end of response\n\t\tsnprintf(lpstrLen, 10, \"0\\r\\n\");\n\t\tm_lpChannel->HrWriteLine(lpstrLen);\n\t\t// just the first part of the body in the log. header shows it's chunked.\n\t\tec_log_debug(\"%s\", m_strRespBody.c_str());\n\t}\n\n\t// if http_log_enable?\n\tchar szTime[32];\n\ttime_t now = time(NULL);\n\ttm local;\n\tstd::string strAgent;\n\tlocaltime_r(&now, &local);\n\t// @todo we're in C LC_TIME locale to get the correct (month) format, but the timezone will be GMT, which is not wanted.\n\tstrftime(szTime, ARRAY_SIZE(szTime), \"%d/%b/%Y:%H:%M:%S %z\", &local);\n\tHrGetHeaderValue(\"User-Agent\", &strAgent);\n\tec_log_notice(\"%s - %s [%s] \\\"%s\\\" %d %d \\\"-\\\" \\\"%s\\\"\", m_lpChannel->peer_addr(), m_strUser.empty() ? \"-\" : m_strUser.c_str(), szTime, m_strAction.c_str(), m_ulRetCode, (int)m_strRespBody.length(), strAgent.c_str());\n\tm_ulRetCode = 0;\n\treturn hr;\n}", "project": "kopano-core", "hash": 259595367262276487244267405280402291162, "size": 67, "commit_id": "512457466b87039c6a8d25887fdaca6173619546", "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.", "target": 0, "dataset": "other", "idx": 412624 }, { "func": "HRESULT Http::HrGetDepth(ULONG *ulDepth)\n{\n\tstd::string strDepth;\n\t/*\n\t * Valid input: [0, 1, infinity]\n\t */\n\tauto hr = HrGetHeaderValue(\"Depth\", &strDepth);\n\tif (hr != hrSuccess)\n\t\t*ulDepth = 0; /* Default is no subfolders. Default should become a parameter. It is action dependent. 
*/\n\telse if (strDepth == \"infinity\")\n\t\t*ulDepth = 2;\n\telse {\n\t\t*ulDepth = atoi(strDepth.c_str());\n\t\tif (*ulDepth > 1)\n\t\t\t*ulDepth = 1;\n\t}\n\treturn hr;\n}", "project": "kopano-core", "hash": 217517827692339967634595091257873772062, "size": 18, "commit_id": "512457466b87039c6a8d25887fdaca6173619546", "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.", "target": 0, "dataset": "other", "idx": 412614 }, { "func": "HRESULT Http::HrReadBody()\n{\n\tstd::string strLength;\n\n\t// find the Content-Length\n\tif (HrGetHeaderValue(\"Content-Length\", &strLength) != hrSuccess) {\n\t\tec_log_debug(\"Http::HrReadBody content-length missing\");\n\t\treturn MAPI_E_NOT_FOUND;\n\t}\n\tauto ulContLength = atoi(strLength.c_str());\n\tif (ulContLength <= 0) {\n\t\tec_log_debug(\"Http::HrReadBody content-length invalid %d\", ulContLength);\n\t\treturn MAPI_E_NOT_FOUND;\n\t}\n\tauto hr = m_lpChannel->HrReadBytes(&m_strReqBody, ulContLength);\n\tif (!m_strUser.empty())\n\t\tec_log_debug(\"Request body:\\n%s\", m_strReqBody.c_str());\n\treturn hr;\n}", "project": "kopano-core", "hash": 113696208786814068339618293734508448744, "size": 19, "commit_id": "512457466b87039c6a8d25887fdaca6173619546", "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.", "target": 0, "dataset": "other", "idx": 412634 }, { "func": "HRESULT Http::HrRequestAuth(const std::string &strMsg)\n{\n\tauto hr = HrResponseHeader(401, \"Unauthorized\");\n\tif (hr != hrSuccess)\n\t\treturn hr;\n\treturn HrResponseHeader(\"WWW-Authenticate\", \"Basic realm=\\\"\" + strMsg + \"\\\"\");\n}", "project": "kopano-core", "hash": 326592081151301752571350035393463588511, "size": 7, "commit_id": 
"512457466b87039c6a8d25887fdaca6173619546", "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.", "target": 0, "dataset": "other", "idx": 412626 }, { "func": "HRESULT Http::HrReadHeaders()\n{\n\tHRESULT hr;\n\tstd::string strBuffer;\n\tULONG n = 0;\n\tstd::map::iterator iHeader = mapHeaders.end();\n\n\tec_log_debug(\"Receiving headers:\");\n\tdo\n\t{\n\t\thr = m_lpChannel->HrReadLine(strBuffer);\n\t\tif (hr != hrSuccess)\n\t\t\treturn hr;\n\t\tif (strBuffer.empty())\n\t\t\tbreak;\n\n\t\tif (n == 0) {\n\t\t\tm_strAction = strBuffer;\n\t\t} else {\n\t\t\tauto pos = strBuffer.find(':');\n\t\t\tsize_t start = 0;\n\n\t\t\tif (strBuffer[0] == ' ' || strBuffer[0] == '\\t') {\n\t\t\t\tif (iHeader == mapHeaders.end())\n\t\t\t\t\tcontinue;\n\t\t\t\t// continue header\n\t\t\t\twhile (strBuffer[start] == ' ' || strBuffer[start] == '\\t')\n\t\t\t\t\t++start;\n\t\t\t\tiHeader->second += strBuffer.substr(start);\n\t\t\t} else {\n\t\t\t\t// new header\n\t\t\t\tauto r = mapHeaders.emplace(strBuffer.substr(0, pos), strBuffer.substr(pos + 2));\n\t\t\t\tiHeader = r.first;\n\t\t\t}\n\t\t}\n\n\t\tif (strBuffer.find(\"Authorization\") != std::string::npos)\n\t\t\tec_log_debug(\"< Authorization:

%s